{
  "statistics": {
    "processing": [
      {
        "name": "CAPE",
        "time": 0.0
      },
      {
        "name": "AnalysisInfo",
        "time": 0.019
      },
      {
        "name": "BehaviorAnalysis",
        "time": 0.618
      },
      {
        "name": "Debug",
        "time": 0.001
      },
      {
        "name": "NetworkAnalysis",
        "time": 0.0
      },
      {
        "name": "UrlAnalysis",
        "time": 1.689
      },
      {
        "name": "script_log_processing",
        "time": 0.001
      },
      {
        "name": "ProcessMemory",
        "time": 0.0
      }
    ],
    "signatures": [
      {
        "name": "packer_themida",
        "time": 0.0
      },
      {
        "name": "stealth_network",
        "time": 0.0
      },
      {
        "name": "disable_driver_via_blocklist",
        "time": 0.0
      },
      {
        "name": "disable_driver_via_hvcidisallowedimages",
        "time": 0.0
      },
      {
        "name": "disable_hypervisor_protected_code_integrity",
        "time": 0.0
      },
      {
        "name": "pendingfilerenameoperations_Operations",
        "time": 0.0
      },
      {
        "name": "anomalous_deletefile",
        "time": 0.0
      },
      {
        "name": "antiav_360_libs",
        "time": 0.0
      },
      {
        "name": "antiav_ahnlab_libs",
        "time": 0.0
      },
      {
        "name": "antiav_avast_libs",
        "time": 0.0
      },
      {
        "name": "antiav_bitdefender_libs",
        "time": 0.0
      },
      {
        "name": "antiav_bullguard_libs",
        "time": 0.0
      },
      {
        "name": "antiav_emsisoft_libs",
        "time": 0.0
      },
      {
        "name": "antiav_qurb_libs",
        "time": 0.0
      },
      {
        "name": "antiav_servicestop",
        "time": 0.0
      },
      {
        "name": "antiav_apioverride_libs",
        "time": 0.0
      },
      {
        "name": "antidebug_guardpages",
        "time": 0.0
      },
      {
        "name": "antidebug_ntcreatethreadex",
        "time": 0.0
      },
      {
        "name": "antiav_nthookengine_libs",
        "time": 0.0
      },
      {
        "name": "antidebug_outputdebugstring",
        "time": 0.0
      },
      {
        "name": "antidebug_setunhandledexceptionfilter",
        "time": 0.0
      },
      {
        "name": "antidebug_windows",
        "time": 0.0
      },
      {
        "name": "antiemu_wine_func",
        "time": 0.0
      },
      {
        "name": "antisandbox_cuckoo",
        "time": 0.0
      },
      {
        "name": "antisandbox_cuckoocrash",
        "time": 0.0
      },
      {
        "name": "antisandbox_foregroundwindows",
        "time": 0.0
      },
      {
        "name": "antisandbox_mouse_hook",
        "time": 0.0
      },
      {
        "name": "mouse_movement_detect",
        "time": 0.0
      },
      {
        "name": "antisandbox_sboxie_libs",
        "time": 0.0
      },
      {
        "name": "antisandbox_sboxie_objects",
        "time": 0.0
      },
      {
        "name": "antisandbox_script_timer",
        "time": 0.0
      },
      {
        "name": "antisandbox_sleep",
        "time": 0.0
      },
      {
        "name": "antisandbox_sunbelt_libs",
        "time": 0.0
      },
      {
        "name": "antisandbox_unhook",
        "time": 0.0
      },
      {
        "name": "hardware_id_profiling",
        "time": 0.0
      },
      {
        "name": "antivm_directory_objects",
        "time": 0.0
      },
      {
        "name": "antivm_display",
        "time": 0.0
      },
      {
        "name": "antivm_generic_disk",
        "time": 0.0
      },
      {
        "name": "antivm_generic_disk_setupapi",
        "time": 0.0
      },
      {
        "name": "antivm_generic_scsi",
        "time": 0.0
      },
      {
        "name": "antivm_generic_services",
        "time": 0.0
      },
      {
        "name": "antivm_generic_system",
        "time": 0.0
      },
      {
        "name": "antivm_checks_available_memory",
        "time": 0.0
      },
      {
        "name": "antivm_network_adapters",
        "time": 0.0
      },
      {
        "name": "detect_virtualization_via_recent_files",
        "time": 0.0
      },
      {
        "name": "antivm_vbox_libs",
        "time": 0.0
      },
      {
        "name": "antivm_vbox_window",
        "time": 0.0
      },
      {
        "name": "antivm_vmware_events",
        "time": 0.0
      },
      {
        "name": "antivm_vmware_libs",
        "time": 0.0
      },
      {
        "name": "antivm_wmi",
        "time": 0.0
      },
      {
        "name": "api_spamming",
        "time": 0.0
      },
      {
        "name": "api_uuidfromstringa",
        "time": 0.0
      },
      {
        "name": "bcdedit_command",
        "time": 0.0
      },
      {
        "name": "bootkit",
        "time": 0.0
      },
      {
        "name": "direct_hdd_access",
        "time": 0.0
      },
      {
        "name": "physical_drive_access",
        "time": 0.0
      },
      {
        "name": "potential_overwrite_mbr",
        "time": 0.0
      },
      {
        "name": "read_file_raw_disk_access",
        "time": 0.0
      },
      {
        "name": "suspicious_iocontrol_codes",
        "time": 0.0
      },
      {
        "name": "browser_needed",
        "time": 0.0
      },
      {
        "name": "firefox_disables_process_tab",
        "time": 0.0
      },
      {
        "name": "amsi_enumeration",
        "time": 0.0
      },
      {
        "name": "regsvr32_squiblydoo_dll_load",
        "time": 0.0
      },
      {
        "name": "suspicious_ntdll_disk_load",
        "time": 0.0
      },
      {
        "name": "direct_syscall_evasion",
        "time": 0.0
      },
      {
        "name": "unbacked_syscall_execution",
        "time": 0.0
      },
      {
        "name": "uac_bypass_cmstp",
        "time": 0.0
      },
      {
        "name": "uac_bypass_eventvwr",
        "time": 0.0
      },
      {
        "name": "uac_bypass_windows_Backup",
        "time": 0.0
      },
      {
        "name": "privilege_elevation_check",
        "time": 0.0
      },
      {
        "name": "queries_computer_name",
        "time": 0.0
      },
      {
        "name": "queries_user_name",
        "time": 0.0
      },
      {
        "name": "creates_largekey",
        "time": 0.0
      },
      {
        "name": "creates_nullvalue",
        "time": 0.0
      },
      {
        "name": "access_windows_passwords_vault",
        "time": 0.0
      },
      {
        "name": "dump_lsa_via_windows_error_reporting",
        "time": 0.0
      },
      {
        "name": "lsass_credential_dumping",
        "time": 0.0
      },
      {
        "name": "critical_process",
        "time": 0.0
      },
      {
        "name": "query_fips_reconnaissance",
        "time": 0.0
      },
      {
        "name": "cryptopool_domains",
        "time": 0.0
      },
      {
        "name": "dead_connect",
        "time": 0.0
      },
      {
        "name": "dead_link",
        "time": 0.0
      },
      {
        "name": "debugs_self",
        "time": 0.0
      },
      {
        "name": "decoy_image",
        "time": 0.0
      },
      {
        "name": "deletes_consolehost_history",
        "time": 0.0
      },
      {
        "name": "deletes_shadow_copies",
        "time": 0.0
      },
      {
        "name": "deletes_system_state_backup",
        "time": 0.0
      },
      {
        "name": "dep_bypass",
        "time": 0.0
      },
      {
        "name": "dep_disable",
        "time": 0.0
      },
      {
        "name": "disables_mappeddrives_autodisconnect",
        "time": 0.0
      },
      {
        "name": "disables_spdy",
        "time": 0.0
      },
      {
        "name": "disables_wfp",
        "time": 0.0
      },
      {
        "name": "add_windows_defender_exclusions",
        "time": 0.0
      },
      {
        "name": "mountpoints_volume_discovery",
        "time": 0.0
      },
      {
        "name": "dll_load_uncommon_file_types",
        "time": 0.0
      },
      {
        "name": "dllload_suspicious_directory",
        "time": 0.0
      },
      {
        "name": "document_script_exe_drop",
        "time": 0.0
      },
      {
        "name": "driver_load",
        "time": 0.0
      },
      {
        "name": "install_kernel_driver_service",
        "time": 0.0
      },
      {
        "name": "malformed_dll_loading",
        "time": 0.0
      },
      {
        "name": "dynamic_function_loading",
        "time": 0.0
      },
      {
        "name": "registers_vectored_exception_handler",
        "time": 0.0
      },
      {
        "name": "exec_crash",
        "time": 0.0
      },
      {
        "name": "process_creation_suspicious_location",
        "time": 0.0
      },
      {
        "name": "exploit_getbasekerneladdress",
        "time": 0.0
      },
      {
        "name": "exploit_gethaldispatchtable",
        "time": 0.0
      },
      {
        "name": "exploit_heapspray",
        "time": 0.0
      },
      {
        "name": "downloads_from_filehosting",
        "time": 0.0
      },
      {
        "name": "generic_phish",
        "time": 0.0
      },
      {
        "name": "http_request",
        "time": 0.0
      },
      {
        "name": "infostealer_browser",
        "time": 0.0
      },
      {
        "name": "infostealer_browser_password",
        "time": 0.0
      },
      {
        "name": "infostealer_cookies",
        "time": 0.0
      },
      {
        "name": "infostealer_keylog",
        "time": 0.0
      },
      {
        "name": "captures_screenshot",
        "time": 0.0
      },
      {
        "name": "injection_createremotethread",
        "time": 0.0
      },
      {
        "name": "creates_suspended_process",
        "time": 0.0
      },
      {
        "name": "injection_explorer",
        "time": 0.0
      },
      {
        "name": "injection_module_stomping_probing",
        "time": 0.0
      },
      {
        "name": "injection_needextension",
        "time": 0.0
      },
      {
        "name": "injection_network_traffic",
        "time": 0.0
      },
      {
        "name": "injection_runpe",
        "time": 0.0
      },
      {
        "name": "section_mapping_injection",
        "time": 0.0
      },
      {
        "name": "injection_themeinitapihook",
        "time": 0.0
      },
      {
        "name": "apc_injection",
        "time": 0.0
      },
      {
        "name": "resumethread_remote_process",
        "time": 0.0
      },
      {
        "name": "injection_write_exe_process",
        "time": 0.0
      },
      {
        "name": "injection_write_process",
        "time": 0.0
      },
      {
        "name": "internet_dropper",
        "time": 0.0
      },
      {
        "name": "interprocess_comms_mutex",
        "time": 0.0
      },
      {
        "name": "interprocess_comms_named_pipe",
        "time": 0.0
      },
      {
        "name": "interprocess_comms_shared_memory",
        "time": 0.0
      },
      {
        "name": "escalate_privilege_via_named_pipe",
        "time": 0.0
      },
      {
        "name": "ipc_namedpipe",
        "time": 0.0
      },
      {
        "name": "js_phish",
        "time": 0.0
      },
      {
        "name": "js_suspicious_redirect",
        "time": 0.0
      },
      {
        "name": "execute_binary_via_internet_explorer_exporter",
        "time": 0.0
      },
      {
        "name": "execute_binary_via_run_exe_helper_utility",
        "time": 0.0
      },
      {
        "name": "execute_ps_via_syncappvpublishingserver",
        "time": 0.0
      },
      {
        "name": "malicious_dynamic_function_loading",
        "time": 0.0
      },
      {
        "name": "reads_memory_remote_process",
        "time": 0.0
      },
      {
        "name": "unbacked_exception_filter",
        "time": 0.0
      },
      {
        "name": "unbacked_process_mitigation_alteration",
        "time": 0.0
      },
      {
        "name": "thread_unbacked_memory",
        "time": 0.0
      },
      {
        "name": "unbacked_api_resolution",
        "time": 0.0
      },
      {
        "name": "unbacked_dotnet_execution",
        "time": 0.0
      },
      {
        "name": "unbacked_library_load",
        "time": 0.0
      },
      {
        "name": "unbacked_memory_apc_execution",
        "time": 0.0
      },
      {
        "name": "unbacked_memory_protection_alteration",
        "time": 0.0
      },
      {
        "name": "unbacked_mutex_creation",
        "time": 0.0
      },
      {
        "name": "unbacked_process_creation",
        "time": 0.0
      },
      {
        "name": "unbacked_veh_registration",
        "time": 0.0
      },
      {
        "name": "unbacked_com_instantiation",
        "time": 0.0
      },
      {
        "name": "unbacked_crypto_operations",
        "time": 0.0
      },
      {
        "name": "unbacked_delay_execution",
        "time": 0.0
      },
      {
        "name": "unbacked_file_dropping",
        "time": 0.0
      },
      {
        "name": "unbacked_process_enumeration",
        "time": 0.0
      },
      {
        "name": "unbacked_registry_modification",
        "time": 0.0
      },
      {
        "name": "unbacked_service_manipulation",
        "time": 0.0
      },
      {
        "name": "unbacked_token_manipulation",
        "time": 0.0
      },
      {
        "name": "unbacked_wmi_execution",
        "time": 0.0
      },
      {
        "name": "unbacked_bind_shell",
        "time": 0.0
      },
      {
        "name": "unbacked_dns_resolution",
        "time": 0.0
      },
      {
        "name": "unbacked_memory_network_connection",
        "time": 0.0
      },
      {
        "name": "unbacked_named_pipe_creation",
        "time": 0.0
      },
      {
        "name": "unbacked_useragent_retrieval",
        "time": 0.0
      },
      {
        "name": "mimics_filetime",
        "time": 0.0
      },
      {
        "name": "amsi_bypass_via_com_registry",
        "time": 0.0
      },
      {
        "name": "access_auto_logons_via_registry",
        "time": 0.0
      },
      {
        "name": "access_boot_key_via_registry",
        "time": 0.0
      },
      {
        "name": "create_suspicious_lnk_files",
        "time": 0.0
      },
      {
        "name": "credential_access_via_windows_credential_history",
        "time": 0.0
      },
      {
        "name": "dll_hijacking_via_microsoft_exchange",
        "time": 0.0
      },
      {
        "name": "dll_hijacking_via_waas_medic_svc_com_typelib",
        "time": 0.0
      },
      {
        "name": "execute_file_downloaded_via_openssh",
        "time": 0.0
      },
      {
        "name": "execute_safe_mode_from_suspicious_process",
        "time": 0.0
      },
      {
        "name": "execute_scripts_via_microsoft_management_console",
        "time": 0.0
      },
      {
        "name": "execute_suspicious_processes_via_windows_mssql_service",
        "time": 0.0
      },
      {
        "name": "execution_from_self_extracting_archive",
        "time": 0.0
      },
      {
        "name": "ip_address_discovery_via_trusted_program",
        "time": 0.0
      },
      {
        "name": "load_dll_via_control_panel",
        "time": 0.0
      },
      {
        "name": "network_connection_via_suspicious_process",
        "time": 0.0
      },
      {
        "name": "potential_location_discovery_via_unusual_process",
        "time": 0.0
      },
      {
        "name": "store_executable_registry",
        "time": 0.0
      },
      {
        "name": "Suspicious_Execution_Via_MicrosoftExchangeTransportAgent",
        "time": 0.0
      },
      {
        "name": "suspicious_java_execution_via_win_scripts",
        "time": 0.0
      },
      {
        "name": "Suspicious_Scheduled_Task_Creation_Via_Masqueraded_XML_File",
        "time": 0.0
      },
      {
        "name": "uses_restart_manager_for_suspicious_activities",
        "time": 0.0
      },
      {
        "name": "modify_desktop_wallpaper",
        "time": 0.0
      },
      {
        "name": "modify_zoneid_ads",
        "time": 0.0
      },
      {
        "name": "move_file_on_reboot",
        "time": 0.0
      },
      {
        "name": "multiple_useragents",
        "time": 0.0
      },
      {
        "name": "network_anomaly",
        "time": 0.0
      },
      {
        "name": "network_bind",
        "time": 0.0
      },
      {
        "name": "etherhiding_smart_contract_call",
        "time": 0.0
      },
      {
        "name": "network_cnc_https_archive",
        "time": 0.0
      },
      {
        "name": "network_cnc_https_free_webhosting",
        "time": 0.0
      },
      {
        "name": "network_cnc_https_generic",
        "time": 0.0
      },
      {
        "name": "network_cnc_https_interactsh",
        "time": 0.0
      },
      {
        "name": "network_cnc_https_opensource",
        "time": 0.0
      },
      {
        "name": "network_cnc_https_pastesite",
        "time": 0.0
      },
      {
        "name": "network_cnc_https_payload",
        "time": 0.0
      },
      {
        "name": "network_cnc_https_serviceinterface",
        "time": 0.0
      },
      {
        "name": "network_cnc_https_socialmedia",
        "time": 0.0
      },
      {
        "name": "network_cnc_https_telegram",
        "time": 0.0
      },
      {
        "name": "network_cnc_https_tempstorage",
        "time": 0.0
      },
      {
        "name": "network_cnc_https_temp_urldns",
        "time": 0.0
      },
      {
        "name": "network_cnc_https_urlshortener",
        "time": 0.0
      },
      {
        "name": "network_cnc_https_useragent",
        "time": 0.0
      },
      {
        "name": "network_cnc_smtps_exfil",
        "time": 0.0
      },
      {
        "name": "network_cnc_smtps_generic",
        "time": 0.0
      },
      {
        "name": "network_dns_idn",
        "time": 0.0
      },
      {
        "name": "network_dns_suspicious_querytype",
        "time": 0.0
      },
      {
        "name": "network_dns_tunneling_request",
        "time": 0.0
      },
      {
        "name": "explorer_http",
        "time": 0.0
      },
      {
        "name": "network_fake_useragent",
        "time": 0.0
      },
      {
        "name": "legitimate_domain_abuse",
        "time": 0.0
      },
      {
        "name": "suspicious_communication_trusted_site",
        "time": 0.0
      },
      {
        "name": "network_tor",
        "time": 0.0
      },
      {
        "name": "office_com_load",
        "time": 0.0
      },
      {
        "name": "office_dotnet_load",
        "time": 0.0
      },
      {
        "name": "office_mshtml_load",
        "time": 0.0
      },
      {
        "name": "office_vb_load",
        "time": 0.0
      },
      {
        "name": "office_wmi_load",
        "time": 0.0
      },
      {
        "name": "office_cve2017_11882_network",
        "time": 0.0
      },
      {
        "name": "office_cve_2021_40444",
        "time": 0.0
      },
      {
        "name": "office_cve_2021_40444_m2",
        "time": 0.0
      },
      {
        "name": "office_flash_load",
        "time": 0.0
      },
      {
        "name": "office_postscript",
        "time": 0.0
      },
      {
        "name": "office_suspicious_processes",
        "time": 0.0
      },
      {
        "name": "decompress_exe",
        "time": 0.0
      },
      {
        "name": "persistence_via_autodial_dll_registry",
        "time": 0.0
      },
      {
        "name": "persistence_autorun",
        "time": 0.0
      },
      {
        "name": "persistence_autorun_tasks",
        "time": 0.0
      },
      {
        "name": "persistence_bootexecute",
        "time": 0.0
      },
      {
        "name": "persistence_registry_script",
        "time": 0.0
      },
      {
        "name": "powershell_download",
        "time": 0.0
      },
      {
        "name": "powershell_request",
        "time": 0.0
      },
      {
        "name": "createtoolhelp32snapshot_module_enumeration",
        "time": 0.0
      },
      {
        "name": "enumerates_running_processes",
        "time": 0.0
      },
      {
        "name": "process_interest",
        "time": 0.0
      },
      {
        "name": "process_needed",
        "time": 0.0
      },
      {
        "name": "ransomware_iocp_asynchronous_encryption",
        "time": 0.0
      },
      {
        "name": "kernel_crypto_driver_abuse",
        "time": 0.0
      },
      {
        "name": "mass_data_encryption",
        "time": 0.0
      },
      {
        "name": "ransomware_extension_hijack",
        "time": 0.0
      },
      {
        "name": "mass_file_modification_access",
        "time": 0.0
      },
      {
        "name": "ransomware_attribute_stripping",
        "time": 0.0
      },
      {
        "name": "ransomware_file_modifications",
        "time": 0.0
      },
      {
        "name": "mass_ransom_note_drop",
        "time": 0.0
      },
      {
        "name": "ransomware_message",
        "time": 0.0
      },
      {
        "name": "recon_beacon",
        "time": 0.0
      },
      {
        "name": "recon_programs",
        "time": 0.0
      },
      {
        "name": "recon_systeminfo",
        "time": 0.0
      },
      {
        "name": "accesses_recyclebin",
        "time": 0.0
      },
      {
        "name": "script_created_process",
        "time": 0.0
      },
      {
        "name": "script_network_activity",
        "time": 0.0
      },
      {
        "name": "suspicious_js_script",
        "time": 0.0
      },
      {
        "name": "javascript_timer",
        "time": 0.0
      },
      {
        "name": "secure_login_phishing",
        "time": 0.0
      },
      {
        "name": "securityxploded_modules",
        "time": 0.0
      },
      {
        "name": "get_clipboard_data",
        "time": 0.0
      },
      {
        "name": "sets_autoconfig_url",
        "time": 0.0
      },
      {
        "name": "spoofs_procname",
        "time": 0.0
      },
      {
        "name": "stack_pivot",
        "time": 0.0
      },
      {
        "name": "stack_pivot_file_created",
        "time": 0.0
      },
      {
        "name": "stack_pivot_process_create",
        "time": 0.0
      },
      {
        "name": "set_clipboard_data",
        "time": 0.0
      },
      {
        "name": "stealth_childproc",
        "time": 0.0
      },
      {
        "name": "stealth_system_procname",
        "time": 0.0
      },
      {
        "name": "stealth_timeout",
        "time": 0.0
      },
      {
        "name": "stealth_window",
        "time": 0.0
      },
      {
        "name": "queries_keyboard_layout",
        "time": 0.0
      },
      {
        "name": "queries_locale_api",
        "time": 0.0
      },
      {
        "name": "terminates_remote_process",
        "time": 0.0
      },
      {
        "name": "uiautomationcore_load",
        "time": 0.0
      },
      {
        "name": "user_enum",
        "time": 0.0
      },
      {
        "name": "mmc_dll_script_load",
        "time": 0.0
      },
      {
        "name": "mmc_dotnet_load",
        "time": 0.0
      },
      {
        "name": "virus",
        "time": 0.0
      },
      {
        "name": "webmail_phish",
        "time": 0.0
      },
      {
        "name": "persists_dev_util",
        "time": 0.0
      },
      {
        "name": "spawns_dev_util",
        "time": 0.0
      },
      {
        "name": "alters_windows_utility",
        "time": 0.0
      },
      {
        "name": "overwrites_accessibility_utility",
        "time": 0.0
      },
      {
        "name": "Potential_Lateral_Movement_Via_SMBEXEC",
        "time": 0.0
      },
      {
        "name": "potential_WebShell_Via_ScreenConnectServer",
        "time": 0.0
      },
      {
        "name": "uses_Microsoft_HTML_Help_Executable",
        "time": 0.0
      },
      {
        "name": "wiper_zeroedbytes",
        "time": 0.0
      },
      {
        "name": "wmi_create_process",
        "time": 0.0
      },
      {
        "name": "wmi_script_process",
        "time": 0.0
      },
      {
        "name": "deletes_files",
        "time": 0.0
      },
      {
        "name": "drops_files",
        "time": 0.0
      },
      {
        "name": "reads_files",
        "time": 0.0
      },
      {
        "name": "writes_files",
        "time": 0.0
      },
      {
        "name": "antianalysis_tls_section",
        "time": 0.0
      },
      {
        "name": "antivirus_clamav",
        "time": 0.0
      },
      {
        "name": "antivirus_virustotal",
        "time": 0.0
      },
      {
        "name": "bad_certs",
        "time": 0.0
      },
      {
        "name": "bad_ssl_certs",
        "time": 0.0
      },
      {
        "name": "banker_zeus_p2p",
        "time": 0.0
      },
      {
        "name": "banker_zeus_url",
        "time": 0.0
      },
      {
        "name": "bot_athenahttp",
        "time": 0.0
      },
      {
        "name": "bot_dirtjumper",
        "time": 0.0
      },
      {
        "name": "bot_drive",
        "time": 0.0
      },
      {
        "name": "bot_drive2",
        "time": 0.0
      },
      {
        "name": "bot_madness",
        "time": 0.0
      },
      {
        "name": "byod_loldrivers_match",
        "time": 0.0
      },
      {
        "name": "byod_novel_driver",
        "time": 0.0
      },
      {
        "name": "byod_post_load_exploitation",
        "time": 0.0
      },
      {
        "name": "byod_driver_service_install",
        "time": 0.0
      },
      {
        "name": "com_spawned_process",
        "time": 0.0
      },
      {
        "name": "family_proxyback",
        "time": 0.0
      },
      {
        "name": "flare_capa_antianalysis",
        "time": 0.0
      },
      {
        "name": "flare_capa_collection",
        "time": 0.0
      },
      {
        "name": "flare_capa_communication",
        "time": 0.0
      },
      {
        "name": "flare_capa_compiler",
        "time": 0.0
      },
      {
        "name": "flare_capa_datamanipulation",
        "time": 0.0
      },
      {
        "name": "flare_capa_executable",
        "time": 0.0
      },
      {
        "name": "flare_capa_hostinteraction",
        "time": 0.0
      },
      {
        "name": "flare_capa_impact",
        "time": 0.0
      },
      {
        "name": "flare_capa_lib",
        "time": 0.0
      },
      {
        "name": "flare_capa_linking",
        "time": 0.0
      },
      {
        "name": "flare_capa_loadcode",
        "time": 0.0
      },
      {
        "name": "flare_capa_malwarefamily",
        "time": 0.0
      },
      {
        "name": "flare_capa_nursery",
        "time": 0.0
      },
      {
        "name": "flare_capa_persistence",
        "time": 0.0
      },
      {
        "name": "flare_capa_runtime",
        "time": 0.0
      },
      {
        "name": "flare_capa_targeting",
        "time": 0.0
      },
      {
        "name": "threatfox",
        "time": 0.0
      },
      {
        "name": "log4shell",
        "time": 0.0
      },
      {
        "name": "mimics_extension",
        "time": 0.0
      },
      {
        "name": "network_ip_exe",
        "time": 0.0
      },
      {
        "name": "network_dga",
        "time": 0.0
      },
      {
        "name": "network_dga_fraunhofer",
        "time": 0.0
      },
      {
        "name": "network_dyndns",
        "time": 0.0
      },
      {
        "name": "network_icmp",
        "time": 0.0
      },
      {
        "name": "network_irc",
        "time": 0.0
      },
      {
        "name": "network_open_proxy",
        "time": 0.0
      },
      {
        "name": "network_smtp",
        "time": 0.0
      },
      {
        "name": "network_torgateway",
        "time": 0.0
      },
      {
        "name": "origin_langid",
        "time": 0.0
      },
      {
        "name": "origin_resource_langid",
        "time": 0.0
      },
      {
        "name": "overlay",
        "time": 0.0
      },
      {
        "name": "pe_deep_entrypoint",
        "time": 0.0
      },
      {
        "name": "packer_unknown_pe_section_name",
        "time": 0.0
      },
      {
        "name": "packer_aspack",
        "time": 0.0
      },
      {
        "name": "packer_aspirecrypt",
        "time": 0.0
      },
      {
        "name": "packer_bedsprotector",
        "time": 0.0
      },
      {
        "name": "packer_confuser",
        "time": 0.0
      },
      {
        "name": "packer_enigma",
        "time": 0.0
      },
      {
        "name": "packer_entropy",
        "time": 0.0
      },
      {
        "name": "packer_mpress",
        "time": 0.0
      },
      {
        "name": "packer_nate",
        "time": 0.0
      },
      {
        "name": "packer_nspack",
        "time": 0.0
      },
      {
        "name": "packer_smartassembly",
        "time": 0.0
      },
      {
        "name": "packer_spices",
        "time": 0.0
      },
      {
        "name": "packer_themida",
        "time": 0.0
      },
      {
        "name": "packer_titan",
        "time": 0.0
      },
      {
        "name": "packer_upx",
        "time": 0.0
      },
      {
        "name": "packer_vmprotect",
        "time": 0.0
      },
      {
        "name": "packer_yoda",
        "time": 0.0
      },
      {
        "name": "pe_cert_invalid_signature",
        "time": 0.0
      },
      {
        "name": "pe_cert_self_signed",
        "time": 0.0
      },
      {
        "name": "pe_cert_suspicious_issuer",
        "time": 0.0
      },
      {
        "name": "punch_plus_plus_pcres",
        "time": 0.0
      },
      {
        "name": "procmem_yara",
        "time": 0.0
      },
      {
        "name": "recon_checkip",
        "time": 0.0
      },
      {
        "name": "sigma_events",
        "time": 0.0
      },
      {
        "name": "static_authenticode",
        "time": 0.0
      },
      {
        "name": "invalid_authenticode_signature",
        "time": 0.0
      },
      {
        "name": "static_dotnet_anomaly",
        "time": 0.0
      },
      {
        "name": "static_java",
        "time": 0.0
      },
      {
        "name": "static_pdf",
        "time": 0.0
      },
      {
        "name": "contains_pe_overlay",
        "time": 0.0
      },
      {
        "name": "static_pe_anomaly",
        "time": 0.0
      },
      {
        "name": "pe_compile_timestomping",
        "time": 0.0
      },
      {
        "name": "static_pe_pdbpath",
        "time": 0.0
      },
      {
        "name": "static_rat_config",
        "time": 0.0
      },
      {
        "name": "static_versioninfo_anomaly",
        "time": 0.0
      },
      {
        "name": "browser_credential_theft_headless",
        "time": 0.0
      },
      {
        "name": "suricata_alert",
        "time": 0.0
      },
      {
        "name": "volatility_devicetree_1",
        "time": 0.0
      },
      {
        "name": "volatility_handles_1",
        "time": 0.0
      },
      {
        "name": "volatility_ldrmodules_1",
        "time": 0.0
      },
      {
        "name": "volatility_ldrmodules_2",
        "time": 0.0
      },
      {
        "name": "volatility_malfind_1",
        "time": 0.0
      },
      {
        "name": "volatility_malfind_2",
        "time": 0.0
      },
      {
        "name": "volatility_modscan_1",
        "time": 0.0
      },
      {
        "name": "volatility_svcscan_1",
        "time": 0.0
      },
      {
        "name": "volatility_svcscan_2",
        "time": 0.0
      },
      {
        "name": "volatility_svcscan_3",
        "time": 0.0
      },
      {
        "name": "whois_create",
        "time": 0.0
      },
      {
        "name": "accesses_mailslot",
        "time": 0.0
      },
      {
        "name": "accesses_netlogon_regkey",
        "time": 0.001
      },
      {
        "name": "accesses_public_folder",
        "time": 0.0
      },
      {
        "name": "accesses_sysvol",
        "time": 0.0
      },
      {
        "name": "writes_sysvol",
        "time": 0.0
      },
      {
        "name": "adds_admin_user",
        "time": 0.0
      },
      {
        "name": "adds_user",
        "time": 0.0
      },
      {
        "name": "overwrites_admin_password",
        "time": 0.0
      },
      {
        "name": "antianalysis_detectfile",
        "time": 0.004
      },
      {
        "name": "antianalysis_detectreg",
        "time": 0.086
      },
      {
        "name": "modify_attachment_manager",
        "time": 0.0
      },
      {
        "name": "antiav_detectfile",
        "time": 0.007
      },
      {
        "name": "antiav_detectreg",
        "time": 0.399
      },
      {
        "name": "antiav_srp",
        "time": 0.0
      },
      {
        "name": "antiav_whitespace",
        "time": 0.0
      },
      {
        "name": "antidebug_devices",
        "time": 0.001
      },
      {
        "name": "antiemu_windefend",
        "time": 0.0
      },
      {
        "name": "antiemu_wine_reg",
        "time": 0.0
      },
      {
        "name": "antisandbox_cuckoo_files",
        "time": 0.0
      },
      {
        "name": "antisandbox_fortinet_files",
        "time": 0.0
      },
      {
        "name": "antisandbox_joe_anubis_files",
        "time": 0.0
      },
      {
        "name": "antisandbox_sboxie_mutex",
        "time": 0.0
      },
      {
        "name": "antisandbox_sunbelt_files",
        "time": 0.0
      },
      {
        "name": "antisandbox_threattrack_files",
        "time": 0.0
      },
      {
        "name": "antivm_bochs_keys",
        "time": 0.007
      },
      {
        "name": "antivm_generic_bios",
        "time": 0.006
      },
      {
        "name": "antivm_generic_diskreg",
        "time": 0.016
      },
      {
        "name": "antivm_hyperv_keys",
        "time": 0.008
      },
      {
        "name": "antivm_parallels_keys",
        "time": 0.024
      },
      {
        "name": "antivm_recentdocs",
        "time": 0.0
      },
      {
        "name": "antivm_vbox_devices",
        "time": 0.001
      },
      {
        "name": "antivm_vbox_files",
        "time": 0.003
      },
      {
        "name": "antivm_vbox_keys",
        "time": 0.045
      },
      {
        "name": "antivm_vmware_devices",
        "time": 0.0
      },
      {
        "name": "antivm_vmware_files",
        "time": 0.001
      },
      {
        "name": "antivm_vmware_keys",
        "time": 0.031
      },
      {
        "name": "antivm_vmware_mutexes",
        "time": 0.0
      },
      {
        "name": "antivm_vpc_files",
        "time": 0.0
      },
      {
        "name": "antivm_vpc_keys",
        "time": 0.015
      },
      {
        "name": "antivm_vpc_mutex",
        "time": 0.0
      },
      {
        "name": "antivm_xen_keys",
        "time": 0.023
      },
      {
        "name": "ketrican_regkeys",
        "time": 0.003
      },
      {
        "name": "bitcoin_opencl",
        "time": 0.0
      },
      {
        "name": "enumerates_physical_drives",
        "time": 0.0
      },
      {
        "name": "bot_russkill",
        "time": 0.0
      },
      {
        "name": "browser_addon",
        "time": 0.0
      },
      {
        "name": "chromium_browser_extension_directory",
        "time": 0.0
      },
      {
        "name": "browser_helper_object",
        "time": 0.0
      },
      {
        "name": "browser_security",
        "time": 0.0
      },
      {
        "name": "browser_startpage",
        "time": 0.0
      },
      {
        "name": "executes_headless_browser",
        "time": 0.0
      },
      {
        "name": "suspicious_browser_arguments",
        "time": 0.0
      },
      {
        "name": "ie_disables_process_tab",
        "time": 0.0
      },
      {
        "name": "odbcconf_bypass",
        "time": 0.002
      },
      {
        "name": "squiblydoo_bypass",
        "time": 0.0
      },
      {
        "name": "squiblytwo_bypass",
        "time": 0.0
      },
      {
        "name": "bypass_chromium_protection",
        "time": 0.0
      },
      {
        "name": "bypass_firewall",
        "time": 0.008
      },
      {
        "name": "checks_uac_status",
        "time": 0.001
      },
      {
        "name": "uac_bypass_cmstpcom",
        "time": 0.001
      },
      {
        "name": "uac_bypass_delegateexecute_sdclt",
        "time": 0.0
      },
      {
        "name": "uac_bypass_fodhelper",
        "time": 0.0
      },
      {
        "name": "cape_extracted_content",
        "time": 0.0
      },
      {
        "name": "clears_logs",
        "time": 0.0
      },
      {
        "name": "cmdline_obfuscation",
        "time": 0.0
      },
      {
        "name": "cmdline_switches",
        "time": 0.0
      },
      {
        "name": "cmdline_terminate",
        "time": 0.0
      },
      {
        "name": "cmdline_forfiles_wildcard",
        "time": 0.0
      },
      {
        "name": "cmdline_http_link",
        "time": 0.0
      },
      {
        "name": "cmdline_long_string",
        "time": 0.0
      },
      {
        "name": "cmdline_reversed_http_link",
        "time": 0.0
      },
      {
        "name": "long_commandline",
        "time": 0.0
      },
      {
        "name": "powershell_renamed_commandline",
        "time": 0.0
      },
      {
        "name": "copies_self",
        "time": 0.0
      },
      {
        "name": "credwiz_credentialaccess",
        "time": 0.0
      },
      {
        "name": "enables_wdigest",
        "time": 0.0
      },
      {
        "name": "vaultcmd_credentialaccess",
        "time": 0.0
      },
      {
        "name": "file_credential_store_access",
        "time": 0.0
      },
      {
        "name": "file_credential_store_write",
        "time": 0.0
      },
      {
        "name": "kerberos_credential_access_via_rubeus",
        "time": 0.0
      },
      {
        "name": "registry_credential_dumping",
        "time": 0.0
      },
      {
        "name": "registry_lsa_secrets_access",
        "time": 0.001
      },
      {
        "name": "comsvcs_credentialdump",
        "time": 0.0
      },
      {
        "name": "cryptomining_stratum_command",
        "time": 0.0
      },
      {
        "name": "deepfreeze_mutex",
        "time": 0.0
      },
      {
        "name": "deletes_executed_files",
        "time": 0.0
      },
      {
        "name": "disables_app_launch",
        "time": 0.0
      },
      {
        "name": "disables_auto_app_termination",
        "time": 0.0
      },
      {
        "name": "disables_appv_virtualization",
        "time": 0.0
      },
      {
        "name": "disables_backups",
        "time": 0.0
      },
      {
        "name": "disables_browser_warn",
        "time": 0.0
      },
      {
        "name": "disables_context_menus",
        "time": 0.0
      },
      {
        "name": "disables_cpl_disable",
        "time": 0.0
      },
      {
        "name": "disables_crashdumps",
        "time": 0.0
      },
      {
        "name": "disables_event_logging",
        "time": 0.0
      },
      {
        "name": "disables_folder_options",
        "time": 0.0
      },
      {
        "name": "disables_notificationcenter",
        "time": 0.0
      },
      {
        "name": "disables_power_options",
        "time": 0.0
      },
      {
        "name": "disables_restore_default_state",
        "time": 0.0
      },
      {
        "name": "disables_run_command",
        "time": 0.0
      },
      {
        "name": "disables_smartscreen",
        "time": 0.0
      },
      {
        "name": "disables_startmenu_search",
        "time": 0.0
      },
      {
        "name": "disables_system_restore",
        "time": 0.0
      },
      {
        "name": "disables_uac",
        "time": 0.0
      },
      {
        "name": "disables_wer",
        "time": 0.0
      },
      {
        "name": "disables_windows_defender",
        "time": 0.0
      },
      {
        "name": "disables_windows_defender_logging",
        "time": 0.001
      },
      {
        "name": "removes_windows_defender_contextmenu",
        "time": 0.001
      },
      {
        "name": "removes_windows_defender_updates",
        "time": 0.0
      },
      {
        "name": "windows_defender_powershell",
        "time": 0.0
      },
      {
        "name": "disables_windows_file_protection",
        "time": 0.0
      },
      {
        "name": "disables_windowsupdate",
        "time": 0.0
      },
      {
        "name": "disables_winfirewall",
        "time": 0.0
      },
      {
        "name": "folder_enumeration",
        "time": 0.001
      },
      {
        "name": "discover_registry_mount_points",
        "time": 0.001
      },
      {
        "name": "adfind_domain_enumeration",
        "time": 0.0
      },
      {
        "name": "domain_enumeration_commands",
        "time": 0.0
      },
      {
        "name": "driver_filtermanager",
        "time": 0.0
      },
      {
        "name": "dropper",
        "time": 0.0
      },
      {
        "name": "dll_archive_execution",
        "time": 0.0
      },
      {
        "name": "lnk_archive_execution",
        "time": 0.0
      },
      {
        "name": "script_archive_execution",
        "time": 0.0
      },
      {
        "name": "excel4_macro_urls",
        "time": 0.0
      },
      {
        "name": "escalate_privilege_via_ntlm_relay",
        "time": 0.0
      },
      {
        "name": "spooler_access",
        "time": 0.0
      },
      {
        "name": "spooler_svc_start",
        "time": 0.0
      },
      {
        "name": "mapped_drives_uac",
        "time": 0.0
      },
      {
        "name": "hides_recycle_bin_icon",
        "time": 0.0
      },
      {
        "name": "infostealer_bitcoin",
        "time": 0.004
      },
      {
        "name": "infostealer_ftp",
        "time": 0.138
      },
      {
        "name": "infostealer_im",
        "time": 0.078
      },
      {
        "name": "infostealer_mail",
        "time": 0.015
      },
      {
        "name": "Evade_Execution_Via_ASPNet_Compiler",
        "time": 0.0
      },
      {
        "name": "Evade_Execute_Via_DeviceCredentialDeployment",
        "time": 0.0
      },
      {
        "name": "Evade_Execution_Via_Filter_Manager_Control",
        "time": 0.0
      },
      {
        "name": "Evade_Execution_Via_Intel_GFXDownloadWrapper",
        "time": 0.0
      },
      {
        "name": "execute_binary_via_appvlp",
        "time": 0.0
      },
      {
        "name": "execute_binary_via_pcalua",
        "time": 0.0
      },
      {
        "name": "Execute_Binary_Via_OpenSSH",
        "time": 0.0
      },
      {
        "name": "execute_binary_via_pcalua",
        "time": 0.0
      },
      {
        "name": "Execute_Binary_Via_PesterPSModule",
        "time": 0.0
      },
      {
        "name": "Execute_Binary_Via_ScriptRunner",
        "time": 0.0
      },
      {
        "name": "execute_binary_via_ttdinject",
        "time": 0.0
      },
      {
        "name": "Execute_Binary_Via_VisualStudioLiveShare",
        "time": 0.0
      },
      {
        "name": "Execute_Msiexec_Via_Explorer",
        "time": 0.0
      },
      {
        "name": "execute_remote_msi",
        "time": 0.0
      },
      {
        "name": "execute_suspicious_powershell_via_runscripthelper",
        "time": 0.0
      },
      {
        "name": "execute_suspicious_powershell_via_sqlps",
        "time": 0.0
      },
      {
        "name": "Indirect_Command_Execution_Via_ConsoleWindowHost",
        "time": 0.0
      },
      {
        "name": "Perform_Malicious_Activities_Via_Headless_Browser",
        "time": 0.0
      },
      {
        "name": "Register_DLL_Via_CertOC",
        "time": 0.0
      },
      {
        "name": "Register_DLL_Via_MSIEXEC",
        "time": 0.0
      },
      {
        "name": "Register_DLL_Via_Odbcconf",
        "time": 0.0
      },
      {
        "name": "Scriptlet_Proxy_Execution_Via_Pubprn",
        "time": 0.0
      },
      {
        "name": "ie_martian_children",
        "time": 0.0
      },
      {
        "name": "office_martian_children",
        "time": 0.0
      },
      {
        "name": "mimics_icon",
        "time": 0.0
      },
      {
        "name": "masquerade_process_name",
        "time": 0.009
      },
      {
        "name": "mimikatz_modules",
        "time": 0.0
      },
      {
        "name": "ms_office_cmd_rce",
        "time": 0.0
      },
      {
        "name": "mount_copy_to_webdav_share",
        "time": 0.0
      },
      {
        "name": "potential_protocol_tunneling_via_legit_utilities",
        "time": 0.0
      },
      {
        "name": "potential_protocol_tunneling_via_qemu",
        "time": 0.0
      },
      {
        "name": "suspicious_execution_via_dotnet_remoting",
        "time": 0.0
      },
      {
        "name": "dotnet_clr_usagelog_regkeys",
        "time": 0.0
      },
      {
        "name": "modify_hostfile",
        "time": 0.0
      },
      {
        "name": "modify_oem_information",
        "time": 0.0
      },
      {
        "name": "modify_security_center_warnings",
        "time": 0.0
      },
      {
        "name": "modify_uac_prompt",
        "time": 0.0
      },
      {
        "name": "network_dns_blockchain",
        "time": 0.0
      },
      {
        "name": "network_dns_opennic",
        "time": 0.0
      },
      {
        "name": "network_dns_paste_site",
        "time": 0.0
      },
      {
        "name": "network_dns_reverse_proxy",
        "time": 0.0
      },
      {
        "name": "network_dns_temp_file_storage",
        "time": 0.0
      },
      {
        "name": "network_dns_temp_urldns",
        "time": 0.0
      },
      {
        "name": "network_dns_url_shortener",
        "time": 0.0
      },
      {
        "name": "network_dns_doh_tls",
        "time": 0.0
      },
      {
        "name": "suspicious_tld",
        "time": 0.0
      },
      {
        "name": "network_tor_service",
        "time": 0.0
      },
      {
        "name": "office_code_page",
        "time": 0.0
      },
      {
        "name": "office_addinloading",
        "time": 0.0
      },
      {
        "name": "office_perfkey",
        "time": 0.0
      },
      {
        "name": "office_macro",
        "time": 0.0
      },
      {
        "name": "changes_trust_center_settings",
        "time": 0.0
      },
      {
        "name": "disables_vba_trust_access",
        "time": 0.0
      },
      {
        "name": "office_macro_autoexecution",
        "time": 0.0
      },
      {
        "name": "office_macro_ioc",
        "time": 0.0
      },
      {
        "name": "office_macro_malicious_prediction",
        "time": 0.0
      },
      {
        "name": "office_macro_suspicious",
        "time": 0.0
      },
      {
        "name": "rtf_aslr_bypass",
        "time": 0.0
      },
      {
        "name": "rtf_anomaly_characterset",
        "time": 0.0
      },
      {
        "name": "rtf_anomaly_version",
        "time": 0.0
      },
      {
        "name": "rtf_embedded_content",
        "time": 0.0
      },
      {
        "name": "rtf_embedded_office_file",
        "time": 0.0
      },
      {
        "name": "rtf_exploit_static",
        "time": 0.0
      },
      {
        "name": "office_security",
        "time": 0.0
      },
      {
        "name": "accesses_office_username",
        "time": 0.001
      },
      {
        "name": "office_anomalous_feature",
        "time": 0.0
      },
      {
        "name": "office_dde_command",
        "time": 0.0
      },
      {
        "name": "packer_armadillo_mutex",
        "time": 0.0
      },
      {
        "name": "packer_armadillo_regkey",
        "time": 0.001
      },
      {
        "name": "persistence_ads",
        "time": 0.0
      },
      {
        "name": "persistence_safeboot",
        "time": 0.0
      },
      {
        "name": "persistence_ifeo",
        "time": 0.0
      },
      {
        "name": "persistence_silent_process_exit",
        "time": 0.0
      },
      {
        "name": "persistence_rdp_registry",
        "time": 0.0
      },
      {
        "name": "persistence_rdp_shadowing",
        "time": 0.0
      },
      {
        "name": "persistence_service",
        "time": 0.0
      },
      {
        "name": "persistence_shim_database",
        "time": 0.0
      },
      {
        "name": "powershell_scriptblock_logging",
        "time": 0.0
      },
      {
        "name": "powershell_command_suspicious",
        "time": 0.0
      },
      {
        "name": "powershell_history_save_mod",
        "time": 0.0
      },
      {
        "name": "powershell_renamed",
        "time": 0.0
      },
      {
        "name": "powershell_reversed",
        "time": 0.0
      },
      {
        "name": "powershell_variable_obfuscation",
        "time": 0.0
      },
      {
        "name": "prevents_safeboot",
        "time": 0.0
      },
      {
        "name": "cmdline_process_discovery",
        "time": 0.0
      },
      {
        "name": "ransomware_extensions_generic",
        "time": 0.0
      },
      {
        "name": "ransomware_extensions_known",
        "time": 0.002
      },
      {
        "name": "ransomware_files",
        "time": 0.004
      },
      {
        "name": "ransomware_recyclebin",
        "time": 0.0
      },
      {
        "name": "ransomware_revil_regkey",
        "time": 0.0
      },
      {
        "name": "reads_password_database",
        "time": 0.0
      },
      {
        "name": "recon_fingerprint",
        "time": 0.003
      },
      {
        "name": "rdptcp_key",
        "time": 0.0
      },
      {
        "name": "uses_rdp_clip",
        "time": 0.0
      },
      {
        "name": "uses_remote_desktop_session",
        "time": 0.0
      },
      {
        "name": "removes_networking_icon",
        "time": 0.0
      },
      {
        "name": "removes_pinned_programs",
        "time": 0.0
      },
      {
        "name": "removes_security_maintenance_icon",
        "time": 0.0
      },
      {
        "name": "removes_startmenu_defaults",
        "time": 0.0
      },
      {
        "name": "removes_username_startmenu",
        "time": 0.0
      },
      {
        "name": "sniffer_winpcap",
        "time": 0.0
      },
      {
        "name": "spreading_autoruninf",
        "time": 0.0
      },
      {
        "name": "stealth_hidden_extension",
        "time": 0.0
      },
      {
        "name": "stealth_hiddenreg",
        "time": 0.0
      },
      {
        "name": "stealth_hide_notifications",
        "time": 0.0
      },
      {
        "name": "stealth_webhistory",
        "time": 0.0
      },
      {
        "name": "sysinternals_psexec",
        "time": 0.0
      },
      {
        "name": "sysinternals_tools",
        "time": 0.0
      },
      {
        "name": "language_check_registry",
        "time": 0.0
      },
      {
        "name": "tampers_etw",
        "time": 0.0
      },
      {
        "name": "lsa_tampering",
        "time": 0.0
      },
      {
        "name": "tampers_powershell_logging",
        "time": 0.0
      },
      {
        "name": "territorial_disputes_sigs",
        "time": 0.132
      },
      {
        "name": "uses_adfind",
        "time": 0.0
      },
      {
        "name": "uses_ms_protocol",
        "time": 0.0
      },
      {
        "name": "owa_web_shell_files",
        "time": 0.0
      },
      {
        "name": "web_shell_files",
        "time": 0.0
      },
      {
        "name": "web_shell_processes",
        "time": 0.0
      },
      {
        "name": "dotnet_csc_build",
        "time": 0.0
      },
      {
        "name": "mavinject_lolbin",
        "time": 0.0
      },
      {
        "name": "multiple_explorer_instances",
        "time": 0.0
      },
      {
        "name": "script_tool_executed",
        "time": 0.0
      },
      {
        "name": "suspicious_certutil_use",
        "time": 0.0
      },
      {
        "name": "suspicious_command_tools",
        "time": 0.007
      },
      {
        "name": "suspicious_mpcmdrun_use",
        "time": 0.0
      },
      {
        "name": "suspicious_ping_use",
        "time": 0.0
      },
      {
        "name": "uses_powershell_copyitem",
        "time": 0.0
      },
      {
        "name": "uses_windows_utilities",
        "time": 0.007
      },
      {
        "name": "uses_windows_utilities_appcmd",
        "time": 0.0
      },
      {
        "name": "uses_windows_utilities_csvde_ldifde",
        "time": 0.0
      },
      {
        "name": "uses_windows_utilities_cipher",
        "time": 0.0
      },
      {
        "name": "uses_windows_utilities_clickonce",
        "time": 0.0
      },
      {
        "name": "uses_windows_utilities_curl",
        "time": 0.0
      },
      {
        "name": "uses_windows_utilities_dsquery",
        "time": 0.0
      },
      {
        "name": "uses_windows_utilities_esentutl",
        "time": 0.0
      },
      {
        "name": "uses_windows_utilities_finger",
        "time": 0.0
      },
      {
        "name": "uses_windows_utilities_mode",
        "time": 0.0
      },
      {
        "name": "uses_windows_utilities_ntdsutil",
        "time": 0.0
      },
      {
        "name": "uses_windows_utilities_nltest",
        "time": 0.0
      },
      {
        "name": "uses_windows_utilities_setx",
        "time": 0.0
      },
      {
        "name": "uses_windows_utilities_xcopy",
        "time": 0.0
      },
      {
        "name": "wmic_command_suspicious",
        "time": 0.0
      },
      {
        "name": "scrcons_wmi_script_consumer",
        "time": 0.0
      }
    ],
    "reporting": [
      {
        "name": "BinGraph",
        "time": 0.0
      }
    ]
  },
  "CAPE": {
    "payloads": [],
    "configs": []
  },
  "info": {
    "version": "2.5",
    "started": "2026-05-28 18:01:45",
    "ended": "2026-05-28 18:03:34",
    "duration": 109,
    "id": 13,
    "category": "url",
    "custom": "",
    "machine": {
      "id": 10,
      "status": "stopping",
      "name": "cuckoo1",
      "label": "cuckoo1",
      "platform": "windows",
      "manager": "KVM",
      "started_on": "2026-05-28 18:01:45",
      "shutdown_on": "2026-05-28 18:03:34"
    },
    "package": "edge",
    "timeout": false,
    "tlp": null,
    "parent_sample": null,
    "options": {
      "interactive": "1",
      "nohuman": "yes",
      "vnc_port": "5910"
    },
    "source_url": null,
    "route": "none",
    "user_id": 1,
    "CAPE_current_commit": "e261551257b77d1ae36b689efcf9b3d0af4476c2"
  },
  "behavior": {
    "processes": [
      {
        "process_id": 4584,
        "process_name": "explorer.exe",
        "parent_id": 4556,
        "module_path": "C:\\Windows\\explorer.exe",
        "first_seen": "2026-05-28 22:01:50,343",
        "calls": [
          {
            "timestamp": "2026-05-28 22:01:51,889",
            "thread_id": "4884",
            "caller": "0x7ffc7571c386",
            "parentcaller": "0x7ffc7571c232",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x000020d4"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x0a7d0000"
              },
              {
                "name": "SectionOffset",
                "value": "0x076ef520"
              },
              {
                "name": "ViewSize",
                "value": "0x00010000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 0
          },
          {
            "timestamp": "2026-05-28 22:01:51,889",
            "thread_id": "4884",
            "caller": "0x7ffc77fde715",
            "parentcaller": "0x7ffc77fde37b",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x0d623000"
              },
              {
                "name": "RegionSize",
                "value": "0x00011000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1
          },
          {
            "timestamp": "2026-05-28 22:01:51,889",
            "thread_id": "4884",
            "caller": "0x7ffc7571c386",
            "parentcaller": "0x7ffc7571c232",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x000020d4"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x0a7d0000"
              },
              {
                "name": "SectionOffset",
                "value": "0x076ef520"
              },
              {
                "name": "ViewSize",
                "value": "0x00010000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 2
          },
          {
            "timestamp": "2026-05-28 22:01:51,889",
            "thread_id": "4884",
            "caller": "0x7ffc5e7ed59f",
            "parentcaller": "0x7ffc5e82c80c",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000020d4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00120089",
                "pretty_value": "FILE_GENERIC_READ"
              },
              {
                "name": "FileName",
                "value": "\\Device\\Bam"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 3
          },
          {
            "timestamp": "2026-05-28 22:01:51,952",
            "thread_id": "5208",
            "caller": "0x7ffc77be92b9",
            "parentcaller": "0x7ffc77beaff0",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "00000352-0000-0000-C000-000000000046"
              },
              {
                "name": "ClsContext",
                "value": "0x00000403",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER|CLSCTX_NO_CODE_DOWNLOAD"
              },
              {
                "name": "riid",
                "value": "00000003-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 4
          },
          {
            "timestamp": "2026-05-28 22:01:52,436",
            "thread_id": "4636",
            "caller": "0x7ffc77be92b9",
            "parentcaller": "0x7ffc77c2224d",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "00000339-0000-0000-C000-000000000046"
              },
              {
                "name": "ClsContext",
                "value": "0x00000403",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER|CLSCTX_NO_CODE_DOWNLOAD"
              },
              {
                "name": "riid",
                "value": "00000003-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 5
          },
          {
            "timestamp": "2026-05-28 22:01:52,452",
            "thread_id": "4636",
            "caller": "0x7ffc62963ec2",
            "parentcaller": "0x7ffc77b9b8f1",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "6C3EE638-B588-4D7D-B30A-E7E36759305D"
              },
              {
                "name": "ClsContext",
                "value": "0x00000004",
                "pretty_value": "CLSCTX_LOCAL_SERVER"
              },
              {
                "name": "riid",
                "value": "54E4C428-D1D4-47D4-ADE6-46C829114A7D"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 6
          },
          {
            "timestamp": "2026-05-28 22:01:52,452",
            "thread_id": "4636",
            "caller": "0x7ffc604154ef",
            "parentcaller": "0x7ffc60415361",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "45BA127D-10A8-46EA-8AB7-56EA9078943C"
              },
              {
                "name": "ClsContext",
                "value": "0x00000401",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_NO_CODE_DOWNLOAD"
              },
              {
                "name": "riid",
                "value": "54E4C428-D1D4-47D4-ADE6-46C829114A7D"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 7
          },
          {
            "timestamp": "2026-05-28 22:01:52,452",
            "thread_id": "5208",
            "caller": "0x7ffc77be9794",
            "parentcaller": "0x7ffc77c21dfa",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "F1C46D71-B791-4110-8D5C-7108F22C1010"
              },
              {
                "name": "ClsContext",
                "value": "0x00000003",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER"
              },
              {
                "name": "riid",
                "value": "00000003-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 8
          },
          {
            "timestamp": "2026-05-28 22:01:52,452",
            "thread_id": "5208",
            "caller": "0x7ffc77be92b9",
            "parentcaller": "0x7ffc77bb8db3",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "41FD88F7-F295-4D39-91AC-A85F3149A05B"
              },
              {
                "name": "ClsContext",
                "value": "0x00000403",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER|CLSCTX_NO_CODE_DOWNLOAD"
              },
              {
                "name": "riid",
                "value": "00000003-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 9
          },
          {
            "timestamp": "2026-05-28 22:01:52,561",
            "thread_id": "4884",
            "caller": "0x7ffc7571c386",
            "parentcaller": "0x7ffc7571c232",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00002208"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x0a7d0000"
              },
              {
                "name": "SectionOffset",
                "value": "0x076ef520"
              },
              {
                "name": "ViewSize",
                "value": "0x00010000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 1,
            "id": 10
          },
          {
            "timestamp": "2026-05-28 22:01:52,561",
            "thread_id": "4884",
            "caller": "0x7ffc5e7ed59f",
            "parentcaller": "0x7ffc5e82c80c",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000021fc"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00120089",
                "pretty_value": "FILE_GENERIC_READ"
              },
              {
                "name": "FileName",
                "value": "\\Device\\Bam"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 11
          },
          {
            "timestamp": "2026-05-28 22:01:52,577",
            "thread_id": "4636",
            "caller": "0x7ffc77be92b9",
            "parentcaller": "0x7ffc77beaff0",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "00000352-0000-0000-C000-000000000046"
              },
              {
                "name": "ClsContext",
                "value": "0x00000403",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER|CLSCTX_NO_CODE_DOWNLOAD"
              },
              {
                "name": "riid",
                "value": "00000003-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 12
          },
          {
            "timestamp": "2026-05-28 22:01:52,577",
            "thread_id": "4636",
            "caller": "0x7ffc77be92b9",
            "parentcaller": "0x7ffc77c2224d",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "00000339-0000-0000-C000-000000000046"
              },
              {
                "name": "ClsContext",
                "value": "0x00000403",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER|CLSCTX_NO_CODE_DOWNLOAD"
              },
              {
                "name": "riid",
                "value": "00000003-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 13
          },
          {
            "timestamp": "2026-05-28 22:01:52,577",
            "thread_id": "4636",
            "caller": "0x7ffc607425a2",
            "parentcaller": "0x7ffc6045a36f",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "6B3B8D23-FA8D-40B9-8DBD-B950333E2C52"
              },
              {
                "name": "ClsContext",
                "value": "0x00000004",
                "pretty_value": "CLSCTX_LOCAL_SERVER"
              },
              {
                "name": "riid",
                "value": "6D5140C1-7436-11CE-8034-00AA006009FA"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 14
          },
          {
            "timestamp": "2026-05-28 22:01:52,593",
            "thread_id": "4884",
            "caller": "0x7ffc7571c386",
            "parentcaller": "0x7ffc7571c232",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00002208"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x0a7d0000"
              },
              {
                "name": "SectionOffset",
                "value": "0x076ef520"
              },
              {
                "name": "ViewSize",
                "value": "0x00010000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 1,
            "id": 15
          },
          {
            "timestamp": "2026-05-28 22:01:52,593",
            "thread_id": "4884",
            "caller": "0x7ffc5e7ed59f",
            "parentcaller": "0x7ffc5e82c80c",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00002204"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00120089",
                "pretty_value": "FILE_GENERIC_READ"
              },
              {
                "name": "FileName",
                "value": "\\Device\\Bam"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 16
          },
          {
            "timestamp": "2026-05-28 22:01:52,593",
            "thread_id": "2840",
            "caller": "0x7ffc77be92b9",
            "parentcaller": "0x7ffc77c2224d",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "00000338-0000-0000-C000-000000000046"
              },
              {
                "name": "ClsContext",
                "value": "0x00000403",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER|CLSCTX_NO_CODE_DOWNLOAD"
              },
              {
                "name": "riid",
                "value": "00000003-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 17
          },
          {
            "timestamp": "2026-05-28 22:01:52,593",
            "thread_id": "2604",
            "caller": "0x7ffc75716f4c",
            "parentcaller": "0x7ffc771046bb",
            "category": "system",
            "api": "NtDuplicateObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SourceProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "SourceHandle",
                "value": "0x00001318"
              },
              {
                "name": "TargetProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "TargetHandle",
                "value": "0x000021f4"
              },
              {
                "name": "Options",
                "value": "0x00000002"
              }
            ],
            "repeated": 0,
            "id": 18
          },
          {
            "timestamp": "2026-05-28 22:01:52,593",
            "thread_id": "4884",
            "caller": "0x7ffc7571c386",
            "parentcaller": "0x7ffc7571c232",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x000020d8"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x0a7d0000"
              },
              {
                "name": "SectionOffset",
                "value": "0x076ef520"
              },
              {
                "name": "ViewSize",
                "value": "0x00010000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 19
          },
          {
            "timestamp": "2026-05-28 22:01:52,593",
            "thread_id": "4884",
            "caller": "0x7ffc77fde715",
            "parentcaller": "0x7ffc77fde37b",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x0d634000"
              },
              {
                "name": "RegionSize",
                "value": "0x00011000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 20
          },
          {
            "timestamp": "2026-05-28 22:01:52,593",
            "thread_id": "4884",
            "caller": "0x7ffc7571c386",
            "parentcaller": "0x7ffc7571c232",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x000020d8"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x0a7d0000"
              },
              {
                "name": "SectionOffset",
                "value": "0x076ef520"
              },
              {
                "name": "ViewSize",
                "value": "0x00010000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 21
          },
          {
            "timestamp": "2026-05-28 22:01:52,608",
            "thread_id": "4884",
            "caller": "0x7ffc77be92b9",
            "parentcaller": "0x7ffc77c2224d",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "00000338-0000-0000-C000-000000000046"
              },
              {
                "name": "ClsContext",
                "value": "0x00000403",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER|CLSCTX_NO_CODE_DOWNLOAD"
              },
              {
                "name": "riid",
                "value": "00000003-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 22
          },
          {
            "timestamp": "2026-05-28 22:01:52,608",
            "thread_id": "4884",
            "caller": "0x7ffc7571c386",
            "parentcaller": "0x7ffc7571c232",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x000021f0"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x0a7d0000"
              },
              {
                "name": "SectionOffset",
                "value": "0x076ef520"
              },
              {
                "name": "ViewSize",
                "value": "0x00010000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 2,
            "id": 23
          },
          {
            "timestamp": "2026-05-28 22:01:52,608",
            "thread_id": "4884",
            "caller": "0x7ffc7571c386",
            "parentcaller": "0x7ffc7571c232",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x000021e4"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x0a7d0000"
              },
              {
                "name": "SectionOffset",
                "value": "0x076ef520"
              },
              {
                "name": "ViewSize",
                "value": "0x00010000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 24
          },
          {
            "timestamp": "2026-05-28 22:01:52,639",
            "thread_id": "4636",
            "caller": "0x7ffc7604b8ed",
            "parentcaller": "0x7ffc775d6d18",
            "category": "threading",
            "api": "CreateRemoteThreadEx",
            "status": true,
            "return": "0x0000221c",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "StartRoutine",
                "value": "0x7ffc775dbe80"
              },
              {
                "name": "Parameter",
                "value": "0x0256f3f0"
              },
              {
                "name": "CreationFlags",
                "value": "0x00000000"
              },
              {
                "name": "ThreadId",
                "value": "4156"
              },
              {
                "name": "ProcessId",
                "value": "4584"
              }
            ],
            "repeated": 0,
            "id": 25
          },
          {
            "timestamp": "2026-05-28 22:01:52,639",
            "thread_id": "4884",
            "caller": "0x7ffc75704448",
            "parentcaller": "0x7ffc729fd2de",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x04162000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 26
          },
          {
            "timestamp": "2026-05-28 22:01:52,639",
            "thread_id": "4884",
            "caller": "0x7ffc7571c386",
            "parentcaller": "0x7ffc7571c232",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00002224"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x0a7d0000"
              },
              {
                "name": "SectionOffset",
                "value": "0x076ef520"
              },
              {
                "name": "ViewSize",
                "value": "0x00010000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 27
          },
          {
            "timestamp": "2026-05-28 22:01:52,639",
            "thread_id": "4884",
            "caller": "0x7ffc75704448",
            "parentcaller": "0x7ffc729fd2de",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x04163000"
              },
              {
                "name": "RegionSize",
                "value": "0x00002000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 28
          },
          {
            "timestamp": "2026-05-28 22:01:52,639",
            "thread_id": "4884",
            "caller": "0x7ffc75704448",
            "parentcaller": "0x7ffc729fd2de",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x04165000"
              },
              {
                "name": "RegionSize",
                "value": "0x00004000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 29
          },
          {
            "timestamp": "2026-05-28 22:01:52,639",
            "thread_id": "4884",
            "caller": "0x7ffc75704448",
            "parentcaller": "0x7ffc729fd2de",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x04169000"
              },
              {
                "name": "RegionSize",
                "value": "0x00002000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 30
          },
          {
            "timestamp": "2026-05-28 22:01:52,639",
            "thread_id": "4884",
            "caller": "0x7ffc75704448",
            "parentcaller": "0x7ffc729fd2de",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x0416b000"
              },
              {
                "name": "RegionSize",
                "value": "0x00002000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 31
          },
          {
            "timestamp": "2026-05-28 22:01:52,639",
            "thread_id": "4156",
            "caller": "0x7ffc756e56b2",
            "parentcaller": "0x7ffc756de6a1",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "user32"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc762a0000"
              }
            ],
            "repeated": 0,
            "id": 32
          },
          {
            "timestamp": "2026-05-28 22:01:52,639",
            "thread_id": "4156",
            "caller": "0x7ffc756e56b2",
            "parentcaller": "0x7ffc756de6a1",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "D3D10Warp.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc6e3b0000"
              }
            ],
            "repeated": 0,
            "id": 33
          },
          {
            "timestamp": "2026-05-28 22:01:52,639",
            "thread_id": "4156",
            "caller": "0x7ffc756e56b2",
            "parentcaller": "0x7ffc756de6a1",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "gdi32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc77ed0000"
              }
            ],
            "repeated": 1,
            "id": 34
          },
          {
            "timestamp": "2026-05-28 22:01:52,639",
            "thread_id": "4156",
            "caller": "0x7ffc756e56b2",
            "parentcaller": "0x7ffc73f81bd0",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "d3d10warp.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc6e3b0000"
              }
            ],
            "repeated": 0,
            "id": 35
          },
          {
            "timestamp": "2026-05-28 22:01:52,639",
            "thread_id": "4156",
            "caller": "0x7ffc756e6579",
            "parentcaller": "0x7ffc756e5f3e",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00002224"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\explorer.exe"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000080",
                "pretty_value": "FILE_ATTRIBUTE_NORMAL"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 36
          },
          {
            "timestamp": "2026-05-28 22:01:52,639",
            "thread_id": "4156",
            "caller": "0x7ffc77fde715",
            "parentcaller": "0x7ffc77fde37b",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x0d645000"
              },
              {
                "name": "RegionSize",
                "value": "0x0000a000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 37
          },
          {
            "timestamp": "2026-05-28 22:01:52,639",
            "thread_id": "4156",
            "caller": "0x7ffc77fde715",
            "parentcaller": "0x7ffc77fde37b",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x0d64f000"
              },
              {
                "name": "RegionSize",
                "value": "0x00005000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 38
          },
          {
            "timestamp": "2026-05-28 22:01:52,639",
            "thread_id": "4156",
            "caller": "0x7ffc756e6579",
            "parentcaller": "0x7ffc756e5fe6",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000021e0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\d3d10warp.dll"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "1",
                "pretty_value": "FILE_SHARE_READ"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000080",
                "pretty_value": "FILE_ATTRIBUTE_NORMAL"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 39
          },
          {
            "timestamp": "2026-05-28 22:01:52,639",
            "thread_id": "4156",
            "caller": "0x7ffc75716f4c",
            "parentcaller": "0x7ffc729fa36b",
            "category": "system",
            "api": "NtDuplicateObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SourceProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "SourceHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "TargetProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "TargetHandle",
                "value": "0x00002268"
              },
              {
                "name": "Options",
                "value": "0x00000002"
              }
            ],
            "repeated": 0,
            "id": 40
          },
          {
            "timestamp": "2026-05-28 22:01:52,639",
            "thread_id": "4156",
            "caller": "0x7ffc75716f4c",
            "parentcaller": "0x7ffc72a19362",
            "category": "system",
            "api": "NtDuplicateObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SourceProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "SourceHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "TargetProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "TargetHandle",
                "value": "0x00002294"
              },
              {
                "name": "Options",
                "value": "0x00000002"
              }
            ],
            "repeated": 0,
            "id": 41
          },
          {
            "timestamp": "2026-05-28 22:01:52,655",
            "thread_id": "4156",
            "caller": "0x7ffc77fde715",
            "parentcaller": "0x7ffc77fde37b",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x0d654000"
              },
              {
                "name": "RegionSize",
                "value": "0x00006000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 42
          },
          {
            "timestamp": "2026-05-28 22:01:52,655",
            "thread_id": "4156",
            "caller": "0x7ffc75704448",
            "parentcaller": "0x7ffc7206e2ba",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x0f100000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 43
          },
          {
            "timestamp": "2026-05-28 22:01:52,655",
            "thread_id": "4156",
            "caller": "0x7ffc77fde715",
            "parentcaller": "0x7ffc77fde37b",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x0d65a000"
              },
              {
                "name": "RegionSize",
                "value": "0x00011000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 44
          },
          {
            "timestamp": "2026-05-28 22:01:52,655",
            "thread_id": "4156",
            "caller": "0x7ffc77fde715",
            "parentcaller": "0x7ffc77fde37b",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x0d66b000"
              },
              {
                "name": "RegionSize",
                "value": "0x00011000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 45
          },
          {
            "timestamp": "2026-05-28 22:01:52,655",
            "thread_id": "4156",
            "caller": "0x7ffc775cf55f",
            "parentcaller": "0x7ffc775b705e",
            "category": "system",
            "api": "SetWindowsHookExW",
            "status": true,
            "return": "0x000103e2",
            "arguments": [
              {
                "name": "HookIdentifier",
                "value": "4",
                "pretty_value": "WH_CALLWNDPROC"
              },
              {
                "name": "ProcedureAddress",
                "value": "0x7ffc775cfa40"
              },
              {
                "name": "ModuleAddress",
                "value": "0x7ffc775b0000"
              },
              {
                "name": "ThreadId",
                "value": "4156"
              }
            ],
            "repeated": 0,
            "id": 46
          },
          {
            "timestamp": "2026-05-28 22:01:52,655",
            "thread_id": "4156",
            "caller": "0x7ffc75716f4c",
            "parentcaller": "0x7ffc770cef53",
            "category": "system",
            "api": "NtDuplicateObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SourceProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "SourceHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "TargetProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "TargetHandle",
                "value": "0x000022b0"
              },
              {
                "name": "Options",
                "value": "0x00000002"
              }
            ],
            "repeated": 0,
            "id": 47
          },
          {
            "timestamp": "2026-05-28 22:01:52,671",
            "thread_id": "5208",
            "caller": "0x7ffc75704448",
            "parentcaller": "0x7ffc6e6f9ad1",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x0f120000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 48
          },
          {
            "timestamp": "2026-05-28 22:01:52,671",
            "thread_id": "5208",
            "caller": "0x7ffc75704448",
            "parentcaller": "0x7ffc6e6f9ad1",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7df47ac60000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              },
              {
                "name": "Protection",
                "value": "0x00000001",
                "pretty_value": "PAGE_NOACCESS"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 49
          },
          {
            "timestamp": "2026-05-28 22:01:52,671",
            "thread_id": "5208",
            "caller": "0x7ffc75704448",
            "parentcaller": "0x7ffc6e6f9db5",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7df47ac60000"
              },
              {
                "name": "RegionSize",
                "value": "0x00002000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 50
          },
          {
            "timestamp": "2026-05-28 22:01:52,671",
            "thread_id": "5208",
            "caller": "0x7ffc75704448",
            "parentcaller": "0x7ffc6e6f9f77",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7df47ac60000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 51
          },
          {
            "timestamp": "2026-05-28 22:01:52,671",
            "thread_id": "5208",
            "caller": "0x7ffc75704448",
            "parentcaller": "0x7ffc6e6f9f77",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7df47ac61000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x40000020",
                "pretty_value": "PAGE_EXECUTE_READ|0x40000000"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 52
          },
          {
            "timestamp": "2026-05-28 22:01:52,671",
            "thread_id": "4156",
            "caller": "0x7ffc77fde715",
            "parentcaller": "0x7ffc77fde37b",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x0d67c000"
              },
              {
                "name": "RegionSize",
                "value": "0x00008000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 53
          },
          {
            "timestamp": "2026-05-28 22:01:52,671",
            "thread_id": "4156",
            "caller": "0x7ffc77fde715",
            "parentcaller": "0x7ffc77fde37b",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x0d684000"
              },
              {
                "name": "RegionSize",
                "value": "0x0006c000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 54
          },
          {
            "timestamp": "2026-05-28 22:01:52,671",
            "thread_id": "4156",
            "caller": "0x7ffc75704448",
            "parentcaller": "0x7ffc6e6f9ad1",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x0f120000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 55
          },
          {
            "timestamp": "2026-05-28 22:01:52,671",
            "thread_id": "4156",
            "caller": "0x7ffc75704448",
            "parentcaller": "0x7ffc6e6f9ad1",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x0f130000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 56
          },
          {
            "timestamp": "2026-05-28 22:01:52,671",
            "thread_id": "2604",
            "caller": "0x7ffc77fde715",
            "parentcaller": "0x7ffc77fde37b",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x0d6f0000"
              },
              {
                "name": "RegionSize",
                "value": "0x0000c000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 57
          },
          {
            "timestamp": "2026-05-28 22:01:52,671",
            "thread_id": "2604",
            "caller": "0x7ffc75704448",
            "parentcaller": "0x7ffc6e6f9ad1",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x10e30000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 58
          },
          {
            "timestamp": "2026-05-28 22:01:52,671",
            "thread_id": "5208",
            "caller": "0x7ffc77fde715",
            "parentcaller": "0x7ffc77fde37b",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x0d6fc000"
              },
              {
                "name": "RegionSize",
                "value": "0x0000c000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 59
          },
          {
            "timestamp": "2026-05-28 22:01:52,671",
            "thread_id": "5208",
            "caller": "0x7ffc75704448",
            "parentcaller": "0x7ffc6e6f9ad1",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x10e40000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 60
          },
          {
            "timestamp": "2026-05-28 22:01:52,671",
            "thread_id": "5208",
            "caller": "0x7ffc75704448",
            "parentcaller": "0x7ffc6e6f9ad1",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x10e50000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 61
          },
          {
            "timestamp": "2026-05-28 22:01:52,671",
            "thread_id": "5208",
            "caller": "0x7ffc75704448",
            "parentcaller": "0x7ffc6e6f9ad1",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7df47ac50000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              },
              {
                "name": "Protection",
                "value": "0x00000001",
                "pretty_value": "PAGE_NOACCESS"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 62
          },
          {
            "timestamp": "2026-05-28 22:01:52,671",
            "thread_id": "5208",
            "caller": "0x7ffc75704448",
            "parentcaller": "0x7ffc6e6f9db5",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7df47ac50000"
              },
              {
                "name": "RegionSize",
                "value": "0x00002000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 63
          },
          {
            "timestamp": "2026-05-28 22:01:52,671",
            "thread_id": "5208",
            "caller": "0x7ffc75704448",
            "parentcaller": "0x7ffc6e6f9f77",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7df47ac50000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 64
          },
          {
            "timestamp": "2026-05-28 22:01:52,671",
            "thread_id": "4156",
            "caller": "0x7ffc75704448",
            "parentcaller": "0x7ffc6e6f9ad1",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x10e60000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 65
          },
          {
            "timestamp": "2026-05-28 22:01:52,671",
            "thread_id": "4884",
            "caller": "0x7ffc77fded8a",
            "parentcaller": "0x7ffc77ffdb07",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x094ac000"
              },
              {
                "name": "RegionSize",
                "value": "0x0000c000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 66
          },
          {
            "timestamp": "2026-05-28 22:01:52,671",
            "thread_id": "2604",
            "caller": "0x7ffc75704448",
            "parentcaller": "0x7ffc6e6f9ad1",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x10e70000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 67
          },
          {
            "timestamp": "2026-05-28 22:01:52,671",
            "thread_id": "2604",
            "caller": "0x7ffc75704448",
            "parentcaller": "0x7ffc6e6f9ad1",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x10e80000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 68
          },
          {
            "timestamp": "2026-05-28 22:01:52,671",
            "thread_id": "2604",
            "caller": "0x7ffc75704448",
            "parentcaller": "0x7ffc6e6f9ad1",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7df47ac40000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              },
              {
                "name": "Protection",
                "value": "0x00000001",
                "pretty_value": "PAGE_NOACCESS"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 69
          },
          {
            "timestamp": "2026-05-28 22:01:52,671",
            "thread_id": "2604",
            "caller": "0x7ffc75704448",
            "parentcaller": "0x7ffc6e6f9db5",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7df47ac40000"
              },
              {
                "name": "RegionSize",
                "value": "0x00002000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 70
          },
          {
            "timestamp": "2026-05-28 22:01:52,671",
            "thread_id": "2604",
            "caller": "0x7ffc75704448",
            "parentcaller": "0x7ffc6e6f9f77",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7df47ac40000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 71
          },
          {
            "timestamp": "2026-05-28 22:01:52,671",
            "thread_id": "4156",
            "caller": "0x7ffc75716f4c",
            "parentcaller": "0x7ffc716a5dbb",
            "category": "system",
            "api": "NtDuplicateObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SourceProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "SourceHandle",
                "value": "0x000021e0"
              },
              {
                "name": "TargetProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "TargetHandle",
                "value": "0x000022cc"
              },
              {
                "name": "Options",
                "value": "0x00000002"
              }
            ],
            "repeated": 0,
            "id": 72
          },
          {
            "timestamp": "2026-05-28 22:01:52,686",
            "thread_id": "4156",
            "caller": "0x7ffc7571c386",
            "parentcaller": "0x7ffc7571c25e",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x000021e0"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x10e90000"
              },
              {
                "name": "SectionOffset",
                "value": "0x0f0febe0"
              },
              {
                "name": "ViewSize",
                "value": "0x00004000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 73
          },
          {
            "timestamp": "2026-05-28 22:01:52,686",
            "thread_id": "4156",
            "caller": "0x7ffc7571c386",
            "parentcaller": "0x7ffc7571c25e",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x000021e0"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x10ea0000"
              },
              {
                "name": "SectionOffset",
                "value": "0x0f0ff090"
              },
              {
                "name": "ViewSize",
                "value": "0x00010000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 74
          },
          {
            "timestamp": "2026-05-28 22:01:52,686",
            "thread_id": "4156",
            "caller": "0x7ffc7571c386",
            "parentcaller": "0x7ffc7571c232",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x000022cc"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x10ea0000"
              },
              {
                "name": "SectionOffset",
                "value": "0x0f0ff150"
              },
              {
                "name": "ViewSize",
                "value": "0x00010000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 75
          },
          {
            "timestamp": "2026-05-28 22:01:52,686",
            "thread_id": "4156",
            "caller": "0x7ffc7571c386",
            "parentcaller": "0x7ffc7571c25e",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x000022cc"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x10ea0000"
              },
              {
                "name": "SectionOffset",
                "value": "0x0f0ff150"
              },
              {
                "name": "ViewSize",
                "value": "0x00010000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 76
          },
          {
            "timestamp": "2026-05-28 22:01:52,686",
            "thread_id": "4156",
            "caller": "0x7ffc7571c386",
            "parentcaller": "0x7ffc7571c232",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x0000220c"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x10ea0000"
              },
              {
                "name": "SectionOffset",
                "value": "0x0f0ff2c0"
              },
              {
                "name": "ViewSize",
                "value": "0x00010000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 77
          },
          {
            "timestamp": "2026-05-28 22:01:52,686",
            "thread_id": "4156",
            "caller": "0x7ffc77fde715",
            "parentcaller": "0x7ffc77fde37b",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x0d708000"
              },
              {
                "name": "RegionSize",
                "value": "0x00011000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 78
          },
          {
            "timestamp": "2026-05-28 22:01:52,686",
            "thread_id": "4156",
            "caller": "0x7ffc7571c386",
            "parentcaller": "0x7ffc7571c232",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x0000220c"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x10ea0000"
              },
              {
                "name": "SectionOffset",
                "value": "0x0f0ff190"
              },
              {
                "name": "ViewSize",
                "value": "0x00010000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 79
          },
          {
            "timestamp": "2026-05-28 22:01:52,686",
            "thread_id": "4156",
            "caller": "0x7ffc7571c386",
            "parentcaller": "0x7ffc7571c25e",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x0000220c"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x10ea0000"
              },
              {
                "name": "SectionOffset",
                "value": "0x0f0ff190"
              },
              {
                "name": "ViewSize",
                "value": "0x00010000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 80
          },
          {
            "timestamp": "2026-05-28 22:01:52,686",
            "thread_id": "4884",
            "caller": "0x7ffc7571c386",
            "parentcaller": "0x7ffc7571c232",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x000021dc"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x10ea0000"
              },
              {
                "name": "SectionOffset",
                "value": "0x076ef520"
              },
              {
                "name": "ViewSize",
                "value": "0x00010000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 1,
            "id": 81
          },
          {
            "timestamp": "2026-05-28 22:01:52,686",
            "thread_id": "4884",
            "caller": "0x7ffc5e7ed59f",
            "parentcaller": "0x7ffc5e82c80c",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000021d8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00120089",
                "pretty_value": "FILE_GENERIC_READ"
              },
              {
                "name": "FileName",
                "value": "\\Device\\Bam"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 82
          },
          {
            "timestamp": "2026-05-28 22:01:52,686",
            "thread_id": "4156",
            "caller": "0x7ffc77fde715",
            "parentcaller": "0x7ffc77fde37b",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x0d719000"
              },
              {
                "name": "RegionSize",
                "value": "0x00011000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 83
          },
          {
            "timestamp": "2026-05-28 22:01:52,702",
            "thread_id": "5208",
            "caller": "0x7ffc75704448",
            "parentcaller": "0x7ffc6e6f9f77",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7df47ac51000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x40000020",
                "pretty_value": "PAGE_EXECUTE_READ|0x40000000"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 84
          },
          {
            "timestamp": "2026-05-28 22:01:52,702",
            "thread_id": "2604",
            "caller": "0x7ffc75704448",
            "parentcaller": "0x7ffc6e6f9f77",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7df47ac41000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x40000020",
                "pretty_value": "PAGE_EXECUTE_READ|0x40000000"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 85
          },
          {
            "timestamp": "2026-05-28 22:01:52,702",
            "thread_id": "2604",
            "caller": "0x7ffc77fde715",
            "parentcaller": "0x7ffc77fde37b",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x0d72a000"
              },
              {
                "name": "RegionSize",
                "value": "0x000c9000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 86
          },
          {
            "timestamp": "2026-05-28 22:01:52,702",
            "thread_id": "2604",
            "caller": "0x7ffc77fde715",
            "parentcaller": "0x7ffc77fde37b",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x0d7f3000"
              },
              {
                "name": "RegionSize",
                "value": "0x00036000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 87
          },
          {
            "timestamp": "2026-05-28 22:01:52,702",
            "thread_id": "5208",
            "caller": "0x7ffc75704448",
            "parentcaller": "0x7ffc6e6f9ad1",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x10e30000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 88
          },
          {
            "timestamp": "2026-05-28 22:01:52,702",
            "thread_id": "5208",
            "caller": "0x7ffc75704448",
            "parentcaller": "0x7ffc6e6f9ad1",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x10e40000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 89
          },
          {
            "timestamp": "2026-05-28 22:01:52,702",
            "thread_id": "5208",
            "caller": "0x7ffc75704448",
            "parentcaller": "0x7ffc6e6f9ad1",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7df47ac30000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              },
              {
                "name": "Protection",
                "value": "0x00000001",
                "pretty_value": "PAGE_NOACCESS"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 90
          },
          {
            "timestamp": "2026-05-28 22:01:52,702",
            "thread_id": "5208",
            "caller": "0x7ffc75704448",
            "parentcaller": "0x7ffc6e6f9db5",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7df47ac30000"
              },
              {
                "name": "RegionSize",
                "value": "0x00002000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 91
          },
          {
            "timestamp": "2026-05-28 22:01:52,702",
            "thread_id": "5208",
            "caller": "0x7ffc75704448",
            "parentcaller": "0x7ffc6e6f9f77",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7df47ac30000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 92
          },
          {
            "timestamp": "2026-05-28 22:01:52,702",
            "thread_id": "2840",
            "caller": "0x7ffc77fde715",
            "parentcaller": "0x7ffc77fde37b",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x0d829000"
              },
              {
                "name": "RegionSize",
                "value": "0x000c9000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 93
          },
          {
            "timestamp": "2026-05-28 22:01:52,702",
            "thread_id": "5208",
            "caller": "0x7ffc75704448",
            "parentcaller": "0x7ffc6e6f9f77",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7df47ac31000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x40000020",
                "pretty_value": "PAGE_EXECUTE_READ|0x40000000"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 94
          },
          {
            "timestamp": "2026-05-28 22:01:52,702",
            "thread_id": "4156",
            "caller": "0x7ffc75716f4c",
            "parentcaller": "0x7ffc716a5dbb",
            "category": "system",
            "api": "NtDuplicateObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SourceProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "SourceHandle",
                "value": "0x000022c4"
              },
              {
                "name": "TargetProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "TargetHandle",
                "value": "0x000021e8"
              },
              {
                "name": "Options",
                "value": "0x00000002"
              }
            ],
            "repeated": 0,
            "id": 95
          },
          {
            "timestamp": "2026-05-28 22:01:52,702",
            "thread_id": "4156",
            "caller": "0x7ffc77fded8a",
            "parentcaller": "0x7ffc77ffdb07",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x094be000"
              },
              {
                "name": "RegionSize",
                "value": "0x00013000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 96
          },
          {
            "timestamp": "2026-05-28 22:01:52,702",
            "thread_id": "4156",
            "caller": "0x7ffc77fded8a",
            "parentcaller": "0x7ffc77ffdb07",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09c4e000"
              },
              {
                "name": "RegionSize",
                "value": "0x00014000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 97
          },
          {
            "timestamp": "2026-05-28 22:01:52,702",
            "thread_id": "4156",
            "caller": "0x7ffc77fde715",
            "parentcaller": "0x7ffc77fde37b",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09c63000"
              },
              {
                "name": "RegionSize",
                "value": "0x0001b000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 98
          },
          {
            "timestamp": "2026-05-28 22:01:52,702",
            "thread_id": "4636",
            "caller": "0x7ffc756e56b2",
            "parentcaller": "0x7ffc756de6a1",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "SHELL32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76730000"
              }
            ],
            "repeated": 0,
            "id": 99
          },
          {
            "timestamp": "2026-05-28 22:01:52,702",
            "thread_id": "4636",
            "caller": "0x7ffc756e56b2",
            "parentcaller": "0x7ffc738a58d4",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "shell32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76730000"
              }
            ],
            "repeated": 0,
            "id": 100
          },
          {
            "timestamp": "2026-05-28 22:01:52,718",
            "thread_id": "4156",
            "caller": "0x7ffc75716f4c",
            "parentcaller": "0x7ffc716a5dbb",
            "category": "system",
            "api": "NtDuplicateObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SourceProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "SourceHandle",
                "value": "0x000022d4"
              },
              {
                "name": "TargetProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "TargetHandle",
                "value": "0x000022d8"
              },
              {
                "name": "Options",
                "value": "0x00000002"
              }
            ],
            "repeated": 0,
            "id": 101
          },
          {
            "timestamp": "2026-05-28 22:01:52,718",
            "thread_id": "5208",
            "caller": "0x7ffc77fde715",
            "parentcaller": "0x7ffc77fde37b",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x0d8f2000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 102
          },
          {
            "timestamp": "2026-05-28 22:01:52,718",
            "thread_id": "4636",
            "caller": "0x7ffc5e6cb952",
            "parentcaller": "0x7ffc5e6e5ddb",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "D25D8842-8884-4A4A-B321-091314379BDD"
              },
              {
                "name": "ClsContext",
                "value": "0x00000001",
                "pretty_value": "CLSCTX_INPROC_SERVER"
              },
              {
                "name": "riid",
                "value": "D8B6F7D4-4109-4D3F-ACEE-879926968CB1"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 103
          },
          {
            "timestamp": "2026-05-28 22:01:52,718",
            "thread_id": "4636",
            "caller": "0x7ffc5e6cb995",
            "parentcaller": "0x7ffc5e6e5ddb",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "812F944A-C5C8-4CD9-B0A6-B3DA802F228D"
              },
              {
                "name": "ClsContext",
                "value": "0x00000001",
                "pretty_value": "CLSCTX_INPROC_SERVER"
              },
              {
                "name": "riid",
                "value": "03CFAE53-9580-4EE3-B363-2ECE51B4AF6A"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 104
          },
          {
            "timestamp": "2026-05-28 22:01:52,718",
            "thread_id": "4636",
            "caller": "0x7ffc5e6cb952",
            "parentcaller": "0x7ffc5e6e5e53",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "D25D8842-8884-4A4A-B321-091314379BDD"
              },
              {
                "name": "ClsContext",
                "value": "0x00000001",
                "pretty_value": "CLSCTX_INPROC_SERVER"
              },
              {
                "name": "riid",
                "value": "D8B6F7D4-4109-4D3F-ACEE-879926968CB1"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 105
          },
          {
            "timestamp": "2026-05-28 22:01:52,718",
            "thread_id": "4636",
            "caller": "0x7ffc5e6cb995",
            "parentcaller": "0x7ffc5e6e5e53",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "812F944A-C5C8-4CD9-B0A6-B3DA802F228D"
              },
              {
                "name": "ClsContext",
                "value": "0x00000001",
                "pretty_value": "CLSCTX_INPROC_SERVER"
              },
              {
                "name": "riid",
                "value": "03CFAE53-9580-4EE3-B363-2ECE51B4AF6A"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 106
          },
          {
            "timestamp": "2026-05-28 22:01:52,718",
            "thread_id": "4640",
            "caller": "0x7ffc7571c386",
            "parentcaller": "0x7ffc7571c232",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x000022e0"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x10e30000"
              },
              {
                "name": "SectionOffset",
                "value": "0x0277f750"
              },
              {
                "name": "ViewSize",
                "value": "0x00010000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 107
          },
          {
            "timestamp": "2026-05-28 22:01:52,718",
            "thread_id": "4640",
            "caller": "0x7ffc77fde715",
            "parentcaller": "0x7ffc77fde37b",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x0d8f4000"
              },
              {
                "name": "RegionSize",
                "value": "0x00011000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 108
          },
          {
            "timestamp": "2026-05-28 22:01:52,718",
            "thread_id": "4640",
            "caller": "0x7ffc7571c386",
            "parentcaller": "0x7ffc7571c232",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x000022e8"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x10e30000"
              },
              {
                "name": "SectionOffset",
                "value": "0x0277f6f0"
              },
              {
                "name": "ViewSize",
                "value": "0x00010000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 109
          },
          {
            "timestamp": "2026-05-28 22:01:53,889",
            "thread_id": "4884",
            "caller": "0x7ffc5e7ed59f",
            "parentcaller": "0x7ffc5e82c80c",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000022d4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00120089",
                "pretty_value": "FILE_GENERIC_READ"
              },
              {
                "name": "FileName",
                "value": "\\Device\\Bam"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 110
          },
          {
            "timestamp": "2026-05-28 22:01:53,905",
            "thread_id": "4884",
            "caller": "0x7ffc5e7ee842",
            "parentcaller": "0x7ffc5e7ed62c",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000021c8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00120089",
                "pretty_value": "FILE_GENERIC_READ"
              },
              {
                "name": "FileName",
                "value": "\\Device\\Bam"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 111
          },
          {
            "timestamp": "2026-05-28 22:01:53,921",
            "thread_id": "6712",
            "caller": "0x7ffc75716f4c",
            "parentcaller": "0x7ffc770cef53",
            "category": "system",
            "api": "NtDuplicateObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SourceProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "SourceHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "TargetProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "TargetHandle",
                "value": "0x000022ec"
              },
              {
                "name": "Options",
                "value": "0x00000002"
              }
            ],
            "repeated": 0,
            "id": 112
          },
          {
            "timestamp": "2026-05-28 22:01:53,921",
            "thread_id": "6712",
            "caller": "0x7ffc75716f4c",
            "parentcaller": "0x7ffc77b96d2f",
            "category": "system",
            "api": "NtDuplicateObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SourceProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "SourceHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "TargetProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "TargetHandle",
                "value": "0x000022e8"
              },
              {
                "name": "Options",
                "value": "0x00000002"
              }
            ],
            "repeated": 0,
            "id": 113
          },
          {
            "timestamp": "2026-05-28 22:01:53,952",
            "thread_id": "2604",
            "caller": "0x7ffc77be92b9",
            "parentcaller": "0x7ffc77c2224d",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "00000338-0000-0000-C000-000000000046"
              },
              {
                "name": "ClsContext",
                "value": "0x00000403",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER|CLSCTX_NO_CODE_DOWNLOAD"
              },
              {
                "name": "riid",
                "value": "00000003-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 114
          },
          {
            "timestamp": "2026-05-28 22:01:53,952",
            "thread_id": "4636",
            "caller": "0x7ff65e0b8fba",
            "parentcaller": "0x00000000",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "00000339-0000-0000-C000-000000000046"
              },
              {
                "name": "ClsContext",
                "value": "0x00000403",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER|CLSCTX_NO_CODE_DOWNLOAD"
              },
              {
                "name": "riid",
                "value": "00000003-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 115
          },
          {
            "timestamp": "2026-05-28 22:01:53,952",
            "thread_id": "4636",
            "caller": "0x7ff65e0b8fba",
            "parentcaller": "0x00000000",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "C2F03A33-21F5-47FA-B4BB-156362A2F239"
              },
              {
                "name": "ClsContext",
                "value": "0x00000404",
                "pretty_value": "CLSCTX_LOCAL_SERVER|CLSCTX_NO_CODE_DOWNLOAD"
              },
              {
                "name": "riid",
                "value": "6D5140C1-7436-11CE-8034-00AA006009FA"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 116
          },
          {
            "timestamp": "2026-05-28 22:01:53,952",
            "thread_id": "4804",
            "caller": "0x7ffc77be92b9",
            "parentcaller": "0x7ffc77c2224d",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "00000339-0000-0000-C000-000000000046"
              },
              {
                "name": "ClsContext",
                "value": "0x00000403",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER|CLSCTX_NO_CODE_DOWNLOAD"
              },
              {
                "name": "riid",
                "value": "00000003-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 2,
            "id": 117
          },
          {
            "timestamp": "2026-05-28 22:01:53,968",
            "thread_id": "4668",
            "caller": "0x7ff65e045f02",
            "parentcaller": "0x7ff65e045e20",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000022f4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100001",
                "pretty_value": "FILE_READ_ACCESS|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\en-US\\explorerframe.dll.mui"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 118
          },
          {
            "timestamp": "2026-05-28 22:01:53,968",
            "thread_id": "4668",
            "caller": "0x7ff65e045f02",
            "parentcaller": "0x7ff65e045e20",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x000022f0"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x10e40000"
              },
              {
                "name": "SectionOffset",
                "value": "0x02a9dbb0"
              },
              {
                "name": "ViewSize",
                "value": "0x00007000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 119
          },
          {
            "timestamp": "2026-05-28 22:01:53,968",
            "thread_id": "4884",
            "caller": "0x7ffc77be92b9",
            "parentcaller": "0x7ffc77c2224d",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "00000338-0000-0000-C000-000000000046"
              },
              {
                "name": "ClsContext",
                "value": "0x00000403",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER|CLSCTX_NO_CODE_DOWNLOAD"
              },
              {
                "name": "riid",
                "value": "00000003-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 120
          },
          {
            "timestamp": "2026-05-28 22:01:53,968",
            "thread_id": "4668",
            "caller": "0x7ff65e220528",
            "parentcaller": "0x7ff65e1d9f49",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "00000339-0000-0000-C000-000000000046"
              },
              {
                "name": "ClsContext",
                "value": "0x00000403",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER|CLSCTX_NO_CODE_DOWNLOAD"
              },
              {
                "name": "riid",
                "value": "00000003-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 121
          },
          {
            "timestamp": "2026-05-28 22:01:53,968",
            "thread_id": "4668",
            "caller": "0x7ff65e220528",
            "parentcaller": "0x7ff65e1d9f49",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "228826AF-02E1-4226-A9E0-99A855E455A6"
              },
              {
                "name": "ClsContext",
                "value": "0x00000004",
                "pretty_value": "CLSCTX_LOCAL_SERVER"
              },
              {
                "name": "riid",
                "value": "9767060C-9476-42E2-8F7B-2F10FD13765C"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 122
          },
          {
            "timestamp": "2026-05-28 22:01:53,983",
            "thread_id": "4884",
            "caller": "0x7ffc5f3638c2",
            "parentcaller": "0x7ffc5f35f6c0",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "78317482-5B49-4093-9C34-2758FC63BEF0"
              },
              {
                "name": "ClsContext",
                "value": "0x00000001",
                "pretty_value": "CLSCTX_INPROC_SERVER"
              },
              {
                "name": "riid",
                "value": "AD5638D2-B769-4221-AA2F-D74E6AD42C24"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 123
          },
          {
            "timestamp": "2026-05-28 22:01:53,983",
            "thread_id": "4668",
            "caller": "0x7ff65e045f02",
            "parentcaller": "0x7ff65e045e20",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x0ef82000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 124
          },
          {
            "timestamp": "2026-05-28 22:01:54,311",
            "thread_id": "2604",
            "caller": "0x7ffc5e7ee842",
            "parentcaller": "0x7ffc780416e9",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00002314"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00120089",
                "pretty_value": "FILE_GENERIC_READ"
              },
              {
                "name": "FileName",
                "value": "\\Device\\Bam"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 125
          },
          {
            "timestamp": "2026-05-28 22:01:54,608",
            "thread_id": "4668",
            "caller": "0x7ff65e045f02",
            "parentcaller": "0x7ff65e045e20",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\dwmapi.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc73480000"
              }
            ],
            "repeated": 0,
            "id": 126
          },
          {
            "timestamp": "2026-05-28 22:01:54,624",
            "thread_id": "6892",
            "caller": "0x7ffc756e6579",
            "parentcaller": "0x7ffc756e5fe6",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000021d8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100081",
                "pretty_value": "FILE_READ_ACCESS|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 127
          },
          {
            "timestamp": "2026-05-28 22:01:56,686",
            "thread_id": "6892",
            "caller": "0x7ffc738a4fbc",
            "parentcaller": "0x7ffc7389f4db",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "00000323-0000-0000-C000-000000000046"
              },
              {
                "name": "ClsContext",
                "value": "0x00000001",
                "pretty_value": "CLSCTX_INPROC_SERVER"
              },
              {
                "name": "riid",
                "value": "00000146-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 128
          },
          {
            "timestamp": "2026-05-28 22:01:56,686",
            "thread_id": "6892",
            "caller": "0x7ffc75716f4c",
            "parentcaller": "0x7ffc770cef53",
            "category": "system",
            "api": "NtDuplicateObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SourceProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "SourceHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "TargetProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "TargetHandle",
                "value": "0x00002310"
              },
              {
                "name": "Options",
                "value": "0x00000002"
              }
            ],
            "repeated": 0,
            "id": 129
          },
          {
            "timestamp": "2026-05-28 22:01:56,702",
            "thread_id": "6892",
            "caller": "0x7ffc728fd21a",
            "parentcaller": "0x7ffc738b3235",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "76765B11-3F95-4AF2-AC9D-EA55D8994F1A"
              },
              {
                "name": "ClsContext",
                "value": "0x00000001",
                "pretty_value": "CLSCTX_INPROC_SERVER"
              },
              {
                "name": "riid",
                "value": "00000000-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 130
          },
          {
            "timestamp": "2026-05-28 22:01:56,702",
            "thread_id": "6892",
            "caller": "0x7ffc77b9f303",
            "parentcaller": "0x7ffc77b9e7f3",
            "category": "com",
            "api": "CoCreateInstanceEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "9AC9FBE1-E0A2-4AD6-B4EE-E212013EA917"
              },
              {
                "name": "ClsContext",
                "value": "0x00000403",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER|CLSCTX_NO_CODE_DOWNLOAD"
              },
              {
                "name": "ServerName",
                "value": ""
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 131
          },
          {
            "timestamp": "2026-05-28 22:01:56,702",
            "thread_id": "6892",
            "caller": "0x7ffc738a4fbc",
            "parentcaller": "0x7ffc7389f4db",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "00000323-0000-0000-C000-000000000046"
              },
              {
                "name": "ClsContext",
                "value": "0x00000001",
                "pretty_value": "CLSCTX_INPROC_SERVER"
              },
              {
                "name": "riid",
                "value": "00000146-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 132
          },
          {
            "timestamp": "2026-05-28 22:01:56,702",
            "thread_id": "6892",
            "caller": "0x7ffc766d7b67",
            "parentcaller": "0x7ffc766d7add",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "7B8A2D94-0AC9-11D1-896C-00C04FB6BFC4"
              },
              {
                "name": "ClsContext",
                "value": "0x00000001",
                "pretty_value": "CLSCTX_INPROC_SERVER"
              },
              {
                "name": "riid",
                "value": "79EAC9EE-BAF9-11CE-8C82-00AA004BA90B"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 133
          },
          {
            "timestamp": "2026-05-28 22:01:56,702",
            "thread_id": "6892",
            "caller": "0x7ffc756dfcb5",
            "parentcaller": "0x7ffc75725984",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00002308"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100001",
                "pretty_value": "FILE_READ_ACCESS|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 134
          },
          {
            "timestamp": "2026-05-28 22:01:56,702",
            "thread_id": "6892",
            "caller": "0x7ffc756dfcb5",
            "parentcaller": "0x7ffc75725984",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00002308"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100001",
                "pretty_value": "FILE_READ_ACCESS|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 135
          },
          {
            "timestamp": "2026-05-28 22:01:56,702",
            "thread_id": "6892",
            "caller": "0x7ffc756dfcb5",
            "parentcaller": "0x7ffc75725984",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00002308"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100001",
                "pretty_value": "FILE_READ_ACCESS|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 136
          },
          {
            "timestamp": "2026-05-28 22:01:56,702",
            "thread_id": "6892",
            "caller": "0x7ffc756e6579",
            "parentcaller": "0x7ffc7572c32f",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00002308"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00120080",
                "pretty_value": "FILE_READ_ATTRIBUTES|READ_CONTROL|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\Taskmgr.exe"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "3",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 137
          },
          {
            "timestamp": "2026-05-28 22:01:56,718",
            "thread_id": "6892",
            "caller": "0x7ffc756e6bcf",
            "parentcaller": "0x7ffc756e6f7c",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00002308"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100080",
                "pretty_value": "FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\Taskmgr.exe"
              },
              {
                "name": "ShareAccess",
                "value": "3",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE"
              }
            ],
            "repeated": 2,
            "id": 138
          },
          {
            "timestamp": "2026-05-28 22:01:56,718",
            "thread_id": "6892",
            "caller": "0x7ffc756e6579",
            "parentcaller": "0x7ffc756e5cb3",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": false,
            "return": "0xffffffffc0000033",
            "pretty_return": "OBJECT_NAME_INVALID",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00020010"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100080",
                "pretty_value": "FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\Taskmgr.exe\\"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "3",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000080",
                "pretty_value": "FILE_ATTRIBUTE_NORMAL"
              },
              {
                "name": "ExistedBefore",
                "value": "no"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 139
          },
          {
            "timestamp": "2026-05-28 22:01:56,718",
            "thread_id": "6892",
            "caller": "0x7ffc756e6bcf",
            "parentcaller": "0x7ffc756e6f7c",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": false,
            "return": "0xffffffffc00000ba",
            "pretty_return": "FILE_IS_A_DIRECTORY",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x7ffc767e207c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100080",
                "pretty_value": "FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32"
              },
              {
                "name": "ShareAccess",
                "value": "3",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE"
              }
            ],
            "repeated": 0,
            "id": 140
          },
          {
            "timestamp": "2026-05-28 22:01:56,718",
            "thread_id": "6892",
            "caller": "0x7ffc756e6579",
            "parentcaller": "0x7ffc756e5cb3",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00002308"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100080",
                "pretty_value": "FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "3",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000080",
                "pretty_value": "FILE_ATTRIBUTE_NORMAL"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 141
          },
          {
            "timestamp": "2026-05-28 22:01:56,718",
            "thread_id": "6892",
            "caller": "0x7ffc756e6c28",
            "parentcaller": "0x7ffc756e6f7c",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00002308"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100080",
                "pretty_value": "FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32"
              },
              {
                "name": "ShareAccess",
                "value": "3",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE"
              }
            ],
            "repeated": 1,
            "id": 142
          },
          {
            "timestamp": "2026-05-28 22:01:56,718",
            "thread_id": "6892",
            "caller": "0x7ffc756e6579",
            "parentcaller": "0x7ffc756e5cb3",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00002308"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100080",
                "pretty_value": "FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "3",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000080",
                "pretty_value": "FILE_ATTRIBUTE_NORMAL"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 143
          },
          {
            "timestamp": "2026-05-28 22:01:56,718",
            "thread_id": "6892",
            "caller": "0x7ffc756e6bcf",
            "parentcaller": "0x7ffc756e6f7c",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": false,
            "return": "0xffffffffc00000ba",
            "pretty_return": "FILE_IS_A_DIRECTORY",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00002308"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100080",
                "pretty_value": "FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows"
              },
              {
                "name": "ShareAccess",
                "value": "3",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE"
              }
            ],
            "repeated": 0,
            "id": 144
          },
          {
            "timestamp": "2026-05-28 22:01:56,718",
            "thread_id": "6892",
            "caller": "0x7ffc756e6579",
            "parentcaller": "0x7ffc756e5cb3",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00002308"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100080",
                "pretty_value": "FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "3",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000080",
                "pretty_value": "FILE_ATTRIBUTE_NORMAL"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 145
          },
          {
            "timestamp": "2026-05-28 22:01:56,718",
            "thread_id": "6892",
            "caller": "0x7ffc756e6c28",
            "parentcaller": "0x7ffc756e6f7c",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00002308"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100080",
                "pretty_value": "FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows"
              },
              {
                "name": "ShareAccess",
                "value": "3",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE"
              }
            ],
            "repeated": 1,
            "id": 146
          },
          {
            "timestamp": "2026-05-28 22:01:56,718",
            "thread_id": "6892",
            "caller": "0x7ffc756e6579",
            "parentcaller": "0x7ffc756e5cb3",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00002308"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100080",
                "pretty_value": "FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "3",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000080",
                "pretty_value": "FILE_ATTRIBUTE_NORMAL"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 147
          },
          {
            "timestamp": "2026-05-28 22:01:56,718",
            "thread_id": "6892",
            "caller": "0x7ffc756e4d82",
            "parentcaller": "0x7ffc756e70c7",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00002308"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100080",
                "pretty_value": "FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:"
              },
              {
                "name": "ShareAccess",
                "value": "3",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE"
              }
            ],
            "repeated": 0,
            "id": 148
          },
          {
            "timestamp": "2026-05-28 22:01:56,718",
            "thread_id": "6892",
            "caller": "0x7ffc756e6579",
            "parentcaller": "0x7ffc756e4f8e",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00002308"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100080",
                "pretty_value": "FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "\\??\\MountPointManager"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "3",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000080",
                "pretty_value": "FILE_ATTRIBUTE_NORMAL"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 149
          },
          {
            "timestamp": "2026-05-28 22:01:56,718",
            "thread_id": "6892",
            "caller": "0x7ffc756e4d82",
            "parentcaller": "0x7ffc756e693c",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00002308"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100080",
                "pretty_value": "FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:"
              },
              {
                "name": "ShareAccess",
                "value": "3",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE"
              }
            ],
            "repeated": 0,
            "id": 150
          },
          {
            "timestamp": "2026-05-28 22:01:56,718",
            "thread_id": "6892",
            "caller": "0x7ffc756e6579",
            "parentcaller": "0x7ffc756e4f8e",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00002308"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100080",
                "pretty_value": "FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "\\??\\MountPointManager"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "3",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000080",
                "pretty_value": "FILE_ATTRIBUTE_NORMAL"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 151
          },
          {
            "timestamp": "2026-05-28 22:01:56,718",
            "thread_id": "6892",
            "caller": "0x7ffc756e6579",
            "parentcaller": "0x7ffc756e5fe6",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00002308"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00120080",
                "pretty_value": "FILE_READ_ATTRIBUTES|READ_CONTROL|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "\\??\\Volume{528c102f-0000-0000-0000-300300000000}"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000080",
                "pretty_value": "FILE_ATTRIBUTE_NORMAL"
              },
              {
                "name": "ExistedBefore",
                "value": "no"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 152
          },
          {
            "timestamp": "2026-05-28 22:01:56,718",
            "thread_id": "6892",
            "caller": "0x7ffc75716f4c",
            "parentcaller": "0x7ffc6a475ccf",
            "category": "system",
            "api": "NtDuplicateObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SourceProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "SourceHandle",
                "value": "0xffffffff"
              },
              {
                "name": "TargetProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "TargetHandle",
                "value": "0x00002308"
              },
              {
                "name": "Options",
                "value": "0x00000002"
              }
            ],
            "repeated": 0,
            "id": 153
          },
          {
            "timestamp": "2026-05-28 22:01:56,718",
            "thread_id": "6892",
            "caller": "0x7ffc77be92b9",
            "parentcaller": "0x7ffc77c2224d",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "00000339-0000-0000-C000-000000000046"
              },
              {
                "name": "ClsContext",
                "value": "0x00000403",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER|CLSCTX_NO_CODE_DOWNLOAD"
              },
              {
                "name": "riid",
                "value": "00000003-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 154
          },
          {
            "timestamp": "2026-05-28 22:01:56,718",
            "thread_id": "6892",
            "caller": "0x7ffc6a476ced",
            "parentcaller": "0x7ffc6a47816c",
            "category": "com",
            "api": "CoGetClassObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "A463FCB9-6B1C-4E0D-A80B-A2CA7999E25D"
              },
              {
                "name": "ClsContext",
                "value": "0x00100004",
                "pretty_value": "CLSCTX_LOCAL_SERVER|CLSCTX_ENABLE_CLOAKING"
              },
              {
                "name": "riid",
                "value": "00000001-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 155
          },
          {
            "timestamp": "2026-05-28 22:01:56,718",
            "thread_id": "6892",
            "caller": "0x7ffc77fde715",
            "parentcaller": "0x7ffc77fde37b",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x0d907000"
              },
              {
                "name": "RegionSize",
                "value": "0x00003000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 156
          },
          {
            "timestamp": "2026-05-28 22:01:56,718",
            "thread_id": "6892",
            "caller": "0x7ffc76791e0e",
            "parentcaller": "0x7ffc7677992c",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "CDC82860-468D-4D4E-B7E7-C298FF23AB2C"
              },
              {
                "name": "ClsContext",
                "value": "0x00000001",
                "pretty_value": "CLSCTX_INPROC_SERVER"
              },
              {
                "name": "riid",
                "value": "5632B1A4-E38A-400A-928A-D4CD63230295"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 157
          },
          {
            "timestamp": "2026-05-28 22:01:56,718",
            "thread_id": "6892",
            "caller": "0x7ffc7385574b",
            "parentcaller": "0x7ffc738550a2",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "F1C46D71-B791-4110-8D5C-7108F22C1010"
              },
              {
                "name": "ClsContext",
                "value": "0x00000001",
                "pretty_value": "CLSCTX_INPROC_SERVER"
              },
              {
                "name": "riid",
                "value": "8A43ED9F-F4E6-4421-ACF9-1DAB2986820C"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 158
          },
          {
            "timestamp": "2026-05-28 22:01:56,718",
            "thread_id": "6892",
            "caller": "0x7ffc756e56b2",
            "parentcaller": "0x7ffc738a58d4",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "shell32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76730000"
              }
            ],
            "repeated": 0,
            "id": 159
          },
          {
            "timestamp": "2026-05-28 22:01:56,718",
            "thread_id": "6892",
            "caller": "0x7ffc756e6579",
            "parentcaller": "0x7ffc7572c32f",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00002334"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\Taskmgr.exe"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "1",
                "pretty_value": "FILE_SHARE_READ"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 160
          },
          {
            "timestamp": "2026-05-28 22:01:56,718",
            "thread_id": "6892",
            "caller": "0x7ffc75716f4c",
            "parentcaller": "0x7ffc775d6fcb",
            "category": "system",
            "api": "NtDuplicateObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SourceProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "SourceHandle",
                "value": "0x00002334"
              },
              {
                "name": "TargetProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "TargetHandle",
                "value": "0x0000233c"
              },
              {
                "name": "Options",
                "value": "0x00000002"
              }
            ],
            "repeated": 0,
            "id": 161
          },
          {
            "timestamp": "2026-05-28 22:01:56,718",
            "thread_id": "6892",
            "caller": "0x7ffc756e6579",
            "parentcaller": "0x7ffc756e5fe6",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00002334"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\Taskmgr.exe"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 162
          },
          {
            "timestamp": "2026-05-28 22:01:56,718",
            "thread_id": "6892",
            "caller": "0x7ffc756e7786",
            "parentcaller": "0x7ffc756e5630",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x40000003",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00002344"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x11f60000"
              },
              {
                "name": "SectionOffset",
                "value": "0x00000000"
              },
              {
                "name": "ViewSize",
                "value": "0x00130000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 163
          },
          {
            "timestamp": "2026-05-28 22:01:56,718",
            "thread_id": "6892",
            "caller": "0x7ffc7801bb2a",
            "parentcaller": "0x7ffc7801b99e",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00002334"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100001",
                "pretty_value": "FILE_READ_ACCESS|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\en-US\\taskmgr.exe.mui"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 164
          },
          {
            "timestamp": "2026-05-28 22:01:56,718",
            "thread_id": "6892",
            "caller": "0x7ffc7801bbcc",
            "parentcaller": "0x7ffc7801b99e",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00002344"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x10e30000"
              },
              {
                "name": "SectionOffset",
                "value": "0x11f5c610"
              },
              {
                "name": "ViewSize",
                "value": "0x0000f000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 165
          },
          {
            "timestamp": "2026-05-28 22:01:56,718",
            "thread_id": "6892",
            "caller": "0x7ffc7803a871",
            "parentcaller": "0x7ffc756dad69",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x10e30000"
              },
              {
                "name": "RegionSize",
                "value": "0x0000f000"
              }
            ],
            "repeated": 0,
            "id": 166
          },
          {
            "timestamp": "2026-05-28 22:01:56,718",
            "thread_id": "6892",
            "caller": "0x7ffc756dad9e",
            "parentcaller": "0x7ffc756dbfbf",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x11f60000"
              },
              {
                "name": "RegionSize",
                "value": "0x00130000"
              }
            ],
            "repeated": 0,
            "id": 167
          },
          {
            "timestamp": "2026-05-28 22:01:56,718",
            "thread_id": "6892",
            "caller": "0x7ffc756e6579",
            "parentcaller": "0x7ffc756e5fe6",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00002334"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\Taskmgr.exe"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 168
          },
          {
            "timestamp": "2026-05-28 22:01:56,718",
            "thread_id": "6892",
            "caller": "0x7ffc756e7786",
            "parentcaller": "0x7ffc756e5630",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x40000003",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00002344"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x11f60000"
              },
              {
                "name": "SectionOffset",
                "value": "0x00000000"
              },
              {
                "name": "ViewSize",
                "value": "0x00130000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 169
          },
          {
            "timestamp": "2026-05-28 22:01:56,718",
            "thread_id": "6892",
            "caller": "0x7ffc7801bb2a",
            "parentcaller": "0x7ffc7801b99e",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00002334"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100001",
                "pretty_value": "FILE_READ_ACCESS|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\en-US\\taskmgr.exe.mui"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 170
          },
          {
            "timestamp": "2026-05-28 22:01:56,718",
            "thread_id": "6892",
            "caller": "0x7ffc7801bbcc",
            "parentcaller": "0x7ffc7801b99e",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00002344"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x10e30000"
              },
              {
                "name": "SectionOffset",
                "value": "0x11f5c600"
              },
              {
                "name": "ViewSize",
                "value": "0x0000f000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 171
          },
          {
            "timestamp": "2026-05-28 22:01:56,718",
            "thread_id": "6892",
            "caller": "0x7ffc7803a871",
            "parentcaller": "0x7ffc756dad69",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x10e30000"
              },
              {
                "name": "RegionSize",
                "value": "0x0000f000"
              }
            ],
            "repeated": 0,
            "id": 172
          },
          {
            "timestamp": "2026-05-28 22:01:56,718",
            "thread_id": "6892",
            "caller": "0x7ffc756dad9e",
            "parentcaller": "0x7ffc756db638",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x11f60000"
              },
              {
                "name": "RegionSize",
                "value": "0x00130000"
              }
            ],
            "repeated": 0,
            "id": 173
          },
          {
            "timestamp": "2026-05-28 22:01:56,718",
            "thread_id": "6892",
            "caller": "0x7ffc756e6579",
            "parentcaller": "0x7ffc756e5fe6",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00002334"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\Taskmgr.exe"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 174
          },
          {
            "timestamp": "2026-05-28 22:01:56,718",
            "thread_id": "6892",
            "caller": "0x7ffc756e7786",
            "parentcaller": "0x7ffc756e5630",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x40000003",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00002344"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x11f60000"
              },
              {
                "name": "SectionOffset",
                "value": "0x00000000"
              },
              {
                "name": "ViewSize",
                "value": "0x00130000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 175
          },
          {
            "timestamp": "2026-05-28 22:01:56,718",
            "thread_id": "6892",
            "caller": "0x7ffc756dad9e",
            "parentcaller": "0x7ffc756dbfbf",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x11f60000"
              },
              {
                "name": "RegionSize",
                "value": "0x00130000"
              }
            ],
            "repeated": 0,
            "id": 176
          },
          {
            "timestamp": "2026-05-28 22:01:56,718",
            "thread_id": "6892",
            "caller": "0x7ffc756e6579",
            "parentcaller": "0x7ffc756e5fe6",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00002334"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\Taskmgr.exe"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 177
          },
          {
            "timestamp": "2026-05-28 22:01:56,718",
            "thread_id": "6892",
            "caller": "0x7ffc756e7786",
            "parentcaller": "0x7ffc756e5630",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x40000003",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00002344"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x11f60000"
              },
              {
                "name": "SectionOffset",
                "value": "0x00000000"
              },
              {
                "name": "ViewSize",
                "value": "0x00130000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 178
          },
          {
            "timestamp": "2026-05-28 22:01:56,718",
            "thread_id": "6892",
            "caller": "0x7ffc756dad9e",
            "parentcaller": "0x7ffc756db638",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x11f60000"
              },
              {
                "name": "RegionSize",
                "value": "0x00130000"
              }
            ],
            "repeated": 0,
            "id": 179
          },
          {
            "timestamp": "2026-05-28 22:01:56,718",
            "thread_id": "6892",
            "caller": "0x7ffc7385515a",
            "parentcaller": "0x7ffc73851038",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "660B90C8-73A9-4B58-8CAE-355B7F55341B"
              },
              {
                "name": "ClsContext",
                "value": "0x00000003",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER"
              },
              {
                "name": "riid",
                "value": "21CBC515-2DDE-4D66-8292-BA34BD25094A"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 180
          },
          {
            "timestamp": "2026-05-28 22:01:56,718",
            "thread_id": "2604",
            "caller": "0x7ffc77be92b9",
            "parentcaller": "0x7ffc77c2224d",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "00000338-0000-0000-C000-000000000046"
              },
              {
                "name": "ClsContext",
                "value": "0x00000403",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER|CLSCTX_NO_CODE_DOWNLOAD"
              },
              {
                "name": "riid",
                "value": "00000003-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 181
          },
          {
            "timestamp": "2026-05-28 22:01:56,718",
            "thread_id": "4636",
            "caller": "0x7ffc77be92b9",
            "parentcaller": "0x7ffc77c2224d",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "00000339-0000-0000-C000-000000000046"
              },
              {
                "name": "ClsContext",
                "value": "0x00000403",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER|CLSCTX_NO_CODE_DOWNLOAD"
              },
              {
                "name": "riid",
                "value": "00000003-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 182
          },
          {
            "timestamp": "2026-05-28 22:01:56,718",
            "thread_id": "4636",
            "caller": "0x7ffc73969aa2",
            "parentcaller": "0x7ffc7396ac92",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "C2F03A33-21F5-47FA-B4BB-156362A2F239"
              },
              {
                "name": "ClsContext",
                "value": "0x00000004",
                "pretty_value": "CLSCTX_LOCAL_SERVER"
              },
              {
                "name": "riid",
                "value": "6D5140C1-7436-11CE-8034-00AA006009FA"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 183
          },
          {
            "timestamp": "2026-05-28 22:01:56,718",
            "thread_id": "6892",
            "caller": "0x7ffc7570c5f2",
            "parentcaller": "0x7ffc75709666",
            "category": "process",
            "api": "NtCreateUserProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00002338"
              },
              {
                "name": "ThreadHandle",
                "value": "0x00002340"
              },
              {
                "name": "ProcessDesiredAccess",
                "value": "0x02000000"
              },
              {
                "name": "ThreadDesiredAccess",
                "value": "0x02000000"
              },
              {
                "name": "ProcessFileName",
                "value": ""
              },
              {
                "name": "ThreadName",
                "value": ""
              },
              {
                "name": "ImagePathName",
                "value": "C:\\Windows\\system32\\taskmgr.exe"
              },
              {
                "name": "CommandLine",
                "value": "\"C:\\Windows\\system32\\taskmgr.exe\" /4"
              },
              {
                "name": "DllPath",
                "value": ""
              },
              {
                "name": "ProcessId",
                "value": "7912"
              }
            ],
            "repeated": 0,
            "id": 184
          },
          {
            "timestamp": "2026-05-28 22:01:56,749",
            "thread_id": "6892",
            "caller": "0x7ffc75709666",
            "parentcaller": "0x7ffc7604cec4",
            "category": "process",
            "api": "CreateProcessInternalW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ApplicationName",
                "value": "C:\\Windows\\system32\\taskmgr.exe"
              },
              {
                "name": "CommandLine",
                "value": "\"C:\\Windows\\system32\\taskmgr.exe\" /4"
              },
              {
                "name": "CreationFlags",
                "value": "0x04080414",
                "pretty_value": "CREATE_SUSPENDED|CREATE_NEW_CONSOLE|CREATE_UNICODE_ENVIRONMENT|EXTENDED_STARTUPINFO_PRESENT|CREATE_DEFAULT_ERROR_MODE"
              },
              {
                "name": "ProcessId",
                "value": "7912"
              },
              {
                "name": "ThreadId",
                "value": "1496"
              },
              {
                "name": "ParentHandle",
                "value": "0xffffffff"
              },
              {
                "name": "ProcessHandle",
                "value": "0x00002338"
              },
              {
                "name": "ThreadHandle",
                "value": "0x00002340"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 185
          },
          {
            "timestamp": "2026-05-28 22:01:56,749",
            "thread_id": "6892",
            "caller": "0x7ffc7802fc9c",
            "parentcaller": "0x7ffc7802fa80",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00002334"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100021",
                "pretty_value": "FILE_READ_ACCESS|FILE_EXECUTE|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\pcacli.dll"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 186
          },
          {
            "timestamp": "2026-05-28 22:01:56,749",
            "thread_id": "6892",
            "caller": "0x7ffc77fe4d42",
            "parentcaller": "0x7ffc77fe4aaa",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x0000233c"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc66d50000"
              },
              {
                "name": "SectionOffset",
                "value": "0x00000000"
              },
              {
                "name": "ViewSize",
                "value": "0x00016000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000080",
                "pretty_value": "PAGE_EXECUTE_WRITECOPY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 187
          },
          {
            "timestamp": "2026-05-28 22:01:56,749",
            "thread_id": "6892",
            "caller": "0x7ffc7802fc9c",
            "parentcaller": "0x7ffc7802f7b0",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00002334"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100021",
                "pretty_value": "FILE_READ_ACCESS|FILE_EXECUTE|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\mpr.dll"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 188
          },
          {
            "timestamp": "2026-05-28 22:01:56,749",
            "thread_id": "6892",
            "caller": "0x7ffc77fe4d42",
            "parentcaller": "0x7ffc77fe4aaa",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x0000233c"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc64ec0000"
              },
              {
                "name": "SectionOffset",
                "value": "0x00000000"
              },
              {
                "name": "ViewSize",
                "value": "0x0001d000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000080",
                "pretty_value": "PAGE_EXECUTE_WRITECOPY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 189
          },
          {
            "timestamp": "2026-05-28 22:01:56,749",
            "thread_id": "6892",
            "caller": "0x7ffc77fe4d42",
            "parentcaller": "0x7ffc77fe4aaa",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\SYSTEM32\\MPR"
              },
              {
                "name": "DllBase",
                "value": "0x7ffc64ec0000"
              }
            ],
            "repeated": 0,
            "id": 190
          },
          {
            "timestamp": "2026-05-28 22:01:56,749",
            "thread_id": "6892",
            "caller": "0x7ffc77fe4d42",
            "parentcaller": "0x7ffc77fe4aaa",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\SYSTEM32\\pcacli"
              },
              {
                "name": "DllBase",
                "value": "0x7ffc66d50000"
              }
            ],
            "repeated": 0,
            "id": 191
          },
          {
            "timestamp": "2026-05-28 22:01:56,749",
            "thread_id": "6892",
            "caller": "0x7ffc756e56b2",
            "parentcaller": "0x7ffc66d5264d",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "ntdll.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc77fd0000"
              }
            ],
            "repeated": 0,
            "id": 192
          },
          {
            "timestamp": "2026-05-28 22:01:56,749",
            "thread_id": "6892",
            "caller": "0x7ffc756e56b2",
            "parentcaller": "0x7ffc66d5170e",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\System32\\sfc_os"
              },
              {
                "name": "DllBase",
                "value": "0x7ffc630f0000"
              }
            ],
            "repeated": 0,
            "id": 193
          },
          {
            "timestamp": "2026-05-28 22:01:56,749",
            "thread_id": "6892",
            "caller": "0x7ffc756e56b2",
            "parentcaller": "0x7ffc66d5170e",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\sfc_os.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc630f0000"
              }
            ],
            "repeated": 0,
            "id": 194
          },
          {
            "timestamp": "2026-05-28 22:01:56,749",
            "thread_id": "6892",
            "caller": "0x7ffc630f1284",
            "parentcaller": "0x7ffc630f113e",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00002180"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00120089",
                "pretty_value": "FILE_GENERIC_READ"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\WinSxS\\FileMaps\\$$_system32_21f9a9c4a2f8b514.cdf-ms"
              },
              {
                "name": "ShareAccess",
                "value": "1",
                "pretty_value": "FILE_SHARE_READ"
              }
            ],
            "repeated": 0,
            "id": 195
          },
          {
            "timestamp": "2026-05-28 22:01:56,749",
            "thread_id": "6892",
            "caller": "0x7ffc630f13fd",
            "parentcaller": "0x7ffc630f12af",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x0000217c"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7df47ab70000"
              },
              {
                "name": "SectionOffset",
                "value": "0x00000000"
              },
              {
                "name": "ViewSize",
                "value": "0x000b7000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 196
          },
          {
            "timestamp": "2026-05-28 22:01:56,749",
            "thread_id": "6892",
            "caller": "0x7ffc77fde715",
            "parentcaller": "0x7ffc77fde37b",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x0d90a000"
              },
              {
                "name": "RegionSize",
                "value": "0x00029000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 197
          },
          {
            "timestamp": "2026-05-28 22:01:56,749",
            "thread_id": "6892",
            "caller": "0x7ffc77fde715",
            "parentcaller": "0x7ffc77fde37b",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x0d933000"
              },
              {
                "name": "RegionSize",
                "value": "0x0000d000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 198
          },
          {
            "timestamp": "2026-05-28 22:01:56,749",
            "thread_id": "6892",
            "caller": "0x7ffc630f14f9",
            "parentcaller": "0x7ffc630f11ec",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7df47ab70000"
              },
              {
                "name": "RegionSize",
                "value": "0x000b7000"
              }
            ],
            "repeated": 0,
            "id": 199
          },
          {
            "timestamp": "2026-05-28 22:01:56,764",
            "thread_id": "6892",
            "caller": "0x7ffc7572f430",
            "parentcaller": "0x7ffc73902a9b",
            "category": "threading",
            "api": "NtResumeThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0x00002340"
              },
              {
                "name": "SuspendCount",
                "value": "1"
              },
              {
                "name": "ThreadId",
                "value": "1496"
              },
              {
                "name": "ProcessId",
                "value": "7912"
              }
            ],
            "repeated": 0,
            "id": 200
          },
          {
            "timestamp": "2026-05-28 22:01:56,764",
            "thread_id": "6892",
            "caller": "0x7ffc77b9f303",
            "parentcaller": "0x7ffc77b9e7f3",
            "category": "com",
            "api": "CoCreateInstanceEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "9AC9FBE1-E0A2-4AD6-B4EE-E212013EA917"
              },
              {
                "name": "ClsContext",
                "value": "0x00000403",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER|CLSCTX_NO_CODE_DOWNLOAD"
              },
              {
                "name": "ServerName",
                "value": ""
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 201
          },
          {
            "timestamp": "2026-05-28 22:01:56,764",
            "thread_id": "4668",
            "caller": "0x7ff65e0a9aa2",
            "parentcaller": "0x7ff65e220a68",
            "category": "process",
            "api": "ShellExecuteExW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "FilePath",
                "value": "%SystemRoot%\\system32\\taskmgr.exe"
              },
              {
                "name": "Parameters",
                "value": "/4"
              },
              {
                "name": "Show",
                "value": "1",
                "pretty_value": "SW_SHOWNORMAL"
              }
            ],
            "repeated": 0,
            "id": 202
          },
          {
            "timestamp": "2026-05-28 22:01:57,249",
            "thread_id": "5020",
            "caller": "0x7ffc756dfcb5",
            "parentcaller": "0x7ffc75725984",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000022c8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100001",
                "pretty_value": "FILE_READ_ACCESS|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 203
          },
          {
            "timestamp": "2026-05-28 22:01:57,249",
            "thread_id": "5020",
            "caller": "0x7ffc756dfcb5",
            "parentcaller": "0x7ffc75725984",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000022c8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100001",
                "pretty_value": "FILE_READ_ACCESS|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 204
          },
          {
            "timestamp": "2026-05-28 22:01:57,249",
            "thread_id": "5020",
            "caller": "0x7ffc756dfcb5",
            "parentcaller": "0x7ffc75725984",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000022c8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100001",
                "pretty_value": "FILE_READ_ACCESS|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 205
          },
          {
            "timestamp": "2026-05-28 22:01:57,358",
            "thread_id": "4884",
            "caller": "0x7ffc6085e757",
            "parentcaller": "0x7ffc6050686e",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "660B90C8-73A9-4B58-8CAE-355B7F55341B"
              },
              {
                "name": "ClsContext",
                "value": "0x00000003",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER"
              },
              {
                "name": "riid",
                "value": "DE25675A-72DE-44B4-9373-05170450C140"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 206
          },
          {
            "timestamp": "2026-05-28 22:01:57,358",
            "thread_id": "4884",
            "caller": "0x7ffc756dfcb5",
            "parentcaller": "0x7ffc75725984",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000021c0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100001",
                "pretty_value": "FILE_READ_ACCESS|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 207
          },
          {
            "timestamp": "2026-05-28 22:01:57,358",
            "thread_id": "4884",
            "caller": "0x7ffc756dfcb5",
            "parentcaller": "0x7ffc75725984",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000021c0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100001",
                "pretty_value": "FILE_READ_ACCESS|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 208
          },
          {
            "timestamp": "2026-05-28 22:01:57,358",
            "thread_id": "4884",
            "caller": "0x7ffc756dfcb5",
            "parentcaller": "0x7ffc75725984",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000021c0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100001",
                "pretty_value": "FILE_READ_ACCESS|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 209
          },
          {
            "timestamp": "2026-05-28 22:01:57,389",
            "thread_id": "4884",
            "caller": "0x7ffc6299c07b",
            "parentcaller": "0x7ffc6299c564",
            "category": "com",
            "api": "CoCreateInstance",
            "status": false,
            "return": "0xffffffff8001010d",
            "arguments": [
              {
                "name": "rclsid",
                "value": "3480A401-BDE9-4407-BC02-798A866AC051"
              },
              {
                "name": "ClsContext",
                "value": "0x00000004",
                "pretty_value": "CLSCTX_LOCAL_SERVER"
              },
              {
                "name": "riid",
                "value": "0F4ACCB1-D8F9-4011-BA37-2557925A78CF"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 210
          },
          {
            "timestamp": "2026-05-28 22:01:57,389",
            "thread_id": "4884",
            "caller": "0x7ffc6299c12b",
            "parentcaller": "0x7ffc6299c564",
            "category": "com",
            "api": "CoCreateInstance",
            "status": false,
            "return": "0xffffffff8001010d",
            "arguments": [
              {
                "name": "rclsid",
                "value": "C2F03A33-21F5-47FA-B4BB-156362A2F239"
              },
              {
                "name": "ClsContext",
                "value": "0x00000004",
                "pretty_value": "CLSCTX_LOCAL_SERVER"
              },
              {
                "name": "riid",
                "value": "6D5140C1-7436-11CE-8034-00AA006009FA"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 211
          },
          {
            "timestamp": "2026-05-28 22:01:57,389",
            "thread_id": "4884",
            "caller": "0x7ffc5e7ed59f",
            "parentcaller": "0x7ffc5e82c80c",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000021d0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00120089",
                "pretty_value": "FILE_GENERIC_READ"
              },
              {
                "name": "FileName",
                "value": "\\Device\\Bam"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 212
          },
          {
            "timestamp": "2026-05-28 22:01:57,389",
            "thread_id": "4668",
            "caller": "0x7ff65e07b354",
            "parentcaller": "0x7ff65e07b12e",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "shell32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76730000"
              }
            ],
            "repeated": 0,
            "id": 213
          },
          {
            "timestamp": "2026-05-28 22:01:57,389",
            "thread_id": "4884",
            "caller": "0x7ffc5e7ed59f",
            "parentcaller": "0x7ffc5e82c80c",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00002314"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00120089",
                "pretty_value": "FILE_GENERIC_READ"
              },
              {
                "name": "FileName",
                "value": "\\Device\\Bam"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 214
          },
          {
            "timestamp": "2026-05-28 22:01:57,389",
            "thread_id": "4884",
            "caller": "0x7ffc5e7ee842",
            "parentcaller": "0x7ffc5e7ed62c",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x0000236c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00120089",
                "pretty_value": "FILE_GENERIC_READ"
              },
              {
                "name": "FileName",
                "value": "\\Device\\Bam"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 215
          },
          {
            "timestamp": "2026-05-28 22:01:57,389",
            "thread_id": "4640",
            "caller": "0x7ff65e03ca89",
            "parentcaller": "0x7ff65e03c93f",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00002024"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\apppatch\\sysmain.sdb"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000080",
                "pretty_value": "FILE_ATTRIBUTE_NORMAL"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 216
          },
          {
            "timestamp": "2026-05-28 22:01:57,389",
            "thread_id": "5208",
            "caller": "0x7ff65e079d60",
            "parentcaller": "0x7ff65e079c74",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "shell32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76730000"
              }
            ],
            "repeated": 0,
            "id": 217
          },
          {
            "timestamp": "2026-05-28 22:01:57,389",
            "thread_id": "4640",
            "caller": "0x7ff65e03c67f",
            "parentcaller": "0x7ff65e03c407",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x000021d0"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7df47a840000"
              },
              {
                "name": "SectionOffset",
                "value": "0x00000000"
              },
              {
                "name": "ViewSize",
                "value": "0x003e3000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 218
          },
          {
            "timestamp": "2026-05-28 22:01:57,389",
            "thread_id": "5208",
            "caller": "0x7ff65e079d60",
            "parentcaller": "0x7ff65e079c74",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000022d8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100001",
                "pretty_value": "FILE_READ_ACCESS|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 219
          },
          {
            "timestamp": "2026-05-28 22:01:57,389",
            "thread_id": "5208",
            "caller": "0x7ff65e079d60",
            "parentcaller": "0x7ff65e079c74",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000022d8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100001",
                "pretty_value": "FILE_READ_ACCESS|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 220
          },
          {
            "timestamp": "2026-05-28 22:01:57,389",
            "thread_id": "5208",
            "caller": "0x7ff65e079d60",
            "parentcaller": "0x7ff65e079c74",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000022d8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100001",
                "pretty_value": "FILE_READ_ACCESS|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 221
          },
          {
            "timestamp": "2026-05-28 22:01:57,389",
            "thread_id": "4884",
            "caller": "0x7ffc7604b8ed",
            "parentcaller": "0x7ffc775c5341",
            "category": "threading",
            "api": "CreateRemoteThreadEx",
            "status": true,
            "return": "0x000020d4",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "StartRoutine",
                "value": "0x7ffc775c53d0"
              },
              {
                "name": "Parameter",
                "value": "0x040bd3b0"
              },
              {
                "name": "CreationFlags",
                "value": "0x00000004"
              },
              {
                "name": "ThreadId",
                "value": "1096"
              },
              {
                "name": "ProcessId",
                "value": "4584"
              }
            ],
            "repeated": 0,
            "id": 222
          },
          {
            "timestamp": "2026-05-28 22:01:57,389",
            "thread_id": "4884",
            "caller": "0x7ffc7572f430",
            "parentcaller": "0x7ffc775c5379",
            "category": "threading",
            "api": "NtResumeThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0x000020d4"
              },
              {
                "name": "SuspendCount",
                "value": "1"
              },
              {
                "name": "ThreadId",
                "value": "1096"
              },
              {
                "name": "ProcessId",
                "value": "4584"
              }
            ],
            "repeated": 0,
            "id": 223
          },
          {
            "timestamp": "2026-05-28 22:01:57,405",
            "thread_id": "4640",
            "caller": "0x7ff65e03a878",
            "parentcaller": "0x7ff65e03a7ba",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7df47a840000"
              },
              {
                "name": "RegionSize",
                "value": "0x003e3000"
              }
            ],
            "repeated": 0,
            "id": 224
          },
          {
            "timestamp": "2026-05-28 22:01:57,405",
            "thread_id": "4628",
            "caller": "0x7ffc75703013",
            "parentcaller": "0x7ffc5e83672b",
            "category": "filesystem",
            "api": "NtSetInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00001850"
              },
              {
                "name": "HandleName",
                "value": "C:\\Users\\admin\\AppData\\Local\\Microsoft\\GameDVR\\KnownGameList.bin"
              },
              {
                "name": "FileInformationClass",
                "value": "14",
                "pretty_value": "FilePositionInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\xf0P\\x07\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 225
          },
          {
            "timestamp": "2026-05-28 22:01:57,405",
            "thread_id": "2604",
            "caller": "0x7ff65e0799ca",
            "parentcaller": "0x7ff65e07a869",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "660B90C8-73A9-4B58-8CAE-355B7F55341B"
              },
              {
                "name": "ClsContext",
                "value": "0x00000003",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER"
              },
              {
                "name": "riid",
                "value": "DE25675A-72DE-44B4-9373-05170450C140"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 226
          },
          {
            "timestamp": "2026-05-28 22:01:57,405",
            "thread_id": "2604",
            "caller": "0x7ff65e07bdd2",
            "parentcaller": "0x7ff65e07a52a",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000021d0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100001",
                "pretty_value": "FILE_READ_ACCESS|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 227
          },
          {
            "timestamp": "2026-05-28 22:01:57,405",
            "thread_id": "2604",
            "caller": "0x7ff65e07bdd2",
            "parentcaller": "0x7ff65e07a52a",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00002024"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100001",
                "pretty_value": "FILE_READ_ACCESS|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 228
          },
          {
            "timestamp": "2026-05-28 22:01:57,405",
            "thread_id": "2604",
            "caller": "0x7ff65e07bdd2",
            "parentcaller": "0x7ff65e07a52a",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00002024"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100001",
                "pretty_value": "FILE_READ_ACCESS|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 229
          },
          {
            "timestamp": "2026-05-28 22:01:57,405",
            "thread_id": "2604",
            "caller": "0x7ff65e07a552",
            "parentcaller": "0x7ff65e079a4f",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "shell32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76730000"
              }
            ],
            "repeated": 0,
            "id": 230
          },
          {
            "timestamp": "2026-05-28 22:01:57,405",
            "thread_id": "2604",
            "caller": "0x7ff65e07a552",
            "parentcaller": "0x7ff65e079a4f",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00002024"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100001",
                "pretty_value": "FILE_READ_ACCESS|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 231
          },
          {
            "timestamp": "2026-05-28 22:01:57,405",
            "thread_id": "2604",
            "caller": "0x7ff65e07a552",
            "parentcaller": "0x7ff65e079a4f",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00002024"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100001",
                "pretty_value": "FILE_READ_ACCESS|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 232
          },
          {
            "timestamp": "2026-05-28 22:01:57,405",
            "thread_id": "2604",
            "caller": "0x7ff65e07a552",
            "parentcaller": "0x7ff65e079a4f",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00002024"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100001",
                "pretty_value": "FILE_READ_ACCESS|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 233
          },
          {
            "timestamp": "2026-05-28 22:01:57,405",
            "thread_id": "4668",
            "caller": "0x7ff65e07a06e",
            "parentcaller": "0x7ff65e078f2b",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "660B90C8-73A9-4B58-8CAE-355B7F55341B"
              },
              {
                "name": "ClsContext",
                "value": "0x00000003",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER"
              },
              {
                "name": "riid",
                "value": "DE25675A-72DE-44B4-9373-05170450C140"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 234
          },
          {
            "timestamp": "2026-05-28 22:01:57,405",
            "thread_id": "4668",
            "caller": "0x7ff65e07a0c1",
            "parentcaller": "0x7ff65e078f2b",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "shell32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76730000"
              }
            ],
            "repeated": 0,
            "id": 235
          },
          {
            "timestamp": "2026-05-28 22:01:57,405",
            "thread_id": "4668",
            "caller": "0x7ff65e07a06e",
            "parentcaller": "0x7ff65e066f8c",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "660B90C8-73A9-4B58-8CAE-355B7F55341B"
              },
              {
                "name": "ClsContext",
                "value": "0x00000003",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER"
              },
              {
                "name": "riid",
                "value": "DE25675A-72DE-44B4-9373-05170450C140"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 236
          },
          {
            "timestamp": "2026-05-28 22:01:57,405",
            "thread_id": "4668",
            "caller": "0x7ff65e07a0c1",
            "parentcaller": "0x7ff65e066f8c",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "shell32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76730000"
              }
            ],
            "repeated": 0,
            "id": 237
          },
          {
            "timestamp": "2026-05-28 22:01:57,405",
            "thread_id": "4668",
            "caller": "0x7ff65e07a06e",
            "parentcaller": "0x7ff65e078f2b",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "660B90C8-73A9-4B58-8CAE-355B7F55341B"
              },
              {
                "name": "ClsContext",
                "value": "0x00000003",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER"
              },
              {
                "name": "riid",
                "value": "DE25675A-72DE-44B4-9373-05170450C140"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 238
          },
          {
            "timestamp": "2026-05-28 22:01:57,405",
            "thread_id": "4668",
            "caller": "0x7ff65e07a0c1",
            "parentcaller": "0x7ff65e078f2b",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "shell32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76730000"
              }
            ],
            "repeated": 0,
            "id": 239
          },
          {
            "timestamp": "2026-05-28 22:01:57,421",
            "thread_id": "3452",
            "caller": "0x7ffc77be92b9",
            "parentcaller": "0x7ffc77c21dfa",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "00000344-0000-0000-C000-000000000046"
              },
              {
                "name": "ClsContext",
                "value": "0x00000403",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER|CLSCTX_NO_CODE_DOWNLOAD"
              },
              {
                "name": "riid",
                "value": "00000003-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 1,
            "id": 240
          },
          {
            "timestamp": "2026-05-28 22:01:57,421",
            "thread_id": "1096",
            "caller": "0x7ffc5d634428",
            "parentcaller": "0x7ffc5d633a03",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "F0AE1542-F497-484B-A175-A20DB09144BA"
              },
              {
                "name": "ClsContext",
                "value": "0x00000001",
                "pretty_value": "CLSCTX_INPROC_SERVER"
              },
              {
                "name": "riid",
                "value": "8DC24A1A-6314-4769-9D68-179786F4CED6"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 241
          },
          {
            "timestamp": "2026-05-28 22:01:57,421",
            "thread_id": "3452",
            "caller": "0x7ffc756e9dd2",
            "parentcaller": "0x7ffc73849e99",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": false,
            "return": "0xffffffffc0000035",
            "pretty_return": "OBJECT_NAME_COLLISION",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x4574f454d"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100001",
                "pretty_value": "FILE_READ_ACCESS|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Users\\admin\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\AutomaticDestinations"
              },
              {
                "name": "CreateDisposition",
                "value": "2",
                "pretty_value": "FILE_CREATE"
              },
              {
                "name": "ShareAccess",
                "value": "3",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000080",
                "pretty_value": "FILE_ATTRIBUTE_NORMAL"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 242
          },
          {
            "timestamp": "2026-05-28 22:01:57,421",
            "thread_id": "1096",
            "caller": "0x7ffc756e56b2",
            "parentcaller": "0x7ffc738a58d4",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "shell32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76730000"
              }
            ],
            "repeated": 0,
            "id": 243
          },
          {
            "timestamp": "2026-05-28 22:01:57,421",
            "thread_id": "1096",
            "caller": "0x7ffc738a5882",
            "parentcaller": "0x7ffc738a8f55",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "4234D49B-0245-4DF3-B780-3893943456E1"
              },
              {
                "name": "ClsContext",
                "value": "0x00000401",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_NO_CODE_DOWNLOAD"
              },
              {
                "name": "riid",
                "value": "000214E6-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 244
          },
          {
            "timestamp": "2026-05-28 22:01:57,421",
            "thread_id": "1096",
            "caller": "0x7ffc610f58e1",
            "parentcaller": "0x7ffc610f5ef1",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "660B90C8-73A9-4B58-8CAE-355B7F55341B"
              },
              {
                "name": "ClsContext",
                "value": "0x00000003",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER"
              },
              {
                "name": "riid",
                "value": "02C5CCF3-805F-4654-A7B7-340A74335365"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 245
          },
          {
            "timestamp": "2026-05-28 22:01:57,421",
            "thread_id": "1096",
            "caller": "0x7ffc75716f4c",
            "parentcaller": "0x7ffc77b96d2f",
            "category": "system",
            "api": "NtDuplicateObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SourceProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "SourceHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "TargetProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "TargetHandle",
                "value": "0x000021b0"
              },
              {
                "name": "Options",
                "value": "0x00000002"
              }
            ],
            "repeated": 0,
            "id": 246
          },
          {
            "timestamp": "2026-05-28 22:01:57,468",
            "thread_id": "4668",
            "caller": "0x7ff65e09a1eb",
            "parentcaller": "0x7ff65e0aef5d",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00002364"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100001",
                "pretty_value": "FILE_READ_ACCESS|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\Taskmgr.exe"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 247
          },
          {
            "timestamp": "2026-05-28 22:01:57,468",
            "thread_id": "4668",
            "caller": "0x7ff65e09a1eb",
            "parentcaller": "0x7ff65e0aef5d",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00002360"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x11fa0000"
              },
              {
                "name": "SectionOffset",
                "value": "0x00000000"
              },
              {
                "name": "ViewSize",
                "value": "0x00129000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 248
          },
          {
            "timestamp": "2026-05-28 22:01:57,468",
            "thread_id": "4668",
            "caller": "0x7ff65e09a1eb",
            "parentcaller": "0x7ff65e0aef5d",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x11fa0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00129000"
              }
            ],
            "repeated": 0,
            "id": 249
          },
          {
            "timestamp": "2026-05-28 22:01:57,468",
            "thread_id": "4668",
            "caller": "0x7ff65e0623a8",
            "parentcaller": "0x7ff65e062e19",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00002368"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100001",
                "pretty_value": "FILE_READ_ACCESS|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\Taskmgr.exe"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 250
          },
          {
            "timestamp": "2026-05-28 22:01:57,468",
            "thread_id": "4668",
            "caller": "0x7ff65e0623a8",
            "parentcaller": "0x7ff65e062e19",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x000021d0"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x11fa0000"
              },
              {
                "name": "SectionOffset",
                "value": "0x00000000"
              },
              {
                "name": "ViewSize",
                "value": "0x00129000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 251
          },
          {
            "timestamp": "2026-05-28 22:01:57,468",
            "thread_id": "4668",
            "caller": "0x7ff65e0623a8",
            "parentcaller": "0x7ff65e062e19",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x11fa0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00129000"
              }
            ],
            "repeated": 0,
            "id": 252
          },
          {
            "timestamp": "2026-05-28 22:01:57,468",
            "thread_id": "4668",
            "caller": "0x7ff65e09a1eb",
            "parentcaller": "0x7ff65e0aef5d",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00002368"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100001",
                "pretty_value": "FILE_READ_ACCESS|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\Taskmgr.exe"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 253
          },
          {
            "timestamp": "2026-05-28 22:01:57,468",
            "thread_id": "4668",
            "caller": "0x7ff65e09a1eb",
            "parentcaller": "0x7ff65e0aef5d",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x000021d0"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x11fa0000"
              },
              {
                "name": "SectionOffset",
                "value": "0x00000000"
              },
              {
                "name": "ViewSize",
                "value": "0x00129000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 254
          },
          {
            "timestamp": "2026-05-28 22:01:57,468",
            "thread_id": "4668",
            "caller": "0x7ff65e09a1eb",
            "parentcaller": "0x7ff65e0aef5d",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x11fa0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00129000"
              }
            ],
            "repeated": 0,
            "id": 255
          },
          {
            "timestamp": "2026-05-28 22:01:57,468",
            "thread_id": "4668",
            "caller": "0x7ff65e0623a8",
            "parentcaller": "0x7ff65e062e19",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00002368"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100001",
                "pretty_value": "FILE_READ_ACCESS|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\Taskmgr.exe"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 256
          },
          {
            "timestamp": "2026-05-28 22:01:57,468",
            "thread_id": "4668",
            "caller": "0x7ff65e0623a8",
            "parentcaller": "0x7ff65e062e19",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x000021d0"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x11fa0000"
              },
              {
                "name": "SectionOffset",
                "value": "0x00000000"
              },
              {
                "name": "ViewSize",
                "value": "0x00129000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 257
          },
          {
            "timestamp": "2026-05-28 22:01:57,468",
            "thread_id": "4668",
            "caller": "0x7ff65e0623a8",
            "parentcaller": "0x7ff65e062e19",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x11fa0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00129000"
              }
            ],
            "repeated": 0,
            "id": 258
          },
          {
            "timestamp": "2026-05-28 22:01:57,468",
            "thread_id": "4668",
            "caller": "0x7ff65e09a1eb",
            "parentcaller": "0x7ff65e0aef5d",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000021d0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100001",
                "pretty_value": "FILE_READ_ACCESS|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\Taskmgr.exe"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 259
          },
          {
            "timestamp": "2026-05-28 22:01:57,468",
            "thread_id": "4668",
            "caller": "0x7ff65e09a1eb",
            "parentcaller": "0x7ff65e0aef5d",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00002364"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x11fa0000"
              },
              {
                "name": "SectionOffset",
                "value": "0x00000000"
              },
              {
                "name": "ViewSize",
                "value": "0x00129000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 260
          },
          {
            "timestamp": "2026-05-28 22:01:57,468",
            "thread_id": "4668",
            "caller": "0x7ff65e09a1eb",
            "parentcaller": "0x7ff65e0aef5d",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x11fa0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00129000"
              }
            ],
            "repeated": 0,
            "id": 261
          },
          {
            "timestamp": "2026-05-28 22:01:57,468",
            "thread_id": "4668",
            "caller": "0x7ff65e0623a8",
            "parentcaller": "0x7ff65e062e19",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000021d0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100001",
                "pretty_value": "FILE_READ_ACCESS|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\Taskmgr.exe"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 262
          },
          {
            "timestamp": "2026-05-28 22:01:57,468",
            "thread_id": "4668",
            "caller": "0x7ff65e0623a8",
            "parentcaller": "0x7ff65e062e19",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00002368"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x11fa0000"
              },
              {
                "name": "SectionOffset",
                "value": "0x00000000"
              },
              {
                "name": "ViewSize",
                "value": "0x00129000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 263
          },
          {
            "timestamp": "2026-05-28 22:01:57,468",
            "thread_id": "4668",
            "caller": "0x7ff65e0623a8",
            "parentcaller": "0x7ff65e062e19",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x11fa0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00129000"
              }
            ],
            "repeated": 0,
            "id": 264
          },
          {
            "timestamp": "2026-05-28 22:01:57,483",
            "thread_id": "4668",
            "caller": "0x7ff65e09a1eb",
            "parentcaller": "0x7ff65e0aef5d",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00002364"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100001",
                "pretty_value": "FILE_READ_ACCESS|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\Taskmgr.exe"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 265
          },
          {
            "timestamp": "2026-05-28 22:01:57,483",
            "thread_id": "4668",
            "caller": "0x7ff65e09a1eb",
            "parentcaller": "0x7ff65e0aef5d",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00002360"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x11fa0000"
              },
              {
                "name": "SectionOffset",
                "value": "0x00000000"
              },
              {
                "name": "ViewSize",
                "value": "0x00129000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 266
          },
          {
            "timestamp": "2026-05-28 22:01:57,483",
            "thread_id": "4668",
            "caller": "0x7ff65e09a1eb",
            "parentcaller": "0x7ff65e0aef5d",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x11fa0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00129000"
              }
            ],
            "repeated": 0,
            "id": 267
          },
          {
            "timestamp": "2026-05-28 22:01:57,483",
            "thread_id": "4668",
            "caller": "0x7ff65e0623a8",
            "parentcaller": "0x7ff65e062e19",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00002364"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100001",
                "pretty_value": "FILE_READ_ACCESS|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\Taskmgr.exe"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 268
          },
          {
            "timestamp": "2026-05-28 22:01:57,483",
            "thread_id": "4668",
            "caller": "0x7ff65e0623a8",
            "parentcaller": "0x7ff65e062e19",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00002360"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x11fa0000"
              },
              {
                "name": "SectionOffset",
                "value": "0x00000000"
              },
              {
                "name": "ViewSize",
                "value": "0x00129000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 269
          },
          {
            "timestamp": "2026-05-28 22:01:57,483",
            "thread_id": "4668",
            "caller": "0x7ff65e0623a8",
            "parentcaller": "0x7ff65e062e19",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x11fa0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00129000"
              }
            ],
            "repeated": 0,
            "id": 270
          },
          {
            "timestamp": "2026-05-28 22:01:57,483",
            "thread_id": "4668",
            "caller": "0x7ff65e09a1eb",
            "parentcaller": "0x7ff65e0aef5d",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00002364"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100001",
                "pretty_value": "FILE_READ_ACCESS|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\Taskmgr.exe"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 271
          },
          {
            "timestamp": "2026-05-28 22:01:57,483",
            "thread_id": "4668",
            "caller": "0x7ff65e09a1eb",
            "parentcaller": "0x7ff65e0aef5d",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00002360"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x11fa0000"
              },
              {
                "name": "SectionOffset",
                "value": "0x00000000"
              },
              {
                "name": "ViewSize",
                "value": "0x00129000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 272
          },
          {
            "timestamp": "2026-05-28 22:01:57,483",
            "thread_id": "4668",
            "caller": "0x7ff65e09a1eb",
            "parentcaller": "0x7ff65e0aef5d",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x11fa0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00129000"
              }
            ],
            "repeated": 0,
            "id": 273
          },
          {
            "timestamp": "2026-05-28 22:01:57,483",
            "thread_id": "4668",
            "caller": "0x7ff65e0623a8",
            "parentcaller": "0x7ff65e062e19",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00002364"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100001",
                "pretty_value": "FILE_READ_ACCESS|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\Taskmgr.exe"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 274
          },
          {
            "timestamp": "2026-05-28 22:01:57,483",
            "thread_id": "4668",
            "caller": "0x7ff65e0623a8",
            "parentcaller": "0x7ff65e062e19",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00002360"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x11fa0000"
              },
              {
                "name": "SectionOffset",
                "value": "0x00000000"
              },
              {
                "name": "ViewSize",
                "value": "0x00129000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 275
          },
          {
            "timestamp": "2026-05-28 22:01:57,483",
            "thread_id": "4668",
            "caller": "0x7ff65e0623a8",
            "parentcaller": "0x7ff65e062e19",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x11fa0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00129000"
              }
            ],
            "repeated": 0,
            "id": 276
          },
          {
            "timestamp": "2026-05-28 22:01:57,483",
            "thread_id": "4668",
            "caller": "0x7ff65e09a1eb",
            "parentcaller": "0x7ff65e0aef5d",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00002364"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100001",
                "pretty_value": "FILE_READ_ACCESS|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\Taskmgr.exe"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 277
          },
          {
            "timestamp": "2026-05-28 22:01:57,483",
            "thread_id": "4668",
            "caller": "0x7ff65e09a1eb",
            "parentcaller": "0x7ff65e0aef5d",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00002360"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x11fa0000"
              },
              {
                "name": "SectionOffset",
                "value": "0x00000000"
              },
              {
                "name": "ViewSize",
                "value": "0x00129000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 278
          },
          {
            "timestamp": "2026-05-28 22:01:57,483",
            "thread_id": "4668",
            "caller": "0x7ff65e09a1eb",
            "parentcaller": "0x7ff65e0aef5d",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x11fa0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00129000"
              }
            ],
            "repeated": 0,
            "id": 279
          },
          {
            "timestamp": "2026-05-28 22:01:57,483",
            "thread_id": "4668",
            "caller": "0x7ff65e0623a8",
            "parentcaller": "0x7ff65e062e19",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00002364"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100001",
                "pretty_value": "FILE_READ_ACCESS|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\Taskmgr.exe"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 280
          },
          {
            "timestamp": "2026-05-28 22:01:57,483",
            "thread_id": "4668",
            "caller": "0x7ff65e0623a8",
            "parentcaller": "0x7ff65e062e19",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00002360"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x11fa0000"
              },
              {
                "name": "SectionOffset",
                "value": "0x00000000"
              },
              {
                "name": "ViewSize",
                "value": "0x00129000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 281
          },
          {
            "timestamp": "2026-05-28 22:01:57,483",
            "thread_id": "4668",
            "caller": "0x7ff65e0623a8",
            "parentcaller": "0x7ff65e062e19",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x11fa0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00129000"
              }
            ],
            "repeated": 0,
            "id": 282
          },
          {
            "timestamp": "2026-05-28 22:01:57,483",
            "thread_id": "4668",
            "caller": "0x7ff65e09a1eb",
            "parentcaller": "0x7ff65e0aef5d",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00002364"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100001",
                "pretty_value": "FILE_READ_ACCESS|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\Taskmgr.exe"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 283
          },
          {
            "timestamp": "2026-05-28 22:01:57,483",
            "thread_id": "4668",
            "caller": "0x7ff65e09a1eb",
            "parentcaller": "0x7ff65e0aef5d",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00002360"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x11fa0000"
              },
              {
                "name": "SectionOffset",
                "value": "0x00000000"
              },
              {
                "name": "ViewSize",
                "value": "0x00129000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 284
          },
          {
            "timestamp": "2026-05-28 22:01:57,483",
            "thread_id": "4668",
            "caller": "0x7ff65e09a1eb",
            "parentcaller": "0x7ff65e0aef5d",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x11fa0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00129000"
              }
            ],
            "repeated": 0,
            "id": 285
          },
          {
            "timestamp": "2026-05-28 22:01:57,499",
            "thread_id": "4668",
            "caller": "0x7ff65e0623a8",
            "parentcaller": "0x7ff65e062e19",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00002364"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100001",
                "pretty_value": "FILE_READ_ACCESS|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\Taskmgr.exe"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 286
          },
          {
            "timestamp": "2026-05-28 22:01:57,499",
            "thread_id": "4668",
            "caller": "0x7ff65e0623a8",
            "parentcaller": "0x7ff65e062e19",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00002360"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x11fa0000"
              },
              {
                "name": "SectionOffset",
                "value": "0x00000000"
              },
              {
                "name": "ViewSize",
                "value": "0x00129000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 287
          },
          {
            "timestamp": "2026-05-28 22:01:57,499",
            "thread_id": "4668",
            "caller": "0x7ff65e0623a8",
            "parentcaller": "0x7ff65e062e19",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x11fa0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00129000"
              }
            ],
            "repeated": 0,
            "id": 288
          },
          {
            "timestamp": "2026-05-28 22:01:57,499",
            "thread_id": "4668",
            "caller": "0x7ff65e09a1eb",
            "parentcaller": "0x7ff65e0aef5d",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000021d0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100001",
                "pretty_value": "FILE_READ_ACCESS|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\Taskmgr.exe"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 289
          },
          {
            "timestamp": "2026-05-28 22:01:57,499",
            "thread_id": "4668",
            "caller": "0x7ff65e09a1eb",
            "parentcaller": "0x7ff65e0aef5d",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00002368"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x11fa0000"
              },
              {
                "name": "SectionOffset",
                "value": "0x00000000"
              },
              {
                "name": "ViewSize",
                "value": "0x00129000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 290
          },
          {
            "timestamp": "2026-05-28 22:01:57,499",
            "thread_id": "4668",
            "caller": "0x7ff65e09a1eb",
            "parentcaller": "0x7ff65e0aef5d",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x11fa0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00129000"
              }
            ],
            "repeated": 0,
            "id": 291
          },
          {
            "timestamp": "2026-05-28 22:01:57,499",
            "thread_id": "4668",
            "caller": "0x7ff65e0623a8",
            "parentcaller": "0x7ff65e062e19",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00002364"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100001",
                "pretty_value": "FILE_READ_ACCESS|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\Taskmgr.exe"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 292
          },
          {
            "timestamp": "2026-05-28 22:01:57,499",
            "thread_id": "4668",
            "caller": "0x7ff65e0623a8",
            "parentcaller": "0x7ff65e062e19",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00002360"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x11fa0000"
              },
              {
                "name": "SectionOffset",
                "value": "0x00000000"
              },
              {
                "name": "ViewSize",
                "value": "0x00129000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 293
          },
          {
            "timestamp": "2026-05-28 22:01:57,499",
            "thread_id": "4668",
            "caller": "0x7ff65e0623a8",
            "parentcaller": "0x7ff65e062e19",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x11fa0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00129000"
              }
            ],
            "repeated": 0,
            "id": 294
          },
          {
            "timestamp": "2026-05-28 22:01:57,499",
            "thread_id": "4668",
            "caller": "0x7ff65e09a1eb",
            "parentcaller": "0x7ff65e0aef5d",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00002364"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100001",
                "pretty_value": "FILE_READ_ACCESS|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\Taskmgr.exe"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 295
          },
          {
            "timestamp": "2026-05-28 22:01:57,499",
            "thread_id": "4668",
            "caller": "0x7ff65e09a1eb",
            "parentcaller": "0x7ff65e0aef5d",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00002360"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x11fa0000"
              },
              {
                "name": "SectionOffset",
                "value": "0x00000000"
              },
              {
                "name": "ViewSize",
                "value": "0x00129000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 296
          },
          {
            "timestamp": "2026-05-28 22:01:57,499",
            "thread_id": "4668",
            "caller": "0x7ff65e09a1eb",
            "parentcaller": "0x7ff65e0aef5d",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x11fa0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00129000"
              }
            ],
            "repeated": 0,
            "id": 297
          },
          {
            "timestamp": "2026-05-28 22:01:57,499",
            "thread_id": "4668",
            "caller": "0x7ff65e0623a8",
            "parentcaller": "0x7ff65e062e19",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00002364"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100001",
                "pretty_value": "FILE_READ_ACCESS|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\Taskmgr.exe"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 298
          },
          {
            "timestamp": "2026-05-28 22:01:57,499",
            "thread_id": "4668",
            "caller": "0x7ff65e0623a8",
            "parentcaller": "0x7ff65e062e19",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00002360"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x11fa0000"
              },
              {
                "name": "SectionOffset",
                "value": "0x00000000"
              },
              {
                "name": "ViewSize",
                "value": "0x00129000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 299
          },
          {
            "timestamp": "2026-05-28 22:01:57,499",
            "thread_id": "4668",
            "caller": "0x7ff65e0623a8",
            "parentcaller": "0x7ff65e062e19",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x11fa0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00129000"
              }
            ],
            "repeated": 0,
            "id": 300
          },
          {
            "timestamp": "2026-05-28 22:01:57,499",
            "thread_id": "4668",
            "caller": "0x7ff65e09a1eb",
            "parentcaller": "0x7ff65e0aef5d",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00002364"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100001",
                "pretty_value": "FILE_READ_ACCESS|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\Taskmgr.exe"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 301
          },
          {
            "timestamp": "2026-05-28 22:01:57,499",
            "thread_id": "4668",
            "caller": "0x7ff65e09a1eb",
            "parentcaller": "0x7ff65e0aef5d",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00002360"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x11fa0000"
              },
              {
                "name": "SectionOffset",
                "value": "0x00000000"
              },
              {
                "name": "ViewSize",
                "value": "0x00129000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 302
          },
          {
            "timestamp": "2026-05-28 22:01:57,499",
            "thread_id": "4668",
            "caller": "0x7ff65e09a1eb",
            "parentcaller": "0x7ff65e0aef5d",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x11fa0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00129000"
              }
            ],
            "repeated": 0,
            "id": 303
          },
          {
            "timestamp": "2026-05-28 22:01:57,499",
            "thread_id": "4668",
            "caller": "0x7ff65e0623a8",
            "parentcaller": "0x7ff65e062e19",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00002364"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100001",
                "pretty_value": "FILE_READ_ACCESS|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\Taskmgr.exe"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 304
          },
          {
            "timestamp": "2026-05-28 22:01:57,499",
            "thread_id": "4668",
            "caller": "0x7ff65e0623a8",
            "parentcaller": "0x7ff65e062e19",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00002360"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x11fa0000"
              },
              {
                "name": "SectionOffset",
                "value": "0x00000000"
              },
              {
                "name": "ViewSize",
                "value": "0x00129000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 305
          },
          {
            "timestamp": "2026-05-28 22:01:57,499",
            "thread_id": "4668",
            "caller": "0x7ff65e0623a8",
            "parentcaller": "0x7ff65e062e19",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x11fa0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00129000"
              }
            ],
            "repeated": 0,
            "id": 306
          },
          {
            "timestamp": "2026-05-28 22:01:57,499",
            "thread_id": "4668",
            "caller": "0x7ff65e09a1eb",
            "parentcaller": "0x7ff65e0aef5d",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00002364"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100001",
                "pretty_value": "FILE_READ_ACCESS|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\Taskmgr.exe"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 307
          },
          {
            "timestamp": "2026-05-28 22:01:57,499",
            "thread_id": "4668",
            "caller": "0x7ff65e09a1eb",
            "parentcaller": "0x7ff65e0aef5d",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00002360"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x11fa0000"
              },
              {
                "name": "SectionOffset",
                "value": "0x00000000"
              },
              {
                "name": "ViewSize",
                "value": "0x00129000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 308
          },
          {
            "timestamp": "2026-05-28 22:01:57,499",
            "thread_id": "4668",
            "caller": "0x7ff65e09a1eb",
            "parentcaller": "0x7ff65e0aef5d",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x11fa0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00129000"
              }
            ],
            "repeated": 0,
            "id": 309
          },
          {
            "timestamp": "2026-05-28 22:01:57,514",
            "thread_id": "4668",
            "caller": "0x7ff65e0623a8",
            "parentcaller": "0x7ff65e062e19",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000021d0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100001",
                "pretty_value": "FILE_READ_ACCESS|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\Taskmgr.exe"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 310
          },
          {
            "timestamp": "2026-05-28 22:01:57,514",
            "thread_id": "4668",
            "caller": "0x7ff65e0623a8",
            "parentcaller": "0x7ff65e062e19",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00002368"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x11fa0000"
              },
              {
                "name": "SectionOffset",
                "value": "0x00000000"
              },
              {
                "name": "ViewSize",
                "value": "0x00129000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 311
          },
          {
            "timestamp": "2026-05-28 22:01:57,514",
            "thread_id": "4668",
            "caller": "0x7ff65e0623a8",
            "parentcaller": "0x7ff65e062e19",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x11fa0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00129000"
              }
            ],
            "repeated": 0,
            "id": 312
          },
          {
            "timestamp": "2026-05-28 22:01:57,514",
            "thread_id": "4668",
            "caller": "0x7ff65e09a1eb",
            "parentcaller": "0x7ff65e0aef5d",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00002364"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100001",
                "pretty_value": "FILE_READ_ACCESS|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\Taskmgr.exe"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 313
          },
          {
            "timestamp": "2026-05-28 22:01:57,514",
            "thread_id": "4668",
            "caller": "0x7ff65e09a1eb",
            "parentcaller": "0x7ff65e0aef5d",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00002360"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x11fa0000"
              },
              {
                "name": "SectionOffset",
                "value": "0x00000000"
              },
              {
                "name": "ViewSize",
                "value": "0x00129000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 314
          },
          {
            "timestamp": "2026-05-28 22:01:57,514",
            "thread_id": "4668",
            "caller": "0x7ff65e09a1eb",
            "parentcaller": "0x7ff65e0aef5d",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x11fa0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00129000"
              }
            ],
            "repeated": 0,
            "id": 315
          },
          {
            "timestamp": "2026-05-28 22:01:57,514",
            "thread_id": "4668",
            "caller": "0x7ff65e0623a8",
            "parentcaller": "0x7ff65e062e19",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000021d0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100001",
                "pretty_value": "FILE_READ_ACCESS|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\Taskmgr.exe"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 316
          },
          {
            "timestamp": "2026-05-28 22:01:57,514",
            "thread_id": "4668",
            "caller": "0x7ff65e0623a8",
            "parentcaller": "0x7ff65e062e19",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00002368"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x11fa0000"
              },
              {
                "name": "SectionOffset",
                "value": "0x00000000"
              },
              {
                "name": "ViewSize",
                "value": "0x00129000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 317
          },
          {
            "timestamp": "2026-05-28 22:01:57,514",
            "thread_id": "4668",
            "caller": "0x7ff65e0623a8",
            "parentcaller": "0x7ff65e062e19",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x11fa0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00129000"
              }
            ],
            "repeated": 0,
            "id": 318
          },
          {
            "timestamp": "2026-05-28 22:01:57,514",
            "thread_id": "4668",
            "caller": "0x7ff65e09a1eb",
            "parentcaller": "0x7ff65e0aef5d",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000021d0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100001",
                "pretty_value": "FILE_READ_ACCESS|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\Taskmgr.exe"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 319
          },
          {
            "timestamp": "2026-05-28 22:01:57,514",
            "thread_id": "4668",
            "caller": "0x7ff65e09a1eb",
            "parentcaller": "0x7ff65e0aef5d",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00002368"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x11fa0000"
              },
              {
                "name": "SectionOffset",
                "value": "0x00000000"
              },
              {
                "name": "ViewSize",
                "value": "0x00129000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 320
          },
          {
            "timestamp": "2026-05-28 22:01:57,514",
            "thread_id": "4668",
            "caller": "0x7ff65e09a1eb",
            "parentcaller": "0x7ff65e0aef5d",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x11fa0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00129000"
              }
            ],
            "repeated": 0,
            "id": 321
          },
          {
            "timestamp": "2026-05-28 22:01:57,514",
            "thread_id": "4668",
            "caller": "0x7ff65e0623a8",
            "parentcaller": "0x7ff65e062e19",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000021d0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100001",
                "pretty_value": "FILE_READ_ACCESS|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\Taskmgr.exe"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 322
          },
          {
            "timestamp": "2026-05-28 22:01:57,514",
            "thread_id": "4668",
            "caller": "0x7ff65e0623a8",
            "parentcaller": "0x7ff65e062e19",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00002368"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x11fa0000"
              },
              {
                "name": "SectionOffset",
                "value": "0x00000000"
              },
              {
                "name": "ViewSize",
                "value": "0x00129000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 323
          },
          {
            "timestamp": "2026-05-28 22:01:57,514",
            "thread_id": "4668",
            "caller": "0x7ff65e0623a8",
            "parentcaller": "0x7ff65e062e19",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x11fa0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00129000"
              }
            ],
            "repeated": 0,
            "id": 324
          },
          {
            "timestamp": "2026-05-28 22:01:57,514",
            "thread_id": "4668",
            "caller": "0x7ff65e07c21a",
            "parentcaller": "0x7ff65e062b6f",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "660B90C8-73A9-4B58-8CAE-355B7F55341B"
              },
              {
                "name": "ClsContext",
                "value": "0x00000003",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER"
              },
              {
                "name": "riid",
                "value": "21CBC515-2DDE-4D66-8292-BA34BD25094A"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 325
          },
          {
            "timestamp": "2026-05-28 22:01:57,514",
            "thread_id": "4668",
            "caller": "0x7ff65e07c285",
            "parentcaller": "0x7ff65e062b6f",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "shell32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76730000"
              }
            ],
            "repeated": 0,
            "id": 326
          },
          {
            "timestamp": "2026-05-28 22:01:57,514",
            "thread_id": "4668",
            "caller": "0x7ff65e07c285",
            "parentcaller": "0x7ff65e062b6f",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000021d0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100001",
                "pretty_value": "FILE_READ_ACCESS|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 327
          },
          {
            "timestamp": "2026-05-28 22:01:57,514",
            "thread_id": "4668",
            "caller": "0x7ff65e07c285",
            "parentcaller": "0x7ff65e062b6f",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000021d0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100001",
                "pretty_value": "FILE_READ_ACCESS|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 328
          },
          {
            "timestamp": "2026-05-28 22:01:57,514",
            "thread_id": "4668",
            "caller": "0x7ff65e07c285",
            "parentcaller": "0x7ff65e062b6f",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000021d0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100001",
                "pretty_value": "FILE_READ_ACCESS|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 329
          },
          {
            "timestamp": "2026-05-28 22:01:57,514",
            "thread_id": "4668",
            "caller": "0x7ff65e0a1e2d",
            "parentcaller": "0x7ff65e05c798",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\rsaenh.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc746b0000"
              }
            ],
            "repeated": 1,
            "id": 330
          },
          {
            "timestamp": "2026-05-28 22:01:57,514",
            "thread_id": "4668",
            "caller": "0x7ff65e05dd72",
            "parentcaller": "0x7ff65e05c5b7",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00002368"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100081",
                "pretty_value": "FILE_READ_ACCESS|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 331
          },
          {
            "timestamp": "2026-05-28 22:01:57,514",
            "thread_id": "4668",
            "caller": "0x7ff65e05dd72",
            "parentcaller": "0x7ff65e05c5b7",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00002368"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100081",
                "pretty_value": "FILE_READ_ACCESS|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 332
          },
          {
            "timestamp": "2026-05-28 22:01:57,514",
            "thread_id": "4668",
            "caller": "0x7ff65e05dd72",
            "parentcaller": "0x7ff65e05c5b7",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00002368"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100081",
                "pretty_value": "FILE_READ_ACCESS|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 333
          },
          {
            "timestamp": "2026-05-28 22:01:57,514",
            "thread_id": "4668",
            "caller": "0x7ff65e05ddb7",
            "parentcaller": "0x7ff65e05c5b7",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "00000323-0000-0000-C000-000000000046"
              },
              {
                "name": "ClsContext",
                "value": "0x00000001",
                "pretty_value": "CLSCTX_INPROC_SERVER"
              },
              {
                "name": "riid",
                "value": "00000146-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 334
          },
          {
            "timestamp": "2026-05-28 22:01:57,514",
            "thread_id": "4668",
            "caller": "0x7ff65e05ddb7",
            "parentcaller": "0x7ff65e05c5b7",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "shell32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76730000"
              }
            ],
            "repeated": 0,
            "id": 335
          },
          {
            "timestamp": "2026-05-28 22:01:57,514",
            "thread_id": "4668",
            "caller": "0x7ff65e05ddb7",
            "parentcaller": "0x7ff65e05c5b7",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000021d0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\Taskmgr.exe"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "1",
                "pretty_value": "FILE_SHARE_READ"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 336
          },
          {
            "timestamp": "2026-05-28 22:01:57,514",
            "thread_id": "4668",
            "caller": "0x7ff65e05ddb7",
            "parentcaller": "0x7ff65e05c5b7",
            "category": "system",
            "api": "NtDuplicateObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SourceProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "SourceHandle",
                "value": "0x000021d0"
              },
              {
                "name": "TargetProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "TargetHandle",
                "value": "0x00002368"
              },
              {
                "name": "Options",
                "value": "0x00000002"
              }
            ],
            "repeated": 0,
            "id": 337
          },
          {
            "timestamp": "2026-05-28 22:01:57,514",
            "thread_id": "4668",
            "caller": "0x7ff65e05ddb7",
            "parentcaller": "0x7ff65e05c5b7",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000021d0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\Taskmgr.exe"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 338
          },
          {
            "timestamp": "2026-05-28 22:01:57,514",
            "thread_id": "4668",
            "caller": "0x7ff65e05ddb7",
            "parentcaller": "0x7ff65e05c5b7",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x40000003",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x000021ac"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x11fa0000"
              },
              {
                "name": "SectionOffset",
                "value": "0x00000000"
              },
              {
                "name": "ViewSize",
                "value": "0x00130000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 339
          },
          {
            "timestamp": "2026-05-28 22:01:57,514",
            "thread_id": "4668",
            "caller": "0x7ff65e05ddb7",
            "parentcaller": "0x7ff65e05c5b7",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000021d0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100001",
                "pretty_value": "FILE_READ_ACCESS|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\en-US\\Taskmgr.exe.mui"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 340
          },
          {
            "timestamp": "2026-05-28 22:01:57,514",
            "thread_id": "4668",
            "caller": "0x7ff65e05ddb7",
            "parentcaller": "0x7ff65e05c5b7",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x000021ac"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x0a690000"
              },
              {
                "name": "SectionOffset",
                "value": "0x02a97eb0"
              },
              {
                "name": "ViewSize",
                "value": "0x0000f000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 341
          },
          {
            "timestamp": "2026-05-28 22:01:57,514",
            "thread_id": "4668",
            "caller": "0x7ff65e05ddb7",
            "parentcaller": "0x7ff65e05c5b7",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x0a690000"
              },
              {
                "name": "RegionSize",
                "value": "0x0000f000"
              }
            ],
            "repeated": 0,
            "id": 342
          },
          {
            "timestamp": "2026-05-28 22:01:57,514",
            "thread_id": "4668",
            "caller": "0x7ff65e05ddb7",
            "parentcaller": "0x7ff65e05c5b7",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x11fa0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00130000"
              }
            ],
            "repeated": 0,
            "id": 343
          },
          {
            "timestamp": "2026-05-28 22:01:57,514",
            "thread_id": "4668",
            "caller": "0x7ff65e05ddb7",
            "parentcaller": "0x7ff65e05c5b7",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000021d0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\Taskmgr.exe"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 344
          },
          {
            "timestamp": "2026-05-28 22:01:57,514",
            "thread_id": "4668",
            "caller": "0x7ff65e05ddb7",
            "parentcaller": "0x7ff65e05c5b7",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x40000003",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x000021ac"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x11fa0000"
              },
              {
                "name": "SectionOffset",
                "value": "0x00000000"
              },
              {
                "name": "ViewSize",
                "value": "0x00130000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 345
          },
          {
            "timestamp": "2026-05-28 22:01:57,514",
            "thread_id": "4668",
            "caller": "0x7ff65e05ddb7",
            "parentcaller": "0x7ff65e05c5b7",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000021d0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100001",
                "pretty_value": "FILE_READ_ACCESS|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\en-US\\Taskmgr.exe.mui"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 346
          },
          {
            "timestamp": "2026-05-28 22:01:57,514",
            "thread_id": "4668",
            "caller": "0x7ff65e05ddb7",
            "parentcaller": "0x7ff65e05c5b7",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x000021ac"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x0a690000"
              },
              {
                "name": "SectionOffset",
                "value": "0x02a97ea0"
              },
              {
                "name": "ViewSize",
                "value": "0x0000f000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 347
          },
          {
            "timestamp": "2026-05-28 22:01:57,514",
            "thread_id": "4668",
            "caller": "0x7ff65e05ddb7",
            "parentcaller": "0x7ff65e05c5b7",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x0a690000"
              },
              {
                "name": "RegionSize",
                "value": "0x0000f000"
              }
            ],
            "repeated": 0,
            "id": 348
          },
          {
            "timestamp": "2026-05-28 22:01:57,514",
            "thread_id": "4668",
            "caller": "0x7ff65e05ddb7",
            "parentcaller": "0x7ff65e05c5b7",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x11fa0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00130000"
              }
            ],
            "repeated": 0,
            "id": 349
          },
          {
            "timestamp": "2026-05-28 22:01:57,514",
            "thread_id": "4668",
            "caller": "0x7ff65e05ddb7",
            "parentcaller": "0x7ff65e05c5b7",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000021d0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\Taskmgr.exe"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 350
          },
          {
            "timestamp": "2026-05-28 22:01:57,514",
            "thread_id": "4668",
            "caller": "0x7ff65e05ddb7",
            "parentcaller": "0x7ff65e05c5b7",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x40000003",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x000021ac"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x11fa0000"
              },
              {
                "name": "SectionOffset",
                "value": "0x00000000"
              },
              {
                "name": "ViewSize",
                "value": "0x00130000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 351
          },
          {
            "timestamp": "2026-05-28 22:01:57,514",
            "thread_id": "4668",
            "caller": "0x7ff65e05ddb7",
            "parentcaller": "0x7ff65e05c5b7",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x11fa0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00130000"
              }
            ],
            "repeated": 0,
            "id": 352
          },
          {
            "timestamp": "2026-05-28 22:01:57,514",
            "thread_id": "4668",
            "caller": "0x7ff65e05ddb7",
            "parentcaller": "0x7ff65e05c5b7",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000021d0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\Taskmgr.exe"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 353
          },
          {
            "timestamp": "2026-05-28 22:01:57,514",
            "thread_id": "4668",
            "caller": "0x7ff65e05ddb7",
            "parentcaller": "0x7ff65e05c5b7",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x40000003",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x000021ac"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x11fa0000"
              },
              {
                "name": "SectionOffset",
                "value": "0x00000000"
              },
              {
                "name": "ViewSize",
                "value": "0x00130000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 354
          },
          {
            "timestamp": "2026-05-28 22:01:57,514",
            "thread_id": "4668",
            "caller": "0x7ff65e05ddb7",
            "parentcaller": "0x7ff65e05c5b7",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x11fa0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00130000"
              }
            ],
            "repeated": 0,
            "id": 355
          },
          {
            "timestamp": "2026-05-28 22:01:57,514",
            "thread_id": "4668",
            "caller": "0x7ff65e01afc1",
            "parentcaller": "0x7ff65e05de65",
            "category": "com",
            "api": "CoCreateInstanceEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "9AC9FBE1-E0A2-4AD6-B4EE-E212013EA917"
              },
              {
                "name": "ClsContext",
                "value": "0x00000403",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER|CLSCTX_NO_CODE_DOWNLOAD"
              },
              {
                "name": "ServerName",
                "value": ""
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 356
          },
          {
            "timestamp": "2026-05-28 22:01:57,530",
            "thread_id": "4668",
            "caller": "0x7ff65e07a06e",
            "parentcaller": "0x7ff65e066f8c",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "660B90C8-73A9-4B58-8CAE-355B7F55341B"
              },
              {
                "name": "ClsContext",
                "value": "0x00000003",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER"
              },
              {
                "name": "riid",
                "value": "DE25675A-72DE-44B4-9373-05170450C140"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 357
          },
          {
            "timestamp": "2026-05-28 22:01:57,530",
            "thread_id": "4668",
            "caller": "0x7ff65e07a0c1",
            "parentcaller": "0x7ff65e066f8c",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "shell32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76730000"
              }
            ],
            "repeated": 0,
            "id": 358
          },
          {
            "timestamp": "2026-05-28 22:01:57,561",
            "thread_id": "4668",
            "caller": "0x7ff65e089973",
            "parentcaller": "0x7ff65e0897dc",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "00000338-0000-0000-C000-000000000046"
              },
              {
                "name": "ClsContext",
                "value": "0x00000403",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER|CLSCTX_NO_CODE_DOWNLOAD"
              },
              {
                "name": "riid",
                "value": "00000003-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 359
          },
          {
            "timestamp": "2026-05-28 22:02:00,686",
            "thread_id": "4928",
            "caller": "0x7ffc77b9f303",
            "parentcaller": "0x7ffc77b9e7f3",
            "category": "com",
            "api": "CoCreateInstanceEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "9AC9FBE1-E0A2-4AD6-B4EE-E212013EA917"
              },
              {
                "name": "ClsContext",
                "value": "0x00000403",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER|CLSCTX_NO_CODE_DOWNLOAD"
              },
              {
                "name": "ServerName",
                "value": ""
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 3,
            "id": 360
          },
          {
            "timestamp": "2026-05-28 22:02:02,358",
            "thread_id": "4668",
            "caller": "0x7ff65e07b354",
            "parentcaller": "0x7ff65e07b12e",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "shell32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76730000"
              }
            ],
            "repeated": 0,
            "id": 361
          },
          {
            "timestamp": "2026-05-28 22:02:02,358",
            "thread_id": "2604",
            "caller": "0x7ff65e0799ca",
            "parentcaller": "0x7ff65e07a869",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "660B90C8-73A9-4B58-8CAE-355B7F55341B"
              },
              {
                "name": "ClsContext",
                "value": "0x00000003",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER"
              },
              {
                "name": "riid",
                "value": "DE25675A-72DE-44B4-9373-05170450C140"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 1,
            "id": 362
          },
          {
            "timestamp": "2026-05-28 22:02:02,358",
            "thread_id": "4668",
            "caller": "0x7ff65e07a0c1",
            "parentcaller": "0x7ff65e078f2b",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "shell32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76730000"
              }
            ],
            "repeated": 0,
            "id": 363
          },
          {
            "timestamp": "2026-05-28 22:02:02,358",
            "thread_id": "4884",
            "caller": "0x7ffc5e7ed59f",
            "parentcaller": "0x7ffc5e82c80c",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000be0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00120089",
                "pretty_value": "FILE_GENERIC_READ"
              },
              {
                "name": "FileName",
                "value": "\\Device\\Bam"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 364
          },
          {
            "timestamp": "2026-05-28 22:02:02,358",
            "thread_id": "5208",
            "caller": "0x7ff65e079d60",
            "parentcaller": "0x7ff65e079c74",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "shell32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76730000"
              }
            ],
            "repeated": 0,
            "id": 365
          },
          {
            "timestamp": "2026-05-28 22:02:02,358",
            "thread_id": "4884",
            "caller": "0x7ffc5e7ed59f",
            "parentcaller": "0x7ffc5e82c80c",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000c0c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00120089",
                "pretty_value": "FILE_GENERIC_READ"
              },
              {
                "name": "FileName",
                "value": "\\Device\\Bam"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 366
          },
          {
            "timestamp": "2026-05-28 22:02:02,358",
            "thread_id": "4668",
            "caller": "0x7ff65e07a06e",
            "parentcaller": "0x7ff65e066f8c",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "660B90C8-73A9-4B58-8CAE-355B7F55341B"
              },
              {
                "name": "ClsContext",
                "value": "0x00000003",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER"
              },
              {
                "name": "riid",
                "value": "DE25675A-72DE-44B4-9373-05170450C140"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 367
          },
          {
            "timestamp": "2026-05-28 22:02:02,358",
            "thread_id": "4668",
            "caller": "0x7ff65e07a0c1",
            "parentcaller": "0x7ff65e066f8c",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "shell32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76730000"
              }
            ],
            "repeated": 0,
            "id": 368
          },
          {
            "timestamp": "2026-05-28 22:02:02,358",
            "thread_id": "4668",
            "caller": "0x7ff65e07a06e",
            "parentcaller": "0x7ff65e066f8c",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "660B90C8-73A9-4B58-8CAE-355B7F55341B"
              },
              {
                "name": "ClsContext",
                "value": "0x00000003",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER"
              },
              {
                "name": "riid",
                "value": "DE25675A-72DE-44B4-9373-05170450C140"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 369
          },
          {
            "timestamp": "2026-05-28 22:02:02,358",
            "thread_id": "4668",
            "caller": "0x7ff65e07a0c1",
            "parentcaller": "0x7ff65e066f8c",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "shell32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76730000"
              }
            ],
            "repeated": 0,
            "id": 370
          },
          {
            "timestamp": "2026-05-28 22:02:02,358",
            "thread_id": "4884",
            "caller": "0x7ffc5e7ee842",
            "parentcaller": "0x7ffc5e7ed62c",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000c48"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00120089",
                "pretty_value": "FILE_GENERIC_READ"
              },
              {
                "name": "FileName",
                "value": "\\Device\\Bam"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 371
          },
          {
            "timestamp": "2026-05-28 22:02:02,389",
            "thread_id": "4668",
            "caller": "0x7ff65e07a06e",
            "parentcaller": "0x7ff65e066f8c",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "660B90C8-73A9-4B58-8CAE-355B7F55341B"
              },
              {
                "name": "ClsContext",
                "value": "0x00000003",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER"
              },
              {
                "name": "riid",
                "value": "DE25675A-72DE-44B4-9373-05170450C140"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 372
          },
          {
            "timestamp": "2026-05-28 22:02:02,389",
            "thread_id": "4668",
            "caller": "0x7ff65e07a0c1",
            "parentcaller": "0x7ff65e066f8c",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "shell32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76730000"
              }
            ],
            "repeated": 0,
            "id": 373
          },
          {
            "timestamp": "2026-05-28 22:02:02,405",
            "thread_id": "4668",
            "caller": "0x7ff65e07a06e",
            "parentcaller": "0x7ff65e066f8c",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "660B90C8-73A9-4B58-8CAE-355B7F55341B"
              },
              {
                "name": "ClsContext",
                "value": "0x00000003",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER"
              },
              {
                "name": "riid",
                "value": "DE25675A-72DE-44B4-9373-05170450C140"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 374
          },
          {
            "timestamp": "2026-05-28 22:02:02,405",
            "thread_id": "4668",
            "caller": "0x7ff65e07a0c1",
            "parentcaller": "0x7ff65e066f8c",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "shell32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76730000"
              }
            ],
            "repeated": 0,
            "id": 375
          },
          {
            "timestamp": "2026-05-28 22:02:02,405",
            "thread_id": "4668",
            "caller": "0x7ff65e07a06e",
            "parentcaller": "0x7ff65e066f8c",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "660B90C8-73A9-4B58-8CAE-355B7F55341B"
              },
              {
                "name": "ClsContext",
                "value": "0x00000003",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER"
              },
              {
                "name": "riid",
                "value": "DE25675A-72DE-44B4-9373-05170450C140"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 376
          },
          {
            "timestamp": "2026-05-28 22:02:02,405",
            "thread_id": "4668",
            "caller": "0x7ff65e07a0c1",
            "parentcaller": "0x7ff65e066f8c",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "shell32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76730000"
              }
            ],
            "repeated": 0,
            "id": 377
          },
          {
            "timestamp": "2026-05-28 22:02:02,421",
            "thread_id": "4668",
            "caller": "0x7ff65e07a06e",
            "parentcaller": "0x7ff65e066f8c",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "660B90C8-73A9-4B58-8CAE-355B7F55341B"
              },
              {
                "name": "ClsContext",
                "value": "0x00000003",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER"
              },
              {
                "name": "riid",
                "value": "DE25675A-72DE-44B4-9373-05170450C140"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 378
          },
          {
            "timestamp": "2026-05-28 22:02:02,421",
            "thread_id": "4668",
            "caller": "0x7ff65e07a0c1",
            "parentcaller": "0x7ff65e066f8c",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "shell32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76730000"
              }
            ],
            "repeated": 0,
            "id": 379
          },
          {
            "timestamp": "2026-05-28 22:02:02,421",
            "thread_id": "4812",
            "caller": "0x7ffc5e7ee842",
            "parentcaller": "0x7ffc780416e9",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000be0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00120089",
                "pretty_value": "FILE_GENERIC_READ"
              },
              {
                "name": "FileName",
                "value": "\\Device\\Bam"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 380
          },
          {
            "timestamp": "2026-05-28 22:02:02,421",
            "thread_id": "4636",
            "caller": "0x7ffc77be92b9",
            "parentcaller": "0x7ffc77c2224d",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "00000339-0000-0000-C000-000000000046"
              },
              {
                "name": "ClsContext",
                "value": "0x00000403",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER|CLSCTX_NO_CODE_DOWNLOAD"
              },
              {
                "name": "riid",
                "value": "00000003-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 381
          },
          {
            "timestamp": "2026-05-28 22:02:02,436",
            "thread_id": "4668",
            "caller": "0x7ff65e07a06e",
            "parentcaller": "0x7ff65e066f8c",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "660B90C8-73A9-4B58-8CAE-355B7F55341B"
              },
              {
                "name": "ClsContext",
                "value": "0x00000003",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER"
              },
              {
                "name": "riid",
                "value": "DE25675A-72DE-44B4-9373-05170450C140"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 382
          },
          {
            "timestamp": "2026-05-28 22:02:02,436",
            "thread_id": "4668",
            "caller": "0x7ff65e07a0c1",
            "parentcaller": "0x7ff65e066f8c",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "shell32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76730000"
              }
            ],
            "repeated": 0,
            "id": 383
          },
          {
            "timestamp": "2026-05-28 22:02:02,452",
            "thread_id": "4668",
            "caller": "0x7ff65e07a06e",
            "parentcaller": "0x7ff65e066f8c",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "660B90C8-73A9-4B58-8CAE-355B7F55341B"
              },
              {
                "name": "ClsContext",
                "value": "0x00000003",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER"
              },
              {
                "name": "riid",
                "value": "DE25675A-72DE-44B4-9373-05170450C140"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 384
          },
          {
            "timestamp": "2026-05-28 22:02:02,452",
            "thread_id": "4668",
            "caller": "0x7ff65e07a0c1",
            "parentcaller": "0x7ff65e066f8c",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "shell32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76730000"
              }
            ],
            "repeated": 0,
            "id": 385
          },
          {
            "timestamp": "2026-05-28 22:02:02,452",
            "thread_id": "4636",
            "caller": "0x7ffc77be92b9",
            "parentcaller": "0x7ffc77c2224d",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "00000339-0000-0000-C000-000000000046"
              },
              {
                "name": "ClsContext",
                "value": "0x00000403",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER|CLSCTX_NO_CODE_DOWNLOAD"
              },
              {
                "name": "riid",
                "value": "00000003-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 1,
            "id": 386
          },
          {
            "timestamp": "2026-05-28 22:02:02,468",
            "thread_id": "4668",
            "caller": "0x7ff65e07a06e",
            "parentcaller": "0x7ff65e066f8c",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "660B90C8-73A9-4B58-8CAE-355B7F55341B"
              },
              {
                "name": "ClsContext",
                "value": "0x00000003",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER"
              },
              {
                "name": "riid",
                "value": "DE25675A-72DE-44B4-9373-05170450C140"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 387
          },
          {
            "timestamp": "2026-05-28 22:02:02,468",
            "thread_id": "4668",
            "caller": "0x7ff65e07a0c1",
            "parentcaller": "0x7ff65e066f8c",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "shell32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76730000"
              }
            ],
            "repeated": 0,
            "id": 388
          },
          {
            "timestamp": "2026-05-28 22:02:02,483",
            "thread_id": "4668",
            "caller": "0x7ff65e07a06e",
            "parentcaller": "0x7ff65e066f8c",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "660B90C8-73A9-4B58-8CAE-355B7F55341B"
              },
              {
                "name": "ClsContext",
                "value": "0x00000003",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER"
              },
              {
                "name": "riid",
                "value": "DE25675A-72DE-44B4-9373-05170450C140"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 389
          },
          {
            "timestamp": "2026-05-28 22:02:02,483",
            "thread_id": "4668",
            "caller": "0x7ff65e07a0c1",
            "parentcaller": "0x7ff65e066f8c",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "shell32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76730000"
              }
            ],
            "repeated": 0,
            "id": 390
          },
          {
            "timestamp": "2026-05-28 22:02:02,499",
            "thread_id": "4668",
            "caller": "0x7ff65e07a06e",
            "parentcaller": "0x7ff65e066f8c",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "660B90C8-73A9-4B58-8CAE-355B7F55341B"
              },
              {
                "name": "ClsContext",
                "value": "0x00000003",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER"
              },
              {
                "name": "riid",
                "value": "DE25675A-72DE-44B4-9373-05170450C140"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 391
          },
          {
            "timestamp": "2026-05-28 22:02:02,499",
            "thread_id": "4668",
            "caller": "0x7ff65e07a0c1",
            "parentcaller": "0x7ff65e066f8c",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "shell32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76730000"
              }
            ],
            "repeated": 0,
            "id": 392
          },
          {
            "timestamp": "2026-05-28 22:02:02,514",
            "thread_id": "4668",
            "caller": "0x7ff65e07a06e",
            "parentcaller": "0x7ff65e066f8c",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "660B90C8-73A9-4B58-8CAE-355B7F55341B"
              },
              {
                "name": "ClsContext",
                "value": "0x00000003",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER"
              },
              {
                "name": "riid",
                "value": "DE25675A-72DE-44B4-9373-05170450C140"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 393
          },
          {
            "timestamp": "2026-05-28 22:02:02,514",
            "thread_id": "4668",
            "caller": "0x7ff65e07a0c1",
            "parentcaller": "0x7ff65e066f8c",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "shell32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76730000"
              }
            ],
            "repeated": 0,
            "id": 394
          },
          {
            "timestamp": "2026-05-28 22:02:02,530",
            "thread_id": "4668",
            "caller": "0x7ff65e07a06e",
            "parentcaller": "0x7ff65e066f8c",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "660B90C8-73A9-4B58-8CAE-355B7F55341B"
              },
              {
                "name": "ClsContext",
                "value": "0x00000003",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER"
              },
              {
                "name": "riid",
                "value": "DE25675A-72DE-44B4-9373-05170450C140"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 395
          },
          {
            "timestamp": "2026-05-28 22:02:02,530",
            "thread_id": "4668",
            "caller": "0x7ff65e07a0c1",
            "parentcaller": "0x7ff65e066f8c",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "shell32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76730000"
              }
            ],
            "repeated": 0,
            "id": 396
          },
          {
            "timestamp": "2026-05-28 22:02:02,546",
            "thread_id": "4668",
            "caller": "0x7ff65e07a06e",
            "parentcaller": "0x7ff65e066f8c",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "660B90C8-73A9-4B58-8CAE-355B7F55341B"
              },
              {
                "name": "ClsContext",
                "value": "0x00000003",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER"
              },
              {
                "name": "riid",
                "value": "DE25675A-72DE-44B4-9373-05170450C140"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 397
          },
          {
            "timestamp": "2026-05-28 22:02:02,546",
            "thread_id": "4668",
            "caller": "0x7ff65e07a0c1",
            "parentcaller": "0x7ff65e066f8c",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "shell32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76730000"
              }
            ],
            "repeated": 0,
            "id": 398
          },
          {
            "timestamp": "2026-05-28 22:02:02,546",
            "thread_id": "5208",
            "caller": "0x7ff65e079d10",
            "parentcaller": "0x7ff65e079c74",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "660B90C8-73A9-4B58-8CAE-355B7F55341B"
              },
              {
                "name": "ClsContext",
                "value": "0x00000003",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER"
              },
              {
                "name": "riid",
                "value": "DE25675A-72DE-44B4-9373-05170450C140"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 399
          },
          {
            "timestamp": "2026-05-28 22:02:02,546",
            "thread_id": "5208",
            "caller": "0x7ff65e079d60",
            "parentcaller": "0x7ff65e079c74",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "shell32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76730000"
              }
            ],
            "repeated": 0,
            "id": 400
          },
          {
            "timestamp": "2026-05-28 22:02:02,546",
            "thread_id": "5208",
            "caller": "0x7ff65e079d60",
            "parentcaller": "0x7ff65e079c74",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000d24"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100001",
                "pretty_value": "FILE_READ_ACCESS|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 401
          },
          {
            "timestamp": "2026-05-28 22:02:02,546",
            "thread_id": "5208",
            "caller": "0x7ff65e079d60",
            "parentcaller": "0x7ff65e079c74",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000d24"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100001",
                "pretty_value": "FILE_READ_ACCESS|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 402
          },
          {
            "timestamp": "2026-05-28 22:02:02,546",
            "thread_id": "5208",
            "caller": "0x7ff65e079d60",
            "parentcaller": "0x7ff65e079c74",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000d24"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100001",
                "pretty_value": "FILE_READ_ACCESS|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 403
          },
          {
            "timestamp": "2026-05-28 22:02:02,546",
            "thread_id": "5020",
            "caller": "0x7ffc756dfcb5",
            "parentcaller": "0x7ffc75725984",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000d24"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100001",
                "pretty_value": "FILE_READ_ACCESS|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 404
          },
          {
            "timestamp": "2026-05-28 22:02:02,546",
            "thread_id": "5020",
            "caller": "0x7ffc756dfcb5",
            "parentcaller": "0x7ffc75725984",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000d24"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100001",
                "pretty_value": "FILE_READ_ACCESS|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 405
          },
          {
            "timestamp": "2026-05-28 22:02:02,546",
            "thread_id": "5020",
            "caller": "0x7ffc756dfcb5",
            "parentcaller": "0x7ffc75725984",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000d24"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100001",
                "pretty_value": "FILE_READ_ACCESS|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 406
          },
          {
            "timestamp": "2026-05-28 22:02:02,561",
            "thread_id": "4884",
            "caller": "0x7ffc5e7ed59f",
            "parentcaller": "0x7ffc5e82c80c",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000be0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00120089",
                "pretty_value": "FILE_GENERIC_READ"
              },
              {
                "name": "FileName",
                "value": "\\Device\\Bam"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 407
          },
          {
            "timestamp": "2026-05-28 22:02:02,561",
            "thread_id": "4884",
            "caller": "0x7ffc5e7ee842",
            "parentcaller": "0x7ffc5e7ed62c",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000c50"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00120089",
                "pretty_value": "FILE_GENERIC_READ"
              },
              {
                "name": "FileName",
                "value": "\\Device\\Bam"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 408
          },
          {
            "timestamp": "2026-05-28 22:02:02,561",
            "thread_id": "3452",
            "caller": "0x7ffc77be92b9",
            "parentcaller": "0x7ffc77c21dfa",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "00000344-0000-0000-C000-000000000046"
              },
              {
                "name": "ClsContext",
                "value": "0x00000403",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER|CLSCTX_NO_CODE_DOWNLOAD"
              },
              {
                "name": "riid",
                "value": "00000003-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 1,
            "id": 409
          },
          {
            "timestamp": "2026-05-28 22:02:02,561",
            "thread_id": "4804",
            "caller": "0x7ffc5d634428",
            "parentcaller": "0x7ffc5d633a03",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "F0AE1542-F497-484B-A175-A20DB09144BA"
              },
              {
                "name": "ClsContext",
                "value": "0x00000001",
                "pretty_value": "CLSCTX_INPROC_SERVER"
              },
              {
                "name": "riid",
                "value": "8DC24A1A-6314-4769-9D68-179786F4CED6"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 410
          },
          {
            "timestamp": "2026-05-28 22:02:02,561",
            "thread_id": "3452",
            "caller": "0x7ffc756e9dd2",
            "parentcaller": "0x7ffc73849e99",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": false,
            "return": "0xffffffffc0000035",
            "pretty_return": "OBJECT_NAME_COLLISION",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x4574f454d"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100001",
                "pretty_value": "FILE_READ_ACCESS|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Users\\admin\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\AutomaticDestinations"
              },
              {
                "name": "CreateDisposition",
                "value": "2",
                "pretty_value": "FILE_CREATE"
              },
              {
                "name": "ShareAccess",
                "value": "3",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000080",
                "pretty_value": "FILE_ATTRIBUTE_NORMAL"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 411
          },
          {
            "timestamp": "2026-05-28 22:02:02,561",
            "thread_id": "4804",
            "caller": "0x7ffc756e56b2",
            "parentcaller": "0x7ffc738a58d4",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "shell32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76730000"
              }
            ],
            "repeated": 0,
            "id": 412
          },
          {
            "timestamp": "2026-05-28 22:02:02,561",
            "thread_id": "4804",
            "caller": "0x7ffc738a5882",
            "parentcaller": "0x7ffc738a8f55",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "4234D49B-0245-4DF3-B780-3893943456E1"
              },
              {
                "name": "ClsContext",
                "value": "0x00000401",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_NO_CODE_DOWNLOAD"
              },
              {
                "name": "riid",
                "value": "000214E6-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 413
          },
          {
            "timestamp": "2026-05-28 22:02:02,561",
            "thread_id": "4804",
            "caller": "0x7ffc610f58e1",
            "parentcaller": "0x7ffc610f5ef1",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "660B90C8-73A9-4B58-8CAE-355B7F55341B"
              },
              {
                "name": "ClsContext",
                "value": "0x00000003",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER"
              },
              {
                "name": "riid",
                "value": "02C5CCF3-805F-4654-A7B7-340A74335365"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 414
          },
          {
            "timestamp": "2026-05-28 22:02:02,577",
            "thread_id": "4668",
            "caller": "0x7ff65e07a06e",
            "parentcaller": "0x7ff65e066f8c",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "660B90C8-73A9-4B58-8CAE-355B7F55341B"
              },
              {
                "name": "ClsContext",
                "value": "0x00000003",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER"
              },
              {
                "name": "riid",
                "value": "DE25675A-72DE-44B4-9373-05170450C140"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 415
          },
          {
            "timestamp": "2026-05-28 22:02:02,577",
            "thread_id": "4668",
            "caller": "0x7ff65e07a0c1",
            "parentcaller": "0x7ff65e066f8c",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "shell32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76730000"
              }
            ],
            "repeated": 0,
            "id": 416
          },
          {
            "timestamp": "2026-05-28 22:02:02,593",
            "thread_id": "4668",
            "caller": "0x7ff65e07a06e",
            "parentcaller": "0x7ff65e066f8c",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "660B90C8-73A9-4B58-8CAE-355B7F55341B"
              },
              {
                "name": "ClsContext",
                "value": "0x00000003",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER"
              },
              {
                "name": "riid",
                "value": "DE25675A-72DE-44B4-9373-05170450C140"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 417
          },
          {
            "timestamp": "2026-05-28 22:02:02,593",
            "thread_id": "4668",
            "caller": "0x7ff65e07a0c1",
            "parentcaller": "0x7ff65e066f8c",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "shell32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76730000"
              }
            ],
            "repeated": 0,
            "id": 418
          },
          {
            "timestamp": "2026-05-28 22:02:02,608",
            "thread_id": "4668",
            "caller": "0x7ff65e07a06e",
            "parentcaller": "0x7ff65e066f8c",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "660B90C8-73A9-4B58-8CAE-355B7F55341B"
              },
              {
                "name": "ClsContext",
                "value": "0x00000003",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER"
              },
              {
                "name": "riid",
                "value": "DE25675A-72DE-44B4-9373-05170450C140"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 419
          },
          {
            "timestamp": "2026-05-28 22:02:02,608",
            "thread_id": "4668",
            "caller": "0x7ff65e07a0c1",
            "parentcaller": "0x7ff65e066f8c",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "shell32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76730000"
              }
            ],
            "repeated": 0,
            "id": 420
          },
          {
            "timestamp": "2026-05-28 22:02:02,639",
            "thread_id": "4668",
            "caller": "0x7ff65e07a06e",
            "parentcaller": "0x7ff65e066f8c",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "660B90C8-73A9-4B58-8CAE-355B7F55341B"
              },
              {
                "name": "ClsContext",
                "value": "0x00000003",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER"
              },
              {
                "name": "riid",
                "value": "DE25675A-72DE-44B4-9373-05170450C140"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 421
          },
          {
            "timestamp": "2026-05-28 22:02:02,639",
            "thread_id": "4668",
            "caller": "0x7ff65e07a0c1",
            "parentcaller": "0x7ff65e066f8c",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "shell32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76730000"
              }
            ],
            "repeated": 0,
            "id": 422
          },
          {
            "timestamp": "2026-05-28 22:02:02,671",
            "thread_id": "4668",
            "caller": "0x7ff65e07a06e",
            "parentcaller": "0x7ff65e066f8c",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "660B90C8-73A9-4B58-8CAE-355B7F55341B"
              },
              {
                "name": "ClsContext",
                "value": "0x00000003",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER"
              },
              {
                "name": "riid",
                "value": "DE25675A-72DE-44B4-9373-05170450C140"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 423
          },
          {
            "timestamp": "2026-05-28 22:02:02,671",
            "thread_id": "4668",
            "caller": "0x7ff65e07a0c1",
            "parentcaller": "0x7ff65e066f8c",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "shell32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76730000"
              }
            ],
            "repeated": 1,
            "id": 424
          },
          {
            "timestamp": "2026-05-28 22:02:02,718",
            "thread_id": "4884",
            "caller": "0x7ffc5e7ed59f",
            "parentcaller": "0x7ffc5e82c80c",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000c48"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00120089",
                "pretty_value": "FILE_GENERIC_READ"
              },
              {
                "name": "FileName",
                "value": "\\Device\\Bam"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 425
          },
          {
            "timestamp": "2026-05-28 22:02:02,733",
            "thread_id": "4804",
            "caller": "0x7ff65e03ca89",
            "parentcaller": "0x7ff65e03c93f",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000c0c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\apppatch\\sysmain.sdb"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000080",
                "pretty_value": "FILE_ATTRIBUTE_NORMAL"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 426
          },
          {
            "timestamp": "2026-05-28 22:02:02,733",
            "thread_id": "4804",
            "caller": "0x7ff65e03c67f",
            "parentcaller": "0x7ff65e03c407",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000d90"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7df47a840000"
              },
              {
                "name": "SectionOffset",
                "value": "0x00000000"
              },
              {
                "name": "ViewSize",
                "value": "0x003e3000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 427
          },
          {
            "timestamp": "2026-05-28 22:02:02,733",
            "thread_id": "4804",
            "caller": "0x7ff65e03a878",
            "parentcaller": "0x7ff65e03a7ba",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7df47a840000"
              },
              {
                "name": "RegionSize",
                "value": "0x003e3000"
              }
            ],
            "repeated": 0,
            "id": 428
          },
          {
            "timestamp": "2026-05-28 22:02:02,733",
            "thread_id": "2604",
            "caller": "0x7ff65e0799ca",
            "parentcaller": "0x7ff65e07a869",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "660B90C8-73A9-4B58-8CAE-355B7F55341B"
              },
              {
                "name": "ClsContext",
                "value": "0x00000003",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER"
              },
              {
                "name": "riid",
                "value": "DE25675A-72DE-44B4-9373-05170450C140"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 429
          },
          {
            "timestamp": "2026-05-28 22:02:02,733",
            "thread_id": "2604",
            "caller": "0x7ff65e07bdd2",
            "parentcaller": "0x7ff65e07a52a",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000d90"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100001",
                "pretty_value": "FILE_READ_ACCESS|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Program Files (x86)\\Microsoft\\"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 430
          },
          {
            "timestamp": "2026-05-28 22:02:02,733",
            "thread_id": "2604",
            "caller": "0x7ff65e07bdd2",
            "parentcaller": "0x7ff65e07a52a",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000d90"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100001",
                "pretty_value": "FILE_READ_ACCESS|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 431
          },
          {
            "timestamp": "2026-05-28 22:02:02,733",
            "thread_id": "2604",
            "caller": "0x7ff65e07a552",
            "parentcaller": "0x7ff65e079a4f",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "shell32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76730000"
              }
            ],
            "repeated": 0,
            "id": 432
          },
          {
            "timestamp": "2026-05-28 22:02:02,733",
            "thread_id": "4668",
            "caller": "0x7ff65e07a06e",
            "parentcaller": "0x7ff65e078f2b",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "660B90C8-73A9-4B58-8CAE-355B7F55341B"
              },
              {
                "name": "ClsContext",
                "value": "0x00000003",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER"
              },
              {
                "name": "riid",
                "value": "DE25675A-72DE-44B4-9373-05170450C140"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 433
          },
          {
            "timestamp": "2026-05-28 22:02:02,733",
            "thread_id": "4668",
            "caller": "0x7ff65e07a0c1",
            "parentcaller": "0x7ff65e078f2b",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "shell32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76730000"
              }
            ],
            "repeated": 0,
            "id": 434
          },
          {
            "timestamp": "2026-05-28 22:02:02,733",
            "thread_id": "4668",
            "caller": "0x7ff65e07a06e",
            "parentcaller": "0x7ff65e066f8c",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "660B90C8-73A9-4B58-8CAE-355B7F55341B"
              },
              {
                "name": "ClsContext",
                "value": "0x00000003",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER"
              },
              {
                "name": "riid",
                "value": "DE25675A-72DE-44B4-9373-05170450C140"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 435
          },
          {
            "timestamp": "2026-05-28 22:02:02,733",
            "thread_id": "4668",
            "caller": "0x7ff65e07a0c1",
            "parentcaller": "0x7ff65e066f8c",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "shell32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76730000"
              }
            ],
            "repeated": 0,
            "id": 436
          },
          {
            "timestamp": "2026-05-28 22:02:02,733",
            "thread_id": "4668",
            "caller": "0x7ff65e07a06e",
            "parentcaller": "0x7ff65e066f8c",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "660B90C8-73A9-4B58-8CAE-355B7F55341B"
              },
              {
                "name": "ClsContext",
                "value": "0x00000003",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER"
              },
              {
                "name": "riid",
                "value": "DE25675A-72DE-44B4-9373-05170450C140"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 437
          },
          {
            "timestamp": "2026-05-28 22:02:02,733",
            "thread_id": "4668",
            "caller": "0x7ff65e07a0c1",
            "parentcaller": "0x7ff65e066f8c",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "shell32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76730000"
              }
            ],
            "repeated": 0,
            "id": 438
          },
          {
            "timestamp": "2026-05-28 22:02:02,749",
            "thread_id": "4644",
            "caller": "0x7ffc756e6579",
            "parentcaller": "0x7ffc756e5fe6",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000c50"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Microsoft Edge.lnk"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 439
          },
          {
            "timestamp": "2026-05-28 22:02:02,749",
            "thread_id": "4644",
            "caller": "0x7ffc7571c386",
            "parentcaller": "0x7ffc7571c25e",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000d28"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x087a0000"
              },
              {
                "name": "SectionOffset",
                "value": "0x027fd5b0"
              },
              {
                "name": "ViewSize",
                "value": "0x00001000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 440
          },
          {
            "timestamp": "2026-05-28 22:02:02,749",
            "thread_id": "4884",
            "caller": "0x7ffc77be92b9",
            "parentcaller": "0x7ffc77c2224d",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "00000338-0000-0000-C000-000000000046"
              },
              {
                "name": "ClsContext",
                "value": "0x00000403",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER|CLSCTX_NO_CODE_DOWNLOAD"
              },
              {
                "name": "riid",
                "value": "00000003-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 2,
            "id": 441
          },
          {
            "timestamp": "2026-05-28 22:02:06,624",
            "thread_id": "4812",
            "caller": "0x7ffc77be92b9",
            "parentcaller": "0x7ffc77c2224d",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "00000339-0000-0000-C000-000000000046"
              },
              {
                "name": "ClsContext",
                "value": "0x00000403",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER|CLSCTX_NO_CODE_DOWNLOAD"
              },
              {
                "name": "riid",
                "value": "00000003-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 442
          },
          {
            "timestamp": "2026-05-28 22:02:06,624",
            "thread_id": "4812",
            "caller": "0x7ffc5d4d8258",
            "parentcaller": "0x7ffc5d4d88d7",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "C2F03A33-21F5-47FA-B4BB-156362A2F239"
              },
              {
                "name": "ClsContext",
                "value": "0x00000004",
                "pretty_value": "CLSCTX_LOCAL_SERVER"
              },
              {
                "name": "riid",
                "value": "6D5140C1-7436-11CE-8034-00AA006009FA"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 443
          },
          {
            "timestamp": "2026-05-28 22:02:06,624",
            "thread_id": "4812",
            "caller": "0x7ffc7571c386",
            "parentcaller": "0x7ffc7571c25e",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000d24"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08790000"
              },
              {
                "name": "SectionOffset",
                "value": "0x077ff2c0"
              },
              {
                "name": "ViewSize",
                "value": "0x00001000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 444
          },
          {
            "timestamp": "2026-05-28 22:02:06,624",
            "thread_id": "4884",
            "caller": "0x7ffc5e7ed59f",
            "parentcaller": "0x7ffc5e82c80c",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000d50"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00120089",
                "pretty_value": "FILE_GENERIC_READ"
              },
              {
                "name": "FileName",
                "value": "\\Device\\Bam"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 445
          },
          {
            "timestamp": "2026-05-28 22:02:06,624",
            "thread_id": "4812",
            "caller": "0x7ffc7571c386",
            "parentcaller": "0x7ffc7571c232",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000d50"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08790000"
              },
              {
                "name": "SectionOffset",
                "value": "0x077ff060"
              },
              {
                "name": "ViewSize",
                "value": "0x00010000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 446
          },
          {
            "timestamp": "2026-05-28 22:02:06,624",
            "thread_id": "4844",
            "caller": "0x7ffc7571c386",
            "parentcaller": "0x7ffc7571c25e",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000c50"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08790000"
              },
              {
                "name": "SectionOffset",
                "value": "0x074ed3d0"
              },
              {
                "name": "ViewSize",
                "value": "0x00001000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 447
          },
          {
            "timestamp": "2026-05-28 22:02:06,624",
            "thread_id": "4844",
            "caller": "0x7ffc77be92b9",
            "parentcaller": "0x7ffc77bb8db3",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "41FD88F7-F295-4D39-91AC-A85F3149A05B"
              },
              {
                "name": "ClsContext",
                "value": "0x00000403",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER|CLSCTX_NO_CODE_DOWNLOAD"
              },
              {
                "name": "riid",
                "value": "00000003-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 448
          },
          {
            "timestamp": "2026-05-28 22:02:06,639",
            "thread_id": "4928",
            "caller": "0x7ffc75716f4c",
            "parentcaller": "0x7ffc77b96d2f",
            "category": "system",
            "api": "NtDuplicateObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SourceProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "SourceHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "TargetProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "TargetHandle",
                "value": "0x00000c50"
              },
              {
                "name": "Options",
                "value": "0x00000002"
              }
            ],
            "repeated": 0,
            "id": 449
          },
          {
            "timestamp": "2026-05-28 22:02:06,639",
            "thread_id": "4844",
            "caller": "0x7ffc77be92b9",
            "parentcaller": "0x7ffc77c2224d",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "00000338-0000-0000-C000-000000000046"
              },
              {
                "name": "ClsContext",
                "value": "0x00000403",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER|CLSCTX_NO_CODE_DOWNLOAD"
              },
              {
                "name": "riid",
                "value": "00000003-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 450
          },
          {
            "timestamp": "2026-05-28 22:02:07,468",
            "thread_id": "4844",
            "caller": "0x7ffc5e7ee842",
            "parentcaller": "0x7ffc780416e9",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00002038"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00120089",
                "pretty_value": "FILE_GENERIC_READ"
              },
              {
                "name": "FileName",
                "value": "\\Device\\Bam"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 451
          },
          {
            "timestamp": "2026-05-28 22:02:08,483",
            "thread_id": "4844",
            "caller": "0x7ffc77be92b9",
            "parentcaller": "0x7ffc77c2224d",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "00000338-0000-0000-C000-000000000046"
              },
              {
                "name": "ClsContext",
                "value": "0x00000403",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER|CLSCTX_NO_CODE_DOWNLOAD"
              },
              {
                "name": "riid",
                "value": "00000003-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 452
          },
          {
            "timestamp": "2026-05-28 22:02:08,483",
            "thread_id": "3452",
            "caller": "0x7ffc77be92b9",
            "parentcaller": "0x7ffc77c21dfa",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "00000344-0000-0000-C000-000000000046"
              },
              {
                "name": "ClsContext",
                "value": "0x00000403",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER|CLSCTX_NO_CODE_DOWNLOAD"
              },
              {
                "name": "riid",
                "value": "00000003-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 1,
            "id": 453
          },
          {
            "timestamp": "2026-05-28 22:02:08,483",
            "thread_id": "4636",
            "caller": "0x7ffc5d634428",
            "parentcaller": "0x7ffc5d633a03",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "F0AE1542-F497-484B-A175-A20DB09144BA"
              },
              {
                "name": "ClsContext",
                "value": "0x00000001",
                "pretty_value": "CLSCTX_INPROC_SERVER"
              },
              {
                "name": "riid",
                "value": "8DC24A1A-6314-4769-9D68-179786F4CED6"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 454
          },
          {
            "timestamp": "2026-05-28 22:02:08,483",
            "thread_id": "3452",
            "caller": "0x7ffc756e9dd2",
            "parentcaller": "0x7ffc73849e99",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": false,
            "return": "0xffffffffc0000035",
            "pretty_return": "OBJECT_NAME_COLLISION",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x4574f454d"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100001",
                "pretty_value": "FILE_READ_ACCESS|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Users\\admin\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\AutomaticDestinations"
              },
              {
                "name": "CreateDisposition",
                "value": "2",
                "pretty_value": "FILE_CREATE"
              },
              {
                "name": "ShareAccess",
                "value": "3",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000080",
                "pretty_value": "FILE_ATTRIBUTE_NORMAL"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 455
          },
          {
            "timestamp": "2026-05-28 22:02:08,483",
            "thread_id": "4684",
            "caller": "0x7ffc75716f4c",
            "parentcaller": "0x7ffc775bf034",
            "category": "system",
            "api": "NtDuplicateObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SourceProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "SourceHandle",
                "value": "0x00000bf8"
              },
              {
                "name": "TargetProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "TargetHandle",
                "value": "0x00000c4c"
              },
              {
                "name": "Options",
                "value": "0x00000002"
              }
            ],
            "repeated": 0,
            "id": 456
          },
          {
            "timestamp": "2026-05-28 22:02:08,483",
            "thread_id": "4684",
            "caller": "0x7ffc7571c386",
            "parentcaller": "0x7ffc7571c25e",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000c4c"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08790000"
              },
              {
                "name": "SectionOffset",
                "value": "0x06a9f4b0"
              },
              {
                "name": "ViewSize",
                "value": "0x00001000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 1,
            "id": 457
          },
          {
            "timestamp": "2026-05-28 22:02:08,483",
            "thread_id": "4684",
            "caller": "0x7ffc75716f4c",
            "parentcaller": "0x7ffc775bf034",
            "category": "system",
            "api": "NtDuplicateObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SourceProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "SourceHandle",
                "value": "0x00000bf8"
              },
              {
                "name": "TargetProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "TargetHandle",
                "value": "0x00000bf8"
              },
              {
                "name": "Options",
                "value": "0x00000003"
              }
            ],
            "repeated": 0,
            "id": 458
          },
          {
            "timestamp": "2026-05-28 22:02:10,202",
            "thread_id": "4932",
            "caller": "0x7ffc75716f4c",
            "parentcaller": "0x7ffc77b96d2f",
            "category": "system",
            "api": "NtDuplicateObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SourceProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "SourceHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "TargetProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "TargetHandle",
                "value": "0x000021ec"
              },
              {
                "name": "Options",
                "value": "0x00000002"
              }
            ],
            "repeated": 0,
            "id": 459
          },
          {
            "timestamp": "2026-05-28 22:02:10,421",
            "thread_id": "4684",
            "caller": "0x7ffc75716f4c",
            "parentcaller": "0x7ffc775bf034",
            "category": "system",
            "api": "NtDuplicateObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SourceProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "SourceHandle",
                "value": "0x00000bf8"
              },
              {
                "name": "TargetProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "TargetHandle",
                "value": "0x00000c4c"
              },
              {
                "name": "Options",
                "value": "0x00000002"
              }
            ],
            "repeated": 0,
            "id": 460
          },
          {
            "timestamp": "2026-05-28 22:02:10,421",
            "thread_id": "4684",
            "caller": "0x7ffc7571c386",
            "parentcaller": "0x7ffc7571c25e",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000c4c"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08790000"
              },
              {
                "name": "SectionOffset",
                "value": "0x06a9f3f0"
              },
              {
                "name": "ViewSize",
                "value": "0x00001000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 1,
            "id": 461
          },
          {
            "timestamp": "2026-05-28 22:02:10,530",
            "thread_id": "4932",
            "caller": "0x7ffc77be92b9",
            "parentcaller": "0x7ffc77c2224d",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "00000338-0000-0000-C000-000000000046"
              },
              {
                "name": "ClsContext",
                "value": "0x00000403",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER|CLSCTX_NO_CODE_DOWNLOAD"
              },
              {
                "name": "riid",
                "value": "00000003-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 462
          },
          {
            "timestamp": "2026-05-28 22:02:10,530",
            "thread_id": "4844",
            "caller": "0x7ffc7571c386",
            "parentcaller": "0x7ffc7571c25e",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x000021f4"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08790000"
              },
              {
                "name": "SectionOffset",
                "value": "0x074ed3d0"
              },
              {
                "name": "ViewSize",
                "value": "0x00001000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 463
          },
          {
            "timestamp": "2026-05-28 22:02:10,530",
            "thread_id": "4844",
            "caller": "0x7ffc77be92b9",
            "parentcaller": "0x7ffc77bb8db3",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "41FD88F7-F295-4D39-91AC-A85F3149A05B"
              },
              {
                "name": "ClsContext",
                "value": "0x00000403",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER|CLSCTX_NO_CODE_DOWNLOAD"
              },
              {
                "name": "riid",
                "value": "00000003-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 464
          },
          {
            "timestamp": "2026-05-28 22:02:10,530",
            "thread_id": "4844",
            "caller": "0x7ffc7571c386",
            "parentcaller": "0x7ffc7571c232",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000bfc"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x08790000"
              },
              {
                "name": "SectionOffset",
                "value": "0x074eeaf0"
              },
              {
                "name": "ViewSize",
                "value": "0x00010000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 465
          },
          {
            "timestamp": "2026-05-28 22:02:10,530",
            "thread_id": "4844",
            "caller": "0x7ffc77be92b9",
            "parentcaller": "0x7ffc77c2224d",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "CCC63AE1-56A5-4F9C-ABE8-E55674F0C0A6"
              },
              {
                "name": "ClsContext",
                "value": "0x00000403",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER|CLSCTX_NO_CODE_DOWNLOAD"
              },
              {
                "name": "riid",
                "value": "00000003-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 466
          },
          {
            "timestamp": "2026-05-28 22:02:10,530",
            "thread_id": "4644",
            "caller": "0x7ffc77be92b9",
            "parentcaller": "0x7ffc77c2224d",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "DA620430-5F6C-447D-8091-C5757E275B37"
              },
              {
                "name": "ClsContext",
                "value": "0x00000403",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER|CLSCTX_NO_CODE_DOWNLOAD"
              },
              {
                "name": "riid",
                "value": "00000003-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 467
          },
          {
            "timestamp": "2026-05-28 22:02:10,530",
            "thread_id": "4644",
            "caller": "0x7ffc77be92b9",
            "parentcaller": "0x7ffc775d319a",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "7BCE3CFB-954C-438F-974C-73A8E0593F1A"
              },
              {
                "name": "ClsContext",
                "value": "0x00000403",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER|CLSCTX_NO_CODE_DOWNLOAD"
              },
              {
                "name": "riid",
                "value": "00000003-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 468
          },
          {
            "timestamp": "2026-05-28 22:02:10,546",
            "thread_id": "4644",
            "caller": "0x7ffc77be92b9",
            "parentcaller": "0x7ffc77beaff0",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "00000352-0000-0000-C000-000000000046"
              },
              {
                "name": "ClsContext",
                "value": "0x00000403",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER|CLSCTX_NO_CODE_DOWNLOAD"
              },
              {
                "name": "riid",
                "value": "00000003-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 469
          },
          {
            "timestamp": "2026-05-28 22:02:10,546",
            "thread_id": "4644",
            "caller": "0x7ffc737b083e",
            "parentcaller": "0x7ffc737b072b",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "317D06E8-5F24-433D-BDF7-79CE68D8ABC2"
              },
              {
                "name": "ClsContext",
                "value": "0x00000001",
                "pretty_value": "CLSCTX_INPROC_SERVER"
              },
              {
                "name": "riid",
                "value": "EC5EC8A9-C395-4314-9C77-54D7A935FF70"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 470
          },
          {
            "timestamp": "2026-05-28 22:02:10,546",
            "thread_id": "4844",
            "caller": "0x7ffc76044db6",
            "parentcaller": "0x7ffc76043b55",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000bf8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00120089",
                "pretty_value": "FILE_GENERIC_READ"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\twinui.pcshell.dll"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 471
          },
          {
            "timestamp": "2026-05-28 22:02:10,546",
            "thread_id": "4844",
            "caller": "0x7ffc756e56b2",
            "parentcaller": "0x7ffc605322b4",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "comctl32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc61e00000"
              }
            ],
            "repeated": 1,
            "id": 472
          },
          {
            "timestamp": "2026-05-28 22:02:10,624",
            "thread_id": "4668",
            "caller": "0x7ff65e127be7",
            "parentcaller": "0x7ff65e124fa0",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000c38"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Users\\admin\\AppData\\Local\\Packages\\Microsoft.Windows.Search_cw5n1h2txyewy\\LocalState\\ShellFeeds\\GLEAM-LIGHT.svg"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "3",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 473
          },
          {
            "timestamp": "2026-05-28 22:02:10,624",
            "thread_id": "4668",
            "caller": "0x7ff65e12c53a",
            "parentcaller": "0x7ff65e127dd7",
            "category": "filesystem",
            "api": "NtSetInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000c38"
              },
              {
                "name": "HandleName",
                "value": "C:\\Users\\admin\\AppData\\Local\\Packages\\Microsoft.Windows.Search_cw5n1h2txyewy\\LocalState\\ShellFeeds\\GLEAM-LIGHT.svg"
              },
              {
                "name": "FileInformationClass",
                "value": "14",
                "pretty_value": "FilePositionInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 474
          },
          {
            "timestamp": "2026-05-28 22:02:10,624",
            "thread_id": "4668",
            "caller": "0x7ff65e12c53a",
            "parentcaller": "0x7ff65e127dd7",
            "category": "filesystem",
            "api": "NtSetInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000c38"
              },
              {
                "name": "HandleName",
                "value": "C:\\Users\\admin\\AppData\\Local\\Packages\\Microsoft.Windows.Search_cw5n1h2txyewy\\LocalState\\ShellFeeds\\GLEAM-LIGHT.svg"
              },
              {
                "name": "FileInformationClass",
                "value": "14",
                "pretty_value": "FilePositionInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 1,
            "id": 475
          },
          {
            "timestamp": "2026-05-28 22:02:10,624",
            "thread_id": "4668",
            "caller": "0x7ff65e12c53a",
            "parentcaller": "0x7ff65e127dd7",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x094ed000"
              },
              {
                "name": "RegionSize",
                "value": "0x00015000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 476
          },
          {
            "timestamp": "2026-05-28 22:02:10,624",
            "thread_id": "4668",
            "caller": "0x7ff65e127e2d",
            "parentcaller": "0x7ff65e124fa0",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000002dc"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Users\\admin\\AppData\\Local\\Packages\\Microsoft.Windows.Search_cw5n1h2txyewy\\LocalState\\ShellFeeds\\GLEAM-DARK.svg"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "3",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 477
          },
          {
            "timestamp": "2026-05-28 22:02:10,624",
            "thread_id": "4668",
            "caller": "0x7ff65e12c53a",
            "parentcaller": "0x7ff65e127e74",
            "category": "filesystem",
            "api": "NtSetInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000002dc"
              },
              {
                "name": "HandleName",
                "value": "C:\\Users\\admin\\AppData\\Local\\Packages\\Microsoft.Windows.Search_cw5n1h2txyewy\\LocalState\\ShellFeeds\\GLEAM-DARK.svg"
              },
              {
                "name": "FileInformationClass",
                "value": "14",
                "pretty_value": "FilePositionInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 478
          },
          {
            "timestamp": "2026-05-28 22:02:10,624",
            "thread_id": "4668",
            "caller": "0x7ff65e12c53a",
            "parentcaller": "0x7ff65e127e74",
            "category": "filesystem",
            "api": "NtSetInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000002dc"
              },
              {
                "name": "HandleName",
                "value": "C:\\Users\\admin\\AppData\\Local\\Packages\\Microsoft.Windows.Search_cw5n1h2txyewy\\LocalState\\ShellFeeds\\GLEAM-DARK.svg"
              },
              {
                "name": "FileInformationClass",
                "value": "14",
                "pretty_value": "FilePositionInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 1,
            "id": 479
          },
          {
            "timestamp": "2026-05-28 22:02:10,624",
            "thread_id": "4668",
            "caller": "0x7ff65e12c53a",
            "parentcaller": "0x7ff65e127e74",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09c7e000"
              },
              {
                "name": "RegionSize",
                "value": "0x00003000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 480
          },
          {
            "timestamp": "2026-05-28 22:02:10,624",
            "thread_id": "4668",
            "caller": "0x7ff65e12c53a",
            "parentcaller": "0x7ff65e127e74",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09c81000"
              },
              {
                "name": "RegionSize",
                "value": "0x00003000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 481
          },
          {
            "timestamp": "2026-05-28 22:02:10,624",
            "thread_id": "4668",
            "caller": "0x7ff65e12c53a",
            "parentcaller": "0x7ff65e127e74",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09c84000"
              },
              {
                "name": "RegionSize",
                "value": "0x00003000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 482
          },
          {
            "timestamp": "2026-05-28 22:02:10,624",
            "thread_id": "4668",
            "caller": "0x7ff65e12c53a",
            "parentcaller": "0x7ff65e127e74",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09c87000"
              },
              {
                "name": "RegionSize",
                "value": "0x00003000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 483
          },
          {
            "timestamp": "2026-05-28 22:02:10,624",
            "thread_id": "4668",
            "caller": "0x7ff65e12c53a",
            "parentcaller": "0x7ff65e127e74",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09c8a000"
              },
              {
                "name": "RegionSize",
                "value": "0x00003000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 484
          },
          {
            "timestamp": "2026-05-28 22:02:10,624",
            "thread_id": "4668",
            "caller": "0x7ff65e12c53a",
            "parentcaller": "0x7ff65e127e74",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09c8d000"
              },
              {
                "name": "RegionSize",
                "value": "0x00003000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 485
          },
          {
            "timestamp": "2026-05-28 22:02:10,624",
            "thread_id": "4668",
            "caller": "0x7ff65e12c53a",
            "parentcaller": "0x7ff65e127e74",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09c90000"
              },
              {
                "name": "RegionSize",
                "value": "0x00003000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 486
          },
          {
            "timestamp": "2026-05-28 22:02:10,624",
            "thread_id": "4668",
            "caller": "0x7ff65e12c53a",
            "parentcaller": "0x7ff65e127e74",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09c93000"
              },
              {
                "name": "RegionSize",
                "value": "0x00005000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 487
          },
          {
            "timestamp": "2026-05-28 22:02:10,624",
            "thread_id": "4668",
            "caller": "0x7ff65e12c53a",
            "parentcaller": "0x7ff65e127e74",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09c98000"
              },
              {
                "name": "RegionSize",
                "value": "0x00005000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 488
          },
          {
            "timestamp": "2026-05-28 22:02:10,624",
            "thread_id": "4668",
            "caller": "0x7ff65e12de16",
            "parentcaller": "0x7ff65e12c0ee",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09c9d000"
              },
              {
                "name": "RegionSize",
                "value": "0x00002000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 489
          },
          {
            "timestamp": "2026-05-28 22:02:10,624",
            "thread_id": "4668",
            "caller": "0x7ff65e12de16",
            "parentcaller": "0x7ff65e12c0ee",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09c9f000"
              },
              {
                "name": "RegionSize",
                "value": "0x00002000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 490
          },
          {
            "timestamp": "2026-05-28 22:02:10,624",
            "thread_id": "4668",
            "caller": "0x7ff65e12de16",
            "parentcaller": "0x7ff65e12c0ee",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09ca1000"
              },
              {
                "name": "RegionSize",
                "value": "0x00002000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 491
          },
          {
            "timestamp": "2026-05-28 22:02:10,624",
            "thread_id": "4668",
            "caller": "0x7ff65e12de16",
            "parentcaller": "0x7ff65e12c0ee",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09ca3000"
              },
              {
                "name": "RegionSize",
                "value": "0x00003000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 492
          },
          {
            "timestamp": "2026-05-28 22:02:10,624",
            "thread_id": "4668",
            "caller": "0x7ff65e12de16",
            "parentcaller": "0x7ff65e12c0ee",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x0d940000"
              },
              {
                "name": "RegionSize",
                "value": "0x00009000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 493
          },
          {
            "timestamp": "2026-05-28 22:02:10,624",
            "thread_id": "4668",
            "caller": "0x7ff65e12de16",
            "parentcaller": "0x7ff65e12c0ee",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x0d949000"
              },
              {
                "name": "RegionSize",
                "value": "0x00005000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 494
          },
          {
            "timestamp": "2026-05-28 22:02:10,624",
            "thread_id": "4668",
            "caller": "0x7ff65e12de16",
            "parentcaller": "0x7ff65e12c0ee",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09ca6000"
              },
              {
                "name": "RegionSize",
                "value": "0x00003000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 495
          },
          {
            "timestamp": "2026-05-28 22:02:10,624",
            "thread_id": "4668",
            "caller": "0x7ff65e12de16",
            "parentcaller": "0x7ff65e12c0ee",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x0d94e000"
              },
              {
                "name": "RegionSize",
                "value": "0x00005000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 496
          },
          {
            "timestamp": "2026-05-28 22:02:10,624",
            "thread_id": "4668",
            "caller": "0x7ff65e12de16",
            "parentcaller": "0x7ff65e12c0ee",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09ca9000"
              },
              {
                "name": "RegionSize",
                "value": "0x00003000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 497
          },
          {
            "timestamp": "2026-05-28 22:02:10,624",
            "thread_id": "4668",
            "caller": "0x7ff65e12de16",
            "parentcaller": "0x7ff65e12c0ee",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x0d953000"
              },
              {
                "name": "RegionSize",
                "value": "0x00009000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 498
          },
          {
            "timestamp": "2026-05-28 22:02:10,624",
            "thread_id": "4668",
            "caller": "0x7ff65e12de16",
            "parentcaller": "0x7ff65e12c0ee",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09cac000"
              },
              {
                "name": "RegionSize",
                "value": "0x00003000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 499
          },
          {
            "timestamp": "2026-05-28 22:02:10,624",
            "thread_id": "4668",
            "caller": "0x7ff65e12de16",
            "parentcaller": "0x7ff65e12c0ee",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x0d95c000"
              },
              {
                "name": "RegionSize",
                "value": "0x00011000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 500
          },
          {
            "timestamp": "2026-05-28 22:02:10,624",
            "thread_id": "4668",
            "caller": "0x7ff65e12de16",
            "parentcaller": "0x7ff65e12c0ee",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x0d96d000"
              },
              {
                "name": "RegionSize",
                "value": "0x00009000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 501
          },
          {
            "timestamp": "2026-05-28 22:02:10,624",
            "thread_id": "4668",
            "caller": "0x7ff65e12de16",
            "parentcaller": "0x7ff65e12c0ee",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09caf000"
              },
              {
                "name": "RegionSize",
                "value": "0x00003000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 502
          },
          {
            "timestamp": "2026-05-28 22:02:10,624",
            "thread_id": "4668",
            "caller": "0x7ff65e12de16",
            "parentcaller": "0x7ff65e12c0ee",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09cb2000"
              },
              {
                "name": "RegionSize",
                "value": "0x00003000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 503
          },
          {
            "timestamp": "2026-05-28 22:02:10,624",
            "thread_id": "4668",
            "caller": "0x7ff65e12de16",
            "parentcaller": "0x7ff65e12c0ee",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x0d976000"
              },
              {
                "name": "RegionSize",
                "value": "0x00009000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 504
          },
          {
            "timestamp": "2026-05-28 22:02:10,624",
            "thread_id": "4668",
            "caller": "0x7ff65e12de16",
            "parentcaller": "0x7ff65e12c0ee",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09cb5000"
              },
              {
                "name": "RegionSize",
                "value": "0x00003000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 505
          },
          {
            "timestamp": "2026-05-28 22:02:10,624",
            "thread_id": "4668",
            "caller": "0x7ff65e12de16",
            "parentcaller": "0x7ff65e12c0ee",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x0d97f000"
              },
              {
                "name": "RegionSize",
                "value": "0x00009000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 506
          },
          {
            "timestamp": "2026-05-28 22:02:10,624",
            "thread_id": "4668",
            "caller": "0x7ff65e12de16",
            "parentcaller": "0x7ff65e12c0ee",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x0d988000"
              },
              {
                "name": "RegionSize",
                "value": "0x00043000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 507
          },
          {
            "timestamp": "2026-05-28 22:02:10,624",
            "thread_id": "4668",
            "caller": "0x7ff65e12de16",
            "parentcaller": "0x7ff65e12c0ee",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x0d9cb000"
              },
              {
                "name": "RegionSize",
                "value": "0x00011000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 508
          },
          {
            "timestamp": "2026-05-28 22:02:10,624",
            "thread_id": "4668",
            "caller": "0x7ff65e12de16",
            "parentcaller": "0x7ff65e12c0ee",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x0d9dc000"
              },
              {
                "name": "RegionSize",
                "value": "0x00009000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 509
          },
          {
            "timestamp": "2026-05-28 22:02:10,624",
            "thread_id": "4668",
            "caller": "0x7ff65e12de16",
            "parentcaller": "0x7ff65e12c0ee",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09cb8000"
              },
              {
                "name": "RegionSize",
                "value": "0x00003000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 510
          },
          {
            "timestamp": "2026-05-28 22:02:10,624",
            "thread_id": "4668",
            "caller": "0x7ff65e12de16",
            "parentcaller": "0x7ff65e12c0ee",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09cbb000"
              },
              {
                "name": "RegionSize",
                "value": "0x00003000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 511
          },
          {
            "timestamp": "2026-05-28 22:02:10,624",
            "thread_id": "4668",
            "caller": "0x7ff65e12de16",
            "parentcaller": "0x7ff65e12c0ee",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x0d9e5000"
              },
              {
                "name": "RegionSize",
                "value": "0x00009000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 512
          },
          {
            "timestamp": "2026-05-28 22:02:10,624",
            "thread_id": "4668",
            "caller": "0x7ff65e12de16",
            "parentcaller": "0x7ff65e12c0ee",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x0d9ee000"
              },
              {
                "name": "RegionSize",
                "value": "0x00043000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 513
          },
          {
            "timestamp": "2026-05-28 22:02:10,639",
            "thread_id": "4668",
            "caller": "0x7ff65e12de16",
            "parentcaller": "0x7ff65e12c0ee",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x0da31000"
              },
              {
                "name": "RegionSize",
                "value": "0x00011000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 514
          },
          {
            "timestamp": "2026-05-28 22:02:10,639",
            "thread_id": "4668",
            "caller": "0x7ff65e12de16",
            "parentcaller": "0x7ff65e12c0ee",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09cbe000"
              },
              {
                "name": "RegionSize",
                "value": "0x00005000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 515
          },
          {
            "timestamp": "2026-05-28 22:02:10,639",
            "thread_id": "4668",
            "caller": "0x7ff65e12de16",
            "parentcaller": "0x7ff65e12c0ee",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09cc3000"
              },
              {
                "name": "RegionSize",
                "value": "0x00003000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 516
          },
          {
            "timestamp": "2026-05-28 22:02:10,639",
            "thread_id": "4668",
            "caller": "0x7ff65e08984c",
            "parentcaller": "0x7ff65e0897dc",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x094ed000"
              },
              {
                "name": "RegionSize",
                "value": "0x0000e000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 517
          },
          {
            "timestamp": "2026-05-28 22:02:10,639",
            "thread_id": "4668",
            "caller": "0x7ff65e08984c",
            "parentcaller": "0x7ff65e0897dc",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09500000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 518
          },
          {
            "timestamp": "2026-05-28 22:02:10,639",
            "thread_id": "4668",
            "caller": "0x7ff65e08984c",
            "parentcaller": "0x7ff65e0897dc",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09c82000"
              },
              {
                "name": "RegionSize",
                "value": "0x00003000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 519
          },
          {
            "timestamp": "2026-05-28 22:02:10,639",
            "thread_id": "4668",
            "caller": "0x7ff65e08984c",
            "parentcaller": "0x7ff65e0897dc",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09c87000"
              },
              {
                "name": "RegionSize",
                "value": "0x00017000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 520
          },
          {
            "timestamp": "2026-05-28 22:02:10,639",
            "thread_id": "4668",
            "caller": "0x7ff65e08984c",
            "parentcaller": "0x7ff65e0897dc",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x0da42000"
              },
              {
                "name": "RegionSize",
                "value": "0x00009000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 521
          },
          {
            "timestamp": "2026-05-28 22:02:10,639",
            "thread_id": "4668",
            "caller": "0x7ff65e08984c",
            "parentcaller": "0x7ff65e0897dc",
            "category": "system",
            "api": "NtDuplicateObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SourceProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "SourceHandle",
                "value": "0x00000ad0"
              },
              {
                "name": "TargetProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "TargetHandle",
                "value": "0x00000ef4"
              },
              {
                "name": "Options",
                "value": "0x00000002"
              }
            ],
            "repeated": 0,
            "id": 522
          },
          {
            "timestamp": "2026-05-28 22:02:10,639",
            "thread_id": "4668",
            "caller": "0x7ff65e08984c",
            "parentcaller": "0x7ff65e0897dc",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x0da4b000"
              },
              {
                "name": "RegionSize",
                "value": "0x00043000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 523
          },
          {
            "timestamp": "2026-05-28 22:02:10,639",
            "thread_id": "4844",
            "caller": "0x7ffc77fde715",
            "parentcaller": "0x7ffc77fde37b",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x0af40000"
              },
              {
                "name": "RegionSize",
                "value": "0x000c9000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 524
          },
          {
            "timestamp": "2026-05-28 22:02:13,452",
            "thread_id": "4668",
            "caller": "0x7ff65e05652c",
            "parentcaller": "0x7ff65e055d54",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\rsaenh.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc746b0000"
              }
            ],
            "repeated": 13,
            "id": 525
          },
          {
            "timestamp": "2026-05-28 22:02:13,452",
            "thread_id": "4668",
            "caller": "0x7ff65e0623a8",
            "parentcaller": "0x7ff65e062e19",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000bfc"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100001",
                "pretty_value": "FILE_READ_ACCESS|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\SecurityHealthSSO.dll"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 526
          },
          {
            "timestamp": "2026-05-28 22:02:13,452",
            "thread_id": "4668",
            "caller": "0x7ff65e0623a8",
            "parentcaller": "0x7ff65e062e19",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000c38"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x087c0000"
              },
              {
                "name": "SectionOffset",
                "value": "0x00000000"
              },
              {
                "name": "ViewSize",
                "value": "0x000eb000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 527
          },
          {
            "timestamp": "2026-05-28 22:02:13,452",
            "thread_id": "4668",
            "caller": "0x7ff65e0623a8",
            "parentcaller": "0x7ff65e062e19",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x087c0000"
              },
              {
                "name": "RegionSize",
                "value": "0x000eb000"
              }
            ],
            "repeated": 0,
            "id": 528
          },
          {
            "timestamp": "2026-05-28 22:02:14,843",
            "thread_id": "2604",
            "caller": "0x7ffc77be92b9",
            "parentcaller": "0x7ffc77c2224d",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "00000338-0000-0000-C000-000000000046"
              },
              {
                "name": "ClsContext",
                "value": "0x00000403",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER|CLSCTX_NO_CODE_DOWNLOAD"
              },
              {
                "name": "riid",
                "value": "00000003-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 1,
            "id": 529
          },
          {
            "timestamp": "2026-05-28 22:02:14,905",
            "thread_id": "4920",
            "caller": "0x7ffc75716f4c",
            "parentcaller": "0x7ffc770cef53",
            "category": "system",
            "api": "NtDuplicateObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SourceProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "SourceHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "TargetProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "TargetHandle",
                "value": "0x00000e8c"
              },
              {
                "name": "Options",
                "value": "0x00000002"
              }
            ],
            "repeated": 0,
            "id": 530
          },
          {
            "timestamp": "2026-05-28 22:02:15,749",
            "thread_id": "2604",
            "caller": "0x7ffc5e7ee842",
            "parentcaller": "0x7ffc780416e9",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000d34"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00120089",
                "pretty_value": "FILE_GENERIC_READ"
              },
              {
                "name": "FileName",
                "value": "\\Device\\Bam"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 531
          },
          {
            "timestamp": "2026-05-28 22:02:34,249",
            "thread_id": "2840",
            "caller": "0x7ffc5e7ee842",
            "parentcaller": "0x7ffc780416e9",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00001a18"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00120089",
                "pretty_value": "FILE_GENERIC_READ"
              },
              {
                "name": "FileName",
                "value": "\\Device\\Bam"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 532
          },
          {
            "timestamp": "2026-05-28 22:02:37,983",
            "thread_id": "4668",
            "caller": "0x7ff65e07a06e",
            "parentcaller": "0x7ff65e066f8c",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "660B90C8-73A9-4B58-8CAE-355B7F55341B"
              },
              {
                "name": "ClsContext",
                "value": "0x00000003",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER"
              },
              {
                "name": "riid",
                "value": "DE25675A-72DE-44B4-9373-05170450C140"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 533
          },
          {
            "timestamp": "2026-05-28 22:02:37,983",
            "thread_id": "4668",
            "caller": "0x7ff65e07a0c1",
            "parentcaller": "0x7ff65e066f8c",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "shell32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76730000"
              }
            ],
            "repeated": 0,
            "id": 534
          },
          {
            "timestamp": "2026-05-28 22:02:37,983",
            "thread_id": "4884",
            "caller": "0x7ffc5e7ed59f",
            "parentcaller": "0x7ffc5e82c80c",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000498"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00120089",
                "pretty_value": "FILE_GENERIC_READ"
              },
              {
                "name": "FileName",
                "value": "\\Device\\Bam"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 535
          },
          {
            "timestamp": "2026-05-28 22:02:37,983",
            "thread_id": "4884",
            "caller": "0x7ffc77fded8a",
            "parentcaller": "0x7ffc77ffdb07",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x0947b000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 536
          },
          {
            "timestamp": "2026-05-28 22:02:37,983",
            "thread_id": "4884",
            "caller": "0x7ffc5e7ee842",
            "parentcaller": "0x7ffc5e7ed62c",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00001a50"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00120089",
                "pretty_value": "FILE_GENERIC_READ"
              },
              {
                "name": "FileName",
                "value": "\\Device\\Bam"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 537
          },
          {
            "timestamp": "2026-05-28 22:02:37,983",
            "thread_id": "5020",
            "caller": "0x7ffc756dfcb5",
            "parentcaller": "0x7ffc75725984",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000498"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100001",
                "pretty_value": "FILE_READ_ACCESS|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Program Files (x86)\\Microsoft\\"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 538
          },
          {
            "timestamp": "2026-05-28 22:02:37,983",
            "thread_id": "5020",
            "caller": "0x7ffc756dfcb5",
            "parentcaller": "0x7ffc75725984",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000498"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100001",
                "pretty_value": "FILE_READ_ACCESS|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 539
          },
          {
            "timestamp": "2026-05-28 22:02:37,999",
            "thread_id": "4804",
            "caller": "0x7ff65e079d10",
            "parentcaller": "0x7ff65e079c74",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "660B90C8-73A9-4B58-8CAE-355B7F55341B"
              },
              {
                "name": "ClsContext",
                "value": "0x00000003",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER"
              },
              {
                "name": "riid",
                "value": "DE25675A-72DE-44B4-9373-05170450C140"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 540
          },
          {
            "timestamp": "2026-05-28 22:02:37,999",
            "thread_id": "4804",
            "caller": "0x7ff65e079d60",
            "parentcaller": "0x7ff65e079c74",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "shell32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76730000"
              }
            ],
            "repeated": 0,
            "id": 541
          },
          {
            "timestamp": "2026-05-28 22:02:37,999",
            "thread_id": "4640",
            "caller": "0x7ffc77fded8a",
            "parentcaller": "0x7ffc77ffdb07",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x09c7b000"
              },
              {
                "name": "RegionSize",
                "value": "0x00004000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 542
          },
          {
            "timestamp": "2026-05-28 22:02:37,999",
            "thread_id": "4640",
            "caller": "0x7ffc75703013",
            "parentcaller": "0x7ffc5e83672b",
            "category": "filesystem",
            "api": "NtSetInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00001850"
              },
              {
                "name": "HandleName",
                "value": "C:\\Users\\admin\\AppData\\Local\\Microsoft\\GameDVR\\KnownGameList.bin"
              },
              {
                "name": "FileInformationClass",
                "value": "14",
                "pretty_value": "FilePositionInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\x0c\\xaf\\x04\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 543
          },
          {
            "timestamp": "2026-05-28 22:02:37,999",
            "thread_id": "4884",
            "caller": "0x7ffc7604b8ed",
            "parentcaller": "0x7ffc775c5341",
            "category": "threading",
            "api": "CreateRemoteThreadEx",
            "status": true,
            "return": "0x0000032c",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "StartRoutine",
                "value": "0x7ffc775c53d0"
              },
              {
                "name": "Parameter",
                "value": "0x040bdd50"
              },
              {
                "name": "CreationFlags",
                "value": "0x00000004"
              },
              {
                "name": "ThreadId",
                "value": "10780"
              },
              {
                "name": "ProcessId",
                "value": "4584"
              }
            ],
            "repeated": 0,
            "id": 544
          },
          {
            "timestamp": "2026-05-28 22:02:37,999",
            "thread_id": "4884",
            "caller": "0x7ffc7572f430",
            "parentcaller": "0x7ffc775c5379",
            "category": "threading",
            "api": "NtResumeThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0x0000032c"
              },
              {
                "name": "SuspendCount",
                "value": "1"
              },
              {
                "name": "ThreadId",
                "value": "10780"
              },
              {
                "name": "ProcessId",
                "value": "4584"
              }
            ],
            "repeated": 0,
            "id": 545
          },
          {
            "timestamp": "2026-05-28 22:02:38,014",
            "thread_id": "4668",
            "caller": "0x7ff65e07a06e",
            "parentcaller": "0x7ff65e066f8c",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "660B90C8-73A9-4B58-8CAE-355B7F55341B"
              },
              {
                "name": "ClsContext",
                "value": "0x00000003",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER"
              },
              {
                "name": "riid",
                "value": "DE25675A-72DE-44B4-9373-05170450C140"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 546
          },
          {
            "timestamp": "2026-05-28 22:02:38,014",
            "thread_id": "4668",
            "caller": "0x7ff65e07a0c1",
            "parentcaller": "0x7ff65e066f8c",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "shell32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76730000"
              }
            ],
            "repeated": 0,
            "id": 547
          },
          {
            "timestamp": "2026-05-28 22:02:38,046",
            "thread_id": "4668",
            "caller": "0x7ff65e07a06e",
            "parentcaller": "0x7ff65e066f8c",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "660B90C8-73A9-4B58-8CAE-355B7F55341B"
              },
              {
                "name": "ClsContext",
                "value": "0x00000003",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER"
              },
              {
                "name": "riid",
                "value": "DE25675A-72DE-44B4-9373-05170450C140"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 548
          },
          {
            "timestamp": "2026-05-28 22:02:38,046",
            "thread_id": "4668",
            "caller": "0x7ff65e07a0c1",
            "parentcaller": "0x7ff65e066f8c",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "shell32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76730000"
              }
            ],
            "repeated": 0,
            "id": 549
          },
          {
            "timestamp": "2026-05-28 22:02:38,046",
            "thread_id": "10780",
            "caller": "0x7ffc75716f4c",
            "parentcaller": "0x7ffc770cef53",
            "category": "system",
            "api": "NtDuplicateObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SourceProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "SourceHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "TargetProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "TargetHandle",
                "value": "0x000022c8"
              },
              {
                "name": "Options",
                "value": "0x00000002"
              }
            ],
            "repeated": 0,
            "id": 550
          },
          {
            "timestamp": "2026-05-28 22:02:38,061",
            "thread_id": "4668",
            "caller": "0x7ff65e07a06e",
            "parentcaller": "0x7ff65e066f8c",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "660B90C8-73A9-4B58-8CAE-355B7F55341B"
              },
              {
                "name": "ClsContext",
                "value": "0x00000003",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER"
              },
              {
                "name": "riid",
                "value": "DE25675A-72DE-44B4-9373-05170450C140"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 551
          },
          {
            "timestamp": "2026-05-28 22:02:38,061",
            "thread_id": "4668",
            "caller": "0x7ff65e07a0c1",
            "parentcaller": "0x7ff65e066f8c",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "shell32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76730000"
              }
            ],
            "repeated": 0,
            "id": 552
          },
          {
            "timestamp": "2026-05-28 22:02:38,093",
            "thread_id": "4668",
            "caller": "0x7ff65e07a06e",
            "parentcaller": "0x7ff65e066f8c",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "660B90C8-73A9-4B58-8CAE-355B7F55341B"
              },
              {
                "name": "ClsContext",
                "value": "0x00000003",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER"
              },
              {
                "name": "riid",
                "value": "DE25675A-72DE-44B4-9373-05170450C140"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 553
          },
          {
            "timestamp": "2026-05-28 22:02:38,093",
            "thread_id": "4668",
            "caller": "0x7ff65e07a0c1",
            "parentcaller": "0x7ff65e066f8c",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "shell32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76730000"
              }
            ],
            "repeated": 0,
            "id": 554
          },
          {
            "timestamp": "2026-05-28 22:02:38,280",
            "thread_id": "3452",
            "caller": "0x7ffc77be92b9",
            "parentcaller": "0x7ffc77c21dfa",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "00000344-0000-0000-C000-000000000046"
              },
              {
                "name": "ClsContext",
                "value": "0x00000403",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER|CLSCTX_NO_CODE_DOWNLOAD"
              },
              {
                "name": "riid",
                "value": "00000003-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 1,
            "id": 555
          },
          {
            "timestamp": "2026-05-28 22:02:38,280",
            "thread_id": "4636",
            "caller": "0x7ffc5d634428",
            "parentcaller": "0x7ffc5d633a03",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "F0AE1542-F497-484B-A175-A20DB09144BA"
              },
              {
                "name": "ClsContext",
                "value": "0x00000001",
                "pretty_value": "CLSCTX_INPROC_SERVER"
              },
              {
                "name": "riid",
                "value": "8DC24A1A-6314-4769-9D68-179786F4CED6"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 556
          },
          {
            "timestamp": "2026-05-28 22:02:38,280",
            "thread_id": "3452",
            "caller": "0x7ffc756e9dd2",
            "parentcaller": "0x7ffc73849e99",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": false,
            "return": "0xffffffffc0000035",
            "pretty_return": "OBJECT_NAME_COLLISION",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x4574f454d"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100001",
                "pretty_value": "FILE_READ_ACCESS|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Users\\admin\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\AutomaticDestinations"
              },
              {
                "name": "CreateDisposition",
                "value": "2",
                "pretty_value": "FILE_CREATE"
              },
              {
                "name": "ShareAccess",
                "value": "3",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000080",
                "pretty_value": "FILE_ATTRIBUTE_NORMAL"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 557
          },
          {
            "timestamp": "2026-05-28 22:02:38,280",
            "thread_id": "4636",
            "caller": "0x7ffc756e56b2",
            "parentcaller": "0x7ffc738a58d4",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "shell32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76730000"
              }
            ],
            "repeated": 0,
            "id": 558
          },
          {
            "timestamp": "2026-05-28 22:02:38,280",
            "thread_id": "4636",
            "caller": "0x7ffc738a5882",
            "parentcaller": "0x7ffc738a8f55",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "4234D49B-0245-4DF3-B780-3893943456E1"
              },
              {
                "name": "ClsContext",
                "value": "0x00000401",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_NO_CODE_DOWNLOAD"
              },
              {
                "name": "riid",
                "value": "000214E6-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 559
          },
          {
            "timestamp": "2026-05-28 22:02:38,280",
            "thread_id": "4636",
            "caller": "0x7ffc610f58e1",
            "parentcaller": "0x7ffc610f5ef1",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "660B90C8-73A9-4B58-8CAE-355B7F55341B"
              },
              {
                "name": "ClsContext",
                "value": "0x00000003",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER"
              },
              {
                "name": "riid",
                "value": "02C5CCF3-805F-4654-A7B7-340A74335365"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 560
          },
          {
            "timestamp": "2026-05-28 22:02:38,343",
            "thread_id": "4640",
            "caller": "0x7ffc77be92b9",
            "parentcaller": "0x7ffc77c2224d",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "00000339-0000-0000-C000-000000000046"
              },
              {
                "name": "ClsContext",
                "value": "0x00000403",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER|CLSCTX_NO_CODE_DOWNLOAD"
              },
              {
                "name": "riid",
                "value": "00000003-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 2,
            "id": 561
          },
          {
            "timestamp": "2026-05-28 22:02:39,358",
            "thread_id": "4668",
            "caller": "0x7ff65e07a06e",
            "parentcaller": "0x7ff65e066f8c",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "660B90C8-73A9-4B58-8CAE-355B7F55341B"
              },
              {
                "name": "ClsContext",
                "value": "0x00000003",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER"
              },
              {
                "name": "riid",
                "value": "DE25675A-72DE-44B4-9373-05170450C140"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 562
          },
          {
            "timestamp": "2026-05-28 22:02:39,358",
            "thread_id": "4668",
            "caller": "0x7ff65e07a0c1",
            "parentcaller": "0x7ff65e066f8c",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "shell32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76730000"
              }
            ],
            "repeated": 0,
            "id": 563
          },
          {
            "timestamp": "2026-05-28 22:02:39,358",
            "thread_id": "4884",
            "caller": "0x7ffc5e7ee842",
            "parentcaller": "0x7ffc5e7ed88a",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00001a4c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00120089",
                "pretty_value": "FILE_GENERIC_READ"
              },
              {
                "name": "FileName",
                "value": "\\Device\\Bam"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 564
          },
          {
            "timestamp": "2026-05-28 22:02:39,358",
            "thread_id": "4884",
            "caller": "0x7ffc5e7ed59f",
            "parentcaller": "0x7ffc5e82c80c",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00001264"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00120089",
                "pretty_value": "FILE_GENERIC_READ"
              },
              {
                "name": "FileName",
                "value": "\\Device\\Bam"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 565
          },
          {
            "timestamp": "2026-05-28 22:02:39,358",
            "thread_id": "4884",
            "caller": "0x7ffc5e7ee842",
            "parentcaller": "0x7ffc5e7ed62c",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00001a44"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00120089",
                "pretty_value": "FILE_GENERIC_READ"
              },
              {
                "name": "FileName",
                "value": "\\Device\\Bam"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 566
          },
          {
            "timestamp": "2026-05-28 22:02:39,358",
            "thread_id": "4804",
            "caller": "0x7ff65e079d10",
            "parentcaller": "0x7ff65e079c74",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "660B90C8-73A9-4B58-8CAE-355B7F55341B"
              },
              {
                "name": "ClsContext",
                "value": "0x00000003",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER"
              },
              {
                "name": "riid",
                "value": "DE25675A-72DE-44B4-9373-05170450C140"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 567
          },
          {
            "timestamp": "2026-05-28 22:02:39,358",
            "thread_id": "4804",
            "caller": "0x7ff65e079d60",
            "parentcaller": "0x7ff65e079c74",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "shell32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76730000"
              }
            ],
            "repeated": 0,
            "id": 568
          },
          {
            "timestamp": "2026-05-28 22:02:39,358",
            "thread_id": "4804",
            "caller": "0x7ff65e079d60",
            "parentcaller": "0x7ff65e079c74",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00001a04"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100001",
                "pretty_value": "FILE_READ_ACCESS|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 569
          },
          {
            "timestamp": "2026-05-28 22:02:39,358",
            "thread_id": "4804",
            "caller": "0x7ff65e079d60",
            "parentcaller": "0x7ff65e079c74",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00001a04"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100001",
                "pretty_value": "FILE_READ_ACCESS|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 570
          },
          {
            "timestamp": "2026-05-28 22:02:39,358",
            "thread_id": "4804",
            "caller": "0x7ff65e079d60",
            "parentcaller": "0x7ff65e079c74",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00001a04"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100001",
                "pretty_value": "FILE_READ_ACCESS|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 571
          },
          {
            "timestamp": "2026-05-28 22:02:39,374",
            "thread_id": "5020",
            "caller": "0x7ffc756dfcb5",
            "parentcaller": "0x7ffc75725984",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00001a4c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100001",
                "pretty_value": "FILE_READ_ACCESS|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 572
          },
          {
            "timestamp": "2026-05-28 22:02:39,374",
            "thread_id": "5020",
            "caller": "0x7ffc756dfcb5",
            "parentcaller": "0x7ffc75725984",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00001a4c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100001",
                "pretty_value": "FILE_READ_ACCESS|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 573
          },
          {
            "timestamp": "2026-05-28 22:02:39,389",
            "thread_id": "5020",
            "caller": "0x7ffc756dfcb5",
            "parentcaller": "0x7ffc75725984",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00001a4c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100001",
                "pretty_value": "FILE_READ_ACCESS|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 574
          },
          {
            "timestamp": "2026-05-28 22:02:39,405",
            "thread_id": "4668",
            "caller": "0x7ff65e07a06e",
            "parentcaller": "0x7ff65e066f8c",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "660B90C8-73A9-4B58-8CAE-355B7F55341B"
              },
              {
                "name": "ClsContext",
                "value": "0x00000003",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER"
              },
              {
                "name": "riid",
                "value": "DE25675A-72DE-44B4-9373-05170450C140"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 575
          },
          {
            "timestamp": "2026-05-28 22:02:39,405",
            "thread_id": "4668",
            "caller": "0x7ff65e07a0c1",
            "parentcaller": "0x7ff65e066f8c",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "shell32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76730000"
              }
            ],
            "repeated": 0,
            "id": 576
          },
          {
            "timestamp": "2026-05-28 22:02:39,421",
            "thread_id": "4668",
            "caller": "0x7ff65e07a06e",
            "parentcaller": "0x7ff65e066f8c",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "660B90C8-73A9-4B58-8CAE-355B7F55341B"
              },
              {
                "name": "ClsContext",
                "value": "0x00000003",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER"
              },
              {
                "name": "riid",
                "value": "DE25675A-72DE-44B4-9373-05170450C140"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 577
          },
          {
            "timestamp": "2026-05-28 22:02:39,421",
            "thread_id": "4668",
            "caller": "0x7ff65e07a0c1",
            "parentcaller": "0x7ff65e066f8c",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "shell32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76730000"
              }
            ],
            "repeated": 0,
            "id": 578
          },
          {
            "timestamp": "2026-05-28 22:02:39,436",
            "thread_id": "4668",
            "caller": "0x7ff65e07a06e",
            "parentcaller": "0x7ff65e066f8c",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "660B90C8-73A9-4B58-8CAE-355B7F55341B"
              },
              {
                "name": "ClsContext",
                "value": "0x00000003",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER"
              },
              {
                "name": "riid",
                "value": "DE25675A-72DE-44B4-9373-05170450C140"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 579
          },
          {
            "timestamp": "2026-05-28 22:02:39,436",
            "thread_id": "4668",
            "caller": "0x7ff65e07a0c1",
            "parentcaller": "0x7ff65e066f8c",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "shell32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76730000"
              }
            ],
            "repeated": 0,
            "id": 580
          },
          {
            "timestamp": "2026-05-28 22:02:39,452",
            "thread_id": "4624",
            "caller": "0x7ffc77be92b9",
            "parentcaller": "0x7ffc77c2224d",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "00000338-0000-0000-C000-000000000046"
              },
              {
                "name": "ClsContext",
                "value": "0x00000403",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER|CLSCTX_NO_CODE_DOWNLOAD"
              },
              {
                "name": "riid",
                "value": "00000003-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 581
          },
          {
            "timestamp": "2026-05-28 22:02:39,452",
            "thread_id": "4884",
            "caller": "0x7ffc77be92b9",
            "parentcaller": "0x7ffc77c2224d",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "00000339-0000-0000-C000-000000000046"
              },
              {
                "name": "ClsContext",
                "value": "0x00000403",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER|CLSCTX_NO_CODE_DOWNLOAD"
              },
              {
                "name": "riid",
                "value": "00000003-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 582
          },
          {
            "timestamp": "2026-05-28 22:02:39,452",
            "thread_id": "4884",
            "caller": "0x7ffc5d4d8258",
            "parentcaller": "0x7ffc5d4d8824",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "C2F03A33-21F5-47FA-B4BB-156362A2F239"
              },
              {
                "name": "ClsContext",
                "value": "0x00000004",
                "pretty_value": "CLSCTX_LOCAL_SERVER"
              },
              {
                "name": "riid",
                "value": "6D5140C1-7436-11CE-8034-00AA006009FA"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 583
          },
          {
            "timestamp": "2026-05-28 22:02:39,452",
            "thread_id": "3452",
            "caller": "0x7ffc77be92b9",
            "parentcaller": "0x7ffc77c21dfa",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "00000344-0000-0000-C000-000000000046"
              },
              {
                "name": "ClsContext",
                "value": "0x00000403",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER|CLSCTX_NO_CODE_DOWNLOAD"
              },
              {
                "name": "riid",
                "value": "00000003-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 1,
            "id": 584
          },
          {
            "timestamp": "2026-05-28 22:02:39,452",
            "thread_id": "10780",
            "caller": "0x7ffc5d634428",
            "parentcaller": "0x7ffc5d633a03",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "F0AE1542-F497-484B-A175-A20DB09144BA"
              },
              {
                "name": "ClsContext",
                "value": "0x00000001",
                "pretty_value": "CLSCTX_INPROC_SERVER"
              },
              {
                "name": "riid",
                "value": "8DC24A1A-6314-4769-9D68-179786F4CED6"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 585
          },
          {
            "timestamp": "2026-05-28 22:02:39,452",
            "thread_id": "3452",
            "caller": "0x7ffc756e9dd2",
            "parentcaller": "0x7ffc73849e99",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": false,
            "return": "0xffffffffc0000035",
            "pretty_return": "OBJECT_NAME_COLLISION",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x4574f454d"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100001",
                "pretty_value": "FILE_READ_ACCESS|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Users\\admin\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\AutomaticDestinations"
              },
              {
                "name": "CreateDisposition",
                "value": "2",
                "pretty_value": "FILE_CREATE"
              },
              {
                "name": "ShareAccess",
                "value": "3",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000080",
                "pretty_value": "FILE_ATTRIBUTE_NORMAL"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 586
          },
          {
            "timestamp": "2026-05-28 22:02:39,452",
            "thread_id": "10780",
            "caller": "0x7ffc756e56b2",
            "parentcaller": "0x7ffc738a58d4",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "shell32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76730000"
              }
            ],
            "repeated": 0,
            "id": 587
          },
          {
            "timestamp": "2026-05-28 22:02:39,452",
            "thread_id": "10780",
            "caller": "0x7ffc738a5882",
            "parentcaller": "0x7ffc738a8f55",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "4234D49B-0245-4DF3-B780-3893943456E1"
              },
              {
                "name": "ClsContext",
                "value": "0x00000401",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_NO_CODE_DOWNLOAD"
              },
              {
                "name": "riid",
                "value": "000214E6-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 588
          },
          {
            "timestamp": "2026-05-28 22:02:39,452",
            "thread_id": "10780",
            "caller": "0x7ffc610f58e1",
            "parentcaller": "0x7ffc610f5ef1",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "660B90C8-73A9-4B58-8CAE-355B7F55341B"
              },
              {
                "name": "ClsContext",
                "value": "0x00000003",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER"
              },
              {
                "name": "riid",
                "value": "02C5CCF3-805F-4654-A7B7-340A74335365"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 589
          },
          {
            "timestamp": "2026-05-28 22:02:39,452",
            "thread_id": "10780",
            "caller": "0x7ffc75716f4c",
            "parentcaller": "0x7ffc77b96d2f",
            "category": "system",
            "api": "NtDuplicateObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SourceProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "SourceHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "TargetProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "TargetHandle",
                "value": "0x00001a4c"
              },
              {
                "name": "Options",
                "value": "0x00000002"
              }
            ],
            "repeated": 0,
            "id": 590
          },
          {
            "timestamp": "2026-05-28 22:02:39,468",
            "thread_id": "4668",
            "caller": "0x7ff65e07a06e",
            "parentcaller": "0x7ff65e066f8c",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "660B90C8-73A9-4B58-8CAE-355B7F55341B"
              },
              {
                "name": "ClsContext",
                "value": "0x00000003",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER"
              },
              {
                "name": "riid",
                "value": "DE25675A-72DE-44B4-9373-05170450C140"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 591
          },
          {
            "timestamp": "2026-05-28 22:02:39,468",
            "thread_id": "4668",
            "caller": "0x7ff65e07a0c1",
            "parentcaller": "0x7ff65e066f8c",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "shell32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76730000"
              }
            ],
            "repeated": 0,
            "id": 592
          },
          {
            "timestamp": "2026-05-28 22:02:39,577",
            "thread_id": "4668",
            "caller": "0x7ff65e07a06e",
            "parentcaller": "0x7ff65e066f8c",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "660B90C8-73A9-4B58-8CAE-355B7F55341B"
              },
              {
                "name": "ClsContext",
                "value": "0x00000003",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER"
              },
              {
                "name": "riid",
                "value": "DE25675A-72DE-44B4-9373-05170450C140"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 593
          },
          {
            "timestamp": "2026-05-28 22:02:39,577",
            "thread_id": "4668",
            "caller": "0x7ff65e07a0c1",
            "parentcaller": "0x7ff65e066f8c",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "shell32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76730000"
              }
            ],
            "repeated": 0,
            "id": 594
          },
          {
            "timestamp": "2026-05-28 22:02:39,577",
            "thread_id": "4668",
            "caller": "0x7ff65e07a06e",
            "parentcaller": "0x7ff65e066f8c",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "660B90C8-73A9-4B58-8CAE-355B7F55341B"
              },
              {
                "name": "ClsContext",
                "value": "0x00000003",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER"
              },
              {
                "name": "riid",
                "value": "DE25675A-72DE-44B4-9373-05170450C140"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 595
          },
          {
            "timestamp": "2026-05-28 22:02:39,577",
            "thread_id": "4668",
            "caller": "0x7ff65e07a0c1",
            "parentcaller": "0x7ff65e066f8c",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "shell32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76730000"
              }
            ],
            "repeated": 0,
            "id": 596
          },
          {
            "timestamp": "2026-05-28 22:02:39,593",
            "thread_id": "4668",
            "caller": "0x7ff65e07a06e",
            "parentcaller": "0x7ff65e066f8c",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "660B90C8-73A9-4B58-8CAE-355B7F55341B"
              },
              {
                "name": "ClsContext",
                "value": "0x00000003",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER"
              },
              {
                "name": "riid",
                "value": "DE25675A-72DE-44B4-9373-05170450C140"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 597
          },
          {
            "timestamp": "2026-05-28 22:02:39,593",
            "thread_id": "4668",
            "caller": "0x7ff65e07a0c1",
            "parentcaller": "0x7ff65e066f8c",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "shell32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76730000"
              }
            ],
            "repeated": 0,
            "id": 598
          },
          {
            "timestamp": "2026-05-28 22:02:39,593",
            "thread_id": "4668",
            "caller": "0x7ff65e07a06e",
            "parentcaller": "0x7ff65e066f8c",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "660B90C8-73A9-4B58-8CAE-355B7F55341B"
              },
              {
                "name": "ClsContext",
                "value": "0x00000003",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER"
              },
              {
                "name": "riid",
                "value": "DE25675A-72DE-44B4-9373-05170450C140"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 599
          },
          {
            "timestamp": "2026-05-28 22:02:39,593",
            "thread_id": "4668",
            "caller": "0x7ff65e07a0c1",
            "parentcaller": "0x7ff65e066f8c",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "shell32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76730000"
              }
            ],
            "repeated": 0,
            "id": 600
          },
          {
            "timestamp": "2026-05-28 22:02:39,608",
            "thread_id": "4668",
            "caller": "0x7ff65e07a06e",
            "parentcaller": "0x7ff65e066f8c",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "660B90C8-73A9-4B58-8CAE-355B7F55341B"
              },
              {
                "name": "ClsContext",
                "value": "0x00000003",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER"
              },
              {
                "name": "riid",
                "value": "DE25675A-72DE-44B4-9373-05170450C140"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 601
          },
          {
            "timestamp": "2026-05-28 22:02:39,608",
            "thread_id": "4668",
            "caller": "0x7ff65e07a0c1",
            "parentcaller": "0x7ff65e066f8c",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "shell32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76730000"
              }
            ],
            "repeated": 0,
            "id": 602
          },
          {
            "timestamp": "2026-05-28 22:02:39,608",
            "thread_id": "4668",
            "caller": "0x7ff65e07a06e",
            "parentcaller": "0x7ff65e066f8c",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "660B90C8-73A9-4B58-8CAE-355B7F55341B"
              },
              {
                "name": "ClsContext",
                "value": "0x00000003",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER"
              },
              {
                "name": "riid",
                "value": "DE25675A-72DE-44B4-9373-05170450C140"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 603
          },
          {
            "timestamp": "2026-05-28 22:02:39,608",
            "thread_id": "4668",
            "caller": "0x7ff65e07a0c1",
            "parentcaller": "0x7ff65e066f8c",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "shell32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76730000"
              }
            ],
            "repeated": 0,
            "id": 604
          },
          {
            "timestamp": "2026-05-28 22:02:39,639",
            "thread_id": "4668",
            "caller": "0x7ff65e07a06e",
            "parentcaller": "0x7ff65e066f8c",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "660B90C8-73A9-4B58-8CAE-355B7F55341B"
              },
              {
                "name": "ClsContext",
                "value": "0x00000003",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER"
              },
              {
                "name": "riid",
                "value": "DE25675A-72DE-44B4-9373-05170450C140"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 605
          },
          {
            "timestamp": "2026-05-28 22:02:39,639",
            "thread_id": "4668",
            "caller": "0x7ff65e07a0c1",
            "parentcaller": "0x7ff65e066f8c",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "shell32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76730000"
              }
            ],
            "repeated": 0,
            "id": 606
          },
          {
            "timestamp": "2026-05-28 22:02:39,639",
            "thread_id": "4668",
            "caller": "0x7ff65e07a06e",
            "parentcaller": "0x7ff65e066f8c",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "660B90C8-73A9-4B58-8CAE-355B7F55341B"
              },
              {
                "name": "ClsContext",
                "value": "0x00000003",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER"
              },
              {
                "name": "riid",
                "value": "DE25675A-72DE-44B4-9373-05170450C140"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 607
          },
          {
            "timestamp": "2026-05-28 22:02:39,639",
            "thread_id": "4668",
            "caller": "0x7ff65e07a0c1",
            "parentcaller": "0x7ff65e066f8c",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "shell32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76730000"
              }
            ],
            "repeated": 0,
            "id": 608
          },
          {
            "timestamp": "2026-05-28 22:02:39,655",
            "thread_id": "4668",
            "caller": "0x7ff65e07a06e",
            "parentcaller": "0x7ff65e066f8c",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "660B90C8-73A9-4B58-8CAE-355B7F55341B"
              },
              {
                "name": "ClsContext",
                "value": "0x00000003",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER"
              },
              {
                "name": "riid",
                "value": "DE25675A-72DE-44B4-9373-05170450C140"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 609
          },
          {
            "timestamp": "2026-05-28 22:02:39,655",
            "thread_id": "4668",
            "caller": "0x7ff65e07a0c1",
            "parentcaller": "0x7ff65e066f8c",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "shell32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76730000"
              }
            ],
            "repeated": 0,
            "id": 610
          },
          {
            "timestamp": "2026-05-28 22:02:39,655",
            "thread_id": "4668",
            "caller": "0x7ff65e07a06e",
            "parentcaller": "0x7ff65e066f8c",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "660B90C8-73A9-4B58-8CAE-355B7F55341B"
              },
              {
                "name": "ClsContext",
                "value": "0x00000003",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER"
              },
              {
                "name": "riid",
                "value": "DE25675A-72DE-44B4-9373-05170450C140"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 611
          },
          {
            "timestamp": "2026-05-28 22:02:39,655",
            "thread_id": "4668",
            "caller": "0x7ff65e07a0c1",
            "parentcaller": "0x7ff65e066f8c",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "shell32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76730000"
              }
            ],
            "repeated": 0,
            "id": 612
          },
          {
            "timestamp": "2026-05-28 22:02:39,686",
            "thread_id": "4668",
            "caller": "0x7ff65e07a06e",
            "parentcaller": "0x7ff65e066f8c",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "660B90C8-73A9-4B58-8CAE-355B7F55341B"
              },
              {
                "name": "ClsContext",
                "value": "0x00000003",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER"
              },
              {
                "name": "riid",
                "value": "DE25675A-72DE-44B4-9373-05170450C140"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 613
          },
          {
            "timestamp": "2026-05-28 22:02:39,686",
            "thread_id": "4668",
            "caller": "0x7ff65e07a0c1",
            "parentcaller": "0x7ff65e066f8c",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "shell32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76730000"
              }
            ],
            "repeated": 0,
            "id": 614
          },
          {
            "timestamp": "2026-05-28 22:02:39,686",
            "thread_id": "4668",
            "caller": "0x7ff65e07a06e",
            "parentcaller": "0x7ff65e066f8c",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "660B90C8-73A9-4B58-8CAE-355B7F55341B"
              },
              {
                "name": "ClsContext",
                "value": "0x00000003",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER"
              },
              {
                "name": "riid",
                "value": "DE25675A-72DE-44B4-9373-05170450C140"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 615
          },
          {
            "timestamp": "2026-05-28 22:02:39,686",
            "thread_id": "4668",
            "caller": "0x7ff65e07a0c1",
            "parentcaller": "0x7ff65e066f8c",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "shell32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76730000"
              }
            ],
            "repeated": 0,
            "id": 616
          },
          {
            "timestamp": "2026-05-28 22:02:39,702",
            "thread_id": "4668",
            "caller": "0x7ff65e07a06e",
            "parentcaller": "0x7ff65e066f8c",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "660B90C8-73A9-4B58-8CAE-355B7F55341B"
              },
              {
                "name": "ClsContext",
                "value": "0x00000003",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER"
              },
              {
                "name": "riid",
                "value": "DE25675A-72DE-44B4-9373-05170450C140"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 617
          },
          {
            "timestamp": "2026-05-28 22:02:39,702",
            "thread_id": "4668",
            "caller": "0x7ff65e07a0c1",
            "parentcaller": "0x7ff65e066f8c",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "shell32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76730000"
              }
            ],
            "repeated": 0,
            "id": 618
          },
          {
            "timestamp": "2026-05-28 22:02:39,702",
            "thread_id": "4668",
            "caller": "0x7ff65e07a06e",
            "parentcaller": "0x7ff65e066f8c",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "660B90C8-73A9-4B58-8CAE-355B7F55341B"
              },
              {
                "name": "ClsContext",
                "value": "0x00000003",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER"
              },
              {
                "name": "riid",
                "value": "DE25675A-72DE-44B4-9373-05170450C140"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 619
          },
          {
            "timestamp": "2026-05-28 22:02:39,702",
            "thread_id": "4668",
            "caller": "0x7ff65e07a0c1",
            "parentcaller": "0x7ff65e066f8c",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "shell32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76730000"
              }
            ],
            "repeated": 0,
            "id": 620
          },
          {
            "timestamp": "2026-05-28 22:02:39,733",
            "thread_id": "4668",
            "caller": "0x7ff65e07a06e",
            "parentcaller": "0x7ff65e066f8c",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "660B90C8-73A9-4B58-8CAE-355B7F55341B"
              },
              {
                "name": "ClsContext",
                "value": "0x00000003",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER"
              },
              {
                "name": "riid",
                "value": "DE25675A-72DE-44B4-9373-05170450C140"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 621
          },
          {
            "timestamp": "2026-05-28 22:02:39,733",
            "thread_id": "4668",
            "caller": "0x7ff65e07a0c1",
            "parentcaller": "0x7ff65e066f8c",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "shell32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76730000"
              }
            ],
            "repeated": 0,
            "id": 622
          },
          {
            "timestamp": "2026-05-28 22:02:39,733",
            "thread_id": "4668",
            "caller": "0x7ff65e07a06e",
            "parentcaller": "0x7ff65e066f8c",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "660B90C8-73A9-4B58-8CAE-355B7F55341B"
              },
              {
                "name": "ClsContext",
                "value": "0x00000003",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER"
              },
              {
                "name": "riid",
                "value": "DE25675A-72DE-44B4-9373-05170450C140"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 623
          },
          {
            "timestamp": "2026-05-28 22:02:39,733",
            "thread_id": "4668",
            "caller": "0x7ff65e07a0c1",
            "parentcaller": "0x7ff65e066f8c",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "shell32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76730000"
              }
            ],
            "repeated": 0,
            "id": 624
          },
          {
            "timestamp": "2026-05-28 22:02:39,749",
            "thread_id": "4668",
            "caller": "0x7ff65e07a06e",
            "parentcaller": "0x7ff65e066f8c",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "660B90C8-73A9-4B58-8CAE-355B7F55341B"
              },
              {
                "name": "ClsContext",
                "value": "0x00000003",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER"
              },
              {
                "name": "riid",
                "value": "DE25675A-72DE-44B4-9373-05170450C140"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 625
          },
          {
            "timestamp": "2026-05-28 22:02:39,749",
            "thread_id": "4668",
            "caller": "0x7ff65e07a0c1",
            "parentcaller": "0x7ff65e066f8c",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "shell32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76730000"
              }
            ],
            "repeated": 0,
            "id": 626
          },
          {
            "timestamp": "2026-05-28 22:02:39,749",
            "thread_id": "4668",
            "caller": "0x7ff65e07a06e",
            "parentcaller": "0x7ff65e066f8c",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "660B90C8-73A9-4B58-8CAE-355B7F55341B"
              },
              {
                "name": "ClsContext",
                "value": "0x00000003",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER"
              },
              {
                "name": "riid",
                "value": "DE25675A-72DE-44B4-9373-05170450C140"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 627
          },
          {
            "timestamp": "2026-05-28 22:02:39,749",
            "thread_id": "4668",
            "caller": "0x7ff65e07a0c1",
            "parentcaller": "0x7ff65e066f8c",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "shell32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76730000"
              }
            ],
            "repeated": 0,
            "id": 628
          },
          {
            "timestamp": "2026-05-28 22:02:39,764",
            "thread_id": "4668",
            "caller": "0x7ff65e07a06e",
            "parentcaller": "0x7ff65e066f8c",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "660B90C8-73A9-4B58-8CAE-355B7F55341B"
              },
              {
                "name": "ClsContext",
                "value": "0x00000003",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER"
              },
              {
                "name": "riid",
                "value": "DE25675A-72DE-44B4-9373-05170450C140"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 629
          },
          {
            "timestamp": "2026-05-28 22:02:39,764",
            "thread_id": "4668",
            "caller": "0x7ff65e07a0c1",
            "parentcaller": "0x7ff65e066f8c",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "shell32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76730000"
              }
            ],
            "repeated": 0,
            "id": 630
          },
          {
            "timestamp": "2026-05-28 22:02:39,764",
            "thread_id": "4668",
            "caller": "0x7ff65e07a06e",
            "parentcaller": "0x7ff65e066f8c",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "660B90C8-73A9-4B58-8CAE-355B7F55341B"
              },
              {
                "name": "ClsContext",
                "value": "0x00000003",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER"
              },
              {
                "name": "riid",
                "value": "DE25675A-72DE-44B4-9373-05170450C140"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 631
          },
          {
            "timestamp": "2026-05-28 22:02:39,764",
            "thread_id": "4668",
            "caller": "0x7ff65e07a0c1",
            "parentcaller": "0x7ff65e066f8c",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "shell32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76730000"
              }
            ],
            "repeated": 0,
            "id": 632
          },
          {
            "timestamp": "2026-05-28 22:02:39,780",
            "thread_id": "4668",
            "caller": "0x7ff65e07a06e",
            "parentcaller": "0x7ff65e066f8c",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "660B90C8-73A9-4B58-8CAE-355B7F55341B"
              },
              {
                "name": "ClsContext",
                "value": "0x00000003",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER"
              },
              {
                "name": "riid",
                "value": "DE25675A-72DE-44B4-9373-05170450C140"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 633
          },
          {
            "timestamp": "2026-05-28 22:02:39,780",
            "thread_id": "4668",
            "caller": "0x7ff65e07a0c1",
            "parentcaller": "0x7ff65e066f8c",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "shell32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76730000"
              }
            ],
            "repeated": 0,
            "id": 634
          },
          {
            "timestamp": "2026-05-28 22:02:39,780",
            "thread_id": "4668",
            "caller": "0x7ff65e07a06e",
            "parentcaller": "0x7ff65e066f8c",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "660B90C8-73A9-4B58-8CAE-355B7F55341B"
              },
              {
                "name": "ClsContext",
                "value": "0x00000003",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER"
              },
              {
                "name": "riid",
                "value": "DE25675A-72DE-44B4-9373-05170450C140"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 635
          },
          {
            "timestamp": "2026-05-28 22:02:39,780",
            "thread_id": "4668",
            "caller": "0x7ff65e07a0c1",
            "parentcaller": "0x7ff65e066f8c",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "shell32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76730000"
              }
            ],
            "repeated": 0,
            "id": 636
          },
          {
            "timestamp": "2026-05-28 22:02:39,796",
            "thread_id": "4668",
            "caller": "0x7ff65e07a06e",
            "parentcaller": "0x7ff65e066f8c",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "660B90C8-73A9-4B58-8CAE-355B7F55341B"
              },
              {
                "name": "ClsContext",
                "value": "0x00000003",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER"
              },
              {
                "name": "riid",
                "value": "DE25675A-72DE-44B4-9373-05170450C140"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 637
          },
          {
            "timestamp": "2026-05-28 22:02:39,796",
            "thread_id": "4668",
            "caller": "0x7ff65e07a0c1",
            "parentcaller": "0x7ff65e066f8c",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "shell32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76730000"
              }
            ],
            "repeated": 0,
            "id": 638
          },
          {
            "timestamp": "2026-05-28 22:02:39,796",
            "thread_id": "4668",
            "caller": "0x7ff65e07a06e",
            "parentcaller": "0x7ff65e066f8c",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "660B90C8-73A9-4B58-8CAE-355B7F55341B"
              },
              {
                "name": "ClsContext",
                "value": "0x00000003",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER"
              },
              {
                "name": "riid",
                "value": "DE25675A-72DE-44B4-9373-05170450C140"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 639
          },
          {
            "timestamp": "2026-05-28 22:02:39,796",
            "thread_id": "4668",
            "caller": "0x7ff65e07a0c1",
            "parentcaller": "0x7ff65e066f8c",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "shell32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76730000"
              }
            ],
            "repeated": 0,
            "id": 640
          },
          {
            "timestamp": "2026-05-28 22:02:39,811",
            "thread_id": "4668",
            "caller": "0x7ff65e07a06e",
            "parentcaller": "0x7ff65e066f8c",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "660B90C8-73A9-4B58-8CAE-355B7F55341B"
              },
              {
                "name": "ClsContext",
                "value": "0x00000003",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER"
              },
              {
                "name": "riid",
                "value": "DE25675A-72DE-44B4-9373-05170450C140"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 641
          },
          {
            "timestamp": "2026-05-28 22:02:39,811",
            "thread_id": "4668",
            "caller": "0x7ff65e07a0c1",
            "parentcaller": "0x7ff65e066f8c",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "shell32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76730000"
              }
            ],
            "repeated": 0,
            "id": 642
          },
          {
            "timestamp": "2026-05-28 22:02:39,811",
            "thread_id": "4668",
            "caller": "0x7ff65e07a06e",
            "parentcaller": "0x7ff65e066f8c",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "660B90C8-73A9-4B58-8CAE-355B7F55341B"
              },
              {
                "name": "ClsContext",
                "value": "0x00000003",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER"
              },
              {
                "name": "riid",
                "value": "DE25675A-72DE-44B4-9373-05170450C140"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 643
          },
          {
            "timestamp": "2026-05-28 22:02:39,811",
            "thread_id": "4668",
            "caller": "0x7ff65e07a0c1",
            "parentcaller": "0x7ff65e066f8c",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "shell32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76730000"
              }
            ],
            "repeated": 0,
            "id": 644
          },
          {
            "timestamp": "2026-05-28 22:02:39,843",
            "thread_id": "4668",
            "caller": "0x7ff65e07a06e",
            "parentcaller": "0x7ff65e066f8c",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "660B90C8-73A9-4B58-8CAE-355B7F55341B"
              },
              {
                "name": "ClsContext",
                "value": "0x00000003",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER"
              },
              {
                "name": "riid",
                "value": "DE25675A-72DE-44B4-9373-05170450C140"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 645
          },
          {
            "timestamp": "2026-05-28 22:02:39,843",
            "thread_id": "4668",
            "caller": "0x7ff65e07a0c1",
            "parentcaller": "0x7ff65e066f8c",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "shell32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76730000"
              }
            ],
            "repeated": 0,
            "id": 646
          },
          {
            "timestamp": "2026-05-28 22:02:39,843",
            "thread_id": "4668",
            "caller": "0x7ff65e07a06e",
            "parentcaller": "0x7ff65e066f8c",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "660B90C8-73A9-4B58-8CAE-355B7F55341B"
              },
              {
                "name": "ClsContext",
                "value": "0x00000003",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER"
              },
              {
                "name": "riid",
                "value": "DE25675A-72DE-44B4-9373-05170450C140"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 647
          },
          {
            "timestamp": "2026-05-28 22:02:39,843",
            "thread_id": "4668",
            "caller": "0x7ff65e07a0c1",
            "parentcaller": "0x7ff65e066f8c",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "shell32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76730000"
              }
            ],
            "repeated": 0,
            "id": 648
          },
          {
            "timestamp": "2026-05-28 22:02:40,249",
            "thread_id": "4684",
            "caller": "0x7ffc75716f4c",
            "parentcaller": "0x7ffc775bf034",
            "category": "system",
            "api": "NtDuplicateObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SourceProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "SourceHandle",
                "value": "0x00001264"
              },
              {
                "name": "TargetProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "TargetHandle",
                "value": "0x00000e4c"
              },
              {
                "name": "Options",
                "value": "0x00000002"
              }
            ],
            "repeated": 0,
            "id": 649
          },
          {
            "timestamp": "2026-05-28 22:02:40,249",
            "thread_id": "4684",
            "caller": "0x7ffc7571c386",
            "parentcaller": "0x7ffc7571c25e",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000e4c"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x028b0000"
              },
              {
                "name": "SectionOffset",
                "value": "0x06a9f3f0"
              },
              {
                "name": "ViewSize",
                "value": "0x00001000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 1,
            "id": 650
          },
          {
            "timestamp": "2026-05-28 22:02:40,483",
            "thread_id": "4668",
            "caller": "0x7ff65e05652c",
            "parentcaller": "0x7ff65e055d54",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\rsaenh.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc746b0000"
              }
            ],
            "repeated": 13,
            "id": 651
          },
          {
            "timestamp": "2026-05-28 22:02:40,483",
            "thread_id": "4668",
            "caller": "0x7ff65e0623a8",
            "parentcaller": "0x7ff65e062e19",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000e4c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100001",
                "pretty_value": "FILE_READ_ACCESS|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\SecurityHealthSSO.dll"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 652
          },
          {
            "timestamp": "2026-05-28 22:02:40,483",
            "thread_id": "4668",
            "caller": "0x7ff65e0623a8",
            "parentcaller": "0x7ff65e062e19",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00001a18"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x087c0000"
              },
              {
                "name": "SectionOffset",
                "value": "0x00000000"
              },
              {
                "name": "ViewSize",
                "value": "0x000eb000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 653
          },
          {
            "timestamp": "2026-05-28 22:02:40,483",
            "thread_id": "4668",
            "caller": "0x7ff65e0623a8",
            "parentcaller": "0x7ff65e062e19",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x087c0000"
              },
              {
                "name": "RegionSize",
                "value": "0x000eb000"
              }
            ],
            "repeated": 0,
            "id": 654
          },
          {
            "timestamp": "2026-05-28 22:02:40,577",
            "thread_id": "4628",
            "caller": "0x7ffc77be92b9",
            "parentcaller": "0x7ffc77c2224d",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "00000338-0000-0000-C000-000000000046"
              },
              {
                "name": "ClsContext",
                "value": "0x00000403",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER|CLSCTX_NO_CODE_DOWNLOAD"
              },
              {
                "name": "riid",
                "value": "00000003-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 1,
            "id": 655
          },
          {
            "timestamp": "2026-05-28 22:02:40,764",
            "thread_id": "4668",
            "caller": "0x7ff65e07a06e",
            "parentcaller": "0x7ff65e066f8c",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "660B90C8-73A9-4B58-8CAE-355B7F55341B"
              },
              {
                "name": "ClsContext",
                "value": "0x00000003",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER"
              },
              {
                "name": "riid",
                "value": "DE25675A-72DE-44B4-9373-05170450C140"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 656
          },
          {
            "timestamp": "2026-05-28 22:02:40,764",
            "thread_id": "4668",
            "caller": "0x7ff65e07a0c1",
            "parentcaller": "0x7ff65e066f8c",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "shell32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76730000"
              }
            ],
            "repeated": 0,
            "id": 657
          },
          {
            "timestamp": "2026-05-28 22:02:40,764",
            "thread_id": "4804",
            "caller": "0x7ff65e079d10",
            "parentcaller": "0x7ff65e079c74",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "660B90C8-73A9-4B58-8CAE-355B7F55341B"
              },
              {
                "name": "ClsContext",
                "value": "0x00000003",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER"
              },
              {
                "name": "riid",
                "value": "DE25675A-72DE-44B4-9373-05170450C140"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 658
          },
          {
            "timestamp": "2026-05-28 22:02:40,764",
            "thread_id": "4804",
            "caller": "0x7ff65e079d60",
            "parentcaller": "0x7ff65e079c74",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "shell32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76730000"
              }
            ],
            "repeated": 0,
            "id": 659
          },
          {
            "timestamp": "2026-05-28 22:02:40,764",
            "thread_id": "4884",
            "caller": "0x7ffc5e7ed59f",
            "parentcaller": "0x7ffc5e82c80c",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00001264"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00120089",
                "pretty_value": "FILE_GENERIC_READ"
              },
              {
                "name": "FileName",
                "value": "\\Device\\Bam"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 660
          },
          {
            "timestamp": "2026-05-28 22:02:40,764",
            "thread_id": "4884",
            "caller": "0x7ffc5e7ee842",
            "parentcaller": "0x7ffc5e7ed62c",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00002310"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00120089",
                "pretty_value": "FILE_GENERIC_READ"
              },
              {
                "name": "FileName",
                "value": "\\Device\\Bam"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 661
          },
          {
            "timestamp": "2026-05-28 22:02:40,780",
            "thread_id": "4640",
            "caller": "0x7ffc77be92b9",
            "parentcaller": "0x7ffc77c2224d",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "00000339-0000-0000-C000-000000000046"
              },
              {
                "name": "ClsContext",
                "value": "0x00000403",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER|CLSCTX_NO_CODE_DOWNLOAD"
              },
              {
                "name": "riid",
                "value": "00000003-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 662
          },
          {
            "timestamp": "2026-05-28 22:02:40,796",
            "thread_id": "4668",
            "caller": "0x7ff65e07a06e",
            "parentcaller": "0x7ff65e066f8c",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "660B90C8-73A9-4B58-8CAE-355B7F55341B"
              },
              {
                "name": "ClsContext",
                "value": "0x00000003",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER"
              },
              {
                "name": "riid",
                "value": "DE25675A-72DE-44B4-9373-05170450C140"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 663
          },
          {
            "timestamp": "2026-05-28 22:02:40,796",
            "thread_id": "4668",
            "caller": "0x7ff65e07a0c1",
            "parentcaller": "0x7ff65e066f8c",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "shell32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76730000"
              }
            ],
            "repeated": 0,
            "id": 664
          },
          {
            "timestamp": "2026-05-28 22:02:40,811",
            "thread_id": "4668",
            "caller": "0x7ff65e07a06e",
            "parentcaller": "0x7ff65e066f8c",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "660B90C8-73A9-4B58-8CAE-355B7F55341B"
              },
              {
                "name": "ClsContext",
                "value": "0x00000003",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER"
              },
              {
                "name": "riid",
                "value": "DE25675A-72DE-44B4-9373-05170450C140"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 665
          },
          {
            "timestamp": "2026-05-28 22:02:40,811",
            "thread_id": "4668",
            "caller": "0x7ff65e07a0c1",
            "parentcaller": "0x7ff65e066f8c",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "shell32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76730000"
              }
            ],
            "repeated": 0,
            "id": 666
          },
          {
            "timestamp": "2026-05-28 22:02:40,827",
            "thread_id": "5020",
            "caller": "0x7ffc756dfcb5",
            "parentcaller": "0x7ffc75725984",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x0000048c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100001",
                "pretty_value": "FILE_READ_ACCESS|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 667
          },
          {
            "timestamp": "2026-05-28 22:02:40,827",
            "thread_id": "5020",
            "caller": "0x7ffc756dfcb5",
            "parentcaller": "0x7ffc75725984",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x0000048c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100001",
                "pretty_value": "FILE_READ_ACCESS|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 668
          },
          {
            "timestamp": "2026-05-28 22:02:40,827",
            "thread_id": "5020",
            "caller": "0x7ffc756dfcb5",
            "parentcaller": "0x7ffc75725984",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x0000048c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100001",
                "pretty_value": "FILE_READ_ACCESS|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 669
          },
          {
            "timestamp": "2026-05-28 22:02:40,827",
            "thread_id": "4804",
            "caller": "0x7ff65e079d10",
            "parentcaller": "0x7ff65e079c74",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "660B90C8-73A9-4B58-8CAE-355B7F55341B"
              },
              {
                "name": "ClsContext",
                "value": "0x00000003",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER"
              },
              {
                "name": "riid",
                "value": "DE25675A-72DE-44B4-9373-05170450C140"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 670
          },
          {
            "timestamp": "2026-05-28 22:02:40,827",
            "thread_id": "4804",
            "caller": "0x7ff65e079d60",
            "parentcaller": "0x7ff65e079c74",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "shell32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76730000"
              }
            ],
            "repeated": 0,
            "id": 671
          },
          {
            "timestamp": "2026-05-28 22:02:40,827",
            "thread_id": "4804",
            "caller": "0x7ff65e079d60",
            "parentcaller": "0x7ff65e079c74",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00002310"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100001",
                "pretty_value": "FILE_READ_ACCESS|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 672
          },
          {
            "timestamp": "2026-05-28 22:02:40,827",
            "thread_id": "4804",
            "caller": "0x7ff65e079d60",
            "parentcaller": "0x7ff65e079c74",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00002310"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100001",
                "pretty_value": "FILE_READ_ACCESS|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 673
          },
          {
            "timestamp": "2026-05-28 22:02:40,827",
            "thread_id": "4804",
            "caller": "0x7ff65e079d60",
            "parentcaller": "0x7ff65e079c74",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00002310"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100001",
                "pretty_value": "FILE_READ_ACCESS|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 674
          },
          {
            "timestamp": "2026-05-28 22:02:40,843",
            "thread_id": "4884",
            "caller": "0x7ffc5e7ed59f",
            "parentcaller": "0x7ffc5e82c80c",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00002314"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00120089",
                "pretty_value": "FILE_GENERIC_READ"
              },
              {
                "name": "FileName",
                "value": "\\Device\\Bam"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 675
          },
          {
            "timestamp": "2026-05-28 22:02:40,843",
            "thread_id": "4884",
            "caller": "0x7ffc5e7ee842",
            "parentcaller": "0x7ffc5e7ed62c",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00001a38"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00120089",
                "pretty_value": "FILE_GENERIC_READ"
              },
              {
                "name": "FileName",
                "value": "\\Device\\Bam"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 676
          },
          {
            "timestamp": "2026-05-28 22:02:40,843",
            "thread_id": "3452",
            "caller": "0x7ffc77be92b9",
            "parentcaller": "0x7ffc77c21dfa",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "00000344-0000-0000-C000-000000000046"
              },
              {
                "name": "ClsContext",
                "value": "0x00000403",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER|CLSCTX_NO_CODE_DOWNLOAD"
              },
              {
                "name": "riid",
                "value": "00000003-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 1,
            "id": 677
          },
          {
            "timestamp": "2026-05-28 22:02:40,843",
            "thread_id": "4640",
            "caller": "0x7ffc5d634428",
            "parentcaller": "0x7ffc5d633a03",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "F0AE1542-F497-484B-A175-A20DB09144BA"
              },
              {
                "name": "ClsContext",
                "value": "0x00000001",
                "pretty_value": "CLSCTX_INPROC_SERVER"
              },
              {
                "name": "riid",
                "value": "8DC24A1A-6314-4769-9D68-179786F4CED6"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 678
          },
          {
            "timestamp": "2026-05-28 22:02:40,843",
            "thread_id": "3452",
            "caller": "0x7ffc756e9dd2",
            "parentcaller": "0x7ffc73849e99",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": false,
            "return": "0xffffffffc0000035",
            "pretty_return": "OBJECT_NAME_COLLISION",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x4574f454d"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100001",
                "pretty_value": "FILE_READ_ACCESS|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Users\\admin\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\AutomaticDestinations"
              },
              {
                "name": "CreateDisposition",
                "value": "2",
                "pretty_value": "FILE_CREATE"
              },
              {
                "name": "ShareAccess",
                "value": "3",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000080",
                "pretty_value": "FILE_ATTRIBUTE_NORMAL"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 679
          },
          {
            "timestamp": "2026-05-28 22:02:40,843",
            "thread_id": "4640",
            "caller": "0x7ffc756e56b2",
            "parentcaller": "0x7ffc738a58d4",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "shell32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76730000"
              }
            ],
            "repeated": 0,
            "id": 680
          },
          {
            "timestamp": "2026-05-28 22:02:40,858",
            "thread_id": "4640",
            "caller": "0x7ffc738a5882",
            "parentcaller": "0x7ffc738a8f55",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "4234D49B-0245-4DF3-B780-3893943456E1"
              },
              {
                "name": "ClsContext",
                "value": "0x00000401",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_NO_CODE_DOWNLOAD"
              },
              {
                "name": "riid",
                "value": "000214E6-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 681
          },
          {
            "timestamp": "2026-05-28 22:02:40,858",
            "thread_id": "4640",
            "caller": "0x7ffc610f58e1",
            "parentcaller": "0x7ffc610f5ef1",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "660B90C8-73A9-4B58-8CAE-355B7F55341B"
              },
              {
                "name": "ClsContext",
                "value": "0x00000003",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER"
              },
              {
                "name": "riid",
                "value": "02C5CCF3-805F-4654-A7B7-340A74335365"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 682
          },
          {
            "timestamp": "2026-05-28 22:02:40,999",
            "thread_id": "4668",
            "caller": "0x7ff65e07a06e",
            "parentcaller": "0x7ff65e066f8c",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "660B90C8-73A9-4B58-8CAE-355B7F55341B"
              },
              {
                "name": "ClsContext",
                "value": "0x00000003",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER"
              },
              {
                "name": "riid",
                "value": "DE25675A-72DE-44B4-9373-05170450C140"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 683
          },
          {
            "timestamp": "2026-05-28 22:02:40,999",
            "thread_id": "4668",
            "caller": "0x7ff65e07a0c1",
            "parentcaller": "0x7ff65e066f8c",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "shell32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76730000"
              }
            ],
            "repeated": 0,
            "id": 684
          },
          {
            "timestamp": "2026-05-28 22:02:41,014",
            "thread_id": "4668",
            "caller": "0x7ff65e07a06e",
            "parentcaller": "0x7ff65e066f8c",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "660B90C8-73A9-4B58-8CAE-355B7F55341B"
              },
              {
                "name": "ClsContext",
                "value": "0x00000003",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER"
              },
              {
                "name": "riid",
                "value": "DE25675A-72DE-44B4-9373-05170450C140"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 685
          },
          {
            "timestamp": "2026-05-28 22:02:41,014",
            "thread_id": "4668",
            "caller": "0x7ff65e07a0c1",
            "parentcaller": "0x7ff65e066f8c",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "shell32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76730000"
              }
            ],
            "repeated": 0,
            "id": 686
          },
          {
            "timestamp": "2026-05-28 22:02:41,030",
            "thread_id": "4668",
            "caller": "0x7ff65e07a06e",
            "parentcaller": "0x7ff65e066f8c",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "660B90C8-73A9-4B58-8CAE-355B7F55341B"
              },
              {
                "name": "ClsContext",
                "value": "0x00000003",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER"
              },
              {
                "name": "riid",
                "value": "DE25675A-72DE-44B4-9373-05170450C140"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 687
          },
          {
            "timestamp": "2026-05-28 22:02:41,030",
            "thread_id": "4668",
            "caller": "0x7ff65e07a0c1",
            "parentcaller": "0x7ff65e066f8c",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "shell32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76730000"
              }
            ],
            "repeated": 0,
            "id": 688
          },
          {
            "timestamp": "2026-05-28 22:02:41,046",
            "thread_id": "4668",
            "caller": "0x7ff65e07a06e",
            "parentcaller": "0x7ff65e066f8c",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "660B90C8-73A9-4B58-8CAE-355B7F55341B"
              },
              {
                "name": "ClsContext",
                "value": "0x00000003",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER"
              },
              {
                "name": "riid",
                "value": "DE25675A-72DE-44B4-9373-05170450C140"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 689
          },
          {
            "timestamp": "2026-05-28 22:02:41,046",
            "thread_id": "4668",
            "caller": "0x7ff65e07a0c1",
            "parentcaller": "0x7ff65e066f8c",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "shell32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76730000"
              }
            ],
            "repeated": 0,
            "id": 690
          },
          {
            "timestamp": "2026-05-28 22:02:41,061",
            "thread_id": "4668",
            "caller": "0x7ff65e07a06e",
            "parentcaller": "0x7ff65e066f8c",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "660B90C8-73A9-4B58-8CAE-355B7F55341B"
              },
              {
                "name": "ClsContext",
                "value": "0x00000003",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER"
              },
              {
                "name": "riid",
                "value": "DE25675A-72DE-44B4-9373-05170450C140"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 691
          },
          {
            "timestamp": "2026-05-28 22:02:41,061",
            "thread_id": "4668",
            "caller": "0x7ff65e07a0c1",
            "parentcaller": "0x7ff65e066f8c",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "shell32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76730000"
              }
            ],
            "repeated": 0,
            "id": 692
          },
          {
            "timestamp": "2026-05-28 22:02:41,077",
            "thread_id": "4668",
            "caller": "0x7ff65e07a06e",
            "parentcaller": "0x7ff65e066f8c",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "660B90C8-73A9-4B58-8CAE-355B7F55341B"
              },
              {
                "name": "ClsContext",
                "value": "0x00000003",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER"
              },
              {
                "name": "riid",
                "value": "DE25675A-72DE-44B4-9373-05170450C140"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 693
          },
          {
            "timestamp": "2026-05-28 22:02:41,077",
            "thread_id": "4668",
            "caller": "0x7ff65e07a0c1",
            "parentcaller": "0x7ff65e066f8c",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "shell32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76730000"
              }
            ],
            "repeated": 0,
            "id": 694
          },
          {
            "timestamp": "2026-05-28 22:02:41,093",
            "thread_id": "4668",
            "caller": "0x7ff65e07a06e",
            "parentcaller": "0x7ff65e066f8c",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "660B90C8-73A9-4B58-8CAE-355B7F55341B"
              },
              {
                "name": "ClsContext",
                "value": "0x00000003",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER"
              },
              {
                "name": "riid",
                "value": "DE25675A-72DE-44B4-9373-05170450C140"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 695
          },
          {
            "timestamp": "2026-05-28 22:02:41,093",
            "thread_id": "4668",
            "caller": "0x7ff65e07a0c1",
            "parentcaller": "0x7ff65e066f8c",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "shell32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76730000"
              }
            ],
            "repeated": 0,
            "id": 696
          },
          {
            "timestamp": "2026-05-28 22:02:41,108",
            "thread_id": "4668",
            "caller": "0x7ff65e07a06e",
            "parentcaller": "0x7ff65e066f8c",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "660B90C8-73A9-4B58-8CAE-355B7F55341B"
              },
              {
                "name": "ClsContext",
                "value": "0x00000003",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER"
              },
              {
                "name": "riid",
                "value": "DE25675A-72DE-44B4-9373-05170450C140"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 697
          },
          {
            "timestamp": "2026-05-28 22:02:41,108",
            "thread_id": "4668",
            "caller": "0x7ff65e07a0c1",
            "parentcaller": "0x7ff65e066f8c",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "shell32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76730000"
              }
            ],
            "repeated": 0,
            "id": 698
          },
          {
            "timestamp": "2026-05-28 22:02:41,124",
            "thread_id": "4668",
            "caller": "0x7ff65e07a06e",
            "parentcaller": "0x7ff65e066f8c",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "660B90C8-73A9-4B58-8CAE-355B7F55341B"
              },
              {
                "name": "ClsContext",
                "value": "0x00000003",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER"
              },
              {
                "name": "riid",
                "value": "DE25675A-72DE-44B4-9373-05170450C140"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 699
          },
          {
            "timestamp": "2026-05-28 22:02:41,124",
            "thread_id": "4668",
            "caller": "0x7ff65e07a0c1",
            "parentcaller": "0x7ff65e066f8c",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "shell32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76730000"
              }
            ],
            "repeated": 0,
            "id": 700
          },
          {
            "timestamp": "2026-05-28 22:02:41,139",
            "thread_id": "4668",
            "caller": "0x7ff65e07a06e",
            "parentcaller": "0x7ff65e066f8c",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "660B90C8-73A9-4B58-8CAE-355B7F55341B"
              },
              {
                "name": "ClsContext",
                "value": "0x00000003",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER"
              },
              {
                "name": "riid",
                "value": "DE25675A-72DE-44B4-9373-05170450C140"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 701
          },
          {
            "timestamp": "2026-05-28 22:02:41,139",
            "thread_id": "4668",
            "caller": "0x7ff65e07a0c1",
            "parentcaller": "0x7ff65e066f8c",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "shell32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76730000"
              }
            ],
            "repeated": 0,
            "id": 702
          },
          {
            "timestamp": "2026-05-28 22:02:41,155",
            "thread_id": "4668",
            "caller": "0x7ff65e07a06e",
            "parentcaller": "0x7ff65e066f8c",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "660B90C8-73A9-4B58-8CAE-355B7F55341B"
              },
              {
                "name": "ClsContext",
                "value": "0x00000003",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER"
              },
              {
                "name": "riid",
                "value": "DE25675A-72DE-44B4-9373-05170450C140"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 703
          },
          {
            "timestamp": "2026-05-28 22:02:41,155",
            "thread_id": "4668",
            "caller": "0x7ff65e07a0c1",
            "parentcaller": "0x7ff65e066f8c",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "shell32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76730000"
              }
            ],
            "repeated": 0,
            "id": 704
          },
          {
            "timestamp": "2026-05-28 22:02:41,171",
            "thread_id": "4668",
            "caller": "0x7ff65e07a06e",
            "parentcaller": "0x7ff65e066f8c",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "660B90C8-73A9-4B58-8CAE-355B7F55341B"
              },
              {
                "name": "ClsContext",
                "value": "0x00000003",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER"
              },
              {
                "name": "riid",
                "value": "DE25675A-72DE-44B4-9373-05170450C140"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 705
          },
          {
            "timestamp": "2026-05-28 22:02:41,171",
            "thread_id": "4668",
            "caller": "0x7ff65e07a0c1",
            "parentcaller": "0x7ff65e066f8c",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "shell32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76730000"
              }
            ],
            "repeated": 0,
            "id": 706
          },
          {
            "timestamp": "2026-05-28 22:02:41,186",
            "thread_id": "4668",
            "caller": "0x7ff65e07a06e",
            "parentcaller": "0x7ff65e066f8c",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "660B90C8-73A9-4B58-8CAE-355B7F55341B"
              },
              {
                "name": "ClsContext",
                "value": "0x00000003",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER"
              },
              {
                "name": "riid",
                "value": "DE25675A-72DE-44B4-9373-05170450C140"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 707
          },
          {
            "timestamp": "2026-05-28 22:02:41,186",
            "thread_id": "4668",
            "caller": "0x7ff65e07a0c1",
            "parentcaller": "0x7ff65e066f8c",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "shell32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76730000"
              }
            ],
            "repeated": 0,
            "id": 708
          },
          {
            "timestamp": "2026-05-28 22:02:41,202",
            "thread_id": "4668",
            "caller": "0x7ff65e07a06e",
            "parentcaller": "0x7ff65e066f8c",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "660B90C8-73A9-4B58-8CAE-355B7F55341B"
              },
              {
                "name": "ClsContext",
                "value": "0x00000003",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER"
              },
              {
                "name": "riid",
                "value": "DE25675A-72DE-44B4-9373-05170450C140"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 709
          },
          {
            "timestamp": "2026-05-28 22:02:41,202",
            "thread_id": "4668",
            "caller": "0x7ff65e07a0c1",
            "parentcaller": "0x7ff65e066f8c",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "shell32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76730000"
              }
            ],
            "repeated": 0,
            "id": 710
          },
          {
            "timestamp": "2026-05-28 22:02:41,218",
            "thread_id": "4668",
            "caller": "0x7ff65e07a06e",
            "parentcaller": "0x7ff65e066f8c",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "660B90C8-73A9-4B58-8CAE-355B7F55341B"
              },
              {
                "name": "ClsContext",
                "value": "0x00000003",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER"
              },
              {
                "name": "riid",
                "value": "DE25675A-72DE-44B4-9373-05170450C140"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 711
          },
          {
            "timestamp": "2026-05-28 22:02:41,218",
            "thread_id": "4668",
            "caller": "0x7ff65e07a0c1",
            "parentcaller": "0x7ff65e066f8c",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "shell32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76730000"
              }
            ],
            "repeated": 0,
            "id": 712
          },
          {
            "timestamp": "2026-05-28 22:02:41,233",
            "thread_id": "4668",
            "caller": "0x7ff65e07a06e",
            "parentcaller": "0x7ff65e066f8c",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "660B90C8-73A9-4B58-8CAE-355B7F55341B"
              },
              {
                "name": "ClsContext",
                "value": "0x00000003",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER"
              },
              {
                "name": "riid",
                "value": "DE25675A-72DE-44B4-9373-05170450C140"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 713
          },
          {
            "timestamp": "2026-05-28 22:02:41,233",
            "thread_id": "4668",
            "caller": "0x7ff65e07a0c1",
            "parentcaller": "0x7ff65e066f8c",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "shell32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76730000"
              }
            ],
            "repeated": 0,
            "id": 714
          },
          {
            "timestamp": "2026-05-28 22:02:41,249",
            "thread_id": "4668",
            "caller": "0x7ff65e07a06e",
            "parentcaller": "0x7ff65e066f8c",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "660B90C8-73A9-4B58-8CAE-355B7F55341B"
              },
              {
                "name": "ClsContext",
                "value": "0x00000003",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER"
              },
              {
                "name": "riid",
                "value": "DE25675A-72DE-44B4-9373-05170450C140"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 715
          },
          {
            "timestamp": "2026-05-28 22:02:41,249",
            "thread_id": "4668",
            "caller": "0x7ff65e07a0c1",
            "parentcaller": "0x7ff65e066f8c",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "shell32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76730000"
              }
            ],
            "repeated": 0,
            "id": 716
          },
          {
            "timestamp": "2026-05-28 22:02:42,530",
            "thread_id": "4668",
            "caller": "0x7ff65e07a06e",
            "parentcaller": "0x7ff65e066f8c",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "660B90C8-73A9-4B58-8CAE-355B7F55341B"
              },
              {
                "name": "ClsContext",
                "value": "0x00000003",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER"
              },
              {
                "name": "riid",
                "value": "DE25675A-72DE-44B4-9373-05170450C140"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 717
          },
          {
            "timestamp": "2026-05-28 22:02:42,530",
            "thread_id": "4668",
            "caller": "0x7ff65e07a0c1",
            "parentcaller": "0x7ff65e066f8c",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "shell32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76730000"
              }
            ],
            "repeated": 0,
            "id": 718
          },
          {
            "timestamp": "2026-05-28 22:02:44,374",
            "thread_id": "2604",
            "caller": "0x7ffc5e7ee842",
            "parentcaller": "0x7ffc780416e9",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000490"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00120089",
                "pretty_value": "FILE_GENERIC_READ"
              },
              {
                "name": "FileName",
                "value": "\\Device\\Bam"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 719
          },
          {
            "timestamp": "2026-05-28 22:02:49,389",
            "thread_id": "2604",
            "caller": "0x7ffc5b0d92fb",
            "parentcaller": "0x7ffc780461f9",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "00000323-0000-0000-C000-000000000046"
              },
              {
                "name": "ClsContext",
                "value": "0x00000001",
                "pretty_value": "CLSCTX_INPROC_SERVER"
              },
              {
                "name": "riid",
                "value": "00000146-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 720
          },
          {
            "timestamp": "2026-05-28 22:02:50,921",
            "thread_id": "4668",
            "caller": "0x7ff65e05652c",
            "parentcaller": "0x7ff65e055d54",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\rsaenh.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc746b0000"
              }
            ],
            "repeated": 14,
            "id": 721
          },
          {
            "timestamp": "2026-05-28 22:02:50,921",
            "thread_id": "4668",
            "caller": "0x7ff65e0623a8",
            "parentcaller": "0x7ff65e062e19",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000490"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100001",
                "pretty_value": "FILE_READ_ACCESS|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\SecurityHealthSSO.dll"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 722
          },
          {
            "timestamp": "2026-05-28 22:02:50,921",
            "thread_id": "4668",
            "caller": "0x7ff65e0623a8",
            "parentcaller": "0x7ff65e062e19",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000b34"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x087c0000"
              },
              {
                "name": "SectionOffset",
                "value": "0x00000000"
              },
              {
                "name": "ViewSize",
                "value": "0x000eb000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 723
          },
          {
            "timestamp": "2026-05-28 22:02:50,921",
            "thread_id": "4668",
            "caller": "0x7ff65e0623a8",
            "parentcaller": "0x7ff65e062e19",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x087c0000"
              },
              {
                "name": "RegionSize",
                "value": "0x000eb000"
              }
            ],
            "repeated": 0,
            "id": 724
          },
          {
            "timestamp": "2026-05-28 22:02:51,014",
            "thread_id": "5080",
            "caller": "0x7ffc75716f4c",
            "parentcaller": "0x7ffc77f2f22b",
            "category": "system",
            "api": "NtDuplicateObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SourceProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "SourceHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "TargetProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "TargetHandle",
                "value": "0x00002038"
              },
              {
                "name": "Options",
                "value": "0x00000002"
              }
            ],
            "repeated": 0,
            "id": 725
          },
          {
            "timestamp": "2026-05-28 22:02:55,671",
            "thread_id": "5080",
            "caller": "0x7ffc5e7ee842",
            "parentcaller": "0x7ffc780416e9",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00002314"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00120089",
                "pretty_value": "FILE_GENERIC_READ"
              },
              {
                "name": "FileName",
                "value": "\\Device\\Bam"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 726
          },
          {
            "timestamp": "2026-05-28 22:03:04,405",
            "thread_id": "4804",
            "caller": "0x7ffc5b0d92fb",
            "parentcaller": "0x7ffc780461f9",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "00000323-0000-0000-C000-000000000046"
              },
              {
                "name": "ClsContext",
                "value": "0x00000001",
                "pretty_value": "CLSCTX_INPROC_SERVER"
              },
              {
                "name": "riid",
                "value": "00000146-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 727
          },
          {
            "timestamp": "2026-05-28 22:03:04,593",
            "thread_id": "388",
            "caller": "0x7ffc756e56b2",
            "parentcaller": "0x7ffc77bc6b6d",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\System32\\wscinterop"
              },
              {
                "name": "DllBase",
                "value": "0x7ffc601b0000"
              }
            ],
            "repeated": 0,
            "id": 728
          },
          {
            "timestamp": "2026-05-28 22:03:04,608",
            "thread_id": "388",
            "caller": "0x7ffc756e56b2",
            "parentcaller": "0x7ffc77bc6b6d",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\wscinterop.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc601b0000"
              }
            ],
            "repeated": 0,
            "id": 729
          },
          {
            "timestamp": "2026-05-28 22:03:04,608",
            "thread_id": "388",
            "caller": "0x7ffc756e56b2",
            "parentcaller": "0x7ffc77bc6b6d",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\System32\\WSCAPI"
              },
              {
                "name": "DllBase",
                "value": "0x7ffc6a330000"
              }
            ],
            "repeated": 0,
            "id": 730
          },
          {
            "timestamp": "2026-05-28 22:03:04,608",
            "thread_id": "388",
            "caller": "0x7ffc56f866f1",
            "parentcaller": "0x7ffc56f824f4",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "9DAC2C1E-7C5C-40EB-833B-323E85A1CE84"
              },
              {
                "name": "ClsContext",
                "value": "0x00000001",
                "pretty_value": "CLSCTX_INPROC_SERVER"
              },
              {
                "name": "riid",
                "value": "418EE892-56F0-4C3B-9238-696BA0CEF799"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 731
          },
          {
            "timestamp": "2026-05-28 22:03:04,608",
            "thread_id": "388",
            "caller": "0x7ffc756e6579",
            "parentcaller": "0x7ffc756e5fe6",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00001b98"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\wscui.cpl"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 732
          },
          {
            "timestamp": "2026-05-28 22:03:04,608",
            "thread_id": "388",
            "caller": "0x7ffc756e7906",
            "parentcaller": "0x7ffc756e5630",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00001aec"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x02790000"
              },
              {
                "name": "SectionOffset",
                "value": "0x00000000"
              },
              {
                "name": "ViewSize",
                "value": "0x00015000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 733
          },
          {
            "timestamp": "2026-05-28 22:03:04,608",
            "thread_id": "388",
            "caller": "0x7ffc7801bb2a",
            "parentcaller": "0x7ffc7801b99e",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00001264"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100001",
                "pretty_value": "FILE_READ_ACCESS|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\en-US\\wscui.cpl.mui"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 734
          },
          {
            "timestamp": "2026-05-28 22:03:04,608",
            "thread_id": "388",
            "caller": "0x7ffc7801bbcc",
            "parentcaller": "0x7ffc7801b99e",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00002310"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x027b0000"
              },
              {
                "name": "SectionOffset",
                "value": "0x0bc1d080"
              },
              {
                "name": "ViewSize",
                "value": "0x00012000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 735
          },
          {
            "timestamp": "2026-05-28 22:03:04,608",
            "thread_id": "5224",
            "caller": "0x7ffc75716f4c",
            "parentcaller": "0x7ffc770cef53",
            "category": "system",
            "api": "NtDuplicateObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SourceProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "SourceHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "TargetProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "TargetHandle",
                "value": "0x00001b98"
              },
              {
                "name": "Options",
                "value": "0x00000002"
              }
            ],
            "repeated": 0,
            "id": 736
          },
          {
            "timestamp": "2026-05-28 22:03:04,624",
            "thread_id": "388",
            "caller": "0x7ffc7802fc9c",
            "parentcaller": "0x7ffc7802f7b0",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00002310"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100021",
                "pretty_value": "FILE_READ_ACCESS|FILE_EXECUTE|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\wscui.cpl"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 737
          },
          {
            "timestamp": "2026-05-28 22:03:04,624",
            "thread_id": "388",
            "caller": "0x7ffc77fe4d42",
            "parentcaller": "0x7ffc77fe4aaa",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00001964"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc63be0000"
              },
              {
                "name": "SectionOffset",
                "value": "0x00000000"
              },
              {
                "name": "ViewSize",
                "value": "0x00019000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000080",
                "pretty_value": "PAGE_EXECUTE_WRITECOPY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 738
          },
          {
            "timestamp": "2026-05-28 22:03:04,624",
            "thread_id": "388",
            "caller": "0x7ffc76044db6",
            "parentcaller": "0x7ffc76043b55",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00001e50"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00120089",
                "pretty_value": "FILE_GENERIC_READ"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\wscui.cpl"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 739
          },
          {
            "timestamp": "2026-05-28 22:03:04,624",
            "thread_id": "388",
            "caller": "0x7ffc78042d4b",
            "parentcaller": "0x7ffc78042829",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00001e50"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100020",
                "pretty_value": "FILE_EXECUTE|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\WinSxS\\amd64_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.19041.3636_none_91a19322cc8a92a3"
              },
              {
                "name": "ShareAccess",
                "value": "3",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE"
              }
            ],
            "repeated": 0,
            "id": 740
          },
          {
            "timestamp": "2026-05-28 22:03:04,624",
            "thread_id": "388",
            "caller": "0x7ffc7802fc9c",
            "parentcaller": "0x7ffc7802fa80",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00002310"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100021",
                "pretty_value": "FILE_READ_ACCESS|FILE_EXECUTE|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\WinSxS\\amd64_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.19041.3636_none_91a19322cc8a92a3\\GdiPlus.dll"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 741
          },
          {
            "timestamp": "2026-05-28 22:03:04,624",
            "thread_id": "388",
            "caller": "0x7ffc77fe4d42",
            "parentcaller": "0x7ffc77fe4aaa",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00001964"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc50d30000"
              },
              {
                "name": "SectionOffset",
                "value": "0x00000000"
              },
              {
                "name": "ViewSize",
                "value": "0x001a5000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000080",
                "pretty_value": "PAGE_EXECUTE_WRITECOPY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 742
          },
          {
            "timestamp": "2026-05-28 22:03:04,624",
            "thread_id": "388",
            "caller": "0x7ffc77fe4d42",
            "parentcaller": "0x7ffc77fe4aaa",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\WinSxS\\amd64_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.19041.3636_none_91a19322cc8a92a3\\gdiplus"
              },
              {
                "name": "DllBase",
                "value": "0x7ffc50d30000"
              }
            ],
            "repeated": 0,
            "id": 743
          },
          {
            "timestamp": "2026-05-28 22:03:04,655",
            "thread_id": "388",
            "caller": "0x7ffc77fe4d42",
            "parentcaller": "0x7ffc77fe4aaa",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\System32\\wscui.cpl"
              },
              {
                "name": "DllBase",
                "value": "0x7ffc63be0000"
              }
            ],
            "repeated": 0,
            "id": 744
          },
          {
            "timestamp": "2026-05-28 22:03:04,686",
            "thread_id": "388",
            "caller": "0x7ffc756e56b2",
            "parentcaller": "0x7ffc77bc6b6d",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\System32\\framedynos"
              },
              {
                "name": "DllBase",
                "value": "0x7ffc19950000"
              }
            ],
            "repeated": 0,
            "id": 745
          },
          {
            "timestamp": "2026-05-28 22:03:04,733",
            "thread_id": "388",
            "caller": "0x7ffc756e56b2",
            "parentcaller": "0x7ffc77bc6b6d",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\System32\\wer"
              },
              {
                "name": "DllBase",
                "value": "0x7ffc732a0000"
              }
            ],
            "repeated": 0,
            "id": 746
          },
          {
            "timestamp": "2026-05-28 22:03:04,811",
            "thread_id": "388",
            "caller": "0x7ffc756e56b2",
            "parentcaller": "0x7ffc77bc6b6d",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\System32\\werconcpl"
              },
              {
                "name": "DllBase",
                "value": "0x7ffc199b0000"
              }
            ],
            "repeated": 0,
            "id": 747
          },
          {
            "timestamp": "2026-05-28 22:03:04,843",
            "thread_id": "388",
            "caller": "0x7ffc756e56b2",
            "parentcaller": "0x7ffc77bc6b6d",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\werconcpl.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc199b0000"
              }
            ],
            "repeated": 0,
            "id": 748
          },
          {
            "timestamp": "2026-05-28 22:03:04,843",
            "thread_id": "388",
            "caller": "0x7ffc56f866f1",
            "parentcaller": "0x7ffc56f824f4",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "CA236752-2E77-4386-B63B-0E34774A413D"
              },
              {
                "name": "ClsContext",
                "value": "0x00000001",
                "pretty_value": "CLSCTX_INPROC_SERVER"
              },
              {
                "name": "riid",
                "value": "418EE892-56F0-4C3B-9238-696BA0CEF799"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 749
          },
          {
            "timestamp": "2026-05-28 22:03:04,843",
            "thread_id": "388",
            "caller": "0x7ffc756e56b2",
            "parentcaller": "0x7ffc77bc6b6d",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\System32\\hcproviders"
              },
              {
                "name": "DllBase",
                "value": "0x7ffc5faf0000"
              }
            ],
            "repeated": 0,
            "id": 750
          },
          {
            "timestamp": "2026-05-28 22:03:04,874",
            "thread_id": "388",
            "caller": "0x7ffc756e56b2",
            "parentcaller": "0x7ffc77bc6b6d",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\hcproviders.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc5faf0000"
              }
            ],
            "repeated": 0,
            "id": 751
          },
          {
            "timestamp": "2026-05-28 22:03:04,874",
            "thread_id": "388",
            "caller": "0x7ffc56f866f1",
            "parentcaller": "0x7ffc56f824f4",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "C8E6F269-B90A-4053-A3BE-499AFCEC98C4"
              },
              {
                "name": "ClsContext",
                "value": "0x00000001",
                "pretty_value": "CLSCTX_INPROC_SERVER"
              },
              {
                "name": "riid",
                "value": "418EE892-56F0-4C3B-9238-696BA0CEF799"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 752
          },
          {
            "timestamp": "2026-05-28 22:03:04,874",
            "thread_id": "388",
            "caller": "0x7ffc7801bb2a",
            "parentcaller": "0x7ffc7801b99e",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00001934"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100001",
                "pretty_value": "FILE_READ_ACCESS|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\en-US\\Actioncenter.dll.mui"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 753
          },
          {
            "timestamp": "2026-05-28 22:03:04,874",
            "thread_id": "388",
            "caller": "0x7ffc7801bbcc",
            "parentcaller": "0x7ffc7801b99e",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x0000195c"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x028b0000"
              },
              {
                "name": "SectionOffset",
                "value": "0x0bc1c250"
              },
              {
                "name": "ViewSize",
                "value": "0x0000b000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 754
          },
          {
            "timestamp": "2026-05-28 22:03:04,874",
            "thread_id": "3088",
            "caller": "0x7ffc57422263",
            "parentcaller": "0x7ffc5742300b",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "900C0763-5CAD-4A34-BC1F-40CD513679D5"
              },
              {
                "name": "ClsContext",
                "value": "0x00000003",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER"
              },
              {
                "name": "riid",
                "value": "8E282AAE-ACE9-4821-83AD-849C1D08939D"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 755
          },
          {
            "timestamp": "2026-05-28 22:03:04,905",
            "thread_id": "3088",
            "caller": "0x7ffc5faf1625",
            "parentcaller": "0x7ffc574222b1",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "00000323-0000-0000-C000-000000000046"
              },
              {
                "name": "ClsContext",
                "value": "0x00000001",
                "pretty_value": "CLSCTX_INPROC_SERVER"
              },
              {
                "name": "riid",
                "value": "00000146-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 1,
            "id": 756
          },
          {
            "timestamp": "2026-05-28 22:03:04,936",
            "thread_id": "3088",
            "caller": "0x7ffc756e56b2",
            "parentcaller": "0x7ffc77bc6b6d",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\System32\\ieproxy"
              },
              {
                "name": "DllBase",
                "value": "0x7ffc19860000"
              }
            ],
            "repeated": 0,
            "id": 757
          },
          {
            "timestamp": "2026-05-28 22:03:04,968",
            "thread_id": "3088",
            "caller": "0x7ffc756e56b2",
            "parentcaller": "0x7ffc77bc6b6d",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\ieproxy.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc19860000"
              }
            ],
            "repeated": 0,
            "id": 758
          },
          {
            "timestamp": "2026-05-28 22:03:05,061",
            "thread_id": "388",
            "caller": "0x7ffc7605607d",
            "parentcaller": "0x7ffc760451de",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x001200a9",
                "pretty_value": "FILE_GENERIC_READ|FILE_GENERIC_EXECUTE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\Actioncenter.dll.3.Manifest"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 759
          },
          {
            "timestamp": "2026-05-28 22:03:05,061",
            "thread_id": "388",
            "caller": "0x7ffc756e56b2",
            "parentcaller": "0x7ffc56f87339",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "Comctl32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc61e00000"
              }
            ],
            "repeated": 0,
            "id": 760
          },
          {
            "timestamp": "2026-05-28 22:03:05,061",
            "thread_id": "388",
            "caller": "0x7ffc756e56b2",
            "parentcaller": "0x7ffc56f870af",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "wscapi.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc6a330000"
              }
            ],
            "repeated": 0,
            "id": 761
          }
        ],
        "threads": [
          "4884",
          "5208",
          "4636",
          "2840",
          "2604",
          "4156",
          "4640",
          "6712",
          "4804",
          "4668",
          "6892",
          "5020",
          "4628",
          "3452",
          "1096",
          "4928",
          "4812",
          "4644",
          "4844",
          "4684",
          "4932",
          "4920",
          "10780",
          "4624",
          "5080",
          "388",
          "5224",
          "3088"
        ],
        "environ": {
          "UserName": "admin",
          "ComputerName": "JOHNS-PC",
          "WindowsPath": "C:\\Windows",
          "TempPath": "C:\\Users\\admin\\AppData\\Local\\Temp\\",
          "CommandLine": "C:\\Windows\\Explorer.EXE",
          "RegisteredOwner": "",
          "RegisteredOrganization": "",
          "ProductName": "",
          "SystemVolumeSerialNumber": "12bc-0026",
          "SystemVolumeGUID": "528c102f-0000-0000-0000-300300000000",
          "MachineGUID": "",
          "MainExeBase": "0x7ff65e010000",
          "MainExeSize": "0x00546000",
          "Bitness": "64-bit"
        },
        "file_activities": {
          "read_files": [],
          "write_files": [],
          "delete_files": []
        }
      },
      {
        "process_id": 740,
        "process_name": "svchost.exe",
        "parent_id": 592,
        "module_path": "C:\\Windows\\System32\\svchost.exe",
        "first_seen": "2026-05-28 22:01:54,662",
        "calls": [
          {
            "timestamp": "2026-05-28 22:01:56,584",
            "thread_id": "1352",
            "caller": "0x7ffc756e6579",
            "parentcaller": "0x7ffc756e5fe6",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x0000066c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100080",
                "pretty_value": "FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "\\??\\PhysicalDrive0"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "3",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 0
          },
          {
            "timestamp": "2026-05-28 22:01:57,412",
            "thread_id": "1352",
            "caller": "0x7ffc756e56b2",
            "parentcaller": "0x7ffc756de6a1",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\rsaenh.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc746b0000"
              }
            ],
            "repeated": 0,
            "id": 1
          },
          {
            "timestamp": "2026-05-28 22:01:57,834",
            "thread_id": "1352",
            "caller": "0x7ffc734e22bd",
            "parentcaller": "0x7ffc733bce49",
            "category": "system",
            "api": "NtDuplicateObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SourceProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "SourceHandle",
                "value": "0x0000066c"
              },
              {
                "name": "TargetProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "TargetHandle",
                "value": "0x00000ff0"
              },
              {
                "name": "Options",
                "value": "0x00000002"
              }
            ],
            "repeated": 0,
            "id": 2
          },
          {
            "timestamp": "2026-05-28 22:01:58,600",
            "thread_id": "1352",
            "caller": "0x7ffc756e56b2",
            "parentcaller": "0x7ffc756de6a1",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\rsaenh.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc746b0000"
              }
            ],
            "repeated": 0,
            "id": 3
          },
          {
            "timestamp": "2026-05-28 22:01:59,912",
            "thread_id": "944",
            "caller": "0x7ffc75716f4c",
            "parentcaller": "0x7ffc770cef53",
            "category": "system",
            "api": "NtDuplicateObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SourceProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "SourceHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "TargetProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "TargetHandle",
                "value": "0x00000f7c"
              },
              {
                "name": "Options",
                "value": "0x00000002"
              }
            ],
            "repeated": 0,
            "id": 4
          },
          {
            "timestamp": "2026-05-28 22:02:02,600",
            "thread_id": "836",
            "caller": "0x7ffc756e56b2",
            "parentcaller": "0x7ffc756de6a1",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\rsaenh.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc746b0000"
              }
            ],
            "repeated": 0,
            "id": 5
          },
          {
            "timestamp": "2026-05-28 22:02:05,381",
            "thread_id": "1440",
            "caller": "0x7ffc756dacfe",
            "parentcaller": "0x7ffc77679f03",
            "category": "services",
            "api": "StartServiceW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ServiceHandle",
                "value": "0x209c934a0c0"
              },
              {
                "name": "ServiceName",
                "value": "MicrosoftEdgeElevationService"
              },
              {
                "name": "Arguments",
                "value": []
              }
            ],
            "repeated": 0,
            "id": 6
          },
          {
            "timestamp": "2026-05-28 22:02:06,568",
            "thread_id": "1440",
            "caller": "0x7ffc756e6579",
            "parentcaller": "0x7ffc756e5fe6",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000694"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100080",
                "pretty_value": "FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "\\??\\PhysicalDrive0"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "3",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 7
          },
          {
            "timestamp": "2026-05-28 22:02:10,193",
            "thread_id": "1352",
            "caller": "0x7ffc733b999a",
            "parentcaller": "0x7ffc733b975c",
            "category": "system",
            "api": "NtDuplicateObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SourceProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "SourceHandle",
                "value": "0x00001120"
              },
              {
                "name": "TargetProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "TargetHandle",
                "value": "0x00000f74"
              },
              {
                "name": "Options",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 8
          },
          {
            "timestamp": "2026-05-28 22:02:11,943",
            "thread_id": "836",
            "caller": "0x7ffc734d7f97",
            "parentcaller": "0x7ffc734db4bb",
            "category": "system",
            "api": "NtDuplicateObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SourceProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "SourceHandle",
                "value": "0x00000670"
              },
              {
                "name": "TargetProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "TargetHandle",
                "value": "0x00001598"
              },
              {
                "name": "Options",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 9
          },
          {
            "timestamp": "2026-05-28 22:02:11,943",
            "thread_id": "1352",
            "caller": "0x7ffc734d2c08",
            "parentcaller": "0x7ffc734e266e",
            "category": "system",
            "api": "NtDuplicateObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SourceProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "SourceHandle",
                "value": "0x0000159c"
              },
              {
                "name": "TargetProcessHandle",
                "value": "0x00001258"
              },
              {
                "name": "TargetHandle",
                "value": "0x00000760"
              },
              {
                "name": "Options",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 10
          },
          {
            "timestamp": "2026-05-28 22:02:11,943",
            "thread_id": "1352",
            "caller": "0x7ffc734d2c42",
            "parentcaller": "0x7ffc734e266e",
            "category": "system",
            "api": "NtDuplicateObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SourceProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "SourceHandle",
                "value": "0x00000670"
              },
              {
                "name": "TargetProcessHandle",
                "value": "0x00001258"
              },
              {
                "name": "TargetHandle",
                "value": "0x00000810"
              },
              {
                "name": "Options",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 11
          },
          {
            "timestamp": "2026-05-28 22:02:11,943",
            "thread_id": "1352",
            "caller": "0x7ffc734d2c77",
            "parentcaller": "0x7ffc734e266e",
            "category": "system",
            "api": "NtDuplicateObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SourceProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "SourceHandle",
                "value": "0x00000694"
              },
              {
                "name": "TargetProcessHandle",
                "value": "0x00001258"
              },
              {
                "name": "TargetHandle",
                "value": "0x00000884"
              },
              {
                "name": "Options",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 12
          },
          {
            "timestamp": "2026-05-28 22:02:16,568",
            "thread_id": "840",
            "caller": "0x7ffc756e6579",
            "parentcaller": "0x7ffc756e5fe6",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00001590"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100080",
                "pretty_value": "FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "\\??\\PhysicalDrive0"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "3",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 13
          },
          {
            "timestamp": "2026-05-28 22:02:26,568",
            "thread_id": "836",
            "caller": "0x7ffc756e6579",
            "parentcaller": "0x7ffc756e5fe6",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x0000151c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100080",
                "pretty_value": "FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "\\??\\PhysicalDrive0"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "3",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 14
          },
          {
            "timestamp": "2026-05-28 22:02:36,568",
            "thread_id": "840",
            "caller": "0x7ffc756e6579",
            "parentcaller": "0x7ffc756e5fe6",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000760"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100080",
                "pretty_value": "FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "\\??\\PhysicalDrive0"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "3",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 15
          },
          {
            "timestamp": "2026-05-28 22:02:38,006",
            "thread_id": "840",
            "caller": "0x7ffc756e56b2",
            "parentcaller": "0x7ffc756de6a1",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\rsaenh.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc746b0000"
              }
            ],
            "repeated": 1,
            "id": 16
          },
          {
            "timestamp": "2026-05-28 22:02:40,412",
            "thread_id": "1352",
            "caller": "0x7ffc734d7f97",
            "parentcaller": "0x7ffc734db4bb",
            "category": "system",
            "api": "NtDuplicateObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SourceProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "SourceHandle",
                "value": "0x000001c4"
              },
              {
                "name": "TargetProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "TargetHandle",
                "value": "0x00000670"
              },
              {
                "name": "Options",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 17
          },
          {
            "timestamp": "2026-05-28 22:02:40,412",
            "thread_id": "1240",
            "caller": "0x7ffc734d2c08",
            "parentcaller": "0x7ffc734e266e",
            "category": "system",
            "api": "NtDuplicateObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SourceProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "SourceHandle",
                "value": "0x00000760"
              },
              {
                "name": "TargetProcessHandle",
                "value": "0x00001258"
              },
              {
                "name": "TargetHandle",
                "value": "0x00000880"
              },
              {
                "name": "Options",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 18
          },
          {
            "timestamp": "2026-05-28 22:02:40,412",
            "thread_id": "1240",
            "caller": "0x7ffc734d2c42",
            "parentcaller": "0x7ffc734e266e",
            "category": "system",
            "api": "NtDuplicateObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SourceProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "SourceHandle",
                "value": "0x0000151c"
              },
              {
                "name": "TargetProcessHandle",
                "value": "0x00001258"
              },
              {
                "name": "TargetHandle",
                "value": "0x00000884"
              },
              {
                "name": "Options",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 19
          },
          {
            "timestamp": "2026-05-28 22:02:40,412",
            "thread_id": "1240",
            "caller": "0x7ffc734d2c77",
            "parentcaller": "0x7ffc734e266e",
            "category": "system",
            "api": "NtDuplicateObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SourceProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "SourceHandle",
                "value": "0x0000101c"
              },
              {
                "name": "TargetProcessHandle",
                "value": "0x00001258"
              },
              {
                "name": "TargetHandle",
                "value": "0x00000810"
              },
              {
                "name": "Options",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 20
          },
          {
            "timestamp": "2026-05-28 22:02:41,115",
            "thread_id": "840",
            "caller": "0x7ffc756dacfe",
            "parentcaller": "0x7ffc77679f03",
            "category": "services",
            "api": "StartServiceW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ServiceHandle",
                "value": "0x209c9268740"
              },
              {
                "name": "ServiceName",
                "value": "MicrosoftEdgeElevationService"
              },
              {
                "name": "Arguments",
                "value": []
              }
            ],
            "repeated": 0,
            "id": 21
          },
          {
            "timestamp": "2026-05-28 22:02:46,584",
            "thread_id": "1440",
            "caller": "0x7ffc756e6579",
            "parentcaller": "0x7ffc756e5fe6",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000fe8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100080",
                "pretty_value": "FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "\\??\\PhysicalDrive0"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "3",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 22
          },
          {
            "timestamp": "2026-05-28 22:02:56,568",
            "thread_id": "840",
            "caller": "0x7ffc756e6579",
            "parentcaller": "0x7ffc756e5fe6",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000014f0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100080",
                "pretty_value": "FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "\\??\\PhysicalDrive0"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "3",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 23
          },
          {
            "timestamp": "2026-05-28 22:02:59,521",
            "thread_id": "1240",
            "caller": "0x7ffc734e22bd",
            "parentcaller": "0x7ffc733bce49",
            "category": "system",
            "api": "NtDuplicateObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SourceProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "SourceHandle",
                "value": "0x00001568"
              },
              {
                "name": "TargetProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "TargetHandle",
                "value": "0x00001554"
              },
              {
                "name": "Options",
                "value": "0x00000002"
              }
            ],
            "repeated": 0,
            "id": 24
          },
          {
            "timestamp": "2026-05-28 22:02:59,990",
            "thread_id": "1240",
            "caller": "0x7ffc75716f4c",
            "parentcaller": "0x7ffc73671c70",
            "category": "system",
            "api": "NtDuplicateObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SourceProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "SourceHandle",
                "value": "0x00000ee8"
              },
              {
                "name": "TargetProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "TargetHandle",
                "value": "0x00000a80"
              },
              {
                "name": "Options",
                "value": "0x00000002"
              }
            ],
            "repeated": 0,
            "id": 25
          },
          {
            "timestamp": "2026-05-28 22:02:59,990",
            "thread_id": "1240",
            "caller": "0x7ffc7570c5f2",
            "parentcaller": "0x7ffc757089f3",
            "category": "process",
            "api": "NtCreateUserProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a7c"
              },
              {
                "name": "ThreadHandle",
                "value": "0x00000a88"
              },
              {
                "name": "ProcessDesiredAccess",
                "value": "0x02000000"
              },
              {
                "name": "ThreadDesiredAccess",
                "value": "0x02000000"
              },
              {
                "name": "ProcessFileName",
                "value": ""
              },
              {
                "name": "ThreadName",
                "value": ""
              },
              {
                "name": "ImagePathName",
                "value": "C:\\Windows\\system32\\DllHost.exe"
              },
              {
                "name": "CommandLine",
                "value": "C:\\Windows\\system32\\DllHost.exe /Processid:{338B40F9-9D68-4B53-A793-6B9AA0C5F63B}"
              },
              {
                "name": "DllPath",
                "value": ""
              },
              {
                "name": "ProcessId",
                "value": "140720308495860"
              }
            ],
            "repeated": 0,
            "id": 26
          },
          {
            "timestamp": "2026-05-28 22:03:00,006",
            "thread_id": "840",
            "caller": "0x7ffc756e6579",
            "parentcaller": "0x7ffc756e5fe6",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00001500"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "1",
                "pretty_value": "FILE_SHARE_READ"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 27
          },
          {
            "timestamp": "2026-05-28 22:03:00,006",
            "thread_id": "840",
            "caller": "0x7ffc7571c386",
            "parentcaller": "0x7ffc7571c25e",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x000013fc"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x209ca900000"
              },
              {
                "name": "SectionOffset",
                "value": "0x754c3fdb30"
              },
              {
                "name": "ViewSize",
                "value": "0x0007a000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 28
          },
          {
            "timestamp": "2026-05-28 22:03:00,006",
            "thread_id": "840",
            "caller": "0x7ffc7570c5f2",
            "parentcaller": "0x7ffc757089f3",
            "category": "process",
            "api": "NtCreateUserProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000013fc"
              },
              {
                "name": "ThreadHandle",
                "value": "0x00001520"
              },
              {
                "name": "ProcessDesiredAccess",
                "value": "0x02000000"
              },
              {
                "name": "ThreadDesiredAccess",
                "value": "0x02000000"
              },
              {
                "name": "ProcessFileName",
                "value": ""
              },
              {
                "name": "ThreadName",
                "value": ""
              },
              {
                "name": "ImagePathName",
                "value": "C:\\Windows\\system32\\wbem\\wmiprvse.exe"
              },
              {
                "name": "CommandLine",
                "value": "C:\\Windows\\system32\\wbem\\wmiprvse.exe -secured -Embedding"
              },
              {
                "name": "DllPath",
                "value": ""
              },
              {
                "name": "ProcessId",
                "value": "140720308495960"
              }
            ],
            "repeated": 0,
            "id": 29
          }
        ],
        "threads": [
          "1352",
          "944",
          "836",
          "1440",
          "840",
          "1240"
        ],
        "environ": {
          "UserName": "SYSTEM",
          "ComputerName": "JOHNS-PC",
          "WindowsPath": "C:\\Windows",
          "TempPath": "C:\\Windows\\TEMP\\",
          "CommandLine": "C:\\Windows\\system32\\svchost.exe -k DcomLaunch -p",
          "RegisteredOwner": "",
          "RegisteredOrganization": "",
          "ProductName": "",
          "SystemVolumeSerialNumber": "12bc-0026",
          "SystemVolumeGUID": "528c102f-0000-0000-0000-300300000000",
          "MachineGUID": "",
          "MainExeBase": "0x7ff780360000",
          "MainExeSize": "0x00010000",
          "Bitness": "64-bit"
        },
        "file_activities": {
          "read_files": [],
          "write_files": [],
          "delete_files": []
        }
      },
      {
        "process_id": 7912,
        "process_name": "Taskmgr.exe",
        "parent_id": 4584,
        "module_path": "C:\\Windows\\System32\\Taskmgr.exe",
        "first_seen": "2026-05-28 22:01:56,943",
        "calls": [
          {
            "timestamp": "2026-05-28 22:01:57,053",
            "thread_id": "1496",
            "caller": "0x7ffc7808e53f",
            "parentcaller": "0x7ffc77fefaf7",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "93"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x7f7\\x9e}"
              }
            ],
            "repeated": 0,
            "id": 0
          },
          {
            "timestamp": "2026-05-28 22:01:57,053",
            "thread_id": "1496",
            "caller": "0x7ffc780320a5",
            "parentcaller": "0x7ffc77fefaf7",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "42"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "1496"
              }
            ],
            "repeated": 0,
            "id": 1
          },
          {
            "timestamp": "2026-05-28 22:01:57,053",
            "thread_id": "1496",
            "caller": "0x7ffc77fe5157",
            "parentcaller": "0x7ffc77fe43ea",
            "category": "process",
            "api": "NtOpenSection",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0000000d"
              },
              {
                "name": "ObjectAttributes",
                "value": "UMPDC.dll"
              }
            ],
            "repeated": 0,
            "id": 2
          },
          {
            "timestamp": "2026-05-28 22:01:57,053",
            "thread_id": "1496",
            "caller": "0x7ffc7802f37b",
            "parentcaller": "0x7ffc7802f207",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\umpdc.dll"
              }
            ],
            "repeated": 0,
            "id": 3
          },
          {
            "timestamp": "2026-05-28 22:01:57,053",
            "thread_id": "1496",
            "caller": "0x7ffc7802fc9c",
            "parentcaller": "0x7ffc7802f7b0",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000224"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100021",
                "pretty_value": "FILE_READ_ACCESS|FILE_EXECUTE|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\umpdc.dll"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 4
          },
          {
            "timestamp": "2026-05-28 22:01:57,053",
            "thread_id": "1496",
            "caller": "0x7ffc7802fcfe",
            "parentcaller": "0x7ffc7802f7b0",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000220"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0000000d",
                "pretty_value": "SECTION_QUERY|SECTION_MAP_READ|SECTION_MAP_EXECUTE"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000224"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\umpdc.dll"
              }
            ],
            "repeated": 0,
            "id": 5
          },
          {
            "timestamp": "2026-05-28 22:01:57,053",
            "thread_id": "1496",
            "caller": "0x7ffc77fe4d42",
            "parentcaller": "0x7ffc77fe4aaa",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000220"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc75440000"
              },
              {
                "name": "SectionOffset",
                "value": "0x00000000"
              },
              {
                "name": "ViewSize",
                "value": "0x00012000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000080",
                "pretty_value": "PAGE_EXECUTE_WRITECOPY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 6
          },
          {
            "timestamp": "2026-05-28 22:01:57,053",
            "thread_id": "1496",
            "caller": "0x7ffc77fdfee4",
            "parentcaller": "0x7ffc77fdfad8",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc75450000"
              },
              {
                "name": "ModuleName",
                "value": "UMPDC.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 7
          },
          {
            "timestamp": "2026-05-28 22:01:57,053",
            "thread_id": "1496",
            "caller": "0x7ffc77fdffb5",
            "parentcaller": "0x7ffc77fdfad8",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc7544a000"
              },
              {
                "name": "ModuleName",
                "value": "UMPDC.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 8
          },
          {
            "timestamp": "2026-05-28 22:01:57,053",
            "thread_id": "1496",
            "caller": "0x7ffc77fdffed",
            "parentcaller": "0x7ffc77fdfad8",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc7544a000"
              },
              {
                "name": "ModuleName",
                "value": "UMPDC.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 9
          },
          {
            "timestamp": "2026-05-28 22:01:57,053",
            "thread_id": "1496",
            "caller": "0x7ffc77fe0068",
            "parentcaller": "0x7ffc77fdfad8",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc7544a000"
              },
              {
                "name": "ModuleName",
                "value": "UMPDC.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 10
          },
          {
            "timestamp": "2026-05-28 22:01:57,053",
            "thread_id": "1496",
            "caller": "0x7ffc77fe009c",
            "parentcaller": "0x7ffc77fdfad8",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc7544a000"
              },
              {
                "name": "ModuleName",
                "value": "UMPDC.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 11
          },
          {
            "timestamp": "2026-05-28 22:01:57,053",
            "thread_id": "1496",
            "caller": "0x7ffc77fe5082",
            "parentcaller": "0x7ffc77fe79d2",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc7544a000"
              },
              {
                "name": "ModuleName",
                "value": "UMPDC.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 12
          },
          {
            "timestamp": "2026-05-28 22:01:57,053",
            "thread_id": "1496",
            "caller": "0x7ffc7802fd68",
            "parentcaller": "0x7ffc7802f7b0",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000220"
              }
            ],
            "repeated": 0,
            "id": 13
          },
          {
            "timestamp": "2026-05-28 22:01:57,053",
            "thread_id": "1496",
            "caller": "0x7ffc7802fd71",
            "parentcaller": "0x7ffc7802f7b0",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000224"
              }
            ],
            "repeated": 0,
            "id": 14
          },
          {
            "timestamp": "2026-05-28 22:01:57,053",
            "thread_id": "1496",
            "caller": "0x7ffc78017bac",
            "parentcaller": "0x7ffc7800288a",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc7544a000"
              },
              {
                "name": "ModuleName",
                "value": "UMPDC.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 15
          },
          {
            "timestamp": "2026-05-28 22:01:57,053",
            "thread_id": "1496",
            "caller": "0x7ffc78017bac",
            "parentcaller": "0x7ffc7800288a",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\system32\\UMPDC"
              },
              {
                "name": "DllBase",
                "value": "0x7ffc75440000"
              }
            ],
            "repeated": 0,
            "id": 16
          },
          {
            "timestamp": "2026-05-28 22:01:57,068",
            "thread_id": "1496",
            "caller": "0x7ffc7803c2c7",
            "parentcaller": "0x7ffc7803c05a",
            "category": "system",
            "api": "LdrpCallInitRoutine",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "MappedPath",
                "value": "\\Device\\HarddiskVolume2\\Windows\\System32\\umpdc"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc75440000"
              },
              {
                "name": "InitRoutine",
                "value": "0x7ffc75443e30"
              },
              {
                "name": "Reason",
                "value": "1"
              }
            ],
            "repeated": 0,
            "id": 17
          },
          {
            "timestamp": "2026-05-28 22:01:57,068",
            "thread_id": "1496",
            "caller": "0x7ffc78017830",
            "parentcaller": "0x7ffc780020f9",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc75480000"
              },
              {
                "name": "ModuleName",
                "value": "powrprof.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 18
          },
          {
            "timestamp": "2026-05-28 22:01:57,068",
            "thread_id": "1496",
            "caller": "0x7ffc78017881",
            "parentcaller": "0x7ffc780020f9",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc75480000"
              },
              {
                "name": "ModuleName",
                "value": "powrprof.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 19
          },
          {
            "timestamp": "2026-05-28 22:01:57,068",
            "thread_id": "1496",
            "caller": "0x7ffc78017881",
            "parentcaller": "0x7ffc780020f9",
            "category": "system",
            "api": "LdrpCallInitRoutine",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "MappedPath",
                "value": "\\Device\\HarddiskVolume2\\Windows\\System32\\powrprof"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc75460000"
              },
              {
                "name": "InitRoutine",
                "value": "0x7ffc75463480"
              },
              {
                "name": "Reason",
                "value": "1"
              }
            ],
            "repeated": 0,
            "id": 20
          },
          {
            "timestamp": "2026-05-28 22:01:57,068",
            "thread_id": "1496",
            "caller": "0x7ffc7803c2c7",
            "parentcaller": "0x7ffc7803c05a",
            "category": "system",
            "api": "LdrpCallInitRoutine",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "MappedPath",
                "value": "\\Device\\HarddiskVolume2\\Windows\\System32\\nsi"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc771d0000"
              },
              {
                "name": "InitRoutine",
                "value": "0x7ffc771d22f0"
              },
              {
                "name": "Reason",
                "value": "1"
              }
            ],
            "repeated": 0,
            "id": 21
          },
          {
            "timestamp": "2026-05-28 22:01:57,115",
            "thread_id": "1496",
            "caller": "0x7ffc760442c4",
            "parentcaller": "0x7ffc76043b55",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000220"
              },
              {
                "name": "DesiredAccess",
                "value": "0x001200a9",
                "pretty_value": "FILE_GENERIC_READ|FILE_GENERIC_EXECUTE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\WindowsShell.Manifest"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 22
          },
          {
            "timestamp": "2026-05-28 22:01:57,115",
            "thread_id": "1496",
            "caller": "0x7ffc76044459",
            "parentcaller": "0x7ffc76043b55",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x0000021c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000004",
                "pretty_value": "SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000220"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\WindowsShell.Manifest"
              }
            ],
            "repeated": 0,
            "id": 23
          },
          {
            "timestamp": "2026-05-28 22:01:57,115",
            "thread_id": "1496",
            "caller": "0x7ffc760444a6",
            "parentcaller": "0x7ffc76043b55",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x0000021c"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29250ee0000"
              },
              {
                "name": "SectionOffset",
                "value": "0x00000000"
              },
              {
                "name": "ViewSize",
                "value": "0x00001000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 24
          },
          {
            "timestamp": "2026-05-28 22:01:57,115",
            "thread_id": "1496",
            "caller": "0x7ffc7603e7a0",
            "parentcaller": "0x7ffc76045084",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000218"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\SideBySide"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\SideBySide"
              }
            ],
            "repeated": 0,
            "id": 25
          },
          {
            "timestamp": "2026-05-28 22:01:57,115",
            "thread_id": "1496",
            "caller": "0x7ffc7603e7f0",
            "parentcaller": "0x7ffc76045084",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000218"
              },
              {
                "name": "ValueName",
                "value": "PreferExternalManifest"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\SideBySide\\PreferExternalManifest"
              }
            ],
            "repeated": 0,
            "id": 26
          },
          {
            "timestamp": "2026-05-28 22:01:57,115",
            "thread_id": "1496",
            "caller": "0x7ffc7603e818",
            "parentcaller": "0x7ffc76045084",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000218"
              }
            ],
            "repeated": 0,
            "id": 27
          },
          {
            "timestamp": "2026-05-28 22:01:57,115",
            "thread_id": "1496",
            "caller": "0x7ffc76056103",
            "parentcaller": "0x7ffc760451de",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000220"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\WindowsShell.Manifest"
              },
              {
                "name": "FileInformationClass",
                "value": "5",
                "pretty_value": "FileStandardInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\x9e\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 28
          },
          {
            "timestamp": "2026-05-28 22:01:57,115",
            "thread_id": "1496",
            "caller": "0x7ffc76044f83",
            "parentcaller": "0x7ffc7604468c",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000220"
              }
            ],
            "repeated": 0,
            "id": 29
          },
          {
            "timestamp": "2026-05-28 22:01:57,115",
            "thread_id": "1496",
            "caller": "0x7ffc76044f8a",
            "parentcaller": "0x7ffc7604468c",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000021c"
              }
            ],
            "repeated": 0,
            "id": 30
          },
          {
            "timestamp": "2026-05-28 22:01:57,115",
            "thread_id": "1496",
            "caller": "0x7ffc7604468c",
            "parentcaller": "0x7ffc76043b55",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29250ee0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              }
            ],
            "repeated": 0,
            "id": 31
          },
          {
            "timestamp": "2026-05-28 22:01:57,115",
            "thread_id": "1496",
            "caller": "0x7ffc76042a0e",
            "parentcaller": "0x7ffc61e63a53",
            "category": "synchronization",
            "api": "NtAddAtomEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "AtomName",
                "value": "ThemePropScrollBarCtl"
              },
              {
                "name": "Atom",
                "value": "0x0000c01b"
              }
            ],
            "repeated": 0,
            "id": 32
          },
          {
            "timestamp": "2026-05-28 22:01:57,115",
            "thread_id": "1496",
            "caller": "0x7ffc76042a0e",
            "parentcaller": "0x7ffc61e63a6d",
            "category": "synchronization",
            "api": "NtAddAtomEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "AtomName",
                "value": "MicrosoftTabletPenServiceProperty"
              },
              {
                "name": "Atom",
                "value": "0x0000c01c"
              }
            ],
            "repeated": 0,
            "id": 33
          },
          {
            "timestamp": "2026-05-28 22:01:57,115",
            "thread_id": "1496",
            "caller": "0x7ffc61e63bac",
            "parentcaller": "0x7ffc61e63add",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00001022"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 34
          },
          {
            "timestamp": "2026-05-28 22:01:57,115",
            "thread_id": "1496",
            "caller": "0x7ffc756de76a",
            "parentcaller": "0x7ffc61e63aeb",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": false,
            "return": "0xffffffffc0000135",
            "pretty_return": "DLL_NOT_FOUND",
            "arguments": [
              {
                "name": "FileName",
                "value": "LPK"
              },
              {
                "name": "ModuleHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 35
          },
          {
            "timestamp": "2026-05-28 22:01:57,115",
            "thread_id": "1496",
            "caller": "0x7ffc756de76a",
            "parentcaller": "0x7ffc61e63b03",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "GDI32"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc77ed0000"
              }
            ],
            "repeated": 0,
            "id": 36
          },
          {
            "timestamp": "2026-05-28 22:01:57,115",
            "thread_id": "1496",
            "caller": "0x7ffc756eac31",
            "parentcaller": "0x7ffc61e63b1e",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "GDI32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc77ed0000"
              },
              {
                "name": "FunctionName",
                "value": "LpkEditControl"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc77ef5740"
              }
            ],
            "repeated": 0,
            "id": 37
          },
          {
            "timestamp": "2026-05-28 22:01:57,115",
            "thread_id": "1496",
            "caller": "0x7ffc756eac31",
            "parentcaller": "0x7ffc61e63b1e",
            "category": "system",
            "api": "LdrpCallInitRoutine",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "MappedPath",
                "value": "\\Device\\HarddiskVolume2\\Windows\\WinSxS\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.19041.3636_none_60b6a03d71f818d5\\comctl32"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc61e00000"
              },
              {
                "name": "InitRoutine",
                "value": "0x7ffc61e99e70"
              },
              {
                "name": "Reason",
                "value": "1"
              }
            ],
            "repeated": 0,
            "id": 38
          },
          {
            "timestamp": "2026-05-28 22:01:57,115",
            "thread_id": "1496",
            "caller": "0x7ffc730a3254",
            "parentcaller": "0x7ffc730c9919",
            "category": "misc",
            "api": "HeapCreate",
            "status": true,
            "return": "0x29251490000",
            "arguments": [
              {
                "name": "Options",
                "value": "0"
              },
              {
                "name": "InitialSize",
                "value": "0x00000000"
              },
              {
                "name": "MaximumSize",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 39
          },
          {
            "timestamp": "2026-05-28 22:01:57,115",
            "thread_id": "1496",
            "caller": "0x7ffc730a3254",
            "parentcaller": "0x7ffc730c9919",
            "category": "system",
            "api": "LdrpCallInitRoutine",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "MappedPath",
                "value": "\\Device\\HarddiskVolume2\\Windows\\System32\\uxtheme"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc730a0000"
              },
              {
                "name": "InitRoutine",
                "value": "0x7ffc730c8c70"
              },
              {
                "name": "Reason",
                "value": "1"
              }
            ],
            "repeated": 0,
            "id": 40
          },
          {
            "timestamp": "2026-05-28 22:01:57,115",
            "thread_id": "1496",
            "caller": "0x7ffc7803c2c7",
            "parentcaller": "0x7ffc7803c05a",
            "category": "system",
            "api": "LdrpCallInitRoutine",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "MappedPath",
                "value": "\\Device\\HarddiskVolume2\\Windows\\System32\\credui"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc6b990000"
              },
              {
                "name": "InitRoutine",
                "value": "0x7ffc6b9916c0"
              },
              {
                "name": "Reason",
                "value": "1"
              }
            ],
            "repeated": 0,
            "id": 41
          },
          {
            "timestamp": "2026-05-28 22:01:57,115",
            "thread_id": "1496",
            "caller": "0x7ffc756de76a",
            "parentcaller": "0x7ffc6aaa613c",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "advapi32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc771e0000"
              }
            ],
            "repeated": 0,
            "id": 42
          },
          {
            "timestamp": "2026-05-28 22:01:57,115",
            "thread_id": "1496",
            "caller": "0x7ffc756eac31",
            "parentcaller": "0x7ffc6aaa617d",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ADVAPI32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc771e0000"
              },
              {
                "name": "FunctionName",
                "value": "EventWrite"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc7801f1b0"
              }
            ],
            "repeated": 0,
            "id": 43
          },
          {
            "timestamp": "2026-05-28 22:01:57,115",
            "thread_id": "1496",
            "caller": "0x7ffc756eac31",
            "parentcaller": "0x7ffc6aaa619f",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ADVAPI32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc771e0000"
              },
              {
                "name": "FunctionName",
                "value": "EventRegister"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc78012e80"
              }
            ],
            "repeated": 0,
            "id": 44
          },
          {
            "timestamp": "2026-05-28 22:01:57,115",
            "thread_id": "1496",
            "caller": "0x7ffc756eac31",
            "parentcaller": "0x7ffc6aaa61c1",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ADVAPI32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc771e0000"
              },
              {
                "name": "FunctionName",
                "value": "EventUnregister"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc78020390"
              }
            ],
            "repeated": 0,
            "id": 45
          },
          {
            "timestamp": "2026-05-28 22:01:57,115",
            "thread_id": "1496",
            "caller": "0x7ffc756e56b2",
            "parentcaller": "0x7ffc6aa9ae98",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "ntdll.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc77fd0000"
              }
            ],
            "repeated": 0,
            "id": 46
          },
          {
            "timestamp": "2026-05-28 22:01:57,115",
            "thread_id": "1496",
            "caller": "0x7ffc756e56b2",
            "parentcaller": "0x7ffc6aa9ae98",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x7ffc77fd0000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "ntdll.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 47
          },
          {
            "timestamp": "2026-05-28 22:01:57,115",
            "thread_id": "1496",
            "caller": "0x7ffc756eac31",
            "parentcaller": "0x7ffc6aa9aeb6",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc77fd0000"
              },
              {
                "name": "FunctionName",
                "value": "RtlUnhandledExceptionFilter"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc7806c900"
              }
            ],
            "repeated": 0,
            "id": 48
          },
          {
            "timestamp": "2026-05-28 22:01:57,115",
            "thread_id": "1496",
            "caller": "0x7ffc756eac31",
            "parentcaller": "0x7ffc6aa9aecc",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc77fd0000"
              },
              {
                "name": "FunctionName",
                "value": "RtlIsThreadWithinLoaderCallout"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc7804d9d0"
              }
            ],
            "repeated": 0,
            "id": 49
          },
          {
            "timestamp": "2026-05-28 22:01:57,115",
            "thread_id": "1496",
            "caller": "0x7ffc756e56b2",
            "parentcaller": "0x7ffc6aa9aeeb",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "user32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc762a0000"
              }
            ],
            "repeated": 0,
            "id": 50
          },
          {
            "timestamp": "2026-05-28 22:01:57,115",
            "thread_id": "1496",
            "caller": "0x7ffc756e56b2",
            "parentcaller": "0x7ffc6aa9aeeb",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x7ffc762a0000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "user32.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 51
          },
          {
            "timestamp": "2026-05-28 22:01:57,115",
            "thread_id": "1496",
            "caller": "0x7ffc756eac31",
            "parentcaller": "0x7ffc6aa9af0d",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "USER32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc762a0000"
              },
              {
                "name": "FunctionName",
                "value": "GetPointerTouchInfo"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc762f0870"
              }
            ],
            "repeated": 0,
            "id": 52
          },
          {
            "timestamp": "2026-05-28 22:01:57,115",
            "thread_id": "1496",
            "caller": "0x7ffc756eac31",
            "parentcaller": "0x7ffc6aa9af2a",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "USER32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc762a0000"
              },
              {
                "name": "FunctionName",
                "value": "GetPointerInfo"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc762f0710"
              }
            ],
            "repeated": 0,
            "id": 53
          },
          {
            "timestamp": "2026-05-28 22:01:57,115",
            "thread_id": "1496",
            "caller": "0x7ffc756eac31",
            "parentcaller": "0x7ffc6aa9af47",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "USER32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc762a0000"
              },
              {
                "name": "FunctionName",
                "value": "GetPointerDevice"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc762d4150"
              }
            ],
            "repeated": 0,
            "id": 54
          },
          {
            "timestamp": "2026-05-28 22:01:57,115",
            "thread_id": "1496",
            "caller": "0x7ffc756eac31",
            "parentcaller": "0x7ffc6aa9af64",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "USER32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc762a0000"
              },
              {
                "name": "FunctionName",
                "value": "GetPointerFrameInfoHistory"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc762f05b0"
              }
            ],
            "repeated": 0,
            "id": 55
          },
          {
            "timestamp": "2026-05-28 22:01:57,115",
            "thread_id": "1496",
            "caller": "0x7ffc756eac31",
            "parentcaller": "0x7ffc6aa9af81",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "USER32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc762a0000"
              },
              {
                "name": "FunctionName",
                "value": "GetPointerDeviceRects"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc762d41a0"
              }
            ],
            "repeated": 0,
            "id": 56
          },
          {
            "timestamp": "2026-05-28 22:01:57,115",
            "thread_id": "1496",
            "caller": "0x7ffc756eac31",
            "parentcaller": "0x7ffc6aa9af9e",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "USER32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc762a0000"
              },
              {
                "name": "FunctionName",
                "value": "EvaluateProximityToRect"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc76320120"
              }
            ],
            "repeated": 0,
            "id": 57
          },
          {
            "timestamp": "2026-05-28 22:01:57,115",
            "thread_id": "1496",
            "caller": "0x7ffc756eac31",
            "parentcaller": "0x7ffc6aa9afbb",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "USER32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc762a0000"
              },
              {
                "name": "FunctionName",
                "value": "LogicalToPhysicalPoint"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc762d4630"
              }
            ],
            "repeated": 0,
            "id": 58
          },
          {
            "timestamp": "2026-05-28 22:01:57,115",
            "thread_id": "1496",
            "caller": "0x7ffc756eac31",
            "parentcaller": "0x7ffc6aa9afd8",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "USER32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc762a0000"
              },
              {
                "name": "FunctionName",
                "value": "PhysicalToLogicalPoint"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc762d46f0"
              }
            ],
            "repeated": 0,
            "id": 59
          },
          {
            "timestamp": "2026-05-28 22:01:57,115",
            "thread_id": "1496",
            "caller": "0x7ffc756eac31",
            "parentcaller": "0x7ffc6aa9aff5",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "USER32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc762a0000"
              },
              {
                "name": "FunctionName",
                "value": "PackTouchHitTestingProximityEvaluation"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc76320260"
              }
            ],
            "repeated": 0,
            "id": 60
          },
          {
            "timestamp": "2026-05-28 22:01:57,115",
            "thread_id": "1496",
            "caller": "0x7ffc756eac31",
            "parentcaller": "0x7ffc6aa9b012",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "USER32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc762a0000"
              },
              {
                "name": "FunctionName",
                "value": "RegisterTouchHitTestingWindow"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc762d4990"
              }
            ],
            "repeated": 0,
            "id": 61
          },
          {
            "timestamp": "2026-05-28 22:01:57,115",
            "thread_id": "1496",
            "caller": "0x7ffc756eac31",
            "parentcaller": "0x7ffc6aa9b02d",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "USER32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc762a0000"
              },
              {
                "name": "FunctionName",
                "value": ""
              },
              {
                "name": "Ordinal",
                "value": "2560"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc762f0410"
              }
            ],
            "repeated": 0,
            "id": 62
          },
          {
            "timestamp": "2026-05-28 22:01:57,115",
            "thread_id": "1496",
            "caller": "0x7ffc77fde715",
            "parentcaller": "0x7ffc77fde37b",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2924e21e000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 63
          },
          {
            "timestamp": "2026-05-28 22:01:57,115",
            "thread_id": "1496",
            "caller": "0x7ffc77fde715",
            "parentcaller": "0x7ffc77fde37b",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2924e21f000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 64
          },
          {
            "timestamp": "2026-05-28 22:01:57,115",
            "thread_id": "1496",
            "caller": "0x7ffc77fde715",
            "parentcaller": "0x7ffc77fde37b",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2924e220000"
              },
              {
                "name": "RegionSize",
                "value": "0x00002000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 65
          },
          {
            "timestamp": "2026-05-28 22:01:57,115",
            "thread_id": "1496",
            "caller": "0x7ffc77fde715",
            "parentcaller": "0x7ffc77fde37b",
            "category": "system",
            "api": "LdrpCallInitRoutine",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "MappedPath",
                "value": "\\Device\\HarddiskVolume2\\Windows\\System32\\duser"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc6aa90000"
              },
              {
                "name": "InitRoutine",
                "value": "0x7ffc6aaa5220"
              },
              {
                "name": "Reason",
                "value": "1"
              }
            ],
            "repeated": 0,
            "id": 66
          },
          {
            "timestamp": "2026-05-28 22:01:57,115",
            "thread_id": "1496",
            "caller": "0x7ffc756de76a",
            "parentcaller": "0x7ffc60237627",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "advapi32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc771e0000"
              }
            ],
            "repeated": 0,
            "id": 67
          },
          {
            "timestamp": "2026-05-28 22:01:57,115",
            "thread_id": "1496",
            "caller": "0x7ffc756eac31",
            "parentcaller": "0x7ffc60237668",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ADVAPI32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc771e0000"
              },
              {
                "name": "FunctionName",
                "value": "EventWrite"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc7801f1b0"
              }
            ],
            "repeated": 0,
            "id": 68
          },
          {
            "timestamp": "2026-05-28 22:01:57,115",
            "thread_id": "1496",
            "caller": "0x7ffc756eac31",
            "parentcaller": "0x7ffc6023768a",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ADVAPI32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc771e0000"
              },
              {
                "name": "FunctionName",
                "value": "EventRegister"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc78012e80"
              }
            ],
            "repeated": 0,
            "id": 69
          },
          {
            "timestamp": "2026-05-28 22:01:57,115",
            "thread_id": "1496",
            "caller": "0x7ffc756eac31",
            "parentcaller": "0x7ffc602376ac",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ADVAPI32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc771e0000"
              },
              {
                "name": "FunctionName",
                "value": "EventUnregister"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc78020390"
              }
            ],
            "repeated": 0,
            "id": 70
          },
          {
            "timestamp": "2026-05-28 22:01:57,115",
            "thread_id": "1496",
            "caller": "0x7ffc756eac31",
            "parentcaller": "0x7ffc602376ac",
            "category": "system",
            "api": "LdrpCallInitRoutine",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "MappedPath",
                "value": "\\Device\\HarddiskVolume2\\Windows\\System32\\dui70"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc601f0000"
              },
              {
                "name": "InitRoutine",
                "value": "0x7ffc60235270"
              },
              {
                "name": "Reason",
                "value": "1"
              }
            ],
            "repeated": 0,
            "id": 71
          },
          {
            "timestamp": "2026-05-28 22:01:57,131",
            "thread_id": "1496",
            "caller": "0x7ffc5e777f69",
            "parentcaller": "0x7ffc5e77349f",
            "category": "misc",
            "api": "GetComputerNameExW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ComputerName",
                "value": "JOHNS-PC"
              }
            ],
            "repeated": 0,
            "id": 72
          },
          {
            "timestamp": "2026-05-28 22:01:57,131",
            "thread_id": "1496",
            "caller": "0x7ffc5e777f69",
            "parentcaller": "0x7ffc5e77349f",
            "category": "system",
            "api": "LdrpCallInitRoutine",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "MappedPath",
                "value": "\\Device\\HarddiskVolume2\\Windows\\System32\\pdh"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc5e770000"
              },
              {
                "name": "InitRoutine",
                "value": "0x7ffc5e773550"
              },
              {
                "name": "Reason",
                "value": "1"
              }
            ],
            "repeated": 0,
            "id": 73
          },
          {
            "timestamp": "2026-05-28 22:01:57,131",
            "thread_id": "1496",
            "caller": "0x7ffc756de76a",
            "parentcaller": "0x7ffc6e392179",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "api-ms-win-core-synch-l1-2-0.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc756b0000"
              }
            ],
            "repeated": 0,
            "id": 74
          },
          {
            "timestamp": "2026-05-28 22:01:57,131",
            "thread_id": "1496",
            "caller": "0x7ffc756eac31",
            "parentcaller": "0x7ffc6e3921ac",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "KERNELBASE.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc756b0000"
              },
              {
                "name": "FunctionName",
                "value": "InitializeConditionVariable"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc78039f40"
              }
            ],
            "repeated": 0,
            "id": 75
          },
          {
            "timestamp": "2026-05-28 22:01:57,131",
            "thread_id": "1496",
            "caller": "0x7ffc756eac31",
            "parentcaller": "0x7ffc6e3921c0",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "KERNELBASE.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc756b0000"
              },
              {
                "name": "FunctionName",
                "value": "SleepConditionVariableCS"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc75723890"
              }
            ],
            "repeated": 0,
            "id": 76
          },
          {
            "timestamp": "2026-05-28 22:01:57,131",
            "thread_id": "1496",
            "caller": "0x7ffc756eac31",
            "parentcaller": "0x7ffc6e3921d4",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "KERNELBASE.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc756b0000"
              },
              {
                "name": "FunctionName",
                "value": "WakeAllConditionVariable"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc78025430"
              }
            ],
            "repeated": 0,
            "id": 77
          },
          {
            "timestamp": "2026-05-28 22:01:57,131",
            "thread_id": "1496",
            "caller": "0x7ffc78017830",
            "parentcaller": "0x7ffc780020f9",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc6e3a8000"
              },
              {
                "name": "ModuleName",
                "value": "dxcore.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 78
          },
          {
            "timestamp": "2026-05-28 22:01:57,131",
            "thread_id": "1496",
            "caller": "0x7ffc78017881",
            "parentcaller": "0x7ffc780020f9",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc6e3a8000"
              },
              {
                "name": "ModuleName",
                "value": "dxcore.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 79
          },
          {
            "timestamp": "2026-05-28 22:01:57,131",
            "thread_id": "1496",
            "caller": "0x7ffc78017881",
            "parentcaller": "0x7ffc780020f9",
            "category": "system",
            "api": "LdrpCallInitRoutine",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "MappedPath",
                "value": "\\Device\\HarddiskVolume2\\Windows\\System32\\DXCore"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc6e370000"
              },
              {
                "name": "InitRoutine",
                "value": "0x7ffc6e391a40"
              },
              {
                "name": "Reason",
                "value": "1"
              }
            ],
            "repeated": 0,
            "id": 80
          },
          {
            "timestamp": "2026-05-28 22:01:57,131",
            "thread_id": "1496",
            "caller": "0x7ffc756e56b2",
            "parentcaller": "0x7ffc73f7a334",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "gdi32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc77ed0000"
              }
            ],
            "repeated": 0,
            "id": 81
          },
          {
            "timestamp": "2026-05-28 22:01:57,131",
            "thread_id": "1496",
            "caller": "0x7ffc756e56b2",
            "parentcaller": "0x7ffc73f7a334",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x7ffc77ed0000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "gdi32.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 82
          },
          {
            "timestamp": "2026-05-28 22:01:57,131",
            "thread_id": "1496",
            "caller": "0x7ffc75703f3b",
            "parentcaller": "0x7ffc75703c79",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0xf09d85c018"
              },
              {
                "name": "Size",
                "value": "0x00000008"
              },
              {
                "name": "Buffer",
                "value": "\\xc0\\xc4\\x13x\\xfc\\x7f\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 83
          },
          {
            "timestamp": "2026-05-28 22:01:57,131",
            "thread_id": "1496",
            "caller": "0x7ffc75703f7a",
            "parentcaller": "0x7ffc75703c79",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc7813c4e0"
              },
              {
                "name": "Size",
                "value": "0x00000008"
              },
              {
                "name": "Buffer",
                "value": "\\x90%\\x1fN\\x92\\x02\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 84
          },
          {
            "timestamp": "2026-05-28 22:01:57,131",
            "thread_id": "1496",
            "caller": "0x7ffc75703fbc",
            "parentcaller": "0x7ffc75703c79",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2924e1f2580"
              },
              {
                "name": "Size",
                "value": "0x00000088"
              },
              {
                "name": "Buffer",
                "value": "\\xf0#\\x1fN\\x92\\x02\\x00\\x00\\xd0\\xc4\\x13x\\xfc\\x7f\\x00\\x00\\x00$\\x1fN\\x92\\x02\\x00\\x00\\xe0\\xc4\\x13x\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x8b\\xc2\\xf6\\x7f\\x00\\x00\\xf0\\x00\\x8e\\xc2\\xf6\\x7f\\x00\\x00\\x00\\x00\\x13\\x00\\x00\\x00\\x00\\x00>\\x00@\\x00\\x00\\x00\\x00\\x00\\xf8!\\x1fN\\x92\\x02\\x00\\x00\\x16\\x00\\x18\\x00\\x00\\x00\\x00\\x00 \"\\x1fN\\x92\\x02\\x00\\x00\\xcc\\xa2\\x00\\x00\\xff\\xff\\xff\\xff\\x80Q\\x1fN\\x92\\x02\\x00\\x00\\xb0\\xc2\\x13x\\xfc\\x7f\\x00\\x00u\\x00|V\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 85
          },
          {
            "timestamp": "2026-05-28 22:01:57,131",
            "thread_id": "1496",
            "caller": "0x7ffc75703fbc",
            "parentcaller": "0x7ffc75703c79",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2924e1f23f0"
              },
              {
                "name": "Size",
                "value": "0x00000088"
              },
              {
                "name": "Buffer",
                "value": "\\x10+\\x1fN\\x92\\x02\\x00\\x00\\x80%\\x1fN\\x92\\x02\\x00\\x00 +\\x1fN\\x92\\x02\\x00\\x00\\x90%\\x1fN\\x92\\x02\\x00\\x00@1\\x1fN\\x92\\x02\\x00\\x00\\xf0\\xc4\\x13x\\xfc\\x7f\\x00\\x00\\x00\\x00\\xfdw\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x80\\x1f\\x00\\x00\\x00\\x00\\x00:\\x00<\\x00\\x00\\x00\\x00\\x00\\xf0\"\\x1fN\\x92\\x02\\x00\\x00\\x12\\x00\\x14\\x00\\x00\\x00\\x00\\x00\\xb0\\xd9\\x0fx\\xfc\\x7f\\x00\\x00\\xc4\\xa2\\x00\\x00\\xff\\xff\\x00\\x00\\x80\\xc2\\x13x\\xfc\\x7f\\x00\\x00\\x80\\xc2\\x13x\\xfc\\x7f\\x00\\x00o\\xaad\\x9b\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 86
          },
          {
            "timestamp": "2026-05-28 22:01:57,131",
            "thread_id": "1496",
            "caller": "0x7ffc75703fbc",
            "parentcaller": "0x7ffc75703c79",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2924e1f2b10"
              },
              {
                "name": "Size",
                "value": "0x00000088"
              },
              {
                "name": "Buffer",
                "value": " 1\\x1fN\\x92\\x02\\x00\\x00\\xf0#\\x1fN\\x92\\x02\\x00\\x0001\\x1fN\\x92\\x02\\x00\\x00\\x00$\\x1fN\\x92\\x02\\x00\\x000Q\\x1fN\\x92\\x02\\x00\\x00@1\\x1fN\\x92\\x02\\x00\\x00\\x00\\x00\\x03v\\xfc\\x7f\\x00\\x00\\xe0s\\x04v\\xfc\\x7f\\x00\\x00\\x00\\xd0\\x0b\\x00\\x00\\x00\\x00\\x00@\\x00B\\x00\\x00\\x00\\x00\\x00\\xa0,\\x1fN\\x92\\x02\\x00\\x00\\x18\\x00\\x1a\\x00\\x00\\x00\\x00\\x00\\xc8,\\x1fN\\x92\\x02\\x00\\x00\\xcc\\xa2\\x0c\\x00\\xff\\xff\\x00\\x00`\\xc2\\x13x\\xfc\\x7f\\x00\\x00`\\xc2\\x13x\\xfc\\x7f\\x00\\x00'\\xda\\xc9\\x9e\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 87
          },
          {
            "timestamp": "2026-05-28 22:01:57,131",
            "thread_id": "1496",
            "caller": "0x7ffc75703fbc",
            "parentcaller": "0x7ffc75703c79",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2924e1f3120"
              },
              {
                "name": "Size",
                "value": "0x00000088"
              },
              {
                "name": "Buffer",
                "value": "0M\\x1fN\\x92\\x02\\x00\\x00\\x10+\\x1fN\\x92\\x02\\x00\\x00@M\\x1fN\\x92\\x02\\x00\\x00 +\\x1fN\\x92\\x02\\x00\\x000+\\x1fN\\x92\\x02\\x00\\x00\\x10$\\x1fN\\x92\\x02\\x00\\x00\\x00\\x00ku\\xfc\\x7f\\x00\\x00\\xb0glu\\xfc\\x7f\\x00\\x00\\x00`/\\x00\\x00\\x00\\x00\\x00D\\x00F\\x00\\x00\\x00\\x00\\x00\\xb02\\x1fN\\x92\\x02\\x00\\x00\\x1c\\x00\\x1e\\x00\\x00\\x00\\x00\\x00\\xd82\\x1fN\\x92\\x02\\x00\\x00\\xcc\\xa2\\x08\\x00\\xff\\xff\\xff\\xff\\x80\\xc1\\x13x\\xfc\\x7f\\x00\\x00\\x80\\xc1\\x13x\\xfc\\x7f\\x00\\x00\\x12\\x8f\\x0f\\xd8\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 88
          },
          {
            "timestamp": "2026-05-28 22:01:57,131",
            "thread_id": "1496",
            "caller": "0x7ffc75703fbc",
            "parentcaller": "0x7ffc75703c79",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2924e1f4d30"
              },
              {
                "name": "Size",
                "value": "0x00000088"
              },
              {
                "name": "Buffer",
                "value": "\\x10Q\\x1fN\\x92\\x02\\x00\\x00 1\\x1fN\\x92\\x02\\x00\\x00 Q\\x1fN\\x92\\x02\\x00\\x0001\\x1fN\\x92\\x02\\x00\\x00\\xe0X\\x1fN\\x92\\x02\\x00\\x000Q\\x1fN\\x92\\x02\\x00\\x00\\x00\\x00\\xa8u\\xfc\\x7f\\x00\\x00\\xb0\\xfa\\xacu\\xfc\\x7f\\x00\\x00\\x00\\xd0\\x15\\x00\\x00\\x00\\x00\\x00>\\x00@\\x00\\x00\\x00\\x00\\x00`N\\x1fN\\x92\\x02\\x00\\x00\\x16\\x00\\x18\\x00\\x00\\x00\\x00\\x00\\x88N\\x1fN\\x92\\x02\\x00\\x00\\xec\\xa2\\x08\\x00\\x06\\x00\\xff\\xff0Y\\x1fN\\x92\\x02\\x00\\x00p\\xc1\\x13x\\xfc\\x7f\\x00\\x00Yo\\xd4\\xce\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 89
          },
          {
            "timestamp": "2026-05-28 22:01:57,131",
            "thread_id": "1496",
            "caller": "0x7ffc75703fbc",
            "parentcaller": "0x7ffc75703c79",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2924e1f5110"
              },
              {
                "name": "Size",
                "value": "0x00000088"
              },
              {
                "name": "Buffer",
                "value": "\\xd0T\\x1fN\\x92\\x02\\x00\\x000M\\x1fN\\x92\\x02\\x00\\x00\\xe0T\\x1fN\\x92\\x02\\x00\\x00@M\\x1fN\\x92\\x02\\x00\\x00PM\\x1fN\\x92\\x02\\x00\\x000+\\x1fN\\x92\\x02\\x00\\x00\\x00\\x00\\xd0u\\xfc\\x7f\\x00\\x00\\x10a\\xd1u\\xfc\\x7f\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00@\\x00B\\x00\\x00\\x00\\x00\\x00\\xa0R\\x1fN\\x92\\x02\\x00\\x00\\x18\\x00\\x1a\\x00\\x00\\x00\\x00\\x00\\xc8R\\x1fN\\x92\\x02\\x00\\x00\\xec\\xa2\\x08\\x00\\x06\\x00\\x00\\x00\\xb0\\xc2\\x13x\\xfc\\x7f\\x00\\x00\\xf0%\\x1fN\\x92\\x02\\x00\\x00\\x89]\\xcf\\x81\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 90
          },
          {
            "timestamp": "2026-05-28 22:01:57,131",
            "thread_id": "1496",
            "caller": "0x7ffc75703fbc",
            "parentcaller": "0x7ffc75703c79",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2924e1f54d0"
              },
              {
                "name": "Size",
                "value": "0x00000088"
              },
              {
                "name": "Buffer",
                "value": "\\xc0X\\x1fN\\x92\\x02\\x00\\x00\\x10Q\\x1fN\\x92\\x02\\x00\\x00\\xd0X\\x1fN\\x92\\x02\\x00\\x00 Q\\x1fN\\x92\\x02\\x00\\x00\\x00a\\x1fN\\x92\\x02\\x00\\x00\\xe0X\\x1fN\\x92\\x02\\x00\\x00\\x00\\x00\\xf2w\\xfc\\x7f\\x00\\x00\\x00C\\xf3w\\xfc\\x7f\\x00\\x00\\x00\\xb0\\x06\\x00\\x00\\x00\\x00\\x00<\\x00>\\x00\\x00\\x00\\x00\\x00`V\\x1fN\\x92\\x02\\x00\\x00\\x14\\x00\\x16\\x00\\x00\\x00\\x00\\x00\\x88V\\x1fN\\x92\\x02\\x00\\x00\\xec\\xa2\\x08\\x00\\x06\\x00\\x00\\x00\\xa0\\xe5\\x1fN\\x92\\x02\\x00\\x00 \\xc3\\x13x\\xfc\\x7f\\x00\\x00\\xbc1\rz\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 91
          },
          {
            "timestamp": "2026-05-28 22:01:57,131",
            "thread_id": "1496",
            "caller": "0x7ffc75703fbc",
            "parentcaller": "0x7ffc75703c79",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2924e1f58c0"
              },
              {
                "name": "Size",
                "value": "0x00000088"
              },
              {
                "name": "Buffer",
                "value": "\\xa0\\\\x1fN\\x92\\x02\\x00\\x00\\xd0T\\x1fN\\x92\\x02\\x00\\x00\\xb0\\\\x1fN\\x92\\x02\\x00\\x00\\xe0T\\x1fN\\x92\\x02\\x00\\x00\\xf0T\\x1fN\\x92\\x02\\x00\\x00PM\\x1fN\\x92\\x02\\x00\\x00\\x00\\x00\nw\\xfc\\x7f\\x00\\x00\\x80\\xe1\\x0fw\\xfc\\x7f\\x00\\x00\\x00`\\x12\\x00\\x00\\x00\\x00\\x00<\\x00>\\x00\\x00\\x00\\x00\\x00PZ\\x1fN\\x92\\x02\\x00\\x00\\x14\\x00\\x16\\x00\\x00\\x00\\x00\\x00xZ\\x1fN\\x92\\x02\\x00\\x00\\xec\\xa2\\x08\\x00\\x06\\x00\\x00\\x00p\\xc1\\x13x\\xfc\\x7f\\x00\\x00\\xa0M\\x1fN\\x92\\x02\\x00\\x00\\x0f\\xf4P\\xa2\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 92
          },
          {
            "timestamp": "2026-05-28 22:01:57,131",
            "thread_id": "1496",
            "caller": "0x7ffc75703fbc",
            "parentcaller": "0x7ffc75703c79",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2924e1f5ca0"
              },
              {
                "name": "Size",
                "value": "0x00000088"
              },
              {
                "name": "Buffer",
                "value": "\\xe0`\\x1fN\\x92\\x02\\x00\\x00\\xc0X\\x1fN\\x92\\x02\\x00\\x00\\xf0`\\x1fN\\x92\\x02\\x00\\x00\\xd0X\\x1fN\\x92\\x02\\x00\\x00P\\xe5\\x1fN\\x92\\x02\\x00\\x00\\xf0c\\x1fN\\x92\\x02\\x00\\x00\\x00\\x00*v\\xfc\\x7f\\x00\\x00`\\x7f+v\\xfc\\x7f\\x00\\x00\\x00\\xe0\\x19\\x00\\x00\\x00\\x00\\x00<\\x00>\\x00\\x00\\x00\\x00\\x000^\\x1fN\\x92\\x02\\x00\\x00\\x14\\x00\\x16\\x00\\x00\\x00\\x00\\x00X^\\x1fN\\x92\\x02\\x00\\x00\\xec\\xa2\\x0c\\x00\\x06\\x00\\x00\\x00@\\xc1\\x13x\\xfc\\x7f\\x00\\x00@\\xc1\\x13x\\xfc\\x7f\\x00\\x00\\x19t\\xe4\\x12\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 93
          },
          {
            "timestamp": "2026-05-28 22:01:57,131",
            "thread_id": "1496",
            "caller": "0x7ffc75703fbc",
            "parentcaller": "0x7ffc75703c79",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2924e1f60e0"
              },
              {
                "name": "Size",
                "value": "0x00000088"
              },
              {
                "name": "Buffer",
                "value": "\\xd0c\\x1fN\\x92\\x02\\x00\\x00\\xa0\\\\x1fN\\x92\\x02\\x00\\x00\\xe0c\\x1fN\\x92\\x02\\x00\\x00\\xb0\\\\x1fN\\x92\\x02\\x00\\x000\\x90\\x1fN\\x92\\x02\\x00\\x00\\xf0T\\x1fN\\x92\\x02\\x00\\x00\\x00\\x00\\xa5u\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00 \\x02\\x00\\x00\\x00\\x00\\x00<\\x00>\\x00\\x00\\x00\\x00\\x00pb\\x1fN\\x92\\x02\\x00\\x00\\x14\\x00\\x16\\x00\\x00\\x00\\x00\\x00\\x98b\\x1fN\\x92\\x02\\x00\\x00\\xec\\xa2\\x08\\x00\\x06\\x00\\x00\\x00\\xf0\\x8b\\x1fN\\x92\\x02\\x00\\x00@\\xc2\\x13x\\xfc\\x7f\\x00\\x00\\x13\\x02\\xcd\r\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 94
          },
          {
            "timestamp": "2026-05-28 22:01:57,131",
            "thread_id": "1496",
            "caller": "0x7ffc75703fbc",
            "parentcaller": "0x7ffc75703c79",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2924e1f63d0"
              },
              {
                "name": "Size",
                "value": "0x00000088"
              },
              {
                "name": "Buffer",
                "value": "\\x80\\x8b\\x1fN\\x92\\x02\\x00\\x00\\xe0`\\x1fN\\x92\\x02\\x00\\x00\\x90\\x8b\\x1fN\\x92\\x02\\x00\\x00\\xf0`\\x1fN\\x92\\x02\\x00\\x00\\xc0\\\\x1fN\\x92\\x02\\x00\\x00\\xa0\\x8b\\x1fN\\x92\\x02\\x00\\x00\\x00\\x00\\xedw\\xfc\\x7f\\x00\\x00`I\\xedw\\xfc\\x7f\\x00\\x00\\x00\\xc0\\x02\\x00\\x00\\x00\\x00\\x00:\\x00<\\x00\\x00\\x00\\x00\\x00`e\\x1fN\\x92\\x02\\x00\\x00\\x12\\x00\\x14\\x00\\x00\\x00\\x00\\x00\\x88e\\x1fN\\x92\\x02\\x00\\x00\\xec\\xa2\\x0c\\x00\\x06\\x00\\x00\\x00P\\xc1\\x13x\\xfc\\x7f\\x00\\x00P\\xc1\\x13x\\xfc\\x7f\\x00\\x00\\xb5\\xf0\\x86p\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 95
          },
          {
            "timestamp": "2026-05-28 22:01:57,131",
            "thread_id": "1496",
            "caller": "0x7ffc75703fbc",
            "parentcaller": "0x7ffc75703c79",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2924e1f8b80"
              },
              {
                "name": "Size",
                "value": "0x00000088"
              },
              {
                "name": "Buffer",
                "value": "\\x10\\x90\\x1fN\\x92\\x02\\x00\\x00\\xd0c\\x1fN\\x92\\x02\\x00\\x00 \\x90\\x1fN\\x92\\x02\\x00\\x00\\xe0c\\x1fN\\x92\\x02\\x00\\x00\\xf0c\\x1fN\\x92\\x02\\x00\\x000\\x90\\x1fN\\x92\\x02\\x00\\x00\\x00\\x00\\xbeu\\xfc\\x7f\\x00\\x00\\x90\\x17\\xc1u\\xfc\\x7f\\x00\\x00\\x00\\xa0\\x11\\x00\\x00\\x00\\x00\\x00B\\x00D\\x00\\x00\\x00\\x00\\x00\\x10\\x8d\\x1fN\\x92\\x02\\x00\\x00\\x1a\\x00\\x1c\\x00\\x00\\x00\\x00\\x008\\x8d\\x1fN\\x92\\x02\\x00\\x00\\xec\\xa2\\x08\\x00\\x06\\x00\\x00\\x00\\x80\\x90\\x1fN\\x92\\x02\\x00\\x00Pa\\x1fN\\x92\\x02\\x00\\x00<\\xa0\\x89\\xf1\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 96
          },
          {
            "timestamp": "2026-05-28 22:01:57,131",
            "thread_id": "1496",
            "caller": "0x7ffc75703fbc",
            "parentcaller": "0x7ffc75703c79",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2924e1f9010"
              },
              {
                "name": "Size",
                "value": "0x00000088"
              },
              {
                "name": "Buffer",
                "value": "\\xd0\\xab\\x1fN\\x92\\x02\\x00\\x00\\x80\\x8b\\x1fN\\x92\\x02\\x00\\x00\\xe0\\xab\\x1fN\\x92\\x02\\x00\\x00\\x90\\x8b\\x1fN\\x92\\x02\\x00\\x00\\xa0\\x8b\\x1fN\\x92\\x02\\x00\\x00\\x00a\\x1fN\\x92\\x02\\x00\\x00\\x00\\x00\\x9bu\\xfc\\x7f\\x00\\x00\\x90S\\x9cu\\xfc\\x7f\\x00\\x00\\x00\\xd0\t\\x00\\x00\\x00\\x00\\x00B\\x00D\\x00\\x00\\x00\\x00\\x00\\xd0\\xa4\\x1fN\\x92\\x02\\x00\\x00\\x1a\\x00\\x1c\\x00\\x00\\x00\\x00\\x00\\xf8\\xa4\\x1fN\\x92\\x02\\x00\\x00\\xec\\xa2\\x0c\\x00\\x06\\x00\\x00\\x00P\\xbf\\x1fN\\x92\\x02\\x00\\x00\\xf0\\x8b\\x1fN\\x92\\x02\\x00\\x00\\xcf\\%9\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 97
          },
          {
            "timestamp": "2026-05-28 22:01:57,131",
            "thread_id": "1496",
            "caller": "0x7ffc75703fbc",
            "parentcaller": "0x7ffc75703c79",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2924e1fabd0"
              },
              {
                "name": "Size",
                "value": "0x00000088"
              },
              {
                "name": "Buffer",
                "value": "\\x00\\xaf\\x1fN\\x92\\x02\\x00\\x00\\x10\\x90\\x1fN\\x92\\x02\\x00\\x00\\x10\\xaf\\x1fN\\x92\\x02\\x00\\x00 \\x90\\x1fN\\x92\\x02\\x00\\x00@\\xba\\x1fN\\x92\\x02\\x00\\x00 \\xb2\\x1fN\\x92\\x02\\x00\\x00\\x00\\x00\\x1ew\\xfc\\x7f\\x00\\x00`X\\x1fw\\xfc\\x7f\\x00\\x00\\x00\\xf0\n\\x00\\x00\\x00\\x00\\x00@\\x00B\\x00\\x00\\x00\\x00\\x00\\xb0\\xa1\\x1fN\\x92\\x02\\x00\\x00\\x18\\x00\\x1a\\x00\\x00\\x00\\x00\\x00\\xd8\\xa1\\x1fN\\x92\\x02\\x00\\x00\\xec\\xa2\\x08\\x00\\x06\\x00\\x00\\x00\\x10\\xc4\\x1fN\\x92\\x02\\x00\\x00\\x00\\xc3\\x13x\\xfc\\x7f\\x00\\x00\\xef\\x1f\\x17#\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 98
          },
          {
            "timestamp": "2026-05-28 22:01:57,131",
            "thread_id": "1496",
            "caller": "0x7ffc75703fbc",
            "parentcaller": "0x7ffc75703c79",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2924e1faf00"
              },
              {
                "name": "Size",
                "value": "0x00000088"
              },
              {
                "name": "Buffer",
                "value": "\\x00\\xb2\\x1fN\\x92\\x02\\x00\\x00\\xd0\\xab\\x1fN\\x92\\x02\\x00\\x00\\x10\\xb2\\x1fN\\x92\\x02\\x00\\x00\\xe0\\xab\\x1fN\\x92\\x02\\x00\\x00 \\xb2\\x1fN\\x92\\x02\\x00\\x00P\\xe5\\x1fN\\x92\\x02\\x00\\x00\\x00\\x00)w\\xfc\\x7f\\x00\\x00Px)w\\xfc\\x7f\\x00\\x00\\x00\\xe0\t\\x00\\x00\\x00\\x00\\x00<\\x00>\\x00\\x00\\x00\\x00\\x00\\x00\\xa2\\x1fN\\x92\\x02\\x00\\x00\\x14\\x00\\x16\\x00\\x00\\x00\\x00\\x00(\\xa2\\x1fN\\x92\\x02\\x00\\x00\\xec\\xa2\\x08\\x00\\x06\\x00\\xff\\xff\\x00\\xfb\\x1fN\\x92\\x02\\x00\\x00\\xf0\\xc1\\x13x\\xfc\\x7f\\x00\\x00\\x04\\x0e\\xf6\\x9b\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 99
          },
          {
            "timestamp": "2026-05-28 22:01:57,131",
            "thread_id": "1496",
            "caller": "0x7ffc75703fbc",
            "parentcaller": "0x7ffc75703c79",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2924e1fb200"
              },
              {
                "name": "Size",
                "value": "0x00000088"
              },
              {
                "name": "Buffer",
                "value": " \\xba\\x1fN\\x92\\x02\\x00\\x00\\x00\\xaf\\x1fN\\x92\\x02\\x00\\x000\\xba\\x1fN\\x92\\x02\\x00\\x00\\x10\\xaf\\x1fN\\x92\\x02\\x00\\x00\\xf0\\xab\\x1fN\\x92\\x02\\x00\\x00 \\xaf\\x1fN\\x92\\x02\\x00\\x00\\x00\\x00fw\\xfc\\x7f\\x00\\x00p\\xcegw\\xfc\\x7f\\x00\\x00\\x00\\xc0\t\\x00\\x00\\x00\\x00\\x00>\\x00@\\x00\\x00\\x00\\x00\\x00P\\xa2\\x1fN\\x92\\x02\\x00\\x00\\x16\\x00\\x18\\x00\\x00\\x00\\x00\\x00x\\xa2\\x1fN\\x92\\x02\\x00\\x00\\xec\\xa2\\x0c\\x00\\x06\\x00\\x00\\x00\\xb0\\xc1\\x1fN\\x92\\x02\\x00\\x000\\xc2\\x13x\\xfc\\x7f\\x00\\x00\\x9a\\xb6\\xfa\\x9d\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 100
          },
          {
            "timestamp": "2026-05-28 22:01:57,131",
            "thread_id": "1496",
            "caller": "0x7ffc75703fbc",
            "parentcaller": "0x7ffc75703c79",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2924e1fba20"
              },
              {
                "name": "Size",
                "value": "0x00000088"
              },
              {
                "name": "Buffer",
                "value": "P\\xbb\\x1fN\\x92\\x02\\x00\\x00\\x00\\xb2\\x1fN\\x92\\x02\\x00\\x00`\\xbb\\x1fN\\x92\\x02\\x00\\x00\\x10\\xb2\\x1fN\\x92\\x02\\x00\\x00\\x10\\xb9\\x1fN\\x92\\x02\\x00\\x00\\xf0\\xab\\x1fN\\x92\\x02\\x00\\x00\\x00\\x00sv\\xfc\\x7f\\x00\\x00\\x80\\x12\\x84v\\xfc\\x7f\\x00\\x00\\x00Pt\\x00\\x00\\x00\\x00\\x00>\\x00@\\x00\\x00\\x00\\x00\\x00@\\xa3\\x1fN\\x92\\x02\\x00\\x00\\x16\\x00\\x18\\x00\\x00\\x00\\x00\\x00h\\xa3\\x1fN\\x92\\x02\\x00\\x00\\xec\\xa2\\x08\\x00\\x06\\x00\\xff\\xff0\\xb8\\x1fN\\x92\\x02\\x00\\x00\\x90\\xc1\\x13x\\xfc\\x7f\\x00\\x00CA\\xda\\xc3\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 101
          },
          {
            "timestamp": "2026-05-28 22:01:57,131",
            "thread_id": "1496",
            "caller": "0x7ffc75703fbc",
            "parentcaller": "0x7ffc75703c79",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2924e1fbb50"
              },
              {
                "name": "Size",
                "value": "0x00000088"
              },
              {
                "name": "Buffer",
                "value": "\\xf0\\xb8\\x1fN\\x92\\x02\\x00\\x00 \\xba\\x1fN\\x92\\x02\\x00\\x00\\x00\\xb9\\x1fN\\x92\\x02\\x00\\x000\\xba\\x1fN\\x92\\x02\\x00\\x00\\xb0\\xb6\\x1fN\\x92\\x02\\x00\\x00\\x10\\xb9\\x1fN\\x92\\x02\\x00\\x00\\x00\\x00\\xf6v\\xfc\\x7f\\x00\\x00\\xb0e\\xf8v\\xfc\\x7f\\x00\\x00\\x00\\xb0\\x12\\x00\\x00\\x00\\x00\\x00:\\x00<\\x00\\x00\\x00\\x00\\x00\\x90\\xa3\\x1fN\\x92\\x02\\x00\\x00\\x12\\x00\\x14\\x00\\x00\\x00\\x00\\x00\\xb8\\xa3\\x1fN\\x92\\x02\\x00\\x00\\xec\\xa2\\x08\\x00\\x06\\x00\\xff\\xff0\\xfc\\x1fN\\x92\\x02\\x00\\x00\\x10\\xc3\\x13x\\xfc\\x7f\\x00\\x00\\xb5}]\\xc1\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 102
          },
          {
            "timestamp": "2026-05-28 22:01:57,131",
            "thread_id": "1496",
            "caller": "0x7ffc75703fbc",
            "parentcaller": "0x7ffc75703c79",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2924e1fb8f0"
              },
              {
                "name": "Size",
                "value": "0x00000088"
              },
              {
                "name": "Buffer",
                "value": "\\x90\\xb6\\x1fN\\x92\\x02\\x00\\x00P\\xbb\\x1fN\\x92\\x02\\x00\\x00\\xa0\\xb6\\x1fN\\x92\\x02\\x00\\x00`\\xbb\\x1fN\\x92\\x02\\x00\\x00p\\xbb\\x1fN\\x92\\x02\\x00\\x00@\\xba\\x1fN\\x92\\x02\\x00\\x00\\x00\\x00\\xb7w\\xfc\\x7f\\x00\\x00\\xf0I\\xc6w\\xfc\\x7f\\x00\\x00\\x00@5\\x00\\x00\\x00\\x00\\x00>\\x00@\\x00\\x00\\x00\\x00\\x00 \\xa0\\x1fN\\x92\\x02\\x00\\x00\\x16\\x00\\x18\\x00\\x00\\x00\\x00\\x00H\\xa0\\x1fN\\x92\\x02\\x00\\x00\\xec\\xa2\\x08\\x00\\x06\\x00\\xff\\xff\\xc0\\xc1\\x13x\\xfc\\x7f\\x00\\x00\\xc0\\xc1\\x13x\\xfc\\x7f\\x00\\x00=}>a\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 103
          },
          {
            "timestamp": "2026-05-28 22:01:57,131",
            "thread_id": "1496",
            "caller": "0x7ffc75703fbc",
            "parentcaller": "0x7ffc75703c79",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2924e1fb690"
              },
              {
                "name": "Size",
                "value": "0x00000088"
              },
              {
                "name": "Buffer",
                "value": "\\xe0\\xbe\\x1fN\\x92\\x02\\x00\\x00\\xf0\\xb8\\x1fN\\x92\\x02\\x00\\x00\\xf0\\xbe\\x1fN\\x92\\x02\\x00\\x00\\x00\\xb9\\x1fN\\x92\\x02\\x00\\x00\\x00\\xbf\\x1fN\\x92\\x02\\x00\\x00p\\xbb\\x1fN\\x92\\x02\\x00\\x00\\x00\\x003w\\xfc\\x7f\\x00\\x00P\\xe74w\\xfc\\x7f\\x00\\x00\\x00\\xd0\\x0c\\x00\\x00\\x00\\x00\\x00@\\x00B\\x00\\x00\\x00\\x00\\x00\\xa0\\xa2\\x1fN\\x92\\x02\\x00\\x00\\x18\\x00\\x1a\\x00\\x00\\x00\\x00\\x00\\xc8\\xa2\\x1fN\\x92\\x02\\x00\\x00\\xec\\xa2\\x08\\x00\\x06\\x00\\xff\\xff0\\xe9\\x1fN\\x92\\x02\\x00\\x00\\x10\\xc2\\x13x\\xfc\\x7f\\x00\\x00\\xf1\\xdf.\\xd4\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 104
          },
          {
            "timestamp": "2026-05-28 22:01:57,131",
            "thread_id": "1496",
            "caller": "0x7ffc75703fbc",
            "parentcaller": "0x7ffc75703c79",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2924e1fbee0"
              },
              {
                "name": "Size",
                "value": "0x00000088"
              },
              {
                "name": "Buffer",
                "value": "\\xb0\\xbd\\x1fN\\x92\\x02\\x00\\x00\\x90\\xb6\\x1fN\\x92\\x02\\x00\\x00\\xc0\\xbd\\x1fN\\x92\\x02\\x00\\x00\\xa0\\xb6\\x1fN\\x92\\x02\\x00\\x00\\xd0\\xbd\\x1fN\\x92\\x02\\x00\\x00\\xb0\\xb6\\x1fN\\x92\\x02\\x00\\x00\\x00\\x00mv\\xfc\\x7f\\x00\\x00\\xa0\\xa7mv\\xfc\\x7f\\x00\\x00\\x00P\\x05\\x00\\x00\\x00\\x00\\x00>\\x00@\\x00\\x00\\x00\\x00\\x00\\xf0\\xa2\\x1fN\\x92\\x02\\x00\\x00\\x16\\x00\\x18\\x00\\x00\\x00\\x00\\x00\\x18\\xa3\\x1fN\\x92\\x02\\x00\\x00\\xec\\xa2\\x0c\\x00\\x06\\x00\\x00\\x00@\\xc2\\x13x\\xfc\\x7f\\x00\\x00\\x80\\x90\\x1fN\\x92\\x02\\x00\\x00S\\xbe\\xd5!\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 105
          },
          {
            "timestamp": "2026-05-28 22:01:57,131",
            "thread_id": "1496",
            "caller": "0x7ffc75703fbc",
            "parentcaller": "0x7ffc75703c79",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2924e1fbdb0"
              },
              {
                "name": "Size",
                "value": "0x00000088"
              },
              {
                "name": "Buffer",
                "value": "\\x10\\xc0\\x1fN\\x92\\x02\\x00\\x00\\xe0\\xbe\\x1fN\\x92\\x02\\x00\\x00 \\xc0\\x1fN\\x92\\x02\\x00\\x00\\xf0\\xbe\\x1fN\\x92\\x02\\x00\\x00\\xf0\\xe2\\x1fN\\x92\\x02\\x00\\x00\\x00\\xbf\\x1fN\\x92\\x02\\x00\\x00\\x00\\x00\\xe0u\\xfc\\x7f\\x00\\x00\\xf0\\x90\\xe0u\\xfc\\x7f\\x00\\x00\\x00p\\x02\\x00\\x00\\x00\\x00\\x00<\\x00>\\x00\\x00\\x00\\x00\\x00\\xe0\\xa3\\x1fN\\x92\\x02\\x00\\x00\\x14\\x00\\x16\\x00\\x00\\x00\\x00\\x00\\x08\\xa4\\x1fN\\x92\\x02\\x00\\x00\\xec\\xa2\\x0c\\x00\\x06\\x00\\x00\\x00`\\xc1\\x13x\\xfc\\x7f\\x00\\x00`\\xc1\\x13x\\xfc\\x7f\\x00\\x00C\\xb9#\\x97\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 106
          },
          {
            "timestamp": "2026-05-28 22:01:57,131",
            "thread_id": "1496",
            "caller": "0x7ffc75703fbc",
            "parentcaller": "0x7ffc75703c79",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2924e1fc010"
              },
              {
                "name": "Size",
                "value": "0x00000088"
              },
              {
                "name": "Buffer",
                "value": "\\x80\\xed\\x1fN\\x92\\x02\\x00\\x00\\xb0\\xbd\\x1fN\\x92\\x02\\x00\\x00\\x90\\xed\\x1fN\\x92\\x02\\x00\\x00\\xc0\\xbd\\x1fN\\x92\\x02\\x00\\x00`\\xc1\\x1fN\\x92\\x02\\x00\\x00\\xe0\\xe8\\x1fN\\x92\\x02\\x00\\x00\\x00\\x00\\x1dw\\xfc\\x7f\\x00\\x00\\xf0\"\\x1dw\\xfc\\x7f\\x00\\x00\\x00\\x80\\x00\\x00\\x00\\x00\\x00\\x006\\x008\\x00\\x00\\x00\\x00\\x00\\xa0\\xdb\\x1fN\\x92\\x02\\x00\\x00\\x0e\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\xc8\\xdb\\x1fN\\x92\\x02\\x00\\x00\\xec\\xa2\\x0c\\x00\\x06\\x00\\x00\\x00\\xe0\\xc2\\x13x\\xfc\\x7f\\x00\\x00\\xe0\\xc2\\x13x\\xfc\\x7f\\x00\\x00@\\xe2\\xe3o\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 107
          },
          {
            "timestamp": "2026-05-28 22:01:57,131",
            "thread_id": "1496",
            "caller": "0x7ffc75703fbc",
            "parentcaller": "0x7ffc75703c79",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2924e1fed80"
              },
              {
                "name": "Size",
                "value": "0x00000088"
              },
              {
                "name": "Buffer",
                "value": "0\\xf8\\x1fN\\x92\\x02\\x00\\x00\\x10\\xc0\\x1fN\\x92\\x02\\x00\\x00@\\xf8\\x1fN\\x92\\x02\\x00\\x00 \\xc0\\x1fN\\x92\\x02\\x00\\x00\\x90\\xc2\\x1fN\\x92\\x02\\x00\\x00P\\xf8\\x1fN\\x92\\x02\\x00\\x00\\x00\\x00pw\\xfc\\x7f\\x00\\x00\\xa04rw\\xfc\\x7f\\x00\\x00\\x00\\xe0F\\x00\\x00\\x00\\x00\\x00@\\x00B\\x00\\x00\\x00\\x00\\x000\\x9f\\x1fN\\x92\\x02\\x00\\x00\\x18\\x00\\x1a\\x00\\x00\\x00\\x00\\x00X\\x9f\\x1fN\\x92\\x02\\x00\\x00\\xec\\xa2\\x08\\x00\\x06\\x00\\x00\\x00p\\xc2\\x13x\\xfc\\x7f\\x00\\x00p\\xc2\\x13x\\xfc\\x7f\\x00\\x00\"%\\x88W\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 108
          },
          {
            "timestamp": "2026-05-28 22:01:57,131",
            "thread_id": "1496",
            "caller": "0x7ffc75703fbc",
            "parentcaller": "0x7ffc75703c79",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2924e1ff830"
              },
              {
                "name": "Size",
                "value": "0x00000088"
              },
              {
                "name": "Buffer",
                "value": "p\\xc2\\x1fN\\x92\\x02\\x00\\x00\\x80\\xed\\x1fN\\x92\\x02\\x00\\x00\\x80\\xc2\\x1fN\\x92\\x02\\x00\\x00\\x90\\xed\\x1fN\\x92\\x02\\x00\\x00\\xa0\\xed\\x1fN\\x92\\x02\\x00\\x00\\x90\\xf3\\x1fN\\x92\\x02\\x00\\x00\\x00\\x00\\xf5u\\xfc\\x7f\\x00\\x00P7\\xf6u\\xfc\\x7f\\x00\\x00\\x00\\xe0\\x04\\x00\\x00\\x00\\x00\\x00@\\x00B\\x00\\x00\\x00\\x00\\x00`\\xa1\\x1fN\\x92\\x02\\x00\\x00\\x18\\x00\\x1a\\x00\\x00\\x00\\x00\\x00\\x88\\xa1\\x1fN\\x92\\x02\\x00\\x00\\xec\\xa2\\x0c\\x00\\x06\\x00\\x00\\x00\\xe0\\xc2\\x1fN\\x92\\x02\\x00\\x00\\xd0\\xc1\\x13x\\xfc\\x7f\\x00\\x00]\\x81\\xde\\x1e\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 109
          },
          {
            "timestamp": "2026-05-28 22:01:57,131",
            "thread_id": "1496",
            "caller": "0x7ffc75703fbc",
            "parentcaller": "0x7ffc75703c79",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2924e1fc270"
              },
              {
                "name": "Size",
                "value": "0x00000088"
              },
              {
                "name": "Buffer",
                "value": "@\\xc1\\x1fN\\x92\\x02\\x00\\x000\\xf8\\x1fN\\x92\\x02\\x00\\x00P\\xc1\\x1fN\\x92\\x02\\x00\\x00@\\xf8\\x1fN\\x92\\x02\\x00\\x00\\xe0\\xe8\\x1fN\\x92\\x02\\x00\\x00\\xa0\\xed\\x1fN\\x92\\x02\\x00\\x00\\x00\\x00Fu\\xfc\\x7f\\x00\\x00\\x804Fu\\xfc\\x7f\\x00\\x00\\x00\\xb0\\x04\\x00\\x00\\x00\\x00\\x00@\\x00B\\x00\\x00\\x00\\x00\\x00\\xa0\\x9d\\x1fN\\x92\\x02\\x00\\x00\\x18\\x00\\x1a\\x00\\x00\\x00\\x00\\x00\\xc8\\x9d\\x1fN\\x92\\x02\\x00\\x00\\xec\\xa2\\x0c\\x00\\x06\\x00\\x00\\x00\\xd0\\xf9\\x1fN\\x92\\x02\\x00\\x00\\xa0\\xf8\\x1fN\\x92\\x02\\x00\\x00\\x08\\x95\\x19\\x06\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 110
          },
          {
            "timestamp": "2026-05-28 22:01:57,131",
            "thread_id": "1496",
            "caller": "0x7ffc75703fbc",
            "parentcaller": "0x7ffc75703c79",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2924e1fc140"
              },
              {
                "name": "Size",
                "value": "0x00000088"
              },
              {
                "name": "Buffer",
                "value": "\\xa0\\xc3\\x1fN\\x92\\x02\\x00\\x00p\\xc2\\x1fN\\x92\\x02\\x00\\x00\\xb0\\xc3\\x1fN\\x92\\x02\\x00\\x00\\x80\\xc2\\x1fN\\x92\\x02\\x00\\x00\\xc0\\xc3\\x1fN\\x92\\x02\\x00\\x000\\xc0\\x1fN\\x92\\x02\\x00\\x00\\x00\\x00\\xe0a\\xfc\\x7f\\x00\\x00p\\x9e\\xe9a\\xfc\\x7f\\x00\\x00\\x00\\xa0)\\x00\\x00\\x00\\x00\\x00\\xf8\\x00\\xfa\\x00\\x00\\x00\\x00\\x00\\xb0' N\\x92\\x02\\x00\\x00\\x18\\x00\\x1a\\x00\\x00\\x00\\x00\\x00\\x90( N\\x92\\x02\\x00\\x00\\xec\\xa2\\x08\\x10\\x06\\x00\\xff\\xff0\\xc2\\x13x\\xfc\\x7f\\x00\\x00p\\xb2\\x1fN\\x92\\x02\\x00\\x00\\xed\\xb6\\x1eK\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 111
          },
          {
            "timestamp": "2026-05-28 22:01:57,131",
            "thread_id": "1496",
            "caller": "0x7ffc75703fbc",
            "parentcaller": "0x7ffc75703c79",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2924e1fc3a0"
              },
              {
                "name": "Size",
                "value": "0x00000088"
              },
              {
                "name": "Buffer",
                "value": "`\\xb5\\x1fN\\x92\\x02\\x00\\x00@\\xc1\\x1fN\\x92\\x02\\x00\\x00p\\xb5\\x1fN\\x92\\x02\\x00\\x00P\\xc1\\x1fN\\x92\\x02\\x00\\x00\\x80\\xb5\\x1fN\\x92\\x02\\x00\\x00`\\xc1\\x1fN\\x92\\x02\\x00\\x00\\x00\\x00\ns\\xfc\\x7f\\x00\\x00p\\x8c\\x0cs\\xfc\\x7f\\x00\\x00\\x00\\xe0\t\\x00\\x00\\x00\\x00\\x00>\\x00@\\x00\\x92\\x02\\x00\\x00\\xd0\\x9f\\x1fN\\x92\\x02\\x00\\x00\\x16\\x00\\x18\\x00\\x00\\x00\\x00\\x00\\xf8\\x9f\\x1fN\\x92\\x02\\x00\\x00\\xec\\xa2\\x0c\\x00\\x06\\x00\\x00\\x00\\x00\\xc3\\x13x\\xfc\\x7f\\x00\\x00@\\xac\\x1fN\\x92\\x02\\x00\\x006\\x88\\x10\\x16\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 112
          },
          {
            "timestamp": "2026-05-28 22:01:57,131",
            "thread_id": "1496",
            "caller": "0x7ffc75703fbc",
            "parentcaller": "0x7ffc75703c79",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2924e1fb560"
              },
              {
                "name": "Size",
                "value": "0x00000088"
              },
              {
                "name": "Buffer",
                "value": "\\xc0\\xb7\\x1fN\\x92\\x02\\x00\\x00\\xa0\\xc3\\x1fN\\x92\\x02\\x00\\x00\\xd0\\xb7\\x1fN\\x92\\x02\\x00\\x00\\xb0\\xc3\\x1fN\\x92\\x02\\x00\\x00\\xe0\\xb7\\x1fN\\x92\\x02\\x00\\x00\\xc0\\xc3\\x1fN\\x92\\x02\\x00\\x00\\x00\\x00\\x99k\\xfc\\x7f\\x00\\x00\\xc0\\x16\\x99k\\xfc\\x7f\\x00\\x00\\x00\\x90\\x01\\x00\\x00\\x00\\x00\\x00<\\x00>\\x00\\x92\\x02\\x00\\x00\\x10\\xa1\\x1fN\\x92\\x02\\x00\\x00\\x14\\x00\\x16\\x00\\x00\\x00\\x00\\x008\\xa1\\x1fN\\x92\\x02\\x00\\x00\\xec\\xa2\\x0c\\x00\\x06\\x00\\x00\\x00\\xc0\\xc2\\x13x\\xfc\\x7f\\x00\\x00\\xc0\\xc2\\x13x\\xfc\\x7f\\x00\\x00\\x1e\\xc3a\\x08\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 113
          },
          {
            "timestamp": "2026-05-28 22:01:57,131",
            "thread_id": "1496",
            "caller": "0x7ffc75703fbc",
            "parentcaller": "0x7ffc75703c79",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2924e1fb7c0"
              },
              {
                "name": "Size",
                "value": "0x00000088"
              },
              {
                "name": "Buffer",
                "value": "@\\xf2\\x1fN\\x92\\x02\\x00\\x00`\\xb5\\x1fN\\x92\\x02\\x00\\x00P\\xf2\\x1fN\\x92\\x02\\x00\\x00p\\xb5\\x1fN\\x92\\x02\\x00\\x00`\\xf2\\x1fN\\x92\\x02\\x00\\x00\\x80\\xb5\\x1fN\\x92\\x02\\x00\\x00\\x00\\x00\\xa9j\\xfc\\x7f\\x00\\x00 R\\xaaj\\xfc\\x7f\\x00\\x00\\x00P\t\\x00\\x00\\x00\\x00\\x00:\\x00<\\x00\\x92\\x02\\x00\\x00\\xf0\\x9d\\x1fN\\x92\\x02\\x00\\x00\\x12\\x00\\x14\\x00\\x00\\x00\\x00\\x00\\x18\\x9e\\x1fN\\x92\\x02\\x00\\x00\\xec\\xa2\\x08\\x00\\x06\\x00\\xff\\xff\\x80\\xf1\\x1fN\\x92\\x02\\x00\\x00\\x90\\xba\\x1fN\\x92\\x02\\x00\\x00}\\x0bF\r\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 114
          },
          {
            "timestamp": "2026-05-28 22:01:57,131",
            "thread_id": "1496",
            "caller": "0x7ffc75703fbc",
            "parentcaller": "0x7ffc75703c79",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2924e1ff240"
              },
              {
                "name": "Size",
                "value": "0x00000088"
              },
              {
                "name": "Buffer",
                "value": "P\\xff\\x1fN\\x92\\x02\\x00\\x00\\xc0\\xb7\\x1fN\\x92\\x02\\x00\\x00`\\xff\\x1fN\\x92\\x02\\x00\\x00\\xd0\\xb7\\x1fN\\x92\\x02\\x00\\x00p\\xff\\x1fN\\x92\\x02\\x00\\x00\\xe0\\xb7\\x1fN\\x92\\x02\\x00\\x00\\x00\\x00\\x1f`\\xfc\\x7f\\x00\\x00pR#`\\xfc\\x7f\\x00\\x00\\x00\\xe0\\x1a\\x00\\x00\\x00\\x00\\x00:\\x00<\\x00\\x92\\x02\\x00\\x00\\xb0< N\\x92\\x02\\x00\\x00\\x12\\x00\\x14\\x00\\x00\\x00\\x00\\x00\\xd8< N\\x92\\x02\\x00\\x00\\xec\\xa2\\x08\\x00\\x06\\x00\\xff\\xff\\xb0\\xc1\\x13x\\xfc\\x7f\\x00\\x00\\xb0\\xc1\\x13x\\xfc\\x7f\\x00\\x00n\\xea\\xab\\xed\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 115
          },
          {
            "timestamp": "2026-05-28 22:01:57,131",
            "thread_id": "1496",
            "caller": "0x7ffc75703fbc",
            "parentcaller": "0x7ffc75703c79",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2924e1fff50"
              },
              {
                "name": "Size",
                "value": "0x00000088"
              },
              {
                "name": "Buffer",
                "value": "`\\xf9\\x1fN\\x92\\x02\\x00\\x00@\\xf2\\x1fN\\x92\\x02\\x00\\x00p\\xf9\\x1fN\\x92\\x02\\x00\\x00P\\xf2\\x1fN\\x92\\x02\\x00\\x00\\x80\\xf9\\x1fN\\x92\\x02\\x00\\x00`\\xf2\\x1fN\\x92\\x02\\x00\\x00\\x00\\x00w^\\xfc\\x7f\\x00\\x00P5w^\\xfc\\x7f\\x00\\x00\\x00\\x90\\x04\\x00\\x00\\x00\\x00\\x006\\x008\\x00\\x92\\x02\\x00\\x00\\xf0N N\\x92\\x02\\x00\\x00\\x0e\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x18O N\\x92\\x02\\x00\\x00\\xec\\xa2\\x0c\\x00\\x06\\x00\\x00\\x00\\xe0\\xf3\\x1fN\\x92\\x02\\x00\\x00\\xe0\\xc1\\x13x\\xfc\\x7f\\x00\\x00v\\x0cU\\xc3\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 116
          },
          {
            "timestamp": "2026-05-28 22:01:57,131",
            "thread_id": "1496",
            "caller": "0x7ffc75703fbc",
            "parentcaller": "0x7ffc75703c79",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2924e1ff960"
              },
              {
                "name": "Size",
                "value": "0x00000088"
              },
              {
                "name": "Buffer",
                "value": "\\xe0\\xef\\x1fN\\x92\\x02\\x00\\x00P\\xff\\x1fN\\x92\\x02\\x00\\x00\\xf0\\xef\\x1fN\\x92\\x02\\x00\\x00`\\xff\\x1fN\\x92\\x02\\x00\\x00\\x00\\xf0\\x1fN\\x92\\x02\\x00\\x00p\\xff\\x1fN\\x92\\x02\\x00\\x00\\x00\\x007n\\xfc\\x7f\\x00\\x00@\\x1a9n\\xfc\\x7f\\x00\\x00\\x00\\xb0\\x03\\x00\\x00\\x00\\x00\\x00<\\x00>\\x00\\x92\\x02\\x00\\x00@9 N\\x92\\x02\\x00\\x00\\x14\\x00\\x16\\x00\\x00\\x00\\x00\\x00h9 N\\x92\\x02\\x00\\x00\\xec\\xa2\\x08\\x00\\x06\\x00\\xff\\xff\\xd0\\xc1\\x13x\\xfc\\x7f\\x00\\x00\\xe0\\xc2\\x1fN\\x92\\x02\\x00\\x00\\x0e\\x82\\xd7\\x1f\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 117
          },
          {
            "timestamp": "2026-05-28 22:01:57,131",
            "thread_id": "1496",
            "caller": "0x7ffc75703fbc",
            "parentcaller": "0x7ffc75703c79",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2924e1fefe0"
              },
              {
                "name": "Size",
                "value": "0x00000088"
              },
              {
                "name": "Buffer",
                "value": "\\x90\\xfa\\x1fN\\x92\\x02\\x00\\x00`\\xf9\\x1fN\\x92\\x02\\x00\\x00\\xa0\\xfa\\x1fN\\x92\\x02\\x00\\x00p\\xf9\\x1fN\\x92\\x02\\x00\\x00\\xf0\\xc4\\x13x\\xfc\\x7f\\x00\\x00\\x80\\xf9\\x1fN\\x92\\x02\\x00\\x00\\x00\\x00\\xf7s\\xfc\\x7f\\x00\\x00\\xc0d\\xf9s\\xfc\\x7f\\x00\\x00\\x000\\x0f\\x00\\x00\\x00\\x00\\x008\\x00:\\x00\\x92\\x02\\x00\\x00\\x10A N\\x92\\x02\\x00\\x00\\x10\\x00\\x12\\x00\\x00\\x00\\x00\\x008A N\\x92\\x02\\x00\\x00\\xec\\xa2\\x00\\x00\\x06\\x00\\x00\\x00@\\xf6\\x1fN\\x92\\x02\\x00\\x00\\x00\\xc2\\x13x\\xfc\\x7f\\x00\\x00k;\\xec\\xee\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 118
          },
          {
            "timestamp": "2026-05-28 22:01:57,131",
            "thread_id": "1496",
            "caller": "0x7ffc76042a0e",
            "parentcaller": "0x7ffc73f71242",
            "category": "synchronization",
            "api": "NtAddAtomEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "AtomName",
                "value": "D3D9_IdHot_Ctrl_SnapDesktop"
              },
              {
                "name": "Atom",
                "value": "0x0000c01a"
              }
            ],
            "repeated": 0,
            "id": 119
          },
          {
            "timestamp": "2026-05-28 22:01:57,131",
            "thread_id": "1496",
            "caller": "0x7ffc77fde715",
            "parentcaller": "0x7ffc77fde37b",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2924e222000"
              },
              {
                "name": "RegionSize",
                "value": "0x00003000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 120
          },
          {
            "timestamp": "2026-05-28 22:01:57,131",
            "thread_id": "1496",
            "caller": "0x7ffc77fde715",
            "parentcaller": "0x7ffc77fde37b",
            "category": "system",
            "api": "LdrpCallInitRoutine",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "MappedPath",
                "value": "\\Device\\HarddiskVolume2\\Windows\\System32\\dxgi"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc73f70000"
              },
              {
                "name": "InitRoutine",
                "value": "0x7ffc73f964c0"
              },
              {
                "name": "Reason",
                "value": "1"
              }
            ],
            "repeated": 0,
            "id": 121
          },
          {
            "timestamp": "2026-05-28 22:01:57,131",
            "thread_id": "1496",
            "caller": "0x7ffc75703f3b",
            "parentcaller": "0x7ffc75703c79",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0xf09d85c018"
              },
              {
                "name": "Size",
                "value": "0x00000008"
              },
              {
                "name": "Buffer",
                "value": "\\xc0\\xc4\\x13x\\xfc\\x7f\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 122
          },
          {
            "timestamp": "2026-05-28 22:01:57,131",
            "thread_id": "1496",
            "caller": "0x7ffc75703f7a",
            "parentcaller": "0x7ffc75703c79",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc7813c4e0"
              },
              {
                "name": "Size",
                "value": "0x00000008"
              },
              {
                "name": "Buffer",
                "value": "\\x90%\\x1fN\\x92\\x02\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 123
          },
          {
            "timestamp": "2026-05-28 22:01:57,131",
            "thread_id": "1496",
            "caller": "0x7ffc75703fbc",
            "parentcaller": "0x7ffc75703c79",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2924e1f2580"
              },
              {
                "name": "Size",
                "value": "0x00000088"
              },
              {
                "name": "Buffer",
                "value": "\\xf0#\\x1fN\\x92\\x02\\x00\\x00\\xd0\\xc4\\x13x\\xfc\\x7f\\x00\\x00\\x00$\\x1fN\\x92\\x02\\x00\\x00\\xe0\\xc4\\x13x\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x8b\\xc2\\xf6\\x7f\\x00\\x00\\xf0\\x00\\x8e\\xc2\\xf6\\x7f\\x00\\x00\\x00\\x00\\x13\\x00\\x00\\x00\\x00\\x00>\\x00@\\x00\\x00\\x00\\x00\\x00\\xf8!\\x1fN\\x92\\x02\\x00\\x00\\x16\\x00\\x18\\x00\\x00\\x00\\x00\\x00 \"\\x1fN\\x92\\x02\\x00\\x00\\xcc\\xa2\\x00\\x00\\xff\\xff\\xff\\xff\\x80Q\\x1fN\\x92\\x02\\x00\\x00\\xb0\\xc2\\x13x\\xfc\\x7f\\x00\\x00u\\x00|V\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 124
          },
          {
            "timestamp": "2026-05-28 22:01:57,131",
            "thread_id": "1496",
            "caller": "0x7ffc75703fbc",
            "parentcaller": "0x7ffc75703c79",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2924e1f23f0"
              },
              {
                "name": "Size",
                "value": "0x00000088"
              },
              {
                "name": "Buffer",
                "value": "\\x10+\\x1fN\\x92\\x02\\x00\\x00\\x80%\\x1fN\\x92\\x02\\x00\\x00 +\\x1fN\\x92\\x02\\x00\\x00\\x90%\\x1fN\\x92\\x02\\x00\\x00@1\\x1fN\\x92\\x02\\x00\\x00\\xf0\\xc4\\x13x\\xfc\\x7f\\x00\\x00\\x00\\x00\\xfdw\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x80\\x1f\\x00\\x00\\x00\\x00\\x00:\\x00<\\x00\\x00\\x00\\x00\\x00\\xf0\"\\x1fN\\x92\\x02\\x00\\x00\\x12\\x00\\x14\\x00\\x00\\x00\\x00\\x00\\xb0\\xd9\\x0fx\\xfc\\x7f\\x00\\x00\\xc4\\xa2\\x00\\x00\\xff\\xff\\x00\\x00\\x80\\xc2\\x13x\\xfc\\x7f\\x00\\x00\\x80\\xc2\\x13x\\xfc\\x7f\\x00\\x00o\\xaad\\x9b\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 125
          },
          {
            "timestamp": "2026-05-28 22:01:57,131",
            "thread_id": "1496",
            "caller": "0x7ffc75703fbc",
            "parentcaller": "0x7ffc75703c79",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2924e1f2b10"
              },
              {
                "name": "Size",
                "value": "0x00000088"
              },
              {
                "name": "Buffer",
                "value": " 1\\x1fN\\x92\\x02\\x00\\x00\\xf0#\\x1fN\\x92\\x02\\x00\\x0001\\x1fN\\x92\\x02\\x00\\x00\\x00$\\x1fN\\x92\\x02\\x00\\x000Q\\x1fN\\x92\\x02\\x00\\x00@1\\x1fN\\x92\\x02\\x00\\x00\\x00\\x00\\x03v\\xfc\\x7f\\x00\\x00\\xe0s\\x04v\\xfc\\x7f\\x00\\x00\\x00\\xd0\\x0b\\x00\\x00\\x00\\x00\\x00@\\x00B\\x00\\x00\\x00\\x00\\x00\\xa0,\\x1fN\\x92\\x02\\x00\\x00\\x18\\x00\\x1a\\x00\\x00\\x00\\x00\\x00\\xc8,\\x1fN\\x92\\x02\\x00\\x00\\xcc\\xa2\\x0c\\x00\\xff\\xff\\x00\\x00`\\xc2\\x13x\\xfc\\x7f\\x00\\x00`\\xc2\\x13x\\xfc\\x7f\\x00\\x00'\\xda\\xc9\\x9e\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 126
          },
          {
            "timestamp": "2026-05-28 22:01:57,131",
            "thread_id": "1496",
            "caller": "0x7ffc75703fbc",
            "parentcaller": "0x7ffc75703c79",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2924e1f3120"
              },
              {
                "name": "Size",
                "value": "0x00000088"
              },
              {
                "name": "Buffer",
                "value": "0M\\x1fN\\x92\\x02\\x00\\x00\\x10+\\x1fN\\x92\\x02\\x00\\x00@M\\x1fN\\x92\\x02\\x00\\x00 +\\x1fN\\x92\\x02\\x00\\x000+\\x1fN\\x92\\x02\\x00\\x00\\x10$\\x1fN\\x92\\x02\\x00\\x00\\x00\\x00ku\\xfc\\x7f\\x00\\x00\\xb0glu\\xfc\\x7f\\x00\\x00\\x00`/\\x00\\x00\\x00\\x00\\x00D\\x00F\\x00\\x00\\x00\\x00\\x00\\xb02\\x1fN\\x92\\x02\\x00\\x00\\x1c\\x00\\x1e\\x00\\x00\\x00\\x00\\x00\\xd82\\x1fN\\x92\\x02\\x00\\x00\\xcc\\xa2\\x08\\x00\\xff\\xff\\xff\\xff\\x80\\xc1\\x13x\\xfc\\x7f\\x00\\x00\\x80\\xc1\\x13x\\xfc\\x7f\\x00\\x00\\x12\\x8f\\x0f\\xd8\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 127
          },
          {
            "timestamp": "2026-05-28 22:01:57,131",
            "thread_id": "1496",
            "caller": "0x7ffc75703fbc",
            "parentcaller": "0x7ffc75703c79",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2924e1f4d30"
              },
              {
                "name": "Size",
                "value": "0x00000088"
              },
              {
                "name": "Buffer",
                "value": "\\x10Q\\x1fN\\x92\\x02\\x00\\x00 1\\x1fN\\x92\\x02\\x00\\x00 Q\\x1fN\\x92\\x02\\x00\\x0001\\x1fN\\x92\\x02\\x00\\x00\\xe0X\\x1fN\\x92\\x02\\x00\\x000Q\\x1fN\\x92\\x02\\x00\\x00\\x00\\x00\\xa8u\\xfc\\x7f\\x00\\x00\\xb0\\xfa\\xacu\\xfc\\x7f\\x00\\x00\\x00\\xd0\\x15\\x00\\x00\\x00\\x00\\x00>\\x00@\\x00\\x00\\x00\\x00\\x00`N\\x1fN\\x92\\x02\\x00\\x00\\x16\\x00\\x18\\x00\\x00\\x00\\x00\\x00\\x88N\\x1fN\\x92\\x02\\x00\\x00\\xec\\xa2\\x08\\x00\\x06\\x00\\xff\\xff0Y\\x1fN\\x92\\x02\\x00\\x00p\\xc1\\x13x\\xfc\\x7f\\x00\\x00Yo\\xd4\\xce\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 128
          },
          {
            "timestamp": "2026-05-28 22:01:57,131",
            "thread_id": "1496",
            "caller": "0x7ffc75703fbc",
            "parentcaller": "0x7ffc75703c79",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2924e1f5110"
              },
              {
                "name": "Size",
                "value": "0x00000088"
              },
              {
                "name": "Buffer",
                "value": "\\xd0T\\x1fN\\x92\\x02\\x00\\x000M\\x1fN\\x92\\x02\\x00\\x00\\xe0T\\x1fN\\x92\\x02\\x00\\x00@M\\x1fN\\x92\\x02\\x00\\x00PM\\x1fN\\x92\\x02\\x00\\x000+\\x1fN\\x92\\x02\\x00\\x00\\x00\\x00\\xd0u\\xfc\\x7f\\x00\\x00\\x10a\\xd1u\\xfc\\x7f\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00@\\x00B\\x00\\x00\\x00\\x00\\x00\\xa0R\\x1fN\\x92\\x02\\x00\\x00\\x18\\x00\\x1a\\x00\\x00\\x00\\x00\\x00\\xc8R\\x1fN\\x92\\x02\\x00\\x00\\xec\\xa2\\x08\\x00\\x06\\x00\\x00\\x00\\xb0\\xc2\\x13x\\xfc\\x7f\\x00\\x00\\xf0%\\x1fN\\x92\\x02\\x00\\x00\\x89]\\xcf\\x81\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 129
          },
          {
            "timestamp": "2026-05-28 22:01:57,131",
            "thread_id": "1496",
            "caller": "0x7ffc75703fbc",
            "parentcaller": "0x7ffc75703c79",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2924e1f54d0"
              },
              {
                "name": "Size",
                "value": "0x00000088"
              },
              {
                "name": "Buffer",
                "value": "\\xc0X\\x1fN\\x92\\x02\\x00\\x00\\x10Q\\x1fN\\x92\\x02\\x00\\x00\\xd0X\\x1fN\\x92\\x02\\x00\\x00 Q\\x1fN\\x92\\x02\\x00\\x00\\x00a\\x1fN\\x92\\x02\\x00\\x00\\xe0X\\x1fN\\x92\\x02\\x00\\x00\\x00\\x00\\xf2w\\xfc\\x7f\\x00\\x00\\x00C\\xf3w\\xfc\\x7f\\x00\\x00\\x00\\xb0\\x06\\x00\\x00\\x00\\x00\\x00<\\x00>\\x00\\x00\\x00\\x00\\x00`V\\x1fN\\x92\\x02\\x00\\x00\\x14\\x00\\x16\\x00\\x00\\x00\\x00\\x00\\x88V\\x1fN\\x92\\x02\\x00\\x00\\xec\\xa2\\x08\\x00\\x06\\x00\\x00\\x00\\xa0\\xe5\\x1fN\\x92\\x02\\x00\\x00 \\xc3\\x13x\\xfc\\x7f\\x00\\x00\\xbc1\rz\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 130
          },
          {
            "timestamp": "2026-05-28 22:01:57,131",
            "thread_id": "1496",
            "caller": "0x7ffc75703fbc",
            "parentcaller": "0x7ffc75703c79",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2924e1f58c0"
              },
              {
                "name": "Size",
                "value": "0x00000088"
              },
              {
                "name": "Buffer",
                "value": "\\xa0\\\\x1fN\\x92\\x02\\x00\\x00\\xd0T\\x1fN\\x92\\x02\\x00\\x00\\xb0\\\\x1fN\\x92\\x02\\x00\\x00\\xe0T\\x1fN\\x92\\x02\\x00\\x00\\xf0T\\x1fN\\x92\\x02\\x00\\x00PM\\x1fN\\x92\\x02\\x00\\x00\\x00\\x00\nw\\xfc\\x7f\\x00\\x00\\x80\\xe1\\x0fw\\xfc\\x7f\\x00\\x00\\x00`\\x12\\x00\\x00\\x00\\x00\\x00<\\x00>\\x00\\x00\\x00\\x00\\x00PZ\\x1fN\\x92\\x02\\x00\\x00\\x14\\x00\\x16\\x00\\x00\\x00\\x00\\x00xZ\\x1fN\\x92\\x02\\x00\\x00\\xec\\xa2\\x08\\x00\\x06\\x00\\x00\\x00p\\xc1\\x13x\\xfc\\x7f\\x00\\x00\\xa0M\\x1fN\\x92\\x02\\x00\\x00\\x0f\\xf4P\\xa2\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 131
          },
          {
            "timestamp": "2026-05-28 22:01:57,131",
            "thread_id": "1496",
            "caller": "0x7ffc75703fbc",
            "parentcaller": "0x7ffc75703c79",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2924e1f5ca0"
              },
              {
                "name": "Size",
                "value": "0x00000088"
              },
              {
                "name": "Buffer",
                "value": "\\xe0`\\x1fN\\x92\\x02\\x00\\x00\\xc0X\\x1fN\\x92\\x02\\x00\\x00\\xf0`\\x1fN\\x92\\x02\\x00\\x00\\xd0X\\x1fN\\x92\\x02\\x00\\x00P\\xe5\\x1fN\\x92\\x02\\x00\\x00\\xf0c\\x1fN\\x92\\x02\\x00\\x00\\x00\\x00*v\\xfc\\x7f\\x00\\x00`\\x7f+v\\xfc\\x7f\\x00\\x00\\x00\\xe0\\x19\\x00\\x00\\x00\\x00\\x00<\\x00>\\x00\\x00\\x00\\x00\\x000^\\x1fN\\x92\\x02\\x00\\x00\\x14\\x00\\x16\\x00\\x00\\x00\\x00\\x00X^\\x1fN\\x92\\x02\\x00\\x00\\xec\\xa2\\x0c\\x00\\x06\\x00\\x00\\x00@\\xc1\\x13x\\xfc\\x7f\\x00\\x00@\\xc1\\x13x\\xfc\\x7f\\x00\\x00\\x19t\\xe4\\x12\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 132
          },
          {
            "timestamp": "2026-05-28 22:01:57,131",
            "thread_id": "1496",
            "caller": "0x7ffc75703fbc",
            "parentcaller": "0x7ffc75703c79",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2924e1f60e0"
              },
              {
                "name": "Size",
                "value": "0x00000088"
              },
              {
                "name": "Buffer",
                "value": "\\xd0c\\x1fN\\x92\\x02\\x00\\x00\\xa0\\\\x1fN\\x92\\x02\\x00\\x00\\xe0c\\x1fN\\x92\\x02\\x00\\x00\\xb0\\\\x1fN\\x92\\x02\\x00\\x000\\x90\\x1fN\\x92\\x02\\x00\\x00\\xf0T\\x1fN\\x92\\x02\\x00\\x00\\x00\\x00\\xa5u\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00 \\x02\\x00\\x00\\x00\\x00\\x00<\\x00>\\x00\\x00\\x00\\x00\\x00pb\\x1fN\\x92\\x02\\x00\\x00\\x14\\x00\\x16\\x00\\x00\\x00\\x00\\x00\\x98b\\x1fN\\x92\\x02\\x00\\x00\\xec\\xa2\\x08\\x00\\x06\\x00\\x00\\x00\\xf0\\x8b\\x1fN\\x92\\x02\\x00\\x00@\\xc2\\x13x\\xfc\\x7f\\x00\\x00\\x13\\x02\\xcd\r\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 133
          },
          {
            "timestamp": "2026-05-28 22:01:57,131",
            "thread_id": "1496",
            "caller": "0x7ffc75703fbc",
            "parentcaller": "0x7ffc75703c79",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2924e1f63d0"
              },
              {
                "name": "Size",
                "value": "0x00000088"
              },
              {
                "name": "Buffer",
                "value": "\\x80\\x8b\\x1fN\\x92\\x02\\x00\\x00\\xe0`\\x1fN\\x92\\x02\\x00\\x00\\x90\\x8b\\x1fN\\x92\\x02\\x00\\x00\\xf0`\\x1fN\\x92\\x02\\x00\\x00\\xc0\\\\x1fN\\x92\\x02\\x00\\x00\\xa0\\x8b\\x1fN\\x92\\x02\\x00\\x00\\x00\\x00\\xedw\\xfc\\x7f\\x00\\x00`I\\xedw\\xfc\\x7f\\x00\\x00\\x00\\xc0\\x02\\x00\\x00\\x00\\x00\\x00:\\x00<\\x00\\x00\\x00\\x00\\x00`e\\x1fN\\x92\\x02\\x00\\x00\\x12\\x00\\x14\\x00\\x00\\x00\\x00\\x00\\x88e\\x1fN\\x92\\x02\\x00\\x00\\xec\\xa2\\x0c\\x00\\x06\\x00\\x00\\x00P\\xc1\\x13x\\xfc\\x7f\\x00\\x00P\\xc1\\x13x\\xfc\\x7f\\x00\\x00\\xb5\\xf0\\x86p\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 134
          },
          {
            "timestamp": "2026-05-28 22:01:57,131",
            "thread_id": "1496",
            "caller": "0x7ffc75703fbc",
            "parentcaller": "0x7ffc75703c79",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2924e1f8b80"
              },
              {
                "name": "Size",
                "value": "0x00000088"
              },
              {
                "name": "Buffer",
                "value": "\\x10\\x90\\x1fN\\x92\\x02\\x00\\x00\\xd0c\\x1fN\\x92\\x02\\x00\\x00 \\x90\\x1fN\\x92\\x02\\x00\\x00\\xe0c\\x1fN\\x92\\x02\\x00\\x00\\xf0c\\x1fN\\x92\\x02\\x00\\x000\\x90\\x1fN\\x92\\x02\\x00\\x00\\x00\\x00\\xbeu\\xfc\\x7f\\x00\\x00\\x90\\x17\\xc1u\\xfc\\x7f\\x00\\x00\\x00\\xa0\\x11\\x00\\x00\\x00\\x00\\x00B\\x00D\\x00\\x00\\x00\\x00\\x00\\x10\\x8d\\x1fN\\x92\\x02\\x00\\x00\\x1a\\x00\\x1c\\x00\\x00\\x00\\x00\\x008\\x8d\\x1fN\\x92\\x02\\x00\\x00\\xec\\xa2\\x08\\x00\\x06\\x00\\x00\\x00\\x80\\x90\\x1fN\\x92\\x02\\x00\\x00Pa\\x1fN\\x92\\x02\\x00\\x00<\\xa0\\x89\\xf1\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 135
          },
          {
            "timestamp": "2026-05-28 22:01:57,131",
            "thread_id": "1496",
            "caller": "0x7ffc75703fbc",
            "parentcaller": "0x7ffc75703c79",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2924e1f9010"
              },
              {
                "name": "Size",
                "value": "0x00000088"
              },
              {
                "name": "Buffer",
                "value": "\\xd0\\xab\\x1fN\\x92\\x02\\x00\\x00\\x80\\x8b\\x1fN\\x92\\x02\\x00\\x00\\xe0\\xab\\x1fN\\x92\\x02\\x00\\x00\\x90\\x8b\\x1fN\\x92\\x02\\x00\\x00\\xa0\\x8b\\x1fN\\x92\\x02\\x00\\x00\\x00a\\x1fN\\x92\\x02\\x00\\x00\\x00\\x00\\x9bu\\xfc\\x7f\\x00\\x00\\x90S\\x9cu\\xfc\\x7f\\x00\\x00\\x00\\xd0\t\\x00\\x00\\x00\\x00\\x00B\\x00D\\x00\\x00\\x00\\x00\\x00\\xd0\\xa4\\x1fN\\x92\\x02\\x00\\x00\\x1a\\x00\\x1c\\x00\\x00\\x00\\x00\\x00\\xf8\\xa4\\x1fN\\x92\\x02\\x00\\x00\\xec\\xa2\\x0c\\x00\\x06\\x00\\x00\\x00P\\xbf\\x1fN\\x92\\x02\\x00\\x00\\xf0\\x8b\\x1fN\\x92\\x02\\x00\\x00\\xcf\\%9\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 136
          },
          {
            "timestamp": "2026-05-28 22:01:57,131",
            "thread_id": "1496",
            "caller": "0x7ffc75703fbc",
            "parentcaller": "0x7ffc75703c79",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2924e1fabd0"
              },
              {
                "name": "Size",
                "value": "0x00000088"
              },
              {
                "name": "Buffer",
                "value": "\\x00\\xaf\\x1fN\\x92\\x02\\x00\\x00\\x10\\x90\\x1fN\\x92\\x02\\x00\\x00\\x10\\xaf\\x1fN\\x92\\x02\\x00\\x00 \\x90\\x1fN\\x92\\x02\\x00\\x00@\\xba\\x1fN\\x92\\x02\\x00\\x00 \\xb2\\x1fN\\x92\\x02\\x00\\x00\\x00\\x00\\x1ew\\xfc\\x7f\\x00\\x00`X\\x1fw\\xfc\\x7f\\x00\\x00\\x00\\xf0\n\\x00\\x00\\x00\\x00\\x00@\\x00B\\x00\\x00\\x00\\x00\\x00\\xb0\\xa1\\x1fN\\x92\\x02\\x00\\x00\\x18\\x00\\x1a\\x00\\x00\\x00\\x00\\x00\\xd8\\xa1\\x1fN\\x92\\x02\\x00\\x00\\xec\\xa2\\x08\\x00\\x06\\x00\\x00\\x00\\x10\\xc4\\x1fN\\x92\\x02\\x00\\x00\\x00\\xc3\\x13x\\xfc\\x7f\\x00\\x00\\xef\\x1f\\x17#\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 137
          },
          {
            "timestamp": "2026-05-28 22:01:57,131",
            "thread_id": "1496",
            "caller": "0x7ffc75703fbc",
            "parentcaller": "0x7ffc75703c79",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2924e1faf00"
              },
              {
                "name": "Size",
                "value": "0x00000088"
              },
              {
                "name": "Buffer",
                "value": "\\x00\\xb2\\x1fN\\x92\\x02\\x00\\x00\\xd0\\xab\\x1fN\\x92\\x02\\x00\\x00\\x10\\xb2\\x1fN\\x92\\x02\\x00\\x00\\xe0\\xab\\x1fN\\x92\\x02\\x00\\x00 \\xb2\\x1fN\\x92\\x02\\x00\\x00P\\xe5\\x1fN\\x92\\x02\\x00\\x00\\x00\\x00)w\\xfc\\x7f\\x00\\x00Px)w\\xfc\\x7f\\x00\\x00\\x00\\xe0\t\\x00\\x00\\x00\\x00\\x00<\\x00>\\x00\\x00\\x00\\x00\\x00\\x00\\xa2\\x1fN\\x92\\x02\\x00\\x00\\x14\\x00\\x16\\x00\\x00\\x00\\x00\\x00(\\xa2\\x1fN\\x92\\x02\\x00\\x00\\xec\\xa2\\x08\\x00\\x06\\x00\\xff\\xff\\x00\\xfb\\x1fN\\x92\\x02\\x00\\x00\\xf0\\xc1\\x13x\\xfc\\x7f\\x00\\x00\\x04\\x0e\\xf6\\x9b\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 138
          },
          {
            "timestamp": "2026-05-28 22:01:57,131",
            "thread_id": "1496",
            "caller": "0x7ffc75703fbc",
            "parentcaller": "0x7ffc75703c79",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2924e1fb200"
              },
              {
                "name": "Size",
                "value": "0x00000088"
              },
              {
                "name": "Buffer",
                "value": " \\xba\\x1fN\\x92\\x02\\x00\\x00\\x00\\xaf\\x1fN\\x92\\x02\\x00\\x000\\xba\\x1fN\\x92\\x02\\x00\\x00\\x10\\xaf\\x1fN\\x92\\x02\\x00\\x00\\xf0\\xab\\x1fN\\x92\\x02\\x00\\x00 \\xaf\\x1fN\\x92\\x02\\x00\\x00\\x00\\x00fw\\xfc\\x7f\\x00\\x00p\\xcegw\\xfc\\x7f\\x00\\x00\\x00\\xc0\t\\x00\\x00\\x00\\x00\\x00>\\x00@\\x00\\x00\\x00\\x00\\x00P\\xa2\\x1fN\\x92\\x02\\x00\\x00\\x16\\x00\\x18\\x00\\x00\\x00\\x00\\x00x\\xa2\\x1fN\\x92\\x02\\x00\\x00\\xec\\xa2\\x0c\\x00\\x06\\x00\\x00\\x00\\xb0\\xc1\\x1fN\\x92\\x02\\x00\\x000\\xc2\\x13x\\xfc\\x7f\\x00\\x00\\x9a\\xb6\\xfa\\x9d\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 139
          },
          {
            "timestamp": "2026-05-28 22:01:57,131",
            "thread_id": "1496",
            "caller": "0x7ffc75703fbc",
            "parentcaller": "0x7ffc75703c79",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2924e1fba20"
              },
              {
                "name": "Size",
                "value": "0x00000088"
              },
              {
                "name": "Buffer",
                "value": "P\\xbb\\x1fN\\x92\\x02\\x00\\x00\\x00\\xb2\\x1fN\\x92\\x02\\x00\\x00`\\xbb\\x1fN\\x92\\x02\\x00\\x00\\x10\\xb2\\x1fN\\x92\\x02\\x00\\x00\\x10\\xb9\\x1fN\\x92\\x02\\x00\\x00\\xf0\\xab\\x1fN\\x92\\x02\\x00\\x00\\x00\\x00sv\\xfc\\x7f\\x00\\x00\\x80\\x12\\x84v\\xfc\\x7f\\x00\\x00\\x00Pt\\x00\\x00\\x00\\x00\\x00>\\x00@\\x00\\x00\\x00\\x00\\x00@\\xa3\\x1fN\\x92\\x02\\x00\\x00\\x16\\x00\\x18\\x00\\x00\\x00\\x00\\x00h\\xa3\\x1fN\\x92\\x02\\x00\\x00\\xec\\xa2\\x08\\x00\\x06\\x00\\xff\\xff0\\xb8\\x1fN\\x92\\x02\\x00\\x00\\x90\\xc1\\x13x\\xfc\\x7f\\x00\\x00CA\\xda\\xc3\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 140
          },
          {
            "timestamp": "2026-05-28 22:01:57,131",
            "thread_id": "1496",
            "caller": "0x7ffc75703fbc",
            "parentcaller": "0x7ffc75703c79",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2924e1fbb50"
              },
              {
                "name": "Size",
                "value": "0x00000088"
              },
              {
                "name": "Buffer",
                "value": "\\xf0\\xb8\\x1fN\\x92\\x02\\x00\\x00 \\xba\\x1fN\\x92\\x02\\x00\\x00\\x00\\xb9\\x1fN\\x92\\x02\\x00\\x000\\xba\\x1fN\\x92\\x02\\x00\\x00\\xb0\\xb6\\x1fN\\x92\\x02\\x00\\x00\\x10\\xb9\\x1fN\\x92\\x02\\x00\\x00\\x00\\x00\\xf6v\\xfc\\x7f\\x00\\x00\\xb0e\\xf8v\\xfc\\x7f\\x00\\x00\\x00\\xb0\\x12\\x00\\x00\\x00\\x00\\x00:\\x00<\\x00\\x00\\x00\\x00\\x00\\x90\\xa3\\x1fN\\x92\\x02\\x00\\x00\\x12\\x00\\x14\\x00\\x00\\x00\\x00\\x00\\xb8\\xa3\\x1fN\\x92\\x02\\x00\\x00\\xec\\xa2\\x08\\x00\\x06\\x00\\xff\\xff0\\xfc\\x1fN\\x92\\x02\\x00\\x00\\x10\\xc3\\x13x\\xfc\\x7f\\x00\\x00\\xb5}]\\xc1\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 141
          },
          {
            "timestamp": "2026-05-28 22:01:57,131",
            "thread_id": "1496",
            "caller": "0x7ffc75703fbc",
            "parentcaller": "0x7ffc75703c79",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2924e1fb8f0"
              },
              {
                "name": "Size",
                "value": "0x00000088"
              },
              {
                "name": "Buffer",
                "value": "\\x90\\xb6\\x1fN\\x92\\x02\\x00\\x00P\\xbb\\x1fN\\x92\\x02\\x00\\x00\\xa0\\xb6\\x1fN\\x92\\x02\\x00\\x00`\\xbb\\x1fN\\x92\\x02\\x00\\x00p\\xbb\\x1fN\\x92\\x02\\x00\\x00@\\xba\\x1fN\\x92\\x02\\x00\\x00\\x00\\x00\\xb7w\\xfc\\x7f\\x00\\x00\\xf0I\\xc6w\\xfc\\x7f\\x00\\x00\\x00@5\\x00\\x00\\x00\\x00\\x00>\\x00@\\x00\\x00\\x00\\x00\\x00 \\xa0\\x1fN\\x92\\x02\\x00\\x00\\x16\\x00\\x18\\x00\\x00\\x00\\x00\\x00H\\xa0\\x1fN\\x92\\x02\\x00\\x00\\xec\\xa2\\x08\\x00\\x06\\x00\\xff\\xff\\xc0\\xc1\\x13x\\xfc\\x7f\\x00\\x00\\xc0\\xc1\\x13x\\xfc\\x7f\\x00\\x00=}>a\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 142
          },
          {
            "timestamp": "2026-05-28 22:01:57,131",
            "thread_id": "1496",
            "caller": "0x7ffc75703fbc",
            "parentcaller": "0x7ffc75703c79",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2924e1fb690"
              },
              {
                "name": "Size",
                "value": "0x00000088"
              },
              {
                "name": "Buffer",
                "value": "\\xe0\\xbe\\x1fN\\x92\\x02\\x00\\x00\\xf0\\xb8\\x1fN\\x92\\x02\\x00\\x00\\xf0\\xbe\\x1fN\\x92\\x02\\x00\\x00\\x00\\xb9\\x1fN\\x92\\x02\\x00\\x00\\x00\\xbf\\x1fN\\x92\\x02\\x00\\x00p\\xbb\\x1fN\\x92\\x02\\x00\\x00\\x00\\x003w\\xfc\\x7f\\x00\\x00P\\xe74w\\xfc\\x7f\\x00\\x00\\x00\\xd0\\x0c\\x00\\x00\\x00\\x00\\x00@\\x00B\\x00\\x00\\x00\\x00\\x00\\xa0\\xa2\\x1fN\\x92\\x02\\x00\\x00\\x18\\x00\\x1a\\x00\\x00\\x00\\x00\\x00\\xc8\\xa2\\x1fN\\x92\\x02\\x00\\x00\\xec\\xa2\\x08\\x00\\x06\\x00\\xff\\xff0\\xe9\\x1fN\\x92\\x02\\x00\\x00\\x10\\xc2\\x13x\\xfc\\x7f\\x00\\x00\\xf1\\xdf.\\xd4\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 143
          },
          {
            "timestamp": "2026-05-28 22:01:57,131",
            "thread_id": "1496",
            "caller": "0x7ffc75703fbc",
            "parentcaller": "0x7ffc75703c79",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2924e1fbee0"
              },
              {
                "name": "Size",
                "value": "0x00000088"
              },
              {
                "name": "Buffer",
                "value": "\\xb0\\xbd\\x1fN\\x92\\x02\\x00\\x00\\x90\\xb6\\x1fN\\x92\\x02\\x00\\x00\\xc0\\xbd\\x1fN\\x92\\x02\\x00\\x00\\xa0\\xb6\\x1fN\\x92\\x02\\x00\\x00\\xd0\\xbd\\x1fN\\x92\\x02\\x00\\x00\\xb0\\xb6\\x1fN\\x92\\x02\\x00\\x00\\x00\\x00mv\\xfc\\x7f\\x00\\x00\\xa0\\xa7mv\\xfc\\x7f\\x00\\x00\\x00P\\x05\\x00\\x00\\x00\\x00\\x00>\\x00@\\x00\\x00\\x00\\x00\\x00\\xf0\\xa2\\x1fN\\x92\\x02\\x00\\x00\\x16\\x00\\x18\\x00\\x00\\x00\\x00\\x00\\x18\\xa3\\x1fN\\x92\\x02\\x00\\x00\\xec\\xa2\\x0c\\x00\\x06\\x00\\x00\\x00@\\xc2\\x13x\\xfc\\x7f\\x00\\x00\\x80\\x90\\x1fN\\x92\\x02\\x00\\x00S\\xbe\\xd5!\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 144
          },
          {
            "timestamp": "2026-05-28 22:01:57,131",
            "thread_id": "1496",
            "caller": "0x7ffc75703fbc",
            "parentcaller": "0x7ffc75703c79",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2924e1fbdb0"
              },
              {
                "name": "Size",
                "value": "0x00000088"
              },
              {
                "name": "Buffer",
                "value": "\\x10\\xc0\\x1fN\\x92\\x02\\x00\\x00\\xe0\\xbe\\x1fN\\x92\\x02\\x00\\x00 \\xc0\\x1fN\\x92\\x02\\x00\\x00\\xf0\\xbe\\x1fN\\x92\\x02\\x00\\x00\\xf0\\xe2\\x1fN\\x92\\x02\\x00\\x00\\x00\\xbf\\x1fN\\x92\\x02\\x00\\x00\\x00\\x00\\xe0u\\xfc\\x7f\\x00\\x00\\xf0\\x90\\xe0u\\xfc\\x7f\\x00\\x00\\x00p\\x02\\x00\\x00\\x00\\x00\\x00<\\x00>\\x00\\x00\\x00\\x00\\x00\\xe0\\xa3\\x1fN\\x92\\x02\\x00\\x00\\x14\\x00\\x16\\x00\\x00\\x00\\x00\\x00\\x08\\xa4\\x1fN\\x92\\x02\\x00\\x00\\xec\\xa2\\x0c\\x00\\x06\\x00\\x00\\x00`\\xc1\\x13x\\xfc\\x7f\\x00\\x00`\\xc1\\x13x\\xfc\\x7f\\x00\\x00C\\xb9#\\x97\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 145
          },
          {
            "timestamp": "2026-05-28 22:01:57,131",
            "thread_id": "1496",
            "caller": "0x7ffc75703fbc",
            "parentcaller": "0x7ffc75703c79",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2924e1fc010"
              },
              {
                "name": "Size",
                "value": "0x00000088"
              },
              {
                "name": "Buffer",
                "value": "\\x80\\xed\\x1fN\\x92\\x02\\x00\\x00\\xb0\\xbd\\x1fN\\x92\\x02\\x00\\x00\\x90\\xed\\x1fN\\x92\\x02\\x00\\x00\\xc0\\xbd\\x1fN\\x92\\x02\\x00\\x00`\\xc1\\x1fN\\x92\\x02\\x00\\x00\\xe0\\xe8\\x1fN\\x92\\x02\\x00\\x00\\x00\\x00\\x1dw\\xfc\\x7f\\x00\\x00\\xf0\"\\x1dw\\xfc\\x7f\\x00\\x00\\x00\\x80\\x00\\x00\\x00\\x00\\x00\\x006\\x008\\x00\\x00\\x00\\x00\\x00\\xa0\\xdb\\x1fN\\x92\\x02\\x00\\x00\\x0e\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\xc8\\xdb\\x1fN\\x92\\x02\\x00\\x00\\xec\\xa2\\x0c\\x00\\x06\\x00\\x00\\x00\\xe0\\xc2\\x13x\\xfc\\x7f\\x00\\x00\\xe0\\xc2\\x13x\\xfc\\x7f\\x00\\x00@\\xe2\\xe3o\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 146
          },
          {
            "timestamp": "2026-05-28 22:01:57,131",
            "thread_id": "1496",
            "caller": "0x7ffc75703fbc",
            "parentcaller": "0x7ffc75703c79",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2924e1fed80"
              },
              {
                "name": "Size",
                "value": "0x00000088"
              },
              {
                "name": "Buffer",
                "value": "0\\xf8\\x1fN\\x92\\x02\\x00\\x00\\x10\\xc0\\x1fN\\x92\\x02\\x00\\x00@\\xf8\\x1fN\\x92\\x02\\x00\\x00 \\xc0\\x1fN\\x92\\x02\\x00\\x00\\x90\\xc2\\x1fN\\x92\\x02\\x00\\x00P\\xf8\\x1fN\\x92\\x02\\x00\\x00\\x00\\x00pw\\xfc\\x7f\\x00\\x00\\xa04rw\\xfc\\x7f\\x00\\x00\\x00\\xe0F\\x00\\x00\\x00\\x00\\x00@\\x00B\\x00\\x00\\x00\\x00\\x000\\x9f\\x1fN\\x92\\x02\\x00\\x00\\x18\\x00\\x1a\\x00\\x00\\x00\\x00\\x00X\\x9f\\x1fN\\x92\\x02\\x00\\x00\\xec\\xa2\\x08\\x00\\x06\\x00\\x00\\x00p\\xc2\\x13x\\xfc\\x7f\\x00\\x00p\\xc2\\x13x\\xfc\\x7f\\x00\\x00\"%\\x88W\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 147
          },
          {
            "timestamp": "2026-05-28 22:01:57,131",
            "thread_id": "1496",
            "caller": "0x7ffc75703fbc",
            "parentcaller": "0x7ffc75703c79",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2924e1ff830"
              },
              {
                "name": "Size",
                "value": "0x00000088"
              },
              {
                "name": "Buffer",
                "value": "p\\xc2\\x1fN\\x92\\x02\\x00\\x00\\x80\\xed\\x1fN\\x92\\x02\\x00\\x00\\x80\\xc2\\x1fN\\x92\\x02\\x00\\x00\\x90\\xed\\x1fN\\x92\\x02\\x00\\x00\\xa0\\xed\\x1fN\\x92\\x02\\x00\\x00\\x90\\xf3\\x1fN\\x92\\x02\\x00\\x00\\x00\\x00\\xf5u\\xfc\\x7f\\x00\\x00P7\\xf6u\\xfc\\x7f\\x00\\x00\\x00\\xe0\\x04\\x00\\x00\\x00\\x00\\x00@\\x00B\\x00\\x00\\x00\\x00\\x00`\\xa1\\x1fN\\x92\\x02\\x00\\x00\\x18\\x00\\x1a\\x00\\x00\\x00\\x00\\x00\\x88\\xa1\\x1fN\\x92\\x02\\x00\\x00\\xec\\xa2\\x0c\\x00\\x06\\x00\\x00\\x00\\xe0\\xc2\\x1fN\\x92\\x02\\x00\\x00\\xd0\\xc1\\x13x\\xfc\\x7f\\x00\\x00]\\x81\\xde\\x1e\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 148
          },
          {
            "timestamp": "2026-05-28 22:01:57,131",
            "thread_id": "1496",
            "caller": "0x7ffc75703fbc",
            "parentcaller": "0x7ffc75703c79",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2924e1fc270"
              },
              {
                "name": "Size",
                "value": "0x00000088"
              },
              {
                "name": "Buffer",
                "value": "@\\xc1\\x1fN\\x92\\x02\\x00\\x000\\xf8\\x1fN\\x92\\x02\\x00\\x00P\\xc1\\x1fN\\x92\\x02\\x00\\x00@\\xf8\\x1fN\\x92\\x02\\x00\\x00\\xe0\\xe8\\x1fN\\x92\\x02\\x00\\x00\\xa0\\xed\\x1fN\\x92\\x02\\x00\\x00\\x00\\x00Fu\\xfc\\x7f\\x00\\x00\\x804Fu\\xfc\\x7f\\x00\\x00\\x00\\xb0\\x04\\x00\\x00\\x00\\x00\\x00@\\x00B\\x00\\x00\\x00\\x00\\x00\\xa0\\x9d\\x1fN\\x92\\x02\\x00\\x00\\x18\\x00\\x1a\\x00\\x00\\x00\\x00\\x00\\xc8\\x9d\\x1fN\\x92\\x02\\x00\\x00\\xec\\xa2\\x0c\\x00\\x06\\x00\\x00\\x00\\xd0\\xf9\\x1fN\\x92\\x02\\x00\\x00\\xa0\\xf8\\x1fN\\x92\\x02\\x00\\x00\\x08\\x95\\x19\\x06\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 149
          },
          {
            "timestamp": "2026-05-28 22:01:57,131",
            "thread_id": "1496",
            "caller": "0x7ffc75703fbc",
            "parentcaller": "0x7ffc75703c79",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2924e1fc140"
              },
              {
                "name": "Size",
                "value": "0x00000088"
              },
              {
                "name": "Buffer",
                "value": "\\xa0\\xc3\\x1fN\\x92\\x02\\x00\\x00p\\xc2\\x1fN\\x92\\x02\\x00\\x00\\xb0\\xc3\\x1fN\\x92\\x02\\x00\\x00\\x80\\xc2\\x1fN\\x92\\x02\\x00\\x00\\xc0\\xc3\\x1fN\\x92\\x02\\x00\\x000\\xc0\\x1fN\\x92\\x02\\x00\\x00\\x00\\x00\\xe0a\\xfc\\x7f\\x00\\x00p\\x9e\\xe9a\\xfc\\x7f\\x00\\x00\\x00\\xa0)\\x00\\x00\\x00\\x00\\x00\\xf8\\x00\\xfa\\x00\\x00\\x00\\x00\\x00\\xb0' N\\x92\\x02\\x00\\x00\\x18\\x00\\x1a\\x00\\x00\\x00\\x00\\x00\\x90( N\\x92\\x02\\x00\\x00\\xec\\xa2\\x08\\x10\\x06\\x00\\xff\\xff0\\xc2\\x13x\\xfc\\x7f\\x00\\x00p\\xb2\\x1fN\\x92\\x02\\x00\\x00\\xed\\xb6\\x1eK\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 150
          },
          {
            "timestamp": "2026-05-28 22:01:57,131",
            "thread_id": "1496",
            "caller": "0x7ffc75703fbc",
            "parentcaller": "0x7ffc75703c79",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2924e1fc3a0"
              },
              {
                "name": "Size",
                "value": "0x00000088"
              },
              {
                "name": "Buffer",
                "value": "`\\xb5\\x1fN\\x92\\x02\\x00\\x00@\\xc1\\x1fN\\x92\\x02\\x00\\x00p\\xb5\\x1fN\\x92\\x02\\x00\\x00P\\xc1\\x1fN\\x92\\x02\\x00\\x00\\x80\\xb5\\x1fN\\x92\\x02\\x00\\x00`\\xc1\\x1fN\\x92\\x02\\x00\\x00\\x00\\x00\ns\\xfc\\x7f\\x00\\x00p\\x8c\\x0cs\\xfc\\x7f\\x00\\x00\\x00\\xe0\t\\x00\\x00\\x00\\x00\\x00>\\x00@\\x00\\x92\\x02\\x00\\x00\\xd0\\x9f\\x1fN\\x92\\x02\\x00\\x00\\x16\\x00\\x18\\x00\\x00\\x00\\x00\\x00\\xf8\\x9f\\x1fN\\x92\\x02\\x00\\x00\\xec\\xa2\\x0c\\x00\\x06\\x00\\x00\\x00\\x00\\xc3\\x13x\\xfc\\x7f\\x00\\x00@\\xac\\x1fN\\x92\\x02\\x00\\x006\\x88\\x10\\x16\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 151
          },
          {
            "timestamp": "2026-05-28 22:01:57,131",
            "thread_id": "1496",
            "caller": "0x7ffc75703fbc",
            "parentcaller": "0x7ffc75703c79",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2924e1fb560"
              },
              {
                "name": "Size",
                "value": "0x00000088"
              },
              {
                "name": "Buffer",
                "value": "\\xc0\\xb7\\x1fN\\x92\\x02\\x00\\x00\\xa0\\xc3\\x1fN\\x92\\x02\\x00\\x00\\xd0\\xb7\\x1fN\\x92\\x02\\x00\\x00\\xb0\\xc3\\x1fN\\x92\\x02\\x00\\x00\\xe0\\xb7\\x1fN\\x92\\x02\\x00\\x00\\xc0\\xc3\\x1fN\\x92\\x02\\x00\\x00\\x00\\x00\\x99k\\xfc\\x7f\\x00\\x00\\xc0\\x16\\x99k\\xfc\\x7f\\x00\\x00\\x00\\x90\\x01\\x00\\x00\\x00\\x00\\x00<\\x00>\\x00\\x92\\x02\\x00\\x00\\x10\\xa1\\x1fN\\x92\\x02\\x00\\x00\\x14\\x00\\x16\\x00\\x00\\x00\\x00\\x008\\xa1\\x1fN\\x92\\x02\\x00\\x00\\xec\\xa2\\x0c\\x00\\x06\\x00\\x00\\x00\\xc0\\xc2\\x13x\\xfc\\x7f\\x00\\x00\\xc0\\xc2\\x13x\\xfc\\x7f\\x00\\x00\\x1e\\xc3a\\x08\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 152
          },
          {
            "timestamp": "2026-05-28 22:01:57,131",
            "thread_id": "1496",
            "caller": "0x7ffc75703fbc",
            "parentcaller": "0x7ffc75703c79",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2924e1fb7c0"
              },
              {
                "name": "Size",
                "value": "0x00000088"
              },
              {
                "name": "Buffer",
                "value": "@\\xf2\\x1fN\\x92\\x02\\x00\\x00`\\xb5\\x1fN\\x92\\x02\\x00\\x00P\\xf2\\x1fN\\x92\\x02\\x00\\x00p\\xb5\\x1fN\\x92\\x02\\x00\\x00`\\xf2\\x1fN\\x92\\x02\\x00\\x00\\x80\\xb5\\x1fN\\x92\\x02\\x00\\x00\\x00\\x00\\xa9j\\xfc\\x7f\\x00\\x00 R\\xaaj\\xfc\\x7f\\x00\\x00\\x00P\t\\x00\\x00\\x00\\x00\\x00:\\x00<\\x00\\x92\\x02\\x00\\x00\\xf0\\x9d\\x1fN\\x92\\x02\\x00\\x00\\x12\\x00\\x14\\x00\\x00\\x00\\x00\\x00\\x18\\x9e\\x1fN\\x92\\x02\\x00\\x00\\xec\\xa2\\x08\\x00\\x06\\x00\\xff\\xff\\x80\\xf1\\x1fN\\x92\\x02\\x00\\x00\\x90\\xba\\x1fN\\x92\\x02\\x00\\x00}\\x0bF\r\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 153
          },
          {
            "timestamp": "2026-05-28 22:01:57,146",
            "thread_id": "1496",
            "caller": "0x7ffc75703fbc",
            "parentcaller": "0x7ffc75703c79",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2924e1ff240"
              },
              {
                "name": "Size",
                "value": "0x00000088"
              },
              {
                "name": "Buffer",
                "value": "P\\xff\\x1fN\\x92\\x02\\x00\\x00\\xc0\\xb7\\x1fN\\x92\\x02\\x00\\x00`\\xff\\x1fN\\x92\\x02\\x00\\x00\\xd0\\xb7\\x1fN\\x92\\x02\\x00\\x00p\\xff\\x1fN\\x92\\x02\\x00\\x00\\xe0\\xb7\\x1fN\\x92\\x02\\x00\\x00\\x00\\x00\\x1f`\\xfc\\x7f\\x00\\x00pR#`\\xfc\\x7f\\x00\\x00\\x00\\xe0\\x1a\\x00\\x00\\x00\\x00\\x00:\\x00<\\x00\\x92\\x02\\x00\\x00\\xb0< N\\x92\\x02\\x00\\x00\\x12\\x00\\x14\\x00\\x00\\x00\\x00\\x00\\xd8< N\\x92\\x02\\x00\\x00\\xec\\xa2\\x08\\x00\\x06\\x00\\xff\\xff\\xb0\\xc1\\x13x\\xfc\\x7f\\x00\\x00\\xb0\\xc1\\x13x\\xfc\\x7f\\x00\\x00n\\xea\\xab\\xed\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 154
          },
          {
            "timestamp": "2026-05-28 22:01:57,146",
            "thread_id": "1496",
            "caller": "0x7ffc75703fbc",
            "parentcaller": "0x7ffc75703c79",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2924e1fff50"
              },
              {
                "name": "Size",
                "value": "0x00000088"
              },
              {
                "name": "Buffer",
                "value": "`\\xf9\\x1fN\\x92\\x02\\x00\\x00@\\xf2\\x1fN\\x92\\x02\\x00\\x00p\\xf9\\x1fN\\x92\\x02\\x00\\x00P\\xf2\\x1fN\\x92\\x02\\x00\\x00\\x80\\xf9\\x1fN\\x92\\x02\\x00\\x00`\\xf2\\x1fN\\x92\\x02\\x00\\x00\\x00\\x00w^\\xfc\\x7f\\x00\\x00P5w^\\xfc\\x7f\\x00\\x00\\x00\\x90\\x04\\x00\\x00\\x00\\x00\\x006\\x008\\x00\\x92\\x02\\x00\\x00\\xf0N N\\x92\\x02\\x00\\x00\\x0e\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x18O N\\x92\\x02\\x00\\x00\\xec\\xa2\\x0c\\x00\\x06\\x00\\x00\\x00\\xe0\\xf3\\x1fN\\x92\\x02\\x00\\x00\\xe0\\xc1\\x13x\\xfc\\x7f\\x00\\x00v\\x0cU\\xc3\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 155
          },
          {
            "timestamp": "2026-05-28 22:01:57,146",
            "thread_id": "1496",
            "caller": "0x7ffc75703fbc",
            "parentcaller": "0x7ffc75703c79",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2924e1ff960"
              },
              {
                "name": "Size",
                "value": "0x00000088"
              },
              {
                "name": "Buffer",
                "value": "\\xe0\\xef\\x1fN\\x92\\x02\\x00\\x00P\\xff\\x1fN\\x92\\x02\\x00\\x00\\xf0\\xef\\x1fN\\x92\\x02\\x00\\x00`\\xff\\x1fN\\x92\\x02\\x00\\x00\\x00\\xf0\\x1fN\\x92\\x02\\x00\\x00p\\xff\\x1fN\\x92\\x02\\x00\\x00\\x00\\x007n\\xfc\\x7f\\x00\\x00@\\x1a9n\\xfc\\x7f\\x00\\x00\\x00\\xb0\\x03\\x00\\x00\\x00\\x00\\x00<\\x00>\\x00\\x92\\x02\\x00\\x00@9 N\\x92\\x02\\x00\\x00\\x14\\x00\\x16\\x00\\x00\\x00\\x00\\x00h9 N\\x92\\x02\\x00\\x00\\xec\\xa2\\x08\\x00\\x06\\x00\\xff\\xff\\xd0\\xc1\\x13x\\xfc\\x7f\\x00\\x00\\xe0\\xc2\\x1fN\\x92\\x02\\x00\\x00\\x0e\\x82\\xd7\\x1f\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 156
          },
          {
            "timestamp": "2026-05-28 22:01:57,146",
            "thread_id": "1496",
            "caller": "0x7ffc75703fbc",
            "parentcaller": "0x7ffc75703c79",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2924e1fefe0"
              },
              {
                "name": "Size",
                "value": "0x00000088"
              },
              {
                "name": "Buffer",
                "value": "\\x90\\xfa\\x1fN\\x92\\x02\\x00\\x00`\\xf9\\x1fN\\x92\\x02\\x00\\x00\\xa0\\xfa\\x1fN\\x92\\x02\\x00\\x00p\\xf9\\x1fN\\x92\\x02\\x00\\x00\\xb0\\xfa\\x1fN\\x92\\x02\\x00\\x00\\x80\\xf9\\x1fN\\x92\\x02\\x00\\x00\\x00\\x00\\xf7s\\xfc\\x7f\\x00\\x00\\xc0d\\xf9s\\xfc\\x7f\\x00\\x00\\x000\\x0f\\x00\\x00\\x00\\x00\\x008\\x00:\\x00\\x92\\x02\\x00\\x00\\x10A N\\x92\\x02\\x00\\x00\\x10\\x00\\x12\\x00\\x00\\x00\\x00\\x008A N\\x92\\x02\\x00\\x00\\xec\\xa2\\x0c\\x00\\x06\\x00\\x00\\x00@\\xf6\\x1fN\\x92\\x02\\x00\\x00\\x00\\xc2\\x13x\\xfc\\x7f\\x00\\x00k;\\xec\\xee\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 157
          },
          {
            "timestamp": "2026-05-28 22:01:57,146",
            "thread_id": "1496",
            "caller": "0x7ffc75703fbc",
            "parentcaller": "0x7ffc75703c79",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2924e1ffa90"
              },
              {
                "name": "Size",
                "value": "0x00000088"
              },
              {
                "name": "Buffer",
                "value": "\\xd0\\xf5\\x1fN\\x92\\x02\\x00\\x00\\xe0\\xef\\x1fN\\x92\\x02\\x00\\x00\\xe0\\xf5\\x1fN\\x92\\x02\\x00\\x00\\xf0\\xef\\x1fN\\x92\\x02\\x00\\x00\\xf0\\xc4\\x13x\\xfc\\x7f\\x00\\x00\\x00\\xf0\\x1fN\\x92\\x02\\x00\\x00\\x00\\x00iq\\xfc\\x7f\\x00\\x00\\xd0\\xc1pq\\xfc\\x7f\\x00\\x00\\x000&\\x00\\x00\\x00\\x00\\x00:\\x00<\\x00\\xfc\\x7f\\x00\\x00\\xa0B N\\x92\\x02\\x00\\x00\\x12\\x00\\x14\\x00\\x00\\x00\\x00\\x00\\xc8B N\\x92\\x02\\x00\\x00\\xec\\xa2\\x00\\x00\\x06\\x00\\x00\\x00\\xf0\\xc1\\x13x\\xfc\\x7f\\x00\\x00p\\xaf\\x1fN\\x92\\x02\\x00\\x00\\x07\\xae\\xaap\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 158
          },
          {
            "timestamp": "2026-05-28 22:01:57,146",
            "thread_id": "1496",
            "caller": "0x7ffc772ca553",
            "parentcaller": "0x7ffc7170c150",
            "category": "misc",
            "api": "GetSystemInfo",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 159
          },
          {
            "timestamp": "2026-05-28 22:01:57,146",
            "thread_id": "1496",
            "caller": "0x7ffc772ca553",
            "parentcaller": "0x7ffc7170c150",
            "category": "system",
            "api": "LdrpCallInitRoutine",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "MappedPath",
                "value": "\\Device\\HarddiskVolume2\\Windows\\System32\\d3d11"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc71690000"
              },
              {
                "name": "InitRoutine",
                "value": "0x7ffc7170c1d0"
              },
              {
                "name": "Reason",
                "value": "1"
              }
            ],
            "repeated": 0,
            "id": 160
          },
          {
            "timestamp": "2026-05-28 22:01:57,146",
            "thread_id": "1496",
            "caller": "0x7ffc7803c2c7",
            "parentcaller": "0x7ffc7803c05a",
            "category": "system",
            "api": "LdrpCallInitRoutine",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "MappedPath",
                "value": "\\Device\\HarddiskVolume2\\Windows\\System32\\kernel.appcore"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc734b0000"
              },
              {
                "name": "InitRoutine",
                "value": "0x7ffc734b3f10"
              },
              {
                "name": "Reason",
                "value": "1"
              }
            ],
            "repeated": 0,
            "id": 161
          },
          {
            "timestamp": "2026-05-28 22:01:57,146",
            "thread_id": "1496",
            "caller": "0x7ffc75703f3b",
            "parentcaller": "0x7ffc75703c79",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0xf09d85c018"
              },
              {
                "name": "Size",
                "value": "0x00000008"
              },
              {
                "name": "Buffer",
                "value": "\\xc0\\xc4\\x13x\\xfc\\x7f\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 162
          },
          {
            "timestamp": "2026-05-28 22:01:57,146",
            "thread_id": "1496",
            "caller": "0x7ffc75703f7a",
            "parentcaller": "0x7ffc75703c79",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc7813c4e0"
              },
              {
                "name": "Size",
                "value": "0x00000008"
              },
              {
                "name": "Buffer",
                "value": "\\x90%\\x1fN\\x92\\x02\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 163
          },
          {
            "timestamp": "2026-05-28 22:01:57,146",
            "thread_id": "1496",
            "caller": "0x7ffc75703fbc",
            "parentcaller": "0x7ffc75703c79",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2924e1f2580"
              },
              {
                "name": "Size",
                "value": "0x00000088"
              },
              {
                "name": "Buffer",
                "value": "\\xf0#\\x1fN\\x92\\x02\\x00\\x00\\xd0\\xc4\\x13x\\xfc\\x7f\\x00\\x00\\x00$\\x1fN\\x92\\x02\\x00\\x00\\xe0\\xc4\\x13x\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x8b\\xc2\\xf6\\x7f\\x00\\x00\\xf0\\x00\\x8e\\xc2\\xf6\\x7f\\x00\\x00\\x00\\x00\\x13\\x00\\x00\\x00\\x00\\x00>\\x00@\\x00\\x00\\x00\\x00\\x00\\xf8!\\x1fN\\x92\\x02\\x00\\x00\\x16\\x00\\x18\\x00\\x00\\x00\\x00\\x00 \"\\x1fN\\x92\\x02\\x00\\x00\\xcc\\xa2\\x00\\x00\\xff\\xff\\xff\\xff\\x80Q\\x1fN\\x92\\x02\\x00\\x00\\xb0\\xc2\\x13x\\xfc\\x7f\\x00\\x00u\\x00|V\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 164
          },
          {
            "timestamp": "2026-05-28 22:01:57,146",
            "thread_id": "1496",
            "caller": "0x7ffc75703fbc",
            "parentcaller": "0x7ffc75703c79",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2924e1f23f0"
              },
              {
                "name": "Size",
                "value": "0x00000088"
              },
              {
                "name": "Buffer",
                "value": "\\x10+\\x1fN\\x92\\x02\\x00\\x00\\x80%\\x1fN\\x92\\x02\\x00\\x00 +\\x1fN\\x92\\x02\\x00\\x00\\x90%\\x1fN\\x92\\x02\\x00\\x00@1\\x1fN\\x92\\x02\\x00\\x00\\xf0\\xc4\\x13x\\xfc\\x7f\\x00\\x00\\x00\\x00\\xfdw\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x80\\x1f\\x00\\x00\\x00\\x00\\x00:\\x00<\\x00\\x00\\x00\\x00\\x00\\xf0\"\\x1fN\\x92\\x02\\x00\\x00\\x12\\x00\\x14\\x00\\x00\\x00\\x00\\x00\\xb0\\xd9\\x0fx\\xfc\\x7f\\x00\\x00\\xc4\\xa2\\x00\\x00\\xff\\xff\\x00\\x00\\x80\\xc2\\x13x\\xfc\\x7f\\x00\\x00\\x80\\xc2\\x13x\\xfc\\x7f\\x00\\x00o\\xaad\\x9b\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 165
          },
          {
            "timestamp": "2026-05-28 22:01:57,146",
            "thread_id": "1496",
            "caller": "0x7ffc75703fbc",
            "parentcaller": "0x7ffc75703c79",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2924e1f2b10"
              },
              {
                "name": "Size",
                "value": "0x00000088"
              },
              {
                "name": "Buffer",
                "value": " 1\\x1fN\\x92\\x02\\x00\\x00\\xf0#\\x1fN\\x92\\x02\\x00\\x0001\\x1fN\\x92\\x02\\x00\\x00\\x00$\\x1fN\\x92\\x02\\x00\\x000Q\\x1fN\\x92\\x02\\x00\\x00@1\\x1fN\\x92\\x02\\x00\\x00\\x00\\x00\\x03v\\xfc\\x7f\\x00\\x00\\xe0s\\x04v\\xfc\\x7f\\x00\\x00\\x00\\xd0\\x0b\\x00\\x00\\x00\\x00\\x00@\\x00B\\x00\\x00\\x00\\x00\\x00\\xa0,\\x1fN\\x92\\x02\\x00\\x00\\x18\\x00\\x1a\\x00\\x00\\x00\\x00\\x00\\xc8,\\x1fN\\x92\\x02\\x00\\x00\\xcc\\xa2\\x0c\\x00\\xff\\xff\\x00\\x00`\\xc2\\x13x\\xfc\\x7f\\x00\\x00`\\xc2\\x13x\\xfc\\x7f\\x00\\x00'\\xda\\xc9\\x9e\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 166
          },
          {
            "timestamp": "2026-05-28 22:01:57,146",
            "thread_id": "1496",
            "caller": "0x7ffc75703fbc",
            "parentcaller": "0x7ffc75703c79",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2924e1f3120"
              },
              {
                "name": "Size",
                "value": "0x00000088"
              },
              {
                "name": "Buffer",
                "value": "0M\\x1fN\\x92\\x02\\x00\\x00\\x10+\\x1fN\\x92\\x02\\x00\\x00@M\\x1fN\\x92\\x02\\x00\\x00 +\\x1fN\\x92\\x02\\x00\\x000+\\x1fN\\x92\\x02\\x00\\x00\\x10$\\x1fN\\x92\\x02\\x00\\x00\\x00\\x00ku\\xfc\\x7f\\x00\\x00\\xb0glu\\xfc\\x7f\\x00\\x00\\x00`/\\x00\\x00\\x00\\x00\\x00D\\x00F\\x00\\x00\\x00\\x00\\x00\\xb02\\x1fN\\x92\\x02\\x00\\x00\\x1c\\x00\\x1e\\x00\\x00\\x00\\x00\\x00\\xd82\\x1fN\\x92\\x02\\x00\\x00\\xcc\\xa2\\x08\\x00\\xff\\xff\\xff\\xff\\x80\\xc1\\x13x\\xfc\\x7f\\x00\\x00\\x80\\xc1\\x13x\\xfc\\x7f\\x00\\x00\\x12\\x8f\\x0f\\xd8\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 167
          },
          {
            "timestamp": "2026-05-28 22:01:57,146",
            "thread_id": "1496",
            "caller": "0x7ffc75703fbc",
            "parentcaller": "0x7ffc75703c79",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2924e1f4d30"
              },
              {
                "name": "Size",
                "value": "0x00000088"
              },
              {
                "name": "Buffer",
                "value": "\\x10Q\\x1fN\\x92\\x02\\x00\\x00 1\\x1fN\\x92\\x02\\x00\\x00 Q\\x1fN\\x92\\x02\\x00\\x0001\\x1fN\\x92\\x02\\x00\\x00\\xe0X\\x1fN\\x92\\x02\\x00\\x000Q\\x1fN\\x92\\x02\\x00\\x00\\x00\\x00\\xa8u\\xfc\\x7f\\x00\\x00\\xb0\\xfa\\xacu\\xfc\\x7f\\x00\\x00\\x00\\xd0\\x15\\x00\\x00\\x00\\x00\\x00>\\x00@\\x00\\x00\\x00\\x00\\x00`N\\x1fN\\x92\\x02\\x00\\x00\\x16\\x00\\x18\\x00\\x00\\x00\\x00\\x00\\x88N\\x1fN\\x92\\x02\\x00\\x00\\xec\\xa2\\x08\\x00\\x06\\x00\\xff\\xff0Y\\x1fN\\x92\\x02\\x00\\x00p\\xc1\\x13x\\xfc\\x7f\\x00\\x00Yo\\xd4\\xce\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 168
          },
          {
            "timestamp": "2026-05-28 22:01:57,146",
            "thread_id": "1496",
            "caller": "0x7ffc75703fbc",
            "parentcaller": "0x7ffc75703c79",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2924e1f5110"
              },
              {
                "name": "Size",
                "value": "0x00000088"
              },
              {
                "name": "Buffer",
                "value": "\\xd0T\\x1fN\\x92\\x02\\x00\\x000M\\x1fN\\x92\\x02\\x00\\x00\\xe0T\\x1fN\\x92\\x02\\x00\\x00@M\\x1fN\\x92\\x02\\x00\\x00PM\\x1fN\\x92\\x02\\x00\\x000+\\x1fN\\x92\\x02\\x00\\x00\\x00\\x00\\xd0u\\xfc\\x7f\\x00\\x00\\x10a\\xd1u\\xfc\\x7f\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00@\\x00B\\x00\\x00\\x00\\x00\\x00\\xa0R\\x1fN\\x92\\x02\\x00\\x00\\x18\\x00\\x1a\\x00\\x00\\x00\\x00\\x00\\xc8R\\x1fN\\x92\\x02\\x00\\x00\\xec\\xa2\\x08\\x00\\x06\\x00\\x00\\x00\\xb0\\xc2\\x13x\\xfc\\x7f\\x00\\x00\\xf0%\\x1fN\\x92\\x02\\x00\\x00\\x89]\\xcf\\x81\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 169
          },
          {
            "timestamp": "2026-05-28 22:01:57,146",
            "thread_id": "1496",
            "caller": "0x7ffc75703fbc",
            "parentcaller": "0x7ffc75703c79",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2924e1f54d0"
              },
              {
                "name": "Size",
                "value": "0x00000088"
              },
              {
                "name": "Buffer",
                "value": "\\xc0X\\x1fN\\x92\\x02\\x00\\x00\\x10Q\\x1fN\\x92\\x02\\x00\\x00\\xd0X\\x1fN\\x92\\x02\\x00\\x00 Q\\x1fN\\x92\\x02\\x00\\x00\\x00a\\x1fN\\x92\\x02\\x00\\x00\\xe0X\\x1fN\\x92\\x02\\x00\\x00\\x00\\x00\\xf2w\\xfc\\x7f\\x00\\x00\\x00C\\xf3w\\xfc\\x7f\\x00\\x00\\x00\\xb0\\x06\\x00\\x00\\x00\\x00\\x00<\\x00>\\x00\\x00\\x00\\x00\\x00`V\\x1fN\\x92\\x02\\x00\\x00\\x14\\x00\\x16\\x00\\x00\\x00\\x00\\x00\\x88V\\x1fN\\x92\\x02\\x00\\x00\\xec\\xa2\\x08\\x00\\x06\\x00\\x00\\x00\\xa0\\xe5\\x1fN\\x92\\x02\\x00\\x00 \\xc3\\x13x\\xfc\\x7f\\x00\\x00\\xbc1\rz\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 170
          },
          {
            "timestamp": "2026-05-28 22:01:57,146",
            "thread_id": "1496",
            "caller": "0x7ffc75703fbc",
            "parentcaller": "0x7ffc75703c79",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2924e1f58c0"
              },
              {
                "name": "Size",
                "value": "0x00000088"
              },
              {
                "name": "Buffer",
                "value": "\\xa0\\\\x1fN\\x92\\x02\\x00\\x00\\xd0T\\x1fN\\x92\\x02\\x00\\x00\\xb0\\\\x1fN\\x92\\x02\\x00\\x00\\xe0T\\x1fN\\x92\\x02\\x00\\x00\\xf0T\\x1fN\\x92\\x02\\x00\\x00PM\\x1fN\\x92\\x02\\x00\\x00\\x00\\x00\nw\\xfc\\x7f\\x00\\x00\\x80\\xe1\\x0fw\\xfc\\x7f\\x00\\x00\\x00`\\x12\\x00\\x00\\x00\\x00\\x00<\\x00>\\x00\\x00\\x00\\x00\\x00PZ\\x1fN\\x92\\x02\\x00\\x00\\x14\\x00\\x16\\x00\\x00\\x00\\x00\\x00xZ\\x1fN\\x92\\x02\\x00\\x00\\xec\\xa2\\x08\\x00\\x06\\x00\\x00\\x00p\\xc1\\x13x\\xfc\\x7f\\x00\\x00\\xa0M\\x1fN\\x92\\x02\\x00\\x00\\x0f\\xf4P\\xa2\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 171
          },
          {
            "timestamp": "2026-05-28 22:01:57,146",
            "thread_id": "1496",
            "caller": "0x7ffc75703fbc",
            "parentcaller": "0x7ffc75703c79",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2924e1f5ca0"
              },
              {
                "name": "Size",
                "value": "0x00000088"
              },
              {
                "name": "Buffer",
                "value": "\\xe0`\\x1fN\\x92\\x02\\x00\\x00\\xc0X\\x1fN\\x92\\x02\\x00\\x00\\xf0`\\x1fN\\x92\\x02\\x00\\x00\\xd0X\\x1fN\\x92\\x02\\x00\\x00P\\xe5\\x1fN\\x92\\x02\\x00\\x00\\xf0c\\x1fN\\x92\\x02\\x00\\x00\\x00\\x00*v\\xfc\\x7f\\x00\\x00`\\x7f+v\\xfc\\x7f\\x00\\x00\\x00\\xe0\\x19\\x00\\x00\\x00\\x00\\x00<\\x00>\\x00\\x00\\x00\\x00\\x000^\\x1fN\\x92\\x02\\x00\\x00\\x14\\x00\\x16\\x00\\x00\\x00\\x00\\x00X^\\x1fN\\x92\\x02\\x00\\x00\\xec\\xa2\\x0c\\x00\\x06\\x00\\x00\\x00@\\xc1\\x13x\\xfc\\x7f\\x00\\x00@\\xc1\\x13x\\xfc\\x7f\\x00\\x00\\x19t\\xe4\\x12\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 172
          },
          {
            "timestamp": "2026-05-28 22:01:57,146",
            "thread_id": "1496",
            "caller": "0x7ffc75703fbc",
            "parentcaller": "0x7ffc75703c79",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2924e1f60e0"
              },
              {
                "name": "Size",
                "value": "0x00000088"
              },
              {
                "name": "Buffer",
                "value": "\\xd0c\\x1fN\\x92\\x02\\x00\\x00\\xa0\\\\x1fN\\x92\\x02\\x00\\x00\\xe0c\\x1fN\\x92\\x02\\x00\\x00\\xb0\\\\x1fN\\x92\\x02\\x00\\x000\\x90\\x1fN\\x92\\x02\\x00\\x00\\xf0T\\x1fN\\x92\\x02\\x00\\x00\\x00\\x00\\xa5u\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00 \\x02\\x00\\x00\\x00\\x00\\x00<\\x00>\\x00\\x00\\x00\\x00\\x00pb\\x1fN\\x92\\x02\\x00\\x00\\x14\\x00\\x16\\x00\\x00\\x00\\x00\\x00\\x98b\\x1fN\\x92\\x02\\x00\\x00\\xec\\xa2\\x08\\x00\\x06\\x00\\x00\\x00\\xf0\\x8b\\x1fN\\x92\\x02\\x00\\x00@\\xc2\\x13x\\xfc\\x7f\\x00\\x00\\x13\\x02\\xcd\r\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 173
          },
          {
            "timestamp": "2026-05-28 22:01:57,146",
            "thread_id": "1496",
            "caller": "0x7ffc75703fbc",
            "parentcaller": "0x7ffc75703c79",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2924e1f63d0"
              },
              {
                "name": "Size",
                "value": "0x00000088"
              },
              {
                "name": "Buffer",
                "value": "\\x80\\x8b\\x1fN\\x92\\x02\\x00\\x00\\xe0`\\x1fN\\x92\\x02\\x00\\x00\\x90\\x8b\\x1fN\\x92\\x02\\x00\\x00\\xf0`\\x1fN\\x92\\x02\\x00\\x00\\xc0\\\\x1fN\\x92\\x02\\x00\\x00\\xa0\\x8b\\x1fN\\x92\\x02\\x00\\x00\\x00\\x00\\xedw\\xfc\\x7f\\x00\\x00`I\\xedw\\xfc\\x7f\\x00\\x00\\x00\\xc0\\x02\\x00\\x00\\x00\\x00\\x00:\\x00<\\x00\\x00\\x00\\x00\\x00`e\\x1fN\\x92\\x02\\x00\\x00\\x12\\x00\\x14\\x00\\x00\\x00\\x00\\x00\\x88e\\x1fN\\x92\\x02\\x00\\x00\\xec\\xa2\\x0c\\x00\\x06\\x00\\x00\\x00P\\xc1\\x13x\\xfc\\x7f\\x00\\x00P\\xc1\\x13x\\xfc\\x7f\\x00\\x00\\xb5\\xf0\\x86p\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 174
          },
          {
            "timestamp": "2026-05-28 22:01:57,146",
            "thread_id": "1496",
            "caller": "0x7ffc75703fbc",
            "parentcaller": "0x7ffc75703c79",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2924e1f8b80"
              },
              {
                "name": "Size",
                "value": "0x00000088"
              },
              {
                "name": "Buffer",
                "value": "\\x10\\x90\\x1fN\\x92\\x02\\x00\\x00\\xd0c\\x1fN\\x92\\x02\\x00\\x00 \\x90\\x1fN\\x92\\x02\\x00\\x00\\xe0c\\x1fN\\x92\\x02\\x00\\x00\\xf0c\\x1fN\\x92\\x02\\x00\\x000\\x90\\x1fN\\x92\\x02\\x00\\x00\\x00\\x00\\xbeu\\xfc\\x7f\\x00\\x00\\x90\\x17\\xc1u\\xfc\\x7f\\x00\\x00\\x00\\xa0\\x11\\x00\\x00\\x00\\x00\\x00B\\x00D\\x00\\x00\\x00\\x00\\x00\\x10\\x8d\\x1fN\\x92\\x02\\x00\\x00\\x1a\\x00\\x1c\\x00\\x00\\x00\\x00\\x008\\x8d\\x1fN\\x92\\x02\\x00\\x00\\xec\\xa2\\x08\\x00\\x06\\x00\\x00\\x00\\x80\\x90\\x1fN\\x92\\x02\\x00\\x00Pa\\x1fN\\x92\\x02\\x00\\x00<\\xa0\\x89\\xf1\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 175
          },
          {
            "timestamp": "2026-05-28 22:01:57,146",
            "thread_id": "1496",
            "caller": "0x7ffc75703fbc",
            "parentcaller": "0x7ffc75703c79",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2924e1f9010"
              },
              {
                "name": "Size",
                "value": "0x00000088"
              },
              {
                "name": "Buffer",
                "value": "\\xd0\\xab\\x1fN\\x92\\x02\\x00\\x00\\x80\\x8b\\x1fN\\x92\\x02\\x00\\x00\\xe0\\xab\\x1fN\\x92\\x02\\x00\\x00\\x90\\x8b\\x1fN\\x92\\x02\\x00\\x00\\xa0\\x8b\\x1fN\\x92\\x02\\x00\\x00\\x00a\\x1fN\\x92\\x02\\x00\\x00\\x00\\x00\\x9bu\\xfc\\x7f\\x00\\x00\\x90S\\x9cu\\xfc\\x7f\\x00\\x00\\x00\\xd0\t\\x00\\x00\\x00\\x00\\x00B\\x00D\\x00\\x00\\x00\\x00\\x00\\xd0\\xa4\\x1fN\\x92\\x02\\x00\\x00\\x1a\\x00\\x1c\\x00\\x00\\x00\\x00\\x00\\xf8\\xa4\\x1fN\\x92\\x02\\x00\\x00\\xec\\xa2\\x0c\\x00\\x06\\x00\\x00\\x00P\\xbf\\x1fN\\x92\\x02\\x00\\x00\\xf0\\x8b\\x1fN\\x92\\x02\\x00\\x00\\xcf\\%9\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 176
          },
          {
            "timestamp": "2026-05-28 22:01:57,146",
            "thread_id": "1496",
            "caller": "0x7ffc75703fbc",
            "parentcaller": "0x7ffc75703c79",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2924e1fabd0"
              },
              {
                "name": "Size",
                "value": "0x00000088"
              },
              {
                "name": "Buffer",
                "value": "\\x00\\xaf\\x1fN\\x92\\x02\\x00\\x00\\x10\\x90\\x1fN\\x92\\x02\\x00\\x00\\x10\\xaf\\x1fN\\x92\\x02\\x00\\x00 \\x90\\x1fN\\x92\\x02\\x00\\x00@\\xba\\x1fN\\x92\\x02\\x00\\x00 \\xb2\\x1fN\\x92\\x02\\x00\\x00\\x00\\x00\\x1ew\\xfc\\x7f\\x00\\x00`X\\x1fw\\xfc\\x7f\\x00\\x00\\x00\\xf0\n\\x00\\x00\\x00\\x00\\x00@\\x00B\\x00\\x00\\x00\\x00\\x00\\xb0\\xa1\\x1fN\\x92\\x02\\x00\\x00\\x18\\x00\\x1a\\x00\\x00\\x00\\x00\\x00\\xd8\\xa1\\x1fN\\x92\\x02\\x00\\x00\\xec\\xa2\\x08\\x00\\x06\\x00\\x00\\x00\\x10\\xc4\\x1fN\\x92\\x02\\x00\\x00\\x00\\xc3\\x13x\\xfc\\x7f\\x00\\x00\\xef\\x1f\\x17#\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 177
          },
          {
            "timestamp": "2026-05-28 22:01:57,146",
            "thread_id": "1496",
            "caller": "0x7ffc75703fbc",
            "parentcaller": "0x7ffc75703c79",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2924e1faf00"
              },
              {
                "name": "Size",
                "value": "0x00000088"
              },
              {
                "name": "Buffer",
                "value": "\\x00\\xb2\\x1fN\\x92\\x02\\x00\\x00\\xd0\\xab\\x1fN\\x92\\x02\\x00\\x00\\x10\\xb2\\x1fN\\x92\\x02\\x00\\x00\\xe0\\xab\\x1fN\\x92\\x02\\x00\\x00 \\xb2\\x1fN\\x92\\x02\\x00\\x00P\\xe5\\x1fN\\x92\\x02\\x00\\x00\\x00\\x00)w\\xfc\\x7f\\x00\\x00Px)w\\xfc\\x7f\\x00\\x00\\x00\\xe0\t\\x00\\x00\\x00\\x00\\x00<\\x00>\\x00\\x00\\x00\\x00\\x00\\x00\\xa2\\x1fN\\x92\\x02\\x00\\x00\\x14\\x00\\x16\\x00\\x00\\x00\\x00\\x00(\\xa2\\x1fN\\x92\\x02\\x00\\x00\\xec\\xa2\\x08\\x00\\x06\\x00\\xff\\xff\\x00\\xfb\\x1fN\\x92\\x02\\x00\\x00\\xf0\\xc1\\x13x\\xfc\\x7f\\x00\\x00\\x04\\x0e\\xf6\\x9b\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 178
          },
          {
            "timestamp": "2026-05-28 22:01:57,146",
            "thread_id": "1496",
            "caller": "0x7ffc75703fbc",
            "parentcaller": "0x7ffc75703c79",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2924e1fb200"
              },
              {
                "name": "Size",
                "value": "0x00000088"
              },
              {
                "name": "Buffer",
                "value": " \\xba\\x1fN\\x92\\x02\\x00\\x00\\x00\\xaf\\x1fN\\x92\\x02\\x00\\x000\\xba\\x1fN\\x92\\x02\\x00\\x00\\x10\\xaf\\x1fN\\x92\\x02\\x00\\x00\\xf0\\xab\\x1fN\\x92\\x02\\x00\\x00 \\xaf\\x1fN\\x92\\x02\\x00\\x00\\x00\\x00fw\\xfc\\x7f\\x00\\x00p\\xcegw\\xfc\\x7f\\x00\\x00\\x00\\xc0\t\\x00\\x00\\x00\\x00\\x00>\\x00@\\x00\\x00\\x00\\x00\\x00P\\xa2\\x1fN\\x92\\x02\\x00\\x00\\x16\\x00\\x18\\x00\\x00\\x00\\x00\\x00x\\xa2\\x1fN\\x92\\x02\\x00\\x00\\xec\\xa2\\x0c\\x00\\x06\\x00\\x00\\x00\\xb0\\xc1\\x1fN\\x92\\x02\\x00\\x000\\xc2\\x13x\\xfc\\x7f\\x00\\x00\\x9a\\xb6\\xfa\\x9d\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 179
          },
          {
            "timestamp": "2026-05-28 22:01:57,146",
            "thread_id": "1496",
            "caller": "0x7ffc75703fbc",
            "parentcaller": "0x7ffc75703c79",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2924e1fba20"
              },
              {
                "name": "Size",
                "value": "0x00000088"
              },
              {
                "name": "Buffer",
                "value": "P\\xbb\\x1fN\\x92\\x02\\x00\\x00\\x00\\xb2\\x1fN\\x92\\x02\\x00\\x00`\\xbb\\x1fN\\x92\\x02\\x00\\x00\\x10\\xb2\\x1fN\\x92\\x02\\x00\\x00\\x10\\xb9\\x1fN\\x92\\x02\\x00\\x00\\xf0\\xab\\x1fN\\x92\\x02\\x00\\x00\\x00\\x00sv\\xfc\\x7f\\x00\\x00\\x80\\x12\\x84v\\xfc\\x7f\\x00\\x00\\x00Pt\\x00\\x00\\x00\\x00\\x00>\\x00@\\x00\\x00\\x00\\x00\\x00@\\xa3\\x1fN\\x92\\x02\\x00\\x00\\x16\\x00\\x18\\x00\\x00\\x00\\x00\\x00h\\xa3\\x1fN\\x92\\x02\\x00\\x00\\xec\\xa2\\x08\\x00\\x06\\x00\\xff\\xff0\\xb8\\x1fN\\x92\\x02\\x00\\x00\\x90\\xc1\\x13x\\xfc\\x7f\\x00\\x00CA\\xda\\xc3\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 180
          },
          {
            "timestamp": "2026-05-28 22:01:57,146",
            "thread_id": "1496",
            "caller": "0x7ffc75703fbc",
            "parentcaller": "0x7ffc75703c79",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2924e1fbb50"
              },
              {
                "name": "Size",
                "value": "0x00000088"
              },
              {
                "name": "Buffer",
                "value": "\\xf0\\xb8\\x1fN\\x92\\x02\\x00\\x00 \\xba\\x1fN\\x92\\x02\\x00\\x00\\x00\\xb9\\x1fN\\x92\\x02\\x00\\x000\\xba\\x1fN\\x92\\x02\\x00\\x00\\xb0\\xb6\\x1fN\\x92\\x02\\x00\\x00\\x10\\xb9\\x1fN\\x92\\x02\\x00\\x00\\x00\\x00\\xf6v\\xfc\\x7f\\x00\\x00\\xb0e\\xf8v\\xfc\\x7f\\x00\\x00\\x00\\xb0\\x12\\x00\\x00\\x00\\x00\\x00:\\x00<\\x00\\x00\\x00\\x00\\x00\\x90\\xa3\\x1fN\\x92\\x02\\x00\\x00\\x12\\x00\\x14\\x00\\x00\\x00\\x00\\x00\\xb8\\xa3\\x1fN\\x92\\x02\\x00\\x00\\xec\\xa2\\x08\\x00\\x06\\x00\\xff\\xff0\\xfc\\x1fN\\x92\\x02\\x00\\x00\\x10\\xc3\\x13x\\xfc\\x7f\\x00\\x00\\xb5}]\\xc1\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 181
          },
          {
            "timestamp": "2026-05-28 22:01:57,146",
            "thread_id": "1496",
            "caller": "0x7ffc75703fbc",
            "parentcaller": "0x7ffc75703c79",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2924e1fb8f0"
              },
              {
                "name": "Size",
                "value": "0x00000088"
              },
              {
                "name": "Buffer",
                "value": "\\x90\\xb6\\x1fN\\x92\\x02\\x00\\x00P\\xbb\\x1fN\\x92\\x02\\x00\\x00\\xa0\\xb6\\x1fN\\x92\\x02\\x00\\x00`\\xbb\\x1fN\\x92\\x02\\x00\\x00p\\xbb\\x1fN\\x92\\x02\\x00\\x00@\\xba\\x1fN\\x92\\x02\\x00\\x00\\x00\\x00\\xb7w\\xfc\\x7f\\x00\\x00\\xf0I\\xc6w\\xfc\\x7f\\x00\\x00\\x00@5\\x00\\x00\\x00\\x00\\x00>\\x00@\\x00\\x00\\x00\\x00\\x00 \\xa0\\x1fN\\x92\\x02\\x00\\x00\\x16\\x00\\x18\\x00\\x00\\x00\\x00\\x00H\\xa0\\x1fN\\x92\\x02\\x00\\x00\\xec\\xa2\\x08\\x00\\x06\\x00\\xff\\xff\\xc0\\xc1\\x13x\\xfc\\x7f\\x00\\x00\\xc0\\xc1\\x13x\\xfc\\x7f\\x00\\x00=}>a\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 182
          },
          {
            "timestamp": "2026-05-28 22:01:57,146",
            "thread_id": "1496",
            "caller": "0x7ffc75703fbc",
            "parentcaller": "0x7ffc75703c79",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2924e1fb690"
              },
              {
                "name": "Size",
                "value": "0x00000088"
              },
              {
                "name": "Buffer",
                "value": "\\xe0\\xbe\\x1fN\\x92\\x02\\x00\\x00\\xf0\\xb8\\x1fN\\x92\\x02\\x00\\x00\\xf0\\xbe\\x1fN\\x92\\x02\\x00\\x00\\x00\\xb9\\x1fN\\x92\\x02\\x00\\x00\\x00\\xbf\\x1fN\\x92\\x02\\x00\\x00p\\xbb\\x1fN\\x92\\x02\\x00\\x00\\x00\\x003w\\xfc\\x7f\\x00\\x00P\\xe74w\\xfc\\x7f\\x00\\x00\\x00\\xd0\\x0c\\x00\\x00\\x00\\x00\\x00@\\x00B\\x00\\x00\\x00\\x00\\x00\\xa0\\xa2\\x1fN\\x92\\x02\\x00\\x00\\x18\\x00\\x1a\\x00\\x00\\x00\\x00\\x00\\xc8\\xa2\\x1fN\\x92\\x02\\x00\\x00\\xec\\xa2\\x08\\x00\\x06\\x00\\xff\\xff0\\xe9\\x1fN\\x92\\x02\\x00\\x00\\x10\\xc2\\x13x\\xfc\\x7f\\x00\\x00\\xf1\\xdf.\\xd4\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 183
          },
          {
            "timestamp": "2026-05-28 22:01:57,146",
            "thread_id": "1496",
            "caller": "0x7ffc75703fbc",
            "parentcaller": "0x7ffc75703c79",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2924e1fbee0"
              },
              {
                "name": "Size",
                "value": "0x00000088"
              },
              {
                "name": "Buffer",
                "value": "\\xb0\\xbd\\x1fN\\x92\\x02\\x00\\x00\\x90\\xb6\\x1fN\\x92\\x02\\x00\\x00\\xc0\\xbd\\x1fN\\x92\\x02\\x00\\x00\\xa0\\xb6\\x1fN\\x92\\x02\\x00\\x00\\xd0\\xbd\\x1fN\\x92\\x02\\x00\\x00\\xb0\\xb6\\x1fN\\x92\\x02\\x00\\x00\\x00\\x00mv\\xfc\\x7f\\x00\\x00\\xa0\\xa7mv\\xfc\\x7f\\x00\\x00\\x00P\\x05\\x00\\x00\\x00\\x00\\x00>\\x00@\\x00\\x00\\x00\\x00\\x00\\xf0\\xa2\\x1fN\\x92\\x02\\x00\\x00\\x16\\x00\\x18\\x00\\x00\\x00\\x00\\x00\\x18\\xa3\\x1fN\\x92\\x02\\x00\\x00\\xec\\xa2\\x0c\\x00\\x06\\x00\\x00\\x00@\\xc2\\x13x\\xfc\\x7f\\x00\\x00\\x80\\x90\\x1fN\\x92\\x02\\x00\\x00S\\xbe\\xd5!\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 184
          },
          {
            "timestamp": "2026-05-28 22:01:57,146",
            "thread_id": "1496",
            "caller": "0x7ffc75703fbc",
            "parentcaller": "0x7ffc75703c79",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2924e1fbdb0"
              },
              {
                "name": "Size",
                "value": "0x00000088"
              },
              {
                "name": "Buffer",
                "value": "\\x10\\xc0\\x1fN\\x92\\x02\\x00\\x00\\xe0\\xbe\\x1fN\\x92\\x02\\x00\\x00 \\xc0\\x1fN\\x92\\x02\\x00\\x00\\xf0\\xbe\\x1fN\\x92\\x02\\x00\\x00\\xf0\\xe2\\x1fN\\x92\\x02\\x00\\x00\\x00\\xbf\\x1fN\\x92\\x02\\x00\\x00\\x00\\x00\\xe0u\\xfc\\x7f\\x00\\x00\\xf0\\x90\\xe0u\\xfc\\x7f\\x00\\x00\\x00p\\x02\\x00\\x00\\x00\\x00\\x00<\\x00>\\x00\\x00\\x00\\x00\\x00\\xe0\\xa3\\x1fN\\x92\\x02\\x00\\x00\\x14\\x00\\x16\\x00\\x00\\x00\\x00\\x00\\x08\\xa4\\x1fN\\x92\\x02\\x00\\x00\\xec\\xa2\\x0c\\x00\\x06\\x00\\x00\\x00`\\xc1\\x13x\\xfc\\x7f\\x00\\x00`\\xc1\\x13x\\xfc\\x7f\\x00\\x00C\\xb9#\\x97\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 185
          },
          {
            "timestamp": "2026-05-28 22:01:57,146",
            "thread_id": "1496",
            "caller": "0x7ffc75703fbc",
            "parentcaller": "0x7ffc75703c79",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2924e1fc010"
              },
              {
                "name": "Size",
                "value": "0x00000088"
              },
              {
                "name": "Buffer",
                "value": "\\x80\\xed\\x1fN\\x92\\x02\\x00\\x00\\xb0\\xbd\\x1fN\\x92\\x02\\x00\\x00\\x90\\xed\\x1fN\\x92\\x02\\x00\\x00\\xc0\\xbd\\x1fN\\x92\\x02\\x00\\x00`\\xc1\\x1fN\\x92\\x02\\x00\\x00\\xe0\\xe8\\x1fN\\x92\\x02\\x00\\x00\\x00\\x00\\x1dw\\xfc\\x7f\\x00\\x00\\xf0\"\\x1dw\\xfc\\x7f\\x00\\x00\\x00\\x80\\x00\\x00\\x00\\x00\\x00\\x006\\x008\\x00\\x00\\x00\\x00\\x00\\xa0\\xdb\\x1fN\\x92\\x02\\x00\\x00\\x0e\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\xc8\\xdb\\x1fN\\x92\\x02\\x00\\x00\\xec\\xa2\\x0c\\x00\\x06\\x00\\x00\\x00\\xe0\\xc2\\x13x\\xfc\\x7f\\x00\\x00\\xe0\\xc2\\x13x\\xfc\\x7f\\x00\\x00@\\xe2\\xe3o\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 186
          },
          {
            "timestamp": "2026-05-28 22:01:57,146",
            "thread_id": "1496",
            "caller": "0x7ffc75703fbc",
            "parentcaller": "0x7ffc75703c79",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2924e1fed80"
              },
              {
                "name": "Size",
                "value": "0x00000088"
              },
              {
                "name": "Buffer",
                "value": "0\\xf8\\x1fN\\x92\\x02\\x00\\x00\\x10\\xc0\\x1fN\\x92\\x02\\x00\\x00@\\xf8\\x1fN\\x92\\x02\\x00\\x00 \\xc0\\x1fN\\x92\\x02\\x00\\x00\\x90\\xc2\\x1fN\\x92\\x02\\x00\\x00P\\xf8\\x1fN\\x92\\x02\\x00\\x00\\x00\\x00pw\\xfc\\x7f\\x00\\x00\\xa04rw\\xfc\\x7f\\x00\\x00\\x00\\xe0F\\x00\\x00\\x00\\x00\\x00@\\x00B\\x00\\x00\\x00\\x00\\x000\\x9f\\x1fN\\x92\\x02\\x00\\x00\\x18\\x00\\x1a\\x00\\x00\\x00\\x00\\x00X\\x9f\\x1fN\\x92\\x02\\x00\\x00\\xec\\xa2\\x08\\x00\\x06\\x00\\x00\\x00p\\xc2\\x13x\\xfc\\x7f\\x00\\x00p\\xc2\\x13x\\xfc\\x7f\\x00\\x00\"%\\x88W\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 187
          },
          {
            "timestamp": "2026-05-28 22:01:57,146",
            "thread_id": "1496",
            "caller": "0x7ffc75703fbc",
            "parentcaller": "0x7ffc75703c79",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2924e1ff830"
              },
              {
                "name": "Size",
                "value": "0x00000088"
              },
              {
                "name": "Buffer",
                "value": "p\\xc2\\x1fN\\x92\\x02\\x00\\x00\\x80\\xed\\x1fN\\x92\\x02\\x00\\x00\\x80\\xc2\\x1fN\\x92\\x02\\x00\\x00\\x90\\xed\\x1fN\\x92\\x02\\x00\\x00\\xa0\\xed\\x1fN\\x92\\x02\\x00\\x00\\x90\\xf3\\x1fN\\x92\\x02\\x00\\x00\\x00\\x00\\xf5u\\xfc\\x7f\\x00\\x00P7\\xf6u\\xfc\\x7f\\x00\\x00\\x00\\xe0\\x04\\x00\\x00\\x00\\x00\\x00@\\x00B\\x00\\x00\\x00\\x00\\x00`\\xa1\\x1fN\\x92\\x02\\x00\\x00\\x18\\x00\\x1a\\x00\\x00\\x00\\x00\\x00\\x88\\xa1\\x1fN\\x92\\x02\\x00\\x00\\xec\\xa2\\x0c\\x00\\x06\\x00\\x00\\x00\\xe0\\xc2\\x1fN\\x92\\x02\\x00\\x00\\xd0\\xc1\\x13x\\xfc\\x7f\\x00\\x00]\\x81\\xde\\x1e\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 188
          },
          {
            "timestamp": "2026-05-28 22:01:57,146",
            "thread_id": "1496",
            "caller": "0x7ffc75703fbc",
            "parentcaller": "0x7ffc75703c79",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2924e1fc270"
              },
              {
                "name": "Size",
                "value": "0x00000088"
              },
              {
                "name": "Buffer",
                "value": "@\\xc1\\x1fN\\x92\\x02\\x00\\x000\\xf8\\x1fN\\x92\\x02\\x00\\x00P\\xc1\\x1fN\\x92\\x02\\x00\\x00@\\xf8\\x1fN\\x92\\x02\\x00\\x00\\xe0\\xe8\\x1fN\\x92\\x02\\x00\\x00\\xa0\\xed\\x1fN\\x92\\x02\\x00\\x00\\x00\\x00Fu\\xfc\\x7f\\x00\\x00\\x804Fu\\xfc\\x7f\\x00\\x00\\x00\\xb0\\x04\\x00\\x00\\x00\\x00\\x00@\\x00B\\x00\\x00\\x00\\x00\\x00\\xa0\\x9d\\x1fN\\x92\\x02\\x00\\x00\\x18\\x00\\x1a\\x00\\x00\\x00\\x00\\x00\\xc8\\x9d\\x1fN\\x92\\x02\\x00\\x00\\xec\\xa2\\x0c\\x00\\x06\\x00\\x00\\x00\\xd0\\xf9\\x1fN\\x92\\x02\\x00\\x00\\xa0\\xf8\\x1fN\\x92\\x02\\x00\\x00\\x08\\x95\\x19\\x06\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 189
          },
          {
            "timestamp": "2026-05-28 22:01:57,146",
            "thread_id": "1496",
            "caller": "0x7ffc75703fbc",
            "parentcaller": "0x7ffc75703c79",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2924e1fc140"
              },
              {
                "name": "Size",
                "value": "0x00000088"
              },
              {
                "name": "Buffer",
                "value": "\\xa0\\xc3\\x1fN\\x92\\x02\\x00\\x00p\\xc2\\x1fN\\x92\\x02\\x00\\x00\\xb0\\xc3\\x1fN\\x92\\x02\\x00\\x00\\x80\\xc2\\x1fN\\x92\\x02\\x00\\x00\\xc0\\xc3\\x1fN\\x92\\x02\\x00\\x000\\xc0\\x1fN\\x92\\x02\\x00\\x00\\x00\\x00\\xe0a\\xfc\\x7f\\x00\\x00p\\x9e\\xe9a\\xfc\\x7f\\x00\\x00\\x00\\xa0)\\x00\\x00\\x00\\x00\\x00\\xf8\\x00\\xfa\\x00\\x00\\x00\\x00\\x00\\xb0' N\\x92\\x02\\x00\\x00\\x18\\x00\\x1a\\x00\\x00\\x00\\x00\\x00\\x90( N\\x92\\x02\\x00\\x00\\xec\\xa2\\x08\\x10\\x06\\x00\\xff\\xff0\\xc2\\x13x\\xfc\\x7f\\x00\\x00p\\xb2\\x1fN\\x92\\x02\\x00\\x00\\xed\\xb6\\x1eK\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 190
          },
          {
            "timestamp": "2026-05-28 22:01:57,146",
            "thread_id": "1496",
            "caller": "0x7ffc75703fbc",
            "parentcaller": "0x7ffc75703c79",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2924e1fc3a0"
              },
              {
                "name": "Size",
                "value": "0x00000088"
              },
              {
                "name": "Buffer",
                "value": "`\\xb5\\x1fN\\x92\\x02\\x00\\x00@\\xc1\\x1fN\\x92\\x02\\x00\\x00p\\xb5\\x1fN\\x92\\x02\\x00\\x00P\\xc1\\x1fN\\x92\\x02\\x00\\x00\\x80\\xb5\\x1fN\\x92\\x02\\x00\\x00`\\xc1\\x1fN\\x92\\x02\\x00\\x00\\x00\\x00\ns\\xfc\\x7f\\x00\\x00p\\x8c\\x0cs\\xfc\\x7f\\x00\\x00\\x00\\xe0\t\\x00\\x00\\x00\\x00\\x00>\\x00@\\x00\\x92\\x02\\x00\\x00\\xd0\\x9f\\x1fN\\x92\\x02\\x00\\x00\\x16\\x00\\x18\\x00\\x00\\x00\\x00\\x00\\xf8\\x9f\\x1fN\\x92\\x02\\x00\\x00\\xec\\xa2\\x0c\\x00\\x06\\x00\\x00\\x00\\x00\\xc3\\x13x\\xfc\\x7f\\x00\\x00@\\xac\\x1fN\\x92\\x02\\x00\\x006\\x88\\x10\\x16\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 191
          },
          {
            "timestamp": "2026-05-28 22:01:57,146",
            "thread_id": "1496",
            "caller": "0x7ffc75703fbc",
            "parentcaller": "0x7ffc75703c79",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2924e1fb560"
              },
              {
                "name": "Size",
                "value": "0x00000088"
              },
              {
                "name": "Buffer",
                "value": "\\xc0\\xb7\\x1fN\\x92\\x02\\x00\\x00\\xa0\\xc3\\x1fN\\x92\\x02\\x00\\x00\\xd0\\xb7\\x1fN\\x92\\x02\\x00\\x00\\xb0\\xc3\\x1fN\\x92\\x02\\x00\\x00\\xe0\\xb7\\x1fN\\x92\\x02\\x00\\x00\\xc0\\xc3\\x1fN\\x92\\x02\\x00\\x00\\x00\\x00\\x99k\\xfc\\x7f\\x00\\x00\\xc0\\x16\\x99k\\xfc\\x7f\\x00\\x00\\x00\\x90\\x01\\x00\\x00\\x00\\x00\\x00<\\x00>\\x00\\x92\\x02\\x00\\x00\\x10\\xa1\\x1fN\\x92\\x02\\x00\\x00\\x14\\x00\\x16\\x00\\x00\\x00\\x00\\x008\\xa1\\x1fN\\x92\\x02\\x00\\x00\\xec\\xa2\\x0c\\x00\\x06\\x00\\x00\\x00\\xc0\\xc2\\x13x\\xfc\\x7f\\x00\\x00\\xc0\\xc2\\x13x\\xfc\\x7f\\x00\\x00\\x1e\\xc3a\\x08\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 192
          },
          {
            "timestamp": "2026-05-28 22:01:57,146",
            "thread_id": "1496",
            "caller": "0x7ffc75703fbc",
            "parentcaller": "0x7ffc75703c79",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2924e1fb7c0"
              },
              {
                "name": "Size",
                "value": "0x00000088"
              },
              {
                "name": "Buffer",
                "value": "@\\xf2\\x1fN\\x92\\x02\\x00\\x00`\\xb5\\x1fN\\x92\\x02\\x00\\x00P\\xf2\\x1fN\\x92\\x02\\x00\\x00p\\xb5\\x1fN\\x92\\x02\\x00\\x00`\\xf2\\x1fN\\x92\\x02\\x00\\x00\\x80\\xb5\\x1fN\\x92\\x02\\x00\\x00\\x00\\x00\\xa9j\\xfc\\x7f\\x00\\x00 R\\xaaj\\xfc\\x7f\\x00\\x00\\x00P\t\\x00\\x00\\x00\\x00\\x00:\\x00<\\x00\\x92\\x02\\x00\\x00\\xf0\\x9d\\x1fN\\x92\\x02\\x00\\x00\\x12\\x00\\x14\\x00\\x00\\x00\\x00\\x00\\x18\\x9e\\x1fN\\x92\\x02\\x00\\x00\\xec\\xa2\\x08\\x00\\x06\\x00\\xff\\xff\\x80\\xf1\\x1fN\\x92\\x02\\x00\\x00\\x90\\xba\\x1fN\\x92\\x02\\x00\\x00}\\x0bF\r\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 193
          },
          {
            "timestamp": "2026-05-28 22:01:57,146",
            "thread_id": "1496",
            "caller": "0x7ffc75703fbc",
            "parentcaller": "0x7ffc75703c79",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2924e1ff240"
              },
              {
                "name": "Size",
                "value": "0x00000088"
              },
              {
                "name": "Buffer",
                "value": "P\\xff\\x1fN\\x92\\x02\\x00\\x00\\xc0\\xb7\\x1fN\\x92\\x02\\x00\\x00`\\xff\\x1fN\\x92\\x02\\x00\\x00\\xd0\\xb7\\x1fN\\x92\\x02\\x00\\x00p\\xff\\x1fN\\x92\\x02\\x00\\x00\\xe0\\xb7\\x1fN\\x92\\x02\\x00\\x00\\x00\\x00\\x1f`\\xfc\\x7f\\x00\\x00pR#`\\xfc\\x7f\\x00\\x00\\x00\\xe0\\x1a\\x00\\x00\\x00\\x00\\x00:\\x00<\\x00\\x92\\x02\\x00\\x00\\xb0< N\\x92\\x02\\x00\\x00\\x12\\x00\\x14\\x00\\x00\\x00\\x00\\x00\\xd8< N\\x92\\x02\\x00\\x00\\xec\\xa2\\x08\\x00\\x06\\x00\\xff\\xff\\xb0\\xc1\\x13x\\xfc\\x7f\\x00\\x00\\xb0\\xc1\\x13x\\xfc\\x7f\\x00\\x00n\\xea\\xab\\xed\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 194
          },
          {
            "timestamp": "2026-05-28 22:01:57,146",
            "thread_id": "1496",
            "caller": "0x7ffc75703fbc",
            "parentcaller": "0x7ffc75703c79",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2924e1fff50"
              },
              {
                "name": "Size",
                "value": "0x00000088"
              },
              {
                "name": "Buffer",
                "value": "`\\xf9\\x1fN\\x92\\x02\\x00\\x00@\\xf2\\x1fN\\x92\\x02\\x00\\x00p\\xf9\\x1fN\\x92\\x02\\x00\\x00P\\xf2\\x1fN\\x92\\x02\\x00\\x00\\x80\\xf9\\x1fN\\x92\\x02\\x00\\x00`\\xf2\\x1fN\\x92\\x02\\x00\\x00\\x00\\x00w^\\xfc\\x7f\\x00\\x00P5w^\\xfc\\x7f\\x00\\x00\\x00\\x90\\x04\\x00\\x00\\x00\\x00\\x006\\x008\\x00\\x92\\x02\\x00\\x00\\xf0N N\\x92\\x02\\x00\\x00\\x0e\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x18O N\\x92\\x02\\x00\\x00\\xec\\xa2\\x0c\\x00\\x06\\x00\\x00\\x00\\xe0\\xf3\\x1fN\\x92\\x02\\x00\\x00\\xe0\\xc1\\x13x\\xfc\\x7f\\x00\\x00v\\x0cU\\xc3\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 195
          },
          {
            "timestamp": "2026-05-28 22:01:57,146",
            "thread_id": "1496",
            "caller": "0x7ffc75703fbc",
            "parentcaller": "0x7ffc75703c79",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2924e1ff960"
              },
              {
                "name": "Size",
                "value": "0x00000088"
              },
              {
                "name": "Buffer",
                "value": "\\xe0\\xef\\x1fN\\x92\\x02\\x00\\x00P\\xff\\x1fN\\x92\\x02\\x00\\x00\\xf0\\xef\\x1fN\\x92\\x02\\x00\\x00`\\xff\\x1fN\\x92\\x02\\x00\\x00\\x00\\xf0\\x1fN\\x92\\x02\\x00\\x00p\\xff\\x1fN\\x92\\x02\\x00\\x00\\x00\\x007n\\xfc\\x7f\\x00\\x00@\\x1a9n\\xfc\\x7f\\x00\\x00\\x00\\xb0\\x03\\x00\\x00\\x00\\x00\\x00<\\x00>\\x00\\x92\\x02\\x00\\x00@9 N\\x92\\x02\\x00\\x00\\x14\\x00\\x16\\x00\\x00\\x00\\x00\\x00h9 N\\x92\\x02\\x00\\x00\\xec\\xa2\\x08\\x00\\x06\\x00\\xff\\xff\\xd0\\xc1\\x13x\\xfc\\x7f\\x00\\x00\\xe0\\xc2\\x1fN\\x92\\x02\\x00\\x00\\x0e\\x82\\xd7\\x1f\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 196
          },
          {
            "timestamp": "2026-05-28 22:01:57,146",
            "thread_id": "1496",
            "caller": "0x7ffc75703fbc",
            "parentcaller": "0x7ffc75703c79",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2924e1fefe0"
              },
              {
                "name": "Size",
                "value": "0x00000088"
              },
              {
                "name": "Buffer",
                "value": "\\x90\\xfa\\x1fN\\x92\\x02\\x00\\x00`\\xf9\\x1fN\\x92\\x02\\x00\\x00\\xa0\\xfa\\x1fN\\x92\\x02\\x00\\x00p\\xf9\\x1fN\\x92\\x02\\x00\\x00\\xb0\\xfa\\x1fN\\x92\\x02\\x00\\x00\\x80\\xf9\\x1fN\\x92\\x02\\x00\\x00\\x00\\x00\\xf7s\\xfc\\x7f\\x00\\x00\\xc0d\\xf9s\\xfc\\x7f\\x00\\x00\\x000\\x0f\\x00\\x00\\x00\\x00\\x008\\x00:\\x00\\x92\\x02\\x00\\x00\\x10A N\\x92\\x02\\x00\\x00\\x10\\x00\\x12\\x00\\x00\\x00\\x00\\x008A N\\x92\\x02\\x00\\x00\\xec\\xa2\\x0c\\x00\\x06\\x00\\x00\\x00@\\xf6\\x1fN\\x92\\x02\\x00\\x00\\x00\\xc2\\x13x\\xfc\\x7f\\x00\\x00k;\\xec\\xee\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 197
          },
          {
            "timestamp": "2026-05-28 22:01:57,146",
            "thread_id": "1496",
            "caller": "0x7ffc75703fbc",
            "parentcaller": "0x7ffc75703c79",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2924e1ffa90"
              },
              {
                "name": "Size",
                "value": "0x00000088"
              },
              {
                "name": "Buffer",
                "value": "\\xd0\\xf5\\x1fN\\x92\\x02\\x00\\x00\\xe0\\xef\\x1fN\\x92\\x02\\x00\\x00\\xe0\\xf5\\x1fN\\x92\\x02\\x00\\x00\\xf0\\xef\\x1fN\\x92\\x02\\x00\\x000\\xf1\\x1fN\\x92\\x02\\x00\\x00\\x00\\xf0\\x1fN\\x92\\x02\\x00\\x00\\x00\\x00iq\\xfc\\x7f\\x00\\x00\\xd0\\xc1pq\\xfc\\x7f\\x00\\x00\\x000&\\x00\\x00\\x00\\x00\\x00:\\x00<\\x00\\xfc\\x7f\\x00\\x00\\xa0B N\\x92\\x02\\x00\\x00\\x12\\x00\\x14\\x00\\x00\\x00\\x00\\x00\\xc8B N\\x92\\x02\\x00\\x00\\xec\\xa2\\x0c\\x00\\x06\\x00\\x00\\x00\\xf0\\xc1\\x13x\\xfc\\x7f\\x00\\x00p\\xaf\\x1fN\\x92\\x02\\x00\\x00\\x07\\xae\\xaap\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 198
          },
          {
            "timestamp": "2026-05-28 22:01:57,146",
            "thread_id": "1496",
            "caller": "0x7ffc75703fbc",
            "parentcaller": "0x7ffc75703c79",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2924e1ff5d0"
              },
              {
                "name": "Size",
                "value": "0x00000088"
              },
              {
                "name": "Buffer",
                "value": "p\\xf3\\x1fN\\x92\\x02\\x00\\x00\\x90\\xfa\\x1fN\\x92\\x02\\x00\\x00\\x80\\xf3\\x1fN\\x92\\x02\\x00\\x00\\xa0\\xfa\\x1fN\\x92\\x02\\x00\\x00\\xf0\\xc4\\x13x\\xfc\\x7f\\x00\\x000\\xf1\\x1fN\\x92\\x02\\x00\\x00\\x00\\x00\\x96k\\xfc\\x7f\\x00\\x000{\\x96k\\xfc\\x7f\\x00\\x00\\x00`\\x02\\x00\\x00\\x00\\x00\\x00:\\x00<\\x00\\xfc\\x7f\\x00\\x00\\x00= N\\x92\\x02\\x00\\x00\\x12\\x00\\x14\\x00\\x00\\x00\\x00\\x00(= N\\x92\\x02\\x00\\x00\\xec\\xa2\\x00\\x00\\x06\\x00\\xff\\xff\\x00\\xc2\\x13x\\xfc\\x7f\\x00\\x00P\\xf0\\x1fN\\x92\\x02\\x00\\x00\\xe0\\x01\\xa9T\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 199
          },
          {
            "timestamp": "2026-05-28 22:01:57,146",
            "thread_id": "1496",
            "caller": "0x7ffc756de76a",
            "parentcaller": "0x7ffc6b962b64",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc77fd0000"
              }
            ],
            "repeated": 0,
            "id": 200
          },
          {
            "timestamp": "2026-05-28 22:01:57,146",
            "thread_id": "1496",
            "caller": "0x7ffc756eac31",
            "parentcaller": "0x7ffc6b96291e",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc77fd0000"
              },
              {
                "name": "FunctionName",
                "value": "RtlRegisterFeatureConfigurationChangeNotification"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc77fd93b0"
              }
            ],
            "repeated": 0,
            "id": 201
          },
          {
            "timestamp": "2026-05-28 22:01:57,146",
            "thread_id": "1496",
            "caller": "0x7ffc756eac31",
            "parentcaller": "0x7ffc6b962a4d",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc77fd0000"
              },
              {
                "name": "FunctionName",
                "value": "NtQueryWnfStateData"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc7806fc40"
              }
            ],
            "repeated": 0,
            "id": 202
          },
          {
            "timestamp": "2026-05-28 22:01:57,146",
            "thread_id": "1496",
            "caller": "0x7ffc756eac31",
            "parentcaller": "0x7ffc6b962ac5",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc77fd0000"
              },
              {
                "name": "FunctionName",
                "value": "RtlSubscribeWnfStateChangeNotification"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc78012460"
              }
            ],
            "repeated": 0,
            "id": 203
          },
          {
            "timestamp": "2026-05-28 22:01:57,146",
            "thread_id": "1496",
            "caller": "0x7ffc756eac31",
            "parentcaller": "0x7ffc6b9628ca",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc77fd0000"
              },
              {
                "name": "FunctionName",
                "value": "RtlDisownModuleHeapAllocation"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc7804fa30"
              }
            ],
            "repeated": 0,
            "id": 204
          },
          {
            "timestamp": "2026-05-28 22:01:57,146",
            "thread_id": "1496",
            "caller": "0x7ffc756eac31",
            "parentcaller": "0x7ffc6b962703",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc77fd0000"
              },
              {
                "name": "FunctionName",
                "value": "RtlQueryFeatureConfiguration"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc7802cbd0"
              }
            ],
            "repeated": 0,
            "id": 205
          },
          {
            "timestamp": "2026-05-28 22:01:57,146",
            "thread_id": "1496",
            "caller": "0x7ffc756eac31",
            "parentcaller": "0x7ffc6b962867",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc77fd0000"
              },
              {
                "name": "FunctionName",
                "value": "RtlDllShutdownInProgress"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc78033410"
              }
            ],
            "repeated": 0,
            "id": 206
          },
          {
            "timestamp": "2026-05-28 22:01:57,146",
            "thread_id": "1496",
            "caller": "0x7ffc756ded78",
            "parentcaller": "0x7ffc6b964b66",
            "category": "synchronization",
            "api": "NtCreateMutant",
            "status": true,
            "return": "0x40000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000264"
              },
              {
                "name": "MutexName",
                "value": "Local\\SM0:7912:304:WilStaging_02"
              },
              {
                "name": "InitialOwner",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 207
          },
          {
            "timestamp": "2026-05-28 22:01:57,146",
            "thread_id": "1496",
            "caller": "0x7ffc756d30ce",
            "parentcaller": "0x7ffc6b965002",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000264"
              },
              {
                "name": "Milliseconds",
                "value": "18446744073709551615"
              },
              {
                "name": "Status",
                "value": "Infinite"
              }
            ],
            "repeated": 0,
            "id": 208
          },
          {
            "timestamp": "2026-05-28 22:01:57,146",
            "thread_id": "1496",
            "caller": "0x7ffc756d30ce",
            "parentcaller": "0x7ffc6b964eb9",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 209
          },
          {
            "timestamp": "2026-05-28 22:01:57,146",
            "thread_id": "1496",
            "caller": "0x7ffc756d30ce",
            "parentcaller": "0x7ffc6b964eb9",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000268"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 210
          },
          {
            "timestamp": "2026-05-28 22:01:57,146",
            "thread_id": "1496",
            "caller": "0x7ffc756d30ce",
            "parentcaller": "0x7ffc6b964eb9",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 211
          },
          {
            "timestamp": "2026-05-28 22:01:57,146",
            "thread_id": "1496",
            "caller": "0x7ffc756d30ce",
            "parentcaller": "0x7ffc6b964eb9",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000026c"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 212
          },
          {
            "timestamp": "2026-05-28 22:01:57,146",
            "thread_id": "1496",
            "caller": "0x7ffc756e6785",
            "parentcaller": "0x7ffc6b9671bb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000026c"
              }
            ],
            "repeated": 0,
            "id": 213
          },
          {
            "timestamp": "2026-05-28 22:01:57,146",
            "thread_id": "1496",
            "caller": "0x7ffc756e6785",
            "parentcaller": "0x7ffc6b9671bb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000268"
              }
            ],
            "repeated": 0,
            "id": 214
          },
          {
            "timestamp": "2026-05-28 22:01:57,146",
            "thread_id": "1496",
            "caller": "0x7ffc756ddd5d",
            "parentcaller": "0x7ffc6b967213",
            "category": "synchronization",
            "api": "NtReleaseMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000264"
              }
            ],
            "repeated": 0,
            "id": 215
          },
          {
            "timestamp": "2026-05-28 22:01:57,146",
            "thread_id": "1496",
            "caller": "0x7ffc756e6785",
            "parentcaller": "0x7ffc6b9671bb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000264"
              }
            ],
            "repeated": 0,
            "id": 216
          },
          {
            "timestamp": "2026-05-28 22:01:57,146",
            "thread_id": "1496",
            "caller": "0x7ffc756eac31",
            "parentcaller": "0x7ffc6b966141",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": false,
            "return": "0xffffffffc0000139",
            "pretty_return": "ENTRYPOINT_NOT_FOUND",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "taskmgr.exe"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ff6c28b0000"
              },
              {
                "name": "FunctionName",
                "value": "D3D12SDKVersion"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 217
          },
          {
            "timestamp": "2026-05-28 22:01:57,146",
            "thread_id": "1496",
            "caller": "0x7ffc756eac31",
            "parentcaller": "0x7ffc6b966141",
            "category": "system",
            "api": "LdrpCallInitRoutine",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "MappedPath",
                "value": "\\Device\\HarddiskVolume2\\Windows\\System32\\D3D12"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc6b960000"
              },
              {
                "name": "InitRoutine",
                "value": "0x7ffc6b967b30"
              },
              {
                "name": "Reason",
                "value": "1"
              }
            ],
            "repeated": 0,
            "id": 218
          },
          {
            "timestamp": "2026-05-28 22:01:57,146",
            "thread_id": "1496",
            "caller": "0x7ffc7804507d",
            "parentcaller": "0x7ffc78044c43",
            "category": "threading",
            "api": "NtTestAlert",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 219
          },
          {
            "timestamp": "2026-05-28 22:01:57,146",
            "thread_id": "1496",
            "caller": "0x00000000",
            "parentcaller": "0x00000000",
            "category": "threading",
            "api": "RtlUserThreadStart",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "StartAddress",
                "value": "0x7ff6c28e00f0"
              },
              {
                "name": "Parameter",
                "value": "0xf09d85c000"
              }
            ],
            "repeated": 0,
            "id": 220
          },
          {
            "timestamp": "2026-05-28 22:01:57,162",
            "thread_id": "1496",
            "caller": "0x7ff6c28dff02",
            "parentcaller": "0x7ff6c28dffcb",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2924e225000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 221
          },
          {
            "timestamp": "2026-05-28 22:01:57,162",
            "thread_id": "1496",
            "caller": "0x7ff6c28e2fb9",
            "parentcaller": "0x7ff6c28dffcb",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "api-ms-win-core-synch-l1-2-0.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc756b0000"
              }
            ],
            "repeated": 0,
            "id": 222
          },
          {
            "timestamp": "2026-05-28 22:01:57,162",
            "thread_id": "1496",
            "caller": "0x7ff6c28e2fec",
            "parentcaller": "0x7ff6c28dffcb",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "KERNELBASE.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc756b0000"
              },
              {
                "name": "FunctionName",
                "value": "InitializeConditionVariable"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc78039f40"
              }
            ],
            "repeated": 0,
            "id": 223
          },
          {
            "timestamp": "2026-05-28 22:01:57,162",
            "thread_id": "1496",
            "caller": "0x7ff6c28e3000",
            "parentcaller": "0x7ff6c28dffcb",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "KERNELBASE.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc756b0000"
              },
              {
                "name": "FunctionName",
                "value": "SleepConditionVariableCS"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc75723890"
              }
            ],
            "repeated": 0,
            "id": 224
          },
          {
            "timestamp": "2026-05-28 22:01:57,162",
            "thread_id": "1496",
            "caller": "0x7ff6c28dff59",
            "parentcaller": "0x7ff6c28dffec",
            "category": "hooking",
            "api": "SetUnhandledExceptionFilter",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ExceptionFilter",
                "value": "0x7ff6c28e0730"
              }
            ],
            "repeated": 0,
            "id": 225
          },
          {
            "timestamp": "2026-05-28 22:01:57,162",
            "thread_id": "4708",
            "caller": "0x7ffc7804507d",
            "parentcaller": "0x7ffc78044c43",
            "category": "threading",
            "api": "NtTestAlert",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 226
          },
          {
            "timestamp": "2026-05-28 22:01:57,162",
            "thread_id": "4708",
            "caller": "0x00000000",
            "parentcaller": "0x00000000",
            "category": "threading",
            "api": "RtlUserThreadStart",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "StartAddress",
                "value": "0x7ffc33bb1ed0"
              },
              {
                "name": "Parameter",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 227
          },
          {
            "timestamp": "2026-05-28 22:01:57,162",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6676",
            "parentcaller": "0x7ff6c28d500e",
            "category": "device",
            "api": "NtPowerInformation",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "InformationLevel",
                "value": "46"
              },
              {
                "name": "InputBuffer",
                "value": "\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": "\\x00\\x00\\x00\\x00f\\x0e\\x00\\x00f\\x0e\\x00\\x00f\\x0e\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00f\\x0e\\x00\\x00f\\x0e\\x00\\x00f\\x0e\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 228
          },
          {
            "timestamp": "2026-05-28 22:01:57,162",
            "thread_id": "1496",
            "caller": "0x7ff6c28db7c8",
            "parentcaller": "0x7ff6c28db4ed",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc77fd0000"
              }
            ],
            "repeated": 0,
            "id": 229
          },
          {
            "timestamp": "2026-05-28 22:01:57,162",
            "thread_id": "1496",
            "caller": "0x7ff6c28db4fe",
            "parentcaller": "0x7ff6c28db56a",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc77fd0000"
              },
              {
                "name": "FunctionName",
                "value": "RtlRegisterFeatureConfigurationChangeNotification"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc77fd93b0"
              }
            ],
            "repeated": 0,
            "id": 230
          },
          {
            "timestamp": "2026-05-28 22:01:57,162",
            "thread_id": "3956",
            "caller": "0x7ffc77fde715",
            "parentcaller": "0x7ffc77fde37b",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2924e226000"
              },
              {
                "name": "RegionSize",
                "value": "0x00005000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 231
          },
          {
            "timestamp": "2026-05-28 22:01:57,162",
            "thread_id": "1496",
            "caller": "0x7ff6c28db782",
            "parentcaller": "0x7ff6c28db60d",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc77fd0000"
              },
              {
                "name": "FunctionName",
                "value": "NtQueryWnfStateData"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc7806fc40"
              }
            ],
            "repeated": 0,
            "id": 232
          },
          {
            "timestamp": "2026-05-28 22:01:57,162",
            "thread_id": "1496",
            "caller": "0x7ff6c28db6b2",
            "parentcaller": "0x7ff6c28db641",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc77fd0000"
              },
              {
                "name": "FunctionName",
                "value": "RtlSubscribeWnfStateChangeNotification"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc78012460"
              }
            ],
            "repeated": 0,
            "id": 233
          },
          {
            "timestamp": "2026-05-28 22:01:57,162",
            "thread_id": "1496",
            "caller": "0x7ff6c28db2f3",
            "parentcaller": "0x7ff6c28daf08",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc77fd0000"
              },
              {
                "name": "FunctionName",
                "value": "RtlQueryFeatureConfiguration"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc7802cbd0"
              }
            ],
            "repeated": 0,
            "id": 234
          },
          {
            "timestamp": "2026-05-28 22:01:57,162",
            "thread_id": "1496",
            "caller": "0x7ff6c28d8539",
            "parentcaller": "0x7ff6c28b8c3e",
            "category": "synchronization",
            "api": "NtCreateMutant",
            "status": true,
            "return": "0x40000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000274"
              },
              {
                "name": "MutexName",
                "value": "Local\\SM0:7912:304:WilStaging_02"
              },
              {
                "name": "InitialOwner",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 235
          },
          {
            "timestamp": "2026-05-28 22:01:57,162",
            "thread_id": "1496",
            "caller": "0x7ff6c28d8df4",
            "parentcaller": "0x7ff6c28d8568",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000274"
              },
              {
                "name": "Milliseconds",
                "value": "18446744073709551615"
              },
              {
                "name": "Status",
                "value": "Infinite"
              }
            ],
            "repeated": 0,
            "id": 236
          },
          {
            "timestamp": "2026-05-28 22:01:57,162",
            "thread_id": "3956",
            "caller": "0x7ffc7804507d",
            "parentcaller": "0x7ffc78044c43",
            "category": "threading",
            "api": "NtTestAlert",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 237
          },
          {
            "timestamp": "2026-05-28 22:01:57,162",
            "thread_id": "3956",
            "caller": "0x00000000",
            "parentcaller": "0x00000000",
            "category": "threading",
            "api": "RtlUserThreadStart",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "StartAddress",
                "value": "0x7ffc33bb1a00"
              },
              {
                "name": "Parameter",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 238
          },
          {
            "timestamp": "2026-05-28 22:01:57,162",
            "thread_id": "1496",
            "caller": "0x7ff6c28d8d39",
            "parentcaller": "0x7ff6c28d8b03",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 239
          },
          {
            "timestamp": "2026-05-28 22:01:57,162",
            "thread_id": "1496",
            "caller": "0x7ff6c28d8d39",
            "parentcaller": "0x7ff6c28d8b03",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000278"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 240
          },
          {
            "timestamp": "2026-05-28 22:01:57,162",
            "thread_id": "1496",
            "caller": "0x7ff6c28d8d39",
            "parentcaller": "0x7ff6c28d8bba",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 241
          },
          {
            "timestamp": "2026-05-28 22:01:57,162",
            "thread_id": "1496",
            "caller": "0x7ff6c28d8d39",
            "parentcaller": "0x7ff6c28d8bba",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000027c"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 242
          },
          {
            "timestamp": "2026-05-28 22:01:57,162",
            "thread_id": "1496",
            "caller": "0x7ff6c28df03f",
            "parentcaller": "0x7ff6c28d8bcc",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000027c"
              }
            ],
            "repeated": 0,
            "id": 243
          },
          {
            "timestamp": "2026-05-28 22:01:57,162",
            "thread_id": "1496",
            "caller": "0x7ff6c28df03f",
            "parentcaller": "0x7ff6c28d8c07",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000278"
              }
            ],
            "repeated": 0,
            "id": 244
          },
          {
            "timestamp": "2026-05-28 22:01:57,162",
            "thread_id": "1496",
            "caller": "0x7ff6c28df2e3",
            "parentcaller": "0x7ff6c28d85b8",
            "category": "synchronization",
            "api": "NtReleaseMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000274"
              }
            ],
            "repeated": 0,
            "id": 245
          },
          {
            "timestamp": "2026-05-28 22:01:57,162",
            "thread_id": "3940",
            "caller": "0x7ffc7804507d",
            "parentcaller": "0x7ffc78044c43",
            "category": "threading",
            "api": "NtTestAlert",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 246
          },
          {
            "timestamp": "2026-05-28 22:01:57,162",
            "thread_id": "3940",
            "caller": "0x00000000",
            "parentcaller": "0x00000000",
            "category": "threading",
            "api": "RtlUserThreadStart",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "StartAddress",
                "value": "0x7ffc33bb1e10"
              },
              {
                "name": "Parameter",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 247
          },
          {
            "timestamp": "2026-05-28 22:01:57,162",
            "thread_id": "1496",
            "caller": "0x7ff6c28df03f",
            "parentcaller": "0x7ff6c28d85c6",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000274"
              }
            ],
            "repeated": 0,
            "id": 248
          },
          {
            "timestamp": "2026-05-28 22:01:57,162",
            "thread_id": "1496",
            "caller": "0x7ff6c28d62ef",
            "parentcaller": "0x7ff6c28d5021",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76722000"
              },
              {
                "name": "ModuleName",
                "value": "SHLWAPI.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 249
          },
          {
            "timestamp": "2026-05-28 22:01:57,162",
            "thread_id": "1496",
            "caller": "0x7ff6c28d62ef",
            "parentcaller": "0x7ff6c28d5021",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76722000"
              },
              {
                "name": "ModuleName",
                "value": "SHLWAPI.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 250
          },
          {
            "timestamp": "2026-05-28 22:01:57,162",
            "thread_id": "1496",
            "caller": "0x7ff6c28d62ef",
            "parentcaller": "0x7ff6c28d5021",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 251
          },
          {
            "timestamp": "2026-05-28 22:01:57,162",
            "thread_id": "4592",
            "caller": "0x7ffc7804507d",
            "parentcaller": "0x7ffc78044c43",
            "category": "threading",
            "api": "NtTestAlert",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 252
          },
          {
            "timestamp": "2026-05-28 22:01:57,162",
            "thread_id": "4592",
            "caller": "0x00000000",
            "parentcaller": "0x00000000",
            "category": "threading",
            "api": "RtlUserThreadStart",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "StartAddress",
                "value": "0x7ffc33bb2030"
              },
              {
                "name": "Parameter",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 253
          },
          {
            "timestamp": "2026-05-28 22:01:57,162",
            "thread_id": "1496",
            "caller": "0x7ff6c28d62ef",
            "parentcaller": "0x7ff6c28d5021",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "`\\xf8v\\x9d\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\xe9\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x87\\x00u8\\xfc\\x7f\\x00\\x00h\\xf9v\\x9d\\xf0\\x00\\x00\\x00`\\x11\\xb73\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x08\\xcc\\xdd3\\xfc\\x7f\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 254
          },
          {
            "timestamp": "2026-05-28 22:01:57,162",
            "thread_id": "1496",
            "caller": "0x7ff6c28d62ef",
            "parentcaller": "0x7ff6c28d5021",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000278"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3968686040-3210279463-847977608-1001"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER"
              }
            ],
            "repeated": 0,
            "id": 255
          },
          {
            "timestamp": "2026-05-28 22:01:57,162",
            "thread_id": "1496",
            "caller": "0x7ff6c28d62ef",
            "parentcaller": "0x7ff6c28d5021",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 256
          },
          {
            "timestamp": "2026-05-28 22:01:57,162",
            "thread_id": "1496",
            "caller": "0x7ff6c28d62ef",
            "parentcaller": "0x7ff6c28d5021",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000278"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 257
          },
          {
            "timestamp": "2026-05-28 22:01:57,162",
            "thread_id": "1496",
            "caller": "0x7ff6c28d62ef",
            "parentcaller": "0x7ff6c28d5021",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000027c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000278"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\TaskManager"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\TaskManager"
              }
            ],
            "repeated": 0,
            "id": 258
          },
          {
            "timestamp": "2026-05-28 22:01:57,162",
            "thread_id": "1496",
            "caller": "0x7ff6c28d62ef",
            "parentcaller": "0x7ff6c28d5021",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000027c"
              },
              {
                "name": "ValueName",
                "value": "StartUpTab"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\TaskManager\\StartUpTab"
              }
            ],
            "repeated": 0,
            "id": 259
          },
          {
            "timestamp": "2026-05-28 22:01:57,162",
            "thread_id": "1496",
            "caller": "0x7ff6c28d62ef",
            "parentcaller": "0x7ff6c28d5021",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000027c"
              }
            ],
            "repeated": 0,
            "id": 260
          },
          {
            "timestamp": "2026-05-28 22:01:57,162",
            "thread_id": "1496",
            "caller": "0x7ff6c28d62ef",
            "parentcaller": "0x7ff6c28d5021",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\TaskManager"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\TaskManager"
              }
            ],
            "repeated": 0,
            "id": 261
          },
          {
            "timestamp": "2026-05-28 22:01:57,162",
            "thread_id": "1496",
            "caller": "0x7ff6c28f80d2",
            "parentcaller": "0x7ff6c28e0076",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "85"
              },
              {
                "name": "ProcessInformation",
                "value": "\\xd0\\xc3\\x98\\xc2\\xf6\\x7f\\x00\\x00\\xf2QA\\xf3\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 262
          },
          {
            "timestamp": "2026-05-28 22:01:57,162",
            "thread_id": "1496",
            "caller": "0x7ff6c28d70fd",
            "parentcaller": "0x7ff6c28d6cdd",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 263
          },
          {
            "timestamp": "2026-05-28 22:01:57,162",
            "thread_id": "1496",
            "caller": "0x7ff6c28d70fd",
            "parentcaller": "0x7ff6c28d6cdd",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000278"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 264
          },
          {
            "timestamp": "2026-05-28 22:01:57,162",
            "thread_id": "1496",
            "caller": "0x7ff6c28d70fd",
            "parentcaller": "0x7ff6c28d6cdd",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000278"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System"
              }
            ],
            "repeated": 0,
            "id": 265
          },
          {
            "timestamp": "2026-05-28 22:01:57,162",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6d29",
            "parentcaller": "0x7ff6c28e0076",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76e57000"
              },
              {
                "name": "ModuleName",
                "value": "SHELL32.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 266
          },
          {
            "timestamp": "2026-05-28 22:01:57,162",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6d29",
            "parentcaller": "0x7ff6c28e0076",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76e57000"
              },
              {
                "name": "ModuleName",
                "value": "SHELL32.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 267
          },
          {
            "timestamp": "2026-05-28 22:01:57,162",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6d29",
            "parentcaller": "0x7ff6c28e0076",
            "category": "misc",
            "api": "CommandLineToArgvW",
            "status": true,
            "return": "0x2924e229010",
            "arguments": [
              {
                "name": "CommandLine",
                "value": "/4"
              },
              {
                "name": "NumArgs",
                "value": "1"
              }
            ],
            "repeated": 0,
            "id": 268
          },
          {
            "timestamp": "2026-05-28 22:01:57,162",
            "thread_id": "1496",
            "caller": "0x7ff6c28d7009",
            "parentcaller": "0x7ff6c28d6d4b",
            "category": "synchronization",
            "api": "NtCreateMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000284"
              },
              {
                "name": "MutexName",
                "value": "Local\\TM.750ce7b0-e5fd-454f-9fad-2f66513dfa1b"
              },
              {
                "name": "InitialOwner",
                "value": "1"
              }
            ],
            "repeated": 0,
            "id": 269
          },
          {
            "timestamp": "2026-05-28 22:01:57,162",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6d71",
            "parentcaller": "0x7ff6c28e0076",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29250f00000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 270
          },
          {
            "timestamp": "2026-05-28 22:01:57,162",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6d71",
            "parentcaller": "0x7ff6c28e0076",
            "category": "synchronization",
            "api": "NtCreateMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000288"
              },
              {
                "name": "MutexName",
                "value": ""
              },
              {
                "name": "InitialOwner",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 271
          },
          {
            "timestamp": "2026-05-28 22:01:57,162",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6d95",
            "parentcaller": "0x7ff6c28e0076",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "Comctl32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc61e00000"
              }
            ],
            "repeated": 0,
            "id": 272
          },
          {
            "timestamp": "2026-05-28 22:01:57,162",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6d95",
            "parentcaller": "0x7ff6c28e0076",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x7ffc61e00000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "Comctl32.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 273
          },
          {
            "timestamp": "2026-05-28 22:01:57,162",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6d95",
            "parentcaller": "0x7ff6c28e0076",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "comctl32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc61e00000"
              }
            ],
            "repeated": 0,
            "id": 274
          },
          {
            "timestamp": "2026-05-28 22:01:57,162",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6d95",
            "parentcaller": "0x7ff6c28e0076",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x7ffc61e00000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "comctl32.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 275
          },
          {
            "timestamp": "2026-05-28 22:01:57,162",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6d95",
            "parentcaller": "0x7ff6c28e0076",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "COMCTL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc61e00000"
              },
              {
                "name": "FunctionName",
                "value": "LoadIconWithScaleDown"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc61e8de70"
              }
            ],
            "repeated": 0,
            "id": 276
          },
          {
            "timestamp": "2026-05-28 22:01:57,178",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6d95",
            "parentcaller": "0x7ff6c28e0076",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2924e22b000"
              },
              {
                "name": "RegionSize",
                "value": "0x00003000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 277
          },
          {
            "timestamp": "2026-05-28 22:01:57,178",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6d95",
            "parentcaller": "0x7ff6c28e0076",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2924e22e000"
              },
              {
                "name": "RegionSize",
                "value": "0x00002000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 278
          },
          {
            "timestamp": "2026-05-28 22:01:57,178",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6db3",
            "parentcaller": "0x7ff6c28e0076",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc60389000"
              },
              {
                "name": "ModuleName",
                "value": "DUI70.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 279
          },
          {
            "timestamp": "2026-05-28 22:01:57,178",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6db3",
            "parentcaller": "0x7ff6c28e0076",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc60389000"
              },
              {
                "name": "ModuleName",
                "value": "DUI70.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 280
          },
          {
            "timestamp": "2026-05-28 22:01:57,178",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6db3",
            "parentcaller": "0x7ff6c28e0076",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc77657000"
              },
              {
                "name": "ModuleName",
                "value": "SHCORE.DLL"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 281
          },
          {
            "timestamp": "2026-05-28 22:01:57,178",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6db3",
            "parentcaller": "0x7ff6c28e0076",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc77657000"
              },
              {
                "name": "ModuleName",
                "value": "SHCORE.DLL"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 282
          },
          {
            "timestamp": "2026-05-28 22:01:57,178",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6db3",
            "parentcaller": "0x7ff6c28e0076",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 283
          },
          {
            "timestamp": "2026-05-28 22:01:57,178",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6db3",
            "parentcaller": "0x7ff6c28e0076",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000000d4"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 284
          },
          {
            "timestamp": "2026-05-28 22:01:57,178",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6db3",
            "parentcaller": "0x7ff6c28e0076",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000000d4"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\DirectUI\\DynamicScaling"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\DirectUI\\DynamicScaling"
              }
            ],
            "repeated": 0,
            "id": 285
          },
          {
            "timestamp": "2026-05-28 22:01:57,178",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6db3",
            "parentcaller": "0x7ff6c28e0076",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc60389000"
              },
              {
                "name": "ModuleName",
                "value": "DUI70.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 286
          },
          {
            "timestamp": "2026-05-28 22:01:57,178",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6db3",
            "parentcaller": "0x7ff6c28e0076",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc60389000"
              },
              {
                "name": "ModuleName",
                "value": "DUI70.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 287
          },
          {
            "timestamp": "2026-05-28 22:01:57,178",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6db3",
            "parentcaller": "0x7ff6c28e0076",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\duser.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc6aa90000"
              }
            ],
            "repeated": 0,
            "id": 288
          },
          {
            "timestamp": "2026-05-28 22:01:57,178",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6db3",
            "parentcaller": "0x7ff6c28e0076",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x7ffc6aa90000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\system32\\DUser.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 289
          },
          {
            "timestamp": "2026-05-28 22:01:57,193",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6db3",
            "parentcaller": "0x7ff6c28e0076",
            "category": "threading",
            "api": "NtCreateThreadEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0x00000290"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "StartAddress",
                "value": "0x7ffc772cafb0"
              },
              {
                "name": "Parameter",
                "value": "0x2924e1e6950"
              },
              {
                "name": "CreateFlags",
                "value": "0x00000001"
              },
              {
                "name": "ThreadId",
                "value": "4692"
              },
              {
                "name": "ProcessId",
                "value": "7912"
              },
              {
                "name": "Module",
                "value": "msvcrt.dll"
              }
            ],
            "repeated": 0,
            "id": 290
          },
          {
            "timestamp": "2026-05-28 22:01:57,193",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6db3",
            "parentcaller": "0x7ff6c28e0076",
            "category": "threading",
            "api": "CreateRemoteThreadEx",
            "status": true,
            "return": "0x00000290",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "StartRoutine",
                "value": "0x7ffc772cafb0"
              },
              {
                "name": "Parameter",
                "value": "0x2924e1e6950"
              },
              {
                "name": "CreationFlags",
                "value": "0x00000000"
              },
              {
                "name": "ThreadId",
                "value": "4692"
              },
              {
                "name": "ProcessId",
                "value": "7912"
              }
            ],
            "repeated": 0,
            "id": 291
          },
          {
            "timestamp": "2026-05-28 22:01:57,193",
            "thread_id": "4692",
            "caller": "0x7ffc77fde715",
            "parentcaller": "0x7ffc77fde37b",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2924e230000"
              },
              {
                "name": "RegionSize",
                "value": "0x00002000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 292
          },
          {
            "timestamp": "2026-05-28 22:01:57,193",
            "thread_id": "4692",
            "caller": "0x7ffc7804507d",
            "parentcaller": "0x7ffc78044c43",
            "category": "threading",
            "api": "NtTestAlert",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 293
          },
          {
            "timestamp": "2026-05-28 22:01:57,193",
            "thread_id": "4692",
            "caller": "0x00000000",
            "parentcaller": "0x00000000",
            "category": "threading",
            "api": "RtlUserThreadStart",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "StartAddress",
                "value": "0x7ffc772cafb0"
              },
              {
                "name": "Parameter",
                "value": "0x2924e1e6950"
              }
            ],
            "repeated": 0,
            "id": 294
          },
          {
            "timestamp": "2026-05-28 22:01:57,193",
            "thread_id": "4692",
            "caller": "0x7ffc77fde715",
            "parentcaller": "0x7ffc77fde37b",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2924e232000"
              },
              {
                "name": "RegionSize",
                "value": "0x00003000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 295
          },
          {
            "timestamp": "2026-05-28 22:01:57,193",
            "thread_id": "4692",
            "caller": "0x7ffc756e56b2",
            "parentcaller": "0x7ffc762c2b57",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\uxtheme.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc730a0000"
              }
            ],
            "repeated": 0,
            "id": 296
          },
          {
            "timestamp": "2026-05-28 22:01:57,193",
            "thread_id": "4692",
            "caller": "0x7ffc756e56b2",
            "parentcaller": "0x7ffc762c2b57",
            "category": "misc",
            "api": "GetSystemMetrics",
            "status": false,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SystemMetricIndex",
                "value": "4096"
              }
            ],
            "repeated": 2,
            "id": 297
          },
          {
            "timestamp": "2026-05-28 22:01:57,193",
            "thread_id": "4692",
            "caller": "0x7ffc78017830",
            "parentcaller": "0x7ffc780020f9",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc77ef9000"
              },
              {
                "name": "ModuleName",
                "value": "GDI32.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 298
          },
          {
            "timestamp": "2026-05-28 22:01:57,193",
            "thread_id": "4692",
            "caller": "0x7ffc78017881",
            "parentcaller": "0x7ffc780020f9",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc77ef9000"
              },
              {
                "name": "ModuleName",
                "value": "GDI32.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 299
          },
          {
            "timestamp": "2026-05-28 22:01:57,193",
            "thread_id": "4692",
            "caller": "0x7ffc6aa9a278",
            "parentcaller": "0x7ffc6aa9a881",
            "category": "misc",
            "api": "GetSystemMetrics",
            "status": false,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SystemMetricIndex",
                "value": "4096"
              }
            ],
            "repeated": 0,
            "id": 300
          },
          {
            "timestamp": "2026-05-28 22:01:57,193",
            "thread_id": "4692",
            "caller": "0x7ffc77fde715",
            "parentcaller": "0x7ffc77fde37b",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2924e235000"
              },
              {
                "name": "RegionSize",
                "value": "0x00002000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 301
          },
          {
            "timestamp": "2026-05-28 22:01:57,193",
            "thread_id": "4692",
            "caller": "0x7ffc6aa9a09b",
            "parentcaller": "0x7ffc6aa9a047",
            "category": "misc",
            "api": "SystemParametersInfoA",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00001042"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 302
          },
          {
            "timestamp": "2026-05-28 22:01:57,193",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6db3",
            "parentcaller": "0x7ff6c28e0076",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "user32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc762a0000"
              }
            ],
            "repeated": 0,
            "id": 303
          },
          {
            "timestamp": "2026-05-28 22:01:57,193",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6db3",
            "parentcaller": "0x7ff6c28e0076",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x7ffc762a0000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "user32.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 304
          },
          {
            "timestamp": "2026-05-28 22:01:57,193",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6db3",
            "parentcaller": "0x7ff6c28e0076",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "USER32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc762a0000"
              },
              {
                "name": "FunctionName",
                "value": "RegisterMessagePumpHook"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc762cbd70"
              }
            ],
            "repeated": 0,
            "id": 305
          },
          {
            "timestamp": "2026-05-28 22:01:57,193",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6db3",
            "parentcaller": "0x7ff6c28e0076",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2924e237000"
              },
              {
                "name": "RegionSize",
                "value": "0x00003000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 306
          },
          {
            "timestamp": "2026-05-28 22:01:57,193",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6db3",
            "parentcaller": "0x7ff6c28e0076",
            "category": "misc",
            "api": "GetSystemMetrics",
            "status": false,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SystemMetricIndex",
                "value": "4096"
              }
            ],
            "repeated": 3,
            "id": 307
          },
          {
            "timestamp": "2026-05-28 22:01:57,193",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6db3",
            "parentcaller": "0x7ff6c28e0076",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2924e23a000"
              },
              {
                "name": "RegionSize",
                "value": "0x00003000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 308
          },
          {
            "timestamp": "2026-05-28 22:01:57,193",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6db3",
            "parentcaller": "0x7ff6c28e0076",
            "category": "misc",
            "api": "SystemParametersInfoA",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00001042"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 309
          },
          {
            "timestamp": "2026-05-28 22:01:57,193",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6db3",
            "parentcaller": "0x7ff6c28e0076",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "Software\\Microsoft\\DirectUI"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\DirectUI"
              }
            ],
            "repeated": 0,
            "id": 310
          },
          {
            "timestamp": "2026-05-28 22:01:57,193",
            "thread_id": "1496",
            "caller": "0x7ff6c28dd762",
            "parentcaller": "0x7ff6c28e0c13",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff6c29dc000"
              },
              {
                "name": "ModuleName",
                "value": "taskmgr.exe"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 311
          },
          {
            "timestamp": "2026-05-28 22:01:57,193",
            "thread_id": "1496",
            "caller": "0x7ff6c28dd762",
            "parentcaller": "0x7ff6c28e0c13",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff6c29dc000"
              },
              {
                "name": "ModuleName",
                "value": "taskmgr.exe"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 312
          },
          {
            "timestamp": "2026-05-28 22:01:57,193",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6dd4",
            "parentcaller": "0x7ff6c28e0076",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": false,
            "return": "0xffffffffc0000135",
            "pretty_return": "DLL_NOT_FOUND",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\system32\\rpcss.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0xf000000040"
              }
            ],
            "repeated": 0,
            "id": 313
          },
          {
            "timestamp": "2026-05-28 22:01:57,193",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6dd4",
            "parentcaller": "0x7ff6c28e0076",
            "category": "misc",
            "api": "NtQuerySystemInformation",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SystemInformationClass",
                "value": "0",
                "pretty_value": "FILE_SUPERSEDE"
              }
            ],
            "repeated": 0,
            "id": 314
          },
          {
            "timestamp": "2026-05-28 22:01:57,193",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6dd4",
            "parentcaller": "0x7ff6c28e0076",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc77ea1000"
              },
              {
                "name": "ModuleName",
                "value": "combase.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 315
          },
          {
            "timestamp": "2026-05-28 22:01:57,193",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6dd4",
            "parentcaller": "0x7ff6c28e0076",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc77ea1000"
              },
              {
                "name": "ModuleName",
                "value": "combase.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 316
          },
          {
            "timestamp": "2026-05-28 22:01:57,193",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6dd4",
            "parentcaller": "0x7ff6c28e0076",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "93"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x7f7\\x9e}"
              }
            ],
            "repeated": 0,
            "id": 317
          },
          {
            "timestamp": "2026-05-28 22:01:57,193",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6dd4",
            "parentcaller": "0x7ff6c28e0076",
            "category": "process",
            "api": "NtOpenSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x000002b8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0000000d"
              },
              {
                "name": "ObjectAttributes",
                "value": "bcryptPrimitives.dll"
              }
            ],
            "repeated": 0,
            "id": 318
          },
          {
            "timestamp": "2026-05-28 22:01:57,193",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6dd4",
            "parentcaller": "0x7ff6c28e0076",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x000002b8"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc75fa0000"
              },
              {
                "name": "SectionOffset",
                "value": "0x00000000"
              },
              {
                "name": "ViewSize",
                "value": "0x00082000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000080",
                "pretty_value": "PAGE_EXECUTE_WRITECOPY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 319
          },
          {
            "timestamp": "2026-05-28 22:01:57,193",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6dd4",
            "parentcaller": "0x7ff6c28e0076",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76007000"
              },
              {
                "name": "ModuleName",
                "value": "bcryptPrimitives.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 320
          },
          {
            "timestamp": "2026-05-28 22:01:57,193",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6dd4",
            "parentcaller": "0x7ff6c28e0076",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76007000"
              },
              {
                "name": "ModuleName",
                "value": "bcryptPrimitives.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 321
          },
          {
            "timestamp": "2026-05-28 22:01:57,193",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6dd4",
            "parentcaller": "0x7ff6c28e0076",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76007000"
              },
              {
                "name": "ModuleName",
                "value": "bcryptPrimitives.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 322
          },
          {
            "timestamp": "2026-05-28 22:01:57,193",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6dd4",
            "parentcaller": "0x7ff6c28e0076",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76007000"
              },
              {
                "name": "ModuleName",
                "value": "bcryptPrimitives.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 323
          },
          {
            "timestamp": "2026-05-28 22:01:57,193",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6dd4",
            "parentcaller": "0x7ff6c28e0076",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76007000"
              },
              {
                "name": "ModuleName",
                "value": "bcryptPrimitives.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 324
          },
          {
            "timestamp": "2026-05-28 22:01:57,193",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6dd4",
            "parentcaller": "0x7ff6c28e0076",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002b8"
              }
            ],
            "repeated": 0,
            "id": 325
          },
          {
            "timestamp": "2026-05-28 22:01:57,193",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6dd4",
            "parentcaller": "0x7ff6c28e0076",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76007000"
              },
              {
                "name": "ModuleName",
                "value": "bcryptPrimitives.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 326
          },
          {
            "timestamp": "2026-05-28 22:01:57,193",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6dd4",
            "parentcaller": "0x7ff6c28e0076",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\System32\\bcryptPrimitives"
              },
              {
                "name": "DllBase",
                "value": "0x7ffc75fa0000"
              }
            ],
            "repeated": 0,
            "id": 327
          },
          {
            "timestamp": "2026-05-28 22:01:57,193",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6dd4",
            "parentcaller": "0x7ff6c28e0076",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002c0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\System\\CurrentControlSet\\Control\\Lsa\\FipsAlgorithmPolicy"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Lsa\\FipsAlgorithmPolicy"
              }
            ],
            "repeated": 0,
            "id": 328
          },
          {
            "timestamp": "2026-05-28 22:01:57,193",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6dd4",
            "parentcaller": "0x7ff6c28e0076",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002c0"
              },
              {
                "name": "ValueName",
                "value": "STE"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\FipsAlgorithmPolicy\\STE"
              }
            ],
            "repeated": 0,
            "id": 329
          },
          {
            "timestamp": "2026-05-28 22:01:57,193",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6dd4",
            "parentcaller": "0x7ff6c28e0076",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002c0"
              }
            ],
            "repeated": 0,
            "id": 330
          },
          {
            "timestamp": "2026-05-28 22:01:57,193",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6dd4",
            "parentcaller": "0x7ff6c28e0076",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002c0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\System\\CurrentControlSet\\Control\\Lsa\\FipsAlgorithmPolicy"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Lsa\\FipsAlgorithmPolicy"
              }
            ],
            "repeated": 0,
            "id": 331
          },
          {
            "timestamp": "2026-05-28 22:01:57,193",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6dd4",
            "parentcaller": "0x7ff6c28e0076",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002c0"
              },
              {
                "name": "ValueName",
                "value": "Enabled"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\FipsAlgorithmPolicy\\Enabled"
              }
            ],
            "repeated": 0,
            "id": 332
          },
          {
            "timestamp": "2026-05-28 22:01:57,193",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6dd4",
            "parentcaller": "0x7ff6c28e0076",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002c4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\System\\CurrentControlSet\\Control\\Lsa"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Lsa"
              }
            ],
            "repeated": 0,
            "id": 333
          },
          {
            "timestamp": "2026-05-28 22:01:57,193",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6dd4",
            "parentcaller": "0x7ff6c28e0076",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002c4"
              },
              {
                "name": "ValueName",
                "value": "FipsAlgorithmPolicy"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\FipsAlgorithmPolicy"
              }
            ],
            "repeated": 0,
            "id": 334
          },
          {
            "timestamp": "2026-05-28 22:01:57,193",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6dd4",
            "parentcaller": "0x7ff6c28e0076",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002c0"
              },
              {
                "name": "ValueName",
                "value": "MDMEnabled"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\FipsAlgorithmPolicy\\MDMEnabled"
              }
            ],
            "repeated": 0,
            "id": 335
          },
          {
            "timestamp": "2026-05-28 22:01:57,193",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6dd4",
            "parentcaller": "0x7ff6c28e0076",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002c0"
              }
            ],
            "repeated": 0,
            "id": 336
          },
          {
            "timestamp": "2026-05-28 22:01:57,193",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6dd4",
            "parentcaller": "0x7ff6c28e0076",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002c4"
              }
            ],
            "repeated": 0,
            "id": 337
          },
          {
            "timestamp": "2026-05-28 22:01:57,193",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6dd4",
            "parentcaller": "0x7ff6c28e0076",
            "category": "registry",
            "api": "NtOpenKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\SYSTEM\\CurrentControlSet\\Policies\\Microsoft\\Cryptography\\Configuration"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Policies\\Microsoft\\Cryptography\\Configuration"
              }
            ],
            "repeated": 0,
            "id": 338
          },
          {
            "timestamp": "2026-05-28 22:01:57,193",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6dd4",
            "parentcaller": "0x7ff6c28e0076",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000002c4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100001",
                "pretty_value": "FILE_READ_ACCESS|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "\\Device\\CNG"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 339
          },
          {
            "timestamp": "2026-05-28 22:01:57,193",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6dd4",
            "parentcaller": "0x7ff6c28e0076",
            "category": "device",
            "api": "DeviceIoControl",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "DeviceHandle",
                "value": "0x000002c4"
              },
              {
                "name": "IoControlCode",
                "value": "0x00390008",
                "pretty_value": "IOCTL_KSEC_RANDOM_FILL_BUFFER"
              },
              {
                "name": "InBuffer",
                "value": ""
              },
              {
                "name": "OutBuffer",
                "value": "\\x9f2\\xcc<\\xc79\\xd7\\x898\\xdb\\xb0Q\\xf2ST&D\\xb0>\\xc9\\x07.(aY\\xca\\xf9o.\\xe2\\xae'\\x99\\xbc\\xf4\\xe7\\xbdC\\xcc)\\x80'\\xe3\\xdfv\\x96\\x8e\\xa1"
              }
            ],
            "repeated": 0,
            "id": 340
          },
          {
            "timestamp": "2026-05-28 22:01:57,193",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6dd4",
            "parentcaller": "0x7ff6c28e0076",
            "category": "system",
            "api": "LdrpCallInitRoutine",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "MappedPath",
                "value": "\\Device\\HarddiskVolume2\\Windows\\System32\\bcryptprimitives"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc75fa0000"
              },
              {
                "name": "InitRoutine",
                "value": "0x7ffc75fd8b60"
              },
              {
                "name": "Reason",
                "value": "1"
              }
            ],
            "repeated": 0,
            "id": 341
          },
          {
            "timestamp": "2026-05-28 22:01:57,193",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6dd4",
            "parentcaller": "0x7ff6c28e0076",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc771be000"
              },
              {
                "name": "ModuleName",
                "value": "RPCRT4.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 342
          },
          {
            "timestamp": "2026-05-28 22:01:57,193",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6dd4",
            "parentcaller": "0x7ff6c28e0076",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc771be000"
              },
              {
                "name": "ModuleName",
                "value": "RPCRT4.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 343
          },
          {
            "timestamp": "2026-05-28 22:01:57,193",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6dd4",
            "parentcaller": "0x7ff6c28e0076",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2924e23d000"
              },
              {
                "name": "RegionSize",
                "value": "0x00006000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 344
          },
          {
            "timestamp": "2026-05-28 22:01:57,193",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6dd4",
            "parentcaller": "0x7ff6c28e0076",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc77ea1000"
              },
              {
                "name": "ModuleName",
                "value": "combase.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 345
          },
          {
            "timestamp": "2026-05-28 22:01:57,193",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6dd4",
            "parentcaller": "0x7ff6c28e0076",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc77ea1000"
              },
              {
                "name": "ModuleName",
                "value": "combase.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 346
          },
          {
            "timestamp": "2026-05-28 22:01:57,193",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6e14",
            "parentcaller": "0x7ff6c28e0076",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\System32\\clbcatq"
              },
              {
                "name": "DllBase",
                "value": "0x7ffc765f0000"
              }
            ],
            "repeated": 0,
            "id": 347
          },
          {
            "timestamp": "2026-05-28 22:01:57,193",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6e14",
            "parentcaller": "0x7ff6c28e0076",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "0000034B-0000-0000-C000-000000000046"
              },
              {
                "name": "ClsContext",
                "value": "0x00000001",
                "pretty_value": "CLSCTX_INPROC_SERVER"
              },
              {
                "name": "riid",
                "value": "0000015B-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 348
          },
          {
            "timestamp": "2026-05-28 22:01:57,193",
            "thread_id": "1496",
            "caller": "0x7ff6c28b617e",
            "parentcaller": "0x7ff6c28d6e4f",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "10"
              },
              {
                "name": "TokenInformation",
                "value": "j\\xc4\t\\x00\\x00\\x00\\x00\\x00]Y\\x02\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x7f\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x94\\x0f\\x00\\x00\\x0e\\x00\\x00\\x00\\x18\\x00\\x00\\x00\\xbcY\\x02\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 349
          },
          {
            "timestamp": "2026-05-28 22:01:57,193",
            "thread_id": "1496",
            "caller": "0x7ff6c28b617e",
            "parentcaller": "0x7ff6c28d6e4f",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002f4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\System\\CurrentControlSet\\Control\\Nls\\CustomLocale"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Nls\\CustomLocale"
              }
            ],
            "repeated": 0,
            "id": 350
          },
          {
            "timestamp": "2026-05-28 22:01:57,193",
            "thread_id": "1496",
            "caller": "0x7ff6c28b617e",
            "parentcaller": "0x7ff6c28d6e4f",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002f4"
              },
              {
                "name": "ValueName",
                "value": "en-AU"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\en-AU"
              }
            ],
            "repeated": 0,
            "id": 351
          },
          {
            "timestamp": "2026-05-28 22:01:57,193",
            "thread_id": "1496",
            "caller": "0x7ff6c28b617e",
            "parentcaller": "0x7ff6c28d6e4f",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002f4"
              }
            ],
            "repeated": 0,
            "id": 352
          },
          {
            "timestamp": "2026-05-28 22:01:57,193",
            "thread_id": "1496",
            "caller": "0x7ff6c28b617e",
            "parentcaller": "0x7ff6c28d6e4f",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002f4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\System\\CurrentControlSet\\Control\\Nls\\ExtendedLocale"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Nls\\ExtendedLocale"
              }
            ],
            "repeated": 0,
            "id": 353
          },
          {
            "timestamp": "2026-05-28 22:01:57,193",
            "thread_id": "1496",
            "caller": "0x7ff6c28b617e",
            "parentcaller": "0x7ff6c28d6e4f",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002f4"
              },
              {
                "name": "ValueName",
                "value": "en-AU"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\ExtendedLocale\\en-AU"
              }
            ],
            "repeated": 0,
            "id": 354
          },
          {
            "timestamp": "2026-05-28 22:01:57,193",
            "thread_id": "1496",
            "caller": "0x7ff6c28b617e",
            "parentcaller": "0x7ff6c28d6e4f",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002f4"
              }
            ],
            "repeated": 0,
            "id": 355
          },
          {
            "timestamp": "2026-05-28 22:01:57,193",
            "thread_id": "1496",
            "caller": "0x7ff6c28b8345",
            "parentcaller": "0x7ff6c28b6258",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2924e1b0000"
              },
              {
                "name": "RegionSize",
                "value": "0x0000f000"
              }
            ],
            "repeated": 0,
            "id": 356
          },
          {
            "timestamp": "2026-05-28 22:01:57,193",
            "thread_id": "1496",
            "caller": "0x7ff6c28b8345",
            "parentcaller": "0x7ff6c28b6258",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000000cc"
              }
            ],
            "repeated": 0,
            "id": 357
          },
          {
            "timestamp": "2026-05-28 22:01:57,193",
            "thread_id": "1496",
            "caller": "0x7ff6c28b8345",
            "parentcaller": "0x7ff6c28b6258",
            "category": "registry",
            "api": "NtOpenKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\en-US"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\en-US"
              }
            ],
            "repeated": 0,
            "id": 358
          },
          {
            "timestamp": "2026-05-28 22:01:57,193",
            "thread_id": "1496",
            "caller": "0x7ff6c28b8345",
            "parentcaller": "0x7ff6c28b6258",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000000cc"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100001",
                "pretty_value": "FILE_READ_ACCESS|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\en-US\\taskmgr.exe.mui"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 359
          },
          {
            "timestamp": "2026-05-28 22:01:57,193",
            "thread_id": "1496",
            "caller": "0x7ff6c28b8345",
            "parentcaller": "0x7ff6c28b6258",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x000002f4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x000000cc"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\en-US\\Taskmgr.exe.mui"
              }
            ],
            "repeated": 0,
            "id": 360
          },
          {
            "timestamp": "2026-05-28 22:01:57,193",
            "thread_id": "1496",
            "caller": "0x7ff6c28b8345",
            "parentcaller": "0x7ff6c28b6258",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x000002f4"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2924e1b0000"
              },
              {
                "name": "SectionOffset",
                "value": "0xf09d76ea90"
              },
              {
                "name": "ViewSize",
                "value": "0x0000f000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 361
          },
          {
            "timestamp": "2026-05-28 22:01:57,193",
            "thread_id": "1496",
            "caller": "0x7ff6c28b8345",
            "parentcaller": "0x7ff6c28b6258",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002f4"
              }
            ],
            "repeated": 0,
            "id": 362
          },
          {
            "timestamp": "2026-05-28 22:01:57,193",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6212",
            "parentcaller": "0x7ff6c28d6e5b",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 363
          },
          {
            "timestamp": "2026-05-28 22:01:57,193",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6212",
            "parentcaller": "0x7ff6c28d6e5b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000278"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 364
          },
          {
            "timestamp": "2026-05-28 22:01:57,193",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6212",
            "parentcaller": "0x7ff6c28d6e5b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002f4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000278"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\TaskManager"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\TaskManager"
              }
            ],
            "repeated": 0,
            "id": 365
          },
          {
            "timestamp": "2026-05-28 22:01:57,193",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6212",
            "parentcaller": "0x7ff6c28d6e5b",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002f4"
              },
              {
                "name": "ValueName",
                "value": "Preferences"
              },
              {
                "name": "Data",
                "value": "\r\\x00\\x00\\x00`\\x00\\x00\\x00`\\x00\\x00\\x00\\x82\\x00\\x00\\x00\\x82\\x00\\x00\\x00\\xfd\\x01\\x00\\x00\\xf6\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x80\\x00\\x00\\x00\\x80\\xd8\\x01\\x00\\x80\\xdf\\x01\\x00\\x80\\x00\\x01\\x00\\x01\\xc1\\x01\\x00\\x00,\\x01\\x00\\x00i\\x04\\x00\\x00\\x84\\x03\\x00\\x00\\xe8\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x0f\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00X\\xaa\\xbe\\x14\\xf7\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xea\\x00\\x00\\x00\\x1e\\x00\\x00\\x00\\x89\\x90\\x00\\x00\\x00\\x00\\x00\\x00\\xff\\x00\\x00\\x00\\x01\\x01P\\x02\\x00\\x00\\x00\\x00\r\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x98\\xaa\\xbe\\x14\\xf7\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\x96\\x00\\x00\\x00\\x1e\\x00\\x00\\x00\\x8b\\x90\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x10\\x01\\x00\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb0\\xaa\\xbe\\x14\\xf7\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xffx\\x00\\x00\\x00\\x1e\\x00\\x00\\x00\\x8c\\x90\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x02\\x12\\x00\\x00\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xc8\\xaa\\xbe\\x14\\xf7\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\x96\\x00\\x00\\x00\\x1e\\x00\\x00\\x00\\x8d\\x90\\x00\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x10\\x01\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xe8\\xaa\\xbe\\x14\\xf7\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff2\\x00\\x00\\x00\\x1e\\x00\\x00\\x00\\x8a\\x90\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x08 
\\x01\\x00\\x00\\x00\\x00\\x05\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xab\\xbe\\x14\\xf7\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xc8\\x00\\x00\\x00\\x1e\\x00\\x00\\x00\\x8e\\x90\\x00\\x00\\x05\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x10\\x01\\x00\\x00\\x00\\x00\\x06\\x00\\x00\\x00\\x00\\x00\\x00\\x00(\\xab\\xbe\\x14\\xf7\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\x04\\x01\\x00\\x00\\x1e\\x00\\x00\\x00\\x8f\\x90\\x00\\x00\\x06\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x10\\x01\\x00\\x00\\x00\\x00\\x07\\x00\\x00\\x00\\x00\\x00\\x00\\x00P\\xab\\xbe\\x14\\xf7\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xffI\\x00\\x00\\x00"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\TaskManager\\Preferences"
              }
            ],
            "repeated": 0,
            "id": 366
          },
          {
            "timestamp": "2026-05-28 22:01:57,193",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6212",
            "parentcaller": "0x7ff6c28d6e5b",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002f4"
              }
            ],
            "repeated": 0,
            "id": 367
          },
          {
            "timestamp": "2026-05-28 22:01:57,193",
            "thread_id": "1496",
            "caller": "0x7ff6c28d624b",
            "parentcaller": "0x7ff6c28d6e5b",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000001",
                "pretty_value": "HKEY_CURRENT_USER"
              },
              {
                "name": "SubKey",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\TaskManager"
              },
              {
                "name": "Handle",
                "value": "0x000002f4"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\TaskManager"
              }
            ],
            "repeated": 0,
            "id": 368
          },
          {
            "timestamp": "2026-05-28 22:01:57,193",
            "thread_id": "1496",
            "caller": "0x7ff6c28f79c0",
            "parentcaller": "0x7ff6c28d6e5b",
            "category": "registry",
            "api": "RegDeleteValueW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002f4"
              },
              {
                "name": "ValueName",
                "value": "Preferences"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\TaskManager\\Preferences"
              }
            ],
            "repeated": 0,
            "id": 369
          },
          {
            "timestamp": "2026-05-28 22:01:57,193",
            "thread_id": "1496",
            "caller": "0x7ff6c28f7900",
            "parentcaller": "0x7ff6c28f79d0",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002f4"
              }
            ],
            "repeated": 0,
            "id": 370
          },
          {
            "timestamp": "2026-05-28 22:01:57,193",
            "thread_id": "1496",
            "caller": "0x7ff6c28f7a86",
            "parentcaller": "0x7ff6c28d6e5b",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 371
          },
          {
            "timestamp": "2026-05-28 22:01:57,193",
            "thread_id": "1496",
            "caller": "0x7ff6c28f7a86",
            "parentcaller": "0x7ff6c28d6e5b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000278"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 372
          },
          {
            "timestamp": "2026-05-28 22:01:57,193",
            "thread_id": "1496",
            "caller": "0x7ff6c28f7a86",
            "parentcaller": "0x7ff6c28d6e5b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002f4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000278"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\TaskManager"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\TaskManager"
              }
            ],
            "repeated": 0,
            "id": 373
          },
          {
            "timestamp": "2026-05-28 22:01:57,193",
            "thread_id": "1496",
            "caller": "0x7ff6c28f7a86",
            "parentcaller": "0x7ff6c28d6e5b",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002f4"
              },
              {
                "name": "ValueName",
                "value": "UseStatusSetting"
              },
              {
                "name": "Data",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\TaskManager\\UseStatusSetting"
              }
            ],
            "repeated": 0,
            "id": 374
          },
          {
            "timestamp": "2026-05-28 22:01:57,193",
            "thread_id": "1496",
            "caller": "0x7ff6c28f7a86",
            "parentcaller": "0x7ff6c28d6e5b",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002f4"
              }
            ],
            "repeated": 0,
            "id": 375
          },
          {
            "timestamp": "2026-05-28 22:01:57,193",
            "thread_id": "1496",
            "caller": "0x7ff6c28d62ef",
            "parentcaller": "0x7ff6c28d5071",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000001",
                "pretty_value": "HKEY_CURRENT_USER"
              },
              {
                "name": "SubKey",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\TaskManager"
              },
              {
                "name": "Handle",
                "value": "0x000002f4"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\TaskManager"
              }
            ],
            "repeated": 0,
            "id": 376
          },
          {
            "timestamp": "2026-05-28 22:01:57,209",
            "thread_id": "1496",
            "caller": "0x7ff6c28d62ef",
            "parentcaller": "0x7ff6c28d5071",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002f4"
              },
              {
                "name": "ValueName",
                "value": "StartUpTab"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\TaskManager\\StartUpTab"
              }
            ],
            "repeated": 0,
            "id": 377
          },
          {
            "timestamp": "2026-05-28 22:01:57,209",
            "thread_id": "1496",
            "caller": "0x7ff6c28d62ef",
            "parentcaller": "0x7ff6c28d5071",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002f4"
              }
            ],
            "repeated": 0,
            "id": 378
          },
          {
            "timestamp": "2026-05-28 22:01:57,209",
            "thread_id": "1496",
            "caller": "0x7ff6c28d62ef",
            "parentcaller": "0x7ff6c28d5071",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\TaskManager"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\TaskManager"
              }
            ],
            "repeated": 0,
            "id": 379
          },
          {
            "timestamp": "2026-05-28 22:01:57,209",
            "thread_id": "1496",
            "caller": "0x7ff6c28c9e90",
            "parentcaller": "0x7ff6c28d507f",
            "category": "misc",
            "api": "NtQuerySystemInformation",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SystemInformationClass",
                "value": "182"
              }
            ],
            "repeated": 0,
            "id": 380
          },
          {
            "timestamp": "2026-05-28 22:01:57,209",
            "thread_id": "1496",
            "caller": "0x7ff6c28db42b",
            "parentcaller": "0x7ff6c28b8cce",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc77fd0000"
              },
              {
                "name": "FunctionName",
                "value": "RtlDllShutdownInProgress"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc78033410"
              }
            ],
            "repeated": 0,
            "id": 381
          },
          {
            "timestamp": "2026-05-28 22:01:57,209",
            "thread_id": "1496",
            "caller": "0x7ff6c28db4aa",
            "parentcaller": "0x7ff6c28b96f1",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc77fd0000"
              },
              {
                "name": "FunctionName",
                "value": "RtlDisownModuleHeapAllocation"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc7804fa30"
              }
            ],
            "repeated": 0,
            "id": 382
          },
          {
            "timestamp": "2026-05-28 22:01:57,209",
            "thread_id": "1496",
            "caller": "0x7ff6c28b5287",
            "parentcaller": "0x7ff6c28b510e",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002f4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\SideBySide"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\SideBySide"
              }
            ],
            "repeated": 0,
            "id": 383
          },
          {
            "timestamp": "2026-05-28 22:01:57,209",
            "thread_id": "1496",
            "caller": "0x7ff6c28b5287",
            "parentcaller": "0x7ff6c28b510e",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002f4"
              },
              {
                "name": "ValueName",
                "value": "PreferExternalManifest"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\SideBySide\\PreferExternalManifest"
              }
            ],
            "repeated": 0,
            "id": 384
          },
          {
            "timestamp": "2026-05-28 22:01:57,209",
            "thread_id": "1496",
            "caller": "0x7ff6c28b5287",
            "parentcaller": "0x7ff6c28b510e",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002f4"
              }
            ],
            "repeated": 0,
            "id": 385
          },
          {
            "timestamp": "2026-05-28 22:01:57,209",
            "thread_id": "1496",
            "caller": "0x7ff6c28b5287",
            "parentcaller": "0x7ff6c28b510e",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x001200a9",
                "pretty_value": "FILE_GENERIC_READ|FILE_GENERIC_EXECUTE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\taskmgr.exe.3.Manifest"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 386
          },
          {
            "timestamp": "2026-05-28 22:01:57,209",
            "thread_id": "1496",
            "caller": "0x7ff6c28b531c",
            "parentcaller": "0x7ff6c28b510e",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "Comctl32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc61e00000"
              }
            ],
            "repeated": 0,
            "id": 387
          },
          {
            "timestamp": "2026-05-28 22:01:57,209",
            "thread_id": "1496",
            "caller": "0x7ff6c28b531c",
            "parentcaller": "0x7ff6c28b510e",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x7ffc61e00000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "Comctl32.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 388
          },
          {
            "timestamp": "2026-05-28 22:01:57,209",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6bed",
            "parentcaller": "0x7ff6c28d4a12",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002f4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\System\\CurrentControlSet\\Control\\Nls\\CustomLocale"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Nls\\CustomLocale"
              }
            ],
            "repeated": 0,
            "id": 389
          },
          {
            "timestamp": "2026-05-28 22:01:57,209",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6bed",
            "parentcaller": "0x7ff6c28d4a12",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002f4"
              },
              {
                "name": "ValueName",
                "value": "en-US"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\en-US"
              }
            ],
            "repeated": 0,
            "id": 390
          },
          {
            "timestamp": "2026-05-28 22:01:57,209",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6bed",
            "parentcaller": "0x7ff6c28d4a12",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002f4"
              }
            ],
            "repeated": 0,
            "id": 391
          },
          {
            "timestamp": "2026-05-28 22:01:57,209",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6bed",
            "parentcaller": "0x7ff6c28d4a12",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002f4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\System\\CurrentControlSet\\Control\\Nls\\ExtendedLocale"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Nls\\ExtendedLocale"
              }
            ],
            "repeated": 0,
            "id": 392
          },
          {
            "timestamp": "2026-05-28 22:01:57,209",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6bed",
            "parentcaller": "0x7ff6c28d4a12",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002f4"
              },
              {
                "name": "ValueName",
                "value": "en-US"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\ExtendedLocale\\en-US"
              }
            ],
            "repeated": 0,
            "id": 393
          },
          {
            "timestamp": "2026-05-28 22:01:57,209",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6bed",
            "parentcaller": "0x7ff6c28d4a12",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002f4"
              }
            ],
            "repeated": 0,
            "id": 394
          },
          {
            "timestamp": "2026-05-28 22:01:57,209",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4ad8",
            "parentcaller": "0x7ff6c28d6ebc",
            "category": "misc",
            "api": "FindResourceExW",
            "status": true,
            "return": "0x2924e1b1768",
            "arguments": [
              {
                "name": "Module",
                "value": "0x7ff6c28b0000"
              },
              {
                "name": "Type",
                "value": "#4"
              },
              {
                "name": "Name",
                "value": "#30205"
              },
              {
                "name": "Language",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 395
          },
          {
            "timestamp": "2026-05-28 22:01:57,209",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4ad8",
            "parentcaller": "0x7ff6c28d6ebc",
            "category": "misc",
            "api": "LoadResource",
            "status": true,
            "return": "0x2924e1b2620",
            "arguments": [
              {
                "name": "Module",
                "value": "0x7ff6c28b0000"
              },
              {
                "name": "ResourceInfo",
                "value": "0x2924e1b1768"
              }
            ],
            "repeated": 0,
            "id": 396
          },
          {
            "timestamp": "2026-05-28 22:01:57,209",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4ad8",
            "parentcaller": "0x7ff6c28d6ebc",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "93"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x7f7\\x9e}"
              }
            ],
            "repeated": 0,
            "id": 397
          },
          {
            "timestamp": "2026-05-28 22:01:57,209",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4ad8",
            "parentcaller": "0x7ff6c28d6ebc",
            "category": "process",
            "api": "NtOpenSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x000002f4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0000000d"
              },
              {
                "name": "ObjectAttributes",
                "value": "MSCTF.dll"
              }
            ],
            "repeated": 0,
            "id": 398
          },
          {
            "timestamp": "2026-05-28 22:01:57,209",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4ad8",
            "parentcaller": "0x7ff6c28d6ebc",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x000002f4"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc77400000"
              },
              {
                "name": "SectionOffset",
                "value": "0x00000000"
              },
              {
                "name": "ViewSize",
                "value": "0x00114000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000080",
                "pretty_value": "PAGE_EXECUTE_WRITECOPY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 399
          },
          {
            "timestamp": "2026-05-28 22:01:57,209",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4ad8",
            "parentcaller": "0x7ff6c28d6ebc",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc77510000"
              },
              {
                "name": "ModuleName",
                "value": "MSCTF.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 400
          },
          {
            "timestamp": "2026-05-28 22:01:57,209",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4ad8",
            "parentcaller": "0x7ff6c28d6ebc",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc774dc000"
              },
              {
                "name": "ModuleName",
                "value": "MSCTF.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 401
          },
          {
            "timestamp": "2026-05-28 22:01:57,209",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4ad8",
            "parentcaller": "0x7ff6c28d6ebc",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc774dc000"
              },
              {
                "name": "ModuleName",
                "value": "MSCTF.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 402
          },
          {
            "timestamp": "2026-05-28 22:01:57,209",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4ad8",
            "parentcaller": "0x7ff6c28d6ebc",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc774dc000"
              },
              {
                "name": "ModuleName",
                "value": "MSCTF.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 403
          },
          {
            "timestamp": "2026-05-28 22:01:57,209",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4ad8",
            "parentcaller": "0x7ff6c28d6ebc",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc774dc000"
              },
              {
                "name": "ModuleName",
                "value": "MSCTF.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 404
          },
          {
            "timestamp": "2026-05-28 22:01:57,209",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4ad8",
            "parentcaller": "0x7ff6c28d6ebc",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc774db000"
              },
              {
                "name": "ModuleName",
                "value": "MSCTF.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00002000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 405
          },
          {
            "timestamp": "2026-05-28 22:01:57,209",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4ad8",
            "parentcaller": "0x7ff6c28d6ebc",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002f4"
              }
            ],
            "repeated": 0,
            "id": 406
          },
          {
            "timestamp": "2026-05-28 22:01:57,209",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4ad8",
            "parentcaller": "0x7ff6c28d6ebc",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc774db000"
              },
              {
                "name": "ModuleName",
                "value": "MSCTF.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00002000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 407
          },
          {
            "timestamp": "2026-05-28 22:01:57,209",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4ad8",
            "parentcaller": "0x7ff6c28d6ebc",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "35"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x06\\x00\\x00\\x00\\x0f\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\\\x00W\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00S\\x00\\\\x00a\\x00m\\x00\\x02\\x00\\x00\\x004\\x00_\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00o\\x00s\\x00o\\x00f\\x00\\x02\\x00\\x00\\x00w\\x00i\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00s\\x00.\\x00c\\x00o\\x00\\x02\\x00\\x00\\x00o\\x00n\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00t\\x00r\\x00o\\x00l\\x00\\x02\\x00\\x00\\x006\\x005\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x004\\x001\\x004\\x004\\x00\\x02\\x00\\x00\\x00f\\x001\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00.\\x000\\x00.\\x001\\x00"
              }
            ],
            "repeated": 0,
            "id": 408
          },
          {
            "timestamp": "2026-05-28 22:01:57,209",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4ad8",
            "parentcaller": "0x7ff6c28d6ebc",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\System32\\MSCTF"
              },
              {
                "name": "DllBase",
                "value": "0x7ffc77400000"
              }
            ],
            "repeated": 0,
            "id": 409
          },
          {
            "timestamp": "2026-05-28 22:01:57,209",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4ad8",
            "parentcaller": "0x7ff6c28d6ebc",
            "category": "system",
            "api": "LdrpCallInitRoutine",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "MappedPath",
                "value": "\\Device\\HarddiskVolume2\\Windows\\System32\\msctf"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc77400000"
              },
              {
                "name": "InitRoutine",
                "value": "0x7ffc77440760"
              },
              {
                "name": "Reason",
                "value": "1"
              }
            ],
            "repeated": 0,
            "id": 410
          },
          {
            "timestamp": "2026-05-28 22:01:57,209",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4ad8",
            "parentcaller": "0x7ff6c28d6ebc",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc766c9000"
              },
              {
                "name": "ModuleName",
                "value": "IMM32.DLL"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 411
          },
          {
            "timestamp": "2026-05-28 22:01:57,209",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4ad8",
            "parentcaller": "0x7ff6c28d6ebc",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc766c9000"
              },
              {
                "name": "ModuleName",
                "value": "IMM32.DLL"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 412
          },
          {
            "timestamp": "2026-05-28 22:01:57,209",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4ad8",
            "parentcaller": "0x7ff6c28d6ebc",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002fc"
              }
            ],
            "repeated": 0,
            "id": 413
          },
          {
            "timestamp": "2026-05-28 22:01:57,209",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4ad8",
            "parentcaller": "0x7ff6c28d6ebc",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000300"
              }
            ],
            "repeated": 0,
            "id": 414
          },
          {
            "timestamp": "2026-05-28 22:01:57,209",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4ad8",
            "parentcaller": "0x7ff6c28d6ebc",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc766c9000"
              },
              {
                "name": "ModuleName",
                "value": "IMM32.DLL"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 415
          },
          {
            "timestamp": "2026-05-28 22:01:57,209",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4ad8",
            "parentcaller": "0x7ff6c28d6ebc",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc766c9000"
              },
              {
                "name": "ModuleName",
                "value": "IMM32.DLL"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 416
          },
          {
            "timestamp": "2026-05-28 22:01:57,209",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4ad8",
            "parentcaller": "0x7ff6c28d6ebc",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc77ef8000"
              },
              {
                "name": "ModuleName",
                "value": "GDI32.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 417
          },
          {
            "timestamp": "2026-05-28 22:01:57,209",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4ad8",
            "parentcaller": "0x7ff6c28d6ebc",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc77ef8000"
              },
              {
                "name": "ModuleName",
                "value": "GDI32.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 418
          },
          {
            "timestamp": "2026-05-28 22:01:57,209",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4ccf",
            "parentcaller": "0x7ff6c28d4ad8",
            "category": "process",
            "api": "NtOpenSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000300"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000004"
              },
              {
                "name": "ObjectAttributes",
                "value": "\\Sessions\\1\\Windows\\ThemeSection"
              }
            ],
            "repeated": 0,
            "id": 419
          },
          {
            "timestamp": "2026-05-28 22:01:57,209",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4ccf",
            "parentcaller": "0x7ff6c28d4ad8",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000300"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29250f50000"
              },
              {
                "name": "SectionOffset",
                "value": "0xf09d76e300"
              },
              {
                "name": "ViewSize",
                "value": "0x00001000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 420
          },
          {
            "timestamp": "2026-05-28 22:01:57,209",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4ccf",
            "parentcaller": "0x7ff6c28d4ad8",
            "category": "process",
            "api": "NtOpenSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x000002fc"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000004"
              },
              {
                "name": "ObjectAttributes",
                "value": "\\Windows\\Theme3891648643"
              }
            ],
            "repeated": 0,
            "id": 421
          },
          {
            "timestamp": "2026-05-28 22:01:57,209",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4ccf",
            "parentcaller": "0x7ff6c28d4ad8",
            "category": "process",
            "api": "NtOpenSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000304"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000004"
              },
              {
                "name": "ObjectAttributes",
                "value": "\\Sessions\\1\\Windows\\Theme276644042"
              }
            ],
            "repeated": 0,
            "id": 422
          },
          {
            "timestamp": "2026-05-28 22:01:57,209",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4ccf",
            "parentcaller": "0x7ff6c28d4ad8",
            "category": "process",
            "api": "NtUnmapViewOfSectionEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29250f50000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Flags",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 423
          },
          {
            "timestamp": "2026-05-28 22:01:57,209",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4ccf",
            "parentcaller": "0x7ff6c28d4ad8",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000300"
              }
            ],
            "repeated": 0,
            "id": 424
          },
          {
            "timestamp": "2026-05-28 22:01:57,209",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4ccf",
            "parentcaller": "0x7ff6c28d4ad8",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x000002fc"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x292513a0000"
              },
              {
                "name": "SectionOffset",
                "value": "0xf09d76ea20"
              },
              {
                "name": "ViewSize",
                "value": "0x000e2000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 425
          },
          {
            "timestamp": "2026-05-28 22:01:57,209",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4ccf",
            "parentcaller": "0x7ff6c28d4ad8",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000304"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29250f50000"
              },
              {
                "name": "SectionOffset",
                "value": "0xf09d76ea20"
              },
              {
                "name": "ViewSize",
                "value": "0x00004000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 426
          },
          {
            "timestamp": "2026-05-28 22:01:57,209",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4ccf",
            "parentcaller": "0x7ff6c28d4ad8",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc77fd0000"
              }
            ],
            "repeated": 0,
            "id": 427
          },
          {
            "timestamp": "2026-05-28 22:01:57,209",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4ccf",
            "parentcaller": "0x7ff6c28d4ad8",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc77fd0000"
              },
              {
                "name": "FunctionName",
                "value": "RtlRegisterFeatureConfigurationChangeNotification"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc77fd93b0"
              }
            ],
            "repeated": 0,
            "id": 428
          },
          {
            "timestamp": "2026-05-28 22:01:57,209",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4ccf",
            "parentcaller": "0x7ff6c28d4ad8",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc77fd0000"
              },
              {
                "name": "FunctionName",
                "value": "NtQueryWnfStateData"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc7806fc40"
              }
            ],
            "repeated": 0,
            "id": 429
          },
          {
            "timestamp": "2026-05-28 22:01:57,209",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4ccf",
            "parentcaller": "0x7ff6c28d4ad8",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc77fd0000"
              },
              {
                "name": "FunctionName",
                "value": "RtlSubscribeWnfStateChangeNotification"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc78012460"
              }
            ],
            "repeated": 0,
            "id": 430
          },
          {
            "timestamp": "2026-05-28 22:01:57,209",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4ccf",
            "parentcaller": "0x7ff6c28d4ad8",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc77fd0000"
              },
              {
                "name": "FunctionName",
                "value": "RtlDisownModuleHeapAllocation"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc7804fa30"
              }
            ],
            "repeated": 0,
            "id": 431
          },
          {
            "timestamp": "2026-05-28 22:01:57,209",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4ccf",
            "parentcaller": "0x7ff6c28d4ad8",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc77fd0000"
              },
              {
                "name": "FunctionName",
                "value": "RtlQueryFeatureConfiguration"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc7802cbd0"
              }
            ],
            "repeated": 0,
            "id": 432
          },
          {
            "timestamp": "2026-05-28 22:01:57,209",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4ccf",
            "parentcaller": "0x7ff6c28d4ad8",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc77fd0000"
              },
              {
                "name": "FunctionName",
                "value": "RtlDllShutdownInProgress"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc78033410"
              }
            ],
            "repeated": 0,
            "id": 433
          },
          {
            "timestamp": "2026-05-28 22:01:57,209",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4ccf",
            "parentcaller": "0x7ff6c28d4ad8",
            "category": "synchronization",
            "api": "NtCreateMutant",
            "status": true,
            "return": "0x40000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000300"
              },
              {
                "name": "MutexName",
                "value": "Local\\SM0:7912:304:WilStaging_02"
              },
              {
                "name": "InitialOwner",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 434
          },
          {
            "timestamp": "2026-05-28 22:01:57,209",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4ccf",
            "parentcaller": "0x7ff6c28d4ad8",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000300"
              },
              {
                "name": "Milliseconds",
                "value": "18446744073709551615"
              },
              {
                "name": "Status",
                "value": "Infinite"
              }
            ],
            "repeated": 0,
            "id": 435
          },
          {
            "timestamp": "2026-05-28 22:01:57,209",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4ccf",
            "parentcaller": "0x7ff6c28d4ad8",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 436
          },
          {
            "timestamp": "2026-05-28 22:01:57,209",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4ccf",
            "parentcaller": "0x7ff6c28d4ad8",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000308"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 437
          },
          {
            "timestamp": "2026-05-28 22:01:57,209",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4ccf",
            "parentcaller": "0x7ff6c28d4ad8",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 438
          },
          {
            "timestamp": "2026-05-28 22:01:57,209",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4ccf",
            "parentcaller": "0x7ff6c28d4ad8",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000030c"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 439
          },
          {
            "timestamp": "2026-05-28 22:01:57,209",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4ccf",
            "parentcaller": "0x7ff6c28d4ad8",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000030c"
              }
            ],
            "repeated": 0,
            "id": 440
          },
          {
            "timestamp": "2026-05-28 22:01:57,209",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4ccf",
            "parentcaller": "0x7ff6c28d4ad8",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000308"
              }
            ],
            "repeated": 0,
            "id": 441
          },
          {
            "timestamp": "2026-05-28 22:01:57,209",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4ccf",
            "parentcaller": "0x7ff6c28d4ad8",
            "category": "synchronization",
            "api": "NtReleaseMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000300"
              }
            ],
            "repeated": 0,
            "id": 442
          },
          {
            "timestamp": "2026-05-28 22:01:57,209",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4ccf",
            "parentcaller": "0x7ff6c28d4ad8",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000300"
              }
            ],
            "repeated": 0,
            "id": 443
          },
          {
            "timestamp": "2026-05-28 22:01:57,209",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4ccf",
            "parentcaller": "0x7ff6c28d4ccf",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29251492000"
              },
              {
                "name": "RegionSize",
                "value": "0x00002000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 444
          },
          {
            "timestamp": "2026-05-28 22:01:57,209",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4ccf",
            "parentcaller": "0x7ff6c28d4ccf",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000308"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000009",
                "pretty_value": "KEY_QUERY_VALUE|KEY_ENUMERATE_SUB_KEYS"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\SYSTEM\\CurrentControlSet\\Control\\Session Manager"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Session Manager"
              }
            ],
            "repeated": 0,
            "id": 445
          },
          {
            "timestamp": "2026-05-28 22:01:57,209",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4ccf",
            "parentcaller": "0x7ff6c28d4ccf",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000308"
              },
              {
                "name": "ValueName",
                "value": "ResourcePolicies"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Session Manager\\ResourcePolicies"
              }
            ],
            "repeated": 0,
            "id": 446
          },
          {
            "timestamp": "2026-05-28 22:01:57,209",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4ccf",
            "parentcaller": "0x7ff6c28d4ccf",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000308"
              }
            ],
            "repeated": 0,
            "id": 447
          },
          {
            "timestamp": "2026-05-28 22:01:57,209",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4ccf",
            "parentcaller": "0x7ff6c28d4ccf",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29250f60000"
              },
              {
                "name": "RegionSize",
                "value": "0x0000d000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 448
          },
          {
            "timestamp": "2026-05-28 22:01:57,209",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4ccf",
            "parentcaller": "0x7ff6c28d4ccf",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29250f60000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 449
          },
          {
            "timestamp": "2026-05-28 22:01:57,209",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4ccf",
            "parentcaller": "0x7ff6c28d4ccf",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29251494000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 450
          },
          {
            "timestamp": "2026-05-28 22:01:57,209",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4ccf",
            "parentcaller": "0x7ff6c28d4ccf",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29251495000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 451
          },
          {
            "timestamp": "2026-05-28 22:01:57,209",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4ccf",
            "parentcaller": "0x7ff6c28d4ccf",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc77ef8000"
              },
              {
                "name": "ModuleName",
                "value": "GDI32.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 452
          },
          {
            "timestamp": "2026-05-28 22:01:57,209",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4ccf",
            "parentcaller": "0x7ff6c28d4ccf",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc77ef8000"
              },
              {
                "name": "ModuleName",
                "value": "GDI32.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 453
          },
          {
            "timestamp": "2026-05-28 22:01:57,209",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4ccf",
            "parentcaller": "0x7ff6c28d4ccf",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc77ef8000"
              },
              {
                "name": "ModuleName",
                "value": "GDI32.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 454
          },
          {
            "timestamp": "2026-05-28 22:01:57,209",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4ccf",
            "parentcaller": "0x7ff6c28d4ccf",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc77ef8000"
              },
              {
                "name": "ModuleName",
                "value": "GDI32.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 455
          },
          {
            "timestamp": "2026-05-28 22:01:57,209",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4ccf",
            "parentcaller": "0x7ff6c28d4ccf",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc77ef8000"
              },
              {
                "name": "ModuleName",
                "value": "GDI32.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 456
          },
          {
            "timestamp": "2026-05-28 22:01:57,209",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4ccf",
            "parentcaller": "0x7ff6c28d4ccf",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc77ef8000"
              },
              {
                "name": "ModuleName",
                "value": "GDI32.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 457
          },
          {
            "timestamp": "2026-05-28 22:01:57,225",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4ccf",
            "parentcaller": "0x7ff6c28d4ccf",
            "category": "system",
            "api": "GetUserDefaultLCID",
            "status": true,
            "return": "0x00000c09",
            "arguments": [
              {
                "name": "SystemDefaultLangID",
                "value": "0x00000c09"
              },
              {
                "name": "LanguageName",
                "value": "English (Australia)"
              }
            ],
            "repeated": 0,
            "id": 458
          },
          {
            "timestamp": "2026-05-28 22:01:57,225",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4ccf",
            "parentcaller": "0x7ff6c28d4ccf",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2924e245000"
              },
              {
                "name": "RegionSize",
                "value": "0x00005000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 459
          },
          {
            "timestamp": "2026-05-28 22:01:57,225",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4ccf",
            "parentcaller": "0x7ff6c28d4ccf",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2924e24a000"
              },
              {
                "name": "RegionSize",
                "value": "0x00005000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 460
          },
          {
            "timestamp": "2026-05-28 22:01:57,225",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4ccf",
            "parentcaller": "0x7ff6c28d4ccf",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontLink\\SystemLink"
              },
              {
                "name": "Handle",
                "value": "0x00000308"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontLink\\SystemLink"
              }
            ],
            "repeated": 0,
            "id": 461
          },
          {
            "timestamp": "2026-05-28 22:01:57,240",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4ccf",
            "parentcaller": "0x7ff6c28d4ccf",
            "category": "registry",
            "api": "RegQueryInfoKeyW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000308"
              },
              {
                "name": "Class",
                "value": ""
              },
              {
                "name": "SubKeyCount",
                "value": "0"
              },
              {
                "name": "MaxSubKeyLength",
                "value": "0"
              },
              {
                "name": "MaxClassLength",
                "value": "0"
              },
              {
                "name": "ValueCount",
                "value": "67"
              },
              {
                "name": "MaxValueNameLength",
                "value": "27"
              },
              {
                "name": "MaxValueLength",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 462
          },
          {
            "timestamp": "2026-05-28 22:01:57,240",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4ccf",
            "parentcaller": "0x7ff6c28d4ccf",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2924e24f000"
              },
              {
                "name": "RegionSize",
                "value": "0x00003000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 463
          },
          {
            "timestamp": "2026-05-28 22:01:57,240",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4ccf",
            "parentcaller": "0x7ff6c28d4ccf",
            "category": "registry",
            "api": "RegEnumValueW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000308"
              },
              {
                "name": "Index",
                "value": "0"
              },
              {
                "name": "ValueName",
                "value": "Lucida Sans Unicode"
              },
              {
                "name": "Type",
                "value": "7",
                "pretty_value": "REG_MULTI_SZ"
              },
              {
                "name": "DataLength",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontLink\\SystemLink\\Lucida Sans Unicode"
              }
            ],
            "repeated": 0,
            "id": 464
          },
          {
            "timestamp": "2026-05-28 22:01:57,240",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4ccf",
            "parentcaller": "0x7ff6c28d4ccf",
            "category": "registry",
            "api": "RegEnumValueW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000308"
              },
              {
                "name": "Index",
                "value": "1"
              },
              {
                "name": "ValueName",
                "value": "Microsoft Sans Serif"
              },
              {
                "name": "Type",
                "value": "7",
                "pretty_value": "REG_MULTI_SZ"
              },
              {
                "name": "DataLength",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontLink\\SystemLink\\Microsoft Sans Serif"
              }
            ],
            "repeated": 0,
            "id": 465
          },
          {
            "timestamp": "2026-05-28 22:01:57,240",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4ccf",
            "parentcaller": "0x7ff6c28d4ccf",
            "category": "registry",
            "api": "RegEnumValueW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000308"
              },
              {
                "name": "Index",
                "value": "2"
              },
              {
                "name": "ValueName",
                "value": "Tahoma"
              },
              {
                "name": "Type",
                "value": "7",
                "pretty_value": "REG_MULTI_SZ"
              },
              {
                "name": "DataLength",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontLink\\SystemLink\\Tahoma"
              }
            ],
            "repeated": 0,
            "id": 466
          },
          {
            "timestamp": "2026-05-28 22:01:57,240",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4ccf",
            "parentcaller": "0x7ff6c28d4ccf",
            "category": "registry",
            "api": "RegEnumValueW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000308"
              },
              {
                "name": "Index",
                "value": "3"
              },
              {
                "name": "ValueName",
                "value": "Segoe UI"
              },
              {
                "name": "Type",
                "value": "7",
                "pretty_value": "REG_MULTI_SZ"
              },
              {
                "name": "DataLength",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontLink\\SystemLink\\Segoe UI"
              }
            ],
            "repeated": 0,
            "id": 467
          },
          {
            "timestamp": "2026-05-28 22:01:57,240",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4ccf",
            "parentcaller": "0x7ff6c28d4ccf",
            "category": "registry",
            "api": "RegEnumValueW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000308"
              },
              {
                "name": "Index",
                "value": "4"
              },
              {
                "name": "ValueName",
                "value": "Segoe UI Bold"
              },
              {
                "name": "Type",
                "value": "7",
                "pretty_value": "REG_MULTI_SZ"
              },
              {
                "name": "DataLength",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontLink\\SystemLink\\Segoe UI Bold"
              }
            ],
            "repeated": 0,
            "id": 468
          },
          {
            "timestamp": "2026-05-28 22:01:57,240",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4ccf",
            "parentcaller": "0x7ff6c28d4ccf",
            "category": "registry",
            "api": "RegEnumValueW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000308"
              },
              {
                "name": "Index",
                "value": "5"
              },
              {
                "name": "ValueName",
                "value": "Segoe UI Light"
              },
              {
                "name": "Type",
                "value": "7",
                "pretty_value": "REG_MULTI_SZ"
              },
              {
                "name": "DataLength",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontLink\\SystemLink\\Segoe UI Light"
              }
            ],
            "repeated": 0,
            "id": 469
          },
          {
            "timestamp": "2026-05-28 22:01:57,240",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4ccf",
            "parentcaller": "0x7ff6c28d4ccf",
            "category": "registry",
            "api": "RegEnumValueW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000308"
              },
              {
                "name": "Index",
                "value": "6"
              },
              {
                "name": "ValueName",
                "value": "Segoe UI Semilight"
              },
              {
                "name": "Type",
                "value": "7",
                "pretty_value": "REG_MULTI_SZ"
              },
              {
                "name": "DataLength",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontLink\\SystemLink\\Segoe UI Semilight"
              }
            ],
            "repeated": 0,
            "id": 470
          },
          {
            "timestamp": "2026-05-28 22:01:57,240",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4ccf",
            "parentcaller": "0x7ff6c28d4ccf",
            "category": "registry",
            "api": "RegEnumValueW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000308"
              },
              {
                "name": "Index",
                "value": "7"
              },
              {
                "name": "ValueName",
                "value": "Segoe UI Semibold"
              },
              {
                "name": "Type",
                "value": "7",
                "pretty_value": "REG_MULTI_SZ"
              },
              {
                "name": "DataLength",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontLink\\SystemLink\\Segoe UI Semibold"
              }
            ],
            "repeated": 0,
            "id": 471
          },
          {
            "timestamp": "2026-05-28 22:01:57,240",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4ccf",
            "parentcaller": "0x7ff6c28d4ccf",
            "category": "registry",
            "api": "RegEnumValueW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000308"
              },
              {
                "name": "Index",
                "value": "8"
              },
              {
                "name": "ValueName",
                "value": "Ebrima"
              },
              {
                "name": "Type",
                "value": "7",
                "pretty_value": "REG_MULTI_SZ"
              },
              {
                "name": "DataLength",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontLink\\SystemLink\\Ebrima"
              }
            ],
            "repeated": 0,
            "id": 472
          },
          {
            "timestamp": "2026-05-28 22:01:57,240",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4ccf",
            "parentcaller": "0x7ff6c28d4ccf",
            "category": "registry",
            "api": "RegEnumValueW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000308"
              },
              {
                "name": "Index",
                "value": "9"
              },
              {
                "name": "ValueName",
                "value": "Ebrima Bold"
              },
              {
                "name": "Type",
                "value": "7",
                "pretty_value": "REG_MULTI_SZ"
              },
              {
                "name": "DataLength",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontLink\\SystemLink\\Ebrima Bold"
              }
            ],
            "repeated": 0,
            "id": 473
          },
          {
            "timestamp": "2026-05-28 22:01:57,240",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4ccf",
            "parentcaller": "0x7ff6c28d4ccf",
            "category": "registry",
            "api": "RegEnumValueW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000308"
              },
              {
                "name": "Index",
                "value": "10"
              },
              {
                "name": "ValueName",
                "value": "Gadugi"
              },
              {
                "name": "Type",
                "value": "7",
                "pretty_value": "REG_MULTI_SZ"
              },
              {
                "name": "DataLength",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontLink\\SystemLink\\Gadugi"
              }
            ],
            "repeated": 0,
            "id": 474
          },
          {
            "timestamp": "2026-05-28 22:01:57,240",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4ccf",
            "parentcaller": "0x7ff6c28d4ccf",
            "category": "registry",
            "api": "RegEnumValueW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000308"
              },
              {
                "name": "Index",
                "value": "11"
              },
              {
                "name": "ValueName",
                "value": "Gadugi Bold"
              },
              {
                "name": "Type",
                "value": "7",
                "pretty_value": "REG_MULTI_SZ"
              },
              {
                "name": "DataLength",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontLink\\SystemLink\\Gadugi Bold"
              }
            ],
            "repeated": 0,
            "id": 475
          },
          {
            "timestamp": "2026-05-28 22:01:57,240",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4ccf",
            "parentcaller": "0x7ff6c28d4ccf",
            "category": "registry",
            "api": "RegEnumValueW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000308"
              },
              {
                "name": "Index",
                "value": "12"
              },
              {
                "name": "ValueName",
                "value": "Khmer UI"
              },
              {
                "name": "Type",
                "value": "7",
                "pretty_value": "REG_MULTI_SZ"
              },
              {
                "name": "DataLength",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontLink\\SystemLink\\Khmer UI"
              }
            ],
            "repeated": 0,
            "id": 476
          },
          {
            "timestamp": "2026-05-28 22:01:57,240",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4ccf",
            "parentcaller": "0x7ff6c28d4ccf",
            "category": "registry",
            "api": "RegEnumValueW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000308"
              },
              {
                "name": "Index",
                "value": "13"
              },
              {
                "name": "ValueName",
                "value": "Khmer UI Bold"
              },
              {
                "name": "Type",
                "value": "7",
                "pretty_value": "REG_MULTI_SZ"
              },
              {
                "name": "DataLength",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontLink\\SystemLink\\Khmer UI Bold"
              }
            ],
            "repeated": 0,
            "id": 477
          },
          {
            "timestamp": "2026-05-28 22:01:57,240",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4ccf",
            "parentcaller": "0x7ff6c28d4ccf",
            "category": "registry",
            "api": "RegEnumValueW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000308"
              },
              {
                "name": "Index",
                "value": "14"
              },
              {
                "name": "ValueName",
                "value": "Lao UI"
              },
              {
                "name": "Type",
                "value": "7",
                "pretty_value": "REG_MULTI_SZ"
              },
              {
                "name": "DataLength",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontLink\\SystemLink\\Lao UI"
              }
            ],
            "repeated": 0,
            "id": 478
          },
          {
            "timestamp": "2026-05-28 22:01:57,240",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4ccf",
            "parentcaller": "0x7ff6c28d4ccf",
            "category": "registry",
            "api": "RegEnumValueW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000308"
              },
              {
                "name": "Index",
                "value": "15"
              },
              {
                "name": "ValueName",
                "value": "Lao UI Bold"
              },
              {
                "name": "Type",
                "value": "7",
                "pretty_value": "REG_MULTI_SZ"
              },
              {
                "name": "DataLength",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontLink\\SystemLink\\Lao UI Bold"
              }
            ],
            "repeated": 0,
            "id": 479
          },
          {
            "timestamp": "2026-05-28 22:01:57,240",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4ccf",
            "parentcaller": "0x7ff6c28d4ccf",
            "category": "registry",
            "api": "RegEnumValueW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000308"
              },
              {
                "name": "Index",
                "value": "16"
              },
              {
                "name": "ValueName",
                "value": "Leelawadee"
              },
              {
                "name": "Type",
                "value": "7",
                "pretty_value": "REG_MULTI_SZ"
              },
              {
                "name": "DataLength",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontLink\\SystemLink\\Leelawadee"
              }
            ],
            "repeated": 0,
            "id": 480
          },
          {
            "timestamp": "2026-05-28 22:01:57,240",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4ccf",
            "parentcaller": "0x7ff6c28d4ccf",
            "category": "registry",
            "api": "RegEnumValueW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000308"
              },
              {
                "name": "Index",
                "value": "17"
              },
              {
                "name": "ValueName",
                "value": "Leelawadee Bold"
              },
              {
                "name": "Type",
                "value": "7",
                "pretty_value": "REG_MULTI_SZ"
              },
              {
                "name": "DataLength",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontLink\\SystemLink\\Leelawadee Bold"
              }
            ],
            "repeated": 0,
            "id": 481
          },
          {
            "timestamp": "2026-05-28 22:01:57,240",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4ccf",
            "parentcaller": "0x7ff6c28d4ccf",
            "category": "registry",
            "api": "RegEnumValueW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000308"
              },
              {
                "name": "Index",
                "value": "18"
              },
              {
                "name": "ValueName",
                "value": "Leelawadee UI"
              },
              {
                "name": "Type",
                "value": "7",
                "pretty_value": "REG_MULTI_SZ"
              },
              {
                "name": "DataLength",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontLink\\SystemLink\\Leelawadee UI"
              }
            ],
            "repeated": 0,
            "id": 482
          },
          {
            "timestamp": "2026-05-28 22:01:57,240",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4ccf",
            "parentcaller": "0x7ff6c28d4ccf",
            "category": "registry",
            "api": "RegEnumValueW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000308"
              },
              {
                "name": "Index",
                "value": "19"
              },
              {
                "name": "ValueName",
                "value": "Leelawadee UI Bold"
              },
              {
                "name": "Type",
                "value": "7",
                "pretty_value": "REG_MULTI_SZ"
              },
              {
                "name": "DataLength",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontLink\\SystemLink\\Leelawadee UI Bold"
              }
            ],
            "repeated": 0,
            "id": 483
          },
          {
            "timestamp": "2026-05-28 22:01:57,240",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4ccf",
            "parentcaller": "0x7ff6c28d4ccf",
            "category": "registry",
            "api": "RegEnumValueW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000308"
              },
              {
                "name": "Index",
                "value": "20"
              },
              {
                "name": "ValueName",
                "value": "Nirmala UI"
              },
              {
                "name": "Type",
                "value": "7",
                "pretty_value": "REG_MULTI_SZ"
              },
              {
                "name": "DataLength",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontLink\\SystemLink\\Nirmala UI"
              }
            ],
            "repeated": 0,
            "id": 484
          },
          {
            "timestamp": "2026-05-28 22:01:57,240",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4ccf",
            "parentcaller": "0x7ff6c28d4ccf",
            "category": "registry",
            "api": "RegEnumValueW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000308"
              },
              {
                "name": "Index",
                "value": "21"
              },
              {
                "name": "ValueName",
                "value": "Nirmala UI Bold"
              },
              {
                "name": "Type",
                "value": "7",
                "pretty_value": "REG_MULTI_SZ"
              },
              {
                "name": "DataLength",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontLink\\SystemLink\\Nirmala UI Bold"
              }
            ],
            "repeated": 0,
            "id": 485
          },
          {
            "timestamp": "2026-05-28 22:01:57,240",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4ccf",
            "parentcaller": "0x7ff6c28d4ccf",
            "category": "registry",
            "api": "RegEnumValueW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000308"
              },
              {
                "name": "Index",
                "value": "22"
              },
              {
                "name": "ValueName",
                "value": "Nirmala UI Semilight"
              },
              {
                "name": "Type",
                "value": "7",
                "pretty_value": "REG_MULTI_SZ"
              },
              {
                "name": "DataLength",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontLink\\SystemLink\\Nirmala UI Semilight"
              }
            ],
            "repeated": 0,
            "id": 486
          },
          {
            "timestamp": "2026-05-28 22:01:57,240",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4ccf",
            "parentcaller": "0x7ff6c28d4ccf",
            "category": "registry",
            "api": "RegEnumValueW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000308"
              },
              {
                "name": "Index",
                "value": "23"
              },
              {
                "name": "ValueName",
                "value": "MingLiU"
              },
              {
                "name": "Type",
                "value": "7",
                "pretty_value": "REG_MULTI_SZ"
              },
              {
                "name": "DataLength",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontLink\\SystemLink\\MingLiU"
              }
            ],
            "repeated": 0,
            "id": 487
          },
          {
            "timestamp": "2026-05-28 22:01:57,240",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4ccf",
            "parentcaller": "0x7ff6c28d4ccf",
            "category": "registry",
            "api": "RegEnumValueW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000308"
              },
              {
                "name": "Index",
                "value": "24"
              },
              {
                "name": "ValueName",
                "value": "PMingLiU"
              },
              {
                "name": "Type",
                "value": "7",
                "pretty_value": "REG_MULTI_SZ"
              },
              {
                "name": "DataLength",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontLink\\SystemLink\\PMingLiU"
              }
            ],
            "repeated": 0,
            "id": 488
          },
          {
            "timestamp": "2026-05-28 22:01:57,240",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4ccf",
            "parentcaller": "0x7ff6c28d4ccf",
            "category": "registry",
            "api": "RegEnumValueW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000308"
              },
              {
                "name": "Index",
                "value": "25"
              },
              {
                "name": "ValueName",
                "value": "MingLiU_HKSCS"
              },
              {
                "name": "Type",
                "value": "7",
                "pretty_value": "REG_MULTI_SZ"
              },
              {
                "name": "DataLength",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontLink\\SystemLink\\MingLiU_HKSCS"
              }
            ],
            "repeated": 0,
            "id": 489
          },
          {
            "timestamp": "2026-05-28 22:01:57,240",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4ccf",
            "parentcaller": "0x7ff6c28d4ccf",
            "category": "registry",
            "api": "RegEnumValueW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000308"
              },
              {
                "name": "Index",
                "value": "26"
              },
              {
                "name": "ValueName",
                "value": "MingLiU-ExtB"
              },
              {
                "name": "Type",
                "value": "7",
                "pretty_value": "REG_MULTI_SZ"
              },
              {
                "name": "DataLength",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontLink\\SystemLink\\MingLiU-ExtB"
              }
            ],
            "repeated": 0,
            "id": 490
          },
          {
            "timestamp": "2026-05-28 22:01:57,240",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4ccf",
            "parentcaller": "0x7ff6c28d4ccf",
            "category": "registry",
            "api": "RegEnumValueW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000308"
              },
              {
                "name": "Index",
                "value": "27"
              },
              {
                "name": "ValueName",
                "value": "PMingLiU-ExtB"
              },
              {
                "name": "Type",
                "value": "7",
                "pretty_value": "REG_MULTI_SZ"
              },
              {
                "name": "DataLength",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontLink\\SystemLink\\PMingLiU-ExtB"
              }
            ],
            "repeated": 0,
            "id": 491
          },
          {
            "timestamp": "2026-05-28 22:01:57,240",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4ccf",
            "parentcaller": "0x7ff6c28d4ccf",
            "category": "registry",
            "api": "RegEnumValueW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000308"
              },
              {
                "name": "Index",
                "value": "28"
              },
              {
                "name": "ValueName",
                "value": "MingLiU_HKSCS-ExtB"
              },
              {
                "name": "Type",
                "value": "7",
                "pretty_value": "REG_MULTI_SZ"
              },
              {
                "name": "DataLength",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontLink\\SystemLink\\MingLiU_HKSCS-ExtB"
              }
            ],
            "repeated": 0,
            "id": 492
          },
          {
            "timestamp": "2026-05-28 22:01:57,240",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4ccf",
            "parentcaller": "0x7ff6c28d4ccf",
            "category": "registry",
            "api": "RegEnumValueW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000308"
              },
              {
                "name": "Index",
                "value": "29"
              },
              {
                "name": "ValueName",
                "value": "Microsoft JhengHei"
              },
              {
                "name": "Type",
                "value": "7",
                "pretty_value": "REG_MULTI_SZ"
              },
              {
                "name": "DataLength",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontLink\\SystemLink\\Microsoft JhengHei"
              }
            ],
            "repeated": 0,
            "id": 493
          },
          {
            "timestamp": "2026-05-28 22:01:57,240",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4ccf",
            "parentcaller": "0x7ff6c28d4ccf",
            "category": "registry",
            "api": "RegEnumValueW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000308"
              },
              {
                "name": "Index",
                "value": "30"
              },
              {
                "name": "ValueName",
                "value": "Microsoft JhengHei Bold"
              },
              {
                "name": "Type",
                "value": "7",
                "pretty_value": "REG_MULTI_SZ"
              },
              {
                "name": "DataLength",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontLink\\SystemLink\\Microsoft JhengHei Bold"
              }
            ],
            "repeated": 0,
            "id": 494
          },
          {
            "timestamp": "2026-05-28 22:01:57,240",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4ccf",
            "parentcaller": "0x7ff6c28d4ccf",
            "category": "registry",
            "api": "RegEnumValueW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000308"
              },
              {
                "name": "Index",
                "value": "31"
              },
              {
                "name": "ValueName",
                "value": "Microsoft JhengHei UI"
              },
              {
                "name": "Type",
                "value": "7",
                "pretty_value": "REG_MULTI_SZ"
              },
              {
                "name": "DataLength",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontLink\\SystemLink\\Microsoft JhengHei UI"
              }
            ],
            "repeated": 0,
            "id": 495
          },
          {
            "timestamp": "2026-05-28 22:01:57,240",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4ccf",
            "parentcaller": "0x7ff6c28d4ccf",
            "category": "registry",
            "api": "RegEnumValueW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000308"
              },
              {
                "name": "Index",
                "value": "32"
              },
              {
                "name": "ValueName",
                "value": "Microsoft JhengHei UI Bold"
              },
              {
                "name": "Type",
                "value": "7",
                "pretty_value": "REG_MULTI_SZ"
              },
              {
                "name": "DataLength",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontLink\\SystemLink\\Microsoft JhengHei UI Bold"
              }
            ],
            "repeated": 0,
            "id": 496
          },
          {
            "timestamp": "2026-05-28 22:01:57,240",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4ccf",
            "parentcaller": "0x7ff6c28d4ccf",
            "category": "registry",
            "api": "RegEnumValueW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000308"
              },
              {
                "name": "Index",
                "value": "33"
              },
              {
                "name": "ValueName",
                "value": "Microsoft JhengHei UI Light"
              },
              {
                "name": "Type",
                "value": "7",
                "pretty_value": "REG_MULTI_SZ"
              },
              {
                "name": "DataLength",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontLink\\SystemLink\\Microsoft JhengHei UI Light"
              }
            ],
            "repeated": 0,
            "id": 497
          },
          {
            "timestamp": "2026-05-28 22:01:57,240",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4ccf",
            "parentcaller": "0x7ff6c28d4ccf",
            "category": "registry",
            "api": "RegEnumValueW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000308"
              },
              {
                "name": "Index",
                "value": "34"
              },
              {
                "name": "ValueName",
                "value": "SimSun"
              },
              {
                "name": "Type",
                "value": "7",
                "pretty_value": "REG_MULTI_SZ"
              },
              {
                "name": "DataLength",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontLink\\SystemLink\\SimSun"
              }
            ],
            "repeated": 0,
            "id": 498
          },
          {
            "timestamp": "2026-05-28 22:01:57,240",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4ccf",
            "parentcaller": "0x7ff6c28d4ccf",
            "category": "registry",
            "api": "RegEnumValueW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000308"
              },
              {
                "name": "Index",
                "value": "35"
              },
              {
                "name": "ValueName",
                "value": "SimSun-ExtB"
              },
              {
                "name": "Type",
                "value": "7",
                "pretty_value": "REG_MULTI_SZ"
              },
              {
                "name": "DataLength",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontLink\\SystemLink\\SimSun-ExtB"
              }
            ],
            "repeated": 0,
            "id": 499
          },
          {
            "timestamp": "2026-05-28 22:01:57,240",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4ccf",
            "parentcaller": "0x7ff6c28d4ccf",
            "category": "registry",
            "api": "RegEnumValueW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000308"
              },
              {
                "name": "Index",
                "value": "36"
              },
              {
                "name": "ValueName",
                "value": "NSimSun"
              },
              {
                "name": "Type",
                "value": "7",
                "pretty_value": "REG_MULTI_SZ"
              },
              {
                "name": "DataLength",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontLink\\SystemLink\\NSimSun"
              }
            ],
            "repeated": 0,
            "id": 500
          },
          {
            "timestamp": "2026-05-28 22:01:57,240",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4ccf",
            "parentcaller": "0x7ff6c28d4ccf",
            "category": "registry",
            "api": "RegEnumValueW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000308"
              },
              {
                "name": "Index",
                "value": "37"
              },
              {
                "name": "ValueName",
                "value": "Microsoft YaHei"
              },
              {
                "name": "Type",
                "value": "7",
                "pretty_value": "REG_MULTI_SZ"
              },
              {
                "name": "DataLength",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontLink\\SystemLink\\Microsoft YaHei"
              }
            ],
            "repeated": 0,
            "id": 501
          },
          {
            "timestamp": "2026-05-28 22:01:57,240",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4ccf",
            "parentcaller": "0x7ff6c28d4ccf",
            "category": "registry",
            "api": "RegEnumValueW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000308"
              },
              {
                "name": "Index",
                "value": "38"
              },
              {
                "name": "ValueName",
                "value": "Microsoft YaHei Bold"
              },
              {
                "name": "Type",
                "value": "7",
                "pretty_value": "REG_MULTI_SZ"
              },
              {
                "name": "DataLength",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontLink\\SystemLink\\Microsoft YaHei Bold"
              }
            ],
            "repeated": 0,
            "id": 502
          },
          {
            "timestamp": "2026-05-28 22:01:57,240",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4ccf",
            "parentcaller": "0x7ff6c28d4ccf",
            "category": "registry",
            "api": "RegEnumValueW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000308"
              },
              {
                "name": "Index",
                "value": "39"
              },
              {
                "name": "ValueName",
                "value": "Microsoft YaHei UI"
              },
              {
                "name": "Type",
                "value": "7",
                "pretty_value": "REG_MULTI_SZ"
              },
              {
                "name": "DataLength",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontLink\\SystemLink\\Microsoft YaHei UI"
              }
            ],
            "repeated": 0,
            "id": 503
          },
          {
            "timestamp": "2026-05-28 22:01:57,240",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4ccf",
            "parentcaller": "0x7ff6c28d4ccf",
            "category": "registry",
            "api": "RegEnumValueW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000308"
              },
              {
                "name": "Index",
                "value": "40"
              },
              {
                "name": "ValueName",
                "value": "Microsoft YaHei UI Bold"
              },
              {
                "name": "Type",
                "value": "7",
                "pretty_value": "REG_MULTI_SZ"
              },
              {
                "name": "DataLength",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontLink\\SystemLink\\Microsoft YaHei UI Bold"
              }
            ],
            "repeated": 0,
            "id": 504
          },
          {
            "timestamp": "2026-05-28 22:01:57,240",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4ccf",
            "parentcaller": "0x7ff6c28d4ccf",
            "category": "registry",
            "api": "RegEnumValueW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000308"
              },
              {
                "name": "Index",
                "value": "41"
              },
              {
                "name": "ValueName",
                "value": "Microsoft YaHei UI Light"
              },
              {
                "name": "Type",
                "value": "7",
                "pretty_value": "REG_MULTI_SZ"
              },
              {
                "name": "DataLength",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontLink\\SystemLink\\Microsoft YaHei UI Light"
              }
            ],
            "repeated": 0,
            "id": 505
          },
          {
            "timestamp": "2026-05-28 22:01:57,240",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4ccf",
            "parentcaller": "0x7ff6c28d4ccf",
            "category": "registry",
            "api": "RegEnumValueW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000308"
              },
              {
                "name": "Index",
                "value": "42"
              },
              {
                "name": "ValueName",
                "value": "Yu Gothic UI"
              },
              {
                "name": "Type",
                "value": "7",
                "pretty_value": "REG_MULTI_SZ"
              },
              {
                "name": "DataLength",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontLink\\SystemLink\\Yu Gothic UI"
              }
            ],
            "repeated": 0,
            "id": 506
          },
          {
            "timestamp": "2026-05-28 22:01:57,240",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4ccf",
            "parentcaller": "0x7ff6c28d4ccf",
            "category": "registry",
            "api": "RegEnumValueW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000308"
              },
              {
                "name": "Index",
                "value": "43"
              },
              {
                "name": "ValueName",
                "value": "Yu Gothic UI Bold"
              },
              {
                "name": "Type",
                "value": "7",
                "pretty_value": "REG_MULTI_SZ"
              },
              {
                "name": "DataLength",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontLink\\SystemLink\\Yu Gothic UI Bold"
              }
            ],
            "repeated": 0,
            "id": 507
          },
          {
            "timestamp": "2026-05-28 22:01:57,240",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4ccf",
            "parentcaller": "0x7ff6c28d4ccf",
            "category": "registry",
            "api": "RegEnumValueW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000308"
              },
              {
                "name": "Index",
                "value": "44"
              },
              {
                "name": "ValueName",
                "value": "Yu Gothic UI Light"
              },
              {
                "name": "Type",
                "value": "7",
                "pretty_value": "REG_MULTI_SZ"
              },
              {
                "name": "DataLength",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontLink\\SystemLink\\Yu Gothic UI Light"
              }
            ],
            "repeated": 0,
            "id": 508
          },
          {
            "timestamp": "2026-05-28 22:01:57,240",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4ccf",
            "parentcaller": "0x7ff6c28d4ccf",
            "category": "registry",
            "api": "RegEnumValueW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000308"
              },
              {
                "name": "Index",
                "value": "45"
              },
              {
                "name": "ValueName",
                "value": "Yu Gothic UI Semilight"
              },
              {
                "name": "Type",
                "value": "7",
                "pretty_value": "REG_MULTI_SZ"
              },
              {
                "name": "DataLength",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontLink\\SystemLink\\Yu Gothic UI Semilight"
              }
            ],
            "repeated": 0,
            "id": 509
          },
          {
            "timestamp": "2026-05-28 22:01:57,240",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4ccf",
            "parentcaller": "0x7ff6c28d4ccf",
            "category": "registry",
            "api": "RegEnumValueW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000308"
              },
              {
                "name": "Index",
                "value": "46"
              },
              {
                "name": "ValueName",
                "value": "Yu Gothic UI Semibold"
              },
              {
                "name": "Type",
                "value": "7",
                "pretty_value": "REG_MULTI_SZ"
              },
              {
                "name": "DataLength",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontLink\\SystemLink\\Yu Gothic UI Semibold"
              }
            ],
            "repeated": 0,
            "id": 510
          },
          {
            "timestamp": "2026-05-28 22:01:57,240",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4ccf",
            "parentcaller": "0x7ff6c28d4ccf",
            "category": "registry",
            "api": "RegEnumValueW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000308"
              },
              {
                "name": "Index",
                "value": "47"
              },
              {
                "name": "ValueName",
                "value": "Meiryo"
              },
              {
                "name": "Type",
                "value": "7",
                "pretty_value": "REG_MULTI_SZ"
              },
              {
                "name": "DataLength",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontLink\\SystemLink\\Meiryo"
              }
            ],
            "repeated": 0,
            "id": 511
          },
          {
            "timestamp": "2026-05-28 22:01:57,240",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4ccf",
            "parentcaller": "0x7ff6c28d4ccf",
            "category": "registry",
            "api": "RegEnumValueW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000308"
              },
              {
                "name": "Index",
                "value": "48"
              },
              {
                "name": "ValueName",
                "value": "Meiryo Bold"
              },
              {
                "name": "Type",
                "value": "7",
                "pretty_value": "REG_MULTI_SZ"
              },
              {
                "name": "DataLength",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontLink\\SystemLink\\Meiryo Bold"
              }
            ],
            "repeated": 0,
            "id": 512
          },
          {
            "timestamp": "2026-05-28 22:01:57,240",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4ccf",
            "parentcaller": "0x7ff6c28d4ccf",
            "category": "registry",
            "api": "RegEnumValueW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000308"
              },
              {
                "name": "Index",
                "value": "49"
              },
              {
                "name": "ValueName",
                "value": "Meiryo UI"
              },
              {
                "name": "Type",
                "value": "7",
                "pretty_value": "REG_MULTI_SZ"
              },
              {
                "name": "DataLength",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontLink\\SystemLink\\Meiryo UI"
              }
            ],
            "repeated": 0,
            "id": 513
          },
          {
            "timestamp": "2026-05-28 22:01:57,240",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4ccf",
            "parentcaller": "0x7ff6c28d4ccf",
            "category": "registry",
            "api": "RegEnumValueW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000308"
              },
              {
                "name": "Index",
                "value": "50"
              },
              {
                "name": "ValueName",
                "value": "Meiryo UI Bold"
              },
              {
                "name": "Type",
                "value": "7",
                "pretty_value": "REG_MULTI_SZ"
              },
              {
                "name": "DataLength",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontLink\\SystemLink\\Meiryo UI Bold"
              }
            ],
            "repeated": 0,
            "id": 514
          },
          {
            "timestamp": "2026-05-28 22:01:57,240",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4ccf",
            "parentcaller": "0x7ff6c28d4ccf",
            "category": "registry",
            "api": "RegEnumValueW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000308"
              },
              {
                "name": "Index",
                "value": "51"
              },
              {
                "name": "ValueName",
                "value": "MS Gothic"
              },
              {
                "name": "Type",
                "value": "7",
                "pretty_value": "REG_MULTI_SZ"
              },
              {
                "name": "DataLength",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontLink\\SystemLink\\MS Gothic"
              }
            ],
            "repeated": 0,
            "id": 515
          },
          {
            "timestamp": "2026-05-28 22:01:57,240",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4ccf",
            "parentcaller": "0x7ff6c28d4ccf",
            "category": "registry",
            "api": "RegEnumValueW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000308"
              },
              {
                "name": "Index",
                "value": "52"
              },
              {
                "name": "ValueName",
                "value": "MS PGothic"
              },
              {
                "name": "Type",
                "value": "7",
                "pretty_value": "REG_MULTI_SZ"
              },
              {
                "name": "DataLength",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontLink\\SystemLink\\MS PGothic"
              }
            ],
            "repeated": 0,
            "id": 516
          },
          {
            "timestamp": "2026-05-28 22:01:57,240",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4ccf",
            "parentcaller": "0x7ff6c28d4ccf",
            "category": "registry",
            "api": "RegEnumValueW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000308"
              },
              {
                "name": "Index",
                "value": "53"
              },
              {
                "name": "ValueName",
                "value": "MS UI Gothic"
              },
              {
                "name": "Type",
                "value": "7",
                "pretty_value": "REG_MULTI_SZ"
              },
              {
                "name": "DataLength",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontLink\\SystemLink\\MS UI Gothic"
              }
            ],
            "repeated": 0,
            "id": 517
          },
          {
            "timestamp": "2026-05-28 22:01:57,240",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4ccf",
            "parentcaller": "0x7ff6c28d4ccf",
            "category": "registry",
            "api": "RegEnumValueW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000308"
              },
              {
                "name": "Index",
                "value": "54"
              },
              {
                "name": "ValueName",
                "value": "MS Mincho"
              },
              {
                "name": "Type",
                "value": "7",
                "pretty_value": "REG_MULTI_SZ"
              },
              {
                "name": "DataLength",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontLink\\SystemLink\\MS Mincho"
              }
            ],
            "repeated": 0,
            "id": 518
          },
          {
            "timestamp": "2026-05-28 22:01:57,240",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4ccf",
            "parentcaller": "0x7ff6c28d4ccf",
            "category": "registry",
            "api": "RegEnumValueW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000308"
              },
              {
                "name": "Index",
                "value": "55"
              },
              {
                "name": "ValueName",
                "value": "MS PMincho"
              },
              {
                "name": "Type",
                "value": "7",
                "pretty_value": "REG_MULTI_SZ"
              },
              {
                "name": "DataLength",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontLink\\SystemLink\\MS PMincho"
              }
            ],
            "repeated": 0,
            "id": 519
          },
          {
            "timestamp": "2026-05-28 22:01:57,240",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4ccf",
            "parentcaller": "0x7ff6c28d4ccf",
            "category": "registry",
            "api": "RegEnumValueW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000308"
              },
              {
                "name": "Index",
                "value": "56"
              },
              {
                "name": "ValueName",
                "value": "Batang"
              },
              {
                "name": "Type",
                "value": "7",
                "pretty_value": "REG_MULTI_SZ"
              },
              {
                "name": "DataLength",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontLink\\SystemLink\\Batang"
              }
            ],
            "repeated": 0,
            "id": 520
          },
          {
            "timestamp": "2026-05-28 22:01:57,240",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4ccf",
            "parentcaller": "0x7ff6c28d4ccf",
            "category": "registry",
            "api": "RegEnumValueW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000308"
              },
              {
                "name": "Index",
                "value": "57"
              },
              {
                "name": "ValueName",
                "value": "BatangChe"
              },
              {
                "name": "Type",
                "value": "7",
                "pretty_value": "REG_MULTI_SZ"
              },
              {
                "name": "DataLength",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontLink\\SystemLink\\BatangChe"
              }
            ],
            "repeated": 0,
            "id": 521
          },
          {
            "timestamp": "2026-05-28 22:01:57,240",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4ccf",
            "parentcaller": "0x7ff6c28d4ccf",
            "category": "registry",
            "api": "RegEnumValueW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000308"
              },
              {
                "name": "Index",
                "value": "58"
              },
              {
                "name": "ValueName",
                "value": "Dotum"
              },
              {
                "name": "Type",
                "value": "7",
                "pretty_value": "REG_MULTI_SZ"
              },
              {
                "name": "DataLength",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontLink\\SystemLink\\Dotum"
              }
            ],
            "repeated": 0,
            "id": 522
          },
          {
            "timestamp": "2026-05-28 22:01:57,240",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4ccf",
            "parentcaller": "0x7ff6c28d4ccf",
            "category": "registry",
            "api": "RegEnumValueW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000308"
              },
              {
                "name": "Index",
                "value": "59"
              },
              {
                "name": "ValueName",
                "value": "DotumChe"
              },
              {
                "name": "Type",
                "value": "7",
                "pretty_value": "REG_MULTI_SZ"
              },
              {
                "name": "DataLength",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontLink\\SystemLink\\DotumChe"
              }
            ],
            "repeated": 0,
            "id": 523
          },
          {
            "timestamp": "2026-05-28 22:01:57,240",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4ccf",
            "parentcaller": "0x7ff6c28d4ccf",
            "category": "registry",
            "api": "RegEnumValueW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000308"
              },
              {
                "name": "Index",
                "value": "60"
              },
              {
                "name": "ValueName",
                "value": "Gulim"
              },
              {
                "name": "Type",
                "value": "7",
                "pretty_value": "REG_MULTI_SZ"
              },
              {
                "name": "DataLength",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontLink\\SystemLink\\Gulim"
              }
            ],
            "repeated": 0,
            "id": 524
          },
          {
            "timestamp": "2026-05-28 22:01:57,240",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4ccf",
            "parentcaller": "0x7ff6c28d4ccf",
            "category": "registry",
            "api": "RegEnumValueW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000308"
              },
              {
                "name": "Index",
                "value": "61"
              },
              {
                "name": "ValueName",
                "value": "GulimChe"
              },
              {
                "name": "Type",
                "value": "7",
                "pretty_value": "REG_MULTI_SZ"
              },
              {
                "name": "DataLength",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontLink\\SystemLink\\GulimChe"
              }
            ],
            "repeated": 0,
            "id": 525
          },
          {
            "timestamp": "2026-05-28 22:01:57,240",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4ccf",
            "parentcaller": "0x7ff6c28d4ccf",
            "category": "registry",
            "api": "RegEnumValueW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000308"
              },
              {
                "name": "Index",
                "value": "62"
              },
              {
                "name": "ValueName",
                "value": "Gungsuh"
              },
              {
                "name": "Type",
                "value": "7",
                "pretty_value": "REG_MULTI_SZ"
              },
              {
                "name": "DataLength",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontLink\\SystemLink\\Gungsuh"
              }
            ],
            "repeated": 0,
            "id": 526
          },
          {
            "timestamp": "2026-05-28 22:01:57,240",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4ccf",
            "parentcaller": "0x7ff6c28d4ccf",
            "category": "registry",
            "api": "RegEnumValueW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000308"
              },
              {
                "name": "Index",
                "value": "63"
              },
              {
                "name": "ValueName",
                "value": "GungsuhChe"
              },
              {
                "name": "Type",
                "value": "7",
                "pretty_value": "REG_MULTI_SZ"
              },
              {
                "name": "DataLength",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontLink\\SystemLink\\GungsuhChe"
              }
            ],
            "repeated": 0,
            "id": 527
          },
          {
            "timestamp": "2026-05-28 22:01:57,240",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4ccf",
            "parentcaller": "0x7ff6c28d4ccf",
            "category": "registry",
            "api": "RegEnumValueW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000308"
              },
              {
                "name": "Index",
                "value": "64"
              },
              {
                "name": "ValueName",
                "value": "Malgun Gothic"
              },
              {
                "name": "Type",
                "value": "7",
                "pretty_value": "REG_MULTI_SZ"
              },
              {
                "name": "DataLength",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontLink\\SystemLink\\Malgun Gothic"
              }
            ],
            "repeated": 0,
            "id": 528
          },
          {
            "timestamp": "2026-05-28 22:01:57,240",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4ccf",
            "parentcaller": "0x7ff6c28d4ccf",
            "category": "registry",
            "api": "RegEnumValueW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000308"
              },
              {
                "name": "Index",
                "value": "65"
              },
              {
                "name": "ValueName",
                "value": "Malgun Gothic Bold"
              },
              {
                "name": "Type",
                "value": "7",
                "pretty_value": "REG_MULTI_SZ"
              },
              {
                "name": "DataLength",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontLink\\SystemLink\\Malgun Gothic Bold"
              }
            ],
            "repeated": 0,
            "id": 529
          },
          {
            "timestamp": "2026-05-28 22:01:57,240",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4ccf",
            "parentcaller": "0x7ff6c28d4ccf",
            "category": "registry",
            "api": "RegEnumValueW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000308"
              },
              {
                "name": "Index",
                "value": "66"
              },
              {
                "name": "ValueName",
                "value": "Malgun Gothic Semilight"
              },
              {
                "name": "Type",
                "value": "7",
                "pretty_value": "REG_MULTI_SZ"
              },
              {
                "name": "DataLength",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontLink\\SystemLink\\Malgun Gothic Semilight"
              }
            ],
            "repeated": 0,
            "id": 530
          },
          {
            "timestamp": "2026-05-28 22:01:57,240",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4ccf",
            "parentcaller": "0x7ff6c28d4ccf",
            "category": "registry",
            "api": "RegEnumValueW",
            "status": false,
            "return": "0x00000103",
            "pretty_return": "NO_MORE_ITEMS",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000308"
              },
              {
                "name": "Index",
                "value": "67"
              },
              {
                "name": "ValueName",
                "value": ""
              },
              {
                "name": "Type",
                "value": "0",
                "pretty_value": "REG_NONE"
              },
              {
                "name": "DataLength",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontLink\\SystemLink\\"
              }
            ],
            "repeated": 0,
            "id": 531
          },
          {
            "timestamp": "2026-05-28 22:01:57,240",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4ccf",
            "parentcaller": "0x7ff6c28d4ccf",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000308"
              }
            ],
            "repeated": 0,
            "id": 532
          },
          {
            "timestamp": "2026-05-28 22:01:57,240",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4ccf",
            "parentcaller": "0x7ff6c28d4ccf",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2924e255000"
              },
              {
                "name": "RegionSize",
                "value": "0x00007000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 533
          },
          {
            "timestamp": "2026-05-28 22:01:57,240",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4ccf",
            "parentcaller": "0x7ff6c28d4ccf",
            "category": "system",
            "api": "GetUserDefaultLCID",
            "status": true,
            "return": "0x00000c09",
            "arguments": [
              {
                "name": "SystemDefaultLangID",
                "value": "0x00000c09"
              },
              {
                "name": "LanguageName",
                "value": "English (Australia)"
              }
            ],
            "repeated": 0,
            "id": 534
          },
          {
            "timestamp": "2026-05-28 22:01:57,240",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4ccf",
            "parentcaller": "0x7ff6c28d4ccf",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\DataStore_V1.0"
              },
              {
                "name": "Handle",
                "value": "0x00000308"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\DataStore_V1.0"
              }
            ],
            "repeated": 0,
            "id": 535
          },
          {
            "timestamp": "2026-05-28 22:01:57,240",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4ccf",
            "parentcaller": "0x7ff6c28d4ccf",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000308"
              },
              {
                "name": "ValueName",
                "value": "Disable"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\DataStore_V1.0\\Disable"
              }
            ],
            "repeated": 0,
            "id": 536
          },
          {
            "timestamp": "2026-05-28 22:01:57,240",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4ccf",
            "parentcaller": "0x7ff6c28d4ccf",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000308"
              },
              {
                "name": "ValueName",
                "value": "DataFilePath"
              },
              {
                "name": "Data",
                "value": "C:\\Windows\\Fonts\\staticcache.dat"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\DataStore_V1.0\\DataFilePath"
              }
            ],
            "repeated": 0,
            "id": 537
          },
          {
            "timestamp": "2026-05-28 22:01:57,240",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4ccf",
            "parentcaller": "0x7ff6c28d4ccf",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000308"
              }
            ],
            "repeated": 0,
            "id": 538
          },
          {
            "timestamp": "2026-05-28 22:01:57,240",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4ccf",
            "parentcaller": "0x7ff6c28d4ccf",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000308"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\staticcache.dat"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 539
          },
          {
            "timestamp": "2026-05-28 22:01:57,240",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4ccf",
            "parentcaller": "0x7ff6c28d4ccf",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000308"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\Fonts\\StaticCache.dat"
              },
              {
                "name": "FileInformationClass",
                "value": "5",
                "pretty_value": "FileStandardInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\x00\\x00&\\x01\\x00\\x00\\x00\\x00\\x00\\x00&\\x01\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 540
          },
          {
            "timestamp": "2026-05-28 22:01:57,240",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4ccf",
            "parentcaller": "0x7ff6c28d4ccf",
            "category": "filesystem",
            "api": "NtReadFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000308"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\Fonts\\StaticCache.dat"
              },
              {
                "name": "Buffer",
                "value": "\\x1a\\x83W\\xa5\\x02\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00$\\x01\\x00\\x00$)\\x00\\x00\\x00\\x00\\x02\\x00\\xbe\\x02\\x00\\x00<\\x00\\x00\\x00$!\\x00\\x00L)\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00"
              },
              {
                "name": "Length",
                "value": "60"
              }
            ],
            "repeated": 0,
            "id": 541
          },
          {
            "timestamp": "2026-05-28 22:01:57,240",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4ccf",
            "parentcaller": "0x7ff6c28d4ccf",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x0000030c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000308"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Fonts\\StaticCache.dat"
              }
            ],
            "repeated": 0,
            "id": 542
          },
          {
            "timestamp": "2026-05-28 22:01:57,240",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4ccf",
            "parentcaller": "0x7ff6c28d4ccf",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x0000030c"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29251c90000"
              },
              {
                "name": "SectionOffset",
                "value": "0xf09d76c650"
              },
              {
                "name": "ViewSize",
                "value": "0x01260000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 543
          },
          {
            "timestamp": "2026-05-28 22:01:57,240",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4ccf",
            "parentcaller": "0x7ff6c28d4ccf",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2924e25c000"
              },
              {
                "name": "RegionSize",
                "value": "0x00015000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 544
          },
          {
            "timestamp": "2026-05-28 22:01:57,240",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4ccf",
            "parentcaller": "0x7ff6c28d4ccf",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2924e253000"
              },
              {
                "name": "RegionSize",
                "value": "0x0001d000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 545
          },
          {
            "timestamp": "2026-05-28 22:01:57,240",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4ccf",
            "parentcaller": "0x7ff6c28d4ccf",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2924e253000"
              },
              {
                "name": "RegionSize",
                "value": "0x0001d000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 546
          },
          {
            "timestamp": "2026-05-28 22:01:57,240",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4ccf",
            "parentcaller": "0x7ff6c28d4ccf",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc77fd0000"
              },
              {
                "name": "FunctionName",
                "value": "RtlDllShutdownInProgress"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc78033410"
              }
            ],
            "repeated": 0,
            "id": 547
          },
          {
            "timestamp": "2026-05-28 22:01:57,240",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4ccf",
            "parentcaller": "0x7ff6c28d4ccf",
            "category": "synchronization",
            "api": "NtCreateMutant",
            "status": true,
            "return": "0x40000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000310"
              },
              {
                "name": "MutexName",
                "value": "Local\\SM0:7912:304:WilStaging_02"
              },
              {
                "name": "InitialOwner",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 548
          },
          {
            "timestamp": "2026-05-28 22:01:57,240",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4ccf",
            "parentcaller": "0x7ff6c28d4ccf",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000310"
              },
              {
                "name": "Milliseconds",
                "value": "18446744073709551615"
              },
              {
                "name": "Status",
                "value": "Infinite"
              }
            ],
            "repeated": 0,
            "id": 549
          },
          {
            "timestamp": "2026-05-28 22:01:57,240",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4ccf",
            "parentcaller": "0x7ff6c28d4ccf",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 550
          },
          {
            "timestamp": "2026-05-28 22:01:57,240",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4ccf",
            "parentcaller": "0x7ff6c28d4ccf",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000314"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 551
          },
          {
            "timestamp": "2026-05-28 22:01:57,240",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4ccf",
            "parentcaller": "0x7ff6c28d4ccf",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 552
          },
          {
            "timestamp": "2026-05-28 22:01:57,240",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4ccf",
            "parentcaller": "0x7ff6c28d4ccf",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000318"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 553
          },
          {
            "timestamp": "2026-05-28 22:01:57,240",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4ccf",
            "parentcaller": "0x7ff6c28d4ccf",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000318"
              }
            ],
            "repeated": 0,
            "id": 554
          },
          {
            "timestamp": "2026-05-28 22:01:57,240",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4ccf",
            "parentcaller": "0x7ff6c28d4ccf",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000314"
              }
            ],
            "repeated": 0,
            "id": 555
          },
          {
            "timestamp": "2026-05-28 22:01:57,240",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4ccf",
            "parentcaller": "0x7ff6c28d4ccf",
            "category": "synchronization",
            "api": "NtReleaseMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000310"
              }
            ],
            "repeated": 0,
            "id": 556
          },
          {
            "timestamp": "2026-05-28 22:01:57,240",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4ccf",
            "parentcaller": "0x7ff6c28d4ccf",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000310"
              }
            ],
            "repeated": 0,
            "id": 557
          },
          {
            "timestamp": "2026-05-28 22:01:57,240",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4ccf",
            "parentcaller": "0x7ff6c28d4ccf",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "93"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x7f7\\x9e}"
              }
            ],
            "repeated": 0,
            "id": 558
          },
          {
            "timestamp": "2026-05-28 22:01:57,240",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4ccf",
            "parentcaller": "0x7ff6c28d4ccf",
            "category": "process",
            "api": "NtOpenSection",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0000000d"
              },
              {
                "name": "ObjectAttributes",
                "value": "TextShaping.dll"
              }
            ],
            "repeated": 0,
            "id": 559
          },
          {
            "timestamp": "2026-05-28 22:01:57,240",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4ccf",
            "parentcaller": "0x7ff6c28d4ccf",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\TextShaping.dll"
              }
            ],
            "repeated": 0,
            "id": 560
          },
          {
            "timestamp": "2026-05-28 22:01:57,240",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4ccf",
            "parentcaller": "0x7ff6c28d4ccf",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000310"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100021",
                "pretty_value": "FILE_READ_ACCESS|FILE_EXECUTE|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\TextShaping.dll"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 561
          },
          {
            "timestamp": "2026-05-28 22:01:57,240",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4ccf",
            "parentcaller": "0x7ff6c28d4ccf",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000314"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0000000d",
                "pretty_value": "SECTION_QUERY|SECTION_MAP_READ|SECTION_MAP_EXECUTE"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000310"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\TextShaping.dll"
              }
            ],
            "repeated": 0,
            "id": 562
          },
          {
            "timestamp": "2026-05-28 22:01:57,240",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4ccf",
            "parentcaller": "0x7ff6c28d4ccf",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000314"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc66930000"
              },
              {
                "name": "SectionOffset",
                "value": "0x00000000"
              },
              {
                "name": "ViewSize",
                "value": "0x000ac000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000080",
                "pretty_value": "PAGE_EXECUTE_WRITECOPY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 563
          },
          {
            "timestamp": "2026-05-28 22:01:57,240",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4ccf",
            "parentcaller": "0x7ff6c28d4ccf",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc6697f000"
              },
              {
                "name": "ModuleName",
                "value": "TextShaping.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 564
          },
          {
            "timestamp": "2026-05-28 22:01:57,240",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4ccf",
            "parentcaller": "0x7ff6c28d4ccf",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc6697f000"
              },
              {
                "name": "ModuleName",
                "value": "TextShaping.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 565
          },
          {
            "timestamp": "2026-05-28 22:01:57,240",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4ccf",
            "parentcaller": "0x7ff6c28d4ccf",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc6697f000"
              },
              {
                "name": "ModuleName",
                "value": "TextShaping.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 566
          },
          {
            "timestamp": "2026-05-28 22:01:57,240",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4ccf",
            "parentcaller": "0x7ff6c28d4ccf",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc6697f000"
              },
              {
                "name": "ModuleName",
                "value": "TextShaping.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 567
          },
          {
            "timestamp": "2026-05-28 22:01:57,240",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4ccf",
            "parentcaller": "0x7ff6c28d4ccf",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc6697f000"
              },
              {
                "name": "ModuleName",
                "value": "TextShaping.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 568
          },
          {
            "timestamp": "2026-05-28 22:01:57,240",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4ccf",
            "parentcaller": "0x7ff6c28d4ccf",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000314"
              }
            ],
            "repeated": 0,
            "id": 569
          },
          {
            "timestamp": "2026-05-28 22:01:57,240",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4ccf",
            "parentcaller": "0x7ff6c28d4ccf",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000310"
              }
            ],
            "repeated": 0,
            "id": 570
          },
          {
            "timestamp": "2026-05-28 22:01:57,240",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4ccf",
            "parentcaller": "0x7ff6c28d4ccf",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc6697f000"
              },
              {
                "name": "ModuleName",
                "value": "TextShaping.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 571
          },
          {
            "timestamp": "2026-05-28 22:01:57,240",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4ccf",
            "parentcaller": "0x7ff6c28d4ccf",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\system32\\TextShaping"
              },
              {
                "name": "DllBase",
                "value": "0x7ffc66930000"
              }
            ],
            "repeated": 0,
            "id": 572
          },
          {
            "timestamp": "2026-05-28 22:01:57,256",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4ccf",
            "parentcaller": "0x7ff6c28d4ccf",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2924e1e7000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 573
          },
          {
            "timestamp": "2026-05-28 22:01:57,256",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4ccf",
            "parentcaller": "0x7ff6c28d4ccf",
            "category": "system",
            "api": "LdrpCallInitRoutine",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "MappedPath",
                "value": "\\Device\\HarddiskVolume2\\Windows\\System32\\TextShaping"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc66930000"
              },
              {
                "name": "InitRoutine",
                "value": "0x7ffc6697a790"
              },
              {
                "name": "Reason",
                "value": "1"
              }
            ],
            "repeated": 0,
            "id": 574
          },
          {
            "timestamp": "2026-05-28 22:01:57,256",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4ccf",
            "parentcaller": "0x7ff6c28d4ccf",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc75ce5000"
              },
              {
                "name": "ModuleName",
                "value": "gdi32full.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 575
          },
          {
            "timestamp": "2026-05-28 22:01:57,256",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4ccf",
            "parentcaller": "0x7ff6c28d4ccf",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc75ce5000"
              },
              {
                "name": "ModuleName",
                "value": "gdi32full.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 576
          },
          {
            "timestamp": "2026-05-28 22:01:57,256",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4ccf",
            "parentcaller": "0x7ff6c28d4ccf",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback"
              },
              {
                "name": "Handle",
                "value": "0x00000314"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback"
              }
            ],
            "repeated": 0,
            "id": 577
          },
          {
            "timestamp": "2026-05-28 22:01:57,256",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4ccf",
            "parentcaller": "0x7ff6c28d4ccf",
            "category": "registry",
            "api": "RegQueryValueExA",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000314"
              },
              {
                "name": "ValueName",
                "value": "Plane1"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Plane1"
              }
            ],
            "repeated": 0,
            "id": 578
          },
          {
            "timestamp": "2026-05-28 22:01:57,256",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4ccf",
            "parentcaller": "0x7ff6c28d4ccf",
            "category": "registry",
            "api": "RegQueryValueExA",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000314"
              },
              {
                "name": "ValueName",
                "value": "Plane2"
              },
              {
                "name": "Data",
                "value": "SimSun-ExtB"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Plane2"
              }
            ],
            "repeated": 0,
            "id": 579
          },
          {
            "timestamp": "2026-05-28 22:01:57,256",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4ccf",
            "parentcaller": "0x7ff6c28d4ccf",
            "category": "registry",
            "api": "RegQueryValueExA",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000314"
              },
              {
                "name": "ValueName",
                "value": "Plane3"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Plane3"
              }
            ],
            "repeated": 0,
            "id": 580
          },
          {
            "timestamp": "2026-05-28 22:01:57,256",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4ccf",
            "parentcaller": "0x7ff6c28d4ccf",
            "category": "registry",
            "api": "RegQueryValueExA",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000314"
              },
              {
                "name": "ValueName",
                "value": "Plane4"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Plane4"
              }
            ],
            "repeated": 0,
            "id": 581
          },
          {
            "timestamp": "2026-05-28 22:01:57,256",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4ccf",
            "parentcaller": "0x7ff6c28d4ccf",
            "category": "registry",
            "api": "RegQueryValueExA",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000314"
              },
              {
                "name": "ValueName",
                "value": "Plane5"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Plane5"
              }
            ],
            "repeated": 0,
            "id": 582
          },
          {
            "timestamp": "2026-05-28 22:01:57,256",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4ccf",
            "parentcaller": "0x7ff6c28d4ccf",
            "category": "registry",
            "api": "RegQueryValueExA",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000314"
              },
              {
                "name": "ValueName",
                "value": "Plane6"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Plane6"
              }
            ],
            "repeated": 0,
            "id": 583
          },
          {
            "timestamp": "2026-05-28 22:01:57,256",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4ccf",
            "parentcaller": "0x7ff6c28d4ccf",
            "category": "registry",
            "api": "RegQueryValueExA",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000314"
              },
              {
                "name": "ValueName",
                "value": "Plane7"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Plane7"
              }
            ],
            "repeated": 0,
            "id": 584
          },
          {
            "timestamp": "2026-05-28 22:01:57,256",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4ccf",
            "parentcaller": "0x7ff6c28d4ccf",
            "category": "registry",
            "api": "RegQueryValueExA",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000314"
              },
              {
                "name": "ValueName",
                "value": "Plane8"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Plane8"
              }
            ],
            "repeated": 0,
            "id": 585
          },
          {
            "timestamp": "2026-05-28 22:01:57,256",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4ccf",
            "parentcaller": "0x7ff6c28d4ccf",
            "category": "registry",
            "api": "RegQueryValueExA",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000314"
              },
              {
                "name": "ValueName",
                "value": "Plane9"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Plane9"
              }
            ],
            "repeated": 0,
            "id": 586
          },
          {
            "timestamp": "2026-05-28 22:01:57,256",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4ccf",
            "parentcaller": "0x7ff6c28d4ccf",
            "category": "registry",
            "api": "RegQueryValueExA",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000314"
              },
              {
                "name": "ValueName",
                "value": "Plane10"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Plane10"
              }
            ],
            "repeated": 0,
            "id": 587
          },
          {
            "timestamp": "2026-05-28 22:01:57,256",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4ccf",
            "parentcaller": "0x7ff6c28d4ccf",
            "category": "registry",
            "api": "RegQueryValueExA",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000314"
              },
              {
                "name": "ValueName",
                "value": "Plane11"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Plane11"
              }
            ],
            "repeated": 0,
            "id": 588
          },
          {
            "timestamp": "2026-05-28 22:01:57,256",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4ccf",
            "parentcaller": "0x7ff6c28d4ccf",
            "category": "registry",
            "api": "RegQueryValueExA",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000314"
              },
              {
                "name": "ValueName",
                "value": "Plane12"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Plane12"
              }
            ],
            "repeated": 0,
            "id": 589
          },
          {
            "timestamp": "2026-05-28 22:01:57,256",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4ccf",
            "parentcaller": "0x7ff6c28d4ccf",
            "category": "registry",
            "api": "RegQueryValueExA",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000314"
              },
              {
                "name": "ValueName",
                "value": "Plane13"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Plane13"
              }
            ],
            "repeated": 0,
            "id": 590
          },
          {
            "timestamp": "2026-05-28 22:01:57,256",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4ccf",
            "parentcaller": "0x7ff6c28d4ccf",
            "category": "registry",
            "api": "RegQueryValueExA",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000314"
              },
              {
                "name": "ValueName",
                "value": "Plane14"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Plane14"
              }
            ],
            "repeated": 0,
            "id": 591
          },
          {
            "timestamp": "2026-05-28 22:01:57,256",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4ccf",
            "parentcaller": "0x7ff6c28d4ccf",
            "category": "registry",
            "api": "RegQueryValueExA",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000314"
              },
              {
                "name": "ValueName",
                "value": "Plane15"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Plane15"
              }
            ],
            "repeated": 0,
            "id": 592
          },
          {
            "timestamp": "2026-05-28 22:01:57,256",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4ccf",
            "parentcaller": "0x7ff6c28d4ccf",
            "category": "registry",
            "api": "RegQueryValueExA",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000314"
              },
              {
                "name": "ValueName",
                "value": "Plane16"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Plane16"
              }
            ],
            "repeated": 0,
            "id": 593
          },
          {
            "timestamp": "2026-05-28 22:01:57,256",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4ccf",
            "parentcaller": "0x7ff6c28d4ccf",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000314"
              }
            ],
            "repeated": 0,
            "id": 594
          },
          {
            "timestamp": "2026-05-28 22:01:57,256",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4ccf",
            "parentcaller": "0x7ff6c28d4ccf",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback"
              },
              {
                "name": "Handle",
                "value": "0x00000314"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback"
              }
            ],
            "repeated": 0,
            "id": 595
          },
          {
            "timestamp": "2026-05-28 22:01:57,256",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4ccf",
            "parentcaller": "0x7ff6c28d4ccf",
            "category": "registry",
            "api": "RegQueryInfoKeyW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000314"
              },
              {
                "name": "Class",
                "value": ""
              },
              {
                "name": "SubKeyCount",
                "value": "4"
              },
              {
                "name": "MaxSubKeyLength",
                "value": "13"
              },
              {
                "name": "MaxClassLength",
                "value": "0"
              },
              {
                "name": "ValueCount",
                "value": "0"
              },
              {
                "name": "MaxValueNameLength",
                "value": "0"
              },
              {
                "name": "MaxValueLength",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 596
          },
          {
            "timestamp": "2026-05-28 22:01:57,256",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4ccf",
            "parentcaller": "0x7ff6c28d4ccf",
            "category": "registry",
            "api": "RegEnumKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000314"
              },
              {
                "name": "Index",
                "value": "0"
              },
              {
                "name": "Name",
                "value": "MingLiU"
              },
              {
                "name": "Class",
                "value": ""
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\MingLiU"
              }
            ],
            "repeated": 0,
            "id": 597
          },
          {
            "timestamp": "2026-05-28 22:01:57,256",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4ccf",
            "parentcaller": "0x7ff6c28d4ccf",
            "category": "registry",
            "api": "RegEnumKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000314"
              },
              {
                "name": "Index",
                "value": "1"
              },
              {
                "name": "Name",
                "value": "MingLiU_HKSCS"
              },
              {
                "name": "Class",
                "value": ""
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\MingLiU_HKSCS"
              }
            ],
            "repeated": 0,
            "id": 598
          },
          {
            "timestamp": "2026-05-28 22:01:57,256",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4ccf",
            "parentcaller": "0x7ff6c28d4ccf",
            "category": "registry",
            "api": "RegEnumKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000314"
              },
              {
                "name": "Index",
                "value": "2"
              },
              {
                "name": "Name",
                "value": "PMingLiU"
              },
              {
                "name": "Class",
                "value": ""
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\PMingLiU"
              }
            ],
            "repeated": 0,
            "id": 599
          },
          {
            "timestamp": "2026-05-28 22:01:57,256",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4ccf",
            "parentcaller": "0x7ff6c28d4ccf",
            "category": "registry",
            "api": "RegEnumKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000314"
              },
              {
                "name": "Index",
                "value": "3"
              },
              {
                "name": "Name",
                "value": "SimSun"
              },
              {
                "name": "Class",
                "value": ""
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\SimSun"
              }
            ],
            "repeated": 0,
            "id": 600
          },
          {
            "timestamp": "2026-05-28 22:01:57,256",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4ccf",
            "parentcaller": "0x7ff6c28d4ccf",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000314"
              },
              {
                "name": "SubKey",
                "value": "Segoe UI"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Segoe UI"
              }
            ],
            "repeated": 0,
            "id": 601
          },
          {
            "timestamp": "2026-05-28 22:01:57,256",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4ccf",
            "parentcaller": "0x7ff6c28d4ccf",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000314"
              }
            ],
            "repeated": 0,
            "id": 602
          },
          {
            "timestamp": "2026-05-28 22:01:57,256",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4e53",
            "parentcaller": "0x7ff6c28d4ad8",
            "category": "misc",
            "api": "FindResourceExW",
            "status": true,
            "return": "0x29252ef2018",
            "arguments": [
              {
                "name": "Module",
                "value": "0x7ff6c28b0000"
              },
              {
                "name": "Type",
                "value": "#14"
              },
              {
                "name": "Name",
                "value": "#30651"
              },
              {
                "name": "Language",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 603
          },
          {
            "timestamp": "2026-05-28 22:01:57,256",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4e53",
            "parentcaller": "0x7ff6c28d4ad8",
            "category": "misc",
            "api": "LoadResource",
            "status": true,
            "return": "0x29252f13e08",
            "arguments": [
              {
                "name": "Module",
                "value": "0x7ff6c28b0000"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29252ef2018"
              }
            ],
            "repeated": 0,
            "id": 604
          },
          {
            "timestamp": "2026-05-28 22:01:57,256",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4e53",
            "parentcaller": "0x7ff6c28d4ad8",
            "category": "misc",
            "api": "FindResourceExW",
            "status": true,
            "return": "0x29252ef1a98",
            "arguments": [
              {
                "name": "Module",
                "value": "0x7ff6c28b0000"
              },
              {
                "name": "Type",
                "value": "#3"
              },
              {
                "name": "Name",
                "value": "#19"
              },
              {
                "name": "Language",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 605
          },
          {
            "timestamp": "2026-05-28 22:01:57,256",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4e53",
            "parentcaller": "0x7ff6c28d4ad8",
            "category": "misc",
            "api": "LoadResource",
            "status": true,
            "return": "0x29252f118b8",
            "arguments": [
              {
                "name": "Module",
                "value": "0x7ff6c28b0000"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29252ef1a98"
              }
            ],
            "repeated": 0,
            "id": 606
          },
          {
            "timestamp": "2026-05-28 22:01:57,256",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4e53",
            "parentcaller": "0x7ff6c28d4ad8",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc77ef8000"
              },
              {
                "name": "ModuleName",
                "value": "GDI32.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 607
          },
          {
            "timestamp": "2026-05-28 22:01:57,256",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4e53",
            "parentcaller": "0x7ff6c28d4ad8",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc77ef8000"
              },
              {
                "name": "ModuleName",
                "value": "GDI32.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 608
          },
          {
            "timestamp": "2026-05-28 22:01:57,256",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4e53",
            "parentcaller": "0x7ff6c28d4ad8",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc77ef8000"
              },
              {
                "name": "ModuleName",
                "value": "GDI32.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 609
          },
          {
            "timestamp": "2026-05-28 22:01:57,256",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4e53",
            "parentcaller": "0x7ff6c28d4ad8",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc77ef8000"
              },
              {
                "name": "ModuleName",
                "value": "GDI32.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 610
          },
          {
            "timestamp": "2026-05-28 22:01:57,256",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4e53",
            "parentcaller": "0x7ff6c28d4ad8",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc77ef8000"
              },
              {
                "name": "ModuleName",
                "value": "GDI32.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 611
          },
          {
            "timestamp": "2026-05-28 22:01:57,256",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4e53",
            "parentcaller": "0x7ff6c28d4ad8",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc77ef8000"
              },
              {
                "name": "ModuleName",
                "value": "GDI32.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 612
          },
          {
            "timestamp": "2026-05-28 22:01:57,256",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4ccf",
            "parentcaller": "0x7ff6c28d4e73",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\system32\\taskmgr.exe"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ff6c28b0000"
              }
            ],
            "repeated": 0,
            "id": 613
          },
          {
            "timestamp": "2026-05-28 22:01:57,256",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4ccf",
            "parentcaller": "0x7ff6c28d4e73",
            "category": "misc",
            "api": "FindResourceExW",
            "status": true,
            "return": "0x29252ef2018",
            "arguments": [
              {
                "name": "Module",
                "value": "0x7ff6c28b0000"
              },
              {
                "name": "Type",
                "value": "#14"
              },
              {
                "name": "Name",
                "value": "#30651"
              },
              {
                "name": "Language",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 614
          },
          {
            "timestamp": "2026-05-28 22:01:57,256",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4ccf",
            "parentcaller": "0x7ff6c28d4e73",
            "category": "misc",
            "api": "LoadResource",
            "status": true,
            "return": "0x29252f13e08",
            "arguments": [
              {
                "name": "Module",
                "value": "0x7ff6c28b0000"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29252ef2018"
              }
            ],
            "repeated": 0,
            "id": 615
          },
          {
            "timestamp": "2026-05-28 22:01:57,256",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4ccf",
            "parentcaller": "0x7ff6c28d4e73",
            "category": "misc",
            "api": "FindResourceExW",
            "status": true,
            "return": "0x29252ef1ac8",
            "arguments": [
              {
                "name": "Module",
                "value": "0x7ff6c28b0000"
              },
              {
                "name": "Type",
                "value": "#3"
              },
              {
                "name": "Name",
                "value": "#22"
              },
              {
                "name": "Language",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 616
          },
          {
            "timestamp": "2026-05-28 22:01:57,256",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4ccf",
            "parentcaller": "0x7ff6c28d4e73",
            "category": "misc",
            "api": "LoadResource",
            "status": true,
            "return": "0x29252f139a0",
            "arguments": [
              {
                "name": "Module",
                "value": "0x7ff6c28b0000"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29252ef1ac8"
              }
            ],
            "repeated": 0,
            "id": 617
          },
          {
            "timestamp": "2026-05-28 22:01:57,256",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4ccf",
            "parentcaller": "0x7ff6c28d4afd",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29251496000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 618
          },
          {
            "timestamp": "2026-05-28 22:01:57,256",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4ccf",
            "parentcaller": "0x7ff6c28d4ccf",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc77ef9000"
              },
              {
                "name": "ModuleName",
                "value": "GDI32.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 619
          },
          {
            "timestamp": "2026-05-28 22:01:57,256",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4ccf",
            "parentcaller": "0x7ff6c28d4ccf",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc77ef9000"
              },
              {
                "name": "ModuleName",
                "value": "GDI32.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 620
          },
          {
            "timestamp": "2026-05-28 22:01:57,256",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4ccf",
            "parentcaller": "0x7ff6c28d4ccf",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc77fd0000"
              }
            ],
            "repeated": 0,
            "id": 621
          },
          {
            "timestamp": "2026-05-28 22:01:57,256",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4ccf",
            "parentcaller": "0x7ff6c28d4ccf",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc77fd0000"
              },
              {
                "name": "FunctionName",
                "value": "RtlQueryFeatureConfiguration"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc7802cbd0"
              }
            ],
            "repeated": 0,
            "id": 622
          },
          {
            "timestamp": "2026-05-28 22:01:57,256",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4ccf",
            "parentcaller": "0x7ff6c28d4ccf",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc77fd0000"
              },
              {
                "name": "FunctionName",
                "value": "NtQueryWnfStateData"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc7806fc40"
              }
            ],
            "repeated": 0,
            "id": 623
          },
          {
            "timestamp": "2026-05-28 22:01:57,256",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4afd",
            "parentcaller": "0x7ff6c28d6ebc",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 0,
            "id": 624
          },
          {
            "timestamp": "2026-05-28 22:01:57,256",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4afd",
            "parentcaller": "0x7ff6c28d6ebc",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000318"
              }
            ],
            "repeated": 0,
            "id": 625
          },
          {
            "timestamp": "2026-05-28 22:01:57,256",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4afd",
            "parentcaller": "0x7ff6c28d6ebc",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000310"
              }
            ],
            "repeated": 0,
            "id": 626
          },
          {
            "timestamp": "2026-05-28 22:01:57,256",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4afd",
            "parentcaller": "0x7ff6c28d6ebc",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "SOFTWARE\\Microsoft\\CTF\\Compatibility\\taskmgr.exe"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\Compatibility\\taskmgr.exe"
              }
            ],
            "repeated": 0,
            "id": 627
          },
          {
            "timestamp": "2026-05-28 22:01:57,256",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4afd",
            "parentcaller": "0x7ff6c28d6ebc",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc766c9000"
              },
              {
                "name": "ModuleName",
                "value": "IMM32.DLL"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 628
          },
          {
            "timestamp": "2026-05-28 22:01:57,256",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4afd",
            "parentcaller": "0x7ff6c28d6ebc",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc766c9000"
              },
              {
                "name": "ModuleName",
                "value": "IMM32.DLL"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 629
          },
          {
            "timestamp": "2026-05-28 22:01:57,256",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4afd",
            "parentcaller": "0x7ff6c28d6ebc",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc766c9000"
              },
              {
                "name": "ModuleName",
                "value": "IMM32.DLL"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 630
          },
          {
            "timestamp": "2026-05-28 22:01:57,256",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4afd",
            "parentcaller": "0x7ff6c28d6ebc",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc766c9000"
              },
              {
                "name": "ModuleName",
                "value": "IMM32.DLL"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 631
          },
          {
            "timestamp": "2026-05-28 22:01:57,256",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4afd",
            "parentcaller": "0x7ff6c28d6ebc",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000031c"
              }
            ],
            "repeated": 0,
            "id": 632
          },
          {
            "timestamp": "2026-05-28 22:01:57,256",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4afd",
            "parentcaller": "0x7ff6c28d6ebc",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000320"
              }
            ],
            "repeated": 0,
            "id": 633
          },
          {
            "timestamp": "2026-05-28 22:01:57,271",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4afd",
            "parentcaller": "0x7ff6c28d6ebc",
            "category": "misc",
            "api": "ChangeWindowMessageFilter",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "message",
                "value": "49238"
              },
              {
                "name": "dwFlag",
                "value": "1"
              }
            ],
            "repeated": 0,
            "id": 634
          },
          {
            "timestamp": "2026-05-28 22:01:57,271",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4afd",
            "parentcaller": "0x7ff6c28d6ebc",
            "category": "misc",
            "api": "ChangeWindowMessageFilter",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "message",
                "value": "49239"
              },
              {
                "name": "dwFlag",
                "value": "1"
              }
            ],
            "repeated": 0,
            "id": 635
          },
          {
            "timestamp": "2026-05-28 22:01:57,271",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4afd",
            "parentcaller": "0x7ff6c28d6ebc",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000320"
              }
            ],
            "repeated": 0,
            "id": 636
          },
          {
            "timestamp": "2026-05-28 22:01:57,271",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4afd",
            "parentcaller": "0x7ff6c28d6ebc",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000031c"
              }
            ],
            "repeated": 1,
            "id": 637
          },
          {
            "timestamp": "2026-05-28 22:01:57,271",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4afd",
            "parentcaller": "0x7ff6c28d6ebc",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000320"
              }
            ],
            "repeated": 0,
            "id": 638
          },
          {
            "timestamp": "2026-05-28 22:01:57,271",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4afd",
            "parentcaller": "0x7ff6c28d6ebc",
            "category": "synchronization",
            "api": "NtOpenMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000320"
              },
              {
                "name": "MutexName",
                "value": "Local\\MSCTF.Asm.MutexDefault1"
              }
            ],
            "repeated": 0,
            "id": 639
          },
          {
            "timestamp": "2026-05-28 22:01:57,271",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4afd",
            "parentcaller": "0x7ff6c28d6ebc",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 640
          },
          {
            "timestamp": "2026-05-28 22:01:57,271",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4afd",
            "parentcaller": "0x7ff6c28d6ebc",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000320"
              },
              {
                "name": "Milliseconds",
                "value": "2000"
              }
            ],
            "repeated": 0,
            "id": 641
          },
          {
            "timestamp": "2026-05-28 22:01:57,271",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4afd",
            "parentcaller": "0x7ff6c28d6ebc",
            "category": "process",
            "api": "NtOpenSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x0000031c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000004"
              },
              {
                "name": "ObjectAttributes",
                "value": "Local\\CTF.AsmListCache.FMPDefault1"
              }
            ],
            "repeated": 0,
            "id": 642
          },
          {
            "timestamp": "2026-05-28 22:01:57,271",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4afd",
            "parentcaller": "0x7ff6c28d6ebc",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x0000031c"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29250f70000"
              },
              {
                "name": "SectionOffset",
                "value": "0xf09d76e090"
              },
              {
                "name": "ViewSize",
                "value": "0x00001000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 643
          },
          {
            "timestamp": "2026-05-28 22:01:57,271",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4afd",
            "parentcaller": "0x7ff6c28d6ebc",
            "category": "process",
            "api": "NtUnmapViewOfSectionEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29250f70000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Flags",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 644
          },
          {
            "timestamp": "2026-05-28 22:01:57,271",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4afd",
            "parentcaller": "0x7ff6c28d6ebc",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000031c"
              }
            ],
            "repeated": 0,
            "id": 645
          },
          {
            "timestamp": "2026-05-28 22:01:57,271",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4afd",
            "parentcaller": "0x7ff6c28d6ebc",
            "category": "synchronization",
            "api": "NtReleaseMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000320"
              }
            ],
            "repeated": 0,
            "id": 646
          },
          {
            "timestamp": "2026-05-28 22:01:57,271",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4afd",
            "parentcaller": "0x7ff6c28d6ebc",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000320"
              }
            ],
            "repeated": 0,
            "id": 647
          },
          {
            "timestamp": "2026-05-28 22:01:57,271",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4afd",
            "parentcaller": "0x7ff6c28d6ebc",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "SOFTWARE\\Microsoft\\CTF\\Compatibility\\taskmgr.exe"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\Compatibility\\taskmgr.exe"
              }
            ],
            "repeated": 0,
            "id": 648
          },
          {
            "timestamp": "2026-05-28 22:01:57,271",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4afd",
            "parentcaller": "0x7ff6c28d6ebc",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 1,
            "id": 649
          },
          {
            "timestamp": "2026-05-28 22:01:57,271",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4afd",
            "parentcaller": "0x7ff6c28d6ebc",
            "category": "misc",
            "api": "GetSystemMetrics",
            "status": false,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SystemMetricIndex",
                "value": "8192"
              }
            ],
            "repeated": 0,
            "id": 650
          },
          {
            "timestamp": "2026-05-28 22:01:57,271",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4afd",
            "parentcaller": "0x7ff6c28d6ebc",
            "category": "synchronization",
            "api": "NtOpenMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000320"
              },
              {
                "name": "MutexName",
                "value": "CicLoadWinStaWinSta0"
              }
            ],
            "repeated": 0,
            "id": 651
          },
          {
            "timestamp": "2026-05-28 22:01:57,271",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4afd",
            "parentcaller": "0x7ff6c28d6ebc",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000320"
              }
            ],
            "repeated": 0,
            "id": 652
          },
          {
            "timestamp": "2026-05-28 22:01:57,271",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4afd",
            "parentcaller": "0x7ff6c28d6ebc",
            "category": "synchronization",
            "api": "NtOpenMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000320"
              },
              {
                "name": "MutexName",
                "value": "Local\\MSCTF.CtfMonitorInstMutexDefault1"
              }
            ],
            "repeated": 0,
            "id": 653
          },
          {
            "timestamp": "2026-05-28 22:01:57,271",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4afd",
            "parentcaller": "0x7ff6c28d6ebc",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000320"
              }
            ],
            "repeated": 0,
            "id": 654
          },
          {
            "timestamp": "2026-05-28 22:01:57,271",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4afd",
            "parentcaller": "0x7ff6c28d6ebc",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 655
          },
          {
            "timestamp": "2026-05-28 22:01:57,271",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4afd",
            "parentcaller": "0x7ff6c28d6ebc",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000000d4"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 656
          },
          {
            "timestamp": "2026-05-28 22:01:57,271",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4afd",
            "parentcaller": "0x7ff6c28d6ebc",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000320"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000000d4"
              },
              {
                "name": "ObjectAttributesName",
                "value": "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\OOBE"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\OOBE"
              }
            ],
            "repeated": 0,
            "id": 657
          },
          {
            "timestamp": "2026-05-28 22:01:57,271",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4afd",
            "parentcaller": "0x7ff6c28d6ebc",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000320"
              },
              {
                "name": "ValueName",
                "value": "LaunchUserOOBE"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\OOBE\\LaunchUserOOBE"
              }
            ],
            "repeated": 0,
            "id": 658
          },
          {
            "timestamp": "2026-05-28 22:01:57,271",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4afd",
            "parentcaller": "0x7ff6c28d6ebc",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000320"
              }
            ],
            "repeated": 0,
            "id": 659
          },
          {
            "timestamp": "2026-05-28 22:01:57,271",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4afd",
            "parentcaller": "0x7ff6c28d6ebc",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc77510000"
              },
              {
                "name": "ModuleName",
                "value": "MSCTF.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 660
          },
          {
            "timestamp": "2026-05-28 22:01:57,271",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4afd",
            "parentcaller": "0x7ff6c28d6ebc",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc77510000"
              },
              {
                "name": "ModuleName",
                "value": "MSCTF.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 661
          },
          {
            "timestamp": "2026-05-28 22:01:57,271",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4afd",
            "parentcaller": "0x7ff6c28d6ebc",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "29"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 662
          },
          {
            "timestamp": "2026-05-28 22:01:57,271",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4afd",
            "parentcaller": "0x7ff6c28d6ebc",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc77fd0000"
              }
            ],
            "repeated": 0,
            "id": 663
          },
          {
            "timestamp": "2026-05-28 22:01:57,271",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4afd",
            "parentcaller": "0x7ff6c28d6ebc",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc77fd0000"
              },
              {
                "name": "FunctionName",
                "value": "RtlRegisterFeatureConfigurationChangeNotification"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc77fd93b0"
              }
            ],
            "repeated": 0,
            "id": 664
          },
          {
            "timestamp": "2026-05-28 22:01:57,271",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4afd",
            "parentcaller": "0x7ff6c28d6ebc",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc77fd0000"
              },
              {
                "name": "FunctionName",
                "value": "NtQueryWnfStateData"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc7806fc40"
              }
            ],
            "repeated": 0,
            "id": 665
          },
          {
            "timestamp": "2026-05-28 22:01:57,271",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4afd",
            "parentcaller": "0x7ff6c28d6ebc",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc77fd0000"
              },
              {
                "name": "FunctionName",
                "value": "RtlSubscribeWnfStateChangeNotification"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc78012460"
              }
            ],
            "repeated": 0,
            "id": 666
          },
          {
            "timestamp": "2026-05-28 22:01:57,271",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4afd",
            "parentcaller": "0x7ff6c28d6ebc",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc77fd0000"
              },
              {
                "name": "FunctionName",
                "value": "RtlDisownModuleHeapAllocation"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc7804fa30"
              }
            ],
            "repeated": 0,
            "id": 667
          },
          {
            "timestamp": "2026-05-28 22:01:57,271",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4afd",
            "parentcaller": "0x7ff6c28d6ebc",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc77fd0000"
              },
              {
                "name": "FunctionName",
                "value": "RtlQueryFeatureConfiguration"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc7802cbd0"
              }
            ],
            "repeated": 0,
            "id": 668
          },
          {
            "timestamp": "2026-05-28 22:01:57,271",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4afd",
            "parentcaller": "0x7ff6c28d6ebc",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc77fd0000"
              },
              {
                "name": "FunctionName",
                "value": "RtlDllShutdownInProgress"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc78033410"
              }
            ],
            "repeated": 0,
            "id": 669
          },
          {
            "timestamp": "2026-05-28 22:01:57,271",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4afd",
            "parentcaller": "0x7ff6c28d6ebc",
            "category": "synchronization",
            "api": "NtCreateMutant",
            "status": true,
            "return": "0x40000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000310"
              },
              {
                "name": "MutexName",
                "value": "Local\\SM0:7912:304:WilStaging_02"
              },
              {
                "name": "InitialOwner",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 670
          },
          {
            "timestamp": "2026-05-28 22:01:57,271",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4afd",
            "parentcaller": "0x7ff6c28d6ebc",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000310"
              },
              {
                "name": "Milliseconds",
                "value": "18446744073709551615"
              },
              {
                "name": "Status",
                "value": "Infinite"
              }
            ],
            "repeated": 0,
            "id": 671
          },
          {
            "timestamp": "2026-05-28 22:01:57,271",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4afd",
            "parentcaller": "0x7ff6c28d6ebc",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 672
          },
          {
            "timestamp": "2026-05-28 22:01:57,271",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4afd",
            "parentcaller": "0x7ff6c28d6ebc",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000318"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 673
          },
          {
            "timestamp": "2026-05-28 22:01:57,271",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4afd",
            "parentcaller": "0x7ff6c28d6ebc",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 674
          },
          {
            "timestamp": "2026-05-28 22:01:57,271",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4afd",
            "parentcaller": "0x7ff6c28d6ebc",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000324"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 675
          },
          {
            "timestamp": "2026-05-28 22:01:57,271",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4afd",
            "parentcaller": "0x7ff6c28d6ebc",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000324"
              }
            ],
            "repeated": 0,
            "id": 676
          },
          {
            "timestamp": "2026-05-28 22:01:57,271",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4afd",
            "parentcaller": "0x7ff6c28d6ebc",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000318"
              }
            ],
            "repeated": 0,
            "id": 677
          },
          {
            "timestamp": "2026-05-28 22:01:57,271",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4afd",
            "parentcaller": "0x7ff6c28d6ebc",
            "category": "synchronization",
            "api": "NtReleaseMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000310"
              }
            ],
            "repeated": 0,
            "id": 678
          },
          {
            "timestamp": "2026-05-28 22:01:57,271",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4afd",
            "parentcaller": "0x7ff6c28d6ebc",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000310"
              }
            ],
            "repeated": 0,
            "id": 679
          },
          {
            "timestamp": "2026-05-28 22:01:57,271",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4afd",
            "parentcaller": "0x7ff6c28d6ebc",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "93"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x7f7\\x9e}"
              }
            ],
            "repeated": 0,
            "id": 680
          },
          {
            "timestamp": "2026-05-28 22:01:57,271",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4afd",
            "parentcaller": "0x7ff6c28d6ebc",
            "category": "process",
            "api": "NtOpenSection",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0000000d"
              },
              {
                "name": "ObjectAttributes",
                "value": "textinputframework.dll"
              }
            ],
            "repeated": 0,
            "id": 681
          },
          {
            "timestamp": "2026-05-28 22:01:57,271",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4afd",
            "parentcaller": "0x7ff6c28d6ebc",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\textinputframework.dll"
              }
            ],
            "repeated": 0,
            "id": 682
          },
          {
            "timestamp": "2026-05-28 22:01:57,271",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4afd",
            "parentcaller": "0x7ff6c28d6ebc",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000318"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100021",
                "pretty_value": "FILE_READ_ACCESS|FILE_EXECUTE|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\textinputframework.dll"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 683
          },
          {
            "timestamp": "2026-05-28 22:01:57,271",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4afd",
            "parentcaller": "0x7ff6c28d6ebc",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000324"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0000000d",
                "pretty_value": "SECTION_QUERY|SECTION_MAP_READ|SECTION_MAP_EXECUTE"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000318"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\TextInputFramework.dll"
              }
            ],
            "repeated": 0,
            "id": 684
          },
          {
            "timestamp": "2026-05-28 22:01:57,271",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4afd",
            "parentcaller": "0x7ff6c28d6ebc",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000324"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc69d70000"
              },
              {
                "name": "SectionOffset",
                "value": "0x00000000"
              },
              {
                "name": "ViewSize",
                "value": "0x000f9000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000080",
                "pretty_value": "PAGE_EXECUTE_WRITECOPY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 685
          },
          {
            "timestamp": "2026-05-28 22:01:57,271",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4afd",
            "parentcaller": "0x7ff6c28d6ebc",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc69e64000"
              },
              {
                "name": "ModuleName",
                "value": "textinputframework.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 686
          },
          {
            "timestamp": "2026-05-28 22:01:57,271",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4afd",
            "parentcaller": "0x7ff6c28d6ebc",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc69e2a000"
              },
              {
                "name": "ModuleName",
                "value": "textinputframework.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 687
          },
          {
            "timestamp": "2026-05-28 22:01:57,271",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4afd",
            "parentcaller": "0x7ff6c28d6ebc",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc69e2a000"
              },
              {
                "name": "ModuleName",
                "value": "textinputframework.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 688
          },
          {
            "timestamp": "2026-05-28 22:01:57,271",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4afd",
            "parentcaller": "0x7ff6c28d6ebc",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc69e2a000"
              },
              {
                "name": "ModuleName",
                "value": "textinputframework.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 689
          },
          {
            "timestamp": "2026-05-28 22:01:57,271",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4afd",
            "parentcaller": "0x7ff6c28d6ebc",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc69e2a000"
              },
              {
                "name": "ModuleName",
                "value": "textinputframework.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 690
          },
          {
            "timestamp": "2026-05-28 22:01:57,271",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4afd",
            "parentcaller": "0x7ff6c28d6ebc",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc69e2a000"
              },
              {
                "name": "ModuleName",
                "value": "textinputframework.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 691
          },
          {
            "timestamp": "2026-05-28 22:01:57,271",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4afd",
            "parentcaller": "0x7ff6c28d6ebc",
            "category": "process",
            "api": "NtOpenSection",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0000000d"
              },
              {
                "name": "ObjectAttributes",
                "value": "CoreUIComponents.dll"
              }
            ],
            "repeated": 0,
            "id": 692
          },
          {
            "timestamp": "2026-05-28 22:01:57,271",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4afd",
            "parentcaller": "0x7ff6c28d6ebc",
            "category": "process",
            "api": "NtOpenSection",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0000000d"
              },
              {
                "name": "ObjectAttributes",
                "value": "CoreMessaging.dll"
              }
            ],
            "repeated": 0,
            "id": 693
          },
          {
            "timestamp": "2026-05-28 22:01:57,271",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4afd",
            "parentcaller": "0x7ff6c28d6ebc",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000324"
              }
            ],
            "repeated": 0,
            "id": 694
          },
          {
            "timestamp": "2026-05-28 22:01:57,271",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4afd",
            "parentcaller": "0x7ff6c28d6ebc",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000318"
              }
            ],
            "repeated": 0,
            "id": 695
          },
          {
            "timestamp": "2026-05-28 22:01:57,271",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4afd",
            "parentcaller": "0x7ff6c28d6ebc",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\CoreUIComponents.dll"
              }
            ],
            "repeated": 0,
            "id": 696
          },
          {
            "timestamp": "2026-05-28 22:01:57,271",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4afd",
            "parentcaller": "0x7ff6c28d6ebc",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000318"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100021",
                "pretty_value": "FILE_READ_ACCESS|FILE_EXECUTE|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\CoreUIComponents.dll"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 697
          },
          {
            "timestamp": "2026-05-28 22:01:57,271",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4afd",
            "parentcaller": "0x7ff6c28d6ebc",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000324"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0000000d",
                "pretty_value": "SECTION_QUERY|SECTION_MAP_READ|SECTION_MAP_EXECUTE"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000318"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\CoreUIComponents.dll"
              }
            ],
            "repeated": 0,
            "id": 698
          },
          {
            "timestamp": "2026-05-28 22:01:57,271",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4afd",
            "parentcaller": "0x7ff6c28d6ebc",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000324"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc72590000"
              },
              {
                "name": "SectionOffset",
                "value": "0x00000000"
              },
              {
                "name": "ViewSize",
                "value": "0x0035b000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000080",
                "pretty_value": "PAGE_EXECUTE_WRITECOPY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 699
          },
          {
            "timestamp": "2026-05-28 22:01:57,271",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4afd",
            "parentcaller": "0x7ff6c28d6ebc",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc7289c000"
              },
              {
                "name": "ModuleName",
                "value": "CoreUIComponents.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 700
          },
          {
            "timestamp": "2026-05-28 22:01:57,271",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4afd",
            "parentcaller": "0x7ff6c28d6ebc",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc72748000"
              },
              {
                "name": "ModuleName",
                "value": "CoreUIComponents.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 701
          },
          {
            "timestamp": "2026-05-28 22:01:57,271",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4afd",
            "parentcaller": "0x7ff6c28d6ebc",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc72748000"
              },
              {
                "name": "ModuleName",
                "value": "CoreUIComponents.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 702
          },
          {
            "timestamp": "2026-05-28 22:01:57,271",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4afd",
            "parentcaller": "0x7ff6c28d6ebc",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc72748000"
              },
              {
                "name": "ModuleName",
                "value": "CoreUIComponents.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 703
          },
          {
            "timestamp": "2026-05-28 22:01:57,271",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4afd",
            "parentcaller": "0x7ff6c28d6ebc",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc72748000"
              },
              {
                "name": "ModuleName",
                "value": "CoreUIComponents.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 704
          },
          {
            "timestamp": "2026-05-28 22:01:57,271",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4afd",
            "parentcaller": "0x7ff6c28d6ebc",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc72748000"
              },
              {
                "name": "ModuleName",
                "value": "CoreUIComponents.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 705
          },
          {
            "timestamp": "2026-05-28 22:01:57,271",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4afd",
            "parentcaller": "0x7ff6c28d6ebc",
            "category": "process",
            "api": "NtOpenSection",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0000000d"
              },
              {
                "name": "ObjectAttributes",
                "value": "ntmarta.dll"
              }
            ],
            "repeated": 0,
            "id": 706
          },
          {
            "timestamp": "2026-05-28 22:01:57,271",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4afd",
            "parentcaller": "0x7ff6c28d6ebc",
            "category": "process",
            "api": "NtOpenSection",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0000000d"
              },
              {
                "name": "ObjectAttributes",
                "value": "CoreMessaging.dll"
              }
            ],
            "repeated": 0,
            "id": 707
          },
          {
            "timestamp": "2026-05-28 22:01:57,271",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4afd",
            "parentcaller": "0x7ff6c28d6ebc",
            "category": "process",
            "api": "NtOpenSection",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0000000d"
              },
              {
                "name": "ObjectAttributes",
                "value": "wintypes.dll"
              }
            ],
            "repeated": 2,
            "id": 708
          },
          {
            "timestamp": "2026-05-28 22:01:57,271",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4afd",
            "parentcaller": "0x7ff6c28d6ebc",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000324"
              }
            ],
            "repeated": 0,
            "id": 709
          },
          {
            "timestamp": "2026-05-28 22:01:57,271",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4afd",
            "parentcaller": "0x7ff6c28d6ebc",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000318"
              }
            ],
            "repeated": 0,
            "id": 710
          },
          {
            "timestamp": "2026-05-28 22:01:57,271",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4afd",
            "parentcaller": "0x7ff6c28d6ebc",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\CoreMessaging.dll"
              }
            ],
            "repeated": 0,
            "id": 711
          },
          {
            "timestamp": "2026-05-28 22:01:57,271",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4afd",
            "parentcaller": "0x7ff6c28d6ebc",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000318"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100021",
                "pretty_value": "FILE_READ_ACCESS|FILE_EXECUTE|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\CoreMessaging.dll"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 712
          },
          {
            "timestamp": "2026-05-28 22:01:57,271",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4afd",
            "parentcaller": "0x7ff6c28d6ebc",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000324"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0000000d",
                "pretty_value": "SECTION_QUERY|SECTION_MAP_READ|SECTION_MAP_EXECUTE"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000318"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\CoreMessaging.dll"
              }
            ],
            "repeated": 0,
            "id": 713
          },
          {
            "timestamp": "2026-05-28 22:01:57,271",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4afd",
            "parentcaller": "0x7ff6c28d6ebc",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000324"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc729f0000"
              },
              {
                "name": "SectionOffset",
                "value": "0x00000000"
              },
              {
                "name": "ViewSize",
                "value": "0x000f2000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000080",
                "pretty_value": "PAGE_EXECUTE_WRITECOPY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 714
          },
          {
            "timestamp": "2026-05-28 22:01:57,271",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4afd",
            "parentcaller": "0x7ff6c28d6ebc",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc72ad0000"
              },
              {
                "name": "ModuleName",
                "value": "CoreMessaging.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 715
          },
          {
            "timestamp": "2026-05-28 22:01:57,271",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4afd",
            "parentcaller": "0x7ff6c28d6ebc",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc72a86000"
              },
              {
                "name": "ModuleName",
                "value": "CoreMessaging.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 716
          },
          {
            "timestamp": "2026-05-28 22:01:57,271",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4afd",
            "parentcaller": "0x7ff6c28d6ebc",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc72a86000"
              },
              {
                "name": "ModuleName",
                "value": "CoreMessaging.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 717
          },
          {
            "timestamp": "2026-05-28 22:01:57,271",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4afd",
            "parentcaller": "0x7ff6c28d6ebc",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc72a86000"
              },
              {
                "name": "ModuleName",
                "value": "CoreMessaging.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 718
          },
          {
            "timestamp": "2026-05-28 22:01:57,271",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4afd",
            "parentcaller": "0x7ff6c28d6ebc",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc72a86000"
              },
              {
                "name": "ModuleName",
                "value": "CoreMessaging.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 719
          },
          {
            "timestamp": "2026-05-28 22:01:57,271",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4afd",
            "parentcaller": "0x7ff6c28d6ebc",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc72a86000"
              },
              {
                "name": "ModuleName",
                "value": "CoreMessaging.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 720
          },
          {
            "timestamp": "2026-05-28 22:01:57,271",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4afd",
            "parentcaller": "0x7ff6c28d6ebc",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000324"
              }
            ],
            "repeated": 0,
            "id": 721
          },
          {
            "timestamp": "2026-05-28 22:01:57,271",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4afd",
            "parentcaller": "0x7ff6c28d6ebc",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000318"
              }
            ],
            "repeated": 0,
            "id": 722
          },
          {
            "timestamp": "2026-05-28 22:01:57,271",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4afd",
            "parentcaller": "0x7ff6c28d6ebc",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\ntmarta.dll"
              }
            ],
            "repeated": 0,
            "id": 723
          },
          {
            "timestamp": "2026-05-28 22:01:57,271",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4afd",
            "parentcaller": "0x7ff6c28d6ebc",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000318"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100021",
                "pretty_value": "FILE_READ_ACCESS|FILE_EXECUTE|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\ntmarta.dll"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 724
          },
          {
            "timestamp": "2026-05-28 22:01:57,271",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4afd",
            "parentcaller": "0x7ff6c28d6ebc",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000324"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0000000d",
                "pretty_value": "SECTION_QUERY|SECTION_MAP_READ|SECTION_MAP_EXECUTE"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000318"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\ntmarta.dll"
              }
            ],
            "repeated": 0,
            "id": 725
          },
          {
            "timestamp": "2026-05-28 22:01:57,271",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4afd",
            "parentcaller": "0x7ff6c28d6ebc",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000324"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc747f0000"
              },
              {
                "name": "SectionOffset",
                "value": "0x00000000"
              },
              {
                "name": "ViewSize",
                "value": "0x00033000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000080",
                "pretty_value": "PAGE_EXECUTE_WRITECOPY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 726
          },
          {
            "timestamp": "2026-05-28 22:01:57,271",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4afd",
            "parentcaller": "0x7ff6c28d6ebc",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc74820000"
              },
              {
                "name": "ModuleName",
                "value": "ntmarta.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 727
          },
          {
            "timestamp": "2026-05-28 22:01:57,271",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4afd",
            "parentcaller": "0x7ff6c28d6ebc",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc74814000"
              },
              {
                "name": "ModuleName",
                "value": "ntmarta.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 728
          },
          {
            "timestamp": "2026-05-28 22:01:57,271",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4afd",
            "parentcaller": "0x7ff6c28d6ebc",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc74814000"
              },
              {
                "name": "ModuleName",
                "value": "ntmarta.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 729
          },
          {
            "timestamp": "2026-05-28 22:01:57,271",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4afd",
            "parentcaller": "0x7ff6c28d6ebc",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc74814000"
              },
              {
                "name": "ModuleName",
                "value": "ntmarta.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 730
          },
          {
            "timestamp": "2026-05-28 22:01:57,271",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4afd",
            "parentcaller": "0x7ff6c28d6ebc",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc74814000"
              },
              {
                "name": "ModuleName",
                "value": "ntmarta.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 731
          },
          {
            "timestamp": "2026-05-28 22:01:57,271",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4afd",
            "parentcaller": "0x7ff6c28d6ebc",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc74814000"
              },
              {
                "name": "ModuleName",
                "value": "ntmarta.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 732
          },
          {
            "timestamp": "2026-05-28 22:01:57,271",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4afd",
            "parentcaller": "0x7ff6c28d6ebc",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000324"
              }
            ],
            "repeated": 0,
            "id": 733
          },
          {
            "timestamp": "2026-05-28 22:01:57,271",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4afd",
            "parentcaller": "0x7ff6c28d6ebc",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000318"
              }
            ],
            "repeated": 0,
            "id": 734
          },
          {
            "timestamp": "2026-05-28 22:01:57,271",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4afd",
            "parentcaller": "0x7ff6c28d6ebc",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\CoreMessaging.dll"
              }
            ],
            "repeated": 0,
            "id": 735
          },
          {
            "timestamp": "2026-05-28 22:01:57,271",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4afd",
            "parentcaller": "0x7ff6c28d6ebc",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\WinTypes.dll"
              }
            ],
            "repeated": 0,
            "id": 736
          },
          {
            "timestamp": "2026-05-28 22:01:57,271",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4afd",
            "parentcaller": "0x7ff6c28d6ebc",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000318"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100021",
                "pretty_value": "FILE_READ_ACCESS|FILE_EXECUTE|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\WinTypes.dll"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 737
          },
          {
            "timestamp": "2026-05-28 22:01:57,271",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4afd",
            "parentcaller": "0x7ff6c28d6ebc",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000324"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0000000d",
                "pretty_value": "SECTION_QUERY|SECTION_MAP_READ|SECTION_MAP_EXECUTE"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000318"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\WinTypes.dll"
              }
            ],
            "repeated": 0,
            "id": 738
          },
          {
            "timestamp": "2026-05-28 22:01:57,271",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4afd",
            "parentcaller": "0x7ff6c28d6ebc",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000324"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc71ec0000"
              },
              {
                "name": "SectionOffset",
                "value": "0x00000000"
              },
              {
                "name": "ViewSize",
                "value": "0x00155000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000080",
                "pretty_value": "PAGE_EXECUTE_WRITECOPY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 739
          },
          {
            "timestamp": "2026-05-28 22:01:57,271",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4afd",
            "parentcaller": "0x7ff6c28d6ebc",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc71ffd000"
              },
              {
                "name": "ModuleName",
                "value": "wintypes.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 740
          },
          {
            "timestamp": "2026-05-28 22:01:57,271",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4afd",
            "parentcaller": "0x7ff6c28d6ebc",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc71fb6000"
              },
              {
                "name": "ModuleName",
                "value": "wintypes.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 741
          },
          {
            "timestamp": "2026-05-28 22:01:57,271",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4afd",
            "parentcaller": "0x7ff6c28d6ebc",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc71fb6000"
              },
              {
                "name": "ModuleName",
                "value": "wintypes.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 742
          },
          {
            "timestamp": "2026-05-28 22:01:57,271",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4afd",
            "parentcaller": "0x7ff6c28d6ebc",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc71fb6000"
              },
              {
                "name": "ModuleName",
                "value": "wintypes.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 743
          },
          {
            "timestamp": "2026-05-28 22:01:57,271",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4afd",
            "parentcaller": "0x7ff6c28d6ebc",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc71fb6000"
              },
              {
                "name": "ModuleName",
                "value": "wintypes.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 744
          },
          {
            "timestamp": "2026-05-28 22:01:57,271",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4afd",
            "parentcaller": "0x7ff6c28d6ebc",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc71fb5000"
              },
              {
                "name": "ModuleName",
                "value": "wintypes.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00002000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 745
          },
          {
            "timestamp": "2026-05-28 22:01:57,271",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4afd",
            "parentcaller": "0x7ff6c28d6ebc",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000324"
              }
            ],
            "repeated": 0,
            "id": 746
          },
          {
            "timestamp": "2026-05-28 22:01:57,271",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4afd",
            "parentcaller": "0x7ff6c28d6ebc",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000318"
              }
            ],
            "repeated": 0,
            "id": 747
          },
          {
            "timestamp": "2026-05-28 22:01:57,271",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4afd",
            "parentcaller": "0x7ff6c28d6ebc",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\WinTypes.dll"
              }
            ],
            "repeated": 1,
            "id": 748
          },
          {
            "timestamp": "2026-05-28 22:01:57,271",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4afd",
            "parentcaller": "0x7ff6c28d6ebc",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc69e2a000"
              },
              {
                "name": "ModuleName",
                "value": "textinputframework.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 749
          },
          {
            "timestamp": "2026-05-28 22:01:57,271",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4afd",
            "parentcaller": "0x7ff6c28d6ebc",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc72a86000"
              },
              {
                "name": "ModuleName",
                "value": "CoreMessaging.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 750
          },
          {
            "timestamp": "2026-05-28 22:01:57,271",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4afd",
            "parentcaller": "0x7ff6c28d6ebc",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc74814000"
              },
              {
                "name": "ModuleName",
                "value": "ntmarta.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 751
          },
          {
            "timestamp": "2026-05-28 22:01:57,271",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4afd",
            "parentcaller": "0x7ff6c28d6ebc",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc71fb5000"
              },
              {
                "name": "ModuleName",
                "value": "wintypes.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00002000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 752
          },
          {
            "timestamp": "2026-05-28 22:01:57,271",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4afd",
            "parentcaller": "0x7ff6c28d6ebc",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc72748000"
              },
              {
                "name": "ModuleName",
                "value": "CoreUIComponents.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 753
          },
          {
            "timestamp": "2026-05-28 22:01:57,271",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4afd",
            "parentcaller": "0x7ff6c28d6ebc",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "35"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x06\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x8c\\x0c\\x7f\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x9a\\x0c\\x91\\x04\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xa6\\x0c\\xa4\\x04\\x02\\x00\\x00\\x00\\xb2\\x0c\\xa6\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 754
          },
          {
            "timestamp": "2026-05-28 22:01:57,271",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4afd",
            "parentcaller": "0x7ff6c28d6ebc",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\SYSTEM32\\ntmarta"
              },
              {
                "name": "DllBase",
                "value": "0x7ffc747f0000"
              }
            ],
            "repeated": 0,
            "id": 755
          },
          {
            "timestamp": "2026-05-28 22:01:57,271",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4afd",
            "parentcaller": "0x7ff6c28d6ebc",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\System32\\CoreMessaging"
              },
              {
                "name": "DllBase",
                "value": "0x7ffc729f0000"
              }
            ],
            "repeated": 0,
            "id": 756
          },
          {
            "timestamp": "2026-05-28 22:01:57,271",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4afd",
            "parentcaller": "0x7ff6c28d6ebc",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\SYSTEM32\\wintypes"
              },
              {
                "name": "DllBase",
                "value": "0x7ffc71ec0000"
              }
            ],
            "repeated": 0,
            "id": 757
          },
          {
            "timestamp": "2026-05-28 22:01:57,271",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4afd",
            "parentcaller": "0x7ff6c28d6ebc",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\System32\\CoreUIComponents"
              },
              {
                "name": "DllBase",
                "value": "0x7ffc72590000"
              }
            ],
            "repeated": 0,
            "id": 758
          },
          {
            "timestamp": "2026-05-28 22:01:57,271",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4afd",
            "parentcaller": "0x7ff6c28d6ebc",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\SYSTEM32\\textinputframework"
              },
              {
                "name": "DllBase",
                "value": "0x7ffc69d70000"
              }
            ],
            "repeated": 0,
            "id": 759
          },
          {
            "timestamp": "2026-05-28 22:01:57,271",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4afd",
            "parentcaller": "0x7ff6c28d6ebc",
            "category": "system",
            "api": "LdrpCallInitRoutine",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "MappedPath",
                "value": "\\Device\\HarddiskVolume2\\Windows\\System32\\ntmarta"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc747f0000"
              },
              {
                "name": "InitRoutine",
                "value": "0x7ffc747f6930"
              },
              {
                "name": "Reason",
                "value": "1"
              }
            ],
            "repeated": 0,
            "id": 760
          },
          {
            "timestamp": "2026-05-28 22:01:57,271",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4afd",
            "parentcaller": "0x7ff6c28d6ebc",
            "category": "system",
            "api": "LdrpCallInitRoutine",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "MappedPath",
                "value": "\\Device\\HarddiskVolume2\\Windows\\System32\\CoreMessaging"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc729f0000"
              },
              {
                "name": "InitRoutine",
                "value": "0x7ffc72a470e0"
              },
              {
                "name": "Reason",
                "value": "1"
              }
            ],
            "repeated": 0,
            "id": 761
          },
          {
            "timestamp": "2026-05-28 22:01:57,271",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4afd",
            "parentcaller": "0x7ff6c28d6ebc",
            "category": "system",
            "api": "LdrpCallInitRoutine",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "MappedPath",
                "value": "\\Device\\HarddiskVolume2\\Windows\\System32\\WinTypes"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc71ec0000"
              },
              {
                "name": "InitRoutine",
                "value": "0x7ffc71eead60"
              },
              {
                "name": "Reason",
                "value": "1"
              }
            ],
            "repeated": 0,
            "id": 762
          },
          {
            "timestamp": "2026-05-28 22:01:57,271",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4afd",
            "parentcaller": "0x7ff6c28d6ebc",
            "category": "system",
            "api": "LdrpCallInitRoutine",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "MappedPath",
                "value": "\\Device\\HarddiskVolume2\\Windows\\System32\\CoreUIComponents"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc72590000"
              },
              {
                "name": "InitRoutine",
                "value": "0x7ffc72612fe0"
              },
              {
                "name": "Reason",
                "value": "1"
              }
            ],
            "repeated": 0,
            "id": 763
          },
          {
            "timestamp": "2026-05-28 22:01:57,271",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4afd",
            "parentcaller": "0x7ff6c28d6ebc",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2924e1e8000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 764
          },
          {
            "timestamp": "2026-05-28 22:01:57,271",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4afd",
            "parentcaller": "0x7ff6c28d6ebc",
            "category": "system",
            "api": "LdrpCallInitRoutine",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "MappedPath",
                "value": "\\Device\\HarddiskVolume2\\Windows\\System32\\TextInputFramework"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc69d70000"
              },
              {
                "name": "InitRoutine",
                "value": "0x7ffc69dae8e0"
              },
              {
                "name": "Reason",
                "value": "1"
              }
            ],
            "repeated": 0,
            "id": 765
          },
          {
            "timestamp": "2026-05-28 22:01:57,271",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4afd",
            "parentcaller": "0x7ff6c28d6ebc",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc77510000"
              },
              {
                "name": "ModuleName",
                "value": "MSCTF.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 766
          },
          {
            "timestamp": "2026-05-28 22:01:57,271",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4afd",
            "parentcaller": "0x7ff6c28d6ebc",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc77510000"
              },
              {
                "name": "ModuleName",
                "value": "MSCTF.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 767
          },
          {
            "timestamp": "2026-05-28 22:01:57,271",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4afd",
            "parentcaller": "0x7ff6c28d6ebc",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000008c"
              },
              {
                "name": "ValueName",
                "value": "000603xx"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "Information",
                "value": "kernel32.dll"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\Sorting\\Versions\\000603xx"
              }
            ],
            "repeated": 0,
            "id": 768
          },
          {
            "timestamp": "2026-05-28 22:01:57,271",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4afd",
            "parentcaller": "0x7ff6c28d6ebc",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "kernel32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76030000"
              }
            ],
            "repeated": 0,
            "id": 769
          },
          {
            "timestamp": "2026-05-28 22:01:57,271",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4afd",
            "parentcaller": "0x7ff6c28d6ebc",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x7ffc76030000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "kernel32.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 770
          },
          {
            "timestamp": "2026-05-28 22:01:57,271",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4afd",
            "parentcaller": "0x7ff6c28d6ebc",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "KERNEL32.DLL"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc76030000"
              },
              {
                "name": "FunctionName",
                "value": "SortGetHandle"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc7603a190"
              }
            ],
            "repeated": 0,
            "id": 771
          },
          {
            "timestamp": "2026-05-28 22:01:57,271",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4afd",
            "parentcaller": "0x7ff6c28d6ebc",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "KERNEL32.DLL"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc76030000"
              },
              {
                "name": "FunctionName",
                "value": "SortCloseHandle"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc76050170"
              }
            ],
            "repeated": 0,
            "id": 772
          },
          {
            "timestamp": "2026-05-28 22:01:57,271",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4afd",
            "parentcaller": "0x7ff6c28d6ebc",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000364"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Globalization\\Sorting\\sortdefault.nls"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "1",
                "pretty_value": "FILE_SHARE_READ"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000080",
                "pretty_value": "FILE_ATTRIBUTE_NORMAL"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 773
          },
          {
            "timestamp": "2026-05-28 22:01:57,271",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4afd",
            "parentcaller": "0x7ff6c28d6ebc",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000368"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000364"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Globalization\\Sorting\\SortDefault.nls"
              }
            ],
            "repeated": 0,
            "id": 774
          },
          {
            "timestamp": "2026-05-28 22:01:57,271",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4afd",
            "parentcaller": "0x7ff6c28d6ebc",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000368"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29252f50000"
              },
              {
                "name": "SectionOffset",
                "value": "0xf09d76da70"
              },
              {
                "name": "ViewSize",
                "value": "0x00338000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 775
          },
          {
            "timestamp": "2026-05-28 22:01:57,271",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4afd",
            "parentcaller": "0x7ff6c28d6ebc",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000368"
              }
            ],
            "repeated": 0,
            "id": 776
          },
          {
            "timestamp": "2026-05-28 22:01:57,271",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4afd",
            "parentcaller": "0x7ff6c28d6ebc",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000364"
              }
            ],
            "repeated": 0,
            "id": 777
          },
          {
            "timestamp": "2026-05-28 22:01:57,271",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4afd",
            "parentcaller": "0x7ff6c28d6ebc",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000364"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\System\\CurrentControlSet\\Control\\Nls\\Sorting\\Ids"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Nls\\Sorting\\Ids"
              }
            ],
            "repeated": 0,
            "id": 778
          },
          {
            "timestamp": "2026-05-28 22:01:57,271",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4afd",
            "parentcaller": "0x7ff6c28d6ebc",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "SOFTWARE\\Microsoft\\CTF\\Compatibility\\AppCompatClassName"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\Compatibility\\AppCompatClassName"
              }
            ],
            "repeated": 0,
            "id": 779
          },
          {
            "timestamp": "2026-05-28 22:01:57,271",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4afd",
            "parentcaller": "0x7ff6c28d6ebc",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc773f8000"
              },
              {
                "name": "ModuleName",
                "value": "OLEAUT32.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 780
          },
          {
            "timestamp": "2026-05-28 22:01:57,271",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4afd",
            "parentcaller": "0x7ff6c28d6ebc",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc773f8000"
              },
              {
                "name": "ModuleName",
                "value": "OLEAUT32.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 781
          },
          {
            "timestamp": "2026-05-28 22:01:57,271",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4afd",
            "parentcaller": "0x7ff6c28d6ebc",
            "category": "synchronization",
            "api": "NtOpenEvent",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000001"
              },
              {
                "name": "EventName",
                "value": "Local\\1ImmersiveFocusTrackingActiveEvent"
              }
            ],
            "repeated": 0,
            "id": 782
          },
          {
            "timestamp": "2026-05-28 22:01:57,271",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4afd",
            "parentcaller": "0x7ff6c28d6ebc",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29253290000"
              },
              {
                "name": "RegionSize",
                "value": "0x00100000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 783
          },
          {
            "timestamp": "2026-05-28 22:01:57,271",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4afd",
            "parentcaller": "0x7ff6c28d6ebc",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29253290000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 784
          },
          {
            "timestamp": "2026-05-28 22:01:57,271",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4afd",
            "parentcaller": "0x7ff6c28d6ebc",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 0,
            "id": 785
          },
          {
            "timestamp": "2026-05-28 22:01:57,271",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4afd",
            "parentcaller": "0x7ff6c28d6ebc",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc77510000"
              },
              {
                "name": "ModuleName",
                "value": "MSCTF.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 786
          },
          {
            "timestamp": "2026-05-28 22:01:57,271",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4afd",
            "parentcaller": "0x7ff6c28d6ebc",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc77510000"
              },
              {
                "name": "ModuleName",
                "value": "MSCTF.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 787
          },
          {
            "timestamp": "2026-05-28 22:01:57,271",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4afd",
            "parentcaller": "0x7ff6c28d6ebc",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2924e1e9000"
              },
              {
                "name": "RegionSize",
                "value": "0x00006000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 788
          },
          {
            "timestamp": "2026-05-28 22:01:57,271",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4afd",
            "parentcaller": "0x7ff6c28d6ebc",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "SOFTWARE\\Microsoft\\CTF\\"
              },
              {
                "name": "Handle",
                "value": "0x00000368"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\"
              }
            ],
            "repeated": 0,
            "id": 789
          },
          {
            "timestamp": "2026-05-28 22:01:57,271",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4afd",
            "parentcaller": "0x7ff6c28d6ebc",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000368"
              },
              {
                "name": "ValueName",
                "value": "EnableAnchorContext"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\EnableAnchorContext"
              }
            ],
            "repeated": 0,
            "id": 790
          },
          {
            "timestamp": "2026-05-28 22:01:57,271",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4afd",
            "parentcaller": "0x7ff6c28d6ebc",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000368"
              }
            ],
            "repeated": 0,
            "id": 791
          },
          {
            "timestamp": "2026-05-28 22:01:57,271",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4afd",
            "parentcaller": "0x7ff6c28d6ebc",
            "category": "misc",
            "api": "GetSystemInfo",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 792
          },
          {
            "timestamp": "2026-05-28 22:01:57,271",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4afd",
            "parentcaller": "0x7ff6c28d6ebc",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29253390000"
              },
              {
                "name": "RegionSize",
                "value": "0x00800000"
              },
              {
                "name": "Protection",
                "value": "0x00000001",
                "pretty_value": "PAGE_NOACCESS"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 793
          },
          {
            "timestamp": "2026-05-28 22:01:57,271",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4afd",
            "parentcaller": "0x7ff6c28d6ebc",
            "category": "misc",
            "api": "GetSystemInfo",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 794
          },
          {
            "timestamp": "2026-05-28 22:01:57,271",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4afd",
            "parentcaller": "0x7ff6c28d6ebc",
            "category": "misc",
            "api": "NtQuerySystemInformation",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SystemInformationClass",
                "value": "58"
              }
            ],
            "repeated": 0,
            "id": 795
          },
          {
            "timestamp": "2026-05-28 22:01:57,271",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4afd",
            "parentcaller": "0x7ff6c28d6ebc",
            "category": "system",
            "api": "NtDuplicateObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SourceProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "SourceHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "TargetProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "TargetHandle",
                "value": "0x00000328"
              },
              {
                "name": "Options",
                "value": "0x00000002"
              }
            ],
            "repeated": 0,
            "id": 796
          },
          {
            "timestamp": "2026-05-28 22:01:57,287",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4afd",
            "parentcaller": "0x7ff6c28d6ebc",
            "category": "system",
            "api": "GetSystemTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 797
          },
          {
            "timestamp": "2026-05-28 22:01:57,287",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4afd",
            "parentcaller": "0x7ff6c28d6ebc",
            "category": "system",
            "api": "NtDuplicateObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SourceProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "SourceHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "TargetProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "TargetHandle",
                "value": "0x00000390"
              },
              {
                "name": "Options",
                "value": "0x00000002"
              }
            ],
            "repeated": 0,
            "id": 798
          },
          {
            "timestamp": "2026-05-28 22:01:57,287",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4afd",
            "parentcaller": "0x7ff6c28d6ebc",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "ext-ms-win-rtcore-ntuser-window-ext-l1-1-0.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc762a0000"
              }
            ],
            "repeated": 0,
            "id": 799
          },
          {
            "timestamp": "2026-05-28 22:01:57,287",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4afd",
            "parentcaller": "0x7ff6c28d6ebc",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc72ad0000"
              },
              {
                "name": "ModuleName",
                "value": "CoreMessaging.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 800
          },
          {
            "timestamp": "2026-05-28 22:01:57,287",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4afd",
            "parentcaller": "0x7ff6c28d6ebc",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "ext-ms-win-rtcore-ntuser-window-ext-l1-1-0.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc762a0000"
              }
            ],
            "repeated": 0,
            "id": 801
          },
          {
            "timestamp": "2026-05-28 22:01:57,287",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4afd",
            "parentcaller": "0x7ff6c28d6ebc",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x7ffc762a0000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "ext-ms-win-rtcore-ntuser-window-ext-l1-1-0.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 802
          },
          {
            "timestamp": "2026-05-28 22:01:57,287",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4afd",
            "parentcaller": "0x7ff6c28d6ebc",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "USER32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc762a0000"
              },
              {
                "name": "FunctionName",
                "value": "IsGUIThread"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc762c8050"
              }
            ],
            "repeated": 0,
            "id": 803
          },
          {
            "timestamp": "2026-05-28 22:01:57,287",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4afd",
            "parentcaller": "0x7ff6c28d6ebc",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc72ad0000"
              },
              {
                "name": "ModuleName",
                "value": "CoreMessaging.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 804
          },
          {
            "timestamp": "2026-05-28 22:01:57,287",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4afd",
            "parentcaller": "0x7ff6c28d6ebc",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc77fd0000"
              }
            ],
            "repeated": 0,
            "id": 805
          },
          {
            "timestamp": "2026-05-28 22:01:57,287",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4afd",
            "parentcaller": "0x7ff6c28d6ebc",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc77fd0000"
              },
              {
                "name": "FunctionName",
                "value": "RtlRegisterFeatureConfigurationChangeNotification"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc77fd93b0"
              }
            ],
            "repeated": 0,
            "id": 806
          },
          {
            "timestamp": "2026-05-28 22:01:57,287",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4afd",
            "parentcaller": "0x7ff6c28d6ebc",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc77fd0000"
              },
              {
                "name": "FunctionName",
                "value": "NtQueryWnfStateData"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc7806fc40"
              }
            ],
            "repeated": 0,
            "id": 807
          },
          {
            "timestamp": "2026-05-28 22:01:57,287",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4afd",
            "parentcaller": "0x7ff6c28d6ebc",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc77fd0000"
              },
              {
                "name": "FunctionName",
                "value": "RtlSubscribeWnfStateChangeNotification"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc78012460"
              }
            ],
            "repeated": 0,
            "id": 808
          },
          {
            "timestamp": "2026-05-28 22:01:57,287",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4afd",
            "parentcaller": "0x7ff6c28d6ebc",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc77fd0000"
              },
              {
                "name": "FunctionName",
                "value": "RtlDisownModuleHeapAllocation"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc7804fa30"
              }
            ],
            "repeated": 0,
            "id": 809
          },
          {
            "timestamp": "2026-05-28 22:01:57,287",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4afd",
            "parentcaller": "0x7ff6c28d6ebc",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc77fd0000"
              },
              {
                "name": "FunctionName",
                "value": "RtlQueryFeatureConfiguration"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc7802cbd0"
              }
            ],
            "repeated": 0,
            "id": 810
          },
          {
            "timestamp": "2026-05-28 22:01:57,287",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4afd",
            "parentcaller": "0x7ff6c28d6ebc",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc77fd0000"
              },
              {
                "name": "FunctionName",
                "value": "RtlDllShutdownInProgress"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc78033410"
              }
            ],
            "repeated": 0,
            "id": 811
          },
          {
            "timestamp": "2026-05-28 22:01:57,287",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4afd",
            "parentcaller": "0x7ff6c28d6ebc",
            "category": "synchronization",
            "api": "NtCreateMutant",
            "status": true,
            "return": "0x40000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000398"
              },
              {
                "name": "MutexName",
                "value": "Local\\SM0:7912:304:WilStaging_02"
              },
              {
                "name": "InitialOwner",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 812
          },
          {
            "timestamp": "2026-05-28 22:01:57,287",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4afd",
            "parentcaller": "0x7ff6c28d6ebc",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000398"
              },
              {
                "name": "Milliseconds",
                "value": "18446744073709551615"
              },
              {
                "name": "Status",
                "value": "Infinite"
              }
            ],
            "repeated": 0,
            "id": 813
          },
          {
            "timestamp": "2026-05-28 22:01:57,287",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4afd",
            "parentcaller": "0x7ff6c28d6ebc",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 814
          },
          {
            "timestamp": "2026-05-28 22:01:57,287",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4afd",
            "parentcaller": "0x7ff6c28d6ebc",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000039c"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 815
          },
          {
            "timestamp": "2026-05-28 22:01:57,287",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4afd",
            "parentcaller": "0x7ff6c28d6ebc",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 816
          },
          {
            "timestamp": "2026-05-28 22:01:57,287",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4afd",
            "parentcaller": "0x7ff6c28d6ebc",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003a0"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 817
          },
          {
            "timestamp": "2026-05-28 22:01:57,287",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4afd",
            "parentcaller": "0x7ff6c28d6ebc",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003a0"
              }
            ],
            "repeated": 0,
            "id": 818
          },
          {
            "timestamp": "2026-05-28 22:01:57,287",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4afd",
            "parentcaller": "0x7ff6c28d6ebc",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000039c"
              }
            ],
            "repeated": 0,
            "id": 819
          },
          {
            "timestamp": "2026-05-28 22:01:57,287",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4afd",
            "parentcaller": "0x7ff6c28d6ebc",
            "category": "synchronization",
            "api": "NtReleaseMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000398"
              }
            ],
            "repeated": 0,
            "id": 820
          },
          {
            "timestamp": "2026-05-28 22:01:57,287",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4afd",
            "parentcaller": "0x7ff6c28d6ebc",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000398"
              }
            ],
            "repeated": 0,
            "id": 821
          },
          {
            "timestamp": "2026-05-28 22:01:57,287",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4afd",
            "parentcaller": "0x7ff6c28d6ebc",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc72ad0000"
              },
              {
                "name": "ModuleName",
                "value": "CoreMessaging.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 822
          },
          {
            "timestamp": "2026-05-28 22:01:57,287",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4afd",
            "parentcaller": "0x7ff6c28d6ebc",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "USER32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc762a0000"
              },
              {
                "name": "FunctionName",
                "value": "RegisterClassExW"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc762a72c0"
              }
            ],
            "repeated": 0,
            "id": 823
          },
          {
            "timestamp": "2026-05-28 22:01:57,287",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4afd",
            "parentcaller": "0x7ff6c28d6ebc",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc72ad0000"
              },
              {
                "name": "ModuleName",
                "value": "CoreMessaging.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 824
          },
          {
            "timestamp": "2026-05-28 22:01:57,287",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4afd",
            "parentcaller": "0x7ff6c28d6ebc",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc72ad0000"
              },
              {
                "name": "ModuleName",
                "value": "CoreMessaging.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 825
          },
          {
            "timestamp": "2026-05-28 22:01:57,287",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4afd",
            "parentcaller": "0x7ff6c28d6ebc",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "USER32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc762a0000"
              },
              {
                "name": "FunctionName",
                "value": "CreateWindowExW"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc762a7720"
              }
            ],
            "repeated": 0,
            "id": 826
          },
          {
            "timestamp": "2026-05-28 22:01:57,287",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4afd",
            "parentcaller": "0x7ff6c28d6ebc",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc72ad0000"
              },
              {
                "name": "ModuleName",
                "value": "CoreMessaging.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 827
          },
          {
            "timestamp": "2026-05-28 22:01:57,287",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4afd",
            "parentcaller": "0x7ff6c28d6ebc",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc72ad0000"
              },
              {
                "name": "ModuleName",
                "value": "CoreMessaging.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 828
          },
          {
            "timestamp": "2026-05-28 22:01:57,287",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4afd",
            "parentcaller": "0x7ff6c28d6ebc",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "USER32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc762a0000"
              },
              {
                "name": "FunctionName",
                "value": "DefWindowProcW"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc7806ccb0"
              }
            ],
            "repeated": 0,
            "id": 829
          },
          {
            "timestamp": "2026-05-28 22:01:57,287",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4afd",
            "parentcaller": "0x7ff6c28d6ebc",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc72ad0000"
              },
              {
                "name": "ModuleName",
                "value": "CoreMessaging.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 830
          },
          {
            "timestamp": "2026-05-28 22:01:57,287",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4afd",
            "parentcaller": "0x7ff6c28d6ebc",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc72ad0000"
              },
              {
                "name": "ModuleName",
                "value": "CoreMessaging.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 831
          },
          {
            "timestamp": "2026-05-28 22:01:57,287",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4afd",
            "parentcaller": "0x7ff6c28d6ebc",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "USER32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc762a0000"
              },
              {
                "name": "FunctionName",
                "value": "SetWindowLongPtrW"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc762ab7c0"
              }
            ],
            "repeated": 0,
            "id": 832
          },
          {
            "timestamp": "2026-05-28 22:01:57,287",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4afd",
            "parentcaller": "0x7ff6c28d6ebc",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc72ad0000"
              },
              {
                "name": "ModuleName",
                "value": "CoreMessaging.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 833
          },
          {
            "timestamp": "2026-05-28 22:01:57,287",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4afd",
            "parentcaller": "0x7ff6c28d6ebc",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "user32"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc762a0000"
              }
            ],
            "repeated": 0,
            "id": 834
          },
          {
            "timestamp": "2026-05-28 22:01:57,287",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4afd",
            "parentcaller": "0x7ff6c28d6ebc",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc72ad0000"
              },
              {
                "name": "ModuleName",
                "value": "CoreMessaging.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 835
          },
          {
            "timestamp": "2026-05-28 22:01:57,287",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4afd",
            "parentcaller": "0x7ff6c28d6ebc",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "USER32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc762a0000"
              },
              {
                "name": "FunctionName",
                "value": "SetTimer"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc762c3c70"
              }
            ],
            "repeated": 0,
            "id": 836
          },
          {
            "timestamp": "2026-05-28 22:01:57,287",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4afd",
            "parentcaller": "0x7ff6c28d6ebc",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc72ad0000"
              },
              {
                "name": "ModuleName",
                "value": "CoreMessaging.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 837
          },
          {
            "timestamp": "2026-05-28 22:01:57,287",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4afd",
            "parentcaller": "0x7ff6c28d6ebc",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc72ad0000"
              },
              {
                "name": "ModuleName",
                "value": "CoreMessaging.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 838
          },
          {
            "timestamp": "2026-05-28 22:01:57,287",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4afd",
            "parentcaller": "0x7ff6c28d6ebc",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "ext-ms-win-rtcore-ntuser-integration-l1-1-0.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc762a0000"
              }
            ],
            "repeated": 0,
            "id": 839
          },
          {
            "timestamp": "2026-05-28 22:01:57,287",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4afd",
            "parentcaller": "0x7ff6c28d6ebc",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x7ffc762a0000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "ext-ms-win-rtcore-ntuser-integration-l1-1-0.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 840
          },
          {
            "timestamp": "2026-05-28 22:01:57,287",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4afd",
            "parentcaller": "0x7ff6c28d6ebc",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "USER32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc762a0000"
              },
              {
                "name": "FunctionName",
                "value": ""
              },
              {
                "name": "Ordinal",
                "value": "2612"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc762cbab0"
              }
            ],
            "repeated": 0,
            "id": 841
          },
          {
            "timestamp": "2026-05-28 22:01:57,287",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4afd",
            "parentcaller": "0x7ff6c28d6ebc",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc72ad0000"
              },
              {
                "name": "ModuleName",
                "value": "CoreMessaging.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 842
          },
          {
            "timestamp": "2026-05-28 22:01:57,287",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4afd",
            "parentcaller": "0x7ff6c28d6ebc",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc72ad0000"
              },
              {
                "name": "ModuleName",
                "value": "CoreMessaging.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 843
          },
          {
            "timestamp": "2026-05-28 22:01:57,287",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4afd",
            "parentcaller": "0x7ff6c28d6ebc",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "USER32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc762a0000"
              },
              {
                "name": "FunctionName",
                "value": "GetWindowLongPtrW"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc762af830"
              }
            ],
            "repeated": 0,
            "id": 844
          },
          {
            "timestamp": "2026-05-28 22:01:57,287",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4afd",
            "parentcaller": "0x7ff6c28d6ebc",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc72ad0000"
              },
              {
                "name": "ModuleName",
                "value": "CoreMessaging.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 845
          },
          {
            "timestamp": "2026-05-28 22:01:57,287",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4afd",
            "parentcaller": "0x7ff6c28d6ebc",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc72ad0000"
              },
              {
                "name": "ModuleName",
                "value": "CoreMessaging.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 846
          },
          {
            "timestamp": "2026-05-28 22:01:57,287",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4afd",
            "parentcaller": "0x7ff6c28d6ebc",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "USER32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc762a0000"
              },
              {
                "name": "FunctionName",
                "value": "GetWindowThreadProcessId"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc762a3500"
              }
            ],
            "repeated": 0,
            "id": 847
          },
          {
            "timestamp": "2026-05-28 22:01:57,287",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4afd",
            "parentcaller": "0x7ff6c28d6ebc",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc72ad0000"
              },
              {
                "name": "ModuleName",
                "value": "CoreMessaging.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 848
          },
          {
            "timestamp": "2026-05-28 22:01:57,287",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4afd",
            "parentcaller": "0x7ff6c28d6ebc",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc72ad0000"
              },
              {
                "name": "ModuleName",
                "value": "CoreMessaging.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 849
          },
          {
            "timestamp": "2026-05-28 22:01:57,287",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4afd",
            "parentcaller": "0x7ff6c28d6ebc",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "USER32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc762a0000"
              },
              {
                "name": "FunctionName",
                "value": "SendMessageCallbackW"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc762c7e20"
              }
            ],
            "repeated": 0,
            "id": 850
          },
          {
            "timestamp": "2026-05-28 22:01:57,287",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4afd",
            "parentcaller": "0x7ff6c28d6ebc",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc72ad0000"
              },
              {
                "name": "ModuleName",
                "value": "CoreMessaging.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 851
          },
          {
            "timestamp": "2026-05-28 22:01:57,287",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4afd",
            "parentcaller": "0x7ff6c28d6ebc",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29253b90000"
              },
              {
                "name": "RegionSize",
                "value": "0x00100000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 852
          },
          {
            "timestamp": "2026-05-28 22:01:57,287",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4afd",
            "parentcaller": "0x7ff6c28d6ebc",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29253b90000"
              },
              {
                "name": "RegionSize",
                "value": "0x00002000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 853
          },
          {
            "timestamp": "2026-05-28 22:01:57,287",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4afd",
            "parentcaller": "0x7ff6c28d6ebc",
            "category": "system",
            "api": "NtDuplicateObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SourceProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "SourceHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "TargetProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "TargetHandle",
                "value": "0x000003a4"
              },
              {
                "name": "Options",
                "value": "0x00000002"
              }
            ],
            "repeated": 0,
            "id": 854
          },
          {
            "timestamp": "2026-05-28 22:01:57,287",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4afd",
            "parentcaller": "0x7ff6c28d6ebc",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc72ad0000"
              },
              {
                "name": "ModuleName",
                "value": "CoreMessaging.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 855
          },
          {
            "timestamp": "2026-05-28 22:01:57,287",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4afd",
            "parentcaller": "0x7ff6c28d6ebc",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "api-ms-win-core-com-l1-1-0.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc77b70000"
              }
            ],
            "repeated": 0,
            "id": 856
          },
          {
            "timestamp": "2026-05-28 22:01:57,287",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4afd",
            "parentcaller": "0x7ff6c28d6ebc",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x7ffc77b70000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "api-ms-win-core-com-l1-1-0.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 857
          },
          {
            "timestamp": "2026-05-28 22:01:57,287",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4afd",
            "parentcaller": "0x7ff6c28d6ebc",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "combase.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc77b70000"
              },
              {
                "name": "FunctionName",
                "value": "CoCreateGuid"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc77bc37e0"
              }
            ],
            "repeated": 0,
            "id": 858
          },
          {
            "timestamp": "2026-05-28 22:01:57,287",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4afd",
            "parentcaller": "0x7ff6c28d6ebc",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc72ad0000"
              },
              {
                "name": "ModuleName",
                "value": "CoreMessaging.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 859
          },
          {
            "timestamp": "2026-05-28 22:01:57,287",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4afd",
            "parentcaller": "0x7ff6c28d6ebc",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "29"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 860
          },
          {
            "timestamp": "2026-05-28 22:01:57,287",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4afd",
            "parentcaller": "0x7ff6c28d6ebc",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29253390000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 861
          },
          {
            "timestamp": "2026-05-28 22:01:57,287",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4afd",
            "parentcaller": "0x7ff6c28d6ebc",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc72ad0000"
              },
              {
                "name": "ModuleName",
                "value": "CoreMessaging.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 862
          },
          {
            "timestamp": "2026-05-28 22:01:57,287",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4afd",
            "parentcaller": "0x7ff6c28d6ebc",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "USER32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc762a0000"
              },
              {
                "name": "FunctionName",
                "value": ""
              },
              {
                "name": "Ordinal",
                "value": "2582"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc762c70e0"
              }
            ],
            "repeated": 0,
            "id": 863
          },
          {
            "timestamp": "2026-05-28 22:01:57,287",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4afd",
            "parentcaller": "0x7ff6c28d6ebc",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc72ad0000"
              },
              {
                "name": "ModuleName",
                "value": "CoreMessaging.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 864
          },
          {
            "timestamp": "2026-05-28 22:01:57,287",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4afd",
            "parentcaller": "0x7ff6c28d6ebc",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29253b92000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 865
          },
          {
            "timestamp": "2026-05-28 22:01:57,287",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4afd",
            "parentcaller": "0x7ff6c28d6ebc",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 866
          },
          {
            "timestamp": "2026-05-28 22:01:57,287",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4afd",
            "parentcaller": "0x7ff6c28d6ebc",
            "category": "misc",
            "api": "srand",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "seed",
                "value": "0x6a18bb55"
              }
            ],
            "repeated": 0,
            "id": 867
          },
          {
            "timestamp": "2026-05-28 22:01:57,287",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4afd",
            "parentcaller": "0x7ff6c28d6ebc",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 868
          },
          {
            "timestamp": "2026-05-28 22:01:57,287",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4afd",
            "parentcaller": "0x7ff6c28d6ebc",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc77fd0000"
              }
            ],
            "repeated": 0,
            "id": 869
          },
          {
            "timestamp": "2026-05-28 22:01:57,287",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4afd",
            "parentcaller": "0x7ff6c28d6ebc",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc77fd0000"
              },
              {
                "name": "FunctionName",
                "value": "RtlRegisterFeatureConfigurationChangeNotification"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc77fd93b0"
              }
            ],
            "repeated": 0,
            "id": 870
          },
          {
            "timestamp": "2026-05-28 22:01:57,287",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4afd",
            "parentcaller": "0x7ff6c28d6ebc",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc77fd0000"
              },
              {
                "name": "FunctionName",
                "value": "NtQueryWnfStateData"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc7806fc40"
              }
            ],
            "repeated": 0,
            "id": 871
          },
          {
            "timestamp": "2026-05-28 22:01:57,287",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4afd",
            "parentcaller": "0x7ff6c28d6ebc",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc77fd0000"
              },
              {
                "name": "FunctionName",
                "value": "RtlSubscribeWnfStateChangeNotification"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc78012460"
              }
            ],
            "repeated": 0,
            "id": 872
          },
          {
            "timestamp": "2026-05-28 22:01:57,287",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4afd",
            "parentcaller": "0x7ff6c28d6ebc",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc77fd0000"
              },
              {
                "name": "FunctionName",
                "value": "RtlDisownModuleHeapAllocation"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc7804fa30"
              }
            ],
            "repeated": 0,
            "id": 873
          },
          {
            "timestamp": "2026-05-28 22:01:57,287",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4afd",
            "parentcaller": "0x7ff6c28d6ebc",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc77fd0000"
              },
              {
                "name": "FunctionName",
                "value": "RtlQueryFeatureConfiguration"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc7802cbd0"
              }
            ],
            "repeated": 0,
            "id": 874
          },
          {
            "timestamp": "2026-05-28 22:01:57,287",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4afd",
            "parentcaller": "0x7ff6c28d6ebc",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc77fd0000"
              },
              {
                "name": "FunctionName",
                "value": "RtlDllShutdownInProgress"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc78033410"
              }
            ],
            "repeated": 0,
            "id": 875
          },
          {
            "timestamp": "2026-05-28 22:01:57,287",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4afd",
            "parentcaller": "0x7ff6c28d6ebc",
            "category": "synchronization",
            "api": "NtCreateMutant",
            "status": true,
            "return": "0x40000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003b0"
              },
              {
                "name": "MutexName",
                "value": "Local\\SM0:7912:304:WilStaging_02"
              },
              {
                "name": "InitialOwner",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 876
          },
          {
            "timestamp": "2026-05-28 22:01:57,287",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4afd",
            "parentcaller": "0x7ff6c28d6ebc",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003b0"
              },
              {
                "name": "Milliseconds",
                "value": "18446744073709551615"
              },
              {
                "name": "Status",
                "value": "Infinite"
              }
            ],
            "repeated": 0,
            "id": 877
          },
          {
            "timestamp": "2026-05-28 22:01:57,287",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4afd",
            "parentcaller": "0x7ff6c28d6ebc",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 878
          },
          {
            "timestamp": "2026-05-28 22:01:57,287",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4afd",
            "parentcaller": "0x7ff6c28d6ebc",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003b4"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 879
          },
          {
            "timestamp": "2026-05-28 22:01:57,287",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4afd",
            "parentcaller": "0x7ff6c28d6ebc",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 880
          },
          {
            "timestamp": "2026-05-28 22:01:57,287",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4afd",
            "parentcaller": "0x7ff6c28d6ebc",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003b8"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 881
          },
          {
            "timestamp": "2026-05-28 22:01:57,287",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4afd",
            "parentcaller": "0x7ff6c28d6ebc",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003b8"
              }
            ],
            "repeated": 0,
            "id": 882
          },
          {
            "timestamp": "2026-05-28 22:01:57,287",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4afd",
            "parentcaller": "0x7ff6c28d6ebc",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003b4"
              }
            ],
            "repeated": 0,
            "id": 883
          },
          {
            "timestamp": "2026-05-28 22:01:57,287",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4afd",
            "parentcaller": "0x7ff6c28d6ebc",
            "category": "synchronization",
            "api": "NtReleaseMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003b0"
              }
            ],
            "repeated": 0,
            "id": 884
          },
          {
            "timestamp": "2026-05-28 22:01:57,287",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4afd",
            "parentcaller": "0x7ff6c28d6ebc",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003b0"
              }
            ],
            "repeated": 0,
            "id": 885
          },
          {
            "timestamp": "2026-05-28 22:01:57,287",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4afd",
            "parentcaller": "0x7ff6c28d6ebc",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows"
              },
              {
                "name": "Handle",
                "value": "0x000003b4"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows"
              }
            ],
            "repeated": 0,
            "id": 886
          },
          {
            "timestamp": "2026-05-28 22:01:57,287",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4afd",
            "parentcaller": "0x7ff6c28d6ebc",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003b4"
              },
              {
                "name": "ValueName",
                "value": "IsVailContainer"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\IsVailContainer"
              }
            ],
            "repeated": 0,
            "id": 887
          },
          {
            "timestamp": "2026-05-28 22:01:57,287",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4afd",
            "parentcaller": "0x7ff6c28d6ebc",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003b4"
              }
            ],
            "repeated": 0,
            "id": 888
          },
          {
            "timestamp": "2026-05-28 22:01:57,287",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4afd",
            "parentcaller": "0x7ff6c28d6ebc",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "Software\\Microsoft\\Input"
              },
              {
                "name": "Handle",
                "value": "0x000003b4"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Input"
              }
            ],
            "repeated": 0,
            "id": 889
          },
          {
            "timestamp": "2026-05-28 22:01:57,303",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4afd",
            "parentcaller": "0x7ff6c28d6ebc",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003b4"
              },
              {
                "name": "ValueName",
                "value": "ResyncResetTime"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Input\\ResyncResetTime"
              }
            ],
            "repeated": 0,
            "id": 890
          },
          {
            "timestamp": "2026-05-28 22:01:57,303",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4afd",
            "parentcaller": "0x7ff6c28d6ebc",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003b4"
              },
              {
                "name": "ValueName",
                "value": "MaxResyncAttempts"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Input\\MaxResyncAttempts"
              }
            ],
            "repeated": 0,
            "id": 891
          },
          {
            "timestamp": "2026-05-28 22:01:57,303",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4afd",
            "parentcaller": "0x7ff6c28d6ebc",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003b4"
              }
            ],
            "repeated": 0,
            "id": 892
          },
          {
            "timestamp": "2026-05-28 22:01:57,303",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4afd",
            "parentcaller": "0x7ff6c28d6ebc",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc69e64000"
              },
              {
                "name": "ModuleName",
                "value": "textinputframework.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 893
          },
          {
            "timestamp": "2026-05-28 22:01:57,303",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4afd",
            "parentcaller": "0x7ff6c28d6ebc",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc69e64000"
              },
              {
                "name": "ModuleName",
                "value": "textinputframework.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 894
          },
          {
            "timestamp": "2026-05-28 22:01:57,303",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4afd",
            "parentcaller": "0x7ff6c28d6ebc",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2924e1c1000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 895
          },
          {
            "timestamp": "2026-05-28 22:01:57,303",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4afd",
            "parentcaller": "0x7ff6c28d6ebc",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc69e64000"
              },
              {
                "name": "ModuleName",
                "value": "textinputframework.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 896
          },
          {
            "timestamp": "2026-05-28 22:01:57,303",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4afd",
            "parentcaller": "0x7ff6c28d6ebc",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc69e64000"
              },
              {
                "name": "ModuleName",
                "value": "textinputframework.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 897
          },
          {
            "timestamp": "2026-05-28 22:01:57,303",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4afd",
            "parentcaller": "0x7ff6c28d6ebc",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc69e64000"
              },
              {
                "name": "ModuleName",
                "value": "textinputframework.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 898
          },
          {
            "timestamp": "2026-05-28 22:01:57,303",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4afd",
            "parentcaller": "0x7ff6c28d6ebc",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc69e64000"
              },
              {
                "name": "ModuleName",
                "value": "textinputframework.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 899
          },
          {
            "timestamp": "2026-05-28 22:01:57,303",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4afd",
            "parentcaller": "0x7ff6c28d6ebc",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc69e64000"
              },
              {
                "name": "ModuleName",
                "value": "textinputframework.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 900
          },
          {
            "timestamp": "2026-05-28 22:01:57,303",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4afd",
            "parentcaller": "0x7ff6c28d6ebc",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc69e64000"
              },
              {
                "name": "ModuleName",
                "value": "textinputframework.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 901
          },
          {
            "timestamp": "2026-05-28 22:01:57,303",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4afd",
            "parentcaller": "0x7ff6c28d6ebc",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc77510000"
              },
              {
                "name": "ModuleName",
                "value": "MSCTF.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 902
          },
          {
            "timestamp": "2026-05-28 22:01:57,303",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4afd",
            "parentcaller": "0x7ff6c28d6ebc",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc77510000"
              },
              {
                "name": "ModuleName",
                "value": "MSCTF.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 903
          },
          {
            "timestamp": "2026-05-28 22:01:57,303",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4afd",
            "parentcaller": "0x7ff6c28d6ebc",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": false,
            "return": "0xffffffffc0000135",
            "pretty_return": "DLL_NOT_FOUND",
            "arguments": [
              {
                "name": "FileName",
                "value": "iertutil.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x4031c471a94c5fd2"
              }
            ],
            "repeated": 0,
            "id": 904
          },
          {
            "timestamp": "2026-05-28 22:01:57,303",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4afd",
            "parentcaller": "0x7ff6c28d6ebc",
            "category": "synchronization",
            "api": "NtOpenEvent",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "Handle",
                "value": "0xf09d76ee20"
              },
              {
                "name": "EventName",
                "value": "Local\\1ImmersiveFocusTrackingActiveEvent"
              }
            ],
            "repeated": 0,
            "id": 905
          },
          {
            "timestamp": "2026-05-28 22:01:57,303",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4afd",
            "parentcaller": "0x7ff6c28d6ebc",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 1,
            "id": 906
          },
          {
            "timestamp": "2026-05-28 22:01:57,303",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4ccf",
            "parentcaller": "0x7ff6c28d4afd",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "USER32"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc762a0000"
              }
            ],
            "repeated": 0,
            "id": 907
          },
          {
            "timestamp": "2026-05-28 22:01:57,303",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4ccf",
            "parentcaller": "0x7ff6c28d4afd",
            "category": "misc",
            "api": "FindResourceExW",
            "status": false,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Module",
                "value": "0x7ffc762a0000"
              },
              {
                "name": "Type",
                "value": "#14"
              },
              {
                "name": "Name",
                "value": "#32512"
              },
              {
                "name": "Language",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 908
          },
          {
            "timestamp": "2026-05-28 22:01:57,303",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4ccf",
            "parentcaller": "0x7ff6c28d4afd",
            "category": "misc",
            "api": "FindResourceExW",
            "status": false,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Module",
                "value": "0x7ffc762a0000"
              },
              {
                "name": "Type",
                "value": "#22"
              },
              {
                "name": "Name",
                "value": "#32512"
              },
              {
                "name": "Language",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 909
          },
          {
            "timestamp": "2026-05-28 22:01:57,303",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4afd",
            "parentcaller": "0x7ff6c28d6ebc",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\msctf.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc77400000"
              }
            ],
            "repeated": 0,
            "id": 910
          },
          {
            "timestamp": "2026-05-28 22:01:57,303",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4afd",
            "parentcaller": "0x7ff6c28d6ebc",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x7ffc77400000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\System32\\MSCTF.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00000008"
              }
            ],
            "repeated": 0,
            "id": 911
          },
          {
            "timestamp": "2026-05-28 22:01:57,303",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4afd",
            "parentcaller": "0x7ff6c28d6ebc",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 0,
            "id": 912
          },
          {
            "timestamp": "2026-05-28 22:01:57,303",
            "thread_id": "1496",
            "caller": "0x7ff6c28d640d",
            "parentcaller": "0x7ff6c28d528d",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76722000"
              },
              {
                "name": "ModuleName",
                "value": "SHLWAPI.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 913
          },
          {
            "timestamp": "2026-05-28 22:01:57,303",
            "thread_id": "1496",
            "caller": "0x7ff6c28d640d",
            "parentcaller": "0x7ff6c28d528d",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76722000"
              },
              {
                "name": "ModuleName",
                "value": "SHLWAPI.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 914
          },
          {
            "timestamp": "2026-05-28 22:01:57,303",
            "thread_id": "1496",
            "caller": "0x7ff6c28d640d",
            "parentcaller": "0x7ff6c28d528d",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc77fd0000"
              }
            ],
            "repeated": 0,
            "id": 915
          },
          {
            "timestamp": "2026-05-28 22:01:57,303",
            "thread_id": "1496",
            "caller": "0x7ff6c28d640d",
            "parentcaller": "0x7ff6c28d528d",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc77fd0000"
              },
              {
                "name": "FunctionName",
                "value": "NtQuerySystemInformation"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc7806d690"
              }
            ],
            "repeated": 0,
            "id": 916
          },
          {
            "timestamp": "2026-05-28 22:01:57,303",
            "thread_id": "1496",
            "caller": "0x7ff6c28d640d",
            "parentcaller": "0x7ff6c28d528d",
            "category": "misc",
            "api": "NtQuerySystemInformation",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SystemInformationClass",
                "value": "134"
              }
            ],
            "repeated": 0,
            "id": 917
          },
          {
            "timestamp": "2026-05-28 22:01:57,303",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6426",
            "parentcaller": "0x7ff6c28d528d",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc77fd0000"
              }
            ],
            "repeated": 0,
            "id": 918
          },
          {
            "timestamp": "2026-05-28 22:01:57,303",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6426",
            "parentcaller": "0x7ff6c28d528d",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc77fd0000"
              },
              {
                "name": "FunctionName",
                "value": "RtlRegisterFeatureConfigurationChangeNotification"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc77fd93b0"
              }
            ],
            "repeated": 0,
            "id": 919
          },
          {
            "timestamp": "2026-05-28 22:01:57,303",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6426",
            "parentcaller": "0x7ff6c28d528d",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc77fd0000"
              },
              {
                "name": "FunctionName",
                "value": "NtQueryWnfStateData"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc7806fc40"
              }
            ],
            "repeated": 0,
            "id": 920
          },
          {
            "timestamp": "2026-05-28 22:01:57,303",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6426",
            "parentcaller": "0x7ff6c28d528d",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc77fd0000"
              },
              {
                "name": "FunctionName",
                "value": "RtlSubscribeWnfStateChangeNotification"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc78012460"
              }
            ],
            "repeated": 0,
            "id": 921
          },
          {
            "timestamp": "2026-05-28 22:01:57,303",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6426",
            "parentcaller": "0x7ff6c28d528d",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc77fd0000"
              },
              {
                "name": "FunctionName",
                "value": "RtlDisownModuleHeapAllocation"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc7804fa30"
              }
            ],
            "repeated": 0,
            "id": 922
          },
          {
            "timestamp": "2026-05-28 22:01:57,303",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6426",
            "parentcaller": "0x7ff6c28d528d",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc77fd0000"
              },
              {
                "name": "FunctionName",
                "value": "RtlQueryFeatureConfiguration"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc7802cbd0"
              }
            ],
            "repeated": 0,
            "id": 923
          },
          {
            "timestamp": "2026-05-28 22:01:57,303",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6426",
            "parentcaller": "0x7ff6c28d528d",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc77fd0000"
              },
              {
                "name": "FunctionName",
                "value": "RtlDllShutdownInProgress"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc78033410"
              }
            ],
            "repeated": 0,
            "id": 924
          },
          {
            "timestamp": "2026-05-28 22:01:57,303",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6426",
            "parentcaller": "0x7ff6c28d528d",
            "category": "synchronization",
            "api": "NtCreateMutant",
            "status": true,
            "return": "0x40000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003bc"
              },
              {
                "name": "MutexName",
                "value": "Local\\SM0:7912:304:WilStaging_02"
              },
              {
                "name": "InitialOwner",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 925
          },
          {
            "timestamp": "2026-05-28 22:01:57,303",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6426",
            "parentcaller": "0x7ff6c28d528d",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003bc"
              },
              {
                "name": "Milliseconds",
                "value": "18446744073709551615"
              },
              {
                "name": "Status",
                "value": "Infinite"
              }
            ],
            "repeated": 0,
            "id": 926
          },
          {
            "timestamp": "2026-05-28 22:01:57,303",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6426",
            "parentcaller": "0x7ff6c28d528d",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 927
          },
          {
            "timestamp": "2026-05-28 22:01:57,303",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6426",
            "parentcaller": "0x7ff6c28d528d",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003c0"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 928
          },
          {
            "timestamp": "2026-05-28 22:01:57,303",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6426",
            "parentcaller": "0x7ff6c28d528d",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 929
          },
          {
            "timestamp": "2026-05-28 22:01:57,303",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6426",
            "parentcaller": "0x7ff6c28d528d",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003c4"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 930
          },
          {
            "timestamp": "2026-05-28 22:01:57,303",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6426",
            "parentcaller": "0x7ff6c28d528d",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003c4"
              }
            ],
            "repeated": 0,
            "id": 931
          },
          {
            "timestamp": "2026-05-28 22:01:57,303",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6426",
            "parentcaller": "0x7ff6c28d528d",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003c0"
              }
            ],
            "repeated": 0,
            "id": 932
          },
          {
            "timestamp": "2026-05-28 22:01:57,303",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6426",
            "parentcaller": "0x7ff6c28d528d",
            "category": "synchronization",
            "api": "NtReleaseMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003bc"
              }
            ],
            "repeated": 0,
            "id": 933
          },
          {
            "timestamp": "2026-05-28 22:01:57,303",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6426",
            "parentcaller": "0x7ff6c28d528d",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003bc"
              }
            ],
            "repeated": 0,
            "id": 934
          },
          {
            "timestamp": "2026-05-28 22:01:57,303",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6426",
            "parentcaller": "0x7ff6c28d528d",
            "category": "synchronization",
            "api": "NtCreateMutant",
            "status": true,
            "return": "0x40000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003bc"
              },
              {
                "name": "MutexName",
                "value": "Local\\SM0:7912:120:WilError_03"
              },
              {
                "name": "InitialOwner",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 935
          },
          {
            "timestamp": "2026-05-28 22:01:57,303",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6426",
            "parentcaller": "0x7ff6c28d528d",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003bc"
              },
              {
                "name": "Milliseconds",
                "value": "18446744073709551615"
              },
              {
                "name": "Status",
                "value": "Infinite"
              }
            ],
            "repeated": 0,
            "id": 936
          },
          {
            "timestamp": "2026-05-28 22:01:57,303",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6426",
            "parentcaller": "0x7ff6c28d528d",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 937
          },
          {
            "timestamp": "2026-05-28 22:01:57,303",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6426",
            "parentcaller": "0x7ff6c28d528d",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003c0"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 938
          },
          {
            "timestamp": "2026-05-28 22:01:57,303",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6426",
            "parentcaller": "0x7ff6c28d528d",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 939
          },
          {
            "timestamp": "2026-05-28 22:01:57,303",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6426",
            "parentcaller": "0x7ff6c28d528d",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003c4"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 940
          },
          {
            "timestamp": "2026-05-28 22:01:57,303",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6426",
            "parentcaller": "0x7ff6c28d528d",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003c4"
              }
            ],
            "repeated": 0,
            "id": 941
          },
          {
            "timestamp": "2026-05-28 22:01:57,303",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6426",
            "parentcaller": "0x7ff6c28d528d",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003c0"
              }
            ],
            "repeated": 0,
            "id": 942
          },
          {
            "timestamp": "2026-05-28 22:01:57,303",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6426",
            "parentcaller": "0x7ff6c28d528d",
            "category": "synchronization",
            "api": "NtReleaseMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003bc"
              }
            ],
            "repeated": 0,
            "id": 943
          },
          {
            "timestamp": "2026-05-28 22:01:57,303",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6426",
            "parentcaller": "0x7ff6c28d528d",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003bc"
              }
            ],
            "repeated": 0,
            "id": 944
          },
          {
            "timestamp": "2026-05-28 22:01:57,303",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6426",
            "parentcaller": "0x7ff6c28d528d",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc77657000"
              },
              {
                "name": "ModuleName",
                "value": "SHCORE.DLL"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 945
          },
          {
            "timestamp": "2026-05-28 22:01:57,303",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6426",
            "parentcaller": "0x7ff6c28d528d",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc77657000"
              },
              {
                "name": "ModuleName",
                "value": "SHCORE.DLL"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 946
          },
          {
            "timestamp": "2026-05-28 22:01:57,303",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6426",
            "parentcaller": "0x7ff6c28d528d",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\QfePolicyDefinitions\\{A48F1A32-A340-11D1-BC6B-00A0C90312E1}\\{572FD217-F7FF-479C-8D96-BC938D6867F5}"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\QfePolicyDefinitions\\{A48F1A32-A340-11D1-BC6B-00A0C90312E1}\\{572FD217-F7FF-479C-8D96-BC938D6867F5}"
              }
            ],
            "repeated": 0,
            "id": 947
          },
          {
            "timestamp": "2026-05-28 22:01:57,303",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6426",
            "parentcaller": "0x7ff6c28d528d",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "93"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x7f7\\x9e}"
              }
            ],
            "repeated": 0,
            "id": 948
          },
          {
            "timestamp": "2026-05-28 22:01:57,303",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6426",
            "parentcaller": "0x7ff6c28d528d",
            "category": "process",
            "api": "NtOpenSection",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0000000d"
              },
              {
                "name": "ObjectAttributes",
                "value": "policymanager.dll"
              }
            ],
            "repeated": 0,
            "id": 949
          },
          {
            "timestamp": "2026-05-28 22:01:57,303",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6426",
            "parentcaller": "0x7ff6c28d528d",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\policymanager.dll"
              }
            ],
            "repeated": 0,
            "id": 950
          },
          {
            "timestamp": "2026-05-28 22:01:57,303",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6426",
            "parentcaller": "0x7ff6c28d528d",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000003bc"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100021",
                "pretty_value": "FILE_READ_ACCESS|FILE_EXECUTE|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\policymanager.dll"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 951
          },
          {
            "timestamp": "2026-05-28 22:01:57,303",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6426",
            "parentcaller": "0x7ff6c28d528d",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x000003c0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0000000d",
                "pretty_value": "SECTION_QUERY|SECTION_MAP_READ|SECTION_MAP_EXECUTE"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x000003bc"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\policymanager.dll"
              }
            ],
            "repeated": 0,
            "id": 952
          },
          {
            "timestamp": "2026-05-28 22:01:57,303",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6426",
            "parentcaller": "0x7ff6c28d528d",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x000003c0"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc6fce0000"
              },
              {
                "name": "SectionOffset",
                "value": "0x00000000"
              },
              {
                "name": "ViewSize",
                "value": "0x000a1000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000080",
                "pretty_value": "PAGE_EXECUTE_WRITECOPY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 953
          },
          {
            "timestamp": "2026-05-28 22:01:57,303",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6426",
            "parentcaller": "0x7ff6c28d528d",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc6fd7e000"
              },
              {
                "name": "ModuleName",
                "value": "policymanager.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 954
          },
          {
            "timestamp": "2026-05-28 22:01:57,303",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6426",
            "parentcaller": "0x7ff6c28d528d",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc6fd58000"
              },
              {
                "name": "ModuleName",
                "value": "policymanager.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 955
          },
          {
            "timestamp": "2026-05-28 22:01:57,303",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6426",
            "parentcaller": "0x7ff6c28d528d",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc6fd58000"
              },
              {
                "name": "ModuleName",
                "value": "policymanager.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 956
          },
          {
            "timestamp": "2026-05-28 22:01:57,303",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6426",
            "parentcaller": "0x7ff6c28d528d",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc6fd58000"
              },
              {
                "name": "ModuleName",
                "value": "policymanager.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 957
          },
          {
            "timestamp": "2026-05-28 22:01:57,303",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6426",
            "parentcaller": "0x7ff6c28d528d",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc6fd58000"
              },
              {
                "name": "ModuleName",
                "value": "policymanager.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 958
          },
          {
            "timestamp": "2026-05-28 22:01:57,303",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6426",
            "parentcaller": "0x7ff6c28d528d",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc6fd58000"
              },
              {
                "name": "ModuleName",
                "value": "policymanager.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 959
          },
          {
            "timestamp": "2026-05-28 22:01:57,303",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6426",
            "parentcaller": "0x7ff6c28d528d",
            "category": "process",
            "api": "NtOpenSection",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0000000d"
              },
              {
                "name": "ObjectAttributes",
                "value": "msvcp110_win.dll"
              }
            ],
            "repeated": 0,
            "id": 960
          },
          {
            "timestamp": "2026-05-28 22:01:57,303",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6426",
            "parentcaller": "0x7ff6c28d528d",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003c0"
              }
            ],
            "repeated": 0,
            "id": 961
          },
          {
            "timestamp": "2026-05-28 22:01:57,303",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6426",
            "parentcaller": "0x7ff6c28d528d",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003bc"
              }
            ],
            "repeated": 0,
            "id": 962
          },
          {
            "timestamp": "2026-05-28 22:01:57,303",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6426",
            "parentcaller": "0x7ff6c28d528d",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\msvcp110_win.dll"
              }
            ],
            "repeated": 0,
            "id": 963
          },
          {
            "timestamp": "2026-05-28 22:01:57,303",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6426",
            "parentcaller": "0x7ff6c28d528d",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000003bc"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100021",
                "pretty_value": "FILE_READ_ACCESS|FILE_EXECUTE|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\msvcp110_win.dll"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 964
          },
          {
            "timestamp": "2026-05-28 22:01:57,303",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6426",
            "parentcaller": "0x7ff6c28d528d",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x000003c0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0000000d",
                "pretty_value": "SECTION_QUERY|SECTION_MAP_READ|SECTION_MAP_EXECUTE"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x000003bc"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\msvcp110_win.dll"
              }
            ],
            "repeated": 0,
            "id": 965
          },
          {
            "timestamp": "2026-05-28 22:01:57,303",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6426",
            "parentcaller": "0x7ff6c28d528d",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x000003c0"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc74740000"
              },
              {
                "name": "SectionOffset",
                "value": "0x00000000"
              },
              {
                "name": "ViewSize",
                "value": "0x0008a000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000080",
                "pretty_value": "PAGE_EXECUTE_WRITECOPY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 966
          },
          {
            "timestamp": "2026-05-28 22:01:57,303",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6426",
            "parentcaller": "0x7ff6c28d528d",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc7478d000"
              },
              {
                "name": "ModuleName",
                "value": "msvcp110_win.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 967
          },
          {
            "timestamp": "2026-05-28 22:01:57,303",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6426",
            "parentcaller": "0x7ff6c28d528d",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc7478d000"
              },
              {
                "name": "ModuleName",
                "value": "msvcp110_win.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 968
          },
          {
            "timestamp": "2026-05-28 22:01:57,303",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6426",
            "parentcaller": "0x7ff6c28d528d",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc7478d000"
              },
              {
                "name": "ModuleName",
                "value": "msvcp110_win.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 969
          },
          {
            "timestamp": "2026-05-28 22:01:57,303",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6426",
            "parentcaller": "0x7ff6c28d528d",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc7478d000"
              },
              {
                "name": "ModuleName",
                "value": "msvcp110_win.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 970
          },
          {
            "timestamp": "2026-05-28 22:01:57,303",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6426",
            "parentcaller": "0x7ff6c28d528d",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc7478d000"
              },
              {
                "name": "ModuleName",
                "value": "msvcp110_win.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 971
          },
          {
            "timestamp": "2026-05-28 22:01:57,303",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6426",
            "parentcaller": "0x7ff6c28d528d",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003c0"
              }
            ],
            "repeated": 0,
            "id": 972
          },
          {
            "timestamp": "2026-05-28 22:01:57,303",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6426",
            "parentcaller": "0x7ff6c28d528d",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003bc"
              }
            ],
            "repeated": 0,
            "id": 973
          },
          {
            "timestamp": "2026-05-28 22:01:57,303",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6426",
            "parentcaller": "0x7ff6c28d528d",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc6fd58000"
              },
              {
                "name": "ModuleName",
                "value": "policymanager.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 974
          },
          {
            "timestamp": "2026-05-28 22:01:57,303",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6426",
            "parentcaller": "0x7ff6c28d528d",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "35"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x06\\x00\\x00\\x00\\x11\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb0T N\\x92\\x02\\x00\\x00\\xd8\\x05\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xc0\\xe1\\x1fN\\x92\\x02\\x00\\x00t\\x0f\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00T\\x1fN\\x92\\x02\\x00\\x00d\\x0f\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00`L\\x1fN\\x92\\x02\\x00\\x00\\xf0\\x11\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xd0( N\\x92\\x02\\x00\\x00d\\x12\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x80\\x01#N\\x92\\x02\\x00\\x00T\\x12\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 975
          },
          {
            "timestamp": "2026-05-28 22:01:57,303",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6426",
            "parentcaller": "0x7ff6c28d528d",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc7478d000"
              },
              {
                "name": "ModuleName",
                "value": "msvcp110_win.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 976
          },
          {
            "timestamp": "2026-05-28 22:01:57,303",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6426",
            "parentcaller": "0x7ff6c28d528d",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\system32\\msvcp110_win"
              },
              {
                "name": "DllBase",
                "value": "0x7ffc74740000"
              }
            ],
            "repeated": 0,
            "id": 977
          },
          {
            "timestamp": "2026-05-28 22:01:57,303",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6426",
            "parentcaller": "0x7ff6c28d528d",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\SYSTEM32\\policymanager"
              },
              {
                "name": "DllBase",
                "value": "0x7ffc6fce0000"
              }
            ],
            "repeated": 0,
            "id": 978
          },
          {
            "timestamp": "2026-05-28 22:01:57,318",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6426",
            "parentcaller": "0x7ff6c28d528d",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29253b93000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 979
          },
          {
            "timestamp": "2026-05-28 22:01:57,318",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6426",
            "parentcaller": "0x7ff6c28d528d",
            "category": "system",
            "api": "LdrpCallInitRoutine",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "MappedPath",
                "value": "\\Device\\HarddiskVolume2\\Windows\\System32\\msvcp110_win"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc74740000"
              },
              {
                "name": "InitRoutine",
                "value": "0x7ffc74785870"
              },
              {
                "name": "Reason",
                "value": "1"
              }
            ],
            "repeated": 0,
            "id": 980
          },
          {
            "timestamp": "2026-05-28 22:01:57,318",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6426",
            "parentcaller": "0x7ff6c28d528d",
            "category": "system",
            "api": "LdrpCallInitRoutine",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "MappedPath",
                "value": "\\Device\\HarddiskVolume2\\Windows\\System32\\policymanager"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc6fce0000"
              },
              {
                "name": "InitRoutine",
                "value": "0x7ffc6fce9ed0"
              },
              {
                "name": "Reason",
                "value": "1"
              }
            ],
            "repeated": 0,
            "id": 981
          },
          {
            "timestamp": "2026-05-28 22:01:57,318",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6426",
            "parentcaller": "0x7ff6c28d528d",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc77657000"
              },
              {
                "name": "ModuleName",
                "value": "SHCORE.DLL"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 982
          },
          {
            "timestamp": "2026-05-28 22:01:57,318",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6426",
            "parentcaller": "0x7ff6c28d528d",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc77657000"
              },
              {
                "name": "ModuleName",
                "value": "SHCORE.DLL"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 983
          },
          {
            "timestamp": "2026-05-28 22:01:57,350",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6426",
            "parentcaller": "0x7ff6c28d528d",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc6fd7e000"
              },
              {
                "name": "ModuleName",
                "value": "policymanager.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 984
          },
          {
            "timestamp": "2026-05-28 22:01:57,350",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6426",
            "parentcaller": "0x7ff6c28d528d",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc6fd7e000"
              },
              {
                "name": "ModuleName",
                "value": "policymanager.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 985
          },
          {
            "timestamp": "2026-05-28 22:01:57,350",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6426",
            "parentcaller": "0x7ff6c28d528d",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "Software\\Microsoft\\PolicyManager\\default\\WindowsLogon\\HideFastUserSwitching"
              },
              {
                "name": "Handle",
                "value": "0x000003c4"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\PolicyManager\\default\\WindowsLogon\\HideFastUserSwitching"
              }
            ],
            "repeated": 0,
            "id": 986
          },
          {
            "timestamp": "2026-05-28 22:01:57,350",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6426",
            "parentcaller": "0x7ff6c28d528d",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003c4"
              },
              {
                "name": "ValueName",
                "value": "PolicyType"
              },
              {
                "name": "Data",
                "value": "4"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\WindowsLogon\\HideFastUserSwitching\\PolicyType"
              }
            ],
            "repeated": 0,
            "id": 987
          },
          {
            "timestamp": "2026-05-28 22:01:57,350",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6426",
            "parentcaller": "0x7ff6c28d528d",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003c4"
              },
              {
                "name": "ValueName",
                "value": "Behavior"
              },
              {
                "name": "Data",
                "value": "8225"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\WindowsLogon\\HideFastUserSwitching\\Behavior"
              }
            ],
            "repeated": 0,
            "id": 988
          },
          {
            "timestamp": "2026-05-28 22:01:57,350",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6426",
            "parentcaller": "0x7ff6c28d528d",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003c4"
              },
              {
                "name": "ValueName",
                "value": "MergeAlgorithm"
              },
              {
                "name": "Data",
                "value": "2"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\WindowsLogon\\HideFastUserSwitching\\MergeAlgorithm"
              }
            ],
            "repeated": 0,
            "id": 989
          },
          {
            "timestamp": "2026-05-28 22:01:57,350",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6426",
            "parentcaller": "0x7ff6c28d528d",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003c4"
              },
              {
                "name": "ValueName",
                "value": "RegKeyPathRedirectMapped"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\WindowsLogon\\HideFastUserSwitching\\RegKeyPathRedirectMapped"
              }
            ],
            "repeated": 0,
            "id": 990
          },
          {
            "timestamp": "2026-05-28 22:01:57,350",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6426",
            "parentcaller": "0x7ff6c28d528d",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003c4"
              },
              {
                "name": "ValueName",
                "value": "RegKeyPathRedirect"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\WindowsLogon\\HideFastUserSwitching\\RegKeyPathRedirect"
              }
            ],
            "repeated": 0,
            "id": 991
          },
          {
            "timestamp": "2026-05-28 22:01:57,350",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6426",
            "parentcaller": "0x7ff6c28d528d",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc6fd7e000"
              },
              {
                "name": "ModuleName",
                "value": "policymanager.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 992
          },
          {
            "timestamp": "2026-05-28 22:01:57,350",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6426",
            "parentcaller": "0x7ff6c28d528d",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc6fd7e000"
              },
              {
                "name": "ModuleName",
                "value": "policymanager.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 993
          },
          {
            "timestamp": "2026-05-28 22:01:57,350",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6426",
            "parentcaller": "0x7ff6c28d528d",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003c4"
              },
              {
                "name": "ValueName",
                "value": "RegKeyPathRedirect"
              },
              {
                "name": "Data",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\WindowsLogon\\HideFastUserSwitching\\RegKeyPathRedirect"
              }
            ],
            "repeated": 0,
            "id": 994
          },
          {
            "timestamp": "2026-05-28 22:01:57,350",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6426",
            "parentcaller": "0x7ff6c28d528d",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003c4"
              },
              {
                "name": "ValueName",
                "value": "RegValueNameRedirect"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\WindowsLogon\\HideFastUserSwitching\\RegValueNameRedirect"
              }
            ],
            "repeated": 0,
            "id": 995
          },
          {
            "timestamp": "2026-05-28 22:01:57,350",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6426",
            "parentcaller": "0x7ff6c28d528d",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003c4"
              },
              {
                "name": "ValueName",
                "value": "RegValueNameRedirect"
              },
              {
                "name": "Data",
                "value": "HideFastUserSwitching"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\WindowsLogon\\HideFastUserSwitching\\RegValueNameRedirect"
              }
            ],
            "repeated": 0,
            "id": 996
          },
          {
            "timestamp": "2026-05-28 22:01:57,350",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6426",
            "parentcaller": "0x7ff6c28d528d",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003c4"
              },
              {
                "name": "ValueName",
                "value": "grouppolicyname"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\WindowsLogon\\HideFastUserSwitching\\grouppolicyname"
              }
            ],
            "repeated": 0,
            "id": 997
          },
          {
            "timestamp": "2026-05-28 22:01:57,350",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6426",
            "parentcaller": "0x7ff6c28d528d",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003c4"
              },
              {
                "name": "ValueName",
                "value": "ADMXMetadataUser"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\WindowsLogon\\HideFastUserSwitching\\ADMXMetadataUser"
              }
            ],
            "repeated": 0,
            "id": 998
          },
          {
            "timestamp": "2026-05-28 22:01:57,350",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6426",
            "parentcaller": "0x7ff6c28d528d",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003c4"
              },
              {
                "name": "ValueName",
                "value": "ADMXMetadataDevice"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\WindowsLogon\\HideFastUserSwitching\\ADMXMetadataDevice"
              }
            ],
            "repeated": 0,
            "id": 999
          },
          {
            "timestamp": "2026-05-28 22:01:57,350",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6426",
            "parentcaller": "0x7ff6c28d528d",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003c4"
              },
              {
                "name": "ValueName",
                "value": "ADMXMetadataBoth"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\WindowsLogon\\HideFastUserSwitching\\ADMXMetadataBoth"
              }
            ],
            "repeated": 0,
            "id": 1000
          },
          {
            "timestamp": "2026-05-28 22:01:57,350",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6426",
            "parentcaller": "0x7ff6c28d528d",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003c4"
              },
              {
                "name": "ValueName",
                "value": "30Value"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\WindowsLogon\\HideFastUserSwitching\\30Value"
              }
            ],
            "repeated": 0,
            "id": 1001
          },
          {
            "timestamp": "2026-05-28 22:01:57,350",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6426",
            "parentcaller": "0x7ff6c28d528d",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003c4"
              },
              {
                "name": "ValueName",
                "value": "Value"
              },
              {
                "name": "Data",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\WindowsLogon\\HideFastUserSwitching\\Value"
              }
            ],
            "repeated": 0,
            "id": 1002
          },
          {
            "timestamp": "2026-05-28 22:01:57,350",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6426",
            "parentcaller": "0x7ff6c28d528d",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003c4"
              }
            ],
            "repeated": 0,
            "id": 1003
          },
          {
            "timestamp": "2026-05-28 22:01:57,350",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6426",
            "parentcaller": "0x7ff6c28d528d",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System"
              },
              {
                "name": "Handle",
                "value": "0x000003c4"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System"
              }
            ],
            "repeated": 0,
            "id": 1004
          },
          {
            "timestamp": "2026-05-28 22:01:57,350",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6426",
            "parentcaller": "0x7ff6c28d528d",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003c4"
              },
              {
                "name": "ValueName",
                "value": "HideFastUserSwitching"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\HideFastUserSwitching"
              }
            ],
            "repeated": 0,
            "id": 1005
          },
          {
            "timestamp": "2026-05-28 22:01:57,350",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6426",
            "parentcaller": "0x7ff6c28d528d",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003c4"
              }
            ],
            "repeated": 0,
            "id": 1006
          },
          {
            "timestamp": "2026-05-28 22:01:57,350",
            "thread_id": "1496",
            "caller": "0x7ff6c28d62ef",
            "parentcaller": "0x7ff6c28d53fd",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000001",
                "pretty_value": "HKEY_CURRENT_USER"
              },
              {
                "name": "SubKey",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\TaskManager"
              },
              {
                "name": "Handle",
                "value": "0x000003c4"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\TaskManager"
              }
            ],
            "repeated": 0,
            "id": 1007
          },
          {
            "timestamp": "2026-05-28 22:01:57,350",
            "thread_id": "1496",
            "caller": "0x7ff6c28d62ef",
            "parentcaller": "0x7ff6c28d53fd",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003c4"
              },
              {
                "name": "ValueName",
                "value": "StartUpTab"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\TaskManager\\StartUpTab"
              }
            ],
            "repeated": 0,
            "id": 1008
          },
          {
            "timestamp": "2026-05-28 22:01:57,350",
            "thread_id": "1496",
            "caller": "0x7ff6c28d62ef",
            "parentcaller": "0x7ff6c28d53fd",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003c4"
              }
            ],
            "repeated": 0,
            "id": 1009
          },
          {
            "timestamp": "2026-05-28 22:01:57,350",
            "thread_id": "1496",
            "caller": "0x7ff6c28d62ef",
            "parentcaller": "0x7ff6c28d53fd",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\TaskManager"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\TaskManager"
              }
            ],
            "repeated": 0,
            "id": 1010
          },
          {
            "timestamp": "2026-05-28 22:01:57,396",
            "thread_id": "1496",
            "caller": "0x7ff6c28b50d0",
            "parentcaller": "0x7ff6c28b501f",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "Comctl32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc61e00000"
              }
            ],
            "repeated": 0,
            "id": 1011
          },
          {
            "timestamp": "2026-05-28 22:01:57,396",
            "thread_id": "1496",
            "caller": "0x7ff6c28b50d0",
            "parentcaller": "0x7ff6c28b501f",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x7ffc61e00000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "Comctl32.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 1012
          },
          {
            "timestamp": "2026-05-28 22:01:57,396",
            "thread_id": "1496",
            "caller": "0x7ff6c28b50a7",
            "parentcaller": "0x7ff6c28b501f",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "COMCTL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc61e00000"
              },
              {
                "name": "FunctionName",
                "value": "DPA_Create"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc61e8e360"
              }
            ],
            "repeated": 0,
            "id": 1013
          },
          {
            "timestamp": "2026-05-28 22:01:57,396",
            "thread_id": "1496",
            "caller": "0x7ff6c28e3417",
            "parentcaller": "0x7ff6c28b1fb2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2924e271000"
              },
              {
                "name": "RegionSize",
                "value": "0x00003000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1014
          },
          {
            "timestamp": "2026-05-28 22:01:57,396",
            "thread_id": "1496",
            "caller": "0x7ff6c28e3417",
            "parentcaller": "0x7ff6c28b1fda",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2924e274000"
              },
              {
                "name": "RegionSize",
                "value": "0x00003000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1015
          },
          {
            "timestamp": "2026-05-28 22:01:57,396",
            "thread_id": "1496",
            "caller": "0x7ff6c28e3417",
            "parentcaller": "0x7ff6c28b2002",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2924e277000"
              },
              {
                "name": "RegionSize",
                "value": "0x00003000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1016
          },
          {
            "timestamp": "2026-05-28 22:01:57,396",
            "thread_id": "1496",
            "caller": "0x7ff6c28e3417",
            "parentcaller": "0x7ff6c28b2055",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2924e27a000"
              },
              {
                "name": "RegionSize",
                "value": "0x00003000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1017
          },
          {
            "timestamp": "2026-05-28 22:01:57,396",
            "thread_id": "1496",
            "caller": "0x7ff6c28e3417",
            "parentcaller": "0x7ff6c28b2080",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2924e27d000"
              },
              {
                "name": "RegionSize",
                "value": "0x00003000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1018
          },
          {
            "timestamp": "2026-05-28 22:01:57,396",
            "thread_id": "1496",
            "caller": "0x7ff6c28dd762",
            "parentcaller": "0x7ff6c28e0d59",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff6c29dc000"
              },
              {
                "name": "ModuleName",
                "value": "taskmgr.exe"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1019
          },
          {
            "timestamp": "2026-05-28 22:01:57,396",
            "thread_id": "1496",
            "caller": "0x7ff6c28dd762",
            "parentcaller": "0x7ff6c28e0d59",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff6c29dc000"
              },
              {
                "name": "ModuleName",
                "value": "taskmgr.exe"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1020
          },
          {
            "timestamp": "2026-05-28 22:01:57,396",
            "thread_id": "1496",
            "caller": "0x7ff6c28dd762",
            "parentcaller": "0x7ff6c28e0de4",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff6c29dc000"
              },
              {
                "name": "ModuleName",
                "value": "taskmgr.exe"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1021
          },
          {
            "timestamp": "2026-05-28 22:01:57,396",
            "thread_id": "1496",
            "caller": "0x7ff6c28dd762",
            "parentcaller": "0x7ff6c28e0de4",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff6c29dc000"
              },
              {
                "name": "ModuleName",
                "value": "taskmgr.exe"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1022
          },
          {
            "timestamp": "2026-05-28 22:01:57,396",
            "thread_id": "1496",
            "caller": "0x7ff6c28b35bf",
            "parentcaller": "0x7ff6c28b3545",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003d4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020119",
                "pretty_value": "KEY_QUERY_VALUE|KEY_ENUMERATE_SUB_KEYS|KEY_NOTIFY|KEY_WOW64_64KEY|STANDARD_RIGHTS_REQUIRED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\MACHINE\\Software\\Microsoft\\WindowsRuntime"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\WindowsRuntime"
              }
            ],
            "repeated": 0,
            "id": 1023
          },
          {
            "timestamp": "2026-05-28 22:01:57,396",
            "thread_id": "1496",
            "caller": "0x7ff6c28b35bf",
            "parentcaller": "0x7ff6c28b3545",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003d8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020119",
                "pretty_value": "KEY_QUERY_VALUE|KEY_ENUMERATE_SUB_KEYS|KEY_NOTIFY|KEY_WOW64_64KEY|STANDARD_RIGHTS_REQUIRED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000003d4"
              },
              {
                "name": "ObjectAttributesName",
                "value": "ActivatableClassId"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId"
              }
            ],
            "repeated": 0,
            "id": 1024
          },
          {
            "timestamp": "2026-05-28 22:01:57,396",
            "thread_id": "1496",
            "caller": "0x7ff6c28b35bf",
            "parentcaller": "0x7ff6c28b3545",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003dc"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020119",
                "pretty_value": "KEY_QUERY_VALUE|KEY_ENUMERATE_SUB_KEYS|KEY_NOTIFY|KEY_WOW64_64KEY|STANDARD_RIGHTS_REQUIRED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000003d8"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Windows.Networking.UX.UXManager"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Networking.UX.UXManager"
              }
            ],
            "repeated": 0,
            "id": 1025
          },
          {
            "timestamp": "2026-05-28 22:01:57,396",
            "thread_id": "1496",
            "caller": "0x7ff6c28b35bf",
            "parentcaller": "0x7ff6c28b3545",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003dc"
              },
              {
                "name": "KeyInformation",
                "value": "7_\\xffea\\xffe6\\xfff8\\xffee\\xffdc\\x01\\x00\\x00\\x00\\x00>\\x00\\x00\\x00W\\x00i\\x00n\\x00d\\x00o\\x00w\\x00s\\x00.\\x00N\\x00e\\x00t\\x00w\\x00o\\x00r\\x00k\\x00i\\x00n\\x00g\\x00.\\x00U\\x00X\\x00.\\x00U\\x00X\\x00M\\x00a\\x00n\\x00a\\x00g\\x00e\\x00r\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xff9d\\xffd0\\xffd93\\xfffc\\x7f\\x00\\x00\\xffb8\\xffcf\\xffd93\\xfffc\\x7f\\x00\\x00\\xff90\\xffae&N\\xff92\\x02\\x00\\x00\\xfff8\\xff81\\xffd93\\xfffc\\x7f\\x00\\x00\\x19\\x01\\x02\\x00\\xff92\\x02\\x00\\x002\\xffcb#\\xffbeK\\xffb4\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xff87\\x00C8\\xfffc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xff87\\x00C8\\xfffc\\x7f\\x00\\x00\\x08\\xfff0v\\xff9d\\xfff0\\x00\\x00\\x00\\xff82\\xffce#\\xffbeK\\xffb4\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xffe0\\x13&N\\xff92\\x02\\x00\\x000z\\xff98\\xffc2\\xfff6\\x7f\\x00\\x00\\xffff\\xffff\\xffff\\xffff\\xffff\\xffff\\xffff\\xffff\\x19\\x01\\x02\\x00\\x00\\x00\\x00\\x00\\xffe07&N\\xff92\\x02\\x00\\x00P\\xfff0v\\xff9d\\xfff0\\x00\\x00\\x00\\xffe4I\\xffb73\\xfffc\\x7f\\x00\\x000z\\xff98\\xffc2\\xfff6\\x7f\\x00\\x00\\xffff\\xffff\\xffff\\xffff\\xffff\\xffff\\xffff\\xffff\\xffd4\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\xffb9\\x00C8\\xfffc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xff9d\\xffd0\\xffd93\\xfffc\\x7f\\x00\\x00\\xffb8\\xffcf\\xffd93\\xfffc\\x7f\\x00\\x00\\xffe07&N\\xff92\\x02\\x00\\x00\\xfff8\\xff81\\xffd93\\xfffc\\x7f\\x00\\x00\\x19\\x01\\x02\\x00\\xff92\\x02\\x00\\x00h\\xffd0\\xffd93\\xfffc\\x7f\\x00\\x00\\xffd4\\x03\\x00\\x00\\x00\\x00\\x00\\x00P\\xffd0\\xffd93\\xfffc\\x7f\\x00\\x00@\\xfff0v\\xff9d\\xfff0\\x00\\x00\\x00\\xff98\\xff85\\xffd93\\xfffc\\x7f\\x00\\x00P\\xfff0v\\xff9d\\xfff0\\x00\\x00\\x00P0&N\\xff92\\x02\\x00\\x00\\xffb0t\\xffbcw\\xfffc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\xff92\\x02\\x00\\x00\\xffd0\\xfff1v\\xff9d\\xfff0\\x00\\x00\\x00\\xffe07&N\\xff9
2\\x02\\x00\\x00\\xffe0\\x13&N\\xff92\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00$\\x00&\\x00\\x00\\x00\\x00\\x00l0&N\\xff92\\x02\\x00\\x000\\x00\\x00\\x00\\xff92\\x02\\x00\\x00\\xffd4\\x03\\x00\\x00\\x00\\x00\\x00\\x00@\\xfff0v\\xff9d\\xfff0\\x00\\x00\\x00@\\x00\\x00\\x00\\xfff0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xffd07&N\\xff92\\x02\\x00\\x00\\x19h\\xffbcw\\xfffc\\x7f\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 1026
          },
          {
            "timestamp": "2026-05-28 22:01:57,396",
            "thread_id": "1496",
            "caller": "0x7ff6c28b35bf",
            "parentcaller": "0x7ff6c28b3545",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003dc"
              },
              {
                "name": "ValueName",
                "value": "ActivationType"
              },
              {
                "name": "Data",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Networking.UX.UXManager\\ActivationType"
              }
            ],
            "repeated": 0,
            "id": 1027
          },
          {
            "timestamp": "2026-05-28 22:01:57,396",
            "thread_id": "1496",
            "caller": "0x7ff6c28b35bf",
            "parentcaller": "0x7ff6c28b3545",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003dc"
              },
              {
                "name": "ValueName",
                "value": "Server"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Networking.UX.UXManager\\Server"
              }
            ],
            "repeated": 0,
            "id": 1028
          },
          {
            "timestamp": "2026-05-28 22:01:57,396",
            "thread_id": "1496",
            "caller": "0x7ff6c28b35bf",
            "parentcaller": "0x7ff6c28b3545",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003dc"
              },
              {
                "name": "ValueName",
                "value": "DllPath"
              },
              {
                "name": "Data",
                "value": "C:\\Windows\\System32\\NetworkUXBroker.dll"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Networking.UX.UXManager\\DllPath"
              }
            ],
            "repeated": 0,
            "id": 1029
          },
          {
            "timestamp": "2026-05-28 22:01:57,396",
            "thread_id": "1496",
            "caller": "0x7ff6c28b35bf",
            "parentcaller": "0x7ff6c28b3545",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003dc"
              },
              {
                "name": "ValueName",
                "value": "Threading"
              },
              {
                "name": "Data",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Networking.UX.UXManager\\Threading"
              }
            ],
            "repeated": 0,
            "id": 1030
          },
          {
            "timestamp": "2026-05-28 22:01:57,396",
            "thread_id": "1496",
            "caller": "0x7ff6c28b35bf",
            "parentcaller": "0x7ff6c28b3545",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003dc"
              },
              {
                "name": "ValueName",
                "value": "TrustLevel"
              },
              {
                "name": "Data",
                "value": "1"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Networking.UX.UXManager\\TrustLevel"
              }
            ],
            "repeated": 0,
            "id": 1031
          },
          {
            "timestamp": "2026-05-28 22:01:57,396",
            "thread_id": "1496",
            "caller": "0x7ff6c28b35bf",
            "parentcaller": "0x7ff6c28b3545",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x000003dc"
              },
              {
                "name": "SubKey",
                "value": "CustomAttributes"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Networking.UX.UXManager\\CustomAttributes"
              }
            ],
            "repeated": 0,
            "id": 1032
          },
          {
            "timestamp": "2026-05-28 22:01:57,396",
            "thread_id": "1496",
            "caller": "0x7ff6c28b35bf",
            "parentcaller": "0x7ff6c28b3545",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003dc"
              },
              {
                "name": "ValueName",
                "value": "RemoteServer"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Networking.UX.UXManager\\RemoteServer"
              }
            ],
            "repeated": 0,
            "id": 1033
          },
          {
            "timestamp": "2026-05-28 22:01:57,396",
            "thread_id": "1496",
            "caller": "0x7ff6c28b35bf",
            "parentcaller": "0x7ff6c28b3545",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003dc"
              },
              {
                "name": "ValueName",
                "value": "ActivateAsUser"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Networking.UX.UXManager\\ActivateAsUser"
              }
            ],
            "repeated": 0,
            "id": 1034
          },
          {
            "timestamp": "2026-05-28 22:01:57,396",
            "thread_id": "1496",
            "caller": "0x7ff6c28b35bf",
            "parentcaller": "0x7ff6c28b3545",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003dc"
              },
              {
                "name": "ValueName",
                "value": "ActivateInSharedBroker"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Networking.UX.UXManager\\ActivateInSharedBroker"
              }
            ],
            "repeated": 0,
            "id": 1035
          },
          {
            "timestamp": "2026-05-28 22:01:57,396",
            "thread_id": "1496",
            "caller": "0x7ff6c28b35bf",
            "parentcaller": "0x7ff6c28b3545",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003dc"
              },
              {
                "name": "ValueName",
                "value": "ActivateInBrokerForMediumILContainer"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Networking.UX.UXManager\\ActivateInBrokerForMediumILContainer"
              }
            ],
            "repeated": 0,
            "id": 1036
          },
          {
            "timestamp": "2026-05-28 22:01:57,396",
            "thread_id": "1496",
            "caller": "0x7ff6c28b35bf",
            "parentcaller": "0x7ff6c28b3545",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003dc"
              },
              {
                "name": "ValueName",
                "value": "Permissions"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Networking.UX.UXManager\\Permissions"
              }
            ],
            "repeated": 0,
            "id": 1037
          },
          {
            "timestamp": "2026-05-28 22:01:57,396",
            "thread_id": "1496",
            "caller": "0x7ff6c28b35bf",
            "parentcaller": "0x7ff6c28b3545",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003dc"
              },
              {
                "name": "ValueName",
                "value": "ActivateOnHostFlags"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Networking.UX.UXManager\\ActivateOnHostFlags"
              }
            ],
            "repeated": 0,
            "id": 1038
          },
          {
            "timestamp": "2026-05-28 22:01:57,396",
            "thread_id": "1496",
            "caller": "0x7ff6c28b35bf",
            "parentcaller": "0x7ff6c28b3545",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "SOFTWARE\\Microsoft\\OLE\\Diagnosis"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\OLE\\Diagnosis"
              }
            ],
            "repeated": 0,
            "id": 1039
          },
          {
            "timestamp": "2026-05-28 22:01:57,396",
            "thread_id": "1496",
            "caller": "0x7ff6c28b35bf",
            "parentcaller": "0x7ff6c28b3545",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003dc"
              }
            ],
            "repeated": 0,
            "id": 1040
          },
          {
            "timestamp": "2026-05-28 22:01:57,396",
            "thread_id": "1496",
            "caller": "0x7ff6c28b35bf",
            "parentcaller": "0x7ff6c28b3545",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x000003dc"
              }
            ],
            "repeated": 0,
            "id": 1041
          },
          {
            "timestamp": "2026-05-28 22:01:57,396",
            "thread_id": "1496",
            "caller": "0x7ff6c28b35bf",
            "parentcaller": "0x7ff6c28b3545",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "25"
              },
              {
                "name": "TokenInformation",
                "value": "\\xb0\\xf2v\\x9d\\xf0\\x00\\x00\\x00`\\x00\\x00\\x00\\xfc\\x7f\\x00\\x00\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x10\\x000\\x00\\x00\\xff\\xff\\xff\\xff\\xf8\\x81\\xd93\\xfc\\x7f\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x18\\xc0\\xd93\\xfc\\x7f\\x00\\x00\\x88\\xf3v\\x9d\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00k\\x02ru\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1042
          },
          {
            "timestamp": "2026-05-28 22:01:57,396",
            "thread_id": "1496",
            "caller": "0x7ff6c28b35bf",
            "parentcaller": "0x7ff6c28b3545",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003dc"
              }
            ],
            "repeated": 0,
            "id": 1043
          },
          {
            "timestamp": "2026-05-28 22:01:57,396",
            "thread_id": "1496",
            "caller": "0x7ff6c28b35bf",
            "parentcaller": "0x7ff6c28b3545",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "Software\\Microsoft\\OLE"
              },
              {
                "name": "Handle",
                "value": "0x000003dc"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\OLE"
              }
            ],
            "repeated": 0,
            "id": 1044
          },
          {
            "timestamp": "2026-05-28 22:01:57,396",
            "thread_id": "1496",
            "caller": "0x7ff6c28b35bf",
            "parentcaller": "0x7ff6c28b3545",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003dc"
              },
              {
                "name": "ValueName",
                "value": "MaxSxSHashCount"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Ole\\MaxSxSHashCount"
              }
            ],
            "repeated": 0,
            "id": 1045
          },
          {
            "timestamp": "2026-05-28 22:01:57,396",
            "thread_id": "1496",
            "caller": "0x7ff6c28b35bf",
            "parentcaller": "0x7ff6c28b3545",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003dc"
              }
            ],
            "repeated": 0,
            "id": 1046
          },
          {
            "timestamp": "2026-05-28 22:01:57,396",
            "thread_id": "1496",
            "caller": "0x7ff6c28b35bf",
            "parentcaller": "0x7ff6c28b3545",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\System32\\NetworkUXBroker"
              },
              {
                "name": "DllBase",
                "value": "0x7ffc68f00000"
              }
            ],
            "repeated": 0,
            "id": 1047
          },
          {
            "timestamp": "2026-05-28 22:01:57,412",
            "thread_id": "1496",
            "caller": "0x7ff6c28b35bf",
            "parentcaller": "0x7ff6c28b3545",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\NetworkUXBroker.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc68f00000"
              }
            ],
            "repeated": 0,
            "id": 1048
          },
          {
            "timestamp": "2026-05-28 22:01:57,412",
            "thread_id": "1496",
            "caller": "0x7ff6c28b35bf",
            "parentcaller": "0x7ff6c28b3545",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x7ffc68f00000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\System32\\NetworkUXBroker.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00002008"
              }
            ],
            "repeated": 0,
            "id": 1049
          },
          {
            "timestamp": "2026-05-28 22:01:57,412",
            "thread_id": "1496",
            "caller": "0x7ff6c28b35bf",
            "parentcaller": "0x7ff6c28b3545",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "NetworkUXBroker.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc68f00000"
              },
              {
                "name": "FunctionName",
                "value": "DllGetClassObject"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc68f02930"
              }
            ],
            "repeated": 0,
            "id": 1050
          },
          {
            "timestamp": "2026-05-28 22:01:57,412",
            "thread_id": "1496",
            "caller": "0x7ff6c28b35bf",
            "parentcaller": "0x7ff6c28b3545",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "NetworkUXBroker.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc68f00000"
              },
              {
                "name": "FunctionName",
                "value": "DllGetActivationFactory"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc68f02750"
              }
            ],
            "repeated": 0,
            "id": 1051
          },
          {
            "timestamp": "2026-05-28 22:01:57,412",
            "thread_id": "1496",
            "caller": "0x7ff6c28b35bf",
            "parentcaller": "0x7ff6c28b3545",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "NetworkUXBroker.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc68f00000"
              },
              {
                "name": "FunctionName",
                "value": "DllCanUnloadNow"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc68f02d40"
              }
            ],
            "repeated": 0,
            "id": 1052
          },
          {
            "timestamp": "2026-05-28 22:01:57,428",
            "thread_id": "1496",
            "caller": "0x7ff6c28b35bf",
            "parentcaller": "0x7ff6c28b3545",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc68f65000"
              },
              {
                "name": "ModuleName",
                "value": "NetworkUXBroker.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1053
          },
          {
            "timestamp": "2026-05-28 22:01:57,428",
            "thread_id": "1496",
            "caller": "0x7ff6c28b35bf",
            "parentcaller": "0x7ff6c28b3545",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc68f65000"
              },
              {
                "name": "ModuleName",
                "value": "NetworkUXBroker.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1054
          },
          {
            "timestamp": "2026-05-28 22:01:57,428",
            "thread_id": "1496",
            "caller": "0x7ff6c28b35bf",
            "parentcaller": "0x7ff6c28b3545",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc68f65000"
              },
              {
                "name": "ModuleName",
                "value": "NetworkUXBroker.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1055
          },
          {
            "timestamp": "2026-05-28 22:01:57,428",
            "thread_id": "1496",
            "caller": "0x7ff6c28b35bf",
            "parentcaller": "0x7ff6c28b3545",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc68f65000"
              },
              {
                "name": "ModuleName",
                "value": "NetworkUXBroker.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1056
          },
          {
            "timestamp": "2026-05-28 22:01:57,428",
            "thread_id": "1496",
            "caller": "0x7ff6c28b35bf",
            "parentcaller": "0x7ff6c28b3545",
            "category": "system",
            "api": "IsDebuggerPresent",
            "status": false,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 1057
          },
          {
            "timestamp": "2026-05-28 22:01:57,428",
            "thread_id": "1496",
            "caller": "0x7ff6c28b36c5",
            "parentcaller": "0x7ff6c28b3545",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0000000e"
              },
              {
                "name": "TokenHandle",
                "value": "0x000003e4"
              }
            ],
            "repeated": 0,
            "id": 1058
          },
          {
            "timestamp": "2026-05-28 22:01:57,428",
            "thread_id": "1496",
            "caller": "0x7ff6c28b36c5",
            "parentcaller": "0x7ff6c28b3545",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003e4"
              }
            ],
            "repeated": 0,
            "id": 1059
          },
          {
            "timestamp": "2026-05-28 22:01:57,428",
            "thread_id": "1496",
            "caller": "0x7ff6c28b36c5",
            "parentcaller": "0x7ff6c28b3545",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003e4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80000000",
                "pretty_value": "0x80000000"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Microsoft\\SecurityManager\\AdminCapabilities"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\SecurityManager\\AdminCapabilities"
              }
            ],
            "repeated": 0,
            "id": 1060
          },
          {
            "timestamp": "2026-05-28 22:01:57,428",
            "thread_id": "1496",
            "caller": "0x7ff6c28b36c5",
            "parentcaller": "0x7ff6c28b3545",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003e4"
              },
              {
                "name": "ValueName",
                "value": "shellExperience"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SecurityManager\\AdminCapabilities\\shellExperience"
              }
            ],
            "repeated": 0,
            "id": 1061
          },
          {
            "timestamp": "2026-05-28 22:01:57,428",
            "thread_id": "1496",
            "caller": "0x7ff6c28b36c5",
            "parentcaller": "0x7ff6c28b3545",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xb0\\xf0v\\x9d\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xfc\\x7f\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\xe9\\x03\\x00\\x00 \\x02\\x00\\x00\\xd0\\x81<%\\x1e2\\x005\\xb7x)\\x13I=\\x97*\\xee\\xce'\\xd6\\x97\\xec#0mJQa\\x00\\x00\\x18\\x00\\x01\\x00\\x00\\x00\\x01\\x02\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1062
          },
          {
            "timestamp": "2026-05-28 22:01:57,428",
            "thread_id": "1496",
            "caller": "0x7ff6c28b36c5",
            "parentcaller": "0x7ff6c28b3545",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003e4"
              }
            ],
            "repeated": 0,
            "id": 1063
          },
          {
            "timestamp": "2026-05-28 22:01:57,428",
            "thread_id": "1496",
            "caller": "0x7ff6c28b36c5",
            "parentcaller": "0x7ff6c28b3545",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003e8"
              }
            ],
            "repeated": 0,
            "id": 1064
          },
          {
            "timestamp": "2026-05-28 22:01:57,428",
            "thread_id": "1496",
            "caller": "0x7ff6c28b36c5",
            "parentcaller": "0x7ff6c28b3545",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29253b94000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1065
          },
          {
            "timestamp": "2026-05-28 22:01:57,428",
            "thread_id": "1496",
            "caller": "0x7ff6c28b36c5",
            "parentcaller": "0x7ff6c28b3545",
            "category": "services",
            "api": "OpenSCManagerW",
            "status": true,
            "return": "0x2924e25eac0",
            "arguments": [
              {
                "name": "MachineName",
                "value": ""
              },
              {
                "name": "DatabaseName",
                "value": "ServicesActive"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "SC_MANAGER_CONNECT"
              }
            ],
            "repeated": 0,
            "id": 1066
          },
          {
            "timestamp": "2026-05-28 22:01:57,428",
            "thread_id": "1496",
            "caller": "0x7ff6c28b36c5",
            "parentcaller": "0x7ff6c28b3545",
            "category": "services",
            "api": "OpenServiceW",
            "status": true,
            "return": "0x2924e25eaf0",
            "arguments": [
              {
                "name": "ServiceControlManager",
                "value": "0x2924e25eac0"
              },
              {
                "name": "ServiceName",
                "value": "wlansvc"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000004",
                "pretty_value": "SERVICE_QUERY_STATUS"
              }
            ],
            "repeated": 0,
            "id": 1067
          },
          {
            "timestamp": "2026-05-28 22:01:57,428",
            "thread_id": "2700",
            "caller": "0x7ffc7804507d",
            "parentcaller": "0x7ffc78044c43",
            "category": "threading",
            "api": "NtTestAlert",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 1068
          },
          {
            "timestamp": "2026-05-28 22:01:57,428",
            "thread_id": "2700",
            "caller": "0x00000000",
            "parentcaller": "0x00000000",
            "category": "threading",
            "api": "RtlUserThreadStart",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "StartAddress",
                "value": "0x7ffc78022b30"
              },
              {
                "name": "Parameter",
                "value": "0x2924e1f0b50"
              }
            ],
            "repeated": 0,
            "id": 1069
          },
          {
            "timestamp": "2026-05-28 22:01:57,428",
            "thread_id": "2700",
            "caller": "0x7ffc77fde715",
            "parentcaller": "0x7ffc77fde37b",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2924e280000"
              },
              {
                "name": "RegionSize",
                "value": "0x00002000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1070
          },
          {
            "timestamp": "2026-05-28 22:01:57,428",
            "thread_id": "1496",
            "caller": "0x7ff6c28b36c5",
            "parentcaller": "0x7ff6c28b3545",
            "category": "services",
            "api": "OpenSCManagerW",
            "status": true,
            "return": "0x2924e25e970",
            "arguments": [
              {
                "name": "MachineName",
                "value": ""
              },
              {
                "name": "DatabaseName",
                "value": "ServicesActive"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "SC_MANAGER_CONNECT"
              }
            ],
            "repeated": 0,
            "id": 1071
          },
          {
            "timestamp": "2026-05-28 22:01:57,428",
            "thread_id": "1496",
            "caller": "0x7ff6c28b36c5",
            "parentcaller": "0x7ff6c28b3545",
            "category": "services",
            "api": "OpenServiceW",
            "status": true,
            "return": "0x2924e25e9a0",
            "arguments": [
              {
                "name": "ServiceControlManager",
                "value": "0x2924e25e970"
              },
              {
                "name": "ServiceName",
                "value": "wwansvc"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000004",
                "pretty_value": "SERVICE_QUERY_STATUS"
              }
            ],
            "repeated": 0,
            "id": 1072
          },
          {
            "timestamp": "2026-05-28 22:01:57,428",
            "thread_id": "1496",
            "caller": "0x7ff6c28b36c5",
            "parentcaller": "0x7ff6c28b3545",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "SYSTEM\\CurrentControlSet\\Control\\NetworkUXManager"
              },
              {
                "name": "Handle",
                "value": "0x000003ec"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\NetworkUXManager"
              }
            ],
            "repeated": 0,
            "id": 1073
          },
          {
            "timestamp": "2026-05-28 22:01:57,428",
            "thread_id": "1496",
            "caller": "0x7ff6c28b36c5",
            "parentcaller": "0x7ff6c28b3545",
            "category": "registry",
            "api": "RegEnumKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003ec"
              },
              {
                "name": "Index",
                "value": "0"
              },
              {
                "name": "Name",
                "value": "Windows.Networking.UX.Internal.DAMediaManager"
              },
              {
                "name": "Class",
                "value": ""
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\NetworkUxManager\\Windows.Networking.UX.Internal.DAMediaManager"
              }
            ],
            "repeated": 0,
            "id": 1074
          },
          {
            "timestamp": "2026-05-28 22:01:57,428",
            "thread_id": "1496",
            "caller": "0x7ff6c28b36c5",
            "parentcaller": "0x7ff6c28b3545",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x000003ec"
              },
              {
                "name": "SubKey",
                "value": "Windows.Networking.UX.Internal.DAMediaManager"
              },
              {
                "name": "Handle",
                "value": "0x000003f0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\NetworkUxManager\\Windows.Networking.UX.Internal.DAMediaManager"
              }
            ],
            "repeated": 0,
            "id": 1075
          },
          {
            "timestamp": "2026-05-28 22:01:57,428",
            "thread_id": "1496",
            "caller": "0x7ff6c28b36c5",
            "parentcaller": "0x7ff6c28b3545",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003f0"
              },
              {
                "name": "ValueName",
                "value": "Active"
              },
              {
                "name": "Data",
                "value": "1"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\NetworkUxManager\\Windows.Networking.UX.Internal.DAMediaManager\\Active"
              }
            ],
            "repeated": 0,
            "id": 1076
          },
          {
            "timestamp": "2026-05-28 22:01:57,428",
            "thread_id": "1496",
            "caller": "0x7ff6c28b36c5",
            "parentcaller": "0x7ff6c28b3545",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003f0"
              },
              {
                "name": "ValueName",
                "value": "MediaType"
              },
              {
                "name": "Data",
                "value": "4"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\NetworkUxManager\\Windows.Networking.UX.Internal.DAMediaManager\\MediaType"
              }
            ],
            "repeated": 0,
            "id": 1077
          },
          {
            "timestamp": "2026-05-28 22:01:57,428",
            "thread_id": "1496",
            "caller": "0x7ff6c28b36c5",
            "parentcaller": "0x7ff6c28b3545",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003f0"
              }
            ],
            "repeated": 0,
            "id": 1078
          },
          {
            "timestamp": "2026-05-28 22:01:57,428",
            "thread_id": "1496",
            "caller": "0x7ff6c28b36c5",
            "parentcaller": "0x7ff6c28b3545",
            "category": "registry",
            "api": "RegEnumKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003ec"
              },
              {
                "name": "Index",
                "value": "1"
              },
              {
                "name": "Name",
                "value": "Windows.Networking.UX.Internal.EthernetMediaManager"
              },
              {
                "name": "Class",
                "value": ""
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\NetworkUxManager\\Windows.Networking.UX.Internal.EthernetMediaManager"
              }
            ],
            "repeated": 0,
            "id": 1079
          },
          {
            "timestamp": "2026-05-28 22:01:57,428",
            "thread_id": "1496",
            "caller": "0x7ff6c28b36c5",
            "parentcaller": "0x7ff6c28b3545",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x000003ec"
              },
              {
                "name": "SubKey",
                "value": "Windows.Networking.UX.Internal.EthernetMediaManager"
              },
              {
                "name": "Handle",
                "value": "0x000003f0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\NetworkUxManager\\Windows.Networking.UX.Internal.EthernetMediaManager"
              }
            ],
            "repeated": 0,
            "id": 1080
          },
          {
            "timestamp": "2026-05-28 22:01:57,428",
            "thread_id": "1496",
            "caller": "0x7ff6c28b36c5",
            "parentcaller": "0x7ff6c28b3545",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003f0"
              },
              {
                "name": "ValueName",
                "value": "Active"
              },
              {
                "name": "Data",
                "value": "1"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\NetworkUxManager\\Windows.Networking.UX.Internal.EthernetMediaManager\\Active"
              }
            ],
            "repeated": 0,
            "id": 1081
          },
          {
            "timestamp": "2026-05-28 22:01:57,428",
            "thread_id": "1496",
            "caller": "0x7ff6c28b36c5",
            "parentcaller": "0x7ff6c28b3545",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003f0"
              },
              {
                "name": "ValueName",
                "value": "MediaType"
              },
              {
                "name": "Data",
                "value": "3"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\NetworkUxManager\\Windows.Networking.UX.Internal.EthernetMediaManager\\MediaType"
              }
            ],
            "repeated": 0,
            "id": 1082
          },
          {
            "timestamp": "2026-05-28 22:01:57,428",
            "thread_id": "1496",
            "caller": "0x7ff6c28b36c5",
            "parentcaller": "0x7ff6c28b3545",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003f0"
              }
            ],
            "repeated": 0,
            "id": 1083
          },
          {
            "timestamp": "2026-05-28 22:01:57,428",
            "thread_id": "1496",
            "caller": "0x7ff6c28b36c5",
            "parentcaller": "0x7ff6c28b3545",
            "category": "registry",
            "api": "RegEnumKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003ec"
              },
              {
                "name": "Index",
                "value": "2"
              },
              {
                "name": "Name",
                "value": "Windows.Networking.UX.Internal.MBMediaManager"
              },
              {
                "name": "Class",
                "value": ""
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\NetworkUxManager\\Windows.Networking.UX.Internal.MBMediaManager"
              }
            ],
            "repeated": 0,
            "id": 1084
          },
          {
            "timestamp": "2026-05-28 22:01:57,428",
            "thread_id": "1496",
            "caller": "0x7ff6c28b36c5",
            "parentcaller": "0x7ff6c28b3545",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x000003ec"
              },
              {
                "name": "SubKey",
                "value": "Windows.Networking.UX.Internal.MBMediaManager"
              },
              {
                "name": "Handle",
                "value": "0x000003f0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\NetworkUxManager\\Windows.Networking.UX.Internal.MBMediaManager"
              }
            ],
            "repeated": 0,
            "id": 1085
          },
          {
            "timestamp": "2026-05-28 22:01:57,428",
            "thread_id": "1496",
            "caller": "0x7ff6c28b36c5",
            "parentcaller": "0x7ff6c28b3545",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003f0"
              },
              {
                "name": "ValueName",
                "value": "Active"
              },
              {
                "name": "Data",
                "value": "1"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\NetworkUxManager\\Windows.Networking.UX.Internal.MBMediaManager\\Active"
              }
            ],
            "repeated": 0,
            "id": 1086
          },
          {
            "timestamp": "2026-05-28 22:01:57,428",
            "thread_id": "1496",
            "caller": "0x7ff6c28b36c5",
            "parentcaller": "0x7ff6c28b3545",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003f0"
              },
              {
                "name": "ValueName",
                "value": "MediaType"
              },
              {
                "name": "Data",
                "value": "2"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\NetworkUxManager\\Windows.Networking.UX.Internal.MBMediaManager\\MediaType"
              }
            ],
            "repeated": 0,
            "id": 1087
          },
          {
            "timestamp": "2026-05-28 22:01:57,428",
            "thread_id": "1496",
            "caller": "0x7ff6c28b36c5",
            "parentcaller": "0x7ff6c28b3545",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003f0"
              }
            ],
            "repeated": 0,
            "id": 1088
          },
          {
            "timestamp": "2026-05-28 22:01:57,428",
            "thread_id": "1496",
            "caller": "0x7ff6c28b36c5",
            "parentcaller": "0x7ff6c28b3545",
            "category": "registry",
            "api": "RegEnumKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003ec"
              },
              {
                "name": "Index",
                "value": "3"
              },
              {
                "name": "Name",
                "value": "Windows.Networking.UX.Internal.RasMediaManager"
              },
              {
                "name": "Class",
                "value": ""
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\NetworkUxManager\\Windows.Networking.UX.Internal.RasMediaManager"
              }
            ],
            "repeated": 0,
            "id": 1089
          },
          {
            "timestamp": "2026-05-28 22:01:57,428",
            "thread_id": "1496",
            "caller": "0x7ff6c28b36c5",
            "parentcaller": "0x7ff6c28b3545",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x000003ec"
              },
              {
                "name": "SubKey",
                "value": "Windows.Networking.UX.Internal.RasMediaManager"
              },
              {
                "name": "Handle",
                "value": "0x000003f0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\NetworkUxManager\\Windows.Networking.UX.Internal.RasMediaManager"
              }
            ],
            "repeated": 0,
            "id": 1090
          },
          {
            "timestamp": "2026-05-28 22:01:57,428",
            "thread_id": "1496",
            "caller": "0x7ff6c28b36c5",
            "parentcaller": "0x7ff6c28b3545",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003f0"
              },
              {
                "name": "ValueName",
                "value": "Active"
              },
              {
                "name": "Data",
                "value": "1"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\NetworkUxManager\\Windows.Networking.UX.Internal.RasMediaManager\\Active"
              }
            ],
            "repeated": 0,
            "id": 1091
          },
          {
            "timestamp": "2026-05-28 22:01:57,428",
            "thread_id": "1496",
            "caller": "0x7ff6c28b36c5",
            "parentcaller": "0x7ff6c28b3545",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003f0"
              },
              {
                "name": "ValueName",
                "value": "MediaType"
              },
              {
                "name": "Data",
                "value": "5"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\NetworkUxManager\\Windows.Networking.UX.Internal.RasMediaManager\\MediaType"
              }
            ],
            "repeated": 0,
            "id": 1092
          },
          {
            "timestamp": "2026-05-28 22:01:57,428",
            "thread_id": "1496",
            "caller": "0x7ff6c28b36c5",
            "parentcaller": "0x7ff6c28b3545",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003f0"
              }
            ],
            "repeated": 0,
            "id": 1093
          },
          {
            "timestamp": "2026-05-28 22:01:57,428",
            "thread_id": "1496",
            "caller": "0x7ff6c28b36c5",
            "parentcaller": "0x7ff6c28b3545",
            "category": "registry",
            "api": "RegEnumKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003ec"
              },
              {
                "name": "Index",
                "value": "4"
              },
              {
                "name": "Name",
                "value": "Windows.Networking.UX.Internal.WlanMediaManager"
              },
              {
                "name": "Class",
                "value": ""
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\NetworkUxManager\\Windows.Networking.UX.Internal.WlanMediaManager"
              }
            ],
            "repeated": 0,
            "id": 1094
          },
          {
            "timestamp": "2026-05-28 22:01:57,428",
            "thread_id": "1496",
            "caller": "0x7ff6c28b36c5",
            "parentcaller": "0x7ff6c28b3545",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x000003ec"
              },
              {
                "name": "SubKey",
                "value": "Windows.Networking.UX.Internal.WlanMediaManager"
              },
              {
                "name": "Handle",
                "value": "0x000003f0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\NetworkUxManager\\Windows.Networking.UX.Internal.WlanMediaManager"
              }
            ],
            "repeated": 0,
            "id": 1095
          },
          {
            "timestamp": "2026-05-28 22:01:57,428",
            "thread_id": "1496",
            "caller": "0x7ff6c28b36c5",
            "parentcaller": "0x7ff6c28b3545",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003f0"
              },
              {
                "name": "ValueName",
                "value": "Active"
              },
              {
                "name": "Data",
                "value": "1"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\NetworkUxManager\\Windows.Networking.UX.Internal.WlanMediaManager\\Active"
              }
            ],
            "repeated": 0,
            "id": 1096
          },
          {
            "timestamp": "2026-05-28 22:01:57,428",
            "thread_id": "1496",
            "caller": "0x7ff6c28b36c5",
            "parentcaller": "0x7ff6c28b3545",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003f0"
              },
              {
                "name": "ValueName",
                "value": "MediaType"
              },
              {
                "name": "Data",
                "value": "1"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\NetworkUxManager\\Windows.Networking.UX.Internal.WlanMediaManager\\MediaType"
              }
            ],
            "repeated": 0,
            "id": 1097
          },
          {
            "timestamp": "2026-05-28 22:01:57,428",
            "thread_id": "1496",
            "caller": "0x7ff6c28b36c5",
            "parentcaller": "0x7ff6c28b3545",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003f0"
              }
            ],
            "repeated": 0,
            "id": 1098
          },
          {
            "timestamp": "2026-05-28 22:01:57,428",
            "thread_id": "1496",
            "caller": "0x7ff6c28b36c5",
            "parentcaller": "0x7ff6c28b3545",
            "category": "registry",
            "api": "RegEnumKeyExW",
            "status": false,
            "return": "0x00000103",
            "pretty_return": "NO_MORE_ITEMS",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003ec"
              },
              {
                "name": "Index",
                "value": "5"
              },
              {
                "name": "Name",
                "value": ""
              },
              {
                "name": "Class",
                "value": ""
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\NetworkUxManager\\"
              }
            ],
            "repeated": 0,
            "id": 1099
          },
          {
            "timestamp": "2026-05-28 22:01:57,428",
            "thread_id": "1496",
            "caller": "0x7ff6c28e3417",
            "parentcaller": "0x7ff6c28b20ab",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2924e282000"
              },
              {
                "name": "RegionSize",
                "value": "0x00003000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1100
          },
          {
            "timestamp": "2026-05-28 22:01:57,428",
            "thread_id": "1496",
            "caller": "0x7ff6c28b2b84",
            "parentcaller": "0x7ff6c28b20bb",
            "category": "misc",
            "api": "NtQuerySystemInformation",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SystemInformationClass",
                "value": "0",
                "pretty_value": "FILE_SUPERSEDE"
              }
            ],
            "repeated": 0,
            "id": 1101
          },
          {
            "timestamp": "2026-05-28 22:01:57,428",
            "thread_id": "1496",
            "caller": "0x7ff6c28e3417",
            "parentcaller": "0x7ff6c28b20e6",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2924e285000"
              },
              {
                "name": "RegionSize",
                "value": "0x00005000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1102
          },
          {
            "timestamp": "2026-05-28 22:01:57,428",
            "thread_id": "1496",
            "caller": "0x7ff6c28d2d65",
            "parentcaller": "0x7ff6c28d467a",
            "category": "misc",
            "api": "GetSystemMetrics",
            "status": false,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SystemMetricIndex",
                "value": "4096"
              }
            ],
            "repeated": 3,
            "id": 1103
          },
          {
            "timestamp": "2026-05-28 22:01:57,428",
            "thread_id": "1496",
            "caller": "0x7ff6c28d2d65",
            "parentcaller": "0x7ff6c28d467a",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 1104
          },
          {
            "timestamp": "2026-05-28 22:01:57,428",
            "thread_id": "1496",
            "caller": "0x7ff6c28d2d65",
            "parentcaller": "0x7ff6c28d467a",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000000d4"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 1105
          },
          {
            "timestamp": "2026-05-28 22:01:57,428",
            "thread_id": "1496",
            "caller": "0x7ff6c28d2d65",
            "parentcaller": "0x7ff6c28d467a",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000000d4"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\DirectUI\\DynamicScaling"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\DirectUI\\DynamicScaling"
              }
            ],
            "repeated": 0,
            "id": 1106
          },
          {
            "timestamp": "2026-05-28 22:01:57,428",
            "thread_id": "1496",
            "caller": "0x7ff6c28d1165",
            "parentcaller": "0x7ff6c28d1076",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000020"
              },
              {
                "name": "TokenHandle",
                "value": "0x000003f4"
              }
            ],
            "repeated": 0,
            "id": 1107
          },
          {
            "timestamp": "2026-05-28 22:01:57,428",
            "thread_id": "1496",
            "caller": "0x7ff6c28d11eb",
            "parentcaller": "0x7ff6c28d1076",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003f4"
              }
            ],
            "repeated": 0,
            "id": 1108
          },
          {
            "timestamp": "2026-05-28 22:01:57,428",
            "thread_id": "1496",
            "caller": "0x7ff6c28b305b",
            "parentcaller": "0x7ff6c28d10b8",
            "category": "threading",
            "api": "NtCreateThreadEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0x000003fc"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "StartAddress",
                "value": "0x7ff6c28de0d0"
              },
              {
                "name": "Parameter",
                "value": "0x2924e26cd50"
              },
              {
                "name": "CreateFlags",
                "value": "0x00000001"
              },
              {
                "name": "ThreadId",
                "value": "5448"
              },
              {
                "name": "ProcessId",
                "value": "7912"
              },
              {
                "name": "Module",
                "value": "taskmgr.exe"
              }
            ],
            "repeated": 0,
            "id": 1109
          },
          {
            "timestamp": "2026-05-28 22:01:57,428",
            "thread_id": "1496",
            "caller": "0x7ff6c28b305b",
            "parentcaller": "0x7ff6c28d10b8",
            "category": "threading",
            "api": "CreateRemoteThreadEx",
            "status": true,
            "return": "0x000003fc",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "StartRoutine",
                "value": "0x7ff6c28de0d0"
              },
              {
                "name": "Parameter",
                "value": "0x2924e26cd50"
              },
              {
                "name": "CreationFlags",
                "value": "0x00000000"
              },
              {
                "name": "ThreadId",
                "value": "5448"
              },
              {
                "name": "ProcessId",
                "value": "7912"
              }
            ],
            "repeated": 0,
            "id": 1110
          },
          {
            "timestamp": "2026-05-28 22:01:57,428",
            "thread_id": "1496",
            "caller": "0x7ff6c28d3045",
            "parentcaller": "0x7ff6c28d2de5",
            "category": "misc",
            "api": "FindResourceExW",
            "status": true,
            "return": "0x29252ef1948",
            "arguments": [
              {
                "name": "Module",
                "value": "0x7ff6c28b0000"
              },
              {
                "name": "Type",
                "value": "UIFILE"
              },
              {
                "name": "Name",
                "value": "#30024"
              },
              {
                "name": "Language",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 1111
          },
          {
            "timestamp": "2026-05-28 22:01:57,428",
            "thread_id": "1496",
            "caller": "0x7ff6c28d3045",
            "parentcaller": "0x7ff6c28d2de5",
            "category": "misc",
            "api": "LoadResource",
            "status": true,
            "return": "0x29252f2e058",
            "arguments": [
              {
                "name": "Module",
                "value": "0x7ff6c28b0000"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29252ef1948"
              }
            ],
            "repeated": 0,
            "id": 1112
          },
          {
            "timestamp": "2026-05-28 22:01:57,428",
            "thread_id": "1496",
            "caller": "0x7ff6c28d3045",
            "parentcaller": "0x7ff6c28d2de5",
            "category": "misc",
            "api": "SizeofResource",
            "status": true,
            "return": "0x000061e0",
            "arguments": [
              {
                "name": "ModuleHandle",
                "value": "0x7ff6c28b0000"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29252ef1948"
              }
            ],
            "repeated": 0,
            "id": 1113
          },
          {
            "timestamp": "2026-05-28 22:01:57,428",
            "thread_id": "1496",
            "caller": "0x7ff6c28d3045",
            "parentcaller": "0x7ff6c28d2de5",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc60389000"
              },
              {
                "name": "ModuleName",
                "value": "DUI70.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1114
          },
          {
            "timestamp": "2026-05-28 22:01:57,428",
            "thread_id": "1496",
            "caller": "0x7ff6c28d3045",
            "parentcaller": "0x7ff6c28d2de5",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc60389000"
              },
              {
                "name": "ModuleName",
                "value": "DUI70.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1115
          },
          {
            "timestamp": "2026-05-28 22:01:57,428",
            "thread_id": "1496",
            "caller": "0x7ff6c28d3045",
            "parentcaller": "0x7ff6c28d2de5",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00000042"
              },
              {
                "name": "uiParam",
                "value": "0x00000010"
              }
            ],
            "repeated": 2,
            "id": 1116
          },
          {
            "timestamp": "2026-05-28 22:01:57,428",
            "thread_id": "1496",
            "caller": "0x7ff6c28d3045",
            "parentcaller": "0x7ff6c28d2de5",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2924e28a000"
              },
              {
                "name": "RegionSize",
                "value": "0x00003000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1117
          },
          {
            "timestamp": "2026-05-28 22:01:57,428",
            "thread_id": "1496",
            "caller": "0x7ff6c28d3045",
            "parentcaller": "0x7ff6c28d2de5",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00000042"
              },
              {
                "name": "uiParam",
                "value": "0x00000010"
              }
            ],
            "repeated": 0,
            "id": 1118
          },
          {
            "timestamp": "2026-05-28 22:01:57,428",
            "thread_id": "1496",
            "caller": "0x7ff6c28d3045",
            "parentcaller": "0x7ff6c28d2de5",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2924e28d000"
              },
              {
                "name": "RegionSize",
                "value": "0x00003000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1119
          },
          {
            "timestamp": "2026-05-28 22:01:57,428",
            "thread_id": "1496",
            "caller": "0x7ff6c28d3045",
            "parentcaller": "0x7ff6c28d2de5",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2924e290000"
              },
              {
                "name": "RegionSize",
                "value": "0x00002000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1120
          },
          {
            "timestamp": "2026-05-28 22:01:57,428",
            "thread_id": "1496",
            "caller": "0x7ff6c28d3045",
            "parentcaller": "0x7ff6c28d2de5",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2924e292000"
              },
              {
                "name": "RegionSize",
                "value": "0x00002000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1121
          },
          {
            "timestamp": "2026-05-28 22:01:57,428",
            "thread_id": "1496",
            "caller": "0x7ff6c28d3045",
            "parentcaller": "0x7ff6c28d2de5",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00000042"
              },
              {
                "name": "uiParam",
                "value": "0x00000010"
              }
            ],
            "repeated": 2,
            "id": 1122
          },
          {
            "timestamp": "2026-05-28 22:01:57,428",
            "thread_id": "1496",
            "caller": "0x7ff6c28d3045",
            "parentcaller": "0x7ff6c28d2de5",
            "category": "misc",
            "api": "FindResourceExW",
            "status": true,
            "return": "0x2924e1b1c58",
            "arguments": [
              {
                "name": "Module",
                "value": "0x7ff6c28b0000"
              },
              {
                "name": "Type",
                "value": "#6"
              },
              {
                "name": "Name",
                "value": "#2116"
              },
              {
                "name": "Language",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 1123
          },
          {
            "timestamp": "2026-05-28 22:01:57,428",
            "thread_id": "1496",
            "caller": "0x7ff6c28d3045",
            "parentcaller": "0x7ff6c28d2de5",
            "category": "misc",
            "api": "LoadResource",
            "status": true,
            "return": "0x2924e1ba628",
            "arguments": [
              {
                "name": "Module",
                "value": "0x7ff6c28b0000"
              },
              {
                "name": "ResourceInfo",
                "value": "0x2924e1b1c58"
              }
            ],
            "repeated": 0,
            "id": 1124
          },
          {
            "timestamp": "2026-05-28 22:01:57,428",
            "thread_id": "1496",
            "caller": "0x7ff6c28d3045",
            "parentcaller": "0x7ff6c28d2de5",
            "category": "misc",
            "api": "FindResourceExW",
            "status": true,
            "return": "0x2924e1b1c58",
            "arguments": [
              {
                "name": "Module",
                "value": "0x7ff6c28b0000"
              },
              {
                "name": "Type",
                "value": "#6"
              },
              {
                "name": "Name",
                "value": "#2116"
              },
              {
                "name": "Language",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 1125
          },
          {
            "timestamp": "2026-05-28 22:01:57,428",
            "thread_id": "1496",
            "caller": "0x7ff6c28d3045",
            "parentcaller": "0x7ff6c28d2de5",
            "category": "misc",
            "api": "LoadResource",
            "status": true,
            "return": "0x2924e1ba628",
            "arguments": [
              {
                "name": "Module",
                "value": "0x7ff6c28b0000"
              },
              {
                "name": "ResourceInfo",
                "value": "0x2924e1b1c58"
              }
            ],
            "repeated": 0,
            "id": 1126
          },
          {
            "timestamp": "2026-05-28 22:01:57,428",
            "thread_id": "1496",
            "caller": "0x7ff6c28d3045",
            "parentcaller": "0x7ff6c28d2de5",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2924e294000"
              },
              {
                "name": "RegionSize",
                "value": "0x00002000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1127
          },
          {
            "timestamp": "2026-05-28 22:01:57,428",
            "thread_id": "1496",
            "caller": "0x7ff6c28d3045",
            "parentcaller": "0x7ff6c28d2de5",
            "category": "misc",
            "api": "FindResourceExW",
            "status": true,
            "return": "0x2924e1b1c58",
            "arguments": [
              {
                "name": "Module",
                "value": "0x7ff6c28b0000"
              },
              {
                "name": "Type",
                "value": "#6"
              },
              {
                "name": "Name",
                "value": "#2116"
              },
              {
                "name": "Language",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 1128
          },
          {
            "timestamp": "2026-05-28 22:01:57,428",
            "thread_id": "1496",
            "caller": "0x7ff6c28d3045",
            "parentcaller": "0x7ff6c28d2de5",
            "category": "misc",
            "api": "LoadResource",
            "status": true,
            "return": "0x2924e1ba628",
            "arguments": [
              {
                "name": "Module",
                "value": "0x7ff6c28b0000"
              },
              {
                "name": "ResourceInfo",
                "value": "0x2924e1b1c58"
              }
            ],
            "repeated": 0,
            "id": 1129
          },
          {
            "timestamp": "2026-05-28 22:01:57,428",
            "thread_id": "1496",
            "caller": "0x7ff6c28d3045",
            "parentcaller": "0x7ff6c28d2de5",
            "category": "misc",
            "api": "FindResourceExW",
            "status": true,
            "return": "0x2924e1b1c58",
            "arguments": [
              {
                "name": "Module",
                "value": "0x7ff6c28b0000"
              },
              {
                "name": "Type",
                "value": "#6"
              },
              {
                "name": "Name",
                "value": "#2116"
              },
              {
                "name": "Language",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 1130
          },
          {
            "timestamp": "2026-05-28 22:01:57,428",
            "thread_id": "1496",
            "caller": "0x7ff6c28d3045",
            "parentcaller": "0x7ff6c28d2de5",
            "category": "misc",
            "api": "LoadResource",
            "status": true,
            "return": "0x2924e1ba628",
            "arguments": [
              {
                "name": "Module",
                "value": "0x7ff6c28b0000"
              },
              {
                "name": "ResourceInfo",
                "value": "0x2924e1b1c58"
              }
            ],
            "repeated": 0,
            "id": 1131
          },
          {
            "timestamp": "2026-05-28 22:01:57,428",
            "thread_id": "1496",
            "caller": "0x7ff6c28d3045",
            "parentcaller": "0x7ff6c28d2de5",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2924e296000"
              },
              {
                "name": "RegionSize",
                "value": "0x00002000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1132
          },
          {
            "timestamp": "2026-05-28 22:01:57,428",
            "thread_id": "1496",
            "caller": "0x7ff6c28d3045",
            "parentcaller": "0x7ff6c28d2de5",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00000042"
              },
              {
                "name": "uiParam",
                "value": "0x00000010"
              }
            ],
            "repeated": 0,
            "id": 1133
          },
          {
            "timestamp": "2026-05-28 22:01:57,428",
            "thread_id": "1496",
            "caller": "0x7ff6c28d3045",
            "parentcaller": "0x7ff6c28d2de5",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2924e298000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1134
          },
          {
            "timestamp": "2026-05-28 22:01:57,428",
            "thread_id": "1496",
            "caller": "0x7ff6c28d3045",
            "parentcaller": "0x7ff6c28d2de5",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2924e299000"
              },
              {
                "name": "RegionSize",
                "value": "0x00003000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1135
          },
          {
            "timestamp": "2026-05-28 22:01:57,428",
            "thread_id": "1496",
            "caller": "0x7ff6c28d3045",
            "parentcaller": "0x7ff6c28d2de5",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2924e29c000"
              },
              {
                "name": "RegionSize",
                "value": "0x00002000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1136
          },
          {
            "timestamp": "2026-05-28 22:01:57,428",
            "thread_id": "1496",
            "caller": "0x7ff6c28d3045",
            "parentcaller": "0x7ff6c28d2de5",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2924e29e000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1137
          },
          {
            "timestamp": "2026-05-28 22:01:57,428",
            "thread_id": "1496",
            "caller": "0x7ff6c28d3045",
            "parentcaller": "0x7ff6c28d2de5",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00000042"
              },
              {
                "name": "uiParam",
                "value": "0x00000010"
              }
            ],
            "repeated": 0,
            "id": 1138
          },
          {
            "timestamp": "2026-05-28 22:01:57,428",
            "thread_id": "1496",
            "caller": "0x7ff6c28d3045",
            "parentcaller": "0x7ff6c28d2de5",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2924e29f000"
              },
              {
                "name": "RegionSize",
                "value": "0x00003000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1139
          },
          {
            "timestamp": "2026-05-28 22:01:57,428",
            "thread_id": "1496",
            "caller": "0x7ff6c28d3045",
            "parentcaller": "0x7ff6c28d2e31",
            "category": "misc",
            "api": "FindResourceExW",
            "status": true,
            "return": "0x29252ef1938",
            "arguments": [
              {
                "name": "Module",
                "value": "0x7ff6c28b0000"
              },
              {
                "name": "Type",
                "value": "UIFILE"
              },
              {
                "name": "Name",
                "value": "#30001"
              },
              {
                "name": "Language",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 1140
          },
          {
            "timestamp": "2026-05-28 22:01:57,428",
            "thread_id": "1496",
            "caller": "0x7ff6c28d3045",
            "parentcaller": "0x7ff6c28d2e31",
            "category": "misc",
            "api": "LoadResource",
            "status": true,
            "return": "0x29252f34238",
            "arguments": [
              {
                "name": "Module",
                "value": "0x7ff6c28b0000"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29252ef1938"
              }
            ],
            "repeated": 0,
            "id": 1141
          },
          {
            "timestamp": "2026-05-28 22:01:57,428",
            "thread_id": "1496",
            "caller": "0x7ff6c28d3045",
            "parentcaller": "0x7ff6c28d2e31",
            "category": "misc",
            "api": "SizeofResource",
            "status": true,
            "return": "0x0000f328",
            "arguments": [
              {
                "name": "ModuleHandle",
                "value": "0x7ff6c28b0000"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29252ef1938"
              }
            ],
            "repeated": 0,
            "id": 1142
          },
          {
            "timestamp": "2026-05-28 22:01:57,428",
            "thread_id": "1496",
            "caller": "0x7ff6c28d3045",
            "parentcaller": "0x7ff6c28d2e31",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00000042"
              },
              {
                "name": "uiParam",
                "value": "0x00000010"
              }
            ],
            "repeated": 1,
            "id": 1143
          },
          {
            "timestamp": "2026-05-28 22:01:57,428",
            "thread_id": "1496",
            "caller": "0x7ff6c28d3045",
            "parentcaller": "0x7ff6c28d2e31",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2924e2a2000"
              },
              {
                "name": "RegionSize",
                "value": "0x00003000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1144
          },
          {
            "timestamp": "2026-05-28 22:01:57,428",
            "thread_id": "1496",
            "caller": "0x7ff6c28d3045",
            "parentcaller": "0x7ff6c28d2e31",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2924e2a5000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1145
          },
          {
            "timestamp": "2026-05-28 22:01:57,428",
            "thread_id": "1496",
            "caller": "0x7ff6c28d3045",
            "parentcaller": "0x7ff6c28d2e31",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2924e2a6000"
              },
              {
                "name": "RegionSize",
                "value": "0x00002000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1146
          },
          {
            "timestamp": "2026-05-28 22:01:57,428",
            "thread_id": "1496",
            "caller": "0x7ff6c28d3045",
            "parentcaller": "0x7ff6c28d2e31",
            "category": "misc",
            "api": "FindResourceExW",
            "status": true,
            "return": "0x2924e1b1c58",
            "arguments": [
              {
                "name": "Module",
                "value": "0x7ff6c28b0000"
              },
              {
                "name": "Type",
                "value": "#6"
              },
              {
                "name": "Name",
                "value": "#2116"
              },
              {
                "name": "Language",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 1147
          },
          {
            "timestamp": "2026-05-28 22:01:57,428",
            "thread_id": "1496",
            "caller": "0x7ff6c28d3045",
            "parentcaller": "0x7ff6c28d2e31",
            "category": "misc",
            "api": "LoadResource",
            "status": true,
            "return": "0x2924e1ba628",
            "arguments": [
              {
                "name": "Module",
                "value": "0x7ff6c28b0000"
              },
              {
                "name": "ResourceInfo",
                "value": "0x2924e1b1c58"
              }
            ],
            "repeated": 0,
            "id": 1148
          },
          {
            "timestamp": "2026-05-28 22:01:57,428",
            "thread_id": "1496",
            "caller": "0x7ff6c28d3045",
            "parentcaller": "0x7ff6c28d2e31",
            "category": "misc",
            "api": "FindResourceExW",
            "status": true,
            "return": "0x2924e1b1c58",
            "arguments": [
              {
                "name": "Module",
                "value": "0x7ff6c28b0000"
              },
              {
                "name": "Type",
                "value": "#6"
              },
              {
                "name": "Name",
                "value": "#2116"
              },
              {
                "name": "Language",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 1149
          },
          {
            "timestamp": "2026-05-28 22:01:57,428",
            "thread_id": "1496",
            "caller": "0x7ff6c28d3045",
            "parentcaller": "0x7ff6c28d2e31",
            "category": "misc",
            "api": "LoadResource",
            "status": true,
            "return": "0x2924e1ba628",
            "arguments": [
              {
                "name": "Module",
                "value": "0x7ff6c28b0000"
              },
              {
                "name": "ResourceInfo",
                "value": "0x2924e1b1c58"
              }
            ],
            "repeated": 0,
            "id": 1150
          },
          {
            "timestamp": "2026-05-28 22:01:57,428",
            "thread_id": "1496",
            "caller": "0x7ff6c28d3045",
            "parentcaller": "0x7ff6c28d2e31",
            "category": "misc",
            "api": "FindResourceExW",
            "status": true,
            "return": "0x2924e1b1c58",
            "arguments": [
              {
                "name": "Module",
                "value": "0x7ff6c28b0000"
              },
              {
                "name": "Type",
                "value": "#6"
              },
              {
                "name": "Name",
                "value": "#2116"
              },
              {
                "name": "Language",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 1151
          },
          {
            "timestamp": "2026-05-28 22:01:57,428",
            "thread_id": "1496",
            "caller": "0x7ff6c28d3045",
            "parentcaller": "0x7ff6c28d2e31",
            "category": "misc",
            "api": "LoadResource",
            "status": true,
            "return": "0x2924e1ba628",
            "arguments": [
              {
                "name": "Module",
                "value": "0x7ff6c28b0000"
              },
              {
                "name": "ResourceInfo",
                "value": "0x2924e1b1c58"
              }
            ],
            "repeated": 0,
            "id": 1152
          },
          {
            "timestamp": "2026-05-28 22:01:57,428",
            "thread_id": "1496",
            "caller": "0x7ff6c28d3045",
            "parentcaller": "0x7ff6c28d2e31",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2924e2a8000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1153
          },
          {
            "timestamp": "2026-05-28 22:01:57,428",
            "thread_id": "1496",
            "caller": "0x7ff6c28d3045",
            "parentcaller": "0x7ff6c28d2e31",
            "category": "misc",
            "api": "FindResourceExW",
            "status": true,
            "return": "0x2924e1b1c58",
            "arguments": [
              {
                "name": "Module",
                "value": "0x7ff6c28b0000"
              },
              {
                "name": "Type",
                "value": "#6"
              },
              {
                "name": "Name",
                "value": "#2116"
              },
              {
                "name": "Language",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 1154
          },
          {
            "timestamp": "2026-05-28 22:01:57,428",
            "thread_id": "1496",
            "caller": "0x7ff6c28d3045",
            "parentcaller": "0x7ff6c28d2e31",
            "category": "misc",
            "api": "LoadResource",
            "status": true,
            "return": "0x2924e1ba628",
            "arguments": [
              {
                "name": "Module",
                "value": "0x7ff6c28b0000"
              },
              {
                "name": "ResourceInfo",
                "value": "0x2924e1b1c58"
              }
            ],
            "repeated": 0,
            "id": 1155
          },
          {
            "timestamp": "2026-05-28 22:01:57,428",
            "thread_id": "1496",
            "caller": "0x7ff6c28d3045",
            "parentcaller": "0x7ff6c28d2e31",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2924e2a9000"
              },
              {
                "name": "RegionSize",
                "value": "0x00002000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1156
          },
          {
            "timestamp": "2026-05-28 22:01:57,428",
            "thread_id": "1496",
            "caller": "0x7ff6c28d3045",
            "parentcaller": "0x7ff6c28d2e31",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2924e2ab000"
              },
              {
                "name": "RegionSize",
                "value": "0x00003000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1157
          },
          {
            "timestamp": "2026-05-28 22:01:57,428",
            "thread_id": "1496",
            "caller": "0x7ff6c28d3045",
            "parentcaller": "0x7ff6c28d2e31",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2924e2ae000"
              },
              {
                "name": "RegionSize",
                "value": "0x00002000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1158
          },
          {
            "timestamp": "2026-05-28 22:01:57,428",
            "thread_id": "1496",
            "caller": "0x7ff6c28d3045",
            "parentcaller": "0x7ff6c28d2e31",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2924e2b0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00003000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1159
          },
          {
            "timestamp": "2026-05-28 22:01:57,428",
            "thread_id": "1496",
            "caller": "0x7ff6c28d3045",
            "parentcaller": "0x7ff6c28d2e31",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2924e2b3000"
              },
              {
                "name": "RegionSize",
                "value": "0x00002000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1160
          },
          {
            "timestamp": "2026-05-28 22:01:57,428",
            "thread_id": "1496",
            "caller": "0x7ff6c28d3045",
            "parentcaller": "0x7ff6c28d2e31",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2924e2b5000"
              },
              {
                "name": "RegionSize",
                "value": "0x00003000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1161
          },
          {
            "timestamp": "2026-05-28 22:01:57,428",
            "thread_id": "1496",
            "caller": "0x7ff6c28d3045",
            "parentcaller": "0x7ff6c28d2e31",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2924e2b8000"
              },
              {
                "name": "RegionSize",
                "value": "0x00002000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1162
          },
          {
            "timestamp": "2026-05-28 22:01:57,428",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4216",
            "parentcaller": "0x7ff6c28d2e44",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00000042"
              },
              {
                "name": "uiParam",
                "value": "0x00000010"
              }
            ],
            "repeated": 1,
            "id": 1163
          },
          {
            "timestamp": "2026-05-28 22:01:57,428",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4000",
            "parentcaller": "0x7ff6c28d2e59",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2924e2ba000"
              },
              {
                "name": "RegionSize",
                "value": "0x00005000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1164
          },
          {
            "timestamp": "2026-05-28 22:01:57,428",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4000",
            "parentcaller": "0x7ff6c28d2e59",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2924e2bf000"
              },
              {
                "name": "RegionSize",
                "value": "0x00005000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1165
          },
          {
            "timestamp": "2026-05-28 22:01:57,428",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4000",
            "parentcaller": "0x7ff6c28d2e59",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2924e2c4000"
              },
              {
                "name": "RegionSize",
                "value": "0x00005000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1166
          },
          {
            "timestamp": "2026-05-28 22:01:57,428",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4000",
            "parentcaller": "0x7ff6c28d2e59",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2924e2c9000"
              },
              {
                "name": "RegionSize",
                "value": "0x00005000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1167
          },
          {
            "timestamp": "2026-05-28 22:01:57,428",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4000",
            "parentcaller": "0x7ff6c28d2e59",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2924e2ce000"
              },
              {
                "name": "RegionSize",
                "value": "0x00005000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1168
          },
          {
            "timestamp": "2026-05-28 22:01:57,428",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4000",
            "parentcaller": "0x7ff6c28d2e59",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2924e2d3000"
              },
              {
                "name": "RegionSize",
                "value": "0x00005000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1169
          },
          {
            "timestamp": "2026-05-28 22:01:57,428",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4000",
            "parentcaller": "0x7ff6c28d2e59",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2924e2d8000"
              },
              {
                "name": "RegionSize",
                "value": "0x00005000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1170
          },
          {
            "timestamp": "2026-05-28 22:01:57,428",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4000",
            "parentcaller": "0x7ff6c28d2e59",
            "category": "misc",
            "api": "FindResourceExW",
            "status": true,
            "return": "0x2924e1b1e98",
            "arguments": [
              {
                "name": "Module",
                "value": "0x7ff6c28b0000"
              },
              {
                "name": "Type",
                "value": "#6"
              },
              {
                "name": "Name",
                "value": "#2327"
              },
              {
                "name": "Language",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 1171
          },
          {
            "timestamp": "2026-05-28 22:01:57,428",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4000",
            "parentcaller": "0x7ff6c28d2e59",
            "category": "misc",
            "api": "LoadResource",
            "status": true,
            "return": "0x2924e1bc708",
            "arguments": [
              {
                "name": "Module",
                "value": "0x7ff6c28b0000"
              },
              {
                "name": "ResourceInfo",
                "value": "0x2924e1b1e98"
              }
            ],
            "repeated": 0,
            "id": 1172
          },
          {
            "timestamp": "2026-05-28 22:01:57,428",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4000",
            "parentcaller": "0x7ff6c28d2e59",
            "category": "misc",
            "api": "FindResourceExW",
            "status": true,
            "return": "0x2924e1b1e88",
            "arguments": [
              {
                "name": "Module",
                "value": "0x7ff6c28b0000"
              },
              {
                "name": "Type",
                "value": "#6"
              },
              {
                "name": "Name",
                "value": "#2326"
              },
              {
                "name": "Language",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 1173
          },
          {
            "timestamp": "2026-05-28 22:01:57,428",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4000",
            "parentcaller": "0x7ff6c28d2e59",
            "category": "misc",
            "api": "LoadResource",
            "status": true,
            "return": "0x2924e1bc4a0",
            "arguments": [
              {
                "name": "Module",
                "value": "0x7ff6c28b0000"
              },
              {
                "name": "ResourceInfo",
                "value": "0x2924e1b1e88"
              }
            ],
            "repeated": 0,
            "id": 1174
          },
          {
            "timestamp": "2026-05-28 22:01:57,428",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4000",
            "parentcaller": "0x7ff6c28d2e59",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2924e2dd000"
              },
              {
                "name": "RegionSize",
                "value": "0x00003000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1175
          },
          {
            "timestamp": "2026-05-28 22:01:57,428",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4000",
            "parentcaller": "0x7ff6c28d2e59",
            "category": "misc",
            "api": "FindResourceExW",
            "status": true,
            "return": "0x2924e1b1fd8",
            "arguments": [
              {
                "name": "Module",
                "value": "0x7ff6c28b0000"
              },
              {
                "name": "Type",
                "value": "#6"
              },
              {
                "name": "Name",
                "value": "#2688"
              },
              {
                "name": "Language",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 1176
          },
          {
            "timestamp": "2026-05-28 22:01:57,428",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4000",
            "parentcaller": "0x7ff6c28d2e59",
            "category": "misc",
            "api": "LoadResource",
            "status": true,
            "return": "0x2924e1be3f4",
            "arguments": [
              {
                "name": "Module",
                "value": "0x7ff6c28b0000"
              },
              {
                "name": "ResourceInfo",
                "value": "0x2924e1b1fd8"
              }
            ],
            "repeated": 0,
            "id": 1177
          },
          {
            "timestamp": "2026-05-28 22:01:57,428",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4000",
            "parentcaller": "0x7ff6c28d2e59",
            "category": "misc",
            "api": "FindResourceExW",
            "status": true,
            "return": "0x2924e1b1fd8",
            "arguments": [
              {
                "name": "Module",
                "value": "0x7ff6c28b0000"
              },
              {
                "name": "Type",
                "value": "#6"
              },
              {
                "name": "Name",
                "value": "#2688"
              },
              {
                "name": "Language",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 1178
          },
          {
            "timestamp": "2026-05-28 22:01:57,428",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4000",
            "parentcaller": "0x7ff6c28d2e59",
            "category": "misc",
            "api": "LoadResource",
            "status": true,
            "return": "0x2924e1be3f4",
            "arguments": [
              {
                "name": "Module",
                "value": "0x7ff6c28b0000"
              },
              {
                "name": "ResourceInfo",
                "value": "0x2924e1b1fd8"
              }
            ],
            "repeated": 0,
            "id": 1179
          },
          {
            "timestamp": "2026-05-28 22:01:57,428",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4000",
            "parentcaller": "0x7ff6c28d2e59",
            "category": "misc",
            "api": "FindResourceExW",
            "status": true,
            "return": "0x2924e1b1e98",
            "arguments": [
              {
                "name": "Module",
                "value": "0x7ff6c28b0000"
              },
              {
                "name": "Type",
                "value": "#6"
              },
              {
                "name": "Name",
                "value": "#2327"
              },
              {
                "name": "Language",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 1180
          },
          {
            "timestamp": "2026-05-28 22:01:57,428",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4000",
            "parentcaller": "0x7ff6c28d2e59",
            "category": "misc",
            "api": "LoadResource",
            "status": true,
            "return": "0x2924e1bc708",
            "arguments": [
              {
                "name": "Module",
                "value": "0x7ff6c28b0000"
              },
              {
                "name": "ResourceInfo",
                "value": "0x2924e1b1e98"
              }
            ],
            "repeated": 0,
            "id": 1181
          },
          {
            "timestamp": "2026-05-28 22:01:57,428",
            "thread_id": "5448",
            "caller": "0x7ffc7804507d",
            "parentcaller": "0x7ffc78044c43",
            "category": "threading",
            "api": "NtTestAlert",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 1182
          },
          {
            "timestamp": "2026-05-28 22:01:57,428",
            "thread_id": "5448",
            "caller": "0x00000000",
            "parentcaller": "0x00000000",
            "category": "threading",
            "api": "RtlUserThreadStart",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "StartAddress",
                "value": "0x7ff6c28de0d0"
              },
              {
                "name": "Parameter",
                "value": "0x2924e26cd50"
              }
            ],
            "repeated": 0,
            "id": 1183
          },
          {
            "timestamp": "2026-05-28 22:01:57,428",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4000",
            "parentcaller": "0x7ff6c28d2e59",
            "category": "misc",
            "api": "FindResourceExW",
            "status": true,
            "return": "0x2924e1b1b88",
            "arguments": [
              {
                "name": "Module",
                "value": "0x7ff6c28b0000"
              },
              {
                "name": "Type",
                "value": "#6"
              },
              {
                "name": "Name",
                "value": "#2089"
              },
              {
                "name": "Language",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 1184
          },
          {
            "timestamp": "2026-05-28 22:01:57,428",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4000",
            "parentcaller": "0x7ff6c28d2e59",
            "category": "misc",
            "api": "LoadResource",
            "status": true,
            "return": "0x2924e1b75bc",
            "arguments": [
              {
                "name": "Module",
                "value": "0x7ff6c28b0000"
              },
              {
                "name": "ResourceInfo",
                "value": "0x2924e1b1b88"
              }
            ],
            "repeated": 0,
            "id": 1185
          },
          {
            "timestamp": "2026-05-28 22:01:57,428",
            "thread_id": "5448",
            "caller": "0x7ff6c28e3417",
            "parentcaller": "0x7ff6c28bbc41",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2924e2e0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00003000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1186
          },
          {
            "timestamp": "2026-05-28 22:01:57,428",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4000",
            "parentcaller": "0x7ff6c28d2e59",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2924e2e3000"
              },
              {
                "name": "RegionSize",
                "value": "0x00005000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1187
          },
          {
            "timestamp": "2026-05-28 22:01:57,428",
            "thread_id": "5448",
            "caller": "0x7ff6c28b17c4",
            "parentcaller": "0x7ff6c28b1834",
            "category": "threading",
            "api": "NtCreateThreadEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0x00000408"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "StartAddress",
                "value": "0x7ff6c28b3a10"
              },
              {
                "name": "Parameter",
                "value": "0x2924e2e1bd0"
              },
              {
                "name": "CreateFlags",
                "value": "0x00000001"
              },
              {
                "name": "ThreadId",
                "value": "7832"
              },
              {
                "name": "ProcessId",
                "value": "7912"
              },
              {
                "name": "Module",
                "value": "taskmgr.exe"
              }
            ],
            "repeated": 0,
            "id": 1188
          },
          {
            "timestamp": "2026-05-28 22:01:57,428",
            "thread_id": "5448",
            "caller": "0x7ff6c28b17c4",
            "parentcaller": "0x7ff6c28b1834",
            "category": "threading",
            "api": "CreateRemoteThreadEx",
            "status": true,
            "return": "0x00000408",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "StartRoutine",
                "value": "0x7ff6c28b3a10"
              },
              {
                "name": "Parameter",
                "value": "0x2924e2e1bd0"
              },
              {
                "name": "CreationFlags",
                "value": "0x00000000"
              },
              {
                "name": "ThreadId",
                "value": "7832"
              },
              {
                "name": "ProcessId",
                "value": "7912"
              }
            ],
            "repeated": 0,
            "id": 1189
          },
          {
            "timestamp": "2026-05-28 22:01:57,428",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4000",
            "parentcaller": "0x7ff6c28d2e59",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2924e2e8000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1190
          },
          {
            "timestamp": "2026-05-28 22:01:57,428",
            "thread_id": "5448",
            "caller": "0x7ff6c28b1bcb",
            "parentcaller": "0x7ff6c28b184d",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000410"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "FILE_READ_ACCESS"
              },
              {
                "name": "FileName",
                "value": "\\Device\\PcwDrv"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 1191
          },
          {
            "timestamp": "2026-05-28 22:01:57,428",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4000",
            "parentcaller": "0x7ff6c28d2e59",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00000029"
              },
              {
                "name": "uiParam",
                "value": "0x000001f8"
              }
            ],
            "repeated": 0,
            "id": 1192
          },
          {
            "timestamp": "2026-05-28 22:01:57,428",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4000",
            "parentcaller": "0x7ff6c28d2e59",
            "category": "misc",
            "api": "FindResourceExW",
            "status": true,
            "return": "0x2924e1b1c88",
            "arguments": [
              {
                "name": "Module",
                "value": "0x7ff6c28b0000"
              },
              {
                "name": "Type",
                "value": "#6"
              },
              {
                "name": "Name",
                "value": "#2139"
              },
              {
                "name": "Language",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 1193
          },
          {
            "timestamp": "2026-05-28 22:01:57,428",
            "thread_id": "5448",
            "caller": "0x7ff6c28b1bcb",
            "parentcaller": "0x7ff6c28b184d",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000410"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\PcwDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00224003"
              },
              {
                "name": "InputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": "\\x14\\x04\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1194
          },
          {
            "timestamp": "2026-05-28 22:01:57,428",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4000",
            "parentcaller": "0x7ff6c28d2e59",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2924e2e9000"
              },
              {
                "name": "RegionSize",
                "value": "0x00006000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1195
          },
          {
            "timestamp": "2026-05-28 22:01:57,428",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4000",
            "parentcaller": "0x7ff6c28d2e59",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00000029"
              },
              {
                "name": "uiParam",
                "value": "0x000001f8"
              }
            ],
            "repeated": 0,
            "id": 1196
          },
          {
            "timestamp": "2026-05-28 22:01:57,428",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4000",
            "parentcaller": "0x7ff6c28d2e59",
            "category": "misc",
            "api": "FindResourceExW",
            "status": true,
            "return": "0x2924e1b1c88",
            "arguments": [
              {
                "name": "Module",
                "value": "0x7ff6c28b0000"
              },
              {
                "name": "Type",
                "value": "#6"
              },
              {
                "name": "Name",
                "value": "#2139"
              },
              {
                "name": "Language",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 1197
          },
          {
            "timestamp": "2026-05-28 22:01:57,428",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4000",
            "parentcaller": "0x7ff6c28d2e59",
            "category": "misc",
            "api": "LoadResource",
            "status": true,
            "return": "0x2924e1ba724",
            "arguments": [
              {
                "name": "Module",
                "value": "0x7ff6c28b0000"
              },
              {
                "name": "ResourceInfo",
                "value": "0x2924e1b1c88"
              }
            ],
            "repeated": 0,
            "id": 1198
          },
          {
            "timestamp": "2026-05-28 22:01:57,428",
            "thread_id": "5448",
            "caller": "0x7ff6c28b1c48",
            "parentcaller": "0x7ff6c28b184d",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000410"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\PcwDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00224007"
              },
              {
                "name": "InputBuffer",
                "value": "\\x01\\xfd*\\x00\\x02\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xfc\\x7f\\x00\\x00\\x14\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00y\\x98\\xc2\\xf6\\x7f\\x00\\x00\\xc0x\\x98\\xc2\\xf6\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x000\\x00\\x00\\x0c\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": "\\x01\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1199
          },
          {
            "timestamp": "2026-05-28 22:01:57,428",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4000",
            "parentcaller": "0x7ff6c28d2e59",
            "category": "misc",
            "api": "FindResourceExW",
            "status": true,
            "return": "0x2924e1b1c98",
            "arguments": [
              {
                "name": "Module",
                "value": "0x7ff6c28b0000"
              },
              {
                "name": "Type",
                "value": "#6"
              },
              {
                "name": "Name",
                "value": "#2140"
              },
              {
                "name": "Language",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 1200
          },
          {
            "timestamp": "2026-05-28 22:01:57,428",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4000",
            "parentcaller": "0x7ff6c28d2e59",
            "category": "misc",
            "api": "LoadResource",
            "status": true,
            "return": "0x2924e1ba768",
            "arguments": [
              {
                "name": "Module",
                "value": "0x7ff6c28b0000"
              },
              {
                "name": "ResourceInfo",
                "value": "0x2924e1b1c98"
              }
            ],
            "repeated": 0,
            "id": 1201
          },
          {
            "timestamp": "2026-05-28 22:01:57,428",
            "thread_id": "5448",
            "caller": "0x7ff6c28b1d04",
            "parentcaller": "0x7ff6c28b184d",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000410"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\PcwDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00224003"
              },
              {
                "name": "InputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": "\\x18\\x04\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1202
          },
          {
            "timestamp": "2026-05-28 22:01:57,428",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4000",
            "parentcaller": "0x7ff6c28d2e59",
            "category": "misc",
            "api": "FindResourceExW",
            "status": true,
            "return": "0x2924e1b1c98",
            "arguments": [
              {
                "name": "Module",
                "value": "0x7ff6c28b0000"
              },
              {
                "name": "Type",
                "value": "#6"
              },
              {
                "name": "Name",
                "value": "#2140"
              },
              {
                "name": "Language",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 1203
          },
          {
            "timestamp": "2026-05-28 22:01:57,428",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4000",
            "parentcaller": "0x7ff6c28d2e59",
            "category": "misc",
            "api": "LoadResource",
            "status": true,
            "return": "0x2924e1ba768",
            "arguments": [
              {
                "name": "Module",
                "value": "0x7ff6c28b0000"
              },
              {
                "name": "ResourceInfo",
                "value": "0x2924e1b1c98"
              }
            ],
            "repeated": 0,
            "id": 1204
          },
          {
            "timestamp": "2026-05-28 22:01:57,428",
            "thread_id": "5448",
            "caller": "0x7ff6c28b1d7c",
            "parentcaller": "0x7ff6c28b184d",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000410"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\PcwDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00224007"
              },
              {
                "name": "InputBuffer",
                "value": "\\x00\\xfd0\\x00\\x02\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xfc\\x7f\\x00\\x00\\x18\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\xc8x\\x98\\xc2\\xf6\\x7f\\x00\\x00\\xc0x\\x98\\xc2\\xf6\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": "\\x01\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1205
          },
          {
            "timestamp": "2026-05-28 22:01:57,428",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4000",
            "parentcaller": "0x7ff6c28d2e59",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00000029"
              },
              {
                "name": "uiParam",
                "value": "0x000001f8"
              }
            ],
            "repeated": 1,
            "id": 1206
          },
          {
            "timestamp": "2026-05-28 22:01:57,428",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4000",
            "parentcaller": "0x7ff6c28d2e59",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29253e20000"
              },
              {
                "name": "RegionSize",
                "value": "0x00100000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1207
          },
          {
            "timestamp": "2026-05-28 22:01:57,428",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4000",
            "parentcaller": "0x7ff6c28d2e59",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29253e20000"
              },
              {
                "name": "RegionSize",
                "value": "0x00002000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1208
          },
          {
            "timestamp": "2026-05-28 22:01:57,428",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4000",
            "parentcaller": "0x7ff6c28d2e59",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29253e22000"
              },
              {
                "name": "RegionSize",
                "value": "0x00003000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1209
          },
          {
            "timestamp": "2026-05-28 22:01:57,428",
            "thread_id": "7832",
            "caller": "0x7ffc7804507d",
            "parentcaller": "0x7ffc78044c43",
            "category": "threading",
            "api": "NtTestAlert",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 1210
          },
          {
            "timestamp": "2026-05-28 22:01:57,428",
            "thread_id": "7832",
            "caller": "0x00000000",
            "parentcaller": "0x00000000",
            "category": "threading",
            "api": "RtlUserThreadStart",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "StartAddress",
                "value": "0x7ff6c28b3a10"
              },
              {
                "name": "Parameter",
                "value": "0x2924e2e1bd0"
              }
            ],
            "repeated": 0,
            "id": 1211
          },
          {
            "timestamp": "2026-05-28 22:01:57,428",
            "thread_id": "7832",
            "caller": "0x7ff6c28b5d5f",
            "parentcaller": "0x7ff6c28b3a61",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000041c"
              }
            ],
            "repeated": 0,
            "id": 1212
          },
          {
            "timestamp": "2026-05-28 22:01:57,428",
            "thread_id": "7832",
            "caller": "0x7ff6c28b5d5f",
            "parentcaller": "0x7ff6c28b3a61",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000420"
              }
            ],
            "repeated": 0,
            "id": 1213
          },
          {
            "timestamp": "2026-05-28 22:01:57,428",
            "thread_id": "7832",
            "caller": "0x7ff6c28b3c77",
            "parentcaller": "0x7ff6c28b3c07",
            "category": "system",
            "api": "CreateTimerQueueTimer",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "phNewTimer",
                "value": "0x2924e2a6060"
              },
              {
                "name": "TimerQueue",
                "value": "0x00000000"
              },
              {
                "name": "Callback",
                "value": "0xc2914c70"
              },
              {
                "name": "Parameter",
                "value": "0x9de7fcc0"
              },
              {
                "name": "DueTime",
                "value": "5000"
              },
              {
                "name": "Period",
                "value": "1000"
              },
              {
                "name": "Flags",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 1214
          },
          {
            "timestamp": "2026-05-28 22:01:57,443",
            "thread_id": "5448",
            "caller": "0x7ff6c28c4a58",
            "parentcaller": "0x7ff6c28c4bdc",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000410"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\PcwDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00224013"
              },
              {
                "name": "InputBuffer",
                "value": "\\x14\\x04\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 1215
          },
          {
            "timestamp": "2026-05-28 22:01:57,443",
            "thread_id": "7832",
            "caller": "0x7ff6c28b4d7a",
            "parentcaller": "0x7ff6c28b483b",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\system32\\srumapi"
              },
              {
                "name": "DllBase",
                "value": "0x7ffc65120000"
              }
            ],
            "repeated": 0,
            "id": 1216
          },
          {
            "timestamp": "2026-05-28 22:01:57,443",
            "thread_id": "5448",
            "caller": "0x7ff6c28c4a58",
            "parentcaller": "0x7ff6c28c4bdc",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000410"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\PcwDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00224013"
              },
              {
                "name": "InputBuffer",
                "value": "\\x14\\x04\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": "\\xb8\\x01\\x00\\x00\\x10\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xa8\\x01\\x00\\x00 \\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x000\\x00\\x00\\x0c\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00`\\x00\\x00\\x00\\x00\\x00\\x00\\x00 \\x00\\x00\\x00\\x04\\x00\\x00\\x000\\x00,\\x000\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x04\\x00\\x08\\x00\\xb6\\xfb\\\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x05\\x00\\x08\\x00\\x1c{?\\x01\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x1a\\x00\\x08\\x00\\xa2/\\xbdz\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x1b\\x00\\x04\\x006M\\x88\\x02\\x00\\x00\\x00\\x00`\\x00\\x00\\x00\\x01\\x00\\x00\\x00 \\x00\\x00\\x00\\x04\\x00\\x00\\x000\\x00,\\x001\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x04\\x00\\x08\\x00\\x0eT8\\x01\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x05\\x00\\x08\\x00\\xc2\\xeb\\x0b\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x1a\\x00\\x08\\x00;\\xfc\\xcfz\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x1b\\x00\\x04\\x009M\\x88\\x02\\x00\\x00\\x00\\x00h\\x00\\x00\\x00\\x02\\x00\\x00\\x00(\\x00\\x00\\x00\\x04\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1217
          },
          {
            "timestamp": "2026-05-28 22:01:57,443",
            "thread_id": "5448",
            "caller": "0x7ff6c28c4a58",
            "parentcaller": "0x7ff6c28c4c19",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000410"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\PcwDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00224013"
              },
              {
                "name": "InputBuffer",
                "value": "\\x18\\x04\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 1218
          },
          {
            "timestamp": "2026-05-28 22:01:57,443",
            "thread_id": "5448",
            "caller": "0x7ff6c28c4a58",
            "parentcaller": "0x7ff6c28c4c19",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000410"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\PcwDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00224013"
              },
              {
                "name": "InputBuffer",
                "value": "\\x18\\x04\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": "x\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00h\\x00\\x00\\x00 \\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00H\\x00\\x00\\x00\\x00\\x00\\x00\\x00(\\x00\\x00\\x00\\x02\\x00\\x00\\x00d\\x00e\\x00f\\x00a\\x00u\\x00l\\x00t\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x08\\x00k\\xaa88\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x01\\x00\\x08\\x00\\x00n\\x06\n\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1219
          },
          {
            "timestamp": "2026-05-28 22:01:57,443",
            "thread_id": "5448",
            "caller": "0x7ff6c28e3417",
            "parentcaller": "0x7ff6c28b15f8",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29253e25000"
              },
              {
                "name": "RegionSize",
                "value": "0x00003000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1220
          },
          {
            "timestamp": "2026-05-28 22:01:57,443",
            "thread_id": "5448",
            "caller": "0x7ff6c28b305b",
            "parentcaller": "0x7ff6c28b163d",
            "category": "threading",
            "api": "NtCreateThreadEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0x0000043c"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "StartAddress",
                "value": "0x7ff6c28de0d0"
              },
              {
                "name": "Parameter",
                "value": "0x29253e23040"
              },
              {
                "name": "CreateFlags",
                "value": "0x00000001"
              },
              {
                "name": "ThreadId",
                "value": "520"
              },
              {
                "name": "ProcessId",
                "value": "7912"
              },
              {
                "name": "Module",
                "value": "taskmgr.exe"
              }
            ],
            "repeated": 0,
            "id": 1221
          },
          {
            "timestamp": "2026-05-28 22:01:57,443",
            "thread_id": "5448",
            "caller": "0x7ff6c28b305b",
            "parentcaller": "0x7ff6c28b163d",
            "category": "threading",
            "api": "CreateRemoteThreadEx",
            "status": true,
            "return": "0x0000043c",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "StartRoutine",
                "value": "0x7ff6c28de0d0"
              },
              {
                "name": "Parameter",
                "value": "0x29253e23040"
              },
              {
                "name": "CreationFlags",
                "value": "0x00000000"
              },
              {
                "name": "ThreadId",
                "value": "520"
              },
              {
                "name": "ProcessId",
                "value": "7912"
              }
            ],
            "repeated": 0,
            "id": 1222
          },
          {
            "timestamp": "2026-05-28 22:01:57,443",
            "thread_id": "520",
            "caller": "0x7ffc7802eb32",
            "parentcaller": "0x7ffc77fe77c3",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000038"
              },
              {
                "name": "Milliseconds",
                "value": "18446744073709551615"
              },
              {
                "name": "Status",
                "value": "Infinite"
              }
            ],
            "repeated": 0,
            "id": 1223
          },
          {
            "timestamp": "2026-05-28 22:01:57,443",
            "thread_id": "5448",
            "caller": "0x7ff6c28e3417",
            "parentcaller": "0x7ff6c28b1647",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29253e28000"
              },
              {
                "name": "RegionSize",
                "value": "0x00003000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1224
          },
          {
            "timestamp": "2026-05-28 22:01:57,443",
            "thread_id": "5448",
            "caller": "0x7ff6c28e3417",
            "parentcaller": "0x7ff6c28b1692",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29253e2b000"
              },
              {
                "name": "RegionSize",
                "value": "0x00003000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1225
          },
          {
            "timestamp": "2026-05-28 22:01:57,443",
            "thread_id": "5448",
            "caller": "0x7ff6c28b305b",
            "parentcaller": "0x7ff6c28b170d",
            "category": "threading",
            "api": "NtCreateThreadEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0x0000044c"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "StartAddress",
                "value": "0x7ff6c28de0d0"
              },
              {
                "name": "Parameter",
                "value": "0x29253e2b950"
              },
              {
                "name": "CreateFlags",
                "value": "0x00000001"
              },
              {
                "name": "ThreadId",
                "value": "608"
              },
              {
                "name": "ProcessId",
                "value": "7912"
              },
              {
                "name": "Module",
                "value": "taskmgr.exe"
              }
            ],
            "repeated": 0,
            "id": 1226
          },
          {
            "timestamp": "2026-05-28 22:01:57,443",
            "thread_id": "5448",
            "caller": "0x7ff6c28b305b",
            "parentcaller": "0x7ff6c28b170d",
            "category": "threading",
            "api": "CreateRemoteThreadEx",
            "status": true,
            "return": "0x0000044c",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "StartRoutine",
                "value": "0x7ff6c28de0d0"
              },
              {
                "name": "Parameter",
                "value": "0x29253e2b950"
              },
              {
                "name": "CreationFlags",
                "value": "0x00000000"
              },
              {
                "name": "ThreadId",
                "value": "608"
              },
              {
                "name": "ProcessId",
                "value": "7912"
              }
            ],
            "repeated": 0,
            "id": 1227
          },
          {
            "timestamp": "2026-05-28 22:01:57,443",
            "thread_id": "5448",
            "caller": "0x7ff6c28e3417",
            "parentcaller": "0x7ff6c28b28b7",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29253e2e000"
              },
              {
                "name": "RegionSize",
                "value": "0x00003000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1228
          },
          {
            "timestamp": "2026-05-28 22:01:57,443",
            "thread_id": "5448",
            "caller": "0x7ff6c28b2cfb",
            "parentcaller": "0x7ff6c28b2c19",
            "category": "process",
            "api": "NtOpenSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000454"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000006"
              },
              {
                "name": "ObjectAttributes",
                "value": "windows_shell_global_counters"
              }
            ],
            "repeated": 0,
            "id": 1229
          },
          {
            "timestamp": "2026-05-28 22:01:57,443",
            "thread_id": "5448",
            "caller": "0x7ff6c28b2cfb",
            "parentcaller": "0x7ff6c28b2c19",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000454"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29250f70000"
              },
              {
                "name": "SectionOffset",
                "value": "0xf09ddff650"
              },
              {
                "name": "ViewSize",
                "value": "0x00001000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1230
          },
          {
            "timestamp": "2026-05-28 22:01:57,443",
            "thread_id": "5448",
            "caller": "0x7ff6c28b2cfb",
            "parentcaller": "0x7ff6c28b2c19",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "Software\\Policies\\Microsoft\\Windows\\Explorer"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\Explorer"
              }
            ],
            "repeated": 0,
            "id": 1231
          },
          {
            "timestamp": "2026-05-28 22:01:57,443",
            "thread_id": "5448",
            "caller": "0x7ff6c28b2cfb",
            "parentcaller": "0x7ff6c28b2c19",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000001",
                "pretty_value": "HKEY_CURRENT_USER"
              },
              {
                "name": "SubKey",
                "value": "Software\\Policies\\Microsoft\\Windows\\Explorer"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\Software\\Policies\\Microsoft\\Windows\\Explorer"
              }
            ],
            "repeated": 0,
            "id": 1232
          },
          {
            "timestamp": "2026-05-28 22:01:57,443",
            "thread_id": "608",
            "caller": "0x7ffc7802eb32",
            "parentcaller": "0x7ffc77fe77c3",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000038"
              },
              {
                "name": "Milliseconds",
                "value": "18446744073709551615"
              },
              {
                "name": "Status",
                "value": "Infinite"
              }
            ],
            "repeated": 0,
            "id": 1233
          },
          {
            "timestamp": "2026-05-28 22:01:57,443",
            "thread_id": "5448",
            "caller": "0x7ff6c28b305b",
            "parentcaller": "0x7ff6c28b28f3",
            "category": "threading",
            "api": "NtCreateThreadEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0x00000460"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "StartAddress",
                "value": "0x7ff6c28de0d0"
              },
              {
                "name": "Parameter",
                "value": "0x29253e2dc40"
              },
              {
                "name": "CreateFlags",
                "value": "0x00000001"
              },
              {
                "name": "ThreadId",
                "value": "612"
              },
              {
                "name": "ProcessId",
                "value": "7912"
              },
              {
                "name": "Module",
                "value": "taskmgr.exe"
              }
            ],
            "repeated": 0,
            "id": 1234
          },
          {
            "timestamp": "2026-05-28 22:01:57,443",
            "thread_id": "5448",
            "caller": "0x7ff6c28b305b",
            "parentcaller": "0x7ff6c28b28f3",
            "category": "threading",
            "api": "CreateRemoteThreadEx",
            "status": true,
            "return": "0x00000460",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "StartRoutine",
                "value": "0x7ff6c28de0d0"
              },
              {
                "name": "Parameter",
                "value": "0x29253e2dc40"
              },
              {
                "name": "CreationFlags",
                "value": "0x00000000"
              },
              {
                "name": "ThreadId",
                "value": "612"
              },
              {
                "name": "ProcessId",
                "value": "7912"
              }
            ],
            "repeated": 0,
            "id": 1235
          },
          {
            "timestamp": "2026-05-28 22:01:57,443",
            "thread_id": "612",
            "caller": "0x7ffc7802eb32",
            "parentcaller": "0x7ffc77fe77c3",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000038"
              },
              {
                "name": "Milliseconds",
                "value": "18446744073709551615"
              },
              {
                "name": "Status",
                "value": "Infinite"
              }
            ],
            "repeated": 0,
            "id": 1236
          },
          {
            "timestamp": "2026-05-28 22:01:57,443",
            "thread_id": "5448",
            "caller": "0x7ff6c28bd9af",
            "parentcaller": "0x7ff6c28d9f92",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "23"
              },
              {
                "name": "ThreadInformation",
                "value": "\\xb4\\xe8\\x9c\\x00\\x00\\x00\\x00\\x00\\xb4\\xb1\\x94\t?\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "5448"
              }
            ],
            "repeated": 0,
            "id": 1237
          },
          {
            "timestamp": "2026-05-28 22:01:57,443",
            "thread_id": "7832",
            "caller": "0x7ff6c28b4d7a",
            "parentcaller": "0x7ff6c28b483b",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "srumapi.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc65120000"
              }
            ],
            "repeated": 0,
            "id": 1238
          },
          {
            "timestamp": "2026-05-28 22:01:57,443",
            "thread_id": "7832",
            "caller": "0x7ff6c28b4d7a",
            "parentcaller": "0x7ff6c28b483b",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x7ffc65120000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "srumapi.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 1239
          },
          {
            "timestamp": "2026-05-28 22:01:57,443",
            "thread_id": "7832",
            "caller": "0x7ff6c28b4865",
            "parentcaller": "0x7ff6c28b3839",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "srumapi.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc65120000"
              },
              {
                "name": "FunctionName",
                "value": "SruRegisterRealTimeStats"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc65121290"
              }
            ],
            "repeated": 0,
            "id": 1240
          },
          {
            "timestamp": "2026-05-28 22:01:57,443",
            "thread_id": "7832",
            "caller": "0x7ff6c28b4889",
            "parentcaller": "0x7ff6c28b3839",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "srumapi.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc65120000"
              },
              {
                "name": "FunctionName",
                "value": "SruQueryStats"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc65122220"
              }
            ],
            "repeated": 0,
            "id": 1241
          },
          {
            "timestamp": "2026-05-28 22:01:57,443",
            "thread_id": "7832",
            "caller": "0x7ff6c28b48ad",
            "parentcaller": "0x7ff6c28b3839",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "srumapi.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc65120000"
              },
              {
                "name": "FunctionName",
                "value": "SruFreeRecordSet"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc651220d0"
              }
            ],
            "repeated": 0,
            "id": 1242
          },
          {
            "timestamp": "2026-05-28 22:01:57,443",
            "thread_id": "7832",
            "caller": "0x7ff6c28b48d1",
            "parentcaller": "0x7ff6c28b3839",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "srumapi.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc65120000"
              },
              {
                "name": "FunctionName",
                "value": "SruUnregisterRealTimeStats"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc65124d30"
              }
            ],
            "repeated": 0,
            "id": 1243
          },
          {
            "timestamp": "2026-05-28 22:01:57,443",
            "thread_id": "7832",
            "caller": "0x7ff6c28b3ab7",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "GetSystemTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 1244
          },
          {
            "timestamp": "2026-05-28 22:01:57,443",
            "thread_id": "7832",
            "caller": "0x7ff6c28b3c77",
            "parentcaller": "0x7ff6c28b3ad3",
            "category": "system",
            "api": "CreateTimerQueueTimer",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "phNewTimer",
                "value": "0x2924e2a5c00"
              },
              {
                "name": "TimerQueue",
                "value": "0x00000000"
              },
              {
                "name": "Callback",
                "value": "0xc2914c70"
              },
              {
                "name": "Parameter",
                "value": "0x9de7fcc0"
              },
              {
                "name": "DueTime",
                "value": "5000"
              },
              {
                "name": "Period",
                "value": "1000"
              },
              {
                "name": "Flags",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 1245
          },
          {
            "timestamp": "2026-05-28 22:01:57,443",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4000",
            "parentcaller": "0x7ff6c28d2e59",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\SYSTEM32\\atlthunk"
              },
              {
                "name": "DllBase",
                "value": "0x7ffc65620000"
              }
            ],
            "repeated": 0,
            "id": 1246
          },
          {
            "timestamp": "2026-05-28 22:01:57,443",
            "thread_id": "5448",
            "caller": "0x7ff6c28c63dd",
            "parentcaller": "0x7ff6c28bac26",
            "category": "misc",
            "api": "NtQuerySystemInformation",
            "status": false,
            "return": "0xffffffffc0000004",
            "pretty_return": "INFO_LENGTH_MISMATCH",
            "arguments": [
              {
                "name": "SystemInformationClass",
                "value": "5",
                "pretty_value": "FILE_OVERWRITE_IF"
              }
            ],
            "repeated": 0,
            "id": 1247
          },
          {
            "timestamp": "2026-05-28 22:01:57,443",
            "thread_id": "5448",
            "caller": "0x7ff6c28b84ea",
            "parentcaller": "0x7ff6c28bac5d",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29253e31000"
              },
              {
                "name": "RegionSize",
                "value": "0x00037000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1248
          },
          {
            "timestamp": "2026-05-28 22:01:57,443",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4000",
            "parentcaller": "0x7ff6c28d2e59",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "atlthunk.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc65620000"
              }
            ],
            "repeated": 0,
            "id": 1249
          },
          {
            "timestamp": "2026-05-28 22:01:57,443",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4000",
            "parentcaller": "0x7ff6c28d2e59",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x7ffc65620000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "atlthunk.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00000800"
              }
            ],
            "repeated": 0,
            "id": 1250
          },
          {
            "timestamp": "2026-05-28 22:01:57,443",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4000",
            "parentcaller": "0x7ff6c28d2e59",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "atlthunk.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc65620000"
              },
              {
                "name": "FunctionName",
                "value": "AtlThunk_AllocateData"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc65624300"
              }
            ],
            "repeated": 0,
            "id": 1251
          },
          {
            "timestamp": "2026-05-28 22:01:57,443",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4000",
            "parentcaller": "0x7ff6c28d2e59",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "atlthunk.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc65620000"
              },
              {
                "name": "FunctionName",
                "value": "AtlThunk_InitData"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc65624590"
              }
            ],
            "repeated": 0,
            "id": 1252
          },
          {
            "timestamp": "2026-05-28 22:01:57,443",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4000",
            "parentcaller": "0x7ff6c28d2e59",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "atlthunk.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc65620000"
              },
              {
                "name": "FunctionName",
                "value": "AtlThunk_DataToCode"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc65624010"
              }
            ],
            "repeated": 0,
            "id": 1253
          },
          {
            "timestamp": "2026-05-28 22:01:57,443",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4000",
            "parentcaller": "0x7ff6c28d2e59",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "atlthunk.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc65620000"
              },
              {
                "name": "FunctionName",
                "value": "AtlThunk_FreeData"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc656245b0"
              }
            ],
            "repeated": 0,
            "id": 1254
          },
          {
            "timestamp": "2026-05-28 22:01:57,443",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4000",
            "parentcaller": "0x7ff6c28d2e59",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "comctl32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc61e00000"
              }
            ],
            "repeated": 0,
            "id": 1255
          },
          {
            "timestamp": "2026-05-28 22:01:57,443",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4000",
            "parentcaller": "0x7ff6c28d2e59",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x7ffc61e00000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "comctl32.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 1256
          },
          {
            "timestamp": "2026-05-28 22:01:57,443",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4000",
            "parentcaller": "0x7ff6c28d2e59",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "COMCTL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc61e00000"
              },
              {
                "name": "FunctionName",
                "value": "RegisterClassNameW"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc61e85670"
              }
            ],
            "repeated": 0,
            "id": 1257
          },
          {
            "timestamp": "2026-05-28 22:01:57,443",
            "thread_id": "520",
            "caller": "0x7ffc7804507d",
            "parentcaller": "0x7ffc78044c43",
            "category": "threading",
            "api": "NtTestAlert",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 1258
          },
          {
            "timestamp": "2026-05-28 22:01:57,443",
            "thread_id": "520",
            "caller": "0x00000000",
            "parentcaller": "0x00000000",
            "category": "threading",
            "api": "RtlUserThreadStart",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "StartAddress",
                "value": "0x7ff6c28de0d0"
              },
              {
                "name": "Parameter",
                "value": "0x29253e23040"
              }
            ],
            "repeated": 0,
            "id": 1259
          },
          {
            "timestamp": "2026-05-28 22:01:57,443",
            "thread_id": "520",
            "caller": "0x7ff6c28d63bd",
            "parentcaller": "0x7ff6c28d5dd1",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76722000"
              },
              {
                "name": "ModuleName",
                "value": "SHLWAPI.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1260
          },
          {
            "timestamp": "2026-05-28 22:01:57,443",
            "thread_id": "608",
            "caller": "0x7ffc77fde715",
            "parentcaller": "0x7ffc77fde37b",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29253e68000"
              },
              {
                "name": "RegionSize",
                "value": "0x00009000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1261
          },
          {
            "timestamp": "2026-05-28 22:01:57,443",
            "thread_id": "520",
            "caller": "0x7ff6c28d63bd",
            "parentcaller": "0x7ff6c28d5dd1",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76722000"
              },
              {
                "name": "ModuleName",
                "value": "SHLWAPI.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1262
          },
          {
            "timestamp": "2026-05-28 22:01:57,443",
            "thread_id": "520",
            "caller": "0x7ff6c28d63bd",
            "parentcaller": "0x7ff6c28d5dd1",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc77657000"
              },
              {
                "name": "ModuleName",
                "value": "SHCORE.DLL"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1263
          },
          {
            "timestamp": "2026-05-28 22:01:57,443",
            "thread_id": "520",
            "caller": "0x7ff6c28d63bd",
            "parentcaller": "0x7ff6c28d5dd1",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc77657000"
              },
              {
                "name": "ModuleName",
                "value": "SHCORE.DLL"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1264
          },
          {
            "timestamp": "2026-05-28 22:01:57,443",
            "thread_id": "520",
            "caller": "0x7ff6c28d63bd",
            "parentcaller": "0x7ff6c28d5dd1",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc77657000"
              },
              {
                "name": "ModuleName",
                "value": "SHCORE.DLL"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1265
          },
          {
            "timestamp": "2026-05-28 22:01:57,443",
            "thread_id": "520",
            "caller": "0x7ff6c28d63bd",
            "parentcaller": "0x7ff6c28d5dd1",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc77657000"
              },
              {
                "name": "ModuleName",
                "value": "SHCORE.DLL"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1266
          },
          {
            "timestamp": "2026-05-28 22:01:57,443",
            "thread_id": "608",
            "caller": "0x7ffc7804507d",
            "parentcaller": "0x7ffc78044c43",
            "category": "threading",
            "api": "NtTestAlert",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 1267
          },
          {
            "timestamp": "2026-05-28 22:01:57,443",
            "thread_id": "608",
            "caller": "0x00000000",
            "parentcaller": "0x00000000",
            "category": "threading",
            "api": "RtlUserThreadStart",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "StartAddress",
                "value": "0x7ff6c28de0d0"
              },
              {
                "name": "Parameter",
                "value": "0x29253e2b950"
              }
            ],
            "repeated": 0,
            "id": 1268
          },
          {
            "timestamp": "2026-05-28 22:01:57,443",
            "thread_id": "612",
            "caller": "0x7ffc77fde715",
            "parentcaller": "0x7ffc77fde37b",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29253b95000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1269
          },
          {
            "timestamp": "2026-05-28 22:01:57,443",
            "thread_id": "612",
            "caller": "0x7ffc7804507d",
            "parentcaller": "0x7ffc78044c43",
            "category": "threading",
            "api": "NtTestAlert",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 1270
          },
          {
            "timestamp": "2026-05-28 22:01:57,443",
            "thread_id": "612",
            "caller": "0x00000000",
            "parentcaller": "0x00000000",
            "category": "threading",
            "api": "RtlUserThreadStart",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "StartAddress",
                "value": "0x7ff6c28de0d0"
              },
              {
                "name": "Parameter",
                "value": "0x29253e2dc40"
              }
            ],
            "repeated": 0,
            "id": 1271
          },
          {
            "timestamp": "2026-05-28 22:01:57,443",
            "thread_id": "612",
            "caller": "0x7ff6c290b626",
            "parentcaller": "0x7ff6c297a184",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x0000047c"
              }
            ],
            "repeated": 0,
            "id": 1272
          },
          {
            "timestamp": "2026-05-28 22:01:57,443",
            "thread_id": "612",
            "caller": "0x7ff6c290b781",
            "parentcaller": "0x7ff6c297a184",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": " \\xc5.N\\x92\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\xe9\\x03\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1273
          },
          {
            "timestamp": "2026-05-28 22:01:57,443",
            "thread_id": "612",
            "caller": "0x7ff6c290b882",
            "parentcaller": "0x7ff6c297a184",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000047c"
              }
            ],
            "repeated": 0,
            "id": 1274
          },
          {
            "timestamp": "2026-05-28 22:01:57,443",
            "thread_id": "612",
            "caller": "0x7ff6c28dd762",
            "parentcaller": "0x7ff6c28e0e7b",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff6c29dc000"
              },
              {
                "name": "ModuleName",
                "value": "taskmgr.exe"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1275
          },
          {
            "timestamp": "2026-05-28 22:01:57,443",
            "thread_id": "612",
            "caller": "0x7ff6c28dd762",
            "parentcaller": "0x7ff6c28e0e7b",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff6c29dc000"
              },
              {
                "name": "ModuleName",
                "value": "taskmgr.exe"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1276
          },
          {
            "timestamp": "2026-05-28 22:01:57,443",
            "thread_id": "520",
            "caller": "0x7ff6c28dd762",
            "parentcaller": "0x7ff6c28e1b61",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "93"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x7f7\\x9e}"
              }
            ],
            "repeated": 0,
            "id": 1277
          },
          {
            "timestamp": "2026-05-28 22:01:57,443",
            "thread_id": "520",
            "caller": "0x7ff6c28dd762",
            "parentcaller": "0x7ff6c28e1b61",
            "category": "process",
            "api": "NtOpenSection",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0000000d"
              },
              {
                "name": "ObjectAttributes",
                "value": "WTSAPI32.dll"
              }
            ],
            "repeated": 0,
            "id": 1278
          },
          {
            "timestamp": "2026-05-28 22:01:57,443",
            "thread_id": "520",
            "caller": "0x7ff6c28dd762",
            "parentcaller": "0x7ff6c28e1b61",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\wtsapi32.dll"
              }
            ],
            "repeated": 0,
            "id": 1279
          },
          {
            "timestamp": "2026-05-28 22:01:57,443",
            "thread_id": "612",
            "caller": "0x7ff6c297a3ec",
            "parentcaller": "0x7ff6c297a634",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x0000047c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\WDI\\LogFiles\\StartupInfo\\S-1-5-21-3968686040-3210279463-847977608-1001_StartupInfo1.xml"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "0"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000080",
                "pretty_value": "FILE_ATTRIBUTE_NORMAL"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1280
          },
          {
            "timestamp": "2026-05-28 22:01:57,443",
            "thread_id": "608",
            "caller": "0x7ff6c28b4ea1",
            "parentcaller": "0x7ff6c28b3f08",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000488"
              }
            ],
            "repeated": 0,
            "id": 1281
          },
          {
            "timestamp": "2026-05-28 22:01:57,443",
            "thread_id": "608",
            "caller": "0x7ff6c28b4ea1",
            "parentcaller": "0x7ff6c28b3f08",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000048c"
              }
            ],
            "repeated": 0,
            "id": 1282
          },
          {
            "timestamp": "2026-05-28 22:01:57,443",
            "thread_id": "612",
            "caller": "0x7ff6c297a43a",
            "parentcaller": "0x7ff6c297a634",
            "category": "filesystem",
            "api": "NtQueryFullAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\WDI\\LogFiles\\StartupInfo\\S-1-5-21-3968686040-3210279463-847977608-1001_StartupInfo1.xml"
              }
            ],
            "repeated": 0,
            "id": 1283
          },
          {
            "timestamp": "2026-05-28 22:01:57,443",
            "thread_id": "612",
            "caller": "0x7ff6c297a38b",
            "parentcaller": "0x7ff6c297a634",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000047c"
              }
            ],
            "repeated": 0,
            "id": 1284
          },
          {
            "timestamp": "2026-05-28 22:01:57,443",
            "thread_id": "520",
            "caller": "0x7ff6c28dd762",
            "parentcaller": "0x7ff6c28e1b61",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000480"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0000000d",
                "pretty_value": "SECTION_QUERY|SECTION_MAP_READ|SECTION_MAP_EXECUTE"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000484"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\wtsapi32.dll"
              }
            ],
            "repeated": 0,
            "id": 1285
          },
          {
            "timestamp": "2026-05-28 22:01:57,443",
            "thread_id": "520",
            "caller": "0x7ff6c28dd762",
            "parentcaller": "0x7ff6c28e1b61",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000480"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc72b20000"
              },
              {
                "name": "SectionOffset",
                "value": "0x00000000"
              },
              {
                "name": "ViewSize",
                "value": "0x00014000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000080",
                "pretty_value": "PAGE_EXECUTE_WRITECOPY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1286
          },
          {
            "timestamp": "2026-05-28 22:01:57,443",
            "thread_id": "608",
            "caller": "0x7ff6c28b3dc4",
            "parentcaller": "0x7ff6c28b38f4",
            "category": "misc",
            "api": "FindResourceExW",
            "status": true,
            "return": "0x29252ef2118",
            "arguments": [
              {
                "name": "Module",
                "value": "0x7ff6c28b0000"
              },
              {
                "name": "Type",
                "value": "#14"
              },
              {
                "name": "Name",
                "value": "#38600"
              },
              {
                "name": "Language",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 1287
          },
          {
            "timestamp": "2026-05-28 22:01:57,443",
            "thread_id": "608",
            "caller": "0x7ff6c28b3dc4",
            "parentcaller": "0x7ff6c28b38f4",
            "category": "misc",
            "api": "LoadResource",
            "status": true,
            "return": "0x29252f2aec0",
            "arguments": [
              {
                "name": "Module",
                "value": "0x7ff6c28b0000"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29252ef2118"
              }
            ],
            "repeated": 0,
            "id": 1288
          },
          {
            "timestamp": "2026-05-28 22:01:57,443",
            "thread_id": "520",
            "caller": "0x7ff6c28dd762",
            "parentcaller": "0x7ff6c28e1b61",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc72b2b000"
              },
              {
                "name": "ModuleName",
                "value": "WTSAPI32.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1289
          },
          {
            "timestamp": "2026-05-28 22:01:57,443",
            "thread_id": "608",
            "caller": "0x7ff6c28b3dc4",
            "parentcaller": "0x7ff6c28b38f4",
            "category": "misc",
            "api": "FindResourceExW",
            "status": true,
            "return": "0x29252ef1ec8",
            "arguments": [
              {
                "name": "Module",
                "value": "0x7ff6c28b0000"
              },
              {
                "name": "Type",
                "value": "#3"
              },
              {
                "name": "Name",
                "value": "#86"
              },
              {
                "name": "Language",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 1290
          },
          {
            "timestamp": "2026-05-28 22:01:57,443",
            "thread_id": "520",
            "caller": "0x7ff6c28dd762",
            "parentcaller": "0x7ff6c28e1b61",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc72b2b000"
              },
              {
                "name": "ModuleName",
                "value": "WTSAPI32.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1291
          },
          {
            "timestamp": "2026-05-28 22:01:57,443",
            "thread_id": "608",
            "caller": "0x7ff6c28b3dc4",
            "parentcaller": "0x7ff6c28b38f4",
            "category": "misc",
            "api": "LoadResource",
            "status": true,
            "return": "0x29252f2aa58",
            "arguments": [
              {
                "name": "Module",
                "value": "0x7ff6c28b0000"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29252ef1ec8"
              }
            ],
            "repeated": 0,
            "id": 1292
          },
          {
            "timestamp": "2026-05-28 22:01:57,443",
            "thread_id": "520",
            "caller": "0x7ff6c28dd762",
            "parentcaller": "0x7ff6c28e1b61",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc72b2b000"
              },
              {
                "name": "ModuleName",
                "value": "WTSAPI32.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1293
          },
          {
            "timestamp": "2026-05-28 22:01:57,443",
            "thread_id": "520",
            "caller": "0x7ff6c28dd762",
            "parentcaller": "0x7ff6c28e1b61",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc72b2b000"
              },
              {
                "name": "ModuleName",
                "value": "WTSAPI32.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1294
          },
          {
            "timestamp": "2026-05-28 22:01:57,443",
            "thread_id": "520",
            "caller": "0x7ff6c28dd762",
            "parentcaller": "0x7ff6c28e1b61",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc72b2b000"
              },
              {
                "name": "ModuleName",
                "value": "WTSAPI32.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1295
          },
          {
            "timestamp": "2026-05-28 22:01:57,443",
            "thread_id": "520",
            "caller": "0x7ff6c28dd762",
            "parentcaller": "0x7ff6c28e1b61",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29253e71000"
              },
              {
                "name": "RegionSize",
                "value": "0x00003000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1296
          },
          {
            "timestamp": "2026-05-28 22:01:57,443",
            "thread_id": "520",
            "caller": "0x7ff6c28dd762",
            "parentcaller": "0x7ff6c28e1b61",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000480"
              }
            ],
            "repeated": 0,
            "id": 1297
          },
          {
            "timestamp": "2026-05-28 22:01:57,443",
            "thread_id": "520",
            "caller": "0x7ff6c28dd762",
            "parentcaller": "0x7ff6c28e1b61",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000484"
              }
            ],
            "repeated": 0,
            "id": 1298
          },
          {
            "timestamp": "2026-05-28 22:01:57,443",
            "thread_id": "520",
            "caller": "0x7ff6c28dd762",
            "parentcaller": "0x7ff6c28e1b61",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc72b2b000"
              },
              {
                "name": "ModuleName",
                "value": "WTSAPI32.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1299
          },
          {
            "timestamp": "2026-05-28 22:01:57,443",
            "thread_id": "520",
            "caller": "0x7ff6c28dd762",
            "parentcaller": "0x7ff6c28e1b61",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\system32\\WTSAPI32"
              },
              {
                "name": "DllBase",
                "value": "0x7ffc72b20000"
              }
            ],
            "repeated": 0,
            "id": 1300
          },
          {
            "timestamp": "2026-05-28 22:01:57,443",
            "thread_id": "608",
            "caller": "0x7ff6c28b3de8",
            "parentcaller": "0x7ff6c28b38f4",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x0000048c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001000",
                "pretty_value": "PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "7912"
              }
            ],
            "repeated": 0,
            "id": 1301
          },
          {
            "timestamp": "2026-05-28 22:01:57,443",
            "thread_id": "608",
            "caller": "0x7ff6c28b3de8",
            "parentcaller": "0x7ff6c28b38f4",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000048c"
              }
            ],
            "repeated": 0,
            "id": 1302
          },
          {
            "timestamp": "2026-05-28 22:01:57,443",
            "thread_id": "608",
            "caller": "0x7ff6c28b3de8",
            "parentcaller": "0x7ff6c28b38f4",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76e57000"
              },
              {
                "name": "ModuleName",
                "value": "SHELL32.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1303
          },
          {
            "timestamp": "2026-05-28 22:01:57,443",
            "thread_id": "608",
            "caller": "0x7ff6c28b3de8",
            "parentcaller": "0x7ff6c28b38f4",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76e57000"
              },
              {
                "name": "ModuleName",
                "value": "SHELL32.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1304
          },
          {
            "timestamp": "2026-05-28 22:01:57,443",
            "thread_id": "520",
            "caller": "0x7ff6c28dd762",
            "parentcaller": "0x7ff6c28e1b61",
            "category": "system",
            "api": "NtQuerySystemTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 1305
          },
          {
            "timestamp": "2026-05-28 22:01:57,443",
            "thread_id": "608",
            "caller": "0x7ffc756e07f5",
            "parentcaller": "0x7ffc75725826",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\Taskmgr.exe"
              }
            ],
            "repeated": 0,
            "id": 1306
          },
          {
            "timestamp": "2026-05-28 22:01:57,443",
            "thread_id": "608",
            "caller": "0x7ff6c28b3de8",
            "parentcaller": "0x7ff6c28b38f4",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29253e74000"
              },
              {
                "name": "RegionSize",
                "value": "0x00002000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1307
          },
          {
            "timestamp": "2026-05-28 22:01:57,443",
            "thread_id": "608",
            "caller": "0x7ff6c28b3de8",
            "parentcaller": "0x7ff6c28b38f4",
            "category": "filesystem",
            "api": "FindFirstFileExW",
            "status": true,
            "return": "0x2924e2b4c20",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows"
              },
              {
                "name": "FirstCreateTimeLow",
                "value": "0x3a6eea36"
              },
              {
                "name": "FirstCreateTimeHigh",
                "value": "0x01ca0431"
              }
            ],
            "repeated": 0,
            "id": 1308
          },
          {
            "timestamp": "2026-05-28 22:01:57,443",
            "thread_id": "608",
            "caller": "0x7ff6c28b3de8",
            "parentcaller": "0x7ff6c28b38f4",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000048c"
              }
            ],
            "repeated": 0,
            "id": 1309
          },
          {
            "timestamp": "2026-05-28 22:01:57,443",
            "thread_id": "608",
            "caller": "0x7ff6c28b3de8",
            "parentcaller": "0x7ff6c28b38f4",
            "category": "filesystem",
            "api": "FindFirstFileExW",
            "status": true,
            "return": "0x2924e2b4e00",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32"
              },
              {
                "name": "FirstCreateTimeLow",
                "value": "0x3a6eea36"
              },
              {
                "name": "FirstCreateTimeHigh",
                "value": "0x01d5acdd"
              }
            ],
            "repeated": 0,
            "id": 1310
          },
          {
            "timestamp": "2026-05-28 22:01:57,443",
            "thread_id": "608",
            "caller": "0x7ff6c28b3de8",
            "parentcaller": "0x7ff6c28b38f4",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000048c"
              }
            ],
            "repeated": 0,
            "id": 1311
          },
          {
            "timestamp": "2026-05-28 22:01:57,443",
            "thread_id": "608",
            "caller": "0x7ff6c28b3de8",
            "parentcaller": "0x7ff6c28b38f4",
            "category": "filesystem",
            "api": "FindFirstFileExW",
            "status": true,
            "return": "0x2924e2b4e00",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\Taskmgr.exe"
              },
              {
                "name": "FirstCreateTimeLow",
                "value": "0x6eac9751"
              },
              {
                "name": "FirstCreateTimeHigh",
                "value": "0x01da265c"
              }
            ],
            "repeated": 0,
            "id": 1312
          },
          {
            "timestamp": "2026-05-28 22:01:57,443",
            "thread_id": "5448",
            "caller": "0x7ff6c28c63dd",
            "parentcaller": "0x7ff6c28bac26",
            "category": "misc",
            "api": "NtQuerySystemInformation",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SystemInformationClass",
                "value": "5",
                "pretty_value": "SystemProcessInformation"
              }
            ],
            "repeated": 0,
            "id": 1313
          },
          {
            "timestamp": "2026-05-28 22:01:57,443",
            "thread_id": "608",
            "caller": "0x7ff6c28b3de8",
            "parentcaller": "0x7ff6c28b38f4",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000048c"
              }
            ],
            "repeated": 0,
            "id": 1314
          },
          {
            "timestamp": "2026-05-28 22:01:57,443",
            "thread_id": "608",
            "caller": "0x7ff6c28b3de8",
            "parentcaller": "0x7ff6c28b38f4",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000038"
              },
              {
                "name": "Milliseconds",
                "value": "18446744073709551615"
              },
              {
                "name": "Status",
                "value": "Infinite"
              }
            ],
            "repeated": 1,
            "id": 1315
          },
          {
            "timestamp": "2026-05-28 22:01:57,443",
            "thread_id": "5448",
            "caller": "0x7ff6c28bda50",
            "parentcaller": "0x7ff6c28d9f92",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "23"
              },
              {
                "name": "ThreadInformation",
                "value": "\\xb0\\x96\\xe5\\x00\\x00\\x00\\x00\\x00\\x14\\x96\\x90\n?\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "5448"
              }
            ],
            "repeated": 0,
            "id": 1316
          },
          {
            "timestamp": "2026-05-28 22:01:57,443",
            "thread_id": "5448",
            "caller": "0x7ff6c28bdaa2",
            "parentcaller": "0x7ff6c28d9f92",
            "category": "misc",
            "api": "NtQuerySystemInformation",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SystemInformationClass",
                "value": "3",
                "pretty_value": "SystemTimeOfDayInformation"
              }
            ],
            "repeated": 0,
            "id": 1317
          },
          {
            "timestamp": "2026-05-28 22:01:57,443",
            "thread_id": "5448",
            "caller": "0x7ff6c28dd762",
            "parentcaller": "0x7ff6c28e1b61",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000038"
              },
              {
                "name": "Milliseconds",
                "value": "18446744073709551615"
              },
              {
                "name": "Status",
                "value": "Infinite"
              }
            ],
            "repeated": 0,
            "id": 1318
          },
          {
            "timestamp": "2026-05-28 22:01:57,443",
            "thread_id": "520",
            "caller": "0x7ff6c28dd762",
            "parentcaller": "0x7ff6c28e1b61",
            "category": "system",
            "api": "LdrpCallInitRoutine",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "MappedPath",
                "value": "\\Device\\HarddiskVolume2\\Windows\\System32\\wtsapi32"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc72b20000"
              },
              {
                "name": "InitRoutine",
                "value": "0x7ffc72b228c0"
              },
              {
                "name": "Reason",
                "value": "1"
              }
            ],
            "repeated": 0,
            "id": 1319
          },
          {
            "timestamp": "2026-05-28 22:01:57,443",
            "thread_id": "520",
            "caller": "0x7ff6c28dd762",
            "parentcaller": "0x7ff6c28e1b61",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff6c29dc000"
              },
              {
                "name": "ModuleName",
                "value": "taskmgr.exe"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1320
          },
          {
            "timestamp": "2026-05-28 22:01:57,443",
            "thread_id": "608",
            "caller": "0x7ff6c28b3de8",
            "parentcaller": "0x7ff6c28b38f4",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "93"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x7f7\\x9e}"
              }
            ],
            "repeated": 0,
            "id": 1321
          },
          {
            "timestamp": "2026-05-28 22:01:57,443",
            "thread_id": "608",
            "caller": "0x7ff6c28b3de8",
            "parentcaller": "0x7ff6c28b38f4",
            "category": "process",
            "api": "NtOpenSection",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0000000d"
              },
              {
                "name": "ObjectAttributes",
                "value": "windows.storage.dll"
              }
            ],
            "repeated": 0,
            "id": 1322
          },
          {
            "timestamp": "2026-05-28 22:01:57,443",
            "thread_id": "520",
            "caller": "0x7ff6c28d5dec",
            "parentcaller": "0x7ff6c28de0ed",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc72b31000"
              },
              {
                "name": "ModuleName",
                "value": "WTSAPI32.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1323
          },
          {
            "timestamp": "2026-05-28 22:01:57,443",
            "thread_id": "520",
            "caller": "0x7ff6c28d5dec",
            "parentcaller": "0x7ff6c28de0ed",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc72b31000"
              },
              {
                "name": "ModuleName",
                "value": "WTSAPI32.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1324
          },
          {
            "timestamp": "2026-05-28 22:01:57,443",
            "thread_id": "608",
            "caller": "0x7ff6c28b3de8",
            "parentcaller": "0x7ff6c28b38f4",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\windows.storage.dll"
              }
            ],
            "repeated": 0,
            "id": 1325
          },
          {
            "timestamp": "2026-05-28 22:01:57,443",
            "thread_id": "608",
            "caller": "0x7ff6c28b3de8",
            "parentcaller": "0x7ff6c28b38f4",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x0000048c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100021",
                "pretty_value": "FILE_READ_ACCESS|FILE_EXECUTE|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\windows.storage.dll"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 1326
          },
          {
            "timestamp": "2026-05-28 22:01:57,443",
            "thread_id": "608",
            "caller": "0x7ff6c28b3de8",
            "parentcaller": "0x7ff6c28b38f4",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000488"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0000000d",
                "pretty_value": "SECTION_QUERY|SECTION_MAP_READ|SECTION_MAP_EXECUTE"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x0000048c"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\windows.storage.dll"
              }
            ],
            "repeated": 0,
            "id": 1327
          },
          {
            "timestamp": "2026-05-28 22:01:57,443",
            "thread_id": "608",
            "caller": "0x7ff6c28b3de8",
            "parentcaller": "0x7ff6c28b38f4",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000488"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc73790000"
              },
              {
                "name": "SectionOffset",
                "value": "0x00000000"
              },
              {
                "name": "ViewSize",
                "value": "0x0079b000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000080",
                "pretty_value": "PAGE_EXECUTE_WRITECOPY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1328
          },
          {
            "timestamp": "2026-05-28 22:01:57,443",
            "thread_id": "608",
            "caller": "0x7ff6c28b3de8",
            "parentcaller": "0x7ff6c28b38f4",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc73f05000"
              },
              {
                "name": "ModuleName",
                "value": "windows.storage.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00003000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1329
          },
          {
            "timestamp": "2026-05-28 22:01:57,443",
            "thread_id": "608",
            "caller": "0x7ff6c28b3de8",
            "parentcaller": "0x7ff6c28b38f4",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc73da2000"
              },
              {
                "name": "ModuleName",
                "value": "windows.storage.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1330
          },
          {
            "timestamp": "2026-05-28 22:01:57,443",
            "thread_id": "608",
            "caller": "0x7ff6c28b3de8",
            "parentcaller": "0x7ff6c28b38f4",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc73da2000"
              },
              {
                "name": "ModuleName",
                "value": "windows.storage.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1331
          },
          {
            "timestamp": "2026-05-28 22:01:57,443",
            "thread_id": "608",
            "caller": "0x7ff6c28b3de8",
            "parentcaller": "0x7ff6c28b38f4",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc73da2000"
              },
              {
                "name": "ModuleName",
                "value": "windows.storage.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1332
          },
          {
            "timestamp": "2026-05-28 22:01:57,443",
            "thread_id": "608",
            "caller": "0x7ff6c28b3de8",
            "parentcaller": "0x7ff6c28b38f4",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc73da2000"
              },
              {
                "name": "ModuleName",
                "value": "windows.storage.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1333
          },
          {
            "timestamp": "2026-05-28 22:01:57,443",
            "thread_id": "608",
            "caller": "0x7ff6c28b3de8",
            "parentcaller": "0x7ff6c28b38f4",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc73da1000"
              },
              {
                "name": "ModuleName",
                "value": "windows.storage.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00002000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1334
          },
          {
            "timestamp": "2026-05-28 22:01:57,443",
            "thread_id": "608",
            "caller": "0x7ff6c28b3de8",
            "parentcaller": "0x7ff6c28b38f4",
            "category": "process",
            "api": "NtOpenSection",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0000000d"
              },
              {
                "name": "ObjectAttributes",
                "value": "Wldp.dll"
              }
            ],
            "repeated": 0,
            "id": 1335
          },
          {
            "timestamp": "2026-05-28 22:01:57,443",
            "thread_id": "608",
            "caller": "0x7ff6c28b3de8",
            "parentcaller": "0x7ff6c28b38f4",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000488"
              }
            ],
            "repeated": 0,
            "id": 1336
          },
          {
            "timestamp": "2026-05-28 22:01:57,443",
            "thread_id": "608",
            "caller": "0x7ff6c28b3de8",
            "parentcaller": "0x7ff6c28b38f4",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000048c"
              }
            ],
            "repeated": 0,
            "id": 1337
          },
          {
            "timestamp": "2026-05-28 22:01:57,443",
            "thread_id": "608",
            "caller": "0x7ff6c28b3de8",
            "parentcaller": "0x7ff6c28b38f4",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\wldp.dll"
              }
            ],
            "repeated": 0,
            "id": 1338
          },
          {
            "timestamp": "2026-05-28 22:01:57,443",
            "thread_id": "608",
            "caller": "0x7ff6c28b3de8",
            "parentcaller": "0x7ff6c28b38f4",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x0000048c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100021",
                "pretty_value": "FILE_READ_ACCESS|FILE_EXECUTE|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\wldp.dll"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 1339
          },
          {
            "timestamp": "2026-05-28 22:01:57,443",
            "thread_id": "608",
            "caller": "0x7ff6c28b3de8",
            "parentcaller": "0x7ff6c28b38f4",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000488"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0000000d",
                "pretty_value": "SECTION_QUERY|SECTION_MAP_READ|SECTION_MAP_EXECUTE"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x0000048c"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\wldp.dll"
              }
            ],
            "repeated": 0,
            "id": 1340
          },
          {
            "timestamp": "2026-05-28 22:01:57,443",
            "thread_id": "608",
            "caller": "0x7ff6c28b3de8",
            "parentcaller": "0x7ff6c28b38f4",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000488"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc75020000"
              },
              {
                "name": "SectionOffset",
                "value": "0x00000000"
              },
              {
                "name": "ViewSize",
                "value": "0x0002d000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000080",
                "pretty_value": "PAGE_EXECUTE_WRITECOPY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1341
          },
          {
            "timestamp": "2026-05-28 22:01:57,443",
            "thread_id": "608",
            "caller": "0x7ff6c28b3de8",
            "parentcaller": "0x7ff6c28b38f4",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc75049000"
              },
              {
                "name": "ModuleName",
                "value": "Wldp.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1342
          },
          {
            "timestamp": "2026-05-28 22:01:57,443",
            "thread_id": "608",
            "caller": "0x7ff6c28b3de8",
            "parentcaller": "0x7ff6c28b38f4",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc75039000"
              },
              {
                "name": "ModuleName",
                "value": "Wldp.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1343
          },
          {
            "timestamp": "2026-05-28 22:01:57,443",
            "thread_id": "608",
            "caller": "0x7ff6c28b3de8",
            "parentcaller": "0x7ff6c28b38f4",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc75039000"
              },
              {
                "name": "ModuleName",
                "value": "Wldp.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1344
          },
          {
            "timestamp": "2026-05-28 22:01:57,443",
            "thread_id": "608",
            "caller": "0x7ff6c28b3de8",
            "parentcaller": "0x7ff6c28b38f4",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc75039000"
              },
              {
                "name": "ModuleName",
                "value": "Wldp.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1345
          },
          {
            "timestamp": "2026-05-28 22:01:57,443",
            "thread_id": "608",
            "caller": "0x7ff6c28b3de8",
            "parentcaller": "0x7ff6c28b38f4",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc75039000"
              },
              {
                "name": "ModuleName",
                "value": "Wldp.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1346
          },
          {
            "timestamp": "2026-05-28 22:01:57,443",
            "thread_id": "608",
            "caller": "0x7ff6c28b3de8",
            "parentcaller": "0x7ff6c28b38f4",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc75039000"
              },
              {
                "name": "ModuleName",
                "value": "Wldp.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1347
          },
          {
            "timestamp": "2026-05-28 22:01:57,443",
            "thread_id": "608",
            "caller": "0x7ff6c28b3de8",
            "parentcaller": "0x7ff6c28b38f4",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000488"
              }
            ],
            "repeated": 0,
            "id": 1348
          },
          {
            "timestamp": "2026-05-28 22:01:57,443",
            "thread_id": "608",
            "caller": "0x7ff6c28b3de8",
            "parentcaller": "0x7ff6c28b38f4",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000048c"
              }
            ],
            "repeated": 0,
            "id": 1349
          },
          {
            "timestamp": "2026-05-28 22:01:57,443",
            "thread_id": "608",
            "caller": "0x7ff6c28b3de8",
            "parentcaller": "0x7ff6c28b38f4",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc73da1000"
              },
              {
                "name": "ModuleName",
                "value": "windows.storage.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00002000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1350
          },
          {
            "timestamp": "2026-05-28 22:01:57,443",
            "thread_id": "608",
            "caller": "0x7ff6c28b3de8",
            "parentcaller": "0x7ff6c28b38f4",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "35"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x0c\\x00\\x00\\x00\\x12\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1351
          },
          {
            "timestamp": "2026-05-28 22:01:57,443",
            "thread_id": "608",
            "caller": "0x7ff6c28b3de8",
            "parentcaller": "0x7ff6c28b38f4",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc75039000"
              },
              {
                "name": "ModuleName",
                "value": "Wldp.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1352
          },
          {
            "timestamp": "2026-05-28 22:01:57,443",
            "thread_id": "608",
            "caller": "0x7ff6c28b3de8",
            "parentcaller": "0x7ff6c28b38f4",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\system32\\Wldp"
              },
              {
                "name": "DllBase",
                "value": "0x7ffc75020000"
              }
            ],
            "repeated": 0,
            "id": 1353
          },
          {
            "timestamp": "2026-05-28 22:01:57,443",
            "thread_id": "608",
            "caller": "0x7ff6c28b3de8",
            "parentcaller": "0x7ff6c28b38f4",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\SYSTEM32\\windows.storage"
              },
              {
                "name": "DllBase",
                "value": "0x7ffc73790000"
              }
            ],
            "repeated": 0,
            "id": 1354
          },
          {
            "timestamp": "2026-05-28 22:01:57,443",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4000",
            "parentcaller": "0x7ff6c28d2e59",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000364"
              },
              {
                "name": "ValueName",
                "value": "en-AU"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\Sorting\\Ids\\en-AU"
              }
            ],
            "repeated": 0,
            "id": 1355
          },
          {
            "timestamp": "2026-05-28 22:01:57,443",
            "thread_id": "7832",
            "caller": "0x7ff6c28b59e7",
            "parentcaller": "0x7ff6c28b3b10",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc65130000"
              },
              {
                "name": "ModuleName",
                "value": "srumapi.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1356
          },
          {
            "timestamp": "2026-05-28 22:01:57,443",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4000",
            "parentcaller": "0x7ff6c28d2e59",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000364"
              },
              {
                "name": "ValueName",
                "value": "en"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\Sorting\\Ids\\en"
              }
            ],
            "repeated": 0,
            "id": 1357
          },
          {
            "timestamp": "2026-05-28 22:01:57,443",
            "thread_id": "608",
            "caller": "0x7ff6c28b3de8",
            "parentcaller": "0x7ff6c28b38f4",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "api-ms-win-eventing-provider-l1-1-0.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc756b0000"
              }
            ],
            "repeated": 0,
            "id": 1358
          },
          {
            "timestamp": "2026-05-28 22:01:57,443",
            "thread_id": "608",
            "caller": "0x7ff6c28b3de8",
            "parentcaller": "0x7ff6c28b38f4",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "KERNELBASE.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc756b0000"
              },
              {
                "name": "FunctionName",
                "value": "EventSetInformation"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc78012af0"
              }
            ],
            "repeated": 0,
            "id": 1359
          },
          {
            "timestamp": "2026-05-28 22:01:57,443",
            "thread_id": "608",
            "caller": "0x7ff6c28b3de8",
            "parentcaller": "0x7ff6c28b38f4",
            "category": "system",
            "api": "LdrpCallInitRoutine",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "MappedPath",
                "value": "\\Device\\HarddiskVolume2\\Windows\\System32\\wldp"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc75020000"
              },
              {
                "name": "InitRoutine",
                "value": "0x7ffc75023200"
              },
              {
                "name": "Reason",
                "value": "1"
              }
            ],
            "repeated": 0,
            "id": 1360
          },
          {
            "timestamp": "2026-05-28 22:01:57,443",
            "thread_id": "608",
            "caller": "0x7ff6c28b3de8",
            "parentcaller": "0x7ff6c28b38f4",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "api-ms-win-core-synch-l1-2-0.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc756b0000"
              }
            ],
            "repeated": 0,
            "id": 1361
          },
          {
            "timestamp": "2026-05-28 22:01:57,443",
            "thread_id": "608",
            "caller": "0x7ff6c28b3de8",
            "parentcaller": "0x7ff6c28b38f4",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "KERNELBASE.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc756b0000"
              },
              {
                "name": "FunctionName",
                "value": "InitializeConditionVariable"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc78039f40"
              }
            ],
            "repeated": 0,
            "id": 1362
          },
          {
            "timestamp": "2026-05-28 22:01:57,443",
            "thread_id": "608",
            "caller": "0x7ff6c28b3de8",
            "parentcaller": "0x7ff6c28b38f4",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "KERNELBASE.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc756b0000"
              },
              {
                "name": "FunctionName",
                "value": "SleepConditionVariableCS"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc75723890"
              }
            ],
            "repeated": 0,
            "id": 1363
          },
          {
            "timestamp": "2026-05-28 22:01:57,443",
            "thread_id": "608",
            "caller": "0x7ff6c28b3de8",
            "parentcaller": "0x7ff6c28b38f4",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "KERNELBASE.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc756b0000"
              },
              {
                "name": "FunctionName",
                "value": "WakeAllConditionVariable"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc78025430"
              }
            ],
            "repeated": 0,
            "id": 1364
          },
          {
            "timestamp": "2026-05-28 22:01:57,443",
            "thread_id": "612",
            "caller": "0x7ff6c297a3ec",
            "parentcaller": "0x7ff6c297a634",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000498"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\WDI\\LogFiles\\StartupInfo\\S-1-5-21-3968686040-3210279463-847977608-1001_StartupInfo2.xml"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "0"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000080",
                "pretty_value": "FILE_ATTRIBUTE_NORMAL"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1365
          },
          {
            "timestamp": "2026-05-28 22:01:57,443",
            "thread_id": "612",
            "caller": "0x7ff6c297a43a",
            "parentcaller": "0x7ff6c297a634",
            "category": "filesystem",
            "api": "NtQueryFullAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\WDI\\LogFiles\\StartupInfo\\S-1-5-21-3968686040-3210279463-847977608-1001_StartupInfo2.xml"
              }
            ],
            "repeated": 0,
            "id": 1366
          },
          {
            "timestamp": "2026-05-28 22:01:57,443",
            "thread_id": "612",
            "caller": "0x7ff6c297a38b",
            "parentcaller": "0x7ff6c297a634",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000498"
              }
            ],
            "repeated": 0,
            "id": 1367
          },
          {
            "timestamp": "2026-05-28 22:01:57,443",
            "thread_id": "612",
            "caller": "0x7ff6c297a3ec",
            "parentcaller": "0x7ff6c297a634",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000498"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\WDI\\LogFiles\\StartupInfo\\S-1-5-21-3968686040-3210279463-847977608-1001_StartupInfo3.xml"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "0"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000080",
                "pretty_value": "FILE_ATTRIBUTE_NORMAL"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1368
          },
          {
            "timestamp": "2026-05-28 22:01:57,443",
            "thread_id": "612",
            "caller": "0x7ff6c297a43a",
            "parentcaller": "0x7ff6c297a634",
            "category": "filesystem",
            "api": "NtQueryFullAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\WDI\\LogFiles\\StartupInfo\\S-1-5-21-3968686040-3210279463-847977608-1001_StartupInfo3.xml"
              }
            ],
            "repeated": 0,
            "id": 1369
          },
          {
            "timestamp": "2026-05-28 22:01:57,443",
            "thread_id": "612",
            "caller": "0x7ff6c297a38b",
            "parentcaller": "0x7ff6c297a634",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000498"
              }
            ],
            "repeated": 0,
            "id": 1370
          },
          {
            "timestamp": "2026-05-28 22:01:57,443",
            "thread_id": "612",
            "caller": "0x7ff6c297a3ec",
            "parentcaller": "0x7ff6c297a634",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000498"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\WDI\\LogFiles\\StartupInfo\\S-1-5-21-3968686040-3210279463-847977608-1001_StartupInfo4.xml"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "0"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000080",
                "pretty_value": "FILE_ATTRIBUTE_NORMAL"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1371
          },
          {
            "timestamp": "2026-05-28 22:01:57,443",
            "thread_id": "612",
            "caller": "0x7ff6c297a43a",
            "parentcaller": "0x7ff6c297a634",
            "category": "filesystem",
            "api": "NtQueryFullAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\WDI\\LogFiles\\StartupInfo\\S-1-5-21-3968686040-3210279463-847977608-1001_StartupInfo4.xml"
              }
            ],
            "repeated": 0,
            "id": 1372
          },
          {
            "timestamp": "2026-05-28 22:01:57,443",
            "thread_id": "612",
            "caller": "0x7ff6c297a38b",
            "parentcaller": "0x7ff6c297a634",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000498"
              }
            ],
            "repeated": 0,
            "id": 1373
          },
          {
            "timestamp": "2026-05-28 22:01:57,459",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4000",
            "parentcaller": "0x7ff6c28d2e59",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc6204a000"
              },
              {
                "name": "ModuleName",
                "value": "COMCTL32.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1374
          },
          {
            "timestamp": "2026-05-28 22:01:57,459",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4000",
            "parentcaller": "0x7ff6c28d2e59",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc6204a000"
              },
              {
                "name": "ModuleName",
                "value": "COMCTL32.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1375
          },
          {
            "timestamp": "2026-05-28 22:01:57,459",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4000",
            "parentcaller": "0x7ff6c28d2e59",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00000042"
              },
              {
                "name": "uiParam",
                "value": "0x00000010"
              }
            ],
            "repeated": 1,
            "id": 1376
          },
          {
            "timestamp": "2026-05-28 22:01:57,459",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4000",
            "parentcaller": "0x7ff6c28d2e59",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29253e76000"
              },
              {
                "name": "RegionSize",
                "value": "0x00004000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1377
          },
          {
            "timestamp": "2026-05-28 22:01:57,459",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4000",
            "parentcaller": "0x7ff6c28d2e59",
            "category": "synchronization",
            "api": "NtCreateMutant",
            "status": true,
            "return": "0x40000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000049c"
              },
              {
                "name": "MutexName",
                "value": "Local\\SessionImmersiveColorMutex"
              },
              {
                "name": "InitialOwner",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 1378
          },
          {
            "timestamp": "2026-05-28 22:01:57,459",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4000",
            "parentcaller": "0x7ff6c28d2e59",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000049c"
              },
              {
                "name": "Milliseconds",
                "value": "18446744073709551615"
              },
              {
                "name": "Status",
                "value": "Infinite"
              }
            ],
            "repeated": 0,
            "id": 1379
          },
          {
            "timestamp": "2026-05-28 22:01:57,459",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4000",
            "parentcaller": "0x7ff6c28d2e59",
            "category": "process",
            "api": "NtOpenSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x000004a0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f001f"
              },
              {
                "name": "ObjectAttributes",
                "value": "Local\\SessionImmersiveColorPreference"
              }
            ],
            "repeated": 0,
            "id": 1380
          },
          {
            "timestamp": "2026-05-28 22:01:57,459",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4000",
            "parentcaller": "0x7ff6c28d2e59",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x000004a0"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29250f80000"
              },
              {
                "name": "SectionOffset",
                "value": "0xf09d76ebe0"
              },
              {
                "name": "ViewSize",
                "value": "0x00001000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1381
          },
          {
            "timestamp": "2026-05-28 22:01:57,459",
            "thread_id": "612",
            "caller": "0x7ff6c297a3ec",
            "parentcaller": "0x7ff6c297a634",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000498"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\WDI\\LogFiles\\StartupInfo\\S-1-5-21-3968686040-3210279463-847977608-1001_StartupInfo5.xml"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "0"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000080",
                "pretty_value": "FILE_ATTRIBUTE_NORMAL"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1382
          },
          {
            "timestamp": "2026-05-28 22:01:57,459",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4000",
            "parentcaller": "0x7ff6c28d2e59",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000000d4"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 1383
          },
          {
            "timestamp": "2026-05-28 22:01:57,459",
            "thread_id": "612",
            "caller": "0x7ff6c297a43a",
            "parentcaller": "0x7ff6c297a634",
            "category": "filesystem",
            "api": "NtQueryFullAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\WDI\\LogFiles\\StartupInfo\\S-1-5-21-3968686040-3210279463-847977608-1001_StartupInfo5.xml"
              }
            ],
            "repeated": 0,
            "id": 1384
          },
          {
            "timestamp": "2026-05-28 22:01:57,459",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4000",
            "parentcaller": "0x7ff6c28d2e59",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000004a8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3968686040-3210279463-847977608-1001"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER"
              }
            ],
            "repeated": 0,
            "id": 1385
          },
          {
            "timestamp": "2026-05-28 22:01:57,459",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4000",
            "parentcaller": "0x7ff6c28d2e59",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000004a8"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 1386
          },
          {
            "timestamp": "2026-05-28 22:01:57,459",
            "thread_id": "612",
            "caller": "0x7ff6c297a6be",
            "parentcaller": "0x7ff6c297b1f4",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76722000"
              },
              {
                "name": "ModuleName",
                "value": "SHLWAPI.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1387
          },
          {
            "timestamp": "2026-05-28 22:01:57,459",
            "thread_id": "612",
            "caller": "0x7ff6c297a6be",
            "parentcaller": "0x7ff6c297b1f4",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76722000"
              },
              {
                "name": "ModuleName",
                "value": "SHLWAPI.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1388
          },
          {
            "timestamp": "2026-05-28 22:01:57,459",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4000",
            "parentcaller": "0x7ff6c28d2e59",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000004ac"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000004a8"
              },
              {
                "name": "ObjectAttributesName",
                "value": "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Themes\\Personalize"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Themes\\Personalize"
              }
            ],
            "repeated": 0,
            "id": 1389
          },
          {
            "timestamp": "2026-05-28 22:01:57,459",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4000",
            "parentcaller": "0x7ff6c28d2e59",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004ac"
              },
              {
                "name": "ValueName",
                "value": "AppsUseLightTheme"
              },
              {
                "name": "Data",
                "value": "1"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Themes\\Personalize\\AppsUseLightTheme"
              }
            ],
            "repeated": 0,
            "id": 1390
          },
          {
            "timestamp": "2026-05-28 22:01:57,459",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4000",
            "parentcaller": "0x7ff6c28d2e59",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004ac"
              }
            ],
            "repeated": 0,
            "id": 1391
          },
          {
            "timestamp": "2026-05-28 22:01:57,459",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4000",
            "parentcaller": "0x7ff6c28d2e59",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004a8"
              }
            ],
            "repeated": 0,
            "id": 1392
          },
          {
            "timestamp": "2026-05-28 22:01:57,459",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4000",
            "parentcaller": "0x7ff6c28d2e59",
            "category": "synchronization",
            "api": "NtReleaseMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000049c"
              }
            ],
            "repeated": 0,
            "id": 1393
          },
          {
            "timestamp": "2026-05-28 22:01:57,459",
            "thread_id": "612",
            "caller": "0x7ff6c297a6be",
            "parentcaller": "0x7ff6c297b1f4",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000004a4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\WDI\\LogFiles\\StartupInfo\\S-1-5-21-3968686040-3210279463-847977608-1001_StartupInfo5.xml"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "1",
                "pretty_value": "FILE_SHARE_READ"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1394
          },
          {
            "timestamp": "2026-05-28 22:01:57,459",
            "thread_id": "612",
            "caller": "0x7ff6c297a6be",
            "parentcaller": "0x7ff6c297b1f4",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29253b96000"
              },
              {
                "name": "RegionSize",
                "value": "0x00002000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1395
          },
          {
            "timestamp": "2026-05-28 22:01:57,459",
            "thread_id": "612",
            "caller": "0x7ff6c28dd762",
            "parentcaller": "0x7ff6c28e289e",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000038"
              },
              {
                "name": "Milliseconds",
                "value": "18446744073709551615"
              },
              {
                "name": "Status",
                "value": "Infinite"
              }
            ],
            "repeated": 0,
            "id": 1396
          },
          {
            "timestamp": "2026-05-28 22:01:57,459",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4000",
            "parentcaller": "0x7ff6c28d2e59",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00000042"
              },
              {
                "name": "uiParam",
                "value": "0x00000010"
              }
            ],
            "repeated": 8,
            "id": 1397
          },
          {
            "timestamp": "2026-05-28 22:01:57,459",
            "thread_id": "1496",
            "caller": "0x7ff6c28b4ea1",
            "parentcaller": "0x7ff6c28c9cd4",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "comctl32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc61e00000"
              }
            ],
            "repeated": 0,
            "id": 1398
          },
          {
            "timestamp": "2026-05-28 22:01:57,459",
            "thread_id": "1496",
            "caller": "0x7ff6c28b4ea1",
            "parentcaller": "0x7ff6c28c9cd4",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x7ffc61e00000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "comctl32.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 1399
          },
          {
            "timestamp": "2026-05-28 22:01:57,459",
            "thread_id": "1496",
            "caller": "0x7ff6c28b4ea1",
            "parentcaller": "0x7ff6c28c9cd4",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "COMCTL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc61e00000"
              },
              {
                "name": "FunctionName",
                "value": "RegisterClassNameW"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc61e85670"
              }
            ],
            "repeated": 0,
            "id": 1400
          },
          {
            "timestamp": "2026-05-28 22:01:57,459",
            "thread_id": "1496",
            "caller": "0x7ff6c28b4ea1",
            "parentcaller": "0x7ff6c28c9cd4",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00001022"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 1401
          },
          {
            "timestamp": "2026-05-28 22:01:57,459",
            "thread_id": "1496",
            "caller": "0x7ff6c28b4ea1",
            "parentcaller": "0x7ff6c28c9cd4",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00000042"
              },
              {
                "name": "uiParam",
                "value": "0x00000010"
              }
            ],
            "repeated": 0,
            "id": 1402
          },
          {
            "timestamp": "2026-05-28 22:01:57,459",
            "thread_id": "1496",
            "caller": "0x7ff6c28b4ea1",
            "parentcaller": "0x7ff6c28c9cd4",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc6204a000"
              },
              {
                "name": "ModuleName",
                "value": "COMCTL32.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1403
          },
          {
            "timestamp": "2026-05-28 22:01:57,459",
            "thread_id": "1496",
            "caller": "0x7ff6c28b4ea1",
            "parentcaller": "0x7ff6c28c9cd4",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc6204a000"
              },
              {
                "name": "ModuleName",
                "value": "COMCTL32.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1404
          },
          {
            "timestamp": "2026-05-28 22:01:57,459",
            "thread_id": "1496",
            "caller": "0x7ff6c28c9e14",
            "parentcaller": "0x7ff6c28d4000",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc77fd0000"
              }
            ],
            "repeated": 0,
            "id": 1405
          },
          {
            "timestamp": "2026-05-28 22:01:57,459",
            "thread_id": "1496",
            "caller": "0x7ff6c28c9e14",
            "parentcaller": "0x7ff6c28d4000",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc77fd0000"
              },
              {
                "name": "FunctionName",
                "value": "NtQuerySystemInformation"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc7806d690"
              }
            ],
            "repeated": 0,
            "id": 1406
          },
          {
            "timestamp": "2026-05-28 22:01:57,459",
            "thread_id": "1496",
            "caller": "0x7ff6c28c9e14",
            "parentcaller": "0x7ff6c28d4000",
            "category": "misc",
            "api": "NtQuerySystemInformation",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SystemInformationClass",
                "value": "134"
              }
            ],
            "repeated": 0,
            "id": 1407
          },
          {
            "timestamp": "2026-05-28 22:01:57,459",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4000",
            "parentcaller": "0x7ff6c28d2e59",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00000042"
              },
              {
                "name": "uiParam",
                "value": "0x00000010"
              }
            ],
            "repeated": 0,
            "id": 1408
          },
          {
            "timestamp": "2026-05-28 22:01:57,459",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4000",
            "parentcaller": "0x7ff6c28d2e59",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "Software\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes"
              },
              {
                "name": "Handle",
                "value": "0x000004a8"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes"
              }
            ],
            "repeated": 0,
            "id": 1409
          },
          {
            "timestamp": "2026-05-28 22:01:57,459",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4000",
            "parentcaller": "0x7ff6c28d2e59",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004a8"
              },
              {
                "name": "ValueName",
                "value": "Segoe UI"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes\\Segoe UI"
              }
            ],
            "repeated": 0,
            "id": 1410
          },
          {
            "timestamp": "2026-05-28 22:01:57,459",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4000",
            "parentcaller": "0x7ff6c28d2e59",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004a8"
              }
            ],
            "repeated": 0,
            "id": 1411
          },
          {
            "timestamp": "2026-05-28 22:01:57,459",
            "thread_id": "7832",
            "caller": "0x7ff6c28b59e7",
            "parentcaller": "0x7ff6c28b3b10",
            "category": "threading",
            "api": "NtCreateThreadEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0x000004bc"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "StartAddress",
                "value": "0x7ffc77c12d30"
              },
              {
                "name": "Parameter",
                "value": "0x2924e2ec050"
              },
              {
                "name": "CreateFlags",
                "value": "0x00000000"
              },
              {
                "name": "ThreadId",
                "value": "60"
              },
              {
                "name": "ProcessId",
                "value": "7912"
              },
              {
                "name": "Module",
                "value": "combase.dll"
              }
            ],
            "repeated": 0,
            "id": 1412
          },
          {
            "timestamp": "2026-05-28 22:01:57,459",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4000",
            "parentcaller": "0x7ff6c28d2e59",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc6204a000"
              },
              {
                "name": "ModuleName",
                "value": "COMCTL32.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1413
          },
          {
            "timestamp": "2026-05-28 22:01:57,459",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4000",
            "parentcaller": "0x7ff6c28d2e59",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc6204a000"
              },
              {
                "name": "ModuleName",
                "value": "COMCTL32.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1414
          },
          {
            "timestamp": "2026-05-28 22:01:57,459",
            "thread_id": "1496",
            "caller": "0x7ff6c28df32d",
            "parentcaller": "0x7ff6c28d4000",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "comctl32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc61e00000"
              }
            ],
            "repeated": 0,
            "id": 1415
          },
          {
            "timestamp": "2026-05-28 22:01:57,459",
            "thread_id": "1496",
            "caller": "0x7ff6c28df32d",
            "parentcaller": "0x7ff6c28d4000",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x7ffc61e00000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "comctl32.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 1416
          },
          {
            "timestamp": "2026-05-28 22:01:57,459",
            "thread_id": "1496",
            "caller": "0x7ff6c28df32d",
            "parentcaller": "0x7ff6c28d4000",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "COMCTL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc61e00000"
              },
              {
                "name": "FunctionName",
                "value": "RegisterClassNameW"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc61e85670"
              }
            ],
            "repeated": 0,
            "id": 1417
          },
          {
            "timestamp": "2026-05-28 22:01:57,459",
            "thread_id": "1496",
            "caller": "0x7ff6c28df32d",
            "parentcaller": "0x7ff6c28d4000",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00000042"
              },
              {
                "name": "uiParam",
                "value": "0x00000010"
              }
            ],
            "repeated": 2,
            "id": 1418
          },
          {
            "timestamp": "2026-05-28 22:01:57,459",
            "thread_id": "60",
            "caller": "0x7ffc7802eb32",
            "parentcaller": "0x7ffc77fe77c3",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000038"
              },
              {
                "name": "Milliseconds",
                "value": "18446744073709551615"
              },
              {
                "name": "Status",
                "value": "Infinite"
              }
            ],
            "repeated": 0,
            "id": 1419
          },
          {
            "timestamp": "2026-05-28 22:01:57,459",
            "thread_id": "2700",
            "caller": "0x7ffc75716f4c",
            "parentcaller": "0x7ffc770cef53",
            "category": "system",
            "api": "NtDuplicateObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SourceProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "SourceHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "TargetProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "TargetHandle",
                "value": "0x000004c4"
              },
              {
                "name": "Options",
                "value": "0x00000002"
              }
            ],
            "repeated": 0,
            "id": 1420
          },
          {
            "timestamp": "2026-05-28 22:01:57,459",
            "thread_id": "2700",
            "caller": "0x7ffc77fde715",
            "parentcaller": "0x7ffc77fde37b",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29253e8b000"
              },
              {
                "name": "RegionSize",
                "value": "0x00002000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1421
          },
          {
            "timestamp": "2026-05-28 22:01:57,459",
            "thread_id": "1004",
            "caller": "0x7ffc7802eb32",
            "parentcaller": "0x7ffc77fe77c3",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000038"
              },
              {
                "name": "Milliseconds",
                "value": "18446744073709551615"
              },
              {
                "name": "Status",
                "value": "Infinite"
              }
            ],
            "repeated": 0,
            "id": 1422
          },
          {
            "timestamp": "2026-05-28 22:01:57,459",
            "thread_id": "7832",
            "caller": "0x7ff6c28b59e7",
            "parentcaller": "0x7ff6c28b3b10",
            "category": "system",
            "api": "NtQuerySystemTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 1423
          },
          {
            "timestamp": "2026-05-28 22:01:57,459",
            "thread_id": "608",
            "caller": "0x7ff6c28b3de8",
            "parentcaller": "0x7ff6c28b38f4",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc73f05000"
              },
              {
                "name": "ModuleName",
                "value": "windows.storage.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1424
          },
          {
            "timestamp": "2026-05-28 22:01:57,459",
            "thread_id": "608",
            "caller": "0x7ff6c28b3de8",
            "parentcaller": "0x7ff6c28b38f4",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc73f05000"
              },
              {
                "name": "ModuleName",
                "value": "windows.storage.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1425
          },
          {
            "timestamp": "2026-05-28 22:01:57,459",
            "thread_id": "608",
            "caller": "0x7ff6c28b3de8",
            "parentcaller": "0x7ff6c28b38f4",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc77fd0000"
              }
            ],
            "repeated": 0,
            "id": 1426
          },
          {
            "timestamp": "2026-05-28 22:01:57,459",
            "thread_id": "608",
            "caller": "0x7ff6c28b3de8",
            "parentcaller": "0x7ff6c28b38f4",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc77fd0000"
              },
              {
                "name": "FunctionName",
                "value": "RtlDllShutdownInProgress"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc78033410"
              }
            ],
            "repeated": 0,
            "id": 1427
          },
          {
            "timestamp": "2026-05-28 22:01:57,459",
            "thread_id": "608",
            "caller": "0x7ff6c28b3de8",
            "parentcaller": "0x7ff6c28b38f4",
            "category": "system",
            "api": "LdrpCallInitRoutine",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "MappedPath",
                "value": "\\Device\\HarddiskVolume2\\Windows\\System32\\windows.storage"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc73790000"
              },
              {
                "name": "InitRoutine",
                "value": "0x7ffc739492f0"
              },
              {
                "name": "Reason",
                "value": "1"
              }
            ],
            "repeated": 0,
            "id": 1428
          },
          {
            "timestamp": "2026-05-28 22:01:57,459",
            "thread_id": "608",
            "caller": "0x7ff6c28b3de8",
            "parentcaller": "0x7ff6c28b38f4",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76e57000"
              },
              {
                "name": "ModuleName",
                "value": "SHELL32.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1429
          },
          {
            "timestamp": "2026-05-28 22:01:57,459",
            "thread_id": "5448",
            "caller": "0x7ff6c28dd762",
            "parentcaller": "0x7ff6c28e1b61",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "93"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x7f7\\x9e}"
              }
            ],
            "repeated": 0,
            "id": 1430
          },
          {
            "timestamp": "2026-05-28 22:01:57,459",
            "thread_id": "608",
            "caller": "0x7ff6c28b3de8",
            "parentcaller": "0x7ff6c28b38f4",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76e57000"
              },
              {
                "name": "ModuleName",
                "value": "SHELL32.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1431
          },
          {
            "timestamp": "2026-05-28 22:01:57,459",
            "thread_id": "5448",
            "caller": "0x7ff6c28dea27",
            "parentcaller": "0x7ff6c28bae2b",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "93"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x7f7\\x9e}"
              }
            ],
            "repeated": 0,
            "id": 1432
          },
          {
            "timestamp": "2026-05-28 22:01:57,459",
            "thread_id": "5448",
            "caller": "0x7ff6c28dea27",
            "parentcaller": "0x7ff6c28bae2b",
            "category": "process",
            "api": "NtOpenSection",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0000000d"
              },
              {
                "name": "ObjectAttributes",
                "value": "WINSTA.dll"
              }
            ],
            "repeated": 0,
            "id": 1433
          },
          {
            "timestamp": "2026-05-28 22:01:57,459",
            "thread_id": "608",
            "caller": "0x7ff6c28b3de8",
            "parentcaller": "0x7ff6c28b38f4",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc73f05000"
              },
              {
                "name": "ModuleName",
                "value": "windows.storage.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1434
          },
          {
            "timestamp": "2026-05-28 22:01:57,459",
            "thread_id": "608",
            "caller": "0x7ff6c28b3de8",
            "parentcaller": "0x7ff6c28b38f4",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc73f05000"
              },
              {
                "name": "ModuleName",
                "value": "windows.storage.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1435
          },
          {
            "timestamp": "2026-05-28 22:01:57,459",
            "thread_id": "5448",
            "caller": "0x7ff6c28dea27",
            "parentcaller": "0x7ff6c28bae2b",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\winsta.dll"
              }
            ],
            "repeated": 0,
            "id": 1436
          },
          {
            "timestamp": "2026-05-28 22:01:57,459",
            "thread_id": "608",
            "caller": "0x7ff6c28b3de8",
            "parentcaller": "0x7ff6c28b38f4",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions"
              },
              {
                "name": "Handle",
                "value": "0x00000504"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions"
              }
            ],
            "repeated": 0,
            "id": 1437
          },
          {
            "timestamp": "2026-05-28 22:01:57,459",
            "thread_id": "608",
            "caller": "0x7ff6c28b3de8",
            "parentcaller": "0x7ff6c28b38f4",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc73f05000"
              },
              {
                "name": "ModuleName",
                "value": "windows.storage.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1438
          },
          {
            "timestamp": "2026-05-28 22:01:57,459",
            "thread_id": "608",
            "caller": "0x7ff6c28b3de8",
            "parentcaller": "0x7ff6c28b38f4",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc73f05000"
              },
              {
                "name": "ModuleName",
                "value": "windows.storage.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1439
          },
          {
            "timestamp": "2026-05-28 22:01:57,459",
            "thread_id": "5448",
            "caller": "0x7ff6c28dea27",
            "parentcaller": "0x7ff6c28bae2b",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000500"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100021",
                "pretty_value": "FILE_READ_ACCESS|FILE_EXECUTE|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\winsta.dll"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 1440
          },
          {
            "timestamp": "2026-05-28 22:01:57,459",
            "thread_id": "608",
            "caller": "0x7ff6c28b3de8",
            "parentcaller": "0x7ff6c28b38f4",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000508"
              },
              {
                "name": "ValueName",
                "value": "Name"
              },
              {
                "name": "Data",
                "value": "ProgramFilesX86"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\\Name"
              }
            ],
            "repeated": 0,
            "id": 1441
          },
          {
            "timestamp": "2026-05-28 22:01:57,459",
            "thread_id": "608",
            "caller": "0x7ff6c28b3de8",
            "parentcaller": "0x7ff6c28b38f4",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000508"
              },
              {
                "name": "ValueName",
                "value": "ParentFolder"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\\ParentFolder"
              }
            ],
            "repeated": 0,
            "id": 1442
          },
          {
            "timestamp": "2026-05-28 22:01:57,459",
            "thread_id": "608",
            "caller": "0x7ff6c28b3de8",
            "parentcaller": "0x7ff6c28b38f4",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000508"
              },
              {
                "name": "ValueName",
                "value": "Description"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\\Description"
              }
            ],
            "repeated": 0,
            "id": 1443
          },
          {
            "timestamp": "2026-05-28 22:01:57,459",
            "thread_id": "608",
            "caller": "0x7ff6c28b3de8",
            "parentcaller": "0x7ff6c28b38f4",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000508"
              },
              {
                "name": "ValueName",
                "value": "RelativePath"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\\RelativePath"
              }
            ],
            "repeated": 0,
            "id": 1444
          },
          {
            "timestamp": "2026-05-28 22:01:57,459",
            "thread_id": "5448",
            "caller": "0x7ff6c28dea27",
            "parentcaller": "0x7ff6c28bae2b",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc753aa000"
              },
              {
                "name": "ModuleName",
                "value": "WINSTA.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1445
          },
          {
            "timestamp": "2026-05-28 22:01:57,459",
            "thread_id": "608",
            "caller": "0x7ff6c28b3de8",
            "parentcaller": "0x7ff6c28b38f4",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000508"
              },
              {
                "name": "ValueName",
                "value": "ParsingName"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\\ParsingName"
              }
            ],
            "repeated": 0,
            "id": 1446
          },
          {
            "timestamp": "2026-05-28 22:01:57,459",
            "thread_id": "5448",
            "caller": "0x7ff6c28dea27",
            "parentcaller": "0x7ff6c28bae2b",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc753aa000"
              },
              {
                "name": "ModuleName",
                "value": "WINSTA.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1447
          },
          {
            "timestamp": "2026-05-28 22:01:57,459",
            "thread_id": "608",
            "caller": "0x7ff6c28b3de8",
            "parentcaller": "0x7ff6c28b38f4",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000508"
              },
              {
                "name": "ValueName",
                "value": "InfoTip"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\\InfoTip"
              }
            ],
            "repeated": 0,
            "id": 1448
          },
          {
            "timestamp": "2026-05-28 22:01:57,459",
            "thread_id": "5448",
            "caller": "0x7ff6c28dea27",
            "parentcaller": "0x7ff6c28bae2b",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000504"
              }
            ],
            "repeated": 0,
            "id": 1449
          },
          {
            "timestamp": "2026-05-28 22:01:57,459",
            "thread_id": "5448",
            "caller": "0x7ff6c28dea27",
            "parentcaller": "0x7ff6c28bae2b",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000500"
              }
            ],
            "repeated": 0,
            "id": 1450
          },
          {
            "timestamp": "2026-05-28 22:01:57,459",
            "thread_id": "608",
            "caller": "0x7ff6c28b3de8",
            "parentcaller": "0x7ff6c28b38f4",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000508"
              },
              {
                "name": "ValueName",
                "value": "LocalizedName"
              },
              {
                "name": "Data",
                "value": "@%SystemRoot%\\system32\\shell32.dll,-21817"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\\LocalizedName"
              }
            ],
            "repeated": 0,
            "id": 1451
          },
          {
            "timestamp": "2026-05-28 22:01:57,459",
            "thread_id": "608",
            "caller": "0x7ff6c28b3de8",
            "parentcaller": "0x7ff6c28b38f4",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000508"
              },
              {
                "name": "ValueName",
                "value": "Icon"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\\Icon"
              }
            ],
            "repeated": 0,
            "id": 1452
          },
          {
            "timestamp": "2026-05-28 22:01:57,459",
            "thread_id": "608",
            "caller": "0x7ff6c28b3de8",
            "parentcaller": "0x7ff6c28b38f4",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000508"
              },
              {
                "name": "ValueName",
                "value": "Security"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\\Security"
              }
            ],
            "repeated": 0,
            "id": 1453
          },
          {
            "timestamp": "2026-05-28 22:01:57,459",
            "thread_id": "520",
            "caller": "0x7ff6c28d5dec",
            "parentcaller": "0x7ff6c28de0ed",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000038"
              },
              {
                "name": "Milliseconds",
                "value": "18446744073709551615"
              },
              {
                "name": "Status",
                "value": "Infinite"
              }
            ],
            "repeated": 0,
            "id": 1454
          },
          {
            "timestamp": "2026-05-28 22:01:57,459",
            "thread_id": "608",
            "caller": "0x7ff6c28b3de8",
            "parentcaller": "0x7ff6c28b38f4",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000508"
              },
              {
                "name": "ValueName",
                "value": "StreamResourceType"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\\StreamResourceType"
              }
            ],
            "repeated": 0,
            "id": 1455
          },
          {
            "timestamp": "2026-05-28 22:01:57,459",
            "thread_id": "608",
            "caller": "0x7ff6c28b3de8",
            "parentcaller": "0x7ff6c28b38f4",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000508"
              },
              {
                "name": "ValueName",
                "value": "LocalRedirectOnly"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\\LocalRedirectOnly"
              }
            ],
            "repeated": 0,
            "id": 1456
          },
          {
            "timestamp": "2026-05-28 22:01:57,459",
            "thread_id": "608",
            "caller": "0x7ff6c28b3de8",
            "parentcaller": "0x7ff6c28b38f4",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000508"
              },
              {
                "name": "ValueName",
                "value": "Roamable"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\\Roamable"
              }
            ],
            "repeated": 0,
            "id": 1457
          },
          {
            "timestamp": "2026-05-28 22:01:57,459",
            "thread_id": "608",
            "caller": "0x7ff6c28b3de8",
            "parentcaller": "0x7ff6c28b38f4",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000508"
              },
              {
                "name": "ValueName",
                "value": "PreCreate"
              },
              {
                "name": "Data",
                "value": "1"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\\PreCreate"
              }
            ],
            "repeated": 0,
            "id": 1458
          },
          {
            "timestamp": "2026-05-28 22:01:57,459",
            "thread_id": "608",
            "caller": "0x7ff6c28b3de8",
            "parentcaller": "0x7ff6c28b38f4",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000508"
              },
              {
                "name": "ValueName",
                "value": "Stream"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\\Stream"
              }
            ],
            "repeated": 0,
            "id": 1459
          },
          {
            "timestamp": "2026-05-28 22:01:57,459",
            "thread_id": "608",
            "caller": "0x7ff6c28b3de8",
            "parentcaller": "0x7ff6c28b38f4",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000508"
              },
              {
                "name": "ValueName",
                "value": "PublishExpandedPath"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\\PublishExpandedPath"
              }
            ],
            "repeated": 0,
            "id": 1460
          },
          {
            "timestamp": "2026-05-28 22:01:57,459",
            "thread_id": "608",
            "caller": "0x7ff6c28b3de8",
            "parentcaller": "0x7ff6c28b38f4",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000508"
              },
              {
                "name": "ValueName",
                "value": "DefinitionFlags"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\\DefinitionFlags"
              }
            ],
            "repeated": 0,
            "id": 1461
          },
          {
            "timestamp": "2026-05-28 22:01:57,459",
            "thread_id": "608",
            "caller": "0x7ff6c28b3de8",
            "parentcaller": "0x7ff6c28b38f4",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000508"
              },
              {
                "name": "ValueName",
                "value": "Attributes"
              },
              {
                "name": "Data",
                "value": "1"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\\Attributes"
              }
            ],
            "repeated": 0,
            "id": 1462
          },
          {
            "timestamp": "2026-05-28 22:01:57,459",
            "thread_id": "608",
            "caller": "0x7ff6c28b3de8",
            "parentcaller": "0x7ff6c28b38f4",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000508"
              },
              {
                "name": "ValueName",
                "value": "FolderTypeID"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\\FolderTypeID"
              }
            ],
            "repeated": 0,
            "id": 1463
          },
          {
            "timestamp": "2026-05-28 22:01:57,459",
            "thread_id": "608",
            "caller": "0x7ff6c28b3de8",
            "parentcaller": "0x7ff6c28b38f4",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000508"
              },
              {
                "name": "ValueName",
                "value": "InitFolderHandler"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\\InitFolderHandler"
              }
            ],
            "repeated": 0,
            "id": 1464
          },
          {
            "timestamp": "2026-05-28 22:01:57,459",
            "thread_id": "608",
            "caller": "0x7ff6c28b3de8",
            "parentcaller": "0x7ff6c28b38f4",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc73f06000"
              },
              {
                "name": "ModuleName",
                "value": "windows.storage.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1465
          },
          {
            "timestamp": "2026-05-28 22:01:57,459",
            "thread_id": "608",
            "caller": "0x7ff6c28b3de8",
            "parentcaller": "0x7ff6c28b38f4",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc73f06000"
              },
              {
                "name": "ModuleName",
                "value": "windows.storage.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1466
          },
          {
            "timestamp": "2026-05-28 22:01:57,459",
            "thread_id": "608",
            "caller": "0x7ff6c28b3de8",
            "parentcaller": "0x7ff6c28b38f4",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000508"
              },
              {
                "name": "SubKey",
                "value": "PropertyBag"
              },
              {
                "name": "Handle",
                "value": "0x0000050c"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\\PropertyBag"
              }
            ],
            "repeated": 0,
            "id": 1467
          },
          {
            "timestamp": "2026-05-28 22:01:57,459",
            "thread_id": "608",
            "caller": "0x00000000",
            "parentcaller": "0x00000000",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000508"
              }
            ],
            "repeated": 0,
            "id": 1468
          },
          {
            "timestamp": "2026-05-28 22:01:57,459",
            "thread_id": "7832",
            "caller": "0x7ff6c28b59e7",
            "parentcaller": "0x7ff6c28b3b10",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "0000032A-0000-0000-C000-000000000046"
              },
              {
                "name": "ClsContext",
                "value": "0x00000001",
                "pretty_value": "CLSCTX_INPROC_SERVER"
              },
              {
                "name": "riid",
                "value": "00000149-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 1469
          },
          {
            "timestamp": "2026-05-28 22:01:57,459",
            "thread_id": "608",
            "caller": "0x7ff6c28b3de8",
            "parentcaller": "0x7ff6c28b38f4",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion"
              },
              {
                "name": "Handle",
                "value": "0x00000508"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion"
              }
            ],
            "repeated": 0,
            "id": 1470
          },
          {
            "timestamp": "2026-05-28 22:01:57,459",
            "thread_id": "608",
            "caller": "0x7ff6c28b3de8",
            "parentcaller": "0x7ff6c28b38f4",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000508"
              },
              {
                "name": "ValueName",
                "value": "ProgramFilesDir (x86)"
              },
              {
                "name": "Data",
                "value": "C:\\Program Files (x86)"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\ProgramFilesDir (x86)"
              }
            ],
            "repeated": 0,
            "id": 1471
          },
          {
            "timestamp": "2026-05-28 22:01:57,459",
            "thread_id": "608",
            "caller": "0x7ff6c28b3de8",
            "parentcaller": "0x7ff6c28b38f4",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000508"
              }
            ],
            "repeated": 0,
            "id": 1472
          },
          {
            "timestamp": "2026-05-28 22:01:57,459",
            "thread_id": "608",
            "caller": "0x7ff6c28b3de8",
            "parentcaller": "0x7ff6c28b38f4",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004fc"
              }
            ],
            "repeated": 0,
            "id": 1473
          },
          {
            "timestamp": "2026-05-28 22:01:57,459",
            "thread_id": "7832",
            "caller": "0x7ff6c28b59e7",
            "parentcaller": "0x7ff6c28b3b10",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "00000339-0000-0000-C000-000000000046"
              },
              {
                "name": "ClsContext",
                "value": "0x00000403",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER|CLSCTX_NO_CODE_DOWNLOAD"
              },
              {
                "name": "riid",
                "value": "00000003-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 1474
          },
          {
            "timestamp": "2026-05-28 22:01:57,459",
            "thread_id": "608",
            "caller": "0x7ff6c28b3de8",
            "parentcaller": "0x7ff6c28b38f4",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76e56000"
              },
              {
                "name": "ModuleName",
                "value": "SHELL32.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1475
          },
          {
            "timestamp": "2026-05-28 22:01:57,459",
            "thread_id": "608",
            "caller": "0x7ff6c28b3de8",
            "parentcaller": "0x7ff6c28b38f4",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x000004fc"
              }
            ],
            "repeated": 0,
            "id": 1476
          },
          {
            "timestamp": "2026-05-28 22:01:57,459",
            "thread_id": "608",
            "caller": "0x7ff6c28b3de8",
            "parentcaller": "0x7ff6c28b38f4",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "29"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1477
          },
          {
            "timestamp": "2026-05-28 22:01:57,459",
            "thread_id": "608",
            "caller": "0x7ff6c28b3de8",
            "parentcaller": "0x7ff6c28b38f4",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "25"
              },
              {
                "name": "TokenInformation",
                "value": "P\\xb7\\xf7\\x9d\\xf0\\x00\\x00\\x00`\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x10\\x000\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1478
          },
          {
            "timestamp": "2026-05-28 22:01:57,459",
            "thread_id": "608",
            "caller": "0x7ff6c28b3de8",
            "parentcaller": "0x7ff6c28b38f4",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions"
              },
              {
                "name": "Handle",
                "value": "0x00000508"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions"
              }
            ],
            "repeated": 0,
            "id": 1479
          },
          {
            "timestamp": "2026-05-28 22:01:57,459",
            "thread_id": "608",
            "caller": "0x7ff6c28b3de8",
            "parentcaller": "0x7ff6c28b38f4",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000508"
              },
              {
                "name": "SubKey",
                "value": "{6D809377-6AF0-444B-8957-A3773F02200E}"
              },
              {
                "name": "Handle",
                "value": "0x00000514"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{6D809377-6AF0-444B-8957-A3773F02200E}"
              }
            ],
            "repeated": 0,
            "id": 1480
          },
          {
            "timestamp": "2026-05-28 22:01:57,459",
            "thread_id": "608",
            "caller": "0x7ff6c28b3de8",
            "parentcaller": "0x7ff6c28b38f4",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000508"
              }
            ],
            "repeated": 0,
            "id": 1481
          },
          {
            "timestamp": "2026-05-28 22:01:57,459",
            "thread_id": "608",
            "caller": "0x7ff6c28b3de8",
            "parentcaller": "0x7ff6c28b38f4",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000514"
              },
              {
                "name": "ValueName",
                "value": "Category"
              },
              {
                "name": "Data",
                "value": "2"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{6D809377-6AF0-444b-8957-A3773F02200E}\\Category"
              }
            ],
            "repeated": 0,
            "id": 1482
          },
          {
            "timestamp": "2026-05-28 22:01:57,459",
            "thread_id": "608",
            "caller": "0x7ff6c28b3de8",
            "parentcaller": "0x7ff6c28b38f4",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000514"
              },
              {
                "name": "ValueName",
                "value": "Name"
              },
              {
                "name": "Data",
                "value": "ProgramFilesX64"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{6D809377-6AF0-444b-8957-A3773F02200E}\\Name"
              }
            ],
            "repeated": 0,
            "id": 1483
          },
          {
            "timestamp": "2026-05-28 22:01:57,459",
            "thread_id": "608",
            "caller": "0x7ff6c28b3de8",
            "parentcaller": "0x7ff6c28b38f4",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000514"
              },
              {
                "name": "ValueName",
                "value": "ParentFolder"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{6D809377-6AF0-444b-8957-A3773F02200E}\\ParentFolder"
              }
            ],
            "repeated": 0,
            "id": 1484
          },
          {
            "timestamp": "2026-05-28 22:01:57,459",
            "thread_id": "608",
            "caller": "0x7ff6c28b3de8",
            "parentcaller": "0x7ff6c28b38f4",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000514"
              },
              {
                "name": "ValueName",
                "value": "Description"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{6D809377-6AF0-444b-8957-A3773F02200E}\\Description"
              }
            ],
            "repeated": 0,
            "id": 1485
          },
          {
            "timestamp": "2026-05-28 22:01:57,459",
            "thread_id": "608",
            "caller": "0x7ff6c28b3de8",
            "parentcaller": "0x7ff6c28b38f4",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000514"
              },
              {
                "name": "ValueName",
                "value": "RelativePath"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{6D809377-6AF0-444b-8957-A3773F02200E}\\RelativePath"
              }
            ],
            "repeated": 0,
            "id": 1486
          },
          {
            "timestamp": "2026-05-28 22:01:57,459",
            "thread_id": "608",
            "caller": "0x7ff6c28b3de8",
            "parentcaller": "0x7ff6c28b38f4",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000514"
              },
              {
                "name": "ValueName",
                "value": "ParsingName"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{6D809377-6AF0-444b-8957-A3773F02200E}\\ParsingName"
              }
            ],
            "repeated": 0,
            "id": 1487
          },
          {
            "timestamp": "2026-05-28 22:01:57,459",
            "thread_id": "608",
            "caller": "0x7ff6c28b3de8",
            "parentcaller": "0x7ff6c28b38f4",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000514"
              },
              {
                "name": "ValueName",
                "value": "InfoTip"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{6D809377-6AF0-444b-8957-A3773F02200E}\\InfoTip"
              }
            ],
            "repeated": 0,
            "id": 1488
          },
          {
            "timestamp": "2026-05-28 22:01:57,459",
            "thread_id": "608",
            "caller": "0x7ff6c28b3de8",
            "parentcaller": "0x7ff6c28b38f4",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000514"
              },
              {
                "name": "ValueName",
                "value": "LocalizedName"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{6D809377-6AF0-444b-8957-A3773F02200E}\\LocalizedName"
              }
            ],
            "repeated": 0,
            "id": 1489
          },
          {
            "timestamp": "2026-05-28 22:01:57,459",
            "thread_id": "608",
            "caller": "0x7ff6c28b3de8",
            "parentcaller": "0x7ff6c28b38f4",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000514"
              },
              {
                "name": "ValueName",
                "value": "Icon"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{6D809377-6AF0-444b-8957-A3773F02200E}\\Icon"
              }
            ],
            "repeated": 0,
            "id": 1490
          },
          {
            "timestamp": "2026-05-28 22:01:57,459",
            "thread_id": "608",
            "caller": "0x7ff6c28b3de8",
            "parentcaller": "0x7ff6c28b38f4",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000514"
              },
              {
                "name": "ValueName",
                "value": "Security"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{6D809377-6AF0-444b-8957-A3773F02200E}\\Security"
              }
            ],
            "repeated": 0,
            "id": 1491
          },
          {
            "timestamp": "2026-05-28 22:01:57,459",
            "thread_id": "608",
            "caller": "0x7ff6c28b3de8",
            "parentcaller": "0x7ff6c28b38f4",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000514"
              },
              {
                "name": "ValueName",
                "value": "StreamResource"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{6D809377-6AF0-444b-8957-A3773F02200E}\\StreamResource"
              }
            ],
            "repeated": 0,
            "id": 1492
          },
          {
            "timestamp": "2026-05-28 22:01:57,459",
            "thread_id": "608",
            "caller": "0x7ff6c28b3de8",
            "parentcaller": "0x7ff6c28b38f4",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000514"
              },
              {
                "name": "ValueName",
                "value": "StreamResourceType"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{6D809377-6AF0-444b-8957-A3773F02200E}\\StreamResourceType"
              }
            ],
            "repeated": 0,
            "id": 1493
          },
          {
            "timestamp": "2026-05-28 22:01:57,459",
            "thread_id": "608",
            "caller": "0x7ff6c28b3de8",
            "parentcaller": "0x7ff6c28b38f4",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000514"
              },
              {
                "name": "ValueName",
                "value": "LocalRedirectOnly"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{6D809377-6AF0-444b-8957-A3773F02200E}\\LocalRedirectOnly"
              }
            ],
            "repeated": 0,
            "id": 1494
          },
          {
            "timestamp": "2026-05-28 22:01:57,459",
            "thread_id": "608",
            "caller": "0x7ff6c28b3de8",
            "parentcaller": "0x7ff6c28b38f4",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000514"
              },
              {
                "name": "ValueName",
                "value": "Roamable"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{6D809377-6AF0-444b-8957-A3773F02200E}\\Roamable"
              }
            ],
            "repeated": 0,
            "id": 1495
          },
          {
            "timestamp": "2026-05-28 22:01:57,459",
            "thread_id": "608",
            "caller": "0x7ff6c28b3de8",
            "parentcaller": "0x7ff6c28b38f4",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000514"
              },
              {
                "name": "ValueName",
                "value": "PreCreate"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{6D809377-6AF0-444b-8957-A3773F02200E}\\PreCreate"
              }
            ],
            "repeated": 0,
            "id": 1496
          },
          {
            "timestamp": "2026-05-28 22:01:57,459",
            "thread_id": "608",
            "caller": "0x7ff6c28b3de8",
            "parentcaller": "0x7ff6c28b38f4",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000514"
              },
              {
                "name": "ValueName",
                "value": "Stream"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{6D809377-6AF0-444b-8957-A3773F02200E}\\Stream"
              }
            ],
            "repeated": 0,
            "id": 1497
          },
          {
            "timestamp": "2026-05-28 22:01:57,459",
            "thread_id": "608",
            "caller": "0x7ff6c28b3de8",
            "parentcaller": "0x7ff6c28b38f4",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000514"
              },
              {
                "name": "ValueName",
                "value": "PublishExpandedPath"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{6D809377-6AF0-444b-8957-A3773F02200E}\\PublishExpandedPath"
              }
            ],
            "repeated": 0,
            "id": 1498
          },
          {
            "timestamp": "2026-05-28 22:01:57,459",
            "thread_id": "608",
            "caller": "0x7ff6c28b3de8",
            "parentcaller": "0x7ff6c28b38f4",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000514"
              },
              {
                "name": "ValueName",
                "value": "DefinitionFlags"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{6D809377-6AF0-444b-8957-A3773F02200E}\\DefinitionFlags"
              }
            ],
            "repeated": 0,
            "id": 1499
          },
          {
            "timestamp": "2026-05-28 22:01:57,459",
            "thread_id": "1496",
            "caller": "0x7ff6c28df32d",
            "parentcaller": "0x7ff6c28d4000",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\x80\\xdev\\x9d\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xfc\\x7f\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\xe9\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\xc4\\x1e\\xa5u\\xfc\\x7f\\x00\\x00\\x8b}*v\\xfc\\x7f\\x00\\x00Xy*v\\x00\\x00\\x00\\x00\\xa2w*v\\xfc\\x7f\\x00\\x00`\\xc2*v\\xfc\\x7f\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1500
          },
          {
            "timestamp": "2026-05-28 22:01:57,459",
            "thread_id": "608",
            "caller": "0x7ffc756e2e92",
            "parentcaller": "0x7ffc738388aa",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000514"
              },
              {
                "name": "ValueName",
                "value": "Attributes"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{6D809377-6AF0-444b-8957-A3773F02200E}\\Attributes"
              }
            ],
            "repeated": 0,
            "id": 1501
          },
          {
            "timestamp": "2026-05-28 22:01:57,459",
            "thread_id": "1496",
            "caller": "0x7ff6c28df32d",
            "parentcaller": "0x7ff6c28d4000",
            "category": "misc",
            "api": "GetSystemMetrics",
            "status": false,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SystemMetricIndex",
                "value": "4096"
              }
            ],
            "repeated": 0,
            "id": 1502
          },
          {
            "timestamp": "2026-05-28 22:01:57,459",
            "thread_id": "608",
            "caller": "0x7ff6c28b3de8",
            "parentcaller": "0x7ff6c28b38f4",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000514"
              },
              {
                "name": "ValueName",
                "value": "FolderTypeID"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{6D809377-6AF0-444b-8957-A3773F02200E}\\FolderTypeID"
              }
            ],
            "repeated": 0,
            "id": 1503
          },
          {
            "timestamp": "2026-05-28 22:01:57,459",
            "thread_id": "1496",
            "caller": "0x7ff6c28df32d",
            "parentcaller": "0x7ff6c28d4000",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000508"
              }
            ],
            "repeated": 0,
            "id": 1504
          },
          {
            "timestamp": "2026-05-28 22:01:57,459",
            "thread_id": "608",
            "caller": "0x7ff6c28b3de8",
            "parentcaller": "0x7ff6c28b38f4",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000514"
              },
              {
                "name": "ValueName",
                "value": "InitFolderHandler"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{6D809377-6AF0-444b-8957-A3773F02200E}\\InitFolderHandler"
              }
            ],
            "repeated": 0,
            "id": 1505
          },
          {
            "timestamp": "2026-05-28 22:01:57,459",
            "thread_id": "608",
            "caller": "0x7ff6c28b3de8",
            "parentcaller": "0x7ff6c28b38f4",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000514"
              },
              {
                "name": "SubKey",
                "value": "PropertyBag"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{6D809377-6AF0-444b-8957-A3773F02200E}\\PropertyBag"
              }
            ],
            "repeated": 0,
            "id": 1506
          },
          {
            "timestamp": "2026-05-28 22:01:57,459",
            "thread_id": "1496",
            "caller": "0x7ff6c28df32d",
            "parentcaller": "0x7ff6c28d4000",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000508"
              }
            ],
            "repeated": 0,
            "id": 1507
          },
          {
            "timestamp": "2026-05-28 22:01:57,459",
            "thread_id": "608",
            "caller": "0x7ff6c28b3de8",
            "parentcaller": "0x7ff6c28b38f4",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000514"
              }
            ],
            "repeated": 0,
            "id": 1508
          },
          {
            "timestamp": "2026-05-28 22:01:57,459",
            "thread_id": "1496",
            "caller": "0x7ff6c28df32d",
            "parentcaller": "0x7ff6c28d4000",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x00000508"
              }
            ],
            "repeated": 0,
            "id": 1509
          },
          {
            "timestamp": "2026-05-28 22:01:57,459",
            "thread_id": "1496",
            "caller": "0x7ff6c28df32d",
            "parentcaller": "0x7ff6c28d4000",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000508"
              }
            ],
            "repeated": 0,
            "id": 1510
          },
          {
            "timestamp": "2026-05-28 22:01:57,459",
            "thread_id": "608",
            "caller": "0x7ff6c28b3de8",
            "parentcaller": "0x7ff6c28b38f4",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion"
              },
              {
                "name": "Handle",
                "value": "0x00000514"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion"
              }
            ],
            "repeated": 0,
            "id": 1511
          },
          {
            "timestamp": "2026-05-28 22:01:57,459",
            "thread_id": "608",
            "caller": "0x7ff6c28b3de8",
            "parentcaller": "0x7ff6c28b38f4",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000514"
              },
              {
                "name": "ValueName",
                "value": "ProgramFilesDir"
              },
              {
                "name": "Data",
                "value": "C:\\Program Files"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\ProgramFilesDir"
              }
            ],
            "repeated": 0,
            "id": 1512
          },
          {
            "timestamp": "2026-05-28 22:01:57,459",
            "thread_id": "1496",
            "caller": "0x7ff6c28df32d",
            "parentcaller": "0x7ff6c28d4000",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000508"
              },
              {
                "name": "ValueName",
                "value": "EnableBalloonTips"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\EnableBalloonTips"
              }
            ],
            "repeated": 0,
            "id": 1513
          },
          {
            "timestamp": "2026-05-28 22:01:57,459",
            "thread_id": "608",
            "caller": "0x7ff6c28b3de8",
            "parentcaller": "0x7ff6c28b38f4",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x000004fc"
              }
            ],
            "repeated": 0,
            "id": 1514
          },
          {
            "timestamp": "2026-05-28 22:01:57,459",
            "thread_id": "608",
            "caller": "0x7ff6c28b3de8",
            "parentcaller": "0x7ff6c28b38f4",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "29"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1515
          },
          {
            "timestamp": "2026-05-28 22:01:57,459",
            "thread_id": "608",
            "caller": "0x7ff6c28b3de8",
            "parentcaller": "0x7ff6c28b38f4",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "25"
              },
              {
                "name": "TokenInformation",
                "value": "P\\xb7\\xf7\\x9d\\xf0\\x00\\x00\\x00`\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x10\\x000\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1516
          },
          {
            "timestamp": "2026-05-28 22:01:57,459",
            "thread_id": "1496",
            "caller": "0x7ff6c28df32d",
            "parentcaller": "0x7ff6c28d4000",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000508"
              },
              {
                "name": "ValueName",
                "value": "ListviewAlphaSelect"
              },
              {
                "name": "Data",
                "value": "1"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\ListviewAlphaSelect"
              }
            ],
            "repeated": 0,
            "id": 1517
          },
          {
            "timestamp": "2026-05-28 22:01:57,459",
            "thread_id": "608",
            "caller": "0x7ff6c28b3de8",
            "parentcaller": "0x7ff6c28b38f4",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions"
              },
              {
                "name": "Handle",
                "value": "0x00000514"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions"
              }
            ],
            "repeated": 0,
            "id": 1518
          },
          {
            "timestamp": "2026-05-28 22:01:57,459",
            "thread_id": "1496",
            "caller": "0x7ff6c28df32d",
            "parentcaller": "0x7ff6c28d4000",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000508"
              },
              {
                "name": "ValueName",
                "value": "ListviewShadow"
              },
              {
                "name": "Data",
                "value": "1"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\ListviewShadow"
              }
            ],
            "repeated": 0,
            "id": 1519
          },
          {
            "timestamp": "2026-05-28 22:01:57,459",
            "thread_id": "1496",
            "caller": "0x7ff6c28df32d",
            "parentcaller": "0x7ff6c28d4000",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000508"
              }
            ],
            "repeated": 0,
            "id": 1520
          },
          {
            "timestamp": "2026-05-28 22:01:57,459",
            "thread_id": "608",
            "caller": "0x7ff6c28b3de8",
            "parentcaller": "0x7ff6c28b38f4",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000514"
              },
              {
                "name": "SubKey",
                "value": "{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}"
              },
              {
                "name": "Handle",
                "value": "0x00000518"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}"
              }
            ],
            "repeated": 0,
            "id": 1521
          },
          {
            "timestamp": "2026-05-28 22:01:57,459",
            "thread_id": "608",
            "caller": "0x7ff6c28b3de8",
            "parentcaller": "0x7ff6c28b38f4",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000514"
              }
            ],
            "repeated": 0,
            "id": 1522
          },
          {
            "timestamp": "2026-05-28 22:01:57,459",
            "thread_id": "608",
            "caller": "0x7ff6c28b3de8",
            "parentcaller": "0x7ff6c28b38f4",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000518"
              },
              {
                "name": "ValueName",
                "value": "Category"
              },
              {
                "name": "Data",
                "value": "2"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\\Category"
              }
            ],
            "repeated": 0,
            "id": 1523
          },
          {
            "timestamp": "2026-05-28 22:01:57,459",
            "thread_id": "1496",
            "caller": "0x7ff6c28df32d",
            "parentcaller": "0x7ff6c28d4000",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000001",
                "pretty_value": "HKEY_CURRENT_USER"
              },
              {
                "name": "SubKey",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced"
              },
              {
                "name": "Handle",
                "value": "0x00000510"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced"
              }
            ],
            "repeated": 0,
            "id": 1524
          },
          {
            "timestamp": "2026-05-28 22:01:57,459",
            "thread_id": "608",
            "caller": "0x7ff6c28b3de8",
            "parentcaller": "0x7ff6c28b38f4",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000518"
              },
              {
                "name": "ValueName",
                "value": "ParentFolder"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\\ParentFolder"
              }
            ],
            "repeated": 0,
            "id": 1525
          },
          {
            "timestamp": "2026-05-28 22:01:57,459",
            "thread_id": "1496",
            "caller": "0x7ff6c28df32d",
            "parentcaller": "0x7ff6c28d4000",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000510"
              }
            ],
            "repeated": 0,
            "id": 1526
          },
          {
            "timestamp": "2026-05-28 22:01:57,459",
            "thread_id": "608",
            "caller": "0x7ff6c28b3de8",
            "parentcaller": "0x7ff6c28b38f4",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000518"
              },
              {
                "name": "ValueName",
                "value": "Description"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\\Description"
              }
            ],
            "repeated": 0,
            "id": 1527
          },
          {
            "timestamp": "2026-05-28 22:01:57,459",
            "thread_id": "608",
            "caller": "0x7ff6c28b3de8",
            "parentcaller": "0x7ff6c28b38f4",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000518"
              },
              {
                "name": "ValueName",
                "value": "RelativePath"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\\RelativePath"
              }
            ],
            "repeated": 0,
            "id": 1528
          },
          {
            "timestamp": "2026-05-28 22:01:57,459",
            "thread_id": "1496",
            "caller": "0x7ff6c28df32d",
            "parentcaller": "0x7ff6c28d4000",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000510"
              }
            ],
            "repeated": 0,
            "id": 1529
          },
          {
            "timestamp": "2026-05-28 22:01:57,459",
            "thread_id": "608",
            "caller": "0x7ff6c28b3de8",
            "parentcaller": "0x7ff6c28b38f4",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000518"
              },
              {
                "name": "ValueName",
                "value": "ParsingName"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\\ParsingName"
              }
            ],
            "repeated": 0,
            "id": 1530
          },
          {
            "timestamp": "2026-05-28 22:01:57,459",
            "thread_id": "608",
            "caller": "0x7ff6c28b3de8",
            "parentcaller": "0x7ff6c28b38f4",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000518"
              },
              {
                "name": "ValueName",
                "value": "InfoTip"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\\InfoTip"
              }
            ],
            "repeated": 0,
            "id": 1531
          },
          {
            "timestamp": "2026-05-28 22:01:57,459",
            "thread_id": "1496",
            "caller": "0x7ff6c28df32d",
            "parentcaller": "0x7ff6c28d4000",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc77ef8000"
              },
              {
                "name": "ModuleName",
                "value": "GDI32.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1532
          },
          {
            "timestamp": "2026-05-28 22:01:57,459",
            "thread_id": "608",
            "caller": "0x7ff6c28b3de8",
            "parentcaller": "0x7ff6c28b38f4",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000518"
              },
              {
                "name": "ValueName",
                "value": "LocalizedName"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\\LocalizedName"
              }
            ],
            "repeated": 0,
            "id": 1533
          },
          {
            "timestamp": "2026-05-28 22:01:57,459",
            "thread_id": "608",
            "caller": "0x7ff6c28b3de8",
            "parentcaller": "0x7ff6c28b38f4",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000518"
              },
              {
                "name": "ValueName",
                "value": "Icon"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\\Icon"
              }
            ],
            "repeated": 0,
            "id": 1534
          },
          {
            "timestamp": "2026-05-28 22:01:57,459",
            "thread_id": "608",
            "caller": "0x7ff6c28b3de8",
            "parentcaller": "0x7ff6c28b38f4",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000518"
              },
              {
                "name": "ValueName",
                "value": "Security"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\\Security"
              }
            ],
            "repeated": 0,
            "id": 1535
          },
          {
            "timestamp": "2026-05-28 22:01:57,459",
            "thread_id": "608",
            "caller": "0x7ff6c28b3de8",
            "parentcaller": "0x7ff6c28b38f4",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000518"
              },
              {
                "name": "ValueName",
                "value": "StreamResource"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\\StreamResource"
              }
            ],
            "repeated": 0,
            "id": 1536
          },
          {
            "timestamp": "2026-05-28 22:01:57,459",
            "thread_id": "608",
            "caller": "0x7ff6c28b3de8",
            "parentcaller": "0x7ff6c28b38f4",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000518"
              },
              {
                "name": "ValueName",
                "value": "StreamResourceType"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\\StreamResourceType"
              }
            ],
            "repeated": 0,
            "id": 1537
          },
          {
            "timestamp": "2026-05-28 22:01:57,459",
            "thread_id": "608",
            "caller": "0x7ff6c28b3de8",
            "parentcaller": "0x7ff6c28b38f4",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000518"
              },
              {
                "name": "ValueName",
                "value": "LocalRedirectOnly"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\\LocalRedirectOnly"
              }
            ],
            "repeated": 0,
            "id": 1538
          },
          {
            "timestamp": "2026-05-28 22:01:57,459",
            "thread_id": "608",
            "caller": "0x7ff6c28b3de8",
            "parentcaller": "0x7ff6c28b38f4",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000518"
              },
              {
                "name": "ValueName",
                "value": "Roamable"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\\Roamable"
              }
            ],
            "repeated": 0,
            "id": 1539
          },
          {
            "timestamp": "2026-05-28 22:01:57,459",
            "thread_id": "608",
            "caller": "0x00000000",
            "parentcaller": "0x00000000",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000518"
              },
              {
                "name": "ValueName",
                "value": "PreCreate"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\\PreCreate"
              }
            ],
            "repeated": 0,
            "id": 1540
          },
          {
            "timestamp": "2026-05-28 22:01:57,459",
            "thread_id": "608",
            "caller": "0x7ff6c28b3de8",
            "parentcaller": "0x7ff6c28b38f4",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000518"
              },
              {
                "name": "ValueName",
                "value": "Stream"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\\Stream"
              }
            ],
            "repeated": 0,
            "id": 1541
          },
          {
            "timestamp": "2026-05-28 22:01:57,459",
            "thread_id": "608",
            "caller": "0x7ff6c28b3de8",
            "parentcaller": "0x7ff6c28b38f4",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000518"
              },
              {
                "name": "ValueName",
                "value": "PublishExpandedPath"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\\PublishExpandedPath"
              }
            ],
            "repeated": 0,
            "id": 1542
          },
          {
            "timestamp": "2026-05-28 22:01:57,459",
            "thread_id": "608",
            "caller": "0x7ff6c28b3de8",
            "parentcaller": "0x7ff6c28b38f4",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000518"
              },
              {
                "name": "ValueName",
                "value": "DefinitionFlags"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\\DefinitionFlags"
              }
            ],
            "repeated": 0,
            "id": 1543
          },
          {
            "timestamp": "2026-05-28 22:01:57,459",
            "thread_id": "7832",
            "caller": "0x7ff6c28b59e7",
            "parentcaller": "0x7ff6c28b3b10",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "29"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1544
          },
          {
            "timestamp": "2026-05-28 22:01:57,459",
            "thread_id": "608",
            "caller": "0x7ff6c28b3de8",
            "parentcaller": "0x7ff6c28b38f4",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000518"
              },
              {
                "name": "ValueName",
                "value": "Attributes"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\\Attributes"
              }
            ],
            "repeated": 0,
            "id": 1545
          },
          {
            "timestamp": "2026-05-28 22:01:57,459",
            "thread_id": "608",
            "caller": "0x7ff6c28b3de8",
            "parentcaller": "0x7ff6c28b38f4",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000518"
              },
              {
                "name": "ValueName",
                "value": "FolderTypeID"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\\FolderTypeID"
              }
            ],
            "repeated": 0,
            "id": 1546
          },
          {
            "timestamp": "2026-05-28 22:01:57,459",
            "thread_id": "608",
            "caller": "0x7ff6c28b3de8",
            "parentcaller": "0x7ff6c28b38f4",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000518"
              },
              {
                "name": "ValueName",
                "value": "InitFolderHandler"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\\InitFolderHandler"
              }
            ],
            "repeated": 0,
            "id": 1547
          },
          {
            "timestamp": "2026-05-28 22:01:57,459",
            "thread_id": "608",
            "caller": "0x7ff6c28b3de8",
            "parentcaller": "0x7ff6c28b38f4",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000518"
              },
              {
                "name": "SubKey",
                "value": "PropertyBag"
              },
              {
                "name": "Handle",
                "value": "0x00000514"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\\PropertyBag"
              }
            ],
            "repeated": 0,
            "id": 1548
          },
          {
            "timestamp": "2026-05-28 22:01:57,459",
            "thread_id": "7832",
            "caller": "0x7ff6c28b59e7",
            "parentcaller": "0x7ff6c28b3b10",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x0000050a"
              },
              {
                "name": "SubKey",
                "value": "ProxyStubClsid32"
              },
              {
                "name": "Handle",
                "value": "0x0000051e"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{26460E96-1D01-43E4-9FB8-B7ED958F362B}\\ProxyStubClsid32"
              }
            ],
            "repeated": 0,
            "id": 1549
          },
          {
            "timestamp": "2026-05-28 22:01:57,459",
            "thread_id": "608",
            "caller": "0x7ff6c28b3de8",
            "parentcaller": "0x7ff6c28b38f4",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004fc"
              }
            ],
            "repeated": 0,
            "id": 1550
          },
          {
            "timestamp": "2026-05-28 22:01:57,459",
            "thread_id": "608",
            "caller": "0x7ff6c28b3de8",
            "parentcaller": "0x7ff6c28b38f4",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x000004fc"
              }
            ],
            "repeated": 0,
            "id": 1551
          },
          {
            "timestamp": "2026-05-28 22:01:57,459",
            "thread_id": "608",
            "caller": "0x7ff6c28b3de8",
            "parentcaller": "0x7ff6c28b38f4",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "29"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1552
          },
          {
            "timestamp": "2026-05-28 22:01:57,459",
            "thread_id": "608",
            "caller": "0x7ff6c28b3de8",
            "parentcaller": "0x7ff6c28b38f4",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "25"
              },
              {
                "name": "TokenInformation",
                "value": "P\\xb7\\xf7\\x9d\\xf0\\x00\\x00\\x00`\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x10\\x000\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1553
          },
          {
            "timestamp": "2026-05-28 22:01:57,459",
            "thread_id": "7832",
            "caller": "0x7ff6c28b59e7",
            "parentcaller": "0x7ff6c28b3b10",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000051e"
              },
              {
                "name": "ValueName",
                "value": ""
              },
              {
                "name": "Data",
                "value": "{71A5EC7F-F325-4376-9D94-622C372E256F}"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{26460E96-1D01-43E4-9FB8-B7ED958F362B}\\ProxyStubClsid32\\(Default)"
              }
            ],
            "repeated": 0,
            "id": 1554
          },
          {
            "timestamp": "2026-05-28 22:01:57,459",
            "thread_id": "7832",
            "caller": "0x7ff6c28b59e7",
            "parentcaller": "0x7ff6c28b3b10",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000051e"
              }
            ],
            "repeated": 0,
            "id": 1555
          },
          {
            "timestamp": "2026-05-28 22:01:57,459",
            "thread_id": "608",
            "caller": "0x7ffc7383831a",
            "parentcaller": "0x7ffc73838fd2",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions"
              },
              {
                "name": "Handle",
                "value": "0x00000518"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions"
              }
            ],
            "repeated": 0,
            "id": 1556
          },
          {
            "timestamp": "2026-05-28 22:01:57,459",
            "thread_id": "7832",
            "caller": "0x7ff6c28b59e7",
            "parentcaller": "0x7ff6c28b3b10",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 1557
          },
          {
            "timestamp": "2026-05-28 22:01:57,459",
            "thread_id": "7832",
            "caller": "0x7ff6c28b59e7",
            "parentcaller": "0x7ff6c28b3b10",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002d8"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 1558
          },
          {
            "timestamp": "2026-05-28 22:01:57,459",
            "thread_id": "7832",
            "caller": "0x7ff6c28b59e7",
            "parentcaller": "0x7ff6c28b3b10",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "29"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1559
          },
          {
            "timestamp": "2026-05-28 22:01:57,459",
            "thread_id": "608",
            "caller": "0x7ff6c28b3de8",
            "parentcaller": "0x7ff6c28b38f4",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000518"
              },
              {
                "name": "SubKey",
                "value": "{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}"
              },
              {
                "name": "Handle",
                "value": "0x00000520"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}"
              }
            ],
            "repeated": 0,
            "id": 1560
          },
          {
            "timestamp": "2026-05-28 22:01:57,459",
            "thread_id": "7832",
            "caller": "0x7ff6c28b59e7",
            "parentcaller": "0x7ff6c28b3b10",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x0000051c"
              }
            ],
            "repeated": 0,
            "id": 1561
          },
          {
            "timestamp": "2026-05-28 22:01:57,459",
            "thread_id": "608",
            "caller": "0x7ff6c28b3de8",
            "parentcaller": "0x7ff6c28b38f4",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000518"
              }
            ],
            "repeated": 0,
            "id": 1562
          },
          {
            "timestamp": "2026-05-28 22:01:57,459",
            "thread_id": "7832",
            "caller": "0x7ff6c28b59e7",
            "parentcaller": "0x7ff6c28b3b10",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "10"
              },
              {
                "name": "TokenInformation",
                "value": "j\\xc4\t\\x00\\x00\\x00\\x00\\x00]Y\\x02\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x7f\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x94\\x0f\\x00\\x00\\x0e\\x00\\x00\\x00\\x18\\x00\\x00\\x00\\xa4\\xd0\t\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1563
          },
          {
            "timestamp": "2026-05-28 22:01:57,459",
            "thread_id": "7832",
            "caller": "0x7ff6c28b59e7",
            "parentcaller": "0x7ff6c28b3b10",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "4"
              },
              {
                "name": "TokenInformation",
                "value": "(n\\xe8S\\x92\\x02\\x00\\x00\\x01\\x02\\x00\\x00\\x00\\x00\\x00\\x05 \\x00\\x00\\x00 \\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1564
          },
          {
            "timestamp": "2026-05-28 22:01:57,459",
            "thread_id": "608",
            "caller": "0x7ff6c28b3de8",
            "parentcaller": "0x7ff6c28b38f4",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000520"
              },
              {
                "name": "ValueName",
                "value": "Category"
              },
              {
                "name": "Data",
                "value": "2"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\\Category"
              }
            ],
            "repeated": 0,
            "id": 1565
          },
          {
            "timestamp": "2026-05-28 22:01:57,459",
            "thread_id": "7832",
            "caller": "0x7ff6c28b59e7",
            "parentcaller": "0x7ff6c28b3b10",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "25"
              },
              {
                "name": "TokenInformation",
                "value": "\\x90n\\xe8S\\x92\\x02\\x00\\x00`\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x10\\x000\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1566
          },
          {
            "timestamp": "2026-05-28 22:01:57,459",
            "thread_id": "7832",
            "caller": "0x7ff6c28b59e7",
            "parentcaller": "0x7ff6c28b3b10",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "5"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 1567
          },
          {
            "timestamp": "2026-05-28 22:01:57,459",
            "thread_id": "7832",
            "caller": "0x7ff6c28b59e7",
            "parentcaller": "0x7ff6c28b3b10",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "5"
              },
              {
                "name": "TokenInformation",
                "value": "x\\xb3\\xe7S\\x92\\x02\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\x01\\x02\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1568
          },
          {
            "timestamp": "2026-05-28 22:01:57,459",
            "thread_id": "608",
            "caller": "0x7ff6c28b3de8",
            "parentcaller": "0x7ff6c28b38f4",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000520"
              },
              {
                "name": "ValueName",
                "value": "Name"
              },
              {
                "name": "Data",
                "value": "System"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\\Name"
              }
            ],
            "repeated": 0,
            "id": 1569
          },
          {
            "timestamp": "2026-05-28 22:01:57,459",
            "thread_id": "7832",
            "caller": "0x7ff6c28b59e7",
            "parentcaller": "0x7ff6c28b3b10",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "6"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 1570
          },
          {
            "timestamp": "2026-05-28 22:01:57,459",
            "thread_id": "608",
            "caller": "0x7ff6c28b3de8",
            "parentcaller": "0x7ff6c28b38f4",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000520"
              },
              {
                "name": "ValueName",
                "value": "ParentFolder"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\\ParentFolder"
              }
            ],
            "repeated": 0,
            "id": 1571
          },
          {
            "timestamp": "2026-05-28 22:01:57,459",
            "thread_id": "7832",
            "caller": "0x7ff6c28b59e7",
            "parentcaller": "0x7ff6c28b3b10",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "41"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00a\\xe8S\\x92\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xd9\\xd8\\xb63\\xfc\\x7f\\x00\\x00#\\x00\\x00\\xc0\\x00\\x00\\x00\\x00x\\xdc\\xe7\\x9d\\xf0\\x00\\x00\\x00\\x1c\\x05\\x00\\x00\\x00\\x00\\x00\\x00\\x9a\\x00\\x1f8\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x84\\xa2\\xd93"
              }
            ],
            "repeated": 0,
            "id": 1572
          },
          {
            "timestamp": "2026-05-28 22:01:57,459",
            "thread_id": "608",
            "caller": "0x7ff6c28b3de8",
            "parentcaller": "0x7ff6c28b38f4",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000520"
              },
              {
                "name": "ValueName",
                "value": "Description"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\\Description"
              }
            ],
            "repeated": 0,
            "id": 1573
          },
          {
            "timestamp": "2026-05-28 22:01:57,459",
            "thread_id": "7832",
            "caller": "0x7ff6c28b59e7",
            "parentcaller": "0x7ff6c28b3b10",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "25"
              },
              {
                "name": "TokenInformation",
                "value": "\\xf0\\\\xe8S\\x92\\x02\\x00\\x00`\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x10\\x000\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1574
          },
          {
            "timestamp": "2026-05-28 22:01:57,459",
            "thread_id": "608",
            "caller": "0x7ff6c28b3de8",
            "parentcaller": "0x7ff6c28b38f4",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000520"
              },
              {
                "name": "ValueName",
                "value": "RelativePath"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\\RelativePath"
              }
            ],
            "repeated": 0,
            "id": 1575
          },
          {
            "timestamp": "2026-05-28 22:01:57,459",
            "thread_id": "608",
            "caller": "0x7ff6c28b3de8",
            "parentcaller": "0x7ff6c28b38f4",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000520"
              },
              {
                "name": "ValueName",
                "value": "ParsingName"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\\ParsingName"
              }
            ],
            "repeated": 0,
            "id": 1576
          },
          {
            "timestamp": "2026-05-28 22:01:57,459",
            "thread_id": "7832",
            "caller": "0x7ff6c28b59e7",
            "parentcaller": "0x7ff6c28b3b10",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "41"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00X@\\xdd3\\xfc\\x7f\\x00\\x00\\xebP\\xb53\\xfc\\x7f\\x00\\x00\"\\xf5\\xb2\\xbeK\\xb4\\x00\\x00(N\\xd93\\xfc\\x7f\\x00\\x00\\xf0\\xda\\xe7\\x9d\\xf0\\x00\\x00\\x00\\xe8\\xda\\xe7\\x9d\\xf0\\x00\\x00\\x00\\xb8\\xda\\xe7\\x9d\\xf0\\x00\\x00\\x00\\xd8\\xda\\xe7\\x9d"
              }
            ],
            "repeated": 0,
            "id": 1577
          },
          {
            "timestamp": "2026-05-28 22:01:57,459",
            "thread_id": "608",
            "caller": "0x7ff6c28b3de8",
            "parentcaller": "0x7ff6c28b38f4",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000520"
              },
              {
                "name": "ValueName",
                "value": "InfoTip"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\\InfoTip"
              }
            ],
            "repeated": 0,
            "id": 1578
          },
          {
            "timestamp": "2026-05-28 22:01:57,459",
            "thread_id": "7832",
            "caller": "0x7ff6c28b59e7",
            "parentcaller": "0x7ff6c28b3b10",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000051c"
              }
            ],
            "repeated": 0,
            "id": 1579
          },
          {
            "timestamp": "2026-05-28 22:01:57,459",
            "thread_id": "608",
            "caller": "0x7ff6c28b3de8",
            "parentcaller": "0x7ff6c28b38f4",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000520"
              },
              {
                "name": "ValueName",
                "value": "LocalizedName"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\\LocalizedName"
              }
            ],
            "repeated": 0,
            "id": 1580
          },
          {
            "timestamp": "2026-05-28 22:01:57,459",
            "thread_id": "608",
            "caller": "0x7ff6c28b3de8",
            "parentcaller": "0x7ff6c28b38f4",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000520"
              },
              {
                "name": "ValueName",
                "value": "Icon"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\\Icon"
              }
            ],
            "repeated": 0,
            "id": 1581
          },
          {
            "timestamp": "2026-05-28 22:01:57,459",
            "thread_id": "608",
            "caller": "0x7ff6c28b3de8",
            "parentcaller": "0x7ff6c28b38f4",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000520"
              },
              {
                "name": "ValueName",
                "value": "Security"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\\Security"
              }
            ],
            "repeated": 0,
            "id": 1582
          },
          {
            "timestamp": "2026-05-28 22:01:57,459",
            "thread_id": "608",
            "caller": "0x7ff6c28b3de8",
            "parentcaller": "0x7ff6c28b38f4",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000520"
              },
              {
                "name": "ValueName",
                "value": "StreamResource"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\\StreamResource"
              }
            ],
            "repeated": 0,
            "id": 1583
          },
          {
            "timestamp": "2026-05-28 22:01:57,459",
            "thread_id": "608",
            "caller": "0x7ff6c28b3de8",
            "parentcaller": "0x7ff6c28b38f4",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000520"
              },
              {
                "name": "ValueName",
                "value": "StreamResourceType"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\\StreamResourceType"
              }
            ],
            "repeated": 0,
            "id": 1584
          },
          {
            "timestamp": "2026-05-28 22:01:57,459",
            "thread_id": "608",
            "caller": "0x7ff6c28b3de8",
            "parentcaller": "0x7ff6c28b38f4",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000520"
              },
              {
                "name": "ValueName",
                "value": "LocalRedirectOnly"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\\LocalRedirectOnly"
              }
            ],
            "repeated": 0,
            "id": 1585
          },
          {
            "timestamp": "2026-05-28 22:01:57,459",
            "thread_id": "608",
            "caller": "0x7ff6c28b3de8",
            "parentcaller": "0x7ff6c28b38f4",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000520"
              },
              {
                "name": "ValueName",
                "value": "Roamable"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\\Roamable"
              }
            ],
            "repeated": 0,
            "id": 1586
          },
          {
            "timestamp": "2026-05-28 22:01:57,459",
            "thread_id": "608",
            "caller": "0x7ff6c28b3de8",
            "parentcaller": "0x7ff6c28b38f4",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000520"
              },
              {
                "name": "ValueName",
                "value": "PreCreate"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\\PreCreate"
              }
            ],
            "repeated": 0,
            "id": 1587
          },
          {
            "timestamp": "2026-05-28 22:01:57,459",
            "thread_id": "608",
            "caller": "0x7ff6c28b3de8",
            "parentcaller": "0x7ff6c28b38f4",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000520"
              },
              {
                "name": "ValueName",
                "value": "Stream"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\\Stream"
              }
            ],
            "repeated": 0,
            "id": 1588
          },
          {
            "timestamp": "2026-05-28 22:01:57,459",
            "thread_id": "608",
            "caller": "0x7ff6c28b3de8",
            "parentcaller": "0x7ff6c28b38f4",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000520"
              },
              {
                "name": "ValueName",
                "value": "PublishExpandedPath"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\\PublishExpandedPath"
              }
            ],
            "repeated": 0,
            "id": 1589
          },
          {
            "timestamp": "2026-05-28 22:01:57,459",
            "thread_id": "1496",
            "caller": "0x7ff6c28df32d",
            "parentcaller": "0x7ff6c28d4000",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "comctl32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc61e00000"
              }
            ],
            "repeated": 0,
            "id": 1590
          },
          {
            "timestamp": "2026-05-28 22:01:57,459",
            "thread_id": "1496",
            "caller": "0x7ff6c28df32d",
            "parentcaller": "0x7ff6c28d4000",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x7ffc61e00000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "comctl32.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 1591
          },
          {
            "timestamp": "2026-05-28 22:01:57,459",
            "thread_id": "608",
            "caller": "0x7ff6c28b3de8",
            "parentcaller": "0x7ff6c28b38f4",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000520"
              },
              {
                "name": "ValueName",
                "value": "Attributes"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\\Attributes"
              }
            ],
            "repeated": 0,
            "id": 1592
          },
          {
            "timestamp": "2026-05-28 22:01:57,459",
            "thread_id": "608",
            "caller": "0x7ff6c28b3de8",
            "parentcaller": "0x7ff6c28b38f4",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000520"
              },
              {
                "name": "ValueName",
                "value": "FolderTypeID"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\\FolderTypeID"
              }
            ],
            "repeated": 0,
            "id": 1593
          },
          {
            "timestamp": "2026-05-28 22:01:57,459",
            "thread_id": "608",
            "caller": "0x7ff6c28b3de8",
            "parentcaller": "0x7ff6c28b38f4",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000520"
              },
              {
                "name": "ValueName",
                "value": "InitFolderHandler"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\\InitFolderHandler"
              }
            ],
            "repeated": 0,
            "id": 1594
          },
          {
            "timestamp": "2026-05-28 22:01:57,459",
            "thread_id": "608",
            "caller": "0x7ff6c28b3de8",
            "parentcaller": "0x7ff6c28b38f4",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000520"
              },
              {
                "name": "SubKey",
                "value": "PropertyBag"
              },
              {
                "name": "Handle",
                "value": "0x00000518"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\\PropertyBag"
              }
            ],
            "repeated": 0,
            "id": 1595
          },
          {
            "timestamp": "2026-05-28 22:01:57,459",
            "thread_id": "608",
            "caller": "0x7ff6c28b3de8",
            "parentcaller": "0x7ff6c28b38f4",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000520"
              }
            ],
            "repeated": 0,
            "id": 1596
          },
          {
            "timestamp": "2026-05-28 22:01:57,459",
            "thread_id": "608",
            "caller": "0x7ff6c28b3de8",
            "parentcaller": "0x7ff6c28b38f4",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004fc"
              }
            ],
            "repeated": 0,
            "id": 1597
          },
          {
            "timestamp": "2026-05-28 22:01:57,459",
            "thread_id": "1496",
            "caller": "0x7ff6c28df32d",
            "parentcaller": "0x7ff6c28d4000",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00000042"
              },
              {
                "name": "uiParam",
                "value": "0x00000010"
              }
            ],
            "repeated": 1,
            "id": 1598
          },
          {
            "timestamp": "2026-05-28 22:01:57,459",
            "thread_id": "1496",
            "caller": "0x7ff6c28df32d",
            "parentcaller": "0x7ff6c28d4000",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29251498000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1599
          },
          {
            "timestamp": "2026-05-28 22:01:57,459",
            "thread_id": "1496",
            "caller": "0x7ff6c28df32d",
            "parentcaller": "0x7ff6c28d4000",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "Software\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes"
              },
              {
                "name": "Handle",
                "value": "0x00000508"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes"
              }
            ],
            "repeated": 0,
            "id": 1600
          },
          {
            "timestamp": "2026-05-28 22:01:57,475",
            "thread_id": "1496",
            "caller": "0x7ff6c28df32d",
            "parentcaller": "0x7ff6c28d4000",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000508"
              },
              {
                "name": "ValueName",
                "value": "Segoe UI"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes\\Segoe UI"
              }
            ],
            "repeated": 0,
            "id": 1601
          },
          {
            "timestamp": "2026-05-28 22:01:57,475",
            "thread_id": "1496",
            "caller": "0x7ff6c28df32d",
            "parentcaller": "0x7ff6c28d4000",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000508"
              }
            ],
            "repeated": 0,
            "id": 1602
          },
          {
            "timestamp": "2026-05-28 22:01:57,475",
            "thread_id": "1496",
            "caller": "0x7ff6c28df32d",
            "parentcaller": "0x7ff6c28d4000",
            "category": "synchronization",
            "api": "NtAddAtomEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "AtomName",
                "value": "UxSubclassInfo"
              },
              {
                "name": "Atom",
                "value": "0x0000c018"
              }
            ],
            "repeated": 1,
            "id": 1603
          },
          {
            "timestamp": "2026-05-28 22:01:57,475",
            "thread_id": "1496",
            "caller": "0x7ff6c28df32d",
            "parentcaller": "0x7ff6c28d4000",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "Software\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes"
              },
              {
                "name": "Handle",
                "value": "0x000004fc"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes"
              }
            ],
            "repeated": 0,
            "id": 1604
          },
          {
            "timestamp": "2026-05-28 22:01:57,475",
            "thread_id": "1496",
            "caller": "0x7ff6c28df32d",
            "parentcaller": "0x7ff6c28d4000",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004fc"
              },
              {
                "name": "ValueName",
                "value": "Segoe UI"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes\\Segoe UI"
              }
            ],
            "repeated": 0,
            "id": 1605
          },
          {
            "timestamp": "2026-05-28 22:01:57,475",
            "thread_id": "1496",
            "caller": "0x7ff6c28df32d",
            "parentcaller": "0x7ff6c28d4000",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004fc"
              }
            ],
            "repeated": 0,
            "id": 1606
          },
          {
            "timestamp": "2026-05-28 22:01:57,475",
            "thread_id": "1496",
            "caller": "0x7ff6c28df349",
            "parentcaller": "0x7ff6c28d4000",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00000042"
              },
              {
                "name": "uiParam",
                "value": "0x00000010"
              }
            ],
            "repeated": 3,
            "id": 1607
          },
          {
            "timestamp": "2026-05-28 22:01:57,475",
            "thread_id": "1496",
            "caller": "0x7ff6c28df349",
            "parentcaller": "0x7ff6c28d4000",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00001022"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 1608
          },
          {
            "timestamp": "2026-05-28 22:01:57,475",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4000",
            "parentcaller": "0x7ff6c28d2e59",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00000042"
              },
              {
                "name": "uiParam",
                "value": "0x00000010"
              }
            ],
            "repeated": 0,
            "id": 1609
          },
          {
            "timestamp": "2026-05-28 22:01:57,475",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4000",
            "parentcaller": "0x7ff6c28d2e59",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29253eaa000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1610
          },
          {
            "timestamp": "2026-05-28 22:01:57,475",
            "thread_id": "7832",
            "caller": "0x7ff6c28b59e7",
            "parentcaller": "0x7ff6c28b3b10",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 1611
          },
          {
            "timestamp": "2026-05-28 22:01:57,475",
            "thread_id": "7832",
            "caller": "0x7ff6c28b59e7",
            "parentcaller": "0x7ff6c28b3b10",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004a8"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 1612
          },
          {
            "timestamp": "2026-05-28 22:01:57,475",
            "thread_id": "7832",
            "caller": "0x7ff6c28b59e7",
            "parentcaller": "0x7ff6c28b3b10",
            "category": "system",
            "api": "NtDuplicateObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SourceProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "SourceHandle",
                "value": "0x00000504"
              },
              {
                "name": "TargetProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "TargetHandle",
                "value": "0x000004fc"
              },
              {
                "name": "Options",
                "value": "0x00000002"
              }
            ],
            "repeated": 0,
            "id": 1613
          },
          {
            "timestamp": "2026-05-28 22:01:57,475",
            "thread_id": "608",
            "caller": "0x7ff6c28b3dc4",
            "parentcaller": "0x7ff6c28b38f4",
            "category": "misc",
            "api": "FindResourceExW",
            "status": true,
            "return": "0x29252ef2128",
            "arguments": [
              {
                "name": "Module",
                "value": "0x7ff6c28b0000"
              },
              {
                "name": "Type",
                "value": "#14"
              },
              {
                "name": "Name",
                "value": "#38601"
              },
              {
                "name": "Language",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 1614
          },
          {
            "timestamp": "2026-05-28 22:01:57,475",
            "thread_id": "608",
            "caller": "0x7ff6c28b3dc4",
            "parentcaller": "0x7ff6c28b38f4",
            "category": "misc",
            "api": "LoadResource",
            "status": true,
            "return": "0x29252f2b340",
            "arguments": [
              {
                "name": "Module",
                "value": "0x7ff6c28b0000"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29252ef2128"
              }
            ],
            "repeated": 0,
            "id": 1615
          },
          {
            "timestamp": "2026-05-28 22:01:57,475",
            "thread_id": "608",
            "caller": "0x7ff6c28b3dc4",
            "parentcaller": "0x7ff6c28b38f4",
            "category": "misc",
            "api": "FindResourceExW",
            "status": true,
            "return": "0x29252ef1ed8",
            "arguments": [
              {
                "name": "Module",
                "value": "0x7ff6c28b0000"
              },
              {
                "name": "Type",
                "value": "#3"
              },
              {
                "name": "Name",
                "value": "#87"
              },
              {
                "name": "Language",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 1616
          },
          {
            "timestamp": "2026-05-28 22:01:57,475",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4000",
            "parentcaller": "0x7ff6c28d2e59",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "Software\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes"
              },
              {
                "name": "Handle",
                "value": "0x00000520"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes"
              }
            ],
            "repeated": 0,
            "id": 1617
          },
          {
            "timestamp": "2026-05-28 22:01:57,475",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4000",
            "parentcaller": "0x7ff6c28d2e59",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000520"
              },
              {
                "name": "ValueName",
                "value": "Segoe UI"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes\\Segoe UI"
              }
            ],
            "repeated": 0,
            "id": 1618
          },
          {
            "timestamp": "2026-05-28 22:01:57,475",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4000",
            "parentcaller": "0x7ff6c28d2e59",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000520"
              }
            ],
            "repeated": 0,
            "id": 1619
          },
          {
            "timestamp": "2026-05-28 22:01:57,475",
            "thread_id": "608",
            "caller": "0x7ff6c28b3de8",
            "parentcaller": "0x7ff6c28b38f4",
            "category": "windows",
            "api": "FindWindowW",
            "status": true,
            "return": "0x00010092",
            "arguments": [
              {
                "name": "ClassName",
                "value": "Shell_TrayWnd"
              },
              {
                "name": "WindowName",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 1620
          },
          {
            "timestamp": "2026-05-28 22:01:57,475",
            "thread_id": "608",
            "caller": "0x7ff6c28b3de8",
            "parentcaller": "0x7ff6c28b38f4",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000508"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001000",
                "pretty_value": "PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "7912"
              }
            ],
            "repeated": 0,
            "id": 1621
          },
          {
            "timestamp": "2026-05-28 22:01:57,475",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4000",
            "parentcaller": "0x7ff6c28d2e59",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "Software\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes"
              },
              {
                "name": "Handle",
                "value": "0x00000520"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes"
              }
            ],
            "repeated": 0,
            "id": 1622
          },
          {
            "timestamp": "2026-05-28 22:01:57,475",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4000",
            "parentcaller": "0x7ff6c28d2e59",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000520"
              },
              {
                "name": "ValueName",
                "value": "Segoe UI"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes\\Segoe UI"
              }
            ],
            "repeated": 0,
            "id": 1623
          },
          {
            "timestamp": "2026-05-28 22:01:57,475",
            "thread_id": "608",
            "caller": "0x7ff6c28b3de8",
            "parentcaller": "0x7ff6c28b38f4",
            "category": "filesystem",
            "api": "FindFirstFileExW",
            "status": true,
            "return": "0x29253e87240",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows"
              },
              {
                "name": "FirstCreateTimeLow",
                "value": "0x3a6eea36"
              },
              {
                "name": "FirstCreateTimeHigh",
                "value": "0x01ca0431"
              }
            ],
            "repeated": 0,
            "id": 1624
          },
          {
            "timestamp": "2026-05-28 22:01:57,475",
            "thread_id": "608",
            "caller": "0x7ff6c28b3de8",
            "parentcaller": "0x7ff6c28b38f4",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000508"
              }
            ],
            "repeated": 0,
            "id": 1625
          },
          {
            "timestamp": "2026-05-28 22:01:57,475",
            "thread_id": "1496",
            "caller": "0x7ff6c28d40a3",
            "parentcaller": "0x7ff6c28d2e59",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00000029"
              },
              {
                "name": "uiParam",
                "value": "0x000001f8"
              }
            ],
            "repeated": 0,
            "id": 1626
          },
          {
            "timestamp": "2026-05-28 22:01:57,475",
            "thread_id": "608",
            "caller": "0x7ff6c28b3de8",
            "parentcaller": "0x7ff6c28b38f4",
            "category": "filesystem",
            "api": "FindFirstFileExW",
            "status": true,
            "return": "0x29253e86520",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32"
              },
              {
                "name": "FirstCreateTimeLow",
                "value": "0x3a6eea36"
              },
              {
                "name": "FirstCreateTimeHigh",
                "value": "0x01d5acdd"
              }
            ],
            "repeated": 0,
            "id": 1627
          },
          {
            "timestamp": "2026-05-28 22:01:57,475",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4106",
            "parentcaller": "0x7ff6c28d2e59",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29253ead000"
              },
              {
                "name": "RegionSize",
                "value": "0x00003000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1628
          },
          {
            "timestamp": "2026-05-28 22:01:57,475",
            "thread_id": "608",
            "caller": "0x7ff6c28b3de8",
            "parentcaller": "0x7ff6c28b38f4",
            "category": "filesystem",
            "api": "FindFirstFileExW",
            "status": true,
            "return": "0x29253e86d60",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\Taskmgr.exe"
              },
              {
                "name": "FirstCreateTimeLow",
                "value": "0x6eac9751"
              },
              {
                "name": "FirstCreateTimeHigh",
                "value": "0x01da265c"
              }
            ],
            "repeated": 0,
            "id": 1629
          },
          {
            "timestamp": "2026-05-28 22:01:57,475",
            "thread_id": "608",
            "caller": "0x7ff6c28b3de8",
            "parentcaller": "0x7ff6c28b38f4",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000508"
              }
            ],
            "repeated": 0,
            "id": 1630
          },
          {
            "timestamp": "2026-05-28 22:01:57,475",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4106",
            "parentcaller": "0x7ff6c28d2e59",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29253eb0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00003000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1631
          },
          {
            "timestamp": "2026-05-28 22:01:57,475",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4106",
            "parentcaller": "0x7ff6c28d2e59",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29253eb3000"
              },
              {
                "name": "RegionSize",
                "value": "0x00005000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1632
          },
          {
            "timestamp": "2026-05-28 22:01:57,475",
            "thread_id": "1496",
            "caller": "0x7ff6c28da3ae",
            "parentcaller": "0x7ff6c28d4106",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29253eb8000"
              },
              {
                "name": "RegionSize",
                "value": "0x00003000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1633
          },
          {
            "timestamp": "2026-05-28 22:01:57,475",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4106",
            "parentcaller": "0x7ff6c28d2e59",
            "category": "misc",
            "api": "FindResourceExW",
            "status": true,
            "return": "0x2924e1b1f28",
            "arguments": [
              {
                "name": "Module",
                "value": "0x7ff6c28b0000"
              },
              {
                "name": "Type",
                "value": "#6"
              },
              {
                "name": "Name",
                "value": "#2438"
              },
              {
                "name": "Language",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 1634
          },
          {
            "timestamp": "2026-05-28 22:01:57,475",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4106",
            "parentcaller": "0x7ff6c28d2e59",
            "category": "misc",
            "api": "LoadResource",
            "status": true,
            "return": "0x2924e1bd3d4",
            "arguments": [
              {
                "name": "Module",
                "value": "0x7ff6c28b0000"
              },
              {
                "name": "ResourceInfo",
                "value": "0x2924e1b1f28"
              }
            ],
            "repeated": 0,
            "id": 1635
          },
          {
            "timestamp": "2026-05-28 22:01:57,475",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4106",
            "parentcaller": "0x7ff6c28d2e59",
            "category": "misc",
            "api": "FindResourceExW",
            "status": true,
            "return": "0x2924e1b1f28",
            "arguments": [
              {
                "name": "Module",
                "value": "0x7ff6c28b0000"
              },
              {
                "name": "Type",
                "value": "#6"
              },
              {
                "name": "Name",
                "value": "#2438"
              },
              {
                "name": "Language",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 1636
          },
          {
            "timestamp": "2026-05-28 22:01:57,475",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4106",
            "parentcaller": "0x7ff6c28d2e59",
            "category": "misc",
            "api": "LoadResource",
            "status": true,
            "return": "0x2924e1bd3d4",
            "arguments": [
              {
                "name": "Module",
                "value": "0x7ff6c28b0000"
              },
              {
                "name": "ResourceInfo",
                "value": "0x2924e1b1f28"
              }
            ],
            "repeated": 0,
            "id": 1637
          },
          {
            "timestamp": "2026-05-28 22:01:57,475",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4106",
            "parentcaller": "0x7ff6c28d2e59",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29253ebb000"
              },
              {
                "name": "RegionSize",
                "value": "0x00003000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1638
          },
          {
            "timestamp": "2026-05-28 22:01:57,475",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4106",
            "parentcaller": "0x7ff6c28d2e59",
            "category": "misc",
            "api": "FindResourceExW",
            "status": true,
            "return": "0x2924e1b1f28",
            "arguments": [
              {
                "name": "Module",
                "value": "0x7ff6c28b0000"
              },
              {
                "name": "Type",
                "value": "#6"
              },
              {
                "name": "Name",
                "value": "#2438"
              },
              {
                "name": "Language",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 1639
          },
          {
            "timestamp": "2026-05-28 22:01:57,475",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4106",
            "parentcaller": "0x7ff6c28d2e59",
            "category": "misc",
            "api": "LoadResource",
            "status": true,
            "return": "0x2924e1bd3d4",
            "arguments": [
              {
                "name": "Module",
                "value": "0x7ff6c28b0000"
              },
              {
                "name": "ResourceInfo",
                "value": "0x2924e1b1f28"
              }
            ],
            "repeated": 0,
            "id": 1640
          },
          {
            "timestamp": "2026-05-28 22:01:57,475",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4106",
            "parentcaller": "0x7ff6c28d2e59",
            "category": "misc",
            "api": "FindResourceExW",
            "status": true,
            "return": "0x2924e1b1f28",
            "arguments": [
              {
                "name": "Module",
                "value": "0x7ff6c28b0000"
              },
              {
                "name": "Type",
                "value": "#6"
              },
              {
                "name": "Name",
                "value": "#2438"
              },
              {
                "name": "Language",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 1641
          },
          {
            "timestamp": "2026-05-28 22:01:57,475",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4106",
            "parentcaller": "0x7ff6c28d2e59",
            "category": "misc",
            "api": "LoadResource",
            "status": true,
            "return": "0x2924e1bd3d4",
            "arguments": [
              {
                "name": "Module",
                "value": "0x7ff6c28b0000"
              },
              {
                "name": "ResourceInfo",
                "value": "0x2924e1b1f28"
              }
            ],
            "repeated": 0,
            "id": 1642
          },
          {
            "timestamp": "2026-05-28 22:01:57,475",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4106",
            "parentcaller": "0x7ff6c28d2e59",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29253ebe000"
              },
              {
                "name": "RegionSize",
                "value": "0x00003000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1643
          },
          {
            "timestamp": "2026-05-28 22:01:57,475",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4106",
            "parentcaller": "0x7ff6c28d2e59",
            "category": "misc",
            "api": "FindResourceExW",
            "status": true,
            "return": "0x2924e1b1f38",
            "arguments": [
              {
                "name": "Module",
                "value": "0x7ff6c28b0000"
              },
              {
                "name": "Type",
                "value": "#6"
              },
              {
                "name": "Name",
                "value": "#2439"
              },
              {
                "name": "Language",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 1644
          },
          {
            "timestamp": "2026-05-28 22:01:57,475",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4106",
            "parentcaller": "0x7ff6c28d2e59",
            "category": "misc",
            "api": "LoadResource",
            "status": true,
            "return": "0x2924e1bd778",
            "arguments": [
              {
                "name": "Module",
                "value": "0x7ff6c28b0000"
              },
              {
                "name": "ResourceInfo",
                "value": "0x2924e1b1f38"
              }
            ],
            "repeated": 0,
            "id": 1645
          },
          {
            "timestamp": "2026-05-28 22:01:57,475",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4106",
            "parentcaller": "0x7ff6c28d2e59",
            "category": "misc",
            "api": "FindResourceExW",
            "status": true,
            "return": "0x2924e1b1fa8",
            "arguments": [
              {
                "name": "Module",
                "value": "0x7ff6c28b0000"
              },
              {
                "name": "Type",
                "value": "#6"
              },
              {
                "name": "Name",
                "value": "#2565"
              },
              {
                "name": "Language",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 1646
          },
          {
            "timestamp": "2026-05-28 22:01:57,475",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4106",
            "parentcaller": "0x7ff6c28d2e59",
            "category": "misc",
            "api": "LoadResource",
            "status": true,
            "return": "0x2924e1bdf94",
            "arguments": [
              {
                "name": "Module",
                "value": "0x7ff6c28b0000"
              },
              {
                "name": "ResourceInfo",
                "value": "0x2924e1b1fa8"
              }
            ],
            "repeated": 0,
            "id": 1647
          },
          {
            "timestamp": "2026-05-28 22:01:57,475",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4106",
            "parentcaller": "0x7ff6c28d2e59",
            "category": "misc",
            "api": "FindResourceExW",
            "status": true,
            "return": "0x2924e1b1fa8",
            "arguments": [
              {
                "name": "Module",
                "value": "0x7ff6c28b0000"
              },
              {
                "name": "Type",
                "value": "#6"
              },
              {
                "name": "Name",
                "value": "#2565"
              },
              {
                "name": "Language",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 1648
          },
          {
            "timestamp": "2026-05-28 22:01:57,475",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4106",
            "parentcaller": "0x7ff6c28d2e59",
            "category": "misc",
            "api": "LoadResource",
            "status": true,
            "return": "0x2924e1bdf94",
            "arguments": [
              {
                "name": "Module",
                "value": "0x7ff6c28b0000"
              },
              {
                "name": "ResourceInfo",
                "value": "0x2924e1b1fa8"
              }
            ],
            "repeated": 0,
            "id": 1649
          },
          {
            "timestamp": "2026-05-28 22:01:57,475",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4106",
            "parentcaller": "0x7ff6c28d2e59",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29253ec1000"
              },
              {
                "name": "RegionSize",
                "value": "0x00002000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1650
          },
          {
            "timestamp": "2026-05-28 22:01:57,475",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4106",
            "parentcaller": "0x7ff6c28d2e59",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29253ec3000"
              },
              {
                "name": "RegionSize",
                "value": "0x00003000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1651
          },
          {
            "timestamp": "2026-05-28 22:01:57,475",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4106",
            "parentcaller": "0x7ff6c28d2e59",
            "category": "misc",
            "api": "FindResourceExW",
            "status": true,
            "return": "0x2924e1b1e88",
            "arguments": [
              {
                "name": "Module",
                "value": "0x7ff6c28b0000"
              },
              {
                "name": "Type",
                "value": "#6"
              },
              {
                "name": "Name",
                "value": "#2326"
              },
              {
                "name": "Language",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 1652
          },
          {
            "timestamp": "2026-05-28 22:01:57,475",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4106",
            "parentcaller": "0x7ff6c28d2e59",
            "category": "misc",
            "api": "LoadResource",
            "status": true,
            "return": "0x2924e1bc4a0",
            "arguments": [
              {
                "name": "Module",
                "value": "0x7ff6c28b0000"
              },
              {
                "name": "ResourceInfo",
                "value": "0x2924e1b1e88"
              }
            ],
            "repeated": 0,
            "id": 1653
          },
          {
            "timestamp": "2026-05-28 22:01:57,475",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4106",
            "parentcaller": "0x7ff6c28d2e59",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29253ec6000"
              },
              {
                "name": "RegionSize",
                "value": "0x00003000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1654
          },
          {
            "timestamp": "2026-05-28 22:01:57,475",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4106",
            "parentcaller": "0x7ff6c28d2e59",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29253ec9000"
              },
              {
                "name": "RegionSize",
                "value": "0x00002000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1655
          },
          {
            "timestamp": "2026-05-28 22:01:57,475",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4106",
            "parentcaller": "0x7ff6c28d2e59",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29253ecb000"
              },
              {
                "name": "RegionSize",
                "value": "0x00009000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1656
          },
          {
            "timestamp": "2026-05-28 22:01:57,475",
            "thread_id": "1496",
            "caller": "0x7ff6c28da46e",
            "parentcaller": "0x7ff6c28d4106",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29253ed4000"
              },
              {
                "name": "RegionSize",
                "value": "0x00003000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1657
          },
          {
            "timestamp": "2026-05-28 22:01:57,475",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4106",
            "parentcaller": "0x7ff6c28d2e59",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29253ed7000"
              },
              {
                "name": "RegionSize",
                "value": "0x00002000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1658
          },
          {
            "timestamp": "2026-05-28 22:01:57,475",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4106",
            "parentcaller": "0x7ff6c28d2e59",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29253ed9000"
              },
              {
                "name": "RegionSize",
                "value": "0x00009000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1659
          },
          {
            "timestamp": "2026-05-28 22:01:57,475",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4106",
            "parentcaller": "0x7ff6c28d2e59",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29253ee2000"
              },
              {
                "name": "RegionSize",
                "value": "0x00005000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1660
          },
          {
            "timestamp": "2026-05-28 22:01:57,475",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4106",
            "parentcaller": "0x7ff6c28d2e59",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29253ee7000"
              },
              {
                "name": "RegionSize",
                "value": "0x00009000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1661
          },
          {
            "timestamp": "2026-05-28 22:01:57,475",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4106",
            "parentcaller": "0x7ff6c28d2e59",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00000042"
              },
              {
                "name": "uiParam",
                "value": "0x00000010"
              }
            ],
            "repeated": 0,
            "id": 1662
          },
          {
            "timestamp": "2026-05-28 22:01:57,475",
            "thread_id": "608",
            "caller": "0x7ff6c28b3dc4",
            "parentcaller": "0x7ff6c28b38f4",
            "category": "misc",
            "api": "FindResourceExW",
            "status": true,
            "return": "0x29252ef2138",
            "arguments": [
              {
                "name": "Module",
                "value": "0x7ff6c28b0000"
              },
              {
                "name": "Type",
                "value": "#14"
              },
              {
                "name": "Name",
                "value": "#38602"
              },
              {
                "name": "Language",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 1663
          },
          {
            "timestamp": "2026-05-28 22:01:57,475",
            "thread_id": "608",
            "caller": "0x7ff6c28b3dc4",
            "parentcaller": "0x7ff6c28b38f4",
            "category": "misc",
            "api": "LoadResource",
            "status": true,
            "return": "0x29252f2b7c0",
            "arguments": [
              {
                "name": "Module",
                "value": "0x7ff6c28b0000"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29252ef2138"
              }
            ],
            "repeated": 0,
            "id": 1664
          },
          {
            "timestamp": "2026-05-28 22:01:57,475",
            "thread_id": "608",
            "caller": "0x7ff6c28b3dc4",
            "parentcaller": "0x7ff6c28b38f4",
            "category": "misc",
            "api": "FindResourceExW",
            "status": true,
            "return": "0x29252ef1ee8",
            "arguments": [
              {
                "name": "Module",
                "value": "0x7ff6c28b0000"
              },
              {
                "name": "Type",
                "value": "#3"
              },
              {
                "name": "Name",
                "value": "#88"
              },
              {
                "name": "Language",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 1665
          },
          {
            "timestamp": "2026-05-28 22:01:57,475",
            "thread_id": "608",
            "caller": "0x7ff6c28b3dc4",
            "parentcaller": "0x7ff6c28b38f4",
            "category": "misc",
            "api": "LoadResource",
            "status": true,
            "return": "0x29252f2b358",
            "arguments": [
              {
                "name": "Module",
                "value": "0x7ff6c28b0000"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29252ef1ee8"
              }
            ],
            "repeated": 0,
            "id": 1666
          },
          {
            "timestamp": "2026-05-28 22:01:57,475",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4106",
            "parentcaller": "0x7ff6c28d2e59",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00000042"
              },
              {
                "name": "uiParam",
                "value": "0x00000010"
              }
            ],
            "repeated": 0,
            "id": 1667
          },
          {
            "timestamp": "2026-05-28 22:01:57,475",
            "thread_id": "608",
            "caller": "0x7ff6c28b3de8",
            "parentcaller": "0x7ff6c28b38f4",
            "category": "windows",
            "api": "FindWindowW",
            "status": true,
            "return": "0x00010092",
            "arguments": [
              {
                "name": "ClassName",
                "value": "Shell_TrayWnd"
              },
              {
                "name": "WindowName",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 1668
          },
          {
            "timestamp": "2026-05-28 22:01:57,475",
            "thread_id": "608",
            "caller": "0x7ff6c28b3de8",
            "parentcaller": "0x7ff6c28b38f4",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000508"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001000",
                "pretty_value": "PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "7912"
              }
            ],
            "repeated": 0,
            "id": 1669
          },
          {
            "timestamp": "2026-05-28 22:01:57,475",
            "thread_id": "608",
            "caller": "0x7ff6c28b3de8",
            "parentcaller": "0x7ff6c28b38f4",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000508"
              }
            ],
            "repeated": 0,
            "id": 1670
          },
          {
            "timestamp": "2026-05-28 22:01:57,475",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4106",
            "parentcaller": "0x7ff6c28d2e59",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00000042"
              },
              {
                "name": "uiParam",
                "value": "0x00000010"
              }
            ],
            "repeated": 0,
            "id": 1671
          },
          {
            "timestamp": "2026-05-28 22:01:57,475",
            "thread_id": "608",
            "caller": "0x7ff6c28b3de8",
            "parentcaller": "0x7ff6c28b38f4",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\Taskmgr.exe"
              }
            ],
            "repeated": 0,
            "id": 1672
          },
          {
            "timestamp": "2026-05-28 22:01:57,475",
            "thread_id": "608",
            "caller": "0x7ff6c28b3de8",
            "parentcaller": "0x7ff6c28b38f4",
            "category": "filesystem",
            "api": "FindFirstFileExW",
            "status": true,
            "return": "0x29253e86a00",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows"
              },
              {
                "name": "FirstCreateTimeLow",
                "value": "0x3a6eea36"
              },
              {
                "name": "FirstCreateTimeHigh",
                "value": "0x01ca0431"
              }
            ],
            "repeated": 0,
            "id": 1673
          },
          {
            "timestamp": "2026-05-28 22:01:57,475",
            "thread_id": "608",
            "caller": "0x7ff6c28b3de8",
            "parentcaller": "0x7ff6c28b38f4",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000508"
              }
            ],
            "repeated": 0,
            "id": 1674
          },
          {
            "timestamp": "2026-05-28 22:01:57,475",
            "thread_id": "608",
            "caller": "0x7ff6c28b3de8",
            "parentcaller": "0x7ff6c28b38f4",
            "category": "filesystem",
            "api": "FindFirstFileExW",
            "status": true,
            "return": "0x29253e85d40",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32"
              },
              {
                "name": "FirstCreateTimeLow",
                "value": "0x3a6eea36"
              },
              {
                "name": "FirstCreateTimeHigh",
                "value": "0x01d5acdd"
              }
            ],
            "repeated": 0,
            "id": 1675
          },
          {
            "timestamp": "2026-05-28 22:01:57,475",
            "thread_id": "608",
            "caller": "0x7ff6c28b3de8",
            "parentcaller": "0x7ff6c28b38f4",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000508"
              }
            ],
            "repeated": 0,
            "id": 1676
          },
          {
            "timestamp": "2026-05-28 22:01:57,475",
            "thread_id": "608",
            "caller": "0x7ff6c28b3de8",
            "parentcaller": "0x7ff6c28b38f4",
            "category": "filesystem",
            "api": "FindFirstFileExW",
            "status": true,
            "return": "0x29253e86ee0",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\Taskmgr.exe"
              },
              {
                "name": "FirstCreateTimeLow",
                "value": "0x6eac9751"
              },
              {
                "name": "FirstCreateTimeHigh",
                "value": "0x01da265c"
              }
            ],
            "repeated": 0,
            "id": 1677
          },
          {
            "timestamp": "2026-05-28 22:01:57,475",
            "thread_id": "608",
            "caller": "0x7ff6c28b3de8",
            "parentcaller": "0x7ff6c28b38f4",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000508"
              }
            ],
            "repeated": 0,
            "id": 1678
          },
          {
            "timestamp": "2026-05-28 22:01:57,475",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4106",
            "parentcaller": "0x7ff6c28d2e59",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00000042"
              },
              {
                "name": "uiParam",
                "value": "0x00000010"
              }
            ],
            "repeated": 1,
            "id": 1679
          },
          {
            "timestamp": "2026-05-28 22:01:57,475",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4106",
            "parentcaller": "0x7ff6c28d2e59",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00000029"
              },
              {
                "name": "uiParam",
                "value": "0x000001f8"
              }
            ],
            "repeated": 0,
            "id": 1680
          },
          {
            "timestamp": "2026-05-28 22:01:57,475",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4106",
            "parentcaller": "0x7ff6c28d2e59",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29253ef0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00012000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1681
          },
          {
            "timestamp": "2026-05-28 22:01:57,475",
            "thread_id": "1496",
            "caller": "0x7ff6c28d40a3",
            "parentcaller": "0x7ff6c28d2e59",
            "category": "misc",
            "api": "FindResourceExW",
            "status": false,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Module",
                "value": "0x7ff6c28b0000"
              },
              {
                "name": "Type",
                "value": "#2"
              },
              {
                "name": "Name",
                "value": "#31222"
              },
              {
                "name": "Language",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 1682
          },
          {
            "timestamp": "2026-05-28 22:01:57,475",
            "thread_id": "1496",
            "caller": "0x7ff6c28d40a3",
            "parentcaller": "0x7ff6c28d2e59",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000038"
              },
              {
                "name": "Milliseconds",
                "value": "18446744073709551615"
              },
              {
                "name": "Status",
                "value": "Infinite"
              }
            ],
            "repeated": 0,
            "id": 1683
          },
          {
            "timestamp": "2026-05-28 22:01:57,475",
            "thread_id": "5448",
            "caller": "0x7ff6c28dea27",
            "parentcaller": "0x7ff6c28bae2b",
            "category": "system",
            "api": "LdrpCallInitRoutine",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "MappedPath",
                "value": "\\Device\\HarddiskVolume2\\Windows\\System32\\winsta"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc75370000"
              },
              {
                "name": "InitRoutine",
                "value": "0x7ffc7537b910"
              },
              {
                "name": "Reason",
                "value": "1"
              }
            ],
            "repeated": 0,
            "id": 1684
          },
          {
            "timestamp": "2026-05-28 22:01:57,475",
            "thread_id": "5448",
            "caller": "0x7ff6c28dea27",
            "parentcaller": "0x7ff6c28bae2b",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc72b31000"
              },
              {
                "name": "ModuleName",
                "value": "WTSAPI32.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1685
          },
          {
            "timestamp": "2026-05-28 22:01:57,475",
            "thread_id": "5448",
            "caller": "0x7ff6c28dea27",
            "parentcaller": "0x7ff6c28bae2b",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc72b31000"
              },
              {
                "name": "ModuleName",
                "value": "WTSAPI32.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1686
          },
          {
            "timestamp": "2026-05-28 22:01:57,475",
            "thread_id": "5448",
            "caller": "0x7ff6c28dea27",
            "parentcaller": "0x7ff6c28bae2b",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc753c8000"
              },
              {
                "name": "ModuleName",
                "value": "WINSTA.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1687
          },
          {
            "timestamp": "2026-05-28 22:01:57,475",
            "thread_id": "5448",
            "caller": "0x7ff6c28dea27",
            "parentcaller": "0x7ff6c28bae2b",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc753c8000"
              },
              {
                "name": "ModuleName",
                "value": "WINSTA.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1688
          },
          {
            "timestamp": "2026-05-28 22:01:57,475",
            "thread_id": "5448",
            "caller": "0x7ff6c28dea27",
            "parentcaller": "0x7ff6c28bae2b",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "ntdll.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc77fd0000"
              }
            ],
            "repeated": 0,
            "id": 1689
          },
          {
            "timestamp": "2026-05-28 22:01:57,475",
            "thread_id": "5448",
            "caller": "0x7ff6c28dea27",
            "parentcaller": "0x7ff6c28bae2b",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x7ffc77fd0000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "ntdll.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00000800"
              }
            ],
            "repeated": 0,
            "id": 1690
          },
          {
            "timestamp": "2026-05-28 22:01:57,475",
            "thread_id": "5448",
            "caller": "0x7ff6c28dea27",
            "parentcaller": "0x7ff6c28bae2b",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc77fd0000"
              },
              {
                "name": "FunctionName",
                "value": "RtlGetSuiteMask"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc7800cc10"
              }
            ],
            "repeated": 0,
            "id": 1691
          },
          {
            "timestamp": "2026-05-28 22:01:57,475",
            "thread_id": "5448",
            "caller": "0x7ff6c28dea27",
            "parentcaller": "0x7ff6c28bae2b",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc753c8000"
              },
              {
                "name": "ModuleName",
                "value": "WINSTA.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1692
          },
          {
            "timestamp": "2026-05-28 22:01:57,475",
            "thread_id": "5448",
            "caller": "0x7ff6c28dea27",
            "parentcaller": "0x7ff6c28bae2b",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc753c8000"
              },
              {
                "name": "ModuleName",
                "value": "WINSTA.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1693
          },
          {
            "timestamp": "2026-05-28 22:01:57,475",
            "thread_id": "5448",
            "caller": "0x7ff6c28dea27",
            "parentcaller": "0x7ff6c28bae2b",
            "category": "system",
            "api": "NtDuplicateObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SourceProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "SourceHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "TargetProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "TargetHandle",
                "value": "0x00000528"
              },
              {
                "name": "Options",
                "value": "0x00000002"
              }
            ],
            "repeated": 0,
            "id": 1694
          },
          {
            "timestamp": "2026-05-28 22:01:57,475",
            "thread_id": "5448",
            "caller": "0x7ff6c28dea27",
            "parentcaller": "0x7ff6c28bae2b",
            "category": "synchronization",
            "api": "NtOpenEvent",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000052c"
              },
              {
                "name": "EventName",
                "value": "Global\\TermSrvReadyEvent"
              }
            ],
            "repeated": 0,
            "id": 1695
          },
          {
            "timestamp": "2026-05-28 22:01:57,475",
            "thread_id": "5448",
            "caller": "0x7ff6c28dea27",
            "parentcaller": "0x7ff6c28bae2b",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000052c"
              },
              {
                "name": "Milliseconds",
                "value": "18446744073709551615"
              },
              {
                "name": "Status",
                "value": "Infinite"
              }
            ],
            "repeated": 0,
            "id": 1696
          },
          {
            "timestamp": "2026-05-28 22:01:57,475",
            "thread_id": "5448",
            "caller": "0x7ff6c28dea27",
            "parentcaller": "0x7ff6c28bae2b",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "29"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1697
          },
          {
            "timestamp": "2026-05-28 22:01:57,475",
            "thread_id": "612",
            "caller": "0x7ff6c28dd762",
            "parentcaller": "0x7ff6c28e289e",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "93"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x7f7\\x9e}"
              }
            ],
            "repeated": 0,
            "id": 1698
          },
          {
            "timestamp": "2026-05-28 22:01:57,475",
            "thread_id": "612",
            "caller": "0x7ff6c28dd762",
            "parentcaller": "0x7ff6c28e289e",
            "category": "process",
            "api": "NtOpenSection",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0000000d"
              },
              {
                "name": "ObjectAttributes",
                "value": "XmlLite.dll"
              }
            ],
            "repeated": 0,
            "id": 1699
          },
          {
            "timestamp": "2026-05-28 22:01:57,475",
            "thread_id": "612",
            "caller": "0x7ff6c28dd762",
            "parentcaller": "0x7ff6c28e289e",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\xmllite.dll"
              }
            ],
            "repeated": 0,
            "id": 1700
          },
          {
            "timestamp": "2026-05-28 22:01:57,475",
            "thread_id": "612",
            "caller": "0x7ff6c28dd762",
            "parentcaller": "0x7ff6c28e289e",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000534"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100021",
                "pretty_value": "FILE_READ_ACCESS|FILE_EXECUTE|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\xmllite.dll"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 1701
          },
          {
            "timestamp": "2026-05-28 22:01:57,475",
            "thread_id": "612",
            "caller": "0x7ff6c28dd762",
            "parentcaller": "0x7ff6c28e289e",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000508"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0000000d",
                "pretty_value": "SECTION_QUERY|SECTION_MAP_READ|SECTION_MAP_EXECUTE"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000534"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\xmllite.dll"
              }
            ],
            "repeated": 0,
            "id": 1702
          },
          {
            "timestamp": "2026-05-28 22:01:57,475",
            "thread_id": "612",
            "caller": "0x7ff6c28dd762",
            "parentcaller": "0x7ff6c28e289e",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000508"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc711f0000"
              },
              {
                "name": "SectionOffset",
                "value": "0x00000000"
              },
              {
                "name": "ViewSize",
                "value": "0x00036000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000080",
                "pretty_value": "PAGE_EXECUTE_WRITECOPY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1703
          },
          {
            "timestamp": "2026-05-28 22:01:57,475",
            "thread_id": "612",
            "caller": "0x7ff6c28dd762",
            "parentcaller": "0x7ff6c28e289e",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc71219000"
              },
              {
                "name": "ModuleName",
                "value": "XmlLite.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1704
          },
          {
            "timestamp": "2026-05-28 22:01:57,475",
            "thread_id": "612",
            "caller": "0x7ff6c28dd762",
            "parentcaller": "0x7ff6c28e289e",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc71219000"
              },
              {
                "name": "ModuleName",
                "value": "XmlLite.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1705
          },
          {
            "timestamp": "2026-05-28 22:01:57,475",
            "thread_id": "612",
            "caller": "0x7ff6c28dd762",
            "parentcaller": "0x7ff6c28e289e",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc71219000"
              },
              {
                "name": "ModuleName",
                "value": "XmlLite.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1706
          },
          {
            "timestamp": "2026-05-28 22:01:57,475",
            "thread_id": "612",
            "caller": "0x7ff6c28dd762",
            "parentcaller": "0x7ff6c28e289e",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc71219000"
              },
              {
                "name": "ModuleName",
                "value": "XmlLite.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1707
          },
          {
            "timestamp": "2026-05-28 22:01:57,475",
            "thread_id": "612",
            "caller": "0x7ff6c28dd762",
            "parentcaller": "0x7ff6c28e289e",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc71219000"
              },
              {
                "name": "ModuleName",
                "value": "XmlLite.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1708
          },
          {
            "timestamp": "2026-05-28 22:01:57,475",
            "thread_id": "612",
            "caller": "0x7ff6c28dd762",
            "parentcaller": "0x7ff6c28e289e",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000508"
              }
            ],
            "repeated": 0,
            "id": 1709
          },
          {
            "timestamp": "2026-05-28 22:01:57,475",
            "thread_id": "612",
            "caller": "0x7ff6c28dd762",
            "parentcaller": "0x7ff6c28e289e",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000534"
              }
            ],
            "repeated": 0,
            "id": 1710
          },
          {
            "timestamp": "2026-05-28 22:01:57,475",
            "thread_id": "612",
            "caller": "0x7ff6c28dd762",
            "parentcaller": "0x7ff6c28e289e",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc71219000"
              },
              {
                "name": "ModuleName",
                "value": "XmlLite.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1711
          },
          {
            "timestamp": "2026-05-28 22:01:57,475",
            "thread_id": "612",
            "caller": "0x7ff6c28dd762",
            "parentcaller": "0x7ff6c28e289e",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\system32\\XmlLite"
              },
              {
                "name": "DllBase",
                "value": "0x7ffc711f0000"
              }
            ],
            "repeated": 0,
            "id": 1712
          },
          {
            "timestamp": "2026-05-28 22:01:57,475",
            "thread_id": "608",
            "caller": "0x7ff6c28b3dc4",
            "parentcaller": "0x7ff6c28b38f4",
            "category": "misc",
            "api": "FindResourceExW",
            "status": true,
            "return": "0x29252ef2148",
            "arguments": [
              {
                "name": "Module",
                "value": "0x7ff6c28b0000"
              },
              {
                "name": "Type",
                "value": "#14"
              },
              {
                "name": "Name",
                "value": "#38603"
              },
              {
                "name": "Language",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 1713
          },
          {
            "timestamp": "2026-05-28 22:01:57,475",
            "thread_id": "608",
            "caller": "0x7ff6c28b3dc4",
            "parentcaller": "0x7ff6c28b38f4",
            "category": "misc",
            "api": "LoadResource",
            "status": true,
            "return": "0x29252f2bc40",
            "arguments": [
              {
                "name": "Module",
                "value": "0x7ff6c28b0000"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29252ef2148"
              }
            ],
            "repeated": 0,
            "id": 1714
          },
          {
            "timestamp": "2026-05-28 22:01:57,475",
            "thread_id": "608",
            "caller": "0x7ff6c28b3dc4",
            "parentcaller": "0x7ff6c28b38f4",
            "category": "misc",
            "api": "FindResourceExW",
            "status": true,
            "return": "0x29252ef1ef8",
            "arguments": [
              {
                "name": "Module",
                "value": "0x7ff6c28b0000"
              },
              {
                "name": "Type",
                "value": "#3"
              },
              {
                "name": "Name",
                "value": "#89"
              },
              {
                "name": "Language",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 1715
          },
          {
            "timestamp": "2026-05-28 22:01:57,475",
            "thread_id": "608",
            "caller": "0x7ff6c28b3dc4",
            "parentcaller": "0x7ff6c28b38f4",
            "category": "misc",
            "api": "LoadResource",
            "status": true,
            "return": "0x29252f2b7d8",
            "arguments": [
              {
                "name": "Module",
                "value": "0x7ff6c28b0000"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29252ef1ef8"
              }
            ],
            "repeated": 0,
            "id": 1716
          },
          {
            "timestamp": "2026-05-28 22:01:57,475",
            "thread_id": "608",
            "caller": "0x7ff6c28b3de8",
            "parentcaller": "0x7ff6c28b38f4",
            "category": "windows",
            "api": "FindWindowW",
            "status": true,
            "return": "0x00010092",
            "arguments": [
              {
                "name": "ClassName",
                "value": "Shell_TrayWnd"
              },
              {
                "name": "WindowName",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 1717
          },
          {
            "timestamp": "2026-05-28 22:01:57,475",
            "thread_id": "608",
            "caller": "0x7ff6c28b3de8",
            "parentcaller": "0x7ff6c28b38f4",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000534"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001000",
                "pretty_value": "PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "7912"
              }
            ],
            "repeated": 0,
            "id": 1718
          },
          {
            "timestamp": "2026-05-28 22:01:57,475",
            "thread_id": "608",
            "caller": "0x7ff6c28b3de8",
            "parentcaller": "0x7ff6c28b38f4",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000534"
              }
            ],
            "repeated": 0,
            "id": 1719
          },
          {
            "timestamp": "2026-05-28 22:01:57,475",
            "thread_id": "608",
            "caller": "0x7ff6c28b3de8",
            "parentcaller": "0x7ff6c28b38f4",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\Taskmgr.exe"
              }
            ],
            "repeated": 0,
            "id": 1720
          },
          {
            "timestamp": "2026-05-28 22:01:57,475",
            "thread_id": "608",
            "caller": "0x7ff6c28b3de8",
            "parentcaller": "0x7ff6c28b38f4",
            "category": "filesystem",
            "api": "FindFirstFileExW",
            "status": true,
            "return": "0x29253e85d40",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows"
              },
              {
                "name": "FirstCreateTimeLow",
                "value": "0x3a6eea36"
              },
              {
                "name": "FirstCreateTimeHigh",
                "value": "0x01ca0431"
              }
            ],
            "repeated": 0,
            "id": 1721
          },
          {
            "timestamp": "2026-05-28 22:01:57,475",
            "thread_id": "5448",
            "caller": "0x7ff6c28dea27",
            "parentcaller": "0x7ff6c28bae2b",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "29"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1722
          },
          {
            "timestamp": "2026-05-28 22:01:57,475",
            "thread_id": "608",
            "caller": "0x7ff6c28b3de8",
            "parentcaller": "0x7ff6c28b38f4",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000534"
              }
            ],
            "repeated": 0,
            "id": 1723
          },
          {
            "timestamp": "2026-05-28 22:01:57,475",
            "thread_id": "5448",
            "caller": "0x7ff6c28dea27",
            "parentcaller": "0x7ff6c28bae2b",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 1724
          },
          {
            "timestamp": "2026-05-28 22:01:57,475",
            "thread_id": "608",
            "caller": "0x7ff6c28b3de8",
            "parentcaller": "0x7ff6c28b38f4",
            "category": "filesystem",
            "api": "FindFirstFileExW",
            "status": true,
            "return": "0x29253e87300",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32"
              },
              {
                "name": "FirstCreateTimeLow",
                "value": "0x3a6eea36"
              },
              {
                "name": "FirstCreateTimeHigh",
                "value": "0x01d5acdd"
              }
            ],
            "repeated": 0,
            "id": 1725
          },
          {
            "timestamp": "2026-05-28 22:01:57,490",
            "thread_id": "608",
            "caller": "0x7ff6c28b3de8",
            "parentcaller": "0x7ff6c28b38f4",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000534"
              }
            ],
            "repeated": 0,
            "id": 1726
          },
          {
            "timestamp": "2026-05-28 22:01:57,490",
            "thread_id": "608",
            "caller": "0x7ff6c28b3de8",
            "parentcaller": "0x7ff6c28b38f4",
            "category": "filesystem",
            "api": "FindFirstFileExW",
            "status": true,
            "return": "0x29253e862e0",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\Taskmgr.exe"
              },
              {
                "name": "FirstCreateTimeLow",
                "value": "0x6eac9751"
              },
              {
                "name": "FirstCreateTimeHigh",
                "value": "0x01da265c"
              }
            ],
            "repeated": 0,
            "id": 1727
          },
          {
            "timestamp": "2026-05-28 22:01:57,490",
            "thread_id": "608",
            "caller": "0x7ff6c28b3de8",
            "parentcaller": "0x7ff6c28b38f4",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000534"
              }
            ],
            "repeated": 0,
            "id": 1728
          },
          {
            "timestamp": "2026-05-28 22:01:57,490",
            "thread_id": "5448",
            "caller": "0x7ff6c28dea27",
            "parentcaller": "0x7ff6c28bae2b",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 1729
          },
          {
            "timestamp": "2026-05-28 22:01:57,490",
            "thread_id": "5448",
            "caller": "0x7ff6c28b747a",
            "parentcaller": "0x7ff6c28b6ac3",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x00000534"
              }
            ],
            "repeated": 0,
            "id": 1730
          },
          {
            "timestamp": "2026-05-28 22:01:57,490",
            "thread_id": "5448",
            "caller": "0x7ff6c28b747a",
            "parentcaller": "0x7ff6c28b6ac3",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "12"
              },
              {
                "name": "TokenInformation",
                "value": "\\x01\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1731
          },
          {
            "timestamp": "2026-05-28 22:01:57,490",
            "thread_id": "5448",
            "caller": "0x7ff6c28b747a",
            "parentcaller": "0x7ff6c28b6ac3",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000534"
              }
            ],
            "repeated": 0,
            "id": 1732
          },
          {
            "timestamp": "2026-05-28 22:01:57,490",
            "thread_id": "5448",
            "caller": "0x7ff6c28b747a",
            "parentcaller": "0x7ff6c28b6ac3",
            "category": "synchronization",
            "api": "NtOpenEvent",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000534"
              },
              {
                "name": "EventName",
                "value": "Global\\TermSrvReadyEvent"
              }
            ],
            "repeated": 0,
            "id": 1733
          },
          {
            "timestamp": "2026-05-28 22:01:57,490",
            "thread_id": "5448",
            "caller": "0x7ff6c28b747a",
            "parentcaller": "0x7ff6c28b6ac3",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 1734
          },
          {
            "timestamp": "2026-05-28 22:01:57,490",
            "thread_id": "5448",
            "caller": "0x7ff6c28b747a",
            "parentcaller": "0x7ff6c28b6ac3",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000534"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 1735
          },
          {
            "timestamp": "2026-05-28 22:01:57,490",
            "thread_id": "5448",
            "caller": "0x7ff6c28b747a",
            "parentcaller": "0x7ff6c28b6ac3",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000534"
              }
            ],
            "repeated": 0,
            "id": 1736
          },
          {
            "timestamp": "2026-05-28 22:01:57,490",
            "thread_id": "5448",
            "caller": "0x7ff6c28b747a",
            "parentcaller": "0x7ff6c28b6ac3",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000052c"
              },
              {
                "name": "Milliseconds",
                "value": "18446744073709551615"
              },
              {
                "name": "Status",
                "value": "Infinite"
              }
            ],
            "repeated": 0,
            "id": 1737
          },
          {
            "timestamp": "2026-05-28 22:01:57,490",
            "thread_id": "5448",
            "caller": "0x7ff6c28b737a",
            "parentcaller": "0x7ff6c28b6adb",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x00000534"
              }
            ],
            "repeated": 0,
            "id": 1738
          },
          {
            "timestamp": "2026-05-28 22:01:57,490",
            "thread_id": "5448",
            "caller": "0x7ff6c28b737a",
            "parentcaller": "0x7ff6c28b6adb",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "12"
              },
              {
                "name": "TokenInformation",
                "value": "\\x01\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1739
          },
          {
            "timestamp": "2026-05-28 22:01:57,490",
            "thread_id": "5448",
            "caller": "0x7ff6c28b737a",
            "parentcaller": "0x7ff6c28b6adb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000534"
              }
            ],
            "repeated": 0,
            "id": 1740
          },
          {
            "timestamp": "2026-05-28 22:01:57,490",
            "thread_id": "5448",
            "caller": "0x7ff6c28b737a",
            "parentcaller": "0x7ff6c28b6adb",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000052c"
              },
              {
                "name": "Milliseconds",
                "value": "18446744073709551615"
              },
              {
                "name": "Status",
                "value": "Infinite"
              }
            ],
            "repeated": 2,
            "id": 1741
          },
          {
            "timestamp": "2026-05-28 22:01:57,490",
            "thread_id": "5448",
            "caller": "0x7ff6c28b737a",
            "parentcaller": "0x7ff6c28b6adb",
            "category": "system",
            "api": "NtQuerySystemTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 1742
          },
          {
            "timestamp": "2026-05-28 22:01:57,490",
            "thread_id": "5448",
            "caller": "0x7ff6c28b72a3",
            "parentcaller": "0x7ff6c28b6af5",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x00000534"
              }
            ],
            "repeated": 0,
            "id": 1743
          },
          {
            "timestamp": "2026-05-28 22:01:57,490",
            "thread_id": "5448",
            "caller": "0x7ff6c28b72a3",
            "parentcaller": "0x7ff6c28b6af5",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "12"
              },
              {
                "name": "TokenInformation",
                "value": "\\x01\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1744
          },
          {
            "timestamp": "2026-05-28 22:01:57,490",
            "thread_id": "5448",
            "caller": "0x7ff6c28b72a3",
            "parentcaller": "0x7ff6c28b6af5",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000534"
              }
            ],
            "repeated": 0,
            "id": 1745
          },
          {
            "timestamp": "2026-05-28 22:01:57,490",
            "thread_id": "5448",
            "caller": "0x7ff6c28b72a3",
            "parentcaller": "0x7ff6c28b6af5",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000052c"
              },
              {
                "name": "Milliseconds",
                "value": "18446744073709551615"
              },
              {
                "name": "Status",
                "value": "Infinite"
              }
            ],
            "repeated": 2,
            "id": 1746
          },
          {
            "timestamp": "2026-05-28 22:01:57,490",
            "thread_id": "5448",
            "caller": "0x7ff6c28b72a3",
            "parentcaller": "0x7ff6c28b6af5",
            "category": "system",
            "api": "NtQuerySystemTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 1747
          },
          {
            "timestamp": "2026-05-28 22:01:57,490",
            "thread_id": "5448",
            "caller": "0x7ff6c28b70f6",
            "parentcaller": "0x7ff6c28b6b0a",
            "category": "misc",
            "api": "GetComputerNameW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ComputerName",
                "value": "JOHNS-PC"
              }
            ],
            "repeated": 0,
            "id": 1748
          },
          {
            "timestamp": "2026-05-28 22:01:57,490",
            "thread_id": "5448",
            "caller": "0x7ff6c28b702a",
            "parentcaller": "0x7ff6c28b6b22",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x00000534"
              }
            ],
            "repeated": 0,
            "id": 1749
          },
          {
            "timestamp": "2026-05-28 22:01:57,490",
            "thread_id": "5448",
            "caller": "0x7ff6c28b702a",
            "parentcaller": "0x7ff6c28b6b22",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "12"
              },
              {
                "name": "TokenInformation",
                "value": "\\x01\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1750
          },
          {
            "timestamp": "2026-05-28 22:01:57,490",
            "thread_id": "5448",
            "caller": "0x7ff6c28b702a",
            "parentcaller": "0x7ff6c28b6b22",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000534"
              }
            ],
            "repeated": 0,
            "id": 1751
          },
          {
            "timestamp": "2026-05-28 22:01:57,490",
            "thread_id": "5448",
            "caller": "0x7ff6c28b702a",
            "parentcaller": "0x7ff6c28b6b22",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000052c"
              },
              {
                "name": "Milliseconds",
                "value": "18446744073709551615"
              },
              {
                "name": "Status",
                "value": "Infinite"
              }
            ],
            "repeated": 1,
            "id": 1752
          },
          {
            "timestamp": "2026-05-28 22:01:57,490",
            "thread_id": "5448",
            "caller": "0x7ff6c28b702a",
            "parentcaller": "0x7ff6c28b6b22",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "29"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1753
          },
          {
            "timestamp": "2026-05-28 22:01:57,490",
            "thread_id": "5448",
            "caller": "0x7ff6c28b702a",
            "parentcaller": "0x7ff6c28b6b22",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 1,
            "id": 1754
          },
          {
            "timestamp": "2026-05-28 22:01:57,490",
            "thread_id": "5448",
            "caller": "0x7ff6c28b702a",
            "parentcaller": "0x7ff6c28b6b22",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "29"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1755
          },
          {
            "timestamp": "2026-05-28 22:01:57,490",
            "thread_id": "5448",
            "caller": "0x7ff6c28b702a",
            "parentcaller": "0x7ff6c28b6b22",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 1,
            "id": 1756
          },
          {
            "timestamp": "2026-05-28 22:01:57,490",
            "thread_id": "5448",
            "caller": "0x7ff6c28b702a",
            "parentcaller": "0x7ff6c28b6b22",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "29"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1757
          },
          {
            "timestamp": "2026-05-28 22:01:57,490",
            "thread_id": "5448",
            "caller": "0x7ff6c28b702a",
            "parentcaller": "0x7ff6c28b6b22",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 1,
            "id": 1758
          },
          {
            "timestamp": "2026-05-28 22:01:57,490",
            "thread_id": "5448",
            "caller": "0x7ff6c28b702a",
            "parentcaller": "0x7ff6c28b6b22",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "29"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1759
          },
          {
            "timestamp": "2026-05-28 22:01:57,490",
            "thread_id": "5448",
            "caller": "0x7ff6c28b702a",
            "parentcaller": "0x7ff6c28b6b22",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 1,
            "id": 1760
          },
          {
            "timestamp": "2026-05-28 22:01:57,490",
            "thread_id": "5448",
            "caller": "0x7ff6c28b6f26",
            "parentcaller": "0x7ff6c28b6b30",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x00000534"
              }
            ],
            "repeated": 0,
            "id": 1761
          },
          {
            "timestamp": "2026-05-28 22:01:57,490",
            "thread_id": "5448",
            "caller": "0x7ff6c28b6f26",
            "parentcaller": "0x7ff6c28b6b30",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "12"
              },
              {
                "name": "TokenInformation",
                "value": "\\x01\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1762
          },
          {
            "timestamp": "2026-05-28 22:01:57,490",
            "thread_id": "5448",
            "caller": "0x7ff6c28b6f26",
            "parentcaller": "0x7ff6c28b6b30",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000534"
              }
            ],
            "repeated": 0,
            "id": 1763
          },
          {
            "timestamp": "2026-05-28 22:01:57,490",
            "thread_id": "5448",
            "caller": "0x7ff6c28b6f26",
            "parentcaller": "0x7ff6c28b6b30",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000052c"
              },
              {
                "name": "Milliseconds",
                "value": "18446744073709551615"
              },
              {
                "name": "Status",
                "value": "Infinite"
              }
            ],
            "repeated": 2,
            "id": 1764
          },
          {
            "timestamp": "2026-05-28 22:01:57,490",
            "thread_id": "5448",
            "caller": "0x7ff6c28b6f26",
            "parentcaller": "0x7ff6c28b6b30",
            "category": "system",
            "api": "NtQuerySystemTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 1765
          },
          {
            "timestamp": "2026-05-28 22:01:57,490",
            "thread_id": "612",
            "caller": "0x7ff6c28dd762",
            "parentcaller": "0x7ff6c28e289e",
            "category": "system",
            "api": "LdrpCallInitRoutine",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "MappedPath",
                "value": "\\Device\\HarddiskVolume2\\Windows\\System32\\xmllite"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc711f0000"
              },
              {
                "name": "InitRoutine",
                "value": "0x7ffc711ff5a0"
              },
              {
                "name": "Reason",
                "value": "1"
              }
            ],
            "repeated": 0,
            "id": 1766
          },
          {
            "timestamp": "2026-05-28 22:01:57,490",
            "thread_id": "612",
            "caller": "0x7ff6c28dd762",
            "parentcaller": "0x7ff6c28e289e",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff6c29dc000"
              },
              {
                "name": "ModuleName",
                "value": "taskmgr.exe"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1767
          },
          {
            "timestamp": "2026-05-28 22:01:57,490",
            "thread_id": "612",
            "caller": "0x7ff6c28dd762",
            "parentcaller": "0x7ff6c28e289e",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff6c29dc000"
              },
              {
                "name": "ModuleName",
                "value": "taskmgr.exe"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1768
          },
          {
            "timestamp": "2026-05-28 22:01:57,490",
            "thread_id": "612",
            "caller": "0x7ff6c297a793",
            "parentcaller": "0x7ff6c297b1f4",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000498"
              },
              {
                "name": "Milliseconds",
                "value": "18446744073709551615"
              },
              {
                "name": "Status",
                "value": "Infinite"
              }
            ],
            "repeated": 0,
            "id": 1769
          },
          {
            "timestamp": "2026-05-28 22:01:57,490",
            "thread_id": "612",
            "caller": "0x7ff6c297a793",
            "parentcaller": "0x7ff6c297b1f4",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 1770
          },
          {
            "timestamp": "2026-05-28 22:01:57,490",
            "thread_id": "612",
            "caller": "0x7ff6c297a793",
            "parentcaller": "0x7ff6c297b1f4",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000498"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 1771
          },
          {
            "timestamp": "2026-05-28 22:01:57,490",
            "thread_id": "612",
            "caller": "0x7ff6c297a793",
            "parentcaller": "0x7ff6c297b1f4",
            "category": "synchronization",
            "api": "NtReleaseMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000498"
              }
            ],
            "repeated": 0,
            "id": 1772
          },
          {
            "timestamp": "2026-05-28 22:01:57,490",
            "thread_id": "60",
            "caller": "0x7ffc7804507d",
            "parentcaller": "0x7ffc78044c43",
            "category": "threading",
            "api": "NtTestAlert",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 1773
          },
          {
            "timestamp": "2026-05-28 22:01:57,490",
            "thread_id": "60",
            "caller": "0x00000000",
            "parentcaller": "0x00000000",
            "category": "threading",
            "api": "RtlUserThreadStart",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "StartAddress",
                "value": "0x7ffc77c12d30"
              },
              {
                "name": "Parameter",
                "value": "0x2924e2ec050"
              }
            ],
            "repeated": 0,
            "id": 1774
          },
          {
            "timestamp": "2026-05-28 22:01:57,490",
            "thread_id": "1004",
            "caller": "0x7ffc7804507d",
            "parentcaller": "0x7ffc78044c43",
            "category": "threading",
            "api": "NtTestAlert",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 1775
          },
          {
            "timestamp": "2026-05-28 22:01:57,490",
            "thread_id": "1004",
            "caller": "0x00000000",
            "parentcaller": "0x00000000",
            "category": "threading",
            "api": "RtlUserThreadStart",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "StartAddress",
                "value": "0x7ffc78022b30"
              },
              {
                "name": "Parameter",
                "value": "0x2924e1f0b50"
              }
            ],
            "repeated": 0,
            "id": 1776
          },
          {
            "timestamp": "2026-05-28 22:01:57,490",
            "thread_id": "520",
            "caller": "0x7ff6c28d5dec",
            "parentcaller": "0x7ff6c28de0ed",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "93"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x7f7\\x9e}"
              }
            ],
            "repeated": 1,
            "id": 1777
          },
          {
            "timestamp": "2026-05-28 22:01:57,490",
            "thread_id": "520",
            "caller": "0x7ff6c28d5dec",
            "parentcaller": "0x7ff6c28de0ed",
            "category": "system",
            "api": "NtDuplicateObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SourceProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "SourceHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "TargetProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "TargetHandle",
                "value": "0x00000534"
              },
              {
                "name": "Options",
                "value": "0x00000002"
              }
            ],
            "repeated": 0,
            "id": 1778
          },
          {
            "timestamp": "2026-05-28 22:01:57,490",
            "thread_id": "1496",
            "caller": "0x7ff6c28d40a3",
            "parentcaller": "0x7ff6c28d2e59",
            "category": "process",
            "api": "NtOpenSection",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0000000d"
              },
              {
                "name": "ObjectAttributes",
                "value": "WindowsCodecs.dll"
              }
            ],
            "repeated": 0,
            "id": 1779
          },
          {
            "timestamp": "2026-05-28 22:01:57,490",
            "thread_id": "520",
            "caller": "0x7ff6c28d5dec",
            "parentcaller": "0x7ff6c28de0ed",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000052c"
              },
              {
                "name": "Milliseconds",
                "value": "18446744073709551615"
              },
              {
                "name": "Status",
                "value": "Infinite"
              }
            ],
            "repeated": 0,
            "id": 1780
          },
          {
            "timestamp": "2026-05-28 22:01:57,490",
            "thread_id": "1496",
            "caller": "0x7ff6c28d40a3",
            "parentcaller": "0x7ff6c28d2e59",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\WindowsCodecs.dll"
              }
            ],
            "repeated": 0,
            "id": 1781
          },
          {
            "timestamp": "2026-05-28 22:01:57,490",
            "thread_id": "1496",
            "caller": "0x7ff6c28d40a3",
            "parentcaller": "0x7ff6c28d2e59",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000508"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100021",
                "pretty_value": "FILE_READ_ACCESS|FILE_EXECUTE|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\WindowsCodecs.dll"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 1782
          },
          {
            "timestamp": "2026-05-28 22:01:57,490",
            "thread_id": "1496",
            "caller": "0x7ff6c28d40a3",
            "parentcaller": "0x7ff6c28d2e59",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x0000053c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0000000d",
                "pretty_value": "SECTION_QUERY|SECTION_MAP_READ|SECTION_MAP_EXECUTE"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000508"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\WindowsCodecs.dll"
              }
            ],
            "repeated": 0,
            "id": 1783
          },
          {
            "timestamp": "2026-05-28 22:01:57,490",
            "thread_id": "608",
            "caller": "0x7ff6c28b3dc4",
            "parentcaller": "0x7ff6c28b38f4",
            "category": "misc",
            "api": "FindResourceExW",
            "status": true,
            "return": "0x29252ef2158",
            "arguments": [
              {
                "name": "Module",
                "value": "0x7ff6c28b0000"
              },
              {
                "name": "Type",
                "value": "#14"
              },
              {
                "name": "Name",
                "value": "#38604"
              },
              {
                "name": "Language",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 1784
          },
          {
            "timestamp": "2026-05-28 22:01:57,490",
            "thread_id": "608",
            "caller": "0x7ff6c28b3dc4",
            "parentcaller": "0x7ff6c28b38f4",
            "category": "misc",
            "api": "LoadResource",
            "status": true,
            "return": "0x29252f2c0c0",
            "arguments": [
              {
                "name": "Module",
                "value": "0x7ff6c28b0000"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29252ef2158"
              }
            ],
            "repeated": 0,
            "id": 1785
          },
          {
            "timestamp": "2026-05-28 22:01:57,490",
            "thread_id": "1496",
            "caller": "0x7ff6c28d40a3",
            "parentcaller": "0x7ff6c28d2e59",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x0000053c"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc701e0000"
              },
              {
                "name": "SectionOffset",
                "value": "0x00000000"
              },
              {
                "name": "ViewSize",
                "value": "0x001b4000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000080",
                "pretty_value": "PAGE_EXECUTE_WRITECOPY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1786
          },
          {
            "timestamp": "2026-05-28 22:01:57,490",
            "thread_id": "608",
            "caller": "0x7ff6c28b3dc4",
            "parentcaller": "0x7ff6c28b38f4",
            "category": "misc",
            "api": "LoadResource",
            "status": true,
            "return": "0x29252f2bc58",
            "arguments": [
              {
                "name": "Module",
                "value": "0x7ff6c28b0000"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29252ef1f08"
              }
            ],
            "repeated": 0,
            "id": 1787
          },
          {
            "timestamp": "2026-05-28 22:01:57,490",
            "thread_id": "1496",
            "caller": "0x7ff6c28d40a3",
            "parentcaller": "0x7ff6c28d2e59",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc7038c000"
              },
              {
                "name": "ModuleName",
                "value": "WindowsCodecs.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1788
          },
          {
            "timestamp": "2026-05-28 22:01:57,490",
            "thread_id": "1496",
            "caller": "0x7ff6c28d40a3",
            "parentcaller": "0x7ff6c28d2e59",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc70340000"
              },
              {
                "name": "ModuleName",
                "value": "WindowsCodecs.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1789
          },
          {
            "timestamp": "2026-05-28 22:01:57,490",
            "thread_id": "1496",
            "caller": "0x7ff6c28d40a3",
            "parentcaller": "0x7ff6c28d2e59",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc70340000"
              },
              {
                "name": "ModuleName",
                "value": "WindowsCodecs.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1790
          },
          {
            "timestamp": "2026-05-28 22:01:57,490",
            "thread_id": "1496",
            "caller": "0x7ff6c28d40a3",
            "parentcaller": "0x7ff6c28d2e59",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc70340000"
              },
              {
                "name": "ModuleName",
                "value": "WindowsCodecs.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1791
          },
          {
            "timestamp": "2026-05-28 22:01:57,490",
            "thread_id": "1496",
            "caller": "0x7ff6c28d40a3",
            "parentcaller": "0x7ff6c28d2e59",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc70340000"
              },
              {
                "name": "ModuleName",
                "value": "WindowsCodecs.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1792
          },
          {
            "timestamp": "2026-05-28 22:01:57,490",
            "thread_id": "1496",
            "caller": "0x7ffc77fe5082",
            "parentcaller": "0x7ffc77fe79d2",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc70340000"
              },
              {
                "name": "ModuleName",
                "value": "WindowsCodecs.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1793
          },
          {
            "timestamp": "2026-05-28 22:01:57,490",
            "thread_id": "608",
            "caller": "0x7ff6c28b3de8",
            "parentcaller": "0x7ff6c28b38f4",
            "category": "windows",
            "api": "FindWindowW",
            "status": true,
            "return": "0x00010092",
            "arguments": [
              {
                "name": "ClassName",
                "value": "Shell_TrayWnd"
              },
              {
                "name": "WindowName",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 1794
          },
          {
            "timestamp": "2026-05-28 22:01:57,490",
            "thread_id": "608",
            "caller": "0x7ff6c28b3de8",
            "parentcaller": "0x7ff6c28b38f4",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000540"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001000",
                "pretty_value": "PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "7912"
              }
            ],
            "repeated": 0,
            "id": 1795
          },
          {
            "timestamp": "2026-05-28 22:01:57,490",
            "thread_id": "1496",
            "caller": "0x7ff6c28d40a3",
            "parentcaller": "0x7ff6c28d2e59",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000053c"
              }
            ],
            "repeated": 0,
            "id": 1796
          },
          {
            "timestamp": "2026-05-28 22:01:57,490",
            "thread_id": "1496",
            "caller": "0x7ff6c28d40a3",
            "parentcaller": "0x7ff6c28d2e59",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000508"
              }
            ],
            "repeated": 0,
            "id": 1797
          },
          {
            "timestamp": "2026-05-28 22:01:57,490",
            "thread_id": "608",
            "caller": "0x7ff6c28b3de8",
            "parentcaller": "0x7ff6c28b38f4",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000540"
              }
            ],
            "repeated": 0,
            "id": 1798
          },
          {
            "timestamp": "2026-05-28 22:01:57,490",
            "thread_id": "608",
            "caller": "0x7ff6c28b3de8",
            "parentcaller": "0x7ff6c28b38f4",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\Taskmgr.exe"
              }
            ],
            "repeated": 0,
            "id": 1799
          },
          {
            "timestamp": "2026-05-28 22:01:57,490",
            "thread_id": "608",
            "caller": "0x7ff6c28b3de8",
            "parentcaller": "0x7ff6c28b38f4",
            "category": "filesystem",
            "api": "FindFirstFileExW",
            "status": true,
            "return": "0x29253e86580",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows"
              },
              {
                "name": "FirstCreateTimeLow",
                "value": "0x3a6eea36"
              },
              {
                "name": "FirstCreateTimeHigh",
                "value": "0x01ca0431"
              }
            ],
            "repeated": 0,
            "id": 1800
          },
          {
            "timestamp": "2026-05-28 22:01:57,490",
            "thread_id": "608",
            "caller": "0x7ff6c28b3de8",
            "parentcaller": "0x7ff6c28b38f4",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000540"
              }
            ],
            "repeated": 0,
            "id": 1801
          },
          {
            "timestamp": "2026-05-28 22:01:57,490",
            "thread_id": "608",
            "caller": "0x7ff6c28b3de8",
            "parentcaller": "0x7ff6c28b38f4",
            "category": "filesystem",
            "api": "FindFirstFileExW",
            "status": true,
            "return": "0x29253e86a60",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32"
              },
              {
                "name": "FirstCreateTimeLow",
                "value": "0x3a6eea36"
              },
              {
                "name": "FirstCreateTimeHigh",
                "value": "0x01d5acdd"
              }
            ],
            "repeated": 0,
            "id": 1802
          },
          {
            "timestamp": "2026-05-28 22:01:57,490",
            "thread_id": "520",
            "caller": "0x7ff6c28d5dec",
            "parentcaller": "0x7ff6c28de0ed",
            "category": "system",
            "api": "NtQuerySystemTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 1803
          },
          {
            "timestamp": "2026-05-28 22:01:57,490",
            "thread_id": "608",
            "caller": "0x7ff6c28b3de8",
            "parentcaller": "0x7ff6c28b38f4",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000540"
              }
            ],
            "repeated": 0,
            "id": 1804
          },
          {
            "timestamp": "2026-05-28 22:01:57,490",
            "thread_id": "608",
            "caller": "0x7ff6c28b3de8",
            "parentcaller": "0x7ff6c28b38f4",
            "category": "filesystem",
            "api": "FindFirstFileExW",
            "status": true,
            "return": "0x29253e86940",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\Taskmgr.exe"
              },
              {
                "name": "FirstCreateTimeLow",
                "value": "0x6eac9751"
              },
              {
                "name": "FirstCreateTimeHigh",
                "value": "0x01da265c"
              }
            ],
            "repeated": 0,
            "id": 1805
          },
          {
            "timestamp": "2026-05-28 22:01:57,490",
            "thread_id": "608",
            "caller": "0x7ff6c28b3de8",
            "parentcaller": "0x7ff6c28b38f4",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000540"
              }
            ],
            "repeated": 0,
            "id": 1806
          },
          {
            "timestamp": "2026-05-28 22:01:57,490",
            "thread_id": "520",
            "caller": "0x7ff6c28d5e6c",
            "parentcaller": "0x7ff6c28de0ed",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\AccountPicture\\Users"
              },
              {
                "name": "Handle",
                "value": "0x00000548"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\AccountPicture\\Users"
              }
            ],
            "repeated": 0,
            "id": 1807
          },
          {
            "timestamp": "2026-05-28 22:01:57,490",
            "thread_id": "520",
            "caller": "0x7ff6c28d5e95",
            "parentcaller": "0x7ff6c28de0ed",
            "category": "registry",
            "api": "RegNotifyChangeKeyValue",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AccountPicture\\Users\\"
              },
              {
                "name": "NotifyFilter",
                "value": "0x00000005"
              },
              {
                "name": "WatchSubtree",
                "value": "1"
              },
              {
                "name": "Asynchronous",
                "value": "1"
              }
            ],
            "repeated": 0,
            "id": 1808
          },
          {
            "timestamp": "2026-05-28 22:01:57,490",
            "thread_id": "608",
            "caller": "0x7ff6c28b3dc4",
            "parentcaller": "0x7ff6c28b38f4",
            "category": "misc",
            "api": "FindResourceExW",
            "status": true,
            "return": "0x29252ef2168",
            "arguments": [
              {
                "name": "Module",
                "value": "0x7ff6c28b0000"
              },
              {
                "name": "Type",
                "value": "#14"
              },
              {
                "name": "Name",
                "value": "#38605"
              },
              {
                "name": "Language",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 1809
          },
          {
            "timestamp": "2026-05-28 22:01:57,490",
            "thread_id": "608",
            "caller": "0x7ff6c28b3dc4",
            "parentcaller": "0x7ff6c28b38f4",
            "category": "misc",
            "api": "LoadResource",
            "status": true,
            "return": "0x29252f2c540",
            "arguments": [
              {
                "name": "Module",
                "value": "0x7ff6c28b0000"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29252ef2168"
              }
            ],
            "repeated": 0,
            "id": 1810
          },
          {
            "timestamp": "2026-05-28 22:01:57,490",
            "thread_id": "608",
            "caller": "0x7ff6c28b3dc4",
            "parentcaller": "0x7ff6c28b38f4",
            "category": "misc",
            "api": "FindResourceExW",
            "status": true,
            "return": "0x29252ef1f18",
            "arguments": [
              {
                "name": "Module",
                "value": "0x7ff6c28b0000"
              },
              {
                "name": "Type",
                "value": "#3"
              },
              {
                "name": "Name",
                "value": "#91"
              },
              {
                "name": "Language",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 1811
          },
          {
            "timestamp": "2026-05-28 22:01:57,490",
            "thread_id": "608",
            "caller": "0x7ff6c28b3dc4",
            "parentcaller": "0x7ff6c28b38f4",
            "category": "misc",
            "api": "LoadResource",
            "status": true,
            "return": "0x29252f2c0d8",
            "arguments": [
              {
                "name": "Module",
                "value": "0x7ff6c28b0000"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29252ef1f18"
              }
            ],
            "repeated": 0,
            "id": 1812
          },
          {
            "timestamp": "2026-05-28 22:01:57,490",
            "thread_id": "608",
            "caller": "0x7ff6c28b3de8",
            "parentcaller": "0x7ff6c28b38f4",
            "category": "windows",
            "api": "FindWindowW",
            "status": true,
            "return": "0x00010092",
            "arguments": [
              {
                "name": "ClassName",
                "value": "Shell_TrayWnd"
              },
              {
                "name": "WindowName",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 1813
          },
          {
            "timestamp": "2026-05-28 22:01:57,490",
            "thread_id": "608",
            "caller": "0x7ff6c28b3de8",
            "parentcaller": "0x7ff6c28b38f4",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000508"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001000",
                "pretty_value": "PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "7912"
              }
            ],
            "repeated": 0,
            "id": 1814
          },
          {
            "timestamp": "2026-05-28 22:01:57,490",
            "thread_id": "608",
            "caller": "0x7ff6c28b3de8",
            "parentcaller": "0x7ff6c28b38f4",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000508"
              }
            ],
            "repeated": 0,
            "id": 1815
          },
          {
            "timestamp": "2026-05-28 22:01:57,490",
            "thread_id": "608",
            "caller": "0x7ff6c28b3de8",
            "parentcaller": "0x7ff6c28b38f4",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\Taskmgr.exe"
              }
            ],
            "repeated": 0,
            "id": 1816
          },
          {
            "timestamp": "2026-05-28 22:01:57,490",
            "thread_id": "608",
            "caller": "0x7ff6c28b3de8",
            "parentcaller": "0x7ff6c28b38f4",
            "category": "filesystem",
            "api": "FindFirstFileExW",
            "status": true,
            "return": "0x29253e873c0",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows"
              },
              {
                "name": "FirstCreateTimeLow",
                "value": "0x3a6eea36"
              },
              {
                "name": "FirstCreateTimeHigh",
                "value": "0x01ca0431"
              }
            ],
            "repeated": 0,
            "id": 1817
          },
          {
            "timestamp": "2026-05-28 22:01:57,490",
            "thread_id": "608",
            "caller": "0x7ff6c28b3de8",
            "parentcaller": "0x7ff6c28b38f4",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000508"
              }
            ],
            "repeated": 0,
            "id": 1818
          },
          {
            "timestamp": "2026-05-28 22:01:57,490",
            "thread_id": "608",
            "caller": "0x7ff6c28b3de8",
            "parentcaller": "0x7ff6c28b38f4",
            "category": "filesystem",
            "api": "FindFirstFileExW",
            "status": true,
            "return": "0x29253e86fa0",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32"
              },
              {
                "name": "FirstCreateTimeLow",
                "value": "0x3a6eea36"
              },
              {
                "name": "FirstCreateTimeHigh",
                "value": "0x01d5acdd"
              }
            ],
            "repeated": 0,
            "id": 1819
          },
          {
            "timestamp": "2026-05-28 22:01:57,490",
            "thread_id": "608",
            "caller": "0x7ff6c28b3de8",
            "parentcaller": "0x7ff6c28b38f4",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000508"
              }
            ],
            "repeated": 0,
            "id": 1820
          },
          {
            "timestamp": "2026-05-28 22:01:57,490",
            "thread_id": "608",
            "caller": "0x7ff6c28b3de8",
            "parentcaller": "0x7ff6c28b38f4",
            "category": "filesystem",
            "api": "FindFirstFileExW",
            "status": true,
            "return": "0x29253e86640",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\Taskmgr.exe"
              },
              {
                "name": "FirstCreateTimeLow",
                "value": "0x6eac9751"
              },
              {
                "name": "FirstCreateTimeHigh",
                "value": "0x01da265c"
              }
            ],
            "repeated": 0,
            "id": 1821
          },
          {
            "timestamp": "2026-05-28 22:01:57,490",
            "thread_id": "608",
            "caller": "0x7ff6c28b3de8",
            "parentcaller": "0x7ff6c28b38f4",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000508"
              }
            ],
            "repeated": 0,
            "id": 1822
          },
          {
            "timestamp": "2026-05-28 22:01:57,490",
            "thread_id": "608",
            "caller": "0x7ff6c28b3dc4",
            "parentcaller": "0x7ff6c28b38f4",
            "category": "misc",
            "api": "FindResourceExW",
            "status": true,
            "return": "0x29252ef2178",
            "arguments": [
              {
                "name": "Module",
                "value": "0x7ff6c28b0000"
              },
              {
                "name": "Type",
                "value": "#14"
              },
              {
                "name": "Name",
                "value": "#38606"
              },
              {
                "name": "Language",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 1823
          },
          {
            "timestamp": "2026-05-28 22:01:57,490",
            "thread_id": "608",
            "caller": "0x7ff6c28b3dc4",
            "parentcaller": "0x7ff6c28b38f4",
            "category": "misc",
            "api": "LoadResource",
            "status": true,
            "return": "0x29252f2c9c0",
            "arguments": [
              {
                "name": "Module",
                "value": "0x7ff6c28b0000"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29252ef2178"
              }
            ],
            "repeated": 0,
            "id": 1824
          },
          {
            "timestamp": "2026-05-28 22:01:57,490",
            "thread_id": "608",
            "caller": "0x7ff6c28b3dc4",
            "parentcaller": "0x7ff6c28b38f4",
            "category": "misc",
            "api": "FindResourceExW",
            "status": true,
            "return": "0x29252ef1f28",
            "arguments": [
              {
                "name": "Module",
                "value": "0x7ff6c28b0000"
              },
              {
                "name": "Type",
                "value": "#3"
              },
              {
                "name": "Name",
                "value": "#92"
              },
              {
                "name": "Language",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 1825
          },
          {
            "timestamp": "2026-05-28 22:01:57,490",
            "thread_id": "608",
            "caller": "0x7ff6c28b3dc4",
            "parentcaller": "0x7ff6c28b38f4",
            "category": "misc",
            "api": "LoadResource",
            "status": true,
            "return": "0x29252f2c558",
            "arguments": [
              {
                "name": "Module",
                "value": "0x7ff6c28b0000"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29252ef1f28"
              }
            ],
            "repeated": 0,
            "id": 1826
          },
          {
            "timestamp": "2026-05-28 22:01:57,490",
            "thread_id": "608",
            "caller": "0x7ff6c28b3de8",
            "parentcaller": "0x7ff6c28b38f4",
            "category": "windows",
            "api": "FindWindowW",
            "status": true,
            "return": "0x00010092",
            "arguments": [
              {
                "name": "ClassName",
                "value": "Shell_TrayWnd"
              },
              {
                "name": "WindowName",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 1827
          },
          {
            "timestamp": "2026-05-28 22:01:57,490",
            "thread_id": "608",
            "caller": "0x7ff6c28b3de8",
            "parentcaller": "0x7ff6c28b38f4",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000508"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001000",
                "pretty_value": "PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "7912"
              }
            ],
            "repeated": 0,
            "id": 1828
          },
          {
            "timestamp": "2026-05-28 22:01:57,490",
            "thread_id": "608",
            "caller": "0x7ff6c28b3de8",
            "parentcaller": "0x7ff6c28b38f4",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000508"
              }
            ],
            "repeated": 0,
            "id": 1829
          },
          {
            "timestamp": "2026-05-28 22:01:57,490",
            "thread_id": "608",
            "caller": "0x7ff6c28b3de8",
            "parentcaller": "0x7ff6c28b38f4",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\Taskmgr.exe"
              }
            ],
            "repeated": 0,
            "id": 1830
          },
          {
            "timestamp": "2026-05-28 22:01:57,490",
            "thread_id": "608",
            "caller": "0x7ff6c28b3de8",
            "parentcaller": "0x7ff6c28b38f4",
            "category": "filesystem",
            "api": "FindFirstFileExW",
            "status": true,
            "return": "0x29253e867c0",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows"
              },
              {
                "name": "FirstCreateTimeLow",
                "value": "0x3a6eea36"
              },
              {
                "name": "FirstCreateTimeHigh",
                "value": "0x01ca0431"
              }
            ],
            "repeated": 0,
            "id": 1831
          },
          {
            "timestamp": "2026-05-28 22:01:57,490",
            "thread_id": "608",
            "caller": "0x7ff6c28b3de8",
            "parentcaller": "0x7ff6c28b38f4",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000508"
              }
            ],
            "repeated": 0,
            "id": 1832
          },
          {
            "timestamp": "2026-05-28 22:01:57,490",
            "thread_id": "608",
            "caller": "0x7ff6c28b3de8",
            "parentcaller": "0x7ff6c28b38f4",
            "category": "filesystem",
            "api": "FindFirstFileExW",
            "status": true,
            "return": "0x29253e86520",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32"
              },
              {
                "name": "FirstCreateTimeLow",
                "value": "0x3a6eea36"
              },
              {
                "name": "FirstCreateTimeHigh",
                "value": "0x01d5acdd"
              }
            ],
            "repeated": 0,
            "id": 1833
          },
          {
            "timestamp": "2026-05-28 22:01:57,490",
            "thread_id": "608",
            "caller": "0x7ff6c28b3de8",
            "parentcaller": "0x7ff6c28b38f4",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000508"
              }
            ],
            "repeated": 0,
            "id": 1834
          },
          {
            "timestamp": "2026-05-28 22:01:57,490",
            "thread_id": "608",
            "caller": "0x7ff6c28b3de8",
            "parentcaller": "0x7ff6c28b38f4",
            "category": "filesystem",
            "api": "FindFirstFileExW",
            "status": true,
            "return": "0x29253e86880",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\Taskmgr.exe"
              },
              {
                "name": "FirstCreateTimeLow",
                "value": "0x6eac9751"
              },
              {
                "name": "FirstCreateTimeHigh",
                "value": "0x01da265c"
              }
            ],
            "repeated": 0,
            "id": 1835
          },
          {
            "timestamp": "2026-05-28 22:01:57,490",
            "thread_id": "608",
            "caller": "0x7ff6c28b3de8",
            "parentcaller": "0x7ff6c28b38f4",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000508"
              }
            ],
            "repeated": 0,
            "id": 1836
          },
          {
            "timestamp": "2026-05-28 22:01:57,506",
            "thread_id": "608",
            "caller": "0x7ff6c28b3dc4",
            "parentcaller": "0x7ff6c28b38f4",
            "category": "misc",
            "api": "FindResourceExW",
            "status": true,
            "return": "0x29252ef2188",
            "arguments": [
              {
                "name": "Module",
                "value": "0x7ff6c28b0000"
              },
              {
                "name": "Type",
                "value": "#14"
              },
              {
                "name": "Name",
                "value": "#38607"
              },
              {
                "name": "Language",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 1837
          },
          {
            "timestamp": "2026-05-28 22:01:57,506",
            "thread_id": "608",
            "caller": "0x7ff6c28b3dc4",
            "parentcaller": "0x7ff6c28b38f4",
            "category": "misc",
            "api": "LoadResource",
            "status": true,
            "return": "0x29252f2ce40",
            "arguments": [
              {
                "name": "Module",
                "value": "0x7ff6c28b0000"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29252ef2188"
              }
            ],
            "repeated": 0,
            "id": 1838
          },
          {
            "timestamp": "2026-05-28 22:01:57,506",
            "thread_id": "608",
            "caller": "0x7ff6c28b3dc4",
            "parentcaller": "0x7ff6c28b38f4",
            "category": "misc",
            "api": "FindResourceExW",
            "status": true,
            "return": "0x29252ef1f38",
            "arguments": [
              {
                "name": "Module",
                "value": "0x7ff6c28b0000"
              },
              {
                "name": "Type",
                "value": "#3"
              },
              {
                "name": "Name",
                "value": "#93"
              },
              {
                "name": "Language",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 1839
          },
          {
            "timestamp": "2026-05-28 22:01:57,506",
            "thread_id": "608",
            "caller": "0x7ff6c28b3dc4",
            "parentcaller": "0x7ff6c28b38f4",
            "category": "misc",
            "api": "LoadResource",
            "status": true,
            "return": "0x29252f2c9d8",
            "arguments": [
              {
                "name": "Module",
                "value": "0x7ff6c28b0000"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29252ef1f38"
              }
            ],
            "repeated": 0,
            "id": 1840
          },
          {
            "timestamp": "2026-05-28 22:01:57,506",
            "thread_id": "608",
            "caller": "0x7ff6c28b3de8",
            "parentcaller": "0x7ff6c28b38f4",
            "category": "windows",
            "api": "FindWindowW",
            "status": true,
            "return": "0x00010092",
            "arguments": [
              {
                "name": "ClassName",
                "value": "Shell_TrayWnd"
              },
              {
                "name": "WindowName",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 1841
          },
          {
            "timestamp": "2026-05-28 22:01:57,506",
            "thread_id": "608",
            "caller": "0x7ff6c28b3de8",
            "parentcaller": "0x7ff6c28b38f4",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000540"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001000",
                "pretty_value": "PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "7912"
              }
            ],
            "repeated": 0,
            "id": 1842
          },
          {
            "timestamp": "2026-05-28 22:01:57,506",
            "thread_id": "608",
            "caller": "0x7ff6c28b3de8",
            "parentcaller": "0x7ff6c28b38f4",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000540"
              }
            ],
            "repeated": 0,
            "id": 1843
          },
          {
            "timestamp": "2026-05-28 22:01:57,506",
            "thread_id": "608",
            "caller": "0x7ff6c28b3de8",
            "parentcaller": "0x7ff6c28b38f4",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\Taskmgr.exe"
              }
            ],
            "repeated": 0,
            "id": 1844
          },
          {
            "timestamp": "2026-05-28 22:01:57,506",
            "thread_id": "608",
            "caller": "0x7ff6c28b3de8",
            "parentcaller": "0x7ff6c28b38f4",
            "category": "filesystem",
            "api": "FindFirstFileExW",
            "status": true,
            "return": "0x29253e86c40",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows"
              },
              {
                "name": "FirstCreateTimeLow",
                "value": "0x3a6eea36"
              },
              {
                "name": "FirstCreateTimeHigh",
                "value": "0x01ca0431"
              }
            ],
            "repeated": 0,
            "id": 1845
          },
          {
            "timestamp": "2026-05-28 22:01:57,506",
            "thread_id": "608",
            "caller": "0x7ff6c28b3de8",
            "parentcaller": "0x7ff6c28b38f4",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000540"
              }
            ],
            "repeated": 0,
            "id": 1846
          },
          {
            "timestamp": "2026-05-28 22:01:57,506",
            "thread_id": "608",
            "caller": "0x7ff6c28b3de8",
            "parentcaller": "0x7ff6c28b38f4",
            "category": "filesystem",
            "api": "FindFirstFileExW",
            "status": true,
            "return": "0x29253e873c0",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32"
              },
              {
                "name": "FirstCreateTimeLow",
                "value": "0x3a6eea36"
              },
              {
                "name": "FirstCreateTimeHigh",
                "value": "0x01d5acdd"
              }
            ],
            "repeated": 0,
            "id": 1847
          },
          {
            "timestamp": "2026-05-28 22:01:57,506",
            "thread_id": "608",
            "caller": "0x7ff6c28b3de8",
            "parentcaller": "0x7ff6c28b38f4",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000540"
              }
            ],
            "repeated": 0,
            "id": 1848
          },
          {
            "timestamp": "2026-05-28 22:01:57,506",
            "thread_id": "608",
            "caller": "0x7ff6c28b3de8",
            "parentcaller": "0x7ff6c28b38f4",
            "category": "filesystem",
            "api": "FindFirstFileExW",
            "status": true,
            "return": "0x29253e873c0",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\Taskmgr.exe"
              },
              {
                "name": "FirstCreateTimeLow",
                "value": "0x6eac9751"
              },
              {
                "name": "FirstCreateTimeHigh",
                "value": "0x01da265c"
              }
            ],
            "repeated": 0,
            "id": 1849
          },
          {
            "timestamp": "2026-05-28 22:01:57,506",
            "thread_id": "608",
            "caller": "0x7ff6c28b3de8",
            "parentcaller": "0x7ff6c28b38f4",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000540"
              }
            ],
            "repeated": 0,
            "id": 1850
          },
          {
            "timestamp": "2026-05-28 22:01:57,506",
            "thread_id": "608",
            "caller": "0x7ff6c28b3dc4",
            "parentcaller": "0x7ff6c28b38f4",
            "category": "misc",
            "api": "FindResourceExW",
            "status": true,
            "return": "0x29252ef2198",
            "arguments": [
              {
                "name": "Module",
                "value": "0x7ff6c28b0000"
              },
              {
                "name": "Type",
                "value": "#14"
              },
              {
                "name": "Name",
                "value": "#38608"
              },
              {
                "name": "Language",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 1851
          },
          {
            "timestamp": "2026-05-28 22:01:57,506",
            "thread_id": "608",
            "caller": "0x7ff6c28b3dc4",
            "parentcaller": "0x7ff6c28b38f4",
            "category": "misc",
            "api": "LoadResource",
            "status": true,
            "return": "0x29252f2d2c0",
            "arguments": [
              {
                "name": "Module",
                "value": "0x7ff6c28b0000"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29252ef2198"
              }
            ],
            "repeated": 0,
            "id": 1852
          },
          {
            "timestamp": "2026-05-28 22:01:57,506",
            "thread_id": "608",
            "caller": "0x7ff6c28b3dc4",
            "parentcaller": "0x7ff6c28b38f4",
            "category": "misc",
            "api": "FindResourceExW",
            "status": true,
            "return": "0x29252ef1f48",
            "arguments": [
              {
                "name": "Module",
                "value": "0x7ff6c28b0000"
              },
              {
                "name": "Type",
                "value": "#3"
              },
              {
                "name": "Name",
                "value": "#94"
              },
              {
                "name": "Language",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 1853
          },
          {
            "timestamp": "2026-05-28 22:01:57,506",
            "thread_id": "608",
            "caller": "0x7ff6c28b3dc4",
            "parentcaller": "0x7ff6c28b38f4",
            "category": "misc",
            "api": "LoadResource",
            "status": true,
            "return": "0x29252f2ce58",
            "arguments": [
              {
                "name": "Module",
                "value": "0x7ff6c28b0000"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29252ef1f48"
              }
            ],
            "repeated": 0,
            "id": 1854
          },
          {
            "timestamp": "2026-05-28 22:01:57,506",
            "thread_id": "608",
            "caller": "0x7ff6c28b3de8",
            "parentcaller": "0x7ff6c28b38f4",
            "category": "windows",
            "api": "FindWindowW",
            "status": true,
            "return": "0x00010092",
            "arguments": [
              {
                "name": "ClassName",
                "value": "Shell_TrayWnd"
              },
              {
                "name": "WindowName",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 1855
          },
          {
            "timestamp": "2026-05-28 22:01:57,506",
            "thread_id": "608",
            "caller": "0x7ff6c28b3de8",
            "parentcaller": "0x7ff6c28b38f4",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000508"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001000",
                "pretty_value": "PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "7912"
              }
            ],
            "repeated": 0,
            "id": 1856
          },
          {
            "timestamp": "2026-05-28 22:01:57,506",
            "thread_id": "608",
            "caller": "0x7ff6c28b3de8",
            "parentcaller": "0x7ff6c28b38f4",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000508"
              }
            ],
            "repeated": 0,
            "id": 1857
          },
          {
            "timestamp": "2026-05-28 22:01:57,506",
            "thread_id": "608",
            "caller": "0x7ff6c28b3de8",
            "parentcaller": "0x7ff6c28b38f4",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\Taskmgr.exe"
              }
            ],
            "repeated": 0,
            "id": 1858
          },
          {
            "timestamp": "2026-05-28 22:01:57,506",
            "thread_id": "608",
            "caller": "0x7ff6c28b3de8",
            "parentcaller": "0x7ff6c28b38f4",
            "category": "filesystem",
            "api": "FindFirstFileExW",
            "status": true,
            "return": "0x29253e87000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows"
              },
              {
                "name": "FirstCreateTimeLow",
                "value": "0x3a6eea36"
              },
              {
                "name": "FirstCreateTimeHigh",
                "value": "0x01ca0431"
              }
            ],
            "repeated": 0,
            "id": 1859
          },
          {
            "timestamp": "2026-05-28 22:01:57,506",
            "thread_id": "608",
            "caller": "0x7ff6c28b3de8",
            "parentcaller": "0x7ff6c28b38f4",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000508"
              }
            ],
            "repeated": 0,
            "id": 1860
          },
          {
            "timestamp": "2026-05-28 22:01:57,506",
            "thread_id": "608",
            "caller": "0x7ff6c28b3de8",
            "parentcaller": "0x7ff6c28b38f4",
            "category": "filesystem",
            "api": "FindFirstFileExW",
            "status": true,
            "return": "0x29253e85f80",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32"
              },
              {
                "name": "FirstCreateTimeLow",
                "value": "0x3a6eea36"
              },
              {
                "name": "FirstCreateTimeHigh",
                "value": "0x01d5acdd"
              }
            ],
            "repeated": 0,
            "id": 1861
          },
          {
            "timestamp": "2026-05-28 22:01:57,506",
            "thread_id": "608",
            "caller": "0x7ff6c28b3de8",
            "parentcaller": "0x7ff6c28b38f4",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000508"
              }
            ],
            "repeated": 0,
            "id": 1862
          },
          {
            "timestamp": "2026-05-28 22:01:57,506",
            "thread_id": "608",
            "caller": "0x7ff6c28b3de8",
            "parentcaller": "0x7ff6c28b38f4",
            "category": "filesystem",
            "api": "FindFirstFileExW",
            "status": true,
            "return": "0x29253e867c0",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\Taskmgr.exe"
              },
              {
                "name": "FirstCreateTimeLow",
                "value": "0x6eac9751"
              },
              {
                "name": "FirstCreateTimeHigh",
                "value": "0x01da265c"
              }
            ],
            "repeated": 0,
            "id": 1863
          },
          {
            "timestamp": "2026-05-28 22:01:57,506",
            "thread_id": "608",
            "caller": "0x7ff6c28b3de8",
            "parentcaller": "0x7ff6c28b38f4",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000508"
              }
            ],
            "repeated": 0,
            "id": 1864
          },
          {
            "timestamp": "2026-05-28 22:01:57,506",
            "thread_id": "608",
            "caller": "0x7ff6c28b3dc4",
            "parentcaller": "0x7ff6c28b38f4",
            "category": "misc",
            "api": "FindResourceExW",
            "status": true,
            "return": "0x29252ef21a8",
            "arguments": [
              {
                "name": "Module",
                "value": "0x7ff6c28b0000"
              },
              {
                "name": "Type",
                "value": "#14"
              },
              {
                "name": "Name",
                "value": "#38609"
              },
              {
                "name": "Language",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 1865
          },
          {
            "timestamp": "2026-05-28 22:01:57,506",
            "thread_id": "608",
            "caller": "0x7ff6c28b3dc4",
            "parentcaller": "0x7ff6c28b38f4",
            "category": "misc",
            "api": "LoadResource",
            "status": true,
            "return": "0x29252f2d740",
            "arguments": [
              {
                "name": "Module",
                "value": "0x7ff6c28b0000"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29252ef21a8"
              }
            ],
            "repeated": 0,
            "id": 1866
          },
          {
            "timestamp": "2026-05-28 22:01:57,506",
            "thread_id": "608",
            "caller": "0x7ff6c28b3dc4",
            "parentcaller": "0x7ff6c28b38f4",
            "category": "misc",
            "api": "FindResourceExW",
            "status": true,
            "return": "0x29252ef1f58",
            "arguments": [
              {
                "name": "Module",
                "value": "0x7ff6c28b0000"
              },
              {
                "name": "Type",
                "value": "#3"
              },
              {
                "name": "Name",
                "value": "#95"
              },
              {
                "name": "Language",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 1867
          },
          {
            "timestamp": "2026-05-28 22:01:57,506",
            "thread_id": "608",
            "caller": "0x7ff6c28b3dc4",
            "parentcaller": "0x7ff6c28b38f4",
            "category": "misc",
            "api": "LoadResource",
            "status": true,
            "return": "0x29252f2d2d8",
            "arguments": [
              {
                "name": "Module",
                "value": "0x7ff6c28b0000"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29252ef1f58"
              }
            ],
            "repeated": 0,
            "id": 1868
          },
          {
            "timestamp": "2026-05-28 22:01:57,506",
            "thread_id": "608",
            "caller": "0x7ff6c28b3de8",
            "parentcaller": "0x7ff6c28b38f4",
            "category": "windows",
            "api": "FindWindowW",
            "status": true,
            "return": "0x00010092",
            "arguments": [
              {
                "name": "ClassName",
                "value": "Shell_TrayWnd"
              },
              {
                "name": "WindowName",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 1869
          },
          {
            "timestamp": "2026-05-28 22:01:57,506",
            "thread_id": "608",
            "caller": "0x7ff6c28b3de8",
            "parentcaller": "0x7ff6c28b38f4",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000508"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001000",
                "pretty_value": "PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "7912"
              }
            ],
            "repeated": 0,
            "id": 1870
          },
          {
            "timestamp": "2026-05-28 22:01:57,506",
            "thread_id": "608",
            "caller": "0x7ff6c28b3de8",
            "parentcaller": "0x7ff6c28b38f4",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000508"
              }
            ],
            "repeated": 0,
            "id": 1871
          },
          {
            "timestamp": "2026-05-28 22:01:57,506",
            "thread_id": "608",
            "caller": "0x7ff6c28b3de8",
            "parentcaller": "0x7ff6c28b38f4",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\Taskmgr.exe"
              }
            ],
            "repeated": 0,
            "id": 1872
          },
          {
            "timestamp": "2026-05-28 22:01:57,506",
            "thread_id": "608",
            "caller": "0x7ff6c28b3de8",
            "parentcaller": "0x7ff6c28b38f4",
            "category": "filesystem",
            "api": "FindFirstFileExW",
            "status": true,
            "return": "0x29253e86640",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows"
              },
              {
                "name": "FirstCreateTimeLow",
                "value": "0x3a6eea36"
              },
              {
                "name": "FirstCreateTimeHigh",
                "value": "0x01ca0431"
              }
            ],
            "repeated": 0,
            "id": 1873
          },
          {
            "timestamp": "2026-05-28 22:01:57,506",
            "thread_id": "608",
            "caller": "0x7ff6c28b3de8",
            "parentcaller": "0x7ff6c28b38f4",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000508"
              }
            ],
            "repeated": 0,
            "id": 1874
          },
          {
            "timestamp": "2026-05-28 22:01:57,506",
            "thread_id": "608",
            "caller": "0x7ff6c28b3de8",
            "parentcaller": "0x7ff6c28b38f4",
            "category": "filesystem",
            "api": "FindFirstFileExW",
            "status": true,
            "return": "0x29253e863a0",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32"
              },
              {
                "name": "FirstCreateTimeLow",
                "value": "0x3a6eea36"
              },
              {
                "name": "FirstCreateTimeHigh",
                "value": "0x01d5acdd"
              }
            ],
            "repeated": 0,
            "id": 1875
          },
          {
            "timestamp": "2026-05-28 22:01:57,506",
            "thread_id": "608",
            "caller": "0x7ff6c28b3de8",
            "parentcaller": "0x7ff6c28b38f4",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000508"
              }
            ],
            "repeated": 0,
            "id": 1876
          },
          {
            "timestamp": "2026-05-28 22:01:57,506",
            "thread_id": "608",
            "caller": "0x7ff6c28b3de8",
            "parentcaller": "0x7ff6c28b38f4",
            "category": "filesystem",
            "api": "FindFirstFileExW",
            "status": true,
            "return": "0x29253e86e20",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\Taskmgr.exe"
              },
              {
                "name": "FirstCreateTimeLow",
                "value": "0x6eac9751"
              },
              {
                "name": "FirstCreateTimeHigh",
                "value": "0x01da265c"
              }
            ],
            "repeated": 0,
            "id": 1877
          },
          {
            "timestamp": "2026-05-28 22:01:57,506",
            "thread_id": "608",
            "caller": "0x7ff6c28b3de8",
            "parentcaller": "0x7ff6c28b38f4",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000508"
              }
            ],
            "repeated": 0,
            "id": 1878
          },
          {
            "timestamp": "2026-05-28 22:01:57,506",
            "thread_id": "608",
            "caller": "0x7ff6c28b3dc4",
            "parentcaller": "0x7ff6c28b38f4",
            "category": "misc",
            "api": "FindResourceExW",
            "status": true,
            "return": "0x29252ef21b8",
            "arguments": [
              {
                "name": "Module",
                "value": "0x7ff6c28b0000"
              },
              {
                "name": "Type",
                "value": "#14"
              },
              {
                "name": "Name",
                "value": "#38610"
              },
              {
                "name": "Language",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 1879
          },
          {
            "timestamp": "2026-05-28 22:01:57,506",
            "thread_id": "608",
            "caller": "0x7ff6c28b3dc4",
            "parentcaller": "0x7ff6c28b38f4",
            "category": "misc",
            "api": "LoadResource",
            "status": true,
            "return": "0x29252f2dbc0",
            "arguments": [
              {
                "name": "Module",
                "value": "0x7ff6c28b0000"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29252ef21b8"
              }
            ],
            "repeated": 0,
            "id": 1880
          },
          {
            "timestamp": "2026-05-28 22:01:57,506",
            "thread_id": "608",
            "caller": "0x7ff6c28b3dc4",
            "parentcaller": "0x7ff6c28b38f4",
            "category": "misc",
            "api": "FindResourceExW",
            "status": true,
            "return": "0x29252ef1f68",
            "arguments": [
              {
                "name": "Module",
                "value": "0x7ff6c28b0000"
              },
              {
                "name": "Type",
                "value": "#3"
              },
              {
                "name": "Name",
                "value": "#96"
              },
              {
                "name": "Language",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 1881
          },
          {
            "timestamp": "2026-05-28 22:01:57,506",
            "thread_id": "608",
            "caller": "0x7ff6c28b3dc4",
            "parentcaller": "0x7ff6c28b38f4",
            "category": "misc",
            "api": "LoadResource",
            "status": true,
            "return": "0x29252f2d758",
            "arguments": [
              {
                "name": "Module",
                "value": "0x7ff6c28b0000"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29252ef1f68"
              }
            ],
            "repeated": 0,
            "id": 1882
          },
          {
            "timestamp": "2026-05-28 22:01:57,506",
            "thread_id": "608",
            "caller": "0x7ff6c28b3de8",
            "parentcaller": "0x7ff6c28b38f4",
            "category": "windows",
            "api": "FindWindowW",
            "status": true,
            "return": "0x00010092",
            "arguments": [
              {
                "name": "ClassName",
                "value": "Shell_TrayWnd"
              },
              {
                "name": "WindowName",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 1883
          },
          {
            "timestamp": "2026-05-28 22:01:57,506",
            "thread_id": "608",
            "caller": "0x7ff6c28b3de8",
            "parentcaller": "0x7ff6c28b38f4",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000550"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001000",
                "pretty_value": "PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "7912"
              }
            ],
            "repeated": 0,
            "id": 1884
          },
          {
            "timestamp": "2026-05-28 22:01:57,506",
            "thread_id": "608",
            "caller": "0x7ff6c28b3de8",
            "parentcaller": "0x7ff6c28b38f4",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000550"
              }
            ],
            "repeated": 0,
            "id": 1885
          },
          {
            "timestamp": "2026-05-28 22:01:57,506",
            "thread_id": "608",
            "caller": "0x7ff6c28b3de8",
            "parentcaller": "0x7ff6c28b38f4",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\Taskmgr.exe"
              }
            ],
            "repeated": 0,
            "id": 1886
          },
          {
            "timestamp": "2026-05-28 22:01:57,506",
            "thread_id": "608",
            "caller": "0x7ff6c28b3de8",
            "parentcaller": "0x7ff6c28b38f4",
            "category": "filesystem",
            "api": "FindFirstFileExW",
            "status": true,
            "return": "0x29253e85fe0",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows"
              },
              {
                "name": "FirstCreateTimeLow",
                "value": "0x3a6eea36"
              },
              {
                "name": "FirstCreateTimeHigh",
                "value": "0x01ca0431"
              }
            ],
            "repeated": 0,
            "id": 1887
          },
          {
            "timestamp": "2026-05-28 22:01:57,506",
            "thread_id": "608",
            "caller": "0x7ff6c28b3de8",
            "parentcaller": "0x7ff6c28b38f4",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000550"
              }
            ],
            "repeated": 0,
            "id": 1888
          },
          {
            "timestamp": "2026-05-28 22:01:57,506",
            "thread_id": "608",
            "caller": "0x7ff6c28b3de8",
            "parentcaller": "0x7ff6c28b38f4",
            "category": "filesystem",
            "api": "FindFirstFileExW",
            "status": true,
            "return": "0x29253e863a0",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32"
              },
              {
                "name": "FirstCreateTimeLow",
                "value": "0x3a6eea36"
              },
              {
                "name": "FirstCreateTimeHigh",
                "value": "0x01d5acdd"
              }
            ],
            "repeated": 0,
            "id": 1889
          },
          {
            "timestamp": "2026-05-28 22:01:57,506",
            "thread_id": "608",
            "caller": "0x7ff6c28b3de8",
            "parentcaller": "0x7ff6c28b38f4",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000550"
              }
            ],
            "repeated": 0,
            "id": 1890
          },
          {
            "timestamp": "2026-05-28 22:01:57,506",
            "thread_id": "608",
            "caller": "0x7ff6c28b3de8",
            "parentcaller": "0x7ff6c28b38f4",
            "category": "filesystem",
            "api": "FindFirstFileExW",
            "status": true,
            "return": "0x29253e861c0",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\Taskmgr.exe"
              },
              {
                "name": "FirstCreateTimeLow",
                "value": "0x6eac9751"
              },
              {
                "name": "FirstCreateTimeHigh",
                "value": "0x01da265c"
              }
            ],
            "repeated": 0,
            "id": 1891
          },
          {
            "timestamp": "2026-05-28 22:01:57,506",
            "thread_id": "608",
            "caller": "0x7ff6c28b3de8",
            "parentcaller": "0x7ff6c28b38f4",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000550"
              }
            ],
            "repeated": 0,
            "id": 1892
          },
          {
            "timestamp": "2026-05-28 22:01:57,521",
            "thread_id": "612",
            "caller": "0x7ff6c297a793",
            "parentcaller": "0x7ff6c297b1f4",
            "category": "filesystem",
            "api": "NtReadFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000004a4"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\System32\\WDI\\LogFiles\\StartupInfo\\S-1-5-21-3968686040-3210279463-847977608-1001_StartupInfo5.xml"
              },
              {
                "name": "Buffer",
                "value": "\\xff\\xfe<\\x00?\\x00x\\x00m\\x00l\\x00 \\x00v\\x00e\\x00r\\x00s\\x00i\\x00o\\x00n\\x00=\\x00\"\\x001\\x00.\\x000\\x00\"\\x00 \\x00e\\x00n\\x00c\\x00o\\x00d\\x00i\\x00n\\x00g\\x00=\\x00\"\\x00U\\x00T\\x00F\\x00-\\x001\\x006\\x00\"\\x00?\\x00>\\x00\r\\x00\n\\x00<\\x00S\\x00t\\x00a\\x00r\\x00t\\x00u\\x00p\\x00D\\x00a\\x00t\\x00a\\x00 \\x00I\\x00n\\x00t\\x00e\\x00r\\x00v\\x00a\\x00l\\x00S\\x00t\\x00a\\x00r\\x00t\\x00M\\x00s\\x00=\\x00\"\\x003\\x009\\x003\\x008\\x00\"\\x00 \\x00I\\x00n\\x00t\\x00e\\x00r\\x00v\\x00a\\x00l\\x00E\\x00n\\x00d\\x00M\\x00s\\x00=\\x00\"\\x009\\x003\\x009\\x003\\x008\\x00\"\\x00>\\x00\r\\x00\n\\x00\t\\x00<\\x00P\\x00r\\x00o\\x00c\\x00e\\x00s\\x00s\\x00 \\x00N\\x00a\\x00m\\x00e\\x00=\\x00\"\\x00C\\x00:\\x00\\\\x00P\\x00r\\x00o\\x00g\\x00r\\x00a\\x00m\\x00"
              },
              {
                "name": "Length",
                "value": "4096"
              }
            ],
            "repeated": 0,
            "id": 1893
          },
          {
            "timestamp": "2026-05-28 22:01:57,521",
            "thread_id": "612",
            "caller": "0x7ff6c297a793",
            "parentcaller": "0x7ff6c297b1f4",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 1894
          },
          {
            "timestamp": "2026-05-28 22:01:57,521",
            "thread_id": "612",
            "caller": "0x7ff6c297a793",
            "parentcaller": "0x7ff6c297b1f4",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000498"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 1895
          },
          {
            "timestamp": "2026-05-28 22:01:57,521",
            "thread_id": "612",
            "caller": "0x7ff6c297a793",
            "parentcaller": "0x7ff6c297b1f4",
            "category": "synchronization",
            "api": "NtReleaseMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000498"
              }
            ],
            "repeated": 1,
            "id": 1896
          },
          {
            "timestamp": "2026-05-28 22:01:57,521",
            "thread_id": "612",
            "caller": "0x7ff6c290bbcb",
            "parentcaller": "0x7ff6c297ad73",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76722000"
              },
              {
                "name": "ModuleName",
                "value": "SHLWAPI.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1897
          },
          {
            "timestamp": "2026-05-28 22:01:57,521",
            "thread_id": "612",
            "caller": "0x7ff6c290bbcb",
            "parentcaller": "0x7ff6c297ad73",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76722000"
              },
              {
                "name": "ModuleName",
                "value": "SHLWAPI.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1898
          },
          {
            "timestamp": "2026-05-28 22:01:57,521",
            "thread_id": "612",
            "caller": "0x7ff6c290bbeb",
            "parentcaller": "0x7ff6c297ad73",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76e57000"
              },
              {
                "name": "ModuleName",
                "value": "SHELL32.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1899
          },
          {
            "timestamp": "2026-05-28 22:01:57,521",
            "thread_id": "612",
            "caller": "0x7ff6c290bbeb",
            "parentcaller": "0x7ff6c297ad73",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76e57000"
              },
              {
                "name": "ModuleName",
                "value": "SHELL32.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1900
          },
          {
            "timestamp": "2026-05-28 22:01:57,521",
            "thread_id": "612",
            "caller": "0x7ff6c290bbeb",
            "parentcaller": "0x7ff6c297ad73",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Program Files (x86)\\Steam\\bin\\cef\\cef.win64\\steamwebhelper.exe"
              }
            ],
            "repeated": 0,
            "id": 1901
          },
          {
            "timestamp": "2026-05-28 22:01:57,521",
            "thread_id": "608",
            "caller": "0x7ff6c28b3dc4",
            "parentcaller": "0x7ff6c28b38f4",
            "category": "misc",
            "api": "LoadResource",
            "status": true,
            "return": "0x29252f2e040",
            "arguments": [
              {
                "name": "Module",
                "value": "0x7ff6c28b0000"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29252ef21c8"
              }
            ],
            "repeated": 0,
            "id": 1902
          },
          {
            "timestamp": "2026-05-28 22:01:57,521",
            "thread_id": "608",
            "caller": "0x7ff6c28b3dc4",
            "parentcaller": "0x7ff6c28b38f4",
            "category": "misc",
            "api": "FindResourceExW",
            "status": true,
            "return": "0x29252ef1f78",
            "arguments": [
              {
                "name": "Module",
                "value": "0x7ff6c28b0000"
              },
              {
                "name": "Type",
                "value": "#3"
              },
              {
                "name": "Name",
                "value": "#97"
              },
              {
                "name": "Language",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 1903
          },
          {
            "timestamp": "2026-05-28 22:01:57,521",
            "thread_id": "608",
            "caller": "0x7ff6c28b3dc4",
            "parentcaller": "0x7ff6c28b38f4",
            "category": "misc",
            "api": "LoadResource",
            "status": true,
            "return": "0x29252f2dbd8",
            "arguments": [
              {
                "name": "Module",
                "value": "0x7ff6c28b0000"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29252ef1f78"
              }
            ],
            "repeated": 0,
            "id": 1904
          },
          {
            "timestamp": "2026-05-28 22:01:57,521",
            "thread_id": "612",
            "caller": "0x7ff6c290bbeb",
            "parentcaller": "0x7ff6c297ad73",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Program Files\\Google\\Chrome\\Application\\PlatformExperienceHelper\\platform_experience_helper.exe"
              }
            ],
            "repeated": 0,
            "id": 1905
          },
          {
            "timestamp": "2026-05-28 22:01:57,521",
            "thread_id": "608",
            "caller": "0x7ff6c28b3de8",
            "parentcaller": "0x7ff6c28b38f4",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000550"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001000",
                "pretty_value": "PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "7912"
              }
            ],
            "repeated": 0,
            "id": 1906
          },
          {
            "timestamp": "2026-05-28 22:01:57,521",
            "thread_id": "608",
            "caller": "0x7ff6c28b3de8",
            "parentcaller": "0x7ff6c28b38f4",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000550"
              }
            ],
            "repeated": 0,
            "id": 1907
          },
          {
            "timestamp": "2026-05-28 22:01:57,521",
            "thread_id": "608",
            "caller": "0x7ff6c28b3de8",
            "parentcaller": "0x7ff6c28b38f4",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\Taskmgr.exe"
              }
            ],
            "repeated": 0,
            "id": 1908
          },
          {
            "timestamp": "2026-05-28 22:01:57,521",
            "thread_id": "608",
            "caller": "0x7ff6c28b3de8",
            "parentcaller": "0x7ff6c28b38f4",
            "category": "filesystem",
            "api": "FindFirstFileExW",
            "status": true,
            "return": "0x29253e86b20",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows"
              },
              {
                "name": "FirstCreateTimeLow",
                "value": "0x3a6eea36"
              },
              {
                "name": "FirstCreateTimeHigh",
                "value": "0x01ca0431"
              }
            ],
            "repeated": 0,
            "id": 1909
          },
          {
            "timestamp": "2026-05-28 22:01:57,521",
            "thread_id": "608",
            "caller": "0x7ff6c28b3de8",
            "parentcaller": "0x7ff6c28b38f4",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000550"
              }
            ],
            "repeated": 0,
            "id": 1910
          },
          {
            "timestamp": "2026-05-28 22:01:57,521",
            "thread_id": "608",
            "caller": "0x7ff6c28b3de8",
            "parentcaller": "0x7ff6c28b38f4",
            "category": "filesystem",
            "api": "FindFirstFileExW",
            "status": true,
            "return": "0x29253e86a60",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32"
              },
              {
                "name": "FirstCreateTimeLow",
                "value": "0x3a6eea36"
              },
              {
                "name": "FirstCreateTimeHigh",
                "value": "0x01d5acdd"
              }
            ],
            "repeated": 0,
            "id": 1911
          },
          {
            "timestamp": "2026-05-28 22:01:57,521",
            "thread_id": "608",
            "caller": "0x7ff6c28b3de8",
            "parentcaller": "0x7ff6c28b38f4",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000550"
              }
            ],
            "repeated": 0,
            "id": 1912
          },
          {
            "timestamp": "2026-05-28 22:01:57,521",
            "thread_id": "608",
            "caller": "0x7ff6c28b3de8",
            "parentcaller": "0x7ff6c28b38f4",
            "category": "filesystem",
            "api": "FindFirstFileExW",
            "status": true,
            "return": "0x29253e85f80",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\Taskmgr.exe"
              },
              {
                "name": "FirstCreateTimeLow",
                "value": "0x6eac9751"
              },
              {
                "name": "FirstCreateTimeHigh",
                "value": "0x01da265c"
              }
            ],
            "repeated": 0,
            "id": 1913
          },
          {
            "timestamp": "2026-05-28 22:01:57,521",
            "thread_id": "608",
            "caller": "0x7ff6c28b3de8",
            "parentcaller": "0x7ff6c28b38f4",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000550"
              }
            ],
            "repeated": 0,
            "id": 1914
          },
          {
            "timestamp": "2026-05-28 22:01:57,521",
            "thread_id": "612",
            "caller": "0x7ff6c297ad56",
            "parentcaller": "0x7ff6c297a87e",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000498"
              },
              {
                "name": "Milliseconds",
                "value": "18446744073709551615"
              },
              {
                "name": "Status",
                "value": "Infinite"
              }
            ],
            "repeated": 0,
            "id": 1915
          },
          {
            "timestamp": "2026-05-28 22:01:57,521",
            "thread_id": "612",
            "caller": "0x7ff6c297ad56",
            "parentcaller": "0x7ff6c297a87e",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 1916
          },
          {
            "timestamp": "2026-05-28 22:01:57,521",
            "thread_id": "612",
            "caller": "0x7ff6c297ad56",
            "parentcaller": "0x7ff6c297a87e",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000498"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 1917
          },
          {
            "timestamp": "2026-05-28 22:01:57,521",
            "thread_id": "612",
            "caller": "0x7ff6c297ad56",
            "parentcaller": "0x7ff6c297a87e",
            "category": "synchronization",
            "api": "NtReleaseMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000498"
              }
            ],
            "repeated": 0,
            "id": 1918
          },
          {
            "timestamp": "2026-05-28 22:01:57,521",
            "thread_id": "612",
            "caller": "0x7ff6c297ad56",
            "parentcaller": "0x7ff6c297a87e",
            "category": "filesystem",
            "api": "NtReadFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000004a4"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\System32\\WDI\\LogFiles\\StartupInfo\\S-1-5-21-3968686040-3210279463-847977608-1001_StartupInfo5.xml"
              },
              {
                "name": "Buffer",
                "value": "r\\x00a\\x00s\\x00h\\x00p\\x00a\\x00d\\x00-\\x00h\\x00a\\x00n\\x00d\\x00l\\x00e\\x00r\\x00 \\x00-\\x00-\\x00d\\x00a\\x00t\\x00a\\x00b\\x00a\\x00s\\x00e\\x00=\\x00C\\x00:\\x00\\\\x00W\\x00i\\x00n\\x00d\\x00o\\x00w\\x00s\\x00\\\\x00S\\x00y\\x00s\\x00t\\x00e\\x00m\\x00T\\x00e\\x00m\\x00p\\x00\\\\x00C\\x00r\\x00a\\x00s\\x00h\\x00p\\x00a\\x00d\\x00 \\x00-\\x00-\\x00u\\x00r\\x00l\\x00=\\x00h\\x00t\\x00t\\x00p\\x00s\\x00:\\x00/\\x00/\\x00c\\x00l\\x00i\\x00e\\x00n\\x00t\\x00s\\x002\\x00.\\x00g\\x00o\\x00o\\x00g\\x00l\\x00e\\x00.\\x00c\\x00o\\x00m\\x00/\\x00c\\x00r\\x00/\\x00r\\x00e\\x00p\\x00o\\x00r\\x00t\\x00 \\x00-\\x00-\\x00a\\x00n\\x00n\\x00o\\x00t\\x00a\\x00t\\x00i\\x00o\\x00n\\x00=\\x00c\\x00h\\x00a\\x00n\\x00n\\x00e\\x00l\\x00=\\x00 \\x00-\\x00-\\x00a\\x00n\\x00"
              },
              {
                "name": "Length",
                "value": "4096"
              }
            ],
            "repeated": 0,
            "id": 1919
          },
          {
            "timestamp": "2026-05-28 22:01:57,521",
            "thread_id": "612",
            "caller": "0x7ff6c297ad56",
            "parentcaller": "0x7ff6c297a87e",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 1920
          },
          {
            "timestamp": "2026-05-28 22:01:57,521",
            "thread_id": "612",
            "caller": "0x7ff6c297ad56",
            "parentcaller": "0x7ff6c297a87e",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000498"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 1921
          },
          {
            "timestamp": "2026-05-28 22:01:57,521",
            "thread_id": "612",
            "caller": "0x7ff6c297ad56",
            "parentcaller": "0x7ff6c297a87e",
            "category": "synchronization",
            "api": "NtReleaseMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000498"
              }
            ],
            "repeated": 1,
            "id": 1922
          },
          {
            "timestamp": "2026-05-28 22:01:57,521",
            "thread_id": "612",
            "caller": "0x7ff6c290bbeb",
            "parentcaller": "0x7ff6c297ad73",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Program Files\\Google\\Chrome\\Application\\148.0.7778.217\\Installer\\chrmstp.exe"
              }
            ],
            "repeated": 2,
            "id": 1923
          },
          {
            "timestamp": "2026-05-28 22:01:57,521",
            "thread_id": "612",
            "caller": "0x7ff6c297acae",
            "parentcaller": "0x7ff6c297a87e",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000498"
              },
              {
                "name": "Milliseconds",
                "value": "18446744073709551615"
              },
              {
                "name": "Status",
                "value": "Infinite"
              }
            ],
            "repeated": 0,
            "id": 1924
          },
          {
            "timestamp": "2026-05-28 22:01:57,521",
            "thread_id": "612",
            "caller": "0x7ff6c297acae",
            "parentcaller": "0x7ff6c297a87e",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 1925
          },
          {
            "timestamp": "2026-05-28 22:01:57,521",
            "thread_id": "612",
            "caller": "0x7ff6c297acae",
            "parentcaller": "0x7ff6c297a87e",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000498"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 1926
          },
          {
            "timestamp": "2026-05-28 22:01:57,521",
            "thread_id": "612",
            "caller": "0x7ff6c297acae",
            "parentcaller": "0x7ff6c297a87e",
            "category": "synchronization",
            "api": "NtReleaseMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000498"
              }
            ],
            "repeated": 0,
            "id": 1927
          },
          {
            "timestamp": "2026-05-28 22:01:57,521",
            "thread_id": "608",
            "caller": "0x7ff6c28b3e23",
            "parentcaller": "0x7ff6c28b38f4",
            "category": "windows",
            "api": "FindWindowW",
            "status": true,
            "return": "0x00010092",
            "arguments": [
              {
                "name": "ClassName",
                "value": "Shell_TrayWnd"
              },
              {
                "name": "WindowName",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 1928
          },
          {
            "timestamp": "2026-05-28 22:01:57,521",
            "thread_id": "612",
            "caller": "0x7ff6c297acae",
            "parentcaller": "0x7ff6c297a87e",
            "category": "filesystem",
            "api": "NtReadFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000004a4"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\System32\\WDI\\LogFiles\\StartupInfo\\S-1-5-21-3968686040-3210279463-847977608-1001_StartupInfo5.xml"
              },
              {
                "name": "Buffer",
                "value": "t\\x00a\\x00r\\x00t\\x00e\\x00d\\x00I\\x00n\\x00T\\x00r\\x00a\\x00c\\x00e\\x00S\\x00e\\x00c\\x00=\\x00\"\\x004\\x00.\\x009\\x008\\x002\\x00\"\\x00>\\x00\r\\x00\n\\x00\t\\x00\t\\x00<\\x00S\\x00t\\x00a\\x00r\\x00t\\x00T\\x00i\\x00m\\x00e\\x00>\\x002\\x000\\x002\\x006\\x00/\\x000\\x005\\x00/\\x002\\x009\\x00:\\x000\\x000\\x00:\\x003\\x001\\x00:\\x002\\x005\\x00.\\x006\\x006\\x004\\x003\\x004\\x005\\x003\\x00<\\x00/\\x00S\\x00t\\x00a\\x00r\\x00t\\x00T\\x00i\\x00m\\x00e\\x00>\\x00\r\\x00\n\\x00\t\\x00\t\\x00<\\x00C\\x00o\\x00m\\x00m\\x00a\\x00n\\x00d\\x00L\\x00i\\x00n\\x00e\\x00>\\x00<\\x00!\\x00[\\x00C\\x00D\\x00A\\x00T\\x00A\\x00[\\x00\"\\x00C\\x00:\\x00\\\\x00P\\x00r\\x00o\\x00g\\x00r\\x00a\\x00m\\x00 \\x00F\\x00i\\x00l\\x00e\\x00s\\x00\\\\x00G\\x00o\\x00o\\x00g\\x00l\\x00"
              },
              {
                "name": "Length",
                "value": "4096"
              }
            ],
            "repeated": 0,
            "id": 1929
          },
          {
            "timestamp": "2026-05-28 22:01:57,521",
            "thread_id": "608",
            "caller": "0x7ff6c28b3e23",
            "parentcaller": "0x7ff6c28b38f4",
            "category": "filesystem",
            "api": "FindFirstFileExW",
            "status": true,
            "return": "0x29253e86520",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows"
              },
              {
                "name": "FirstCreateTimeLow",
                "value": "0x3a6eea36"
              },
              {
                "name": "FirstCreateTimeHigh",
                "value": "0x01ca0431"
              }
            ],
            "repeated": 0,
            "id": 1930
          },
          {
            "timestamp": "2026-05-28 22:01:57,521",
            "thread_id": "612",
            "caller": "0x7ff6c290bbeb",
            "parentcaller": "0x7ff6c297ad73",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe"
              }
            ],
            "repeated": 0,
            "id": 1931
          },
          {
            "timestamp": "2026-05-28 22:01:57,521",
            "thread_id": "612",
            "caller": "0x7ff6c290bbeb",
            "parentcaller": "0x7ff6c297ad73",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Program Files\\Google\\Chrome\\Application\\148.0.7778.217\\Installer\\chrmstp.exe"
              }
            ],
            "repeated": 0,
            "id": 1932
          },
          {
            "timestamp": "2026-05-28 22:01:57,521",
            "thread_id": "612",
            "caller": "0x7ff6c297a793",
            "parentcaller": "0x7ff6c297b1f4",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000498"
              },
              {
                "name": "Milliseconds",
                "value": "18446744073709551615"
              },
              {
                "name": "Status",
                "value": "Infinite"
              }
            ],
            "repeated": 0,
            "id": 1933
          },
          {
            "timestamp": "2026-05-28 22:01:57,521",
            "thread_id": "612",
            "caller": "0x7ff6c297a793",
            "parentcaller": "0x7ff6c297b1f4",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 1934
          },
          {
            "timestamp": "2026-05-28 22:01:57,521",
            "thread_id": "612",
            "caller": "0x7ff6c297a793",
            "parentcaller": "0x7ff6c297b1f4",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000498"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 1935
          },
          {
            "timestamp": "2026-05-28 22:01:57,521",
            "thread_id": "612",
            "caller": "0x7ff6c297a793",
            "parentcaller": "0x7ff6c297b1f4",
            "category": "synchronization",
            "api": "NtReleaseMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000498"
              }
            ],
            "repeated": 0,
            "id": 1936
          },
          {
            "timestamp": "2026-05-28 22:01:57,521",
            "thread_id": "612",
            "caller": "0x7ff6c297a793",
            "parentcaller": "0x7ff6c297b1f4",
            "category": "filesystem",
            "api": "NtReadFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000004a4"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\System32\\WDI\\LogFiles\\StartupInfo\\S-1-5-21-3968686040-3210279463-847977608-1001_StartupInfo5.xml"
              },
              {
                "name": "Buffer",
                "value": "\n\\x00\t\\x00\t\\x00<\\x00C\\x00o\\x00m\\x00m\\x00a\\x00n\\x00d\\x00L\\x00i\\x00n\\x00e\\x00>\\x00<\\x00!\\x00[\\x00C\\x00D\\x00A\\x00T\\x00A\\x00[\\x00\"\\x00C\\x00:\\x00\\\\x00P\\x00r\\x00o\\x00g\\x00r\\x00a\\x00m\\x00 \\x00F\\x00i\\x00l\\x00e\\x00s\\x00 \\x00(\\x00x\\x008\\x006\\x00)\\x00\\\\x00S\\x00t\\x00e\\x00a\\x00m\\x00\\\\x00b\\x00i\\x00n\\x00\\\\x00c\\x00e\\x00f\\x00\\\\x00c\\x00e\\x00f\\x00.\\x00w\\x00i\\x00n\\x006\\x004\\x00\\\\x00s\\x00t\\x00e\\x00a\\x00m\\x00w\\x00e\\x00b\\x00h\\x00e\\x00l\\x00p\\x00e\\x00r\\x00.\\x00e\\x00x\\x00e\\x00\"\\x00 \\x00-\\x00-\\x00t\\x00y\\x00p\\x00e\\x00=\\x00r\\x00e\\x00n\\x00d\\x00e\\x00r\\x00e\\x00r\\x00 \\x00-\\x00-\\x00e\\x00n\\x00a\\x00b\\x00l\\x00e\\x00-\\x00c\\x00h\\x00r\\x00o\\x00m\\x00e\\x00-\\x00r\\x00u\\x00n\\x00"
              },
              {
                "name": "Length",
                "value": "4096"
              }
            ],
            "repeated": 0,
            "id": 1937
          },
          {
            "timestamp": "2026-05-28 22:01:57,521",
            "thread_id": "612",
            "caller": "0x7ff6c297a793",
            "parentcaller": "0x7ff6c297b1f4",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 1938
          },
          {
            "timestamp": "2026-05-28 22:01:57,521",
            "thread_id": "612",
            "caller": "0x7ff6c297a793",
            "parentcaller": "0x7ff6c297b1f4",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000498"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 1939
          },
          {
            "timestamp": "2026-05-28 22:01:57,521",
            "thread_id": "612",
            "caller": "0x7ff6c297a793",
            "parentcaller": "0x7ff6c297b1f4",
            "category": "synchronization",
            "api": "NtReleaseMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000498"
              }
            ],
            "repeated": 1,
            "id": 1940
          },
          {
            "timestamp": "2026-05-28 22:01:57,521",
            "thread_id": "612",
            "caller": "0x7ff6c290bbeb",
            "parentcaller": "0x7ff6c297ad73",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Program Files (x86)\\Steam\\bin\\cef\\cef.win64\\steamwebhelper.exe"
              }
            ],
            "repeated": 1,
            "id": 1941
          },
          {
            "timestamp": "2026-05-28 22:01:57,521",
            "thread_id": "612",
            "caller": "0x7ff6c297a793",
            "parentcaller": "0x7ff6c297b1f4",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000498"
              },
              {
                "name": "Milliseconds",
                "value": "18446744073709551615"
              },
              {
                "name": "Status",
                "value": "Infinite"
              }
            ],
            "repeated": 0,
            "id": 1942
          },
          {
            "timestamp": "2026-05-28 22:01:57,521",
            "thread_id": "612",
            "caller": "0x7ff6c297a793",
            "parentcaller": "0x7ff6c297b1f4",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 1943
          },
          {
            "timestamp": "2026-05-28 22:01:57,521",
            "thread_id": "612",
            "caller": "0x7ff6c297a793",
            "parentcaller": "0x7ff6c297b1f4",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000498"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 1944
          },
          {
            "timestamp": "2026-05-28 22:01:57,521",
            "thread_id": "612",
            "caller": "0x7ff6c297a793",
            "parentcaller": "0x7ff6c297b1f4",
            "category": "synchronization",
            "api": "NtReleaseMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000498"
              }
            ],
            "repeated": 0,
            "id": 1945
          },
          {
            "timestamp": "2026-05-28 22:01:57,521",
            "thread_id": "612",
            "caller": "0x7ff6c297a793",
            "parentcaller": "0x7ff6c297b1f4",
            "category": "filesystem",
            "api": "NtReadFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000004a4"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\System32\\WDI\\LogFiles\\StartupInfo\\S-1-5-21-3968686040-3210279463-847977608-1001_StartupInfo5.xml"
              },
              {
                "name": "Buffer",
                "value": "-\\x00-\\x00t\\x00y\\x00p\\x00e\\x00=\\x00c\\x00r\\x00a\\x00s\\x00h\\x00p\\x00a\\x00d\\x00-\\x00h\\x00a\\x00n\\x00d\\x00l\\x00e\\x00r\\x00 \\x00/\\x00p\\x00r\\x00e\\x00f\\x00e\\x00t\\x00c\\x00h\\x00:\\x004\\x00 \\x00-\\x00-\\x00m\\x00a\\x00x\\x00-\\x00u\\x00p\\x00l\\x00o\\x00a\\x00d\\x00s\\x00=\\x005\\x00 \\x00-\\x00-\\x00m\\x00a\\x00x\\x00-\\x00d\\x00b\\x00-\\x00s\\x00i\\x00z\\x00e\\x00=\\x002\\x000\\x00 \\x00-\\x00-\\x00m\\x00a\\x00x\\x00-\\x00d\\x00b\\x00-\\x00a\\x00g\\x00e\\x00=\\x005\\x00 \\x00-\\x00-\\x00m\\x00o\\x00n\\x00i\\x00t\\x00o\\x00r\\x00-\\x00s\\x00e\\x00l\\x00f\\x00-\\x00a\\x00n\\x00n\\x00o\\x00t\\x00a\\x00t\\x00i\\x00o\\x00n\\x00=\\x00p\\x00t\\x00y\\x00p\\x00e\\x00=\\x00c\\x00r\\x00a\\x00s\\x00h\\x00p\\x00a\\x00d\\x00-\\x00h\\x00a\\x00n\\x00"
              },
              {
                "name": "Length",
                "value": "4096"
              }
            ],
            "repeated": 0,
            "id": 1946
          },
          {
            "timestamp": "2026-05-28 22:01:57,521",
            "thread_id": "612",
            "caller": "0x7ff6c297a793",
            "parentcaller": "0x7ff6c297b1f4",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 1947
          },
          {
            "timestamp": "2026-05-28 22:01:57,521",
            "thread_id": "612",
            "caller": "0x7ff6c297a793",
            "parentcaller": "0x7ff6c297b1f4",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000498"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 1948
          },
          {
            "timestamp": "2026-05-28 22:01:57,521",
            "thread_id": "612",
            "caller": "0x7ff6c297a793",
            "parentcaller": "0x7ff6c297b1f4",
            "category": "synchronization",
            "api": "NtReleaseMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000498"
              }
            ],
            "repeated": 1,
            "id": 1949
          },
          {
            "timestamp": "2026-05-28 22:01:57,521",
            "thread_id": "612",
            "caller": "0x7ff6c290bbeb",
            "parentcaller": "0x7ff6c297ad73",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Program Files (x86)\\Steam\\bin\\cef\\cef.win64\\steamwebhelper.exe"
              }
            ],
            "repeated": 0,
            "id": 1950
          },
          {
            "timestamp": "2026-05-28 22:01:57,521",
            "thread_id": "612",
            "caller": "0x7ff6c297a793",
            "parentcaller": "0x7ff6c297b1f4",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000498"
              },
              {
                "name": "Milliseconds",
                "value": "18446744073709551615"
              },
              {
                "name": "Status",
                "value": "Infinite"
              }
            ],
            "repeated": 0,
            "id": 1951
          },
          {
            "timestamp": "2026-05-28 22:01:57,521",
            "thread_id": "612",
            "caller": "0x7ff6c297a793",
            "parentcaller": "0x7ff6c297b1f4",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 1952
          },
          {
            "timestamp": "2026-05-28 22:01:57,521",
            "thread_id": "612",
            "caller": "0x7ff6c297a793",
            "parentcaller": "0x7ff6c297b1f4",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000498"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 1953
          },
          {
            "timestamp": "2026-05-28 22:01:57,521",
            "thread_id": "612",
            "caller": "0x7ff6c297a793",
            "parentcaller": "0x7ff6c297b1f4",
            "category": "synchronization",
            "api": "NtReleaseMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000498"
              }
            ],
            "repeated": 0,
            "id": 1954
          },
          {
            "timestamp": "2026-05-28 22:01:57,521",
            "thread_id": "612",
            "caller": "0x7ff6c297a793",
            "parentcaller": "0x7ff6c297b1f4",
            "category": "filesystem",
            "api": "NtReadFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000004a4"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\System32\\WDI\\LogFiles\\StartupInfo\\S-1-5-21-3968686040-3210279463-847977608-1001_StartupInfo5.xml"
              },
              {
                "name": "Buffer",
                "value": "r\\x00e\\x00n\\x00t\\x00P\\x00I\\x00D\\x00>\\x00\r\\x00\n\\x00\t\\x00\t\\x00<\\x00P\\x00a\\x00r\\x00e\\x00n\\x00t\\x00S\\x00t\\x00a\\x00r\\x00t\\x00T\\x00i\\x00m\\x00e\\x00>\\x002\\x000\\x002\\x006\\x00/\\x000\\x005\\x00/\\x002\\x009\\x00:\\x000\\x000\\x00:\\x003\\x001\\x00:\\x003\\x009\\x00.\\x000\\x008\\x008\\x009\\x005\\x000\\x001\\x00<\\x00/\\x00P\\x00a\\x00r\\x00e\\x00n\\x00t\\x00S\\x00t\\x00a\\x00r\\x00t\\x00T\\x00i\\x00m\\x00e\\x00>\\x00\r\\x00\n\\x00\t\\x00\t\\x00<\\x00P\\x00a\\x00r\\x00e\\x00n\\x00t\\x00N\\x00a\\x00m\\x00e\\x00>\\x00D\\x00i\\x00s\\x00c\\x00o\\x00r\\x00d\\x00.\\x00e\\x00x\\x00e\\x00<\\x00/\\x00P\\x00a\\x00r\\x00e\\x00n\\x00t\\x00N\\x00a\\x00m\\x00e\\x00>\\x00\r\\x00\n\\x00\t\\x00<\\x00/\\x00P\\x00r\\x00o\\x00c\\x00e\\x00s\\x00s\\x00>\\x00\r\\x00"
              },
              {
                "name": "Length",
                "value": "4096"
              }
            ],
            "repeated": 0,
            "id": 1955
          },
          {
            "timestamp": "2026-05-28 22:01:57,521",
            "thread_id": "612",
            "caller": "0x7ff6c297a793",
            "parentcaller": "0x7ff6c297b1f4",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 1956
          },
          {
            "timestamp": "2026-05-28 22:01:57,521",
            "thread_id": "612",
            "caller": "0x7ff6c297a793",
            "parentcaller": "0x7ff6c297b1f4",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000498"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 1957
          },
          {
            "timestamp": "2026-05-28 22:01:57,521",
            "thread_id": "612",
            "caller": "0x7ff6c297a793",
            "parentcaller": "0x7ff6c297b1f4",
            "category": "synchronization",
            "api": "NtReleaseMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000498"
              }
            ],
            "repeated": 1,
            "id": 1958
          },
          {
            "timestamp": "2026-05-28 22:01:57,521",
            "thread_id": "612",
            "caller": "0x7ff6c290bbeb",
            "parentcaller": "0x7ff6c297ad73",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x00000508"
              }
            ],
            "repeated": 0,
            "id": 1959
          },
          {
            "timestamp": "2026-05-28 22:01:57,521",
            "thread_id": "612",
            "caller": "0x7ff6c290bbeb",
            "parentcaller": "0x7ff6c297ad73",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "29"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1960
          },
          {
            "timestamp": "2026-05-28 22:01:57,521",
            "thread_id": "612",
            "caller": "0x7ff6c290bbeb",
            "parentcaller": "0x7ff6c297ad73",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "25"
              },
              {
                "name": "TokenInformation",
                "value": "\\xc0\\xc2\\xff\\x9d\\xf0\\x00\\x00\\x00`\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x10\\x000\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1961
          },
          {
            "timestamp": "2026-05-28 22:01:57,521",
            "thread_id": "612",
            "caller": "0x7ff6c290bbeb",
            "parentcaller": "0x7ff6c297ad73",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions"
              },
              {
                "name": "Handle",
                "value": "0x00000540"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions"
              }
            ],
            "repeated": 0,
            "id": 1962
          },
          {
            "timestamp": "2026-05-28 22:01:57,521",
            "thread_id": "612",
            "caller": "0x7ff6c290bbeb",
            "parentcaller": "0x7ff6c297ad73",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000540"
              },
              {
                "name": "SubKey",
                "value": "{905E63B6-C1BF-494E-B29C-65B732D3D21A}"
              },
              {
                "name": "Handle",
                "value": "0x0000053c"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{905E63B6-C1BF-494E-B29C-65B732D3D21A}"
              }
            ],
            "repeated": 0,
            "id": 1963
          },
          {
            "timestamp": "2026-05-28 22:01:57,521",
            "thread_id": "612",
            "caller": "0x7ff6c290bbeb",
            "parentcaller": "0x7ff6c297ad73",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000540"
              }
            ],
            "repeated": 0,
            "id": 1964
          },
          {
            "timestamp": "2026-05-28 22:01:57,521",
            "thread_id": "612",
            "caller": "0x7ff6c290bbeb",
            "parentcaller": "0x7ff6c297ad73",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000053c"
              },
              {
                "name": "ValueName",
                "value": "Category"
              },
              {
                "name": "Data",
                "value": "2"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{905e63b6-c1bf-494e-b29c-65b732d3d21a}\\Category"
              }
            ],
            "repeated": 0,
            "id": 1965
          },
          {
            "timestamp": "2026-05-28 22:01:57,521",
            "thread_id": "612",
            "caller": "0x7ff6c290bbeb",
            "parentcaller": "0x7ff6c297ad73",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000053c"
              },
              {
                "name": "ValueName",
                "value": "Name"
              },
              {
                "name": "Data",
                "value": "ProgramFiles"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{905e63b6-c1bf-494e-b29c-65b732d3d21a}\\Name"
              }
            ],
            "repeated": 0,
            "id": 1966
          },
          {
            "timestamp": "2026-05-28 22:01:57,521",
            "thread_id": "612",
            "caller": "0x7ff6c290bbeb",
            "parentcaller": "0x7ff6c297ad73",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000053c"
              },
              {
                "name": "ValueName",
                "value": "ParentFolder"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{905e63b6-c1bf-494e-b29c-65b732d3d21a}\\ParentFolder"
              }
            ],
            "repeated": 0,
            "id": 1967
          },
          {
            "timestamp": "2026-05-28 22:01:57,521",
            "thread_id": "612",
            "caller": "0x7ff6c290bbeb",
            "parentcaller": "0x7ff6c297ad73",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000053c"
              },
              {
                "name": "ValueName",
                "value": "Description"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{905e63b6-c1bf-494e-b29c-65b732d3d21a}\\Description"
              }
            ],
            "repeated": 0,
            "id": 1968
          },
          {
            "timestamp": "2026-05-28 22:01:57,521",
            "thread_id": "612",
            "caller": "0x7ff6c290bbeb",
            "parentcaller": "0x7ff6c297ad73",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000053c"
              },
              {
                "name": "ValueName",
                "value": "RelativePath"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{905e63b6-c1bf-494e-b29c-65b732d3d21a}\\RelativePath"
              }
            ],
            "repeated": 0,
            "id": 1969
          },
          {
            "timestamp": "2026-05-28 22:01:57,521",
            "thread_id": "612",
            "caller": "0x7ff6c290bbeb",
            "parentcaller": "0x7ff6c297ad73",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000053c"
              },
              {
                "name": "ValueName",
                "value": "ParsingName"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{905e63b6-c1bf-494e-b29c-65b732d3d21a}\\ParsingName"
              }
            ],
            "repeated": 0,
            "id": 1970
          },
          {
            "timestamp": "2026-05-28 22:01:57,521",
            "thread_id": "612",
            "caller": "0x7ff6c290bbeb",
            "parentcaller": "0x7ff6c297ad73",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000053c"
              },
              {
                "name": "ValueName",
                "value": "InfoTip"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{905e63b6-c1bf-494e-b29c-65b732d3d21a}\\InfoTip"
              }
            ],
            "repeated": 0,
            "id": 1971
          },
          {
            "timestamp": "2026-05-28 22:01:57,521",
            "thread_id": "612",
            "caller": "0x7ff6c290bbeb",
            "parentcaller": "0x7ff6c297ad73",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000053c"
              },
              {
                "name": "ValueName",
                "value": "LocalizedName"
              },
              {
                "name": "Data",
                "value": "@%SystemRoot%\\system32\\shell32.dll,-21781"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{905e63b6-c1bf-494e-b29c-65b732d3d21a}\\LocalizedName"
              }
            ],
            "repeated": 0,
            "id": 1972
          },
          {
            "timestamp": "2026-05-28 22:01:57,521",
            "thread_id": "612",
            "caller": "0x7ff6c290bbeb",
            "parentcaller": "0x7ff6c297ad73",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000053c"
              },
              {
                "name": "ValueName",
                "value": "Icon"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{905e63b6-c1bf-494e-b29c-65b732d3d21a}\\Icon"
              }
            ],
            "repeated": 0,
            "id": 1973
          },
          {
            "timestamp": "2026-05-28 22:01:57,521",
            "thread_id": "612",
            "caller": "0x7ff6c290bbeb",
            "parentcaller": "0x7ff6c297ad73",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000053c"
              },
              {
                "name": "ValueName",
                "value": "Security"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{905e63b6-c1bf-494e-b29c-65b732d3d21a}\\Security"
              }
            ],
            "repeated": 0,
            "id": 1974
          },
          {
            "timestamp": "2026-05-28 22:01:57,521",
            "thread_id": "612",
            "caller": "0x7ff6c290bbeb",
            "parentcaller": "0x7ff6c297ad73",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000053c"
              },
              {
                "name": "ValueName",
                "value": "StreamResource"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{905e63b6-c1bf-494e-b29c-65b732d3d21a}\\StreamResource"
              }
            ],
            "repeated": 0,
            "id": 1975
          },
          {
            "timestamp": "2026-05-28 22:01:57,521",
            "thread_id": "612",
            "caller": "0x7ff6c290bbeb",
            "parentcaller": "0x7ff6c297ad73",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000053c"
              },
              {
                "name": "ValueName",
                "value": "StreamResourceType"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{905e63b6-c1bf-494e-b29c-65b732d3d21a}\\StreamResourceType"
              }
            ],
            "repeated": 0,
            "id": 1976
          },
          {
            "timestamp": "2026-05-28 22:01:57,521",
            "thread_id": "612",
            "caller": "0x7ff6c290bbeb",
            "parentcaller": "0x7ff6c297ad73",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000053c"
              },
              {
                "name": "ValueName",
                "value": "LocalRedirectOnly"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{905e63b6-c1bf-494e-b29c-65b732d3d21a}\\LocalRedirectOnly"
              }
            ],
            "repeated": 0,
            "id": 1977
          },
          {
            "timestamp": "2026-05-28 22:01:57,521",
            "thread_id": "612",
            "caller": "0x7ff6c290bbeb",
            "parentcaller": "0x7ff6c297ad73",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000053c"
              },
              {
                "name": "ValueName",
                "value": "Roamable"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{905e63b6-c1bf-494e-b29c-65b732d3d21a}\\Roamable"
              }
            ],
            "repeated": 0,
            "id": 1978
          },
          {
            "timestamp": "2026-05-28 22:01:57,521",
            "thread_id": "612",
            "caller": "0x7ff6c290bbeb",
            "parentcaller": "0x7ff6c297ad73",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000053c"
              },
              {
                "name": "ValueName",
                "value": "PreCreate"
              },
              {
                "name": "Data",
                "value": "1"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{905e63b6-c1bf-494e-b29c-65b732d3d21a}\\PreCreate"
              }
            ],
            "repeated": 0,
            "id": 1979
          },
          {
            "timestamp": "2026-05-28 22:01:57,521",
            "thread_id": "612",
            "caller": "0x7ff6c290bbeb",
            "parentcaller": "0x7ff6c297ad73",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000053c"
              },
              {
                "name": "ValueName",
                "value": "Stream"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{905e63b6-c1bf-494e-b29c-65b732d3d21a}\\Stream"
              }
            ],
            "repeated": 0,
            "id": 1980
          },
          {
            "timestamp": "2026-05-28 22:01:57,521",
            "thread_id": "612",
            "caller": "0x7ff6c290bbeb",
            "parentcaller": "0x7ff6c297ad73",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000053c"
              },
              {
                "name": "ValueName",
                "value": "PublishExpandedPath"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{905e63b6-c1bf-494e-b29c-65b732d3d21a}\\PublishExpandedPath"
              }
            ],
            "repeated": 0,
            "id": 1981
          },
          {
            "timestamp": "2026-05-28 22:01:57,521",
            "thread_id": "612",
            "caller": "0x7ff6c290bbeb",
            "parentcaller": "0x7ff6c297ad73",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000053c"
              },
              {
                "name": "ValueName",
                "value": "DefinitionFlags"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{905e63b6-c1bf-494e-b29c-65b732d3d21a}\\DefinitionFlags"
              }
            ],
            "repeated": 0,
            "id": 1982
          },
          {
            "timestamp": "2026-05-28 22:01:57,521",
            "thread_id": "612",
            "caller": "0x7ff6c290bbeb",
            "parentcaller": "0x7ff6c297ad73",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000053c"
              },
              {
                "name": "ValueName",
                "value": "Attributes"
              },
              {
                "name": "Data",
                "value": "1"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{905e63b6-c1bf-494e-b29c-65b732d3d21a}\\Attributes"
              }
            ],
            "repeated": 0,
            "id": 1983
          },
          {
            "timestamp": "2026-05-28 22:01:57,521",
            "thread_id": "612",
            "caller": "0x7ff6c290bbeb",
            "parentcaller": "0x7ff6c297ad73",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000053c"
              },
              {
                "name": "ValueName",
                "value": "FolderTypeID"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{905e63b6-c1bf-494e-b29c-65b732d3d21a}\\FolderTypeID"
              }
            ],
            "repeated": 0,
            "id": 1984
          },
          {
            "timestamp": "2026-05-28 22:01:57,521",
            "thread_id": "612",
            "caller": "0x7ff6c290bbeb",
            "parentcaller": "0x7ff6c297ad73",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000053c"
              },
              {
                "name": "ValueName",
                "value": "InitFolderHandler"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{905e63b6-c1bf-494e-b29c-65b732d3d21a}\\InitFolderHandler"
              }
            ],
            "repeated": 0,
            "id": 1985
          },
          {
            "timestamp": "2026-05-28 22:01:57,521",
            "thread_id": "612",
            "caller": "0x7ff6c290bbeb",
            "parentcaller": "0x7ff6c297ad73",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x0000053c"
              },
              {
                "name": "SubKey",
                "value": "PropertyBag"
              },
              {
                "name": "Handle",
                "value": "0x00000540"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{905e63b6-c1bf-494e-b29c-65b732d3d21a}\\PropertyBag"
              }
            ],
            "repeated": 0,
            "id": 1986
          },
          {
            "timestamp": "2026-05-28 22:01:57,521",
            "thread_id": "612",
            "caller": "0x7ff6c290bbeb",
            "parentcaller": "0x7ff6c297ad73",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000053c"
              }
            ],
            "repeated": 0,
            "id": 1987
          },
          {
            "timestamp": "2026-05-28 22:01:57,521",
            "thread_id": "612",
            "caller": "0x7ff6c290bbeb",
            "parentcaller": "0x7ff6c297ad73",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion"
              },
              {
                "name": "Handle",
                "value": "0x0000053c"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion"
              }
            ],
            "repeated": 0,
            "id": 1988
          },
          {
            "timestamp": "2026-05-28 22:01:57,521",
            "thread_id": "612",
            "caller": "0x7ff6c290bbeb",
            "parentcaller": "0x7ff6c297ad73",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000053c"
              },
              {
                "name": "ValueName",
                "value": "ProgramFilesDir"
              },
              {
                "name": "Data",
                "value": "C:\\Program Files"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\ProgramFilesDir"
              }
            ],
            "repeated": 0,
            "id": 1989
          },
          {
            "timestamp": "2026-05-28 22:01:57,521",
            "thread_id": "612",
            "caller": "0x7ff6c290bbeb",
            "parentcaller": "0x7ff6c297ad73",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000053c"
              }
            ],
            "repeated": 0,
            "id": 1990
          },
          {
            "timestamp": "2026-05-28 22:01:57,521",
            "thread_id": "612",
            "caller": "0x7ff6c290bbeb",
            "parentcaller": "0x7ff6c297ad73",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000508"
              }
            ],
            "repeated": 0,
            "id": 1991
          },
          {
            "timestamp": "2026-05-28 22:01:57,521",
            "thread_id": "612",
            "caller": "0x7ff6c290bbeb",
            "parentcaller": "0x7ff6c297ad73",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Program Files"
              }
            ],
            "repeated": 0,
            "id": 1992
          },
          {
            "timestamp": "2026-05-28 22:01:57,521",
            "thread_id": "612",
            "caller": "0x7ff6c290bbeb",
            "parentcaller": "0x7ff6c297ad73",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 1993
          },
          {
            "timestamp": "2026-05-28 22:01:57,521",
            "thread_id": "612",
            "caller": "0x7ff6c290bbeb",
            "parentcaller": "0x7ff6c297ad73",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000000d4"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 1994
          },
          {
            "timestamp": "2026-05-28 22:01:57,521",
            "thread_id": "612",
            "caller": "0x7ff6c290bbeb",
            "parentcaller": "0x7ff6c297ad73",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000000d4"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\KnownFolderSettings"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\KnownFolderSettings"
              }
            ],
            "repeated": 0,
            "id": 1995
          },
          {
            "timestamp": "2026-05-28 22:01:57,521",
            "thread_id": "612",
            "caller": "0x7ff6c290bbeb",
            "parentcaller": "0x7ff6c297ad73",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 1996
          },
          {
            "timestamp": "2026-05-28 22:01:57,521",
            "thread_id": "612",
            "caller": "0x7ff6c290bbeb",
            "parentcaller": "0x7ff6c297ad73",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000000d4"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 1997
          },
          {
            "timestamp": "2026-05-28 22:01:57,521",
            "thread_id": "612",
            "caller": "0x7ff6c290bbeb",
            "parentcaller": "0x7ff6c297ad73",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000000d4"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\KnownFolderSettings"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\KnownFolderSettings"
              }
            ],
            "repeated": 0,
            "id": 1998
          },
          {
            "timestamp": "2026-05-28 22:01:57,521",
            "thread_id": "612",
            "caller": "0x7ff6c290bbeb",
            "parentcaller": "0x7ff6c297ad73",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 1999
          },
          {
            "timestamp": "2026-05-28 22:01:57,521",
            "thread_id": "612",
            "caller": "0x7ff6c290bbeb",
            "parentcaller": "0x7ff6c297ad73",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\reg.exe"
              }
            ],
            "repeated": 0,
            "id": 2000
          },
          {
            "timestamp": "2026-05-28 22:01:57,521",
            "thread_id": "612",
            "caller": "0x7ff6c290bbeb",
            "parentcaller": "0x7ff6c297ad73",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Program Files (x86)\\Steam\\bin\\cef\\cef.win64\\steamwebhelper.exe"
              }
            ],
            "repeated": 0,
            "id": 2001
          },
          {
            "timestamp": "2026-05-28 22:01:57,521",
            "thread_id": "612",
            "caller": "0x7ff6c297ad56",
            "parentcaller": "0x7ff6c297a87e",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000498"
              },
              {
                "name": "Milliseconds",
                "value": "18446744073709551615"
              },
              {
                "name": "Status",
                "value": "Infinite"
              }
            ],
            "repeated": 0,
            "id": 2002
          },
          {
            "timestamp": "2026-05-28 22:01:57,521",
            "thread_id": "612",
            "caller": "0x7ff6c297ad56",
            "parentcaller": "0x7ff6c297a87e",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 2003
          },
          {
            "timestamp": "2026-05-28 22:01:57,521",
            "thread_id": "612",
            "caller": "0x7ff6c297ad56",
            "parentcaller": "0x7ff6c297a87e",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000498"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 2004
          },
          {
            "timestamp": "2026-05-28 22:01:57,521",
            "thread_id": "612",
            "caller": "0x7ff6c297ad56",
            "parentcaller": "0x7ff6c297a87e",
            "category": "synchronization",
            "api": "NtReleaseMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000498"
              }
            ],
            "repeated": 0,
            "id": 2005
          },
          {
            "timestamp": "2026-05-28 22:01:57,521",
            "thread_id": "612",
            "caller": "0x7ff6c297ad56",
            "parentcaller": "0x7ff6c297a87e",
            "category": "filesystem",
            "api": "NtReadFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000004a4"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\System32\\WDI\\LogFiles\\StartupInfo\\S-1-5-21-3968686040-3210279463-847977608-1001_StartupInfo5.xml"
              },
              {
                "name": "Buffer",
                "value": "e\\x00<\\x00/\\x00P\\x00a\\x00r\\x00e\\x00n\\x00t\\x00N\\x00a\\x00m\\x00e\\x00>\\x00\r\\x00\n\\x00\t\\x00<\\x00/\\x00P\\x00r\\x00o\\x00c\\x00e\\x00s\\x00s\\x00>\\x00\r\\x00\n\\x00\t\\x00<\\x00P\\x00r\\x00o\\x00c\\x00e\\x00s\\x00s\\x00 \\x00N\\x00a\\x00m\\x00e\\x00=\\x00\"\\x00C\\x00:\\x00\\\\x00P\\x00r\\x00o\\x00g\\x00r\\x00a\\x00m\\x00 \\x00F\\x00i\\x00l\\x00e\\x00s\\x00 \\x00(\\x00x\\x008\\x006\\x00)\\x00\\\\x00S\\x00t\\x00e\\x00a\\x00m\\x00\\\\x00b\\x00i\\x00n\\x00\\\\x00c\\x00e\\x00f\\x00\\\\x00c\\x00e\\x00f\\x00.\\x00w\\x00i\\x00n\\x006\\x004\\x00\\\\x00s\\x00t\\x00e\\x00a\\x00m\\x00w\\x00e\\x00b\\x00h\\x00e\\x00l\\x00p\\x00e\\x00r\\x00.\\x00e\\x00x\\x00e\\x00\"\\x00 \\x00P\\x00I\\x00D\\x00=\\x00\"\\x006\\x006\\x005\\x002\\x00\"\\x00 \\x00S\\x00t\\x00a\\x00r\\x00t\\x00"
              },
              {
                "name": "Length",
                "value": "4096"
              }
            ],
            "repeated": 0,
            "id": 2006
          },
          {
            "timestamp": "2026-05-28 22:01:57,521",
            "thread_id": "612",
            "caller": "0x7ff6c297ad56",
            "parentcaller": "0x7ff6c297a87e",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 2007
          },
          {
            "timestamp": "2026-05-28 22:01:57,521",
            "thread_id": "612",
            "caller": "0x7ff6c297ad56",
            "parentcaller": "0x7ff6c297a87e",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000498"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 2008
          },
          {
            "timestamp": "2026-05-28 22:01:57,521",
            "thread_id": "612",
            "caller": "0x7ff6c297ad56",
            "parentcaller": "0x7ff6c297a87e",
            "category": "synchronization",
            "api": "NtReleaseMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000498"
              }
            ],
            "repeated": 1,
            "id": 2009
          },
          {
            "timestamp": "2026-05-28 22:01:57,521",
            "thread_id": "612",
            "caller": "0x7ff6c290bbeb",
            "parentcaller": "0x7ff6c297ad73",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Program Files (x86)\\Steam\\bin\\cef\\cef.win64\\steamwebhelper.exe"
              }
            ],
            "repeated": 1,
            "id": 2010
          },
          {
            "timestamp": "2026-05-28 22:01:57,521",
            "thread_id": "612",
            "caller": "0x7ff6c297acae",
            "parentcaller": "0x7ff6c297a87e",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000498"
              },
              {
                "name": "Milliseconds",
                "value": "18446744073709551615"
              },
              {
                "name": "Status",
                "value": "Infinite"
              }
            ],
            "repeated": 0,
            "id": 2011
          },
          {
            "timestamp": "2026-05-28 22:01:57,521",
            "thread_id": "612",
            "caller": "0x7ff6c297acae",
            "parentcaller": "0x7ff6c297a87e",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 2012
          },
          {
            "timestamp": "2026-05-28 22:01:57,521",
            "thread_id": "612",
            "caller": "0x7ff6c297acae",
            "parentcaller": "0x7ff6c297a87e",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000498"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 2013
          },
          {
            "timestamp": "2026-05-28 22:01:57,521",
            "thread_id": "612",
            "caller": "0x7ff6c297acae",
            "parentcaller": "0x7ff6c297a87e",
            "category": "synchronization",
            "api": "NtReleaseMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000498"
              }
            ],
            "repeated": 0,
            "id": 2014
          },
          {
            "timestamp": "2026-05-28 22:01:57,521",
            "thread_id": "612",
            "caller": "0x7ff6c297acae",
            "parentcaller": "0x7ff6c297a87e",
            "category": "filesystem",
            "api": "NtReadFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000004a4"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\System32\\WDI\\LogFiles\\StartupInfo\\S-1-5-21-3968686040-3210279463-847977608-1001_StartupInfo5.xml"
              },
              {
                "name": "Buffer",
                "value": "A\\x00A\\x00A\\x00A\\x00A\\x00A\\x00A\\x00A\\x00A\\x00A\\x00A\\x00A\\x00A\\x00A\\x00A\\x00A\\x00B\\x00C\\x00A\\x00A\\x00A\\x00A\\x00A\\x00A\\x00A\\x00A\\x00A\\x00A\\x00A\\x00A\\x00A\\x00A\\x00A\\x00A\\x00A\\x00A\\x00A\\x00A\\x00A\\x00A\\x00A\\x00A\\x00A\\x00B\\x00A\\x00A\\x00A\\x00A\\x00A\\x00A\\x00A\\x00A\\x00A\\x00A\\x00E\\x00A\\x00A\\x00A\\x00A\\x00A\\x00A\\x00A\\x00A\\x00A\\x00A\\x00I\\x00A\\x00A\\x00A\\x00A\\x00A\\x00A\\x00A\\x00A\\x00A\\x00A\\x00g\\x00A\\x00A\\x00A\\x00A\\x00A\\x00A\\x00A\\x00A\\x00A\\x00 \\x00-\\x00-\\x00f\\x00i\\x00e\\x00l\\x00d\\x00-\\x00t\\x00r\\x00i\\x00a\\x00l\\x00-\\x00h\\x00a\\x00n\\x00d\\x00l\\x00e\\x00=\\x001\\x009\\x001\\x002\\x00,\\x00i\\x00,\\x001\\x000\\x003\\x001\\x002\\x001\\x004\\x007\\x005\\x005\\x002\\x009\\x006\\x00"
              },
              {
                "name": "Length",
                "value": "4096"
              }
            ],
            "repeated": 0,
            "id": 2015
          },
          {
            "timestamp": "2026-05-28 22:01:57,521",
            "thread_id": "612",
            "caller": "0x7ff6c297acae",
            "parentcaller": "0x7ff6c297a87e",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 2016
          },
          {
            "timestamp": "2026-05-28 22:01:57,521",
            "thread_id": "612",
            "caller": "0x7ff6c297acae",
            "parentcaller": "0x7ff6c297a87e",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000498"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 2017
          },
          {
            "timestamp": "2026-05-28 22:01:57,521",
            "thread_id": "612",
            "caller": "0x7ff6c297acae",
            "parentcaller": "0x7ff6c297a87e",
            "category": "synchronization",
            "api": "NtReleaseMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000498"
              }
            ],
            "repeated": 1,
            "id": 2018
          },
          {
            "timestamp": "2026-05-28 22:01:57,521",
            "thread_id": "612",
            "caller": "0x7ff6c290bbeb",
            "parentcaller": "0x7ff6c297ad73",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Users\\admin\\AppData\\Local\\Discord\\app-1.0.9238\\Discord.exe"
              }
            ],
            "repeated": 0,
            "id": 2019
          },
          {
            "timestamp": "2026-05-28 22:01:57,521",
            "thread_id": "612",
            "caller": "0x7ff6c290bbeb",
            "parentcaller": "0x7ff6c297ad73",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 2020
          },
          {
            "timestamp": "2026-05-28 22:01:57,521",
            "thread_id": "612",
            "caller": "0x7ff6c290bbeb",
            "parentcaller": "0x7ff6c297ad73",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\reg.exe"
              }
            ],
            "repeated": 0,
            "id": 2021
          },
          {
            "timestamp": "2026-05-28 22:01:57,521",
            "thread_id": "612",
            "caller": "0x7ff6c297adf1",
            "parentcaller": "0x7ff6c297a87e",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000498"
              },
              {
                "name": "Milliseconds",
                "value": "18446744073709551615"
              },
              {
                "name": "Status",
                "value": "Infinite"
              }
            ],
            "repeated": 0,
            "id": 2022
          },
          {
            "timestamp": "2026-05-28 22:01:57,521",
            "thread_id": "612",
            "caller": "0x7ff6c297adf1",
            "parentcaller": "0x7ff6c297a87e",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 2023
          },
          {
            "timestamp": "2026-05-28 22:01:57,521",
            "thread_id": "612",
            "caller": "0x7ff6c297adf1",
            "parentcaller": "0x7ff6c297a87e",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000498"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 2024
          },
          {
            "timestamp": "2026-05-28 22:01:57,521",
            "thread_id": "612",
            "caller": "0x7ff6c297adf1",
            "parentcaller": "0x7ff6c297a87e",
            "category": "synchronization",
            "api": "NtReleaseMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000498"
              }
            ],
            "repeated": 0,
            "id": 2025
          },
          {
            "timestamp": "2026-05-28 22:01:57,521",
            "thread_id": "612",
            "caller": "0x7ff6c297adf1",
            "parentcaller": "0x7ff6c297a87e",
            "category": "filesystem",
            "api": "NtReadFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000004a4"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\System32\\WDI\\LogFiles\\StartupInfo\\S-1-5-21-3968686040-3210279463-847977608-1001_StartupInfo5.xml"
              },
              {
                "name": "Buffer",
                "value": "4\\x00 \\x00-\\x00-\\x00e\\x00n\\x00a\\x00b\\x00l\\x00e\\x00-\\x00f\\x00e\\x00a\\x00t\\x00u\\x00r\\x00e\\x00s\\x00=\\x00P\\x00l\\x00a\\x00t\\x00f\\x00o\\x00r\\x00m\\x00H\\x00E\\x00V\\x00C\\x00D\\x00e\\x00c\\x00o\\x00d\\x00e\\x00r\\x00S\\x00u\\x00p\\x00p\\x00o\\x00r\\x00t\\x00 \\x00-\\x00-\\x00d\\x00i\\x00s\\x00a\\x00b\\x00l\\x00e\\x00-\\x00f\\x00e\\x00a\\x00t\\x00u\\x00r\\x00e\\x00s\\x00=\\x00B\\x00l\\x00o\\x00c\\x00k\\x00P\\x00r\\x00o\\x00m\\x00p\\x00t\\x00s\\x00I\\x00f\\x00I\\x00g\\x00]\\x00]\\x00>\\x00<\\x00/\\x00C\\x00o\\x00m\\x00m\\x00a\\x00n\\x00d\\x00L\\x00i\\x00n\\x00e\\x00>\\x00\r\\x00\n\\x00\t\\x00\t\\x00<\\x00D\\x00i\\x00s\\x00k\\x00U\\x00s\\x00a\\x00g\\x00e\\x00 \\x00U\\x00n\\x00i\\x00t\\x00s\\x00=\\x00\"\\x00b\\x00y\\x00t\\x00e\\x00s\\x00\"\\x00>\\x00"
              },
              {
                "name": "Length",
                "value": "4096"
              }
            ],
            "repeated": 0,
            "id": 2026
          },
          {
            "timestamp": "2026-05-28 22:01:57,521",
            "thread_id": "612",
            "caller": "0x7ff6c297adf1",
            "parentcaller": "0x7ff6c297a87e",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 2027
          },
          {
            "timestamp": "2026-05-28 22:01:57,521",
            "thread_id": "612",
            "caller": "0x7ff6c297adf1",
            "parentcaller": "0x7ff6c297a87e",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000498"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 2028
          },
          {
            "timestamp": "2026-05-28 22:01:57,521",
            "thread_id": "612",
            "caller": "0x7ff6c297adf1",
            "parentcaller": "0x7ff6c297a87e",
            "category": "synchronization",
            "api": "NtReleaseMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000498"
              }
            ],
            "repeated": 1,
            "id": 2029
          },
          {
            "timestamp": "2026-05-28 22:01:57,521",
            "thread_id": "612",
            "caller": "0x7ff6c290bbeb",
            "parentcaller": "0x7ff6c297ad73",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Program Files (x86)\\Steam\\bin\\cef\\cef.win64\\steamwebhelper.exe"
              }
            ],
            "repeated": 0,
            "id": 2030
          },
          {
            "timestamp": "2026-05-28 22:01:57,521",
            "thread_id": "612",
            "caller": "0x7ff6c297ad56",
            "parentcaller": "0x7ff6c297a87e",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000498"
              },
              {
                "name": "Milliseconds",
                "value": "18446744073709551615"
              },
              {
                "name": "Status",
                "value": "Infinite"
              }
            ],
            "repeated": 0,
            "id": 2031
          },
          {
            "timestamp": "2026-05-28 22:01:57,521",
            "thread_id": "612",
            "caller": "0x7ff6c297ad56",
            "parentcaller": "0x7ff6c297a87e",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 2032
          },
          {
            "timestamp": "2026-05-28 22:01:57,521",
            "thread_id": "612",
            "caller": "0x7ff6c297ad56",
            "parentcaller": "0x7ff6c297a87e",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000498"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 2033
          },
          {
            "timestamp": "2026-05-28 22:01:57,521",
            "thread_id": "612",
            "caller": "0x7ff6c297ad56",
            "parentcaller": "0x7ff6c297a87e",
            "category": "synchronization",
            "api": "NtReleaseMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000498"
              }
            ],
            "repeated": 0,
            "id": 2034
          },
          {
            "timestamp": "2026-05-28 22:01:57,521",
            "thread_id": "612",
            "caller": "0x7ff6c297ad56",
            "parentcaller": "0x7ff6c297a87e",
            "category": "filesystem",
            "api": "NtReadFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000004a4"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\System32\\WDI\\LogFiles\\StartupInfo\\S-1-5-21-3968686040-3210279463-847977608-1001_StartupInfo5.xml"
              },
              {
                "name": "Buffer",
                "value": "\t\\x00<\\x00D\\x00i\\x00s\\x00k\\x00U\\x00s\\x00a\\x00g\\x00e\\x00 \\x00U\\x00n\\x00i\\x00t\\x00s\\x00=\\x00\"\\x00b\\x00y\\x00t\\x00e\\x00s\\x00\"\\x00>\\x007\\x008\\x003\\x003\\x006\\x00<\\x00/\\x00D\\x00i\\x00s\\x00k\\x00U\\x00s\\x00a\\x00g\\x00e\\x00>\\x00\r\\x00\n\\x00\t\\x00\t\\x00<\\x00C\\x00p\\x00u\\x00U\\x00s\\x00a\\x00g\\x00e\\x00 \\x00U\\x00n\\x00i\\x00t\\x00s\\x00=\\x00\"\\x00u\\x00s\\x00\"\\x00>\\x001\\x004\\x006\\x005\\x000\\x001\\x00<\\x00/\\x00C\\x00p\\x00u\\x00U\\x00s\\x00a\\x00g\\x00e\\x00>\\x00\r\\x00\n\\x00\t\\x00\t\\x00<\\x00P\\x00a\\x00r\\x00e\\x00n\\x00t\\x00P\\x00I\\x00D\\x00>\\x007\\x000\\x006\\x000\\x00<\\x00/\\x00P\\x00a\\x00r\\x00e\\x00n\\x00t\\x00P\\x00I\\x00D\\x00>\\x00\r\\x00\n\\x00\t\\x00\t\\x00<\\x00P\\x00a\\x00r\\x00e\\x00n\\x00t\\x00S\\x00"
              },
              {
                "name": "Length",
                "value": "4096"
              }
            ],
            "repeated": 0,
            "id": 2035
          },
          {
            "timestamp": "2026-05-28 22:01:57,521",
            "thread_id": "612",
            "caller": "0x7ff6c297ad56",
            "parentcaller": "0x7ff6c297a87e",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 2036
          },
          {
            "timestamp": "2026-05-28 22:01:57,521",
            "thread_id": "612",
            "caller": "0x7ff6c297ad56",
            "parentcaller": "0x7ff6c297a87e",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000498"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 2037
          },
          {
            "timestamp": "2026-05-28 22:01:57,521",
            "thread_id": "612",
            "caller": "0x7ff6c297ad56",
            "parentcaller": "0x7ff6c297a87e",
            "category": "synchronization",
            "api": "NtReleaseMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000498"
              }
            ],
            "repeated": 1,
            "id": 2038
          },
          {
            "timestamp": "2026-05-28 22:01:57,521",
            "thread_id": "612",
            "caller": "0x7ff6c290bbeb",
            "parentcaller": "0x7ff6c297ad73",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Program Files (x86)\\Steam\\bin\\cef\\cef.win64\\steamwebhelper.exe"
              }
            ],
            "repeated": 0,
            "id": 2039
          },
          {
            "timestamp": "2026-05-28 22:01:57,521",
            "thread_id": "612",
            "caller": "0x7ff6c297acae",
            "parentcaller": "0x7ff6c297a87e",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000498"
              },
              {
                "name": "Milliseconds",
                "value": "18446744073709551615"
              },
              {
                "name": "Status",
                "value": "Infinite"
              }
            ],
            "repeated": 0,
            "id": 2040
          },
          {
            "timestamp": "2026-05-28 22:01:57,521",
            "thread_id": "612",
            "caller": "0x7ff6c297acae",
            "parentcaller": "0x7ff6c297a87e",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 2041
          },
          {
            "timestamp": "2026-05-28 22:01:57,521",
            "thread_id": "612",
            "caller": "0x7ff6c297acae",
            "parentcaller": "0x7ff6c297a87e",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000498"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 2042
          },
          {
            "timestamp": "2026-05-28 22:01:57,521",
            "thread_id": "612",
            "caller": "0x7ff6c297acae",
            "parentcaller": "0x7ff6c297a87e",
            "category": "synchronization",
            "api": "NtReleaseMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000498"
              }
            ],
            "repeated": 0,
            "id": 2043
          },
          {
            "timestamp": "2026-05-28 22:01:57,521",
            "thread_id": "612",
            "caller": "0x7ff6c297acae",
            "parentcaller": "0x7ff6c297a87e",
            "category": "filesystem",
            "api": "NtReadFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000004a4"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\System32\\WDI\\LogFiles\\StartupInfo\\S-1-5-21-3968686040-3210279463-847977608-1001_StartupInfo5.xml"
              },
              {
                "name": "Buffer",
                "value": "m\\x00a\\x00n\\x00d\\x00L\\x00i\\x00n\\x00e\\x00>\\x00\r\\x00\n\\x00\t\\x00\t\\x00<\\x00D\\x00i\\x00s\\x00k\\x00U\\x00s\\x00a\\x00g\\x00e\\x00 \\x00U\\x00n\\x00i\\x00t\\x00s\\x00=\\x00\"\\x00b\\x00y\\x00t\\x00e\\x00s\\x00\"\\x00>\\x008\\x007\\x000\\x004\\x00<\\x00/\\x00D\\x00i\\x00s\\x00k\\x00U\\x00s\\x00a\\x00g\\x00e\\x00>\\x00\r\\x00\n\\x00\t\\x00\t\\x00<\\x00C\\x00p\\x00u\\x00U\\x00s\\x00a\\x00g\\x00e\\x00 \\x00U\\x00n\\x00i\\x00t\\x00s\\x00=\\x00\"\\x00u\\x00s\\x00\"\\x00>\\x009\\x004\\x000\\x004\\x00<\\x00/\\x00C\\x00p\\x00u\\x00U\\x00s\\x00a\\x00g\\x00e\\x00>\\x00\r\\x00\n\\x00\t\\x00\t\\x00<\\x00P\\x00a\\x00r\\x00e\\x00n\\x00t\\x00P\\x00I\\x00D\\x00>\\x004\\x001\\x008\\x004\\x00<\\x00/\\x00P\\x00a\\x00r\\x00e\\x00n\\x00t\\x00P\\x00I\\x00D\\x00>\\x00\r\\x00\n\\x00\t\\x00"
              },
              {
                "name": "Length",
                "value": "4096"
              }
            ],
            "repeated": 0,
            "id": 2044
          },
          {
            "timestamp": "2026-05-28 22:01:57,521",
            "thread_id": "612",
            "caller": "0x7ff6c297acae",
            "parentcaller": "0x7ff6c297a87e",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 2045
          },
          {
            "timestamp": "2026-05-28 22:01:57,521",
            "thread_id": "612",
            "caller": "0x7ff6c297acae",
            "parentcaller": "0x7ff6c297a87e",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000498"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 2046
          },
          {
            "timestamp": "2026-05-28 22:01:57,521",
            "thread_id": "612",
            "caller": "0x7ff6c297acae",
            "parentcaller": "0x7ff6c297a87e",
            "category": "synchronization",
            "api": "NtReleaseMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000498"
              }
            ],
            "repeated": 1,
            "id": 2047
          },
          {
            "timestamp": "2026-05-28 22:01:57,521",
            "thread_id": "612",
            "caller": "0x7ff6c290bbeb",
            "parentcaller": "0x7ff6c297ad73",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Program Files (x86)\\Steam\\steamsysinfo.exe"
              }
            ],
            "repeated": 0,
            "id": 2048
          },
          {
            "timestamp": "2026-05-28 22:01:57,521",
            "thread_id": "612",
            "caller": "0x7ff6c297acae",
            "parentcaller": "0x7ff6c297a87e",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000498"
              },
              {
                "name": "Milliseconds",
                "value": "18446744073709551615"
              },
              {
                "name": "Status",
                "value": "Infinite"
              }
            ],
            "repeated": 0,
            "id": 2049
          },
          {
            "timestamp": "2026-05-28 22:01:57,521",
            "thread_id": "612",
            "caller": "0x7ff6c297acae",
            "parentcaller": "0x7ff6c297a87e",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 2050
          },
          {
            "timestamp": "2026-05-28 22:01:57,521",
            "thread_id": "612",
            "caller": "0x7ff6c297acae",
            "parentcaller": "0x7ff6c297a87e",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000498"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 2051
          },
          {
            "timestamp": "2026-05-28 22:01:57,521",
            "thread_id": "612",
            "caller": "0x7ff6c297acae",
            "parentcaller": "0x7ff6c297a87e",
            "category": "synchronization",
            "api": "NtReleaseMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000498"
              }
            ],
            "repeated": 0,
            "id": 2052
          },
          {
            "timestamp": "2026-05-28 22:01:57,521",
            "thread_id": "612",
            "caller": "0x7ff6c297acae",
            "parentcaller": "0x7ff6c297a87e",
            "category": "filesystem",
            "api": "NtReadFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000004a4"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\System32\\WDI\\LogFiles\\StartupInfo\\S-1-5-21-3968686040-3210279463-847977608-1001_StartupInfo5.xml"
              },
              {
                "name": "Buffer",
                "value": "i\\x00m\\x00e\\x00>\\x002\\x000\\x002\\x006\\x00/\\x000\\x005\\x00/\\x002\\x009\\x00:\\x000\\x000\\x00:\\x003\\x001\\x00:\\x002\\x005\\x00.\\x001\\x009\\x001\\x001\\x000\\x002\\x008\\x00<\\x00/\\x00P\\x00a\\x00r\\x00e\\x00n\\x00t\\x00S\\x00t\\x00a\\x00r\\x00t\\x00T\\x00i\\x00m\\x00e\\x00>\\x00\r\\x00\n\\x00\t\\x00\t\\x00<\\x00P\\x00a\\x00r\\x00e\\x00n\\x00t\\x00N\\x00a\\x00m\\x00e\\x00>\\x00e\\x00x\\x00p\\x00l\\x00o\\x00r\\x00e\\x00r\\x00.\\x00e\\x00x\\x00e\\x00<\\x00/\\x00P\\x00a\\x00r\\x00e\\x00n\\x00t\\x00N\\x00a\\x00m\\x00e\\x00>\\x00\r\\x00\n\\x00\t\\x00<\\x00/\\x00P\\x00r\\x00o\\x00c\\x00e\\x00s\\x00s\\x00>\\x00\r\\x00\n\\x00\t\\x00<\\x00P\\x00r\\x00o\\x00c\\x00e\\x00s\\x00s\\x00 \\x00N\\x00a\\x00m\\x00e\\x00=\\x00\"\\x00C\\x00:\\x00\\\\x00P\\x00r\\x00o\\x00g\\x00"
              },
              {
                "name": "Length",
                "value": "4096"
              }
            ],
            "repeated": 0,
            "id": 2053
          },
          {
            "timestamp": "2026-05-28 22:01:57,521",
            "thread_id": "612",
            "caller": "0x7ff6c297acae",
            "parentcaller": "0x7ff6c297a87e",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 2054
          },
          {
            "timestamp": "2026-05-28 22:01:57,521",
            "thread_id": "612",
            "caller": "0x7ff6c297acae",
            "parentcaller": "0x7ff6c297a87e",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000498"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 2055
          },
          {
            "timestamp": "2026-05-28 22:01:57,521",
            "thread_id": "612",
            "caller": "0x7ff6c297acae",
            "parentcaller": "0x7ff6c297a87e",
            "category": "synchronization",
            "api": "NtReleaseMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000498"
              }
            ],
            "repeated": 1,
            "id": 2056
          },
          {
            "timestamp": "2026-05-28 22:01:57,521",
            "thread_id": "612",
            "caller": "0x7ff6c290bbeb",
            "parentcaller": "0x7ff6c297ad73",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\SecurityHealthSystray.exe"
              }
            ],
            "repeated": 0,
            "id": 2057
          },
          {
            "timestamp": "2026-05-28 22:01:57,521",
            "thread_id": "612",
            "caller": "0x7ff6c290bbeb",
            "parentcaller": "0x7ff6c297ad73",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Users\\admin\\AppData\\Local\\Microsoft\\WindowsApps\\python.exe"
              }
            ],
            "repeated": 0,
            "id": 2058
          },
          {
            "timestamp": "2026-05-28 22:01:57,521",
            "thread_id": "612",
            "caller": "0x7ff6c290bbeb",
            "parentcaller": "0x7ff6c297ad73",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Users\\admin\\AppData\\Local\\Discord\\app-1.0.9238\\Discord.exe"
              }
            ],
            "repeated": 0,
            "id": 2059
          },
          {
            "timestamp": "2026-05-28 22:01:57,521",
            "thread_id": "612",
            "caller": "0x7ff6c297acae",
            "parentcaller": "0x7ff6c297a87e",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000498"
              },
              {
                "name": "Milliseconds",
                "value": "18446744073709551615"
              },
              {
                "name": "Status",
                "value": "Infinite"
              }
            ],
            "repeated": 0,
            "id": 2060
          },
          {
            "timestamp": "2026-05-28 22:01:57,521",
            "thread_id": "612",
            "caller": "0x7ff6c297acae",
            "parentcaller": "0x7ff6c297a87e",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 2061
          },
          {
            "timestamp": "2026-05-28 22:01:57,521",
            "thread_id": "612",
            "caller": "0x7ff6c297acae",
            "parentcaller": "0x7ff6c297a87e",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000498"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 2062
          },
          {
            "timestamp": "2026-05-28 22:01:57,521",
            "thread_id": "612",
            "caller": "0x7ff6c297acae",
            "parentcaller": "0x7ff6c297a87e",
            "category": "synchronization",
            "api": "NtReleaseMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000498"
              }
            ],
            "repeated": 0,
            "id": 2063
          },
          {
            "timestamp": "2026-05-28 22:01:57,521",
            "thread_id": "612",
            "caller": "0x7ff6c297acae",
            "parentcaller": "0x7ff6c297a87e",
            "category": "filesystem",
            "api": "NtReadFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000004a4"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\System32\\WDI\\LogFiles\\StartupInfo\\S-1-5-21-3968686040-3210279463-847977608-1001_StartupInfo5.xml"
              },
              {
                "name": "Buffer",
                "value": "e\\x00n\\x00t\\x00P\\x00I\\x00D\\x00>\\x00\r\\x00\n\\x00\t\\x00\t\\x00<\\x00P\\x00a\\x00r\\x00e\\x00n\\x00t\\x00S\\x00t\\x00a\\x00r\\x00t\\x00T\\x00i\\x00m\\x00e\\x00>\\x002\\x000\\x002\\x006\\x00/\\x000\\x005\\x00/\\x002\\x009\\x00:\\x000\\x000\\x00:\\x003\\x001\\x00:\\x003\\x009\\x00.\\x000\\x008\\x008\\x009\\x005\\x000\\x001\\x00<\\x00/\\x00P\\x00a\\x00r\\x00e\\x00n\\x00t\\x00S\\x00t\\x00a\\x00r\\x00t\\x00T\\x00i\\x00m\\x00e\\x00>\\x00\r\\x00\n\\x00\t\\x00\t\\x00<\\x00P\\x00a\\x00r\\x00e\\x00n\\x00t\\x00N\\x00a\\x00m\\x00e\\x00>\\x00D\\x00i\\x00s\\x00c\\x00o\\x00r\\x00d\\x00.\\x00e\\x00x\\x00e\\x00<\\x00/\\x00P\\x00a\\x00r\\x00e\\x00n\\x00t\\x00N\\x00a\\x00m\\x00e\\x00>\\x00\r\\x00\n\\x00\t\\x00<\\x00/\\x00P\\x00r\\x00o\\x00c\\x00e\\x00s\\x00s\\x00>\\x00\r\\x00\n\\x00"
              },
              {
                "name": "Length",
                "value": "4096"
              }
            ],
            "repeated": 0,
            "id": 2064
          },
          {
            "timestamp": "2026-05-28 22:01:57,521",
            "thread_id": "612",
            "caller": "0x7ff6c297acae",
            "parentcaller": "0x7ff6c297a87e",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 2065
          },
          {
            "timestamp": "2026-05-28 22:01:57,521",
            "thread_id": "612",
            "caller": "0x7ff6c297acae",
            "parentcaller": "0x7ff6c297a87e",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000498"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 2066
          },
          {
            "timestamp": "2026-05-28 22:01:57,521",
            "thread_id": "612",
            "caller": "0x7ff6c297acae",
            "parentcaller": "0x7ff6c297a87e",
            "category": "synchronization",
            "api": "NtReleaseMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000498"
              }
            ],
            "repeated": 1,
            "id": 2067
          },
          {
            "timestamp": "2026-05-28 22:01:57,521",
            "thread_id": "612",
            "caller": "0x7ff6c290bbeb",
            "parentcaller": "0x7ff6c297ad73",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Users\\admin\\AppData\\Local\\Discord\\app-1.0.9238\\Discord.exe"
              }
            ],
            "repeated": 1,
            "id": 2068
          },
          {
            "timestamp": "2026-05-28 22:01:57,521",
            "thread_id": "612",
            "caller": "0x7ff6c297ad56",
            "parentcaller": "0x7ff6c297a87e",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000498"
              },
              {
                "name": "Milliseconds",
                "value": "18446744073709551615"
              },
              {
                "name": "Status",
                "value": "Infinite"
              }
            ],
            "repeated": 0,
            "id": 2069
          },
          {
            "timestamp": "2026-05-28 22:01:57,521",
            "thread_id": "612",
            "caller": "0x7ff6c297ad56",
            "parentcaller": "0x7ff6c297a87e",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 2070
          },
          {
            "timestamp": "2026-05-28 22:01:57,521",
            "thread_id": "612",
            "caller": "0x7ff6c297ad56",
            "parentcaller": "0x7ff6c297a87e",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000498"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 2071
          },
          {
            "timestamp": "2026-05-28 22:01:57,521",
            "thread_id": "612",
            "caller": "0x7ff6c297ad56",
            "parentcaller": "0x7ff6c297a87e",
            "category": "synchronization",
            "api": "NtReleaseMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000498"
              }
            ],
            "repeated": 0,
            "id": 2072
          },
          {
            "timestamp": "2026-05-28 22:01:57,521",
            "thread_id": "612",
            "caller": "0x7ff6c297ad56",
            "parentcaller": "0x7ff6c297a87e",
            "category": "filesystem",
            "api": "NtReadFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000004a4"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\System32\\WDI\\LogFiles\\StartupInfo\\S-1-5-21-3968686040-3210279463-847977608-1001_StartupInfo5.xml"
              },
              {
                "name": "Buffer",
                "value": "\n\\x00\t\\x00<\\x00/\\x00P\\x00r\\x00o\\x00c\\x00e\\x00s\\x00s\\x00>\\x00\r\\x00\n\\x00\t\\x00<\\x00P\\x00r\\x00o\\x00c\\x00e\\x00s\\x00s\\x00 \\x00N\\x00a\\x00m\\x00e\\x00=\\x00\"\\x00C\\x00:\\x00\\\\x00U\\x00s\\x00e\\x00r\\x00s\\x00\\\\x00a\\x00d\\x00m\\x00i\\x00n\\x00\\\\x00A\\x00p\\x00p\\x00D\\x00a\\x00t\\x00a\\x00\\\\x00L\\x00o\\x00c\\x00a\\x00l\\x00\\\\x00D\\x00i\\x00s\\x00c\\x00o\\x00r\\x00d\\x00\\\\x00a\\x00p\\x00p\\x00-\\x001\\x00.\\x000\\x00.\\x009\\x002\\x003\\x008\\x00\\\\x00D\\x00i\\x00s\\x00c\\x00o\\x00r\\x00d\\x00.\\x00e\\x00x\\x00e\\x00\"\\x00 \\x00P\\x00I\\x00D\\x00=\\x00\"\\x006\\x008\\x004\\x004\\x00\"\\x00 \\x00S\\x00t\\x00a\\x00r\\x00t\\x00e\\x00d\\x00I\\x00n\\x00T\\x00r\\x00a\\x00c\\x00e\\x00S\\x00e\\x00c\\x00=\\x00\"\\x002\\x000\\x00.\\x007\\x005\\x00"
              },
              {
                "name": "Length",
                "value": "4096"
              }
            ],
            "repeated": 0,
            "id": 2073
          },
          {
            "timestamp": "2026-05-28 22:01:57,521",
            "thread_id": "612",
            "caller": "0x7ff6c297ad56",
            "parentcaller": "0x7ff6c297a87e",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 2074
          },
          {
            "timestamp": "2026-05-28 22:01:57,521",
            "thread_id": "612",
            "caller": "0x7ff6c297ad56",
            "parentcaller": "0x7ff6c297a87e",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000498"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 2075
          },
          {
            "timestamp": "2026-05-28 22:01:57,521",
            "thread_id": "612",
            "caller": "0x7ff6c297ad56",
            "parentcaller": "0x7ff6c297a87e",
            "category": "synchronization",
            "api": "NtReleaseMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000498"
              }
            ],
            "repeated": 1,
            "id": 2076
          },
          {
            "timestamp": "2026-05-28 22:01:57,521",
            "thread_id": "612",
            "caller": "0x7ff6c290bbeb",
            "parentcaller": "0x7ff6c297ad73",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 2077
          },
          {
            "timestamp": "2026-05-28 22:01:57,521",
            "thread_id": "612",
            "caller": "0x7ff6c290bbeb",
            "parentcaller": "0x7ff6c297ad73",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Users\\admin\\AppData\\Local\\Discord\\app-1.0.9238\\Discord.exe"
              }
            ],
            "repeated": 0,
            "id": 2078
          },
          {
            "timestamp": "2026-05-28 22:01:57,521",
            "thread_id": "612",
            "caller": "0x7ff6c297ad56",
            "parentcaller": "0x7ff6c297a87e",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000498"
              },
              {
                "name": "Milliseconds",
                "value": "18446744073709551615"
              },
              {
                "name": "Status",
                "value": "Infinite"
              }
            ],
            "repeated": 0,
            "id": 2079
          },
          {
            "timestamp": "2026-05-28 22:01:57,537",
            "thread_id": "5448",
            "caller": "0x7ff6c28b6c27",
            "parentcaller": "0x7ff6c28b6b3b",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\System32\\profapi"
              },
              {
                "name": "DllBase",
                "value": "0x7ffc755e0000"
              }
            ],
            "repeated": 0,
            "id": 2080
          },
          {
            "timestamp": "2026-05-28 22:01:57,537",
            "thread_id": "612",
            "caller": "0x7ff6c297ad56",
            "parentcaller": "0x7ff6c297a87e",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 2081
          },
          {
            "timestamp": "2026-05-28 22:01:57,537",
            "thread_id": "612",
            "caller": "0x7ff6c297ad56",
            "parentcaller": "0x7ff6c297a87e",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000498"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 2082
          },
          {
            "timestamp": "2026-05-28 22:01:57,537",
            "thread_id": "612",
            "caller": "0x7ff6c297ad56",
            "parentcaller": "0x7ff6c297a87e",
            "category": "synchronization",
            "api": "NtReleaseMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000498"
              }
            ],
            "repeated": 0,
            "id": 2083
          },
          {
            "timestamp": "2026-05-28 22:01:57,537",
            "thread_id": "1496",
            "caller": "0x7ff6c28d40a3",
            "parentcaller": "0x7ff6c28d2e59",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x0000055a"
              },
              {
                "name": "SubKey",
                "value": "InProcServer32"
              },
              {
                "name": "Handle",
                "value": "0x0000055e"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{5FDD51E2-A9D0-44CE-8C8D-162BA0C591A0}\\InProcServer32"
              }
            ],
            "repeated": 0,
            "id": 2084
          },
          {
            "timestamp": "2026-05-28 22:01:57,537",
            "thread_id": "1496",
            "caller": "0x7ff6c28d40a3",
            "parentcaller": "0x7ff6c28d2e59",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000055e"
              },
              {
                "name": "ValueName",
                "value": ""
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{5FDD51E2-A9D0-44CE-8C8D-162BA0C591A0}\\InprocServer32\\(Default)"
              }
            ],
            "repeated": 0,
            "id": 2085
          },
          {
            "timestamp": "2026-05-28 22:01:57,537",
            "thread_id": "612",
            "caller": "0x7ff6c297ad56",
            "parentcaller": "0x7ff6c297a87e",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 2086
          },
          {
            "timestamp": "2026-05-28 22:01:57,537",
            "thread_id": "612",
            "caller": "0x7ff6c297ad56",
            "parentcaller": "0x7ff6c297a87e",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000498"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 2087
          },
          {
            "timestamp": "2026-05-28 22:01:57,537",
            "thread_id": "612",
            "caller": "0x7ff6c297ad56",
            "parentcaller": "0x7ff6c297a87e",
            "category": "synchronization",
            "api": "NtReleaseMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000498"
              }
            ],
            "repeated": 1,
            "id": 2088
          },
          {
            "timestamp": "2026-05-28 22:01:57,537",
            "thread_id": "1496",
            "caller": "0x7ff6c28d40a3",
            "parentcaller": "0x7ff6c28d2e59",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000055e"
              },
              {
                "name": "ValueName",
                "value": ""
              },
              {
                "name": "Data",
                "value": "C:\\Windows\\System32\\WindowsCodecsRaw.dll"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{5FDD51E2-A9D0-44CE-8C8D-162BA0C591A0}\\InprocServer32\\(Default)"
              }
            ],
            "repeated": 0,
            "id": 2089
          },
          {
            "timestamp": "2026-05-28 22:01:57,537",
            "thread_id": "612",
            "caller": "0x7ff6c290bbeb",
            "parentcaller": "0x7ff6c297ad73",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Users\\admin\\AppData\\Local\\Discord\\app-1.0.9238\\Discord.exe"
              }
            ],
            "repeated": 0,
            "id": 2090
          },
          {
            "timestamp": "2026-05-28 22:01:57,553",
            "thread_id": "1496",
            "caller": "0x7ff6c28d40a3",
            "parentcaller": "0x7ff6c28d2e59",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000057a"
              },
              {
                "name": "ValueName",
                "value": "Pattern"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{5FDD51E2-A9D0-44CE-8C8D-162BA0C591A0}\\Patterns\\7\\Pattern"
              }
            ],
            "repeated": 0,
            "id": 2091
          },
          {
            "timestamp": "2026-05-28 22:01:57,553",
            "thread_id": "1496",
            "caller": "0x7ff6c28d40a3",
            "parentcaller": "0x7ff6c28d2e59",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000057a"
              }
            ],
            "repeated": 0,
            "id": 2092
          },
          {
            "timestamp": "2026-05-28 22:01:57,553",
            "thread_id": "612",
            "caller": "0x7ff6c290c848",
            "parentcaller": "0x7ff6c290bc08",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29253f03000"
              },
              {
                "name": "RegionSize",
                "value": "0x00009000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 2093
          },
          {
            "timestamp": "2026-05-28 22:01:57,553",
            "thread_id": "612",
            "caller": "0x7ff6c297a793",
            "parentcaller": "0x7ff6c297b1f4",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000498"
              },
              {
                "name": "Milliseconds",
                "value": "18446744073709551615"
              },
              {
                "name": "Status",
                "value": "Infinite"
              }
            ],
            "repeated": 0,
            "id": 2094
          },
          {
            "timestamp": "2026-05-28 22:01:57,553",
            "thread_id": "612",
            "caller": "0x7ff6c297a793",
            "parentcaller": "0x7ff6c297b1f4",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 2095
          },
          {
            "timestamp": "2026-05-28 22:01:57,553",
            "thread_id": "612",
            "caller": "0x7ff6c297a793",
            "parentcaller": "0x7ff6c297b1f4",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000498"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 2096
          },
          {
            "timestamp": "2026-05-28 22:01:57,553",
            "thread_id": "612",
            "caller": "0x7ff6c297a793",
            "parentcaller": "0x7ff6c297b1f4",
            "category": "synchronization",
            "api": "NtReleaseMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000498"
              }
            ],
            "repeated": 0,
            "id": 2097
          },
          {
            "timestamp": "2026-05-28 22:01:57,553",
            "thread_id": "612",
            "caller": "0x7ff6c297a793",
            "parentcaller": "0x7ff6c297b1f4",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 2098
          },
          {
            "timestamp": "2026-05-28 22:01:57,553",
            "thread_id": "612",
            "caller": "0x7ff6c297a793",
            "parentcaller": "0x7ff6c297b1f4",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000498"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 2099
          },
          {
            "timestamp": "2026-05-28 22:01:57,553",
            "thread_id": "612",
            "caller": "0x7ff6c297a793",
            "parentcaller": "0x7ff6c297b1f4",
            "category": "synchronization",
            "api": "NtReleaseMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000498"
              }
            ],
            "repeated": 1,
            "id": 2100
          },
          {
            "timestamp": "2026-05-28 22:01:57,553",
            "thread_id": "1496",
            "caller": "0x7ff6c28d40a3",
            "parentcaller": "0x7ff6c28d2e59",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x0000055e"
              },
              {
                "name": "SubKey",
                "value": "8"
              },
              {
                "name": "Handle",
                "value": "0x0000057a"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{5FDD51E2-A9D0-44CE-8C8D-162BA0C591A0}\\Patterns\\8"
              }
            ],
            "repeated": 0,
            "id": 2101
          },
          {
            "timestamp": "2026-05-28 22:01:57,553",
            "thread_id": "612",
            "caller": "0x00000000",
            "parentcaller": "0x00000000",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x01\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 2102
          },
          {
            "timestamp": "2026-05-28 22:01:57,553",
            "thread_id": "1496",
            "caller": "0x7ff6c28d40a3",
            "parentcaller": "0x7ff6c28d2e59",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000057a"
              },
              {
                "name": "ValueName",
                "value": "Pattern"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{5FDD51E2-A9D0-44CE-8C8D-162BA0C591A0}\\Patterns\\8\\Pattern"
              }
            ],
            "repeated": 0,
            "id": 2103
          },
          {
            "timestamp": "2026-05-28 22:01:57,553",
            "thread_id": "1496",
            "caller": "0x7ff6c28d40a3",
            "parentcaller": "0x7ff6c28d2e59",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000057a"
              }
            ],
            "repeated": 0,
            "id": 2104
          },
          {
            "timestamp": "2026-05-28 22:01:57,553",
            "thread_id": "612",
            "caller": "0x7ff6c297a793",
            "parentcaller": "0x7ff6c297b1f4",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000498"
              },
              {
                "name": "Milliseconds",
                "value": "18446744073709551615"
              },
              {
                "name": "Status",
                "value": "Infinite"
              }
            ],
            "repeated": 0,
            "id": 2105
          },
          {
            "timestamp": "2026-05-28 22:01:57,553",
            "thread_id": "612",
            "caller": "0x7ff6c297a793",
            "parentcaller": "0x7ff6c297b1f4",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 2106
          },
          {
            "timestamp": "2026-05-28 22:01:57,553",
            "thread_id": "612",
            "caller": "0x7ff6c297a793",
            "parentcaller": "0x7ff6c297b1f4",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000498"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 2107
          },
          {
            "timestamp": "2026-05-28 22:01:57,553",
            "thread_id": "612",
            "caller": "0x7ff6c297a793",
            "parentcaller": "0x7ff6c297b1f4",
            "category": "synchronization",
            "api": "NtReleaseMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000498"
              }
            ],
            "repeated": 0,
            "id": 2108
          },
          {
            "timestamp": "2026-05-28 22:01:57,553",
            "thread_id": "1496",
            "caller": "0x7ff6c28d40a3",
            "parentcaller": "0x7ff6c28d2e59",
            "category": "registry",
            "api": "RegEnumKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000055e"
              },
              {
                "name": "Index",
                "value": "12"
              },
              {
                "name": "Name",
                "value": "9"
              },
              {
                "name": "Class",
                "value": ""
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{5FDD51E2-A9D0-44CE-8C8D-162BA0C591A0}\\Patterns\\9"
              }
            ],
            "repeated": 0,
            "id": 2109
          },
          {
            "timestamp": "2026-05-28 22:01:57,553",
            "thread_id": "612",
            "caller": "0x7ff6c297a793",
            "parentcaller": "0x7ff6c297b1f4",
            "category": "filesystem",
            "api": "NtReadFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000004a4"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\System32\\WDI\\LogFiles\\StartupInfo\\S-1-5-21-3968686040-3210279463-847977608-1001_StartupInfo5.xml"
              },
              {
                "name": "Buffer",
                "value": "r\\x00e\\x00n\\x00t\\x00S\\x00t\\x00a\\x00r\\x00t\\x00T\\x00i\\x00m\\x00e\\x00>\\x00\r\\x00\n\\x00\t\\x00\t\\x00<\\x00P\\x00a\\x00r\\x00e\\x00n\\x00t\\x00N\\x00a\\x00m\\x00e\\x00>\\x00D\\x00i\\x00s\\x00c\\x00o\\x00r\\x00d\\x00.\\x00e\\x00x\\x00e\\x00<\\x00/\\x00P\\x00a\\x00r\\x00e\\x00n\\x00t\\x00N\\x00a\\x00m\\x00e\\x00>\\x00\r\\x00\n\\x00\t\\x00<\\x00/\\x00P\\x00r\\x00o\\x00c\\x00e\\x00s\\x00s\\x00>\\x00\r\\x00\n\\x00\t\\x00<\\x00P\\x00r\\x00o\\x00c\\x00e\\x00s\\x00s\\x00 \\x00N\\x00a\\x00m\\x00e\\x00=\\x00\"\\x00C\\x00:\\x00\\\\x00W\\x00i\\x00n\\x00d\\x00o\\x00w\\x00s\\x00\\\\x00S\\x00y\\x00s\\x00t\\x00e\\x00m\\x003\\x002\\x00\\\\x00c\\x00o\\x00n\\x00h\\x00o\\x00s\\x00t\\x00.\\x00e\\x00x\\x00e\\x00\"\\x00 \\x00P\\x00I\\x00D\\x00=\\x00\"\\x003\\x005\\x004\\x008\\x00\"\\x00"
              },
              {
                "name": "Length",
                "value": "4096"
              }
            ],
            "repeated": 0,
            "id": 2110
          },
          {
            "timestamp": "2026-05-28 22:01:57,553",
            "thread_id": "612",
            "caller": "0x7ff6c297a793",
            "parentcaller": "0x7ff6c297b1f4",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 2111
          },
          {
            "timestamp": "2026-05-28 22:01:57,553",
            "thread_id": "612",
            "caller": "0x7ff6c297a793",
            "parentcaller": "0x7ff6c297b1f4",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000498"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 2112
          },
          {
            "timestamp": "2026-05-28 22:01:57,553",
            "thread_id": "612",
            "caller": "0x7ff6c297a793",
            "parentcaller": "0x7ff6c297b1f4",
            "category": "synchronization",
            "api": "NtReleaseMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000498"
              }
            ],
            "repeated": 0,
            "id": 2113
          },
          {
            "timestamp": "2026-05-28 22:01:57,553",
            "thread_id": "1496",
            "caller": "0x7ff6c28d40a3",
            "parentcaller": "0x7ff6c28d2e59",
            "category": "registry",
            "api": "RegEnumKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000055e"
              },
              {
                "name": "Index",
                "value": "0"
              },
              {
                "name": "Name",
                "value": "0"
              },
              {
                "name": "Class",
                "value": ""
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{5FDD51E2-A9D0-44CE-8C8D-162BA0C591A0}\\Patterns\\0"
              }
            ],
            "repeated": 0,
            "id": 2114
          },
          {
            "timestamp": "2026-05-28 22:01:57,553",
            "thread_id": "612",
            "caller": "0x7ff6c290bbeb",
            "parentcaller": "0x7ff6c297ad73",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Users\\admin\\AppData\\Local\\Discord\\app-1.0.9238\\Discord.exe"
              }
            ],
            "repeated": 0,
            "id": 2115
          },
          {
            "timestamp": "2026-05-28 22:01:57,553",
            "thread_id": "1496",
            "caller": "0x7ff6c28d40a3",
            "parentcaller": "0x7ff6c28d2e59",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000057a"
              },
              {
                "name": "ValueName",
                "value": "Position"
              },
              {
                "name": "Data",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{5FDD51E2-A9D0-44CE-8C8D-162BA0C591A0}\\Patterns\\0\\Position"
              }
            ],
            "repeated": 0,
            "id": 2116
          },
          {
            "timestamp": "2026-05-28 22:01:57,553",
            "thread_id": "612",
            "caller": "0x7ff6c297ad56",
            "parentcaller": "0x7ff6c297a87e",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000498"
              },
              {
                "name": "Milliseconds",
                "value": "18446744073709551615"
              },
              {
                "name": "Status",
                "value": "Infinite"
              }
            ],
            "repeated": 0,
            "id": 2117
          },
          {
            "timestamp": "2026-05-28 22:01:57,553",
            "thread_id": "1496",
            "caller": "0x7ff6c28d40a3",
            "parentcaller": "0x7ff6c28d2e59",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000057a"
              },
              {
                "name": "ValueName",
                "value": "EndOfStream"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{5FDD51E2-A9D0-44CE-8C8D-162BA0C591A0}\\Patterns\\0\\EndOfStream"
              }
            ],
            "repeated": 0,
            "id": 2118
          },
          {
            "timestamp": "2026-05-28 22:01:57,553",
            "thread_id": "612",
            "caller": "0x7ff6c297ad56",
            "parentcaller": "0x7ff6c297a87e",
            "category": "filesystem",
            "api": "NtReadFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000004a4"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\System32\\WDI\\LogFiles\\StartupInfo\\S-1-5-21-3968686040-3210279463-847977608-1001_StartupInfo5.xml"
              },
              {
                "name": "Buffer",
                "value": "=\\x00c\\x00o\\x00m\\x00.\\x00s\\x00q\\x00u\\x00i\\x00r\\x00r\\x00e\\x00l\\x00.\\x00D\\x00i\\x00s\\x00c\\x00o\\x00r\\x00d\\x00.\\x00D\\x00i\\x00s\\x00c\\x00o\\x00r\\x00d\\x00 \\x00-\\x00-\\x00a\\x00p\\x00p\\x00-\\x00p\\x00a\\x00t\\x00h\\x00=\\x00\"\\x00C\\x00:\\x00\\\\x00U\\x00s\\x00e\\x00r\\x00s\\x00\\\\x00a\\x00d\\x00m\\x00i\\x00n\\x00\\\\x00A\\x00p\\x00p\\x00D\\x00a\\x00t\\x00a\\x00\\\\x00L\\x00o\\x00c\\x00a\\x00l\\x00\\\\x00D\\x00i\\x00s\\x00c\\x00o\\x00r\\x00d\\x00\\\\x00a\\x00p\\x00p\\x00-\\x001\\x00.\\x000\\x00.\\x009\\x002\\x003\\x008\\x00\\\\x00r\\x00e\\x00s\\x00o\\x00u\\x00r\\x00c\\x00e\\x00s\\x00\\\\x00a\\x00p\\x00p\\x00.\\x00a\\x00s\\x00a\\x00r\\x00\"\\x00 \\x00-\\x00-\\x00n\\x00o\\x00-\\x00s\\x00a\\x00n\\x00d\\x00b\\x00o\\x00x\\x00 \\x00-\\x00-\\x00n\\x00"
              },
              {
                "name": "Length",
                "value": "4096"
              }
            ],
            "repeated": 0,
            "id": 2119
          },
          {
            "timestamp": "2026-05-28 22:01:57,553",
            "thread_id": "1496",
            "caller": "0x7ff6c28d40a3",
            "parentcaller": "0x7ff6c28d2e59",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000057a"
              },
              {
                "name": "ValueName",
                "value": "Mask"
              },
              {
                "name": "Data",
                "value": "\\xff\\xff\\xff\\xff"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{5FDD51E2-A9D0-44CE-8C8D-162BA0C591A0}\\Patterns\\0\\Mask"
              }
            ],
            "repeated": 0,
            "id": 2120
          },
          {
            "timestamp": "2026-05-28 22:01:57,553",
            "thread_id": "612",
            "caller": "0x7ff6c297ad56",
            "parentcaller": "0x7ff6c297a87e",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 2121
          },
          {
            "timestamp": "2026-05-28 22:01:57,553",
            "thread_id": "612",
            "caller": "0x7ff6c297ad56",
            "parentcaller": "0x7ff6c297a87e",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000498"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 2122
          },
          {
            "timestamp": "2026-05-28 22:01:57,553",
            "thread_id": "612",
            "caller": "0x7ff6c297ad56",
            "parentcaller": "0x7ff6c297a87e",
            "category": "synchronization",
            "api": "NtReleaseMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000498"
              }
            ],
            "repeated": 0,
            "id": 2123
          },
          {
            "timestamp": "2026-05-28 22:01:57,553",
            "thread_id": "1496",
            "caller": "0x7ff6c28d40a3",
            "parentcaller": "0x7ff6c28d2e59",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000057a"
              }
            ],
            "repeated": 0,
            "id": 2124
          },
          {
            "timestamp": "2026-05-28 22:01:57,553",
            "thread_id": "612",
            "caller": "0x7ff6c297ad56",
            "parentcaller": "0x7ff6c297a87e",
            "category": "synchronization",
            "api": "NtReleaseMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000498"
              }
            ],
            "repeated": 0,
            "id": 2125
          },
          {
            "timestamp": "2026-05-28 22:01:57,553",
            "thread_id": "612",
            "caller": "0x7ff6c290bbeb",
            "parentcaller": "0x7ff6c297ad73",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Users\\admin\\AppData\\Local\\Discord\\app-1.0.9238\\Discord.exe"
              }
            ],
            "repeated": 0,
            "id": 2126
          },
          {
            "timestamp": "2026-05-28 22:01:57,553",
            "thread_id": "1496",
            "caller": "0x7ff6c28d40a3",
            "parentcaller": "0x7ff6c28d2e59",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000057a"
              },
              {
                "name": "ValueName",
                "value": "Position"
              },
              {
                "name": "Data",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{5FDD51E2-A9D0-44CE-8C8D-162BA0C591A0}\\Patterns\\1\\Position"
              }
            ],
            "repeated": 0,
            "id": 2127
          },
          {
            "timestamp": "2026-05-28 22:01:57,553",
            "thread_id": "612",
            "caller": "0x7ff6c290bbeb",
            "parentcaller": "0x7ff6c297ad73",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Users\\admin\\AppData\\Local\\Discord\\app-1.0.9238\\Discord.exe"
              }
            ],
            "repeated": 0,
            "id": 2128
          },
          {
            "timestamp": "2026-05-28 22:01:57,553",
            "thread_id": "1496",
            "caller": "0x7ff6c28d40a3",
            "parentcaller": "0x7ff6c28d2e59",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000057a"
              },
              {
                "name": "ValueName",
                "value": "Mask"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{5FDD51E2-A9D0-44CE-8C8D-162BA0C591A0}\\Patterns\\1\\Mask"
              }
            ],
            "repeated": 0,
            "id": 2129
          },
          {
            "timestamp": "2026-05-28 22:01:57,553",
            "thread_id": "612",
            "caller": "0x7ff6c297a793",
            "parentcaller": "0x7ff6c297b1f4",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000498"
              },
              {
                "name": "Milliseconds",
                "value": "18446744073709551615"
              },
              {
                "name": "Status",
                "value": "Infinite"
              }
            ],
            "repeated": 0,
            "id": 2130
          },
          {
            "timestamp": "2026-05-28 22:01:57,553",
            "thread_id": "612",
            "caller": "0x7ff6c297a793",
            "parentcaller": "0x7ff6c297b1f4",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 2131
          },
          {
            "timestamp": "2026-05-28 22:01:57,553",
            "thread_id": "612",
            "caller": "0x7ff6c297a793",
            "parentcaller": "0x7ff6c297b1f4",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000498"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 2132
          },
          {
            "timestamp": "2026-05-28 22:01:57,553",
            "thread_id": "1496",
            "caller": "0x7ff6c28d40a3",
            "parentcaller": "0x7ff6c28d2e59",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000057a"
              },
              {
                "name": "ValueName",
                "value": "Mask"
              },
              {
                "name": "Data",
                "value": "\\xff\\xff\\xff\\xff"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{5FDD51E2-A9D0-44CE-8C8D-162BA0C591A0}\\Patterns\\1\\Mask"
              }
            ],
            "repeated": 0,
            "id": 2133
          },
          {
            "timestamp": "2026-05-28 22:01:57,553",
            "thread_id": "612",
            "caller": "0x7ff6c297a793",
            "parentcaller": "0x7ff6c297b1f4",
            "category": "synchronization",
            "api": "NtReleaseMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000498"
              }
            ],
            "repeated": 0,
            "id": 2134
          },
          {
            "timestamp": "2026-05-28 22:01:57,553",
            "thread_id": "1496",
            "caller": "0x7ff6c28d40a3",
            "parentcaller": "0x7ff6c28d2e59",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000057a"
              }
            ],
            "repeated": 0,
            "id": 2135
          },
          {
            "timestamp": "2026-05-28 22:01:57,553",
            "thread_id": "612",
            "caller": "0x7ff6c297a793",
            "parentcaller": "0x7ff6c297b1f4",
            "category": "filesystem",
            "api": "NtReadFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000004a4"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\System32\\WDI\\LogFiles\\StartupInfo\\S-1-5-21-3968686040-3210279463-847977608-1001_StartupInfo5.xml"
              },
              {
                "name": "Buffer",
                "value": "/\\x00C\\x00p\\x00u\\x00U\\x00s\\x00a\\x00g\\x00e\\x00>\\x00\r\\x00\n\\x00\t\\x00\t\\x00<\\x00P\\x00a\\x00r\\x00e\\x00n\\x00t\\x00P\\x00I\\x00D\\x00>\\x004\\x002\\x004\\x008\\x00<\\x00/\\x00P\\x00a\\x00r\\x00e\\x00n\\x00t\\x00P\\x00I\\x00D\\x00>\\x00\r\\x00\n\\x00\t\\x00\t\\x00<\\x00P\\x00a\\x00r\\x00e\\x00n\\x00t\\x00S\\x00t\\x00a\\x00r\\x00t\\x00T\\x00i\\x00m\\x00e\\x00>\\x002\\x000\\x002\\x006\\x00/\\x000\\x005\\x00/\\x002\\x009\\x00:\\x000\\x000\\x00:\\x003\\x001\\x00:\\x002\\x005\\x00.\\x001\\x009\\x001\\x001\\x000\\x002\\x008\\x00<\\x00/\\x00P\\x00a\\x00r\\x00e\\x00n\\x00t\\x00S\\x00t\\x00a\\x00r\\x00t\\x00T\\x00i\\x00m\\x00e\\x00>\\x00\r\\x00\n\\x00\t\\x00\t\\x00<\\x00P\\x00a\\x00r\\x00e\\x00n\\x00t\\x00N\\x00a\\x00m\\x00e\\x00>\\x00e\\x00x\\x00p\\x00l\\x00o\\x00"
              },
              {
                "name": "Length",
                "value": "592"
              }
            ],
            "repeated": 0,
            "id": 2136
          },
          {
            "timestamp": "2026-05-28 22:01:57,553",
            "thread_id": "612",
            "caller": "0x7ff6c297a793",
            "parentcaller": "0x7ff6c297b1f4",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 2137
          },
          {
            "timestamp": "2026-05-28 22:01:57,553",
            "thread_id": "612",
            "caller": "0x7ff6c297a793",
            "parentcaller": "0x7ff6c297b1f4",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000498"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 2138
          },
          {
            "timestamp": "2026-05-28 22:01:57,553",
            "thread_id": "612",
            "caller": "0x7ff6c297a793",
            "parentcaller": "0x7ff6c297b1f4",
            "category": "synchronization",
            "api": "NtReleaseMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000498"
              }
            ],
            "repeated": 0,
            "id": 2139
          },
          {
            "timestamp": "2026-05-28 22:01:57,553",
            "thread_id": "1496",
            "caller": "0x7ff6c28d40a3",
            "parentcaller": "0x7ff6c28d2e59",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000057a"
              },
              {
                "name": "ValueName",
                "value": "Position"
              },
              {
                "name": "Data",
                "value": "8"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{5FDD51E2-A9D0-44CE-8C8D-162BA0C591A0}\\Patterns\\10\\Position"
              }
            ],
            "repeated": 0,
            "id": 2140
          },
          {
            "timestamp": "2026-05-28 22:01:57,553",
            "thread_id": "612",
            "caller": "0x7ff6c297a793",
            "parentcaller": "0x7ff6c297b1f4",
            "category": "synchronization",
            "api": "NtReleaseMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000498"
              }
            ],
            "repeated": 0,
            "id": 2141
          },
          {
            "timestamp": "2026-05-28 22:01:57,553",
            "thread_id": "1496",
            "caller": "0x7ff6c28d40a3",
            "parentcaller": "0x7ff6c28d2e59",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000057a"
              },
              {
                "name": "ValueName",
                "value": "EndOfStream"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{5FDD51E2-A9D0-44CE-8C8D-162BA0C591A0}\\Patterns\\10\\EndOfStream"
              }
            ],
            "repeated": 0,
            "id": 2142
          },
          {
            "timestamp": "2026-05-28 22:01:57,553",
            "thread_id": "612",
            "caller": "0x7ff6c297a793",
            "parentcaller": "0x7ff6c297b1f4",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000498"
              },
              {
                "name": "Milliseconds",
                "value": "18446744073709551615"
              },
              {
                "name": "Status",
                "value": "Infinite"
              }
            ],
            "repeated": 0,
            "id": 2143
          },
          {
            "timestamp": "2026-05-28 22:01:57,553",
            "thread_id": "612",
            "caller": "0x7ff6c297a793",
            "parentcaller": "0x7ff6c297b1f4",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 2144
          },
          {
            "timestamp": "2026-05-28 22:01:57,553",
            "thread_id": "612",
            "caller": "0x7ff6c297a793",
            "parentcaller": "0x7ff6c297b1f4",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000498"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 2145
          },
          {
            "timestamp": "2026-05-28 22:01:57,553",
            "thread_id": "612",
            "caller": "0x7ff6c297a793",
            "parentcaller": "0x7ff6c297b1f4",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 2146
          },
          {
            "timestamp": "2026-05-28 22:01:57,553",
            "thread_id": "612",
            "caller": "0x7ff6c297a793",
            "parentcaller": "0x7ff6c297b1f4",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000498"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 2147
          },
          {
            "timestamp": "2026-05-28 22:01:57,553",
            "thread_id": "612",
            "caller": "0x7ff6c297a793",
            "parentcaller": "0x7ff6c297b1f4",
            "category": "synchronization",
            "api": "NtReleaseMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000498"
              }
            ],
            "repeated": 1,
            "id": 2148
          },
          {
            "timestamp": "2026-05-28 22:01:57,553",
            "thread_id": "1496",
            "caller": "0x7ff6c28d40a3",
            "parentcaller": "0x7ff6c28d2e59",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000057a"
              },
              {
                "name": "ValueName",
                "value": "Pattern"
              },
              {
                "name": "Data",
                "value": "MMMMRaw\\x00"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{5FDD51E2-A9D0-44CE-8C8D-162BA0C591A0}\\Patterns\\10\\Pattern"
              }
            ],
            "repeated": 0,
            "id": 2149
          },
          {
            "timestamp": "2026-05-28 22:01:57,553",
            "thread_id": "612",
            "caller": "0x7ff6c297a999",
            "parentcaller": "0x7ff6c297b1f4",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000498"
              },
              {
                "name": "Milliseconds",
                "value": "18446744073709551615"
              },
              {
                "name": "Status",
                "value": "Infinite"
              }
            ],
            "repeated": 0,
            "id": 2150
          },
          {
            "timestamp": "2026-05-28 22:01:57,553",
            "thread_id": "612",
            "caller": "0x7ff6c297a999",
            "parentcaller": "0x7ff6c297b1f4",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004a4"
              }
            ],
            "repeated": 0,
            "id": 2151
          },
          {
            "timestamp": "2026-05-28 22:01:57,553",
            "thread_id": "612",
            "caller": "0x7ff6c297a999",
            "parentcaller": "0x7ff6c297b1f4",
            "category": "synchronization",
            "api": "NtReleaseMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000498"
              }
            ],
            "repeated": 0,
            "id": 2152
          },
          {
            "timestamp": "2026-05-28 22:01:57,553",
            "thread_id": "1496",
            "caller": "0x7ff6c28d40a3",
            "parentcaller": "0x7ff6c28d2e59",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000057a"
              },
              {
                "name": "ValueName",
                "value": "Mask"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{5FDD51E2-A9D0-44CE-8C8D-162BA0C591A0}\\Patterns\\10\\Mask"
              }
            ],
            "repeated": 0,
            "id": 2153
          },
          {
            "timestamp": "2026-05-28 22:01:57,553",
            "thread_id": "612",
            "caller": "0x7ff6c296f119",
            "parentcaller": "0x7ff6c296b4d8",
            "category": "registry",
            "api": "RegCreateKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\StartupApproved"
              },
              {
                "name": "Class",
                "value": ""
              },
              {
                "name": "Access",
                "value": "0x00000103",
                "pretty_value": "KEY_QUERY_VALUE|KEY_SET_VALUE|KEY_WOW64_64KEY"
              },
              {
                "name": "Handle",
                "value": "0x00000498"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\StartupApproved"
              },
              {
                "name": "Disposition",
                "value": "2",
                "pretty_value": "REG_OPENED_EXISTING_KEY"
              }
            ],
            "repeated": 0,
            "id": 2154
          },
          {
            "timestamp": "2026-05-28 22:01:57,553",
            "thread_id": "1496",
            "caller": "0x7ff6c28d40a3",
            "parentcaller": "0x7ff6c28d2e59",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000057a"
              },
              {
                "name": "ValueName",
                "value": "Mask"
              },
              {
                "name": "Data",
                "value": "\\xff\\xff\\xff\\xff\\x00\\xff\\xff\\xff"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{5FDD51E2-A9D0-44CE-8C8D-162BA0C591A0}\\Patterns\\10\\Mask"
              }
            ],
            "repeated": 0,
            "id": 2155
          },
          {
            "timestamp": "2026-05-28 22:01:57,553",
            "thread_id": "1496",
            "caller": "0x7ff6c28d40a3",
            "parentcaller": "0x7ff6c28d2e59",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000057a"
              }
            ],
            "repeated": 0,
            "id": 2156
          },
          {
            "timestamp": "2026-05-28 22:01:57,553",
            "thread_id": "612",
            "caller": "0x7ff6c296f119",
            "parentcaller": "0x7ff6c296b4f3",
            "category": "registry",
            "api": "RegCreateKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000498"
              },
              {
                "name": "SubKey",
                "value": "Run"
              },
              {
                "name": "Class",
                "value": ""
              },
              {
                "name": "Access",
                "value": "0x00000103",
                "pretty_value": "KEY_QUERY_VALUE|KEY_SET_VALUE|KEY_WOW64_64KEY"
              },
              {
                "name": "Handle",
                "value": "0x000004a4"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\StartupApproved\\Run"
              },
              {
                "name": "Disposition",
                "value": "2",
                "pretty_value": "REG_OPENED_EXISTING_KEY"
              }
            ],
            "repeated": 0,
            "id": 2157
          },
          {
            "timestamp": "2026-05-28 22:01:57,553",
            "thread_id": "612",
            "caller": "0x7ff6c296b501",
            "parentcaller": "0x7ff6c296e4df",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000498"
              }
            ],
            "repeated": 0,
            "id": 2158
          },
          {
            "timestamp": "2026-05-28 22:01:57,553",
            "thread_id": "1496",
            "caller": "0x7ff6c28d40a3",
            "parentcaller": "0x7ff6c28d2e59",
            "category": "registry",
            "api": "RegEnumKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000055e"
              },
              {
                "name": "Index",
                "value": "3"
              },
              {
                "name": "Name",
                "value": "11"
              },
              {
                "name": "Class",
                "value": ""
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{5FDD51E2-A9D0-44CE-8C8D-162BA0C591A0}\\Patterns\\11"
              }
            ],
            "repeated": 0,
            "id": 2159
          },
          {
            "timestamp": "2026-05-28 22:01:57,553",
            "thread_id": "612",
            "caller": "0x7ff6c296f119",
            "parentcaller": "0x7ff6c296b4f3",
            "category": "registry",
            "api": "RegCreateKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000498"
              },
              {
                "name": "SubKey",
                "value": "Run32"
              },
              {
                "name": "Class",
                "value": ""
              },
              {
                "name": "Access",
                "value": "0x00000103",
                "pretty_value": "KEY_QUERY_VALUE|KEY_SET_VALUE|KEY_WOW64_64KEY"
              },
              {
                "name": "Handle",
                "value": "0x00000570"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\StartupApproved\\Run32"
              },
              {
                "name": "Disposition",
                "value": "2",
                "pretty_value": "REG_OPENED_EXISTING_KEY"
              }
            ],
            "repeated": 0,
            "id": 2160
          },
          {
            "timestamp": "2026-05-28 22:01:57,553",
            "thread_id": "612",
            "caller": "0x7ff6c296b501",
            "parentcaller": "0x7ff6c296e4df",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000498"
              }
            ],
            "repeated": 0,
            "id": 2161
          },
          {
            "timestamp": "2026-05-28 22:01:57,553",
            "thread_id": "1496",
            "caller": "0x7ff6c28d40a3",
            "parentcaller": "0x7ff6c28d2e59",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x0000055e"
              },
              {
                "name": "SubKey",
                "value": "11"
              },
              {
                "name": "Handle",
                "value": "0x0000057a"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{5FDD51E2-A9D0-44CE-8C8D-162BA0C591A0}\\Patterns\\11"
              }
            ],
            "repeated": 0,
            "id": 2162
          },
          {
            "timestamp": "2026-05-28 22:01:57,553",
            "thread_id": "612",
            "caller": "0x7ff6c296f119",
            "parentcaller": "0x7ff6c296b4f3",
            "category": "registry",
            "api": "RegCreateKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000498"
              },
              {
                "name": "SubKey",
                "value": "Run"
              },
              {
                "name": "Class",
                "value": ""
              },
              {
                "name": "Access",
                "value": "0x00000103",
                "pretty_value": "KEY_QUERY_VALUE|KEY_SET_VALUE|KEY_WOW64_64KEY"
              },
              {
                "name": "Handle",
                "value": "0x0000057c"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\StartupApproved\\Run"
              },
              {
                "name": "Disposition",
                "value": "2",
                "pretty_value": "REG_OPENED_EXISTING_KEY"
              }
            ],
            "repeated": 0,
            "id": 2163
          },
          {
            "timestamp": "2026-05-28 22:01:57,553",
            "thread_id": "612",
            "caller": "0x7ff6c296b501",
            "parentcaller": "0x7ff6c296e4df",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000498"
              }
            ],
            "repeated": 0,
            "id": 2164
          },
          {
            "timestamp": "2026-05-28 22:01:57,553",
            "thread_id": "1496",
            "caller": "0x7ff6c28d40a3",
            "parentcaller": "0x7ff6c28d2e59",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000057a"
              },
              {
                "name": "ValueName",
                "value": "Position"
              },
              {
                "name": "Data",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{5FDD51E2-A9D0-44CE-8C8D-162BA0C591A0}\\Patterns\\11\\Position"
              }
            ],
            "repeated": 0,
            "id": 2165
          },
          {
            "timestamp": "2026-05-28 22:01:57,553",
            "thread_id": "612",
            "caller": "0x7ff6c296f119",
            "parentcaller": "0x7ff6c296b4d8",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 2166
          },
          {
            "timestamp": "2026-05-28 22:01:57,553",
            "thread_id": "612",
            "caller": "0x7ff6c296f119",
            "parentcaller": "0x7ff6c296b4d8",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000000d4"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 2167
          },
          {
            "timestamp": "2026-05-28 22:01:57,553",
            "thread_id": "612",
            "caller": "0x7ff6c296f119",
            "parentcaller": "0x7ff6c296b4d8",
            "category": "registry",
            "api": "NtCreateKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000498"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000103",
                "pretty_value": "KEY_QUERY_VALUE|KEY_SET_VALUE|KEY_WOW64_64KEY"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000000d4"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\StartupApproved"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\StartupApproved"
              },
              {
                "name": "Class",
                "value": ""
              },
              {
                "name": "Disposition",
                "value": "2",
                "pretty_value": "REG_OPENED_EXISTING_KEY"
              }
            ],
            "repeated": 0,
            "id": 2168
          },
          {
            "timestamp": "2026-05-28 22:01:57,553",
            "thread_id": "612",
            "caller": "0x7ff6c296f119",
            "parentcaller": "0x7ff6c296b4f3",
            "category": "registry",
            "api": "RegCreateKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000498"
              },
              {
                "name": "SubKey",
                "value": "StartupFolder"
              },
              {
                "name": "Class",
                "value": ""
              },
              {
                "name": "Access",
                "value": "0x00000103",
                "pretty_value": "KEY_QUERY_VALUE|KEY_SET_VALUE|KEY_WOW64_64KEY"
              },
              {
                "name": "Handle",
                "value": "0x00000580"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\StartupApproved\\StartupFolder"
              },
              {
                "name": "Disposition",
                "value": "2",
                "pretty_value": "REG_OPENED_EXISTING_KEY"
              }
            ],
            "repeated": 0,
            "id": 2169
          },
          {
            "timestamp": "2026-05-28 22:01:57,553",
            "thread_id": "612",
            "caller": "0x7ff6c296b501",
            "parentcaller": "0x7ff6c296e4df",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000498"
              }
            ],
            "repeated": 0,
            "id": 2170
          },
          {
            "timestamp": "2026-05-28 22:01:57,553",
            "thread_id": "1496",
            "caller": "0x7ff6c28d40a3",
            "parentcaller": "0x7ff6c28d2e59",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x0000055e"
              },
              {
                "name": "SubKey",
                "value": "12"
              },
              {
                "name": "Handle",
                "value": "0x0000057a"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{5FDD51E2-A9D0-44CE-8C8D-162BA0C591A0}\\Patterns\\12"
              }
            ],
            "repeated": 0,
            "id": 2171
          },
          {
            "timestamp": "2026-05-28 22:01:57,553",
            "thread_id": "612",
            "caller": "0x7ff6c296f119",
            "parentcaller": "0x7ff6c296b4d8",
            "category": "registry",
            "api": "RegCreateKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000001",
                "pretty_value": "HKEY_CURRENT_USER"
              },
              {
                "name": "SubKey",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\StartupApproved"
              },
              {
                "name": "Class",
                "value": ""
              },
              {
                "name": "Access",
                "value": "0x00000103",
                "pretty_value": "KEY_QUERY_VALUE|KEY_SET_VALUE|KEY_WOW64_64KEY"
              },
              {
                "name": "Handle",
                "value": "0x00000498"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\StartupApproved"
              },
              {
                "name": "Disposition",
                "value": "2",
                "pretty_value": "REG_OPENED_EXISTING_KEY"
              }
            ],
            "repeated": 0,
            "id": 2172
          },
          {
            "timestamp": "2026-05-28 22:01:57,553",
            "thread_id": "1496",
            "caller": "0x7ff6c28d40a3",
            "parentcaller": "0x7ff6c28d2e59",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000057a"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\CLSID\\{5FDD51E2-A9D0-44CE-8C8D-162BA0C591A0}\\Patterns\\12"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 2173
          },
          {
            "timestamp": "2026-05-28 22:01:57,553",
            "thread_id": "1496",
            "caller": "0x7ff6c28d40a3",
            "parentcaller": "0x7ff6c28d2e59",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000057a"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 2174
          },
          {
            "timestamp": "2026-05-28 22:01:57,553",
            "thread_id": "612",
            "caller": "0x7ff6c296f119",
            "parentcaller": "0x7ff6c296b4f3",
            "category": "registry",
            "api": "RegCreateKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000498"
              },
              {
                "name": "SubKey",
                "value": "StartupFolder"
              },
              {
                "name": "Class",
                "value": ""
              },
              {
                "name": "Access",
                "value": "0x00000103",
                "pretty_value": "KEY_QUERY_VALUE|KEY_SET_VALUE|KEY_WOW64_64KEY"
              },
              {
                "name": "Handle",
                "value": "0x00000584"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\StartupApproved\\StartupFolder"
              },
              {
                "name": "Disposition",
                "value": "2",
                "pretty_value": "REG_OPENED_EXISTING_KEY"
              }
            ],
            "repeated": 0,
            "id": 2175
          },
          {
            "timestamp": "2026-05-28 22:01:57,553",
            "thread_id": "1496",
            "caller": "0x7ff6c28d40a3",
            "parentcaller": "0x7ff6c28d2e59",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3968686040-3210279463-847977608-1001_Classes\\CLSID\\{5FDD51E2-A9D0-44CE-8C8D-162BA0C591A0}\\Patterns\\12"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{5FDD51E2-A9D0-44CE-8C8D-162BA0C591A0}\\Patterns\\12"
              }
            ],
            "repeated": 0,
            "id": 2176
          },
          {
            "timestamp": "2026-05-28 22:01:57,553",
            "thread_id": "612",
            "caller": "0x7ff6c296b501",
            "parentcaller": "0x7ff6c296e4df",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000498"
              }
            ],
            "repeated": 0,
            "id": 2177
          },
          {
            "timestamp": "2026-05-28 22:01:57,553",
            "thread_id": "612",
            "caller": "0x7ff6c296b9f3",
            "parentcaller": "0x7ff6c296e5f8",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x00000498"
              }
            ],
            "repeated": 0,
            "id": 2178
          },
          {
            "timestamp": "2026-05-28 22:01:57,553",
            "thread_id": "1496",
            "caller": "0x7ff6c28d40a3",
            "parentcaller": "0x7ff6c28d2e59",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000057a"
              },
              {
                "name": "ValueName",
                "value": "Position"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{5FDD51E2-A9D0-44CE-8C8D-162BA0C591A0}\\Patterns\\12\\Position"
              }
            ],
            "repeated": 0,
            "id": 2179
          },
          {
            "timestamp": "2026-05-28 22:01:57,553",
            "thread_id": "612",
            "caller": "0x7ff6c296b9f3",
            "parentcaller": "0x7ff6c296e5f8",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "29"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 2180
          },
          {
            "timestamp": "2026-05-28 22:01:57,553",
            "thread_id": "612",
            "caller": "0x7ff6c296b9f3",
            "parentcaller": "0x7ff6c296e5f8",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "25"
              },
              {
                "name": "TokenInformation",
                "value": " \\xbc\\xff\\x9d\\xf0\\x00\\x00\\x00`\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x10\\x000\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 2181
          },
          {
            "timestamp": "2026-05-28 22:01:57,553",
            "thread_id": "1496",
            "caller": "0x7ff6c28d40a3",
            "parentcaller": "0x7ff6c28d2e59",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000057a"
              },
              {
                "name": "ValueName",
                "value": "EndOfStream"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{5FDD51E2-A9D0-44CE-8C8D-162BA0C591A0}\\Patterns\\12\\EndOfStream"
              }
            ],
            "repeated": 0,
            "id": 2182
          },
          {
            "timestamp": "2026-05-28 22:01:57,553",
            "thread_id": "612",
            "caller": "0x7ff6c296b9f3",
            "parentcaller": "0x7ff6c296e5f8",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions"
              },
              {
                "name": "Handle",
                "value": "0x00000588"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions"
              }
            ],
            "repeated": 0,
            "id": 2183
          },
          {
            "timestamp": "2026-05-28 22:01:57,553",
            "thread_id": "1496",
            "caller": "0x7ff6c28d40a3",
            "parentcaller": "0x7ff6c28d2e59",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000057a"
              },
              {
                "name": "ValueName",
                "value": "Pattern"
              },
              {
                "name": "Data",
                "value": "IIU\\x00\\x18\\x00\\x00\\x00"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{5FDD51E2-A9D0-44CE-8C8D-162BA0C591A0}\\Patterns\\12\\Pattern"
              }
            ],
            "repeated": 0,
            "id": 2184
          },
          {
            "timestamp": "2026-05-28 22:01:57,553",
            "thread_id": "1496",
            "caller": "0x7ff6c28d40a3",
            "parentcaller": "0x7ff6c28d2e59",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000057a"
              },
              {
                "name": "ValueName",
                "value": "Mask"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{5FDD51E2-A9D0-44CE-8C8D-162BA0C591A0}\\Patterns\\12\\Mask"
              }
            ],
            "repeated": 0,
            "id": 2185
          },
          {
            "timestamp": "2026-05-28 22:01:57,553",
            "thread_id": "612",
            "caller": "0x7ff6c296b9f3",
            "parentcaller": "0x7ff6c296e5f8",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000058c"
              },
              {
                "name": "ValueName",
                "value": "Category"
              },
              {
                "name": "Data",
                "value": "4"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B97D20BB-F46A-4C97-BA10-5E3608430854}\\Category"
              }
            ],
            "repeated": 0,
            "id": 2186
          },
          {
            "timestamp": "2026-05-28 22:01:57,553",
            "thread_id": "612",
            "caller": "0x7ff6c296b9f3",
            "parentcaller": "0x7ff6c296e5f8",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000058c"
              },
              {
                "name": "ValueName",
                "value": "Name"
              },
              {
                "name": "Data",
                "value": "Startup"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B97D20BB-F46A-4C97-BA10-5E3608430854}\\Name"
              }
            ],
            "repeated": 0,
            "id": 2187
          },
          {
            "timestamp": "2026-05-28 22:01:57,553",
            "thread_id": "1496",
            "caller": "0x7ff6c28d40a3",
            "parentcaller": "0x7ff6c28d2e59",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000057a"
              }
            ],
            "repeated": 0,
            "id": 2188
          },
          {
            "timestamp": "2026-05-28 22:01:57,553",
            "thread_id": "612",
            "caller": "0x7ff6c296b9f3",
            "parentcaller": "0x7ff6c296e5f8",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000058c"
              },
              {
                "name": "ValueName",
                "value": "ParentFolder"
              },
              {
                "name": "Data",
                "value": "{A77F5D77-2E2B-44C3-A6A2-ABA601054A51}"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B97D20BB-F46A-4C97-BA10-5E3608430854}\\ParentFolder"
              }
            ],
            "repeated": 0,
            "id": 2189
          },
          {
            "timestamp": "2026-05-28 22:01:57,553",
            "thread_id": "612",
            "caller": "0x7ff6c296b9f3",
            "parentcaller": "0x7ff6c296e5f8",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000058c"
              },
              {
                "name": "ValueName",
                "value": "Description"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B97D20BB-F46A-4C97-BA10-5E3608430854}\\Description"
              }
            ],
            "repeated": 0,
            "id": 2190
          },
          {
            "timestamp": "2026-05-28 22:01:57,553",
            "thread_id": "612",
            "caller": "0x7ff6c296b9f3",
            "parentcaller": "0x7ff6c296e5f8",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000058c"
              },
              {
                "name": "ValueName",
                "value": "RelativePath"
              },
              {
                "name": "Data",
                "value": "StartUp"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B97D20BB-F46A-4C97-BA10-5E3608430854}\\RelativePath"
              }
            ],
            "repeated": 0,
            "id": 2191
          },
          {
            "timestamp": "2026-05-28 22:01:57,553",
            "thread_id": "612",
            "caller": "0x7ff6c296b9f3",
            "parentcaller": "0x7ff6c296e5f8",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000058c"
              },
              {
                "name": "ValueName",
                "value": "ParsingName"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B97D20BB-F46A-4C97-BA10-5E3608430854}\\ParsingName"
              }
            ],
            "repeated": 0,
            "id": 2192
          },
          {
            "timestamp": "2026-05-28 22:01:57,553",
            "thread_id": "612",
            "caller": "0x00000000",
            "parentcaller": "0x00000000",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000058c"
              },
              {
                "name": "ValueName",
                "value": "InfoTip"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B97D20BB-F46A-4C97-BA10-5E3608430854}\\InfoTip"
              }
            ],
            "repeated": 0,
            "id": 2193
          },
          {
            "timestamp": "2026-05-28 22:01:57,553",
            "thread_id": "1496",
            "caller": "0x7ff6c28d40a3",
            "parentcaller": "0x7ff6c28d2e59",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000057a"
              },
              {
                "name": "ValueName",
                "value": "Position"
              },
              {
                "name": "Data",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{5FDD51E2-A9D0-44CE-8C8D-162BA0C591A0}\\Patterns\\2\\Position"
              }
            ],
            "repeated": 0,
            "id": 2194
          },
          {
            "timestamp": "2026-05-28 22:01:57,553",
            "thread_id": "612",
            "caller": "0x7ff6c296b9f3",
            "parentcaller": "0x7ff6c296e5f8",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000058c"
              },
              {
                "name": "ValueName",
                "value": "LocalizedName"
              },
              {
                "name": "Data",
                "value": "@%SystemRoot%\\system32\\shell32.dll,-21787"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B97D20BB-F46A-4C97-BA10-5E3608430854}\\LocalizedName"
              }
            ],
            "repeated": 0,
            "id": 2195
          },
          {
            "timestamp": "2026-05-28 22:01:57,553",
            "thread_id": "1496",
            "caller": "0x7ff6c28d40a3",
            "parentcaller": "0x7ff6c28d2e59",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000057a"
              },
              {
                "name": "ValueName",
                "value": "EndOfStream"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{5FDD51E2-A9D0-44CE-8C8D-162BA0C591A0}\\Patterns\\2\\EndOfStream"
              }
            ],
            "repeated": 0,
            "id": 2196
          },
          {
            "timestamp": "2026-05-28 22:01:57,553",
            "thread_id": "612",
            "caller": "0x7ff6c296b9f3",
            "parentcaller": "0x7ff6c296e5f8",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000058c"
              },
              {
                "name": "ValueName",
                "value": "StreamResource"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B97D20BB-F46A-4C97-BA10-5E3608430854}\\StreamResource"
              }
            ],
            "repeated": 0,
            "id": 2197
          },
          {
            "timestamp": "2026-05-28 22:01:57,553",
            "thread_id": "612",
            "caller": "0x7ff6c296b9f3",
            "parentcaller": "0x7ff6c296e5f8",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000058c"
              },
              {
                "name": "ValueName",
                "value": "StreamResourceType"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B97D20BB-F46A-4C97-BA10-5E3608430854}\\StreamResourceType"
              }
            ],
            "repeated": 0,
            "id": 2198
          },
          {
            "timestamp": "2026-05-28 22:01:57,553",
            "thread_id": "612",
            "caller": "0x7ff6c296b9f3",
            "parentcaller": "0x7ff6c296e5f8",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000058c"
              },
              {
                "name": "ValueName",
                "value": "LocalRedirectOnly"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B97D20BB-F46A-4C97-BA10-5E3608430854}\\LocalRedirectOnly"
              }
            ],
            "repeated": 0,
            "id": 2199
          },
          {
            "timestamp": "2026-05-28 22:01:57,553",
            "thread_id": "612",
            "caller": "0x7ff6c296b9f3",
            "parentcaller": "0x7ff6c296e5f8",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000058c"
              },
              {
                "name": "ValueName",
                "value": "Roamable"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B97D20BB-F46A-4C97-BA10-5E3608430854}\\Roamable"
              }
            ],
            "repeated": 0,
            "id": 2200
          },
          {
            "timestamp": "2026-05-28 22:01:57,553",
            "thread_id": "1496",
            "caller": "0x7ff6c28d40a3",
            "parentcaller": "0x7ff6c28d2e59",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000057a"
              },
              {
                "name": "ValueName",
                "value": "Mask"
              },
              {
                "name": "Data",
                "value": "\\xff\\xff\\xff\\xff"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{5FDD51E2-A9D0-44CE-8C8D-162BA0C591A0}\\Patterns\\2\\Mask"
              }
            ],
            "repeated": 0,
            "id": 2201
          },
          {
            "timestamp": "2026-05-28 22:01:57,553",
            "thread_id": "612",
            "caller": "0x7ff6c296b9f3",
            "parentcaller": "0x7ff6c296e5f8",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000058c"
              },
              {
                "name": "ValueName",
                "value": "PreCreate"
              },
              {
                "name": "Data",
                "value": "1"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B97D20BB-F46A-4C97-BA10-5E3608430854}\\PreCreate"
              }
            ],
            "repeated": 0,
            "id": 2202
          },
          {
            "timestamp": "2026-05-28 22:01:57,553",
            "thread_id": "1496",
            "caller": "0x7ff6c28d40a3",
            "parentcaller": "0x7ff6c28d2e59",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000057a"
              }
            ],
            "repeated": 0,
            "id": 2203
          },
          {
            "timestamp": "2026-05-28 22:01:57,553",
            "thread_id": "612",
            "caller": "0x7ff6c296b9f3",
            "parentcaller": "0x7ff6c296e5f8",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000058c"
              },
              {
                "name": "ValueName",
                "value": "Stream"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B97D20BB-F46A-4C97-BA10-5E3608430854}\\Stream"
              }
            ],
            "repeated": 0,
            "id": 2204
          },
          {
            "timestamp": "2026-05-28 22:01:57,553",
            "thread_id": "612",
            "caller": "0x7ff6c296b9f3",
            "parentcaller": "0x7ff6c296e5f8",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000058c"
              },
              {
                "name": "ValueName",
                "value": "PublishExpandedPath"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B97D20BB-F46A-4C97-BA10-5E3608430854}\\PublishExpandedPath"
              }
            ],
            "repeated": 0,
            "id": 2205
          },
          {
            "timestamp": "2026-05-28 22:01:57,553",
            "thread_id": "612",
            "caller": "0x7ff6c296b9f3",
            "parentcaller": "0x7ff6c296e5f8",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000058c"
              },
              {
                "name": "ValueName",
                "value": "DefinitionFlags"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B97D20BB-F46A-4C97-BA10-5E3608430854}\\DefinitionFlags"
              }
            ],
            "repeated": 0,
            "id": 2206
          },
          {
            "timestamp": "2026-05-28 22:01:57,553",
            "thread_id": "612",
            "caller": "0x7ff6c296b9f3",
            "parentcaller": "0x7ff6c296e5f8",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000058c"
              },
              {
                "name": "ValueName",
                "value": "Attributes"
              },
              {
                "name": "Data",
                "value": "1"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B97D20BB-F46A-4C97-BA10-5E3608430854}\\Attributes"
              }
            ],
            "repeated": 0,
            "id": 2207
          },
          {
            "timestamp": "2026-05-28 22:01:57,553",
            "thread_id": "612",
            "caller": "0x7ff6c296b9f3",
            "parentcaller": "0x7ff6c296e5f8",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000058c"
              },
              {
                "name": "ValueName",
                "value": "FolderTypeID"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B97D20BB-F46A-4C97-BA10-5E3608430854}\\FolderTypeID"
              }
            ],
            "repeated": 0,
            "id": 2208
          },
          {
            "timestamp": "2026-05-28 22:01:57,553",
            "thread_id": "612",
            "caller": "0x7ff6c296b9f3",
            "parentcaller": "0x7ff6c296e5f8",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000058c"
              },
              {
                "name": "ValueName",
                "value": "InitFolderHandler"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B97D20BB-F46A-4C97-BA10-5E3608430854}\\InitFolderHandler"
              }
            ],
            "repeated": 0,
            "id": 2209
          },
          {
            "timestamp": "2026-05-28 22:01:57,553",
            "thread_id": "612",
            "caller": "0x7ff6c296b9f3",
            "parentcaller": "0x7ff6c296e5f8",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x0000058c"
              },
              {
                "name": "SubKey",
                "value": "PropertyBag"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B97D20BB-F46A-4C97-BA10-5E3608430854}\\PropertyBag"
              }
            ],
            "repeated": 0,
            "id": 2210
          },
          {
            "timestamp": "2026-05-28 22:01:57,553",
            "thread_id": "1496",
            "caller": "0x7ff6c28d40a3",
            "parentcaller": "0x7ff6c28d2e59",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000057a"
              },
              {
                "name": "ValueName",
                "value": "Mask"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{5FDD51E2-A9D0-44CE-8C8D-162BA0C591A0}\\Patterns\\3\\Mask"
              }
            ],
            "repeated": 0,
            "id": 2211
          },
          {
            "timestamp": "2026-05-28 22:01:57,553",
            "thread_id": "612",
            "caller": "0x7ff6c296b9f3",
            "parentcaller": "0x7ff6c296e5f8",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000001",
                "pretty_value": "HKEY_CURRENT_USER"
              },
              {
                "name": "SubKey",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer"
              },
              {
                "name": "Handle",
                "value": "0x0000058c"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer"
              }
            ],
            "repeated": 0,
            "id": 2212
          },
          {
            "timestamp": "2026-05-28 22:01:57,553",
            "thread_id": "1496",
            "caller": "0x7ff6c28d40a3",
            "parentcaller": "0x7ff6c28d2e59",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000057a"
              },
              {
                "name": "ValueName",
                "value": "Mask"
              },
              {
                "name": "Data",
                "value": "\\xff\\xff\\xff\\xff"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{5FDD51E2-A9D0-44CE-8C8D-162BA0C591A0}\\Patterns\\3\\Mask"
              }
            ],
            "repeated": 0,
            "id": 2213
          },
          {
            "timestamp": "2026-05-28 22:01:57,553",
            "thread_id": "612",
            "caller": "0x7ff6c296b9f3",
            "parentcaller": "0x7ff6c296e5f8",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x0000058c"
              },
              {
                "name": "SubKey",
                "value": "SessionInfo\\1"
              },
              {
                "name": "Handle",
                "value": "0x00000588"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\SessionInfo\\1"
              }
            ],
            "repeated": 0,
            "id": 2214
          },
          {
            "timestamp": "2026-05-28 22:01:57,553",
            "thread_id": "1496",
            "caller": "0x7ff6c28d40a3",
            "parentcaller": "0x7ff6c28d2e59",
            "category": "registry",
            "api": "RegEnumKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000055e"
              },
              {
                "name": "Index",
                "value": "7"
              },
              {
                "name": "Name",
                "value": "4"
              },
              {
                "name": "Class",
                "value": ""
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{5FDD51E2-A9D0-44CE-8C8D-162BA0C591A0}\\Patterns\\4"
              }
            ],
            "repeated": 0,
            "id": 2215
          },
          {
            "timestamp": "2026-05-28 22:01:57,553",
            "thread_id": "612",
            "caller": "0x7ff6c296b9f3",
            "parentcaller": "0x7ff6c296e5f8",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000588"
              },
              {
                "name": "SubKey",
                "value": "KnownFolders"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\SessionInfo\\1\\KnownFolders"
              }
            ],
            "repeated": 0,
            "id": 2216
          },
          {
            "timestamp": "2026-05-28 22:01:57,553",
            "thread_id": "612",
            "caller": "0x7ff6c296b9f3",
            "parentcaller": "0x7ff6c296e5f8",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000588"
              }
            ],
            "repeated": 0,
            "id": 2217
          },
          {
            "timestamp": "2026-05-28 22:01:57,553",
            "thread_id": "612",
            "caller": "0x7ff6c296b9f3",
            "parentcaller": "0x7ff6c296e5f8",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xe0\\xb7\\xff\\x9d\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xfc\\x7f\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\xe9\\x03\\x00\\x00\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x80\\x88\\x05\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 2218
          },
          {
            "timestamp": "2026-05-28 22:01:57,553",
            "thread_id": "612",
            "caller": "0x7ff6c296b9f3",
            "parentcaller": "0x7ff6c296e5f8",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000588"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3968686040-3210279463-847977608-1001"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER"
              }
            ],
            "repeated": 0,
            "id": 2219
          },
          {
            "timestamp": "2026-05-28 22:01:57,553",
            "thread_id": "612",
            "caller": "0x7ff6c296b9f3",
            "parentcaller": "0x7ff6c296e5f8",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000588"
              },
              {
                "name": "SubKey",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders"
              },
              {
                "name": "Handle",
                "value": "0x00000590"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders"
              }
            ],
            "repeated": 0,
            "id": 2220
          },
          {
            "timestamp": "2026-05-28 22:01:57,553",
            "thread_id": "1496",
            "caller": "0x7ff6c28d40a3",
            "parentcaller": "0x7ff6c28d2e59",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000057a"
              },
              {
                "name": "ValueName",
                "value": "Position"
              },
              {
                "name": "Data",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{5FDD51E2-A9D0-44CE-8C8D-162BA0C591A0}\\Patterns\\4\\Position"
              }
            ],
            "repeated": 0,
            "id": 2221
          },
          {
            "timestamp": "2026-05-28 22:01:57,553",
            "thread_id": "612",
            "caller": "0x7ff6c296b9f3",
            "parentcaller": "0x7ff6c296e5f8",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000588"
              }
            ],
            "repeated": 0,
            "id": 2222
          },
          {
            "timestamp": "2026-05-28 22:01:57,553",
            "thread_id": "612",
            "caller": "0x7ff6c296b9f3",
            "parentcaller": "0x7ff6c296e5f8",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x000000ea",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000590"
              },
              {
                "name": "ValueName",
                "value": "Startup"
              },
              {
                "name": "Type",
                "value": "0x00000002",
                "pretty_value": "REG_EXPAND_SZ"
              },
              {
                "name": "DataLength",
                "value": "152"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders\\Startup"
              }
            ],
            "repeated": 0,
            "id": 2223
          },
          {
            "timestamp": "2026-05-28 22:01:57,553",
            "thread_id": "612",
            "caller": "0x7ff6c296b9f3",
            "parentcaller": "0x7ff6c296e5f8",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000590"
              },
              {
                "name": "ValueName",
                "value": "Startup"
              },
              {
                "name": "Data",
                "value": "%USERPROFILE%\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders\\Startup"
              }
            ],
            "repeated": 0,
            "id": 2224
          },
          {
            "timestamp": "2026-05-28 22:01:57,553",
            "thread_id": "612",
            "caller": "0x7ff6c296b9f3",
            "parentcaller": "0x7ff6c296e5f8",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000498"
              }
            ],
            "repeated": 0,
            "id": 2225
          },
          {
            "timestamp": "2026-05-28 22:01:57,553",
            "thread_id": "1496",
            "caller": "0x7ff6c28d40a3",
            "parentcaller": "0x7ff6c28d2e59",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000057a"
              },
              {
                "name": "ValueName",
                "value": "Mask"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{5FDD51E2-A9D0-44CE-8C8D-162BA0C591A0}\\Patterns\\4\\Mask"
              }
            ],
            "repeated": 0,
            "id": 2226
          },
          {
            "timestamp": "2026-05-28 22:01:57,553",
            "thread_id": "612",
            "caller": "0x7ff6c296b9f3",
            "parentcaller": "0x7ff6c296e5f8",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Users\\admin\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup"
              }
            ],
            "repeated": 0,
            "id": 2227
          },
          {
            "timestamp": "2026-05-28 22:01:57,553",
            "thread_id": "612",
            "caller": "0x7ffc73836e6d",
            "parentcaller": "0x7ffc73836662",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 2228
          },
          {
            "timestamp": "2026-05-28 22:01:57,553",
            "thread_id": "612",
            "caller": "0x7ff6c296ba63",
            "parentcaller": "0x7ff6c296e5f8",
            "category": "filesystem",
            "api": "FindFirstFileExW",
            "status": true,
            "return": "0x29253e86580",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Users\\admin\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\*.*"
              },
              {
                "name": "FirstCreateTimeLow",
                "value": "0xaff228df"
              },
              {
                "name": "FirstCreateTimeHigh",
                "value": "0x01dceeb6"
              }
            ],
            "repeated": 0,
            "id": 2229
          },
          {
            "timestamp": "2026-05-28 22:01:57,553",
            "thread_id": "612",
            "caller": "0x7ff6c296b9f3",
            "parentcaller": "0x7ff6c296e5f8",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x00000590"
              }
            ],
            "repeated": 0,
            "id": 2230
          },
          {
            "timestamp": "2026-05-28 22:01:57,553",
            "thread_id": "612",
            "caller": "0x7ff6c296b9f3",
            "parentcaller": "0x7ff6c296e5f8",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "29"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 2231
          },
          {
            "timestamp": "2026-05-28 22:01:57,553",
            "thread_id": "612",
            "caller": "0x7ff6c296b9f3",
            "parentcaller": "0x7ff6c296e5f8",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "25"
              },
              {
                "name": "TokenInformation",
                "value": " \\xbc\\xff\\x9d\\xf0\\x00\\x00\\x00`\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x10\\x000\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 2232
          },
          {
            "timestamp": "2026-05-28 22:01:57,553",
            "thread_id": "1496",
            "caller": "0x7ff6c28d40a3",
            "parentcaller": "0x7ff6c28d2e59",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000057a"
              },
              {
                "name": "ValueName",
                "value": "Mask"
              },
              {
                "name": "Data",
                "value": "\\xff\\xff\\xff\\xff"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{5FDD51E2-A9D0-44CE-8C8D-162BA0C591A0}\\Patterns\\5\\Mask"
              }
            ],
            "repeated": 0,
            "id": 2233
          },
          {
            "timestamp": "2026-05-28 22:01:57,553",
            "thread_id": "1496",
            "caller": "0x7ff6c28d40a3",
            "parentcaller": "0x7ff6c28d2e59",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000057a"
              }
            ],
            "repeated": 0,
            "id": 2234
          },
          {
            "timestamp": "2026-05-28 22:01:57,553",
            "thread_id": "612",
            "caller": "0x7ff6c296b9f3",
            "parentcaller": "0x7ff6c296e5f8",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions"
              },
              {
                "name": "Handle",
                "value": "0x00000498"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions"
              }
            ],
            "repeated": 0,
            "id": 2235
          },
          {
            "timestamp": "2026-05-28 22:01:57,553",
            "thread_id": "1496",
            "caller": "0x7ff6c28d40a3",
            "parentcaller": "0x7ff6c28d2e59",
            "category": "registry",
            "api": "RegEnumKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000055e"
              },
              {
                "name": "Index",
                "value": "9"
              },
              {
                "name": "Name",
                "value": "6"
              },
              {
                "name": "Class",
                "value": ""
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{5FDD51E2-A9D0-44CE-8C8D-162BA0C591A0}\\Patterns\\6"
              }
            ],
            "repeated": 0,
            "id": 2236
          },
          {
            "timestamp": "2026-05-28 22:01:57,553",
            "thread_id": "612",
            "caller": "0x7ff6c296b9f3",
            "parentcaller": "0x7ff6c296e5f8",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000498"
              },
              {
                "name": "SubKey",
                "value": "{82A5EA35-D9CD-47C5-9629-E15D2F714E6E}"
              },
              {
                "name": "Handle",
                "value": "0x00000588"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{82A5EA35-D9CD-47C5-9629-E15D2F714E6E}"
              }
            ],
            "repeated": 0,
            "id": 2237
          },
          {
            "timestamp": "2026-05-28 22:01:57,553",
            "thread_id": "612",
            "caller": "0x7ff6c296b9f3",
            "parentcaller": "0x7ff6c296e5f8",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000498"
              }
            ],
            "repeated": 0,
            "id": 2238
          },
          {
            "timestamp": "2026-05-28 22:01:57,553",
            "thread_id": "1496",
            "caller": "0x7ff6c28d40a3",
            "parentcaller": "0x7ff6c28d2e59",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x0000055e"
              },
              {
                "name": "SubKey",
                "value": "6"
              },
              {
                "name": "Handle",
                "value": "0x0000057a"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{5FDD51E2-A9D0-44CE-8C8D-162BA0C591A0}\\Patterns\\6"
              }
            ],
            "repeated": 0,
            "id": 2239
          },
          {
            "timestamp": "2026-05-28 22:01:57,553",
            "thread_id": "612",
            "caller": "0x7ff6c296b9f3",
            "parentcaller": "0x7ff6c296e5f8",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000588"
              },
              {
                "name": "ValueName",
                "value": "Name"
              },
              {
                "name": "Data",
                "value": "Common Startup"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{82A5EA35-D9CD-47C5-9629-E15D2F714E6E}\\Name"
              }
            ],
            "repeated": 0,
            "id": 2240
          },
          {
            "timestamp": "2026-05-28 22:01:57,553",
            "thread_id": "1496",
            "caller": "0x7ff6c28d40a3",
            "parentcaller": "0x7ff6c28d2e59",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000057a"
              },
              {
                "name": "ValueName",
                "value": "Position"
              },
              {
                "name": "Data",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{5FDD51E2-A9D0-44CE-8C8D-162BA0C591A0}\\Patterns\\6\\Position"
              }
            ],
            "repeated": 0,
            "id": 2241
          },
          {
            "timestamp": "2026-05-28 22:01:57,553",
            "thread_id": "612",
            "caller": "0x7ff6c296b9f3",
            "parentcaller": "0x7ff6c296e5f8",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000588"
              },
              {
                "name": "ValueName",
                "value": "ParentFolder"
              },
              {
                "name": "Data",
                "value": "{0139D44E-6AFE-49F2-8690-3DAFCAE6FFB8}"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{82A5EA35-D9CD-47C5-9629-E15D2F714E6E}\\ParentFolder"
              }
            ],
            "repeated": 0,
            "id": 2242
          },
          {
            "timestamp": "2026-05-28 22:01:57,553",
            "thread_id": "1496",
            "caller": "0x7ff6c28d40a3",
            "parentcaller": "0x7ff6c28d2e59",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000057a"
              },
              {
                "name": "ValueName",
                "value": "EndOfStream"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{5FDD51E2-A9D0-44CE-8C8D-162BA0C591A0}\\Patterns\\6\\EndOfStream"
              }
            ],
            "repeated": 0,
            "id": 2243
          },
          {
            "timestamp": "2026-05-28 22:01:57,553",
            "thread_id": "612",
            "caller": "0x7ff6c296b9f3",
            "parentcaller": "0x7ff6c296e5f8",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000588"
              },
              {
                "name": "ValueName",
                "value": "RelativePath"
              },
              {
                "name": "Data",
                "value": "StartUp"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{82A5EA35-D9CD-47C5-9629-E15D2F714E6E}\\RelativePath"
              }
            ],
            "repeated": 0,
            "id": 2244
          },
          {
            "timestamp": "2026-05-28 22:01:57,553",
            "thread_id": "612",
            "caller": "0x7ff6c296b9f3",
            "parentcaller": "0x7ff6c296e5f8",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000588"
              },
              {
                "name": "ValueName",
                "value": "ParsingName"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{82A5EA35-D9CD-47C5-9629-E15D2F714E6E}\\ParsingName"
              }
            ],
            "repeated": 0,
            "id": 2245
          },
          {
            "timestamp": "2026-05-28 22:01:57,553",
            "thread_id": "612",
            "caller": "0x7ff6c296b9f3",
            "parentcaller": "0x7ff6c296e5f8",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000588"
              },
              {
                "name": "ValueName",
                "value": "InfoTip"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{82A5EA35-D9CD-47C5-9629-E15D2F714E6E}\\InfoTip"
              }
            ],
            "repeated": 0,
            "id": 2246
          },
          {
            "timestamp": "2026-05-28 22:01:57,553",
            "thread_id": "612",
            "caller": "0x7ff6c296b9f3",
            "parentcaller": "0x7ff6c296e5f8",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000588"
              },
              {
                "name": "ValueName",
                "value": "LocalizedName"
              },
              {
                "name": "Data",
                "value": "@%SystemRoot%\\system32\\shell32.dll,-21787"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{82A5EA35-D9CD-47C5-9629-E15D2F714E6E}\\LocalizedName"
              }
            ],
            "repeated": 0,
            "id": 2247
          },
          {
            "timestamp": "2026-05-28 22:01:57,553",
            "thread_id": "612",
            "caller": "0x7ff6c296b9f3",
            "parentcaller": "0x7ff6c296e5f8",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000588"
              },
              {
                "name": "ValueName",
                "value": "Icon"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{82A5EA35-D9CD-47C5-9629-E15D2F714E6E}\\Icon"
              }
            ],
            "repeated": 0,
            "id": 2248
          },
          {
            "timestamp": "2026-05-28 22:01:57,553",
            "thread_id": "1496",
            "caller": "0x7ff6c28d40a3",
            "parentcaller": "0x7ff6c28d2e59",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000057a"
              }
            ],
            "repeated": 0,
            "id": 2249
          },
          {
            "timestamp": "2026-05-28 22:01:57,553",
            "thread_id": "612",
            "caller": "0x7ff6c296b9f3",
            "parentcaller": "0x7ff6c296e5f8",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000588"
              },
              {
                "name": "ValueName",
                "value": "Security"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{82A5EA35-D9CD-47C5-9629-E15D2F714E6E}\\Security"
              }
            ],
            "repeated": 0,
            "id": 2250
          },
          {
            "timestamp": "2026-05-28 22:01:57,553",
            "thread_id": "1496",
            "caller": "0x7ff6c28d40a3",
            "parentcaller": "0x7ff6c28d2e59",
            "category": "registry",
            "api": "RegEnumKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000055e"
              },
              {
                "name": "Index",
                "value": "10"
              },
              {
                "name": "Name",
                "value": "7"
              },
              {
                "name": "Class",
                "value": ""
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{5FDD51E2-A9D0-44CE-8C8D-162BA0C591A0}\\Patterns\\7"
              }
            ],
            "repeated": 0,
            "id": 2251
          },
          {
            "timestamp": "2026-05-28 22:01:57,553",
            "thread_id": "612",
            "caller": "0x7ff6c296b9f3",
            "parentcaller": "0x7ff6c296e5f8",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000588"
              },
              {
                "name": "ValueName",
                "value": "Roamable"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{82A5EA35-D9CD-47C5-9629-E15D2F714E6E}\\Roamable"
              }
            ],
            "repeated": 0,
            "id": 2252
          },
          {
            "timestamp": "2026-05-28 22:01:57,553",
            "thread_id": "1496",
            "caller": "0x7ff6c28d40a3",
            "parentcaller": "0x7ff6c28d2e59",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x0000055e"
              },
              {
                "name": "SubKey",
                "value": "7"
              },
              {
                "name": "Handle",
                "value": "0x0000057a"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{5FDD51E2-A9D0-44CE-8C8D-162BA0C591A0}\\Patterns\\7"
              }
            ],
            "repeated": 0,
            "id": 2253
          },
          {
            "timestamp": "2026-05-28 22:01:57,553",
            "thread_id": "612",
            "caller": "0x7ff6c296b9f3",
            "parentcaller": "0x7ff6c296e5f8",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000588"
              },
              {
                "name": "ValueName",
                "value": "Stream"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{82A5EA35-D9CD-47C5-9629-E15D2F714E6E}\\Stream"
              }
            ],
            "repeated": 0,
            "id": 2254
          },
          {
            "timestamp": "2026-05-28 22:01:57,553",
            "thread_id": "612",
            "caller": "0x7ff6c296b9f3",
            "parentcaller": "0x7ff6c296e5f8",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000588"
              },
              {
                "name": "ValueName",
                "value": "PublishExpandedPath"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{82A5EA35-D9CD-47C5-9629-E15D2F714E6E}\\PublishExpandedPath"
              }
            ],
            "repeated": 0,
            "id": 2255
          },
          {
            "timestamp": "2026-05-28 22:01:57,553",
            "thread_id": "612",
            "caller": "0x7ffc756e2e92",
            "parentcaller": "0x7ffc7383882d",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000588"
              },
              {
                "name": "ValueName",
                "value": "DefinitionFlags"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{82A5EA35-D9CD-47C5-9629-E15D2F714E6E}\\DefinitionFlags"
              }
            ],
            "repeated": 0,
            "id": 2256
          },
          {
            "timestamp": "2026-05-28 22:01:57,553",
            "thread_id": "612",
            "caller": "0x7ff6c296b9f3",
            "parentcaller": "0x7ff6c296e5f8",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000588"
              },
              {
                "name": "ValueName",
                "value": "Attributes"
              },
              {
                "name": "Data",
                "value": "1"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{82A5EA35-D9CD-47C5-9629-E15D2F714E6E}\\Attributes"
              }
            ],
            "repeated": 0,
            "id": 2257
          },
          {
            "timestamp": "2026-05-28 22:01:57,553",
            "thread_id": "1496",
            "caller": "0x7ff6c28d40a3",
            "parentcaller": "0x7ff6c28d2e59",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000057a"
              },
              {
                "name": "ValueName",
                "value": "Pattern"
              },
              {
                "name": "Data",
                "value": "FUJIFILM"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{5FDD51E2-A9D0-44CE-8C8D-162BA0C591A0}\\Patterns\\7\\Pattern"
              }
            ],
            "repeated": 0,
            "id": 2258
          },
          {
            "timestamp": "2026-05-28 22:01:57,553",
            "thread_id": "612",
            "caller": "0x7ff6c296b9f3",
            "parentcaller": "0x7ff6c296e5f8",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000588"
              },
              {
                "name": "ValueName",
                "value": "FolderTypeID"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{82A5EA35-D9CD-47C5-9629-E15D2F714E6E}\\FolderTypeID"
              }
            ],
            "repeated": 0,
            "id": 2259
          },
          {
            "timestamp": "2026-05-28 22:01:57,553",
            "thread_id": "1496",
            "caller": "0x7ff6c28d40a3",
            "parentcaller": "0x7ff6c28d2e59",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000057a"
              },
              {
                "name": "ValueName",
                "value": "Mask"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{5FDD51E2-A9D0-44CE-8C8D-162BA0C591A0}\\Patterns\\7\\Mask"
              }
            ],
            "repeated": 0,
            "id": 2260
          },
          {
            "timestamp": "2026-05-28 22:01:57,553",
            "thread_id": "612",
            "caller": "0x7ff6c296b9f3",
            "parentcaller": "0x7ff6c296e5f8",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000588"
              }
            ],
            "repeated": 0,
            "id": 2261
          },
          {
            "timestamp": "2026-05-28 22:01:57,553",
            "thread_id": "612",
            "caller": "0x7ff6c296b9f3",
            "parentcaller": "0x7ff6c296e5f8",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x0000058c"
              },
              {
                "name": "SubKey",
                "value": "SessionInfo\\1"
              },
              {
                "name": "Handle",
                "value": "0x00000588"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\SessionInfo\\1"
              }
            ],
            "repeated": 0,
            "id": 2262
          },
          {
            "timestamp": "2026-05-28 22:01:57,553",
            "thread_id": "612",
            "caller": "0x7ff6c296b9f3",
            "parentcaller": "0x7ff6c296e5f8",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000588"
              },
              {
                "name": "SubKey",
                "value": "KnownFolders"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\SessionInfo\\1\\KnownFolders"
              }
            ],
            "repeated": 0,
            "id": 2263
          },
          {
            "timestamp": "2026-05-28 22:01:57,553",
            "thread_id": "612",
            "caller": "0x7ff6c296b9f3",
            "parentcaller": "0x7ff6c296e5f8",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000588"
              }
            ],
            "repeated": 0,
            "id": 2264
          },
          {
            "timestamp": "2026-05-28 22:01:57,553",
            "thread_id": "612",
            "caller": "0x7ff6c296b9f3",
            "parentcaller": "0x7ff6c296e5f8",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders"
              },
              {
                "name": "Handle",
                "value": "0x00000588"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders"
              }
            ],
            "repeated": 0,
            "id": 2265
          },
          {
            "timestamp": "2026-05-28 22:01:57,553",
            "thread_id": "1496",
            "caller": "0x7ff6c28d40a3",
            "parentcaller": "0x7ff6c28d2e59",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x0000055e"
              },
              {
                "name": "SubKey",
                "value": "8"
              },
              {
                "name": "Handle",
                "value": "0x0000057a"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{5FDD51E2-A9D0-44CE-8C8D-162BA0C591A0}\\Patterns\\8"
              }
            ],
            "repeated": 0,
            "id": 2266
          },
          {
            "timestamp": "2026-05-28 22:01:57,553",
            "thread_id": "612",
            "caller": "0x7ff6c296b9f3",
            "parentcaller": "0x7ff6c296e5f8",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000588"
              },
              {
                "name": "ValueName",
                "value": "Common Startup"
              },
              {
                "name": "Data",
                "value": "%ProgramData%\\Microsoft\\Windows\\Start Menu\\Programs\\Startup"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders\\Common Startup"
              }
            ],
            "repeated": 0,
            "id": 2267
          },
          {
            "timestamp": "2026-05-28 22:01:57,553",
            "thread_id": "612",
            "caller": "0x7ff6c296b9f3",
            "parentcaller": "0x7ff6c296e5f8",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000590"
              }
            ],
            "repeated": 0,
            "id": 2268
          },
          {
            "timestamp": "2026-05-28 22:01:57,553",
            "thread_id": "612",
            "caller": "0x7ff6c296b9f3",
            "parentcaller": "0x7ff6c296e5f8",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000588"
              }
            ],
            "repeated": 0,
            "id": 2269
          },
          {
            "timestamp": "2026-05-28 22:01:57,553",
            "thread_id": "1496",
            "caller": "0x7ff6c28d40a3",
            "parentcaller": "0x7ff6c28d2e59",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000057a"
              },
              {
                "name": "ValueName",
                "value": "Position"
              },
              {
                "name": "Data",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{5FDD51E2-A9D0-44CE-8C8D-162BA0C591A0}\\Patterns\\8\\Position"
              }
            ],
            "repeated": 0,
            "id": 2270
          },
          {
            "timestamp": "2026-05-28 22:01:57,553",
            "thread_id": "612",
            "caller": "0x7ff6c296b9f3",
            "parentcaller": "0x7ff6c296e5f8",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\StartUp"
              }
            ],
            "repeated": 0,
            "id": 2271
          },
          {
            "timestamp": "2026-05-28 22:01:57,553",
            "thread_id": "612",
            "caller": "0x7ff6c296b9f3",
            "parentcaller": "0x7ff6c296e5f8",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 2272
          },
          {
            "timestamp": "2026-05-28 22:01:57,553",
            "thread_id": "612",
            "caller": "0x7ff6c296ba63",
            "parentcaller": "0x7ff6c296e5f8",
            "category": "filesystem",
            "api": "FindFirstFileExW",
            "status": true,
            "return": "0x29253e85fe0",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\StartUp\\*.*"
              },
              {
                "name": "FirstCreateTimeLow",
                "value": "0xc867053b"
              },
              {
                "name": "FirstCreateTimeHigh",
                "value": "0x01d5acde"
              }
            ],
            "repeated": 0,
            "id": 2273
          },
          {
            "timestamp": "2026-05-28 22:01:57,553",
            "thread_id": "612",
            "caller": "0x7ff6c296bd3f",
            "parentcaller": "0x7ff6c296e5f8",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000588"
              }
            ],
            "repeated": 0,
            "id": 2274
          },
          {
            "timestamp": "2026-05-28 22:01:57,553",
            "thread_id": "612",
            "caller": "0x7ff6c28ef6b6",
            "parentcaller": "0x7ff6c296c3aa",
            "category": "misc",
            "api": "NtQuerySystemInformation",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SystemInformationClass",
                "value": "0",
                "pretty_value": "FILE_SUPERSEDE"
              }
            ],
            "repeated": 0,
            "id": 2275
          },
          {
            "timestamp": "2026-05-28 22:01:57,553",
            "thread_id": "612",
            "caller": "0x7ff6c28ef6b6",
            "parentcaller": "0x7ff6c296c3aa",
            "category": "misc",
            "api": "NtQuerySystemInformation",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SystemInformationClass",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              }
            ],
            "repeated": 0,
            "id": 2276
          },
          {
            "timestamp": "2026-05-28 22:01:57,553",
            "thread_id": "612",
            "caller": "0x7ff6c296c455",
            "parentcaller": "0x7ff6c296e63c",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Run"
              },
              {
                "name": "Handle",
                "value": "0x00000588"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Run"
              }
            ],
            "repeated": 0,
            "id": 2277
          },
          {
            "timestamp": "2026-05-28 22:01:57,553",
            "thread_id": "612",
            "caller": "0x7ff6c296c0df",
            "parentcaller": "0x7ff6c296c48a",
            "category": "registry",
            "api": "RegQueryInfoKeyW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000588"
              },
              {
                "name": "Class",
                "value": ""
              },
              {
                "name": "SubKeyCount",
                "value": "0"
              },
              {
                "name": "MaxSubKeyLength",
                "value": "0"
              },
              {
                "name": "MaxClassLength",
                "value": "0"
              },
              {
                "name": "ValueCount",
                "value": "2"
              },
              {
                "name": "MaxValueNameLength",
                "value": "0"
              },
              {
                "name": "MaxValueLength",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 2278
          },
          {
            "timestamp": "2026-05-28 22:01:57,553",
            "thread_id": "612",
            "caller": "0x7ff6c290d36c",
            "parentcaller": "0x7ff6c296c16e",
            "category": "registry",
            "api": "RegEnumValueW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000588"
              },
              {
                "name": "Index",
                "value": "0"
              },
              {
                "name": "ValueName",
                "value": "SecurityHealth"
              },
              {
                "name": "Type",
                "value": "2",
                "pretty_value": "REG_EXPAND_SZ"
              },
              {
                "name": "DataLength",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\SecurityHealth"
              }
            ],
            "repeated": 0,
            "id": 2279
          },
          {
            "timestamp": "2026-05-28 22:01:57,553",
            "thread_id": "612",
            "caller": "0x7ff6c290d20b",
            "parentcaller": "0x7ff6c296c1bd",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000588"
              },
              {
                "name": "ValueName",
                "value": "SecurityHealth"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\SecurityHealth"
              }
            ],
            "repeated": 0,
            "id": 2280
          },
          {
            "timestamp": "2026-05-28 22:01:57,553",
            "thread_id": "612",
            "caller": "0x7ff6c290d2e0",
            "parentcaller": "0x7ff6c296c1bd",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000588"
              },
              {
                "name": "ValueName",
                "value": "SecurityHealth"
              },
              {
                "name": "Data",
                "value": "%windir%\\system32\\SecurityHealthSystray.exe"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\SecurityHealth"
              }
            ],
            "repeated": 0,
            "id": 2281
          },
          {
            "timestamp": "2026-05-28 22:01:57,553",
            "thread_id": "1496",
            "caller": "0x7ff6c28d40a3",
            "parentcaller": "0x7ff6c28d2e59",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000057a"
              },
              {
                "name": "ValueName",
                "value": "Pattern"
              },
              {
                "name": "Data",
                "value": "IIII\\x00waR"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{5FDD51E2-A9D0-44CE-8C8D-162BA0C591A0}\\Patterns\\9\\Pattern"
              }
            ],
            "repeated": 0,
            "id": 2282
          },
          {
            "timestamp": "2026-05-28 22:01:57,553",
            "thread_id": "612",
            "caller": "0x00000000",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 2283
          },
          {
            "timestamp": "2026-05-28 22:01:57,553",
            "thread_id": "1496",
            "caller": "0x7ff6c28d40a3",
            "parentcaller": "0x7ff6c28d2e59",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000057a"
              },
              {
                "name": "ValueName",
                "value": "Mask"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{5FDD51E2-A9D0-44CE-8C8D-162BA0C591A0}\\Patterns\\9\\Mask"
              }
            ],
            "repeated": 0,
            "id": 2284
          },
          {
            "timestamp": "2026-05-28 22:01:57,553",
            "thread_id": "1496",
            "caller": "0x7ff6c28d40a3",
            "parentcaller": "0x7ff6c28d2e59",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000057a"
              },
              {
                "name": "ValueName",
                "value": "Mask"
              },
              {
                "name": "Data",
                "value": "\\xff\\xff\\xff\\xff\\x00\\xff\\xff\\xff"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{5FDD51E2-A9D0-44CE-8C8D-162BA0C591A0}\\Patterns\\9\\Mask"
              }
            ],
            "repeated": 0,
            "id": 2285
          },
          {
            "timestamp": "2026-05-28 22:01:57,553",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29253f40002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\system32\\SecurityHealthSystray.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 2286
          },
          {
            "timestamp": "2026-05-28 22:01:57,553",
            "thread_id": "1496",
            "caller": "0x7ff6c28d40a3",
            "parentcaller": "0x7ff6c28d2e59",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000057a"
              }
            ],
            "repeated": 0,
            "id": 2287
          },
          {
            "timestamp": "2026-05-28 22:01:57,553",
            "thread_id": "1496",
            "caller": "0x7ff6c28d40a3",
            "parentcaller": "0x7ff6c28d2e59",
            "category": "registry",
            "api": "RegEnumKeyExW",
            "status": false,
            "return": "0x00000103",
            "pretty_return": "NO_MORE_ITEMS",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000055e"
              },
              {
                "name": "Index",
                "value": "13"
              },
              {
                "name": "Name",
                "value": ""
              },
              {
                "name": "Class",
                "value": ""
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{5FDD51E2-A9D0-44CE-8C8D-162BA0C591A0}\\Patterns\\"
              }
            ],
            "repeated": 0,
            "id": 2288
          },
          {
            "timestamp": "2026-05-28 22:01:57,553",
            "thread_id": "1496",
            "caller": "0x7ff6c28d40a3",
            "parentcaller": "0x7ff6c28d2e59",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000055e"
              }
            ],
            "repeated": 0,
            "id": 2289
          },
          {
            "timestamp": "2026-05-28 22:01:57,553",
            "thread_id": "1496",
            "caller": "0x7ff6c28d40a3",
            "parentcaller": "0x7ff6c28d2e59",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000055a"
              }
            ],
            "repeated": 0,
            "id": 2290
          },
          {
            "timestamp": "2026-05-28 22:01:57,553",
            "thread_id": "1496",
            "caller": "0x7ff6c28d40a3",
            "parentcaller": "0x7ff6c28d2e59",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000556"
              }
            ],
            "repeated": 0,
            "id": 2291
          },
          {
            "timestamp": "2026-05-28 22:01:57,553",
            "thread_id": "1496",
            "caller": "0x7ff6c28d40a3",
            "parentcaller": "0x7ff6c28d2e59",
            "category": "registry",
            "api": "RegEnumKeyExW",
            "status": false,
            "return": "0x00000103",
            "pretty_return": "NO_MORE_ITEMS",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000053e"
              },
              {
                "name": "Index",
                "value": "2"
              },
              {
                "name": "Name",
                "value": ""
              },
              {
                "name": "Class",
                "value": ""
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{7ED96837-96F0-4812-B211-F13C24117ED3}\\Instance\\"
              }
            ],
            "repeated": 0,
            "id": 2292
          },
          {
            "timestamp": "2026-05-28 22:01:57,553",
            "thread_id": "1496",
            "caller": "0x7ff6c28d40a3",
            "parentcaller": "0x7ff6c28d2e59",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000053e"
              }
            ],
            "repeated": 0,
            "id": 2293
          },
          {
            "timestamp": "2026-05-28 22:01:57,553",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100001",
                "pretty_value": "FILE_READ_ACCESS|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\en-US\\SecurityHealthSystray.exe.mui"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 2294
          },
          {
            "timestamp": "2026-05-28 22:01:57,568",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "registry",
            "api": "NtOpenKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\en"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\en"
              }
            ],
            "repeated": 0,
            "id": 2295
          },
          {
            "timestamp": "2026-05-28 22:01:57,568",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100001",
                "pretty_value": "FILE_READ_ACCESS|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\en\\SecurityHealthSystray.exe.mui"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 2296
          },
          {
            "timestamp": "2026-05-28 22:01:57,568",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\SecurityHealthSystray.exe"
              }
            ],
            "repeated": 0,
            "id": 2297
          },
          {
            "timestamp": "2026-05-28 22:01:57,568",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29253f40000"
              },
              {
                "name": "RegionSize",
                "value": "0x00019000"
              }
            ],
            "repeated": 0,
            "id": 2298
          },
          {
            "timestamp": "2026-05-28 22:01:57,568",
            "thread_id": "612",
            "caller": "0x7ff6c28c9b37",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29253f40002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\system32\\SecurityHealthSystray.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 2299
          },
          {
            "timestamp": "2026-05-28 22:01:57,568",
            "thread_id": "612",
            "caller": "0x7ff6c28c9b37",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "registry",
            "api": "NtOpenKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\en-US"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\en-US"
              }
            ],
            "repeated": 0,
            "id": 2300
          },
          {
            "timestamp": "2026-05-28 22:01:57,568",
            "thread_id": "612",
            "caller": "0x7ff6c28c9b37",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100001",
                "pretty_value": "FILE_READ_ACCESS|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\en-US\\SecurityHealthSystray.exe.mui"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 2301
          },
          {
            "timestamp": "2026-05-28 22:01:57,568",
            "thread_id": "612",
            "caller": "0x7ff6c28c9b37",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "registry",
            "api": "NtOpenKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\en"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\en"
              }
            ],
            "repeated": 0,
            "id": 2302
          },
          {
            "timestamp": "2026-05-28 22:01:57,568",
            "thread_id": "612",
            "caller": "0x7ff6c28c9b37",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100001",
                "pretty_value": "FILE_READ_ACCESS|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\en\\SecurityHealthSystray.exe.mui"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 2303
          },
          {
            "timestamp": "2026-05-28 22:01:57,568",
            "thread_id": "612",
            "caller": "0x7ff6c28c9b37",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\SecurityHealthSystray.exe"
              }
            ],
            "repeated": 0,
            "id": 2304
          },
          {
            "timestamp": "2026-05-28 22:01:57,568",
            "thread_id": "612",
            "caller": "0x7ff6c28c9b37",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29253f40000"
              },
              {
                "name": "RegionSize",
                "value": "0x00019000"
              }
            ],
            "repeated": 0,
            "id": 2305
          },
          {
            "timestamp": "2026-05-28 22:01:57,568",
            "thread_id": "612",
            "caller": "0x7ff6c296e129",
            "parentcaller": "0x7ff6c296d3aa",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\SecurityHealthSystray.exe"
              }
            ],
            "repeated": 1,
            "id": 2306
          },
          {
            "timestamp": "2026-05-28 22:01:57,568",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29253f40002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\System32\\SecurityHealthSystray.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 2307
          },
          {
            "timestamp": "2026-05-28 22:01:57,568",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "registry",
            "api": "NtOpenKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\en-US"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\en-US"
              }
            ],
            "repeated": 0,
            "id": 2308
          },
          {
            "timestamp": "2026-05-28 22:01:57,568",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100001",
                "pretty_value": "FILE_READ_ACCESS|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\en-US\\SecurityHealthSystray.exe.mui"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 2309
          },
          {
            "timestamp": "2026-05-28 22:01:57,568",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "registry",
            "api": "NtOpenKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\en"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\en"
              }
            ],
            "repeated": 0,
            "id": 2310
          },
          {
            "timestamp": "2026-05-28 22:01:57,568",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100001",
                "pretty_value": "FILE_READ_ACCESS|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\en\\SecurityHealthSystray.exe.mui"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 2311
          },
          {
            "timestamp": "2026-05-28 22:01:57,568",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\SecurityHealthSystray.exe"
              }
            ],
            "repeated": 0,
            "id": 2312
          },
          {
            "timestamp": "2026-05-28 22:01:57,568",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29253f40000"
              },
              {
                "name": "RegionSize",
                "value": "0x00019000"
              }
            ],
            "repeated": 0,
            "id": 2313
          },
          {
            "timestamp": "2026-05-28 22:01:57,568",
            "thread_id": "612",
            "caller": "0x7ff6c28c9b37",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29253f40002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\System32\\SecurityHealthSystray.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 2314
          },
          {
            "timestamp": "2026-05-28 22:01:57,568",
            "thread_id": "612",
            "caller": "0x7ff6c28c9b37",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "registry",
            "api": "NtOpenKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\en-US"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\en-US"
              }
            ],
            "repeated": 0,
            "id": 2315
          },
          {
            "timestamp": "2026-05-28 22:01:57,568",
            "thread_id": "608",
            "caller": "0x7ff6c28b3932",
            "parentcaller": "0x7ff6c28de0ed",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "00000339-0000-0000-C000-000000000046"
              },
              {
                "name": "ClsContext",
                "value": "0x00000403",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER|CLSCTX_NO_CODE_DOWNLOAD"
              },
              {
                "name": "riid",
                "value": "00000003-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 2316
          },
          {
            "timestamp": "2026-05-28 22:01:57,568",
            "thread_id": "612",
            "caller": "0x7ff6c28c9b37",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100001",
                "pretty_value": "FILE_READ_ACCESS|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\en-US\\SecurityHealthSystray.exe.mui"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 2317
          },
          {
            "timestamp": "2026-05-28 22:01:57,568",
            "thread_id": "612",
            "caller": "0x7ff6c28c9b37",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "registry",
            "api": "NtOpenKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\en"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\en"
              }
            ],
            "repeated": 0,
            "id": 2318
          },
          {
            "timestamp": "2026-05-28 22:01:57,568",
            "thread_id": "612",
            "caller": "0x7ff6c28c9b37",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100001",
                "pretty_value": "FILE_READ_ACCESS|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\en\\SecurityHealthSystray.exe.mui"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 2319
          },
          {
            "timestamp": "2026-05-28 22:01:57,568",
            "thread_id": "612",
            "caller": "0x7ff6c28c9b37",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\SecurityHealthSystray.exe"
              }
            ],
            "repeated": 0,
            "id": 2320
          },
          {
            "timestamp": "2026-05-28 22:01:57,568",
            "thread_id": "612",
            "caller": "0x7ff6c28c9b37",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29253f40000"
              },
              {
                "name": "RegionSize",
                "value": "0x00019000"
              }
            ],
            "repeated": 0,
            "id": 2321
          },
          {
            "timestamp": "2026-05-28 22:01:57,568",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76e57000"
              },
              {
                "name": "ModuleName",
                "value": "SHELL32.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 2322
          },
          {
            "timestamp": "2026-05-28 22:01:57,568",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76e57000"
              },
              {
                "name": "ModuleName",
                "value": "SHELL32.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 2323
          },
          {
            "timestamp": "2026-05-28 22:01:57,568",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76e56000"
              },
              {
                "name": "ModuleName",
                "value": "SHELL32.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 2324
          },
          {
            "timestamp": "2026-05-28 22:01:57,568",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76e56000"
              },
              {
                "name": "ModuleName",
                "value": "SHELL32.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 2325
          },
          {
            "timestamp": "2026-05-28 22:01:57,568",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer"
              },
              {
                "name": "Handle",
                "value": "0x00000554"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer"
              }
            ],
            "repeated": 0,
            "id": 2326
          },
          {
            "timestamp": "2026-05-28 22:01:57,568",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000554"
              },
              {
                "name": "SubKey",
                "value": ""
              },
              {
                "name": "Handle",
                "value": "0x00000558"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\"
              }
            ],
            "repeated": 0,
            "id": 2327
          },
          {
            "timestamp": "2026-05-28 22:01:57,568",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76e57000"
              },
              {
                "name": "ModuleName",
                "value": "SHELL32.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 2328
          },
          {
            "timestamp": "2026-05-28 22:01:57,568",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76e57000"
              },
              {
                "name": "ModuleName",
                "value": "SHELL32.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 2329
          },
          {
            "timestamp": "2026-05-28 22:01:57,568",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000558"
              },
              {
                "name": "ValueName",
                "value": "Max Cached Icons"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Max Cached Icons"
              }
            ],
            "repeated": 0,
            "id": 2330
          },
          {
            "timestamp": "2026-05-28 22:01:57,568",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000558"
              }
            ],
            "repeated": 0,
            "id": 2331
          },
          {
            "timestamp": "2026-05-28 22:01:57,568",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76722000"
              },
              {
                "name": "ModuleName",
                "value": "SHLWAPI.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 2332
          },
          {
            "timestamp": "2026-05-28 22:01:57,568",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76722000"
              },
              {
                "name": "ModuleName",
                "value": "SHLWAPI.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 2333
          },
          {
            "timestamp": "2026-05-28 22:01:57,568",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76722000"
              },
              {
                "name": "ModuleName",
                "value": "SHLWAPI.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 2334
          },
          {
            "timestamp": "2026-05-28 22:01:57,568",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76722000"
              },
              {
                "name": "ModuleName",
                "value": "SHLWAPI.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 2335
          },
          {
            "timestamp": "2026-05-28 22:01:57,568",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000578"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\SideBySide"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\SideBySide"
              }
            ],
            "repeated": 0,
            "id": 2336
          },
          {
            "timestamp": "2026-05-28 22:01:57,568",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000578"
              },
              {
                "name": "ValueName",
                "value": "PreferExternalManifest"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\SideBySide\\PreferExternalManifest"
              }
            ],
            "repeated": 0,
            "id": 2337
          },
          {
            "timestamp": "2026-05-28 22:01:57,568",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000578"
              }
            ],
            "repeated": 0,
            "id": 2338
          },
          {
            "timestamp": "2026-05-28 22:01:57,568",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000578"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00120089",
                "pretty_value": "FILE_GENERIC_READ"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\shell32.dll"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 2339
          },
          {
            "timestamp": "2026-05-28 22:01:57,568",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000578"
              }
            ],
            "repeated": 0,
            "id": 2340
          },
          {
            "timestamp": "2026-05-28 22:01:57,568",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "comctl32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc61e00000"
              }
            ],
            "repeated": 0,
            "id": 2341
          },
          {
            "timestamp": "2026-05-28 22:01:57,568",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x7ffc61e00000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "comctl32.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 2342
          },
          {
            "timestamp": "2026-05-28 22:01:57,568",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "comctl32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc61e00000"
              }
            ],
            "repeated": 0,
            "id": 2343
          },
          {
            "timestamp": "2026-05-28 22:01:57,568",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x7ffc61e00000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "comctl32.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 2344
          },
          {
            "timestamp": "2026-05-28 22:01:57,568",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "COMCTL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc61e00000"
              },
              {
                "name": "FunctionName",
                "value": "ImageList_CoCreateInstance"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc61e7d910"
              }
            ],
            "repeated": 0,
            "id": 2345
          },
          {
            "timestamp": "2026-05-28 22:01:57,568",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc6204a000"
              },
              {
                "name": "ModuleName",
                "value": "COMCTL32.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 2346
          },
          {
            "timestamp": "2026-05-28 22:01:57,568",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc6204a000"
              },
              {
                "name": "ModuleName",
                "value": "COMCTL32.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 2347
          },
          {
            "timestamp": "2026-05-28 22:01:57,568",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc6204a000"
              },
              {
                "name": "ModuleName",
                "value": "COMCTL32.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 2348
          },
          {
            "timestamp": "2026-05-28 22:01:57,568",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc6204a000"
              },
              {
                "name": "ModuleName",
                "value": "COMCTL32.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 2349
          },
          {
            "timestamp": "2026-05-28 22:01:57,568",
            "thread_id": "5448",
            "caller": "0x7ff6c28b6c27",
            "parentcaller": "0x7ff6c28b6b3b",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\System32\\Windows.UI.Immersive"
              },
              {
                "name": "DllBase",
                "value": "0x7ffc69be0000"
              }
            ],
            "repeated": 0,
            "id": 2350
          },
          {
            "timestamp": "2026-05-28 22:01:57,568",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc77fd0000"
              },
              {
                "name": "FunctionName",
                "value": "RtlDisownModuleHeapAllocation"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc7804fa30"
              }
            ],
            "repeated": 0,
            "id": 2351
          },
          {
            "timestamp": "2026-05-28 22:01:57,568",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x000005a0"
              }
            ],
            "repeated": 0,
            "id": 2352
          },
          {
            "timestamp": "2026-05-28 22:01:57,568",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "29"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 2353
          },
          {
            "timestamp": "2026-05-28 22:01:57,568",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "25"
              },
              {
                "name": "TokenInformation",
                "value": "\\xd0\\xc4\\xff\\x9d\\xf0\\x00\\x00\\x00`\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x10\\x000\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 2354
          },
          {
            "timestamp": "2026-05-28 22:01:57,568",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions"
              },
              {
                "name": "Handle",
                "value": "0x000005a4"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions"
              }
            ],
            "repeated": 0,
            "id": 2355
          },
          {
            "timestamp": "2026-05-28 22:01:57,568",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x000005a4"
              },
              {
                "name": "SubKey",
                "value": "{F1B32785-6FBA-4FCF-9D55-7B8E7F157091}"
              },
              {
                "name": "Handle",
                "value": "0x000005a8"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F1B32785-6FBA-4FCF-9D55-7B8E7F157091}"
              }
            ],
            "repeated": 0,
            "id": 2356
          },
          {
            "timestamp": "2026-05-28 22:01:57,568",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005a4"
              }
            ],
            "repeated": 0,
            "id": 2357
          },
          {
            "timestamp": "2026-05-28 22:01:57,568",
            "thread_id": "5448",
            "caller": "0x7ff6c28b6c27",
            "parentcaller": "0x7ff6c28b6b3b",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\Windows.UI.Immersive.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc69be0000"
              }
            ],
            "repeated": 0,
            "id": 2358
          },
          {
            "timestamp": "2026-05-28 22:01:57,568",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4106",
            "parentcaller": "0x7ff6c28d2e59",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000005a4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100021",
                "pretty_value": "FILE_READ_ACCESS|FILE_EXECUTE|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\oleacc.dll"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 2359
          },
          {
            "timestamp": "2026-05-28 22:01:57,568",
            "thread_id": "5448",
            "caller": "0x7ff6c28b6c27",
            "parentcaller": "0x7ff6c28b6b3b",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "09C5DD34-009D-40FA-BCB9-0165AD0C15D4"
              },
              {
                "name": "ClsContext",
                "value": "0x00000001",
                "pretty_value": "CLSCTX_INPROC_SERVER"
              },
              {
                "name": "riid",
                "value": "FB69BC98-66A0-47BA-8B1D-F79B9E842BBC"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 2360
          },
          {
            "timestamp": "2026-05-28 22:01:57,568",
            "thread_id": "5448",
            "caller": "0x7ff6c28b6c6b",
            "parentcaller": "0x7ff6c28b6b3b",
            "category": "misc",
            "api": "GetComputerNameW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ComputerName",
                "value": "JOHNS-PC"
              }
            ],
            "repeated": 0,
            "id": 2361
          },
          {
            "timestamp": "2026-05-28 22:01:57,568",
            "thread_id": "5448",
            "caller": "0x7ff6c28dd762",
            "parentcaller": "0x7ff6c28e177d",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff6c29dc000"
              },
              {
                "name": "ModuleName",
                "value": "taskmgr.exe"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 2362
          },
          {
            "timestamp": "2026-05-28 22:01:57,568",
            "thread_id": "5448",
            "caller": "0x7ff6c28dd762",
            "parentcaller": "0x7ff6c28e177d",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff6c29dc000"
              },
              {
                "name": "ModuleName",
                "value": "taskmgr.exe"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 2363
          },
          {
            "timestamp": "2026-05-28 22:01:57,568",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4106",
            "parentcaller": "0x7ff6c28d2e59",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x000005b0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0000000d",
                "pretty_value": "SECTION_QUERY|SECTION_MAP_READ|SECTION_MAP_EXECUTE"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x000005a4"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\oleacc.dll"
              }
            ],
            "repeated": 0,
            "id": 2364
          },
          {
            "timestamp": "2026-05-28 22:01:57,568",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4106",
            "parentcaller": "0x7ff6c28d2e59",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x000005b0"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc5f9a0000"
              },
              {
                "name": "SectionOffset",
                "value": "0x00000000"
              },
              {
                "name": "ViewSize",
                "value": "0x00066000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000080",
                "pretty_value": "PAGE_EXECUTE_WRITECOPY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 2365
          },
          {
            "timestamp": "2026-05-28 22:01:57,568",
            "thread_id": "1496",
            "caller": "0x00000000",
            "parentcaller": "0x00000000",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc5f9fd000"
              },
              {
                "name": "ModuleName",
                "value": "OLEACC.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 2366
          },
          {
            "timestamp": "2026-05-28 22:01:57,568",
            "thread_id": "5448",
            "caller": "0x7ff6c28b747a",
            "parentcaller": "0x7ff6c28b6ac3",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x00000498"
              }
            ],
            "repeated": 0,
            "id": 2367
          },
          {
            "timestamp": "2026-05-28 22:01:57,568",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4106",
            "parentcaller": "0x7ff6c28d2e59",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc5f9ea000"
              },
              {
                "name": "ModuleName",
                "value": "OLEACC.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 2368
          },
          {
            "timestamp": "2026-05-28 22:01:57,568",
            "thread_id": "5448",
            "caller": "0x7ff6c28b747a",
            "parentcaller": "0x7ff6c28b6ac3",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "12"
              },
              {
                "name": "TokenInformation",
                "value": "\\x01\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 2369
          },
          {
            "timestamp": "2026-05-28 22:01:57,568",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4106",
            "parentcaller": "0x7ff6c28d2e59",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc5f9ea000"
              },
              {
                "name": "ModuleName",
                "value": "OLEACC.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 2370
          },
          {
            "timestamp": "2026-05-28 22:01:57,568",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4106",
            "parentcaller": "0x7ff6c28d2e59",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc5f9ea000"
              },
              {
                "name": "ModuleName",
                "value": "OLEACC.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 2371
          },
          {
            "timestamp": "2026-05-28 22:01:57,568",
            "thread_id": "5448",
            "caller": "0x7ff6c28b747a",
            "parentcaller": "0x7ff6c28b6ac3",
            "category": "synchronization",
            "api": "NtOpenEvent",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000498"
              },
              {
                "name": "EventName",
                "value": "Global\\TermSrvReadyEvent"
              }
            ],
            "repeated": 0,
            "id": 2372
          },
          {
            "timestamp": "2026-05-28 22:01:57,568",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4106",
            "parentcaller": "0x7ff6c28d2e59",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc5f9ea000"
              },
              {
                "name": "ModuleName",
                "value": "OLEACC.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 2373
          },
          {
            "timestamp": "2026-05-28 22:01:57,568",
            "thread_id": "5448",
            "caller": "0x7ff6c28b747a",
            "parentcaller": "0x7ff6c28b6ac3",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 2374
          },
          {
            "timestamp": "2026-05-28 22:01:57,568",
            "thread_id": "5448",
            "caller": "0x7ff6c28b747a",
            "parentcaller": "0x7ff6c28b6ac3",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000498"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 2375
          },
          {
            "timestamp": "2026-05-28 22:01:57,568",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4106",
            "parentcaller": "0x7ff6c28d2e59",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc5f9e9000"
              },
              {
                "name": "ModuleName",
                "value": "OLEACC.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00002000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 2376
          },
          {
            "timestamp": "2026-05-28 22:01:57,568",
            "thread_id": "5448",
            "caller": "0x7ff6c28b747a",
            "parentcaller": "0x7ff6c28b6ac3",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000498"
              }
            ],
            "repeated": 0,
            "id": 2377
          },
          {
            "timestamp": "2026-05-28 22:01:57,568",
            "thread_id": "5448",
            "caller": "0x7ff6c28b747a",
            "parentcaller": "0x7ff6c28b6ac3",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000052c"
              },
              {
                "name": "Milliseconds",
                "value": "18446744073709551615"
              },
              {
                "name": "Status",
                "value": "Infinite"
              }
            ],
            "repeated": 0,
            "id": 2378
          },
          {
            "timestamp": "2026-05-28 22:01:57,568",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4106",
            "parentcaller": "0x7ff6c28d2e59",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              }
            ],
            "repeated": 0,
            "id": 2379
          },
          {
            "timestamp": "2026-05-28 22:01:57,568",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4106",
            "parentcaller": "0x7ff6c28d2e59",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005a4"
              }
            ],
            "repeated": 0,
            "id": 2380
          },
          {
            "timestamp": "2026-05-28 22:01:57,568",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4106",
            "parentcaller": "0x7ff6c28d2e59",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc5f9e9000"
              },
              {
                "name": "ModuleName",
                "value": "OLEACC.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00002000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 2381
          },
          {
            "timestamp": "2026-05-28 22:01:57,568",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4106",
            "parentcaller": "0x7ff6c28d2e59",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\system32\\OLEACC"
              },
              {
                "name": "DllBase",
                "value": "0x7ffc5f9a0000"
              }
            ],
            "repeated": 0,
            "id": 2382
          },
          {
            "timestamp": "2026-05-28 22:01:57,568",
            "thread_id": "5448",
            "caller": "0x7ff6c28b737a",
            "parentcaller": "0x7ff6c28b6adb",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254150000"
              },
              {
                "name": "RegionSize",
                "value": "0x00200000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 2383
          },
          {
            "timestamp": "2026-05-28 22:01:57,568",
            "thread_id": "5448",
            "caller": "0x7ff6c28b737a",
            "parentcaller": "0x7ff6c28b6adb",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254150000"
              },
              {
                "name": "RegionSize",
                "value": "0x00002000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 2384
          },
          {
            "timestamp": "2026-05-28 22:01:57,568",
            "thread_id": "5448",
            "caller": "0x7ff6c28b737a",
            "parentcaller": "0x7ff6c28b6adb",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x00000498"
              }
            ],
            "repeated": 0,
            "id": 2385
          },
          {
            "timestamp": "2026-05-28 22:01:57,568",
            "thread_id": "5448",
            "caller": "0x7ff6c28b737a",
            "parentcaller": "0x7ff6c28b6adb",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "12"
              },
              {
                "name": "TokenInformation",
                "value": "\\x01\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 2386
          },
          {
            "timestamp": "2026-05-28 22:01:57,568",
            "thread_id": "5448",
            "caller": "0x7ff6c28b737a",
            "parentcaller": "0x7ff6c28b6adb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000498"
              }
            ],
            "repeated": 0,
            "id": 2387
          },
          {
            "timestamp": "2026-05-28 22:01:57,568",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005a8"
              },
              {
                "name": "ValueName",
                "value": "Category"
              },
              {
                "name": "Data",
                "value": "4"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F1B32785-6FBA-4FCF-9D55-7B8E7F157091}\\Category"
              }
            ],
            "repeated": 0,
            "id": 2388
          },
          {
            "timestamp": "2026-05-28 22:01:57,568",
            "thread_id": "5448",
            "caller": "0x7ff6c28b737a",
            "parentcaller": "0x7ff6c28b6adb",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29253b9c000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 2389
          },
          {
            "timestamp": "2026-05-28 22:01:57,568",
            "thread_id": "5448",
            "caller": "0x7ff6c28b737a",
            "parentcaller": "0x7ff6c28b6adb",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000052c"
              },
              {
                "name": "Milliseconds",
                "value": "18446744073709551615"
              },
              {
                "name": "Status",
                "value": "Infinite"
              }
            ],
            "repeated": 0,
            "id": 2390
          },
          {
            "timestamp": "2026-05-28 22:01:57,568",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005a8"
              },
              {
                "name": "ValueName",
                "value": "Name"
              },
              {
                "name": "Data",
                "value": "Local AppData"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F1B32785-6FBA-4FCF-9D55-7B8E7F157091}\\Name"
              }
            ],
            "repeated": 0,
            "id": 2391
          },
          {
            "timestamp": "2026-05-28 22:01:57,568",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005a8"
              },
              {
                "name": "ValueName",
                "value": "ParentFolder"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F1B32785-6FBA-4FCF-9D55-7B8E7F157091}\\ParentFolder"
              }
            ],
            "repeated": 0,
            "id": 2392
          },
          {
            "timestamp": "2026-05-28 22:01:57,568",
            "thread_id": "5448",
            "caller": "0x7ff6c28b737a",
            "parentcaller": "0x7ff6c28b6adb",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 2393
          },
          {
            "timestamp": "2026-05-28 22:01:57,568",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005a8"
              },
              {
                "name": "ValueName",
                "value": "Description"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F1B32785-6FBA-4FCF-9D55-7B8E7F157091}\\Description"
              }
            ],
            "repeated": 0,
            "id": 2394
          },
          {
            "timestamp": "2026-05-28 22:01:57,568",
            "thread_id": "5448",
            "caller": "0x7ff6c28b737a",
            "parentcaller": "0x7ff6c28b6adb",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 1,
            "id": 2395
          },
          {
            "timestamp": "2026-05-28 22:01:57,568",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005a8"
              },
              {
                "name": "ValueName",
                "value": "RelativePath"
              },
              {
                "name": "Data",
                "value": "AppData\\Local"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F1B32785-6FBA-4FCF-9D55-7B8E7F157091}\\RelativePath"
              }
            ],
            "repeated": 0,
            "id": 2396
          },
          {
            "timestamp": "2026-05-28 22:01:57,568",
            "thread_id": "5448",
            "caller": "0x7ff6c28b737a",
            "parentcaller": "0x7ff6c28b6adb",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "29"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 2397
          },
          {
            "timestamp": "2026-05-28 22:01:57,568",
            "thread_id": "5448",
            "caller": "0x7ffc770ebf07",
            "parentcaller": "0x7ffc770ebe66",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 2398
          },
          {
            "timestamp": "2026-05-28 22:01:57,568",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005a8"
              },
              {
                "name": "ValueName",
                "value": "ParsingName"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F1B32785-6FBA-4FCF-9D55-7B8E7F157091}\\ParsingName"
              }
            ],
            "repeated": 0,
            "id": 2399
          },
          {
            "timestamp": "2026-05-28 22:01:57,568",
            "thread_id": "5448",
            "caller": "0x7ff6c28b737a",
            "parentcaller": "0x7ff6c28b6adb",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 2400
          },
          {
            "timestamp": "2026-05-28 22:01:57,568",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005a8"
              },
              {
                "name": "ValueName",
                "value": "InfoTip"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F1B32785-6FBA-4FCF-9D55-7B8E7F157091}\\InfoTip"
              }
            ],
            "repeated": 0,
            "id": 2401
          },
          {
            "timestamp": "2026-05-28 22:01:57,568",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005a8"
              },
              {
                "name": "ValueName",
                "value": "LocalizedName"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F1B32785-6FBA-4FCF-9D55-7B8E7F157091}\\LocalizedName"
              }
            ],
            "repeated": 0,
            "id": 2402
          },
          {
            "timestamp": "2026-05-28 22:01:57,568",
            "thread_id": "5448",
            "caller": "0x7ff6c28b737a",
            "parentcaller": "0x7ff6c28b6adb",
            "category": "system",
            "api": "NtQuerySystemTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 2403
          },
          {
            "timestamp": "2026-05-28 22:01:57,568",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005a8"
              },
              {
                "name": "ValueName",
                "value": "Security"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F1B32785-6FBA-4FCF-9D55-7B8E7F157091}\\Security"
              }
            ],
            "repeated": 0,
            "id": 2404
          },
          {
            "timestamp": "2026-05-28 22:01:57,568",
            "thread_id": "5448",
            "caller": "0x7ff6c28b737a",
            "parentcaller": "0x7ff6c28b6adb",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "12"
              },
              {
                "name": "TokenInformation",
                "value": "\\x01\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 2405
          },
          {
            "timestamp": "2026-05-28 22:01:57,568",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005a8"
              },
              {
                "name": "ValueName",
                "value": "StreamResource"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F1B32785-6FBA-4FCF-9D55-7B8E7F157091}\\StreamResource"
              }
            ],
            "repeated": 0,
            "id": 2406
          },
          {
            "timestamp": "2026-05-28 22:01:57,568",
            "thread_id": "5448",
            "caller": "0x7ff6c28b737a",
            "parentcaller": "0x7ff6c28b6adb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000498"
              }
            ],
            "repeated": 0,
            "id": 2407
          },
          {
            "timestamp": "2026-05-28 22:01:57,568",
            "thread_id": "612",
            "caller": "0x7ffc756e2e92",
            "parentcaller": "0x7ffc738386fb",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005a8"
              },
              {
                "name": "ValueName",
                "value": "StreamResourceType"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F1B32785-6FBA-4FCF-9D55-7B8E7F157091}\\StreamResourceType"
              }
            ],
            "repeated": 0,
            "id": 2408
          },
          {
            "timestamp": "2026-05-28 22:01:57,568",
            "thread_id": "5448",
            "caller": "0x7ff6c28b72a3",
            "parentcaller": "0x7ff6c28b6af5",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x00000498"
              }
            ],
            "repeated": 0,
            "id": 2409
          },
          {
            "timestamp": "2026-05-28 22:01:57,568",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005a8"
              },
              {
                "name": "ValueName",
                "value": "LocalRedirectOnly"
              },
              {
                "name": "Data",
                "value": "1"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F1B32785-6FBA-4FCF-9D55-7B8E7F157091}\\LocalRedirectOnly"
              }
            ],
            "repeated": 0,
            "id": 2410
          },
          {
            "timestamp": "2026-05-28 22:01:57,568",
            "thread_id": "5448",
            "caller": "0x7ff6c28b72a3",
            "parentcaller": "0x7ff6c28b6af5",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "12"
              },
              {
                "name": "TokenInformation",
                "value": "\\x01\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 2411
          },
          {
            "timestamp": "2026-05-28 22:01:57,568",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005a8"
              },
              {
                "name": "ValueName",
                "value": "Roamable"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F1B32785-6FBA-4FCF-9D55-7B8E7F157091}\\Roamable"
              }
            ],
            "repeated": 0,
            "id": 2412
          },
          {
            "timestamp": "2026-05-28 22:01:57,568",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005a8"
              },
              {
                "name": "ValueName",
                "value": "PreCreate"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F1B32785-6FBA-4FCF-9D55-7B8E7F157091}\\PreCreate"
              }
            ],
            "repeated": 0,
            "id": 2413
          },
          {
            "timestamp": "2026-05-28 22:01:57,568",
            "thread_id": "5448",
            "caller": "0x7ff6c28b72a3",
            "parentcaller": "0x7ff6c28b6af5",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "29"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 2414
          },
          {
            "timestamp": "2026-05-28 22:01:57,568",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005a8"
              },
              {
                "name": "ValueName",
                "value": "Stream"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F1B32785-6FBA-4FCF-9D55-7B8E7F157091}\\Stream"
              }
            ],
            "repeated": 0,
            "id": 2415
          },
          {
            "timestamp": "2026-05-28 22:01:57,568",
            "thread_id": "5448",
            "caller": "0x7ff6c28b72a3",
            "parentcaller": "0x7ff6c28b6af5",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "29"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 2416
          },
          {
            "timestamp": "2026-05-28 22:01:57,568",
            "thread_id": "5448",
            "caller": "0x7ff6c28b72a3",
            "parentcaller": "0x7ff6c28b6af5",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 1,
            "id": 2417
          },
          {
            "timestamp": "2026-05-28 22:01:57,568",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005a8"
              },
              {
                "name": "ValueName",
                "value": "PublishExpandedPath"
              },
              {
                "name": "Data",
                "value": "1"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F1B32785-6FBA-4FCF-9D55-7B8E7F157091}\\PublishExpandedPath"
              }
            ],
            "repeated": 0,
            "id": 2418
          },
          {
            "timestamp": "2026-05-28 22:01:57,568",
            "thread_id": "5448",
            "caller": "0x7ff6c28b72a3",
            "parentcaller": "0x7ff6c28b6af5",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "29"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 2419
          },
          {
            "timestamp": "2026-05-28 22:01:57,568",
            "thread_id": "5448",
            "caller": "0x7ff6c28b72a3",
            "parentcaller": "0x7ff6c28b6af5",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 1,
            "id": 2420
          },
          {
            "timestamp": "2026-05-28 22:01:57,568",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005a8"
              },
              {
                "name": "ValueName",
                "value": "DefinitionFlags"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F1B32785-6FBA-4FCF-9D55-7B8E7F157091}\\DefinitionFlags"
              }
            ],
            "repeated": 0,
            "id": 2421
          },
          {
            "timestamp": "2026-05-28 22:01:57,568",
            "thread_id": "5448",
            "caller": "0x7ff6c28b72a3",
            "parentcaller": "0x7ff6c28b6af5",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 2422
          },
          {
            "timestamp": "2026-05-28 22:01:57,568",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005a8"
              },
              {
                "name": "ValueName",
                "value": "Attributes"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F1B32785-6FBA-4FCF-9D55-7B8E7F157091}\\Attributes"
              }
            ],
            "repeated": 0,
            "id": 2423
          },
          {
            "timestamp": "2026-05-28 22:01:57,568",
            "thread_id": "5448",
            "caller": "0x7ff6c28b72a3",
            "parentcaller": "0x7ff6c28b6af5",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x00000498"
              }
            ],
            "repeated": 0,
            "id": 2424
          },
          {
            "timestamp": "2026-05-28 22:01:57,568",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005a8"
              },
              {
                "name": "ValueName",
                "value": "FolderTypeID"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F1B32785-6FBA-4FCF-9D55-7B8E7F157091}\\FolderTypeID"
              }
            ],
            "repeated": 0,
            "id": 2425
          },
          {
            "timestamp": "2026-05-28 22:01:57,568",
            "thread_id": "5448",
            "caller": "0x7ff6c28b70f6",
            "parentcaller": "0x7ff6c28b6b0a",
            "category": "misc",
            "api": "GetComputerNameW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ComputerName",
                "value": "JOHNS-PC"
              }
            ],
            "repeated": 0,
            "id": 2426
          },
          {
            "timestamp": "2026-05-28 22:01:57,568",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005a8"
              },
              {
                "name": "ValueName",
                "value": "InitFolderHandler"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F1B32785-6FBA-4FCF-9D55-7B8E7F157091}\\InitFolderHandler"
              }
            ],
            "repeated": 0,
            "id": 2427
          },
          {
            "timestamp": "2026-05-28 22:01:57,568",
            "thread_id": "5448",
            "caller": "0x7ff6c28dd762",
            "parentcaller": "0x7ff6c28e1210",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000038"
              },
              {
                "name": "Milliseconds",
                "value": "18446744073709551615"
              },
              {
                "name": "Status",
                "value": "Infinite"
              }
            ],
            "repeated": 0,
            "id": 2428
          },
          {
            "timestamp": "2026-05-28 22:01:57,568",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x000005a8"
              },
              {
                "name": "SubKey",
                "value": "PropertyBag"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F1B32785-6FBA-4FCF-9D55-7B8E7F157091}\\PropertyBag"
              }
            ],
            "repeated": 0,
            "id": 2429
          },
          {
            "timestamp": "2026-05-28 22:01:57,568",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005a8"
              }
            ],
            "repeated": 0,
            "id": 2430
          },
          {
            "timestamp": "2026-05-28 22:01:57,568",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x0000058c"
              },
              {
                "name": "SubKey",
                "value": "SessionInfo\\1"
              },
              {
                "name": "Handle",
                "value": "0x000005a8"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\SessionInfo\\1"
              }
            ],
            "repeated": 0,
            "id": 2431
          },
          {
            "timestamp": "2026-05-28 22:01:57,568",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x000005a8"
              },
              {
                "name": "SubKey",
                "value": "KnownFolders"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\SessionInfo\\1\\KnownFolders"
              }
            ],
            "repeated": 0,
            "id": 2432
          },
          {
            "timestamp": "2026-05-28 22:01:57,568",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005a8"
              }
            ],
            "repeated": 0,
            "id": 2433
          },
          {
            "timestamp": "2026-05-28 22:01:57,568",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\x90\\xc0\\xff\\x9d\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xfc\\x7f\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\xe9\\x03\\x00\\x00\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x80\\xa8\\x05\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 2434
          },
          {
            "timestamp": "2026-05-28 22:01:57,568",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000005a8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3968686040-3210279463-847977608-1001"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER"
              }
            ],
            "repeated": 0,
            "id": 2435
          },
          {
            "timestamp": "2026-05-28 22:01:57,568",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x000005a8"
              },
              {
                "name": "SubKey",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders"
              },
              {
                "name": "Handle",
                "value": "0x000005b0"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders"
              }
            ],
            "repeated": 0,
            "id": 2436
          },
          {
            "timestamp": "2026-05-28 22:01:57,568",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005a8"
              }
            ],
            "repeated": 0,
            "id": 2437
          },
          {
            "timestamp": "2026-05-28 22:01:57,568",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              },
              {
                "name": "ValueName",
                "value": "Local AppData"
              },
              {
                "name": "Data",
                "value": "%USERPROFILE%\\AppData\\Local"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders\\Local AppData"
              }
            ],
            "repeated": 0,
            "id": 2438
          },
          {
            "timestamp": "2026-05-28 22:01:57,568",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005a0"
              }
            ],
            "repeated": 0,
            "id": 2439
          },
          {
            "timestamp": "2026-05-28 22:01:57,568",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              }
            ],
            "repeated": 0,
            "id": 2440
          },
          {
            "timestamp": "2026-05-28 22:01:57,568",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "Software\\Policies\\Microsoft\\Windows\\Explorer"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\Explorer"
              }
            ],
            "repeated": 0,
            "id": 2441
          },
          {
            "timestamp": "2026-05-28 22:01:57,568",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000001",
                "pretty_value": "HKEY_CURRENT_USER"
              },
              {
                "name": "SubKey",
                "value": "Software\\Policies\\Microsoft\\Windows\\Explorer"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\Software\\Policies\\Microsoft\\Windows\\Explorer"
              }
            ],
            "repeated": 0,
            "id": 2442
          },
          {
            "timestamp": "2026-05-28 22:01:57,568",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x000005b0"
              }
            ],
            "repeated": 0,
            "id": 2443
          },
          {
            "timestamp": "2026-05-28 22:01:57,568",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "29"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 2444
          },
          {
            "timestamp": "2026-05-28 22:01:57,568",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "25"
              },
              {
                "name": "TokenInformation",
                "value": "P\\xc0\\xff\\x9d\\xf0\\x00\\x00\\x00`\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x10\\x000\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 2445
          },
          {
            "timestamp": "2026-05-28 22:01:57,568",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions"
              },
              {
                "name": "Handle",
                "value": "0x000005a0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions"
              }
            ],
            "repeated": 0,
            "id": 2446
          },
          {
            "timestamp": "2026-05-28 22:01:57,568",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x000005a0"
              },
              {
                "name": "SubKey",
                "value": "{5E6C858F-0E22-4760-9AFE-EA3317B67173}"
              },
              {
                "name": "Handle",
                "value": "0x000005a8"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{5E6C858F-0E22-4760-9AFE-EA3317B67173}"
              }
            ],
            "repeated": 0,
            "id": 2447
          },
          {
            "timestamp": "2026-05-28 22:01:57,568",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005a0"
              }
            ],
            "repeated": 0,
            "id": 2448
          },
          {
            "timestamp": "2026-05-28 22:01:57,568",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005a8"
              },
              {
                "name": "ValueName",
                "value": "Category"
              },
              {
                "name": "Data",
                "value": "2"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\\Category"
              }
            ],
            "repeated": 0,
            "id": 2449
          },
          {
            "timestamp": "2026-05-28 22:01:57,568",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005a8"
              },
              {
                "name": "ValueName",
                "value": "Name"
              },
              {
                "name": "Data",
                "value": "Profile"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\\Name"
              }
            ],
            "repeated": 0,
            "id": 2450
          },
          {
            "timestamp": "2026-05-28 22:01:57,568",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005a8"
              },
              {
                "name": "ValueName",
                "value": "ParentFolder"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\\ParentFolder"
              }
            ],
            "repeated": 0,
            "id": 2451
          },
          {
            "timestamp": "2026-05-28 22:01:57,568",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005a8"
              },
              {
                "name": "ValueName",
                "value": "Description"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\\Description"
              }
            ],
            "repeated": 0,
            "id": 2452
          },
          {
            "timestamp": "2026-05-28 22:01:57,568",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005a8"
              },
              {
                "name": "ValueName",
                "value": "RelativePath"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\\RelativePath"
              }
            ],
            "repeated": 0,
            "id": 2453
          },
          {
            "timestamp": "2026-05-28 22:01:57,568",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005a8"
              },
              {
                "name": "ValueName",
                "value": "ParsingName"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\\ParsingName"
              }
            ],
            "repeated": 0,
            "id": 2454
          },
          {
            "timestamp": "2026-05-28 22:01:57,568",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005a8"
              },
              {
                "name": "ValueName",
                "value": "InfoTip"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\\InfoTip"
              }
            ],
            "repeated": 0,
            "id": 2455
          },
          {
            "timestamp": "2026-05-28 22:01:57,568",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005a8"
              },
              {
                "name": "ValueName",
                "value": "LocalizedName"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\\LocalizedName"
              }
            ],
            "repeated": 0,
            "id": 2456
          },
          {
            "timestamp": "2026-05-28 22:01:57,568",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005a8"
              },
              {
                "name": "ValueName",
                "value": "Icon"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\\Icon"
              }
            ],
            "repeated": 0,
            "id": 2457
          },
          {
            "timestamp": "2026-05-28 22:01:57,568",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005a8"
              },
              {
                "name": "ValueName",
                "value": "Security"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\\Security"
              }
            ],
            "repeated": 0,
            "id": 2458
          },
          {
            "timestamp": "2026-05-28 22:01:57,568",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005a8"
              },
              {
                "name": "ValueName",
                "value": "StreamResource"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\\StreamResource"
              }
            ],
            "repeated": 0,
            "id": 2459
          },
          {
            "timestamp": "2026-05-28 22:01:57,568",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005a8"
              },
              {
                "name": "ValueName",
                "value": "StreamResourceType"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\\StreamResourceType"
              }
            ],
            "repeated": 0,
            "id": 2460
          },
          {
            "timestamp": "2026-05-28 22:01:57,568",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005a8"
              },
              {
                "name": "ValueName",
                "value": "LocalRedirectOnly"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\\LocalRedirectOnly"
              }
            ],
            "repeated": 0,
            "id": 2461
          },
          {
            "timestamp": "2026-05-28 22:01:57,568",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005a8"
              },
              {
                "name": "ValueName",
                "value": "Roamable"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\\Roamable"
              }
            ],
            "repeated": 0,
            "id": 2462
          },
          {
            "timestamp": "2026-05-28 22:01:57,568",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005a8"
              },
              {
                "name": "ValueName",
                "value": "PreCreate"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\\PreCreate"
              }
            ],
            "repeated": 0,
            "id": 2463
          },
          {
            "timestamp": "2026-05-28 22:01:57,568",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005a8"
              },
              {
                "name": "ValueName",
                "value": "Stream"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\\Stream"
              }
            ],
            "repeated": 0,
            "id": 2464
          },
          {
            "timestamp": "2026-05-28 22:01:57,568",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005a8"
              },
              {
                "name": "ValueName",
                "value": "PublishExpandedPath"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\\PublishExpandedPath"
              }
            ],
            "repeated": 0,
            "id": 2465
          },
          {
            "timestamp": "2026-05-28 22:01:57,568",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005a8"
              },
              {
                "name": "ValueName",
                "value": "DefinitionFlags"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\\DefinitionFlags"
              }
            ],
            "repeated": 0,
            "id": 2466
          },
          {
            "timestamp": "2026-05-28 22:01:57,568",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005a8"
              },
              {
                "name": "ValueName",
                "value": "Attributes"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\\Attributes"
              }
            ],
            "repeated": 0,
            "id": 2467
          },
          {
            "timestamp": "2026-05-28 22:01:57,568",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005a8"
              },
              {
                "name": "ValueName",
                "value": "FolderTypeID"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\\FolderTypeID"
              }
            ],
            "repeated": 0,
            "id": 2468
          },
          {
            "timestamp": "2026-05-28 22:01:57,568",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005a8"
              },
              {
                "name": "ValueName",
                "value": "InitFolderHandler"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\\InitFolderHandler"
              }
            ],
            "repeated": 0,
            "id": 2469
          },
          {
            "timestamp": "2026-05-28 22:01:57,568",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x000005a8"
              },
              {
                "name": "SubKey",
                "value": "PropertyBag"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\\PropertyBag"
              }
            ],
            "repeated": 0,
            "id": 2470
          },
          {
            "timestamp": "2026-05-28 22:01:57,584",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005a8"
              }
            ],
            "repeated": 0,
            "id": 2471
          },
          {
            "timestamp": "2026-05-28 22:01:57,584",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x000005a8"
              }
            ],
            "repeated": 0,
            "id": 2472
          },
          {
            "timestamp": "2026-05-28 22:01:57,584",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "P\\x05\\xeeS\\x92\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\xe9\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 2473
          },
          {
            "timestamp": "2026-05-28 22:01:57,584",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc73f05000"
              },
              {
                "name": "ModuleName",
                "value": "windows.storage.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 2474
          },
          {
            "timestamp": "2026-05-28 22:01:57,584",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc73f05000"
              },
              {
                "name": "ModuleName",
                "value": "windows.storage.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 2475
          },
          {
            "timestamp": "2026-05-28 22:01:57,584",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc73f06000"
              },
              {
                "name": "ModuleName",
                "value": "windows.storage.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 2476
          },
          {
            "timestamp": "2026-05-28 22:01:57,584",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc73f06000"
              },
              {
                "name": "ModuleName",
                "value": "windows.storage.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 2477
          },
          {
            "timestamp": "2026-05-28 22:01:57,584",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4106",
            "parentcaller": "0x7ff6c28d2e59",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "advapi32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc771e0000"
              }
            ],
            "repeated": 0,
            "id": 2478
          },
          {
            "timestamp": "2026-05-28 22:01:57,584",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4106",
            "parentcaller": "0x7ff6c28d2e59",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ADVAPI32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc771e0000"
              },
              {
                "name": "FunctionName",
                "value": "EventWrite"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc7801f1b0"
              }
            ],
            "repeated": 0,
            "id": 2479
          },
          {
            "timestamp": "2026-05-28 22:01:57,584",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4106",
            "parentcaller": "0x7ff6c28d2e59",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ADVAPI32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc771e0000"
              },
              {
                "name": "FunctionName",
                "value": "EventRegister"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc78012e80"
              }
            ],
            "repeated": 0,
            "id": 2480
          },
          {
            "timestamp": "2026-05-28 22:01:57,584",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4106",
            "parentcaller": "0x7ff6c28d2e59",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ADVAPI32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc771e0000"
              },
              {
                "name": "FunctionName",
                "value": "EventUnregister"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc78020390"
              }
            ],
            "repeated": 0,
            "id": 2481
          },
          {
            "timestamp": "2026-05-28 22:01:57,584",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "Software\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList\\S-1-5-21-3968686040-3210279463-847977608-1001"
              },
              {
                "name": "Handle",
                "value": "0x000005a4"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList\\S-1-5-21-3968686040-3210279463-847977608-1001"
              }
            ],
            "repeated": 0,
            "id": 2482
          },
          {
            "timestamp": "2026-05-28 22:01:57,584",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005a4"
              },
              {
                "name": "ValueName",
                "value": "ProfileImagePath"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList\\S-1-5-21-3968686040-3210279463-847977608-1001\\ProfileImagePath"
              }
            ],
            "repeated": 0,
            "id": 2483
          },
          {
            "timestamp": "2026-05-28 22:01:57,584",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4106",
            "parentcaller": "0x7ff6c28d2e59",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc60389000"
              },
              {
                "name": "ModuleName",
                "value": "DUI70.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 2484
          },
          {
            "timestamp": "2026-05-28 22:01:57,584",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4106",
            "parentcaller": "0x7ff6c28d2e59",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "USER32.DLL"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc762a0000"
              }
            ],
            "repeated": 0,
            "id": 2485
          },
          {
            "timestamp": "2026-05-28 22:01:57,584",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005a4"
              },
              {
                "name": "ValueName",
                "value": "ProfileImagePath"
              },
              {
                "name": "Data",
                "value": "C:\\Users\\admin"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList\\S-1-5-21-3968686040-3210279463-847977608-1001\\ProfileImagePath"
              }
            ],
            "repeated": 0,
            "id": 2486
          },
          {
            "timestamp": "2026-05-28 22:01:57,584",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4106",
            "parentcaller": "0x7ff6c28d2e59",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "api-ms-win-core-memory-l1-1-2.DLL"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc756b0000"
              }
            ],
            "repeated": 0,
            "id": 2487
          },
          {
            "timestamp": "2026-05-28 22:01:57,584",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4106",
            "parentcaller": "0x7ff6c28d2e59",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "NTDLL.DLL"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc77fd0000"
              }
            ],
            "repeated": 0,
            "id": 2488
          },
          {
            "timestamp": "2026-05-28 22:01:57,584",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005a4"
              }
            ],
            "repeated": 0,
            "id": 2489
          },
          {
            "timestamp": "2026-05-28 22:01:57,584",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4106",
            "parentcaller": "0x7ff6c28d2e59",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "USER32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc762a0000"
              },
              {
                "name": "FunctionName",
                "value": "GetGUIThreadInfo"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc762d4010"
              }
            ],
            "repeated": 0,
            "id": 2490
          },
          {
            "timestamp": "2026-05-28 22:01:57,584",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005a8"
              }
            ],
            "repeated": 0,
            "id": 2491
          },
          {
            "timestamp": "2026-05-28 22:01:57,584",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4106",
            "parentcaller": "0x7ff6c28d2e59",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": false,
            "return": "0xffffffffc0000139",
            "pretty_return": "ENTRYPOINT_NOT_FOUND",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "USER32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc762a0000"
              },
              {
                "name": "FunctionName",
                "value": "GetAccCursorInfo"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 2492
          },
          {
            "timestamp": "2026-05-28 22:01:57,584",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              }
            ],
            "repeated": 0,
            "id": 2493
          },
          {
            "timestamp": "2026-05-28 22:01:57,584",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4106",
            "parentcaller": "0x7ff6c28d2e59",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "USER32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc762a0000"
              },
              {
                "name": "FunctionName",
                "value": "GetCursorInfo"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc762d3f90"
              }
            ],
            "repeated": 0,
            "id": 2494
          },
          {
            "timestamp": "2026-05-28 22:01:57,584",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4106",
            "parentcaller": "0x7ff6c28d2e59",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "USER32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc762a0000"
              },
              {
                "name": "FunctionName",
                "value": "GetWindowInfo"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc762b05c0"
              }
            ],
            "repeated": 0,
            "id": 2495
          },
          {
            "timestamp": "2026-05-28 22:01:57,584",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4106",
            "parentcaller": "0x7ff6c28d2e59",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "USER32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc762a0000"
              },
              {
                "name": "FunctionName",
                "value": "GetTitleBarInfo"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc762d42d0"
              }
            ],
            "repeated": 0,
            "id": 2496
          },
          {
            "timestamp": "2026-05-28 22:01:57,584",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc73f06000"
              },
              {
                "name": "ModuleName",
                "value": "windows.storage.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 2497
          },
          {
            "timestamp": "2026-05-28 22:01:57,584",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4106",
            "parentcaller": "0x7ff6c28d2e59",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "USER32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc762a0000"
              },
              {
                "name": "FunctionName",
                "value": "GetScrollBarInfo"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc762d4290"
              }
            ],
            "repeated": 0,
            "id": 2498
          },
          {
            "timestamp": "2026-05-28 22:01:57,584",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4106",
            "parentcaller": "0x7ff6c28d2e59",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "USER32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc762a0000"
              },
              {
                "name": "FunctionName",
                "value": "GetComboBoxInfo"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc762d3f60"
              }
            ],
            "repeated": 0,
            "id": 2499
          },
          {
            "timestamp": "2026-05-28 22:01:57,584",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc73f06000"
              },
              {
                "name": "ModuleName",
                "value": "windows.storage.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 2500
          },
          {
            "timestamp": "2026-05-28 22:01:57,584",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4106",
            "parentcaller": "0x7ff6c28d2e59",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "USER32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc762a0000"
              },
              {
                "name": "FunctionName",
                "value": "GetAncestor"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc762d3ef0"
              }
            ],
            "repeated": 0,
            "id": 2501
          },
          {
            "timestamp": "2026-05-28 22:01:57,584",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4106",
            "parentcaller": "0x7ff6c28d2e59",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "USER32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc762a0000"
              },
              {
                "name": "FunctionName",
                "value": "RealChildWindowFromPoint"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc762d48d0"
              }
            ],
            "repeated": 0,
            "id": 2502
          },
          {
            "timestamp": "2026-05-28 22:01:57,584",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4106",
            "parentcaller": "0x7ff6c28d2e59",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "USER32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc762a0000"
              },
              {
                "name": "FunctionName",
                "value": "RealGetWindowClassW"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc762c3e60"
              }
            ],
            "repeated": 0,
            "id": 2503
          },
          {
            "timestamp": "2026-05-28 22:01:57,584",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4106",
            "parentcaller": "0x7ff6c28d2e59",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "USER32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc762a0000"
              },
              {
                "name": "FunctionName",
                "value": "GetAltTabInfoW"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc76329ee0"
              }
            ],
            "repeated": 0,
            "id": 2504
          },
          {
            "timestamp": "2026-05-28 22:01:57,584",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "filesystem",
            "api": "CreateDirectoryW",
            "status": false,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "DirectoryName",
                "value": "C:\\Users\\admin"
              }
            ],
            "repeated": 0,
            "id": 2505
          },
          {
            "timestamp": "2026-05-28 22:01:57,584",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4106",
            "parentcaller": "0x7ff6c28d2e59",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "USER32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc762a0000"
              },
              {
                "name": "FunctionName",
                "value": "PhysicalToLogicalPointForPerMonitorDPI"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc762d4700"
              }
            ],
            "repeated": 0,
            "id": 2506
          },
          {
            "timestamp": "2026-05-28 22:01:57,584",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4106",
            "parentcaller": "0x7ff6c28d2e59",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "KERNELBASE.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc756b0000"
              },
              {
                "name": "FunctionName",
                "value": "GetModuleFileNameW"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc75710cd0"
              }
            ],
            "repeated": 0,
            "id": 2507
          },
          {
            "timestamp": "2026-05-28 22:01:57,584",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4106",
            "parentcaller": "0x7ff6c28d2e59",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc77fd0000"
              },
              {
                "name": "FunctionName",
                "value": "NtQueryInformationProcess"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc7806d2f0"
              }
            ],
            "repeated": 0,
            "id": 2508
          },
          {
            "timestamp": "2026-05-28 22:01:57,584",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4106",
            "parentcaller": "0x7ff6c28d2e59",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "OLEAUT32.DLL"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc77330000"
              }
            ],
            "repeated": 0,
            "id": 2509
          },
          {
            "timestamp": "2026-05-28 22:01:57,584",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4106",
            "parentcaller": "0x7ff6c28d2e59",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x7ffc77330000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "OLEAUT32.DLL"
              },
              {
                "name": "dwFlags",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 2510
          },
          {
            "timestamp": "2026-05-28 22:01:57,584",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4106",
            "parentcaller": "0x7ff6c28d2e59",
            "category": "synchronization",
            "api": "NtAddAtomEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "AtomName",
                "value": "ListBox"
              },
              {
                "name": "Atom",
                "value": "0x0000c026"
              }
            ],
            "repeated": 0,
            "id": 2511
          },
          {
            "timestamp": "2026-05-28 22:01:57,584",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4106",
            "parentcaller": "0x7ff6c28d2e59",
            "category": "synchronization",
            "api": "NtAddAtomEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "AtomName",
                "value": "#32768"
              },
              {
                "name": "Atom",
                "value": "0x00008000"
              }
            ],
            "repeated": 0,
            "id": 2512
          },
          {
            "timestamp": "2026-05-28 22:01:57,584",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4106",
            "parentcaller": "0x7ff6c28d2e59",
            "category": "synchronization",
            "api": "NtAddAtomEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "AtomName",
                "value": "Button"
              },
              {
                "name": "Atom",
                "value": "0x0000c027"
              }
            ],
            "repeated": 0,
            "id": 2513
          },
          {
            "timestamp": "2026-05-28 22:01:57,584",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4106",
            "parentcaller": "0x7ff6c28d2e59",
            "category": "synchronization",
            "api": "NtAddAtomEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "AtomName",
                "value": "Static"
              },
              {
                "name": "Atom",
                "value": "0x0000c028"
              }
            ],
            "repeated": 0,
            "id": 2514
          },
          {
            "timestamp": "2026-05-28 22:01:57,584",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4106",
            "parentcaller": "0x7ff6c28d2e59",
            "category": "synchronization",
            "api": "NtAddAtomEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "AtomName",
                "value": "Edit"
              },
              {
                "name": "Atom",
                "value": "0x0000c029"
              }
            ],
            "repeated": 0,
            "id": 2515
          },
          {
            "timestamp": "2026-05-28 22:01:57,584",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Users\\admin"
              }
            ],
            "repeated": 0,
            "id": 2516
          },
          {
            "timestamp": "2026-05-28 22:01:57,584",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4106",
            "parentcaller": "0x7ff6c28d2e59",
            "category": "synchronization",
            "api": "NtAddAtomEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "AtomName",
                "value": "msctls_progress32"
              },
              {
                "name": "Atom",
                "value": "0x0000c02f"
              }
            ],
            "repeated": 0,
            "id": 2517
          },
          {
            "timestamp": "2026-05-28 22:01:57,584",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 2518
          },
          {
            "timestamp": "2026-05-28 22:01:57,584",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4106",
            "parentcaller": "0x7ff6c28d2e59",
            "category": "synchronization",
            "api": "NtAddAtomEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "AtomName",
                "value": "SysAnimate32"
              },
              {
                "name": "Atom",
                "value": "0x0000c030"
              }
            ],
            "repeated": 0,
            "id": 2519
          },
          {
            "timestamp": "2026-05-28 22:01:57,584",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "filesystem",
            "api": "CreateDirectoryW",
            "status": false,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "DirectoryName",
                "value": "C:\\Users\\admin\\AppData\\Local"
              }
            ],
            "repeated": 0,
            "id": 2520
          },
          {
            "timestamp": "2026-05-28 22:01:57,584",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Users\\admin\\AppData\\Local"
              }
            ],
            "repeated": 0,
            "id": 2521
          },
          {
            "timestamp": "2026-05-28 22:01:57,584",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 2522
          },
          {
            "timestamp": "2026-05-28 22:01:57,584",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4106",
            "parentcaller": "0x7ff6c28d2e59",
            "category": "synchronization",
            "api": "NtAddAtomEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "AtomName",
                "value": "RichEdit20A"
              },
              {
                "name": "Atom",
                "value": "0x0000c03f"
              }
            ],
            "repeated": 0,
            "id": 2523
          },
          {
            "timestamp": "2026-05-28 22:01:57,584",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4106",
            "parentcaller": "0x7ff6c28d2e59",
            "category": "synchronization",
            "api": "NtAddAtomEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "AtomName",
                "value": "RichEdit20W"
              },
              {
                "name": "Atom",
                "value": "0x0000c040"
              }
            ],
            "repeated": 0,
            "id": 2524
          },
          {
            "timestamp": "2026-05-28 22:01:57,584",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76e57000"
              },
              {
                "name": "ModuleName",
                "value": "SHELL32.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 2525
          },
          {
            "timestamp": "2026-05-28 22:01:57,584",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4106",
            "parentcaller": "0x7ff6c28d2e59",
            "category": "synchronization",
            "api": "NtAddAtomEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "AtomName",
                "value": "SysIPAddress32"
              },
              {
                "name": "Atom",
                "value": "0x0000c041"
              }
            ],
            "repeated": 0,
            "id": 2526
          },
          {
            "timestamp": "2026-05-28 22:01:57,584",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76e57000"
              },
              {
                "name": "ModuleName",
                "value": "SHELL32.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 2527
          },
          {
            "timestamp": "2026-05-28 22:01:57,584",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "synchronization",
            "api": "NtCreateMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              },
              {
                "name": "MutexName",
                "value": ""
              },
              {
                "name": "InitialOwner",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 2528
          },
          {
            "timestamp": "2026-05-28 22:01:57,584",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4106",
            "parentcaller": "0x7ff6c28d2e59",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000000",
                "pretty_value": "HKEY_CLASSES_ROOT"
              },
              {
                "name": "SubKey",
                "value": "Interface\\{618736E0-3C3D-11CF-810C-00AA00389B71}\\ProxyStubClsid32"
              },
              {
                "name": "Handle",
                "value": "0x000005ba"
              },
              {
                "name": "FullName",
                "value": "HKEY_CLASSES_ROOT\\Interface\\{618736E0-3C3D-11CF-810C-00AA00389B71}\\ProxyStubClsid32"
              }
            ],
            "repeated": 0,
            "id": 2529
          },
          {
            "timestamp": "2026-05-28 22:01:57,584",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4106",
            "parentcaller": "0x7ff6c28d2e59",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005ba"
              },
              {
                "name": "ValueName",
                "value": ""
              },
              {
                "name": "Data",
                "value": "{03022430-ABC4-11D0-BDE2-00AA001A1953}"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{618736E0-3C3D-11CF-810C-00AA00389B71}\\ProxyStubClsid32\\(Default)"
              }
            ],
            "repeated": 0,
            "id": 2530
          },
          {
            "timestamp": "2026-05-28 22:01:57,584",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4106",
            "parentcaller": "0x7ff6c28d2e59",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005ba"
              }
            ],
            "repeated": 0,
            "id": 2531
          },
          {
            "timestamp": "2026-05-28 22:01:57,584",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000005a8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Users\\admin\\AppData\\Local\\IconCache.db"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "1",
                "pretty_value": "FILE_SHARE_READ"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 2532
          },
          {
            "timestamp": "2026-05-28 22:01:57,584",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29253b9d000"
              },
              {
                "name": "RegionSize",
                "value": "0x00002000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 2533
          },
          {
            "timestamp": "2026-05-28 22:01:57,584",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 2534
          },
          {
            "timestamp": "2026-05-28 22:01:57,584",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 2535
          },
          {
            "timestamp": "2026-05-28 22:01:57,584",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "synchronization",
            "api": "NtReleaseMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              }
            ],
            "repeated": 0,
            "id": 2536
          },
          {
            "timestamp": "2026-05-28 22:01:57,584",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4106",
            "parentcaller": "0x7ff6c28d2e59",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000005b8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100001",
                "pretty_value": "FILE_READ_ACCESS|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\en-US\\OLEACCRC.DLL.mui"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 2537
          },
          {
            "timestamp": "2026-05-28 22:01:57,584",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "filesystem",
            "api": "NtReadFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000005a8"
              },
              {
                "name": "HandleName",
                "value": "C:\\Users\\admin\\AppData\\Local\\IconCache.db"
              },
              {
                "name": "Buffer",
                "value": "H\\x00\\x00\\x00Win4\\x06\\x05\\x00\\x00Z)\\x00\\x00 \\x00\\x00\\x00 \\x00\\x00\\x00 \\x00\\x00\\x00 \\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x10\\x00\\x00\\x000\\x00\\x00\\x000\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x0c\\x00\\x00\\x00\\x0c\\x00\\x00\\x00s\\x00\\x00\\x00\\x81\\x00 \\x00c\\x00:\\x00\\\\x00w\\x00i\\x00n\\x00d\\x00o\\x00w\\x00s\\x00\\\\x00s\\x00y\\x00s\\x00t\\x00e\\x00m\\x003\\x002\\x00\\\\x00i\\x00m\\x00a\\x00g\\x00e\\x00r\\x00e\\x00s\\x00.\\x00d\\x00l\\x00l\\x00\\xfe\\xff\\xff\\xff\\x81\\x00 \\x00c\\x00:\\x00\\\\x00w\\x00i\\x00n\\x00d\\x00o\\x00w\\x00s\\x00\\\\x00s\\x00y\\x00s\\x00t\\x00e\\x00m\\x003\\x002\\x00\\\\x00i\\x00m\\x00a\\x00g\\x00e\\x00r\\x00e\\x00s\\x00.\\x00d\\x00l\\x00l\\x00\\xa6\\xff\\xff\\xff\\x81\\x00 \\x00c\\x00:\\x00\\\\x00w\\x00i\\x00n\\x00d\\x00o\\x00w\\x00s\\x00\\\\x00s\\x00y\\x00s\\x00t\\x00e\\x00"
              },
              {
                "name": "Length",
                "value": "4096"
              }
            ],
            "repeated": 0,
            "id": 2538
          },
          {
            "timestamp": "2026-05-28 22:01:57,584",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4106",
            "parentcaller": "0x7ff6c28d2e59",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x000005a4"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254360000"
              },
              {
                "name": "SectionOffset",
                "value": "0xf09d76df30"
              },
              {
                "name": "ViewSize",
                "value": "0x00005000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 2539
          },
          {
            "timestamp": "2026-05-28 22:01:57,584",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 2540
          },
          {
            "timestamp": "2026-05-28 22:01:57,584",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 2541
          },
          {
            "timestamp": "2026-05-28 22:01:57,584",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "synchronization",
            "api": "NtReleaseMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              }
            ],
            "repeated": 0,
            "id": 2542
          },
          {
            "timestamp": "2026-05-28 22:01:57,584",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4106",
            "parentcaller": "0x7ff6c28d2e59",
            "category": "misc",
            "api": "FindResourceExW",
            "status": true,
            "return": "0x2924e1b1ef8",
            "arguments": [
              {
                "name": "Module",
                "value": "0x7ff6c28b0000"
              },
              {
                "name": "Type",
                "value": "#6"
              },
              {
                "name": "Name",
                "value": "#2407"
              },
              {
                "name": "Language",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 2543
          },
          {
            "timestamp": "2026-05-28 22:01:57,584",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "synchronization",
            "api": "NtReleaseMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              }
            ],
            "repeated": 0,
            "id": 2544
          },
          {
            "timestamp": "2026-05-28 22:01:57,584",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4106",
            "parentcaller": "0x7ff6c28d2e59",
            "category": "misc",
            "api": "LoadResource",
            "status": true,
            "return": "0x2924e1bd0d4",
            "arguments": [
              {
                "name": "Module",
                "value": "0x7ff6c28b0000"
              },
              {
                "name": "ResourceInfo",
                "value": "0x2924e1b1ef8"
              }
            ],
            "repeated": 0,
            "id": 2545
          },
          {
            "timestamp": "2026-05-28 22:01:57,584",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              },
              {
                "name": "Milliseconds",
                "value": "18446744073709551615"
              },
              {
                "name": "Status",
                "value": "Infinite"
              }
            ],
            "repeated": 0,
            "id": 2546
          },
          {
            "timestamp": "2026-05-28 22:01:57,584",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 2547
          },
          {
            "timestamp": "2026-05-28 22:01:57,584",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 2548
          },
          {
            "timestamp": "2026-05-28 22:01:57,584",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "synchronization",
            "api": "NtReleaseMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              }
            ],
            "repeated": 0,
            "id": 2549
          },
          {
            "timestamp": "2026-05-28 22:01:57,584",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 2550
          },
          {
            "timestamp": "2026-05-28 22:01:57,584",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 2551
          },
          {
            "timestamp": "2026-05-28 22:01:57,584",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "synchronization",
            "api": "NtReleaseMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              }
            ],
            "repeated": 1,
            "id": 2552
          },
          {
            "timestamp": "2026-05-28 22:01:57,584",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              },
              {
                "name": "Milliseconds",
                "value": "18446744073709551615"
              },
              {
                "name": "Status",
                "value": "Infinite"
              }
            ],
            "repeated": 0,
            "id": 2553
          },
          {
            "timestamp": "2026-05-28 22:01:57,584",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4106",
            "parentcaller": "0x7ff6c28d2e59",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254152000"
              },
              {
                "name": "RegionSize",
                "value": "0x00003000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 2554
          },
          {
            "timestamp": "2026-05-28 22:01:57,584",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 2555
          },
          {
            "timestamp": "2026-05-28 22:01:57,584",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 2556
          },
          {
            "timestamp": "2026-05-28 22:01:57,584",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "synchronization",
            "api": "NtReleaseMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              }
            ],
            "repeated": 0,
            "id": 2557
          },
          {
            "timestamp": "2026-05-28 22:01:57,584",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 2558
          },
          {
            "timestamp": "2026-05-28 22:01:57,584",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 2559
          },
          {
            "timestamp": "2026-05-28 22:01:57,584",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4106",
            "parentcaller": "0x7ff6c28d2e59",
            "category": "misc",
            "api": "FindResourceExW",
            "status": true,
            "return": "0x2924e1b1bb8",
            "arguments": [
              {
                "name": "Module",
                "value": "0x7ff6c28b0000"
              },
              {
                "name": "Type",
                "value": "#6"
              },
              {
                "name": "Name",
                "value": "#2092"
              },
              {
                "name": "Language",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 2560
          },
          {
            "timestamp": "2026-05-28 22:01:57,584",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "synchronization",
            "api": "NtReleaseMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              }
            ],
            "repeated": 1,
            "id": 2561
          },
          {
            "timestamp": "2026-05-28 22:01:57,584",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4106",
            "parentcaller": "0x7ff6c28d2e59",
            "category": "misc",
            "api": "LoadResource",
            "status": true,
            "return": "0x2924e1b8c6c",
            "arguments": [
              {
                "name": "Module",
                "value": "0x7ff6c28b0000"
              },
              {
                "name": "ResourceInfo",
                "value": "0x2924e1b1bb8"
              }
            ],
            "repeated": 0,
            "id": 2562
          },
          {
            "timestamp": "2026-05-28 22:01:57,584",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              },
              {
                "name": "Milliseconds",
                "value": "18446744073709551615"
              },
              {
                "name": "Status",
                "value": "Infinite"
              }
            ],
            "repeated": 0,
            "id": 2563
          },
          {
            "timestamp": "2026-05-28 22:01:57,584",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 2564
          },
          {
            "timestamp": "2026-05-28 22:01:57,584",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 2565
          },
          {
            "timestamp": "2026-05-28 22:01:57,584",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "synchronization",
            "api": "NtReleaseMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              }
            ],
            "repeated": 0,
            "id": 2566
          },
          {
            "timestamp": "2026-05-28 22:01:57,584",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4106",
            "parentcaller": "0x7ff6c28d2e59",
            "category": "misc",
            "api": "FindResourceExW",
            "status": true,
            "return": "0x2924e1b1bb8",
            "arguments": [
              {
                "name": "Module",
                "value": "0x7ff6c28b0000"
              },
              {
                "name": "Type",
                "value": "#6"
              },
              {
                "name": "Name",
                "value": "#2092"
              },
              {
                "name": "Language",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 2567
          },
          {
            "timestamp": "2026-05-28 22:01:57,584",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 2568
          },
          {
            "timestamp": "2026-05-28 22:01:57,584",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 2569
          },
          {
            "timestamp": "2026-05-28 22:01:57,584",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "synchronization",
            "api": "NtReleaseMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              }
            ],
            "repeated": 0,
            "id": 2570
          },
          {
            "timestamp": "2026-05-28 22:01:57,584",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4106",
            "parentcaller": "0x7ff6c28d2e59",
            "category": "misc",
            "api": "LoadResource",
            "status": true,
            "return": "0x2924e1b8c6c",
            "arguments": [
              {
                "name": "Module",
                "value": "0x7ff6c28b0000"
              },
              {
                "name": "ResourceInfo",
                "value": "0x2924e1b1bb8"
              }
            ],
            "repeated": 0,
            "id": 2571
          },
          {
            "timestamp": "2026-05-28 22:01:57,584",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "synchronization",
            "api": "NtReleaseMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              }
            ],
            "repeated": 0,
            "id": 2572
          },
          {
            "timestamp": "2026-05-28 22:01:57,584",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              },
              {
                "name": "Milliseconds",
                "value": "18446744073709551615"
              },
              {
                "name": "Status",
                "value": "Infinite"
              }
            ],
            "repeated": 0,
            "id": 2573
          },
          {
            "timestamp": "2026-05-28 22:01:57,584",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 2574
          },
          {
            "timestamp": "2026-05-28 22:01:57,584",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 2575
          },
          {
            "timestamp": "2026-05-28 22:01:57,584",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "synchronization",
            "api": "NtReleaseMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              }
            ],
            "repeated": 0,
            "id": 2576
          },
          {
            "timestamp": "2026-05-28 22:01:57,584",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4106",
            "parentcaller": "0x7ff6c28d2e59",
            "category": "misc",
            "api": "LoadResource",
            "status": true,
            "return": "0x2924e1b8c6c",
            "arguments": [
              {
                "name": "Module",
                "value": "0x7ff6c28b0000"
              },
              {
                "name": "ResourceInfo",
                "value": "0x2924e1b1bb8"
              }
            ],
            "repeated": 0,
            "id": 2577
          },
          {
            "timestamp": "2026-05-28 22:01:57,584",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 2578
          },
          {
            "timestamp": "2026-05-28 22:01:57,584",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 2579
          },
          {
            "timestamp": "2026-05-28 22:01:57,584",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "synchronization",
            "api": "NtReleaseMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              }
            ],
            "repeated": 1,
            "id": 2580
          },
          {
            "timestamp": "2026-05-28 22:01:57,584",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              },
              {
                "name": "Milliseconds",
                "value": "18446744073709551615"
              },
              {
                "name": "Status",
                "value": "Infinite"
              }
            ],
            "repeated": 0,
            "id": 2581
          },
          {
            "timestamp": "2026-05-28 22:01:57,584",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4106",
            "parentcaller": "0x7ff6c28d2e59",
            "category": "misc",
            "api": "FindResourceExW",
            "status": true,
            "return": "0x2924e1b1bb8",
            "arguments": [
              {
                "name": "Module",
                "value": "0x7ff6c28b0000"
              },
              {
                "name": "Type",
                "value": "#6"
              },
              {
                "name": "Name",
                "value": "#2092"
              },
              {
                "name": "Language",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 2582
          },
          {
            "timestamp": "2026-05-28 22:01:57,584",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4106",
            "parentcaller": "0x7ff6c28d2e59",
            "category": "misc",
            "api": "LoadResource",
            "status": true,
            "return": "0x2924e1b8c6c",
            "arguments": [
              {
                "name": "Module",
                "value": "0x7ff6c28b0000"
              },
              {
                "name": "ResourceInfo",
                "value": "0x2924e1b1bb8"
              }
            ],
            "repeated": 0,
            "id": 2583
          },
          {
            "timestamp": "2026-05-28 22:01:57,584",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 2584
          },
          {
            "timestamp": "2026-05-28 22:01:57,584",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 2585
          },
          {
            "timestamp": "2026-05-28 22:01:57,584",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "synchronization",
            "api": "NtReleaseMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              }
            ],
            "repeated": 0,
            "id": 2586
          },
          {
            "timestamp": "2026-05-28 22:01:57,584",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 2587
          },
          {
            "timestamp": "2026-05-28 22:01:57,584",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 2588
          },
          {
            "timestamp": "2026-05-28 22:01:57,584",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4106",
            "parentcaller": "0x7ff6c28d2e59",
            "category": "misc",
            "api": "FindResourceExW",
            "status": true,
            "return": "0x2924e1b1bb8",
            "arguments": [
              {
                "name": "Module",
                "value": "0x7ff6c28b0000"
              },
              {
                "name": "Type",
                "value": "#6"
              },
              {
                "name": "Name",
                "value": "#2092"
              },
              {
                "name": "Language",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 2589
          },
          {
            "timestamp": "2026-05-28 22:01:57,584",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "synchronization",
            "api": "NtReleaseMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              }
            ],
            "repeated": 1,
            "id": 2590
          },
          {
            "timestamp": "2026-05-28 22:01:57,584",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4106",
            "parentcaller": "0x7ff6c28d2e59",
            "category": "misc",
            "api": "LoadResource",
            "status": true,
            "return": "0x2924e1b8c6c",
            "arguments": [
              {
                "name": "Module",
                "value": "0x7ff6c28b0000"
              },
              {
                "name": "ResourceInfo",
                "value": "0x2924e1b1bb8"
              }
            ],
            "repeated": 0,
            "id": 2591
          },
          {
            "timestamp": "2026-05-28 22:01:57,584",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              },
              {
                "name": "Milliseconds",
                "value": "18446744073709551615"
              },
              {
                "name": "Status",
                "value": "Infinite"
              }
            ],
            "repeated": 0,
            "id": 2592
          },
          {
            "timestamp": "2026-05-28 22:01:57,584",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4106",
            "parentcaller": "0x7ff6c28d2e59",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254155000"
              },
              {
                "name": "RegionSize",
                "value": "0x00003000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 2593
          },
          {
            "timestamp": "2026-05-28 22:01:57,584",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 2594
          },
          {
            "timestamp": "2026-05-28 22:01:57,584",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 2595
          },
          {
            "timestamp": "2026-05-28 22:01:57,584",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "synchronization",
            "api": "NtReleaseMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              }
            ],
            "repeated": 0,
            "id": 2596
          },
          {
            "timestamp": "2026-05-28 22:01:57,584",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 2597
          },
          {
            "timestamp": "2026-05-28 22:01:57,584",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 2598
          },
          {
            "timestamp": "2026-05-28 22:01:57,584",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4106",
            "parentcaller": "0x7ff6c28d2e59",
            "category": "misc",
            "api": "FindResourceExW",
            "status": true,
            "return": "0x2924e1b1bb8",
            "arguments": [
              {
                "name": "Module",
                "value": "0x7ff6c28b0000"
              },
              {
                "name": "Type",
                "value": "#6"
              },
              {
                "name": "Name",
                "value": "#2092"
              },
              {
                "name": "Language",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 2599
          },
          {
            "timestamp": "2026-05-28 22:01:57,584",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "synchronization",
            "api": "NtReleaseMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              }
            ],
            "repeated": 0,
            "id": 2600
          },
          {
            "timestamp": "2026-05-28 22:01:57,584",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4106",
            "parentcaller": "0x7ff6c28d2e59",
            "category": "misc",
            "api": "LoadResource",
            "status": true,
            "return": "0x2924e1b8c6c",
            "arguments": [
              {
                "name": "Module",
                "value": "0x7ff6c28b0000"
              },
              {
                "name": "ResourceInfo",
                "value": "0x2924e1b1bb8"
              }
            ],
            "repeated": 0,
            "id": 2601
          },
          {
            "timestamp": "2026-05-28 22:01:57,584",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "synchronization",
            "api": "NtReleaseMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              }
            ],
            "repeated": 0,
            "id": 2602
          },
          {
            "timestamp": "2026-05-28 22:01:57,584",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              },
              {
                "name": "Milliseconds",
                "value": "18446744073709551615"
              },
              {
                "name": "Status",
                "value": "Infinite"
              }
            ],
            "repeated": 0,
            "id": 2603
          },
          {
            "timestamp": "2026-05-28 22:01:57,584",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4106",
            "parentcaller": "0x7ff6c28d2e59",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254158000"
              },
              {
                "name": "RegionSize",
                "value": "0x00003000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 2604
          },
          {
            "timestamp": "2026-05-28 22:01:57,584",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 2605
          },
          {
            "timestamp": "2026-05-28 22:01:57,584",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 2606
          },
          {
            "timestamp": "2026-05-28 22:01:57,584",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "synchronization",
            "api": "NtReleaseMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              }
            ],
            "repeated": 0,
            "id": 2607
          },
          {
            "timestamp": "2026-05-28 22:01:57,584",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4106",
            "parentcaller": "0x7ff6c28d2e59",
            "category": "misc",
            "api": "FindResourceExW",
            "status": true,
            "return": "0x2924e1b1bb8",
            "arguments": [
              {
                "name": "Module",
                "value": "0x7ff6c28b0000"
              },
              {
                "name": "Type",
                "value": "#6"
              },
              {
                "name": "Name",
                "value": "#2092"
              },
              {
                "name": "Language",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 2608
          },
          {
            "timestamp": "2026-05-28 22:01:57,584",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 2609
          },
          {
            "timestamp": "2026-05-28 22:01:57,584",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 2610
          },
          {
            "timestamp": "2026-05-28 22:01:57,584",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4106",
            "parentcaller": "0x7ff6c28d2e59",
            "category": "misc",
            "api": "LoadResource",
            "status": true,
            "return": "0x2924e1b8c6c",
            "arguments": [
              {
                "name": "Module",
                "value": "0x7ff6c28b0000"
              },
              {
                "name": "ResourceInfo",
                "value": "0x2924e1b1bb8"
              }
            ],
            "repeated": 0,
            "id": 2611
          },
          {
            "timestamp": "2026-05-28 22:01:57,584",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "synchronization",
            "api": "NtReleaseMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              }
            ],
            "repeated": 1,
            "id": 2612
          },
          {
            "timestamp": "2026-05-28 22:01:57,584",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              },
              {
                "name": "Milliseconds",
                "value": "18446744073709551615"
              },
              {
                "name": "Status",
                "value": "Infinite"
              }
            ],
            "repeated": 0,
            "id": 2613
          },
          {
            "timestamp": "2026-05-28 22:01:57,584",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 2614
          },
          {
            "timestamp": "2026-05-28 22:01:57,584",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 2615
          },
          {
            "timestamp": "2026-05-28 22:01:57,584",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "synchronization",
            "api": "NtReleaseMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              }
            ],
            "repeated": 0,
            "id": 2616
          },
          {
            "timestamp": "2026-05-28 22:01:57,584",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 2617
          },
          {
            "timestamp": "2026-05-28 22:01:57,584",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 2618
          },
          {
            "timestamp": "2026-05-28 22:01:57,584",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "synchronization",
            "api": "NtReleaseMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              }
            ],
            "repeated": 1,
            "id": 2619
          },
          {
            "timestamp": "2026-05-28 22:01:57,584",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              },
              {
                "name": "Milliseconds",
                "value": "18446744073709551615"
              },
              {
                "name": "Status",
                "value": "Infinite"
              }
            ],
            "repeated": 0,
            "id": 2620
          },
          {
            "timestamp": "2026-05-28 22:01:57,584",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 2621
          },
          {
            "timestamp": "2026-05-28 22:01:57,584",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 2622
          },
          {
            "timestamp": "2026-05-28 22:01:57,584",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "synchronization",
            "api": "NtReleaseMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              }
            ],
            "repeated": 0,
            "id": 2623
          },
          {
            "timestamp": "2026-05-28 22:01:57,584",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 2624
          },
          {
            "timestamp": "2026-05-28 22:01:57,584",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 2625
          },
          {
            "timestamp": "2026-05-28 22:01:57,584",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "synchronization",
            "api": "NtReleaseMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              }
            ],
            "repeated": 1,
            "id": 2626
          },
          {
            "timestamp": "2026-05-28 22:01:57,584",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              },
              {
                "name": "Milliseconds",
                "value": "18446744073709551615"
              },
              {
                "name": "Status",
                "value": "Infinite"
              }
            ],
            "repeated": 0,
            "id": 2627
          },
          {
            "timestamp": "2026-05-28 22:01:57,584",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 2628
          },
          {
            "timestamp": "2026-05-28 22:01:57,584",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 2629
          },
          {
            "timestamp": "2026-05-28 22:01:57,584",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "synchronization",
            "api": "NtReleaseMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              }
            ],
            "repeated": 0,
            "id": 2630
          },
          {
            "timestamp": "2026-05-28 22:01:57,584",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 2631
          },
          {
            "timestamp": "2026-05-28 22:01:57,584",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 2632
          },
          {
            "timestamp": "2026-05-28 22:01:57,584",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "synchronization",
            "api": "NtReleaseMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              }
            ],
            "repeated": 1,
            "id": 2633
          },
          {
            "timestamp": "2026-05-28 22:01:57,584",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              },
              {
                "name": "Milliseconds",
                "value": "18446744073709551615"
              },
              {
                "name": "Status",
                "value": "Infinite"
              }
            ],
            "repeated": 0,
            "id": 2634
          },
          {
            "timestamp": "2026-05-28 22:01:57,584",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 2635
          },
          {
            "timestamp": "2026-05-28 22:01:57,584",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 2636
          },
          {
            "timestamp": "2026-05-28 22:01:57,584",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "synchronization",
            "api": "NtReleaseMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              }
            ],
            "repeated": 0,
            "id": 2637
          },
          {
            "timestamp": "2026-05-28 22:01:57,584",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 2638
          },
          {
            "timestamp": "2026-05-28 22:01:57,584",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 2639
          },
          {
            "timestamp": "2026-05-28 22:01:57,584",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "synchronization",
            "api": "NtReleaseMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              }
            ],
            "repeated": 1,
            "id": 2640
          },
          {
            "timestamp": "2026-05-28 22:01:57,584",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              },
              {
                "name": "Milliseconds",
                "value": "18446744073709551615"
              },
              {
                "name": "Status",
                "value": "Infinite"
              }
            ],
            "repeated": 0,
            "id": 2641
          },
          {
            "timestamp": "2026-05-28 22:01:57,584",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 2642
          },
          {
            "timestamp": "2026-05-28 22:01:57,584",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 2643
          },
          {
            "timestamp": "2026-05-28 22:01:57,584",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "synchronization",
            "api": "NtReleaseMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              }
            ],
            "repeated": 0,
            "id": 2644
          },
          {
            "timestamp": "2026-05-28 22:01:57,584",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 2645
          },
          {
            "timestamp": "2026-05-28 22:01:57,584",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 2646
          },
          {
            "timestamp": "2026-05-28 22:01:57,584",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "synchronization",
            "api": "NtReleaseMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              }
            ],
            "repeated": 1,
            "id": 2647
          },
          {
            "timestamp": "2026-05-28 22:01:57,584",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              },
              {
                "name": "Milliseconds",
                "value": "18446744073709551615"
              },
              {
                "name": "Status",
                "value": "Infinite"
              }
            ],
            "repeated": 0,
            "id": 2648
          },
          {
            "timestamp": "2026-05-28 22:01:57,584",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 2649
          },
          {
            "timestamp": "2026-05-28 22:01:57,584",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 2650
          },
          {
            "timestamp": "2026-05-28 22:01:57,584",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "synchronization",
            "api": "NtReleaseMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              }
            ],
            "repeated": 0,
            "id": 2651
          },
          {
            "timestamp": "2026-05-28 22:01:57,584",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 2652
          },
          {
            "timestamp": "2026-05-28 22:01:57,584",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 2653
          },
          {
            "timestamp": "2026-05-28 22:01:57,584",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "synchronization",
            "api": "NtReleaseMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              }
            ],
            "repeated": 0,
            "id": 2654
          },
          {
            "timestamp": "2026-05-28 22:01:57,584",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              },
              {
                "name": "Milliseconds",
                "value": "18446744073709551615"
              },
              {
                "name": "Status",
                "value": "Infinite"
              }
            ],
            "repeated": 0,
            "id": 2655
          },
          {
            "timestamp": "2026-05-28 22:01:57,584",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 2656
          },
          {
            "timestamp": "2026-05-28 22:01:57,584",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 2657
          },
          {
            "timestamp": "2026-05-28 22:01:57,584",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "synchronization",
            "api": "NtReleaseMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              }
            ],
            "repeated": 0,
            "id": 2658
          },
          {
            "timestamp": "2026-05-28 22:01:57,584",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4106",
            "parentcaller": "0x7ff6c28d2e59",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00000042"
              },
              {
                "name": "uiParam",
                "value": "0x00000010"
              }
            ],
            "repeated": 0,
            "id": 2659
          },
          {
            "timestamp": "2026-05-28 22:01:57,584",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "synchronization",
            "api": "NtReleaseMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              }
            ],
            "repeated": 1,
            "id": 2660
          },
          {
            "timestamp": "2026-05-28 22:01:57,584",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              },
              {
                "name": "Milliseconds",
                "value": "18446744073709551615"
              },
              {
                "name": "Status",
                "value": "Infinite"
              }
            ],
            "repeated": 0,
            "id": 2661
          },
          {
            "timestamp": "2026-05-28 22:01:57,584",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 2662
          },
          {
            "timestamp": "2026-05-28 22:01:57,584",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 2663
          },
          {
            "timestamp": "2026-05-28 22:01:57,584",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "synchronization",
            "api": "NtReleaseMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              }
            ],
            "repeated": 0,
            "id": 2664
          },
          {
            "timestamp": "2026-05-28 22:01:57,584",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 2665
          },
          {
            "timestamp": "2026-05-28 22:01:57,584",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 2666
          },
          {
            "timestamp": "2026-05-28 22:01:57,584",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "synchronization",
            "api": "NtReleaseMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              }
            ],
            "repeated": 1,
            "id": 2667
          },
          {
            "timestamp": "2026-05-28 22:01:57,584",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4106",
            "parentcaller": "0x7ff6c28d2e59",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00000042"
              },
              {
                "name": "uiParam",
                "value": "0x00000010"
              }
            ],
            "repeated": 0,
            "id": 2668
          },
          {
            "timestamp": "2026-05-28 22:01:57,584",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              },
              {
                "name": "Milliseconds",
                "value": "18446744073709551615"
              },
              {
                "name": "Status",
                "value": "Infinite"
              }
            ],
            "repeated": 0,
            "id": 2669
          },
          {
            "timestamp": "2026-05-28 22:01:57,584",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 2670
          },
          {
            "timestamp": "2026-05-28 22:01:57,584",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 2671
          },
          {
            "timestamp": "2026-05-28 22:01:57,584",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "synchronization",
            "api": "NtReleaseMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              }
            ],
            "repeated": 0,
            "id": 2672
          },
          {
            "timestamp": "2026-05-28 22:01:57,584",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 2673
          },
          {
            "timestamp": "2026-05-28 22:01:57,584",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 2674
          },
          {
            "timestamp": "2026-05-28 22:01:57,584",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "synchronization",
            "api": "NtReleaseMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              }
            ],
            "repeated": 1,
            "id": 2675
          },
          {
            "timestamp": "2026-05-28 22:01:57,584",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              },
              {
                "name": "Milliseconds",
                "value": "18446744073709551615"
              },
              {
                "name": "Status",
                "value": "Infinite"
              }
            ],
            "repeated": 0,
            "id": 2676
          },
          {
            "timestamp": "2026-05-28 22:01:57,584",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 2677
          },
          {
            "timestamp": "2026-05-28 22:01:57,584",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 2678
          },
          {
            "timestamp": "2026-05-28 22:01:57,584",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "synchronization",
            "api": "NtReleaseMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              }
            ],
            "repeated": 0,
            "id": 2679
          },
          {
            "timestamp": "2026-05-28 22:01:57,584",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4106",
            "parentcaller": "0x7ff6c28d2e59",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00000042"
              },
              {
                "name": "uiParam",
                "value": "0x00000010"
              }
            ],
            "repeated": 0,
            "id": 2680
          },
          {
            "timestamp": "2026-05-28 22:01:57,584",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 2681
          },
          {
            "timestamp": "2026-05-28 22:01:57,584",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 2682
          },
          {
            "timestamp": "2026-05-28 22:01:57,584",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "synchronization",
            "api": "NtReleaseMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              }
            ],
            "repeated": 1,
            "id": 2683
          },
          {
            "timestamp": "2026-05-28 22:01:57,584",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              },
              {
                "name": "Milliseconds",
                "value": "18446744073709551615"
              },
              {
                "name": "Status",
                "value": "Infinite"
              }
            ],
            "repeated": 0,
            "id": 2684
          },
          {
            "timestamp": "2026-05-28 22:01:57,584",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 2685
          },
          {
            "timestamp": "2026-05-28 22:01:57,584",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 2686
          },
          {
            "timestamp": "2026-05-28 22:01:57,584",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "synchronization",
            "api": "NtReleaseMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              }
            ],
            "repeated": 0,
            "id": 2687
          },
          {
            "timestamp": "2026-05-28 22:01:57,584",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 2688
          },
          {
            "timestamp": "2026-05-28 22:01:57,584",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 2689
          },
          {
            "timestamp": "2026-05-28 22:01:57,584",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "synchronization",
            "api": "NtReleaseMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              }
            ],
            "repeated": 0,
            "id": 2690
          },
          {
            "timestamp": "2026-05-28 22:01:57,584",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              },
              {
                "name": "Milliseconds",
                "value": "18446744073709551615"
              },
              {
                "name": "Status",
                "value": "Infinite"
              }
            ],
            "repeated": 0,
            "id": 2691
          },
          {
            "timestamp": "2026-05-28 22:01:57,584",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4106",
            "parentcaller": "0x7ff6c28d2e59",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00000042"
              },
              {
                "name": "uiParam",
                "value": "0x00000010"
              }
            ],
            "repeated": 0,
            "id": 2692
          },
          {
            "timestamp": "2026-05-28 22:01:57,584",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 2693
          },
          {
            "timestamp": "2026-05-28 22:01:57,584",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 2694
          },
          {
            "timestamp": "2026-05-28 22:01:57,584",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "synchronization",
            "api": "NtReleaseMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              }
            ],
            "repeated": 0,
            "id": 2695
          },
          {
            "timestamp": "2026-05-28 22:01:57,584",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 2696
          },
          {
            "timestamp": "2026-05-28 22:01:57,584",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 2697
          },
          {
            "timestamp": "2026-05-28 22:01:57,584",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "synchronization",
            "api": "NtReleaseMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              }
            ],
            "repeated": 1,
            "id": 2698
          },
          {
            "timestamp": "2026-05-28 22:01:57,584",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              },
              {
                "name": "Milliseconds",
                "value": "18446744073709551615"
              },
              {
                "name": "Status",
                "value": "Infinite"
              }
            ],
            "repeated": 0,
            "id": 2699
          },
          {
            "timestamp": "2026-05-28 22:01:57,584",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 2700
          },
          {
            "timestamp": "2026-05-28 22:01:57,584",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 2701
          },
          {
            "timestamp": "2026-05-28 22:01:57,584",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "synchronization",
            "api": "NtReleaseMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              }
            ],
            "repeated": 0,
            "id": 2702
          },
          {
            "timestamp": "2026-05-28 22:01:57,584",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4106",
            "parentcaller": "0x7ff6c28d2e59",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00000042"
              },
              {
                "name": "uiParam",
                "value": "0x00000010"
              }
            ],
            "repeated": 0,
            "id": 2703
          },
          {
            "timestamp": "2026-05-28 22:01:57,584",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 2704
          },
          {
            "timestamp": "2026-05-28 22:01:57,584",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 2705
          },
          {
            "timestamp": "2026-05-28 22:01:57,584",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "synchronization",
            "api": "NtReleaseMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              }
            ],
            "repeated": 1,
            "id": 2706
          },
          {
            "timestamp": "2026-05-28 22:01:57,584",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              },
              {
                "name": "Milliseconds",
                "value": "18446744073709551615"
              },
              {
                "name": "Status",
                "value": "Infinite"
              }
            ],
            "repeated": 0,
            "id": 2707
          },
          {
            "timestamp": "2026-05-28 22:01:57,584",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 2708
          },
          {
            "timestamp": "2026-05-28 22:01:57,584",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 2709
          },
          {
            "timestamp": "2026-05-28 22:01:57,584",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "synchronization",
            "api": "NtReleaseMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              }
            ],
            "repeated": 0,
            "id": 2710
          },
          {
            "timestamp": "2026-05-28 22:01:57,584",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4106",
            "parentcaller": "0x7ff6c28d2e59",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00000042"
              },
              {
                "name": "uiParam",
                "value": "0x00000010"
              }
            ],
            "repeated": 0,
            "id": 2711
          },
          {
            "timestamp": "2026-05-28 22:01:57,584",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 2712
          },
          {
            "timestamp": "2026-05-28 22:01:57,584",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 2713
          },
          {
            "timestamp": "2026-05-28 22:01:57,584",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "synchronization",
            "api": "NtReleaseMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              }
            ],
            "repeated": 1,
            "id": 2714
          },
          {
            "timestamp": "2026-05-28 22:01:57,584",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              },
              {
                "name": "Milliseconds",
                "value": "18446744073709551615"
              },
              {
                "name": "Status",
                "value": "Infinite"
              }
            ],
            "repeated": 0,
            "id": 2715
          },
          {
            "timestamp": "2026-05-28 22:01:57,584",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 2716
          },
          {
            "timestamp": "2026-05-28 22:01:57,584",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 2717
          },
          {
            "timestamp": "2026-05-28 22:01:57,584",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "synchronization",
            "api": "NtReleaseMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              }
            ],
            "repeated": 0,
            "id": 2718
          },
          {
            "timestamp": "2026-05-28 22:01:57,584",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 2719
          },
          {
            "timestamp": "2026-05-28 22:01:57,584",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 2720
          },
          {
            "timestamp": "2026-05-28 22:01:57,584",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "synchronization",
            "api": "NtReleaseMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              }
            ],
            "repeated": 1,
            "id": 2721
          },
          {
            "timestamp": "2026-05-28 22:01:57,584",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              },
              {
                "name": "Milliseconds",
                "value": "18446744073709551615"
              },
              {
                "name": "Status",
                "value": "Infinite"
              }
            ],
            "repeated": 0,
            "id": 2722
          },
          {
            "timestamp": "2026-05-28 22:01:57,584",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 2723
          },
          {
            "timestamp": "2026-05-28 22:01:57,584",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 2724
          },
          {
            "timestamp": "2026-05-28 22:01:57,584",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "synchronization",
            "api": "NtReleaseMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              }
            ],
            "repeated": 0,
            "id": 2725
          },
          {
            "timestamp": "2026-05-28 22:01:57,584",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4106",
            "parentcaller": "0x7ff6c28d2e59",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00000029"
              },
              {
                "name": "uiParam",
                "value": "0x000001f8"
              }
            ],
            "repeated": 0,
            "id": 2726
          },
          {
            "timestamp": "2026-05-28 22:01:57,584",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 2727
          },
          {
            "timestamp": "2026-05-28 22:01:57,584",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 2728
          },
          {
            "timestamp": "2026-05-28 22:01:57,584",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "synchronization",
            "api": "NtReleaseMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              }
            ],
            "repeated": 0,
            "id": 2729
          },
          {
            "timestamp": "2026-05-28 22:01:57,584",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4106",
            "parentcaller": "0x7ff6c28d2e59",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2925415b000"
              },
              {
                "name": "RegionSize",
                "value": "0x00009000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 2730
          },
          {
            "timestamp": "2026-05-28 22:01:57,584",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "synchronization",
            "api": "NtReleaseMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              }
            ],
            "repeated": 0,
            "id": 2731
          },
          {
            "timestamp": "2026-05-28 22:01:57,584",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              },
              {
                "name": "Milliseconds",
                "value": "18446744073709551615"
              },
              {
                "name": "Status",
                "value": "Infinite"
              }
            ],
            "repeated": 0,
            "id": 2732
          },
          {
            "timestamp": "2026-05-28 22:01:57,584",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4106",
            "parentcaller": "0x7ff6c28d2e59",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00000029"
              },
              {
                "name": "uiParam",
                "value": "0x000001f8"
              }
            ],
            "repeated": 0,
            "id": 2733
          },
          {
            "timestamp": "2026-05-28 22:01:57,584",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 2734
          },
          {
            "timestamp": "2026-05-28 22:01:57,584",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 2735
          },
          {
            "timestamp": "2026-05-28 22:01:57,584",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "synchronization",
            "api": "NtReleaseMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              }
            ],
            "repeated": 0,
            "id": 2736
          },
          {
            "timestamp": "2026-05-28 22:01:57,584",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 2737
          },
          {
            "timestamp": "2026-05-28 22:01:57,584",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 2738
          },
          {
            "timestamp": "2026-05-28 22:01:57,584",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "synchronization",
            "api": "NtReleaseMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              }
            ],
            "repeated": 1,
            "id": 2739
          },
          {
            "timestamp": "2026-05-28 22:01:57,584",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              },
              {
                "name": "Milliseconds",
                "value": "18446744073709551615"
              },
              {
                "name": "Status",
                "value": "Infinite"
              }
            ],
            "repeated": 0,
            "id": 2740
          },
          {
            "timestamp": "2026-05-28 22:01:57,584",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 2741
          },
          {
            "timestamp": "2026-05-28 22:01:57,584",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 2742
          },
          {
            "timestamp": "2026-05-28 22:01:57,584",
            "thread_id": "1496",
            "caller": "0x7ffc602285aa",
            "parentcaller": "0x7ffc6021278a",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00000029"
              },
              {
                "name": "uiParam",
                "value": "0x000001f8"
              }
            ],
            "repeated": 0,
            "id": 2743
          },
          {
            "timestamp": "2026-05-28 22:01:57,584",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "synchronization",
            "api": "NtReleaseMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              }
            ],
            "repeated": 0,
            "id": 2744
          },
          {
            "timestamp": "2026-05-28 22:01:57,584",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 2745
          },
          {
            "timestamp": "2026-05-28 22:01:57,584",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 2746
          },
          {
            "timestamp": "2026-05-28 22:01:57,584",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "synchronization",
            "api": "NtReleaseMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              }
            ],
            "repeated": 1,
            "id": 2747
          },
          {
            "timestamp": "2026-05-28 22:01:57,584",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4106",
            "parentcaller": "0x7ff6c28d2e59",
            "category": "misc",
            "api": "FindResourceExW",
            "status": true,
            "return": "0x2924e1b1ed8",
            "arguments": [
              {
                "name": "Module",
                "value": "0x7ff6c28b0000"
              },
              {
                "name": "Type",
                "value": "#6"
              },
              {
                "name": "Name",
                "value": "#2351"
              },
              {
                "name": "Language",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 2748
          },
          {
            "timestamp": "2026-05-28 22:01:57,584",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              },
              {
                "name": "Milliseconds",
                "value": "18446744073709551615"
              },
              {
                "name": "Status",
                "value": "Infinite"
              }
            ],
            "repeated": 0,
            "id": 2749
          },
          {
            "timestamp": "2026-05-28 22:01:57,584",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4106",
            "parentcaller": "0x7ff6c28d2e59",
            "category": "misc",
            "api": "LoadResource",
            "status": true,
            "return": "0x2924e1bcfc4",
            "arguments": [
              {
                "name": "Module",
                "value": "0x7ff6c28b0000"
              },
              {
                "name": "ResourceInfo",
                "value": "0x2924e1b1ed8"
              }
            ],
            "repeated": 0,
            "id": 2750
          },
          {
            "timestamp": "2026-05-28 22:01:57,584",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 2751
          },
          {
            "timestamp": "2026-05-28 22:01:57,584",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 2752
          },
          {
            "timestamp": "2026-05-28 22:01:57,584",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "synchronization",
            "api": "NtReleaseMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              }
            ],
            "repeated": 0,
            "id": 2753
          },
          {
            "timestamp": "2026-05-28 22:01:57,584",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 2754
          },
          {
            "timestamp": "2026-05-28 22:01:57,584",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 2755
          },
          {
            "timestamp": "2026-05-28 22:01:57,584",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "synchronization",
            "api": "NtReleaseMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              }
            ],
            "repeated": 1,
            "id": 2756
          },
          {
            "timestamp": "2026-05-28 22:01:57,584",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              },
              {
                "name": "Milliseconds",
                "value": "18446744073709551615"
              },
              {
                "name": "Status",
                "value": "Infinite"
              }
            ],
            "repeated": 0,
            "id": 2757
          },
          {
            "timestamp": "2026-05-28 22:01:57,584",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 2758
          },
          {
            "timestamp": "2026-05-28 22:01:57,584",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 2759
          },
          {
            "timestamp": "2026-05-28 22:01:57,584",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "synchronization",
            "api": "NtReleaseMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              }
            ],
            "repeated": 0,
            "id": 2760
          },
          {
            "timestamp": "2026-05-28 22:01:57,584",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 2761
          },
          {
            "timestamp": "2026-05-28 22:01:57,584",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 2762
          },
          {
            "timestamp": "2026-05-28 22:01:57,584",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "synchronization",
            "api": "NtReleaseMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              }
            ],
            "repeated": 1,
            "id": 2763
          },
          {
            "timestamp": "2026-05-28 22:01:57,584",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              },
              {
                "name": "Milliseconds",
                "value": "18446744073709551615"
              },
              {
                "name": "Status",
                "value": "Infinite"
              }
            ],
            "repeated": 0,
            "id": 2764
          },
          {
            "timestamp": "2026-05-28 22:01:57,584",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 2765
          },
          {
            "timestamp": "2026-05-28 22:01:57,584",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 2766
          },
          {
            "timestamp": "2026-05-28 22:01:57,584",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "synchronization",
            "api": "NtReleaseMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              }
            ],
            "repeated": 0,
            "id": 2767
          },
          {
            "timestamp": "2026-05-28 22:01:57,584",
            "thread_id": "612",
            "caller": "0x7ffc756d30ce",
            "parentcaller": "0x7ffc775cf47d",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 2768
          },
          {
            "timestamp": "2026-05-28 22:01:57,584",
            "thread_id": "612",
            "caller": "0x7ffc756d30ce",
            "parentcaller": "0x7ffc775cf47d",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 2769
          },
          {
            "timestamp": "2026-05-28 22:01:57,584",
            "thread_id": "612",
            "caller": "0x7ffc756ddd5d",
            "parentcaller": "0x7ffc775cf4a2",
            "category": "synchronization",
            "api": "NtReleaseMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              }
            ],
            "repeated": 0,
            "id": 2770
          },
          {
            "timestamp": "2026-05-28 22:01:57,584",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4106",
            "parentcaller": "0x7ff6c28d2e59",
            "category": "misc",
            "api": "LoadResource",
            "status": true,
            "return": "0x2924e1bd3d4",
            "arguments": [
              {
                "name": "Module",
                "value": "0x7ff6c28b0000"
              },
              {
                "name": "ResourceInfo",
                "value": "0x2924e1b1f28"
              }
            ],
            "repeated": 0,
            "id": 2771
          },
          {
            "timestamp": "2026-05-28 22:01:57,584",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "synchronization",
            "api": "NtReleaseMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              }
            ],
            "repeated": 0,
            "id": 2772
          },
          {
            "timestamp": "2026-05-28 22:01:57,584",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              },
              {
                "name": "Milliseconds",
                "value": "18446744073709551615"
              },
              {
                "name": "Status",
                "value": "Infinite"
              }
            ],
            "repeated": 0,
            "id": 2773
          },
          {
            "timestamp": "2026-05-28 22:01:57,584",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 2774
          },
          {
            "timestamp": "2026-05-28 22:01:57,584",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 2775
          },
          {
            "timestamp": "2026-05-28 22:01:57,584",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "synchronization",
            "api": "NtReleaseMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              }
            ],
            "repeated": 0,
            "id": 2776
          },
          {
            "timestamp": "2026-05-28 22:01:57,584",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 2777
          },
          {
            "timestamp": "2026-05-28 22:01:57,584",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 2778
          },
          {
            "timestamp": "2026-05-28 22:01:57,584",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4106",
            "parentcaller": "0x7ff6c28d2e59",
            "category": "misc",
            "api": "FindResourceExW",
            "status": true,
            "return": "0x2924e1b1f28",
            "arguments": [
              {
                "name": "Module",
                "value": "0x7ff6c28b0000"
              },
              {
                "name": "Type",
                "value": "#6"
              },
              {
                "name": "Name",
                "value": "#2438"
              },
              {
                "name": "Language",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 2779
          },
          {
            "timestamp": "2026-05-28 22:01:57,584",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "synchronization",
            "api": "NtReleaseMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              }
            ],
            "repeated": 0,
            "id": 2780
          },
          {
            "timestamp": "2026-05-28 22:01:57,584",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4106",
            "parentcaller": "0x7ff6c28d2e59",
            "category": "misc",
            "api": "LoadResource",
            "status": true,
            "return": "0x2924e1bd3d4",
            "arguments": [
              {
                "name": "Module",
                "value": "0x7ff6c28b0000"
              },
              {
                "name": "ResourceInfo",
                "value": "0x2924e1b1f28"
              }
            ],
            "repeated": 0,
            "id": 2781
          },
          {
            "timestamp": "2026-05-28 22:01:57,584",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              },
              {
                "name": "Milliseconds",
                "value": "18446744073709551615"
              },
              {
                "name": "Status",
                "value": "Infinite"
              }
            ],
            "repeated": 0,
            "id": 2782
          },
          {
            "timestamp": "2026-05-28 22:01:57,584",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 2783
          },
          {
            "timestamp": "2026-05-28 22:01:57,584",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 2784
          },
          {
            "timestamp": "2026-05-28 22:01:57,584",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "synchronization",
            "api": "NtReleaseMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              }
            ],
            "repeated": 0,
            "id": 2785
          },
          {
            "timestamp": "2026-05-28 22:01:57,584",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4106",
            "parentcaller": "0x7ff6c28d2e59",
            "category": "misc",
            "api": "FindResourceExW",
            "status": true,
            "return": "0x2924e1b1f28",
            "arguments": [
              {
                "name": "Module",
                "value": "0x7ff6c28b0000"
              },
              {
                "name": "Type",
                "value": "#6"
              },
              {
                "name": "Name",
                "value": "#2438"
              },
              {
                "name": "Language",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 2786
          },
          {
            "timestamp": "2026-05-28 22:01:57,584",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 2787
          },
          {
            "timestamp": "2026-05-28 22:01:57,584",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 2788
          },
          {
            "timestamp": "2026-05-28 22:01:57,584",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "synchronization",
            "api": "NtReleaseMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              }
            ],
            "repeated": 1,
            "id": 2789
          },
          {
            "timestamp": "2026-05-28 22:01:57,584",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              },
              {
                "name": "Milliseconds",
                "value": "18446744073709551615"
              },
              {
                "name": "Status",
                "value": "Infinite"
              }
            ],
            "repeated": 0,
            "id": 2790
          },
          {
            "timestamp": "2026-05-28 22:01:57,584",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 2791
          },
          {
            "timestamp": "2026-05-28 22:01:57,584",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 2792
          },
          {
            "timestamp": "2026-05-28 22:01:57,584",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "synchronization",
            "api": "NtReleaseMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              }
            ],
            "repeated": 0,
            "id": 2793
          },
          {
            "timestamp": "2026-05-28 22:01:57,584",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 2794
          },
          {
            "timestamp": "2026-05-28 22:01:57,584",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 2795
          },
          {
            "timestamp": "2026-05-28 22:01:57,584",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4106",
            "parentcaller": "0x7ff6c28d2e59",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254164000"
              },
              {
                "name": "RegionSize",
                "value": "0x00003000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 2796
          },
          {
            "timestamp": "2026-05-28 22:01:57,584",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "synchronization",
            "api": "NtReleaseMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              }
            ],
            "repeated": 1,
            "id": 2797
          },
          {
            "timestamp": "2026-05-28 22:01:57,584",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              },
              {
                "name": "Milliseconds",
                "value": "18446744073709551615"
              },
              {
                "name": "Status",
                "value": "Infinite"
              }
            ],
            "repeated": 0,
            "id": 2798
          },
          {
            "timestamp": "2026-05-28 22:01:57,584",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 2799
          },
          {
            "timestamp": "2026-05-28 22:01:57,584",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 2800
          },
          {
            "timestamp": "2026-05-28 22:01:57,584",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "synchronization",
            "api": "NtReleaseMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              }
            ],
            "repeated": 0,
            "id": 2801
          },
          {
            "timestamp": "2026-05-28 22:01:57,584",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 2802
          },
          {
            "timestamp": "2026-05-28 22:01:57,584",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 2803
          },
          {
            "timestamp": "2026-05-28 22:01:57,584",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "synchronization",
            "api": "NtReleaseMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              }
            ],
            "repeated": 1,
            "id": 2804
          },
          {
            "timestamp": "2026-05-28 22:01:57,584",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              },
              {
                "name": "Milliseconds",
                "value": "18446744073709551615"
              },
              {
                "name": "Status",
                "value": "Infinite"
              }
            ],
            "repeated": 0,
            "id": 2805
          },
          {
            "timestamp": "2026-05-28 22:01:57,584",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 2806
          },
          {
            "timestamp": "2026-05-28 22:01:57,584",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 2807
          },
          {
            "timestamp": "2026-05-28 22:01:57,584",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "synchronization",
            "api": "NtReleaseMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              }
            ],
            "repeated": 0,
            "id": 2808
          },
          {
            "timestamp": "2026-05-28 22:01:57,584",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 2809
          },
          {
            "timestamp": "2026-05-28 22:01:57,584",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 2810
          },
          {
            "timestamp": "2026-05-28 22:01:57,584",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "synchronization",
            "api": "NtReleaseMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              }
            ],
            "repeated": 1,
            "id": 2811
          },
          {
            "timestamp": "2026-05-28 22:01:57,584",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              },
              {
                "name": "Milliseconds",
                "value": "18446744073709551615"
              },
              {
                "name": "Status",
                "value": "Infinite"
              }
            ],
            "repeated": 0,
            "id": 2812
          },
          {
            "timestamp": "2026-05-28 22:01:57,584",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 2813
          },
          {
            "timestamp": "2026-05-28 22:01:57,584",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 2814
          },
          {
            "timestamp": "2026-05-28 22:01:57,584",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "synchronization",
            "api": "NtReleaseMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              }
            ],
            "repeated": 0,
            "id": 2815
          },
          {
            "timestamp": "2026-05-28 22:01:57,584",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 2816
          },
          {
            "timestamp": "2026-05-28 22:01:57,584",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 2817
          },
          {
            "timestamp": "2026-05-28 22:01:57,584",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "synchronization",
            "api": "NtReleaseMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              }
            ],
            "repeated": 1,
            "id": 2818
          },
          {
            "timestamp": "2026-05-28 22:01:57,584",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              },
              {
                "name": "Milliseconds",
                "value": "18446744073709551615"
              },
              {
                "name": "Status",
                "value": "Infinite"
              }
            ],
            "repeated": 0,
            "id": 2819
          },
          {
            "timestamp": "2026-05-28 22:01:57,584",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4106",
            "parentcaller": "0x7ff6c28d2e59",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254167000"
              },
              {
                "name": "RegionSize",
                "value": "0x00003000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 2820
          },
          {
            "timestamp": "2026-05-28 22:01:57,584",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 2821
          },
          {
            "timestamp": "2026-05-28 22:01:57,584",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 2822
          },
          {
            "timestamp": "2026-05-28 22:01:57,584",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "synchronization",
            "api": "NtReleaseMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              }
            ],
            "repeated": 0,
            "id": 2823
          },
          {
            "timestamp": "2026-05-28 22:01:57,584",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 2824
          },
          {
            "timestamp": "2026-05-28 22:01:57,584",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 2825
          },
          {
            "timestamp": "2026-05-28 22:01:57,584",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "synchronization",
            "api": "NtReleaseMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              }
            ],
            "repeated": 1,
            "id": 2826
          },
          {
            "timestamp": "2026-05-28 22:01:57,584",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              },
              {
                "name": "Milliseconds",
                "value": "18446744073709551615"
              },
              {
                "name": "Status",
                "value": "Infinite"
              }
            ],
            "repeated": 0,
            "id": 2827
          },
          {
            "timestamp": "2026-05-28 22:01:57,584",
            "thread_id": "612",
            "caller": "0x7ffc756d30ce",
            "parentcaller": "0x7ffc775cf3f5",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 2828
          },
          {
            "timestamp": "2026-05-28 22:01:57,584",
            "thread_id": "612",
            "caller": "0x7ffc756d30ce",
            "parentcaller": "0x7ffc775cf3f5",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 2829
          },
          {
            "timestamp": "2026-05-28 22:01:57,584",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "synchronization",
            "api": "NtReleaseMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              }
            ],
            "repeated": 0,
            "id": 2830
          },
          {
            "timestamp": "2026-05-28 22:01:57,584",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 2831
          },
          {
            "timestamp": "2026-05-28 22:01:57,584",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 2832
          },
          {
            "timestamp": "2026-05-28 22:01:57,584",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "synchronization",
            "api": "NtReleaseMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              }
            ],
            "repeated": 1,
            "id": 2833
          },
          {
            "timestamp": "2026-05-28 22:01:57,584",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4106",
            "parentcaller": "0x7ff6c28d2e59",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00000042"
              },
              {
                "name": "uiParam",
                "value": "0x00000010"
              }
            ],
            "repeated": 0,
            "id": 2834
          },
          {
            "timestamp": "2026-05-28 22:01:57,584",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              },
              {
                "name": "Milliseconds",
                "value": "18446744073709551615"
              },
              {
                "name": "Status",
                "value": "Infinite"
              }
            ],
            "repeated": 0,
            "id": 2835
          },
          {
            "timestamp": "2026-05-28 22:01:57,584",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 2836
          },
          {
            "timestamp": "2026-05-28 22:01:57,584",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 2837
          },
          {
            "timestamp": "2026-05-28 22:01:57,584",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "synchronization",
            "api": "NtReleaseMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              }
            ],
            "repeated": 0,
            "id": 2838
          },
          {
            "timestamp": "2026-05-28 22:01:57,584",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 2839
          },
          {
            "timestamp": "2026-05-28 22:01:57,584",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 2840
          },
          {
            "timestamp": "2026-05-28 22:01:57,584",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "synchronization",
            "api": "NtReleaseMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              }
            ],
            "repeated": 1,
            "id": 2841
          },
          {
            "timestamp": "2026-05-28 22:01:57,584",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              },
              {
                "name": "Milliseconds",
                "value": "18446744073709551615"
              },
              {
                "name": "Status",
                "value": "Infinite"
              }
            ],
            "repeated": 0,
            "id": 2842
          },
          {
            "timestamp": "2026-05-28 22:01:57,584",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 2843
          },
          {
            "timestamp": "2026-05-28 22:01:57,584",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 2844
          },
          {
            "timestamp": "2026-05-28 22:01:57,584",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "synchronization",
            "api": "NtReleaseMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              }
            ],
            "repeated": 0,
            "id": 2845
          },
          {
            "timestamp": "2026-05-28 22:01:57,584",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4106",
            "parentcaller": "0x7ff6c28d2e59",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00000042"
              },
              {
                "name": "uiParam",
                "value": "0x00000010"
              }
            ],
            "repeated": 0,
            "id": 2846
          },
          {
            "timestamp": "2026-05-28 22:01:57,584",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 2847
          },
          {
            "timestamp": "2026-05-28 22:01:57,584",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 2848
          },
          {
            "timestamp": "2026-05-28 22:01:57,584",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "synchronization",
            "api": "NtReleaseMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              }
            ],
            "repeated": 1,
            "id": 2849
          },
          {
            "timestamp": "2026-05-28 22:01:57,584",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              },
              {
                "name": "Milliseconds",
                "value": "18446744073709551615"
              },
              {
                "name": "Status",
                "value": "Infinite"
              }
            ],
            "repeated": 0,
            "id": 2850
          },
          {
            "timestamp": "2026-05-28 22:01:57,584",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 2851
          },
          {
            "timestamp": "2026-05-28 22:01:57,584",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 2852
          },
          {
            "timestamp": "2026-05-28 22:01:57,584",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "synchronization",
            "api": "NtReleaseMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              }
            ],
            "repeated": 0,
            "id": 2853
          },
          {
            "timestamp": "2026-05-28 22:01:57,584",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 2854
          },
          {
            "timestamp": "2026-05-28 22:01:57,584",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 2855
          },
          {
            "timestamp": "2026-05-28 22:01:57,584",
            "thread_id": "612",
            "caller": "0x7ffc756ddd5d",
            "parentcaller": "0x7ffc775cf4a2",
            "category": "synchronization",
            "api": "NtReleaseMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              }
            ],
            "repeated": 0,
            "id": 2856
          },
          {
            "timestamp": "2026-05-28 22:01:57,584",
            "thread_id": "1496",
            "caller": "0x7ffc730ae967",
            "parentcaller": "0x7ffc730bb6a5",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00000042"
              },
              {
                "name": "uiParam",
                "value": "0x00000010"
              }
            ],
            "repeated": 0,
            "id": 2857
          },
          {
            "timestamp": "2026-05-28 22:01:57,584",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              },
              {
                "name": "Milliseconds",
                "value": "18446744073709551615"
              },
              {
                "name": "Status",
                "value": "Infinite"
              }
            ],
            "repeated": 0,
            "id": 2858
          },
          {
            "timestamp": "2026-05-28 22:01:57,584",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 2859
          },
          {
            "timestamp": "2026-05-28 22:01:57,584",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 2860
          },
          {
            "timestamp": "2026-05-28 22:01:57,584",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "synchronization",
            "api": "NtReleaseMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              }
            ],
            "repeated": 0,
            "id": 2861
          },
          {
            "timestamp": "2026-05-28 22:01:57,584",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 2862
          },
          {
            "timestamp": "2026-05-28 22:01:57,584",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 2863
          },
          {
            "timestamp": "2026-05-28 22:01:57,584",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "synchronization",
            "api": "NtReleaseMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              }
            ],
            "repeated": 1,
            "id": 2864
          },
          {
            "timestamp": "2026-05-28 22:01:57,584",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              },
              {
                "name": "Milliseconds",
                "value": "18446744073709551615"
              },
              {
                "name": "Status",
                "value": "Infinite"
              }
            ],
            "repeated": 0,
            "id": 2865
          },
          {
            "timestamp": "2026-05-28 22:01:57,584",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 2866
          },
          {
            "timestamp": "2026-05-28 22:01:57,584",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 2867
          },
          {
            "timestamp": "2026-05-28 22:01:57,584",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "synchronization",
            "api": "NtReleaseMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              }
            ],
            "repeated": 0,
            "id": 2868
          },
          {
            "timestamp": "2026-05-28 22:01:57,584",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 2869
          },
          {
            "timestamp": "2026-05-28 22:01:57,584",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 2870
          },
          {
            "timestamp": "2026-05-28 22:01:57,584",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "synchronization",
            "api": "NtReleaseMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              }
            ],
            "repeated": 1,
            "id": 2871
          },
          {
            "timestamp": "2026-05-28 22:01:57,584",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              },
              {
                "name": "Milliseconds",
                "value": "18446744073709551615"
              },
              {
                "name": "Status",
                "value": "Infinite"
              }
            ],
            "repeated": 0,
            "id": 2872
          },
          {
            "timestamp": "2026-05-28 22:01:57,584",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4106",
            "parentcaller": "0x7ff6c28d2e59",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2925416a000"
              },
              {
                "name": "RegionSize",
                "value": "0x00005000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 2873
          },
          {
            "timestamp": "2026-05-28 22:01:57,584",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 2874
          },
          {
            "timestamp": "2026-05-28 22:01:57,584",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 2875
          },
          {
            "timestamp": "2026-05-28 22:01:57,584",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "synchronization",
            "api": "NtReleaseMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              }
            ],
            "repeated": 0,
            "id": 2876
          },
          {
            "timestamp": "2026-05-28 22:01:57,584",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 2877
          },
          {
            "timestamp": "2026-05-28 22:01:57,584",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 2878
          },
          {
            "timestamp": "2026-05-28 22:01:57,584",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "synchronization",
            "api": "NtReleaseMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              }
            ],
            "repeated": 1,
            "id": 2879
          },
          {
            "timestamp": "2026-05-28 22:01:57,584",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              },
              {
                "name": "Milliseconds",
                "value": "18446744073709551615"
              },
              {
                "name": "Status",
                "value": "Infinite"
              }
            ],
            "repeated": 0,
            "id": 2880
          },
          {
            "timestamp": "2026-05-28 22:01:57,584",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 2881
          },
          {
            "timestamp": "2026-05-28 22:01:57,584",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 2882
          },
          {
            "timestamp": "2026-05-28 22:01:57,584",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4106",
            "parentcaller": "0x7ff6c28d2e59",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00000042"
              },
              {
                "name": "uiParam",
                "value": "0x00000010"
              }
            ],
            "repeated": 0,
            "id": 2883
          },
          {
            "timestamp": "2026-05-28 22:01:57,584",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "synchronization",
            "api": "NtReleaseMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              }
            ],
            "repeated": 0,
            "id": 2884
          },
          {
            "timestamp": "2026-05-28 22:01:57,584",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 2885
          },
          {
            "timestamp": "2026-05-28 22:01:57,584",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 2886
          },
          {
            "timestamp": "2026-05-28 22:01:57,584",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "synchronization",
            "api": "NtReleaseMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              }
            ],
            "repeated": 1,
            "id": 2887
          },
          {
            "timestamp": "2026-05-28 22:01:57,584",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              },
              {
                "name": "Milliseconds",
                "value": "18446744073709551615"
              },
              {
                "name": "Status",
                "value": "Infinite"
              }
            ],
            "repeated": 0,
            "id": 2888
          },
          {
            "timestamp": "2026-05-28 22:01:57,584",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 2889
          },
          {
            "timestamp": "2026-05-28 22:01:57,584",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 2890
          },
          {
            "timestamp": "2026-05-28 22:01:57,584",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "synchronization",
            "api": "NtReleaseMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              }
            ],
            "repeated": 0,
            "id": 2891
          },
          {
            "timestamp": "2026-05-28 22:01:57,584",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 2892
          },
          {
            "timestamp": "2026-05-28 22:01:57,584",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 2893
          },
          {
            "timestamp": "2026-05-28 22:01:57,584",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4106",
            "parentcaller": "0x7ff6c28d2e59",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00000042"
              },
              {
                "name": "uiParam",
                "value": "0x00000010"
              }
            ],
            "repeated": 0,
            "id": 2894
          },
          {
            "timestamp": "2026-05-28 22:01:57,584",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "synchronization",
            "api": "NtReleaseMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              }
            ],
            "repeated": 1,
            "id": 2895
          },
          {
            "timestamp": "2026-05-28 22:01:57,584",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              },
              {
                "name": "Milliseconds",
                "value": "18446744073709551615"
              },
              {
                "name": "Status",
                "value": "Infinite"
              }
            ],
            "repeated": 0,
            "id": 2896
          },
          {
            "timestamp": "2026-05-28 22:01:57,584",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 2897
          },
          {
            "timestamp": "2026-05-28 22:01:57,584",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 2898
          },
          {
            "timestamp": "2026-05-28 22:01:57,584",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "synchronization",
            "api": "NtReleaseMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              }
            ],
            "repeated": 0,
            "id": 2899
          },
          {
            "timestamp": "2026-05-28 22:01:57,584",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 2900
          },
          {
            "timestamp": "2026-05-28 22:01:57,584",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 2901
          },
          {
            "timestamp": "2026-05-28 22:01:57,584",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "synchronization",
            "api": "NtReleaseMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              }
            ],
            "repeated": 1,
            "id": 2902
          },
          {
            "timestamp": "2026-05-28 22:01:57,584",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4106",
            "parentcaller": "0x7ff6c28d2e59",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00000042"
              },
              {
                "name": "uiParam",
                "value": "0x00000010"
              }
            ],
            "repeated": 0,
            "id": 2903
          },
          {
            "timestamp": "2026-05-28 22:01:57,584",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              },
              {
                "name": "Milliseconds",
                "value": "18446744073709551615"
              },
              {
                "name": "Status",
                "value": "Infinite"
              }
            ],
            "repeated": 0,
            "id": 2904
          },
          {
            "timestamp": "2026-05-28 22:01:57,584",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 2905
          },
          {
            "timestamp": "2026-05-28 22:01:57,584",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 2906
          },
          {
            "timestamp": "2026-05-28 22:01:57,584",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "synchronization",
            "api": "NtReleaseMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              }
            ],
            "repeated": 0,
            "id": 2907
          },
          {
            "timestamp": "2026-05-28 22:01:57,584",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 2908
          },
          {
            "timestamp": "2026-05-28 22:01:57,584",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 2909
          },
          {
            "timestamp": "2026-05-28 22:01:57,584",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "synchronization",
            "api": "NtReleaseMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              }
            ],
            "repeated": 1,
            "id": 2910
          },
          {
            "timestamp": "2026-05-28 22:01:57,584",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              },
              {
                "name": "Milliseconds",
                "value": "18446744073709551615"
              },
              {
                "name": "Status",
                "value": "Infinite"
              }
            ],
            "repeated": 0,
            "id": 2911
          },
          {
            "timestamp": "2026-05-28 22:01:57,584",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4106",
            "parentcaller": "0x7ff6c28d2e59",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00000042"
              },
              {
                "name": "uiParam",
                "value": "0x00000010"
              }
            ],
            "repeated": 0,
            "id": 2912
          },
          {
            "timestamp": "2026-05-28 22:01:57,584",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 2913
          },
          {
            "timestamp": "2026-05-28 22:01:57,584",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 2914
          },
          {
            "timestamp": "2026-05-28 22:01:57,584",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "synchronization",
            "api": "NtReleaseMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              }
            ],
            "repeated": 0,
            "id": 2915
          },
          {
            "timestamp": "2026-05-28 22:01:57,584",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4106",
            "parentcaller": "0x7ff6c28d2e59",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00000029"
              },
              {
                "name": "uiParam",
                "value": "0x000001f8"
              }
            ],
            "repeated": 0,
            "id": 2916
          },
          {
            "timestamp": "2026-05-28 22:01:57,584",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "synchronization",
            "api": "NtReleaseMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              }
            ],
            "repeated": 1,
            "id": 2917
          },
          {
            "timestamp": "2026-05-28 22:01:57,584",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4106",
            "parentcaller": "0x7ff6c28d2e59",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2925416f000"
              },
              {
                "name": "RegionSize",
                "value": "0x00009000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 2918
          },
          {
            "timestamp": "2026-05-28 22:01:57,584",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              },
              {
                "name": "Milliseconds",
                "value": "18446744073709551615"
              },
              {
                "name": "Status",
                "value": "Infinite"
              }
            ],
            "repeated": 0,
            "id": 2919
          },
          {
            "timestamp": "2026-05-28 22:01:57,584",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 2920
          },
          {
            "timestamp": "2026-05-28 22:01:57,584",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 2921
          },
          {
            "timestamp": "2026-05-28 22:01:57,584",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4106",
            "parentcaller": "0x7ff6c28d2e59",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254178000"
              },
              {
                "name": "RegionSize",
                "value": "0x00009000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 2922
          },
          {
            "timestamp": "2026-05-28 22:01:57,584",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "synchronization",
            "api": "NtReleaseMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              }
            ],
            "repeated": 0,
            "id": 2923
          },
          {
            "timestamp": "2026-05-28 22:01:57,584",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 2924
          },
          {
            "timestamp": "2026-05-28 22:01:57,584",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 2925
          },
          {
            "timestamp": "2026-05-28 22:01:57,584",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "synchronization",
            "api": "NtReleaseMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              }
            ],
            "repeated": 1,
            "id": 2926
          },
          {
            "timestamp": "2026-05-28 22:01:57,584",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              },
              {
                "name": "Milliseconds",
                "value": "18446744073709551615"
              },
              {
                "name": "Status",
                "value": "Infinite"
              }
            ],
            "repeated": 0,
            "id": 2927
          },
          {
            "timestamp": "2026-05-28 22:01:57,584",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 2928
          },
          {
            "timestamp": "2026-05-28 22:01:57,584",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 2929
          },
          {
            "timestamp": "2026-05-28 22:01:57,584",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "synchronization",
            "api": "NtReleaseMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              }
            ],
            "repeated": 0,
            "id": 2930
          },
          {
            "timestamp": "2026-05-28 22:01:57,584",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 2931
          },
          {
            "timestamp": "2026-05-28 22:01:57,584",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 2932
          },
          {
            "timestamp": "2026-05-28 22:01:57,584",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "synchronization",
            "api": "NtReleaseMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              }
            ],
            "repeated": 0,
            "id": 2933
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "1496",
            "caller": "0x7ff6c28d40a3",
            "parentcaller": "0x7ff6c28d2e59",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00000029"
              },
              {
                "name": "uiParam",
                "value": "0x000001f8"
              }
            ],
            "repeated": 0,
            "id": 2934
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4106",
            "parentcaller": "0x7ff6c28d2e59",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254181000"
              },
              {
                "name": "RegionSize",
                "value": "0x00011000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 2935
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4106",
            "parentcaller": "0x7ff6c28d2e59",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254192000"
              },
              {
                "name": "RegionSize",
                "value": "0x00005000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 2936
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "synchronization",
            "api": "NtReleaseMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              }
            ],
            "repeated": 0,
            "id": 2937
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4106",
            "parentcaller": "0x7ff6c28d2e59",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00000042"
              },
              {
                "name": "uiParam",
                "value": "0x00000010"
              }
            ],
            "repeated": 0,
            "id": 2938
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              },
              {
                "name": "Milliseconds",
                "value": "18446744073709551615"
              },
              {
                "name": "Status",
                "value": "Infinite"
              }
            ],
            "repeated": 0,
            "id": 2939
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4106",
            "parentcaller": "0x7ff6c28d2e59",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00000042"
              },
              {
                "name": "uiParam",
                "value": "0x00000010"
              }
            ],
            "repeated": 2,
            "id": 2940
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 2941
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 2942
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4106",
            "parentcaller": "0x7ff6c28d2e59",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00000042"
              },
              {
                "name": "uiParam",
                "value": "0x00000010"
              }
            ],
            "repeated": 3,
            "id": 2943
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4106",
            "parentcaller": "0x7ff6c28d2e59",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00000029"
              },
              {
                "name": "uiParam",
                "value": "0x000001f8"
              }
            ],
            "repeated": 0,
            "id": 2944
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4106",
            "parentcaller": "0x7ff6c28d2e59",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254197000"
              },
              {
                "name": "RegionSize",
                "value": "0x00009000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 2945
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "1496",
            "caller": "0x7ff6c28d40a3",
            "parentcaller": "0x7ff6c28d2e59",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00000029"
              },
              {
                "name": "uiParam",
                "value": "0x000001f8"
              }
            ],
            "repeated": 0,
            "id": 2946
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4106",
            "parentcaller": "0x7ff6c28d2e59",
            "category": "misc",
            "api": "FindResourceExW",
            "status": true,
            "return": "0x2924e1b1c68",
            "arguments": [
              {
                "name": "Module",
                "value": "0x7ff6c28b0000"
              },
              {
                "name": "Type",
                "value": "#6"
              },
              {
                "name": "Name",
                "value": "#2117"
              },
              {
                "name": "Language",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 2947
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4106",
            "parentcaller": "0x7ff6c28d2e59",
            "category": "misc",
            "api": "LoadResource",
            "status": true,
            "return": "0x2924e1ba6a8",
            "arguments": [
              {
                "name": "Module",
                "value": "0x7ff6c28b0000"
              },
              {
                "name": "ResourceInfo",
                "value": "0x2924e1b1c68"
              }
            ],
            "repeated": 0,
            "id": 2948
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "1496",
            "caller": "0x7ff6c28df32d",
            "parentcaller": "0x7ff6c28d4106",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00000042"
              },
              {
                "name": "uiParam",
                "value": "0x00000010"
              }
            ],
            "repeated": 3,
            "id": 2949
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "1496",
            "caller": "0x7ff6c28df32d",
            "parentcaller": "0x7ff6c28d4106",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000001",
                "pretty_value": "HKEY_CURRENT_USER"
              },
              {
                "name": "SubKey",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced"
              },
              {
                "name": "Handle",
                "value": "0x000005a4"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced"
              }
            ],
            "repeated": 0,
            "id": 2950
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "1496",
            "caller": "0x7ff6c28df32d",
            "parentcaller": "0x7ff6c28d4106",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005a4"
              },
              {
                "name": "ValueName",
                "value": "AccListViewV6"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\AccListViewV6"
              }
            ],
            "repeated": 0,
            "id": 2951
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "1496",
            "caller": "0x7ff6c28df32d",
            "parentcaller": "0x7ff6c28d4106",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005a4"
              }
            ],
            "repeated": 0,
            "id": 2952
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "1496",
            "caller": "0x7ff6c28df32d",
            "parentcaller": "0x7ff6c28d4106",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000001",
                "pretty_value": "HKEY_CURRENT_USER"
              },
              {
                "name": "SubKey",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced"
              },
              {
                "name": "Handle",
                "value": "0x000005a4"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced"
              }
            ],
            "repeated": 0,
            "id": 2953
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "1496",
            "caller": "0x7ff6c28df32d",
            "parentcaller": "0x7ff6c28d4106",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005a4"
              },
              {
                "name": "ValueName",
                "value": "UseDoubleClickTimer"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\UseDoubleClickTimer"
              }
            ],
            "repeated": 0,
            "id": 2954
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "1496",
            "caller": "0x7ff6c28df32d",
            "parentcaller": "0x7ff6c28d4106",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005a4"
              }
            ],
            "repeated": 0,
            "id": 2955
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "synchronization",
            "api": "NtReleaseMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              }
            ],
            "repeated": 0,
            "id": 2956
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 2957
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 2958
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "synchronization",
            "api": "NtReleaseMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              }
            ],
            "repeated": 1,
            "id": 2959
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              },
              {
                "name": "Milliseconds",
                "value": "18446744073709551615"
              },
              {
                "name": "Status",
                "value": "Infinite"
              }
            ],
            "repeated": 0,
            "id": 2960
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 2961
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 2962
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "synchronization",
            "api": "NtReleaseMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              }
            ],
            "repeated": 0,
            "id": 2963
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 2964
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 2965
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "synchronization",
            "api": "NtReleaseMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              }
            ],
            "repeated": 1,
            "id": 2966
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              },
              {
                "name": "Milliseconds",
                "value": "18446744073709551615"
              },
              {
                "name": "Status",
                "value": "Infinite"
              }
            ],
            "repeated": 0,
            "id": 2967
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 2968
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 2969
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "synchronization",
            "api": "NtReleaseMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              }
            ],
            "repeated": 0,
            "id": 2970
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 2971
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 2972
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "synchronization",
            "api": "NtReleaseMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              }
            ],
            "repeated": 1,
            "id": 2973
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              },
              {
                "name": "Milliseconds",
                "value": "18446744073709551615"
              },
              {
                "name": "Status",
                "value": "Infinite"
              }
            ],
            "repeated": 0,
            "id": 2974
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 2975
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 2976
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "synchronization",
            "api": "NtReleaseMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              }
            ],
            "repeated": 0,
            "id": 2977
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 2978
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 2979
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "synchronization",
            "api": "NtReleaseMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              }
            ],
            "repeated": 1,
            "id": 2980
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              },
              {
                "name": "Milliseconds",
                "value": "18446744073709551615"
              },
              {
                "name": "Status",
                "value": "Infinite"
              }
            ],
            "repeated": 0,
            "id": 2981
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 2982
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 2983
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "synchronization",
            "api": "NtReleaseMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              }
            ],
            "repeated": 0,
            "id": 2984
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 2985
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 2986
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "synchronization",
            "api": "NtReleaseMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              }
            ],
            "repeated": 1,
            "id": 2987
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              },
              {
                "name": "Milliseconds",
                "value": "18446744073709551615"
              },
              {
                "name": "Status",
                "value": "Infinite"
              }
            ],
            "repeated": 0,
            "id": 2988
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 2989
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 2990
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "synchronization",
            "api": "NtReleaseMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              }
            ],
            "repeated": 0,
            "id": 2991
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 2992
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 2993
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "synchronization",
            "api": "NtReleaseMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              }
            ],
            "repeated": 1,
            "id": 2994
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              },
              {
                "name": "Milliseconds",
                "value": "18446744073709551615"
              },
              {
                "name": "Status",
                "value": "Infinite"
              }
            ],
            "repeated": 0,
            "id": 2995
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 2996
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 2997
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "synchronization",
            "api": "NtReleaseMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              }
            ],
            "repeated": 0,
            "id": 2998
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 2999
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 3000
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "synchronization",
            "api": "NtReleaseMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              }
            ],
            "repeated": 1,
            "id": 3001
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              },
              {
                "name": "Milliseconds",
                "value": "18446744073709551615"
              },
              {
                "name": "Status",
                "value": "Infinite"
              }
            ],
            "repeated": 0,
            "id": 3002
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 3003
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 3004
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "synchronization",
            "api": "NtReleaseMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              }
            ],
            "repeated": 0,
            "id": 3005
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 3006
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 3007
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "synchronization",
            "api": "NtReleaseMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              }
            ],
            "repeated": 1,
            "id": 3008
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              },
              {
                "name": "Milliseconds",
                "value": "18446744073709551615"
              },
              {
                "name": "Status",
                "value": "Infinite"
              }
            ],
            "repeated": 0,
            "id": 3009
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 3010
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 3011
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "synchronization",
            "api": "NtReleaseMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              }
            ],
            "repeated": 0,
            "id": 3012
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 3013
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 3014
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "synchronization",
            "api": "NtReleaseMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              }
            ],
            "repeated": 1,
            "id": 3015
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              },
              {
                "name": "Milliseconds",
                "value": "18446744073709551615"
              },
              {
                "name": "Status",
                "value": "Infinite"
              }
            ],
            "repeated": 0,
            "id": 3016
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 3017
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 3018
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "synchronization",
            "api": "NtReleaseMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              }
            ],
            "repeated": 0,
            "id": 3019
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 3020
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 3021
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "synchronization",
            "api": "NtReleaseMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              }
            ],
            "repeated": 1,
            "id": 3022
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              },
              {
                "name": "Milliseconds",
                "value": "18446744073709551615"
              },
              {
                "name": "Status",
                "value": "Infinite"
              }
            ],
            "repeated": 0,
            "id": 3023
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 3024
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 3025
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "synchronization",
            "api": "NtReleaseMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              }
            ],
            "repeated": 0,
            "id": 3026
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 3027
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 3028
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "synchronization",
            "api": "NtReleaseMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              }
            ],
            "repeated": 1,
            "id": 3029
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              },
              {
                "name": "Milliseconds",
                "value": "18446744073709551615"
              },
              {
                "name": "Status",
                "value": "Infinite"
              }
            ],
            "repeated": 0,
            "id": 3030
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 3031
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 3032
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "synchronization",
            "api": "NtReleaseMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              }
            ],
            "repeated": 0,
            "id": 3033
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 3034
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 3035
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "synchronization",
            "api": "NtReleaseMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              }
            ],
            "repeated": 1,
            "id": 3036
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              },
              {
                "name": "Milliseconds",
                "value": "18446744073709551615"
              },
              {
                "name": "Status",
                "value": "Infinite"
              }
            ],
            "repeated": 0,
            "id": 3037
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 3038
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 3039
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "synchronization",
            "api": "NtReleaseMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              }
            ],
            "repeated": 0,
            "id": 3040
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 3041
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 3042
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "synchronization",
            "api": "NtReleaseMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              }
            ],
            "repeated": 1,
            "id": 3043
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              },
              {
                "name": "Milliseconds",
                "value": "18446744073709551615"
              },
              {
                "name": "Status",
                "value": "Infinite"
              }
            ],
            "repeated": 0,
            "id": 3044
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 3045
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 3046
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "synchronization",
            "api": "NtReleaseMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              }
            ],
            "repeated": 0,
            "id": 3047
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 3048
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 3049
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "synchronization",
            "api": "NtReleaseMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              }
            ],
            "repeated": 1,
            "id": 3050
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              },
              {
                "name": "Milliseconds",
                "value": "18446744073709551615"
              },
              {
                "name": "Status",
                "value": "Infinite"
              }
            ],
            "repeated": 0,
            "id": 3051
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 3052
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 3053
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "synchronization",
            "api": "NtReleaseMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              }
            ],
            "repeated": 0,
            "id": 3054
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 3055
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 3056
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "synchronization",
            "api": "NtReleaseMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              }
            ],
            "repeated": 1,
            "id": 3057
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              },
              {
                "name": "Milliseconds",
                "value": "18446744073709551615"
              },
              {
                "name": "Status",
                "value": "Infinite"
              }
            ],
            "repeated": 0,
            "id": 3058
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 3059
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 3060
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "synchronization",
            "api": "NtReleaseMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              }
            ],
            "repeated": 0,
            "id": 3061
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 3062
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 3063
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "synchronization",
            "api": "NtReleaseMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              }
            ],
            "repeated": 1,
            "id": 3064
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              },
              {
                "name": "Milliseconds",
                "value": "18446744073709551615"
              },
              {
                "name": "Status",
                "value": "Infinite"
              }
            ],
            "repeated": 0,
            "id": 3065
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 3066
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 3067
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "synchronization",
            "api": "NtReleaseMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              }
            ],
            "repeated": 0,
            "id": 3068
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 3069
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 3070
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "synchronization",
            "api": "NtReleaseMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              }
            ],
            "repeated": 1,
            "id": 3071
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              },
              {
                "name": "Milliseconds",
                "value": "18446744073709551615"
              },
              {
                "name": "Status",
                "value": "Infinite"
              }
            ],
            "repeated": 0,
            "id": 3072
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 3073
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 3074
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "synchronization",
            "api": "NtReleaseMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              }
            ],
            "repeated": 0,
            "id": 3075
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 3076
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 3077
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "synchronization",
            "api": "NtReleaseMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              }
            ],
            "repeated": 1,
            "id": 3078
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              },
              {
                "name": "Milliseconds",
                "value": "18446744073709551615"
              },
              {
                "name": "Status",
                "value": "Infinite"
              }
            ],
            "repeated": 0,
            "id": 3079
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 3080
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 3081
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "synchronization",
            "api": "NtReleaseMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              }
            ],
            "repeated": 0,
            "id": 3082
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 3083
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 3084
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "synchronization",
            "api": "NtReleaseMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              }
            ],
            "repeated": 1,
            "id": 3085
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              },
              {
                "name": "Milliseconds",
                "value": "18446744073709551615"
              },
              {
                "name": "Status",
                "value": "Infinite"
              }
            ],
            "repeated": 0,
            "id": 3086
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 3087
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 3088
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "synchronization",
            "api": "NtReleaseMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              }
            ],
            "repeated": 0,
            "id": 3089
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 3090
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 3091
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "synchronization",
            "api": "NtReleaseMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              }
            ],
            "repeated": 1,
            "id": 3092
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              },
              {
                "name": "Milliseconds",
                "value": "18446744073709551615"
              },
              {
                "name": "Status",
                "value": "Infinite"
              }
            ],
            "repeated": 0,
            "id": 3093
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 3094
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 3095
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "synchronization",
            "api": "NtReleaseMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              }
            ],
            "repeated": 0,
            "id": 3096
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 3097
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 3098
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "synchronization",
            "api": "NtReleaseMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              }
            ],
            "repeated": 1,
            "id": 3099
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              },
              {
                "name": "Milliseconds",
                "value": "18446744073709551615"
              },
              {
                "name": "Status",
                "value": "Infinite"
              }
            ],
            "repeated": 0,
            "id": 3100
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 3101
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 3102
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "synchronization",
            "api": "NtReleaseMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              }
            ],
            "repeated": 0,
            "id": 3103
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 3104
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 3105
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "synchronization",
            "api": "NtReleaseMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              }
            ],
            "repeated": 1,
            "id": 3106
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              },
              {
                "name": "Milliseconds",
                "value": "18446744073709551615"
              },
              {
                "name": "Status",
                "value": "Infinite"
              }
            ],
            "repeated": 0,
            "id": 3107
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 3108
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 3109
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "synchronization",
            "api": "NtReleaseMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              }
            ],
            "repeated": 0,
            "id": 3110
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 3111
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 3112
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "synchronization",
            "api": "NtReleaseMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              }
            ],
            "repeated": 1,
            "id": 3113
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ffc756d30ce",
            "parentcaller": "0x7ffc775cf3c0",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              },
              {
                "name": "Milliseconds",
                "value": "18446744073709551615"
              },
              {
                "name": "Status",
                "value": "Infinite"
              }
            ],
            "repeated": 0,
            "id": 3114
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 3115
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 3116
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ffc756ddd5d",
            "parentcaller": "0x7ffc775cf411",
            "category": "synchronization",
            "api": "NtReleaseMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              }
            ],
            "repeated": 0,
            "id": 3117
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 3118
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 3119
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "synchronization",
            "api": "NtReleaseMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              }
            ],
            "repeated": 1,
            "id": 3120
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              },
              {
                "name": "Milliseconds",
                "value": "18446744073709551615"
              },
              {
                "name": "Status",
                "value": "Infinite"
              }
            ],
            "repeated": 0,
            "id": 3121
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 3122
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 3123
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              },
              {
                "name": "Milliseconds",
                "value": "18446744073709551615"
              },
              {
                "name": "Status",
                "value": "Infinite"
              }
            ],
            "repeated": 0,
            "id": 3124
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 3125
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 3126
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "synchronization",
            "api": "NtReleaseMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              }
            ],
            "repeated": 2,
            "id": 3127
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "608",
            "caller": "0x7ff6c28b3932",
            "parentcaller": "0x7ff6c28de0ed",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\System32\\ActXPrxy"
              },
              {
                "name": "DllBase",
                "value": "0x7ffc6edf0000"
              }
            ],
            "repeated": 0,
            "id": 3128
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              },
              {
                "name": "Milliseconds",
                "value": "18446744073709551615"
              },
              {
                "name": "Status",
                "value": "Infinite"
              }
            ],
            "repeated": 0,
            "id": 3129
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 3130
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 3131
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "synchronization",
            "api": "NtReleaseMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              }
            ],
            "repeated": 0,
            "id": 3132
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 3133
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 3134
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "synchronization",
            "api": "NtReleaseMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              }
            ],
            "repeated": 1,
            "id": 3135
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              },
              {
                "name": "Milliseconds",
                "value": "18446744073709551615"
              },
              {
                "name": "Status",
                "value": "Infinite"
              }
            ],
            "repeated": 0,
            "id": 3136
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 3137
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 3138
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "synchronization",
            "api": "NtReleaseMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              }
            ],
            "repeated": 0,
            "id": 3139
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 3140
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 3141
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "synchronization",
            "api": "NtReleaseMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              }
            ],
            "repeated": 1,
            "id": 3142
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              },
              {
                "name": "Milliseconds",
                "value": "18446744073709551615"
              },
              {
                "name": "Status",
                "value": "Infinite"
              }
            ],
            "repeated": 0,
            "id": 3143
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 3144
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 3145
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "synchronization",
            "api": "NtReleaseMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              }
            ],
            "repeated": 0,
            "id": 3146
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 3147
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 3148
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "synchronization",
            "api": "NtReleaseMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              }
            ],
            "repeated": 1,
            "id": 3149
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              },
              {
                "name": "Milliseconds",
                "value": "18446744073709551615"
              },
              {
                "name": "Status",
                "value": "Infinite"
              }
            ],
            "repeated": 0,
            "id": 3150
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 3151
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 3152
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "synchronization",
            "api": "NtReleaseMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              }
            ],
            "repeated": 0,
            "id": 3153
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 3154
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 3155
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "synchronization",
            "api": "NtReleaseMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              }
            ],
            "repeated": 1,
            "id": 3156
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              },
              {
                "name": "Milliseconds",
                "value": "18446744073709551615"
              },
              {
                "name": "Status",
                "value": "Infinite"
              }
            ],
            "repeated": 0,
            "id": 3157
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 3158
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 3159
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "synchronization",
            "api": "NtReleaseMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              }
            ],
            "repeated": 0,
            "id": 3160
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 3161
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 3162
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "synchronization",
            "api": "NtReleaseMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              }
            ],
            "repeated": 1,
            "id": 3163
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              },
              {
                "name": "Milliseconds",
                "value": "18446744073709551615"
              },
              {
                "name": "Status",
                "value": "Infinite"
              }
            ],
            "repeated": 0,
            "id": 3164
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 3165
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 3166
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "synchronization",
            "api": "NtReleaseMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              }
            ],
            "repeated": 0,
            "id": 3167
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 3168
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 3169
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "synchronization",
            "api": "NtReleaseMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              }
            ],
            "repeated": 1,
            "id": 3170
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              },
              {
                "name": "Milliseconds",
                "value": "18446744073709551615"
              },
              {
                "name": "Status",
                "value": "Infinite"
              }
            ],
            "repeated": 0,
            "id": 3171
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 3172
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 3173
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "synchronization",
            "api": "NtReleaseMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              }
            ],
            "repeated": 0,
            "id": 3174
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 3175
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 3176
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "synchronization",
            "api": "NtReleaseMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              }
            ],
            "repeated": 1,
            "id": 3177
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              },
              {
                "name": "Milliseconds",
                "value": "18446744073709551615"
              },
              {
                "name": "Status",
                "value": "Infinite"
              }
            ],
            "repeated": 0,
            "id": 3178
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 3179
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 3180
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "synchronization",
            "api": "NtReleaseMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              }
            ],
            "repeated": 0,
            "id": 3181
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 3182
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 3183
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "synchronization",
            "api": "NtReleaseMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              }
            ],
            "repeated": 1,
            "id": 3184
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              },
              {
                "name": "Milliseconds",
                "value": "18446744073709551615"
              },
              {
                "name": "Status",
                "value": "Infinite"
              }
            ],
            "repeated": 0,
            "id": 3185
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 3186
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 3187
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "synchronization",
            "api": "NtReleaseMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              }
            ],
            "repeated": 0,
            "id": 3188
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 3189
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 3190
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "synchronization",
            "api": "NtReleaseMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              }
            ],
            "repeated": 1,
            "id": 3191
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              },
              {
                "name": "Milliseconds",
                "value": "18446744073709551615"
              },
              {
                "name": "Status",
                "value": "Infinite"
              }
            ],
            "repeated": 0,
            "id": 3192
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 3193
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 3194
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "synchronization",
            "api": "NtReleaseMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              }
            ],
            "repeated": 0,
            "id": 3195
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 3196
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 3197
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "synchronization",
            "api": "NtReleaseMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              }
            ],
            "repeated": 1,
            "id": 3198
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              },
              {
                "name": "Milliseconds",
                "value": "18446744073709551615"
              },
              {
                "name": "Status",
                "value": "Infinite"
              }
            ],
            "repeated": 0,
            "id": 3199
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 3200
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 3201
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "synchronization",
            "api": "NtReleaseMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              }
            ],
            "repeated": 0,
            "id": 3202
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 3203
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 3204
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "synchronization",
            "api": "NtReleaseMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              }
            ],
            "repeated": 1,
            "id": 3205
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              },
              {
                "name": "Milliseconds",
                "value": "18446744073709551615"
              },
              {
                "name": "Status",
                "value": "Infinite"
              }
            ],
            "repeated": 0,
            "id": 3206
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 3207
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 3208
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "synchronization",
            "api": "NtReleaseMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              }
            ],
            "repeated": 0,
            "id": 3209
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 3210
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 3211
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "synchronization",
            "api": "NtReleaseMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              }
            ],
            "repeated": 1,
            "id": 3212
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              },
              {
                "name": "Milliseconds",
                "value": "18446744073709551615"
              },
              {
                "name": "Status",
                "value": "Infinite"
              }
            ],
            "repeated": 0,
            "id": 3213
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 3214
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 3215
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "synchronization",
            "api": "NtReleaseMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              }
            ],
            "repeated": 0,
            "id": 3216
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 3217
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 3218
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "synchronization",
            "api": "NtReleaseMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              }
            ],
            "repeated": 1,
            "id": 3219
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              },
              {
                "name": "Milliseconds",
                "value": "18446744073709551615"
              },
              {
                "name": "Status",
                "value": "Infinite"
              }
            ],
            "repeated": 0,
            "id": 3220
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 3221
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 3222
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "synchronization",
            "api": "NtReleaseMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              }
            ],
            "repeated": 0,
            "id": 3223
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 3224
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 3225
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "synchronization",
            "api": "NtReleaseMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              }
            ],
            "repeated": 1,
            "id": 3226
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              },
              {
                "name": "Milliseconds",
                "value": "18446744073709551615"
              },
              {
                "name": "Status",
                "value": "Infinite"
              }
            ],
            "repeated": 0,
            "id": 3227
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 3228
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 3229
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "synchronization",
            "api": "NtReleaseMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              }
            ],
            "repeated": 0,
            "id": 3230
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 3231
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 3232
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "synchronization",
            "api": "NtReleaseMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              }
            ],
            "repeated": 0,
            "id": 3233
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 3234
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 3235
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "synchronization",
            "api": "NtReleaseMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              }
            ],
            "repeated": 0,
            "id": 3236
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 3237
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 3238
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "synchronization",
            "api": "NtReleaseMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              }
            ],
            "repeated": 1,
            "id": 3239
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              },
              {
                "name": "Milliseconds",
                "value": "18446744073709551615"
              },
              {
                "name": "Status",
                "value": "Infinite"
              }
            ],
            "repeated": 0,
            "id": 3240
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "1496",
            "caller": "0x7ff6c28df32d",
            "parentcaller": "0x7ff6c28d4106",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00000042"
              },
              {
                "name": "uiParam",
                "value": "0x00000010"
              }
            ],
            "repeated": 0,
            "id": 3241
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 3242
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 3243
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "synchronization",
            "api": "NtReleaseMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              }
            ],
            "repeated": 0,
            "id": 3244
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "1496",
            "caller": "0x7ff6c28df32d",
            "parentcaller": "0x7ff6c28d4106",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00000042"
              },
              {
                "name": "uiParam",
                "value": "0x00000010"
              }
            ],
            "repeated": 0,
            "id": 3245
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 3246
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 3247
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "synchronization",
            "api": "NtReleaseMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              }
            ],
            "repeated": 1,
            "id": 3248
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              },
              {
                "name": "Milliseconds",
                "value": "18446744073709551615"
              },
              {
                "name": "Status",
                "value": "Infinite"
              }
            ],
            "repeated": 0,
            "id": 3249
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 3250
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 3251
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "synchronization",
            "api": "NtReleaseMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              }
            ],
            "repeated": 0,
            "id": 3252
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 3253
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 3254
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "synchronization",
            "api": "NtReleaseMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              }
            ],
            "repeated": 1,
            "id": 3255
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              },
              {
                "name": "Milliseconds",
                "value": "18446744073709551615"
              },
              {
                "name": "Status",
                "value": "Infinite"
              }
            ],
            "repeated": 0,
            "id": 3256
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "1496",
            "caller": "0x7ff6c28df32d",
            "parentcaller": "0x7ff6c28d4106",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "Software\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes"
              },
              {
                "name": "Handle",
                "value": "0x00000498"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes"
              }
            ],
            "repeated": 0,
            "id": 3257
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "synchronization",
            "api": "NtReleaseMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              }
            ],
            "repeated": 0,
            "id": 3258
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "1496",
            "caller": "0x7ff6c28df32d",
            "parentcaller": "0x7ff6c28d4106",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000498"
              },
              {
                "name": "ValueName",
                "value": "Segoe UI"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes\\Segoe UI"
              }
            ],
            "repeated": 0,
            "id": 3259
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "synchronization",
            "api": "NtReleaseMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              }
            ],
            "repeated": 0,
            "id": 3260
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              },
              {
                "name": "Milliseconds",
                "value": "18446744073709551615"
              },
              {
                "name": "Status",
                "value": "Infinite"
              }
            ],
            "repeated": 0,
            "id": 3261
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "1496",
            "caller": "0x7ff6c28df32d",
            "parentcaller": "0x7ff6c28d4106",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000498"
              }
            ],
            "repeated": 0,
            "id": 3262
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 3263
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 3264
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "synchronization",
            "api": "NtReleaseMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              }
            ],
            "repeated": 0,
            "id": 3265
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "1496",
            "caller": "0x7ff6c28df32d",
            "parentcaller": "0x7ff6c28d4106",
            "category": "synchronization",
            "api": "NtAddAtomEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "AtomName",
                "value": "UxSubclassInfo"
              },
              {
                "name": "Atom",
                "value": "0x0000c018"
              }
            ],
            "repeated": 0,
            "id": 3266
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 3267
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 3268
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "synchronization",
            "api": "NtReleaseMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              }
            ],
            "repeated": 1,
            "id": 3269
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              },
              {
                "name": "Milliseconds",
                "value": "18446744073709551615"
              },
              {
                "name": "Status",
                "value": "Infinite"
              }
            ],
            "repeated": 0,
            "id": 3270
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 3271
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 3272
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "synchronization",
            "api": "NtReleaseMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              }
            ],
            "repeated": 0,
            "id": 3273
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 3274
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 3275
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "synchronization",
            "api": "NtReleaseMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              }
            ],
            "repeated": 1,
            "id": 3276
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "1496",
            "caller": "0x7ff6c28df32d",
            "parentcaller": "0x7ff6c28d4106",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "Software\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes"
              },
              {
                "name": "Handle",
                "value": "0x00000498"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes"
              }
            ],
            "repeated": 0,
            "id": 3277
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 3278
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 3279
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "synchronization",
            "api": "NtReleaseMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              }
            ],
            "repeated": 0,
            "id": 3280
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "1496",
            "caller": "0x7ff6c28df32d",
            "parentcaller": "0x7ff6c28d4106",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000498"
              },
              {
                "name": "ValueName",
                "value": "Segoe UI"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes\\Segoe UI"
              }
            ],
            "repeated": 0,
            "id": 3281
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "synchronization",
            "api": "NtReleaseMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              }
            ],
            "repeated": 0,
            "id": 3282
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              },
              {
                "name": "Milliseconds",
                "value": "18446744073709551615"
              },
              {
                "name": "Status",
                "value": "Infinite"
              }
            ],
            "repeated": 0,
            "id": 3283
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "1496",
            "caller": "0x7ff6c28df32d",
            "parentcaller": "0x7ff6c28d4106",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000498"
              }
            ],
            "repeated": 0,
            "id": 3284
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 3285
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 3286
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "synchronization",
            "api": "NtReleaseMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              }
            ],
            "repeated": 0,
            "id": 3287
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 3288
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 3289
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "synchronization",
            "api": "NtReleaseMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              }
            ],
            "repeated": 0,
            "id": 3290
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              },
              {
                "name": "Milliseconds",
                "value": "18446744073709551615"
              },
              {
                "name": "Status",
                "value": "Infinite"
              }
            ],
            "repeated": 0,
            "id": 3291
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 3292
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 3293
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "1496",
            "caller": "0x7ff6c28df349",
            "parentcaller": "0x7ff6c28d4106",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00000042"
              },
              {
                "name": "uiParam",
                "value": "0x00000010"
              }
            ],
            "repeated": 0,
            "id": 3294
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "synchronization",
            "api": "NtReleaseMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              }
            ],
            "repeated": 0,
            "id": 3295
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 3296
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 3297
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "1496",
            "caller": "0x7ff6c28df349",
            "parentcaller": "0x7ff6c28d4106",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00000042"
              },
              {
                "name": "uiParam",
                "value": "0x00000010"
              }
            ],
            "repeated": 0,
            "id": 3298
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "synchronization",
            "api": "NtReleaseMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              }
            ],
            "repeated": 1,
            "id": 3299
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              },
              {
                "name": "Milliseconds",
                "value": "18446744073709551615"
              },
              {
                "name": "Status",
                "value": "Infinite"
              }
            ],
            "repeated": 0,
            "id": 3300
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 3301
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 3302
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "1496",
            "caller": "0x7ff6c28df349",
            "parentcaller": "0x7ff6c28d4106",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00000042"
              },
              {
                "name": "uiParam",
                "value": "0x00000010"
              }
            ],
            "repeated": 0,
            "id": 3303
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "synchronization",
            "api": "NtReleaseMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              }
            ],
            "repeated": 0,
            "id": 3304
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "1496",
            "caller": "0x7ff6c28df349",
            "parentcaller": "0x7ff6c28d4106",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00001022"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 3305
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 3306
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 3307
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "synchronization",
            "api": "NtReleaseMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              }
            ],
            "repeated": 1,
            "id": 3308
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              },
              {
                "name": "Milliseconds",
                "value": "18446744073709551615"
              },
              {
                "name": "Status",
                "value": "Infinite"
              }
            ],
            "repeated": 0,
            "id": 3309
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 3310
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 3311
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4106",
            "parentcaller": "0x7ff6c28d2e59",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00000042"
              },
              {
                "name": "uiParam",
                "value": "0x00000010"
              }
            ],
            "repeated": 0,
            "id": 3312
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "synchronization",
            "api": "NtReleaseMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              }
            ],
            "repeated": 0,
            "id": 3313
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 3314
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 3315
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "synchronization",
            "api": "NtReleaseMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              }
            ],
            "repeated": 1,
            "id": 3316
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              },
              {
                "name": "Milliseconds",
                "value": "18446744073709551615"
              },
              {
                "name": "Status",
                "value": "Infinite"
              }
            ],
            "repeated": 0,
            "id": 3317
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 3318
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 3319
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "synchronization",
            "api": "NtReleaseMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              }
            ],
            "repeated": 0,
            "id": 3320
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 3321
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 3322
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "synchronization",
            "api": "NtReleaseMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              }
            ],
            "repeated": 1,
            "id": 3323
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              },
              {
                "name": "Milliseconds",
                "value": "18446744073709551615"
              },
              {
                "name": "Status",
                "value": "Infinite"
              }
            ],
            "repeated": 0,
            "id": 3324
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 3325
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 3326
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "synchronization",
            "api": "NtReleaseMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              }
            ],
            "repeated": 0,
            "id": 3327
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4106",
            "parentcaller": "0x7ff6c28d2e59",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "Software\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes"
              },
              {
                "name": "Handle",
                "value": "0x00000498"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes"
              }
            ],
            "repeated": 0,
            "id": 3328
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 3329
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 3330
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4106",
            "parentcaller": "0x7ff6c28d2e59",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000498"
              },
              {
                "name": "ValueName",
                "value": "Segoe UI"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes\\Segoe UI"
              }
            ],
            "repeated": 0,
            "id": 3331
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 3332
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 3333
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "synchronization",
            "api": "NtReleaseMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              }
            ],
            "repeated": 0,
            "id": 3334
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4106",
            "parentcaller": "0x7ff6c28d2e59",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000498"
              }
            ],
            "repeated": 0,
            "id": 3335
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 3336
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 3337
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "synchronization",
            "api": "NtReleaseMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              }
            ],
            "repeated": 1,
            "id": 3338
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              },
              {
                "name": "Milliseconds",
                "value": "18446744073709551615"
              },
              {
                "name": "Status",
                "value": "Infinite"
              }
            ],
            "repeated": 0,
            "id": 3339
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 3340
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 3341
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 3342
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 3343
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4106",
            "parentcaller": "0x7ff6c28d2e59",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "Software\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes"
              },
              {
                "name": "Handle",
                "value": "0x00000498"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes"
              }
            ],
            "repeated": 0,
            "id": 3344
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              },
              {
                "name": "Milliseconds",
                "value": "18446744073709551615"
              },
              {
                "name": "Status",
                "value": "Infinite"
              }
            ],
            "repeated": 0,
            "id": 3345
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4106",
            "parentcaller": "0x7ff6c28d2e59",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000498"
              },
              {
                "name": "ValueName",
                "value": "Segoe UI"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes\\Segoe UI"
              }
            ],
            "repeated": 0,
            "id": 3346
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "synchronization",
            "api": "NtReleaseMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              }
            ],
            "repeated": 0,
            "id": 3347
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 3348
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 3349
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4106",
            "parentcaller": "0x7ff6c28d2e59",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000498"
              }
            ],
            "repeated": 0,
            "id": 3350
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "synchronization",
            "api": "NtReleaseMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              }
            ],
            "repeated": 1,
            "id": 3351
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              },
              {
                "name": "Milliseconds",
                "value": "18446744073709551615"
              },
              {
                "name": "Status",
                "value": "Infinite"
              }
            ],
            "repeated": 0,
            "id": 3352
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 3353
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 3354
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "synchronization",
            "api": "NtReleaseMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              }
            ],
            "repeated": 0,
            "id": 3355
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 3356
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 3357
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "synchronization",
            "api": "NtReleaseMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              }
            ],
            "repeated": 1,
            "id": 3358
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "1496",
            "caller": "0x7ff6c28b4b7e",
            "parentcaller": "0x7ff6c28b4ae4",
            "category": "misc",
            "api": "GetSystemMetrics",
            "status": true,
            "return": "0x00000780",
            "arguments": [
              {
                "name": "SystemMetricIndex",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 3359
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              },
              {
                "name": "Milliseconds",
                "value": "18446744073709551615"
              },
              {
                "name": "Status",
                "value": "Infinite"
              }
            ],
            "repeated": 0,
            "id": 3360
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 3361
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 3362
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "synchronization",
            "api": "NtReleaseMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              }
            ],
            "repeated": 0,
            "id": 3363
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 3364
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 3365
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "synchronization",
            "api": "NtReleaseMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              }
            ],
            "repeated": 1,
            "id": 3366
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              },
              {
                "name": "Milliseconds",
                "value": "18446744073709551615"
              },
              {
                "name": "Status",
                "value": "Infinite"
              }
            ],
            "repeated": 0,
            "id": 3367
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 3368
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 3369
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 3370
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 3371
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "synchronization",
            "api": "NtReleaseMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              }
            ],
            "repeated": 1,
            "id": 3372
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              },
              {
                "name": "Milliseconds",
                "value": "18446744073709551615"
              },
              {
                "name": "Status",
                "value": "Infinite"
              }
            ],
            "repeated": 0,
            "id": 3373
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 3374
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 3375
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "synchronization",
            "api": "NtReleaseMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              }
            ],
            "repeated": 0,
            "id": 3376
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 3377
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 3378
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "synchronization",
            "api": "NtReleaseMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              }
            ],
            "repeated": 1,
            "id": 3379
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              },
              {
                "name": "Milliseconds",
                "value": "18446744073709551615"
              },
              {
                "name": "Status",
                "value": "Infinite"
              }
            ],
            "repeated": 0,
            "id": 3380
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 3381
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 3382
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "1496",
            "caller": "0x7ff6c28b4b7e",
            "parentcaller": "0x7ff6c28b4ae4",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00000042"
              },
              {
                "name": "uiParam",
                "value": "0x00000010"
              }
            ],
            "repeated": 0,
            "id": 3383
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 3384
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 3385
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "synchronization",
            "api": "NtReleaseMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              }
            ],
            "repeated": 1,
            "id": 3386
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              },
              {
                "name": "Milliseconds",
                "value": "18446744073709551615"
              },
              {
                "name": "Status",
                "value": "Infinite"
              }
            ],
            "repeated": 0,
            "id": 3387
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "1496",
            "caller": "0x7ff6c28b4b7e",
            "parentcaller": "0x7ff6c28b4ae4",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 0,
            "id": 3388
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 3389
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 3390
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "synchronization",
            "api": "NtReleaseMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              }
            ],
            "repeated": 0,
            "id": 3391
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 3392
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 3393
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "synchronization",
            "api": "NtReleaseMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              }
            ],
            "repeated": 1,
            "id": 3394
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              },
              {
                "name": "Milliseconds",
                "value": "18446744073709551615"
              },
              {
                "name": "Status",
                "value": "Infinite"
              }
            ],
            "repeated": 0,
            "id": 3395
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 3396
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 3397
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "synchronization",
            "api": "NtReleaseMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              }
            ],
            "repeated": 0,
            "id": 3398
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 3399
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 3400
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "synchronization",
            "api": "NtReleaseMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              }
            ],
            "repeated": 1,
            "id": 3401
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "1496",
            "caller": "0x7ff6c28b4b7e",
            "parentcaller": "0x7ff6c28b4ae4",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 0,
            "id": 3402
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              },
              {
                "name": "Milliseconds",
                "value": "18446744073709551615"
              },
              {
                "name": "Status",
                "value": "Infinite"
              }
            ],
            "repeated": 0,
            "id": 3403
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 3404
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 3405
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "synchronization",
            "api": "NtReleaseMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              }
            ],
            "repeated": 0,
            "id": 3406
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 3407
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 3408
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "synchronization",
            "api": "NtReleaseMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              }
            ],
            "repeated": 0,
            "id": 3409
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "1496",
            "caller": "0x7ff6c28b4b7e",
            "parentcaller": "0x7ff6c28b4ae4",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc77ef8000"
              },
              {
                "name": "ModuleName",
                "value": "GDI32.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 3410
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "synchronization",
            "api": "NtReleaseMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              }
            ],
            "repeated": 0,
            "id": 3411
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              },
              {
                "name": "Milliseconds",
                "value": "18446744073709551615"
              },
              {
                "name": "Status",
                "value": "Infinite"
              }
            ],
            "repeated": 0,
            "id": 3412
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "1496",
            "caller": "0x7ff6c28b4b7e",
            "parentcaller": "0x7ff6c28b4ae4",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc77ef8000"
              },
              {
                "name": "ModuleName",
                "value": "GDI32.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 3413
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "synchronization",
            "api": "NtReleaseMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              }
            ],
            "repeated": 0,
            "id": 3414
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 3415
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 3416
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "synchronization",
            "api": "NtReleaseMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              }
            ],
            "repeated": 1,
            "id": 3417
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 3418
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 3419
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "synchronization",
            "api": "NtReleaseMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              }
            ],
            "repeated": 0,
            "id": 3420
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 3421
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 3422
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "synchronization",
            "api": "NtReleaseMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              }
            ],
            "repeated": 1,
            "id": 3423
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              },
              {
                "name": "Milliseconds",
                "value": "18446744073709551615"
              },
              {
                "name": "Status",
                "value": "Infinite"
              }
            ],
            "repeated": 0,
            "id": 3424
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 3425
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 3426
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 3427
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 3428
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "synchronization",
            "api": "NtReleaseMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              }
            ],
            "repeated": 1,
            "id": 3429
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              },
              {
                "name": "Milliseconds",
                "value": "18446744073709551615"
              },
              {
                "name": "Status",
                "value": "Infinite"
              }
            ],
            "repeated": 0,
            "id": 3430
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 3431
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 3432
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "synchronization",
            "api": "NtReleaseMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              }
            ],
            "repeated": 0,
            "id": 3433
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 3434
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 3435
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "synchronization",
            "api": "NtReleaseMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              }
            ],
            "repeated": 1,
            "id": 3436
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              },
              {
                "name": "Milliseconds",
                "value": "18446744073709551615"
              },
              {
                "name": "Status",
                "value": "Infinite"
              }
            ],
            "repeated": 0,
            "id": 3437
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 3438
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 3439
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "synchronization",
            "api": "NtReleaseMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              }
            ],
            "repeated": 0,
            "id": 3440
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 3441
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 3442
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "synchronization",
            "api": "NtReleaseMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              }
            ],
            "repeated": 1,
            "id": 3443
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              },
              {
                "name": "Milliseconds",
                "value": "18446744073709551615"
              },
              {
                "name": "Status",
                "value": "Infinite"
              }
            ],
            "repeated": 0,
            "id": 3444
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 3445
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 3446
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 3447
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 3448
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "synchronization",
            "api": "NtReleaseMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              }
            ],
            "repeated": 1,
            "id": 3449
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              },
              {
                "name": "Milliseconds",
                "value": "18446744073709551615"
              },
              {
                "name": "Status",
                "value": "Infinite"
              }
            ],
            "repeated": 0,
            "id": 3450
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 3451
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 3452
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "synchronization",
            "api": "NtReleaseMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              }
            ],
            "repeated": 0,
            "id": 3453
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "1496",
            "caller": "0x7ff6c28b4b7e",
            "parentcaller": "0x7ff6c28b4ae4",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76722000"
              },
              {
                "name": "ModuleName",
                "value": "SHLWAPI.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 3454
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 3455
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 3456
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "synchronization",
            "api": "NtReleaseMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              }
            ],
            "repeated": 0,
            "id": 3457
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              },
              {
                "name": "Milliseconds",
                "value": "18446744073709551615"
              },
              {
                "name": "Status",
                "value": "Infinite"
              }
            ],
            "repeated": 0,
            "id": 3458
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 3459
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 3460
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "1496",
            "caller": "0x7ff6c28b4b7e",
            "parentcaller": "0x7ff6c28b4ae4",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "comctl32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc61e00000"
              }
            ],
            "repeated": 0,
            "id": 3461
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "1496",
            "caller": "0x7ff6c28b4b7e",
            "parentcaller": "0x7ff6c28b4ae4",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x7ffc61e00000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "comctl32.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 3462
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "synchronization",
            "api": "NtReleaseMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              }
            ],
            "repeated": 1,
            "id": 3463
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "1496",
            "caller": "0x7ff6c28b4b7e",
            "parentcaller": "0x7ff6c28b4ae4",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "COMCTL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc61e00000"
              },
              {
                "name": "FunctionName",
                "value": "RegisterClassNameW"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc61e85670"
              }
            ],
            "repeated": 0,
            "id": 3464
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              },
              {
                "name": "Milliseconds",
                "value": "18446744073709551615"
              },
              {
                "name": "Status",
                "value": "Infinite"
              }
            ],
            "repeated": 0,
            "id": 3465
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 3466
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 3467
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "synchronization",
            "api": "NtReleaseMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              }
            ],
            "repeated": 0,
            "id": 3468
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 3469
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 3470
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "synchronization",
            "api": "NtReleaseMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              }
            ],
            "repeated": 1,
            "id": 3471
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              },
              {
                "name": "Milliseconds",
                "value": "18446744073709551615"
              },
              {
                "name": "Status",
                "value": "Infinite"
              }
            ],
            "repeated": 0,
            "id": 3472
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 3473
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 3474
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "synchronization",
            "api": "NtReleaseMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              }
            ],
            "repeated": 0,
            "id": 3475
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 3476
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 3477
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "synchronization",
            "api": "NtReleaseMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              }
            ],
            "repeated": 1,
            "id": 3478
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 3479
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 3480
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "synchronization",
            "api": "NtReleaseMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              }
            ],
            "repeated": 0,
            "id": 3481
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "1496",
            "caller": "0x7ff6c28b4b7e",
            "parentcaller": "0x7ff6c28b4ae4",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00000042"
              },
              {
                "name": "uiParam",
                "value": "0x00000010"
              }
            ],
            "repeated": 0,
            "id": 3482
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 3483
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 3484
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "synchronization",
            "api": "NtReleaseMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              }
            ],
            "repeated": 1,
            "id": 3485
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              },
              {
                "name": "Milliseconds",
                "value": "18446744073709551615"
              },
              {
                "name": "Status",
                "value": "Infinite"
              }
            ],
            "repeated": 0,
            "id": 3486
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 3487
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 3488
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "1496",
            "caller": "0x7ff6c28b4b7e",
            "parentcaller": "0x7ff6c28b4ae4",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00000042"
              },
              {
                "name": "uiParam",
                "value": "0x00000010"
              }
            ],
            "repeated": 0,
            "id": 3489
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "synchronization",
            "api": "NtReleaseMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              }
            ],
            "repeated": 0,
            "id": 3490
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 3491
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 3492
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "synchronization",
            "api": "NtReleaseMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              }
            ],
            "repeated": 1,
            "id": 3493
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              },
              {
                "name": "Milliseconds",
                "value": "18446744073709551615"
              },
              {
                "name": "Status",
                "value": "Infinite"
              }
            ],
            "repeated": 0,
            "id": 3494
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 3495
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 3496
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "synchronization",
            "api": "NtReleaseMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              }
            ],
            "repeated": 0,
            "id": 3497
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 3498
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 3499
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "synchronization",
            "api": "NtReleaseMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              }
            ],
            "repeated": 0,
            "id": 3500
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "1496",
            "caller": "0x7ff6c28b4b7e",
            "parentcaller": "0x7ff6c28b4ae4",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "Software\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes"
              },
              {
                "name": "Handle",
                "value": "0x00000498"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes"
              }
            ],
            "repeated": 0,
            "id": 3501
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 3502
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 3503
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "synchronization",
            "api": "NtReleaseMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              }
            ],
            "repeated": 0,
            "id": 3504
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "1496",
            "caller": "0x7ff6c28b4b7e",
            "parentcaller": "0x7ff6c28b4ae4",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000498"
              },
              {
                "name": "ValueName",
                "value": "Segoe UI"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes\\Segoe UI"
              }
            ],
            "repeated": 0,
            "id": 3505
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "synchronization",
            "api": "NtReleaseMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              }
            ],
            "repeated": 0,
            "id": 3506
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ffc756d30ce",
            "parentcaller": "0x7ffc775cf3c0",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              },
              {
                "name": "Milliseconds",
                "value": "18446744073709551615"
              },
              {
                "name": "Status",
                "value": "Infinite"
              }
            ],
            "repeated": 0,
            "id": 3507
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "1496",
            "caller": "0x7ff6c28b4b7e",
            "parentcaller": "0x7ff6c28b4ae4",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000498"
              }
            ],
            "repeated": 0,
            "id": 3508
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 3509
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 3510
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "synchronization",
            "api": "NtReleaseMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              }
            ],
            "repeated": 0,
            "id": 3511
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 3512
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 3513
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "synchronization",
            "api": "NtReleaseMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              }
            ],
            "repeated": 1,
            "id": 3514
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              },
              {
                "name": "Milliseconds",
                "value": "18446744073709551615"
              },
              {
                "name": "Status",
                "value": "Infinite"
              }
            ],
            "repeated": 0,
            "id": 3515
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 3516
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 3517
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "synchronization",
            "api": "NtReleaseMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              }
            ],
            "repeated": 0,
            "id": 3518
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 3519
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 3520
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "synchronization",
            "api": "NtReleaseMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              }
            ],
            "repeated": 1,
            "id": 3521
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              },
              {
                "name": "Milliseconds",
                "value": "18446744073709551615"
              },
              {
                "name": "Status",
                "value": "Infinite"
              }
            ],
            "repeated": 0,
            "id": 3522
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 3523
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 3524
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "synchronization",
            "api": "NtReleaseMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              }
            ],
            "repeated": 0,
            "id": 3525
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 3526
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 3527
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "synchronization",
            "api": "NtReleaseMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              }
            ],
            "repeated": 0,
            "id": 3528
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "1496",
            "caller": "0x7ff6c28b4b7e",
            "parentcaller": "0x7ff6c28b4ae4",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29251499000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 3529
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "synchronization",
            "api": "NtReleaseMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              }
            ],
            "repeated": 0,
            "id": 3530
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              },
              {
                "name": "Milliseconds",
                "value": "18446744073709551615"
              },
              {
                "name": "Status",
                "value": "Infinite"
              }
            ],
            "repeated": 0,
            "id": 3531
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 3532
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 3533
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 3534
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 3535
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "1496",
            "caller": "0x7ff6c28b4b7e",
            "parentcaller": "0x7ff6c28b4ae4",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000498"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\SideBySide"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\SideBySide"
              }
            ],
            "repeated": 0,
            "id": 3536
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "synchronization",
            "api": "NtReleaseMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              }
            ],
            "repeated": 1,
            "id": 3537
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "1496",
            "caller": "0x7ff6c28b4b7e",
            "parentcaller": "0x7ff6c28b4ae4",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000498"
              },
              {
                "name": "ValueName",
                "value": "PreferExternalManifest"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\SideBySide\\PreferExternalManifest"
              }
            ],
            "repeated": 0,
            "id": 3538
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "synchronization",
            "api": "NtReleaseMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              }
            ],
            "repeated": 0,
            "id": 3539
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "1496",
            "caller": "0x7ff6c28b4b7e",
            "parentcaller": "0x7ff6c28b4ae4",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000498"
              }
            ],
            "repeated": 0,
            "id": 3540
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "synchronization",
            "api": "NtReleaseMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              }
            ],
            "repeated": 1,
            "id": 3541
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              },
              {
                "name": "Milliseconds",
                "value": "18446744073709551615"
              },
              {
                "name": "Status",
                "value": "Infinite"
              }
            ],
            "repeated": 0,
            "id": 3542
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 3543
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 3544
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "synchronization",
            "api": "NtReleaseMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              }
            ],
            "repeated": 0,
            "id": 3545
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 3546
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 3547
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "synchronization",
            "api": "NtReleaseMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              }
            ],
            "repeated": 1,
            "id": 3548
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              },
              {
                "name": "Milliseconds",
                "value": "18446744073709551615"
              },
              {
                "name": "Status",
                "value": "Infinite"
              }
            ],
            "repeated": 0,
            "id": 3549
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 3550
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 3551
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "synchronization",
            "api": "NtReleaseMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              }
            ],
            "repeated": 0,
            "id": 3552
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 3553
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 3554
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "synchronization",
            "api": "NtReleaseMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              }
            ],
            "repeated": 1,
            "id": 3555
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              },
              {
                "name": "Milliseconds",
                "value": "18446744073709551615"
              },
              {
                "name": "Status",
                "value": "Infinite"
              }
            ],
            "repeated": 0,
            "id": 3556
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 3557
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 3558
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "synchronization",
            "api": "NtReleaseMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              }
            ],
            "repeated": 0,
            "id": 3559
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 3560
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 3561
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "612",
            "caller": "0x7ffc756ddd5d",
            "parentcaller": "0x7ffc775cf4a2",
            "category": "synchronization",
            "api": "NtReleaseMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              }
            ],
            "repeated": 1,
            "id": 3562
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "1496",
            "caller": "0x7ff6c28b4b7e",
            "parentcaller": "0x7ff6c28b4ae4",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x001200a9",
                "pretty_value": "FILE_GENERIC_READ|FILE_GENERIC_EXECUTE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\UxTheme.dll.Config"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 3563
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "1496",
            "caller": "0x7ff6c28b4b7e",
            "parentcaller": "0x7ff6c28b4ae4",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000498"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00120089",
                "pretty_value": "FILE_GENERIC_READ"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\uxtheme.dll"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 3564
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "1496",
            "caller": "0x7ff6c28b4b7e",
            "parentcaller": "0x7ff6c28b4ae4",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000498"
              }
            ],
            "repeated": 0,
            "id": 3565
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "1496",
            "caller": "0x7ff6c28b4b7e",
            "parentcaller": "0x7ff6c28b4ae4",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "comctl32"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc61e00000"
              }
            ],
            "repeated": 0,
            "id": 3566
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "1496",
            "caller": "0x7ff6c28b4b7e",
            "parentcaller": "0x7ff6c28b4ae4",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x7ffc61e00000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "comctl32"
              },
              {
                "name": "dwFlags",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 3567
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "1496",
            "caller": "0x7ff6c28b4b7e",
            "parentcaller": "0x7ff6c28b4ae4",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254370000"
              },
              {
                "name": "RegionSize",
                "value": "0x00002000"
              }
            ],
            "repeated": 0,
            "id": 3568
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "1496",
            "caller": "0x7ff6c28b4b7e",
            "parentcaller": "0x7ff6c28b4ae4",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000498"
              }
            ],
            "repeated": 0,
            "id": 3569
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "1496",
            "caller": "0x7ff6c28b4b7e",
            "parentcaller": "0x7ff6c28b4ae4",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "COMCTL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc61e00000"
              },
              {
                "name": "FunctionName",
                "value": "HIMAGELIST_QueryInterface"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc61e7fa20"
              }
            ],
            "repeated": 0,
            "id": 3570
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "1496",
            "caller": "0x7ff6c28b4b7e",
            "parentcaller": "0x7ff6c28b4ae4",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "COMCTL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc61e00000"
              },
              {
                "name": "FunctionName",
                "value": "DrawShadowText"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc61efcfe0"
              }
            ],
            "repeated": 0,
            "id": 3571
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "1496",
            "caller": "0x7ff6c28b4b7e",
            "parentcaller": "0x7ff6c28b4ae4",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "COMCTL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc61e00000"
              },
              {
                "name": "FunctionName",
                "value": "DrawSizeBox"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc61e8f780"
              }
            ],
            "repeated": 0,
            "id": 3572
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "1496",
            "caller": "0x7ff6c28b4b7e",
            "parentcaller": "0x7ff6c28b4ae4",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "COMCTL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc61e00000"
              },
              {
                "name": "FunctionName",
                "value": "DrawScrollBar"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc61e70d20"
              }
            ],
            "repeated": 0,
            "id": 3573
          },
          {
            "timestamp": "2026-05-28 22:01:57,600",
            "thread_id": "1496",
            "caller": "0x7ff6c28b4b7e",
            "parentcaller": "0x7ff6c28b4ae4",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "COMCTL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc61e00000"
              },
              {
                "name": "FunctionName",
                "value": "SizeBoxHwnd"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc61e752d0"
              }
            ],
            "repeated": 0,
            "id": 3574
          },
          {
            "timestamp": "2026-05-28 22:01:57,615",
            "thread_id": "1496",
            "caller": "0x7ff6c28b4b7e",
            "parentcaller": "0x7ff6c28b4ae4",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "COMCTL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc61e00000"
              },
              {
                "name": "FunctionName",
                "value": "ScrollBar_MouseMove"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc61ef21e0"
              }
            ],
            "repeated": 0,
            "id": 3575
          },
          {
            "timestamp": "2026-05-28 22:01:57,615",
            "thread_id": "1496",
            "caller": "0x7ff6c28b4b7e",
            "parentcaller": "0x7ff6c28b4ae4",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "COMCTL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc61e00000"
              },
              {
                "name": "FunctionName",
                "value": "ScrollBar_Menu"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc61ef1ff0"
              }
            ],
            "repeated": 0,
            "id": 3576
          },
          {
            "timestamp": "2026-05-28 22:01:57,615",
            "thread_id": "1496",
            "caller": "0x7ff6c28b4b7e",
            "parentcaller": "0x7ff6c28b4ae4",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "COMCTL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc61e00000"
              },
              {
                "name": "FunctionName",
                "value": "HandleScrollCmd"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc61ef1f50"
              }
            ],
            "repeated": 0,
            "id": 3577
          },
          {
            "timestamp": "2026-05-28 22:01:57,615",
            "thread_id": "1496",
            "caller": "0x7ff6c28b4b7e",
            "parentcaller": "0x7ff6c28b4ae4",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "COMCTL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc61e00000"
              },
              {
                "name": "FunctionName",
                "value": "DetachScrollBars"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc61e02440"
              }
            ],
            "repeated": 0,
            "id": 3578
          },
          {
            "timestamp": "2026-05-28 22:01:57,615",
            "thread_id": "1496",
            "caller": "0x7ff6c28b4b7e",
            "parentcaller": "0x7ff6c28b4ae4",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "COMCTL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc61e00000"
              },
              {
                "name": "FunctionName",
                "value": "AttachScrollBars"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc61e77150"
              }
            ],
            "repeated": 0,
            "id": 3579
          },
          {
            "timestamp": "2026-05-28 22:01:57,615",
            "thread_id": "1496",
            "caller": "0x7ff6c28b4b7e",
            "parentcaller": "0x7ff6c28b4ae4",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "COMCTL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc61e00000"
              },
              {
                "name": "FunctionName",
                "value": "CCSetScrollInfo"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc61e72230"
              }
            ],
            "repeated": 0,
            "id": 3580
          },
          {
            "timestamp": "2026-05-28 22:01:57,615",
            "thread_id": "1496",
            "caller": "0x7ff6c28b4b7e",
            "parentcaller": "0x7ff6c28b4ae4",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "COMCTL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc61e00000"
              },
              {
                "name": "FunctionName",
                "value": "CCGetScrollInfo"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc61e8bcc0"
              }
            ],
            "repeated": 0,
            "id": 3581
          },
          {
            "timestamp": "2026-05-28 22:01:57,615",
            "thread_id": "1496",
            "caller": "0x7ff6c28b4b7e",
            "parentcaller": "0x7ff6c28b4ae4",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "COMCTL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc61e00000"
              },
              {
                "name": "FunctionName",
                "value": "CCEnableScrollBar"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc61e02830"
              }
            ],
            "repeated": 0,
            "id": 3582
          },
          {
            "timestamp": "2026-05-28 22:01:57,615",
            "thread_id": "1496",
            "caller": "0x7ff6c28b4b7e",
            "parentcaller": "0x7ff6c28b4ae4",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "COMCTL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc61e00000"
              },
              {
                "name": "FunctionName",
                "value": "QuerySystemGestureStatus"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc61ef1fb0"
              }
            ],
            "repeated": 0,
            "id": 3583
          },
          {
            "timestamp": "2026-05-28 22:01:57,615",
            "thread_id": "1496",
            "caller": "0x7ff6c28b4b7e",
            "parentcaller": "0x7ff6c28b4ae4",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00000042"
              },
              {
                "name": "uiParam",
                "value": "0x00000010"
              }
            ],
            "repeated": 0,
            "id": 3584
          },
          {
            "timestamp": "2026-05-28 22:01:57,615",
            "thread_id": "1496",
            "caller": "0x7ff6c28b4b7e",
            "parentcaller": "0x7ff6c28b4ae4",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29250f61000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 3585
          },
          {
            "timestamp": "2026-05-28 22:01:57,615",
            "thread_id": "1496",
            "caller": "0x7ff6c28b50d0",
            "parentcaller": "0x7ff6c28b46ef",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "Comctl32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc61e00000"
              }
            ],
            "repeated": 0,
            "id": 3586
          },
          {
            "timestamp": "2026-05-28 22:01:57,615",
            "thread_id": "1496",
            "caller": "0x7ff6c28b50d0",
            "parentcaller": "0x7ff6c28b46ef",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x7ffc61e00000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "Comctl32.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 3587
          },
          {
            "timestamp": "2026-05-28 22:01:57,615",
            "thread_id": "1496",
            "caller": "0x7ff6c28b50a7",
            "parentcaller": "0x7ff6c28b46ef",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "COMCTL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc61e00000"
              },
              {
                "name": "FunctionName",
                "value": "SetWindowSubclass"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc61e63d40"
              }
            ],
            "repeated": 0,
            "id": 3588
          },
          {
            "timestamp": "2026-05-28 22:01:57,615",
            "thread_id": "1496",
            "caller": "0x7ff6c28b4cd1",
            "parentcaller": "0x7ff6c28b4c33",
            "category": "synchronization",
            "api": "NtAddAtomEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "AtomName",
                "value": "UxSubclassInfo"
              },
              {
                "name": "Atom",
                "value": "0x0000c018"
              }
            ],
            "repeated": 0,
            "id": 3589
          },
          {
            "timestamp": "2026-05-28 22:01:57,615",
            "thread_id": "1496",
            "caller": "0x7ff6c28b4b7e",
            "parentcaller": "0x7ff6c28b4ae4",
            "category": "misc",
            "api": "GetSystemMetrics",
            "status": true,
            "return": "0x00000780",
            "arguments": [
              {
                "name": "SystemMetricIndex",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 3590
          },
          {
            "timestamp": "2026-05-28 22:01:57,615",
            "thread_id": "1496",
            "caller": "0x7ff6c28b4b7e",
            "parentcaller": "0x7ff6c28b4ae4",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00000042"
              },
              {
                "name": "uiParam",
                "value": "0x00000010"
              }
            ],
            "repeated": 0,
            "id": 3591
          },
          {
            "timestamp": "2026-05-28 22:01:57,615",
            "thread_id": "1496",
            "caller": "0x7ff6c28b4b7e",
            "parentcaller": "0x7ff6c28b4ae4",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2925149a000"
              },
              {
                "name": "RegionSize",
                "value": "0x00005000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 3592
          },
          {
            "timestamp": "2026-05-28 22:01:57,615",
            "thread_id": "1496",
            "caller": "0x7ff6c28b4b7e",
            "parentcaller": "0x7ff6c28b4ae4",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 1,
            "id": 3593
          },
          {
            "timestamp": "2026-05-28 22:01:57,615",
            "thread_id": "1496",
            "caller": "0x7ff6c28b4b7e",
            "parentcaller": "0x7ff6c28b4ae4",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00000042"
              },
              {
                "name": "uiParam",
                "value": "0x00000010"
              }
            ],
            "repeated": 1,
            "id": 3594
          },
          {
            "timestamp": "2026-05-28 22:01:57,615",
            "thread_id": "1496",
            "caller": "0x7ff6c28b4b7e",
            "parentcaller": "0x7ff6c28b4ae4",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "Software\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes"
              },
              {
                "name": "Handle",
                "value": "0x00000498"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes"
              }
            ],
            "repeated": 0,
            "id": 3595
          },
          {
            "timestamp": "2026-05-28 22:01:57,615",
            "thread_id": "1496",
            "caller": "0x7ff6c28b4b7e",
            "parentcaller": "0x7ff6c28b4ae4",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000498"
              },
              {
                "name": "ValueName",
                "value": "Segoe UI"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes\\Segoe UI"
              }
            ],
            "repeated": 0,
            "id": 3596
          },
          {
            "timestamp": "2026-05-28 22:01:57,615",
            "thread_id": "1496",
            "caller": "0x7ff6c28b4b7e",
            "parentcaller": "0x7ff6c28b4ae4",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000498"
              }
            ],
            "repeated": 0,
            "id": 3597
          },
          {
            "timestamp": "2026-05-28 22:01:57,615",
            "thread_id": "1496",
            "caller": "0x7ff6c28b4b7e",
            "parentcaller": "0x7ff6c28b4ae4",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00000042"
              },
              {
                "name": "uiParam",
                "value": "0x00000010"
              }
            ],
            "repeated": 0,
            "id": 3598
          },
          {
            "timestamp": "2026-05-28 22:01:57,615",
            "thread_id": "1496",
            "caller": "0x7ff6c28b4cd1",
            "parentcaller": "0x7ff6c28b4c33",
            "category": "synchronization",
            "api": "NtAddAtomEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "AtomName",
                "value": "UxSubclassInfo"
              },
              {
                "name": "Atom",
                "value": "0x0000c018"
              }
            ],
            "repeated": 0,
            "id": 3599
          },
          {
            "timestamp": "2026-05-28 22:01:57,615",
            "thread_id": "1496",
            "caller": "0x7ff6c28cdfee",
            "parentcaller": "0x7ff6c28d2e98",
            "category": "misc",
            "api": "FindResourceExW",
            "status": true,
            "return": "0x2924e1b1ea8",
            "arguments": [
              {
                "name": "Module",
                "value": "0x7ff6c28b0000"
              },
              {
                "name": "Type",
                "value": "#6"
              },
              {
                "name": "Name",
                "value": "#2328"
              },
              {
                "name": "Language",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 3600
          },
          {
            "timestamp": "2026-05-28 22:01:57,615",
            "thread_id": "1496",
            "caller": "0x7ff6c28cdfee",
            "parentcaller": "0x7ff6c28d2e98",
            "category": "misc",
            "api": "LoadResource",
            "status": true,
            "return": "0x2924e1bcac0",
            "arguments": [
              {
                "name": "Module",
                "value": "0x7ff6c28b0000"
              },
              {
                "name": "ResourceInfo",
                "value": "0x2924e1b1ea8"
              }
            ],
            "repeated": 0,
            "id": 3601
          },
          {
            "timestamp": "2026-05-28 22:01:57,615",
            "thread_id": "1496",
            "caller": "0x7ff6c28cdfee",
            "parentcaller": "0x7ff6c28d2e98",
            "category": "misc",
            "api": "FindResourceExW",
            "status": true,
            "return": "0x2924e1b1d48",
            "arguments": [
              {
                "name": "Module",
                "value": "0x7ff6c28b0000"
              },
              {
                "name": "Type",
                "value": "#6"
              },
              {
                "name": "Name",
                "value": "#2156"
              },
              {
                "name": "Language",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 3602
          },
          {
            "timestamp": "2026-05-28 22:01:57,615",
            "thread_id": "1496",
            "caller": "0x7ff6c28cdfee",
            "parentcaller": "0x7ff6c28d2e98",
            "category": "misc",
            "api": "LoadResource",
            "status": true,
            "return": "0x2924e1bb234",
            "arguments": [
              {
                "name": "Module",
                "value": "0x7ff6c28b0000"
              },
              {
                "name": "ResourceInfo",
                "value": "0x2924e1b1d48"
              }
            ],
            "repeated": 0,
            "id": 3603
          },
          {
            "timestamp": "2026-05-28 22:01:57,615",
            "thread_id": "1496",
            "caller": "0x7ff6c28cdfee",
            "parentcaller": "0x7ff6c28d2e98",
            "category": "misc",
            "api": "FindResourceExW",
            "status": true,
            "return": "0x29252ef1968",
            "arguments": [
              {
                "name": "Module",
                "value": "0x7ff6c28b0000"
              },
              {
                "name": "Type",
                "value": "#2"
              },
              {
                "name": "Name",
                "value": "#31212"
              },
              {
                "name": "Language",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 3604
          },
          {
            "timestamp": "2026-05-28 22:01:57,615",
            "thread_id": "1496",
            "caller": "0x7ff6c28cdfee",
            "parentcaller": "0x7ff6c28d2e98",
            "category": "misc",
            "api": "LoadResource",
            "status": true,
            "return": "0x29252f46180",
            "arguments": [
              {
                "name": "Module",
                "value": "0x7ff6c28b0000"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29252ef1968"
              }
            ],
            "repeated": 0,
            "id": 3605
          },
          {
            "timestamp": "2026-05-28 22:01:57,615",
            "thread_id": "1496",
            "caller": "0x7ff6c28cdfee",
            "parentcaller": "0x7ff6c28d2e98",
            "category": "misc",
            "api": "FindResourceExW",
            "status": true,
            "return": "0x2924e1b1cd8",
            "arguments": [
              {
                "name": "Module",
                "value": "0x7ff6c28b0000"
              },
              {
                "name": "Type",
                "value": "#6"
              },
              {
                "name": "Name",
                "value": "#2144"
              },
              {
                "name": "Language",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 3606
          },
          {
            "timestamp": "2026-05-28 22:01:57,615",
            "thread_id": "1496",
            "caller": "0x7ff6c28cdfee",
            "parentcaller": "0x7ff6c28d2e98",
            "category": "misc",
            "api": "LoadResource",
            "status": true,
            "return": "0x2924e1bab80",
            "arguments": [
              {
                "name": "Module",
                "value": "0x7ff6c28b0000"
              },
              {
                "name": "ResourceInfo",
                "value": "0x2924e1b1cd8"
              }
            ],
            "repeated": 0,
            "id": 3607
          },
          {
            "timestamp": "2026-05-28 22:01:57,615",
            "thread_id": "1496",
            "caller": "0x7ff6c28cdfee",
            "parentcaller": "0x7ff6c28d2e98",
            "category": "misc",
            "api": "FindResourceExW",
            "status": true,
            "return": "0x2924e1b1cc8",
            "arguments": [
              {
                "name": "Module",
                "value": "0x7ff6c28b0000"
              },
              {
                "name": "Type",
                "value": "#6"
              },
              {
                "name": "Name",
                "value": "#2143"
              },
              {
                "name": "Language",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 3608
          },
          {
            "timestamp": "2026-05-28 22:01:57,615",
            "thread_id": "1496",
            "caller": "0x7ff6c28cdfee",
            "parentcaller": "0x7ff6c28d2e98",
            "category": "misc",
            "api": "LoadResource",
            "status": true,
            "return": "0x2924e1ba98c",
            "arguments": [
              {
                "name": "Module",
                "value": "0x7ff6c28b0000"
              },
              {
                "name": "ResourceInfo",
                "value": "0x2924e1b1cc8"
              }
            ],
            "repeated": 0,
            "id": 3609
          },
          {
            "timestamp": "2026-05-28 22:01:57,615",
            "thread_id": "1496",
            "caller": "0x7ff6c28cdfee",
            "parentcaller": "0x7ff6c28d2e98",
            "category": "misc",
            "api": "FindResourceExW",
            "status": true,
            "return": "0x2924e1b1cd8",
            "arguments": [
              {
                "name": "Module",
                "value": "0x7ff6c28b0000"
              },
              {
                "name": "Type",
                "value": "#6"
              },
              {
                "name": "Name",
                "value": "#2144"
              },
              {
                "name": "Language",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 3610
          },
          {
            "timestamp": "2026-05-28 22:01:57,615",
            "thread_id": "1496",
            "caller": "0x7ff6c28cdfee",
            "parentcaller": "0x7ff6c28d2e98",
            "category": "misc",
            "api": "LoadResource",
            "status": true,
            "return": "0x2924e1bab80",
            "arguments": [
              {
                "name": "Module",
                "value": "0x7ff6c28b0000"
              },
              {
                "name": "ResourceInfo",
                "value": "0x2924e1b1cd8"
              }
            ],
            "repeated": 0,
            "id": 3611
          },
          {
            "timestamp": "2026-05-28 22:01:57,615",
            "thread_id": "1496",
            "caller": "0x7ff6c28cdfee",
            "parentcaller": "0x7ff6c28d2e98",
            "category": "misc",
            "api": "FindResourceExW",
            "status": true,
            "return": "0x2924e1b1ee8",
            "arguments": [
              {
                "name": "Module",
                "value": "0x7ff6c28b0000"
              },
              {
                "name": "Type",
                "value": "#6"
              },
              {
                "name": "Name",
                "value": "#2376"
              },
              {
                "name": "Language",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 3612
          },
          {
            "timestamp": "2026-05-28 22:01:57,615",
            "thread_id": "1496",
            "caller": "0x7ff6c28cdfee",
            "parentcaller": "0x7ff6c28d2e98",
            "category": "misc",
            "api": "LoadResource",
            "status": true,
            "return": "0x2924e1bd038",
            "arguments": [
              {
                "name": "Module",
                "value": "0x7ff6c28b0000"
              },
              {
                "name": "ResourceInfo",
                "value": "0x2924e1b1ee8"
              }
            ],
            "repeated": 0,
            "id": 3613
          },
          {
            "timestamp": "2026-05-28 22:01:57,615",
            "thread_id": "1496",
            "caller": "0x7ff6c28cdfee",
            "parentcaller": "0x7ff6c28d2e98",
            "category": "misc",
            "api": "FindResourceExW",
            "status": true,
            "return": "0x2924e1b1ee8",
            "arguments": [
              {
                "name": "Module",
                "value": "0x7ff6c28b0000"
              },
              {
                "name": "Type",
                "value": "#6"
              },
              {
                "name": "Name",
                "value": "#2376"
              },
              {
                "name": "Language",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 3614
          },
          {
            "timestamp": "2026-05-28 22:01:57,615",
            "thread_id": "1496",
            "caller": "0x7ff6c28cdfee",
            "parentcaller": "0x7ff6c28d2e98",
            "category": "misc",
            "api": "LoadResource",
            "status": true,
            "return": "0x2924e1bd038",
            "arguments": [
              {
                "name": "Module",
                "value": "0x7ff6c28b0000"
              },
              {
                "name": "ResourceInfo",
                "value": "0x2924e1b1ee8"
              }
            ],
            "repeated": 0,
            "id": 3615
          },
          {
            "timestamp": "2026-05-28 22:01:57,615",
            "thread_id": "1496",
            "caller": "0x7ff6c28cdfee",
            "parentcaller": "0x7ff6c28d2e98",
            "category": "misc",
            "api": "FindResourceExW",
            "status": true,
            "return": "0x2924e1b1ed8",
            "arguments": [
              {
                "name": "Module",
                "value": "0x7ff6c28b0000"
              },
              {
                "name": "Type",
                "value": "#6"
              },
              {
                "name": "Name",
                "value": "#2351"
              },
              {
                "name": "Language",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 3616
          },
          {
            "timestamp": "2026-05-28 22:01:57,615",
            "thread_id": "1496",
            "caller": "0x7ff6c28cdfee",
            "parentcaller": "0x7ff6c28d2e98",
            "category": "misc",
            "api": "LoadResource",
            "status": true,
            "return": "0x2924e1bcfc4",
            "arguments": [
              {
                "name": "Module",
                "value": "0x7ff6c28b0000"
              },
              {
                "name": "ResourceInfo",
                "value": "0x2924e1b1ed8"
              }
            ],
            "repeated": 0,
            "id": 3617
          },
          {
            "timestamp": "2026-05-28 22:01:57,615",
            "thread_id": "1496",
            "caller": "0x7ff6c28cdfee",
            "parentcaller": "0x7ff6c28d2e98",
            "category": "misc",
            "api": "FindResourceExW",
            "status": true,
            "return": "0x2924e1b1ed8",
            "arguments": [
              {
                "name": "Module",
                "value": "0x7ff6c28b0000"
              },
              {
                "name": "Type",
                "value": "#6"
              },
              {
                "name": "Name",
                "value": "#2351"
              },
              {
                "name": "Language",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 3618
          },
          {
            "timestamp": "2026-05-28 22:01:57,615",
            "thread_id": "1496",
            "caller": "0x7ff6c28cdfee",
            "parentcaller": "0x7ff6c28d2e98",
            "category": "misc",
            "api": "LoadResource",
            "status": true,
            "return": "0x2924e1bcfc4",
            "arguments": [
              {
                "name": "Module",
                "value": "0x7ff6c28b0000"
              },
              {
                "name": "ResourceInfo",
                "value": "0x2924e1b1ed8"
              }
            ],
            "repeated": 0,
            "id": 3619
          },
          {
            "timestamp": "2026-05-28 22:01:57,615",
            "thread_id": "1496",
            "caller": "0x7ff6c28cdfee",
            "parentcaller": "0x7ff6c28d2e98",
            "category": "misc",
            "api": "FindResourceExW",
            "status": true,
            "return": "0x2924e1b1ee8",
            "arguments": [
              {
                "name": "Module",
                "value": "0x7ff6c28b0000"
              },
              {
                "name": "Type",
                "value": "#6"
              },
              {
                "name": "Name",
                "value": "#2376"
              },
              {
                "name": "Language",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 3620
          },
          {
            "timestamp": "2026-05-28 22:01:57,615",
            "thread_id": "1496",
            "caller": "0x7ff6c28cdfee",
            "parentcaller": "0x7ff6c28d2e98",
            "category": "misc",
            "api": "LoadResource",
            "status": true,
            "return": "0x2924e1bd038",
            "arguments": [
              {
                "name": "Module",
                "value": "0x7ff6c28b0000"
              },
              {
                "name": "ResourceInfo",
                "value": "0x2924e1b1ee8"
              }
            ],
            "repeated": 0,
            "id": 3621
          },
          {
            "timestamp": "2026-05-28 22:01:57,615",
            "thread_id": "1496",
            "caller": "0x7ff6c28cdfee",
            "parentcaller": "0x7ff6c28d2e98",
            "category": "misc",
            "api": "FindResourceExW",
            "status": true,
            "return": "0x2924e1b1ee8",
            "arguments": [
              {
                "name": "Module",
                "value": "0x7ff6c28b0000"
              },
              {
                "name": "Type",
                "value": "#6"
              },
              {
                "name": "Name",
                "value": "#2376"
              },
              {
                "name": "Language",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 3622
          },
          {
            "timestamp": "2026-05-28 22:01:57,615",
            "thread_id": "1496",
            "caller": "0x7ff6c28cdfee",
            "parentcaller": "0x7ff6c28d2e98",
            "category": "misc",
            "api": "LoadResource",
            "status": true,
            "return": "0x2924e1bd038",
            "arguments": [
              {
                "name": "Module",
                "value": "0x7ff6c28b0000"
              },
              {
                "name": "ResourceInfo",
                "value": "0x2924e1b1ee8"
              }
            ],
            "repeated": 0,
            "id": 3623
          },
          {
            "timestamp": "2026-05-28 22:01:57,615",
            "thread_id": "1496",
            "caller": "0x7ff6c28cdfee",
            "parentcaller": "0x7ff6c28d2e98",
            "category": "misc",
            "api": "FindResourceExW",
            "status": true,
            "return": "0x2924e1b1ee8",
            "arguments": [
              {
                "name": "Module",
                "value": "0x7ff6c28b0000"
              },
              {
                "name": "Type",
                "value": "#6"
              },
              {
                "name": "Name",
                "value": "#2376"
              },
              {
                "name": "Language",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 3624
          },
          {
            "timestamp": "2026-05-28 22:01:57,615",
            "thread_id": "1496",
            "caller": "0x7ff6c28cdfee",
            "parentcaller": "0x7ff6c28d2e98",
            "category": "misc",
            "api": "LoadResource",
            "status": true,
            "return": "0x2924e1bd038",
            "arguments": [
              {
                "name": "Module",
                "value": "0x7ff6c28b0000"
              },
              {
                "name": "ResourceInfo",
                "value": "0x2924e1b1ee8"
              }
            ],
            "repeated": 0,
            "id": 3625
          },
          {
            "timestamp": "2026-05-28 22:01:57,615",
            "thread_id": "1496",
            "caller": "0x7ff6c28cdfee",
            "parentcaller": "0x7ff6c28d2e98",
            "category": "misc",
            "api": "FindResourceExW",
            "status": true,
            "return": "0x2924e1b1ef8",
            "arguments": [
              {
                "name": "Module",
                "value": "0x7ff6c28b0000"
              },
              {
                "name": "Type",
                "value": "#6"
              },
              {
                "name": "Name",
                "value": "#2407"
              },
              {
                "name": "Language",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 3626
          },
          {
            "timestamp": "2026-05-28 22:01:57,615",
            "thread_id": "1496",
            "caller": "0x7ff6c28cdfee",
            "parentcaller": "0x7ff6c28d2e98",
            "category": "misc",
            "api": "LoadResource",
            "status": true,
            "return": "0x2924e1bd0d4",
            "arguments": [
              {
                "name": "Module",
                "value": "0x7ff6c28b0000"
              },
              {
                "name": "ResourceInfo",
                "value": "0x2924e1b1ef8"
              }
            ],
            "repeated": 0,
            "id": 3627
          },
          {
            "timestamp": "2026-05-28 22:01:57,615",
            "thread_id": "1496",
            "caller": "0x7ff6c28cdfee",
            "parentcaller": "0x7ff6c28d2e98",
            "category": "misc",
            "api": "FindResourceExW",
            "status": true,
            "return": "0x2924e1b1ee8",
            "arguments": [
              {
                "name": "Module",
                "value": "0x7ff6c28b0000"
              },
              {
                "name": "Type",
                "value": "#6"
              },
              {
                "name": "Name",
                "value": "#2376"
              },
              {
                "name": "Language",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 3628
          },
          {
            "timestamp": "2026-05-28 22:01:57,615",
            "thread_id": "1496",
            "caller": "0x7ff6c28cdfee",
            "parentcaller": "0x7ff6c28d2e98",
            "category": "misc",
            "api": "LoadResource",
            "status": true,
            "return": "0x2924e1bd038",
            "arguments": [
              {
                "name": "Module",
                "value": "0x7ff6c28b0000"
              },
              {
                "name": "ResourceInfo",
                "value": "0x2924e1b1ee8"
              }
            ],
            "repeated": 0,
            "id": 3629
          },
          {
            "timestamp": "2026-05-28 22:01:57,615",
            "thread_id": "1496",
            "caller": "0x7ff6c28cdfee",
            "parentcaller": "0x7ff6c28d2e98",
            "category": "misc",
            "api": "FindResourceExW",
            "status": true,
            "return": "0x2924e1b1fc8",
            "arguments": [
              {
                "name": "Module",
                "value": "0x7ff6c28b0000"
              },
              {
                "name": "Type",
                "value": "#6"
              },
              {
                "name": "Name",
                "value": "#2626"
              },
              {
                "name": "Language",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 3630
          },
          {
            "timestamp": "2026-05-28 22:01:57,615",
            "thread_id": "1496",
            "caller": "0x7ff6c28cdfee",
            "parentcaller": "0x7ff6c28d2e98",
            "category": "misc",
            "api": "LoadResource",
            "status": true,
            "return": "0x2924e1be37c",
            "arguments": [
              {
                "name": "Module",
                "value": "0x7ff6c28b0000"
              },
              {
                "name": "ResourceInfo",
                "value": "0x2924e1b1fc8"
              }
            ],
            "repeated": 0,
            "id": 3631
          },
          {
            "timestamp": "2026-05-28 22:01:57,615",
            "thread_id": "1496",
            "caller": "0x7ff6c28ce065",
            "parentcaller": "0x7ff6c28d2e98",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\resmon.exe"
              }
            ],
            "repeated": 0,
            "id": 3632
          },
          {
            "timestamp": "2026-05-28 22:01:57,615",
            "thread_id": "1496",
            "caller": "0x7ff6c28ce0f5",
            "parentcaller": "0x7ff6c28d2e98",
            "category": "misc",
            "api": "FindResourceExW",
            "status": true,
            "return": "0x29252ef2108",
            "arguments": [
              {
                "name": "Module",
                "value": "0x7ff6c28b0000"
              },
              {
                "name": "Type",
                "value": "#14"
              },
              {
                "name": "Name",
                "value": "#31211"
              },
              {
                "name": "Language",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 3633
          },
          {
            "timestamp": "2026-05-28 22:01:57,615",
            "thread_id": "1496",
            "caller": "0x7ff6c28ce0f5",
            "parentcaller": "0x7ff6c28d2e98",
            "category": "misc",
            "api": "LoadResource",
            "status": true,
            "return": "0x29252f460f8",
            "arguments": [
              {
                "name": "Module",
                "value": "0x7ff6c28b0000"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29252ef2108"
              }
            ],
            "repeated": 0,
            "id": 3634
          },
          {
            "timestamp": "2026-05-28 22:01:57,615",
            "thread_id": "1496",
            "caller": "0x7ff6c28ce0f5",
            "parentcaller": "0x7ff6c28d2e98",
            "category": "misc",
            "api": "FindResourceExW",
            "status": true,
            "return": "0x29252ef2008",
            "arguments": [
              {
                "name": "Module",
                "value": "0x7ff6c28b0000"
              },
              {
                "name": "Type",
                "value": "#3"
              },
              {
                "name": "Name",
                "value": "#106"
              },
              {
                "name": "Language",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 3635
          },
          {
            "timestamp": "2026-05-28 22:01:57,615",
            "thread_id": "1496",
            "caller": "0x7ff6c28ce0f5",
            "parentcaller": "0x7ff6c28d2e98",
            "category": "misc",
            "api": "LoadResource",
            "status": true,
            "return": "0x29252f45c90",
            "arguments": [
              {
                "name": "Module",
                "value": "0x7ff6c28b0000"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29252ef2008"
              }
            ],
            "repeated": 0,
            "id": 3636
          },
          {
            "timestamp": "2026-05-28 22:01:57,615",
            "thread_id": "1496",
            "caller": "0x7ff6c28ce1bf",
            "parentcaller": "0x7ff6c28d2e98",
            "category": "misc",
            "api": "FindResourceExW",
            "status": true,
            "return": "0x29252ef2038",
            "arguments": [
              {
                "name": "Module",
                "value": "0x7ff6c28b0000"
              },
              {
                "name": "Type",
                "value": "#14"
              },
              {
                "name": "Name",
                "value": "#30653"
              },
              {
                "name": "Language",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 3637
          },
          {
            "timestamp": "2026-05-28 22:01:57,615",
            "thread_id": "1496",
            "caller": "0x7ff6c28ce1bf",
            "parentcaller": "0x7ff6c28d2e98",
            "category": "misc",
            "api": "LoadResource",
            "status": true,
            "return": "0x29252f18d68",
            "arguments": [
              {
                "name": "Module",
                "value": "0x7ff6c28b0000"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29252ef2038"
              }
            ],
            "repeated": 0,
            "id": 3638
          },
          {
            "timestamp": "2026-05-28 22:01:57,615",
            "thread_id": "1496",
            "caller": "0x7ff6c28ce1bf",
            "parentcaller": "0x7ff6c28d2e98",
            "category": "misc",
            "api": "FindResourceExW",
            "status": true,
            "return": "0x29252ef1b88",
            "arguments": [
              {
                "name": "Module",
                "value": "0x7ff6c28b0000"
              },
              {
                "name": "Type",
                "value": "#3"
              },
              {
                "name": "Name",
                "value": "#34"
              },
              {
                "name": "Language",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 3639
          },
          {
            "timestamp": "2026-05-28 22:01:57,615",
            "thread_id": "1496",
            "caller": "0x7ff6c28ce1bf",
            "parentcaller": "0x7ff6c28d2e98",
            "category": "misc",
            "api": "LoadResource",
            "status": true,
            "return": "0x29252f18900",
            "arguments": [
              {
                "name": "Module",
                "value": "0x7ff6c28b0000"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29252ef1b88"
              }
            ],
            "repeated": 0,
            "id": 3640
          },
          {
            "timestamp": "2026-05-28 22:01:57,615",
            "thread_id": "5448",
            "caller": "0x7ff6c28dd762",
            "parentcaller": "0x7ff6c28e1210",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "93"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x7f7\\x9e}"
              }
            ],
            "repeated": 0,
            "id": 3641
          },
          {
            "timestamp": "2026-05-28 22:01:57,615",
            "thread_id": "5448",
            "caller": "0x7ff6c28dd762",
            "parentcaller": "0x7ff6c28e1210",
            "category": "process",
            "api": "NtOpenSection",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0000000d"
              },
              {
                "name": "ObjectAttributes",
                "value": "samcli.dll"
              }
            ],
            "repeated": 0,
            "id": 3642
          },
          {
            "timestamp": "2026-05-28 22:01:57,615",
            "thread_id": "5448",
            "caller": "0x7ff6c28dd762",
            "parentcaller": "0x7ff6c28e1210",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\samcli.dll"
              }
            ],
            "repeated": 0,
            "id": 3643
          },
          {
            "timestamp": "2026-05-28 22:01:57,615",
            "thread_id": "5448",
            "caller": "0x7ff6c28dd762",
            "parentcaller": "0x7ff6c28e1210",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000005a4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100021",
                "pretty_value": "FILE_READ_ACCESS|FILE_EXECUTE|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\samcli.dll"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 3644
          },
          {
            "timestamp": "2026-05-28 22:01:57,615",
            "thread_id": "5448",
            "caller": "0x7ff6c28dd762",
            "parentcaller": "0x7ff6c28e1210",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000498"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0000000d",
                "pretty_value": "SECTION_QUERY|SECTION_MAP_READ|SECTION_MAP_EXECUTE"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x000005a4"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\samcli.dll"
              }
            ],
            "repeated": 0,
            "id": 3645
          },
          {
            "timestamp": "2026-05-28 22:01:57,615",
            "thread_id": "5448",
            "caller": "0x7ff6c28dd762",
            "parentcaller": "0x7ff6c28e1210",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000498"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc6bb00000"
              },
              {
                "name": "SectionOffset",
                "value": "0x00000000"
              },
              {
                "name": "ViewSize",
                "value": "0x00019000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000080",
                "pretty_value": "PAGE_EXECUTE_WRITECOPY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 3646
          },
          {
            "timestamp": "2026-05-28 22:01:57,615",
            "thread_id": "5448",
            "caller": "0x7ff6c28dd762",
            "parentcaller": "0x7ff6c28e1210",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc6bb16000"
              },
              {
                "name": "ModuleName",
                "value": "samcli.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 3647
          },
          {
            "timestamp": "2026-05-28 22:01:57,615",
            "thread_id": "5448",
            "caller": "0x7ff6c28dd762",
            "parentcaller": "0x7ff6c28e1210",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc6bb10000"
              },
              {
                "name": "ModuleName",
                "value": "samcli.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 3648
          },
          {
            "timestamp": "2026-05-28 22:01:57,615",
            "thread_id": "5448",
            "caller": "0x7ff6c28dd762",
            "parentcaller": "0x7ff6c28e1210",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc6bb10000"
              },
              {
                "name": "ModuleName",
                "value": "samcli.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 3649
          },
          {
            "timestamp": "2026-05-28 22:01:57,615",
            "thread_id": "1496",
            "caller": "0x7ff6c28f62f0",
            "parentcaller": "0x7ff6c28d2ec5",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x292541a0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00021000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 3650
          },
          {
            "timestamp": "2026-05-28 22:01:57,615",
            "thread_id": "5448",
            "caller": "0x7ff6c28dd762",
            "parentcaller": "0x7ff6c28e1210",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc6bb10000"
              },
              {
                "name": "ModuleName",
                "value": "samcli.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 3651
          },
          {
            "timestamp": "2026-05-28 22:01:57,615",
            "thread_id": "5448",
            "caller": "0x7ff6c28dd762",
            "parentcaller": "0x7ff6c28e1210",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc6bb10000"
              },
              {
                "name": "ModuleName",
                "value": "samcli.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 3652
          },
          {
            "timestamp": "2026-05-28 22:01:57,615",
            "thread_id": "1496",
            "caller": "0x7ff6c28f62f0",
            "parentcaller": "0x7ff6c28d2ec5",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x292541c1000"
              },
              {
                "name": "RegionSize",
                "value": "0x00009000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 3653
          },
          {
            "timestamp": "2026-05-28 22:01:57,615",
            "thread_id": "5448",
            "caller": "0x7ff6c28dd762",
            "parentcaller": "0x7ff6c28e1210",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000498"
              }
            ],
            "repeated": 0,
            "id": 3654
          },
          {
            "timestamp": "2026-05-28 22:01:57,615",
            "thread_id": "5448",
            "caller": "0x7ff6c28dd762",
            "parentcaller": "0x7ff6c28e1210",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005a4"
              }
            ],
            "repeated": 0,
            "id": 3655
          },
          {
            "timestamp": "2026-05-28 22:01:57,615",
            "thread_id": "1496",
            "caller": "0x7ff6c28f62f0",
            "parentcaller": "0x7ff6c28d2ec5",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x292541ca000"
              },
              {
                "name": "RegionSize",
                "value": "0x00012000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 3656
          },
          {
            "timestamp": "2026-05-28 22:01:57,615",
            "thread_id": "5448",
            "caller": "0x7ff6c28dd762",
            "parentcaller": "0x7ff6c28e1210",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc6bb10000"
              },
              {
                "name": "ModuleName",
                "value": "samcli.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 3657
          },
          {
            "timestamp": "2026-05-28 22:01:57,615",
            "thread_id": "5448",
            "caller": "0x7ff6c28dd762",
            "parentcaller": "0x7ff6c28e1210",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\system32\\samcli"
              },
              {
                "name": "DllBase",
                "value": "0x7ffc6bb00000"
              }
            ],
            "repeated": 0,
            "id": 3658
          },
          {
            "timestamp": "2026-05-28 22:01:57,615",
            "thread_id": "1496",
            "caller": "0x7ff6c28f62f0",
            "parentcaller": "0x7ff6c28d2ec5",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x292541dc000"
              },
              {
                "name": "RegionSize",
                "value": "0x00024000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 3659
          },
          {
            "timestamp": "2026-05-28 22:01:57,615",
            "thread_id": "608",
            "caller": "0x7ff6c28b3932",
            "parentcaller": "0x7ff6c28de0ed",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\actxprxy.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc6edf0000"
              }
            ],
            "repeated": 0,
            "id": 3660
          },
          {
            "timestamp": "2026-05-28 22:01:57,615",
            "thread_id": "608",
            "caller": "0x7ff6c28b3932",
            "parentcaller": "0x7ff6c28de0ed",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "25DEAD04-1EAC-4911-9E3A-AD0A4AB560FD"
              },
              {
                "name": "ClsContext",
                "value": "0x00000004",
                "pretty_value": "CLSCTX_LOCAL_SERVER"
              },
              {
                "name": "riid",
                "value": "D133CE13-3537-48BA-93A7-AFCD5D2053B4"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 3661
          },
          {
            "timestamp": "2026-05-28 22:01:57,615",
            "thread_id": "608",
            "caller": "0x7ff6c28b3c77",
            "parentcaller": "0x7ff6c28b3c07",
            "category": "system",
            "api": "CreateTimerQueueTimer",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "phNewTimer",
                "value": "0x29253ea6a30"
              },
              {
                "name": "TimerQueue",
                "value": "0x00000000"
              },
              {
                "name": "Callback",
                "value": "0xc2914c70"
              },
              {
                "name": "Parameter",
                "value": "0x9df7f780"
              },
              {
                "name": "DueTime",
                "value": "1000"
              },
              {
                "name": "Period",
                "value": "1000"
              },
              {
                "name": "Flags",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 3662
          },
          {
            "timestamp": "2026-05-28 22:01:57,615",
            "thread_id": "608",
            "caller": "0x7ff6c28b39d5",
            "parentcaller": "0x7ff6c28b3953",
            "category": "system",
            "api": "NtQuerySystemTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 3663
          },
          {
            "timestamp": "2026-05-28 22:01:57,615",
            "thread_id": "608",
            "caller": "0x7ff6c28b39d5",
            "parentcaller": "0x7ff6c28b3953",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc771be000"
              },
              {
                "name": "ModuleName",
                "value": "RPCRT4.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 3664
          },
          {
            "timestamp": "2026-05-28 22:01:57,615",
            "thread_id": "608",
            "caller": "0x7ff6c28b39d5",
            "parentcaller": "0x7ff6c28b3953",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc771be000"
              },
              {
                "name": "ModuleName",
                "value": "RPCRT4.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 3665
          },
          {
            "timestamp": "2026-05-28 22:01:57,615",
            "thread_id": "1496",
            "caller": "0x7ff6c28d2f41",
            "parentcaller": "0x7ff6c28d467a",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc77fd0000"
              }
            ],
            "repeated": 0,
            "id": 3666
          },
          {
            "timestamp": "2026-05-28 22:01:57,615",
            "thread_id": "1496",
            "caller": "0x7ff6c28d2f41",
            "parentcaller": "0x7ff6c28d467a",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc77fd0000"
              },
              {
                "name": "FunctionName",
                "value": "RtlQueryFeatureConfiguration"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc7802cbd0"
              }
            ],
            "repeated": 0,
            "id": 3667
          },
          {
            "timestamp": "2026-05-28 22:01:57,615",
            "thread_id": "1496",
            "caller": "0x7ff6c28d2f41",
            "parentcaller": "0x7ff6c28d467a",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc77fd0000"
              },
              {
                "name": "FunctionName",
                "value": "NtQueryWnfStateData"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc7806fc40"
              }
            ],
            "repeated": 0,
            "id": 3668
          },
          {
            "timestamp": "2026-05-28 22:01:57,615",
            "thread_id": "608",
            "caller": "0x7ff6c28b39d5",
            "parentcaller": "0x7ff6c28b3953",
            "category": "system",
            "api": "NtQuerySystemTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 3669
          },
          {
            "timestamp": "2026-05-28 22:01:57,615",
            "thread_id": "608",
            "caller": "0x7ff6c28b39d5",
            "parentcaller": "0x7ff6c28b3953",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "29"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 3670
          },
          {
            "timestamp": "2026-05-28 22:01:57,615",
            "thread_id": "608",
            "caller": "0x7ff6c28b39d5",
            "parentcaller": "0x7ff6c28b3953",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x000002e6"
              },
              {
                "name": "SubKey",
                "value": "Interface\\{D782CCBA-AFB0-43F1-94DB-FDA3779EACCB}"
              },
              {
                "name": "Handle",
                "value": "0x000005ae"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\Interface\\{D782CCBA-AFB0-43F1-94DB-FDA3779EACCB}"
              }
            ],
            "repeated": 0,
            "id": 3671
          },
          {
            "timestamp": "2026-05-28 22:01:57,615",
            "thread_id": "608",
            "caller": "0x7ff6c28b39d5",
            "parentcaller": "0x7ff6c28b3953",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x000005ae"
              },
              {
                "name": "SubKey",
                "value": "ProxyStubClsid32"
              },
              {
                "name": "Handle",
                "value": "0x000005be"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{D782CCBA-AFB0-43F1-94DB-FDA3779EACCB}\\ProxyStubClsid32"
              }
            ],
            "repeated": 0,
            "id": 3672
          },
          {
            "timestamp": "2026-05-28 22:01:57,615",
            "thread_id": "1496",
            "caller": "0x7ff6c28d2f41",
            "parentcaller": "0x7ff6c28d467a",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback"
              },
              {
                "name": "Handle",
                "value": "0x000005c0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback"
              }
            ],
            "repeated": 0,
            "id": 3673
          },
          {
            "timestamp": "2026-05-28 22:01:57,615",
            "thread_id": "608",
            "caller": "0x7ff6c28b39d5",
            "parentcaller": "0x7ff6c28b3953",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005be"
              },
              {
                "name": "ValueName",
                "value": ""
              },
              {
                "name": "Data",
                "value": "{C90250F3-4D7D-4991-9B69-A5C5BC1C2AE6}"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{D782CCBA-AFB0-43F1-94DB-FDA3779EACCB}\\ProxyStubClsid32\\(Default)"
              }
            ],
            "repeated": 0,
            "id": 3674
          },
          {
            "timestamp": "2026-05-28 22:01:57,615",
            "thread_id": "1496",
            "caller": "0x7ff6c28d2f41",
            "parentcaller": "0x7ff6c28d467a",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x000005c0"
              },
              {
                "name": "SubKey",
                "value": "Segoe MDL2 Assets"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Segoe MDL2 Assets"
              }
            ],
            "repeated": 0,
            "id": 3675
          },
          {
            "timestamp": "2026-05-28 22:01:57,615",
            "thread_id": "1496",
            "caller": "0x7ff6c28d2f41",
            "parentcaller": "0x7ff6c28d467a",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005c0"
              }
            ],
            "repeated": 0,
            "id": 3676
          },
          {
            "timestamp": "2026-05-28 22:01:57,615",
            "thread_id": "608",
            "caller": "0x7ff6c28b39d5",
            "parentcaller": "0x7ff6c28b3953",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 3677
          },
          {
            "timestamp": "2026-05-28 22:01:57,615",
            "thread_id": "608",
            "caller": "0x7ff6c28b39d5",
            "parentcaller": "0x7ff6c28b3953",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002d8"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 3678
          },
          {
            "timestamp": "2026-05-28 22:01:57,615",
            "thread_id": "608",
            "caller": "0x7ff6c28b39d5",
            "parentcaller": "0x7ff6c28b3953",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "29"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 3679
          },
          {
            "timestamp": "2026-05-28 22:01:57,615",
            "thread_id": "608",
            "caller": "0x7ff6c28b39d5",
            "parentcaller": "0x7ff6c28b3953",
            "category": "filesystem",
            "api": "NtOpenDirectoryObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "DirectoryHandle",
                "value": "0x000005ac"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020001",
                "pretty_value": "FILE_READ_ACCESS|READ_CONTROL"
              },
              {
                "name": "ObjectAttributes",
                "value": "C:\\RPC Control"
              }
            ],
            "repeated": 0,
            "id": 3680
          },
          {
            "timestamp": "2026-05-28 22:01:57,615",
            "thread_id": "608",
            "caller": "0x7ff6c28b39d5",
            "parentcaller": "0x7ff6c28b3953",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x000005bc"
              }
            ],
            "repeated": 0,
            "id": 3681
          },
          {
            "timestamp": "2026-05-28 22:01:57,615",
            "thread_id": "608",
            "caller": "0x7ff6c28b39d5",
            "parentcaller": "0x7ff6c28b3953",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "10"
              },
              {
                "name": "TokenInformation",
                "value": "j\\xc4\t\\x00\\x00\\x00\\x00\\x00]Y\\x02\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x7f\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x94\\x0f\\x00\\x00\\x0e\\x00\\x00\\x00\\x18\\x00\\x00\\x00\\xa4\\xd0\t\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 3682
          },
          {
            "timestamp": "2026-05-28 22:01:57,615",
            "thread_id": "608",
            "caller": "0x7ff6c28b39d5",
            "parentcaller": "0x7ff6c28b3953",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "4"
              },
              {
                "name": "TokenInformation",
                "value": "\\x08s\\xe8S\\x92\\x02\\x00\\x00\\x01\\x02\\x00\\x00\\x00\\x00\\x00\\x05 \\x00\\x00\\x00 \\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 3683
          },
          {
            "timestamp": "2026-05-28 22:01:57,615",
            "thread_id": "608",
            "caller": "0x7ff6c28b39d5",
            "parentcaller": "0x7ff6c28b3953",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "25"
              },
              {
                "name": "TokenInformation",
                "value": "\\xd0s\\xe8S\\x92\\x02\\x00\\x00`\\x00\\x00\\x00-\\x00w\\x00\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x10\\x000\\x00\\x00e\\x00-\\x00w\\x00i\\x00n\\x003\\x002\\x00k\\x00-\\x00m\\x00i\\x00n\\x00u\\x00s\\x00e\\x00r\\x00-\\x00l\\x001\\x00-\\x001\\x00-\\x000\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 3684
          },
          {
            "timestamp": "2026-05-28 22:01:57,615",
            "thread_id": "608",
            "caller": "0x7ff6c28b39d5",
            "parentcaller": "0x7ff6c28b3953",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "5"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 3685
          },
          {
            "timestamp": "2026-05-28 22:01:57,615",
            "thread_id": "608",
            "caller": "0x7ff6c28b39d5",
            "parentcaller": "0x7ff6c28b3953",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "5"
              },
              {
                "name": "TokenInformation",
                "value": "8\\xc8\\x1bT\\x92\\x02\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\x01\\x02\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 3686
          },
          {
            "timestamp": "2026-05-28 22:01:57,615",
            "thread_id": "608",
            "caller": "0x7ff6c28b39d5",
            "parentcaller": "0x7ff6c28b3953",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "6"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 3687
          },
          {
            "timestamp": "2026-05-28 22:01:57,615",
            "thread_id": "608",
            "caller": "0x7ff6c28b39d5",
            "parentcaller": "0x7ff6c28b3953",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "6"
              },
              {
                "name": "TokenInformation",
                "value": "hy\\xe8S\\x92\\x02\\x00\\x00\\x02\\x00P\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x18\\x00\\x00\\x00\\x00\\x10\\x01\\x02\\x00\\x00\\x00\\x00\\x00\\x05 \\x00\\x00\\x00 \\x02\\x00\\x00\\x00\\x00\\x14\\x00\\x00\\x00\\x00\\x10\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x05\\x12\\x00\\x00\\x00\\x00\\x00\\x1c\\x00\\x00\\x00\\x00\\xa0\\x01\\x03\\x00\\x00\\x00\\x00\\x00\\x05\\x05\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xc7X\\x02\\x00"
              }
            ],
            "repeated": 0,
            "id": 3688
          },
          {
            "timestamp": "2026-05-28 22:01:57,615",
            "thread_id": "608",
            "caller": "0x7ff6c28b39d5",
            "parentcaller": "0x7ff6c28b3953",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "41"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00X@\\xdd3\\xfc\\x7f\\x00\\x00\\xebP\\xb53\\xfc\\x7f\\x00\\x00\\xa2\\xf6\\xa2\\xbeK\\xb4\\x00\\x00(N\\xd93\\xfc\\x7f\\x00\\x00p\\xda\\xf7\\x9d\\xf0\\x00\\x00\\x00h\\xda\\xf7\\x9d\\xf0\\x00\\x00\\x008\\xda\\xf7\\x9d\\xf0\\x00\\x00\\x00X\\xda\\xf7\\x9d"
              }
            ],
            "repeated": 0,
            "id": 3689
          },
          {
            "timestamp": "2026-05-28 22:01:57,615",
            "thread_id": "608",
            "caller": "0x7ff6c28b39d5",
            "parentcaller": "0x7ff6c28b3953",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "41"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00`y\\xe8S\\x92\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xd9\\xd8\\xb63\\xfc\\x7f\\x00\\x00#\\x00\\x00\\xc0\\x00\\x00\\x00\\x00X\\xd8\\xf7\\x9d\\xf0\\x00\\x00\\x00\\xbc\\x05\\x00\\x00\\x00\\x00\\x00\\x00\\x9a\\x00\\x1f8\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x86\\xa2\\xd93"
              }
            ],
            "repeated": 0,
            "id": 3690
          },
          {
            "timestamp": "2026-05-28 22:01:57,615",
            "thread_id": "608",
            "caller": "0x7ff6c28b39d5",
            "parentcaller": "0x7ff6c28b3953",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "10"
              },
              {
                "name": "TokenInformation",
                "value": "j\\xc4\t\\x00\\x00\\x00\\x00\\x00]Y\\x02\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x7f\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x94\\x0f\\x00\\x00\\x0e\\x00\\x00\\x00\\x18\\x00\\x00\\x00\\xa4\\xd0\t\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 3691
          },
          {
            "timestamp": "2026-05-28 22:01:57,615",
            "thread_id": "608",
            "caller": "0x7ff6c28b39d5",
            "parentcaller": "0x7ff6c28b3953",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "4"
              },
              {
                "name": "TokenInformation",
                "value": "\\xc8v\\xe8S\\x92\\x02\\x00\\x00\\x01\\x02\\x00\\x00\\x00\\x00\\x00\\x05 \\x00\\x00\\x00 \\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 3692
          },
          {
            "timestamp": "2026-05-28 22:01:57,615",
            "thread_id": "608",
            "caller": "0x7ff6c28b39d5",
            "parentcaller": "0x7ff6c28b3953",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "25"
              },
              {
                "name": "TokenInformation",
                "value": "\\xb0{\\xe8S\\x92\\x02\\x00\\x00`\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x10\\x000\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 3693
          },
          {
            "timestamp": "2026-05-28 22:01:57,615",
            "thread_id": "608",
            "caller": "0x7ff6c28b39d5",
            "parentcaller": "0x7ff6c28b3953",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "5"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 3694
          },
          {
            "timestamp": "2026-05-28 22:01:57,615",
            "thread_id": "608",
            "caller": "0x7ff6c28b39d5",
            "parentcaller": "0x7ff6c28b3953",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "5"
              },
              {
                "name": "TokenInformation",
                "value": "x\\xca\\x1bT\\x92\\x02\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\x01\\x02\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 3695
          },
          {
            "timestamp": "2026-05-28 22:01:57,615",
            "thread_id": "608",
            "caller": "0x7ff6c28b39d5",
            "parentcaller": "0x7ff6c28b3953",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "6"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 3696
          },
          {
            "timestamp": "2026-05-28 22:01:57,615",
            "thread_id": "608",
            "caller": "0x7ff6c28b39d5",
            "parentcaller": "0x7ff6c28b3953",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "6"
              },
              {
                "name": "TokenInformation",
                "value": "\\xe8t\\xe8S\\x92\\x02\\x00\\x00\\x02\\x00P\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x18\\x00\\x00\\x00\\x00\\x10\\x01\\x02\\x00\\x00\\x00\\x00\\x00\\x05 \\x00\\x00\\x00 \\x02\\x00\\x00\\x00\\x00\\x14\\x00\\x00\\x00\\x00\\x10\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x05\\x12\\x00\\x00\\x00\\x00\\x00\\x1c\\x00\\x00\\x00\\x00\\xa0\\x01\\x03\\x00\\x00\\x00\\x00\\x00\\x05\\x05\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xc7X\\x02\\x00"
              }
            ],
            "repeated": 0,
            "id": 3697
          },
          {
            "timestamp": "2026-05-28 22:01:57,615",
            "thread_id": "608",
            "caller": "0x7ff6c28b39d5",
            "parentcaller": "0x7ff6c28b3953",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "41"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00X@\\xdd3\\xfc\\x7f\\x00\\x00\\xebP\\xb53\\xfc\\x7f\\x00\\x00\\x02\\xe9\\xa2\\xbeK\\xb4\\x00\\x00(N\\xd93\\xfc\\x7f\\x00\\x00\\xd0\\xd6\\xf7\\x9d\\xf0\\x00\\x00\\x00\\xc8\\xd6\\xf7\\x9d\\xf0\\x00\\x00\\x00\\x98\\xd6\\xf7\\x9d\\xf0\\x00\\x00\\x00\\xb8\\xd6\\xf7\\x9d"
              }
            ],
            "repeated": 0,
            "id": 3698
          },
          {
            "timestamp": "2026-05-28 22:01:57,615",
            "thread_id": "608",
            "caller": "0x7ff6c28b39d5",
            "parentcaller": "0x7ff6c28b3953",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "41"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xe0t\\xe8S\\x92\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xd9\\xd8\\xb63\\xfc\\x7f\\x00\\x00#\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\xb8\\xd4\\xf7\\x9d\\xf0\\x00\\x00\\x00\\xbc\\x05\\x00\\x00\\x00\\x00\\x00\\x00\\x9a\\x00\\x1f8\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x86\\xa2\\xd93"
              }
            ],
            "repeated": 0,
            "id": 3699
          },
          {
            "timestamp": "2026-05-28 22:01:57,615",
            "thread_id": "1004",
            "caller": "0x7ffc75716f4c",
            "parentcaller": "0x7ffc770cef53",
            "category": "system",
            "api": "NtDuplicateObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SourceProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "SourceHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "TargetProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "TargetHandle",
                "value": "0x000005c4"
              },
              {
                "name": "Options",
                "value": "0x00000002"
              }
            ],
            "repeated": 0,
            "id": 3700
          },
          {
            "timestamp": "2026-05-28 22:01:57,615",
            "thread_id": "608",
            "caller": "0x7ff6c28b39d5",
            "parentcaller": "0x7ff6c28b3953",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005ac"
              }
            ],
            "repeated": 0,
            "id": 3701
          },
          {
            "timestamp": "2026-05-28 22:01:57,615",
            "thread_id": "608",
            "caller": "0x7ff6c28b39d5",
            "parentcaller": "0x7ff6c28b3953",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005bc"
              }
            ],
            "repeated": 0,
            "id": 3702
          },
          {
            "timestamp": "2026-05-28 22:01:57,615",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "synchronization",
            "api": "NtReleaseMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              }
            ],
            "repeated": 63,
            "id": 3703
          },
          {
            "timestamp": "2026-05-28 22:01:57,615",
            "thread_id": "5448",
            "caller": "0x7ff6c28dd762",
            "parentcaller": "0x7ff6c28e1210",
            "category": "system",
            "api": "LdrpCallInitRoutine",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "MappedPath",
                "value": "\\Device\\HarddiskVolume2\\Windows\\System32\\samcli"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc6bb00000"
              },
              {
                "name": "InitRoutine",
                "value": "0x7ffc6bb051e0"
              },
              {
                "name": "Reason",
                "value": "1"
              }
            ],
            "repeated": 0,
            "id": 3704
          },
          {
            "timestamp": "2026-05-28 22:01:57,615",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "synchronization",
            "api": "NtReleaseMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              }
            ],
            "repeated": 1,
            "id": 3705
          },
          {
            "timestamp": "2026-05-28 22:01:57,615",
            "thread_id": "5448",
            "caller": "0x7ff6c28dd762",
            "parentcaller": "0x7ff6c28e1210",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff6c29dc000"
              },
              {
                "name": "ModuleName",
                "value": "taskmgr.exe"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 3706
          },
          {
            "timestamp": "2026-05-28 22:01:57,615",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "synchronization",
            "api": "NtReleaseMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              }
            ],
            "repeated": 1,
            "id": 3707
          },
          {
            "timestamp": "2026-05-28 22:01:57,615",
            "thread_id": "5448",
            "caller": "0x7ff6c28dd762",
            "parentcaller": "0x7ff6c28e1210",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff6c29dc000"
              },
              {
                "name": "ModuleName",
                "value": "taskmgr.exe"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 3708
          },
          {
            "timestamp": "2026-05-28 22:01:57,615",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "synchronization",
            "api": "NtReleaseMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              }
            ],
            "repeated": 2,
            "id": 3709
          },
          {
            "timestamp": "2026-05-28 22:01:57,615",
            "thread_id": "5448",
            "caller": "0x7ff6c28b714e",
            "parentcaller": "0x7ff6c28b6b0a",
            "category": "process",
            "api": "NtOpenSection",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0000000d"
              },
              {
                "name": "ObjectAttributes",
                "value": "SAMLIB.dll"
              }
            ],
            "repeated": 0,
            "id": 3710
          },
          {
            "timestamp": "2026-05-28 22:01:57,615",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "synchronization",
            "api": "NtReleaseMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              }
            ],
            "repeated": 1,
            "id": 3711
          },
          {
            "timestamp": "2026-05-28 22:01:57,615",
            "thread_id": "5448",
            "caller": "0x7ff6c28b714e",
            "parentcaller": "0x7ff6c28b6b0a",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\samlib.dll"
              }
            ],
            "repeated": 0,
            "id": 3712
          },
          {
            "timestamp": "2026-05-28 22:01:57,615",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "synchronization",
            "api": "NtReleaseMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              }
            ],
            "repeated": 13,
            "id": 3713
          },
          {
            "timestamp": "2026-05-28 22:01:57,631",
            "thread_id": "5448",
            "caller": "0x7ff6c28b714e",
            "parentcaller": "0x7ff6c28b6b0a",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000005b4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100021",
                "pretty_value": "FILE_READ_ACCESS|FILE_EXECUTE|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\samlib.dll"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 3714
          },
          {
            "timestamp": "2026-05-28 22:01:57,631",
            "thread_id": "5448",
            "caller": "0x7ff6c28b714e",
            "parentcaller": "0x7ff6c28b6b0a",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x000005c8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0000000d",
                "pretty_value": "SECTION_QUERY|SECTION_MAP_READ|SECTION_MAP_EXECUTE"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x000005b4"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\samlib.dll"
              }
            ],
            "repeated": 0,
            "id": 3715
          },
          {
            "timestamp": "2026-05-28 22:01:57,631",
            "thread_id": "5448",
            "caller": "0x7ff6c28b714e",
            "parentcaller": "0x7ff6c28b6b0a",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x000005c8"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc72af0000"
              },
              {
                "name": "SectionOffset",
                "value": "0x00000000"
              },
              {
                "name": "ViewSize",
                "value": "0x00028000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000080",
                "pretty_value": "PAGE_EXECUTE_WRITECOPY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 3716
          },
          {
            "timestamp": "2026-05-28 22:01:57,631",
            "thread_id": "5448",
            "caller": "0x7ff6c28b714e",
            "parentcaller": "0x7ff6c28b6b0a",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc72b15000"
              },
              {
                "name": "ModuleName",
                "value": "SAMLIB.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 3717
          },
          {
            "timestamp": "2026-05-28 22:01:57,631",
            "thread_id": "5448",
            "caller": "0x7ff6c28b714e",
            "parentcaller": "0x7ff6c28b6b0a",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc72b0a000"
              },
              {
                "name": "ModuleName",
                "value": "SAMLIB.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 3718
          },
          {
            "timestamp": "2026-05-28 22:01:57,631",
            "thread_id": "5448",
            "caller": "0x7ff6c28b714e",
            "parentcaller": "0x7ff6c28b6b0a",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc72b0a000"
              },
              {
                "name": "ModuleName",
                "value": "SAMLIB.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 3719
          },
          {
            "timestamp": "2026-05-28 22:01:57,631",
            "thread_id": "5448",
            "caller": "0x7ff6c28b714e",
            "parentcaller": "0x7ff6c28b6b0a",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc72b0a000"
              },
              {
                "name": "ModuleName",
                "value": "SAMLIB.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 3720
          },
          {
            "timestamp": "2026-05-28 22:01:57,631",
            "thread_id": "5448",
            "caller": "0x7ff6c28b714e",
            "parentcaller": "0x7ff6c28b6b0a",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc72b0a000"
              },
              {
                "name": "ModuleName",
                "value": "SAMLIB.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 3721
          },
          {
            "timestamp": "2026-05-28 22:01:57,631",
            "thread_id": "5448",
            "caller": "0x7ff6c28b714e",
            "parentcaller": "0x7ff6c28b6b0a",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc72b0a000"
              },
              {
                "name": "ModuleName",
                "value": "SAMLIB.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 3722
          },
          {
            "timestamp": "2026-05-28 22:01:57,631",
            "thread_id": "5448",
            "caller": "0x7ff6c28b714e",
            "parentcaller": "0x7ff6c28b6b0a",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005c8"
              }
            ],
            "repeated": 0,
            "id": 3723
          },
          {
            "timestamp": "2026-05-28 22:01:57,631",
            "thread_id": "5448",
            "caller": "0x7ff6c28b714e",
            "parentcaller": "0x7ff6c28b6b0a",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b4"
              }
            ],
            "repeated": 0,
            "id": 3724
          },
          {
            "timestamp": "2026-05-28 22:01:57,631",
            "thread_id": "5448",
            "caller": "0x7ff6c28b714e",
            "parentcaller": "0x7ff6c28b6b0a",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc72b0a000"
              },
              {
                "name": "ModuleName",
                "value": "SAMLIB.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 3725
          },
          {
            "timestamp": "2026-05-28 22:01:57,631",
            "thread_id": "5448",
            "caller": "0x7ff6c28b714e",
            "parentcaller": "0x7ff6c28b6b0a",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\system32\\SAMLIB"
              },
              {
                "name": "DllBase",
                "value": "0x7ffc72af0000"
              }
            ],
            "repeated": 0,
            "id": 3726
          },
          {
            "timestamp": "2026-05-28 22:01:57,631",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "synchronization",
            "api": "NtReleaseMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              }
            ],
            "repeated": 256,
            "id": 3727
          },
          {
            "timestamp": "2026-05-28 22:01:57,631",
            "thread_id": "1496",
            "caller": "0x7ff6c28d2f41",
            "parentcaller": "0x7ff6c28d467a",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00000042"
              },
              {
                "name": "uiParam",
                "value": "0x00000010"
              }
            ],
            "repeated": 0,
            "id": 3728
          },
          {
            "timestamp": "2026-05-28 22:01:57,631",
            "thread_id": "2700",
            "caller": "0x7ffc756e54eb",
            "parentcaller": "0x7ffc77b98ce0",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "10"
              },
              {
                "name": "TokenInformation",
                "value": " \\xdc\t\\x00\\x00\\x00\\x00\\x00]Y\\x02\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x7f\\x02\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x94\\x0f\\x00\\x00\\x0e\\x00\\x00\\x00\\x18\\x00\\x00\\x00\\xbcY\\x02\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 3729
          },
          {
            "timestamp": "2026-05-28 22:01:57,631",
            "thread_id": "2700",
            "caller": "0x7ffc756e6785",
            "parentcaller": "0x7ffc77b98c8a",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005ac"
              }
            ],
            "repeated": 0,
            "id": 3730
          },
          {
            "timestamp": "2026-05-28 22:01:57,631",
            "thread_id": "1496",
            "caller": "0x7ff6c28d2f41",
            "parentcaller": "0x7ff6c28d467a",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00000042"
              },
              {
                "name": "uiParam",
                "value": "0x00000010"
              }
            ],
            "repeated": 1,
            "id": 3731
          },
          {
            "timestamp": "2026-05-28 22:01:57,631",
            "thread_id": "2700",
            "caller": "0x7ffc77bf0e98",
            "parentcaller": "0x7ffc77c6b785",
            "category": "windows",
            "api": "PostMessageW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "WindowHandle",
                "value": "0x00010438"
              },
              {
                "name": "Message",
                "value": "0x00000400"
              }
            ],
            "repeated": 2,
            "id": 3732
          },
          {
            "timestamp": "2026-05-28 22:01:57,631",
            "thread_id": "1496",
            "caller": "0x7ff6c290f575",
            "parentcaller": "0x7ff6c290fee6",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00000042"
              },
              {
                "name": "uiParam",
                "value": "0x00000010"
              }
            ],
            "repeated": 1,
            "id": 3733
          },
          {
            "timestamp": "2026-05-28 22:01:57,631",
            "thread_id": "1004",
            "caller": "0x7ffc77bf0e98",
            "parentcaller": "0x7ffc77c6b785",
            "category": "windows",
            "api": "PostMessageW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "WindowHandle",
                "value": "0x00010438"
              },
              {
                "name": "Message",
                "value": "0x00000400"
              }
            ],
            "repeated": 1,
            "id": 3734
          },
          {
            "timestamp": "2026-05-28 22:01:57,631",
            "thread_id": "1496",
            "caller": "0x7ff6c290f5a9",
            "parentcaller": "0x7ff6c290fee6",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00000042"
              },
              {
                "name": "uiParam",
                "value": "0x00000010"
              }
            ],
            "repeated": 1,
            "id": 3735
          },
          {
            "timestamp": "2026-05-28 22:01:57,631",
            "thread_id": "1004",
            "caller": "0x7ffc77bf0e98",
            "parentcaller": "0x7ffc77c6b785",
            "category": "windows",
            "api": "PostMessageW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "WindowHandle",
                "value": "0x00010438"
              },
              {
                "name": "Message",
                "value": "0x00000400"
              }
            ],
            "repeated": 3,
            "id": 3736
          },
          {
            "timestamp": "2026-05-28 22:01:57,631",
            "thread_id": "5448",
            "caller": "0x7ff6c28b714e",
            "parentcaller": "0x7ff6c28b6b0a",
            "category": "system",
            "api": "LdrpCallInitRoutine",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "MappedPath",
                "value": "\\Device\\HarddiskVolume2\\Windows\\System32\\samlib"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc72af0000"
              },
              {
                "name": "InitRoutine",
                "value": "0x7ffc72af3de0"
              },
              {
                "name": "Reason",
                "value": "1"
              }
            ],
            "repeated": 0,
            "id": 3737
          },
          {
            "timestamp": "2026-05-28 22:01:57,631",
            "thread_id": "5448",
            "caller": "0x7ff6c28b714e",
            "parentcaller": "0x7ff6c28b6b0a",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc6bb16000"
              },
              {
                "name": "ModuleName",
                "value": "samcli.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 3738
          },
          {
            "timestamp": "2026-05-28 22:01:57,631",
            "thread_id": "5448",
            "caller": "0x7ff6c28b714e",
            "parentcaller": "0x7ff6c28b6b0a",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc6bb16000"
              },
              {
                "name": "ModuleName",
                "value": "samcli.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 3739
          },
          {
            "timestamp": "2026-05-28 22:01:57,631",
            "thread_id": "1276",
            "caller": "0x7ffc7804507d",
            "parentcaller": "0x7ffc78044c43",
            "category": "threading",
            "api": "NtTestAlert",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 3740
          },
          {
            "timestamp": "2026-05-28 22:01:57,631",
            "thread_id": "1276",
            "caller": "0x00000000",
            "parentcaller": "0x00000000",
            "category": "threading",
            "api": "RtlUserThreadStart",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "StartAddress",
                "value": "0x7ffc78022b30"
              },
              {
                "name": "Parameter",
                "value": "0x2924e1f0b50"
              }
            ],
            "repeated": 0,
            "id": 3741
          },
          {
            "timestamp": "2026-05-28 22:01:57,631",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "filesystem",
            "api": "NtReadFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000005a8"
              },
              {
                "name": "HandleName",
                "value": "C:\\Users\\admin\\AppData\\Local\\IconCache.db"
              },
              {
                "name": "Buffer",
                "value": "\\x0b\\x00s\\x00h\\x00e\\x00l\\x00l\\x003\\x002\\x00.\\x00d\\x00l\\x00l\\x00\r\\xff\\xff\\xff\\x81\\x00\\x0b\\x00s\\x00h\\x00e\\x00l\\x00l\\x003\\x002\\x00.\\x00d\\x00l\\x00l\\x00\\x85\\xbe\\xff\\xff\\x81\\x00\\x0b\\x00s\\x00h\\x00e\\x00l\\x00l\\x003\\x002\\x00.\\x00d\\x00l\\x00l\\x00\\x86\\xbe\\xff\\xff\\x81\\x00\\x0c\\x00i\\x00m\\x00a\\x00g\\x00e\\x00r\\x00e\\x00s\\x00.\\x00d\\x00l\\x00l\\x00J\\xeb\\xff\\xff\\x81\\x00\\x0c\\x00i\\x00m\\x00a\\x00g\\x00e\\x00r\\x00e\\x00s\\x00.\\x00d\\x00l\\x00l\\x00K\\xeb\\xff\\xff\\x81\\x00\\x0c\\x00i\\x00m\\x00a\\x00g\\x00e\\x00r\\x00e\\x00s\\x00.\\x00d\\x00l\\x00l\\x00I\\xeb\\xff\\xff\\x81\\x00\\x0c\\x00i\\x00m\\x00a\\x00g\\x00e\\x00r\\x00e\\x00s\\x00.\\x00d\\x00l\\x00l\\x00H\\xeb\\xff\\xff\\x81\\x00\\x0c\\x00i\\x00m\\x00a\\x00g\\x00e\\x00r\\x00e\\x00s\\x00.\\x00d\\x00l\\x00l\\x00E\\xeb\\xff\\xff\\x81\\x00\\x0c\\x00i\\x00m\\x00"
              },
              {
                "name": "Length",
                "value": "4096"
              }
            ],
            "repeated": 0,
            "id": 3742
          },
          {
            "timestamp": "2026-05-28 22:01:57,646",
            "thread_id": "5448",
            "caller": "0x7ff6c28b714e",
            "parentcaller": "0x7ff6c28b6b0a",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc72b15000"
              },
              {
                "name": "ModuleName",
                "value": "SAMLIB.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 3743
          },
          {
            "timestamp": "2026-05-28 22:01:57,646",
            "thread_id": "5448",
            "caller": "0x7ff6c28b714e",
            "parentcaller": "0x7ff6c28b6b0a",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc72b15000"
              },
              {
                "name": "ModuleName",
                "value": "SAMLIB.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 3744
          },
          {
            "timestamp": "2026-05-28 22:01:57,646",
            "thread_id": "5448",
            "caller": "0x7ff6c28b714e",
            "parentcaller": "0x7ff6c28b6b0a",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "29"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 3745
          },
          {
            "timestamp": "2026-05-28 22:01:57,646",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "filesystem",
            "api": "NtReadFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000005a8"
              },
              {
                "name": "HandleName",
                "value": "C:\\Users\\admin\\AppData\\Local\\IconCache.db"
              },
              {
                "name": "Buffer",
                "value": "r\\x00o\\x00a\\x00m\\x00i\\x00n\\x00g\\x00\\\\x00m\\x00i\\x00c\\x00r\\x00o\\x00s\\x00o\\x00f\\x00t\\x00\\\\x00i\\x00n\\x00t\\x00e\\x00r\\x00n\\x00e\\x00t\\x00 \\x00e\\x00x\\x00p\\x00l\\x00o\\x00r\\x00e\\x00r\\x00\\\\x00q\\x00u\\x00i\\x00c\\x00k\\x00 \\x00l\\x00a\\x00u\\x00n\\x00c\\x00h\\x00\\\\x00u\\x00s\\x00e\\x00r\\x00 \\x00p\\x00i\\x00n\\x00n\\x00e\\x00d\\x00\\\\x00t\\x00a\\x00s\\x00k\\x00b\\x00a\\x00r\\x00\\\\x00m\\x00i\\x00c\\x00r\\x00o\\x00s\\x00o\\x00f\\x00t\\x00 \\x00e\\x00d\\x00g\\x00e\\x00.\\x00l\\x00n\\x00k\\x00\\x86U\\x11\\x08\\x00\\x00\\x00\\x80\\xff\\xff\\xff\\xffm\\x00c\\x00:\\x00\\\\x00u\\x00s\\x00e\\x00r\\x00s\\x00\\\\x00a\\x00d\\x00m\\x00i\\x00n\\x00\\\\x00a\\x00p\\x00p\\x00d\\x00a\\x00t\\x00a\\x00\\\\x00r\\x00o\\x00a\\x00m\\x00i\\x00n\\x00g\\x00\\\\x00m\\x00i\\x00c\\x00"
              },
              {
                "name": "Length",
                "value": "8180"
              }
            ],
            "repeated": 0,
            "id": 3746
          },
          {
            "timestamp": "2026-05-28 22:01:57,646",
            "thread_id": "5448",
            "caller": "0x7ff6c28dd762",
            "parentcaller": "0x7ff6c28e129b",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x000005dc"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0000000d",
                "pretty_value": "SECTION_QUERY|SECTION_MAP_READ|SECTION_MAP_EXECUTE"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x000005d8"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\netutils.dll"
              }
            ],
            "repeated": 0,
            "id": 3747
          },
          {
            "timestamp": "2026-05-28 22:01:57,646",
            "thread_id": "5448",
            "caller": "0x7ff6c28dd762",
            "parentcaller": "0x7ff6c28e129b",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x000005dc"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc74b80000"
              },
              {
                "name": "SectionOffset",
                "value": "0x00000000"
              },
              {
                "name": "ViewSize",
                "value": "0x0000c000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000080",
                "pretty_value": "PAGE_EXECUTE_WRITECOPY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 3748
          },
          {
            "timestamp": "2026-05-28 22:01:57,646",
            "thread_id": "5448",
            "caller": "0x7ff6c28dd762",
            "parentcaller": "0x7ff6c28e129b",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc74b86000"
              },
              {
                "name": "ModuleName",
                "value": "netutils.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 3749
          },
          {
            "timestamp": "2026-05-28 22:01:57,646",
            "thread_id": "5448",
            "caller": "0x7ff6c28dd762",
            "parentcaller": "0x7ff6c28e129b",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc74b86000"
              },
              {
                "name": "ModuleName",
                "value": "netutils.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 3750
          },
          {
            "timestamp": "2026-05-28 22:01:57,646",
            "thread_id": "5448",
            "caller": "0x7ff6c28dd762",
            "parentcaller": "0x7ff6c28e129b",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc74b86000"
              },
              {
                "name": "ModuleName",
                "value": "netutils.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 3751
          },
          {
            "timestamp": "2026-05-28 22:01:57,646",
            "thread_id": "5448",
            "caller": "0x7ff6c28dd762",
            "parentcaller": "0x7ff6c28e129b",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc74b86000"
              },
              {
                "name": "ModuleName",
                "value": "netutils.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 3752
          },
          {
            "timestamp": "2026-05-28 22:01:57,646",
            "thread_id": "5448",
            "caller": "0x7ff6c28dd762",
            "parentcaller": "0x7ff6c28e129b",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc74b86000"
              },
              {
                "name": "ModuleName",
                "value": "netutils.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 3753
          },
          {
            "timestamp": "2026-05-28 22:01:57,646",
            "thread_id": "5448",
            "caller": "0x7ff6c28dd762",
            "parentcaller": "0x7ff6c28e129b",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005dc"
              }
            ],
            "repeated": 0,
            "id": 3754
          },
          {
            "timestamp": "2026-05-28 22:01:57,646",
            "thread_id": "5448",
            "caller": "0x7ff6c28dd762",
            "parentcaller": "0x7ff6c28e129b",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005d8"
              }
            ],
            "repeated": 0,
            "id": 3755
          },
          {
            "timestamp": "2026-05-28 22:01:57,646",
            "thread_id": "5448",
            "caller": "0x7ff6c28dd762",
            "parentcaller": "0x7ff6c28e129b",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc74b86000"
              },
              {
                "name": "ModuleName",
                "value": "netutils.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 3756
          },
          {
            "timestamp": "2026-05-28 22:01:57,646",
            "thread_id": "5448",
            "caller": "0x7ff6c28dd762",
            "parentcaller": "0x7ff6c28e129b",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\system32\\netutils"
              },
              {
                "name": "DllBase",
                "value": "0x7ffc74b80000"
              }
            ],
            "repeated": 0,
            "id": 3757
          },
          {
            "timestamp": "2026-05-28 22:01:57,646",
            "thread_id": "5448",
            "caller": "0x7ff6c28dd762",
            "parentcaller": "0x7ff6c28e129b",
            "category": "system",
            "api": "LdrpCallInitRoutine",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "MappedPath",
                "value": "\\Device\\HarddiskVolume2\\Windows\\System32\\netutils"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc74b80000"
              },
              {
                "name": "InitRoutine",
                "value": "0x7ffc74b81ce0"
              },
              {
                "name": "Reason",
                "value": "1"
              }
            ],
            "repeated": 0,
            "id": 3758
          },
          {
            "timestamp": "2026-05-28 22:01:57,646",
            "thread_id": "5448",
            "caller": "0x7ff6c28dd762",
            "parentcaller": "0x7ff6c28e129b",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff6c29dc000"
              },
              {
                "name": "ModuleName",
                "value": "taskmgr.exe"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 3759
          },
          {
            "timestamp": "2026-05-28 22:01:57,646",
            "thread_id": "5448",
            "caller": "0x7ff6c28dd762",
            "parentcaller": "0x7ff6c28e129b",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff6c29dc000"
              },
              {
                "name": "ModuleName",
                "value": "taskmgr.exe"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 3760
          },
          {
            "timestamp": "2026-05-28 22:01:57,646",
            "thread_id": "5448",
            "caller": "0x7ff6c28b702a",
            "parentcaller": "0x7ff6c28b6b22",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x000005d8"
              }
            ],
            "repeated": 0,
            "id": 3761
          },
          {
            "timestamp": "2026-05-28 22:01:57,646",
            "thread_id": "5448",
            "caller": "0x7ff6c28b702a",
            "parentcaller": "0x7ff6c28b6b22",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005d8"
              }
            ],
            "repeated": 0,
            "id": 3762
          },
          {
            "timestamp": "2026-05-28 22:01:57,646",
            "thread_id": "5448",
            "caller": "0x7ff6c28b702a",
            "parentcaller": "0x7ff6c28b6b22",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "29"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 3763
          },
          {
            "timestamp": "2026-05-28 22:01:57,646",
            "thread_id": "5448",
            "caller": "0x7ff6c28b702a",
            "parentcaller": "0x7ff6c28b6b22",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 1,
            "id": 3764
          },
          {
            "timestamp": "2026-05-28 22:01:57,646",
            "thread_id": "5448",
            "caller": "0x7ffc78013f7a",
            "parentcaller": "0x7ffc770b0ed7",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "29"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 3765
          },
          {
            "timestamp": "2026-05-28 22:01:57,646",
            "thread_id": "5448",
            "caller": "0x7ff6c28b702a",
            "parentcaller": "0x7ff6c28b6b22",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 1,
            "id": 3766
          },
          {
            "timestamp": "2026-05-28 22:01:57,646",
            "thread_id": "5448",
            "caller": "0x7ff6c28b702a",
            "parentcaller": "0x7ff6c28b6b22",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "29"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 3767
          },
          {
            "timestamp": "2026-05-28 22:01:57,646",
            "thread_id": "5448",
            "caller": "0x7ff6c28b702a",
            "parentcaller": "0x7ff6c28b6b22",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 1,
            "id": 3768
          },
          {
            "timestamp": "2026-05-28 22:01:57,646",
            "thread_id": "5448",
            "caller": "0x7ff6c28b702a",
            "parentcaller": "0x7ff6c28b6b22",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "29"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 3769
          },
          {
            "timestamp": "2026-05-28 22:01:57,646",
            "thread_id": "5448",
            "caller": "0x7ff6c28b702a",
            "parentcaller": "0x7ff6c28b6b22",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 1,
            "id": 3770
          },
          {
            "timestamp": "2026-05-28 22:01:57,646",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005a8"
              }
            ],
            "repeated": 0,
            "id": 3771
          },
          {
            "timestamp": "2026-05-28 22:01:57,646",
            "thread_id": "5448",
            "caller": "0x7ff6c28b6f26",
            "parentcaller": "0x7ff6c28b6b30",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x000005d8"
              }
            ],
            "repeated": 0,
            "id": 3772
          },
          {
            "timestamp": "2026-05-28 22:01:57,646",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              }
            ],
            "repeated": 0,
            "id": 3773
          },
          {
            "timestamp": "2026-05-28 22:01:57,646",
            "thread_id": "5448",
            "caller": "0x7ff6c28b6f26",
            "parentcaller": "0x7ff6c28b6b30",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "12"
              },
              {
                "name": "TokenInformation",
                "value": "\\x01\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 3774
          },
          {
            "timestamp": "2026-05-28 22:01:57,646",
            "thread_id": "5448",
            "caller": "0x7ff6c28b6f26",
            "parentcaller": "0x7ff6c28b6b30",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005d8"
              }
            ],
            "repeated": 0,
            "id": 3775
          },
          {
            "timestamp": "2026-05-28 22:01:57,646",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Icons"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Icons"
              }
            ],
            "repeated": 3,
            "id": 3776
          },
          {
            "timestamp": "2026-05-28 22:01:57,646",
            "thread_id": "5448",
            "caller": "0x7ff6c28b6f26",
            "parentcaller": "0x7ff6c28b6b30",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "29"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 3777
          },
          {
            "timestamp": "2026-05-28 22:01:57,646",
            "thread_id": "5448",
            "caller": "0x7ff6c28b6f26",
            "parentcaller": "0x7ff6c28b6b30",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 1,
            "id": 3778
          },
          {
            "timestamp": "2026-05-28 22:01:57,646",
            "thread_id": "5448",
            "caller": "0x7ff6c28b6f26",
            "parentcaller": "0x7ff6c28b6b30",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "29"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 3779
          },
          {
            "timestamp": "2026-05-28 22:01:57,646",
            "thread_id": "5448",
            "caller": "0x7ff6c28b6f26",
            "parentcaller": "0x7ff6c28b6b30",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 1,
            "id": 3780
          },
          {
            "timestamp": "2026-05-28 22:01:57,646",
            "thread_id": "5448",
            "caller": "0x7ff6c28b6f26",
            "parentcaller": "0x7ff6c28b6b30",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "29"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 3781
          },
          {
            "timestamp": "2026-05-28 22:01:57,646",
            "thread_id": "5448",
            "caller": "0x7ff6c28b6f26",
            "parentcaller": "0x7ff6c28b6b30",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 1,
            "id": 3782
          },
          {
            "timestamp": "2026-05-28 22:01:57,646",
            "thread_id": "5448",
            "caller": "0x7ff6c28b6f26",
            "parentcaller": "0x7ff6c28b6b30",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "29"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 3783
          },
          {
            "timestamp": "2026-05-28 22:01:57,646",
            "thread_id": "5448",
            "caller": "0x7ff6c28b6f26",
            "parentcaller": "0x7ff6c28b6b30",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 1,
            "id": 3784
          },
          {
            "timestamp": "2026-05-28 22:01:57,646",
            "thread_id": "5448",
            "caller": "0x7ff6c28b6f26",
            "parentcaller": "0x7ff6c28b6b30",
            "category": "system",
            "api": "NtQuerySystemTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 3785
          },
          {
            "timestamp": "2026-05-28 22:01:57,646",
            "thread_id": "5448",
            "caller": "0x7ff6c28b6f26",
            "parentcaller": "0x7ff6c28b6b30",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x000005d8"
              }
            ],
            "repeated": 0,
            "id": 3786
          },
          {
            "timestamp": "2026-05-28 22:01:57,646",
            "thread_id": "5448",
            "caller": "0x7ff6c28b6f26",
            "parentcaller": "0x7ff6c28b6b30",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "12"
              },
              {
                "name": "TokenInformation",
                "value": "\\x01\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 3787
          },
          {
            "timestamp": "2026-05-28 22:01:57,646",
            "thread_id": "5448",
            "caller": "0x7ff6c28b6f26",
            "parentcaller": "0x7ff6c28b6b30",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005d8"
              }
            ],
            "repeated": 0,
            "id": 3788
          },
          {
            "timestamp": "2026-05-28 22:01:57,646",
            "thread_id": "5448",
            "caller": "0x7ff6c28b6dc5",
            "parentcaller": "0x7ff6c28b6b3b",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc69d11000"
              },
              {
                "name": "ModuleName",
                "value": "Windows.UI.Immersive.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 3789
          },
          {
            "timestamp": "2026-05-28 22:01:57,646",
            "thread_id": "5448",
            "caller": "0x7ff6c28b6dc5",
            "parentcaller": "0x7ff6c28b6b3b",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc69d11000"
              },
              {
                "name": "ModuleName",
                "value": "Windows.UI.Immersive.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 3790
          },
          {
            "timestamp": "2026-05-28 22:01:57,646",
            "thread_id": "5448",
            "caller": "0x7ff6c28b6dc5",
            "parentcaller": "0x7ff6c28b6b3b",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer"
              },
              {
                "name": "Handle",
                "value": "0x000005d8"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer"
              }
            ],
            "repeated": 0,
            "id": 3791
          },
          {
            "timestamp": "2026-05-28 22:01:57,646",
            "thread_id": "5448",
            "caller": "0x7ff6c28b6dc5",
            "parentcaller": "0x7ff6c28b6b3b",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005d8"
              },
              {
                "name": "ValueName",
                "value": "UseDefaultTile"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\UseDefaultTile"
              }
            ],
            "repeated": 0,
            "id": 3792
          },
          {
            "timestamp": "2026-05-28 22:01:57,646",
            "thread_id": "5448",
            "caller": "0x7ff6c28b6dc5",
            "parentcaller": "0x7ff6c28b6b3b",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005d8"
              }
            ],
            "repeated": 0,
            "id": 3793
          },
          {
            "timestamp": "2026-05-28 22:01:57,646",
            "thread_id": "5448",
            "caller": "0x7ff6c28b6dc5",
            "parentcaller": "0x7ff6c28b6b3b",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000001",
                "pretty_value": "HKEY_CURRENT_USER"
              },
              {
                "name": "SubKey",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer"
              }
            ],
            "repeated": 0,
            "id": 3794
          },
          {
            "timestamp": "2026-05-28 22:01:57,646",
            "thread_id": "5448",
            "caller": "0x7ff6c28b6dc5",
            "parentcaller": "0x7ff6c28b6b3b",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc69d12000"
              },
              {
                "name": "ModuleName",
                "value": "Windows.UI.Immersive.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 3795
          },
          {
            "timestamp": "2026-05-28 22:01:57,646",
            "thread_id": "5448",
            "caller": "0x7ff6c28b6dc5",
            "parentcaller": "0x7ff6c28b6b3b",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc69d12000"
              },
              {
                "name": "ModuleName",
                "value": "Windows.UI.Immersive.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 3796
          },
          {
            "timestamp": "2026-05-28 22:01:57,646",
            "thread_id": "5448",
            "caller": "0x7ff6c28b6dc5",
            "parentcaller": "0x7ff6c28b6b3b",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\AccountPicture\\Users\\S-1-5-21-3968686040-3210279463-847977608-1001"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\AccountPicture\\Users\\S-1-5-21-3968686040-3210279463-847977608-1001"
              }
            ],
            "repeated": 0,
            "id": 3797
          },
          {
            "timestamp": "2026-05-28 22:01:57,646",
            "thread_id": "5448",
            "caller": "0x7ff6c28b6dc5",
            "parentcaller": "0x7ff6c28b6b3b",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc77657000"
              },
              {
                "name": "ModuleName",
                "value": "SHCORE.DLL"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 3798
          },
          {
            "timestamp": "2026-05-28 22:01:57,646",
            "thread_id": "5448",
            "caller": "0x7ff6c28b6dc5",
            "parentcaller": "0x7ff6c28b6b3b",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc77657000"
              },
              {
                "name": "ModuleName",
                "value": "SHCORE.DLL"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 3799
          },
          {
            "timestamp": "2026-05-28 22:01:57,646",
            "thread_id": "5448",
            "caller": "0x7ff6c28b6dc5",
            "parentcaller": "0x7ff6c28b6b3b",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc77657000"
              },
              {
                "name": "ModuleName",
                "value": "SHCORE.DLL"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 3800
          },
          {
            "timestamp": "2026-05-28 22:01:57,646",
            "thread_id": "5448",
            "caller": "0x7ff6c28b6dc5",
            "parentcaller": "0x7ff6c28b6b3b",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc77657000"
              },
              {
                "name": "ModuleName",
                "value": "SHCORE.DLL"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 3801
          },
          {
            "timestamp": "2026-05-28 22:01:57,646",
            "thread_id": "5448",
            "caller": "0x7ff6c28b6dc5",
            "parentcaller": "0x7ff6c28b6b3b",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 3802
          },
          {
            "timestamp": "2026-05-28 22:01:57,646",
            "thread_id": "5448",
            "caller": "0x7ff6c28b6dc5",
            "parentcaller": "0x7ff6c28b6b3b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000000d4"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 3803
          },
          {
            "timestamp": "2026-05-28 22:01:57,646",
            "thread_id": "5448",
            "caller": "0x7ff6c28b6dc5",
            "parentcaller": "0x7ff6c28b6b3b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000000d4"
              },
              {
                "name": "ObjectAttributesName",
                "value": "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Scaling"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Scaling"
              }
            ],
            "repeated": 0,
            "id": 3804
          },
          {
            "timestamp": "2026-05-28 22:01:57,646",
            "thread_id": "5448",
            "caller": "0x7ff6c28b6dc5",
            "parentcaller": "0x7ff6c28b6b3b",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 3805
          },
          {
            "timestamp": "2026-05-28 22:01:57,646",
            "thread_id": "5448",
            "caller": "0x7ff6c28b6dc5",
            "parentcaller": "0x7ff6c28b6b3b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000000d4"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 3806
          },
          {
            "timestamp": "2026-05-28 22:01:57,646",
            "thread_id": "5448",
            "caller": "0x7ff6c28b6dc5",
            "parentcaller": "0x7ff6c28b6b3b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000000d4"
              },
              {
                "name": "ObjectAttributesName",
                "value": "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Scaling"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Scaling"
              }
            ],
            "repeated": 0,
            "id": 3807
          },
          {
            "timestamp": "2026-05-28 22:01:57,646",
            "thread_id": "5448",
            "caller": "0x7ff6c28b6dc5",
            "parentcaller": "0x7ff6c28b6b3b",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 3808
          },
          {
            "timestamp": "2026-05-28 22:01:57,646",
            "thread_id": "5448",
            "caller": "0x7ff6c28b6dc5",
            "parentcaller": "0x7ff6c28b6b3b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000000d4"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 3809
          },
          {
            "timestamp": "2026-05-28 22:01:57,646",
            "thread_id": "5448",
            "caller": "0x7ff6c28b6dc5",
            "parentcaller": "0x7ff6c28b6b3b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000000d4"
              },
              {
                "name": "ObjectAttributesName",
                "value": "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Scaling"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Scaling"
              }
            ],
            "repeated": 0,
            "id": 3810
          },
          {
            "timestamp": "2026-05-28 22:01:57,646",
            "thread_id": "5448",
            "caller": "0x7ff6c28b6dc5",
            "parentcaller": "0x7ff6c28b6b3b",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 3811
          },
          {
            "timestamp": "2026-05-28 22:01:57,646",
            "thread_id": "5448",
            "caller": "0x7ff6c28b6dc5",
            "parentcaller": "0x7ff6c28b6b3b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000000d4"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 3812
          },
          {
            "timestamp": "2026-05-28 22:01:57,646",
            "thread_id": "5448",
            "caller": "0x7ff6c28b6dc5",
            "parentcaller": "0x7ff6c28b6b3b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000000d4"
              },
              {
                "name": "ObjectAttributesName",
                "value": "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Scaling"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Scaling"
              }
            ],
            "repeated": 0,
            "id": 3813
          },
          {
            "timestamp": "2026-05-28 22:01:57,646",
            "thread_id": "5448",
            "caller": "0x7ff6c28b50a7",
            "parentcaller": "0x7ff6c28b501f",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "COMCTL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc61e00000"
              },
              {
                "name": "FunctionName",
                "value": "DPA_InsertPtr"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc61e83970"
              }
            ],
            "repeated": 0,
            "id": 3814
          },
          {
            "timestamp": "2026-05-28 22:01:57,646",
            "thread_id": "5448",
            "caller": "0x7ff6c28c4a58",
            "parentcaller": "0x7ff6c28c4bdc",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000410"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\PcwDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00224013"
              },
              {
                "name": "InputBuffer",
                "value": "\\x14\\x04\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": "\\xb8\\x01\\x00\\x00\\x10\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xa8\\x01\\x00\\x00 \\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x000\\x00\\x00\\x0c\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00`\\x00\\x00\\x00\\x00\\x00\\x00\\x00 \\x00\\x00\\x00\\x04\\x00\\x00\\x000\\x00,\\x000\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x04\\x00\\x08\\x00\\xb6\\xfb\\\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x05\\x00\\x08\\x00\\x1c{?\\x01\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x1a\\x00\\x08\\x000Tz{\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x1b\\x00\\x04\\x00Sn\\x8a\\x02\\x00\\x00\\x00\\x00`\\x00\\x00\\x00\\x01\\x00\\x00\\x00 \\x00\\x00\\x00\\x04\\x00\\x00\\x000\\x00,\\x001\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x04\\x00\\x08\\x00\\x0eT8\\x01\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x05\\x00\\x08\\x00\\xc2\\xeb\\x0b\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x1a\\x00\\x08\\x00\\x83\\x15\\x8a{\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x1b\\x00\\x04\\x00Zn\\x8a\\x02\\x00\\x00\\x00\\x00h\\x00\\x00\\x00\\x02\\x00\\x00\\x00(\\x00\\x00\\x00\\x04\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 3815
          },
          {
            "timestamp": "2026-05-28 22:01:57,646",
            "thread_id": "5448",
            "caller": "0x7ff6c28c4a58",
            "parentcaller": "0x7ff6c28c4c19",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000410"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\PcwDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00224013"
              },
              {
                "name": "InputBuffer",
                "value": "\\x18\\x04\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": "x\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00h\\x00\\x00\\x00 \\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00H\\x00\\x00\\x00\\x00\\x00\\x00\\x00(\\x00\\x00\\x00\\x02\\x00\\x00\\x00d\\x00e\\x00f\\x00a\\x00u\\x00l\\x00t\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x08\\x00k\\xfa\\xb1\\x88\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x01\\x00\\x08\\x00\\x00\\xce\\x0e\n\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 3816
          },
          {
            "timestamp": "2026-05-28 22:01:57,646",
            "thread_id": "5448",
            "caller": "0x7ff6c28c6f7b",
            "parentcaller": "0x7ff6c28bdb94",
            "category": "misc",
            "api": "GlobalMemoryStatusEx",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "MemoryLoad",
                "value": "32"
              },
              {
                "name": "TotalPhysicalMB",
                "value": "8191"
              }
            ],
            "repeated": 0,
            "id": 3817
          },
          {
            "timestamp": "2026-05-28 22:01:57,646",
            "thread_id": "5448",
            "caller": "0x7ff6c28c05ac",
            "parentcaller": "0x7ff6c28bdc11",
            "category": "process",
            "api": "NtOpenProcess",
            "status": false,
            "return": "0xffffffffc0000022",
            "pretty_return": "ACCESS_DENIED",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x2924e26cd50"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001400",
                "pretty_value": "PROCESS_QUERY_INFORMATION|PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "92"
              }
            ],
            "repeated": 0,
            "id": 3818
          },
          {
            "timestamp": "2026-05-28 22:01:57,646",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c3e56",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000005e4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001000",
                "pretty_value": "PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "92"
              },
              {
                "name": "ProcessName",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 3819
          },
          {
            "timestamp": "2026-05-28 22:01:57,646",
            "thread_id": "5448",
            "caller": "0x7ff6c28c3ebb",
            "parentcaller": "0x7ff6c28c2d53",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005e4"
              }
            ],
            "repeated": 0,
            "id": 3820
          },
          {
            "timestamp": "2026-05-28 22:01:57,646",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x292543c0002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\system32\\ntoskrnl.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 3821
          },
          {
            "timestamp": "2026-05-28 22:01:57,646",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x292543c0000"
              },
              {
                "name": "RegionSize",
                "value": "0x01046000"
              }
            ],
            "repeated": 0,
            "id": 3822
          },
          {
            "timestamp": "2026-05-28 22:01:57,662",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x292543c0002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\system32\\ntoskrnl.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 3823
          },
          {
            "timestamp": "2026-05-28 22:01:57,662",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x292543c0000"
              },
              {
                "name": "RegionSize",
                "value": "0x01046000"
              }
            ],
            "repeated": 0,
            "id": 3824
          },
          {
            "timestamp": "2026-05-28 22:01:57,662",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c3746",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000005b0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001000",
                "pretty_value": "PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "92"
              },
              {
                "name": "ProcessName",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 3825
          },
          {
            "timestamp": "2026-05-28 22:01:57,662",
            "thread_id": "5448",
            "caller": "0x7ff6c28c472e",
            "parentcaller": "0x7ff6c28c375e",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000005b0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x000005a8"
              }
            ],
            "repeated": 0,
            "id": 3826
          },
          {
            "timestamp": "2026-05-28 22:01:57,662",
            "thread_id": "5448",
            "caller": "0x7ff6c28c4764",
            "parentcaller": "0x7ff6c28c375e",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "39"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 3827
          },
          {
            "timestamp": "2026-05-28 22:01:57,662",
            "thread_id": "5448",
            "caller": "0x7ff6c28c47ed",
            "parentcaller": "0x7ff6c28c375e",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "39"
              },
              {
                "name": "TokenInformation",
                "value": "\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 3828
          },
          {
            "timestamp": "2026-05-28 22:01:57,662",
            "thread_id": "5448",
            "caller": "0x7ff6c28c488d",
            "parentcaller": "0x7ff6c28c375e",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005a8"
              }
            ],
            "repeated": 0,
            "id": 3829
          },
          {
            "timestamp": "2026-05-28 22:01:57,662",
            "thread_id": "5448",
            "caller": "0x7ff6c28c3779",
            "parentcaller": "0x7ff6c28c31c6",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              }
            ],
            "repeated": 0,
            "id": 3830
          },
          {
            "timestamp": "2026-05-28 22:01:57,662",
            "thread_id": "5448",
            "caller": "0x7ff6c28c05ac",
            "parentcaller": "0x7ff6c28bdc11",
            "category": "process",
            "api": "NtOpenProcess",
            "status": false,
            "return": "0xffffffffc0000022",
            "pretty_return": "ACCESS_DENIED",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x2924e26cd50"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001400",
                "pretty_value": "PROCESS_QUERY_INFORMATION|PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "428"
              }
            ],
            "repeated": 0,
            "id": 3831
          },
          {
            "timestamp": "2026-05-28 22:01:57,662",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c3e56",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000005b0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001000",
                "pretty_value": "PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "428"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\System32\\csrss.exe"
              }
            ],
            "repeated": 0,
            "id": 3832
          },
          {
            "timestamp": "2026-05-28 22:01:57,662",
            "thread_id": "5448",
            "caller": "0x7ff6c28c3ebb",
            "parentcaller": "0x7ff6c28c2d53",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              }
            ],
            "repeated": 0,
            "id": 3833
          },
          {
            "timestamp": "2026-05-28 22:01:57,662",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c3ffc",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000005b0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001000",
                "pretty_value": "PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "428"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\System32\\csrss.exe"
              }
            ],
            "repeated": 0,
            "id": 3834
          },
          {
            "timestamp": "2026-05-28 22:01:57,662",
            "thread_id": "5448",
            "caller": "0x7ff6c28c4224",
            "parentcaller": "0x7ff6c28c2da5",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              }
            ],
            "repeated": 0,
            "id": 3835
          },
          {
            "timestamp": "2026-05-28 22:01:57,662",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x292543c0002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\System32\\csrss.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 3836
          },
          {
            "timestamp": "2026-05-28 22:01:57,662",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76e56000"
              },
              {
                "name": "ModuleName",
                "value": "SHELL32.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 3837
          },
          {
            "timestamp": "2026-05-28 22:01:57,662",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76e56000"
              },
              {
                "name": "ModuleName",
                "value": "SHELL32.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 3838
          },
          {
            "timestamp": "2026-05-28 22:01:57,662",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 3839
          },
          {
            "timestamp": "2026-05-28 22:01:57,662",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000000d4"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 3840
          },
          {
            "timestamp": "2026-05-28 22:01:57,662",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000005d4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000000d4"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer"
              }
            ],
            "repeated": 0,
            "id": 3841
          },
          {
            "timestamp": "2026-05-28 22:01:57,662",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000005b0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100001",
                "pretty_value": "FILE_READ_ACCESS|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\en-US\\csrss.exe.mui"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 3842
          },
          {
            "timestamp": "2026-05-28 22:01:57,662",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005d4"
              },
              {
                "name": "ValueName",
                "value": "GlobalAssocChangedCounter"
              },
              {
                "name": "Data",
                "value": "5"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\GlobalAssocChangedCounter"
              }
            ],
            "repeated": 0,
            "id": 3843
          },
          {
            "timestamp": "2026-05-28 22:01:57,662",
            "thread_id": "612",
            "caller": "0x7ff6c296ebac",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005d4"
              }
            ],
            "repeated": 0,
            "id": 3844
          },
          {
            "timestamp": "2026-05-28 22:01:57,662",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76e56000"
              },
              {
                "name": "ModuleName",
                "value": "SHELL32.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 3845
          },
          {
            "timestamp": "2026-05-28 22:01:57,662",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76e56000"
              },
              {
                "name": "ModuleName",
                "value": "SHELL32.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 3846
          },
          {
            "timestamp": "2026-05-28 22:01:57,662",
            "thread_id": "5448",
            "caller": "0x7ffc7801bb82",
            "parentcaller": "0x7ffc7801b99e",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x000005a8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x000005b0"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\en-US\\csrss.exe.mui"
              }
            ],
            "repeated": 0,
            "id": 3847
          },
          {
            "timestamp": "2026-05-28 22:01:57,662",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x000005a8"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x292543d0000"
              },
              {
                "name": "SectionOffset",
                "value": "0xf09ddfcf90"
              },
              {
                "name": "ViewSize",
                "value": "0x00001000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 3848
          },
          {
            "timestamp": "2026-05-28 22:01:57,662",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005a8"
              }
            ],
            "repeated": 0,
            "id": 3849
          },
          {
            "timestamp": "2026-05-28 22:01:57,662",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x292543d0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              }
            ],
            "repeated": 0,
            "id": 3850
          },
          {
            "timestamp": "2026-05-28 22:01:57,662",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              }
            ],
            "repeated": 0,
            "id": 3851
          },
          {
            "timestamp": "2026-05-28 22:01:57,662",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x292543c0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00007000"
              }
            ],
            "repeated": 0,
            "id": 3852
          },
          {
            "timestamp": "2026-05-28 22:01:57,662",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x292543c0002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\System32\\csrss.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 3853
          },
          {
            "timestamp": "2026-05-28 22:01:57,662",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "registry",
            "api": "NtOpenKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\en-US"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\en-US"
              }
            ],
            "repeated": 0,
            "id": 3854
          },
          {
            "timestamp": "2026-05-28 22:01:57,662",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000005a8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100001",
                "pretty_value": "FILE_READ_ACCESS|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\en-US\\csrss.exe.mui"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 3855
          },
          {
            "timestamp": "2026-05-28 22:01:57,662",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x000005e4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x000005a8"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\en-US\\csrss.exe.mui"
              }
            ],
            "repeated": 0,
            "id": 3856
          },
          {
            "timestamp": "2026-05-28 22:01:57,662",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x000005e4"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x292543d0000"
              },
              {
                "name": "SectionOffset",
                "value": "0xf09ddfcf80"
              },
              {
                "name": "ViewSize",
                "value": "0x00001000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 3857
          },
          {
            "timestamp": "2026-05-28 22:01:57,662",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005e4"
              }
            ],
            "repeated": 0,
            "id": 3858
          },
          {
            "timestamp": "2026-05-28 22:01:57,662",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x292543d0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              }
            ],
            "repeated": 0,
            "id": 3859
          },
          {
            "timestamp": "2026-05-28 22:01:57,662",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005a8"
              }
            ],
            "repeated": 0,
            "id": 3860
          },
          {
            "timestamp": "2026-05-28 22:01:57,662",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x292543c0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00007000"
              }
            ],
            "repeated": 0,
            "id": 3861
          },
          {
            "timestamp": "2026-05-28 22:01:57,662",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c38f8",
            "category": "process",
            "api": "NtOpenProcess",
            "status": false,
            "return": "0xffffffffc0000022",
            "pretty_return": "ACCESS_DENIED",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x7ffc756dad9e"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001410",
                "pretty_value": "PROCESS_VM_READ|PROCESS_QUERY_INFORMATION|PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "428"
              }
            ],
            "repeated": 0,
            "id": 3862
          },
          {
            "timestamp": "2026-05-28 22:01:57,662",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c3746",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000005a8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001000",
                "pretty_value": "PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "428"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\System32\\csrss.exe"
              }
            ],
            "repeated": 0,
            "id": 3863
          },
          {
            "timestamp": "2026-05-28 22:01:57,662",
            "thread_id": "5448",
            "caller": "0x7ff6c28c472e",
            "parentcaller": "0x7ff6c28c375e",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000005a8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x000005e4"
              }
            ],
            "repeated": 0,
            "id": 3864
          },
          {
            "timestamp": "2026-05-28 22:01:57,662",
            "thread_id": "5448",
            "caller": "0x7ff6c28c4764",
            "parentcaller": "0x7ff6c28c375e",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "39"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 3865
          },
          {
            "timestamp": "2026-05-28 22:01:57,662",
            "thread_id": "5448",
            "caller": "0x7ff6c28c47ed",
            "parentcaller": "0x7ff6c28c375e",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "39"
              },
              {
                "name": "TokenInformation",
                "value": "\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00 S\\x1cT\\x92\\x02\\x00\\x00 \\x00 \\x00\\x00\\x00\\x00\\x00HS\\x1cT\\x92\\x02\\x00\\x00\\x02\\x00\\x00\\x00A\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00hS\\x1cT\\x92\\x02\\x00\\x00T\\x00S\\x00A\\x00:\\x00/\\x00/\\x00P\\x00r\\x00o\\x00c\\x00U\\x00n\\x00i\\x00q\\x00u\\x00e\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xd1_\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 3866
          },
          {
            "timestamp": "2026-05-28 22:01:57,662",
            "thread_id": "5448",
            "caller": "0x7ff6c28c488d",
            "parentcaller": "0x7ff6c28c375e",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005e4"
              }
            ],
            "repeated": 0,
            "id": 3867
          },
          {
            "timestamp": "2026-05-28 22:01:57,662",
            "thread_id": "5448",
            "caller": "0x7ff6c28c3779",
            "parentcaller": "0x7ff6c28c31c6",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005a8"
              }
            ],
            "repeated": 0,
            "id": 3868
          },
          {
            "timestamp": "2026-05-28 22:01:57,662",
            "thread_id": "5448",
            "caller": "0x7ff6c28c05ac",
            "parentcaller": "0x7ff6c28bdc11",
            "category": "process",
            "api": "NtOpenProcess",
            "status": false,
            "return": "0xffffffffc0000022",
            "pretty_return": "ACCESS_DENIED",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x2924e26cd50"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001400",
                "pretty_value": "PROCESS_QUERY_INFORMATION|PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "512"
              }
            ],
            "repeated": 0,
            "id": 3869
          },
          {
            "timestamp": "2026-05-28 22:01:57,662",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\System32\\thumbcache"
              },
              {
                "name": "DllBase",
                "value": "0x7ffc5f2a0000"
              }
            ],
            "repeated": 0,
            "id": 3870
          },
          {
            "timestamp": "2026-05-28 22:01:57,662",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c3e56",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000005a8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001000",
                "pretty_value": "PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "512"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\System32\\csrss.exe"
              }
            ],
            "repeated": 0,
            "id": 3871
          },
          {
            "timestamp": "2026-05-28 22:01:57,662",
            "thread_id": "5448",
            "caller": "0x7ff6c28c3ebb",
            "parentcaller": "0x7ff6c28c2d53",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005a8"
              }
            ],
            "repeated": 0,
            "id": 3872
          },
          {
            "timestamp": "2026-05-28 22:01:57,662",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c3ffc",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000005a8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001000",
                "pretty_value": "PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "512"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\System32\\csrss.exe"
              }
            ],
            "repeated": 0,
            "id": 3873
          },
          {
            "timestamp": "2026-05-28 22:01:57,662",
            "thread_id": "5448",
            "caller": "0x7ff6c28c4224",
            "parentcaller": "0x7ff6c28c2da5",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005a8"
              }
            ],
            "repeated": 0,
            "id": 3874
          },
          {
            "timestamp": "2026-05-28 22:01:57,662",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x292543c0002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\System32\\csrss.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 3875
          },
          {
            "timestamp": "2026-05-28 22:01:57,662",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "registry",
            "api": "NtOpenKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\en-US"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\en-US"
              }
            ],
            "repeated": 0,
            "id": 3876
          },
          {
            "timestamp": "2026-05-28 22:01:57,662",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000005a8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100001",
                "pretty_value": "FILE_READ_ACCESS|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\en-US\\csrss.exe.mui"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 3877
          },
          {
            "timestamp": "2026-05-28 22:01:57,662",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x000005e4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x000005a8"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\en-US\\csrss.exe.mui"
              }
            ],
            "repeated": 0,
            "id": 3878
          },
          {
            "timestamp": "2026-05-28 22:01:57,662",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x000005e4"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x292543d0000"
              },
              {
                "name": "SectionOffset",
                "value": "0xf09ddfcf90"
              },
              {
                "name": "ViewSize",
                "value": "0x00001000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 3879
          },
          {
            "timestamp": "2026-05-28 22:01:57,662",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005e4"
              }
            ],
            "repeated": 0,
            "id": 3880
          },
          {
            "timestamp": "2026-05-28 22:01:57,662",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x292543d0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              }
            ],
            "repeated": 0,
            "id": 3881
          },
          {
            "timestamp": "2026-05-28 22:01:57,662",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005a8"
              }
            ],
            "repeated": 0,
            "id": 3882
          },
          {
            "timestamp": "2026-05-28 22:01:57,662",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x292543c0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00007000"
              }
            ],
            "repeated": 0,
            "id": 3883
          },
          {
            "timestamp": "2026-05-28 22:01:57,662",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x292543c0002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\System32\\csrss.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 3884
          },
          {
            "timestamp": "2026-05-28 22:01:57,662",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "registry",
            "api": "NtOpenKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\en-US"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\en-US"
              }
            ],
            "repeated": 0,
            "id": 3885
          },
          {
            "timestamp": "2026-05-28 22:01:57,662",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000005a8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100001",
                "pretty_value": "FILE_READ_ACCESS|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\en-US\\csrss.exe.mui"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 3886
          },
          {
            "timestamp": "2026-05-28 22:01:57,662",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\thumbcache.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc5f2a0000"
              }
            ],
            "repeated": 0,
            "id": 3887
          },
          {
            "timestamp": "2026-05-28 22:01:57,662",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005e4"
              }
            ],
            "repeated": 0,
            "id": 3888
          },
          {
            "timestamp": "2026-05-28 22:01:57,662",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x292543d0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              }
            ],
            "repeated": 0,
            "id": 3889
          },
          {
            "timestamp": "2026-05-28 22:01:57,662",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005a8"
              }
            ],
            "repeated": 0,
            "id": 3890
          },
          {
            "timestamp": "2026-05-28 22:01:57,662",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x292543c0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00007000"
              }
            ],
            "repeated": 0,
            "id": 3891
          },
          {
            "timestamp": "2026-05-28 22:01:57,662",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c38f8",
            "category": "process",
            "api": "NtOpenProcess",
            "status": false,
            "return": "0xffffffffc0000022",
            "pretty_return": "ACCESS_DENIED",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x7ffc756dad9e"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001410",
                "pretty_value": "PROCESS_VM_READ|PROCESS_QUERY_INFORMATION|PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "512"
              }
            ],
            "repeated": 0,
            "id": 3892
          },
          {
            "timestamp": "2026-05-28 22:01:57,662",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c3746",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000005a8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001000",
                "pretty_value": "PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "512"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\System32\\csrss.exe"
              }
            ],
            "repeated": 0,
            "id": 3893
          },
          {
            "timestamp": "2026-05-28 22:01:57,662",
            "thread_id": "5448",
            "caller": "0x7ff6c28c472e",
            "parentcaller": "0x7ff6c28c375e",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000005a8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x000005e4"
              }
            ],
            "repeated": 0,
            "id": 3894
          },
          {
            "timestamp": "2026-05-28 22:01:57,662",
            "thread_id": "5448",
            "caller": "0x7ff6c28c4764",
            "parentcaller": "0x7ff6c28c375e",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "39"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 3895
          },
          {
            "timestamp": "2026-05-28 22:01:57,662",
            "thread_id": "5448",
            "caller": "0x7ff6c28c47ed",
            "parentcaller": "0x7ff6c28c375e",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "39"
              },
              {
                "name": "TokenInformation",
                "value": "\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00PV\\x1cT\\x92\\x02\\x00\\x00 \\x00 \\x00\\x00\\x00\\x00\\x00xV\\x1cT\\x92\\x02\\x00\\x00\\x02\\x00\\x00\\x00A\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x98V\\x1cT\\x92\\x02\\x00\\x00T\\x00S\\x00A\\x00:\\x00/\\x00/\\x00P\\x00r\\x00o\\x00c\\x00U\\x00n\\x00i\\x00q\\x00u\\x00e\\x00\\x07\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xc2c\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 3896
          },
          {
            "timestamp": "2026-05-28 22:01:57,662",
            "thread_id": "5448",
            "caller": "0x7ff6c28c488d",
            "parentcaller": "0x7ff6c28c375e",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005e4"
              }
            ],
            "repeated": 0,
            "id": 3897
          },
          {
            "timestamp": "2026-05-28 22:01:57,662",
            "thread_id": "5448",
            "caller": "0x7ff6c28c3779",
            "parentcaller": "0x7ff6c28c31c6",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005a8"
              }
            ],
            "repeated": 0,
            "id": 3898
          },
          {
            "timestamp": "2026-05-28 22:01:57,662",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "2155FEE3-2419-4373-B102-6843707EB41F"
              },
              {
                "name": "ClsContext",
                "value": "0x00000001",
                "pretty_value": "CLSCTX_INPROC_SERVER"
              },
              {
                "name": "riid",
                "value": "F676C15D-596A-4CE2-8234-33996F445DB1"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 3899
          },
          {
            "timestamp": "2026-05-28 22:01:57,662",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76e57000"
              },
              {
                "name": "ModuleName",
                "value": "SHELL32.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 3900
          },
          {
            "timestamp": "2026-05-28 22:01:57,662",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76e57000"
              },
              {
                "name": "ModuleName",
                "value": "SHELL32.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 3901
          },
          {
            "timestamp": "2026-05-28 22:01:57,662",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc77fd0000"
              }
            ],
            "repeated": 0,
            "id": 3902
          },
          {
            "timestamp": "2026-05-28 22:01:57,662",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc77fd0000"
              },
              {
                "name": "FunctionName",
                "value": "RtlDisownModuleHeapAllocation"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc7804fa30"
              }
            ],
            "repeated": 0,
            "id": 3903
          },
          {
            "timestamp": "2026-05-28 22:01:57,662",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000001",
                "pretty_value": "HKEY_CURRENT_USER"
              },
              {
                "name": "SubKey",
                "value": "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\ThumbnailCache"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\ThumbnailCache"
              }
            ],
            "repeated": 0,
            "id": 3904
          },
          {
            "timestamp": "2026-05-28 22:01:57,662",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc5f303000"
              },
              {
                "name": "ModuleName",
                "value": "thumbcache.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 3905
          },
          {
            "timestamp": "2026-05-28 22:01:57,662",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc5f303000"
              },
              {
                "name": "ModuleName",
                "value": "thumbcache.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 3906
          },
          {
            "timestamp": "2026-05-28 22:01:57,662",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "filesystem",
            "api": "CreateDirectoryW",
            "status": false,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "DirectoryName",
                "value": "C:\\Users\\admin"
              }
            ],
            "repeated": 0,
            "id": 3907
          },
          {
            "timestamp": "2026-05-28 22:01:57,662",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Users\\admin"
              }
            ],
            "repeated": 0,
            "id": 3908
          },
          {
            "timestamp": "2026-05-28 22:01:57,662",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 3909
          },
          {
            "timestamp": "2026-05-28 22:01:57,662",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "filesystem",
            "api": "CreateDirectoryW",
            "status": false,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "DirectoryName",
                "value": "C:\\Users\\admin\\AppData\\Local"
              }
            ],
            "repeated": 0,
            "id": 3910
          },
          {
            "timestamp": "2026-05-28 22:01:57,662",
            "thread_id": "5448",
            "caller": "0x7ff6c28c05ac",
            "parentcaller": "0x7ff6c28bdc11",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000005a8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001400",
                "pretty_value": "PROCESS_QUERY_INFORMATION|PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "600"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\System32\\winlogon.exe"
              }
            ],
            "repeated": 0,
            "id": 3911
          },
          {
            "timestamp": "2026-05-28 22:01:57,662",
            "thread_id": "5448",
            "caller": "0x7ff6c28c068f",
            "parentcaller": "0x7ff6c28bdc11",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005a8"
              }
            ],
            "repeated": 0,
            "id": 3912
          },
          {
            "timestamp": "2026-05-28 22:01:57,662",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Users\\admin\\AppData\\Local"
              }
            ],
            "repeated": 0,
            "id": 3913
          },
          {
            "timestamp": "2026-05-28 22:01:57,662",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 3914
          },
          {
            "timestamp": "2026-05-28 22:01:57,662",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x292543c0002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\System32\\winlogon.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 3915
          },
          {
            "timestamp": "2026-05-28 22:01:57,662",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "filesystem",
            "api": "CreateDirectoryW",
            "status": false,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "DirectoryName",
                "value": "C:\\Users\\admin\\AppData\\Local\\Microsoft\\Windows\\Explorer"
              }
            ],
            "repeated": 0,
            "id": 3916
          },
          {
            "timestamp": "2026-05-28 22:01:57,662",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc5f303000"
              },
              {
                "name": "ModuleName",
                "value": "thumbcache.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 3917
          },
          {
            "timestamp": "2026-05-28 22:01:57,662",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc5f303000"
              },
              {
                "name": "ModuleName",
                "value": "thumbcache.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 3918
          },
          {
            "timestamp": "2026-05-28 22:01:57,662",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000005d4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000400",
                "pretty_value": "PROCESS_QUERY_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "7912"
              }
            ],
            "repeated": 0,
            "id": 3919
          },
          {
            "timestamp": "2026-05-28 22:01:57,662",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000005a8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100001",
                "pretty_value": "FILE_READ_ACCESS|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\en-US\\winlogon.exe.mui"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 3920
          },
          {
            "timestamp": "2026-05-28 22:01:57,662",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x000005b0"
              }
            ],
            "repeated": 0,
            "id": 3921
          },
          {
            "timestamp": "2026-05-28 22:01:57,662",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\x10\\xd7\\xff\\x9d\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xf0\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\xe9\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xa0G\\xe1O\\x92\\x02\\x00\\x00\\x00G\\xe1O\\x92\\x02\\x00\\x00\\xa4\\xd3\\x06x\\xfc\\x7f\\x00\\x00\\x7f\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x90T\\xbf3\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00P\\xdc\\xff\\x9d\\xf0\\x00\\x00\\x00\\xb8\\xdb\\xff\\x9d\\xf0\\x00\\x00\\x00z1'Ou\\xc0\\x00\\x00\\x00\\x00\\xaaO\\x92\\x02\\x00\\x00\\x88e._\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 3922
          },
          {
            "timestamp": "2026-05-28 22:01:57,662",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "synchronization",
            "api": "NtCreateEvent",
            "status": true,
            "return": "0x40000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005f4"
              },
              {
                "name": "EventName",
                "value": "Global\\C::Users:admin:AppData:Local:Microsoft:Windows:Explorer:iconcache_idx.db!rwWriterEvent"
              },
              {
                "name": "EventType",
                "value": "0"
              },
              {
                "name": "InitialState",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 3923
          },
          {
            "timestamp": "2026-05-28 22:01:57,662",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              }
            ],
            "repeated": 0,
            "id": 3924
          },
          {
            "timestamp": "2026-05-28 22:01:57,662",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005d4"
              }
            ],
            "repeated": 0,
            "id": 3925
          },
          {
            "timestamp": "2026-05-28 22:01:57,662",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000005d4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000400",
                "pretty_value": "PROCESS_QUERY_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "7912"
              }
            ],
            "repeated": 0,
            "id": 3926
          },
          {
            "timestamp": "2026-05-28 22:01:57,662",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x000005e4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x000005a8"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\en-US\\winlogon.exe.mui"
              }
            ],
            "repeated": 0,
            "id": 3927
          },
          {
            "timestamp": "2026-05-28 22:01:57,662",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "synchronization",
            "api": "NtCreateMutant",
            "status": true,
            "return": "0x40000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005fc"
              },
              {
                "name": "MutexName",
                "value": "Global\\C::Users:admin:AppData:Local:Microsoft:Windows:Explorer:iconcache_32.db!dfMaintainer"
              },
              {
                "name": "InitialOwner",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 3928
          },
          {
            "timestamp": "2026-05-28 22:01:57,662",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x000005e4"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x292544b0000"
              },
              {
                "name": "SectionOffset",
                "value": "0xf09ddfcf90"
              },
              {
                "name": "ViewSize",
                "value": "0x00007000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 3929
          },
          {
            "timestamp": "2026-05-28 22:01:57,662",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              }
            ],
            "repeated": 0,
            "id": 3930
          },
          {
            "timestamp": "2026-05-28 22:01:57,662",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005e4"
              }
            ],
            "repeated": 0,
            "id": 3931
          },
          {
            "timestamp": "2026-05-28 22:01:57,662",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005d4"
              }
            ],
            "repeated": 0,
            "id": 3932
          },
          {
            "timestamp": "2026-05-28 22:01:57,662",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000005d4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000400",
                "pretty_value": "PROCESS_QUERY_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "7912"
              }
            ],
            "repeated": 0,
            "id": 3933
          },
          {
            "timestamp": "2026-05-28 22:01:57,662",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x000005b0"
              }
            ],
            "repeated": 0,
            "id": 3934
          },
          {
            "timestamp": "2026-05-28 22:01:57,662",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x292544b0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00007000"
              }
            ],
            "repeated": 0,
            "id": 3935
          },
          {
            "timestamp": "2026-05-28 22:01:57,662",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "@\\xde\\xff\\x9d\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\xe9\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xe0\\x19\\xecP\\x92\\x02\\x00\\x00;\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xecP\\x92\\x02\\x00\\x00\\xcc\\x02\\xecP\\x92\\x02\\x00\\x00I\\xdf\\xff\\x9d\\xf0\\x00\\x00\\x00\\xb0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xc0\\x0c\\xecP\\x92\\x02\\x00\\x00.l4\\x82\\x8b\\xe9\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x9e\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 3936
          },
          {
            "timestamp": "2026-05-28 22:01:57,662",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005a8"
              }
            ],
            "repeated": 0,
            "id": 3937
          },
          {
            "timestamp": "2026-05-28 22:01:57,662",
            "thread_id": "5448",
            "caller": "0x00000000",
            "parentcaller": "0x00000000",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x292543c0000"
              },
              {
                "name": "RegionSize",
                "value": "0x000e3000"
              }
            ],
            "repeated": 0,
            "id": 3938
          },
          {
            "timestamp": "2026-05-28 22:01:57,662",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "synchronization",
            "api": "NtCreateMutant",
            "status": true,
            "return": "0x40000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005a8"
              },
              {
                "name": "MutexName",
                "value": "Global\\C::Users:admin:AppData:Local:Microsoft:Windows:Explorer:iconcache_48.db!dfMaintainer"
              },
              {
                "name": "InitialOwner",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 3939
          },
          {
            "timestamp": "2026-05-28 22:01:57,662",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              }
            ],
            "repeated": 0,
            "id": 3940
          },
          {
            "timestamp": "2026-05-28 22:01:57,662",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005d4"
              }
            ],
            "repeated": 0,
            "id": 3941
          },
          {
            "timestamp": "2026-05-28 22:01:57,662",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000005d4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000400",
                "pretty_value": "PROCESS_QUERY_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "7912"
              }
            ],
            "repeated": 0,
            "id": 3942
          },
          {
            "timestamp": "2026-05-28 22:01:57,662",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x000005b0"
              }
            ],
            "repeated": 0,
            "id": 3943
          },
          {
            "timestamp": "2026-05-28 22:01:57,662",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x292543c0002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\System32\\winlogon.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 3944
          },
          {
            "timestamp": "2026-05-28 22:01:57,662",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "@\\xde\\xff\\x9d\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\xe9\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xe0\\x19\\xecP\\x92\\x02\\x00\\x00;\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xecP\\x92\\x02\\x00\\x00\\xcc\\x02\\xecP\\x92\\x02\\x00\\x00I\\xdf\\xff\\x9d\\xf0\\x00\\x00\\x00\\xb0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xc0\\x0c\\xecP\\x92\\x02\\x00\\x00.l4\\x82\\x8b\\xe9\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x9e\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 3945
          },
          {
            "timestamp": "2026-05-28 22:01:57,662",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "synchronization",
            "api": "NtCreateMutant",
            "status": true,
            "return": "0x40000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005e4"
              },
              {
                "name": "MutexName",
                "value": "Global\\C::Users:admin:AppData:Local:Microsoft:Windows:Explorer:iconcache_96.db!dfMaintainer"
              },
              {
                "name": "InitialOwner",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 3946
          },
          {
            "timestamp": "2026-05-28 22:01:57,662",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              }
            ],
            "repeated": 0,
            "id": 3947
          },
          {
            "timestamp": "2026-05-28 22:01:57,662",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "registry",
            "api": "NtOpenKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\en-US"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\en-US"
              }
            ],
            "repeated": 0,
            "id": 3948
          },
          {
            "timestamp": "2026-05-28 22:01:57,662",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000005d4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000400",
                "pretty_value": "PROCESS_QUERY_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "7912"
              }
            ],
            "repeated": 0,
            "id": 3949
          },
          {
            "timestamp": "2026-05-28 22:01:57,662",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x000005b0"
              }
            ],
            "repeated": 0,
            "id": 3950
          },
          {
            "timestamp": "2026-05-28 22:01:57,662",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "@\\xde\\xff\\x9d\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\xe9\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xe0\\x19\\xecP\\x92\\x02\\x00\\x00;\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xecP\\x92\\x02\\x00\\x00\\xcc\\x02\\xecP\\x92\\x02\\x00\\x00I\\xdf\\xff\\x9d\\xf0\\x00\\x00\\x00\\xb0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xc0\\x0c\\xecP\\x92\\x02\\x00\\x00.l4\\x82\\x8b\\xe9\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x9e\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 3951
          },
          {
            "timestamp": "2026-05-28 22:01:57,662",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "synchronization",
            "api": "NtCreateMutant",
            "status": true,
            "return": "0x40000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000600"
              },
              {
                "name": "MutexName",
                "value": "Global\\C::Users:admin:AppData:Local:Microsoft:Windows:Explorer:iconcache_256.db!dfMaintainer"
              },
              {
                "name": "InitialOwner",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 3952
          },
          {
            "timestamp": "2026-05-28 22:01:57,662",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              }
            ],
            "repeated": 0,
            "id": 3953
          },
          {
            "timestamp": "2026-05-28 22:01:57,662",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000005d4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000400",
                "pretty_value": "PROCESS_QUERY_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "7912"
              }
            ],
            "repeated": 0,
            "id": 3954
          },
          {
            "timestamp": "2026-05-28 22:01:57,662",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x000005b0"
              }
            ],
            "repeated": 0,
            "id": 3955
          },
          {
            "timestamp": "2026-05-28 22:01:57,662",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "@\\xde\\xff\\x9d\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\xe9\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xe0\\x19\\xecP\\x92\\x02\\x00\\x00;\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xecP\\x92\\x02\\x00\\x00\\xcc\\x02\\xecP\\x92\\x02\\x00\\x00I\\xdf\\xff\\x9d\\xf0\\x00\\x00\\x00\\xb0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xc0\\x0c\\xecP\\x92\\x02\\x00\\x00.l4\\x82\\x8b\\xe9\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x9e\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 3956
          },
          {
            "timestamp": "2026-05-28 22:01:57,662",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "synchronization",
            "api": "NtCreateMutant",
            "status": true,
            "return": "0x40000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000604"
              },
              {
                "name": "MutexName",
                "value": "Global\\C::Users:admin:AppData:Local:Microsoft:Windows:Explorer:iconcache_768.db!dfMaintainer"
              },
              {
                "name": "InitialOwner",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 3957
          },
          {
            "timestamp": "2026-05-28 22:01:57,662",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              }
            ],
            "repeated": 0,
            "id": 3958
          },
          {
            "timestamp": "2026-05-28 22:01:57,662",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005d4"
              }
            ],
            "repeated": 0,
            "id": 3959
          },
          {
            "timestamp": "2026-05-28 22:01:57,662",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000608"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100001",
                "pretty_value": "FILE_READ_ACCESS|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\en-US\\winlogon.exe.mui"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 3960
          },
          {
            "timestamp": "2026-05-28 22:01:57,662",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x000005b0"
              }
            ],
            "repeated": 0,
            "id": 3961
          },
          {
            "timestamp": "2026-05-28 22:01:57,662",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "@\\xde\\xff\\x9d\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\xe9\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xe0\\x19\\xecP\\x92\\x02\\x00\\x00;\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xecP\\x92\\x02\\x00\\x00\\xcc\\x02\\xecP\\x92\\x02\\x00\\x00I\\xdf\\xff\\x9d\\xf0\\x00\\x00\\x00\\xb0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xc0\\x0c\\xecP\\x92\\x02\\x00\\x00.l4\\x82\\x8b\\xe9\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x9e\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 3962
          },
          {
            "timestamp": "2026-05-28 22:01:57,662",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "synchronization",
            "api": "NtCreateMutant",
            "status": true,
            "return": "0x40000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000614"
              },
              {
                "name": "MutexName",
                "value": "Global\\C::Users:admin:AppData:Local:Microsoft:Windows:Explorer:iconcache_1920.db!dfMaintainer"
              },
              {
                "name": "InitialOwner",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 3963
          },
          {
            "timestamp": "2026-05-28 22:01:57,662",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              }
            ],
            "repeated": 0,
            "id": 3964
          },
          {
            "timestamp": "2026-05-28 22:01:57,662",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005d4"
              }
            ],
            "repeated": 0,
            "id": 3965
          },
          {
            "timestamp": "2026-05-28 22:01:57,662",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000005d4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000400",
                "pretty_value": "PROCESS_QUERY_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "7912"
              }
            ],
            "repeated": 0,
            "id": 3966
          },
          {
            "timestamp": "2026-05-28 22:01:57,662",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x000005b0"
              }
            ],
            "repeated": 0,
            "id": 3967
          },
          {
            "timestamp": "2026-05-28 22:01:57,662",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000610"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000608"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\en-US\\winlogon.exe.mui"
              }
            ],
            "repeated": 0,
            "id": 3968
          },
          {
            "timestamp": "2026-05-28 22:01:57,662",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "@\\xde\\xff\\x9d\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\xe9\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xe0\\x19\\xecP\\x92\\x02\\x00\\x00;\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xecP\\x92\\x02\\x00\\x00\\xcc\\x02\\xecP\\x92\\x02\\x00\\x00I\\xdf\\xff\\x9d\\xf0\\x00\\x00\\x00\\xb0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xc0\\x0c\\xecP\\x92\\x02\\x00\\x00.l4\\x82\\x8b\\xe9\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x9e\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 3969
          },
          {
            "timestamp": "2026-05-28 22:01:57,662",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000610"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x292544b0000"
              },
              {
                "name": "SectionOffset",
                "value": "0xf09ddfcf80"
              },
              {
                "name": "ViewSize",
                "value": "0x00007000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 3970
          },
          {
            "timestamp": "2026-05-28 22:01:57,662",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "synchronization",
            "api": "NtCreateMutant",
            "status": true,
            "return": "0x40000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000061c"
              },
              {
                "name": "MutexName",
                "value": "Global\\C::Users:admin:AppData:Local:Microsoft:Windows:Explorer:iconcache_sr.db!dfMaintainer"
              },
              {
                "name": "InitialOwner",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 3971
          },
          {
            "timestamp": "2026-05-28 22:01:57,662",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000610"
              }
            ],
            "repeated": 0,
            "id": 3972
          },
          {
            "timestamp": "2026-05-28 22:01:57,662",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              }
            ],
            "repeated": 0,
            "id": 3973
          },
          {
            "timestamp": "2026-05-28 22:01:57,662",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005d4"
              }
            ],
            "repeated": 0,
            "id": 3974
          },
          {
            "timestamp": "2026-05-28 22:01:57,662",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000005d4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000400",
                "pretty_value": "PROCESS_QUERY_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "7912"
              }
            ],
            "repeated": 0,
            "id": 3975
          },
          {
            "timestamp": "2026-05-28 22:01:57,662",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x292544b0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00007000"
              }
            ],
            "repeated": 0,
            "id": 3976
          },
          {
            "timestamp": "2026-05-28 22:01:57,662",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x000005b0"
              }
            ],
            "repeated": 0,
            "id": 3977
          },
          {
            "timestamp": "2026-05-28 22:01:57,662",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000608"
              }
            ],
            "repeated": 0,
            "id": 3978
          },
          {
            "timestamp": "2026-05-28 22:01:57,662",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "@\\xde\\xff\\x9d\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\xe9\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xe0\\x19\\xecP\\x92\\x02\\x00\\x00;\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xecP\\x92\\x02\\x00\\x00\\xcc\\x02\\xecP\\x92\\x02\\x00\\x00I\\xdf\\xff\\x9d\\xf0\\x00\\x00\\x00\\xb0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xc0\\x0c\\xecP\\x92\\x02\\x00\\x00.l4\\x82\\x8b\\xe9\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x9e\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 3979
          },
          {
            "timestamp": "2026-05-28 22:01:57,662",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "synchronization",
            "api": "NtCreateMutant",
            "status": true,
            "return": "0x40000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000608"
              },
              {
                "name": "MutexName",
                "value": "Global\\C::Users:admin:AppData:Local:Microsoft:Windows:Explorer:iconcache_wide.db!dfMaintainer"
              },
              {
                "name": "InitialOwner",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 3980
          },
          {
            "timestamp": "2026-05-28 22:01:57,662",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x292543c0000"
              },
              {
                "name": "RegionSize",
                "value": "0x000e3000"
              }
            ],
            "repeated": 0,
            "id": 3981
          },
          {
            "timestamp": "2026-05-28 22:01:57,662",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              }
            ],
            "repeated": 0,
            "id": 3982
          },
          {
            "timestamp": "2026-05-28 22:01:57,662",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005d4"
              }
            ],
            "repeated": 0,
            "id": 3983
          },
          {
            "timestamp": "2026-05-28 22:01:57,662",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x000005b0"
              }
            ],
            "repeated": 0,
            "id": 3984
          },
          {
            "timestamp": "2026-05-28 22:01:57,662",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "@\\xde\\xff\\x9d\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\xe9\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xe0\\x19\\xecP\\x92\\x02\\x00\\x00;\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xecP\\x92\\x02\\x00\\x00\\xcc\\x02\\xecP\\x92\\x02\\x00\\x00I\\xdf\\xff\\x9d\\xf0\\x00\\x00\\x00\\xb0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xc0\\x0c\\xecP\\x92\\x02\\x00\\x00.l4\\x82\\x8b\\xe9\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x9e\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 3985
          },
          {
            "timestamp": "2026-05-28 22:01:57,662",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "synchronization",
            "api": "NtCreateMutant",
            "status": true,
            "return": "0x40000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000624"
              },
              {
                "name": "MutexName",
                "value": "Global\\C::Users:admin:AppData:Local:Microsoft:Windows:Explorer:iconcache_exif.db!dfMaintainer"
              },
              {
                "name": "InitialOwner",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 3986
          },
          {
            "timestamp": "2026-05-28 22:01:57,662",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              }
            ],
            "repeated": 0,
            "id": 3987
          },
          {
            "timestamp": "2026-05-28 22:01:57,662",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005d4"
              }
            ],
            "repeated": 0,
            "id": 3988
          },
          {
            "timestamp": "2026-05-28 22:01:57,662",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000005d4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000400",
                "pretty_value": "PROCESS_QUERY_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "7912"
              }
            ],
            "repeated": 0,
            "id": 3989
          },
          {
            "timestamp": "2026-05-28 22:01:57,662",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x000005b0"
              }
            ],
            "repeated": 0,
            "id": 3990
          },
          {
            "timestamp": "2026-05-28 22:01:57,662",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "@\\xde\\xff\\x9d\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\xe9\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xe0\\x19\\xecP\\x92\\x02\\x00\\x00;\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xecP\\x92\\x02\\x00\\x00\\xcc\\x02\\xecP\\x92\\x02\\x00\\x00I\\xdf\\xff\\x9d\\xf0\\x00\\x00\\x00\\xb0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xc0\\x0c\\xecP\\x92\\x02\\x00\\x00.l4\\x82\\x8b\\xe9\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x9e\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 3991
          },
          {
            "timestamp": "2026-05-28 22:01:57,662",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "synchronization",
            "api": "NtCreateMutant",
            "status": true,
            "return": "0x40000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000628"
              },
              {
                "name": "MutexName",
                "value": "Global\\C::Users:admin:AppData:Local:Microsoft:Windows:Explorer:iconcache_wide_alternate.db!dfMaintainer"
              },
              {
                "name": "InitialOwner",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 3992
          },
          {
            "timestamp": "2026-05-28 22:01:57,662",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              }
            ],
            "repeated": 0,
            "id": 3993
          },
          {
            "timestamp": "2026-05-28 22:01:57,662",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005d4"
              }
            ],
            "repeated": 0,
            "id": 3994
          },
          {
            "timestamp": "2026-05-28 22:01:57,662",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000005d4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000400",
                "pretty_value": "PROCESS_QUERY_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "7912"
              }
            ],
            "repeated": 0,
            "id": 3995
          },
          {
            "timestamp": "2026-05-28 22:01:57,662",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x000005b0"
              }
            ],
            "repeated": 0,
            "id": 3996
          },
          {
            "timestamp": "2026-05-28 22:01:57,662",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "@\\xde\\xff\\x9d\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\xe9\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xe0\\x19\\xecP\\x92\\x02\\x00\\x00;\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xecP\\x92\\x02\\x00\\x00\\xcc\\x02\\xecP\\x92\\x02\\x00\\x00I\\xdf\\xff\\x9d\\xf0\\x00\\x00\\x00\\xb0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xc0\\x0c\\xecP\\x92\\x02\\x00\\x00.l4\\x82\\x8b\\xe9\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x9e\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 3997
          },
          {
            "timestamp": "2026-05-28 22:01:57,662",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "synchronization",
            "api": "NtCreateMutant",
            "status": true,
            "return": "0x40000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000062c"
              },
              {
                "name": "MutexName",
                "value": "Global\\C::Users:admin:AppData:Local:Microsoft:Windows:Explorer:iconcache_custom_stream.db!dfMaintainer"
              },
              {
                "name": "InitialOwner",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 3998
          },
          {
            "timestamp": "2026-05-28 22:01:57,662",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              }
            ],
            "repeated": 0,
            "id": 3999
          },
          {
            "timestamp": "2026-05-28 22:01:57,662",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005d4"
              }
            ],
            "repeated": 0,
            "id": 4000
          },
          {
            "timestamp": "2026-05-28 22:01:57,662",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000005d4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000400",
                "pretty_value": "PROCESS_QUERY_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "7912"
              }
            ],
            "repeated": 0,
            "id": 4001
          },
          {
            "timestamp": "2026-05-28 22:01:57,662",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x000005b0"
              }
            ],
            "repeated": 0,
            "id": 4002
          },
          {
            "timestamp": "2026-05-28 22:01:57,662",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "`\\xdf\\xff\\x9d\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00o\\x00m\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\xe9\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x93\\xd1*]\\\\x06\\x00\\x00 \\xe6\\xff\\x9d\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x88e._\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xe8\\xeb\\xff\\x9d\\xf0\\x00\\x00\\x00p\\xc3\\xe8S\\x92\\x02\\x00\\x00p\\xe0\\xff\\x9d\\xf0\\x00\\x00\\x00\\x04\\x01\\x00\\x00\\x00\\x00\\x00\\x00`\\xaa._\\xfc\\x7f\\x00\\x00\\xa71+_\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x06\\x02\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 4003
          },
          {
            "timestamp": "2026-05-28 22:01:57,662",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "synchronization",
            "api": "NtCreateMutant",
            "status": true,
            "return": "0x40000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000630"
              },
              {
                "name": "MutexName",
                "value": "Global\\C::Users:admin:AppData:Local:Microsoft:Windows:Explorer:iconcache_idx.db!IconCacheInit"
              },
              {
                "name": "InitialOwner",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 4004
          },
          {
            "timestamp": "2026-05-28 22:01:57,662",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              }
            ],
            "repeated": 0,
            "id": 4005
          },
          {
            "timestamp": "2026-05-28 22:01:57,662",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005d4"
              }
            ],
            "repeated": 0,
            "id": 4006
          },
          {
            "timestamp": "2026-05-28 22:01:57,662",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Users\\admin\\AppData\\Local\\Microsoft\\Windows\\Explorer\\IconCacheToDelete"
              }
            ],
            "repeated": 0,
            "id": 4007
          },
          {
            "timestamp": "2026-05-28 22:01:57,662",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c38f8",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000610"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001410",
                "pretty_value": "PROCESS_VM_READ|PROCESS_QUERY_INFORMATION|PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "600"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\System32\\winlogon.exe"
              }
            ],
            "repeated": 0,
            "id": 4008
          },
          {
            "timestamp": "2026-05-28 22:01:57,662",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000001",
                "pretty_value": "HKEY_CURRENT_USER"
              },
              {
                "name": "SubKey",
                "value": "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\ThumbnailCache"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\ThumbnailCache"
              }
            ],
            "repeated": 0,
            "id": 4009
          },
          {
            "timestamp": "2026-05-28 22:01:57,662",
            "thread_id": "5448",
            "caller": "0x7ff6c28c5414",
            "parentcaller": "0x7ff6c28c3945",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000610"
              },
              {
                "name": "BaseAddress",
                "value": "0x23e7e591540"
              },
              {
                "name": "Size",
                "value": "0x00000440"
              },
              {
                "name": "Buffer",
                "value": "\\xb2\\x06\\x00\\x00\\xb2\\x06\\x00\\x00\\x01@\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00(\\x00\\x08\\x02\\x00\\x00\\x00\\x00` Y~>\\x02\\x00\\x00@\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00@\\x00B\\x00\\x00\\x00\\x00\\x00\\x90\\x1bY~>\\x02\\x00\\x00\\x18\\x00\\x1a\\x00\\x00\\x00\\x00\\x00\\xd2\\x1bY~>\\x02\\x00\\x000pZ~>\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\xec\\x1bY~>\\x02\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\xee\\x1bY~>\\x02\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\xf0\\x1bY~>\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 4010
          },
          {
            "timestamp": "2026-05-28 22:01:57,662",
            "thread_id": "5448",
            "caller": "0x7ff6c28c545d",
            "parentcaller": "0x7ff6c28c3945",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000610"
              },
              {
                "name": "BaseAddress",
                "value": "0x23e7e591bd2"
              },
              {
                "name": "Size",
                "value": "0x00000018"
              },
              {
                "name": "Buffer",
                "value": "w\\x00i\\x00n\\x00l\\x00o\\x00g\\x00o\\x00n\\x00.\\x00e\\x00x\\x00e\\x00"
              }
            ],
            "repeated": 0,
            "id": 4011
          },
          {
            "timestamp": "2026-05-28 22:01:57,662",
            "thread_id": "5448",
            "caller": "0x7ff6c28c39ad",
            "parentcaller": "0x7ff6c28c31bb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000610"
              }
            ],
            "repeated": 0,
            "id": 4012
          },
          {
            "timestamp": "2026-05-28 22:01:57,662",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c3746",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000610"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001000",
                "pretty_value": "PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "600"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\System32\\winlogon.exe"
              }
            ],
            "repeated": 0,
            "id": 4013
          },
          {
            "timestamp": "2026-05-28 22:01:57,662",
            "thread_id": "5448",
            "caller": "0x7ff6c28c472e",
            "parentcaller": "0x7ff6c28c375e",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000610"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x00000620"
              }
            ],
            "repeated": 0,
            "id": 4014
          },
          {
            "timestamp": "2026-05-28 22:01:57,662",
            "thread_id": "5448",
            "caller": "0x7ff6c28c47ed",
            "parentcaller": "0x7ff6c28c375e",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "39"
              },
              {
                "name": "TokenInformation",
                "value": "\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\xd0\\x94\\x1cT\\x92\\x02\\x00\\x00 \\x00 \\x00\\x00\\x00\\x00\\x00\\xf8\\x94\\x1cT\\x92\\x02\\x00\\x00\\x02\\x00\\x00\\x00A\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x18\\x95\\x1cT\\x92\\x02\\x00\\x00T\\x00S\\x00A\\x00:\\x00/\\x00/\\x00P\\x00r\\x00o\\x00c\\x00U\\x00n\\x00i\\x00q\\x00u\\x00e\\x00\t\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb0g\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 4015
          },
          {
            "timestamp": "2026-05-28 22:01:57,662",
            "thread_id": "5448",
            "caller": "0x7ff6c28c488d",
            "parentcaller": "0x7ff6c28c375e",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000620"
              }
            ],
            "repeated": 0,
            "id": 4016
          },
          {
            "timestamp": "2026-05-28 22:01:57,662",
            "thread_id": "5448",
            "caller": "0x7ff6c28c3779",
            "parentcaller": "0x7ff6c28c31c6",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000610"
              }
            ],
            "repeated": 0,
            "id": 4017
          },
          {
            "timestamp": "2026-05-28 22:01:57,662",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000005d4"
              },
              {
                "name": "DesiredAccess",
                "value": "0xc0100080",
                "pretty_value": "GENERIC_READ|GENERIC_WRITE|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Users\\admin\\AppData\\Local\\Microsoft\\Windows\\Explorer\\iconcache_idx.db"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 4018
          },
          {
            "timestamp": "2026-05-28 22:01:57,662",
            "thread_id": "5448",
            "caller": "0x7ff6c28c05ac",
            "parentcaller": "0x7ff6c28bdc11",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000610"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001400",
                "pretty_value": "PROCESS_QUERY_INFORMATION|PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "740"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\System32\\svchost.exe"
              }
            ],
            "repeated": 0,
            "id": 4019
          },
          {
            "timestamp": "2026-05-28 22:01:57,662",
            "thread_id": "5448",
            "caller": "0x7ff6c28c068f",
            "parentcaller": "0x7ff6c28bdc11",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000610"
              }
            ],
            "repeated": 0,
            "id": 4020
          },
          {
            "timestamp": "2026-05-28 22:01:57,662",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c3e56",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000610"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001000",
                "pretty_value": "PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "740"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\System32\\svchost.exe"
              }
            ],
            "repeated": 0,
            "id": 4021
          },
          {
            "timestamp": "2026-05-28 22:01:57,662",
            "thread_id": "5448",
            "caller": "0x7ff6c28c3ebb",
            "parentcaller": "0x7ff6c28c2d53",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000610"
              }
            ],
            "repeated": 0,
            "id": 4022
          },
          {
            "timestamp": "2026-05-28 22:01:57,662",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c3ffc",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000610"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001000",
                "pretty_value": "PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "740"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\System32\\svchost.exe"
              }
            ],
            "repeated": 0,
            "id": 4023
          },
          {
            "timestamp": "2026-05-28 22:01:57,662",
            "thread_id": "5448",
            "caller": "0x7ff6c28c4224",
            "parentcaller": "0x7ff6c28c2da5",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000610"
              }
            ],
            "repeated": 0,
            "id": 4024
          },
          {
            "timestamp": "2026-05-28 22:01:57,662",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x292543c0002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\System32\\svchost.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 4025
          },
          {
            "timestamp": "2026-05-28 22:01:57,662",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "filesystem",
            "api": "NtSetInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000005d4"
              },
              {
                "name": "HandleName",
                "value": "C:\\Users\\admin\\AppData\\Local\\Microsoft\\Windows\\Explorer\\iconcache_idx.db"
              },
              {
                "name": "FileInformationClass",
                "value": "74"
              },
              {
                "name": "FileInformation",
                "value": "\\x02\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 4026
          },
          {
            "timestamp": "2026-05-28 22:01:57,662",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000005b0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000400",
                "pretty_value": "PROCESS_QUERY_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "7912"
              }
            ],
            "repeated": 0,
            "id": 4027
          },
          {
            "timestamp": "2026-05-28 22:01:57,662",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x00000610"
              }
            ],
            "repeated": 0,
            "id": 4028
          },
          {
            "timestamp": "2026-05-28 22:01:57,662",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\x10\\xe6\\xff\\x9d\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\xe9\\x03\\x00\\x00\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00p\\xc3\\xe8S\\x92\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00H\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00p\\xc3\\xe8S\\x92\\x02\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 4029
          },
          {
            "timestamp": "2026-05-28 22:01:57,662",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "synchronization",
            "api": "NtCreateMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000620"
              },
              {
                "name": "MutexName",
                "value": "Global\\C::Users:admin:AppData:Local:Microsoft:Windows:Explorer:iconcache_idx.db!rwReaderRefs"
              },
              {
                "name": "InitialOwner",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 4030
          },
          {
            "timestamp": "2026-05-28 22:01:57,662",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000610"
              }
            ],
            "repeated": 0,
            "id": 4031
          },
          {
            "timestamp": "2026-05-28 22:01:57,662",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              }
            ],
            "repeated": 0,
            "id": 4032
          },
          {
            "timestamp": "2026-05-28 22:01:57,662",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000634"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100001",
                "pretty_value": "FILE_READ_ACCESS|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\en-US\\svchost.exe.mui"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 4033
          },
          {
            "timestamp": "2026-05-28 22:01:57,662",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000638"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000634"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\en-US\\svchost.exe.mui"
              }
            ],
            "repeated": 0,
            "id": 4034
          },
          {
            "timestamp": "2026-05-28 22:01:57,662",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000638"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x292543d0000"
              },
              {
                "name": "SectionOffset",
                "value": "0xf09ddfcf90"
              },
              {
                "name": "ViewSize",
                "value": "0x00001000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 4035
          },
          {
            "timestamp": "2026-05-28 22:01:57,662",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000638"
              }
            ],
            "repeated": 0,
            "id": 4036
          },
          {
            "timestamp": "2026-05-28 22:01:57,662",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x292543d0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              }
            ],
            "repeated": 0,
            "id": 4037
          },
          {
            "timestamp": "2026-05-28 22:01:57,662",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x000005b0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0007",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ|SECTION_MAP_WRITE"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x000005d4"
              },
              {
                "name": "FileName",
                "value": "C:\\Users\\admin\\AppData\\Local\\Microsoft\\Windows\\Explorer\\iconcache_idx.db"
              }
            ],
            "repeated": 0,
            "id": 4038
          },
          {
            "timestamp": "2026-05-28 22:01:57,662",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "registry",
            "api": "NtOpenKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\en-US"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\en-US"
              }
            ],
            "repeated": 0,
            "id": 4039
          },
          {
            "timestamp": "2026-05-28 22:01:57,662",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x000005b0"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x292543d0000"
              },
              {
                "name": "SectionOffset",
                "value": "0xf09dffe370"
              },
              {
                "name": "ViewSize",
                "value": "0x00008000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 4040
          },
          {
            "timestamp": "2026-05-28 22:01:57,662",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              }
            ],
            "repeated": 0,
            "id": 4041
          },
          {
            "timestamp": "2026-05-28 22:01:57,662",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000620"
              }
            ],
            "repeated": 0,
            "id": 4042
          },
          {
            "timestamp": "2026-05-28 22:01:57,662",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000620"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000400",
                "pretty_value": "PROCESS_QUERY_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "7912"
              }
            ],
            "repeated": 0,
            "id": 4043
          },
          {
            "timestamp": "2026-05-28 22:01:57,662",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x000005b0"
              }
            ],
            "repeated": 0,
            "id": 4044
          },
          {
            "timestamp": "2026-05-28 22:01:57,662",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": " \\xe6\\xff\\x9d\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\xe9\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xf0\\x05\\x00\\x00\\x00\\x00\\x00\\x00 \\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x02\\x00\\x00\\x00\\x00\\x00\\x00]\\xddmu\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00p\\xc3\\xe8S\\x92\\x02\\x00\\x00Z\\x07'Ou\\xc0\\x00\\x00\\x88X\\x1cT\\x92\\x02\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 4045
          },
          {
            "timestamp": "2026-05-28 22:01:57,662",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "synchronization",
            "api": "NtCreateMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000610"
              },
              {
                "name": "MutexName",
                "value": "Global\\C::Users:admin:AppData:Local:Microsoft:Windows:Explorer:iconcache_idx.db!rwReaderRefs"
              },
              {
                "name": "InitialOwner",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 4046
          },
          {
            "timestamp": "2026-05-28 22:01:57,662",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              }
            ],
            "repeated": 0,
            "id": 4047
          },
          {
            "timestamp": "2026-05-28 22:01:57,662",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000620"
              }
            ],
            "repeated": 0,
            "id": 4048
          },
          {
            "timestamp": "2026-05-28 22:01:57,662",
            "thread_id": "612",
            "caller": "0x7ffc756e6785",
            "parentcaller": "0x7ffc5f2a9732",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000610"
              }
            ],
            "repeated": 0,
            "id": 4049
          },
          {
            "timestamp": "2026-05-28 22:01:57,662",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000634"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100001",
                "pretty_value": "FILE_READ_ACCESS|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\en-US\\svchost.exe.mui"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 4050
          },
          {
            "timestamp": "2026-05-28 22:01:57,662",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000620"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000400",
                "pretty_value": "PROCESS_QUERY_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "7912"
              }
            ],
            "repeated": 0,
            "id": 4051
          },
          {
            "timestamp": "2026-05-28 22:01:57,662",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x000005b0"
              }
            ],
            "repeated": 0,
            "id": 4052
          },
          {
            "timestamp": "2026-05-28 22:01:57,662",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xb0\\xe4\\xff\\x9d\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\\\x06\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\xe9\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x10S\\x1cT\\x92\\x02\\x00\\x00t\\x00a\\x00\\\\x00L\\x00o\\x00c\\x00a\\x00l\\x00\\\\x00M\\x00i\\x00c\\x00C\\x00:\\x00\\\\x00U\\x00s\\x00e\\x00r\\x00s\\x00\\\\x00a\\x00d\\x00m\\x00i\\x00n\\x00\\\\x00A\\x00p\\x00p\\x00D\\x00a\\x00t\\x00a\\x00\\\\x00L\\x00o\\x00c\\x00a\\x00l\\x00\\\\x00M\\x00i\\x00c\\x00r\\x00o\\x00s\\x00o\\x00f\\x00t\\x00\\\\x00W\\x00"
              }
            ],
            "repeated": 0,
            "id": 4053
          },
          {
            "timestamp": "2026-05-28 22:01:57,662",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "synchronization",
            "api": "NtCreateMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000063c"
              },
              {
                "name": "MutexName",
                "value": "Global\\C::Users:admin:AppData:Local:Microsoft:Windows:Explorer:iconcache_idx.db!rwReaderRefs"
              },
              {
                "name": "InitialOwner",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 4054
          },
          {
            "timestamp": "2026-05-28 22:01:57,662",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              }
            ],
            "repeated": 0,
            "id": 4055
          },
          {
            "timestamp": "2026-05-28 22:01:57,662",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000620"
              }
            ],
            "repeated": 0,
            "id": 4056
          },
          {
            "timestamp": "2026-05-28 22:01:57,662",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000638"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000634"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\en-US\\svchost.exe.mui"
              }
            ],
            "repeated": 0,
            "id": 4057
          },
          {
            "timestamp": "2026-05-28 22:01:57,662",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000063c"
              }
            ],
            "repeated": 0,
            "id": 4058
          },
          {
            "timestamp": "2026-05-28 22:01:57,662",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              }
            ],
            "repeated": 0,
            "id": 4059
          },
          {
            "timestamp": "2026-05-28 22:01:57,662",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000638"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x292543e0000"
              },
              {
                "name": "SectionOffset",
                "value": "0xf09ddfcf80"
              },
              {
                "name": "ViewSize",
                "value": "0x00001000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 4060
          },
          {
            "timestamp": "2026-05-28 22:01:57,662",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000005b0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000400",
                "pretty_value": "PROCESS_QUERY_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "7912"
              }
            ],
            "repeated": 0,
            "id": 4061
          },
          {
            "timestamp": "2026-05-28 22:01:57,662",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x0000063c"
              }
            ],
            "repeated": 0,
            "id": 4062
          },
          {
            "timestamp": "2026-05-28 22:01:57,662",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x292543e0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              }
            ],
            "repeated": 0,
            "id": 4063
          },
          {
            "timestamp": "2026-05-28 22:01:57,662",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xb0\\xe4\\xff\\x9d\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\\\x06\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\xe9\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x10S\\x1cT\\x92\\x02\\x00\\x00t\\x00a\\x00\\\\x00L\\x00o\\x00c\\x00a\\x00l\\x00\\\\x00M\\x00i\\x00c\\x00C\\x00:\\x00\\\\x00U\\x00s\\x00e\\x00r\\x00s\\x00\\\\x00a\\x00d\\x00m\\x00i\\x00n\\x00\\\\x00A\\x00p\\x00p\\x00D\\x00a\\x00t\\x00a\\x00\\\\x00L\\x00o\\x00c\\x00a\\x00l\\x00\\\\x00M\\x00i\\x00c\\x00r\\x00o\\x00s\\x00o\\x00f\\x00t\\x00\\\\x00W\\x00"
              }
            ],
            "repeated": 0,
            "id": 4064
          },
          {
            "timestamp": "2026-05-28 22:01:57,662",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000634"
              }
            ],
            "repeated": 0,
            "id": 4065
          },
          {
            "timestamp": "2026-05-28 22:01:57,662",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "synchronization",
            "api": "NtCreateMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000620"
              },
              {
                "name": "MutexName",
                "value": "Global\\C::Users:admin:AppData:Local:Microsoft:Windows:Explorer:iconcache_idx.db!rwReaderRefs"
              },
              {
                "name": "InitialOwner",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 4066
          },
          {
            "timestamp": "2026-05-28 22:01:57,662",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000063c"
              }
            ],
            "repeated": 0,
            "id": 4067
          },
          {
            "timestamp": "2026-05-28 22:01:57,662",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x292543c0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              }
            ],
            "repeated": 0,
            "id": 4068
          },
          {
            "timestamp": "2026-05-28 22:01:57,662",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              }
            ],
            "repeated": 0,
            "id": 4069
          },
          {
            "timestamp": "2026-05-28 22:01:57,662",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000620"
              }
            ],
            "repeated": 0,
            "id": 4070
          },
          {
            "timestamp": "2026-05-28 22:01:57,662",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000620"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000400",
                "pretty_value": "PROCESS_QUERY_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "7912"
              }
            ],
            "repeated": 0,
            "id": 4071
          },
          {
            "timestamp": "2026-05-28 22:01:57,662",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x000005b0"
              }
            ],
            "repeated": 0,
            "id": 4072
          },
          {
            "timestamp": "2026-05-28 22:01:57,662",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "P\\xe5\\xff\\x9d\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\\\x00E\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\xe9\\x03\\x00\\x00c\\x00h\\x00e\\x00_\\x001\\x006\\x00.\\x00d\\x00b\\x00\\x00\\x00\\x98\\xe5\\xff\\x9d\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00,\\x00\\x00\\x00\\xfc\\x7f\\x00\\x00\\x01\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xc0\\xe5\\xff\\x9d\\xf0\\x00\\x00\\x00\\x02\\x00P\\x00\\x01\\x00\\x00\\x00\\x00\\x00$\\x00\\x00\\x00\\x00\\x10\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec"
              }
            ],
            "repeated": 0,
            "id": 4073
          },
          {
            "timestamp": "2026-05-28 22:01:57,662",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "synchronization",
            "api": "NtCreateMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000063c"
              },
              {
                "name": "MutexName",
                "value": "Global\\C::Users:admin:AppData:Local:Microsoft:Windows:Explorer:iconcache_idx.db!rwReaderRefs"
              },
              {
                "name": "InitialOwner",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 4074
          },
          {
            "timestamp": "2026-05-28 22:01:57,662",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              }
            ],
            "repeated": 0,
            "id": 4075
          },
          {
            "timestamp": "2026-05-28 22:01:57,662",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000620"
              }
            ],
            "repeated": 0,
            "id": 4076
          },
          {
            "timestamp": "2026-05-28 22:01:57,662",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000063c"
              }
            ],
            "repeated": 0,
            "id": 4077
          },
          {
            "timestamp": "2026-05-28 22:01:57,662",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x0000063c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000400",
                "pretty_value": "PROCESS_QUERY_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "7912"
              }
            ],
            "repeated": 0,
            "id": 4078
          },
          {
            "timestamp": "2026-05-28 22:01:57,662",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x00000620"
              }
            ],
            "repeated": 0,
            "id": 4079
          },
          {
            "timestamp": "2026-05-28 22:01:57,662",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xb0\\xe4\\xff\\x9d\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\\\x06\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\xe9\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x10S\\x1cT\\x92\\x02\\x00\\x00t\\x00a\\x00\\\\x00L\\x00o\\x00c\\x00a\\x00l\\x00\\\\x00M\\x00i\\x00c\\x00C\\x00:\\x00\\\\x00U\\x00s\\x00e\\x00r\\x00s\\x00\\\\x00a\\x00d\\x00m\\x00i\\x00n\\x00\\\\x00A\\x00p\\x00p\\x00D\\x00a\\x00t\\x00a\\x00\\\\x00L\\x00o\\x00c\\x00a\\x00l\\x00\\\\x00M\\x00i\\x00c\\x00r\\x00o\\x00s\\x00o\\x00f\\x00t\\x00\\\\x00W\\x00"
              }
            ],
            "repeated": 0,
            "id": 4080
          },
          {
            "timestamp": "2026-05-28 22:01:57,662",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "synchronization",
            "api": "NtCreateMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              },
              {
                "name": "MutexName",
                "value": "Global\\C::Users:admin:AppData:Local:Microsoft:Windows:Explorer:iconcache_idx.db!rwReaderRefs"
              },
              {
                "name": "InitialOwner",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 4081
          },
          {
            "timestamp": "2026-05-28 22:01:57,662",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000620"
              }
            ],
            "repeated": 0,
            "id": 4082
          },
          {
            "timestamp": "2026-05-28 22:01:57,662",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000063c"
              }
            ],
            "repeated": 0,
            "id": 4083
          },
          {
            "timestamp": "2026-05-28 22:01:57,662",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              }
            ],
            "repeated": 0,
            "id": 4084
          },
          {
            "timestamp": "2026-05-28 22:01:57,662",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000005b0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000400",
                "pretty_value": "PROCESS_QUERY_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "7912"
              }
            ],
            "repeated": 0,
            "id": 4085
          },
          {
            "timestamp": "2026-05-28 22:01:57,662",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x0000063c"
              }
            ],
            "repeated": 0,
            "id": 4086
          },
          {
            "timestamp": "2026-05-28 22:01:57,662",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "P\\xe5\\xff\\x9d\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\\\x00E\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\xe9\\x03\\x00\\x00c\\x00h\\x00e\\x00_\\x001\\x006\\x00.\\x00d\\x00b\\x00\\x00\\x00\\x98\\xe5\\xff\\x9d\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00,\\x00\\x00\\x00\\xfc\\x7f\\x00\\x00\\x01\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xc0\\xe5\\xff\\x9d\\xf0\\x00\\x00\\x00\\x02\\x00P\\x00\\x01\\x00\\x00\\x00\\x00\\x00$\\x00\\x00\\x00\\x00\\x10\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec"
              }
            ],
            "repeated": 0,
            "id": 4087
          },
          {
            "timestamp": "2026-05-28 22:01:57,662",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "synchronization",
            "api": "NtCreateMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000620"
              },
              {
                "name": "MutexName",
                "value": "Global\\C::Users:admin:AppData:Local:Microsoft:Windows:Explorer:iconcache_idx.db!rwReaderRefs"
              },
              {
                "name": "InitialOwner",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 4088
          },
          {
            "timestamp": "2026-05-28 22:01:57,662",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000063c"
              }
            ],
            "repeated": 0,
            "id": 4089
          },
          {
            "timestamp": "2026-05-28 22:01:57,662",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              }
            ],
            "repeated": 0,
            "id": 4090
          },
          {
            "timestamp": "2026-05-28 22:01:57,662",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000620"
              }
            ],
            "repeated": 0,
            "id": 4091
          },
          {
            "timestamp": "2026-05-28 22:01:57,662",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000620"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000400",
                "pretty_value": "PROCESS_QUERY_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "7912"
              }
            ],
            "repeated": 0,
            "id": 4092
          },
          {
            "timestamp": "2026-05-28 22:01:57,662",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x000005b0"
              }
            ],
            "repeated": 0,
            "id": 4093
          },
          {
            "timestamp": "2026-05-28 22:01:57,662",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xb0\\xe4\\xff\\x9d\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\\\x06\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\xe9\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x10S\\x1cT\\x92\\x02\\x00\\x00t\\x00a\\x00\\\\x00L\\x00o\\x00c\\x00a\\x00l\\x00\\\\x00M\\x00i\\x00c\\x00C\\x00:\\x00\\\\x00U\\x00s\\x00e\\x00r\\x00s\\x00\\\\x00a\\x00d\\x00m\\x00i\\x00n\\x00\\\\x00A\\x00p\\x00p\\x00D\\x00a\\x00t\\x00a\\x00\\\\x00L\\x00o\\x00c\\x00a\\x00l\\x00\\\\x00M\\x00i\\x00c\\x00r\\x00o\\x00s\\x00o\\x00f\\x00t\\x00\\\\x00W\\x00"
              }
            ],
            "repeated": 0,
            "id": 4094
          },
          {
            "timestamp": "2026-05-28 22:01:57,662",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "synchronization",
            "api": "NtCreateMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000063c"
              },
              {
                "name": "MutexName",
                "value": "Global\\C::Users:admin:AppData:Local:Microsoft:Windows:Explorer:iconcache_idx.db!rwReaderRefs"
              },
              {
                "name": "InitialOwner",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 4095
          },
          {
            "timestamp": "2026-05-28 22:01:57,662",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              }
            ],
            "repeated": 0,
            "id": 4096
          },
          {
            "timestamp": "2026-05-28 22:01:57,662",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000620"
              }
            ],
            "repeated": 0,
            "id": 4097
          },
          {
            "timestamp": "2026-05-28 22:01:57,662",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000063c"
              }
            ],
            "repeated": 0,
            "id": 4098
          },
          {
            "timestamp": "2026-05-28 22:01:57,662",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x0000063c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000400",
                "pretty_value": "PROCESS_QUERY_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "7912"
              }
            ],
            "repeated": 0,
            "id": 4099
          },
          {
            "timestamp": "2026-05-28 22:01:57,662",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x00000620"
              }
            ],
            "repeated": 0,
            "id": 4100
          },
          {
            "timestamp": "2026-05-28 22:01:57,662",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "P\\xe5\\xff\\x9d\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\\\x00E\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\xe9\\x03\\x00\\x00c\\x00h\\x00e\\x00_\\x001\\x006\\x00.\\x00d\\x00b\\x00\\x00\\x00\\x98\\xe5\\xff\\x9d\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00,\\x00\\x00\\x00\\xfc\\x7f\\x00\\x00\\x01\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xc0\\xe5\\xff\\x9d\\xf0\\x00\\x00\\x00\\x02\\x00P\\x00\\x01\\x00\\x00\\x00\\x00\\x00$\\x00\\x00\\x00\\x00\\x10\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec"
              }
            ],
            "repeated": 0,
            "id": 4101
          },
          {
            "timestamp": "2026-05-28 22:01:57,662",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "synchronization",
            "api": "NtCreateMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              },
              {
                "name": "MutexName",
                "value": "Global\\C::Users:admin:AppData:Local:Microsoft:Windows:Explorer:iconcache_idx.db!rwReaderRefs"
              },
              {
                "name": "InitialOwner",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 4102
          },
          {
            "timestamp": "2026-05-28 22:01:57,662",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000620"
              }
            ],
            "repeated": 0,
            "id": 4103
          },
          {
            "timestamp": "2026-05-28 22:01:57,662",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000063c"
              }
            ],
            "repeated": 0,
            "id": 4104
          },
          {
            "timestamp": "2026-05-28 22:01:57,662",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              }
            ],
            "repeated": 0,
            "id": 4105
          },
          {
            "timestamp": "2026-05-28 22:01:57,662",
            "thread_id": "5448",
            "caller": "0x00000000",
            "parentcaller": "0x00000000",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000634"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001410",
                "pretty_value": "PROCESS_VM_READ|PROCESS_QUERY_INFORMATION|PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "740"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\System32\\svchost.exe"
              }
            ],
            "repeated": 0,
            "id": 4106
          },
          {
            "timestamp": "2026-05-28 22:01:57,662",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000005b0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000400",
                "pretty_value": "PROCESS_QUERY_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "7912"
              }
            ],
            "repeated": 0,
            "id": 4107
          },
          {
            "timestamp": "2026-05-28 22:01:57,662",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x0000063c"
              }
            ],
            "repeated": 0,
            "id": 4108
          },
          {
            "timestamp": "2026-05-28 22:01:57,662",
            "thread_id": "5448",
            "caller": "0x7ff6c28c53e5",
            "parentcaller": "0x7ff6c28c3945",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000634"
              },
              {
                "name": "BaseAddress",
                "value": "0x754bf29000"
              },
              {
                "name": "Size",
                "value": "0x000007c8"
              },
              {
                "name": "Buffer",
                "value": "\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x006\\x80\\xf7\\x7f\\x00\\x00\\xc0\\xc4\\x13x\\xfc\\x7f\\x00\\x00p2 \\xc8\t\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x0f\\xc8\t\\x02\\x00\\x00\\xe0\\xc0\\x13x\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00p\\x003v\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\n\\xc8\t\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00@\\xc4\\x13x\\xfc\\x7f\\x00\\x00\\xff\\xff\\xff\\xff\\x0f\\x00\\x00\\x00\\x00\\x00\\xb3\\xe9\\xf4}\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00P\\x07\\xb3\\xe9\\xf4}\\x00\\x00\\x00\\x00\\xc7\\xeb\\xf5}\\x00\\x00(\\x02\\xc8\\xeb\\xf5}\\x00\\x00P\\x06\\xc9\\xeb\\xf5}\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x80\\x9b\\x07m\\xe8\\xff\\xff\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x00 \\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\x07\\x00\\x00\\x00\\x10\\x00\\x00\\x00@\\xad\\x13x\\xfc\\x7f\\x00\\x00\\x00\\x00\\x81\\xc8\t\\x02\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 4109
          },
          {
            "timestamp": "2026-05-28 22:01:57,662",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "synchronization",
            "api": "NtCreateMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000620"
              },
              {
                "name": "MutexName",
                "value": "Global\\C::Users:admin:AppData:Local:Microsoft:Windows:Explorer:iconcache_idx.db!rwReaderRefs"
              },
              {
                "name": "InitialOwner",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 4110
          },
          {
            "timestamp": "2026-05-28 22:01:57,662",
            "thread_id": "5448",
            "caller": "0x7ff6c28c5414",
            "parentcaller": "0x7ff6c28c3945",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000634"
              },
              {
                "name": "BaseAddress",
                "value": "0x209c8203270"
              },
              {
                "name": "Size",
                "value": "0x00000440"
              },
              {
                "name": "Buffer",
                "value": ".\\x07\\x00\\x00.\\x07\\x00\\x00\\x01 \\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00(\\x00\\x08\\x02\\x00\\x00\\x00\\x00\\x10> \\xc8\t\\x02\\x00\\x00L\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00>\\x00@\\x00\\x00\\x00\\x00\\x00\\xb88 \\xc8\t\\x02\\x00\\x00`\\x00b\\x00\\x00\\x00\\x00\\x00\\xf88 \\xc8\t\\x02\\x00\\x00\\xf0' \\xc8\t\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x80\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00>\\x00@\\x00\\x00\\x00\\x00\\x00Z9 \\xc8\t\\x02\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x9a9 \\xc8\t\\x02\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x9c9 \\xc8\t\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 4111
          },
          {
            "timestamp": "2026-05-28 22:01:57,662",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000063c"
              }
            ],
            "repeated": 0,
            "id": 4112
          },
          {
            "timestamp": "2026-05-28 22:01:57,662",
            "thread_id": "5448",
            "caller": "0x7ff6c28c545d",
            "parentcaller": "0x7ff6c28c3945",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000634"
              },
              {
                "name": "BaseAddress",
                "value": "0x209c82038f8"
              },
              {
                "name": "Size",
                "value": "0x00000060"
              },
              {
                "name": "Buffer",
                "value": "C\\x00:\\x00\\\\x00W\\x00i\\x00n\\x00d\\x00o\\x00w\\x00s\\x00\\\\x00s\\x00y\\x00s\\x00t\\x00e\\x00m\\x003\\x002\\x00\\\\x00s\\x00v\\x00c\\x00h\\x00o\\x00s\\x00t\\x00.\\x00e\\x00x\\x00e\\x00 \\x00-\\x00k\\x00 \\x00D\\x00c\\x00o\\x00m\\x00L\\x00a\\x00u\\x00n\\x00c\\x00h\\x00 \\x00-\\x00p\\x00"
              }
            ],
            "repeated": 0,
            "id": 4113
          },
          {
            "timestamp": "2026-05-28 22:01:57,662",
            "thread_id": "5448",
            "caller": "0x7ff6c28c39ad",
            "parentcaller": "0x7ff6c28c31bb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000634"
              }
            ],
            "repeated": 0,
            "id": 4114
          },
          {
            "timestamp": "2026-05-28 22:01:57,662",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              }
            ],
            "repeated": 0,
            "id": 4115
          },
          {
            "timestamp": "2026-05-28 22:01:57,662",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c3746",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000634"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001000",
                "pretty_value": "PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "740"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\System32\\svchost.exe"
              }
            ],
            "repeated": 0,
            "id": 4116
          },
          {
            "timestamp": "2026-05-28 22:01:57,662",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000620"
              }
            ],
            "repeated": 0,
            "id": 4117
          },
          {
            "timestamp": "2026-05-28 22:01:57,662",
            "thread_id": "5448",
            "caller": "0x7ff6c28c472e",
            "parentcaller": "0x7ff6c28c375e",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000634"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x00000638"
              }
            ],
            "repeated": 0,
            "id": 4118
          },
          {
            "timestamp": "2026-05-28 22:01:57,662",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000620"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000400",
                "pretty_value": "PROCESS_QUERY_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "7912"
              }
            ],
            "repeated": 0,
            "id": 4119
          },
          {
            "timestamp": "2026-05-28 22:01:57,662",
            "thread_id": "5448",
            "caller": "0x7ff6c28c4764",
            "parentcaller": "0x7ff6c28c375e",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "39"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 4120
          },
          {
            "timestamp": "2026-05-28 22:01:57,662",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x000005b0"
              }
            ],
            "repeated": 0,
            "id": 4121
          },
          {
            "timestamp": "2026-05-28 22:01:57,662",
            "thread_id": "5448",
            "caller": "0x7ff6c28c47ed",
            "parentcaller": "0x7ff6c28c375e",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "39"
              },
              {
                "name": "TokenInformation",
                "value": "\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x000\\x9f\\x1cT\\x92\\x02\\x00\\x00 \\x00 \\x00\\x00\\x00\\x00\\x00X\\x9f\\x1cT\\x92\\x02\\x00\\x00\\x02\\x00\\x00\\x00A\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00x\\x9f\\x1cT\\x92\\x02\\x00\\x00T\\x00S\\x00A\\x00:\\x00/\\x00/\\x00P\\x00r\\x00o\\x00c\\x00U\\x00n\\x00i\\x00q\\x00u\\x00e\\x00\\x0b\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xf0|\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 4122
          },
          {
            "timestamp": "2026-05-28 22:01:57,662",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "P\\xe5\\xff\\x9d\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\\\x00E\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\xe9\\x03\\x00\\x00c\\x00h\\x00e\\x00_\\x001\\x006\\x00.\\x00d\\x00b\\x00\\x00\\x00\\x98\\xe5\\xff\\x9d\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00,\\x00\\x00\\x00\\xfc\\x7f\\x00\\x00\\x01\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xc0\\xe5\\xff\\x9d\\xf0\\x00\\x00\\x00\\x02\\x00P\\x00\\x01\\x00\\x00\\x00\\x00\\x00$\\x00\\x00\\x00\\x00\\x10\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec"
              }
            ],
            "repeated": 0,
            "id": 4123
          },
          {
            "timestamp": "2026-05-28 22:01:57,662",
            "thread_id": "5448",
            "caller": "0x7ff6c28c488d",
            "parentcaller": "0x7ff6c28c375e",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000638"
              }
            ],
            "repeated": 0,
            "id": 4124
          },
          {
            "timestamp": "2026-05-28 22:01:57,662",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "synchronization",
            "api": "NtCreateMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000063c"
              },
              {
                "name": "MutexName",
                "value": "Global\\C::Users:admin:AppData:Local:Microsoft:Windows:Explorer:iconcache_idx.db!rwReaderRefs"
              },
              {
                "name": "InitialOwner",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 4125
          },
          {
            "timestamp": "2026-05-28 22:01:57,662",
            "thread_id": "5448",
            "caller": "0x7ff6c28c3779",
            "parentcaller": "0x7ff6c28c31c6",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000634"
              }
            ],
            "repeated": 0,
            "id": 4126
          },
          {
            "timestamp": "2026-05-28 22:01:57,662",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              }
            ],
            "repeated": 0,
            "id": 4127
          },
          {
            "timestamp": "2026-05-28 22:01:57,662",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000620"
              }
            ],
            "repeated": 0,
            "id": 4128
          },
          {
            "timestamp": "2026-05-28 22:01:57,662",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000063c"
              }
            ],
            "repeated": 0,
            "id": 4129
          },
          {
            "timestamp": "2026-05-28 22:01:57,662",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x0000063c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000400",
                "pretty_value": "PROCESS_QUERY_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "7912"
              }
            ],
            "repeated": 0,
            "id": 4130
          },
          {
            "timestamp": "2026-05-28 22:01:57,662",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x00000620"
              }
            ],
            "repeated": 0,
            "id": 4131
          },
          {
            "timestamp": "2026-05-28 22:01:57,662",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xb0\\xe4\\xff\\x9d\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\\\x06\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\xe9\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x10S\\x1cT\\x92\\x02\\x00\\x00t\\x00a\\x00\\\\x00L\\x00o\\x00c\\x00a\\x00l\\x00\\\\x00M\\x00i\\x00c\\x00C\\x00:\\x00\\\\x00U\\x00s\\x00e\\x00r\\x00s\\x00\\\\x00a\\x00d\\x00m\\x00i\\x00n\\x00\\\\x00A\\x00p\\x00p\\x00D\\x00a\\x00t\\x00a\\x00\\\\x00L\\x00o\\x00c\\x00a\\x00l\\x00\\\\x00M\\x00i\\x00c\\x00r\\x00o\\x00s\\x00o\\x00f\\x00t\\x00\\\\x00W\\x00"
              }
            ],
            "repeated": 0,
            "id": 4132
          },
          {
            "timestamp": "2026-05-28 22:01:57,662",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "synchronization",
            "api": "NtCreateMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              },
              {
                "name": "MutexName",
                "value": "Global\\C::Users:admin:AppData:Local:Microsoft:Windows:Explorer:iconcache_idx.db!rwReaderRefs"
              },
              {
                "name": "InitialOwner",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 4133
          },
          {
            "timestamp": "2026-05-28 22:01:57,662",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000620"
              }
            ],
            "repeated": 0,
            "id": 4134
          },
          {
            "timestamp": "2026-05-28 22:01:57,662",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000063c"
              }
            ],
            "repeated": 0,
            "id": 4135
          },
          {
            "timestamp": "2026-05-28 22:01:57,662",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              }
            ],
            "repeated": 0,
            "id": 4136
          },
          {
            "timestamp": "2026-05-28 22:01:57,662",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000005b0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000400",
                "pretty_value": "PROCESS_QUERY_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "7912"
              }
            ],
            "repeated": 0,
            "id": 4137
          },
          {
            "timestamp": "2026-05-28 22:01:57,662",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x0000063c"
              }
            ],
            "repeated": 0,
            "id": 4138
          },
          {
            "timestamp": "2026-05-28 22:01:57,662",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "P\\xe5\\xff\\x9d\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\\\x00E\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\xe9\\x03\\x00\\x00c\\x00h\\x00e\\x00_\\x001\\x006\\x00.\\x00d\\x00b\\x00\\x00\\x00\\x98\\xe5\\xff\\x9d\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00,\\x00\\x00\\x00\\xfc\\x7f\\x00\\x00\\x01\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xc0\\xe5\\xff\\x9d\\xf0\\x00\\x00\\x00\\x02\\x00P\\x00\\x01\\x00\\x00\\x00\\x00\\x00$\\x00\\x00\\x00\\x00\\x10\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec"
              }
            ],
            "repeated": 0,
            "id": 4139
          },
          {
            "timestamp": "2026-05-28 22:01:57,662",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "synchronization",
            "api": "NtCreateMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000620"
              },
              {
                "name": "MutexName",
                "value": "Global\\C::Users:admin:AppData:Local:Microsoft:Windows:Explorer:iconcache_idx.db!rwReaderRefs"
              },
              {
                "name": "InitialOwner",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 4140
          },
          {
            "timestamp": "2026-05-28 22:01:57,662",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000063c"
              }
            ],
            "repeated": 0,
            "id": 4141
          },
          {
            "timestamp": "2026-05-28 22:01:57,662",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              }
            ],
            "repeated": 0,
            "id": 4142
          },
          {
            "timestamp": "2026-05-28 22:01:57,662",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000620"
              }
            ],
            "repeated": 0,
            "id": 4143
          },
          {
            "timestamp": "2026-05-28 22:01:57,662",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000620"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000400",
                "pretty_value": "PROCESS_QUERY_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "7912"
              }
            ],
            "repeated": 0,
            "id": 4144
          },
          {
            "timestamp": "2026-05-28 22:01:57,662",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x000005b0"
              }
            ],
            "repeated": 0,
            "id": 4145
          },
          {
            "timestamp": "2026-05-28 22:01:57,662",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xb0\\xe4\\xff\\x9d\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\\\x06\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\xe9\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x10S\\x1cT\\x92\\x02\\x00\\x00t\\x00a\\x00\\\\x00L\\x00o\\x00c\\x00a\\x00l\\x00\\\\x00M\\x00i\\x00c\\x00C\\x00:\\x00\\\\x00U\\x00s\\x00e\\x00r\\x00s\\x00\\\\x00a\\x00d\\x00m\\x00i\\x00n\\x00\\\\x00A\\x00p\\x00p\\x00D\\x00a\\x00t\\x00a\\x00\\\\x00L\\x00o\\x00c\\x00a\\x00l\\x00\\\\x00M\\x00i\\x00c\\x00r\\x00o\\x00s\\x00o\\x00f\\x00t\\x00\\\\x00W\\x00"
              }
            ],
            "repeated": 0,
            "id": 4146
          },
          {
            "timestamp": "2026-05-28 22:01:57,662",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "synchronization",
            "api": "NtCreateMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000063c"
              },
              {
                "name": "MutexName",
                "value": "Global\\C::Users:admin:AppData:Local:Microsoft:Windows:Explorer:iconcache_idx.db!rwReaderRefs"
              },
              {
                "name": "InitialOwner",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 4147
          },
          {
            "timestamp": "2026-05-28 22:01:57,662",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              }
            ],
            "repeated": 0,
            "id": 4148
          },
          {
            "timestamp": "2026-05-28 22:01:57,662",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000620"
              }
            ],
            "repeated": 0,
            "id": 4149
          },
          {
            "timestamp": "2026-05-28 22:01:57,662",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000063c"
              }
            ],
            "repeated": 0,
            "id": 4150
          },
          {
            "timestamp": "2026-05-28 22:01:57,662",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x0000063c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000400",
                "pretty_value": "PROCESS_QUERY_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "7912"
              }
            ],
            "repeated": 0,
            "id": 4151
          },
          {
            "timestamp": "2026-05-28 22:01:57,662",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x00000620"
              }
            ],
            "repeated": 0,
            "id": 4152
          },
          {
            "timestamp": "2026-05-28 22:01:57,662",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "P\\xe5\\xff\\x9d\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\\\x00E\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\xe9\\x03\\x00\\x00c\\x00h\\x00e\\x00_\\x001\\x006\\x00.\\x00d\\x00b\\x00\\x00\\x00\\x98\\xe5\\xff\\x9d\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00,\\x00\\x00\\x00\\xfc\\x7f\\x00\\x00\\x01\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xc0\\xe5\\xff\\x9d\\xf0\\x00\\x00\\x00\\x02\\x00P\\x00\\x01\\x00\\x00\\x00\\x00\\x00$\\x00\\x00\\x00\\x00\\x10\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec"
              }
            ],
            "repeated": 0,
            "id": 4153
          },
          {
            "timestamp": "2026-05-28 22:01:57,662",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "synchronization",
            "api": "NtCreateMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              },
              {
                "name": "MutexName",
                "value": "Global\\C::Users:admin:AppData:Local:Microsoft:Windows:Explorer:iconcache_idx.db!rwReaderRefs"
              },
              {
                "name": "InitialOwner",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 4154
          },
          {
            "timestamp": "2026-05-28 22:01:57,662",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000620"
              }
            ],
            "repeated": 0,
            "id": 4155
          },
          {
            "timestamp": "2026-05-28 22:01:57,662",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000063c"
              }
            ],
            "repeated": 0,
            "id": 4156
          },
          {
            "timestamp": "2026-05-28 22:01:57,662",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              }
            ],
            "repeated": 0,
            "id": 4157
          },
          {
            "timestamp": "2026-05-28 22:01:57,662",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000005b0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000400",
                "pretty_value": "PROCESS_QUERY_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "7912"
              }
            ],
            "repeated": 0,
            "id": 4158
          },
          {
            "timestamp": "2026-05-28 22:01:57,662",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x0000063c"
              }
            ],
            "repeated": 0,
            "id": 4159
          },
          {
            "timestamp": "2026-05-28 22:01:57,662",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xb0\\xe4\\xff\\x9d\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\\\x06\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\xe9\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x10S\\x1cT\\x92\\x02\\x00\\x00t\\x00a\\x00\\\\x00L\\x00o\\x00c\\x00a\\x00l\\x00\\\\x00M\\x00i\\x00c\\x00C\\x00:\\x00\\\\x00U\\x00s\\x00e\\x00r\\x00s\\x00\\\\x00a\\x00d\\x00m\\x00i\\x00n\\x00\\\\x00A\\x00p\\x00p\\x00D\\x00a\\x00t\\x00a\\x00\\\\x00L\\x00o\\x00c\\x00a\\x00l\\x00\\\\x00M\\x00i\\x00c\\x00r\\x00o\\x00s\\x00o\\x00f\\x00t\\x00\\\\x00W\\x00"
              }
            ],
            "repeated": 0,
            "id": 4160
          },
          {
            "timestamp": "2026-05-28 22:01:57,662",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "synchronization",
            "api": "NtCreateMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000620"
              },
              {
                "name": "MutexName",
                "value": "Global\\C::Users:admin:AppData:Local:Microsoft:Windows:Explorer:iconcache_idx.db!rwReaderRefs"
              },
              {
                "name": "InitialOwner",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 4161
          },
          {
            "timestamp": "2026-05-28 22:01:57,662",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000063c"
              }
            ],
            "repeated": 0,
            "id": 4162
          },
          {
            "timestamp": "2026-05-28 22:01:57,662",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              }
            ],
            "repeated": 0,
            "id": 4163
          },
          {
            "timestamp": "2026-05-28 22:01:57,662",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000620"
              }
            ],
            "repeated": 0,
            "id": 4164
          },
          {
            "timestamp": "2026-05-28 22:01:57,662",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000620"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000400",
                "pretty_value": "PROCESS_QUERY_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "7912"
              }
            ],
            "repeated": 0,
            "id": 4165
          },
          {
            "timestamp": "2026-05-28 22:01:57,662",
            "thread_id": "5448",
            "caller": "0x7ff6c28c05ac",
            "parentcaller": "0x7ff6c28bdc11",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000634"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001400",
                "pretty_value": "PROCESS_QUERY_INFORMATION|PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "756"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\System32\\fontdrvhost.exe"
              }
            ],
            "repeated": 0,
            "id": 4166
          },
          {
            "timestamp": "2026-05-28 22:01:57,662",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "P\\xe5\\xff\\x9d\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\\\x00E\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\xe9\\x03\\x00\\x00c\\x00h\\x00e\\x00_\\x001\\x006\\x00.\\x00d\\x00b\\x00\\x00\\x00\\x98\\xe5\\xff\\x9d\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00,\\x00\\x00\\x00\\xfc\\x7f\\x00\\x00\\x01\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xc0\\xe5\\xff\\x9d\\xf0\\x00\\x00\\x00\\x02\\x00P\\x00\\x01\\x00\\x00\\x00\\x00\\x00$\\x00\\x00\\x00\\x00\\x10\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec"
              }
            ],
            "repeated": 0,
            "id": 4167
          },
          {
            "timestamp": "2026-05-28 22:01:57,662",
            "thread_id": "5448",
            "caller": "0x7ff6c28c068f",
            "parentcaller": "0x7ff6c28bdc11",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000634"
              }
            ],
            "repeated": 0,
            "id": 4168
          },
          {
            "timestamp": "2026-05-28 22:01:57,662",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "synchronization",
            "api": "NtCreateMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000063c"
              },
              {
                "name": "MutexName",
                "value": "Global\\C::Users:admin:AppData:Local:Microsoft:Windows:Explorer:iconcache_idx.db!rwReaderRefs"
              },
              {
                "name": "InitialOwner",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 4169
          },
          {
            "timestamp": "2026-05-28 22:01:57,662",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              }
            ],
            "repeated": 0,
            "id": 4170
          },
          {
            "timestamp": "2026-05-28 22:01:57,662",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c3e56",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000634"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001000",
                "pretty_value": "PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "756"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\System32\\fontdrvhost.exe"
              }
            ],
            "repeated": 0,
            "id": 4171
          },
          {
            "timestamp": "2026-05-28 22:01:57,662",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000620"
              }
            ],
            "repeated": 0,
            "id": 4172
          },
          {
            "timestamp": "2026-05-28 22:01:57,662",
            "thread_id": "5448",
            "caller": "0x7ff6c28c3ebb",
            "parentcaller": "0x7ff6c28c2d53",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000634"
              }
            ],
            "repeated": 0,
            "id": 4173
          },
          {
            "timestamp": "2026-05-28 22:01:57,662",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000063c"
              }
            ],
            "repeated": 0,
            "id": 4174
          },
          {
            "timestamp": "2026-05-28 22:01:57,662",
            "thread_id": "5448",
            "caller": "0x7ffc756e6785",
            "parentcaller": "0x7ff6c28c4224",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000634"
              }
            ],
            "repeated": 0,
            "id": 4175
          },
          {
            "timestamp": "2026-05-28 22:01:57,662",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x0000063c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000400",
                "pretty_value": "PROCESS_QUERY_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "7912"
              }
            ],
            "repeated": 0,
            "id": 4176
          },
          {
            "timestamp": "2026-05-28 22:01:57,662",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x00000620"
              }
            ],
            "repeated": 0,
            "id": 4177
          },
          {
            "timestamp": "2026-05-28 22:01:57,662",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xb0\\xe4\\xff\\x9d\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\\\x06\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\xe9\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x10S\\x1cT\\x92\\x02\\x00\\x00t\\x00a\\x00\\\\x00L\\x00o\\x00c\\x00a\\x00l\\x00\\\\x00M\\x00i\\x00c\\x00C\\x00:\\x00\\\\x00U\\x00s\\x00e\\x00r\\x00s\\x00\\\\x00a\\x00d\\x00m\\x00i\\x00n\\x00\\\\x00A\\x00p\\x00p\\x00D\\x00a\\x00t\\x00a\\x00\\\\x00L\\x00o\\x00c\\x00a\\x00l\\x00\\\\x00M\\x00i\\x00c\\x00r\\x00o\\x00s\\x00o\\x00f\\x00t\\x00\\\\x00W\\x00"
              }
            ],
            "repeated": 0,
            "id": 4178
          },
          {
            "timestamp": "2026-05-28 22:01:57,662",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "synchronization",
            "api": "NtCreateMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              },
              {
                "name": "MutexName",
                "value": "Global\\C::Users:admin:AppData:Local:Microsoft:Windows:Explorer:iconcache_idx.db!rwReaderRefs"
              },
              {
                "name": "InitialOwner",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 4179
          },
          {
            "timestamp": "2026-05-28 22:01:57,662",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000620"
              }
            ],
            "repeated": 0,
            "id": 4180
          },
          {
            "timestamp": "2026-05-28 22:01:57,662",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000063c"
              }
            ],
            "repeated": 0,
            "id": 4181
          },
          {
            "timestamp": "2026-05-28 22:01:57,662",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x292543e0002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\System32\\fontdrvhost.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 4182
          },
          {
            "timestamp": "2026-05-28 22:01:57,662",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              }
            ],
            "repeated": 0,
            "id": 4183
          },
          {
            "timestamp": "2026-05-28 22:01:57,662",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000005b0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000400",
                "pretty_value": "PROCESS_QUERY_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "7912"
              }
            ],
            "repeated": 0,
            "id": 4184
          },
          {
            "timestamp": "2026-05-28 22:01:57,662",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x0000063c"
              }
            ],
            "repeated": 0,
            "id": 4185
          },
          {
            "timestamp": "2026-05-28 22:01:57,662",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x292543e0000"
              },
              {
                "name": "RegionSize",
                "value": "0x000d1000"
              }
            ],
            "repeated": 0,
            "id": 4186
          },
          {
            "timestamp": "2026-05-28 22:01:57,662",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "P\\xe5\\xff\\x9d\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\\\x00E\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\xe9\\x03\\x00\\x00c\\x00h\\x00e\\x00_\\x001\\x006\\x00.\\x00d\\x00b\\x00\\x00\\x00\\x98\\xe5\\xff\\x9d\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00,\\x00\\x00\\x00\\xfc\\x7f\\x00\\x00\\x01\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xc0\\xe5\\xff\\x9d\\xf0\\x00\\x00\\x00\\x02\\x00P\\x00\\x01\\x00\\x00\\x00\\x00\\x00$\\x00\\x00\\x00\\x00\\x10\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec"
              }
            ],
            "repeated": 0,
            "id": 4187
          },
          {
            "timestamp": "2026-05-28 22:01:57,662",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "synchronization",
            "api": "NtCreateMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000620"
              },
              {
                "name": "MutexName",
                "value": "Global\\C::Users:admin:AppData:Local:Microsoft:Windows:Explorer:iconcache_idx.db!rwReaderRefs"
              },
              {
                "name": "InitialOwner",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 4188
          },
          {
            "timestamp": "2026-05-28 22:01:57,662",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000063c"
              }
            ],
            "repeated": 0,
            "id": 4189
          },
          {
            "timestamp": "2026-05-28 22:01:57,662",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              }
            ],
            "repeated": 0,
            "id": 4190
          },
          {
            "timestamp": "2026-05-28 22:01:57,662",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x292543e0002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\System32\\fontdrvhost.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 4191
          },
          {
            "timestamp": "2026-05-28 22:01:57,662",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000620"
              }
            ],
            "repeated": 0,
            "id": 4192
          },
          {
            "timestamp": "2026-05-28 22:01:57,662",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000620"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000400",
                "pretty_value": "PROCESS_QUERY_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "7912"
              }
            ],
            "repeated": 0,
            "id": 4193
          },
          {
            "timestamp": "2026-05-28 22:01:57,662",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x292543e0000"
              },
              {
                "name": "RegionSize",
                "value": "0x000d1000"
              }
            ],
            "repeated": 0,
            "id": 4194
          },
          {
            "timestamp": "2026-05-28 22:01:57,662",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x000005b0"
              }
            ],
            "repeated": 0,
            "id": 4195
          },
          {
            "timestamp": "2026-05-28 22:01:57,662",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xb0\\xe4\\xff\\x9d\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\\\x06\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\xe9\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x10S\\x1cT\\x92\\x02\\x00\\x00t\\x00a\\x00\\\\x00L\\x00o\\x00c\\x00a\\x00l\\x00\\\\x00M\\x00i\\x00c\\x00C\\x00:\\x00\\\\x00U\\x00s\\x00e\\x00r\\x00s\\x00\\\\x00a\\x00d\\x00m\\x00i\\x00n\\x00\\\\x00A\\x00p\\x00p\\x00D\\x00a\\x00t\\x00a\\x00\\\\x00L\\x00o\\x00c\\x00a\\x00l\\x00\\\\x00M\\x00i\\x00c\\x00r\\x00o\\x00s\\x00o\\x00f\\x00t\\x00\\\\x00W\\x00"
              }
            ],
            "repeated": 0,
            "id": 4196
          },
          {
            "timestamp": "2026-05-28 22:01:57,662",
            "thread_id": "5448",
            "caller": "0x7ff6c28c3b16",
            "parentcaller": "0x7ff6c28c30e8",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000634"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000400",
                "pretty_value": "PROCESS_QUERY_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "756"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\System32\\fontdrvhost.exe"
              }
            ],
            "repeated": 0,
            "id": 4197
          },
          {
            "timestamp": "2026-05-28 22:01:57,662",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "synchronization",
            "api": "NtCreateMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000063c"
              },
              {
                "name": "MutexName",
                "value": "Global\\C::Users:admin:AppData:Local:Microsoft:Windows:Explorer:iconcache_idx.db!rwReaderRefs"
              },
              {
                "name": "InitialOwner",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 4198
          },
          {
            "timestamp": "2026-05-28 22:01:57,662",
            "thread_id": "5448",
            "caller": "0x7ff6c28c3b8f",
            "parentcaller": "0x7ff6c28c30e8",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000634"
              }
            ],
            "repeated": 0,
            "id": 4199
          },
          {
            "timestamp": "2026-05-28 22:01:57,662",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              }
            ],
            "repeated": 0,
            "id": 4200
          },
          {
            "timestamp": "2026-05-28 22:01:57,662",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000620"
              }
            ],
            "repeated": 0,
            "id": 4201
          },
          {
            "timestamp": "2026-05-28 22:01:57,662",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000063c"
              }
            ],
            "repeated": 0,
            "id": 4202
          },
          {
            "timestamp": "2026-05-28 22:01:57,662",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x0000063c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000400",
                "pretty_value": "PROCESS_QUERY_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "7912"
              }
            ],
            "repeated": 0,
            "id": 4203
          },
          {
            "timestamp": "2026-05-28 22:01:57,662",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x00000620"
              }
            ],
            "repeated": 0,
            "id": 4204
          },
          {
            "timestamp": "2026-05-28 22:01:57,662",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "P\\xe5\\xff\\x9d\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\\\x00E\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\xe9\\x03\\x00\\x00c\\x00h\\x00e\\x00_\\x001\\x006\\x00.\\x00d\\x00b\\x00\\x00\\x00\\x98\\xe5\\xff\\x9d\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00,\\x00\\x00\\x00\\xfc\\x7f\\x00\\x00\\x01\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xc0\\xe5\\xff\\x9d\\xf0\\x00\\x00\\x00\\x02\\x00P\\x00\\x01\\x00\\x00\\x00\\x00\\x00$\\x00\\x00\\x00\\x00\\x10\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec"
              }
            ],
            "repeated": 0,
            "id": 4205
          },
          {
            "timestamp": "2026-05-28 22:01:57,662",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "synchronization",
            "api": "NtCreateMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              },
              {
                "name": "MutexName",
                "value": "Global\\C::Users:admin:AppData:Local:Microsoft:Windows:Explorer:iconcache_idx.db!rwReaderRefs"
              },
              {
                "name": "InitialOwner",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 4206
          },
          {
            "timestamp": "2026-05-28 22:01:57,662",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000620"
              }
            ],
            "repeated": 0,
            "id": 4207
          },
          {
            "timestamp": "2026-05-28 22:01:57,662",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000063c"
              }
            ],
            "repeated": 0,
            "id": 4208
          },
          {
            "timestamp": "2026-05-28 22:01:57,662",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              }
            ],
            "repeated": 0,
            "id": 4209
          },
          {
            "timestamp": "2026-05-28 22:01:57,662",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000005b0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000400",
                "pretty_value": "PROCESS_QUERY_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "7912"
              }
            ],
            "repeated": 0,
            "id": 4210
          },
          {
            "timestamp": "2026-05-28 22:01:57,662",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x0000063c"
              }
            ],
            "repeated": 0,
            "id": 4211
          },
          {
            "timestamp": "2026-05-28 22:01:57,662",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xb0\\xe4\\xff\\x9d\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\\\x06\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\xe9\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x10S\\x1cT\\x92\\x02\\x00\\x00t\\x00a\\x00\\\\x00L\\x00o\\x00c\\x00a\\x00l\\x00\\\\x00M\\x00i\\x00c\\x00C\\x00:\\x00\\\\x00U\\x00s\\x00e\\x00r\\x00s\\x00\\\\x00a\\x00d\\x00m\\x00i\\x00n\\x00\\\\x00A\\x00p\\x00p\\x00D\\x00a\\x00t\\x00a\\x00\\\\x00L\\x00o\\x00c\\x00a\\x00l\\x00\\\\x00M\\x00i\\x00c\\x00r\\x00o\\x00s\\x00o\\x00f\\x00t\\x00\\\\x00W\\x00"
              }
            ],
            "repeated": 0,
            "id": 4212
          },
          {
            "timestamp": "2026-05-28 22:01:57,662",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "synchronization",
            "api": "NtCreateMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000620"
              },
              {
                "name": "MutexName",
                "value": "Global\\C::Users:admin:AppData:Local:Microsoft:Windows:Explorer:iconcache_idx.db!rwReaderRefs"
              },
              {
                "name": "InitialOwner",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 4213
          },
          {
            "timestamp": "2026-05-28 22:01:57,662",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000063c"
              }
            ],
            "repeated": 0,
            "id": 4214
          },
          {
            "timestamp": "2026-05-28 22:01:57,662",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              }
            ],
            "repeated": 0,
            "id": 4215
          },
          {
            "timestamp": "2026-05-28 22:01:57,662",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000620"
              }
            ],
            "repeated": 0,
            "id": 4216
          },
          {
            "timestamp": "2026-05-28 22:01:57,662",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000620"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000400",
                "pretty_value": "PROCESS_QUERY_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "7912"
              }
            ],
            "repeated": 0,
            "id": 4217
          },
          {
            "timestamp": "2026-05-28 22:01:57,662",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x000005b0"
              }
            ],
            "repeated": 0,
            "id": 4218
          },
          {
            "timestamp": "2026-05-28 22:01:57,662",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "P\\xe5\\xff\\x9d\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\\\x00E\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\xe9\\x03\\x00\\x00c\\x00h\\x00e\\x00_\\x001\\x006\\x00.\\x00d\\x00b\\x00\\x00\\x00\\x98\\xe5\\xff\\x9d\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00,\\x00\\x00\\x00\\xfc\\x7f\\x00\\x00\\x01\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xc0\\xe5\\xff\\x9d\\xf0\\x00\\x00\\x00\\x02\\x00P\\x00\\x01\\x00\\x00\\x00\\x00\\x00$\\x00\\x00\\x00\\x00\\x10\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec"
              }
            ],
            "repeated": 0,
            "id": 4219
          },
          {
            "timestamp": "2026-05-28 22:01:57,662",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "synchronization",
            "api": "NtCreateMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000063c"
              },
              {
                "name": "MutexName",
                "value": "Global\\C::Users:admin:AppData:Local:Microsoft:Windows:Explorer:iconcache_idx.db!rwReaderRefs"
              },
              {
                "name": "InitialOwner",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 4220
          },
          {
            "timestamp": "2026-05-28 22:01:57,662",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              }
            ],
            "repeated": 0,
            "id": 4221
          },
          {
            "timestamp": "2026-05-28 22:01:57,662",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000620"
              }
            ],
            "repeated": 0,
            "id": 4222
          },
          {
            "timestamp": "2026-05-28 22:01:57,662",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000063c"
              }
            ],
            "repeated": 0,
            "id": 4223
          },
          {
            "timestamp": "2026-05-28 22:01:57,662",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x0000063c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000400",
                "pretty_value": "PROCESS_QUERY_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "7912"
              }
            ],
            "repeated": 0,
            "id": 4224
          },
          {
            "timestamp": "2026-05-28 22:01:57,662",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x00000620"
              }
            ],
            "repeated": 0,
            "id": 4225
          },
          {
            "timestamp": "2026-05-28 22:01:57,662",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xb0\\xe4\\xff\\x9d\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\\\x06\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\xe9\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x10S\\x1cT\\x92\\x02\\x00\\x00t\\x00a\\x00\\\\x00L\\x00o\\x00c\\x00a\\x00l\\x00\\\\x00M\\x00i\\x00c\\x00C\\x00:\\x00\\\\x00U\\x00s\\x00e\\x00r\\x00s\\x00\\\\x00a\\x00d\\x00m\\x00i\\x00n\\x00\\\\x00A\\x00p\\x00p\\x00D\\x00a\\x00t\\x00a\\x00\\\\x00L\\x00o\\x00c\\x00a\\x00l\\x00\\\\x00M\\x00i\\x00c\\x00r\\x00o\\x00s\\x00o\\x00f\\x00t\\x00\\\\x00W\\x00"
              }
            ],
            "repeated": 0,
            "id": 4226
          },
          {
            "timestamp": "2026-05-28 22:01:57,662",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "synchronization",
            "api": "NtCreateMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              },
              {
                "name": "MutexName",
                "value": "Global\\C::Users:admin:AppData:Local:Microsoft:Windows:Explorer:iconcache_idx.db!rwReaderRefs"
              },
              {
                "name": "InitialOwner",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 4227
          },
          {
            "timestamp": "2026-05-28 22:01:57,662",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000620"
              }
            ],
            "repeated": 0,
            "id": 4228
          },
          {
            "timestamp": "2026-05-28 22:01:57,662",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000063c"
              }
            ],
            "repeated": 0,
            "id": 4229
          },
          {
            "timestamp": "2026-05-28 22:01:57,662",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              }
            ],
            "repeated": 0,
            "id": 4230
          },
          {
            "timestamp": "2026-05-28 22:01:57,662",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000005b0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000400",
                "pretty_value": "PROCESS_QUERY_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "7912"
              }
            ],
            "repeated": 0,
            "id": 4231
          },
          {
            "timestamp": "2026-05-28 22:01:57,662",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x0000063c"
              }
            ],
            "repeated": 0,
            "id": 4232
          },
          {
            "timestamp": "2026-05-28 22:01:57,662",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "P\\xe5\\xff\\x9d\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\\\x00E\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\xe9\\x03\\x00\\x00c\\x00h\\x00e\\x00_\\x001\\x006\\x00.\\x00d\\x00b\\x00\\x00\\x00\\x98\\xe5\\xff\\x9d\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00,\\x00\\x00\\x00\\xfc\\x7f\\x00\\x00\\x01\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xc0\\xe5\\xff\\x9d\\xf0\\x00\\x00\\x00\\x02\\x00P\\x00\\x01\\x00\\x00\\x00\\x00\\x00$\\x00\\x00\\x00\\x00\\x10\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec"
              }
            ],
            "repeated": 0,
            "id": 4233
          },
          {
            "timestamp": "2026-05-28 22:01:57,662",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "synchronization",
            "api": "NtCreateMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000620"
              },
              {
                "name": "MutexName",
                "value": "Global\\C::Users:admin:AppData:Local:Microsoft:Windows:Explorer:iconcache_idx.db!rwReaderRefs"
              },
              {
                "name": "InitialOwner",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 4234
          },
          {
            "timestamp": "2026-05-28 22:01:57,662",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000063c"
              }
            ],
            "repeated": 0,
            "id": 4235
          },
          {
            "timestamp": "2026-05-28 22:01:57,662",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              }
            ],
            "repeated": 0,
            "id": 4236
          },
          {
            "timestamp": "2026-05-28 22:01:57,662",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000620"
              }
            ],
            "repeated": 0,
            "id": 4237
          },
          {
            "timestamp": "2026-05-28 22:01:57,662",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000620"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000400",
                "pretty_value": "PROCESS_QUERY_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "7912"
              }
            ],
            "repeated": 0,
            "id": 4238
          },
          {
            "timestamp": "2026-05-28 22:01:57,662",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c38f8",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000634"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001410",
                "pretty_value": "PROCESS_VM_READ|PROCESS_QUERY_INFORMATION|PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "756"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\System32\\fontdrvhost.exe"
              }
            ],
            "repeated": 0,
            "id": 4239
          },
          {
            "timestamp": "2026-05-28 22:01:57,662",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x000005b0"
              }
            ],
            "repeated": 0,
            "id": 4240
          },
          {
            "timestamp": "2026-05-28 22:01:57,662",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xb0\\xe4\\xff\\x9d\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\\\x06\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\xe9\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x10S\\x1cT\\x92\\x02\\x00\\x00t\\x00a\\x00\\\\x00L\\x00o\\x00c\\x00a\\x00l\\x00\\\\x00M\\x00i\\x00c\\x00C\\x00:\\x00\\\\x00U\\x00s\\x00e\\x00r\\x00s\\x00\\\\x00a\\x00d\\x00m\\x00i\\x00n\\x00\\\\x00A\\x00p\\x00p\\x00D\\x00a\\x00t\\x00a\\x00\\\\x00L\\x00o\\x00c\\x00a\\x00l\\x00\\\\x00M\\x00i\\x00c\\x00r\\x00o\\x00s\\x00o\\x00f\\x00t\\x00\\\\x00W\\x00"
              }
            ],
            "repeated": 0,
            "id": 4241
          },
          {
            "timestamp": "2026-05-28 22:01:57,662",
            "thread_id": "5448",
            "caller": "0x7ff6c28c53e5",
            "parentcaller": "0x7ff6c28c3945",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000634"
              },
              {
                "name": "BaseAddress",
                "value": "0x2da4bfb000"
              },
              {
                "name": "Size",
                "value": "0x000007c8"
              },
              {
                "name": "Buffer",
                "value": "\\x00\\x00\\x00$\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\x86\\xee\\xf7\\x7f\\x00\\x00\\xc0\\xc4\\x13x\\xfc\\x7f\\x00\\x00\\xa0\\x19Z_b\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00Z_b\\x01\\x00\\x00\\xe0\\xc0\\x13x\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00U_b\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00@\\xc4\\x13x\\xfc\\x7f\\x00\\x00\\x13\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xaam\\xf4}\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00P\\x07\\xaam\\xf4}\\x00\\x00\\x00\\x00\\xbeo\\xf5}\\x00\\x00(\\x02\\xbfo\\xf5}\\x00\\x00P\\x06\\xc0o\\xf5}\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x80\\x9b\\x07m\\xe8\\xff\\xff\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x00 \\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x10\\x00\\x00\\x00@\\xad\\x13x\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 4242
          },
          {
            "timestamp": "2026-05-28 22:01:57,662",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "synchronization",
            "api": "NtCreateMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000063c"
              },
              {
                "name": "MutexName",
                "value": "Global\\C::Users:admin:AppData:Local:Microsoft:Windows:Explorer:iconcache_idx.db!rwReaderRefs"
              },
              {
                "name": "InitialOwner",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 4243
          },
          {
            "timestamp": "2026-05-28 22:01:57,662",
            "thread_id": "5448",
            "caller": "0x7ff6c28c5414",
            "parentcaller": "0x7ff6c28c3945",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000634"
              },
              {
                "name": "BaseAddress",
                "value": "0x1625f5a19a0"
              },
              {
                "name": "Size",
                "value": "0x00000440"
              },
              {
                "name": "Buffer",
                "value": "\\xf6\\x06\\x00\\x00\\xf6\\x06\\x00\\x00\\x01@\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00(\\x00\\x08\\x02\\x00\\x00\\x00\\x00\\xf0$Z_b\\x01\\x00\\x00@\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00F\\x00H\\x00\\x00\\x00\\x00\\x00\\xe8\\x1fZ_b\\x01\\x00\\x00\"\\x00$\\x00\\x00\\x00\\x00\\x000 Z_b\\x01\\x00\\x00\\xe0\\x0fZ_b\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x1e\\x00 \\x00\\x00\\x00\\x00\\x00T Z_b\\x01\\x00\\x00\\x1e\\x00 \\x00\\x00\\x00\\x00\\x00t Z_b\\x01\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x94 Z_b\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 4244
          },
          {
            "timestamp": "2026-05-28 22:01:57,662",
            "thread_id": "5448",
            "caller": "0x7ff6c28c545d",
            "parentcaller": "0x7ff6c28c3945",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000634"
              },
              {
                "name": "BaseAddress",
                "value": "0x1625f5a2030"
              },
              {
                "name": "Size",
                "value": "0x00000022"
              },
              {
                "name": "Buffer",
                "value": "\"\\x00f\\x00o\\x00n\\x00t\\x00d\\x00r\\x00v\\x00h\\x00o\\x00s\\x00t\\x00.\\x00e\\x00x\\x00e\\x00\"\\x00"
              }
            ],
            "repeated": 0,
            "id": 4245
          },
          {
            "timestamp": "2026-05-28 22:01:57,662",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              }
            ],
            "repeated": 0,
            "id": 4246
          },
          {
            "timestamp": "2026-05-28 22:01:57,662",
            "thread_id": "5448",
            "caller": "0x7ff6c28c39ad",
            "parentcaller": "0x7ff6c28c31bb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000634"
              }
            ],
            "repeated": 0,
            "id": 4247
          },
          {
            "timestamp": "2026-05-28 22:01:57,662",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000620"
              }
            ],
            "repeated": 0,
            "id": 4248
          },
          {
            "timestamp": "2026-05-28 22:01:57,662",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c3746",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000634"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001000",
                "pretty_value": "PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "756"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\System32\\fontdrvhost.exe"
              }
            ],
            "repeated": 0,
            "id": 4249
          },
          {
            "timestamp": "2026-05-28 22:01:57,662",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000063c"
              }
            ],
            "repeated": 0,
            "id": 4250
          },
          {
            "timestamp": "2026-05-28 22:01:57,662",
            "thread_id": "5448",
            "caller": "0x7ff6c28c472e",
            "parentcaller": "0x7ff6c28c375e",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000634"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x00000638"
              }
            ],
            "repeated": 0,
            "id": 4251
          },
          {
            "timestamp": "2026-05-28 22:01:57,662",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x0000063c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000400",
                "pretty_value": "PROCESS_QUERY_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "7912"
              }
            ],
            "repeated": 0,
            "id": 4252
          },
          {
            "timestamp": "2026-05-28 22:01:57,662",
            "thread_id": "5448",
            "caller": "0x7ff6c28c4764",
            "parentcaller": "0x7ff6c28c375e",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "39"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 4253
          },
          {
            "timestamp": "2026-05-28 22:01:57,662",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x00000620"
              }
            ],
            "repeated": 0,
            "id": 4254
          },
          {
            "timestamp": "2026-05-28 22:01:57,662",
            "thread_id": "5448",
            "caller": "0x7ff6c28c47ed",
            "parentcaller": "0x7ff6c28c375e",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "39"
              },
              {
                "name": "TokenInformation",
                "value": "\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\xb0f\\x1cT\\x92\\x02\\x00\\x00 \\x00 \\x00\\x00\\x00\\x00\\x00\\xd8f\\x1cT\\x92\\x02\\x00\\x00\\x02\\x00\\x00\\x00A\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xf8f\\x1cT\\x92\\x02\\x00\\x00T\\x00S\\x00A\\x00:\\x00/\\x00/\\x00P\\x00r\\x00o\\x00c\\x00U\\x00n\\x00i\\x00q\\x00u\\x00e\\x00\\x0c\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x7f\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 4255
          },
          {
            "timestamp": "2026-05-28 22:01:57,662",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "P\\xe5\\xff\\x9d\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\\\x00E\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\xe9\\x03\\x00\\x00c\\x00h\\x00e\\x00_\\x001\\x006\\x00.\\x00d\\x00b\\x00\\x00\\x00\\x98\\xe5\\xff\\x9d\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00,\\x00\\x00\\x00\\xfc\\x7f\\x00\\x00\\x01\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xc0\\xe5\\xff\\x9d\\xf0\\x00\\x00\\x00\\x02\\x00P\\x00\\x01\\x00\\x00\\x00\\x00\\x00$\\x00\\x00\\x00\\x00\\x10\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec"
              }
            ],
            "repeated": 0,
            "id": 4256
          },
          {
            "timestamp": "2026-05-28 22:01:57,662",
            "thread_id": "5448",
            "caller": "0x7ff6c28c488d",
            "parentcaller": "0x7ff6c28c375e",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000638"
              }
            ],
            "repeated": 0,
            "id": 4257
          },
          {
            "timestamp": "2026-05-28 22:01:57,662",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "synchronization",
            "api": "NtCreateMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              },
              {
                "name": "MutexName",
                "value": "Global\\C::Users:admin:AppData:Local:Microsoft:Windows:Explorer:iconcache_idx.db!rwReaderRefs"
              },
              {
                "name": "InitialOwner",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 4258
          },
          {
            "timestamp": "2026-05-28 22:01:57,662",
            "thread_id": "5448",
            "caller": "0x7ff6c28c3779",
            "parentcaller": "0x7ff6c28c31c6",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000634"
              }
            ],
            "repeated": 0,
            "id": 4259
          },
          {
            "timestamp": "2026-05-28 22:01:57,662",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000620"
              }
            ],
            "repeated": 0,
            "id": 4260
          },
          {
            "timestamp": "2026-05-28 22:01:57,662",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000063c"
              }
            ],
            "repeated": 0,
            "id": 4261
          },
          {
            "timestamp": "2026-05-28 22:01:57,662",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              }
            ],
            "repeated": 0,
            "id": 4262
          },
          {
            "timestamp": "2026-05-28 22:01:57,678",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000005d4"
              },
              {
                "name": "HandleName",
                "value": "C:\\Users\\admin\\AppData\\Local\\Microsoft\\Windows\\Explorer\\iconcache_idx.db"
              },
              {
                "name": "FileInformationClass",
                "value": "5",
                "pretty_value": "FileStandardInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\x00\\x80\\x00\\x00\\x00\\x00\\x00\\x000r\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 4263
          },
          {
            "timestamp": "2026-05-28 22:01:57,678",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000005b0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000400",
                "pretty_value": "PROCESS_QUERY_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "7912"
              }
            ],
            "repeated": 0,
            "id": 4264
          },
          {
            "timestamp": "2026-05-28 22:01:57,678",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x0000063c"
              }
            ],
            "repeated": 0,
            "id": 4265
          },
          {
            "timestamp": "2026-05-28 22:01:57,678",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xe0\\xe1\\xff\\x9d\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\xe9\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\xd0\\x84\\xd93\\xfc\\x7f\\x00\\x00\\x18\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xf0\\x00\\x00\\x00`\\xda\\xd9\\xff\\xff\\xff\\xff\\xffH\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xf0\\x05\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 4266
          },
          {
            "timestamp": "2026-05-28 22:01:57,678",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "synchronization",
            "api": "NtCreateMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000620"
              },
              {
                "name": "MutexName",
                "value": "Global\\C::Users:admin:AppData:Local:Microsoft:Windows:Explorer:iconcache_idx.db!rwReaderRefs"
              },
              {
                "name": "InitialOwner",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 4267
          },
          {
            "timestamp": "2026-05-28 22:01:57,678",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000063c"
              }
            ],
            "repeated": 0,
            "id": 4268
          },
          {
            "timestamp": "2026-05-28 22:01:57,678",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              }
            ],
            "repeated": 0,
            "id": 4269
          },
          {
            "timestamp": "2026-05-28 22:01:57,678",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000620"
              }
            ],
            "repeated": 0,
            "id": 4270
          },
          {
            "timestamp": "2026-05-28 22:01:57,678",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000620"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000400",
                "pretty_value": "PROCESS_QUERY_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "7912"
              }
            ],
            "repeated": 0,
            "id": 4271
          },
          {
            "timestamp": "2026-05-28 22:01:57,678",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x000005b0"
              }
            ],
            "repeated": 0,
            "id": 4272
          },
          {
            "timestamp": "2026-05-28 22:01:57,678",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xe0\\xe1\\xff\\x9d\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\xe9\\x03\\x00\\x00\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x9a\\x00h8\\xfc\\x7f\\x00\\x00 \\x06\\x00\\x00\\x00\\x00\\x00\\x00 \\x06\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x81|\\xd93\\xfc\\x7f\\x00\\x00(\\x8b\\xd93\\xfc\\x7f\\x00\\x00 \\x06\\x00\\x00\\x00\\x00\\x00\\x00 \\x06\\x00\\x00\\x00\\x00\\x00\\x00\\x0f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x85gnu\\xfc\\x7f\\x00\\x00 \\x06\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 4273
          },
          {
            "timestamp": "2026-05-28 22:01:57,678",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "synchronization",
            "api": "NtCreateMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000063c"
              },
              {
                "name": "MutexName",
                "value": "Global\\C::Users:admin:AppData:Local:Microsoft:Windows:Explorer:iconcache_idx.db!rwReaderRefs"
              },
              {
                "name": "InitialOwner",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 4274
          },
          {
            "timestamp": "2026-05-28 22:01:57,678",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              }
            ],
            "repeated": 0,
            "id": 4275
          },
          {
            "timestamp": "2026-05-28 22:01:57,678",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000620"
              }
            ],
            "repeated": 0,
            "id": 4276
          },
          {
            "timestamp": "2026-05-28 22:01:57,678",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000063c"
              }
            ],
            "repeated": 0,
            "id": 4277
          },
          {
            "timestamp": "2026-05-28 22:01:57,678",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x0000063c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000400",
                "pretty_value": "PROCESS_QUERY_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "7912"
              }
            ],
            "repeated": 0,
            "id": 4278
          },
          {
            "timestamp": "2026-05-28 22:01:57,678",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x00000620"
              }
            ],
            "repeated": 0,
            "id": 4279
          },
          {
            "timestamp": "2026-05-28 22:01:57,678",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xe0\\xe1\\xff\\x9d\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\xe9\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x9a\\x00X8\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00`\\xda\\xd9\\xff\\xff\\xff\\xff\\xffH\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 4280
          },
          {
            "timestamp": "2026-05-28 22:01:57,678",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "synchronization",
            "api": "NtCreateMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              },
              {
                "name": "MutexName",
                "value": "Global\\C::Users:admin:AppData:Local:Microsoft:Windows:Explorer:iconcache_idx.db!rwReaderRefs"
              },
              {
                "name": "InitialOwner",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 4281
          },
          {
            "timestamp": "2026-05-28 22:01:57,678",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000620"
              }
            ],
            "repeated": 0,
            "id": 4282
          },
          {
            "timestamp": "2026-05-28 22:01:57,678",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000063c"
              }
            ],
            "repeated": 0,
            "id": 4283
          },
          {
            "timestamp": "2026-05-28 22:01:57,678",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              }
            ],
            "repeated": 0,
            "id": 4284
          },
          {
            "timestamp": "2026-05-28 22:01:57,678",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000005b0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000400",
                "pretty_value": "PROCESS_QUERY_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "7912"
              }
            ],
            "repeated": 0,
            "id": 4285
          },
          {
            "timestamp": "2026-05-28 22:01:57,678",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x0000063c"
              }
            ],
            "repeated": 0,
            "id": 4286
          },
          {
            "timestamp": "2026-05-28 22:01:57,678",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xe0\\xe1\\xff\\x9d\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\xe9\\x03\\x00\\x00\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x9a\\x00h8\\xfc\\x7f\\x00\\x00\\xb0\\x05\\x00\\x00\\x00\\x00\\x00\\x00\\xb0\\x05\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x81|\\xd93\\xfc\\x7f\\x00\\x00(\\x8b\\xd93\\xfc\\x7f\\x00\\x00\\xb0\\x05\\x00\\x00\\x00\\x00\\x00\\x00\\xb0\\x05\\x00\\x00\\x00\\x00\\x00\\x00\\x0f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x85gnu\\xfc\\x7f\\x00\\x00\\xb0\\x05\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 4287
          },
          {
            "timestamp": "2026-05-28 22:01:57,678",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "synchronization",
            "api": "NtCreateMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000620"
              },
              {
                "name": "MutexName",
                "value": "Global\\C::Users:admin:AppData:Local:Microsoft:Windows:Explorer:iconcache_idx.db!rwReaderRefs"
              },
              {
                "name": "InitialOwner",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 4288
          },
          {
            "timestamp": "2026-05-28 22:01:57,678",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000063c"
              }
            ],
            "repeated": 0,
            "id": 4289
          },
          {
            "timestamp": "2026-05-28 22:01:57,678",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              }
            ],
            "repeated": 0,
            "id": 4290
          },
          {
            "timestamp": "2026-05-28 22:01:57,678",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000620"
              }
            ],
            "repeated": 0,
            "id": 4291
          },
          {
            "timestamp": "2026-05-28 22:01:57,678",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000620"
              },
              {
                "name": "DesiredAccess",
                "value": "0xc0100080",
                "pretty_value": "GENERIC_READ|GENERIC_WRITE|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Users\\admin\\AppData\\Local\\Microsoft\\Windows\\Explorer\\iconcache_16.db"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 4292
          },
          {
            "timestamp": "2026-05-28 22:01:57,678",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "filesystem",
            "api": "NtSetInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000620"
              },
              {
                "name": "HandleName",
                "value": "C:\\Users\\admin\\AppData\\Local\\Microsoft\\Windows\\Explorer\\iconcache_16.db"
              },
              {
                "name": "FileInformationClass",
                "value": "74"
              },
              {
                "name": "FileInformation",
                "value": "\\x02\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 4293
          },
          {
            "timestamp": "2026-05-28 22:01:57,678",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000620"
              },
              {
                "name": "HandleName",
                "value": "C:\\Users\\admin\\AppData\\Local\\Microsoft\\Windows\\Explorer\\iconcache_16.db"
              },
              {
                "name": "FileInformationClass",
                "value": "5",
                "pretty_value": "FileStandardInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 4294
          },
          {
            "timestamp": "2026-05-28 22:01:57,678",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x000005b0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0007",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ|SECTION_MAP_WRITE"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000620"
              },
              {
                "name": "FileName",
                "value": "C:\\Users\\admin\\AppData\\Local\\Microsoft\\Windows\\Explorer\\iconcache_16.db"
              }
            ],
            "repeated": 0,
            "id": 4295
          },
          {
            "timestamp": "2026-05-28 22:01:57,678",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000620"
              },
              {
                "name": "HandleName",
                "value": "C:\\Users\\admin\\AppData\\Local\\Microsoft\\Windows\\Explorer\\iconcache_16.db"
              },
              {
                "name": "FileInformationClass",
                "value": "5",
                "pretty_value": "FileStandardInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 1,
            "id": 4296
          },
          {
            "timestamp": "2026-05-28 22:01:57,678",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x0000063c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000400",
                "pretty_value": "PROCESS_QUERY_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "7912"
              }
            ],
            "repeated": 0,
            "id": 4297
          },
          {
            "timestamp": "2026-05-28 22:01:57,678",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x00000640"
              }
            ],
            "repeated": 0,
            "id": 4298
          },
          {
            "timestamp": "2026-05-28 22:01:57,678",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xe0\\xe2\\xff\\x9d\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\xe9\\x03\\x00\\x00\\x92\\x02\\x00\\x00\\x90\\x84\\xd93\\xfc\\x7f\\x00\\x00\\x05\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xfc\\x7f\\x00\\x00`\\xda\\xd9\\xff\\xff\\xff\\xff\\xffH\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00H[\\x1cT\\x92\\x02\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 4299
          },
          {
            "timestamp": "2026-05-28 22:01:57,678",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "synchronization",
            "api": "NtCreateMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000644"
              },
              {
                "name": "MutexName",
                "value": "Global\\C::Users:admin:AppData:Local:Microsoft:Windows:Explorer:iconcache_idx.db!rwReaderRefs"
              },
              {
                "name": "InitialOwner",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 4300
          },
          {
            "timestamp": "2026-05-28 22:01:57,678",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000640"
              }
            ],
            "repeated": 0,
            "id": 4301
          },
          {
            "timestamp": "2026-05-28 22:01:57,678",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000063c"
              }
            ],
            "repeated": 0,
            "id": 4302
          },
          {
            "timestamp": "2026-05-28 22:01:57,678",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000644"
              }
            ],
            "repeated": 0,
            "id": 4303
          },
          {
            "timestamp": "2026-05-28 22:01:57,678",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000644"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000400",
                "pretty_value": "PROCESS_QUERY_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "7912"
              }
            ],
            "repeated": 0,
            "id": 4304
          },
          {
            "timestamp": "2026-05-28 22:01:57,678",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x0000063c"
              }
            ],
            "repeated": 0,
            "id": 4305
          },
          {
            "timestamp": "2026-05-28 22:01:57,678",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xf0\\xe2\\xff\\x9d\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xfc\\x7f\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\xe9\\x03\\x00\\x00\\xfc\\x7f\\x00\\x00\\x80\\xe3\\xff\\x9d\\xf0\\x00\\x00\\x00\\xf0\\x05\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xe0\r\\xecP\\x92\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xf0\\x05\\x00\\x00\\x00\\x00\\x00\\x00 \\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x02\\x00\\x00\\x00\\x00\\x00\\x00]\\xddmu\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00H[\\x1cT\\x92\\x02\\x00\\x00j\\x00'Ou\\xc0\\x00\\x00\\x88X\\x1cT\\x92\\x02\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 4306
          },
          {
            "timestamp": "2026-05-28 22:01:57,678",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "synchronization",
            "api": "NtCreateMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000640"
              },
              {
                "name": "MutexName",
                "value": "Global\\C::Users:admin:AppData:Local:Microsoft:Windows:Explorer:iconcache_idx.db!rwReaderRefs"
              },
              {
                "name": "InitialOwner",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 4307
          },
          {
            "timestamp": "2026-05-28 22:01:57,678",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000063c"
              }
            ],
            "repeated": 0,
            "id": 4308
          },
          {
            "timestamp": "2026-05-28 22:01:57,678",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000644"
              }
            ],
            "repeated": 0,
            "id": 4309
          },
          {
            "timestamp": "2026-05-28 22:01:57,678",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000640"
              }
            ],
            "repeated": 0,
            "id": 4310
          },
          {
            "timestamp": "2026-05-28 22:01:57,678",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x000005b0"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x292543e0000"
              },
              {
                "name": "SectionOffset",
                "value": "0xf09dffe2f0"
              },
              {
                "name": "ViewSize",
                "value": "0x00100000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 4311
          },
          {
            "timestamp": "2026-05-28 22:01:57,678",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtDuplicateObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SourceProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "SourceHandle",
                "value": "0x00000620"
              },
              {
                "name": "TargetProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "TargetHandle",
                "value": "0x00000640"
              },
              {
                "name": "Options",
                "value": "0x00000002"
              }
            ],
            "repeated": 0,
            "id": 4312
          },
          {
            "timestamp": "2026-05-28 22:01:57,678",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000644"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000400",
                "pretty_value": "PROCESS_QUERY_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "7912"
              }
            ],
            "repeated": 0,
            "id": 4313
          },
          {
            "timestamp": "2026-05-28 22:01:57,678",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x0000063c"
              }
            ],
            "repeated": 0,
            "id": 4314
          },
          {
            "timestamp": "2026-05-28 22:01:57,678",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\x10\\xe6\\xff\\x9d\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\xe9\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00H\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00p\\xc3\\xe8S\\x92\\x02\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 4315
          },
          {
            "timestamp": "2026-05-28 22:01:57,678",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "synchronization",
            "api": "NtCreateMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000648"
              },
              {
                "name": "MutexName",
                "value": "Global\\C::Users:admin:AppData:Local:Microsoft:Windows:Explorer:iconcache_idx.db!rwReaderRefs"
              },
              {
                "name": "InitialOwner",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 4316
          },
          {
            "timestamp": "2026-05-28 22:01:57,678",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000063c"
              }
            ],
            "repeated": 0,
            "id": 4317
          },
          {
            "timestamp": "2026-05-28 22:01:57,678",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000644"
              }
            ],
            "repeated": 0,
            "id": 4318
          },
          {
            "timestamp": "2026-05-28 22:01:57,678",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000005d4"
              },
              {
                "name": "HandleName",
                "value": "C:\\Users\\admin\\AppData\\Local\\Microsoft\\Windows\\Explorer\\iconcache_idx.db"
              },
              {
                "name": "FileInformationClass",
                "value": "5",
                "pretty_value": "FileStandardInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\x00\\x80\\x00\\x00\\x00\\x00\\x00\\x000r\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 4319
          },
          {
            "timestamp": "2026-05-28 22:01:57,678",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000648"
              }
            ],
            "repeated": 0,
            "id": 4320
          },
          {
            "timestamp": "2026-05-28 22:01:57,678",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000648"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000400",
                "pretty_value": "PROCESS_QUERY_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "7912"
              }
            ],
            "repeated": 0,
            "id": 4321
          },
          {
            "timestamp": "2026-05-28 22:01:57,678",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x00000644"
              }
            ],
            "repeated": 0,
            "id": 4322
          },
          {
            "timestamp": "2026-05-28 22:01:57,678",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": " \\xe6\\xff\\x9d\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\xe9\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xf0\\x05\\x00\\x00\\x00\\x00\\x00\\x00 \\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x02\\x00\\x00\\x00\\x00\\x00\\x00]\\xddmu\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00p\\xc3\\xe8S\\x92\\x02\\x00\\x00Z\\x07'Ou\\xc0\\x00\\x00\\x88X\\x1cT\\x92\\x02\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 4323
          },
          {
            "timestamp": "2026-05-28 22:01:57,678",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "synchronization",
            "api": "NtCreateMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000063c"
              },
              {
                "name": "MutexName",
                "value": "Global\\C::Users:admin:AppData:Local:Microsoft:Windows:Explorer:iconcache_idx.db!rwReaderRefs"
              },
              {
                "name": "InitialOwner",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 4324
          },
          {
            "timestamp": "2026-05-28 22:01:57,678",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000644"
              }
            ],
            "repeated": 0,
            "id": 4325
          },
          {
            "timestamp": "2026-05-28 22:01:57,678",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000648"
              }
            ],
            "repeated": 0,
            "id": 4326
          },
          {
            "timestamp": "2026-05-28 22:01:57,678",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000063c"
              }
            ],
            "repeated": 0,
            "id": 4327
          },
          {
            "timestamp": "2026-05-28 22:01:57,678",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc5f303000"
              },
              {
                "name": "ModuleName",
                "value": "thumbcache.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 4328
          },
          {
            "timestamp": "2026-05-28 22:01:57,678",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc5f303000"
              },
              {
                "name": "ModuleName",
                "value": "thumbcache.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 4329
          },
          {
            "timestamp": "2026-05-28 22:01:57,678",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x0000063c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000400",
                "pretty_value": "PROCESS_QUERY_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "7912"
              }
            ],
            "repeated": 0,
            "id": 4330
          },
          {
            "timestamp": "2026-05-28 22:01:57,678",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x00000648"
              }
            ],
            "repeated": 0,
            "id": 4331
          },
          {
            "timestamp": "2026-05-28 22:01:57,678",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xe0\\xe7\\xff\\x9d\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\xe9\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xc0\\xab._\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00H\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 4332
          },
          {
            "timestamp": "2026-05-28 22:01:57,678",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "synchronization",
            "api": "NtCreateMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000644"
              },
              {
                "name": "MutexName",
                "value": "Global\\C::Users:admin:AppData:Local:Microsoft:Windows:Explorer:iconcache_idx.db!rwReaderRefs"
              },
              {
                "name": "InitialOwner",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 4333
          },
          {
            "timestamp": "2026-05-28 22:01:57,678",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000648"
              }
            ],
            "repeated": 0,
            "id": 4334
          },
          {
            "timestamp": "2026-05-28 22:01:57,678",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000063c"
              }
            ],
            "repeated": 0,
            "id": 4335
          },
          {
            "timestamp": "2026-05-28 22:01:57,678",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000005d4"
              },
              {
                "name": "HandleName",
                "value": "C:\\Users\\admin\\AppData\\Local\\Microsoft\\Windows\\Explorer\\iconcache_idx.db"
              },
              {
                "name": "FileInformationClass",
                "value": "5",
                "pretty_value": "FileStandardInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\x00\\x80\\x00\\x00\\x00\\x00\\x00\\x000r\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 4336
          },
          {
            "timestamp": "2026-05-28 22:01:57,678",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x0000063c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000400",
                "pretty_value": "PROCESS_QUERY_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "7912"
              }
            ],
            "repeated": 0,
            "id": 4337
          },
          {
            "timestamp": "2026-05-28 22:01:57,678",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x00000648"
              }
            ],
            "repeated": 0,
            "id": 4338
          },
          {
            "timestamp": "2026-05-28 22:01:57,678",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xa0\\xe8\\xff\\x9d\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\xe9\\x03\\x00\\x00\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x19\\xeb\\xff\\x9d\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00T\\x82*_\\xfc\\x7f\\x00\\x004\\x005\\x00b\\x00f\\x008\\x00\\x00\\x00\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x000\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x18\\xea\\xff\\x9d\\xf0\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 4339
          },
          {
            "timestamp": "2026-05-28 22:01:57,678",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "synchronization",
            "api": "NtCreateMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000064c"
              },
              {
                "name": "MutexName",
                "value": "Global\\C::Users:admin:AppData:Local:Microsoft:Windows:Explorer:iconcache_idx.db!045bf8"
              },
              {
                "name": "InitialOwner",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 4340
          },
          {
            "timestamp": "2026-05-28 22:01:57,678",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000648"
              }
            ],
            "repeated": 0,
            "id": 4341
          },
          {
            "timestamp": "2026-05-28 22:01:57,678",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000063c"
              }
            ],
            "repeated": 0,
            "id": 4342
          },
          {
            "timestamp": "2026-05-28 22:01:57,678",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000620"
              },
              {
                "name": "HandleName",
                "value": "C:\\Users\\admin\\AppData\\Local\\Microsoft\\Windows\\Explorer\\iconcache_16.db"
              },
              {
                "name": "FileInformationClass",
                "value": "5",
                "pretty_value": "FileStandardInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 4343
          },
          {
            "timestamp": "2026-05-28 22:01:57,678",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc5f303000"
              },
              {
                "name": "ModuleName",
                "value": "thumbcache.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 4344
          },
          {
            "timestamp": "2026-05-28 22:01:57,678",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc5f303000"
              },
              {
                "name": "ModuleName",
                "value": "thumbcache.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 4345
          },
          {
            "timestamp": "2026-05-28 22:01:57,678",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc5f303000"
              },
              {
                "name": "ModuleName",
                "value": "thumbcache.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 4346
          },
          {
            "timestamp": "2026-05-28 22:01:57,678",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc5f303000"
              },
              {
                "name": "ModuleName",
                "value": "thumbcache.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 4347
          },
          {
            "timestamp": "2026-05-28 22:01:57,678",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000644"
              }
            ],
            "repeated": 0,
            "id": 4348
          },
          {
            "timestamp": "2026-05-28 22:01:57,678",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000644"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000400",
                "pretty_value": "PROCESS_QUERY_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "7912"
              }
            ],
            "repeated": 0,
            "id": 4349
          },
          {
            "timestamp": "2026-05-28 22:01:57,678",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x0000063c"
              }
            ],
            "repeated": 0,
            "id": 4350
          },
          {
            "timestamp": "2026-05-28 22:01:57,678",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xb0\\xe8\\xff\\x9d\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\xe9\\x03\\x00\\x00\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00P\\xe9\\xff\\x9d\\xf0\\x00\\x00\\x00\\xf8\\xea\\xff\\x9d\\xf0\\x00\\x00\\x00\\xf8[BT\\x92\\x02\\x00\\x000\\xe9\\xff\\x9d\\xf0\\x00\\x00\\x00\\x80\\xe9\\xff\\x9d\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xf0\\x00\\x00\\x00\\x00\\x00>T\\x92\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00u\\xc0\\x00\\x00\\x00\\x00>T\\x92\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 4351
          },
          {
            "timestamp": "2026-05-28 22:01:57,678",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "synchronization",
            "api": "NtCreateMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000648"
              },
              {
                "name": "MutexName",
                "value": "Global\\C::Users:admin:AppData:Local:Microsoft:Windows:Explorer:iconcache_idx.db!rwReaderRefs"
              },
              {
                "name": "InitialOwner",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 4352
          },
          {
            "timestamp": "2026-05-28 22:01:57,678",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000063c"
              }
            ],
            "repeated": 0,
            "id": 4353
          },
          {
            "timestamp": "2026-05-28 22:01:57,678",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000644"
              }
            ],
            "repeated": 0,
            "id": 4354
          },
          {
            "timestamp": "2026-05-28 22:01:57,678",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000648"
              }
            ],
            "repeated": 0,
            "id": 4355
          },
          {
            "timestamp": "2026-05-28 22:01:57,678",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000064c"
              }
            ],
            "repeated": 0,
            "id": 4356
          },
          {
            "timestamp": "2026-05-28 22:01:57,678",
            "thread_id": "612",
            "caller": "0x7ff6c296e129",
            "parentcaller": "0x7ff6c296c7fa",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\SecurityHealthSystray.exe"
              }
            ],
            "repeated": 0,
            "id": 4357
          },
          {
            "timestamp": "2026-05-28 22:01:57,678",
            "thread_id": "612",
            "caller": "0x7ff6c290d36c",
            "parentcaller": "0x7ff6c296c16e",
            "category": "registry",
            "api": "RegEnumValueW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000588"
              },
              {
                "name": "Index",
                "value": "1"
              },
              {
                "name": "ValueName",
                "value": "CAPEAgent"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "DataLength",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\CAPEAgent"
              }
            ],
            "repeated": 0,
            "id": 4358
          },
          {
            "timestamp": "2026-05-28 22:01:57,678",
            "thread_id": "612",
            "caller": "0x7ff6c290d20b",
            "parentcaller": "0x7ff6c296c1bd",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000588"
              },
              {
                "name": "ValueName",
                "value": "CAPEAgent"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\CAPEAgent"
              }
            ],
            "repeated": 0,
            "id": 4359
          },
          {
            "timestamp": "2026-05-28 22:01:57,678",
            "thread_id": "612",
            "caller": "0x7ff6c290d2e0",
            "parentcaller": "0x7ff6c296c1bd",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000588"
              },
              {
                "name": "ValueName",
                "value": "CAPEAgent"
              },
              {
                "name": "Data",
                "value": "\"C:\\Users\\admin\\AppData\\Local\\Microsoft\\WindowsApps\\python.exe\" \"C:\\agent.py\""
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\CAPEAgent"
              }
            ],
            "repeated": 0,
            "id": 4360
          },
          {
            "timestamp": "2026-05-28 22:01:57,678",
            "thread_id": "612",
            "caller": "0x7ff6c296abc5",
            "parentcaller": "0x7ff6c296e244",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004a4"
              },
              {
                "name": "ValueName",
                "value": "CAPEAgent"
              },
              {
                "name": "Data",
                "value": "\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\StartupApproved\\Run\\CAPEAgent"
              }
            ],
            "repeated": 0,
            "id": 4361
          },
          {
            "timestamp": "2026-05-28 22:01:57,678",
            "thread_id": "612",
            "caller": "0x7ff6c290bbeb",
            "parentcaller": "0x7ff6c296cf53",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Users\\admin\\AppData\\Local\\Microsoft\\WindowsApps\\python.exe"
              }
            ],
            "repeated": 0,
            "id": 4362
          },
          {
            "timestamp": "2026-05-28 22:01:57,678",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": false,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Users\\admin\\AppData\\Local\\Microsoft\\WindowsApps\\python.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 4363
          },
          {
            "timestamp": "2026-05-28 22:01:57,678",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": false,
            "return": "0xffffffffc0000279",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Users\\admin\\AppData\\Local\\Microsoft\\WindowsApps\\python.exe"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "1",
                "pretty_value": "FILE_SHARE_READ"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000080",
                "pretty_value": "FILE_ATTRIBUTE_NORMAL"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 4364
          },
          {
            "timestamp": "2026-05-28 22:01:57,678",
            "thread_id": "612",
            "caller": "0x7ff6c28dd762",
            "parentcaller": "0x7ff6c28e1a39",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff6c29dc000"
              },
              {
                "name": "ModuleName",
                "value": "taskmgr.exe"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 4365
          },
          {
            "timestamp": "2026-05-28 22:01:57,678",
            "thread_id": "612",
            "caller": "0x7ff6c28dd762",
            "parentcaller": "0x7ff6c28e1a39",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff6c29dc000"
              },
              {
                "name": "ModuleName",
                "value": "taskmgr.exe"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 4366
          },
          {
            "timestamp": "2026-05-28 22:01:57,678",
            "thread_id": "612",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76e57000"
              },
              {
                "name": "ModuleName",
                "value": "SHELL32.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 4367
          },
          {
            "timestamp": "2026-05-28 22:01:57,678",
            "thread_id": "612",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76e57000"
              },
              {
                "name": "ModuleName",
                "value": "SHELL32.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 4368
          },
          {
            "timestamp": "2026-05-28 22:01:57,678",
            "thread_id": "612",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76722000"
              },
              {
                "name": "ModuleName",
                "value": "SHLWAPI.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 4369
          },
          {
            "timestamp": "2026-05-28 22:01:57,678",
            "thread_id": "612",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76722000"
              },
              {
                "name": "ModuleName",
                "value": "SHLWAPI.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 4370
          },
          {
            "timestamp": "2026-05-28 22:01:57,678",
            "thread_id": "612",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer"
              },
              {
                "name": "Handle",
                "value": "0x0000064c"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer"
              }
            ],
            "repeated": 0,
            "id": 4371
          },
          {
            "timestamp": "2026-05-28 22:01:57,678",
            "thread_id": "612",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000064c"
              },
              {
                "name": "ValueName",
                "value": "NoPropertiesMyComputer"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\NoPropertiesMyComputer"
              }
            ],
            "repeated": 0,
            "id": 4372
          },
          {
            "timestamp": "2026-05-28 22:01:57,678",
            "thread_id": "612",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000064c"
              }
            ],
            "repeated": 0,
            "id": 4373
          },
          {
            "timestamp": "2026-05-28 22:01:57,678",
            "thread_id": "612",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000001",
                "pretty_value": "HKEY_CURRENT_USER"
              },
              {
                "name": "SubKey",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer"
              }
            ],
            "repeated": 0,
            "id": 4374
          },
          {
            "timestamp": "2026-05-28 22:01:57,678",
            "thread_id": "612",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer"
              },
              {
                "name": "Handle",
                "value": "0x0000064c"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer"
              }
            ],
            "repeated": 0,
            "id": 4375
          },
          {
            "timestamp": "2026-05-28 22:01:57,678",
            "thread_id": "612",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000064c"
              },
              {
                "name": "ValueName",
                "value": "NoPropertiesRecycleBin"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\NoPropertiesRecycleBin"
              }
            ],
            "repeated": 0,
            "id": 4376
          },
          {
            "timestamp": "2026-05-28 22:01:57,678",
            "thread_id": "612",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000064c"
              }
            ],
            "repeated": 0,
            "id": 4377
          },
          {
            "timestamp": "2026-05-28 22:01:57,678",
            "thread_id": "612",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000001",
                "pretty_value": "HKEY_CURRENT_USER"
              },
              {
                "name": "SubKey",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer"
              }
            ],
            "repeated": 0,
            "id": 4378
          },
          {
            "timestamp": "2026-05-28 22:01:57,678",
            "thread_id": "612",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer"
              },
              {
                "name": "Handle",
                "value": "0x0000064c"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer"
              }
            ],
            "repeated": 0,
            "id": 4379
          },
          {
            "timestamp": "2026-05-28 22:01:57,678",
            "thread_id": "612",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000064c"
              },
              {
                "name": "ValueName",
                "value": "NoControlPanel"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\NoControlPanel"
              }
            ],
            "repeated": 0,
            "id": 4380
          },
          {
            "timestamp": "2026-05-28 22:01:57,678",
            "thread_id": "612",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000064c"
              }
            ],
            "repeated": 0,
            "id": 4381
          },
          {
            "timestamp": "2026-05-28 22:01:57,678",
            "thread_id": "612",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000001",
                "pretty_value": "HKEY_CURRENT_USER"
              },
              {
                "name": "SubKey",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer"
              }
            ],
            "repeated": 0,
            "id": 4382
          },
          {
            "timestamp": "2026-05-28 22:01:57,678",
            "thread_id": "612",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer"
              },
              {
                "name": "Handle",
                "value": "0x0000064c"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer"
              }
            ],
            "repeated": 0,
            "id": 4383
          },
          {
            "timestamp": "2026-05-28 22:01:57,678",
            "thread_id": "612",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000064c"
              },
              {
                "name": "ValueName",
                "value": "NoSetFolders"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\NoSetFolders"
              }
            ],
            "repeated": 0,
            "id": 4384
          },
          {
            "timestamp": "2026-05-28 22:01:57,678",
            "thread_id": "612",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000064c"
              }
            ],
            "repeated": 0,
            "id": 4385
          },
          {
            "timestamp": "2026-05-28 22:01:57,678",
            "thread_id": "612",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000001",
                "pretty_value": "HKEY_CURRENT_USER"
              },
              {
                "name": "SubKey",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer"
              }
            ],
            "repeated": 0,
            "id": 4386
          },
          {
            "timestamp": "2026-05-28 22:01:57,678",
            "thread_id": "612",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer"
              },
              {
                "name": "Handle",
                "value": "0x0000064c"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer"
              }
            ],
            "repeated": 0,
            "id": 4387
          },
          {
            "timestamp": "2026-05-28 22:01:57,678",
            "thread_id": "612",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000064c"
              },
              {
                "name": "ValueName",
                "value": "NoInternetIcon"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\NoInternetIcon"
              }
            ],
            "repeated": 0,
            "id": 4388
          },
          {
            "timestamp": "2026-05-28 22:01:57,678",
            "thread_id": "612",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000064c"
              }
            ],
            "repeated": 0,
            "id": 4389
          },
          {
            "timestamp": "2026-05-28 22:01:57,678",
            "thread_id": "612",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000001",
                "pretty_value": "HKEY_CURRENT_USER"
              },
              {
                "name": "SubKey",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer"
              }
            ],
            "repeated": 0,
            "id": 4390
          },
          {
            "timestamp": "2026-05-28 22:01:57,678",
            "thread_id": "612",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\ShellCompatibility\\Applications\\taskmgr.exe"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\ShellCompatibility\\Applications\\taskmgr.exe"
              }
            ],
            "repeated": 0,
            "id": 4391
          },
          {
            "timestamp": "2026-05-28 22:01:57,678",
            "thread_id": "612",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 4392
          },
          {
            "timestamp": "2026-05-28 22:01:57,678",
            "thread_id": "612",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000000d4"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 4393
          },
          {
            "timestamp": "2026-05-28 22:01:57,678",
            "thread_id": "612",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000064c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000000d4"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Desktop\\NameSpace"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Desktop\\NameSpace"
              }
            ],
            "repeated": 0,
            "id": 4394
          },
          {
            "timestamp": "2026-05-28 22:01:57,678",
            "thread_id": "612",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000064c"
              },
              {
                "name": "ValueName",
                "value": "ValidateRegItems"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Desktop\\NameSpace\\ValidateRegItems"
              }
            ],
            "repeated": 0,
            "id": 4395
          },
          {
            "timestamp": "2026-05-28 22:01:57,678",
            "thread_id": "612",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000064c"
              }
            ],
            "repeated": 0,
            "id": 4396
          },
          {
            "timestamp": "2026-05-28 22:01:57,678",
            "thread_id": "612",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 4397
          },
          {
            "timestamp": "2026-05-28 22:01:57,678",
            "thread_id": "612",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000000d4"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 4398
          },
          {
            "timestamp": "2026-05-28 22:01:57,678",
            "thread_id": "612",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000064c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000000d4"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Desktop\\NameSpace"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Desktop\\NameSpace"
              }
            ],
            "repeated": 0,
            "id": 4399
          },
          {
            "timestamp": "2026-05-28 22:01:57,678",
            "thread_id": "612",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000064c"
              },
              {
                "name": "ValueName",
                "value": "MonitorRegistry"
              },
              {
                "name": "Data",
                "value": "1"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Desktop\\NameSpace\\MonitorRegistry"
              }
            ],
            "repeated": 0,
            "id": 4400
          },
          {
            "timestamp": "2026-05-28 22:01:57,678",
            "thread_id": "612",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000064c"
              }
            ],
            "repeated": 0,
            "id": 4401
          },
          {
            "timestamp": "2026-05-28 22:01:57,678",
            "thread_id": "612",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc73f05000"
              },
              {
                "name": "ModuleName",
                "value": "windows.storage.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 4402
          },
          {
            "timestamp": "2026-05-28 22:01:57,678",
            "thread_id": "612",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc73f05000"
              },
              {
                "name": "ModuleName",
                "value": "windows.storage.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 4403
          },
          {
            "timestamp": "2026-05-28 22:01:57,678",
            "thread_id": "612",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer"
              },
              {
                "name": "Handle",
                "value": "0x0000064c"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer"
              }
            ],
            "repeated": 0,
            "id": 4404
          },
          {
            "timestamp": "2026-05-28 22:01:57,678",
            "thread_id": "612",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000064c"
              },
              {
                "name": "ValueName",
                "value": "NoCommonGroups"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\NoCommonGroups"
              }
            ],
            "repeated": 0,
            "id": 4405
          },
          {
            "timestamp": "2026-05-28 22:01:57,678",
            "thread_id": "612",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000064c"
              }
            ],
            "repeated": 0,
            "id": 4406
          },
          {
            "timestamp": "2026-05-28 22:01:57,678",
            "thread_id": "612",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000001",
                "pretty_value": "HKEY_CURRENT_USER"
              },
              {
                "name": "SubKey",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer"
              }
            ],
            "repeated": 0,
            "id": 4407
          },
          {
            "timestamp": "2026-05-28 22:01:57,678",
            "thread_id": "612",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc73f05000"
              },
              {
                "name": "ModuleName",
                "value": "windows.storage.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 4408
          },
          {
            "timestamp": "2026-05-28 22:01:57,678",
            "thread_id": "612",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc73f05000"
              },
              {
                "name": "ModuleName",
                "value": "windows.storage.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 4409
          },
          {
            "timestamp": "2026-05-28 22:01:57,678",
            "thread_id": "612",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc73f05000"
              },
              {
                "name": "ModuleName",
                "value": "windows.storage.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 4410
          },
          {
            "timestamp": "2026-05-28 22:01:57,678",
            "thread_id": "612",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc73f05000"
              },
              {
                "name": "ModuleName",
                "value": "windows.storage.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 4411
          },
          {
            "timestamp": "2026-05-28 22:01:57,678",
            "thread_id": "612",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc73f05000"
              },
              {
                "name": "ModuleName",
                "value": "windows.storage.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 4412
          },
          {
            "timestamp": "2026-05-28 22:01:57,678",
            "thread_id": "612",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc73f05000"
              },
              {
                "name": "ModuleName",
                "value": "windows.storage.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 4413
          },
          {
            "timestamp": "2026-05-28 22:01:57,678",
            "thread_id": "612",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000000",
                "pretty_value": "HKEY_CLASSES_ROOT"
              },
              {
                "name": "SubKey",
                "value": "CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder"
              },
              {
                "name": "Handle",
                "value": "0x0000064e"
              },
              {
                "name": "FullName",
                "value": "HKEY_CLASSES_ROOT\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder"
              }
            ],
            "repeated": 0,
            "id": 4414
          },
          {
            "timestamp": "2026-05-28 22:01:57,678",
            "thread_id": "612",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc73f05000"
              },
              {
                "name": "ModuleName",
                "value": "windows.storage.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 4415
          },
          {
            "timestamp": "2026-05-28 22:01:57,678",
            "thread_id": "612",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc73f05000"
              },
              {
                "name": "ModuleName",
                "value": "windows.storage.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 4416
          },
          {
            "timestamp": "2026-05-28 22:01:57,678",
            "thread_id": "612",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000064e"
              },
              {
                "name": "ValueName",
                "value": "Attributes"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\Attributes"
              }
            ],
            "repeated": 0,
            "id": 4417
          },
          {
            "timestamp": "2026-05-28 22:01:57,678",
            "thread_id": "612",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000064e"
              },
              {
                "name": "ValueName",
                "value": "CallForAttributes"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\CallForAttributes"
              }
            ],
            "repeated": 0,
            "id": 4418
          },
          {
            "timestamp": "2026-05-28 22:01:57,678",
            "thread_id": "612",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000064e"
              },
              {
                "name": "ValueName",
                "value": "RestrictedAttributes"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\RestrictedAttributes"
              }
            ],
            "repeated": 0,
            "id": 4419
          },
          {
            "timestamp": "2026-05-28 22:01:57,678",
            "thread_id": "612",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000064e"
              },
              {
                "name": "ValueName",
                "value": "FolderValueFlags"
              },
              {
                "name": "Data",
                "value": "1581568"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\FolderValueFlags"
              }
            ],
            "repeated": 0,
            "id": 4420
          },
          {
            "timestamp": "2026-05-28 22:01:57,678",
            "thread_id": "612",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000064e"
              }
            ],
            "repeated": 0,
            "id": 4421
          },
          {
            "timestamp": "2026-05-28 22:01:57,678",
            "thread_id": "612",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc73f05000"
              },
              {
                "name": "ModuleName",
                "value": "windows.storage.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 4422
          },
          {
            "timestamp": "2026-05-28 22:01:57,678",
            "thread_id": "612",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc73f05000"
              },
              {
                "name": "ModuleName",
                "value": "windows.storage.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 4423
          },
          {
            "timestamp": "2026-05-28 22:01:57,678",
            "thread_id": "612",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000001",
                "pretty_value": "HKEY_CURRENT_USER"
              },
              {
                "name": "SubKey",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder"
              }
            ],
            "repeated": 0,
            "id": 4424
          },
          {
            "timestamp": "2026-05-28 22:01:57,678",
            "thread_id": "612",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder"
              }
            ],
            "repeated": 0,
            "id": 4425
          },
          {
            "timestamp": "2026-05-28 22:01:57,678",
            "thread_id": "612",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000001",
                "pretty_value": "HKEY_CURRENT_USER"
              },
              {
                "name": "SubKey",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\NonEnum"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\NonEnum"
              }
            ],
            "repeated": 0,
            "id": 4426
          },
          {
            "timestamp": "2026-05-28 22:01:57,678",
            "thread_id": "612",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\NonEnum"
              },
              {
                "name": "Handle",
                "value": "0x0000064c"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\NonEnum"
              }
            ],
            "repeated": 0,
            "id": 4427
          },
          {
            "timestamp": "2026-05-28 22:01:57,678",
            "thread_id": "612",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000064c"
              },
              {
                "name": "ValueName",
                "value": "{20D04FE0-3AEA-1069-A2D8-08002B30309D}"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\NonEnum\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}"
              }
            ],
            "repeated": 0,
            "id": 4428
          },
          {
            "timestamp": "2026-05-28 22:01:57,678",
            "thread_id": "612",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000064c"
              }
            ],
            "repeated": 0,
            "id": 4429
          },
          {
            "timestamp": "2026-05-28 22:01:57,678",
            "thread_id": "612",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 4430
          },
          {
            "timestamp": "2026-05-28 22:01:57,678",
            "thread_id": "612",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000000d4"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 4431
          },
          {
            "timestamp": "2026-05-28 22:01:57,678",
            "thread_id": "612",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000064c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000000d4"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MyComputer\\NameSpace"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MyComputer\\NameSpace"
              }
            ],
            "repeated": 0,
            "id": 4432
          },
          {
            "timestamp": "2026-05-28 22:01:57,678",
            "thread_id": "612",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000064c"
              },
              {
                "name": "ValueName",
                "value": "ValidateRegItems"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MyComputer\\NameSpace\\ValidateRegItems"
              }
            ],
            "repeated": 0,
            "id": 4433
          },
          {
            "timestamp": "2026-05-28 22:01:57,678",
            "thread_id": "612",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000064c"
              }
            ],
            "repeated": 0,
            "id": 4434
          },
          {
            "timestamp": "2026-05-28 22:01:57,678",
            "thread_id": "612",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 4435
          },
          {
            "timestamp": "2026-05-28 22:01:57,678",
            "thread_id": "612",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000000d4"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 4436
          },
          {
            "timestamp": "2026-05-28 22:01:57,678",
            "thread_id": "612",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000064c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000000d4"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MyComputer\\NameSpace"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MyComputer\\NameSpace"
              }
            ],
            "repeated": 0,
            "id": 4437
          },
          {
            "timestamp": "2026-05-28 22:01:57,678",
            "thread_id": "612",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000064c"
              },
              {
                "name": "ValueName",
                "value": "MonitorRegistry"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MyComputer\\NameSpace\\MonitorRegistry"
              }
            ],
            "repeated": 0,
            "id": 4438
          },
          {
            "timestamp": "2026-05-28 22:01:57,678",
            "thread_id": "612",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000064c"
              }
            ],
            "repeated": 0,
            "id": 4439
          },
          {
            "timestamp": "2026-05-28 22:01:57,678",
            "thread_id": "612",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc73f05000"
              },
              {
                "name": "ModuleName",
                "value": "windows.storage.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 4440
          },
          {
            "timestamp": "2026-05-28 22:01:57,678",
            "thread_id": "612",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc73f05000"
              },
              {
                "name": "ModuleName",
                "value": "windows.storage.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 4441
          },
          {
            "timestamp": "2026-05-28 22:01:57,678",
            "thread_id": "612",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "filesystem",
            "api": "GetVolumeNameForVolumeMountPointW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "VolumeMountPoint",
                "value": "C:\\"
              },
              {
                "name": "VolumeName",
                "value": "\\\\?\\Volume{528c102f-0000-0000-0000-300300000000}\\"
              }
            ],
            "repeated": 0,
            "id": 4442
          },
          {
            "timestamp": "2026-05-28 22:01:57,678",
            "thread_id": "612",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000001",
                "pretty_value": "HKEY_CURRENT_USER"
              },
              {
                "name": "SubKey",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume"
              },
              {
                "name": "Handle",
                "value": "0x0000064c"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume"
              }
            ],
            "repeated": 0,
            "id": 4443
          },
          {
            "timestamp": "2026-05-28 22:01:57,678",
            "thread_id": "612",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x0000064c"
              },
              {
                "name": "SubKey",
                "value": "{528c102f-0000-0000-0000-300300000000}\\"
              },
              {
                "name": "Handle",
                "value": "0x00000650"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{528c102f-0000-0000-0000-300300000000}\\"
              }
            ],
            "repeated": 0,
            "id": 4444
          },
          {
            "timestamp": "2026-05-28 22:01:57,678",
            "thread_id": "612",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000064c"
              }
            ],
            "repeated": 0,
            "id": 4445
          },
          {
            "timestamp": "2026-05-28 22:01:57,678",
            "thread_id": "612",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000650"
              },
              {
                "name": "ValueName",
                "value": "Data"
              },
              {
                "name": "Data",
                "value": "\\xd6\r\\x00\\x00\r\\xf0\\xad\\xbaA\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x80\\x00\\x00\\x00\\x00\\x00\\x00\\x000\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xff\\x06\\xe7\\x03\\xff\\x00\\x00\\x00\\x16\\x00\\x00\\x00&\\x00\\xbc\\x12\\x1f\\x00\\x00\\x00\\x04@\\x00\\x00\\x0b\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\\\x00\\\\x00?\\x00\\\\x00S\\x00T\\x00O\\x00R\\x00A\\x00G\\x00E\\x00#\\x00V\\x00o\\x00l\\x00u\\x00m\\x00e\\x00#\\x00{\\x00e\\x003\\x002\\x00a\\x009\\x004\\x004\\x002\\x00-\\x005\\x00a\\x00f\\x002\\x00-\\x001\\x001\\x00f\\x001\\x00-\\x00a\\x00e\\x002\\x00c\\x00-\\x008\\x000\\x006\\x00e\\x006\\x00f\\x006\\x00e\\x006\\x009\\x006\\x003\\x00}\\x00#\\x000\\x000\\x000\\x000\\x000\\x000\\x000\\x000\\x000\\x003\\x003\\x000\\x000\\x000\\x000\\x000\\x00#\\x00{\\x005\\x003\\x00f\\x005\\x006\\x003\\x000\\x00d\\x00-\\x00b\\x006\\x00b\\x00f\\x00-\\x001\\x001\\x00d\\x000\\x00-\\x009\\x004\\x00f\\x002\\x00-\\x000\\x000\\x00a\\x000\\x00c\\x009\\x001\\x00e\\x00f\\x00b\\x008\\x00b\\x00}\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00
\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{528c102f-0000-0000-0000-300300000000}\\Data"
              }
            ],
            "repeated": 0,
            "id": 4446
          },
          {
            "timestamp": "2026-05-28 22:01:57,678",
            "thread_id": "612",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000650"
              }
            ],
            "repeated": 0,
            "id": 4447
          },
          {
            "timestamp": "2026-05-28 22:01:57,678",
            "thread_id": "612",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000001",
                "pretty_value": "HKEY_CURRENT_USER"
              },
              {
                "name": "SubKey",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume"
              },
              {
                "name": "Handle",
                "value": "0x00000650"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume"
              }
            ],
            "repeated": 0,
            "id": 4448
          },
          {
            "timestamp": "2026-05-28 22:01:57,678",
            "thread_id": "612",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000650"
              },
              {
                "name": "SubKey",
                "value": "{528c102f-0000-0000-0000-300300000000}\\"
              },
              {
                "name": "Handle",
                "value": "0x0000064c"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{528c102f-0000-0000-0000-300300000000}\\"
              }
            ],
            "repeated": 0,
            "id": 4449
          },
          {
            "timestamp": "2026-05-28 22:01:57,678",
            "thread_id": "612",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000650"
              }
            ],
            "repeated": 0,
            "id": 4450
          },
          {
            "timestamp": "2026-05-28 22:01:57,678",
            "thread_id": "5448",
            "caller": "0x7ff6c28c05ac",
            "parentcaller": "0x7ff6c28bdc11",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000634"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001400",
                "pretty_value": "PROCESS_QUERY_INFORMATION|PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "900"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\System32\\svchost.exe"
              }
            ],
            "repeated": 0,
            "id": 4451
          },
          {
            "timestamp": "2026-05-28 22:01:57,678",
            "thread_id": "612",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000064c"
              }
            ],
            "repeated": 0,
            "id": 4452
          },
          {
            "timestamp": "2026-05-28 22:01:57,678",
            "thread_id": "5448",
            "caller": "0x7ff6c28c068f",
            "parentcaller": "0x7ff6c28bdc11",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000634"
              }
            ],
            "repeated": 0,
            "id": 4453
          },
          {
            "timestamp": "2026-05-28 22:01:57,678",
            "thread_id": "612",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x0000064c"
              }
            ],
            "repeated": 0,
            "id": 4454
          },
          {
            "timestamp": "2026-05-28 22:01:57,678",
            "thread_id": "612",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "25"
              },
              {
                "name": "TokenInformation",
                "value": "\\xb0\\xde\\x1cT\\x92\\x02\\x00\\x00`\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x10\\x000\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 4455
          },
          {
            "timestamp": "2026-05-28 22:01:57,678",
            "thread_id": "612",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000064c"
              }
            ],
            "repeated": 0,
            "id": 4456
          },
          {
            "timestamp": "2026-05-28 22:01:57,678",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c3e56",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000634"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001000",
                "pretty_value": "PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "900"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\System32\\svchost.exe"
              }
            ],
            "repeated": 0,
            "id": 4457
          },
          {
            "timestamp": "2026-05-28 22:01:57,678",
            "thread_id": "5448",
            "caller": "0x7ff6c28c3ebb",
            "parentcaller": "0x7ff6c28c2d53",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000634"
              }
            ],
            "repeated": 0,
            "id": 4458
          },
          {
            "timestamp": "2026-05-28 22:01:57,678",
            "thread_id": "612",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000001",
                "pretty_value": "HKEY_CURRENT_USER"
              },
              {
                "name": "SubKey",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume"
              },
              {
                "name": "Handle",
                "value": "0x0000064c"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume"
              }
            ],
            "repeated": 0,
            "id": 4459
          },
          {
            "timestamp": "2026-05-28 22:01:57,678",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c3ffc",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000634"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001000",
                "pretty_value": "PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "900"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\System32\\svchost.exe"
              }
            ],
            "repeated": 0,
            "id": 4460
          },
          {
            "timestamp": "2026-05-28 22:01:57,678",
            "thread_id": "612",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x0000064c"
              },
              {
                "name": "SubKey",
                "value": "{528c102f-0000-0000-0000-300300000000}\\"
              },
              {
                "name": "Handle",
                "value": "0x00000650"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{528c102f-0000-0000-0000-300300000000}\\"
              }
            ],
            "repeated": 0,
            "id": 4461
          },
          {
            "timestamp": "2026-05-28 22:01:57,678",
            "thread_id": "612",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000064c"
              }
            ],
            "repeated": 0,
            "id": 4462
          },
          {
            "timestamp": "2026-05-28 22:01:57,678",
            "thread_id": "612",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000650"
              },
              {
                "name": "ValueName",
                "value": "Generation"
              },
              {
                "name": "Data",
                "value": "1"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{528c102f-0000-0000-0000-300300000000}\\Generation"
              }
            ],
            "repeated": 0,
            "id": 4463
          },
          {
            "timestamp": "2026-05-28 22:01:57,678",
            "thread_id": "612",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000650"
              }
            ],
            "repeated": 0,
            "id": 4464
          },
          {
            "timestamp": "2026-05-28 22:01:57,678",
            "thread_id": "612",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc73f06000"
              },
              {
                "name": "ModuleName",
                "value": "windows.storage.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 4465
          },
          {
            "timestamp": "2026-05-28 22:01:57,678",
            "thread_id": "5448",
            "caller": "0x7ffc756dbf0d",
            "parentcaller": "0x7ff6c28c2e25",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29253f50002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\System32\\svchost.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 4466
          },
          {
            "timestamp": "2026-05-28 22:01:57,678",
            "thread_id": "612",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc73f06000"
              },
              {
                "name": "ModuleName",
                "value": "windows.storage.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 4467
          },
          {
            "timestamp": "2026-05-28 22:01:57,678",
            "thread_id": "612",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "Software\\Policies\\Microsoft\\Windows\\Explorer"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\Explorer"
              }
            ],
            "repeated": 0,
            "id": 4468
          },
          {
            "timestamp": "2026-05-28 22:01:57,678",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "registry",
            "api": "NtOpenKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\en-US"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\en-US"
              }
            ],
            "repeated": 0,
            "id": 4469
          },
          {
            "timestamp": "2026-05-28 22:01:57,678",
            "thread_id": "612",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000001",
                "pretty_value": "HKEY_CURRENT_USER"
              },
              {
                "name": "SubKey",
                "value": "Software\\Policies\\Microsoft\\Windows\\Explorer"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\Software\\Policies\\Microsoft\\Windows\\Explorer"
              }
            ],
            "repeated": 0,
            "id": 4470
          },
          {
            "timestamp": "2026-05-28 22:01:57,678",
            "thread_id": "612",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000650"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100081",
                "pretty_value": "FILE_READ_ACCESS|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 4471
          },
          {
            "timestamp": "2026-05-28 22:01:57,678",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000638"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000634"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\en-US\\svchost.exe.mui"
              }
            ],
            "repeated": 0,
            "id": 4472
          },
          {
            "timestamp": "2026-05-28 22:01:57,678",
            "thread_id": "612",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000650"
              }
            ],
            "repeated": 0,
            "id": 4473
          },
          {
            "timestamp": "2026-05-28 22:01:57,678",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000638"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x292543c0000"
              },
              {
                "name": "SectionOffset",
                "value": "0xf09ddfcf90"
              },
              {
                "name": "ViewSize",
                "value": "0x00001000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 4474
          },
          {
            "timestamp": "2026-05-28 22:01:57,678",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000638"
              }
            ],
            "repeated": 0,
            "id": 4475
          },
          {
            "timestamp": "2026-05-28 22:01:57,678",
            "thread_id": "612",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc7597b000"
              },
              {
                "name": "ModuleName",
                "value": "KERNELBASE.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 4476
          },
          {
            "timestamp": "2026-05-28 22:01:57,678",
            "thread_id": "612",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc7597b000"
              },
              {
                "name": "ModuleName",
                "value": "KERNELBASE.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 4477
          },
          {
            "timestamp": "2026-05-28 22:01:57,678",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x292543c0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              }
            ],
            "repeated": 0,
            "id": 4478
          },
          {
            "timestamp": "2026-05-28 22:01:57,678",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000634"
              }
            ],
            "repeated": 0,
            "id": 4479
          },
          {
            "timestamp": "2026-05-28 22:01:57,678",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29253f50000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              }
            ],
            "repeated": 0,
            "id": 4480
          },
          {
            "timestamp": "2026-05-28 22:01:57,678",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29253f50002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\System32\\svchost.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 4481
          },
          {
            "timestamp": "2026-05-28 22:01:57,678",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "registry",
            "api": "NtOpenKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\en-US"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\en-US"
              }
            ],
            "repeated": 0,
            "id": 4482
          },
          {
            "timestamp": "2026-05-28 22:01:57,678",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000634"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100001",
                "pretty_value": "FILE_READ_ACCESS|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\en-US\\svchost.exe.mui"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 4483
          },
          {
            "timestamp": "2026-05-28 22:01:57,678",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000638"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000634"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\en-US\\svchost.exe.mui"
              }
            ],
            "repeated": 0,
            "id": 4484
          },
          {
            "timestamp": "2026-05-28 22:01:57,678",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000638"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x292543c0000"
              },
              {
                "name": "SectionOffset",
                "value": "0xf09ddfcf80"
              },
              {
                "name": "ViewSize",
                "value": "0x00001000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 4485
          },
          {
            "timestamp": "2026-05-28 22:01:57,678",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000638"
              }
            ],
            "repeated": 0,
            "id": 4486
          },
          {
            "timestamp": "2026-05-28 22:01:57,678",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x292543c0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              }
            ],
            "repeated": 0,
            "id": 4487
          },
          {
            "timestamp": "2026-05-28 22:01:57,678",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000634"
              }
            ],
            "repeated": 0,
            "id": 4488
          },
          {
            "timestamp": "2026-05-28 22:01:57,678",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29253f50000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              }
            ],
            "repeated": 0,
            "id": 4489
          },
          {
            "timestamp": "2026-05-28 22:01:57,678",
            "thread_id": "1276",
            "caller": "0x7ffc78017881",
            "parentcaller": "0x7ffc780020f9",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc73f05000"
              },
              {
                "name": "ModuleName",
                "value": "windows.storage.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 4490
          },
          {
            "timestamp": "2026-05-28 22:01:57,678",
            "thread_id": "1276",
            "caller": "0x7ffc76045921",
            "parentcaller": "0x7ffc75f52e6b",
            "category": "device",
            "api": "DeviceIoControl",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "DeviceHandle",
                "value": "0x00000230"
              },
              {
                "name": "IoControlCode",
                "value": "0x00470807"
              },
              {
                "name": "InBuffer",
                "value": "(\\x00\\x00\\x00\\x00\\x00\\x01\\x00\rc\\xf5S\\xbf\\xb6\\xd0\\x11\\x94\\xf2\\x00\\xa0\\xc9\\x1e\\xfb\\x8b\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x14\\x00\\x00\\x00"
              },
              {
                "name": "OutBuffer",
                "value": "\\x14\\x00\\x00\\x00#\\x00\\x00\\xc0|\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 4491
          },
          {
            "timestamp": "2026-05-28 22:01:57,678",
            "thread_id": "1276",
            "caller": "0x7ffc76045921",
            "parentcaller": "0x7ffc75f51ed1",
            "category": "device",
            "api": "DeviceIoControl",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "DeviceHandle",
                "value": "0x00000230"
              },
              {
                "name": "IoControlCode",
                "value": "0x00470807"
              },
              {
                "name": "InBuffer",
                "value": "(\\x00\\x00\\x00\\x00\\x00\\x01\\x00\rc\\xf5S\\xbf\\xb6\\xd0\\x11\\x94\\xf2\\x00\\xa0\\xc9\\x1e\\xfb\\x8b\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x14\\x00\\x00\\x00"
              },
              {
                "name": "OutBuffer",
                "value": "\\x14\\x00\\x00\\x00\\x00\\x00\\x00\\x00|\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\\\x00\\\\x00?\\x00\\\\x00S\\x00T\\x00O\\x00R\\x00A\\x00G\\x00E\\x00#\\x00V\\x00o\\x00l\\x00u\\x00m\\x00e\\x00#\\x00{\\x00e\\x003\\x002\\x00a\\x009\\x004\\x004\\x002\\x00-\\x005\\x00a\\x00f\\x002\\x00-\\x001\\x001\\x00f\\x001\\x00-\\x00a\\x00e\\x002\\x00c\\x00-\\x008\\x000\\x006\\x00e\\x006\\x00f\\x006\\x00e\\x006\\x009\\x006\\x003\\x00}\\x00#\\x000\\x000\\x000\\x000\\x000\\x000\\x000\\x000\\x000\\x000\\x001\\x000\\x000\\x000\\x000\\x000\\x00#\\x00{\\x005\\x003\\x00f\\x005\\x006\\x003\\x000\\x00d\\x00-\\x00b\\x006\\x00b\\x00f\\x00-\\x001\\x001\\x00d\\x000\\x00-\\x009\\x004\\x00f\\x002\\x00-\\x000\\x000\\x00a\\x000\\x00c\\x009\\x001\\x00e\\x00f\\x00b\\x008\\x00b\\x00}\\x00\\x00\\x00\\\\x00\\\\x00?\\x00\\\\x00S\\x00T\\x00"
              }
            ],
            "repeated": 0,
            "id": 4492
          },
          {
            "timestamp": "2026-05-28 22:01:57,678",
            "thread_id": "1276",
            "caller": "0x7ffc75716f4c",
            "parentcaller": "0x7ffc738f5fb2",
            "category": "system",
            "api": "NtDuplicateObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SourceProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "SourceHandle",
                "value": "0x00000648"
              },
              {
                "name": "TargetProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "TargetHandle",
                "value": "0x00000644"
              },
              {
                "name": "Options",
                "value": "0x00000002"
              }
            ],
            "repeated": 0,
            "id": 4493
          },
          {
            "timestamp": "2026-05-28 22:01:57,678",
            "thread_id": "1004",
            "caller": "0x7ffc7392a151",
            "parentcaller": "0x7ffc739127a5",
            "category": "filesystem",
            "api": "GetVolumeNameForVolumeMountPointW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "VolumeMountPoint",
                "value": "\\\\?\\STORAGE#Volume#{e32a9442-5af2-11f1-ae2c-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\"
              },
              {
                "name": "VolumeName",
                "value": "\\\\?\\Volume{528c102f-0000-0000-0000-100000000000}\\"
              }
            ],
            "repeated": 0,
            "id": 4494
          },
          {
            "timestamp": "2026-05-28 22:01:57,678",
            "thread_id": "1276",
            "caller": "0x7ffc756e6785",
            "parentcaller": "0x7ffc738f601a",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000648"
              }
            ],
            "repeated": 0,
            "id": 4495
          },
          {
            "timestamp": "2026-05-28 22:01:57,678",
            "thread_id": "1276",
            "caller": "0x7ffc756e6785",
            "parentcaller": "0x7ffc7391286f",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000644"
              }
            ],
            "repeated": 0,
            "id": 4496
          },
          {
            "timestamp": "2026-05-28 22:01:57,678",
            "thread_id": "1276",
            "caller": "0x7ffc7390f616",
            "parentcaller": "0x7ffc7390bf43",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000001",
                "pretty_value": "HKEY_CURRENT_USER"
              },
              {
                "name": "SubKey",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume"
              },
              {
                "name": "Handle",
                "value": "0x00000644"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume"
              }
            ],
            "repeated": 0,
            "id": 4497
          },
          {
            "timestamp": "2026-05-28 22:01:57,678",
            "thread_id": "1276",
            "caller": "0x7ffc7390bf7f",
            "parentcaller": "0x7ffc738f59ad",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000644"
              },
              {
                "name": "SubKey",
                "value": "{528c102f-0000-0000-0000-100000000000}\\"
              },
              {
                "name": "Handle",
                "value": "0x00000648"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{528c102f-0000-0000-0000-100000000000}\\"
              }
            ],
            "repeated": 0,
            "id": 4498
          },
          {
            "timestamp": "2026-05-28 22:01:57,678",
            "thread_id": "1276",
            "caller": "0x7ffc7390bfa7",
            "parentcaller": "0x7ffc738f59ad",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000644"
              }
            ],
            "repeated": 0,
            "id": 4499
          },
          {
            "timestamp": "2026-05-28 22:01:57,678",
            "thread_id": "1276",
            "caller": "0x7ffc775cb76b",
            "parentcaller": "0x7ffc775cb5e2",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000648"
              },
              {
                "name": "ValueName",
                "value": "Data"
              },
              {
                "name": "Data",
                "value": "\\xd6\r\\x00\\x00\r\\xf0\\xad\\xba\\x01\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x80\\x00\\x00\\x00\\x00\\x00\\x00\\x000\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xff\\x06\\xe7\\x03\\xff\\x00\\x00\\x00\\x16\\x00\\x00\\x00R\\xbd\\xbb\\x88\\x1e\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x0b\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\\\x00\\\\x00?\\x00\\\\x00S\\x00T\\x00O\\x00R\\x00A\\x00G\\x00E\\x00#\\x00V\\x00o\\x00l\\x00u\\x00m\\x00e\\x00#\\x00{\\x00e\\x003\\x002\\x00a\\x009\\x004\\x004\\x002\\x00-\\x005\\x00a\\x00f\\x002\\x00-\\x001\\x001\\x00f\\x001\\x00-\\x00a\\x00e\\x002\\x00c\\x00-\\x008\\x000\\x006\\x00e\\x006\\x00f\\x006\\x00e\\x006\\x009\\x006\\x003\\x00}\\x00#\\x000\\x000\\x000\\x000\\x000\\x000\\x000\\x000\\x000\\x000\\x001\\x000\\x000\\x000\\x000\\x000\\x00#\\x00{\\x005\\x003\\x00f\\x005\\x006\\x003\\x000\\x00d\\x00-\\x00b\\x006\\x00b\\x00f\\x00-\\x001\\x001\\x00d\\x000\\x00-\\x009\\x004\\x00f\\x002\\x00-\\x000\\x000\\x00a\\x000\\x00c\\x009\\x001\\x00e\\x00f\\x00b\\x008\\x00b\\x00}\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\
x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{528c102f-0000-0000-0000-100000000000}\\Data"
              }
            ],
            "repeated": 0,
            "id": 4500
          },
          {
            "timestamp": "2026-05-28 22:01:57,678",
            "thread_id": "1276",
            "caller": "0x7ffc7390bfeb",
            "parentcaller": "0x7ffc738f59ad",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000648"
              }
            ],
            "repeated": 0,
            "id": 4501
          },
          {
            "timestamp": "2026-05-28 22:01:57,678",
            "thread_id": "1276",
            "caller": "0x7ffc7390f616",
            "parentcaller": "0x7ffc7390bf43",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000001",
                "pretty_value": "HKEY_CURRENT_USER"
              },
              {
                "name": "SubKey",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume"
              },
              {
                "name": "Handle",
                "value": "0x00000648"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume"
              }
            ],
            "repeated": 0,
            "id": 4502
          },
          {
            "timestamp": "2026-05-28 22:01:57,678",
            "thread_id": "1276",
            "caller": "0x7ffc7390bf7f",
            "parentcaller": "0x7ffc738f5a2d",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000648"
              },
              {
                "name": "SubKey",
                "value": "{528c102f-0000-0000-0000-100000000000}\\"
              },
              {
                "name": "Handle",
                "value": "0x00000650"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{528c102f-0000-0000-0000-100000000000}\\"
              }
            ],
            "repeated": 0,
            "id": 4503
          },
          {
            "timestamp": "2026-05-28 22:01:57,678",
            "thread_id": "1276",
            "caller": "0x7ffc7390bfa7",
            "parentcaller": "0x7ffc738f5a2d",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000648"
              }
            ],
            "repeated": 0,
            "id": 4504
          },
          {
            "timestamp": "2026-05-28 22:01:57,678",
            "thread_id": "1276",
            "caller": "0x7ffc775cb76b",
            "parentcaller": "0x7ffc775cb5e2",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000650"
              },
              {
                "name": "ValueName",
                "value": "Generation"
              },
              {
                "name": "Data",
                "value": "1"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{528c102f-0000-0000-0000-100000000000}\\Generation"
              }
            ],
            "repeated": 0,
            "id": 4505
          },
          {
            "timestamp": "2026-05-28 22:01:57,678",
            "thread_id": "1276",
            "caller": "0x7ffc7390bfeb",
            "parentcaller": "0x7ffc738f5a2d",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000650"
              }
            ],
            "repeated": 0,
            "id": 4506
          },
          {
            "timestamp": "2026-05-28 22:01:57,678",
            "thread_id": "1276",
            "caller": "0x7ffc75716f4c",
            "parentcaller": "0x7ffc738f5fb2",
            "category": "system",
            "api": "NtDuplicateObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SourceProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "SourceHandle",
                "value": "0x00000650"
              },
              {
                "name": "TargetProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "TargetHandle",
                "value": "0x00000648"
              },
              {
                "name": "Options",
                "value": "0x00000002"
              }
            ],
            "repeated": 0,
            "id": 4507
          },
          {
            "timestamp": "2026-05-28 22:01:57,678",
            "thread_id": "1004",
            "caller": "0x7ffc7392a151",
            "parentcaller": "0x7ffc739127a5",
            "category": "filesystem",
            "api": "GetVolumeNameForVolumeMountPointW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "VolumeMountPoint",
                "value": "\\\\?\\STORAGE#Volume#{e32a9442-5af2-11f1-ae2c-806e6f6e6963}#0000000003300000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\"
              },
              {
                "name": "VolumeName",
                "value": "\\\\?\\Volume{528c102f-0000-0000-0000-300300000000}\\"
              }
            ],
            "repeated": 0,
            "id": 4508
          },
          {
            "timestamp": "2026-05-28 22:01:57,678",
            "thread_id": "1276",
            "caller": "0x7ffc756e6785",
            "parentcaller": "0x7ffc738f601a",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000650"
              }
            ],
            "repeated": 0,
            "id": 4509
          },
          {
            "timestamp": "2026-05-28 22:01:57,678",
            "thread_id": "1276",
            "caller": "0x7ffc756e6785",
            "parentcaller": "0x7ffc7391286f",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000648"
              }
            ],
            "repeated": 0,
            "id": 4510
          },
          {
            "timestamp": "2026-05-28 22:01:57,678",
            "thread_id": "1276",
            "caller": "0x7ffc7390f616",
            "parentcaller": "0x7ffc7390bf43",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000001",
                "pretty_value": "HKEY_CURRENT_USER"
              },
              {
                "name": "SubKey",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume"
              },
              {
                "name": "Handle",
                "value": "0x00000648"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume"
              }
            ],
            "repeated": 0,
            "id": 4511
          },
          {
            "timestamp": "2026-05-28 22:01:57,678",
            "thread_id": "1276",
            "caller": "0x7ffc7390bf7f",
            "parentcaller": "0x7ffc738f59ad",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000648"
              },
              {
                "name": "SubKey",
                "value": "{528c102f-0000-0000-0000-300300000000}\\"
              },
              {
                "name": "Handle",
                "value": "0x00000650"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{528c102f-0000-0000-0000-300300000000}\\"
              }
            ],
            "repeated": 0,
            "id": 4512
          },
          {
            "timestamp": "2026-05-28 22:01:57,678",
            "thread_id": "1276",
            "caller": "0x7ffc7390bfa7",
            "parentcaller": "0x7ffc738f59ad",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000648"
              }
            ],
            "repeated": 0,
            "id": 4513
          },
          {
            "timestamp": "2026-05-28 22:01:57,678",
            "thread_id": "1276",
            "caller": "0x7ffc775cb76b",
            "parentcaller": "0x7ffc775cb5e2",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000650"
              },
              {
                "name": "ValueName",
                "value": "Data"
              },
              {
                "name": "Data",
                "value": "\\xd6\r\\x00\\x00\r\\xf0\\xad\\xbaA\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x80\\x00\\x00\\x00\\x00\\x00\\x00\\x000\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xff\\x06\\xe7\\x03\\xff\\x00\\x00\\x00\\x16\\x00\\x00\\x00&\\x00\\xbc\\x12\\x1f\\x00\\x00\\x00\\x04@\\x00\\x00\\x0b\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\\\x00\\\\x00?\\x00\\\\x00S\\x00T\\x00O\\x00R\\x00A\\x00G\\x00E\\x00#\\x00V\\x00o\\x00l\\x00u\\x00m\\x00e\\x00#\\x00{\\x00e\\x003\\x002\\x00a\\x009\\x004\\x004\\x002\\x00-\\x005\\x00a\\x00f\\x002\\x00-\\x001\\x001\\x00f\\x001\\x00-\\x00a\\x00e\\x002\\x00c\\x00-\\x008\\x000\\x006\\x00e\\x006\\x00f\\x006\\x00e\\x006\\x009\\x006\\x003\\x00}\\x00#\\x000\\x000\\x000\\x000\\x000\\x000\\x000\\x000\\x000\\x003\\x003\\x000\\x000\\x000\\x000\\x000\\x00#\\x00{\\x005\\x003\\x00f\\x005\\x006\\x003\\x000\\x00d\\x00-\\x00b\\x006\\x00b\\x00f\\x00-\\x001\\x001\\x00d\\x000\\x00-\\x009\\x004\\x00f\\x002\\x00-\\x000\\x000\\x00a\\x000\\x00c\\x009\\x001\\x00e\\x00f\\x00b\\x008\\x00b\\x00}\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00
\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{528c102f-0000-0000-0000-300300000000}\\Data"
              }
            ],
            "repeated": 0,
            "id": 4514
          },
          {
            "timestamp": "2026-05-28 22:01:57,678",
            "thread_id": "1276",
            "caller": "0x7ffc7390bfeb",
            "parentcaller": "0x7ffc738f59ad",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000650"
              }
            ],
            "repeated": 0,
            "id": 4515
          },
          {
            "timestamp": "2026-05-28 22:01:57,678",
            "thread_id": "1276",
            "caller": "0x7ffc7390f616",
            "parentcaller": "0x7ffc7390bf43",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000001",
                "pretty_value": "HKEY_CURRENT_USER"
              },
              {
                "name": "SubKey",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume"
              },
              {
                "name": "Handle",
                "value": "0x00000650"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume"
              }
            ],
            "repeated": 0,
            "id": 4516
          },
          {
            "timestamp": "2026-05-28 22:01:57,678",
            "thread_id": "1276",
            "caller": "0x7ffc7390bf7f",
            "parentcaller": "0x7ffc738f5a2d",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000650"
              },
              {
                "name": "SubKey",
                "value": "{528c102f-0000-0000-0000-300300000000}\\"
              },
              {
                "name": "Handle",
                "value": "0x00000648"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{528c102f-0000-0000-0000-300300000000}\\"
              }
            ],
            "repeated": 0,
            "id": 4517
          },
          {
            "timestamp": "2026-05-28 22:01:57,678",
            "thread_id": "1276",
            "caller": "0x7ffc7390bfa7",
            "parentcaller": "0x7ffc738f5a2d",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000650"
              }
            ],
            "repeated": 0,
            "id": 4518
          },
          {
            "timestamp": "2026-05-28 22:01:57,678",
            "thread_id": "1276",
            "caller": "0x7ffc775cb76b",
            "parentcaller": "0x7ffc775cb5e2",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000648"
              },
              {
                "name": "ValueName",
                "value": "Generation"
              },
              {
                "name": "Data",
                "value": "1"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{528c102f-0000-0000-0000-300300000000}\\Generation"
              }
            ],
            "repeated": 0,
            "id": 4519
          },
          {
            "timestamp": "2026-05-28 22:01:57,678",
            "thread_id": "1276",
            "caller": "0x7ffc7390bfeb",
            "parentcaller": "0x7ffc738f5a2d",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000648"
              }
            ],
            "repeated": 0,
            "id": 4520
          },
          {
            "timestamp": "2026-05-28 22:01:57,678",
            "thread_id": "1276",
            "caller": "0x7ffc75716f4c",
            "parentcaller": "0x7ffc738f5fb2",
            "category": "system",
            "api": "NtDuplicateObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SourceProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "SourceHandle",
                "value": "0x00000648"
              },
              {
                "name": "TargetProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "TargetHandle",
                "value": "0x00000650"
              },
              {
                "name": "Options",
                "value": "0x00000002"
              }
            ],
            "repeated": 0,
            "id": 4521
          },
          {
            "timestamp": "2026-05-28 22:01:57,678",
            "thread_id": "1004",
            "caller": "0x7ffc7392a151",
            "parentcaller": "0x7ffc739127a5",
            "category": "filesystem",
            "api": "GetVolumeNameForVolumeMountPointW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "VolumeMountPoint",
                "value": "\\\\?\\STORAGE#Volume#{e32a9442-5af2-11f1-ae2c-806e6f6e6963}#0000000EDDC00000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\"
              },
              {
                "name": "VolumeName",
                "value": "\\\\?\\Volume{528c102f-0000-0000-0000-c0dd0e000000}\\"
              }
            ],
            "repeated": 0,
            "id": 4522
          },
          {
            "timestamp": "2026-05-28 22:01:57,678",
            "thread_id": "1276",
            "caller": "0x7ffc756e6785",
            "parentcaller": "0x7ffc738f601a",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000648"
              }
            ],
            "repeated": 0,
            "id": 4523
          },
          {
            "timestamp": "2026-05-28 22:01:57,678",
            "thread_id": "1276",
            "caller": "0x7ffc756e6785",
            "parentcaller": "0x7ffc7391286f",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000650"
              }
            ],
            "repeated": 0,
            "id": 4524
          },
          {
            "timestamp": "2026-05-28 22:01:57,678",
            "thread_id": "1276",
            "caller": "0x7ffc7390f616",
            "parentcaller": "0x7ffc7390bf43",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000001",
                "pretty_value": "HKEY_CURRENT_USER"
              },
              {
                "name": "SubKey",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume"
              },
              {
                "name": "Handle",
                "value": "0x00000650"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume"
              }
            ],
            "repeated": 0,
            "id": 4525
          },
          {
            "timestamp": "2026-05-28 22:01:57,678",
            "thread_id": "1276",
            "caller": "0x7ffc7390bf7f",
            "parentcaller": "0x7ffc738f59ad",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000650"
              },
              {
                "name": "SubKey",
                "value": "{528c102f-0000-0000-0000-c0dd0e000000}\\"
              },
              {
                "name": "Handle",
                "value": "0x00000648"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{528c102f-0000-0000-0000-c0dd0e000000}\\"
              }
            ],
            "repeated": 0,
            "id": 4526
          },
          {
            "timestamp": "2026-05-28 22:01:57,678",
            "thread_id": "1276",
            "caller": "0x7ffc7390bfa7",
            "parentcaller": "0x7ffc738f59ad",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000650"
              }
            ],
            "repeated": 0,
            "id": 4527
          },
          {
            "timestamp": "2026-05-28 22:01:57,678",
            "thread_id": "1276",
            "caller": "0x7ffc775cb76b",
            "parentcaller": "0x7ffc775cb5e2",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000648"
              },
              {
                "name": "ValueName",
                "value": "Data"
              },
              {
                "name": "Data",
                "value": "\\xd6\r\\x00\\x00\r\\xf0\\xad\\xba\\x01\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x80\\x00\\x00\\x00\\x00\\x00\\x00\\x000\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xff\\x06\\xe7\\x03\\xff\\x00\\x00\\x00\\x16\\x00\\x00\\x00\\x9d\\x7f\\xd7`\\x1e\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x0b\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\\\x00\\\\x00?\\x00\\\\x00S\\x00T\\x00O\\x00R\\x00A\\x00G\\x00E\\x00#\\x00V\\x00o\\x00l\\x00u\\x00m\\x00e\\x00#\\x00{\\x00e\\x003\\x002\\x00a\\x009\\x004\\x004\\x002\\x00-\\x005\\x00a\\x00f\\x002\\x00-\\x001\\x001\\x00f\\x001\\x00-\\x00a\\x00e\\x002\\x00c\\x00-\\x008\\x000\\x006\\x00e\\x006\\x00f\\x006\\x00e\\x006\\x009\\x006\\x003\\x00}\\x00#\\x000\\x000\\x000\\x000\\x000\\x000\\x000\\x00E\\x00D\\x00D\\x00C\\x000\\x000\\x000\\x000\\x000\\x00#\\x00{\\x005\\x003\\x00f\\x005\\x006\\x003\\x000\\x00d\\x00-\\x00b\\x006\\x00b\\x00f\\x00-\\x001\\x001\\x00d\\x000\\x00-\\x009\\x004\\x00f\\x002\\x00-\\x000\\x000\\x00a\\x000\\x00c\\x009\\x001\\x00e\\x00f\\x00b\\x008\\x00b\\x00}\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\
x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{528c102f-0000-0000-0000-c0dd0e000000}\\Data"
              }
            ],
            "repeated": 0,
            "id": 4528
          },
          {
            "timestamp": "2026-05-28 22:01:57,678",
            "thread_id": "1276",
            "caller": "0x7ffc7390bfeb",
            "parentcaller": "0x7ffc738f59ad",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000648"
              }
            ],
            "repeated": 0,
            "id": 4529
          },
          {
            "timestamp": "2026-05-28 22:01:57,678",
            "thread_id": "1276",
            "caller": "0x7ffc7390f616",
            "parentcaller": "0x7ffc7390bf43",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000001",
                "pretty_value": "HKEY_CURRENT_USER"
              },
              {
                "name": "SubKey",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume"
              },
              {
                "name": "Handle",
                "value": "0x00000648"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume"
              }
            ],
            "repeated": 0,
            "id": 4530
          },
          {
            "timestamp": "2026-05-28 22:01:57,678",
            "thread_id": "1276",
            "caller": "0x7ffc7390bf7f",
            "parentcaller": "0x7ffc738f5a2d",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000648"
              },
              {
                "name": "SubKey",
                "value": "{528c102f-0000-0000-0000-c0dd0e000000}\\"
              },
              {
                "name": "Handle",
                "value": "0x00000650"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{528c102f-0000-0000-0000-c0dd0e000000}\\"
              }
            ],
            "repeated": 0,
            "id": 4531
          },
          {
            "timestamp": "2026-05-28 22:01:57,678",
            "thread_id": "1276",
            "caller": "0x7ffc7390bfa7",
            "parentcaller": "0x7ffc738f5a2d",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000648"
              }
            ],
            "repeated": 0,
            "id": 4532
          },
          {
            "timestamp": "2026-05-28 22:01:57,678",
            "thread_id": "1276",
            "caller": "0x7ffc775cb76b",
            "parentcaller": "0x7ffc775cb5e2",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000650"
              },
              {
                "name": "ValueName",
                "value": "Generation"
              },
              {
                "name": "Data",
                "value": "1"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{528c102f-0000-0000-0000-c0dd0e000000}\\Generation"
              }
            ],
            "repeated": 0,
            "id": 4533
          },
          {
            "timestamp": "2026-05-28 22:01:57,678",
            "thread_id": "1276",
            "caller": "0x7ffc7390bfeb",
            "parentcaller": "0x7ffc738f5a2d",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000650"
              }
            ],
            "repeated": 0,
            "id": 4534
          },
          {
            "timestamp": "2026-05-28 22:01:57,678",
            "thread_id": "1276",
            "caller": "0x7ffc75716f4c",
            "parentcaller": "0x7ffc738f5fb2",
            "category": "system",
            "api": "NtDuplicateObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SourceProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "SourceHandle",
                "value": "0x00000650"
              },
              {
                "name": "TargetProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "TargetHandle",
                "value": "0x00000648"
              },
              {
                "name": "Options",
                "value": "0x00000002"
              }
            ],
            "repeated": 0,
            "id": 4535
          },
          {
            "timestamp": "2026-05-28 22:01:57,693",
            "thread_id": "1004",
            "caller": "0x7ffc7392a151",
            "parentcaller": "0x7ffc739127a5",
            "category": "filesystem",
            "api": "GetVolumeNameForVolumeMountPointW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "VolumeMountPoint",
                "value": "\\\\?\\SCSI#CdRom&Ven_<WOOT>&Prod_HL-PQ-SV_WB8#4&35424867&0&010000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\"
              },
              {
                "name": "VolumeName",
                "value": "\\\\?\\Volume{e32a94c0-5af2-11f1-ae2c-806e6f6e6963}\\"
              }
            ],
            "repeated": 0,
            "id": 4536
          },
          {
            "timestamp": "2026-05-28 22:01:57,693",
            "thread_id": "1276",
            "caller": "0x7ffc756e6785",
            "parentcaller": "0x7ffc738f601a",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000650"
              }
            ],
            "repeated": 0,
            "id": 4537
          },
          {
            "timestamp": "2026-05-28 22:01:57,693",
            "thread_id": "1276",
            "caller": "0x7ffc756e6785",
            "parentcaller": "0x7ffc7391286f",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000648"
              }
            ],
            "repeated": 0,
            "id": 4538
          },
          {
            "timestamp": "2026-05-28 22:01:57,693",
            "thread_id": "1276",
            "caller": "0x7ffc7390f616",
            "parentcaller": "0x7ffc7390bf43",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000001",
                "pretty_value": "HKEY_CURRENT_USER"
              },
              {
                "name": "SubKey",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume"
              },
              {
                "name": "Handle",
                "value": "0x00000648"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume"
              }
            ],
            "repeated": 0,
            "id": 4539
          },
          {
            "timestamp": "2026-05-28 22:01:57,693",
            "thread_id": "1276",
            "caller": "0x7ffc7390bf7f",
            "parentcaller": "0x7ffc738f59ad",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000648"
              },
              {
                "name": "SubKey",
                "value": "{e32a94c0-5af2-11f1-ae2c-806e6f6e6963}\\"
              },
              {
                "name": "Handle",
                "value": "0x00000650"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{e32a94c0-5af2-11f1-ae2c-806e6f6e6963}\\"
              }
            ],
            "repeated": 0,
            "id": 4540
          },
          {
            "timestamp": "2026-05-28 22:01:57,693",
            "thread_id": "1276",
            "caller": "0x7ffc7390bfa7",
            "parentcaller": "0x7ffc738f59ad",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000648"
              }
            ],
            "repeated": 0,
            "id": 4541
          },
          {
            "timestamp": "2026-05-28 22:01:57,693",
            "thread_id": "1276",
            "caller": "0x7ffc775cb76b",
            "parentcaller": "0x7ffc775cb5e2",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000650"
              },
              {
                "name": "ValueName",
                "value": "Data"
              },
              {
                "name": "Data",
                "value": "\\xd6\r\\x00\\x00\r\\xf0\\xad\\xba\\x01\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\x80\\x00\\x00\\x00\\x00\\x00\\x00\\x000\\x00\\x00\\x00\\x80#\\x00\\x00\\x00\\x07\\x02H\\x01\\xfe\\x00\\x00\\x00\\x11\\x00\\x00\\x00x\\x00'\\xca\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x0b\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\\\x00\\\\x00?\\x00\\\\x00S\\x00C\\x00S\\x00I\\x00#\\x00C\\x00d\\x00R\\x00o\\x00m\\x00&\\x00V\\x00e\\x00n\\x00_\\x00<\\x00W\\x00O\\x00O\\x00T\\x00>\\x00&\\x00P\\x00r\\x00o\\x00d\\x00_\\x00H\\x00L\\x00-\\x00P\\x00Q\\x00-\\x00S\\x00V\\x00_\\x00W\\x00B\\x008\\x00#\\x004\\x00&\\x003\\x005\\x004\\x002\\x004\\x008\\x006\\x007\\x00&\\x000\\x00&\\x000\\x001\\x000\\x000\\x000\\x000\\x00#\\x00{\\x005\\x003\\x00f\\x005\\x006\\x003\\x000\\x00d\\x00-\\x00b\\x006\\x00b\\x00f\\x00-\\x001\\x001\\x00d\\x000\\x00-\\x009\\x004\\x00f\\x002\\x00-\\x000\\x000\\x00a\\x000\\x00c\\x009\\x001\\x00e\\x00f\\x00b\\x008\\x00b\\x00}\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00
\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{e32a94c0-5af2-11f1-ae2c-806e6f6e6963}\\Data"
              }
            ],
            "repeated": 0,
            "id": 4542
          },
          {
            "timestamp": "2026-05-28 22:01:57,693",
            "thread_id": "1276",
            "caller": "0x7ffc7390bfeb",
            "parentcaller": "0x7ffc738f59ad",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000650"
              }
            ],
            "repeated": 0,
            "id": 4543
          },
          {
            "timestamp": "2026-05-28 22:01:57,693",
            "thread_id": "1276",
            "caller": "0x7ffc7390f616",
            "parentcaller": "0x7ffc7390bf43",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000001",
                "pretty_value": "HKEY_CURRENT_USER"
              },
              {
                "name": "SubKey",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume"
              },
              {
                "name": "Handle",
                "value": "0x00000650"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume"
              }
            ],
            "repeated": 0,
            "id": 4544
          },
          {
            "timestamp": "2026-05-28 22:01:57,693",
            "thread_id": "1276",
            "caller": "0x7ffc7390bf7f",
            "parentcaller": "0x7ffc738f5a2d",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000650"
              },
              {
                "name": "SubKey",
                "value": "{e32a94c0-5af2-11f1-ae2c-806e6f6e6963}\\"
              },
              {
                "name": "Handle",
                "value": "0x00000648"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{e32a94c0-5af2-11f1-ae2c-806e6f6e6963}\\"
              }
            ],
            "repeated": 0,
            "id": 4545
          },
          {
            "timestamp": "2026-05-28 22:01:57,693",
            "thread_id": "1276",
            "caller": "0x7ffc7390bfa7",
            "parentcaller": "0x7ffc738f5a2d",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000650"
              }
            ],
            "repeated": 0,
            "id": 4546
          },
          {
            "timestamp": "2026-05-28 22:01:57,693",
            "thread_id": "1276",
            "caller": "0x7ffc775cb76b",
            "parentcaller": "0x7ffc775cb5e2",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000648"
              },
              {
                "name": "ValueName",
                "value": "Generation"
              },
              {
                "name": "Data",
                "value": "1"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{e32a94c0-5af2-11f1-ae2c-806e6f6e6963}\\Generation"
              }
            ],
            "repeated": 0,
            "id": 4547
          },
          {
            "timestamp": "2026-05-28 22:01:57,693",
            "thread_id": "1276",
            "caller": "0x7ffc7390bfeb",
            "parentcaller": "0x7ffc738f5a2d",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000648"
              }
            ],
            "repeated": 0,
            "id": 4548
          },
          {
            "timestamp": "2026-05-28 22:01:57,693",
            "thread_id": "1276",
            "caller": "0x7ffc756e6579",
            "parentcaller": "0x7ffc756e5fe6",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000648"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100080",
                "pretty_value": "FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "\\??\\MountPointManager"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "3",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000080",
                "pretty_value": "FILE_ATTRIBUTE_NORMAL"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 4549
          },
          {
            "timestamp": "2026-05-28 22:01:57,693",
            "thread_id": "1276",
            "caller": "0x7ffc756ff54e",
            "parentcaller": "0x7ffc738f620d",
            "category": "device",
            "api": "DeviceIoControl",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "DeviceHandle",
                "value": "0x00000648"
              },
              {
                "name": "IoControlCode",
                "value": "0x006d0034",
                "pretty_value": "IOCTL_MOUNTMGR_QUERY_DOS_VOLUME_PATHS"
              },
              {
                "name": "InBuffer",
                "value": "`\\x00\\\\x00?\\x00?\\x00\\\\x00V\\x00o\\x00l\\x00u\\x00m\\x00e\\x00{\\x005\\x002\\x008\\x00c\\x001\\x000\\x002\\x00f\\x00-\\x000\\x000\\x000\\x000\\x00-\\x000\\x000\\x000\\x000\\x00-\\x000\\x000\\x000\\x000\\x00-\\x001\\x000\\x000\\x000\\x000\\x000\\x000\\x000\\x000\\x000\\x000\\x000\\x00}\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutBuffer",
                "value": "\\x02\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 4550
          },
          {
            "timestamp": "2026-05-28 22:01:57,693",
            "thread_id": "1276",
            "caller": "0x7ffc756e6785",
            "parentcaller": "0x7ffc756ff55e",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000648"
              }
            ],
            "repeated": 0,
            "id": 4551
          },
          {
            "timestamp": "2026-05-28 22:01:57,693",
            "thread_id": "1276",
            "caller": "0x7ffc756e6579",
            "parentcaller": "0x7ffc756e5fe6",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000648"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100080",
                "pretty_value": "FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "\\??\\MountPointManager"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "3",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000080",
                "pretty_value": "FILE_ATTRIBUTE_NORMAL"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 4552
          },
          {
            "timestamp": "2026-05-28 22:01:57,693",
            "thread_id": "1276",
            "caller": "0x7ffc756ff54e",
            "parentcaller": "0x7ffc738f626d",
            "category": "device",
            "api": "DeviceIoControl",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "DeviceHandle",
                "value": "0x00000648"
              },
              {
                "name": "IoControlCode",
                "value": "0x006d0034",
                "pretty_value": "IOCTL_MOUNTMGR_QUERY_DOS_VOLUME_PATHS"
              },
              {
                "name": "InBuffer",
                "value": "`\\x00\\\\x00?\\x00?\\x00\\\\x00V\\x00o\\x00l\\x00u\\x00m\\x00e\\x00{\\x005\\x002\\x008\\x00c\\x001\\x000\\x002\\x00f\\x00-\\x000\\x000\\x000\\x000\\x00-\\x000\\x000\\x000\\x000\\x00-\\x000\\x000\\x000\\x000\\x00-\\x001\\x000\\x000\\x000\\x000\\x000\\x000\\x000\\x000\\x000\\x000\\x000\\x00}\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutBuffer",
                "value": "\\x02\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 4553
          },
          {
            "timestamp": "2026-05-28 22:01:57,693",
            "thread_id": "1276",
            "caller": "0x7ffc756e6785",
            "parentcaller": "0x7ffc756ff55e",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000648"
              }
            ],
            "repeated": 0,
            "id": 4554
          },
          {
            "timestamp": "2026-05-28 22:01:57,693",
            "thread_id": "1276",
            "caller": "0x7ffc756e6579",
            "parentcaller": "0x7ffc756e5fe6",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000648"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100080",
                "pretty_value": "FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "\\??\\MountPointManager"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "3",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000080",
                "pretty_value": "FILE_ATTRIBUTE_NORMAL"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 4555
          },
          {
            "timestamp": "2026-05-28 22:01:57,693",
            "thread_id": "1276",
            "caller": "0x7ffc756ff54e",
            "parentcaller": "0x7ffc738f620d",
            "category": "device",
            "api": "DeviceIoControl",
            "status": false,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "DeviceHandle",
                "value": "0x00000648"
              },
              {
                "name": "IoControlCode",
                "value": "0x006d0034",
                "pretty_value": "IOCTL_MOUNTMGR_QUERY_DOS_VOLUME_PATHS"
              },
              {
                "name": "InBuffer",
                "value": "`\\x00\\\\x00?\\x00?\\x00\\\\x00V\\x00o\\x00l\\x00u\\x00m\\x00e\\x00{\\x005\\x002\\x008\\x00c\\x001\\x000\\x002\\x00f\\x00-\\x000\\x000\\x000\\x000\\x00-\\x000\\x000\\x000\\x000\\x00-\\x000\\x000\\x000\\x000\\x00-\\x003\\x000\\x000\\x003\\x000\\x000\\x000\\x000\\x000\\x000\\x000\\x000\\x00}\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutBuffer",
                "value": "\\x08\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 4556
          },
          {
            "timestamp": "2026-05-28 22:01:57,693",
            "thread_id": "1276",
            "caller": "0x7ffc756ff6dd",
            "parentcaller": "0x7ffc738f620d",
            "category": "device",
            "api": "DeviceIoControl",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "DeviceHandle",
                "value": "0x00000648"
              },
              {
                "name": "IoControlCode",
                "value": "0x006d0034",
                "pretty_value": "IOCTL_MOUNTMGR_QUERY_DOS_VOLUME_PATHS"
              },
              {
                "name": "InBuffer",
                "value": "`\\x00\\\\x00?\\x00?\\x00\\\\x00V\\x00o\\x00l\\x00u\\x00m\\x00e\\x00{\\x005\\x002\\x008\\x00c\\x001\\x000\\x002\\x00f\\x00-\\x000\\x000\\x000\\x000\\x00-\\x000\\x000\\x000\\x000\\x00-\\x000\\x000\\x000\\x000\\x00-\\x003\\x000\\x000\\x003\\x000\\x000\\x000\\x000\\x000\\x000\\x000\\x000\\x00}\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutBuffer",
                "value": "\\x08\\x00\\x00\\x00C\\x00:\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 4557
          },
          {
            "timestamp": "2026-05-28 22:01:57,693",
            "thread_id": "1276",
            "caller": "0x7ffc756e6785",
            "parentcaller": "0x7ffc756ff55e",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000648"
              }
            ],
            "repeated": 0,
            "id": 4558
          },
          {
            "timestamp": "2026-05-28 22:01:57,693",
            "thread_id": "1276",
            "caller": "0x7ffc756e6579",
            "parentcaller": "0x7ffc756e5fe6",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000648"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100080",
                "pretty_value": "FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "\\??\\MountPointManager"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "3",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000080",
                "pretty_value": "FILE_ATTRIBUTE_NORMAL"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 4559
          },
          {
            "timestamp": "2026-05-28 22:01:57,693",
            "thread_id": "1276",
            "caller": "0x7ffc756ff54e",
            "parentcaller": "0x7ffc738f626d",
            "category": "device",
            "api": "DeviceIoControl",
            "status": false,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "DeviceHandle",
                "value": "0x00000648"
              },
              {
                "name": "IoControlCode",
                "value": "0x006d0034",
                "pretty_value": "IOCTL_MOUNTMGR_QUERY_DOS_VOLUME_PATHS"
              },
              {
                "name": "InBuffer",
                "value": "`\\x00\\\\x00?\\x00?\\x00\\\\x00V\\x00o\\x00l\\x00u\\x00m\\x00e\\x00{\\x005\\x002\\x008\\x00c\\x001\\x000\\x002\\x00f\\x00-\\x000\\x000\\x000\\x000\\x00-\\x000\\x000\\x000\\x000\\x00-\\x000\\x000\\x000\\x000\\x00-\\x003\\x000\\x000\\x003\\x000\\x000\\x000\\x000\\x000\\x000\\x000\\x000\\x00}\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutBuffer",
                "value": "\\x08\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 4560
          },
          {
            "timestamp": "2026-05-28 22:01:57,693",
            "thread_id": "1276",
            "caller": "0x7ffc756ff6dd",
            "parentcaller": "0x7ffc738f626d",
            "category": "device",
            "api": "DeviceIoControl",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "DeviceHandle",
                "value": "0x00000648"
              },
              {
                "name": "IoControlCode",
                "value": "0x006d0034",
                "pretty_value": "IOCTL_MOUNTMGR_QUERY_DOS_VOLUME_PATHS"
              },
              {
                "name": "InBuffer",
                "value": "`\\x00\\\\x00?\\x00?\\x00\\\\x00V\\x00o\\x00l\\x00u\\x00m\\x00e\\x00{\\x005\\x002\\x008\\x00c\\x001\\x000\\x002\\x00f\\x00-\\x000\\x000\\x000\\x000\\x00-\\x000\\x000\\x000\\x000\\x00-\\x000\\x000\\x000\\x000\\x00-\\x003\\x000\\x000\\x003\\x000\\x000\\x000\\x000\\x000\\x000\\x000\\x000\\x00}\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutBuffer",
                "value": "\\x08\\x00\\x00\\x00C\\x00:\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 4561
          },
          {
            "timestamp": "2026-05-28 22:01:57,693",
            "thread_id": "1276",
            "caller": "0x7ffc756e6785",
            "parentcaller": "0x7ffc756ff55e",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000648"
              }
            ],
            "repeated": 0,
            "id": 4562
          },
          {
            "timestamp": "2026-05-28 22:01:57,693",
            "thread_id": "1276",
            "caller": "0x7ffc7572026b",
            "parentcaller": "0x7ffc7384956d",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x00000648"
              }
            ],
            "repeated": 0,
            "id": 4563
          },
          {
            "timestamp": "2026-05-28 22:01:57,693",
            "thread_id": "1276",
            "caller": "0x7ffc756e54eb",
            "parentcaller": "0x7ffc7384a4ff",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "25"
              },
              {
                "name": "TokenInformation",
                "value": "\\xe0\\xe7\\x1cT\\x92\\x02\\x00\\x00`\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x10\\x000\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 4564
          },
          {
            "timestamp": "2026-05-28 22:01:57,693",
            "thread_id": "1276",
            "caller": "0x7ffc756e6785",
            "parentcaller": "0x7ffc73849591",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000648"
              }
            ],
            "repeated": 0,
            "id": 4565
          },
          {
            "timestamp": "2026-05-28 22:01:57,693",
            "thread_id": "1276",
            "caller": "0x7ffc756e6579",
            "parentcaller": "0x7ffc756e5fe6",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000648"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100080",
                "pretty_value": "FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "\\??\\MountPointManager"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "3",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000080",
                "pretty_value": "FILE_ATTRIBUTE_NORMAL"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 4566
          },
          {
            "timestamp": "2026-05-28 22:01:57,693",
            "thread_id": "1276",
            "caller": "0x7ffc756ff54e",
            "parentcaller": "0x7ffc738f620d",
            "category": "device",
            "api": "DeviceIoControl",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "DeviceHandle",
                "value": "0x00000648"
              },
              {
                "name": "IoControlCode",
                "value": "0x006d0034",
                "pretty_value": "IOCTL_MOUNTMGR_QUERY_DOS_VOLUME_PATHS"
              },
              {
                "name": "InBuffer",
                "value": "`\\x00\\\\x00?\\x00?\\x00\\\\x00V\\x00o\\x00l\\x00u\\x00m\\x00e\\x00{\\x005\\x002\\x008\\x00c\\x001\\x000\\x002\\x00f\\x00-\\x000\\x000\\x000\\x000\\x00-\\x000\\x000\\x000\\x000\\x00-\\x000\\x000\\x000\\x000\\x00-\\x00c\\x000\\x00d\\x00d\\x000\\x00e\\x000\\x000\\x000\\x000\\x000\\x000\\x00}\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutBuffer",
                "value": "\\x02\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 4567
          },
          {
            "timestamp": "2026-05-28 22:01:57,693",
            "thread_id": "1276",
            "caller": "0x7ffc756e6785",
            "parentcaller": "0x7ffc756ff55e",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000648"
              }
            ],
            "repeated": 0,
            "id": 4568
          },
          {
            "timestamp": "2026-05-28 22:01:57,693",
            "thread_id": "1276",
            "caller": "0x7ffc756e6579",
            "parentcaller": "0x7ffc756e5fe6",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000648"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100080",
                "pretty_value": "FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "\\??\\MountPointManager"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "3",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000080",
                "pretty_value": "FILE_ATTRIBUTE_NORMAL"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 4569
          },
          {
            "timestamp": "2026-05-28 22:01:57,693",
            "thread_id": "1276",
            "caller": "0x7ffc756ff54e",
            "parentcaller": "0x7ffc738f626d",
            "category": "device",
            "api": "DeviceIoControl",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "DeviceHandle",
                "value": "0x00000648"
              },
              {
                "name": "IoControlCode",
                "value": "0x006d0034",
                "pretty_value": "IOCTL_MOUNTMGR_QUERY_DOS_VOLUME_PATHS"
              },
              {
                "name": "InBuffer",
                "value": "`\\x00\\\\x00?\\x00?\\x00\\\\x00V\\x00o\\x00l\\x00u\\x00m\\x00e\\x00{\\x005\\x002\\x008\\x00c\\x001\\x000\\x002\\x00f\\x00-\\x000\\x000\\x000\\x000\\x00-\\x000\\x000\\x000\\x000\\x00-\\x000\\x000\\x000\\x000\\x00-\\x00c\\x000\\x00d\\x00d\\x000\\x00e\\x000\\x000\\x000\\x000\\x000\\x000\\x00}\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutBuffer",
                "value": "\\x02\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 4570
          },
          {
            "timestamp": "2026-05-28 22:01:57,693",
            "thread_id": "1276",
            "caller": "0x7ffc756e6785",
            "parentcaller": "0x7ffc756ff55e",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000648"
              }
            ],
            "repeated": 0,
            "id": 4571
          },
          {
            "timestamp": "2026-05-28 22:01:57,693",
            "thread_id": "1276",
            "caller": "0x7ffc756e6579",
            "parentcaller": "0x7ffc756e5fe6",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000648"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100080",
                "pretty_value": "FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "\\??\\MountPointManager"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "3",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000080",
                "pretty_value": "FILE_ATTRIBUTE_NORMAL"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 4572
          },
          {
            "timestamp": "2026-05-28 22:01:57,693",
            "thread_id": "1276",
            "caller": "0x7ffc756ff54e",
            "parentcaller": "0x7ffc738f620d",
            "category": "device",
            "api": "DeviceIoControl",
            "status": false,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "DeviceHandle",
                "value": "0x00000648"
              },
              {
                "name": "IoControlCode",
                "value": "0x006d0034",
                "pretty_value": "IOCTL_MOUNTMGR_QUERY_DOS_VOLUME_PATHS"
              },
              {
                "name": "InBuffer",
                "value": "`\\x00\\\\x00?\\x00?\\x00\\\\x00V\\x00o\\x00l\\x00u\\x00m\\x00e\\x00{\\x00e\\x003\\x002\\x00a\\x009\\x004\\x00c\\x000\\x00-\\x005\\x00a\\x00f\\x002\\x00-\\x001\\x001\\x00f\\x001\\x00-\\x00a\\x00e\\x002\\x00c\\x00-\\x008\\x000\\x006\\x00e\\x006\\x00f\\x006\\x00e\\x006\\x009\\x006\\x003\\x00}\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutBuffer",
                "value": "\\x08\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 4573
          },
          {
            "timestamp": "2026-05-28 22:01:57,693",
            "thread_id": "1276",
            "caller": "0x7ffc756ff6dd",
            "parentcaller": "0x7ffc738f620d",
            "category": "device",
            "api": "DeviceIoControl",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "DeviceHandle",
                "value": "0x00000648"
              },
              {
                "name": "IoControlCode",
                "value": "0x006d0034",
                "pretty_value": "IOCTL_MOUNTMGR_QUERY_DOS_VOLUME_PATHS"
              },
              {
                "name": "InBuffer",
                "value": "`\\x00\\\\x00?\\x00?\\x00\\\\x00V\\x00o\\x00l\\x00u\\x00m\\x00e\\x00{\\x00e\\x003\\x002\\x00a\\x009\\x004\\x00c\\x000\\x00-\\x005\\x00a\\x00f\\x002\\x00-\\x001\\x001\\x00f\\x001\\x00-\\x00a\\x00e\\x002\\x00c\\x00-\\x008\\x000\\x006\\x00e\\x006\\x00f\\x006\\x00e\\x006\\x009\\x006\\x003\\x00}\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutBuffer",
                "value": "\\x08\\x00\\x00\\x00D\\x00:\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 4574
          },
          {
            "timestamp": "2026-05-28 22:01:57,693",
            "thread_id": "1276",
            "caller": "0x7ffc756e6785",
            "parentcaller": "0x7ffc756ff55e",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000648"
              }
            ],
            "repeated": 0,
            "id": 4575
          },
          {
            "timestamp": "2026-05-28 22:01:57,693",
            "thread_id": "1276",
            "caller": "0x7ffc756e6579",
            "parentcaller": "0x7ffc756e5fe6",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000648"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100080",
                "pretty_value": "FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "\\??\\MountPointManager"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "3",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000080",
                "pretty_value": "FILE_ATTRIBUTE_NORMAL"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 4576
          },
          {
            "timestamp": "2026-05-28 22:01:57,693",
            "thread_id": "1276",
            "caller": "0x7ffc756ff54e",
            "parentcaller": "0x7ffc738f626d",
            "category": "device",
            "api": "DeviceIoControl",
            "status": false,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "DeviceHandle",
                "value": "0x00000648"
              },
              {
                "name": "IoControlCode",
                "value": "0x006d0034",
                "pretty_value": "IOCTL_MOUNTMGR_QUERY_DOS_VOLUME_PATHS"
              },
              {
                "name": "InBuffer",
                "value": "`\\x00\\\\x00?\\x00?\\x00\\\\x00V\\x00o\\x00l\\x00u\\x00m\\x00e\\x00{\\x00e\\x003\\x002\\x00a\\x009\\x004\\x00c\\x000\\x00-\\x005\\x00a\\x00f\\x002\\x00-\\x001\\x001\\x00f\\x001\\x00-\\x00a\\x00e\\x002\\x00c\\x00-\\x008\\x000\\x006\\x00e\\x006\\x00f\\x006\\x00e\\x006\\x009\\x006\\x003\\x00}\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutBuffer",
                "value": "\\x08\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 4577
          },
          {
            "timestamp": "2026-05-28 22:01:57,693",
            "thread_id": "1276",
            "caller": "0x7ffc756ff6dd",
            "parentcaller": "0x7ffc738f626d",
            "category": "device",
            "api": "DeviceIoControl",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "DeviceHandle",
                "value": "0x00000648"
              },
              {
                "name": "IoControlCode",
                "value": "0x006d0034",
                "pretty_value": "IOCTL_MOUNTMGR_QUERY_DOS_VOLUME_PATHS"
              },
              {
                "name": "InBuffer",
                "value": "`\\x00\\\\x00?\\x00?\\x00\\\\x00V\\x00o\\x00l\\x00u\\x00m\\x00e\\x00{\\x00e\\x003\\x002\\x00a\\x009\\x004\\x00c\\x000\\x00-\\x005\\x00a\\x00f\\x002\\x00-\\x001\\x001\\x00f\\x001\\x00-\\x00a\\x00e\\x002\\x00c\\x00-\\x008\\x000\\x006\\x00e\\x006\\x00f\\x006\\x00e\\x006\\x009\\x006\\x003\\x00}\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutBuffer",
                "value": "\\x08\\x00\\x00\\x00D\\x00:\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 4578
          },
          {
            "timestamp": "2026-05-28 22:01:57,693",
            "thread_id": "1276",
            "caller": "0x7ffc756e6785",
            "parentcaller": "0x7ffc756ff55e",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000648"
              }
            ],
            "repeated": 0,
            "id": 4579
          },
          {
            "timestamp": "2026-05-28 22:01:57,693",
            "thread_id": "1276",
            "caller": "0x7ffc7572026b",
            "parentcaller": "0x7ffc7384956d",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x00000648"
              }
            ],
            "repeated": 0,
            "id": 4580
          },
          {
            "timestamp": "2026-05-28 22:01:57,693",
            "thread_id": "1276",
            "caller": "0x7ffc756e54eb",
            "parentcaller": "0x7ffc7384a4ff",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "25"
              },
              {
                "name": "TokenInformation",
                "value": "\\xe0\\xe7\\x1cT\\x92\\x02\\x00\\x00`\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x10\\x000\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 4581
          },
          {
            "timestamp": "2026-05-28 22:01:57,693",
            "thread_id": "1276",
            "caller": "0x7ffc756e6785",
            "parentcaller": "0x7ffc73849591",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000648"
              }
            ],
            "repeated": 0,
            "id": 4582
          },
          {
            "timestamp": "2026-05-28 22:01:57,693",
            "thread_id": "612",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\propsys.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc728f0000"
              }
            ],
            "repeated": 0,
            "id": 4583
          },
          {
            "timestamp": "2026-05-28 22:01:57,693",
            "thread_id": "612",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "1F486A52-3CB1-48FD-8F50-B8DC300D9F9D"
              },
              {
                "name": "ClsContext",
                "value": "0x00000001",
                "pretty_value": "CLSCTX_INPROC_SERVER"
              },
              {
                "name": "riid",
                "value": "ECF31D61-E474-453C-BEE7-DE68E441C6D0"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 4584
          },
          {
            "timestamp": "2026-05-28 22:01:57,693",
            "thread_id": "612",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0xfffffffc"
              }
            ],
            "repeated": 1,
            "id": 4585
          },
          {
            "timestamp": "2026-05-28 22:01:57,693",
            "thread_id": "612",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "process",
            "api": "NtOpenSection",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000004"
              },
              {
                "name": "ObjectAttributes",
                "value": "Local\\C:*Users*admin*AppData*Local*Microsoft*Windows*Caches*cversions.1"
              }
            ],
            "repeated": 0,
            "id": 4586
          },
          {
            "timestamp": "2026-05-28 22:01:57,693",
            "thread_id": "612",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "process",
            "api": "NtOpenSection",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000004"
              },
              {
                "name": "ObjectAttributes",
                "value": "Local\\C:*Users*admin*AppData*Local*Microsoft*Windows*Caches*cversions.1.ro"
              }
            ],
            "repeated": 0,
            "id": 4587
          },
          {
            "timestamp": "2026-05-28 22:01:57,693",
            "thread_id": "612",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0xfffffffc"
              }
            ],
            "repeated": 0,
            "id": 4588
          },
          {
            "timestamp": "2026-05-28 22:01:57,693",
            "thread_id": "612",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "filesystem",
            "api": "CreateDirectoryW",
            "status": false,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "DirectoryName",
                "value": "C:\\Users\\admin\\AppData\\Local\\Microsoft\\Windows\\Caches"
              }
            ],
            "repeated": 0,
            "id": 4589
          },
          {
            "timestamp": "2026-05-28 22:01:57,693",
            "thread_id": "612",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc729df000"
              },
              {
                "name": "ModuleName",
                "value": "propsys.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 4590
          },
          {
            "timestamp": "2026-05-28 22:01:57,693",
            "thread_id": "612",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc729df000"
              },
              {
                "name": "ModuleName",
                "value": "propsys.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 4591
          },
          {
            "timestamp": "2026-05-28 22:01:57,693",
            "thread_id": "612",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x00000644"
              }
            ],
            "repeated": 0,
            "id": 4592
          },
          {
            "timestamp": "2026-05-28 22:01:57,693",
            "thread_id": "612",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 4593
          },
          {
            "timestamp": "2026-05-28 22:01:57,693",
            "thread_id": "612",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "@\\x17\\x19T\\x92\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\xe9\\x03\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 4594
          },
          {
            "timestamp": "2026-05-28 22:01:57,693",
            "thread_id": "612",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000644"
              }
            ],
            "repeated": 0,
            "id": 4595
          },
          {
            "timestamp": "2026-05-28 22:01:57,693",
            "thread_id": "612",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000644"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020000",
                "pretty_value": "READ_CONTROL"
              },
              {
                "name": "FileName",
                "value": "C:\\Users\\admin\\AppData\\Local\\Microsoft\\Windows\\Caches"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 4596
          },
          {
            "timestamp": "2026-05-28 22:01:57,693",
            "thread_id": "612",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000644"
              }
            ],
            "repeated": 0,
            "id": 4597
          },
          {
            "timestamp": "2026-05-28 22:01:57,693",
            "thread_id": "612",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc729df000"
              },
              {
                "name": "ModuleName",
                "value": "propsys.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 4598
          },
          {
            "timestamp": "2026-05-28 22:01:57,693",
            "thread_id": "612",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc729df000"
              },
              {
                "name": "ModuleName",
                "value": "propsys.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 4599
          },
          {
            "timestamp": "2026-05-28 22:01:57,693",
            "thread_id": "612",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000644"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020000",
                "pretty_value": "READ_CONTROL"
              },
              {
                "name": "FileName",
                "value": "C:\\Users\\admin\\AppData\\Local\\Microsoft\\Windows\\Caches"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 4600
          },
          {
            "timestamp": "2026-05-28 22:01:57,693",
            "thread_id": "612",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000644"
              }
            ],
            "repeated": 0,
            "id": 4601
          },
          {
            "timestamp": "2026-05-28 22:01:57,693",
            "thread_id": "612",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f01ff"
              },
              {
                "name": "TokenHandle",
                "value": "0x00000644"
              }
            ],
            "repeated": 0,
            "id": 4602
          },
          {
            "timestamp": "2026-05-28 22:01:57,693",
            "thread_id": "612",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "10"
              },
              {
                "name": "TokenInformation",
                "value": "j\\xc4\t\\x00\\x00\\x00\\x00\\x00]Y\\x02\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x7f\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x94\\x0f\\x00\\x00\\x0e\\x00\\x00\\x00\\x18\\x00\\x00\\x00\\xa4\\xd0\t\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 4603
          },
          {
            "timestamp": "2026-05-28 22:01:57,693",
            "thread_id": "612",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "4"
              },
              {
                "name": "TokenInformation",
                "value": "H{\\xe8S\\x92\\x02\\x00\\x00\\x01\\x02\\x00\\x00\\x00\\x00\\x00\\x05 \\x00\\x00\\x00 \\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 4604
          },
          {
            "timestamp": "2026-05-28 22:01:57,693",
            "thread_id": "612",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "25"
              },
              {
                "name": "TokenInformation",
                "value": "\\x90L+N\\x92\\x02\\x00\\x00`\\x00\\x00\\x00\\x00\\x00\\x00\\x05\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x10\\x000\\x00\\x00\\xeb\\x1c\\xc9\\x11\\x9f\\xe8\\x08\\x00+\\x10H`\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 4605
          },
          {
            "timestamp": "2026-05-28 22:01:57,693",
            "thread_id": "612",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "5"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 4606
          },
          {
            "timestamp": "2026-05-28 22:01:57,693",
            "thread_id": "612",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "5"
              },
              {
                "name": "TokenInformation",
                "value": "h\\xd1\\x1bT\\x92\\x02\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\x01\\x02\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 4607
          },
          {
            "timestamp": "2026-05-28 22:01:57,693",
            "thread_id": "612",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "6"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 4608
          },
          {
            "timestamp": "2026-05-28 22:01:57,693",
            "thread_id": "612",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "6"
              },
              {
                "name": "TokenInformation",
                "value": "\\xe8L+N\\x92\\x02\\x00\\x00\\x02\\x00P\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x18\\x00\\x00\\x00\\x00\\x10\\x01\\x02\\x00\\x00\\x00\\x00\\x00\\x05 \\x00\\x00\\x00 \\x02\\x00\\x00\\x00\\x00\\x14\\x00\\x00\\x00\\x00\\x10\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x05\\x12\\x00\\x00\\x00\\x00\\x00\\x1c\\x00\\x00\\x00\\x00\\xa0\\x01\\x03\\x00\\x00\\x00\\x00\\x00\\x05\\x05\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xc7X\\x02\\x00"
              }
            ],
            "repeated": 0,
            "id": 4609
          },
          {
            "timestamp": "2026-05-28 22:01:57,693",
            "thread_id": "612",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "41"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00X@\\xdd3\\xfc\\x7f\\x00\\x00\\xebP\\xb53\\xfc\\x7f\\x00\\x00\\xc2\\x92\\xaa\\xbeK\\xb4\\x00\\x00(N\\xd93\\xfc\\x7f\\x00\\x00\\x10\\xbe\\xff\\x9d\\xf0\\x00\\x00\\x00\\x08\\xbe\\xff\\x9d\\xf0\\x00\\x00\\x00\\xd8\\xbd\\xff\\x9d\\xf0\\x00\\x00\\x00\\xf8\\xbd\\xff\\x9d"
              }
            ],
            "repeated": 0,
            "id": 4610
          },
          {
            "timestamp": "2026-05-28 22:01:57,693",
            "thread_id": "612",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "41"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xe0L+N\\x92\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xd9\\xd8\\xb63\\xfc\\x7f\\x00\\x00#\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\xf8\\xbb\\xff\\x9d\\xf0\\x00\\x00\\x00D\\x06\\x00\\x00\\x00\\x00\\x00\\x00\\x9a\\x00\\x1f8\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x86\\xa2\\xd93"
              }
            ],
            "repeated": 0,
            "id": 4611
          },
          {
            "timestamp": "2026-05-28 22:01:57,693",
            "thread_id": "612",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "10"
              },
              {
                "name": "TokenInformation",
                "value": "j\\xc4\t\\x00\\x00\\x00\\x00\\x00]Y\\x02\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x7f\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x94\\x0f\\x00\\x00\\x0e\\x00\\x00\\x00\\x18\\x00\\x00\\x00\\xa4\\xd0\t\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 4612
          },
          {
            "timestamp": "2026-05-28 22:01:57,693",
            "thread_id": "612",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "4"
              },
              {
                "name": "TokenInformation",
                "value": "\\x98#\\x1dT\\x92\\x02\\x00\\x00\\x01\\x02\\x00\\x00\\x00\\x00\\x00\\x05 \\x00\\x00\\x00 \\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x00p\\xa9\\xebS\\x92\\x02\\x00\\x00\\xa01/`\\xfc\\x7f\\x00\\x00\\x03\\x01\\x00\\x00\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 4613
          },
          {
            "timestamp": "2026-05-28 22:01:57,693",
            "thread_id": "612",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "25"
              },
              {
                "name": "TokenInformation",
                "value": "\\x80\"\\x1dT\\x92\\x02\\x00\\x00`\\x00\\x00\\x00\\xfc\\x7f\\x00\\x00\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x10\\x000\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x00\\xe0\\xb8\\xebS\\x92\\x02\\x00\\x00\\xa01/`\\xfc\\x7f\\x00\\x00\\x03\\x01\\x00\\x00\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 4614
          },
          {
            "timestamp": "2026-05-28 22:01:57,693",
            "thread_id": "612",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "5"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 4615
          },
          {
            "timestamp": "2026-05-28 22:01:57,693",
            "thread_id": "612",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "5"
              },
              {
                "name": "TokenInformation",
                "value": "8\\xd7\\x1bT\\x92\\x02\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\x01\\x02\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 4616
          },
          {
            "timestamp": "2026-05-28 22:01:57,693",
            "thread_id": "612",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "6"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 4617
          },
          {
            "timestamp": "2026-05-28 22:01:57,693",
            "thread_id": "612",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "6"
              },
              {
                "name": "TokenInformation",
                "value": "\\xf8#\\x1dT\\x92\\x02\\x00\\x00\\x02\\x00P\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x18\\x00\\x00\\x00\\x00\\x10\\x01\\x02\\x00\\x00\\x00\\x00\\x00\\x05 \\x00\\x00\\x00 \\x02\\x00\\x00\\x00\\x00\\x14\\x00\\x00\\x00\\x00\\x10\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x05\\x12\\x00\\x00\\x00\\x00\\x00\\x1c\\x00\\x00\\x00\\x00\\xa0\\x01\\x03\\x00\\x00\\x00\\x00\\x00\\x05\\x05\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xc7X\\x02\\x00"
              }
            ],
            "repeated": 0,
            "id": 4618
          },
          {
            "timestamp": "2026-05-28 22:01:57,693",
            "thread_id": "612",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "41"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00X@\\xdd3\\xfc\\x7f\\x00\\x00\\xebP\\xb53\\xfc\\x7f\\x00\\x00\\xa2\\x96\\xaa\\xbeK\\xb4\\x00\\x00(N\\xd93\\xfc\\x7f\\x00\\x00p\\xba\\xff\\x9d\\xf0\\x00\\x00\\x00h\\xba\\xff\\x9d\\xf0\\x00\\x00\\x008\\xba\\xff\\x9d\\xf0\\x00\\x00\\x00X\\xba\\xff\\x9d"
              }
            ],
            "repeated": 0,
            "id": 4619
          },
          {
            "timestamp": "2026-05-28 22:01:57,693",
            "thread_id": "612",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "41"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xf0#\\x1dT\\x92\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xd9\\xd8\\xb63\\xfc\\x7f\\x00\\x00#\\x00\\x00\\xc0\\x00\\x00\\x00\\x00X\\xb8\\xff\\x9d\\xf0\\x00\\x00\\x00D\\x06\\x00\\x00\\x00\\x00\\x00\\x00\\x9a\\x00\\x1f8\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x86\\xa2\\xd93"
              }
            ],
            "repeated": 0,
            "id": 4620
          },
          {
            "timestamp": "2026-05-28 22:01:57,693",
            "thread_id": "612",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000644"
              }
            ],
            "repeated": 0,
            "id": 4621
          },
          {
            "timestamp": "2026-05-28 22:01:57,693",
            "thread_id": "612",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000644"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Users\\admin\\AppData\\Local\\Microsoft\\Windows\\Caches\\cversions.1.db"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "3",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 4622
          },
          {
            "timestamp": "2026-05-28 22:01:57,693",
            "thread_id": "612",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x00000654"
              }
            ],
            "repeated": 0,
            "id": 4623
          },
          {
            "timestamp": "2026-05-28 22:01:57,693",
            "thread_id": "612",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 4624
          },
          {
            "timestamp": "2026-05-28 22:01:57,693",
            "thread_id": "612",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x18\\x19T\\x92\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\xe9\\x03\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 4625
          },
          {
            "timestamp": "2026-05-28 22:01:57,693",
            "thread_id": "612",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000654"
              }
            ],
            "repeated": 0,
            "id": 4626
          },
          {
            "timestamp": "2026-05-28 22:01:57,693",
            "thread_id": "612",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000654"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": "Local\\C:*Users*admin*AppData*Local*Microsoft*Windows*Caches*cversions.1.ro"
              },
              {
                "name": "FileHandle",
                "value": "0x00000644"
              },
              {
                "name": "FileName",
                "value": "C:\\Users\\admin\\AppData\\Local\\Microsoft\\Windows\\Caches\\cversions.1.db"
              }
            ],
            "repeated": 0,
            "id": 4627
          },
          {
            "timestamp": "2026-05-28 22:01:57,693",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c38f8",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000634"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001410",
                "pretty_value": "PROCESS_VM_READ|PROCESS_QUERY_INFORMATION|PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "900"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\System32\\svchost.exe"
              }
            ],
            "repeated": 0,
            "id": 4628
          },
          {
            "timestamp": "2026-05-28 22:01:57,693",
            "thread_id": "612",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000644"
              }
            ],
            "repeated": 0,
            "id": 4629
          },
          {
            "timestamp": "2026-05-28 22:01:57,693",
            "thread_id": "5448",
            "caller": "0x7ff6c28c53e5",
            "parentcaller": "0x7ff6c28c3945",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000634"
              },
              {
                "name": "BaseAddress",
                "value": "0x96751b4000"
              },
              {
                "name": "Size",
                "value": "0x000007c8"
              },
              {
                "name": "Buffer",
                "value": "\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x006\\x80\\xf7\\x7f\\x00\\x00\\xc0\\xc4\\x13x\\xfc\\x7f\\x00\\x00p2\\x80\\x04E\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00h\\x04E\\x02\\x00\\x00\\xe0\\xc0\\x13x\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00p\\x003v\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00c\\x04E\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00@\\xc4\\x13x\\xfc\\x7f\\x00\\x00\\xff\\x1f\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xc8\\xbf\\xf4}\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00P\\x07\\xc8\\xbf\\xf4}\\x00\\x00\\x00\\x00\\xdc\\xc1\\xf5}\\x00\\x00(\\x02\\xdd\\xc1\\xf5}\\x00\\x00P\\x06\\xde\\xc1\\xf5}\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x80\\x9b\\x07m\\xe8\\xff\\xff\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x00 \\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x10\\x00\\x00\\x00@\\xad\\x13x\\xfc\\x7f\\x00\\x00\\x00\\x00\\xe0\\x04E\\x02\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 4630
          },
          {
            "timestamp": "2026-05-28 22:01:57,693",
            "thread_id": "612",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000654"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29253f50000"
              },
              {
                "name": "SectionOffset",
                "value": "0xf09dffc0d0"
              },
              {
                "name": "ViewSize",
                "value": "0x00004000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 4631
          },
          {
            "timestamp": "2026-05-28 22:01:57,693",
            "thread_id": "5448",
            "caller": "0x7ff6c28c5414",
            "parentcaller": "0x7ff6c28c3945",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000634"
              },
              {
                "name": "BaseAddress",
                "value": "0x24504803270"
              },
              {
                "name": "Size",
                "value": "0x00000440"
              },
              {
                "name": "Buffer",
                "value": "<\\x07\\x00\\x00<\\x07\\x00\\x00\\x01 \\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00(\\x00\\x08\\x02\\x00\\x00\\x00\\x00 >\\x80\\x04E\\x02\\x00\\x00H\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00>\\x00@\\x00\\x00\\x00\\x00\\x00\\xb88\\x80\\x04E\\x02\\x00\\x00n\\x00p\\x00\\x00\\x00\\x00\\x00\\xf88\\x80\\x04E\\x02\\x00\\x00\\xf0'\\x80\\x04E\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x80\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00>\\x00@\\x00\\x00\\x00\\x00\\x00h9\\x80\\x04E\\x02\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\xa89\\x80\\x04E\\x02\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\xaa9\\x80\\x04E\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 4632
          },
          {
            "timestamp": "2026-05-28 22:01:57,693",
            "thread_id": "5448",
            "caller": "0x7ff6c28c545d",
            "parentcaller": "0x7ff6c28c3945",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000634"
              },
              {
                "name": "BaseAddress",
                "value": "0x245048038f8"
              },
              {
                "name": "Size",
                "value": "0x0000006e"
              },
              {
                "name": "Buffer",
                "value": "C\\x00:\\x00\\\\x00W\\x00i\\x00n\\x00d\\x00o\\x00w\\x00s\\x00\\\\x00s\\x00y\\x00s\\x00t\\x00e\\x00m\\x003\\x002\\x00\\\\x00s\\x00v\\x00c\\x00h\\x00o\\x00s\\x00t\\x00.\\x00e\\x00x\\x00e\\x00 \\x00-\\x00k\\x00 \\x00D\\x00c\\x00o\\x00m\\x00L\\x00a\\x00u\\x00n\\x00c\\x00h\\x00 \\x00-\\x00p\\x00 \\x00-\\x00s\\x00 \\x00L\\x00S\\x00M\\x00"
              }
            ],
            "repeated": 0,
            "id": 4633
          },
          {
            "timestamp": "2026-05-28 22:01:57,693",
            "thread_id": "5448",
            "caller": "0x7ffc756e6785",
            "parentcaller": "0x7ff6c28c39ad",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000634"
              }
            ],
            "repeated": 0,
            "id": 4634
          },
          {
            "timestamp": "2026-05-28 22:01:57,693",
            "thread_id": "612",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "process",
            "api": "NtOpenSection",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000004"
              },
              {
                "name": "ObjectAttributes",
                "value": "Local\\C:*Users*admin*AppData*Local*Microsoft*Windows*Caches*{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.ver0x0000000000000002.db"
              }
            ],
            "repeated": 0,
            "id": 4635
          },
          {
            "timestamp": "2026-05-28 22:01:57,693",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c3746",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000634"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001000",
                "pretty_value": "PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "900"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\System32\\svchost.exe"
              }
            ],
            "repeated": 0,
            "id": 4636
          },
          {
            "timestamp": "2026-05-28 22:01:57,693",
            "thread_id": "5448",
            "caller": "0x7ff6c28c472e",
            "parentcaller": "0x7ff6c28c375e",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000634"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x00000638"
              }
            ],
            "repeated": 0,
            "id": 4637
          },
          {
            "timestamp": "2026-05-28 22:01:57,693",
            "thread_id": "5448",
            "caller": "0x7ff6c28c4764",
            "parentcaller": "0x7ff6c28c375e",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "39"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 4638
          },
          {
            "timestamp": "2026-05-28 22:01:57,693",
            "thread_id": "5448",
            "caller": "0x7ff6c28c47ed",
            "parentcaller": "0x7ff6c28c375e",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "39"
              },
              {
                "name": "TokenInformation",
                "value": "\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00(\\x1dT\\x92\\x02\\x00\\x00 \\x00 \\x00\\x00\\x00\\x00\\x00((\\x1dT\\x92\\x02\\x00\\x00\\x02\\x00\\x00\\x00A\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00H(\\x1dT\\x92\\x02\\x00\\x00T\\x00S\\x00A\\x00:\\x00/\\x00/\\x00P\\x00r\\x00o\\x00c\\x00U\\x00n\\x00i\\x00q\\x00u\\x00e\\x00\\x0f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xfc\\xc2\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 4639
          },
          {
            "timestamp": "2026-05-28 22:01:57,693",
            "thread_id": "5448",
            "caller": "0x7ff6c28c488d",
            "parentcaller": "0x7ff6c28c375e",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000638"
              }
            ],
            "repeated": 0,
            "id": 4640
          },
          {
            "timestamp": "2026-05-28 22:01:57,693",
            "thread_id": "5448",
            "caller": "0x7ff6c28c3779",
            "parentcaller": "0x7ff6c28c31c6",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000634"
              }
            ],
            "repeated": 0,
            "id": 4641
          },
          {
            "timestamp": "2026-05-28 22:01:57,693",
            "thread_id": "612",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000644"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Users\\admin\\AppData\\Local\\Microsoft\\Windows\\Caches\\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.ver0x0000000000000002.db"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "1",
                "pretty_value": "FILE_SHARE_READ"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 4642
          },
          {
            "timestamp": "2026-05-28 22:01:57,693",
            "thread_id": "612",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000644"
              },
              {
                "name": "HandleName",
                "value": "C:\\Users\\admin\\AppData\\Local\\Microsoft\\Windows\\Caches\\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.ver0x0000000000000002.db"
              },
              {
                "name": "FileInformationClass",
                "value": "5",
                "pretty_value": "FileStandardInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\x00p\\x01\\x00\\x00\\x00\\x00\\x00\\x88m\\x01\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 4643
          },
          {
            "timestamp": "2026-05-28 22:01:57,693",
            "thread_id": "612",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x0000064c"
              }
            ],
            "repeated": 0,
            "id": 4644
          },
          {
            "timestamp": "2026-05-28 22:01:57,693",
            "thread_id": "612",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 4645
          },
          {
            "timestamp": "2026-05-28 22:01:57,693",
            "thread_id": "612",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "@\\x17\\x19T\\x92\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\xe9\\x03\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 4646
          },
          {
            "timestamp": "2026-05-28 22:01:57,693",
            "thread_id": "612",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000064c"
              }
            ],
            "repeated": 0,
            "id": 4647
          },
          {
            "timestamp": "2026-05-28 22:01:57,693",
            "thread_id": "612",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x0000064c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": "Local\\C:*Users*admin*AppData*Local*Microsoft*Windows*Caches*{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.ver0x0000000000000002.db"
              },
              {
                "name": "FileHandle",
                "value": "0x00000644"
              },
              {
                "name": "FileName",
                "value": "C:\\Users\\admin\\AppData\\Local\\Microsoft\\Windows\\Caches\\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.ver0x0000000000000002.db"
              }
            ],
            "repeated": 0,
            "id": 4648
          },
          {
            "timestamp": "2026-05-28 22:01:57,693",
            "thread_id": "612",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000644"
              }
            ],
            "repeated": 0,
            "id": 4649
          },
          {
            "timestamp": "2026-05-28 22:01:57,693",
            "thread_id": "612",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x0000064c"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254510000"
              },
              {
                "name": "SectionOffset",
                "value": "0xf09dffd030"
              },
              {
                "name": "ViewSize",
                "value": "0x00017000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 4650
          },
          {
            "timestamp": "2026-05-28 22:01:57,693",
            "thread_id": "612",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000064c"
              }
            ],
            "repeated": 0,
            "id": 4651
          },
          {
            "timestamp": "2026-05-28 22:01:57,693",
            "thread_id": "5448",
            "caller": "0x7ff6c28c05ac",
            "parentcaller": "0x7ff6c28bdc11",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000634"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001400",
                "pretty_value": "PROCESS_QUERY_INFORMATION|PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "420"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\System32\\svchost.exe"
              }
            ],
            "repeated": 0,
            "id": 4652
          },
          {
            "timestamp": "2026-05-28 22:01:57,693",
            "thread_id": "612",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000654"
              }
            ],
            "repeated": 0,
            "id": 4653
          },
          {
            "timestamp": "2026-05-28 22:01:57,693",
            "thread_id": "5448",
            "caller": "0x7ff6c28c068f",
            "parentcaller": "0x7ff6c28bdc11",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000634"
              }
            ],
            "repeated": 0,
            "id": 4654
          },
          {
            "timestamp": "2026-05-28 22:01:57,693",
            "thread_id": "612",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "process",
            "api": "NtUnmapViewOfSectionEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29253f50000"
              },
              {
                "name": "RegionSize",
                "value": "0x00004000"
              },
              {
                "name": "Flags",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 4655
          },
          {
            "timestamp": "2026-05-28 22:01:57,693",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c3e56",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000634"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001000",
                "pretty_value": "PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "420"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\System32\\svchost.exe"
              }
            ],
            "repeated": 0,
            "id": 4656
          },
          {
            "timestamp": "2026-05-28 22:01:57,693",
            "thread_id": "5448",
            "caller": "0x7ff6c28c3ebb",
            "parentcaller": "0x7ff6c28c2d53",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000634"
              }
            ],
            "repeated": 0,
            "id": 4657
          },
          {
            "timestamp": "2026-05-28 22:01:57,693",
            "thread_id": "612",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "0",
                "pretty_value": "ThreadBasicInformation"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x03\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00p\\x87\\x9d\\xf0\\x00\\x00\\x00\\xe8\\x1e\\x00\\x00\\x00\\x00\\x00\\x00d\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x0c\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "612"
              }
            ],
            "repeated": 0,
            "id": 4658
          },
          {
            "timestamp": "2026-05-28 22:01:57,693",
            "thread_id": "612",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0xf09d877281"
              },
              {
                "name": "Size",
                "value": "0x00000001"
              },
              {
                "name": "Buffer",
                "value": "\\x00"
              }
            ],
            "repeated": 0,
            "id": 4659
          },
          {
            "timestamp": "2026-05-28 22:01:57,693",
            "thread_id": "5448",
            "caller": "0x7ff6c28c4224",
            "parentcaller": "0x7ff6c28c2da5",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000634"
              }
            ],
            "repeated": 0,
            "id": 4660
          },
          {
            "timestamp": "2026-05-28 22:01:57,693",
            "thread_id": "612",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "process",
            "api": "WriteProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0xf09d877281"
              },
              {
                "name": "Buffer",
                "value": "\\x01"
              },
              {
                "name": "BufferLength",
                "value": "0x00000001"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 4661
          },
          {
            "timestamp": "2026-05-28 22:01:57,693",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29253f50002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\System32\\svchost.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 4662
          },
          {
            "timestamp": "2026-05-28 22:01:57,693",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "registry",
            "api": "NtOpenKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\en-US"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\en-US"
              }
            ],
            "repeated": 0,
            "id": 4663
          },
          {
            "timestamp": "2026-05-28 22:01:57,693",
            "thread_id": "612",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000634"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Users\\desktop.ini"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 4664
          },
          {
            "timestamp": "2026-05-28 22:01:57,693",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x0000064c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000654"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\en-US\\svchost.exe.mui"
              }
            ],
            "repeated": 0,
            "id": 4665
          },
          {
            "timestamp": "2026-05-28 22:01:57,693",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x0000064c"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x292543c0000"
              },
              {
                "name": "SectionOffset",
                "value": "0xf09ddfcf90"
              },
              {
                "name": "ViewSize",
                "value": "0x00001000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 4666
          },
          {
            "timestamp": "2026-05-28 22:01:57,693",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000064c"
              }
            ],
            "repeated": 0,
            "id": 4667
          },
          {
            "timestamp": "2026-05-28 22:01:57,693",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x292543c0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              }
            ],
            "repeated": 0,
            "id": 4668
          },
          {
            "timestamp": "2026-05-28 22:01:57,693",
            "thread_id": "612",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "filesystem",
            "api": "NtReadFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000634"
              },
              {
                "name": "HandleName",
                "value": "C:\\Users\\desktop.ini"
              },
              {
                "name": "Buffer",
                "value": "\\xff\\xfe\r\\x00\n\\x00[\\x00.\\x00S\\x00h\\x00e\\x00l\\x00l\\x00C\\x00l\\x00a\\x00s\\x00s\\x00I\\x00n\\x00f\\x00o\\x00]\\x00\r\\x00\n\\x00L\\x00o\\x00c\\x00a\\x00l\\x00i\\x00z\\x00e\\x00d\\x00R\\x00e\\x00s\\x00o\\x00u\\x00r\\x00c\\x00e\\x00N\\x00a\\x00m\\x00e\\x00=\\x00@\\x00%\\x00S\\x00y\\x00s\\x00t\\x00e\\x00m\\x00R\\x00o\\x00o\\x00t\\x00%\\x00\\\\x00s\\x00y\\x00s\\x00t\\x00e\\x00m\\x003\\x002\\x00\\\\x00s\\x00h\\x00e\\x00l\\x00l\\x003\\x002\\x00.\\x00d\\x00l\\x00l\\x00,\\x00-\\x002\\x001\\x008\\x001\\x003\\x00\r\\x00\n\\x00"
              },
              {
                "name": "Length",
                "value": "174"
              }
            ],
            "repeated": 0,
            "id": 4669
          },
          {
            "timestamp": "2026-05-28 22:01:57,693",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29253f50002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\System32\\svchost.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 4670
          },
          {
            "timestamp": "2026-05-28 22:01:57,693",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "registry",
            "api": "NtOpenKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\en-US"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\en-US"
              }
            ],
            "repeated": 0,
            "id": 4671
          },
          {
            "timestamp": "2026-05-28 22:01:57,693",
            "thread_id": "612",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000634"
              },
              {
                "name": "HandleName",
                "value": "C:\\Users\\desktop.ini"
              },
              {
                "name": "FileInformationClass",
                "value": "4",
                "pretty_value": "FileBasicInformation"
              },
              {
                "name": "FileInformation",
                "value": "-j\\xb5\\xc9\\xde\\xac\\xd5\\x01\\xbc\\x87A\\x9a\\xed\\xee\\xdc\\x01\\xb8\\x818{\\xde\\xac\\xd5\\x01e\\x9e\\x95\\xc2\\xf8\\xee\\xdc\\x01&\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 4672
          },
          {
            "timestamp": "2026-05-28 22:01:57,693",
            "thread_id": "612",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000634"
              }
            ],
            "repeated": 0,
            "id": 4673
          },
          {
            "timestamp": "2026-05-28 22:01:57,693",
            "thread_id": "612",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 4674
          },
          {
            "timestamp": "2026-05-28 22:01:57,693",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000654"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100001",
                "pretty_value": "FILE_READ_ACCESS|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\en-US\\svchost.exe.mui"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 4675
          },
          {
            "timestamp": "2026-05-28 22:01:57,693",
            "thread_id": "612",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0xf09d877281"
              },
              {
                "name": "Size",
                "value": "0x00000001"
              },
              {
                "name": "Buffer",
                "value": "\\x01"
              }
            ],
            "repeated": 0,
            "id": 4676
          },
          {
            "timestamp": "2026-05-28 22:01:57,693",
            "thread_id": "612",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "process",
            "api": "WriteProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0xf09d877281"
              },
              {
                "name": "Buffer",
                "value": "\\x00"
              },
              {
                "name": "BufferLength",
                "value": "0x00000001"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 4677
          },
          {
            "timestamp": "2026-05-28 22:01:57,693",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x0000064c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000654"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\en-US\\svchost.exe.mui"
              }
            ],
            "repeated": 0,
            "id": 4678
          },
          {
            "timestamp": "2026-05-28 22:01:57,693",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x0000064c"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x292544e0000"
              },
              {
                "name": "SectionOffset",
                "value": "0xf09ddfcf80"
              },
              {
                "name": "ViewSize",
                "value": "0x00001000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 4679
          },
          {
            "timestamp": "2026-05-28 22:01:57,693",
            "thread_id": "612",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000638"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100081",
                "pretty_value": "FILE_READ_ACCESS|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Users"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 4680
          },
          {
            "timestamp": "2026-05-28 22:01:57,693",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29253f50000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              }
            ],
            "repeated": 0,
            "id": 4681
          },
          {
            "timestamp": "2026-05-28 22:01:57,693",
            "thread_id": "612",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": false,
            "return": "0xffffffffc000000d",
            "pretty_return": "INVALID_PARAMETER",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000638"
              },
              {
                "name": "HandleName",
                "value": "C:\\Users"
              },
              {
                "name": "FileInformationClass",
                "value": "55",
                "pretty_value": "FileReplaceCompletionInformation"
              },
              {
                "name": "FileInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 4682
          },
          {
            "timestamp": "2026-05-28 22:01:57,693",
            "thread_id": "612",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "filesystem",
            "api": "NtQueryDirectoryFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000638"
              },
              {
                "name": "FileInformation",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xf4a\\xd0\\x9c\\xb6\\xee\\xdc\\x01\\x13\\x00\\xa9p\\xeb\\xee\\xdc\\x01\\x13\\x00\\xa9p\\xeb\\xee\\xdc\\x01\\x13\\x00\\xa9p\\xeb\\xee\\xdc\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\n\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x004\\x9a\\x01\\x00\\x00\\x00\\x04\\x00a\\x00d\\x00m\\x00i\\x00n\\x00"
              },
              {
                "name": "FileName",
                "value": "C:\\Users\\admin"
              },
              {
                "name": "FileInformationClass",
                "value": "37",
                "pretty_value": "FileIdBothDirectoryInformation"
              }
            ],
            "repeated": 0,
            "id": 4683
          },
          {
            "timestamp": "2026-05-28 22:01:57,693",
            "thread_id": "612",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000638"
              }
            ],
            "repeated": 0,
            "id": 4684
          },
          {
            "timestamp": "2026-05-28 22:01:57,693",
            "thread_id": "612",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 4685
          },
          {
            "timestamp": "2026-05-28 22:01:57,693",
            "thread_id": "612",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000638"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100081",
                "pretty_value": "FILE_READ_ACCESS|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Users\\admin"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 4686
          },
          {
            "timestamp": "2026-05-28 22:01:57,693",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c38f8",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000654"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001410",
                "pretty_value": "PROCESS_VM_READ|PROCESS_QUERY_INFORMATION|PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "420"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\System32\\svchost.exe"
              }
            ],
            "repeated": 0,
            "id": 4687
          },
          {
            "timestamp": "2026-05-28 22:01:57,693",
            "thread_id": "5448",
            "caller": "0x7ff6c28c53e5",
            "parentcaller": "0x7ff6c28c3945",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000654"
              },
              {
                "name": "BaseAddress",
                "value": "0x81208dd000"
              },
              {
                "name": "Size",
                "value": "0x000007c8"
              },
              {
                "name": "Buffer",
                "value": "\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x006\\x80\\xf7\\x7f\\x00\\x00\\xc0\\xc4\\x13x\\xfc\\x7f\\x00\\x00p2\\xe0\\x07\\xff\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xd9\\x07\\xff\\x01\\x00\\x00\\xe0\\xc0\\x13x\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00p\\x003v\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xd4\\x07\\xff\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00@\\xc4\\x13x\\xfc\\x7f\\x00\\x00\\xff\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00P\\xbe\\xf4}\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00P\\x07P\\xbe\\xf4}\\x00\\x00\\x00\\x00d\\xc0\\xf5}\\x00\\x00(\\x02e\\xc0\\xf5}\\x00\\x00P\\x06f\\xc0\\xf5}\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x80\\x9b\\x07m\\xe8\\xff\\xff\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x00 \\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x10\\x00\\x00\\x00@\\xad\\x13x\\xfc\\x7f\\x00\\x00\\x00\\x00-\\x08\\xff\\x01\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 4688
          },
          {
            "timestamp": "2026-05-28 22:01:57,693",
            "thread_id": "5448",
            "caller": "0x7ff6c28c5414",
            "parentcaller": "0x7ff6c28c3945",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000654"
              },
              {
                "name": "BaseAddress",
                "value": "0x1ff07e03270"
              },
              {
                "name": "Size",
                "value": "0x00000440"
              },
              {
                "name": "Buffer",
                "value": ":\\x07\\x00\\x00:\\x07\\x00\\x00\\x01 \\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00(\\x00\\x08\\x02\\x00\\x00\\x00\\x00 >\\xe0\\x07\\xff\\x01\\x00\\x00H\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00>\\x00@\\x00\\x00\\x00\\x00\\x00\\xb88\\xe0\\x07\\xff\\x01\\x00\\x00l\\x00n\\x00\\x00\\x00\\x00\\x00\\xf88\\xe0\\x07\\xff\\x01\\x00\\x00\\xf0'\\xe0\\x07\\xff\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x80\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00>\\x00@\\x00\\x00\\x00\\x00\\x00f9\\xe0\\x07\\xff\\x01\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\xa69\\xe0\\x07\\xff\\x01\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\xa89\\xe0\\x07\\xff\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 4689
          },
          {
            "timestamp": "2026-05-28 22:01:57,693",
            "thread_id": "5448",
            "caller": "0x7ff6c28c545d",
            "parentcaller": "0x7ff6c28c3945",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000654"
              },
              {
                "name": "BaseAddress",
                "value": "0x1ff07e038f8"
              },
              {
                "name": "Size",
                "value": "0x0000006c"
              },
              {
                "name": "Buffer",
                "value": "C\\x00:\\x00\\\\x00W\\x00i\\x00n\\x00d\\x00o\\x00w\\x00s\\x00\\\\x00s\\x00y\\x00s\\x00t\\x00e\\x00m\\x003\\x002\\x00\\\\x00s\\x00v\\x00c\\x00h\\x00o\\x00s\\x00t\\x00.\\x00e\\x00x\\x00e\\x00 \\x00-\\x00k\\x00 \\x00n\\x00e\\x00t\\x00s\\x00v\\x00c\\x00s\\x00 \\x00-\\x00p\\x00 \\x00-\\x00s\\x00 \\x00g\\x00p\\x00s\\x00v\\x00c\\x00"
              }
            ],
            "repeated": 0,
            "id": 4690
          },
          {
            "timestamp": "2026-05-28 22:01:57,693",
            "thread_id": "5448",
            "caller": "0x7ff6c28c39ad",
            "parentcaller": "0x7ff6c28c31bb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000654"
              }
            ],
            "repeated": 0,
            "id": 4691
          },
          {
            "timestamp": "2026-05-28 22:01:57,693",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c3746",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000654"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001000",
                "pretty_value": "PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "420"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\System32\\svchost.exe"
              }
            ],
            "repeated": 0,
            "id": 4692
          },
          {
            "timestamp": "2026-05-28 22:01:57,693",
            "thread_id": "5448",
            "caller": "0x7ff6c28c472e",
            "parentcaller": "0x7ff6c28c375e",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000654"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x0000064c"
              }
            ],
            "repeated": 0,
            "id": 4693
          },
          {
            "timestamp": "2026-05-28 22:01:57,693",
            "thread_id": "5448",
            "caller": "0x7ff6c28c4764",
            "parentcaller": "0x7ff6c28c375e",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "39"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 4694
          },
          {
            "timestamp": "2026-05-28 22:01:57,693",
            "thread_id": "612",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": false,
            "return": "0xffffffffc000000d",
            "pretty_return": "INVALID_PARAMETER",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000638"
              },
              {
                "name": "HandleName",
                "value": "C:\\Users\\admin"
              },
              {
                "name": "FileInformationClass",
                "value": "55",
                "pretty_value": "FileReplaceCompletionInformation"
              },
              {
                "name": "FileInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 4695
          },
          {
            "timestamp": "2026-05-28 22:01:57,693",
            "thread_id": "5448",
            "caller": "0x7ff6c28c47ed",
            "parentcaller": "0x7ff6c28c375e",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "39"
              },
              {
                "name": "TokenInformation",
                "value": "\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\xd0A\\x1dT\\x92\\x02\\x00\\x00 \\x00 \\x00\\x00\\x00\\x00\\x00\\xf8A\\x1dT\\x92\\x02\\x00\\x00\\x02\\x00\\x00\\x00A\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x18B\\x1dT\\x92\\x02\\x00\\x00T\\x00S\\x00A\\x00:\\x00/\\x00/\\x00P\\x00r\\x00o\\x00c\\x00U\\x00n\\x00i\\x00q\\x00u\\x00e\\x00\\x12\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb1\\xd7\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 4696
          },
          {
            "timestamp": "2026-05-28 22:01:57,693",
            "thread_id": "5448",
            "caller": "0x7ff6c28c488d",
            "parentcaller": "0x7ff6c28c375e",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000064c"
              }
            ],
            "repeated": 0,
            "id": 4697
          },
          {
            "timestamp": "2026-05-28 22:01:57,693",
            "thread_id": "5448",
            "caller": "0x7ff6c28c3779",
            "parentcaller": "0x7ff6c28c31c6",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000654"
              }
            ],
            "repeated": 0,
            "id": 4698
          },
          {
            "timestamp": "2026-05-28 22:01:57,693",
            "thread_id": "612",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "filesystem",
            "api": "NtQueryDirectoryFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000638"
              },
              {
                "name": "FileInformation",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00R \\xd6\\x9c\\xb6\\xee\\xdc\\x01\\x97\\xf5\\xb7\\xc2\\xea\\xee\\xdc\\x01n\\xbc\\xe2\\x9c\\xb6\\xee\\xdc\\x01n\\xbc\\xe2\\x9c\\xb6\\xee\\xdc\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x12\\x00\\x00\\x00\\x0e\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x1c\\xa5\\x01\\x00\\x00\\x00\\x03\\x00A\\x00p\\x00p\\x00D\\x00a\\x00t\\x00a\\x00"
              },
              {
                "name": "FileName",
                "value": "C:\\Users\\admin\\AppData"
              },
              {
                "name": "FileInformationClass",
                "value": "37",
                "pretty_value": "FileIdBothDirectoryInformation"
              }
            ],
            "repeated": 0,
            "id": 4699
          },
          {
            "timestamp": "2026-05-28 22:01:57,693",
            "thread_id": "612",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000638"
              }
            ],
            "repeated": 0,
            "id": 4700
          },
          {
            "timestamp": "2026-05-28 22:01:57,693",
            "thread_id": "612",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000638"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100081",
                "pretty_value": "FILE_READ_ACCESS|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Users\\admin\\AppData"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 4701
          },
          {
            "timestamp": "2026-05-28 22:01:57,693",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c3e56",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000654"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001000",
                "pretty_value": "PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "712"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\System32\\svchost.exe"
              }
            ],
            "repeated": 0,
            "id": 4702
          },
          {
            "timestamp": "2026-05-28 22:01:57,693",
            "thread_id": "612",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": false,
            "return": "0xffffffffc000000d",
            "pretty_return": "INVALID_PARAMETER",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000638"
              },
              {
                "name": "HandleName",
                "value": "C:\\Users\\admin\\AppData"
              },
              {
                "name": "FileInformationClass",
                "value": "55",
                "pretty_value": "FileReplaceCompletionInformation"
              },
              {
                "name": "FileInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 4703
          },
          {
            "timestamp": "2026-05-28 22:01:57,693",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c3ffc",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000654"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001000",
                "pretty_value": "PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "712"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\System32\\svchost.exe"
              }
            ],
            "repeated": 0,
            "id": 4704
          },
          {
            "timestamp": "2026-05-28 22:01:57,693",
            "thread_id": "612",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "filesystem",
            "api": "NtQueryDirectoryFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000638"
              },
              {
                "name": "FileInformation",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\\\xbd\\xd6\\x9c\\xb6\\xee\\xdc\\x01\\xe8\\x93\\x17\\xc5\\xea\\xee\\xdc\\x01\\xde\\x8d\\x85=\\x02\\xef\\xdc\\x01\\xde\\x8d\\x85=\\x02\\xef\\xdc\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\n\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x001\\xa6\\x01\\x00\\x00\\x00\\x02\\x00L\\x00o\\x00c\\x00a\\x00l\\x00"
              },
              {
                "name": "FileName",
                "value": "C:\\Users\\admin\\AppData\\Local"
              },
              {
                "name": "FileInformationClass",
                "value": "37",
                "pretty_value": "FileIdBothDirectoryInformation"
              }
            ],
            "repeated": 0,
            "id": 4705
          },
          {
            "timestamp": "2026-05-28 22:01:57,693",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "registry",
            "api": "NtOpenKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\en-US"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\en-US"
              }
            ],
            "repeated": 0,
            "id": 4706
          },
          {
            "timestamp": "2026-05-28 22:01:57,693",
            "thread_id": "612",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000638"
              }
            ],
            "repeated": 0,
            "id": 4707
          },
          {
            "timestamp": "2026-05-28 22:01:57,693",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000654"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100001",
                "pretty_value": "FILE_READ_ACCESS|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\en-US\\svchost.exe.mui"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 4708
          },
          {
            "timestamp": "2026-05-28 22:01:57,693",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x0000064c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000654"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\en-US\\svchost.exe.mui"
              }
            ],
            "repeated": 0,
            "id": 4709
          },
          {
            "timestamp": "2026-05-28 22:01:57,693",
            "thread_id": "612",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "filesystem",
            "api": "NtQueryDirectoryFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000638"
              },
              {
                "name": "FileInformation",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\\\xbd\\xd6\\x9c\\xb6\\xee\\xdc\\x01E\\xc5\\xeb\\xc5\\xea\\xee\\xdc\\x01\\x8d\\xff[\\xc0\\xb8\\xee\\xdc\\x01\\x8d\\xff[\\xc0\\xb8\\xee\\xdc\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x12\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00M\\x00I\\x00C\\x00R\\x00O\\x00S\\x00~\\x001\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x003\\xa6\\x01\\x00\\x00\\x00\\x02\\x00M\\x00i\\x00c\\x00r\\x00o\\x00s\\x00o\\x00f\\x00t\\x00"
              },
              {
                "name": "FileName",
                "value": "C:\\Users\\admin\\AppData\\Local\\Microsoft"
              },
              {
                "name": "FileInformationClass",
                "value": "37",
                "pretty_value": "FileIdBothDirectoryInformation"
              }
            ],
            "repeated": 0,
            "id": 4710
          },
          {
            "timestamp": "2026-05-28 22:01:57,693",
            "thread_id": "612",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000638"
              }
            ],
            "repeated": 0,
            "id": 4711
          },
          {
            "timestamp": "2026-05-28 22:01:57,693",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29253f50002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\System32\\svchost.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 4712
          },
          {
            "timestamp": "2026-05-28 22:01:57,693",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "registry",
            "api": "NtOpenKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\en-US"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\en-US"
              }
            ],
            "repeated": 0,
            "id": 4713
          },
          {
            "timestamp": "2026-05-28 22:01:57,693",
            "thread_id": "612",
            "caller": "0x7ffc756e6579",
            "parentcaller": "0x7ffc756e5fe6",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000638"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100081",
                "pretty_value": "FILE_READ_ACCESS|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Users\\admin\\AppData\\Local\\Microsoft"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 4714
          },
          {
            "timestamp": "2026-05-28 22:01:57,693",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x0000064c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000654"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\en-US\\svchost.exe.mui"
              }
            ],
            "repeated": 0,
            "id": 4715
          },
          {
            "timestamp": "2026-05-28 22:01:57,693",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x0000064c"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x292544e0000"
              },
              {
                "name": "SectionOffset",
                "value": "0xf09ddfcf80"
              },
              {
                "name": "ViewSize",
                "value": "0x00001000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 4716
          },
          {
            "timestamp": "2026-05-28 22:01:57,693",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000064c"
              }
            ],
            "repeated": 0,
            "id": 4717
          },
          {
            "timestamp": "2026-05-28 22:01:57,693",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x292544e0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              }
            ],
            "repeated": 0,
            "id": 4718
          },
          {
            "timestamp": "2026-05-28 22:01:57,693",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000654"
              }
            ],
            "repeated": 0,
            "id": 4719
          },
          {
            "timestamp": "2026-05-28 22:01:57,693",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29253f50000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              }
            ],
            "repeated": 0,
            "id": 4720
          },
          {
            "timestamp": "2026-05-28 22:01:57,693",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c38f8",
            "category": "process",
            "api": "NtOpenProcess",
            "status": false,
            "return": "0xffffffffc0000022",
            "pretty_return": "ACCESS_DENIED",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x7ffc756dad9e"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001410",
                "pretty_value": "PROCESS_VM_READ|PROCESS_QUERY_INFORMATION|PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "712"
              }
            ],
            "repeated": 0,
            "id": 4721
          },
          {
            "timestamp": "2026-05-28 22:01:57,693",
            "thread_id": "612",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": false,
            "return": "0xffffffffc000000d",
            "pretty_return": "INVALID_PARAMETER",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000638"
              },
              {
                "name": "HandleName",
                "value": "C:\\Users\\admin\\AppData\\Local\\Microsoft"
              },
              {
                "name": "FileInformationClass",
                "value": "55",
                "pretty_value": "FileReplaceCompletionInformation"
              },
              {
                "name": "FileInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 4722
          },
          {
            "timestamp": "2026-05-28 22:01:57,693",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c3746",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000654"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001000",
                "pretty_value": "PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "712"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\System32\\svchost.exe"
              }
            ],
            "repeated": 0,
            "id": 4723
          },
          {
            "timestamp": "2026-05-28 22:01:57,693",
            "thread_id": "5448",
            "caller": "0x7ff6c28c472e",
            "parentcaller": "0x7ff6c28c375e",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000654"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x0000064c"
              }
            ],
            "repeated": 0,
            "id": 4724
          },
          {
            "timestamp": "2026-05-28 22:01:57,693",
            "thread_id": "612",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "filesystem",
            "api": "NtQueryDirectoryFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000638"
              },
              {
                "name": "FileInformation",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\\\xbd\\xd6\\x9c\\xb6\\xee\\xdc\\x01{\\x7f\\x9e$\\xeb\\xee\\xdc\\x01)S:q\\xb7\\xee\\xdc\\x01)S:q\\xb7\\xee\\xdc\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x14\\x00\\x00\\x00\\x16\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00W\\x00I\\x00N\\x00D\\x00O\\x00W\\x00~\\x001\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x004\\xa6\\x01\\x00\\x00\\x00\\x02\\x00W\\x00i\\x00n\\x00d\\x00o\\x00w\\x00s\\x00A\\x00p\\x00p\\x00s\\x00"
              },
              {
                "name": "FileName",
                "value": "C:\\Users\\admin\\AppData\\Local\\Microsoft\\WindowsApps"
              },
              {
                "name": "FileInformationClass",
                "value": "37",
                "pretty_value": "FileIdBothDirectoryInformation"
              }
            ],
            "repeated": 0,
            "id": 4725
          },
          {
            "timestamp": "2026-05-28 22:01:57,693",
            "thread_id": "612",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000638"
              }
            ],
            "repeated": 0,
            "id": 4726
          },
          {
            "timestamp": "2026-05-28 22:01:57,693",
            "thread_id": "612",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "0",
                "pretty_value": "ThreadBasicInformation"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x03\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00p\\x87\\x9d\\xf0\\x00\\x00\\x00\\xe8\\x1e\\x00\\x00\\x00\\x00\\x00\\x00d\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x0c\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "612"
              }
            ],
            "repeated": 0,
            "id": 4727
          },
          {
            "timestamp": "2026-05-28 22:01:57,693",
            "thread_id": "612",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0xf09d877281"
              },
              {
                "name": "Size",
                "value": "0x00000001"
              },
              {
                "name": "Buffer",
                "value": "\\x00"
              }
            ],
            "repeated": 0,
            "id": 4728
          },
          {
            "timestamp": "2026-05-28 22:01:57,693",
            "thread_id": "612",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "process",
            "api": "WriteProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0xf09d877281"
              },
              {
                "name": "Buffer",
                "value": "\\x01"
              },
              {
                "name": "BufferLength",
                "value": "0x00000001"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 4729
          },
          {
            "timestamp": "2026-05-28 22:01:57,693",
            "thread_id": "612",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000001"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Users\\admin\\AppData\\Local\\Microsoft\\WindowsApps\\desktop.ini"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "no"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 4730
          },
          {
            "timestamp": "2026-05-28 22:01:57,693",
            "thread_id": "612",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 4731
          },
          {
            "timestamp": "2026-05-28 22:01:57,693",
            "thread_id": "612",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "0",
                "pretty_value": "ThreadBasicInformation"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x03\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00p\\x87\\x9d\\xf0\\x00\\x00\\x00\\xe8\\x1e\\x00\\x00\\x00\\x00\\x00\\x00d\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x0c\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "612"
              }
            ],
            "repeated": 0,
            "id": 4732
          },
          {
            "timestamp": "2026-05-28 22:01:57,693",
            "thread_id": "5448",
            "caller": "0x7ff6c28c05ac",
            "parentcaller": "0x7ff6c28bdc11",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000654"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001400",
                "pretty_value": "PROCESS_QUERY_INFORMATION|PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "1064"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\System32\\svchost.exe"
              }
            ],
            "repeated": 0,
            "id": 4733
          },
          {
            "timestamp": "2026-05-28 22:01:57,693",
            "thread_id": "5448",
            "caller": "0x7ff6c28c068f",
            "parentcaller": "0x7ff6c28bdc11",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000654"
              }
            ],
            "repeated": 0,
            "id": 4734
          },
          {
            "timestamp": "2026-05-28 22:01:57,693",
            "thread_id": "612",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "process",
            "api": "WriteProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0xf09d877281"
              },
              {
                "name": "Buffer",
                "value": "\\x00"
              },
              {
                "name": "BufferLength",
                "value": "0x00000001"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 4735
          },
          {
            "timestamp": "2026-05-28 22:01:57,693",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c3e56",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000654"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001000",
                "pretty_value": "PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "1064"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\System32\\svchost.exe"
              }
            ],
            "repeated": 0,
            "id": 4736
          },
          {
            "timestamp": "2026-05-28 22:01:57,693",
            "thread_id": "5448",
            "caller": "0x7ff6c28c3ebb",
            "parentcaller": "0x7ff6c28c2d53",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000654"
              }
            ],
            "repeated": 0,
            "id": 4737
          },
          {
            "timestamp": "2026-05-28 22:01:57,693",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c3ffc",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000654"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001000",
                "pretty_value": "PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "1064"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\System32\\svchost.exe"
              }
            ],
            "repeated": 0,
            "id": 4738
          },
          {
            "timestamp": "2026-05-28 22:01:57,693",
            "thread_id": "5448",
            "caller": "0x7ff6c28c4224",
            "parentcaller": "0x7ff6c28c2da5",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000654"
              }
            ],
            "repeated": 0,
            "id": 4739
          },
          {
            "timestamp": "2026-05-28 22:01:57,693",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29253f50002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\System32\\svchost.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 4740
          },
          {
            "timestamp": "2026-05-28 22:01:57,693",
            "thread_id": "612",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000638"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100081",
                "pretty_value": "FILE_READ_ACCESS|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Users\\admin\\AppData\\Local\\Microsoft\\WindowsApps"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 4741
          },
          {
            "timestamp": "2026-05-28 22:01:57,693",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000654"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100001",
                "pretty_value": "FILE_READ_ACCESS|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\en-US\\svchost.exe.mui"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 4742
          },
          {
            "timestamp": "2026-05-28 22:01:57,693",
            "thread_id": "612",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": false,
            "return": "0xffffffffc000000d",
            "pretty_return": "INVALID_PARAMETER",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000638"
              },
              {
                "name": "HandleName",
                "value": "C:\\Users\\admin\\AppData\\Local\\Microsoft\\WindowsApps"
              },
              {
                "name": "FileInformationClass",
                "value": "55",
                "pretty_value": "FileReplaceCompletionInformation"
              },
              {
                "name": "FileInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 4743
          },
          {
            "timestamp": "2026-05-28 22:01:57,693",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x0000064c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000654"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\en-US\\svchost.exe.mui"
              }
            ],
            "repeated": 0,
            "id": 4744
          },
          {
            "timestamp": "2026-05-28 22:01:57,693",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x0000064c"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x292544e0000"
              },
              {
                "name": "SectionOffset",
                "value": "0xf09ddfcf90"
              },
              {
                "name": "ViewSize",
                "value": "0x00001000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 4745
          },
          {
            "timestamp": "2026-05-28 22:01:57,693",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000064c"
              }
            ],
            "repeated": 0,
            "id": 4746
          },
          {
            "timestamp": "2026-05-28 22:01:57,693",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x292544e0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              }
            ],
            "repeated": 0,
            "id": 4747
          },
          {
            "timestamp": "2026-05-28 22:01:57,693",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000654"
              }
            ],
            "repeated": 0,
            "id": 4748
          },
          {
            "timestamp": "2026-05-28 22:01:57,693",
            "thread_id": "612",
            "caller": "0x7ff6c28de5b4",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer"
              },
              {
                "name": "Handle",
                "value": "0x00000638"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer"
              }
            ],
            "repeated": 0,
            "id": 4749
          },
          {
            "timestamp": "2026-05-28 22:01:57,693",
            "thread_id": "612",
            "caller": "0x7ff6c28de5b4",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000638"
              },
              {
                "name": "ValueName",
                "value": "DontShowSuperHidden"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\DontShowSuperHidden"
              }
            ],
            "repeated": 0,
            "id": 4750
          },
          {
            "timestamp": "2026-05-28 22:01:57,693",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29253f50002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\System32\\svchost.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 4751
          },
          {
            "timestamp": "2026-05-28 22:01:57,693",
            "thread_id": "612",
            "caller": "0x7ff6c28de5b4",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000638"
              }
            ],
            "repeated": 0,
            "id": 4752
          },
          {
            "timestamp": "2026-05-28 22:01:57,693",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "registry",
            "api": "NtOpenKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\en-US"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\en-US"
              }
            ],
            "repeated": 0,
            "id": 4753
          },
          {
            "timestamp": "2026-05-28 22:01:57,693",
            "thread_id": "612",
            "caller": "0x7ff6c28de5b4",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000001",
                "pretty_value": "HKEY_CURRENT_USER"
              },
              {
                "name": "SubKey",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer"
              }
            ],
            "repeated": 0,
            "id": 4754
          },
          {
            "timestamp": "2026-05-28 22:01:57,709",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000644"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100001",
                "pretty_value": "FILE_READ_ACCESS|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\en-US\\svchost.exe.mui"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 4755
          },
          {
            "timestamp": "2026-05-28 22:01:57,709",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000658"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000644"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\en-US\\svchost.exe.mui"
              }
            ],
            "repeated": 0,
            "id": 4756
          },
          {
            "timestamp": "2026-05-28 22:01:57,709",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000658"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x292544e0000"
              },
              {
                "name": "SectionOffset",
                "value": "0xf09ddfcf80"
              },
              {
                "name": "ViewSize",
                "value": "0x00001000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 4757
          },
          {
            "timestamp": "2026-05-28 22:01:57,709",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000658"
              }
            ],
            "repeated": 0,
            "id": 4758
          },
          {
            "timestamp": "2026-05-28 22:01:57,709",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x292544e0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              }
            ],
            "repeated": 0,
            "id": 4759
          },
          {
            "timestamp": "2026-05-28 22:01:57,709",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000644"
              }
            ],
            "repeated": 0,
            "id": 4760
          },
          {
            "timestamp": "2026-05-28 22:01:57,709",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29253f50000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              }
            ],
            "repeated": 0,
            "id": 4761
          },
          {
            "timestamp": "2026-05-28 22:01:57,709",
            "thread_id": "612",
            "caller": "0x7ff6c28de5b4",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x0000058c"
              },
              {
                "name": "SubKey",
                "value": ""
              },
              {
                "name": "Handle",
                "value": "0x00000638"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\"
              }
            ],
            "repeated": 0,
            "id": 4762
          },
          {
            "timestamp": "2026-05-28 22:01:57,709",
            "thread_id": "612",
            "caller": "0x7ff6c28de5b4",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000638"
              },
              {
                "name": "ValueName",
                "value": "ShellState"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\ShellState"
              }
            ],
            "repeated": 0,
            "id": 4763
          },
          {
            "timestamp": "2026-05-28 22:01:57,709",
            "thread_id": "612",
            "caller": "0x7ff6c28de5b4",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000638"
              },
              {
                "name": "ValueName",
                "value": "ShellState"
              },
              {
                "name": "Data",
                "value": "$\\x00\\x00\\x004(\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x13\\x00\\x00\\x00\\x00\\x00\\x00\\x00b\\x00\\x00\\x00"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\ShellState"
              }
            ],
            "repeated": 0,
            "id": 4764
          },
          {
            "timestamp": "2026-05-28 22:01:57,709",
            "thread_id": "612",
            "caller": "0x7ff6c28de5b4",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000638"
              }
            ],
            "repeated": 0,
            "id": 4765
          },
          {
            "timestamp": "2026-05-28 22:01:57,709",
            "thread_id": "612",
            "caller": "0x7ff6c28de5b4",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer"
              },
              {
                "name": "Handle",
                "value": "0x00000638"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer"
              }
            ],
            "repeated": 0,
            "id": 4766
          },
          {
            "timestamp": "2026-05-28 22:01:57,709",
            "thread_id": "612",
            "caller": "0x7ff6c28de5b4",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000638"
              },
              {
                "name": "ValueName",
                "value": "NoWebView"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\NoWebView"
              }
            ],
            "repeated": 0,
            "id": 4767
          },
          {
            "timestamp": "2026-05-28 22:01:57,709",
            "thread_id": "612",
            "caller": "0x7ff6c28de5b4",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000638"
              }
            ],
            "repeated": 0,
            "id": 4768
          },
          {
            "timestamp": "2026-05-28 22:01:57,709",
            "thread_id": "612",
            "caller": "0x7ff6c28de5b4",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000001",
                "pretty_value": "HKEY_CURRENT_USER"
              },
              {
                "name": "SubKey",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer"
              }
            ],
            "repeated": 0,
            "id": 4769
          },
          {
            "timestamp": "2026-05-28 22:01:57,709",
            "thread_id": "612",
            "caller": "0x7ff6c28de5b4",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer"
              },
              {
                "name": "Handle",
                "value": "0x00000638"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer"
              }
            ],
            "repeated": 0,
            "id": 4770
          },
          {
            "timestamp": "2026-05-28 22:01:57,709",
            "thread_id": "612",
            "caller": "0x7ff6c28de5b4",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000638"
              },
              {
                "name": "ValueName",
                "value": "ClassicShell"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\ClassicShell"
              }
            ],
            "repeated": 0,
            "id": 4771
          },
          {
            "timestamp": "2026-05-28 22:01:57,709",
            "thread_id": "612",
            "caller": "0x7ff6c28de5b4",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000638"
              }
            ],
            "repeated": 0,
            "id": 4772
          },
          {
            "timestamp": "2026-05-28 22:01:57,709",
            "thread_id": "612",
            "caller": "0x7ff6c28de5b4",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000001",
                "pretty_value": "HKEY_CURRENT_USER"
              },
              {
                "name": "SubKey",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer"
              }
            ],
            "repeated": 0,
            "id": 4773
          },
          {
            "timestamp": "2026-05-28 22:01:57,709",
            "thread_id": "612",
            "caller": "0x7ff6c28de5b4",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer"
              },
              {
                "name": "Handle",
                "value": "0x00000638"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer"
              }
            ],
            "repeated": 0,
            "id": 4774
          },
          {
            "timestamp": "2026-05-28 22:01:57,709",
            "thread_id": "612",
            "caller": "0x7ff6c28de5b4",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000638"
              },
              {
                "name": "ValueName",
                "value": "SeparateProcess"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\SeparateProcess"
              }
            ],
            "repeated": 0,
            "id": 4775
          },
          {
            "timestamp": "2026-05-28 22:01:57,709",
            "thread_id": "612",
            "caller": "0x7ff6c28de5b4",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000638"
              }
            ],
            "repeated": 0,
            "id": 4776
          },
          {
            "timestamp": "2026-05-28 22:01:57,709",
            "thread_id": "612",
            "caller": "0x7ff6c28de5b4",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000001",
                "pretty_value": "HKEY_CURRENT_USER"
              },
              {
                "name": "SubKey",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer"
              }
            ],
            "repeated": 0,
            "id": 4777
          },
          {
            "timestamp": "2026-05-28 22:01:57,709",
            "thread_id": "612",
            "caller": "0x7ff6c28de5b4",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer"
              },
              {
                "name": "Handle",
                "value": "0x00000638"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer"
              }
            ],
            "repeated": 0,
            "id": 4778
          },
          {
            "timestamp": "2026-05-28 22:01:57,709",
            "thread_id": "612",
            "caller": "0x7ff6c28de5b4",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000638"
              },
              {
                "name": "ValueName",
                "value": "NoNetCrawling"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\NoNetCrawling"
              }
            ],
            "repeated": 0,
            "id": 4779
          },
          {
            "timestamp": "2026-05-28 22:01:57,709",
            "thread_id": "612",
            "caller": "0x7ff6c28de5b4",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000638"
              }
            ],
            "repeated": 0,
            "id": 4780
          },
          {
            "timestamp": "2026-05-28 22:01:57,709",
            "thread_id": "612",
            "caller": "0x7ff6c28de5b4",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000001",
                "pretty_value": "HKEY_CURRENT_USER"
              },
              {
                "name": "SubKey",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer"
              }
            ],
            "repeated": 0,
            "id": 4781
          },
          {
            "timestamp": "2026-05-28 22:01:57,709",
            "thread_id": "612",
            "caller": "0x7ff6c28de5b4",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x0000058c"
              },
              {
                "name": "SubKey",
                "value": "Advanced"
              },
              {
                "name": "Handle",
                "value": "0x00000638"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced"
              }
            ],
            "repeated": 0,
            "id": 4782
          },
          {
            "timestamp": "2026-05-28 22:01:57,709",
            "thread_id": "612",
            "caller": "0x7ff6c28de5b4",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000638"
              },
              {
                "name": "ValueName",
                "value": "Hidden"
              },
              {
                "name": "Data",
                "value": "2"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\Hidden"
              }
            ],
            "repeated": 0,
            "id": 4783
          },
          {
            "timestamp": "2026-05-28 22:01:57,709",
            "thread_id": "612",
            "caller": "0x7ff6c28de5b4",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000638"
              },
              {
                "name": "ValueName",
                "value": "ShowCompColor"
              },
              {
                "name": "Data",
                "value": "1"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\ShowCompColor"
              }
            ],
            "repeated": 0,
            "id": 4784
          },
          {
            "timestamp": "2026-05-28 22:01:57,709",
            "thread_id": "612",
            "caller": "0x7ff6c28de5b4",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000638"
              },
              {
                "name": "ValueName",
                "value": "HideFileExt"
              },
              {
                "name": "Data",
                "value": "1"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\HideFileExt"
              }
            ],
            "repeated": 0,
            "id": 4785
          },
          {
            "timestamp": "2026-05-28 22:01:57,709",
            "thread_id": "612",
            "caller": "0x7ff6c28de5b4",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000638"
              },
              {
                "name": "ValueName",
                "value": "DontPrettyPath"
              },
              {
                "name": "Data",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\DontPrettyPath"
              }
            ],
            "repeated": 0,
            "id": 4786
          },
          {
            "timestamp": "2026-05-28 22:01:57,709",
            "thread_id": "612",
            "caller": "0x7ff6c28de5b4",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000638"
              },
              {
                "name": "ValueName",
                "value": "ShowInfoTip"
              },
              {
                "name": "Data",
                "value": "1"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\ShowInfoTip"
              }
            ],
            "repeated": 0,
            "id": 4787
          },
          {
            "timestamp": "2026-05-28 22:01:57,709",
            "thread_id": "612",
            "caller": "0x7ff6c28de5b4",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000638"
              },
              {
                "name": "ValueName",
                "value": "HideIcons"
              },
              {
                "name": "Data",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\HideIcons"
              }
            ],
            "repeated": 0,
            "id": 4788
          },
          {
            "timestamp": "2026-05-28 22:01:57,709",
            "thread_id": "612",
            "caller": "0x7ff6c28de5b4",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000638"
              },
              {
                "name": "ValueName",
                "value": "MapNetDrvBtn"
              },
              {
                "name": "Data",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\MapNetDrvBtn"
              }
            ],
            "repeated": 0,
            "id": 4789
          },
          {
            "timestamp": "2026-05-28 22:01:57,709",
            "thread_id": "612",
            "caller": "0x7ff6c28de5b4",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000638"
              },
              {
                "name": "ValueName",
                "value": "WebView"
              },
              {
                "name": "Data",
                "value": "1"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\WebView"
              }
            ],
            "repeated": 0,
            "id": 4790
          },
          {
            "timestamp": "2026-05-28 22:01:57,709",
            "thread_id": "612",
            "caller": "0x7ff6c28de5b4",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000638"
              },
              {
                "name": "ValueName",
                "value": "Filter"
              },
              {
                "name": "Data",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\Filter"
              }
            ],
            "repeated": 0,
            "id": 4791
          },
          {
            "timestamp": "2026-05-28 22:01:57,709",
            "thread_id": "612",
            "caller": "0x7ff6c28de5b4",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000638"
              },
              {
                "name": "ValueName",
                "value": "ShowSuperHidden"
              },
              {
                "name": "Data",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\ShowSuperHidden"
              }
            ],
            "repeated": 0,
            "id": 4792
          },
          {
            "timestamp": "2026-05-28 22:01:57,709",
            "thread_id": "612",
            "caller": "0x7ff6c28de5b4",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000638"
              },
              {
                "name": "ValueName",
                "value": "SeparateProcess"
              },
              {
                "name": "Data",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\SeparateProcess"
              }
            ],
            "repeated": 0,
            "id": 4793
          },
          {
            "timestamp": "2026-05-28 22:01:57,709",
            "thread_id": "612",
            "caller": "0x7ff6c28de5b4",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc77fd0000"
              },
              {
                "name": "FunctionName",
                "value": "RtlRegisterFeatureConfigurationChangeNotification"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc77fd93b0"
              }
            ],
            "repeated": 0,
            "id": 4794
          },
          {
            "timestamp": "2026-05-28 22:01:57,709",
            "thread_id": "612",
            "caller": "0x7ff6c28de5b4",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc77fd0000"
              },
              {
                "name": "FunctionName",
                "value": "NtQueryWnfStateData"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc7806fc40"
              }
            ],
            "repeated": 0,
            "id": 4795
          },
          {
            "timestamp": "2026-05-28 22:01:57,709",
            "thread_id": "612",
            "caller": "0x7ff6c28de5b4",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc77fd0000"
              },
              {
                "name": "FunctionName",
                "value": "RtlSubscribeWnfStateChangeNotification"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc78012460"
              }
            ],
            "repeated": 0,
            "id": 4796
          },
          {
            "timestamp": "2026-05-28 22:01:57,709",
            "thread_id": "612",
            "caller": "0x7ff6c28de5b4",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc77fd0000"
              },
              {
                "name": "FunctionName",
                "value": "RtlDisownModuleHeapAllocation"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc7804fa30"
              }
            ],
            "repeated": 0,
            "id": 4797
          },
          {
            "timestamp": "2026-05-28 22:01:57,709",
            "thread_id": "612",
            "caller": "0x7ff6c28de5b4",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc77fd0000"
              },
              {
                "name": "FunctionName",
                "value": "RtlQueryFeatureConfiguration"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc7802cbd0"
              }
            ],
            "repeated": 0,
            "id": 4798
          },
          {
            "timestamp": "2026-05-28 22:01:57,709",
            "thread_id": "612",
            "caller": "0x7ff6c28de5b4",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "synchronization",
            "api": "NtCreateMutant",
            "status": true,
            "return": "0x40000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000654"
              },
              {
                "name": "MutexName",
                "value": "Local\\SM0:7912:304:WilStaging_02"
              },
              {
                "name": "InitialOwner",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 4799
          },
          {
            "timestamp": "2026-05-28 22:01:57,709",
            "thread_id": "612",
            "caller": "0x7ff6c28de5b4",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000065c"
              }
            ],
            "repeated": 0,
            "id": 4800
          },
          {
            "timestamp": "2026-05-28 22:01:57,709",
            "thread_id": "612",
            "caller": "0x7ff6c28de5b4",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000064c"
              }
            ],
            "repeated": 0,
            "id": 4801
          },
          {
            "timestamp": "2026-05-28 22:01:57,709",
            "thread_id": "612",
            "caller": "0x7ff6c28de5b4",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000654"
              }
            ],
            "repeated": 0,
            "id": 4802
          },
          {
            "timestamp": "2026-05-28 22:01:57,709",
            "thread_id": "612",
            "caller": "0x7ff6c28de5b4",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000638"
              },
              {
                "name": "ValueName",
                "value": "NoNetCrawling"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\NoNetCrawling"
              }
            ],
            "repeated": 0,
            "id": 4803
          },
          {
            "timestamp": "2026-05-28 22:01:57,709",
            "thread_id": "612",
            "caller": "0x7ff6c28de5b4",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000638"
              },
              {
                "name": "ValueName",
                "value": "AutoCheckSelect"
              },
              {
                "name": "Data",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\AutoCheckSelect"
              }
            ],
            "repeated": 0,
            "id": 4804
          },
          {
            "timestamp": "2026-05-28 22:01:57,709",
            "thread_id": "612",
            "caller": "0x7ff6c28de5b4",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000638"
              },
              {
                "name": "ValueName",
                "value": "IconsOnly"
              },
              {
                "name": "Data",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\IconsOnly"
              }
            ],
            "repeated": 0,
            "id": 4805
          },
          {
            "timestamp": "2026-05-28 22:01:57,709",
            "thread_id": "612",
            "caller": "0x7ff6c28de5b4",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000638"
              },
              {
                "name": "ValueName",
                "value": "ShowTypeOverlay"
              },
              {
                "name": "Data",
                "value": "1"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\ShowTypeOverlay"
              }
            ],
            "repeated": 0,
            "id": 4806
          },
          {
            "timestamp": "2026-05-28 22:01:57,709",
            "thread_id": "612",
            "caller": "0x7ff6c28de5b4",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000638"
              },
              {
                "name": "ValueName",
                "value": "ShowStatusBar"
              },
              {
                "name": "Data",
                "value": "1"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\ShowStatusBar"
              }
            ],
            "repeated": 0,
            "id": 4807
          },
          {
            "timestamp": "2026-05-28 22:01:57,709",
            "thread_id": "612",
            "caller": "0x7ff6c28de5b4",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000638"
              }
            ],
            "repeated": 0,
            "id": 4808
          },
          {
            "timestamp": "2026-05-28 22:01:57,709",
            "thread_id": "612",
            "caller": "0x7ff6c28de5b4",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x00000638"
              }
            ],
            "repeated": 0,
            "id": 4809
          },
          {
            "timestamp": "2026-05-28 22:01:57,709",
            "thread_id": "612",
            "caller": "0x7ff6c28de5b4",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "18"
              },
              {
                "name": "TokenInformation",
                "value": "\\x01\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 4810
          },
          {
            "timestamp": "2026-05-28 22:01:57,709",
            "thread_id": "612",
            "caller": "0x7ff6c28de5b4",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "20"
              },
              {
                "name": "TokenInformation",
                "value": "\\x01\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 4811
          },
          {
            "timestamp": "2026-05-28 22:01:57,709",
            "thread_id": "612",
            "caller": "0x7ff6c28de5b4",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000638"
              }
            ],
            "repeated": 0,
            "id": 4812
          },
          {
            "timestamp": "2026-05-28 22:01:57,709",
            "thread_id": "612",
            "caller": "0x7ff6c28de5b4",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000000",
                "pretty_value": "HKEY_CLASSES_ROOT"
              },
              {
                "name": "SubKey",
                "value": "Directory"
              },
              {
                "name": "Handle",
                "value": "0x0000063a"
              },
              {
                "name": "FullName",
                "value": "HKEY_CLASSES_ROOT\\Directory"
              }
            ],
            "repeated": 0,
            "id": 4813
          },
          {
            "timestamp": "2026-05-28 22:01:57,709",
            "thread_id": "612",
            "caller": "0x7ff6c28de5b4",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x0000063a"
              },
              {
                "name": "SubKey",
                "value": "ShellEx\\IconHandler"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\Directory\\ShellEx\\IconHandler"
              }
            ],
            "repeated": 0,
            "id": 4814
          },
          {
            "timestamp": "2026-05-28 22:01:57,709",
            "thread_id": "612",
            "caller": "0x7ff6c28de5b4",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000000",
                "pretty_value": "HKEY_CLASSES_ROOT"
              },
              {
                "name": "SubKey",
                "value": "Folder"
              },
              {
                "name": "Handle",
                "value": "0x0000064e"
              },
              {
                "name": "FullName",
                "value": "HKEY_CLASSES_ROOT\\Folder"
              }
            ],
            "repeated": 0,
            "id": 4815
          },
          {
            "timestamp": "2026-05-28 22:01:57,709",
            "thread_id": "612",
            "caller": "0x7ff6c28de5b4",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x0000064e"
              },
              {
                "name": "SubKey",
                "value": "ShellEx\\IconHandler"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Folder\\ShellEx\\IconHandler"
              }
            ],
            "repeated": 0,
            "id": 4816
          },
          {
            "timestamp": "2026-05-28 22:01:57,709",
            "thread_id": "612",
            "caller": "0x7ff6c28de5b4",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000000",
                "pretty_value": "HKEY_CLASSES_ROOT"
              },
              {
                "name": "SubKey",
                "value": "AllFilesystemObjects"
              },
              {
                "name": "Handle",
                "value": "0x0000065e"
              },
              {
                "name": "FullName",
                "value": "HKEY_CLASSES_ROOT\\AllFilesystemObjects"
              }
            ],
            "repeated": 0,
            "id": 4817
          },
          {
            "timestamp": "2026-05-28 22:01:57,709",
            "thread_id": "612",
            "caller": "0x7ff6c28de5b4",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x0000065e"
              },
              {
                "name": "SubKey",
                "value": "ShellEx\\IconHandler"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\AllFilesystemObjects\\ShellEx\\IconHandler"
              }
            ],
            "repeated": 0,
            "id": 4818
          },
          {
            "timestamp": "2026-05-28 22:01:57,709",
            "thread_id": "612",
            "caller": "0x7ff6c28de5b4",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000063a"
              },
              {
                "name": "ValueName",
                "value": "DocObject"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\Directory\\DocObject"
              }
            ],
            "repeated": 0,
            "id": 4819
          },
          {
            "timestamp": "2026-05-28 22:01:57,709",
            "thread_id": "612",
            "caller": "0x7ff6c28de5b4",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x0000063a"
              },
              {
                "name": "SubKey",
                "value": "DocObject"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\Directory\\DocObject"
              }
            ],
            "repeated": 0,
            "id": 4820
          },
          {
            "timestamp": "2026-05-28 22:01:57,709",
            "thread_id": "612",
            "caller": "0x7ff6c28de5b4",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000064e"
              },
              {
                "name": "ValueName",
                "value": "DocObject"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Folder\\DocObject"
              }
            ],
            "repeated": 0,
            "id": 4821
          },
          {
            "timestamp": "2026-05-28 22:01:57,709",
            "thread_id": "612",
            "caller": "0x7ff6c28de5b4",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x0000064e"
              },
              {
                "name": "SubKey",
                "value": "DocObject"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Folder\\DocObject"
              }
            ],
            "repeated": 0,
            "id": 4822
          },
          {
            "timestamp": "2026-05-28 22:01:57,709",
            "thread_id": "612",
            "caller": "0x7ff6c28de5b4",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000065e"
              },
              {
                "name": "ValueName",
                "value": "DocObject"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\AllFilesystemObjects\\DocObject"
              }
            ],
            "repeated": 0,
            "id": 4823
          },
          {
            "timestamp": "2026-05-28 22:01:57,709",
            "thread_id": "612",
            "caller": "0x7ff6c28de5b4",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x0000065e"
              },
              {
                "name": "SubKey",
                "value": "DocObject"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\AllFilesystemObjects\\DocObject"
              }
            ],
            "repeated": 0,
            "id": 4824
          },
          {
            "timestamp": "2026-05-28 22:01:57,709",
            "thread_id": "612",
            "caller": "0x7ff6c28de5b4",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000063a"
              },
              {
                "name": "ValueName",
                "value": "BrowseInPlace"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\Directory\\BrowseInPlace"
              }
            ],
            "repeated": 0,
            "id": 4825
          },
          {
            "timestamp": "2026-05-28 22:01:57,709",
            "thread_id": "612",
            "caller": "0x7ff6c28de5b4",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x0000063a"
              },
              {
                "name": "SubKey",
                "value": "BrowseInPlace"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\Directory\\BrowseInPlace"
              }
            ],
            "repeated": 0,
            "id": 4826
          },
          {
            "timestamp": "2026-05-28 22:01:57,709",
            "thread_id": "612",
            "caller": "0x7ff6c28de5b4",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000064e"
              },
              {
                "name": "ValueName",
                "value": "BrowseInPlace"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Folder\\BrowseInPlace"
              }
            ],
            "repeated": 0,
            "id": 4827
          },
          {
            "timestamp": "2026-05-28 22:01:57,709",
            "thread_id": "612",
            "caller": "0x7ff6c28de5b4",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x0000064e"
              },
              {
                "name": "SubKey",
                "value": "BrowseInPlace"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Folder\\BrowseInPlace"
              }
            ],
            "repeated": 0,
            "id": 4828
          },
          {
            "timestamp": "2026-05-28 22:01:57,709",
            "thread_id": "612",
            "caller": "0x7ff6c28de5b4",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000065e"
              },
              {
                "name": "ValueName",
                "value": "BrowseInPlace"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\AllFilesystemObjects\\BrowseInPlace"
              }
            ],
            "repeated": 0,
            "id": 4829
          },
          {
            "timestamp": "2026-05-28 22:01:57,709",
            "thread_id": "612",
            "caller": "0x7ff6c28de5b4",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x0000065e"
              },
              {
                "name": "SubKey",
                "value": "BrowseInPlace"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\AllFilesystemObjects\\BrowseInPlace"
              }
            ],
            "repeated": 0,
            "id": 4830
          },
          {
            "timestamp": "2026-05-28 22:01:57,709",
            "thread_id": "612",
            "caller": "0x7ff6c28de5b4",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x0000063a"
              },
              {
                "name": "SubKey",
                "value": "Clsid"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\Directory\\Clsid"
              }
            ],
            "repeated": 0,
            "id": 4831
          },
          {
            "timestamp": "2026-05-28 22:01:57,709",
            "thread_id": "612",
            "caller": "0x7ff6c28de5b4",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x0000064e"
              },
              {
                "name": "SubKey",
                "value": "Clsid"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Folder\\Clsid"
              }
            ],
            "repeated": 0,
            "id": 4832
          },
          {
            "timestamp": "2026-05-28 22:01:57,709",
            "thread_id": "612",
            "caller": "0x7ff6c28de5b4",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x0000065e"
              },
              {
                "name": "SubKey",
                "value": "Clsid"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\AllFilesystemObjects\\Clsid"
              }
            ],
            "repeated": 0,
            "id": 4833
          },
          {
            "timestamp": "2026-05-28 22:01:57,709",
            "thread_id": "612",
            "caller": "0x7ff6c28de5b4",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000063a"
              },
              {
                "name": "ValueName",
                "value": "IsShortcut"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\Directory\\IsShortcut"
              }
            ],
            "repeated": 0,
            "id": 4834
          },
          {
            "timestamp": "2026-05-28 22:01:57,709",
            "thread_id": "612",
            "caller": "0x7ff6c28de5b4",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000064e"
              },
              {
                "name": "ValueName",
                "value": "IsShortcut"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Folder\\IsShortcut"
              }
            ],
            "repeated": 0,
            "id": 4835
          },
          {
            "timestamp": "2026-05-28 22:01:57,709",
            "thread_id": "612",
            "caller": "0x7ff6c28de5b4",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000065e"
              },
              {
                "name": "ValueName",
                "value": "IsShortcut"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\AllFilesystemObjects\\IsShortcut"
              }
            ],
            "repeated": 0,
            "id": 4836
          },
          {
            "timestamp": "2026-05-28 22:01:57,709",
            "thread_id": "612",
            "caller": "0x7ff6c28de5b4",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000063a"
              },
              {
                "name": "ValueName",
                "value": "AlwaysShowExt"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\Directory\\AlwaysShowExt"
              }
            ],
            "repeated": 0,
            "id": 4837
          },
          {
            "timestamp": "2026-05-28 22:01:57,709",
            "thread_id": "612",
            "caller": "0x7ff6c28de5b4",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000063a"
              },
              {
                "name": "ValueName",
                "value": "NeverShowExt"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\Directory\\NeverShowExt"
              }
            ],
            "repeated": 0,
            "id": 4838
          },
          {
            "timestamp": "2026-05-28 22:01:57,709",
            "thread_id": "612",
            "caller": "0x7ff6c28de5b4",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000064e"
              },
              {
                "name": "ValueName",
                "value": "NeverShowExt"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Folder\\NeverShowExt"
              }
            ],
            "repeated": 0,
            "id": 4839
          },
          {
            "timestamp": "2026-05-28 22:01:57,709",
            "thread_id": "612",
            "caller": "0x7ff6c28de5b4",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000065e"
              },
              {
                "name": "ValueName",
                "value": "NeverShowExt"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\AllFilesystemObjects\\NeverShowExt"
              }
            ],
            "repeated": 0,
            "id": 4840
          },
          {
            "timestamp": "2026-05-28 22:01:57,709",
            "thread_id": "612",
            "caller": "0x7ff6c28de5b4",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000063a"
              }
            ],
            "repeated": 0,
            "id": 4841
          },
          {
            "timestamp": "2026-05-28 22:01:57,709",
            "thread_id": "612",
            "caller": "0x7ff6c28de5b4",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000064e"
              }
            ],
            "repeated": 0,
            "id": 4842
          },
          {
            "timestamp": "2026-05-28 22:01:57,709",
            "thread_id": "612",
            "caller": "0x7ff6c28de5b4",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000065e"
              }
            ],
            "repeated": 0,
            "id": 4843
          },
          {
            "timestamp": "2026-05-28 22:01:57,709",
            "thread_id": "612",
            "caller": "0x7ff6c28de5de",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc73f05000"
              },
              {
                "name": "ModuleName",
                "value": "windows.storage.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 4844
          },
          {
            "timestamp": "2026-05-28 22:01:57,709",
            "thread_id": "612",
            "caller": "0x7ff6c28de5de",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc73f05000"
              },
              {
                "name": "ModuleName",
                "value": "windows.storage.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 4845
          },
          {
            "timestamp": "2026-05-28 22:01:57,709",
            "thread_id": "612",
            "caller": "0x7ff6c28de5de",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\KindMap"
              },
              {
                "name": "Handle",
                "value": "0x0000065c"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\KindMap"
              }
            ],
            "repeated": 0,
            "id": 4846
          },
          {
            "timestamp": "2026-05-28 22:01:57,709",
            "thread_id": "612",
            "caller": "0x7ff6c28de5de",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000065c"
              },
              {
                "name": "ValueName",
                "value": ".exe"
              },
              {
                "name": "Data",
                "value": "program"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\KindMap\\.exe"
              }
            ],
            "repeated": 0,
            "id": 4847
          },
          {
            "timestamp": "2026-05-28 22:01:57,709",
            "thread_id": "612",
            "caller": "0x7ff6c28de5de",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000065c"
              }
            ],
            "repeated": 0,
            "id": 4848
          },
          {
            "timestamp": "2026-05-28 22:01:57,709",
            "thread_id": "612",
            "caller": "0x7ff6c28de5de",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000000",
                "pretty_value": "HKEY_CLASSES_ROOT"
              },
              {
                "name": "SubKey",
                "value": ".exe"
              },
              {
                "name": "Handle",
                "value": "0x0000065e"
              },
              {
                "name": "FullName",
                "value": "HKEY_CLASSES_ROOT\\.exe"
              }
            ],
            "repeated": 0,
            "id": 4849
          },
          {
            "timestamp": "2026-05-28 22:01:57,709",
            "thread_id": "612",
            "caller": "0x7ff6c28de5de",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000065e"
              },
              {
                "name": "ValueName",
                "value": "Content Type"
              },
              {
                "name": "Data",
                "value": "application/x-msdownload"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.exe\\Content Type"
              }
            ],
            "repeated": 0,
            "id": 4850
          },
          {
            "timestamp": "2026-05-28 22:01:57,709",
            "thread_id": "612",
            "caller": "0x7ff6c28de5de",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000065e"
              }
            ],
            "repeated": 0,
            "id": 4851
          },
          {
            "timestamp": "2026-05-28 22:01:57,709",
            "thread_id": "612",
            "caller": "0x7ff6c28de5de",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc729df000"
              },
              {
                "name": "ModuleName",
                "value": "propsys.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 4852
          },
          {
            "timestamp": "2026-05-28 22:01:57,709",
            "thread_id": "612",
            "caller": "0x7ff6c28de5de",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc729df000"
              },
              {
                "name": "ModuleName",
                "value": "propsys.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 4853
          },
          {
            "timestamp": "2026-05-28 22:01:57,709",
            "thread_id": "612",
            "caller": "0x7ff6c28de5de",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc729df000"
              },
              {
                "name": "ModuleName",
                "value": "propsys.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 4854
          },
          {
            "timestamp": "2026-05-28 22:01:57,709",
            "thread_id": "612",
            "caller": "0x7ff6c28de5de",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc729df000"
              },
              {
                "name": "ModuleName",
                "value": "propsys.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 4855
          },
          {
            "timestamp": "2026-05-28 22:01:57,709",
            "thread_id": "612",
            "caller": "0x7ff6c28de5de",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "1F486A52-3CB1-48FD-8F50-B8DC300D9F9D"
              },
              {
                "name": "ClsContext",
                "value": "0x00000001",
                "pretty_value": "CLSCTX_INPROC_SERVER"
              },
              {
                "name": "riid",
                "value": "ECF31D61-E474-453C-BEE7-DE68E441C6D0"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 4856
          },
          {
            "timestamp": "2026-05-28 22:01:57,709",
            "thread_id": "612",
            "caller": "0x7ff6c28de5de",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc729df000"
              },
              {
                "name": "ModuleName",
                "value": "propsys.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 4857
          },
          {
            "timestamp": "2026-05-28 22:01:57,709",
            "thread_id": "612",
            "caller": "0x7ff6c28de5de",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc729df000"
              },
              {
                "name": "ModuleName",
                "value": "propsys.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 4858
          },
          {
            "timestamp": "2026-05-28 22:01:57,709",
            "thread_id": "612",
            "caller": "0x7ff6c28de5de",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc77fd0000"
              }
            ],
            "repeated": 0,
            "id": 4859
          },
          {
            "timestamp": "2026-05-28 22:01:57,709",
            "thread_id": "612",
            "caller": "0x7ff6c28de5de",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc77fd0000"
              },
              {
                "name": "FunctionName",
                "value": "RtlDisownModuleHeapAllocation"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc7804fa30"
              }
            ],
            "repeated": 0,
            "id": 4860
          },
          {
            "timestamp": "2026-05-28 22:01:57,709",
            "thread_id": "612",
            "caller": "0x7ff6c28de5de",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "process",
            "api": "NtOpenSection",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000004"
              },
              {
                "name": "ObjectAttributes",
                "value": "Global\\C:*ProgramData*Microsoft*Windows*Caches*cversions.2"
              }
            ],
            "repeated": 0,
            "id": 4861
          },
          {
            "timestamp": "2026-05-28 22:01:57,709",
            "thread_id": "612",
            "caller": "0x7ff6c28de5de",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "process",
            "api": "NtOpenSection",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000004"
              },
              {
                "name": "ObjectAttributes",
                "value": "Local\\C:*ProgramData*Microsoft*Windows*Caches*cversions.2"
              }
            ],
            "repeated": 0,
            "id": 4862
          },
          {
            "timestamp": "2026-05-28 22:01:57,709",
            "thread_id": "612",
            "caller": "0x7ff6c28de5de",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "process",
            "api": "NtOpenSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x0000064c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000004"
              },
              {
                "name": "ObjectAttributes",
                "value": "Global\\C:*ProgramData*Microsoft*Windows*Caches*cversions.2.ro"
              }
            ],
            "repeated": 0,
            "id": 4863
          },
          {
            "timestamp": "2026-05-28 22:01:57,709",
            "thread_id": "612",
            "caller": "0x7ff6c28de5de",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x0000064c"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29253f50000"
              },
              {
                "name": "SectionOffset",
                "value": "0xf09dffced0"
              },
              {
                "name": "ViewSize",
                "value": "0x00004000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 4864
          },
          {
            "timestamp": "2026-05-28 22:01:57,709",
            "thread_id": "612",
            "caller": "0x7ff6c28de5de",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "process",
            "api": "NtOpenSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000638"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000004"
              },
              {
                "name": "ObjectAttributes",
                "value": "Global\\C:*ProgramData*Microsoft*Windows*Caches*{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0000000000000001.db"
              }
            ],
            "repeated": 0,
            "id": 4865
          },
          {
            "timestamp": "2026-05-28 22:01:57,709",
            "thread_id": "612",
            "caller": "0x7ff6c28de5de",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000638"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254530000"
              },
              {
                "name": "SectionOffset",
                "value": "0xf09dffde30"
              },
              {
                "name": "ViewSize",
                "value": "0x00049000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 4866
          },
          {
            "timestamp": "2026-05-28 22:01:57,709",
            "thread_id": "612",
            "caller": "0x7ff6c28de5de",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc729df000"
              },
              {
                "name": "ModuleName",
                "value": "propsys.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 4867
          },
          {
            "timestamp": "2026-05-28 22:01:57,709",
            "thread_id": "612",
            "caller": "0x7ff6c28de5de",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc729df000"
              },
              {
                "name": "ModuleName",
                "value": "propsys.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 4868
          },
          {
            "timestamp": "2026-05-28 22:01:57,709",
            "thread_id": "612",
            "caller": "0x7ff6c28de5de",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\SysWOW64\\propsys.dll"
              }
            ],
            "repeated": 0,
            "id": 4869
          },
          {
            "timestamp": "2026-05-28 22:01:57,709",
            "thread_id": "5448",
            "caller": "0x7ff6c28c53e5",
            "parentcaller": "0x7ff6c28c3945",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000644"
              },
              {
                "name": "BaseAddress",
                "value": "0x7f24d8d000"
              },
              {
                "name": "Size",
                "value": "0x000007c8"
              },
              {
                "name": "Buffer",
                "value": "\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x006\\x80\\xf7\\x7f\\x00\\x00\\xc0\\xc4\\x13x\\xfc\\x7f\\x00\\x00\\xf02\\xc0.m\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb5.m\\x02\\x00\\x00\\xe0\\xc0\\x13x\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00p\\x003v\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb0.m\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00@\\xc4\\x13x\\xfc\\x7f\\x00\\x00\\xff\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xa4\\xfc\\xf4}\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00P\\x07\\xa4\\xfc\\xf4}\\x00\\x00\\x00\\x00\\xb8\\xfe\\xf5}\\x00\\x00(\\x02\\xb9\\xfe\\xf5}\\x00\\x00P\\x06\\xba\\xfe\\xf5}\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x80\\x9b\\x07m\\xe8\\xff\\xff\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x00 \\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x10\\x00\\x00\\x00@\\xad\\x13x\\xfc\\x7f\\x00\\x00\\x00\\x00\r/m\\x02\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 4870
          },
          {
            "timestamp": "2026-05-28 22:01:57,709",
            "thread_id": "612",
            "caller": "0x7ff6c28de5de",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "filesystem",
            "api": "NtQueryFullAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\SysWOW64\\propsys.dll"
              }
            ],
            "repeated": 0,
            "id": 4871
          },
          {
            "timestamp": "2026-05-28 22:01:57,709",
            "thread_id": "5448",
            "caller": "0x7ff6c28c4764",
            "parentcaller": "0x7ff6c28c375e",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "39"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 4872
          },
          {
            "timestamp": "2026-05-28 22:01:57,709",
            "thread_id": "5448",
            "caller": "0x7ff6c28c47ed",
            "parentcaller": "0x7ff6c28c375e",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "39"
              },
              {
                "name": "TokenInformation",
                "value": "\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00P:\\x1dT\\x92\\x02\\x00\\x00 \\x00 \\x00\\x00\\x00\\x00\\x00x:\\x1dT\\x92\\x02\\x00\\x00\\x02\\x00\\x00\\x00A\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x98:\\x1dT\\x92\\x02\\x00\\x00T\\x00S\\x00A\\x00:\\x00/\\x00/\\x00P\\x00r\\x00o\\x00c\\x00U\\x00n\\x00i\\x00q\\x00u\\x00e\\x00\\x16\\x00\\x00\\x00\\x00\\x00\\x00\\x00-\\xe1\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 4873
          },
          {
            "timestamp": "2026-05-28 22:01:57,709",
            "thread_id": "612",
            "caller": "0x7ff6c28de5de",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "filesystem",
            "api": "NtQueryFullAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\propsys.dll"
              }
            ],
            "repeated": 0,
            "id": 4874
          },
          {
            "timestamp": "2026-05-28 22:01:57,709",
            "thread_id": "612",
            "caller": "0x7ff6c28de5de",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "process",
            "api": "NtOpenSection",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000004"
              },
              {
                "name": "ObjectAttributes",
                "value": "Global\\C:*ProgramData*Microsoft*Windows*Caches*cversions.2"
              }
            ],
            "repeated": 0,
            "id": 4875
          },
          {
            "timestamp": "2026-05-28 22:01:57,709",
            "thread_id": "612",
            "caller": "0x7ff6c28de5de",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "process",
            "api": "NtOpenSection",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000004"
              },
              {
                "name": "ObjectAttributes",
                "value": "Local\\C:*ProgramData*Microsoft*Windows*Caches*cversions.2"
              }
            ],
            "repeated": 0,
            "id": 4876
          },
          {
            "timestamp": "2026-05-28 22:01:57,709",
            "thread_id": "612",
            "caller": "0x7ff6c28de5de",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "process",
            "api": "NtOpenSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000664"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000004"
              },
              {
                "name": "ObjectAttributes",
                "value": "Global\\C:*ProgramData*Microsoft*Windows*Caches*cversions.2.ro"
              }
            ],
            "repeated": 0,
            "id": 4877
          },
          {
            "timestamp": "2026-05-28 22:01:57,709",
            "thread_id": "612",
            "caller": "0x7ff6c28de5de",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000664"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x292544e0000"
              },
              {
                "name": "SectionOffset",
                "value": "0xf09dffcf80"
              },
              {
                "name": "ViewSize",
                "value": "0x00004000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 4878
          },
          {
            "timestamp": "2026-05-28 22:01:57,709",
            "thread_id": "612",
            "caller": "0x7ff6c28de5de",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "process",
            "api": "NtOpenSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000668"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000004"
              },
              {
                "name": "ObjectAttributes",
                "value": "Global\\C:*ProgramData*Microsoft*Windows*Caches*{DDF571F2-BE98-426D-8288-1A9A39C3FDA2}.2.ver0x0000000000000001.db"
              }
            ],
            "repeated": 0,
            "id": 4879
          },
          {
            "timestamp": "2026-05-28 22:01:57,709",
            "thread_id": "612",
            "caller": "0x7ff6c28de5de",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000668"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254580000"
              },
              {
                "name": "SectionOffset",
                "value": "0xf09dffdee0"
              },
              {
                "name": "ViewSize",
                "value": "0x0009c000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 4880
          },
          {
            "timestamp": "2026-05-28 22:01:57,709",
            "thread_id": "612",
            "caller": "0x7ff6c28de5de",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\SysWOW64\\propsys.dll"
              }
            ],
            "repeated": 1,
            "id": 4881
          },
          {
            "timestamp": "2026-05-28 22:01:57,709",
            "thread_id": "612",
            "caller": "0x7ff6c28de5de",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "filesystem",
            "api": "NtQueryFullAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\propsys.dll"
              }
            ],
            "repeated": 0,
            "id": 4882
          },
          {
            "timestamp": "2026-05-28 22:01:57,709",
            "thread_id": "612",
            "caller": "0x7ff6c28de5de",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "registry",
            "api": "NtOpenKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\en-US"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\en-US"
              }
            ],
            "repeated": 0,
            "id": 4883
          },
          {
            "timestamp": "2026-05-28 22:01:57,709",
            "thread_id": "612",
            "caller": "0x7ff6c28de5de",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x0000066c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100001",
                "pretty_value": "FILE_READ_ACCESS|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\en-US\\propsys.dll.mui"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 4884
          },
          {
            "timestamp": "2026-05-28 22:01:57,709",
            "thread_id": "612",
            "caller": "0x7ff6c28de5de",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000670"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x0000066c"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\en-US\\propsys.dll.mui"
              }
            ],
            "repeated": 0,
            "id": 4885
          },
          {
            "timestamp": "2026-05-28 22:01:57,709",
            "thread_id": "612",
            "caller": "0x7ff6c28de5de",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000670"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254620000"
              },
              {
                "name": "SectionOffset",
                "value": "0xf09dffcae0"
              },
              {
                "name": "ViewSize",
                "value": "0x00010000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 4886
          },
          {
            "timestamp": "2026-05-28 22:01:57,709",
            "thread_id": "612",
            "caller": "0x7ff6c28de5de",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000670"
              }
            ],
            "repeated": 0,
            "id": 4887
          },
          {
            "timestamp": "2026-05-28 22:01:57,709",
            "thread_id": "612",
            "caller": "0x7ff6c28de5de",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer"
              },
              {
                "name": "Handle",
                "value": "0x00000670"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer"
              }
            ],
            "repeated": 0,
            "id": 4888
          },
          {
            "timestamp": "2026-05-28 22:01:57,709",
            "thread_id": "612",
            "caller": "0x7ff6c28de5de",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000670"
              },
              {
                "name": "ValueName",
                "value": "AllowFileCLSIDJunctions"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\AllowFileCLSIDJunctions"
              }
            ],
            "repeated": 0,
            "id": 4889
          },
          {
            "timestamp": "2026-05-28 22:01:57,709",
            "thread_id": "612",
            "caller": "0x7ff6c28de5de",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000670"
              }
            ],
            "repeated": 0,
            "id": 4890
          },
          {
            "timestamp": "2026-05-28 22:01:57,709",
            "thread_id": "612",
            "caller": "0x7ff6c28de5de",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000001",
                "pretty_value": "HKEY_CURRENT_USER"
              },
              {
                "name": "SubKey",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer"
              }
            ],
            "repeated": 0,
            "id": 4891
          },
          {
            "timestamp": "2026-05-28 22:01:57,709",
            "thread_id": "612",
            "caller": "0x7ff6c28de5de",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x00000670"
              }
            ],
            "repeated": 0,
            "id": 4892
          },
          {
            "timestamp": "2026-05-28 22:01:57,709",
            "thread_id": "612",
            "caller": "0x7ff6c28de5de",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "18"
              },
              {
                "name": "TokenInformation",
                "value": "\\x01\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 4893
          },
          {
            "timestamp": "2026-05-28 22:01:57,709",
            "thread_id": "612",
            "caller": "0x7ff6c28de5de",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "20"
              },
              {
                "name": "TokenInformation",
                "value": "\\x01\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 4894
          },
          {
            "timestamp": "2026-05-28 22:01:57,709",
            "thread_id": "612",
            "caller": "0x7ff6c28de5de",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000670"
              }
            ],
            "repeated": 0,
            "id": 4895
          },
          {
            "timestamp": "2026-05-28 22:01:57,709",
            "thread_id": "612",
            "caller": "0x7ff6c28de5de",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000000",
                "pretty_value": "HKEY_CLASSES_ROOT"
              },
              {
                "name": "SubKey",
                "value": ".exe"
              },
              {
                "name": "Handle",
                "value": "0x00000672"
              },
              {
                "name": "FullName",
                "value": "HKEY_CLASSES_ROOT\\.exe"
              }
            ],
            "repeated": 0,
            "id": 4896
          },
          {
            "timestamp": "2026-05-28 22:01:57,709",
            "thread_id": "612",
            "caller": "0x7ff6c28de5de",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000672"
              },
              {
                "name": "ValueName",
                "value": ""
              },
              {
                "name": "Data",
                "value": "exefile"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.exe\\(Default)"
              }
            ],
            "repeated": 0,
            "id": 4897
          },
          {
            "timestamp": "2026-05-28 22:01:57,709",
            "thread_id": "612",
            "caller": "0x7ff6c28de5de",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000000",
                "pretty_value": "HKEY_CLASSES_ROOT"
              },
              {
                "name": "SubKey",
                "value": "exefile"
              },
              {
                "name": "Handle",
                "value": "0x00000676"
              },
              {
                "name": "FullName",
                "value": "HKEY_CLASSES_ROOT\\exefile"
              }
            ],
            "repeated": 0,
            "id": 4898
          },
          {
            "timestamp": "2026-05-28 22:01:57,709",
            "thread_id": "612",
            "caller": "0x7ff6c28de5de",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000676"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\exefile"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 4899
          },
          {
            "timestamp": "2026-05-28 22:01:57,709",
            "thread_id": "612",
            "caller": "0x7ff6c28de5de",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000676"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 4900
          },
          {
            "timestamp": "2026-05-28 22:01:57,709",
            "thread_id": "612",
            "caller": "0x7ff6c28de5de",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xf0\\xd9\\xff\\x9d\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xfc\\x7f\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\xe9\\x03\\x00\\x00\\xfc\\x7f\\x00\\x00\\xb8\\xcf\\xd93\\xfc\\x7f\\x00\\x00v\\x06\\x00\\x00\\x00\\x00\\x00\\x00\\xe0\\xd2\\xd93\\xfc\\x7f\\x00\\x00\\x04\\x00\\x00\\x00\\xf0\\x00\\x00\\x00\\xf0\\xda\\xff\\x9d\\xf0\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 4901
          },
          {
            "timestamp": "2026-05-28 22:01:57,709",
            "thread_id": "612",
            "caller": "0x7ff6c28de5de",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3968686040-3210279463-847977608-1001_Classes\\exefile\\CurVer"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\exefile\\CurVer"
              }
            ],
            "repeated": 0,
            "id": 4902
          },
          {
            "timestamp": "2026-05-28 22:01:57,709",
            "thread_id": "612",
            "caller": "0x7ff6c28de5de",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000676"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 4903
          },
          {
            "timestamp": "2026-05-28 22:01:57,709",
            "thread_id": "612",
            "caller": "0x7ff6c28de5de",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000676"
              },
              {
                "name": "ObjectAttributesName",
                "value": "CurVer"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\exefile\\CurVer"
              }
            ],
            "repeated": 0,
            "id": 4904
          },
          {
            "timestamp": "2026-05-28 22:01:57,709",
            "thread_id": "612",
            "caller": "0x7ff6c28de5de",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000676"
              },
              {
                "name": "SubKey",
                "value": ""
              },
              {
                "name": "Handle",
                "value": "0x0000067a"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\exefile\\"
              }
            ],
            "repeated": 0,
            "id": 4905
          },
          {
            "timestamp": "2026-05-28 22:01:57,709",
            "thread_id": "612",
            "caller": "0x7ff6c28de5de",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000676"
              }
            ],
            "repeated": 0,
            "id": 4906
          },
          {
            "timestamp": "2026-05-28 22:01:57,709",
            "thread_id": "612",
            "caller": "0x7ff6c28de5de",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x0000067a"
              },
              {
                "name": "SubKey",
                "value": "ShellEx\\IconHandler"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\exefile\\ShellEx\\IconHandler"
              }
            ],
            "repeated": 0,
            "id": 4907
          },
          {
            "timestamp": "2026-05-28 22:01:57,709",
            "thread_id": "612",
            "caller": "0x7ff6c28de5de",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000000",
                "pretty_value": "HKEY_CLASSES_ROOT"
              },
              {
                "name": "SubKey",
                "value": "SystemFileAssociations\\.exe"
              },
              {
                "name": "Handle",
                "value": "0x00000676"
              },
              {
                "name": "FullName",
                "value": "HKEY_CLASSES_ROOT\\SystemFileAssociations\\.exe"
              }
            ],
            "repeated": 0,
            "id": 4908
          },
          {
            "timestamp": "2026-05-28 22:01:57,709",
            "thread_id": "612",
            "caller": "0x7ff6c28de5de",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000676"
              },
              {
                "name": "SubKey",
                "value": "ShellEx\\IconHandler"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\SystemFileAssociations\\.exe\\ShellEx\\IconHandler"
              }
            ],
            "repeated": 0,
            "id": 4909
          },
          {
            "timestamp": "2026-05-28 22:01:57,709",
            "thread_id": "612",
            "caller": "0x7ff6c28de5de",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000067a"
              },
              {
                "name": "ValueName",
                "value": "DocObject"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\exefile\\DocObject"
              }
            ],
            "repeated": 0,
            "id": 4910
          },
          {
            "timestamp": "2026-05-28 22:01:57,709",
            "thread_id": "612",
            "caller": "0x7ff6c28de5de",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x0000067a"
              },
              {
                "name": "SubKey",
                "value": "DocObject"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\exefile\\DocObject"
              }
            ],
            "repeated": 0,
            "id": 4911
          },
          {
            "timestamp": "2026-05-28 22:01:57,709",
            "thread_id": "612",
            "caller": "0x7ff6c28de5de",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000676"
              },
              {
                "name": "ValueName",
                "value": "DocObject"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\SystemFileAssociations\\.exe\\DocObject"
              }
            ],
            "repeated": 0,
            "id": 4912
          },
          {
            "timestamp": "2026-05-28 22:01:57,709",
            "thread_id": "612",
            "caller": "0x7ff6c28de5de",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000676"
              },
              {
                "name": "SubKey",
                "value": "DocObject"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\SystemFileAssociations\\.exe\\DocObject"
              }
            ],
            "repeated": 0,
            "id": 4913
          },
          {
            "timestamp": "2026-05-28 22:01:57,709",
            "thread_id": "612",
            "caller": "0x7ff6c28de5de",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000067a"
              },
              {
                "name": "ValueName",
                "value": "BrowseInPlace"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\exefile\\BrowseInPlace"
              }
            ],
            "repeated": 0,
            "id": 4914
          },
          {
            "timestamp": "2026-05-28 22:01:57,709",
            "thread_id": "612",
            "caller": "0x7ff6c28de5de",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x0000067a"
              },
              {
                "name": "SubKey",
                "value": "BrowseInPlace"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\exefile\\BrowseInPlace"
              }
            ],
            "repeated": 0,
            "id": 4915
          },
          {
            "timestamp": "2026-05-28 22:01:57,709",
            "thread_id": "612",
            "caller": "0x7ff6c28de5de",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000676"
              },
              {
                "name": "ValueName",
                "value": "BrowseInPlace"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\SystemFileAssociations\\.exe\\BrowseInPlace"
              }
            ],
            "repeated": 0,
            "id": 4916
          },
          {
            "timestamp": "2026-05-28 22:01:57,709",
            "thread_id": "612",
            "caller": "0x7ff6c28de5de",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000676"
              },
              {
                "name": "SubKey",
                "value": "BrowseInPlace"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\SystemFileAssociations\\.exe\\BrowseInPlace"
              }
            ],
            "repeated": 0,
            "id": 4917
          },
          {
            "timestamp": "2026-05-28 22:01:57,709",
            "thread_id": "612",
            "caller": "0x7ff6c28de5de",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000672"
              },
              {
                "name": "ValueName",
                "value": "Content Type"
              },
              {
                "name": "Data",
                "value": "application/x-msdownload"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.exe\\Content Type"
              }
            ],
            "repeated": 0,
            "id": 4918
          },
          {
            "timestamp": "2026-05-28 22:01:57,709",
            "thread_id": "612",
            "caller": "0x7ff6c28de5de",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x0000067a"
              },
              {
                "name": "SubKey",
                "value": "Clsid"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\exefile\\Clsid"
              }
            ],
            "repeated": 0,
            "id": 4919
          },
          {
            "timestamp": "2026-05-28 22:01:57,709",
            "thread_id": "612",
            "caller": "0x7ff6c28de5de",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000676"
              },
              {
                "name": "SubKey",
                "value": "Clsid"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\SystemFileAssociations\\.exe\\Clsid"
              }
            ],
            "repeated": 0,
            "id": 4920
          },
          {
            "timestamp": "2026-05-28 22:01:57,709",
            "thread_id": "612",
            "caller": "0x7ff6c28de5de",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000067a"
              },
              {
                "name": "ValueName",
                "value": "IsShortcut"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\exefile\\IsShortcut"
              }
            ],
            "repeated": 0,
            "id": 4921
          },
          {
            "timestamp": "2026-05-28 22:01:57,709",
            "thread_id": "612",
            "caller": "0x7ff6c28de5de",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000676"
              },
              {
                "name": "ValueName",
                "value": "IsShortcut"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\SystemFileAssociations\\.exe\\IsShortcut"
              }
            ],
            "repeated": 0,
            "id": 4922
          },
          {
            "timestamp": "2026-05-28 22:01:57,709",
            "thread_id": "612",
            "caller": "0x7ff6c28de5de",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000067a"
              },
              {
                "name": "ValueName",
                "value": "AlwaysShowExt"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\exefile\\AlwaysShowExt"
              }
            ],
            "repeated": 0,
            "id": 4923
          },
          {
            "timestamp": "2026-05-28 22:01:57,709",
            "thread_id": "612",
            "caller": "0x7ff6c28de5de",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000676"
              },
              {
                "name": "ValueName",
                "value": "AlwaysShowExt"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\SystemFileAssociations\\.exe\\AlwaysShowExt"
              }
            ],
            "repeated": 0,
            "id": 4924
          },
          {
            "timestamp": "2026-05-28 22:01:57,709",
            "thread_id": "612",
            "caller": "0x7ff6c28de5de",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000067a"
              },
              {
                "name": "ValueName",
                "value": "NeverShowExt"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\exefile\\NeverShowExt"
              }
            ],
            "repeated": 0,
            "id": 4925
          },
          {
            "timestamp": "2026-05-28 22:01:57,709",
            "thread_id": "5448",
            "caller": "0x7ff6c28c05ac",
            "parentcaller": "0x7ff6c28bdc11",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000644"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001400",
                "pretty_value": "PROCESS_QUERY_INFORMATION|PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "1144"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\System32\\svchost.exe"
              }
            ],
            "repeated": 0,
            "id": 4926
          },
          {
            "timestamp": "2026-05-28 22:01:57,709",
            "thread_id": "612",
            "caller": "0x7ff6c28de5de",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000676"
              },
              {
                "name": "ValueName",
                "value": "NeverShowExt"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\SystemFileAssociations\\.exe\\NeverShowExt"
              }
            ],
            "repeated": 0,
            "id": 4927
          },
          {
            "timestamp": "2026-05-28 22:01:57,709",
            "thread_id": "5448",
            "caller": "0x7ff6c28c068f",
            "parentcaller": "0x7ff6c28bdc11",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000644"
              }
            ],
            "repeated": 0,
            "id": 4928
          },
          {
            "timestamp": "2026-05-28 22:01:57,709",
            "thread_id": "612",
            "caller": "0x7ff6c28de5de",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000672"
              }
            ],
            "repeated": 0,
            "id": 4929
          },
          {
            "timestamp": "2026-05-28 22:01:57,709",
            "thread_id": "612",
            "caller": "0x7ff6c28de5de",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000067a"
              }
            ],
            "repeated": 0,
            "id": 4930
          },
          {
            "timestamp": "2026-05-28 22:01:57,709",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c3e56",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000644"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001000",
                "pretty_value": "PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "1144"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\System32\\svchost.exe"
              }
            ],
            "repeated": 0,
            "id": 4931
          },
          {
            "timestamp": "2026-05-28 22:01:57,709",
            "thread_id": "5448",
            "caller": "0x7ff6c28c3ebb",
            "parentcaller": "0x7ff6c28c2d53",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000644"
              }
            ],
            "repeated": 0,
            "id": 4932
          },
          {
            "timestamp": "2026-05-28 22:01:57,709",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c3ffc",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000644"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001000",
                "pretty_value": "PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "1144"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\System32\\svchost.exe"
              }
            ],
            "repeated": 0,
            "id": 4933
          },
          {
            "timestamp": "2026-05-28 22:01:57,709",
            "thread_id": "612",
            "caller": "0x7ff6c296e129",
            "parentcaller": "0x7ff6c296d3aa",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Users\\admin\\AppData\\Local\\Microsoft\\WindowsApps\\python.exe"
              }
            ],
            "repeated": 0,
            "id": 4934
          },
          {
            "timestamp": "2026-05-28 22:01:57,709",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29254630002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\System32\\svchost.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 4935
          },
          {
            "timestamp": "2026-05-28 22:01:57,709",
            "thread_id": "612",
            "caller": "0x7ff6c290bbeb",
            "parentcaller": "0x7ff6c296c7b4",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Users\\admin\\AppData\\Local\\Microsoft\\WindowsApps\\python.exe"
              }
            ],
            "repeated": 0,
            "id": 4936
          },
          {
            "timestamp": "2026-05-28 22:01:57,709",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000644"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100001",
                "pretty_value": "FILE_READ_ACCESS|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\en-US\\svchost.exe.mui"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 4937
          },
          {
            "timestamp": "2026-05-28 22:01:57,709",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": false,
            "return": "0xffffffffc0000279",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Users\\admin\\AppData\\Local\\Microsoft\\WindowsApps\\python.exe"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "1",
                "pretty_value": "FILE_SHARE_READ"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000080",
                "pretty_value": "FILE_ATTRIBUTE_NORMAL"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 4938
          },
          {
            "timestamp": "2026-05-28 22:01:57,709",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254630000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              }
            ],
            "repeated": 0,
            "id": 4939
          },
          {
            "timestamp": "2026-05-28 22:01:57,709",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 4940
          },
          {
            "timestamp": "2026-05-28 22:01:57,709",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\svchost.exe"
              }
            ],
            "repeated": 0,
            "id": 4941
          },
          {
            "timestamp": "2026-05-28 22:01:57,709",
            "thread_id": "612",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000678"
              },
              {
                "name": "ValueName",
                "value": "Generation"
              },
              {
                "name": "Data",
                "value": "1"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{528c102f-0000-0000-0000-300300000000}\\Generation"
              }
            ],
            "repeated": 0,
            "id": 4942
          },
          {
            "timestamp": "2026-05-28 22:01:57,709",
            "thread_id": "612",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000678"
              }
            ],
            "repeated": 0,
            "id": 4943
          },
          {
            "timestamp": "2026-05-28 22:01:57,709",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000644"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\svchost.exe"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 4944
          },
          {
            "timestamp": "2026-05-28 22:01:57,709",
            "thread_id": "612",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": false,
            "return": "0xffffffffc000000d",
            "pretty_return": "INVALID_PARAMETER",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000678"
              },
              {
                "name": "HandleName",
                "value": "C:\\"
              },
              {
                "name": "FileInformationClass",
                "value": "55",
                "pretty_value": "FileReplaceCompletionInformation"
              },
              {
                "name": "FileInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 4945
          },
          {
            "timestamp": "2026-05-28 22:01:57,709",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000658"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000005",
                "pretty_value": "SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000644"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\svchost.exe"
              }
            ],
            "repeated": 0,
            "id": 4946
          },
          {
            "timestamp": "2026-05-28 22:01:57,709",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x40000003",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000658"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254630000"
              },
              {
                "name": "SectionOffset",
                "value": "0x00000000"
              },
              {
                "name": "ViewSize",
                "value": "0x00010000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 4947
          },
          {
            "timestamp": "2026-05-28 22:01:57,709",
            "thread_id": "612",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000678"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100081",
                "pretty_value": "FILE_READ_ACCESS|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Users"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 4948
          },
          {
            "timestamp": "2026-05-28 22:01:57,709",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "registry",
            "api": "NtOpenKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\en-US"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\en-US"
              }
            ],
            "repeated": 0,
            "id": 4949
          },
          {
            "timestamp": "2026-05-28 22:01:57,709",
            "thread_id": "612",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": false,
            "return": "0xffffffffc000000d",
            "pretty_return": "INVALID_PARAMETER",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000678"
              },
              {
                "name": "HandleName",
                "value": "C:\\Users"
              },
              {
                "name": "FileInformationClass",
                "value": "55",
                "pretty_value": "FileReplaceCompletionInformation"
              },
              {
                "name": "FileInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 4950
          },
          {
            "timestamp": "2026-05-28 22:01:57,709",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000644"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100001",
                "pretty_value": "FILE_READ_ACCESS|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\en-US\\svchost.exe.mui"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 4951
          },
          {
            "timestamp": "2026-05-28 22:01:57,709",
            "thread_id": "612",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000678"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100081",
                "pretty_value": "FILE_READ_ACCESS|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Users\\admin"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 4952
          },
          {
            "timestamp": "2026-05-28 22:01:57,709",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000658"
              }
            ],
            "repeated": 0,
            "id": 4953
          },
          {
            "timestamp": "2026-05-28 22:01:57,709",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254640000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              }
            ],
            "repeated": 0,
            "id": 4954
          },
          {
            "timestamp": "2026-05-28 22:01:57,709",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254630000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              }
            ],
            "repeated": 0,
            "id": 4955
          },
          {
            "timestamp": "2026-05-28 22:01:57,709",
            "thread_id": "612",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": false,
            "return": "0xffffffffc000000d",
            "pretty_return": "INVALID_PARAMETER",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000678"
              },
              {
                "name": "HandleName",
                "value": "C:\\Users\\admin"
              },
              {
                "name": "FileInformationClass",
                "value": "55",
                "pretty_value": "FileReplaceCompletionInformation"
              },
              {
                "name": "FileInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 4956
          },
          {
            "timestamp": "2026-05-28 22:01:57,709",
            "thread_id": "612",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "filesystem",
            "api": "NtQueryDirectoryFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000678"
              },
              {
                "name": "FileInformation",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00R \\xd6\\x9c\\xb6\\xee\\xdc\\x01\\x97\\xf5\\xb7\\xc2\\xea\\xee\\xdc\\x01n\\xbc\\xe2\\x9c\\xb6\\xee\\xdc\\x01n\\xbc\\xe2\\x9c\\xb6\\xee\\xdc\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x12\\x00\\x00\\x00\\x0e\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x1c\\xa5\\x01\\x00\\x00\\x00\\x03\\x00A\\x00p\\x00p\\x00D\\x00a\\x00t\\x00a\\x00"
              },
              {
                "name": "FileName",
                "value": "C:\\Users\\admin\\AppData"
              },
              {
                "name": "FileInformationClass",
                "value": "37",
                "pretty_value": "FileIdBothDirectoryInformation"
              }
            ],
            "repeated": 0,
            "id": 4957
          },
          {
            "timestamp": "2026-05-28 22:01:57,709",
            "thread_id": "612",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000678"
              }
            ],
            "repeated": 0,
            "id": 4958
          },
          {
            "timestamp": "2026-05-28 22:01:57,709",
            "thread_id": "612",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000678"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100081",
                "pretty_value": "FILE_READ_ACCESS|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Users\\admin\\AppData"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 4959
          },
          {
            "timestamp": "2026-05-28 22:01:57,709",
            "thread_id": "612",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": false,
            "return": "0xffffffffc000000d",
            "pretty_return": "INVALID_PARAMETER",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000678"
              },
              {
                "name": "HandleName",
                "value": "C:\\Users\\admin\\AppData"
              },
              {
                "name": "FileInformationClass",
                "value": "55",
                "pretty_value": "FileReplaceCompletionInformation"
              },
              {
                "name": "FileInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 4960
          },
          {
            "timestamp": "2026-05-28 22:01:57,709",
            "thread_id": "612",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "filesystem",
            "api": "NtQueryDirectoryFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000678"
              },
              {
                "name": "FileInformation",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\\\xbd\\xd6\\x9c\\xb6\\xee\\xdc\\x01\\xe8\\x93\\x17\\xc5\\xea\\xee\\xdc\\x01\\xde\\x8d\\x85=\\x02\\xef\\xdc\\x01\\xde\\x8d\\x85=\\x02\\xef\\xdc\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\n\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x001\\xa6\\x01\\x00\\x00\\x00\\x02\\x00L\\x00o\\x00c\\x00a\\x00l\\x00"
              },
              {
                "name": "FileName",
                "value": "C:\\Users\\admin\\AppData\\Local"
              },
              {
                "name": "FileInformationClass",
                "value": "37",
                "pretty_value": "FileIdBothDirectoryInformation"
              }
            ],
            "repeated": 0,
            "id": 4961
          },
          {
            "timestamp": "2026-05-28 22:01:57,709",
            "thread_id": "612",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000678"
              }
            ],
            "repeated": 0,
            "id": 4962
          },
          {
            "timestamp": "2026-05-28 22:01:57,709",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c38f8",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000644"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001410",
                "pretty_value": "PROCESS_VM_READ|PROCESS_QUERY_INFORMATION|PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "1144"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\System32\\svchost.exe"
              }
            ],
            "repeated": 0,
            "id": 4963
          },
          {
            "timestamp": "2026-05-28 22:01:57,709",
            "thread_id": "612",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000678"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100081",
                "pretty_value": "FILE_READ_ACCESS|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Users\\admin\\AppData\\Local"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 4964
          },
          {
            "timestamp": "2026-05-28 22:01:57,709",
            "thread_id": "5448",
            "caller": "0x7ff6c28c472e",
            "parentcaller": "0x7ff6c28c375e",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000644"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x00000658"
              }
            ],
            "repeated": 0,
            "id": 4965
          },
          {
            "timestamp": "2026-05-28 22:01:57,709",
            "thread_id": "5448",
            "caller": "0x7ff6c28c4764",
            "parentcaller": "0x7ff6c28c375e",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "39"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 4966
          },
          {
            "timestamp": "2026-05-28 22:01:57,709",
            "thread_id": "5448",
            "caller": "0x7ff6c28c47ed",
            "parentcaller": "0x7ff6c28c375e",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "39"
              },
              {
                "name": "TokenInformation",
                "value": "\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00@&\\x1eT\\x92\\x02\\x00\\x00 \\x00 \\x00\\x00\\x00\\x00\\x00h&\\x1eT\\x92\\x02\\x00\\x00\\x02\\x00\\x00\\x00A\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x88&\\x1eT\\x92\\x02\\x00\\x00T\\x00S\\x00A\\x00:\\x00/\\x00/\\x00P\\x00r\\x00o\\x00c\\x00U\\x00n\\x00i\\x00q\\x00u\\x00e\\x00\\x18\\x00\\x00\\x00\\x00\\x00\\x00\\x00L\\xe7\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 4967
          },
          {
            "timestamp": "2026-05-28 22:01:57,709",
            "thread_id": "5448",
            "caller": "0x7ff6c28c488d",
            "parentcaller": "0x7ff6c28c375e",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000658"
              }
            ],
            "repeated": 0,
            "id": 4968
          },
          {
            "timestamp": "2026-05-28 22:01:57,709",
            "thread_id": "5448",
            "caller": "0x7ff6c28c3779",
            "parentcaller": "0x7ff6c28c31c6",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000644"
              }
            ],
            "repeated": 0,
            "id": 4969
          },
          {
            "timestamp": "2026-05-28 22:01:57,709",
            "thread_id": "612",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": false,
            "return": "0xffffffffc000000d",
            "pretty_return": "INVALID_PARAMETER",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000678"
              },
              {
                "name": "HandleName",
                "value": "C:\\Users\\admin\\AppData\\Local"
              },
              {
                "name": "FileInformationClass",
                "value": "55",
                "pretty_value": "FileReplaceCompletionInformation"
              },
              {
                "name": "FileInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 4970
          },
          {
            "timestamp": "2026-05-28 22:01:57,709",
            "thread_id": "612",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "filesystem",
            "api": "NtQueryDirectoryFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000678"
              },
              {
                "name": "FileInformation",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\\\xbd\\xd6\\x9c\\xb6\\xee\\xdc\\x01E\\xc5\\xeb\\xc5\\xea\\xee\\xdc\\x01\\x8d\\xff[\\xc0\\xb8\\xee\\xdc\\x01\\x8d\\xff[\\xc0\\xb8\\xee\\xdc\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x12\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00M\\x00I\\x00C\\x00R\\x00O\\x00S\\x00~\\x001\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x003\\xa6\\x01\\x00\\x00\\x00\\x02\\x00M\\x00i\\x00c\\x00r\\x00o\\x00s\\x00o\\x00f\\x00t\\x00"
              },
              {
                "name": "FileName",
                "value": "C:\\Users\\admin\\AppData\\Local\\Microsoft"
              },
              {
                "name": "FileInformationClass",
                "value": "37",
                "pretty_value": "FileIdBothDirectoryInformation"
              }
            ],
            "repeated": 0,
            "id": 4971
          },
          {
            "timestamp": "2026-05-28 22:01:57,709",
            "thread_id": "612",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000678"
              }
            ],
            "repeated": 0,
            "id": 4972
          },
          {
            "timestamp": "2026-05-28 22:01:57,709",
            "thread_id": "612",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000678"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100081",
                "pretty_value": "FILE_READ_ACCESS|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Users\\admin\\AppData\\Local\\Microsoft"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 4973
          },
          {
            "timestamp": "2026-05-28 22:01:57,709",
            "thread_id": "612",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": false,
            "return": "0xffffffffc000000d",
            "pretty_return": "INVALID_PARAMETER",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000678"
              },
              {
                "name": "HandleName",
                "value": "C:\\Users\\admin\\AppData\\Local\\Microsoft"
              },
              {
                "name": "FileInformationClass",
                "value": "55",
                "pretty_value": "FileReplaceCompletionInformation"
              },
              {
                "name": "FileInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 4974
          },
          {
            "timestamp": "2026-05-28 22:01:57,709",
            "thread_id": "612",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "filesystem",
            "api": "NtQueryDirectoryFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000678"
              },
              {
                "name": "FileInformation",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\\\xbd\\xd6\\x9c\\xb6\\xee\\xdc\\x01{\\x7f\\x9e$\\xeb\\xee\\xdc\\x01)S:q\\xb7\\xee\\xdc\\x01)S:q\\xb7\\xee\\xdc\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x14\\x00\\x00\\x00\\x16\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00W\\x00I\\x00N\\x00D\\x00O\\x00W\\x00~\\x001\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x004\\xa6\\x01\\x00\\x00\\x00\\x02\\x00W\\x00i\\x00n\\x00d\\x00o\\x00w\\x00s\\x00A\\x00p\\x00p\\x00s\\x00"
              },
              {
                "name": "FileName",
                "value": "C:\\Users\\admin\\AppData\\Local\\Microsoft\\WindowsApps"
              },
              {
                "name": "FileInformationClass",
                "value": "37",
                "pretty_value": "FileIdBothDirectoryInformation"
              }
            ],
            "repeated": 0,
            "id": 4975
          },
          {
            "timestamp": "2026-05-28 22:01:57,725",
            "thread_id": "612",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000678"
              }
            ],
            "repeated": 0,
            "id": 4976
          },
          {
            "timestamp": "2026-05-28 22:01:57,725",
            "thread_id": "612",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 4977
          },
          {
            "timestamp": "2026-05-28 22:01:57,725",
            "thread_id": "612",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000678"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100081",
                "pretty_value": "FILE_READ_ACCESS|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Users\\admin\\AppData\\Local\\Microsoft\\WindowsApps"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 4978
          },
          {
            "timestamp": "2026-05-28 22:01:57,725",
            "thread_id": "612",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": false,
            "return": "0xffffffffc000000d",
            "pretty_return": "INVALID_PARAMETER",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000678"
              },
              {
                "name": "HandleName",
                "value": "C:\\Users\\admin\\AppData\\Local\\Microsoft\\WindowsApps"
              },
              {
                "name": "FileInformationClass",
                "value": "55",
                "pretty_value": "FileReplaceCompletionInformation"
              },
              {
                "name": "FileInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 4979
          },
          {
            "timestamp": "2026-05-28 22:01:57,725",
            "thread_id": "612",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "filesystem",
            "api": "NtQueryDirectoryFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000678"
              },
              {
                "name": "FileInformation",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x9fI\\xbe\\xb1\\xb6\\xee\\xdc\\x01\\x19\\x048q\\xb7\\xee\\xdc\\x01\\x19\\x048q\\xb7\\xee\\xdc\\x01\\x19\\x048q\\xb7\\xee\\xdc\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00 \\x04\\x00\\x00\\x14\\x00\\x00\\x00\\x1b\\x00\\x00\\x80\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00H\\xa9\\x01\\x00\\x00\\x00\\x03\\x00p\\x00y\\x00t\\x00h\\x00o\\x00n\\x00.\\x00e\\x00x\\x00e\\x00"
              },
              {
                "name": "FileName",
                "value": "C:\\Users\\admin\\AppData\\Local\\Microsoft\\WindowsApps\\python.exe"
              },
              {
                "name": "FileInformationClass",
                "value": "37",
                "pretty_value": "FileIdBothDirectoryInformation"
              }
            ],
            "repeated": 0,
            "id": 4980
          },
          {
            "timestamp": "2026-05-28 22:01:57,725",
            "thread_id": "612",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000678"
              }
            ],
            "repeated": 0,
            "id": 4981
          },
          {
            "timestamp": "2026-05-28 22:01:57,725",
            "thread_id": "612",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 4982
          },
          {
            "timestamp": "2026-05-28 22:01:57,725",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000678"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000400",
                "pretty_value": "PROCESS_QUERY_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "7912"
              }
            ],
            "repeated": 0,
            "id": 4983
          },
          {
            "timestamp": "2026-05-28 22:01:57,725",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x00000674"
              }
            ],
            "repeated": 0,
            "id": 4984
          },
          {
            "timestamp": "2026-05-28 22:01:57,725",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xe0\\xe7\\xff\\x9d\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\xe9\\x03\\x00\\x00\\xfc\\x7f\\x00\\x00`^\\xe8S\\x92\\x02\\x00\\x00`\\xee\\xff\\x9d\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00t\\x00\\x00\\x00\\x00\\x00\\x00\\x00H\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 4985
          },
          {
            "timestamp": "2026-05-28 22:01:57,725",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "synchronization",
            "api": "NtCreateMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000670"
              },
              {
                "name": "MutexName",
                "value": "Global\\C::Users:admin:AppData:Local:Microsoft:Windows:Explorer:iconcache_idx.db!rwReaderRefs"
              },
              {
                "name": "InitialOwner",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 4986
          },
          {
            "timestamp": "2026-05-28 22:01:57,725",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000674"
              }
            ],
            "repeated": 0,
            "id": 4987
          },
          {
            "timestamp": "2026-05-28 22:01:57,725",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000678"
              }
            ],
            "repeated": 0,
            "id": 4988
          },
          {
            "timestamp": "2026-05-28 22:01:57,725",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000005d4"
              },
              {
                "name": "HandleName",
                "value": "C:\\Users\\admin\\AppData\\Local\\Microsoft\\Windows\\Explorer\\iconcache_idx.db"
              },
              {
                "name": "FileInformationClass",
                "value": "5",
                "pretty_value": "FileStandardInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\x00\\x80\\x00\\x00\\x00\\x00\\x00\\x000r\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 4989
          },
          {
            "timestamp": "2026-05-28 22:01:57,725",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000670"
              }
            ],
            "repeated": 0,
            "id": 4990
          },
          {
            "timestamp": "2026-05-28 22:01:57,725",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000670"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000400",
                "pretty_value": "PROCESS_QUERY_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "7912"
              }
            ],
            "repeated": 0,
            "id": 4991
          },
          {
            "timestamp": "2026-05-28 22:01:57,725",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x00000678"
              }
            ],
            "repeated": 0,
            "id": 4992
          },
          {
            "timestamp": "2026-05-28 22:01:57,725",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xf0\\xe7\\xff\\x9d\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\xe9\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xf0\\x05\\x00\\x00\\x00\\x00\\x00\\x00 \\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x02\\x00\\x00\\x00\\x00\\x00\\x00]\\xddmu\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00j\\x05'Ou\\xc0\\x00\\x00\\x88X\\x1cT\\x92\\x02\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 4993
          },
          {
            "timestamp": "2026-05-28 22:01:57,725",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "synchronization",
            "api": "NtCreateMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000674"
              },
              {
                "name": "MutexName",
                "value": "Global\\C::Users:admin:AppData:Local:Microsoft:Windows:Explorer:iconcache_idx.db!rwReaderRefs"
              },
              {
                "name": "InitialOwner",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 4994
          },
          {
            "timestamp": "2026-05-28 22:01:57,725",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000678"
              }
            ],
            "repeated": 0,
            "id": 4995
          },
          {
            "timestamp": "2026-05-28 22:01:57,725",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000670"
              }
            ],
            "repeated": 0,
            "id": 4996
          },
          {
            "timestamp": "2026-05-28 22:01:57,725",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000674"
              }
            ],
            "repeated": 0,
            "id": 4997
          },
          {
            "timestamp": "2026-05-28 22:01:57,725",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000090"
              },
              {
                "name": "ValueName",
                "value": "SafeProcessSearchMode"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Session Manager\\SafeProcessSearchMode"
              }
            ],
            "repeated": 0,
            "id": 4998
          },
          {
            "timestamp": "2026-05-28 22:01:57,725",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Users\\admin\\AppData\\Local\\microsoft\\windowsapps\\python.exe"
              }
            ],
            "repeated": 1,
            "id": 4999
          },
          {
            "timestamp": "2026-05-28 22:01:57,725",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": false,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "c:\\users\\admin\\appdata\\local\\microsoft\\windowsapps\\python.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 5000
          },
          {
            "timestamp": "2026-05-28 22:01:57,725",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": false,
            "return": "0xffffffffc0000279",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100180",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|FILE_WRITE_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Users\\admin\\AppData\\Local\\microsoft\\windowsapps\\python.exe"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "3",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000080",
                "pretty_value": "FILE_ATTRIBUTE_NORMAL"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 5001
          },
          {
            "timestamp": "2026-05-28 22:01:57,725",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": false,
            "return": "0xffffffffc0000279",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Users\\admin\\AppData\\Local\\microsoft\\windowsapps\\python.exe"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "1",
                "pretty_value": "FILE_SHARE_READ"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000080",
                "pretty_value": "FILE_ATTRIBUTE_NORMAL"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 5002
          },
          {
            "timestamp": "2026-05-28 22:01:57,725",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\imageres.dll"
              }
            ],
            "repeated": 1,
            "id": 5003
          },
          {
            "timestamp": "2026-05-28 22:01:57,725",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29254630002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\system32\\imageres.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 5004
          },
          {
            "timestamp": "2026-05-28 22:01:57,725",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "registry",
            "api": "NtOpenKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\en-US"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\en-US"
              }
            ],
            "repeated": 0,
            "id": 5005
          },
          {
            "timestamp": "2026-05-28 22:01:57,725",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000660"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100001",
                "pretty_value": "FILE_READ_ACCESS|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\en-US\\imageres.dll.mui"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 5006
          },
          {
            "timestamp": "2026-05-28 22:01:57,725",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000674"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000660"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\en-US\\imageres.dll.mui"
              }
            ],
            "repeated": 0,
            "id": 5007
          },
          {
            "timestamp": "2026-05-28 22:01:57,725",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000674"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254640000"
              },
              {
                "name": "SectionOffset",
                "value": "0xf09dffc770"
              },
              {
                "name": "ViewSize",
                "value": "0x00001000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 5008
          },
          {
            "timestamp": "2026-05-28 22:01:57,725",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000674"
              }
            ],
            "repeated": 0,
            "id": 5009
          },
          {
            "timestamp": "2026-05-28 22:01:57,725",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": false,
            "return": "0xffffffffc000003a",
            "pretty_return": "OBJECT_PATH_NOT_FOUND",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100001",
                "pretty_value": "FILE_READ_ACCESS|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\SystemResources\\imageres.dll.mui.mun"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 5010
          },
          {
            "timestamp": "2026-05-28 22:01:57,725",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000674"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100001",
                "pretty_value": "FILE_READ_ACCESS|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\SystemResources\\imageres.dll.mun"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 5011
          },
          {
            "timestamp": "2026-05-28 22:01:57,725",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000670"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000674"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\SystemResources\\imageres.dll.mun"
              }
            ],
            "repeated": 0,
            "id": 5012
          },
          {
            "timestamp": "2026-05-28 22:01:57,725",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000670"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254650000"
              },
              {
                "name": "SectionOffset",
                "value": "0xf09dffc720"
              },
              {
                "name": "ViewSize",
                "value": "0x013c0000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 5013
          },
          {
            "timestamp": "2026-05-28 22:01:57,725",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000670"
              }
            ],
            "repeated": 0,
            "id": 5014
          },
          {
            "timestamp": "2026-05-28 22:01:57,725",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "misc",
            "api": "FindResourceExW",
            "status": true,
            "return": "0x29254672e40",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29254630002"
              },
              {
                "name": "Type",
                "value": "#14"
              },
              {
                "name": "Name",
                "value": "#15"
              },
              {
                "name": "Language",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 5015
          },
          {
            "timestamp": "2026-05-28 22:01:57,725",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "misc",
            "api": "LoadResource",
            "status": true,
            "return": "0x292546e6950",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29254630002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29254672e40"
              }
            ],
            "repeated": 0,
            "id": 5016
          },
          {
            "timestamp": "2026-05-28 22:01:57,725",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "misc",
            "api": "FindResourceExW",
            "status": true,
            "return": "0x29254668940",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29254630002"
              },
              {
                "name": "Type",
                "value": "#3"
              },
              {
                "name": "Name",
                "value": "#63"
              },
              {
                "name": "Language",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 5017
          },
          {
            "timestamp": "2026-05-28 22:01:57,725",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "misc",
            "api": "SizeofResource",
            "status": true,
            "return": "0x00000468",
            "arguments": [
              {
                "name": "ModuleHandle",
                "value": "0x29254630002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29254668940"
              }
            ],
            "repeated": 0,
            "id": 5018
          },
          {
            "timestamp": "2026-05-28 22:01:57,725",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "misc",
            "api": "LoadResource",
            "status": true,
            "return": "0x292546e64e8",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29254630002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29254668940"
              }
            ],
            "repeated": 0,
            "id": 5019
          },
          {
            "timestamp": "2026-05-28 22:01:57,725",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254650000"
              },
              {
                "name": "RegionSize",
                "value": "0x013c0000"
              }
            ],
            "repeated": 0,
            "id": 5020
          },
          {
            "timestamp": "2026-05-28 22:01:57,725",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000674"
              }
            ],
            "repeated": 0,
            "id": 5021
          },
          {
            "timestamp": "2026-05-28 22:01:57,725",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254640000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              }
            ],
            "repeated": 0,
            "id": 5022
          },
          {
            "timestamp": "2026-05-28 22:01:57,725",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000660"
              }
            ],
            "repeated": 0,
            "id": 5023
          },
          {
            "timestamp": "2026-05-28 22:01:57,725",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254630000"
              },
              {
                "name": "RegionSize",
                "value": "0x00003000"
              }
            ],
            "repeated": 0,
            "id": 5024
          },
          {
            "timestamp": "2026-05-28 22:01:57,725",
            "thread_id": "612",
            "caller": "0x7ff6c296e129",
            "parentcaller": "0x7ff6c296c7fa",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Users\\admin\\AppData\\Local\\Microsoft\\WindowsApps\\python.exe"
              }
            ],
            "repeated": 0,
            "id": 5025
          },
          {
            "timestamp": "2026-05-28 22:01:57,725",
            "thread_id": "612",
            "caller": "0x7ff6c290bbeb",
            "parentcaller": "0x7ff6c296c7b4",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Users\\admin\\AppData\\Local\\Python\\pythoncore-3.14-64\\python.exe"
              }
            ],
            "repeated": 0,
            "id": 5026
          },
          {
            "timestamp": "2026-05-28 22:01:57,725",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29254630002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Users\\admin\\AppData\\Local\\Python\\pythoncore-3.14-64\\python.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 5027
          },
          {
            "timestamp": "2026-05-28 22:01:57,725",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254630000"
              },
              {
                "name": "RegionSize",
                "value": "0x0001a000"
              }
            ],
            "repeated": 0,
            "id": 5028
          },
          {
            "timestamp": "2026-05-28 22:01:57,725",
            "thread_id": "612",
            "caller": "0x7ff6c28c9b37",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29254630002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Users\\admin\\AppData\\Local\\Python\\pythoncore-3.14-64\\python.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 5029
          },
          {
            "timestamp": "2026-05-28 22:01:57,725",
            "thread_id": "612",
            "caller": "0x7ff6c28c9b37",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254630000"
              },
              {
                "name": "RegionSize",
                "value": "0x0001a000"
              }
            ],
            "repeated": 0,
            "id": 5030
          },
          {
            "timestamp": "2026-05-28 22:01:57,725",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000660"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000400",
                "pretty_value": "PROCESS_QUERY_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "7912"
              }
            ],
            "repeated": 0,
            "id": 5031
          },
          {
            "timestamp": "2026-05-28 22:01:57,725",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x00000674"
              }
            ],
            "repeated": 0,
            "id": 5032
          },
          {
            "timestamp": "2026-05-28 22:01:57,725",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xe0\\xe7\\xff\\x9d\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\xe9\\x03\\x00\\x00\\xfc\\x7f\\x00\\x00`^\\xe8S\\x92\\x02\\x00\\x00`\\xee\\xff\\x9d\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00u\\x00\\x00\\x00\\x00\\x00\\x00\\x00H\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 5033
          },
          {
            "timestamp": "2026-05-28 22:01:57,725",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "synchronization",
            "api": "NtCreateMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000670"
              },
              {
                "name": "MutexName",
                "value": "Global\\C::Users:admin:AppData:Local:Microsoft:Windows:Explorer:iconcache_idx.db!rwReaderRefs"
              },
              {
                "name": "InitialOwner",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 5034
          },
          {
            "timestamp": "2026-05-28 22:01:57,725",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000674"
              }
            ],
            "repeated": 0,
            "id": 5035
          },
          {
            "timestamp": "2026-05-28 22:01:57,725",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000660"
              }
            ],
            "repeated": 0,
            "id": 5036
          },
          {
            "timestamp": "2026-05-28 22:01:57,725",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000005d4"
              },
              {
                "name": "HandleName",
                "value": "C:\\Users\\admin\\AppData\\Local\\Microsoft\\Windows\\Explorer\\iconcache_idx.db"
              },
              {
                "name": "FileInformationClass",
                "value": "5",
                "pretty_value": "FileStandardInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\x00\\x80\\x00\\x00\\x00\\x00\\x00\\x000r\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 5037
          },
          {
            "timestamp": "2026-05-28 22:01:57,725",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000660"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000400",
                "pretty_value": "PROCESS_QUERY_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "7912"
              }
            ],
            "repeated": 0,
            "id": 5038
          },
          {
            "timestamp": "2026-05-28 22:01:57,725",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x00000674"
              }
            ],
            "repeated": 0,
            "id": 5039
          },
          {
            "timestamp": "2026-05-28 22:01:57,725",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xa0\\xe8\\xff\\x9d\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\xe9\\x03\\x00\\x00\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x19\\xeb\\xff\\x9d\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00T\\x82*_\\xfc\\x7f\\x00\\x004\\x006\\x000\\x00e\\x008\\x00\\x00\\x00\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x000\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x18\\xea\\xff\\x9d\\xf0\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 5040
          },
          {
            "timestamp": "2026-05-28 22:01:57,725",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "synchronization",
            "api": "NtCreateMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000678"
              },
              {
                "name": "MutexName",
                "value": "Global\\C::Users:admin:AppData:Local:Microsoft:Windows:Explorer:iconcache_idx.db!0460e8"
              },
              {
                "name": "InitialOwner",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 5041
          },
          {
            "timestamp": "2026-05-28 22:01:57,725",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000674"
              }
            ],
            "repeated": 0,
            "id": 5042
          },
          {
            "timestamp": "2026-05-28 22:01:57,725",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000660"
              }
            ],
            "repeated": 0,
            "id": 5043
          },
          {
            "timestamp": "2026-05-28 22:01:57,725",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000620"
              },
              {
                "name": "HandleName",
                "value": "C:\\Users\\admin\\AppData\\Local\\Microsoft\\Windows\\Explorer\\iconcache_16.db"
              },
              {
                "name": "FileInformationClass",
                "value": "5",
                "pretty_value": "FileStandardInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 5044
          },
          {
            "timestamp": "2026-05-28 22:01:57,725",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000670"
              }
            ],
            "repeated": 0,
            "id": 5045
          },
          {
            "timestamp": "2026-05-28 22:01:57,725",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000670"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000400",
                "pretty_value": "PROCESS_QUERY_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "7912"
              }
            ],
            "repeated": 0,
            "id": 5046
          },
          {
            "timestamp": "2026-05-28 22:01:57,725",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x00000660"
              }
            ],
            "repeated": 0,
            "id": 5047
          },
          {
            "timestamp": "2026-05-28 22:01:57,725",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xb0\\xe8\\xff\\x9d\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\xe9\\x03\\x00\\x00\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00P\\xe9\\xff\\x9d\\xf0\\x00\\x00\\x00\\xf8\\xea\\xff\\x9d\\xf0\\x00\\x00\\x00\\xe8`BT\\x92\\x02\\x00\\x000\\xe9\\xff\\x9d\\xf0\\x00\\x00\\x00\\x80\\xe9\\xff\\x9d\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xf0\\x00\\x00\\x00\\x00\\x00>T\\x92\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00u\\xc0\\x00\\x00\\x00\\x00>T\\x92\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 5048
          },
          {
            "timestamp": "2026-05-28 22:01:57,725",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "synchronization",
            "api": "NtCreateMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000674"
              },
              {
                "name": "MutexName",
                "value": "Global\\C::Users:admin:AppData:Local:Microsoft:Windows:Explorer:iconcache_idx.db!rwReaderRefs"
              },
              {
                "name": "InitialOwner",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 5049
          },
          {
            "timestamp": "2026-05-28 22:01:57,725",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000660"
              }
            ],
            "repeated": 0,
            "id": 5050
          },
          {
            "timestamp": "2026-05-28 22:01:57,725",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000670"
              }
            ],
            "repeated": 0,
            "id": 5051
          },
          {
            "timestamp": "2026-05-28 22:01:57,725",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000674"
              }
            ],
            "repeated": 0,
            "id": 5052
          },
          {
            "timestamp": "2026-05-28 22:01:57,725",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000678"
              }
            ],
            "repeated": 0,
            "id": 5053
          },
          {
            "timestamp": "2026-05-28 22:01:57,725",
            "thread_id": "5448",
            "caller": "0x7ff6c28c05ac",
            "parentcaller": "0x7ff6c28bdc11",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000644"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001400",
                "pretty_value": "PROCESS_QUERY_INFORMATION|PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "1208"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\System32\\svchost.exe"
              }
            ],
            "repeated": 0,
            "id": 5054
          },
          {
            "timestamp": "2026-05-28 22:01:57,725",
            "thread_id": "5448",
            "caller": "0x7ff6c28c068f",
            "parentcaller": "0x7ff6c28bdc11",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000644"
              }
            ],
            "repeated": 0,
            "id": 5055
          },
          {
            "timestamp": "2026-05-28 22:01:57,725",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c3e56",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000644"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001000",
                "pretty_value": "PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "1208"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\System32\\svchost.exe"
              }
            ],
            "repeated": 0,
            "id": 5056
          },
          {
            "timestamp": "2026-05-28 22:01:57,725",
            "thread_id": "5448",
            "caller": "0x7ff6c28c3ebb",
            "parentcaller": "0x7ff6c28c2d53",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000644"
              }
            ],
            "repeated": 0,
            "id": 5057
          },
          {
            "timestamp": "2026-05-28 22:01:57,725",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c3ffc",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000644"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001000",
                "pretty_value": "PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "1208"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\System32\\svchost.exe"
              }
            ],
            "repeated": 0,
            "id": 5058
          },
          {
            "timestamp": "2026-05-28 22:01:57,725",
            "thread_id": "5448",
            "caller": "0x7ff6c28c4224",
            "parentcaller": "0x7ff6c28c2da5",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000644"
              }
            ],
            "repeated": 0,
            "id": 5059
          },
          {
            "timestamp": "2026-05-28 22:01:57,725",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29254630002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\System32\\svchost.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 5060
          },
          {
            "timestamp": "2026-05-28 22:01:57,725",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "registry",
            "api": "NtOpenKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\en-US"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\en-US"
              }
            ],
            "repeated": 0,
            "id": 5061
          },
          {
            "timestamp": "2026-05-28 22:01:57,725",
            "thread_id": "612",
            "caller": "0x7ff6c296e129",
            "parentcaller": "0x7ff6c296c7fa",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Users\\admin\\AppData\\Local\\Python\\pythoncore-3.14-64\\python.exe"
              }
            ],
            "repeated": 0,
            "id": 5062
          },
          {
            "timestamp": "2026-05-28 22:01:57,725",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000658"
              }
            ],
            "repeated": 0,
            "id": 5063
          },
          {
            "timestamp": "2026-05-28 22:01:57,725",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254640000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              }
            ],
            "repeated": 0,
            "id": 5064
          },
          {
            "timestamp": "2026-05-28 22:01:57,725",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000644"
              }
            ],
            "repeated": 0,
            "id": 5065
          },
          {
            "timestamp": "2026-05-28 22:01:57,725",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254630000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              }
            ],
            "repeated": 0,
            "id": 5066
          },
          {
            "timestamp": "2026-05-28 22:01:57,725",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": false,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "\\??\\C:\\Windows\\system32\\conhost.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 5067
          },
          {
            "timestamp": "2026-05-28 22:01:57,725",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29254630002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\System32\\svchost.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 5068
          },
          {
            "timestamp": "2026-05-28 22:01:57,725",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000678"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\conhost.exe"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "1",
                "pretty_value": "FILE_SHARE_READ"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000080",
                "pretty_value": "FILE_ATTRIBUTE_NORMAL"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 5069
          },
          {
            "timestamp": "2026-05-28 22:01:57,725",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000658"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000644"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\en-US\\svchost.exe.mui"
              }
            ],
            "repeated": 0,
            "id": 5070
          },
          {
            "timestamp": "2026-05-28 22:01:57,725",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000658"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254640000"
              },
              {
                "name": "SectionOffset",
                "value": "0xf09ddfcf80"
              },
              {
                "name": "ViewSize",
                "value": "0x00001000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 5071
          },
          {
            "timestamp": "2026-05-28 22:01:57,725",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000658"
              }
            ],
            "repeated": 0,
            "id": 5072
          },
          {
            "timestamp": "2026-05-28 22:01:57,725",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000678"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\System32\\conhost.exe"
              },
              {
                "name": "FileInformationClass",
                "value": "5",
                "pretty_value": "FileStandardInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\x00@\r\\x00\\x00\\x00\\x00\\x00\\x00<\r\\x00\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 5073
          },
          {
            "timestamp": "2026-05-28 22:01:57,725",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254640000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              }
            ],
            "repeated": 0,
            "id": 5074
          },
          {
            "timestamp": "2026-05-28 22:01:57,725",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000644"
              }
            ],
            "repeated": 0,
            "id": 5075
          },
          {
            "timestamp": "2026-05-28 22:01:57,725",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254630000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              }
            ],
            "repeated": 0,
            "id": 5076
          },
          {
            "timestamp": "2026-05-28 22:01:57,725",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "filesystem",
            "api": "NtSetInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000678"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\System32\\conhost.exe"
              },
              {
                "name": "FileInformationClass",
                "value": "14",
                "pretty_value": "FilePositionInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 5077
          },
          {
            "timestamp": "2026-05-28 22:01:57,725",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "filesystem",
            "api": "NtReadFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000678"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\System32\\conhost.exe"
              },
              {
                "name": "Buffer",
                "value": "MZ"
              },
              {
                "name": "Length",
                "value": "2"
              }
            ],
            "repeated": 0,
            "id": 5078
          },
          {
            "timestamp": "2026-05-28 22:01:57,725",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "filesystem",
            "api": "NtSetInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000678"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\System32\\conhost.exe"
              },
              {
                "name": "FileInformationClass",
                "value": "14",
                "pretty_value": "FilePositionInformation"
              },
              {
                "name": "FileInformation",
                "value": "<\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 5079
          },
          {
            "timestamp": "2026-05-28 22:01:57,725",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "filesystem",
            "api": "NtReadFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000678"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\System32\\conhost.exe"
              },
              {
                "name": "Buffer",
                "value": "\\xf0\\x00\\x00\\x00"
              },
              {
                "name": "Length",
                "value": "4"
              }
            ],
            "repeated": 0,
            "id": 5080
          },
          {
            "timestamp": "2026-05-28 22:01:57,725",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "filesystem",
            "api": "NtSetInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000678"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\System32\\conhost.exe"
              },
              {
                "name": "FileInformationClass",
                "value": "14",
                "pretty_value": "FilePositionInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 5081
          },
          {
            "timestamp": "2026-05-28 22:01:57,725",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "filesystem",
            "api": "NtReadFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000678"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\System32\\conhost.exe"
              },
              {
                "name": "Buffer",
                "value": "PE\\x00\\x00d\\x86\\x07\\x00\\xdc6\\xe4/\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xf0\\x00\"\\x00\\x0b\\x02\\x0e\\x14\\x00\\xa2\t\\x00\\x00\\xcc\\x03\\x00\\x00\\x00\\x00\\x00P\\xf7\\x01\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00@\\x01\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x02\\x00\\x00"
              },
              {
                "name": "Length",
                "value": "64"
              }
            ],
            "repeated": 0,
            "id": 5082
          },
          {
            "timestamp": "2026-05-28 22:01:57,725",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000678"
              }
            ],
            "repeated": 0,
            "id": 5083
          },
          {
            "timestamp": "2026-05-28 22:01:57,725",
            "thread_id": "612",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Desktop\\NameSpace"
              },
              {
                "name": "Handle",
                "value": "0x00000678"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Desktop\\NameSpace"
              }
            ],
            "repeated": 0,
            "id": 5084
          },
          {
            "timestamp": "2026-05-28 22:01:57,725",
            "thread_id": "612",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "registry",
            "api": "RegEnumKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000678"
              },
              {
                "name": "Index",
                "value": "0"
              },
              {
                "name": "Name",
                "value": "DelegateFolders"
              },
              {
                "name": "Class",
                "value": ""
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Desktop\\NameSpace\\DelegateFolders"
              }
            ],
            "repeated": 0,
            "id": 5085
          },
          {
            "timestamp": "2026-05-28 22:01:57,725",
            "thread_id": "612",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x000002e6"
              },
              {
                "name": "SubKey",
                "value": "DelegateFolders"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\DelegateFolders"
              }
            ],
            "repeated": 3,
            "id": 5086
          },
          {
            "timestamp": "2026-05-28 22:01:57,725",
            "thread_id": "612",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "registry",
            "api": "RegEnumKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000678"
              },
              {
                "name": "Index",
                "value": "1"
              },
              {
                "name": "Name",
                "value": "{031E4825-7B94-4dc3-B131-E946B44C8DD5}"
              },
              {
                "name": "Class",
                "value": ""
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Desktop\\NameSpace\\{031E4825-7B94-4dc3-B131-E946B44C8DD5}"
              }
            ],
            "repeated": 0,
            "id": 5087
          },
          {
            "timestamp": "2026-05-28 22:01:57,725",
            "thread_id": "612",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "registry",
            "api": "RegEnumKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000678"
              },
              {
                "name": "Index",
                "value": "2"
              },
              {
                "name": "Name",
                "value": "{04731B67-D933-450a-90E6-4ACD2E9408FE}"
              },
              {
                "name": "Class",
                "value": ""
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Desktop\\NameSpace\\{04731B67-D933-450a-90E6-4ACD2E9408FE}"
              }
            ],
            "repeated": 0,
            "id": 5088
          },
          {
            "timestamp": "2026-05-28 22:01:57,725",
            "thread_id": "612",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "registry",
            "api": "RegEnumKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000678"
              },
              {
                "name": "Index",
                "value": "3"
              },
              {
                "name": "Name",
                "value": "{11016101-E366-4D22-BC06-4ADA335C892B}"
              },
              {
                "name": "Class",
                "value": ""
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Desktop\\NameSpace\\{11016101-E366-4D22-BC06-4ADA335C892B}"
              }
            ],
            "repeated": 0,
            "id": 5089
          },
          {
            "timestamp": "2026-05-28 22:01:57,725",
            "thread_id": "612",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "registry",
            "api": "RegEnumKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000678"
              },
              {
                "name": "Index",
                "value": "4"
              },
              {
                "name": "Name",
                "value": "{26EE0668-A00A-44D7-9371-BEB064C98683}"
              },
              {
                "name": "Class",
                "value": ""
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Desktop\\NameSpace\\{26EE0668-A00A-44D7-9371-BEB064C98683}"
              }
            ],
            "repeated": 0,
            "id": 5090
          },
          {
            "timestamp": "2026-05-28 22:01:57,725",
            "thread_id": "612",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "registry",
            "api": "RegEnumKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000678"
              },
              {
                "name": "Index",
                "value": "5"
              },
              {
                "name": "Name",
                "value": "{2F6CE85C-F9EE-43CA-90C7-8A9BD53A2467}"
              },
              {
                "name": "Class",
                "value": ""
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Desktop\\NameSpace\\{2F6CE85C-F9EE-43CA-90C7-8A9BD53A2467}"
              }
            ],
            "repeated": 0,
            "id": 5091
          },
          {
            "timestamp": "2026-05-28 22:01:57,725",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c38f8",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000644"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001410",
                "pretty_value": "PROCESS_VM_READ|PROCESS_QUERY_INFORMATION|PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "1208"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\System32\\svchost.exe"
              }
            ],
            "repeated": 0,
            "id": 5092
          },
          {
            "timestamp": "2026-05-28 22:01:57,725",
            "thread_id": "5448",
            "caller": "0x7ff6c28c53e5",
            "parentcaller": "0x7ff6c28c3945",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000644"
              },
              {
                "name": "BaseAddress",
                "value": "0x1a537a2000"
              },
              {
                "name": "Size",
                "value": "0x000007c8"
              },
              {
                "name": "Buffer",
                "value": "\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x006\\x80\\xf7\\x7f\\x00\\x00\\xc0\\xc4\\x13x\\xfc\\x7f\\x00\\x00p2\\x00\\xb9)\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xf7\\xb8)\\x01\\x00\\x00\\xe0\\xc0\\x13x\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00p\\x003v\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xf2\\xb8)\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00@\\xc4\\x13x\\xfc\\x7f\\x00\\x00\\xff\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xf8U\\xf4}\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00P\\x07\\xf8U\\xf4}\\x00\\x00\\x00\\x00\\x0cX\\xf5}\\x00\\x00(\\x02\rX\\xf5}\\x00\\x00P\\x06\\x0eX\\xf5}\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x80\\x9b\\x07m\\xe8\\xff\\xff\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x00 \\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x10\\x00\\x00\\x00@\\xad\\x13x\\xfc\\x7f\\x00\\x00\\x00\\x00M\\xb9)\\x01\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 5093
          },
          {
            "timestamp": "2026-05-28 22:01:57,725",
            "thread_id": "612",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "registry",
            "api": "RegEnumKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000678"
              },
              {
                "name": "Index",
                "value": "7"
              },
              {
                "name": "Name",
                "value": "{450D8FBA-AD25-11D0-98A8-0800361B1103}"
              },
              {
                "name": "Class",
                "value": ""
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Desktop\\NameSpace\\{450D8FBA-AD25-11D0-98A8-0800361B1103}"
              }
            ],
            "repeated": 0,
            "id": 5094
          },
          {
            "timestamp": "2026-05-28 22:01:57,725",
            "thread_id": "5448",
            "caller": "0x7ff6c28c5414",
            "parentcaller": "0x7ff6c28c3945",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000644"
              },
              {
                "name": "BaseAddress",
                "value": "0x129b9003270"
              },
              {
                "name": "Size",
                "value": "0x00000440"
              },
              {
                "name": "Buffer",
                "value": "n\\x07\\x00\\x00n\\x07\\x00\\x00\\x01 \\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00(\\x00\\x08\\x02\\x00\\x00\\x00\\x00P>\\x00\\xb9)\\x01\\x00\\x00H\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00>\\x00@\\x00\\x00\\x00\\x00\\x00\\xb88\\x00\\xb9)\\x01\\x00\\x00\\xa0\\x00\\xa2\\x00\\x00\\x00\\x00\\x00\\xf88\\x00\\xb9)\\x01\\x00\\x00\\xf0'\\x00\\xb9)\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x80\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00>\\x00@\\x00\\x00\\x00\\x00\\x00\\x9a9\\x00\\xb9)\\x01\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\xda9\\x00\\xb9)\\x01\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\xdc9\\x00\\xb9)\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 5095
          },
          {
            "timestamp": "2026-05-28 22:01:57,725",
            "thread_id": "5448",
            "caller": "0x7ff6c28c545d",
            "parentcaller": "0x7ff6c28c3945",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000644"
              },
              {
                "name": "BaseAddress",
                "value": "0x129b90038f8"
              },
              {
                "name": "Size",
                "value": "0x000000a0"
              },
              {
                "name": "Buffer",
                "value": "C\\x00:\\x00\\\\x00W\\x00i\\x00n\\x00d\\x00o\\x00w\\x00s\\x00\\\\x00S\\x00y\\x00s\\x00t\\x00e\\x00m\\x003\\x002\\x00\\\\x00s\\x00v\\x00c\\x00h\\x00o\\x00s\\x00t\\x00.\\x00e\\x00x\\x00e\\x00 \\x00-\\x00k\\x00 \\x00L\\x00o\\x00c\\x00a\\x00l\\x00S\\x00y\\x00s\\x00t\\x00e\\x00m\\x00N\\x00e\\x00t\\x00w\\x00o\\x00r\\x00k\\x00R\\x00e\\x00s\\x00t\\x00r\\x00i\\x00c\\x00t\\x00e\\x00d\\x00 \\x00-\\x00p\\x00 \\x00-\\x00s\\x00 \\x00N\\x00c\\x00b\\x00S\\x00e\\x00r\\x00v\\x00i\\x00c\\x00e\\x00"
              }
            ],
            "repeated": 0,
            "id": 5096
          },
          {
            "timestamp": "2026-05-28 22:01:57,725",
            "thread_id": "5448",
            "caller": "0x7ff6c28c39ad",
            "parentcaller": "0x7ff6c28c31bb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000644"
              }
            ],
            "repeated": 0,
            "id": 5097
          },
          {
            "timestamp": "2026-05-28 22:01:57,725",
            "thread_id": "612",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "registry",
            "api": "RegEnumKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000678"
              },
              {
                "name": "Index",
                "value": "8"
              },
              {
                "name": "Name",
                "value": "{5399E694-6CE5-4D6C-8FCE-1D8870FDCBA0}"
              },
              {
                "name": "Class",
                "value": ""
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Desktop\\NameSpace\\{5399E694-6CE5-4D6C-8FCE-1D8870FDCBA0}"
              }
            ],
            "repeated": 0,
            "id": 5098
          },
          {
            "timestamp": "2026-05-28 22:01:57,725",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c3746",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000644"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001000",
                "pretty_value": "PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "1208"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\System32\\svchost.exe"
              }
            ],
            "repeated": 0,
            "id": 5099
          },
          {
            "timestamp": "2026-05-28 22:01:57,725",
            "thread_id": "5448",
            "caller": "0x7ff6c28c472e",
            "parentcaller": "0x7ff6c28c375e",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000644"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x00000658"
              }
            ],
            "repeated": 0,
            "id": 5100
          },
          {
            "timestamp": "2026-05-28 22:01:57,725",
            "thread_id": "5448",
            "caller": "0x7ff6c28c4764",
            "parentcaller": "0x7ff6c28c375e",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "39"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 5101
          },
          {
            "timestamp": "2026-05-28 22:01:57,725",
            "thread_id": "612",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "registry",
            "api": "RegEnumKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000678"
              },
              {
                "name": "Index",
                "value": "9"
              },
              {
                "name": "Name",
                "value": "{59031a47-3f72-44a7-89c5-5595fe6b30ee}"
              },
              {
                "name": "Class",
                "value": ""
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Desktop\\NameSpace\\{59031a47-3f72-44a7-89c5-5595fe6b30ee}"
              }
            ],
            "repeated": 0,
            "id": 5102
          },
          {
            "timestamp": "2026-05-28 22:01:57,725",
            "thread_id": "5448",
            "caller": "0x7ff6c28c488d",
            "parentcaller": "0x7ff6c28c375e",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000658"
              }
            ],
            "repeated": 0,
            "id": 5103
          },
          {
            "timestamp": "2026-05-28 22:01:57,725",
            "thread_id": "612",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "registry",
            "api": "RegEnumKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000678"
              },
              {
                "name": "Index",
                "value": "10"
              },
              {
                "name": "Name",
                "value": "{5b934b42-522b-4c34-bbfe-37a3ef7b9c90}"
              },
              {
                "name": "Class",
                "value": ""
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Desktop\\NameSpace\\{5b934b42-522b-4c34-bbfe-37a3ef7b9c90}"
              }
            ],
            "repeated": 0,
            "id": 5104
          },
          {
            "timestamp": "2026-05-28 22:01:57,725",
            "thread_id": "612",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "registry",
            "api": "RegEnumKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000678"
              },
              {
                "name": "Index",
                "value": "11"
              },
              {
                "name": "Name",
                "value": "{645FF040-5081-101B-9F08-00AA002F954E}"
              },
              {
                "name": "Class",
                "value": ""
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Desktop\\NameSpace\\{645FF040-5081-101B-9F08-00AA002F954E}"
              }
            ],
            "repeated": 0,
            "id": 5105
          },
          {
            "timestamp": "2026-05-28 22:01:57,725",
            "thread_id": "612",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "registry",
            "api": "RegEnumKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000678"
              },
              {
                "name": "Index",
                "value": "12"
              },
              {
                "name": "Name",
                "value": "{64693913-1c21-4f30-a98f-4e52906d3b56}"
              },
              {
                "name": "Class",
                "value": ""
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Desktop\\NameSpace\\{64693913-1c21-4f30-a98f-4e52906d3b56}"
              }
            ],
            "repeated": 0,
            "id": 5106
          },
          {
            "timestamp": "2026-05-28 22:01:57,725",
            "thread_id": "612",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "registry",
            "api": "RegEnumKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000678"
              },
              {
                "name": "Index",
                "value": "13"
              },
              {
                "name": "Name",
                "value": "{89D83576-6BD1-4c86-9454-BEB04E94C819}"
              },
              {
                "name": "Class",
                "value": ""
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Desktop\\NameSpace\\{89D83576-6BD1-4c86-9454-BEB04E94C819}"
              }
            ],
            "repeated": 0,
            "id": 5107
          },
          {
            "timestamp": "2026-05-28 22:01:57,725",
            "thread_id": "612",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "registry",
            "api": "RegEnumKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000678"
              },
              {
                "name": "Index",
                "value": "14"
              },
              {
                "name": "Name",
                "value": "{8FD8B88D-30E1-4F25-AC2B-553D3D65F0EA}"
              },
              {
                "name": "Class",
                "value": ""
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Desktop\\NameSpace\\{8FD8B88D-30E1-4F25-AC2B-553D3D65F0EA}"
              }
            ],
            "repeated": 0,
            "id": 5108
          },
          {
            "timestamp": "2026-05-28 22:01:57,725",
            "thread_id": "612",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "registry",
            "api": "RegEnumKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000678"
              },
              {
                "name": "Index",
                "value": "15"
              },
              {
                "name": "Name",
                "value": "{9343812e-1c37-4a49-a12e-4b2d810d956b}"
              },
              {
                "name": "Class",
                "value": ""
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Desktop\\NameSpace\\{9343812e-1c37-4a49-a12e-4b2d810d956b}"
              }
            ],
            "repeated": 0,
            "id": 5109
          },
          {
            "timestamp": "2026-05-28 22:01:57,725",
            "thread_id": "612",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "registry",
            "api": "RegEnumKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000678"
              },
              {
                "name": "Index",
                "value": "16"
              },
              {
                "name": "Name",
                "value": "{98F275B4-4FFF-11E0-89E2-7B86DFD72085}"
              },
              {
                "name": "Class",
                "value": ""
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Desktop\\NameSpace\\{98F275B4-4FFF-11E0-89E2-7B86DFD72085}"
              }
            ],
            "repeated": 0,
            "id": 5110
          },
          {
            "timestamp": "2026-05-28 22:01:57,725",
            "thread_id": "612",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "registry",
            "api": "RegEnumKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000678"
              },
              {
                "name": "Index",
                "value": "17"
              },
              {
                "name": "Name",
                "value": "{a00ee528-ebd9-48b8-944a-8942113d46ac}"
              },
              {
                "name": "Class",
                "value": ""
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Desktop\\NameSpace\\{a00ee528-ebd9-48b8-944a-8942113d46ac}"
              }
            ],
            "repeated": 0,
            "id": 5111
          },
          {
            "timestamp": "2026-05-28 22:01:57,725",
            "thread_id": "612",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "registry",
            "api": "RegEnumKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000678"
              },
              {
                "name": "Index",
                "value": "18"
              },
              {
                "name": "Name",
                "value": "{B4FB3F98-C1EA-428d-A78A-D1F5659CBA93}"
              },
              {
                "name": "Class",
                "value": ""
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Desktop\\NameSpace\\{B4FB3F98-C1EA-428d-A78A-D1F5659CBA93}"
              }
            ],
            "repeated": 0,
            "id": 5112
          },
          {
            "timestamp": "2026-05-28 22:01:57,725",
            "thread_id": "612",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "registry",
            "api": "RegEnumKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000678"
              },
              {
                "name": "Index",
                "value": "19"
              },
              {
                "name": "Name",
                "value": "{BD7A2E7B-21CB-41b2-A086-B309680C6B7E}"
              },
              {
                "name": "Class",
                "value": ""
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Desktop\\NameSpace\\{BD7A2E7B-21CB-41b2-A086-B309680C6B7E}"
              }
            ],
            "repeated": 0,
            "id": 5113
          },
          {
            "timestamp": "2026-05-28 22:01:57,725",
            "thread_id": "612",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "registry",
            "api": "RegEnumKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000678"
              },
              {
                "name": "Index",
                "value": "20"
              },
              {
                "name": "Name",
                "value": "{daf95313-e44d-46af-be1b-cbacea2c3065}"
              },
              {
                "name": "Class",
                "value": ""
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Desktop\\NameSpace\\{daf95313-e44d-46af-be1b-cbacea2c3065}"
              }
            ],
            "repeated": 0,
            "id": 5114
          },
          {
            "timestamp": "2026-05-28 22:01:57,725",
            "thread_id": "612",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "registry",
            "api": "RegEnumKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000678"
              },
              {
                "name": "Index",
                "value": "21"
              },
              {
                "name": "Name",
                "value": "{e345f35f-9397-435c-8f95-4e922c26259e}"
              },
              {
                "name": "Class",
                "value": ""
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Desktop\\NameSpace\\{e345f35f-9397-435c-8f95-4e922c26259e}"
              }
            ],
            "repeated": 0,
            "id": 5115
          },
          {
            "timestamp": "2026-05-28 22:01:57,725",
            "thread_id": "612",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "registry",
            "api": "RegEnumKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000678"
              },
              {
                "name": "Index",
                "value": "22"
              },
              {
                "name": "Name",
                "value": "{EDC978D6-4D53-4b2f-A265-5805674BE568}"
              },
              {
                "name": "Class",
                "value": ""
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Desktop\\NameSpace\\{EDC978D6-4D53-4b2f-A265-5805674BE568}"
              }
            ],
            "repeated": 0,
            "id": 5116
          },
          {
            "timestamp": "2026-05-28 22:01:57,725",
            "thread_id": "612",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "registry",
            "api": "RegEnumKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000678"
              },
              {
                "name": "Index",
                "value": "23"
              },
              {
                "name": "Name",
                "value": "{F02C1A0D-BE21-4350-88B0-7367FC96EF3C}"
              },
              {
                "name": "Class",
                "value": ""
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Desktop\\NameSpace\\{F02C1A0D-BE21-4350-88B0-7367FC96EF3C}"
              }
            ],
            "repeated": 0,
            "id": 5117
          },
          {
            "timestamp": "2026-05-28 22:01:57,725",
            "thread_id": "612",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "registry",
            "api": "RegEnumKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000678"
              },
              {
                "name": "Index",
                "value": "24"
              },
              {
                "name": "Name",
                "value": "{f8278c54-a712-415b-b593-b77a2be0dda9}"
              },
              {
                "name": "Class",
                "value": ""
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Desktop\\NameSpace\\{f8278c54-a712-415b-b593-b77a2be0dda9}"
              }
            ],
            "repeated": 0,
            "id": 5118
          },
          {
            "timestamp": "2026-05-28 22:01:57,725",
            "thread_id": "612",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "registry",
            "api": "RegEnumKeyExW",
            "status": false,
            "return": "0x00000103",
            "pretty_return": "NO_MORE_ITEMS",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000678"
              },
              {
                "name": "Index",
                "value": "25"
              },
              {
                "name": "Name",
                "value": ""
              },
              {
                "name": "Class",
                "value": ""
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Desktop\\NameSpace\\"
              }
            ],
            "repeated": 0,
            "id": 5119
          },
          {
            "timestamp": "2026-05-28 22:01:57,725",
            "thread_id": "612",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "registry",
            "api": "RegCreateKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000678"
              },
              {
                "name": "SubKey",
                "value": ""
              },
              {
                "name": "Class",
                "value": ""
              },
              {
                "name": "Access",
                "value": "0x00000010",
                "pretty_value": "KEY_NOTIFY"
              },
              {
                "name": "Handle",
                "value": "0x0000067c"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Desktop\\NameSpace\\"
              },
              {
                "name": "Disposition",
                "value": "2",
                "pretty_value": "REG_OPENED_EXISTING_KEY"
              }
            ],
            "repeated": 0,
            "id": 5120
          },
          {
            "timestamp": "2026-05-28 22:01:57,725",
            "thread_id": "5448",
            "caller": "0x7ff6c28c05ac",
            "parentcaller": "0x7ff6c28bdc11",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000644"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001400",
                "pretty_value": "PROCESS_QUERY_INFORMATION|PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "1260"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\System32\\svchost.exe"
              }
            ],
            "repeated": 0,
            "id": 5121
          },
          {
            "timestamp": "2026-05-28 22:01:57,725",
            "thread_id": "5448",
            "caller": "0x7ff6c28c068f",
            "parentcaller": "0x7ff6c28bdc11",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000644"
              }
            ],
            "repeated": 0,
            "id": 5122
          },
          {
            "timestamp": "2026-05-28 22:01:57,725",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c3e56",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000644"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001000",
                "pretty_value": "PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "1260"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\System32\\svchost.exe"
              }
            ],
            "repeated": 0,
            "id": 5123
          },
          {
            "timestamp": "2026-05-28 22:01:57,725",
            "thread_id": "612",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "registry",
            "api": "RegNotifyChangeKeyValue",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Desktop\\NameSpace\\"
              },
              {
                "name": "NotifyFilter",
                "value": "0x10000005"
              },
              {
                "name": "WatchSubtree",
                "value": "1"
              },
              {
                "name": "Asynchronous",
                "value": "1"
              }
            ],
            "repeated": 0,
            "id": 5124
          },
          {
            "timestamp": "2026-05-28 22:01:57,725",
            "thread_id": "5448",
            "caller": "0x7ff6c28c3ebb",
            "parentcaller": "0x7ff6c28c2d53",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000644"
              }
            ],
            "repeated": 0,
            "id": 5125
          },
          {
            "timestamp": "2026-05-28 22:01:57,725",
            "thread_id": "612",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000678"
              }
            ],
            "repeated": 0,
            "id": 5126
          },
          {
            "timestamp": "2026-05-28 22:01:57,725",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c3ffc",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000644"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001000",
                "pretty_value": "PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "1260"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\System32\\svchost.exe"
              }
            ],
            "repeated": 0,
            "id": 5127
          },
          {
            "timestamp": "2026-05-28 22:01:57,725",
            "thread_id": "612",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000001",
                "pretty_value": "HKEY_CURRENT_USER"
              },
              {
                "name": "SubKey",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Desktop\\NameSpace"
              },
              {
                "name": "Handle",
                "value": "0x00000678"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Desktop\\NameSpace"
              }
            ],
            "repeated": 0,
            "id": 5128
          },
          {
            "timestamp": "2026-05-28 22:01:57,725",
            "thread_id": "5448",
            "caller": "0x7ff6c28c4224",
            "parentcaller": "0x7ff6c28c2da5",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000644"
              }
            ],
            "repeated": 0,
            "id": 5129
          },
          {
            "timestamp": "2026-05-28 22:01:57,725",
            "thread_id": "612",
            "caller": "0x7ffc73908029",
            "parentcaller": "0x7ffc738425d9",
            "category": "registry",
            "api": "RegEnumKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000678"
              },
              {
                "name": "Index",
                "value": "0"
              },
              {
                "name": "Name",
                "value": "{018D5C66-4533-4307-9B53-224DE2ED1FE6}"
              },
              {
                "name": "Class",
                "value": ""
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Desktop\\NameSpace\\{018D5C66-4533-4307-9B53-224DE2ED1FE6}"
              }
            ],
            "repeated": 0,
            "id": 5130
          },
          {
            "timestamp": "2026-05-28 22:01:57,725",
            "thread_id": "612",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "registry",
            "api": "RegEnumKeyExW",
            "status": false,
            "return": "0x00000103",
            "pretty_return": "NO_MORE_ITEMS",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000678"
              },
              {
                "name": "Index",
                "value": "1"
              },
              {
                "name": "Name",
                "value": ""
              },
              {
                "name": "Class",
                "value": ""
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Desktop\\NameSpace\\"
              }
            ],
            "repeated": 0,
            "id": 5131
          },
          {
            "timestamp": "2026-05-28 22:01:57,725",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29254630002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\System32\\svchost.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 5132
          },
          {
            "timestamp": "2026-05-28 22:01:57,725",
            "thread_id": "612",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "registry",
            "api": "RegCreateKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000678"
              },
              {
                "name": "SubKey",
                "value": ""
              },
              {
                "name": "Class",
                "value": ""
              },
              {
                "name": "Access",
                "value": "0x00000010",
                "pretty_value": "KEY_NOTIFY"
              },
              {
                "name": "Handle",
                "value": "0x00000688"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Desktop\\NameSpace\\"
              },
              {
                "name": "Disposition",
                "value": "2",
                "pretty_value": "REG_OPENED_EXISTING_KEY"
              }
            ],
            "repeated": 0,
            "id": 5133
          },
          {
            "timestamp": "2026-05-28 22:01:57,725",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "registry",
            "api": "NtOpenKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\en-US"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\en-US"
              }
            ],
            "repeated": 0,
            "id": 5134
          },
          {
            "timestamp": "2026-05-28 22:01:57,725",
            "thread_id": "612",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "registry",
            "api": "RegNotifyChangeKeyValue",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Desktop\\NameSpace\\"
              },
              {
                "name": "NotifyFilter",
                "value": "0x10000005"
              },
              {
                "name": "WatchSubtree",
                "value": "1"
              },
              {
                "name": "Asynchronous",
                "value": "1"
              }
            ],
            "repeated": 0,
            "id": 5135
          },
          {
            "timestamp": "2026-05-28 22:01:57,725",
            "thread_id": "612",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000678"
              }
            ],
            "repeated": 0,
            "id": 5136
          },
          {
            "timestamp": "2026-05-28 22:01:57,725",
            "thread_id": "612",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Desktop\\NameSpace\\DelegateFolders"
              },
              {
                "name": "Handle",
                "value": "0x00000678"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Desktop\\NameSpace\\DelegateFolders"
              }
            ],
            "repeated": 0,
            "id": 5137
          },
          {
            "timestamp": "2026-05-28 22:01:57,725",
            "thread_id": "612",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "registry",
            "api": "RegEnumKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000678"
              },
              {
                "name": "Index",
                "value": "0"
              },
              {
                "name": "Name",
                "value": "{F5FB2C77-0E2F-4A16-A381-3E560C68BC83}"
              },
              {
                "name": "Class",
                "value": ""
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Desktop\\NameSpace\\DelegateFolders\\{F5FB2C77-0E2F-4A16-A381-3E560C68BC83}"
              }
            ],
            "repeated": 0,
            "id": 5138
          },
          {
            "timestamp": "2026-05-28 22:01:57,725",
            "thread_id": "612",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "registry",
            "api": "RegEnumKeyExW",
            "status": false,
            "return": "0x00000103",
            "pretty_return": "NO_MORE_ITEMS",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000678"
              },
              {
                "name": "Index",
                "value": "1"
              },
              {
                "name": "Name",
                "value": ""
              },
              {
                "name": "Class",
                "value": ""
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Desktop\\NameSpace\\DelegateFolders\\"
              }
            ],
            "repeated": 0,
            "id": 5139
          },
          {
            "timestamp": "2026-05-28 22:01:57,725",
            "thread_id": "612",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "registry",
            "api": "RegCreateKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000678"
              },
              {
                "name": "SubKey",
                "value": ""
              },
              {
                "name": "Class",
                "value": ""
              },
              {
                "name": "Access",
                "value": "0x00000010",
                "pretty_value": "KEY_NOTIFY"
              },
              {
                "name": "Handle",
                "value": "0x00000694"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Desktop\\NameSpace\\DelegateFolders\\"
              },
              {
                "name": "Disposition",
                "value": "2",
                "pretty_value": "REG_OPENED_EXISTING_KEY"
              }
            ],
            "repeated": 0,
            "id": 5140
          },
          {
            "timestamp": "2026-05-28 22:01:57,725",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000658"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000644"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\en-US\\svchost.exe.mui"
              }
            ],
            "repeated": 0,
            "id": 5141
          },
          {
            "timestamp": "2026-05-28 22:01:57,725",
            "thread_id": "612",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x0000058c"
              },
              {
                "name": "SubKey",
                "value": "SessionInfo\\1"
              },
              {
                "name": "Handle",
                "value": "0x00000678"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\SessionInfo\\1"
              }
            ],
            "repeated": 0,
            "id": 5142
          },
          {
            "timestamp": "2026-05-28 22:01:57,725",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000658"
              }
            ],
            "repeated": 0,
            "id": 5143
          },
          {
            "timestamp": "2026-05-28 22:01:57,725",
            "thread_id": "612",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000678"
              },
              {
                "name": "SubKey",
                "value": "Desktop\\NameSpace"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\SessionInfo\\1\\Desktop\\NameSpace"
              }
            ],
            "repeated": 0,
            "id": 5144
          },
          {
            "timestamp": "2026-05-28 22:01:57,725",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000644"
              }
            ],
            "repeated": 0,
            "id": 5145
          },
          {
            "timestamp": "2026-05-28 22:01:57,725",
            "thread_id": "612",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000678"
              },
              {
                "name": "SubKey",
                "value": "Desktop\\NameSpace\\DelegateFolders"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\SessionInfo\\1\\Desktop\\NameSpace\\DelegateFolders"
              }
            ],
            "repeated": 0,
            "id": 5146
          },
          {
            "timestamp": "2026-05-28 22:01:57,725",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254630000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              }
            ],
            "repeated": 0,
            "id": 5147
          },
          {
            "timestamp": "2026-05-28 22:01:57,725",
            "thread_id": "612",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000678"
              }
            ],
            "repeated": 0,
            "id": 5148
          },
          {
            "timestamp": "2026-05-28 22:01:57,725",
            "thread_id": "612",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 5149
          },
          {
            "timestamp": "2026-05-28 22:01:57,725",
            "thread_id": "612",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000000d4"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 5150
          },
          {
            "timestamp": "2026-05-28 22:01:57,725",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29254630002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\System32\\svchost.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 5151
          },
          {
            "timestamp": "2026-05-28 22:01:57,725",
            "thread_id": "612",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000678"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000000d4"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Desktop\\NameSpace\\DelegateFolders"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Desktop\\NameSpace\\DelegateFolders"
              }
            ],
            "repeated": 0,
            "id": 5152
          },
          {
            "timestamp": "2026-05-28 22:01:57,725",
            "thread_id": "612",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000678"
              },
              {
                "name": "ValueName",
                "value": "StorageDelegateSuppressionPolicy"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Desktop\\NameSpace\\DelegateFolders\\StorageDelegateSuppressionPolicy"
              }
            ],
            "repeated": 0,
            "id": 5153
          },
          {
            "timestamp": "2026-05-28 22:01:57,725",
            "thread_id": "612",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000678"
              }
            ],
            "repeated": 0,
            "id": 5154
          },
          {
            "timestamp": "2026-05-28 22:01:57,725",
            "thread_id": "612",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 5155
          },
          {
            "timestamp": "2026-05-28 22:01:57,725",
            "thread_id": "612",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000000d4"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 5156
          },
          {
            "timestamp": "2026-05-28 22:01:57,725",
            "thread_id": "612",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000678"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000000d4"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Desktop\\NameSpace\\DelegateFolders"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Desktop\\NameSpace\\DelegateFolders"
              }
            ],
            "repeated": 0,
            "id": 5157
          },
          {
            "timestamp": "2026-05-28 22:01:57,725",
            "thread_id": "612",
            "caller": "0x7ffc756e2fe4",
            "parentcaller": "0x7ffc7392e5e5",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000678"
              },
              {
                "name": "ValueName",
                "value": "StorageDelegate"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Desktop\\NameSpace\\DelegateFolders\\StorageDelegate"
              }
            ],
            "repeated": 0,
            "id": 5158
          },
          {
            "timestamp": "2026-05-28 22:01:57,725",
            "thread_id": "612",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000678"
              }
            ],
            "repeated": 0,
            "id": 5159
          },
          {
            "timestamp": "2026-05-28 22:01:57,725",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000678"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000400",
                "pretty_value": "PROCESS_QUERY_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "7912"
              }
            ],
            "repeated": 0,
            "id": 5160
          },
          {
            "timestamp": "2026-05-28 22:01:57,725",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x000006a0"
              }
            ],
            "repeated": 0,
            "id": 5161
          },
          {
            "timestamp": "2026-05-28 22:01:57,725",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xe0\\xe7\\xff\\x9d\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\xe9\\x03\\x00\\x00\\xfc\\x7f\\x00\\x00`^\\xe8S\\x92\\x02\\x00\\x00`\\xee\\xff\\x9d\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00v\\x00\\x00\\x00\\x00\\x00\\x00\\x00H\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 5162
          },
          {
            "timestamp": "2026-05-28 22:01:57,725",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "synchronization",
            "api": "NtCreateMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000006a4"
              },
              {
                "name": "MutexName",
                "value": "Global\\C::Users:admin:AppData:Local:Microsoft:Windows:Explorer:iconcache_idx.db!rwReaderRefs"
              },
              {
                "name": "InitialOwner",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 5163
          },
          {
            "timestamp": "2026-05-28 22:01:57,725",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000658"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000644"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\en-US\\svchost.exe.mui"
              }
            ],
            "repeated": 0,
            "id": 5164
          },
          {
            "timestamp": "2026-05-28 22:01:57,725",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000658"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254640000"
              },
              {
                "name": "SectionOffset",
                "value": "0xf09ddfcf80"
              },
              {
                "name": "ViewSize",
                "value": "0x00001000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 5165
          },
          {
            "timestamp": "2026-05-28 22:01:57,725",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000658"
              }
            ],
            "repeated": 0,
            "id": 5166
          },
          {
            "timestamp": "2026-05-28 22:01:57,725",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254640000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              }
            ],
            "repeated": 0,
            "id": 5167
          },
          {
            "timestamp": "2026-05-28 22:01:57,725",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000644"
              }
            ],
            "repeated": 0,
            "id": 5168
          },
          {
            "timestamp": "2026-05-28 22:01:57,725",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254630000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              }
            ],
            "repeated": 0,
            "id": 5169
          },
          {
            "timestamp": "2026-05-28 22:01:57,725",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000005d4"
              },
              {
                "name": "HandleName",
                "value": "C:\\Users\\admin\\AppData\\Local\\Microsoft\\Windows\\Explorer\\iconcache_idx.db"
              },
              {
                "name": "FileInformationClass",
                "value": "5",
                "pretty_value": "FileStandardInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\x00\\x80\\x00\\x00\\x00\\x00\\x00\\x000r\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 5170
          },
          {
            "timestamp": "2026-05-28 22:01:57,725",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000006a4"
              }
            ],
            "repeated": 0,
            "id": 5171
          },
          {
            "timestamp": "2026-05-28 22:01:57,725",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000006a4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000400",
                "pretty_value": "PROCESS_QUERY_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "7912"
              }
            ],
            "repeated": 0,
            "id": 5172
          },
          {
            "timestamp": "2026-05-28 22:01:57,725",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x00000678"
              }
            ],
            "repeated": 0,
            "id": 5173
          },
          {
            "timestamp": "2026-05-28 22:01:57,725",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xf0\\xe7\\xff\\x9d\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\xe9\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xf0\\x05\\x00\\x00\\x00\\x00\\x00\\x00 \\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x02\\x00\\x00\\x00\\x00\\x00\\x00]\\xddmu\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00j\\x05'Ou\\xc0\\x00\\x00\\x88X\\x1cT\\x92\\x02\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 5174
          },
          {
            "timestamp": "2026-05-28 22:01:57,725",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "synchronization",
            "api": "NtCreateMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000006a0"
              },
              {
                "name": "MutexName",
                "value": "Global\\C::Users:admin:AppData:Local:Microsoft:Windows:Explorer:iconcache_idx.db!rwReaderRefs"
              },
              {
                "name": "InitialOwner",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 5175
          },
          {
            "timestamp": "2026-05-28 22:01:57,725",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000678"
              }
            ],
            "repeated": 0,
            "id": 5176
          },
          {
            "timestamp": "2026-05-28 22:01:57,725",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000006a4"
              }
            ],
            "repeated": 0,
            "id": 5177
          },
          {
            "timestamp": "2026-05-28 22:01:57,725",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000006a0"
              }
            ],
            "repeated": 0,
            "id": 5178
          },
          {
            "timestamp": "2026-05-28 22:01:57,725",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\conhost.exe"
              }
            ],
            "repeated": 0,
            "id": 5179
          },
          {
            "timestamp": "2026-05-28 22:01:57,725",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": false,
            "return": "0xffffffffc0000033",
            "pretty_return": "OBJECT_NAME_INVALID",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\??\\c:\\windows\\system32\\conhost.exe"
              }
            ],
            "repeated": 0,
            "id": 5180
          },
          {
            "timestamp": "2026-05-28 22:01:57,725",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\imageres.dll"
              }
            ],
            "repeated": 1,
            "id": 5181
          },
          {
            "timestamp": "2026-05-28 22:01:57,725",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c38f8",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000644"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001410",
                "pretty_value": "PROCESS_VM_READ|PROCESS_QUERY_INFORMATION|PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "1260"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\System32\\svchost.exe"
              }
            ],
            "repeated": 0,
            "id": 5182
          },
          {
            "timestamp": "2026-05-28 22:01:57,725",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29254630002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\system32\\imageres.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 5183
          },
          {
            "timestamp": "2026-05-28 22:01:57,725",
            "thread_id": "5448",
            "caller": "0x7ff6c28c53e5",
            "parentcaller": "0x7ff6c28c3945",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000644"
              },
              {
                "name": "BaseAddress",
                "value": "0x93e9ee6000"
              },
              {
                "name": "Size",
                "value": "0x000007c8"
              },
              {
                "name": "Buffer",
                "value": "\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x006\\x80\\xf7\\x7f\\x00\\x00\\xc0\\xc4\\x13x\\xfc\\x7f\\x00\\x00p2\\xe0\\x8f\\xee\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xcb\\x8f\\xee\\x01\\x00\\x00\\xe0\\xc0\\x13x\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00p\\x003v\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xc6\\x8f\\xee\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00@\\xc4\\x13x\\xfc\\x7f\\x00\\x00\\xff\\xff\\xff\\xff\\x7f\\x00\\x00\\x00\\x00\\x00\\x1d\\xcd\\xf4}\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00P\\x07\\x1d\\xcd\\xf4}\\x00\\x00\\x00\\x001\\xcf\\xf5}\\x00\\x00(\\x022\\xcf\\xf5}\\x00\\x00P\\x063\\xcf\\xf5}\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x80\\x9b\\x07m\\xe8\\xff\\xff\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x00 \\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x10\\x00\\x00\\x00@\\xad\\x13x\\xfc\\x7f\\x00\\x00\\x00\\x00 \\x90\\xee\\x01\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 5184
          },
          {
            "timestamp": "2026-05-28 22:01:57,725",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "registry",
            "api": "NtOpenKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\en-US"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\en-US"
              }
            ],
            "repeated": 0,
            "id": 5185
          },
          {
            "timestamp": "2026-05-28 22:01:57,725",
            "thread_id": "5448",
            "caller": "0x7ff6c28c5414",
            "parentcaller": "0x7ff6c28c3945",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000644"
              },
              {
                "name": "BaseAddress",
                "value": "0x1ee8fe03270"
              },
              {
                "name": "Size",
                "value": "0x00000440"
              },
              {
                "name": "Buffer",
                "value": ">\\x07\\x00\\x00>\\x07\\x00\\x00\\x01 \\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00(\\x00\\x08\\x02\\x00\\x00\\x00\\x00 >\\xe0\\x8f\\xee\\x01\\x00\\x00H\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00>\\x00@\\x00\\x00\\x00\\x00\\x00\\xb88\\xe0\\x8f\\xee\\x01\\x00\\x00p\\x00r\\x00\\x00\\x00\\x00\\x00\\xf88\\xe0\\x8f\\xee\\x01\\x00\\x00\\xf0'\\xe0\\x8f\\xee\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x80\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00>\\x00@\\x00\\x00\\x00\\x00\\x00j9\\xe0\\x8f\\xee\\x01\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\xaa9\\xe0\\x8f\\xee\\x01\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\xac9\\xe0\\x8f\\xee\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 5186
          },
          {
            "timestamp": "2026-05-28 22:01:57,725",
            "thread_id": "5448",
            "caller": "0x7ff6c28c545d",
            "parentcaller": "0x7ff6c28c3945",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000644"
              },
              {
                "name": "BaseAddress",
                "value": "0x1ee8fe038f8"
              },
              {
                "name": "Size",
                "value": "0x00000070"
              },
              {
                "name": "Buffer",
                "value": "C\\x00:\\x00\\\\x00W\\x00i\\x00n\\x00d\\x00o\\x00w\\x00s\\x00\\\\x00s\\x00y\\x00s\\x00t\\x00e\\x00m\\x003\\x002\\x00\\\\x00s\\x00v\\x00c\\x00h\\x00o\\x00s\\x00t\\x00.\\x00e\\x00x\\x00e\\x00 \\x00-\\x00k\\x00 \\x00n\\x00e\\x00t\\x00s\\x00v\\x00c\\x00s\\x00 \\x00-\\x00p\\x00 \\x00-\\x00s\\x00 \\x00P\\x00r\\x00o\\x00f\\x00S\\x00v\\x00c\\x00"
              }
            ],
            "repeated": 0,
            "id": 5187
          },
          {
            "timestamp": "2026-05-28 22:01:57,725",
            "thread_id": "5448",
            "caller": "0x7ff6c28c39ad",
            "parentcaller": "0x7ff6c28c31bb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000644"
              }
            ],
            "repeated": 0,
            "id": 5188
          },
          {
            "timestamp": "2026-05-28 22:01:57,725",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c3746",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000644"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001000",
                "pretty_value": "PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "1260"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\System32\\svchost.exe"
              }
            ],
            "repeated": 0,
            "id": 5189
          },
          {
            "timestamp": "2026-05-28 22:01:57,725",
            "thread_id": "5448",
            "caller": "0x7ff6c28c472e",
            "parentcaller": "0x7ff6c28c375e",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000644"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x00000658"
              }
            ],
            "repeated": 0,
            "id": 5190
          },
          {
            "timestamp": "2026-05-28 22:01:57,725",
            "thread_id": "5448",
            "caller": "0x7ff6c28c4764",
            "parentcaller": "0x7ff6c28c375e",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "39"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 5191
          },
          {
            "timestamp": "2026-05-28 22:01:57,725",
            "thread_id": "5448",
            "caller": "0x7ff6c28c47ed",
            "parentcaller": "0x7ff6c28c375e",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "39"
              },
              {
                "name": "TokenInformation",
                "value": "\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\xa0\\xc2\\x1eT\\x92\\x02\\x00\\x00 \\x00 \\x00\\x00\\x00\\x00\\x00\\xc8\\xc2\\x1eT\\x92\\x02\\x00\\x00\\x02\\x00\\x00\\x00A\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xe8\\xc2\\x1eT\\x92\\x02\\x00\\x00T\\x00S\\x00A\\x00:\\x00/\\x00/\\x00P\\x00r\\x00o\\x00c\\x00U\\x00n\\x00i\\x00q\\x00u\\x00e\\x00\\x1c\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xa1\\xf6\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 5192
          },
          {
            "timestamp": "2026-05-28 22:01:57,725",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000006a0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100001",
                "pretty_value": "FILE_READ_ACCESS|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\en-US\\imageres.dll.mui"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 5193
          },
          {
            "timestamp": "2026-05-28 22:01:57,725",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x000006a4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x000006a0"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\en-US\\imageres.dll.mui"
              }
            ],
            "repeated": 0,
            "id": 5194
          },
          {
            "timestamp": "2026-05-28 22:01:57,725",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x000006a4"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254640000"
              },
              {
                "name": "SectionOffset",
                "value": "0xf09dffc770"
              },
              {
                "name": "ViewSize",
                "value": "0x00001000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 5195
          },
          {
            "timestamp": "2026-05-28 22:01:57,725",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000006a4"
              }
            ],
            "repeated": 0,
            "id": 5196
          },
          {
            "timestamp": "2026-05-28 22:01:57,725",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000006a4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100001",
                "pretty_value": "FILE_READ_ACCESS|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\SystemResources\\imageres.dll.mun"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 5197
          },
          {
            "timestamp": "2026-05-28 22:01:57,725",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000678"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x000006a4"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\SystemResources\\imageres.dll.mun"
              }
            ],
            "repeated": 0,
            "id": 5198
          },
          {
            "timestamp": "2026-05-28 22:01:57,725",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000678"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254650000"
              },
              {
                "name": "SectionOffset",
                "value": "0xf09dffc720"
              },
              {
                "name": "ViewSize",
                "value": "0x013c0000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 5199
          },
          {
            "timestamp": "2026-05-28 22:01:57,725",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000678"
              }
            ],
            "repeated": 0,
            "id": 5200
          },
          {
            "timestamp": "2026-05-28 22:01:57,740",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "misc",
            "api": "FindResourceExW",
            "status": true,
            "return": "0x29254672e40",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29254630002"
              },
              {
                "name": "Type",
                "value": "#14"
              },
              {
                "name": "Name",
                "value": "#15"
              },
              {
                "name": "Language",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 5201
          },
          {
            "timestamp": "2026-05-28 22:01:57,740",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "misc",
            "api": "LoadResource",
            "status": true,
            "return": "0x292546e6950",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29254630002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29254672e40"
              }
            ],
            "repeated": 0,
            "id": 5202
          },
          {
            "timestamp": "2026-05-28 22:01:57,740",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "misc",
            "api": "FindResourceExW",
            "status": true,
            "return": "0x29254668940",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29254630002"
              },
              {
                "name": "Type",
                "value": "#3"
              },
              {
                "name": "Name",
                "value": "#63"
              },
              {
                "name": "Language",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 5203
          },
          {
            "timestamp": "2026-05-28 22:01:57,740",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "misc",
            "api": "SizeofResource",
            "status": true,
            "return": "0x00000468",
            "arguments": [
              {
                "name": "ModuleHandle",
                "value": "0x29254630002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29254668940"
              }
            ],
            "repeated": 0,
            "id": 5204
          },
          {
            "timestamp": "2026-05-28 22:01:57,740",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "misc",
            "api": "LoadResource",
            "status": true,
            "return": "0x292546e64e8",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29254630002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29254668940"
              }
            ],
            "repeated": 0,
            "id": 5205
          },
          {
            "timestamp": "2026-05-28 22:01:57,740",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254650000"
              },
              {
                "name": "RegionSize",
                "value": "0x013c0000"
              }
            ],
            "repeated": 0,
            "id": 5206
          },
          {
            "timestamp": "2026-05-28 22:01:57,740",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000006a4"
              }
            ],
            "repeated": 0,
            "id": 5207
          },
          {
            "timestamp": "2026-05-28 22:01:57,740",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254640000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              }
            ],
            "repeated": 0,
            "id": 5208
          },
          {
            "timestamp": "2026-05-28 22:01:57,740",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000006a0"
              }
            ],
            "repeated": 0,
            "id": 5209
          },
          {
            "timestamp": "2026-05-28 22:01:57,740",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254630000"
              },
              {
                "name": "RegionSize",
                "value": "0x00003000"
              }
            ],
            "repeated": 0,
            "id": 5210
          },
          {
            "timestamp": "2026-05-28 22:01:57,740",
            "thread_id": "612",
            "caller": "0x7ff6c296e129",
            "parentcaller": "0x7ff6c296c7fa",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\conhost.exe"
              }
            ],
            "repeated": 0,
            "id": 5211
          },
          {
            "timestamp": "2026-05-28 22:01:57,740",
            "thread_id": "612",
            "caller": "0x7ff6c28f7900",
            "parentcaller": "0x7ff6c296c4b1",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000588"
              }
            ],
            "repeated": 0,
            "id": 5212
          },
          {
            "timestamp": "2026-05-28 22:01:57,740",
            "thread_id": "612",
            "caller": "0x7ff6c296c455",
            "parentcaller": "0x7ff6c296e63c",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000001",
                "pretty_value": "HKEY_CURRENT_USER"
              },
              {
                "name": "SubKey",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Run"
              },
              {
                "name": "Handle",
                "value": "0x00000588"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run"
              }
            ],
            "repeated": 0,
            "id": 5213
          },
          {
            "timestamp": "2026-05-28 22:01:57,740",
            "thread_id": "612",
            "caller": "0x7ff6c296c0df",
            "parentcaller": "0x7ff6c296c48a",
            "category": "registry",
            "api": "RegQueryInfoKeyW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000588"
              },
              {
                "name": "Class",
                "value": ""
              },
              {
                "name": "SubKeyCount",
                "value": "0"
              },
              {
                "name": "MaxSubKeyLength",
                "value": "0"
              },
              {
                "name": "MaxClassLength",
                "value": "0"
              },
              {
                "name": "ValueCount",
                "value": "3"
              },
              {
                "name": "MaxValueNameLength",
                "value": "0"
              },
              {
                "name": "MaxValueLength",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 5214
          },
          {
            "timestamp": "2026-05-28 22:01:57,740",
            "thread_id": "612",
            "caller": "0x7ff6c290d36c",
            "parentcaller": "0x7ff6c296c16e",
            "category": "registry",
            "api": "RegEnumValueW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000588"
              },
              {
                "name": "Index",
                "value": "0"
              },
              {
                "name": "ValueName",
                "value": "OneDrive"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "DataLength",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\OneDrive"
              }
            ],
            "repeated": 0,
            "id": 5215
          },
          {
            "timestamp": "2026-05-28 22:01:57,740",
            "thread_id": "612",
            "caller": "0x7ff6c290d20b",
            "parentcaller": "0x7ff6c296c1bd",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000588"
              },
              {
                "name": "ValueName",
                "value": "OneDrive"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\OneDrive"
              }
            ],
            "repeated": 0,
            "id": 5216
          },
          {
            "timestamp": "2026-05-28 22:01:57,740",
            "thread_id": "612",
            "caller": "0x7ff6c290d2e0",
            "parentcaller": "0x7ff6c296c1bd",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000588"
              },
              {
                "name": "ValueName",
                "value": "OneDrive"
              },
              {
                "name": "Data",
                "value": "\"C:\\Users\\admin\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\OneDrive"
              }
            ],
            "repeated": 0,
            "id": 5217
          },
          {
            "timestamp": "2026-05-28 22:01:57,740",
            "thread_id": "612",
            "caller": "0x7ff6c296abc5",
            "parentcaller": "0x7ff6c296e244",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000057c"
              },
              {
                "name": "ValueName",
                "value": "OneDrive"
              },
              {
                "name": "Data",
                "value": "\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\StartupApproved\\Run\\OneDrive"
              }
            ],
            "repeated": 0,
            "id": 5218
          },
          {
            "timestamp": "2026-05-28 22:01:57,740",
            "thread_id": "612",
            "caller": "0x7ff6c290bbeb",
            "parentcaller": "0x7ff6c296cf53",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Users\\admin\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe"
              }
            ],
            "repeated": 0,
            "id": 5219
          },
          {
            "timestamp": "2026-05-28 22:01:57,740",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x0e020002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Users\\admin\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 5220
          },
          {
            "timestamp": "2026-05-28 22:01:57,740",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x0e020000"
              },
              {
                "name": "RegionSize",
                "value": "0x00243000"
              }
            ],
            "repeated": 0,
            "id": 5221
          },
          {
            "timestamp": "2026-05-28 22:01:57,740",
            "thread_id": "612",
            "caller": "0x7ff6c28c9b37",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x0e020002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Users\\admin\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 5222
          },
          {
            "timestamp": "2026-05-28 22:01:57,740",
            "thread_id": "612",
            "caller": "0x7ff6c28c9b37",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x0e020000"
              },
              {
                "name": "RegionSize",
                "value": "0x00243000"
              }
            ],
            "repeated": 0,
            "id": 5223
          },
          {
            "timestamp": "2026-05-28 22:01:57,740",
            "thread_id": "612",
            "caller": "0x7ff6c296e129",
            "parentcaller": "0x7ff6c296d3aa",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Users\\admin\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe"
              }
            ],
            "repeated": 1,
            "id": 5224
          },
          {
            "timestamp": "2026-05-28 22:01:57,740",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x0e020002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Users\\admin\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 5225
          },
          {
            "timestamp": "2026-05-28 22:01:57,740",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x0e020000"
              },
              {
                "name": "RegionSize",
                "value": "0x00243000"
              }
            ],
            "repeated": 0,
            "id": 5226
          },
          {
            "timestamp": "2026-05-28 22:01:57,740",
            "thread_id": "612",
            "caller": "0x7ff6c28c9b37",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x0e020002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Users\\admin\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 5227
          },
          {
            "timestamp": "2026-05-28 22:01:57,740",
            "thread_id": "612",
            "caller": "0x7ff6c28c9b37",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x0e020000"
              },
              {
                "name": "RegionSize",
                "value": "0x00243000"
              }
            ],
            "repeated": 0,
            "id": 5228
          },
          {
            "timestamp": "2026-05-28 22:01:57,740",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000674"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000400",
                "pretty_value": "PROCESS_QUERY_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "7912"
              }
            ],
            "repeated": 0,
            "id": 5229
          },
          {
            "timestamp": "2026-05-28 22:01:57,740",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x00000670"
              }
            ],
            "repeated": 0,
            "id": 5230
          },
          {
            "timestamp": "2026-05-28 22:01:57,740",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xe0\\xe7\\xff\\x9d\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\xe9\\x03\\x00\\x00\\xf6\\x7f\\x00\\x00\\x0b\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\xe0\r\\xecP\\x92\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xecP\\x92\\x02\\x00\\x00H\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 5231
          },
          {
            "timestamp": "2026-05-28 22:01:57,740",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "synchronization",
            "api": "NtCreateMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000660"
              },
              {
                "name": "MutexName",
                "value": "Global\\C::Users:admin:AppData:Local:Microsoft:Windows:Explorer:iconcache_idx.db!rwReaderRefs"
              },
              {
                "name": "InitialOwner",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 5232
          },
          {
            "timestamp": "2026-05-28 22:01:57,740",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000670"
              }
            ],
            "repeated": 0,
            "id": 5233
          },
          {
            "timestamp": "2026-05-28 22:01:57,740",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000674"
              }
            ],
            "repeated": 0,
            "id": 5234
          },
          {
            "timestamp": "2026-05-28 22:01:57,740",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000005d4"
              },
              {
                "name": "HandleName",
                "value": "C:\\Users\\admin\\AppData\\Local\\Microsoft\\Windows\\Explorer\\iconcache_idx.db"
              },
              {
                "name": "FileInformationClass",
                "value": "5",
                "pretty_value": "FileStandardInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\x00\\x80\\x00\\x00\\x00\\x00\\x00\\x000r\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 5235
          },
          {
            "timestamp": "2026-05-28 22:01:57,740",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000674"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000400",
                "pretty_value": "PROCESS_QUERY_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "7912"
              }
            ],
            "repeated": 0,
            "id": 5236
          },
          {
            "timestamp": "2026-05-28 22:01:57,740",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x00000670"
              }
            ],
            "repeated": 0,
            "id": 5237
          },
          {
            "timestamp": "2026-05-28 22:01:57,740",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xa0\\xe8\\xff\\x9d\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\xe9\\x03\\x00\\x00\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x19\\xeb\\xff\\x9d\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00T\\x82*_\\xfc\\x7f\\x00\\x004\\x001\\x001\\x00e\\x008\\x00\\x00\\x00\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x000\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x18\\xea\\xff\\x9d\\xf0\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 5238
          },
          {
            "timestamp": "2026-05-28 22:01:57,740",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "synchronization",
            "api": "NtCreateMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000006a4"
              },
              {
                "name": "MutexName",
                "value": "Global\\C::Users:admin:AppData:Local:Microsoft:Windows:Explorer:iconcache_idx.db!0411e8"
              },
              {
                "name": "InitialOwner",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 5239
          },
          {
            "timestamp": "2026-05-28 22:01:57,740",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000670"
              }
            ],
            "repeated": 0,
            "id": 5240
          },
          {
            "timestamp": "2026-05-28 22:01:57,740",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000674"
              }
            ],
            "repeated": 0,
            "id": 5241
          },
          {
            "timestamp": "2026-05-28 22:01:57,740",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000620"
              },
              {
                "name": "HandleName",
                "value": "C:\\Users\\admin\\AppData\\Local\\Microsoft\\Windows\\Explorer\\iconcache_16.db"
              },
              {
                "name": "FileInformationClass",
                "value": "5",
                "pretty_value": "FileStandardInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 5242
          },
          {
            "timestamp": "2026-05-28 22:01:57,740",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000660"
              }
            ],
            "repeated": 0,
            "id": 5243
          },
          {
            "timestamp": "2026-05-28 22:01:57,740",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000660"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000400",
                "pretty_value": "PROCESS_QUERY_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "7912"
              }
            ],
            "repeated": 0,
            "id": 5244
          },
          {
            "timestamp": "2026-05-28 22:01:57,740",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x00000674"
              }
            ],
            "repeated": 0,
            "id": 5245
          },
          {
            "timestamp": "2026-05-28 22:01:57,740",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xb0\\xe8\\xff\\x9d\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\xe9\\x03\\x00\\x00\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00P\\xe9\\xff\\x9d\\xf0\\x00\\x00\\x00\\xf8\\xea\\xff\\x9d\\xf0\\x00\\x00\\x00\\xe8\\x11BT\\x92\\x02\\x00\\x000\\xe9\\xff\\x9d\\xf0\\x00\\x00\\x00\\x80\\xe9\\xff\\x9d\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xf0\\x00\\x00\\x00\\x00\\x00>T\\x92\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00u\\xc0\\x00\\x00\\x00\\x00>T\\x92\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 5246
          },
          {
            "timestamp": "2026-05-28 22:01:57,740",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "synchronization",
            "api": "NtCreateMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000670"
              },
              {
                "name": "MutexName",
                "value": "Global\\C::Users:admin:AppData:Local:Microsoft:Windows:Explorer:iconcache_idx.db!rwReaderRefs"
              },
              {
                "name": "InitialOwner",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 5247
          },
          {
            "timestamp": "2026-05-28 22:01:57,740",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000674"
              }
            ],
            "repeated": 0,
            "id": 5248
          },
          {
            "timestamp": "2026-05-28 22:01:57,740",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000660"
              }
            ],
            "repeated": 0,
            "id": 5249
          },
          {
            "timestamp": "2026-05-28 22:01:57,740",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000670"
              }
            ],
            "repeated": 0,
            "id": 5250
          },
          {
            "timestamp": "2026-05-28 22:01:57,740",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000006a4"
              }
            ],
            "repeated": 0,
            "id": 5251
          },
          {
            "timestamp": "2026-05-28 22:01:57,740",
            "thread_id": "612",
            "caller": "0x7ff6c296e129",
            "parentcaller": "0x7ff6c296c7fa",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Users\\admin\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe"
              }
            ],
            "repeated": 0,
            "id": 5252
          },
          {
            "timestamp": "2026-05-28 22:01:57,740",
            "thread_id": "612",
            "caller": "0x7ff6c290d36c",
            "parentcaller": "0x7ff6c296c16e",
            "category": "registry",
            "api": "RegEnumValueW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000588"
              },
              {
                "name": "Index",
                "value": "1"
              },
              {
                "name": "ValueName",
                "value": "Discord"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "DataLength",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\Discord"
              }
            ],
            "repeated": 0,
            "id": 5253
          },
          {
            "timestamp": "2026-05-28 22:01:57,740",
            "thread_id": "612",
            "caller": "0x7ff6c290d20b",
            "parentcaller": "0x7ff6c296c1bd",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000588"
              },
              {
                "name": "ValueName",
                "value": "Discord"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\Discord"
              }
            ],
            "repeated": 0,
            "id": 5254
          },
          {
            "timestamp": "2026-05-28 22:01:57,740",
            "thread_id": "612",
            "caller": "0x7ff6c290d2e0",
            "parentcaller": "0x7ff6c296c1bd",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000588"
              },
              {
                "name": "ValueName",
                "value": "Discord"
              },
              {
                "name": "Data",
                "value": "\"C:\\Users\\admin\\AppData\\Local\\Discord\\Update.exe\" --processStart Discord.exe"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\Discord"
              }
            ],
            "repeated": 0,
            "id": 5255
          },
          {
            "timestamp": "2026-05-28 22:01:57,740",
            "thread_id": "612",
            "caller": "0x7ff6c296abc5",
            "parentcaller": "0x7ff6c296e244",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000057c"
              },
              {
                "name": "ValueName",
                "value": "Discord"
              },
              {
                "name": "Data",
                "value": "\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\StartupApproved\\Run\\Discord"
              }
            ],
            "repeated": 0,
            "id": 5256
          },
          {
            "timestamp": "2026-05-28 22:01:57,740",
            "thread_id": "612",
            "caller": "0x7ff6c290bbeb",
            "parentcaller": "0x7ff6c296cf53",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Users\\admin\\AppData\\Local\\Discord\\Update.exe"
              }
            ],
            "repeated": 0,
            "id": 5257
          },
          {
            "timestamp": "2026-05-28 22:01:57,740",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29254630002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Users\\admin\\AppData\\Local\\Discord\\Update.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 5258
          },
          {
            "timestamp": "2026-05-28 22:01:57,740",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254630000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              }
            ],
            "repeated": 0,
            "id": 5259
          },
          {
            "timestamp": "2026-05-28 22:01:57,740",
            "thread_id": "612",
            "caller": "0x7ff6c28c9b37",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29254630002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Users\\admin\\AppData\\Local\\Discord\\Update.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 5260
          },
          {
            "timestamp": "2026-05-28 22:01:57,740",
            "thread_id": "612",
            "caller": "0x7ff6c28c9b37",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254630000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              }
            ],
            "repeated": 0,
            "id": 5261
          },
          {
            "timestamp": "2026-05-28 22:01:57,740",
            "thread_id": "612",
            "caller": "0x7ff6c296e129",
            "parentcaller": "0x7ff6c296d3aa",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Users\\admin\\AppData\\Local\\Discord\\Update.exe"
              }
            ],
            "repeated": 1,
            "id": 5262
          },
          {
            "timestamp": "2026-05-28 22:01:57,740",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c3e56",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000644"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001000",
                "pretty_value": "PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "1432"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\System32\\svchost.exe"
              }
            ],
            "repeated": 0,
            "id": 5263
          },
          {
            "timestamp": "2026-05-28 22:01:57,740",
            "thread_id": "612",
            "caller": "0x7ff6c290bbeb",
            "parentcaller": "0x7ff6c296c7b4",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x00\\x80\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 5264
          },
          {
            "timestamp": "2026-05-28 22:01:57,740",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c3ffc",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000644"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001000",
                "pretty_value": "PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "1432"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\System32\\svchost.exe"
              }
            ],
            "repeated": 0,
            "id": 5265
          },
          {
            "timestamp": "2026-05-28 22:01:57,740",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29254630002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Users\\admin\\AppData\\Local\\Discord\\Update.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 5266
          },
          {
            "timestamp": "2026-05-28 22:01:57,740",
            "thread_id": "5448",
            "caller": "0x7ff6c28c4224",
            "parentcaller": "0x7ff6c28c2da5",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000644"
              }
            ],
            "repeated": 0,
            "id": 5267
          },
          {
            "timestamp": "2026-05-28 22:01:57,740",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254630000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              }
            ],
            "repeated": 0,
            "id": 5268
          },
          {
            "timestamp": "2026-05-28 22:01:57,740",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29254630002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\System32\\svchost.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 5269
          },
          {
            "timestamp": "2026-05-28 22:01:57,740",
            "thread_id": "612",
            "caller": "0x7ff6c28c9b37",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29254640002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Users\\admin\\AppData\\Local\\Discord\\Update.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 5270
          },
          {
            "timestamp": "2026-05-28 22:01:57,740",
            "thread_id": "612",
            "caller": "0x7ff6c28c9b37",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254640000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              }
            ],
            "repeated": 0,
            "id": 5271
          },
          {
            "timestamp": "2026-05-28 22:01:57,740",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "registry",
            "api": "NtOpenKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\en-US"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\en-US"
              }
            ],
            "repeated": 0,
            "id": 5272
          },
          {
            "timestamp": "2026-05-28 22:01:57,740",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000644"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000400",
                "pretty_value": "PROCESS_QUERY_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "7912"
              }
            ],
            "repeated": 0,
            "id": 5273
          },
          {
            "timestamp": "2026-05-28 22:01:57,740",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x00000658"
              }
            ],
            "repeated": 0,
            "id": 5274
          },
          {
            "timestamp": "2026-05-28 22:01:57,740",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xe0\\xe7\\xff\\x9d\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\xe9\\x03\\x00\\x00\\xfc\\x7f\\x00\\x00`^\\xe8S\\x92\\x02\\x00\\x00`\\xee\\xff\\x9d\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00w\\x00\\x00\\x00\\x00\\x00\\x00\\x00H\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 5275
          },
          {
            "timestamp": "2026-05-28 22:01:57,740",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000658"
              }
            ],
            "repeated": 0,
            "id": 5276
          },
          {
            "timestamp": "2026-05-28 22:01:57,740",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000644"
              }
            ],
            "repeated": 0,
            "id": 5277
          },
          {
            "timestamp": "2026-05-28 22:01:57,740",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000678"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x000006a0"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\en-US\\svchost.exe.mui"
              }
            ],
            "repeated": 0,
            "id": 5278
          },
          {
            "timestamp": "2026-05-28 22:01:57,740",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000678"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254640000"
              },
              {
                "name": "SectionOffset",
                "value": "0xf09ddfcf90"
              },
              {
                "name": "ViewSize",
                "value": "0x00001000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 5279
          },
          {
            "timestamp": "2026-05-28 22:01:57,740",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000678"
              }
            ],
            "repeated": 0,
            "id": 5280
          },
          {
            "timestamp": "2026-05-28 22:01:57,740",
            "thread_id": "5448",
            "caller": "0x7ffc7803a871",
            "parentcaller": "0x7ffc756dad69",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254640000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              }
            ],
            "repeated": 0,
            "id": 5281
          },
          {
            "timestamp": "2026-05-28 22:01:57,740",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000006a0"
              }
            ],
            "repeated": 0,
            "id": 5282
          },
          {
            "timestamp": "2026-05-28 22:01:57,740",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254630000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              }
            ],
            "repeated": 0,
            "id": 5283
          },
          {
            "timestamp": "2026-05-28 22:01:57,740",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000005d4"
              },
              {
                "name": "HandleName",
                "value": "C:\\Users\\admin\\AppData\\Local\\Microsoft\\Windows\\Explorer\\iconcache_idx.db"
              },
              {
                "name": "FileInformationClass",
                "value": "5",
                "pretty_value": "FileStandardInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\x00\\x80\\x00\\x00\\x00\\x00\\x00\\x000r\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 5284
          },
          {
            "timestamp": "2026-05-28 22:01:57,740",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000006a4"
              }
            ],
            "repeated": 0,
            "id": 5285
          },
          {
            "timestamp": "2026-05-28 22:01:57,740",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29254630002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\System32\\svchost.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 5286
          },
          {
            "timestamp": "2026-05-28 22:01:57,740",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000006a4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000400",
                "pretty_value": "PROCESS_QUERY_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "7912"
              }
            ],
            "repeated": 0,
            "id": 5287
          },
          {
            "timestamp": "2026-05-28 22:01:57,740",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x00000644"
              }
            ],
            "repeated": 0,
            "id": 5288
          },
          {
            "timestamp": "2026-05-28 22:01:57,740",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xf0\\xe7\\xff\\x9d\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\xe9\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xf0\\x05\\x00\\x00\\x00\\x00\\x00\\x00 \\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x02\\x00\\x00\\x00\\x00\\x00\\x00]\\xddmu\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00j\\x05'Ou\\xc0\\x00\\x00\\x88X\\x1cT\\x92\\x02\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 5289
          },
          {
            "timestamp": "2026-05-28 22:01:57,740",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "registry",
            "api": "NtOpenKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\en-US"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\en-US"
              }
            ],
            "repeated": 0,
            "id": 5290
          },
          {
            "timestamp": "2026-05-28 22:01:57,740",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "synchronization",
            "api": "NtCreateMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000658"
              },
              {
                "name": "MutexName",
                "value": "Global\\C::Users:admin:AppData:Local:Microsoft:Windows:Explorer:iconcache_idx.db!rwReaderRefs"
              },
              {
                "name": "InitialOwner",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 5291
          },
          {
            "timestamp": "2026-05-28 22:01:57,740",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000644"
              }
            ],
            "repeated": 0,
            "id": 5292
          },
          {
            "timestamp": "2026-05-28 22:01:57,740",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000006a4"
              }
            ],
            "repeated": 0,
            "id": 5293
          },
          {
            "timestamp": "2026-05-28 22:01:57,740",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000658"
              }
            ],
            "repeated": 0,
            "id": 5294
          },
          {
            "timestamp": "2026-05-28 22:01:57,740",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Users\\admin\\AppData\\Local\\Discord\\Update.exe"
              }
            ],
            "repeated": 1,
            "id": 5295
          },
          {
            "timestamp": "2026-05-28 22:01:57,740",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29254630002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "c:\\users\\admin\\appdata\\local\\discord\\update.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 5296
          },
          {
            "timestamp": "2026-05-28 22:01:57,740",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": false,
            "return": "0xffffffffc000003a",
            "pretty_return": "OBJECT_PATH_NOT_FOUND",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100001",
                "pretty_value": "FILE_READ_ACCESS|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Users\\admin\\AppData\\Local\\SystemResources\\update.exe.mun"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 5297
          },
          {
            "timestamp": "2026-05-28 22:01:57,740",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254630000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              }
            ],
            "repeated": 0,
            "id": 5298
          },
          {
            "timestamp": "2026-05-28 22:01:57,740",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\imageres.dll"
              }
            ],
            "repeated": 1,
            "id": 5299
          },
          {
            "timestamp": "2026-05-28 22:01:57,740",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29254630002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\system32\\imageres.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 5300
          },
          {
            "timestamp": "2026-05-28 22:01:57,740",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "registry",
            "api": "NtOpenKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\en-US"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\en-US"
              }
            ],
            "repeated": 0,
            "id": 5301
          },
          {
            "timestamp": "2026-05-28 22:01:57,740",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000658"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100001",
                "pretty_value": "FILE_READ_ACCESS|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\en-US\\imageres.dll.mui"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 5302
          },
          {
            "timestamp": "2026-05-28 22:01:57,740",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000644"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000658"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\en-US\\imageres.dll.mui"
              }
            ],
            "repeated": 0,
            "id": 5303
          },
          {
            "timestamp": "2026-05-28 22:01:57,740",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000644"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254640000"
              },
              {
                "name": "SectionOffset",
                "value": "0xf09dffc770"
              },
              {
                "name": "ViewSize",
                "value": "0x00001000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 5304
          },
          {
            "timestamp": "2026-05-28 22:01:57,740",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000644"
              }
            ],
            "repeated": 0,
            "id": 5305
          },
          {
            "timestamp": "2026-05-28 22:01:57,740",
            "thread_id": "5448",
            "caller": "0x7ff6c28c05ac",
            "parentcaller": "0x7ff6c28bdc11",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000006a0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001400",
                "pretty_value": "PROCESS_QUERY_INFORMATION|PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "1520"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\System32\\svchost.exe"
              }
            ],
            "repeated": 0,
            "id": 5306
          },
          {
            "timestamp": "2026-05-28 22:01:57,740",
            "thread_id": "5448",
            "caller": "0x7ff6c28c068f",
            "parentcaller": "0x7ff6c28bdc11",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000006a0"
              }
            ],
            "repeated": 0,
            "id": 5307
          },
          {
            "timestamp": "2026-05-28 22:01:57,740",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c3e56",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000006a0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001000",
                "pretty_value": "PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "1520"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\System32\\svchost.exe"
              }
            ],
            "repeated": 0,
            "id": 5308
          },
          {
            "timestamp": "2026-05-28 22:01:57,740",
            "thread_id": "5448",
            "caller": "0x7ff6c28c3ebb",
            "parentcaller": "0x7ff6c28c2d53",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000006a0"
              }
            ],
            "repeated": 0,
            "id": 5309
          },
          {
            "timestamp": "2026-05-28 22:01:57,740",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000644"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100001",
                "pretty_value": "FILE_READ_ACCESS|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\SystemResources\\imageres.dll.mun"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 5310
          },
          {
            "timestamp": "2026-05-28 22:01:57,740",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29254650002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\System32\\svchost.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 5311
          },
          {
            "timestamp": "2026-05-28 22:01:57,740",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000670"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000644"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\SystemResources\\imageres.dll.mun"
              }
            ],
            "repeated": 0,
            "id": 5312
          },
          {
            "timestamp": "2026-05-28 22:01:57,740",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000670"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254660000"
              },
              {
                "name": "SectionOffset",
                "value": "0xf09dffc720"
              },
              {
                "name": "ViewSize",
                "value": "0x013c0000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 5313
          },
          {
            "timestamp": "2026-05-28 22:01:57,740",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000670"
              }
            ],
            "repeated": 0,
            "id": 5314
          },
          {
            "timestamp": "2026-05-28 22:01:57,740",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "misc",
            "api": "FindResourceExW",
            "status": true,
            "return": "0x29254682e40",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29254630002"
              },
              {
                "name": "Type",
                "value": "#14"
              },
              {
                "name": "Name",
                "value": "#15"
              },
              {
                "name": "Language",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 5315
          },
          {
            "timestamp": "2026-05-28 22:01:57,740",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "misc",
            "api": "LoadResource",
            "status": true,
            "return": "0x292546f6950",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29254630002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29254682e40"
              }
            ],
            "repeated": 0,
            "id": 5316
          },
          {
            "timestamp": "2026-05-28 22:01:57,740",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "misc",
            "api": "SizeofResource",
            "status": true,
            "return": "0x00000468",
            "arguments": [
              {
                "name": "ModuleHandle",
                "value": "0x29254630002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29254678940"
              }
            ],
            "repeated": 0,
            "id": 5317
          },
          {
            "timestamp": "2026-05-28 22:01:57,740",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "misc",
            "api": "LoadResource",
            "status": true,
            "return": "0x292546f64e8",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29254630002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29254678940"
              }
            ],
            "repeated": 0,
            "id": 5318
          },
          {
            "timestamp": "2026-05-28 22:01:57,740",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000006a0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100001",
                "pretty_value": "FILE_READ_ACCESS|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\en-US\\svchost.exe.mui"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 5319
          },
          {
            "timestamp": "2026-05-28 22:01:57,740",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254660000"
              },
              {
                "name": "RegionSize",
                "value": "0x013c0000"
              }
            ],
            "repeated": 0,
            "id": 5320
          },
          {
            "timestamp": "2026-05-28 22:01:57,740",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000644"
              }
            ],
            "repeated": 0,
            "id": 5321
          },
          {
            "timestamp": "2026-05-28 22:01:57,740",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254640000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              }
            ],
            "repeated": 0,
            "id": 5322
          },
          {
            "timestamp": "2026-05-28 22:01:57,740",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000658"
              }
            ],
            "repeated": 0,
            "id": 5323
          },
          {
            "timestamp": "2026-05-28 22:01:57,740",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254630000"
              },
              {
                "name": "RegionSize",
                "value": "0x00003000"
              }
            ],
            "repeated": 0,
            "id": 5324
          },
          {
            "timestamp": "2026-05-28 22:01:57,740",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x000006a4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x000006a0"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\en-US\\svchost.exe.mui"
              }
            ],
            "repeated": 0,
            "id": 5325
          },
          {
            "timestamp": "2026-05-28 22:01:57,740",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x000006a4"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254640000"
              },
              {
                "name": "SectionOffset",
                "value": "0xf09ddfcf90"
              },
              {
                "name": "ViewSize",
                "value": "0x00001000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 5326
          },
          {
            "timestamp": "2026-05-28 22:01:57,740",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000006a4"
              }
            ],
            "repeated": 0,
            "id": 5327
          },
          {
            "timestamp": "2026-05-28 22:01:57,740",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254640000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              }
            ],
            "repeated": 0,
            "id": 5328
          },
          {
            "timestamp": "2026-05-28 22:01:57,740",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000006a0"
              }
            ],
            "repeated": 0,
            "id": 5329
          },
          {
            "timestamp": "2026-05-28 22:01:57,740",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254650000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              }
            ],
            "repeated": 0,
            "id": 5330
          },
          {
            "timestamp": "2026-05-28 22:01:57,740",
            "thread_id": "612",
            "caller": "0x7ff6c296e129",
            "parentcaller": "0x7ff6c296c7fa",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Users\\admin\\AppData\\Local\\Discord\\Update.exe"
              }
            ],
            "repeated": 0,
            "id": 5331
          },
          {
            "timestamp": "2026-05-28 22:01:57,740",
            "thread_id": "612",
            "caller": "0x7ff6c290bbeb",
            "parentcaller": "0x7ff6c296c7b4",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Users\\admin\\AppData\\Local\\Discord\\app-1.0.9238\\Discord.exe"
              }
            ],
            "repeated": 0,
            "id": 5332
          },
          {
            "timestamp": "2026-05-28 22:01:57,740",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x000006a4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x000006a0"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\en-US\\svchost.exe.mui"
              }
            ],
            "repeated": 0,
            "id": 5333
          },
          {
            "timestamp": "2026-05-28 22:01:57,740",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254640000"
              },
              {
                "name": "RegionSize",
                "value": "0x0be3b000"
              }
            ],
            "repeated": 0,
            "id": 5334
          },
          {
            "timestamp": "2026-05-28 22:01:57,740",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x000006a4"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254640000"
              },
              {
                "name": "SectionOffset",
                "value": "0xf09ddfcf80"
              },
              {
                "name": "ViewSize",
                "value": "0x00001000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 5335
          },
          {
            "timestamp": "2026-05-28 22:01:57,740",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000006a4"
              }
            ],
            "repeated": 0,
            "id": 5336
          },
          {
            "timestamp": "2026-05-28 22:01:57,740",
            "thread_id": "612",
            "caller": "0x7ff6c28c9b37",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29254650002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Users\\admin\\AppData\\Local\\Discord\\app-1.0.9238\\Discord.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 5337
          },
          {
            "timestamp": "2026-05-28 22:01:57,740",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254640000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              }
            ],
            "repeated": 0,
            "id": 5338
          },
          {
            "timestamp": "2026-05-28 22:01:57,740",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000006a0"
              }
            ],
            "repeated": 0,
            "id": 5339
          },
          {
            "timestamp": "2026-05-28 22:01:57,740",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254630000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              }
            ],
            "repeated": 0,
            "id": 5340
          },
          {
            "timestamp": "2026-05-28 22:01:57,740",
            "thread_id": "612",
            "caller": "0x7ff6c28c9b37",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254650000"
              },
              {
                "name": "RegionSize",
                "value": "0x0be3b000"
              }
            ],
            "repeated": 0,
            "id": 5341
          },
          {
            "timestamp": "2026-05-28 22:01:57,740",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000658"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000400",
                "pretty_value": "PROCESS_QUERY_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "7912"
              }
            ],
            "repeated": 0,
            "id": 5342
          },
          {
            "timestamp": "2026-05-28 22:01:57,740",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x00000644"
              }
            ],
            "repeated": 0,
            "id": 5343
          },
          {
            "timestamp": "2026-05-28 22:01:57,740",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xe0\\xe7\\xff\\x9d\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\xe9\\x03\\x00\\x00\\xf6\\x7f\\x00\\x00\\x0b\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\xe0\r\\xecP\\x92\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xecP\\x92\\x02\\x00\\x00H\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 5344
          },
          {
            "timestamp": "2026-05-28 22:01:57,740",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "synchronization",
            "api": "NtCreateMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000670"
              },
              {
                "name": "MutexName",
                "value": "Global\\C::Users:admin:AppData:Local:Microsoft:Windows:Explorer:iconcache_idx.db!rwReaderRefs"
              },
              {
                "name": "InitialOwner",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 5345
          },
          {
            "timestamp": "2026-05-28 22:01:57,740",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000644"
              }
            ],
            "repeated": 0,
            "id": 5346
          },
          {
            "timestamp": "2026-05-28 22:01:57,740",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000658"
              }
            ],
            "repeated": 0,
            "id": 5347
          },
          {
            "timestamp": "2026-05-28 22:01:57,740",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000005d4"
              },
              {
                "name": "HandleName",
                "value": "C:\\Users\\admin\\AppData\\Local\\Microsoft\\Windows\\Explorer\\iconcache_idx.db"
              },
              {
                "name": "FileInformationClass",
                "value": "5",
                "pretty_value": "FileStandardInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\x00\\x80\\x00\\x00\\x00\\x00\\x00\\x000r\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 5348
          },
          {
            "timestamp": "2026-05-28 22:01:57,740",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000678"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000400",
                "pretty_value": "PROCESS_QUERY_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "7912"
              }
            ],
            "repeated": 0,
            "id": 5349
          },
          {
            "timestamp": "2026-05-28 22:01:57,740",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x000006a8"
              }
            ],
            "repeated": 0,
            "id": 5350
          },
          {
            "timestamp": "2026-05-28 22:01:57,740",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xa0\\xe8\\xff\\x9d\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\xe9\\x03\\x00\\x00\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x19\\xeb\\xff\\x9d\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00T\\x82*_\\xfc\\x7f\\x00\\x004\\x002\\x000\\x00b\\x008\\x00\\x00\\x00\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x000\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x18\\xea\\xff\\x9d\\xf0\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 5351
          },
          {
            "timestamp": "2026-05-28 22:01:57,756",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "synchronization",
            "api": "NtCreateMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000658"
              },
              {
                "name": "MutexName",
                "value": "Global\\C::Users:admin:AppData:Local:Microsoft:Windows:Explorer:iconcache_idx.db!0420b8"
              },
              {
                "name": "InitialOwner",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 5352
          },
          {
            "timestamp": "2026-05-28 22:01:57,756",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000006a8"
              }
            ],
            "repeated": 0,
            "id": 5353
          },
          {
            "timestamp": "2026-05-28 22:01:57,756",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000678"
              }
            ],
            "repeated": 0,
            "id": 5354
          },
          {
            "timestamp": "2026-05-28 22:01:57,756",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000620"
              },
              {
                "name": "HandleName",
                "value": "C:\\Users\\admin\\AppData\\Local\\Microsoft\\Windows\\Explorer\\iconcache_16.db"
              },
              {
                "name": "FileInformationClass",
                "value": "5",
                "pretty_value": "FileStandardInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 5355
          },
          {
            "timestamp": "2026-05-28 22:01:57,756",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000670"
              }
            ],
            "repeated": 0,
            "id": 5356
          },
          {
            "timestamp": "2026-05-28 22:01:57,756",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000670"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000400",
                "pretty_value": "PROCESS_QUERY_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "7912"
              }
            ],
            "repeated": 0,
            "id": 5357
          },
          {
            "timestamp": "2026-05-28 22:01:57,756",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x00000678"
              }
            ],
            "repeated": 0,
            "id": 5358
          },
          {
            "timestamp": "2026-05-28 22:01:57,756",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xb0\\xe8\\xff\\x9d\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\xe9\\x03\\x00\\x00\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00P\\xe9\\xff\\x9d\\xf0\\x00\\x00\\x00\\xf8\\xea\\xff\\x9d\\xf0\\x00\\x00\\x00\\xb8 BT\\x92\\x02\\x00\\x000\\xe9\\xff\\x9d\\xf0\\x00\\x00\\x00\\x80\\xe9\\xff\\x9d\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xf0\\x00\\x00\\x00\\x00\\x00>T\\x92\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00u\\xc0\\x00\\x00\\x00\\x00>T\\x92\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 5359
          },
          {
            "timestamp": "2026-05-28 22:01:57,756",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "synchronization",
            "api": "NtCreateMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000006a8"
              },
              {
                "name": "MutexName",
                "value": "Global\\C::Users:admin:AppData:Local:Microsoft:Windows:Explorer:iconcache_idx.db!rwReaderRefs"
              },
              {
                "name": "InitialOwner",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 5360
          },
          {
            "timestamp": "2026-05-28 22:01:57,756",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000678"
              }
            ],
            "repeated": 0,
            "id": 5361
          },
          {
            "timestamp": "2026-05-28 22:01:57,756",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000670"
              }
            ],
            "repeated": 0,
            "id": 5362
          },
          {
            "timestamp": "2026-05-28 22:01:57,756",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000006a8"
              }
            ],
            "repeated": 0,
            "id": 5363
          },
          {
            "timestamp": "2026-05-28 22:01:57,756",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000658"
              }
            ],
            "repeated": 0,
            "id": 5364
          },
          {
            "timestamp": "2026-05-28 22:01:57,756",
            "thread_id": "612",
            "caller": "0x7ff6c296e129",
            "parentcaller": "0x7ff6c296c7fa",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Users\\admin\\AppData\\Local\\Discord\\app-1.0.9238\\Discord.exe"
              }
            ],
            "repeated": 0,
            "id": 5365
          },
          {
            "timestamp": "2026-05-28 22:01:57,756",
            "thread_id": "612",
            "caller": "0x7ff6c290bbeb",
            "parentcaller": "0x7ff6c296c7b4",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\reg.exe"
              }
            ],
            "repeated": 0,
            "id": 5366
          },
          {
            "timestamp": "2026-05-28 22:01:57,756",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29254630002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\System32\\reg.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 5367
          },
          {
            "timestamp": "2026-05-28 22:01:57,756",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "registry",
            "api": "NtOpenKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\en-US"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\en-US"
              }
            ],
            "repeated": 0,
            "id": 5368
          },
          {
            "timestamp": "2026-05-28 22:01:57,756",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000658"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100001",
                "pretty_value": "FILE_READ_ACCESS|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\en-US\\reg.exe.mui"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 5369
          },
          {
            "timestamp": "2026-05-28 22:01:57,756",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x000006a8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000658"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\en-US\\reg.exe.mui"
              }
            ],
            "repeated": 0,
            "id": 5370
          },
          {
            "timestamp": "2026-05-28 22:01:57,756",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x000006a8"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254690000"
              },
              {
                "name": "SectionOffset",
                "value": "0xf09dffde00"
              },
              {
                "name": "ViewSize",
                "value": "0x0000a000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 5371
          },
          {
            "timestamp": "2026-05-28 22:01:57,756",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000006a8"
              }
            ],
            "repeated": 0,
            "id": 5372
          },
          {
            "timestamp": "2026-05-28 22:01:57,756",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254690000"
              },
              {
                "name": "RegionSize",
                "value": "0x0000a000"
              }
            ],
            "repeated": 0,
            "id": 5373
          },
          {
            "timestamp": "2026-05-28 22:01:57,756",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000658"
              }
            ],
            "repeated": 0,
            "id": 5374
          },
          {
            "timestamp": "2026-05-28 22:01:57,756",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254630000"
              },
              {
                "name": "RegionSize",
                "value": "0x00057000"
              }
            ],
            "repeated": 0,
            "id": 5375
          },
          {
            "timestamp": "2026-05-28 22:01:57,756",
            "thread_id": "612",
            "caller": "0x7ff6c28c9b37",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29254630002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\System32\\reg.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 5376
          },
          {
            "timestamp": "2026-05-28 22:01:57,756",
            "thread_id": "612",
            "caller": "0x7ff6c28c9b37",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "registry",
            "api": "NtOpenKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\en-US"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\en-US"
              }
            ],
            "repeated": 0,
            "id": 5377
          },
          {
            "timestamp": "2026-05-28 22:01:57,756",
            "thread_id": "612",
            "caller": "0x7ff6c28c9b37",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000658"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100001",
                "pretty_value": "FILE_READ_ACCESS|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\en-US\\reg.exe.mui"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 5378
          },
          {
            "timestamp": "2026-05-28 22:01:57,756",
            "thread_id": "612",
            "caller": "0x7ff6c28c9b37",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x000006ac"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000658"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\en-US\\reg.exe.mui"
              }
            ],
            "repeated": 0,
            "id": 5379
          },
          {
            "timestamp": "2026-05-28 22:01:57,756",
            "thread_id": "612",
            "caller": "0x7ff6c28c9b37",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x000006ac"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254690000"
              },
              {
                "name": "SectionOffset",
                "value": "0xf09dffddf0"
              },
              {
                "name": "ViewSize",
                "value": "0x0000a000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 5380
          },
          {
            "timestamp": "2026-05-28 22:01:57,756",
            "thread_id": "612",
            "caller": "0x7ff6c28c9b37",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000006ac"
              }
            ],
            "repeated": 0,
            "id": 5381
          },
          {
            "timestamp": "2026-05-28 22:01:57,756",
            "thread_id": "612",
            "caller": "0x7ff6c28c9b37",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254690000"
              },
              {
                "name": "RegionSize",
                "value": "0x0000a000"
              }
            ],
            "repeated": 0,
            "id": 5382
          },
          {
            "timestamp": "2026-05-28 22:01:57,756",
            "thread_id": "612",
            "caller": "0x7ff6c28c9b37",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000658"
              }
            ],
            "repeated": 0,
            "id": 5383
          },
          {
            "timestamp": "2026-05-28 22:01:57,756",
            "thread_id": "612",
            "caller": "0x7ff6c28c9b37",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254630000"
              },
              {
                "name": "RegionSize",
                "value": "0x00057000"
              }
            ],
            "repeated": 0,
            "id": 5384
          },
          {
            "timestamp": "2026-05-28 22:01:57,756",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000658"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000400",
                "pretty_value": "PROCESS_QUERY_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "7912"
              }
            ],
            "repeated": 0,
            "id": 5385
          },
          {
            "timestamp": "2026-05-28 22:01:57,756",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x000006ac"
              }
            ],
            "repeated": 0,
            "id": 5386
          },
          {
            "timestamp": "2026-05-28 22:01:57,756",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xe0\\xe7\\xff\\x9d\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\xe9\\x03\\x00\\x00\\xfc\\x7f\\x00\\x00`^\\xe8S\\x92\\x02\\x00\\x00`\\xee\\xff\\x9d\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00x\\x00\\x00\\x00\\x00\\x00\\x00\\x00H\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 5387
          },
          {
            "timestamp": "2026-05-28 22:01:57,756",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "synchronization",
            "api": "NtCreateMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000006b0"
              },
              {
                "name": "MutexName",
                "value": "Global\\C::Users:admin:AppData:Local:Microsoft:Windows:Explorer:iconcache_idx.db!rwReaderRefs"
              },
              {
                "name": "InitialOwner",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 5388
          },
          {
            "timestamp": "2026-05-28 22:01:57,756",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000006ac"
              }
            ],
            "repeated": 0,
            "id": 5389
          },
          {
            "timestamp": "2026-05-28 22:01:57,756",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000658"
              }
            ],
            "repeated": 0,
            "id": 5390
          },
          {
            "timestamp": "2026-05-28 22:01:57,756",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000005d4"
              },
              {
                "name": "HandleName",
                "value": "C:\\Users\\admin\\AppData\\Local\\Microsoft\\Windows\\Explorer\\iconcache_idx.db"
              },
              {
                "name": "FileInformationClass",
                "value": "5",
                "pretty_value": "FileStandardInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\x00\\x80\\x00\\x00\\x00\\x00\\x00\\x000r\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 5391
          },
          {
            "timestamp": "2026-05-28 22:01:57,756",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000006b0"
              }
            ],
            "repeated": 0,
            "id": 5392
          },
          {
            "timestamp": "2026-05-28 22:01:57,756",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000006b0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000400",
                "pretty_value": "PROCESS_QUERY_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "7912"
              }
            ],
            "repeated": 0,
            "id": 5393
          },
          {
            "timestamp": "2026-05-28 22:01:57,756",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x00000658"
              }
            ],
            "repeated": 0,
            "id": 5394
          },
          {
            "timestamp": "2026-05-28 22:01:57,756",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xf0\\xe7\\xff\\x9d\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\xe9\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xf0\\x05\\x00\\x00\\x00\\x00\\x00\\x00 \\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x02\\x00\\x00\\x00\\x00\\x00\\x00]\\xddmu\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00j\\x05'Ou\\xc0\\x00\\x00\\x88X\\x1cT\\x92\\x02\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 5395
          },
          {
            "timestamp": "2026-05-28 22:01:57,756",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "synchronization",
            "api": "NtCreateMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000006ac"
              },
              {
                "name": "MutexName",
                "value": "Global\\C::Users:admin:AppData:Local:Microsoft:Windows:Explorer:iconcache_idx.db!rwReaderRefs"
              },
              {
                "name": "InitialOwner",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 5396
          },
          {
            "timestamp": "2026-05-28 22:01:57,756",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000658"
              }
            ],
            "repeated": 0,
            "id": 5397
          },
          {
            "timestamp": "2026-05-28 22:01:57,756",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000006b0"
              }
            ],
            "repeated": 0,
            "id": 5398
          },
          {
            "timestamp": "2026-05-28 22:01:57,756",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000006ac"
              }
            ],
            "repeated": 0,
            "id": 5399
          },
          {
            "timestamp": "2026-05-28 22:01:57,756",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\reg.exe"
              }
            ],
            "repeated": 1,
            "id": 5400
          },
          {
            "timestamp": "2026-05-28 22:01:57,756",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29254630002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "c:\\windows\\system32\\reg.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 5401
          },
          {
            "timestamp": "2026-05-28 22:01:57,756",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100001",
                "pretty_value": "FILE_READ_ACCESS|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\SystemResources\\reg.exe.mun"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 5402
          },
          {
            "timestamp": "2026-05-28 22:01:57,756",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254630000"
              },
              {
                "name": "RegionSize",
                "value": "0x00057000"
              }
            ],
            "repeated": 0,
            "id": 5403
          },
          {
            "timestamp": "2026-05-28 22:01:57,756",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\imageres.dll"
              }
            ],
            "repeated": 1,
            "id": 5404
          },
          {
            "timestamp": "2026-05-28 22:01:57,756",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29254630002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\system32\\imageres.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 5405
          },
          {
            "timestamp": "2026-05-28 22:01:57,756",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "registry",
            "api": "NtOpenKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\en-US"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\en-US"
              }
            ],
            "repeated": 0,
            "id": 5406
          },
          {
            "timestamp": "2026-05-28 22:01:57,756",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000006ac"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100001",
                "pretty_value": "FILE_READ_ACCESS|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\en-US\\imageres.dll.mui"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 5407
          },
          {
            "timestamp": "2026-05-28 22:01:57,756",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x000006b0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x000006ac"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\en-US\\imageres.dll.mui"
              }
            ],
            "repeated": 0,
            "id": 5408
          },
          {
            "timestamp": "2026-05-28 22:01:57,756",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x000006b0"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254640000"
              },
              {
                "name": "SectionOffset",
                "value": "0xf09dffc770"
              },
              {
                "name": "ViewSize",
                "value": "0x00001000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 5409
          },
          {
            "timestamp": "2026-05-28 22:01:57,756",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000006b0"
              }
            ],
            "repeated": 0,
            "id": 5410
          },
          {
            "timestamp": "2026-05-28 22:01:57,756",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000006b0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100001",
                "pretty_value": "FILE_READ_ACCESS|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\SystemResources\\imageres.dll.mun"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 5411
          },
          {
            "timestamp": "2026-05-28 22:01:57,756",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000658"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x000006b0"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\SystemResources\\imageres.dll.mun"
              }
            ],
            "repeated": 0,
            "id": 5412
          },
          {
            "timestamp": "2026-05-28 22:01:57,756",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000658"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254650000"
              },
              {
                "name": "SectionOffset",
                "value": "0xf09dffc720"
              },
              {
                "name": "ViewSize",
                "value": "0x013c0000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 5413
          },
          {
            "timestamp": "2026-05-28 22:01:57,756",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000658"
              }
            ],
            "repeated": 0,
            "id": 5414
          },
          {
            "timestamp": "2026-05-28 22:01:57,756",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "misc",
            "api": "FindResourceExW",
            "status": true,
            "return": "0x29254672e40",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29254630002"
              },
              {
                "name": "Type",
                "value": "#14"
              },
              {
                "name": "Name",
                "value": "#15"
              },
              {
                "name": "Language",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 5415
          },
          {
            "timestamp": "2026-05-28 22:01:57,756",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "misc",
            "api": "LoadResource",
            "status": true,
            "return": "0x292546e6950",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29254630002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29254672e40"
              }
            ],
            "repeated": 0,
            "id": 5416
          },
          {
            "timestamp": "2026-05-28 22:01:57,756",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "misc",
            "api": "FindResourceExW",
            "status": true,
            "return": "0x29254668940",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29254630002"
              },
              {
                "name": "Type",
                "value": "#3"
              },
              {
                "name": "Name",
                "value": "#63"
              },
              {
                "name": "Language",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 5417
          },
          {
            "timestamp": "2026-05-28 22:01:57,756",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "misc",
            "api": "SizeofResource",
            "status": true,
            "return": "0x00000468",
            "arguments": [
              {
                "name": "ModuleHandle",
                "value": "0x29254630002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29254668940"
              }
            ],
            "repeated": 0,
            "id": 5418
          },
          {
            "timestamp": "2026-05-28 22:01:57,756",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "misc",
            "api": "LoadResource",
            "status": true,
            "return": "0x292546e64e8",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29254630002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29254668940"
              }
            ],
            "repeated": 0,
            "id": 5419
          },
          {
            "timestamp": "2026-05-28 22:01:57,756",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254650000"
              },
              {
                "name": "RegionSize",
                "value": "0x013c0000"
              }
            ],
            "repeated": 0,
            "id": 5420
          },
          {
            "timestamp": "2026-05-28 22:01:57,756",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000006b0"
              }
            ],
            "repeated": 0,
            "id": 5421
          },
          {
            "timestamp": "2026-05-28 22:01:57,756",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254640000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              }
            ],
            "repeated": 0,
            "id": 5422
          },
          {
            "timestamp": "2026-05-28 22:01:57,756",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000006ac"
              }
            ],
            "repeated": 0,
            "id": 5423
          },
          {
            "timestamp": "2026-05-28 22:01:57,756",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254630000"
              },
              {
                "name": "RegionSize",
                "value": "0x00003000"
              }
            ],
            "repeated": 0,
            "id": 5424
          },
          {
            "timestamp": "2026-05-28 22:01:57,756",
            "thread_id": "612",
            "caller": "0x7ff6c296e129",
            "parentcaller": "0x7ff6c296c7fa",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\reg.exe"
              }
            ],
            "repeated": 0,
            "id": 5425
          },
          {
            "timestamp": "2026-05-28 22:01:57,756",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": false,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "\\??\\C:\\Windows\\system32\\conhost.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 5426
          },
          {
            "timestamp": "2026-05-28 22:01:57,756",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000006a8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\conhost.exe"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "1",
                "pretty_value": "FILE_SHARE_READ"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000080",
                "pretty_value": "FILE_ATTRIBUTE_NORMAL"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 5427
          },
          {
            "timestamp": "2026-05-28 22:01:57,756",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000006a8"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\System32\\conhost.exe"
              },
              {
                "name": "FileInformationClass",
                "value": "5",
                "pretty_value": "FileStandardInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\x00@\r\\x00\\x00\\x00\\x00\\x00\\x00<\r\\x00\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 5428
          },
          {
            "timestamp": "2026-05-28 22:01:57,756",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "filesystem",
            "api": "NtSetInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000006a8"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\System32\\conhost.exe"
              },
              {
                "name": "FileInformationClass",
                "value": "14",
                "pretty_value": "FilePositionInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 5429
          },
          {
            "timestamp": "2026-05-28 22:01:57,756",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "filesystem",
            "api": "NtReadFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000006a8"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\System32\\conhost.exe"
              },
              {
                "name": "Buffer",
                "value": "MZ"
              },
              {
                "name": "Length",
                "value": "2"
              }
            ],
            "repeated": 0,
            "id": 5430
          },
          {
            "timestamp": "2026-05-28 22:01:57,756",
            "thread_id": "5448",
            "caller": "0x7ff6c28c53e5",
            "parentcaller": "0x7ff6c28c3945",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000006a0"
              },
              {
                "name": "BaseAddress",
                "value": "0x8c7fd01000"
              },
              {
                "name": "Size",
                "value": "0x000007c8"
              },
              {
                "name": "Buffer",
                "value": "\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x006\\x80\\xf7\\x7f\\x00\\x00\\xc0\\xc4\\x13x\\xfc\\x7f\\x00\\x00\\xf02\\xa0\\xffE\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x8e\\xffE\\x02\\x00\\x00\\xe0\\xc0\\x13x\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00p\\x003v\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x89\\xffE\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00@\\xc4\\x13x\\xfc\\x7f\\x00\\x00\\xff\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00k\\xc0\\xf4}\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00P\\x07k\\xc0\\xf4}\\x00\\x00\\x00\\x00\\x7f\\xc2\\xf5}\\x00\\x00(\\x02\\x80\\xc2\\xf5}\\x00\\x00P\\x06\\x81\\xc2\\xf5}\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x80\\x9b\\x07m\\xe8\\xff\\xff\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x00 \\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x10\\x00\\x00\\x00@\\xad\\x13x\\xfc\\x7f\\x00\\x00\\x00\\x00\\xe0\\xffE\\x02\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 5431
          },
          {
            "timestamp": "2026-05-28 22:01:57,756",
            "thread_id": "5448",
            "caller": "0x7ff6c28c5414",
            "parentcaller": "0x7ff6c28c3945",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000006a0"
              },
              {
                "name": "BaseAddress",
                "value": "0x245ffa032f0"
              },
              {
                "name": "Size",
                "value": "0x00000440"
              },
              {
                "name": "Buffer",
                "value": "d\\x07\\x00\\x00d\\x07\\x00\\x00\\x01 \\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00(\\x00\\x08\\x02\\x00\\x00\\x00\\x00\\xd0>\\xa0\\xffE\\x02\\x00\\x00H\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00>\\x00@\\x00\\x00\\x00\\x00\\x0089\\xa0\\xffE\\x02\\x00\\x00\\x96\\x00\\x98\\x00\\x00\\x00\\x00\\x00x9\\xa0\\xffE\\x02\\x00\\x00\\xf0'\\xa0\\xffE\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x80\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00>\\x00@\\x00\\x00\\x00\\x00\\x00\\x10:\\xa0\\xffE\\x02\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00P:\\xa0\\xffE\\x02\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00R:\\xa0\\xffE\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 5432
          },
          {
            "timestamp": "2026-05-28 22:01:57,756",
            "thread_id": "5448",
            "caller": "0x7ff6c28c545d",
            "parentcaller": "0x7ff6c28c3945",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000006a0"
              },
              {
                "name": "BaseAddress",
                "value": "0x245ffa03978"
              },
              {
                "name": "Size",
                "value": "0x00000096"
              },
              {
                "name": "Buffer",
                "value": "C\\x00:\\x00\\\\x00W\\x00i\\x00n\\x00d\\x00o\\x00w\\x00s\\x00\\\\x00s\\x00y\\x00s\\x00t\\x00e\\x00m\\x003\\x002\\x00\\\\x00s\\x00v\\x00c\\x00h\\x00o\\x00s\\x00t\\x00.\\x00e\\x00x\\x00e\\x00 \\x00-\\x00k\\x00 \\x00L\\x00o\\x00c\\x00a\\x00l\\x00S\\x00e\\x00r\\x00v\\x00i\\x00c\\x00e\\x00N\\x00e\\x00t\\x00w\\x00o\\x00r\\x00k\\x00R\\x00e\\x00s\\x00t\\x00r\\x00i\\x00c\\x00t\\x00e\\x00d\\x00 \\x00-\\x00p\\x00 \\x00-\\x00s\\x00 \\x00D\\x00h\\x00c\\x00p\\x00"
              }
            ],
            "repeated": 0,
            "id": 5433
          },
          {
            "timestamp": "2026-05-28 22:01:57,756",
            "thread_id": "5448",
            "caller": "0x7ff6c28c39ad",
            "parentcaller": "0x7ff6c28c31bb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000006a0"
              }
            ],
            "repeated": 0,
            "id": 5434
          },
          {
            "timestamp": "2026-05-28 22:01:57,756",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c3746",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000006a0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001000",
                "pretty_value": "PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "1520"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\System32\\svchost.exe"
              }
            ],
            "repeated": 0,
            "id": 5435
          },
          {
            "timestamp": "2026-05-28 22:01:57,756",
            "thread_id": "5448",
            "caller": "0x7ff6c28c472e",
            "parentcaller": "0x7ff6c28c375e",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000006a0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x000006a4"
              }
            ],
            "repeated": 0,
            "id": 5436
          },
          {
            "timestamp": "2026-05-28 22:01:57,756",
            "thread_id": "5448",
            "caller": "0x7ff6c28c4764",
            "parentcaller": "0x7ff6c28c375e",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "39"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 5437
          },
          {
            "timestamp": "2026-05-28 22:01:57,756",
            "thread_id": "5448",
            "caller": "0x7ff6c28c47ed",
            "parentcaller": "0x7ff6c28c375e",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "39"
              },
              {
                "name": "TokenInformation",
                "value": "\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x000\\xdd\\x1eT\\x92\\x02\\x00\\x00 \\x00 \\x00\\x00\\x00\\x00\\x00X\\xdd\\x1eT\\x92\\x02\\x00\\x00\\x02\\x00\\x00\\x00A\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00x\\xdd\\x1eT\\x92\\x02\\x00\\x00T\\x00S\\x00A\\x00:\\x00/\\x00/\\x00P\\x00r\\x00o\\x00c\\x00U\\x00n\\x00i\\x00q\\x00u\\x00e\\x00 \\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xbd\\x0e\\x01\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 5438
          },
          {
            "timestamp": "2026-05-28 22:01:57,756",
            "thread_id": "5448",
            "caller": "0x7ff6c28c488d",
            "parentcaller": "0x7ff6c28c375e",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000006a4"
              }
            ],
            "repeated": 0,
            "id": 5439
          },
          {
            "timestamp": "2026-05-28 22:01:57,756",
            "thread_id": "5448",
            "caller": "0x7ff6c28c3779",
            "parentcaller": "0x7ff6c28c31c6",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000006a0"
              }
            ],
            "repeated": 0,
            "id": 5440
          },
          {
            "timestamp": "2026-05-28 22:01:57,756",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "filesystem",
            "api": "NtSetInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000006a8"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\System32\\conhost.exe"
              },
              {
                "name": "FileInformationClass",
                "value": "14",
                "pretty_value": "FilePositionInformation"
              },
              {
                "name": "FileInformation",
                "value": "<\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 5441
          },
          {
            "timestamp": "2026-05-28 22:01:57,756",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "filesystem",
            "api": "NtReadFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000006a8"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\System32\\conhost.exe"
              },
              {
                "name": "Buffer",
                "value": "\\xf0\\x00\\x00\\x00"
              },
              {
                "name": "Length",
                "value": "4"
              }
            ],
            "repeated": 0,
            "id": 5442
          },
          {
            "timestamp": "2026-05-28 22:01:57,756",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "filesystem",
            "api": "NtSetInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000006a8"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\System32\\conhost.exe"
              },
              {
                "name": "FileInformationClass",
                "value": "14",
                "pretty_value": "FilePositionInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 5443
          },
          {
            "timestamp": "2026-05-28 22:01:57,756",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "filesystem",
            "api": "NtReadFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000006a8"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\System32\\conhost.exe"
              },
              {
                "name": "Buffer",
                "value": "PE\\x00\\x00d\\x86\\x07\\x00\\xdc6\\xe4/\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xf0\\x00\"\\x00\\x0b\\x02\\x0e\\x14\\x00\\xa2\t\\x00\\x00\\xcc\\x03\\x00\\x00\\x00\\x00\\x00P\\xf7\\x01\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00@\\x01\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x02\\x00\\x00"
              },
              {
                "name": "Length",
                "value": "64"
              }
            ],
            "repeated": 0,
            "id": 5444
          },
          {
            "timestamp": "2026-05-28 22:01:57,756",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000006a8"
              }
            ],
            "repeated": 0,
            "id": 5445
          },
          {
            "timestamp": "2026-05-28 22:01:57,756",
            "thread_id": "5448",
            "caller": "0x7ff6c28c05ac",
            "parentcaller": "0x7ff6c28bdc11",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000006a0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001400",
                "pretty_value": "PROCESS_QUERY_INFORMATION|PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "1620"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\System32\\svchost.exe"
              }
            ],
            "repeated": 0,
            "id": 5446
          },
          {
            "timestamp": "2026-05-28 22:01:57,756",
            "thread_id": "5448",
            "caller": "0x7ff6c28c068f",
            "parentcaller": "0x7ff6c28bdc11",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000006a0"
              }
            ],
            "repeated": 0,
            "id": 5447
          },
          {
            "timestamp": "2026-05-28 22:01:57,756",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c3e56",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000006a0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001000",
                "pretty_value": "PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "1620"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\System32\\svchost.exe"
              }
            ],
            "repeated": 0,
            "id": 5448
          },
          {
            "timestamp": "2026-05-28 22:01:57,756",
            "thread_id": "5448",
            "caller": "0x7ff6c28c3ebb",
            "parentcaller": "0x7ff6c28c2d53",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000006a0"
              }
            ],
            "repeated": 0,
            "id": 5449
          },
          {
            "timestamp": "2026-05-28 22:01:57,756",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c3ffc",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000006a0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001000",
                "pretty_value": "PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "1620"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\System32\\svchost.exe"
              }
            ],
            "repeated": 0,
            "id": 5450
          },
          {
            "timestamp": "2026-05-28 22:01:57,756",
            "thread_id": "5448",
            "caller": "0x7ff6c28c4224",
            "parentcaller": "0x7ff6c28c2da5",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000006a0"
              }
            ],
            "repeated": 0,
            "id": 5451
          },
          {
            "timestamp": "2026-05-28 22:01:57,756",
            "thread_id": "612",
            "caller": "0x7ff6c296e129",
            "parentcaller": "0x7ff6c296c7fa",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\conhost.exe"
              }
            ],
            "repeated": 0,
            "id": 5452
          },
          {
            "timestamp": "2026-05-28 22:01:57,756",
            "thread_id": "612",
            "caller": "0x7ff6c290bbeb",
            "parentcaller": "0x7ff6c296c7b4",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Users\\admin\\AppData\\Local\\Discord\\app-1.0.9238\\Discord.exe"
              }
            ],
            "repeated": 0,
            "id": 5453
          },
          {
            "timestamp": "2026-05-28 22:01:57,756",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000006a4"
              }
            ],
            "repeated": 0,
            "id": 5454
          },
          {
            "timestamp": "2026-05-28 22:01:57,756",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254640000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              }
            ],
            "repeated": 0,
            "id": 5455
          },
          {
            "timestamp": "2026-05-28 22:01:57,756",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000006a0"
              }
            ],
            "repeated": 0,
            "id": 5456
          },
          {
            "timestamp": "2026-05-28 22:01:57,756",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254630000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              }
            ],
            "repeated": 0,
            "id": 5457
          },
          {
            "timestamp": "2026-05-28 22:01:57,756",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29254640002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Users\\admin\\AppData\\Local\\Discord\\app-1.0.9238\\Discord.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 5458
          },
          {
            "timestamp": "2026-05-28 22:01:57,756",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29254630002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\System32\\svchost.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 5459
          },
          {
            "timestamp": "2026-05-28 22:01:57,756",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254640000"
              },
              {
                "name": "RegionSize",
                "value": "0x0be3b000"
              }
            ],
            "repeated": 0,
            "id": 5460
          },
          {
            "timestamp": "2026-05-28 22:01:57,756",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "registry",
            "api": "NtOpenKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\en-US"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\en-US"
              }
            ],
            "repeated": 0,
            "id": 5461
          },
          {
            "timestamp": "2026-05-28 22:01:57,756",
            "thread_id": "612",
            "caller": "0x7ff6c28c9b37",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29254640002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Users\\admin\\AppData\\Local\\Discord\\app-1.0.9238\\Discord.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 5462
          },
          {
            "timestamp": "2026-05-28 22:01:57,756",
            "thread_id": "612",
            "caller": "0x7ff6c28c9b37",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254640000"
              },
              {
                "name": "RegionSize",
                "value": "0x0be3b000"
              }
            ],
            "repeated": 0,
            "id": 5463
          },
          {
            "timestamp": "2026-05-28 22:01:57,756",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000006a0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100001",
                "pretty_value": "FILE_READ_ACCESS|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\en-US\\svchost.exe.mui"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 5464
          },
          {
            "timestamp": "2026-05-28 22:01:57,756",
            "thread_id": "612",
            "caller": "0x7ff6c296e129",
            "parentcaller": "0x7ff6c296c7fa",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Users\\admin\\AppData\\Local\\Discord\\app-1.0.9238\\Discord.exe"
              }
            ],
            "repeated": 0,
            "id": 5465
          },
          {
            "timestamp": "2026-05-28 22:01:57,756",
            "thread_id": "612",
            "caller": "0x7ff6c290bbeb",
            "parentcaller": "0x7ff6c296c7b4",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\reg.exe"
              }
            ],
            "repeated": 0,
            "id": 5466
          },
          {
            "timestamp": "2026-05-28 22:01:57,756",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29254630002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\System32\\reg.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 5467
          },
          {
            "timestamp": "2026-05-28 22:01:57,756",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "registry",
            "api": "NtOpenKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\en-US"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\en-US"
              }
            ],
            "repeated": 0,
            "id": 5468
          },
          {
            "timestamp": "2026-05-28 22:01:57,756",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000006a8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100001",
                "pretty_value": "FILE_READ_ACCESS|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\en-US\\reg.exe.mui"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 5469
          },
          {
            "timestamp": "2026-05-28 22:01:57,756",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000670"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x000006a8"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\en-US\\reg.exe.mui"
              }
            ],
            "repeated": 0,
            "id": 5470
          },
          {
            "timestamp": "2026-05-28 22:01:57,756",
            "thread_id": "5448",
            "caller": "0x7ff6c28c545d",
            "parentcaller": "0x7ff6c28c3945",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000006a0"
              },
              {
                "name": "BaseAddress",
                "value": "0x2a5db003978"
              },
              {
                "name": "Size",
                "value": "0x00000064"
              },
              {
                "name": "Buffer",
                "value": "C\\x00:\\x00\\\\x00W\\x00i\\x00n\\x00d\\x00o\\x00w\\x00s\\x00\\\\x00s\\x00y\\x00s\\x00t\\x00e\\x00m\\x003\\x002\\x00\\\\x00s\\x00v\\x00c\\x00h\\x00o\\x00s\\x00t\\x00.\\x00e\\x00x\\x00e\\x00 \\x00-\\x00k\\x00 \\x00L\\x00o\\x00c\\x00a\\x00l\\x00S\\x00e\\x00r\\x00v\\x00i\\x00c\\x00e\\x00 \\x00-\\x00p\\x00"
              }
            ],
            "repeated": 0,
            "id": 5471
          },
          {
            "timestamp": "2026-05-28 22:01:57,756",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000670"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254690000"
              },
              {
                "name": "SectionOffset",
                "value": "0xf09dffde00"
              },
              {
                "name": "ViewSize",
                "value": "0x0000a000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 5472
          },
          {
            "timestamp": "2026-05-28 22:01:57,756",
            "thread_id": "5448",
            "caller": "0x7ff6c28c39ad",
            "parentcaller": "0x7ff6c28c31bb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000006a0"
              }
            ],
            "repeated": 0,
            "id": 5473
          },
          {
            "timestamp": "2026-05-28 22:01:57,756",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c3746",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000006a0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001000",
                "pretty_value": "PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "1620"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\System32\\svchost.exe"
              }
            ],
            "repeated": 0,
            "id": 5474
          },
          {
            "timestamp": "2026-05-28 22:01:57,756",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000670"
              }
            ],
            "repeated": 0,
            "id": 5475
          },
          {
            "timestamp": "2026-05-28 22:01:57,756",
            "thread_id": "5448",
            "caller": "0x7ff6c28c472e",
            "parentcaller": "0x7ff6c28c375e",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000006a0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x000006a4"
              }
            ],
            "repeated": 0,
            "id": 5476
          },
          {
            "timestamp": "2026-05-28 22:01:57,756",
            "thread_id": "5448",
            "caller": "0x7ff6c28c4764",
            "parentcaller": "0x7ff6c28c375e",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "39"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 5477
          },
          {
            "timestamp": "2026-05-28 22:01:57,756",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254690000"
              },
              {
                "name": "RegionSize",
                "value": "0x0000a000"
              }
            ],
            "repeated": 0,
            "id": 5478
          },
          {
            "timestamp": "2026-05-28 22:01:57,756",
            "thread_id": "5448",
            "caller": "0x7ff6c28c47ed",
            "parentcaller": "0x7ff6c28c375e",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "39"
              },
              {
                "name": "TokenInformation",
                "value": "\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00P\\xe1\\x1eT\\x92\\x02\\x00\\x00 \\x00 \\x00\\x00\\x00\\x00\\x00x\\xe1\\x1eT\\x92\\x02\\x00\\x00\\x02\\x00\\x00\\x00A\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x98\\xe1\\x1eT\\x92\\x02\\x00\\x00T\\x00S\\x00A\\x00:\\x00/\\x00/\\x00P\\x00r\\x00o\\x00c\\x00U\\x00n\\x00i\\x00q\\x00u\\x00e\\x00#\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xa5\\x17\\x01\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 5479
          },
          {
            "timestamp": "2026-05-28 22:01:57,756",
            "thread_id": "5448",
            "caller": "0x7ff6c28c488d",
            "parentcaller": "0x7ff6c28c375e",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000006a4"
              }
            ],
            "repeated": 0,
            "id": 5480
          },
          {
            "timestamp": "2026-05-28 22:01:57,756",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000006a8"
              }
            ],
            "repeated": 0,
            "id": 5481
          },
          {
            "timestamp": "2026-05-28 22:01:57,756",
            "thread_id": "5448",
            "caller": "0x7ff6c28c3779",
            "parentcaller": "0x7ff6c28c31c6",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000006a0"
              }
            ],
            "repeated": 0,
            "id": 5482
          },
          {
            "timestamp": "2026-05-28 22:01:57,756",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254630000"
              },
              {
                "name": "RegionSize",
                "value": "0x00057000"
              }
            ],
            "repeated": 0,
            "id": 5483
          },
          {
            "timestamp": "2026-05-28 22:01:57,756",
            "thread_id": "612",
            "caller": "0x7ff6c28c9b37",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29254630002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\System32\\reg.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 5484
          },
          {
            "timestamp": "2026-05-28 22:01:57,756",
            "thread_id": "612",
            "caller": "0x7ff6c28c9b37",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "registry",
            "api": "NtOpenKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\en-US"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\en-US"
              }
            ],
            "repeated": 0,
            "id": 5485
          },
          {
            "timestamp": "2026-05-28 22:01:57,756",
            "thread_id": "612",
            "caller": "0x7ff6c28c9b37",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000006a8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100001",
                "pretty_value": "FILE_READ_ACCESS|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\en-US\\reg.exe.mui"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 5486
          },
          {
            "timestamp": "2026-05-28 22:01:57,756",
            "thread_id": "612",
            "caller": "0x7ff6c28c9b37",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000670"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x000006a8"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\en-US\\reg.exe.mui"
              }
            ],
            "repeated": 0,
            "id": 5487
          },
          {
            "timestamp": "2026-05-28 22:01:57,756",
            "thread_id": "5448",
            "caller": "0x7ff6c28c05ac",
            "parentcaller": "0x7ff6c28bdc11",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000006a0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001400",
                "pretty_value": "PROCESS_QUERY_INFORMATION|PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "1720"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\System32\\svchost.exe"
              }
            ],
            "repeated": 0,
            "id": 5488
          },
          {
            "timestamp": "2026-05-28 22:01:57,756",
            "thread_id": "612",
            "caller": "0x7ff6c28c9b37",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000670"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254690000"
              },
              {
                "name": "SectionOffset",
                "value": "0xf09dffddf0"
              },
              {
                "name": "ViewSize",
                "value": "0x0000a000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 5489
          },
          {
            "timestamp": "2026-05-28 22:01:57,756",
            "thread_id": "5448",
            "caller": "0x7ff6c28c068f",
            "parentcaller": "0x7ff6c28bdc11",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000006a0"
              }
            ],
            "repeated": 0,
            "id": 5490
          },
          {
            "timestamp": "2026-05-28 22:01:57,756",
            "thread_id": "612",
            "caller": "0x7ff6c28c9b37",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000670"
              }
            ],
            "repeated": 0,
            "id": 5491
          },
          {
            "timestamp": "2026-05-28 22:01:57,756",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c3e56",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000006a0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001000",
                "pretty_value": "PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "1720"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\System32\\svchost.exe"
              }
            ],
            "repeated": 0,
            "id": 5492
          },
          {
            "timestamp": "2026-05-28 22:01:57,756",
            "thread_id": "612",
            "caller": "0x7ff6c28c9b37",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254690000"
              },
              {
                "name": "RegionSize",
                "value": "0x0000a000"
              }
            ],
            "repeated": 0,
            "id": 5493
          },
          {
            "timestamp": "2026-05-28 22:01:57,756",
            "thread_id": "5448",
            "caller": "0x7ff6c28c3ebb",
            "parentcaller": "0x7ff6c28c2d53",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000006a0"
              }
            ],
            "repeated": 0,
            "id": 5494
          },
          {
            "timestamp": "2026-05-28 22:01:57,756",
            "thread_id": "612",
            "caller": "0x7ff6c28c9b37",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000006a8"
              }
            ],
            "repeated": 0,
            "id": 5495
          },
          {
            "timestamp": "2026-05-28 22:01:57,756",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c3ffc",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000006a0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001000",
                "pretty_value": "PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "1720"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\System32\\svchost.exe"
              }
            ],
            "repeated": 0,
            "id": 5496
          },
          {
            "timestamp": "2026-05-28 22:01:57,756",
            "thread_id": "612",
            "caller": "0x7ff6c28c9b37",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254630000"
              },
              {
                "name": "RegionSize",
                "value": "0x00057000"
              }
            ],
            "repeated": 0,
            "id": 5497
          },
          {
            "timestamp": "2026-05-28 22:01:57,756",
            "thread_id": "5448",
            "caller": "0x7ff6c28c4224",
            "parentcaller": "0x7ff6c28c2da5",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000006a0"
              }
            ],
            "repeated": 0,
            "id": 5498
          },
          {
            "timestamp": "2026-05-28 22:01:57,756",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29254640002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\System32\\svchost.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 5499
          },
          {
            "timestamp": "2026-05-28 22:01:57,756",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "registry",
            "api": "NtOpenKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\en-US"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\en-US"
              }
            ],
            "repeated": 0,
            "id": 5500
          },
          {
            "timestamp": "2026-05-28 22:01:57,756",
            "thread_id": "612",
            "caller": "0x7ff6c296e129",
            "parentcaller": "0x7ff6c296c7fa",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\reg.exe"
              }
            ],
            "repeated": 0,
            "id": 5501
          },
          {
            "timestamp": "2026-05-28 22:01:57,756",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": false,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "\\??\\C:\\Windows\\system32\\conhost.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 5502
          },
          {
            "timestamp": "2026-05-28 22:01:57,756",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x000006a4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x000006a0"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\en-US\\svchost.exe.mui"
              }
            ],
            "repeated": 0,
            "id": 5503
          },
          {
            "timestamp": "2026-05-28 22:01:57,756",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x000006a4"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254630000"
              },
              {
                "name": "SectionOffset",
                "value": "0xf09ddfcf90"
              },
              {
                "name": "ViewSize",
                "value": "0x00001000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 5504
          },
          {
            "timestamp": "2026-05-28 22:01:57,756",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000006a4"
              }
            ],
            "repeated": 0,
            "id": 5505
          },
          {
            "timestamp": "2026-05-28 22:01:57,756",
            "thread_id": "5448",
            "caller": "0x7ffc7803a871",
            "parentcaller": "0x7ffc756dad69",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254630000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              }
            ],
            "repeated": 0,
            "id": 5506
          },
          {
            "timestamp": "2026-05-28 22:01:57,756",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000006a0"
              }
            ],
            "repeated": 0,
            "id": 5507
          },
          {
            "timestamp": "2026-05-28 22:01:57,756",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000006a8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\conhost.exe"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "1",
                "pretty_value": "FILE_SHARE_READ"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000080",
                "pretty_value": "FILE_ATTRIBUTE_NORMAL"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 5508
          },
          {
            "timestamp": "2026-05-28 22:01:57,756",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "registry",
            "api": "NtOpenKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\en-US"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\en-US"
              }
            ],
            "repeated": 0,
            "id": 5509
          },
          {
            "timestamp": "2026-05-28 22:01:57,756",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000006a0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100001",
                "pretty_value": "FILE_READ_ACCESS|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\en-US\\svchost.exe.mui"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 5510
          },
          {
            "timestamp": "2026-05-28 22:01:57,756",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x000006a4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x000006a0"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\en-US\\svchost.exe.mui"
              }
            ],
            "repeated": 0,
            "id": 5511
          },
          {
            "timestamp": "2026-05-28 22:01:57,756",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x000006a4"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254640000"
              },
              {
                "name": "SectionOffset",
                "value": "0xf09ddfcf80"
              },
              {
                "name": "ViewSize",
                "value": "0x00001000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 5512
          },
          {
            "timestamp": "2026-05-28 22:01:57,756",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000006a4"
              }
            ],
            "repeated": 0,
            "id": 5513
          },
          {
            "timestamp": "2026-05-28 22:01:57,756",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254640000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              }
            ],
            "repeated": 0,
            "id": 5514
          },
          {
            "timestamp": "2026-05-28 22:01:57,756",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000006a0"
              }
            ],
            "repeated": 0,
            "id": 5515
          },
          {
            "timestamp": "2026-05-28 22:01:57,756",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "filesystem",
            "api": "NtReadFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000006a8"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\System32\\conhost.exe"
              },
              {
                "name": "Buffer",
                "value": "MZ"
              },
              {
                "name": "Length",
                "value": "2"
              }
            ],
            "repeated": 0,
            "id": 5516
          },
          {
            "timestamp": "2026-05-28 22:01:57,756",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "filesystem",
            "api": "NtSetInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000006a8"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\System32\\conhost.exe"
              },
              {
                "name": "FileInformationClass",
                "value": "14",
                "pretty_value": "FilePositionInformation"
              },
              {
                "name": "FileInformation",
                "value": "<\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 5517
          },
          {
            "timestamp": "2026-05-28 22:01:57,771",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "filesystem",
            "api": "NtReadFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000006a8"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\System32\\conhost.exe"
              },
              {
                "name": "Buffer",
                "value": "\\xf0\\x00\\x00\\x00"
              },
              {
                "name": "Length",
                "value": "4"
              }
            ],
            "repeated": 0,
            "id": 5518
          },
          {
            "timestamp": "2026-05-28 22:01:57,771",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "filesystem",
            "api": "NtSetInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000006a8"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\System32\\conhost.exe"
              },
              {
                "name": "FileInformationClass",
                "value": "14",
                "pretty_value": "FilePositionInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 5519
          },
          {
            "timestamp": "2026-05-28 22:01:57,771",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "filesystem",
            "api": "NtReadFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000006a8"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\System32\\conhost.exe"
              },
              {
                "name": "Buffer",
                "value": "PE\\x00\\x00d\\x86\\x07\\x00\\xdc6\\xe4/\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xf0\\x00\"\\x00\\x0b\\x02\\x0e\\x14\\x00\\xa2\t\\x00\\x00\\xcc\\x03\\x00\\x00\\x00\\x00\\x00P\\xf7\\x01\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00@\\x01\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x02\\x00\\x00"
              },
              {
                "name": "Length",
                "value": "64"
              }
            ],
            "repeated": 0,
            "id": 5520
          },
          {
            "timestamp": "2026-05-28 22:01:57,771",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000006a8"
              }
            ],
            "repeated": 0,
            "id": 5521
          },
          {
            "timestamp": "2026-05-28 22:01:57,771",
            "thread_id": "612",
            "caller": "0x7ff6c296e129",
            "parentcaller": "0x7ff6c296c7fa",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\conhost.exe"
              }
            ],
            "repeated": 0,
            "id": 5522
          },
          {
            "timestamp": "2026-05-28 22:01:57,771",
            "thread_id": "612",
            "caller": "0x7ff6c290bbeb",
            "parentcaller": "0x7ff6c296c7b4",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Users\\admin\\AppData\\Local\\Discord\\app-1.0.9238\\Discord.exe"
              }
            ],
            "repeated": 0,
            "id": 5523
          },
          {
            "timestamp": "2026-05-28 22:01:57,771",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29254630002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Users\\admin\\AppData\\Local\\Discord\\app-1.0.9238\\Discord.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 5524
          },
          {
            "timestamp": "2026-05-28 22:01:57,771",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254630000"
              },
              {
                "name": "RegionSize",
                "value": "0x0be3b000"
              }
            ],
            "repeated": 0,
            "id": 5525
          },
          {
            "timestamp": "2026-05-28 22:01:57,771",
            "thread_id": "612",
            "caller": "0x7ff6c28c9b37",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29254630002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Users\\admin\\AppData\\Local\\Discord\\app-1.0.9238\\Discord.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 5526
          },
          {
            "timestamp": "2026-05-28 22:01:57,771",
            "thread_id": "612",
            "caller": "0x7ff6c28c9b37",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254630000"
              },
              {
                "name": "RegionSize",
                "value": "0x0be3b000"
              }
            ],
            "repeated": 0,
            "id": 5527
          },
          {
            "timestamp": "2026-05-28 22:01:57,771",
            "thread_id": "612",
            "caller": "0x7ff6c296e129",
            "parentcaller": "0x7ff6c296c7fa",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Users\\admin\\AppData\\Local\\Discord\\app-1.0.9238\\Discord.exe"
              }
            ],
            "repeated": 1,
            "id": 5528
          },
          {
            "timestamp": "2026-05-28 22:01:57,771",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29254630002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Users\\admin\\AppData\\Local\\Discord\\app-1.0.9238\\Discord.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 5529
          },
          {
            "timestamp": "2026-05-28 22:01:57,771",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254630000"
              },
              {
                "name": "RegionSize",
                "value": "0x0be3b000"
              }
            ],
            "repeated": 0,
            "id": 5530
          },
          {
            "timestamp": "2026-05-28 22:01:57,771",
            "thread_id": "612",
            "caller": "0x7ff6c28c9b37",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29254630002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Users\\admin\\AppData\\Local\\Discord\\app-1.0.9238\\Discord.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 5531
          },
          {
            "timestamp": "2026-05-28 22:01:57,771",
            "thread_id": "612",
            "caller": "0x7ff6c28c9b37",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254630000"
              },
              {
                "name": "RegionSize",
                "value": "0x0be3b000"
              }
            ],
            "repeated": 0,
            "id": 5532
          },
          {
            "timestamp": "2026-05-28 22:01:57,771",
            "thread_id": "612",
            "caller": "0x7ff6c296e129",
            "parentcaller": "0x7ff6c296c7fa",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Users\\admin\\AppData\\Local\\Discord\\app-1.0.9238\\Discord.exe"
              }
            ],
            "repeated": 1,
            "id": 5533
          },
          {
            "timestamp": "2026-05-28 22:01:57,771",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29254630002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Users\\admin\\AppData\\Local\\Discord\\app-1.0.9238\\Discord.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 5534
          },
          {
            "timestamp": "2026-05-28 22:01:57,771",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254630000"
              },
              {
                "name": "RegionSize",
                "value": "0x0be3b000"
              }
            ],
            "repeated": 0,
            "id": 5535
          },
          {
            "timestamp": "2026-05-28 22:01:57,771",
            "thread_id": "612",
            "caller": "0x7ff6c28c9b37",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29254630002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Users\\admin\\AppData\\Local\\Discord\\app-1.0.9238\\Discord.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 5536
          },
          {
            "timestamp": "2026-05-28 22:01:57,771",
            "thread_id": "612",
            "caller": "0x7ff6c28c9b37",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254630000"
              },
              {
                "name": "RegionSize",
                "value": "0x0be3b000"
              }
            ],
            "repeated": 0,
            "id": 5537
          },
          {
            "timestamp": "2026-05-28 22:01:57,771",
            "thread_id": "612",
            "caller": "0x7ff6c296e129",
            "parentcaller": "0x7ff6c296c7fa",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Users\\admin\\AppData\\Local\\Discord\\app-1.0.9238\\Discord.exe"
              }
            ],
            "repeated": 1,
            "id": 5538
          },
          {
            "timestamp": "2026-05-28 22:01:57,771",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29254630002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Users\\admin\\AppData\\Local\\Discord\\app-1.0.9238\\Discord.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 5539
          },
          {
            "timestamp": "2026-05-28 22:01:57,771",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254630000"
              },
              {
                "name": "RegionSize",
                "value": "0x0be3b000"
              }
            ],
            "repeated": 0,
            "id": 5540
          },
          {
            "timestamp": "2026-05-28 22:01:57,771",
            "thread_id": "612",
            "caller": "0x7ff6c28c9b37",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29254630002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Users\\admin\\AppData\\Local\\Discord\\app-1.0.9238\\Discord.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 5541
          },
          {
            "timestamp": "2026-05-28 22:01:57,771",
            "thread_id": "612",
            "caller": "0x7ff6c28c9b37",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254630000"
              },
              {
                "name": "RegionSize",
                "value": "0x0be3b000"
              }
            ],
            "repeated": 0,
            "id": 5542
          },
          {
            "timestamp": "2026-05-28 22:01:57,771",
            "thread_id": "612",
            "caller": "0x7ff6c296e129",
            "parentcaller": "0x7ff6c296c7fa",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Users\\admin\\AppData\\Local\\Discord\\app-1.0.9238\\Discord.exe"
              }
            ],
            "repeated": 1,
            "id": 5543
          },
          {
            "timestamp": "2026-05-28 22:01:57,771",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c38f8",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000006a0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001410",
                "pretty_value": "PROCESS_VM_READ|PROCESS_QUERY_INFORMATION|PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "1720"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\System32\\svchost.exe"
              }
            ],
            "repeated": 0,
            "id": 5544
          },
          {
            "timestamp": "2026-05-28 22:01:57,771",
            "thread_id": "5448",
            "caller": "0x7ff6c28c53e5",
            "parentcaller": "0x7ff6c28c3945",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000006a0"
              },
              {
                "name": "BaseAddress",
                "value": "0x3bcb517000"
              },
              {
                "name": "Size",
                "value": "0x000007c8"
              },
              {
                "name": "Buffer",
                "value": "\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x006\\x80\\xf7\\x7f\\x00\\x00\\xc0\\xc4\\x13x\\xfc\\x7f\\x00\\x00\\xf02\\x80\\xc1\\xb1\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00o\\xc1\\xb1\\x01\\x00\\x00\\xe0\\xc0\\x13x\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00p\\x003v\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00j\\xc1\\xb1\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00@\\xc4\\x13x\\xfc\\x7f\\x00\\x00\\x1f\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xfd\\xa5\\xf4}\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00P\\x07\\xfd\\xa5\\xf4}\\x00\\x00\\x00\\x00\\x11\\xa8\\xf5}\\x00\\x00(\\x02\\x12\\xa8\\xf5}\\x00\\x00P\\x06\\x13\\xa8\\xf5}\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x80\\x9b\\x07m\\xe8\\xff\\xff\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x00 \\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x10\\x00\\x00\\x00@\\xad\\x13x\\xfc\\x7f\\x00\\x00\\x00\\x00\\xc1\\xc1\\xb1\\x01\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 5545
          },
          {
            "timestamp": "2026-05-28 22:01:57,771",
            "thread_id": "5448",
            "caller": "0x7ff6c28c5414",
            "parentcaller": "0x7ff6c28c3945",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000006a0"
              },
              {
                "name": "BaseAddress",
                "value": "0x1b1c18032f0"
              },
              {
                "name": "Size",
                "value": "0x00000440"
              },
              {
                "name": "Buffer",
                "value": "P\\x07\\x00\\x00P\\x07\\x00\\x00\\x01 \\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00(\\x00\\x08\\x02\\x00\\x00\\x00\\x00\\xb0>\\x80\\xc1\\xb1\\x01\\x00\\x00H\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00>\\x00@\\x00\\x00\\x00\\x00\\x0089\\x80\\xc1\\xb1\\x01\\x00\\x00\\x82\\x00\\x84\\x00\\x00\\x00\\x00\\x00x9\\x80\\xc1\\xb1\\x01\\x00\\x00\\xf0'\\x80\\xc1\\xb1\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x80\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00>\\x00@\\x00\\x00\\x00\\x00\\x00\\xfc9\\x80\\xc1\\xb1\\x01\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00<:\\x80\\xc1\\xb1\\x01\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00>:\\x80\\xc1\\xb1\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 5546
          },
          {
            "timestamp": "2026-05-28 22:01:57,771",
            "thread_id": "5448",
            "caller": "0x7ff6c28c545d",
            "parentcaller": "0x7ff6c28c3945",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000006a0"
              },
              {
                "name": "BaseAddress",
                "value": "0x1b1c1803978"
              },
              {
                "name": "Size",
                "value": "0x00000082"
              },
              {
                "name": "Buffer",
                "value": "C\\x00:\\x00\\\\x00W\\x00i\\x00n\\x00d\\x00o\\x00w\\x00s\\x00\\\\x00s\\x00y\\x00s\\x00t\\x00e\\x00m\\x003\\x002\\x00\\\\x00s\\x00v\\x00c\\x00h\\x00o\\x00s\\x00t\\x00.\\x00e\\x00x\\x00e\\x00 \\x00-\\x00k\\x00 \\x00L\\x00o\\x00c\\x00a\\x00l\\x00S\\x00e\\x00r\\x00v\\x00i\\x00c\\x00e\\x00 \\x00-\\x00p\\x00 \\x00-\\x00s\\x00 \\x00E\\x00v\\x00e\\x00n\\x00t\\x00S\\x00y\\x00s\\x00t\\x00e\\x00m\\x00"
              }
            ],
            "repeated": 0,
            "id": 5547
          },
          {
            "timestamp": "2026-05-28 22:01:57,771",
            "thread_id": "5448",
            "caller": "0x7ff6c28c39ad",
            "parentcaller": "0x7ff6c28c31bb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000006a0"
              }
            ],
            "repeated": 0,
            "id": 5548
          },
          {
            "timestamp": "2026-05-28 22:01:57,771",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c3746",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000006a0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001000",
                "pretty_value": "PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "1720"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\System32\\svchost.exe"
              }
            ],
            "repeated": 0,
            "id": 5549
          },
          {
            "timestamp": "2026-05-28 22:01:57,771",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29254630002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Users\\admin\\AppData\\Local\\Discord\\app-1.0.9238\\Discord.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 5550
          },
          {
            "timestamp": "2026-05-28 22:01:57,771",
            "thread_id": "5448",
            "caller": "0x7ff6c28c472e",
            "parentcaller": "0x7ff6c28c375e",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000006a0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x000006a4"
              }
            ],
            "repeated": 0,
            "id": 5551
          },
          {
            "timestamp": "2026-05-28 22:01:57,771",
            "thread_id": "5448",
            "caller": "0x7ff6c28c4764",
            "parentcaller": "0x7ff6c28c375e",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "39"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 5552
          },
          {
            "timestamp": "2026-05-28 22:01:57,771",
            "thread_id": "5448",
            "caller": "0x7ff6c28c47ed",
            "parentcaller": "0x7ff6c28c375e",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "39"
              },
              {
                "name": "TokenInformation",
                "value": "\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\xf0\\xf5\\x1eT\\x92\\x02\\x00\\x00 \\x00 \\x00\\x00\\x00\\x00\\x00\\x18\\xf6\\x1eT\\x92\\x02\\x00\\x00\\x02\\x00\\x00\\x00A\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x008\\xf6\\x1eT\\x92\\x02\\x00\\x00T\\x00S\\x00A\\x00:\\x00/\\x00/\\x00P\\x00r\\x00o\\x00c\\x00U\\x00n\\x00i\\x00q\\x00u\\x00e\\x00&\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xa2\\x1f\\x01\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 5553
          },
          {
            "timestamp": "2026-05-28 22:01:57,771",
            "thread_id": "5448",
            "caller": "0x7ff6c28c488d",
            "parentcaller": "0x7ff6c28c375e",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000006a4"
              }
            ],
            "repeated": 0,
            "id": 5554
          },
          {
            "timestamp": "2026-05-28 22:01:57,771",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254630000"
              },
              {
                "name": "RegionSize",
                "value": "0x0be3b000"
              }
            ],
            "repeated": 0,
            "id": 5555
          },
          {
            "timestamp": "2026-05-28 22:01:57,771",
            "thread_id": "5448",
            "caller": "0x7ff6c28c3779",
            "parentcaller": "0x7ff6c28c31c6",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000006a0"
              }
            ],
            "repeated": 0,
            "id": 5556
          },
          {
            "timestamp": "2026-05-28 22:01:57,771",
            "thread_id": "612",
            "caller": "0x7ff6c28c9b37",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29254630002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Users\\admin\\AppData\\Local\\Discord\\app-1.0.9238\\Discord.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 5557
          },
          {
            "timestamp": "2026-05-28 22:01:57,771",
            "thread_id": "612",
            "caller": "0x7ff6c28c9b37",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254630000"
              },
              {
                "name": "RegionSize",
                "value": "0x0be3b000"
              }
            ],
            "repeated": 0,
            "id": 5558
          },
          {
            "timestamp": "2026-05-28 22:01:57,771",
            "thread_id": "612",
            "caller": "0x7ff6c296e129",
            "parentcaller": "0x7ff6c296c7fa",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Users\\admin\\AppData\\Local\\Discord\\app-1.0.9238\\Discord.exe"
              }
            ],
            "repeated": 1,
            "id": 5559
          },
          {
            "timestamp": "2026-05-28 22:01:57,771",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29254630002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Users\\admin\\AppData\\Local\\Discord\\app-1.0.9238\\Discord.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 5560
          },
          {
            "timestamp": "2026-05-28 22:01:57,771",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254630000"
              },
              {
                "name": "RegionSize",
                "value": "0x0be3b000"
              }
            ],
            "repeated": 0,
            "id": 5561
          },
          {
            "timestamp": "2026-05-28 22:01:57,771",
            "thread_id": "612",
            "caller": "0x7ff6c28c9b37",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29254630002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Users\\admin\\AppData\\Local\\Discord\\app-1.0.9238\\Discord.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 5562
          },
          {
            "timestamp": "2026-05-28 22:01:57,771",
            "thread_id": "612",
            "caller": "0x7ff6c28c9b37",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254630000"
              },
              {
                "name": "RegionSize",
                "value": "0x0be3b000"
              }
            ],
            "repeated": 0,
            "id": 5563
          },
          {
            "timestamp": "2026-05-28 22:01:57,771",
            "thread_id": "5448",
            "caller": "0x7ff6c28c05ac",
            "parentcaller": "0x7ff6c28bdc11",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000006a0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001400",
                "pretty_value": "PROCESS_QUERY_INFORMATION|PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "1748"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\System32\\svchost.exe"
              }
            ],
            "repeated": 0,
            "id": 5564
          },
          {
            "timestamp": "2026-05-28 22:01:57,771",
            "thread_id": "5448",
            "caller": "0x7ff6c28c068f",
            "parentcaller": "0x7ff6c28bdc11",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000006a0"
              }
            ],
            "repeated": 0,
            "id": 5565
          },
          {
            "timestamp": "2026-05-28 22:01:57,771",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c3e56",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000006a0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001000",
                "pretty_value": "PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "1748"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\System32\\svchost.exe"
              }
            ],
            "repeated": 0,
            "id": 5566
          },
          {
            "timestamp": "2026-05-28 22:01:57,771",
            "thread_id": "5448",
            "caller": "0x7ff6c28c3ebb",
            "parentcaller": "0x7ff6c28c2d53",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000006a0"
              }
            ],
            "repeated": 0,
            "id": 5567
          },
          {
            "timestamp": "2026-05-28 22:01:57,771",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c3ffc",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000006a0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001000",
                "pretty_value": "PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "1748"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\System32\\svchost.exe"
              }
            ],
            "repeated": 0,
            "id": 5568
          },
          {
            "timestamp": "2026-05-28 22:01:57,771",
            "thread_id": "612",
            "caller": "0x7ff6c296e129",
            "parentcaller": "0x7ff6c296c7fa",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Users\\admin\\AppData\\Local\\Discord\\app-1.0.9238\\Discord.exe"
              }
            ],
            "repeated": 0,
            "id": 5569
          },
          {
            "timestamp": "2026-05-28 22:01:57,771",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29254630002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\System32\\svchost.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 5570
          },
          {
            "timestamp": "2026-05-28 22:01:57,771",
            "thread_id": "612",
            "caller": "0x7ff6c290bbeb",
            "parentcaller": "0x7ff6c296c7b4",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Users\\admin\\AppData\\Local\\Discord\\app-1.0.9238\\Discord.exe"
              }
            ],
            "repeated": 0,
            "id": 5571
          },
          {
            "timestamp": "2026-05-28 22:01:57,771",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29254640002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Users\\admin\\AppData\\Local\\Discord\\app-1.0.9238\\Discord.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 5572
          },
          {
            "timestamp": "2026-05-28 22:01:57,771",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x00\\x80\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 5573
          },
          {
            "timestamp": "2026-05-28 22:01:57,771",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000006a0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100001",
                "pretty_value": "FILE_READ_ACCESS|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\en-US\\svchost.exe.mui"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 5574
          },
          {
            "timestamp": "2026-05-28 22:01:57,771",
            "thread_id": "612",
            "caller": "0x7ff6c28c9b37",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254640000"
              },
              {
                "name": "RegionSize",
                "value": "0x0be3b000"
              }
            ],
            "repeated": 0,
            "id": 5575
          },
          {
            "timestamp": "2026-05-28 22:01:57,771",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x000006a4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x000006a0"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\en-US\\svchost.exe.mui"
              }
            ],
            "repeated": 0,
            "id": 5576
          },
          {
            "timestamp": "2026-05-28 22:01:57,771",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x000006a4"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254640000"
              },
              {
                "name": "SectionOffset",
                "value": "0xf09ddfcf90"
              },
              {
                "name": "ViewSize",
                "value": "0x00001000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 5577
          },
          {
            "timestamp": "2026-05-28 22:01:57,771",
            "thread_id": "612",
            "caller": "0x7ff6c290bbeb",
            "parentcaller": "0x7ff6c296c7b4",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Users\\admin\\AppData\\Local\\Discord\\app-1.0.9238\\Discord.exe"
              }
            ],
            "repeated": 0,
            "id": 5578
          },
          {
            "timestamp": "2026-05-28 22:01:57,771",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29254630002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\System32\\svchost.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 5579
          },
          {
            "timestamp": "2026-05-28 22:01:57,771",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "registry",
            "api": "NtOpenKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\en-US"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\en-US"
              }
            ],
            "repeated": 0,
            "id": 5580
          },
          {
            "timestamp": "2026-05-28 22:01:57,771",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254640000"
              },
              {
                "name": "RegionSize",
                "value": "0x0be3b000"
              }
            ],
            "repeated": 0,
            "id": 5581
          },
          {
            "timestamp": "2026-05-28 22:01:57,771",
            "thread_id": "612",
            "caller": "0x7ff6c28c9b37",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29254640002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Users\\admin\\AppData\\Local\\Discord\\app-1.0.9238\\Discord.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 5582
          },
          {
            "timestamp": "2026-05-28 22:01:57,771",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000006a0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100001",
                "pretty_value": "FILE_READ_ACCESS|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\en-US\\svchost.exe.mui"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 5583
          },
          {
            "timestamp": "2026-05-28 22:01:57,771",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x000006a4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x000006a0"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\en-US\\svchost.exe.mui"
              }
            ],
            "repeated": 0,
            "id": 5584
          },
          {
            "timestamp": "2026-05-28 22:01:57,771",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x000006a4"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254720000"
              },
              {
                "name": "SectionOffset",
                "value": "0xf09ddfcf80"
              },
              {
                "name": "ViewSize",
                "value": "0x00001000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 5585
          },
          {
            "timestamp": "2026-05-28 22:01:57,771",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29254640002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "\\\\?\\C:\\Users\\admin\\AppData\\Local\\Discord\\app-1.0.9238\\modules\\discord_voice-1\\discord_voice\\gpu_encoder_helper.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 5586
          },
          {
            "timestamp": "2026-05-28 22:01:57,771",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000006a4"
              }
            ],
            "repeated": 0,
            "id": 5587
          },
          {
            "timestamp": "2026-05-28 22:01:57,771",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254720000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              }
            ],
            "repeated": 0,
            "id": 5588
          },
          {
            "timestamp": "2026-05-28 22:01:57,771",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000006a0"
              }
            ],
            "repeated": 0,
            "id": 5589
          },
          {
            "timestamp": "2026-05-28 22:01:57,771",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254630000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              }
            ],
            "repeated": 0,
            "id": 5590
          },
          {
            "timestamp": "2026-05-28 22:01:57,771",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254640000"
              },
              {
                "name": "RegionSize",
                "value": "0x000de000"
              }
            ],
            "repeated": 0,
            "id": 5591
          },
          {
            "timestamp": "2026-05-28 22:01:57,771",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000006b0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000400",
                "pretty_value": "PROCESS_QUERY_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "7912"
              }
            ],
            "repeated": 0,
            "id": 5592
          },
          {
            "timestamp": "2026-05-28 22:01:57,771",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x00000658"
              }
            ],
            "repeated": 0,
            "id": 5593
          },
          {
            "timestamp": "2026-05-28 22:01:57,771",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xe0\\xe7\\xff\\x9d\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\xe9\\x03\\x00\\x00\\xfc\\x7f\\x00\\x00`^\\xe8S\\x92\\x02\\x00\\x00`\\xee\\xff\\x9d\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00y\\x00\\x00\\x00\\x00\\x00\\x00\\x00H\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 5594
          },
          {
            "timestamp": "2026-05-28 22:01:57,771",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "synchronization",
            "api": "NtCreateMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000006b4"
              },
              {
                "name": "MutexName",
                "value": "Global\\C::Users:admin:AppData:Local:Microsoft:Windows:Explorer:iconcache_idx.db!rwReaderRefs"
              },
              {
                "name": "InitialOwner",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 5595
          },
          {
            "timestamp": "2026-05-28 22:01:57,771",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000658"
              }
            ],
            "repeated": 0,
            "id": 5596
          },
          {
            "timestamp": "2026-05-28 22:01:57,771",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000006b0"
              }
            ],
            "repeated": 0,
            "id": 5597
          },
          {
            "timestamp": "2026-05-28 22:01:57,771",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000005d4"
              },
              {
                "name": "HandleName",
                "value": "C:\\Users\\admin\\AppData\\Local\\Microsoft\\Windows\\Explorer\\iconcache_idx.db"
              },
              {
                "name": "FileInformationClass",
                "value": "5",
                "pretty_value": "FileStandardInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\x00\\x80\\x00\\x00\\x00\\x00\\x00\\x000r\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 5598
          },
          {
            "timestamp": "2026-05-28 22:01:57,771",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000006b4"
              }
            ],
            "repeated": 0,
            "id": 5599
          },
          {
            "timestamp": "2026-05-28 22:01:57,771",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000006b4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000400",
                "pretty_value": "PROCESS_QUERY_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "7912"
              }
            ],
            "repeated": 0,
            "id": 5600
          },
          {
            "timestamp": "2026-05-28 22:01:57,771",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x000006b0"
              }
            ],
            "repeated": 0,
            "id": 5601
          },
          {
            "timestamp": "2026-05-28 22:01:57,771",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xf0\\xe7\\xff\\x9d\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\xe9\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xf0\\x05\\x00\\x00\\x00\\x00\\x00\\x00 \\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x02\\x00\\x00\\x00\\x00\\x00\\x00]\\xddmu\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00j\\x05'Ou\\xc0\\x00\\x00\\x88X\\x1cT\\x92\\x02\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 5602
          },
          {
            "timestamp": "2026-05-28 22:01:57,771",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "synchronization",
            "api": "NtCreateMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000658"
              },
              {
                "name": "MutexName",
                "value": "Global\\C::Users:admin:AppData:Local:Microsoft:Windows:Explorer:iconcache_idx.db!rwReaderRefs"
              },
              {
                "name": "InitialOwner",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 5603
          },
          {
            "timestamp": "2026-05-28 22:01:57,771",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000006b0"
              }
            ],
            "repeated": 0,
            "id": 5604
          },
          {
            "timestamp": "2026-05-28 22:01:57,771",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000006b4"
              }
            ],
            "repeated": 0,
            "id": 5605
          },
          {
            "timestamp": "2026-05-28 22:01:57,771",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000658"
              }
            ],
            "repeated": 0,
            "id": 5606
          },
          {
            "timestamp": "2026-05-28 22:01:57,771",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Users\\admin\\AppData\\Local\\Discord\\app-1.0.9238\\modules\\discord_voice-1\\discord_voice\\gpu_encoder_helper.exe"
              }
            ],
            "repeated": 0,
            "id": 5607
          },
          {
            "timestamp": "2026-05-28 22:01:57,771",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29254630002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "\\\\?\\c:\\users\\admin\\appdata\\local\\discord\\app-1.0.9238\\modules\\discord_voice-1\\discord_voice\\gpu_encoder_helper.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 5608
          },
          {
            "timestamp": "2026-05-28 22:01:57,771",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": false,
            "return": "0xffffffffc000003a",
            "pretty_return": "OBJECT_PATH_NOT_FOUND",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100001",
                "pretty_value": "FILE_READ_ACCESS|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Users\\admin\\AppData\\Local\\Discord\\app-1.0.9238\\modules\\discord_voice-1\\SystemResources\\gpu_encoder_helper.exe.mun"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 5609
          },
          {
            "timestamp": "2026-05-28 22:01:57,771",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254630000"
              },
              {
                "name": "RegionSize",
                "value": "0x000de000"
              }
            ],
            "repeated": 0,
            "id": 5610
          },
          {
            "timestamp": "2026-05-28 22:01:57,771",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\imageres.dll"
              }
            ],
            "repeated": 1,
            "id": 5611
          },
          {
            "timestamp": "2026-05-28 22:01:57,771",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29254630002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\system32\\imageres.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 5612
          },
          {
            "timestamp": "2026-05-28 22:01:57,771",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "registry",
            "api": "NtOpenKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\en-US"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\en-US"
              }
            ],
            "repeated": 0,
            "id": 5613
          },
          {
            "timestamp": "2026-05-28 22:01:57,771",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000658"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100001",
                "pretty_value": "FILE_READ_ACCESS|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\en-US\\imageres.dll.mui"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 5614
          },
          {
            "timestamp": "2026-05-28 22:01:57,771",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x000006b4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000658"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\en-US\\imageres.dll.mui"
              }
            ],
            "repeated": 0,
            "id": 5615
          },
          {
            "timestamp": "2026-05-28 22:01:57,771",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x000006b4"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254640000"
              },
              {
                "name": "SectionOffset",
                "value": "0xf09dffc770"
              },
              {
                "name": "ViewSize",
                "value": "0x00001000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 5616
          },
          {
            "timestamp": "2026-05-28 22:01:57,771",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000006b4"
              }
            ],
            "repeated": 0,
            "id": 5617
          },
          {
            "timestamp": "2026-05-28 22:01:57,771",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000006b4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100001",
                "pretty_value": "FILE_READ_ACCESS|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\SystemResources\\imageres.dll.mun"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 5618
          },
          {
            "timestamp": "2026-05-28 22:01:57,771",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x000006b0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x000006b4"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\SystemResources\\imageres.dll.mun"
              }
            ],
            "repeated": 0,
            "id": 5619
          },
          {
            "timestamp": "2026-05-28 22:01:57,771",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x000006b0"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254650000"
              },
              {
                "name": "SectionOffset",
                "value": "0xf09dffc720"
              },
              {
                "name": "ViewSize",
                "value": "0x013c0000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 5620
          },
          {
            "timestamp": "2026-05-28 22:01:57,771",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000006b0"
              }
            ],
            "repeated": 0,
            "id": 5621
          },
          {
            "timestamp": "2026-05-28 22:01:57,771",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "misc",
            "api": "FindResourceExW",
            "status": true,
            "return": "0x29254672e40",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29254630002"
              },
              {
                "name": "Type",
                "value": "#14"
              },
              {
                "name": "Name",
                "value": "#15"
              },
              {
                "name": "Language",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 5622
          },
          {
            "timestamp": "2026-05-28 22:01:57,771",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "misc",
            "api": "LoadResource",
            "status": true,
            "return": "0x292546e6950",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29254630002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29254672e40"
              }
            ],
            "repeated": 0,
            "id": 5623
          },
          {
            "timestamp": "2026-05-28 22:01:57,771",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "misc",
            "api": "FindResourceExW",
            "status": true,
            "return": "0x29254668940",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29254630002"
              },
              {
                "name": "Type",
                "value": "#3"
              },
              {
                "name": "Name",
                "value": "#63"
              },
              {
                "name": "Language",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 5624
          },
          {
            "timestamp": "2026-05-28 22:01:57,771",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "misc",
            "api": "SizeofResource",
            "status": true,
            "return": "0x00000468",
            "arguments": [
              {
                "name": "ModuleHandle",
                "value": "0x29254630002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29254668940"
              }
            ],
            "repeated": 0,
            "id": 5625
          },
          {
            "timestamp": "2026-05-28 22:01:57,771",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "misc",
            "api": "LoadResource",
            "status": true,
            "return": "0x292546e64e8",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29254630002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29254668940"
              }
            ],
            "repeated": 0,
            "id": 5626
          },
          {
            "timestamp": "2026-05-28 22:01:57,771",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254650000"
              },
              {
                "name": "RegionSize",
                "value": "0x013c0000"
              }
            ],
            "repeated": 0,
            "id": 5627
          },
          {
            "timestamp": "2026-05-28 22:01:57,771",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000006b4"
              }
            ],
            "repeated": 0,
            "id": 5628
          },
          {
            "timestamp": "2026-05-28 22:01:57,771",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254640000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              }
            ],
            "repeated": 0,
            "id": 5629
          },
          {
            "timestamp": "2026-05-28 22:01:57,771",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000658"
              }
            ],
            "repeated": 0,
            "id": 5630
          },
          {
            "timestamp": "2026-05-28 22:01:57,771",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254630000"
              },
              {
                "name": "RegionSize",
                "value": "0x00003000"
              }
            ],
            "repeated": 0,
            "id": 5631
          },
          {
            "timestamp": "2026-05-28 22:01:57,771",
            "thread_id": "612",
            "caller": "0x7ff6c296e129",
            "parentcaller": "0x7ff6c296c7fa",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Users\\admin\\AppData\\Local\\Discord\\app-1.0.9238\\modules\\discord_voice-1\\discord_voice\\gpu_encoder_helper.exe"
              }
            ],
            "repeated": 0,
            "id": 5632
          },
          {
            "timestamp": "2026-05-28 22:01:57,771",
            "thread_id": "5448",
            "caller": "0x7ff6c28c53e5",
            "parentcaller": "0x7ff6c28c3945",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000006a0"
              },
              {
                "name": "BaseAddress",
                "value": "0x8afe67b000"
              },
              {
                "name": "Size",
                "value": "0x000007c8"
              },
              {
                "name": "Buffer",
                "value": "\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x006\\x80\\xf7\\x7f\\x00\\x00\\xc0\\xc4\\x13x\\xfc\\x7f\\x00\\x00p2\\x00\\xba7\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xf1\\xb97\\x02\\x00\\x00\\xe0\\xc0\\x13x\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00p\\x003v\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xec\\xb97\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00@\\xc4\\x13x\\xfc\\x7f\\x00\\x00\\x17\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x88\\xf9\\xf4}\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00P\\x07\\x88\\xf9\\xf4}\\x00\\x00\\x00\\x00\\x9c\\xfb\\xf5}\\x00\\x00(\\x02\\x9d\\xfb\\xf5}\\x00\\x00P\\x06\\x9e\\xfb\\xf5}\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x80\\x9b\\x07m\\xe8\\xff\\xff\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x00 \\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x10\\x00\\x00\\x00@\\xad\\x13x\\xfc\\x7f\\x00\\x00\\x00\\x00C\\xba7\\x02\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 5633
          },
          {
            "timestamp": "2026-05-28 22:01:57,771",
            "thread_id": "5448",
            "caller": "0x7ff6c28c5414",
            "parentcaller": "0x7ff6c28c3945",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000006a0"
              },
              {
                "name": "BaseAddress",
                "value": "0x237ba003270"
              },
              {
                "name": "Size",
                "value": "0x00000440"
              },
              {
                "name": "Buffer",
                "value": "<\\x07\\x00\\x00<\\x07\\x00\\x00\\x01 \\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00(\\x00\\x08\\x02\\x00\\x00\\x00\\x00 >\\x00\\xba7\\x02\\x00\\x00H\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00>\\x00@\\x00\\x00\\x00\\x00\\x00\\xb88\\x00\\xba7\\x02\\x00\\x00n\\x00p\\x00\\x00\\x00\\x00\\x00\\xf88\\x00\\xba7\\x02\\x00\\x00\\xf0'\\x00\\xba7\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x80\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00>\\x00@\\x00\\x00\\x00\\x00\\x00h9\\x00\\xba7\\x02\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\xa89\\x00\\xba7\\x02\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\xaa9\\x00\\xba7\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 5634
          },
          {
            "timestamp": "2026-05-28 22:01:57,771",
            "thread_id": "5448",
            "caller": "0x7ff6c28c545d",
            "parentcaller": "0x7ff6c28c3945",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000006a0"
              },
              {
                "name": "BaseAddress",
                "value": "0x237ba0038f8"
              },
              {
                "name": "Size",
                "value": "0x0000006e"
              },
              {
                "name": "Buffer",
                "value": "C\\x00:\\x00\\\\x00W\\x00i\\x00n\\x00d\\x00o\\x00w\\x00s\\x00\\\\x00S\\x00y\\x00s\\x00t\\x00e\\x00m\\x003\\x002\\x00\\\\x00s\\x00v\\x00c\\x00h\\x00o\\x00s\\x00t\\x00.\\x00e\\x00x\\x00e\\x00 \\x00-\\x00k\\x00 \\x00n\\x00e\\x00t\\x00s\\x00v\\x00c\\x00s\\x00 \\x00-\\x00p\\x00 \\x00-\\x00s\\x00 \\x00T\\x00h\\x00e\\x00m\\x00e\\x00s\\x00"
              }
            ],
            "repeated": 0,
            "id": 5635
          },
          {
            "timestamp": "2026-05-28 22:01:57,771",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": false,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "\\??\\C:\\Windows\\system32\\conhost.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 5636
          },
          {
            "timestamp": "2026-05-28 22:01:57,771",
            "thread_id": "5448",
            "caller": "0x7ff6c28c39ad",
            "parentcaller": "0x7ff6c28c31bb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000006a0"
              }
            ],
            "repeated": 0,
            "id": 5637
          },
          {
            "timestamp": "2026-05-28 22:01:57,771",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c3746",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000006a0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001000",
                "pretty_value": "PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "1748"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\System32\\svchost.exe"
              }
            ],
            "repeated": 0,
            "id": 5638
          },
          {
            "timestamp": "2026-05-28 22:01:57,771",
            "thread_id": "5448",
            "caller": "0x7ff6c28c472e",
            "parentcaller": "0x7ff6c28c375e",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000006a0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x000006a4"
              }
            ],
            "repeated": 0,
            "id": 5639
          },
          {
            "timestamp": "2026-05-28 22:01:57,771",
            "thread_id": "5448",
            "caller": "0x7ff6c28c4764",
            "parentcaller": "0x7ff6c28c375e",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "39"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 5640
          },
          {
            "timestamp": "2026-05-28 22:01:57,771",
            "thread_id": "5448",
            "caller": "0x7ff6c28c47ed",
            "parentcaller": "0x7ff6c28c375e",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "39"
              },
              {
                "name": "TokenInformation",
                "value": "\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\xd0%\\x1fT\\x92\\x02\\x00\\x00 \\x00 \\x00\\x00\\x00\\x00\\x00\\xf8%\\x1fT\\x92\\x02\\x00\\x00\\x02\\x00\\x00\\x00A\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x18&\\x1fT\\x92\\x02\\x00\\x00T\\x00S\\x00A\\x00:\\x00/\\x00/\\x00P\\x00r\\x00o\\x00c\\x00U\\x00n\\x00i\\x00q\\x00u\\x00e\\x00(\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x8b!\\x01\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 5641
          },
          {
            "timestamp": "2026-05-28 22:01:57,771",
            "thread_id": "5448",
            "caller": "0x7ff6c28c488d",
            "parentcaller": "0x7ff6c28c375e",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000006a4"
              }
            ],
            "repeated": 0,
            "id": 5642
          },
          {
            "timestamp": "2026-05-28 22:01:57,771",
            "thread_id": "5448",
            "caller": "0x7ff6c28c3779",
            "parentcaller": "0x7ff6c28c31c6",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000006a0"
              }
            ],
            "repeated": 0,
            "id": 5643
          },
          {
            "timestamp": "2026-05-28 22:01:57,771",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000658"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\conhost.exe"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "1",
                "pretty_value": "FILE_SHARE_READ"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000080",
                "pretty_value": "FILE_ATTRIBUTE_NORMAL"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 5644
          },
          {
            "timestamp": "2026-05-28 22:01:57,771",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000658"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\System32\\conhost.exe"
              },
              {
                "name": "FileInformationClass",
                "value": "5",
                "pretty_value": "FileStandardInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\x00@\r\\x00\\x00\\x00\\x00\\x00\\x00<\r\\x00\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 5645
          },
          {
            "timestamp": "2026-05-28 22:01:57,771",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "filesystem",
            "api": "NtSetInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000658"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\System32\\conhost.exe"
              },
              {
                "name": "FileInformationClass",
                "value": "14",
                "pretty_value": "FilePositionInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 5646
          },
          {
            "timestamp": "2026-05-28 22:01:57,771",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "filesystem",
            "api": "NtReadFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000658"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\System32\\conhost.exe"
              },
              {
                "name": "Buffer",
                "value": "MZ"
              },
              {
                "name": "Length",
                "value": "2"
              }
            ],
            "repeated": 0,
            "id": 5647
          },
          {
            "timestamp": "2026-05-28 22:01:57,771",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "filesystem",
            "api": "NtSetInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000658"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\System32\\conhost.exe"
              },
              {
                "name": "FileInformationClass",
                "value": "14",
                "pretty_value": "FilePositionInformation"
              },
              {
                "name": "FileInformation",
                "value": "<\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 5648
          },
          {
            "timestamp": "2026-05-28 22:01:57,771",
            "thread_id": "5448",
            "caller": "0x7ff6c28c05ac",
            "parentcaller": "0x7ff6c28bdc11",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000006a0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001400",
                "pretty_value": "PROCESS_QUERY_INFORMATION|PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "1844"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\System32\\svchost.exe"
              }
            ],
            "repeated": 0,
            "id": 5649
          },
          {
            "timestamp": "2026-05-28 22:01:57,771",
            "thread_id": "5448",
            "caller": "0x7ff6c28c068f",
            "parentcaller": "0x7ff6c28bdc11",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000006a0"
              }
            ],
            "repeated": 0,
            "id": 5650
          },
          {
            "timestamp": "2026-05-28 22:01:57,771",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c3e56",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000006a0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001000",
                "pretty_value": "PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "1844"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\System32\\svchost.exe"
              }
            ],
            "repeated": 0,
            "id": 5651
          },
          {
            "timestamp": "2026-05-28 22:01:57,771",
            "thread_id": "5448",
            "caller": "0x7ff6c28c3ebb",
            "parentcaller": "0x7ff6c28c2d53",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000006a0"
              }
            ],
            "repeated": 0,
            "id": 5652
          },
          {
            "timestamp": "2026-05-28 22:01:57,771",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c3ffc",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000006a0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001000",
                "pretty_value": "PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "1844"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\System32\\svchost.exe"
              }
            ],
            "repeated": 0,
            "id": 5653
          },
          {
            "timestamp": "2026-05-28 22:01:57,771",
            "thread_id": "5448",
            "caller": "0x7ff6c28c4224",
            "parentcaller": "0x7ff6c28c2da5",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000006a0"
              }
            ],
            "repeated": 0,
            "id": 5654
          },
          {
            "timestamp": "2026-05-28 22:01:57,771",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "filesystem",
            "api": "NtSetInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000658"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\System32\\conhost.exe"
              },
              {
                "name": "FileInformationClass",
                "value": "14",
                "pretty_value": "FilePositionInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 5655
          },
          {
            "timestamp": "2026-05-28 22:01:57,771",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29254630002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\System32\\svchost.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 5656
          },
          {
            "timestamp": "2026-05-28 22:01:57,771",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "filesystem",
            "api": "NtReadFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000658"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\System32\\conhost.exe"
              },
              {
                "name": "Buffer",
                "value": "PE\\x00\\x00d\\x86\\x07\\x00\\xdc6\\xe4/\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xf0\\x00\"\\x00\\x0b\\x02\\x0e\\x14\\x00\\xa2\t\\x00\\x00\\xcc\\x03\\x00\\x00\\x00\\x00\\x00P\\xf7\\x01\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00@\\x01\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x02\\x00\\x00"
              },
              {
                "name": "Length",
                "value": "64"
              }
            ],
            "repeated": 0,
            "id": 5657
          },
          {
            "timestamp": "2026-05-28 22:01:57,771",
            "thread_id": "612",
            "caller": "0x7ffc756e6785",
            "parentcaller": "0x7ffc7579028c",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000658"
              }
            ],
            "repeated": 0,
            "id": 5658
          },
          {
            "timestamp": "2026-05-28 22:01:57,771",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000006a0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100001",
                "pretty_value": "FILE_READ_ACCESS|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\en-US\\svchost.exe.mui"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 5659
          },
          {
            "timestamp": "2026-05-28 22:01:57,771",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x000006a4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x000006a0"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\en-US\\svchost.exe.mui"
              }
            ],
            "repeated": 0,
            "id": 5660
          },
          {
            "timestamp": "2026-05-28 22:01:57,771",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x000006a4"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254650000"
              },
              {
                "name": "SectionOffset",
                "value": "0xf09ddfcf90"
              },
              {
                "name": "ViewSize",
                "value": "0x00001000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 5661
          },
          {
            "timestamp": "2026-05-28 22:01:57,771",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000006a4"
              }
            ],
            "repeated": 0,
            "id": 5662
          },
          {
            "timestamp": "2026-05-28 22:01:57,771",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254650000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              }
            ],
            "repeated": 0,
            "id": 5663
          },
          {
            "timestamp": "2026-05-28 22:01:57,771",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000006a0"
              }
            ],
            "repeated": 0,
            "id": 5664
          },
          {
            "timestamp": "2026-05-28 22:01:57,771",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254630000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              }
            ],
            "repeated": 0,
            "id": 5665
          },
          {
            "timestamp": "2026-05-28 22:01:57,771",
            "thread_id": "612",
            "caller": "0x7ff6c296e129",
            "parentcaller": "0x7ff6c296c7fa",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Users\\admin\\AppData\\Local\\Discord\\app-1.0.9238\\modules\\discord_voice-1\\discord_voice\\gpu_encoder_helper.exe"
              }
            ],
            "repeated": 0,
            "id": 5666
          },
          {
            "timestamp": "2026-05-28 22:01:57,771",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": false,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "\\??\\C:\\Windows\\system32\\conhost.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 5667
          },
          {
            "timestamp": "2026-05-28 22:01:57,771",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000006a0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100001",
                "pretty_value": "FILE_READ_ACCESS|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\en-US\\svchost.exe.mui"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 5668
          },
          {
            "timestamp": "2026-05-28 22:01:57,771",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000658"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\conhost.exe"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "1",
                "pretty_value": "FILE_SHARE_READ"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000080",
                "pretty_value": "FILE_ATTRIBUTE_NORMAL"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 5669
          },
          {
            "timestamp": "2026-05-28 22:01:57,771",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x000006a4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x000006a0"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\en-US\\svchost.exe.mui"
              }
            ],
            "repeated": 0,
            "id": 5670
          },
          {
            "timestamp": "2026-05-28 22:01:57,771",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x000006a4"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254640000"
              },
              {
                "name": "SectionOffset",
                "value": "0xf09ddfcf80"
              },
              {
                "name": "ViewSize",
                "value": "0x00001000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 5671
          },
          {
            "timestamp": "2026-05-28 22:01:57,771",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000006a4"
              }
            ],
            "repeated": 0,
            "id": 5672
          },
          {
            "timestamp": "2026-05-28 22:01:57,771",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254640000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              }
            ],
            "repeated": 0,
            "id": 5673
          },
          {
            "timestamp": "2026-05-28 22:01:57,771",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000006a0"
              }
            ],
            "repeated": 0,
            "id": 5674
          },
          {
            "timestamp": "2026-05-28 22:01:57,771",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000658"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\System32\\conhost.exe"
              },
              {
                "name": "FileInformationClass",
                "value": "5",
                "pretty_value": "FileStandardInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\x00@\r\\x00\\x00\\x00\\x00\\x00\\x00<\r\\x00\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 5675
          },
          {
            "timestamp": "2026-05-28 22:01:57,771",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254630000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              }
            ],
            "repeated": 0,
            "id": 5676
          },
          {
            "timestamp": "2026-05-28 22:01:57,771",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "filesystem",
            "api": "NtSetInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000658"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\System32\\conhost.exe"
              },
              {
                "name": "FileInformationClass",
                "value": "14",
                "pretty_value": "FilePositionInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 5677
          },
          {
            "timestamp": "2026-05-28 22:01:57,771",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "filesystem",
            "api": "NtReadFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000658"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\System32\\conhost.exe"
              },
              {
                "name": "Buffer",
                "value": "MZ"
              },
              {
                "name": "Length",
                "value": "2"
              }
            ],
            "repeated": 0,
            "id": 5678
          },
          {
            "timestamp": "2026-05-28 22:01:57,771",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "filesystem",
            "api": "NtSetInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000658"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\System32\\conhost.exe"
              },
              {
                "name": "FileInformationClass",
                "value": "14",
                "pretty_value": "FilePositionInformation"
              },
              {
                "name": "FileInformation",
                "value": "<\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 5679
          },
          {
            "timestamp": "2026-05-28 22:01:57,771",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "filesystem",
            "api": "NtReadFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000658"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\System32\\conhost.exe"
              },
              {
                "name": "Buffer",
                "value": "\\xf0\\x00\\x00\\x00"
              },
              {
                "name": "Length",
                "value": "4"
              }
            ],
            "repeated": 0,
            "id": 5680
          },
          {
            "timestamp": "2026-05-28 22:01:57,771",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "filesystem",
            "api": "NtSetInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000658"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\System32\\conhost.exe"
              },
              {
                "name": "FileInformationClass",
                "value": "14",
                "pretty_value": "FilePositionInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 5681
          },
          {
            "timestamp": "2026-05-28 22:01:57,787",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "filesystem",
            "api": "NtReadFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000658"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\System32\\conhost.exe"
              },
              {
                "name": "Buffer",
                "value": "PE\\x00\\x00d\\x86\\x07\\x00\\xdc6\\xe4/\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xf0\\x00\"\\x00\\x0b\\x02\\x0e\\x14\\x00\\xa2\t\\x00\\x00\\xcc\\x03\\x00\\x00\\x00\\x00\\x00P\\xf7\\x01\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00@\\x01\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x02\\x00\\x00"
              },
              {
                "name": "Length",
                "value": "64"
              }
            ],
            "repeated": 0,
            "id": 5682
          },
          {
            "timestamp": "2026-05-28 22:01:57,787",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000658"
              }
            ],
            "repeated": 0,
            "id": 5683
          },
          {
            "timestamp": "2026-05-28 22:01:57,787",
            "thread_id": "612",
            "caller": "0x7ff6c296e129",
            "parentcaller": "0x7ff6c296c7fa",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\conhost.exe"
              }
            ],
            "repeated": 0,
            "id": 5684
          },
          {
            "timestamp": "2026-05-28 22:01:57,787",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29254630002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "\\\\?\\C:\\Users\\admin\\AppData\\Local\\Discord\\app-1.0.9238\\modules\\discord_voice-1\\discord_voice\\gpu_encoder_helper.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 5685
          },
          {
            "timestamp": "2026-05-28 22:01:57,787",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254630000"
              },
              {
                "name": "RegionSize",
                "value": "0x000de000"
              }
            ],
            "repeated": 0,
            "id": 5686
          },
          {
            "timestamp": "2026-05-28 22:01:57,787",
            "thread_id": "612",
            "caller": "0x7ff6c296e129",
            "parentcaller": "0x7ff6c296c7fa",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Users\\admin\\AppData\\Local\\Discord\\app-1.0.9238\\modules\\discord_voice-1\\discord_voice\\gpu_encoder_helper.exe"
              }
            ],
            "repeated": 0,
            "id": 5687
          },
          {
            "timestamp": "2026-05-28 22:01:57,787",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": false,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "\\??\\C:\\Windows\\system32\\conhost.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 5688
          },
          {
            "timestamp": "2026-05-28 22:01:57,787",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000658"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\conhost.exe"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "1",
                "pretty_value": "FILE_SHARE_READ"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000080",
                "pretty_value": "FILE_ATTRIBUTE_NORMAL"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 5689
          },
          {
            "timestamp": "2026-05-28 22:01:57,787",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000658"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\System32\\conhost.exe"
              },
              {
                "name": "FileInformationClass",
                "value": "5",
                "pretty_value": "FileStandardInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\x00@\r\\x00\\x00\\x00\\x00\\x00\\x00<\r\\x00\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 5690
          },
          {
            "timestamp": "2026-05-28 22:01:57,787",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "filesystem",
            "api": "NtSetInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000658"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\System32\\conhost.exe"
              },
              {
                "name": "FileInformationClass",
                "value": "14",
                "pretty_value": "FilePositionInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 5691
          },
          {
            "timestamp": "2026-05-28 22:01:57,787",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "filesystem",
            "api": "NtReadFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000658"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\System32\\conhost.exe"
              },
              {
                "name": "Buffer",
                "value": "MZ"
              },
              {
                "name": "Length",
                "value": "2"
              }
            ],
            "repeated": 0,
            "id": 5692
          },
          {
            "timestamp": "2026-05-28 22:01:57,787",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "filesystem",
            "api": "NtSetInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000658"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\System32\\conhost.exe"
              },
              {
                "name": "FileInformationClass",
                "value": "14",
                "pretty_value": "FilePositionInformation"
              },
              {
                "name": "FileInformation",
                "value": "<\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 5693
          },
          {
            "timestamp": "2026-05-28 22:01:57,787",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "filesystem",
            "api": "NtReadFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000658"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\System32\\conhost.exe"
              },
              {
                "name": "Buffer",
                "value": "\\xf0\\x00\\x00\\x00"
              },
              {
                "name": "Length",
                "value": "4"
              }
            ],
            "repeated": 0,
            "id": 5694
          },
          {
            "timestamp": "2026-05-28 22:01:57,787",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "filesystem",
            "api": "NtSetInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000658"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\System32\\conhost.exe"
              },
              {
                "name": "FileInformationClass",
                "value": "14",
                "pretty_value": "FilePositionInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 5695
          },
          {
            "timestamp": "2026-05-28 22:01:57,787",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "filesystem",
            "api": "NtReadFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000658"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\System32\\conhost.exe"
              },
              {
                "name": "Buffer",
                "value": "PE\\x00\\x00d\\x86\\x07\\x00\\xdc6\\xe4/\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xf0\\x00\"\\x00\\x0b\\x02\\x0e\\x14\\x00\\xa2\t\\x00\\x00\\xcc\\x03\\x00\\x00\\x00\\x00\\x00P\\xf7\\x01\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00@\\x01\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x02\\x00\\x00"
              },
              {
                "name": "Length",
                "value": "64"
              }
            ],
            "repeated": 0,
            "id": 5696
          },
          {
            "timestamp": "2026-05-28 22:01:57,787",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000658"
              }
            ],
            "repeated": 0,
            "id": 5697
          },
          {
            "timestamp": "2026-05-28 22:01:57,787",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c38f8",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000006a0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001410",
                "pretty_value": "PROCESS_VM_READ|PROCESS_QUERY_INFORMATION|PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "1844"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\System32\\svchost.exe"
              }
            ],
            "repeated": 0,
            "id": 5698
          },
          {
            "timestamp": "2026-05-28 22:01:57,787",
            "thread_id": "5448",
            "caller": "0x7ff6c28c53e5",
            "parentcaller": "0x7ff6c28c3945",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000006a0"
              },
              {
                "name": "BaseAddress",
                "value": "0xb1a5b38000"
              },
              {
                "name": "Size",
                "value": "0x000007c8"
              },
              {
                "name": "Buffer",
                "value": "\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x006\\x80\\xf7\\x7f\\x00\\x00\\xc0\\xc4\\x13x\\xfc\\x7f\\x00\\x00\\xf02`\\xaf0\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00Y\\xaf0\\x02\\x00\\x00\\xe0\\xc0\\x13x\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00p\\x003v\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00T\\xaf0\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00@\\xc4\\x13x\\xfc\\x7f\\x00\\x00\\xff\\x03\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x90+\\xf4}\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00P\\x07\\x90+\\xf4}\\x00\\x00\\x00\\x00\\xa4-\\xf5}\\x00\\x00(\\x02\\xa5-\\xf5}\\x00\\x00P\\x06\\xa6-\\xf5}\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x80\\x9b\\x07m\\xe8\\xff\\xff\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x00 \\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x10\\x00\\x00\\x00@\\xad\\x13x\\xfc\\x7f\\x00\\x00\\x00\\x00\\xad\\xaf0\\x02\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 5699
          },
          {
            "timestamp": "2026-05-28 22:01:57,787",
            "thread_id": "5448",
            "caller": "0x7ff6c28c5414",
            "parentcaller": "0x7ff6c28c3945",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000006a0"
              },
              {
                "name": "BaseAddress",
                "value": "0x230af6032f0"
              },
              {
                "name": "Size",
                "value": "0x00000440"
              },
              {
                "name": "Buffer",
                "value": "J\\x07\\x00\\x00J\\x07\\x00\\x00\\x01 \\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00(\\x00\\x08\\x02\\x00\\x00\\x00\\x00\\xb0>`\\xaf0\\x02\\x00\\x00H\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00>\\x00@\\x00\\x00\\x00\\x00\\x0089`\\xaf0\\x02\\x00\\x00|\\x00~\\x00\\x00\\x00\\x00\\x00x9`\\xaf0\\x02\\x00\\x00\\xf0'`\\xaf0\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x80\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00>\\x00@\\x00\\x00\\x00\\x00\\x00\\xf69`\\xaf0\\x02\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x006:`\\xaf0\\x02\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x008:`\\xaf0\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 5700
          },
          {
            "timestamp": "2026-05-28 22:01:57,787",
            "thread_id": "5448",
            "caller": "0x7ff6c28c545d",
            "parentcaller": "0x7ff6c28c3945",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000006a0"
              },
              {
                "name": "BaseAddress",
                "value": "0x230af603978"
              },
              {
                "name": "Size",
                "value": "0x0000007c"
              },
              {
                "name": "Buffer",
                "value": "C\\x00:\\x00\\\\x00W\\x00i\\x00n\\x00d\\x00o\\x00w\\x00s\\x00\\\\x00S\\x00y\\x00s\\x00t\\x00e\\x00m\\x003\\x002\\x00\\\\x00s\\x00v\\x00c\\x00h\\x00o\\x00s\\x00t\\x00.\\x00e\\x00x\\x00e\\x00 \\x00-\\x00k\\x00 \\x00L\\x00o\\x00c\\x00a\\x00l\\x00S\\x00e\\x00r\\x00v\\x00i\\x00c\\x00e\\x00 \\x00-\\x00p\\x00 \\x00-\\x00s\\x00 \\x00n\\x00e\\x00t\\x00p\\x00r\\x00o\\x00f\\x00m\\x00"
              }
            ],
            "repeated": 0,
            "id": 5701
          },
          {
            "timestamp": "2026-05-28 22:01:57,787",
            "thread_id": "5448",
            "caller": "0x7ff6c28c39ad",
            "parentcaller": "0x7ff6c28c31bb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000006a0"
              }
            ],
            "repeated": 0,
            "id": 5702
          },
          {
            "timestamp": "2026-05-28 22:01:57,787",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c3746",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000006a0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001000",
                "pretty_value": "PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "1844"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\System32\\svchost.exe"
              }
            ],
            "repeated": 0,
            "id": 5703
          },
          {
            "timestamp": "2026-05-28 22:01:57,787",
            "thread_id": "5448",
            "caller": "0x7ff6c28c472e",
            "parentcaller": "0x7ff6c28c375e",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000006a0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x000006a4"
              }
            ],
            "repeated": 0,
            "id": 5704
          },
          {
            "timestamp": "2026-05-28 22:01:57,787",
            "thread_id": "5448",
            "caller": "0x7ff6c28c4764",
            "parentcaller": "0x7ff6c28c375e",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "39"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 5705
          },
          {
            "timestamp": "2026-05-28 22:01:57,787",
            "thread_id": "612",
            "caller": "0x7ff6c296e129",
            "parentcaller": "0x7ff6c296c7fa",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\conhost.exe"
              }
            ],
            "repeated": 0,
            "id": 5706
          },
          {
            "timestamp": "2026-05-28 22:01:57,787",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29254630002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "\\\\?\\C:\\Users\\admin\\AppData\\Local\\Discord\\app-1.0.9238\\modules\\discord_voice-1\\discord_voice\\gpu_encoder_helper.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 5707
          },
          {
            "timestamp": "2026-05-28 22:01:57,787",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254630000"
              },
              {
                "name": "RegionSize",
                "value": "0x000de000"
              }
            ],
            "repeated": 0,
            "id": 5708
          },
          {
            "timestamp": "2026-05-28 22:01:57,787",
            "thread_id": "612",
            "caller": "0x7ff6c296e129",
            "parentcaller": "0x7ff6c296c7fa",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Users\\admin\\AppData\\Local\\Discord\\app-1.0.9238\\modules\\discord_voice-1\\discord_voice\\gpu_encoder_helper.exe"
              }
            ],
            "repeated": 0,
            "id": 5709
          },
          {
            "timestamp": "2026-05-28 22:01:57,787",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": false,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "\\??\\C:\\Windows\\system32\\conhost.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 5710
          },
          {
            "timestamp": "2026-05-28 22:01:57,787",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000006b4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\conhost.exe"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "1",
                "pretty_value": "FILE_SHARE_READ"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000080",
                "pretty_value": "FILE_ATTRIBUTE_NORMAL"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 5711
          },
          {
            "timestamp": "2026-05-28 22:01:57,787",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000006b4"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\System32\\conhost.exe"
              },
              {
                "name": "FileInformationClass",
                "value": "5",
                "pretty_value": "FileStandardInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\x00@\r\\x00\\x00\\x00\\x00\\x00\\x00<\r\\x00\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 5712
          },
          {
            "timestamp": "2026-05-28 22:01:57,787",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "filesystem",
            "api": "NtSetInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000006b4"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\System32\\conhost.exe"
              },
              {
                "name": "FileInformationClass",
                "value": "14",
                "pretty_value": "FilePositionInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 5713
          },
          {
            "timestamp": "2026-05-28 22:01:57,787",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "filesystem",
            "api": "NtReadFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000006b4"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\System32\\conhost.exe"
              },
              {
                "name": "Buffer",
                "value": "MZ"
              },
              {
                "name": "Length",
                "value": "2"
              }
            ],
            "repeated": 0,
            "id": 5714
          },
          {
            "timestamp": "2026-05-28 22:01:57,787",
            "thread_id": "5448",
            "caller": "0x7ff6c28c05ac",
            "parentcaller": "0x7ff6c28bdc11",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000006a0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001400",
                "pretty_value": "PROCESS_QUERY_INFORMATION|PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "1892"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\System32\\svchost.exe"
              }
            ],
            "repeated": 0,
            "id": 5715
          },
          {
            "timestamp": "2026-05-28 22:01:57,787",
            "thread_id": "5448",
            "caller": "0x7ff6c28c068f",
            "parentcaller": "0x7ff6c28bdc11",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000006a0"
              }
            ],
            "repeated": 0,
            "id": 5716
          },
          {
            "timestamp": "2026-05-28 22:01:57,787",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c3e56",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000006a0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001000",
                "pretty_value": "PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "1892"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\System32\\svchost.exe"
              }
            ],
            "repeated": 0,
            "id": 5717
          },
          {
            "timestamp": "2026-05-28 22:01:57,787",
            "thread_id": "5448",
            "caller": "0x7ff6c28c3ebb",
            "parentcaller": "0x7ff6c28c2d53",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000006a0"
              }
            ],
            "repeated": 0,
            "id": 5718
          },
          {
            "timestamp": "2026-05-28 22:01:57,787",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c3ffc",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000006a0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001000",
                "pretty_value": "PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "1892"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\System32\\svchost.exe"
              }
            ],
            "repeated": 0,
            "id": 5719
          },
          {
            "timestamp": "2026-05-28 22:01:57,787",
            "thread_id": "5448",
            "caller": "0x7ff6c28c4224",
            "parentcaller": "0x7ff6c28c2da5",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000006a0"
              }
            ],
            "repeated": 0,
            "id": 5720
          },
          {
            "timestamp": "2026-05-28 22:01:57,787",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "filesystem",
            "api": "NtSetInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000006b4"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\System32\\conhost.exe"
              },
              {
                "name": "FileInformationClass",
                "value": "14",
                "pretty_value": "FilePositionInformation"
              },
              {
                "name": "FileInformation",
                "value": "<\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 5721
          },
          {
            "timestamp": "2026-05-28 22:01:57,787",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29254630002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\System32\\svchost.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 5722
          },
          {
            "timestamp": "2026-05-28 22:01:57,787",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "registry",
            "api": "NtOpenKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\en-US"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\en-US"
              }
            ],
            "repeated": 0,
            "id": 5723
          },
          {
            "timestamp": "2026-05-28 22:01:57,787",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "filesystem",
            "api": "NtSetInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000006b4"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\System32\\conhost.exe"
              },
              {
                "name": "FileInformationClass",
                "value": "14",
                "pretty_value": "FilePositionInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 5724
          },
          {
            "timestamp": "2026-05-28 22:01:57,787",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000006a0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100001",
                "pretty_value": "FILE_READ_ACCESS|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\en-US\\svchost.exe.mui"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 5725
          },
          {
            "timestamp": "2026-05-28 22:01:57,787",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x000006a4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x000006a0"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\en-US\\svchost.exe.mui"
              }
            ],
            "repeated": 0,
            "id": 5726
          },
          {
            "timestamp": "2026-05-28 22:01:57,787",
            "thread_id": "612",
            "caller": "0x7ff6c290d36c",
            "parentcaller": "0x7ff6c296c16e",
            "category": "registry",
            "api": "RegEnumValueW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000588"
              },
              {
                "name": "Index",
                "value": "2"
              },
              {
                "name": "ValueName",
                "value": "Steam"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "DataLength",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\Steam"
              }
            ],
            "repeated": 0,
            "id": 5727
          },
          {
            "timestamp": "2026-05-28 22:01:57,787",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x000006a4"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254640000"
              },
              {
                "name": "SectionOffset",
                "value": "0xf09ddfcf90"
              },
              {
                "name": "ViewSize",
                "value": "0x00001000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 5728
          },
          {
            "timestamp": "2026-05-28 22:01:57,787",
            "thread_id": "612",
            "caller": "0x7ff6c290d20b",
            "parentcaller": "0x7ff6c296c1bd",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000588"
              },
              {
                "name": "ValueName",
                "value": "Steam"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\Steam"
              }
            ],
            "repeated": 0,
            "id": 5729
          },
          {
            "timestamp": "2026-05-28 22:01:57,787",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000006a4"
              }
            ],
            "repeated": 0,
            "id": 5730
          },
          {
            "timestamp": "2026-05-28 22:01:57,787",
            "thread_id": "612",
            "caller": "0x7ff6c290d2e0",
            "parentcaller": "0x7ff6c296c1bd",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000588"
              },
              {
                "name": "ValueName",
                "value": "Steam"
              },
              {
                "name": "Data",
                "value": "\"C:\\Program Files (x86)\\Steam\\steam.exe\" -silent"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\Steam"
              }
            ],
            "repeated": 0,
            "id": 5731
          },
          {
            "timestamp": "2026-05-28 22:01:57,787",
            "thread_id": "612",
            "caller": "0x7ff6c296abc5",
            "parentcaller": "0x7ff6c296e244",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000057c"
              },
              {
                "name": "ValueName",
                "value": "Steam"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\StartupApproved\\Run\\Steam"
              }
            ],
            "repeated": 0,
            "id": 5732
          },
          {
            "timestamp": "2026-05-28 22:01:57,787",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000006a0"
              }
            ],
            "repeated": 0,
            "id": 5733
          },
          {
            "timestamp": "2026-05-28 22:01:57,787",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254630000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              }
            ],
            "repeated": 0,
            "id": 5734
          },
          {
            "timestamp": "2026-05-28 22:01:57,787",
            "thread_id": "612",
            "caller": "0x7ff6c290bbeb",
            "parentcaller": "0x7ff6c296cf53",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Program Files (x86)\\Steam\\steam.exe"
              }
            ],
            "repeated": 0,
            "id": 5735
          },
          {
            "timestamp": "2026-05-28 22:01:57,787",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "registry",
            "api": "NtOpenKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\en-US"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\en-US"
              }
            ],
            "repeated": 0,
            "id": 5736
          },
          {
            "timestamp": "2026-05-28 22:01:57,787",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29254640002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Program Files (x86)\\Steam\\steam.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 5737
          },
          {
            "timestamp": "2026-05-28 22:01:57,787",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254640000"
              },
              {
                "name": "RegionSize",
                "value": "0x00708000"
              }
            ],
            "repeated": 0,
            "id": 5738
          },
          {
            "timestamp": "2026-05-28 22:01:57,787",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000006a0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100001",
                "pretty_value": "FILE_READ_ACCESS|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\en-US\\svchost.exe.mui"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 5739
          },
          {
            "timestamp": "2026-05-28 22:01:57,787",
            "thread_id": "612",
            "caller": "0x7ff6c28c9b37",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254640000"
              },
              {
                "name": "RegionSize",
                "value": "0x00708000"
              }
            ],
            "repeated": 0,
            "id": 5740
          },
          {
            "timestamp": "2026-05-28 22:01:57,787",
            "thread_id": "612",
            "caller": "0x7ff6c296e129",
            "parentcaller": "0x7ff6c296d3aa",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Program Files (x86)\\Steam\\steam.exe"
              }
            ],
            "repeated": 0,
            "id": 5741
          },
          {
            "timestamp": "2026-05-28 22:01:57,787",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254630000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              }
            ],
            "repeated": 0,
            "id": 5742
          },
          {
            "timestamp": "2026-05-28 22:01:57,787",
            "thread_id": "612",
            "caller": "0x7ff6c290bbeb",
            "parentcaller": "0x7ff6c296c7b4",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Program Files (x86)\\Steam\\steam.exe"
              }
            ],
            "repeated": 0,
            "id": 5743
          },
          {
            "timestamp": "2026-05-28 22:01:57,787",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29254630002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Program Files (x86)\\Steam\\steam.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 5744
          },
          {
            "timestamp": "2026-05-28 22:01:57,787",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254630000"
              },
              {
                "name": "RegionSize",
                "value": "0x00708000"
              }
            ],
            "repeated": 0,
            "id": 5745
          },
          {
            "timestamp": "2026-05-28 22:01:57,787",
            "thread_id": "612",
            "caller": "0x7ff6c28c9b37",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29254630002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Program Files (x86)\\Steam\\steam.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 5746
          },
          {
            "timestamp": "2026-05-28 22:01:57,787",
            "thread_id": "612",
            "caller": "0x7ff6c28c9b37",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254630000"
              },
              {
                "name": "RegionSize",
                "value": "0x00708000"
              }
            ],
            "repeated": 0,
            "id": 5747
          },
          {
            "timestamp": "2026-05-28 22:01:57,787",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000006b4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000400",
                "pretty_value": "PROCESS_QUERY_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "7912"
              }
            ],
            "repeated": 0,
            "id": 5748
          },
          {
            "timestamp": "2026-05-28 22:01:57,787",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x000006b0"
              }
            ],
            "repeated": 0,
            "id": 5749
          },
          {
            "timestamp": "2026-05-28 22:01:57,787",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xe0\\xe7\\xff\\x9d\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\xe9\\x03\\x00\\x00\\xf6\\x7f\\x00\\x00\\x0b\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\xe0\r\\xecP\\x92\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xecP\\x92\\x02\\x00\\x00H\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 5750
          },
          {
            "timestamp": "2026-05-28 22:01:57,787",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "synchronization",
            "api": "NtCreateMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000006b8"
              },
              {
                "name": "MutexName",
                "value": "Global\\C::Users:admin:AppData:Local:Microsoft:Windows:Explorer:iconcache_idx.db!rwReaderRefs"
              },
              {
                "name": "InitialOwner",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 5751
          },
          {
            "timestamp": "2026-05-28 22:01:57,787",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000006b0"
              }
            ],
            "repeated": 0,
            "id": 5752
          },
          {
            "timestamp": "2026-05-28 22:01:57,787",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000006b4"
              }
            ],
            "repeated": 0,
            "id": 5753
          },
          {
            "timestamp": "2026-05-28 22:01:57,787",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c38f8",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000006a0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001410",
                "pretty_value": "PROCESS_VM_READ|PROCESS_QUERY_INFORMATION|PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "1892"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\System32\\svchost.exe"
              }
            ],
            "repeated": 0,
            "id": 5754
          },
          {
            "timestamp": "2026-05-28 22:01:57,787",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000005d4"
              },
              {
                "name": "HandleName",
                "value": "C:\\Users\\admin\\AppData\\Local\\Microsoft\\Windows\\Explorer\\iconcache_idx.db"
              },
              {
                "name": "FileInformationClass",
                "value": "5",
                "pretty_value": "FileStandardInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\x00\\x80\\x00\\x00\\x00\\x00\\x00\\x000r\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 5755
          },
          {
            "timestamp": "2026-05-28 22:01:57,787",
            "thread_id": "5448",
            "caller": "0x7ff6c28c53e5",
            "parentcaller": "0x7ff6c28c3945",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000006a0"
              },
              {
                "name": "BaseAddress",
                "value": "0xbe9d7ac000"
              },
              {
                "name": "Size",
                "value": "0x000007c8"
              },
              {
                "name": "Buffer",
                "value": "\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x006\\x80\\xf7\\x7f\\x00\\x00\\xc0\\xc4\\x13x\\xfc\\x7f\\x00\\x00\\xf02@\\x7fL\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x009\\x7fL\\x02\\x00\\x00\\xe0\\xc0\\x13x\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00p\\x003v\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x004\\x7fL\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00@\\xc4\\x13x\\xfc\\x7f\\x00\\x00\\x1f\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x12\\xa5\\xf4}\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00P\\x07\\x12\\xa5\\xf4}\\x00\\x00\\x00\\x00&\\xa7\\xf5}\\x00\\x00(\\x02'\\xa7\\xf5}\\x00\\x00P\\x06(\\xa7\\xf5}\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x80\\x9b\\x07m\\xe8\\xff\\xff\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x00 \\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x10\\x00\\x00\\x00@\\xad\\x13x\\xfc\\x7f\\x00\\x00\\x00\\x00\\x8d\\x7fL\\x02\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 5756
          },
          {
            "timestamp": "2026-05-28 22:01:57,787",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000006b4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000400",
                "pretty_value": "PROCESS_QUERY_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "7912"
              }
            ],
            "repeated": 0,
            "id": 5757
          },
          {
            "timestamp": "2026-05-28 22:01:57,787",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x000006b0"
              }
            ],
            "repeated": 0,
            "id": 5758
          },
          {
            "timestamp": "2026-05-28 22:01:57,787",
            "thread_id": "5448",
            "caller": "0x7ff6c28c545d",
            "parentcaller": "0x7ff6c28c3945",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000006a0"
              },
              {
                "name": "BaseAddress",
                "value": "0x24c7f403978"
              },
              {
                "name": "Size",
                "value": "0x0000007e"
              },
              {
                "name": "Buffer",
                "value": "C\\x00:\\x00\\\\x00W\\x00i\\x00n\\x00d\\x00o\\x00w\\x00s\\x00\\\\x00s\\x00y\\x00s\\x00t\\x00e\\x00m\\x003\\x002\\x00\\\\x00s\\x00v\\x00c\\x00h\\x00o\\x00s\\x00t\\x00.\\x00e\\x00x\\x00e\\x00 \\x00-\\x00k\\x00 \\x00L\\x00o\\x00c\\x00a\\x00l\\x00S\\x00e\\x00r\\x00v\\x00i\\x00c\\x00e\\x00 \\x00-\\x00p\\x00 \\x00-\\x00s\\x00 \\x00F\\x00o\\x00n\\x00t\\x00C\\x00a\\x00c\\x00h\\x00e\\x00"
              }
            ],
            "repeated": 0,
            "id": 5759
          },
          {
            "timestamp": "2026-05-28 22:01:57,787",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xa0\\xe8\\xff\\x9d\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\xe9\\x03\\x00\\x00\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x19\\xeb\\xff\\x9d\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00T\\x82*_\\xfc\\x7f\\x00\\x004\\x006\\x005\\x00d\\x008\\x00\\x00\\x00\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x000\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x18\\xea\\xff\\x9d\\xf0\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 5760
          },
          {
            "timestamp": "2026-05-28 22:01:57,787",
            "thread_id": "5448",
            "caller": "0x7ff6c28c39ad",
            "parentcaller": "0x7ff6c28c31bb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000006a0"
              }
            ],
            "repeated": 0,
            "id": 5761
          },
          {
            "timestamp": "2026-05-28 22:01:57,787",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "synchronization",
            "api": "NtCreateMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000006bc"
              },
              {
                "name": "MutexName",
                "value": "Global\\C::Users:admin:AppData:Local:Microsoft:Windows:Explorer:iconcache_idx.db!0465d8"
              },
              {
                "name": "InitialOwner",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 5762
          },
          {
            "timestamp": "2026-05-28 22:01:57,787",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c3746",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000006a0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001000",
                "pretty_value": "PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "1892"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\System32\\svchost.exe"
              }
            ],
            "repeated": 0,
            "id": 5763
          },
          {
            "timestamp": "2026-05-28 22:01:57,787",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000006b0"
              }
            ],
            "repeated": 0,
            "id": 5764
          },
          {
            "timestamp": "2026-05-28 22:01:57,787",
            "thread_id": "5448",
            "caller": "0x7ff6c28c472e",
            "parentcaller": "0x7ff6c28c375e",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000006a0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x000006a4"
              }
            ],
            "repeated": 0,
            "id": 5765
          },
          {
            "timestamp": "2026-05-28 22:01:57,787",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000006b4"
              }
            ],
            "repeated": 0,
            "id": 5766
          },
          {
            "timestamp": "2026-05-28 22:01:57,787",
            "thread_id": "5448",
            "caller": "0x7ff6c28c4764",
            "parentcaller": "0x7ff6c28c375e",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "39"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 5767
          },
          {
            "timestamp": "2026-05-28 22:01:57,787",
            "thread_id": "5448",
            "caller": "0x7ff6c28c47ed",
            "parentcaller": "0x7ff6c28c375e",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "39"
              },
              {
                "name": "TokenInformation",
                "value": "\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\xe0E\\x1fT\\x92\\x02\\x00\\x00 \\x00 \\x00\\x00\\x00\\x00\\x00\\x08F\\x1fT\\x92\\x02\\x00\\x00\\x02\\x00\\x00\\x00A\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00(F\\x1fT\\x92\\x02\\x00\\x00T\\x00S\\x00A\\x00:\\x00/\\x00/\\x00P\\x00r\\x00o\\x00c\\x00U\\x00n\\x00i\\x00q\\x00u\\x00e\\x00,\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x950\\x01\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 5768
          },
          {
            "timestamp": "2026-05-28 22:01:57,787",
            "thread_id": "5448",
            "caller": "0x7ff6c28c488d",
            "parentcaller": "0x7ff6c28c375e",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000006a4"
              }
            ],
            "repeated": 0,
            "id": 5769
          },
          {
            "timestamp": "2026-05-28 22:01:57,787",
            "thread_id": "5448",
            "caller": "0x7ff6c28c3779",
            "parentcaller": "0x7ff6c28c31c6",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000006a0"
              }
            ],
            "repeated": 0,
            "id": 5770
          },
          {
            "timestamp": "2026-05-28 22:01:57,787",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000620"
              },
              {
                "name": "HandleName",
                "value": "C:\\Users\\admin\\AppData\\Local\\Microsoft\\Windows\\Explorer\\iconcache_16.db"
              },
              {
                "name": "FileInformationClass",
                "value": "5",
                "pretty_value": "FileStandardInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 5771
          },
          {
            "timestamp": "2026-05-28 22:01:57,787",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000006b8"
              }
            ],
            "repeated": 0,
            "id": 5772
          },
          {
            "timestamp": "2026-05-28 22:01:57,787",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000006b8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000400",
                "pretty_value": "PROCESS_QUERY_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "7912"
              }
            ],
            "repeated": 0,
            "id": 5773
          },
          {
            "timestamp": "2026-05-28 22:01:57,787",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x000006b4"
              }
            ],
            "repeated": 0,
            "id": 5774
          },
          {
            "timestamp": "2026-05-28 22:01:57,787",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xb0\\xe8\\xff\\x9d\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\xe9\\x03\\x00\\x00\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00P\\xe9\\xff\\x9d\\xf0\\x00\\x00\\x00\\xf8\\xea\\xff\\x9d\\xf0\\x00\\x00\\x00\\xd8eBT\\x92\\x02\\x00\\x000\\xe9\\xff\\x9d\\xf0\\x00\\x00\\x00\\x80\\xe9\\xff\\x9d\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xf0\\x00\\x00\\x00\\x00\\x00>T\\x92\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00u\\xc0\\x00\\x00\\x00\\x00>T\\x92\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 5775
          },
          {
            "timestamp": "2026-05-28 22:01:57,787",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "synchronization",
            "api": "NtCreateMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000006b0"
              },
              {
                "name": "MutexName",
                "value": "Global\\C::Users:admin:AppData:Local:Microsoft:Windows:Explorer:iconcache_idx.db!rwReaderRefs"
              },
              {
                "name": "InitialOwner",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 5776
          },
          {
            "timestamp": "2026-05-28 22:01:57,787",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000006b4"
              }
            ],
            "repeated": 0,
            "id": 5777
          },
          {
            "timestamp": "2026-05-28 22:01:57,787",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000006b8"
              }
            ],
            "repeated": 0,
            "id": 5778
          },
          {
            "timestamp": "2026-05-28 22:01:57,787",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000006b0"
              }
            ],
            "repeated": 0,
            "id": 5779
          },
          {
            "timestamp": "2026-05-28 22:01:57,787",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000006bc"
              }
            ],
            "repeated": 0,
            "id": 5780
          },
          {
            "timestamp": "2026-05-28 22:01:57,787",
            "thread_id": "5448",
            "caller": "0x7ff6c28c05ac",
            "parentcaller": "0x7ff6c28bdc11",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000006a0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001400",
                "pretty_value": "PROCESS_QUERY_INFORMATION|PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "1976"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\System32\\svchost.exe"
              }
            ],
            "repeated": 0,
            "id": 5781
          },
          {
            "timestamp": "2026-05-28 22:01:57,787",
            "thread_id": "5448",
            "caller": "0x7ff6c28c068f",
            "parentcaller": "0x7ff6c28bdc11",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000006a0"
              }
            ],
            "repeated": 0,
            "id": 5782
          },
          {
            "timestamp": "2026-05-28 22:01:57,787",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c3e56",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000006a0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001000",
                "pretty_value": "PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "1976"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\System32\\svchost.exe"
              }
            ],
            "repeated": 0,
            "id": 5783
          },
          {
            "timestamp": "2026-05-28 22:01:57,787",
            "thread_id": "5448",
            "caller": "0x7ff6c28c3ebb",
            "parentcaller": "0x7ff6c28c2d53",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000006a0"
              }
            ],
            "repeated": 0,
            "id": 5784
          },
          {
            "timestamp": "2026-05-28 22:01:57,787",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c3ffc",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000006a0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001000",
                "pretty_value": "PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "1976"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\System32\\svchost.exe"
              }
            ],
            "repeated": 0,
            "id": 5785
          },
          {
            "timestamp": "2026-05-28 22:01:57,787",
            "thread_id": "5448",
            "caller": "0x7ff6c28c4224",
            "parentcaller": "0x7ff6c28c2da5",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000006a0"
              }
            ],
            "repeated": 0,
            "id": 5786
          },
          {
            "timestamp": "2026-05-28 22:01:57,787",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29254640002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\System32\\svchost.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 5787
          },
          {
            "timestamp": "2026-05-28 22:01:57,787",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "registry",
            "api": "NtOpenKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\en-US"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\en-US"
              }
            ],
            "repeated": 0,
            "id": 5788
          },
          {
            "timestamp": "2026-05-28 22:01:57,787",
            "thread_id": "612",
            "caller": "0x7ff6c296e129",
            "parentcaller": "0x7ff6c296c7fa",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Program Files (x86)\\Steam\\steam.exe"
              }
            ],
            "repeated": 0,
            "id": 5789
          },
          {
            "timestamp": "2026-05-28 22:01:57,787",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000006a0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100001",
                "pretty_value": "FILE_READ_ACCESS|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\en-US\\svchost.exe.mui"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 5790
          },
          {
            "timestamp": "2026-05-28 22:01:57,787",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000658"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000400",
                "pretty_value": "PROCESS_QUERY_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "7912"
              }
            ],
            "repeated": 0,
            "id": 5791
          },
          {
            "timestamp": "2026-05-28 22:01:57,787",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x000006ac"
              }
            ],
            "repeated": 0,
            "id": 5792
          },
          {
            "timestamp": "2026-05-28 22:01:57,787",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xe0\\xe7\\xff\\x9d\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\xe9\\x03\\x00\\x00\\xfc\\x7f\\x00\\x00`^\\xe8S\\x92\\x02\\x00\\x00`\\xee\\xff\\x9d\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00z\\x00\\x00\\x00\\x00\\x00\\x00\\x00H\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 5793
          },
          {
            "timestamp": "2026-05-28 22:01:57,787",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "synchronization",
            "api": "NtCreateMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000006a8"
              },
              {
                "name": "MutexName",
                "value": "Global\\C::Users:admin:AppData:Local:Microsoft:Windows:Explorer:iconcache_idx.db!rwReaderRefs"
              },
              {
                "name": "InitialOwner",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 5794
          },
          {
            "timestamp": "2026-05-28 22:01:57,787",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x000006a4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x000006a0"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\en-US\\svchost.exe.mui"
              }
            ],
            "repeated": 0,
            "id": 5795
          },
          {
            "timestamp": "2026-05-28 22:01:57,787",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x000006a4"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254630000"
              },
              {
                "name": "SectionOffset",
                "value": "0xf09ddfcf90"
              },
              {
                "name": "ViewSize",
                "value": "0x00001000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 5796
          },
          {
            "timestamp": "2026-05-28 22:01:57,787",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000006a4"
              }
            ],
            "repeated": 0,
            "id": 5797
          },
          {
            "timestamp": "2026-05-28 22:01:57,787",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254630000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              }
            ],
            "repeated": 0,
            "id": 5798
          },
          {
            "timestamp": "2026-05-28 22:01:57,787",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000006a0"
              }
            ],
            "repeated": 0,
            "id": 5799
          },
          {
            "timestamp": "2026-05-28 22:01:57,787",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254640000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              }
            ],
            "repeated": 0,
            "id": 5800
          },
          {
            "timestamp": "2026-05-28 22:01:57,787",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29254630002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\System32\\svchost.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 5801
          },
          {
            "timestamp": "2026-05-28 22:01:57,787",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "registry",
            "api": "NtOpenKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\en-US"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\en-US"
              }
            ],
            "repeated": 0,
            "id": 5802
          },
          {
            "timestamp": "2026-05-28 22:01:57,787",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000006a8"
              }
            ],
            "repeated": 0,
            "id": 5803
          },
          {
            "timestamp": "2026-05-28 22:01:57,787",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000006a8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000400",
                "pretty_value": "PROCESS_QUERY_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "7912"
              }
            ],
            "repeated": 0,
            "id": 5804
          },
          {
            "timestamp": "2026-05-28 22:01:57,787",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x00000658"
              }
            ],
            "repeated": 0,
            "id": 5805
          },
          {
            "timestamp": "2026-05-28 22:01:57,787",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xf0\\xe7\\xff\\x9d\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\xe9\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xf0\\x05\\x00\\x00\\x00\\x00\\x00\\x00 \\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x02\\x00\\x00\\x00\\x00\\x00\\x00]\\xddmu\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00j\\x05'Ou\\xc0\\x00\\x00\\x88X\\x1cT\\x92\\x02\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 5806
          },
          {
            "timestamp": "2026-05-28 22:01:57,787",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "synchronization",
            "api": "NtCreateMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000006ac"
              },
              {
                "name": "MutexName",
                "value": "Global\\C::Users:admin:AppData:Local:Microsoft:Windows:Explorer:iconcache_idx.db!rwReaderRefs"
              },
              {
                "name": "InitialOwner",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 5807
          },
          {
            "timestamp": "2026-05-28 22:01:57,787",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000658"
              }
            ],
            "repeated": 0,
            "id": 5808
          },
          {
            "timestamp": "2026-05-28 22:01:57,787",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000006a8"
              }
            ],
            "repeated": 0,
            "id": 5809
          },
          {
            "timestamp": "2026-05-28 22:01:57,787",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000006ac"
              }
            ],
            "repeated": 0,
            "id": 5810
          },
          {
            "timestamp": "2026-05-28 22:01:57,787",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000006a0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100001",
                "pretty_value": "FILE_READ_ACCESS|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\en-US\\svchost.exe.mui"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 5811
          },
          {
            "timestamp": "2026-05-28 22:01:57,787",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29254640002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\system32\\imageres.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 5812
          },
          {
            "timestamp": "2026-05-28 22:01:57,787",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "registry",
            "api": "NtOpenKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\en-US"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\en-US"
              }
            ],
            "repeated": 0,
            "id": 5813
          },
          {
            "timestamp": "2026-05-28 22:01:57,787",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x000006a4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x000006a0"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\en-US\\svchost.exe.mui"
              }
            ],
            "repeated": 0,
            "id": 5814
          },
          {
            "timestamp": "2026-05-28 22:01:57,787",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x000006a4"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254650000"
              },
              {
                "name": "SectionOffset",
                "value": "0xf09ddfcf80"
              },
              {
                "name": "ViewSize",
                "value": "0x00001000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 5815
          },
          {
            "timestamp": "2026-05-28 22:01:57,787",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000006a4"
              }
            ],
            "repeated": 0,
            "id": 5816
          },
          {
            "timestamp": "2026-05-28 22:01:57,787",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254650000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              }
            ],
            "repeated": 0,
            "id": 5817
          },
          {
            "timestamp": "2026-05-28 22:01:57,787",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000006a0"
              }
            ],
            "repeated": 0,
            "id": 5818
          },
          {
            "timestamp": "2026-05-28 22:01:57,787",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000006ac"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100001",
                "pretty_value": "FILE_READ_ACCESS|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\en-US\\imageres.dll.mui"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 5819
          },
          {
            "timestamp": "2026-05-28 22:01:57,787",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x000006a8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x000006ac"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\en-US\\imageres.dll.mui"
              }
            ],
            "repeated": 0,
            "id": 5820
          },
          {
            "timestamp": "2026-05-28 22:01:57,787",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x000006a8"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254630000"
              },
              {
                "name": "SectionOffset",
                "value": "0xf09dffc770"
              },
              {
                "name": "ViewSize",
                "value": "0x00001000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 5821
          },
          {
            "timestamp": "2026-05-28 22:01:57,787",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000006a8"
              }
            ],
            "repeated": 0,
            "id": 5822
          },
          {
            "timestamp": "2026-05-28 22:01:57,787",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": false,
            "return": "0xffffffffc000003a",
            "pretty_return": "OBJECT_PATH_NOT_FOUND",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100001",
                "pretty_value": "FILE_READ_ACCESS|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\SystemResources\\imageres.dll.mui.mun"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 5823
          },
          {
            "timestamp": "2026-05-28 22:01:57,787",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c38f8",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000006a0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001410",
                "pretty_value": "PROCESS_VM_READ|PROCESS_QUERY_INFORMATION|PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "1976"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\System32\\svchost.exe"
              }
            ],
            "repeated": 0,
            "id": 5824
          },
          {
            "timestamp": "2026-05-28 22:01:57,787",
            "thread_id": "5448",
            "caller": "0x7ff6c28c53e5",
            "parentcaller": "0x7ff6c28c3945",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000006a0"
              },
              {
                "name": "BaseAddress",
                "value": "0xc87f4a9000"
              },
              {
                "name": "Size",
                "value": "0x000007c8"
              },
              {
                "name": "Buffer",
                "value": "\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x006\\x80\\xf7\\x7f\\x00\\x00\\xc0\\xc4\\x13x\\xfc\\x7f\\x00\\x00\\xf02\\x80\\xf6\\xe0\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00k\\xf6\\xe0\\x01\\x00\\x00\\xe0\\xc0\\x13x\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00p\\x003v\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00f\\xf6\\xe0\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00@\\xc4\\x13x\\xfc\\x7f\\x00\\x00\\x7f\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00-*\\xf4}\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00P\\x07-*\\xf4}\\x00\\x00\\x00\\x00A,\\xf5}\\x00\\x00(\\x02B,\\xf5}\\x00\\x00P\\x06C,\\xf5}\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x80\\x9b\\x07m\\xe8\\xff\\xff\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x00 \\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x10\\x00\\x00\\x00@\\xad\\x13x\\xfc\\x7f\\x00\\x00\\x00\\x00\\xc0\\xf6\\xe0\\x01\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 5825
          },
          {
            "timestamp": "2026-05-28 22:01:57,787",
            "thread_id": "5448",
            "caller": "0x7ff6c28c5414",
            "parentcaller": "0x7ff6c28c3945",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000006a0"
              },
              {
                "name": "BaseAddress",
                "value": "0x1e0f68032f0"
              },
              {
                "name": "Size",
                "value": "0x00000440"
              },
              {
                "name": "Buffer",
                "value": "T\\x07\\x00\\x00T\\x07\\x00\\x00\\x01 \\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00(\\x00\\x08\\x02\\x00\\x00\\x00\\x00\\xc0>\\x80\\xf6\\xe0\\x01\\x00\\x00H\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00>\\x00@\\x00\\x00\\x00\\x00\\x0089\\x80\\xf6\\xe0\\x01\\x00\\x00\\x86\\x00\\x88\\x00\\x00\\x00\\x00\\x00x9\\x80\\xf6\\xe0\\x01\\x00\\x00\\xf0'\\x80\\xf6\\xe0\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x80\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00>\\x00@\\x00\\x00\\x00\\x00\\x00\\x00:\\x80\\xf6\\xe0\\x01\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00@:\\x80\\xf6\\xe0\\x01\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00B:\\x80\\xf6\\xe0\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 5826
          },
          {
            "timestamp": "2026-05-28 22:01:57,787",
            "thread_id": "5448",
            "caller": "0x7ff6c28c545d",
            "parentcaller": "0x7ff6c28c3945",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000006a0"
              },
              {
                "name": "BaseAddress",
                "value": "0x1e0f6803978"
              },
              {
                "name": "Size",
                "value": "0x00000086"
              },
              {
                "name": "Buffer",
                "value": "C\\x00:\\x00\\\\x00W\\x00i\\x00n\\x00d\\x00o\\x00w\\x00s\\x00\\\\x00S\\x00y\\x00s\\x00t\\x00e\\x00m\\x003\\x002\\x00\\\\x00s\\x00v\\x00c\\x00h\\x00o\\x00s\\x00t\\x00.\\x00e\\x00x\\x00e\\x00 \\x00-\\x00k\\x00 \\x00L\\x00o\\x00c\\x00a\\x00l\\x00S\\x00e\\x00r\\x00v\\x00i\\x00c\\x00e\\x00N\\x00e\\x00t\\x00w\\x00o\\x00r\\x00k\\x00R\\x00e\\x00s\\x00t\\x00r\\x00i\\x00c\\x00t\\x00e\\x00d\\x00 \\x00-\\x00p\\x00"
              }
            ],
            "repeated": 0,
            "id": 5827
          },
          {
            "timestamp": "2026-05-28 22:01:57,787",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000006a8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100001",
                "pretty_value": "FILE_READ_ACCESS|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\SystemResources\\imageres.dll.mun"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 5828
          },
          {
            "timestamp": "2026-05-28 22:01:57,787",
            "thread_id": "5448",
            "caller": "0x7ff6c28c47ed",
            "parentcaller": "0x7ff6c28c375e",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "39"
              },
              {
                "name": "TokenInformation",
                "value": "\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\xf0\\x85\\x1fT\\x92\\x02\\x00\\x00 \\x00 \\x00\\x00\\x00\\x00\\x00\\x18\\x86\\x1fT\\x92\\x02\\x00\\x00\\x02\\x00\\x00\\x00A\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x008\\x86\\x1fT\\x92\\x02\\x00\\x00T\\x00S\\x00A\\x00:\\x00/\\x00/\\x00P\\x00r\\x00o\\x00c\\x00U\\x00n\\x00i\\x00q\\x00u\\x00e\\x00.\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xe48\\x01\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 5829
          },
          {
            "timestamp": "2026-05-28 22:01:57,787",
            "thread_id": "5448",
            "caller": "0x7ff6c28c488d",
            "parentcaller": "0x7ff6c28c375e",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000006a4"
              }
            ],
            "repeated": 0,
            "id": 5830
          },
          {
            "timestamp": "2026-05-28 22:01:57,787",
            "thread_id": "5448",
            "caller": "0x7ff6c28c3779",
            "parentcaller": "0x7ff6c28c31c6",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000006a0"
              }
            ],
            "repeated": 0,
            "id": 5831
          },
          {
            "timestamp": "2026-05-28 22:01:57,787",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000658"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x000006a8"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\SystemResources\\imageres.dll.mun"
              }
            ],
            "repeated": 0,
            "id": 5832
          },
          {
            "timestamp": "2026-05-28 22:01:57,787",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000658"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254650000"
              },
              {
                "name": "SectionOffset",
                "value": "0xf09dffc720"
              },
              {
                "name": "ViewSize",
                "value": "0x013c0000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 5833
          },
          {
            "timestamp": "2026-05-28 22:01:57,787",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000658"
              }
            ],
            "repeated": 0,
            "id": 5834
          },
          {
            "timestamp": "2026-05-28 22:01:57,787",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "misc",
            "api": "FindResourceExW",
            "status": true,
            "return": "0x29254672e40",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29254640002"
              },
              {
                "name": "Type",
                "value": "#14"
              },
              {
                "name": "Name",
                "value": "#15"
              },
              {
                "name": "Language",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 5835
          },
          {
            "timestamp": "2026-05-28 22:01:57,787",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "misc",
            "api": "LoadResource",
            "status": true,
            "return": "0x292546e6950",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29254640002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29254672e40"
              }
            ],
            "repeated": 0,
            "id": 5836
          },
          {
            "timestamp": "2026-05-28 22:01:57,787",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "misc",
            "api": "FindResourceExW",
            "status": true,
            "return": "0x29254668940",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29254640002"
              },
              {
                "name": "Type",
                "value": "#3"
              },
              {
                "name": "Name",
                "value": "#63"
              },
              {
                "name": "Language",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 5837
          },
          {
            "timestamp": "2026-05-28 22:01:57,787",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "misc",
            "api": "SizeofResource",
            "status": true,
            "return": "0x00000468",
            "arguments": [
              {
                "name": "ModuleHandle",
                "value": "0x29254640002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29254668940"
              }
            ],
            "repeated": 0,
            "id": 5838
          },
          {
            "timestamp": "2026-05-28 22:01:57,787",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "misc",
            "api": "LoadResource",
            "status": true,
            "return": "0x292546e64e8",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29254640002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29254668940"
              }
            ],
            "repeated": 0,
            "id": 5839
          },
          {
            "timestamp": "2026-05-28 22:01:57,787",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254650000"
              },
              {
                "name": "RegionSize",
                "value": "0x013c0000"
              }
            ],
            "repeated": 0,
            "id": 5840
          },
          {
            "timestamp": "2026-05-28 22:01:57,787",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000006a8"
              }
            ],
            "repeated": 0,
            "id": 5841
          },
          {
            "timestamp": "2026-05-28 22:01:57,787",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254630000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              }
            ],
            "repeated": 0,
            "id": 5842
          },
          {
            "timestamp": "2026-05-28 22:01:57,787",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000006ac"
              }
            ],
            "repeated": 0,
            "id": 5843
          },
          {
            "timestamp": "2026-05-28 22:01:57,787",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254640000"
              },
              {
                "name": "RegionSize",
                "value": "0x00003000"
              }
            ],
            "repeated": 0,
            "id": 5844
          },
          {
            "timestamp": "2026-05-28 22:01:57,787",
            "thread_id": "5448",
            "caller": "0x7ff6c28c05ac",
            "parentcaller": "0x7ff6c28bdc11",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000006a0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001400",
                "pretty_value": "PROCESS_QUERY_INFORMATION|PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "348"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\System32\\svchost.exe"
              }
            ],
            "repeated": 0,
            "id": 5845
          },
          {
            "timestamp": "2026-05-28 22:01:57,787",
            "thread_id": "5448",
            "caller": "0x7ff6c28c068f",
            "parentcaller": "0x7ff6c28bdc11",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000006a0"
              }
            ],
            "repeated": 0,
            "id": 5846
          },
          {
            "timestamp": "2026-05-28 22:01:57,787",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c3e56",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000006a0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001000",
                "pretty_value": "PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "348"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\System32\\svchost.exe"
              }
            ],
            "repeated": 0,
            "id": 5847
          },
          {
            "timestamp": "2026-05-28 22:01:57,787",
            "thread_id": "5448",
            "caller": "0x7ff6c28c3ebb",
            "parentcaller": "0x7ff6c28c2d53",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000006a0"
              }
            ],
            "repeated": 0,
            "id": 5848
          },
          {
            "timestamp": "2026-05-28 22:01:57,787",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c3ffc",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000006a0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001000",
                "pretty_value": "PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "348"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\System32\\svchost.exe"
              }
            ],
            "repeated": 0,
            "id": 5849
          },
          {
            "timestamp": "2026-05-28 22:01:57,787",
            "thread_id": "5448",
            "caller": "0x7ff6c28c4224",
            "parentcaller": "0x7ff6c28c2da5",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000006a0"
              }
            ],
            "repeated": 0,
            "id": 5850
          },
          {
            "timestamp": "2026-05-28 22:01:57,787",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29254630002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\System32\\svchost.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 5851
          },
          {
            "timestamp": "2026-05-28 22:01:57,787",
            "thread_id": "612",
            "caller": "0x7ff6c296e129",
            "parentcaller": "0x7ff6c296c7fa",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": false,
            "return": "0xffffffffc000003a",
            "pretty_return": "OBJECT_PATH_NOT_FOUND",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\bin\\vulkandriverquery64.exe"
              }
            ],
            "repeated": 0,
            "id": 5852
          },
          {
            "timestamp": "2026-05-28 22:01:57,787",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": false,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "\\??\\C:\\Windows\\system32\\conhost.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 5853
          },
          {
            "timestamp": "2026-05-28 22:01:57,787",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000006a0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100001",
                "pretty_value": "FILE_READ_ACCESS|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\en-US\\svchost.exe.mui"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 5854
          },
          {
            "timestamp": "2026-05-28 22:01:57,787",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000006ac"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\conhost.exe"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "1",
                "pretty_value": "FILE_SHARE_READ"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000080",
                "pretty_value": "FILE_ATTRIBUTE_NORMAL"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 5855
          },
          {
            "timestamp": "2026-05-28 22:01:57,787",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29254630002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\System32\\svchost.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 5856
          },
          {
            "timestamp": "2026-05-28 22:01:57,787",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "registry",
            "api": "NtOpenKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\en-US"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\en-US"
              }
            ],
            "repeated": 0,
            "id": 5857
          },
          {
            "timestamp": "2026-05-28 22:01:57,787",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000006a8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100001",
                "pretty_value": "FILE_READ_ACCESS|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\en-US\\svchost.exe.mui"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 5858
          },
          {
            "timestamp": "2026-05-28 22:01:57,787",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000006ac"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\System32\\conhost.exe"
              },
              {
                "name": "FileInformationClass",
                "value": "5",
                "pretty_value": "FileStandardInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\x00@\r\\x00\\x00\\x00\\x00\\x00\\x00<\r\\x00\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 5859
          },
          {
            "timestamp": "2026-05-28 22:01:57,787",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x000006bc"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x000006a8"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\en-US\\svchost.exe.mui"
              }
            ],
            "repeated": 0,
            "id": 5860
          },
          {
            "timestamp": "2026-05-28 22:01:57,787",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x000006bc"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254640000"
              },
              {
                "name": "SectionOffset",
                "value": "0xf09ddfcf80"
              },
              {
                "name": "ViewSize",
                "value": "0x00001000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 5861
          },
          {
            "timestamp": "2026-05-28 22:01:57,787",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000006bc"
              }
            ],
            "repeated": 0,
            "id": 5862
          },
          {
            "timestamp": "2026-05-28 22:01:57,787",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254640000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              }
            ],
            "repeated": 0,
            "id": 5863
          },
          {
            "timestamp": "2026-05-28 22:01:57,787",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "filesystem",
            "api": "NtSetInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000006ac"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\System32\\conhost.exe"
              },
              {
                "name": "FileInformationClass",
                "value": "14",
                "pretty_value": "FilePositionInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 5864
          },
          {
            "timestamp": "2026-05-28 22:01:57,787",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254630000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              }
            ],
            "repeated": 0,
            "id": 5865
          },
          {
            "timestamp": "2026-05-28 22:01:57,787",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "filesystem",
            "api": "NtReadFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000006ac"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\System32\\conhost.exe"
              },
              {
                "name": "Buffer",
                "value": "MZ"
              },
              {
                "name": "Length",
                "value": "2"
              }
            ],
            "repeated": 0,
            "id": 5866
          },
          {
            "timestamp": "2026-05-28 22:01:57,787",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "filesystem",
            "api": "NtSetInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000006ac"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\System32\\conhost.exe"
              },
              {
                "name": "FileInformationClass",
                "value": "14",
                "pretty_value": "FilePositionInformation"
              },
              {
                "name": "FileInformation",
                "value": "<\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 5867
          },
          {
            "timestamp": "2026-05-28 22:01:57,787",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "filesystem",
            "api": "NtReadFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000006ac"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\System32\\conhost.exe"
              },
              {
                "name": "Buffer",
                "value": "\\xf0\\x00\\x00\\x00"
              },
              {
                "name": "Length",
                "value": "4"
              }
            ],
            "repeated": 0,
            "id": 5868
          },
          {
            "timestamp": "2026-05-28 22:01:57,787",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "filesystem",
            "api": "NtSetInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000006ac"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\System32\\conhost.exe"
              },
              {
                "name": "FileInformationClass",
                "value": "14",
                "pretty_value": "FilePositionInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 5869
          },
          {
            "timestamp": "2026-05-28 22:01:57,787",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c38f8",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000006a8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001410",
                "pretty_value": "PROCESS_VM_READ|PROCESS_QUERY_INFORMATION|PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "348"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\System32\\svchost.exe"
              }
            ],
            "repeated": 0,
            "id": 5870
          },
          {
            "timestamp": "2026-05-28 22:01:57,787",
            "thread_id": "5448",
            "caller": "0x7ff6c28c53e5",
            "parentcaller": "0x7ff6c28c3945",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000006a8"
              },
              {
                "name": "BaseAddress",
                "value": "0x9965813000"
              },
              {
                "name": "Size",
                "value": "0x000007c8"
              },
              {
                "name": "Buffer",
                "value": "\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x006\\x80\\xf7\\x7f\\x00\\x00\\xc0\\xc4\\x13x\\xfc\\x7f\\x00\\x00\\xf02\\xa0\\xf6E\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x84\\xf6E\\x02\\x00\\x00\\xe0\\xc0\\x13x\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00p\\x003v\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x7f\\xf6E\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00@\\xc4\\x13x\\xfc\\x7f\\x00\\x00\\x17\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x008\\x9d\\xf4}\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00P\\x078\\x9d\\xf4}\\x00\\x00\\x00\\x00L\\x9f\\xf5}\\x00\\x00(\\x02M\\x9f\\xf5}\\x00\\x00P\\x06N\\x9f\\xf5}\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x80\\x9b\\x07m\\xe8\\xff\\xff\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x00 \\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x10\\x00\\x00\\x00@\\xad\\x13x\\xfc\\x7f\\x00\\x00\\x00\\x00\\xe0\\xf6E\\x02\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 5871
          },
          {
            "timestamp": "2026-05-28 22:01:57,787",
            "thread_id": "5448",
            "caller": "0x7ff6c28c5414",
            "parentcaller": "0x7ff6c28c3945",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000006a8"
              },
              {
                "name": "BaseAddress",
                "value": "0x245f6a032f0"
              },
              {
                "name": "Size",
                "value": "0x00000440"
              },
              {
                "name": "Buffer",
                "value": "T\\x07\\x00\\x00T\\x07\\x00\\x00\\x01 \\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00(\\x00\\x08\\x02\\x00\\x00\\x00\\x00\\xc0>\\xa0\\xf6E\\x02\\x00\\x00H\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00>\\x00@\\x00\\x00\\x00\\x00\\x0089\\xa0\\xf6E\\x02\\x00\\x00\\x86\\x00\\x88\\x00\\x00\\x00\\x00\\x00x9\\xa0\\xf6E\\x02\\x00\\x00\\xf0'\\xa0\\xf6E\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x80\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00>\\x00@\\x00\\x00\\x00\\x00\\x00\\x00:\\xa0\\xf6E\\x02\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00@:\\xa0\\xf6E\\x02\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00B:\\xa0\\xf6E\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 5872
          },
          {
            "timestamp": "2026-05-28 22:01:57,787",
            "thread_id": "5448",
            "caller": "0x7ff6c28c545d",
            "parentcaller": "0x7ff6c28c3945",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000006a8"
              },
              {
                "name": "BaseAddress",
                "value": "0x245f6a03978"
              },
              {
                "name": "Size",
                "value": "0x00000086"
              },
              {
                "name": "Buffer",
                "value": "C\\x00:\\x00\\\\x00W\\x00i\\x00n\\x00d\\x00o\\x00w\\x00s\\x00\\\\x00S\\x00y\\x00s\\x00t\\x00e\\x00m\\x003\\x002\\x00\\\\x00s\\x00v\\x00c\\x00h\\x00o\\x00s\\x00t\\x00.\\x00e\\x00x\\x00e\\x00 \\x00-\\x00k\\x00 \\x00L\\x00o\\x00c\\x00a\\x00l\\x00S\\x00e\\x00r\\x00v\\x00i\\x00c\\x00e\\x00N\\x00e\\x00t\\x00w\\x00o\\x00r\\x00k\\x00R\\x00e\\x00s\\x00t\\x00r\\x00i\\x00c\\x00t\\x00e\\x00d\\x00 \\x00-\\x00p\\x00"
              }
            ],
            "repeated": 0,
            "id": 5873
          },
          {
            "timestamp": "2026-05-28 22:01:57,787",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "filesystem",
            "api": "NtReadFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000006ac"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\System32\\conhost.exe"
              },
              {
                "name": "Buffer",
                "value": "PE\\x00\\x00d\\x86\\x07\\x00\\xdc6\\xe4/\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xf0\\x00\"\\x00\\x0b\\x02\\x0e\\x14\\x00\\xa2\t\\x00\\x00\\xcc\\x03\\x00\\x00\\x00\\x00\\x00P\\xf7\\x01\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00@\\x01\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x02\\x00\\x00"
              },
              {
                "name": "Length",
                "value": "64"
              }
            ],
            "repeated": 0,
            "id": 5874
          },
          {
            "timestamp": "2026-05-28 22:01:57,787",
            "thread_id": "5448",
            "caller": "0x7ff6c28c3779",
            "parentcaller": "0x7ff6c28c31c6",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000006a8"
              }
            ],
            "repeated": 0,
            "id": 5875
          },
          {
            "timestamp": "2026-05-28 22:01:57,787",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000006ac"
              }
            ],
            "repeated": 0,
            "id": 5876
          },
          {
            "timestamp": "2026-05-28 22:01:57,787",
            "thread_id": "612",
            "caller": "0x7ff6c296e129",
            "parentcaller": "0x7ff6c296c7fa",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\conhost.exe"
              }
            ],
            "repeated": 0,
            "id": 5877
          },
          {
            "timestamp": "2026-05-28 22:01:57,787",
            "thread_id": "612",
            "caller": "0x7ff6c290bbeb",
            "parentcaller": "0x7ff6c296c7b4",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Program Files (x86)\\Steam\\bin\\cef\\cef.win64\\steamwebhelper.exe"
              }
            ],
            "repeated": 0,
            "id": 5878
          },
          {
            "timestamp": "2026-05-28 22:01:57,787",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29254630002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Program Files (x86)\\Steam\\bin\\cef\\cef.win64\\steamwebhelper.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 5879
          },
          {
            "timestamp": "2026-05-28 22:01:57,787",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254630000"
              },
              {
                "name": "RegionSize",
                "value": "0x008f9000"
              }
            ],
            "repeated": 0,
            "id": 5880
          },
          {
            "timestamp": "2026-05-28 22:01:57,787",
            "thread_id": "5448",
            "caller": "0x7ff6c28c05ac",
            "parentcaller": "0x7ff6c28bdc11",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000006a8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001400",
                "pretty_value": "PROCESS_QUERY_INFORMATION|PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "2100"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\System32\\svchost.exe"
              }
            ],
            "repeated": 0,
            "id": 5881
          },
          {
            "timestamp": "2026-05-28 22:01:57,787",
            "thread_id": "5448",
            "caller": "0x7ff6c28c068f",
            "parentcaller": "0x7ff6c28bdc11",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000006a8"
              }
            ],
            "repeated": 0,
            "id": 5882
          },
          {
            "timestamp": "2026-05-28 22:01:57,787",
            "thread_id": "612",
            "caller": "0x7ff6c28c9b37",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29254630002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Program Files (x86)\\Steam\\bin\\cef\\cef.win64\\steamwebhelper.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 5883
          },
          {
            "timestamp": "2026-05-28 22:01:57,787",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c3e56",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000006a8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001000",
                "pretty_value": "PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "2100"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\System32\\svchost.exe"
              }
            ],
            "repeated": 0,
            "id": 5884
          },
          {
            "timestamp": "2026-05-28 22:01:57,787",
            "thread_id": "5448",
            "caller": "0x7ff6c28c3ebb",
            "parentcaller": "0x7ff6c28c2d53",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000006a8"
              }
            ],
            "repeated": 0,
            "id": 5885
          },
          {
            "timestamp": "2026-05-28 22:01:57,787",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c3ffc",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000006a8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001000",
                "pretty_value": "PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "2100"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\System32\\svchost.exe"
              }
            ],
            "repeated": 0,
            "id": 5886
          },
          {
            "timestamp": "2026-05-28 22:01:57,787",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000006ac"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000400",
                "pretty_value": "PROCESS_QUERY_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "7912"
              }
            ],
            "repeated": 0,
            "id": 5887
          },
          {
            "timestamp": "2026-05-28 22:01:57,787",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x000006a0"
              }
            ],
            "repeated": 0,
            "id": 5888
          },
          {
            "timestamp": "2026-05-28 22:01:57,787",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xe0\\xe7\\xff\\x9d\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\xe9\\x03\\x00\\x00\\xf6\\x7f\\x00\\x00\\x0b\\x00\\x00\\x00\\x01\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x83\\xaa\\x01x\\xfc\\x7f\\x00\\x00H\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x92\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 5889
          },
          {
            "timestamp": "2026-05-28 22:01:57,787",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\svchost.exe"
              }
            ],
            "repeated": 0,
            "id": 5890
          },
          {
            "timestamp": "2026-05-28 22:01:57,803",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000006ac"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\svchost.exe"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 5891
          },
          {
            "timestamp": "2026-05-28 22:01:57,803",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x000006a8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000005",
                "pretty_value": "SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x000006ac"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\svchost.exe"
              }
            ],
            "repeated": 0,
            "id": 5892
          },
          {
            "timestamp": "2026-05-28 22:01:57,803",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000006a8"
              }
            ],
            "repeated": 0,
            "id": 5893
          },
          {
            "timestamp": "2026-05-28 22:01:57,803",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000005d4"
              },
              {
                "name": "HandleName",
                "value": "C:\\Users\\admin\\AppData\\Local\\Microsoft\\Windows\\Explorer\\iconcache_idx.db"
              },
              {
                "name": "FileInformationClass",
                "value": "5",
                "pretty_value": "FileStandardInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\x00\\x80\\x00\\x00\\x00\\x00\\x00\\x000r\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 5894
          },
          {
            "timestamp": "2026-05-28 22:01:57,803",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000006ac"
              }
            ],
            "repeated": 0,
            "id": 5895
          },
          {
            "timestamp": "2026-05-28 22:01:57,803",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000006a0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000400",
                "pretty_value": "PROCESS_QUERY_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "7912"
              }
            ],
            "repeated": 0,
            "id": 5896
          },
          {
            "timestamp": "2026-05-28 22:01:57,803",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "registry",
            "api": "NtOpenKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\en-US"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\en-US"
              }
            ],
            "repeated": 0,
            "id": 5897
          },
          {
            "timestamp": "2026-05-28 22:01:57,803",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x00000658"
              }
            ],
            "repeated": 0,
            "id": 5898
          },
          {
            "timestamp": "2026-05-28 22:01:57,803",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xa0\\xe8\\xff\\x9d\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\xe9\\x03\\x00\\x00\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x19\\xeb\\xff\\x9d\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00T\\x82*_\\xfc\\x7f\\x00\\x004\\x008\\x008\\x006\\x008\\x00\\x00\\x00\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x000\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x18\\xea\\xff\\x9d\\xf0\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 5899
          },
          {
            "timestamp": "2026-05-28 22:01:57,803",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "synchronization",
            "api": "NtCreateMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000670"
              },
              {
                "name": "MutexName",
                "value": "Global\\C::Users:admin:AppData:Local:Microsoft:Windows:Explorer:iconcache_idx.db!048868"
              },
              {
                "name": "InitialOwner",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 5900
          },
          {
            "timestamp": "2026-05-28 22:01:57,803",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000658"
              }
            ],
            "repeated": 0,
            "id": 5901
          },
          {
            "timestamp": "2026-05-28 22:01:57,803",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000006a0"
              }
            ],
            "repeated": 0,
            "id": 5902
          },
          {
            "timestamp": "2026-05-28 22:01:57,803",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000006ac"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100001",
                "pretty_value": "FILE_READ_ACCESS|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\en-US\\svchost.exe.mui"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 5903
          },
          {
            "timestamp": "2026-05-28 22:01:57,803",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000620"
              },
              {
                "name": "HandleName",
                "value": "C:\\Users\\admin\\AppData\\Local\\Microsoft\\Windows\\Explorer\\iconcache_16.db"
              },
              {
                "name": "FileInformationClass",
                "value": "5",
                "pretty_value": "FileStandardInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 5904
          },
          {
            "timestamp": "2026-05-28 22:01:57,803",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x000006a8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x000006ac"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\en-US\\svchost.exe.mui"
              }
            ],
            "repeated": 0,
            "id": 5905
          },
          {
            "timestamp": "2026-05-28 22:01:57,803",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "synchronization",
            "api": "NtCreateMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000658"
              },
              {
                "name": "MutexName",
                "value": "Global\\C::Users:admin:AppData:Local:Microsoft:Windows:Explorer:iconcache_idx.db!rwReaderRefs"
              },
              {
                "name": "InitialOwner",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 5906
          },
          {
            "timestamp": "2026-05-28 22:01:57,803",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000006a0"
              }
            ],
            "repeated": 0,
            "id": 5907
          },
          {
            "timestamp": "2026-05-28 22:01:57,803",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000006a4"
              }
            ],
            "repeated": 0,
            "id": 5908
          },
          {
            "timestamp": "2026-05-28 22:01:57,803",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000658"
              }
            ],
            "repeated": 0,
            "id": 5909
          },
          {
            "timestamp": "2026-05-28 22:01:57,803",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000006a8"
              }
            ],
            "repeated": 0,
            "id": 5910
          },
          {
            "timestamp": "2026-05-28 22:01:57,803",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254650000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              }
            ],
            "repeated": 0,
            "id": 5911
          },
          {
            "timestamp": "2026-05-28 22:01:57,803",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000006ac"
              }
            ],
            "repeated": 0,
            "id": 5912
          },
          {
            "timestamp": "2026-05-28 22:01:57,803",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254630000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              }
            ],
            "repeated": 0,
            "id": 5913
          },
          {
            "timestamp": "2026-05-28 22:01:57,803",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000670"
              }
            ],
            "repeated": 0,
            "id": 5914
          },
          {
            "timestamp": "2026-05-28 22:01:57,803",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29254630002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\System32\\svchost.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 5915
          },
          {
            "timestamp": "2026-05-28 22:01:57,803",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "registry",
            "api": "NtOpenKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\en-US"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\en-US"
              }
            ],
            "repeated": 0,
            "id": 5916
          },
          {
            "timestamp": "2026-05-28 22:01:57,803",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000006ac"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100001",
                "pretty_value": "FILE_READ_ACCESS|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\en-US\\svchost.exe.mui"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 5917
          },
          {
            "timestamp": "2026-05-28 22:01:57,803",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x000006a8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x000006ac"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\en-US\\svchost.exe.mui"
              }
            ],
            "repeated": 0,
            "id": 5918
          },
          {
            "timestamp": "2026-05-28 22:01:57,803",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x000006a8"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254640000"
              },
              {
                "name": "SectionOffset",
                "value": "0xf09ddfcf80"
              },
              {
                "name": "ViewSize",
                "value": "0x00001000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 5919
          },
          {
            "timestamp": "2026-05-28 22:01:57,803",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000006a8"
              }
            ],
            "repeated": 0,
            "id": 5920
          },
          {
            "timestamp": "2026-05-28 22:01:57,803",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254640000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              }
            ],
            "repeated": 0,
            "id": 5921
          },
          {
            "timestamp": "2026-05-28 22:01:57,803",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29254650002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Program Files (x86)\\Steam\\bin\\cef\\cef.win64\\steamwebhelper.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 5922
          },
          {
            "timestamp": "2026-05-28 22:01:57,803",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000006ac"
              }
            ],
            "repeated": 0,
            "id": 5923
          },
          {
            "timestamp": "2026-05-28 22:01:57,803",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254630000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              }
            ],
            "repeated": 0,
            "id": 5924
          },
          {
            "timestamp": "2026-05-28 22:01:57,803",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254650000"
              },
              {
                "name": "RegionSize",
                "value": "0x008f9000"
              }
            ],
            "repeated": 0,
            "id": 5925
          },
          {
            "timestamp": "2026-05-28 22:01:57,803",
            "thread_id": "612",
            "caller": "0x7ff6c28c9b37",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29254630002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Program Files (x86)\\Steam\\bin\\cef\\cef.win64\\steamwebhelper.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 5926
          },
          {
            "timestamp": "2026-05-28 22:01:57,803",
            "thread_id": "612",
            "caller": "0x7ff6c28c9b37",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254630000"
              },
              {
                "name": "RegionSize",
                "value": "0x008f9000"
              }
            ],
            "repeated": 0,
            "id": 5927
          },
          {
            "timestamp": "2026-05-28 22:01:57,803",
            "thread_id": "612",
            "caller": "0x7ff6c296e129",
            "parentcaller": "0x7ff6c296c7fa",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Program Files (x86)\\Steam\\bin\\cef\\cef.win64\\steamwebhelper.exe"
              }
            ],
            "repeated": 1,
            "id": 5928
          },
          {
            "timestamp": "2026-05-28 22:01:57,803",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29254630002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Program Files (x86)\\Steam\\bin\\cef\\cef.win64\\steamwebhelper.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 5929
          },
          {
            "timestamp": "2026-05-28 22:01:57,803",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254630000"
              },
              {
                "name": "RegionSize",
                "value": "0x008f9000"
              }
            ],
            "repeated": 0,
            "id": 5930
          },
          {
            "timestamp": "2026-05-28 22:01:57,803",
            "thread_id": "612",
            "caller": "0x7ff6c28c9b37",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29254630002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Program Files (x86)\\Steam\\bin\\cef\\cef.win64\\steamwebhelper.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 5931
          },
          {
            "timestamp": "2026-05-28 22:01:57,803",
            "thread_id": "612",
            "caller": "0x7ff6c28c9b37",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254630000"
              },
              {
                "name": "RegionSize",
                "value": "0x008f9000"
              }
            ],
            "repeated": 0,
            "id": 5932
          },
          {
            "timestamp": "2026-05-28 22:01:57,803",
            "thread_id": "612",
            "caller": "0x7ff6c296e129",
            "parentcaller": "0x7ff6c296c7fa",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Program Files (x86)\\Steam\\bin\\cef\\cef.win64\\steamwebhelper.exe"
              }
            ],
            "repeated": 1,
            "id": 5933
          },
          {
            "timestamp": "2026-05-28 22:01:57,803",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29254630002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Program Files (x86)\\Steam\\bin\\cef\\cef.win64\\steamwebhelper.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 5934
          },
          {
            "timestamp": "2026-05-28 22:01:57,803",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254630000"
              },
              {
                "name": "RegionSize",
                "value": "0x008f9000"
              }
            ],
            "repeated": 0,
            "id": 5935
          },
          {
            "timestamp": "2026-05-28 22:01:57,803",
            "thread_id": "612",
            "caller": "0x7ff6c28c9b37",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29254630002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Program Files (x86)\\Steam\\bin\\cef\\cef.win64\\steamwebhelper.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 5936
          },
          {
            "timestamp": "2026-05-28 22:01:57,803",
            "thread_id": "612",
            "caller": "0x7ff6c28c9b37",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254630000"
              },
              {
                "name": "RegionSize",
                "value": "0x008f9000"
              }
            ],
            "repeated": 0,
            "id": 5937
          },
          {
            "timestamp": "2026-05-28 22:01:57,803",
            "thread_id": "612",
            "caller": "0x7ff6c296e129",
            "parentcaller": "0x7ff6c296c7fa",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Program Files (x86)\\Steam\\bin\\cef\\cef.win64\\steamwebhelper.exe"
              }
            ],
            "repeated": 1,
            "id": 5938
          },
          {
            "timestamp": "2026-05-28 22:01:57,803",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29254630002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Program Files (x86)\\Steam\\bin\\cef\\cef.win64\\steamwebhelper.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 5939
          },
          {
            "timestamp": "2026-05-28 22:01:57,803",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254630000"
              },
              {
                "name": "RegionSize",
                "value": "0x008f9000"
              }
            ],
            "repeated": 0,
            "id": 5940
          },
          {
            "timestamp": "2026-05-28 22:01:57,803",
            "thread_id": "612",
            "caller": "0x7ff6c28c9b37",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29254630002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Program Files (x86)\\Steam\\bin\\cef\\cef.win64\\steamwebhelper.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 5941
          },
          {
            "timestamp": "2026-05-28 22:01:57,803",
            "thread_id": "612",
            "caller": "0x7ff6c28c9b37",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254630000"
              },
              {
                "name": "RegionSize",
                "value": "0x008f9000"
              }
            ],
            "repeated": 0,
            "id": 5942
          },
          {
            "timestamp": "2026-05-28 22:01:57,803",
            "thread_id": "612",
            "caller": "0x7ff6c296e129",
            "parentcaller": "0x7ff6c296c7fa",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Program Files (x86)\\Steam\\bin\\cef\\cef.win64\\steamwebhelper.exe"
              }
            ],
            "repeated": 1,
            "id": 5943
          },
          {
            "timestamp": "2026-05-28 22:01:57,803",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c38f8",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000006ac"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001410",
                "pretty_value": "PROCESS_VM_READ|PROCESS_QUERY_INFORMATION|PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "2100"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\System32\\svchost.exe"
              }
            ],
            "repeated": 0,
            "id": 5944
          },
          {
            "timestamp": "2026-05-28 22:01:57,803",
            "thread_id": "5448",
            "caller": "0x7ff6c28c53e5",
            "parentcaller": "0x7ff6c28c3945",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000006ac"
              },
              {
                "name": "BaseAddress",
                "value": "0xdec22cc000"
              },
              {
                "name": "Size",
                "value": "0x000007c8"
              },
              {
                "name": "Buffer",
                "value": "\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x006\\x80\\xf7\\x7f\\x00\\x00\\xc0\\xc4\\x13x\\xfc\\x7f\\x00\\x00\\xf02 [\\x95\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x1c[\\x95\\x02\\x00\\x00\\xe0\\xc0\\x13x\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00p\\x003v\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x17[\\x95\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00@\\xc4\\x13x\\xfc\\x7f\\x00\\x00\\xff\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xe0\\xe0\\xf4}\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00P\\x07\\xe0\\xe0\\xf4}\\x00\\x00\\x00\\x00\\xf4\\xe2\\xf5}\\x00\\x00(\\x02\\xf5\\xe2\\xf5}\\x00\\x00P\\x06\\xf6\\xe2\\xf5}\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x80\\x9b\\x07m\\xe8\\xff\\xff\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x00 \\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x10\\x00\\x00\\x00@\\xad\\x13x\\xfc\\x7f\\x00\\x00\\x00\\x00n[\\x95\\x02\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 5945
          },
          {
            "timestamp": "2026-05-28 22:01:57,803",
            "thread_id": "5448",
            "caller": "0x7ff6c28c5414",
            "parentcaller": "0x7ff6c28c3945",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000006ac"
              },
              {
                "name": "BaseAddress",
                "value": "0x2955b2032f0"
              },
              {
                "name": "Size",
                "value": "0x00000440"
              },
              {
                "name": "Buffer",
                "value": "\\x82\\x07\\x00\\x00\\x82\\x07\\x00\\x00\\x01 \\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00(\\x00\\x08\\x02\\x00\\x00\\x00\\x00\\xf0> [\\x95\\x02\\x00\\x00H\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00>\\x00@\\x00\\x00\\x00\\x00\\x0089 [\\x95\\x02\\x00\\x00\\xb4\\x00\\xb6\\x00\\x00\\x00\\x00\\x00x9 [\\x95\\x02\\x00\\x00\\xf0' [\\x95\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x80\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00>\\x00@\\x00\\x00\\x00\\x00\\x00.: [\\x95\\x02\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00n: [\\x95\\x02\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00p: [\\x95\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 5946
          },
          {
            "timestamp": "2026-05-28 22:01:57,803",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29254630002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Program Files (x86)\\Steam\\bin\\cef\\cef.win64\\steamwebhelper.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 5947
          },
          {
            "timestamp": "2026-05-28 22:01:57,803",
            "thread_id": "5448",
            "caller": "0x7ff6c28c545d",
            "parentcaller": "0x7ff6c28c3945",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000006ac"
              },
              {
                "name": "BaseAddress",
                "value": "0x2955b203978"
              },
              {
                "name": "Size",
                "value": "0x000000b4"
              },
              {
                "name": "Buffer",
                "value": "C\\x00:\\x00\\\\x00W\\x00i\\x00n\\x00d\\x00o\\x00w\\x00s\\x00\\\\x00s\\x00y\\x00s\\x00t\\x00e\\x00m\\x003\\x002\\x00\\\\x00s\\x00v\\x00c\\x00h\\x00o\\x00s\\x00t\\x00.\\x00e\\x00x\\x00e\\x00 \\x00-\\x00k\\x00 \\x00L\\x00o\\x00c\\x00a\\x00l\\x00S\\x00e\\x00r\\x00v\\x00i\\x00c\\x00e\\x00N\\x00e\\x00t\\x00w\\x00o\\x00r\\x00k\\x00R\\x00e\\x00s\\x00t\\x00r\\x00i\\x00c\\x00t\\x00e\\x00d\\x00 \\x00-\\x00p\\x00 \\x00-\\x00s\\x00 \\x00W\\x00i\\x00n\\x00H\\x00t\\x00t\\x00p\\x00A\\x00u\\x00t\\x00o\\x00P\\x00r\\x00o\\x00x\\x00y\\x00S\\x00v\\x00c\\x00"
              }
            ],
            "repeated": 0,
            "id": 5948
          },
          {
            "timestamp": "2026-05-28 22:01:57,803",
            "thread_id": "5448",
            "caller": "0x7ff6c28c39ad",
            "parentcaller": "0x7ff6c28c31bb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000006ac"
              }
            ],
            "repeated": 0,
            "id": 5949
          },
          {
            "timestamp": "2026-05-28 22:01:57,803",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c3746",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000006ac"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001000",
                "pretty_value": "PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "2100"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\System32\\svchost.exe"
              }
            ],
            "repeated": 0,
            "id": 5950
          },
          {
            "timestamp": "2026-05-28 22:01:57,803",
            "thread_id": "5448",
            "caller": "0x00000000",
            "parentcaller": "0x00000000",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000006ac"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x000006a8"
              }
            ],
            "repeated": 0,
            "id": 5951
          },
          {
            "timestamp": "2026-05-28 22:01:57,803",
            "thread_id": "5448",
            "caller": "0x7ff6c28c4764",
            "parentcaller": "0x7ff6c28c375e",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "39"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 5952
          },
          {
            "timestamp": "2026-05-28 22:01:57,803",
            "thread_id": "5448",
            "caller": "0x7ff6c28c47ed",
            "parentcaller": "0x7ff6c28c375e",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "39"
              },
              {
                "name": "TokenInformation",
                "value": "\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x000\\xf2\\x1fT\\x92\\x02\\x00\\x00 \\x00 \\x00\\x00\\x00\\x00\\x00X\\xf2\\x1fT\\x92\\x02\\x00\\x00\\x02\\x00\\x00\\x00A\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00x\\xf2\\x1fT\\x92\\x02\\x00\\x00T\\x00S\\x00A\\x00:\\x00/\\x00/\\x00P\\x00r\\x00o\\x00c\\x00U\\x00n\\x00i\\x00q\\x00u\\x00e\\x003\\x00\\x00\\x00\\x00\\x00\\x00\\x00nK\\x01\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 5953
          },
          {
            "timestamp": "2026-05-28 22:01:57,803",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254630000"
              },
              {
                "name": "RegionSize",
                "value": "0x008f9000"
              }
            ],
            "repeated": 0,
            "id": 5954
          },
          {
            "timestamp": "2026-05-28 22:01:57,803",
            "thread_id": "5448",
            "caller": "0x7ff6c28c488d",
            "parentcaller": "0x7ff6c28c375e",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000006a8"
              }
            ],
            "repeated": 0,
            "id": 5955
          },
          {
            "timestamp": "2026-05-28 22:01:57,803",
            "thread_id": "5448",
            "caller": "0x7ff6c28c3779",
            "parentcaller": "0x7ff6c28c31c6",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000006ac"
              }
            ],
            "repeated": 0,
            "id": 5956
          },
          {
            "timestamp": "2026-05-28 22:01:57,803",
            "thread_id": "612",
            "caller": "0x7ff6c28c9b37",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29254630002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Program Files (x86)\\Steam\\bin\\cef\\cef.win64\\steamwebhelper.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 5957
          },
          {
            "timestamp": "2026-05-28 22:01:57,803",
            "thread_id": "612",
            "caller": "0x7ff6c28c9b37",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254630000"
              },
              {
                "name": "RegionSize",
                "value": "0x008f9000"
              }
            ],
            "repeated": 0,
            "id": 5958
          },
          {
            "timestamp": "2026-05-28 22:01:57,803",
            "thread_id": "612",
            "caller": "0x7ff6c296e129",
            "parentcaller": "0x7ff6c296c7fa",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Program Files (x86)\\Steam\\bin\\cef\\cef.win64\\steamwebhelper.exe"
              }
            ],
            "repeated": 1,
            "id": 5959
          },
          {
            "timestamp": "2026-05-28 22:01:57,803",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29254630002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Program Files (x86)\\Steam\\bin\\cef\\cef.win64\\steamwebhelper.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 5960
          },
          {
            "timestamp": "2026-05-28 22:01:57,803",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254630000"
              },
              {
                "name": "RegionSize",
                "value": "0x008f9000"
              }
            ],
            "repeated": 0,
            "id": 5961
          },
          {
            "timestamp": "2026-05-28 22:01:57,803",
            "thread_id": "612",
            "caller": "0x7ff6c28c9b37",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29254630002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Program Files (x86)\\Steam\\bin\\cef\\cef.win64\\steamwebhelper.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 5962
          },
          {
            "timestamp": "2026-05-28 22:01:57,803",
            "thread_id": "612",
            "caller": "0x7ff6c28c9b37",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254630000"
              },
              {
                "name": "RegionSize",
                "value": "0x008f9000"
              }
            ],
            "repeated": 0,
            "id": 5963
          },
          {
            "timestamp": "2026-05-28 22:01:57,803",
            "thread_id": "612",
            "caller": "0x7ff6c296e129",
            "parentcaller": "0x7ff6c296c7fa",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Program Files (x86)\\Steam\\bin\\cef\\cef.win64\\steamwebhelper.exe"
              }
            ],
            "repeated": 0,
            "id": 5964
          },
          {
            "timestamp": "2026-05-28 22:01:57,803",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c3ffc",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000006ac"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001000",
                "pretty_value": "PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "2276"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\System32\\spoolsv.exe"
              }
            ],
            "repeated": 0,
            "id": 5965
          },
          {
            "timestamp": "2026-05-28 22:01:57,803",
            "thread_id": "612",
            "caller": "0x7ff6c296c710",
            "parentcaller": "0x7ff6c296c26d",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254200000"
              },
              {
                "name": "RegionSize",
                "value": "0x00005000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 5966
          },
          {
            "timestamp": "2026-05-28 22:01:57,803",
            "thread_id": "5448",
            "caller": "0x7ff6c28c4224",
            "parentcaller": "0x7ff6c28c2da5",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000006ac"
              }
            ],
            "repeated": 0,
            "id": 5967
          },
          {
            "timestamp": "2026-05-28 22:01:57,803",
            "thread_id": "612",
            "caller": "0x7ff6c290bbeb",
            "parentcaller": "0x7ff6c296c7b4",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Program Files (x86)\\Steam\\bin\\cef\\cef.win64\\steamwebhelper.exe"
              }
            ],
            "repeated": 0,
            "id": 5968
          },
          {
            "timestamp": "2026-05-28 22:01:57,803",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "registry",
            "api": "NtOpenKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\en-US"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\en-US"
              }
            ],
            "repeated": 0,
            "id": 5969
          },
          {
            "timestamp": "2026-05-28 22:01:57,803",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29254710002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Program Files (x86)\\Steam\\bin\\cef\\cef.win64\\steamwebhelper.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 5970
          },
          {
            "timestamp": "2026-05-28 22:01:57,803",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254710000"
              },
              {
                "name": "RegionSize",
                "value": "0x008f9000"
              }
            ],
            "repeated": 0,
            "id": 5971
          },
          {
            "timestamp": "2026-05-28 22:01:57,803",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000006ac"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100001",
                "pretty_value": "FILE_READ_ACCESS|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\en-US\\spoolsv.exe.mui"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 5972
          },
          {
            "timestamp": "2026-05-28 22:01:57,803",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x000006a8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x000006ac"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\en-US\\spoolsv.exe.mui"
              }
            ],
            "repeated": 0,
            "id": 5973
          },
          {
            "timestamp": "2026-05-28 22:01:57,803",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x000006a8"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254710000"
              },
              {
                "name": "SectionOffset",
                "value": "0xf09ddfcf90"
              },
              {
                "name": "ViewSize",
                "value": "0x00001000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 5974
          },
          {
            "timestamp": "2026-05-28 22:01:57,803",
            "thread_id": "612",
            "caller": "0x7ff6c290bbeb",
            "parentcaller": "0x7ff6c296c7b4",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "12"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 5975
          },
          {
            "timestamp": "2026-05-28 22:01:57,803",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000006a8"
              }
            ],
            "repeated": 0,
            "id": 5976
          },
          {
            "timestamp": "2026-05-28 22:01:57,803",
            "thread_id": "612",
            "caller": "0x7ff6c290bbeb",
            "parentcaller": "0x7ff6c296c7b4",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Program Files (x86)\\Steam\\bin\\cef\\cef.win64\\steamwebhelper.exe"
              }
            ],
            "repeated": 0,
            "id": 5977
          },
          {
            "timestamp": "2026-05-28 22:01:57,803",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29254630002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\System32\\spoolsv.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 5978
          },
          {
            "timestamp": "2026-05-28 22:01:57,803",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29254710002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Program Files (x86)\\Steam\\bin\\cef\\cef.win64\\steamwebhelper.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 5979
          },
          {
            "timestamp": "2026-05-28 22:01:57,803",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "registry",
            "api": "NtOpenKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\en-US"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\en-US"
              }
            ],
            "repeated": 0,
            "id": 5980
          },
          {
            "timestamp": "2026-05-28 22:01:57,803",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254710000"
              },
              {
                "name": "RegionSize",
                "value": "0x008f9000"
              }
            ],
            "repeated": 0,
            "id": 5981
          },
          {
            "timestamp": "2026-05-28 22:01:57,803",
            "thread_id": "612",
            "caller": "0x7ff6c28c9b37",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29254710002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Program Files (x86)\\Steam\\bin\\cef\\cef.win64\\steamwebhelper.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 5982
          },
          {
            "timestamp": "2026-05-28 22:01:57,803",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000006ac"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100001",
                "pretty_value": "FILE_READ_ACCESS|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\en-US\\spoolsv.exe.mui"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 5983
          },
          {
            "timestamp": "2026-05-28 22:01:57,803",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x000006a8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x000006ac"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\en-US\\spoolsv.exe.mui"
              }
            ],
            "repeated": 0,
            "id": 5984
          },
          {
            "timestamp": "2026-05-28 22:01:57,803",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x000006a8"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254710000"
              },
              {
                "name": "SectionOffset",
                "value": "0xf09ddfcf80"
              },
              {
                "name": "ViewSize",
                "value": "0x00001000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 5985
          },
          {
            "timestamp": "2026-05-28 22:01:57,803",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000006a8"
              }
            ],
            "repeated": 0,
            "id": 5986
          },
          {
            "timestamp": "2026-05-28 22:01:57,803",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254710000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              }
            ],
            "repeated": 0,
            "id": 5987
          },
          {
            "timestamp": "2026-05-28 22:01:57,803",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": false,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": ".\\bin\\vulkandriverquery.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 5988
          },
          {
            "timestamp": "2026-05-28 22:01:57,803",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000006ac"
              }
            ],
            "repeated": 0,
            "id": 5989
          },
          {
            "timestamp": "2026-05-28 22:01:57,803",
            "thread_id": "5448",
            "caller": "0x7ffc756dad9e",
            "parentcaller": "0x7ffc756db638",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254630000"
              },
              {
                "name": "RegionSize",
                "value": "0x000d4000"
              }
            ],
            "repeated": 0,
            "id": 5990
          },
          {
            "timestamp": "2026-05-28 22:01:57,803",
            "thread_id": "5448",
            "caller": "0x7ff6c28c3b16",
            "parentcaller": "0x7ff6c28c30e8",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000006ac"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000400",
                "pretty_value": "PROCESS_QUERY_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "2276"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\System32\\spoolsv.exe"
              }
            ],
            "repeated": 0,
            "id": 5991
          },
          {
            "timestamp": "2026-05-28 22:01:57,803",
            "thread_id": "5448",
            "caller": "0x7ff6c28c3b8f",
            "parentcaller": "0x7ff6c28c30e8",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000006ac"
              }
            ],
            "repeated": 0,
            "id": 5992
          },
          {
            "timestamp": "2026-05-28 22:01:57,803",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000670"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000400",
                "pretty_value": "PROCESS_QUERY_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "7912"
              }
            ],
            "repeated": 0,
            "id": 5993
          },
          {
            "timestamp": "2026-05-28 22:01:57,803",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x00000658"
              }
            ],
            "repeated": 0,
            "id": 5994
          },
          {
            "timestamp": "2026-05-28 22:01:57,803",
            "thread_id": "5448",
            "caller": "0x7ff6c28c53e5",
            "parentcaller": "0x7ff6c28c3945",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000006ac"
              },
              {
                "name": "BaseAddress",
                "value": "0x00e53000"
              },
              {
                "name": "Size",
                "value": "0x000007c8"
              },
              {
                "name": "Buffer",
                "value": "\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00.r\\xf7\\x7f\\x00\\x00\\xc0\\xc4\\x13x\\xfc\\x7f\\x00\\x00P\\x1a\\x15\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x15\\x01\\x00\\x00\\x00\\x00\\xe0\\xc0\\x13x\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00p\\x003v\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xc7\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00@\\xc4\\x13x\\xfc\\x7f\\x00\\x00\\xff\\xff\\xff\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xfaw\\xf4}\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00P\\x07\\xfaw\\xf4}\\x00\\x00\\x00\\x00\\x0ez\\xf5}\\x00\\x00(\\x02\\x0fz\\xf5}\\x00\\x00P\\x06\\x10z\\xf5}\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x80\\x9b\\x07m\\xe8\\xff\\xff\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x00 \\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\x05\\x00\\x00\\x00\\x10\\x00\\x00\\x00@\\xad\\x13x\\xfc\\x7f\\x00\\x00\\x00\\x00U\\x01\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 5995
          },
          {
            "timestamp": "2026-05-28 22:01:57,803",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xe0\\xe7\\xff\\x9d\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\xe9\\x03\\x00\\x00\\xfc\\x7f\\x00\\x00`^\\xe8S\\x92\\x02\\x00\\x00`\\xee\\xff\\x9d\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00{\\x00\\x00\\x00\\x00\\x00\\x00\\x00H\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 5996
          },
          {
            "timestamp": "2026-05-28 22:01:57,803",
            "thread_id": "5448",
            "caller": "0x7ff6c28c5414",
            "parentcaller": "0x7ff6c28c3945",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000006ac"
              },
              {
                "name": "BaseAddress",
                "value": "0x01151a50"
              },
              {
                "name": "Size",
                "value": "0x00000440"
              },
              {
                "name": "Buffer",
                "value": "\\x0c\\x07\\x00\\x00\\x0c\\x07\\x00\\x00\\x01 \\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00(\\x00\\x08\\x02\\x00\\x00\\x00\\x00\\xc0%\\x15\\x01\\x00\\x00\\x00\\x00H\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00>\\x00@\\x00\\x00\\x00\\x00\\x00\\x98 \\x15\\x01\\x00\\x00\\x00\\x00>\\x00@\\x00\\x00\\x00\\x00\\x00\\xd8 \\x15\\x01\\x00\\x00\\x00\\x00\\xe0\\x0f\\x15\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x80\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00>\\x00@\\x00\\x00\\x00\\x00\\x00\\x18!\\x15\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00X!\\x15\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00Z!\\x15\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 5997
          },
          {
            "timestamp": "2026-05-28 22:01:57,803",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "synchronization",
            "api": "NtCreateMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000006a4"
              },
              {
                "name": "MutexName",
                "value": "Global\\C::Users:admin:AppData:Local:Microsoft:Windows:Explorer:iconcache_idx.db!rwReaderRefs"
              },
              {
                "name": "InitialOwner",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 5998
          },
          {
            "timestamp": "2026-05-28 22:01:57,803",
            "thread_id": "5448",
            "caller": "0x7ff6c28c39ad",
            "parentcaller": "0x7ff6c28c31bb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000006ac"
              }
            ],
            "repeated": 0,
            "id": 5999
          },
          {
            "timestamp": "2026-05-28 22:01:57,803",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000670"
              }
            ],
            "repeated": 0,
            "id": 6000
          },
          {
            "timestamp": "2026-05-28 22:01:57,803",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c3746",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000006ac"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001000",
                "pretty_value": "PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "2276"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\System32\\spoolsv.exe"
              }
            ],
            "repeated": 0,
            "id": 6001
          },
          {
            "timestamp": "2026-05-28 22:01:57,803",
            "thread_id": "5448",
            "caller": "0x7ff6c28c472e",
            "parentcaller": "0x7ff6c28c375e",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000006ac"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x000006a8"
              }
            ],
            "repeated": 0,
            "id": 6002
          },
          {
            "timestamp": "2026-05-28 22:01:57,803",
            "thread_id": "5448",
            "caller": "0x7ff6c28c4764",
            "parentcaller": "0x7ff6c28c375e",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "39"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 6003
          },
          {
            "timestamp": "2026-05-28 22:01:57,803",
            "thread_id": "5448",
            "caller": "0x7ff6c28c47ed",
            "parentcaller": "0x7ff6c28c375e",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "39"
              },
              {
                "name": "TokenInformation",
                "value": "\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\xc0. T\\x92\\x02\\x00\\x00 \\x00 \\x00\\x00\\x00\\x00\\x00\\xe8. T\\x92\\x02\\x00\\x00\\x02\\x00\\x00\\x00A\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x08/ T\\x92\\x02\\x00\\x00T\\x00S\\x00A\\x00:\\x00/\\x00/\\x00P\\x00r\\x00o\\x00c\\x00U\\x00n\\x00i\\x00q\\x00u\\x00e\\x005\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xa7q\\x01\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 6004
          },
          {
            "timestamp": "2026-05-28 22:01:57,803",
            "thread_id": "5448",
            "caller": "0x7ff6c28c488d",
            "parentcaller": "0x7ff6c28c375e",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000006a8"
              }
            ],
            "repeated": 0,
            "id": 6005
          },
          {
            "timestamp": "2026-05-28 22:01:57,803",
            "thread_id": "5448",
            "caller": "0x7ff6c28c3779",
            "parentcaller": "0x7ff6c28c31c6",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000006ac"
              }
            ],
            "repeated": 0,
            "id": 6006
          },
          {
            "timestamp": "2026-05-28 22:01:57,803",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000005d4"
              },
              {
                "name": "HandleName",
                "value": "C:\\Users\\admin\\AppData\\Local\\Microsoft\\Windows\\Explorer\\iconcache_idx.db"
              },
              {
                "name": "FileInformationClass",
                "value": "5",
                "pretty_value": "FileStandardInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\x00\\x80\\x00\\x00\\x00\\x00\\x00\\x000r\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 6007
          },
          {
            "timestamp": "2026-05-28 22:01:57,803",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000006a4"
              }
            ],
            "repeated": 0,
            "id": 6008
          },
          {
            "timestamp": "2026-05-28 22:01:57,803",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000006a4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000400",
                "pretty_value": "PROCESS_QUERY_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "7912"
              }
            ],
            "repeated": 0,
            "id": 6009
          },
          {
            "timestamp": "2026-05-28 22:01:57,803",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x00000670"
              }
            ],
            "repeated": 0,
            "id": 6010
          },
          {
            "timestamp": "2026-05-28 22:01:57,803",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xf0\\xe7\\xff\\x9d\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\xe9\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xf0\\x05\\x00\\x00\\x00\\x00\\x00\\x00 \\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x02\\x00\\x00\\x00\\x00\\x00\\x00]\\xddmu\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00j\\x05'Ou\\xc0\\x00\\x00\\x88X\\x1cT\\x92\\x02\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 6011
          },
          {
            "timestamp": "2026-05-28 22:01:57,803",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "synchronization",
            "api": "NtCreateMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000658"
              },
              {
                "name": "MutexName",
                "value": "Global\\C::Users:admin:AppData:Local:Microsoft:Windows:Explorer:iconcache_idx.db!rwReaderRefs"
              },
              {
                "name": "InitialOwner",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 6012
          },
          {
            "timestamp": "2026-05-28 22:01:57,803",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000670"
              }
            ],
            "repeated": 0,
            "id": 6013
          },
          {
            "timestamp": "2026-05-28 22:01:57,803",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000006a4"
              }
            ],
            "repeated": 0,
            "id": 6014
          },
          {
            "timestamp": "2026-05-28 22:01:57,803",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000658"
              }
            ],
            "repeated": 0,
            "id": 6015
          },
          {
            "timestamp": "2026-05-28 22:01:57,803",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": false,
            "return": "0xffffffffc000003a",
            "pretty_return": "OBJECT_PATH_NOT_FOUND",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\bin\\vulkandriverquery.exe"
              }
            ],
            "repeated": 0,
            "id": 6016
          },
          {
            "timestamp": "2026-05-28 22:01:57,803",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\imageres.dll"
              }
            ],
            "repeated": 1,
            "id": 6017
          },
          {
            "timestamp": "2026-05-28 22:01:57,803",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29254630002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\system32\\imageres.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 6018
          },
          {
            "timestamp": "2026-05-28 22:01:57,803",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "registry",
            "api": "NtOpenKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\en-US"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\en-US"
              }
            ],
            "repeated": 0,
            "id": 6019
          },
          {
            "timestamp": "2026-05-28 22:01:57,803",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000658"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100001",
                "pretty_value": "FILE_READ_ACCESS|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\en-US\\imageres.dll.mui"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 6020
          },
          {
            "timestamp": "2026-05-28 22:01:57,803",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x000006a4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000658"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\en-US\\imageres.dll.mui"
              }
            ],
            "repeated": 0,
            "id": 6021
          },
          {
            "timestamp": "2026-05-28 22:01:57,803",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x000006a4"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254640000"
              },
              {
                "name": "SectionOffset",
                "value": "0xf09dffc770"
              },
              {
                "name": "ViewSize",
                "value": "0x00001000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 6022
          },
          {
            "timestamp": "2026-05-28 22:01:57,803",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000006a4"
              }
            ],
            "repeated": 0,
            "id": 6023
          },
          {
            "timestamp": "2026-05-28 22:01:57,803",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000006a4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100001",
                "pretty_value": "FILE_READ_ACCESS|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\SystemResources\\imageres.dll.mun"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 6024
          },
          {
            "timestamp": "2026-05-28 22:01:57,803",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000670"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x000006a4"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\SystemResources\\imageres.dll.mun"
              }
            ],
            "repeated": 0,
            "id": 6025
          },
          {
            "timestamp": "2026-05-28 22:01:57,803",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000670"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254650000"
              },
              {
                "name": "SectionOffset",
                "value": "0xf09dffc720"
              },
              {
                "name": "ViewSize",
                "value": "0x013c0000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 6026
          },
          {
            "timestamp": "2026-05-28 22:01:57,803",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000670"
              }
            ],
            "repeated": 0,
            "id": 6027
          },
          {
            "timestamp": "2026-05-28 22:01:57,803",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "misc",
            "api": "FindResourceExW",
            "status": true,
            "return": "0x29254672e40",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29254630002"
              },
              {
                "name": "Type",
                "value": "#14"
              },
              {
                "name": "Name",
                "value": "#15"
              },
              {
                "name": "Language",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 6028
          },
          {
            "timestamp": "2026-05-28 22:01:57,803",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "misc",
            "api": "LoadResource",
            "status": true,
            "return": "0x292546e6950",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29254630002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29254672e40"
              }
            ],
            "repeated": 0,
            "id": 6029
          },
          {
            "timestamp": "2026-05-28 22:01:57,803",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "misc",
            "api": "FindResourceExW",
            "status": true,
            "return": "0x29254668940",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29254630002"
              },
              {
                "name": "Type",
                "value": "#3"
              },
              {
                "name": "Name",
                "value": "#63"
              },
              {
                "name": "Language",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 6030
          },
          {
            "timestamp": "2026-05-28 22:01:57,803",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "misc",
            "api": "SizeofResource",
            "status": true,
            "return": "0x00000468",
            "arguments": [
              {
                "name": "ModuleHandle",
                "value": "0x29254630002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29254668940"
              }
            ],
            "repeated": 0,
            "id": 6031
          },
          {
            "timestamp": "2026-05-28 22:01:57,803",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "misc",
            "api": "LoadResource",
            "status": true,
            "return": "0x292546e64e8",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29254630002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29254668940"
              }
            ],
            "repeated": 0,
            "id": 6032
          },
          {
            "timestamp": "2026-05-28 22:01:57,803",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254650000"
              },
              {
                "name": "RegionSize",
                "value": "0x013c0000"
              }
            ],
            "repeated": 0,
            "id": 6033
          },
          {
            "timestamp": "2026-05-28 22:01:57,803",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000006a4"
              }
            ],
            "repeated": 0,
            "id": 6034
          },
          {
            "timestamp": "2026-05-28 22:01:57,803",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254640000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              }
            ],
            "repeated": 0,
            "id": 6035
          },
          {
            "timestamp": "2026-05-28 22:01:57,803",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000658"
              }
            ],
            "repeated": 0,
            "id": 6036
          },
          {
            "timestamp": "2026-05-28 22:01:57,803",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254630000"
              },
              {
                "name": "RegionSize",
                "value": "0x00003000"
              }
            ],
            "repeated": 0,
            "id": 6037
          },
          {
            "timestamp": "2026-05-28 22:01:57,803",
            "thread_id": "612",
            "caller": "0x7ff6c296e129",
            "parentcaller": "0x7ff6c296c7fa",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": false,
            "return": "0xffffffffc000003a",
            "pretty_return": "OBJECT_PATH_NOT_FOUND",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\bin\\vulkandriverquery.exe"
              }
            ],
            "repeated": 0,
            "id": 6038
          },
          {
            "timestamp": "2026-05-28 22:01:57,803",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": false,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "\\??\\C:\\Windows\\system32\\conhost.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 6039
          },
          {
            "timestamp": "2026-05-28 22:01:57,803",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000658"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\conhost.exe"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "1",
                "pretty_value": "FILE_SHARE_READ"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000080",
                "pretty_value": "FILE_ATTRIBUTE_NORMAL"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 6040
          },
          {
            "timestamp": "2026-05-28 22:01:57,803",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000658"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\System32\\conhost.exe"
              },
              {
                "name": "FileInformationClass",
                "value": "5",
                "pretty_value": "FileStandardInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\x00@\r\\x00\\x00\\x00\\x00\\x00\\x00<\r\\x00\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 6041
          },
          {
            "timestamp": "2026-05-28 22:01:57,803",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "filesystem",
            "api": "NtSetInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000658"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\System32\\conhost.exe"
              },
              {
                "name": "FileInformationClass",
                "value": "14",
                "pretty_value": "FilePositionInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 6042
          },
          {
            "timestamp": "2026-05-28 22:01:57,803",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "filesystem",
            "api": "NtReadFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000658"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\System32\\conhost.exe"
              },
              {
                "name": "Buffer",
                "value": "MZ"
              },
              {
                "name": "Length",
                "value": "2"
              }
            ],
            "repeated": 0,
            "id": 6043
          },
          {
            "timestamp": "2026-05-28 22:01:57,803",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000006ac"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100001",
                "pretty_value": "FILE_READ_ACCESS|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\en-US\\svchost.exe.mui"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 6044
          },
          {
            "timestamp": "2026-05-28 22:01:57,803",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "filesystem",
            "api": "NtSetInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000658"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\System32\\conhost.exe"
              },
              {
                "name": "FileInformationClass",
                "value": "14",
                "pretty_value": "FilePositionInformation"
              },
              {
                "name": "FileInformation",
                "value": "<\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 6045
          },
          {
            "timestamp": "2026-05-28 22:01:57,803",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x000006a8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x000006ac"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\en-US\\svchost.exe.mui"
              }
            ],
            "repeated": 0,
            "id": 6046
          },
          {
            "timestamp": "2026-05-28 22:01:57,803",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x000006a8"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254640000"
              },
              {
                "name": "SectionOffset",
                "value": "0xf09ddfcf90"
              },
              {
                "name": "ViewSize",
                "value": "0x00001000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 6047
          },
          {
            "timestamp": "2026-05-28 22:01:57,803",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000006a8"
              }
            ],
            "repeated": 0,
            "id": 6048
          },
          {
            "timestamp": "2026-05-28 22:01:57,803",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254640000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              }
            ],
            "repeated": 0,
            "id": 6049
          },
          {
            "timestamp": "2026-05-28 22:01:57,803",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000006ac"
              }
            ],
            "repeated": 0,
            "id": 6050
          },
          {
            "timestamp": "2026-05-28 22:01:57,803",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "filesystem",
            "api": "NtSetInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000658"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\System32\\conhost.exe"
              },
              {
                "name": "FileInformationClass",
                "value": "14",
                "pretty_value": "FilePositionInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 6051
          },
          {
            "timestamp": "2026-05-28 22:01:57,803",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254630000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              }
            ],
            "repeated": 0,
            "id": 6052
          },
          {
            "timestamp": "2026-05-28 22:01:57,803",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\svchost.exe"
              }
            ],
            "repeated": 0,
            "id": 6053
          },
          {
            "timestamp": "2026-05-28 22:01:57,803",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000006ac"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\svchost.exe"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 6054
          },
          {
            "timestamp": "2026-05-28 22:01:57,803",
            "thread_id": "612",
            "caller": "0x7ff6c296e129",
            "parentcaller": "0x7ff6c296c7fa",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\conhost.exe"
              }
            ],
            "repeated": 0,
            "id": 6055
          },
          {
            "timestamp": "2026-05-28 22:01:57,803",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": false,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": ".\\bin\\gldriverquery64.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 6056
          },
          {
            "timestamp": "2026-05-28 22:01:57,803",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000006a8"
              }
            ],
            "repeated": 0,
            "id": 6057
          },
          {
            "timestamp": "2026-05-28 22:01:57,803",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000006ac"
              }
            ],
            "repeated": 0,
            "id": 6058
          },
          {
            "timestamp": "2026-05-28 22:01:57,803",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000658"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000400",
                "pretty_value": "PROCESS_QUERY_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "7912"
              }
            ],
            "repeated": 0,
            "id": 6059
          },
          {
            "timestamp": "2026-05-28 22:01:57,803",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x000006bc"
              }
            ],
            "repeated": 0,
            "id": 6060
          },
          {
            "timestamp": "2026-05-28 22:01:57,803",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "registry",
            "api": "NtOpenKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\en-US"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\en-US"
              }
            ],
            "repeated": 0,
            "id": 6061
          },
          {
            "timestamp": "2026-05-28 22:01:57,803",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "synchronization",
            "api": "NtCreateMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000006b0"
              },
              {
                "name": "MutexName",
                "value": "Global\\C::Users:admin:AppData:Local:Microsoft:Windows:Explorer:iconcache_idx.db!rwReaderRefs"
              },
              {
                "name": "InitialOwner",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 6062
          },
          {
            "timestamp": "2026-05-28 22:01:57,803",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000006bc"
              }
            ],
            "repeated": 0,
            "id": 6063
          },
          {
            "timestamp": "2026-05-28 22:01:57,803",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000658"
              }
            ],
            "repeated": 0,
            "id": 6064
          },
          {
            "timestamp": "2026-05-28 22:01:57,803",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000006ac"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100001",
                "pretty_value": "FILE_READ_ACCESS|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\en-US\\svchost.exe.mui"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 6065
          },
          {
            "timestamp": "2026-05-28 22:01:57,803",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x000006a8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x000006ac"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\en-US\\svchost.exe.mui"
              }
            ],
            "repeated": 0,
            "id": 6066
          },
          {
            "timestamp": "2026-05-28 22:01:57,803",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x00000658"
              }
            ],
            "repeated": 0,
            "id": 6067
          },
          {
            "timestamp": "2026-05-28 22:01:57,803",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xf0\\xe7\\xff\\x9d\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\xe9\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xf0\\x05\\x00\\x00\\x00\\x00\\x00\\x00 \\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x02\\x00\\x00\\x00\\x00\\x00\\x00]\\xddmu\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00j\\x05'Ou\\xc0\\x00\\x00\\x88X\\x1cT\\x92\\x02\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 6068
          },
          {
            "timestamp": "2026-05-28 22:01:57,803",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x000006a8"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254640000"
              },
              {
                "name": "SectionOffset",
                "value": "0xf09ddfcf80"
              },
              {
                "name": "ViewSize",
                "value": "0x00001000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 6069
          },
          {
            "timestamp": "2026-05-28 22:01:57,803",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000006a8"
              }
            ],
            "repeated": 0,
            "id": 6070
          },
          {
            "timestamp": "2026-05-28 22:01:57,803",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "synchronization",
            "api": "NtCreateMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000006bc"
              },
              {
                "name": "MutexName",
                "value": "Global\\C::Users:admin:AppData:Local:Microsoft:Windows:Explorer:iconcache_idx.db!rwReaderRefs"
              },
              {
                "name": "InitialOwner",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 6071
          },
          {
            "timestamp": "2026-05-28 22:01:57,803",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000658"
              }
            ],
            "repeated": 0,
            "id": 6072
          },
          {
            "timestamp": "2026-05-28 22:01:57,803",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000006b0"
              }
            ],
            "repeated": 0,
            "id": 6073
          },
          {
            "timestamp": "2026-05-28 22:01:57,803",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254640000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              }
            ],
            "repeated": 0,
            "id": 6074
          },
          {
            "timestamp": "2026-05-28 22:01:57,803",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000006bc"
              }
            ],
            "repeated": 0,
            "id": 6075
          },
          {
            "timestamp": "2026-05-28 22:01:57,803",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000006ac"
              }
            ],
            "repeated": 0,
            "id": 6076
          },
          {
            "timestamp": "2026-05-28 22:01:57,803",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254630000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              }
            ],
            "repeated": 0,
            "id": 6077
          },
          {
            "timestamp": "2026-05-28 22:01:57,803",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": false,
            "return": "0xffffffffc000003a",
            "pretty_return": "OBJECT_PATH_NOT_FOUND",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\bin\\gldriverquery64.exe"
              }
            ],
            "repeated": 0,
            "id": 6078
          },
          {
            "timestamp": "2026-05-28 22:01:57,803",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\imageres.dll"
              }
            ],
            "repeated": 1,
            "id": 6079
          },
          {
            "timestamp": "2026-05-28 22:01:57,803",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29254630002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\system32\\imageres.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 6080
          },
          {
            "timestamp": "2026-05-28 22:01:57,803",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "registry",
            "api": "NtOpenKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\en-US"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\en-US"
              }
            ],
            "repeated": 0,
            "id": 6081
          },
          {
            "timestamp": "2026-05-28 22:01:57,803",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000006bc"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100001",
                "pretty_value": "FILE_READ_ACCESS|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\en-US\\imageres.dll.mui"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 6082
          },
          {
            "timestamp": "2026-05-28 22:01:57,803",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x000006b0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x000006bc"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\en-US\\imageres.dll.mui"
              }
            ],
            "repeated": 0,
            "id": 6083
          },
          {
            "timestamp": "2026-05-28 22:01:57,803",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x000006b0"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254640000"
              },
              {
                "name": "SectionOffset",
                "value": "0xf09dffc770"
              },
              {
                "name": "ViewSize",
                "value": "0x00001000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 6084
          },
          {
            "timestamp": "2026-05-28 22:01:57,803",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000006b0"
              }
            ],
            "repeated": 0,
            "id": 6085
          },
          {
            "timestamp": "2026-05-28 22:01:57,818",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000006b0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100001",
                "pretty_value": "FILE_READ_ACCESS|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\SystemResources\\imageres.dll.mun"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 6086
          },
          {
            "timestamp": "2026-05-28 22:01:57,818",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000658"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x000006b0"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\SystemResources\\imageres.dll.mun"
              }
            ],
            "repeated": 0,
            "id": 6087
          },
          {
            "timestamp": "2026-05-28 22:01:57,818",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000658"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254650000"
              },
              {
                "name": "SectionOffset",
                "value": "0xf09dffc720"
              },
              {
                "name": "ViewSize",
                "value": "0x013c0000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 6088
          },
          {
            "timestamp": "2026-05-28 22:01:57,818",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000658"
              }
            ],
            "repeated": 0,
            "id": 6089
          },
          {
            "timestamp": "2026-05-28 22:01:57,818",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "misc",
            "api": "FindResourceExW",
            "status": true,
            "return": "0x29254672e40",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29254630002"
              },
              {
                "name": "Type",
                "value": "#14"
              },
              {
                "name": "Name",
                "value": "#15"
              },
              {
                "name": "Language",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 6090
          },
          {
            "timestamp": "2026-05-28 22:01:57,818",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "misc",
            "api": "LoadResource",
            "status": true,
            "return": "0x292546e6950",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29254630002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29254672e40"
              }
            ],
            "repeated": 0,
            "id": 6091
          },
          {
            "timestamp": "2026-05-28 22:01:57,818",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "misc",
            "api": "FindResourceExW",
            "status": true,
            "return": "0x29254668940",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29254630002"
              },
              {
                "name": "Type",
                "value": "#3"
              },
              {
                "name": "Name",
                "value": "#63"
              },
              {
                "name": "Language",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 6092
          },
          {
            "timestamp": "2026-05-28 22:01:57,818",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "misc",
            "api": "SizeofResource",
            "status": true,
            "return": "0x00000468",
            "arguments": [
              {
                "name": "ModuleHandle",
                "value": "0x29254630002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29254668940"
              }
            ],
            "repeated": 0,
            "id": 6093
          },
          {
            "timestamp": "2026-05-28 22:01:57,818",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "misc",
            "api": "LoadResource",
            "status": true,
            "return": "0x292546e64e8",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29254630002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29254668940"
              }
            ],
            "repeated": 0,
            "id": 6094
          },
          {
            "timestamp": "2026-05-28 22:01:57,818",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254650000"
              },
              {
                "name": "RegionSize",
                "value": "0x013c0000"
              }
            ],
            "repeated": 0,
            "id": 6095
          },
          {
            "timestamp": "2026-05-28 22:01:57,818",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000006b0"
              }
            ],
            "repeated": 0,
            "id": 6096
          },
          {
            "timestamp": "2026-05-28 22:01:57,818",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254640000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              }
            ],
            "repeated": 0,
            "id": 6097
          },
          {
            "timestamp": "2026-05-28 22:01:57,818",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000006bc"
              }
            ],
            "repeated": 0,
            "id": 6098
          },
          {
            "timestamp": "2026-05-28 22:01:57,818",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254630000"
              },
              {
                "name": "RegionSize",
                "value": "0x00003000"
              }
            ],
            "repeated": 0,
            "id": 6099
          },
          {
            "timestamp": "2026-05-28 22:01:57,818",
            "thread_id": "612",
            "caller": "0x7ff6c296e129",
            "parentcaller": "0x7ff6c296c7fa",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": false,
            "return": "0xffffffffc000003a",
            "pretty_return": "OBJECT_PATH_NOT_FOUND",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\bin\\gldriverquery64.exe"
              }
            ],
            "repeated": 0,
            "id": 6100
          },
          {
            "timestamp": "2026-05-28 22:01:57,818",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": false,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": ".\\bin\\gldriverquery.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 6101
          },
          {
            "timestamp": "2026-05-28 22:01:57,818",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000006bc"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000400",
                "pretty_value": "PROCESS_QUERY_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "7912"
              }
            ],
            "repeated": 0,
            "id": 6102
          },
          {
            "timestamp": "2026-05-28 22:01:57,818",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x000006b0"
              }
            ],
            "repeated": 0,
            "id": 6103
          },
          {
            "timestamp": "2026-05-28 22:01:57,818",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xe0\\xe7\\xff\\x9d\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\xe9\\x03\\x00\\x00\\xfc\\x7f\\x00\\x00`^\\xe8S\\x92\\x02\\x00\\x00`\\xee\\xff\\x9d\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00}\\x00\\x00\\x00\\x00\\x00\\x00\\x00H\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 6104
          },
          {
            "timestamp": "2026-05-28 22:01:57,818",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "synchronization",
            "api": "NtCreateMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000658"
              },
              {
                "name": "MutexName",
                "value": "Global\\C::Users:admin:AppData:Local:Microsoft:Windows:Explorer:iconcache_idx.db!rwReaderRefs"
              },
              {
                "name": "InitialOwner",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 6105
          },
          {
            "timestamp": "2026-05-28 22:01:57,818",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000006b0"
              }
            ],
            "repeated": 0,
            "id": 6106
          },
          {
            "timestamp": "2026-05-28 22:01:57,818",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000006bc"
              }
            ],
            "repeated": 0,
            "id": 6107
          },
          {
            "timestamp": "2026-05-28 22:01:57,818",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000005d4"
              },
              {
                "name": "HandleName",
                "value": "C:\\Users\\admin\\AppData\\Local\\Microsoft\\Windows\\Explorer\\iconcache_idx.db"
              },
              {
                "name": "FileInformationClass",
                "value": "5",
                "pretty_value": "FileStandardInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\x00\\x80\\x00\\x00\\x00\\x00\\x00\\x000r\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 6108
          },
          {
            "timestamp": "2026-05-28 22:01:57,818",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000658"
              }
            ],
            "repeated": 0,
            "id": 6109
          },
          {
            "timestamp": "2026-05-28 22:01:57,818",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000658"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000400",
                "pretty_value": "PROCESS_QUERY_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "7912"
              }
            ],
            "repeated": 0,
            "id": 6110
          },
          {
            "timestamp": "2026-05-28 22:01:57,818",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x000006bc"
              }
            ],
            "repeated": 0,
            "id": 6111
          },
          {
            "timestamp": "2026-05-28 22:01:57,818",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xf0\\xe7\\xff\\x9d\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\xe9\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xf0\\x05\\x00\\x00\\x00\\x00\\x00\\x00 \\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x02\\x00\\x00\\x00\\x00\\x00\\x00]\\xddmu\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00j\\x05'Ou\\xc0\\x00\\x00\\x88X\\x1cT\\x92\\x02\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 6112
          },
          {
            "timestamp": "2026-05-28 22:01:57,818",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "synchronization",
            "api": "NtCreateMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000006b0"
              },
              {
                "name": "MutexName",
                "value": "Global\\C::Users:admin:AppData:Local:Microsoft:Windows:Explorer:iconcache_idx.db!rwReaderRefs"
              },
              {
                "name": "InitialOwner",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 6113
          },
          {
            "timestamp": "2026-05-28 22:01:57,818",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000006bc"
              }
            ],
            "repeated": 0,
            "id": 6114
          },
          {
            "timestamp": "2026-05-28 22:01:57,818",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000658"
              }
            ],
            "repeated": 0,
            "id": 6115
          },
          {
            "timestamp": "2026-05-28 22:01:57,818",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000006b0"
              }
            ],
            "repeated": 0,
            "id": 6116
          },
          {
            "timestamp": "2026-05-28 22:01:57,818",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": false,
            "return": "0xffffffffc000003a",
            "pretty_return": "OBJECT_PATH_NOT_FOUND",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\bin\\gldriverquery.exe"
              }
            ],
            "repeated": 0,
            "id": 6117
          },
          {
            "timestamp": "2026-05-28 22:01:57,818",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\imageres.dll"
              }
            ],
            "repeated": 1,
            "id": 6118
          },
          {
            "timestamp": "2026-05-28 22:01:57,818",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29254630002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\system32\\imageres.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 6119
          },
          {
            "timestamp": "2026-05-28 22:01:57,818",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "registry",
            "api": "NtOpenKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\en-US"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\en-US"
              }
            ],
            "repeated": 0,
            "id": 6120
          },
          {
            "timestamp": "2026-05-28 22:01:57,818",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000006b0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100001",
                "pretty_value": "FILE_READ_ACCESS|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\en-US\\imageres.dll.mui"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 6121
          },
          {
            "timestamp": "2026-05-28 22:01:57,818",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000658"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x000006b0"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\en-US\\imageres.dll.mui"
              }
            ],
            "repeated": 0,
            "id": 6122
          },
          {
            "timestamp": "2026-05-28 22:01:57,818",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000658"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254640000"
              },
              {
                "name": "SectionOffset",
                "value": "0xf09dffc770"
              },
              {
                "name": "ViewSize",
                "value": "0x00001000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 6123
          },
          {
            "timestamp": "2026-05-28 22:01:57,818",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000658"
              }
            ],
            "repeated": 0,
            "id": 6124
          },
          {
            "timestamp": "2026-05-28 22:01:57,818",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000658"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100001",
                "pretty_value": "FILE_READ_ACCESS|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\SystemResources\\imageres.dll.mun"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 6125
          },
          {
            "timestamp": "2026-05-28 22:01:57,818",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x000006bc"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000658"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\SystemResources\\imageres.dll.mun"
              }
            ],
            "repeated": 0,
            "id": 6126
          },
          {
            "timestamp": "2026-05-28 22:01:57,818",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x000006bc"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254650000"
              },
              {
                "name": "SectionOffset",
                "value": "0xf09dffc720"
              },
              {
                "name": "ViewSize",
                "value": "0x013c0000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 6127
          },
          {
            "timestamp": "2026-05-28 22:01:57,818",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000006bc"
              }
            ],
            "repeated": 0,
            "id": 6128
          },
          {
            "timestamp": "2026-05-28 22:01:57,818",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "misc",
            "api": "FindResourceExW",
            "status": true,
            "return": "0x29254672e40",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29254630002"
              },
              {
                "name": "Type",
                "value": "#14"
              },
              {
                "name": "Name",
                "value": "#15"
              },
              {
                "name": "Language",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 6129
          },
          {
            "timestamp": "2026-05-28 22:01:57,818",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "misc",
            "api": "LoadResource",
            "status": true,
            "return": "0x292546e6950",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29254630002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29254672e40"
              }
            ],
            "repeated": 0,
            "id": 6130
          },
          {
            "timestamp": "2026-05-28 22:01:57,818",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "misc",
            "api": "FindResourceExW",
            "status": true,
            "return": "0x29254668940",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29254630002"
              },
              {
                "name": "Type",
                "value": "#3"
              },
              {
                "name": "Name",
                "value": "#63"
              },
              {
                "name": "Language",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 6131
          },
          {
            "timestamp": "2026-05-28 22:01:57,818",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "misc",
            "api": "SizeofResource",
            "status": true,
            "return": "0x00000468",
            "arguments": [
              {
                "name": "ModuleHandle",
                "value": "0x29254630002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29254668940"
              }
            ],
            "repeated": 0,
            "id": 6132
          },
          {
            "timestamp": "2026-05-28 22:01:57,818",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "misc",
            "api": "LoadResource",
            "status": true,
            "return": "0x292546e64e8",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29254630002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29254668940"
              }
            ],
            "repeated": 0,
            "id": 6133
          },
          {
            "timestamp": "2026-05-28 22:01:57,818",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254650000"
              },
              {
                "name": "RegionSize",
                "value": "0x013c0000"
              }
            ],
            "repeated": 0,
            "id": 6134
          },
          {
            "timestamp": "2026-05-28 22:01:57,818",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000658"
              }
            ],
            "repeated": 0,
            "id": 6135
          },
          {
            "timestamp": "2026-05-28 22:01:57,818",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254640000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              }
            ],
            "repeated": 0,
            "id": 6136
          },
          {
            "timestamp": "2026-05-28 22:01:57,818",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000006b0"
              }
            ],
            "repeated": 0,
            "id": 6137
          },
          {
            "timestamp": "2026-05-28 22:01:57,818",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254630000"
              },
              {
                "name": "RegionSize",
                "value": "0x00003000"
              }
            ],
            "repeated": 0,
            "id": 6138
          },
          {
            "timestamp": "2026-05-28 22:01:57,818",
            "thread_id": "612",
            "caller": "0x7ff6c296e129",
            "parentcaller": "0x7ff6c296c7fa",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": false,
            "return": "0xffffffffc000003a",
            "pretty_return": "OBJECT_PATH_NOT_FOUND",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\bin\\gldriverquery.exe"
              }
            ],
            "repeated": 0,
            "id": 6139
          },
          {
            "timestamp": "2026-05-28 22:01:57,818",
            "thread_id": "612",
            "caller": "0x7ff6c290bbeb",
            "parentcaller": "0x7ff6c296c7b4",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Program Files (x86)\\Steam\\steamsysinfo.exe"
              }
            ],
            "repeated": 0,
            "id": 6140
          },
          {
            "timestamp": "2026-05-28 22:01:57,818",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c38f8",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000006ac"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001410",
                "pretty_value": "PROCESS_VM_READ|PROCESS_QUERY_INFORMATION|PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "2348"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\System32\\svchost.exe"
              }
            ],
            "repeated": 0,
            "id": 6141
          },
          {
            "timestamp": "2026-05-28 22:01:57,818",
            "thread_id": "5448",
            "caller": "0x7ff6c28c53e5",
            "parentcaller": "0x7ff6c28c3945",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000006ac"
              },
              {
                "name": "BaseAddress",
                "value": "0xab0b4af000"
              },
              {
                "name": "Size",
                "value": "0x000007c8"
              },
              {
                "name": "Buffer",
                "value": "\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x006\\x80\\xf7\\x7f\\x00\\x00\\xc0\\xc4\\x13x\\xfc\\x7f\\x00\\x00\\xf02\\xe0\\x90J\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xd2\\x90J\\x02\\x00\\x00\\xe0\\xc0\\x13x\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00p\\x003v\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xcd\\x90J\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00@\\xc4\\x13x\\xfc\\x7f\\x00\\x00\\xff\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x1d\\x02\\xf4}\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00P\\x07\\x1d\\x02\\xf4}\\x00\\x00\\x00\\x001\\x04\\xf5}\\x00\\x00(\\x022\\x04\\xf5}\\x00\\x00P\\x063\\x04\\xf5}\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x80\\x9b\\x07m\\xe8\\xff\\xff\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x00 \\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x10\\x00\\x00\\x00@\\xad\\x13x\\xfc\\x7f\\x00\\x00\\x00\\x00$\\x91J\\x02\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 6142
          },
          {
            "timestamp": "2026-05-28 22:01:57,818",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29254630002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Program Files (x86)\\Steam\\steamsysinfo.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 6143
          },
          {
            "timestamp": "2026-05-28 22:01:57,818",
            "thread_id": "5448",
            "caller": "0x7ff6c28c5414",
            "parentcaller": "0x7ff6c28c3945",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000006ac"
              },
              {
                "name": "BaseAddress",
                "value": "0x24a90e032f0"
              },
              {
                "name": "Size",
                "value": "0x00000440"
              },
              {
                "name": "Buffer",
                "value": "`\\x07\\x00\\x00`\\x07\\x00\\x00\\x01 \\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00(\\x00\\x08\\x02\\x00\\x00\\x00\\x00\\xc0>\\xe0\\x90J\\x02\\x00\\x00H\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00>\\x00@\\x00\\x00\\x00\\x00\\x0089\\xe0\\x90J\\x02\\x00\\x00\\x92\\x00\\x94\\x00\\x00\\x00\\x00\\x00x9\\xe0\\x90J\\x02\\x00\\x00\\xf0'\\xe0\\x90J\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x80\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00>\\x00@\\x00\\x00\\x00\\x00\\x00\\x0c:\\xe0\\x90J\\x02\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00L:\\xe0\\x90J\\x02\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00N:\\xe0\\x90J\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 6144
          },
          {
            "timestamp": "2026-05-28 22:01:57,818",
            "thread_id": "5448",
            "caller": "0x7ff6c28c545d",
            "parentcaller": "0x7ff6c28c3945",
            "category": "process",
            "api": "NtReadVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000006ac"
              },
              {
                "name": "ProcessId",
                "value": "2348"
              },
              {
                "name": "BaseAddress",
                "value": "0x24a90e03978"
              },
              {
                "name": "Size",
                "value": "0x00000092"
              },
              {
                "name": "Buffer",
                "value": "C\\x00:\\x00\\\\x00W\\x00i\\x00n\\x00d\\x00o\\x00w\\x00s\\x00\\\\x00S\\x00y\\x00s\\x00t\\x00e\\x00m\\x003\\x002\\x00\\\\x00s\\x00v\\x00c\\x00h\\x00o\\x00s\\x00t\\x00.\\x00e\\x00x\\x00e\\x00 \\x00-\\x00k\\x00 \\x00N\\x00e\\x00t\\x00w\\x00o\\x00r\\x00k\\x00S\\x00e\\x00r\\x00v\\x00i\\x00c\\x00e\\x00 \\x00-\\x00p\\x00 \\x00-\\x00s\\x00 \\x00L\\x00a\\x00n\\x00m\\x00a\\x00n\\x00W\\x00o\\x00r\\x00k\\x00s\\x00t\\x00a\\x00t\\x00i\\x00o\\x00n\\x00"
              }
            ],
            "repeated": 0,
            "id": 6145
          },
          {
            "timestamp": "2026-05-28 22:01:57,818",
            "thread_id": "5448",
            "caller": "0x7ff6c28c39ad",
            "parentcaller": "0x7ff6c28c31bb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000006ac"
              }
            ],
            "repeated": 0,
            "id": 6146
          },
          {
            "timestamp": "2026-05-28 22:01:57,818",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c3746",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000006ac"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001000",
                "pretty_value": "PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "2348"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\System32\\svchost.exe"
              }
            ],
            "repeated": 0,
            "id": 6147
          },
          {
            "timestamp": "2026-05-28 22:01:57,818",
            "thread_id": "5448",
            "caller": "0x7ff6c28c472e",
            "parentcaller": "0x7ff6c28c375e",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000006ac"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x000006a8"
              }
            ],
            "repeated": 0,
            "id": 6148
          },
          {
            "timestamp": "2026-05-28 22:01:57,818",
            "thread_id": "5448",
            "caller": "0x7ff6c28c4764",
            "parentcaller": "0x7ff6c28c375e",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "39"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 6149
          },
          {
            "timestamp": "2026-05-28 22:01:57,818",
            "thread_id": "612",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000001",
                "pretty_value": "HKEY_CURRENT_USER"
              },
              {
                "name": "SubKey",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume"
              },
              {
                "name": "Handle",
                "value": "0x000006b0"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume"
              }
            ],
            "repeated": 0,
            "id": 6150
          },
          {
            "timestamp": "2026-05-28 22:01:57,818",
            "thread_id": "5448",
            "caller": "0x7ff6c28c488d",
            "parentcaller": "0x7ff6c28c375e",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000006a8"
              }
            ],
            "repeated": 0,
            "id": 6151
          },
          {
            "timestamp": "2026-05-28 22:01:57,818",
            "thread_id": "5448",
            "caller": "0x7ff6c28c3779",
            "parentcaller": "0x7ff6c28c31c6",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000006ac"
              }
            ],
            "repeated": 0,
            "id": 6152
          },
          {
            "timestamp": "2026-05-28 22:01:57,818",
            "thread_id": "612",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x000006b0"
              },
              {
                "name": "SubKey",
                "value": "{528c102f-0000-0000-0000-300300000000}\\"
              },
              {
                "name": "Handle",
                "value": "0x00000658"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{528c102f-0000-0000-0000-300300000000}\\"
              }
            ],
            "repeated": 0,
            "id": 6153
          },
          {
            "timestamp": "2026-05-28 22:01:57,818",
            "thread_id": "612",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000006b0"
              }
            ],
            "repeated": 0,
            "id": 6154
          },
          {
            "timestamp": "2026-05-28 22:01:57,818",
            "thread_id": "612",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000658"
              },
              {
                "name": "ValueName",
                "value": "Generation"
              },
              {
                "name": "Data",
                "value": "1"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{528c102f-0000-0000-0000-300300000000}\\Generation"
              }
            ],
            "repeated": 0,
            "id": 6155
          },
          {
            "timestamp": "2026-05-28 22:01:57,818",
            "thread_id": "612",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000658"
              }
            ],
            "repeated": 0,
            "id": 6156
          },
          {
            "timestamp": "2026-05-28 22:01:57,818",
            "thread_id": "612",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000658"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100081",
                "pretty_value": "FILE_READ_ACCESS|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 6157
          },
          {
            "timestamp": "2026-05-28 22:01:57,818",
            "thread_id": "612",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": false,
            "return": "0xffffffffc000000d",
            "pretty_return": "INVALID_PARAMETER",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000658"
              },
              {
                "name": "HandleName",
                "value": "C:\\"
              },
              {
                "name": "FileInformationClass",
                "value": "55",
                "pretty_value": "FileReplaceCompletionInformation"
              },
              {
                "name": "FileInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 6158
          },
          {
            "timestamp": "2026-05-28 22:01:57,818",
            "thread_id": "612",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "filesystem",
            "api": "NtQueryDirectoryFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000658"
              },
              {
                "name": "FileInformation",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xbeAb\\xc8\\xde\\xac\\xd5\\x01\\x9e\\x9a\\x01\\xc8\\xea\\xee\\xdc\\x01\\xb2\\x020C\\x00\\xef\\xdc\\x01\\xb2\\x020C\\x00\\xef\\xdc\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x11\\x00\\x00\\x00&\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00P\\x00R\\x00O\\x00G\\x00R\\x00A\\x00~\\x002\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xc9\\x04\\x00\\x00\\x00\\x00\\x01\\x00P\\x00r\\x00o\\x00g\\x00r\\x00a\\x00m\\x00 \\x00F\\x00i\\x00l\\x00e\\x00s\\x00 \\x00(\\x00x\\x008\\x006\\x00)\\x00"
              },
              {
                "name": "FileName",
                "value": "C:\\Program Files (x86)"
              },
              {
                "name": "FileInformationClass",
                "value": "37",
                "pretty_value": "FileIdBothDirectoryInformation"
              }
            ],
            "repeated": 0,
            "id": 6159
          },
          {
            "timestamp": "2026-05-28 22:01:57,818",
            "thread_id": "612",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000658"
              }
            ],
            "repeated": 0,
            "id": 6160
          },
          {
            "timestamp": "2026-05-28 22:01:57,818",
            "thread_id": "612",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "0",
                "pretty_value": "ThreadBasicInformation"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x03\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00p\\x87\\x9d\\xf0\\x00\\x00\\x00\\xe8\\x1e\\x00\\x00\\x00\\x00\\x00\\x00d\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x0b\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "612"
              }
            ],
            "repeated": 0,
            "id": 6161
          },
          {
            "timestamp": "2026-05-28 22:01:57,818",
            "thread_id": "612",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0xf09d877281"
              },
              {
                "name": "Size",
                "value": "0x00000001"
              },
              {
                "name": "Buffer",
                "value": "\\x00"
              }
            ],
            "repeated": 0,
            "id": 6162
          },
          {
            "timestamp": "2026-05-28 22:01:57,818",
            "thread_id": "612",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "process",
            "api": "WriteProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0xf09d877281"
              },
              {
                "name": "Buffer",
                "value": "\\x01"
              },
              {
                "name": "BufferLength",
                "value": "0x00000001"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 6163
          },
          {
            "timestamp": "2026-05-28 22:01:57,818",
            "thread_id": "612",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000658"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Program Files (x86)\\desktop.ini"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 6164
          },
          {
            "timestamp": "2026-05-28 22:01:57,818",
            "thread_id": "612",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000658"
              },
              {
                "name": "HandleName",
                "value": "C:\\Program Files (x86)\\desktop.ini"
              },
              {
                "name": "FileInformationClass",
                "value": "5",
                "pretty_value": "FileStandardInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\xb0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xae\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 6165
          },
          {
            "timestamp": "2026-05-28 22:01:57,818",
            "thread_id": "612",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "filesystem",
            "api": "NtReadFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000658"
              },
              {
                "name": "HandleName",
                "value": "C:\\Program Files (x86)\\desktop.ini"
              },
              {
                "name": "Buffer",
                "value": "\\xff\\xfe\r\\x00\n\\x00[\\x00.\\x00S\\x00h\\x00e\\x00l\\x00l\\x00C\\x00l\\x00a\\x00s\\x00s\\x00I\\x00n\\x00f\\x00o\\x00]\\x00\r\\x00\n\\x00L\\x00o\\x00c\\x00a\\x00l\\x00i\\x00z\\x00e\\x00d\\x00R\\x00e\\x00s\\x00o\\x00u\\x00r\\x00c\\x00e\\x00N\\x00a\\x00m\\x00e\\x00=\\x00@\\x00%\\x00S\\x00y\\x00s\\x00t\\x00e\\x00m\\x00R\\x00o\\x00o\\x00t\\x00%\\x00\\\\x00s\\x00y\\x00s\\x00t\\x00e\\x00m\\x003\\x002\\x00\\\\x00s\\x00h\\x00e\\x00l\\x00l\\x003\\x002\\x00.\\x00d\\x00l\\x00l\\x00,\\x00-\\x002\\x001\\x008\\x001\\x007\\x00\r\\x00\n\\x00"
              },
              {
                "name": "Length",
                "value": "174"
              }
            ],
            "repeated": 0,
            "id": 6166
          },
          {
            "timestamp": "2026-05-28 22:01:57,818",
            "thread_id": "612",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000658"
              },
              {
                "name": "HandleName",
                "value": "C:\\Program Files (x86)\\desktop.ini"
              },
              {
                "name": "FileInformationClass",
                "value": "4",
                "pretty_value": "FileBasicInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\x81n\\x9f\\xc9\\xde\\xac\\xd5\\x01N\\xa1T\\x9a\\xed\\xee\\xdc\\x01\\xab\\xb8,{\\xde\\xac\\xd5\\x01e\\x9e\\x95\\xc2\\xf8\\xee\\xdc\\x01&\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 6167
          },
          {
            "timestamp": "2026-05-28 22:01:57,818",
            "thread_id": "612",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000658"
              }
            ],
            "repeated": 0,
            "id": 6168
          },
          {
            "timestamp": "2026-05-28 22:01:57,818",
            "thread_id": "612",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 6169
          },
          {
            "timestamp": "2026-05-28 22:01:57,818",
            "thread_id": "612",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "0",
                "pretty_value": "ThreadBasicInformation"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x03\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00p\\x87\\x9d\\xf0\\x00\\x00\\x00\\xe8\\x1e\\x00\\x00\\x00\\x00\\x00\\x00d\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x0b\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "612"
              }
            ],
            "repeated": 0,
            "id": 6170
          },
          {
            "timestamp": "2026-05-28 22:01:57,818",
            "thread_id": "612",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0xf09d877281"
              },
              {
                "name": "Size",
                "value": "0x00000001"
              },
              {
                "name": "Buffer",
                "value": "\\x01"
              }
            ],
            "repeated": 0,
            "id": 6171
          },
          {
            "timestamp": "2026-05-28 22:01:57,818",
            "thread_id": "612",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "process",
            "api": "WriteProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0xf09d877281"
              },
              {
                "name": "Buffer",
                "value": "\\x00"
              },
              {
                "name": "BufferLength",
                "value": "0x00000001"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 6172
          },
          {
            "timestamp": "2026-05-28 22:01:57,818",
            "thread_id": "612",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000658"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100081",
                "pretty_value": "FILE_READ_ACCESS|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Program Files (x86)"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 6173
          },
          {
            "timestamp": "2026-05-28 22:01:57,818",
            "thread_id": "612",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": false,
            "return": "0xffffffffc000000d",
            "pretty_return": "INVALID_PARAMETER",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000658"
              },
              {
                "name": "HandleName",
                "value": "C:\\Program Files (x86)"
              },
              {
                "name": "FileInformationClass",
                "value": "55",
                "pretty_value": "FileReplaceCompletionInformation"
              },
              {
                "name": "FileInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 6174
          },
          {
            "timestamp": "2026-05-28 22:01:57,818",
            "thread_id": "612",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "filesystem",
            "api": "NtQueryDirectoryFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000658"
              },
              {
                "name": "FileInformation",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb2\\x020C\\x00\\xef\\xdc\\x01{IL7\\xec\\xee\\xdc\\x01{IL7\\xec\\xee\\xdc\\x01{IL7\\xec\\xee\\xdc\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\n\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x1d\\xf7\\x01\\x00\\x00\\x00\\x02\\x00S\\x00t\\x00e\\x00a\\x00m\\x00"
              },
              {
                "name": "FileName",
                "value": "C:\\Program Files (x86)\\Steam"
              },
              {
                "name": "FileInformationClass",
                "value": "37",
                "pretty_value": "FileIdBothDirectoryInformation"
              }
            ],
            "repeated": 0,
            "id": 6175
          },
          {
            "timestamp": "2026-05-28 22:01:57,818",
            "thread_id": "612",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000658"
              }
            ],
            "repeated": 0,
            "id": 6176
          },
          {
            "timestamp": "2026-05-28 22:01:57,818",
            "thread_id": "612",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 6177
          },
          {
            "timestamp": "2026-05-28 22:01:57,818",
            "thread_id": "612",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000658"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100081",
                "pretty_value": "FILE_READ_ACCESS|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Program Files (x86)\\Steam"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 6178
          },
          {
            "timestamp": "2026-05-28 22:01:57,818",
            "thread_id": "612",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": false,
            "return": "0xffffffffc000000d",
            "pretty_return": "INVALID_PARAMETER",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000658"
              },
              {
                "name": "HandleName",
                "value": "C:\\Program Files (x86)\\Steam"
              },
              {
                "name": "FileInformationClass",
                "value": "55",
                "pretty_value": "FileReplaceCompletionInformation"
              },
              {
                "name": "FileInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 6179
          },
          {
            "timestamp": "2026-05-28 22:01:57,818",
            "thread_id": "612",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "filesystem",
            "api": "NtQueryDirectoryFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000658"
              },
              {
                "name": "FileInformation",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xe1T\\xbaK\\x00\\xef\\xdc\\x01&\\xe9\\x1c&\\xeb\\xee\\xdc\\x01\\x00ro\\x15(\\xee\\xdc\\x01\\x06K,d\\x00\\xef\\xdc\\x01\\x98\\xfe\\x13\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x14\\x00\\x00\\x00\\x00\\x00 \\x00\\x00\\x00 \\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x18\\x00S\\x00T\\x00E\\x00A\\x00M\\x00S\\x00~\\x001\\x00.\\x00E\\x00X\\x00E\\x00\\x00\\x00-)\\x02\\x00\\x00\\x00\\x01\\x00s\\x00t\\x00e\\x00a\\x00m\\x00s\\x00y\\x00s\\x00i\\x00n\\x00f\\x00o\\x00.\\x00e\\x00x\\x00e\\x00"
              },
              {
                "name": "FileName",
                "value": "C:\\Program Files (x86)\\Steam\\steamsysinfo.exe"
              },
              {
                "name": "FileInformationClass",
                "value": "37",
                "pretty_value": "FileIdBothDirectoryInformation"
              }
            ],
            "repeated": 0,
            "id": 6180
          },
          {
            "timestamp": "2026-05-28 22:01:57,818",
            "thread_id": "612",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000658"
              }
            ],
            "repeated": 0,
            "id": 6181
          },
          {
            "timestamp": "2026-05-28 22:01:57,818",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000658"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000400",
                "pretty_value": "PROCESS_QUERY_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "7912"
              }
            ],
            "repeated": 0,
            "id": 6182
          },
          {
            "timestamp": "2026-05-28 22:01:57,818",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x000006b0"
              }
            ],
            "repeated": 0,
            "id": 6183
          },
          {
            "timestamp": "2026-05-28 22:01:57,818",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xe0\\xe7\\xff\\x9d\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\xe9\\x03\\x00\\x00\\xfc\\x7f\\x00\\x00`^\\xe8S\\x92\\x02\\x00\\x00`\\xee\\xff\\x9d\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00~\\x00\\x00\\x00\\x00\\x00\\x00\\x00H\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 6184
          },
          {
            "timestamp": "2026-05-28 22:01:57,818",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "synchronization",
            "api": "NtCreateMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000006bc"
              },
              {
                "name": "MutexName",
                "value": "Global\\C::Users:admin:AppData:Local:Microsoft:Windows:Explorer:iconcache_idx.db!rwReaderRefs"
              },
              {
                "name": "InitialOwner",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 6185
          },
          {
            "timestamp": "2026-05-28 22:01:57,818",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000006b0"
              }
            ],
            "repeated": 0,
            "id": 6186
          },
          {
            "timestamp": "2026-05-28 22:01:57,818",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000658"
              }
            ],
            "repeated": 0,
            "id": 6187
          },
          {
            "timestamp": "2026-05-28 22:01:57,818",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000005d4"
              },
              {
                "name": "HandleName",
                "value": "C:\\Users\\admin\\AppData\\Local\\Microsoft\\Windows\\Explorer\\iconcache_idx.db"
              },
              {
                "name": "FileInformationClass",
                "value": "5",
                "pretty_value": "FileStandardInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\x00\\x80\\x00\\x00\\x00\\x00\\x00\\x000r\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 6188
          },
          {
            "timestamp": "2026-05-28 22:01:57,818",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000006bc"
              }
            ],
            "repeated": 0,
            "id": 6189
          },
          {
            "timestamp": "2026-05-28 22:01:57,818",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000006bc"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000400",
                "pretty_value": "PROCESS_QUERY_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "7912"
              }
            ],
            "repeated": 0,
            "id": 6190
          },
          {
            "timestamp": "2026-05-28 22:01:57,818",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x00000658"
              }
            ],
            "repeated": 0,
            "id": 6191
          },
          {
            "timestamp": "2026-05-28 22:01:57,818",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xf0\\xe7\\xff\\x9d\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\xe9\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xf0\\x05\\x00\\x00\\x00\\x00\\x00\\x00 \\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x02\\x00\\x00\\x00\\x00\\x00\\x00]\\xddmu\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00j\\x05'Ou\\xc0\\x00\\x00\\x88X\\x1cT\\x92\\x02\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 6192
          },
          {
            "timestamp": "2026-05-28 22:01:57,818",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "synchronization",
            "api": "NtCreateMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000006b0"
              },
              {
                "name": "MutexName",
                "value": "Global\\C::Users:admin:AppData:Local:Microsoft:Windows:Explorer:iconcache_idx.db!rwReaderRefs"
              },
              {
                "name": "InitialOwner",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 6193
          },
          {
            "timestamp": "2026-05-28 22:01:57,818",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000658"
              }
            ],
            "repeated": 0,
            "id": 6194
          },
          {
            "timestamp": "2026-05-28 22:01:57,818",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000006bc"
              }
            ],
            "repeated": 0,
            "id": 6195
          },
          {
            "timestamp": "2026-05-28 22:01:57,818",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000006b0"
              }
            ],
            "repeated": 0,
            "id": 6196
          },
          {
            "timestamp": "2026-05-28 22:01:57,818",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\program files (x86)\\Steam\\steamsysinfo.exe"
              }
            ],
            "repeated": 1,
            "id": 6197
          },
          {
            "timestamp": "2026-05-28 22:01:57,818",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29254630002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "c:\\program files (x86)\\steam\\steamsysinfo.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 6198
          },
          {
            "timestamp": "2026-05-28 22:01:57,818",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": false,
            "return": "0xffffffffc000003a",
            "pretty_return": "OBJECT_PATH_NOT_FOUND",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100001",
                "pretty_value": "FILE_READ_ACCESS|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\program files (x86)\\SystemResources\\steamsysinfo.exe.mun"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 6199
          },
          {
            "timestamp": "2026-05-28 22:01:57,818",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254630000"
              },
              {
                "name": "RegionSize",
                "value": "0x00149000"
              }
            ],
            "repeated": 0,
            "id": 6200
          },
          {
            "timestamp": "2026-05-28 22:01:57,818",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\imageres.dll"
              }
            ],
            "repeated": 1,
            "id": 6201
          },
          {
            "timestamp": "2026-05-28 22:01:57,818",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29254630002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\system32\\imageres.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 6202
          },
          {
            "timestamp": "2026-05-28 22:01:57,818",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "registry",
            "api": "NtOpenKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\en-US"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\en-US"
              }
            ],
            "repeated": 0,
            "id": 6203
          },
          {
            "timestamp": "2026-05-28 22:01:57,818",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000006b0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100001",
                "pretty_value": "FILE_READ_ACCESS|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\en-US\\imageres.dll.mui"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 6204
          },
          {
            "timestamp": "2026-05-28 22:01:57,818",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x000006bc"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x000006b0"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\en-US\\imageres.dll.mui"
              }
            ],
            "repeated": 0,
            "id": 6205
          },
          {
            "timestamp": "2026-05-28 22:01:57,818",
            "thread_id": "5448",
            "caller": "0x7ff6c28c068f",
            "parentcaller": "0x7ff6c28bdc11",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000006ac"
              }
            ],
            "repeated": 0,
            "id": 6206
          },
          {
            "timestamp": "2026-05-28 22:01:57,818",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x000006bc"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254640000"
              },
              {
                "name": "SectionOffset",
                "value": "0xf09dffc770"
              },
              {
                "name": "ViewSize",
                "value": "0x00001000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 6207
          },
          {
            "timestamp": "2026-05-28 22:01:57,818",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000006bc"
              }
            ],
            "repeated": 0,
            "id": 6208
          },
          {
            "timestamp": "2026-05-28 22:01:57,818",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c3e56",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000006ac"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001000",
                "pretty_value": "PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "2512"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\System32\\svchost.exe"
              }
            ],
            "repeated": 0,
            "id": 6209
          },
          {
            "timestamp": "2026-05-28 22:01:57,818",
            "thread_id": "5448",
            "caller": "0x7ff6c28c3ebb",
            "parentcaller": "0x7ff6c28c2d53",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000006ac"
              }
            ],
            "repeated": 0,
            "id": 6210
          },
          {
            "timestamp": "2026-05-28 22:01:57,818",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c3ffc",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000006ac"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001000",
                "pretty_value": "PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "2512"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\System32\\svchost.exe"
              }
            ],
            "repeated": 0,
            "id": 6211
          },
          {
            "timestamp": "2026-05-28 22:01:57,818",
            "thread_id": "5448",
            "caller": "0x7ff6c28c4224",
            "parentcaller": "0x7ff6c28c2da5",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000006ac"
              }
            ],
            "repeated": 0,
            "id": 6212
          },
          {
            "timestamp": "2026-05-28 22:01:57,818",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29254650002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\System32\\svchost.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 6213
          },
          {
            "timestamp": "2026-05-28 22:01:57,818",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000658"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x000006bc"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\SystemResources\\imageres.dll.mun"
              }
            ],
            "repeated": 0,
            "id": 6214
          },
          {
            "timestamp": "2026-05-28 22:01:57,818",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000658"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254660000"
              },
              {
                "name": "SectionOffset",
                "value": "0xf09dffc720"
              },
              {
                "name": "ViewSize",
                "value": "0x013c0000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 6215
          },
          {
            "timestamp": "2026-05-28 22:01:57,818",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000658"
              }
            ],
            "repeated": 0,
            "id": 6216
          },
          {
            "timestamp": "2026-05-28 22:01:57,818",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "misc",
            "api": "FindResourceExW",
            "status": true,
            "return": "0x29254682e40",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29254630002"
              },
              {
                "name": "Type",
                "value": "#14"
              },
              {
                "name": "Name",
                "value": "#15"
              },
              {
                "name": "Language",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 6217
          },
          {
            "timestamp": "2026-05-28 22:01:57,818",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "misc",
            "api": "LoadResource",
            "status": true,
            "return": "0x292546f6950",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29254630002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29254682e40"
              }
            ],
            "repeated": 0,
            "id": 6218
          },
          {
            "timestamp": "2026-05-28 22:01:57,818",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "misc",
            "api": "FindResourceExW",
            "status": true,
            "return": "0x29254678940",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29254630002"
              },
              {
                "name": "Type",
                "value": "#3"
              },
              {
                "name": "Name",
                "value": "#63"
              },
              {
                "name": "Language",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 6219
          },
          {
            "timestamp": "2026-05-28 22:01:57,818",
            "thread_id": "612",
            "caller": "0x7ffc762c5842",
            "parentcaller": "0x7ffc756fc703",
            "category": "misc",
            "api": "SizeofResource",
            "status": true,
            "return": "0x00000468",
            "arguments": [
              {
                "name": "ModuleHandle",
                "value": "0x29254630002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29254678940"
              }
            ],
            "repeated": 0,
            "id": 6220
          },
          {
            "timestamp": "2026-05-28 22:01:57,818",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "misc",
            "api": "LoadResource",
            "status": true,
            "return": "0x292546f64e8",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29254630002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29254678940"
              }
            ],
            "repeated": 0,
            "id": 6221
          },
          {
            "timestamp": "2026-05-28 22:01:57,818",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000006ac"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100001",
                "pretty_value": "FILE_READ_ACCESS|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\en-US\\svchost.exe.mui"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 6222
          },
          {
            "timestamp": "2026-05-28 22:01:57,818",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254660000"
              },
              {
                "name": "RegionSize",
                "value": "0x013c0000"
              }
            ],
            "repeated": 0,
            "id": 6223
          },
          {
            "timestamp": "2026-05-28 22:01:57,818",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000006bc"
              }
            ],
            "repeated": 0,
            "id": 6224
          },
          {
            "timestamp": "2026-05-28 22:01:57,818",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254640000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              }
            ],
            "repeated": 0,
            "id": 6225
          },
          {
            "timestamp": "2026-05-28 22:01:57,818",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000006b0"
              }
            ],
            "repeated": 0,
            "id": 6226
          },
          {
            "timestamp": "2026-05-28 22:01:57,818",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254630000"
              },
              {
                "name": "RegionSize",
                "value": "0x00003000"
              }
            ],
            "repeated": 0,
            "id": 6227
          },
          {
            "timestamp": "2026-05-28 22:01:57,818",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x000006a8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x000006ac"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\en-US\\svchost.exe.mui"
              }
            ],
            "repeated": 0,
            "id": 6228
          },
          {
            "timestamp": "2026-05-28 22:01:57,818",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x000006a8"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254640000"
              },
              {
                "name": "SectionOffset",
                "value": "0xf09ddfcf90"
              },
              {
                "name": "ViewSize",
                "value": "0x00001000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 6229
          },
          {
            "timestamp": "2026-05-28 22:01:57,818",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000006a8"
              }
            ],
            "repeated": 0,
            "id": 6230
          },
          {
            "timestamp": "2026-05-28 22:01:57,818",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254640000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              }
            ],
            "repeated": 0,
            "id": 6231
          },
          {
            "timestamp": "2026-05-28 22:01:57,818",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000006ac"
              }
            ],
            "repeated": 0,
            "id": 6232
          },
          {
            "timestamp": "2026-05-28 22:01:57,818",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254650000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              }
            ],
            "repeated": 0,
            "id": 6233
          },
          {
            "timestamp": "2026-05-28 22:01:57,818",
            "thread_id": "612",
            "caller": "0x7ff6c296e129",
            "parentcaller": "0x7ff6c296c7fa",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Program Files (x86)\\Steam\\steamsysinfo.exe"
              }
            ],
            "repeated": 0,
            "id": 6234
          },
          {
            "timestamp": "2026-05-28 22:01:57,818",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "registry",
            "api": "NtOpenKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\en-US"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\en-US"
              }
            ],
            "repeated": 0,
            "id": 6235
          },
          {
            "timestamp": "2026-05-28 22:01:57,818",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": false,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "\\??\\C:\\Windows\\system32\\conhost.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 6236
          },
          {
            "timestamp": "2026-05-28 22:01:57,818",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000006ac"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100001",
                "pretty_value": "FILE_READ_ACCESS|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\en-US\\svchost.exe.mui"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 6237
          },
          {
            "timestamp": "2026-05-28 22:01:57,818",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x000006a8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x000006ac"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\en-US\\svchost.exe.mui"
              }
            ],
            "repeated": 0,
            "id": 6238
          },
          {
            "timestamp": "2026-05-28 22:01:57,818",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x000006a8"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254640000"
              },
              {
                "name": "SectionOffset",
                "value": "0xf09ddfcf80"
              },
              {
                "name": "ViewSize",
                "value": "0x00001000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 6239
          },
          {
            "timestamp": "2026-05-28 22:01:57,818",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000006a8"
              }
            ],
            "repeated": 0,
            "id": 6240
          },
          {
            "timestamp": "2026-05-28 22:01:57,818",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254640000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              }
            ],
            "repeated": 0,
            "id": 6241
          },
          {
            "timestamp": "2026-05-28 22:01:57,818",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000006ac"
              }
            ],
            "repeated": 0,
            "id": 6242
          },
          {
            "timestamp": "2026-05-28 22:01:57,818",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254630000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              }
            ],
            "repeated": 0,
            "id": 6243
          },
          {
            "timestamp": "2026-05-28 22:01:57,818",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "filesystem",
            "api": "NtSetInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000006b0"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\System32\\conhost.exe"
              },
              {
                "name": "FileInformationClass",
                "value": "14",
                "pretty_value": "FilePositionInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 6244
          },
          {
            "timestamp": "2026-05-28 22:01:57,818",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "filesystem",
            "api": "NtReadFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000006b0"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\System32\\conhost.exe"
              },
              {
                "name": "Buffer",
                "value": "MZ"
              },
              {
                "name": "Length",
                "value": "2"
              }
            ],
            "repeated": 0,
            "id": 6245
          },
          {
            "timestamp": "2026-05-28 22:01:57,818",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "filesystem",
            "api": "NtSetInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000006b0"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\System32\\conhost.exe"
              },
              {
                "name": "FileInformationClass",
                "value": "14",
                "pretty_value": "FilePositionInformation"
              },
              {
                "name": "FileInformation",
                "value": "<\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 6246
          },
          {
            "timestamp": "2026-05-28 22:01:57,818",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "filesystem",
            "api": "NtReadFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000006b0"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\System32\\conhost.exe"
              },
              {
                "name": "Buffer",
                "value": "\\xf0\\x00\\x00\\x00"
              },
              {
                "name": "Length",
                "value": "4"
              }
            ],
            "repeated": 0,
            "id": 6247
          },
          {
            "timestamp": "2026-05-28 22:01:57,818",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "filesystem",
            "api": "NtSetInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000006b0"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\System32\\conhost.exe"
              },
              {
                "name": "FileInformationClass",
                "value": "14",
                "pretty_value": "FilePositionInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 6248
          },
          {
            "timestamp": "2026-05-28 22:01:57,818",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "filesystem",
            "api": "NtReadFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000006b0"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\System32\\conhost.exe"
              },
              {
                "name": "Buffer",
                "value": "PE\\x00\\x00d\\x86\\x07\\x00\\xdc6\\xe4/\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xf0\\x00\"\\x00\\x0b\\x02\\x0e\\x14\\x00\\xa2\t\\x00\\x00\\xcc\\x03\\x00\\x00\\x00\\x00\\x00P\\xf7\\x01\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00@\\x01\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x02\\x00\\x00"
              },
              {
                "name": "Length",
                "value": "64"
              }
            ],
            "repeated": 0,
            "id": 6249
          },
          {
            "timestamp": "2026-05-28 22:01:57,818",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000006b0"
              }
            ],
            "repeated": 0,
            "id": 6250
          },
          {
            "timestamp": "2026-05-28 22:01:57,818",
            "thread_id": "612",
            "caller": "0x7ff6c296e129",
            "parentcaller": "0x7ff6c296c7fa",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\conhost.exe"
              }
            ],
            "repeated": 0,
            "id": 6251
          },
          {
            "timestamp": "2026-05-28 22:01:57,818",
            "thread_id": "612",
            "caller": "0x7ff6c28f7900",
            "parentcaller": "0x7ff6c296c4b1",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000588"
              }
            ],
            "repeated": 0,
            "id": 6252
          },
          {
            "timestamp": "2026-05-28 22:01:57,818",
            "thread_id": "612",
            "caller": "0x7ff6c296c455",
            "parentcaller": "0x7ff6c296e63c",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "Software\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Run"
              },
              {
                "name": "Handle",
                "value": "0x00000588"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Run"
              }
            ],
            "repeated": 0,
            "id": 6253
          },
          {
            "timestamp": "2026-05-28 22:01:57,818",
            "thread_id": "612",
            "caller": "0x7ff6c296c0df",
            "parentcaller": "0x7ff6c296c48a",
            "category": "registry",
            "api": "RegQueryInfoKeyW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000588"
              },
              {
                "name": "Class",
                "value": ""
              },
              {
                "name": "SubKeyCount",
                "value": "0"
              },
              {
                "name": "MaxSubKeyLength",
                "value": "0"
              },
              {
                "name": "MaxClassLength",
                "value": "0"
              },
              {
                "name": "ValueCount",
                "value": "0"
              },
              {
                "name": "MaxValueNameLength",
                "value": "0"
              },
              {
                "name": "MaxValueLength",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 6254
          },
          {
            "timestamp": "2026-05-28 22:01:57,818",
            "thread_id": "612",
            "caller": "0x7ff6c28f7900",
            "parentcaller": "0x7ff6c296c4b1",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000588"
              }
            ],
            "repeated": 0,
            "id": 6255
          },
          {
            "timestamp": "2026-05-28 22:01:57,818",
            "thread_id": "612",
            "caller": "0x7ff6c2969c51",
            "parentcaller": "0x7ff6c296bdac",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000588"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020119",
                "pretty_value": "KEY_QUERY_VALUE|KEY_ENUMERATE_SUB_KEYS|KEY_NOTIFY|KEY_WOW64_64KEY|STANDARD_RIGHTS_REQUIRED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000003d8"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Windows.ApplicationModel.Internal.StartupTaskInternal"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.ApplicationModel.Internal.StartupTaskInternal"
              }
            ],
            "repeated": 0,
            "id": 6256
          },
          {
            "timestamp": "2026-05-28 22:01:57,818",
            "thread_id": "612",
            "caller": "0x7ff6c2969c51",
            "parentcaller": "0x7ff6c296bdac",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000588"
              },
              {
                "name": "KeyInformation",
                "value": "\\xff97\\xfffc\\xffe7\\xffe6\\xfff8\\xffee\\xffdc\\x01\\x00\\x00\\x00\\x00j\\x00\\x00\\x00W\\x00i\\x00n\\x00d\\x00o\\x00w\\x00s\\x00.\\x00A\\x00p\\x00p\\x00l\\x00i\\x00c\\x00a\\x00t\\x00i\\x00o\\x00n\\x00M\\x00o\\x00d\\x00e\\x00l\\x00.\\x00I\\x00n\\x00t\\x00e\\x00r\\x00n\\x00a\\x00l\\x00.\\x00S\\x00t\\x00a\\x00r\\x00t\\x00u\\x00p\\x00T\\x00a\\x00s\\x00k\\x00I\\x00n\\x00t\\x00e\\x00r\\x00n\\x00a\\x00l\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x1fN\\xff92\\x02\\x00\\x00\\xffa9\\xfff0\\xffff\\xff9d\\xfff0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xffa0\\x14\\x03N\\xff92\\x02\\x00\\x00\\x00\\x00\\x03N\\xff92\\x02\\x00\\x00\\x00\\x00\\x03N\\xff92\\x02\\x00\\x00\\xffc4\\x02\\x03N\\xff92\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\xff92\\x02\\x00\\x00\\xff90\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xffc0\\x0c\\x03N\\xff92\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xffb0E\\xffe7w\\xfffc\\x7f\\x00\\x00X\\xff91\\xfff1S\\xff92\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xff80\\xfff1\\xffff\\xff9d\\xfff0\\x00\\x00\\x00\\xff87\\xff9d\\xffbbw\\xfffc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\xff92\\x02\\x00\\x00\\xff80\\x1b\\x1fT\\xff92\\x02\\x00\\x00\\xff80\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x000\\xff91\\xfff1S\\xff92\\x02\\x00\\x00\\xff80\\x1b\\x1fT\\xff92\\x02\\x00\\x000\t\\x19T\\xff92\\x02\\x00\\x00\\xffc7\\xffb3\\xffffw\\xfffc\\x7f\\x00\\x00\\x00\\x00\\x03N\\xff92\\x02\\x00\\x00\\xfff6s\\xffbbw\\xfffc\\x7f\\x00\\x00\\x10*\\x1fT\\xff92\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xffff\\xffff\\xffff\\xffff\\xffff\\xffff\\xffff\\xffff0\t\\x19T\\xff92\\x02\\x00\\x00\\xff808\\x1dT\\xff92\\x02\\x00\\x00\\xff808\\x1dT\\xff92\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xff80\\x1b\\x1fT\\xff92\\x02\\x00\\x00\\x00\\x00\\
x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xff92\\x02\\x00\\x006\\xff8c\\xffc6w\\xfffc\\x7f\\x00\\x00\\xff90\\xff97\\x1dT\\xff92\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\xfff0\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00p\\xfff2\\xffff\\xff9d\\xfff0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00p\\xfff2\\xffff\\xff9d\\xfff0\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 6257
          },
          {
            "timestamp": "2026-05-28 22:01:57,818",
            "thread_id": "612",
            "caller": "0x7ff6c2969c51",
            "parentcaller": "0x7ff6c296bdac",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000588"
              },
              {
                "name": "ValueName",
                "value": "ActivationType"
              },
              {
                "name": "Data",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.ApplicationModel.Internal.StartupTaskInternal\\ActivationType"
              }
            ],
            "repeated": 0,
            "id": 6258
          },
          {
            "timestamp": "2026-05-28 22:01:57,818",
            "thread_id": "612",
            "caller": "0x7ff6c2969c51",
            "parentcaller": "0x7ff6c296bdac",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000588"
              },
              {
                "name": "ValueName",
                "value": "Server"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.ApplicationModel.Internal.StartupTaskInternal\\Server"
              }
            ],
            "repeated": 0,
            "id": 6259
          },
          {
            "timestamp": "2026-05-28 22:01:57,818",
            "thread_id": "612",
            "caller": "0x7ff6c2969c51",
            "parentcaller": "0x7ff6c296bdac",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000588"
              },
              {
                "name": "ValueName",
                "value": "DllPath"
              },
              {
                "name": "Data",
                "value": "C:\\Windows\\System32\\Windows.ApplicationModel.dll"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.ApplicationModel.Internal.StartupTaskInternal\\DllPath"
              }
            ],
            "repeated": 0,
            "id": 6260
          },
          {
            "timestamp": "2026-05-28 22:01:57,818",
            "thread_id": "612",
            "caller": "0x7ff6c2969c51",
            "parentcaller": "0x7ff6c296bdac",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000588"
              },
              {
                "name": "ValueName",
                "value": "Threading"
              },
              {
                "name": "Data",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.ApplicationModel.Internal.StartupTaskInternal\\Threading"
              }
            ],
            "repeated": 0,
            "id": 6261
          },
          {
            "timestamp": "2026-05-28 22:01:57,818",
            "thread_id": "612",
            "caller": "0x7ff6c2969c51",
            "parentcaller": "0x7ff6c296bdac",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000588"
              },
              {
                "name": "ValueName",
                "value": "TrustLevel"
              },
              {
                "name": "Data",
                "value": "1"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.ApplicationModel.Internal.StartupTaskInternal\\TrustLevel"
              }
            ],
            "repeated": 0,
            "id": 6262
          },
          {
            "timestamp": "2026-05-28 22:01:57,818",
            "thread_id": "612",
            "caller": "0x7ff6c2969c51",
            "parentcaller": "0x7ff6c296bdac",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000588"
              },
              {
                "name": "SubKey",
                "value": "CustomAttributes"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.ApplicationModel.Internal.StartupTaskInternal\\CustomAttributes"
              }
            ],
            "repeated": 0,
            "id": 6263
          },
          {
            "timestamp": "2026-05-28 22:01:57,818",
            "thread_id": "612",
            "caller": "0x7ff6c2969c51",
            "parentcaller": "0x7ff6c296bdac",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000588"
              },
              {
                "name": "ValueName",
                "value": "RemoteServer"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.ApplicationModel.Internal.StartupTaskInternal\\RemoteServer"
              }
            ],
            "repeated": 0,
            "id": 6264
          },
          {
            "timestamp": "2026-05-28 22:01:57,818",
            "thread_id": "612",
            "caller": "0x7ff6c2969c51",
            "parentcaller": "0x7ff6c296bdac",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000588"
              },
              {
                "name": "ValueName",
                "value": "ActivateAsUser"
              },
              {
                "name": "Data",
                "value": "1"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.ApplicationModel.Internal.StartupTaskInternal\\ActivateAsUser"
              }
            ],
            "repeated": 0,
            "id": 6265
          },
          {
            "timestamp": "2026-05-28 22:01:57,818",
            "thread_id": "612",
            "caller": "0x7ff6c2969c51",
            "parentcaller": "0x7ff6c296bdac",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000588"
              },
              {
                "name": "ValueName",
                "value": "ActivateInSharedBroker"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.ApplicationModel.Internal.StartupTaskInternal\\ActivateInSharedBroker"
              }
            ],
            "repeated": 0,
            "id": 6266
          },
          {
            "timestamp": "2026-05-28 22:01:57,818",
            "thread_id": "612",
            "caller": "0x7ff6c2969c51",
            "parentcaller": "0x7ff6c296bdac",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000588"
              },
              {
                "name": "ValueName",
                "value": "ActivateInBrokerForMediumILContainer"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.ApplicationModel.Internal.StartupTaskInternal\\ActivateInBrokerForMediumILContainer"
              }
            ],
            "repeated": 0,
            "id": 6267
          },
          {
            "timestamp": "2026-05-28 22:01:57,818",
            "thread_id": "612",
            "caller": "0x7ff6c2969c51",
            "parentcaller": "0x7ff6c296bdac",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000588"
              },
              {
                "name": "ValueName",
                "value": "Permissions"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.ApplicationModel.Internal.StartupTaskInternal\\Permissions"
              }
            ],
            "repeated": 0,
            "id": 6268
          },
          {
            "timestamp": "2026-05-28 22:01:57,818",
            "thread_id": "612",
            "caller": "0x7ff6c2969c51",
            "parentcaller": "0x7ff6c296bdac",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000588"
              },
              {
                "name": "ValueName",
                "value": "ActivateOnHostFlags"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.ApplicationModel.Internal.StartupTaskInternal\\ActivateOnHostFlags"
              }
            ],
            "repeated": 0,
            "id": 6269
          },
          {
            "timestamp": "2026-05-28 22:01:57,818",
            "thread_id": "612",
            "caller": "0x7ff6c2969c51",
            "parentcaller": "0x7ff6c296bdac",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000588"
              }
            ],
            "repeated": 0,
            "id": 6270
          },
          {
            "timestamp": "2026-05-28 22:01:57,818",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c38f8",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000006ac"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001410",
                "pretty_value": "PROCESS_VM_READ|PROCESS_QUERY_INFORMATION|PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "2512"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\System32\\svchost.exe"
              }
            ],
            "repeated": 0,
            "id": 6271
          },
          {
            "timestamp": "2026-05-28 22:01:57,818",
            "thread_id": "5448",
            "caller": "0x7ff6c28c53e5",
            "parentcaller": "0x7ff6c28c3945",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000006ac"
              },
              {
                "name": "BaseAddress",
                "value": "0x20983f0000"
              },
              {
                "name": "Size",
                "value": "0x000007c8"
              },
              {
                "name": "Buffer",
                "value": "\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x006\\x80\\xf7\\x7f\\x00\\x00\\xc0\\xc4\\x13x\\xfc\\x7f\\x00\\x00\\xf02\\xa0\\xf5n\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x80\\xf5n\\x01\\x00\\x00\\xe0\\xc0\\x13x\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00{\\xf5n\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00@\\xc4\\x13x\\xfc\\x7f\\x00\\x00\\x7f\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00Ny\\xf4}\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00P\\x07Ny\\xf4}\\x00\\x00\\x00\\x00b{\\xf5}\\x00\\x00(\\x02c{\\xf5}\\x00\\x00P\\x06d{\\xf5}\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x80\\x9b\\x07m\\xe8\\xff\\xff\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x00 \\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x10\\x00\\x00\\x00@\\xad\\x13x\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 6272
          },
          {
            "timestamp": "2026-05-28 22:01:57,818",
            "thread_id": "612",
            "caller": "0x7ff6c2969c51",
            "parentcaller": "0x7ff6c296bdac",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\System32\\twinapi.appcore"
              },
              {
                "name": "DllBase",
                "value": "0x7ffc6ff20000"
              }
            ],
            "repeated": 0,
            "id": 6273
          },
          {
            "timestamp": "2026-05-28 22:01:57,818",
            "thread_id": "5448",
            "caller": "0x7ff6c28c5414",
            "parentcaller": "0x7ff6c28c3945",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000006ac"
              },
              {
                "name": "BaseAddress",
                "value": "0x16ef5a032f0"
              },
              {
                "name": "Size",
                "value": "0x00000440"
              },
              {
                "name": "Buffer",
                "value": "v\\x07\\x00\\x00v\\x07\\x00\\x00\\x01 \\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00(\\x00\\x08\\x02\\x00\\x00\\x00\\x00\\xe0>\\xa0\\xf5n\\x01\\x00\\x00H\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00>\\x00@\\x00\\x00\\x00\\x00\\x0089\\xa0\\xf5n\\x01\\x00\\x00\\xa8\\x00\\xaa\\x00\\x00\\x00\\x00\\x00x9\\xa0\\xf5n\\x01\\x00\\x00\\xf0'\\xa0\\xf5n\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x80\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00>\\x00@\\x00\\x00\\x00\\x00\\x00\":\\xa0\\xf5n\\x01\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00b:\\xa0\\xf5n\\x01\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00d:\\xa0\\xf5n\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 6274
          },
          {
            "timestamp": "2026-05-28 22:01:57,818",
            "thread_id": "5448",
            "caller": "0x7ff6c28c545d",
            "parentcaller": "0x7ff6c28c3945",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000006ac"
              },
              {
                "name": "BaseAddress",
                "value": "0x16ef5a03978"
              },
              {
                "name": "Size",
                "value": "0x000000a8"
              },
              {
                "name": "Buffer",
                "value": "C\\x00:\\x00\\\\x00W\\x00i\\x00n\\x00d\\x00o\\x00w\\x00s\\x00\\\\x00s\\x00y\\x00s\\x00t\\x00e\\x00m\\x003\\x002\\x00\\\\x00s\\x00v\\x00c\\x00h\\x00o\\x00s\\x00t\\x00.\\x00e\\x00x\\x00e\\x00 \\x00-\\x00k\\x00 \\x00N\\x00e\\x00t\\x00w\\x00o\\x00r\\x00k\\x00S\\x00e\\x00r\\x00v\\x00i\\x00c\\x00e\\x00N\\x00e\\x00t\\x00w\\x00o\\x00r\\x00k\\x00R\\x00e\\x00s\\x00t\\x00r\\x00i\\x00c\\x00t\\x00e\\x00d\\x00 \\x00-\\x00p\\x00 \\x00-\\x00s\\x00 \\x00P\\x00o\\x00l\\x00i\\x00c\\x00y\\x00A\\x00g\\x00e\\x00n\\x00t\\x00"
              }
            ],
            "repeated": 0,
            "id": 6275
          },
          {
            "timestamp": "2026-05-28 22:01:57,818",
            "thread_id": "5448",
            "caller": "0x7ff6c28c39ad",
            "parentcaller": "0x7ff6c28c31bb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000006ac"
              }
            ],
            "repeated": 0,
            "id": 6276
          },
          {
            "timestamp": "2026-05-28 22:01:57,818",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c3746",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000006ac"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001000",
                "pretty_value": "PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "2512"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\System32\\svchost.exe"
              }
            ],
            "repeated": 0,
            "id": 6277
          },
          {
            "timestamp": "2026-05-28 22:01:57,818",
            "thread_id": "5448",
            "caller": "0x7ff6c28c472e",
            "parentcaller": "0x7ff6c28c375e",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000006ac"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x000006a8"
              }
            ],
            "repeated": 0,
            "id": 6278
          },
          {
            "timestamp": "2026-05-28 22:01:57,818",
            "thread_id": "5448",
            "caller": "0x7ff6c28c4764",
            "parentcaller": "0x7ff6c28c375e",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "39"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 6279
          },
          {
            "timestamp": "2026-05-28 22:01:57,818",
            "thread_id": "5448",
            "caller": "0x7ff6c28c47ed",
            "parentcaller": "0x7ff6c28c375e",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "39"
              },
              {
                "name": "TokenInformation",
                "value": "\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\xd0n T\\x92\\x02\\x00\\x00 \\x00 \\x00\\x00\\x00\\x00\\x00\\xf8n T\\x92\\x02\\x00\\x00\\x02\\x00\\x00\\x00A\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x18o T\\x92\\x02\\x00\\x00T\\x00S\\x00A\\x00:\\x00/\\x00/\\x00P\\x00r\\x00o\\x00c\\x00U\\x00n\\x00i\\x00q\\x00u\\x00e\\x00:\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xf0\\x91\\x01\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 6280
          },
          {
            "timestamp": "2026-05-28 22:01:57,818",
            "thread_id": "5448",
            "caller": "0x7ff6c28c488d",
            "parentcaller": "0x7ff6c28c375e",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000006a8"
              }
            ],
            "repeated": 0,
            "id": 6281
          },
          {
            "timestamp": "2026-05-28 22:01:57,818",
            "thread_id": "5448",
            "caller": "0x7ff6c28c3779",
            "parentcaller": "0x7ff6c28c31c6",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000006ac"
              }
            ],
            "repeated": 0,
            "id": 6282
          },
          {
            "timestamp": "2026-05-28 22:01:57,818",
            "thread_id": "612",
            "caller": "0x7ff6c2969c51",
            "parentcaller": "0x7ff6c296bdac",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\System32\\Windows.ApplicationModel"
              },
              {
                "name": "DllBase",
                "value": "0x7ffc63700000"
              }
            ],
            "repeated": 0,
            "id": 6283
          },
          {
            "timestamp": "2026-05-28 22:01:57,818",
            "thread_id": "5448",
            "caller": "0x7ff6c28c05ac",
            "parentcaller": "0x7ff6c28bdc11",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000006ac"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001400",
                "pretty_value": "PROCESS_QUERY_INFORMATION|PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "2636"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\System32\\svchost.exe"
              }
            ],
            "repeated": 0,
            "id": 6284
          },
          {
            "timestamp": "2026-05-28 22:01:57,818",
            "thread_id": "5448",
            "caller": "0x7ff6c28c068f",
            "parentcaller": "0x7ff6c28bdc11",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000006ac"
              }
            ],
            "repeated": 0,
            "id": 6285
          },
          {
            "timestamp": "2026-05-28 22:01:57,818",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c3e56",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000006ac"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001000",
                "pretty_value": "PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "2636"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\System32\\svchost.exe"
              }
            ],
            "repeated": 0,
            "id": 6286
          },
          {
            "timestamp": "2026-05-28 22:01:57,818",
            "thread_id": "5448",
            "caller": "0x7ff6c28c3ebb",
            "parentcaller": "0x7ff6c28c2d53",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000006ac"
              }
            ],
            "repeated": 0,
            "id": 6287
          },
          {
            "timestamp": "2026-05-28 22:01:57,818",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c3ffc",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000006ac"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001000",
                "pretty_value": "PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "2636"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\System32\\svchost.exe"
              }
            ],
            "repeated": 0,
            "id": 6288
          },
          {
            "timestamp": "2026-05-28 22:01:57,818",
            "thread_id": "5448",
            "caller": "0x7ff6c28c4224",
            "parentcaller": "0x7ff6c28c2da5",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000006ac"
              }
            ],
            "repeated": 0,
            "id": 6289
          },
          {
            "timestamp": "2026-05-28 22:01:57,818",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29254630002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\System32\\svchost.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 6290
          },
          {
            "timestamp": "2026-05-28 22:01:57,818",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "registry",
            "api": "NtOpenKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\en-US"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\en-US"
              }
            ],
            "repeated": 0,
            "id": 6291
          },
          {
            "timestamp": "2026-05-28 22:01:57,818",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000006ac"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100001",
                "pretty_value": "FILE_READ_ACCESS|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\en-US\\svchost.exe.mui"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 6292
          },
          {
            "timestamp": "2026-05-28 22:01:57,818",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x000006a8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x000006ac"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\en-US\\svchost.exe.mui"
              }
            ],
            "repeated": 0,
            "id": 6293
          },
          {
            "timestamp": "2026-05-28 22:01:57,834",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x000006a8"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254640000"
              },
              {
                "name": "SectionOffset",
                "value": "0xf09ddfcf90"
              },
              {
                "name": "ViewSize",
                "value": "0x00001000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 6294
          },
          {
            "timestamp": "2026-05-28 22:01:57,834",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000006a8"
              }
            ],
            "repeated": 0,
            "id": 6295
          },
          {
            "timestamp": "2026-05-28 22:01:57,834",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254640000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              }
            ],
            "repeated": 0,
            "id": 6296
          },
          {
            "timestamp": "2026-05-28 22:01:57,834",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000006ac"
              }
            ],
            "repeated": 0,
            "id": 6297
          },
          {
            "timestamp": "2026-05-28 22:01:57,834",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254630000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              }
            ],
            "repeated": 0,
            "id": 6298
          },
          {
            "timestamp": "2026-05-28 22:01:57,834",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29254630002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\System32\\svchost.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 6299
          },
          {
            "timestamp": "2026-05-28 22:01:57,834",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "registry",
            "api": "NtOpenKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\en-US"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\en-US"
              }
            ],
            "repeated": 0,
            "id": 6300
          },
          {
            "timestamp": "2026-05-28 22:01:57,834",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000006ac"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100001",
                "pretty_value": "FILE_READ_ACCESS|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\en-US\\svchost.exe.mui"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 6301
          },
          {
            "timestamp": "2026-05-28 22:01:57,834",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x000006a8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x000006ac"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\en-US\\svchost.exe.mui"
              }
            ],
            "repeated": 0,
            "id": 6302
          },
          {
            "timestamp": "2026-05-28 22:01:57,834",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x000006a8"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254640000"
              },
              {
                "name": "SectionOffset",
                "value": "0xf09ddfcf80"
              },
              {
                "name": "ViewSize",
                "value": "0x00001000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 6303
          },
          {
            "timestamp": "2026-05-28 22:01:57,834",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000006a8"
              }
            ],
            "repeated": 0,
            "id": 6304
          },
          {
            "timestamp": "2026-05-28 22:01:57,834",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254640000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              }
            ],
            "repeated": 0,
            "id": 6305
          },
          {
            "timestamp": "2026-05-28 22:01:57,834",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000006ac"
              }
            ],
            "repeated": 0,
            "id": 6306
          },
          {
            "timestamp": "2026-05-28 22:01:57,834",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254630000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              }
            ],
            "repeated": 0,
            "id": 6307
          },
          {
            "timestamp": "2026-05-28 22:01:57,834",
            "thread_id": "612",
            "caller": "0x7ff6c2969c51",
            "parentcaller": "0x7ff6c296bdac",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\Windows.ApplicationModel.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc63700000"
              }
            ],
            "repeated": 0,
            "id": 6308
          },
          {
            "timestamp": "2026-05-28 22:01:57,834",
            "thread_id": "612",
            "caller": "0x7ff6c2969c51",
            "parentcaller": "0x7ff6c296bdac",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x7ffc63700000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\System32\\Windows.ApplicationModel.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00002008"
              }
            ],
            "repeated": 0,
            "id": 6309
          },
          {
            "timestamp": "2026-05-28 22:01:57,834",
            "thread_id": "612",
            "caller": "0x7ff6c2969c51",
            "parentcaller": "0x7ff6c296bdac",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "Windows.ApplicationModel.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc63700000"
              },
              {
                "name": "FunctionName",
                "value": "DllGetClassObject"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc6370fa40"
              }
            ],
            "repeated": 0,
            "id": 6310
          },
          {
            "timestamp": "2026-05-28 22:01:57,834",
            "thread_id": "612",
            "caller": "0x7ff6c2969c51",
            "parentcaller": "0x7ff6c296bdac",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "Windows.ApplicationModel.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc63700000"
              },
              {
                "name": "FunctionName",
                "value": "DllGetActivationFactory"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc6370e870"
              }
            ],
            "repeated": 0,
            "id": 6311
          },
          {
            "timestamp": "2026-05-28 22:01:57,834",
            "thread_id": "612",
            "caller": "0x7ff6c2969c51",
            "parentcaller": "0x7ff6c296bdac",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "Windows.ApplicationModel.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc63700000"
              },
              {
                "name": "FunctionName",
                "value": "DllCanUnloadNow"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc6370f430"
              }
            ],
            "repeated": 0,
            "id": 6312
          },
          {
            "timestamp": "2026-05-28 22:01:57,834",
            "thread_id": "612",
            "caller": "0x7ff6c2969c51",
            "parentcaller": "0x7ff6c296bdac",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc637df000"
              },
              {
                "name": "ModuleName",
                "value": "Windows.ApplicationModel.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 6313
          },
          {
            "timestamp": "2026-05-28 22:01:57,834",
            "thread_id": "612",
            "caller": "0x7ff6c2969c51",
            "parentcaller": "0x7ff6c296bdac",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc637df000"
              },
              {
                "name": "ModuleName",
                "value": "Windows.ApplicationModel.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 6314
          },
          {
            "timestamp": "2026-05-28 22:01:57,834",
            "thread_id": "612",
            "caller": "0x7ff6c2969c51",
            "parentcaller": "0x7ff6c296bdac",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc637df000"
              },
              {
                "name": "ModuleName",
                "value": "Windows.ApplicationModel.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 6315
          },
          {
            "timestamp": "2026-05-28 22:01:57,834",
            "thread_id": "612",
            "caller": "0x7ff6c2969c51",
            "parentcaller": "0x7ff6c296bdac",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc637df000"
              },
              {
                "name": "ModuleName",
                "value": "Windows.ApplicationModel.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 6316
          },
          {
            "timestamp": "2026-05-28 22:01:57,834",
            "thread_id": "612",
            "caller": "0x7ff6c2969c51",
            "parentcaller": "0x7ff6c296bdac",
            "category": "system",
            "api": "IsDebuggerPresent",
            "status": false,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 6317
          },
          {
            "timestamp": "2026-05-28 22:01:57,834",
            "thread_id": "612",
            "caller": "0x7ff6c2969cb5",
            "parentcaller": "0x7ff6c296bdac",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0000000a"
              },
              {
                "name": "TokenHandle",
                "value": "0x000006c4"
              }
            ],
            "repeated": 0,
            "id": 6318
          },
          {
            "timestamp": "2026-05-28 22:01:57,834",
            "thread_id": "612",
            "caller": "0x7ff6c2969cb5",
            "parentcaller": "0x7ff6c296bdac",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000006c4"
              }
            ],
            "repeated": 0,
            "id": 6319
          },
          {
            "timestamp": "2026-05-28 22:01:57,834",
            "thread_id": "612",
            "caller": "0x7ff6c2969cb5",
            "parentcaller": "0x7ff6c296bdac",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000006c4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80000000",
                "pretty_value": "0x80000000"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Microsoft\\SecurityManager\\AdminCapabilities"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\SecurityManager\\AdminCapabilities"
              }
            ],
            "repeated": 0,
            "id": 6320
          },
          {
            "timestamp": "2026-05-28 22:01:57,834",
            "thread_id": "612",
            "caller": "0x7ff6c2969cb5",
            "parentcaller": "0x7ff6c296bdac",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000006c4"
              },
              {
                "name": "ValueName",
                "value": "automatedAppLaunch"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SecurityManager\\AdminCapabilities\\automatedAppLaunch"
              }
            ],
            "repeated": 0,
            "id": 6321
          },
          {
            "timestamp": "2026-05-28 22:01:57,834",
            "thread_id": "612",
            "caller": "0x7ff6c2969cb5",
            "parentcaller": "0x7ff6c296bdac",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\x80\\xf6\\xff\\x9d\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xfc\\x7f\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\xe9\\x03\\x00\\x00 \\x02\\x00\\x00\\xcc\\xabE\\x83K\\x87\\x085\\xde\\x03\\x85\\x97Bd\\x958\\x98\\x1cd{b\\xa4\\xe7M\\xfeUia\\x00\\x00\\x18\\x00\\x01\\x00\\x00\\x00\\x01\\x02\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 6322
          },
          {
            "timestamp": "2026-05-28 22:01:57,834",
            "thread_id": "612",
            "caller": "0x7ff6c2969cb5",
            "parentcaller": "0x7ff6c296bdac",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000006c4"
              }
            ],
            "repeated": 0,
            "id": 6323
          },
          {
            "timestamp": "2026-05-28 22:01:57,834",
            "thread_id": "612",
            "caller": "0x7ff6c2969cb5",
            "parentcaller": "0x7ff6c296bdac",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000006c8"
              }
            ],
            "repeated": 0,
            "id": 6324
          },
          {
            "timestamp": "2026-05-28 22:01:57,834",
            "thread_id": "612",
            "caller": "0x7ff6c2969cb5",
            "parentcaller": "0x7ff6c296bdac",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0000000a"
              },
              {
                "name": "TokenHandle",
                "value": "0x000006c8"
              }
            ],
            "repeated": 0,
            "id": 6325
          },
          {
            "timestamp": "2026-05-28 22:01:57,834",
            "thread_id": "612",
            "caller": "0x7ff6c2969cb5",
            "parentcaller": "0x7ff6c296bdac",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000006c8"
              }
            ],
            "repeated": 0,
            "id": 6326
          },
          {
            "timestamp": "2026-05-28 22:01:57,834",
            "thread_id": "612",
            "caller": "0x7ff6c2969cb5",
            "parentcaller": "0x7ff6c296bdac",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000006c8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80000000",
                "pretty_value": "0x80000000"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Microsoft\\SecurityManager\\AdminCapabilities"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\SecurityManager\\AdminCapabilities"
              }
            ],
            "repeated": 0,
            "id": 6327
          },
          {
            "timestamp": "2026-05-28 22:01:57,834",
            "thread_id": "612",
            "caller": "0x7ff6c2969cb5",
            "parentcaller": "0x7ff6c296bdac",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000006c8"
              },
              {
                "name": "ValueName",
                "value": "automatedAppLaunch"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SecurityManager\\AdminCapabilities\\automatedAppLaunch"
              }
            ],
            "repeated": 0,
            "id": 6328
          },
          {
            "timestamp": "2026-05-28 22:01:57,834",
            "thread_id": "612",
            "caller": "0x7ff6c2969cb5",
            "parentcaller": "0x7ff6c296bdac",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "@\\xf6\\xff\\x9d\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xfc\\x7f\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\xe9\\x03\\x00\\x00 \\x02\\x00\\x00\\xcc\\xabE\\x83K\\x87\\x085\\xde\\x03\\x85\\x97Bd\\x958\\x98\\x1cd{b\\xa4\\xe7M\\xfeUia\\x00\\x00\\x18\\x00\\x01\\x00\\x00\\x00\\x01\\x02\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 6329
          },
          {
            "timestamp": "2026-05-28 22:01:57,834",
            "thread_id": "612",
            "caller": "0x7ff6c2969cb5",
            "parentcaller": "0x7ff6c296bdac",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000006c8"
              }
            ],
            "repeated": 0,
            "id": 6330
          },
          {
            "timestamp": "2026-05-28 22:01:57,834",
            "thread_id": "612",
            "caller": "0x7ff6c2969cb5",
            "parentcaller": "0x7ff6c296bdac",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000006c4"
              }
            ],
            "repeated": 0,
            "id": 6331
          },
          {
            "timestamp": "2026-05-28 22:01:57,834",
            "thread_id": "612",
            "caller": "0x7ff6c2969cb5",
            "parentcaller": "0x7ff6c296bdac",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "0000034B-0000-0000-C000-000000000046"
              },
              {
                "name": "ClsContext",
                "value": "0x00000001",
                "pretty_value": "CLSCTX_INPROC_SERVER"
              },
              {
                "name": "riid",
                "value": "0000015B-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 6332
          },
          {
            "timestamp": "2026-05-28 22:01:57,834",
            "thread_id": "612",
            "caller": "0x7ff6c2969cb5",
            "parentcaller": "0x7ff6c296bdac",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000006c4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001000",
                "pretty_value": "PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "7912"
              }
            ],
            "repeated": 0,
            "id": 6333
          },
          {
            "timestamp": "2026-05-28 22:01:57,834",
            "thread_id": "612",
            "caller": "0x7ff6c2969cb5",
            "parentcaller": "0x7ff6c296bdac",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000006c4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x000006c8"
              }
            ],
            "repeated": 0,
            "id": 6334
          },
          {
            "timestamp": "2026-05-28 22:01:57,834",
            "thread_id": "612",
            "caller": "0x7ff6c2969cb5",
            "parentcaller": "0x7ff6c296bdac",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "29"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 6335
          },
          {
            "timestamp": "2026-05-28 22:01:57,834",
            "thread_id": "612",
            "caller": "0x7ff6c2969cb5",
            "parentcaller": "0x7ff6c296bdac",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000006c8"
              }
            ],
            "repeated": 0,
            "id": 6336
          },
          {
            "timestamp": "2026-05-28 22:01:57,834",
            "thread_id": "612",
            "caller": "0x7ff6c2969cb5",
            "parentcaller": "0x7ff6c296bdac",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000006c4"
              }
            ],
            "repeated": 0,
            "id": 6337
          },
          {
            "timestamp": "2026-05-28 22:01:57,834",
            "thread_id": "612",
            "caller": "0x7ff6c2969cb5",
            "parentcaller": "0x7ff6c296bdac",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "0",
                "pretty_value": "ThreadBasicInformation"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x03\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00p\\x87\\x9d\\xf0\\x00\\x00\\x00\\xe8\\x1e\\x00\\x00\\x00\\x00\\x00\\x00d\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x0c\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "612"
              }
            ],
            "repeated": 0,
            "id": 6338
          },
          {
            "timestamp": "2026-05-28 22:01:57,834",
            "thread_id": "612",
            "caller": "0x7ff6c2969cb5",
            "parentcaller": "0x7ff6c296bdac",
            "category": "threading",
            "api": "NtCreateThreadEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0x000006cc"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "StartAddress",
                "value": "0x7ffc775c53d0"
              },
              {
                "name": "Parameter",
                "value": "0x29253b9c200"
              },
              {
                "name": "CreateFlags",
                "value": "0x00000001"
              },
              {
                "name": "ThreadId",
                "value": "3700"
              },
              {
                "name": "ProcessId",
                "value": "7912"
              },
              {
                "name": "Module",
                "value": "SHCORE.DLL"
              }
            ],
            "repeated": 0,
            "id": 6339
          },
          {
            "timestamp": "2026-05-28 22:01:57,834",
            "thread_id": "612",
            "caller": "0x7ff6c2969cb5",
            "parentcaller": "0x7ff6c296bdac",
            "category": "threading",
            "api": "CreateRemoteThreadEx",
            "status": true,
            "return": "0x000006cc",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "StartRoutine",
                "value": "0x7ffc775c53d0"
              },
              {
                "name": "Parameter",
                "value": "0x29253b9c200"
              },
              {
                "name": "CreationFlags",
                "value": "0x00000004"
              },
              {
                "name": "ThreadId",
                "value": "3700"
              },
              {
                "name": "ProcessId",
                "value": "7912"
              }
            ],
            "repeated": 0,
            "id": 6340
          },
          {
            "timestamp": "2026-05-28 22:01:57,834",
            "thread_id": "612",
            "caller": "0x7ff6c2969cb5",
            "parentcaller": "0x7ff6c296bdac",
            "category": "threading",
            "api": "NtResumeThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0x000006cc"
              },
              {
                "name": "SuspendCount",
                "value": "1"
              },
              {
                "name": "ThreadId",
                "value": "3700"
              },
              {
                "name": "ProcessId",
                "value": "7912"
              }
            ],
            "repeated": 0,
            "id": 6341
          },
          {
            "timestamp": "2026-05-28 22:01:57,834",
            "thread_id": "612",
            "caller": "0x7ff6c2969cb5",
            "parentcaller": "0x7ff6c296bdac",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000006cc"
              }
            ],
            "repeated": 0,
            "id": 6342
          },
          {
            "timestamp": "2026-05-28 22:01:57,834",
            "thread_id": "3700",
            "caller": "0x7ffc7804507d",
            "parentcaller": "0x7ffc78044c43",
            "category": "threading",
            "api": "NtTestAlert",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 6343
          },
          {
            "timestamp": "2026-05-28 22:01:57,834",
            "thread_id": "3700",
            "caller": "0x00000000",
            "parentcaller": "0x00000000",
            "category": "threading",
            "api": "RtlUserThreadStart",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "StartAddress",
                "value": "0x7ffc775c53d0"
              },
              {
                "name": "Parameter",
                "value": "0x29253b9c200"
              }
            ],
            "repeated": 0,
            "id": 6344
          },
          {
            "timestamp": "2026-05-28 22:01:57,834",
            "thread_id": "612",
            "caller": "0x7ff6c2969cb5",
            "parentcaller": "0x7ff6c296bdac",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000006c8"
              }
            ],
            "repeated": 0,
            "id": 6345
          },
          {
            "timestamp": "2026-05-28 22:01:57,834",
            "thread_id": "3700",
            "caller": "0x7ffc7571ebae",
            "parentcaller": "0x7ffc775f84de",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "0",
                "pretty_value": "ThreadBasicInformation"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x03\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xf0\\x87\\x9d\\xf0\\x00\\x00\\x00\\xe8\\x1e\\x00\\x00\\x00\\x00\\x00\\x00t\\x0e\\x00\\x00\\x00\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\n\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "3700"
              }
            ],
            "repeated": 0,
            "id": 6346
          },
          {
            "timestamp": "2026-05-28 22:01:57,834",
            "thread_id": "612",
            "caller": "0x7ff6c2969cb5",
            "parentcaller": "0x7ff6c296bdac",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc637df000"
              },
              {
                "name": "ModuleName",
                "value": "Windows.ApplicationModel.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 6347
          },
          {
            "timestamp": "2026-05-28 22:01:57,834",
            "thread_id": "612",
            "caller": "0x7ff6c2969cb5",
            "parentcaller": "0x7ff6c296bdac",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc637df000"
              },
              {
                "name": "ModuleName",
                "value": "Windows.ApplicationModel.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 6348
          },
          {
            "timestamp": "2026-05-28 22:01:57,834",
            "thread_id": "612",
            "caller": "0x7ff6c2969cb5",
            "parentcaller": "0x7ff6c296bdac",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000006c8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020119",
                "pretty_value": "KEY_QUERY_VALUE|KEY_ENUMERATE_SUB_KEYS|KEY_NOTIFY|KEY_WOW64_64KEY|STANDARD_RIGHTS_REQUIRED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000003d8"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Windows.Foundation.Diagnostics.AsyncCausalityTracer"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Foundation.Diagnostics.AsyncCausalityTracer"
              }
            ],
            "repeated": 0,
            "id": 6349
          },
          {
            "timestamp": "2026-05-28 22:01:57,834",
            "thread_id": "612",
            "caller": "0x7ff6c2969cb5",
            "parentcaller": "0x7ff6c296bdac",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000006c8"
              },
              {
                "name": "KeyInformation",
                "value": "\\xff97\\xfffc\\xffe7\\xffe6\\xfff8\\xffee\\xffdc\\x01\\x00\\x00\\x00\\x00f\\x00\\x00\\x00W\\x00i\\x00n\\x00d\\x00o\\x00w\\x00s\\x00.\\x00F\\x00o\\x00u\\x00n\\x00d\\x00a\\x00t\\x00i\\x00o\\x00n\\x00.\\x00D\\x00i\\x00a\\x00g\\x00n\\x00o\\x00s\\x00t\\x00i\\x00c\\x00s\\x00.\\x00A\\x00s\\x00y\\x00n\\x00c\\x00C\\x00a\\x00u\\x00s\\x00a\\x00l\\x00i\\x00t\\x00y\\x00T\\x00r\\x00a\\x00c\\x00e\\x00r\\x00\\x00\\x00\\xff80\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x1fN\\xff92\\x02\\x00\\x00\\x19\\xffee\\xffff\\xff9d\\xfff0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xffa0\\x14\\x03N\\xff92\\x02\\x00\\x00\\x00\\x00\\x03N\\xff92\\x02\\x00\\x00\\x00\\x00\\x03N\\xff92\\x02\\x00\\x00\\xffc4\\x02\\x03N\\xff92\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\xff92\\x02\\x00\\x00\\xff90\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xffc0\\x0c\\x03N\\xff92\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xffb0E\\xffe7w\\xfffc\\x7f\\x00\\x00\\xffa8\\xffa1\\xfff1S\\xff92\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xfff0\\xffee\\xffff\\xff9d\\xfff0\\x00\\x00\\x00\\xff87\\xff9d\\xffbbw\\xfffc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\xff92\\x02\\x00\\x00\\xfff0\\xffa0\\xfff1S\\xff92\\x02\\x00\\x00\\xff80\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xff80\\xffa1\\xfff1S\\xff92\\x02\\x00\\x00\\xfff0\\xffa0\\xfff1S\\xff92\\x02\\x00\\x000\\x06\\x19T\\xff92\\x02\\x00\\x00\\xffc7\\xffb3\\xffffw\\xfffc\\x7f\\x00\\x00\\x00\\x00\\x03N\\xff92\\x02\\x00\\x00\\xfff6s\\xffbbw\\xfffc\\x7f\\x00\\x00\\x10:\\x1fT\\xff92\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xffff\\xffff\\xffff\\xffff\\xffff\\xffff\\xffff\\xffff0\\x06\\x19T\\xff92\\x02\\x00\\x00\\xffa07\\x1dT\\xff92\\x02\\x00\\x00\\xffa07\\x1dT\\xff92\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xfff0\\xffa0\\xf
ff1S\\xff92\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xff92\\x02\\x00\\x006\\xff8c\\xffc6w\\xfffc\\x7f\\x00\\x000\\xffa2\\x1dT\\xff92\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\xfff0\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xffe0\\xffef\\xffff\\xff9d\\xfff0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xffe0\\xffef\\xffff\\xff9d\\xfff0\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 6350
          },
          {
            "timestamp": "2026-05-28 22:01:57,834",
            "thread_id": "612",
            "caller": "0x7ff6c2969cb5",
            "parentcaller": "0x7ff6c296bdac",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000006c8"
              },
              {
                "name": "ValueName",
                "value": "ActivationType"
              },
              {
                "name": "Data",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Foundation.Diagnostics.AsyncCausalityTracer\\ActivationType"
              }
            ],
            "repeated": 0,
            "id": 6351
          },
          {
            "timestamp": "2026-05-28 22:01:57,834",
            "thread_id": "612",
            "caller": "0x7ff6c2969cb5",
            "parentcaller": "0x7ff6c296bdac",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000006c8"
              },
              {
                "name": "ValueName",
                "value": "Server"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Foundation.Diagnostics.AsyncCausalityTracer\\Server"
              }
            ],
            "repeated": 0,
            "id": 6352
          },
          {
            "timestamp": "2026-05-28 22:01:57,834",
            "thread_id": "612",
            "caller": "0x7ff6c2969cb5",
            "parentcaller": "0x7ff6c296bdac",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000006c8"
              },
              {
                "name": "ValueName",
                "value": "DllPath"
              },
              {
                "name": "Data",
                "value": "C:\\Windows\\System32\\combase.dll"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Foundation.Diagnostics.AsyncCausalityTracer\\DllPath"
              }
            ],
            "repeated": 0,
            "id": 6353
          },
          {
            "timestamp": "2026-05-28 22:01:57,834",
            "thread_id": "612",
            "caller": "0x7ff6c2969cb5",
            "parentcaller": "0x7ff6c296bdac",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000006c8"
              },
              {
                "name": "ValueName",
                "value": "Threading"
              },
              {
                "name": "Data",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Foundation.Diagnostics.AsyncCausalityTracer\\Threading"
              }
            ],
            "repeated": 0,
            "id": 6354
          },
          {
            "timestamp": "2026-05-28 22:01:57,834",
            "thread_id": "612",
            "caller": "0x7ff6c2969cb5",
            "parentcaller": "0x7ff6c296bdac",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000006c8"
              },
              {
                "name": "ValueName",
                "value": "TrustLevel"
              },
              {
                "name": "Data",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Foundation.Diagnostics.AsyncCausalityTracer\\TrustLevel"
              }
            ],
            "repeated": 0,
            "id": 6355
          },
          {
            "timestamp": "2026-05-28 22:01:57,834",
            "thread_id": "612",
            "caller": "0x7ff6c2969cb5",
            "parentcaller": "0x7ff6c296bdac",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x000006c8"
              },
              {
                "name": "SubKey",
                "value": "CustomAttributes"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Foundation.Diagnostics.AsyncCausalityTracer\\CustomAttributes"
              }
            ],
            "repeated": 0,
            "id": 6356
          },
          {
            "timestamp": "2026-05-28 22:01:57,834",
            "thread_id": "612",
            "caller": "0x7ff6c2969cb5",
            "parentcaller": "0x7ff6c296bdac",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000006c8"
              },
              {
                "name": "ValueName",
                "value": "RemoteServer"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Foundation.Diagnostics.AsyncCausalityTracer\\RemoteServer"
              }
            ],
            "repeated": 0,
            "id": 6357
          },
          {
            "timestamp": "2026-05-28 22:01:57,834",
            "thread_id": "612",
            "caller": "0x7ff6c2969cb5",
            "parentcaller": "0x7ff6c296bdac",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000006c8"
              },
              {
                "name": "ValueName",
                "value": "ActivateAsUser"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Foundation.Diagnostics.AsyncCausalityTracer\\ActivateAsUser"
              }
            ],
            "repeated": 0,
            "id": 6358
          },
          {
            "timestamp": "2026-05-28 22:01:57,834",
            "thread_id": "612",
            "caller": "0x7ff6c2969cb5",
            "parentcaller": "0x7ff6c296bdac",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000006c8"
              },
              {
                "name": "ValueName",
                "value": "ActivateInSharedBroker"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Foundation.Diagnostics.AsyncCausalityTracer\\ActivateInSharedBroker"
              }
            ],
            "repeated": 0,
            "id": 6359
          },
          {
            "timestamp": "2026-05-28 22:01:57,834",
            "thread_id": "612",
            "caller": "0x7ff6c2969cb5",
            "parentcaller": "0x7ff6c296bdac",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000006c8"
              },
              {
                "name": "ValueName",
                "value": "ActivateInBrokerForMediumILContainer"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Foundation.Diagnostics.AsyncCausalityTracer\\ActivateInBrokerForMediumILContainer"
              }
            ],
            "repeated": 0,
            "id": 6360
          },
          {
            "timestamp": "2026-05-28 22:01:57,834",
            "thread_id": "612",
            "caller": "0x7ff6c2969cb5",
            "parentcaller": "0x7ff6c296bdac",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000006c8"
              },
              {
                "name": "ValueName",
                "value": "Permissions"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Foundation.Diagnostics.AsyncCausalityTracer\\Permissions"
              }
            ],
            "repeated": 0,
            "id": 6361
          },
          {
            "timestamp": "2026-05-28 22:01:57,834",
            "thread_id": "612",
            "caller": "0x7ff6c2969cb5",
            "parentcaller": "0x7ff6c296bdac",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000006c8"
              },
              {
                "name": "ValueName",
                "value": "ActivateOnHostFlags"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Foundation.Diagnostics.AsyncCausalityTracer\\ActivateOnHostFlags"
              }
            ],
            "repeated": 0,
            "id": 6362
          },
          {
            "timestamp": "2026-05-28 22:01:57,834",
            "thread_id": "612",
            "caller": "0x7ff6c2969cb5",
            "parentcaller": "0x7ff6c296bdac",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000006c8"
              }
            ],
            "repeated": 0,
            "id": 6363
          },
          {
            "timestamp": "2026-05-28 22:01:57,834",
            "thread_id": "612",
            "caller": "0x7ff6c2969cb5",
            "parentcaller": "0x7ff6c296bdac",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\combase.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc77b70000"
              }
            ],
            "repeated": 0,
            "id": 6364
          },
          {
            "timestamp": "2026-05-28 22:01:57,834",
            "thread_id": "612",
            "caller": "0x7ff6c2969cb5",
            "parentcaller": "0x7ff6c296bdac",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x7ffc77b70000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\System32\\combase.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00002008"
              }
            ],
            "repeated": 0,
            "id": 6365
          },
          {
            "timestamp": "2026-05-28 22:01:57,834",
            "thread_id": "612",
            "caller": "0x7ff6c2969cb5",
            "parentcaller": "0x7ff6c296bdac",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "combase.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc77b70000"
              },
              {
                "name": "FunctionName",
                "value": "DllGetClassObject"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc77c258a0"
              }
            ],
            "repeated": 0,
            "id": 6366
          },
          {
            "timestamp": "2026-05-28 22:01:57,834",
            "thread_id": "612",
            "caller": "0x7ff6c2969cb5",
            "parentcaller": "0x7ff6c296bdac",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "combase.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc77b70000"
              },
              {
                "name": "FunctionName",
                "value": "DllGetActivationFactory"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc77c4f090"
              }
            ],
            "repeated": 0,
            "id": 6367
          },
          {
            "timestamp": "2026-05-28 22:01:57,834",
            "thread_id": "612",
            "caller": "0x7ff6c2969cb5",
            "parentcaller": "0x7ff6c296bdac",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": false,
            "return": "0xffffffffc0000139",
            "pretty_return": "ENTRYPOINT_NOT_FOUND",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "combase.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc77b70000"
              },
              {
                "name": "FunctionName",
                "value": "DllCanUnloadNow"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 6368
          },
          {
            "timestamp": "2026-05-28 22:01:57,834",
            "thread_id": "612",
            "caller": "0x7ff6c2969cb5",
            "parentcaller": "0x7ff6c296bdac",
            "category": "system",
            "api": "IsDebuggerPresent",
            "status": false,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 6369
          },
          {
            "timestamp": "2026-05-28 22:01:57,834",
            "thread_id": "612",
            "caller": "0x7ff6c29688f1",
            "parentcaller": "0x7ff6c2969ce4",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc637df000"
              },
              {
                "name": "ModuleName",
                "value": "Windows.ApplicationModel.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 6370
          },
          {
            "timestamp": "2026-05-28 22:01:57,834",
            "thread_id": "612",
            "caller": "0x7ff6c29688f1",
            "parentcaller": "0x7ff6c2969ce4",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc637df000"
              },
              {
                "name": "ModuleName",
                "value": "Windows.ApplicationModel.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 6371
          },
          {
            "timestamp": "2026-05-28 22:01:57,834",
            "thread_id": "612",
            "caller": "0x7ff6c2968932",
            "parentcaller": "0x7ff6c2969ce4",
            "category": "system",
            "api": "NtDuplicateObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SourceProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "SourceHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "TargetProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "TargetHandle",
                "value": "0x000006d4"
              },
              {
                "name": "Options",
                "value": "0x00000002"
              }
            ],
            "repeated": 0,
            "id": 6372
          },
          {
            "timestamp": "2026-05-28 22:01:57,834",
            "thread_id": "3700",
            "caller": "0x7ffc77c2dd9d",
            "parentcaller": "0x7ffc77bc7428",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000006a4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020119",
                "pretty_value": "KEY_QUERY_VALUE|KEY_ENUMERATE_SUB_KEYS|KEY_NOTIFY|KEY_WOW64_64KEY|STANDARD_RIGHTS_REQUIRED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000003d8"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Windows.Internal.StateRepository.ApplicationExtension"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.ApplicationExtension"
              }
            ],
            "repeated": 0,
            "id": 6373
          },
          {
            "timestamp": "2026-05-28 22:01:57,834",
            "thread_id": "3700",
            "caller": "0x7ffc77c2ddf7",
            "parentcaller": "0x7ffc77bc7428",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000006a4"
              },
              {
                "name": "KeyInformation",
                "value": "y\\x1f\\x10\\xffd4\\xffde\\xffac\\xffd5\\x01\\x00\\x00\\x00\\x00j\\x00\\x00\\x00W\\x00i\\x00n\\x00d\\x00o\\x00w\\x00s\\x00.\\x00I\\x00n\\x00t\\x00e\\x00r\\x00n\\x00a\\x00l\\x00.\\x00S\\x00t\\x00a\\x00t\\x00e\\x00R\\x00e\\x00p\\x00o\\x00s\\x00i\\x00t\\x00o\\x00r\\x00y\\x00.\\x00A\\x00p\\x00p\\x00l\\x00i\\x00c\\x00a\\x00t\\x00i\\x00o\\x00n\\x00E\\x00x\\x00t\\x00e\\x00n\\x00s\\x00i\\x00o\\x00n\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x1fN\\xff92\\x02\\x00\\x00I\\xffe8\\x1f\\xff9e\\xfff0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xffa0\\x14\\x03N\\xff92\\x02\\x00\\x00\\x00\\x00\\x03N\\xff92\\x02\\x00\\x00\\x00\\x00\\x03N\\xff92\\x02\\x00\\x00\\xffc4\\x02\\x03N\\xff92\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\xff92\\x02\\x00\\x00\\xff90\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xffc0\\x0c\\x03N\\xff92\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xffb0E\\xffe7w\\xfffc\\x7f\\x00\\x00\\xffe8\\xff91\\xfff1S\\xff92\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00 
\\xffe9\\x1f\\xff9e\\xfff0\\x00\\x00\\x00\\xff87\\xff9d\\xffbbw\\xfffc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\xff92\\x02\\x00\\x00@\\x06\\x1fT\\xff92\\x02\\x00\\x00\\xff80\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xffc0\\xff91\\xfff1S\\xff92\\x02\\x00\\x00@\\x06\\x1fT\\xff92\\x02\\x00\\x00\\xffb0\\x08\\x19T\\xff92\\x02\\x00\\x00\\xffc7\\xffb3\\xffffw\\xfffc\\x7f\\x00\\x00\\x00\\x00\\x03N\\xff92\\x02\\x00\\x00\\xfff6s\\xffbbw\\xfffc\\x7f\\x00\\x00\\xff90A\\x1fT\\xff92\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xffff\\xffff\\xffff\\xffff\\xffff\\xffff\\xffff\\xffff\\xffb0\\x08\\x19T\\xff92\\x02\\x00\\x00\\xffe05\\x1dT\\xff92\\x02\\x00\\x00\\xffe05\\x1dT\\xff92\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00@\\x06\\x1fT\\xff92\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xff92\\x02\\x00\\x006\\xff8c\\xffc6w\\xfffc\\x7f\\x00\\x00\\xff90\\xff9c\\x1dT\\xff92\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\xfff0\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\xffea\\x1f\\xff9e\\xfff0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\xffea\\x1f\\xff9e\\xfff0\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 6374
          },
          {
            "timestamp": "2026-05-28 22:01:57,834",
            "thread_id": "3700",
            "caller": "0x7ffc756e2e92",
            "parentcaller": "0x7ffc77c29cb2",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000006a4"
              },
              {
                "name": "ValueName",
                "value": "ActivationType"
              },
              {
                "name": "Data",
                "value": "1"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.ApplicationExtension\\ActivationType"
              }
            ],
            "repeated": 0,
            "id": 6375
          },
          {
            "timestamp": "2026-05-28 22:01:57,834",
            "thread_id": "3700",
            "caller": "0x7ffc77b87deb",
            "parentcaller": "0x7ffc77c38ff0",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000006a4"
              },
              {
                "name": "ValueName",
                "value": "Server"
              },
              {
                "name": "Data",
                "value": "StateRepository"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.ApplicationExtension\\Server"
              }
            ],
            "repeated": 0,
            "id": 6376
          },
          {
            "timestamp": "2026-05-28 22:01:57,834",
            "thread_id": "3700",
            "caller": "0x7ffc77b87deb",
            "parentcaller": "0x7ffc77c400bb",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000006a4"
              },
              {
                "name": "ValueName",
                "value": "DllPath"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.ApplicationExtension\\DllPath"
              }
            ],
            "repeated": 0,
            "id": 6377
          },
          {
            "timestamp": "2026-05-28 22:01:57,834",
            "thread_id": "3700",
            "caller": "0x7ffc756e2e92",
            "parentcaller": "0x7ffc77c29cb2",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000006a4"
              },
              {
                "name": "ValueName",
                "value": "Threading"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.ApplicationExtension\\Threading"
              }
            ],
            "repeated": 0,
            "id": 6378
          },
          {
            "timestamp": "2026-05-28 22:01:57,834",
            "thread_id": "3700",
            "caller": "0x7ffc756e2e92",
            "parentcaller": "0x7ffc77c29cb2",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000006a4"
              },
              {
                "name": "ValueName",
                "value": "TrustLevel"
              },
              {
                "name": "Data",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.ApplicationExtension\\TrustLevel"
              }
            ],
            "repeated": 0,
            "id": 6379
          },
          {
            "timestamp": "2026-05-28 22:01:57,834",
            "thread_id": "3700",
            "caller": "0x7ffc77b8c0fc",
            "parentcaller": "0x7ffc77c24170",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x000006a4"
              },
              {
                "name": "SubKey",
                "value": "CustomAttributes"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.ApplicationExtension\\CustomAttributes"
              }
            ],
            "repeated": 0,
            "id": 6380
          },
          {
            "timestamp": "2026-05-28 22:01:57,834",
            "thread_id": "3700",
            "caller": "0x7ffc77b87deb",
            "parentcaller": "0x7ffc77c38ff0",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000006a4"
              },
              {
                "name": "ValueName",
                "value": "RemoteServer"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.ApplicationExtension\\RemoteServer"
              }
            ],
            "repeated": 0,
            "id": 6381
          },
          {
            "timestamp": "2026-05-28 22:01:57,834",
            "thread_id": "3700",
            "caller": "0x7ffc756e2e92",
            "parentcaller": "0x7ffc77c29cb2",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000006a4"
              },
              {
                "name": "ValueName",
                "value": "ActivateAsUser"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.ApplicationExtension\\ActivateAsUser"
              }
            ],
            "repeated": 0,
            "id": 6382
          },
          {
            "timestamp": "2026-05-28 22:01:57,834",
            "thread_id": "3700",
            "caller": "0x7ffc756e2e92",
            "parentcaller": "0x7ffc77c29cb2",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000006a4"
              },
              {
                "name": "ValueName",
                "value": "ActivateInSharedBroker"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.ApplicationExtension\\ActivateInSharedBroker"
              }
            ],
            "repeated": 0,
            "id": 6383
          },
          {
            "timestamp": "2026-05-28 22:01:57,834",
            "thread_id": "3700",
            "caller": "0x7ffc756e2e92",
            "parentcaller": "0x7ffc77c29cb2",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000006a4"
              },
              {
                "name": "ValueName",
                "value": "ActivateInBrokerForMediumILContainer"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.ApplicationExtension\\ActivateInBrokerForMediumILContainer"
              }
            ],
            "repeated": 0,
            "id": 6384
          },
          {
            "timestamp": "2026-05-28 22:01:57,834",
            "thread_id": "3700",
            "caller": "0x7ffc756e2e92",
            "parentcaller": "0x7ffc77c32222",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000006a4"
              },
              {
                "name": "ValueName",
                "value": "Permissions"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.ApplicationExtension\\Permissions"
              }
            ],
            "repeated": 0,
            "id": 6385
          },
          {
            "timestamp": "2026-05-28 22:01:57,834",
            "thread_id": "3700",
            "caller": "0x7ffc756e2e92",
            "parentcaller": "0x7ffc77c29cb2",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000006a4"
              },
              {
                "name": "ValueName",
                "value": "ActivateOnHostFlags"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.ApplicationExtension\\ActivateOnHostFlags"
              }
            ],
            "repeated": 0,
            "id": 6386
          },
          {
            "timestamp": "2026-05-28 22:01:57,834",
            "thread_id": "5448",
            "caller": "0x7ff6c28c5414",
            "parentcaller": "0x7ff6c28c3945",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000006ac"
              },
              {
                "name": "BaseAddress",
                "value": "0x2259de03270"
              },
              {
                "name": "Size",
                "value": "0x00000440"
              },
              {
                "name": "Buffer",
                "value": "&\\x07\\x00\\x00&\\x07\\x00\\x00\\x01 \\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00(\\x00\\x08\\x02\\x00\\x00\\x00\\x00\\x10>\\xe0\\x9d%\\x02\\x00\\x00H\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00>\\x00@\\x00\\x00\\x00\\x00\\x00\\xb88\\xe0\\x9d%\\x02\\x00\\x00X\\x00Z\\x00\\x00\\x00\\x00\\x00\\xf88\\xe0\\x9d%\\x02\\x00\\x00\\xc0\\xaf\\xf1\\xa1%\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x80\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00>\\x00@\\x00\\x00\\x00\\x00\\x00R9\\xe0\\x9d%\\x02\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x929\\xe0\\x9d%\\x02\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x949\\xe0\\x9d%\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 6387
          },
          {
            "timestamp": "2026-05-28 22:01:57,834",
            "thread_id": "3700",
            "caller": "0x7ffc77bc74a2",
            "parentcaller": "0x7ffc77bc67e6",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000006d8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020119",
                "pretty_value": "KEY_QUERY_VALUE|KEY_ENUMERATE_SUB_KEYS|KEY_NOTIFY|KEY_WOW64_64KEY|STANDARD_RIGHTS_REQUIRED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000003d4"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Server"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\Server"
              }
            ],
            "repeated": 0,
            "id": 6388
          },
          {
            "timestamp": "2026-05-28 22:01:57,834",
            "thread_id": "3700",
            "caller": "0x7ffc77c2dd9d",
            "parentcaller": "0x7ffc77bc7428",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000006dc"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020119",
                "pretty_value": "KEY_QUERY_VALUE|KEY_ENUMERATE_SUB_KEYS|KEY_NOTIFY|KEY_WOW64_64KEY|STANDARD_RIGHTS_REQUIRED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000006d8"
              },
              {
                "name": "ObjectAttributesName",
                "value": "StateRepository"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\Server\\StateRepository"
              }
            ],
            "repeated": 0,
            "id": 6389
          },
          {
            "timestamp": "2026-05-28 22:01:57,834",
            "thread_id": "3700",
            "caller": "0x7ffc77c2ddf7",
            "parentcaller": "0x7ffc77bc7428",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000006dc"
              },
              {
                "name": "KeyInformation",
                "value": "\\xffcek|\\xffd3\\xffde\\xffac\\xffd5\\x01\\x00\\x00\\x00\\x00\\x1e\\x00\\x00\\x00S\\x00t\\x00a\\x00t\\x00e\\x00R\\x00e\\x00p\\x00o\\x00s\\x00i\\x00t\\x00o\\x00r\\x00y\\x00\\x00\\x004\\xff9c\\xffdcO\\xff92\\x02\\x00\\x00\\xff90\\xffc7\\xffe43\\xfffc\\x7f\\x00\\x00\\xffa2t\\xffbcw\\xfffc\\x7f\\x00\\x00\\xffd9L\\xffb53\\xfffc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xffc7\\xffb3\\xffffw\\xfffc\\x7f\\x00\\x00\\x00\\x00\\x03N\\xff92\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xffa0\\x14\\x03N\\xff92\\x02\\x00\\x00b\\xffc6J\\xffbdK\\xffb4\\x00\\x00\\x00\\x00\\x03N\\xff92\\x02\\x00\\x00\\xff87\\x00C8\\xfffc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xff87\\x00C8\\xfffc\\x7f\\x00\\x00\\xffd8\\xffe4\\x1f\\xff9e\\xfff0\\x00\\x00\\x00\\xfff2\\xfff9J\\xffbdK\\xffb4\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00L\\xffa2\\x1dT\\xff92\\x02\\x00\\x00H\\xffeb\"N\\xff92\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x19\\x01\\x02\\x00\\x00\\x00\\x00\\x000\\xffa3\\x1dT\\xff92\\x02\\x00\\x00 \\xffe5\\x1f\\xff9e\\xfff0\\x00\\x00\\x00\\xffe4I\\xffb73\\xfffc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xffd4\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\xffb9\\x00C8\\xfffc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xff9d\\xffd0\\xffd93\\xfffc\\x7f\\x00\\x00\\xffb8\\xffcf\\xffd93\\xfffc\\x7f\\x00\\x000\\xffa3\\x1dT\\xff92\\x02\\x00\\x00\\xfff8\\xff81\\xffd93\\xfffc\\x7f\\x00\\x00\\x19\\x01\\x02\\x00\\xff92\\x02\\x00\\x00h\\xffd0\\xffd93\\xfffc\\x7f\\x00\\x00\\xffd4\\x03\\x00\\x00\\x00\\x00\\x00\\x00P\\xffd0\\xffd93\\xfffc\\x7f\\x00\\x00\\x10\\xffe5\\x1f\\xff9e\\xfff0\\x00\\x00\\x00\\xff98\\xff85\\xffd93\\xfffc\\x7f\\x00\\x00 
\\xffe5\\x1f\\xff9e\\xfff0\\x00\\x00\\x00\\xfff0\\xfffd\\x18T\\xff92\\x02\\x00\\x00\\xffb0t\\xffbcw\\xfffc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\xff92\\x02\\x00\\x00 \\xffe7\\x1f\\xff9e\\xfff0\\x00\\x00\\x000\\xffa3\\x1dT\\xff92\\x02\\x00\\x00\\xffd0\\xffa2\\x1dT\\xff92\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x0c\\x00\\x0e\\x00\\x00\\x00\\x00\\x00\\x0c\\xfffe\\x18T\\xff92\\x02\\x00\\x000\\x00\\x00\\x00\\xff92\\x02\\x00\\x00\\xffd4\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\xffe5\\x1f\\xff9e\\xfff0\\x00\\x00\\x00@\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00 \\xffa3\\x1dT\\xff92\\x02\\x00\\x00\\x19h\\xffbcw\\xfffc\\x7f\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 6390
          },
          {
            "timestamp": "2026-05-28 22:01:57,834",
            "thread_id": "3700",
            "caller": "0x7ffc77b87deb",
            "parentcaller": "0x7ffc77c400bb",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000006dc"
              },
              {
                "name": "ValueName",
                "value": "ExePath"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\Server\\StateRepository\\ExePath"
              }
            ],
            "repeated": 0,
            "id": 6391
          },
          {
            "timestamp": "2026-05-28 22:01:57,834",
            "thread_id": "3700",
            "caller": "0x7ffc77b87deb",
            "parentcaller": "0x7ffc77c400bb",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000006dc"
              },
              {
                "name": "ValueName",
                "value": "CommandLine"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\Server\\StateRepository\\CommandLine"
              }
            ],
            "repeated": 0,
            "id": 6392
          },
          {
            "timestamp": "2026-05-28 22:01:57,834",
            "thread_id": "3700",
            "caller": "0x7ffc756e2e92",
            "parentcaller": "0x7ffc77c29cb2",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000006dc"
              },
              {
                "name": "ValueName",
                "value": "IdentityType"
              },
              {
                "name": "Data",
                "value": "1"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\Server\\StateRepository\\IdentityType"
              }
            ],
            "repeated": 0,
            "id": 6393
          },
          {
            "timestamp": "2026-05-28 22:01:57,834",
            "thread_id": "3700",
            "caller": "0x7ffc756e2e92",
            "parentcaller": "0x7ffc77c32222",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x000000ea",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000006dc"
              },
              {
                "name": "ValueName",
                "value": "Permissions"
              },
              {
                "name": "Type",
                "value": "0x7ffc00000003"
              },
              {
                "name": "DataLength",
                "value": "184"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\Server\\StateRepository\\Permissions"
              }
            ],
            "repeated": 0,
            "id": 6394
          },
          {
            "timestamp": "2026-05-28 22:01:57,834",
            "thread_id": "3700",
            "caller": "0x7ffc756e2e92",
            "parentcaller": "0x7ffc77c32222",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000006dc"
              },
              {
                "name": "ValueName",
                "value": "Permissions"
              },
              {
                "name": "Data",
                "value": "\\x01\\x00\\x14\\x80\\x9c\\x00\\x00\\x00\\xa8\\x00\\x00\\x00\\x14\\x00\\x00\\x000\\x00\\x00\\x00\\x02\\x00\\x1c\\x00\\x01\\x00\\x00\\x00\\x11\\x00\\x14\\x00\\x04\\x00\\x00\\x00\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x10\\x00\\x00\\x02\\x00l\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x14\\x00\\x1f\\x00\\x00\\x00\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x18\\x00\\x1f\\x00\\x00\\x00\\x01\\x02\\x00\\x00\\x00\\x00\\x00\\x0f\\x02\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x008\\x00\\x1f\\x00\\x00\\x00\\x01\n\\x00\\x00\\x00\\x00\\x00\\x0f\\x03\\x00\\x00\\x00\\x00\\x04\\x00\\x00\\xceJ\\x93Y\\xb9\\xcf\\x0buu\\xc0\\xf2\\x9b\\xb2\\xb4\\xc2\\x98\\xd4F\\xdd\\xf9\\x02z\\x87\\xec\\x14e\\x11w\\xd6\\xe9\\x96U\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x05\n\\x00\\x00\\x00\\x01\\x02\\x00\\x00\\x00\\x00\\x00\\x05 \\x00\\x00\\x00!\\x02\\x00\\x00"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\Server\\StateRepository\\Permissions"
              }
            ],
            "repeated": 0,
            "id": 6395
          },
          {
            "timestamp": "2026-05-28 22:01:57,834",
            "thread_id": "3700",
            "caller": "0x7ffc77b87deb",
            "parentcaller": "0x7ffc77c49d80",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000006dc"
              },
              {
                "name": "ValueName",
                "value": "ActivatableClasses"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\Server\\StateRepository\\ActivatableClasses"
              }
            ],
            "repeated": 0,
            "id": 6396
          },
          {
            "timestamp": "2026-05-28 22:01:57,834",
            "thread_id": "3700",
            "caller": "0x7ffc756e2e92",
            "parentcaller": "0x7ffc77c29cb2",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000006dc"
              },
              {
                "name": "ValueName",
                "value": "ServerType"
              },
              {
                "name": "Data",
                "value": "2"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\Server\\StateRepository\\ServerType"
              }
            ],
            "repeated": 0,
            "id": 6397
          },
          {
            "timestamp": "2026-05-28 22:01:57,834",
            "thread_id": "3700",
            "caller": "0x7ffc77b87deb",
            "parentcaller": "0x7ffc77c38ff0",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000006dc"
              },
              {
                "name": "ValueName",
                "value": "AppId"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\Server\\StateRepository\\AppId"
              }
            ],
            "repeated": 0,
            "id": 6398
          },
          {
            "timestamp": "2026-05-28 22:01:57,834",
            "thread_id": "3700",
            "caller": "0x7ffc77b87deb",
            "parentcaller": "0x7ffc77c38ff0",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000006dc"
              },
              {
                "name": "ValueName",
                "value": "Identity"
              },
              {
                "name": "Data",
                "value": "nt authority\\system"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\Server\\StateRepository\\Identity"
              }
            ],
            "repeated": 0,
            "id": 6399
          },
          {
            "timestamp": "2026-05-28 22:01:57,834",
            "thread_id": "3700",
            "caller": "0x7ffc77b87deb",
            "parentcaller": "0x7ffc77c38ff0",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000006dc"
              },
              {
                "name": "ValueName",
                "value": "ServiceName"
              },
              {
                "name": "Data",
                "value": "StateRepository"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\Server\\StateRepository\\ServiceName"
              }
            ],
            "repeated": 0,
            "id": 6400
          },
          {
            "timestamp": "2026-05-28 22:01:57,834",
            "thread_id": "3700",
            "caller": "0x7ffc756e2e92",
            "parentcaller": "0x7ffc77c29cb2",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000006dc"
              },
              {
                "name": "ValueName",
                "value": "ExplicitPsmActivationType"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\Server\\StateRepository\\ExplicitPsmActivationType"
              }
            ],
            "repeated": 0,
            "id": 6401
          },
          {
            "timestamp": "2026-05-28 22:01:57,834",
            "thread_id": "3700",
            "caller": "0x7ffc77b8c0fc",
            "parentcaller": "0x7ffc77c24170",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x000006dc"
              },
              {
                "name": "SubKey",
                "value": "CustomAttributes"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\Server\\StateRepository\\CustomAttributes"
              }
            ],
            "repeated": 0,
            "id": 6402
          },
          {
            "timestamp": "2026-05-28 22:01:57,834",
            "thread_id": "3700",
            "caller": "0x7ffc77c27226",
            "parentcaller": "0x7ffc77c2ca23",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000006dc"
              }
            ],
            "repeated": 0,
            "id": 6403
          },
          {
            "timestamp": "2026-05-28 22:01:57,834",
            "thread_id": "3700",
            "caller": "0x7ffc77c27226",
            "parentcaller": "0x7ffc77c2ca23",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000006a4"
              }
            ],
            "repeated": 0,
            "id": 6404
          },
          {
            "timestamp": "2026-05-28 22:01:57,834",
            "thread_id": "3700",
            "caller": "0x7ffc75716f4c",
            "parentcaller": "0x7ffc770cef53",
            "category": "system",
            "api": "NtDuplicateObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SourceProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "SourceHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "TargetProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "TargetHandle",
                "value": "0x000006e0"
              },
              {
                "name": "Options",
                "value": "0x00000002"
              }
            ],
            "repeated": 0,
            "id": 6405
          },
          {
            "timestamp": "2026-05-28 22:01:57,834",
            "thread_id": "3700",
            "caller": "0x7ffc75716f4c",
            "parentcaller": "0x7ffc77b96d2f",
            "category": "system",
            "api": "NtDuplicateObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SourceProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "SourceHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "TargetProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "TargetHandle",
                "value": "0x000006e8"
              },
              {
                "name": "Options",
                "value": "0x00000002"
              }
            ],
            "repeated": 0,
            "id": 6406
          },
          {
            "timestamp": "2026-05-28 22:01:57,834",
            "thread_id": "3700",
            "caller": "0x7ffc77be92b9",
            "parentcaller": "0x7ffc77c2224d",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "00000339-0000-0000-C000-000000000046"
              },
              {
                "name": "ClsContext",
                "value": "0x00000403",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER|CLSCTX_NO_CODE_DOWNLOAD"
              },
              {
                "name": "riid",
                "value": "00000003-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 6407
          },
          {
            "timestamp": "2026-05-28 22:01:57,834",
            "thread_id": "3700",
            "caller": "0x7ffc77fde715",
            "parentcaller": "0x7ffc77fde37b",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2925420a000"
              },
              {
                "name": "RegionSize",
                "value": "0x00003000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 6408
          },
          {
            "timestamp": "2026-05-28 22:01:57,834",
            "thread_id": "3700",
            "caller": "0x7ffc77ba22bf",
            "parentcaller": "0x7ffc77c1fbe4",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x000002e6"
              },
              {
                "name": "SubKey",
                "value": "Interface\\{B94B62A2-4012-4B7E-A395-F21CC665FD12}"
              },
              {
                "name": "Handle",
                "value": "0x000006ee"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\Interface\\{B94B62A2-4012-4B7E-A395-F21CC665FD12}"
              }
            ],
            "repeated": 0,
            "id": 6409
          },
          {
            "timestamp": "2026-05-28 22:01:57,834",
            "thread_id": "3700",
            "caller": "0x7ffc77c1fa51",
            "parentcaller": "0x7ffc77be42ab",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x000006ee"
              },
              {
                "name": "SubKey",
                "value": "ProxyStubClsid32"
              },
              {
                "name": "Handle",
                "value": "0x000006f2"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{b94b62a2-4012-4b7e-a395-f21cc665fd12}\\ProxyStubClsid32"
              }
            ],
            "repeated": 0,
            "id": 6410
          },
          {
            "timestamp": "2026-05-28 22:01:57,834",
            "thread_id": "3700",
            "caller": "0x7ffc77c1fa8c",
            "parentcaller": "0x7ffc77be42ab",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000006f2"
              },
              {
                "name": "ValueName",
                "value": ""
              },
              {
                "name": "Data",
                "value": "{c53e07ec-25f3-4093-aa39-fc67ea22e99d}"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{b94b62a2-4012-4b7e-a395-f21cc665fd12}\\ProxyStubClsid32\\(Default)"
              }
            ],
            "repeated": 0,
            "id": 6411
          },
          {
            "timestamp": "2026-05-28 22:01:57,834",
            "thread_id": "3700",
            "caller": "0x7ffc77c1fad3",
            "parentcaller": "0x7ffc77be42ab",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000006f2"
              }
            ],
            "repeated": 0,
            "id": 6412
          },
          {
            "timestamp": "2026-05-28 22:01:57,834",
            "thread_id": "3700",
            "caller": "0x7ffc77c1fae4",
            "parentcaller": "0x7ffc77be42ab",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000006ee"
              }
            ],
            "repeated": 0,
            "id": 6413
          },
          {
            "timestamp": "2026-05-28 22:01:57,834",
            "thread_id": "3700",
            "caller": "0x7ffc77ba7b74",
            "parentcaller": "0x7ffc77ba53d4",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x000002ca"
              },
              {
                "name": "SubKey",
                "value": "CLSID\\{C53E07EC-25F3-4093-AA39-FC67EA22E99D}"
              },
              {
                "name": "Handle",
                "value": "0x000006ee"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{C53E07EC-25F3-4093-AA39-FC67EA22E99D}"
              }
            ],
            "repeated": 0,
            "id": 6414
          },
          {
            "timestamp": "2026-05-28 22:01:57,834",
            "thread_id": "3700",
            "caller": "0x7ffc756e45a7",
            "parentcaller": "0x7ffc756e0705",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000006ee"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\CLSID\\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 6415
          },
          {
            "timestamp": "2026-05-28 22:01:57,834",
            "thread_id": "3700",
            "caller": "0x7ffc756e2314",
            "parentcaller": "0x7ffc756e0732",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000006ee"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 6416
          },
          {
            "timestamp": "2026-05-28 22:01:57,834",
            "thread_id": "3700",
            "caller": "0x7ffc78006c8b",
            "parentcaller": "0x7ffc756e23a0",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xe0\\xc0\\x1f\\x9e\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xfc\\x7f\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\xe9\\x03\\x00\\x00\\xfc\\x7f\\x00\\x00\\xb8\\xcf\\xd93\\xfc\\x7f\\x00\\x00\\xee\\x06\\x00\\x00\\x00\\x00\\x00\\x00\\xe0\\xd2\\xd93\\xfc\\x7f\\x00\\x00\\x04\\x00\\x00\\x00\\xf0\\x00\\x00\\x00\\xe0\\xc1\\x1f\\x9e\\xf0\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 6417
          },
          {
            "timestamp": "2026-05-28 22:01:57,834",
            "thread_id": "3700",
            "caller": "0x7ffc756e24a8",
            "parentcaller": "0x7ffc756e0732",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3968686040-3210279463-847977608-1001_Classes\\CLSID\\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}\\TreatAs"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}\\TreatAs"
              }
            ],
            "repeated": 0,
            "id": 6418
          },
          {
            "timestamp": "2026-05-28 22:01:57,834",
            "thread_id": "3700",
            "caller": "0x7ffc756e40c4",
            "parentcaller": "0x7ffc756e25c4",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000006ee"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 6419
          },
          {
            "timestamp": "2026-05-28 22:01:57,834",
            "thread_id": "3700",
            "caller": "0x7ffc756e25e2",
            "parentcaller": "0x7ffc756e0732",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000006ee"
              },
              {
                "name": "ObjectAttributesName",
                "value": "TreatAs"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}\\TreatAs"
              }
            ],
            "repeated": 0,
            "id": 6420
          },
          {
            "timestamp": "2026-05-28 22:01:57,834",
            "thread_id": "3700",
            "caller": "0x7ffc77c322e1",
            "parentcaller": "0x7ffc77ba7c1d",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000006ee"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\CLSID\\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 6421
          },
          {
            "timestamp": "2026-05-28 22:01:57,834",
            "thread_id": "3700",
            "caller": "0x7ffc756e2e92",
            "parentcaller": "0x7ffc77ba81f5",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000006ee"
              },
              {
                "name": "ValueName",
                "value": "ActivateOnHostFlags"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}\\ActivateOnHostFlags"
              }
            ],
            "repeated": 0,
            "id": 6422
          },
          {
            "timestamp": "2026-05-28 22:01:57,834",
            "thread_id": "3700",
            "caller": "0x7ffc756e2e92",
            "parentcaller": "0x7ffc77ba870d",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000006ee"
              },
              {
                "name": "ValueName",
                "value": ""
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}\\(Default)"
              }
            ],
            "repeated": 0,
            "id": 6423
          },
          {
            "timestamp": "2026-05-28 22:01:57,834",
            "thread_id": "3700",
            "caller": "0x7ffc756e2e92",
            "parentcaller": "0x7ffc77ba87bc",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000006ee"
              },
              {
                "name": "ValueName",
                "value": ""
              },
              {
                "name": "Data",
                "value": "PSFactoryBuffer"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}\\(Default)"
              }
            ],
            "repeated": 0,
            "id": 6424
          },
          {
            "timestamp": "2026-05-28 22:01:57,834",
            "thread_id": "3700",
            "caller": "0x7ffc77ba8485",
            "parentcaller": "0x7ffc77ba829e",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x000006ee"
              },
              {
                "name": "SubKey",
                "value": "InprocServer32"
              },
              {
                "name": "Handle",
                "value": "0x000006f2"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}\\InprocServer32"
              }
            ],
            "repeated": 0,
            "id": 6425
          },
          {
            "timestamp": "2026-05-28 22:01:57,834",
            "thread_id": "3700",
            "caller": "0x7ffc756e2e92",
            "parentcaller": "0x7ffc77ba870d",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000006f2"
              },
              {
                "name": "ValueName",
                "value": "InprocServer32"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}\\InProcServer32\\InprocServer32"
              }
            ],
            "repeated": 0,
            "id": 6426
          },
          {
            "timestamp": "2026-05-28 22:01:57,834",
            "thread_id": "3700",
            "caller": "0x7ffc756e2e92",
            "parentcaller": "0x7ffc77ba870d",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000006f2"
              },
              {
                "name": "ValueName",
                "value": ""
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}\\InProcServer32\\(Default)"
              }
            ],
            "repeated": 0,
            "id": 6427
          },
          {
            "timestamp": "2026-05-28 22:01:57,834",
            "thread_id": "3700",
            "caller": "0x7ffc756e2e92",
            "parentcaller": "0x7ffc77ba87bc",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000006f2"
              },
              {
                "name": "ValueName",
                "value": ""
              },
              {
                "name": "Data",
                "value": "C:\\Windows\\System32\\\\Windows.StateRepositoryPS.dll"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}\\InProcServer32\\(Default)"
              }
            ],
            "repeated": 0,
            "id": 6428
          },
          {
            "timestamp": "2026-05-28 22:01:57,834",
            "thread_id": "3700",
            "caller": "0x7ffc756e2e92",
            "parentcaller": "0x7ffc77ba8d32",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000006f2"
              },
              {
                "name": "ValueName",
                "value": "ThreadingModel"
              },
              {
                "name": "Data",
                "value": "Both"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}\\InProcServer32\\ThreadingModel"
              }
            ],
            "repeated": 0,
            "id": 6429
          },
          {
            "timestamp": "2026-05-28 22:01:57,834",
            "thread_id": "3700",
            "caller": "0x7ffc77ba855f",
            "parentcaller": "0x7ffc77ba829e",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000006f2"
              }
            ],
            "repeated": 0,
            "id": 6430
          },
          {
            "timestamp": "2026-05-28 22:01:57,834",
            "thread_id": "3700",
            "caller": "0x7ffc756e45a7",
            "parentcaller": "0x7ffc756e0705",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000006ee"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\CLSID\\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 6431
          },
          {
            "timestamp": "2026-05-28 22:01:57,834",
            "thread_id": "3700",
            "caller": "0x7ffc756e2314",
            "parentcaller": "0x7ffc756e0732",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000006ee"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 6432
          },
          {
            "timestamp": "2026-05-28 22:01:57,834",
            "thread_id": "3700",
            "caller": "0x7ffc78006c8b",
            "parentcaller": "0x7ffc756e23a0",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "p\\xbf\\x1f\\x9e\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xfc\\x7f\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\xe9\\x03\\x00\\x00\\xfc\\x7f\\x00\\x00\\xb8\\xcf\\xd93\\xfc\\x7f\\x00\\x00\\xee\\x06\\x00\\x00\\x00\\x00\\x00\\x00\\xe0\\xd2\\xd93\\xfc\\x7f\\x00\\x00\\x04\\x00\\x00\\x00\\xf0\\x00\\x00\\x00p\\xc0\\x1f\\x9e\\xf0\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 6433
          },
          {
            "timestamp": "2026-05-28 22:01:57,834",
            "thread_id": "3700",
            "caller": "0x7ffc756e24a8",
            "parentcaller": "0x7ffc756e0732",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3968686040-3210279463-847977608-1001_Classes\\CLSID\\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}\\InprocHandler32"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}\\InprocHandler32"
              }
            ],
            "repeated": 0,
            "id": 6434
          },
          {
            "timestamp": "2026-05-28 22:01:57,834",
            "thread_id": "3700",
            "caller": "0x7ffc756e40c4",
            "parentcaller": "0x7ffc756e25c4",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000006ee"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 6435
          },
          {
            "timestamp": "2026-05-28 22:01:57,834",
            "thread_id": "3700",
            "caller": "0x7ffc756e25e2",
            "parentcaller": "0x7ffc756e0732",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000006ee"
              },
              {
                "name": "ObjectAttributesName",
                "value": "InprocHandler32"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}\\InprocHandler32"
              }
            ],
            "repeated": 0,
            "id": 6436
          },
          {
            "timestamp": "2026-05-28 22:01:57,834",
            "thread_id": "3700",
            "caller": "0x7ffc756e45a7",
            "parentcaller": "0x7ffc756e0705",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000006ee"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\CLSID\\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 6437
          },
          {
            "timestamp": "2026-05-28 22:01:57,834",
            "thread_id": "3700",
            "caller": "0x7ffc756e2314",
            "parentcaller": "0x7ffc756e0732",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000006ee"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 6438
          },
          {
            "timestamp": "2026-05-28 22:01:57,834",
            "thread_id": "3700",
            "caller": "0x7ffc78006c8b",
            "parentcaller": "0x7ffc756e23a0",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "p\\xbf\\x1f\\x9e\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xfc\\x7f\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\xe9\\x03\\x00\\x00\\xfc\\x7f\\x00\\x00\\xb8\\xcf\\xd93\\xfc\\x7f\\x00\\x00\\xee\\x06\\x00\\x00\\x00\\x00\\x00\\x00\\xe0\\xd2\\xd93\\xfc\\x7f\\x00\\x00\\x04\\x00\\x00\\x00\\xf0\\x00\\x00\\x00p\\xc0\\x1f\\x9e\\xf0\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 6439
          },
          {
            "timestamp": "2026-05-28 22:01:57,834",
            "thread_id": "3700",
            "caller": "0x7ffc756e24a8",
            "parentcaller": "0x7ffc756e0732",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3968686040-3210279463-847977608-1001_Classes\\CLSID\\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}\\InprocHandler"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}\\InprocHandler"
              }
            ],
            "repeated": 0,
            "id": 6440
          },
          {
            "timestamp": "2026-05-28 22:01:57,834",
            "thread_id": "3700",
            "caller": "0x7ffc756e40c4",
            "parentcaller": "0x7ffc756e25c4",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000006ee"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 6441
          },
          {
            "timestamp": "2026-05-28 22:01:57,834",
            "thread_id": "3700",
            "caller": "0x7ffc756e25e2",
            "parentcaller": "0x7ffc756e0732",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000006ee"
              },
              {
                "name": "ObjectAttributesName",
                "value": "InprocHandler"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}\\InprocHandler"
              }
            ],
            "repeated": 0,
            "id": 6442
          },
          {
            "timestamp": "2026-05-28 22:01:57,834",
            "thread_id": "3700",
            "caller": "0x7ffc77ba8010",
            "parentcaller": "0x7ffc77ba53d4",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000006ee"
              }
            ],
            "repeated": 0,
            "id": 6443
          },
          {
            "timestamp": "2026-05-28 22:01:57,834",
            "thread_id": "3700",
            "caller": "0x7ffc77ba7b74",
            "parentcaller": "0x7ffc77ba53d4",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x000002ca"
              },
              {
                "name": "SubKey",
                "value": "CLSID\\{C53E07EC-25F3-4093-AA39-FC67EA22E99D}"
              },
              {
                "name": "Handle",
                "value": "0x000006ee"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{C53E07EC-25F3-4093-AA39-FC67EA22E99D}"
              }
            ],
            "repeated": 0,
            "id": 6444
          },
          {
            "timestamp": "2026-05-28 22:01:57,834",
            "thread_id": "3700",
            "caller": "0x7ffc756e45a7",
            "parentcaller": "0x7ffc756e0705",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000006ee"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\CLSID\\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 6445
          },
          {
            "timestamp": "2026-05-28 22:01:57,834",
            "thread_id": "3700",
            "caller": "0x7ffc756e2314",
            "parentcaller": "0x7ffc756e0732",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000006ee"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 6446
          },
          {
            "timestamp": "2026-05-28 22:01:57,834",
            "thread_id": "3700",
            "caller": "0x7ffc78006c8b",
            "parentcaller": "0x7ffc756e23a0",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xa0\\xbd\\x1f\\x9e\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xfc\\x7f\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\xe9\\x03\\x00\\x00\\xfc\\x7f\\x00\\x00\\xb8\\xcf\\xd93\\xfc\\x7f\\x00\\x00\\xee\\x06\\x00\\x00\\x00\\x00\\x00\\x00\\xe0\\xd2\\xd93\\xfc\\x7f\\x00\\x00\\x04\\x00\\x00\\x00\\xf0\\x00\\x00\\x00\\xa0\\xbe\\x1f\\x9e\\xf0\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 6447
          },
          {
            "timestamp": "2026-05-28 22:01:57,834",
            "thread_id": "3700",
            "caller": "0x7ffc756e24a8",
            "parentcaller": "0x7ffc756e0732",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3968686040-3210279463-847977608-1001_Classes\\CLSID\\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}\\TreatAs"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}\\TreatAs"
              }
            ],
            "repeated": 0,
            "id": 6448
          },
          {
            "timestamp": "2026-05-28 22:01:57,834",
            "thread_id": "3700",
            "caller": "0x7ffc756e40c4",
            "parentcaller": "0x7ffc756e25c4",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000006ee"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 6449
          },
          {
            "timestamp": "2026-05-28 22:01:57,834",
            "thread_id": "3700",
            "caller": "0x7ffc756e25e2",
            "parentcaller": "0x7ffc756e0732",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000006ee"
              },
              {
                "name": "ObjectAttributesName",
                "value": "TreatAs"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}\\TreatAs"
              }
            ],
            "repeated": 0,
            "id": 6450
          },
          {
            "timestamp": "2026-05-28 22:01:57,834",
            "thread_id": "3700",
            "caller": "0x7ffc77c322e1",
            "parentcaller": "0x7ffc77ba7c1d",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000006ee"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\CLSID\\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 6451
          },
          {
            "timestamp": "2026-05-28 22:01:57,834",
            "thread_id": "3700",
            "caller": "0x7ffc756e2e92",
            "parentcaller": "0x7ffc77ba81f5",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000006ee"
              },
              {
                "name": "ValueName",
                "value": "ActivateOnHostFlags"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}\\ActivateOnHostFlags"
              }
            ],
            "repeated": 0,
            "id": 6452
          },
          {
            "timestamp": "2026-05-28 22:01:57,834",
            "thread_id": "3700",
            "caller": "0x7ffc756e2e92",
            "parentcaller": "0x7ffc77ba870d",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000006ee"
              },
              {
                "name": "ValueName",
                "value": ""
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}\\(Default)"
              }
            ],
            "repeated": 0,
            "id": 6453
          },
          {
            "timestamp": "2026-05-28 22:01:57,834",
            "thread_id": "3700",
            "caller": "0x7ffc756e2e92",
            "parentcaller": "0x7ffc77ba87bc",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000006ee"
              },
              {
                "name": "ValueName",
                "value": ""
              },
              {
                "name": "Data",
                "value": "PSFactoryBuffer"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}\\(Default)"
              }
            ],
            "repeated": 0,
            "id": 6454
          },
          {
            "timestamp": "2026-05-28 22:01:57,834",
            "thread_id": "3700",
            "caller": "0x7ffc77ba8485",
            "parentcaller": "0x7ffc77ba829e",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x000006ee"
              },
              {
                "name": "SubKey",
                "value": "InprocServer32"
              },
              {
                "name": "Handle",
                "value": "0x000006f2"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}\\InprocServer32"
              }
            ],
            "repeated": 0,
            "id": 6455
          },
          {
            "timestamp": "2026-05-28 22:01:57,834",
            "thread_id": "3700",
            "caller": "0x7ffc756e2e92",
            "parentcaller": "0x7ffc77ba870d",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000006f2"
              },
              {
                "name": "ValueName",
                "value": "InprocServer32"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}\\InProcServer32\\InprocServer32"
              }
            ],
            "repeated": 0,
            "id": 6456
          },
          {
            "timestamp": "2026-05-28 22:01:57,834",
            "thread_id": "3700",
            "caller": "0x7ffc756e2e92",
            "parentcaller": "0x7ffc77ba870d",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000006f2"
              },
              {
                "name": "ValueName",
                "value": ""
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}\\InProcServer32\\(Default)"
              }
            ],
            "repeated": 0,
            "id": 6457
          },
          {
            "timestamp": "2026-05-28 22:01:57,834",
            "thread_id": "3700",
            "caller": "0x7ffc756e2e92",
            "parentcaller": "0x7ffc77ba87bc",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000006f2"
              },
              {
                "name": "ValueName",
                "value": ""
              },
              {
                "name": "Data",
                "value": "C:\\Windows\\System32\\\\Windows.StateRepositoryPS.dll"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}\\InProcServer32\\(Default)"
              }
            ],
            "repeated": 0,
            "id": 6458
          },
          {
            "timestamp": "2026-05-28 22:01:57,834",
            "thread_id": "3700",
            "caller": "0x7ffc756e2e92",
            "parentcaller": "0x7ffc77ba8d32",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000006f2"
              },
              {
                "name": "ValueName",
                "value": "ThreadingModel"
              },
              {
                "name": "Data",
                "value": "Both"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}\\InProcServer32\\ThreadingModel"
              }
            ],
            "repeated": 0,
            "id": 6459
          },
          {
            "timestamp": "2026-05-28 22:01:57,834",
            "thread_id": "3700",
            "caller": "0x7ffc77ba855f",
            "parentcaller": "0x7ffc77ba829e",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000006f2"
              }
            ],
            "repeated": 0,
            "id": 6460
          },
          {
            "timestamp": "2026-05-28 22:01:57,834",
            "thread_id": "3700",
            "caller": "0x7ffc756e45a7",
            "parentcaller": "0x7ffc756e0705",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000006ee"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\CLSID\\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 6461
          },
          {
            "timestamp": "2026-05-28 22:01:57,834",
            "thread_id": "3700",
            "caller": "0x7ffc756e2314",
            "parentcaller": "0x7ffc756e0732",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000006ee"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 6462
          },
          {
            "timestamp": "2026-05-28 22:01:57,834",
            "thread_id": "3700",
            "caller": "0x7ffc78006c8b",
            "parentcaller": "0x7ffc756e23a0",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "0\\xbc\\x1f\\x9e\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xfc\\x7f\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\xe9\\x03\\x00\\x00\\xfc\\x7f\\x00\\x00\\xb8\\xcf\\xd93\\xfc\\x7f\\x00\\x00\\xee\\x06\\x00\\x00\\x00\\x00\\x00\\x00\\xe0\\xd2\\xd93\\xfc\\x7f\\x00\\x00\\x04\\x00\\x00\\x00\\xf0\\x00\\x00\\x000\\xbd\\x1f\\x9e\\xf0\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 6463
          },
          {
            "timestamp": "2026-05-28 22:01:57,834",
            "thread_id": "3700",
            "caller": "0x7ffc756e24a8",
            "parentcaller": "0x7ffc756e0732",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3968686040-3210279463-847977608-1001_Classes\\CLSID\\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}\\InprocHandler32"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}\\InprocHandler32"
              }
            ],
            "repeated": 0,
            "id": 6464
          },
          {
            "timestamp": "2026-05-28 22:01:57,834",
            "thread_id": "3700",
            "caller": "0x7ffc756e40c4",
            "parentcaller": "0x7ffc756e25c4",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000006ee"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 6465
          },
          {
            "timestamp": "2026-05-28 22:01:57,834",
            "thread_id": "3700",
            "caller": "0x7ffc756e25e2",
            "parentcaller": "0x7ffc756e0732",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000006ee"
              },
              {
                "name": "ObjectAttributesName",
                "value": "InprocHandler32"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}\\InprocHandler32"
              }
            ],
            "repeated": 0,
            "id": 6466
          },
          {
            "timestamp": "2026-05-28 22:01:57,834",
            "thread_id": "3700",
            "caller": "0x7ffc756e45a7",
            "parentcaller": "0x7ffc756e0705",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000006ee"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\CLSID\\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 6467
          },
          {
            "timestamp": "2026-05-28 22:01:57,834",
            "thread_id": "3700",
            "caller": "0x7ffc756e2314",
            "parentcaller": "0x7ffc756e0732",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000006ee"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 6468
          },
          {
            "timestamp": "2026-05-28 22:01:57,834",
            "thread_id": "3700",
            "caller": "0x7ffc78006c8b",
            "parentcaller": "0x7ffc756e23a0",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "0\\xbc\\x1f\\x9e\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xfc\\x7f\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\xe9\\x03\\x00\\x00\\xfc\\x7f\\x00\\x00\\xb8\\xcf\\xd93\\xfc\\x7f\\x00\\x00\\xee\\x06\\x00\\x00\\x00\\x00\\x00\\x00\\xe0\\xd2\\xd93\\xfc\\x7f\\x00\\x00\\x04\\x00\\x00\\x00\\xf0\\x00\\x00\\x000\\xbd\\x1f\\x9e\\xf0\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 6469
          },
          {
            "timestamp": "2026-05-28 22:01:57,834",
            "thread_id": "3700",
            "caller": "0x7ffc756e24a8",
            "parentcaller": "0x7ffc756e0732",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3968686040-3210279463-847977608-1001_Classes\\CLSID\\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}\\InprocHandler"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}\\InprocHandler"
              }
            ],
            "repeated": 0,
            "id": 6470
          },
          {
            "timestamp": "2026-05-28 22:01:57,834",
            "thread_id": "3700",
            "caller": "0x7ffc756e40c4",
            "parentcaller": "0x7ffc756e25c4",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000006ee"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 6471
          },
          {
            "timestamp": "2026-05-28 22:01:57,834",
            "thread_id": "3700",
            "caller": "0x7ffc756e25e2",
            "parentcaller": "0x7ffc756e0732",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000006ee"
              },
              {
                "name": "ObjectAttributesName",
                "value": "InprocHandler"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}\\InprocHandler"
              }
            ],
            "repeated": 0,
            "id": 6472
          },
          {
            "timestamp": "2026-05-28 22:01:57,834",
            "thread_id": "3700",
            "caller": "0x7ffc77baab08",
            "parentcaller": "0x7ffc77baa7d9",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x000006ee"
              },
              {
                "name": "SubKey",
                "value": "LocalServer32"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}\\LocalServer32"
              }
            ],
            "repeated": 0,
            "id": 6473
          },
          {
            "timestamp": "2026-05-28 22:01:57,834",
            "thread_id": "3700",
            "caller": "0x7ffc756e2e92",
            "parentcaller": "0x7ffc77baa825",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000006ee"
              },
              {
                "name": "ValueName",
                "value": "AppID"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}\\AppID"
              }
            ],
            "repeated": 0,
            "id": 6474
          },
          {
            "timestamp": "2026-05-28 22:01:57,834",
            "thread_id": "3700",
            "caller": "0x7ffc756e45a7",
            "parentcaller": "0x7ffc756e0705",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000006ee"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\CLSID\\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 6475
          },
          {
            "timestamp": "2026-05-28 22:01:57,834",
            "thread_id": "3700",
            "caller": "0x7ffc756e2314",
            "parentcaller": "0x7ffc756e0732",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000006ee"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 6476
          },
          {
            "timestamp": "2026-05-28 22:01:57,834",
            "thread_id": "3700",
            "caller": "0x7ffc78006c8b",
            "parentcaller": "0x7ffc756e23a0",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "p\\xbb\\x1f\\x9e\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xfc\\x7f\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\xe9\\x03\\x00\\x00\\xfc\\x7f\\x00\\x00\\xb8\\xcf\\xd93\\xfc\\x7f\\x00\\x00\\xee\\x06\\x00\\x00\\x00\\x00\\x00\\x00\\xe0\\xd2\\xd93\\xfc\\x7f\\x00\\x00\\x04\\x00\\x00\\x00\\xf0\\x00\\x00\\x00p\\xbc\\x1f\\x9e\\xf0\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 6477
          },
          {
            "timestamp": "2026-05-28 22:01:57,834",
            "thread_id": "3700",
            "caller": "0x7ffc756e24a8",
            "parentcaller": "0x7ffc756e0732",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3968686040-3210279463-847977608-1001_Classes\\CLSID\\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}\\LocalServer"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}\\LocalServer"
              }
            ],
            "repeated": 0,
            "id": 6478
          },
          {
            "timestamp": "2026-05-28 22:01:57,834",
            "thread_id": "3700",
            "caller": "0x7ffc756e40c4",
            "parentcaller": "0x7ffc756e25c4",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000006ee"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 6479
          },
          {
            "timestamp": "2026-05-28 22:01:57,834",
            "thread_id": "3700",
            "caller": "0x7ffc756e25e2",
            "parentcaller": "0x7ffc756e0732",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000006ee"
              },
              {
                "name": "ObjectAttributesName",
                "value": "LocalServer"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}\\LocalServer"
              }
            ],
            "repeated": 0,
            "id": 6480
          },
          {
            "timestamp": "2026-05-28 22:01:57,834",
            "thread_id": "3700",
            "caller": "0x7ffc77baad16",
            "parentcaller": "0x7ffc77ba83b8",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x000002ca"
              },
              {
                "name": "SubKey",
                "value": "CLSID\\{C53E07EC-25F3-4093-AA39-FC67EA22E99D}"
              },
              {
                "name": "Handle",
                "value": "0x000006f2"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{C53E07EC-25F3-4093-AA39-FC67EA22E99D}"
              }
            ],
            "repeated": 0,
            "id": 6481
          },
          {
            "timestamp": "2026-05-28 22:01:57,834",
            "thread_id": "3700",
            "caller": "0x7ffc77baad4d",
            "parentcaller": "0x7ffc77ba83b8",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x000006f2"
              },
              {
                "name": "SubKey",
                "value": "Elevation"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}\\Elevation"
              }
            ],
            "repeated": 0,
            "id": 6482
          },
          {
            "timestamp": "2026-05-28 22:01:57,834",
            "thread_id": "3700",
            "caller": "0x7ffc77baadb1",
            "parentcaller": "0x7ffc77ba83b8",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000006f2"
              }
            ],
            "repeated": 0,
            "id": 6483
          },
          {
            "timestamp": "2026-05-28 22:01:57,834",
            "thread_id": "3700",
            "caller": "0x7ffc77ba8010",
            "parentcaller": "0x7ffc77ba53d4",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000006ee"
              }
            ],
            "repeated": 0,
            "id": 6484
          },
          {
            "timestamp": "2026-05-28 22:01:57,834",
            "thread_id": "3700",
            "caller": "0x7ffc77ba22bf",
            "parentcaller": "0x7ffc77ba25e9",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x000002e6"
              },
              {
                "name": "SubKey",
                "value": "CLSID\\{C53E07EC-25F3-4093-AA39-FC67EA22E99D}"
              },
              {
                "name": "Handle",
                "value": "0x000006ee"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{C53E07EC-25F3-4093-AA39-FC67EA22E99D}"
              }
            ],
            "repeated": 0,
            "id": 6485
          },
          {
            "timestamp": "2026-05-28 22:01:57,834",
            "thread_id": "3700",
            "caller": "0x7ffc77c1f8f8",
            "parentcaller": "0x7ffc77ba213b",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x000006ee"
              },
              {
                "name": "SubKey",
                "value": "TreatAs"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}\\TreatAs"
              }
            ],
            "repeated": 0,
            "id": 6486
          },
          {
            "timestamp": "2026-05-28 22:01:57,834",
            "thread_id": "3700",
            "caller": "0x7ffc77ba2160",
            "parentcaller": "0x7ffc77b99277",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000006ee"
              }
            ],
            "repeated": 0,
            "id": 6487
          },
          {
            "timestamp": "2026-05-28 22:01:57,834",
            "thread_id": "3700",
            "caller": "0x7ffc756e56b2",
            "parentcaller": "0x7ffc77bc6b6d",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\System32\\Windows.StateRepositoryPS"
              },
              {
                "name": "DllBase",
                "value": "0x7ffc665a0000"
              }
            ],
            "repeated": 0,
            "id": 6488
          },
          {
            "timestamp": "2026-05-28 22:01:57,834",
            "thread_id": "5448",
            "caller": "0x7ff6c28c05ac",
            "parentcaller": "0x7ff6c28bdc11",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000006ac"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001400",
                "pretty_value": "PROCESS_QUERY_INFORMATION|PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "2792"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\System32\\svchost.exe"
              }
            ],
            "repeated": 0,
            "id": 6489
          },
          {
            "timestamp": "2026-05-28 22:01:57,834",
            "thread_id": "5448",
            "caller": "0x7ff6c28c068f",
            "parentcaller": "0x7ff6c28bdc11",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000006ac"
              }
            ],
            "repeated": 0,
            "id": 6490
          },
          {
            "timestamp": "2026-05-28 22:01:57,834",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c3e56",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000006ac"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001000",
                "pretty_value": "PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "2792"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\System32\\svchost.exe"
              }
            ],
            "repeated": 0,
            "id": 6491
          },
          {
            "timestamp": "2026-05-28 22:01:57,834",
            "thread_id": "5448",
            "caller": "0x7ff6c28c3ebb",
            "parentcaller": "0x7ff6c28c2d53",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000006ac"
              }
            ],
            "repeated": 0,
            "id": 6492
          },
          {
            "timestamp": "2026-05-28 22:01:57,834",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c3ffc",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000006ac"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001000",
                "pretty_value": "PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "2792"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\System32\\svchost.exe"
              }
            ],
            "repeated": 0,
            "id": 6493
          },
          {
            "timestamp": "2026-05-28 22:01:57,834",
            "thread_id": "5448",
            "caller": "0x7ff6c28c4224",
            "parentcaller": "0x7ff6c28c2da5",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000006ac"
              }
            ],
            "repeated": 0,
            "id": 6494
          },
          {
            "timestamp": "2026-05-28 22:01:57,834",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29254640002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\System32\\svchost.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 6495
          },
          {
            "timestamp": "2026-05-28 22:01:57,834",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "registry",
            "api": "NtOpenKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\en-US"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\en-US"
              }
            ],
            "repeated": 0,
            "id": 6496
          },
          {
            "timestamp": "2026-05-28 22:01:57,834",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000006ac"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100001",
                "pretty_value": "FILE_READ_ACCESS|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\en-US\\svchost.exe.mui"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 6497
          },
          {
            "timestamp": "2026-05-28 22:01:57,834",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x000006a8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x000006ac"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\en-US\\svchost.exe.mui"
              }
            ],
            "repeated": 0,
            "id": 6498
          },
          {
            "timestamp": "2026-05-28 22:01:57,834",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x000006a8"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254650000"
              },
              {
                "name": "SectionOffset",
                "value": "0xf09ddfcf90"
              },
              {
                "name": "ViewSize",
                "value": "0x00001000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 6499
          },
          {
            "timestamp": "2026-05-28 22:01:57,834",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000006a8"
              }
            ],
            "repeated": 0,
            "id": 6500
          },
          {
            "timestamp": "2026-05-28 22:01:57,834",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254650000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              }
            ],
            "repeated": 0,
            "id": 6501
          },
          {
            "timestamp": "2026-05-28 22:01:57,834",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000006ac"
              }
            ],
            "repeated": 0,
            "id": 6502
          },
          {
            "timestamp": "2026-05-28 22:01:57,834",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254640000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              }
            ],
            "repeated": 0,
            "id": 6503
          },
          {
            "timestamp": "2026-05-28 22:01:57,834",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29254640002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\System32\\svchost.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 6504
          },
          {
            "timestamp": "2026-05-28 22:01:57,834",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "registry",
            "api": "NtOpenKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\en-US"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\en-US"
              }
            ],
            "repeated": 0,
            "id": 6505
          },
          {
            "timestamp": "2026-05-28 22:01:57,834",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000006ac"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100001",
                "pretty_value": "FILE_READ_ACCESS|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\en-US\\svchost.exe.mui"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 6506
          },
          {
            "timestamp": "2026-05-28 22:01:57,834",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x000006a8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x000006ac"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\en-US\\svchost.exe.mui"
              }
            ],
            "repeated": 0,
            "id": 6507
          },
          {
            "timestamp": "2026-05-28 22:01:57,834",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x000006a8"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254650000"
              },
              {
                "name": "SectionOffset",
                "value": "0xf09ddfcf80"
              },
              {
                "name": "ViewSize",
                "value": "0x00001000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 6508
          },
          {
            "timestamp": "2026-05-28 22:01:57,834",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000006a8"
              }
            ],
            "repeated": 0,
            "id": 6509
          },
          {
            "timestamp": "2026-05-28 22:01:57,834",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254650000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              }
            ],
            "repeated": 0,
            "id": 6510
          },
          {
            "timestamp": "2026-05-28 22:01:57,834",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000006ac"
              }
            ],
            "repeated": 0,
            "id": 6511
          },
          {
            "timestamp": "2026-05-28 22:01:57,834",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254640000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              }
            ],
            "repeated": 0,
            "id": 6512
          },
          {
            "timestamp": "2026-05-28 22:01:57,834",
            "thread_id": "3700",
            "caller": "0x7ffc756e56b2",
            "parentcaller": "0x7ffc77bc6b6d",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\Windows.StateRepositoryPS.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc665a0000"
              }
            ],
            "repeated": 0,
            "id": 6513
          },
          {
            "timestamp": "2026-05-28 22:01:57,834",
            "thread_id": "3700",
            "caller": "0x7ffc756e56b2",
            "parentcaller": "0x7ffc77bc6b6d",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x7ffc665a0000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\System32\\\\Windows.StateRepositoryPS.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00002008"
              }
            ],
            "repeated": 0,
            "id": 6514
          },
          {
            "timestamp": "2026-05-28 22:01:57,834",
            "thread_id": "3700",
            "caller": "0x7ffc756eac31",
            "parentcaller": "0x7ffc77bc6acf",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "Windows.StateRepositoryPS.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc665a0000"
              },
              {
                "name": "FunctionName",
                "value": "DllGetClassObject"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc665a7340"
              }
            ],
            "repeated": 0,
            "id": 6515
          },
          {
            "timestamp": "2026-05-28 22:01:57,834",
            "thread_id": "3700",
            "caller": "0x7ffc756eac31",
            "parentcaller": "0x7ffc77bc6ae8",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": false,
            "return": "0xffffffffc0000139",
            "pretty_return": "ENTRYPOINT_NOT_FOUND",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "Windows.StateRepositoryPS.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc665a0000"
              },
              {
                "name": "FunctionName",
                "value": "DllGetActivationFactory"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 6516
          },
          {
            "timestamp": "2026-05-28 22:01:57,834",
            "thread_id": "3700",
            "caller": "0x7ffc756eac31",
            "parentcaller": "0x7ffc77bc6b08",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "Windows.StateRepositoryPS.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc665a0000"
              },
              {
                "name": "FunctionName",
                "value": "DllCanUnloadNow"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc665a7380"
              }
            ],
            "repeated": 0,
            "id": 6517
          },
          {
            "timestamp": "2026-05-28 22:01:57,834",
            "thread_id": "3700",
            "caller": "0x7ffc77ba22bf",
            "parentcaller": "0x7ffc77c1fbe4",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x000002e6"
              },
              {
                "name": "SubKey",
                "value": "Interface\\{AF86E2E0-B12D-4C6A-9C5A-D7AA65101E90}"
              },
              {
                "name": "Handle",
                "value": "0x000006ee"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\Interface\\{AF86E2E0-B12D-4C6A-9C5A-D7AA65101E90}"
              }
            ],
            "repeated": 0,
            "id": 6518
          },
          {
            "timestamp": "2026-05-28 22:01:57,834",
            "thread_id": "3700",
            "caller": "0x7ffc77c1fa51",
            "parentcaller": "0x7ffc77be42ab",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x000006ee"
              },
              {
                "name": "SubKey",
                "value": "ProxyStubClsid32"
              },
              {
                "name": "Handle",
                "value": "0x00000672"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{AF86E2E0-B12D-4c6a-9C5A-D7AA65101E90}\\ProxyStubClsid32"
              }
            ],
            "repeated": 0,
            "id": 6519
          },
          {
            "timestamp": "2026-05-28 22:01:57,834",
            "thread_id": "3700",
            "caller": "0x7ffc77c1fa8c",
            "parentcaller": "0x7ffc77be42ab",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000672"
              },
              {
                "name": "ValueName",
                "value": ""
              },
              {
                "name": "Data",
                "value": "{00000320-0000-0000-C000-000000000046}"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{AF86E2E0-B12D-4c6a-9C5A-D7AA65101E90}\\ProxyStubClsid32\\(Default)"
              }
            ],
            "repeated": 0,
            "id": 6520
          },
          {
            "timestamp": "2026-05-28 22:01:57,834",
            "thread_id": "3700",
            "caller": "0x7ffc77c1fad3",
            "parentcaller": "0x7ffc77be42ab",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000672"
              }
            ],
            "repeated": 0,
            "id": 6521
          },
          {
            "timestamp": "2026-05-28 22:01:57,834",
            "thread_id": "3700",
            "caller": "0x7ffc77c1fae4",
            "parentcaller": "0x7ffc77be42ab",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000006ee"
              }
            ],
            "repeated": 0,
            "id": 6522
          },
          {
            "timestamp": "2026-05-28 22:01:57,834",
            "thread_id": "3700",
            "caller": "0x7ffc77b9cd6e",
            "parentcaller": "0x7ffc77b9c76f",
            "category": "system",
            "api": "IsDebuggerPresent",
            "status": false,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 6523
          },
          {
            "timestamp": "2026-05-28 22:01:57,834",
            "thread_id": "3700",
            "caller": "0x7ffc770e1630",
            "parentcaller": "0x7ffc770e12cd",
            "category": "system",
            "api": "NtQuerySystemTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 6524
          },
          {
            "timestamp": "2026-05-28 22:01:57,834",
            "thread_id": "3700",
            "caller": "0x7ffc78013f7a",
            "parentcaller": "0x7ffc770b0ed7",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "29"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 6525
          },
          {
            "timestamp": "2026-05-28 22:01:57,850",
            "thread_id": "3700",
            "caller": "0x7ffc77ba22bf",
            "parentcaller": "0x7ffc77c1fbe4",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x000002e6"
              },
              {
                "name": "SubKey",
                "value": "Interface\\{6CB10ED7-4BCA-5561-B2E1-40E1197C1B0C}"
              },
              {
                "name": "Handle",
                "value": "0x00000672"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\Interface\\{6CB10ED7-4BCA-5561-B2E1-40E1197C1B0C}"
              }
            ],
            "repeated": 0,
            "id": 6526
          },
          {
            "timestamp": "2026-05-28 22:01:57,850",
            "thread_id": "3700",
            "caller": "0x7ffc77c1fa51",
            "parentcaller": "0x7ffc77be42ab",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000672"
              },
              {
                "name": "SubKey",
                "value": "ProxyStubClsid32"
              },
              {
                "name": "Handle",
                "value": "0x000006a2"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{6cb10ed7-4bca-5561-b2e1-40e1197c1b0c}\\ProxyStubClsid32"
              }
            ],
            "repeated": 0,
            "id": 6527
          },
          {
            "timestamp": "2026-05-28 22:01:57,850",
            "thread_id": "3700",
            "caller": "0x7ffc77c1fa8c",
            "parentcaller": "0x7ffc77be42ab",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000006a2"
              },
              {
                "name": "ValueName",
                "value": ""
              },
              {
                "name": "Data",
                "value": "{c53e07ec-25f3-4093-aa39-fc67ea22e99d}"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{6cb10ed7-4bca-5561-b2e1-40e1197c1b0c}\\ProxyStubClsid32\\(Default)"
              }
            ],
            "repeated": 0,
            "id": 6528
          },
          {
            "timestamp": "2026-05-28 22:01:57,850",
            "thread_id": "3700",
            "caller": "0x7ffc77c1fad3",
            "parentcaller": "0x7ffc77be42ab",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000006a2"
              }
            ],
            "repeated": 0,
            "id": 6529
          },
          {
            "timestamp": "2026-05-28 22:01:57,850",
            "thread_id": "3700",
            "caller": "0x7ffc77c1fae4",
            "parentcaller": "0x7ffc77be42ab",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000672"
              }
            ],
            "repeated": 0,
            "id": 6530
          },
          {
            "timestamp": "2026-05-28 22:01:57,850",
            "thread_id": "3700",
            "caller": "0x7ffc77c2dd9d",
            "parentcaller": "0x7ffc77bc7428",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000670"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020119",
                "pretty_value": "KEY_QUERY_VALUE|KEY_ENUMERATE_SUB_KEYS|KEY_NOTIFY|KEY_WOW64_64KEY|STANDARD_RIGHTS_REQUIRED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000003d8"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Windows.Internal.StateRepository.Package"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.Package"
              }
            ],
            "repeated": 0,
            "id": 6531
          },
          {
            "timestamp": "2026-05-28 22:01:57,850",
            "thread_id": "3700",
            "caller": "0x7ffc77c2ddf7",
            "parentcaller": "0x7ffc77bc7428",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000670"
              },
              {
                "name": "KeyInformation",
                "value": "\\xfffci\\x0e\\xffd4\\xffde\\xffac\\xffd5\\x01\\x00\\x00\\x00\\x00P\\x00\\x00\\x00W\\x00i\\x00n\\x00d\\x00o\\x00w\\x00s\\x00.\\x00I\\x00n\\x00t\\x00e\\x00r\\x00n\\x00a\\x00l\\x00.\\x00S\\x00t\\x00a\\x00t\\x00e\\x00R\\x00e\\x00p\\x00o\\x00s\\x00i\\x00t\\x00o\\x00r\\x00y\\x00.\\x00P\\x00a\\x00c\\x00k\\x00a\\x00g\\x00e\\x00\\x02\\x00\\x05\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\xffbc%N\\xff92\\x02\\x00\\x00\\xff80\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x1fN\\xff92\\x02\\x00\\x00I\\xffe8\\x1f\\xff9e\\xfff0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xff92\\x02\\x00\\x00\\xffa0\\x14\\x03N\\xff92\\x02\\x00\\x00\\x00\\x00\\x03N\\xff92\\x02\\x00\\x00\\x00\\x00\\x03N\\xff92\\x02\\x00\\x00\\xffc4\\x02\\x03N\\xff92\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\xff92\\x02\\x00\\x00\\xff90\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xffc0\\x0c\\x03N\\xff92\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xffb0E\\xffe7w\\xfffc\\x7f\\x00\\x00\\x08\"*N\\xff92\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00 
\\xffe9\\x1f\\xff9e\\xfff0\\x00\\x00\\x00\\xff87\\xff9d\\xffbbw\\xfffc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\xff92\\x02\\x00\\x00\\xff900\\x1fT\\xff92\\x02\\x00\\x00\\xff80\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xffe0!*N\\xff92\\x02\\x00\\x00\\xff900\\x1fT\\xff92\\x02\\x00\\x00\\xffb0\\xfffc\\x18T\\xff92\\x02\\x00\\x00\\xffc7\\xffb3\\xffffw\\xfffc\\x7f\\x00\\x00\\x00\\x00\\x03N\\xff92\\x02\\x00\\x00\\xfff6s\\xffbbw\\xfffc\\x7f\\x00\\x00\\x10*\\x1fT\\xff92\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xffff\\xffff\\xffff\\xffff\\xffff\\xffff\\xffff\\xffff\\xffb0\\xfffc\\x18T\\xff92\\x02\\x00\\x00\\xffe05\\x1dT\\xff92\\x02\\x00\\x00\\xffe05\\x1dT\\xff92\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xff900\\x1fT\\xff92\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x1fN\\xff92\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\xff92\\x02\\x00\\x006\\xff8c\\xffc6w\\xfffc\\x7f\\x00\\x00 \\xffa3\\x1dT\\xff92\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\xfff0\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\xffea\\x1f\\xff9e\\xfff0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\xffea\\x1f\\xff9e\\xfff0\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 6532
          },
          {
            "timestamp": "2026-05-28 22:01:57,850",
            "thread_id": "3700",
            "caller": "0x7ffc756e2e92",
            "parentcaller": "0x7ffc77c29cb2",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000670"
              },
              {
                "name": "ValueName",
                "value": "ActivationType"
              },
              {
                "name": "Data",
                "value": "1"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.Package\\ActivationType"
              }
            ],
            "repeated": 0,
            "id": 6533
          },
          {
            "timestamp": "2026-05-28 22:01:57,850",
            "thread_id": "3700",
            "caller": "0x7ffc77b87deb",
            "parentcaller": "0x7ffc77c38ff0",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000670"
              },
              {
                "name": "ValueName",
                "value": "Server"
              },
              {
                "name": "Data",
                "value": "StateRepository"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.Package\\Server"
              }
            ],
            "repeated": 0,
            "id": 6534
          },
          {
            "timestamp": "2026-05-28 22:01:57,850",
            "thread_id": "3700",
            "caller": "0x7ffc77b87deb",
            "parentcaller": "0x7ffc77c400bb",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000670"
              },
              {
                "name": "ValueName",
                "value": "DllPath"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.Package\\DllPath"
              }
            ],
            "repeated": 0,
            "id": 6535
          },
          {
            "timestamp": "2026-05-28 22:01:57,850",
            "thread_id": "3700",
            "caller": "0x7ffc756e2e92",
            "parentcaller": "0x7ffc77c29cb2",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000670"
              },
              {
                "name": "ValueName",
                "value": "Threading"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.Package\\Threading"
              }
            ],
            "repeated": 0,
            "id": 6536
          },
          {
            "timestamp": "2026-05-28 22:01:57,850",
            "thread_id": "3700",
            "caller": "0x7ffc756e2e92",
            "parentcaller": "0x7ffc77c29cb2",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000670"
              },
              {
                "name": "ValueName",
                "value": "TrustLevel"
              },
              {
                "name": "Data",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.Package\\TrustLevel"
              }
            ],
            "repeated": 0,
            "id": 6537
          },
          {
            "timestamp": "2026-05-28 22:01:57,850",
            "thread_id": "3700",
            "caller": "0x7ffc77b8c0fc",
            "parentcaller": "0x7ffc77c24170",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000670"
              },
              {
                "name": "SubKey",
                "value": "CustomAttributes"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.Package\\CustomAttributes"
              }
            ],
            "repeated": 0,
            "id": 6538
          },
          {
            "timestamp": "2026-05-28 22:01:57,850",
            "thread_id": "3700",
            "caller": "0x7ffc77b87deb",
            "parentcaller": "0x7ffc77c38ff0",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000670"
              },
              {
                "name": "ValueName",
                "value": "RemoteServer"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.Package\\RemoteServer"
              }
            ],
            "repeated": 0,
            "id": 6539
          },
          {
            "timestamp": "2026-05-28 22:01:57,850",
            "thread_id": "3700",
            "caller": "0x7ffc756e2e92",
            "parentcaller": "0x7ffc77c29cb2",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000670"
              },
              {
                "name": "ValueName",
                "value": "ActivateAsUser"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.Package\\ActivateAsUser"
              }
            ],
            "repeated": 0,
            "id": 6540
          },
          {
            "timestamp": "2026-05-28 22:01:57,850",
            "thread_id": "3700",
            "caller": "0x7ffc756e2e92",
            "parentcaller": "0x7ffc77c29cb2",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000670"
              },
              {
                "name": "ValueName",
                "value": "ActivateInSharedBroker"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.Package\\ActivateInSharedBroker"
              }
            ],
            "repeated": 0,
            "id": 6541
          },
          {
            "timestamp": "2026-05-28 22:01:57,850",
            "thread_id": "3700",
            "caller": "0x7ffc756e2e92",
            "parentcaller": "0x7ffc77c29cb2",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000670"
              },
              {
                "name": "ValueName",
                "value": "ActivateInBrokerForMediumILContainer"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.Package\\ActivateInBrokerForMediumILContainer"
              }
            ],
            "repeated": 0,
            "id": 6542
          },
          {
            "timestamp": "2026-05-28 22:01:57,850",
            "thread_id": "3700",
            "caller": "0x7ffc756e2e92",
            "parentcaller": "0x7ffc77c32222",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000670"
              },
              {
                "name": "ValueName",
                "value": "Permissions"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.Package\\Permissions"
              }
            ],
            "repeated": 0,
            "id": 6543
          },
          {
            "timestamp": "2026-05-28 22:01:57,850",
            "thread_id": "3700",
            "caller": "0x7ffc756e2e92",
            "parentcaller": "0x7ffc77c29cb2",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000670"
              },
              {
                "name": "ValueName",
                "value": "ActivateOnHostFlags"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.Package\\ActivateOnHostFlags"
              }
            ],
            "repeated": 0,
            "id": 6544
          },
          {
            "timestamp": "2026-05-28 22:01:57,850",
            "thread_id": "3700",
            "caller": "0x7ffc77c27226",
            "parentcaller": "0x7ffc77c2ca23",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000670"
              }
            ],
            "repeated": 0,
            "id": 6545
          },
          {
            "timestamp": "2026-05-28 22:01:57,850",
            "thread_id": "3700",
            "caller": "0x7ffc77be92b9",
            "parentcaller": "0x7ffc77c2224d",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "00000339-0000-0000-C000-000000000046"
              },
              {
                "name": "ClsContext",
                "value": "0x00000403",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER|CLSCTX_NO_CODE_DOWNLOAD"
              },
              {
                "name": "riid",
                "value": "00000003-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 6546
          },
          {
            "timestamp": "2026-05-28 22:01:57,850",
            "thread_id": "3700",
            "caller": "0x7ffc77ba22bf",
            "parentcaller": "0x7ffc77c1fbe4",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x000002e6"
              },
              {
                "name": "SubKey",
                "value": "Interface\\{0450CE77-AF0D-40AC-93FD-1E5D48C89419}"
              },
              {
                "name": "Handle",
                "value": "0x00000672"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\Interface\\{0450CE77-AF0D-40AC-93FD-1E5D48C89419}"
              }
            ],
            "repeated": 0,
            "id": 6547
          },
          {
            "timestamp": "2026-05-28 22:01:57,850",
            "thread_id": "3700",
            "caller": "0x7ffc77c1fa51",
            "parentcaller": "0x7ffc77be42ab",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000672"
              },
              {
                "name": "SubKey",
                "value": "ProxyStubClsid32"
              },
              {
                "name": "Handle",
                "value": "0x000006a2"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{0450ce77-af0d-40ac-93fd-1e5d48c89419}\\ProxyStubClsid32"
              }
            ],
            "repeated": 0,
            "id": 6548
          },
          {
            "timestamp": "2026-05-28 22:01:57,850",
            "thread_id": "3700",
            "caller": "0x7ffc77c1fa8c",
            "parentcaller": "0x7ffc77be42ab",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000006a2"
              },
              {
                "name": "ValueName",
                "value": ""
              },
              {
                "name": "Data",
                "value": "{c53e07ec-25f3-4093-aa39-fc67ea22e99d}"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{0450ce77-af0d-40ac-93fd-1e5d48c89419}\\ProxyStubClsid32\\(Default)"
              }
            ],
            "repeated": 0,
            "id": 6549
          },
          {
            "timestamp": "2026-05-28 22:01:57,850",
            "thread_id": "3700",
            "caller": "0x7ffc77c1fad3",
            "parentcaller": "0x7ffc77be42ab",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000006a2"
              }
            ],
            "repeated": 0,
            "id": 6550
          },
          {
            "timestamp": "2026-05-28 22:01:57,850",
            "thread_id": "3700",
            "caller": "0x7ffc77c1fae4",
            "parentcaller": "0x7ffc77be42ab",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000672"
              }
            ],
            "repeated": 0,
            "id": 6551
          },
          {
            "timestamp": "2026-05-28 22:01:57,850",
            "thread_id": "3700",
            "caller": "0x7ffc77b9cd6e",
            "parentcaller": "0x7ffc77b9c76f",
            "category": "system",
            "api": "IsDebuggerPresent",
            "status": false,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 6552
          },
          {
            "timestamp": "2026-05-28 22:01:57,850",
            "thread_id": "3700",
            "caller": "0x7ffc78017830",
            "parentcaller": "0x7ffc780020f9",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc637df000"
              },
              {
                "name": "ModuleName",
                "value": "Windows.ApplicationModel.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 6553
          },
          {
            "timestamp": "2026-05-28 22:01:57,850",
            "thread_id": "3700",
            "caller": "0x7ffc78017881",
            "parentcaller": "0x7ffc780020f9",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc637df000"
              },
              {
                "name": "ModuleName",
                "value": "Windows.ApplicationModel.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 6554
          },
          {
            "timestamp": "2026-05-28 22:01:57,850",
            "thread_id": "612",
            "caller": "0x7ff6c29692cf",
            "parentcaller": "0x7ff6c296ccf0",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000006c8"
              }
            ],
            "repeated": 0,
            "id": 6555
          },
          {
            "timestamp": "2026-05-28 22:01:57,850",
            "thread_id": "612",
            "caller": "0x7ff6c296e6eb",
            "parentcaller": "0x7ff6c28feae6",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Run"
              },
              {
                "name": "Handle",
                "value": "0x000006c8"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Run"
              }
            ],
            "repeated": 0,
            "id": 6556
          },
          {
            "timestamp": "2026-05-28 22:01:57,850",
            "thread_id": "612",
            "caller": "0x7ff6c296e7db",
            "parentcaller": "0x7ff6c28feae6",
            "category": "registry",
            "api": "RegNotifyChangeKeyValue",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\"
              },
              {
                "name": "NotifyFilter",
                "value": "0x00000005"
              },
              {
                "name": "WatchSubtree",
                "value": "1"
              },
              {
                "name": "Asynchronous",
                "value": "1"
              }
            ],
            "repeated": 0,
            "id": 6557
          },
          {
            "timestamp": "2026-05-28 22:01:57,850",
            "thread_id": "612",
            "caller": "0x7ff6c296e6eb",
            "parentcaller": "0x7ff6c28feb43",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "Software\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Run"
              },
              {
                "name": "Handle",
                "value": "0x000006f4"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Run"
              }
            ],
            "repeated": 0,
            "id": 6558
          },
          {
            "timestamp": "2026-05-28 22:01:57,850",
            "thread_id": "612",
            "caller": "0x7ff6c296e7db",
            "parentcaller": "0x7ff6c28feb43",
            "category": "registry",
            "api": "RegNotifyChangeKeyValue",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Run\\"
              },
              {
                "name": "NotifyFilter",
                "value": "0x00000005"
              },
              {
                "name": "WatchSubtree",
                "value": "1"
              },
              {
                "name": "Asynchronous",
                "value": "1"
              }
            ],
            "repeated": 0,
            "id": 6559
          },
          {
            "timestamp": "2026-05-28 22:01:57,850",
            "thread_id": "612",
            "caller": "0x7ff6c296e6eb",
            "parentcaller": "0x7ff6c28feb99",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000001",
                "pretty_value": "HKEY_CURRENT_USER"
              },
              {
                "name": "SubKey",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Run"
              },
              {
                "name": "Handle",
                "value": "0x000006fc"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run"
              }
            ],
            "repeated": 0,
            "id": 6560
          },
          {
            "timestamp": "2026-05-28 22:01:57,850",
            "thread_id": "612",
            "caller": "0x7ff6c296e7db",
            "parentcaller": "0x7ff6c28feb99",
            "category": "registry",
            "api": "RegNotifyChangeKeyValue",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\"
              },
              {
                "name": "NotifyFilter",
                "value": "0x00000005"
              },
              {
                "name": "WatchSubtree",
                "value": "1"
              },
              {
                "name": "Asynchronous",
                "value": "1"
              }
            ],
            "repeated": 0,
            "id": 6561
          },
          {
            "timestamp": "2026-05-28 22:01:57,850",
            "thread_id": "612",
            "caller": "0x7ff6c28febc4",
            "parentcaller": "0x7ff6c28de10c",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 6562
          },
          {
            "timestamp": "2026-05-28 22:01:57,850",
            "thread_id": "612",
            "caller": "0x7ff6c28febe6",
            "parentcaller": "0x7ff6c28de10c",
            "category": "filesystem",
            "api": "FindFirstChangeNotificationW",
            "status": true,
            "return": "0x00000704",
            "arguments": [
              {
                "name": "PathName",
                "value": "C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\StartUp"
              },
              {
                "name": "NotifyFilter",
                "value": "0x00000011"
              },
              {
                "name": "WatchSubtree",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 6563
          },
          {
            "timestamp": "2026-05-28 22:01:57,850",
            "thread_id": "612",
            "caller": "0x7ff6c28fec26",
            "parentcaller": "0x7ff6c28de10c",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 6564
          },
          {
            "timestamp": "2026-05-28 22:01:57,850",
            "thread_id": "612",
            "caller": "0x7ff6c28fec3f",
            "parentcaller": "0x7ff6c28de10c",
            "category": "filesystem",
            "api": "FindFirstChangeNotificationW",
            "status": true,
            "return": "0x00000708",
            "arguments": [
              {
                "name": "PathName",
                "value": "C:\\Users\\admin\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup"
              },
              {
                "name": "NotifyFilter",
                "value": "0x00000011"
              },
              {
                "name": "WatchSubtree",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 6565
          },
          {
            "timestamp": "2026-05-28 22:01:57,850",
            "thread_id": "3700",
            "caller": "0x7ffc7571ebae",
            "parentcaller": "0x7ffc775c712f",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "0",
                "pretty_value": "ThreadBasicInformation"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x03\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xf0\\x87\\x9d\\xf0\\x00\\x00\\x00\\xe8\\x1e\\x00\\x00\\x00\\x00\\x00\\x00t\\x0e\\x00\\x00\\x00\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\t\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "3700"
              }
            ],
            "repeated": 0,
            "id": 6566
          },
          {
            "timestamp": "2026-05-28 22:01:57,850",
            "thread_id": "3700",
            "caller": "0x7ffc78017830",
            "parentcaller": "0x7ffc780020f9",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc77657000"
              },
              {
                "name": "ModuleName",
                "value": "SHCORE.DLL"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 6567
          },
          {
            "timestamp": "2026-05-28 22:01:57,850",
            "thread_id": "3700",
            "caller": "0x7ffc78017881",
            "parentcaller": "0x7ffc780020f9",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc77657000"
              },
              {
                "name": "ModuleName",
                "value": "SHCORE.DLL"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 6568
          },
          {
            "timestamp": "2026-05-28 22:01:57,850",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c38f8",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000006ac"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001410",
                "pretty_value": "PROCESS_VM_READ|PROCESS_QUERY_INFORMATION|PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "2792"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\System32\\svchost.exe"
              }
            ],
            "repeated": 0,
            "id": 6569
          },
          {
            "timestamp": "2026-05-28 22:01:57,850",
            "thread_id": "5448",
            "caller": "0x7ff6c28c53e5",
            "parentcaller": "0x7ff6c28c3945",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000006ac"
              },
              {
                "name": "BaseAddress",
                "value": "0x27d91cb000"
              },
              {
                "name": "Size",
                "value": "0x000007c8"
              },
              {
                "name": "Buffer",
                "value": "\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x006\\x80\\xf7\\x7f\\x00\\x00\\xc0\\xc4\\x13x\\xfc\\x7f\\x00\\x00p2\\xe0\\x96i\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xc7\\x96i\\x01\\x00\\x00\\xe0\\xc0\\x13x\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00p\\x003v\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xc2\\x96i\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00@\\xc4\\x13x\\xfc\\x7f\\x00\\x00\\xff\\x0f\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xbf\\xf9\\xf4}\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00P\\x07\\xbf\\xf9\\xf4}\\x00\\x00\\x00\\x00\\xd3\\xfb\\xf5}\\x00\\x00(\\x02\\xd4\\xfb\\xf5}\\x00\\x00P\\x06\\xd5\\xfb\\xf5}\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x80\\x9b\\x07m\\xe8\\xff\\xff\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x00 \\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x10\\x00\\x00\\x00@\\xad\\x13x\\xfc\\x7f\\x00\\x00\\x00\\x00 \\x97i\\x01\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 6570
          },
          {
            "timestamp": "2026-05-28 22:01:57,850",
            "thread_id": "5448",
            "caller": "0x7ff6c28c5414",
            "parentcaller": "0x7ff6c28c3945",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000006ac"
              },
              {
                "name": "BaseAddress",
                "value": "0x16996e03270"
              },
              {
                "name": "Size",
                "value": "0x00000440"
              },
              {
                "name": "Buffer",
                "value": "H\\x07\\x00\\x00H\\x07\\x00\\x00\\x01 \\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00(\\x00\\x08\\x02\\x00\\x00\\x00\\x000>\\xe0\\x96i\\x01\\x00\\x00H\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00>\\x00@\\x00\\x00\\x00\\x00\\x00\\xb88\\xe0\\x96i\\x01\\x00\\x00z\\x00|\\x00\\x00\\x00\\x00\\x00\\xf88\\xe0\\x96i\\x01\\x00\\x00\\xf0'\\xe0\\x96i\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x80\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00>\\x00@\\x00\\x00\\x00\\x00\\x00t9\\xe0\\x96i\\x01\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\xb49\\xe0\\x96i\\x01\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\xb69\\xe0\\x96i\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 6571
          },
          {
            "timestamp": "2026-05-28 22:01:57,850",
            "thread_id": "5448",
            "caller": "0x7ff6c28c545d",
            "parentcaller": "0x7ff6c28c3945",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000006ac"
              },
              {
                "name": "BaseAddress",
                "value": "0x16996e038f8"
              },
              {
                "name": "Size",
                "value": "0x0000007a"
              },
              {
                "name": "Buffer",
                "value": "C\\x00:\\x00\\\\x00W\\x00i\\x00n\\x00d\\x00o\\x00w\\x00s\\x00\\\\x00s\\x00y\\x00s\\x00t\\x00e\\x00m\\x003\\x002\\x00\\\\x00s\\x00v\\x00c\\x00h\\x00o\\x00s\\x00t\\x00.\\x00e\\x00x\\x00e\\x00 \\x00-\\x00k\\x00 \\x00n\\x00e\\x00t\\x00s\\x00v\\x00c\\x00s\\x00 \\x00-\\x00p\\x00 \\x00-\\x00s\\x00 \\x00L\\x00a\\x00n\\x00m\\x00a\\x00n\\x00S\\x00e\\x00r\\x00v\\x00e\\x00r\\x00"
              }
            ],
            "repeated": 0,
            "id": 6572
          },
          {
            "timestamp": "2026-05-28 22:01:57,850",
            "thread_id": "5448",
            "caller": "0x7ff6c28c39ad",
            "parentcaller": "0x7ff6c28c31bb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000006ac"
              }
            ],
            "repeated": 0,
            "id": 6573
          },
          {
            "timestamp": "2026-05-28 22:01:57,850",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c3746",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000006ac"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001000",
                "pretty_value": "PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "2792"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\System32\\svchost.exe"
              }
            ],
            "repeated": 0,
            "id": 6574
          },
          {
            "timestamp": "2026-05-28 22:01:57,850",
            "thread_id": "5448",
            "caller": "0x7ff6c28c472e",
            "parentcaller": "0x7ff6c28c375e",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000006ac"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x000006a8"
              }
            ],
            "repeated": 0,
            "id": 6575
          },
          {
            "timestamp": "2026-05-28 22:01:57,850",
            "thread_id": "5448",
            "caller": "0x7ff6c28c4764",
            "parentcaller": "0x7ff6c28c375e",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "39"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 6576
          },
          {
            "timestamp": "2026-05-28 22:01:57,850",
            "thread_id": "5448",
            "caller": "0x7ff6c28c47ed",
            "parentcaller": "0x7ff6c28c375e",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "39"
              },
              {
                "name": "TokenInformation",
                "value": "\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x000r T\\x92\\x02\\x00\\x00 \\x00 \\x00\\x00\\x00\\x00\\x00Xr T\\x92\\x02\\x00\\x00\\x02\\x00\\x00\\x00A\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00xr T\\x92\\x02\\x00\\x00T\\x00S\\x00A\\x00:\\x00/\\x00/\\x00P\\x00r\\x00o\\x00c\\x00U\\x00n\\x00i\\x00q\\x00u\\x00e\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00T\\xb1\\x01\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 6577
          },
          {
            "timestamp": "2026-05-28 22:01:57,850",
            "thread_id": "5448",
            "caller": "0x7ff6c28c488d",
            "parentcaller": "0x7ff6c28c375e",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000006a8"
              }
            ],
            "repeated": 0,
            "id": 6578
          },
          {
            "timestamp": "2026-05-28 22:01:57,850",
            "thread_id": "5448",
            "caller": "0x7ff6c28c3779",
            "parentcaller": "0x7ff6c28c31c6",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000006ac"
              }
            ],
            "repeated": 0,
            "id": 6579
          },
          {
            "timestamp": "2026-05-28 22:01:57,850",
            "thread_id": "5448",
            "caller": "0x7ff6c28c05ac",
            "parentcaller": "0x7ff6c28bdc11",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000006ac"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001400",
                "pretty_value": "PROCESS_QUERY_INFORMATION|PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "2808"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\System32\\svchost.exe"
              }
            ],
            "repeated": 0,
            "id": 6580
          },
          {
            "timestamp": "2026-05-28 22:01:57,850",
            "thread_id": "5448",
            "caller": "0x7ff6c28c068f",
            "parentcaller": "0x7ff6c28bdc11",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000006ac"
              }
            ],
            "repeated": 0,
            "id": 6581
          },
          {
            "timestamp": "2026-05-28 22:01:57,850",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c3e56",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000006ac"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001000",
                "pretty_value": "PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "2808"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\System32\\svchost.exe"
              }
            ],
            "repeated": 0,
            "id": 6582
          },
          {
            "timestamp": "2026-05-28 22:01:57,850",
            "thread_id": "5448",
            "caller": "0x7ff6c28c3ebb",
            "parentcaller": "0x7ff6c28c2d53",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000006ac"
              }
            ],
            "repeated": 0,
            "id": 6583
          },
          {
            "timestamp": "2026-05-28 22:01:57,850",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c3ffc",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000006ac"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001000",
                "pretty_value": "PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "2808"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\System32\\svchost.exe"
              }
            ],
            "repeated": 0,
            "id": 6584
          },
          {
            "timestamp": "2026-05-28 22:01:57,850",
            "thread_id": "5448",
            "caller": "0x7ff6c28c4224",
            "parentcaller": "0x7ff6c28c2da5",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000006ac"
              }
            ],
            "repeated": 0,
            "id": 6585
          },
          {
            "timestamp": "2026-05-28 22:01:57,850",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29254640002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\System32\\svchost.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 6586
          },
          {
            "timestamp": "2026-05-28 22:01:57,850",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "registry",
            "api": "NtOpenKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\en-US"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\en-US"
              }
            ],
            "repeated": 0,
            "id": 6587
          },
          {
            "timestamp": "2026-05-28 22:01:57,850",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000006ac"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100001",
                "pretty_value": "FILE_READ_ACCESS|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\en-US\\svchost.exe.mui"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 6588
          },
          {
            "timestamp": "2026-05-28 22:01:57,850",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x000006a8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x000006ac"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\en-US\\svchost.exe.mui"
              }
            ],
            "repeated": 0,
            "id": 6589
          },
          {
            "timestamp": "2026-05-28 22:01:57,850",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x000006a8"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254650000"
              },
              {
                "name": "SectionOffset",
                "value": "0xf09ddfcf90"
              },
              {
                "name": "ViewSize",
                "value": "0x00001000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 6590
          },
          {
            "timestamp": "2026-05-28 22:01:57,850",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000006a8"
              }
            ],
            "repeated": 0,
            "id": 6591
          },
          {
            "timestamp": "2026-05-28 22:01:57,850",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254650000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              }
            ],
            "repeated": 0,
            "id": 6592
          },
          {
            "timestamp": "2026-05-28 22:01:57,850",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000006ac"
              }
            ],
            "repeated": 0,
            "id": 6593
          },
          {
            "timestamp": "2026-05-28 22:01:57,850",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254640000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              }
            ],
            "repeated": 0,
            "id": 6594
          },
          {
            "timestamp": "2026-05-28 22:01:57,850",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29254640002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\System32\\svchost.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 6595
          },
          {
            "timestamp": "2026-05-28 22:01:57,850",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "registry",
            "api": "NtOpenKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\en-US"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\en-US"
              }
            ],
            "repeated": 0,
            "id": 6596
          },
          {
            "timestamp": "2026-05-28 22:01:57,850",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000006ac"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100001",
                "pretty_value": "FILE_READ_ACCESS|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\en-US\\svchost.exe.mui"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 6597
          },
          {
            "timestamp": "2026-05-28 22:01:57,850",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x000006a8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x000006ac"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\en-US\\svchost.exe.mui"
              }
            ],
            "repeated": 0,
            "id": 6598
          },
          {
            "timestamp": "2026-05-28 22:01:57,850",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x000006a8"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254650000"
              },
              {
                "name": "SectionOffset",
                "value": "0xf09ddfcf80"
              },
              {
                "name": "ViewSize",
                "value": "0x00001000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 6599
          },
          {
            "timestamp": "2026-05-28 22:01:57,850",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000006a8"
              }
            ],
            "repeated": 0,
            "id": 6600
          },
          {
            "timestamp": "2026-05-28 22:01:57,850",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254650000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              }
            ],
            "repeated": 0,
            "id": 6601
          },
          {
            "timestamp": "2026-05-28 22:01:57,850",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000006ac"
              }
            ],
            "repeated": 0,
            "id": 6602
          },
          {
            "timestamp": "2026-05-28 22:01:57,850",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254640000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              }
            ],
            "repeated": 0,
            "id": 6603
          },
          {
            "timestamp": "2026-05-28 22:01:57,850",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c38f8",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000006ac"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001410",
                "pretty_value": "PROCESS_VM_READ|PROCESS_QUERY_INFORMATION|PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "2808"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\System32\\svchost.exe"
              }
            ],
            "repeated": 0,
            "id": 6604
          },
          {
            "timestamp": "2026-05-28 22:01:57,850",
            "thread_id": "5448",
            "caller": "0x7ff6c28c53e5",
            "parentcaller": "0x7ff6c28c3945",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000006ac"
              },
              {
                "name": "BaseAddress",
                "value": "0xfe46071000"
              },
              {
                "name": "Size",
                "value": "0x000007c8"
              },
              {
                "name": "Buffer",
                "value": "\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x006\\x80\\xf7\\x7f\\x00\\x00\\xc0\\xc4\\x13x\\xfc\\x7f\\x00\\x00p2 o\\xe1\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x1fo\\xe1\\x02\\x00\\x00\\xe0\\xc0\\x13x\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00p\\x003v\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x1ao\\xe1\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00@\\xc4\\x13x\\xfc\\x7f\\x00\\x00\\xff\\xff\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb3~\\xf4}\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00P\\x07\\xb3~\\xf4}\\x00\\x00\\x00\\x00\\xc7\\x80\\xf5}\\x00\\x00(\\x02\\xc8\\x80\\xf5}\\x00\\x00P\\x06\\xc9\\x80\\xf5}\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x80\\x9b\\x07m\\xe8\\xff\\xff\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x00 \\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x10\\x00\\x00\\x00@\\xad\\x13x\\xfc\\x7f\\x00\\x00\\x00\\x00qo\\xe1\\x02\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 6605
          },
          {
            "timestamp": "2026-05-28 22:01:57,850",
            "thread_id": "5448",
            "caller": "0x7ff6c28c5414",
            "parentcaller": "0x7ff6c28c3945",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000006ac"
              },
              {
                "name": "BaseAddress",
                "value": "0x2e16f203270"
              },
              {
                "name": "Size",
                "value": "0x00000440"
              },
              {
                "name": "Buffer",
                "value": "D\\x07\\x00\\x00D\\x07\\x00\\x00\\x01 \\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00(\\x00\\x08\\x02\\x00\\x00\\x00\\x000> o\\xe1\\x02\\x00\\x00H\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00>\\x00@\\x00\\x00\\x00\\x00\\x00\\xb88 o\\xe1\\x02\\x00\\x00v\\x00x\\x00\\x00\\x00\\x00\\x00\\xf88 o\\xe1\\x02\\x00\\x00\\xf0' o\\xe1\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x80\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00>\\x00@\\x00\\x00\\x00\\x00\\x00p9 o\\xe1\\x02\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\xb09 o\\xe1\\x02\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\xb29 o\\xe1\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 6606
          },
          {
            "timestamp": "2026-05-28 22:01:57,850",
            "thread_id": "5448",
            "caller": "0x7ff6c28c545d",
            "parentcaller": "0x7ff6c28c3945",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000006ac"
              },
              {
                "name": "BaseAddress",
                "value": "0x2e16f2038f8"
              },
              {
                "name": "Size",
                "value": "0x00000076"
              },
              {
                "name": "Buffer",
                "value": "C\\x00:\\x00\\\\x00W\\x00i\\x00n\\x00d\\x00o\\x00w\\x00s\\x00\\\\x00s\\x00y\\x00s\\x00t\\x00e\\x00m\\x003\\x002\\x00\\\\x00s\\x00v\\x00c\\x00h\\x00o\\x00s\\x00t\\x00.\\x00e\\x00x\\x00e\\x00 \\x00-\\x00k\\x00 \\x00n\\x00e\\x00t\\x00s\\x00v\\x00c\\x00s\\x00 \\x00-\\x00p\\x00 \\x00-\\x00s\\x00 \\x00W\\x00p\\x00n\\x00S\\x00e\\x00r\\x00v\\x00i\\x00c\\x00e\\x00"
              }
            ],
            "repeated": 0,
            "id": 6607
          },
          {
            "timestamp": "2026-05-28 22:01:57,850",
            "thread_id": "5448",
            "caller": "0x7ff6c28c39ad",
            "parentcaller": "0x7ff6c28c31bb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000006ac"
              }
            ],
            "repeated": 0,
            "id": 6608
          },
          {
            "timestamp": "2026-05-28 22:01:57,850",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c3746",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000006ac"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001000",
                "pretty_value": "PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "2808"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\System32\\svchost.exe"
              }
            ],
            "repeated": 0,
            "id": 6609
          },
          {
            "timestamp": "2026-05-28 22:01:57,850",
            "thread_id": "5448",
            "caller": "0x7ff6c28c472e",
            "parentcaller": "0x7ff6c28c375e",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000006ac"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x000006a8"
              }
            ],
            "repeated": 0,
            "id": 6610
          },
          {
            "timestamp": "2026-05-28 22:01:57,850",
            "thread_id": "5448",
            "caller": "0x7ff6c28c4764",
            "parentcaller": "0x7ff6c28c375e",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "39"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 6611
          },
          {
            "timestamp": "2026-05-28 22:01:57,850",
            "thread_id": "5448",
            "caller": "0x7ff6c28c47ed",
            "parentcaller": "0x7ff6c28c375e",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "39"
              },
              {
                "name": "TokenInformation",
                "value": "\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x000r T\\x92\\x02\\x00\\x00 \\x00 \\x00\\x00\\x00\\x00\\x00Xr T\\x92\\x02\\x00\\x00\\x02\\x00\\x00\\x00A\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00xr T\\x92\\x02\\x00\\x00T\\x00S\\x00A\\x00:\\x00/\\x00/\\x00P\\x00r\\x00o\\x00c\\x00U\\x00n\\x00i\\x00q\\x00u\\x00e\\x00\\x05\\x00\\x00\\x00\\x00\\x00\\x00\\x00n\\xb2\\x01\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 6612
          },
          {
            "timestamp": "2026-05-28 22:01:57,850",
            "thread_id": "5448",
            "caller": "0x7ff6c28c488d",
            "parentcaller": "0x7ff6c28c375e",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000006a8"
              }
            ],
            "repeated": 0,
            "id": 6613
          },
          {
            "timestamp": "2026-05-28 22:01:57,850",
            "thread_id": "5448",
            "caller": "0x7ff6c28c3779",
            "parentcaller": "0x7ff6c28c31c6",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000006ac"
              }
            ],
            "repeated": 0,
            "id": 6614
          },
          {
            "timestamp": "2026-05-28 22:01:57,850",
            "thread_id": "5448",
            "caller": "0x7ff6c28c05ac",
            "parentcaller": "0x7ff6c28bdc11",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000006ac"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001400",
                "pretty_value": "PROCESS_QUERY_INFORMATION|PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "2996"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\System32\\svchost.exe"
              }
            ],
            "repeated": 0,
            "id": 6615
          },
          {
            "timestamp": "2026-05-28 22:01:57,850",
            "thread_id": "5448",
            "caller": "0x7ff6c28c068f",
            "parentcaller": "0x7ff6c28bdc11",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000006ac"
              }
            ],
            "repeated": 0,
            "id": 6616
          },
          {
            "timestamp": "2026-05-28 22:01:57,850",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c3e56",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000006ac"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001000",
                "pretty_value": "PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "2996"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\System32\\svchost.exe"
              }
            ],
            "repeated": 0,
            "id": 6617
          },
          {
            "timestamp": "2026-05-28 22:01:57,850",
            "thread_id": "5448",
            "caller": "0x7ff6c28c3ebb",
            "parentcaller": "0x7ff6c28c2d53",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000006ac"
              }
            ],
            "repeated": 0,
            "id": 6618
          },
          {
            "timestamp": "2026-05-28 22:01:57,850",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c3ffc",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000006ac"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001000",
                "pretty_value": "PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "2996"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\System32\\svchost.exe"
              }
            ],
            "repeated": 0,
            "id": 6619
          },
          {
            "timestamp": "2026-05-28 22:01:57,850",
            "thread_id": "5448",
            "caller": "0x7ff6c28c4224",
            "parentcaller": "0x7ff6c28c2da5",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000006ac"
              }
            ],
            "repeated": 0,
            "id": 6620
          },
          {
            "timestamp": "2026-05-28 22:01:57,850",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29254640002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\System32\\svchost.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 6621
          },
          {
            "timestamp": "2026-05-28 22:01:57,850",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "registry",
            "api": "NtOpenKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\en-US"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\en-US"
              }
            ],
            "repeated": 0,
            "id": 6622
          },
          {
            "timestamp": "2026-05-28 22:01:57,850",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000006ac"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100001",
                "pretty_value": "FILE_READ_ACCESS|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\en-US\\svchost.exe.mui"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 6623
          },
          {
            "timestamp": "2026-05-28 22:01:57,850",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x000006a8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x000006ac"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\en-US\\svchost.exe.mui"
              }
            ],
            "repeated": 0,
            "id": 6624
          },
          {
            "timestamp": "2026-05-28 22:01:57,850",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x000006a8"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254650000"
              },
              {
                "name": "SectionOffset",
                "value": "0xf09ddfcf90"
              },
              {
                "name": "ViewSize",
                "value": "0x00001000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 6625
          },
          {
            "timestamp": "2026-05-28 22:01:57,850",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000006a8"
              }
            ],
            "repeated": 0,
            "id": 6626
          },
          {
            "timestamp": "2026-05-28 22:01:57,850",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254650000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              }
            ],
            "repeated": 0,
            "id": 6627
          },
          {
            "timestamp": "2026-05-28 22:01:57,850",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000006ac"
              }
            ],
            "repeated": 0,
            "id": 6628
          },
          {
            "timestamp": "2026-05-28 22:01:57,850",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254640000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              }
            ],
            "repeated": 0,
            "id": 6629
          },
          {
            "timestamp": "2026-05-28 22:01:57,850",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29254640002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\System32\\svchost.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 6630
          },
          {
            "timestamp": "2026-05-28 22:01:57,850",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "registry",
            "api": "NtOpenKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\en-US"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\en-US"
              }
            ],
            "repeated": 0,
            "id": 6631
          },
          {
            "timestamp": "2026-05-28 22:01:57,850",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000006ac"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100001",
                "pretty_value": "FILE_READ_ACCESS|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\en-US\\svchost.exe.mui"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 6632
          },
          {
            "timestamp": "2026-05-28 22:01:57,850",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x000006a8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x000006ac"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\en-US\\svchost.exe.mui"
              }
            ],
            "repeated": 0,
            "id": 6633
          },
          {
            "timestamp": "2026-05-28 22:01:57,850",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x000006a8"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254650000"
              },
              {
                "name": "SectionOffset",
                "value": "0xf09ddfcf80"
              },
              {
                "name": "ViewSize",
                "value": "0x00001000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 6634
          },
          {
            "timestamp": "2026-05-28 22:01:57,850",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000006a8"
              }
            ],
            "repeated": 0,
            "id": 6635
          },
          {
            "timestamp": "2026-05-28 22:01:57,850",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254650000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              }
            ],
            "repeated": 0,
            "id": 6636
          },
          {
            "timestamp": "2026-05-28 22:01:57,850",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000006ac"
              }
            ],
            "repeated": 0,
            "id": 6637
          },
          {
            "timestamp": "2026-05-28 22:01:57,850",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254640000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              }
            ],
            "repeated": 0,
            "id": 6638
          },
          {
            "timestamp": "2026-05-28 22:01:57,850",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c38f8",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000006ac"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001410",
                "pretty_value": "PROCESS_VM_READ|PROCESS_QUERY_INFORMATION|PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "2996"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\System32\\svchost.exe"
              }
            ],
            "repeated": 0,
            "id": 6639
          },
          {
            "timestamp": "2026-05-28 22:01:57,850",
            "thread_id": "5448",
            "caller": "0x7ff6c28c53e5",
            "parentcaller": "0x7ff6c28c3945",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000006ac"
              },
              {
                "name": "BaseAddress",
                "value": "0x24ee144000"
              },
              {
                "name": "Size",
                "value": "0x000007c8"
              },
              {
                "name": "Buffer",
                "value": "\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x006\\x80\\xf7\\x7f\\x00\\x00\\xc0\\xc4\\x13x\\xfc\\x7f\\x00\\x00p2`\\xd0\\xa9\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00G\\xd0\\xa9\\x01\\x00\\x00\\xe0\\xc0\\x13x\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00p\\x003v\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00B\\xd0\\xa9\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00@\\xc4\\x13x\\xfc\\x7f\\x00\\x00\\x1f\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00s\\xe2\\xf4}\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00P\\x07s\\xe2\\xf4}\\x00\\x00\\x00\\x00\\x87\\xe4\\xf5}\\x00\\x00(\\x02\\x88\\xe4\\xf5}\\x00\\x00P\\x06\\x89\\xe4\\xf5}\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x80\\x9b\\x07m\\xe8\\xff\\xff\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x00 \\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x10\\x00\\x00\\x00@\\xad\\x13x\\xfc\\x7f\\x00\\x00\\x00\\x00\\xa0\\xd0\\xa9\\x01\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 6640
          },
          {
            "timestamp": "2026-05-28 22:01:57,850",
            "thread_id": "5448",
            "caller": "0x7ff6c28c5414",
            "parentcaller": "0x7ff6c28c3945",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000006ac"
              },
              {
                "name": "BaseAddress",
                "value": "0x1a9d0603270"
              },
              {
                "name": "Size",
                "value": "0x00000440"
              },
              {
                "name": "Buffer",
                "value": "P\\x07\\x00\\x00P\\x07\\x00\\x00\\x01 \\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00(\\x00\\x08\\x02\\x00\\x00\\x00\\x000>`\\xd0\\xa9\\x01\\x00\\x00H\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00>\\x00@\\x00\\x00\\x00\\x00\\x00\\xb88`\\xd0\\xa9\\x01\\x00\\x00\\x82\\x00\\x84\\x00\\x00\\x00\\x00\\x00\\xf88`\\xd0\\xa9\\x01\\x00\\x00\\xf0'`\\xd0\\xa9\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x80\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00>\\x00@\\x00\\x00\\x00\\x00\\x00|9`\\xd0\\xa9\\x01\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\xbc9`\\xd0\\xa9\\x01\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\xbe9`\\xd0\\xa9\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 6641
          },
          {
            "timestamp": "2026-05-28 22:01:57,850",
            "thread_id": "5448",
            "caller": "0x7ff6c28c545d",
            "parentcaller": "0x7ff6c28c3945",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000006ac"
              },
              {
                "name": "BaseAddress",
                "value": "0x1a9d06038f8"
              },
              {
                "name": "Size",
                "value": "0x00000082"
              },
              {
                "name": "Buffer",
                "value": "C\\x00:\\x00\\\\x00W\\x00i\\x00n\\x00d\\x00o\\x00w\\x00s\\x00\\\\x00s\\x00y\\x00s\\x00t\\x00e\\x00m\\x003\\x002\\x00\\\\x00s\\x00v\\x00c\\x00h\\x00o\\x00s\\x00t\\x00.\\x00e\\x00x\\x00e\\x00 \\x00-\\x00k\\x00 \\x00a\\x00p\\x00p\\x00m\\x00o\\x00d\\x00e\\x00l\\x00 \\x00-\\x00p\\x00 \\x00-\\x00s\\x00 \\x00S\\x00t\\x00a\\x00t\\x00e\\x00R\\x00e\\x00p\\x00o\\x00s\\x00i\\x00t\\x00o\\x00r\\x00y\\x00"
              }
            ],
            "repeated": 0,
            "id": 6642
          },
          {
            "timestamp": "2026-05-28 22:01:57,850",
            "thread_id": "5448",
            "caller": "0x7ff6c28c39ad",
            "parentcaller": "0x7ff6c28c31bb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000006ac"
              }
            ],
            "repeated": 0,
            "id": 6643
          },
          {
            "timestamp": "2026-05-28 22:01:57,850",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c3746",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000006ac"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001000",
                "pretty_value": "PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "2996"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\System32\\svchost.exe"
              }
            ],
            "repeated": 0,
            "id": 6644
          },
          {
            "timestamp": "2026-05-28 22:01:57,850",
            "thread_id": "5448",
            "caller": "0x7ff6c28c472e",
            "parentcaller": "0x7ff6c28c375e",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000006ac"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x000006a8"
              }
            ],
            "repeated": 0,
            "id": 6645
          },
          {
            "timestamp": "2026-05-28 22:01:57,850",
            "thread_id": "5448",
            "caller": "0x7ff6c28c4764",
            "parentcaller": "0x7ff6c28c375e",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "39"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 6646
          },
          {
            "timestamp": "2026-05-28 22:01:57,850",
            "thread_id": "5448",
            "caller": "0x7ff6c28c47ed",
            "parentcaller": "0x7ff6c28c375e",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "39"
              },
              {
                "name": "TokenInformation",
                "value": "\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x000r T\\x92\\x02\\x00\\x00 \\x00 \\x00\\x00\\x00\\x00\\x00Xr T\\x92\\x02\\x00\\x00\\x02\\x00\\x00\\x00A\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00xr T\\x92\\x02\\x00\\x00T\\x00S\\x00A\\x00:\\x00/\\x00/\\x00P\\x00r\\x00o\\x00c\\x00U\\x00n\\x00i\\x00q\\x00u\\x00e\\x00C\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x92\\xc2\\x01\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 6647
          },
          {
            "timestamp": "2026-05-28 22:01:57,850",
            "thread_id": "5448",
            "caller": "0x7ff6c28c488d",
            "parentcaller": "0x7ff6c28c375e",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000006a8"
              }
            ],
            "repeated": 0,
            "id": 6648
          },
          {
            "timestamp": "2026-05-28 22:01:57,850",
            "thread_id": "5448",
            "caller": "0x7ff6c28c3779",
            "parentcaller": "0x7ff6c28c31c6",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000006ac"
              }
            ],
            "repeated": 0,
            "id": 6649
          },
          {
            "timestamp": "2026-05-28 22:01:57,850",
            "thread_id": "5448",
            "caller": "0x7ff6c28c05ac",
            "parentcaller": "0x7ff6c28bdc11",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000006ac"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001400",
                "pretty_value": "PROCESS_QUERY_INFORMATION|PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "3824"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\System32\\SearchIndexer.exe"
              }
            ],
            "repeated": 0,
            "id": 6650
          },
          {
            "timestamp": "2026-05-28 22:01:57,850",
            "thread_id": "5448",
            "caller": "0x7ff6c28c068f",
            "parentcaller": "0x7ff6c28bdc11",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000006ac"
              }
            ],
            "repeated": 0,
            "id": 6651
          },
          {
            "timestamp": "2026-05-28 22:01:57,850",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c3e56",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000006ac"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001000",
                "pretty_value": "PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "3824"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\System32\\SearchIndexer.exe"
              }
            ],
            "repeated": 0,
            "id": 6652
          },
          {
            "timestamp": "2026-05-28 22:01:57,850",
            "thread_id": "5448",
            "caller": "0x7ff6c28c3ebb",
            "parentcaller": "0x7ff6c28c2d53",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000006ac"
              }
            ],
            "repeated": 0,
            "id": 6653
          },
          {
            "timestamp": "2026-05-28 22:01:57,850",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c3ffc",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000006ac"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001000",
                "pretty_value": "PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "3824"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\System32\\SearchIndexer.exe"
              }
            ],
            "repeated": 0,
            "id": 6654
          },
          {
            "timestamp": "2026-05-28 22:01:57,850",
            "thread_id": "5448",
            "caller": "0x7ff6c28c4224",
            "parentcaller": "0x7ff6c28c2da5",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000006ac"
              }
            ],
            "repeated": 0,
            "id": 6655
          },
          {
            "timestamp": "2026-05-28 22:01:57,850",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29254640002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\System32\\SearchIndexer.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 6656
          },
          {
            "timestamp": "2026-05-28 22:01:57,850",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "registry",
            "api": "NtOpenKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\en-US"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\en-US"
              }
            ],
            "repeated": 0,
            "id": 6657
          },
          {
            "timestamp": "2026-05-28 22:01:57,850",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000006ac"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100001",
                "pretty_value": "FILE_READ_ACCESS|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\en-US\\SearchIndexer.exe.mui"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 6658
          },
          {
            "timestamp": "2026-05-28 22:01:57,850",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x000006a8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x000006ac"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\en-US\\SearchIndexer.exe.mui"
              }
            ],
            "repeated": 0,
            "id": 6659
          },
          {
            "timestamp": "2026-05-28 22:01:57,850",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x000006a8"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254730000"
              },
              {
                "name": "SectionOffset",
                "value": "0xf09ddfcf90"
              },
              {
                "name": "ViewSize",
                "value": "0x00002000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 6660
          },
          {
            "timestamp": "2026-05-28 22:01:57,850",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000006a8"
              }
            ],
            "repeated": 0,
            "id": 6661
          },
          {
            "timestamp": "2026-05-28 22:01:57,850",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254730000"
              },
              {
                "name": "RegionSize",
                "value": "0x00002000"
              }
            ],
            "repeated": 0,
            "id": 6662
          },
          {
            "timestamp": "2026-05-28 22:01:57,850",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000006ac"
              }
            ],
            "repeated": 0,
            "id": 6663
          },
          {
            "timestamp": "2026-05-28 22:01:57,850",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254640000"
              },
              {
                "name": "RegionSize",
                "value": "0x000eb000"
              }
            ],
            "repeated": 0,
            "id": 6664
          },
          {
            "timestamp": "2026-05-28 22:01:57,850",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29254640002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\System32\\SearchIndexer.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 6665
          },
          {
            "timestamp": "2026-05-28 22:01:57,850",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "registry",
            "api": "NtOpenKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\en-US"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\en-US"
              }
            ],
            "repeated": 0,
            "id": 6666
          },
          {
            "timestamp": "2026-05-28 22:01:57,850",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000006ac"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100001",
                "pretty_value": "FILE_READ_ACCESS|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\en-US\\SearchIndexer.exe.mui"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 6667
          },
          {
            "timestamp": "2026-05-28 22:01:57,850",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x000006a8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x000006ac"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\en-US\\SearchIndexer.exe.mui"
              }
            ],
            "repeated": 0,
            "id": 6668
          },
          {
            "timestamp": "2026-05-28 22:01:57,850",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x000006a8"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254730000"
              },
              {
                "name": "SectionOffset",
                "value": "0xf09ddfcf80"
              },
              {
                "name": "ViewSize",
                "value": "0x00002000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 6669
          },
          {
            "timestamp": "2026-05-28 22:01:57,850",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000006a8"
              }
            ],
            "repeated": 0,
            "id": 6670
          },
          {
            "timestamp": "2026-05-28 22:01:57,850",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254730000"
              },
              {
                "name": "RegionSize",
                "value": "0x00002000"
              }
            ],
            "repeated": 0,
            "id": 6671
          },
          {
            "timestamp": "2026-05-28 22:01:57,850",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000006ac"
              }
            ],
            "repeated": 0,
            "id": 6672
          },
          {
            "timestamp": "2026-05-28 22:01:57,850",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254640000"
              },
              {
                "name": "RegionSize",
                "value": "0x000eb000"
              }
            ],
            "repeated": 0,
            "id": 6673
          },
          {
            "timestamp": "2026-05-28 22:01:57,850",
            "thread_id": "5448",
            "caller": "0x7ff6c28c3b16",
            "parentcaller": "0x7ff6c28c30e8",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000006ac"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000400",
                "pretty_value": "PROCESS_QUERY_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "3824"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\System32\\SearchIndexer.exe"
              }
            ],
            "repeated": 0,
            "id": 6674
          },
          {
            "timestamp": "2026-05-28 22:01:57,850",
            "thread_id": "5448",
            "caller": "0x7ff6c28c3b8f",
            "parentcaller": "0x7ff6c28c30e8",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000006ac"
              }
            ],
            "repeated": 0,
            "id": 6675
          },
          {
            "timestamp": "2026-05-28 22:01:57,850",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c38f8",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000006ac"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001410",
                "pretty_value": "PROCESS_VM_READ|PROCESS_QUERY_INFORMATION|PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "3824"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\System32\\SearchIndexer.exe"
              }
            ],
            "repeated": 0,
            "id": 6676
          },
          {
            "timestamp": "2026-05-28 22:01:57,850",
            "thread_id": "5448",
            "caller": "0x7ff6c28c53e5",
            "parentcaller": "0x7ff6c28c3945",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000006ac"
              },
              {
                "name": "BaseAddress",
                "value": "0x1e75ff0000"
              },
              {
                "name": "Size",
                "value": "0x000007c8"
              },
              {
                "name": "Buffer",
                "value": "\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\xa2\\x81\\xf7\\x7f\\x00\\x00\\xc0\\xc4\\x13x\\xfc\\x7f\\x00\\x00P\\x1a\\x06\\xd1p\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x06\\xd1p\\x01\\x00\\x00\\xe0\\xc0\\x13x\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00p\\x003v\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xe6\\xd0p\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00@\\xc4\\x13x\\xfc\\x7f\\x00\\x00\\xff\\xff\\xff\\xff\\x0f\\x00\\x00\\x00\\x00\\x00\\xe1\n\\xf4}\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00P\\x07\\xe1\n\\xf4}\\x00\\x00\\x00\\x00\\xf5\\x0c\\xf5}\\x00\\x00(\\x02\\xf6\\x0c\\xf5}\\x00\\x00P\\x06\\xf7\\x0c\\xf5}\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x80\\x9b\\x07m\\xe8\\xff\\xff\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x00 \\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x10\\x00\\x00\\x00@\\xad\\x13x\\xfc\\x7f\\x00\\x00\\x00\\x00\\x88\\xd1p\\x01\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 6677
          },
          {
            "timestamp": "2026-05-28 22:01:57,850",
            "thread_id": "5448",
            "caller": "0x7ff6c28c5414",
            "parentcaller": "0x7ff6c28c3945",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000006ac"
              },
              {
                "name": "BaseAddress",
                "value": "0x170d1061a50"
              },
              {
                "name": "Size",
                "value": "0x00000440"
              },
              {
                "name": "Buffer",
                "value": "F\\x07\\x00\\x00F\\x07\\x00\\x00\\x01`\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00(\\x00\\x08\\x02\\x00\\x00\\x00\\x00\\xf0%\\x06\\xd1p\\x01\\x00\\x00@\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00J\\x00L\\x00\\x00\\x00\\x00\\x00\\x98 \\x06\\xd1p\\x01\\x00\\x00`\\x00b\\x00\\x00\\x00\\x00\\x00\\xe4 \\x06\\xd1p\\x01\\x00\\x00\\xa0B\n\\xd1p\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x80\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00J\\x00L\\x00\\x00\\x00\\x00\\x00F!\\x06\\xd1p\\x01\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x92!\\x06\\xd1p\\x01\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x94!\\x06\\xd1p\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 6678
          },
          {
            "timestamp": "2026-05-28 22:01:57,850",
            "thread_id": "5448",
            "caller": "0x7ff6c28c545d",
            "parentcaller": "0x7ff6c28c3945",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000006ac"
              },
              {
                "name": "BaseAddress",
                "value": "0x170d10620e4"
              },
              {
                "name": "Size",
                "value": "0x00000060"
              },
              {
                "name": "Buffer",
                "value": "C\\x00:\\x00\\\\x00W\\x00i\\x00n\\x00d\\x00o\\x00w\\x00s\\x00\\\\x00s\\x00y\\x00s\\x00t\\x00e\\x00m\\x003\\x002\\x00\\\\x00S\\x00e\\x00a\\x00r\\x00c\\x00h\\x00I\\x00n\\x00d\\x00e\\x00x\\x00e\\x00r\\x00.\\x00e\\x00x\\x00e\\x00 \\x00/\\x00E\\x00m\\x00b\\x00e\\x00d\\x00d\\x00i\\x00n\\x00g\\x00"
              }
            ],
            "repeated": 0,
            "id": 6679
          },
          {
            "timestamp": "2026-05-28 22:01:57,850",
            "thread_id": "5448",
            "caller": "0x7ff6c28c39ad",
            "parentcaller": "0x7ff6c28c31bb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000006ac"
              }
            ],
            "repeated": 0,
            "id": 6680
          },
          {
            "timestamp": "2026-05-28 22:01:57,850",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c3746",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000006ac"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001000",
                "pretty_value": "PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "3824"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\System32\\SearchIndexer.exe"
              }
            ],
            "repeated": 0,
            "id": 6681
          },
          {
            "timestamp": "2026-05-28 22:01:57,850",
            "thread_id": "5448",
            "caller": "0x7ff6c28c472e",
            "parentcaller": "0x7ff6c28c375e",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000006ac"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x000006a8"
              }
            ],
            "repeated": 0,
            "id": 6682
          },
          {
            "timestamp": "2026-05-28 22:01:57,850",
            "thread_id": "5448",
            "caller": "0x7ff6c28c4764",
            "parentcaller": "0x7ff6c28c375e",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "39"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 6683
          },
          {
            "timestamp": "2026-05-28 22:01:57,850",
            "thread_id": "5448",
            "caller": "0x7ff6c28c47ed",
            "parentcaller": "0x7ff6c28c375e",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "39"
              },
              {
                "name": "TokenInformation",
                "value": "\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x000r T\\x92\\x02\\x00\\x00 \\x00 \\x00\\x00\\x00\\x00\\x00Xr T\\x92\\x02\\x00\\x00\\x02\\x00\\x00\\x00A\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00xr T\\x92\\x02\\x00\\x00T\\x00S\\x00A\\x00:\\x00/\\x00/\\x00P\\x00r\\x00o\\x00c\\x00U\\x00n\\x00i\\x00q\\x00u\\x00e\\x00L\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x16t\\x02\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 6684
          },
          {
            "timestamp": "2026-05-28 22:01:57,850",
            "thread_id": "5448",
            "caller": "0x7ff6c28c488d",
            "parentcaller": "0x7ff6c28c375e",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000006a8"
              }
            ],
            "repeated": 0,
            "id": 6685
          },
          {
            "timestamp": "2026-05-28 22:01:57,850",
            "thread_id": "5448",
            "caller": "0x7ff6c28c3779",
            "parentcaller": "0x7ff6c28c31c6",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000006ac"
              }
            ],
            "repeated": 0,
            "id": 6686
          },
          {
            "timestamp": "2026-05-28 22:01:57,850",
            "thread_id": "5448",
            "caller": "0x7ff6c28c05ac",
            "parentcaller": "0x7ff6c28bdc11",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000006ac"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001400",
                "pretty_value": "PROCESS_QUERY_INFORMATION|PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "2344"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\System32\\sihost.exe"
              }
            ],
            "repeated": 0,
            "id": 6687
          },
          {
            "timestamp": "2026-05-28 22:01:57,850",
            "thread_id": "5448",
            "caller": "0x7ff6c28c068f",
            "parentcaller": "0x7ff6c28bdc11",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000006ac"
              }
            ],
            "repeated": 0,
            "id": 6688
          },
          {
            "timestamp": "2026-05-28 22:01:57,850",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c3e56",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000006ac"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001000",
                "pretty_value": "PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "2344"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\System32\\sihost.exe"
              }
            ],
            "repeated": 0,
            "id": 6689
          },
          {
            "timestamp": "2026-05-28 22:01:57,850",
            "thread_id": "5448",
            "caller": "0x7ff6c28c3ebb",
            "parentcaller": "0x7ff6c28c2d53",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000006ac"
              }
            ],
            "repeated": 0,
            "id": 6690
          },
          {
            "timestamp": "2026-05-28 22:01:57,850",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c3ffc",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000006ac"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001000",
                "pretty_value": "PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "2344"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\System32\\sihost.exe"
              }
            ],
            "repeated": 0,
            "id": 6691
          },
          {
            "timestamp": "2026-05-28 22:01:57,850",
            "thread_id": "5448",
            "caller": "0x7ff6c28c4224",
            "parentcaller": "0x7ff6c28c2da5",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000006ac"
              }
            ],
            "repeated": 0,
            "id": 6692
          },
          {
            "timestamp": "2026-05-28 22:01:57,850",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29254640002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\System32\\sihost.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 6693
          },
          {
            "timestamp": "2026-05-28 22:01:57,850",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254640000"
              },
              {
                "name": "RegionSize",
                "value": "0x00021000"
              }
            ],
            "repeated": 0,
            "id": 6694
          },
          {
            "timestamp": "2026-05-28 22:01:57,850",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29254640002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\System32\\sihost.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 6695
          },
          {
            "timestamp": "2026-05-28 22:01:57,850",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254640000"
              },
              {
                "name": "RegionSize",
                "value": "0x00021000"
              }
            ],
            "repeated": 0,
            "id": 6696
          },
          {
            "timestamp": "2026-05-28 22:01:57,850",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c38f8",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000006ac"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001410",
                "pretty_value": "PROCESS_VM_READ|PROCESS_QUERY_INFORMATION|PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "2344"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\System32\\sihost.exe"
              }
            ],
            "repeated": 0,
            "id": 6697
          },
          {
            "timestamp": "2026-05-28 22:01:57,850",
            "thread_id": "5448",
            "caller": "0x7ff6c28c53e5",
            "parentcaller": "0x7ff6c28c3945",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000006ac"
              },
              {
                "name": "BaseAddress",
                "value": "0xd87af8d000"
              },
              {
                "name": "Size",
                "value": "0x000007c8"
              },
              {
                "name": "Buffer",
                "value": "\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00q\\xbc\\xf6\\x7f\\x00\\x00\\xc0\\xc4\\x13x\\xfc\\x7f\\x00\\x00\\xc0\\x1a\\xc8\\xc2\\xf4\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xc8\\xc2\\xf4\\x01\\x00\\x00\\xe0\\xc0\\x13x\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00p\\x003v\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb8\\xc2\\xf4\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00@\\xc4\\x13x\\xfc\\x7f\\x00\\x00\\xff\\xff\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xebs\\xf4}\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00P\\x07\\xebs\\xf4}\\x00\\x00\\x00\\x00\\xffu\\xf5}\\x00\\x00(\\x02\\x00v\\xf5}\\x00\\x00P\\x06\\x01v\\xf5}\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x80\\x9b\\x07m\\xe8\\xff\\xff\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x00 \\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x10\\x00\\x00\\x00@\\xad\\x13x\\xfc\\x7f\\x00\\x00\\x00\\x00\\x0f\\xc3\\xf4\\x01\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 6698
          },
          {
            "timestamp": "2026-05-28 22:01:57,850",
            "thread_id": "5448",
            "caller": "0x7ff6c28c5414",
            "parentcaller": "0x7ff6c28c3945",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000006ac"
              },
              {
                "name": "BaseAddress",
                "value": "0x1f4c2c81ac0"
              },
              {
                "name": "Size",
                "value": "0x00000440"
              },
              {
                "name": "Buffer",
                "value": "\\xde\\x06\\x00\\x00\\xde\\x06\\x00\\x00\\x01@\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00(\\x00\\x08\\x02\\x00\\x00\\x00\\x00\\x00&\\xc8\\xc2\\xf4\\x01\\x00\\x00@\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00<\\x00>\\x00\\x00\\x00\\x00\\x00\\x08!\\xc8\\xc2\\xf4\\x01\\x00\\x00\\x14\\x00\\x16\\x00\\x00\\x00\\x00\\x00F!\\xc8\\xc2\\xf4\\x01\\x00\\x00\\xe0\\x0f\\xc8\\xc2\\xf4\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00<\\x00>\\x00\\x00\\x00\\x00\\x00\\!\\xc8\\xc2\\xf4\\x01\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x9a!\\xc8\\xc2\\xf4\\x01\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x9c!\\xc8\\xc2\\xf4\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 6699
          },
          {
            "timestamp": "2026-05-28 22:01:57,850",
            "thread_id": "5448",
            "caller": "0x7ff6c28c545d",
            "parentcaller": "0x7ff6c28c3945",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000006ac"
              },
              {
                "name": "BaseAddress",
                "value": "0x1f4c2c82146"
              },
              {
                "name": "Size",
                "value": "0x00000014"
              },
              {
                "name": "Buffer",
                "value": "s\\x00i\\x00h\\x00o\\x00s\\x00t\\x00.\\x00e\\x00x\\x00e\\x00"
              }
            ],
            "repeated": 0,
            "id": 6700
          },
          {
            "timestamp": "2026-05-28 22:01:57,850",
            "thread_id": "5448",
            "caller": "0x7ff6c28c39ad",
            "parentcaller": "0x7ff6c28c31bb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000006ac"
              }
            ],
            "repeated": 0,
            "id": 6701
          },
          {
            "timestamp": "2026-05-28 22:01:57,850",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c3746",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000006ac"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001000",
                "pretty_value": "PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "2344"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\System32\\sihost.exe"
              }
            ],
            "repeated": 0,
            "id": 6702
          },
          {
            "timestamp": "2026-05-28 22:01:57,850",
            "thread_id": "5448",
            "caller": "0x7ff6c28c472e",
            "parentcaller": "0x7ff6c28c375e",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000006ac"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x000006a8"
              }
            ],
            "repeated": 0,
            "id": 6703
          },
          {
            "timestamp": "2026-05-28 22:01:57,850",
            "thread_id": "5448",
            "caller": "0x7ff6c28c4764",
            "parentcaller": "0x7ff6c28c375e",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "39"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 6704
          },
          {
            "timestamp": "2026-05-28 22:01:57,850",
            "thread_id": "5448",
            "caller": "0x7ff6c28c47ed",
            "parentcaller": "0x7ff6c28c375e",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "39"
              },
              {
                "name": "TokenInformation",
                "value": "\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x000r T\\x92\\x02\\x00\\x00 \\x00 \\x00\\x00\\x00\\x00\\x00Xr T\\x92\\x02\\x00\\x00\\x02\\x00\\x00\\x00A\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00xr T\\x92\\x02\\x00\\x00T\\x00S\\x00A\\x00:\\x00/\\x00/\\x00P\\x00r\\x00o\\x00c\\x00U\\x00n\\x00i\\x00q\\x00u\\x00e\\x00S\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xac\\xcf\\x02\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 6705
          },
          {
            "timestamp": "2026-05-28 22:01:57,850",
            "thread_id": "5448",
            "caller": "0x7ff6c28c488d",
            "parentcaller": "0x7ff6c28c375e",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000006a8"
              }
            ],
            "repeated": 0,
            "id": 6706
          },
          {
            "timestamp": "2026-05-28 22:01:57,850",
            "thread_id": "5448",
            "caller": "0x7ff6c28c3779",
            "parentcaller": "0x7ff6c28c31c6",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000006ac"
              }
            ],
            "repeated": 0,
            "id": 6707
          },
          {
            "timestamp": "2026-05-28 22:01:57,850",
            "thread_id": "5448",
            "caller": "0x7ff6c28c05ac",
            "parentcaller": "0x7ff6c28bdc11",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000006ac"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001400",
                "pretty_value": "PROCESS_QUERY_INFORMATION|PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "2464"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\System32\\svchost.exe"
              }
            ],
            "repeated": 0,
            "id": 6708
          },
          {
            "timestamp": "2026-05-28 22:01:57,850",
            "thread_id": "5448",
            "caller": "0x7ff6c28c068f",
            "parentcaller": "0x7ff6c28bdc11",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000006ac"
              }
            ],
            "repeated": 0,
            "id": 6709
          },
          {
            "timestamp": "2026-05-28 22:01:57,850",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c3e56",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000006ac"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001000",
                "pretty_value": "PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "2464"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\System32\\svchost.exe"
              }
            ],
            "repeated": 0,
            "id": 6710
          },
          {
            "timestamp": "2026-05-28 22:01:57,850",
            "thread_id": "5448",
            "caller": "0x7ff6c28c3ebb",
            "parentcaller": "0x7ff6c28c2d53",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000006ac"
              }
            ],
            "repeated": 0,
            "id": 6711
          },
          {
            "timestamp": "2026-05-28 22:01:57,850",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c3ffc",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000006ac"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001000",
                "pretty_value": "PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "2464"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\System32\\svchost.exe"
              }
            ],
            "repeated": 0,
            "id": 6712
          },
          {
            "timestamp": "2026-05-28 22:01:57,850",
            "thread_id": "5448",
            "caller": "0x7ff6c28c4224",
            "parentcaller": "0x7ff6c28c2da5",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000006ac"
              }
            ],
            "repeated": 0,
            "id": 6713
          },
          {
            "timestamp": "2026-05-28 22:01:57,850",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29254640002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\System32\\svchost.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 6714
          },
          {
            "timestamp": "2026-05-28 22:01:57,850",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "registry",
            "api": "NtOpenKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\en-US"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\en-US"
              }
            ],
            "repeated": 0,
            "id": 6715
          },
          {
            "timestamp": "2026-05-28 22:01:57,850",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000006ac"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100001",
                "pretty_value": "FILE_READ_ACCESS|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\en-US\\svchost.exe.mui"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 6716
          },
          {
            "timestamp": "2026-05-28 22:01:57,850",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x000006a8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x000006ac"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\en-US\\svchost.exe.mui"
              }
            ],
            "repeated": 0,
            "id": 6717
          },
          {
            "timestamp": "2026-05-28 22:01:57,850",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x000006a8"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254650000"
              },
              {
                "name": "SectionOffset",
                "value": "0xf09ddfcf90"
              },
              {
                "name": "ViewSize",
                "value": "0x00001000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 6718
          },
          {
            "timestamp": "2026-05-28 22:01:57,850",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000006a8"
              }
            ],
            "repeated": 0,
            "id": 6719
          },
          {
            "timestamp": "2026-05-28 22:01:57,865",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254650000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              }
            ],
            "repeated": 0,
            "id": 6720
          },
          {
            "timestamp": "2026-05-28 22:01:57,865",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000006ac"
              }
            ],
            "repeated": 0,
            "id": 6721
          },
          {
            "timestamp": "2026-05-28 22:01:57,865",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254640000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              }
            ],
            "repeated": 0,
            "id": 6722
          },
          {
            "timestamp": "2026-05-28 22:01:57,865",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29254640002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\System32\\svchost.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 6723
          },
          {
            "timestamp": "2026-05-28 22:01:57,865",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "registry",
            "api": "NtOpenKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\en-US"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\en-US"
              }
            ],
            "repeated": 0,
            "id": 6724
          },
          {
            "timestamp": "2026-05-28 22:01:57,865",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000006ac"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100001",
                "pretty_value": "FILE_READ_ACCESS|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\en-US\\svchost.exe.mui"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 6725
          },
          {
            "timestamp": "2026-05-28 22:01:57,865",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x000006a8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x000006ac"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\en-US\\svchost.exe.mui"
              }
            ],
            "repeated": 0,
            "id": 6726
          },
          {
            "timestamp": "2026-05-28 22:01:57,865",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x000006a8"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254650000"
              },
              {
                "name": "SectionOffset",
                "value": "0xf09ddfcf80"
              },
              {
                "name": "ViewSize",
                "value": "0x00001000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 6727
          },
          {
            "timestamp": "2026-05-28 22:01:57,865",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000006a8"
              }
            ],
            "repeated": 0,
            "id": 6728
          },
          {
            "timestamp": "2026-05-28 22:01:57,865",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254650000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              }
            ],
            "repeated": 0,
            "id": 6729
          },
          {
            "timestamp": "2026-05-28 22:01:57,865",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000006ac"
              }
            ],
            "repeated": 0,
            "id": 6730
          },
          {
            "timestamp": "2026-05-28 22:01:57,865",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254640000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              }
            ],
            "repeated": 0,
            "id": 6731
          },
          {
            "timestamp": "2026-05-28 22:01:57,865",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c38f8",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000006ac"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001410",
                "pretty_value": "PROCESS_VM_READ|PROCESS_QUERY_INFORMATION|PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "2464"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\System32\\svchost.exe"
              }
            ],
            "repeated": 0,
            "id": 6732
          },
          {
            "timestamp": "2026-05-28 22:01:57,865",
            "thread_id": "5448",
            "caller": "0x7ff6c28c53e5",
            "parentcaller": "0x7ff6c28c3945",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000006ac"
              },
              {
                "name": "BaseAddress",
                "value": "0xb7703fc000"
              },
              {
                "name": "Size",
                "value": "0x000007c8"
              },
              {
                "name": "Buffer",
                "value": "\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x006\\x80\\xf7\\x7f\\x00\\x00\\xc0\\xc4\\x13x\\xfc\\x7f\\x00\\x00\\xd02 ,\\xbe\\x01\\x00\\x00\\xd0\\xb1\\x0fp\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00,\\xbe\\x01\\x00\\x00\\xe0\\xc0\\x13x\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00p\\x003v\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xfb+\\xbe\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00@\\xc4\\x13x\\xfc\\x7f\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\x01\\x00\\x00\\x00\\x0b\\xa6\\xf4}\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00P\\x07\\x0b\\xa6\\xf4}\\x00\\x00\\x00\\x00\\x1f\\xa8\\xf5}\\x00\\x00(\\x02 \\xa8\\xf5}\\x00\\x00P\\x06!\\xa8\\xf5}\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x80\\x9b\\x07m\\xe8\\xff\\xff\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x00 \\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\x05\\x00\\x00\\x00\\x10\\x00\\x00\\x00@\\xad\\x13x\\xfc\\x7f\\x00\\x00\\x00\\x00`,\\xbe\\x01\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 6733
          },
          {
            "timestamp": "2026-05-28 22:01:57,865",
            "thread_id": "5448",
            "caller": "0x7ff6c28c5414",
            "parentcaller": "0x7ff6c28c3945",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000006ac"
              },
              {
                "name": "BaseAddress",
                "value": "0x1be2c2032d0"
              },
              {
                "name": "Size",
                "value": "0x00000440"
              },
              {
                "name": "Buffer",
                "value": "X\\x07\\x00\\x00X\\x07\\x00\\x00\\x01 \\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00(\\x00\\x08\\x02\\x00\\x00\\x00\\x00\\xa0> ,\\xbe\\x01\\x00\\x00H\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00>\\x00@\\x00\\x00\\x00\\x00\\x00\\x189 ,\\xbe\\x01\\x00\\x00\\x8a\\x00\\x8c\\x00\\x00\\x00\\x00\\x00X9 ,\\xbe\\x01\\x00\\x00\\xf0' ,\\xbe\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x80\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00>\\x00@\\x00\\x00\\x00\\x00\\x00\\xe49 ,\\xbe\\x01\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00$: ,\\xbe\\x01\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00&: ,\\xbe\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 6734
          },
          {
            "timestamp": "2026-05-28 22:01:57,865",
            "thread_id": "5448",
            "caller": "0x7ff6c28c545d",
            "parentcaller": "0x7ff6c28c3945",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000006ac"
              },
              {
                "name": "BaseAddress",
                "value": "0x1be2c203958"
              },
              {
                "name": "Size",
                "value": "0x0000008a"
              },
              {
                "name": "Buffer",
                "value": "C\\x00:\\x00\\\\x00W\\x00i\\x00n\\x00d\\x00o\\x00w\\x00s\\x00\\\\x00s\\x00y\\x00s\\x00t\\x00e\\x00m\\x003\\x002\\x00\\\\x00s\\x00v\\x00c\\x00h\\x00o\\x00s\\x00t\\x00.\\x00e\\x00x\\x00e\\x00 \\x00-\\x00k\\x00 \\x00U\\x00n\\x00i\\x00s\\x00t\\x00a\\x00c\\x00k\\x00S\\x00v\\x00c\\x00G\\x00r\\x00o\\x00u\\x00p\\x00 \\x00-\\x00s\\x00 \\x00W\\x00p\\x00n\\x00U\\x00s\\x00e\\x00r\\x00S\\x00e\\x00r\\x00v\\x00i\\x00c\\x00e\\x00"
              }
            ],
            "repeated": 0,
            "id": 6735
          },
          {
            "timestamp": "2026-05-28 22:01:57,865",
            "thread_id": "5448",
            "caller": "0x7ff6c28c39ad",
            "parentcaller": "0x7ff6c28c31bb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000006ac"
              }
            ],
            "repeated": 0,
            "id": 6736
          },
          {
            "timestamp": "2026-05-28 22:01:57,865",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c3746",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000006ac"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001000",
                "pretty_value": "PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "2464"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\System32\\svchost.exe"
              }
            ],
            "repeated": 0,
            "id": 6737
          },
          {
            "timestamp": "2026-05-28 22:01:57,865",
            "thread_id": "5448",
            "caller": "0x7ff6c28c472e",
            "parentcaller": "0x7ff6c28c375e",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000006ac"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x000006a8"
              }
            ],
            "repeated": 0,
            "id": 6738
          },
          {
            "timestamp": "2026-05-28 22:01:57,865",
            "thread_id": "5448",
            "caller": "0x7ff6c28c4764",
            "parentcaller": "0x7ff6c28c375e",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "39"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 6739
          },
          {
            "timestamp": "2026-05-28 22:01:57,865",
            "thread_id": "5448",
            "caller": "0x7ff6c28c47a3",
            "parentcaller": "0x7ff6c28c375e",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2925420d000"
              },
              {
                "name": "RegionSize",
                "value": "0x00009000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 6740
          },
          {
            "timestamp": "2026-05-28 22:01:57,865",
            "thread_id": "5448",
            "caller": "0x7ff6c28c47ed",
            "parentcaller": "0x7ff6c28c375e",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "39"
              },
              {
                "name": "TokenInformation",
                "value": "\\x01\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x90\\x17!T\\x92\\x02\\x00\\x00(\\x00(\\x00\\x00\\x00\\x00\\x00\\xe0\\x17!T\\x92\\x02\\x00\\x00\\x02\\x00\\x00\\x00@\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x08\\x18!T\\x92\\x02\\x00\\x00 \\x00 \\x00\\x00\\x00\\x00\\x00\\x10\\x18!T\\x92\\x02\\x00\\x00\\x02\\x00\\x00\\x00A\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x000\\x18!T\\x92\\x02\\x00\\x00W\\x00I\\x00N\\x00:\\x00/\\x00/\\x00S\\x00C\\x00M\\x00U\\x00s\\x00e\\x00r\\x00S\\x00e\\x00r\\x00v\\x00i\\x00c\\x00e\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00T\\x00S\\x00A\\x00:\\x00/\\x00/\\x00P\\x00r\\x00o\\x00c\\x00U\\x00n\\x00i\\x00q\\x00u\\x00e\\x00U\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb8\\xd4\\x02\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 6741
          },
          {
            "timestamp": "2026-05-28 22:01:57,865",
            "thread_id": "5448",
            "caller": "0x7ff6c28c488d",
            "parentcaller": "0x7ff6c28c375e",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000006a8"
              }
            ],
            "repeated": 0,
            "id": 6742
          },
          {
            "timestamp": "2026-05-28 22:01:57,865",
            "thread_id": "5448",
            "caller": "0x7ff6c28c3779",
            "parentcaller": "0x7ff6c28c31c6",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000006ac"
              }
            ],
            "repeated": 0,
            "id": 6743
          },
          {
            "timestamp": "2026-05-28 22:01:57,865",
            "thread_id": "5448",
            "caller": "0x7ff6c28c05ac",
            "parentcaller": "0x7ff6c28bdc11",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000006ac"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001400",
                "pretty_value": "PROCESS_QUERY_INFORMATION|PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "3752"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\System32\\taskhostw.exe"
              }
            ],
            "repeated": 0,
            "id": 6744
          },
          {
            "timestamp": "2026-05-28 22:01:57,865",
            "thread_id": "5448",
            "caller": "0x7ff6c28c068f",
            "parentcaller": "0x7ff6c28bdc11",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000006ac"
              }
            ],
            "repeated": 0,
            "id": 6745
          },
          {
            "timestamp": "2026-05-28 22:01:57,865",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c3e56",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000006ac"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001000",
                "pretty_value": "PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "3752"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\System32\\taskhostw.exe"
              }
            ],
            "repeated": 0,
            "id": 6746
          },
          {
            "timestamp": "2026-05-28 22:01:57,865",
            "thread_id": "5448",
            "caller": "0x7ff6c28c3ebb",
            "parentcaller": "0x7ff6c28c2d53",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000006ac"
              }
            ],
            "repeated": 0,
            "id": 6747
          },
          {
            "timestamp": "2026-05-28 22:01:57,865",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c3ffc",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000006ac"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001000",
                "pretty_value": "PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "3752"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\System32\\taskhostw.exe"
              }
            ],
            "repeated": 0,
            "id": 6748
          },
          {
            "timestamp": "2026-05-28 22:01:57,865",
            "thread_id": "5448",
            "caller": "0x7ff6c28c4224",
            "parentcaller": "0x7ff6c28c2da5",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000006ac"
              }
            ],
            "repeated": 0,
            "id": 6749
          },
          {
            "timestamp": "2026-05-28 22:01:57,865",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29254640002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\System32\\taskhostw.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 6750
          },
          {
            "timestamp": "2026-05-28 22:01:57,865",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "registry",
            "api": "NtOpenKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\en-US"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\en-US"
              }
            ],
            "repeated": 0,
            "id": 6751
          },
          {
            "timestamp": "2026-05-28 22:01:57,865",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000006ac"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100001",
                "pretty_value": "FILE_READ_ACCESS|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\en-US\\taskhostw.exe.mui"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 6752
          },
          {
            "timestamp": "2026-05-28 22:01:57,865",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x000006a8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x000006ac"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\en-US\\taskhostw.exe.mui"
              }
            ],
            "repeated": 0,
            "id": 6753
          },
          {
            "timestamp": "2026-05-28 22:01:57,865",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x000006a8"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254660000"
              },
              {
                "name": "SectionOffset",
                "value": "0xf09ddfcf90"
              },
              {
                "name": "ViewSize",
                "value": "0x00001000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 6754
          },
          {
            "timestamp": "2026-05-28 22:01:57,865",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000006a8"
              }
            ],
            "repeated": 0,
            "id": 6755
          },
          {
            "timestamp": "2026-05-28 22:01:57,865",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254660000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              }
            ],
            "repeated": 0,
            "id": 6756
          },
          {
            "timestamp": "2026-05-28 22:01:57,865",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000006ac"
              }
            ],
            "repeated": 0,
            "id": 6757
          },
          {
            "timestamp": "2026-05-28 22:01:57,865",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254640000"
              },
              {
                "name": "RegionSize",
                "value": "0x0001a000"
              }
            ],
            "repeated": 0,
            "id": 6758
          },
          {
            "timestamp": "2026-05-28 22:01:57,865",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29254640002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\System32\\taskhostw.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 6759
          },
          {
            "timestamp": "2026-05-28 22:01:57,865",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "registry",
            "api": "NtOpenKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\en-US"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\en-US"
              }
            ],
            "repeated": 0,
            "id": 6760
          },
          {
            "timestamp": "2026-05-28 22:01:57,865",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000006ac"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100001",
                "pretty_value": "FILE_READ_ACCESS|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\en-US\\taskhostw.exe.mui"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 6761
          },
          {
            "timestamp": "2026-05-28 22:01:57,865",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x000006a8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x000006ac"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\en-US\\taskhostw.exe.mui"
              }
            ],
            "repeated": 0,
            "id": 6762
          },
          {
            "timestamp": "2026-05-28 22:01:57,865",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x000006a8"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254660000"
              },
              {
                "name": "SectionOffset",
                "value": "0xf09ddfcf80"
              },
              {
                "name": "ViewSize",
                "value": "0x00001000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 6763
          },
          {
            "timestamp": "2026-05-28 22:01:57,865",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000006a8"
              }
            ],
            "repeated": 0,
            "id": 6764
          },
          {
            "timestamp": "2026-05-28 22:01:57,865",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254660000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              }
            ],
            "repeated": 0,
            "id": 6765
          },
          {
            "timestamp": "2026-05-28 22:01:57,865",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000006ac"
              }
            ],
            "repeated": 0,
            "id": 6766
          },
          {
            "timestamp": "2026-05-28 22:01:57,865",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254640000"
              },
              {
                "name": "RegionSize",
                "value": "0x0001a000"
              }
            ],
            "repeated": 0,
            "id": 6767
          },
          {
            "timestamp": "2026-05-28 22:01:57,865",
            "thread_id": "5448",
            "caller": "0x7ff6c28c3b16",
            "parentcaller": "0x7ff6c28c30e8",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000006ac"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000400",
                "pretty_value": "PROCESS_QUERY_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "3752"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\System32\\taskhostw.exe"
              }
            ],
            "repeated": 0,
            "id": 6768
          },
          {
            "timestamp": "2026-05-28 22:01:57,865",
            "thread_id": "5448",
            "caller": "0x7ff6c28c3b8f",
            "parentcaller": "0x7ff6c28c30e8",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000006ac"
              }
            ],
            "repeated": 0,
            "id": 6769
          },
          {
            "timestamp": "2026-05-28 22:01:57,865",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c38f8",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000006ac"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001410",
                "pretty_value": "PROCESS_VM_READ|PROCESS_QUERY_INFORMATION|PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "3752"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\System32\\taskhostw.exe"
              }
            ],
            "repeated": 0,
            "id": 6770
          },
          {
            "timestamp": "2026-05-28 22:01:57,865",
            "thread_id": "5448",
            "caller": "0x7ff6c28c53e5",
            "parentcaller": "0x7ff6c28c3945",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000006ac"
              },
              {
                "name": "BaseAddress",
                "value": "0xa2e0770000"
              },
              {
                "name": "Size",
                "value": "0x000007c8"
              },
              {
                "name": "Buffer",
                "value": "\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00M{\\xf7\\x7f\\x00\\x00\\xc0\\xc4\\x13x\\xfc\\x7f\\x00\\x00\\xc0\\x1a\\x1f\\x8ef\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x1f\\x8ef\\x02\\x00\\x00\\xe0\\xc0\\x13x\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00p\\x003v\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x0b\\x8ef\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00@\\xc4\\x13x\\xfc\\x7f\\x00\\x00\\xff\\xff\\xff\\x03\\x00\\x00\\x00\\x00\\x00\\x00d\\xfa\\xf4}\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00P\\x07d\\xfa\\xf4}\\x00\\x00\\x00\\x00x\\xfc\\xf5}\\x00\\x00(\\x02y\\xfc\\xf5}\\x00\\x00P\\x06z\\xfc\\xf5}\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x80\\x9b\\x07m\\xe8\\xff\\xff\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x00 \\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x10\\x00\\x00\\x00@\\xad\\x13x\\xfc\\x7f\\x00\\x00\\x00\\x00c\\x8ef\\x02\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 6771
          },
          {
            "timestamp": "2026-05-28 22:01:57,865",
            "thread_id": "5448",
            "caller": "0x7ff6c28c5414",
            "parentcaller": "0x7ff6c28c3945",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000006ac"
              },
              {
                "name": "BaseAddress",
                "value": "0x2668e1f1ac0"
              },
              {
                "name": "Size",
                "value": "0x00000440"
              },
              {
                "name": "Buffer",
                "value": "\\\\x07\\x00\\x00\\\\x07\\x00\\x00\\x01`\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00(\\x00\\x08\\x02\\x00\\x00\\x00\\x00\\x80&\\x1f\\x8ef\\x02\\x00\\x00@\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00B\\x00D\\x00\\x00\\x00\\x00\\x00\\x08!\\x1f\\x8ef\\x02\\x00\\x00h\\x00j\\x00\\x00\\x00\\x00\\x00L!\\x1f\\x8ef\\x02\\x00\\x00\\x00\\x1e#\\x8ef\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x80\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00B\\x00D\\x00\\x00\\x00\\x00\\x00\\xb6!\\x1f\\x8ef\\x02\\x00\\x00\\x1e\\x00 \\x00\\x00\\x00\\x00\\x00\\xfa!\\x1f\\x8ef\\x02\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x1a\"\\x1f\\x8ef\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 6772
          },
          {
            "timestamp": "2026-05-28 22:01:57,865",
            "thread_id": "5448",
            "caller": "0x7ff6c28c545d",
            "parentcaller": "0x7ff6c28c3945",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000006ac"
              },
              {
                "name": "BaseAddress",
                "value": "0x2668e1f214c"
              },
              {
                "name": "Size",
                "value": "0x00000068"
              },
              {
                "name": "Buffer",
                "value": "t\\x00a\\x00s\\x00k\\x00h\\x00o\\x00s\\x00t\\x00w\\x00.\\x00e\\x00x\\x00e\\x00 \\x00{\\x002\\x002\\x002\\x00A\\x002\\x004\\x005\\x00B\\x00-\\x00E\\x006\\x003\\x007\\x00-\\x004\\x00A\\x00E\\x009\\x00-\\x00A\\x009\\x003\\x00F\\x00-\\x00A\\x005\\x009\\x00C\\x00A\\x001\\x001\\x009\\x00A\\x007\\x005\\x00E\\x00}\\x00"
              }
            ],
            "repeated": 0,
            "id": 6773
          },
          {
            "timestamp": "2026-05-28 22:01:57,865",
            "thread_id": "5448",
            "caller": "0x7ff6c28c39ad",
            "parentcaller": "0x7ff6c28c31bb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000006ac"
              }
            ],
            "repeated": 0,
            "id": 6774
          },
          {
            "timestamp": "2026-05-28 22:01:57,865",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c3746",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000006ac"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001000",
                "pretty_value": "PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "3752"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\System32\\taskhostw.exe"
              }
            ],
            "repeated": 0,
            "id": 6775
          },
          {
            "timestamp": "2026-05-28 22:01:57,865",
            "thread_id": "5448",
            "caller": "0x7ff6c28c472e",
            "parentcaller": "0x7ff6c28c375e",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000006ac"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x000006a8"
              }
            ],
            "repeated": 0,
            "id": 6776
          },
          {
            "timestamp": "2026-05-28 22:01:57,865",
            "thread_id": "5448",
            "caller": "0x7ff6c28c4764",
            "parentcaller": "0x7ff6c28c375e",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "39"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 6777
          },
          {
            "timestamp": "2026-05-28 22:01:57,865",
            "thread_id": "5448",
            "caller": "0x7ff6c28c47ed",
            "parentcaller": "0x7ff6c28c375e",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "39"
              },
              {
                "name": "TokenInformation",
                "value": "\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x000r T\\x92\\x02\\x00\\x00 \\x00 \\x00\\x00\\x00\\x00\\x00Xr T\\x92\\x02\\x00\\x00\\x02\\x00\\x00\\x00A\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00xr T\\x92\\x02\\x00\\x00T\\x00S\\x00A\\x00:\\x00/\\x00/\\x00P\\x00r\\x00o\\x00c\\x00U\\x00n\\x00i\\x00q\\x00u\\x00e\\x00Z\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x04\\xdf\\x02\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 6778
          },
          {
            "timestamp": "2026-05-28 22:01:57,865",
            "thread_id": "5448",
            "caller": "0x7ff6c28c488d",
            "parentcaller": "0x7ff6c28c375e",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000006a8"
              }
            ],
            "repeated": 0,
            "id": 6779
          },
          {
            "timestamp": "2026-05-28 22:01:57,865",
            "thread_id": "5448",
            "caller": "0x7ff6c28c3779",
            "parentcaller": "0x7ff6c28c31c6",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000006ac"
              }
            ],
            "repeated": 0,
            "id": 6780
          },
          {
            "timestamp": "2026-05-28 22:01:57,865",
            "thread_id": "5448",
            "caller": "0x7ff6c28c05ac",
            "parentcaller": "0x7ff6c28bdc11",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000006ac"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001400",
                "pretty_value": "PROCESS_QUERY_INFORMATION|PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "392"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\System32\\svchost.exe"
              }
            ],
            "repeated": 0,
            "id": 6781
          },
          {
            "timestamp": "2026-05-28 22:01:57,865",
            "thread_id": "5448",
            "caller": "0x7ff6c28c068f",
            "parentcaller": "0x7ff6c28bdc11",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000006ac"
              }
            ],
            "repeated": 0,
            "id": 6782
          },
          {
            "timestamp": "2026-05-28 22:01:57,865",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c3e56",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000006ac"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001000",
                "pretty_value": "PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "392"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\System32\\svchost.exe"
              }
            ],
            "repeated": 0,
            "id": 6783
          },
          {
            "timestamp": "2026-05-28 22:01:57,865",
            "thread_id": "5448",
            "caller": "0x7ff6c28c3ebb",
            "parentcaller": "0x7ff6c28c2d53",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000006ac"
              }
            ],
            "repeated": 0,
            "id": 6784
          },
          {
            "timestamp": "2026-05-28 22:01:57,865",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c3ffc",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000006ac"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001000",
                "pretty_value": "PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "392"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\System32\\svchost.exe"
              }
            ],
            "repeated": 0,
            "id": 6785
          },
          {
            "timestamp": "2026-05-28 22:01:57,865",
            "thread_id": "5448",
            "caller": "0x7ff6c28c4224",
            "parentcaller": "0x7ff6c28c2da5",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000006ac"
              }
            ],
            "repeated": 0,
            "id": 6786
          },
          {
            "timestamp": "2026-05-28 22:01:57,865",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29254640002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\System32\\svchost.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 6787
          },
          {
            "timestamp": "2026-05-28 22:01:57,865",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "registry",
            "api": "NtOpenKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\en-US"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\en-US"
              }
            ],
            "repeated": 0,
            "id": 6788
          },
          {
            "timestamp": "2026-05-28 22:01:57,865",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000006ac"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100001",
                "pretty_value": "FILE_READ_ACCESS|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\en-US\\svchost.exe.mui"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 6789
          },
          {
            "timestamp": "2026-05-28 22:01:57,865",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x000006a8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x000006ac"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\en-US\\svchost.exe.mui"
              }
            ],
            "repeated": 0,
            "id": 6790
          },
          {
            "timestamp": "2026-05-28 22:01:57,865",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x000006a8"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254650000"
              },
              {
                "name": "SectionOffset",
                "value": "0xf09ddfcf90"
              },
              {
                "name": "ViewSize",
                "value": "0x00001000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 6791
          },
          {
            "timestamp": "2026-05-28 22:01:57,865",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000006a8"
              }
            ],
            "repeated": 0,
            "id": 6792
          },
          {
            "timestamp": "2026-05-28 22:01:57,865",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254650000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              }
            ],
            "repeated": 0,
            "id": 6793
          },
          {
            "timestamp": "2026-05-28 22:01:57,865",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000006ac"
              }
            ],
            "repeated": 0,
            "id": 6794
          },
          {
            "timestamp": "2026-05-28 22:01:57,865",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254640000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              }
            ],
            "repeated": 0,
            "id": 6795
          },
          {
            "timestamp": "2026-05-28 22:01:57,865",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29254640002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\System32\\svchost.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 6796
          },
          {
            "timestamp": "2026-05-28 22:01:57,865",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "registry",
            "api": "NtOpenKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\en-US"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\en-US"
              }
            ],
            "repeated": 0,
            "id": 6797
          },
          {
            "timestamp": "2026-05-28 22:01:57,865",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000006ac"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100001",
                "pretty_value": "FILE_READ_ACCESS|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\en-US\\svchost.exe.mui"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 6798
          },
          {
            "timestamp": "2026-05-28 22:01:57,865",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x000006a8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x000006ac"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\en-US\\svchost.exe.mui"
              }
            ],
            "repeated": 0,
            "id": 6799
          },
          {
            "timestamp": "2026-05-28 22:01:57,865",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x000006a8"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254650000"
              },
              {
                "name": "SectionOffset",
                "value": "0xf09ddfcf80"
              },
              {
                "name": "ViewSize",
                "value": "0x00001000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 6800
          },
          {
            "timestamp": "2026-05-28 22:01:57,865",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000006a8"
              }
            ],
            "repeated": 0,
            "id": 6801
          },
          {
            "timestamp": "2026-05-28 22:01:57,865",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254650000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              }
            ],
            "repeated": 0,
            "id": 6802
          },
          {
            "timestamp": "2026-05-28 22:01:57,865",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000006ac"
              }
            ],
            "repeated": 0,
            "id": 6803
          },
          {
            "timestamp": "2026-05-28 22:01:57,865",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254640000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              }
            ],
            "repeated": 0,
            "id": 6804
          },
          {
            "timestamp": "2026-05-28 22:01:57,865",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c38f8",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000006ac"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001410",
                "pretty_value": "PROCESS_VM_READ|PROCESS_QUERY_INFORMATION|PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "392"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\System32\\svchost.exe"
              }
            ],
            "repeated": 0,
            "id": 6805
          },
          {
            "timestamp": "2026-05-28 22:01:57,865",
            "thread_id": "5448",
            "caller": "0x7ff6c28c53e5",
            "parentcaller": "0x7ff6c28c3945",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000006ac"
              },
              {
                "name": "BaseAddress",
                "value": "0xe97909000"
              },
              {
                "name": "Size",
                "value": "0x000007c8"
              },
              {
                "name": "Buffer",
                "value": "\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x006\\x80\\xf7\\x7f\\x00\\x00\\xc0\\xc4\\x13x\\xfc\\x7f\\x00\\x00p2 \\x89t\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x15\\x89t\\x01\\x00\\x00\\xe0\\xc0\\x13x\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00p\\x003v\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x89t\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00@\\xc4\\x13x\\xfc\\x7f\\x00\\x00\\xff\\xff\\x9f\\x07\\x00\\x00\\x00\\x00\\x00\\x00\\xc5\\xd5\\xf4}\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00P\\x07\\xc5\\xd5\\xf4}\\x00\\x00\\x00\\x00\\xd9\\xd7\\xf5}\\x00\\x00(\\x02\\xda\\xd7\\xf5}\\x00\\x00P\\x06\\xdb\\xd7\\xf5}\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x80\\x9b\\x07m\\xe8\\xff\\xff\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x00 \\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x10\\x00\\x00\\x00@\\xad\\x13x\\xfc\\x7f\\x00\\x00\\x00\\x00m\\x89t\\x01\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 6806
          },
          {
            "timestamp": "2026-05-28 22:01:57,865",
            "thread_id": "5448",
            "caller": "0x7ff6c28c5414",
            "parentcaller": "0x7ff6c28c3945",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000006ac"
              },
              {
                "name": "BaseAddress",
                "value": "0x17489203270"
              },
              {
                "name": "Size",
                "value": "0x00000440"
              },
              {
                "name": "Buffer",
                "value": "@\\x07\\x00\\x00@\\x07\\x00\\x00\\x01 \\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00(\\x00\\x08\\x02\\x00\\x00\\x00\\x00 > \\x89t\\x01\\x00\\x00H\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00>\\x00@\\x00\\x00\\x00\\x00\\x00\\xb88 \\x89t\\x01\\x00\\x00r\\x00t\\x00\\x00\\x00\\x00\\x00\\xf88 \\x89t\\x01\\x00\\x00\\xf0' \\x89t\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x80\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00>\\x00@\\x00\\x00\\x00\\x00\\x00l9 \\x89t\\x01\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\xac9 \\x89t\\x01\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\xae9 \\x89t\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 6807
          },
          {
            "timestamp": "2026-05-28 22:01:57,865",
            "thread_id": "5448",
            "caller": "0x7ff6c28c545d",
            "parentcaller": "0x7ff6c28c3945",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000006ac"
              },
              {
                "name": "BaseAddress",
                "value": "0x174892038f8"
              },
              {
                "name": "Size",
                "value": "0x00000072"
              },
              {
                "name": "Buffer",
                "value": "C\\x00:\\x00\\\\x00W\\x00i\\x00n\\x00d\\x00o\\x00w\\x00s\\x00\\\\x00s\\x00y\\x00s\\x00t\\x00e\\x00m\\x003\\x002\\x00\\\\x00s\\x00v\\x00c\\x00h\\x00o\\x00s\\x00t\\x00.\\x00e\\x00x\\x00e\\x00 \\x00-\\x00k\\x00 \\x00n\\x00e\\x00t\\x00s\\x00v\\x00c\\x00s\\x00 \\x00-\\x00p\\x00 \\x00-\\x00s\\x00 \\x00w\\x00u\\x00a\\x00u\\x00s\\x00e\\x00r\\x00v\\x00"
              }
            ],
            "repeated": 0,
            "id": 6808
          },
          {
            "timestamp": "2026-05-28 22:01:57,865",
            "thread_id": "5448",
            "caller": "0x7ff6c28c39ad",
            "parentcaller": "0x7ff6c28c31bb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000006ac"
              }
            ],
            "repeated": 0,
            "id": 6809
          },
          {
            "timestamp": "2026-05-28 22:01:57,865",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c3746",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000006ac"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001000",
                "pretty_value": "PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "392"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\System32\\svchost.exe"
              }
            ],
            "repeated": 0,
            "id": 6810
          },
          {
            "timestamp": "2026-05-28 22:01:57,865",
            "thread_id": "5448",
            "caller": "0x7ff6c28c472e",
            "parentcaller": "0x7ff6c28c375e",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000006ac"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x000006a8"
              }
            ],
            "repeated": 0,
            "id": 6811
          },
          {
            "timestamp": "2026-05-28 22:01:57,865",
            "thread_id": "5448",
            "caller": "0x7ff6c28c4764",
            "parentcaller": "0x7ff6c28c375e",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "39"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 6812
          },
          {
            "timestamp": "2026-05-28 22:01:57,865",
            "thread_id": "5448",
            "caller": "0x7ff6c28c47ed",
            "parentcaller": "0x7ff6c28c375e",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "39"
              },
              {
                "name": "TokenInformation",
                "value": "\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\xc0t T\\x92\\x02\\x00\\x00 \\x00 \\x00\\x00\\x00\\x00\\x00\\xe8t T\\x92\\x02\\x00\\x00\\x02\\x00\\x00\\x00A\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x08u T\\x92\\x02\\x00\\x00T\\x00S\\x00A\\x00:\\x00/\\x00/\\x00P\\x00r\\x00o\\x00c\\x00U\\x00n\\x00i\\x00q\\x00u\\x00e\\x00\\\\x00\\x00\\x00\\x00\\x00\\x00\\x00x\\xf1\\x02\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 6813
          },
          {
            "timestamp": "2026-05-28 22:01:57,865",
            "thread_id": "5448",
            "caller": "0x7ff6c28c488d",
            "parentcaller": "0x7ff6c28c375e",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000006a8"
              }
            ],
            "repeated": 0,
            "id": 6814
          },
          {
            "timestamp": "2026-05-28 22:01:57,865",
            "thread_id": "5448",
            "caller": "0x7ff6c28c3779",
            "parentcaller": "0x7ff6c28c31c6",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000006ac"
              }
            ],
            "repeated": 0,
            "id": 6815
          },
          {
            "timestamp": "2026-05-28 22:01:57,865",
            "thread_id": "5448",
            "caller": "0x7ff6c28c05ac",
            "parentcaller": "0x7ff6c28bdc11",
            "category": "process",
            "api": "NtOpenProcess",
            "status": false,
            "return": "0xffffffffc0000022",
            "pretty_return": "ACCESS_DENIED",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x2924e26cd50"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001400",
                "pretty_value": "PROCESS_QUERY_INFORMATION|PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "4276"
              }
            ],
            "repeated": 0,
            "id": 6816
          },
          {
            "timestamp": "2026-05-28 22:01:57,865",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c3e56",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000006ac"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001000",
                "pretty_value": "PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "4276"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\System32\\svchost.exe"
              }
            ],
            "repeated": 0,
            "id": 6817
          },
          {
            "timestamp": "2026-05-28 22:01:57,865",
            "thread_id": "5448",
            "caller": "0x7ff6c28c3ebb",
            "parentcaller": "0x7ff6c28c2d53",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000006ac"
              }
            ],
            "repeated": 0,
            "id": 6818
          },
          {
            "timestamp": "2026-05-28 22:01:57,865",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c3ffc",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000006ac"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001000",
                "pretty_value": "PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "4276"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\System32\\svchost.exe"
              }
            ],
            "repeated": 0,
            "id": 6819
          },
          {
            "timestamp": "2026-05-28 22:01:57,865",
            "thread_id": "5448",
            "caller": "0x7ff6c28c4224",
            "parentcaller": "0x7ff6c28c2da5",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000006ac"
              }
            ],
            "repeated": 0,
            "id": 6820
          },
          {
            "timestamp": "2026-05-28 22:01:57,865",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29254640002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\System32\\svchost.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 6821
          },
          {
            "timestamp": "2026-05-28 22:01:57,865",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "registry",
            "api": "NtOpenKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\en-US"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\en-US"
              }
            ],
            "repeated": 0,
            "id": 6822
          },
          {
            "timestamp": "2026-05-28 22:01:57,865",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000006ac"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100001",
                "pretty_value": "FILE_READ_ACCESS|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\en-US\\svchost.exe.mui"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 6823
          },
          {
            "timestamp": "2026-05-28 22:01:57,865",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x000006a8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x000006ac"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\en-US\\svchost.exe.mui"
              }
            ],
            "repeated": 0,
            "id": 6824
          },
          {
            "timestamp": "2026-05-28 22:01:57,865",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x000006a8"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254650000"
              },
              {
                "name": "SectionOffset",
                "value": "0xf09ddfcf90"
              },
              {
                "name": "ViewSize",
                "value": "0x00001000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 6825
          },
          {
            "timestamp": "2026-05-28 22:01:57,865",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000006a8"
              }
            ],
            "repeated": 0,
            "id": 6826
          },
          {
            "timestamp": "2026-05-28 22:01:57,865",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254650000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              }
            ],
            "repeated": 0,
            "id": 6827
          },
          {
            "timestamp": "2026-05-28 22:01:57,865",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000006ac"
              }
            ],
            "repeated": 0,
            "id": 6828
          },
          {
            "timestamp": "2026-05-28 22:01:57,865",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254640000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              }
            ],
            "repeated": 0,
            "id": 6829
          },
          {
            "timestamp": "2026-05-28 22:01:57,865",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29254640002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\System32\\svchost.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 6830
          },
          {
            "timestamp": "2026-05-28 22:01:57,865",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "registry",
            "api": "NtOpenKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\en-US"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\en-US"
              }
            ],
            "repeated": 0,
            "id": 6831
          },
          {
            "timestamp": "2026-05-28 22:01:57,865",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000006ac"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100001",
                "pretty_value": "FILE_READ_ACCESS|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\en-US\\svchost.exe.mui"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 6832
          },
          {
            "timestamp": "2026-05-28 22:01:57,865",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x000006a8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x000006ac"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\en-US\\svchost.exe.mui"
              }
            ],
            "repeated": 0,
            "id": 6833
          },
          {
            "timestamp": "2026-05-28 22:01:57,865",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x000006a8"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254650000"
              },
              {
                "name": "SectionOffset",
                "value": "0xf09ddfcf80"
              },
              {
                "name": "ViewSize",
                "value": "0x00001000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 6834
          },
          {
            "timestamp": "2026-05-28 22:01:57,865",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000006a8"
              }
            ],
            "repeated": 0,
            "id": 6835
          },
          {
            "timestamp": "2026-05-28 22:01:57,865",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254650000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              }
            ],
            "repeated": 0,
            "id": 6836
          },
          {
            "timestamp": "2026-05-28 22:01:57,865",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000006ac"
              }
            ],
            "repeated": 0,
            "id": 6837
          },
          {
            "timestamp": "2026-05-28 22:01:57,865",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254640000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              }
            ],
            "repeated": 0,
            "id": 6838
          },
          {
            "timestamp": "2026-05-28 22:01:57,865",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c38f8",
            "category": "process",
            "api": "NtOpenProcess",
            "status": false,
            "return": "0xffffffffc0000022",
            "pretty_return": "ACCESS_DENIED",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x7ffc756dad9e"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001410",
                "pretty_value": "PROCESS_VM_READ|PROCESS_QUERY_INFORMATION|PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "4276"
              }
            ],
            "repeated": 0,
            "id": 6839
          },
          {
            "timestamp": "2026-05-28 22:01:57,865",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c3746",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000006ac"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001000",
                "pretty_value": "PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "4276"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\System32\\svchost.exe"
              }
            ],
            "repeated": 0,
            "id": 6840
          },
          {
            "timestamp": "2026-05-28 22:01:57,865",
            "thread_id": "5448",
            "caller": "0x7ff6c28c472e",
            "parentcaller": "0x7ff6c28c375e",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000006ac"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x000006a8"
              }
            ],
            "repeated": 0,
            "id": 6841
          },
          {
            "timestamp": "2026-05-28 22:01:57,865",
            "thread_id": "5448",
            "caller": "0x7ff6c28c4764",
            "parentcaller": "0x7ff6c28c375e",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "39"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 6842
          },
          {
            "timestamp": "2026-05-28 22:01:57,865",
            "thread_id": "5448",
            "caller": "0x7ff6c28c47ed",
            "parentcaller": "0x7ff6c28c375e",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "39"
              },
              {
                "name": "TokenInformation",
                "value": "\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\xc0t T\\x92\\x02\\x00\\x00 \\x00 \\x00\\x00\\x00\\x00\\x00\\xe8t T\\x92\\x02\\x00\\x00\\x02\\x00\\x00\\x00A\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x08u T\\x92\\x02\\x00\\x00T\\x00S\\x00A\\x00:\\x00/\\x00/\\x00P\\x00r\\x00o\\x00c\\x00U\\x00n\\x00i\\x00q\\x00u\\x00e\\x00^\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xfe\t\\x03\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 6843
          },
          {
            "timestamp": "2026-05-28 22:01:57,865",
            "thread_id": "5448",
            "caller": "0x7ff6c28c488d",
            "parentcaller": "0x7ff6c28c375e",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000006a8"
              }
            ],
            "repeated": 0,
            "id": 6844
          },
          {
            "timestamp": "2026-05-28 22:01:57,865",
            "thread_id": "5448",
            "caller": "0x7ff6c28c3779",
            "parentcaller": "0x7ff6c28c31c6",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000006ac"
              }
            ],
            "repeated": 0,
            "id": 6845
          },
          {
            "timestamp": "2026-05-28 22:01:57,865",
            "thread_id": "5448",
            "caller": "0x7ff6c28c05ac",
            "parentcaller": "0x7ff6c28bdc11",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000006ac"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001400",
                "pretty_value": "PROCESS_QUERY_INFORMATION|PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "4484"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\System32\\svchost.exe"
              }
            ],
            "repeated": 0,
            "id": 6846
          },
          {
            "timestamp": "2026-05-28 22:01:57,865",
            "thread_id": "5448",
            "caller": "0x7ff6c28c068f",
            "parentcaller": "0x7ff6c28bdc11",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000006ac"
              }
            ],
            "repeated": 0,
            "id": 6847
          },
          {
            "timestamp": "2026-05-28 22:01:57,865",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c3e56",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000006ac"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001000",
                "pretty_value": "PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "4484"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\System32\\svchost.exe"
              }
            ],
            "repeated": 0,
            "id": 6848
          },
          {
            "timestamp": "2026-05-28 22:01:57,865",
            "thread_id": "5448",
            "caller": "0x7ff6c28c3ebb",
            "parentcaller": "0x7ff6c28c2d53",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000006ac"
              }
            ],
            "repeated": 0,
            "id": 6849
          },
          {
            "timestamp": "2026-05-28 22:01:57,865",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c3ffc",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000006ac"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001000",
                "pretty_value": "PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "4484"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\System32\\svchost.exe"
              }
            ],
            "repeated": 0,
            "id": 6850
          },
          {
            "timestamp": "2026-05-28 22:01:57,865",
            "thread_id": "5448",
            "caller": "0x7ff6c28c4224",
            "parentcaller": "0x7ff6c28c2da5",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000006ac"
              }
            ],
            "repeated": 0,
            "id": 6851
          },
          {
            "timestamp": "2026-05-28 22:01:57,865",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29254640002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\System32\\svchost.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 6852
          },
          {
            "timestamp": "2026-05-28 22:01:57,865",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "registry",
            "api": "NtOpenKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\en-US"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\en-US"
              }
            ],
            "repeated": 0,
            "id": 6853
          },
          {
            "timestamp": "2026-05-28 22:01:57,865",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000006ac"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100001",
                "pretty_value": "FILE_READ_ACCESS|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\en-US\\svchost.exe.mui"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 6854
          },
          {
            "timestamp": "2026-05-28 22:01:57,865",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x000006a8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x000006ac"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\en-US\\svchost.exe.mui"
              }
            ],
            "repeated": 0,
            "id": 6855
          },
          {
            "timestamp": "2026-05-28 22:01:57,865",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x000006a8"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254650000"
              },
              {
                "name": "SectionOffset",
                "value": "0xf09ddfcf90"
              },
              {
                "name": "ViewSize",
                "value": "0x00001000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 6856
          },
          {
            "timestamp": "2026-05-28 22:01:57,865",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000006a8"
              }
            ],
            "repeated": 0,
            "id": 6857
          },
          {
            "timestamp": "2026-05-28 22:01:57,865",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254650000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              }
            ],
            "repeated": 0,
            "id": 6858
          },
          {
            "timestamp": "2026-05-28 22:01:57,865",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000006ac"
              }
            ],
            "repeated": 0,
            "id": 6859
          },
          {
            "timestamp": "2026-05-28 22:01:57,865",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254640000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              }
            ],
            "repeated": 0,
            "id": 6860
          },
          {
            "timestamp": "2026-05-28 22:01:57,865",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29254640002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\System32\\svchost.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 6861
          },
          {
            "timestamp": "2026-05-28 22:01:57,865",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "registry",
            "api": "NtOpenKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\en-US"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\en-US"
              }
            ],
            "repeated": 0,
            "id": 6862
          },
          {
            "timestamp": "2026-05-28 22:01:57,865",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000006ac"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100001",
                "pretty_value": "FILE_READ_ACCESS|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\en-US\\svchost.exe.mui"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 6863
          },
          {
            "timestamp": "2026-05-28 22:01:57,865",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x000006a8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x000006ac"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\en-US\\svchost.exe.mui"
              }
            ],
            "repeated": 0,
            "id": 6864
          },
          {
            "timestamp": "2026-05-28 22:01:57,865",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x000006a8"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254650000"
              },
              {
                "name": "SectionOffset",
                "value": "0xf09ddfcf80"
              },
              {
                "name": "ViewSize",
                "value": "0x00001000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 6865
          },
          {
            "timestamp": "2026-05-28 22:01:57,865",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000006a8"
              }
            ],
            "repeated": 0,
            "id": 6866
          },
          {
            "timestamp": "2026-05-28 22:01:57,865",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254650000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              }
            ],
            "repeated": 0,
            "id": 6867
          },
          {
            "timestamp": "2026-05-28 22:01:57,865",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000006ac"
              }
            ],
            "repeated": 0,
            "id": 6868
          },
          {
            "timestamp": "2026-05-28 22:01:57,865",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254640000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              }
            ],
            "repeated": 0,
            "id": 6869
          },
          {
            "timestamp": "2026-05-28 22:01:57,865",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c38f8",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000006ac"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001410",
                "pretty_value": "PROCESS_VM_READ|PROCESS_QUERY_INFORMATION|PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "4484"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\System32\\svchost.exe"
              }
            ],
            "repeated": 0,
            "id": 6870
          },
          {
            "timestamp": "2026-05-28 22:01:57,865",
            "thread_id": "5448",
            "caller": "0x7ff6c28c53e5",
            "parentcaller": "0x7ff6c28c3945",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000006ac"
              },
              {
                "name": "BaseAddress",
                "value": "0xe4fcb1f000"
              },
              {
                "name": "Size",
                "value": "0x000007c8"
              },
              {
                "name": "Buffer",
                "value": "\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x006\\x80\\xf7\\x7f\\x00\\x00\\xc0\\xc4\\x13x\\xfc\\x7f\\x00\\x00\\xf02\\x80U*\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00zU*\\x02\\x00\\x00\\xe0\\xc0\\x13x\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00p\\x003v\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00uU*\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00@\\xc4\\x13x\\xfc\\x7f\\x00\\x00\\xff\\xff\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xd8\\x13\\xf4}\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00P\\x07\\xd8\\x13\\xf4}\\x00\\x00\\x00\\x00\\xec\\x15\\xf5}\\x00\\x00(\\x02\\xed\\x15\\xf5}\\x00\\x00P\\x06\\xee\\x15\\xf5}\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x80\\x9b\\x07m\\xe8\\xff\\xff\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x00 \\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x10\\x00\\x00\\x00@\\xad\\x13x\\xfc\\x7f\\x00\\x00\\x00\\x00\\xcdU*\\x02\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 6871
          },
          {
            "timestamp": "2026-05-28 22:01:57,865",
            "thread_id": "5448",
            "caller": "0x7ff6c28c5414",
            "parentcaller": "0x7ff6c28c3945",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000006ac"
              },
              {
                "name": "BaseAddress",
                "value": "0x22a558032f0"
              },
              {
                "name": "Size",
                "value": "0x00000440"
              },
              {
                "name": "Buffer",
                "value": "F\\x07\\x00\\x00F\\x07\\x00\\x00\\x01 \\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00(\\x00\\x08\\x02\\x00\\x00\\x00\\x00\\xb0>\\x80U*\\x02\\x00\\x00H\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00>\\x00@\\x00\\x00\\x00\\x00\\x0089\\x80U*\\x02\\x00\\x00x\\x00z\\x00\\x00\\x00\\x00\\x00x9\\x80U*\\x02\\x00\\x00\\xf0'\\x80U*\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x80\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00>\\x00@\\x00\\x00\\x00\\x00\\x00\\xf29\\x80U*\\x02\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x002:\\x80U*\\x02\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x004:\\x80U*\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 6872
          },
          {
            "timestamp": "2026-05-28 22:01:57,865",
            "thread_id": "5448",
            "caller": "0x7ff6c28c545d",
            "parentcaller": "0x7ff6c28c3945",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000006ac"
              },
              {
                "name": "BaseAddress",
                "value": "0x22a55803978"
              },
              {
                "name": "Size",
                "value": "0x00000078"
              },
              {
                "name": "Buffer",
                "value": "C\\x00:\\x00\\\\x00W\\x00i\\x00n\\x00d\\x00o\\x00w\\x00s\\x00\\\\x00s\\x00y\\x00s\\x00t\\x00e\\x00m\\x003\\x002\\x00\\\\x00s\\x00v\\x00c\\x00h\\x00o\\x00s\\x00t\\x00.\\x00e\\x00x\\x00e\\x00 \\x00-\\x00k\\x00 \\x00L\\x00o\\x00c\\x00a\\x00l\\x00S\\x00e\\x00r\\x00v\\x00i\\x00c\\x00e\\x00 \\x00-\\x00p\\x00 \\x00-\\x00s\\x00 \\x00C\\x00D\\x00P\\x00S\\x00v\\x00c\\x00"
              }
            ],
            "repeated": 0,
            "id": 6873
          },
          {
            "timestamp": "2026-05-28 22:01:57,865",
            "thread_id": "5448",
            "caller": "0x7ff6c28c39ad",
            "parentcaller": "0x7ff6c28c31bb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000006ac"
              }
            ],
            "repeated": 0,
            "id": 6874
          },
          {
            "timestamp": "2026-05-28 22:01:57,865",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c3746",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000006ac"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001000",
                "pretty_value": "PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "4484"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\System32\\svchost.exe"
              }
            ],
            "repeated": 0,
            "id": 6875
          },
          {
            "timestamp": "2026-05-28 22:01:57,865",
            "thread_id": "5448",
            "caller": "0x7ff6c28c472e",
            "parentcaller": "0x7ff6c28c375e",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000006ac"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x000006a8"
              }
            ],
            "repeated": 0,
            "id": 6876
          },
          {
            "timestamp": "2026-05-28 22:01:57,865",
            "thread_id": "5448",
            "caller": "0x7ff6c28c4764",
            "parentcaller": "0x7ff6c28c375e",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "39"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 6877
          },
          {
            "timestamp": "2026-05-28 22:01:57,865",
            "thread_id": "5448",
            "caller": "0x7ff6c28c47ed",
            "parentcaller": "0x7ff6c28c375e",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "39"
              },
              {
                "name": "TokenInformation",
                "value": "\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\xc0t T\\x92\\x02\\x00\\x00 \\x00 \\x00\\x00\\x00\\x00\\x00\\xe8t T\\x92\\x02\\x00\\x00\\x02\\x00\\x00\\x00A\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x08u T\\x92\\x02\\x00\\x00T\\x00S\\x00A\\x00:\\x00/\\x00/\\x00P\\x00r\\x00o\\x00c\\x00U\\x00n\\x00i\\x00q\\x00u\\x00e\\x00`\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xd84\\x03\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 6878
          },
          {
            "timestamp": "2026-05-28 22:01:57,865",
            "thread_id": "5448",
            "caller": "0x7ff6c28c488d",
            "parentcaller": "0x7ff6c28c375e",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000006a8"
              }
            ],
            "repeated": 0,
            "id": 6879
          },
          {
            "timestamp": "2026-05-28 22:01:57,865",
            "thread_id": "5448",
            "caller": "0x7ff6c28c3779",
            "parentcaller": "0x7ff6c28c31c6",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000006ac"
              }
            ],
            "repeated": 0,
            "id": 6880
          },
          {
            "timestamp": "2026-05-28 22:01:57,865",
            "thread_id": "5448",
            "caller": "0x7ff6c28c205c",
            "parentcaller": "0x7ff6c28c01b5",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254216000"
              },
              {
                "name": "RegionSize",
                "value": "0x00009000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 6881
          },
          {
            "timestamp": "2026-05-28 22:01:57,865",
            "thread_id": "5448",
            "caller": "0x7ff6c28c05ac",
            "parentcaller": "0x7ff6c28bdc11",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000006ac"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001400",
                "pretty_value": "PROCESS_QUERY_INFORMATION|PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "4728"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\System32\\svchost.exe"
              }
            ],
            "repeated": 0,
            "id": 6882
          },
          {
            "timestamp": "2026-05-28 22:01:57,865",
            "thread_id": "5448",
            "caller": "0x7ff6c28c068f",
            "parentcaller": "0x7ff6c28bdc11",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000006ac"
              }
            ],
            "repeated": 0,
            "id": 6883
          },
          {
            "timestamp": "2026-05-28 22:01:57,865",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c3e56",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000006ac"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001000",
                "pretty_value": "PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "4728"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\System32\\svchost.exe"
              }
            ],
            "repeated": 0,
            "id": 6884
          },
          {
            "timestamp": "2026-05-28 22:01:57,865",
            "thread_id": "5448",
            "caller": "0x7ff6c28c3ebb",
            "parentcaller": "0x7ff6c28c2d53",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000006ac"
              }
            ],
            "repeated": 0,
            "id": 6885
          },
          {
            "timestamp": "2026-05-28 22:01:57,865",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c3ffc",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000006ac"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001000",
                "pretty_value": "PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "4728"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\System32\\svchost.exe"
              }
            ],
            "repeated": 0,
            "id": 6886
          },
          {
            "timestamp": "2026-05-28 22:01:57,865",
            "thread_id": "5448",
            "caller": "0x7ff6c28c4224",
            "parentcaller": "0x7ff6c28c2da5",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000006ac"
              }
            ],
            "repeated": 0,
            "id": 6887
          },
          {
            "timestamp": "2026-05-28 22:01:57,865",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29254640002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\System32\\svchost.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 6888
          },
          {
            "timestamp": "2026-05-28 22:01:57,865",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "registry",
            "api": "NtOpenKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\en-US"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\en-US"
              }
            ],
            "repeated": 0,
            "id": 6889
          },
          {
            "timestamp": "2026-05-28 22:01:57,865",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000006ac"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100001",
                "pretty_value": "FILE_READ_ACCESS|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\en-US\\svchost.exe.mui"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 6890
          },
          {
            "timestamp": "2026-05-28 22:01:57,865",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x000006a8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x000006ac"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\en-US\\svchost.exe.mui"
              }
            ],
            "repeated": 0,
            "id": 6891
          },
          {
            "timestamp": "2026-05-28 22:01:57,865",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x000006a8"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254650000"
              },
              {
                "name": "SectionOffset",
                "value": "0xf09ddfcf90"
              },
              {
                "name": "ViewSize",
                "value": "0x00001000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 6892
          },
          {
            "timestamp": "2026-05-28 22:01:57,865",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000006a8"
              }
            ],
            "repeated": 0,
            "id": 6893
          },
          {
            "timestamp": "2026-05-28 22:01:57,865",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254650000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              }
            ],
            "repeated": 0,
            "id": 6894
          },
          {
            "timestamp": "2026-05-28 22:01:57,865",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000006ac"
              }
            ],
            "repeated": 0,
            "id": 6895
          },
          {
            "timestamp": "2026-05-28 22:01:57,865",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254640000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              }
            ],
            "repeated": 0,
            "id": 6896
          },
          {
            "timestamp": "2026-05-28 22:01:57,865",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29254640002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\System32\\svchost.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 6897
          },
          {
            "timestamp": "2026-05-28 22:01:57,865",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "registry",
            "api": "NtOpenKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\en-US"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\en-US"
              }
            ],
            "repeated": 0,
            "id": 6898
          },
          {
            "timestamp": "2026-05-28 22:01:57,865",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000006ac"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100001",
                "pretty_value": "FILE_READ_ACCESS|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\en-US\\svchost.exe.mui"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 6899
          },
          {
            "timestamp": "2026-05-28 22:01:57,865",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x000006a8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x000006ac"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\en-US\\svchost.exe.mui"
              }
            ],
            "repeated": 0,
            "id": 6900
          },
          {
            "timestamp": "2026-05-28 22:01:57,865",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x000006a8"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254650000"
              },
              {
                "name": "SectionOffset",
                "value": "0xf09ddfcf80"
              },
              {
                "name": "ViewSize",
                "value": "0x00001000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 6901
          },
          {
            "timestamp": "2026-05-28 22:01:57,865",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000006a8"
              }
            ],
            "repeated": 0,
            "id": 6902
          },
          {
            "timestamp": "2026-05-28 22:01:57,865",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254650000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              }
            ],
            "repeated": 0,
            "id": 6903
          },
          {
            "timestamp": "2026-05-28 22:01:57,865",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000006ac"
              }
            ],
            "repeated": 0,
            "id": 6904
          },
          {
            "timestamp": "2026-05-28 22:01:57,865",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254640000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              }
            ],
            "repeated": 0,
            "id": 6905
          },
          {
            "timestamp": "2026-05-28 22:01:57,865",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c38f8",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000006ac"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001410",
                "pretty_value": "PROCESS_VM_READ|PROCESS_QUERY_INFORMATION|PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "4728"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\System32\\svchost.exe"
              }
            ],
            "repeated": 0,
            "id": 6906
          },
          {
            "timestamp": "2026-05-28 22:01:57,865",
            "thread_id": "5448",
            "caller": "0x7ff6c28c53e5",
            "parentcaller": "0x7ff6c28c3945",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000006ac"
              },
              {
                "name": "BaseAddress",
                "value": "0xfa38ba6000"
              },
              {
                "name": "Size",
                "value": "0x000007c8"
              },
              {
                "name": "Buffer",
                "value": "\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x006\\x80\\xf7\\x7f\\x00\\x00\\xc0\\xc4\\x13x\\xfc\\x7f\\x00\\x00p2\\xa0\\xdb)\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x94\\xdb)\\x02\\x00\\x00\\xe0\\xc0\\x13x\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00p\\x003v\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x8f\\xdb)\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00@\\xc4\\x13x\\xfc\\x7f\\x00\\x00\\xff\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xbb*\\xf4}\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00P\\x07\\xbb*\\xf4}\\x00\\x00\\x00\\x00\\xcf,\\xf5}\\x00\\x00(\\x02\\xd0,\\xf5}\\x00\\x00P\\x06\\xd1,\\xf5}\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x80\\x9b\\x07m\\xe8\\xff\\xff\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x00 \\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x10\\x00\\x00\\x00@\\xad\\x13x\\xfc\\x7f\\x00\\x00\\x00\\x00\\xed\\xdb)\\x02\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 6907
          },
          {
            "timestamp": "2026-05-28 22:01:57,865",
            "thread_id": "5448",
            "caller": "0x7ff6c28c5414",
            "parentcaller": "0x7ff6c28c3945",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000006ac"
              },
              {
                "name": "BaseAddress",
                "value": "0x229dba03270"
              },
              {
                "name": "Size",
                "value": "0x00000440"
              },
              {
                "name": "Buffer",
                "value": ">\\x07\\x00\\x00>\\x07\\x00\\x00\\x01 \\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00(\\x00\\x08\\x02\\x00\\x00\\x00\\x00 >\\xa0\\xdb)\\x02\\x00\\x00H\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00>\\x00@\\x00\\x00\\x00\\x00\\x00\\xb88\\xa0\\xdb)\\x02\\x00\\x00p\\x00r\\x00\\x00\\x00\\x00\\x00\\xf88\\xa0\\xdb)\\x02\\x00\\x00\\xf0'\\xa0\\xdb)\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x80\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00>\\x00@\\x00\\x00\\x00\\x00\\x00j9\\xa0\\xdb)\\x02\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\xaa9\\xa0\\xdb)\\x02\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\xac9\\xa0\\xdb)\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 6908
          },
          {
            "timestamp": "2026-05-28 22:01:57,865",
            "thread_id": "5448",
            "caller": "0x7ff6c28c545d",
            "parentcaller": "0x7ff6c28c3945",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000006ac"
              },
              {
                "name": "BaseAddress",
                "value": "0x229dba038f8"
              },
              {
                "name": "Size",
                "value": "0x00000070"
              },
              {
                "name": "Buffer",
                "value": "C\\x00:\\x00\\\\x00W\\x00i\\x00n\\x00d\\x00o\\x00w\\x00s\\x00\\\\x00s\\x00y\\x00s\\x00t\\x00e\\x00m\\x003\\x002\\x00\\\\x00s\\x00v\\x00c\\x00h\\x00o\\x00s\\x00t\\x00.\\x00e\\x00x\\x00e\\x00 \\x00-\\x00k\\x00 \\x00a\\x00p\\x00p\\x00m\\x00o\\x00d\\x00e\\x00l\\x00 \\x00-\\x00p\\x00 \\x00-\\x00s\\x00 \\x00c\\x00a\\x00m\\x00s\\x00v\\x00c\\x00"
              }
            ],
            "repeated": 0,
            "id": 6909
          },
          {
            "timestamp": "2026-05-28 22:01:57,865",
            "thread_id": "5448",
            "caller": "0x7ff6c28c39ad",
            "parentcaller": "0x7ff6c28c31bb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000006ac"
              }
            ],
            "repeated": 0,
            "id": 6910
          },
          {
            "timestamp": "2026-05-28 22:01:57,865",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c3746",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000006ac"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001000",
                "pretty_value": "PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "4728"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\System32\\svchost.exe"
              }
            ],
            "repeated": 0,
            "id": 6911
          },
          {
            "timestamp": "2026-05-28 22:01:57,865",
            "thread_id": "5448",
            "caller": "0x7ff6c28c472e",
            "parentcaller": "0x7ff6c28c375e",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000006ac"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x000006a8"
              }
            ],
            "repeated": 0,
            "id": 6912
          },
          {
            "timestamp": "2026-05-28 22:01:57,865",
            "thread_id": "5448",
            "caller": "0x7ff6c28c4764",
            "parentcaller": "0x7ff6c28c375e",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "39"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 6913
          },
          {
            "timestamp": "2026-05-28 22:01:57,865",
            "thread_id": "5448",
            "caller": "0x7ff6c28c47ed",
            "parentcaller": "0x7ff6c28c375e",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "39"
              },
              {
                "name": "TokenInformation",
                "value": "\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\xc0t T\\x92\\x02\\x00\\x00 \\x00 \\x00\\x00\\x00\\x00\\x00\\xe8t T\\x92\\x02\\x00\\x00\\x02\\x00\\x00\\x00A\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x08u T\\x92\\x02\\x00\\x00T\\x00S\\x00A\\x00:\\x00/\\x00/\\x00P\\x00r\\x00o\\x00c\\x00U\\x00n\\x00i\\x00q\\x00u\\x00e\\x00c\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x8d\\x7f\\x03\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 6914
          },
          {
            "timestamp": "2026-05-28 22:01:57,865",
            "thread_id": "5448",
            "caller": "0x7ff6c28c488d",
            "parentcaller": "0x7ff6c28c375e",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000006a8"
              }
            ],
            "repeated": 0,
            "id": 6915
          },
          {
            "timestamp": "2026-05-28 22:01:57,865",
            "thread_id": "5448",
            "caller": "0x7ff6c28c3779",
            "parentcaller": "0x7ff6c28c31c6",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000006ac"
              }
            ],
            "repeated": 0,
            "id": 6916
          },
          {
            "timestamp": "2026-05-28 22:01:57,865",
            "thread_id": "5448",
            "caller": "0x7ff6c28c05ac",
            "parentcaller": "0x7ff6c28bdc11",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000006ac"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001400",
                "pretty_value": "PROCESS_QUERY_INFORMATION|PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "3060"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\System32\\SearchProtocolHost.exe"
              }
            ],
            "repeated": 0,
            "id": 6917
          },
          {
            "timestamp": "2026-05-28 22:01:57,865",
            "thread_id": "5448",
            "caller": "0x7ff6c28c068f",
            "parentcaller": "0x7ff6c28bdc11",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000006ac"
              }
            ],
            "repeated": 0,
            "id": 6918
          },
          {
            "timestamp": "2026-05-28 22:01:57,865",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c3e56",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000006ac"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001000",
                "pretty_value": "PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "3060"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\System32\\SearchProtocolHost.exe"
              }
            ],
            "repeated": 0,
            "id": 6919
          },
          {
            "timestamp": "2026-05-28 22:01:57,865",
            "thread_id": "5448",
            "caller": "0x7ff6c28c3ebb",
            "parentcaller": "0x7ff6c28c2d53",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000006ac"
              }
            ],
            "repeated": 0,
            "id": 6920
          },
          {
            "timestamp": "2026-05-28 22:01:57,865",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c3ffc",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000006ac"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001000",
                "pretty_value": "PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "3060"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\System32\\SearchProtocolHost.exe"
              }
            ],
            "repeated": 0,
            "id": 6921
          },
          {
            "timestamp": "2026-05-28 22:01:57,865",
            "thread_id": "5448",
            "caller": "0x7ff6c28c4224",
            "parentcaller": "0x7ff6c28c2da5",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000006ac"
              }
            ],
            "repeated": 0,
            "id": 6922
          },
          {
            "timestamp": "2026-05-28 22:01:57,865",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29254640002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\System32\\SearchProtocolHost.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 6923
          },
          {
            "timestamp": "2026-05-28 22:01:57,865",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254640000"
              },
              {
                "name": "RegionSize",
                "value": "0x0006b000"
              }
            ],
            "repeated": 0,
            "id": 6924
          },
          {
            "timestamp": "2026-05-28 22:01:57,881",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29254640002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\System32\\SearchProtocolHost.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 6925
          },
          {
            "timestamp": "2026-05-28 22:01:57,881",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254640000"
              },
              {
                "name": "RegionSize",
                "value": "0x0006b000"
              }
            ],
            "repeated": 0,
            "id": 6926
          },
          {
            "timestamp": "2026-05-28 22:01:57,881",
            "thread_id": "5448",
            "caller": "0x7ff6c28c3b16",
            "parentcaller": "0x7ff6c28c30e8",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000006ac"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000400",
                "pretty_value": "PROCESS_QUERY_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "3060"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\System32\\SearchProtocolHost.exe"
              }
            ],
            "repeated": 0,
            "id": 6927
          },
          {
            "timestamp": "2026-05-28 22:01:57,881",
            "thread_id": "5448",
            "caller": "0x7ff6c28c3b8f",
            "parentcaller": "0x7ff6c28c30e8",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000006ac"
              }
            ],
            "repeated": 0,
            "id": 6928
          },
          {
            "timestamp": "2026-05-28 22:01:57,928",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c38f8",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000006ac"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001410",
                "pretty_value": "PROCESS_VM_READ|PROCESS_QUERY_INFORMATION|PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "3060"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\System32\\SearchProtocolHost.exe"
              }
            ],
            "repeated": 0,
            "id": 6929
          },
          {
            "timestamp": "2026-05-28 22:01:57,928",
            "thread_id": "5448",
            "caller": "0x7ff6c28c53e5",
            "parentcaller": "0x7ff6c28c3945",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000006ac"
              },
              {
                "name": "BaseAddress",
                "value": "0xab1cfaa000"
              },
              {
                "name": "Size",
                "value": "0x000007c8"
              },
              {
                "name": "Buffer",
                "value": "\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\x94\\x16\\xf7\\x7f\\x00\\x00\\xc0\\xc4\\x13x\\xfc\\x7f\\x00\\x00\\xc0\\x1aR\\\\x83\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00R\\\\x83\\x02\\x00\\x00\\xe0\\xc0\\x13x\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x05\\x00\\x00\\x00\\x00\\x00\\x00\\x00p\\x003v\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00;\\\\x83\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00@\\xc4\\x13x\\xfc\\x7f\\x00\\x00\\xff\\x7f\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x1b:\\xf4}\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00P\\x07\\x1b:\\xf4}\\x00\\x00\\x00\\x00/<\\xf5}\\x00\\x00(\\x020<\\xf5}\\x00\\x00P\\x061<\\xf5}\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x80\\x9b\\x07m\\xe8\\xff\\xff\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x00 \\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x10\\x00\\x00\\x00@\\xad\\x13x\\xfc\\x7f\\x00\\x00\\x00\\x00b\\\\x83\\x02\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 6930
          },
          {
            "timestamp": "2026-05-28 22:01:57,928",
            "thread_id": "5448",
            "caller": "0x7ff6c28c5414",
            "parentcaller": "0x7ff6c28c3945",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000006ac"
              },
              {
                "name": "BaseAddress",
                "value": "0x2835c521ac0"
              },
              {
                "name": "Size",
                "value": "0x00000440"
              },
              {
                "name": "Buffer",
                "value": "\"\n\\x00\\x00\"\n\\x00\\x00\\x01`\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00(\\x00\\x08\\x02\\x00\\x00\\x00\\x00@)R\\\\x83\\x02\\x00\\x00@\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00T\\x00V\\x00\\x00\\x00\\x00\\x00\\x08!R\\\\x83\\x02\\x00\\x00(\\x03*\\x03\\x00\\x00\\x00\\x00^!R\\\\x83\\x02\\x00\\x00\\xe0\\x0fR\\\\x83\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00T\\x00V\\x00\\x00\\x00\\x00\\x00\\x88$R\\\\x83\\x02\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\xde$R\\\\x83\\x02\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\xe0$R\\\\x83\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 6931
          },
          {
            "timestamp": "2026-05-28 22:01:57,928",
            "thread_id": "5448",
            "caller": "0x7ff6c28c545d",
            "parentcaller": "0x7ff6c28c3945",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000006ac"
              },
              {
                "name": "BaseAddress",
                "value": "0x2835c52215e"
              },
              {
                "name": "Size",
                "value": "0x00000328"
              },
              {
                "name": "Buffer",
                "value": "\"\\x00C\\x00:\\x00\\\\x00W\\x00i\\x00n\\x00d\\x00o\\x00w\\x00s\\x00\\\\x00s\\x00y\\x00s\\x00t\\x00e\\x00m\\x003\\x002\\x00\\\\x00S\\x00e\\x00a\\x00r\\x00c\\x00h\\x00P\\x00r\\x00o\\x00t\\x00o\\x00c\\x00o\\x00l\\x00H\\x00o\\x00s\\x00t\\x00.\\x00e\\x00x\\x00e\\x00\"\\x00 \\x00G\\x00l\\x00o\\x00b\\x00a\\x00l\\x00\\\\x00U\\x00s\\x00G\\x00t\\x00h\\x00r\\x00F\\x00l\\x00t\\x00P\\x00i\\x00p\\x00e\\x00M\\x00s\\x00s\\x00G\\x00t\\x00h\\x00r\\x00P\\x00i\\x00p\\x00e\\x00_\\x00S\\x00-\\x001\\x00-\\x005\\x00-\\x002\\x001\\x00-\\x003\\x009\\x006\\x008\\x006\\x008\\x006\\x000\\x004\\x000\\x00-\\x003\\x002\\x001\\x000\\x002\\x007\\x009\\x004\\x006\\x003\\x00-\\x008\\x004\\x007\\x009\\x007\\x007\\x006\\x000\\x008\\x00-\\x001\\x000\\x000\\x001\\x001\\x00_\\x00 \\x00G\\x00l\\x00o\\x00"
              }
            ],
            "repeated": 0,
            "id": 6932
          },
          {
            "timestamp": "2026-05-28 22:01:57,928",
            "thread_id": "5448",
            "caller": "0x7ff6c28c39ad",
            "parentcaller": "0x7ff6c28c31bb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000006ac"
              }
            ],
            "repeated": 0,
            "id": 6933
          },
          {
            "timestamp": "2026-05-28 22:01:57,928",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c3746",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000006ac"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001000",
                "pretty_value": "PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "3060"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\System32\\SearchProtocolHost.exe"
              }
            ],
            "repeated": 0,
            "id": 6934
          },
          {
            "timestamp": "2026-05-28 22:01:57,928",
            "thread_id": "5448",
            "caller": "0x7ff6c28c472e",
            "parentcaller": "0x7ff6c28c375e",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000006ac"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x000006a8"
              }
            ],
            "repeated": 0,
            "id": 6935
          },
          {
            "timestamp": "2026-05-28 22:01:57,928",
            "thread_id": "5448",
            "caller": "0x7ff6c28c4764",
            "parentcaller": "0x7ff6c28c375e",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "39"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 6936
          },
          {
            "timestamp": "2026-05-28 22:01:57,928",
            "thread_id": "5448",
            "caller": "0x7ff6c28c47ed",
            "parentcaller": "0x7ff6c28c375e",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "39"
              },
              {
                "name": "TokenInformation",
                "value": "\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x80\\xc1\\x1cT\\x92\\x02\\x00\\x00 \\x00 \\x00\\x00\\x00\\x00\\x00\\xa8\\xc1\\x1cT\\x92\\x02\\x00\\x00\\x02\\x00\\x00\\x00A\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xc8\\xc1\\x1cT\\x92\\x02\\x00\\x00T\\x00S\\x00A\\x00:\\x00/\\x00/\\x00P\\x00r\\x00o\\x00c\\x00U\\x00n\\x00i\\x00q\\x00u\\x00e\\x00g\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xc6\\x11\\x04\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 6937
          },
          {
            "timestamp": "2026-05-28 22:01:57,928",
            "thread_id": "5448",
            "caller": "0x7ff6c28c488d",
            "parentcaller": "0x7ff6c28c375e",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000006a8"
              }
            ],
            "repeated": 0,
            "id": 6938
          },
          {
            "timestamp": "2026-05-28 22:01:57,928",
            "thread_id": "5448",
            "caller": "0x7ff6c28c3779",
            "parentcaller": "0x7ff6c28c31c6",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000006ac"
              }
            ],
            "repeated": 0,
            "id": 6939
          },
          {
            "timestamp": "2026-05-28 22:01:57,928",
            "thread_id": "5448",
            "caller": "0x7ff6c28c05ac",
            "parentcaller": "0x7ff6c28bdc11",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000006ac"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001400",
                "pretty_value": "PROCESS_QUERY_INFORMATION|PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "5152"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\SystemApps\\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\\StartMenuExperienceHost.exe"
              }
            ],
            "repeated": 0,
            "id": 6940
          },
          {
            "timestamp": "2026-05-28 22:01:57,928",
            "thread_id": "5448",
            "caller": "0x7ff6c28c068f",
            "parentcaller": "0x7ff6c28bdc11",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000006ac"
              }
            ],
            "repeated": 0,
            "id": 6941
          },
          {
            "timestamp": "2026-05-28 22:01:57,928",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c837c",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000006ac"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001000",
                "pretty_value": "PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "5152"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\SystemApps\\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\\StartMenuExperienceHost.exe"
              }
            ],
            "repeated": 0,
            "id": 6942
          },
          {
            "timestamp": "2026-05-28 22:01:57,928",
            "thread_id": "5448",
            "caller": "0x7ff6c28c472e",
            "parentcaller": "0x7ff6c28c8392",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000006ac"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x000006a8"
              }
            ],
            "repeated": 0,
            "id": 6943
          },
          {
            "timestamp": "2026-05-28 22:01:57,928",
            "thread_id": "5448",
            "caller": "0x7ff6c28c4764",
            "parentcaller": "0x7ff6c28c8392",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "39"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 6944
          },
          {
            "timestamp": "2026-05-28 22:01:57,928",
            "thread_id": "5448",
            "caller": "0x7ff6c28c47a3",
            "parentcaller": "0x7ff6c28c8392",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2925421f000"
              },
              {
                "name": "RegionSize",
                "value": "0x00003000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 6945
          },
          {
            "timestamp": "2026-05-28 22:01:57,928",
            "thread_id": "5448",
            "caller": "0x7ff6c28c47ed",
            "parentcaller": "0x7ff6c28c8392",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "39"
              },
              {
                "name": "TokenInformation",
                "value": "\\x01\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x10\\xef!T\\x92\\x02\\x00\\x00\\x1c\\x00\\x1c\\x00\\x00\\x00\\x00\\x00\\xb0\\xef!T\\x92\\x02\\x00\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xd0\\xef!T\\x92\\x02\\x00\\x00\\x12\\x00\\x12\\x00\\x00\\x00\\x00\\x00\"\\xf1!T\\x92\\x02\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x008\\xf1!T\\x92\\x02\\x00\\x00\\x1e\\x00\\x1e\\x00\\x00\\x00\\x00\\x00@\\xf1!T\\x92\\x02\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00`\\xf1!T\\x92\\x02\\x00\\x00 \\x00 \\x00\\x00\\x00\\x00\\x00h\\xf1!T\\x92\\x02\\x00\\x00\\x02\\x00\\x00\\x00A\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x88\\xf1!T\\x92\\x02\\x00\\x00W\\x00I\\x00N\\x00:\\x00/\\x00/\\x00S\\x00Y\\x00S\\x00A\\x00P\\x00P\\x00I\\x00D\\x00\\x00\\x00\\x00\\x00\\xae\\x00\\xae\\x00\\x00\\x00\\x00\\x00\\x00\\xf0!T\\x92\\x02\\x00\\x00\\x06\\x00\\x06\\x00\\x00\\x00\\x00\\x00\\xae\\xf0!T\\x92\\x02\\x00\\x00n\\x00n\\x00\\x00\\x00\\x00\\x00\\xb4\\xf0!T\\x92\\x02\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 6946
          },
          {
            "timestamp": "2026-05-28 22:01:57,928",
            "thread_id": "5448",
            "caller": "0x7ff6c28c488d",
            "parentcaller": "0x7ff6c28c8392",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000006a8"
              }
            ],
            "repeated": 0,
            "id": 6947
          },
          {
            "timestamp": "2026-05-28 22:01:57,928",
            "thread_id": "5448",
            "caller": "0x7ff6c28c83a8",
            "parentcaller": "0x7ff6c28c8427",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000006ac"
              }
            ],
            "repeated": 0,
            "id": 6948
          },
          {
            "timestamp": "2026-05-28 22:01:57,928",
            "thread_id": "5448",
            "caller": "0x7ff6c28c857d",
            "parentcaller": "0x7ff6c28c0941",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\System32\\Bcp47Langs"
              },
              {
                "name": "DllBase",
                "value": "0x7ffc6a640000"
              }
            ],
            "repeated": 0,
            "id": 6949
          },
          {
            "timestamp": "2026-05-28 22:01:57,928",
            "thread_id": "5448",
            "caller": "0x7ff6c28c857d",
            "parentcaller": "0x7ff6c28c0941",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\System32\\sppc"
              },
              {
                "name": "DllBase",
                "value": "0x7ffc741c0000"
              }
            ],
            "repeated": 0,
            "id": 6950
          },
          {
            "timestamp": "2026-05-28 22:01:57,959",
            "thread_id": "5448",
            "caller": "0x7ff6c28c857d",
            "parentcaller": "0x7ff6c28c0941",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\System32\\SLC"
              },
              {
                "name": "DllBase",
                "value": "0x7ffc741f0000"
              }
            ],
            "repeated": 0,
            "id": 6951
          },
          {
            "timestamp": "2026-05-28 22:01:57,959",
            "thread_id": "5448",
            "caller": "0x7ff6c28c857d",
            "parentcaller": "0x7ff6c28c0941",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\System32\\USERENV"
              },
              {
                "name": "DllBase",
                "value": "0x7ffc75560000"
              }
            ],
            "repeated": 0,
            "id": 6952
          },
          {
            "timestamp": "2026-05-28 22:01:57,959",
            "thread_id": "5448",
            "caller": "0x7ff6c28c857d",
            "parentcaller": "0x7ff6c28c0941",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\System32\\appresolver"
              },
              {
                "name": "DllBase",
                "value": "0x7ffc610f0000"
              }
            ],
            "repeated": 0,
            "id": 6953
          },
          {
            "timestamp": "2026-05-28 22:01:57,975",
            "thread_id": "5448",
            "caller": "0x7ff6c28c857d",
            "parentcaller": "0x7ff6c28c0941",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\appresolver.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc610f0000"
              }
            ],
            "repeated": 0,
            "id": 6954
          },
          {
            "timestamp": "2026-05-28 22:01:57,975",
            "thread_id": "5448",
            "caller": "0x7ff6c28c857d",
            "parentcaller": "0x7ff6c28c0941",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 6955
          },
          {
            "timestamp": "2026-05-28 22:01:57,975",
            "thread_id": "5448",
            "caller": "0x7ff6c28c857d",
            "parentcaller": "0x7ff6c28c0941",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "660B90C8-73A9-4B58-8CAE-355B7F55341B"
              },
              {
                "name": "ClsContext",
                "value": "0x00000003",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER"
              },
              {
                "name": "riid",
                "value": "02C5CCF3-805F-4654-A7B7-340A74335365"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 6956
          },
          {
            "timestamp": "2026-05-28 22:01:57,975",
            "thread_id": "5448",
            "caller": "0x7ff6c28c883e",
            "parentcaller": "0x7ff6c28c846b",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "1F486A52-3CB1-48FD-8F50-B8DC300D9F9D"
              },
              {
                "name": "ClsContext",
                "value": "0x00000001",
                "pretty_value": "CLSCTX_INPROC_SERVER"
              },
              {
                "name": "riid",
                "value": "ECF31D61-E474-453C-BEE7-DE68E441C6D0"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 6957
          },
          {
            "timestamp": "2026-05-28 22:01:57,975",
            "thread_id": "5448",
            "caller": "0x7ff6c28c883e",
            "parentcaller": "0x7ff6c28c846b",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0xfffffffc"
              }
            ],
            "repeated": 1,
            "id": 6958
          },
          {
            "timestamp": "2026-05-28 22:01:57,975",
            "thread_id": "5448",
            "caller": "0x7ff6c28c883e",
            "parentcaller": "0x7ff6c28c846b",
            "category": "process",
            "api": "NtOpenSection",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000004"
              },
              {
                "name": "ObjectAttributes",
                "value": "Local\\C:*Users*admin*AppData*Local*Microsoft*Windows*Caches*cversions.3"
              }
            ],
            "repeated": 0,
            "id": 6959
          },
          {
            "timestamp": "2026-05-28 22:01:57,975",
            "thread_id": "5448",
            "caller": "0x7ff6c28c883e",
            "parentcaller": "0x7ff6c28c846b",
            "category": "process",
            "api": "NtOpenSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000724"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000004"
              },
              {
                "name": "ObjectAttributes",
                "value": "Local\\C:*Users*admin*AppData*Local*Microsoft*Windows*Caches*cversions.3.ro"
              }
            ],
            "repeated": 0,
            "id": 6960
          },
          {
            "timestamp": "2026-05-28 22:01:57,975",
            "thread_id": "5448",
            "caller": "0x7ff6c28c883e",
            "parentcaller": "0x7ff6c28c846b",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000724"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254640000"
              },
              {
                "name": "SectionOffset",
                "value": "0xf09ddfd310"
              },
              {
                "name": "ViewSize",
                "value": "0x00004000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 6961
          },
          {
            "timestamp": "2026-05-28 22:01:57,975",
            "thread_id": "5448",
            "caller": "0x7ff6c28c883e",
            "parentcaller": "0x7ff6c28c846b",
            "category": "process",
            "api": "NtOpenSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000728"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000004"
              },
              {
                "name": "ObjectAttributes",
                "value": "Local\\C:*Users*admin*AppData*Local*Microsoft*Windows*Caches*{3DA71D5A-20CC-432F-A115-DFE92379E91F}.3.ver0x0000000000000013.db"
              }
            ],
            "repeated": 0,
            "id": 6962
          },
          {
            "timestamp": "2026-05-28 22:01:57,975",
            "thread_id": "5448",
            "caller": "0x7ff6c28c883e",
            "parentcaller": "0x7ff6c28c846b",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000728"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254650000"
              },
              {
                "name": "SectionOffset",
                "value": "0xf09ddfe270"
              },
              {
                "name": "ViewSize",
                "value": "0x00014000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 6963
          },
          {
            "timestamp": "2026-05-28 22:01:57,975",
            "thread_id": "5448",
            "caller": "0x7ff6c28c883e",
            "parentcaller": "0x7ff6c28c846b",
            "category": "system",
            "api": "GetUserDefaultLCID",
            "status": true,
            "return": "0x00000c09",
            "arguments": [
              {
                "name": "SystemDefaultLangID",
                "value": "0x00000c09"
              },
              {
                "name": "LanguageName",
                "value": "English (Australia)"
              }
            ],
            "repeated": 0,
            "id": 6964
          },
          {
            "timestamp": "2026-05-28 22:01:57,975",
            "thread_id": "5448",
            "caller": "0x7ff6c28c883e",
            "parentcaller": "0x7ff6c28c846b",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xd0\\xde\\xdf\\x9d\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x92\\x02\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\xe9\\x03\\x00\\x00\\x00\\x00\\x00\\x00`\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x80\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x1fN\\x92\\x02\\x00\\x00\\xc9\\xdf\\xdf\\x9d\\xf0\\x00\\x00\\x00\\x07\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 6965
          },
          {
            "timestamp": "2026-05-28 22:01:57,975",
            "thread_id": "5448",
            "caller": "0x7ff6c28c883e",
            "parentcaller": "0x7ff6c28c846b",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000072c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3968686040-3210279463-847977608-1001"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER"
              }
            ],
            "repeated": 0,
            "id": 6966
          },
          {
            "timestamp": "2026-05-28 22:01:57,975",
            "thread_id": "5448",
            "caller": "0x7ff6c28c883e",
            "parentcaller": "0x7ff6c28c846b",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x0000072c"
              },
              {
                "name": "SubKey",
                "value": ""
              },
              {
                "name": "Handle",
                "value": "0x00000730"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\"
              }
            ],
            "repeated": 0,
            "id": 6967
          },
          {
            "timestamp": "2026-05-28 22:01:57,975",
            "thread_id": "5448",
            "caller": "0x7ff6c28c883e",
            "parentcaller": "0x7ff6c28c846b",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000730"
              },
              {
                "name": "SubKey",
                "value": "Control Panel\\International\\User Profile"
              },
              {
                "name": "Handle",
                "value": "0x00000734"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\Control Panel\\International\\User Profile"
              }
            ],
            "repeated": 0,
            "id": 6968
          },
          {
            "timestamp": "2026-05-28 22:01:57,975",
            "thread_id": "5448",
            "caller": "0x7ff6c28c883e",
            "parentcaller": "0x7ff6c28c846b",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000072c"
              }
            ],
            "repeated": 0,
            "id": 6969
          },
          {
            "timestamp": "2026-05-28 22:01:57,975",
            "thread_id": "5448",
            "caller": "0x7ff6c28c883e",
            "parentcaller": "0x7ff6c28c846b",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000734"
              },
              {
                "name": "ValueName",
                "value": "Languages"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\Control Panel\\International\\User Profile\\Languages"
              }
            ],
            "repeated": 0,
            "id": 6970
          },
          {
            "timestamp": "2026-05-28 22:01:57,975",
            "thread_id": "5448",
            "caller": "0x7ff6c28c883e",
            "parentcaller": "0x7ff6c28c846b",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000734"
              },
              {
                "name": "ValueName",
                "value": "Languages"
              },
              {
                "name": "Data",
                "value": "\\x00\\x00"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\Control Panel\\International\\User Profile\\Languages"
              }
            ],
            "repeated": 0,
            "id": 6971
          },
          {
            "timestamp": "2026-05-28 22:01:57,975",
            "thread_id": "5448",
            "caller": "0x7ff6c28c883e",
            "parentcaller": "0x7ff6c28c846b",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc6a698000"
              },
              {
                "name": "ModuleName",
                "value": "Bcp47Langs.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 6972
          },
          {
            "timestamp": "2026-05-28 22:01:57,975",
            "thread_id": "5448",
            "caller": "0x7ff6c28c883e",
            "parentcaller": "0x7ff6c28c846b",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc6a698000"
              },
              {
                "name": "ModuleName",
                "value": "Bcp47Langs.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 6973
          },
          {
            "timestamp": "2026-05-28 22:01:57,975",
            "thread_id": "5448",
            "caller": "0x7ff6c28c883e",
            "parentcaller": "0x7ff6c28c846b",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000734"
              }
            ],
            "repeated": 0,
            "id": 6974
          },
          {
            "timestamp": "2026-05-28 22:01:57,975",
            "thread_id": "5448",
            "caller": "0x7ff6c28c883e",
            "parentcaller": "0x7ff6c28c846b",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000730"
              }
            ],
            "repeated": 0,
            "id": 6975
          },
          {
            "timestamp": "2026-05-28 22:01:57,975",
            "thread_id": "5448",
            "caller": "0x7ff6c28c883e",
            "parentcaller": "0x7ff6c28c846b",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xf0\\xda\\xdf\\x9d\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x92\\x02\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\xe9\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00F\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x02\\x00\\x00\\x00\\x00\\x00\\x00j\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 6976
          },
          {
            "timestamp": "2026-05-28 22:01:57,975",
            "thread_id": "5448",
            "caller": "0x7ff6c28c883e",
            "parentcaller": "0x7ff6c28c846b",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000730"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3968686040-3210279463-847977608-1001"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER"
              }
            ],
            "repeated": 0,
            "id": 6977
          },
          {
            "timestamp": "2026-05-28 22:01:57,975",
            "thread_id": "5448",
            "caller": "0x7ff6c28c883e",
            "parentcaller": "0x7ff6c28c846b",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000734"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000730"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Control Panel\\International\\Geo"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Control Panel\\International\\Geo"
              }
            ],
            "repeated": 0,
            "id": 6978
          },
          {
            "timestamp": "2026-05-28 22:01:57,975",
            "thread_id": "5448",
            "caller": "0x7ff6c28c883e",
            "parentcaller": "0x7ff6c28c846b",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000730"
              }
            ],
            "repeated": 0,
            "id": 6979
          },
          {
            "timestamp": "2026-05-28 22:01:57,975",
            "thread_id": "5448",
            "caller": "0x7ff6c28c883e",
            "parentcaller": "0x7ff6c28c846b",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000734"
              },
              {
                "name": "ValueName",
                "value": "Nation"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "Information",
                "value": "12"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\Control Panel\\International\\Geo\\Nation"
              }
            ],
            "repeated": 0,
            "id": 6980
          },
          {
            "timestamp": "2026-05-28 22:01:57,975",
            "thread_id": "5448",
            "caller": "0x7ff6c28c883e",
            "parentcaller": "0x7ff6c28c846b",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000734"
              }
            ],
            "repeated": 0,
            "id": 6981
          },
          {
            "timestamp": "2026-05-28 22:01:57,975",
            "thread_id": "5448",
            "caller": "0x7ff6c28c883e",
            "parentcaller": "0x7ff6c28c846b",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc61179000"
              },
              {
                "name": "ModuleName",
                "value": "appresolver.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 6982
          },
          {
            "timestamp": "2026-05-28 22:01:57,975",
            "thread_id": "5448",
            "caller": "0x7ff6c28c883e",
            "parentcaller": "0x7ff6c28c846b",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc61179000"
              },
              {
                "name": "ModuleName",
                "value": "appresolver.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 6983
          },
          {
            "timestamp": "2026-05-28 22:01:57,975",
            "thread_id": "5448",
            "caller": "0x7ff6c28c883e",
            "parentcaller": "0x7ff6c28c846b",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions"
              },
              {
                "name": "Handle",
                "value": "0x00000734"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions"
              }
            ],
            "repeated": 0,
            "id": 6984
          },
          {
            "timestamp": "2026-05-28 22:01:57,975",
            "thread_id": "5448",
            "caller": "0x7ff6c28c883e",
            "parentcaller": "0x7ff6c28c846b",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000734"
              },
              {
                "name": "SubKey",
                "value": "{1E87508D-89C2-42F0-8A7E-645A0F50CA58}"
              },
              {
                "name": "Handle",
                "value": "0x00000730"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1E87508D-89C2-42F0-8A7E-645A0F50CA58}"
              }
            ],
            "repeated": 0,
            "id": 6985
          },
          {
            "timestamp": "2026-05-28 22:01:57,975",
            "thread_id": "5448",
            "caller": "0x7ff6c28c883e",
            "parentcaller": "0x7ff6c28c846b",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000734"
              }
            ],
            "repeated": 0,
            "id": 6986
          },
          {
            "timestamp": "2026-05-28 22:01:57,975",
            "thread_id": "5448",
            "caller": "0x7ff6c28c883e",
            "parentcaller": "0x7ff6c28c846b",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000730"
              },
              {
                "name": "ValueName",
                "value": "Category"
              },
              {
                "name": "Data",
                "value": "1"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1e87508d-89c2-42f0-8a7e-645a0f50ca58}\\Category"
              }
            ],
            "repeated": 0,
            "id": 6987
          },
          {
            "timestamp": "2026-05-28 22:01:57,975",
            "thread_id": "5448",
            "caller": "0x7ff6c28c883e",
            "parentcaller": "0x7ff6c28c846b",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000730"
              },
              {
                "name": "ValueName",
                "value": "Name"
              },
              {
                "name": "Data",
                "value": "AppsFolder"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1e87508d-89c2-42f0-8a7e-645a0f50ca58}\\Name"
              }
            ],
            "repeated": 0,
            "id": 6988
          },
          {
            "timestamp": "2026-05-28 22:01:57,975",
            "thread_id": "5448",
            "caller": "0x7ff6c28c883e",
            "parentcaller": "0x7ff6c28c846b",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000730"
              },
              {
                "name": "ValueName",
                "value": "ParentFolder"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1e87508d-89c2-42f0-8a7e-645a0f50ca58}\\ParentFolder"
              }
            ],
            "repeated": 0,
            "id": 6989
          },
          {
            "timestamp": "2026-05-28 22:01:57,975",
            "thread_id": "5448",
            "caller": "0x7ff6c28c883e",
            "parentcaller": "0x7ff6c28c846b",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000730"
              },
              {
                "name": "ValueName",
                "value": "Description"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1e87508d-89c2-42f0-8a7e-645a0f50ca58}\\Description"
              }
            ],
            "repeated": 0,
            "id": 6990
          },
          {
            "timestamp": "2026-05-28 22:01:57,975",
            "thread_id": "5448",
            "caller": "0x7ff6c28c883e",
            "parentcaller": "0x7ff6c28c846b",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000730"
              },
              {
                "name": "ValueName",
                "value": "RelativePath"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1e87508d-89c2-42f0-8a7e-645a0f50ca58}\\RelativePath"
              }
            ],
            "repeated": 0,
            "id": 6991
          },
          {
            "timestamp": "2026-05-28 22:01:57,975",
            "thread_id": "5448",
            "caller": "0x7ff6c28c883e",
            "parentcaller": "0x7ff6c28c846b",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000730"
              },
              {
                "name": "ValueName",
                "value": "ParsingName"
              },
              {
                "name": "Data",
                "value": "shell:::{4234d49b-0245-4df3-b780-3893943456e1}"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1e87508d-89c2-42f0-8a7e-645a0f50ca58}\\ParsingName"
              }
            ],
            "repeated": 0,
            "id": 6992
          },
          {
            "timestamp": "2026-05-28 22:01:57,975",
            "thread_id": "5448",
            "caller": "0x7ff6c28c883e",
            "parentcaller": "0x7ff6c28c846b",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000730"
              },
              {
                "name": "ValueName",
                "value": "InfoTip"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1e87508d-89c2-42f0-8a7e-645a0f50ca58}\\InfoTip"
              }
            ],
            "repeated": 0,
            "id": 6993
          },
          {
            "timestamp": "2026-05-28 22:01:57,975",
            "thread_id": "5448",
            "caller": "0x7ff6c28c883e",
            "parentcaller": "0x7ff6c28c846b",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000730"
              },
              {
                "name": "ValueName",
                "value": "LocalizedName"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1e87508d-89c2-42f0-8a7e-645a0f50ca58}\\LocalizedName"
              }
            ],
            "repeated": 0,
            "id": 6994
          },
          {
            "timestamp": "2026-05-28 22:01:57,975",
            "thread_id": "5448",
            "caller": "0x7ff6c28c883e",
            "parentcaller": "0x7ff6c28c846b",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000730"
              },
              {
                "name": "ValueName",
                "value": "Icon"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1e87508d-89c2-42f0-8a7e-645a0f50ca58}\\Icon"
              }
            ],
            "repeated": 0,
            "id": 6995
          },
          {
            "timestamp": "2026-05-28 22:01:57,975",
            "thread_id": "5448",
            "caller": "0x7ff6c28c883e",
            "parentcaller": "0x7ff6c28c846b",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000730"
              },
              {
                "name": "ValueName",
                "value": "Security"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1e87508d-89c2-42f0-8a7e-645a0f50ca58}\\Security"
              }
            ],
            "repeated": 0,
            "id": 6996
          },
          {
            "timestamp": "2026-05-28 22:01:57,975",
            "thread_id": "5448",
            "caller": "0x7ff6c28c883e",
            "parentcaller": "0x7ff6c28c846b",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000730"
              },
              {
                "name": "ValueName",
                "value": "StreamResource"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1e87508d-89c2-42f0-8a7e-645a0f50ca58}\\StreamResource"
              }
            ],
            "repeated": 0,
            "id": 6997
          },
          {
            "timestamp": "2026-05-28 22:01:57,975",
            "thread_id": "5448",
            "caller": "0x7ff6c28c883e",
            "parentcaller": "0x7ff6c28c846b",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000730"
              },
              {
                "name": "ValueName",
                "value": "StreamResourceType"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1e87508d-89c2-42f0-8a7e-645a0f50ca58}\\StreamResourceType"
              }
            ],
            "repeated": 0,
            "id": 6998
          },
          {
            "timestamp": "2026-05-28 22:01:57,975",
            "thread_id": "5448",
            "caller": "0x7ff6c28c883e",
            "parentcaller": "0x7ff6c28c846b",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000730"
              },
              {
                "name": "ValueName",
                "value": "LocalRedirectOnly"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1e87508d-89c2-42f0-8a7e-645a0f50ca58}\\LocalRedirectOnly"
              }
            ],
            "repeated": 0,
            "id": 6999
          },
          {
            "timestamp": "2026-05-28 22:01:57,975",
            "thread_id": "5448",
            "caller": "0x7ff6c28c883e",
            "parentcaller": "0x7ff6c28c846b",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000730"
              },
              {
                "name": "ValueName",
                "value": "Roamable"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1e87508d-89c2-42f0-8a7e-645a0f50ca58}\\Roamable"
              }
            ],
            "repeated": 0,
            "id": 7000
          },
          {
            "timestamp": "2026-05-28 22:01:57,975",
            "thread_id": "5448",
            "caller": "0x7ff6c28c883e",
            "parentcaller": "0x7ff6c28c846b",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000730"
              },
              {
                "name": "ValueName",
                "value": "PreCreate"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1e87508d-89c2-42f0-8a7e-645a0f50ca58}\\PreCreate"
              }
            ],
            "repeated": 0,
            "id": 7001
          },
          {
            "timestamp": "2026-05-28 22:01:57,975",
            "thread_id": "5448",
            "caller": "0x7ff6c28c883e",
            "parentcaller": "0x7ff6c28c846b",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000730"
              },
              {
                "name": "ValueName",
                "value": "Stream"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1e87508d-89c2-42f0-8a7e-645a0f50ca58}\\Stream"
              }
            ],
            "repeated": 0,
            "id": 7002
          },
          {
            "timestamp": "2026-05-28 22:01:57,975",
            "thread_id": "5448",
            "caller": "0x7ff6c28c883e",
            "parentcaller": "0x7ff6c28c846b",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000730"
              },
              {
                "name": "ValueName",
                "value": "PublishExpandedPath"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1e87508d-89c2-42f0-8a7e-645a0f50ca58}\\PublishExpandedPath"
              }
            ],
            "repeated": 0,
            "id": 7003
          },
          {
            "timestamp": "2026-05-28 22:01:57,975",
            "thread_id": "5448",
            "caller": "0x7ff6c28c883e",
            "parentcaller": "0x7ff6c28c846b",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000730"
              },
              {
                "name": "ValueName",
                "value": "DefinitionFlags"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1e87508d-89c2-42f0-8a7e-645a0f50ca58}\\DefinitionFlags"
              }
            ],
            "repeated": 0,
            "id": 7004
          },
          {
            "timestamp": "2026-05-28 22:01:57,975",
            "thread_id": "5448",
            "caller": "0x7ff6c28c883e",
            "parentcaller": "0x7ff6c28c846b",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000730"
              },
              {
                "name": "ValueName",
                "value": "Attributes"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1e87508d-89c2-42f0-8a7e-645a0f50ca58}\\Attributes"
              }
            ],
            "repeated": 0,
            "id": 7005
          },
          {
            "timestamp": "2026-05-28 22:01:57,975",
            "thread_id": "5448",
            "caller": "0x7ff6c28c883e",
            "parentcaller": "0x7ff6c28c846b",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000730"
              },
              {
                "name": "ValueName",
                "value": "FolderTypeID"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1e87508d-89c2-42f0-8a7e-645a0f50ca58}\\FolderTypeID"
              }
            ],
            "repeated": 0,
            "id": 7006
          },
          {
            "timestamp": "2026-05-28 22:01:57,975",
            "thread_id": "5448",
            "caller": "0x7ff6c28c883e",
            "parentcaller": "0x7ff6c28c846b",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000730"
              },
              {
                "name": "ValueName",
                "value": "InitFolderHandler"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1e87508d-89c2-42f0-8a7e-645a0f50ca58}\\InitFolderHandler"
              }
            ],
            "repeated": 0,
            "id": 7007
          },
          {
            "timestamp": "2026-05-28 22:01:57,975",
            "thread_id": "5448",
            "caller": "0x7ff6c28c883e",
            "parentcaller": "0x7ff6c28c846b",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000730"
              },
              {
                "name": "SubKey",
                "value": "PropertyBag"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1e87508d-89c2-42f0-8a7e-645a0f50ca58}\\PropertyBag"
              }
            ],
            "repeated": 0,
            "id": 7008
          },
          {
            "timestamp": "2026-05-28 22:01:57,975",
            "thread_id": "5448",
            "caller": "0x7ff6c28c883e",
            "parentcaller": "0x7ff6c28c846b",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000730"
              }
            ],
            "repeated": 0,
            "id": 7009
          },
          {
            "timestamp": "2026-05-28 22:01:57,975",
            "thread_id": "5448",
            "caller": "0x7ff6c28c883e",
            "parentcaller": "0x7ff6c28c846b",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 7010
          },
          {
            "timestamp": "2026-05-28 22:01:57,975",
            "thread_id": "5448",
            "caller": "0x7ff6c28c883e",
            "parentcaller": "0x7ff6c28c846b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000000d4"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 7011
          },
          {
            "timestamp": "2026-05-28 22:01:57,975",
            "thread_id": "5448",
            "caller": "0x7ff6c28c883e",
            "parentcaller": "0x7ff6c28c846b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000730"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000000d4"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Desktop\\NameSpace"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Desktop\\NameSpace"
              }
            ],
            "repeated": 0,
            "id": 7012
          },
          {
            "timestamp": "2026-05-28 22:01:57,975",
            "thread_id": "5448",
            "caller": "0x7ff6c28c883e",
            "parentcaller": "0x7ff6c28c846b",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000730"
              },
              {
                "name": "ValueName",
                "value": "ValidateRegItems"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Desktop\\NameSpace\\ValidateRegItems"
              }
            ],
            "repeated": 0,
            "id": 7013
          },
          {
            "timestamp": "2026-05-28 22:01:57,990",
            "thread_id": "5448",
            "caller": "0x7ff6c28c883e",
            "parentcaller": "0x7ff6c28c846b",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000730"
              }
            ],
            "repeated": 0,
            "id": 7014
          },
          {
            "timestamp": "2026-05-28 22:01:57,990",
            "thread_id": "5448",
            "caller": "0x7ff6c28c883e",
            "parentcaller": "0x7ff6c28c846b",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 7015
          },
          {
            "timestamp": "2026-05-28 22:01:57,990",
            "thread_id": "5448",
            "caller": "0x7ff6c28c883e",
            "parentcaller": "0x7ff6c28c846b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000000d4"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 7016
          },
          {
            "timestamp": "2026-05-28 22:01:57,990",
            "thread_id": "5448",
            "caller": "0x7ff6c28c883e",
            "parentcaller": "0x7ff6c28c846b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000730"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000000d4"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Desktop\\NameSpace"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Desktop\\NameSpace"
              }
            ],
            "repeated": 0,
            "id": 7017
          },
          {
            "timestamp": "2026-05-28 22:01:57,990",
            "thread_id": "5448",
            "caller": "0x7ff6c28c883e",
            "parentcaller": "0x7ff6c28c846b",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000730"
              },
              {
                "name": "ValueName",
                "value": "MonitorRegistry"
              },
              {
                "name": "Data",
                "value": "1"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Desktop\\NameSpace\\MonitorRegistry"
              }
            ],
            "repeated": 0,
            "id": 7018
          },
          {
            "timestamp": "2026-05-28 22:01:57,990",
            "thread_id": "5448",
            "caller": "0x7ff6c28c883e",
            "parentcaller": "0x7ff6c28c846b",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000730"
              }
            ],
            "repeated": 0,
            "id": 7019
          },
          {
            "timestamp": "2026-05-28 22:01:57,990",
            "thread_id": "5448",
            "caller": "0x7ff6c28c883e",
            "parentcaller": "0x7ff6c28c846b",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000000",
                "pretty_value": "HKEY_CLASSES_ROOT"
              },
              {
                "name": "SubKey",
                "value": "CLSID\\{4234D49B-0245-4DF3-B780-3893943456E1}"
              },
              {
                "name": "Handle",
                "value": "0x00000732"
              },
              {
                "name": "FullName",
                "value": "HKEY_CLASSES_ROOT\\CLSID\\{4234D49B-0245-4DF3-B780-3893943456E1}"
              }
            ],
            "repeated": 0,
            "id": 7020
          },
          {
            "timestamp": "2026-05-28 22:01:57,990",
            "thread_id": "5448",
            "caller": "0x7ff6c28c883e",
            "parentcaller": "0x7ff6c28c846b",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000732"
              },
              {
                "name": "ValueName",
                "value": "SortOrderIndex"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{4234d49b-0245-4df3-b780-3893943456e1}\\SortOrderIndex"
              }
            ],
            "repeated": 0,
            "id": 7021
          },
          {
            "timestamp": "2026-05-28 22:01:57,990",
            "thread_id": "5448",
            "caller": "0x7ff6c28c883e",
            "parentcaller": "0x7ff6c28c846b",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000732"
              }
            ],
            "repeated": 0,
            "id": 7022
          },
          {
            "timestamp": "2026-05-28 22:01:57,990",
            "thread_id": "5448",
            "caller": "0x7ff6c28c883e",
            "parentcaller": "0x7ff6c28c846b",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000000",
                "pretty_value": "HKEY_CLASSES_ROOT"
              },
              {
                "name": "SubKey",
                "value": "CLSID\\{4234D49B-0245-4DF3-B780-3893943456E1}\\ShellFolder"
              },
              {
                "name": "Handle",
                "value": "0x00000732"
              },
              {
                "name": "FullName",
                "value": "HKEY_CLASSES_ROOT\\CLSID\\{4234D49B-0245-4DF3-B780-3893943456E1}\\ShellFolder"
              }
            ],
            "repeated": 0,
            "id": 7023
          },
          {
            "timestamp": "2026-05-28 22:01:57,990",
            "thread_id": "5448",
            "caller": "0x7ff6c28c883e",
            "parentcaller": "0x7ff6c28c846b",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000732"
              },
              {
                "name": "ValueName",
                "value": "Attributes"
              },
              {
                "name": "Data",
                "value": "537919488"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{4234d49b-0245-4df3-b780-3893943456e1}\\ShellFolder\\Attributes"
              }
            ],
            "repeated": 0,
            "id": 7024
          },
          {
            "timestamp": "2026-05-28 22:01:57,990",
            "thread_id": "5448",
            "caller": "0x7ff6c28c883e",
            "parentcaller": "0x7ff6c28c846b",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000732"
              },
              {
                "name": "ValueName",
                "value": "CallForAttributes"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{4234d49b-0245-4df3-b780-3893943456e1}\\ShellFolder\\CallForAttributes"
              }
            ],
            "repeated": 0,
            "id": 7025
          },
          {
            "timestamp": "2026-05-28 22:01:57,990",
            "thread_id": "5448",
            "caller": "0x7ff6c28c883e",
            "parentcaller": "0x7ff6c28c846b",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000732"
              },
              {
                "name": "ValueName",
                "value": "RestrictedAttributes"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{4234d49b-0245-4df3-b780-3893943456e1}\\ShellFolder\\RestrictedAttributes"
              }
            ],
            "repeated": 0,
            "id": 7026
          },
          {
            "timestamp": "2026-05-28 22:01:57,990",
            "thread_id": "5448",
            "caller": "0x7ff6c28c883e",
            "parentcaller": "0x7ff6c28c846b",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000732"
              },
              {
                "name": "ValueName",
                "value": "FolderValueFlags"
              },
              {
                "name": "Data",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{4234d49b-0245-4df3-b780-3893943456e1}\\ShellFolder\\FolderValueFlags"
              }
            ],
            "repeated": 0,
            "id": 7027
          },
          {
            "timestamp": "2026-05-28 22:01:57,990",
            "thread_id": "5448",
            "caller": "0x7ff6c28c883e",
            "parentcaller": "0x7ff6c28c846b",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000732"
              }
            ],
            "repeated": 0,
            "id": 7028
          },
          {
            "timestamp": "2026-05-28 22:01:57,990",
            "thread_id": "5448",
            "caller": "0x7ff6c28c883e",
            "parentcaller": "0x7ff6c28c846b",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000001",
                "pretty_value": "HKEY_CURRENT_USER"
              },
              {
                "name": "SubKey",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\CLSID\\{4234D49B-0245-4DF3-B780-3893943456E1}\\ShellFolder"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\CLSID\\{4234D49B-0245-4DF3-B780-3893943456E1}\\ShellFolder"
              }
            ],
            "repeated": 0,
            "id": 7029
          },
          {
            "timestamp": "2026-05-28 22:01:57,990",
            "thread_id": "5448",
            "caller": "0x7ff6c28c883e",
            "parentcaller": "0x7ff6c28c846b",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\CLSID\\{4234D49B-0245-4DF3-B780-3893943456E1}\\ShellFolder"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\CLSID\\{4234D49B-0245-4DF3-B780-3893943456E1}\\ShellFolder"
              }
            ],
            "repeated": 0,
            "id": 7030
          },
          {
            "timestamp": "2026-05-28 22:01:57,990",
            "thread_id": "5448",
            "caller": "0x7ff6c28c883e",
            "parentcaller": "0x7ff6c28c846b",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000001",
                "pretty_value": "HKEY_CURRENT_USER"
              },
              {
                "name": "SubKey",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\NonEnum"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\NonEnum"
              }
            ],
            "repeated": 0,
            "id": 7031
          },
          {
            "timestamp": "2026-05-28 22:01:57,990",
            "thread_id": "5448",
            "caller": "0x7ff6c28c883e",
            "parentcaller": "0x7ff6c28c846b",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\NonEnum"
              },
              {
                "name": "Handle",
                "value": "0x00000730"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\NonEnum"
              }
            ],
            "repeated": 0,
            "id": 7032
          },
          {
            "timestamp": "2026-05-28 22:01:57,990",
            "thread_id": "5448",
            "caller": "0x7ff6c28c883e",
            "parentcaller": "0x7ff6c28c846b",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000730"
              },
              {
                "name": "ValueName",
                "value": "{4234D49B-0245-4DF3-B780-3893943456E1}"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\NonEnum\\{4234D49B-0245-4DF3-B780-3893943456E1}"
              }
            ],
            "repeated": 0,
            "id": 7033
          },
          {
            "timestamp": "2026-05-28 22:01:57,990",
            "thread_id": "5448",
            "caller": "0x7ff6c28c883e",
            "parentcaller": "0x7ff6c28c846b",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000730"
              }
            ],
            "repeated": 0,
            "id": 7034
          },
          {
            "timestamp": "2026-05-28 22:01:57,990",
            "thread_id": "5448",
            "caller": "0x7ff6c28c883e",
            "parentcaller": "0x7ff6c28c846b",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\ShellCompatibility\\Objects\\{4234D49B-0245-4DF3-B780-3893943456E1}"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\ShellCompatibility\\Objects\\{4234D49B-0245-4DF3-B780-3893943456E1}"
              }
            ],
            "repeated": 0,
            "id": 7035
          },
          {
            "timestamp": "2026-05-28 22:01:57,990",
            "thread_id": "5448",
            "caller": "0x7ff6c28c883e",
            "parentcaller": "0x7ff6c28c846b",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Desktop\\NameSpace\\{4234D49B-0245-4DF3-B780-3893943456E1}"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Desktop\\NameSpace\\{4234D49B-0245-4DF3-B780-3893943456E1}"
              }
            ],
            "repeated": 0,
            "id": 7036
          },
          {
            "timestamp": "2026-05-28 22:01:57,990",
            "thread_id": "5448",
            "caller": "0x7ff6c28c883e",
            "parentcaller": "0x7ff6c28c846b",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000001",
                "pretty_value": "HKEY_CURRENT_USER"
              },
              {
                "name": "SubKey",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Desktop\\NameSpace\\{4234D49B-0245-4DF3-B780-3893943456E1}"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Desktop\\NameSpace\\{4234D49B-0245-4DF3-B780-3893943456E1}"
              }
            ],
            "repeated": 0,
            "id": 7037
          },
          {
            "timestamp": "2026-05-28 22:01:57,990",
            "thread_id": "5448",
            "caller": "0x7ff6c28c883e",
            "parentcaller": "0x7ff6c28c846b",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer"
              },
              {
                "name": "Handle",
                "value": "0x00000730"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer"
              }
            ],
            "repeated": 0,
            "id": 7038
          },
          {
            "timestamp": "2026-05-28 22:01:57,990",
            "thread_id": "5448",
            "caller": "0x7ff6c28c883e",
            "parentcaller": "0x7ff6c28c846b",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000730"
              },
              {
                "name": "ValueName",
                "value": "PreXPSP2ShellProtocolBehavior"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\PreXPSP2ShellProtocolBehavior"
              }
            ],
            "repeated": 0,
            "id": 7039
          },
          {
            "timestamp": "2026-05-28 22:01:57,990",
            "thread_id": "5448",
            "caller": "0x7ff6c28c883e",
            "parentcaller": "0x7ff6c28c846b",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000730"
              }
            ],
            "repeated": 0,
            "id": 7040
          },
          {
            "timestamp": "2026-05-28 22:01:57,990",
            "thread_id": "5448",
            "caller": "0x7ff6c28c883e",
            "parentcaller": "0x7ff6c28c846b",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000001",
                "pretty_value": "HKEY_CURRENT_USER"
              },
              {
                "name": "SubKey",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer"
              }
            ],
            "repeated": 0,
            "id": 7041
          },
          {
            "timestamp": "2026-05-28 22:01:57,990",
            "thread_id": "5448",
            "caller": "0x7ff6c28c883e",
            "parentcaller": "0x7ff6c28c846b",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 7042
          },
          {
            "timestamp": "2026-05-28 22:01:57,990",
            "thread_id": "5448",
            "caller": "0x7ff6c28c883e",
            "parentcaller": "0x7ff6c28c846b",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000000",
                "pretty_value": "HKEY_CLASSES_ROOT"
              },
              {
                "name": "SubKey",
                "value": "CLSID\\{4234D49B-0245-4DF3-B780-3893943456E1}\\Instance"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_CLASSES_ROOT\\CLSID\\{4234D49B-0245-4DF3-B780-3893943456E1}\\Instance"
              }
            ],
            "repeated": 0,
            "id": 7043
          },
          {
            "timestamp": "2026-05-28 22:01:57,990",
            "thread_id": "5448",
            "caller": "0x7ff6c28c883e",
            "parentcaller": "0x7ff6c28c846b",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "shell32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76730000"
              }
            ],
            "repeated": 0,
            "id": 7044
          },
          {
            "timestamp": "2026-05-28 22:01:57,990",
            "thread_id": "5448",
            "caller": "0x7ff6c28c883e",
            "parentcaller": "0x7ff6c28c846b",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x7ffc76730000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "shell32.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 7045
          },
          {
            "timestamp": "2026-05-28 22:01:57,990",
            "thread_id": "5448",
            "caller": "0x7ff6c28c883e",
            "parentcaller": "0x7ff6c28c846b",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "SHELL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc76730000"
              },
              {
                "name": "FunctionName",
                "value": "DllGetClassObject"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc767878f0"
              }
            ],
            "repeated": 0,
            "id": 7046
          },
          {
            "timestamp": "2026-05-28 22:01:57,990",
            "thread_id": "5448",
            "caller": "0x7ff6c28c883e",
            "parentcaller": "0x7ff6c28c846b",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000000",
                "pretty_value": "HKEY_CLASSES_ROOT"
              },
              {
                "name": "SubKey",
                "value": "CLSID\\{4234D49B-0245-4DF3-B780-3893943456E1}\\Instance"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_CLASSES_ROOT\\CLSID\\{4234D49B-0245-4DF3-B780-3893943456E1}\\Instance"
              }
            ],
            "repeated": 0,
            "id": 7047
          },
          {
            "timestamp": "2026-05-28 22:01:57,990",
            "thread_id": "5448",
            "caller": "0x7ff6c28c883e",
            "parentcaller": "0x7ff6c28c846b",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x00000730"
              }
            ],
            "repeated": 0,
            "id": 7048
          },
          {
            "timestamp": "2026-05-28 22:01:57,990",
            "thread_id": "5448",
            "caller": "0x7ff6c28c883e",
            "parentcaller": "0x7ff6c28c846b",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "18"
              },
              {
                "name": "TokenInformation",
                "value": "\\x01\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 7049
          },
          {
            "timestamp": "2026-05-28 22:01:57,990",
            "thread_id": "5448",
            "caller": "0x7ff6c28c883e",
            "parentcaller": "0x7ff6c28c846b",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "20"
              },
              {
                "name": "TokenInformation",
                "value": "\\x01\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 7050
          },
          {
            "timestamp": "2026-05-28 22:01:57,990",
            "thread_id": "5448",
            "caller": "0x7ff6c28c883e",
            "parentcaller": "0x7ff6c28c846b",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000730"
              }
            ],
            "repeated": 0,
            "id": 7051
          },
          {
            "timestamp": "2026-05-28 22:01:57,990",
            "thread_id": "5448",
            "caller": "0x7ff6c28c883e",
            "parentcaller": "0x7ff6c28c846b",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "Software\\Classes\\CLSID\\{4234D49B-0245-4DF3-B780-3893943456E1}\\InProcServer32"
              },
              {
                "name": "Handle",
                "value": "0x00000730"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Classes\\CLSID\\{4234D49B-0245-4DF3-B780-3893943456E1}\\InProcServer32"
              }
            ],
            "repeated": 0,
            "id": 7052
          },
          {
            "timestamp": "2026-05-28 22:01:57,990",
            "thread_id": "5448",
            "caller": "0x7ff6c28c883e",
            "parentcaller": "0x7ff6c28c846b",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000730"
              },
              {
                "name": "ValueName",
                "value": ""
              },
              {
                "name": "Data",
                "value": "C:\\Windows\\System32\\appresolver.dll"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{4234d49b-0245-4df3-b780-3893943456e1}\\InProcServer32\\(Default)"
              }
            ],
            "repeated": 0,
            "id": 7053
          },
          {
            "timestamp": "2026-05-28 22:01:57,990",
            "thread_id": "5448",
            "caller": "0x7ff6c28c883e",
            "parentcaller": "0x7ff6c28c846b",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000730"
              },
              {
                "name": "ValueName",
                "value": "LoadWithoutCOM"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{4234d49b-0245-4df3-b780-3893943456e1}\\InProcServer32\\LoadWithoutCOM"
              }
            ],
            "repeated": 0,
            "id": 7054
          },
          {
            "timestamp": "2026-05-28 22:01:57,990",
            "thread_id": "5448",
            "caller": "0x7ff6c28c883e",
            "parentcaller": "0x7ff6c28c846b",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000730"
              }
            ],
            "repeated": 0,
            "id": 7055
          },
          {
            "timestamp": "2026-05-28 22:01:57,990",
            "thread_id": "5448",
            "caller": "0x7ff6c28c883e",
            "parentcaller": "0x7ff6c28c846b",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Shell Extensions\\Blocked"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Shell Extensions\\Blocked"
              }
            ],
            "repeated": 0,
            "id": 7056
          },
          {
            "timestamp": "2026-05-28 22:01:57,990",
            "thread_id": "5448",
            "caller": "0x7ff6c28c883e",
            "parentcaller": "0x7ff6c28c846b",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000001",
                "pretty_value": "HKEY_CURRENT_USER"
              },
              {
                "name": "SubKey",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Shell Extensions\\Blocked"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Shell Extensions\\Blocked"
              }
            ],
            "repeated": 0,
            "id": 7057
          },
          {
            "timestamp": "2026-05-28 22:01:57,990",
            "thread_id": "5448",
            "caller": "0x7ff6c28c883e",
            "parentcaller": "0x7ff6c28c846b",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "93"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x7f7\\x9e}"
              }
            ],
            "repeated": 0,
            "id": 7058
          },
          {
            "timestamp": "2026-05-28 22:01:57,990",
            "thread_id": "5448",
            "caller": "0x7ff6c28c883e",
            "parentcaller": "0x7ff6c28c846b",
            "category": "process",
            "api": "NtOpenSection",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0000000d"
              },
              {
                "name": "ObjectAttributes",
                "value": "apphelp.dll"
              }
            ],
            "repeated": 0,
            "id": 7059
          },
          {
            "timestamp": "2026-05-28 22:01:57,990",
            "thread_id": "5448",
            "caller": "0x7ff6c28c883e",
            "parentcaller": "0x7ff6c28c846b",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\apphelp.dll"
              }
            ],
            "repeated": 0,
            "id": 7060
          },
          {
            "timestamp": "2026-05-28 22:01:57,990",
            "thread_id": "5448",
            "caller": "0x7ff6c28c883e",
            "parentcaller": "0x7ff6c28c846b",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000730"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100021",
                "pretty_value": "FILE_READ_ACCESS|FILE_EXECUTE|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\apphelp.dll"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 7061
          },
          {
            "timestamp": "2026-05-28 22:01:57,990",
            "thread_id": "5448",
            "caller": "0x7ff6c28c883e",
            "parentcaller": "0x7ff6c28c846b",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000734"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0000000d",
                "pretty_value": "SECTION_QUERY|SECTION_MAP_READ|SECTION_MAP_EXECUTE"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000730"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\apphelp.dll"
              }
            ],
            "repeated": 0,
            "id": 7062
          },
          {
            "timestamp": "2026-05-28 22:01:57,990",
            "thread_id": "5448",
            "caller": "0x7ff6c28c883e",
            "parentcaller": "0x7ff6c28c846b",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000734"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc72ef0000"
              },
              {
                "name": "SectionOffset",
                "value": "0x00000000"
              },
              {
                "name": "ViewSize",
                "value": "0x00090000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000080",
                "pretty_value": "PAGE_EXECUTE_WRITECOPY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 7063
          },
          {
            "timestamp": "2026-05-28 22:01:57,990",
            "thread_id": "5448",
            "caller": "0x7ff6c28c883e",
            "parentcaller": "0x7ff6c28c846b",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc72f41000"
              },
              {
                "name": "ModuleName",
                "value": "apphelp.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 7064
          },
          {
            "timestamp": "2026-05-28 22:01:57,990",
            "thread_id": "5448",
            "caller": "0x7ff6c28c883e",
            "parentcaller": "0x7ff6c28c846b",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc72f41000"
              },
              {
                "name": "ModuleName",
                "value": "apphelp.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 7065
          },
          {
            "timestamp": "2026-05-28 22:01:57,990",
            "thread_id": "5448",
            "caller": "0x7ff6c28c883e",
            "parentcaller": "0x7ff6c28c846b",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc72f41000"
              },
              {
                "name": "ModuleName",
                "value": "apphelp.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 7066
          },
          {
            "timestamp": "2026-05-28 22:01:57,990",
            "thread_id": "5448",
            "caller": "0x7ff6c28c883e",
            "parentcaller": "0x7ff6c28c846b",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc72f41000"
              },
              {
                "name": "ModuleName",
                "value": "apphelp.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 7067
          },
          {
            "timestamp": "2026-05-28 22:01:57,990",
            "thread_id": "5448",
            "caller": "0x7ff6c28c883e",
            "parentcaller": "0x7ff6c28c846b",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc72f40000"
              },
              {
                "name": "ModuleName",
                "value": "apphelp.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00002000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 7068
          },
          {
            "timestamp": "2026-05-28 22:01:57,990",
            "thread_id": "5448",
            "caller": "0x7ff6c28c883e",
            "parentcaller": "0x7ff6c28c846b",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000734"
              }
            ],
            "repeated": 0,
            "id": 7069
          },
          {
            "timestamp": "2026-05-28 22:01:57,990",
            "thread_id": "5448",
            "caller": "0x7ff6c28c883e",
            "parentcaller": "0x7ff6c28c846b",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000730"
              }
            ],
            "repeated": 0,
            "id": 7070
          },
          {
            "timestamp": "2026-05-28 22:01:57,990",
            "thread_id": "5448",
            "caller": "0x7ff6c28c883e",
            "parentcaller": "0x7ff6c28c846b",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc72f40000"
              },
              {
                "name": "ModuleName",
                "value": "apphelp.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00002000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 7071
          },
          {
            "timestamp": "2026-05-28 22:01:57,990",
            "thread_id": "5448",
            "caller": "0x7ff6c28c883e",
            "parentcaller": "0x7ff6c28c846b",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\SYSTEM32\\apphelp"
              },
              {
                "name": "DllBase",
                "value": "0x7ffc72ef0000"
              }
            ],
            "repeated": 0,
            "id": 7072
          },
          {
            "timestamp": "2026-05-28 22:01:57,990",
            "thread_id": "5448",
            "caller": "0x7ff6c28c883e",
            "parentcaller": "0x7ff6c28c846b",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "ntdll.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc77fd0000"
              }
            ],
            "repeated": 0,
            "id": 7073
          },
          {
            "timestamp": "2026-05-28 22:01:57,990",
            "thread_id": "5448",
            "caller": "0x7ff6c28c883e",
            "parentcaller": "0x7ff6c28c846b",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x7ffc77fd0000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "ntdll.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00000800"
              }
            ],
            "repeated": 0,
            "id": 7074
          },
          {
            "timestamp": "2026-05-28 22:01:57,990",
            "thread_id": "5448",
            "caller": "0x7ff6c28c883e",
            "parentcaller": "0x7ff6c28c846b",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc77fd0000"
              },
              {
                "name": "FunctionName",
                "value": "RtlGetNtSystemRoot"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc77fe6bb0"
              }
            ],
            "repeated": 0,
            "id": 7075
          },
          {
            "timestamp": "2026-05-28 22:01:57,990",
            "thread_id": "5448",
            "caller": "0x7ff6c28c883e",
            "parentcaller": "0x7ff6c28c846b",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000730"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Microsoft\\Windows NT\\CurrentVersion\\AppCompatFlags"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\AppCompatFlags"
              }
            ],
            "repeated": 0,
            "id": 7076
          },
          {
            "timestamp": "2026-05-28 22:01:57,990",
            "thread_id": "5448",
            "caller": "0x7ff6c28c883e",
            "parentcaller": "0x7ff6c28c846b",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000730"
              },
              {
                "name": "ValueName",
                "value": "LogFlags"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\AppCompatFlags\\LogFlags"
              }
            ],
            "repeated": 0,
            "id": 7077
          },
          {
            "timestamp": "2026-05-28 22:01:57,990",
            "thread_id": "5448",
            "caller": "0x7ff6c28c883e",
            "parentcaller": "0x7ff6c28c846b",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000730"
              }
            ],
            "repeated": 0,
            "id": 7078
          },
          {
            "timestamp": "2026-05-28 22:01:57,990",
            "thread_id": "5448",
            "caller": "0x7ff6c28c883e",
            "parentcaller": "0x7ff6c28c846b",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254222000"
              },
              {
                "name": "RegionSize",
                "value": "0x00003000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 7079
          },
          {
            "timestamp": "2026-05-28 22:01:57,990",
            "thread_id": "5448",
            "caller": "0x7ff6c28c883e",
            "parentcaller": "0x7ff6c28c846b",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "api-ms-win-eventing-provider-l1-1-0.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc756b0000"
              }
            ],
            "repeated": 0,
            "id": 7080
          },
          {
            "timestamp": "2026-05-28 22:01:57,990",
            "thread_id": "5448",
            "caller": "0x7ff6c28c883e",
            "parentcaller": "0x7ff6c28c846b",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "KERNELBASE.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc756b0000"
              },
              {
                "name": "FunctionName",
                "value": "EventSetInformation"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc78012af0"
              }
            ],
            "repeated": 0,
            "id": 7081
          },
          {
            "timestamp": "2026-05-28 22:01:57,990",
            "thread_id": "5448",
            "caller": "0x7ff6c28c883e",
            "parentcaller": "0x7ff6c28c846b",
            "category": "system",
            "api": "LdrpCallInitRoutine",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "MappedPath",
                "value": "\\Device\\HarddiskVolume2\\Windows\\System32\\apphelp"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc72ef0000"
              },
              {
                "name": "InitRoutine",
                "value": "0x7ffc72f00960"
              },
              {
                "name": "Reason",
                "value": "1"
              }
            ],
            "repeated": 0,
            "id": 7082
          },
          {
            "timestamp": "2026-05-28 22:01:57,990",
            "thread_id": "5448",
            "caller": "0x7ff6c28c883e",
            "parentcaller": "0x7ff6c28c846b",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc73f06000"
              },
              {
                "name": "ModuleName",
                "value": "windows.storage.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 7083
          },
          {
            "timestamp": "2026-05-28 22:01:57,990",
            "thread_id": "5448",
            "caller": "0x7ff6c28c883e",
            "parentcaller": "0x7ff6c28c846b",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc73f06000"
              },
              {
                "name": "ModuleName",
                "value": "windows.storage.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 7084
          },
          {
            "timestamp": "2026-05-28 22:01:57,990",
            "thread_id": "5448",
            "caller": "0x7ff6c28c883e",
            "parentcaller": "0x7ff6c28c846b",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000734"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80000000",
                "pretty_value": "0x80000000"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Classes\\CLSID\\{4234d49b-0245-4df3-b780-3893943456e1}\\InProcServer32"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Classes\\CLSID\\{4234d49b-0245-4df3-b780-3893943456e1}\\InProcServer32"
              }
            ],
            "repeated": 0,
            "id": 7085
          },
          {
            "timestamp": "2026-05-28 22:01:57,990",
            "thread_id": "5448",
            "caller": "0x7ff6c28c883e",
            "parentcaller": "0x7ff6c28c846b",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000734"
              },
              {
                "name": "ValueName",
                "value": ""
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "Information",
                "value": "C:\\Windows\\System32\\appresolver.dll"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{4234d49b-0245-4df3-b780-3893943456e1}\\InProcServer32\\(Default)"
              }
            ],
            "repeated": 0,
            "id": 7086
          },
          {
            "timestamp": "2026-05-28 22:01:57,990",
            "thread_id": "5448",
            "caller": "0x7ff6c28c883e",
            "parentcaller": "0x7ff6c28c846b",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000734"
              }
            ],
            "repeated": 0,
            "id": 7087
          },
          {
            "timestamp": "2026-05-28 22:01:57,990",
            "thread_id": "5448",
            "caller": "0x7ff6c28c883e",
            "parentcaller": "0x7ff6c28c846b",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "appresolver.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc610f0000"
              }
            ],
            "repeated": 0,
            "id": 7088
          },
          {
            "timestamp": "2026-05-28 22:01:57,990",
            "thread_id": "5448",
            "caller": "0x7ff6c28c883e",
            "parentcaller": "0x7ff6c28c846b",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000000",
                "pretty_value": "HKEY_CLASSES_ROOT"
              },
              {
                "name": "SubKey",
                "value": "CLSID\\{4234D49B-0245-4DF3-B780-3893943456E1}\\ShellFolder"
              },
              {
                "name": "Handle",
                "value": "0x00000736"
              },
              {
                "name": "FullName",
                "value": "HKEY_CLASSES_ROOT\\CLSID\\{4234D49B-0245-4DF3-B780-3893943456E1}\\ShellFolder"
              }
            ],
            "repeated": 0,
            "id": 7089
          },
          {
            "timestamp": "2026-05-28 22:01:57,990",
            "thread_id": "5448",
            "caller": "0x7ff6c28c883e",
            "parentcaller": "0x7ff6c28c846b",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000736"
              }
            ],
            "repeated": 0,
            "id": 7090
          },
          {
            "timestamp": "2026-05-28 22:01:57,990",
            "thread_id": "5448",
            "caller": "0x7ff6c28c883e",
            "parentcaller": "0x7ff6c28c846b",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 7091
          },
          {
            "timestamp": "2026-05-28 22:01:57,990",
            "thread_id": "5448",
            "caller": "0x7ff6c28c883e",
            "parentcaller": "0x7ff6c28c846b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000278"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 7092
          },
          {
            "timestamp": "2026-05-28 22:01:57,990",
            "thread_id": "5448",
            "caller": "0x7ff6c28c883e",
            "parentcaller": "0x7ff6c28c846b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000734"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000278"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Shell Extensions\\Cached"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Shell Extensions\\Cached"
              }
            ],
            "repeated": 0,
            "id": 7093
          },
          {
            "timestamp": "2026-05-28 22:01:57,990",
            "thread_id": "5448",
            "caller": "0x7ff6c28c883e",
            "parentcaller": "0x7ff6c28c846b",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000734"
              },
              {
                "name": "ValueName",
                "value": "{4234D49B-0245-4DF3-B780-3893943456E1} {000214E6-0000-0000-C000-000000000046} 0xFFFF"
              },
              {
                "name": "Data",
                "value": "\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x13\\xde\\x02\\xb0\\xb6\\xee\\xdc\\x01"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Shell Extensions\\Cached\\{4234D49B-0245-4DF3-B780-3893943456E1} {000214E6-0000-0000-C000-000000000046} 0xFFFF"
              }
            ],
            "repeated": 0,
            "id": 7094
          },
          {
            "timestamp": "2026-05-28 22:01:57,990",
            "thread_id": "5448",
            "caller": "0x7ff6c28c883e",
            "parentcaller": "0x7ff6c28c846b",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000734"
              }
            ],
            "repeated": 0,
            "id": 7095
          },
          {
            "timestamp": "2026-05-28 22:01:57,990",
            "thread_id": "5448",
            "caller": "0x7ff6c28c883e",
            "parentcaller": "0x7ff6c28c846b",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "4234D49B-0245-4DF3-B780-3893943456E1"
              },
              {
                "name": "ClsContext",
                "value": "0x00000401",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_NO_CODE_DOWNLOAD"
              },
              {
                "name": "riid",
                "value": "000214E6-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 7096
          },
          {
            "timestamp": "2026-05-28 22:01:57,990",
            "thread_id": "5448",
            "caller": "0x7ff6c28c883e",
            "parentcaller": "0x7ff6c28c846b",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\ShellCompatibility\\Objects\\{4234D49B-0245-4DF3-B780-3893943456E1}"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\ShellCompatibility\\Objects\\{4234D49B-0245-4DF3-B780-3893943456E1}"
              }
            ],
            "repeated": 0,
            "id": 7097
          },
          {
            "timestamp": "2026-05-28 22:01:57,990",
            "thread_id": "5448",
            "caller": "0x7ff6c28c883e",
            "parentcaller": "0x7ff6c28c846b",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "660B90C8-73A9-4B58-8CAE-355B7F55341B"
              },
              {
                "name": "ClsContext",
                "value": "0x00000003",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER"
              },
              {
                "name": "riid",
                "value": "02C5CCF3-805F-4654-A7B7-340A74335365"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 7098
          },
          {
            "timestamp": "2026-05-28 22:01:57,990",
            "thread_id": "5448",
            "caller": "0x7ff6c28c883e",
            "parentcaller": "0x7ff6c28c846b",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "1F486A52-3CB1-48FD-8F50-B8DC300D9F9D"
              },
              {
                "name": "ClsContext",
                "value": "0x00000001",
                "pretty_value": "CLSCTX_INPROC_SERVER"
              },
              {
                "name": "riid",
                "value": "ECF31D61-E474-453C-BEE7-DE68E441C6D0"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 7099
          },
          {
            "timestamp": "2026-05-28 22:01:57,990",
            "thread_id": "5448",
            "caller": "0x7ff6c28c883e",
            "parentcaller": "0x7ff6c28c846b",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0xfffffffc"
              }
            ],
            "repeated": 1,
            "id": 7100
          },
          {
            "timestamp": "2026-05-28 22:01:57,990",
            "thread_id": "5448",
            "caller": "0x7ff6c28c883e",
            "parentcaller": "0x7ff6c28c846b",
            "category": "process",
            "api": "NtOpenSection",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000004"
              },
              {
                "name": "ObjectAttributes",
                "value": "Local\\C:*Users*admin*AppData*Local*Microsoft*Windows*Caches*cversions.3"
              }
            ],
            "repeated": 0,
            "id": 7101
          },
          {
            "timestamp": "2026-05-28 22:01:57,990",
            "thread_id": "5448",
            "caller": "0x7ff6c28c883e",
            "parentcaller": "0x7ff6c28c846b",
            "category": "process",
            "api": "NtOpenSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x0000072c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000004"
              },
              {
                "name": "ObjectAttributes",
                "value": "Local\\C:*Users*admin*AppData*Local*Microsoft*Windows*Caches*cversions.3.ro"
              }
            ],
            "repeated": 0,
            "id": 7102
          },
          {
            "timestamp": "2026-05-28 22:01:57,990",
            "thread_id": "5448",
            "caller": "0x7ff6c28c883e",
            "parentcaller": "0x7ff6c28c846b",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x0000072c"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254670000"
              },
              {
                "name": "SectionOffset",
                "value": "0xf09ddfce00"
              },
              {
                "name": "ViewSize",
                "value": "0x00004000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 7103
          },
          {
            "timestamp": "2026-05-28 22:01:57,990",
            "thread_id": "5448",
            "caller": "0x7ff6c28c883e",
            "parentcaller": "0x7ff6c28c846b",
            "category": "process",
            "api": "NtOpenSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000738"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000004"
              },
              {
                "name": "ObjectAttributes",
                "value": "Local\\C:*Users*admin*AppData*Local*Microsoft*Windows*Caches*{3DA71D5A-20CC-432F-A115-DFE92379E91F}.3.ver0x0000000000000013.db"
              }
            ],
            "repeated": 0,
            "id": 7104
          },
          {
            "timestamp": "2026-05-28 22:01:57,990",
            "thread_id": "5448",
            "caller": "0x7ff6c28c883e",
            "parentcaller": "0x7ff6c28c846b",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000738"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254680000"
              },
              {
                "name": "SectionOffset",
                "value": "0xf09ddfdd60"
              },
              {
                "name": "ViewSize",
                "value": "0x00014000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 7105
          },
          {
            "timestamp": "2026-05-28 22:01:57,990",
            "thread_id": "5448",
            "caller": "0x7ff6c28c883e",
            "parentcaller": "0x7ff6c28c846b",
            "category": "system",
            "api": "GetUserDefaultLCID",
            "status": true,
            "return": "0x00000c09",
            "arguments": [
              {
                "name": "SystemDefaultLangID",
                "value": "0x00000c09"
              },
              {
                "name": "LanguageName",
                "value": "English (Australia)"
              }
            ],
            "repeated": 0,
            "id": 7106
          },
          {
            "timestamp": "2026-05-28 22:01:57,990",
            "thread_id": "5448",
            "caller": "0x7ff6c28c883e",
            "parentcaller": "0x7ff6c28c846b",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xc0\\xd9\\xdf\\x9d\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x92\\x02\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\xe9\\x03\\x00\\x00\\x00\\x00\\x00\\x00`\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x80\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x1fN\\x92\\x02\\x00\\x00\\xb9\\xda\\xdf\\x9d\\xf0\\x00\\x00\\x00\\x07\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 7107
          },
          {
            "timestamp": "2026-05-28 22:01:57,990",
            "thread_id": "5448",
            "caller": "0x7ff6c28c883e",
            "parentcaller": "0x7ff6c28c846b",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000073c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3968686040-3210279463-847977608-1001"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER"
              }
            ],
            "repeated": 0,
            "id": 7108
          },
          {
            "timestamp": "2026-05-28 22:01:57,990",
            "thread_id": "5448",
            "caller": "0x7ff6c28c883e",
            "parentcaller": "0x7ff6c28c846b",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x0000073c"
              },
              {
                "name": "SubKey",
                "value": ""
              },
              {
                "name": "Handle",
                "value": "0x00000740"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\"
              }
            ],
            "repeated": 0,
            "id": 7109
          },
          {
            "timestamp": "2026-05-28 22:01:57,990",
            "thread_id": "5448",
            "caller": "0x7ff6c28c883e",
            "parentcaller": "0x7ff6c28c846b",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000740"
              },
              {
                "name": "SubKey",
                "value": "Control Panel\\International\\User Profile"
              },
              {
                "name": "Handle",
                "value": "0x00000744"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\Control Panel\\International\\User Profile"
              }
            ],
            "repeated": 0,
            "id": 7110
          },
          {
            "timestamp": "2026-05-28 22:01:57,990",
            "thread_id": "5448",
            "caller": "0x7ff6c28c883e",
            "parentcaller": "0x7ff6c28c846b",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000073c"
              }
            ],
            "repeated": 0,
            "id": 7111
          },
          {
            "timestamp": "2026-05-28 22:01:57,990",
            "thread_id": "5448",
            "caller": "0x7ff6c28c883e",
            "parentcaller": "0x7ff6c28c846b",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000744"
              },
              {
                "name": "ValueName",
                "value": "Languages"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\Control Panel\\International\\User Profile\\Languages"
              }
            ],
            "repeated": 0,
            "id": 7112
          },
          {
            "timestamp": "2026-05-28 22:01:57,990",
            "thread_id": "5448",
            "caller": "0x7ff6c28c883e",
            "parentcaller": "0x7ff6c28c846b",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000744"
              },
              {
                "name": "ValueName",
                "value": "Languages"
              },
              {
                "name": "Data",
                "value": "\\x00\\x00"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\Control Panel\\International\\User Profile\\Languages"
              }
            ],
            "repeated": 0,
            "id": 7113
          },
          {
            "timestamp": "2026-05-28 22:01:57,990",
            "thread_id": "5448",
            "caller": "0x7ff6c28c883e",
            "parentcaller": "0x7ff6c28c846b",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000744"
              }
            ],
            "repeated": 0,
            "id": 7114
          },
          {
            "timestamp": "2026-05-28 22:01:57,990",
            "thread_id": "5448",
            "caller": "0x7ff6c28c883e",
            "parentcaller": "0x7ff6c28c846b",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000740"
              }
            ],
            "repeated": 0,
            "id": 7115
          },
          {
            "timestamp": "2026-05-28 22:01:57,990",
            "thread_id": "5448",
            "caller": "0x7ff6c28c883e",
            "parentcaller": "0x7ff6c28c846b",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xe0\\xd5\\xdf\\x9d\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x92\\x02\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\xe9\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00F\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x02\\x00\\x00\\x00\\x00\\x00\\x00j\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 7116
          },
          {
            "timestamp": "2026-05-28 22:01:57,990",
            "thread_id": "5448",
            "caller": "0x7ff6c28c883e",
            "parentcaller": "0x7ff6c28c846b",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000740"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3968686040-3210279463-847977608-1001"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER"
              }
            ],
            "repeated": 0,
            "id": 7117
          },
          {
            "timestamp": "2026-05-28 22:01:57,990",
            "thread_id": "5448",
            "caller": "0x7ff6c28c883e",
            "parentcaller": "0x7ff6c28c846b",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000744"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000740"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Control Panel\\International\\Geo"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Control Panel\\International\\Geo"
              }
            ],
            "repeated": 0,
            "id": 7118
          },
          {
            "timestamp": "2026-05-28 22:01:57,990",
            "thread_id": "5448",
            "caller": "0x7ff6c28c883e",
            "parentcaller": "0x7ff6c28c846b",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000740"
              }
            ],
            "repeated": 0,
            "id": 7119
          },
          {
            "timestamp": "2026-05-28 22:01:57,990",
            "thread_id": "5448",
            "caller": "0x7ff6c28c883e",
            "parentcaller": "0x7ff6c28c846b",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000744"
              },
              {
                "name": "ValueName",
                "value": "Nation"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "Information",
                "value": "12"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\Control Panel\\International\\Geo\\Nation"
              }
            ],
            "repeated": 0,
            "id": 7120
          },
          {
            "timestamp": "2026-05-28 22:01:57,990",
            "thread_id": "5448",
            "caller": "0x7ff6c28c883e",
            "parentcaller": "0x7ff6c28c846b",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000744"
              }
            ],
            "repeated": 0,
            "id": 7121
          },
          {
            "timestamp": "2026-05-28 22:01:57,990",
            "thread_id": "5448",
            "caller": "0x7ff6c28c883e",
            "parentcaller": "0x7ff6c28c846b",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc77fd0000"
              },
              {
                "name": "FunctionName",
                "value": "RtlRegisterFeatureConfigurationChangeNotification"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc77fd93b0"
              }
            ],
            "repeated": 0,
            "id": 7122
          },
          {
            "timestamp": "2026-05-28 22:01:57,990",
            "thread_id": "5448",
            "caller": "0x7ff6c28c883e",
            "parentcaller": "0x7ff6c28c846b",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc77fd0000"
              },
              {
                "name": "FunctionName",
                "value": "NtQueryWnfStateData"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc7806fc40"
              }
            ],
            "repeated": 0,
            "id": 7123
          },
          {
            "timestamp": "2026-05-28 22:01:57,990",
            "thread_id": "5448",
            "caller": "0x7ff6c28c883e",
            "parentcaller": "0x7ff6c28c846b",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc77fd0000"
              },
              {
                "name": "FunctionName",
                "value": "RtlSubscribeWnfStateChangeNotification"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc78012460"
              }
            ],
            "repeated": 0,
            "id": 7124
          },
          {
            "timestamp": "2026-05-28 22:01:57,990",
            "thread_id": "5448",
            "caller": "0x7ff6c28c883e",
            "parentcaller": "0x7ff6c28c846b",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc77fd0000"
              },
              {
                "name": "FunctionName",
                "value": "RtlQueryFeatureConfiguration"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc7802cbd0"
              }
            ],
            "repeated": 0,
            "id": 7125
          },
          {
            "timestamp": "2026-05-28 22:01:57,990",
            "thread_id": "5448",
            "caller": "0x7ff6c28c883e",
            "parentcaller": "0x7ff6c28c846b",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc77fd0000"
              },
              {
                "name": "FunctionName",
                "value": "RtlDllShutdownInProgress"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc78033410"
              }
            ],
            "repeated": 0,
            "id": 7126
          },
          {
            "timestamp": "2026-05-28 22:01:57,990",
            "thread_id": "5448",
            "caller": "0x7ff6c28c883e",
            "parentcaller": "0x7ff6c28c846b",
            "category": "synchronization",
            "api": "NtCreateMutant",
            "status": true,
            "return": "0x40000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000748"
              },
              {
                "name": "MutexName",
                "value": "Local\\SM0:7912:304:WilStaging_02"
              },
              {
                "name": "InitialOwner",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 7127
          },
          {
            "timestamp": "2026-05-28 22:01:57,990",
            "thread_id": "5448",
            "caller": "0x7ff6c28c883e",
            "parentcaller": "0x7ff6c28c846b",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000750"
              }
            ],
            "repeated": 0,
            "id": 7128
          },
          {
            "timestamp": "2026-05-28 22:01:57,990",
            "thread_id": "5448",
            "caller": "0x7ff6c28c883e",
            "parentcaller": "0x7ff6c28c846b",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000074c"
              }
            ],
            "repeated": 0,
            "id": 7129
          },
          {
            "timestamp": "2026-05-28 22:01:57,990",
            "thread_id": "5448",
            "caller": "0x7ff6c28c883e",
            "parentcaller": "0x7ff6c28c846b",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000748"
              }
            ],
            "repeated": 0,
            "id": 7130
          },
          {
            "timestamp": "2026-05-28 22:01:57,990",
            "thread_id": "5448",
            "caller": "0x7ff6c28c883e",
            "parentcaller": "0x7ff6c28c846b",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "0",
                "pretty_value": "ThreadBasicInformation"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x03\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xf0\\x86\\x9d\\xf0\\x00\\x00\\x00\\xe8\\x1e\\x00\\x00\\x00\\x00\\x00\\x00H\\x15\\x00\\x00\\x00\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x0e\\x00\\x00\\x00\\x02\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "5448"
              }
            ],
            "repeated": 0,
            "id": 7131
          },
          {
            "timestamp": "2026-05-28 22:01:57,990",
            "thread_id": "3700",
            "caller": "0x7ffc7571ebae",
            "parentcaller": "0x7ffc775f84de",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "0",
                "pretty_value": "ThreadBasicInformation"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x03\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xf0\\x87\\x9d\\xf0\\x00\\x00\\x00\\xe8\\x1e\\x00\\x00\\x00\\x00\\x00\\x00t\\x0e\\x00\\x00\\x00\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x0b\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "3700"
              }
            ],
            "repeated": 0,
            "id": 7132
          },
          {
            "timestamp": "2026-05-28 22:01:57,990",
            "thread_id": "3700",
            "caller": "0x7ffc77c2dd9d",
            "parentcaller": "0x7ffc77bc7428",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000750"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020119",
                "pretty_value": "KEY_QUERY_VALUE|KEY_ENUMERATE_SUB_KEYS|KEY_NOTIFY|KEY_WOW64_64KEY|STANDARD_RIGHTS_REQUIRED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000003d8"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Windows.Internal.Tiles.TileStore"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.Tiles.TileStore"
              }
            ],
            "repeated": 0,
            "id": 7133
          },
          {
            "timestamp": "2026-05-28 22:01:57,990",
            "thread_id": "3700",
            "caller": "0x7ffc77c2ddf7",
            "parentcaller": "0x7ffc77bc7428",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000750"
              },
              {
                "name": "KeyInformation",
                "value": "7_\\xffea\\xffe6\\xfff8\\xffee\\xffdc\\x01\\x00\\x00\\x00\\x00@\\x00\\x00\\x00W\\x00i\\x00n\\x00d\\x00o\\x00w\\x00s\\x00.\\x00I\\x00n\\x00t\\x00e\\x00r\\x00n\\x00a\\x00l\\x00.\\x00T\\x00i\\x00l\\x00e\\x00s\\x00.\\x00T\\x00i\\x00l\\x00e\\x00S\\x00t\\x00o\\x00r\\x00e\\x002\\x004\\x00\\x00\\x00\\x00\\x00k\\xffb8\\xffffw\\xfffc\\x7f\\x00\\x001\\x00\n\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xff90\\xffa8\\x1fT\\xff92\\x02\\x00\\x00\\xff80\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x1fN\\xff92\\x02\\x00\\x00\\xffe9\\xffe7\\x1f\\xff9e\\xfff0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xffa0\\x14\\x03N\\xff92\\x02\\x00\\x00\\x00\\x00\\x03N\\xff92\\x02\\x00\\x00\\x00\\x00\\x03N\\xff92\\x02\\x00\\x00\\xffc4\\x02\\x03N\\xff92\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\xff92\\x02\\x00\\x00\\xff90\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xffc0\\x0c\\x03N\\xff92\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xffb0E\\xffe7w\\xfffc\\x7f\\x00\\x00\\xfff8\\xfffc!T\\xff92\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xffc0\\xffe8\\x1f\\xff9e\\xfff0\\x00\\x00\\x00\\xff87\\xff9d\\xffbbw\\xfffc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\xff92\\x02\\x00\\x0000\\x1dT\\xff92\\x02\\x00\\x00\\xff80\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xffd0\\xfffc!T\\xff92\\x02\\x00\\x0000\\x1dT\\xff92\\x02\\x00\\x00\\xfff0\\xfff7\\xffebS\\xff92\\x02\\x00\\x00\\xffc7\\xffb3\\xffffw\\xfffc\\x7f\\x00\\x00\\x00\\x00\\x03N\\xff92\\x02\\x00\\x00\\xfff6s\\xffbbw\\xfffc\\x7f\\x00\\x00\\x10<\\x1fT\\xff92\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xffff\\xffff\\xffff\\xffff\\xffff\\xffff\\xffff\\xffff\\xfff0\\xfff7\\xffebS\\xff92\\x02\\x00\\x00@,\\x1dT\\xff92\\x02\\x00\\x00@,\\x1dT\\xff92\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x0000\
\x1dT\\xff92\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xff92\\x02\\x00\\x006\\xff8c\\xffc6w\\xfffc\\x7f\\x00\\x00\\xffd0\\xffac\\x1dT\\xff92\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\xfff0\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xffb0\\xffe9\\x1f\\xff9e\\xfff0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xffb0\\xffe9\\x1f\\xff9e\\xfff0\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 7134
          },
          {
            "timestamp": "2026-05-28 22:01:57,990",
            "thread_id": "3700",
            "caller": "0x7ffc756e2e92",
            "parentcaller": "0x7ffc77c29cb2",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000750"
              },
              {
                "name": "ValueName",
                "value": "ActivationType"
              },
              {
                "name": "Data",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.Tiles.TileStore\\ActivationType"
              }
            ],
            "repeated": 0,
            "id": 7135
          },
          {
            "timestamp": "2026-05-28 22:01:57,990",
            "thread_id": "3700",
            "caller": "0x7ffc77b87deb",
            "parentcaller": "0x7ffc77c38ff0",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000750"
              },
              {
                "name": "ValueName",
                "value": "Server"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.Tiles.TileStore\\Server"
              }
            ],
            "repeated": 0,
            "id": 7136
          },
          {
            "timestamp": "2026-05-28 22:01:57,990",
            "thread_id": "3700",
            "caller": "0x7ffc77b87deb",
            "parentcaller": "0x7ffc77c400bb",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000750"
              },
              {
                "name": "ValueName",
                "value": "DllPath"
              },
              {
                "name": "Data",
                "value": "C:\\Windows\\System32\\TileDataRepository.dll"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.Tiles.TileStore\\DllPath"
              }
            ],
            "repeated": 0,
            "id": 7137
          },
          {
            "timestamp": "2026-05-28 22:01:57,990",
            "thread_id": "3700",
            "caller": "0x7ffc756e2e92",
            "parentcaller": "0x7ffc77c29cb2",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000750"
              },
              {
                "name": "ValueName",
                "value": "Threading"
              },
              {
                "name": "Data",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.Tiles.TileStore\\Threading"
              }
            ],
            "repeated": 0,
            "id": 7138
          },
          {
            "timestamp": "2026-05-28 22:01:57,990",
            "thread_id": "3700",
            "caller": "0x7ffc756e2e92",
            "parentcaller": "0x7ffc77c29cb2",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000750"
              },
              {
                "name": "ValueName",
                "value": "TrustLevel"
              },
              {
                "name": "Data",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.Tiles.TileStore\\TrustLevel"
              }
            ],
            "repeated": 0,
            "id": 7139
          },
          {
            "timestamp": "2026-05-28 22:01:57,990",
            "thread_id": "3700",
            "caller": "0x7ffc77b8c0fc",
            "parentcaller": "0x7ffc77c24170",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000750"
              },
              {
                "name": "SubKey",
                "value": "CustomAttributes"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.Tiles.TileStore\\CustomAttributes"
              }
            ],
            "repeated": 0,
            "id": 7140
          },
          {
            "timestamp": "2026-05-28 22:01:57,990",
            "thread_id": "3700",
            "caller": "0x7ffc77b87deb",
            "parentcaller": "0x7ffc77c38ff0",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000750"
              },
              {
                "name": "ValueName",
                "value": "RemoteServer"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.Tiles.TileStore\\RemoteServer"
              }
            ],
            "repeated": 0,
            "id": 7141
          },
          {
            "timestamp": "2026-05-28 22:01:57,990",
            "thread_id": "3700",
            "caller": "0x7ffc756e2e92",
            "parentcaller": "0x7ffc77c29cb2",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000750"
              },
              {
                "name": "ValueName",
                "value": "ActivateAsUser"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.Tiles.TileStore\\ActivateAsUser"
              }
            ],
            "repeated": 0,
            "id": 7142
          },
          {
            "timestamp": "2026-05-28 22:01:57,990",
            "thread_id": "3700",
            "caller": "0x7ffc756e2e92",
            "parentcaller": "0x7ffc77c29cb2",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000750"
              },
              {
                "name": "ValueName",
                "value": "ActivateInSharedBroker"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.Tiles.TileStore\\ActivateInSharedBroker"
              }
            ],
            "repeated": 0,
            "id": 7143
          },
          {
            "timestamp": "2026-05-28 22:01:57,990",
            "thread_id": "3700",
            "caller": "0x7ffc756e2e92",
            "parentcaller": "0x7ffc77c29cb2",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000750"
              },
              {
                "name": "ValueName",
                "value": "ActivateInBrokerForMediumILContainer"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.Tiles.TileStore\\ActivateInBrokerForMediumILContainer"
              }
            ],
            "repeated": 0,
            "id": 7144
          },
          {
            "timestamp": "2026-05-28 22:01:57,990",
            "thread_id": "3700",
            "caller": "0x7ffc756e2e92",
            "parentcaller": "0x7ffc77c32222",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000750"
              },
              {
                "name": "ValueName",
                "value": "Permissions"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.Tiles.TileStore\\Permissions"
              }
            ],
            "repeated": 0,
            "id": 7145
          },
          {
            "timestamp": "2026-05-28 22:01:57,990",
            "thread_id": "3700",
            "caller": "0x7ffc756e2e92",
            "parentcaller": "0x7ffc77c29cb2",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000750"
              },
              {
                "name": "ValueName",
                "value": "ActivateOnHostFlags"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.Tiles.TileStore\\ActivateOnHostFlags"
              }
            ],
            "repeated": 0,
            "id": 7146
          },
          {
            "timestamp": "2026-05-28 22:01:57,990",
            "thread_id": "3700",
            "caller": "0x7ffc77c27226",
            "parentcaller": "0x7ffc77c2ca23",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000750"
              }
            ],
            "repeated": 0,
            "id": 7147
          },
          {
            "timestamp": "2026-05-28 22:01:57,990",
            "thread_id": "3700",
            "caller": "0x7ffc756e56b2",
            "parentcaller": "0x7ffc77bc6b6d",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\System32\\StateRepository.Core"
              },
              {
                "name": "DllBase",
                "value": "0x7ffc6ab30000"
              }
            ],
            "repeated": 0,
            "id": 7148
          },
          {
            "timestamp": "2026-05-28 22:01:57,990",
            "thread_id": "3700",
            "caller": "0x7ffc756e56b2",
            "parentcaller": "0x7ffc77bc6b6d",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\System32\\Windows.StateRepository"
              },
              {
                "name": "DllBase",
                "value": "0x7ffc6ac50000"
              }
            ],
            "repeated": 0,
            "id": 7149
          },
          {
            "timestamp": "2026-05-28 22:01:57,990",
            "thread_id": "3700",
            "caller": "0x7ffc756e56b2",
            "parentcaller": "0x7ffc77bc6b6d",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\System32\\TileDataRepository"
              },
              {
                "name": "DllBase",
                "value": "0x7ffc61260000"
              }
            ],
            "repeated": 0,
            "id": 7150
          },
          {
            "timestamp": "2026-05-28 22:01:57,990",
            "thread_id": "3700",
            "caller": "0x7ffc756e56b2",
            "parentcaller": "0x7ffc77bc6b6d",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\TileDataRepository.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc61260000"
              }
            ],
            "repeated": 0,
            "id": 7151
          },
          {
            "timestamp": "2026-05-28 22:01:57,990",
            "thread_id": "3700",
            "caller": "0x7ffc756e56b2",
            "parentcaller": "0x7ffc77bc6b6d",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x7ffc61260000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\System32\\TileDataRepository.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00002008"
              }
            ],
            "repeated": 0,
            "id": 7152
          },
          {
            "timestamp": "2026-05-28 22:01:57,990",
            "thread_id": "3700",
            "caller": "0x7ffc756eac31",
            "parentcaller": "0x7ffc77bc6acf",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "TileDataRepository.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc61260000"
              },
              {
                "name": "FunctionName",
                "value": "DllGetClassObject"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc6127cbe0"
              }
            ],
            "repeated": 0,
            "id": 7153
          },
          {
            "timestamp": "2026-05-28 22:01:57,990",
            "thread_id": "3700",
            "caller": "0x7ffc756eac31",
            "parentcaller": "0x7ffc77bc6ae8",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "TileDataRepository.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc61260000"
              },
              {
                "name": "FunctionName",
                "value": "DllGetActivationFactory"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc6126cfe0"
              }
            ],
            "repeated": 0,
            "id": 7154
          },
          {
            "timestamp": "2026-05-28 22:01:57,990",
            "thread_id": "3700",
            "caller": "0x7ffc756eac31",
            "parentcaller": "0x7ffc77bc6b08",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "TileDataRepository.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc61260000"
              },
              {
                "name": "FunctionName",
                "value": "DllCanUnloadNow"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc61261270"
              }
            ],
            "repeated": 0,
            "id": 7155
          },
          {
            "timestamp": "2026-05-28 22:01:57,990",
            "thread_id": "3700",
            "caller": "0x7ffc77b9cd6e",
            "parentcaller": "0x7ffc77b9c76f",
            "category": "system",
            "api": "IsDebuggerPresent",
            "status": false,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 7156
          },
          {
            "timestamp": "2026-05-28 22:01:58,006",
            "thread_id": "3700",
            "caller": "0x7ffc756de76a",
            "parentcaller": "0x7ffc6127ab6e",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc77fd0000"
              }
            ],
            "repeated": 0,
            "id": 7157
          },
          {
            "timestamp": "2026-05-28 22:01:58,006",
            "thread_id": "3700",
            "caller": "0x7ffc756eac31",
            "parentcaller": "0x7ffc6126fde9",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc77fd0000"
              },
              {
                "name": "FunctionName",
                "value": "RtlDisownModuleHeapAllocation"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc7804fa30"
              }
            ],
            "repeated": 0,
            "id": 7158
          },
          {
            "timestamp": "2026-05-28 22:01:58,006",
            "thread_id": "3700",
            "caller": "0x7ffc78017830",
            "parentcaller": "0x7ffc780020f9",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc612f5000"
              },
              {
                "name": "ModuleName",
                "value": "TileDataRepository.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 7159
          },
          {
            "timestamp": "2026-05-28 22:01:58,006",
            "thread_id": "3700",
            "caller": "0x7ffc78017881",
            "parentcaller": "0x7ffc780020f9",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc612f5000"
              },
              {
                "name": "ModuleName",
                "value": "TileDataRepository.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 7160
          },
          {
            "timestamp": "2026-05-28 22:01:58,006",
            "thread_id": "3700",
            "caller": "0x7ffc756e54eb",
            "parentcaller": "0x7ffc6126c697",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 7161
          },
          {
            "timestamp": "2026-05-28 22:01:58,006",
            "thread_id": "3700",
            "caller": "0x7ffc756e54eb",
            "parentcaller": "0x7ffc6126c717",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\xf8\\xebS\\x92\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\\\x00W\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\xe9\\x03\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 7162
          },
          {
            "timestamp": "2026-05-28 22:01:58,006",
            "thread_id": "3700",
            "caller": "0x7ffc77c2dd9d",
            "parentcaller": "0x7ffc77bc7428",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000754"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020119",
                "pretty_value": "KEY_QUERY_VALUE|KEY_ENUMERATE_SUB_KEYS|KEY_NOTIFY|KEY_WOW64_64KEY|STANDARD_RIGHTS_REQUIRED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000003d8"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Windows.Internal.StateRepository.User"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.User"
              }
            ],
            "repeated": 0,
            "id": 7163
          },
          {
            "timestamp": "2026-05-28 22:01:58,006",
            "thread_id": "3700",
            "caller": "0x7ffc77c2ddf7",
            "parentcaller": "0x7ffc77bc7428",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000754"
              },
              {
                "name": "KeyInformation",
                "value": "\\xfffci\\x0e\\xffd4\\xffde\\xffac\\xffd5\\x01\\x00\\x00\\x00\\x00J\\x00\\x00\\x00W\\x00i\\x00n\\x00d\\x00o\\x00w\\x00s\\x00.\\x00I\\x00n\\x00t\\x00e\\x00r\\x00n\\x00a\\x00l\\x00.\\x00S\\x00t\\x00a\\x00t\\x00e\\x00R\\x00e\\x00p\\x00o\\x00s\\x00i\\x00t\\x00o\\x00r\\x00y\\x00.\\x00U\\x00s\\x00e\\x00r\\x00\\xffffw\\xfffc\\x7f\\x00\\x001\\x00\n\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xff90\\xffa8\\x1fT\\xff92\\x02\\x00\\x00\\xff80\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x1fN\\xff92\\x02\\x00\\x00\\xffb9\\xffe3\\x1f\\xff9e\\xfff0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xffa0\\x14\\x03N\\xff92\\x02\\x00\\x00\\x00\\x00\\x03N\\xff92\\x02\\x00\\x00\\x00\\x00\\x03N\\xff92\\x02\\x00\\x00\\xffc4\\x02\\x03N\\xff92\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\xff92\\x02\\x00\\x00\\xff90\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xffc0\\x0c\\x03N\\xff92\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xffb0E\\xffe7w\\xfffc\\x7f\\x00\\x00\\xffd8\r\"T\\xff92\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xff90\\xffe4\\x1f\\xff9e\\xfff0\\x00\\x00\\x00\\xff87\\xff9d\\xffbbw\\xfffc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\xff92\\x02\\x00\\x00\\xff90A\\x1fT\\xff92\\x02\\x00\\x00\\xff80\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xffb0\r\"T\\xff92\\x02\\x00\\x00\\xff90A\\x1fT\\xff92\\x02\\x00\\x00\\xfff0\\xfff7\\xffebS\\xff92\\x02\\x00\\x00\\xffc7\\xffb3\\xffffw\\xfffc\\x7f\\x00\\x00\\x00\\x00\\x03N\\xff92\\x02\\x00\\x00\\xfff6s\\xffbbw\\xfffc\\x7f\\x00\\x00\\x105\\x1fT\\xff92\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xffff\\xffff\\xffff\\xffff\\xffff\\xffff\\xffff\\xffff\\xfff0\\xfff7\\xffebS\\xff92\\x02\\x00\\x00P/\\x1dT\\xff92\\x02\\x00\\x00P/\\x1dT\\xff92\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xff
90A\\x1fT\\xff92\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xffffw\\xfffc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\xff92\\x02\\x00\\x006\\xff8c\\xffc6w\\xfffc\\x7f\\x00\\x00\\xffd0\\xffac\\x1dT\\xff92\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\xfff0\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xff80\\xffe5\\x1f\\xff9e\\xfff0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xff80\\xffe5\\x1f\\xff9e\\xfff0\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 7164
          },
          {
            "timestamp": "2026-05-28 22:01:58,006",
            "thread_id": "3700",
            "caller": "0x7ffc756e2e92",
            "parentcaller": "0x7ffc77c29cb2",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000754"
              },
              {
                "name": "ValueName",
                "value": "ActivationType"
              },
              {
                "name": "Data",
                "value": "1"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.User\\ActivationType"
              }
            ],
            "repeated": 0,
            "id": 7165
          },
          {
            "timestamp": "2026-05-28 22:01:58,006",
            "thread_id": "3700",
            "caller": "0x7ffc77b87deb",
            "parentcaller": "0x7ffc77c38ff0",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000754"
              },
              {
                "name": "ValueName",
                "value": "Server"
              },
              {
                "name": "Data",
                "value": "StateRepository"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.User\\Server"
              }
            ],
            "repeated": 0,
            "id": 7166
          },
          {
            "timestamp": "2026-05-28 22:01:58,006",
            "thread_id": "3700",
            "caller": "0x7ffc77b87deb",
            "parentcaller": "0x7ffc77c400bb",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000754"
              },
              {
                "name": "ValueName",
                "value": "DllPath"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.User\\DllPath"
              }
            ],
            "repeated": 0,
            "id": 7167
          },
          {
            "timestamp": "2026-05-28 22:01:58,006",
            "thread_id": "3700",
            "caller": "0x7ffc756e2e92",
            "parentcaller": "0x7ffc77c29cb2",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000754"
              },
              {
                "name": "ValueName",
                "value": "Threading"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.User\\Threading"
              }
            ],
            "repeated": 0,
            "id": 7168
          },
          {
            "timestamp": "2026-05-28 22:01:58,006",
            "thread_id": "3700",
            "caller": "0x7ffc756e2e92",
            "parentcaller": "0x7ffc77c29cb2",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000754"
              },
              {
                "name": "ValueName",
                "value": "TrustLevel"
              },
              {
                "name": "Data",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.User\\TrustLevel"
              }
            ],
            "repeated": 0,
            "id": 7169
          },
          {
            "timestamp": "2026-05-28 22:01:58,006",
            "thread_id": "3700",
            "caller": "0x7ffc77b8c0fc",
            "parentcaller": "0x7ffc77c24170",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000754"
              },
              {
                "name": "SubKey",
                "value": "CustomAttributes"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.User\\CustomAttributes"
              }
            ],
            "repeated": 0,
            "id": 7170
          },
          {
            "timestamp": "2026-05-28 22:01:58,006",
            "thread_id": "3700",
            "caller": "0x7ffc77b87deb",
            "parentcaller": "0x7ffc77c38ff0",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000754"
              },
              {
                "name": "ValueName",
                "value": "RemoteServer"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.User\\RemoteServer"
              }
            ],
            "repeated": 0,
            "id": 7171
          },
          {
            "timestamp": "2026-05-28 22:01:58,006",
            "thread_id": "3700",
            "caller": "0x7ffc756e2e92",
            "parentcaller": "0x7ffc77c29cb2",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000754"
              },
              {
                "name": "ValueName",
                "value": "ActivateAsUser"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.User\\ActivateAsUser"
              }
            ],
            "repeated": 0,
            "id": 7172
          },
          {
            "timestamp": "2026-05-28 22:01:58,006",
            "thread_id": "3700",
            "caller": "0x7ffc756e2e92",
            "parentcaller": "0x7ffc77c29cb2",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000754"
              },
              {
                "name": "ValueName",
                "value": "ActivateInSharedBroker"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.User\\ActivateInSharedBroker"
              }
            ],
            "repeated": 0,
            "id": 7173
          },
          {
            "timestamp": "2026-05-28 22:01:58,006",
            "thread_id": "3700",
            "caller": "0x7ffc756e2e92",
            "parentcaller": "0x7ffc77c29cb2",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000754"
              },
              {
                "name": "ValueName",
                "value": "ActivateInBrokerForMediumILContainer"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.User\\ActivateInBrokerForMediumILContainer"
              }
            ],
            "repeated": 0,
            "id": 7174
          },
          {
            "timestamp": "2026-05-28 22:01:58,006",
            "thread_id": "3700",
            "caller": "0x7ffc756e2e92",
            "parentcaller": "0x7ffc77c32222",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000754"
              },
              {
                "name": "ValueName",
                "value": "Permissions"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.User\\Permissions"
              }
            ],
            "repeated": 0,
            "id": 7175
          },
          {
            "timestamp": "2026-05-28 22:01:58,006",
            "thread_id": "3700",
            "caller": "0x7ffc756e2e92",
            "parentcaller": "0x7ffc77c29cb2",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000754"
              },
              {
                "name": "ValueName",
                "value": "ActivateOnHostFlags"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.User\\ActivateOnHostFlags"
              }
            ],
            "repeated": 0,
            "id": 7176
          },
          {
            "timestamp": "2026-05-28 22:01:58,006",
            "thread_id": "3700",
            "caller": "0x7ffc77c27226",
            "parentcaller": "0x7ffc77c2ca23",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000754"
              }
            ],
            "repeated": 0,
            "id": 7177
          },
          {
            "timestamp": "2026-05-28 22:01:58,006",
            "thread_id": "3700",
            "caller": "0x7ffc77fde715",
            "parentcaller": "0x7ffc77fde37b",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254229000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 7178
          },
          {
            "timestamp": "2026-05-28 22:01:58,006",
            "thread_id": "3700",
            "caller": "0x7ffc77fde715",
            "parentcaller": "0x7ffc77fde37b",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2925422a000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 7179
          },
          {
            "timestamp": "2026-05-28 22:01:58,006",
            "thread_id": "3700",
            "caller": "0x7ffc77be92b9",
            "parentcaller": "0x7ffc77c2224d",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "00000339-0000-0000-C000-000000000046"
              },
              {
                "name": "ClsContext",
                "value": "0x00000403",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER|CLSCTX_NO_CODE_DOWNLOAD"
              },
              {
                "name": "riid",
                "value": "00000003-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 7180
          },
          {
            "timestamp": "2026-05-28 22:01:58,006",
            "thread_id": "3700",
            "caller": "0x7ffc77ba22bf",
            "parentcaller": "0x7ffc77c1fbe4",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x000002e6"
              },
              {
                "name": "SubKey",
                "value": "Interface\\{84103CCB-2FD7-4D6C-962E-5D8582B4C720}"
              },
              {
                "name": "Handle",
                "value": "0x00000756"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\Interface\\{84103CCB-2FD7-4D6C-962E-5D8582B4C720}"
              }
            ],
            "repeated": 0,
            "id": 7181
          },
          {
            "timestamp": "2026-05-28 22:01:58,006",
            "thread_id": "3700",
            "caller": "0x7ffc77c1fa51",
            "parentcaller": "0x7ffc77be42ab",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000756"
              },
              {
                "name": "SubKey",
                "value": "ProxyStubClsid32"
              },
              {
                "name": "Handle",
                "value": "0x0000075a"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{84103ccb-2fd7-4d6c-962e-5d8582b4c720}\\ProxyStubClsid32"
              }
            ],
            "repeated": 0,
            "id": 7182
          },
          {
            "timestamp": "2026-05-28 22:01:58,006",
            "thread_id": "3700",
            "caller": "0x7ffc77c1fa8c",
            "parentcaller": "0x7ffc77be42ab",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000075a"
              },
              {
                "name": "ValueName",
                "value": ""
              },
              {
                "name": "Data",
                "value": "{c53e07ec-25f3-4093-aa39-fc67ea22e99d}"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{84103ccb-2fd7-4d6c-962e-5d8582b4c720}\\ProxyStubClsid32\\(Default)"
              }
            ],
            "repeated": 0,
            "id": 7183
          },
          {
            "timestamp": "2026-05-28 22:01:58,006",
            "thread_id": "3700",
            "caller": "0x7ffc77c1fad3",
            "parentcaller": "0x7ffc77be42ab",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000075a"
              }
            ],
            "repeated": 0,
            "id": 7184
          },
          {
            "timestamp": "2026-05-28 22:01:58,006",
            "thread_id": "3700",
            "caller": "0x7ffc77c1fae4",
            "parentcaller": "0x7ffc77be42ab",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000756"
              }
            ],
            "repeated": 0,
            "id": 7185
          },
          {
            "timestamp": "2026-05-28 22:01:58,006",
            "thread_id": "3700",
            "caller": "0x7ffc77fde715",
            "parentcaller": "0x7ffc77fde37b",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2925422b000"
              },
              {
                "name": "RegionSize",
                "value": "0x00005000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 7186
          },
          {
            "timestamp": "2026-05-28 22:01:58,006",
            "thread_id": "3700",
            "caller": "0x7ffc77b9cd6e",
            "parentcaller": "0x7ffc77b9c76f",
            "category": "system",
            "api": "IsDebuggerPresent",
            "status": false,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 7187
          },
          {
            "timestamp": "2026-05-28 22:01:58,006",
            "thread_id": "3700",
            "caller": "0x7ffc77ba22bf",
            "parentcaller": "0x7ffc77c1fbe4",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x000002e6"
              },
              {
                "name": "SubKey",
                "value": "Interface\\{5232F8EA-49C7-4840-BFBB-66E785689E88}"
              },
              {
                "name": "Handle",
                "value": "0x00000746"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\Interface\\{5232F8EA-49C7-4840-BFBB-66E785689E88}"
              }
            ],
            "repeated": 0,
            "id": 7188
          },
          {
            "timestamp": "2026-05-28 22:01:58,006",
            "thread_id": "3700",
            "caller": "0x7ffc77c1fa51",
            "parentcaller": "0x7ffc77be42ab",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000746"
              },
              {
                "name": "SubKey",
                "value": "ProxyStubClsid32"
              },
              {
                "name": "Handle",
                "value": "0x00000742"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{5232f8ea-49c7-4840-bfbb-66e785689e88}\\ProxyStubClsid32"
              }
            ],
            "repeated": 0,
            "id": 7189
          },
          {
            "timestamp": "2026-05-28 22:01:58,006",
            "thread_id": "3700",
            "caller": "0x7ffc77c1fa8c",
            "parentcaller": "0x7ffc77be42ab",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000742"
              },
              {
                "name": "ValueName",
                "value": ""
              },
              {
                "name": "Data",
                "value": "{c53e07ec-25f3-4093-aa39-fc67ea22e99d}"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{5232f8ea-49c7-4840-bfbb-66e785689e88}\\ProxyStubClsid32\\(Default)"
              }
            ],
            "repeated": 0,
            "id": 7190
          },
          {
            "timestamp": "2026-05-28 22:01:58,006",
            "thread_id": "3700",
            "caller": "0x7ffc77c1fad3",
            "parentcaller": "0x7ffc77be42ab",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000742"
              }
            ],
            "repeated": 0,
            "id": 7191
          },
          {
            "timestamp": "2026-05-28 22:01:58,006",
            "thread_id": "3700",
            "caller": "0x7ffc77c1fae4",
            "parentcaller": "0x7ffc77be42ab",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000746"
              }
            ],
            "repeated": 0,
            "id": 7192
          },
          {
            "timestamp": "2026-05-28 22:01:58,006",
            "thread_id": "3700",
            "caller": "0x7ffc77c2dd9d",
            "parentcaller": "0x7ffc77bc7428",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000744"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020119",
                "pretty_value": "KEY_QUERY_VALUE|KEY_ENUMERATE_SUB_KEYS|KEY_NOTIFY|KEY_WOW64_64KEY|STANDARD_RIGHTS_REQUIRED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000003d8"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Windows.Internal.StateRepository.TileView"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.TileView"
              }
            ],
            "repeated": 0,
            "id": 7193
          },
          {
            "timestamp": "2026-05-28 22:01:58,006",
            "thread_id": "3700",
            "caller": "0x7ffc77c2ddf7",
            "parentcaller": "0x7ffc77bc7428",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000744"
              },
              {
                "name": "KeyInformation",
                "value": "\\xfffci\\x0e\\xffd4\\xffde\\xffac\\xffd5\\x01\\x00\\x00\\x00\\x00R\\x00\\x00\\x00W\\x00i\\x00n\\x00d\\x00o\\x00w\\x00s\\x00.\\x00I\\x00n\\x00t\\x00e\\x00r\\x00n\\x00a\\x00l\\x00.\\x00S\\x00t\\x00a\\x00t\\x00e\\x00R\\x00e\\x00p\\x00o\\x00s\\x00i\\x00t\\x00o\\x00r\\x00y\\x00.\\x00T\\x00i\\x00l\\x00e\\x00V\\x00i\\x00e\\x00w\\x00,\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xff90\\xffa8\\x1fT\\xff92\\x02\\x00\\x00\\xff80\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x1fN\\xff92\\x02\\x00\\x00\\xffb9\\xffe3\\x1f\\xff9e\\xfff0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xffa0\\x14\\x03N\\xff92\\x02\\x00\\x00\\x00\\x00\\x03N\\xff92\\x02\\x00\\x00\\x00\\x00\\x03N\\xff92\\x02\\x00\\x00\\xffc4\\x02\\x03N\\xff92\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\xff92\\x02\\x00\\x00\\xff90\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xffc0\\x0c\\x03N\\xff92\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xffb0E\\xffe7w\\xfffc\\x7f\\x00\\x00\\xff98\\xfff9!T\\xff92\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xff90\\xffe4\\x1f\\xff9e\\xfff0\\x00\\x00\\x00\\xff87\\xff9d\\xffbbw\\xfffc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\xff92\\x02\\x00\\x00\\x10'\\x1fT\\xff92\\x02\\x00\\x00\\xff80\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00p\\xfff9!T\\xff92\\x02\\x00\\x00\\x10'\\x1fT\\xff92\\x02\\x00\\x00\\xffd0\\xffa4\"T\\xff92\\x02\\x00\\x00\\xffc7\\xffb3\\xffffw\\xfffc\\x7f\\x00\\x00\\x00\\x00\\x03N\\xff92\\x02\\x00\\x00\\xfff6s\\xffbbw\\xfffc\\x7f\\x00\\x00\\xff90?\\x1fT\\xff92\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xffff\\xffff\\xffff\\xffff\\xffff\\xffff\\xffff\\xffff\\xffd0\\xffa4\"T\\xff92\\x02\\x00\\x00\\xffe0.\\x1dT\\xff92\\x02\\x00\\x00\\xffe0.\\x1dT\\xff92\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10'\\x1fT\\xf
f92\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x1f\\xff9e\\xfff0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xff92\\x02\\x00\\x006\\xff8c\\xffc6w\\xfffc\\x7f\\x00\\x00\\xff90\\xffb0\\x1dT\\xff92\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\xfff0\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xff80\\xffe5\\x1f\\xff9e\\xfff0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xff80\\xffe5\\x1f\\xff9e\\xfff0\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 7194
          },
          {
            "timestamp": "2026-05-28 22:01:58,006",
            "thread_id": "3700",
            "caller": "0x7ffc756e2e92",
            "parentcaller": "0x7ffc77c29cb2",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000744"
              },
              {
                "name": "ValueName",
                "value": "ActivationType"
              },
              {
                "name": "Data",
                "value": "1"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.TileView\\ActivationType"
              }
            ],
            "repeated": 0,
            "id": 7195
          },
          {
            "timestamp": "2026-05-28 22:01:58,006",
            "thread_id": "3700",
            "caller": "0x7ffc77b87deb",
            "parentcaller": "0x7ffc77c38ff0",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000744"
              },
              {
                "name": "ValueName",
                "value": "Server"
              },
              {
                "name": "Data",
                "value": "StateRepository"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.TileView\\Server"
              }
            ],
            "repeated": 0,
            "id": 7196
          },
          {
            "timestamp": "2026-05-28 22:01:58,006",
            "thread_id": "3700",
            "caller": "0x7ffc77b87deb",
            "parentcaller": "0x7ffc77c400bb",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000744"
              },
              {
                "name": "ValueName",
                "value": "DllPath"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.TileView\\DllPath"
              }
            ],
            "repeated": 0,
            "id": 7197
          },
          {
            "timestamp": "2026-05-28 22:01:58,006",
            "thread_id": "3700",
            "caller": "0x7ffc756e2e92",
            "parentcaller": "0x7ffc77c29cb2",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000744"
              },
              {
                "name": "ValueName",
                "value": "Threading"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.TileView\\Threading"
              }
            ],
            "repeated": 0,
            "id": 7198
          },
          {
            "timestamp": "2026-05-28 22:01:58,006",
            "thread_id": "3700",
            "caller": "0x7ffc756e2e92",
            "parentcaller": "0x7ffc77c29cb2",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000744"
              },
              {
                "name": "ValueName",
                "value": "TrustLevel"
              },
              {
                "name": "Data",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.TileView\\TrustLevel"
              }
            ],
            "repeated": 0,
            "id": 7199
          },
          {
            "timestamp": "2026-05-28 22:01:58,006",
            "thread_id": "3700",
            "caller": "0x7ffc77b8c0fc",
            "parentcaller": "0x7ffc77c24170",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000744"
              },
              {
                "name": "SubKey",
                "value": "CustomAttributes"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.TileView\\CustomAttributes"
              }
            ],
            "repeated": 0,
            "id": 7200
          },
          {
            "timestamp": "2026-05-28 22:01:58,006",
            "thread_id": "3700",
            "caller": "0x7ffc77b87deb",
            "parentcaller": "0x7ffc77c38ff0",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000744"
              },
              {
                "name": "ValueName",
                "value": "RemoteServer"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.TileView\\RemoteServer"
              }
            ],
            "repeated": 0,
            "id": 7201
          },
          {
            "timestamp": "2026-05-28 22:01:58,006",
            "thread_id": "3700",
            "caller": "0x7ffc756e2e92",
            "parentcaller": "0x7ffc77c29cb2",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000744"
              },
              {
                "name": "ValueName",
                "value": "ActivateAsUser"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.TileView\\ActivateAsUser"
              }
            ],
            "repeated": 0,
            "id": 7202
          },
          {
            "timestamp": "2026-05-28 22:01:58,006",
            "thread_id": "3700",
            "caller": "0x7ffc756e2e92",
            "parentcaller": "0x7ffc77c29cb2",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000744"
              },
              {
                "name": "ValueName",
                "value": "ActivateInSharedBroker"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.TileView\\ActivateInSharedBroker"
              }
            ],
            "repeated": 0,
            "id": 7203
          },
          {
            "timestamp": "2026-05-28 22:01:58,006",
            "thread_id": "3700",
            "caller": "0x7ffc756e2e92",
            "parentcaller": "0x7ffc77c29cb2",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000744"
              },
              {
                "name": "ValueName",
                "value": "ActivateInBrokerForMediumILContainer"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.TileView\\ActivateInBrokerForMediumILContainer"
              }
            ],
            "repeated": 0,
            "id": 7204
          },
          {
            "timestamp": "2026-05-28 22:01:58,006",
            "thread_id": "3700",
            "caller": "0x7ffc756e2e92",
            "parentcaller": "0x7ffc77c32222",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000744"
              },
              {
                "name": "ValueName",
                "value": "Permissions"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.TileView\\Permissions"
              }
            ],
            "repeated": 0,
            "id": 7205
          },
          {
            "timestamp": "2026-05-28 22:01:58,006",
            "thread_id": "3700",
            "caller": "0x7ffc756e2e92",
            "parentcaller": "0x7ffc77c29cb2",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000744"
              },
              {
                "name": "ValueName",
                "value": "ActivateOnHostFlags"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.TileView\\ActivateOnHostFlags"
              }
            ],
            "repeated": 0,
            "id": 7206
          },
          {
            "timestamp": "2026-05-28 22:01:58,006",
            "thread_id": "3700",
            "caller": "0x7ffc77c27226",
            "parentcaller": "0x7ffc77c2ca23",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000744"
              }
            ],
            "repeated": 0,
            "id": 7207
          },
          {
            "timestamp": "2026-05-28 22:01:58,006",
            "thread_id": "3700",
            "caller": "0x7ffc78041963",
            "parentcaller": "0x7ffc780418a2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2924e033000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 7208
          },
          {
            "timestamp": "2026-05-28 22:01:58,006",
            "thread_id": "3700",
            "caller": "0x7ffc77be92b9",
            "parentcaller": "0x7ffc77c2224d",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "00000339-0000-0000-C000-000000000046"
              },
              {
                "name": "ClsContext",
                "value": "0x00000403",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER|CLSCTX_NO_CODE_DOWNLOAD"
              },
              {
                "name": "riid",
                "value": "00000003-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 7209
          },
          {
            "timestamp": "2026-05-28 22:01:58,006",
            "thread_id": "3700",
            "caller": "0x7ffc77ba22bf",
            "parentcaller": "0x7ffc77c1fbe4",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x000002e6"
              },
              {
                "name": "SubKey",
                "value": "Interface\\{6D3BC882-23A4-4706-B8FA-FC7DE2FC325D}"
              },
              {
                "name": "Handle",
                "value": "0x00000746"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\Interface\\{6D3BC882-23A4-4706-B8FA-FC7DE2FC325D}"
              }
            ],
            "repeated": 0,
            "id": 7210
          },
          {
            "timestamp": "2026-05-28 22:01:58,006",
            "thread_id": "3700",
            "caller": "0x7ffc77c1fa51",
            "parentcaller": "0x7ffc77be42ab",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000746"
              },
              {
                "name": "SubKey",
                "value": "ProxyStubClsid32"
              },
              {
                "name": "Handle",
                "value": "0x00000742"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{6d3bc882-23a4-4706-b8fa-fc7de2fc325d}\\ProxyStubClsid32"
              }
            ],
            "repeated": 0,
            "id": 7211
          },
          {
            "timestamp": "2026-05-28 22:01:58,006",
            "thread_id": "3700",
            "caller": "0x7ffc77c1fa8c",
            "parentcaller": "0x7ffc77be42ab",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000742"
              },
              {
                "name": "ValueName",
                "value": ""
              },
              {
                "name": "Data",
                "value": "{c53e07ec-25f3-4093-aa39-fc67ea22e99d}"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{6d3bc882-23a4-4706-b8fa-fc7de2fc325d}\\ProxyStubClsid32\\(Default)"
              }
            ],
            "repeated": 0,
            "id": 7212
          },
          {
            "timestamp": "2026-05-28 22:01:58,006",
            "thread_id": "3700",
            "caller": "0x7ffc77c1fad3",
            "parentcaller": "0x7ffc77be42ab",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000742"
              }
            ],
            "repeated": 0,
            "id": 7213
          },
          {
            "timestamp": "2026-05-28 22:01:58,006",
            "thread_id": "3700",
            "caller": "0x7ffc77c1fae4",
            "parentcaller": "0x7ffc77be42ab",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000746"
              }
            ],
            "repeated": 0,
            "id": 7214
          },
          {
            "timestamp": "2026-05-28 22:01:58,006",
            "thread_id": "3700",
            "caller": "0x7ffc77b9cd6e",
            "parentcaller": "0x7ffc77b9c76f",
            "category": "system",
            "api": "IsDebuggerPresent",
            "status": false,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 7215
          },
          {
            "timestamp": "2026-05-28 22:01:58,006",
            "thread_id": "3700",
            "caller": "0x7ffc77fde715",
            "parentcaller": "0x7ffc77fde37b",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254230000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 7216
          },
          {
            "timestamp": "2026-05-28 22:01:58,006",
            "thread_id": "3700",
            "caller": "0x7ffc77be92b9",
            "parentcaller": "0x7ffc77c2224d",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "00000339-0000-0000-C000-000000000046"
              },
              {
                "name": "ClsContext",
                "value": "0x00000403",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER|CLSCTX_NO_CODE_DOWNLOAD"
              },
              {
                "name": "riid",
                "value": "00000003-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 7217
          },
          {
            "timestamp": "2026-05-28 22:01:58,006",
            "thread_id": "3700",
            "caller": "0x7ffc77b9cd6e",
            "parentcaller": "0x7ffc77b9c76f",
            "category": "system",
            "api": "IsDebuggerPresent",
            "status": false,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 7218
          },
          {
            "timestamp": "2026-05-28 22:01:58,006",
            "thread_id": "3700",
            "caller": "0x7ffc77c2dd9d",
            "parentcaller": "0x7ffc77bc7428",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000744"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020119",
                "pretty_value": "KEY_QUERY_VALUE|KEY_ENUMERATE_SUB_KEYS|KEY_NOTIFY|KEY_WOW64_64KEY|STANDARD_RIGHTS_REQUIRED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000003d8"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Windows.Internal.Tiles.TileQueryFilter"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.Tiles.TileQueryFilter"
              }
            ],
            "repeated": 0,
            "id": 7219
          },
          {
            "timestamp": "2026-05-28 22:01:58,006",
            "thread_id": "3700",
            "caller": "0x7ffc77c2ddf7",
            "parentcaller": "0x7ffc77bc7428",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000744"
              },
              {
                "name": "KeyInformation",
                "value": "7_\\xffea\\xffe6\\xfff8\\xffee\\xffdc\\x01\\x00\\x00\\x00\\x00L\\x00\\x00\\x00W\\x00i\\x00n\\x00d\\x00o\\x00w\\x00s\\x00.\\x00I\\x00n\\x00t\\x00e\\x00r\\x00n\\x00a\\x00l\\x00.\\x00T\\x00i\\x00l\\x00e\\x00s\\x00.\\x00T\\x00i\\x00l\\x00e\\x00Q\\x00u\\x00e\\x00r\\x00y\\x00F\\x00i\\x00l\\x00t\\x00e\\x00r\\x00\\xfffc\\x7f\\x00\\x000\\x00\\x07\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xff90\\xffa8\\x1fT\\xff92\\x02\\x00\\x00\\xff80\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x1fN\\xff92\\x02\\x00\\x00I\\xffec\\x1f\\xff9e\\xfff0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xffa0\\x14\\x03N\\xff92\\x02\\x00\\x00\\x00\\x00\\x03N\\xff92\\x02\\x00\\x00\\x00\\x00\\x03N\\xff92\\x02\\x00\\x00\\xffc4\\x02\\x03N\\xff92\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\xff92\\x02\\x00\\x00\\xff90\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xffc0\\x0c\\x03N\\xff92\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xffb0E\\xffe7w\\xfffc\\x7f\\x00\\x00\\xffc8\\xfff6!T\\xff92\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00 
\\xffed\\x1f\\xff9e\\xfff0\\x00\\x00\\x00\\xff87\\xff9d\\xffbbw\\xfffc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\xff92\\x02\\x00\\x00\\x10E\\x1fT\\xff92\\x02\\x00\\x00\\xff80\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xffa0\\xfff6!T\\xff92\\x02\\x00\\x00\\x10E\\x1fT\\xff92\\x02\\x00\\x00\\xff90\\xffa4\"T\\xff92\\x02\\x00\\x00\\xffc7\\xffb3\\xffffw\\xfffc\\x7f\\x00\\x00\\x00\\x00\\x03N\\xff92\\x02\\x00\\x00\\xfff6s\\xffbbw\\xfffc\\x7f\\x00\\x00\\x10=\\x1fT\\xff92\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xffff\\xffff\\xffff\\xffff\\xffff\\xffff\\xffff\\xffff\\xff90\\xffa4\"T\\xff92\\x02\\x00\\x00\\xffe0.\\x1dT\\xff92\\x02\\x00\\x00\\xffe0.\\x1dT\\xff92\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10E\\x1fT\\xff92\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xff92\\x02\\x00\\x006\\xff8c\\xffc6w\\xfffc\\x7f\\x00\\x00 \\xffad\\x1dT\\xff92\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\xfff0\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\xffee\\x1f\\xff9e\\xfff0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\xffee\\x1f\\xff9e\\xfff0\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 7220
          },
          {
            "timestamp": "2026-05-28 22:01:58,006",
            "thread_id": "3700",
            "caller": "0x7ffc756e2e92",
            "parentcaller": "0x7ffc77c29cb2",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000744"
              },
              {
                "name": "ValueName",
                "value": "ActivationType"
              },
              {
                "name": "Data",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.Tiles.TileQueryFilter\\ActivationType"
              }
            ],
            "repeated": 0,
            "id": 7221
          },
          {
            "timestamp": "2026-05-28 22:01:58,006",
            "thread_id": "3700",
            "caller": "0x7ffc77b87deb",
            "parentcaller": "0x7ffc77c38ff0",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000744"
              },
              {
                "name": "ValueName",
                "value": "Server"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.Tiles.TileQueryFilter\\Server"
              }
            ],
            "repeated": 0,
            "id": 7222
          },
          {
            "timestamp": "2026-05-28 22:01:58,006",
            "thread_id": "3700",
            "caller": "0x7ffc77b87deb",
            "parentcaller": "0x7ffc77c400bb",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000744"
              },
              {
                "name": "ValueName",
                "value": "DllPath"
              },
              {
                "name": "Data",
                "value": "C:\\Windows\\System32\\TileDataRepository.dll"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.Tiles.TileQueryFilter\\DllPath"
              }
            ],
            "repeated": 0,
            "id": 7223
          },
          {
            "timestamp": "2026-05-28 22:01:58,006",
            "thread_id": "3700",
            "caller": "0x7ffc756e2e92",
            "parentcaller": "0x7ffc77c29cb2",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000744"
              },
              {
                "name": "ValueName",
                "value": "Threading"
              },
              {
                "name": "Data",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.Tiles.TileQueryFilter\\Threading"
              }
            ],
            "repeated": 0,
            "id": 7224
          },
          {
            "timestamp": "2026-05-28 22:01:58,006",
            "thread_id": "3700",
            "caller": "0x7ffc756e2e92",
            "parentcaller": "0x7ffc77c29cb2",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000744"
              },
              {
                "name": "ValueName",
                "value": "TrustLevel"
              },
              {
                "name": "Data",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.Tiles.TileQueryFilter\\TrustLevel"
              }
            ],
            "repeated": 0,
            "id": 7225
          },
          {
            "timestamp": "2026-05-28 22:01:58,006",
            "thread_id": "3700",
            "caller": "0x7ffc77b8c0fc",
            "parentcaller": "0x7ffc77c24170",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000744"
              },
              {
                "name": "SubKey",
                "value": "CustomAttributes"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.Tiles.TileQueryFilter\\CustomAttributes"
              }
            ],
            "repeated": 0,
            "id": 7226
          },
          {
            "timestamp": "2026-05-28 22:01:58,006",
            "thread_id": "3700",
            "caller": "0x7ffc77b87deb",
            "parentcaller": "0x7ffc77c38ff0",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000744"
              },
              {
                "name": "ValueName",
                "value": "RemoteServer"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.Tiles.TileQueryFilter\\RemoteServer"
              }
            ],
            "repeated": 0,
            "id": 7227
          },
          {
            "timestamp": "2026-05-28 22:01:58,006",
            "thread_id": "3700",
            "caller": "0x7ffc756e2e92",
            "parentcaller": "0x7ffc77c29cb2",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000744"
              },
              {
                "name": "ValueName",
                "value": "ActivateAsUser"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.Tiles.TileQueryFilter\\ActivateAsUser"
              }
            ],
            "repeated": 0,
            "id": 7228
          },
          {
            "timestamp": "2026-05-28 22:01:58,006",
            "thread_id": "3700",
            "caller": "0x7ffc756e2e92",
            "parentcaller": "0x7ffc77c29cb2",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000744"
              },
              {
                "name": "ValueName",
                "value": "ActivateInSharedBroker"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.Tiles.TileQueryFilter\\ActivateInSharedBroker"
              }
            ],
            "repeated": 0,
            "id": 7229
          },
          {
            "timestamp": "2026-05-28 22:01:58,006",
            "thread_id": "3700",
            "caller": "0x7ffc756e2e92",
            "parentcaller": "0x7ffc77c29cb2",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000744"
              },
              {
                "name": "ValueName",
                "value": "ActivateInBrokerForMediumILContainer"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.Tiles.TileQueryFilter\\ActivateInBrokerForMediumILContainer"
              }
            ],
            "repeated": 0,
            "id": 7230
          },
          {
            "timestamp": "2026-05-28 22:01:58,006",
            "thread_id": "3700",
            "caller": "0x7ffc756e2e92",
            "parentcaller": "0x7ffc77c32222",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000744"
              },
              {
                "name": "ValueName",
                "value": "Permissions"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.Tiles.TileQueryFilter\\Permissions"
              }
            ],
            "repeated": 0,
            "id": 7231
          },
          {
            "timestamp": "2026-05-28 22:01:58,006",
            "thread_id": "3700",
            "caller": "0x7ffc756e2e92",
            "parentcaller": "0x7ffc77c29cb2",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000744"
              },
              {
                "name": "ValueName",
                "value": "ActivateOnHostFlags"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.Tiles.TileQueryFilter\\ActivateOnHostFlags"
              }
            ],
            "repeated": 0,
            "id": 7232
          },
          {
            "timestamp": "2026-05-28 22:01:58,006",
            "thread_id": "3700",
            "caller": "0x7ffc77c27226",
            "parentcaller": "0x7ffc77c2ca23",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000744"
              }
            ],
            "repeated": 0,
            "id": 7233
          },
          {
            "timestamp": "2026-05-28 22:01:58,006",
            "thread_id": "3700",
            "caller": "0x7ffc77b9cd6e",
            "parentcaller": "0x7ffc77b9db75",
            "category": "system",
            "api": "IsDebuggerPresent",
            "status": false,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 7234
          },
          {
            "timestamp": "2026-05-28 22:01:58,006",
            "thread_id": "3700",
            "caller": "0x7ffc77c2dd9d",
            "parentcaller": "0x7ffc77bc7428",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000744"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020119",
                "pretty_value": "KEY_QUERY_VALUE|KEY_ENUMERATE_SUB_KEYS|KEY_NOTIFY|KEY_WOW64_64KEY|STANDARD_RIGHTS_REQUIRED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000003d8"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Windows.Internal.StateRepository.TileViewQueryFilter"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.TileViewQueryFilter"
              }
            ],
            "repeated": 0,
            "id": 7235
          },
          {
            "timestamp": "2026-05-28 22:01:58,006",
            "thread_id": "3700",
            "caller": "0x7ffc77c2ddf7",
            "parentcaller": "0x7ffc77bc7428",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000744"
              },
              {
                "name": "KeyInformation",
                "value": "\\xfffci\\x0e\\xffd4\\xffde\\xffac\\xffd5\\x01\\x00\\x00\\x00\\x00h\\x00\\x00\\x00W\\x00i\\x00n\\x00d\\x00o\\x00w\\x00s\\x00.\\x00I\\x00n\\x00t\\x00e\\x00r\\x00n\\x00a\\x00l\\x00.\\x00S\\x00t\\x00a\\x00t\\x00e\\x00R\\x00e\\x00p\\x00o\\x00s\\x00i\\x00t\\x00o\\x00r\\x00y\\x00.\\x00T\\x00i\\x00l\\x00e\\x00V\\x00i\\x00e\\x00w\\x00Q\\x00u\\x00e\\x00r\\x00y\\x00F\\x00i\\x00l\\x00t\\x00e\\x00r\\x00\\xff80\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x1fN\\xff92\\x02\\x00\\x00\t\\xffe9\\x1f\\xff9e\\xfff0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xffa0\\x14\\x03N\\xff92\\x02\\x00\\x00\\x00\\x00\\x03N\\xff92\\x02\\x00\\x00\\x00\\x00\\x03N\\xff92\\x02\\x00\\x00\\xffc4\\x02\\x03N\\xff92\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\xff92\\x02\\x00\\x00\\xff90\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xffc0\\x0c\\x03N\\xff92\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xffb0E\\xffe7w\\xfffc\\x7f\\x00\\x00\\xff88\\x06\"T\\xff92\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xffe0\\xffe9\\x1f\\xff9e\\xfff0\\x00\\x00\\x00\\xff87\\xff9d\\xffbbw\\xfffc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\xff92\\x02\\x00\\x00p\\xfff9!T\\xff92\\x02\\x00\\x00\\xff80\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00`\\x06\"T\\xff92\\x02\\x00\\x00p\\xfff9!T\\xff92\\x02\\x00\\x00\\x10\\xffa5\"T\\xff92\\x02\\x00\\x00\\xffc7\\xffb3\\xffffw\\xfffc\\x7f\\x00\\x00\\x00\\x00\\x03N\\xff92\\x02\\x00\\x00\\xfff6s\\xffbbw\\xfffc\\x7f\\x00\\x00\\xff90,\\x1fT\\xff92\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xffff\\xffff\\xffff\\xffff\\xffff\\xffff\\xffff\\xffff\\x10\\xffa5\"T\\xff92\\x02\\x00\\x00\\xffa0\\xffea\"T\\xff92\\x02\\x00\\x00\\xffa0\\xffea\"T\\xff92\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00p\\xfff9!T\\xff92\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00
\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xff92\\x02\\x00\\x006\\xff8c\\xffc6w\\xfffc\\x7f\\x00\\x00\\xff90\\xffb0\\x1dT\\xff92\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\xfff0\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xffd0\\xffea\\x1f\\xff9e\\xfff0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xffd0\\xffea\\x1f\\xff9e\\xfff0\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 7236
          },
          {
            "timestamp": "2026-05-28 22:01:58,006",
            "thread_id": "3700",
            "caller": "0x7ffc756e2e92",
            "parentcaller": "0x7ffc77c29cb2",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000744"
              },
              {
                "name": "ValueName",
                "value": "ActivationType"
              },
              {
                "name": "Data",
                "value": "1"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.TileViewQueryFilter\\ActivationType"
              }
            ],
            "repeated": 0,
            "id": 7237
          },
          {
            "timestamp": "2026-05-28 22:01:58,006",
            "thread_id": "3700",
            "caller": "0x7ffc77b87deb",
            "parentcaller": "0x7ffc77c38ff0",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000744"
              },
              {
                "name": "ValueName",
                "value": "Server"
              },
              {
                "name": "Data",
                "value": "StateRepository"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.TileViewQueryFilter\\Server"
              }
            ],
            "repeated": 0,
            "id": 7238
          },
          {
            "timestamp": "2026-05-28 22:01:58,006",
            "thread_id": "3700",
            "caller": "0x7ffc77b87deb",
            "parentcaller": "0x7ffc77c400bb",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000744"
              },
              {
                "name": "ValueName",
                "value": "DllPath"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.TileViewQueryFilter\\DllPath"
              }
            ],
            "repeated": 0,
            "id": 7239
          },
          {
            "timestamp": "2026-05-28 22:01:58,006",
            "thread_id": "3700",
            "caller": "0x7ffc756e2e92",
            "parentcaller": "0x7ffc77c29cb2",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000744"
              },
              {
                "name": "ValueName",
                "value": "Threading"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.TileViewQueryFilter\\Threading"
              }
            ],
            "repeated": 0,
            "id": 7240
          },
          {
            "timestamp": "2026-05-28 22:01:58,006",
            "thread_id": "3700",
            "caller": "0x7ffc756e2e92",
            "parentcaller": "0x7ffc77c29cb2",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000744"
              },
              {
                "name": "ValueName",
                "value": "TrustLevel"
              },
              {
                "name": "Data",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.TileViewQueryFilter\\TrustLevel"
              }
            ],
            "repeated": 0,
            "id": 7241
          },
          {
            "timestamp": "2026-05-28 22:01:58,006",
            "thread_id": "3700",
            "caller": "0x7ffc77b8c0fc",
            "parentcaller": "0x7ffc77c24170",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000744"
              },
              {
                "name": "SubKey",
                "value": "CustomAttributes"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.TileViewQueryFilter\\CustomAttributes"
              }
            ],
            "repeated": 0,
            "id": 7242
          },
          {
            "timestamp": "2026-05-28 22:01:58,006",
            "thread_id": "3700",
            "caller": "0x7ffc77b87deb",
            "parentcaller": "0x7ffc77c38ff0",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000744"
              },
              {
                "name": "ValueName",
                "value": "RemoteServer"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.TileViewQueryFilter\\RemoteServer"
              }
            ],
            "repeated": 0,
            "id": 7243
          },
          {
            "timestamp": "2026-05-28 22:01:58,006",
            "thread_id": "3700",
            "caller": "0x7ffc756e2e92",
            "parentcaller": "0x7ffc77c29cb2",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000744"
              },
              {
                "name": "ValueName",
                "value": "ActivateAsUser"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.TileViewQueryFilter\\ActivateAsUser"
              }
            ],
            "repeated": 0,
            "id": 7244
          },
          {
            "timestamp": "2026-05-28 22:01:58,006",
            "thread_id": "3700",
            "caller": "0x7ffc756e2e92",
            "parentcaller": "0x7ffc77c29cb2",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000744"
              },
              {
                "name": "ValueName",
                "value": "ActivateInSharedBroker"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.TileViewQueryFilter\\ActivateInSharedBroker"
              }
            ],
            "repeated": 0,
            "id": 7245
          },
          {
            "timestamp": "2026-05-28 22:01:58,006",
            "thread_id": "3700",
            "caller": "0x7ffc756e2e92",
            "parentcaller": "0x7ffc77c29cb2",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000744"
              },
              {
                "name": "ValueName",
                "value": "ActivateInBrokerForMediumILContainer"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.TileViewQueryFilter\\ActivateInBrokerForMediumILContainer"
              }
            ],
            "repeated": 0,
            "id": 7246
          },
          {
            "timestamp": "2026-05-28 22:01:58,006",
            "thread_id": "3700",
            "caller": "0x7ffc756e2e92",
            "parentcaller": "0x7ffc77c32222",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000744"
              },
              {
                "name": "ValueName",
                "value": "Permissions"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.TileViewQueryFilter\\Permissions"
              }
            ],
            "repeated": 0,
            "id": 7247
          },
          {
            "timestamp": "2026-05-28 22:01:58,006",
            "thread_id": "3700",
            "caller": "0x7ffc756e2e92",
            "parentcaller": "0x7ffc77c29cb2",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000744"
              },
              {
                "name": "ValueName",
                "value": "ActivateOnHostFlags"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.TileViewQueryFilter\\ActivateOnHostFlags"
              }
            ],
            "repeated": 0,
            "id": 7248
          },
          {
            "timestamp": "2026-05-28 22:01:58,006",
            "thread_id": "3700",
            "caller": "0x7ffc77c27226",
            "parentcaller": "0x7ffc77c2ca23",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000744"
              }
            ],
            "repeated": 0,
            "id": 7249
          },
          {
            "timestamp": "2026-05-28 22:01:58,006",
            "thread_id": "3700",
            "caller": "0x7ffc77fde715",
            "parentcaller": "0x7ffc77fde37b",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254231000"
              },
              {
                "name": "RegionSize",
                "value": "0x00005000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 7250
          },
          {
            "timestamp": "2026-05-28 22:01:58,006",
            "thread_id": "3700",
            "caller": "0x7ffc77be92b9",
            "parentcaller": "0x7ffc77c2224d",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "00000339-0000-0000-C000-000000000046"
              },
              {
                "name": "ClsContext",
                "value": "0x00000403",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER|CLSCTX_NO_CODE_DOWNLOAD"
              },
              {
                "name": "riid",
                "value": "00000003-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 7251
          },
          {
            "timestamp": "2026-05-28 22:01:58,006",
            "thread_id": "3700",
            "caller": "0x7ffc77b9cd6e",
            "parentcaller": "0x7ffc77b9db75",
            "category": "system",
            "api": "IsDebuggerPresent",
            "status": false,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 7252
          },
          {
            "timestamp": "2026-05-28 22:01:58,006",
            "thread_id": "3700",
            "caller": "0x7ffc77ba22bf",
            "parentcaller": "0x7ffc77c1fbe4",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x000002e6"
              },
              {
                "name": "SubKey",
                "value": "Interface\\{E3DD5D31-892E-4AD6-9CE9-8FE1F185047B}"
              },
              {
                "name": "Handle",
                "value": "0x00000746"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\Interface\\{E3DD5D31-892E-4AD6-9CE9-8FE1F185047B}"
              }
            ],
            "repeated": 0,
            "id": 7253
          },
          {
            "timestamp": "2026-05-28 22:01:58,006",
            "thread_id": "3700",
            "caller": "0x7ffc77c1fa51",
            "parentcaller": "0x7ffc77be42ab",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000746"
              },
              {
                "name": "SubKey",
                "value": "ProxyStubClsid32"
              },
              {
                "name": "Handle",
                "value": "0x00000742"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{e3dd5d31-892e-4ad6-9ce9-8fe1f185047b}\\ProxyStubClsid32"
              }
            ],
            "repeated": 0,
            "id": 7254
          },
          {
            "timestamp": "2026-05-28 22:01:58,006",
            "thread_id": "3700",
            "caller": "0x7ffc77c1fa8c",
            "parentcaller": "0x7ffc77be42ab",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000742"
              },
              {
                "name": "ValueName",
                "value": ""
              },
              {
                "name": "Data",
                "value": "{c53e07ec-25f3-4093-aa39-fc67ea22e99d}"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{e3dd5d31-892e-4ad6-9ce9-8fe1f185047b}\\ProxyStubClsid32\\(Default)"
              }
            ],
            "repeated": 0,
            "id": 7255
          },
          {
            "timestamp": "2026-05-28 22:01:58,006",
            "thread_id": "3700",
            "caller": "0x7ffc77c1fad3",
            "parentcaller": "0x7ffc77be42ab",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000742"
              }
            ],
            "repeated": 0,
            "id": 7256
          },
          {
            "timestamp": "2026-05-28 22:01:58,006",
            "thread_id": "3700",
            "caller": "0x7ffc77c1fae4",
            "parentcaller": "0x7ffc77be42ab",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000746"
              }
            ],
            "repeated": 0,
            "id": 7257
          },
          {
            "timestamp": "2026-05-28 22:01:58,006",
            "thread_id": "3700",
            "caller": "0x7ffc77ba22bf",
            "parentcaller": "0x7ffc77c1fbe4",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x000002e6"
              },
              {
                "name": "SubKey",
                "value": "Interface\\{6A905A4B-CD66-5C7C-AB57-F5EB16C97257}"
              },
              {
                "name": "Handle",
                "value": "0x00000746"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\Interface\\{6A905A4B-CD66-5C7C-AB57-F5EB16C97257}"
              }
            ],
            "repeated": 0,
            "id": 7258
          },
          {
            "timestamp": "2026-05-28 22:01:58,006",
            "thread_id": "3700",
            "caller": "0x7ffc77c1fa51",
            "parentcaller": "0x7ffc77be42ab",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000746"
              },
              {
                "name": "SubKey",
                "value": "ProxyStubClsid32"
              },
              {
                "name": "Handle",
                "value": "0x00000742"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{6a905a4b-cd66-5c7c-ab57-f5eb16c97257}\\ProxyStubClsid32"
              }
            ],
            "repeated": 0,
            "id": 7259
          },
          {
            "timestamp": "2026-05-28 22:01:58,006",
            "thread_id": "3700",
            "caller": "0x7ffc77c1fa8c",
            "parentcaller": "0x7ffc77be42ab",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000742"
              },
              {
                "name": "ValueName",
                "value": ""
              },
              {
                "name": "Data",
                "value": "{c53e07ec-25f3-4093-aa39-fc67ea22e99d}"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{6a905a4b-cd66-5c7c-ab57-f5eb16c97257}\\ProxyStubClsid32\\(Default)"
              }
            ],
            "repeated": 0,
            "id": 7260
          },
          {
            "timestamp": "2026-05-28 22:01:58,006",
            "thread_id": "3700",
            "caller": "0x7ffc77c1fad3",
            "parentcaller": "0x7ffc77be42ab",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000742"
              }
            ],
            "repeated": 0,
            "id": 7261
          },
          {
            "timestamp": "2026-05-28 22:01:58,006",
            "thread_id": "3700",
            "caller": "0x7ffc77c1fae4",
            "parentcaller": "0x7ffc77be42ab",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000746"
              }
            ],
            "repeated": 0,
            "id": 7262
          },
          {
            "timestamp": "2026-05-28 22:01:58,006",
            "thread_id": "3700",
            "caller": "0x7ffc77ba22bf",
            "parentcaller": "0x7ffc77c1fbe4",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x000002e6"
              },
              {
                "name": "SubKey",
                "value": "Interface\\{2BE22368-4C98-5E9F-AC2B-DE493C0C3E43}"
              },
              {
                "name": "Handle",
                "value": "0x00000746"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\Interface\\{2BE22368-4C98-5E9F-AC2B-DE493C0C3E43}"
              }
            ],
            "repeated": 0,
            "id": 7263
          },
          {
            "timestamp": "2026-05-28 22:01:58,006",
            "thread_id": "3700",
            "caller": "0x7ffc77c1fa51",
            "parentcaller": "0x7ffc77be42ab",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000746"
              },
              {
                "name": "SubKey",
                "value": "ProxyStubClsid32"
              },
              {
                "name": "Handle",
                "value": "0x00000742"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{2be22368-4c98-5e9f-ac2b-de493c0c3e43}\\ProxyStubClsid32"
              }
            ],
            "repeated": 0,
            "id": 7264
          },
          {
            "timestamp": "2026-05-28 22:01:58,006",
            "thread_id": "3700",
            "caller": "0x7ffc77c1fa8c",
            "parentcaller": "0x7ffc77be42ab",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000742"
              },
              {
                "name": "ValueName",
                "value": ""
              },
              {
                "name": "Data",
                "value": "{c53e07ec-25f3-4093-aa39-fc67ea22e99d}"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{2be22368-4c98-5e9f-ac2b-de493c0c3e43}\\ProxyStubClsid32\\(Default)"
              }
            ],
            "repeated": 0,
            "id": 7265
          },
          {
            "timestamp": "2026-05-28 22:01:58,006",
            "thread_id": "3700",
            "caller": "0x7ffc77c1fad3",
            "parentcaller": "0x7ffc77be42ab",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000742"
              }
            ],
            "repeated": 0,
            "id": 7266
          },
          {
            "timestamp": "2026-05-28 22:01:58,006",
            "thread_id": "3700",
            "caller": "0x7ffc77c1fae4",
            "parentcaller": "0x7ffc77be42ab",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000746"
              }
            ],
            "repeated": 0,
            "id": 7267
          },
          {
            "timestamp": "2026-05-28 22:01:58,006",
            "thread_id": "3700",
            "caller": "0x7ffc77ba22bf",
            "parentcaller": "0x7ffc77c1fbe4",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x000002e6"
              },
              {
                "name": "SubKey",
                "value": "Interface\\{F502008F-7A0E-5757-8E65-EBAD2E5A0E21}"
              },
              {
                "name": "Handle",
                "value": "0x00000756"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\Interface\\{F502008F-7A0E-5757-8E65-EBAD2E5A0E21}"
              }
            ],
            "repeated": 0,
            "id": 7268
          },
          {
            "timestamp": "2026-05-28 22:01:58,006",
            "thread_id": "3700",
            "caller": "0x7ffc77c1fa51",
            "parentcaller": "0x7ffc77be42ab",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000756"
              },
              {
                "name": "SubKey",
                "value": "ProxyStubClsid32"
              },
              {
                "name": "Handle",
                "value": "0x0000075a"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{f502008f-7a0e-5757-8e65-ebad2e5a0e21}\\ProxyStubClsid32"
              }
            ],
            "repeated": 0,
            "id": 7269
          },
          {
            "timestamp": "2026-05-28 22:01:58,006",
            "thread_id": "3700",
            "caller": "0x7ffc77c1fa8c",
            "parentcaller": "0x7ffc77be42ab",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000075a"
              },
              {
                "name": "ValueName",
                "value": ""
              },
              {
                "name": "Data",
                "value": "{c53e07ec-25f3-4093-aa39-fc67ea22e99d}"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{f502008f-7a0e-5757-8e65-ebad2e5a0e21}\\ProxyStubClsid32\\(Default)"
              }
            ],
            "repeated": 0,
            "id": 7270
          },
          {
            "timestamp": "2026-05-28 22:01:58,006",
            "thread_id": "3700",
            "caller": "0x7ffc77c1fad3",
            "parentcaller": "0x7ffc77be42ab",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000075a"
              }
            ],
            "repeated": 0,
            "id": 7271
          },
          {
            "timestamp": "2026-05-28 22:01:58,006",
            "thread_id": "3700",
            "caller": "0x7ffc77c1fae4",
            "parentcaller": "0x7ffc77be42ab",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000756"
              }
            ],
            "repeated": 0,
            "id": 7272
          },
          {
            "timestamp": "2026-05-28 22:01:58,006",
            "thread_id": "3700",
            "caller": "0x7ffc77ba22bf",
            "parentcaller": "0x7ffc77c1fbe4",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x000002e6"
              },
              {
                "name": "SubKey",
                "value": "Interface\\{19AD9E30-89F3-48F6-9C50-E34A59494544}"
              },
              {
                "name": "Handle",
                "value": "0x00000746"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\Interface\\{19AD9E30-89F3-48F6-9C50-E34A59494544}"
              }
            ],
            "repeated": 0,
            "id": 7273
          },
          {
            "timestamp": "2026-05-28 22:01:58,006",
            "thread_id": "3700",
            "caller": "0x7ffc77c1fa51",
            "parentcaller": "0x7ffc77be42ab",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000746"
              },
              {
                "name": "SubKey",
                "value": "ProxyStubClsid32"
              },
              {
                "name": "Handle",
                "value": "0x00000742"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{19ad9e30-89f3-48f6-9c50-e34a59494544}\\ProxyStubClsid32"
              }
            ],
            "repeated": 0,
            "id": 7274
          },
          {
            "timestamp": "2026-05-28 22:01:58,006",
            "thread_id": "3700",
            "caller": "0x7ffc77c1fa8c",
            "parentcaller": "0x7ffc77be42ab",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000742"
              },
              {
                "name": "ValueName",
                "value": ""
              },
              {
                "name": "Data",
                "value": "{c53e07ec-25f3-4093-aa39-fc67ea22e99d}"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{19ad9e30-89f3-48f6-9c50-e34a59494544}\\ProxyStubClsid32\\(Default)"
              }
            ],
            "repeated": 0,
            "id": 7275
          },
          {
            "timestamp": "2026-05-28 22:01:58,006",
            "thread_id": "3700",
            "caller": "0x7ffc77c1fad3",
            "parentcaller": "0x7ffc77be42ab",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000742"
              }
            ],
            "repeated": 0,
            "id": 7276
          },
          {
            "timestamp": "2026-05-28 22:01:58,006",
            "thread_id": "3700",
            "caller": "0x7ffc77c1fae4",
            "parentcaller": "0x7ffc77be42ab",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000746"
              }
            ],
            "repeated": 0,
            "id": 7277
          },
          {
            "timestamp": "2026-05-28 22:01:58,006",
            "thread_id": "3700",
            "caller": "0x7ffc77ba22bf",
            "parentcaller": "0x7ffc77c1fbe4",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x000002e6"
              },
              {
                "name": "SubKey",
                "value": "Interface\\{8A43ED9F-F4E6-4421-ACF9-1DAB2986820C}"
              },
              {
                "name": "Handle",
                "value": "0x00000756"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\Interface\\{8A43ED9F-F4E6-4421-ACF9-1DAB2986820C}"
              }
            ],
            "repeated": 0,
            "id": 7278
          },
          {
            "timestamp": "2026-05-28 22:01:58,006",
            "thread_id": "3700",
            "caller": "0x7ffc77c1fa51",
            "parentcaller": "0x7ffc77be42ab",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000756"
              },
              {
                "name": "SubKey",
                "value": "ProxyStubClsid32"
              },
              {
                "name": "Handle",
                "value": "0x0000075a"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{8a43ed9f-f4e6-4421-acf9-1dab2986820c}\\ProxyStubClsid32"
              }
            ],
            "repeated": 0,
            "id": 7279
          },
          {
            "timestamp": "2026-05-28 22:01:58,006",
            "thread_id": "3700",
            "caller": "0x7ffc77c1fa8c",
            "parentcaller": "0x7ffc77be42ab",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000075a"
              },
              {
                "name": "ValueName",
                "value": ""
              },
              {
                "name": "Data",
                "value": "{11659a23-5884-4d1b-9cf6-67d6f4f90b36}"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{8a43ed9f-f4e6-4421-acf9-1dab2986820c}\\ProxyStubClsid32\\(Default)"
              }
            ],
            "repeated": 0,
            "id": 7280
          },
          {
            "timestamp": "2026-05-28 22:01:58,006",
            "thread_id": "3700",
            "caller": "0x7ffc77c1fad3",
            "parentcaller": "0x7ffc77be42ab",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000075a"
              }
            ],
            "repeated": 0,
            "id": 7281
          },
          {
            "timestamp": "2026-05-28 22:01:58,006",
            "thread_id": "3700",
            "caller": "0x7ffc77c1fae4",
            "parentcaller": "0x7ffc77be42ab",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000756"
              }
            ],
            "repeated": 0,
            "id": 7282
          },
          {
            "timestamp": "2026-05-28 22:01:58,006",
            "thread_id": "3700",
            "caller": "0x7ffc77ba7b74",
            "parentcaller": "0x7ffc77ba53d4",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x000002ca"
              },
              {
                "name": "SubKey",
                "value": "CLSID\\{11659A23-5884-4D1B-9CF6-67D6F4F90B36}"
              },
              {
                "name": "Handle",
                "value": "0x00000756"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{11659A23-5884-4D1B-9CF6-67D6F4F90B36}"
              }
            ],
            "repeated": 0,
            "id": 7283
          },
          {
            "timestamp": "2026-05-28 22:01:58,006",
            "thread_id": "3700",
            "caller": "0x7ffc756e45a7",
            "parentcaller": "0x7ffc756e0705",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000756"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\CLSID\\{11659a23-5884-4d1b-9cf6-67d6f4f90b36}"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 7284
          },
          {
            "timestamp": "2026-05-28 22:01:58,006",
            "thread_id": "3700",
            "caller": "0x7ffc756e2314",
            "parentcaller": "0x7ffc756e0732",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000756"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 7285
          },
          {
            "timestamp": "2026-05-28 22:01:58,006",
            "thread_id": "3700",
            "caller": "0x7ffc78006c8b",
            "parentcaller": "0x7ffc756e23a0",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "P\\xc5\\x1f\\x9e\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xfc\\x7f\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\xe9\\x03\\x00\\x00\\xfc\\x7f\\x00\\x00\\xb8\\xcf\\xd93\\xfc\\x7f\\x00\\x00V\\x07\\x00\\x00\\x00\\x00\\x00\\x00\\xe0\\xd2\\xd93\\xfc\\x7f\\x00\\x00\\x04\\x00\\x00\\x00\\xf0\\x00\\x00\\x00P\\xc6\\x1f\\x9e\\xf0\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 7286
          },
          {
            "timestamp": "2026-05-28 22:01:58,006",
            "thread_id": "3700",
            "caller": "0x7ffc756e24a8",
            "parentcaller": "0x7ffc756e0732",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3968686040-3210279463-847977608-1001_Classes\\CLSID\\{11659a23-5884-4d1b-9cf6-67d6f4f90b36}\\TreatAs"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{11659a23-5884-4d1b-9cf6-67d6f4f90b36}\\TreatAs"
              }
            ],
            "repeated": 0,
            "id": 7287
          },
          {
            "timestamp": "2026-05-28 22:01:58,006",
            "thread_id": "3700",
            "caller": "0x7ffc756e40c4",
            "parentcaller": "0x7ffc756e25c4",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000756"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 7288
          },
          {
            "timestamp": "2026-05-28 22:01:58,006",
            "thread_id": "3700",
            "caller": "0x7ffc756e25e2",
            "parentcaller": "0x7ffc756e0732",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000756"
              },
              {
                "name": "ObjectAttributesName",
                "value": "TreatAs"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{11659a23-5884-4d1b-9cf6-67d6f4f90b36}\\TreatAs"
              }
            ],
            "repeated": 0,
            "id": 7289
          },
          {
            "timestamp": "2026-05-28 22:01:58,006",
            "thread_id": "3700",
            "caller": "0x7ffc77c322e1",
            "parentcaller": "0x7ffc77ba7c1d",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000756"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\CLSID\\{11659a23-5884-4d1b-9cf6-67d6f4f90b36}"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 7290
          },
          {
            "timestamp": "2026-05-28 22:01:58,006",
            "thread_id": "3700",
            "caller": "0x7ffc756e2e92",
            "parentcaller": "0x7ffc77ba81f5",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000756"
              },
              {
                "name": "ValueName",
                "value": "ActivateOnHostFlags"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{11659a23-5884-4d1b-9cf6-67d6f4f90b36}\\ActivateOnHostFlags"
              }
            ],
            "repeated": 0,
            "id": 7291
          },
          {
            "timestamp": "2026-05-28 22:01:58,006",
            "thread_id": "3700",
            "caller": "0x7ffc756e2e92",
            "parentcaller": "0x7ffc77ba870d",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000756"
              },
              {
                "name": "ValueName",
                "value": ""
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{11659a23-5884-4d1b-9cf6-67d6f4f90b36}\\(Default)"
              }
            ],
            "repeated": 0,
            "id": 7292
          },
          {
            "timestamp": "2026-05-28 22:01:58,006",
            "thread_id": "3700",
            "caller": "0x7ffc756e2e92",
            "parentcaller": "0x7ffc77ba87bc",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000756"
              },
              {
                "name": "ValueName",
                "value": ""
              },
              {
                "name": "Data",
                "value": "Ptype_PSFactory"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{11659a23-5884-4d1b-9cf6-67d6f4f90b36}\\(Default)"
              }
            ],
            "repeated": 0,
            "id": 7293
          },
          {
            "timestamp": "2026-05-28 22:01:58,006",
            "thread_id": "3700",
            "caller": "0x7ffc77ba8485",
            "parentcaller": "0x7ffc77ba829e",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000756"
              },
              {
                "name": "SubKey",
                "value": "InprocServer32"
              },
              {
                "name": "Handle",
                "value": "0x0000075a"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{11659a23-5884-4d1b-9cf6-67d6f4f90b36}\\InprocServer32"
              }
            ],
            "repeated": 0,
            "id": 7294
          },
          {
            "timestamp": "2026-05-28 22:01:58,006",
            "thread_id": "3700",
            "caller": "0x7ffc756e2e92",
            "parentcaller": "0x7ffc77ba870d",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000075a"
              },
              {
                "name": "ValueName",
                "value": "InprocServer32"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{11659a23-5884-4d1b-9cf6-67d6f4f90b36}\\InProcServer32\\InprocServer32"
              }
            ],
            "repeated": 0,
            "id": 7295
          },
          {
            "timestamp": "2026-05-28 22:01:58,006",
            "thread_id": "3700",
            "caller": "0x7ffc756e2e92",
            "parentcaller": "0x7ffc77ba870d",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000075a"
              },
              {
                "name": "ValueName",
                "value": ""
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{11659a23-5884-4d1b-9cf6-67d6f4f90b36}\\InProcServer32\\(Default)"
              }
            ],
            "repeated": 0,
            "id": 7296
          },
          {
            "timestamp": "2026-05-28 22:01:58,006",
            "thread_id": "3700",
            "caller": "0x7ffc756e2e92",
            "parentcaller": "0x7ffc77ba87bc",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000075a"
              },
              {
                "name": "ValueName",
                "value": ""
              },
              {
                "name": "Data",
                "value": "C:\\Windows\\System32\\WinTypes.dll"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{11659a23-5884-4d1b-9cf6-67d6f4f90b36}\\InProcServer32\\(Default)"
              }
            ],
            "repeated": 0,
            "id": 7297
          },
          {
            "timestamp": "2026-05-28 22:01:58,006",
            "thread_id": "3700",
            "caller": "0x7ffc756e2e92",
            "parentcaller": "0x7ffc77ba8d32",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000075a"
              },
              {
                "name": "ValueName",
                "value": "ThreadingModel"
              },
              {
                "name": "Data",
                "value": "Both"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{11659a23-5884-4d1b-9cf6-67d6f4f90b36}\\InProcServer32\\ThreadingModel"
              }
            ],
            "repeated": 0,
            "id": 7298
          },
          {
            "timestamp": "2026-05-28 22:01:58,006",
            "thread_id": "3700",
            "caller": "0x7ffc77ba855f",
            "parentcaller": "0x7ffc77ba829e",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000075a"
              }
            ],
            "repeated": 0,
            "id": 7299
          },
          {
            "timestamp": "2026-05-28 22:01:58,006",
            "thread_id": "3700",
            "caller": "0x7ffc756e45a7",
            "parentcaller": "0x7ffc756e0705",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000756"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\CLSID\\{11659a23-5884-4d1b-9cf6-67d6f4f90b36}"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 7300
          },
          {
            "timestamp": "2026-05-28 22:01:58,006",
            "thread_id": "3700",
            "caller": "0x7ffc756e2314",
            "parentcaller": "0x7ffc756e0732",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000756"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 7301
          },
          {
            "timestamp": "2026-05-28 22:01:58,006",
            "thread_id": "3700",
            "caller": "0x7ffc78006c8b",
            "parentcaller": "0x7ffc756e23a0",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xe0\\xc3\\x1f\\x9e\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xfc\\x7f\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\xe9\\x03\\x00\\x00\\xfc\\x7f\\x00\\x00\\xb8\\xcf\\xd93\\xfc\\x7f\\x00\\x00V\\x07\\x00\\x00\\x00\\x00\\x00\\x00\\xe0\\xd2\\xd93\\xfc\\x7f\\x00\\x00\\x04\\x00\\x00\\x00\\xf0\\x00\\x00\\x00\\xe0\\xc4\\x1f\\x9e\\xf0\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 7302
          },
          {
            "timestamp": "2026-05-28 22:01:58,006",
            "thread_id": "3700",
            "caller": "0x7ffc756e24a8",
            "parentcaller": "0x7ffc756e0732",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3968686040-3210279463-847977608-1001_Classes\\CLSID\\{11659a23-5884-4d1b-9cf6-67d6f4f90b36}\\InprocHandler32"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{11659a23-5884-4d1b-9cf6-67d6f4f90b36}\\InprocHandler32"
              }
            ],
            "repeated": 0,
            "id": 7303
          },
          {
            "timestamp": "2026-05-28 22:01:58,006",
            "thread_id": "3700",
            "caller": "0x7ffc756e40c4",
            "parentcaller": "0x7ffc756e25c4",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000756"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 7304
          },
          {
            "timestamp": "2026-05-28 22:01:58,006",
            "thread_id": "3700",
            "caller": "0x7ffc756e25e2",
            "parentcaller": "0x7ffc756e0732",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000756"
              },
              {
                "name": "ObjectAttributesName",
                "value": "InprocHandler32"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{11659a23-5884-4d1b-9cf6-67d6f4f90b36}\\InprocHandler32"
              }
            ],
            "repeated": 0,
            "id": 7305
          },
          {
            "timestamp": "2026-05-28 22:01:58,006",
            "thread_id": "3700",
            "caller": "0x7ffc756e45a7",
            "parentcaller": "0x7ffc756e0705",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000756"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\CLSID\\{11659a23-5884-4d1b-9cf6-67d6f4f90b36}"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 7306
          },
          {
            "timestamp": "2026-05-28 22:01:58,006",
            "thread_id": "3700",
            "caller": "0x7ffc756e2314",
            "parentcaller": "0x7ffc756e0732",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000756"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 7307
          },
          {
            "timestamp": "2026-05-28 22:01:58,006",
            "thread_id": "3700",
            "caller": "0x7ffc78006c8b",
            "parentcaller": "0x7ffc756e23a0",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xe0\\xc3\\x1f\\x9e\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xfc\\x7f\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\xe9\\x03\\x00\\x00\\xfc\\x7f\\x00\\x00\\xb8\\xcf\\xd93\\xfc\\x7f\\x00\\x00V\\x07\\x00\\x00\\x00\\x00\\x00\\x00\\xe0\\xd2\\xd93\\xfc\\x7f\\x00\\x00\\x04\\x00\\x00\\x00\\xf0\\x00\\x00\\x00\\xe0\\xc4\\x1f\\x9e\\xf0\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 7308
          },
          {
            "timestamp": "2026-05-28 22:01:58,006",
            "thread_id": "3700",
            "caller": "0x7ffc756e24a8",
            "parentcaller": "0x7ffc756e0732",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3968686040-3210279463-847977608-1001_Classes\\CLSID\\{11659a23-5884-4d1b-9cf6-67d6f4f90b36}\\InprocHandler"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{11659a23-5884-4d1b-9cf6-67d6f4f90b36}\\InprocHandler"
              }
            ],
            "repeated": 0,
            "id": 7309
          },
          {
            "timestamp": "2026-05-28 22:01:58,006",
            "thread_id": "3700",
            "caller": "0x7ffc756e40c4",
            "parentcaller": "0x7ffc756e25c4",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000756"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 7310
          },
          {
            "timestamp": "2026-05-28 22:01:58,006",
            "thread_id": "3700",
            "caller": "0x7ffc756e25e2",
            "parentcaller": "0x7ffc756e0732",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000756"
              },
              {
                "name": "ObjectAttributesName",
                "value": "InprocHandler"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{11659a23-5884-4d1b-9cf6-67d6f4f90b36}\\InprocHandler"
              }
            ],
            "repeated": 0,
            "id": 7311
          },
          {
            "timestamp": "2026-05-28 22:01:58,006",
            "thread_id": "3700",
            "caller": "0x7ffc77ba8010",
            "parentcaller": "0x7ffc77ba53d4",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000756"
              }
            ],
            "repeated": 0,
            "id": 7312
          },
          {
            "timestamp": "2026-05-28 22:01:58,006",
            "thread_id": "3700",
            "caller": "0x7ffc77ba7b74",
            "parentcaller": "0x7ffc77ba53d4",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x000002ca"
              },
              {
                "name": "SubKey",
                "value": "CLSID\\{11659A23-5884-4D1B-9CF6-67D6F4F90B36}"
              },
              {
                "name": "Handle",
                "value": "0x00000756"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{11659A23-5884-4D1B-9CF6-67D6F4F90B36}"
              }
            ],
            "repeated": 0,
            "id": 7313
          },
          {
            "timestamp": "2026-05-28 22:01:58,006",
            "thread_id": "3700",
            "caller": "0x7ffc756e45a7",
            "parentcaller": "0x7ffc756e0705",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000756"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\CLSID\\{11659a23-5884-4d1b-9cf6-67d6f4f90b36}"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 7314
          },
          {
            "timestamp": "2026-05-28 22:01:58,006",
            "thread_id": "3700",
            "caller": "0x7ffc756e2314",
            "parentcaller": "0x7ffc756e0732",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000756"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 7315
          },
          {
            "timestamp": "2026-05-28 22:01:58,006",
            "thread_id": "3700",
            "caller": "0x7ffc78006c8b",
            "parentcaller": "0x7ffc756e23a0",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\x10\\xc2\\x1f\\x9e\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xfc\\x7f\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\xe9\\x03\\x00\\x00\\xfc\\x7f\\x00\\x00\\xb8\\xcf\\xd93\\xfc\\x7f\\x00\\x00V\\x07\\x00\\x00\\x00\\x00\\x00\\x00\\xe0\\xd2\\xd93\\xfc\\x7f\\x00\\x00\\x04\\x00\\x00\\x00\\xf0\\x00\\x00\\x00\\x10\\xc3\\x1f\\x9e\\xf0\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 7316
          },
          {
            "timestamp": "2026-05-28 22:01:58,006",
            "thread_id": "3700",
            "caller": "0x7ffc756e24a8",
            "parentcaller": "0x7ffc756e0732",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3968686040-3210279463-847977608-1001_Classes\\CLSID\\{11659a23-5884-4d1b-9cf6-67d6f4f90b36}\\TreatAs"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{11659a23-5884-4d1b-9cf6-67d6f4f90b36}\\TreatAs"
              }
            ],
            "repeated": 0,
            "id": 7317
          },
          {
            "timestamp": "2026-05-28 22:01:58,006",
            "thread_id": "3700",
            "caller": "0x7ffc756e40c4",
            "parentcaller": "0x7ffc756e25c4",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000756"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 7318
          },
          {
            "timestamp": "2026-05-28 22:01:58,006",
            "thread_id": "3700",
            "caller": "0x7ffc756e25e2",
            "parentcaller": "0x7ffc756e0732",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000756"
              },
              {
                "name": "ObjectAttributesName",
                "value": "TreatAs"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{11659a23-5884-4d1b-9cf6-67d6f4f90b36}\\TreatAs"
              }
            ],
            "repeated": 0,
            "id": 7319
          },
          {
            "timestamp": "2026-05-28 22:01:58,006",
            "thread_id": "3700",
            "caller": "0x7ffc77c322e1",
            "parentcaller": "0x7ffc77ba7c1d",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000756"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\CLSID\\{11659a23-5884-4d1b-9cf6-67d6f4f90b36}"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 7320
          },
          {
            "timestamp": "2026-05-28 22:01:58,006",
            "thread_id": "3700",
            "caller": "0x7ffc756e2e92",
            "parentcaller": "0x7ffc77ba81f5",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000756"
              },
              {
                "name": "ValueName",
                "value": "ActivateOnHostFlags"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{11659a23-5884-4d1b-9cf6-67d6f4f90b36}\\ActivateOnHostFlags"
              }
            ],
            "repeated": 0,
            "id": 7321
          },
          {
            "timestamp": "2026-05-28 22:01:58,006",
            "thread_id": "3700",
            "caller": "0x7ffc756e2e92",
            "parentcaller": "0x7ffc77ba870d",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000756"
              },
              {
                "name": "ValueName",
                "value": ""
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{11659a23-5884-4d1b-9cf6-67d6f4f90b36}\\(Default)"
              }
            ],
            "repeated": 0,
            "id": 7322
          },
          {
            "timestamp": "2026-05-28 22:01:58,006",
            "thread_id": "3700",
            "caller": "0x7ffc756e2e92",
            "parentcaller": "0x7ffc77ba87bc",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000756"
              },
              {
                "name": "ValueName",
                "value": ""
              },
              {
                "name": "Data",
                "value": "Ptype_PSFactory"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{11659a23-5884-4d1b-9cf6-67d6f4f90b36}\\(Default)"
              }
            ],
            "repeated": 0,
            "id": 7323
          },
          {
            "timestamp": "2026-05-28 22:01:58,006",
            "thread_id": "3700",
            "caller": "0x7ffc77ba8485",
            "parentcaller": "0x7ffc77ba829e",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000756"
              },
              {
                "name": "SubKey",
                "value": "InprocServer32"
              },
              {
                "name": "Handle",
                "value": "0x0000075a"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{11659a23-5884-4d1b-9cf6-67d6f4f90b36}\\InprocServer32"
              }
            ],
            "repeated": 0,
            "id": 7324
          },
          {
            "timestamp": "2026-05-28 22:01:58,006",
            "thread_id": "3700",
            "caller": "0x7ffc756e2e92",
            "parentcaller": "0x7ffc77ba870d",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000075a"
              },
              {
                "name": "ValueName",
                "value": "InprocServer32"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{11659a23-5884-4d1b-9cf6-67d6f4f90b36}\\InProcServer32\\InprocServer32"
              }
            ],
            "repeated": 0,
            "id": 7325
          },
          {
            "timestamp": "2026-05-28 22:01:58,006",
            "thread_id": "3700",
            "caller": "0x7ffc756e2e92",
            "parentcaller": "0x7ffc77ba870d",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000075a"
              },
              {
                "name": "ValueName",
                "value": ""
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{11659a23-5884-4d1b-9cf6-67d6f4f90b36}\\InProcServer32\\(Default)"
              }
            ],
            "repeated": 0,
            "id": 7326
          },
          {
            "timestamp": "2026-05-28 22:01:58,006",
            "thread_id": "3700",
            "caller": "0x7ffc756e2e92",
            "parentcaller": "0x7ffc77ba87bc",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000075a"
              },
              {
                "name": "ValueName",
                "value": ""
              },
              {
                "name": "Data",
                "value": "C:\\Windows\\System32\\WinTypes.dll"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{11659a23-5884-4d1b-9cf6-67d6f4f90b36}\\InProcServer32\\(Default)"
              }
            ],
            "repeated": 0,
            "id": 7327
          },
          {
            "timestamp": "2026-05-28 22:01:58,006",
            "thread_id": "3700",
            "caller": "0x7ffc756e2e92",
            "parentcaller": "0x7ffc77ba8d32",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000075a"
              },
              {
                "name": "ValueName",
                "value": "ThreadingModel"
              },
              {
                "name": "Data",
                "value": "Both"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{11659a23-5884-4d1b-9cf6-67d6f4f90b36}\\InProcServer32\\ThreadingModel"
              }
            ],
            "repeated": 0,
            "id": 7328
          },
          {
            "timestamp": "2026-05-28 22:01:58,006",
            "thread_id": "3700",
            "caller": "0x7ffc77ba855f",
            "parentcaller": "0x7ffc77ba829e",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000075a"
              }
            ],
            "repeated": 0,
            "id": 7329
          },
          {
            "timestamp": "2026-05-28 22:01:58,006",
            "thread_id": "3700",
            "caller": "0x7ffc756e45a7",
            "parentcaller": "0x7ffc756e0705",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000756"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\CLSID\\{11659a23-5884-4d1b-9cf6-67d6f4f90b36}"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 7330
          },
          {
            "timestamp": "2026-05-28 22:01:58,006",
            "thread_id": "3700",
            "caller": "0x7ffc756e2314",
            "parentcaller": "0x7ffc756e0732",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000756"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 7331
          },
          {
            "timestamp": "2026-05-28 22:01:58,006",
            "thread_id": "3700",
            "caller": "0x7ffc78006c8b",
            "parentcaller": "0x7ffc756e23a0",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xa0\\xc0\\x1f\\x9e\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xfc\\x7f\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\xe9\\x03\\x00\\x00\\xfc\\x7f\\x00\\x00\\xb8\\xcf\\xd93\\xfc\\x7f\\x00\\x00V\\x07\\x00\\x00\\x00\\x00\\x00\\x00\\xe0\\xd2\\xd93\\xfc\\x7f\\x00\\x00\\x04\\x00\\x00\\x00\\xf0\\x00\\x00\\x00\\xa0\\xc1\\x1f\\x9e\\xf0\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 7332
          },
          {
            "timestamp": "2026-05-28 22:01:58,006",
            "thread_id": "3700",
            "caller": "0x7ffc756e24a8",
            "parentcaller": "0x7ffc756e0732",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3968686040-3210279463-847977608-1001_Classes\\CLSID\\{11659a23-5884-4d1b-9cf6-67d6f4f90b36}\\InprocHandler32"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{11659a23-5884-4d1b-9cf6-67d6f4f90b36}\\InprocHandler32"
              }
            ],
            "repeated": 0,
            "id": 7333
          },
          {
            "timestamp": "2026-05-28 22:01:58,006",
            "thread_id": "3700",
            "caller": "0x7ffc756e40c4",
            "parentcaller": "0x7ffc756e25c4",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000756"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 7334
          },
          {
            "timestamp": "2026-05-28 22:01:58,006",
            "thread_id": "3700",
            "caller": "0x7ffc756e25e2",
            "parentcaller": "0x7ffc756e0732",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000756"
              },
              {
                "name": "ObjectAttributesName",
                "value": "InprocHandler32"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{11659a23-5884-4d1b-9cf6-67d6f4f90b36}\\InprocHandler32"
              }
            ],
            "repeated": 0,
            "id": 7335
          },
          {
            "timestamp": "2026-05-28 22:01:58,006",
            "thread_id": "3700",
            "caller": "0x7ffc756e45a7",
            "parentcaller": "0x7ffc756e0705",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000756"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\CLSID\\{11659a23-5884-4d1b-9cf6-67d6f4f90b36}"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 7336
          },
          {
            "timestamp": "2026-05-28 22:01:58,006",
            "thread_id": "3700",
            "caller": "0x7ffc756e2314",
            "parentcaller": "0x7ffc756e0732",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000756"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 7337
          },
          {
            "timestamp": "2026-05-28 22:01:58,006",
            "thread_id": "3700",
            "caller": "0x7ffc78006c8b",
            "parentcaller": "0x7ffc756e23a0",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xa0\\xc0\\x1f\\x9e\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xfc\\x7f\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\xe9\\x03\\x00\\x00\\xfc\\x7f\\x00\\x00\\xb8\\xcf\\xd93\\xfc\\x7f\\x00\\x00V\\x07\\x00\\x00\\x00\\x00\\x00\\x00\\xe0\\xd2\\xd93\\xfc\\x7f\\x00\\x00\\x04\\x00\\x00\\x00\\xf0\\x00\\x00\\x00\\xa0\\xc1\\x1f\\x9e\\xf0\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 7338
          },
          {
            "timestamp": "2026-05-28 22:01:58,006",
            "thread_id": "3700",
            "caller": "0x7ffc756e24a8",
            "parentcaller": "0x7ffc756e0732",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3968686040-3210279463-847977608-1001_Classes\\CLSID\\{11659a23-5884-4d1b-9cf6-67d6f4f90b36}\\InprocHandler"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{11659a23-5884-4d1b-9cf6-67d6f4f90b36}\\InprocHandler"
              }
            ],
            "repeated": 0,
            "id": 7339
          },
          {
            "timestamp": "2026-05-28 22:01:58,006",
            "thread_id": "3700",
            "caller": "0x7ffc756e40c4",
            "parentcaller": "0x7ffc756e25c4",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000756"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 7340
          },
          {
            "timestamp": "2026-05-28 22:01:58,006",
            "thread_id": "3700",
            "caller": "0x7ffc756e25e2",
            "parentcaller": "0x7ffc756e0732",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000756"
              },
              {
                "name": "ObjectAttributesName",
                "value": "InprocHandler"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{11659a23-5884-4d1b-9cf6-67d6f4f90b36}\\InprocHandler"
              }
            ],
            "repeated": 0,
            "id": 7341
          },
          {
            "timestamp": "2026-05-28 22:01:58,006",
            "thread_id": "3700",
            "caller": "0x7ffc77baab08",
            "parentcaller": "0x7ffc77baa7d9",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000756"
              },
              {
                "name": "SubKey",
                "value": "LocalServer32"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{11659a23-5884-4d1b-9cf6-67d6f4f90b36}\\LocalServer32"
              }
            ],
            "repeated": 0,
            "id": 7342
          },
          {
            "timestamp": "2026-05-28 22:01:58,006",
            "thread_id": "3700",
            "caller": "0x7ffc756e2e92",
            "parentcaller": "0x7ffc77baa825",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000756"
              },
              {
                "name": "ValueName",
                "value": "AppID"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{11659a23-5884-4d1b-9cf6-67d6f4f90b36}\\AppID"
              }
            ],
            "repeated": 0,
            "id": 7343
          },
          {
            "timestamp": "2026-05-28 22:01:58,006",
            "thread_id": "3700",
            "caller": "0x7ffc756e45a7",
            "parentcaller": "0x7ffc756e0705",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000756"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\CLSID\\{11659a23-5884-4d1b-9cf6-67d6f4f90b36}"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 7344
          },
          {
            "timestamp": "2026-05-28 22:01:58,006",
            "thread_id": "3700",
            "caller": "0x7ffc756e2314",
            "parentcaller": "0x7ffc756e0732",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000756"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 7345
          },
          {
            "timestamp": "2026-05-28 22:01:58,006",
            "thread_id": "3700",
            "caller": "0x7ffc78006c8b",
            "parentcaller": "0x7ffc756e23a0",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xe0\\xbf\\x1f\\x9e\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xfc\\x7f\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\xe9\\x03\\x00\\x00\\xfc\\x7f\\x00\\x00\\xb8\\xcf\\xd93\\xfc\\x7f\\x00\\x00V\\x07\\x00\\x00\\x00\\x00\\x00\\x00\\xe0\\xd2\\xd93\\xfc\\x7f\\x00\\x00\\x04\\x00\\x00\\x00\\xf0\\x00\\x00\\x00\\xe0\\xc0\\x1f\\x9e\\xf0\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 7346
          },
          {
            "timestamp": "2026-05-28 22:01:58,006",
            "thread_id": "3700",
            "caller": "0x7ffc756e24a8",
            "parentcaller": "0x7ffc756e0732",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3968686040-3210279463-847977608-1001_Classes\\CLSID\\{11659a23-5884-4d1b-9cf6-67d6f4f90b36}\\LocalServer"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{11659a23-5884-4d1b-9cf6-67d6f4f90b36}\\LocalServer"
              }
            ],
            "repeated": 0,
            "id": 7347
          },
          {
            "timestamp": "2026-05-28 22:01:58,006",
            "thread_id": "3700",
            "caller": "0x7ffc756e40c4",
            "parentcaller": "0x7ffc756e25c4",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000756"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 7348
          },
          {
            "timestamp": "2026-05-28 22:01:58,006",
            "thread_id": "3700",
            "caller": "0x7ffc756e25e2",
            "parentcaller": "0x7ffc756e0732",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000756"
              },
              {
                "name": "ObjectAttributesName",
                "value": "LocalServer"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{11659a23-5884-4d1b-9cf6-67d6f4f90b36}\\LocalServer"
              }
            ],
            "repeated": 0,
            "id": 7349
          },
          {
            "timestamp": "2026-05-28 22:01:58,006",
            "thread_id": "3700",
            "caller": "0x7ffc77baad16",
            "parentcaller": "0x7ffc77ba83b8",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x000002ca"
              },
              {
                "name": "SubKey",
                "value": "CLSID\\{11659A23-5884-4D1B-9CF6-67D6F4F90B36}"
              },
              {
                "name": "Handle",
                "value": "0x0000075a"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{11659A23-5884-4D1B-9CF6-67D6F4F90B36}"
              }
            ],
            "repeated": 0,
            "id": 7350
          },
          {
            "timestamp": "2026-05-28 22:01:58,006",
            "thread_id": "3700",
            "caller": "0x7ffc77baad4d",
            "parentcaller": "0x7ffc77ba83b8",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x0000075a"
              },
              {
                "name": "SubKey",
                "value": "Elevation"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{11659a23-5884-4d1b-9cf6-67d6f4f90b36}\\Elevation"
              }
            ],
            "repeated": 0,
            "id": 7351
          },
          {
            "timestamp": "2026-05-28 22:01:58,006",
            "thread_id": "3700",
            "caller": "0x7ffc77baadb1",
            "parentcaller": "0x7ffc77ba83b8",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000075a"
              }
            ],
            "repeated": 0,
            "id": 7352
          },
          {
            "timestamp": "2026-05-28 22:01:58,006",
            "thread_id": "3700",
            "caller": "0x7ffc77ba8010",
            "parentcaller": "0x7ffc77ba53d4",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000756"
              }
            ],
            "repeated": 0,
            "id": 7353
          },
          {
            "timestamp": "2026-05-28 22:01:58,006",
            "thread_id": "3700",
            "caller": "0x7ffc77ba22bf",
            "parentcaller": "0x7ffc77ba25e9",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x000002e6"
              },
              {
                "name": "SubKey",
                "value": "CLSID\\{11659A23-5884-4D1B-9CF6-67D6F4F90B36}"
              },
              {
                "name": "Handle",
                "value": "0x00000756"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{11659A23-5884-4D1B-9CF6-67D6F4F90B36}"
              }
            ],
            "repeated": 0,
            "id": 7354
          },
          {
            "timestamp": "2026-05-28 22:01:58,006",
            "thread_id": "3700",
            "caller": "0x7ffc77c1f8f8",
            "parentcaller": "0x7ffc77ba213b",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000756"
              },
              {
                "name": "SubKey",
                "value": "TreatAs"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{11659a23-5884-4d1b-9cf6-67d6f4f90b36}\\TreatAs"
              }
            ],
            "repeated": 0,
            "id": 7355
          },
          {
            "timestamp": "2026-05-28 22:01:58,006",
            "thread_id": "3700",
            "caller": "0x7ffc77ba2160",
            "parentcaller": "0x7ffc77b99277",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000756"
              }
            ],
            "repeated": 0,
            "id": 7356
          },
          {
            "timestamp": "2026-05-28 22:01:58,006",
            "thread_id": "3700",
            "caller": "0x7ffc756e56b2",
            "parentcaller": "0x7ffc77bc6b6d",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\WinTypes.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc71ec0000"
              }
            ],
            "repeated": 0,
            "id": 7357
          },
          {
            "timestamp": "2026-05-28 22:01:58,006",
            "thread_id": "3700",
            "caller": "0x7ffc756e56b2",
            "parentcaller": "0x7ffc77bc6b6d",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x7ffc71ec0000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\System32\\WinTypes.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00002008"
              }
            ],
            "repeated": 0,
            "id": 7358
          },
          {
            "timestamp": "2026-05-28 22:01:58,006",
            "thread_id": "3700",
            "caller": "0x7ffc756eac31",
            "parentcaller": "0x7ffc77bc6acf",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "wintypes.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc71ec0000"
              },
              {
                "name": "FunctionName",
                "value": "DllGetClassObject"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc71ec9590"
              }
            ],
            "repeated": 0,
            "id": 7359
          },
          {
            "timestamp": "2026-05-28 22:01:58,006",
            "thread_id": "3700",
            "caller": "0x7ffc756eac31",
            "parentcaller": "0x7ffc77bc6ae8",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "wintypes.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc71ec0000"
              },
              {
                "name": "FunctionName",
                "value": "DllGetActivationFactory"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc71ec90f0"
              }
            ],
            "repeated": 0,
            "id": 7360
          },
          {
            "timestamp": "2026-05-28 22:01:58,006",
            "thread_id": "3700",
            "caller": "0x7ffc756eac31",
            "parentcaller": "0x7ffc77bc6b08",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "wintypes.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc71ec0000"
              },
              {
                "name": "FunctionName",
                "value": "DllCanUnloadNow"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc71ed47b0"
              }
            ],
            "repeated": 0,
            "id": 7361
          },
          {
            "timestamp": "2026-05-28 22:01:58,006",
            "thread_id": "3700",
            "caller": "0x7ffc78017830",
            "parentcaller": "0x7ffc780020f9",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc61179000"
              },
              {
                "name": "ModuleName",
                "value": "appresolver.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 7362
          },
          {
            "timestamp": "2026-05-28 22:01:58,006",
            "thread_id": "3700",
            "caller": "0x7ffc78017881",
            "parentcaller": "0x7ffc780020f9",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc61179000"
              },
              {
                "name": "ModuleName",
                "value": "appresolver.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 7363
          },
          {
            "timestamp": "2026-05-28 22:01:58,006",
            "thread_id": "3700",
            "caller": "0x7ffc77ba22bf",
            "parentcaller": "0x7ffc77c1fbe4",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x000002e6"
              },
              {
                "name": "SubKey",
                "value": "Interface\\{3BED20A5-6DEE-4297-B976-3B30DF69A7AA}"
              },
              {
                "name": "Handle",
                "value": "0x00000756"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\Interface\\{3BED20A5-6DEE-4297-B976-3B30DF69A7AA}"
              }
            ],
            "repeated": 0,
            "id": 7364
          },
          {
            "timestamp": "2026-05-28 22:01:58,006",
            "thread_id": "3700",
            "caller": "0x7ffc77c1fa51",
            "parentcaller": "0x7ffc77be42ab",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000756"
              },
              {
                "name": "SubKey",
                "value": "ProxyStubClsid32"
              },
              {
                "name": "Handle",
                "value": "0x0000075a"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{3bed20a5-6dee-4297-b976-3b30df69a7aa}\\ProxyStubClsid32"
              }
            ],
            "repeated": 0,
            "id": 7365
          },
          {
            "timestamp": "2026-05-28 22:01:58,006",
            "thread_id": "3700",
            "caller": "0x7ffc77c1fa8c",
            "parentcaller": "0x7ffc77be42ab",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000075a"
              },
              {
                "name": "ValueName",
                "value": ""
              },
              {
                "name": "Data",
                "value": "{c53e07ec-25f3-4093-aa39-fc67ea22e99d}"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{3bed20a5-6dee-4297-b976-3b30df69a7aa}\\ProxyStubClsid32\\(Default)"
              }
            ],
            "repeated": 0,
            "id": 7366
          },
          {
            "timestamp": "2026-05-28 22:01:58,006",
            "thread_id": "3700",
            "caller": "0x7ffc77c1fad3",
            "parentcaller": "0x7ffc77be42ab",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000075a"
              }
            ],
            "repeated": 0,
            "id": 7367
          },
          {
            "timestamp": "2026-05-28 22:01:58,006",
            "thread_id": "3700",
            "caller": "0x7ffc77c1fae4",
            "parentcaller": "0x7ffc77be42ab",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000756"
              }
            ],
            "repeated": 0,
            "id": 7368
          },
          {
            "timestamp": "2026-05-28 22:01:58,006",
            "thread_id": "3700",
            "caller": "0x7ffc77ba22bf",
            "parentcaller": "0x7ffc77c1fbe4",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x000002e6"
              },
              {
                "name": "SubKey",
                "value": "Interface\\{195F5943-0C04-4EAB-B907-735817FDAC77}"
              },
              {
                "name": "Handle",
                "value": "0x00000756"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\Interface\\{195F5943-0C04-4EAB-B907-735817FDAC77}"
              }
            ],
            "repeated": 0,
            "id": 7369
          },
          {
            "timestamp": "2026-05-28 22:01:58,006",
            "thread_id": "3700",
            "caller": "0x7ffc77c1fa51",
            "parentcaller": "0x7ffc77be42ab",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000756"
              },
              {
                "name": "SubKey",
                "value": "ProxyStubClsid32"
              },
              {
                "name": "Handle",
                "value": "0x0000075a"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{195f5943-0c04-4eab-b907-735817fdac77}\\ProxyStubClsid32"
              }
            ],
            "repeated": 0,
            "id": 7370
          },
          {
            "timestamp": "2026-05-28 22:01:58,006",
            "thread_id": "3700",
            "caller": "0x7ffc77c1fa8c",
            "parentcaller": "0x7ffc77be42ab",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000075a"
              },
              {
                "name": "ValueName",
                "value": ""
              },
              {
                "name": "Data",
                "value": "{c53e07ec-25f3-4093-aa39-fc67ea22e99d}"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{195f5943-0c04-4eab-b907-735817fdac77}\\ProxyStubClsid32\\(Default)"
              }
            ],
            "repeated": 0,
            "id": 7371
          },
          {
            "timestamp": "2026-05-28 22:01:58,006",
            "thread_id": "3700",
            "caller": "0x7ffc77c1fad3",
            "parentcaller": "0x7ffc77be42ab",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000075a"
              }
            ],
            "repeated": 0,
            "id": 7372
          },
          {
            "timestamp": "2026-05-28 22:01:58,006",
            "thread_id": "3700",
            "caller": "0x7ffc77c1fae4",
            "parentcaller": "0x7ffc77be42ab",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000756"
              }
            ],
            "repeated": 0,
            "id": 7373
          },
          {
            "timestamp": "2026-05-28 22:01:58,006",
            "thread_id": "3700",
            "caller": "0x7ffc7808e53f",
            "parentcaller": "0x7ffc77fefaf7",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "93"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x7f7\\x9e}"
              }
            ],
            "repeated": 0,
            "id": 7374
          },
          {
            "timestamp": "2026-05-28 22:01:58,006",
            "thread_id": "3700",
            "caller": "0x7ffc77fe5157",
            "parentcaller": "0x7ffc77fe43ea",
            "category": "process",
            "api": "NtOpenSection",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0000000d"
              },
              {
                "name": "ObjectAttributes",
                "value": "windows.staterepositorycore.dll"
              }
            ],
            "repeated": 0,
            "id": 7375
          },
          {
            "timestamp": "2026-05-28 22:01:58,006",
            "thread_id": "3700",
            "caller": "0x7ffc7802f37b",
            "parentcaller": "0x7ffc7802f207",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\windows.staterepositorycore.dll"
              }
            ],
            "repeated": 0,
            "id": 7376
          },
          {
            "timestamp": "2026-05-28 22:01:58,006",
            "thread_id": "3700",
            "caller": "0x7ffc7802fc9c",
            "parentcaller": "0x7ffc7802fa80",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000754"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100021",
                "pretty_value": "FILE_READ_ACCESS|FILE_EXECUTE|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\windows.staterepositorycore.dll"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 7377
          },
          {
            "timestamp": "2026-05-28 22:01:58,006",
            "thread_id": "3700",
            "caller": "0x7ffc7802fcfe",
            "parentcaller": "0x7ffc7802fa80",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000758"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0000000d",
                "pretty_value": "SECTION_QUERY|SECTION_MAP_READ|SECTION_MAP_EXECUTE"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000754"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\Windows.StateRepositoryCore.dll"
              }
            ],
            "repeated": 0,
            "id": 7378
          },
          {
            "timestamp": "2026-05-28 22:01:58,006",
            "thread_id": "3700",
            "caller": "0x7ffc77fe4d42",
            "parentcaller": "0x7ffc77fe4aaa",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000758"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc6a6a0000"
              },
              {
                "name": "SectionOffset",
                "value": "0x00000000"
              },
              {
                "name": "ViewSize",
                "value": "0x00011000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000080",
                "pretty_value": "PAGE_EXECUTE_WRITECOPY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 7379
          },
          {
            "timestamp": "2026-05-28 22:01:58,006",
            "thread_id": "3700",
            "caller": "0x7ffc77fdffb5",
            "parentcaller": "0x7ffc77fdfad8",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc6a6a9000"
              },
              {
                "name": "ModuleName",
                "value": "windows.staterepositorycore.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 7380
          },
          {
            "timestamp": "2026-05-28 22:01:58,006",
            "thread_id": "3700",
            "caller": "0x7ffc77fdffed",
            "parentcaller": "0x7ffc77fdfad8",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc6a6a9000"
              },
              {
                "name": "ModuleName",
                "value": "windows.staterepositorycore.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 7381
          },
          {
            "timestamp": "2026-05-28 22:01:58,006",
            "thread_id": "3700",
            "caller": "0x7ffc77fe0068",
            "parentcaller": "0x7ffc77fdfad8",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc6a6a9000"
              },
              {
                "name": "ModuleName",
                "value": "windows.staterepositorycore.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 7382
          },
          {
            "timestamp": "2026-05-28 22:01:58,006",
            "thread_id": "3700",
            "caller": "0x7ffc77fe009c",
            "parentcaller": "0x7ffc77fdfad8",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc6a6a9000"
              },
              {
                "name": "ModuleName",
                "value": "windows.staterepositorycore.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 7383
          },
          {
            "timestamp": "2026-05-28 22:01:58,006",
            "thread_id": "3700",
            "caller": "0x7ffc77fe5082",
            "parentcaller": "0x7ffc77fe79d2",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc6a6a9000"
              },
              {
                "name": "ModuleName",
                "value": "windows.staterepositorycore.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 7384
          },
          {
            "timestamp": "2026-05-28 22:01:58,006",
            "thread_id": "3700",
            "caller": "0x7ffc7802fd68",
            "parentcaller": "0x7ffc7802fa80",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000758"
              }
            ],
            "repeated": 0,
            "id": 7385
          },
          {
            "timestamp": "2026-05-28 22:01:58,006",
            "thread_id": "3700",
            "caller": "0x7ffc7802fd71",
            "parentcaller": "0x7ffc7802fa80",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000754"
              }
            ],
            "repeated": 0,
            "id": 7386
          },
          {
            "timestamp": "2026-05-28 22:01:58,006",
            "thread_id": "3700",
            "caller": "0x7ffc78017bac",
            "parentcaller": "0x7ffc7800288a",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc6a6a9000"
              },
              {
                "name": "ModuleName",
                "value": "windows.staterepositorycore.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 7387
          },
          {
            "timestamp": "2026-05-28 22:01:58,006",
            "thread_id": "3700",
            "caller": "0x7ffc78017bac",
            "parentcaller": "0x7ffc7800288a",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\SYSTEM32\\windows.staterepositorycore"
              },
              {
                "name": "DllBase",
                "value": "0x7ffc6a6a0000"
              }
            ],
            "repeated": 0,
            "id": 7388
          },
          {
            "timestamp": "2026-05-28 22:01:58,006",
            "thread_id": "3700",
            "caller": "0x7ffc7803c2c7",
            "parentcaller": "0x7ffc7803c05a",
            "category": "system",
            "api": "LdrpCallInitRoutine",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "MappedPath",
                "value": "\\Device\\HarddiskVolume2\\Windows\\System32\\Windows.StateRepositoryCore"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc6a6a0000"
              },
              {
                "name": "InitRoutine",
                "value": "0x7ffc6a6a3900"
              },
              {
                "name": "Reason",
                "value": "1"
              }
            ],
            "repeated": 0,
            "id": 7389
          },
          {
            "timestamp": "2026-05-28 22:01:58,006",
            "thread_id": "3700",
            "caller": "0x7ffc78017830",
            "parentcaller": "0x7ffc780020f9",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc7597b000"
              },
              {
                "name": "ModuleName",
                "value": "KERNELBASE.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 7390
          },
          {
            "timestamp": "2026-05-28 22:01:58,006",
            "thread_id": "3700",
            "caller": "0x7ffc78017881",
            "parentcaller": "0x7ffc780020f9",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc7597b000"
              },
              {
                "name": "ModuleName",
                "value": "KERNELBASE.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 7391
          },
          {
            "timestamp": "2026-05-28 22:01:58,006",
            "thread_id": "3700",
            "caller": "0x7ffc6a6a12d2",
            "parentcaller": "0x7ffc756bdf5c",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache"
              },
              {
                "name": "Handle",
                "value": "0x00000754"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache"
              }
            ],
            "repeated": 0,
            "id": 7392
          },
          {
            "timestamp": "2026-05-28 22:01:58,006",
            "thread_id": "3700",
            "caller": "0x7ffc6a6a1a81",
            "parentcaller": "0x7ffc6a6a138a",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000754"
              },
              {
                "name": "SubKey",
                "value": "Metadata"
              },
              {
                "name": "Handle",
                "value": "0x00000744"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\Metadata"
              }
            ],
            "repeated": 0,
            "id": 7393
          },
          {
            "timestamp": "2026-05-28 22:01:58,006",
            "thread_id": "3700",
            "caller": "0x7ffc6a6a1166",
            "parentcaller": "0x7ffc756bf579",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000754"
              },
              {
                "name": "SubKey",
                "value": "Package\\Index\\PackageFullName\\Microsoft.Windows.StartMenuExperienceHost_10.0.19041.3636_neutral_neutral_cw5n1h2txyewy"
              },
              {
                "name": "Handle",
                "value": "0x00000740"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\Package\\Index\\PackageFullName\\Microsoft.Windows.StartMenuExperienceHost_10.0.19041.3636_neutral_neutral_cw5n1h2txyewy"
              }
            ],
            "repeated": 0,
            "id": 7394
          },
          {
            "timestamp": "2026-05-28 22:01:58,006",
            "thread_id": "3700",
            "caller": "0x7ffc6a6a1732",
            "parentcaller": "0x7ffc756bf7dc",
            "category": "registry",
            "api": "RegEnumKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000740"
              },
              {
                "name": "Index",
                "value": "0"
              },
              {
                "name": "Name",
                "value": "1f"
              },
              {
                "name": "Class",
                "value": ""
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\Package\\Index\\PackageFullName\\Microsoft.Windows.StartMenuExperienceHost_10.0.19041.3636_neutral_neutral_cw5n1h2txyewy\\1f"
              }
            ],
            "repeated": 0,
            "id": 7395
          },
          {
            "timestamp": "2026-05-28 22:01:58,006",
            "thread_id": "3700",
            "caller": "0x7ffc6a6a1651",
            "parentcaller": "0x7ffc756bf5fd",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000740"
              }
            ],
            "repeated": 0,
            "id": 7396
          },
          {
            "timestamp": "2026-05-28 22:01:58,006",
            "thread_id": "3700",
            "caller": "0x7ffc756e54eb",
            "parentcaller": "0x7ffc75725e2d",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 7397
          },
          {
            "timestamp": "2026-05-28 22:01:58,006",
            "thread_id": "3700",
            "caller": "0x7ffc756e54eb",
            "parentcaller": "0x7ffc75725e8b",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xa0\\xa3\"T\\x92\\x02\\x00\\x00\\x00\\x00\\x00\\x00r\\x00i\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\xe9\\x03\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 7398
          },
          {
            "timestamp": "2026-05-28 22:01:58,006",
            "thread_id": "3700",
            "caller": "0x7ffc78017830",
            "parentcaller": "0x7ffc780020f9",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc7597b000"
              },
              {
                "name": "ModuleName",
                "value": "KERNELBASE.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 7399
          },
          {
            "timestamp": "2026-05-28 22:01:58,006",
            "thread_id": "3700",
            "caller": "0x7ffc78017881",
            "parentcaller": "0x7ffc780020f9",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc7597b000"
              },
              {
                "name": "ModuleName",
                "value": "KERNELBASE.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 7400
          },
          {
            "timestamp": "2026-05-28 22:01:58,006",
            "thread_id": "3700",
            "caller": "0x7ffc6a6a1166",
            "parentcaller": "0x7ffc756bebe9",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000754"
              },
              {
                "name": "SubKey",
                "value": "User\\Index\\UserSid\\S-1-5-21-3968686040-3210279463-847977608-1001"
              },
              {
                "name": "Handle",
                "value": "0x00000740"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\User\\Index\\UserSid\\S-1-5-21-3968686040-3210279463-847977608-1001"
              }
            ],
            "repeated": 0,
            "id": 7401
          },
          {
            "timestamp": "2026-05-28 22:01:58,006",
            "thread_id": "3700",
            "caller": "0x7ffc6a6a1732",
            "parentcaller": "0x7ffc756bf7dc",
            "category": "registry",
            "api": "RegEnumKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000740"
              },
              {
                "name": "Index",
                "value": "0"
              },
              {
                "name": "Name",
                "value": "3"
              },
              {
                "name": "Class",
                "value": ""
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\User\\Index\\UserSid\\S-1-5-21-3968686040-3210279463-847977608-1001\\3"
              }
            ],
            "repeated": 0,
            "id": 7402
          },
          {
            "timestamp": "2026-05-28 22:01:58,006",
            "thread_id": "3700",
            "caller": "0x7ffc6a6a1651",
            "parentcaller": "0x7ffc756bec6d",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000740"
              }
            ],
            "repeated": 0,
            "id": 7403
          },
          {
            "timestamp": "2026-05-28 22:01:58,006",
            "thread_id": "3700",
            "caller": "0x7ffc6a6a1166",
            "parentcaller": "0x7ffc756be9b0",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000754"
              },
              {
                "name": "SubKey",
                "value": "PackageExternalLocation\\Index\\UserAndPackage\\3^1f"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\PackageExternalLocation\\Index\\UserAndPackage\\3^1f"
              }
            ],
            "repeated": 0,
            "id": 7404
          },
          {
            "timestamp": "2026-05-28 22:01:58,006",
            "thread_id": "3700",
            "caller": "0x7ffc6a6a1166",
            "parentcaller": "0x7ffc756be9b0",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000754"
              },
              {
                "name": "SubKey",
                "value": "PackageExternalLocation\\Index\\UserAndPackage\\0^1f"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\PackageExternalLocation\\Index\\UserAndPackage\\0^1f"
              }
            ],
            "repeated": 0,
            "id": 7405
          },
          {
            "timestamp": "2026-05-28 22:01:58,006",
            "thread_id": "3700",
            "caller": "0x7ffc6a6a1166",
            "parentcaller": "0x7ffc756bf308",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000754"
              },
              {
                "name": "SubKey",
                "value": "Package\\Data\\1f"
              },
              {
                "name": "Handle",
                "value": "0x00000740"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\Package\\Data\\1f"
              }
            ],
            "repeated": 0,
            "id": 7406
          },
          {
            "timestamp": "2026-05-28 22:01:58,006",
            "thread_id": "3700",
            "caller": "0x7ffc6a6a15ac",
            "parentcaller": "0x7ffc6a6a14ff",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000740"
              },
              {
                "name": "ValueName",
                "value": "InstalledLocation"
              },
              {
                "name": "Data",
                "value": "C:\\Windows\\SystemApps\\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\Package\\Data\\1f\\InstalledLocation"
              }
            ],
            "repeated": 0,
            "id": 7407
          },
          {
            "timestamp": "2026-05-28 22:01:58,006",
            "thread_id": "3700",
            "caller": "0x7ffc6a6a15ac",
            "parentcaller": "0x7ffc6a6a14ff",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000740"
              },
              {
                "name": "ValueName",
                "value": "MutableLink"
              },
              {
                "name": "Data",
                "value": ""
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\Package\\Data\\1f\\MutableLink"
              }
            ],
            "repeated": 0,
            "id": 7408
          },
          {
            "timestamp": "2026-05-28 22:01:58,006",
            "thread_id": "3700",
            "caller": "0x7ffc6a6a1651",
            "parentcaller": "0x7ffc756bed38",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000740"
              }
            ],
            "repeated": 0,
            "id": 7409
          },
          {
            "timestamp": "2026-05-28 22:01:58,006",
            "thread_id": "3700",
            "caller": "0x7ffc6a6a17f2",
            "parentcaller": "0x7ffc756be12f",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000744"
              }
            ],
            "repeated": 0,
            "id": 7410
          },
          {
            "timestamp": "2026-05-28 22:01:58,006",
            "thread_id": "3700",
            "caller": "0x7ffc6a6a180b",
            "parentcaller": "0x7ffc756be12f",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000754"
              }
            ],
            "repeated": 0,
            "id": 7411
          },
          {
            "timestamp": "2026-05-28 22:01:58,006",
            "thread_id": "3700",
            "caller": "0x7ffc6a6a12d2",
            "parentcaller": "0x7ffc756bdf5c",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache"
              },
              {
                "name": "Handle",
                "value": "0x00000754"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache"
              }
            ],
            "repeated": 0,
            "id": 7412
          },
          {
            "timestamp": "2026-05-28 22:01:58,006",
            "thread_id": "3700",
            "caller": "0x7ffc6a6a1a81",
            "parentcaller": "0x7ffc6a6a138a",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000754"
              },
              {
                "name": "SubKey",
                "value": "Metadata"
              },
              {
                "name": "Handle",
                "value": "0x00000744"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\Metadata"
              }
            ],
            "repeated": 0,
            "id": 7413
          },
          {
            "timestamp": "2026-05-28 22:01:58,006",
            "thread_id": "3700",
            "caller": "0x7ffc6a6a1166",
            "parentcaller": "0x7ffc756bf579",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000754"
              },
              {
                "name": "SubKey",
                "value": "Package\\Index\\PackageFullName\\Microsoft.Windows.StartMenuExperienceHost_10.0.19041.3636_neutral_neutral_cw5n1h2txyewy"
              },
              {
                "name": "Handle",
                "value": "0x00000740"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\Package\\Index\\PackageFullName\\Microsoft.Windows.StartMenuExperienceHost_10.0.19041.3636_neutral_neutral_cw5n1h2txyewy"
              }
            ],
            "repeated": 0,
            "id": 7414
          },
          {
            "timestamp": "2026-05-28 22:01:58,006",
            "thread_id": "3700",
            "caller": "0x7ffc6a6a1732",
            "parentcaller": "0x7ffc756bf7dc",
            "category": "registry",
            "api": "RegEnumKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000740"
              },
              {
                "name": "Index",
                "value": "0"
              },
              {
                "name": "Name",
                "value": "1f"
              },
              {
                "name": "Class",
                "value": ""
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\Package\\Index\\PackageFullName\\Microsoft.Windows.StartMenuExperienceHost_10.0.19041.3636_neutral_neutral_cw5n1h2txyewy\\1f"
              }
            ],
            "repeated": 0,
            "id": 7415
          },
          {
            "timestamp": "2026-05-28 22:01:58,006",
            "thread_id": "3700",
            "caller": "0x7ffc6a6a1651",
            "parentcaller": "0x7ffc756bf5fd",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000740"
              }
            ],
            "repeated": 0,
            "id": 7416
          },
          {
            "timestamp": "2026-05-28 22:01:58,006",
            "thread_id": "3700",
            "caller": "0x7ffc756e54eb",
            "parentcaller": "0x7ffc75725e2d",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 7417
          },
          {
            "timestamp": "2026-05-28 22:01:58,006",
            "thread_id": "3700",
            "caller": "0x7ffc756e54eb",
            "parentcaller": "0x7ffc75725e8b",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "`\\xa7\"T\\x92\\x02\\x00\\x00\\x00\\x00\\x00\\x00M\\x00D\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\xe9\\x03\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 7418
          },
          {
            "timestamp": "2026-05-28 22:01:58,006",
            "thread_id": "3700",
            "caller": "0x7ffc6a6a1166",
            "parentcaller": "0x7ffc756bebe9",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000754"
              },
              {
                "name": "SubKey",
                "value": "User\\Index\\UserSid\\S-1-5-21-3968686040-3210279463-847977608-1001"
              },
              {
                "name": "Handle",
                "value": "0x00000740"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\User\\Index\\UserSid\\S-1-5-21-3968686040-3210279463-847977608-1001"
              }
            ],
            "repeated": 0,
            "id": 7419
          },
          {
            "timestamp": "2026-05-28 22:01:58,006",
            "thread_id": "3700",
            "caller": "0x7ffc6a6a1732",
            "parentcaller": "0x7ffc756bf7dc",
            "category": "registry",
            "api": "RegEnumKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000740"
              },
              {
                "name": "Index",
                "value": "0"
              },
              {
                "name": "Name",
                "value": "3"
              },
              {
                "name": "Class",
                "value": ""
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\User\\Index\\UserSid\\S-1-5-21-3968686040-3210279463-847977608-1001\\3"
              }
            ],
            "repeated": 0,
            "id": 7420
          },
          {
            "timestamp": "2026-05-28 22:01:58,006",
            "thread_id": "3700",
            "caller": "0x7ffc6a6a1651",
            "parentcaller": "0x7ffc756bec6d",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000740"
              }
            ],
            "repeated": 0,
            "id": 7421
          },
          {
            "timestamp": "2026-05-28 22:01:58,006",
            "thread_id": "3700",
            "caller": "0x7ffc6a6a1166",
            "parentcaller": "0x7ffc756be9b0",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000754"
              },
              {
                "name": "SubKey",
                "value": "PackageExternalLocation\\Index\\UserAndPackage\\3^1f"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\PackageExternalLocation\\Index\\UserAndPackage\\3^1f"
              }
            ],
            "repeated": 0,
            "id": 7422
          },
          {
            "timestamp": "2026-05-28 22:01:58,006",
            "thread_id": "3700",
            "caller": "0x7ffc6a6a1166",
            "parentcaller": "0x7ffc756be9b0",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000754"
              },
              {
                "name": "SubKey",
                "value": "PackageExternalLocation\\Index\\UserAndPackage\\0^1f"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\PackageExternalLocation\\Index\\UserAndPackage\\0^1f"
              }
            ],
            "repeated": 0,
            "id": 7423
          },
          {
            "timestamp": "2026-05-28 22:01:58,006",
            "thread_id": "3700",
            "caller": "0x7ffc6a6a1166",
            "parentcaller": "0x7ffc756bf308",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000754"
              },
              {
                "name": "SubKey",
                "value": "Package\\Data\\1f"
              },
              {
                "name": "Handle",
                "value": "0x00000740"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\Package\\Data\\1f"
              }
            ],
            "repeated": 0,
            "id": 7424
          },
          {
            "timestamp": "2026-05-28 22:01:58,006",
            "thread_id": "3700",
            "caller": "0x7ffc6a6a15ac",
            "parentcaller": "0x7ffc6a6a14ff",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000740"
              },
              {
                "name": "ValueName",
                "value": "InstalledLocation"
              },
              {
                "name": "Data",
                "value": "C:\\Windows\\SystemApps\\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\Package\\Data\\1f\\InstalledLocation"
              }
            ],
            "repeated": 0,
            "id": 7425
          },
          {
            "timestamp": "2026-05-28 22:01:58,006",
            "thread_id": "3700",
            "caller": "0x7ffc6a6a15ac",
            "parentcaller": "0x7ffc6a6a14ff",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000740"
              },
              {
                "name": "ValueName",
                "value": "MutableLink"
              },
              {
                "name": "Data",
                "value": ""
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\Package\\Data\\1f\\MutableLink"
              }
            ],
            "repeated": 0,
            "id": 7426
          },
          {
            "timestamp": "2026-05-28 22:01:58,006",
            "thread_id": "3700",
            "caller": "0x7ffc6a6a1651",
            "parentcaller": "0x7ffc756bed38",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000740"
              }
            ],
            "repeated": 0,
            "id": 7427
          },
          {
            "timestamp": "2026-05-28 22:01:58,006",
            "thread_id": "3700",
            "caller": "0x7ffc6a6a17f2",
            "parentcaller": "0x7ffc756be12f",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000744"
              }
            ],
            "repeated": 0,
            "id": 7428
          },
          {
            "timestamp": "2026-05-28 22:01:58,006",
            "thread_id": "3700",
            "caller": "0x7ffc6a6a180b",
            "parentcaller": "0x7ffc756be12f",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000754"
              }
            ],
            "repeated": 0,
            "id": 7429
          },
          {
            "timestamp": "2026-05-28 22:01:58,006",
            "thread_id": "3700",
            "caller": "0x7ffc77ba22bf",
            "parentcaller": "0x7ffc77c1fbe4",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x000002e6"
              },
              {
                "name": "SubKey",
                "value": "Interface\\{1B0D3570-0877-5EC2-8A2C-3B9539506ACA}"
              },
              {
                "name": "Handle",
                "value": "0x00000756"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\Interface\\{1B0D3570-0877-5EC2-8A2C-3B9539506ACA}"
              }
            ],
            "repeated": 0,
            "id": 7430
          },
          {
            "timestamp": "2026-05-28 22:01:58,006",
            "thread_id": "3700",
            "caller": "0x7ffc77c1fa51",
            "parentcaller": "0x7ffc77be42ab",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000756"
              },
              {
                "name": "SubKey",
                "value": "ProxyStubClsid32"
              },
              {
                "name": "Handle",
                "value": "0x00000746"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{1b0d3570-0877-5ec2-8a2c-3b9539506aca}\\ProxyStubClsid32"
              }
            ],
            "repeated": 0,
            "id": 7431
          },
          {
            "timestamp": "2026-05-28 22:01:58,006",
            "thread_id": "3700",
            "caller": "0x7ffc77c1fa8c",
            "parentcaller": "0x7ffc77be42ab",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000746"
              },
              {
                "name": "ValueName",
                "value": ""
              },
              {
                "name": "Data",
                "value": "{11659a23-5884-4d1b-9cf6-67d6f4f90b36}"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{1b0d3570-0877-5ec2-8a2c-3b9539506aca}\\ProxyStubClsid32\\(Default)"
              }
            ],
            "repeated": 0,
            "id": 7432
          },
          {
            "timestamp": "2026-05-28 22:01:58,006",
            "thread_id": "3700",
            "caller": "0x7ffc77c1fad3",
            "parentcaller": "0x7ffc77be42ab",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000746"
              }
            ],
            "repeated": 0,
            "id": 7433
          },
          {
            "timestamp": "2026-05-28 22:01:58,006",
            "thread_id": "3700",
            "caller": "0x7ffc77c1fae4",
            "parentcaller": "0x7ffc77be42ab",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000756"
              }
            ],
            "repeated": 0,
            "id": 7434
          },
          {
            "timestamp": "2026-05-28 22:01:58,021",
            "thread_id": "3700",
            "caller": "0x7ffc77be92b9",
            "parentcaller": "0x7ffc77c21dfa",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "41FD88F7-F295-4D39-91AC-A85F3149A05B"
              },
              {
                "name": "ClsContext",
                "value": "0x00000403",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER|CLSCTX_NO_CODE_DOWNLOAD"
              },
              {
                "name": "riid",
                "value": "00000003-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 7435
          },
          {
            "timestamp": "2026-05-28 22:01:58,021",
            "thread_id": "3700",
            "caller": "0x7ffc78017830",
            "parentcaller": "0x7ffc780020f9",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc71ffd000"
              },
              {
                "name": "ModuleName",
                "value": "wintypes.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 7436
          },
          {
            "timestamp": "2026-05-28 22:01:58,021",
            "thread_id": "3700",
            "caller": "0x7ffc78017881",
            "parentcaller": "0x7ffc780020f9",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc71ffd000"
              },
              {
                "name": "ModuleName",
                "value": "wintypes.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 7437
          },
          {
            "timestamp": "2026-05-28 22:01:58,021",
            "thread_id": "3700",
            "caller": "0x7ffc77be92b9",
            "parentcaller": "0x7ffc77c21dfa",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "41FD88F7-F295-4D39-91AC-A85F3149A05B"
              },
              {
                "name": "ClsContext",
                "value": "0x00000403",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER|CLSCTX_NO_CODE_DOWNLOAD"
              },
              {
                "name": "riid",
                "value": "00000003-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 1,
            "id": 7438
          },
          {
            "timestamp": "2026-05-28 22:01:58,021",
            "thread_id": "3700",
            "caller": "0x7ffc78017830",
            "parentcaller": "0x7ffc780020f9",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc61179000"
              },
              {
                "name": "ModuleName",
                "value": "appresolver.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 7439
          },
          {
            "timestamp": "2026-05-28 22:01:58,021",
            "thread_id": "3700",
            "caller": "0x7ffc78017881",
            "parentcaller": "0x7ffc780020f9",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc61179000"
              },
              {
                "name": "ModuleName",
                "value": "appresolver.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 7440
          },
          {
            "timestamp": "2026-05-28 22:01:58,021",
            "thread_id": "3700",
            "caller": "0x7ffc756e56b2",
            "parentcaller": "0x7ffc756edf8a",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "ntdll.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc77fd0000"
              }
            ],
            "repeated": 0,
            "id": 7441
          },
          {
            "timestamp": "2026-05-28 22:01:58,021",
            "thread_id": "3700",
            "caller": "0x7ffc756e56b2",
            "parentcaller": "0x7ffc756edf8a",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x7ffc77fd0000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "ntdll.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00000800"
              }
            ],
            "repeated": 0,
            "id": 7442
          },
          {
            "timestamp": "2026-05-28 22:01:58,021",
            "thread_id": "3700",
            "caller": "0x7ffc756eac31",
            "parentcaller": "0x7ffc756edfa1",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc77fd0000"
              },
              {
                "name": "FunctionName",
                "value": "RtlIsStateSeparationEnabled"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc78048560"
              }
            ],
            "repeated": 0,
            "id": 7443
          },
          {
            "timestamp": "2026-05-28 22:01:58,021",
            "thread_id": "3700",
            "caller": "0x7ffc756e3a9c",
            "parentcaller": "0x7ffc756e3529",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 7444
          },
          {
            "timestamp": "2026-05-28 22:01:58,021",
            "thread_id": "3700",
            "caller": "0x7ffc756e40c4",
            "parentcaller": "0x7ffc756e3f4b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000000d4"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 7445
          },
          {
            "timestamp": "2026-05-28 22:01:58,021",
            "thread_id": "3700",
            "caller": "0x7ffc756e3f76",
            "parentcaller": "0x7ffc75764fd4",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020119",
                "pretty_value": "KEY_QUERY_VALUE|KEY_ENUMERATE_SUB_KEYS|KEY_NOTIFY|KEY_WOW64_64KEY|STANDARD_RIGHTS_REQUIRED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000000d4"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateChange\\PackageList\\Microsoft.Windows.StartMenuExperienceHost_10.0.19041.3636_neutral_neutral_cw5n1h2txyewy"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateChange\\PackageList\\Microsoft.Windows.StartMenuExperienceHost_10.0.19041.3636_neutral_neutral_cw5n1h2txyewy"
              }
            ],
            "repeated": 0,
            "id": 7446
          },
          {
            "timestamp": "2026-05-28 22:01:58,021",
            "thread_id": "3700",
            "caller": "0x7ffc756c26e8",
            "parentcaller": "0x7ffc756c279b",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xc0\\xef\\x1f\\x9e\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00c\\x00r\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\xe9\\x03\\x00\\x00S\\x00t\\x00a\\x00r\\x00t\\x00M\\x00e\\x00n\\x00u\\x00E\\x00x\\x00p\\x00e\\x00r\\x00i\\x00e\\x00n\\x00c\\x00e\\x00H\\x00"
              }
            ],
            "repeated": 0,
            "id": 7447
          },
          {
            "timestamp": "2026-05-28 22:01:58,021",
            "thread_id": "3700",
            "caller": "0x7ffc756e3a9c",
            "parentcaller": "0x7ffc756e3529",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 7448
          },
          {
            "timestamp": "2026-05-28 22:01:58,021",
            "thread_id": "3700",
            "caller": "0x7ffc756e40c4",
            "parentcaller": "0x7ffc756e3f4b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000720"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 7449
          },
          {
            "timestamp": "2026-05-28 22:01:58,021",
            "thread_id": "3700",
            "caller": "0x7ffc756e3f76",
            "parentcaller": "0x7ffc75764fd4",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000754"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000720"
              },
              {
                "name": "ObjectAttributesName",
                "value": "S-1-5-21-3968686040-3210279463-847977608-1001"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER"
              }
            ],
            "repeated": 0,
            "id": 7450
          },
          {
            "timestamp": "2026-05-28 22:01:58,021",
            "thread_id": "3700",
            "caller": "0x7ffc756e40c4",
            "parentcaller": "0x7ffc756e3f4b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000754"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 7451
          },
          {
            "timestamp": "2026-05-28 22:01:58,021",
            "thread_id": "3700",
            "caller": "0x7ffc756e3f76",
            "parentcaller": "0x7ffc75764fd4",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000744"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020119",
                "pretty_value": "KEY_QUERY_VALUE|KEY_ENUMERATE_SUB_KEYS|KEY_NOTIFY|KEY_WOW64_64KEY|STANDARD_RIGHTS_REQUIRED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000754"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\Repository\\Packages\\Microsoft.Windows.StartMenuExperienceHost_10.0.19041.3636_neutral_neutral_cw5n1h2txyewy"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\Repository\\Packages\\Microsoft.Windows.StartMenuExperienceHost_10.0.19041.3636_neutral_neutral_cw5n1h2txyewy"
              }
            ],
            "repeated": 0,
            "id": 7452
          },
          {
            "timestamp": "2026-05-28 22:01:58,021",
            "thread_id": "3700",
            "caller": "0x7ffc756c4086",
            "parentcaller": "0x7ffc756c27b6",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000754"
              }
            ],
            "repeated": 0,
            "id": 7453
          },
          {
            "timestamp": "2026-05-28 22:01:58,021",
            "thread_id": "3700",
            "caller": "0x7ffc756c40c3",
            "parentcaller": "0x7ffc756c27b6",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000744"
              },
              {
                "name": "ValueName",
                "value": "PackageStatus"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\Repository\\Packages\\Microsoft.Windows.StartMenuExperienceHost_10.0.19041.3636_neutral_neutral_cw5n1h2txyewy\\PackageStatus"
              }
            ],
            "repeated": 0,
            "id": 7454
          },
          {
            "timestamp": "2026-05-28 22:01:58,021",
            "thread_id": "3700",
            "caller": "0x7ffc756c40d4",
            "parentcaller": "0x7ffc756c27b6",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000744"
              }
            ],
            "repeated": 0,
            "id": 7455
          },
          {
            "timestamp": "2026-05-28 22:01:58,021",
            "thread_id": "3700",
            "caller": "0x7ffc77be92b9",
            "parentcaller": "0x7ffc77c21dfa",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "41FD88F7-F295-4D39-91AC-A85F3149A05B"
              },
              {
                "name": "ClsContext",
                "value": "0x00000403",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER|CLSCTX_NO_CODE_DOWNLOAD"
              },
              {
                "name": "riid",
                "value": "00000003-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 7456
          },
          {
            "timestamp": "2026-05-28 22:01:58,021",
            "thread_id": "3700",
            "caller": "0x7ffc756e56b2",
            "parentcaller": "0x7ffc77bc6b6d",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\System32\\MrmCoreR"
              },
              {
                "name": "DllBase",
                "value": "0x7ffc6a120000"
              }
            ],
            "repeated": 0,
            "id": 7457
          },
          {
            "timestamp": "2026-05-28 22:01:58,021",
            "thread_id": "3700",
            "caller": "0x7ffc756e56b2",
            "parentcaller": "0x7ffc77bc6b6d",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\MrmCoreR.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc6a120000"
              }
            ],
            "repeated": 0,
            "id": 7458
          },
          {
            "timestamp": "2026-05-28 22:01:58,021",
            "thread_id": "3700",
            "caller": "0x7ffc61105d4a",
            "parentcaller": "0x7ffc6110618f",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "DBCE7E40-7345-439D-B12C-114A11819A09"
              },
              {
                "name": "ClsContext",
                "value": "0x00000001",
                "pretty_value": "CLSCTX_INPROC_SERVER"
              },
              {
                "name": "riid",
                "value": "130A2F65-2BE7-4309-9A58-A9052FF2B61C"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 7459
          },
          {
            "timestamp": "2026-05-28 22:01:58,021",
            "thread_id": "3700",
            "caller": "0x7ffc6a6a12d2",
            "parentcaller": "0x7ffc756bdc16",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache"
              },
              {
                "name": "Handle",
                "value": "0x00000758"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache"
              }
            ],
            "repeated": 0,
            "id": 7460
          },
          {
            "timestamp": "2026-05-28 22:01:58,021",
            "thread_id": "3700",
            "caller": "0x7ffc6a6a1a81",
            "parentcaller": "0x7ffc6a6a138a",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000758"
              },
              {
                "name": "SubKey",
                "value": "Metadata"
              },
              {
                "name": "Handle",
                "value": "0x0000075c"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\Metadata"
              }
            ],
            "repeated": 0,
            "id": 7461
          },
          {
            "timestamp": "2026-05-28 22:01:58,021",
            "thread_id": "3700",
            "caller": "0x7ffc6a6a1166",
            "parentcaller": "0x7ffc756bf579",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000758"
              },
              {
                "name": "SubKey",
                "value": "Package\\Index\\PackageFullName\\Microsoft.Windows.StartMenuExperienceHost_10.0.19041.3636_neutral_neutral_cw5n1h2txyewy"
              },
              {
                "name": "Handle",
                "value": "0x00000760"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\Package\\Index\\PackageFullName\\Microsoft.Windows.StartMenuExperienceHost_10.0.19041.3636_neutral_neutral_cw5n1h2txyewy"
              }
            ],
            "repeated": 0,
            "id": 7462
          },
          {
            "timestamp": "2026-05-28 22:01:58,021",
            "thread_id": "3700",
            "caller": "0x7ffc6a6a1732",
            "parentcaller": "0x7ffc756bf7dc",
            "category": "registry",
            "api": "RegEnumKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000760"
              },
              {
                "name": "Index",
                "value": "0"
              },
              {
                "name": "Name",
                "value": "1f"
              },
              {
                "name": "Class",
                "value": ""
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\Package\\Index\\PackageFullName\\Microsoft.Windows.StartMenuExperienceHost_10.0.19041.3636_neutral_neutral_cw5n1h2txyewy\\1f"
              }
            ],
            "repeated": 0,
            "id": 7463
          },
          {
            "timestamp": "2026-05-28 22:01:58,021",
            "thread_id": "3700",
            "caller": "0x7ffc6a6a1651",
            "parentcaller": "0x7ffc756bf5fd",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000760"
              }
            ],
            "repeated": 0,
            "id": 7464
          },
          {
            "timestamp": "2026-05-28 22:01:58,021",
            "thread_id": "3700",
            "caller": "0x7ffc6a6a1166",
            "parentcaller": "0x7ffc756bf308",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000758"
              },
              {
                "name": "SubKey",
                "value": "Package\\Data\\1f"
              },
              {
                "name": "Handle",
                "value": "0x00000760"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\Package\\Data\\1f"
              }
            ],
            "repeated": 0,
            "id": 7465
          },
          {
            "timestamp": "2026-05-28 22:01:58,021",
            "thread_id": "3700",
            "caller": "0x7ffc6a6a16ad",
            "parentcaller": "0x7ffc7572d320",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000760"
              },
              {
                "name": "ValueName",
                "value": "PackageOrigin"
              },
              {
                "name": "Data",
                "value": "2"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\Package\\Data\\1f\\PackageOrigin"
              }
            ],
            "repeated": 0,
            "id": 7466
          },
          {
            "timestamp": "2026-05-28 22:01:58,021",
            "thread_id": "3700",
            "caller": "0x7ffc6a6a1651",
            "parentcaller": "0x7ffc756bed38",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000760"
              }
            ],
            "repeated": 0,
            "id": 7467
          },
          {
            "timestamp": "2026-05-28 22:01:58,021",
            "thread_id": "3700",
            "caller": "0x7ffc6a6a17f2",
            "parentcaller": "0x7ffc756bdcce",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000075c"
              }
            ],
            "repeated": 0,
            "id": 7468
          },
          {
            "timestamp": "2026-05-28 22:01:58,021",
            "thread_id": "3700",
            "caller": "0x7ffc6a6a180b",
            "parentcaller": "0x7ffc756bdcce",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000758"
              }
            ],
            "repeated": 0,
            "id": 7469
          },
          {
            "timestamp": "2026-05-28 22:01:58,021",
            "thread_id": "3700",
            "caller": "0x7ffc78017830",
            "parentcaller": "0x7ffc780020f9",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc6a20d000"
              },
              {
                "name": "ModuleName",
                "value": "MrmCoreR.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 7470
          },
          {
            "timestamp": "2026-05-28 22:01:58,021",
            "thread_id": "3700",
            "caller": "0x7ffc78017881",
            "parentcaller": "0x7ffc780020f9",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc6a20d000"
              },
              {
                "name": "ModuleName",
                "value": "MrmCoreR.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 7471
          },
          {
            "timestamp": "2026-05-28 22:01:58,021",
            "thread_id": "3700",
            "caller": "0x7ffc78017830",
            "parentcaller": "0x7ffc780020f9",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc6a20d000"
              },
              {
                "name": "ModuleName",
                "value": "MrmCoreR.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 7472
          },
          {
            "timestamp": "2026-05-28 22:01:58,021",
            "thread_id": "3700",
            "caller": "0x7ffc78017881",
            "parentcaller": "0x7ffc780020f9",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc6a20d000"
              },
              {
                "name": "ModuleName",
                "value": "MrmCoreR.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 7473
          },
          {
            "timestamp": "2026-05-28 22:01:58,021",
            "thread_id": "3700",
            "caller": "0x7ffc78006798",
            "parentcaller": "0x7ffc7572ad43",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000758"
              }
            ],
            "repeated": 0,
            "id": 7474
          },
          {
            "timestamp": "2026-05-28 22:01:58,021",
            "thread_id": "3700",
            "caller": "0x7ffc780067b9",
            "parentcaller": "0x7ffc7572ad43",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000075c"
              }
            ],
            "repeated": 0,
            "id": 7475
          },
          {
            "timestamp": "2026-05-28 22:01:58,021",
            "thread_id": "3700",
            "caller": "0x7ffc78055b5a",
            "parentcaller": "0x7ffc6a125e85",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "47"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 7476
          },
          {
            "timestamp": "2026-05-28 22:01:58,021",
            "thread_id": "3700",
            "caller": "0x7ffc78017830",
            "parentcaller": "0x7ffc780020f9",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc6a20d000"
              },
              {
                "name": "ModuleName",
                "value": "MrmCoreR.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 7477
          },
          {
            "timestamp": "2026-05-28 22:01:58,021",
            "thread_id": "3700",
            "caller": "0x7ffc78017881",
            "parentcaller": "0x7ffc780020f9",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc6a20d000"
              },
              {
                "name": "ModuleName",
                "value": "MrmCoreR.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 7478
          },
          {
            "timestamp": "2026-05-28 22:01:58,021",
            "thread_id": "3700",
            "caller": "0x7ffc78006798",
            "parentcaller": "0x7ffc7571ced6",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000075c"
              }
            ],
            "repeated": 0,
            "id": 7479
          },
          {
            "timestamp": "2026-05-28 22:01:58,021",
            "thread_id": "3700",
            "caller": "0x7ffc780067b9",
            "parentcaller": "0x7ffc7571ced6",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000758"
              }
            ],
            "repeated": 1,
            "id": 7480
          },
          {
            "timestamp": "2026-05-28 22:01:58,021",
            "thread_id": "3700",
            "caller": "0x7ffc780067b9",
            "parentcaller": "0x7ffc7571ced6",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000075c"
              }
            ],
            "repeated": 1,
            "id": 7481
          },
          {
            "timestamp": "2026-05-28 22:01:58,021",
            "thread_id": "3700",
            "caller": "0x7ffc780067b9",
            "parentcaller": "0x7ffc7571ced6",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000758"
              }
            ],
            "repeated": 0,
            "id": 7482
          },
          {
            "timestamp": "2026-05-28 22:01:58,021",
            "thread_id": "3700",
            "caller": "0x7ffc6a6a12d2",
            "parentcaller": "0x7ffc756bdf5c",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache"
              },
              {
                "name": "Handle",
                "value": "0x00000758"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache"
              }
            ],
            "repeated": 0,
            "id": 7483
          },
          {
            "timestamp": "2026-05-28 22:01:58,021",
            "thread_id": "3700",
            "caller": "0x7ffc6a6a1a81",
            "parentcaller": "0x7ffc6a6a138a",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000758"
              },
              {
                "name": "SubKey",
                "value": "Metadata"
              },
              {
                "name": "Handle",
                "value": "0x0000075c"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\Metadata"
              }
            ],
            "repeated": 0,
            "id": 7484
          },
          {
            "timestamp": "2026-05-28 22:01:58,021",
            "thread_id": "3700",
            "caller": "0x7ffc6a6a1166",
            "parentcaller": "0x7ffc756bf579",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000758"
              },
              {
                "name": "SubKey",
                "value": "Package\\Index\\PackageFullName\\Microsoft.Windows.StartMenuExperienceHost_10.0.19041.3636_neutral_neutral_cw5n1h2txyewy"
              },
              {
                "name": "Handle",
                "value": "0x00000760"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\Package\\Index\\PackageFullName\\Microsoft.Windows.StartMenuExperienceHost_10.0.19041.3636_neutral_neutral_cw5n1h2txyewy"
              }
            ],
            "repeated": 0,
            "id": 7485
          },
          {
            "timestamp": "2026-05-28 22:01:58,021",
            "thread_id": "3700",
            "caller": "0x7ffc6a6a1732",
            "parentcaller": "0x7ffc756bf7dc",
            "category": "registry",
            "api": "RegEnumKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000760"
              },
              {
                "name": "Index",
                "value": "0"
              },
              {
                "name": "Name",
                "value": "1f"
              },
              {
                "name": "Class",
                "value": ""
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\Package\\Index\\PackageFullName\\Microsoft.Windows.StartMenuExperienceHost_10.0.19041.3636_neutral_neutral_cw5n1h2txyewy\\1f"
              }
            ],
            "repeated": 0,
            "id": 7486
          },
          {
            "timestamp": "2026-05-28 22:01:58,021",
            "thread_id": "3700",
            "caller": "0x7ffc6a6a1651",
            "parentcaller": "0x7ffc756bf5fd",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000760"
              }
            ],
            "repeated": 0,
            "id": 7487
          },
          {
            "timestamp": "2026-05-28 22:01:58,021",
            "thread_id": "3700",
            "caller": "0x7ffc756e54eb",
            "parentcaller": "0x7ffc75725e2d",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 7488
          },
          {
            "timestamp": "2026-05-28 22:01:58,021",
            "thread_id": "3700",
            "caller": "0x7ffc756e54eb",
            "parentcaller": "0x7ffc75725e8b",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": " \\xa5\"T\\x92\\x02\\x00\\x00\\x00\\x00\\x00\\x00H\\x00N\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\xe9\\x03\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 7489
          },
          {
            "timestamp": "2026-05-28 22:01:58,021",
            "thread_id": "3700",
            "caller": "0x7ffc6a6a1166",
            "parentcaller": "0x7ffc756bebe9",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000758"
              },
              {
                "name": "SubKey",
                "value": "User\\Index\\UserSid\\S-1-5-21-3968686040-3210279463-847977608-1001"
              },
              {
                "name": "Handle",
                "value": "0x00000760"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\User\\Index\\UserSid\\S-1-5-21-3968686040-3210279463-847977608-1001"
              }
            ],
            "repeated": 0,
            "id": 7490
          },
          {
            "timestamp": "2026-05-28 22:01:58,021",
            "thread_id": "3700",
            "caller": "0x7ffc6a6a1732",
            "parentcaller": "0x7ffc756bf7dc",
            "category": "registry",
            "api": "RegEnumKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000760"
              },
              {
                "name": "Index",
                "value": "0"
              },
              {
                "name": "Name",
                "value": "3"
              },
              {
                "name": "Class",
                "value": ""
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\User\\Index\\UserSid\\S-1-5-21-3968686040-3210279463-847977608-1001\\3"
              }
            ],
            "repeated": 0,
            "id": 7491
          },
          {
            "timestamp": "2026-05-28 22:01:58,021",
            "thread_id": "3700",
            "caller": "0x7ffc6a6a1651",
            "parentcaller": "0x7ffc756bec6d",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000760"
              }
            ],
            "repeated": 0,
            "id": 7492
          },
          {
            "timestamp": "2026-05-28 22:01:58,021",
            "thread_id": "3700",
            "caller": "0x7ffc6a6a1166",
            "parentcaller": "0x7ffc756be9b0",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000758"
              },
              {
                "name": "SubKey",
                "value": "PackageExternalLocation\\Index\\UserAndPackage\\3^1f"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\PackageExternalLocation\\Index\\UserAndPackage\\3^1f"
              }
            ],
            "repeated": 0,
            "id": 7493
          },
          {
            "timestamp": "2026-05-28 22:01:58,021",
            "thread_id": "3700",
            "caller": "0x7ffc6a6a1166",
            "parentcaller": "0x7ffc756be9b0",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000758"
              },
              {
                "name": "SubKey",
                "value": "PackageExternalLocation\\Index\\UserAndPackage\\0^1f"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\PackageExternalLocation\\Index\\UserAndPackage\\0^1f"
              }
            ],
            "repeated": 0,
            "id": 7494
          },
          {
            "timestamp": "2026-05-28 22:01:58,021",
            "thread_id": "3700",
            "caller": "0x7ffc6a6a1166",
            "parentcaller": "0x7ffc756bf308",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000758"
              },
              {
                "name": "SubKey",
                "value": "Package\\Data\\1f"
              },
              {
                "name": "Handle",
                "value": "0x00000760"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\Package\\Data\\1f"
              }
            ],
            "repeated": 0,
            "id": 7495
          },
          {
            "timestamp": "2026-05-28 22:01:58,021",
            "thread_id": "3700",
            "caller": "0x7ffc6a6a15ac",
            "parentcaller": "0x7ffc6a6a14ff",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000760"
              },
              {
                "name": "ValueName",
                "value": "InstalledLocation"
              },
              {
                "name": "Data",
                "value": "C:\\Windows\\SystemApps\\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\Package\\Data\\1f\\InstalledLocation"
              }
            ],
            "repeated": 0,
            "id": 7496
          },
          {
            "timestamp": "2026-05-28 22:01:58,021",
            "thread_id": "3700",
            "caller": "0x7ffc6a6a15ac",
            "parentcaller": "0x7ffc6a6a14ff",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000760"
              },
              {
                "name": "ValueName",
                "value": "MutableLink"
              },
              {
                "name": "Data",
                "value": ""
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\Package\\Data\\1f\\MutableLink"
              }
            ],
            "repeated": 0,
            "id": 7497
          },
          {
            "timestamp": "2026-05-28 22:01:58,021",
            "thread_id": "3700",
            "caller": "0x7ffc6a6a1651",
            "parentcaller": "0x7ffc756bed38",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000760"
              }
            ],
            "repeated": 0,
            "id": 7498
          },
          {
            "timestamp": "2026-05-28 22:01:58,021",
            "thread_id": "3700",
            "caller": "0x7ffc6a6a17f2",
            "parentcaller": "0x7ffc756be12f",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000075c"
              }
            ],
            "repeated": 0,
            "id": 7499
          },
          {
            "timestamp": "2026-05-28 22:01:58,021",
            "thread_id": "3700",
            "caller": "0x7ffc6a6a180b",
            "parentcaller": "0x7ffc756be12f",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000758"
              }
            ],
            "repeated": 0,
            "id": 7500
          },
          {
            "timestamp": "2026-05-28 22:01:58,021",
            "thread_id": "3700",
            "caller": "0x7ffc78017830",
            "parentcaller": "0x7ffc780020f9",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc6a20d000"
              },
              {
                "name": "ModuleName",
                "value": "MrmCoreR.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 7501
          },
          {
            "timestamp": "2026-05-28 22:01:58,021",
            "thread_id": "3700",
            "caller": "0x7ffc78017881",
            "parentcaller": "0x7ffc780020f9",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc6a20d000"
              },
              {
                "name": "ModuleName",
                "value": "MrmCoreR.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 7502
          },
          {
            "timestamp": "2026-05-28 22:01:58,021",
            "thread_id": "3700",
            "caller": "0x7ffc6a6a12d2",
            "parentcaller": "0x7ffc6a12f3d5",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache"
              },
              {
                "name": "Handle",
                "value": "0x00000758"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache"
              }
            ],
            "repeated": 0,
            "id": 7503
          },
          {
            "timestamp": "2026-05-28 22:01:58,021",
            "thread_id": "3700",
            "caller": "0x7ffc6a6a1a81",
            "parentcaller": "0x7ffc6a6a138a",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000758"
              },
              {
                "name": "SubKey",
                "value": "Metadata"
              },
              {
                "name": "Handle",
                "value": "0x0000075c"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\Metadata"
              }
            ],
            "repeated": 0,
            "id": 7504
          },
          {
            "timestamp": "2026-05-28 22:01:58,021",
            "thread_id": "3700",
            "caller": "0x7ffc6a6a1166",
            "parentcaller": "0x7ffc6a14726d",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000758"
              },
              {
                "name": "SubKey",
                "value": "Package\\Index\\PackageFullName\\Microsoft.Windows.StartMenuExperienceHost_10.0.19041.3636_neutral_neutral_cw5n1h2txyewy"
              },
              {
                "name": "Handle",
                "value": "0x00000760"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\Package\\Index\\PackageFullName\\Microsoft.Windows.StartMenuExperienceHost_10.0.19041.3636_neutral_neutral_cw5n1h2txyewy"
              }
            ],
            "repeated": 0,
            "id": 7505
          },
          {
            "timestamp": "2026-05-28 22:01:58,021",
            "thread_id": "3700",
            "caller": "0x7ffc6a6a1732",
            "parentcaller": "0x7ffc6a1472d1",
            "category": "registry",
            "api": "RegEnumKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000760"
              },
              {
                "name": "Index",
                "value": "0"
              },
              {
                "name": "Name",
                "value": "1f"
              },
              {
                "name": "Class",
                "value": ""
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\Package\\Index\\PackageFullName\\Microsoft.Windows.StartMenuExperienceHost_10.0.19041.3636_neutral_neutral_cw5n1h2txyewy\\1f"
              }
            ],
            "repeated": 0,
            "id": 7506
          },
          {
            "timestamp": "2026-05-28 22:01:58,021",
            "thread_id": "3700",
            "caller": "0x7ffc6a6a1651",
            "parentcaller": "0x7ffc6a147302",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000760"
              }
            ],
            "repeated": 0,
            "id": 7507
          },
          {
            "timestamp": "2026-05-28 22:01:58,021",
            "thread_id": "3700",
            "caller": "0x7ffc6a6a1166",
            "parentcaller": "0x7ffc6a146f0d",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000758"
              },
              {
                "name": "SubKey",
                "value": "Package\\Data\\1f"
              },
              {
                "name": "Handle",
                "value": "0x00000760"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\Package\\Data\\1f"
              }
            ],
            "repeated": 0,
            "id": 7508
          },
          {
            "timestamp": "2026-05-28 22:01:58,021",
            "thread_id": "3700",
            "caller": "0x7ffc6a6a16ad",
            "parentcaller": "0x7ffc6a15d91c",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000760"
              },
              {
                "name": "ValueName",
                "value": "Flags"
              },
              {
                "name": "Data",
                "value": "1032"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\Package\\Data\\1f\\Flags"
              }
            ],
            "repeated": 0,
            "id": 7509
          },
          {
            "timestamp": "2026-05-28 22:01:58,021",
            "thread_id": "3700",
            "caller": "0x7ffc6a6a15ac",
            "parentcaller": "0x7ffc6a6a14ff",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000760"
              },
              {
                "name": "ValueName",
                "value": "InstalledLocation"
              },
              {
                "name": "Data",
                "value": "C:\\Windows\\SystemApps\\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\Package\\Data\\1f\\InstalledLocation"
              }
            ],
            "repeated": 0,
            "id": 7510
          },
          {
            "timestamp": "2026-05-28 22:01:58,021",
            "thread_id": "3700",
            "caller": "0x7ffc6a6a1651",
            "parentcaller": "0x7ffc6a146913",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000760"
              }
            ],
            "repeated": 0,
            "id": 7511
          },
          {
            "timestamp": "2026-05-28 22:01:58,021",
            "thread_id": "3700",
            "caller": "0x7ffc6a6a17f2",
            "parentcaller": "0x7ffc6a12f481",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000075c"
              }
            ],
            "repeated": 0,
            "id": 7512
          },
          {
            "timestamp": "2026-05-28 22:01:58,021",
            "thread_id": "3700",
            "caller": "0x7ffc6a6a180b",
            "parentcaller": "0x7ffc6a12f481",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000758"
              }
            ],
            "repeated": 0,
            "id": 7513
          },
          {
            "timestamp": "2026-05-28 22:01:58,021",
            "thread_id": "3700",
            "caller": "0x7ffc78017830",
            "parentcaller": "0x7ffc780020f9",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc6a20d000"
              },
              {
                "name": "ModuleName",
                "value": "MrmCoreR.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 7514
          },
          {
            "timestamp": "2026-05-28 22:01:58,021",
            "thread_id": "3700",
            "caller": "0x7ffc78017881",
            "parentcaller": "0x7ffc780020f9",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc6a20d000"
              },
              {
                "name": "ModuleName",
                "value": "MrmCoreR.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 7515
          },
          {
            "timestamp": "2026-05-28 22:01:58,021",
            "thread_id": "3700",
            "caller": "0x7ffc78006c8b",
            "parentcaller": "0x7ffc77fe67b5",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xf0\\xe6\\x1f\\x9e\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xfc\\x7f\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\xe9\\x03\\x00\\x00\\xfc\\x7f\\x00\\x00`Rru\\xfc\\x7f\\x00\\x00 \\x93\\x1fj\\xfc\\x7f\\x00\\x00\\xd0\\xd3 j\\xfc\\x7f\\x00\\x00\\xdc\\x04\\xfew\\xfc\\x7f\\x00\\x00\\x80#^u\\xfc\\x7f\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 7516
          },
          {
            "timestamp": "2026-05-28 22:01:58,021",
            "thread_id": "3700",
            "caller": "0x7ffc77fe67ec",
            "parentcaller": "0x7ffc756c5140",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000758"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3968686040-3210279463-847977608-1001"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER"
              }
            ],
            "repeated": 0,
            "id": 7517
          },
          {
            "timestamp": "2026-05-28 22:01:58,021",
            "thread_id": "3700",
            "caller": "0x7ffc755e2450",
            "parentcaller": "0x7ffc6a13d33f",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000758"
              },
              {
                "name": "SubKey",
                "value": "Software\\Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppContainer\\Storage\\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\\ResourcesConfig"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppContainer\\Storage\\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\\ResourcesConfig"
              }
            ],
            "repeated": 0,
            "id": 7518
          },
          {
            "timestamp": "2026-05-28 22:01:58,021",
            "thread_id": "3700",
            "caller": "0x7ffc755e2486",
            "parentcaller": "0x7ffc6a13d33f",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000758"
              }
            ],
            "repeated": 0,
            "id": 7519
          },
          {
            "timestamp": "2026-05-28 22:01:58,021",
            "thread_id": "3700",
            "caller": "0x7ffc7572026b",
            "parentcaller": "0x7ffc6a126110",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x00000758"
              }
            ],
            "repeated": 0,
            "id": 7520
          },
          {
            "timestamp": "2026-05-28 22:01:58,021",
            "thread_id": "3700",
            "caller": "0x7ffc6a1261a3",
            "parentcaller": "0x7ffc6a126123",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "39"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 7521
          },
          {
            "timestamp": "2026-05-28 22:01:58,021",
            "thread_id": "3700",
            "caller": "0x7ffc6a1261ff",
            "parentcaller": "0x7ffc6a126123",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "39"
              },
              {
                "name": "TokenInformation",
                "value": "\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x90\\xe4\"T\\x92\\x02\\x00\\x00 \\x00 \\x00\\x00\\x00\\x00\\x00\\xb8\\xe4\"T\\x92\\x02\\x00\\x00\\x02\\x00\\x00\\x00A\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xd8\\xe4\"T\\x92\\x02\\x00\\x00T\\x00S\\x00A\\x00:\\x00/\\x00/\\x00P\\x00r\\x00o\\x00c\\x00U\\x00n\\x00i\\x00q\\x00u\\x00e\\x00\\x88\\x00\\x00\\x00\\x00\\x00\\x00\\x00k\\xc4\t\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 7522
          },
          {
            "timestamp": "2026-05-28 22:01:58,021",
            "thread_id": "3700",
            "caller": "0x7ffc756e6785",
            "parentcaller": "0x7ffc6a126131",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000758"
              }
            ],
            "repeated": 0,
            "id": 7523
          },
          {
            "timestamp": "2026-05-28 22:01:58,021",
            "thread_id": "3700",
            "caller": "0x7ffc78017830",
            "parentcaller": "0x7ffc780020f9",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc6a20d000"
              },
              {
                "name": "ModuleName",
                "value": "MrmCoreR.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 7524
          },
          {
            "timestamp": "2026-05-28 22:01:58,021",
            "thread_id": "3700",
            "caller": "0x7ffc78017881",
            "parentcaller": "0x7ffc780020f9",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc6a20d000"
              },
              {
                "name": "ModuleName",
                "value": "MrmCoreR.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 7525
          },
          {
            "timestamp": "2026-05-28 22:01:58,021",
            "thread_id": "3700",
            "caller": "0x7ffc78017830",
            "parentcaller": "0x7ffc780020f9",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc6a20d000"
              },
              {
                "name": "ModuleName",
                "value": "MrmCoreR.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 7526
          },
          {
            "timestamp": "2026-05-28 22:01:58,021",
            "thread_id": "3700",
            "caller": "0x7ffc78017881",
            "parentcaller": "0x7ffc780020f9",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc6a20d000"
              },
              {
                "name": "ModuleName",
                "value": "MrmCoreR.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 7527
          },
          {
            "timestamp": "2026-05-28 22:01:58,021",
            "thread_id": "3700",
            "caller": "0x7ffc77c2dd9d",
            "parentcaller": "0x7ffc77bc7428",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000758"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020119",
                "pretty_value": "KEY_QUERY_VALUE|KEY_ENUMERATE_SUB_KEYS|KEY_NOTIFY|KEY_WOW64_64KEY|STANDARD_RIGHTS_REQUIRED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000003d8"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Windows.UI.Core.CoreWindow"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.UI.Core.CoreWindow"
              }
            ],
            "repeated": 0,
            "id": 7528
          },
          {
            "timestamp": "2026-05-28 22:01:58,021",
            "thread_id": "3700",
            "caller": "0x7ffc77c2ddf7",
            "parentcaller": "0x7ffc77bc7428",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000758"
              },
              {
                "name": "KeyInformation",
                "value": "N\\xffc1\\xffec\\xffe6\\xfff8\\xffee\\xffdc\\x01\\x00\\x00\\x00\\x004\\x00\\x00\\x00W\\x00i\\x00n\\x00d\\x00o\\x00w\\x00s\\x00.\\x00U\\x00I\\x00.\\x00C\\x00o\\x00r\\x00e\\x00.\\x00C\\x00o\\x00r\\x00e\\x00W\\x00i\\x00n\\x00d\\x00o\\x00w\\x00\\x02\\x00\\x00\\x00\\xffc0\\x0c\\x03N\\xff92\\x02\\x00\\x00)\\x00-\\x00\\x00\\x00\\x00\\x00k\\xffb8\\xffffw\\xfffc\\x7f\\x00\\x00(\\x00+\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xff90\\xffa8\\x1fT\\xff92\\x02\\x00\\x00\\xff80\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x1fN\\xff92\\x02\\x00\\x009\\xffdf\\x1f\\xff9e\\xfff0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xffa0\\x14\\x03N\\xff92\\x02\\x00\\x00\\x00\\x00\\x03N\\xff92\\x02\\x00\\x00\\x00\\x00\\x03N\\xff92\\x02\\x00\\x00\\xffc4\\x02\\x03N\\xff92\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\xff92\\x02\\x00\\x00\\xff90\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xffc0\\x0c\\x03N\\xff92\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xffb0E\\xffe7w\\xfffc\\x7f\\x00\\x00\\x08\\xfff9!T\\xff92\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\xffe0\\x1f\\xff9e\\xfff0\\x00\\x00\\x00\\xff87\\xff9d\\xffbbw\\xfffc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\xff92\\x02\\x00\\x00\\xffb0\\x18\\x1dT\\xff92\\x02\\x00\\x00\\xff80\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xffe0\\xfff8!T\\xff92\\x02\\x00\\x00\\xffb0\\x18\\x1dT\\xff92\\x02\\x00\\x00\\xff90\\xffac\"T\\xff92\\x02\\x00\\x00\\xffc7\\xffb3\\xffffw\\xfffc\\x7f\\x00\\x00\\x00\\x00\\x03N\\xff92\\x02\\x00\\x00\\xfff6s\\xffbbw\\xfffc\\x7f\\x00\\x00\\xff90*\\x1fT\\xff92\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xffff\\xffff\\xffff\\xffff\\xffff\\xffff\\xffff\\xffff\\xff90\\xffac\"T\\xff92\\x02\\x00\\x00\\x00\\xffef\"T\\xff92\\x02\\x00\\x00\\x00\\xffef\"T\\xff92\\x02\\x00\\x
00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xffb0\\x18\\x1dT\\xff92\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xff92\\x02\\x00\\x006\\xff8c\\xffc6w\\xfffc\\x7f\\x00\\x00\\xffc0T#T\\xff92\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\xfff0\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xffe1\\x1f\\xff9e\\xfff0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xffe1\\x1f\\xff9e\\xfff0\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 7529
          },
          {
            "timestamp": "2026-05-28 22:01:58,021",
            "thread_id": "3700",
            "caller": "0x7ffc756e2e92",
            "parentcaller": "0x7ffc77c29cb2",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000758"
              },
              {
                "name": "ValueName",
                "value": "ActivationType"
              },
              {
                "name": "Data",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.UI.Core.CoreWindow\\ActivationType"
              }
            ],
            "repeated": 0,
            "id": 7530
          },
          {
            "timestamp": "2026-05-28 22:01:58,021",
            "thread_id": "3700",
            "caller": "0x7ffc77b87deb",
            "parentcaller": "0x7ffc77c38ff0",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000758"
              },
              {
                "name": "ValueName",
                "value": "Server"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.UI.Core.CoreWindow\\Server"
              }
            ],
            "repeated": 0,
            "id": 7531
          },
          {
            "timestamp": "2026-05-28 22:01:58,021",
            "thread_id": "3700",
            "caller": "0x7ffc77b87deb",
            "parentcaller": "0x7ffc77c400bb",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000758"
              },
              {
                "name": "ValueName",
                "value": "DllPath"
              },
              {
                "name": "Data",
                "value": "C:\\Windows\\System32\\Windows.UI.dll"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.UI.Core.CoreWindow\\DllPath"
              }
            ],
            "repeated": 0,
            "id": 7532
          },
          {
            "timestamp": "2026-05-28 22:01:58,021",
            "thread_id": "3700",
            "caller": "0x7ffc756e2e92",
            "parentcaller": "0x7ffc77c29cb2",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000758"
              },
              {
                "name": "ValueName",
                "value": "Threading"
              },
              {
                "name": "Data",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.UI.Core.CoreWindow\\Threading"
              }
            ],
            "repeated": 0,
            "id": 7533
          },
          {
            "timestamp": "2026-05-28 22:01:58,021",
            "thread_id": "3700",
            "caller": "0x7ffc756e2e92",
            "parentcaller": "0x7ffc77c29cb2",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000758"
              },
              {
                "name": "ValueName",
                "value": "TrustLevel"
              },
              {
                "name": "Data",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.UI.Core.CoreWindow\\TrustLevel"
              }
            ],
            "repeated": 0,
            "id": 7534
          },
          {
            "timestamp": "2026-05-28 22:01:58,021",
            "thread_id": "3700",
            "caller": "0x7ffc77b8c0fc",
            "parentcaller": "0x7ffc77c24170",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000758"
              },
              {
                "name": "SubKey",
                "value": "CustomAttributes"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.UI.Core.CoreWindow\\CustomAttributes"
              }
            ],
            "repeated": 0,
            "id": 7535
          },
          {
            "timestamp": "2026-05-28 22:01:58,021",
            "thread_id": "3700",
            "caller": "0x7ffc77b87deb",
            "parentcaller": "0x7ffc77c38ff0",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000758"
              },
              {
                "name": "ValueName",
                "value": "RemoteServer"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.UI.Core.CoreWindow\\RemoteServer"
              }
            ],
            "repeated": 0,
            "id": 7536
          },
          {
            "timestamp": "2026-05-28 22:01:58,021",
            "thread_id": "3700",
            "caller": "0x7ffc756e2e92",
            "parentcaller": "0x7ffc77c29cb2",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000758"
              },
              {
                "name": "ValueName",
                "value": "ActivateAsUser"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.UI.Core.CoreWindow\\ActivateAsUser"
              }
            ],
            "repeated": 0,
            "id": 7537
          },
          {
            "timestamp": "2026-05-28 22:01:58,021",
            "thread_id": "3700",
            "caller": "0x7ffc756e2e92",
            "parentcaller": "0x7ffc77c29cb2",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000758"
              },
              {
                "name": "ValueName",
                "value": "ActivateInSharedBroker"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.UI.Core.CoreWindow\\ActivateInSharedBroker"
              }
            ],
            "repeated": 0,
            "id": 7538
          },
          {
            "timestamp": "2026-05-28 22:01:58,021",
            "thread_id": "3700",
            "caller": "0x7ffc756e2e92",
            "parentcaller": "0x7ffc77c29cb2",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000758"
              },
              {
                "name": "ValueName",
                "value": "ActivateInBrokerForMediumILContainer"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.UI.Core.CoreWindow\\ActivateInBrokerForMediumILContainer"
              }
            ],
            "repeated": 0,
            "id": 7539
          },
          {
            "timestamp": "2026-05-28 22:01:58,021",
            "thread_id": "3700",
            "caller": "0x7ffc756e2e92",
            "parentcaller": "0x7ffc77c32222",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000758"
              },
              {
                "name": "ValueName",
                "value": "Permissions"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.UI.Core.CoreWindow\\Permissions"
              }
            ],
            "repeated": 0,
            "id": 7540
          },
          {
            "timestamp": "2026-05-28 22:01:58,021",
            "thread_id": "3700",
            "caller": "0x7ffc756e2e92",
            "parentcaller": "0x7ffc77c29cb2",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000758"
              },
              {
                "name": "ValueName",
                "value": "ActivateOnHostFlags"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.UI.Core.CoreWindow\\ActivateOnHostFlags"
              }
            ],
            "repeated": 0,
            "id": 7541
          },
          {
            "timestamp": "2026-05-28 22:01:58,021",
            "thread_id": "3700",
            "caller": "0x7ffc77c27226",
            "parentcaller": "0x7ffc77c2ca23",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000758"
              }
            ],
            "repeated": 0,
            "id": 7542
          },
          {
            "timestamp": "2026-05-28 22:01:58,021",
            "thread_id": "3700",
            "caller": "0x7ffc756e56b2",
            "parentcaller": "0x7ffc77bc6b6d",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\System32\\WindowManagementAPI"
              },
              {
                "name": "DllBase",
                "value": "0x7ffc70130000"
              }
            ],
            "repeated": 0,
            "id": 7543
          },
          {
            "timestamp": "2026-05-28 22:01:58,021",
            "thread_id": "3700",
            "caller": "0x7ffc756e56b2",
            "parentcaller": "0x7ffc77bc6b6d",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\System32\\InputHost"
              },
              {
                "name": "DllBase",
                "value": "0x7ffc69e70000"
              }
            ],
            "repeated": 0,
            "id": 7544
          },
          {
            "timestamp": "2026-05-28 22:01:58,021",
            "thread_id": "3700",
            "caller": "0x7ffc756e56b2",
            "parentcaller": "0x7ffc77bc6b6d",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\System32\\Windows.UI"
              },
              {
                "name": "DllBase",
                "value": "0x7ffc69fd0000"
              }
            ],
            "repeated": 0,
            "id": 7545
          },
          {
            "timestamp": "2026-05-28 22:01:58,021",
            "thread_id": "3700",
            "caller": "0x7ffc756e56b2",
            "parentcaller": "0x7ffc77bc6b6d",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\Windows.UI.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc69fd0000"
              }
            ],
            "repeated": 0,
            "id": 7546
          },
          {
            "timestamp": "2026-05-28 22:01:58,021",
            "thread_id": "3700",
            "caller": "0x7ffc756e56b2",
            "parentcaller": "0x7ffc77bc6b6d",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x7ffc69fd0000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\System32\\Windows.UI.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00002008"
              }
            ],
            "repeated": 0,
            "id": 7547
          },
          {
            "timestamp": "2026-05-28 22:01:58,021",
            "thread_id": "3700",
            "caller": "0x7ffc756eac31",
            "parentcaller": "0x7ffc77bc6acf",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "Windows.UI.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc69fd0000"
              },
              {
                "name": "FunctionName",
                "value": "DllGetClassObject"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc69ff4510"
              }
            ],
            "repeated": 0,
            "id": 7548
          },
          {
            "timestamp": "2026-05-28 22:01:58,021",
            "thread_id": "3700",
            "caller": "0x7ffc756eac31",
            "parentcaller": "0x7ffc77bc6ae8",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "Windows.UI.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc69fd0000"
              },
              {
                "name": "FunctionName",
                "value": "DllGetActivationFactory"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc69ff2840"
              }
            ],
            "repeated": 0,
            "id": 7549
          },
          {
            "timestamp": "2026-05-28 22:01:58,021",
            "thread_id": "3700",
            "caller": "0x7ffc756eac31",
            "parentcaller": "0x7ffc77bc6b08",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "Windows.UI.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc69fd0000"
              },
              {
                "name": "FunctionName",
                "value": "DllCanUnloadNow"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc69ff52f0"
              }
            ],
            "repeated": 0,
            "id": 7550
          },
          {
            "timestamp": "2026-05-28 22:01:58,021",
            "thread_id": "3700",
            "caller": "0x7ffc78017830",
            "parentcaller": "0x7ffc780020f9",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc6a103000"
              },
              {
                "name": "ModuleName",
                "value": "Windows.UI.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 7551
          },
          {
            "timestamp": "2026-05-28 22:01:58,021",
            "thread_id": "3700",
            "caller": "0x7ffc78017881",
            "parentcaller": "0x7ffc780020f9",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc6a103000"
              },
              {
                "name": "ModuleName",
                "value": "Windows.UI.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 7552
          },
          {
            "timestamp": "2026-05-28 22:01:58,021",
            "thread_id": "3700",
            "caller": "0x7ffc78017830",
            "parentcaller": "0x7ffc780020f9",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc6a103000"
              },
              {
                "name": "ModuleName",
                "value": "Windows.UI.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 7553
          },
          {
            "timestamp": "2026-05-28 22:01:58,021",
            "thread_id": "3700",
            "caller": "0x7ffc78017881",
            "parentcaller": "0x7ffc780020f9",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc6a103000"
              },
              {
                "name": "ModuleName",
                "value": "Windows.UI.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 7554
          },
          {
            "timestamp": "2026-05-28 22:01:58,021",
            "thread_id": "3700",
            "caller": "0x7ffc77b9cd6e",
            "parentcaller": "0x7ffc77b9c76f",
            "category": "system",
            "api": "IsDebuggerPresent",
            "status": false,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 1,
            "id": 7555
          },
          {
            "timestamp": "2026-05-28 22:01:58,021",
            "thread_id": "3700",
            "caller": "0x7ffc756e3a9c",
            "parentcaller": "0x7ffc756e3529",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 7556
          },
          {
            "timestamp": "2026-05-28 22:01:58,021",
            "thread_id": "3700",
            "caller": "0x7ffc756e40c4",
            "parentcaller": "0x7ffc756e3f4b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000000d4"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 7557
          },
          {
            "timestamp": "2026-05-28 22:01:58,021",
            "thread_id": "3700",
            "caller": "0x7ffc756e3f76",
            "parentcaller": "0x7ffc75764fd4",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000000d4"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Mrt\\_Merged"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Mrt\\_Merged"
              }
            ],
            "repeated": 0,
            "id": 7558
          },
          {
            "timestamp": "2026-05-28 22:01:58,021",
            "thread_id": "3700",
            "caller": "0x7ffc756e1e5c",
            "parentcaller": "0x7ffc6a132bda",
            "category": "filesystem",
            "api": "NtQueryFullAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\SystemApps\\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\\resources.pri"
              }
            ],
            "repeated": 0,
            "id": 7559
          },
          {
            "timestamp": "2026-05-28 22:01:58,021",
            "thread_id": "3700",
            "caller": "0x7ffc756e6579",
            "parentcaller": "0x7ffc756e5fe6",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000764"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\SystemApps\\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\\resources.pri"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 7560
          },
          {
            "timestamp": "2026-05-28 22:01:58,021",
            "thread_id": "3700",
            "caller": "0x7ffc75724097",
            "parentcaller": "0x7ffc6a12ec60",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000764"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\SystemApps\\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\\resources.pri"
              },
              {
                "name": "FileInformationClass",
                "value": "5",
                "pretty_value": "FileStandardInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\x88\\x06\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 7561
          },
          {
            "timestamp": "2026-05-28 22:01:58,021",
            "thread_id": "3700",
            "caller": "0x7ffc756df0e1",
            "parentcaller": "0x7ffc756def40",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000768"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000764"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\SystemApps\\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\\resources.pri"
              }
            ],
            "repeated": 0,
            "id": 7562
          },
          {
            "timestamp": "2026-05-28 22:01:58,021",
            "thread_id": "3700",
            "caller": "0x7ffc7571c386",
            "parentcaller": "0x7ffc7571c25e",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000768"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x292546a0000"
              },
              {
                "name": "SectionOffset",
                "value": "0xf09e1fe490"
              },
              {
                "name": "ViewSize",
                "value": "0x00001000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 7563
          },
          {
            "timestamp": "2026-05-28 22:01:58,021",
            "thread_id": "3700",
            "caller": "0x7ffc756e6785",
            "parentcaller": "0x7ffc6a12ed05",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000768"
              }
            ],
            "repeated": 0,
            "id": 7564
          },
          {
            "timestamp": "2026-05-28 22:01:58,021",
            "thread_id": "3700",
            "caller": "0x7ffc756e6785",
            "parentcaller": "0x7ffc6a12ed17",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000764"
              }
            ],
            "repeated": 0,
            "id": 7565
          },
          {
            "timestamp": "2026-05-28 22:01:58,021",
            "thread_id": "3700",
            "caller": "0x7ffc756e3a9c",
            "parentcaller": "0x7ffc756e3529",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 7566
          },
          {
            "timestamp": "2026-05-28 22:01:58,021",
            "thread_id": "3700",
            "caller": "0x7ffc756e40c4",
            "parentcaller": "0x7ffc756e3f4b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000000d4"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 7567
          },
          {
            "timestamp": "2026-05-28 22:01:58,021",
            "thread_id": "3700",
            "caller": "0x7ffc756e3f76",
            "parentcaller": "0x7ffc75764fd4",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000000d4"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Mrt\\_Merged"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Mrt\\_Merged"
              }
            ],
            "repeated": 0,
            "id": 7568
          },
          {
            "timestamp": "2026-05-28 22:01:58,021",
            "thread_id": "3700",
            "caller": "0x7ffc6a14535d",
            "parentcaller": "0x7ffc6a1416a5",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 7569
          },
          {
            "timestamp": "2026-05-28 22:01:58,021",
            "thread_id": "3700",
            "caller": "0x7ffc756dfacc",
            "parentcaller": "0x7ffc6a1459f0",
            "category": "filesystem",
            "api": "FindFirstFileExW",
            "status": true,
            "return": "0x292541d23f0",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\SystemApps\\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\\pris\\resources*.pri"
              },
              {
                "name": "FirstCreateTimeLow",
                "value": "0xab7e9afa"
              },
              {
                "name": "FirstCreateTimeHigh",
                "value": "0x01d5ace3"
              }
            ],
            "repeated": 0,
            "id": 7570
          },
          {
            "timestamp": "2026-05-28 22:01:58,021",
            "thread_id": "3700",
            "caller": "0x7ffc756dbe1d",
            "parentcaller": "0x7ffc6a145add",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000764"
              }
            ],
            "repeated": 0,
            "id": 7571
          },
          {
            "timestamp": "2026-05-28 22:01:58,021",
            "thread_id": "3700",
            "caller": "0x7ffc7808e53f",
            "parentcaller": "0x7ffc77fefaf7",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "93"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x7f7\\x9e}"
              }
            ],
            "repeated": 0,
            "id": 7572
          },
          {
            "timestamp": "2026-05-28 22:01:58,021",
            "thread_id": "3700",
            "caller": "0x7ffc77fe5157",
            "parentcaller": "0x7ffc77fe43ea",
            "category": "process",
            "api": "NtOpenSection",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0000000d"
              },
              {
                "name": "ObjectAttributes",
                "value": "languageoverlayutil.dll"
              }
            ],
            "repeated": 0,
            "id": 7573
          },
          {
            "timestamp": "2026-05-28 22:01:58,021",
            "thread_id": "3700",
            "caller": "0x7ffc7802f37b",
            "parentcaller": "0x7ffc7802f207",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\languageoverlayutil.dll"
              }
            ],
            "repeated": 0,
            "id": 7574
          },
          {
            "timestamp": "2026-05-28 22:01:58,021",
            "thread_id": "3700",
            "caller": "0x7ffc7802fc9c",
            "parentcaller": "0x7ffc7802fa80",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000764"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100021",
                "pretty_value": "FILE_READ_ACCESS|FILE_EXECUTE|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\languageoverlayutil.dll"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 7575
          },
          {
            "timestamp": "2026-05-28 22:01:58,021",
            "thread_id": "3700",
            "caller": "0x7ffc7802fcfe",
            "parentcaller": "0x7ffc7802fa80",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000768"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0000000d",
                "pretty_value": "SECTION_QUERY|SECTION_MAP_READ|SECTION_MAP_EXECUTE"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000764"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\LanguageOverlayUtil.dll"
              }
            ],
            "repeated": 0,
            "id": 7576
          },
          {
            "timestamp": "2026-05-28 22:01:58,021",
            "thread_id": "3700",
            "caller": "0x7ffc77fe4d42",
            "parentcaller": "0x7ffc77fe4aaa",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000768"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc69d20000"
              },
              {
                "name": "SectionOffset",
                "value": "0x00000000"
              },
              {
                "name": "ViewSize",
                "value": "0x00041000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000080",
                "pretty_value": "PAGE_EXECUTE_WRITECOPY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 7577
          },
          {
            "timestamp": "2026-05-28 22:01:58,021",
            "thread_id": "3700",
            "caller": "0x7ffc77fdfee4",
            "parentcaller": "0x7ffc77fdfad8",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc69d5e000"
              },
              {
                "name": "ModuleName",
                "value": "languageoverlayutil.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 7578
          },
          {
            "timestamp": "2026-05-28 22:01:58,021",
            "thread_id": "3700",
            "caller": "0x7ffc77fdffb5",
            "parentcaller": "0x7ffc77fdfad8",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc69d4d000"
              },
              {
                "name": "ModuleName",
                "value": "languageoverlayutil.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 7579
          },
          {
            "timestamp": "2026-05-28 22:01:58,021",
            "thread_id": "3700",
            "caller": "0x7ffc77fdffed",
            "parentcaller": "0x7ffc77fdfad8",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc69d4d000"
              },
              {
                "name": "ModuleName",
                "value": "languageoverlayutil.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 7580
          },
          {
            "timestamp": "2026-05-28 22:01:58,021",
            "thread_id": "3700",
            "caller": "0x7ffc77fe0068",
            "parentcaller": "0x7ffc77fdfad8",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc69d4d000"
              },
              {
                "name": "ModuleName",
                "value": "languageoverlayutil.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 7581
          },
          {
            "timestamp": "2026-05-28 22:01:58,021",
            "thread_id": "3700",
            "caller": "0x7ffc77fe009c",
            "parentcaller": "0x7ffc77fdfad8",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc69d4d000"
              },
              {
                "name": "ModuleName",
                "value": "languageoverlayutil.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 7582
          },
          {
            "timestamp": "2026-05-28 22:01:58,021",
            "thread_id": "3700",
            "caller": "0x7ffc77fe5082",
            "parentcaller": "0x7ffc77fe79d2",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc69d4d000"
              },
              {
                "name": "ModuleName",
                "value": "languageoverlayutil.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 7583
          },
          {
            "timestamp": "2026-05-28 22:01:58,021",
            "thread_id": "3700",
            "caller": "0x7ffc7802fd68",
            "parentcaller": "0x7ffc7802fa80",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000768"
              }
            ],
            "repeated": 0,
            "id": 7584
          },
          {
            "timestamp": "2026-05-28 22:01:58,021",
            "thread_id": "3700",
            "caller": "0x7ffc7802fd71",
            "parentcaller": "0x7ffc7802fa80",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000764"
              }
            ],
            "repeated": 0,
            "id": 7585
          },
          {
            "timestamp": "2026-05-28 22:01:58,021",
            "thread_id": "3700",
            "caller": "0x7ffc78017bac",
            "parentcaller": "0x7ffc7800288a",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc69d4d000"
              },
              {
                "name": "ModuleName",
                "value": "languageoverlayutil.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 7586
          },
          {
            "timestamp": "2026-05-28 22:01:58,021",
            "thread_id": "3700",
            "caller": "0x7ffc78017bac",
            "parentcaller": "0x7ffc7800288a",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\SYSTEM32\\languageoverlayutil"
              },
              {
                "name": "DllBase",
                "value": "0x7ffc69d20000"
              }
            ],
            "repeated": 0,
            "id": 7587
          },
          {
            "timestamp": "2026-05-28 22:01:58,021",
            "thread_id": "3700",
            "caller": "0x7ffc7803c2c7",
            "parentcaller": "0x7ffc7803c05a",
            "category": "system",
            "api": "LdrpCallInitRoutine",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "MappedPath",
                "value": "\\Device\\HarddiskVolume2\\Windows\\System32\\LanguageOverlayUtil"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc69d20000"
              },
              {
                "name": "InitRoutine",
                "value": "0x7ffc69d46bf0"
              },
              {
                "name": "Reason",
                "value": "1"
              }
            ],
            "repeated": 0,
            "id": 7588
          },
          {
            "timestamp": "2026-05-28 22:01:58,021",
            "thread_id": "3700",
            "caller": "0x7ffc78017830",
            "parentcaller": "0x7ffc780020f9",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc6a20d000"
              },
              {
                "name": "ModuleName",
                "value": "MrmCoreR.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 7589
          },
          {
            "timestamp": "2026-05-28 22:01:58,021",
            "thread_id": "3700",
            "caller": "0x7ffc78017881",
            "parentcaller": "0x7ffc780020f9",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc6a20d000"
              },
              {
                "name": "ModuleName",
                "value": "MrmCoreR.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 7590
          },
          {
            "timestamp": "2026-05-28 22:01:58,021",
            "thread_id": "3700",
            "caller": "0x7ffc69d43c8c",
            "parentcaller": "0x7ffc69d2b448",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "Software\\Microsoft\\LanguageOverlay\\OverlayPackages"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages"
              }
            ],
            "repeated": 0,
            "id": 7591
          },
          {
            "timestamp": "2026-05-28 22:01:58,037",
            "thread_id": "3700",
            "caller": "0x7ffc756dfacc",
            "parentcaller": "0x7ffc6a145869",
            "category": "filesystem",
            "api": "FindFirstFileExW",
            "status": true,
            "return": "0x292541d2150",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\SystemApps\\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\\resources.pri"
              },
              {
                "name": "FirstCreateTimeLow",
                "value": "0xea4e2414"
              },
              {
                "name": "FirstCreateTimeHigh",
                "value": "0x01d5acdd"
              }
            ],
            "repeated": 0,
            "id": 7592
          },
          {
            "timestamp": "2026-05-28 22:01:58,037",
            "thread_id": "3700",
            "caller": "0x7ffc756dbe1d",
            "parentcaller": "0x7ffc6a1458f3",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000768"
              }
            ],
            "repeated": 0,
            "id": 7593
          },
          {
            "timestamp": "2026-05-28 22:01:58,037",
            "thread_id": "3700",
            "caller": "0x7ffc756e3a9c",
            "parentcaller": "0x7ffc756e3529",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 7594
          },
          {
            "timestamp": "2026-05-28 22:01:58,037",
            "thread_id": "3700",
            "caller": "0x7ffc756e40c4",
            "parentcaller": "0x7ffc756e3f4b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000000d4"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 7595
          },
          {
            "timestamp": "2026-05-28 22:01:58,037",
            "thread_id": "3700",
            "caller": "0x7ffc756e3f76",
            "parentcaller": "0x7ffc75764fd4",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000000d4"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Mrt\\_Merged"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Mrt\\_Merged"
              }
            ],
            "repeated": 0,
            "id": 7596
          },
          {
            "timestamp": "2026-05-28 22:01:58,037",
            "thread_id": "3700",
            "caller": "0x7ffc756e1e5c",
            "parentcaller": "0x7ffc6a144f67",
            "category": "filesystem",
            "api": "NtQueryFullAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\rescache\\_merged\\24768367\\3374421605.pri"
              }
            ],
            "repeated": 1,
            "id": 7597
          },
          {
            "timestamp": "2026-05-28 22:01:58,037",
            "thread_id": "3700",
            "caller": "0x7ffc756e6579",
            "parentcaller": "0x7ffc756e5fe6",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000764"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\rescache\\_merged\\24768367\\3374421605.pri"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 7598
          },
          {
            "timestamp": "2026-05-28 22:01:58,037",
            "thread_id": "3700",
            "caller": "0x7ffc75724097",
            "parentcaller": "0x7ffc6a12ec60",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000764"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\rescache\\_merged\\24768367\\3374421605.pri"
              },
              {
                "name": "FileInformationClass",
                "value": "5",
                "pretty_value": "FileStandardInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x00h\\x07\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 7599
          },
          {
            "timestamp": "2026-05-28 22:01:58,037",
            "thread_id": "3700",
            "caller": "0x7ffc756df0e1",
            "parentcaller": "0x7ffc756def40",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000754"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000764"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\rescache\\_merged\\24768367\\3374421605.pri"
              }
            ],
            "repeated": 0,
            "id": 7600
          },
          {
            "timestamp": "2026-05-28 22:01:58,037",
            "thread_id": "3700",
            "caller": "0x7ffc7571c386",
            "parentcaller": "0x7ffc7571c25e",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000754"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x292546b0000"
              },
              {
                "name": "SectionOffset",
                "value": "0xf09e1fe350"
              },
              {
                "name": "ViewSize",
                "value": "0x00001000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 7601
          },
          {
            "timestamp": "2026-05-28 22:01:58,037",
            "thread_id": "3700",
            "caller": "0x7ffc756e6785",
            "parentcaller": "0x7ffc6a12ed05",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000754"
              }
            ],
            "repeated": 0,
            "id": 7602
          },
          {
            "timestamp": "2026-05-28 22:01:58,037",
            "thread_id": "3700",
            "caller": "0x7ffc756e6785",
            "parentcaller": "0x7ffc6a12ed17",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000764"
              }
            ],
            "repeated": 0,
            "id": 7603
          },
          {
            "timestamp": "2026-05-28 22:01:58,037",
            "thread_id": "3700",
            "caller": "0x7ffc756dfacc",
            "parentcaller": "0x7ffc6a144eb0",
            "category": "filesystem",
            "api": "FindFirstFileExW",
            "status": true,
            "return": "0x292541d26f0",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\SystemApps\\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\\pris\\resources.en-US.pri"
              },
              {
                "name": "FirstCreateTimeLow",
                "value": "0xab7e9afa"
              },
              {
                "name": "FirstCreateTimeHigh",
                "value": "0x01d5ace3"
              }
            ],
            "repeated": 0,
            "id": 7604
          },
          {
            "timestamp": "2026-05-28 22:01:58,037",
            "thread_id": "3700",
            "caller": "0x7ffc756dbe1d",
            "parentcaller": "0x7ffc6a144ec9",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000764"
              }
            ],
            "repeated": 0,
            "id": 7605
          },
          {
            "timestamp": "2026-05-28 22:01:58,037",
            "thread_id": "3700",
            "caller": "0x7ffc756e1e5c",
            "parentcaller": "0x7ffc6a132bda",
            "category": "filesystem",
            "api": "NtQueryFullAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\SystemApps\\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\\pris\\resources.en-US.pri"
              }
            ],
            "repeated": 0,
            "id": 7606
          },
          {
            "timestamp": "2026-05-28 22:01:58,037",
            "thread_id": "3700",
            "caller": "0x7ffc7808e53f",
            "parentcaller": "0x7ffc77fefaf7",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "93"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x7f7\\x9e}"
              }
            ],
            "repeated": 0,
            "id": 7607
          },
          {
            "timestamp": "2026-05-28 22:01:58,037",
            "thread_id": "3700",
            "caller": "0x7ffc77fe5157",
            "parentcaller": "0x7ffc77fe43ea",
            "category": "process",
            "api": "NtOpenSection",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0000000d"
              },
              {
                "name": "ObjectAttributes",
                "value": "bcp47mrm.dll"
              }
            ],
            "repeated": 0,
            "id": 7608
          },
          {
            "timestamp": "2026-05-28 22:01:58,037",
            "thread_id": "3700",
            "caller": "0x7ffc7802f37b",
            "parentcaller": "0x7ffc7802f207",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\BCP47mrm.dll"
              }
            ],
            "repeated": 0,
            "id": 7609
          },
          {
            "timestamp": "2026-05-28 22:01:58,037",
            "thread_id": "3700",
            "caller": "0x7ffc7802fc9c",
            "parentcaller": "0x7ffc7802f7b0",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000768"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100021",
                "pretty_value": "FILE_READ_ACCESS|FILE_EXECUTE|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\BCP47mrm.dll"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 7610
          },
          {
            "timestamp": "2026-05-28 22:01:58,037",
            "thread_id": "3700",
            "caller": "0x7ffc7802fcfe",
            "parentcaller": "0x7ffc7802f7b0",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x0000076c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0000000d",
                "pretty_value": "SECTION_QUERY|SECTION_MAP_READ|SECTION_MAP_EXECUTE"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000768"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\BCP47mrm.dll"
              }
            ],
            "repeated": 0,
            "id": 7611
          },
          {
            "timestamp": "2026-05-28 22:01:58,037",
            "thread_id": "3700",
            "caller": "0x7ffc77fe4d42",
            "parentcaller": "0x7ffc77fe4aaa",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x0000076c"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc6a6c0000"
              },
              {
                "name": "SectionOffset",
                "value": "0x00000000"
              },
              {
                "name": "ViewSize",
                "value": "0x0002d000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000080",
                "pretty_value": "PAGE_EXECUTE_WRITECOPY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 7612
          },
          {
            "timestamp": "2026-05-28 22:01:58,037",
            "thread_id": "3700",
            "caller": "0x7ffc77fdfee4",
            "parentcaller": "0x7ffc77fdfad8",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc6a6ea000"
              },
              {
                "name": "ModuleName",
                "value": "bcp47mrm.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 7613
          },
          {
            "timestamp": "2026-05-28 22:01:58,037",
            "thread_id": "3700",
            "caller": "0x7ffc77fdffb5",
            "parentcaller": "0x7ffc77fdfad8",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc6a6d9000"
              },
              {
                "name": "ModuleName",
                "value": "bcp47mrm.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 7614
          },
          {
            "timestamp": "2026-05-28 22:01:58,037",
            "thread_id": "3700",
            "caller": "0x7ffc77fdffed",
            "parentcaller": "0x7ffc77fdfad8",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc6a6d9000"
              },
              {
                "name": "ModuleName",
                "value": "bcp47mrm.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 7615
          },
          {
            "timestamp": "2026-05-28 22:01:58,037",
            "thread_id": "3700",
            "caller": "0x7ffc77fe0068",
            "parentcaller": "0x7ffc77fdfad8",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc6a6d9000"
              },
              {
                "name": "ModuleName",
                "value": "bcp47mrm.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 7616
          },
          {
            "timestamp": "2026-05-28 22:01:58,037",
            "thread_id": "3700",
            "caller": "0x7ffc77fe009c",
            "parentcaller": "0x7ffc77fdfad8",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc6a6d9000"
              },
              {
                "name": "ModuleName",
                "value": "bcp47mrm.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 7617
          },
          {
            "timestamp": "2026-05-28 22:01:58,037",
            "thread_id": "3700",
            "caller": "0x7ffc77fe5082",
            "parentcaller": "0x7ffc77fe79d2",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc6a6d9000"
              },
              {
                "name": "ModuleName",
                "value": "bcp47mrm.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 7618
          },
          {
            "timestamp": "2026-05-28 22:01:58,037",
            "thread_id": "3700",
            "caller": "0x7ffc7802fd68",
            "parentcaller": "0x7ffc7802f7b0",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000076c"
              }
            ],
            "repeated": 0,
            "id": 7619
          },
          {
            "timestamp": "2026-05-28 22:01:58,037",
            "thread_id": "3700",
            "caller": "0x7ffc7802fd71",
            "parentcaller": "0x7ffc7802f7b0",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000768"
              }
            ],
            "repeated": 0,
            "id": 7620
          },
          {
            "timestamp": "2026-05-28 22:01:58,037",
            "thread_id": "3700",
            "caller": "0x7ffc78017bac",
            "parentcaller": "0x7ffc7800288a",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc6a6d9000"
              },
              {
                "name": "ModuleName",
                "value": "bcp47mrm.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 7621
          },
          {
            "timestamp": "2026-05-28 22:01:58,037",
            "thread_id": "3700",
            "caller": "0x7ffc78017bac",
            "parentcaller": "0x7ffc7800288a",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\System32\\bcp47mrm"
              },
              {
                "name": "DllBase",
                "value": "0x7ffc6a6c0000"
              }
            ],
            "repeated": 0,
            "id": 7622
          },
          {
            "timestamp": "2026-05-28 22:01:58,037",
            "thread_id": "3700",
            "caller": "0x7ffc7803c2c7",
            "parentcaller": "0x7ffc7803c05a",
            "category": "system",
            "api": "LdrpCallInitRoutine",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "MappedPath",
                "value": "\\Device\\HarddiskVolume2\\Windows\\System32\\BCP47mrm"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc6a6c0000"
              },
              {
                "name": "InitRoutine",
                "value": "0x7ffc6a6c7cd0"
              },
              {
                "name": "Reason",
                "value": "1"
              }
            ],
            "repeated": 0,
            "id": 7623
          },
          {
            "timestamp": "2026-05-28 22:01:58,037",
            "thread_id": "3700",
            "caller": "0x7ffc78017830",
            "parentcaller": "0x7ffc780020f9",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc6a20d000"
              },
              {
                "name": "ModuleName",
                "value": "MrmCoreR.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 7624
          },
          {
            "timestamp": "2026-05-28 22:01:58,037",
            "thread_id": "3700",
            "caller": "0x7ffc78017881",
            "parentcaller": "0x7ffc780020f9",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc6a20d000"
              },
              {
                "name": "ModuleName",
                "value": "MrmCoreR.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 7625
          },
          {
            "timestamp": "2026-05-28 22:01:58,037",
            "thread_id": "3700",
            "caller": "0x7ffc78017830",
            "parentcaller": "0x7ffc780020f9",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc6a20d000"
              },
              {
                "name": "ModuleName",
                "value": "MrmCoreR.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 7626
          },
          {
            "timestamp": "2026-05-28 22:01:58,037",
            "thread_id": "3700",
            "caller": "0x7ffc78017881",
            "parentcaller": "0x7ffc780020f9",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc6a20d000"
              },
              {
                "name": "ModuleName",
                "value": "MrmCoreR.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 7627
          },
          {
            "timestamp": "2026-05-28 22:01:58,037",
            "thread_id": "3700",
            "caller": "0x7ffc7808e53f",
            "parentcaller": "0x7ffc77fefaf7",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "93"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x7f7\\x9e}"
              }
            ],
            "repeated": 0,
            "id": 7628
          },
          {
            "timestamp": "2026-05-28 22:01:58,037",
            "thread_id": "3700",
            "caller": "0x7ffc77fe5157",
            "parentcaller": "0x7ffc77fe43ea",
            "category": "process",
            "api": "NtOpenSection",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0000000d"
              },
              {
                "name": "ObjectAttributes",
                "value": "iertutil.dll"
              }
            ],
            "repeated": 0,
            "id": 7629
          },
          {
            "timestamp": "2026-05-28 22:01:58,037",
            "thread_id": "3700",
            "caller": "0x7ffc7802f37b",
            "parentcaller": "0x7ffc7802f207",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\iertutil.dll"
              }
            ],
            "repeated": 0,
            "id": 7630
          },
          {
            "timestamp": "2026-05-28 22:01:58,037",
            "thread_id": "3700",
            "caller": "0x7ffc7802fc9c",
            "parentcaller": "0x7ffc7802f7b0",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000768"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100021",
                "pretty_value": "FILE_READ_ACCESS|FILE_EXECUTE|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\iertutil.dll"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 7631
          },
          {
            "timestamp": "2026-05-28 22:01:58,037",
            "thread_id": "3700",
            "caller": "0x7ffc7802fcfe",
            "parentcaller": "0x7ffc7802f7b0",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000764"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0000000d",
                "pretty_value": "SECTION_QUERY|SECTION_MAP_READ|SECTION_MAP_EXECUTE"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000768"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\iertutil.dll"
              }
            ],
            "repeated": 0,
            "id": 7632
          },
          {
            "timestamp": "2026-05-28 22:01:58,037",
            "thread_id": "3700",
            "caller": "0x7ffc77fe4d42",
            "parentcaller": "0x7ffc77fe4aaa",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000764"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc6b370000"
              },
              {
                "name": "SectionOffset",
                "value": "0x00000000"
              },
              {
                "name": "ViewSize",
                "value": "0x002bc000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000080",
                "pretty_value": "PAGE_EXECUTE_WRITECOPY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 7633
          },
          {
            "timestamp": "2026-05-28 22:01:58,037",
            "thread_id": "3700",
            "caller": "0x7ffc77fdfee4",
            "parentcaller": "0x7ffc77fdfad8",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc6b610000"
              },
              {
                "name": "ModuleName",
                "value": "iertutil.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 7634
          },
          {
            "timestamp": "2026-05-28 22:01:58,037",
            "thread_id": "3700",
            "caller": "0x7ffc77fdffb5",
            "parentcaller": "0x7ffc77fdfad8",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc6b4c7000"
              },
              {
                "name": "ModuleName",
                "value": "iertutil.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 7635
          },
          {
            "timestamp": "2026-05-28 22:01:58,037",
            "thread_id": "3700",
            "caller": "0x7ffc77fdffed",
            "parentcaller": "0x7ffc77fdfad8",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc6b4c7000"
              },
              {
                "name": "ModuleName",
                "value": "iertutil.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 7636
          },
          {
            "timestamp": "2026-05-28 22:01:58,037",
            "thread_id": "3700",
            "caller": "0x7ffc77fe0068",
            "parentcaller": "0x7ffc77fdfad8",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc6b4c7000"
              },
              {
                "name": "ModuleName",
                "value": "iertutil.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 7637
          },
          {
            "timestamp": "2026-05-28 22:01:58,037",
            "thread_id": "3700",
            "caller": "0x7ffc77fe009c",
            "parentcaller": "0x7ffc77fdfad8",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc6b4c7000"
              },
              {
                "name": "ModuleName",
                "value": "iertutil.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 7638
          },
          {
            "timestamp": "2026-05-28 22:01:58,037",
            "thread_id": "3700",
            "caller": "0x7ffc77fe5082",
            "parentcaller": "0x7ffc77fe79d2",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc6b4c6000"
              },
              {
                "name": "ModuleName",
                "value": "iertutil.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00002000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 7639
          },
          {
            "timestamp": "2026-05-28 22:01:58,037",
            "thread_id": "3700",
            "caller": "0x7ffc7802fd68",
            "parentcaller": "0x7ffc7802f7b0",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000764"
              }
            ],
            "repeated": 0,
            "id": 7640
          },
          {
            "timestamp": "2026-05-28 22:01:58,037",
            "thread_id": "3700",
            "caller": "0x7ffc7802fd71",
            "parentcaller": "0x7ffc7802f7b0",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000768"
              }
            ],
            "repeated": 0,
            "id": 7641
          },
          {
            "timestamp": "2026-05-28 22:01:58,037",
            "thread_id": "3700",
            "caller": "0x7ffc78017bac",
            "parentcaller": "0x7ffc7800288a",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc6b4c6000"
              },
              {
                "name": "ModuleName",
                "value": "iertutil.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00002000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 7642
          },
          {
            "timestamp": "2026-05-28 22:01:58,037",
            "thread_id": "3700",
            "caller": "0x7ffc78017fe1",
            "parentcaller": "0x7ffc78017bdd",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "35"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x1d\\x00\\x00\\x00\\x02\\x00\\x00\\x00U\\x00s\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00a\\x00d\\x00m\\x00i\\x00\\x02\\x00\\x00\\x00A\\x00p\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00a\\x00\\\\x00R\\x00o\\x00\\x02\\x00\\x00\\x00i\\x00n\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00m\\x00m\\x00o\\x00n\\x00\\x02\\x00\\x00\\x00o\\x00g\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00i\\x00l\\x00e\\x00s\\x00\\x02\\x00\\x00\\x00:\\x00\\\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00r\\x00a\\x00m\\x00 \\x00\\x02\\x00\\x00\\x00l\\x00e\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00m\\x00m\\x00o\\x00n\\x00\\x02\\x00\\x00\\x00i\\x00l\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00o\\x00m\\x00m\\x00o\\x00\\x02\\x00\\x00\\x00r\\x00o\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00F\\x00i\\x00l\\x00e\\x00\\x02\\x00\\x00\\x00x\\x008\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00:\\x00\\\\x00P\\x00r\\x00\\x02\\x00\\x00\\x00r\\x00a\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00l\\x00e\\x00s\\x00 \\x00"
              }
            ],
            "repeated": 0,
            "id": 7643
          },
          {
            "timestamp": "2026-05-28 22:01:58,037",
            "thread_id": "3700",
            "caller": "0x7ffc78017fe1",
            "parentcaller": "0x7ffc78017bdd",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\System32\\iertutil"
              },
              {
                "name": "DllBase",
                "value": "0x7ffc6b370000"
              }
            ],
            "repeated": 0,
            "id": 7644
          },
          {
            "timestamp": "2026-05-28 22:01:58,037",
            "thread_id": "3700",
            "caller": "0x7ffc756de76a",
            "parentcaller": "0x7ffc6b39364c",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc77fd0000"
              }
            ],
            "repeated": 0,
            "id": 7645
          },
          {
            "timestamp": "2026-05-28 22:01:58,037",
            "thread_id": "3700",
            "caller": "0x7ffc756eac31",
            "parentcaller": "0x7ffc6b393673",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc77fd0000"
              },
              {
                "name": "FunctionName",
                "value": "RtlIsMultiSessionSku"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc78010210"
              }
            ],
            "repeated": 0,
            "id": 7646
          },
          {
            "timestamp": "2026-05-28 22:01:58,037",
            "thread_id": "3700",
            "caller": "0x7ffc756eac31",
            "parentcaller": "0x7ffc6b393673",
            "category": "system",
            "api": "LdrpCallInitRoutine",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "MappedPath",
                "value": "\\Device\\HarddiskVolume2\\Windows\\System32\\iertutil"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc6b370000"
              },
              {
                "name": "InitRoutine",
                "value": "0x7ffc6b3a7ca0"
              },
              {
                "name": "Reason",
                "value": "1"
              }
            ],
            "repeated": 0,
            "id": 7647
          },
          {
            "timestamp": "2026-05-28 22:01:58,037",
            "thread_id": "3700",
            "caller": "0x7ffc78017830",
            "parentcaller": "0x7ffc780020f9",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc6a20d000"
              },
              {
                "name": "ModuleName",
                "value": "MrmCoreR.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 7648
          },
          {
            "timestamp": "2026-05-28 22:01:58,037",
            "thread_id": "3700",
            "caller": "0x7ffc78017881",
            "parentcaller": "0x7ffc780020f9",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc6a20d000"
              },
              {
                "name": "ModuleName",
                "value": "MrmCoreR.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 7649
          },
          {
            "timestamp": "2026-05-28 22:01:58,037",
            "thread_id": "3700",
            "caller": "0x7ffc756de76a",
            "parentcaller": "0x7ffc6b3937a2",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc77fd0000"
              }
            ],
            "repeated": 0,
            "id": 7650
          },
          {
            "timestamp": "2026-05-28 22:01:58,037",
            "thread_id": "3700",
            "caller": "0x7ffc756eac31",
            "parentcaller": "0x7ffc6b3937c4",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc77fd0000"
              },
              {
                "name": "FunctionName",
                "value": "RtlGetDeviceFamilyInfoEnum"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc7800f850"
              }
            ],
            "repeated": 0,
            "id": 7651
          },
          {
            "timestamp": "2026-05-28 22:01:58,037",
            "thread_id": "3700",
            "caller": "0x7ffc756e08ee",
            "parentcaller": "0x7ffc6b3938af",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000770"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000400",
                "pretty_value": "PROCESS_QUERY_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "7912"
              }
            ],
            "repeated": 0,
            "id": 7652
          },
          {
            "timestamp": "2026-05-28 22:01:58,037",
            "thread_id": "3700",
            "caller": "0x7ffc7572026b",
            "parentcaller": "0x7ffc6b3938ce",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000770"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x00000774"
              }
            ],
            "repeated": 0,
            "id": 7653
          },
          {
            "timestamp": "2026-05-28 22:01:58,037",
            "thread_id": "3700",
            "caller": "0x7ffc756e6785",
            "parentcaller": "0x7ffc6b3938e5",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000770"
              }
            ],
            "repeated": 0,
            "id": 7654
          },
          {
            "timestamp": "2026-05-28 22:01:58,037",
            "thread_id": "3700",
            "caller": "0x7ffc756e54eb",
            "parentcaller": "0x7ffc6b3940b5",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "29"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 7655
          },
          {
            "timestamp": "2026-05-28 22:01:58,037",
            "thread_id": "3700",
            "caller": "0x7ffc756e6785",
            "parentcaller": "0x7ffc6b39387f",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000774"
              }
            ],
            "repeated": 0,
            "id": 7656
          },
          {
            "timestamp": "2026-05-28 22:01:58,037",
            "thread_id": "3700",
            "caller": "0x7ffc78017830",
            "parentcaller": "0x7ffc780020f9",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc6b610000"
              },
              {
                "name": "ModuleName",
                "value": "iertutil.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 7657
          },
          {
            "timestamp": "2026-05-28 22:01:58,037",
            "thread_id": "3700",
            "caller": "0x7ffc78017881",
            "parentcaller": "0x7ffc780020f9",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc6b610000"
              },
              {
                "name": "ModuleName",
                "value": "iertutil.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 7658
          },
          {
            "timestamp": "2026-05-28 22:01:58,037",
            "thread_id": "3700",
            "caller": "0x7ffc7572026b",
            "parentcaller": "0x7ffc6b39355b",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x00000774"
              }
            ],
            "repeated": 0,
            "id": 7659
          },
          {
            "timestamp": "2026-05-28 22:01:58,037",
            "thread_id": "3700",
            "caller": "0x7ffc756e54eb",
            "parentcaller": "0x7ffc6b3a4004",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "25"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 7660
          },
          {
            "timestamp": "2026-05-28 22:01:58,037",
            "thread_id": "3700",
            "caller": "0x7ffc756e54eb",
            "parentcaller": "0x7ffc6b3a4065",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "25"
              },
              {
                "name": "TokenInformation",
                "value": " \\xad T\\x92\\x02\\x00\\x00`\\x00\\x00\\x00\\\\x00W\\x00\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x10\\x000\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 7661
          },
          {
            "timestamp": "2026-05-28 22:01:58,037",
            "thread_id": "3700",
            "caller": "0x7ffc756e6785",
            "parentcaller": "0x7ffc6b39358c",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000774"
              }
            ],
            "repeated": 0,
            "id": 7662
          },
          {
            "timestamp": "2026-05-28 22:01:58,037",
            "thread_id": "3700",
            "caller": "0x7ffc756e08ee",
            "parentcaller": "0x7ffc6b3938af",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000774"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000400",
                "pretty_value": "PROCESS_QUERY_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "7912"
              }
            ],
            "repeated": 0,
            "id": 7663
          },
          {
            "timestamp": "2026-05-28 22:01:58,037",
            "thread_id": "3700",
            "caller": "0x7ffc7572026b",
            "parentcaller": "0x7ffc6b3938ce",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000774"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x00000770"
              }
            ],
            "repeated": 0,
            "id": 7664
          },
          {
            "timestamp": "2026-05-28 22:01:58,037",
            "thread_id": "3700",
            "caller": "0x7ffc756e6785",
            "parentcaller": "0x7ffc6b3938e5",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000774"
              }
            ],
            "repeated": 0,
            "id": 7665
          },
          {
            "timestamp": "2026-05-28 22:01:58,037",
            "thread_id": "3700",
            "caller": "0x7ffc756e54eb",
            "parentcaller": "0x7ffc6b3920a0",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "18"
              },
              {
                "name": "TokenInformation",
                "value": "\\x01\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 7666
          },
          {
            "timestamp": "2026-05-28 22:01:58,037",
            "thread_id": "3700",
            "caller": "0x7ffc756e54eb",
            "parentcaller": "0x7ffc6b3920f4",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "20"
              },
              {
                "name": "TokenInformation",
                "value": "\\x01\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 7667
          },
          {
            "timestamp": "2026-05-28 22:01:58,037",
            "thread_id": "3700",
            "caller": "0x7ffc756e6785",
            "parentcaller": "0x7ffc6b392a3e",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000770"
              }
            ],
            "repeated": 0,
            "id": 7668
          },
          {
            "timestamp": "2026-05-28 22:01:58,037",
            "thread_id": "3700",
            "caller": "0x7ffc7572026b",
            "parentcaller": "0x7ffc6b392160",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x00000770"
              }
            ],
            "repeated": 0,
            "id": 7669
          },
          {
            "timestamp": "2026-05-28 22:01:58,037",
            "thread_id": "3700",
            "caller": "0x7ffc756e54eb",
            "parentcaller": "0x7ffc6b39218d",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xd0\\xe2\\x1f\\x9e\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\xe9\\x03\\x00\\x00\\x00\\x00\\x00\\x00p\\x07\\x00\\x00\\x00\\x00\\x00\\x00\\x0f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x85gnu\\xfc\\x7f\\x00\\x00p\\x07\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 7670
          },
          {
            "timestamp": "2026-05-28 22:01:58,037",
            "thread_id": "3700",
            "caller": "0x7ffc756e6785",
            "parentcaller": "0x7ffc6b3921d2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000770"
              }
            ],
            "repeated": 0,
            "id": 7671
          },
          {
            "timestamp": "2026-05-28 22:01:58,037",
            "thread_id": "3700",
            "caller": "0x7ffc756e56b2",
            "parentcaller": "0x7ffc6b394006",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "user32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc762a0000"
              }
            ],
            "repeated": 0,
            "id": 7672
          },
          {
            "timestamp": "2026-05-28 22:01:58,037",
            "thread_id": "3700",
            "caller": "0x7ffc756e56b2",
            "parentcaller": "0x7ffc6b394006",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x7ffc762a0000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "user32.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 7673
          },
          {
            "timestamp": "2026-05-28 22:01:58,037",
            "thread_id": "3700",
            "caller": "0x7ffc756eac31",
            "parentcaller": "0x7ffc6b394028",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "USER32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc762a0000"
              },
              {
                "name": "FunctionName",
                "value": "IsImmersiveProcess"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc762c95d0"
              }
            ],
            "repeated": 0,
            "id": 7674
          },
          {
            "timestamp": "2026-05-28 22:01:58,037",
            "thread_id": "3700",
            "caller": "0x7ffc6b393276",
            "parentcaller": "0x7ffc6b392a62",
            "category": "misc",
            "api": "GlobalMemoryStatusEx",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "MemoryLoad",
                "value": "32"
              },
              {
                "name": "TotalPhysicalMB",
                "value": "8191"
              }
            ],
            "repeated": 0,
            "id": 7675
          },
          {
            "timestamp": "2026-05-28 22:01:58,037",
            "thread_id": "3700",
            "caller": "0x7ffc6b393339",
            "parentcaller": "0x7ffc6b393299",
            "category": "filesystem",
            "api": "GetDiskFreeSpaceExW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "DirectoryName",
                "value": "C:\\Windows\\system32"
              }
            ],
            "repeated": 0,
            "id": 7676
          },
          {
            "timestamp": "2026-05-28 22:01:58,037",
            "thread_id": "3700",
            "caller": "0x7ffc6b3931b2",
            "parentcaller": "0x7ffc6b39315b",
            "category": "filesystem",
            "api": "GetDiskFreeSpaceExW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "DirectoryName",
                "value": "C:\\Windows"
              }
            ],
            "repeated": 0,
            "id": 7677
          },
          {
            "timestamp": "2026-05-28 22:01:58,037",
            "thread_id": "3700",
            "caller": "0x7ffc6b376e6f",
            "parentcaller": "0x7ffc6b39b024",
            "category": "misc",
            "api": "NtQuerySystemInformation",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SystemInformationClass",
                "value": "35"
              }
            ],
            "repeated": 0,
            "id": 7678
          },
          {
            "timestamp": "2026-05-28 22:01:58,037",
            "thread_id": "3700",
            "caller": "0x7ffc6b378516",
            "parentcaller": "0x7ffc6b399bbf",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000001",
                "pretty_value": "HKEY_CURRENT_USER"
              },
              {
                "name": "SubKey",
                "value": "Software\\Microsoft\\Internet Explorer\\Main"
              },
              {
                "name": "Handle",
                "value": "0x00000770"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer\\Main"
              }
            ],
            "repeated": 0,
            "id": 7679
          },
          {
            "timestamp": "2026-05-28 22:01:58,037",
            "thread_id": "3700",
            "caller": "0x7ffc6b394652",
            "parentcaller": "0x7ffc6b39af21",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000770"
              },
              {
                "name": "ValueName",
                "value": "FrameTabWindow"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Internet Explorer\\Main\\FrameTabWindow"
              }
            ],
            "repeated": 0,
            "id": 7680
          },
          {
            "timestamp": "2026-05-28 22:01:58,037",
            "thread_id": "3700",
            "caller": "0x7ffc6b378516",
            "parentcaller": "0x7ffc6b399bbf",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "Software\\Microsoft\\Internet Explorer\\Main"
              },
              {
                "name": "Handle",
                "value": "0x00000774"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Internet Explorer\\Main"
              }
            ],
            "repeated": 0,
            "id": 7681
          },
          {
            "timestamp": "2026-05-28 22:01:58,037",
            "thread_id": "3700",
            "caller": "0x7ffc6b394652",
            "parentcaller": "0x7ffc6b39af21",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000774"
              },
              {
                "name": "ValueName",
                "value": "FrameTabWindow"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Internet Explorer\\Main\\FrameTabWindow"
              }
            ],
            "repeated": 0,
            "id": 7682
          },
          {
            "timestamp": "2026-05-28 22:01:58,037",
            "thread_id": "3700",
            "caller": "0x7ffc6b394652",
            "parentcaller": "0x7ffc6b39af21",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000770"
              },
              {
                "name": "ValueName",
                "value": "FrameMerging"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Internet Explorer\\Main\\FrameMerging"
              }
            ],
            "repeated": 0,
            "id": 7683
          },
          {
            "timestamp": "2026-05-28 22:01:58,037",
            "thread_id": "3700",
            "caller": "0x7ffc6b394652",
            "parentcaller": "0x7ffc6b39af21",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000774"
              },
              {
                "name": "ValueName",
                "value": "FrameMerging"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Internet Explorer\\Main\\FrameMerging"
              }
            ],
            "repeated": 0,
            "id": 7684
          },
          {
            "timestamp": "2026-05-28 22:01:58,037",
            "thread_id": "3700",
            "caller": "0x7ffc6b394652",
            "parentcaller": "0x7ffc6b39af21",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000770"
              },
              {
                "name": "ValueName",
                "value": "SessionMerging"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Internet Explorer\\Main\\SessionMerging"
              }
            ],
            "repeated": 0,
            "id": 7685
          },
          {
            "timestamp": "2026-05-28 22:01:58,037",
            "thread_id": "3700",
            "caller": "0x7ffc6b394652",
            "parentcaller": "0x7ffc6b39af21",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000774"
              },
              {
                "name": "ValueName",
                "value": "SessionMerging"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Internet Explorer\\Main\\SessionMerging"
              }
            ],
            "repeated": 0,
            "id": 7686
          },
          {
            "timestamp": "2026-05-28 22:01:58,037",
            "thread_id": "3700",
            "caller": "0x7ffc6b394652",
            "parentcaller": "0x7ffc6b39af21",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000770"
              },
              {
                "name": "ValueName",
                "value": "AdminTabProcs"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Internet Explorer\\Main\\AdminTabProcs"
              }
            ],
            "repeated": 0,
            "id": 7687
          },
          {
            "timestamp": "2026-05-28 22:01:58,037",
            "thread_id": "3700",
            "caller": "0x7ffc6b394652",
            "parentcaller": "0x7ffc6b39af21",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000774"
              },
              {
                "name": "ValueName",
                "value": "AdminTabProcs"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Internet Explorer\\Main\\AdminTabProcs"
              }
            ],
            "repeated": 0,
            "id": 7688
          },
          {
            "timestamp": "2026-05-28 22:01:58,037",
            "thread_id": "3700",
            "caller": "0x7ffc7572026b",
            "parentcaller": "0x7ffc6b39355b",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x00000778"
              }
            ],
            "repeated": 0,
            "id": 7689
          },
          {
            "timestamp": "2026-05-28 22:01:58,037",
            "thread_id": "3700",
            "caller": "0x7ffc756e54eb",
            "parentcaller": "0x7ffc6b3a4004",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "25"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 7690
          },
          {
            "timestamp": "2026-05-28 22:01:58,037",
            "thread_id": "3700",
            "caller": "0x7ffc756e54eb",
            "parentcaller": "0x7ffc6b3a4065",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "25"
              },
              {
                "name": "TokenInformation",
                "value": "P\\xa7 T\\x92\\x02\\x00\\x00`\\x00\\x00\\x00P\\x00E\\x00\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x10\\x000\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 7691
          },
          {
            "timestamp": "2026-05-28 22:01:58,037",
            "thread_id": "3700",
            "caller": "0x7ffc756e6785",
            "parentcaller": "0x7ffc6b39358c",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000778"
              }
            ],
            "repeated": 0,
            "id": 7692
          },
          {
            "timestamp": "2026-05-28 22:01:58,037",
            "thread_id": "3700",
            "caller": "0x7ffc7572026b",
            "parentcaller": "0x7ffc6b392d85",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x00000778"
              }
            ],
            "repeated": 0,
            "id": 7693
          },
          {
            "timestamp": "2026-05-28 22:01:58,037",
            "thread_id": "3700",
            "caller": "0x7ffc756e54eb",
            "parentcaller": "0x7ffc6b3920a0",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "18"
              },
              {
                "name": "TokenInformation",
                "value": "\\x01\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 7694
          },
          {
            "timestamp": "2026-05-28 22:01:58,037",
            "thread_id": "3700",
            "caller": "0x7ffc756e54eb",
            "parentcaller": "0x7ffc6b3920f4",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "20"
              },
              {
                "name": "TokenInformation",
                "value": "\\x01\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 7695
          },
          {
            "timestamp": "2026-05-28 22:01:58,037",
            "thread_id": "3700",
            "caller": "0x7ffc756e6785",
            "parentcaller": "0x7ffc6b392dc9",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000778"
              }
            ],
            "repeated": 0,
            "id": 7696
          },
          {
            "timestamp": "2026-05-28 22:01:58,037",
            "thread_id": "3700",
            "caller": "0x7ffc6b378516",
            "parentcaller": "0x7ffc6b399bbf",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000001",
                "pretty_value": "HKEY_CURRENT_USER"
              },
              {
                "name": "SubKey",
                "value": "Software\\Microsoft\\Internet Explorer\\Security"
              },
              {
                "name": "Handle",
                "value": "0x00000778"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer\\Security"
              }
            ],
            "repeated": 0,
            "id": 7697
          },
          {
            "timestamp": "2026-05-28 22:01:58,037",
            "thread_id": "3700",
            "caller": "0x7ffc6b394652",
            "parentcaller": "0x7ffc6b39af21",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000778"
              },
              {
                "name": "ValueName",
                "value": "RunBinaryControlHostProcessInSeparateAppContainer"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Internet Explorer\\Security\\RunBinaryControlHostProcessInSeparateAppContainer"
              }
            ],
            "repeated": 0,
            "id": 7698
          },
          {
            "timestamp": "2026-05-28 22:01:58,037",
            "thread_id": "3700",
            "caller": "0x7ffc6b378516",
            "parentcaller": "0x7ffc6b399bbf",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "Software\\Microsoft\\Internet Explorer\\Security"
              },
              {
                "name": "Handle",
                "value": "0x0000077c"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Internet Explorer\\Security"
              }
            ],
            "repeated": 0,
            "id": 7699
          },
          {
            "timestamp": "2026-05-28 22:01:58,037",
            "thread_id": "3700",
            "caller": "0x7ffc6b394652",
            "parentcaller": "0x7ffc6b39af21",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000077c"
              },
              {
                "name": "ValueName",
                "value": "RunBinaryControlHostProcessInSeparateAppContainer"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Internet Explorer\\Security\\RunBinaryControlHostProcessInSeparateAppContainer"
              }
            ],
            "repeated": 0,
            "id": 7700
          },
          {
            "timestamp": "2026-05-28 22:01:58,037",
            "thread_id": "3700",
            "caller": "0x7ffc6b378516",
            "parentcaller": "0x7ffc6b399bbf",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "Software\\Policies\\Microsoft\\Internet Explorer\\Main"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Internet Explorer\\Main"
              }
            ],
            "repeated": 0,
            "id": 7701
          },
          {
            "timestamp": "2026-05-28 22:01:58,037",
            "thread_id": "3700",
            "caller": "0x7ffc6b378516",
            "parentcaller": "0x7ffc6b399bbf",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000001",
                "pretty_value": "HKEY_CURRENT_USER"
              },
              {
                "name": "SubKey",
                "value": "Software\\Policies\\Microsoft\\Internet Explorer\\Main"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\Software\\Policies\\Microsoft\\Internet Explorer\\Main"
              }
            ],
            "repeated": 0,
            "id": 7702
          },
          {
            "timestamp": "2026-05-28 22:01:58,037",
            "thread_id": "3700",
            "caller": "0x7ffc6b3946aa",
            "parentcaller": "0x7ffc6b39af21",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000770"
              },
              {
                "name": "ValueName",
                "value": "TabProcGrowth"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Internet Explorer\\Main\\TabProcGrowth"
              }
            ],
            "repeated": 0,
            "id": 7703
          },
          {
            "timestamp": "2026-05-28 22:01:58,037",
            "thread_id": "3700",
            "caller": "0x7ffc6b3946aa",
            "parentcaller": "0x7ffc6b39af21",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000774"
              },
              {
                "name": "ValueName",
                "value": "TabProcGrowth"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Internet Explorer\\Main\\TabProcGrowth"
              }
            ],
            "repeated": 0,
            "id": 7704
          },
          {
            "timestamp": "2026-05-28 22:01:58,037",
            "thread_id": "3700",
            "caller": "0x7ffc6b3946aa",
            "parentcaller": "0x7ffc6b39af21",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000770"
              },
              {
                "name": "ValueName",
                "value": "TabProcGrowth"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Internet Explorer\\Main\\TabProcGrowth"
              }
            ],
            "repeated": 0,
            "id": 7705
          },
          {
            "timestamp": "2026-05-28 22:01:58,037",
            "thread_id": "3700",
            "caller": "0x7ffc6b3946aa",
            "parentcaller": "0x7ffc6b39af21",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000774"
              },
              {
                "name": "ValueName",
                "value": "TabProcGrowth"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Internet Explorer\\Main\\TabProcGrowth"
              }
            ],
            "repeated": 0,
            "id": 7706
          },
          {
            "timestamp": "2026-05-28 22:01:58,037",
            "thread_id": "3700",
            "caller": "0x7ffc6b378516",
            "parentcaller": "0x7ffc6b399bbf",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "Software\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings"
              },
              {
                "name": "Handle",
                "value": "0x00000780"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings"
              }
            ],
            "repeated": 0,
            "id": 7707
          },
          {
            "timestamp": "2026-05-28 22:01:58,037",
            "thread_id": "3700",
            "caller": "0x7ffc6b3946aa",
            "parentcaller": "0x7ffc6b39af21",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000780"
              },
              {
                "name": "ValueName",
                "value": "CreateUriCacheSize"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\CreateUriCacheSize"
              }
            ],
            "repeated": 0,
            "id": 7708
          },
          {
            "timestamp": "2026-05-28 22:01:58,037",
            "thread_id": "3700",
            "caller": "0x7ffc6b378516",
            "parentcaller": "0x7ffc6b399bbf",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000001",
                "pretty_value": "HKEY_CURRENT_USER"
              },
              {
                "name": "SubKey",
                "value": "Software\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings"
              },
              {
                "name": "Handle",
                "value": "0x00000784"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\Software\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings"
              }
            ],
            "repeated": 0,
            "id": 7709
          },
          {
            "timestamp": "2026-05-28 22:01:58,037",
            "thread_id": "3700",
            "caller": "0x7ffc6b3946aa",
            "parentcaller": "0x7ffc6b39af21",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000784"
              },
              {
                "name": "ValueName",
                "value": "CreateUriCacheSize"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\CreateUriCacheSize"
              }
            ],
            "repeated": 0,
            "id": 7710
          },
          {
            "timestamp": "2026-05-28 22:01:58,037",
            "thread_id": "3700",
            "caller": "0x7ffc6b378516",
            "parentcaller": "0x7ffc6b399bbf",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000001",
                "pretty_value": "HKEY_CURRENT_USER"
              },
              {
                "name": "SubKey",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings"
              },
              {
                "name": "Handle",
                "value": "0x00000788"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings"
              }
            ],
            "repeated": 0,
            "id": 7711
          },
          {
            "timestamp": "2026-05-28 22:01:58,037",
            "thread_id": "3700",
            "caller": "0x7ffc6b3946aa",
            "parentcaller": "0x7ffc6b39af21",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000788"
              },
              {
                "name": "ValueName",
                "value": "CreateUriCacheSize"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\CreateUriCacheSize"
              }
            ],
            "repeated": 0,
            "id": 7712
          },
          {
            "timestamp": "2026-05-28 22:01:58,037",
            "thread_id": "3700",
            "caller": "0x7ffc6b378516",
            "parentcaller": "0x7ffc6b399bbf",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings"
              },
              {
                "name": "Handle",
                "value": "0x0000078c"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings"
              }
            ],
            "repeated": 0,
            "id": 7713
          },
          {
            "timestamp": "2026-05-28 22:01:58,037",
            "thread_id": "3700",
            "caller": "0x7ffc6b3946aa",
            "parentcaller": "0x7ffc6b39af21",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000078c"
              },
              {
                "name": "ValueName",
                "value": "CreateUriCacheSize"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\CreateUriCacheSize"
              }
            ],
            "repeated": 0,
            "id": 7714
          },
          {
            "timestamp": "2026-05-28 22:01:58,037",
            "thread_id": "3700",
            "caller": "0x7ffc6b3946aa",
            "parentcaller": "0x7ffc6b39af21",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000780"
              },
              {
                "name": "ValueName",
                "value": "EnablePunycode"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\EnablePunycode"
              }
            ],
            "repeated": 0,
            "id": 7715
          },
          {
            "timestamp": "2026-05-28 22:01:58,037",
            "thread_id": "3700",
            "caller": "0x7ffc6b3946aa",
            "parentcaller": "0x7ffc6b39af21",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000784"
              },
              {
                "name": "ValueName",
                "value": "EnablePunycode"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\EnablePunycode"
              }
            ],
            "repeated": 0,
            "id": 7716
          },
          {
            "timestamp": "2026-05-28 22:01:58,037",
            "thread_id": "3700",
            "caller": "0x7ffc6b3946aa",
            "parentcaller": "0x7ffc6b39af21",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000788"
              },
              {
                "name": "ValueName",
                "value": "EnablePunycode"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\EnablePunycode"
              }
            ],
            "repeated": 0,
            "id": 7717
          },
          {
            "timestamp": "2026-05-28 22:01:58,037",
            "thread_id": "3700",
            "caller": "0x7ffc6b3946aa",
            "parentcaller": "0x7ffc6b39af21",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000078c"
              },
              {
                "name": "ValueName",
                "value": "EnablePunycode"
              },
              {
                "name": "Data",
                "value": "1"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\EnablePunycode"
              }
            ],
            "repeated": 0,
            "id": 7718
          },
          {
            "timestamp": "2026-05-28 22:01:58,037",
            "thread_id": "3700",
            "caller": "0x7ffc78017830",
            "parentcaller": "0x7ffc780020f9",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc6b610000"
              },
              {
                "name": "ModuleName",
                "value": "iertutil.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 7719
          },
          {
            "timestamp": "2026-05-28 22:01:58,037",
            "thread_id": "3700",
            "caller": "0x7ffc78017881",
            "parentcaller": "0x7ffc780020f9",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc6b610000"
              },
              {
                "name": "ModuleName",
                "value": "iertutil.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 7720
          },
          {
            "timestamp": "2026-05-28 22:01:58,037",
            "thread_id": "3700",
            "caller": "0x7ffc78006c8b",
            "parentcaller": "0x7ffc77fe67b5",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\x10\\xe0\\x1f\\x9e\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\xe9\\x03\\x00\\x00\\xf0\\x00\\x00\\x00\\x80y\\x19T\\x92\\x02\\x00\\x00\\x86\\xdequ\\xfc\\x7f\\x00\\x00\\x0b\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x92\\x02\\x00\\x00`\\xe0\\x1f\\x9e\\xf0\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 7721
          },
          {
            "timestamp": "2026-05-28 22:01:58,037",
            "thread_id": "3700",
            "caller": "0x7ffc77fe67ec",
            "parentcaller": "0x7ffc756c5140",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000790"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3968686040-3210279463-847977608-1001"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER"
              }
            ],
            "repeated": 0,
            "id": 7722
          },
          {
            "timestamp": "2026-05-28 22:01:58,037",
            "thread_id": "3700",
            "caller": "0x7ffc755e2450",
            "parentcaller": "0x7ffc6a13d33f",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000790"
              },
              {
                "name": "SubKey",
                "value": "Software\\Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppContainer\\Storage\\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\\ResourcesConfig"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppContainer\\Storage\\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\\ResourcesConfig"
              }
            ],
            "repeated": 0,
            "id": 7723
          },
          {
            "timestamp": "2026-05-28 22:01:58,037",
            "thread_id": "3700",
            "caller": "0x7ffc755e2486",
            "parentcaller": "0x7ffc6a13d33f",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000790"
              }
            ],
            "repeated": 0,
            "id": 7724
          },
          {
            "timestamp": "2026-05-28 22:01:58,037",
            "thread_id": "3700",
            "caller": "0x7ffc756e6579",
            "parentcaller": "0x7ffc756e5fe6",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000790"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\SystemApps\\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\\pris\\resources.en-US.pri"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 7725
          },
          {
            "timestamp": "2026-05-28 22:01:58,037",
            "thread_id": "3700",
            "caller": "0x7ffc75724097",
            "parentcaller": "0x7ffc6a12ec60",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000790"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\SystemApps\\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\\pris\\resources.en-US.pri"
              },
              {
                "name": "FileInformationClass",
                "value": "5",
                "pretty_value": "FileStandardInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\xd0\\x05\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 7726
          },
          {
            "timestamp": "2026-05-28 22:01:58,037",
            "thread_id": "3700",
            "caller": "0x7ffc756df0e1",
            "parentcaller": "0x7ffc756def40",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000794"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000790"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\SystemApps\\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\\pris\\resources.en-US.pri"
              }
            ],
            "repeated": 0,
            "id": 7727
          },
          {
            "timestamp": "2026-05-28 22:01:58,037",
            "thread_id": "3700",
            "caller": "0x7ffc7571c386",
            "parentcaller": "0x7ffc7571c25e",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000794"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x292546c0000"
              },
              {
                "name": "SectionOffset",
                "value": "0xf09e1fe180"
              },
              {
                "name": "ViewSize",
                "value": "0x00001000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 7728
          },
          {
            "timestamp": "2026-05-28 22:01:58,037",
            "thread_id": "3700",
            "caller": "0x7ffc756e6785",
            "parentcaller": "0x7ffc6a12ed05",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000794"
              }
            ],
            "repeated": 0,
            "id": 7729
          },
          {
            "timestamp": "2026-05-28 22:01:58,037",
            "thread_id": "3700",
            "caller": "0x7ffc756e6785",
            "parentcaller": "0x7ffc6a12ed17",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000790"
              }
            ],
            "repeated": 0,
            "id": 7730
          },
          {
            "timestamp": "2026-05-28 22:01:58,037",
            "thread_id": "3700",
            "caller": "0x7ffc78017830",
            "parentcaller": "0x7ffc780020f9",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc6a20d000"
              },
              {
                "name": "ModuleName",
                "value": "MrmCoreR.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 7731
          },
          {
            "timestamp": "2026-05-28 22:01:58,037",
            "thread_id": "3700",
            "caller": "0x7ffc78017881",
            "parentcaller": "0x7ffc780020f9",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc6a20d000"
              },
              {
                "name": "ModuleName",
                "value": "MrmCoreR.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 7732
          },
          {
            "timestamp": "2026-05-28 22:01:58,037",
            "thread_id": "3700",
            "caller": "0x7ffc77be92b9",
            "parentcaller": "0x7ffc77c21dfa",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "41FD88F7-F295-4D39-91AC-A85F3149A05B"
              },
              {
                "name": "ClsContext",
                "value": "0x00000403",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER|CLSCTX_NO_CODE_DOWNLOAD"
              },
              {
                "name": "riid",
                "value": "00000003-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 3,
            "id": 7733
          },
          {
            "timestamp": "2026-05-28 22:01:58,037",
            "thread_id": "3700",
            "caller": "0x7ffc7571eb53",
            "parentcaller": "0x7ffc6a12e4df",
            "category": "process",
            "api": "NtUnmapViewOfSectionEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x292546a0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Flags",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 7734
          },
          {
            "timestamp": "2026-05-28 22:01:58,037",
            "thread_id": "3700",
            "caller": "0x7ffc7571eb53",
            "parentcaller": "0x7ffc6a12e4df",
            "category": "process",
            "api": "NtUnmapViewOfSectionEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x292546b0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Flags",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 7735
          },
          {
            "timestamp": "2026-05-28 22:01:58,037",
            "thread_id": "3700",
            "caller": "0x7ffc7571eb53",
            "parentcaller": "0x7ffc6a12e4df",
            "category": "process",
            "api": "NtUnmapViewOfSectionEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x292546c0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Flags",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 7736
          },
          {
            "timestamp": "2026-05-28 22:01:58,037",
            "thread_id": "3700",
            "caller": "0x7ffc7571ebae",
            "parentcaller": "0x7ffc775c712f",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "0",
                "pretty_value": "ThreadBasicInformation"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x03\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xf0\\x87\\x9d\\xf0\\x00\\x00\\x00\\xe8\\x1e\\x00\\x00\\x00\\x00\\x00\\x00t\\x0e\\x00\\x00\\x00\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "3700"
              }
            ],
            "repeated": 0,
            "id": 7737
          },
          {
            "timestamp": "2026-05-28 22:01:58,037",
            "thread_id": "5448",
            "caller": "0x7ff6c28c883e",
            "parentcaller": "0x7ff6c28c846b",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00000042"
              },
              {
                "name": "uiParam",
                "value": "0x00000010"
              }
            ],
            "repeated": 0,
            "id": 7738
          },
          {
            "timestamp": "2026-05-28 22:01:58,037",
            "thread_id": "5448",
            "caller": "0x7ff6c28c883e",
            "parentcaller": "0x7ff6c28c846b",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\x10\\xd5\\xdf\\x9d\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x92\\x02\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\xe9\\x03\\x00\\x00\\x00\\x00\\x00\\x00`\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x80\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x1fN\\x92\\x02\\x00\\x00\t\\xd6\\xdf\\x9d\\xf0\\x00\\x00\\x00\\x07\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 7739
          },
          {
            "timestamp": "2026-05-28 22:01:58,037",
            "thread_id": "5448",
            "caller": "0x7ff6c28c883e",
            "parentcaller": "0x7ff6c28c846b",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000764"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3968686040-3210279463-847977608-1001"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER"
              }
            ],
            "repeated": 0,
            "id": 7740
          },
          {
            "timestamp": "2026-05-28 22:01:58,037",
            "thread_id": "5448",
            "caller": "0x7ff6c28c883e",
            "parentcaller": "0x7ff6c28c846b",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000764"
              },
              {
                "name": "SubKey",
                "value": ""
              },
              {
                "name": "Handle",
                "value": "0x00000754"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\"
              }
            ],
            "repeated": 0,
            "id": 7741
          },
          {
            "timestamp": "2026-05-28 22:01:58,037",
            "thread_id": "5448",
            "caller": "0x7ff6c28c883e",
            "parentcaller": "0x7ff6c28c846b",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000754"
              },
              {
                "name": "SubKey",
                "value": "Control Panel\\International\\User Profile"
              },
              {
                "name": "Handle",
                "value": "0x00000740"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\Control Panel\\International\\User Profile"
              }
            ],
            "repeated": 0,
            "id": 7742
          },
          {
            "timestamp": "2026-05-28 22:01:58,037",
            "thread_id": "5448",
            "caller": "0x7ff6c28c883e",
            "parentcaller": "0x7ff6c28c846b",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000764"
              }
            ],
            "repeated": 0,
            "id": 7743
          },
          {
            "timestamp": "2026-05-28 22:01:58,037",
            "thread_id": "5448",
            "caller": "0x7ff6c28c883e",
            "parentcaller": "0x7ff6c28c846b",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000740"
              },
              {
                "name": "ValueName",
                "value": "Languages"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\Control Panel\\International\\User Profile\\Languages"
              }
            ],
            "repeated": 0,
            "id": 7744
          },
          {
            "timestamp": "2026-05-28 22:01:58,037",
            "thread_id": "5448",
            "caller": "0x7ff6c28c883e",
            "parentcaller": "0x7ff6c28c846b",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000740"
              },
              {
                "name": "ValueName",
                "value": "Languages"
              },
              {
                "name": "Data",
                "value": "\\x00\\x00"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\Control Panel\\International\\User Profile\\Languages"
              }
            ],
            "repeated": 0,
            "id": 7745
          },
          {
            "timestamp": "2026-05-28 22:01:58,037",
            "thread_id": "5448",
            "caller": "0x7ff6c28c883e",
            "parentcaller": "0x7ff6c28c846b",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000740"
              }
            ],
            "repeated": 0,
            "id": 7746
          },
          {
            "timestamp": "2026-05-28 22:01:58,037",
            "thread_id": "5448",
            "caller": "0x7ff6c28c883e",
            "parentcaller": "0x7ff6c28c846b",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000754"
              }
            ],
            "repeated": 0,
            "id": 7747
          },
          {
            "timestamp": "2026-05-28 22:01:58,037",
            "thread_id": "5448",
            "caller": "0x7ff6c28c883e",
            "parentcaller": "0x7ff6c28c846b",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "76765B11-3F95-4AF2-AC9D-EA55D8994F1A"
              },
              {
                "name": "ClsContext",
                "value": "0x00000001",
                "pretty_value": "CLSCTX_INPROC_SERVER"
              },
              {
                "name": "riid",
                "value": "00000000-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 7748
          },
          {
            "timestamp": "2026-05-28 22:01:58,037",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c3e56",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000754"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001000",
                "pretty_value": "PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "5152"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\SystemApps\\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\\StartMenuExperienceHost.exe"
              }
            ],
            "repeated": 0,
            "id": 7749
          },
          {
            "timestamp": "2026-05-28 22:01:58,037",
            "thread_id": "5448",
            "caller": "0x7ff6c28c3ebb",
            "parentcaller": "0x7ff6c28c2d53",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000754"
              }
            ],
            "repeated": 0,
            "id": 7750
          },
          {
            "timestamp": "2026-05-28 22:01:58,037",
            "thread_id": "5448",
            "caller": "0x7ff6c28dd762",
            "parentcaller": "0x7ff6c28e2752",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff6c29dc000"
              },
              {
                "name": "ModuleName",
                "value": "taskmgr.exe"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 7751
          },
          {
            "timestamp": "2026-05-28 22:01:58,037",
            "thread_id": "5448",
            "caller": "0x7ff6c28dd762",
            "parentcaller": "0x7ff6c28e2752",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff6c29dc000"
              },
              {
                "name": "ModuleName",
                "value": "taskmgr.exe"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 7752
          },
          {
            "timestamp": "2026-05-28 22:01:58,037",
            "thread_id": "5448",
            "caller": "0x7ff6c28b479a",
            "parentcaller": "0x7ff6c28c999c",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "bcrypt.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc75e00000"
              }
            ],
            "repeated": 0,
            "id": 7753
          },
          {
            "timestamp": "2026-05-28 22:01:58,037",
            "thread_id": "5448",
            "caller": "0x7ff6c28b479a",
            "parentcaller": "0x7ff6c28c999c",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x7ffc75e00000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "bcrypt.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00000800"
              }
            ],
            "repeated": 0,
            "id": 7754
          },
          {
            "timestamp": "2026-05-28 22:01:58,037",
            "thread_id": "5448",
            "caller": "0x7ff6c28c978f",
            "parentcaller": "0x7ff6c28c3d99",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "DBCE7E40-7345-439D-B12C-114A11819A09"
              },
              {
                "name": "ClsContext",
                "value": "0x00000003",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER"
              },
              {
                "name": "riid",
                "value": "130A2F65-2BE7-4309-9A58-A9052FF2B61C"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 7755
          },
          {
            "timestamp": "2026-05-28 22:01:58,037",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache"
              },
              {
                "name": "Handle",
                "value": "0x00000754"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache"
              }
            ],
            "repeated": 0,
            "id": 7756
          },
          {
            "timestamp": "2026-05-28 22:01:58,037",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000754"
              },
              {
                "name": "SubKey",
                "value": "Metadata"
              },
              {
                "name": "Handle",
                "value": "0x00000740"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\Metadata"
              }
            ],
            "repeated": 0,
            "id": 7757
          },
          {
            "timestamp": "2026-05-28 22:01:58,037",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000754"
              },
              {
                "name": "SubKey",
                "value": "Package\\Index\\PackageFullName\\Microsoft.Windows.StartMenuExperienceHost_10.0.19041.3636_neutral_neutral_cw5n1h2txyewy"
              },
              {
                "name": "Handle",
                "value": "0x00000764"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\Package\\Index\\PackageFullName\\Microsoft.Windows.StartMenuExperienceHost_10.0.19041.3636_neutral_neutral_cw5n1h2txyewy"
              }
            ],
            "repeated": 0,
            "id": 7758
          },
          {
            "timestamp": "2026-05-28 22:01:58,037",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "registry",
            "api": "RegEnumKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000764"
              },
              {
                "name": "Index",
                "value": "0"
              },
              {
                "name": "Name",
                "value": "1f"
              },
              {
                "name": "Class",
                "value": ""
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\Package\\Index\\PackageFullName\\Microsoft.Windows.StartMenuExperienceHost_10.0.19041.3636_neutral_neutral_cw5n1h2txyewy\\1f"
              }
            ],
            "repeated": 0,
            "id": 7759
          },
          {
            "timestamp": "2026-05-28 22:01:58,037",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000764"
              }
            ],
            "repeated": 0,
            "id": 7760
          },
          {
            "timestamp": "2026-05-28 22:01:58,037",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000754"
              },
              {
                "name": "SubKey",
                "value": "Package\\Data\\1f"
              },
              {
                "name": "Handle",
                "value": "0x00000764"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\Package\\Data\\1f"
              }
            ],
            "repeated": 0,
            "id": 7761
          },
          {
            "timestamp": "2026-05-28 22:01:58,037",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000764"
              },
              {
                "name": "ValueName",
                "value": "PackageOrigin"
              },
              {
                "name": "Data",
                "value": "2"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\Package\\Data\\1f\\PackageOrigin"
              }
            ],
            "repeated": 0,
            "id": 7762
          },
          {
            "timestamp": "2026-05-28 22:01:58,037",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000764"
              }
            ],
            "repeated": 0,
            "id": 7763
          },
          {
            "timestamp": "2026-05-28 22:01:58,037",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000740"
              }
            ],
            "repeated": 0,
            "id": 7764
          },
          {
            "timestamp": "2026-05-28 22:01:58,037",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000754"
              }
            ],
            "repeated": 1,
            "id": 7765
          },
          {
            "timestamp": "2026-05-28 22:01:58,037",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000740"
              }
            ],
            "repeated": 0,
            "id": 7766
          },
          {
            "timestamp": "2026-05-28 22:01:58,037",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache"
              },
              {
                "name": "Handle",
                "value": "0x00000740"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache"
              }
            ],
            "repeated": 0,
            "id": 7767
          },
          {
            "timestamp": "2026-05-28 22:01:58,037",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000740"
              },
              {
                "name": "SubKey",
                "value": "Metadata"
              },
              {
                "name": "Handle",
                "value": "0x00000754"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\Metadata"
              }
            ],
            "repeated": 0,
            "id": 7768
          },
          {
            "timestamp": "2026-05-28 22:01:58,037",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000740"
              },
              {
                "name": "SubKey",
                "value": "Package\\Index\\PackageFullName\\Microsoft.Windows.StartMenuExperienceHost_10.0.19041.3636_neutral_neutral_cw5n1h2txyewy"
              },
              {
                "name": "Handle",
                "value": "0x00000764"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\Package\\Index\\PackageFullName\\Microsoft.Windows.StartMenuExperienceHost_10.0.19041.3636_neutral_neutral_cw5n1h2txyewy"
              }
            ],
            "repeated": 0,
            "id": 7769
          },
          {
            "timestamp": "2026-05-28 22:01:58,037",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "registry",
            "api": "RegEnumKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000764"
              },
              {
                "name": "Index",
                "value": "0"
              },
              {
                "name": "Name",
                "value": "1f"
              },
              {
                "name": "Class",
                "value": ""
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\Package\\Index\\PackageFullName\\Microsoft.Windows.StartMenuExperienceHost_10.0.19041.3636_neutral_neutral_cw5n1h2txyewy\\1f"
              }
            ],
            "repeated": 0,
            "id": 7770
          },
          {
            "timestamp": "2026-05-28 22:01:58,037",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000764"
              }
            ],
            "repeated": 0,
            "id": 7771
          },
          {
            "timestamp": "2026-05-28 22:01:58,037",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 7772
          },
          {
            "timestamp": "2026-05-28 22:01:58,037",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xe0\\xa6\"T\\x92\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\\\x00W\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\xe9\\x03\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 7773
          },
          {
            "timestamp": "2026-05-28 22:01:58,037",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000740"
              },
              {
                "name": "SubKey",
                "value": "User\\Index\\UserSid\\S-1-5-21-3968686040-3210279463-847977608-1001"
              },
              {
                "name": "Handle",
                "value": "0x00000764"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\User\\Index\\UserSid\\S-1-5-21-3968686040-3210279463-847977608-1001"
              }
            ],
            "repeated": 0,
            "id": 7774
          },
          {
            "timestamp": "2026-05-28 22:01:58,037",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "registry",
            "api": "RegEnumKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000764"
              },
              {
                "name": "Index",
                "value": "0"
              },
              {
                "name": "Name",
                "value": "3"
              },
              {
                "name": "Class",
                "value": ""
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\User\\Index\\UserSid\\S-1-5-21-3968686040-3210279463-847977608-1001\\3"
              }
            ],
            "repeated": 0,
            "id": 7775
          },
          {
            "timestamp": "2026-05-28 22:01:58,037",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000764"
              }
            ],
            "repeated": 0,
            "id": 7776
          },
          {
            "timestamp": "2026-05-28 22:01:58,037",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000740"
              },
              {
                "name": "SubKey",
                "value": "PackageExternalLocation\\Index\\UserAndPackage\\3^1f"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\PackageExternalLocation\\Index\\UserAndPackage\\3^1f"
              }
            ],
            "repeated": 0,
            "id": 7777
          },
          {
            "timestamp": "2026-05-28 22:01:58,037",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000740"
              },
              {
                "name": "SubKey",
                "value": "PackageExternalLocation\\Index\\UserAndPackage\\0^1f"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\PackageExternalLocation\\Index\\UserAndPackage\\0^1f"
              }
            ],
            "repeated": 0,
            "id": 7778
          },
          {
            "timestamp": "2026-05-28 22:01:58,037",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000740"
              },
              {
                "name": "SubKey",
                "value": "Package\\Data\\1f"
              },
              {
                "name": "Handle",
                "value": "0x00000764"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\Package\\Data\\1f"
              }
            ],
            "repeated": 0,
            "id": 7779
          },
          {
            "timestamp": "2026-05-28 22:01:58,037",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000764"
              },
              {
                "name": "ValueName",
                "value": "InstalledLocation"
              },
              {
                "name": "Data",
                "value": "C:\\Windows\\SystemApps\\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\Package\\Data\\1f\\InstalledLocation"
              }
            ],
            "repeated": 0,
            "id": 7780
          },
          {
            "timestamp": "2026-05-28 22:01:58,037",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000764"
              },
              {
                "name": "ValueName",
                "value": "MutableLink"
              },
              {
                "name": "Data",
                "value": ""
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\Package\\Data\\1f\\MutableLink"
              }
            ],
            "repeated": 0,
            "id": 7781
          },
          {
            "timestamp": "2026-05-28 22:01:58,037",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000764"
              }
            ],
            "repeated": 0,
            "id": 7782
          },
          {
            "timestamp": "2026-05-28 22:01:58,037",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000754"
              }
            ],
            "repeated": 0,
            "id": 7783
          },
          {
            "timestamp": "2026-05-28 22:01:58,037",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000740"
              }
            ],
            "repeated": 0,
            "id": 7784
          },
          {
            "timestamp": "2026-05-28 22:01:58,037",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache"
              },
              {
                "name": "Handle",
                "value": "0x00000740"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache"
              }
            ],
            "repeated": 0,
            "id": 7785
          },
          {
            "timestamp": "2026-05-28 22:01:58,037",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000740"
              },
              {
                "name": "SubKey",
                "value": "Metadata"
              },
              {
                "name": "Handle",
                "value": "0x00000754"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\Metadata"
              }
            ],
            "repeated": 0,
            "id": 7786
          },
          {
            "timestamp": "2026-05-28 22:01:58,037",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000740"
              },
              {
                "name": "SubKey",
                "value": "Package\\Index\\PackageFullName\\Microsoft.Windows.StartMenuExperienceHost_10.0.19041.3636_neutral_neutral_cw5n1h2txyewy"
              },
              {
                "name": "Handle",
                "value": "0x00000764"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\Package\\Index\\PackageFullName\\Microsoft.Windows.StartMenuExperienceHost_10.0.19041.3636_neutral_neutral_cw5n1h2txyewy"
              }
            ],
            "repeated": 0,
            "id": 7787
          },
          {
            "timestamp": "2026-05-28 22:01:58,037",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "registry",
            "api": "RegEnumKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000764"
              },
              {
                "name": "Index",
                "value": "0"
              },
              {
                "name": "Name",
                "value": "1f"
              },
              {
                "name": "Class",
                "value": ""
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\Package\\Index\\PackageFullName\\Microsoft.Windows.StartMenuExperienceHost_10.0.19041.3636_neutral_neutral_cw5n1h2txyewy\\1f"
              }
            ],
            "repeated": 0,
            "id": 7788
          },
          {
            "timestamp": "2026-05-28 22:01:58,037",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000764"
              }
            ],
            "repeated": 0,
            "id": 7789
          },
          {
            "timestamp": "2026-05-28 22:01:58,037",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000740"
              },
              {
                "name": "SubKey",
                "value": "Package\\Data\\1f"
              },
              {
                "name": "Handle",
                "value": "0x00000764"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\Package\\Data\\1f"
              }
            ],
            "repeated": 0,
            "id": 7790
          },
          {
            "timestamp": "2026-05-28 22:01:58,037",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000764"
              },
              {
                "name": "ValueName",
                "value": "Flags"
              },
              {
                "name": "Data",
                "value": "1032"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\Package\\Data\\1f\\Flags"
              }
            ],
            "repeated": 0,
            "id": 7791
          },
          {
            "timestamp": "2026-05-28 22:01:58,037",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000764"
              },
              {
                "name": "ValueName",
                "value": "InstalledLocation"
              },
              {
                "name": "Data",
                "value": "C:\\Windows\\SystemApps\\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\Package\\Data\\1f\\InstalledLocation"
              }
            ],
            "repeated": 0,
            "id": 7792
          },
          {
            "timestamp": "2026-05-28 22:01:58,037",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000764"
              }
            ],
            "repeated": 0,
            "id": 7793
          },
          {
            "timestamp": "2026-05-28 22:01:58,037",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000754"
              }
            ],
            "repeated": 0,
            "id": 7794
          },
          {
            "timestamp": "2026-05-28 22:01:58,037",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000740"
              }
            ],
            "repeated": 0,
            "id": 7795
          },
          {
            "timestamp": "2026-05-28 22:01:58,037",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": " \\xd9\\xdf\\x9d\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\xe9\\x03\\x00\\x00\\xf0\\x00\\x00\\x00\\xf05\\x1ej\\xfc\\x7f\\x00\\x00\\x86\\xdequ\\xfc\\x7f\\x00\\x00\\x0b\\x00\\x00\\x00K\\xb4\\x00\\x00\\x00\\x00\\x00\\x00\\xf0\\x00\\x00\\x00p\\xd9\\xdf\\x9d\\xf0\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 7796
          },
          {
            "timestamp": "2026-05-28 22:01:58,037",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000740"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3968686040-3210279463-847977608-1001"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER"
              }
            ],
            "repeated": 0,
            "id": 7797
          },
          {
            "timestamp": "2026-05-28 22:01:58,037",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000740"
              },
              {
                "name": "SubKey",
                "value": "Software\\Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppContainer\\Storage\\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\\ResourcesConfig"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppContainer\\Storage\\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\\ResourcesConfig"
              }
            ],
            "repeated": 0,
            "id": 7798
          },
          {
            "timestamp": "2026-05-28 22:01:58,037",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000740"
              }
            ],
            "repeated": 0,
            "id": 7799
          },
          {
            "timestamp": "2026-05-28 22:01:58,037",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x00000740"
              }
            ],
            "repeated": 0,
            "id": 7800
          },
          {
            "timestamp": "2026-05-28 22:01:58,037",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "39"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 7801
          },
          {
            "timestamp": "2026-05-28 22:01:58,037",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "39"
              },
              {
                "name": "TokenInformation",
                "value": "\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00`\\xe2\"T\\x92\\x02\\x00\\x00 \\x00 \\x00\\x00\\x00\\x00\\x00\\x88\\xe2\"T\\x92\\x02\\x00\\x00\\x02\\x00\\x00\\x00A\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xa8\\xe2\"T\\x92\\x02\\x00\\x00T\\x00S\\x00A\\x00:\\x00/\\x00/\\x00P\\x00r\\x00o\\x00c\\x00U\\x00n\\x00i\\x00q\\x00u\\x00e\\x00\\x88\\x00\\x00\\x00\\x00\\x00\\x00\\x00k\\xc4\t\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 7802
          },
          {
            "timestamp": "2026-05-28 22:01:58,037",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000740"
              }
            ],
            "repeated": 0,
            "id": 7803
          },
          {
            "timestamp": "2026-05-28 22:01:58,037",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "system",
            "api": "IsDebuggerPresent",
            "status": false,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 1,
            "id": 7804
          },
          {
            "timestamp": "2026-05-28 22:01:58,037",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 7805
          },
          {
            "timestamp": "2026-05-28 22:01:58,037",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000000d4"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 7806
          },
          {
            "timestamp": "2026-05-28 22:01:58,037",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000000d4"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Mrt\\_Merged"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Mrt\\_Merged"
              }
            ],
            "repeated": 0,
            "id": 7807
          },
          {
            "timestamp": "2026-05-28 22:01:58,037",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "filesystem",
            "api": "NtQueryFullAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\SystemApps\\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\\resources.pri"
              }
            ],
            "repeated": 0,
            "id": 7808
          },
          {
            "timestamp": "2026-05-28 22:01:58,053",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000740"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\SystemApps\\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\\resources.pri"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 7809
          },
          {
            "timestamp": "2026-05-28 22:01:58,053",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000740"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\SystemApps\\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\\resources.pri"
              },
              {
                "name": "FileInformationClass",
                "value": "5",
                "pretty_value": "FileStandardInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\x88\\x06\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 7810
          },
          {
            "timestamp": "2026-05-28 22:01:58,053",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000754"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000740"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\SystemApps\\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\\resources.pri"
              }
            ],
            "repeated": 0,
            "id": 7811
          },
          {
            "timestamp": "2026-05-28 22:01:58,053",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000754"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x292546a0000"
              },
              {
                "name": "SectionOffset",
                "value": "0xf09ddfd6c0"
              },
              {
                "name": "ViewSize",
                "value": "0x00001000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 7812
          },
          {
            "timestamp": "2026-05-28 22:01:58,053",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000754"
              }
            ],
            "repeated": 0,
            "id": 7813
          },
          {
            "timestamp": "2026-05-28 22:01:58,053",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000740"
              }
            ],
            "repeated": 0,
            "id": 7814
          },
          {
            "timestamp": "2026-05-28 22:01:58,053",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254240000"
              },
              {
                "name": "RegionSize",
                "value": "0x00002000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 7815
          },
          {
            "timestamp": "2026-05-28 22:01:58,053",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 7816
          },
          {
            "timestamp": "2026-05-28 22:01:58,053",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000000d4"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 7817
          },
          {
            "timestamp": "2026-05-28 22:01:58,053",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000000d4"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Mrt\\_Merged"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Mrt\\_Merged"
              }
            ],
            "repeated": 0,
            "id": 7818
          },
          {
            "timestamp": "2026-05-28 22:01:58,053",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 7819
          },
          {
            "timestamp": "2026-05-28 22:01:58,053",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "filesystem",
            "api": "FindFirstFileExW",
            "status": true,
            "return": "0x2925423bb90",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\SystemApps\\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\\pris\\resources*.pri"
              },
              {
                "name": "FirstCreateTimeLow",
                "value": "0xab7e9afa"
              },
              {
                "name": "FirstCreateTimeHigh",
                "value": "0x01d5ace3"
              }
            ],
            "repeated": 0,
            "id": 7820
          },
          {
            "timestamp": "2026-05-28 22:01:58,053",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000740"
              }
            ],
            "repeated": 0,
            "id": 7821
          },
          {
            "timestamp": "2026-05-28 22:01:58,053",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "Software\\Microsoft\\LanguageOverlay\\OverlayPackages"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages"
              }
            ],
            "repeated": 0,
            "id": 7822
          },
          {
            "timestamp": "2026-05-28 22:01:58,053",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "filesystem",
            "api": "FindFirstFileExW",
            "status": true,
            "return": "0x2925423c130",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\SystemApps\\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\\resources.pri"
              },
              {
                "name": "FirstCreateTimeLow",
                "value": "0xea4e2414"
              },
              {
                "name": "FirstCreateTimeHigh",
                "value": "0x01d5acdd"
              }
            ],
            "repeated": 0,
            "id": 7823
          },
          {
            "timestamp": "2026-05-28 22:01:58,053",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000740"
              }
            ],
            "repeated": 0,
            "id": 7824
          },
          {
            "timestamp": "2026-05-28 22:01:58,053",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 7825
          },
          {
            "timestamp": "2026-05-28 22:01:58,053",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000000d4"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 7826
          },
          {
            "timestamp": "2026-05-28 22:01:58,053",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000000d4"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Mrt\\_Merged"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Mrt\\_Merged"
              }
            ],
            "repeated": 0,
            "id": 7827
          },
          {
            "timestamp": "2026-05-28 22:01:58,053",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "filesystem",
            "api": "NtQueryFullAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\rescache\\_merged\\24768367\\3374421605.pri"
              }
            ],
            "repeated": 1,
            "id": 7828
          },
          {
            "timestamp": "2026-05-28 22:01:58,053",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000740"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\rescache\\_merged\\24768367\\3374421605.pri"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 7829
          },
          {
            "timestamp": "2026-05-28 22:01:58,053",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000740"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\rescache\\_merged\\24768367\\3374421605.pri"
              },
              {
                "name": "FileInformationClass",
                "value": "5",
                "pretty_value": "FileStandardInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x00h\\x07\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 7830
          },
          {
            "timestamp": "2026-05-28 22:01:58,053",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000754"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000740"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\rescache\\_merged\\24768367\\3374421605.pri"
              }
            ],
            "repeated": 0,
            "id": 7831
          },
          {
            "timestamp": "2026-05-28 22:01:58,053",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000754"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x292546b0000"
              },
              {
                "name": "SectionOffset",
                "value": "0xf09ddfd580"
              },
              {
                "name": "ViewSize",
                "value": "0x00001000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 7832
          },
          {
            "timestamp": "2026-05-28 22:01:58,053",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000754"
              }
            ],
            "repeated": 0,
            "id": 7833
          },
          {
            "timestamp": "2026-05-28 22:01:58,053",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000740"
              }
            ],
            "repeated": 0,
            "id": 7834
          },
          {
            "timestamp": "2026-05-28 22:01:58,053",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "filesystem",
            "api": "FindFirstFileExW",
            "status": true,
            "return": "0x2925423c7f0",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\SystemApps\\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\\pris\\resources.en-US.pri"
              },
              {
                "name": "FirstCreateTimeLow",
                "value": "0xab7e9afa"
              },
              {
                "name": "FirstCreateTimeHigh",
                "value": "0x01d5ace3"
              }
            ],
            "repeated": 0,
            "id": 7835
          },
          {
            "timestamp": "2026-05-28 22:01:58,053",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000740"
              }
            ],
            "repeated": 0,
            "id": 7836
          },
          {
            "timestamp": "2026-05-28 22:01:58,053",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "filesystem",
            "api": "NtQueryFullAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\SystemApps\\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\\pris\\resources.en-US.pri"
              }
            ],
            "repeated": 0,
            "id": 7837
          },
          {
            "timestamp": "2026-05-28 22:01:58,053",
            "thread_id": "5448",
            "caller": "0x7ff6c28c95ba",
            "parentcaller": "0x7ff6c28c9060",
            "category": "system",
            "api": "IsDebuggerPresent",
            "status": false,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 7838
          },
          {
            "timestamp": "2026-05-28 22:01:58,053",
            "thread_id": "5448",
            "caller": "0x7ff6c28dcbb5",
            "parentcaller": "0x7ff6c28c996f",
            "category": "process",
            "api": "NtUnmapViewOfSectionEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x292546a0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Flags",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 7839
          },
          {
            "timestamp": "2026-05-28 22:01:58,053",
            "thread_id": "5448",
            "caller": "0x7ff6c28dcbb5",
            "parentcaller": "0x7ff6c28c996f",
            "category": "process",
            "api": "NtUnmapViewOfSectionEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x292546b0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Flags",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 7840
          },
          {
            "timestamp": "2026-05-28 22:01:58,053",
            "thread_id": "5448",
            "caller": "0x7ff6c28d83ed",
            "parentcaller": "0x7ff6c28d8345",
            "category": "synchronization",
            "api": "NtCreateMutant",
            "status": true,
            "return": "0x40000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000740"
              },
              {
                "name": "MutexName",
                "value": "Local\\SM0:7912:120:WilError_03"
              },
              {
                "name": "InitialOwner",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 7841
          },
          {
            "timestamp": "2026-05-28 22:01:58,053",
            "thread_id": "5448",
            "caller": "0x7ff6c28df03f",
            "parentcaller": "0x7ff6c28d8bcc",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000764"
              }
            ],
            "repeated": 0,
            "id": 7842
          },
          {
            "timestamp": "2026-05-28 22:01:58,053",
            "thread_id": "5448",
            "caller": "0x7ff6c28df03f",
            "parentcaller": "0x7ff6c28d8c07",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000754"
              }
            ],
            "repeated": 0,
            "id": 7843
          },
          {
            "timestamp": "2026-05-28 22:01:58,053",
            "thread_id": "5448",
            "caller": "0x7ff6c28df03f",
            "parentcaller": "0x7ff6c28d848a",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000740"
              }
            ],
            "repeated": 0,
            "id": 7844
          },
          {
            "timestamp": "2026-05-28 22:01:58,053",
            "thread_id": "5448",
            "caller": "0x7ff6c28bd650",
            "parentcaller": "0x7ff6c28bd486",
            "category": "system",
            "api": "IsDebuggerPresent",
            "status": false,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 7845
          },
          {
            "timestamp": "2026-05-28 22:01:58,053",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c38f8",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000740"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001410",
                "pretty_value": "PROCESS_VM_READ|PROCESS_QUERY_INFORMATION|PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "5152"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\SystemApps\\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\\StartMenuExperienceHost.exe"
              }
            ],
            "repeated": 0,
            "id": 7846
          },
          {
            "timestamp": "2026-05-28 22:01:58,053",
            "thread_id": "5448",
            "caller": "0x7ff6c28c53e5",
            "parentcaller": "0x7ff6c28c3945",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000740"
              },
              {
                "name": "BaseAddress",
                "value": "0x7a7e5c9000"
              },
              {
                "name": "Size",
                "value": "0x000007c8"
              },
              {
                "name": "Buffer",
                "value": "\\x00\\x00\\x004\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00h\\x0f\\xf7\\x7f\\x00\\x00\\xc0\\xc4\\x13x\\xfc\\x7f\\x00\\x00p4 +\\xbb\\x01\\x00\\x00\\xd0\\xb1\\x0fp\\xfc\\x7f\\x00\\x00\\x00\\x00\\x08+\\xbb\\x01\\x00\\x00\\xe0\\xc0\\x13x\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00p\\x003v\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x03+\\xbb\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00@\\xc4\\x13x\\xfc\\x7f\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\x0f\\x00\\x00\\x00\\x00ks\\xf4}\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00P\\x07ks\\xf4}\\x00\\x00\\x00\\x00\\x7fu\\xf5}\\x00\\x00(\\x02\\x80u\\xf5}\\x00\\x00P\\x06\\x81u\\xf5}\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x80\\x9b\\x07m\\xe8\\xff\\xff\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x00 \\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\x07\\x00\\x00\\x00\\x10\\x00\\x00\\x00@\\xad\\x13x\\xfc\\x7f\\x00\\x00\\x00\\x00`+\\xbb\\x01\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 7847
          },
          {
            "timestamp": "2026-05-28 22:01:58,053",
            "thread_id": "5448",
            "caller": "0x7ff6c28c5414",
            "parentcaller": "0x7ff6c28c3945",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000740"
              },
              {
                "name": "BaseAddress",
                "value": "0x1bb2b203470"
              },
              {
                "name": "Size",
                "value": "0x00000440"
              },
              {
                "name": "Buffer",
                "value": "\\xe0\t\\x00\\x00\\xe0\t\\x00\\x00\\x01@\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x9c\\x00\\x08\\x02\\x00\\x00\\x00\\x00\\x80B +\\xbb\\x01\\x00\\x00@\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x9c\\x00\\x9e\\x00\\x00\\x00\\x00\\x00\\xb8: +\\xbb\\x01\\x00\\x00\\xd2\\x00\\xd4\\x00\\x00\\x00\\x00\\x00V; +\\xbb\\x01\\x00\\x00H\\x01J\\x01\\x00\\x00\\x00\\x00*< +\\xbb\\x01\\x00\\x00\\xf0' +\\xbb\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x80\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xd6\\x00\\xd8\\x00\\x00\\x00\\x00\\x00t= +\\xbb\\x01\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00L> +\\xbb\\x01\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00N> +\\xbb\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 7848
          },
          {
            "timestamp": "2026-05-28 22:01:58,053",
            "thread_id": "5448",
            "caller": "0x7ff6c28c545d",
            "parentcaller": "0x7ff6c28c3945",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000740"
              },
              {
                "name": "BaseAddress",
                "value": "0x1bb2b203c2a"
              },
              {
                "name": "Size",
                "value": "0x00000148"
              },
              {
                "name": "Buffer",
                "value": "\"\\x00C\\x00:\\x00\\\\x00W\\x00i\\x00n\\x00d\\x00o\\x00w\\x00s\\x00\\\\x00S\\x00y\\x00s\\x00t\\x00e\\x00m\\x00A\\x00p\\x00p\\x00s\\x00\\\\x00M\\x00i\\x00c\\x00r\\x00o\\x00s\\x00o\\x00f\\x00t\\x00.\\x00W\\x00i\\x00n\\x00d\\x00o\\x00w\\x00s\\x00.\\x00S\\x00t\\x00a\\x00r\\x00t\\x00M\\x00e\\x00n\\x00u\\x00E\\x00x\\x00p\\x00e\\x00r\\x00i\\x00e\\x00n\\x00c\\x00e\\x00H\\x00o\\x00s\\x00t\\x00_\\x00c\\x00w\\x005\\x00n\\x001\\x00h\\x002\\x00t\\x00x\\x00y\\x00e\\x00w\\x00y\\x00\\\\x00S\\x00t\\x00a\\x00r\\x00t\\x00M\\x00e\\x00n\\x00u\\x00E\\x00x\\x00p\\x00e\\x00r\\x00i\\x00e\\x00n\\x00c\\x00e\\x00H\\x00o\\x00s\\x00t\\x00.\\x00e\\x00x\\x00e\\x00\"\\x00 \\x00-\\x00S\\x00e\\x00r\\x00v\\x00e\\x00r\\x00N\\x00a\\x00m\\x00e\\x00:\\x00A\\x00p\\x00p\\x00.\\x00A\\x00p\\x00p\\x00X\\x00"
              }
            ],
            "repeated": 0,
            "id": 7849
          },
          {
            "timestamp": "2026-05-28 22:01:58,053",
            "thread_id": "5448",
            "caller": "0x7ff6c28c39ad",
            "parentcaller": "0x7ff6c28c31bb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000740"
              }
            ],
            "repeated": 0,
            "id": 7850
          },
          {
            "timestamp": "2026-05-28 22:01:58,053",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c3746",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000740"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001000",
                "pretty_value": "PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "5152"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\SystemApps\\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\\StartMenuExperienceHost.exe"
              }
            ],
            "repeated": 0,
            "id": 7851
          },
          {
            "timestamp": "2026-05-28 22:01:58,053",
            "thread_id": "5448",
            "caller": "0x7ff6c28c472e",
            "parentcaller": "0x7ff6c28c375e",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000740"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x00000754"
              }
            ],
            "repeated": 0,
            "id": 7852
          },
          {
            "timestamp": "2026-05-28 22:01:58,053",
            "thread_id": "5448",
            "caller": "0x7ff6c28c4764",
            "parentcaller": "0x7ff6c28c375e",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "39"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 7853
          },
          {
            "timestamp": "2026-05-28 22:01:58,053",
            "thread_id": "5448",
            "caller": "0x7ff6c28c47a3",
            "parentcaller": "0x7ff6c28c375e",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254245000"
              },
              {
                "name": "RegionSize",
                "value": "0x00003000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 7854
          },
          {
            "timestamp": "2026-05-28 22:01:58,053",
            "thread_id": "5448",
            "caller": "0x7ff6c28c47ed",
            "parentcaller": "0x7ff6c28c375e",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "39"
              },
              {
                "name": "TokenInformation",
                "value": "\\x01\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x80<$T\\x92\\x02\\x00\\x00\\x1c\\x00\\x1c\\x00\\x00\\x00\\x00\\x00 =$T\\x92\\x02\\x00\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00@=$T\\x92\\x02\\x00\\x00\\x12\\x00\\x12\\x00\\x00\\x00\\x00\\x00\\x92>$T\\x92\\x02\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xa8>$T\\x92\\x02\\x00\\x00\\x1e\\x00\\x1e\\x00\\x00\\x00\\x00\\x00\\xb0>$T\\x92\\x02\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xd0>$T\\x92\\x02\\x00\\x00 \\x00 \\x00\\x00\\x00\\x00\\x00\\xd8>$T\\x92\\x02\\x00\\x00\\x02\\x00\\x00\\x00A\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xf8>$T\\x92\\x02\\x00\\x00W\\x00I\\x00N\\x00:\\x00/\\x00/\\x00S\\x00Y\\x00S\\x00A\\x00P\\x00P\\x00I\\x00D\\x00\\x00\\x00\\x00\\x00\\xae\\x00\\xae\\x00\\x00\\x00\\x00\\x00p=$T\\x92\\x02\\x00\\x00\\x06\\x00\\x06\\x00\\x00\\x00\\x00\\x00\\x1e>$T\\x92\\x02\\x00\\x00n\\x00n\\x00\\x00\\x00\\x00\\x00$>$T\\x92\\x02\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 7855
          },
          {
            "timestamp": "2026-05-28 22:01:58,053",
            "thread_id": "5448",
            "caller": "0x7ff6c28c488d",
            "parentcaller": "0x7ff6c28c375e",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000754"
              }
            ],
            "repeated": 0,
            "id": 7856
          },
          {
            "timestamp": "2026-05-28 22:01:58,053",
            "thread_id": "5448",
            "caller": "0x7ff6c28c3779",
            "parentcaller": "0x7ff6c28c31c6",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000740"
              }
            ],
            "repeated": 0,
            "id": 7857
          },
          {
            "timestamp": "2026-05-28 22:01:58,053",
            "thread_id": "5448",
            "caller": "0x7ff6c28dabab",
            "parentcaller": "0x7ff6c28c3815",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000740"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020119",
                "pretty_value": "KEY_QUERY_VALUE|KEY_ENUMERATE_SUB_KEYS|KEY_NOTIFY|KEY_WOW64_64KEY|STANDARD_RIGHTS_REQUIRED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000003d8"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Windows.Internal.StateRepository.Application"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.Application"
              }
            ],
            "repeated": 0,
            "id": 7858
          },
          {
            "timestamp": "2026-05-28 22:01:58,053",
            "thread_id": "5448",
            "caller": "0x7ff6c28dabab",
            "parentcaller": "0x7ff6c28c3815",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000740"
              },
              {
                "name": "KeyInformation",
                "value": "y\\x1f\\x10\\xffd4\\xffde\\xffac\\xffd5\\x01\\x00\\x00\\x00\\x00X\\x00\\x00\\x00W\\x00i\\x00n\\x00d\\x00o\\x00w\\x00s\\x00.\\x00I\\x00n\\x00t\\x00e\\x00r\\x00n\\x00a\\x00l\\x00.\\x00S\\x00t\\x00a\\x00t\\x00e\\x00R\\x00e\\x00p\\x00o\\x00s\\x00i\\x00t\\x00o\\x00r\\x00y\\x00.\\x00A\\x00p\\x00p\\x00l\\x00i\\x00c\\x00a\\x00t\\x00i\\x00o\\x00n\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xff90\\xffa8\\x1fT\\xff92\\x02\\x00\\x00\\xff80\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x1fN\\xff92\\x02\\x00\\x00\\xffd9\\xffd5\\xffdf\\xff9d\\xfff0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xffa0\\x14\\x03N\\xff92\\x02\\x00\\x00\\x00\\x00\\x03N\\xff92\\x02\\x00\\x00\\x00\\x00\\x03N\\xff92\\x02\\x00\\x00\\xffc4\\x02\\x03N\\xff92\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\xff92\\x02\\x00\\x00\\xff90\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xffc0\\x0c\\x03N\\xff92\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xffb0E\\xffe7w\\xfffc\\x7f\\x00\\x00\\xff98\\x0b\"T\\xff92\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xffb0\\xffd6\\xffdf\\xff9d\\xfff0\\x00\\x00\\x00\\xff87\\xff9d\\xffbbw\\xfffc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\xff92\\x02\\x00\\x00\\x10'\\x1fT\\xff92\\x02\\x00\\x00\\xff80\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00p\\x0b\"T\\xff92\\x02\\x00\\x00\\x10'\\x1fT\\xff92\\x02\\x00\\x00\\x10\\xffb2\"T\\xff92\\x02\\x00\\x00\\xffc7\\xffb3\\xffffw\\xfffc\\x7f\\x00\\x00\\x00\\x00\\x03N\\xff92\\x02\\x00\\x00\\xfff6s\\xffbbw\\xfffc\\x7f\\x00\\x00\\x10*\\x1fT\\xff92\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xffff\\xffff\\xffff\\xffff\\xffff\\xffff\\xffff\\xffff\\x10\\xffb2\"T\\xff92\\x02\\x00\\x00\\xff80\\xffeb\"T\\xff92\\x02\\x00\\x00\\xff80\\xffeb\"T\\xff92\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10'\\x1fT\\xff92\\x02
\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xff92\\x02\\x00\\x006\\xff8c\\xffc6w\\xfffc\\x7f\\x00\\x00`_#T\\xff92\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\xfff0\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xffa0\\xffd7\\xffdf\\xff9d\\xfff0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xffa0\\xffd7\\xffdf\\xff9d\\xfff0\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 7859
          },
          {
            "timestamp": "2026-05-28 22:01:58,053",
            "thread_id": "5448",
            "caller": "0x7ff6c28dabab",
            "parentcaller": "0x7ff6c28c3815",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000740"
              },
              {
                "name": "ValueName",
                "value": "ActivationType"
              },
              {
                "name": "Data",
                "value": "1"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.Application\\ActivationType"
              }
            ],
            "repeated": 0,
            "id": 7860
          },
          {
            "timestamp": "2026-05-28 22:01:58,053",
            "thread_id": "5448",
            "caller": "0x7ff6c28dabab",
            "parentcaller": "0x7ff6c28c3815",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000740"
              },
              {
                "name": "ValueName",
                "value": "Server"
              },
              {
                "name": "Data",
                "value": "StateRepository"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.Application\\Server"
              }
            ],
            "repeated": 0,
            "id": 7861
          },
          {
            "timestamp": "2026-05-28 22:01:58,053",
            "thread_id": "5448",
            "caller": "0x7ff6c28dabab",
            "parentcaller": "0x7ff6c28c3815",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000740"
              },
              {
                "name": "ValueName",
                "value": "DllPath"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.Application\\DllPath"
              }
            ],
            "repeated": 0,
            "id": 7862
          },
          {
            "timestamp": "2026-05-28 22:01:58,053",
            "thread_id": "5448",
            "caller": "0x7ff6c28dabab",
            "parentcaller": "0x7ff6c28c3815",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000740"
              },
              {
                "name": "ValueName",
                "value": "Threading"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.Application\\Threading"
              }
            ],
            "repeated": 0,
            "id": 7863
          },
          {
            "timestamp": "2026-05-28 22:01:58,053",
            "thread_id": "5448",
            "caller": "0x7ff6c28dabab",
            "parentcaller": "0x7ff6c28c3815",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000740"
              },
              {
                "name": "ValueName",
                "value": "TrustLevel"
              },
              {
                "name": "Data",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.Application\\TrustLevel"
              }
            ],
            "repeated": 0,
            "id": 7864
          },
          {
            "timestamp": "2026-05-28 22:01:58,053",
            "thread_id": "5448",
            "caller": "0x7ff6c28dabab",
            "parentcaller": "0x7ff6c28c3815",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000740"
              },
              {
                "name": "SubKey",
                "value": "CustomAttributes"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.Application\\CustomAttributes"
              }
            ],
            "repeated": 0,
            "id": 7865
          },
          {
            "timestamp": "2026-05-28 22:01:58,053",
            "thread_id": "5448",
            "caller": "0x7ff6c28dabab",
            "parentcaller": "0x7ff6c28c3815",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000740"
              },
              {
                "name": "ValueName",
                "value": "RemoteServer"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.Application\\RemoteServer"
              }
            ],
            "repeated": 0,
            "id": 7866
          },
          {
            "timestamp": "2026-05-28 22:01:58,053",
            "thread_id": "5448",
            "caller": "0x7ff6c28dabab",
            "parentcaller": "0x7ff6c28c3815",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000740"
              },
              {
                "name": "ValueName",
                "value": "ActivateAsUser"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.Application\\ActivateAsUser"
              }
            ],
            "repeated": 0,
            "id": 7867
          },
          {
            "timestamp": "2026-05-28 22:01:58,053",
            "thread_id": "5448",
            "caller": "0x7ff6c28dabab",
            "parentcaller": "0x7ff6c28c3815",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000740"
              },
              {
                "name": "ValueName",
                "value": "ActivateInSharedBroker"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.Application\\ActivateInSharedBroker"
              }
            ],
            "repeated": 0,
            "id": 7868
          },
          {
            "timestamp": "2026-05-28 22:01:58,053",
            "thread_id": "5448",
            "caller": "0x7ff6c28dabab",
            "parentcaller": "0x7ff6c28c3815",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000740"
              },
              {
                "name": "ValueName",
                "value": "ActivateInBrokerForMediumILContainer"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.Application\\ActivateInBrokerForMediumILContainer"
              }
            ],
            "repeated": 0,
            "id": 7869
          },
          {
            "timestamp": "2026-05-28 22:01:58,053",
            "thread_id": "5448",
            "caller": "0x7ff6c28dabab",
            "parentcaller": "0x7ff6c28c3815",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000740"
              },
              {
                "name": "ValueName",
                "value": "Permissions"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.Application\\Permissions"
              }
            ],
            "repeated": 0,
            "id": 7870
          },
          {
            "timestamp": "2026-05-28 22:01:58,053",
            "thread_id": "5448",
            "caller": "0x7ff6c28dabab",
            "parentcaller": "0x7ff6c28c3815",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000740"
              },
              {
                "name": "ValueName",
                "value": "ActivateOnHostFlags"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.Application\\ActivateOnHostFlags"
              }
            ],
            "repeated": 0,
            "id": 7871
          },
          {
            "timestamp": "2026-05-28 22:01:58,053",
            "thread_id": "5448",
            "caller": "0x7ff6c28dabab",
            "parentcaller": "0x7ff6c28c3815",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000740"
              }
            ],
            "repeated": 0,
            "id": 7872
          },
          {
            "timestamp": "2026-05-28 22:01:58,053",
            "thread_id": "5448",
            "caller": "0x7ff6c28dabab",
            "parentcaller": "0x7ff6c28c3815",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "00000339-0000-0000-C000-000000000046"
              },
              {
                "name": "ClsContext",
                "value": "0x00000403",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER|CLSCTX_NO_CODE_DOWNLOAD"
              },
              {
                "name": "riid",
                "value": "00000003-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 7873
          },
          {
            "timestamp": "2026-05-28 22:01:58,053",
            "thread_id": "5448",
            "caller": "0x7ff6c28dabab",
            "parentcaller": "0x7ff6c28c3815",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x000002e6"
              },
              {
                "name": "SubKey",
                "value": "Interface\\{D81E96F1-A89C-417E-9335-59531026309D}"
              },
              {
                "name": "Handle",
                "value": "0x00000766"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\Interface\\{D81E96F1-A89C-417E-9335-59531026309D}"
              }
            ],
            "repeated": 0,
            "id": 7874
          },
          {
            "timestamp": "2026-05-28 22:01:58,053",
            "thread_id": "5448",
            "caller": "0x7ff6c28dabab",
            "parentcaller": "0x7ff6c28c3815",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000766"
              },
              {
                "name": "SubKey",
                "value": "ProxyStubClsid32"
              },
              {
                "name": "Handle",
                "value": "0x0000073e"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{d81e96f1-a89c-417e-9335-59531026309d}\\ProxyStubClsid32"
              }
            ],
            "repeated": 0,
            "id": 7875
          },
          {
            "timestamp": "2026-05-28 22:01:58,053",
            "thread_id": "5448",
            "caller": "0x7ff6c28dabab",
            "parentcaller": "0x7ff6c28c3815",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000073e"
              },
              {
                "name": "ValueName",
                "value": ""
              },
              {
                "name": "Data",
                "value": "{c53e07ec-25f3-4093-aa39-fc67ea22e99d}"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{d81e96f1-a89c-417e-9335-59531026309d}\\ProxyStubClsid32\\(Default)"
              }
            ],
            "repeated": 0,
            "id": 7876
          },
          {
            "timestamp": "2026-05-28 22:01:58,053",
            "thread_id": "5448",
            "caller": "0x7ff6c28dabab",
            "parentcaller": "0x7ff6c28c3815",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000073e"
              }
            ],
            "repeated": 0,
            "id": 7877
          },
          {
            "timestamp": "2026-05-28 22:01:58,053",
            "thread_id": "5448",
            "caller": "0x7ff6c28dabab",
            "parentcaller": "0x7ff6c28c3815",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000766"
              }
            ],
            "repeated": 0,
            "id": 7878
          },
          {
            "timestamp": "2026-05-28 22:01:58,053",
            "thread_id": "5448",
            "caller": "0x7ff6c28dabab",
            "parentcaller": "0x7ff6c28c3815",
            "category": "system",
            "api": "IsDebuggerPresent",
            "status": false,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 7879
          },
          {
            "timestamp": "2026-05-28 22:01:58,053",
            "thread_id": "1276",
            "caller": "0x7ffc75716f4c",
            "parentcaller": "0x7ffc770cef53",
            "category": "system",
            "api": "NtDuplicateObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SourceProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "SourceHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "TargetProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "TargetHandle",
                "value": "0x00000794"
              },
              {
                "name": "Options",
                "value": "0x00000002"
              }
            ],
            "repeated": 0,
            "id": 7880
          },
          {
            "timestamp": "2026-05-28 22:01:58,053",
            "thread_id": "5448",
            "caller": "0x7ff6c28daa8f",
            "parentcaller": "0x7ff6c28c3815",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x000002e6"
              },
              {
                "name": "SubKey",
                "value": "Interface\\{8DA928C9-4266-55D4-947A-48BE47300831}"
              },
              {
                "name": "Handle",
                "value": "0x0000079a"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\Interface\\{8DA928C9-4266-55D4-947A-48BE47300831}"
              }
            ],
            "repeated": 0,
            "id": 7881
          },
          {
            "timestamp": "2026-05-28 22:01:58,053",
            "thread_id": "5448",
            "caller": "0x7ff6c28daa8f",
            "parentcaller": "0x7ff6c28c3815",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x0000079a"
              },
              {
                "name": "SubKey",
                "value": "ProxyStubClsid32"
              },
              {
                "name": "Handle",
                "value": "0x0000079e"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{8da928c9-4266-55d4-947a-48be47300831}\\ProxyStubClsid32"
              }
            ],
            "repeated": 0,
            "id": 7882
          },
          {
            "timestamp": "2026-05-28 22:01:58,053",
            "thread_id": "5448",
            "caller": "0x7ff6c28daa8f",
            "parentcaller": "0x7ff6c28c3815",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000079e"
              },
              {
                "name": "ValueName",
                "value": ""
              },
              {
                "name": "Data",
                "value": "{c53e07ec-25f3-4093-aa39-fc67ea22e99d}"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{8da928c9-4266-55d4-947a-48be47300831}\\ProxyStubClsid32\\(Default)"
              }
            ],
            "repeated": 0,
            "id": 7883
          },
          {
            "timestamp": "2026-05-28 22:01:58,053",
            "thread_id": "5448",
            "caller": "0x7ff6c28daa8f",
            "parentcaller": "0x7ff6c28c3815",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000079e"
              }
            ],
            "repeated": 0,
            "id": 7884
          },
          {
            "timestamp": "2026-05-28 22:01:58,053",
            "thread_id": "5448",
            "caller": "0x7ff6c28daa8f",
            "parentcaller": "0x7ff6c28c3815",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000079a"
              }
            ],
            "repeated": 0,
            "id": 7885
          },
          {
            "timestamp": "2026-05-28 22:01:58,053",
            "thread_id": "5448",
            "caller": "0x7ff6c28c05ac",
            "parentcaller": "0x7ff6c28bdc11",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000798"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001400",
                "pretty_value": "PROCESS_QUERY_INFORMATION|PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "5216"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.3745_none_7ded3f327ca60a41\\TiWorker.exe"
              }
            ],
            "repeated": 0,
            "id": 7886
          },
          {
            "timestamp": "2026-05-28 22:01:58,053",
            "thread_id": "5448",
            "caller": "0x7ff6c28c068f",
            "parentcaller": "0x7ff6c28bdc11",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000798"
              }
            ],
            "repeated": 0,
            "id": 7887
          },
          {
            "timestamp": "2026-05-28 22:01:58,053",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c3e56",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000798"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001000",
                "pretty_value": "PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "5216"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.3745_none_7ded3f327ca60a41\\TiWorker.exe"
              }
            ],
            "repeated": 0,
            "id": 7888
          },
          {
            "timestamp": "2026-05-28 22:01:58,053",
            "thread_id": "5448",
            "caller": "0x7ff6c28c3ebb",
            "parentcaller": "0x7ff6c28c2d53",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000798"
              }
            ],
            "repeated": 0,
            "id": 7889
          },
          {
            "timestamp": "2026-05-28 22:01:58,053",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c3ffc",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000798"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001000",
                "pretty_value": "PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "5216"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.3745_none_7ded3f327ca60a41\\TiWorker.exe"
              }
            ],
            "repeated": 0,
            "id": 7890
          },
          {
            "timestamp": "2026-05-28 22:01:58,053",
            "thread_id": "5448",
            "caller": "0x7ff6c28c4224",
            "parentcaller": "0x7ff6c28c2da5",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000798"
              }
            ],
            "repeated": 0,
            "id": 7891
          },
          {
            "timestamp": "2026-05-28 22:01:58,053",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x292546a0002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.3745_none_7ded3f327ca60a41\\TiWorker.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 7892
          },
          {
            "timestamp": "2026-05-28 22:01:58,053",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "registry",
            "api": "NtOpenKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\en-US"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\en-US"
              }
            ],
            "repeated": 0,
            "id": 7893
          },
          {
            "timestamp": "2026-05-28 22:01:58,053",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": false,
            "return": "0xffffffffc000003a",
            "pretty_return": "OBJECT_PATH_NOT_FOUND",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100001",
                "pretty_value": "FILE_READ_ACCESS|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.3745_none_7ded3f327ca60a41\\en-US\\TiWorker.exe.mui"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 7894
          },
          {
            "timestamp": "2026-05-28 22:01:58,053",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "registry",
            "api": "NtOpenKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\en"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\en"
              }
            ],
            "repeated": 0,
            "id": 7895
          },
          {
            "timestamp": "2026-05-28 22:01:58,053",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": false,
            "return": "0xffffffffc000003a",
            "pretty_return": "OBJECT_PATH_NOT_FOUND",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100001",
                "pretty_value": "FILE_READ_ACCESS|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.3745_none_7ded3f327ca60a41\\en\\TiWorker.exe.mui"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 7896
          },
          {
            "timestamp": "2026-05-28 22:01:58,053",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.3745_none_7ded3f327ca60a41\\TiWorker.exe"
              }
            ],
            "repeated": 0,
            "id": 7897
          },
          {
            "timestamp": "2026-05-28 22:01:58,053",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x292546a0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00044000"
              }
            ],
            "repeated": 0,
            "id": 7898
          },
          {
            "timestamp": "2026-05-28 22:01:58,053",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x292546a0002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.3745_none_7ded3f327ca60a41\\TiWorker.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 7899
          },
          {
            "timestamp": "2026-05-28 22:01:58,053",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "registry",
            "api": "NtOpenKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\en-US"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\en-US"
              }
            ],
            "repeated": 0,
            "id": 7900
          },
          {
            "timestamp": "2026-05-28 22:01:58,053",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": false,
            "return": "0xffffffffc000003a",
            "pretty_return": "OBJECT_PATH_NOT_FOUND",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100001",
                "pretty_value": "FILE_READ_ACCESS|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.3745_none_7ded3f327ca60a41\\en-US\\TiWorker.exe.mui"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 7901
          },
          {
            "timestamp": "2026-05-28 22:01:58,053",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "registry",
            "api": "NtOpenKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\en"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\en"
              }
            ],
            "repeated": 0,
            "id": 7902
          },
          {
            "timestamp": "2026-05-28 22:01:58,053",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": false,
            "return": "0xffffffffc000003a",
            "pretty_return": "OBJECT_PATH_NOT_FOUND",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100001",
                "pretty_value": "FILE_READ_ACCESS|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.3745_none_7ded3f327ca60a41\\en\\TiWorker.exe.mui"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 7903
          },
          {
            "timestamp": "2026-05-28 22:01:58,053",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.3745_none_7ded3f327ca60a41\\TiWorker.exe"
              }
            ],
            "repeated": 0,
            "id": 7904
          },
          {
            "timestamp": "2026-05-28 22:01:58,053",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x292546a0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00044000"
              }
            ],
            "repeated": 0,
            "id": 7905
          },
          {
            "timestamp": "2026-05-28 22:01:58,053",
            "thread_id": "5448",
            "caller": "0x7ff6c28c3b16",
            "parentcaller": "0x7ff6c28c30e8",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000798"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000400",
                "pretty_value": "PROCESS_QUERY_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "5216"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.3745_none_7ded3f327ca60a41\\TiWorker.exe"
              }
            ],
            "repeated": 0,
            "id": 7906
          },
          {
            "timestamp": "2026-05-28 22:01:58,053",
            "thread_id": "5448",
            "caller": "0x7ff6c28c3b8f",
            "parentcaller": "0x7ff6c28c30e8",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000798"
              }
            ],
            "repeated": 0,
            "id": 7907
          },
          {
            "timestamp": "2026-05-28 22:01:58,053",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c38f8",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000798"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001410",
                "pretty_value": "PROCESS_VM_READ|PROCESS_QUERY_INFORMATION|PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "5216"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.3745_none_7ded3f327ca60a41\\TiWorker.exe"
              }
            ],
            "repeated": 0,
            "id": 7908
          },
          {
            "timestamp": "2026-05-28 22:01:58,053",
            "thread_id": "5448",
            "caller": "0x7ff6c28c53e5",
            "parentcaller": "0x7ff6c28c3945",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000798"
              },
              {
                "name": "BaseAddress",
                "value": "0xb24cb38000"
              },
              {
                "name": "Size",
                "value": "0x000007c8"
              },
              {
                "name": "Buffer",
                "value": "\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\xcb\\xb6\\xf6\\x7f\\x00\\x00\\xc0\\xc4\\x13x\\xfc\\x7f\\x00\\x00P\\x1a\\xfd\\x94\\xee\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xfd\\x94\\xee\\x01\\x00\\x00\\xe0\\xc0\\x13x\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00p\\x003v\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xdd\\x94\\xee\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00@\\xc4\\x13x\\xfc\\x7f\\x00\\x00\\xff\\x1f\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xa9\\xb2\\xf4}\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00P\\x07\\xa9\\xb2\\xf4}\\x00\\x00\\x00\\x00\\xbd\\xb4\\xf5}\\x00\\x00(\\x02\\xbe\\xb4\\xf5}\\x00\\x00P\\x06\\xbf\\xb4\\xf5}\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x80\\x9b\\x07m\\xe8\\xff\\xff\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x00 \\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x10\\x00\\x00\\x00@\\xad\\x13x\\xfc\\x7f\\x00\\x00\\x00\\x00v\\x95\\xee\\x01\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 7909
          },
          {
            "timestamp": "2026-05-28 22:01:58,053",
            "thread_id": "5448",
            "caller": "0x7ff6c28c5414",
            "parentcaller": "0x7ff6c28c3945",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000798"
              },
              {
                "name": "BaseAddress",
                "value": "0x1ee94fd1a50"
              },
              {
                "name": "Size",
                "value": "0x00000440"
              },
              {
                "name": "Buffer",
                "value": "\\x80\t\\x00\\x00\\x80\t\\x00\\x00\\x01@\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00(\\x00\\x08\\x02\\x00\\x00\\x00\\x000(\\xfd\\x94\\xee\\x01\\x00\\x00@\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xf8\\x00\\xfa\\x00\\x00\\x00\\x00\\x00\\x98 \\xfd\\x94\\xee\\x01\\x00\\x00\\x0e\\x01\\x10\\x01\\x00\\x00\\x00\\x00\\x92!\\xfd\\x94\\xee\\x01\\x00\\x00\\xe0\\x0f\\xfd\\x94\\xee\\x01\\x00\\x00(\\x00\\x00\\x00(\\x00\\x00\\x00P\\x00\\x00\\x00(\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x80\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xf8\\x00\\xfa\\x00\\x00\\x00\\x00\\x00\\xa2\"\\xfd\\x94\\xee\\x01\\x00\\x000\\x002\\x00\\x00\\x00\\x00\\x00\\x9c#\\xfd\\x94\\xee\\x01\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\xce#\\xfd\\x94\\xee\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 7910
          },
          {
            "timestamp": "2026-05-28 22:01:58,053",
            "thread_id": "5448",
            "caller": "0x7ff6c28c545d",
            "parentcaller": "0x7ff6c28c3945",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000798"
              },
              {
                "name": "BaseAddress",
                "value": "0x1ee94fd2192"
              },
              {
                "name": "Size",
                "value": "0x0000010e"
              },
              {
                "name": "Buffer",
                "value": "C\\x00:\\x00\\\\x00W\\x00i\\x00n\\x00d\\x00o\\x00w\\x00s\\x00\\\\x00w\\x00i\\x00n\\x00s\\x00x\\x00s\\x00\\\\x00a\\x00m\\x00d\\x006\\x004\\x00_\\x00m\\x00i\\x00c\\x00r\\x00o\\x00s\\x00o\\x00f\\x00t\\x00-\\x00w\\x00i\\x00n\\x00d\\x00o\\x00w\\x00s\\x00-\\x00s\\x00e\\x00r\\x00v\\x00i\\x00c\\x00i\\x00n\\x00g\\x00s\\x00t\\x00a\\x00c\\x00k\\x00_\\x003\\x001\\x00b\\x00f\\x003\\x008\\x005\\x006\\x00a\\x00d\\x003\\x006\\x004\\x00e\\x003\\x005\\x00_\\x001\\x000\\x00.\\x000\\x00.\\x001\\x009\\x000\\x004\\x001\\x00.\\x003\\x007\\x004\\x005\\x00_\\x00n\\x00o\\x00n\\x00e\\x00_\\x007\\x00d\\x00e\\x00d\\x003\\x00f\\x003\\x002\\x007\\x00c\\x00a\\x006\\x000\\x00a\\x004\\x001\\x00\\\\x00T\\x00i\\x00W\\x00o\\x00r\\x00k\\x00e\\x00r\\x00.\\x00e\\x00x\\x00e\\x00 \\x00-\\x00E\\x00m\\x00"
              }
            ],
            "repeated": 0,
            "id": 7911
          },
          {
            "timestamp": "2026-05-28 22:01:58,053",
            "thread_id": "5448",
            "caller": "0x7ff6c28c39ad",
            "parentcaller": "0x7ff6c28c31bb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000798"
              }
            ],
            "repeated": 0,
            "id": 7912
          },
          {
            "timestamp": "2026-05-28 22:01:58,053",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c3746",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000798"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001000",
                "pretty_value": "PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "5216"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.3745_none_7ded3f327ca60a41\\TiWorker.exe"
              }
            ],
            "repeated": 0,
            "id": 7913
          },
          {
            "timestamp": "2026-05-28 22:01:58,053",
            "thread_id": "5448",
            "caller": "0x7ff6c28c472e",
            "parentcaller": "0x7ff6c28c375e",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000798"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x0000079c"
              }
            ],
            "repeated": 0,
            "id": 7914
          },
          {
            "timestamp": "2026-05-28 22:01:58,053",
            "thread_id": "5448",
            "caller": "0x7ff6c28c4764",
            "parentcaller": "0x7ff6c28c375e",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "39"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 7915
          },
          {
            "timestamp": "2026-05-28 22:01:58,053",
            "thread_id": "5448",
            "caller": "0x7ff6c28c47ed",
            "parentcaller": "0x7ff6c28c375e",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "39"
              },
              {
                "name": "TokenInformation",
                "value": "\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x10$T\\x92\\x02\\x00\\x00 \\x00 \\x00\\x00\\x00\\x00\\x00(\\x10$T\\x92\\x02\\x00\\x00\\x02\\x00\\x00\\x00A\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00H\\x10$T\\x92\\x02\\x00\\x00T\\x00S\\x00A\\x00:\\x00/\\x00/\\x00P\\x00r\\x00o\\x00c\\x00U\\x00n\\x00i\\x00q\\x00u\\x00e\\x00m\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x126\\x04\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 7916
          },
          {
            "timestamp": "2026-05-28 22:01:58,053",
            "thread_id": "5448",
            "caller": "0x7ff6c28c488d",
            "parentcaller": "0x7ff6c28c375e",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000079c"
              }
            ],
            "repeated": 0,
            "id": 7917
          },
          {
            "timestamp": "2026-05-28 22:01:58,053",
            "thread_id": "5448",
            "caller": "0x7ff6c28c3779",
            "parentcaller": "0x7ff6c28c31c6",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000798"
              }
            ],
            "repeated": 0,
            "id": 7918
          },
          {
            "timestamp": "2026-05-28 22:01:58,053",
            "thread_id": "5448",
            "caller": "0x7ff6c28c05ac",
            "parentcaller": "0x7ff6c28bdc11",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000798"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001400",
                "pretty_value": "PROCESS_QUERY_INFORMATION|PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "5328"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\System32\\svchost.exe"
              }
            ],
            "repeated": 0,
            "id": 7919
          },
          {
            "timestamp": "2026-05-28 22:01:58,053",
            "thread_id": "5448",
            "caller": "0x7ff6c28c068f",
            "parentcaller": "0x7ff6c28bdc11",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000798"
              }
            ],
            "repeated": 0,
            "id": 7920
          },
          {
            "timestamp": "2026-05-28 22:01:58,068",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c3e56",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000798"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001000",
                "pretty_value": "PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "5328"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\System32\\svchost.exe"
              }
            ],
            "repeated": 0,
            "id": 7921
          },
          {
            "timestamp": "2026-05-28 22:01:58,068",
            "thread_id": "5448",
            "caller": "0x7ff6c28c3ebb",
            "parentcaller": "0x7ff6c28c2d53",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000798"
              }
            ],
            "repeated": 0,
            "id": 7922
          },
          {
            "timestamp": "2026-05-28 22:01:58,068",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c3ffc",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000798"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001000",
                "pretty_value": "PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "5328"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\System32\\svchost.exe"
              }
            ],
            "repeated": 0,
            "id": 7923
          },
          {
            "timestamp": "2026-05-28 22:01:58,068",
            "thread_id": "5448",
            "caller": "0x7ff6c28c4224",
            "parentcaller": "0x7ff6c28c2da5",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000798"
              }
            ],
            "repeated": 0,
            "id": 7924
          },
          {
            "timestamp": "2026-05-28 22:01:58,068",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x292546a0002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\System32\\svchost.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 7925
          },
          {
            "timestamp": "2026-05-28 22:01:58,068",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "registry",
            "api": "NtOpenKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\en-US"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\en-US"
              }
            ],
            "repeated": 0,
            "id": 7926
          },
          {
            "timestamp": "2026-05-28 22:01:58,068",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000798"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100001",
                "pretty_value": "FILE_READ_ACCESS|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\en-US\\svchost.exe.mui"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 7927
          },
          {
            "timestamp": "2026-05-28 22:01:58,068",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000764"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000798"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\en-US\\svchost.exe.mui"
              }
            ],
            "repeated": 0,
            "id": 7928
          },
          {
            "timestamp": "2026-05-28 22:01:58,068",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000764"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x292546b0000"
              },
              {
                "name": "SectionOffset",
                "value": "0xf09ddfcf90"
              },
              {
                "name": "ViewSize",
                "value": "0x00001000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 7929
          },
          {
            "timestamp": "2026-05-28 22:01:58,068",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000764"
              }
            ],
            "repeated": 0,
            "id": 7930
          },
          {
            "timestamp": "2026-05-28 22:01:58,068",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x292546b0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              }
            ],
            "repeated": 0,
            "id": 7931
          },
          {
            "timestamp": "2026-05-28 22:01:58,068",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000798"
              }
            ],
            "repeated": 0,
            "id": 7932
          },
          {
            "timestamp": "2026-05-28 22:01:58,068",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x292546a0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              }
            ],
            "repeated": 0,
            "id": 7933
          },
          {
            "timestamp": "2026-05-28 22:01:58,068",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x292546a0002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\System32\\svchost.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 7934
          },
          {
            "timestamp": "2026-05-28 22:01:58,068",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "registry",
            "api": "NtOpenKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\en-US"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\en-US"
              }
            ],
            "repeated": 0,
            "id": 7935
          },
          {
            "timestamp": "2026-05-28 22:01:58,068",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000798"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100001",
                "pretty_value": "FILE_READ_ACCESS|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\en-US\\svchost.exe.mui"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 7936
          },
          {
            "timestamp": "2026-05-28 22:01:58,068",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000764"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000798"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\en-US\\svchost.exe.mui"
              }
            ],
            "repeated": 0,
            "id": 7937
          },
          {
            "timestamp": "2026-05-28 22:01:58,068",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000764"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x292546b0000"
              },
              {
                "name": "SectionOffset",
                "value": "0xf09ddfcf80"
              },
              {
                "name": "ViewSize",
                "value": "0x00001000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 7938
          },
          {
            "timestamp": "2026-05-28 22:01:58,068",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000764"
              }
            ],
            "repeated": 0,
            "id": 7939
          },
          {
            "timestamp": "2026-05-28 22:01:58,068",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x292546b0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              }
            ],
            "repeated": 0,
            "id": 7940
          },
          {
            "timestamp": "2026-05-28 22:01:58,068",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000798"
              }
            ],
            "repeated": 0,
            "id": 7941
          },
          {
            "timestamp": "2026-05-28 22:01:58,068",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x292546a0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              }
            ],
            "repeated": 0,
            "id": 7942
          },
          {
            "timestamp": "2026-05-28 22:01:58,068",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c38f8",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000798"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001410",
                "pretty_value": "PROCESS_VM_READ|PROCESS_QUERY_INFORMATION|PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "5328"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\System32\\svchost.exe"
              }
            ],
            "repeated": 0,
            "id": 7943
          },
          {
            "timestamp": "2026-05-28 22:01:58,068",
            "thread_id": "5448",
            "caller": "0x7ff6c28c53e5",
            "parentcaller": "0x7ff6c28c3945",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000798"
              },
              {
                "name": "BaseAddress",
                "value": "0x8a2e23c000"
              },
              {
                "name": "Size",
                "value": "0x000007c8"
              },
              {
                "name": "Buffer",
                "value": "\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x006\\x80\\xf7\\x7f\\x00\\x00\\xc0\\xc4\\x13x\\xfc\\x7f\\x00\\x00p2\\xa0\\x1a\\xea\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x83\\x1a\\xea\\x01\\x00\\x00\\xe0\\xc0\\x13x\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00p\\x003v\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00~\\x1a\\xea\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00@\\xc4\\x13x\\xfc\\x7f\\x00\\x00\\xff\\x07\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00c8\\xf4}\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00P\\x07c8\\xf4}\\x00\\x00\\x00\\x00w:\\xf5}\\x00\\x00(\\x02x:\\xf5}\\x00\\x00P\\x06y:\\xf5}\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x80\\x9b\\x07m\\xe8\\xff\\xff\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x00 \\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x10\\x00\\x00\\x00@\\xad\\x13x\\xfc\\x7f\\x00\\x00\\x00\\x00\\xe0\\x1a\\xea\\x01\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 7944
          },
          {
            "timestamp": "2026-05-28 22:01:58,068",
            "thread_id": "5448",
            "caller": "0x7ff6c28c5414",
            "parentcaller": "0x7ff6c28c3945",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000798"
              },
              {
                "name": "BaseAddress",
                "value": "0x1ea1aa03270"
              },
              {
                "name": "Size",
                "value": "0x00000440"
              },
              {
                "name": "Buffer",
                "value": "<\\x07\\x00\\x00<\\x07\\x00\\x00\\x01 \\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00(\\x00\\x08\\x02\\x00\\x00\\x00\\x00 >\\xa0\\x1a\\xea\\x01\\x00\\x00H\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00>\\x00@\\x00\\x00\\x00\\x00\\x00\\xb88\\xa0\\x1a\\xea\\x01\\x00\\x00n\\x00p\\x00\\x00\\x00\\x00\\x00\\xf88\\xa0\\x1a\\xea\\x01\\x00\\x00\\xf0'\\xa0\\x1a\\xea\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x80\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00>\\x00@\\x00\\x00\\x00\\x00\\x00h9\\xa0\\x1a\\xea\\x01\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\xa89\\xa0\\x1a\\xea\\x01\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\xaa9\\xa0\\x1a\\xea\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 7945
          },
          {
            "timestamp": "2026-05-28 22:01:58,068",
            "thread_id": "5448",
            "caller": "0x7ff6c28c545d",
            "parentcaller": "0x7ff6c28c3945",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000798"
              },
              {
                "name": "BaseAddress",
                "value": "0x1ea1aa038f8"
              },
              {
                "name": "Size",
                "value": "0x0000006e"
              },
              {
                "name": "Buffer",
                "value": "C\\x00:\\x00\\\\x00W\\x00i\\x00n\\x00d\\x00o\\x00w\\x00s\\x00\\\\x00s\\x00y\\x00s\\x00t\\x00e\\x00m\\x003\\x002\\x00\\\\x00s\\x00v\\x00c\\x00h\\x00o\\x00s\\x00t\\x00.\\x00e\\x00x\\x00e\\x00 \\x00-\\x00k\\x00 \\x00n\\x00e\\x00t\\x00s\\x00v\\x00c\\x00s\\x00 \\x00-\\x00p\\x00 \\x00-\\x00s\\x00 \\x00U\\x00s\\x00o\\x00S\\x00v\\x00c\\x00"
              }
            ],
            "repeated": 0,
            "id": 7946
          },
          {
            "timestamp": "2026-05-28 22:01:58,068",
            "thread_id": "5448",
            "caller": "0x7ff6c28c39ad",
            "parentcaller": "0x7ff6c28c31bb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000798"
              }
            ],
            "repeated": 0,
            "id": 7947
          },
          {
            "timestamp": "2026-05-28 22:01:58,068",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c3746",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000798"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001000",
                "pretty_value": "PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "5328"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\System32\\svchost.exe"
              }
            ],
            "repeated": 0,
            "id": 7948
          },
          {
            "timestamp": "2026-05-28 22:01:58,068",
            "thread_id": "5448",
            "caller": "0x7ff6c28c472e",
            "parentcaller": "0x7ff6c28c375e",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000798"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x00000764"
              }
            ],
            "repeated": 0,
            "id": 7949
          },
          {
            "timestamp": "2026-05-28 22:01:58,068",
            "thread_id": "5448",
            "caller": "0x7ff6c28c4764",
            "parentcaller": "0x7ff6c28c375e",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "39"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 7950
          },
          {
            "timestamp": "2026-05-28 22:01:58,068",
            "thread_id": "5448",
            "caller": "0x7ff6c28c47ed",
            "parentcaller": "0x7ff6c28c375e",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "39"
              },
              {
                "name": "TokenInformation",
                "value": "\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x10$T\\x92\\x02\\x00\\x00 \\x00 \\x00\\x00\\x00\\x00\\x00(\\x10$T\\x92\\x02\\x00\\x00\\x02\\x00\\x00\\x00A\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00H\\x10$T\\x92\\x02\\x00\\x00T\\x00S\\x00A\\x00:\\x00/\\x00/\\x00P\\x00r\\x00o\\x00c\\x00U\\x00n\\x00i\\x00q\\x00u\\x00e\\x00o\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb2f\\x04\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 7951
          },
          {
            "timestamp": "2026-05-28 22:01:58,068",
            "thread_id": "5448",
            "caller": "0x7ff6c28c488d",
            "parentcaller": "0x7ff6c28c375e",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000764"
              }
            ],
            "repeated": 0,
            "id": 7952
          },
          {
            "timestamp": "2026-05-28 22:01:58,068",
            "thread_id": "5448",
            "caller": "0x7ff6c28c3779",
            "parentcaller": "0x7ff6c28c31c6",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000798"
              }
            ],
            "repeated": 0,
            "id": 7953
          },
          {
            "timestamp": "2026-05-28 22:01:58,068",
            "thread_id": "5448",
            "caller": "0x7ff6c28c05ac",
            "parentcaller": "0x7ff6c28bdc11",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000798"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001400",
                "pretty_value": "PROCESS_QUERY_INFORMATION|PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "5536"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\SystemApps\\Microsoft.Windows.Search_cw5n1h2txyewy\\SearchApp.exe"
              }
            ],
            "repeated": 0,
            "id": 7954
          },
          {
            "timestamp": "2026-05-28 22:01:58,068",
            "thread_id": "5448",
            "caller": "0x7ff6c28c068f",
            "parentcaller": "0x7ff6c28bdc11",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000798"
              }
            ],
            "repeated": 0,
            "id": 7955
          },
          {
            "timestamp": "2026-05-28 22:01:58,068",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c837c",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000798"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001000",
                "pretty_value": "PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "5536"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\SystemApps\\Microsoft.Windows.Search_cw5n1h2txyewy\\SearchApp.exe"
              }
            ],
            "repeated": 0,
            "id": 7956
          },
          {
            "timestamp": "2026-05-28 22:01:58,068",
            "thread_id": "5448",
            "caller": "0x7ff6c28c472e",
            "parentcaller": "0x7ff6c28c8392",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000798"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x00000764"
              }
            ],
            "repeated": 0,
            "id": 7957
          },
          {
            "timestamp": "2026-05-28 22:01:58,068",
            "thread_id": "5448",
            "caller": "0x7ff6c28c4764",
            "parentcaller": "0x7ff6c28c8392",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "39"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 7958
          },
          {
            "timestamp": "2026-05-28 22:01:58,068",
            "thread_id": "5448",
            "caller": "0x7ff6c28c47ed",
            "parentcaller": "0x7ff6c28c8392",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "39"
              },
              {
                "name": "TokenInformation",
                "value": "\\x01\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\xe0L$T\\x92\\x02\\x00\\x00\\x1c\\x00\\x1c\\x00\\x00\\x00\\x00\\x00\\x80M$T\\x92\\x02\\x00\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xa0M$T\\x92\\x02\\x00\\x00\\x12\\x00\\x12\\x00\\x00\\x00\\x00\\x00\\xb6N$T\\x92\\x02\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xc8N$T\\x92\\x02\\x00\\x00\\x1e\\x00\\x1e\\x00\\x00\\x00\\x00\\x00\\xd0N$T\\x92\\x02\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xf0N$T\\x92\\x02\\x00\\x00 \\x00 \\x00\\x00\\x00\\x00\\x00\\xf8N$T\\x92\\x02\\x00\\x00\\x02\\x00\\x00\\x00A\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x18O$T\\x92\\x02\\x00\\x00W\\x00I\\x00N\\x00:\\x00/\\x00/\\x00S\\x00Y\\x00S\\x00A\\x00P\\x00P\\x00I\\x00D\\x00\\x00\\x00\\x00\\x00\\x88\\x00\\x88\\x00\\x00\\x00\\x00\\x00\\xd0M$T\\x92\\x02\\x00\\x00\\x12\\x00\\x12\\x00\\x00\\x00\\x00\\x00XN$T\\x92\\x02\\x00\\x00L\\x00L\\x00\\x00\\x00\\x00\\x00jN$T\\x92\\x02\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 7959
          },
          {
            "timestamp": "2026-05-28 22:01:58,068",
            "thread_id": "5448",
            "caller": "0x7ff6c28c488d",
            "parentcaller": "0x7ff6c28c8392",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000764"
              }
            ],
            "repeated": 0,
            "id": 7960
          },
          {
            "timestamp": "2026-05-28 22:01:58,068",
            "thread_id": "5448",
            "caller": "0x7ff6c28c83a8",
            "parentcaller": "0x7ff6c28c8427",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000798"
              }
            ],
            "repeated": 0,
            "id": 7961
          },
          {
            "timestamp": "2026-05-28 22:01:58,068",
            "thread_id": "5448",
            "caller": "0x7ff6c28c883e",
            "parentcaller": "0x7ff6c28c846b",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0xfffffffc"
              }
            ],
            "repeated": 0,
            "id": 7962
          },
          {
            "timestamp": "2026-05-28 22:01:58,068",
            "thread_id": "5448",
            "caller": "0x7ff6c28c883e",
            "parentcaller": "0x7ff6c28c846b",
            "category": "process",
            "api": "NtOpenSection",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000004"
              },
              {
                "name": "ObjectAttributes",
                "value": "Local\\C:*Users*admin*AppData*Local*Microsoft*Windows*Caches*cversions.3"
              }
            ],
            "repeated": 0,
            "id": 7963
          },
          {
            "timestamp": "2026-05-28 22:01:58,068",
            "thread_id": "5448",
            "caller": "0x7ff6c28c883e",
            "parentcaller": "0x7ff6c28c846b",
            "category": "process",
            "api": "NtOpenSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000798"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000004"
              },
              {
                "name": "ObjectAttributes",
                "value": "Local\\C:*Users*admin*AppData*Local*Microsoft*Windows*Caches*cversions.3.ro"
              }
            ],
            "repeated": 0,
            "id": 7964
          },
          {
            "timestamp": "2026-05-28 22:01:58,068",
            "thread_id": "5448",
            "caller": "0x7ff6c28c883e",
            "parentcaller": "0x7ff6c28c846b",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000798"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x292546a0000"
              },
              {
                "name": "SectionOffset",
                "value": "0xf09ddfd350"
              },
              {
                "name": "ViewSize",
                "value": "0x00004000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 7965
          },
          {
            "timestamp": "2026-05-28 22:01:58,068",
            "thread_id": "5448",
            "caller": "0x7ff6c28c883e",
            "parentcaller": "0x7ff6c28c846b",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 7966
          },
          {
            "timestamp": "2026-05-28 22:01:58,068",
            "thread_id": "5448",
            "caller": "0x7ff6c28c883e",
            "parentcaller": "0x7ff6c28c846b",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0xfffffffc"
              }
            ],
            "repeated": 0,
            "id": 7967
          },
          {
            "timestamp": "2026-05-28 22:01:58,068",
            "thread_id": "5448",
            "caller": "0x7ff6c28c883e",
            "parentcaller": "0x7ff6c28c846b",
            "category": "process",
            "api": "NtOpenSection",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000004"
              },
              {
                "name": "ObjectAttributes",
                "value": "Local\\C:*Users*admin*AppData*Local*Microsoft*Windows*Caches*cversions.3"
              }
            ],
            "repeated": 0,
            "id": 7968
          },
          {
            "timestamp": "2026-05-28 22:01:58,068",
            "thread_id": "5448",
            "caller": "0x7ff6c28c883e",
            "parentcaller": "0x7ff6c28c846b",
            "category": "process",
            "api": "NtOpenSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000764"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000004"
              },
              {
                "name": "ObjectAttributes",
                "value": "Local\\C:*Users*admin*AppData*Local*Microsoft*Windows*Caches*cversions.3.ro"
              }
            ],
            "repeated": 0,
            "id": 7969
          },
          {
            "timestamp": "2026-05-28 22:01:58,068",
            "thread_id": "5448",
            "caller": "0x7ff6c28c883e",
            "parentcaller": "0x7ff6c28c846b",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000764"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x292546b0000"
              },
              {
                "name": "SectionOffset",
                "value": "0xf09ddfce40"
              },
              {
                "name": "ViewSize",
                "value": "0x00004000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 7970
          },
          {
            "timestamp": "2026-05-28 22:01:58,068",
            "thread_id": "5448",
            "caller": "0x7ff6c28c883e",
            "parentcaller": "0x7ff6c28c846b",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "0",
                "pretty_value": "ThreadBasicInformation"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x03\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xf0\\x86\\x9d\\xf0\\x00\\x00\\x00\\xe8\\x1e\\x00\\x00\\x00\\x00\\x00\\x00H\\x15\\x00\\x00\\x00\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x0e\\x00\\x00\\x00\\x02\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "5448"
              }
            ],
            "repeated": 0,
            "id": 7971
          },
          {
            "timestamp": "2026-05-28 22:01:58,068",
            "thread_id": "3700",
            "caller": "0x7ffc7571ebae",
            "parentcaller": "0x7ffc775f84de",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "0",
                "pretty_value": "ThreadBasicInformation"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x03\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xf0\\x87\\x9d\\xf0\\x00\\x00\\x00\\xe8\\x1e\\x00\\x00\\x00\\x00\\x00\\x00t\\x0e\\x00\\x00\\x00\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x0b\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "3700"
              }
            ],
            "repeated": 0,
            "id": 7972
          },
          {
            "timestamp": "2026-05-28 22:01:58,068",
            "thread_id": "3700",
            "caller": "0x7ffc77b9cd6e",
            "parentcaller": "0x7ffc77b9c76f",
            "category": "system",
            "api": "IsDebuggerPresent",
            "status": false,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 7973
          },
          {
            "timestamp": "2026-05-28 22:01:58,068",
            "thread_id": "3700",
            "caller": "0x7ffc756e54eb",
            "parentcaller": "0x7ffc6126c697",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 7974
          },
          {
            "timestamp": "2026-05-28 22:01:58,068",
            "thread_id": "3700",
            "caller": "0x7ffc756e54eb",
            "parentcaller": "0x7ffc6126c717",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "`\\xa4\"T\\x92\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\\\x00W\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\xe9\\x03\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 7975
          },
          {
            "timestamp": "2026-05-28 22:01:58,068",
            "thread_id": "3700",
            "caller": "0x7ffc77be92b9",
            "parentcaller": "0x7ffc77c2224d",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "00000339-0000-0000-C000-000000000046"
              },
              {
                "name": "ClsContext",
                "value": "0x00000403",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER|CLSCTX_NO_CODE_DOWNLOAD"
              },
              {
                "name": "riid",
                "value": "00000003-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 7976
          },
          {
            "timestamp": "2026-05-28 22:01:58,068",
            "thread_id": "3700",
            "caller": "0x7ffc77b9cd6e",
            "parentcaller": "0x7ffc77b9c76f",
            "category": "system",
            "api": "IsDebuggerPresent",
            "status": false,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Status",
                "value": "Log limit reached"
              }
            ],
            "repeated": 0,
            "id": 7977
          },
          {
            "timestamp": "2026-05-28 22:01:58,068",
            "thread_id": "3700",
            "caller": "0x7ffc77be92b9",
            "parentcaller": "0x7ffc77c2224d",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "00000339-0000-0000-C000-000000000046"
              },
              {
                "name": "ClsContext",
                "value": "0x00000403",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER|CLSCTX_NO_CODE_DOWNLOAD"
              },
              {
                "name": "riid",
                "value": "00000003-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 2,
            "id": 7978
          },
          {
            "timestamp": "2026-05-28 22:01:58,068",
            "thread_id": "3700",
            "caller": "0x7ffc6a6a12d2",
            "parentcaller": "0x7ffc756bdf5c",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache"
              },
              {
                "name": "Handle",
                "value": "0x0000073c"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache"
              }
            ],
            "repeated": 0,
            "id": 7979
          },
          {
            "timestamp": "2026-05-28 22:01:58,068",
            "thread_id": "3700",
            "caller": "0x7ffc6a6a1a81",
            "parentcaller": "0x7ffc6a6a138a",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x0000073c"
              },
              {
                "name": "SubKey",
                "value": "Metadata"
              },
              {
                "name": "Handle",
                "value": "0x0000079c"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\Metadata"
              }
            ],
            "repeated": 0,
            "id": 7980
          },
          {
            "timestamp": "2026-05-28 22:01:58,068",
            "thread_id": "3700",
            "caller": "0x7ffc6a6a1166",
            "parentcaller": "0x7ffc756bf579",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x0000073c"
              },
              {
                "name": "SubKey",
                "value": "Package\\Index\\PackageFullName\\Microsoft.Windows.Search_1.14.10.19041_neutral_neutral_cw5n1h2txyewy"
              },
              {
                "name": "Handle",
                "value": "0x000007a0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\Package\\Index\\PackageFullName\\Microsoft.Windows.Search_1.14.10.19041_neutral_neutral_cw5n1h2txyewy"
              }
            ],
            "repeated": 0,
            "id": 7981
          },
          {
            "timestamp": "2026-05-28 22:01:58,068",
            "thread_id": "3700",
            "caller": "0x7ffc6a6a1732",
            "parentcaller": "0x7ffc756bf7dc",
            "category": "registry",
            "api": "RegEnumKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000007a0"
              },
              {
                "name": "Index",
                "value": "0"
              },
              {
                "name": "Name",
                "value": "1a"
              },
              {
                "name": "Class",
                "value": ""
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\Package\\Index\\PackageFullName\\Microsoft.Windows.Search_1.14.10.19041_neutral_neutral_cw5n1h2txyewy\\1a"
              }
            ],
            "repeated": 0,
            "id": 7982
          },
          {
            "timestamp": "2026-05-28 22:01:58,068",
            "thread_id": "3700",
            "caller": "0x7ffc6a6a1651",
            "parentcaller": "0x7ffc756bf5fd",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000007a0"
              }
            ],
            "repeated": 0,
            "id": 7983
          },
          {
            "timestamp": "2026-05-28 22:01:58,068",
            "thread_id": "3700",
            "caller": "0x7ffc756e54eb",
            "parentcaller": "0x7ffc75725e2d",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 7984
          },
          {
            "timestamp": "2026-05-28 22:01:58,068",
            "thread_id": "3700",
            "caller": "0x7ffc756e54eb",
            "parentcaller": "0x7ffc75725e8b",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "`\\xa5\"T\\x92\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\xfc\\x7f\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\xe9\\x03\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 7985
          },
          {
            "timestamp": "2026-05-28 22:01:58,068",
            "thread_id": "3700",
            "caller": "0x7ffc6a6a1166",
            "parentcaller": "0x7ffc756bebe9",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x0000073c"
              },
              {
                "name": "SubKey",
                "value": "User\\Index\\UserSid\\S-1-5-21-3968686040-3210279463-847977608-1001"
              },
              {
                "name": "Handle",
                "value": "0x000007a0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\User\\Index\\UserSid\\S-1-5-21-3968686040-3210279463-847977608-1001"
              }
            ],
            "repeated": 0,
            "id": 7986
          },
          {
            "timestamp": "2026-05-28 22:01:58,068",
            "thread_id": "3700",
            "caller": "0x7ffc6a6a1732",
            "parentcaller": "0x7ffc756bf7dc",
            "category": "registry",
            "api": "RegEnumKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000007a0"
              },
              {
                "name": "Index",
                "value": "0"
              },
              {
                "name": "Name",
                "value": "3"
              },
              {
                "name": "Class",
                "value": ""
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\User\\Index\\UserSid\\S-1-5-21-3968686040-3210279463-847977608-1001\\3"
              }
            ],
            "repeated": 0,
            "id": 7987
          },
          {
            "timestamp": "2026-05-28 22:01:58,068",
            "thread_id": "3700",
            "caller": "0x7ffc6a6a1651",
            "parentcaller": "0x7ffc756bec6d",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000007a0"
              }
            ],
            "repeated": 0,
            "id": 7988
          },
          {
            "timestamp": "2026-05-28 22:01:58,068",
            "thread_id": "3700",
            "caller": "0x7ffc6a6a1166",
            "parentcaller": "0x7ffc756be9b0",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x0000073c"
              },
              {
                "name": "SubKey",
                "value": "PackageExternalLocation\\Index\\UserAndPackage\\3^1a"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\PackageExternalLocation\\Index\\UserAndPackage\\3^1a"
              }
            ],
            "repeated": 0,
            "id": 7989
          },
          {
            "timestamp": "2026-05-28 22:01:58,068",
            "thread_id": "3700",
            "caller": "0x7ffc6a6a1166",
            "parentcaller": "0x7ffc756be9b0",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x0000073c"
              },
              {
                "name": "SubKey",
                "value": "PackageExternalLocation\\Index\\UserAndPackage\\0^1a"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\PackageExternalLocation\\Index\\UserAndPackage\\0^1a"
              }
            ],
            "repeated": 0,
            "id": 7990
          },
          {
            "timestamp": "2026-05-28 22:01:58,068",
            "thread_id": "3700",
            "caller": "0x7ffc6a6a1166",
            "parentcaller": "0x7ffc756bf308",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x0000073c"
              },
              {
                "name": "SubKey",
                "value": "Package\\Data\\1a"
              },
              {
                "name": "Handle",
                "value": "0x000007a0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\Package\\Data\\1a"
              }
            ],
            "repeated": 0,
            "id": 7991
          },
          {
            "timestamp": "2026-05-28 22:01:58,068",
            "thread_id": "3700",
            "caller": "0x7ffc6a6a15ac",
            "parentcaller": "0x7ffc6a6a14ff",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000007a0"
              },
              {
                "name": "ValueName",
                "value": "InstalledLocation"
              },
              {
                "name": "Data",
                "value": "C:\\Windows\\SystemApps\\Microsoft.Windows.Search_cw5n1h2txyewy"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\Package\\Data\\1a\\InstalledLocation"
              }
            ],
            "repeated": 0,
            "id": 7992
          },
          {
            "timestamp": "2026-05-28 22:01:58,068",
            "thread_id": "3700",
            "caller": "0x7ffc6a6a15ac",
            "parentcaller": "0x7ffc6a6a14ff",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000007a0"
              },
              {
                "name": "ValueName",
                "value": "MutableLink"
              },
              {
                "name": "Data",
                "value": ""
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\Package\\Data\\1a\\MutableLink"
              }
            ],
            "repeated": 0,
            "id": 7993
          },
          {
            "timestamp": "2026-05-28 22:01:58,068",
            "thread_id": "3700",
            "caller": "0x7ffc6a6a1651",
            "parentcaller": "0x7ffc756bed38",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000007a0"
              }
            ],
            "repeated": 0,
            "id": 7994
          },
          {
            "timestamp": "2026-05-28 22:01:58,068",
            "thread_id": "3700",
            "caller": "0x7ffc6a6a17f2",
            "parentcaller": "0x7ffc756be12f",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000079c"
              }
            ],
            "repeated": 0,
            "id": 7995
          },
          {
            "timestamp": "2026-05-28 22:01:58,068",
            "thread_id": "3700",
            "caller": "0x7ffc6a6a180b",
            "parentcaller": "0x7ffc756be12f",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000073c"
              }
            ],
            "repeated": 0,
            "id": 7996
          },
          {
            "timestamp": "2026-05-28 22:01:58,068",
            "thread_id": "3700",
            "caller": "0x7ffc6a6a12d2",
            "parentcaller": "0x7ffc756bdf5c",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache"
              },
              {
                "name": "Handle",
                "value": "0x0000073c"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache"
              }
            ],
            "repeated": 0,
            "id": 7997
          },
          {
            "timestamp": "2026-05-28 22:01:58,068",
            "thread_id": "3700",
            "caller": "0x7ffc6a6a1a81",
            "parentcaller": "0x7ffc6a6a138a",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x0000073c"
              },
              {
                "name": "SubKey",
                "value": "Metadata"
              },
              {
                "name": "Handle",
                "value": "0x0000079c"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\Metadata"
              }
            ],
            "repeated": 0,
            "id": 7998
          },
          {
            "timestamp": "2026-05-28 22:01:58,068",
            "thread_id": "3700",
            "caller": "0x7ffc6a6a1166",
            "parentcaller": "0x7ffc756bf579",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x0000073c"
              },
              {
                "name": "SubKey",
                "value": "Package\\Index\\PackageFullName\\Microsoft.Windows.Search_1.14.10.19041_neutral_neutral_cw5n1h2txyewy"
              },
              {
                "name": "Handle",
                "value": "0x000007a0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\Package\\Index\\PackageFullName\\Microsoft.Windows.Search_1.14.10.19041_neutral_neutral_cw5n1h2txyewy"
              }
            ],
            "repeated": 0,
            "id": 7999
          },
          {
            "timestamp": "2026-05-28 22:01:58,068",
            "thread_id": "3700",
            "caller": "0x7ffc6a6a1732",
            "parentcaller": "0x7ffc756bf7dc",
            "category": "registry",
            "api": "RegEnumKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000007a0"
              },
              {
                "name": "Index",
                "value": "0"
              },
              {
                "name": "Name",
                "value": "1a"
              },
              {
                "name": "Class",
                "value": ""
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\Package\\Index\\PackageFullName\\Microsoft.Windows.Search_1.14.10.19041_neutral_neutral_cw5n1h2txyewy\\1a"
              }
            ],
            "repeated": 0,
            "id": 8000
          },
          {
            "timestamp": "2026-05-28 22:01:58,068",
            "thread_id": "3700",
            "caller": "0x7ffc6a6a1651",
            "parentcaller": "0x7ffc756bf5fd",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000007a0"
              }
            ],
            "repeated": 0,
            "id": 8001
          },
          {
            "timestamp": "2026-05-28 22:01:58,068",
            "thread_id": "3700",
            "caller": "0x7ffc756e54eb",
            "parentcaller": "0x7ffc75725e2d",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 8002
          },
          {
            "timestamp": "2026-05-28 22:01:58,068",
            "thread_id": "3700",
            "caller": "0x7ffc756e54eb",
            "parentcaller": "0x7ffc75725e8b",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "`\\xa5\"T\\x92\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\xfc\\x7f\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\xe9\\x03\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 8003
          },
          {
            "timestamp": "2026-05-28 22:01:58,068",
            "thread_id": "3700",
            "caller": "0x7ffc6a6a1166",
            "parentcaller": "0x7ffc756bebe9",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x0000073c"
              },
              {
                "name": "SubKey",
                "value": "User\\Index\\UserSid\\S-1-5-21-3968686040-3210279463-847977608-1001"
              },
              {
                "name": "Handle",
                "value": "0x000007a0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\User\\Index\\UserSid\\S-1-5-21-3968686040-3210279463-847977608-1001"
              }
            ],
            "repeated": 0,
            "id": 8004
          },
          {
            "timestamp": "2026-05-28 22:01:58,068",
            "thread_id": "3700",
            "caller": "0x7ffc6a6a1732",
            "parentcaller": "0x7ffc756bf7dc",
            "category": "registry",
            "api": "RegEnumKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000007a0"
              },
              {
                "name": "Index",
                "value": "0"
              },
              {
                "name": "Name",
                "value": "3"
              },
              {
                "name": "Class",
                "value": ""
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\User\\Index\\UserSid\\S-1-5-21-3968686040-3210279463-847977608-1001\\3"
              }
            ],
            "repeated": 0,
            "id": 8005
          },
          {
            "timestamp": "2026-05-28 22:01:58,068",
            "thread_id": "3700",
            "caller": "0x7ffc6a6a1651",
            "parentcaller": "0x7ffc756bec6d",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000007a0"
              }
            ],
            "repeated": 0,
            "id": 8006
          },
          {
            "timestamp": "2026-05-28 22:01:58,068",
            "thread_id": "3700",
            "caller": "0x7ffc6a6a1166",
            "parentcaller": "0x7ffc756be9b0",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x0000073c"
              },
              {
                "name": "SubKey",
                "value": "PackageExternalLocation\\Index\\UserAndPackage\\3^1a"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\PackageExternalLocation\\Index\\UserAndPackage\\3^1a"
              }
            ],
            "repeated": 0,
            "id": 8007
          },
          {
            "timestamp": "2026-05-28 22:01:58,068",
            "thread_id": "3700",
            "caller": "0x7ffc6a6a1166",
            "parentcaller": "0x7ffc756be9b0",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x0000073c"
              },
              {
                "name": "SubKey",
                "value": "PackageExternalLocation\\Index\\UserAndPackage\\0^1a"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\PackageExternalLocation\\Index\\UserAndPackage\\0^1a"
              }
            ],
            "repeated": 0,
            "id": 8008
          },
          {
            "timestamp": "2026-05-28 22:01:58,068",
            "thread_id": "3700",
            "caller": "0x7ffc6a6a1166",
            "parentcaller": "0x7ffc756bf308",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x0000073c"
              },
              {
                "name": "SubKey",
                "value": "Package\\Data\\1a"
              },
              {
                "name": "Handle",
                "value": "0x000007a0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\Package\\Data\\1a"
              }
            ],
            "repeated": 0,
            "id": 8009
          },
          {
            "timestamp": "2026-05-28 22:01:58,068",
            "thread_id": "3700",
            "caller": "0x7ffc6a6a15ac",
            "parentcaller": "0x7ffc6a6a14ff",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000007a0"
              },
              {
                "name": "ValueName",
                "value": "InstalledLocation"
              },
              {
                "name": "Data",
                "value": "C:\\Windows\\SystemApps\\Microsoft.Windows.Search_cw5n1h2txyewy"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\Package\\Data\\1a\\InstalledLocation"
              }
            ],
            "repeated": 0,
            "id": 8010
          },
          {
            "timestamp": "2026-05-28 22:01:58,068",
            "thread_id": "3700",
            "caller": "0x7ffc6a6a15ac",
            "parentcaller": "0x7ffc6a6a14ff",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000007a0"
              },
              {
                "name": "ValueName",
                "value": "MutableLink"
              },
              {
                "name": "Data",
                "value": ""
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\Package\\Data\\1a\\MutableLink"
              }
            ],
            "repeated": 0,
            "id": 8011
          },
          {
            "timestamp": "2026-05-28 22:01:58,068",
            "thread_id": "3700",
            "caller": "0x7ffc6a6a1651",
            "parentcaller": "0x7ffc756bed38",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000007a0"
              }
            ],
            "repeated": 0,
            "id": 8012
          },
          {
            "timestamp": "2026-05-28 22:01:58,068",
            "thread_id": "3700",
            "caller": "0x7ffc6a6a17f2",
            "parentcaller": "0x7ffc756be12f",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000079c"
              }
            ],
            "repeated": 0,
            "id": 8013
          },
          {
            "timestamp": "2026-05-28 22:01:58,068",
            "thread_id": "3700",
            "caller": "0x7ffc6a6a180b",
            "parentcaller": "0x7ffc756be12f",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000073c"
              }
            ],
            "repeated": 0,
            "id": 8014
          },
          {
            "timestamp": "2026-05-28 22:01:58,068",
            "thread_id": "3700",
            "caller": "0x7ffc77be92b9",
            "parentcaller": "0x7ffc77c21dfa",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "41FD88F7-F295-4D39-91AC-A85F3149A05B"
              },
              {
                "name": "ClsContext",
                "value": "0x00000403",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER|CLSCTX_NO_CODE_DOWNLOAD"
              },
              {
                "name": "riid",
                "value": "00000003-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 2,
            "id": 8015
          },
          {
            "timestamp": "2026-05-28 22:01:58,068",
            "thread_id": "3700",
            "caller": "0x7ffc756e3a9c",
            "parentcaller": "0x7ffc756e3529",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 8016
          },
          {
            "timestamp": "2026-05-28 22:01:58,068",
            "thread_id": "3700",
            "caller": "0x7ffc756e40c4",
            "parentcaller": "0x7ffc756e3f4b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000000d4"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 8017
          },
          {
            "timestamp": "2026-05-28 22:01:58,068",
            "thread_id": "3700",
            "caller": "0x7ffc756e3f76",
            "parentcaller": "0x7ffc75764fd4",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020119",
                "pretty_value": "KEY_QUERY_VALUE|KEY_ENUMERATE_SUB_KEYS|KEY_NOTIFY|KEY_WOW64_64KEY|STANDARD_RIGHTS_REQUIRED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000000d4"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateChange\\PackageList\\Microsoft.Windows.Search_1.14.10.19041_neutral_neutral_cw5n1h2txyewy"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateChange\\PackageList\\Microsoft.Windows.Search_1.14.10.19041_neutral_neutral_cw5n1h2txyewy"
              }
            ],
            "repeated": 0,
            "id": 8018
          },
          {
            "timestamp": "2026-05-28 22:01:58,068",
            "thread_id": "3700",
            "caller": "0x7ffc756c26e8",
            "parentcaller": "0x7ffc756c279b",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xc0\\xef\\x1f\\x9e\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00c\\x00r\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\xe9\\x03\\x00\\x00S\\x00e\\x00a\\x00r\\x00c\\x00h\\x00_\\x001\\x00.\\x001\\x004\\x00.\\x001\\x000\\x00.\\x001\\x009\\x000\\x004\\x001\\x00"
              }
            ],
            "repeated": 0,
            "id": 8019
          },
          {
            "timestamp": "2026-05-28 22:01:58,068",
            "thread_id": "3700",
            "caller": "0x7ffc756e3a9c",
            "parentcaller": "0x7ffc756e3529",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 8020
          },
          {
            "timestamp": "2026-05-28 22:01:58,068",
            "thread_id": "3700",
            "caller": "0x7ffc756e40c4",
            "parentcaller": "0x7ffc756e3f4b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000720"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 8021
          },
          {
            "timestamp": "2026-05-28 22:01:58,068",
            "thread_id": "3700",
            "caller": "0x7ffc756e3f76",
            "parentcaller": "0x7ffc75764fd4",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000073c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000720"
              },
              {
                "name": "ObjectAttributesName",
                "value": "S-1-5-21-3968686040-3210279463-847977608-1001"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER"
              }
            ],
            "repeated": 0,
            "id": 8022
          },
          {
            "timestamp": "2026-05-28 22:01:58,068",
            "thread_id": "3700",
            "caller": "0x7ffc756e40c4",
            "parentcaller": "0x7ffc756e3f4b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000073c"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 8023
          },
          {
            "timestamp": "2026-05-28 22:01:58,068",
            "thread_id": "3700",
            "caller": "0x7ffc756e3f76",
            "parentcaller": "0x7ffc75764fd4",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000079c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020119",
                "pretty_value": "KEY_QUERY_VALUE|KEY_ENUMERATE_SUB_KEYS|KEY_NOTIFY|KEY_WOW64_64KEY|STANDARD_RIGHTS_REQUIRED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x0000073c"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\Repository\\Packages\\Microsoft.Windows.Search_1.14.10.19041_neutral_neutral_cw5n1h2txyewy"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\Repository\\Packages\\Microsoft.Windows.Search_1.14.10.19041_neutral_neutral_cw5n1h2txyewy"
              }
            ],
            "repeated": 0,
            "id": 8024
          },
          {
            "timestamp": "2026-05-28 22:01:58,068",
            "thread_id": "3700",
            "caller": "0x7ffc756c4086",
            "parentcaller": "0x7ffc756c27b6",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000073c"
              }
            ],
            "repeated": 0,
            "id": 8025
          },
          {
            "timestamp": "2026-05-28 22:01:58,068",
            "thread_id": "3700",
            "caller": "0x7ffc756c40c3",
            "parentcaller": "0x7ffc756c27b6",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000079c"
              },
              {
                "name": "ValueName",
                "value": "PackageStatus"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\Repository\\Packages\\Microsoft.Windows.Search_1.14.10.19041_neutral_neutral_cw5n1h2txyewy\\PackageStatus"
              }
            ],
            "repeated": 0,
            "id": 8026
          },
          {
            "timestamp": "2026-05-28 22:01:58,068",
            "thread_id": "3700",
            "caller": "0x7ffc756c40d4",
            "parentcaller": "0x7ffc756c27b6",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000079c"
              }
            ],
            "repeated": 0,
            "id": 8027
          },
          {
            "timestamp": "2026-05-28 22:01:58,068",
            "thread_id": "3700",
            "caller": "0x7ffc77be92b9",
            "parentcaller": "0x7ffc77c21dfa",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "41FD88F7-F295-4D39-91AC-A85F3149A05B"
              },
              {
                "name": "ClsContext",
                "value": "0x00000403",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER|CLSCTX_NO_CODE_DOWNLOAD"
              },
              {
                "name": "riid",
                "value": "00000003-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 8028
          },
          {
            "timestamp": "2026-05-28 22:01:58,068",
            "thread_id": "3700",
            "caller": "0x7ffc61105d4a",
            "parentcaller": "0x7ffc6110618f",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "DBCE7E40-7345-439D-B12C-114A11819A09"
              },
              {
                "name": "ClsContext",
                "value": "0x00000001",
                "pretty_value": "CLSCTX_INPROC_SERVER"
              },
              {
                "name": "riid",
                "value": "130A2F65-2BE7-4309-9A58-A9052FF2B61C"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 8029
          },
          {
            "timestamp": "2026-05-28 22:01:58,068",
            "thread_id": "3700",
            "caller": "0x7ffc6a6a12d2",
            "parentcaller": "0x7ffc756bdc16",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache"
              },
              {
                "name": "Handle",
                "value": "0x0000079c"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache"
              }
            ],
            "repeated": 0,
            "id": 8030
          },
          {
            "timestamp": "2026-05-28 22:01:58,068",
            "thread_id": "3700",
            "caller": "0x7ffc6a6a1a81",
            "parentcaller": "0x7ffc6a6a138a",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x0000079c"
              },
              {
                "name": "SubKey",
                "value": "Metadata"
              },
              {
                "name": "Handle",
                "value": "0x0000073c"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\Metadata"
              }
            ],
            "repeated": 0,
            "id": 8031
          },
          {
            "timestamp": "2026-05-28 22:01:58,068",
            "thread_id": "3700",
            "caller": "0x7ffc6a6a1166",
            "parentcaller": "0x7ffc756bf579",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x0000079c"
              },
              {
                "name": "SubKey",
                "value": "Package\\Index\\PackageFullName\\Microsoft.Windows.Search_1.14.10.19041_neutral_neutral_cw5n1h2txyewy"
              },
              {
                "name": "Handle",
                "value": "0x000007a0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\Package\\Index\\PackageFullName\\Microsoft.Windows.Search_1.14.10.19041_neutral_neutral_cw5n1h2txyewy"
              }
            ],
            "repeated": 0,
            "id": 8032
          },
          {
            "timestamp": "2026-05-28 22:01:58,068",
            "thread_id": "3700",
            "caller": "0x7ffc6a6a1732",
            "parentcaller": "0x7ffc756bf7dc",
            "category": "registry",
            "api": "RegEnumKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000007a0"
              },
              {
                "name": "Index",
                "value": "0"
              },
              {
                "name": "Name",
                "value": "1a"
              },
              {
                "name": "Class",
                "value": ""
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\Package\\Index\\PackageFullName\\Microsoft.Windows.Search_1.14.10.19041_neutral_neutral_cw5n1h2txyewy\\1a"
              }
            ],
            "repeated": 0,
            "id": 8033
          },
          {
            "timestamp": "2026-05-28 22:01:58,068",
            "thread_id": "3700",
            "caller": "0x7ffc6a6a1651",
            "parentcaller": "0x7ffc756bf5fd",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000007a0"
              }
            ],
            "repeated": 0,
            "id": 8034
          },
          {
            "timestamp": "2026-05-28 22:01:58,068",
            "thread_id": "3700",
            "caller": "0x7ffc6a6a1166",
            "parentcaller": "0x7ffc756bf308",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x0000079c"
              },
              {
                "name": "SubKey",
                "value": "Package\\Data\\1a"
              },
              {
                "name": "Handle",
                "value": "0x000007a0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\Package\\Data\\1a"
              }
            ],
            "repeated": 0,
            "id": 8035
          },
          {
            "timestamp": "2026-05-28 22:01:58,068",
            "thread_id": "3700",
            "caller": "0x7ffc6a6a16ad",
            "parentcaller": "0x7ffc7572d320",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000007a0"
              },
              {
                "name": "ValueName",
                "value": "PackageOrigin"
              },
              {
                "name": "Data",
                "value": "2"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\Package\\Data\\1a\\PackageOrigin"
              }
            ],
            "repeated": 0,
            "id": 8036
          },
          {
            "timestamp": "2026-05-28 22:01:58,068",
            "thread_id": "3700",
            "caller": "0x7ffc6a6a1651",
            "parentcaller": "0x7ffc756bed38",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000007a0"
              }
            ],
            "repeated": 0,
            "id": 8037
          },
          {
            "timestamp": "2026-05-28 22:01:58,068",
            "thread_id": "3700",
            "caller": "0x7ffc6a6a17f2",
            "parentcaller": "0x7ffc756bdcce",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000073c"
              }
            ],
            "repeated": 0,
            "id": 8038
          },
          {
            "timestamp": "2026-05-28 22:01:58,068",
            "thread_id": "3700",
            "caller": "0x7ffc6a6a180b",
            "parentcaller": "0x7ffc756bdcce",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000079c"
              }
            ],
            "repeated": 1,
            "id": 8039
          },
          {
            "timestamp": "2026-05-28 22:01:58,068",
            "thread_id": "3700",
            "caller": "0x7ffc780067b9",
            "parentcaller": "0x7ffc7572ad43",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000073c"
              }
            ],
            "repeated": 0,
            "id": 8040
          },
          {
            "timestamp": "2026-05-28 22:01:58,068",
            "thread_id": "3700",
            "caller": "0x7ffc6a6a12d2",
            "parentcaller": "0x7ffc756bdf5c",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache"
              },
              {
                "name": "Handle",
                "value": "0x0000073c"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache"
              }
            ],
            "repeated": 0,
            "id": 8041
          },
          {
            "timestamp": "2026-05-28 22:01:58,068",
            "thread_id": "3700",
            "caller": "0x7ffc6a6a1a81",
            "parentcaller": "0x7ffc6a6a138a",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x0000073c"
              },
              {
                "name": "SubKey",
                "value": "Metadata"
              },
              {
                "name": "Handle",
                "value": "0x0000079c"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\Metadata"
              }
            ],
            "repeated": 0,
            "id": 8042
          },
          {
            "timestamp": "2026-05-28 22:01:58,068",
            "thread_id": "3700",
            "caller": "0x7ffc6a6a1166",
            "parentcaller": "0x7ffc756bf579",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x0000073c"
              },
              {
                "name": "SubKey",
                "value": "Package\\Index\\PackageFullName\\Microsoft.Windows.Search_1.14.10.19041_neutral_neutral_cw5n1h2txyewy"
              },
              {
                "name": "Handle",
                "value": "0x000007a0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\Package\\Index\\PackageFullName\\Microsoft.Windows.Search_1.14.10.19041_neutral_neutral_cw5n1h2txyewy"
              }
            ],
            "repeated": 0,
            "id": 8043
          },
          {
            "timestamp": "2026-05-28 22:01:58,068",
            "thread_id": "3700",
            "caller": "0x7ffc6a6a1732",
            "parentcaller": "0x7ffc756bf7dc",
            "category": "registry",
            "api": "RegEnumKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000007a0"
              },
              {
                "name": "Index",
                "value": "0"
              },
              {
                "name": "Name",
                "value": "1a"
              },
              {
                "name": "Class",
                "value": ""
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\Package\\Index\\PackageFullName\\Microsoft.Windows.Search_1.14.10.19041_neutral_neutral_cw5n1h2txyewy\\1a"
              }
            ],
            "repeated": 0,
            "id": 8044
          },
          {
            "timestamp": "2026-05-28 22:01:58,068",
            "thread_id": "3700",
            "caller": "0x7ffc6a6a1651",
            "parentcaller": "0x7ffc756bf5fd",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000007a0"
              }
            ],
            "repeated": 0,
            "id": 8045
          },
          {
            "timestamp": "2026-05-28 22:01:58,068",
            "thread_id": "3700",
            "caller": "0x7ffc756e54eb",
            "parentcaller": "0x7ffc75725e2d",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 8046
          },
          {
            "timestamp": "2026-05-28 22:01:58,068",
            "thread_id": "3700",
            "caller": "0x7ffc756e54eb",
            "parentcaller": "0x7ffc75725e8b",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "`\\xac\"T\\x92\\x02\\x00\\x00\\x00\\x00\\x00\\x00o\\x00u\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\xe9\\x03\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 8047
          },
          {
            "timestamp": "2026-05-28 22:01:58,068",
            "thread_id": "3700",
            "caller": "0x7ffc6a6a1166",
            "parentcaller": "0x7ffc756bebe9",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x0000073c"
              },
              {
                "name": "SubKey",
                "value": "User\\Index\\UserSid\\S-1-5-21-3968686040-3210279463-847977608-1001"
              },
              {
                "name": "Handle",
                "value": "0x000007a0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\User\\Index\\UserSid\\S-1-5-21-3968686040-3210279463-847977608-1001"
              }
            ],
            "repeated": 0,
            "id": 8048
          },
          {
            "timestamp": "2026-05-28 22:01:58,068",
            "thread_id": "3700",
            "caller": "0x7ffc6a6a1732",
            "parentcaller": "0x7ffc756bf7dc",
            "category": "registry",
            "api": "RegEnumKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000007a0"
              },
              {
                "name": "Index",
                "value": "0"
              },
              {
                "name": "Name",
                "value": "3"
              },
              {
                "name": "Class",
                "value": ""
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\User\\Index\\UserSid\\S-1-5-21-3968686040-3210279463-847977608-1001\\3"
              }
            ],
            "repeated": 0,
            "id": 8049
          },
          {
            "timestamp": "2026-05-28 22:01:58,068",
            "thread_id": "3700",
            "caller": "0x7ffc6a6a1651",
            "parentcaller": "0x7ffc756bec6d",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000007a0"
              }
            ],
            "repeated": 0,
            "id": 8050
          },
          {
            "timestamp": "2026-05-28 22:01:58,068",
            "thread_id": "3700",
            "caller": "0x7ffc6a6a1166",
            "parentcaller": "0x7ffc756be9b0",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x0000073c"
              },
              {
                "name": "SubKey",
                "value": "PackageExternalLocation\\Index\\UserAndPackage\\3^1a"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\PackageExternalLocation\\Index\\UserAndPackage\\3^1a"
              }
            ],
            "repeated": 0,
            "id": 8051
          },
          {
            "timestamp": "2026-05-28 22:01:58,068",
            "thread_id": "3700",
            "caller": "0x7ffc6a6a1166",
            "parentcaller": "0x7ffc756be9b0",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x0000073c"
              },
              {
                "name": "SubKey",
                "value": "PackageExternalLocation\\Index\\UserAndPackage\\0^1a"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\PackageExternalLocation\\Index\\UserAndPackage\\0^1a"
              }
            ],
            "repeated": 0,
            "id": 8052
          },
          {
            "timestamp": "2026-05-28 22:01:58,068",
            "thread_id": "3700",
            "caller": "0x7ffc6a6a1166",
            "parentcaller": "0x7ffc756bf308",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x0000073c"
              },
              {
                "name": "SubKey",
                "value": "Package\\Data\\1a"
              },
              {
                "name": "Handle",
                "value": "0x000007a0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\Package\\Data\\1a"
              }
            ],
            "repeated": 0,
            "id": 8053
          },
          {
            "timestamp": "2026-05-28 22:01:58,068",
            "thread_id": "3700",
            "caller": "0x7ffc6a6a15ac",
            "parentcaller": "0x7ffc6a6a14ff",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000007a0"
              },
              {
                "name": "ValueName",
                "value": "InstalledLocation"
              },
              {
                "name": "Data",
                "value": "C:\\Windows\\SystemApps\\Microsoft.Windows.Search_cw5n1h2txyewy"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\Package\\Data\\1a\\InstalledLocation"
              }
            ],
            "repeated": 0,
            "id": 8054
          },
          {
            "timestamp": "2026-05-28 22:01:58,068",
            "thread_id": "3700",
            "caller": "0x7ffc6a6a15ac",
            "parentcaller": "0x7ffc6a6a14ff",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000007a0"
              },
              {
                "name": "ValueName",
                "value": "MutableLink"
              },
              {
                "name": "Data",
                "value": ""
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\Package\\Data\\1a\\MutableLink"
              }
            ],
            "repeated": 0,
            "id": 8055
          },
          {
            "timestamp": "2026-05-28 22:01:58,068",
            "thread_id": "3700",
            "caller": "0x7ffc6a6a1651",
            "parentcaller": "0x7ffc756bed38",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000007a0"
              }
            ],
            "repeated": 0,
            "id": 8056
          },
          {
            "timestamp": "2026-05-28 22:01:58,068",
            "thread_id": "3700",
            "caller": "0x7ffc6a6a17f2",
            "parentcaller": "0x7ffc756be12f",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000079c"
              }
            ],
            "repeated": 0,
            "id": 8057
          },
          {
            "timestamp": "2026-05-28 22:01:58,068",
            "thread_id": "3700",
            "caller": "0x7ffc6a6a180b",
            "parentcaller": "0x7ffc756be12f",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000073c"
              }
            ],
            "repeated": 0,
            "id": 8058
          },
          {
            "timestamp": "2026-05-28 22:01:58,068",
            "thread_id": "3700",
            "caller": "0x7ffc6a6a12d2",
            "parentcaller": "0x7ffc6a12f3d5",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache"
              },
              {
                "name": "Handle",
                "value": "0x0000073c"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache"
              }
            ],
            "repeated": 0,
            "id": 8059
          },
          {
            "timestamp": "2026-05-28 22:01:58,068",
            "thread_id": "3700",
            "caller": "0x7ffc6a6a1a81",
            "parentcaller": "0x7ffc6a6a138a",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x0000073c"
              },
              {
                "name": "SubKey",
                "value": "Metadata"
              },
              {
                "name": "Handle",
                "value": "0x0000079c"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\Metadata"
              }
            ],
            "repeated": 0,
            "id": 8060
          },
          {
            "timestamp": "2026-05-28 22:01:58,068",
            "thread_id": "3700",
            "caller": "0x7ffc6a6a1166",
            "parentcaller": "0x7ffc6a14726d",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x0000073c"
              },
              {
                "name": "SubKey",
                "value": "Package\\Index\\PackageFullName\\Microsoft.Windows.Search_1.14.10.19041_neutral_neutral_cw5n1h2txyewy"
              },
              {
                "name": "Handle",
                "value": "0x000007a0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\Package\\Index\\PackageFullName\\Microsoft.Windows.Search_1.14.10.19041_neutral_neutral_cw5n1h2txyewy"
              }
            ],
            "repeated": 0,
            "id": 8061
          },
          {
            "timestamp": "2026-05-28 22:01:58,068",
            "thread_id": "3700",
            "caller": "0x7ffc6a6a1732",
            "parentcaller": "0x7ffc6a1472d1",
            "category": "registry",
            "api": "RegEnumKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000007a0"
              },
              {
                "name": "Index",
                "value": "0"
              },
              {
                "name": "Name",
                "value": "1a"
              },
              {
                "name": "Class",
                "value": ""
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\Package\\Index\\PackageFullName\\Microsoft.Windows.Search_1.14.10.19041_neutral_neutral_cw5n1h2txyewy\\1a"
              }
            ],
            "repeated": 0,
            "id": 8062
          },
          {
            "timestamp": "2026-05-28 22:01:58,068",
            "thread_id": "3700",
            "caller": "0x7ffc6a6a1651",
            "parentcaller": "0x7ffc6a147302",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000007a0"
              }
            ],
            "repeated": 0,
            "id": 8063
          },
          {
            "timestamp": "2026-05-28 22:01:58,068",
            "thread_id": "3700",
            "caller": "0x7ffc6a6a1166",
            "parentcaller": "0x7ffc6a146f0d",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x0000073c"
              },
              {
                "name": "SubKey",
                "value": "Package\\Data\\1a"
              },
              {
                "name": "Handle",
                "value": "0x000007a0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\Package\\Data\\1a"
              }
            ],
            "repeated": 0,
            "id": 8064
          },
          {
            "timestamp": "2026-05-28 22:01:58,068",
            "thread_id": "3700",
            "caller": "0x7ffc6a6a16ad",
            "parentcaller": "0x7ffc6a15d91c",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000007a0"
              },
              {
                "name": "ValueName",
                "value": "Flags"
              },
              {
                "name": "Data",
                "value": "1032"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\Package\\Data\\1a\\Flags"
              }
            ],
            "repeated": 0,
            "id": 8065
          },
          {
            "timestamp": "2026-05-28 22:01:58,068",
            "thread_id": "3700",
            "caller": "0x7ffc6a6a15ac",
            "parentcaller": "0x7ffc6a6a14ff",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000007a0"
              },
              {
                "name": "ValueName",
                "value": "InstalledLocation"
              },
              {
                "name": "Data",
                "value": "C:\\Windows\\SystemApps\\Microsoft.Windows.Search_cw5n1h2txyewy"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\Package\\Data\\1a\\InstalledLocation"
              }
            ],
            "repeated": 0,
            "id": 8066
          },
          {
            "timestamp": "2026-05-28 22:01:58,068",
            "thread_id": "3700",
            "caller": "0x7ffc6a6a1651",
            "parentcaller": "0x7ffc6a146913",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000007a0"
              }
            ],
            "repeated": 0,
            "id": 8067
          },
          {
            "timestamp": "2026-05-28 22:01:58,068",
            "thread_id": "3700",
            "caller": "0x7ffc6a6a17f2",
            "parentcaller": "0x7ffc6a12f481",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000079c"
              }
            ],
            "repeated": 0,
            "id": 8068
          },
          {
            "timestamp": "2026-05-28 22:01:58,068",
            "thread_id": "3700",
            "caller": "0x7ffc6a6a180b",
            "parentcaller": "0x7ffc6a12f481",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000073c"
              }
            ],
            "repeated": 0,
            "id": 8069
          },
          {
            "timestamp": "2026-05-28 22:01:58,068",
            "thread_id": "3700",
            "caller": "0x7ffc78006c8b",
            "parentcaller": "0x7ffc77fe67b5",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xf0\\xe6\\x1f\\x9e\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\xe9\\x03\\x00\\x00\\xf0\\x00\\x00\\x00\\xf05\\x1ej\\xfc\\x7f\\x00\\x00\\x86\\xdequ\\xfc\\x7f\\x00\\x00\\x0b\\x00\\x00\\x00K\\xb4\\x00\\x00\\x00\\x00\\x00\\x00\\xf0\\x00\\x00\\x00@\\xe7\\x1f\\x9e\\xf0\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 8070
          },
          {
            "timestamp": "2026-05-28 22:01:58,068",
            "thread_id": "3700",
            "caller": "0x7ffc77fe67ec",
            "parentcaller": "0x7ffc756c5140",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000073c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3968686040-3210279463-847977608-1001"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER"
              }
            ],
            "repeated": 0,
            "id": 8071
          },
          {
            "timestamp": "2026-05-28 22:01:58,068",
            "thread_id": "3700",
            "caller": "0x7ffc755e2450",
            "parentcaller": "0x7ffc6a13d33f",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x0000073c"
              },
              {
                "name": "SubKey",
                "value": "Software\\Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppContainer\\Storage\\Microsoft.Windows.Search_cw5n1h2txyewy\\ResourcesConfig"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppContainer\\Storage\\Microsoft.Windows.Search_cw5n1h2txyewy\\ResourcesConfig"
              }
            ],
            "repeated": 0,
            "id": 8072
          },
          {
            "timestamp": "2026-05-28 22:01:58,068",
            "thread_id": "3700",
            "caller": "0x7ffc755e2486",
            "parentcaller": "0x7ffc6a13d33f",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000073c"
              }
            ],
            "repeated": 0,
            "id": 8073
          },
          {
            "timestamp": "2026-05-28 22:01:58,068",
            "thread_id": "3700",
            "caller": "0x7ffc7572026b",
            "parentcaller": "0x7ffc6a126110",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x0000073c"
              }
            ],
            "repeated": 0,
            "id": 8074
          },
          {
            "timestamp": "2026-05-28 22:01:58,068",
            "thread_id": "3700",
            "caller": "0x7ffc6a1261a3",
            "parentcaller": "0x7ffc6a126123",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "39"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 8075
          },
          {
            "timestamp": "2026-05-28 22:01:58,068",
            "thread_id": "3700",
            "caller": "0x7ffc6a1261ff",
            "parentcaller": "0x7ffc6a126123",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "39"
              },
              {
                "name": "TokenInformation",
                "value": "\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00P\\xe6\"T\\x92\\x02\\x00\\x00 \\x00 \\x00\\x00\\x00\\x00\\x00x\\xe6\"T\\x92\\x02\\x00\\x00\\x02\\x00\\x00\\x00A\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x98\\xe6\"T\\x92\\x02\\x00\\x00T\\x00S\\x00A\\x00:\\x00/\\x00/\\x00P\\x00r\\x00o\\x00c\\x00U\\x00n\\x00i\\x00q\\x00u\\x00e\\x00\\x88\\x00\\x00\\x00\\x00\\x00\\x00\\x00k\\xc4\t\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 8076
          },
          {
            "timestamp": "2026-05-28 22:01:58,068",
            "thread_id": "3700",
            "caller": "0x7ffc756e6785",
            "parentcaller": "0x7ffc6a126131",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000073c"
              }
            ],
            "repeated": 0,
            "id": 8077
          },
          {
            "timestamp": "2026-05-28 22:01:58,068",
            "thread_id": "3700",
            "caller": "0x7ffc756e3a9c",
            "parentcaller": "0x7ffc756e3529",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 8078
          },
          {
            "timestamp": "2026-05-28 22:01:58,068",
            "thread_id": "3700",
            "caller": "0x7ffc756e40c4",
            "parentcaller": "0x7ffc756e3f4b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000000d4"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 8079
          },
          {
            "timestamp": "2026-05-28 22:01:58,068",
            "thread_id": "3700",
            "caller": "0x7ffc756e3f76",
            "parentcaller": "0x7ffc75764fd4",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000000d4"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Mrt\\_Merged"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Mrt\\_Merged"
              }
            ],
            "repeated": 0,
            "id": 8080
          },
          {
            "timestamp": "2026-05-28 22:01:58,068",
            "thread_id": "3700",
            "caller": "0x7ffc756e1e5c",
            "parentcaller": "0x7ffc6a132bda",
            "category": "filesystem",
            "api": "NtQueryFullAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\SystemApps\\Microsoft.Windows.Search_cw5n1h2txyewy\\resources.pri"
              }
            ],
            "repeated": 0,
            "id": 8081
          },
          {
            "timestamp": "2026-05-28 22:01:58,068",
            "thread_id": "3700",
            "caller": "0x7ffc756e6579",
            "parentcaller": "0x7ffc756e5fe6",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x0000073c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\SystemApps\\Microsoft.Windows.Search_cw5n1h2txyewy\\resources.pri"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 8082
          },
          {
            "timestamp": "2026-05-28 22:01:58,068",
            "thread_id": "3700",
            "caller": "0x7ffc75724097",
            "parentcaller": "0x7ffc6a12ec60",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x0000073c"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\SystemApps\\Microsoft.Windows.Search_cw5n1h2txyewy\\resources.pri"
              },
              {
                "name": "FileInformationClass",
                "value": "5",
                "pretty_value": "FileStandardInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\x000\\x02\\x00\\x00\\x00\\x00\\x000+\\x02\\x00\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 8083
          },
          {
            "timestamp": "2026-05-28 22:01:58,068",
            "thread_id": "3700",
            "caller": "0x7ffc756df0e1",
            "parentcaller": "0x7ffc756def40",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x0000079c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x0000073c"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\SystemApps\\Microsoft.Windows.Search_cw5n1h2txyewy\\resources.pri"
              }
            ],
            "repeated": 0,
            "id": 8084
          },
          {
            "timestamp": "2026-05-28 22:01:58,068",
            "thread_id": "3700",
            "caller": "0x7ffc7571c386",
            "parentcaller": "0x7ffc7571c25e",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x0000079c"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x292546c0000"
              },
              {
                "name": "SectionOffset",
                "value": "0xf09e1fe490"
              },
              {
                "name": "ViewSize",
                "value": "0x00023000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 8085
          },
          {
            "timestamp": "2026-05-28 22:01:58,068",
            "thread_id": "3700",
            "caller": "0x7ffc756e6785",
            "parentcaller": "0x7ffc6a12ed05",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000079c"
              }
            ],
            "repeated": 0,
            "id": 8086
          },
          {
            "timestamp": "2026-05-28 22:01:58,068",
            "thread_id": "3700",
            "caller": "0x7ffc756e6785",
            "parentcaller": "0x7ffc6a12ed17",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000073c"
              }
            ],
            "repeated": 0,
            "id": 8087
          },
          {
            "timestamp": "2026-05-28 22:01:58,068",
            "thread_id": "3700",
            "caller": "0x7ffc756e3a9c",
            "parentcaller": "0x7ffc756e3529",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 8088
          },
          {
            "timestamp": "2026-05-28 22:01:58,068",
            "thread_id": "3700",
            "caller": "0x7ffc756e40c4",
            "parentcaller": "0x7ffc756e3f4b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000000d4"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 8089
          },
          {
            "timestamp": "2026-05-28 22:01:58,068",
            "thread_id": "3700",
            "caller": "0x7ffc756e3f76",
            "parentcaller": "0x7ffc75764fd4",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000000d4"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Mrt\\_Merged"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Mrt\\_Merged"
              }
            ],
            "repeated": 0,
            "id": 8090
          },
          {
            "timestamp": "2026-05-28 22:01:58,068",
            "thread_id": "3700",
            "caller": "0x7ffc6a14535d",
            "parentcaller": "0x7ffc6a1416a5",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 8091
          },
          {
            "timestamp": "2026-05-28 22:01:58,068",
            "thread_id": "3700",
            "caller": "0x7ffc756dfacc",
            "parentcaller": "0x7ffc6a1459f0",
            "category": "filesystem",
            "api": "FindFirstFileExW",
            "status": true,
            "return": "0x2925423c250",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\SystemApps\\Microsoft.Windows.Search_cw5n1h2txyewy\\pris\\resources*.pri"
              },
              {
                "name": "FirstCreateTimeLow",
                "value": "0xb6359d06"
              },
              {
                "name": "FirstCreateTimeHigh",
                "value": "0x01da265c"
              }
            ],
            "repeated": 0,
            "id": 8092
          },
          {
            "timestamp": "2026-05-28 22:01:58,068",
            "thread_id": "3700",
            "caller": "0x7ffc756dbe1d",
            "parentcaller": "0x7ffc6a145add",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000073c"
              }
            ],
            "repeated": 0,
            "id": 8093
          },
          {
            "timestamp": "2026-05-28 22:01:58,068",
            "thread_id": "3700",
            "caller": "0x7ffc69d43c8c",
            "parentcaller": "0x7ffc69d2b448",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "Software\\Microsoft\\LanguageOverlay\\OverlayPackages"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages"
              }
            ],
            "repeated": 0,
            "id": 8094
          },
          {
            "timestamp": "2026-05-28 22:01:58,068",
            "thread_id": "3700",
            "caller": "0x7ffc756dfacc",
            "parentcaller": "0x7ffc6a145869",
            "category": "filesystem",
            "api": "FindFirstFileExW",
            "status": true,
            "return": "0x2925423c670",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\SystemApps\\Microsoft.Windows.Search_cw5n1h2txyewy\\resources.pri"
              },
              {
                "name": "FirstCreateTimeLow",
                "value": "0xb7e9eb50"
              },
              {
                "name": "FirstCreateTimeHigh",
                "value": "0x01da265c"
              }
            ],
            "repeated": 0,
            "id": 8095
          },
          {
            "timestamp": "2026-05-28 22:01:58,068",
            "thread_id": "3700",
            "caller": "0x7ffc756dbe1d",
            "parentcaller": "0x7ffc6a1458f3",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000073c"
              }
            ],
            "repeated": 0,
            "id": 8096
          },
          {
            "timestamp": "2026-05-28 22:01:58,068",
            "thread_id": "3700",
            "caller": "0x7ffc756e3a9c",
            "parentcaller": "0x7ffc756e3529",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 8097
          },
          {
            "timestamp": "2026-05-28 22:01:58,068",
            "thread_id": "3700",
            "caller": "0x7ffc756e40c4",
            "parentcaller": "0x7ffc756e3f4b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000000d4"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 8098
          },
          {
            "timestamp": "2026-05-28 22:01:58,068",
            "thread_id": "3700",
            "caller": "0x7ffc756e3f76",
            "parentcaller": "0x7ffc75764fd4",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000000d4"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Mrt\\_Merged"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Mrt\\_Merged"
              }
            ],
            "repeated": 0,
            "id": 8099
          },
          {
            "timestamp": "2026-05-28 22:01:58,068",
            "thread_id": "3700",
            "caller": "0x7ffc756e1e5c",
            "parentcaller": "0x7ffc6a144f67",
            "category": "filesystem",
            "api": "NtQueryFullAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\rescache\\_merged\\4225414570\\2601266601.pri"
              }
            ],
            "repeated": 1,
            "id": 8100
          },
          {
            "timestamp": "2026-05-28 22:01:58,068",
            "thread_id": "3700",
            "caller": "0x7ffc756e6579",
            "parentcaller": "0x7ffc756e5fe6",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x0000073c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\rescache\\_merged\\4225414570\\2601266601.pri"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 8101
          },
          {
            "timestamp": "2026-05-28 22:01:58,068",
            "thread_id": "3700",
            "caller": "0x7ffc75724097",
            "parentcaller": "0x7ffc6a12ec60",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x0000073c"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\rescache\\_merged\\4225414570\\2601266601.pri"
              },
              {
                "name": "FileInformationClass",
                "value": "5",
                "pretty_value": "FileStandardInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\x00@\\x00\\x00\\x00\\x00\\x00\\x00\\xd0:\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 8102
          },
          {
            "timestamp": "2026-05-28 22:01:58,068",
            "thread_id": "3700",
            "caller": "0x7ffc756df0e1",
            "parentcaller": "0x7ffc756def40",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x0000079c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x0000073c"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\rescache\\_merged\\4225414570\\2601266601.pri"
              }
            ],
            "repeated": 0,
            "id": 8103
          },
          {
            "timestamp": "2026-05-28 22:01:58,068",
            "thread_id": "3700",
            "caller": "0x7ffc7571c386",
            "parentcaller": "0x7ffc7571c25e",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x0000079c"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x292546f0000"
              },
              {
                "name": "SectionOffset",
                "value": "0xf09e1fe350"
              },
              {
                "name": "ViewSize",
                "value": "0x00004000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 8104
          },
          {
            "timestamp": "2026-05-28 22:01:58,068",
            "thread_id": "3700",
            "caller": "0x7ffc756e6785",
            "parentcaller": "0x7ffc6a12ed05",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000079c"
              }
            ],
            "repeated": 0,
            "id": 8105
          },
          {
            "timestamp": "2026-05-28 22:01:58,068",
            "thread_id": "3700",
            "caller": "0x7ffc756e6785",
            "parentcaller": "0x7ffc6a12ed17",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000073c"
              }
            ],
            "repeated": 0,
            "id": 8106
          },
          {
            "timestamp": "2026-05-28 22:01:58,068",
            "thread_id": "3700",
            "caller": "0x7ffc756dfacc",
            "parentcaller": "0x7ffc6a144eb0",
            "category": "filesystem",
            "api": "FindFirstFileExW",
            "status": true,
            "return": "0x2925423c490",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\SystemApps\\Microsoft.Windows.Search_cw5n1h2txyewy\\pris\\resources.en-US.pri"
              },
              {
                "name": "FirstCreateTimeLow",
                "value": "0xb6359d06"
              },
              {
                "name": "FirstCreateTimeHigh",
                "value": "0x01da265c"
              }
            ],
            "repeated": 0,
            "id": 8107
          },
          {
            "timestamp": "2026-05-28 22:01:58,068",
            "thread_id": "3700",
            "caller": "0x7ffc756dbe1d",
            "parentcaller": "0x7ffc6a144ec9",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000073c"
              }
            ],
            "repeated": 0,
            "id": 8108
          },
          {
            "timestamp": "2026-05-28 22:01:58,068",
            "thread_id": "3700",
            "caller": "0x7ffc756e1e5c",
            "parentcaller": "0x7ffc6a132bda",
            "category": "filesystem",
            "api": "NtQueryFullAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\SystemApps\\Microsoft.Windows.Search_cw5n1h2txyewy\\pris\\resources.en-US.pri"
              }
            ],
            "repeated": 0,
            "id": 8109
          },
          {
            "timestamp": "2026-05-28 22:01:58,068",
            "thread_id": "3700",
            "caller": "0x7ffc78006c8b",
            "parentcaller": "0x7ffc77fe67b5",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\x10\\xe0\\x1f\\x9e\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\xe9\\x03\\x00\\x00\\xf0\\x00\\x00\\x00\\xe0w\\x19T\\x92\\x02\\x00\\x00\\x86\\xdequ\\xfc\\x7f\\x00\\x00\\x0b\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\x00\\x00`\\xe0\\x1f\\x9e\\xf0\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 8110
          },
          {
            "timestamp": "2026-05-28 22:01:58,068",
            "thread_id": "3700",
            "caller": "0x7ffc77fe67ec",
            "parentcaller": "0x7ffc756c5140",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000073c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3968686040-3210279463-847977608-1001"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER"
              }
            ],
            "repeated": 0,
            "id": 8111
          },
          {
            "timestamp": "2026-05-28 22:01:58,068",
            "thread_id": "3700",
            "caller": "0x7ffc755e2450",
            "parentcaller": "0x7ffc6a13d33f",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x0000073c"
              },
              {
                "name": "SubKey",
                "value": "Software\\Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppContainer\\Storage\\Microsoft.Windows.Search_cw5n1h2txyewy\\ResourcesConfig"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppContainer\\Storage\\Microsoft.Windows.Search_cw5n1h2txyewy\\ResourcesConfig"
              }
            ],
            "repeated": 0,
            "id": 8112
          },
          {
            "timestamp": "2026-05-28 22:01:58,068",
            "thread_id": "3700",
            "caller": "0x7ffc755e2486",
            "parentcaller": "0x7ffc6a13d33f",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000073c"
              }
            ],
            "repeated": 0,
            "id": 8113
          },
          {
            "timestamp": "2026-05-28 22:01:58,068",
            "thread_id": "3700",
            "caller": "0x7ffc756e6579",
            "parentcaller": "0x7ffc756e5fe6",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x0000073c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\SystemApps\\Microsoft.Windows.Search_cw5n1h2txyewy\\pris\\resources.en-US.pri"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 8114
          },
          {
            "timestamp": "2026-05-28 22:01:58,068",
            "thread_id": "3700",
            "caller": "0x7ffc75724097",
            "parentcaller": "0x7ffc6a12ec60",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x0000073c"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\SystemApps\\Microsoft.Windows.Search_cw5n1h2txyewy\\pris\\resources.en-US.pri"
              },
              {
                "name": "FileInformationClass",
                "value": "5",
                "pretty_value": "FileStandardInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\x000\\x00\\x00\\x00\\x00\\x00\\x00\\x08/\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 8115
          },
          {
            "timestamp": "2026-05-28 22:01:58,068",
            "thread_id": "3700",
            "caller": "0x7ffc756df0e1",
            "parentcaller": "0x7ffc756def40",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x0000079c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x0000073c"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\SystemApps\\Microsoft.Windows.Search_cw5n1h2txyewy\\pris\\resources.en-US.pri"
              }
            ],
            "repeated": 0,
            "id": 8116
          },
          {
            "timestamp": "2026-05-28 22:01:58,068",
            "thread_id": "3700",
            "caller": "0x7ffc7571c386",
            "parentcaller": "0x7ffc7571c25e",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x0000079c"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254700000"
              },
              {
                "name": "SectionOffset",
                "value": "0xf09e1fe180"
              },
              {
                "name": "ViewSize",
                "value": "0x00003000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 8117
          },
          {
            "timestamp": "2026-05-28 22:01:58,068",
            "thread_id": "3700",
            "caller": "0x7ffc756e6785",
            "parentcaller": "0x7ffc6a12ed05",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000079c"
              }
            ],
            "repeated": 0,
            "id": 8118
          },
          {
            "timestamp": "2026-05-28 22:01:58,068",
            "thread_id": "3700",
            "caller": "0x7ffc756e6785",
            "parentcaller": "0x7ffc6a12ed17",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000073c"
              }
            ],
            "repeated": 0,
            "id": 8119
          },
          {
            "timestamp": "2026-05-28 22:01:58,068",
            "thread_id": "3700",
            "caller": "0x7ffc77be92b9",
            "parentcaller": "0x7ffc77c21dfa",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "41FD88F7-F295-4D39-91AC-A85F3149A05B"
              },
              {
                "name": "ClsContext",
                "value": "0x00000403",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER|CLSCTX_NO_CODE_DOWNLOAD"
              },
              {
                "name": "riid",
                "value": "00000003-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 8120
          },
          {
            "timestamp": "2026-05-28 22:01:58,068",
            "thread_id": "3700",
            "caller": "0x7ffc78017830",
            "parentcaller": "0x7ffc780020f9",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc61179000"
              },
              {
                "name": "ModuleName",
                "value": "appresolver.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 8121
          },
          {
            "timestamp": "2026-05-28 22:01:58,068",
            "thread_id": "3700",
            "caller": "0x7ffc78017881",
            "parentcaller": "0x7ffc780020f9",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc61179000"
              },
              {
                "name": "ModuleName",
                "value": "appresolver.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 8122
          },
          {
            "timestamp": "2026-05-28 22:01:58,068",
            "thread_id": "3700",
            "caller": "0x7ffc730ad469",
            "parentcaller": "0x7ffc730ad2ee",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00000042"
              },
              {
                "name": "uiParam",
                "value": "0x00000010"
              }
            ],
            "repeated": 0,
            "id": 8123
          },
          {
            "timestamp": "2026-05-28 22:01:58,068",
            "thread_id": "3700",
            "caller": "0x7ffc756e3a9c",
            "parentcaller": "0x7ffc756e3529",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 8124
          },
          {
            "timestamp": "2026-05-28 22:01:58,068",
            "thread_id": "3700",
            "caller": "0x7ffc756e40c4",
            "parentcaller": "0x7ffc756e3f4b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000278"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 8125
          },
          {
            "timestamp": "2026-05-28 22:01:58,068",
            "thread_id": "3700",
            "caller": "0x7ffc756e3f76",
            "parentcaller": "0x7ffc75764fd4",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000073c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000278"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Accent"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Accent"
              }
            ],
            "repeated": 0,
            "id": 8126
          },
          {
            "timestamp": "2026-05-28 22:01:58,068",
            "thread_id": "3700",
            "caller": "0x7ffc756e2fe4",
            "parentcaller": "0x7ffc730ad551",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000073c"
              },
              {
                "name": "ValueName",
                "value": "AccentPalette"
              },
              {
                "name": "Data",
                "value": "\\xa6\\xd8\\xff\\x00v\\xb9\\xed\\x00B\\x9c\\xe3\\x00\\x00x\\xd7\\x00\\x00Z\\x9e\\x00\\x00Bu\\x00\\x00&B\\x00\\xf7c\\x0c\\x00"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Accent\\AccentPalette"
              }
            ],
            "repeated": 0,
            "id": 8127
          },
          {
            "timestamp": "2026-05-28 22:01:58,068",
            "thread_id": "3700",
            "caller": "0x7ffc756e3018",
            "parentcaller": "0x7ffc730ad551",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000073c"
              }
            ],
            "repeated": 0,
            "id": 8128
          },
          {
            "timestamp": "2026-05-28 22:01:58,084",
            "thread_id": "3700",
            "caller": "0x7ffc77be92b9",
            "parentcaller": "0x7ffc77c21dfa",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "41FD88F7-F295-4D39-91AC-A85F3149A05B"
              },
              {
                "name": "ClsContext",
                "value": "0x00000403",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER|CLSCTX_NO_CODE_DOWNLOAD"
              },
              {
                "name": "riid",
                "value": "00000003-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 4,
            "id": 8129
          },
          {
            "timestamp": "2026-05-28 22:01:58,084",
            "thread_id": "3700",
            "caller": "0x7ffc7571eb53",
            "parentcaller": "0x7ffc6a12e4df",
            "category": "process",
            "api": "NtUnmapViewOfSectionEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x292546c0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00023000"
              },
              {
                "name": "Flags",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 8130
          },
          {
            "timestamp": "2026-05-28 22:01:58,084",
            "thread_id": "3700",
            "caller": "0x7ffc7571eb53",
            "parentcaller": "0x7ffc6a12e4df",
            "category": "process",
            "api": "NtUnmapViewOfSectionEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x292546f0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00004000"
              },
              {
                "name": "Flags",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 8131
          },
          {
            "timestamp": "2026-05-28 22:01:58,084",
            "thread_id": "3700",
            "caller": "0x7ffc7571eb53",
            "parentcaller": "0x7ffc6a12e4df",
            "category": "process",
            "api": "NtUnmapViewOfSectionEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254700000"
              },
              {
                "name": "RegionSize",
                "value": "0x00003000"
              },
              {
                "name": "Flags",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 8132
          },
          {
            "timestamp": "2026-05-28 22:01:58,084",
            "thread_id": "5448",
            "caller": "0x7ff6c28c883e",
            "parentcaller": "0x7ff6c28c846b",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00000042"
              },
              {
                "name": "uiParam",
                "value": "0x00000010"
              }
            ],
            "repeated": 0,
            "id": 8133
          },
          {
            "timestamp": "2026-05-28 22:01:58,084",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c3e56",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x0000073c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001000",
                "pretty_value": "PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "5536"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\SystemApps\\Microsoft.Windows.Search_cw5n1h2txyewy\\SearchApp.exe"
              }
            ],
            "repeated": 0,
            "id": 8134
          },
          {
            "timestamp": "2026-05-28 22:01:58,084",
            "thread_id": "5448",
            "caller": "0x7ff6c28c3ebb",
            "parentcaller": "0x7ff6c28c2d53",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000073c"
              }
            ],
            "repeated": 0,
            "id": 8135
          },
          {
            "timestamp": "2026-05-28 22:01:58,084",
            "thread_id": "5448",
            "caller": "0x7ff6c28c978f",
            "parentcaller": "0x7ff6c28c3d99",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "DBCE7E40-7345-439D-B12C-114A11819A09"
              },
              {
                "name": "ClsContext",
                "value": "0x00000003",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER"
              },
              {
                "name": "riid",
                "value": "130A2F65-2BE7-4309-9A58-A9052FF2B61C"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 8136
          },
          {
            "timestamp": "2026-05-28 22:01:58,084",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache"
              },
              {
                "name": "Handle",
                "value": "0x000007a4"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache"
              }
            ],
            "repeated": 0,
            "id": 8137
          },
          {
            "timestamp": "2026-05-28 22:01:58,084",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x000007a4"
              },
              {
                "name": "SubKey",
                "value": "Metadata"
              },
              {
                "name": "Handle",
                "value": "0x000007a8"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\Metadata"
              }
            ],
            "repeated": 0,
            "id": 8138
          },
          {
            "timestamp": "2026-05-28 22:01:58,084",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x000007a4"
              },
              {
                "name": "SubKey",
                "value": "Package\\Index\\PackageFullName\\Microsoft.Windows.Search_1.14.10.19041_neutral_neutral_cw5n1h2txyewy"
              },
              {
                "name": "Handle",
                "value": "0x000007ac"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\Package\\Index\\PackageFullName\\Microsoft.Windows.Search_1.14.10.19041_neutral_neutral_cw5n1h2txyewy"
              }
            ],
            "repeated": 0,
            "id": 8139
          },
          {
            "timestamp": "2026-05-28 22:01:58,084",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "registry",
            "api": "RegEnumKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000007ac"
              },
              {
                "name": "Index",
                "value": "0"
              },
              {
                "name": "Name",
                "value": "1a"
              },
              {
                "name": "Class",
                "value": ""
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\Package\\Index\\PackageFullName\\Microsoft.Windows.Search_1.14.10.19041_neutral_neutral_cw5n1h2txyewy\\1a"
              }
            ],
            "repeated": 0,
            "id": 8140
          },
          {
            "timestamp": "2026-05-28 22:01:58,084",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000007ac"
              }
            ],
            "repeated": 0,
            "id": 8141
          },
          {
            "timestamp": "2026-05-28 22:01:58,084",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x000007a4"
              },
              {
                "name": "SubKey",
                "value": "Package\\Data\\1a"
              },
              {
                "name": "Handle",
                "value": "0x000007ac"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\Package\\Data\\1a"
              }
            ],
            "repeated": 0,
            "id": 8142
          },
          {
            "timestamp": "2026-05-28 22:01:58,084",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000007ac"
              },
              {
                "name": "ValueName",
                "value": "PackageOrigin"
              },
              {
                "name": "Data",
                "value": "2"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\Package\\Data\\1a\\PackageOrigin"
              }
            ],
            "repeated": 0,
            "id": 8143
          },
          {
            "timestamp": "2026-05-28 22:01:58,084",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000007ac"
              }
            ],
            "repeated": 0,
            "id": 8144
          },
          {
            "timestamp": "2026-05-28 22:01:58,084",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000007a8"
              }
            ],
            "repeated": 0,
            "id": 8145
          },
          {
            "timestamp": "2026-05-28 22:01:58,084",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000007a4"
              }
            ],
            "repeated": 1,
            "id": 8146
          },
          {
            "timestamp": "2026-05-28 22:01:58,084",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000007a8"
              }
            ],
            "repeated": 0,
            "id": 8147
          },
          {
            "timestamp": "2026-05-28 22:01:58,084",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache"
              },
              {
                "name": "Handle",
                "value": "0x000007a8"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache"
              }
            ],
            "repeated": 0,
            "id": 8148
          },
          {
            "timestamp": "2026-05-28 22:01:58,084",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x000007a8"
              },
              {
                "name": "SubKey",
                "value": "Metadata"
              },
              {
                "name": "Handle",
                "value": "0x000007a4"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\Metadata"
              }
            ],
            "repeated": 0,
            "id": 8149
          },
          {
            "timestamp": "2026-05-28 22:01:58,084",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x000007a8"
              },
              {
                "name": "SubKey",
                "value": "Package\\Index\\PackageFullName\\Microsoft.Windows.Search_1.14.10.19041_neutral_neutral_cw5n1h2txyewy"
              },
              {
                "name": "Handle",
                "value": "0x000007ac"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\Package\\Index\\PackageFullName\\Microsoft.Windows.Search_1.14.10.19041_neutral_neutral_cw5n1h2txyewy"
              }
            ],
            "repeated": 0,
            "id": 8150
          },
          {
            "timestamp": "2026-05-28 22:01:58,084",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "registry",
            "api": "RegEnumKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000007ac"
              },
              {
                "name": "Index",
                "value": "0"
              },
              {
                "name": "Name",
                "value": "1a"
              },
              {
                "name": "Class",
                "value": ""
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\Package\\Index\\PackageFullName\\Microsoft.Windows.Search_1.14.10.19041_neutral_neutral_cw5n1h2txyewy\\1a"
              }
            ],
            "repeated": 0,
            "id": 8151
          },
          {
            "timestamp": "2026-05-28 22:01:58,084",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000007ac"
              }
            ],
            "repeated": 0,
            "id": 8152
          },
          {
            "timestamp": "2026-05-28 22:01:58,084",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 8153
          },
          {
            "timestamp": "2026-05-28 22:01:58,084",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "`\\xbf\"T\\x92\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\xe9\\x03\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 8154
          },
          {
            "timestamp": "2026-05-28 22:01:58,084",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x000007a8"
              },
              {
                "name": "SubKey",
                "value": "User\\Index\\UserSid\\S-1-5-21-3968686040-3210279463-847977608-1001"
              },
              {
                "name": "Handle",
                "value": "0x000007ac"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\User\\Index\\UserSid\\S-1-5-21-3968686040-3210279463-847977608-1001"
              }
            ],
            "repeated": 0,
            "id": 8155
          },
          {
            "timestamp": "2026-05-28 22:01:58,084",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "registry",
            "api": "RegEnumKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000007ac"
              },
              {
                "name": "Index",
                "value": "0"
              },
              {
                "name": "Name",
                "value": "3"
              },
              {
                "name": "Class",
                "value": ""
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\User\\Index\\UserSid\\S-1-5-21-3968686040-3210279463-847977608-1001\\3"
              }
            ],
            "repeated": 0,
            "id": 8156
          },
          {
            "timestamp": "2026-05-28 22:01:58,084",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000007ac"
              }
            ],
            "repeated": 0,
            "id": 8157
          },
          {
            "timestamp": "2026-05-28 22:01:58,084",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x000007a8"
              },
              {
                "name": "SubKey",
                "value": "PackageExternalLocation\\Index\\UserAndPackage\\3^1a"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\PackageExternalLocation\\Index\\UserAndPackage\\3^1a"
              }
            ],
            "repeated": 0,
            "id": 8158
          },
          {
            "timestamp": "2026-05-28 22:01:58,084",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x000007a8"
              },
              {
                "name": "SubKey",
                "value": "PackageExternalLocation\\Index\\UserAndPackage\\0^1a"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\PackageExternalLocation\\Index\\UserAndPackage\\0^1a"
              }
            ],
            "repeated": 0,
            "id": 8159
          },
          {
            "timestamp": "2026-05-28 22:01:58,084",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x000007a8"
              },
              {
                "name": "SubKey",
                "value": "Package\\Data\\1a"
              },
              {
                "name": "Handle",
                "value": "0x000007ac"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\Package\\Data\\1a"
              }
            ],
            "repeated": 0,
            "id": 8160
          },
          {
            "timestamp": "2026-05-28 22:01:58,084",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000007ac"
              },
              {
                "name": "ValueName",
                "value": "InstalledLocation"
              },
              {
                "name": "Data",
                "value": "C:\\Windows\\SystemApps\\Microsoft.Windows.Search_cw5n1h2txyewy"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\Package\\Data\\1a\\InstalledLocation"
              }
            ],
            "repeated": 0,
            "id": 8161
          },
          {
            "timestamp": "2026-05-28 22:01:58,084",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000007ac"
              },
              {
                "name": "ValueName",
                "value": "MutableLink"
              },
              {
                "name": "Data",
                "value": ""
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\Package\\Data\\1a\\MutableLink"
              }
            ],
            "repeated": 0,
            "id": 8162
          },
          {
            "timestamp": "2026-05-28 22:01:58,084",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000007ac"
              }
            ],
            "repeated": 0,
            "id": 8163
          },
          {
            "timestamp": "2026-05-28 22:01:58,084",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000007a4"
              }
            ],
            "repeated": 0,
            "id": 8164
          },
          {
            "timestamp": "2026-05-28 22:01:58,084",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000007a8"
              }
            ],
            "repeated": 0,
            "id": 8165
          },
          {
            "timestamp": "2026-05-28 22:01:58,084",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache"
              },
              {
                "name": "Handle",
                "value": "0x000007a8"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache"
              }
            ],
            "repeated": 0,
            "id": 8166
          },
          {
            "timestamp": "2026-05-28 22:01:58,084",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x000007a8"
              },
              {
                "name": "SubKey",
                "value": "Metadata"
              },
              {
                "name": "Handle",
                "value": "0x000007a4"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\Metadata"
              }
            ],
            "repeated": 0,
            "id": 8167
          },
          {
            "timestamp": "2026-05-28 22:01:58,084",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x000007a8"
              },
              {
                "name": "SubKey",
                "value": "Package\\Index\\PackageFullName\\Microsoft.Windows.Search_1.14.10.19041_neutral_neutral_cw5n1h2txyewy"
              },
              {
                "name": "Handle",
                "value": "0x000007ac"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\Package\\Index\\PackageFullName\\Microsoft.Windows.Search_1.14.10.19041_neutral_neutral_cw5n1h2txyewy"
              }
            ],
            "repeated": 0,
            "id": 8168
          },
          {
            "timestamp": "2026-05-28 22:01:58,084",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "registry",
            "api": "RegEnumKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000007ac"
              },
              {
                "name": "Index",
                "value": "0"
              },
              {
                "name": "Name",
                "value": "1a"
              },
              {
                "name": "Class",
                "value": ""
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\Package\\Index\\PackageFullName\\Microsoft.Windows.Search_1.14.10.19041_neutral_neutral_cw5n1h2txyewy\\1a"
              }
            ],
            "repeated": 0,
            "id": 8169
          },
          {
            "timestamp": "2026-05-28 22:01:58,084",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000007ac"
              }
            ],
            "repeated": 0,
            "id": 8170
          },
          {
            "timestamp": "2026-05-28 22:01:58,084",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x000007a8"
              },
              {
                "name": "SubKey",
                "value": "Package\\Data\\1a"
              },
              {
                "name": "Handle",
                "value": "0x000007ac"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\Package\\Data\\1a"
              }
            ],
            "repeated": 0,
            "id": 8171
          },
          {
            "timestamp": "2026-05-28 22:01:58,084",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000007ac"
              },
              {
                "name": "ValueName",
                "value": "Flags"
              },
              {
                "name": "Data",
                "value": "1032"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\Package\\Data\\1a\\Flags"
              }
            ],
            "repeated": 0,
            "id": 8172
          },
          {
            "timestamp": "2026-05-28 22:01:58,084",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000007ac"
              },
              {
                "name": "ValueName",
                "value": "InstalledLocation"
              },
              {
                "name": "Data",
                "value": "C:\\Windows\\SystemApps\\Microsoft.Windows.Search_cw5n1h2txyewy"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\Package\\Data\\1a\\InstalledLocation"
              }
            ],
            "repeated": 0,
            "id": 8173
          },
          {
            "timestamp": "2026-05-28 22:01:58,084",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000007ac"
              }
            ],
            "repeated": 0,
            "id": 8174
          },
          {
            "timestamp": "2026-05-28 22:01:58,084",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000007a4"
              }
            ],
            "repeated": 0,
            "id": 8175
          },
          {
            "timestamp": "2026-05-28 22:01:58,084",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000007a8"
              }
            ],
            "repeated": 0,
            "id": 8176
          },
          {
            "timestamp": "2026-05-28 22:01:58,084",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": " \\xd9\\xdf\\x9d\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\xe9\\x03\\x00\\x00\\xf0\\x00\\x00\\x00\\xf05\\x1ej\\xfc\\x7f\\x00\\x00\\x86\\xdequ\\xfc\\x7f\\x00\\x00\\x0b\\x00\\x00\\x00K\\xb4\\x00\\x00\\x00\\x00\\x00\\x00\\xf0\\x00\\x00\\x00p\\xd9\\xdf\\x9d\\xf0\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 8177
          },
          {
            "timestamp": "2026-05-28 22:01:58,084",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000007a8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3968686040-3210279463-847977608-1001"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER"
              }
            ],
            "repeated": 0,
            "id": 8178
          },
          {
            "timestamp": "2026-05-28 22:01:58,084",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x000007a8"
              },
              {
                "name": "SubKey",
                "value": "Software\\Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppContainer\\Storage\\Microsoft.Windows.Search_cw5n1h2txyewy\\ResourcesConfig"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppContainer\\Storage\\Microsoft.Windows.Search_cw5n1h2txyewy\\ResourcesConfig"
              }
            ],
            "repeated": 0,
            "id": 8179
          },
          {
            "timestamp": "2026-05-28 22:01:58,084",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000007a8"
              }
            ],
            "repeated": 0,
            "id": 8180
          },
          {
            "timestamp": "2026-05-28 22:01:58,084",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x000007a8"
              }
            ],
            "repeated": 0,
            "id": 8181
          },
          {
            "timestamp": "2026-05-28 22:01:58,084",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "39"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 8182
          },
          {
            "timestamp": "2026-05-28 22:01:58,084",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "39"
              },
              {
                "name": "TokenInformation",
                "value": "\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\xd0\\xe9\"T\\x92\\x02\\x00\\x00 \\x00 \\x00\\x00\\x00\\x00\\x00\\xf8\\xe9\"T\\x92\\x02\\x00\\x00\\x02\\x00\\x00\\x00A\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x18\\xea\"T\\x92\\x02\\x00\\x00T\\x00S\\x00A\\x00:\\x00/\\x00/\\x00P\\x00r\\x00o\\x00c\\x00U\\x00n\\x00i\\x00q\\x00u\\x00e\\x00\\x88\\x00\\x00\\x00\\x00\\x00\\x00\\x00k\\xc4\t\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 8183
          },
          {
            "timestamp": "2026-05-28 22:01:58,084",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000007a8"
              }
            ],
            "repeated": 0,
            "id": 8184
          },
          {
            "timestamp": "2026-05-28 22:01:58,084",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 8185
          },
          {
            "timestamp": "2026-05-28 22:01:58,084",
            "thread_id": "3700",
            "caller": "0x7ffc7571ebae",
            "parentcaller": "0x7ffc775c712f",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "0",
                "pretty_value": "ThreadBasicInformation"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x03\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xf0\\x87\\x9d\\xf0\\x00\\x00\\x00\\xe8\\x1e\\x00\\x00\\x00\\x00\\x00\\x00t\\x0e\\x00\\x00\\x00\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "3700"
              }
            ],
            "repeated": 0,
            "id": 8186
          },
          {
            "timestamp": "2026-05-28 22:01:58,084",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000000d4"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Mrt\\_Merged"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Mrt\\_Merged"
              }
            ],
            "repeated": 0,
            "id": 8187
          },
          {
            "timestamp": "2026-05-28 22:01:58,084",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "filesystem",
            "api": "NtQueryFullAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\SystemApps\\Microsoft.Windows.Search_cw5n1h2txyewy\\resources.pri"
              }
            ],
            "repeated": 0,
            "id": 8188
          },
          {
            "timestamp": "2026-05-28 22:01:58,084",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000007a8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\SystemApps\\Microsoft.Windows.Search_cw5n1h2txyewy\\resources.pri"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 8189
          },
          {
            "timestamp": "2026-05-28 22:01:58,084",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000007a8"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\SystemApps\\Microsoft.Windows.Search_cw5n1h2txyewy\\resources.pri"
              },
              {
                "name": "FileInformationClass",
                "value": "5",
                "pretty_value": "FileStandardInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\x000\\x02\\x00\\x00\\x00\\x00\\x000+\\x02\\x00\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 8190
          },
          {
            "timestamp": "2026-05-28 22:01:58,084",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x000007a4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x000007a8"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\SystemApps\\Microsoft.Windows.Search_cw5n1h2txyewy\\resources.pri"
              }
            ],
            "repeated": 0,
            "id": 8191
          },
          {
            "timestamp": "2026-05-28 22:01:58,084",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x000007a4"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x292546c0000"
              },
              {
                "name": "SectionOffset",
                "value": "0xf09ddfd6c0"
              },
              {
                "name": "ViewSize",
                "value": "0x00023000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 8192
          },
          {
            "timestamp": "2026-05-28 22:01:58,084",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000007a4"
              }
            ],
            "repeated": 0,
            "id": 8193
          },
          {
            "timestamp": "2026-05-28 22:01:58,084",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000007a8"
              }
            ],
            "repeated": 0,
            "id": 8194
          },
          {
            "timestamp": "2026-05-28 22:01:58,084",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 8195
          },
          {
            "timestamp": "2026-05-28 22:01:58,084",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000000d4"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 8196
          },
          {
            "timestamp": "2026-05-28 22:01:58,084",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000000d4"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Mrt\\_Merged"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Mrt\\_Merged"
              }
            ],
            "repeated": 0,
            "id": 8197
          },
          {
            "timestamp": "2026-05-28 22:01:58,084",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 8198
          },
          {
            "timestamp": "2026-05-28 22:01:58,084",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "filesystem",
            "api": "FindFirstFileExW",
            "status": true,
            "return": "0x2925423b770",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\SystemApps\\Microsoft.Windows.Search_cw5n1h2txyewy\\pris\\resources*.pri"
              },
              {
                "name": "FirstCreateTimeLow",
                "value": "0xb6359d06"
              },
              {
                "name": "FirstCreateTimeHigh",
                "value": "0x01da265c"
              }
            ],
            "repeated": 0,
            "id": 8199
          },
          {
            "timestamp": "2026-05-28 22:01:58,084",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000007a8"
              }
            ],
            "repeated": 0,
            "id": 8200
          },
          {
            "timestamp": "2026-05-28 22:01:58,084",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "Software\\Microsoft\\LanguageOverlay\\OverlayPackages"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages"
              }
            ],
            "repeated": 0,
            "id": 8201
          },
          {
            "timestamp": "2026-05-28 22:01:58,084",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "filesystem",
            "api": "FindFirstFileExW",
            "status": true,
            "return": "0x2925423b770",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\SystemApps\\Microsoft.Windows.Search_cw5n1h2txyewy\\resources.pri"
              },
              {
                "name": "FirstCreateTimeLow",
                "value": "0xb7e9eb50"
              },
              {
                "name": "FirstCreateTimeHigh",
                "value": "0x01da265c"
              }
            ],
            "repeated": 0,
            "id": 8202
          },
          {
            "timestamp": "2026-05-28 22:01:58,084",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000007a8"
              }
            ],
            "repeated": 0,
            "id": 8203
          },
          {
            "timestamp": "2026-05-28 22:01:58,084",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 8204
          },
          {
            "timestamp": "2026-05-28 22:01:58,084",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000000d4"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 8205
          },
          {
            "timestamp": "2026-05-28 22:01:58,084",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000000d4"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Mrt\\_Merged"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Mrt\\_Merged"
              }
            ],
            "repeated": 0,
            "id": 8206
          },
          {
            "timestamp": "2026-05-28 22:01:58,084",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "filesystem",
            "api": "NtQueryFullAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\rescache\\_merged\\4225414570\\2601266601.pri"
              }
            ],
            "repeated": 1,
            "id": 8207
          },
          {
            "timestamp": "2026-05-28 22:01:58,084",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000007a8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\rescache\\_merged\\4225414570\\2601266601.pri"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 8208
          },
          {
            "timestamp": "2026-05-28 22:01:58,084",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000007a8"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\rescache\\_merged\\4225414570\\2601266601.pri"
              },
              {
                "name": "FileInformationClass",
                "value": "5",
                "pretty_value": "FileStandardInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\x00@\\x00\\x00\\x00\\x00\\x00\\x00\\xd0:\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 8209
          },
          {
            "timestamp": "2026-05-28 22:01:58,084",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x000007a4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x000007a8"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\rescache\\_merged\\4225414570\\2601266601.pri"
              }
            ],
            "repeated": 0,
            "id": 8210
          },
          {
            "timestamp": "2026-05-28 22:01:58,084",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x000007a4"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x292546f0000"
              },
              {
                "name": "SectionOffset",
                "value": "0xf09ddfd580"
              },
              {
                "name": "ViewSize",
                "value": "0x00004000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 8211
          },
          {
            "timestamp": "2026-05-28 22:01:58,084",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000007a4"
              }
            ],
            "repeated": 0,
            "id": 8212
          },
          {
            "timestamp": "2026-05-28 22:01:58,084",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000007a8"
              }
            ],
            "repeated": 0,
            "id": 8213
          },
          {
            "timestamp": "2026-05-28 22:01:58,084",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "filesystem",
            "api": "FindFirstFileExW",
            "status": true,
            "return": "0x2925423c8b0",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\SystemApps\\Microsoft.Windows.Search_cw5n1h2txyewy\\pris\\resources.en-US.pri"
              },
              {
                "name": "FirstCreateTimeLow",
                "value": "0xb6359d06"
              },
              {
                "name": "FirstCreateTimeHigh",
                "value": "0x01da265c"
              }
            ],
            "repeated": 0,
            "id": 8214
          },
          {
            "timestamp": "2026-05-28 22:01:58,084",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000007a8"
              }
            ],
            "repeated": 0,
            "id": 8215
          },
          {
            "timestamp": "2026-05-28 22:01:58,084",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "filesystem",
            "api": "NtQueryFullAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\SystemApps\\Microsoft.Windows.Search_cw5n1h2txyewy\\pris\\resources.en-US.pri"
              }
            ],
            "repeated": 0,
            "id": 8216
          },
          {
            "timestamp": "2026-05-28 22:01:58,084",
            "thread_id": "5448",
            "caller": "0x7ff6c28dcbb5",
            "parentcaller": "0x7ff6c28c996f",
            "category": "process",
            "api": "NtUnmapViewOfSectionEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x292546c0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00023000"
              },
              {
                "name": "Flags",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 8217
          },
          {
            "timestamp": "2026-05-28 22:01:58,084",
            "thread_id": "5448",
            "caller": "0x7ff6c28dcbb5",
            "parentcaller": "0x7ff6c28c996f",
            "category": "process",
            "api": "NtUnmapViewOfSectionEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x292546f0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00004000"
              },
              {
                "name": "Flags",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 8218
          },
          {
            "timestamp": "2026-05-28 22:01:58,084",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c38f8",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000007a8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001410",
                "pretty_value": "PROCESS_VM_READ|PROCESS_QUERY_INFORMATION|PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "5536"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\SystemApps\\Microsoft.Windows.Search_cw5n1h2txyewy\\SearchApp.exe"
              }
            ],
            "repeated": 0,
            "id": 8219
          },
          {
            "timestamp": "2026-05-28 22:01:58,084",
            "thread_id": "5448",
            "caller": "0x7ff6c28c53e5",
            "parentcaller": "0x7ff6c28c3945",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000007a8"
              },
              {
                "name": "BaseAddress",
                "value": "0x3501027000"
              },
              {
                "name": "Size",
                "value": "0x000007c8"
              },
              {
                "name": "Buffer",
                "value": "\\x00\\x00\\x004\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\x87\\xeb\\xf6\\x7f\\x00\\x00\\xc0\\xc4\\x13x\\xfc\\x7f\\x00\\x00\\x004 g\\xab\\x01\\x00\\x00\\xd0\\xb1\\x0fp\\xfc\\x7f\\x00\\x00\\x00\\x00\\x0eg\\xab\\x01\\x00\\x00\\xe0\\xc0\\x13x\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00p\\x003v\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\tg\\xab\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00@\\xc4\\x13x\\xfc\\x7f\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\xf0\\x9a\\xf4}\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00P\\x07\\xf0\\x9a\\xf4}\\x00\\x00\\x00\\x00\\x04\\x9d\\xf5}\\x00\\x00(\\x02\\x05\\x9d\\xf5}\\x00\\x00P\\x06\\x06\\x9d\\xf5}\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x80\\x9b\\x07m\\xe8\\xff\\xff\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x00 \\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\x10\\x00\\x00\\x00@\\xad\\x13x\\xfc\\x7f\\x00\\x00\\x00\\x00`g\\xab\\x01\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 8220
          },
          {
            "timestamp": "2026-05-28 22:01:58,084",
            "thread_id": "5448",
            "caller": "0x7ff6c28c5414",
            "parentcaller": "0x7ff6c28c3945",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000007a8"
              },
              {
                "name": "BaseAddress",
                "value": "0x1ab67203400"
              },
              {
                "name": "Size",
                "value": "0x00000440"
              },
              {
                "name": "Buffer",
                "value": "\\x10\t\\x00\\x00\\x10\t\\x00\\x00\\x01@\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00z\\x00\\x08\\x02\\x00\\x00\\x00\\x00@A g\\xab\\x01\\x00\\x00@\\x00\\x00\\x00\\x00\\x00\\x00\\x00z\\x00|\\x00\\x00\\x00\\x00\\x00H: g\\xab\\x01\\x00\\x00\\x94\\x00\\x96\\x00\\x00\\x00\\x00\\x00\\xc4: g\\xab\\x01\\x00\\x00\\x16\\x01\\x18\\x01\\x00\\x00\\x00\\x00Z; g\\xab\\x01\\x00\\x000\\xf6%g\\xab\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x80\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x98\\x00\\x9a\\x00\\x00\\x00\\x00\\x00r< g\\xab\\x01\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x0c= g\\xab\\x01\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x0e= g\\xab\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 8221
          },
          {
            "timestamp": "2026-05-28 22:01:58,084",
            "thread_id": "5448",
            "caller": "0x7ff6c28c545d",
            "parentcaller": "0x7ff6c28c3945",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000007a8"
              },
              {
                "name": "BaseAddress",
                "value": "0x1ab67203b5a"
              },
              {
                "name": "Size",
                "value": "0x00000116"
              },
              {
                "name": "Buffer",
                "value": "\"\\x00C\\x00:\\x00\\\\x00W\\x00i\\x00n\\x00d\\x00o\\x00w\\x00s\\x00\\\\x00S\\x00y\\x00s\\x00t\\x00e\\x00m\\x00A\\x00p\\x00p\\x00s\\x00\\\\x00M\\x00i\\x00c\\x00r\\x00o\\x00s\\x00o\\x00f\\x00t\\x00.\\x00W\\x00i\\x00n\\x00d\\x00o\\x00w\\x00s\\x00.\\x00S\\x00e\\x00a\\x00r\\x00c\\x00h\\x00_\\x00c\\x00w\\x005\\x00n\\x001\\x00h\\x002\\x00t\\x00x\\x00y\\x00e\\x00w\\x00y\\x00\\\\x00S\\x00e\\x00a\\x00r\\x00c\\x00h\\x00A\\x00p\\x00p\\x00.\\x00e\\x00x\\x00e\\x00\"\\x00 \\x00-\\x00S\\x00e\\x00r\\x00v\\x00e\\x00r\\x00N\\x00a\\x00m\\x00e\\x00:\\x00C\\x00o\\x00r\\x00t\\x00a\\x00n\\x00a\\x00U\\x00I\\x00.\\x00A\\x00p\\x00p\\x00X\\x008\\x00z\\x009\\x00r\\x006\\x00j\\x00m\\x009\\x006\\x00h\\x00w\\x004\\x00b\\x00s\\x00b\\x00n\\x00e\\x00e\\x00g\\x00w\\x000\\x00k\\x00y\\x00x\\x00x\\x00"
              }
            ],
            "repeated": 0,
            "id": 8222
          },
          {
            "timestamp": "2026-05-28 22:01:58,084",
            "thread_id": "5448",
            "caller": "0x7ff6c28c39ad",
            "parentcaller": "0x7ff6c28c31bb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000007a8"
              }
            ],
            "repeated": 0,
            "id": 8223
          },
          {
            "timestamp": "2026-05-28 22:01:58,084",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c3746",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000007a8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001000",
                "pretty_value": "PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "5536"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\SystemApps\\Microsoft.Windows.Search_cw5n1h2txyewy\\SearchApp.exe"
              }
            ],
            "repeated": 0,
            "id": 8224
          },
          {
            "timestamp": "2026-05-28 22:01:58,084",
            "thread_id": "5448",
            "caller": "0x7ff6c28c472e",
            "parentcaller": "0x7ff6c28c375e",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000007a8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x000007a4"
              }
            ],
            "repeated": 0,
            "id": 8225
          },
          {
            "timestamp": "2026-05-28 22:01:58,084",
            "thread_id": "5448",
            "caller": "0x7ff6c28c4764",
            "parentcaller": "0x7ff6c28c375e",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "39"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 8226
          },
          {
            "timestamp": "2026-05-28 22:01:58,084",
            "thread_id": "5448",
            "caller": "0x7ff6c28c47ed",
            "parentcaller": "0x7ff6c28c375e",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "39"
              },
              {
                "name": "TokenInformation",
                "value": "\\x01\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\xe0^$T\\x92\\x02\\x00\\x00\\x1c\\x00\\x1c\\x00\\x00\\x00\\x00\\x00\\x80_$T\\x92\\x02\\x00\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xa0_$T\\x92\\x02\\x00\\x00\\x12\\x00\\x12\\x00\\x00\\x00\\x00\\x00\\xb6`$T\\x92\\x02\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xc8`$T\\x92\\x02\\x00\\x00\\x1e\\x00\\x1e\\x00\\x00\\x00\\x00\\x00\\xd0`$T\\x92\\x02\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xf0`$T\\x92\\x02\\x00\\x00 \\x00 \\x00\\x00\\x00\\x00\\x00\\xf8`$T\\x92\\x02\\x00\\x00\\x02\\x00\\x00\\x00A\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x18a$T\\x92\\x02\\x00\\x00W\\x00I\\x00N\\x00:\\x00/\\x00/\\x00S\\x00Y\\x00S\\x00A\\x00P\\x00P\\x00I\\x00D\\x00\\x00\\x00\\x00\\x00\\x88\\x00\\x88\\x00\\x00\\x00\\x00\\x00\\xd0_$T\\x92\\x02\\x00\\x00\\x12\\x00\\x12\\x00\\x00\\x00\\x00\\x00X`$T\\x92\\x02\\x00\\x00L\\x00L\\x00\\x00\\x00\\x00\\x00j`$T\\x92\\x02\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 8227
          },
          {
            "timestamp": "2026-05-28 22:01:58,084",
            "thread_id": "5448",
            "caller": "0x7ff6c28c488d",
            "parentcaller": "0x7ff6c28c375e",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000007a4"
              }
            ],
            "repeated": 0,
            "id": 8228
          },
          {
            "timestamp": "2026-05-28 22:01:58,084",
            "thread_id": "5448",
            "caller": "0x7ff6c28c3779",
            "parentcaller": "0x7ff6c28c31c6",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000007a8"
              }
            ],
            "repeated": 0,
            "id": 8229
          },
          {
            "timestamp": "2026-05-28 22:01:58,084",
            "thread_id": "5448",
            "caller": "0x7ff6c28c05ac",
            "parentcaller": "0x7ff6c28bdc11",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000007a8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001400",
                "pretty_value": "PROCESS_QUERY_INFORMATION|PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "5796"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\System32\\RuntimeBroker.exe"
              }
            ],
            "repeated": 0,
            "id": 8230
          },
          {
            "timestamp": "2026-05-28 22:01:58,084",
            "thread_id": "5448",
            "caller": "0x7ff6c28c068f",
            "parentcaller": "0x7ff6c28bdc11",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000007a8"
              }
            ],
            "repeated": 0,
            "id": 8231
          },
          {
            "timestamp": "2026-05-28 22:01:58,084",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c837c",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000007a8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001000",
                "pretty_value": "PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "5796"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\System32\\RuntimeBroker.exe"
              }
            ],
            "repeated": 0,
            "id": 8232
          },
          {
            "timestamp": "2026-05-28 22:01:58,084",
            "thread_id": "5448",
            "caller": "0x7ff6c28c472e",
            "parentcaller": "0x7ff6c28c8392",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000007a8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x000007a4"
              }
            ],
            "repeated": 0,
            "id": 8233
          },
          {
            "timestamp": "2026-05-28 22:01:58,084",
            "thread_id": "5448",
            "caller": "0x7ff6c28c4764",
            "parentcaller": "0x7ff6c28c8392",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "39"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 8234
          },
          {
            "timestamp": "2026-05-28 22:01:58,084",
            "thread_id": "5448",
            "caller": "0x7ff6c28c47ed",
            "parentcaller": "0x7ff6c28c8392",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "39"
              },
              {
                "name": "TokenInformation",
                "value": "\\x01\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\xe0^$T\\x92\\x02\\x00\\x00\\x1c\\x00\\x1c\\x00\\x00\\x00\\x00\\x00X_$T\\x92\\x02\\x00\\x00\\x03\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00x_$T\\x92\\x02\\x00\\x00\\x12\\x00\\x12\\x00\\x00\\x00\\x00\\x00\\xc4`$T\\x92\\x02\\x00\\x00\\x02\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xd8`$T\\x92\\x02\\x00\\x00 \\x00 \\x00\\x00\\x00\\x00\\x00\\xe0`$T\\x92\\x02\\x00\\x00\\x02\\x00\\x00\\x00A\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00a$T\\x92\\x02\\x00\\x00W\\x00I\\x00N\\x00:\\x00/\\x00/\\x00S\\x00Y\\x00S\\x00A\\x00P\\x00P\\x00I\\x00D\\x00\\x00\\x00\\x00\\x00\\x88\\x00\\x88\\x00\\x00\\x00\\x00\\x00\\xa8_$T\\x92\\x02\\x00\\x00H\\x00H\\x00\\x00\\x00\\x00\\x000`$T\\x92\\x02\\x00\\x00L\\x00L\\x00\\x00\\x00\\x00\\x00x`$T\\x92\\x02\\x00\\x00M\\x00i\\x00c\\x00r\\x00o\\x00s\\x00o\\x00f\\x00t\\x00.\\x00W\\x00i\\x00n\\x00d\\x00o\\x00w\\x00s\\x00.\\x00S\\x00e\\x00"
              }
            ],
            "repeated": 0,
            "id": 8235
          },
          {
            "timestamp": "2026-05-28 22:01:58,084",
            "thread_id": "5448",
            "caller": "0x7ff6c28c488d",
            "parentcaller": "0x7ff6c28c8392",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000007a4"
              }
            ],
            "repeated": 0,
            "id": 8236
          },
          {
            "timestamp": "2026-05-28 22:01:58,084",
            "thread_id": "5448",
            "caller": "0x7ff6c28c83a8",
            "parentcaller": "0x7ff6c28c8427",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000007a8"
              }
            ],
            "repeated": 0,
            "id": 8237
          },
          {
            "timestamp": "2026-05-28 22:01:58,084",
            "thread_id": "5448",
            "caller": "0x7ff6c28c883e",
            "parentcaller": "0x7ff6c28c846b",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0xfffffffc"
              }
            ],
            "repeated": 0,
            "id": 8238
          },
          {
            "timestamp": "2026-05-28 22:01:58,084",
            "thread_id": "5448",
            "caller": "0x7ff6c28c883e",
            "parentcaller": "0x7ff6c28c846b",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 8239
          },
          {
            "timestamp": "2026-05-28 22:01:58,084",
            "thread_id": "5448",
            "caller": "0x7ff6c28c883e",
            "parentcaller": "0x7ff6c28c846b",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0xfffffffc"
              }
            ],
            "repeated": 0,
            "id": 8240
          },
          {
            "timestamp": "2026-05-28 22:01:58,084",
            "thread_id": "5448",
            "caller": "0x7ff6c28c883e",
            "parentcaller": "0x7ff6c28c846b",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "0",
                "pretty_value": "ThreadBasicInformation"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x03\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xf0\\x86\\x9d\\xf0\\x00\\x00\\x00\\xe8\\x1e\\x00\\x00\\x00\\x00\\x00\\x00H\\x15\\x00\\x00\\x00\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x0e\\x00\\x00\\x00\\x02\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "5448"
              }
            ],
            "repeated": 0,
            "id": 8241
          },
          {
            "timestamp": "2026-05-28 22:01:58,084",
            "thread_id": "3700",
            "caller": "0x7ffc7571ebae",
            "parentcaller": "0x7ffc775f84de",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "0",
                "pretty_value": "ThreadBasicInformation"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x03\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xf0\\x87\\x9d\\xf0\\x00\\x00\\x00\\xe8\\x1e\\x00\\x00\\x00\\x00\\x00\\x00t\\x0e\\x00\\x00\\x00\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x0b\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "3700"
              }
            ],
            "repeated": 0,
            "id": 8242
          },
          {
            "timestamp": "2026-05-28 22:01:58,084",
            "thread_id": "3700",
            "caller": "0x7ffc756e54eb",
            "parentcaller": "0x7ffc6126c697",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 8243
          },
          {
            "timestamp": "2026-05-28 22:01:58,084",
            "thread_id": "3700",
            "caller": "0x7ffc756e54eb",
            "parentcaller": "0x7ffc6126c717",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "`\\xaf\"T\\x92\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\xe9\\x03\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 8244
          },
          {
            "timestamp": "2026-05-28 22:01:58,084",
            "thread_id": "3700",
            "caller": "0x7ffc77be92b9",
            "parentcaller": "0x7ffc77c2224d",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "00000339-0000-0000-C000-000000000046"
              },
              {
                "name": "ClsContext",
                "value": "0x00000403",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER|CLSCTX_NO_CODE_DOWNLOAD"
              },
              {
                "name": "riid",
                "value": "00000003-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 3,
            "id": 8245
          },
          {
            "timestamp": "2026-05-28 22:01:58,084",
            "thread_id": "3700",
            "caller": "0x7ffc756ded78",
            "parentcaller": "0x7ffc6110101a",
            "category": "synchronization",
            "api": "NtCreateMutant",
            "status": true,
            "return": "0x40000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000073c"
              },
              {
                "name": "MutexName",
                "value": "Local\\SM0:7912:120:WilError_03"
              },
              {
                "name": "InitialOwner",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 8246
          },
          {
            "timestamp": "2026-05-28 22:01:58,084",
            "thread_id": "3700",
            "caller": "0x7ffc756e6785",
            "parentcaller": "0x7ffc611001ef",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000007a0"
              }
            ],
            "repeated": 0,
            "id": 8247
          },
          {
            "timestamp": "2026-05-28 22:01:58,084",
            "thread_id": "3700",
            "caller": "0x7ffc756e6785",
            "parentcaller": "0x7ffc611001ef",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000079c"
              }
            ],
            "repeated": 0,
            "id": 8248
          },
          {
            "timestamp": "2026-05-28 22:01:58,084",
            "thread_id": "3700",
            "caller": "0x7ffc756e6785",
            "parentcaller": "0x7ffc611001ef",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000073c"
              }
            ],
            "repeated": 0,
            "id": 8249
          },
          {
            "timestamp": "2026-05-28 22:01:58,084",
            "thread_id": "3700",
            "caller": "0x7ffc7571ebae",
            "parentcaller": "0x7ffc775c712f",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "0",
                "pretty_value": "ThreadBasicInformation"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x03\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xf0\\x87\\x9d\\xf0\\x00\\x00\\x00\\xe8\\x1e\\x00\\x00\\x00\\x00\\x00\\x00t\\x0e\\x00\\x00\\x00\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "3700"
              }
            ],
            "repeated": 0,
            "id": 8250
          },
          {
            "timestamp": "2026-05-28 22:01:58,084",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c3e56",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000007a8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001000",
                "pretty_value": "PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "5796"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\System32\\RuntimeBroker.exe"
              }
            ],
            "repeated": 0,
            "id": 8251
          },
          {
            "timestamp": "2026-05-28 22:01:58,084",
            "thread_id": "5448",
            "caller": "0x7ff6c28c3ebb",
            "parentcaller": "0x7ff6c28c2d53",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000007a8"
              }
            ],
            "repeated": 0,
            "id": 8252
          },
          {
            "timestamp": "2026-05-28 22:01:58,084",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c3ffc",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000007a8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001000",
                "pretty_value": "PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "5796"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\System32\\RuntimeBroker.exe"
              }
            ],
            "repeated": 0,
            "id": 8253
          },
          {
            "timestamp": "2026-05-28 22:01:58,084",
            "thread_id": "5448",
            "caller": "0x7ff6c28c4224",
            "parentcaller": "0x7ff6c28c2da5",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000007a8"
              }
            ],
            "repeated": 0,
            "id": 8254
          },
          {
            "timestamp": "2026-05-28 22:01:58,084",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x292546c0002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\System32\\RuntimeBroker.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 8255
          },
          {
            "timestamp": "2026-05-28 22:01:58,084",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x292546c0000"
              },
              {
                "name": "RegionSize",
                "value": "0x0001c000"
              }
            ],
            "repeated": 0,
            "id": 8256
          },
          {
            "timestamp": "2026-05-28 22:01:58,084",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x292546c0002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\System32\\RuntimeBroker.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 8257
          },
          {
            "timestamp": "2026-05-28 22:01:58,084",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x292546c0000"
              },
              {
                "name": "RegionSize",
                "value": "0x0001c000"
              }
            ],
            "repeated": 0,
            "id": 8258
          },
          {
            "timestamp": "2026-05-28 22:01:58,084",
            "thread_id": "5448",
            "caller": "0x7ff6c28c3b16",
            "parentcaller": "0x7ff6c28c30e8",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000007a8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000400",
                "pretty_value": "PROCESS_QUERY_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "5796"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\System32\\RuntimeBroker.exe"
              }
            ],
            "repeated": 0,
            "id": 8259
          },
          {
            "timestamp": "2026-05-28 22:01:58,084",
            "thread_id": "5448",
            "caller": "0x7ff6c28c3b8f",
            "parentcaller": "0x7ff6c28c30e8",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000007a8"
              }
            ],
            "repeated": 0,
            "id": 8260
          },
          {
            "timestamp": "2026-05-28 22:01:58,084",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c38f8",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000007a8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001410",
                "pretty_value": "PROCESS_VM_READ|PROCESS_QUERY_INFORMATION|PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "5796"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\System32\\RuntimeBroker.exe"
              }
            ],
            "repeated": 0,
            "id": 8261
          },
          {
            "timestamp": "2026-05-28 22:01:58,084",
            "thread_id": "5448",
            "caller": "0x7ff6c28c53e5",
            "parentcaller": "0x7ff6c28c3945",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000007a8"
              },
              {
                "name": "BaseAddress",
                "value": "0x6a08dbe000"
              },
              {
                "name": "Size",
                "value": "0x000007c8"
              },
              {
                "name": "Buffer",
                "value": "\\x00\\x00\\x00\\x14\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00q{\\xf7\\x7f\\x00\\x00\\xc0\\xc4\\x13x\\xfc\\x7f\\x00\\x00\\xd02 \\x82#\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x0f\\x82#\\x02\\x00\\x00\\xe0\\xc0\\x13x\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00p\\x003v\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\n\\x82#\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00@\\xc4\\x13x\\xfc\\x7f\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\x07\\x00\\x00\\x00\\xa9\\xf0\\xf4}\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00P\\x07\\xa9\\xf0\\xf4}\\x00\\x00\\x00\\x00\\xbd\\xf2\\xf5}\\x00\\x00(\\x02\\xbe\\xf2\\xf5}\\x00\\x00P\\x06\\xbf\\xf2\\xf5}\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x80\\x9b\\x07m\\xe8\\xff\\xff\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x00 \\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x10\\x00\\x00\\x00@\\xad\\x13x\\xfc\\x7f\\x00\\x00\\x00\\x00a\\x82#\\x02\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 8262
          },
          {
            "timestamp": "2026-05-28 22:01:58,084",
            "thread_id": "5448",
            "caller": "0x7ff6c28c5414",
            "parentcaller": "0x7ff6c28c3945",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000007a8"
              },
              {
                "name": "BaseAddress",
                "value": "0x223822032d0"
              },
              {
                "name": "Size",
                "value": "0x00000440"
              },
              {
                "name": "Buffer",
                "value": "F\\x07\\x00\\x00F\\x07\\x00\\x00\\x01 \\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00(\\x00\\x08\\x02\\x00\\x00\\x00\\x00\\x90> \\x82#\\x02\\x00\\x00H\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00J\\x00L\\x00\\x00\\x00\\x00\\x00\\x189 \\x82#\\x02\\x00\\x00`\\x00b\\x00\\x00\\x00\\x00\\x00d9 \\x82#\\x02\\x00\\x00\\xf0' \\x82#\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x80\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00J\\x00L\\x00\\x00\\x00\\x00\\x00\\xc69 \\x82#\\x02\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x12: \\x82#\\x02\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x14: \\x82#\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 8263
          },
          {
            "timestamp": "2026-05-28 22:01:58,084",
            "thread_id": "5448",
            "caller": "0x7ff6c28c545d",
            "parentcaller": "0x7ff6c28c3945",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000007a8"
              },
              {
                "name": "BaseAddress",
                "value": "0x22382203964"
              },
              {
                "name": "Size",
                "value": "0x00000060"
              },
              {
                "name": "Buffer",
                "value": "C\\x00:\\x00\\\\x00W\\x00i\\x00n\\x00d\\x00o\\x00w\\x00s\\x00\\\\x00S\\x00y\\x00s\\x00t\\x00e\\x00m\\x003\\x002\\x00\\\\x00R\\x00u\\x00n\\x00t\\x00i\\x00m\\x00e\\x00B\\x00r\\x00o\\x00k\\x00e\\x00r\\x00.\\x00e\\x00x\\x00e\\x00 \\x00-\\x00E\\x00m\\x00b\\x00e\\x00d\\x00d\\x00i\\x00n\\x00g\\x00"
              }
            ],
            "repeated": 0,
            "id": 8264
          },
          {
            "timestamp": "2026-05-28 22:01:58,084",
            "thread_id": "5448",
            "caller": "0x7ff6c28c39ad",
            "parentcaller": "0x7ff6c28c31bb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000007a8"
              }
            ],
            "repeated": 0,
            "id": 8265
          },
          {
            "timestamp": "2026-05-28 22:01:58,084",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c3746",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000007a8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001000",
                "pretty_value": "PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "5796"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\System32\\RuntimeBroker.exe"
              }
            ],
            "repeated": 0,
            "id": 8266
          },
          {
            "timestamp": "2026-05-28 22:01:58,084",
            "thread_id": "5448",
            "caller": "0x7ff6c28c472e",
            "parentcaller": "0x7ff6c28c375e",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000007a8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x000007a4"
              }
            ],
            "repeated": 0,
            "id": 8267
          },
          {
            "timestamp": "2026-05-28 22:01:58,084",
            "thread_id": "5448",
            "caller": "0x7ff6c28c4764",
            "parentcaller": "0x7ff6c28c375e",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "39"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 8268
          },
          {
            "timestamp": "2026-05-28 22:01:58,084",
            "thread_id": "5448",
            "caller": "0x7ff6c28c47ed",
            "parentcaller": "0x7ff6c28c375e",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "39"
              },
              {
                "name": "TokenInformation",
                "value": "\\x01\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\xe0^$T\\x92\\x02\\x00\\x00\\x1c\\x00\\x1c\\x00\\x00\\x00\\x00\\x00X_$T\\x92\\x02\\x00\\x00\\x03\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00x_$T\\x92\\x02\\x00\\x00\\x12\\x00\\x12\\x00\\x00\\x00\\x00\\x00\\xc4`$T\\x92\\x02\\x00\\x00\\x02\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xd8`$T\\x92\\x02\\x00\\x00 \\x00 \\x00\\x00\\x00\\x00\\x00\\xe0`$T\\x92\\x02\\x00\\x00\\x02\\x00\\x00\\x00A\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00a$T\\x92\\x02\\x00\\x00W\\x00I\\x00N\\x00:\\x00/\\x00/\\x00S\\x00Y\\x00S\\x00A\\x00P\\x00P\\x00I\\x00D\\x00\\x00\\x00\\x00\\x00\\x88\\x00\\x88\\x00\\x00\\x00\\x00\\x00\\xa8_$T\\x92\\x02\\x00\\x00H\\x00H\\x00\\x00\\x00\\x00\\x000`$T\\x92\\x02\\x00\\x00L\\x00L\\x00\\x00\\x00\\x00\\x00x`$T\\x92\\x02\\x00\\x00M\\x00i\\x00c\\x00r\\x00o\\x00s\\x00o\\x00f\\x00t\\x00.\\x00W\\x00i\\x00n\\x00d\\x00o\\x00w\\x00s\\x00.\\x00S\\x00e\\x00"
              }
            ],
            "repeated": 0,
            "id": 8269
          },
          {
            "timestamp": "2026-05-28 22:01:58,084",
            "thread_id": "5448",
            "caller": "0x7ff6c28c488d",
            "parentcaller": "0x7ff6c28c375e",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000007a4"
              }
            ],
            "repeated": 0,
            "id": 8270
          },
          {
            "timestamp": "2026-05-28 22:01:58,084",
            "thread_id": "5448",
            "caller": "0x7ff6c28c3779",
            "parentcaller": "0x7ff6c28c31c6",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000007a8"
              }
            ],
            "repeated": 0,
            "id": 8271
          },
          {
            "timestamp": "2026-05-28 22:01:58,084",
            "thread_id": "5448",
            "caller": "0x7ff6c28c05ac",
            "parentcaller": "0x7ff6c28bdc11",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000007a8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001400",
                "pretty_value": "PROCESS_QUERY_INFORMATION|PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "5956"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\System32\\RuntimeBroker.exe"
              }
            ],
            "repeated": 0,
            "id": 8272
          },
          {
            "timestamp": "2026-05-28 22:01:58,084",
            "thread_id": "5448",
            "caller": "0x7ff6c28c068f",
            "parentcaller": "0x7ff6c28bdc11",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000007a8"
              }
            ],
            "repeated": 0,
            "id": 8273
          },
          {
            "timestamp": "2026-05-28 22:01:58,084",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c837c",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000007a8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001000",
                "pretty_value": "PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "5956"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\System32\\RuntimeBroker.exe"
              }
            ],
            "repeated": 0,
            "id": 8274
          },
          {
            "timestamp": "2026-05-28 22:01:58,084",
            "thread_id": "5448",
            "caller": "0x7ff6c28c472e",
            "parentcaller": "0x7ff6c28c8392",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000007a8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x000007a4"
              }
            ],
            "repeated": 0,
            "id": 8275
          },
          {
            "timestamp": "2026-05-28 22:01:58,084",
            "thread_id": "5448",
            "caller": "0x7ff6c28c4764",
            "parentcaller": "0x7ff6c28c8392",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "39"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 8276
          },
          {
            "timestamp": "2026-05-28 22:01:58,084",
            "thread_id": "5448",
            "caller": "0x7ff6c28c47ed",
            "parentcaller": "0x7ff6c28c8392",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "39"
              },
              {
                "name": "TokenInformation",
                "value": "\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\xe0^$T\\x92\\x02\\x00\\x00 \\x00 \\x00\\x00\\x00\\x00\\x00\\x08_$T\\x92\\x02\\x00\\x00\\x02\\x00\\x00\\x00A\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00(_$T\\x92\\x02\\x00\\x00T\\x00S\\x00A\\x00:\\x00/\\x00/\\x00P\\x00r\\x00o\\x00c\\x00U\\x00n\\x00i\\x00q\\x00u\\x00e\\x00y\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x15\\x15\\x07\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 8277
          },
          {
            "timestamp": "2026-05-28 22:01:58,084",
            "thread_id": "5448",
            "caller": "0x7ff6c28c488d",
            "parentcaller": "0x7ff6c28c8392",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000007a4"
              }
            ],
            "repeated": 0,
            "id": 8278
          },
          {
            "timestamp": "2026-05-28 22:01:58,084",
            "thread_id": "5448",
            "caller": "0x7ff6c28c83a8",
            "parentcaller": "0x7ff6c28c8427",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000007a8"
              }
            ],
            "repeated": 0,
            "id": 8279
          },
          {
            "timestamp": "2026-05-28 22:01:58,084",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c3e56",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000007a8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001000",
                "pretty_value": "PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "5956"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\System32\\RuntimeBroker.exe"
              }
            ],
            "repeated": 0,
            "id": 8280
          },
          {
            "timestamp": "2026-05-28 22:01:58,084",
            "thread_id": "5448",
            "caller": "0x7ff6c28c3ebb",
            "parentcaller": "0x7ff6c28c2d53",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000007a8"
              }
            ],
            "repeated": 0,
            "id": 8281
          },
          {
            "timestamp": "2026-05-28 22:01:58,084",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c3ffc",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000007a8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001000",
                "pretty_value": "PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "5956"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\System32\\RuntimeBroker.exe"
              }
            ],
            "repeated": 0,
            "id": 8282
          },
          {
            "timestamp": "2026-05-28 22:01:58,084",
            "thread_id": "5448",
            "caller": "0x7ff6c28c4224",
            "parentcaller": "0x7ff6c28c2da5",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000007a8"
              }
            ],
            "repeated": 0,
            "id": 8283
          },
          {
            "timestamp": "2026-05-28 22:01:58,084",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x292546c0002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\System32\\RuntimeBroker.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 8284
          },
          {
            "timestamp": "2026-05-28 22:01:58,084",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x292546c0000"
              },
              {
                "name": "RegionSize",
                "value": "0x0001c000"
              }
            ],
            "repeated": 0,
            "id": 8285
          },
          {
            "timestamp": "2026-05-28 22:01:58,084",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x292546c0002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\System32\\RuntimeBroker.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 8286
          },
          {
            "timestamp": "2026-05-28 22:01:58,084",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x292546c0000"
              },
              {
                "name": "RegionSize",
                "value": "0x0001c000"
              }
            ],
            "repeated": 0,
            "id": 8287
          },
          {
            "timestamp": "2026-05-28 22:01:58,084",
            "thread_id": "5448",
            "caller": "0x7ff6c28c3b16",
            "parentcaller": "0x7ff6c28c30e8",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000007a8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000400",
                "pretty_value": "PROCESS_QUERY_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "5956"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\System32\\RuntimeBroker.exe"
              }
            ],
            "repeated": 0,
            "id": 8288
          },
          {
            "timestamp": "2026-05-28 22:01:58,084",
            "thread_id": "5448",
            "caller": "0x7ff6c28c3b8f",
            "parentcaller": "0x7ff6c28c30e8",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000007a8"
              }
            ],
            "repeated": 0,
            "id": 8289
          },
          {
            "timestamp": "2026-05-28 22:01:58,084",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c38f8",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000007a8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001410",
                "pretty_value": "PROCESS_VM_READ|PROCESS_QUERY_INFORMATION|PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "5956"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\System32\\RuntimeBroker.exe"
              }
            ],
            "repeated": 0,
            "id": 8290
          },
          {
            "timestamp": "2026-05-28 22:01:58,084",
            "thread_id": "5448",
            "caller": "0x7ff6c28c53e5",
            "parentcaller": "0x7ff6c28c3945",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000007a8"
              },
              {
                "name": "BaseAddress",
                "value": "0x99d82b000"
              },
              {
                "name": "Size",
                "value": "0x000007c8"
              },
              {
                "name": "Buffer",
                "value": "\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00q{\\xf7\\x7f\\x00\\x00\\xc0\\xc4\\x13x\\xfc\\x7f\\x00\\x00\\xd02\\x80\\x92\\xde\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00c\\x92\\xde\\x01\\x00\\x00\\xe0\\xc0\\x13x\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00p\\x003v\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00^\\x92\\xde\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00@\\xc4\\x13x\\xfc\\x7f\\x00\\x00\\xff\\xff\\xff\\xff\\xc1\\x00\\x00\\x00\\x00\\x00\\x12\\xe7\\xf4}\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00P\\x07\\x12\\xe7\\xf4}\\x00\\x00\\x00\\x00&\\xe9\\xf5}\\x00\\x00(\\x02'\\xe9\\xf5}\\x00\\x00P\\x06(\\xe9\\xf5}\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x80\\x9b\\x07m\\xe8\\xff\\xff\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x00 \\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x10\\x00\\x00\\x00@\\xad\\x13x\\xfc\\x7f\\x00\\x00\\x00\\x00\\xc0\\x92\\xde\\x01\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 8291
          },
          {
            "timestamp": "2026-05-28 22:01:58,084",
            "thread_id": "5448",
            "caller": "0x7ff6c28c5414",
            "parentcaller": "0x7ff6c28c3945",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000007a8"
              },
              {
                "name": "BaseAddress",
                "value": "0x1de928032d0"
              },
              {
                "name": "Size",
                "value": "0x00000440"
              },
              {
                "name": "Buffer",
                "value": "F\\x07\\x00\\x00F\\x07\\x00\\x00\\x01 \\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00(\\x00\\x08\\x02\\x00\\x00\\x00\\x00\\x90>\\x80\\x92\\xde\\x01\\x00\\x00H\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00J\\x00L\\x00\\x00\\x00\\x00\\x00\\x189\\x80\\x92\\xde\\x01\\x00\\x00`\\x00b\\x00\\x00\\x00\\x00\\x00d9\\x80\\x92\\xde\\x01\\x00\\x00@ \\x8a\\x92\\xde\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x80\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00J\\x00L\\x00\\x00\\x00\\x00\\x00\\xc69\\x80\\x92\\xde\\x01\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x12:\\x80\\x92\\xde\\x01\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x14:\\x80\\x92\\xde\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 8292
          },
          {
            "timestamp": "2026-05-28 22:01:58,084",
            "thread_id": "5448",
            "caller": "0x7ff6c28c545d",
            "parentcaller": "0x7ff6c28c3945",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000007a8"
              },
              {
                "name": "BaseAddress",
                "value": "0x1de92803964"
              },
              {
                "name": "Size",
                "value": "0x00000060"
              },
              {
                "name": "Buffer",
                "value": "C\\x00:\\x00\\\\x00W\\x00i\\x00n\\x00d\\x00o\\x00w\\x00s\\x00\\\\x00S\\x00y\\x00s\\x00t\\x00e\\x00m\\x003\\x002\\x00\\\\x00R\\x00u\\x00n\\x00t\\x00i\\x00m\\x00e\\x00B\\x00r\\x00o\\x00k\\x00e\\x00r\\x00.\\x00e\\x00x\\x00e\\x00 \\x00-\\x00E\\x00m\\x00b\\x00e\\x00d\\x00d\\x00i\\x00n\\x00g\\x00"
              }
            ],
            "repeated": 0,
            "id": 8293
          },
          {
            "timestamp": "2026-05-28 22:01:58,084",
            "thread_id": "5448",
            "caller": "0x7ff6c28c39ad",
            "parentcaller": "0x7ff6c28c31bb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000007a8"
              }
            ],
            "repeated": 0,
            "id": 8294
          },
          {
            "timestamp": "2026-05-28 22:01:58,084",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c3746",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000007a8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001000",
                "pretty_value": "PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "5956"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\System32\\RuntimeBroker.exe"
              }
            ],
            "repeated": 0,
            "id": 8295
          },
          {
            "timestamp": "2026-05-28 22:01:58,084",
            "thread_id": "5448",
            "caller": "0x7ff6c28c472e",
            "parentcaller": "0x7ff6c28c375e",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000007a8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x000007a4"
              }
            ],
            "repeated": 0,
            "id": 8296
          },
          {
            "timestamp": "2026-05-28 22:01:58,084",
            "thread_id": "5448",
            "caller": "0x7ff6c28c4764",
            "parentcaller": "0x7ff6c28c375e",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "39"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 8297
          },
          {
            "timestamp": "2026-05-28 22:01:58,084",
            "thread_id": "5448",
            "caller": "0x7ff6c28c47ed",
            "parentcaller": "0x7ff6c28c375e",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "39"
              },
              {
                "name": "TokenInformation",
                "value": "\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\xe0^$T\\x92\\x02\\x00\\x00 \\x00 \\x00\\x00\\x00\\x00\\x00\\x08_$T\\x92\\x02\\x00\\x00\\x02\\x00\\x00\\x00A\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00(_$T\\x92\\x02\\x00\\x00T\\x00S\\x00A\\x00:\\x00/\\x00/\\x00P\\x00r\\x00o\\x00c\\x00U\\x00n\\x00i\\x00q\\x00u\\x00e\\x00y\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x15\\x15\\x07\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 8298
          },
          {
            "timestamp": "2026-05-28 22:01:58,084",
            "thread_id": "5448",
            "caller": "0x7ff6c28c488d",
            "parentcaller": "0x7ff6c28c375e",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000007a4"
              }
            ],
            "repeated": 0,
            "id": 8299
          },
          {
            "timestamp": "2026-05-28 22:01:58,084",
            "thread_id": "5448",
            "caller": "0x7ff6c28c3779",
            "parentcaller": "0x7ff6c28c31c6",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000007a8"
              }
            ],
            "repeated": 0,
            "id": 8300
          },
          {
            "timestamp": "2026-05-28 22:01:58,084",
            "thread_id": "5448",
            "caller": "0x7ff6c28c05ac",
            "parentcaller": "0x7ff6c28bdc11",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000007a8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001400",
                "pretty_value": "PROCESS_QUERY_INFORMATION|PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "3680"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\System32\\SecurityHealthSystray.exe"
              }
            ],
            "repeated": 0,
            "id": 8301
          },
          {
            "timestamp": "2026-05-28 22:01:58,084",
            "thread_id": "5448",
            "caller": "0x7ff6c28c068f",
            "parentcaller": "0x7ff6c28bdc11",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000007a8"
              }
            ],
            "repeated": 0,
            "id": 8302
          },
          {
            "timestamp": "2026-05-28 22:01:58,084",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c3e56",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000007a8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001000",
                "pretty_value": "PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "3680"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\System32\\SecurityHealthSystray.exe"
              }
            ],
            "repeated": 0,
            "id": 8303
          },
          {
            "timestamp": "2026-05-28 22:01:58,084",
            "thread_id": "5448",
            "caller": "0x7ff6c28c3ebb",
            "parentcaller": "0x7ff6c28c2d53",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000007a8"
              }
            ],
            "repeated": 0,
            "id": 8304
          },
          {
            "timestamp": "2026-05-28 22:01:58,084",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c3ffc",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000007a8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001000",
                "pretty_value": "PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "3680"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\System32\\SecurityHealthSystray.exe"
              }
            ],
            "repeated": 0,
            "id": 8305
          },
          {
            "timestamp": "2026-05-28 22:01:58,084",
            "thread_id": "5448",
            "caller": "0x7ff6c28c4224",
            "parentcaller": "0x7ff6c28c2da5",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000007a8"
              }
            ],
            "repeated": 0,
            "id": 8306
          },
          {
            "timestamp": "2026-05-28 22:01:58,084",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x292546c0002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\System32\\SecurityHealthSystray.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 8307
          },
          {
            "timestamp": "2026-05-28 22:01:58,084",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "registry",
            "api": "NtOpenKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\en-US"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\en-US"
              }
            ],
            "repeated": 0,
            "id": 8308
          },
          {
            "timestamp": "2026-05-28 22:01:58,100",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100001",
                "pretty_value": "FILE_READ_ACCESS|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\en-US\\SecurityHealthSystray.exe.mui"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 8309
          },
          {
            "timestamp": "2026-05-28 22:01:58,100",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "registry",
            "api": "NtOpenKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\en"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\en"
              }
            ],
            "repeated": 0,
            "id": 8310
          },
          {
            "timestamp": "2026-05-28 22:01:58,100",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100001",
                "pretty_value": "FILE_READ_ACCESS|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\en\\SecurityHealthSystray.exe.mui"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 8311
          },
          {
            "timestamp": "2026-05-28 22:01:58,100",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\SecurityHealthSystray.exe"
              }
            ],
            "repeated": 0,
            "id": 8312
          },
          {
            "timestamp": "2026-05-28 22:01:58,100",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x292546c0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00019000"
              }
            ],
            "repeated": 0,
            "id": 8313
          },
          {
            "timestamp": "2026-05-28 22:01:58,100",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x292546c0002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\System32\\SecurityHealthSystray.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 8314
          },
          {
            "timestamp": "2026-05-28 22:01:58,100",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "registry",
            "api": "NtOpenKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\en-US"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\en-US"
              }
            ],
            "repeated": 0,
            "id": 8315
          },
          {
            "timestamp": "2026-05-28 22:01:58,100",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100001",
                "pretty_value": "FILE_READ_ACCESS|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\en-US\\SecurityHealthSystray.exe.mui"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 8316
          },
          {
            "timestamp": "2026-05-28 22:01:58,100",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "registry",
            "api": "NtOpenKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\en"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\en"
              }
            ],
            "repeated": 0,
            "id": 8317
          },
          {
            "timestamp": "2026-05-28 22:01:58,100",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100001",
                "pretty_value": "FILE_READ_ACCESS|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\en\\SecurityHealthSystray.exe.mui"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 8318
          },
          {
            "timestamp": "2026-05-28 22:01:58,100",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\SecurityHealthSystray.exe"
              }
            ],
            "repeated": 0,
            "id": 8319
          },
          {
            "timestamp": "2026-05-28 22:01:58,100",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x292546c0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00019000"
              }
            ],
            "repeated": 0,
            "id": 8320
          },
          {
            "timestamp": "2026-05-28 22:01:58,100",
            "thread_id": "5448",
            "caller": "0x7ff6c28c3b16",
            "parentcaller": "0x7ff6c28c30e8",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000007a8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000400",
                "pretty_value": "PROCESS_QUERY_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "3680"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\System32\\SecurityHealthSystray.exe"
              }
            ],
            "repeated": 0,
            "id": 8321
          },
          {
            "timestamp": "2026-05-28 22:01:58,100",
            "thread_id": "5448",
            "caller": "0x7ff6c28c3b8f",
            "parentcaller": "0x7ff6c28c30e8",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000007a8"
              }
            ],
            "repeated": 0,
            "id": 8322
          },
          {
            "timestamp": "2026-05-28 22:01:58,100",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c38f8",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000007a8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001410",
                "pretty_value": "PROCESS_VM_READ|PROCESS_QUERY_INFORMATION|PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "3680"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\System32\\SecurityHealthSystray.exe"
              }
            ],
            "repeated": 0,
            "id": 8323
          },
          {
            "timestamp": "2026-05-28 22:01:58,100",
            "thread_id": "5448",
            "caller": "0x7ff6c28c53e5",
            "parentcaller": "0x7ff6c28c3945",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000007a8"
              },
              {
                "name": "BaseAddress",
                "value": "0x2196ff000"
              },
              {
                "name": "Size",
                "value": "0x000007c8"
              },
              {
                "name": "Buffer",
                "value": "\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\xaba\\xf6\\x7f\\x00\\x00\\xc0\\xc4\\x13x\\xfc\\x7f\\x00\\x00\\xb0\\x1bOQ\\xe2\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00OQ\\xe2\\x01\\x00\\x00\\xe0\\xc0\\x13x\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00p\\x003v\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00>Q\\xe2\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00@\\xc4\\x13x\\xfc\\x7f\\x00\\x00\\xff\\xff\\xff\\x1f\\x00\\x00\\x00\\x00\\x00\\x00?\\x92\\xf4}\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00P\\x07?\\x92\\xf4}\\x00\\x00\\x00\\x00S\\x94\\xf5}\\x00\\x00(\\x02T\\x94\\xf5}\\x00\\x00P\\x06U\\x94\\xf5}\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x80\\x9b\\x07m\\xe8\\xff\\xff\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x00 \\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x10\\x00\\x00\\x00@\\xad\\x13x\\xfc\\x7f\\x00\\x00\\x00\\x00\\x8cQ\\xe2\\x01\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 8324
          },
          {
            "timestamp": "2026-05-28 22:01:58,100",
            "thread_id": "5448",
            "caller": "0x7ff6c28c5414",
            "parentcaller": "0x7ff6c28c3945",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000007a8"
              },
              {
                "name": "BaseAddress",
                "value": "0x1e2514f1bb0"
              },
              {
                "name": "Size",
                "value": "0x00000440"
              },
              {
                "name": "Buffer",
                "value": "\\x84\\x07\\x00\\x00\\x84\\x07\\x00\\x00\\x01`\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00(\\x00\\x08\\x02\\x00\\x00\\x00\\x00\\x90'OQ\\xe2\\x01\\x00\\x00@\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00Z\\x00\\\\x00\\x00\\x00\\x00\\x00\\xf8!OQ\\xe2\\x01\\x00\\x00`\\x00b\\x00\\x00\\x00\\x00\\x00T\"OQ\\xe2\\x01\\x00\\x00\\xe0\\x0fOQ\\xe2\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00Z\\x00\\\\x00\\x00\\x00\\x00\\x00\\xb6\"OQ\\xe2\\x01\\x00\\x00\\x1e\\x00 \\x00\\x00\\x00\\x00\\x00\\x12#OQ\\xe2\\x01\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x002#OQ\\xe2\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 8325
          },
          {
            "timestamp": "2026-05-28 22:01:58,100",
            "thread_id": "5448",
            "caller": "0x7ff6c28c545d",
            "parentcaller": "0x7ff6c28c3945",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000007a8"
              },
              {
                "name": "BaseAddress",
                "value": "0x1e2514f2254"
              },
              {
                "name": "Size",
                "value": "0x00000060"
              },
              {
                "name": "Buffer",
                "value": "\"\\x00C\\x00:\\x00\\\\x00W\\x00i\\x00n\\x00d\\x00o\\x00w\\x00s\\x00\\\\x00S\\x00y\\x00s\\x00t\\x00e\\x00m\\x003\\x002\\x00\\\\x00S\\x00e\\x00c\\x00u\\x00r\\x00i\\x00t\\x00y\\x00H\\x00e\\x00a\\x00l\\x00t\\x00h\\x00S\\x00y\\x00s\\x00t\\x00r\\x00a\\x00y\\x00.\\x00e\\x00x\\x00e\\x00\"\\x00 \\x00"
              }
            ],
            "repeated": 0,
            "id": 8326
          },
          {
            "timestamp": "2026-05-28 22:01:58,100",
            "thread_id": "5448",
            "caller": "0x7ff6c28c39ad",
            "parentcaller": "0x7ff6c28c31bb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000007a8"
              }
            ],
            "repeated": 0,
            "id": 8327
          },
          {
            "timestamp": "2026-05-28 22:01:58,100",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c3746",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000007a8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001000",
                "pretty_value": "PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "3680"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\System32\\SecurityHealthSystray.exe"
              }
            ],
            "repeated": 0,
            "id": 8328
          },
          {
            "timestamp": "2026-05-28 22:01:58,100",
            "thread_id": "5448",
            "caller": "0x7ff6c28c472e",
            "parentcaller": "0x7ff6c28c375e",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000007a8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x0000073c"
              }
            ],
            "repeated": 0,
            "id": 8329
          },
          {
            "timestamp": "2026-05-28 22:01:58,100",
            "thread_id": "5448",
            "caller": "0x7ff6c28c4764",
            "parentcaller": "0x7ff6c28c375e",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "39"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 8330
          },
          {
            "timestamp": "2026-05-28 22:01:58,100",
            "thread_id": "5448",
            "caller": "0x7ff6c28c47ed",
            "parentcaller": "0x7ff6c28c375e",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "39"
              },
              {
                "name": "TokenInformation",
                "value": "\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\xc0t T\\x92\\x02\\x00\\x00 \\x00 \\x00\\x00\\x00\\x00\\x00\\xe8t T\\x92\\x02\\x00\\x00\\x02\\x00\\x00\\x00A\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x08u T\\x92\\x02\\x00\\x00T\\x00S\\x00A\\x00:\\x00/\\x00/\\x00P\\x00r\\x00o\\x00c\\x00U\\x00n\\x00i\\x00q\\x00u\\x00e\\x00{\\x00\\x00\\x00\\x00\\x00\\x00\\x00HL\\x07\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 8331
          },
          {
            "timestamp": "2026-05-28 22:01:58,100",
            "thread_id": "5448",
            "caller": "0x7ff6c28c488d",
            "parentcaller": "0x7ff6c28c375e",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000073c"
              }
            ],
            "repeated": 0,
            "id": 8332
          },
          {
            "timestamp": "2026-05-28 22:01:58,100",
            "thread_id": "5448",
            "caller": "0x7ff6c28c3779",
            "parentcaller": "0x7ff6c28c31c6",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000007a8"
              }
            ],
            "repeated": 0,
            "id": 8333
          },
          {
            "timestamp": "2026-05-28 22:01:58,100",
            "thread_id": "5448",
            "caller": "0x7ff6c28c05ac",
            "parentcaller": "0x7ff6c28bdc11",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000007a8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001400",
                "pretty_value": "PROCESS_QUERY_INFORMATION|PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "6084"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\System32\\svchost.exe"
              }
            ],
            "repeated": 0,
            "id": 8334
          },
          {
            "timestamp": "2026-05-28 22:01:58,100",
            "thread_id": "5448",
            "caller": "0x7ff6c28c068f",
            "parentcaller": "0x7ff6c28bdc11",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000007a8"
              }
            ],
            "repeated": 0,
            "id": 8335
          },
          {
            "timestamp": "2026-05-28 22:01:58,100",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c3e56",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000007a8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001000",
                "pretty_value": "PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "6084"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\System32\\svchost.exe"
              }
            ],
            "repeated": 0,
            "id": 8336
          },
          {
            "timestamp": "2026-05-28 22:01:58,100",
            "thread_id": "5448",
            "caller": "0x7ff6c28c3ebb",
            "parentcaller": "0x7ff6c28c2d53",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000007a8"
              }
            ],
            "repeated": 0,
            "id": 8337
          },
          {
            "timestamp": "2026-05-28 22:01:58,100",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c3ffc",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000007a8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001000",
                "pretty_value": "PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "6084"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\System32\\svchost.exe"
              }
            ],
            "repeated": 0,
            "id": 8338
          },
          {
            "timestamp": "2026-05-28 22:01:58,100",
            "thread_id": "5448",
            "caller": "0x7ff6c28c4224",
            "parentcaller": "0x7ff6c28c2da5",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000007a8"
              }
            ],
            "repeated": 0,
            "id": 8339
          },
          {
            "timestamp": "2026-05-28 22:01:58,100",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x292546c0002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\System32\\svchost.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 8340
          },
          {
            "timestamp": "2026-05-28 22:01:58,100",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "registry",
            "api": "NtOpenKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\en-US"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\en-US"
              }
            ],
            "repeated": 0,
            "id": 8341
          },
          {
            "timestamp": "2026-05-28 22:01:58,100",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000007a8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100001",
                "pretty_value": "FILE_READ_ACCESS|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\en-US\\svchost.exe.mui"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 8342
          },
          {
            "timestamp": "2026-05-28 22:01:58,100",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x0000073c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x000007a8"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\en-US\\svchost.exe.mui"
              }
            ],
            "repeated": 0,
            "id": 8343
          },
          {
            "timestamp": "2026-05-28 22:01:58,100",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x0000073c"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x292546d0000"
              },
              {
                "name": "SectionOffset",
                "value": "0xf09ddfcf90"
              },
              {
                "name": "ViewSize",
                "value": "0x00001000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 8344
          },
          {
            "timestamp": "2026-05-28 22:01:58,100",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000073c"
              }
            ],
            "repeated": 0,
            "id": 8345
          },
          {
            "timestamp": "2026-05-28 22:01:58,100",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x292546d0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              }
            ],
            "repeated": 0,
            "id": 8346
          },
          {
            "timestamp": "2026-05-28 22:01:58,100",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000007a8"
              }
            ],
            "repeated": 0,
            "id": 8347
          },
          {
            "timestamp": "2026-05-28 22:01:58,100",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x292546c0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              }
            ],
            "repeated": 0,
            "id": 8348
          },
          {
            "timestamp": "2026-05-28 22:01:58,100",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x292546c0002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\System32\\svchost.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 8349
          },
          {
            "timestamp": "2026-05-28 22:01:58,100",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "registry",
            "api": "NtOpenKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\en-US"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\en-US"
              }
            ],
            "repeated": 0,
            "id": 8350
          },
          {
            "timestamp": "2026-05-28 22:01:58,100",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000007a8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100001",
                "pretty_value": "FILE_READ_ACCESS|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\en-US\\svchost.exe.mui"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 8351
          },
          {
            "timestamp": "2026-05-28 22:01:58,100",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x0000073c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x000007a8"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\en-US\\svchost.exe.mui"
              }
            ],
            "repeated": 0,
            "id": 8352
          },
          {
            "timestamp": "2026-05-28 22:01:58,100",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x0000073c"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x292546d0000"
              },
              {
                "name": "SectionOffset",
                "value": "0xf09ddfcf80"
              },
              {
                "name": "ViewSize",
                "value": "0x00001000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 8353
          },
          {
            "timestamp": "2026-05-28 22:01:58,100",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000073c"
              }
            ],
            "repeated": 0,
            "id": 8354
          },
          {
            "timestamp": "2026-05-28 22:01:58,100",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x292546d0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              }
            ],
            "repeated": 0,
            "id": 8355
          },
          {
            "timestamp": "2026-05-28 22:01:58,100",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000007a8"
              }
            ],
            "repeated": 0,
            "id": 8356
          },
          {
            "timestamp": "2026-05-28 22:01:58,100",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x292546c0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              }
            ],
            "repeated": 0,
            "id": 8357
          },
          {
            "timestamp": "2026-05-28 22:01:58,100",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c38f8",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000007a8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001410",
                "pretty_value": "PROCESS_VM_READ|PROCESS_QUERY_INFORMATION|PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "6084"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\System32\\svchost.exe"
              }
            ],
            "repeated": 0,
            "id": 8358
          },
          {
            "timestamp": "2026-05-28 22:01:58,100",
            "thread_id": "5448",
            "caller": "0x7ff6c28c53e5",
            "parentcaller": "0x7ff6c28c3945",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000007a8"
              },
              {
                "name": "BaseAddress",
                "value": "0x77909e1000"
              },
              {
                "name": "Size",
                "value": "0x000007c8"
              },
              {
                "name": "Buffer",
                "value": "\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x006\\x80\\xf7\\x7f\\x00\\x00\\xc0\\xc4\\x13x\\xfc\\x7f\\x00\\x00p2@\\x82\\x9a\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00%\\x82\\x9a\\x01\\x00\\x00\\xe0\\xc0\\x13x\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00p\\x003v\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00 \\x82\\x9a\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00@\\xc4\\x13x\\xfc\\x7f\\x00\\x00\\xff\\xff\\x07\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xdb\\xb8\\xf4}\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00P\\x07\\xdb\\xb8\\xf4}\\x00\\x00\\x00\\x00\\xef\\xba\\xf5}\\x00\\x00(\\x02\\xf0\\xba\\xf5}\\x00\\x00P\\x06\\xf1\\xba\\xf5}\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x80\\x9b\\x07m\\xe8\\xff\\xff\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x00 \\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x10\\x00\\x00\\x00@\\xad\\x13x\\xfc\\x7f\\x00\\x00\\x00\\x00\\x80\\x82\\x9a\\x01\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 8359
          },
          {
            "timestamp": "2026-05-28 22:01:58,100",
            "thread_id": "5448",
            "caller": "0x7ff6c28c5414",
            "parentcaller": "0x7ff6c28c3945",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000007a8"
              },
              {
                "name": "BaseAddress",
                "value": "0x19a82403270"
              },
              {
                "name": "Size",
                "value": "0x00000440"
              },
              {
                "name": "Buffer",
                "value": ">\\x07\\x00\\x00>\\x07\\x00\\x00\\x01 \\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00(\\x00\\x08\\x02\\x00\\x00\\x00\\x00 >@\\x82\\x9a\\x01\\x00\\x00H\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00>\\x00@\\x00\\x00\\x00\\x00\\x00\\xb88@\\x82\\x9a\\x01\\x00\\x00p\\x00r\\x00\\x00\\x00\\x00\\x00\\xf88@\\x82\\x9a\\x01\\x00\\x00\\xf0'@\\x82\\x9a\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x80\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00>\\x00@\\x00\\x00\\x00\\x00\\x00j9@\\x82\\x9a\\x01\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\xaa9@\\x82\\x9a\\x01\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\xac9@\\x82\\x9a\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 8360
          },
          {
            "timestamp": "2026-05-28 22:01:58,100",
            "thread_id": "5448",
            "caller": "0x7ff6c28c545d",
            "parentcaller": "0x7ff6c28c3945",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000007a8"
              },
              {
                "name": "BaseAddress",
                "value": "0x19a824038f8"
              },
              {
                "name": "Size",
                "value": "0x00000070"
              },
              {
                "name": "Buffer",
                "value": "C\\x00:\\x00\\\\x00W\\x00i\\x00n\\x00d\\x00o\\x00w\\x00s\\x00\\\\x00s\\x00y\\x00s\\x00t\\x00e\\x00m\\x003\\x002\\x00\\\\x00s\\x00v\\x00c\\x00h\\x00o\\x00s\\x00t\\x00.\\x00e\\x00x\\x00e\\x00 \\x00-\\x00k\\x00 \\x00n\\x00e\\x00t\\x00s\\x00v\\x00c\\x00s\\x00 \\x00-\\x00p\\x00 \\x00-\\x00s\\x00 \\x00A\\x00p\\x00p\\x00i\\x00n\\x00f\\x00o\\x00"
              }
            ],
            "repeated": 0,
            "id": 8361
          },
          {
            "timestamp": "2026-05-28 22:01:58,100",
            "thread_id": "5448",
            "caller": "0x7ff6c28c39ad",
            "parentcaller": "0x7ff6c28c31bb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000007a8"
              }
            ],
            "repeated": 0,
            "id": 8362
          },
          {
            "timestamp": "2026-05-28 22:01:58,100",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c3746",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000007a8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001000",
                "pretty_value": "PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "6084"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\System32\\svchost.exe"
              }
            ],
            "repeated": 0,
            "id": 8363
          },
          {
            "timestamp": "2026-05-28 22:01:58,100",
            "thread_id": "5448",
            "caller": "0x7ff6c28c472e",
            "parentcaller": "0x7ff6c28c375e",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000007a8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x0000073c"
              }
            ],
            "repeated": 0,
            "id": 8364
          },
          {
            "timestamp": "2026-05-28 22:01:58,100",
            "thread_id": "5448",
            "caller": "0x7ff6c28c4764",
            "parentcaller": "0x7ff6c28c375e",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "39"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 8365
          },
          {
            "timestamp": "2026-05-28 22:01:58,100",
            "thread_id": "5448",
            "caller": "0x7ff6c28c47ed",
            "parentcaller": "0x7ff6c28c375e",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "39"
              },
              {
                "name": "TokenInformation",
                "value": "\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\xc0t T\\x92\\x02\\x00\\x00 \\x00 \\x00\\x00\\x00\\x00\\x00\\xe8t T\\x92\\x02\\x00\\x00\\x02\\x00\\x00\\x00A\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x08u T\\x92\\x02\\x00\\x00T\\x00S\\x00A\\x00:\\x00/\\x00/\\x00P\\x00r\\x00o\\x00c\\x00U\\x00n\\x00i\\x00q\\x00u\\x00e\\x00}\\x00\\x00\\x00\\x00\\x00\\x00\\x00Kh\\x07\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 8366
          },
          {
            "timestamp": "2026-05-28 22:01:58,100",
            "thread_id": "5448",
            "caller": "0x7ff6c28c488d",
            "parentcaller": "0x7ff6c28c375e",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000073c"
              }
            ],
            "repeated": 0,
            "id": 8367
          },
          {
            "timestamp": "2026-05-28 22:01:58,100",
            "thread_id": "5448",
            "caller": "0x7ff6c28c3779",
            "parentcaller": "0x7ff6c28c31c6",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000007a8"
              }
            ],
            "repeated": 0,
            "id": 8368
          },
          {
            "timestamp": "2026-05-28 22:01:58,100",
            "thread_id": "5448",
            "caller": "0x7ff6c28c05ac",
            "parentcaller": "0x7ff6c28bdc11",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000007a8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001400",
                "pretty_value": "PROCESS_QUERY_INFORMATION|PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "4944"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Users\\admin\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe"
              }
            ],
            "repeated": 0,
            "id": 8369
          },
          {
            "timestamp": "2026-05-28 22:01:58,100",
            "thread_id": "5448",
            "caller": "0x7ff6c28c068f",
            "parentcaller": "0x7ff6c28bdc11",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000007a8"
              }
            ],
            "repeated": 0,
            "id": 8370
          },
          {
            "timestamp": "2026-05-28 22:01:58,100",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c3e56",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000007a8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001000",
                "pretty_value": "PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "4944"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Users\\admin\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe"
              }
            ],
            "repeated": 0,
            "id": 8371
          },
          {
            "timestamp": "2026-05-28 22:01:58,100",
            "thread_id": "5448",
            "caller": "0x7ff6c28c3ebb",
            "parentcaller": "0x7ff6c28c2d53",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000007a8"
              }
            ],
            "repeated": 0,
            "id": 8372
          },
          {
            "timestamp": "2026-05-28 22:01:58,100",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c3ffc",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000007a8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001000",
                "pretty_value": "PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "4944"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Users\\admin\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe"
              }
            ],
            "repeated": 0,
            "id": 8373
          },
          {
            "timestamp": "2026-05-28 22:01:58,100",
            "thread_id": "5448",
            "caller": "0x7ff6c28c4224",
            "parentcaller": "0x7ff6c28c2da5",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000007a8"
              }
            ],
            "repeated": 0,
            "id": 8374
          },
          {
            "timestamp": "2026-05-28 22:01:58,100",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x0e020002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Users\\admin\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 8375
          },
          {
            "timestamp": "2026-05-28 22:01:58,100",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x0e020000"
              },
              {
                "name": "RegionSize",
                "value": "0x00243000"
              }
            ],
            "repeated": 0,
            "id": 8376
          },
          {
            "timestamp": "2026-05-28 22:01:58,100",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x0e020002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Users\\admin\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 8377
          },
          {
            "timestamp": "2026-05-28 22:01:58,100",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x0e020000"
              },
              {
                "name": "RegionSize",
                "value": "0x00243000"
              }
            ],
            "repeated": 0,
            "id": 8378
          },
          {
            "timestamp": "2026-05-28 22:01:58,100",
            "thread_id": "5448",
            "caller": "0x7ff6c28c3b16",
            "parentcaller": "0x7ff6c28c30e8",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000007a8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000400",
                "pretty_value": "PROCESS_QUERY_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "4944"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Users\\admin\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe"
              }
            ],
            "repeated": 0,
            "id": 8379
          },
          {
            "timestamp": "2026-05-28 22:01:58,100",
            "thread_id": "5448",
            "caller": "0x7ff6c28c3b8f",
            "parentcaller": "0x7ff6c28c30e8",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000007a8"
              }
            ],
            "repeated": 0,
            "id": 8380
          },
          {
            "timestamp": "2026-05-28 22:01:58,100",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c38f8",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000007a8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001410",
                "pretty_value": "PROCESS_VM_READ|PROCESS_QUERY_INFORMATION|PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "4944"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Users\\admin\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe"
              }
            ],
            "repeated": 0,
            "id": 8381
          },
          {
            "timestamp": "2026-05-28 22:01:58,100",
            "thread_id": "5448",
            "caller": "0x7ff6c28c53e5",
            "parentcaller": "0x7ff6c28c3945",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000007a8"
              },
              {
                "name": "BaseAddress",
                "value": "0x0469c000"
              },
              {
                "name": "Size",
                "value": "0x000007c8"
              },
              {
                "name": "Buffer",
                "value": "\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x002\\x00\\x00\\x00\\x00\\x00\\xc0\\xc4\\x13x\\xfc\\x7f\\x00\\x00\\xb0\\x1b\\xa0\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xa0\\x04\\x00\\x00\\x00\\x00\\xe0\\xc0\\x13x\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00P\\xe1Vw\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00Z\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00@\\xc4\\x13x\\xfc\\x7f\\x00\\x00\\xff\\xff\\x07\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xfd\\xfe\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00P\\x07\\xfd\\xfe\\x00\\x00\\x00\\x00\\x00\\x00\\x15\\xff\\x00\\x00\\x00\\x00(\\x02\\x16\\xff\\x00\\x00\\x00\\x00P\\x06\\x17\\xff\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x80\\x9b\\x07m\\xe8\\xff\\xff\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x00 \\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x10\\x00\\x00\\x00@\\xad\\x13x\\xfc\\x7f\\x00\\x00\\x00\\x00\\xfc\\x04\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 8382
          },
          {
            "timestamp": "2026-05-28 22:01:58,100",
            "thread_id": "5448",
            "caller": "0x7ff6c28c5414",
            "parentcaller": "0x7ff6c28c3945",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000007a8"
              },
              {
                "name": "BaseAddress",
                "value": "0x04a01bb0"
              },
              {
                "name": "Size",
                "value": "0x00000440"
              },
              {
                "name": "Buffer",
                "value": "\\xf4\\x07\\x00\\x00\\xf4\\x07\\x00\\x00\\x01`\\x00\\x00\\x00\\x00\\x00\\x00\\xfe\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x16\\x00\\x08\\x02\\x00\\x00\\x00\\x00\\x00(\\xa0\\x04\\x00\\x00\\x00\\x00@\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00x\\x00z\\x00\\x00\\x00\\x00\\x00\\xf8!\\xa0\\x04\\x00\\x00\\x00\\x00\\x94\\x00\\x96\\x00\\x00\\x00\\x00\\x00r\"\\xa0\\x04\\x00\\x00\\x00\\x00\\xe0\\x0f\\xa0\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00x\\x00z\\x00\\x00\\x00\\x00\\x00\\x08#\\xa0\\x04\\x00\\x00\\x00\\x00\\x1e\\x00 \\x00\\x00\\x00\\x00\\x00\\x82#\\xa0\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\xa2#\\xa0\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 8383
          },
          {
            "timestamp": "2026-05-28 22:01:58,100",
            "thread_id": "5448",
            "caller": "0x7ff6c28c545d",
            "parentcaller": "0x7ff6c28c3945",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000007a8"
              },
              {
                "name": "BaseAddress",
                "value": "0x04a02272"
              },
              {
                "name": "Size",
                "value": "0x00000094"
              },
              {
                "name": "Buffer",
                "value": "\"\\x00C\\x00:\\x00\\\\x00U\\x00s\\x00e\\x00r\\x00s\\x00\\\\x00a\\x00d\\x00m\\x00i\\x00n\\x00\\\\x00A\\x00p\\x00p\\x00D\\x00a\\x00t\\x00a\\x00\\\\x00L\\x00o\\x00c\\x00a\\x00l\\x00\\\\x00M\\x00i\\x00c\\x00r\\x00o\\x00s\\x00o\\x00f\\x00t\\x00\\\\x00O\\x00n\\x00e\\x00D\\x00r\\x00i\\x00v\\x00e\\x00\\\\x00O\\x00n\\x00e\\x00D\\x00r\\x00i\\x00v\\x00e\\x00.\\x00e\\x00x\\x00e\\x00\"\\x00 \\x00/\\x00b\\x00a\\x00c\\x00k\\x00g\\x00r\\x00o\\x00u\\x00n\\x00d\\x00"
              }
            ],
            "repeated": 0,
            "id": 8384
          },
          {
            "timestamp": "2026-05-28 22:01:58,100",
            "thread_id": "5448",
            "caller": "0x7ff6c28c39ad",
            "parentcaller": "0x7ff6c28c31bb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000007a8"
              }
            ],
            "repeated": 0,
            "id": 8385
          },
          {
            "timestamp": "2026-05-28 22:01:58,100",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c3746",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000007a8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001000",
                "pretty_value": "PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "4944"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Users\\admin\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe"
              }
            ],
            "repeated": 0,
            "id": 8386
          },
          {
            "timestamp": "2026-05-28 22:01:58,100",
            "thread_id": "5448",
            "caller": "0x7ff6c28c472e",
            "parentcaller": "0x7ff6c28c375e",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000007a8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x0000073c"
              }
            ],
            "repeated": 0,
            "id": 8387
          },
          {
            "timestamp": "2026-05-28 22:01:58,100",
            "thread_id": "5448",
            "caller": "0x7ff6c28c4764",
            "parentcaller": "0x7ff6c28c375e",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "39"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 8388
          },
          {
            "timestamp": "2026-05-28 22:01:58,100",
            "thread_id": "5448",
            "caller": "0x7ff6c28c47ed",
            "parentcaller": "0x7ff6c28c375e",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "39"
              },
              {
                "name": "TokenInformation",
                "value": "\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\xc0t T\\x92\\x02\\x00\\x00 \\x00 \\x00\\x00\\x00\\x00\\x00\\xe8t T\\x92\\x02\\x00\\x00\\x02\\x00\\x00\\x00A\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x08u T\\x92\\x02\\x00\\x00T\\x00S\\x00A\\x00:\\x00/\\x00/\\x00P\\x00r\\x00o\\x00c\\x00U\\x00n\\x00i\\x00q\\x00u\\x00e\\x00!\\x00\\x00\\x00\\x00\\x00\\x00\\x00s\\x85\\x07\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 8389
          },
          {
            "timestamp": "2026-05-28 22:01:58,100",
            "thread_id": "5448",
            "caller": "0x7ff6c28c488d",
            "parentcaller": "0x7ff6c28c375e",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000073c"
              }
            ],
            "repeated": 0,
            "id": 8390
          },
          {
            "timestamp": "2026-05-28 22:01:58,100",
            "thread_id": "5448",
            "caller": "0x7ff6c28c3779",
            "parentcaller": "0x7ff6c28c31c6",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000007a8"
              }
            ],
            "repeated": 0,
            "id": 8391
          },
          {
            "timestamp": "2026-05-28 22:01:58,100",
            "thread_id": "5448",
            "caller": "0x7ff6c28c05ac",
            "parentcaller": "0x7ff6c28bdc11",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000007a8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001400",
                "pretty_value": "PROCESS_QUERY_INFORMATION|PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "5876"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\System32\\svchost.exe"
              }
            ],
            "repeated": 0,
            "id": 8392
          },
          {
            "timestamp": "2026-05-28 22:01:58,100",
            "thread_id": "5448",
            "caller": "0x7ff6c28c068f",
            "parentcaller": "0x7ff6c28bdc11",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000007a8"
              }
            ],
            "repeated": 0,
            "id": 8393
          },
          {
            "timestamp": "2026-05-28 22:01:58,100",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c3e56",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000007a8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001000",
                "pretty_value": "PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "5876"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\System32\\svchost.exe"
              }
            ],
            "repeated": 0,
            "id": 8394
          },
          {
            "timestamp": "2026-05-28 22:01:58,100",
            "thread_id": "5448",
            "caller": "0x7ff6c28c3ebb",
            "parentcaller": "0x7ff6c28c2d53",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000007a8"
              }
            ],
            "repeated": 0,
            "id": 8395
          },
          {
            "timestamp": "2026-05-28 22:01:58,100",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c3ffc",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000007a8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001000",
                "pretty_value": "PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "5876"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\System32\\svchost.exe"
              }
            ],
            "repeated": 0,
            "id": 8396
          },
          {
            "timestamp": "2026-05-28 22:01:58,100",
            "thread_id": "5448",
            "caller": "0x7ff6c28c4224",
            "parentcaller": "0x7ff6c28c2da5",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000007a8"
              }
            ],
            "repeated": 0,
            "id": 8397
          },
          {
            "timestamp": "2026-05-28 22:01:58,100",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x292546c0002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\System32\\svchost.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 8398
          },
          {
            "timestamp": "2026-05-28 22:01:58,100",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "registry",
            "api": "NtOpenKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\en-US"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\en-US"
              }
            ],
            "repeated": 0,
            "id": 8399
          },
          {
            "timestamp": "2026-05-28 22:01:58,100",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000007a8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100001",
                "pretty_value": "FILE_READ_ACCESS|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\en-US\\svchost.exe.mui"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 8400
          },
          {
            "timestamp": "2026-05-28 22:01:58,100",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x0000073c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x000007a8"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\en-US\\svchost.exe.mui"
              }
            ],
            "repeated": 0,
            "id": 8401
          },
          {
            "timestamp": "2026-05-28 22:01:58,100",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x0000073c"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x292546d0000"
              },
              {
                "name": "SectionOffset",
                "value": "0xf09ddfcf90"
              },
              {
                "name": "ViewSize",
                "value": "0x00001000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 8402
          },
          {
            "timestamp": "2026-05-28 22:01:58,100",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000073c"
              }
            ],
            "repeated": 0,
            "id": 8403
          },
          {
            "timestamp": "2026-05-28 22:01:58,100",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x292546d0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              }
            ],
            "repeated": 0,
            "id": 8404
          },
          {
            "timestamp": "2026-05-28 22:01:58,100",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000007a8"
              }
            ],
            "repeated": 0,
            "id": 8405
          },
          {
            "timestamp": "2026-05-28 22:01:58,100",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x292546c0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              }
            ],
            "repeated": 0,
            "id": 8406
          },
          {
            "timestamp": "2026-05-28 22:01:58,100",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x292546c0002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\System32\\svchost.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 8407
          },
          {
            "timestamp": "2026-05-28 22:01:58,100",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "registry",
            "api": "NtOpenKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\en-US"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\en-US"
              }
            ],
            "repeated": 0,
            "id": 8408
          },
          {
            "timestamp": "2026-05-28 22:01:58,100",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000007a8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100001",
                "pretty_value": "FILE_READ_ACCESS|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\en-US\\svchost.exe.mui"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 8409
          },
          {
            "timestamp": "2026-05-28 22:01:58,100",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x0000073c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x000007a8"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\en-US\\svchost.exe.mui"
              }
            ],
            "repeated": 0,
            "id": 8410
          },
          {
            "timestamp": "2026-05-28 22:01:58,100",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x0000073c"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x292546d0000"
              },
              {
                "name": "SectionOffset",
                "value": "0xf09ddfcf80"
              },
              {
                "name": "ViewSize",
                "value": "0x00001000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 8411
          },
          {
            "timestamp": "2026-05-28 22:01:58,100",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000073c"
              }
            ],
            "repeated": 0,
            "id": 8412
          },
          {
            "timestamp": "2026-05-28 22:01:58,100",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x292546d0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              }
            ],
            "repeated": 0,
            "id": 8413
          },
          {
            "timestamp": "2026-05-28 22:01:58,100",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000007a8"
              }
            ],
            "repeated": 0,
            "id": 8414
          },
          {
            "timestamp": "2026-05-28 22:01:58,100",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x292546c0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              }
            ],
            "repeated": 0,
            "id": 8415
          },
          {
            "timestamp": "2026-05-28 22:01:58,100",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c38f8",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000007a8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001410",
                "pretty_value": "PROCESS_VM_READ|PROCESS_QUERY_INFORMATION|PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "5876"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\System32\\svchost.exe"
              }
            ],
            "repeated": 0,
            "id": 8416
          },
          {
            "timestamp": "2026-05-28 22:01:58,100",
            "thread_id": "5448",
            "caller": "0x7ff6c28c53e5",
            "parentcaller": "0x7ff6c28c3945",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000007a8"
              },
              {
                "name": "BaseAddress",
                "value": "0x475fd00000"
              },
              {
                "name": "Size",
                "value": "0x000007c8"
              },
              {
                "name": "Buffer",
                "value": "\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x006\\x80\\xf7\\x7f\\x00\\x00\\xc0\\xc4\\x13x\\xfc\\x7f\\x00\\x00p2`\\xfb\\xde\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00C\\xfb\\xde\\x01\\x00\\x00\\xe0\\xc0\\x13x\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00p\\x003v\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00>\\xfb\\xde\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00@\\xc4\\x13x\\xfc\\x7f\\x00\\x00\\xff\\x0f\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xcf8\\xf4}\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00P\\x07\\xcf8\\xf4}\\x00\\x00\\x00\\x00\\xe3:\\xf5}\\x00\\x00(\\x02\\xe4:\\xf5}\\x00\\x00P\\x06\\xe5:\\xf5}\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x80\\x9b\\x07m\\xe8\\xff\\xff\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x00 \\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x10\\x00\\x00\\x00@\\xad\\x13x\\xfc\\x7f\\x00\\x00\\x00\\x00\\xa0\\xfb\\xde\\x01\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 8417
          },
          {
            "timestamp": "2026-05-28 22:01:58,100",
            "thread_id": "5448",
            "caller": "0x7ff6c28c5414",
            "parentcaller": "0x7ff6c28c3945",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000007a8"
              },
              {
                "name": "BaseAddress",
                "value": "0x1defb603270"
              },
              {
                "name": "Size",
                "value": "0x00000440"
              },
              {
                "name": "Buffer",
                "value": "f\\x07\\x00\\x00f\\x07\\x00\\x00\\x01 \\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00(\\x00\\x08\\x02\\x00\\x00\\x00\\x00P>`\\xfb\\xde\\x01\\x00\\x00H\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00>\\x00@\\x00\\x00\\x00\\x00\\x00\\xb88`\\xfb\\xde\\x01\\x00\\x00\\x98\\x00\\x9a\\x00\\x00\\x00\\x00\\x00\\xf88`\\xfb\\xde\\x01\\x00\\x00\\xf0'`\\xfb\\xde\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x80\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00>\\x00@\\x00\\x00\\x00\\x00\\x00\\x929`\\xfb\\xde\\x01\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\xd29`\\xfb\\xde\\x01\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\xd49`\\xfb\\xde\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 8418
          },
          {
            "timestamp": "2026-05-28 22:01:58,100",
            "thread_id": "5448",
            "caller": "0x7ff6c28c545d",
            "parentcaller": "0x7ff6c28c3945",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000007a8"
              },
              {
                "name": "BaseAddress",
                "value": "0x1defb6038f8"
              },
              {
                "name": "Size",
                "value": "0x00000098"
              },
              {
                "name": "Buffer",
                "value": "C\\x00:\\x00\\\\x00W\\x00i\\x00n\\x00d\\x00o\\x00w\\x00s\\x00\\\\x00s\\x00y\\x00s\\x00t\\x00e\\x00m\\x003\\x002\\x00\\\\x00s\\x00v\\x00c\\x00h\\x00o\\x00s\\x00t\\x00.\\x00e\\x00x\\x00e\\x00 \\x00-\\x00k\\x00 \\x00L\\x00o\\x00c\\x00a\\x00l\\x00S\\x00y\\x00s\\x00t\\x00e\\x00m\\x00N\\x00e\\x00t\\x00w\\x00o\\x00r\\x00k\\x00R\\x00e\\x00s\\x00t\\x00r\\x00i\\x00c\\x00t\\x00e\\x00d\\x00 \\x00-\\x00p\\x00 \\x00-\\x00s\\x00 \\x00P\\x00c\\x00a\\x00S\\x00v\\x00c\\x00"
              }
            ],
            "repeated": 0,
            "id": 8419
          },
          {
            "timestamp": "2026-05-28 22:01:58,100",
            "thread_id": "5448",
            "caller": "0x7ff6c28c39ad",
            "parentcaller": "0x7ff6c28c31bb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000007a8"
              }
            ],
            "repeated": 0,
            "id": 8420
          },
          {
            "timestamp": "2026-05-28 22:01:58,100",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c3746",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000007a8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001000",
                "pretty_value": "PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "5876"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\System32\\svchost.exe"
              }
            ],
            "repeated": 0,
            "id": 8421
          },
          {
            "timestamp": "2026-05-28 22:01:58,100",
            "thread_id": "5448",
            "caller": "0x7ff6c28c472e",
            "parentcaller": "0x7ff6c28c375e",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000007a8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x0000073c"
              }
            ],
            "repeated": 0,
            "id": 8422
          },
          {
            "timestamp": "2026-05-28 22:01:58,100",
            "thread_id": "5448",
            "caller": "0x7ff6c28c4764",
            "parentcaller": "0x7ff6c28c375e",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "39"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 8423
          },
          {
            "timestamp": "2026-05-28 22:01:58,100",
            "thread_id": "5448",
            "caller": "0x7ff6c28c47ed",
            "parentcaller": "0x7ff6c28c375e",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "39"
              },
              {
                "name": "TokenInformation",
                "value": "\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\xc0t T\\x92\\x02\\x00\\x00 \\x00 \\x00\\x00\\x00\\x00\\x00\\xe8t T\\x92\\x02\\x00\\x00\\x02\\x00\\x00\\x00A\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x08u T\\x92\\x02\\x00\\x00T\\x00S\\x00A\\x00:\\x00/\\x00/\\x00P\\x00r\\x00o\\x00c\\x00U\\x00n\\x00i\\x00q\\x00u\\x00e\\x00/\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xbe\\x89\\x07\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 8424
          },
          {
            "timestamp": "2026-05-28 22:01:58,100",
            "thread_id": "5448",
            "caller": "0x7ff6c28c488d",
            "parentcaller": "0x7ff6c28c375e",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000073c"
              }
            ],
            "repeated": 0,
            "id": 8425
          },
          {
            "timestamp": "2026-05-28 22:01:58,100",
            "thread_id": "5448",
            "caller": "0x7ff6c28c3779",
            "parentcaller": "0x7ff6c28c31c6",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000007a8"
              }
            ],
            "repeated": 0,
            "id": 8426
          },
          {
            "timestamp": "2026-05-28 22:01:58,100",
            "thread_id": "5448",
            "caller": "0x7ff6c28c05ac",
            "parentcaller": "0x7ff6c28bdc11",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000007a8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001400",
                "pretty_value": "PROCESS_QUERY_INFORMATION|PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "3552"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Program Files (x86)\\Steam\\steam.exe"
              }
            ],
            "repeated": 0,
            "id": 8427
          },
          {
            "timestamp": "2026-05-28 22:01:58,100",
            "thread_id": "5448",
            "caller": "0x7ff6c28c068f",
            "parentcaller": "0x7ff6c28bdc11",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000007a8"
              }
            ],
            "repeated": 0,
            "id": 8428
          },
          {
            "timestamp": "2026-05-28 22:01:58,100",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c3e56",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000007a8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001000",
                "pretty_value": "PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "3552"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Program Files (x86)\\Steam\\steam.exe"
              }
            ],
            "repeated": 0,
            "id": 8429
          },
          {
            "timestamp": "2026-05-28 22:01:58,100",
            "thread_id": "5448",
            "caller": "0x7ff6c28c3ebb",
            "parentcaller": "0x7ff6c28c2d53",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000007a8"
              }
            ],
            "repeated": 0,
            "id": 8430
          },
          {
            "timestamp": "2026-05-28 22:01:58,100",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c3ffc",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000007a8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001000",
                "pretty_value": "PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "3552"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Program Files (x86)\\Steam\\steam.exe"
              }
            ],
            "repeated": 0,
            "id": 8431
          },
          {
            "timestamp": "2026-05-28 22:01:58,100",
            "thread_id": "5448",
            "caller": "0x7ff6c28c4224",
            "parentcaller": "0x7ff6c28c2da5",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000007a8"
              }
            ],
            "repeated": 0,
            "id": 8432
          },
          {
            "timestamp": "2026-05-28 22:01:58,100",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x292546c0002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Program Files (x86)\\Steam\\steam.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 8433
          },
          {
            "timestamp": "2026-05-28 22:01:58,100",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x292546c0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00708000"
              }
            ],
            "repeated": 0,
            "id": 8434
          },
          {
            "timestamp": "2026-05-28 22:01:58,100",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x292546c0002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Program Files (x86)\\Steam\\steam.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 8435
          },
          {
            "timestamp": "2026-05-28 22:01:58,100",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x292546c0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00708000"
              }
            ],
            "repeated": 0,
            "id": 8436
          },
          {
            "timestamp": "2026-05-28 22:01:58,100",
            "thread_id": "5448",
            "caller": "0x7ff6c28c3b16",
            "parentcaller": "0x7ff6c28c30e8",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000007a8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000400",
                "pretty_value": "PROCESS_QUERY_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "3552"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Program Files (x86)\\Steam\\steam.exe"
              }
            ],
            "repeated": 0,
            "id": 8437
          },
          {
            "timestamp": "2026-05-28 22:01:58,100",
            "thread_id": "5448",
            "caller": "0x7ff6c28c3b8f",
            "parentcaller": "0x7ff6c28c30e8",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000007a8"
              }
            ],
            "repeated": 0,
            "id": 8438
          },
          {
            "timestamp": "2026-05-28 22:01:58,100",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c38f8",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000007a8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001410",
                "pretty_value": "PROCESS_VM_READ|PROCESS_QUERY_INFORMATION|PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "3552"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Program Files (x86)\\Steam\\steam.exe"
              }
            ],
            "repeated": 0,
            "id": 8439
          },
          {
            "timestamp": "2026-05-28 22:01:58,100",
            "thread_id": "5448",
            "caller": "0x7ff6c28c53e5",
            "parentcaller": "0x7ff6c28c3945",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000007a8"
              },
              {
                "name": "BaseAddress",
                "value": "0xba839c4000"
              },
              {
                "name": "Size",
                "value": "0x000007c8"
              },
              {
                "name": "Buffer",
                "value": "\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x006\\xcb\\xf7\\x7f\\x00\\x00\\xc0\\xc4\\x13x\\xfc\\x7f\\x00\\x00\\xb0\\x1b\\\\xbc\\xd5\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\\\xbc\\xd5\\x01\\x00\\x00\\xe0\\xc0\\x13x\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00p\\x003v\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00W\\xbc\\xd5\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00@\\xc4\\x13x\\xfc\\x7f\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x005\"\\xf4\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00P\\x075\"\\xf4\\x7f\\x00\\x00\\x00\\x00I$\\xf5\\x7f\\x00\\x00(\\x02J$\\xf5\\x7f\\x00\\x00P\\x06K$\\xf5\\x7f\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x80\\x9b\\x07m\\xe8\\xff\\xff\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x00 \\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\x05\\x00\\x00\\x00\\x10\\x00\\x00\\x00@\\xad\\x13x\\xfc\\x7f\\x00\\x00\\x00\\x00\\x9d\\xbc\\xd5\\x01\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 8440
          },
          {
            "timestamp": "2026-05-28 22:01:58,100",
            "thread_id": "5448",
            "caller": "0x7ff6c28c5414",
            "parentcaller": "0x7ff6c28c3945",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000007a8"
              },
              {
                "name": "BaseAddress",
                "value": "0x1d5bc5c1bb0"
              },
              {
                "name": "Size",
                "value": "0x00000440"
              },
              {
                "name": "Buffer",
                "value": "h\\x07\\x00\\x00h\\x07\\x00\\x00\\x01`\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00:\\x00\\x08\\x02\\x00\\x00\\x00\\x00`7^\\xbc\\xd5\\x01\\x00\\x00\\xbc\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00L\\x00N\\x00\\x00\\x00\\x00\\x00\\xf8!\\\\xbc\\xd5\\x01\\x00\\x00`\\x00b\\x00\\x00\\x00\\x00\\x00F\"\\\\xbc\\xd5\\x01\\x00\\x00\\x80\\x19\\xa3\\xc4\\xd5\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01P\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00$\\x00&\\x00\\x00\\x00\\x00\\x00\\x10\\xbfb\\xbc\\xd5\\x01\\x00\\x00\\x1e\\x00 \\x00\\x00\\x00\\x00\\x00\\xf6\"\\\\xbc\\xd5\\x01\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x16#\\\\xbc\\xd5\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 8441
          },
          {
            "timestamp": "2026-05-28 22:01:58,100",
            "thread_id": "5448",
            "caller": "0x7ff6c28c545d",
            "parentcaller": "0x7ff6c28c3945",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000007a8"
              },
              {
                "name": "BaseAddress",
                "value": "0x1d5bc5c2246"
              },
              {
                "name": "Size",
                "value": "0x00000060"
              },
              {
                "name": "Buffer",
                "value": "\"\\x00C\\x00:\\x00\\\\x00P\\x00r\\x00o\\x00g\\x00r\\x00a\\x00m\\x00 \\x00F\\x00i\\x00l\\x00e\\x00s\\x00 \\x00(\\x00x\\x008\\x006\\x00)\\x00\\\\x00S\\x00t\\x00e\\x00a\\x00m\\x00\\\\x00s\\x00t\\x00e\\x00a\\x00m\\x00.\\x00e\\x00x\\x00e\\x00\"\\x00 \\x00-\\x00s\\x00i\\x00l\\x00e\\x00n\\x00t\\x00"
              }
            ],
            "repeated": 0,
            "id": 8442
          },
          {
            "timestamp": "2026-05-28 22:01:58,100",
            "thread_id": "5448",
            "caller": "0x7ff6c28c39ad",
            "parentcaller": "0x7ff6c28c31bb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000007a8"
              }
            ],
            "repeated": 0,
            "id": 8443
          },
          {
            "timestamp": "2026-05-28 22:01:58,100",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c3746",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000007a8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001000",
                "pretty_value": "PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "3552"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Program Files (x86)\\Steam\\steam.exe"
              }
            ],
            "repeated": 0,
            "id": 8444
          },
          {
            "timestamp": "2026-05-28 22:01:58,100",
            "thread_id": "5448",
            "caller": "0x7ff6c28c472e",
            "parentcaller": "0x7ff6c28c375e",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000007a8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x0000073c"
              }
            ],
            "repeated": 0,
            "id": 8445
          },
          {
            "timestamp": "2026-05-28 22:01:58,100",
            "thread_id": "5448",
            "caller": "0x7ff6c28c4764",
            "parentcaller": "0x7ff6c28c375e",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "39"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 8446
          },
          {
            "timestamp": "2026-05-28 22:01:58,100",
            "thread_id": "5448",
            "caller": "0x7ff6c28c47ed",
            "parentcaller": "0x7ff6c28c375e",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "39"
              },
              {
                "name": "TokenInformation",
                "value": "\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\xc0t T\\x92\\x02\\x00\\x00 \\x00 \\x00\\x00\\x00\\x00\\x00\\xe8t T\\x92\\x02\\x00\\x00\\x02\\x00\\x00\\x00A\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x08u T\\x92\\x02\\x00\\x00T\\x00S\\x00A\\x00:\\x00/\\x00/\\x00P\\x00r\\x00o\\x00c\\x00U\\x00n\\x00i\\x00q\\x00u\\x00e\\x00?\\x00\\x00\\x00\\x00\\x00\\x00\\x00o\\xd6\\x07\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 8447
          },
          {
            "timestamp": "2026-05-28 22:01:58,100",
            "thread_id": "5448",
            "caller": "0x7ff6c28c488d",
            "parentcaller": "0x7ff6c28c375e",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000073c"
              }
            ],
            "repeated": 0,
            "id": 8448
          },
          {
            "timestamp": "2026-05-28 22:01:58,100",
            "thread_id": "5448",
            "caller": "0x7ff6c28c3779",
            "parentcaller": "0x7ff6c28c31c6",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000007a8"
              }
            ],
            "repeated": 0,
            "id": 8449
          },
          {
            "timestamp": "2026-05-28 22:01:58,100",
            "thread_id": "5448",
            "caller": "0x7ff6c28c05ac",
            "parentcaller": "0x7ff6c28bdc11",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000007a8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001400",
                "pretty_value": "PROCESS_QUERY_INFORMATION|PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "6200"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Users\\admin\\AppData\\Local\\Discord\\app-1.0.9238\\Discord.exe"
              }
            ],
            "repeated": 0,
            "id": 8450
          },
          {
            "timestamp": "2026-05-28 22:01:58,100",
            "thread_id": "5448",
            "caller": "0x7ff6c28c068f",
            "parentcaller": "0x7ff6c28bdc11",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000007a8"
              }
            ],
            "repeated": 0,
            "id": 8451
          },
          {
            "timestamp": "2026-05-28 22:01:58,100",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c3e56",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000007a8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001000",
                "pretty_value": "PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "6200"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Users\\admin\\AppData\\Local\\Discord\\app-1.0.9238\\Discord.exe"
              }
            ],
            "repeated": 0,
            "id": 8452
          },
          {
            "timestamp": "2026-05-28 22:01:58,100",
            "thread_id": "5448",
            "caller": "0x7ff6c28c3ebb",
            "parentcaller": "0x7ff6c28c2d53",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000007a8"
              }
            ],
            "repeated": 0,
            "id": 8453
          },
          {
            "timestamp": "2026-05-28 22:01:58,100",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c3ffc",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000007a8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001000",
                "pretty_value": "PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "6200"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Users\\admin\\AppData\\Local\\Discord\\app-1.0.9238\\Discord.exe"
              }
            ],
            "repeated": 0,
            "id": 8454
          },
          {
            "timestamp": "2026-05-28 22:01:58,100",
            "thread_id": "5448",
            "caller": "0x7ff6c28c4224",
            "parentcaller": "0x7ff6c28c2da5",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000007a8"
              }
            ],
            "repeated": 0,
            "id": 8455
          },
          {
            "timestamp": "2026-05-28 22:01:58,100",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x292546c0002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Users\\admin\\AppData\\Local\\Discord\\app-1.0.9238\\Discord.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 8456
          },
          {
            "timestamp": "2026-05-28 22:01:58,100",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x292546c0000"
              },
              {
                "name": "RegionSize",
                "value": "0x0be3b000"
              }
            ],
            "repeated": 0,
            "id": 8457
          },
          {
            "timestamp": "2026-05-28 22:01:58,100",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x292546c0002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Users\\admin\\AppData\\Local\\Discord\\app-1.0.9238\\Discord.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 8458
          },
          {
            "timestamp": "2026-05-28 22:01:58,100",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x292546c0000"
              },
              {
                "name": "RegionSize",
                "value": "0x0be3b000"
              }
            ],
            "repeated": 0,
            "id": 8459
          },
          {
            "timestamp": "2026-05-28 22:01:58,100",
            "thread_id": "5448",
            "caller": "0x7ff6c28c3b16",
            "parentcaller": "0x7ff6c28c30e8",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000007a8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000400",
                "pretty_value": "PROCESS_QUERY_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "6200"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Users\\admin\\AppData\\Local\\Discord\\app-1.0.9238\\Discord.exe"
              }
            ],
            "repeated": 0,
            "id": 8460
          },
          {
            "timestamp": "2026-05-28 22:01:58,100",
            "thread_id": "5448",
            "caller": "0x7ff6c28c3b8f",
            "parentcaller": "0x7ff6c28c30e8",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000007a8"
              }
            ],
            "repeated": 0,
            "id": 8461
          },
          {
            "timestamp": "2026-05-28 22:01:58,100",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c38f8",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000007a8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001410",
                "pretty_value": "PROCESS_VM_READ|PROCESS_QUERY_INFORMATION|PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "6200"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Users\\admin\\AppData\\Local\\Discord\\app-1.0.9238\\Discord.exe"
              }
            ],
            "repeated": 0,
            "id": 8462
          },
          {
            "timestamp": "2026-05-28 22:01:58,100",
            "thread_id": "5448",
            "caller": "0x7ff6c28c53e5",
            "parentcaller": "0x7ff6c28c3945",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000007a8"
              },
              {
                "name": "BaseAddress",
                "value": "0xc5ca8a5000"
              },
              {
                "name": "Size",
                "value": "0x000007c8"
              },
              {
                "name": "Buffer",
                "value": "\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\x86\\xb1\\xf6\\x7f\\x00\\x00\\xc0\\xc4\\x13x\\xfc\\x7f\\x00\\x00\\x80\\x1ct\\xb3~\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00t\\xb3~\\x02\\x00\\x00\\xe0\\xc0\\x13x\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x05\\x00\\x00\\x00\\x00\\x00\\x00\\x00p\\x003v\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00c\\xb3~\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00@\\xc4\\x13x\\xfc\\x7f\\x00\\x00\\xff\\xff\\xff\\xff\\x05\\x00\\x00\\x00\\x00\\x00\\xf7\\xa5\\xf4}\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00P\\x07\\xf7\\xa5\\xf4}\\x00\\x00\\x00\\x00\\x0b\\xa8\\xf5}\\x00\\x00(\\x02\\x0c\\xa8\\xf5}\\x00\\x00P\\x06\r\\xa8\\xf5}\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x80\\x9b\\x07m\\xe8\\xff\\xff\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x00 \\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\x05\\x00\\x00\\x00\\x10\\x00\\x00\\x00@\\xad\\x13x\\xfc\\x7f\\x00\\x00\\x00\\x00\\xc1\\xb3~\\x02\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 8463
          },
          {
            "timestamp": "2026-05-28 22:01:58,100",
            "thread_id": "5448",
            "caller": "0x7ff6c28c5414",
            "parentcaller": "0x7ff6c28c3945",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000007a8"
              },
              {
                "name": "BaseAddress",
                "value": "0x27eb3741c80"
              },
              {
                "name": "Size",
                "value": "0x00000440"
              },
              {
                "name": "Buffer",
                "value": "V\r\\x00\\x00V\r\\x00\\x00\\x01`\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00d\\x00\\x08\\x02\\x00\\x00\\x00\\x000.t\\xb3~\\x02\\x00\\x00\\x84\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00z\\x00|\\x00\\x00\\x00\\x00\\x00\\xc8\"t\\xb3~\\x02\\x00\\x00\\xf2\\x05\\xf4\\x05\\x00\\x00\\x00\\x00D#t\\xb3~\\x02\\x00\\x00\\xe0?}\\xb3~\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x80\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00z\\x00|\\x00\\x00\\x00\\x00\\x008)t\\xb3~\\x02\\x00\\x00\\x1e\\x00 \\x00\\x00\\x00\\x00\\x00\\xb4)t\\xb3~\\x02\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\xd4)t\\xb3~\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 8464
          },
          {
            "timestamp": "2026-05-28 22:01:58,100",
            "thread_id": "5448",
            "caller": "0x7ff6c28c545d",
            "parentcaller": "0x7ff6c28c3945",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000007a8"
              },
              {
                "name": "BaseAddress",
                "value": "0x27eb3742344"
              },
              {
                "name": "Size",
                "value": "0x000005f2"
              },
              {
                "name": "Buffer",
                "value": "\"\\x00C\\x00:\\x00\\\\x00U\\x00s\\x00e\\x00r\\x00s\\x00\\\\x00a\\x00d\\x00m\\x00i\\x00n\\x00\\\\x00A\\x00p\\x00p\\x00D\\x00a\\x00t\\x00a\\x00\\\\x00L\\x00o\\x00c\\x00a\\x00l\\x00\\\\x00D\\x00i\\x00s\\x00c\\x00o\\x00r\\x00d\\x00\\\\x00a\\x00p\\x00p\\x00-\\x001\\x00.\\x000\\x00.\\x009\\x002\\x003\\x008\\x00\\\\x00D\\x00i\\x00s\\x00c\\x00o\\x00r\\x00d\\x00.\\x00e\\x00x\\x00e\\x00\"\\x00 \\x00-\\x00-\\x00t\\x00y\\x00p\\x00e\\x00=\\x00g\\x00p\\x00u\\x00-\\x00p\\x00r\\x00o\\x00c\\x00e\\x00s\\x00s\\x00 \\x00-\\x00-\\x00u\\x00s\\x00e\\x00r\\x00-\\x00d\\x00a\\x00t\\x00a\\x00-\\x00d\\x00i\\x00r\\x00=\\x00\"\\x00C\\x00:\\x00\\\\x00U\\x00s\\x00e\\x00r\\x00s\\x00\\\\x00a\\x00d\\x00m\\x00i\\x00n\\x00\\\\x00A\\x00p\\x00p\\x00D\\x00a\\x00t\\x00a\\x00\\\\x00R\\x00o\\x00a\\x00m\\x00i\\x00"
              }
            ],
            "repeated": 0,
            "id": 8465
          },
          {
            "timestamp": "2026-05-28 22:01:58,100",
            "thread_id": "5448",
            "caller": "0x7ff6c28c39ad",
            "parentcaller": "0x7ff6c28c31bb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000007a8"
              }
            ],
            "repeated": 0,
            "id": 8466
          },
          {
            "timestamp": "2026-05-28 22:01:58,100",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c3746",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000007a8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001000",
                "pretty_value": "PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "6200"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Users\\admin\\AppData\\Local\\Discord\\app-1.0.9238\\Discord.exe"
              }
            ],
            "repeated": 0,
            "id": 8467
          },
          {
            "timestamp": "2026-05-28 22:01:58,100",
            "thread_id": "5448",
            "caller": "0x7ff6c28c472e",
            "parentcaller": "0x7ff6c28c375e",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000007a8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x0000073c"
              }
            ],
            "repeated": 0,
            "id": 8468
          },
          {
            "timestamp": "2026-05-28 22:01:58,100",
            "thread_id": "5448",
            "caller": "0x7ff6c28c4764",
            "parentcaller": "0x7ff6c28c375e",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "39"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 8469
          },
          {
            "timestamp": "2026-05-28 22:01:58,100",
            "thread_id": "5448",
            "caller": "0x7ff6c28c47ed",
            "parentcaller": "0x7ff6c28c375e",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "39"
              },
              {
                "name": "TokenInformation",
                "value": "\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\xc0t T\\x92\\x02\\x00\\x00 \\x00 \\x00\\x00\\x00\\x00\\x00\\xe8t T\\x92\\x02\\x00\\x00\\x02\\x00\\x00\\x00A\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x08u T\\x92\\x02\\x00\\x00T\\x00S\\x00A\\x00:\\x00/\\x00/\\x00P\\x00r\\x00o\\x00c\\x00U\\x00n\\x00i\\x00q\\x00u\\x00e\\x00D\\x00\\x00\\x00\\x00\\x00\\x00\\x00|\\xe1\\x07\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 8470
          },
          {
            "timestamp": "2026-05-28 22:01:58,100",
            "thread_id": "5448",
            "caller": "0x7ff6c28c488d",
            "parentcaller": "0x7ff6c28c375e",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000073c"
              }
            ],
            "repeated": 0,
            "id": 8471
          },
          {
            "timestamp": "2026-05-28 22:01:58,100",
            "thread_id": "5448",
            "caller": "0x7ff6c28c3779",
            "parentcaller": "0x7ff6c28c31c6",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000007a8"
              }
            ],
            "repeated": 0,
            "id": 8472
          },
          {
            "timestamp": "2026-05-28 22:01:58,100",
            "thread_id": "5448",
            "caller": "0x7ff6c28c05ac",
            "parentcaller": "0x7ff6c28bdc11",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000007a8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001400",
                "pretty_value": "PROCESS_QUERY_INFORMATION|PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "6600"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Users\\admin\\AppData\\Local\\Discord\\app-1.0.9238\\Discord.exe"
              }
            ],
            "repeated": 0,
            "id": 8473
          },
          {
            "timestamp": "2026-05-28 22:01:58,100",
            "thread_id": "5448",
            "caller": "0x7ff6c28c068f",
            "parentcaller": "0x7ff6c28bdc11",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000007a8"
              }
            ],
            "repeated": 0,
            "id": 8474
          },
          {
            "timestamp": "2026-05-28 22:01:58,100",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c3e56",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000007a8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001000",
                "pretty_value": "PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "6600"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Users\\admin\\AppData\\Local\\Discord\\app-1.0.9238\\Discord.exe"
              }
            ],
            "repeated": 0,
            "id": 8475
          },
          {
            "timestamp": "2026-05-28 22:01:58,100",
            "thread_id": "5448",
            "caller": "0x7ff6c28c3ebb",
            "parentcaller": "0x7ff6c28c2d53",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000007a8"
              }
            ],
            "repeated": 0,
            "id": 8476
          },
          {
            "timestamp": "2026-05-28 22:01:58,100",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c3ffc",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000007a8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001000",
                "pretty_value": "PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "6600"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Users\\admin\\AppData\\Local\\Discord\\app-1.0.9238\\Discord.exe"
              }
            ],
            "repeated": 0,
            "id": 8477
          },
          {
            "timestamp": "2026-05-28 22:01:58,100",
            "thread_id": "5448",
            "caller": "0x7ff6c28c4224",
            "parentcaller": "0x7ff6c28c2da5",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000007a8"
              }
            ],
            "repeated": 0,
            "id": 8478
          },
          {
            "timestamp": "2026-05-28 22:01:58,100",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x292546c0002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Users\\admin\\AppData\\Local\\Discord\\app-1.0.9238\\Discord.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 8479
          },
          {
            "timestamp": "2026-05-28 22:01:58,100",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x292546c0000"
              },
              {
                "name": "RegionSize",
                "value": "0x0be3b000"
              }
            ],
            "repeated": 0,
            "id": 8480
          },
          {
            "timestamp": "2026-05-28 22:01:58,100",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x292546c0002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Users\\admin\\AppData\\Local\\Discord\\app-1.0.9238\\Discord.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 8481
          },
          {
            "timestamp": "2026-05-28 22:01:58,100",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x292546c0000"
              },
              {
                "name": "RegionSize",
                "value": "0x0be3b000"
              }
            ],
            "repeated": 0,
            "id": 8482
          },
          {
            "timestamp": "2026-05-28 22:01:58,100",
            "thread_id": "5448",
            "caller": "0x7ff6c28c3b16",
            "parentcaller": "0x7ff6c28c30e8",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000007a8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000400",
                "pretty_value": "PROCESS_QUERY_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "6600"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Users\\admin\\AppData\\Local\\Discord\\app-1.0.9238\\Discord.exe"
              }
            ],
            "repeated": 0,
            "id": 8483
          },
          {
            "timestamp": "2026-05-28 22:01:58,100",
            "thread_id": "5448",
            "caller": "0x7ff6c28c3b8f",
            "parentcaller": "0x7ff6c28c30e8",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000007a8"
              }
            ],
            "repeated": 0,
            "id": 8484
          },
          {
            "timestamp": "2026-05-28 22:01:58,100",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c38f8",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000007a8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001410",
                "pretty_value": "PROCESS_VM_READ|PROCESS_QUERY_INFORMATION|PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "6600"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Users\\admin\\AppData\\Local\\Discord\\app-1.0.9238\\Discord.exe"
              }
            ],
            "repeated": 0,
            "id": 8485
          },
          {
            "timestamp": "2026-05-28 22:01:58,100",
            "thread_id": "5448",
            "caller": "0x7ff6c28c53e5",
            "parentcaller": "0x7ff6c28c3945",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000007a8"
              },
              {
                "name": "BaseAddress",
                "value": "0x5fb9933000"
              },
              {
                "name": "Size",
                "value": "0x000007c8"
              },
              {
                "name": "Buffer",
                "value": "\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\x86\\xb1\\xf6\\x7f\\x00\\x00\\xc0\\xc4\\x13x\\xfc\\x7f\\x00\\x00\\x80\\x1c\\xe0V\\x03\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xe0V\\x03\\x02\\x00\\x00\\xe0\\xc0\\x13x\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00p\\x003v\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xd9V\\x03\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00@\\xc4\\x13x\\xfc\\x7f\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\x07\\x00\\x00\\x00\\x00M\\xfe\\xf3}\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00P\\x07M\\xfe\\xf3}\\x00\\x00\\x00\\x00a\\x00\\xf5}\\x00\\x00(\\x02b\\x00\\xf5}\\x00\\x00P\\x06c\\x00\\xf5}\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x80\\x9b\\x07m\\xe8\\xff\\xff\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x00 \\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\x06\\x00\\x00\\x00\\x10\\x00\\x00\\x00@\\xad\\x13x\\xfc\\x7f\\x00\\x00\\x00\\x00,W\\x03\\x02\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 8486
          },
          {
            "timestamp": "2026-05-28 22:01:58,100",
            "thread_id": "5448",
            "caller": "0x7ff6c28c5414",
            "parentcaller": "0x7ff6c28c3945",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000007a8"
              },
              {
                "name": "BaseAddress",
                "value": "0x20356e01c80"
              },
              {
                "name": "Size",
                "value": "0x00000440"
              },
              {
                "name": "Buffer",
                "value": "B\\x12\\x00\\x00B\\x12\\x00\\x00\\x01`\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00d\\x00\\x08\\x02\\x00\\x00\\x00\\x00 3\\xe0V\\x03\\x02\\x00\\x00D\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00z\\x00|\\x00\\x00\\x00\\x00\\x00\\xc8\"\\xe0V\\x03\\x02\\x00\\x00\\xde\n\\xe0\n\\x00\\x00\\x00\\x00D#\\xe0V\\x03\\x02\\x00\\x00\\x90\\x04%\\xe3\\x03\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x81P\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x008\\x00:\\x00\\x00\\x00\\x00\\x00\\x90\n\\xe3V\\x03\\x02\\x00\\x00\\x1e\\x00 \\x00\\x00\\x00\\x00\\x00\\xa0.\\xe0V\\x03\\x02\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\xc0.\\xe0V\\x03\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 8487
          },
          {
            "timestamp": "2026-05-28 22:01:58,100",
            "thread_id": "5448",
            "caller": "0x7ff6c28c545d",
            "parentcaller": "0x7ff6c28c3945",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000007a8"
              },
              {
                "name": "BaseAddress",
                "value": "0x20356e02344"
              },
              {
                "name": "Size",
                "value": "0x000007fe"
              },
              {
                "name": "Buffer",
                "value": "\"\\x00C\\x00:\\x00\\\\x00U\\x00s\\x00e\\x00r\\x00s\\x00\\\\x00a\\x00d\\x00m\\x00i\\x00n\\x00\\\\x00A\\x00p\\x00p\\x00D\\x00a\\x00t\\x00a\\x00\\\\x00L\\x00o\\x00c\\x00a\\x00l\\x00\\\\x00D\\x00i\\x00s\\x00c\\x00o\\x00r\\x00d\\x00\\\\x00a\\x00p\\x00p\\x00-\\x001\\x00.\\x000\\x00.\\x009\\x002\\x003\\x008\\x00\\\\x00D\\x00i\\x00s\\x00c\\x00o\\x00r\\x00d\\x00.\\x00e\\x00x\\x00e\\x00\"\\x00 \\x00-\\x00-\\x00t\\x00y\\x00p\\x00e\\x00=\\x00r\\x00e\\x00n\\x00d\\x00e\\x00r\\x00e\\x00r\\x00 \\x00-\\x00-\\x00u\\x00s\\x00e\\x00r\\x00-\\x00d\\x00a\\x00t\\x00a\\x00-\\x00d\\x00i\\x00r\\x00=\\x00\"\\x00C\\x00:\\x00\\\\x00U\\x00s\\x00e\\x00r\\x00s\\x00\\\\x00a\\x00d\\x00m\\x00i\\x00n\\x00\\\\x00A\\x00p\\x00p\\x00D\\x00a\\x00t\\x00a\\x00\\\\x00R\\x00o\\x00a\\x00m\\x00i\\x00n\\x00g\\x00\\\\x00"
              }
            ],
            "repeated": 0,
            "id": 8488
          },
          {
            "timestamp": "2026-05-28 22:01:58,100",
            "thread_id": "5448",
            "caller": "0x7ff6c28c39ad",
            "parentcaller": "0x7ff6c28c31bb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000007a8"
              }
            ],
            "repeated": 0,
            "id": 8489
          },
          {
            "timestamp": "2026-05-28 22:01:58,100",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c3746",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000007a8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001000",
                "pretty_value": "PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "6600"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Users\\admin\\AppData\\Local\\Discord\\app-1.0.9238\\Discord.exe"
              }
            ],
            "repeated": 0,
            "id": 8490
          },
          {
            "timestamp": "2026-05-28 22:01:58,100",
            "thread_id": "5448",
            "caller": "0x7ff6c28c472e",
            "parentcaller": "0x7ff6c28c375e",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000007a8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x0000073c"
              }
            ],
            "repeated": 0,
            "id": 8491
          },
          {
            "timestamp": "2026-05-28 22:01:58,100",
            "thread_id": "5448",
            "caller": "0x7ff6c28c4764",
            "parentcaller": "0x7ff6c28c375e",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "39"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 8492
          },
          {
            "timestamp": "2026-05-28 22:01:58,100",
            "thread_id": "5448",
            "caller": "0x7ff6c28c47ed",
            "parentcaller": "0x7ff6c28c375e",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "39"
              },
              {
                "name": "TokenInformation",
                "value": "\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\xc0t T\\x92\\x02\\x00\\x00 \\x00 \\x00\\x00\\x00\\x00\\x00\\xe8t T\\x92\\x02\\x00\\x00\\x02\\x00\\x00\\x00A\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x08u T\\x92\\x02\\x00\\x00T\\x00S\\x00A\\x00:\\x00/\\x00/\\x00P\\x00r\\x00o\\x00c\\x00U\\x00n\\x00i\\x00q\\x00u\\x00e\\x00H\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x1a\\x07\\x08\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 8493
          },
          {
            "timestamp": "2026-05-28 22:01:58,100",
            "thread_id": "5448",
            "caller": "0x7ff6c28c488d",
            "parentcaller": "0x7ff6c28c375e",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000073c"
              }
            ],
            "repeated": 0,
            "id": 8494
          },
          {
            "timestamp": "2026-05-28 22:01:58,100",
            "thread_id": "5448",
            "caller": "0x7ff6c28c3779",
            "parentcaller": "0x7ff6c28c31c6",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000007a8"
              }
            ],
            "repeated": 0,
            "id": 8495
          },
          {
            "timestamp": "2026-05-28 22:01:58,100",
            "thread_id": "5448",
            "caller": "0x7ff6c28c05ac",
            "parentcaller": "0x7ff6c28bdc11",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000007a8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001400",
                "pretty_value": "PROCESS_QUERY_INFORMATION|PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "3392"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Program Files (x86)\\Steam\\bin\\cef\\cef.win64\\steamwebhelper.exe"
              }
            ],
            "repeated": 0,
            "id": 8496
          },
          {
            "timestamp": "2026-05-28 22:01:58,100",
            "thread_id": "5448",
            "caller": "0x7ff6c28c068f",
            "parentcaller": "0x7ff6c28bdc11",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000007a8"
              }
            ],
            "repeated": 0,
            "id": 8497
          },
          {
            "timestamp": "2026-05-28 22:01:58,100",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c3e56",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000007a8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001000",
                "pretty_value": "PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "3392"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Program Files (x86)\\Steam\\bin\\cef\\cef.win64\\steamwebhelper.exe"
              }
            ],
            "repeated": 0,
            "id": 8498
          },
          {
            "timestamp": "2026-05-28 22:01:58,100",
            "thread_id": "5448",
            "caller": "0x7ff6c28c3ebb",
            "parentcaller": "0x7ff6c28c2d53",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000007a8"
              }
            ],
            "repeated": 0,
            "id": 8499
          },
          {
            "timestamp": "2026-05-28 22:01:58,100",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c3ffc",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000007a8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001000",
                "pretty_value": "PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "3392"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Program Files (x86)\\Steam\\bin\\cef\\cef.win64\\steamwebhelper.exe"
              }
            ],
            "repeated": 0,
            "id": 8500
          },
          {
            "timestamp": "2026-05-28 22:01:58,100",
            "thread_id": "5448",
            "caller": "0x7ff6c28c4224",
            "parentcaller": "0x7ff6c28c2da5",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000007a8"
              }
            ],
            "repeated": 0,
            "id": 8501
          },
          {
            "timestamp": "2026-05-28 22:01:58,100",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x292546c0002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Program Files (x86)\\Steam\\bin\\cef\\cef.win64\\steamwebhelper.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 8502
          },
          {
            "timestamp": "2026-05-28 22:01:58,100",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x292546c0000"
              },
              {
                "name": "RegionSize",
                "value": "0x008f9000"
              }
            ],
            "repeated": 0,
            "id": 8503
          },
          {
            "timestamp": "2026-05-28 22:01:58,100",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x292546c0002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Program Files (x86)\\Steam\\bin\\cef\\cef.win64\\steamwebhelper.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 8504
          },
          {
            "timestamp": "2026-05-28 22:01:58,100",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x292546c0000"
              },
              {
                "name": "RegionSize",
                "value": "0x008f9000"
              }
            ],
            "repeated": 0,
            "id": 8505
          },
          {
            "timestamp": "2026-05-28 22:01:58,100",
            "thread_id": "5448",
            "caller": "0x7ff6c28c3b16",
            "parentcaller": "0x7ff6c28c30e8",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000007a8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000400",
                "pretty_value": "PROCESS_QUERY_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "3392"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Program Files (x86)\\Steam\\bin\\cef\\cef.win64\\steamwebhelper.exe"
              }
            ],
            "repeated": 0,
            "id": 8506
          },
          {
            "timestamp": "2026-05-28 22:01:58,100",
            "thread_id": "5448",
            "caller": "0x7ff6c28c3b8f",
            "parentcaller": "0x7ff6c28c30e8",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000007a8"
              }
            ],
            "repeated": 0,
            "id": 8507
          },
          {
            "timestamp": "2026-05-28 22:01:58,115",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c38f8",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000007a8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001410",
                "pretty_value": "PROCESS_VM_READ|PROCESS_QUERY_INFORMATION|PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "3392"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Program Files (x86)\\Steam\\bin\\cef\\cef.win64\\steamwebhelper.exe"
              }
            ],
            "repeated": 0,
            "id": 8508
          },
          {
            "timestamp": "2026-05-28 22:01:58,115",
            "thread_id": "5448",
            "caller": "0x7ff6c28c53e5",
            "parentcaller": "0x7ff6c28c3945",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000007a8"
              },
              {
                "name": "BaseAddress",
                "value": "0x114344e000"
              },
              {
                "name": "Size",
                "value": "0x000007c8"
              },
              {
                "name": "Buffer",
                "value": "\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\x05\\xd0\\xf7\\x7f\\x00\\x00\\xc0\\xc4\\x13x\\xfc\\x7f\\x00\\x00@\\x1d'\\x9a\\xfe\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00'\\x9a\\xfe\\x01\\x00\\x00\\xe0\\xc0\\x13x\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00p\\x003v\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x17\\x9a\\xfe\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00@\\xc4\\x13x\\xfc\\x7f\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\xbf\\xb1\\xf4\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00P\\x07\\xbf\\xb1\\xf4\\x7f\\x00\\x00\\x00\\x00\\xd3\\xb3\\xf5\\x7f\\x00\\x00(\\x02\\xd4\\xb3\\xf5\\x7f\\x00\\x00P\\x06\\xd5\\xb3\\xf5\\x7f\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x80\\x9b\\x07m\\xe8\\xff\\xff\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x00 \\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\x05\\x00\\x00\\x00\\x10\\x00\\x00\\x00@\\xad\\x13x\\xfc\\x7f\\x00\\x00\\x00\\x00u\\x9a\\xfe\\x01\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 8509
          },
          {
            "timestamp": "2026-05-28 22:01:58,115",
            "thread_id": "5448",
            "caller": "0x7ff6c28c5414",
            "parentcaller": "0x7ff6c28c3945",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000007a8"
              },
              {
                "name": "BaseAddress",
                "value": "0x1fe9a271d40"
              },
              {
                "name": "Size",
                "value": "0x00000440"
              },
              {
                "name": "Buffer",
                "value": "\\xfe\r\\x00\\x00\\xfe\r\\x00\\x00\\x01`\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00:\\x00\\x08\\x02\\x00\\x00\\x00\\x00\\xb0X3\\x9a\\xfe\\x01\\x00\\x00\\xc8\\x06\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x82\\x00\\x84\\x00\\x00\\x00\\x00\\x00\\x88#'\\x9a\\xfe\\x01\\x00\\x00\\x8a\\x06\\x8c\\x06\\x00\\x00\\x00\\x00\\x0c$'\\x9a\\xfe\\x01\\x00\\x00\\xc0\t^\\x9e\\xfe\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00P\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00$\\x00&\\x00\\x00\\x00\\x00\\x000\\x9c+\\x9a\\xfe\\x01\\x00\\x00\\x1e\\x00 \\x00\\x00\\x00\\x00\\x00\\x1c+'\\x9a\\xfe\\x01\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00<+'\\x9a\\xfe\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 8510
          },
          {
            "timestamp": "2026-05-28 22:01:58,115",
            "thread_id": "5448",
            "caller": "0x7ff6c28c545d",
            "parentcaller": "0x7ff6c28c3945",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000007a8"
              },
              {
                "name": "BaseAddress",
                "value": "0x1fe9a27240c"
              },
              {
                "name": "Size",
                "value": "0x0000068a"
              },
              {
                "name": "Buffer",
                "value": "\"\\x00C\\x00:\\x00\\\\x00P\\x00r\\x00o\\x00g\\x00r\\x00a\\x00m\\x00 \\x00F\\x00i\\x00l\\x00e\\x00s\\x00 \\x00(\\x00x\\x008\\x006\\x00)\\x00\\\\x00S\\x00t\\x00e\\x00a\\x00m\\x00\\\\x00b\\x00i\\x00n\\x00\\\\x00c\\x00e\\x00f\\x00\\\\x00c\\x00e\\x00f\\x00.\\x00w\\x00i\\x00n\\x006\\x004\\x00\\\\x00s\\x00t\\x00e\\x00a\\x00m\\x00w\\x00e\\x00b\\x00h\\x00e\\x00l\\x00p\\x00e\\x00r\\x00.\\x00e\\x00x\\x00e\\x00\"\\x00 \\x00-\\x00n\\x00o\\x00c\\x00r\\x00a\\x00s\\x00h\\x00d\\x00i\\x00a\\x00l\\x00o\\x00g\\x00 \\x00\"\\x00-\\x00l\\x00a\\x00n\\x00g\\x00=\\x00e\\x00n\\x00_\\x00U\\x00S\\x00\"\\x00 \\x00\"\\x00-\\x00c\\x00a\\x00c\\x00h\\x00e\\x00d\\x00i\\x00r\\x00=\\x00C\\x00:\\x00\\\\x00U\\x00s\\x00e\\x00r\\x00s\\x00\\\\x00a\\x00d\\x00m\\x00i\\x00n\\x00\\\\x00A\\x00p\\x00p\\x00D\\x00a\\x00"
              }
            ],
            "repeated": 0,
            "id": 8511
          },
          {
            "timestamp": "2026-05-28 22:01:58,115",
            "thread_id": "5448",
            "caller": "0x7ff6c28c39ad",
            "parentcaller": "0x7ff6c28c31bb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000007a8"
              }
            ],
            "repeated": 0,
            "id": 8512
          },
          {
            "timestamp": "2026-05-28 22:01:58,115",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c3746",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000007a8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001000",
                "pretty_value": "PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "3392"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Program Files (x86)\\Steam\\bin\\cef\\cef.win64\\steamwebhelper.exe"
              }
            ],
            "repeated": 0,
            "id": 8513
          },
          {
            "timestamp": "2026-05-28 22:01:58,115",
            "thread_id": "5448",
            "caller": "0x7ff6c28c472e",
            "parentcaller": "0x7ff6c28c375e",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000007a8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x0000073c"
              }
            ],
            "repeated": 0,
            "id": 8514
          },
          {
            "timestamp": "2026-05-28 22:01:58,115",
            "thread_id": "5448",
            "caller": "0x7ff6c28c4764",
            "parentcaller": "0x7ff6c28c375e",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "39"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 8515
          },
          {
            "timestamp": "2026-05-28 22:01:58,115",
            "thread_id": "5448",
            "caller": "0x7ff6c28c47ed",
            "parentcaller": "0x7ff6c28c375e",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "39"
              },
              {
                "name": "TokenInformation",
                "value": "\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00Pg$T\\x92\\x02\\x00\\x00 \\x00 \\x00\\x00\\x00\\x00\\x00xg$T\\x92\\x02\\x00\\x00\\x02\\x00\\x00\\x00A\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x98g$T\\x92\\x02\\x00\\x00T\\x00S\\x00A\\x00:\\x00/\\x00/\\x00P\\x00r\\x00o\\x00c\\x00U\\x00n\\x00i\\x00q\\x00u\\x00e\\x008\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xa3C\\x08\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 8516
          },
          {
            "timestamp": "2026-05-28 22:01:58,115",
            "thread_id": "5448",
            "caller": "0x7ff6c28c488d",
            "parentcaller": "0x7ff6c28c375e",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000073c"
              }
            ],
            "repeated": 0,
            "id": 8517
          },
          {
            "timestamp": "2026-05-28 22:01:58,115",
            "thread_id": "5448",
            "caller": "0x7ff6c28c3779",
            "parentcaller": "0x7ff6c28c31c6",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000007a8"
              }
            ],
            "repeated": 0,
            "id": 8518
          },
          {
            "timestamp": "2026-05-28 22:01:58,115",
            "thread_id": "5448",
            "caller": "0x7ff6c28c05ac",
            "parentcaller": "0x7ff6c28bdc11",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000007a8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001400",
                "pretty_value": "PROCESS_QUERY_INFORMATION|PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "6908"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Program Files (x86)\\Common Files\\Steam\\steamservice.exe"
              }
            ],
            "repeated": 0,
            "id": 8519
          },
          {
            "timestamp": "2026-05-28 22:01:58,115",
            "thread_id": "5448",
            "caller": "0x7ff6c28c068f",
            "parentcaller": "0x7ff6c28bdc11",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000007a8"
              }
            ],
            "repeated": 0,
            "id": 8520
          },
          {
            "timestamp": "2026-05-28 22:01:58,115",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c3e56",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000007a8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001000",
                "pretty_value": "PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "6908"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Program Files (x86)\\Common Files\\Steam\\steamservice.exe"
              }
            ],
            "repeated": 0,
            "id": 8521
          },
          {
            "timestamp": "2026-05-28 22:01:58,115",
            "thread_id": "5448",
            "caller": "0x7ff6c28c3ebb",
            "parentcaller": "0x7ff6c28c2d53",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000007a8"
              }
            ],
            "repeated": 0,
            "id": 8522
          },
          {
            "timestamp": "2026-05-28 22:01:58,115",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c3ffc",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000007a8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001000",
                "pretty_value": "PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "6908"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Program Files (x86)\\Common Files\\Steam\\steamservice.exe"
              }
            ],
            "repeated": 0,
            "id": 8523
          },
          {
            "timestamp": "2026-05-28 22:01:58,115",
            "thread_id": "5448",
            "caller": "0x7ff6c28c4224",
            "parentcaller": "0x7ff6c28c2da5",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000007a8"
              }
            ],
            "repeated": 0,
            "id": 8524
          },
          {
            "timestamp": "2026-05-28 22:01:58,115",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x0e020002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Program Files (x86)\\Common Files\\Steam\\steamservice.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 8525
          },
          {
            "timestamp": "2026-05-28 22:01:58,115",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x0e020000"
              },
              {
                "name": "RegionSize",
                "value": "0x00357000"
              }
            ],
            "repeated": 0,
            "id": 8526
          },
          {
            "timestamp": "2026-05-28 22:01:58,115",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x0e020002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Program Files (x86)\\Common Files\\Steam\\steamservice.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 8527
          },
          {
            "timestamp": "2026-05-28 22:01:58,115",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x0e020000"
              },
              {
                "name": "RegionSize",
                "value": "0x00357000"
              }
            ],
            "repeated": 0,
            "id": 8528
          },
          {
            "timestamp": "2026-05-28 22:01:58,115",
            "thread_id": "5448",
            "caller": "0x7ff6c28c3b16",
            "parentcaller": "0x7ff6c28c30e8",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000007a8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000400",
                "pretty_value": "PROCESS_QUERY_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "6908"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Program Files (x86)\\Common Files\\Steam\\steamservice.exe"
              }
            ],
            "repeated": 0,
            "id": 8529
          },
          {
            "timestamp": "2026-05-28 22:01:58,115",
            "thread_id": "5448",
            "caller": "0x7ff6c28c3b8f",
            "parentcaller": "0x7ff6c28c30e8",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000007a8"
              }
            ],
            "repeated": 0,
            "id": 8530
          },
          {
            "timestamp": "2026-05-28 22:01:58,115",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c38f8",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000007a8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001410",
                "pretty_value": "PROCESS_VM_READ|PROCESS_QUERY_INFORMATION|PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "6908"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Program Files (x86)\\Common Files\\Steam\\steamservice.exe"
              }
            ],
            "repeated": 0,
            "id": 8531
          },
          {
            "timestamp": "2026-05-28 22:01:58,115",
            "thread_id": "5448",
            "caller": "0x7ff6c28c53e5",
            "parentcaller": "0x7ff6c28c3945",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000007a8"
              },
              {
                "name": "BaseAddress",
                "value": "0x00858000"
              },
              {
                "name": "Size",
                "value": "0x000007c8"
              },
              {
                "name": "Buffer",
                "value": "\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x009\\x00\\x00\\x00\\x00\\x00\\xc0\\xc4\\x13x\\xfc\\x7f\\x00\\x00P\\x1a\\xca\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xca\\x00\\x00\\x00\\x00\\x00\\xe0\\xc0\\x13x\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00P\\xe1Vw\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00r\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00@\\xc4\\x13x\\xfc\\x7f\\x00\\x00\\xff\\xff\\x07\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xa6\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00P\\x07\\xa6\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\xbc\\x7f\\x00\\x00\\x00\\x00(\\x02\\xbd\\x7f\\x00\\x00\\x00\\x00P\\x06\\xbe\\x7f\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x80\\x9b\\x07m\\xe8\\xff\\xff\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x00 \\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x10\\x00\\x00\\x00@\\xad\\x13x\\xfc\\x7f\\x00\\x00\\x00\\x00\\x11\\x01\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 8532
          },
          {
            "timestamp": "2026-05-28 22:01:58,115",
            "thread_id": "5448",
            "caller": "0x7ff6c28c5414",
            "parentcaller": "0x7ff6c28c3945",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000007a8"
              },
              {
                "name": "BaseAddress",
                "value": "0x00ca1a50"
              },
              {
                "name": "Size",
                "value": "0x00000440"
              },
              {
                "name": "Buffer",
                "value": "\\xce\\x07\\x00\\x00\\xce\\x07\\x00\\x00\\x01`\\x00\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x16\\x00\\x08\\x02\\x00\\x00\\x00\\x00\\x80&\\xca\\x00\\x00\\x00\\x00\\x00@\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00t\\x00v\\x00\\x00\\x00\\x00\\x00\\x98 \\xca\\x00\\x00\\x00\\x00\\x00\\x94\\x00\\x96\\x00\\x00\\x00\\x00\\x00\\x0e!\\xca\\x00\\x00\\x00\\x00\\x00\\xe0\\x0f\\xca\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x80\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00t\\x00v\\x00\\x00\\x00\\x00\\x00\\xa4!\\xca\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x1a\"\\xca\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x1c\"\\xca\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 8533
          },
          {
            "timestamp": "2026-05-28 22:01:58,115",
            "thread_id": "5448",
            "caller": "0x7ff6c28c545d",
            "parentcaller": "0x7ff6c28c3945",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000007a8"
              },
              {
                "name": "BaseAddress",
                "value": "0x00ca210e"
              },
              {
                "name": "Size",
                "value": "0x00000094"
              },
              {
                "name": "Buffer",
                "value": "\"\\x00C\\x00:\\x00\\\\x00P\\x00r\\x00o\\x00g\\x00r\\x00a\\x00m\\x00 \\x00F\\x00i\\x00l\\x00e\\x00s\\x00 \\x00(\\x00x\\x008\\x006\\x00)\\x00\\\\x00C\\x00o\\x00m\\x00m\\x00o\\x00n\\x00 \\x00F\\x00i\\x00l\\x00e\\x00s\\x00\\\\x00S\\x00t\\x00e\\x00a\\x00m\\x00\\\\x00s\\x00t\\x00e\\x00a\\x00m\\x00s\\x00e\\x00r\\x00v\\x00i\\x00c\\x00e\\x00.\\x00e\\x00x\\x00e\\x00\"\\x00 \\x00/\\x00R\\x00u\\x00n\\x00A\\x00s\\x00S\\x00e\\x00r\\x00v\\x00i\\x00c\\x00e\\x00"
              }
            ],
            "repeated": 0,
            "id": 8534
          },
          {
            "timestamp": "2026-05-28 22:01:58,115",
            "thread_id": "5448",
            "caller": "0x7ff6c28c39ad",
            "parentcaller": "0x7ff6c28c31bb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000007a8"
              }
            ],
            "repeated": 0,
            "id": 8535
          },
          {
            "timestamp": "2026-05-28 22:01:58,115",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c3746",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000007a8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001000",
                "pretty_value": "PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "6908"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Program Files (x86)\\Common Files\\Steam\\steamservice.exe"
              }
            ],
            "repeated": 0,
            "id": 8536
          },
          {
            "timestamp": "2026-05-28 22:01:58,115",
            "thread_id": "5448",
            "caller": "0x7ff6c28c472e",
            "parentcaller": "0x7ff6c28c375e",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000007a8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x0000073c"
              }
            ],
            "repeated": 0,
            "id": 8537
          },
          {
            "timestamp": "2026-05-28 22:01:58,115",
            "thread_id": "5448",
            "caller": "0x7ff6c28c4764",
            "parentcaller": "0x7ff6c28c375e",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "39"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 8538
          },
          {
            "timestamp": "2026-05-28 22:01:58,115",
            "thread_id": "5448",
            "caller": "0x7ff6c28c47ed",
            "parentcaller": "0x7ff6c28c375e",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "39"
              },
              {
                "name": "TokenInformation",
                "value": "\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00Pg$T\\x92\\x02\\x00\\x00 \\x00 \\x00\\x00\\x00\\x00\\x00xg$T\\x92\\x02\\x00\\x00\\x02\\x00\\x00\\x00A\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x98g$T\\x92\\x02\\x00\\x00T\\x00S\\x00A\\x00:\\x00/\\x00/\\x00P\\x00r\\x00o\\x00c\\x00U\\x00n\\x00i\\x00q\\x00u\\x00e\\x00G\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xdbO\\x08\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 8539
          },
          {
            "timestamp": "2026-05-28 22:01:58,115",
            "thread_id": "5448",
            "caller": "0x7ff6c28c488d",
            "parentcaller": "0x7ff6c28c375e",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000073c"
              }
            ],
            "repeated": 0,
            "id": 8540
          },
          {
            "timestamp": "2026-05-28 22:01:58,115",
            "thread_id": "5448",
            "caller": "0x7ff6c28c3779",
            "parentcaller": "0x7ff6c28c31c6",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000007a8"
              }
            ],
            "repeated": 0,
            "id": 8541
          },
          {
            "timestamp": "2026-05-28 22:01:58,115",
            "thread_id": "5448",
            "caller": "0x7ff6c28c05ac",
            "parentcaller": "0x7ff6c28bdc11",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000007a8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001400",
                "pretty_value": "PROCESS_QUERY_INFORMATION|PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "6448"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Program Files (x86)\\Steam\\bin\\cef\\cef.win64\\steamwebhelper.exe"
              }
            ],
            "repeated": 0,
            "id": 8542
          },
          {
            "timestamp": "2026-05-28 22:01:58,115",
            "thread_id": "5448",
            "caller": "0x7ff6c28c068f",
            "parentcaller": "0x7ff6c28bdc11",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000007a8"
              }
            ],
            "repeated": 0,
            "id": 8543
          },
          {
            "timestamp": "2026-05-28 22:01:58,115",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c3e56",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000007a8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001000",
                "pretty_value": "PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "6448"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Program Files (x86)\\Steam\\bin\\cef\\cef.win64\\steamwebhelper.exe"
              }
            ],
            "repeated": 0,
            "id": 8544
          },
          {
            "timestamp": "2026-05-28 22:01:58,115",
            "thread_id": "5448",
            "caller": "0x7ff6c28c3ebb",
            "parentcaller": "0x7ff6c28c2d53",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000007a8"
              }
            ],
            "repeated": 0,
            "id": 8545
          },
          {
            "timestamp": "2026-05-28 22:01:58,115",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c3ffc",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000007a8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001000",
                "pretty_value": "PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "6448"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Program Files (x86)\\Steam\\bin\\cef\\cef.win64\\steamwebhelper.exe"
              }
            ],
            "repeated": 0,
            "id": 8546
          },
          {
            "timestamp": "2026-05-28 22:01:58,115",
            "thread_id": "5448",
            "caller": "0x7ff6c28c4224",
            "parentcaller": "0x7ff6c28c2da5",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000007a8"
              }
            ],
            "repeated": 0,
            "id": 8547
          },
          {
            "timestamp": "2026-05-28 22:01:58,115",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x292546c0002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Program Files (x86)\\Steam\\bin\\cef\\cef.win64\\steamwebhelper.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 8548
          },
          {
            "timestamp": "2026-05-28 22:01:58,115",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x292546c0000"
              },
              {
                "name": "RegionSize",
                "value": "0x008f9000"
              }
            ],
            "repeated": 0,
            "id": 8549
          },
          {
            "timestamp": "2026-05-28 22:01:58,115",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x292546c0002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Program Files (x86)\\Steam\\bin\\cef\\cef.win64\\steamwebhelper.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 8550
          },
          {
            "timestamp": "2026-05-28 22:01:58,115",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x292546c0000"
              },
              {
                "name": "RegionSize",
                "value": "0x008f9000"
              }
            ],
            "repeated": 0,
            "id": 8551
          },
          {
            "timestamp": "2026-05-28 22:01:58,115",
            "thread_id": "5448",
            "caller": "0x7ff6c28c3b16",
            "parentcaller": "0x7ff6c28c30e8",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000007a8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000400",
                "pretty_value": "PROCESS_QUERY_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "6448"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Program Files (x86)\\Steam\\bin\\cef\\cef.win64\\steamwebhelper.exe"
              }
            ],
            "repeated": 0,
            "id": 8552
          },
          {
            "timestamp": "2026-05-28 22:01:58,115",
            "thread_id": "5448",
            "caller": "0x7ff6c28c3b8f",
            "parentcaller": "0x7ff6c28c30e8",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000007a8"
              }
            ],
            "repeated": 0,
            "id": 8553
          },
          {
            "timestamp": "2026-05-28 22:01:58,115",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c38f8",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000007a8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001410",
                "pretty_value": "PROCESS_VM_READ|PROCESS_QUERY_INFORMATION|PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "6448"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Program Files (x86)\\Steam\\bin\\cef\\cef.win64\\steamwebhelper.exe"
              }
            ],
            "repeated": 0,
            "id": 8554
          },
          {
            "timestamp": "2026-05-28 22:01:58,115",
            "thread_id": "5448",
            "caller": "0x7ff6c28c53e5",
            "parentcaller": "0x7ff6c28c3945",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000007a8"
              },
              {
                "name": "BaseAddress",
                "value": "0x508750c000"
              },
              {
                "name": "Size",
                "value": "0x000007c8"
              },
              {
                "name": "Buffer",
                "value": "\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\x05\\xd0\\xf7\\x7f\\x00\\x00\\xc0\\xc4\\x13x\\xfc\\x7f\\x00\\x00\\xc0\\x1d\\xe0\\xf5\\xca\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xe0\\xf5\\xca\\x01\\x00\\x00\\xe0\\xc0\\x13x\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x05\\x00\\x00\\x00\\x00\\x00\\x00\\x00p\\x003v\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xbd\\xf5\\xca\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00@\\xc4\\x13x\\xfc\\x7f\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\x1f\\x00\\x00\\x00\\x001\\x80\\xf4\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00P\\x071\\x80\\xf4\\x7f\\x00\\x00\\x00\\x00E\\x82\\xf5\\x7f\\x00\\x00(\\x02F\\x82\\xf5\\x7f\\x00\\x00P\\x06G\\x82\\xf5\\x7f\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x80\\x9b\\x07m\\xe8\\xff\\xff\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x00 \\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x10\\x00\\x00\\x00@\\xad\\x13x\\xfc\\x7f\\x00\\x00\\x00\\x00\\xf0\\xf5\\xca\\x01\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 8555
          },
          {
            "timestamp": "2026-05-28 22:01:58,115",
            "thread_id": "5448",
            "caller": "0x7ff6c28c5414",
            "parentcaller": "0x7ff6c28c3945",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000007a8"
              },
              {
                "name": "BaseAddress",
                "value": "0x1caf5e01dc0"
              },
              {
                "name": "Size",
                "value": "0x00000440"
              },
              {
                "name": "Buffer",
                "value": "F\r\\x00\\x00F\r\\x00\\x00\\x01`\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00:\\x00\\x08\\x02\\x00\\x00\\x00\\x00`/\\xe0\\xf5\\xca\\x01\\x00\\x00D\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x82\\x00\\x84\\x00\\x00\\x00\\x00\\x00\\x08$\\xe0\\xf5\\xca\\x01\\x00\\x00\\xd2\\x05\\xd4\\x05\\x00\\x00\\x00\\x00\\x8c$\\xe0\\xf5\\xca\\x01\\x00\\x00\\xe0\\x0f\\xe0\\xf5\\xca\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x82\\x00\\x84\\x00\\x00\\x00\\x00\\x00`*\\xe0\\xf5\\xca\\x01\\x00\\x00\\x1e\\x00 \\x00\\x00\\x00\\x00\\x00\\xe4*\\xe0\\xf5\\xca\\x01\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x04+\\xe0\\xf5\\xca\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 8556
          },
          {
            "timestamp": "2026-05-28 22:01:58,115",
            "thread_id": "5448",
            "caller": "0x7ff6c28c545d",
            "parentcaller": "0x7ff6c28c3945",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000007a8"
              },
              {
                "name": "BaseAddress",
                "value": "0x1caf5e0248c"
              },
              {
                "name": "Size",
                "value": "0x000005d2"
              },
              {
                "name": "Buffer",
                "value": "\"\\x00C\\x00:\\x00\\\\x00P\\x00r\\x00o\\x00g\\x00r\\x00a\\x00m\\x00 \\x00F\\x00i\\x00l\\x00e\\x00s\\x00 \\x00(\\x00x\\x008\\x006\\x00)\\x00\\\\x00S\\x00t\\x00e\\x00a\\x00m\\x00\\\\x00b\\x00i\\x00n\\x00\\\\x00c\\x00e\\x00f\\x00\\\\x00c\\x00e\\x00f\\x00.\\x00w\\x00i\\x00n\\x006\\x004\\x00\\\\x00s\\x00t\\x00e\\x00a\\x00m\\x00w\\x00e\\x00b\\x00h\\x00e\\x00l\\x00p\\x00e\\x00r\\x00.\\x00e\\x00x\\x00e\\x00\"\\x00 \\x00-\\x00-\\x00t\\x00y\\x00p\\x00e\\x00=\\x00u\\x00t\\x00i\\x00l\\x00i\\x00t\\x00y\\x00 \\x00-\\x00-\\x00u\\x00t\\x00i\\x00l\\x00i\\x00t\\x00y\\x00-\\x00s\\x00u\\x00b\\x00-\\x00t\\x00y\\x00p\\x00e\\x00=\\x00n\\x00e\\x00t\\x00w\\x00o\\x00r\\x00k\\x00.\\x00m\\x00o\\x00j\\x00o\\x00m\\x00.\\x00N\\x00e\\x00t\\x00w\\x00o\\x00r\\x00k\\x00S\\x00e\\x00r\\x00v\\x00i\\x00"
              }
            ],
            "repeated": 0,
            "id": 8557
          },
          {
            "timestamp": "2026-05-28 22:01:58,115",
            "thread_id": "5448",
            "caller": "0x7ff6c28c39ad",
            "parentcaller": "0x7ff6c28c31bb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000007a8"
              }
            ],
            "repeated": 0,
            "id": 8558
          },
          {
            "timestamp": "2026-05-28 22:01:58,115",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c3746",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000007a8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001000",
                "pretty_value": "PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "6448"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Program Files (x86)\\Steam\\bin\\cef\\cef.win64\\steamwebhelper.exe"
              }
            ],
            "repeated": 0,
            "id": 8559
          },
          {
            "timestamp": "2026-05-28 22:01:58,115",
            "thread_id": "5448",
            "caller": "0x7ff6c28c472e",
            "parentcaller": "0x7ff6c28c375e",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000007a8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x0000073c"
              }
            ],
            "repeated": 0,
            "id": 8560
          },
          {
            "timestamp": "2026-05-28 22:01:58,115",
            "thread_id": "5448",
            "caller": "0x7ff6c28c4764",
            "parentcaller": "0x7ff6c28c375e",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "39"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 8561
          },
          {
            "timestamp": "2026-05-28 22:01:58,115",
            "thread_id": "5448",
            "caller": "0x7ff6c28c47ed",
            "parentcaller": "0x7ff6c28c375e",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "39"
              },
              {
                "name": "TokenInformation",
                "value": "\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00@m$T\\x92\\x02\\x00\\x00 \\x00 \\x00\\x00\\x00\\x00\\x00hm$T\\x92\\x02\\x00\\x00\\x02\\x00\\x00\\x00A\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x88m$T\\x92\\x02\\x00\\x00T\\x00S\\x00A\\x00:\\x00/\\x00/\\x00P\\x00r\\x00o\\x00c\\x00U\\x00n\\x00i\\x00q\\x00u\\x00e\\x00Q\\x00\\x00\\x00\\x00\\x00\\x00\\x00-^\\x08\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 8562
          },
          {
            "timestamp": "2026-05-28 22:01:58,115",
            "thread_id": "5448",
            "caller": "0x7ff6c28c488d",
            "parentcaller": "0x7ff6c28c375e",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000073c"
              }
            ],
            "repeated": 0,
            "id": 8563
          },
          {
            "timestamp": "2026-05-28 22:01:58,115",
            "thread_id": "5448",
            "caller": "0x7ff6c28c3779",
            "parentcaller": "0x7ff6c28c31c6",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000007a8"
              }
            ],
            "repeated": 0,
            "id": 8564
          },
          {
            "timestamp": "2026-05-28 22:01:58,115",
            "thread_id": "5448",
            "caller": "0x7ff6c28c05ac",
            "parentcaller": "0x7ff6c28bdc11",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000007a8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001400",
                "pretty_value": "PROCESS_QUERY_INFORMATION|PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "7632"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Program Files (x86)\\Steam\\bin\\cef\\cef.win64\\steamwebhelper.exe"
              }
            ],
            "repeated": 0,
            "id": 8565
          },
          {
            "timestamp": "2026-05-28 22:01:58,115",
            "thread_id": "5448",
            "caller": "0x7ff6c28c068f",
            "parentcaller": "0x7ff6c28bdc11",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000007a8"
              }
            ],
            "repeated": 0,
            "id": 8566
          },
          {
            "timestamp": "2026-05-28 22:01:58,115",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c3e56",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000007a8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001000",
                "pretty_value": "PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "7632"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Program Files (x86)\\Steam\\bin\\cef\\cef.win64\\steamwebhelper.exe"
              }
            ],
            "repeated": 0,
            "id": 8567
          },
          {
            "timestamp": "2026-05-28 22:01:58,115",
            "thread_id": "5448",
            "caller": "0x7ff6c28c3ebb",
            "parentcaller": "0x7ff6c28c2d53",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000007a8"
              }
            ],
            "repeated": 0,
            "id": 8568
          },
          {
            "timestamp": "2026-05-28 22:01:58,115",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c3ffc",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000007a8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001000",
                "pretty_value": "PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "7632"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Program Files (x86)\\Steam\\bin\\cef\\cef.win64\\steamwebhelper.exe"
              }
            ],
            "repeated": 0,
            "id": 8569
          },
          {
            "timestamp": "2026-05-28 22:01:58,115",
            "thread_id": "5448",
            "caller": "0x7ff6c28c4224",
            "parentcaller": "0x7ff6c28c2da5",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000007a8"
              }
            ],
            "repeated": 0,
            "id": 8570
          },
          {
            "timestamp": "2026-05-28 22:01:58,115",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x292546c0002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Program Files (x86)\\Steam\\bin\\cef\\cef.win64\\steamwebhelper.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 8571
          },
          {
            "timestamp": "2026-05-28 22:01:58,115",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x292546c0000"
              },
              {
                "name": "RegionSize",
                "value": "0x008f9000"
              }
            ],
            "repeated": 0,
            "id": 8572
          },
          {
            "timestamp": "2026-05-28 22:01:58,115",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x292546c0002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Program Files (x86)\\Steam\\bin\\cef\\cef.win64\\steamwebhelper.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 8573
          },
          {
            "timestamp": "2026-05-28 22:01:58,115",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x292546c0000"
              },
              {
                "name": "RegionSize",
                "value": "0x008f9000"
              }
            ],
            "repeated": 0,
            "id": 8574
          },
          {
            "timestamp": "2026-05-28 22:01:58,115",
            "thread_id": "5448",
            "caller": "0x7ff6c28c3b16",
            "parentcaller": "0x7ff6c28c30e8",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000007a8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000400",
                "pretty_value": "PROCESS_QUERY_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "7632"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Program Files (x86)\\Steam\\bin\\cef\\cef.win64\\steamwebhelper.exe"
              }
            ],
            "repeated": 0,
            "id": 8575
          },
          {
            "timestamp": "2026-05-28 22:01:58,115",
            "thread_id": "5448",
            "caller": "0x7ff6c28c3b8f",
            "parentcaller": "0x7ff6c28c30e8",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000007a8"
              }
            ],
            "repeated": 0,
            "id": 8576
          },
          {
            "timestamp": "2026-05-28 22:01:58,115",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c38f8",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000007a8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001410",
                "pretty_value": "PROCESS_VM_READ|PROCESS_QUERY_INFORMATION|PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "7632"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Program Files (x86)\\Steam\\bin\\cef\\cef.win64\\steamwebhelper.exe"
              }
            ],
            "repeated": 0,
            "id": 8577
          },
          {
            "timestamp": "2026-05-28 22:01:58,115",
            "thread_id": "5448",
            "caller": "0x7ff6c28c53e5",
            "parentcaller": "0x7ff6c28c3945",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000007a8"
              },
              {
                "name": "BaseAddress",
                "value": "0xbf82824000"
              },
              {
                "name": "Size",
                "value": "0x000007c8"
              },
              {
                "name": "Buffer",
                "value": "\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\x05\\xd0\\xf7\\x7f\\x00\\x00\\xc0\\xc4\\x13x\\xfc\\x7f\\x00\\x00 \\x13sh3\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00sh3\\x02\\x00\\x00\\xe0\\xc0\\x13x\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x05\\x00\\x00\\x00\\x00\\x00\\x00\\x00p\\x003v\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00ch3\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00@\\xc4\\x13x\\xfc\\x7f\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\x1f\\x00\\x00\\x00\\xcb\\xaa\\xf4\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00P\\x07\\xcb\\xaa\\xf4\\x7f\\x00\\x00\\x00\\x00\\xdf\\xac\\xf5\\x7f\\x00\\x00(\\x02\\xe0\\xac\\xf5\\x7f\\x00\\x00P\\x06\\xe1\\xac\\xf5\\x7f\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x80\\x9b\\x07m\\xe8\\xff\\xff\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x00 \\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x10\\x00\\x00\\x00@\\xad\\x13x\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 8578
          },
          {
            "timestamp": "2026-05-28 22:01:58,115",
            "thread_id": "5448",
            "caller": "0x7ff6c28c5414",
            "parentcaller": "0x7ff6c28c3945",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000007a8"
              },
              {
                "name": "BaseAddress",
                "value": "0x23368731320"
              },
              {
                "name": "Size",
                "value": "0x00000440"
              },
              {
                "name": "Buffer",
                "value": "(\\x0e\\x00\\x00(\\x0e\\x00\\x00\\x01`\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff:\\x00\\x08\\x02\\x00\\x00\\x00\\x00\\xa0%sh3\\x02\\x00\\x00\\x84\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x82\\x00\\x84\\x00\\x00\\x00\\x00\\x00h\\x19sh3\\x02\\x00\\x00t\\x06v\\x06\\x00\\x00\\x00\\x00\\xec\\x19sh3\\x02\\x00\\x00\\x90{zh3\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x80\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x82\\x00\\x84\\x00\\x00\\x00\\x00\\x00b sh3\\x02\\x00\\x00^\\x00`\\x00\\x00\\x00\\x00\\x00\\xe6 sh3\\x02\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00F!sh3\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 8579
          },
          {
            "timestamp": "2026-05-28 22:01:58,115",
            "thread_id": "5448",
            "caller": "0x7ff6c28c545d",
            "parentcaller": "0x7ff6c28c3945",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000007a8"
              },
              {
                "name": "BaseAddress",
                "value": "0x233687319ec"
              },
              {
                "name": "Size",
                "value": "0x00000674"
              },
              {
                "name": "Buffer",
                "value": "\"\\x00C\\x00:\\x00\\\\x00P\\x00r\\x00o\\x00g\\x00r\\x00a\\x00m\\x00 \\x00F\\x00i\\x00l\\x00e\\x00s\\x00 \\x00(\\x00x\\x008\\x006\\x00)\\x00\\\\x00S\\x00t\\x00e\\x00a\\x00m\\x00\\\\x00b\\x00i\\x00n\\x00\\\\x00c\\x00e\\x00f\\x00\\\\x00c\\x00e\\x00f\\x00.\\x00w\\x00i\\x00n\\x006\\x004\\x00\\\\x00s\\x00t\\x00e\\x00a\\x00m\\x00w\\x00e\\x00b\\x00h\\x00e\\x00l\\x00p\\x00e\\x00r\\x00.\\x00e\\x00x\\x00e\\x00\"\\x00 \\x00-\\x00-\\x00t\\x00y\\x00p\\x00e\\x00=\\x00r\\x00e\\x00n\\x00d\\x00e\\x00r\\x00e\\x00r\\x00 \\x00-\\x00-\\x00e\\x00n\\x00a\\x00b\\x00l\\x00e\\x00-\\x00c\\x00h\\x00r\\x00o\\x00m\\x00e\\x00-\\x00r\\x00u\\x00n\\x00t\\x00i\\x00m\\x00e\\x00 \\x00-\\x00-\\x00u\\x00s\\x00e\\x00r\\x00-\\x00d\\x00a\\x00t\\x00a\\x00-\\x00d\\x00i\\x00r\\x00=\\x00\"\\x00C\\x00:\\x00\\\\x00"
              }
            ],
            "repeated": 0,
            "id": 8580
          },
          {
            "timestamp": "2026-05-28 22:01:58,115",
            "thread_id": "5448",
            "caller": "0x7ff6c28c39ad",
            "parentcaller": "0x7ff6c28c31bb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000007a8"
              }
            ],
            "repeated": 0,
            "id": 8581
          },
          {
            "timestamp": "2026-05-28 22:01:58,115",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c3746",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000007a8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001000",
                "pretty_value": "PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "7632"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Program Files (x86)\\Steam\\bin\\cef\\cef.win64\\steamwebhelper.exe"
              }
            ],
            "repeated": 0,
            "id": 8582
          },
          {
            "timestamp": "2026-05-28 22:01:58,115",
            "thread_id": "5448",
            "caller": "0x7ff6c28c472e",
            "parentcaller": "0x7ff6c28c375e",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000007a8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x0000073c"
              }
            ],
            "repeated": 0,
            "id": 8583
          },
          {
            "timestamp": "2026-05-28 22:01:58,115",
            "thread_id": "5448",
            "caller": "0x7ff6c28c4764",
            "parentcaller": "0x7ff6c28c375e",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "39"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 8584
          },
          {
            "timestamp": "2026-05-28 22:01:58,115",
            "thread_id": "5448",
            "caller": "0x7ff6c28c47ed",
            "parentcaller": "0x7ff6c28c375e",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "39"
              },
              {
                "name": "TokenInformation",
                "value": "\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\xe0\\x93$T\\x92\\x02\\x00\\x00 \\x00 \\x00\\x00\\x00\\x00\\x00\\x08\\x94$T\\x92\\x02\\x00\\x00\\x02\\x00\\x00\\x00A\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00(\\x94$T\\x92\\x02\\x00\\x00T\\x00S\\x00A\\x00:\\x00/\\x00/\\x00P\\x00r\\x00o\\x00c\\x00U\\x00n\\x00i\\x00q\\x00u\\x00e\\x00f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xe5\\x8c\\x08\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 8585
          },
          {
            "timestamp": "2026-05-28 22:01:58,115",
            "thread_id": "5448",
            "caller": "0x7ff6c28c488d",
            "parentcaller": "0x7ff6c28c375e",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000073c"
              }
            ],
            "repeated": 0,
            "id": 8586
          },
          {
            "timestamp": "2026-05-28 22:01:58,115",
            "thread_id": "5448",
            "caller": "0x7ff6c28c3779",
            "parentcaller": "0x7ff6c28c31c6",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000007a8"
              }
            ],
            "repeated": 0,
            "id": 8587
          },
          {
            "timestamp": "2026-05-28 22:01:58,115",
            "thread_id": "5448",
            "caller": "0x7ff6c28c05ac",
            "parentcaller": "0x7ff6c28bdc11",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000007a8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001400",
                "pretty_value": "PROCESS_QUERY_INFORMATION|PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "7988"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\System32\\svchost.exe"
              }
            ],
            "repeated": 0,
            "id": 8588
          },
          {
            "timestamp": "2026-05-28 22:01:58,115",
            "thread_id": "5448",
            "caller": "0x7ff6c28c068f",
            "parentcaller": "0x7ff6c28bdc11",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000007a8"
              }
            ],
            "repeated": 0,
            "id": 8589
          },
          {
            "timestamp": "2026-05-28 22:01:58,115",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c3e56",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000007a8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001000",
                "pretty_value": "PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "7988"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\System32\\svchost.exe"
              }
            ],
            "repeated": 0,
            "id": 8590
          },
          {
            "timestamp": "2026-05-28 22:01:58,115",
            "thread_id": "5448",
            "caller": "0x7ff6c28c3ebb",
            "parentcaller": "0x7ff6c28c2d53",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000007a8"
              }
            ],
            "repeated": 0,
            "id": 8591
          },
          {
            "timestamp": "2026-05-28 22:01:58,115",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c3ffc",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000007a8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001000",
                "pretty_value": "PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "7988"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\System32\\svchost.exe"
              }
            ],
            "repeated": 0,
            "id": 8592
          },
          {
            "timestamp": "2026-05-28 22:01:58,115",
            "thread_id": "5448",
            "caller": "0x7ff6c28c4224",
            "parentcaller": "0x7ff6c28c2da5",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000007a8"
              }
            ],
            "repeated": 0,
            "id": 8593
          },
          {
            "timestamp": "2026-05-28 22:01:58,115",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x292546c0002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\System32\\svchost.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 8594
          },
          {
            "timestamp": "2026-05-28 22:01:58,115",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "registry",
            "api": "NtOpenKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\en-US"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\en-US"
              }
            ],
            "repeated": 0,
            "id": 8595
          },
          {
            "timestamp": "2026-05-28 22:01:58,115",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000007a8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100001",
                "pretty_value": "FILE_READ_ACCESS|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\en-US\\svchost.exe.mui"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 8596
          },
          {
            "timestamp": "2026-05-28 22:01:58,115",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x0000073c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x000007a8"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\en-US\\svchost.exe.mui"
              }
            ],
            "repeated": 0,
            "id": 8597
          },
          {
            "timestamp": "2026-05-28 22:01:58,115",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x0000073c"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x292546d0000"
              },
              {
                "name": "SectionOffset",
                "value": "0xf09ddfcf90"
              },
              {
                "name": "ViewSize",
                "value": "0x00001000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 8598
          },
          {
            "timestamp": "2026-05-28 22:01:58,115",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000073c"
              }
            ],
            "repeated": 0,
            "id": 8599
          },
          {
            "timestamp": "2026-05-28 22:01:58,115",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x292546d0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              }
            ],
            "repeated": 0,
            "id": 8600
          },
          {
            "timestamp": "2026-05-28 22:01:58,115",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000007a8"
              }
            ],
            "repeated": 0,
            "id": 8601
          },
          {
            "timestamp": "2026-05-28 22:01:58,115",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x292546c0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              }
            ],
            "repeated": 0,
            "id": 8602
          },
          {
            "timestamp": "2026-05-28 22:01:58,115",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x292546c0002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\System32\\svchost.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 8603
          },
          {
            "timestamp": "2026-05-28 22:01:58,115",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "registry",
            "api": "NtOpenKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\en-US"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\en-US"
              }
            ],
            "repeated": 0,
            "id": 8604
          },
          {
            "timestamp": "2026-05-28 22:01:58,115",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000007a8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100001",
                "pretty_value": "FILE_READ_ACCESS|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\en-US\\svchost.exe.mui"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 8605
          },
          {
            "timestamp": "2026-05-28 22:01:58,115",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x0000073c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x000007a8"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\en-US\\svchost.exe.mui"
              }
            ],
            "repeated": 0,
            "id": 8606
          },
          {
            "timestamp": "2026-05-28 22:01:58,115",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x0000073c"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x292546d0000"
              },
              {
                "name": "SectionOffset",
                "value": "0xf09ddfcf80"
              },
              {
                "name": "ViewSize",
                "value": "0x00001000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 8607
          },
          {
            "timestamp": "2026-05-28 22:01:58,115",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000073c"
              }
            ],
            "repeated": 0,
            "id": 8608
          },
          {
            "timestamp": "2026-05-28 22:01:58,115",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x292546d0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              }
            ],
            "repeated": 0,
            "id": 8609
          },
          {
            "timestamp": "2026-05-28 22:01:58,115",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000007a8"
              }
            ],
            "repeated": 0,
            "id": 8610
          },
          {
            "timestamp": "2026-05-28 22:01:58,115",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x292546c0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              }
            ],
            "repeated": 0,
            "id": 8611
          },
          {
            "timestamp": "2026-05-28 22:01:58,115",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c38f8",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000007a8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001410",
                "pretty_value": "PROCESS_VM_READ|PROCESS_QUERY_INFORMATION|PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "7988"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\System32\\svchost.exe"
              }
            ],
            "repeated": 0,
            "id": 8612
          },
          {
            "timestamp": "2026-05-28 22:01:58,115",
            "thread_id": "5448",
            "caller": "0x7ff6c28c53e5",
            "parentcaller": "0x7ff6c28c3945",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000007a8"
              },
              {
                "name": "BaseAddress",
                "value": "0xe0d39d6000"
              },
              {
                "name": "Size",
                "value": "0x000007c8"
              },
              {
                "name": "Buffer",
                "value": "\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x006\\x80\\xf7\\x7f\\x00\\x00\\xc0\\xc4\\x13x\\xfc\\x7f\\x00\\x00\\xf02\\x80\\xf5\\xe1\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00o\\xf5\\xe1\\x01\\x00\\x00\\xe0\\xc0\\x13x\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00p\\x003v\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00j\\xf5\\xe1\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00@\\xc4\\x13x\\xfc\\x7f\\x00\\x00?\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x12\\xb5\\xf4}\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00P\\x07\\x12\\xb5\\xf4}\\x00\\x00\\x00\\x00&\\xb7\\xf5}\\x00\\x00(\\x02'\\xb7\\xf5}\\x00\\x00P\\x06(\\xb7\\xf5}\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x80\\x9b\\x07m\\xe8\\xff\\xff\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x00 \\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x10\\x00\\x00\\x00@\\xad\\x13x\\xfc\\x7f\\x00\\x00\\x00\\x00\\xc1\\xf5\\xe1\\x01\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 8613
          },
          {
            "timestamp": "2026-05-28 22:01:58,115",
            "thread_id": "5448",
            "caller": "0x7ff6c28c5414",
            "parentcaller": "0x7ff6c28c3945",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000007a8"
              },
              {
                "name": "BaseAddress",
                "value": "0x1e1f58032f0"
              },
              {
                "name": "Size",
                "value": "0x00000440"
              },
              {
                "name": "Buffer",
                "value": "p\\x07\\x00\\x00p\\x07\\x00\\x00\\x01 \\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00(\\x00\\x08\\x02\\x00\\x00\\x00\\x00\\xd0>\\x80\\xf5\\xe1\\x01\\x00\\x00H\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00>\\x00@\\x00\\x00\\x00\\x00\\x0089\\x80\\xf5\\xe1\\x01\\x00\\x00\\xa2\\x00\\xa4\\x00\\x00\\x00\\x00\\x00x9\\x80\\xf5\\xe1\\x01\\x00\\x00\\xf0'\\x80\\xf5\\xe1\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x80\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00>\\x00@\\x00\\x00\\x00\\x00\\x00\\x1c:\\x80\\xf5\\xe1\\x01\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\:\\x80\\xf5\\xe1\\x01\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00^:\\x80\\xf5\\xe1\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 8614
          },
          {
            "timestamp": "2026-05-28 22:01:58,115",
            "thread_id": "5448",
            "caller": "0x7ff6c28c545d",
            "parentcaller": "0x7ff6c28c3945",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000007a8"
              },
              {
                "name": "BaseAddress",
                "value": "0x1e1f5803978"
              },
              {
                "name": "Size",
                "value": "0x000000a2"
              },
              {
                "name": "Buffer",
                "value": "C\\x00:\\x00\\\\x00W\\x00i\\x00n\\x00d\\x00o\\x00w\\x00s\\x00\\\\x00s\\x00y\\x00s\\x00t\\x00e\\x00m\\x003\\x002\\x00\\\\x00s\\x00v\\x00c\\x00h\\x00o\\x00s\\x00t\\x00.\\x00e\\x00x\\x00e\\x00 \\x00-\\x00k\\x00 \\x00L\\x00o\\x00c\\x00a\\x00l\\x00S\\x00e\\x00r\\x00v\\x00i\\x00c\\x00e\\x00N\\x00e\\x00t\\x00w\\x00o\\x00r\\x00k\\x00R\\x00e\\x00s\\x00t\\x00r\\x00i\\x00c\\x00t\\x00e\\x00d\\x00 \\x00-\\x00p\\x00 \\x00-\\x00s\\x00 \\x00N\\x00g\\x00c\\x00C\\x00t\\x00n\\x00r\\x00S\\x00v\\x00c\\x00"
              }
            ],
            "repeated": 0,
            "id": 8615
          },
          {
            "timestamp": "2026-05-28 22:01:58,115",
            "thread_id": "5448",
            "caller": "0x7ff6c28c39ad",
            "parentcaller": "0x7ff6c28c31bb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000007a8"
              }
            ],
            "repeated": 0,
            "id": 8616
          },
          {
            "timestamp": "2026-05-28 22:01:58,115",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c3746",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000007a8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001000",
                "pretty_value": "PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "7988"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\System32\\svchost.exe"
              }
            ],
            "repeated": 0,
            "id": 8617
          },
          {
            "timestamp": "2026-05-28 22:01:58,115",
            "thread_id": "5448",
            "caller": "0x7ff6c28c472e",
            "parentcaller": "0x7ff6c28c375e",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000007a8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x0000073c"
              }
            ],
            "repeated": 0,
            "id": 8618
          },
          {
            "timestamp": "2026-05-28 22:01:58,115",
            "thread_id": "5448",
            "caller": "0x7ff6c28c4764",
            "parentcaller": "0x7ff6c28c375e",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "39"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 8619
          },
          {
            "timestamp": "2026-05-28 22:01:58,115",
            "thread_id": "5448",
            "caller": "0x7ff6c28c47ed",
            "parentcaller": "0x7ff6c28c375e",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "39"
              },
              {
                "name": "TokenInformation",
                "value": "\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\xe0\\x93$T\\x92\\x02\\x00\\x00 \\x00 \\x00\\x00\\x00\\x00\\x00\\x08\\x94$T\\x92\\x02\\x00\\x00\\x02\\x00\\x00\\x00A\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00(\\x94$T\\x92\\x02\\x00\\x00T\\x00S\\x00A\\x00:\\x00/\\x00/\\x00P\\x00r\\x00o\\x00c\\x00U\\x00n\\x00i\\x00q\\x00u\\x00e\\x00i\\x00\\x00\\x00\\x00\\x00\\x00\\x00m\\xb9\\x08\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 8620
          },
          {
            "timestamp": "2026-05-28 22:01:58,115",
            "thread_id": "5448",
            "caller": "0x7ff6c28c488d",
            "parentcaller": "0x7ff6c28c375e",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000073c"
              }
            ],
            "repeated": 0,
            "id": 8621
          },
          {
            "timestamp": "2026-05-28 22:01:58,115",
            "thread_id": "5448",
            "caller": "0x7ff6c28c3779",
            "parentcaller": "0x7ff6c28c31c6",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000007a8"
              }
            ],
            "repeated": 0,
            "id": 8622
          },
          {
            "timestamp": "2026-05-28 22:01:58,115",
            "thread_id": "5448",
            "caller": "0x7ff6c28c05ac",
            "parentcaller": "0x7ff6c28bdc11",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000007a8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001400",
                "pretty_value": "PROCESS_QUERY_INFORMATION|PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "796"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\System32\\ApplicationFrameHost.exe"
              }
            ],
            "repeated": 0,
            "id": 8623
          },
          {
            "timestamp": "2026-05-28 22:01:58,115",
            "thread_id": "5448",
            "caller": "0x7ff6c28c068f",
            "parentcaller": "0x7ff6c28bdc11",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000007a8"
              }
            ],
            "repeated": 0,
            "id": 8624
          },
          {
            "timestamp": "2026-05-28 22:01:58,115",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c837c",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000007a8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001000",
                "pretty_value": "PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "796"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\System32\\ApplicationFrameHost.exe"
              }
            ],
            "repeated": 0,
            "id": 8625
          },
          {
            "timestamp": "2026-05-28 22:01:58,115",
            "thread_id": "5448",
            "caller": "0x7ff6c28c472e",
            "parentcaller": "0x7ff6c28c8392",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000007a8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x0000073c"
              }
            ],
            "repeated": 0,
            "id": 8626
          },
          {
            "timestamp": "2026-05-28 22:01:58,115",
            "thread_id": "5448",
            "caller": "0x7ff6c28c4764",
            "parentcaller": "0x7ff6c28c8392",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "39"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 8627
          },
          {
            "timestamp": "2026-05-28 22:01:58,115",
            "thread_id": "5448",
            "caller": "0x7ff6c28c47ed",
            "parentcaller": "0x7ff6c28c8392",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "39"
              },
              {
                "name": "TokenInformation",
                "value": "\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\xe0\\x93$T\\x92\\x02\\x00\\x00 \\x00 \\x00\\x00\\x00\\x00\\x00\\x08\\x94$T\\x92\\x02\\x00\\x00\\x02\\x00\\x00\\x00A\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00(\\x94$T\\x92\\x02\\x00\\x00T\\x00S\\x00A\\x00:\\x00/\\x00/\\x00P\\x00r\\x00o\\x00c\\x00U\\x00n\\x00i\\x00q\\x00u\\x00e\\x00X\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x961\t\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 8628
          },
          {
            "timestamp": "2026-05-28 22:01:58,115",
            "thread_id": "5448",
            "caller": "0x7ff6c28c488d",
            "parentcaller": "0x7ff6c28c8392",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000073c"
              }
            ],
            "repeated": 0,
            "id": 8629
          },
          {
            "timestamp": "2026-05-28 22:01:58,115",
            "thread_id": "5448",
            "caller": "0x7ff6c28c83a8",
            "parentcaller": "0x7ff6c28c8427",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000007a8"
              }
            ],
            "repeated": 0,
            "id": 8630
          },
          {
            "timestamp": "2026-05-28 22:01:58,115",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c3e56",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000007a8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001000",
                "pretty_value": "PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "796"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\System32\\ApplicationFrameHost.exe"
              }
            ],
            "repeated": 0,
            "id": 8631
          },
          {
            "timestamp": "2026-05-28 22:01:58,115",
            "thread_id": "5448",
            "caller": "0x7ff6c28c3ebb",
            "parentcaller": "0x7ff6c28c2d53",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000007a8"
              }
            ],
            "repeated": 0,
            "id": 8632
          },
          {
            "timestamp": "2026-05-28 22:01:58,115",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c3ffc",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000007a8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001000",
                "pretty_value": "PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "796"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\System32\\ApplicationFrameHost.exe"
              }
            ],
            "repeated": 0,
            "id": 8633
          },
          {
            "timestamp": "2026-05-28 22:01:58,115",
            "thread_id": "5448",
            "caller": "0x7ff6c28c4224",
            "parentcaller": "0x7ff6c28c2da5",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000007a8"
              }
            ],
            "repeated": 0,
            "id": 8634
          },
          {
            "timestamp": "2026-05-28 22:01:58,115",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x292546c0002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\System32\\ApplicationFrameHost.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 8635
          },
          {
            "timestamp": "2026-05-28 22:01:58,115",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x292546c0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00015000"
              }
            ],
            "repeated": 0,
            "id": 8636
          },
          {
            "timestamp": "2026-05-28 22:01:58,115",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x292546c0002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\System32\\ApplicationFrameHost.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 8637
          },
          {
            "timestamp": "2026-05-28 22:01:58,115",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x292546c0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00015000"
              }
            ],
            "repeated": 0,
            "id": 8638
          },
          {
            "timestamp": "2026-05-28 22:01:58,115",
            "thread_id": "5448",
            "caller": "0x7ff6c28c3b16",
            "parentcaller": "0x7ff6c28c30e8",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000007a8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000400",
                "pretty_value": "PROCESS_QUERY_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "796"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\System32\\ApplicationFrameHost.exe"
              }
            ],
            "repeated": 0,
            "id": 8639
          },
          {
            "timestamp": "2026-05-28 22:01:58,115",
            "thread_id": "5448",
            "caller": "0x7ff6c28c3b8f",
            "parentcaller": "0x7ff6c28c30e8",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000007a8"
              }
            ],
            "repeated": 0,
            "id": 8640
          },
          {
            "timestamp": "2026-05-28 22:01:58,115",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c38f8",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000007a8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001410",
                "pretty_value": "PROCESS_VM_READ|PROCESS_QUERY_INFORMATION|PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "796"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\System32\\ApplicationFrameHost.exe"
              }
            ],
            "repeated": 0,
            "id": 8641
          },
          {
            "timestamp": "2026-05-28 22:01:58,115",
            "thread_id": "5448",
            "caller": "0x7ff6c28c53e5",
            "parentcaller": "0x7ff6c28c3945",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000007a8"
              },
              {
                "name": "BaseAddress",
                "value": "0x5445cdf000"
              },
              {
                "name": "Size",
                "value": "0x000007c8"
              },
              {
                "name": "Buffer",
                "value": "\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\xce\\xee\\xf7\\x7f\\x00\\x00\\xc0\\xc4\\x13x\\xfc\\x7f\\x00\\x00\\xc0\\x1a\\xb1\\xb3z\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb1\\xb3z\\x01\\x00\\x00\\xe0\\xc0\\x13x\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00p\\x003v\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xa1\\xb3z\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00@\\xc4\\x13x\\xfc\\x7f\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\x0f\\x00\\x00\\x00\\x00~\\xeb\\xf4}\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00P\\x07~\\xeb\\xf4}\\x00\\x00\\x00\\x00\\x92\\xed\\xf5}\\x00\\x00(\\x02\\x93\\xed\\xf5}\\x00\\x00P\\x06\\x94\\xed\\xf5}\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x80\\x9b\\x07m\\xe8\\xff\\xff\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x00 \\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\x05\\x00\\x00\\x00\\x10\\x00\\x00\\x00@\\xad\\x13x\\xfc\\x7f\\x00\\x00\\x00\\x00\\x01\\xb4z\\x01\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 8642
          },
          {
            "timestamp": "2026-05-28 22:01:58,115",
            "thread_id": "5448",
            "caller": "0x7ff6c28c5414",
            "parentcaller": "0x7ff6c28c3945",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000007a8"
              },
              {
                "name": "BaseAddress",
                "value": "0x17ab3b11ac0"
              },
              {
                "name": "Size",
                "value": "0x00000440"
              },
              {
                "name": "Buffer",
                "value": "p\\x07\\x00\\x00p\\x07\\x00\\x00\\x01`\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00(\\x00\\x08\\x02\\x00\\x00\\x00\\x00\\x90&\\xb1\\xb3z\\x01\\x00\\x00@\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00X\\x00Z\\x00\\x00\\x00\\x00\\x00\\x08!\\xb1\\xb3z\\x01\\x00\\x00n\\x00p\\x00\\x00\\x00\\x00\\x00b!\\xb1\\xb3z\\x01\\x00\\x00\\xe0\\x0f\\xb1\\xb3z\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x80\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00X\\x00Z\\x00\\x00\\x00\\x00\\x00\\xd2!\\xb1\\xb3z\\x01\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00,\"\\xb1\\xb3z\\x01\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00.\"\\xb1\\xb3z\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 8643
          },
          {
            "timestamp": "2026-05-28 22:01:58,115",
            "thread_id": "5448",
            "caller": "0x7ff6c28c545d",
            "parentcaller": "0x7ff6c28c3945",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000007a8"
              },
              {
                "name": "BaseAddress",
                "value": "0x17ab3b12162"
              },
              {
                "name": "Size",
                "value": "0x0000006e"
              },
              {
                "name": "Buffer",
                "value": "C\\x00:\\x00\\\\x00W\\x00i\\x00n\\x00d\\x00o\\x00w\\x00s\\x00\\\\x00s\\x00y\\x00s\\x00t\\x00e\\x00m\\x003\\x002\\x00\\\\x00A\\x00p\\x00p\\x00l\\x00i\\x00c\\x00a\\x00t\\x00i\\x00o\\x00n\\x00F\\x00r\\x00a\\x00m\\x00e\\x00H\\x00o\\x00s\\x00t\\x00.\\x00e\\x00x\\x00e\\x00 \\x00-\\x00E\\x00m\\x00b\\x00e\\x00d\\x00d\\x00i\\x00n\\x00g\\x00"
              }
            ],
            "repeated": 0,
            "id": 8644
          },
          {
            "timestamp": "2026-05-28 22:01:58,115",
            "thread_id": "5448",
            "caller": "0x7ff6c28c39ad",
            "parentcaller": "0x7ff6c28c31bb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000007a8"
              }
            ],
            "repeated": 0,
            "id": 8645
          },
          {
            "timestamp": "2026-05-28 22:01:58,115",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c3746",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000007a8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001000",
                "pretty_value": "PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "796"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\System32\\ApplicationFrameHost.exe"
              }
            ],
            "repeated": 0,
            "id": 8646
          },
          {
            "timestamp": "2026-05-28 22:01:58,115",
            "thread_id": "5448",
            "caller": "0x7ff6c28c472e",
            "parentcaller": "0x7ff6c28c375e",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000007a8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x0000073c"
              }
            ],
            "repeated": 0,
            "id": 8647
          },
          {
            "timestamp": "2026-05-28 22:01:58,115",
            "thread_id": "5448",
            "caller": "0x7ff6c28c4764",
            "parentcaller": "0x7ff6c28c375e",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "39"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 8648
          },
          {
            "timestamp": "2026-05-28 22:01:58,115",
            "thread_id": "5448",
            "caller": "0x7ff6c28c47ed",
            "parentcaller": "0x7ff6c28c375e",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "39"
              },
              {
                "name": "TokenInformation",
                "value": "\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\xe0\\x93$T\\x92\\x02\\x00\\x00 \\x00 \\x00\\x00\\x00\\x00\\x00\\x08\\x94$T\\x92\\x02\\x00\\x00\\x02\\x00\\x00\\x00A\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00(\\x94$T\\x92\\x02\\x00\\x00T\\x00S\\x00A\\x00:\\x00/\\x00/\\x00P\\x00r\\x00o\\x00c\\x00U\\x00n\\x00i\\x00q\\x00u\\x00e\\x00X\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x961\t\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 8649
          },
          {
            "timestamp": "2026-05-28 22:01:58,115",
            "thread_id": "5448",
            "caller": "0x7ff6c28c488d",
            "parentcaller": "0x7ff6c28c375e",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000073c"
              }
            ],
            "repeated": 0,
            "id": 8650
          },
          {
            "timestamp": "2026-05-28 22:01:58,115",
            "thread_id": "5448",
            "caller": "0x7ff6c28c3779",
            "parentcaller": "0x7ff6c28c31c6",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000007a8"
              }
            ],
            "repeated": 0,
            "id": 8651
          },
          {
            "timestamp": "2026-05-28 22:01:58,115",
            "thread_id": "5448",
            "caller": "0x7ff6c28c05ac",
            "parentcaller": "0x7ff6c28bdc11",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000007a8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001400",
                "pretty_value": "PROCESS_QUERY_INFORMATION|PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "7940"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\System32\\notepad.exe"
              }
            ],
            "repeated": 0,
            "id": 8652
          },
          {
            "timestamp": "2026-05-28 22:01:58,115",
            "thread_id": "5448",
            "caller": "0x7ff6c28c068f",
            "parentcaller": "0x7ff6c28bdc11",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000007a8"
              }
            ],
            "repeated": 0,
            "id": 8653
          },
          {
            "timestamp": "2026-05-28 22:01:58,115",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c3e56",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000007a8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001000",
                "pretty_value": "PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "7940"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\System32\\notepad.exe"
              }
            ],
            "repeated": 0,
            "id": 8654
          },
          {
            "timestamp": "2026-05-28 22:01:58,115",
            "thread_id": "5448",
            "caller": "0x7ff6c28c3ebb",
            "parentcaller": "0x7ff6c28c2d53",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000007a8"
              }
            ],
            "repeated": 0,
            "id": 8655
          },
          {
            "timestamp": "2026-05-28 22:01:58,115",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c3ffc",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000007a8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001000",
                "pretty_value": "PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "7940"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\System32\\notepad.exe"
              }
            ],
            "repeated": 0,
            "id": 8656
          },
          {
            "timestamp": "2026-05-28 22:01:58,115",
            "thread_id": "5448",
            "caller": "0x7ff6c28c4224",
            "parentcaller": "0x7ff6c28c2da5",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000007a8"
              }
            ],
            "repeated": 0,
            "id": 8657
          },
          {
            "timestamp": "2026-05-28 22:01:58,115",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x292546c0002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\System32\\notepad.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 8658
          },
          {
            "timestamp": "2026-05-28 22:01:58,115",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "registry",
            "api": "NtOpenKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\en-US"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\en-US"
              }
            ],
            "repeated": 0,
            "id": 8659
          },
          {
            "timestamp": "2026-05-28 22:01:58,115",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000007a8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100001",
                "pretty_value": "FILE_READ_ACCESS|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\en-US\\notepad.exe.mui"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 8660
          },
          {
            "timestamp": "2026-05-28 22:01:58,115",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x0000073c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x000007a8"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\en-US\\notepad.exe.mui"
              }
            ],
            "repeated": 0,
            "id": 8661
          },
          {
            "timestamp": "2026-05-28 22:01:58,115",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x0000073c"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254700000"
              },
              {
                "name": "SectionOffset",
                "value": "0xf09ddfcf90"
              },
              {
                "name": "ViewSize",
                "value": "0x00003000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 8662
          },
          {
            "timestamp": "2026-05-28 22:01:58,115",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000073c"
              }
            ],
            "repeated": 0,
            "id": 8663
          },
          {
            "timestamp": "2026-05-28 22:01:58,115",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254700000"
              },
              {
                "name": "RegionSize",
                "value": "0x00003000"
              }
            ],
            "repeated": 0,
            "id": 8664
          },
          {
            "timestamp": "2026-05-28 22:01:58,115",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000007a8"
              }
            ],
            "repeated": 0,
            "id": 8665
          },
          {
            "timestamp": "2026-05-28 22:01:58,115",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x292546c0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00038000"
              }
            ],
            "repeated": 0,
            "id": 8666
          },
          {
            "timestamp": "2026-05-28 22:01:58,115",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x292546c0002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\System32\\notepad.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 8667
          },
          {
            "timestamp": "2026-05-28 22:01:58,115",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "registry",
            "api": "NtOpenKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\en-US"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\en-US"
              }
            ],
            "repeated": 0,
            "id": 8668
          },
          {
            "timestamp": "2026-05-28 22:01:58,115",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000007a8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100001",
                "pretty_value": "FILE_READ_ACCESS|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\en-US\\notepad.exe.mui"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 8669
          },
          {
            "timestamp": "2026-05-28 22:01:58,115",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x0000073c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x000007a8"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\en-US\\notepad.exe.mui"
              }
            ],
            "repeated": 0,
            "id": 8670
          },
          {
            "timestamp": "2026-05-28 22:01:58,115",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x0000073c"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254700000"
              },
              {
                "name": "SectionOffset",
                "value": "0xf09ddfcf80"
              },
              {
                "name": "ViewSize",
                "value": "0x00003000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 8671
          },
          {
            "timestamp": "2026-05-28 22:01:58,115",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000073c"
              }
            ],
            "repeated": 0,
            "id": 8672
          },
          {
            "timestamp": "2026-05-28 22:01:58,115",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254700000"
              },
              {
                "name": "RegionSize",
                "value": "0x00003000"
              }
            ],
            "repeated": 0,
            "id": 8673
          },
          {
            "timestamp": "2026-05-28 22:01:58,115",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000007a8"
              }
            ],
            "repeated": 0,
            "id": 8674
          },
          {
            "timestamp": "2026-05-28 22:01:58,115",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x292546c0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00038000"
              }
            ],
            "repeated": 0,
            "id": 8675
          },
          {
            "timestamp": "2026-05-28 22:01:58,115",
            "thread_id": "5448",
            "caller": "0x7ff6c28c3b16",
            "parentcaller": "0x7ff6c28c30e8",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000007a8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000400",
                "pretty_value": "PROCESS_QUERY_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "7940"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\System32\\notepad.exe"
              }
            ],
            "repeated": 0,
            "id": 8676
          },
          {
            "timestamp": "2026-05-28 22:01:58,115",
            "thread_id": "5448",
            "caller": "0x7ff6c28c3b8f",
            "parentcaller": "0x7ff6c28c30e8",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000007a8"
              }
            ],
            "repeated": 0,
            "id": 8677
          },
          {
            "timestamp": "2026-05-28 22:01:58,115",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c38f8",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000007a8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001410",
                "pretty_value": "PROCESS_VM_READ|PROCESS_QUERY_INFORMATION|PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "7940"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\System32\\notepad.exe"
              }
            ],
            "repeated": 0,
            "id": 8678
          },
          {
            "timestamp": "2026-05-28 22:01:58,115",
            "thread_id": "5448",
            "caller": "0x7ff6c28c53e5",
            "parentcaller": "0x7ff6c28c3945",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000007a8"
              },
              {
                "name": "BaseAddress",
                "value": "0x721b730000"
              },
              {
                "name": "Size",
                "value": "0x000007c8"
              },
              {
                "name": "Buffer",
                "value": "\\x00\\x00\\x00\\x84\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\x1a$\\xf7\\x7f\\x00\\x00\\xc0\\xc4\\x13x\\xfc\\x7f\\x00\\x00p\\x1cZ\\xec\\x8c\\x01\\x00\\x00\\xd0\\xb1\\x0fp\\xfc\\x7f\\x00\\x00\\x00\\x00Z\\xec\\x8c\\x01\\x00\\x00\\xe0\\xc0\\x13x\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00p\\x003v\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00?\\xec\\x8c\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00@\\xc4\\x13x\\xfc\\x7f\\x00\\x00\\xff\\xff\\xff\\x1f\\x00\\x00\\x00\\x00\\x00\\x00\t\\x1f\\xf4}\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00P\\x07\t\\x1f\\xf4}\\x00\\x00\\x00\\x00\\x1d!\\xf5}\\x00\\x00(\\x02\\x1e!\\xf5}\\x00\\x00P\\x06\\x1f!\\xf5}\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x80\\x9b\\x07m\\xe8\\xff\\xff\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x00 \\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x10\\x00\\x00\\x00@\\xad\\x13x\\xfc\\x7f\\x00\\x00\\x00\\x00\\x8a\\xec\\x8c\\x01\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 8679
          },
          {
            "timestamp": "2026-05-28 22:01:58,115",
            "thread_id": "5448",
            "caller": "0x7ff6c28c5414",
            "parentcaller": "0x7ff6c28c3945",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000007a8"
              },
              {
                "name": "BaseAddress",
                "value": "0x18cec5a1c70"
              },
              {
                "name": "Size",
                "value": "0x00000440"
              },
              {
                "name": "Buffer",
                "value": ".\\x07\\x00\\x00.\\x07\\x00\\x00\\x01`\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x18\\x00\\x08\\x02\\x00\\x00\\x00\\x00\\x00(Z\\xec\\x8c\\x01\\x00\\x00@\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00>\\x00@\\x00\\x00\\x00\\x00\\x00\\xb8\"Z\\xec\\x8c\\x01\\x00\\x00B\\x00D\\x00\\x00\\x00\\x00\\x00\\xf8\"Z\\xec\\x8c\\x01\\x00\\x00\\xe0\\x0fZ\\xec\\x8c\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00>\\x00@\\x00\\x00\\x00\\x00\\x00<#Z\\xec\\x8c\\x01\\x00\\x00\\x1e\\x00 \\x00\\x00\\x00\\x00\\x00|#Z\\xec\\x8c\\x01\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x9c#Z\\xec\\x8c\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 8680
          },
          {
            "timestamp": "2026-05-28 22:01:58,115",
            "thread_id": "5448",
            "caller": "0x7ff6c28c545d",
            "parentcaller": "0x7ff6c28c3945",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000007a8"
              },
              {
                "name": "BaseAddress",
                "value": "0x18cec5a22f8"
              },
              {
                "name": "Size",
                "value": "0x00000042"
              },
              {
                "name": "Buffer",
                "value": "\"\\x00C\\x00:\\x00\\\\x00W\\x00i\\x00n\\x00d\\x00o\\x00w\\x00s\\x00\\\\x00S\\x00y\\x00s\\x00t\\x00e\\x00m\\x003\\x002\\x00\\\\x00n\\x00o\\x00t\\x00e\\x00p\\x00a\\x00d\\x00.\\x00e\\x00x\\x00e\\x00\"\\x00"
              }
            ],
            "repeated": 0,
            "id": 8681
          },
          {
            "timestamp": "2026-05-28 22:01:58,115",
            "thread_id": "5448",
            "caller": "0x7ff6c28c39ad",
            "parentcaller": "0x7ff6c28c31bb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000007a8"
              }
            ],
            "repeated": 0,
            "id": 8682
          },
          {
            "timestamp": "2026-05-28 22:01:58,115",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c3746",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000007a8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001000",
                "pretty_value": "PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "7940"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\System32\\notepad.exe"
              }
            ],
            "repeated": 0,
            "id": 8683
          },
          {
            "timestamp": "2026-05-28 22:01:58,115",
            "thread_id": "5448",
            "caller": "0x7ff6c28c472e",
            "parentcaller": "0x7ff6c28c375e",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000007a8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x0000073c"
              }
            ],
            "repeated": 0,
            "id": 8684
          },
          {
            "timestamp": "2026-05-28 22:01:58,115",
            "thread_id": "5448",
            "caller": "0x7ff6c28c4764",
            "parentcaller": "0x7ff6c28c375e",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "39"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 8685
          },
          {
            "timestamp": "2026-05-28 22:01:58,115",
            "thread_id": "5448",
            "caller": "0x7ff6c28c47ed",
            "parentcaller": "0x7ff6c28c375e",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "39"
              },
              {
                "name": "TokenInformation",
                "value": "\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\xe0\\x93$T\\x92\\x02\\x00\\x00 \\x00 \\x00\\x00\\x00\\x00\\x00\\x08\\x94$T\\x92\\x02\\x00\\x00\\x02\\x00\\x00\\x00A\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00(\\x94$T\\x92\\x02\\x00\\x00T\\x00S\\x00A\\x00:\\x00/\\x00/\\x00P\\x00r\\x00o\\x00c\\x00U\\x00n\\x00i\\x00q\\x00u\\x00e\\x00\\x81\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xfdX\t\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 8686
          },
          {
            "timestamp": "2026-05-28 22:01:58,115",
            "thread_id": "5448",
            "caller": "0x7ff6c28c488d",
            "parentcaller": "0x7ff6c28c375e",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000073c"
              }
            ],
            "repeated": 0,
            "id": 8687
          },
          {
            "timestamp": "2026-05-28 22:01:58,115",
            "thread_id": "5448",
            "caller": "0x7ff6c28c3779",
            "parentcaller": "0x7ff6c28c31c6",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000007a8"
              }
            ],
            "repeated": 0,
            "id": 8688
          },
          {
            "timestamp": "2026-05-28 22:01:58,115",
            "thread_id": "5448",
            "caller": "0x7ff6c28c05ac",
            "parentcaller": "0x7ff6c28bdc11",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000007a8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001400",
                "pretty_value": "PROCESS_QUERY_INFORMATION|PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "4452"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\SystemApps\\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\\TextInputHost.exe"
              }
            ],
            "repeated": 0,
            "id": 8689
          },
          {
            "timestamp": "2026-05-28 22:01:58,115",
            "thread_id": "5448",
            "caller": "0x7ff6c28c068f",
            "parentcaller": "0x7ff6c28bdc11",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000007a8"
              }
            ],
            "repeated": 0,
            "id": 8690
          },
          {
            "timestamp": "2026-05-28 22:01:58,131",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c837c",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000007a8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001000",
                "pretty_value": "PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "4452"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\SystemApps\\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\\TextInputHost.exe"
              }
            ],
            "repeated": 0,
            "id": 8691
          },
          {
            "timestamp": "2026-05-28 22:01:58,131",
            "thread_id": "5448",
            "caller": "0x7ff6c28c472e",
            "parentcaller": "0x7ff6c28c8392",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000007a8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x000007a4"
              }
            ],
            "repeated": 0,
            "id": 8692
          },
          {
            "timestamp": "2026-05-28 22:01:58,131",
            "thread_id": "5448",
            "caller": "0x7ff6c28c4764",
            "parentcaller": "0x7ff6c28c8392",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "39"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 8693
          },
          {
            "timestamp": "2026-05-28 22:01:58,131",
            "thread_id": "5448",
            "caller": "0x7ff6c28c47ed",
            "parentcaller": "0x7ff6c28c8392",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "39"
              },
              {
                "name": "TokenInformation",
                "value": "\\x01\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\xe0\\x93$T\\x92\\x02\\x00\\x00\\x1c\\x00\\x1c\\x00\\x00\\x00\\x00\\x00\\x80\\x94$T\\x92\\x02\\x00\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xa0\\x94$T\\x92\\x02\\x00\\x00\\x12\\x00\\x12\\x00\\x00\\x00\\x00\\x00\\xb2\\x95$T\\x92\\x02\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xc8\\x95$T\\x92\\x02\\x00\\x00\\x1e\\x00\\x1e\\x00\\x00\\x00\\x00\\x00\\xd0\\x95$T\\x92\\x02\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xf0\\x95$T\\x92\\x02\\x00\\x00 \\x00 \\x00\\x00\\x00\\x00\\x00\\xf8\\x95$T\\x92\\x02\\x00\\x00\\x02\\x00\\x00\\x00A\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x18\\x96$T\\x92\\x02\\x00\\x00W\\x00I\\x00N\\x00:\\x00/\\x00/\\x00S\\x00Y\\x00S\\x00A\\x00P\\x00P\\x00I\\x00D\\x00\\x00\\x00\\x00\\x00\\x80\\x00\\x80\\x00\\x00\\x00\\x00\\x00\\xd0\\x94$T\\x92\\x02\\x00\\x00\\x10\\x00\\x10\\x00\\x00\\x00\\x00\\x00P\\x95$T\\x92\\x02\\x00\\x00R\\x00R\\x00\\x00\\x00\\x00\\x00`\\x95$T\\x92\\x02\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 8694
          },
          {
            "timestamp": "2026-05-28 22:01:58,131",
            "thread_id": "5448",
            "caller": "0x7ff6c28c488d",
            "parentcaller": "0x7ff6c28c8392",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000007a4"
              }
            ],
            "repeated": 0,
            "id": 8695
          },
          {
            "timestamp": "2026-05-28 22:01:58,131",
            "thread_id": "5448",
            "caller": "0x7ff6c28c83a8",
            "parentcaller": "0x7ff6c28c8427",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000007a8"
              }
            ],
            "repeated": 0,
            "id": 8696
          },
          {
            "timestamp": "2026-05-28 22:01:58,131",
            "thread_id": "5448",
            "caller": "0x7ff6c28c883e",
            "parentcaller": "0x7ff6c28c846b",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0xfffffffc"
              }
            ],
            "repeated": 0,
            "id": 8697
          },
          {
            "timestamp": "2026-05-28 22:01:58,131",
            "thread_id": "5448",
            "caller": "0x7ff6c28c883e",
            "parentcaller": "0x7ff6c28c846b",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 8698
          },
          {
            "timestamp": "2026-05-28 22:01:58,131",
            "thread_id": "5448",
            "caller": "0x7ff6c28c883e",
            "parentcaller": "0x7ff6c28c846b",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0xfffffffc"
              }
            ],
            "repeated": 0,
            "id": 8699
          },
          {
            "timestamp": "2026-05-28 22:01:58,131",
            "thread_id": "5448",
            "caller": "0x7ff6c28c883e",
            "parentcaller": "0x7ff6c28c846b",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "0",
                "pretty_value": "ThreadBasicInformation"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x03\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xf0\\x86\\x9d\\xf0\\x00\\x00\\x00\\xe8\\x1e\\x00\\x00\\x00\\x00\\x00\\x00H\\x15\\x00\\x00\\x00\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x0e\\x00\\x00\\x00\\x02\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "5448"
              }
            ],
            "repeated": 0,
            "id": 8700
          },
          {
            "timestamp": "2026-05-28 22:01:58,131",
            "thread_id": "3700",
            "caller": "0x7ffc7571ebae",
            "parentcaller": "0x7ffc775f84de",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "0",
                "pretty_value": "ThreadBasicInformation"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x03\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xf0\\x87\\x9d\\xf0\\x00\\x00\\x00\\xe8\\x1e\\x00\\x00\\x00\\x00\\x00\\x00t\\x0e\\x00\\x00\\x00\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x0b\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "3700"
              }
            ],
            "repeated": 0,
            "id": 8701
          },
          {
            "timestamp": "2026-05-28 22:01:58,131",
            "thread_id": "3700",
            "caller": "0x7ffc756e54eb",
            "parentcaller": "0x7ffc6126c697",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 8702
          },
          {
            "timestamp": "2026-05-28 22:01:58,131",
            "thread_id": "3700",
            "caller": "0x7ffc756e54eb",
            "parentcaller": "0x7ffc6126c717",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xe0\\xb9\"T\\x92\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\xe9\\x03\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 8703
          },
          {
            "timestamp": "2026-05-28 22:01:58,131",
            "thread_id": "3700",
            "caller": "0x7ffc77be92b9",
            "parentcaller": "0x7ffc77c2224d",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "00000339-0000-0000-C000-000000000046"
              },
              {
                "name": "ClsContext",
                "value": "0x00000403",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER|CLSCTX_NO_CODE_DOWNLOAD"
              },
              {
                "name": "riid",
                "value": "00000003-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 3,
            "id": 8704
          },
          {
            "timestamp": "2026-05-28 22:01:58,131",
            "thread_id": "3700",
            "caller": "0x7ffc6a6a12d2",
            "parentcaller": "0x7ffc756bdf5c",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache"
              },
              {
                "name": "Handle",
                "value": "0x0000073c"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache"
              }
            ],
            "repeated": 0,
            "id": 8705
          },
          {
            "timestamp": "2026-05-28 22:01:58,131",
            "thread_id": "3700",
            "caller": "0x7ffc6a6a1a81",
            "parentcaller": "0x7ffc6a6a138a",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x0000073c"
              },
              {
                "name": "SubKey",
                "value": "Metadata"
              },
              {
                "name": "Handle",
                "value": "0x0000079c"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\Metadata"
              }
            ],
            "repeated": 0,
            "id": 8706
          },
          {
            "timestamp": "2026-05-28 22:01:58,131",
            "thread_id": "3700",
            "caller": "0x7ffc6a6a1166",
            "parentcaller": "0x7ffc756bf579",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x0000073c"
              },
              {
                "name": "SubKey",
                "value": "Package\\Index\\PackageFullName\\MicrosoftWindows.Client.CBS_1000.19053.1000.0_x64__cw5n1h2txyewy"
              },
              {
                "name": "Handle",
                "value": "0x000007a0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\Package\\Index\\PackageFullName\\MicrosoftWindows.Client.CBS_1000.19053.1000.0_x64__cw5n1h2txyewy"
              }
            ],
            "repeated": 0,
            "id": 8707
          },
          {
            "timestamp": "2026-05-28 22:01:58,131",
            "thread_id": "3700",
            "caller": "0x7ffc6a6a1732",
            "parentcaller": "0x7ffc756bf7dc",
            "category": "registry",
            "api": "RegEnumKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000007a0"
              },
              {
                "name": "Index",
                "value": "0"
              },
              {
                "name": "Name",
                "value": "22"
              },
              {
                "name": "Class",
                "value": ""
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\Package\\Index\\PackageFullName\\MicrosoftWindows.Client.CBS_1000.19053.1000.0_x64__cw5n1h2txyewy\\22"
              }
            ],
            "repeated": 0,
            "id": 8708
          },
          {
            "timestamp": "2026-05-28 22:01:58,131",
            "thread_id": "3700",
            "caller": "0x7ffc6a6a1651",
            "parentcaller": "0x7ffc756bf5fd",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000007a0"
              }
            ],
            "repeated": 0,
            "id": 8709
          },
          {
            "timestamp": "2026-05-28 22:01:58,131",
            "thread_id": "3700",
            "caller": "0x7ffc756e54eb",
            "parentcaller": "0x7ffc75725e2d",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 8710
          },
          {
            "timestamp": "2026-05-28 22:01:58,131",
            "thread_id": "3700",
            "caller": "0x7ffc756e54eb",
            "parentcaller": "0x7ffc75725e8b",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xe0\\xb9\"T\\x92\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\xfc\\x7f\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\xe9\\x03\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 8711
          },
          {
            "timestamp": "2026-05-28 22:01:58,131",
            "thread_id": "3700",
            "caller": "0x7ffc6a6a1166",
            "parentcaller": "0x7ffc756bebe9",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x0000073c"
              },
              {
                "name": "SubKey",
                "value": "User\\Index\\UserSid\\S-1-5-21-3968686040-3210279463-847977608-1001"
              },
              {
                "name": "Handle",
                "value": "0x000007a0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\User\\Index\\UserSid\\S-1-5-21-3968686040-3210279463-847977608-1001"
              }
            ],
            "repeated": 0,
            "id": 8712
          },
          {
            "timestamp": "2026-05-28 22:01:58,131",
            "thread_id": "3700",
            "caller": "0x7ffc6a6a1732",
            "parentcaller": "0x7ffc756bf7dc",
            "category": "registry",
            "api": "RegEnumKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000007a0"
              },
              {
                "name": "Index",
                "value": "0"
              },
              {
                "name": "Name",
                "value": "3"
              },
              {
                "name": "Class",
                "value": ""
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\User\\Index\\UserSid\\S-1-5-21-3968686040-3210279463-847977608-1001\\3"
              }
            ],
            "repeated": 0,
            "id": 8713
          },
          {
            "timestamp": "2026-05-28 22:01:58,131",
            "thread_id": "3700",
            "caller": "0x7ffc6a6a1651",
            "parentcaller": "0x7ffc756bec6d",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000007a0"
              }
            ],
            "repeated": 0,
            "id": 8714
          },
          {
            "timestamp": "2026-05-28 22:01:58,131",
            "thread_id": "3700",
            "caller": "0x7ffc6a6a1166",
            "parentcaller": "0x7ffc756be9b0",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x0000073c"
              },
              {
                "name": "SubKey",
                "value": "PackageExternalLocation\\Index\\UserAndPackage\\3^22"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\PackageExternalLocation\\Index\\UserAndPackage\\3^22"
              }
            ],
            "repeated": 0,
            "id": 8715
          },
          {
            "timestamp": "2026-05-28 22:01:58,131",
            "thread_id": "3700",
            "caller": "0x7ffc6a6a1166",
            "parentcaller": "0x7ffc756be9b0",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x0000073c"
              },
              {
                "name": "SubKey",
                "value": "PackageExternalLocation\\Index\\UserAndPackage\\0^22"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\PackageExternalLocation\\Index\\UserAndPackage\\0^22"
              }
            ],
            "repeated": 0,
            "id": 8716
          },
          {
            "timestamp": "2026-05-28 22:01:58,131",
            "thread_id": "3700",
            "caller": "0x7ffc6a6a1166",
            "parentcaller": "0x7ffc756bf308",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x0000073c"
              },
              {
                "name": "SubKey",
                "value": "Package\\Data\\22"
              },
              {
                "name": "Handle",
                "value": "0x000007a0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\Package\\Data\\22"
              }
            ],
            "repeated": 0,
            "id": 8717
          },
          {
            "timestamp": "2026-05-28 22:01:58,131",
            "thread_id": "3700",
            "caller": "0x7ffc6a6a15ac",
            "parentcaller": "0x7ffc6a6a14ff",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000007a0"
              },
              {
                "name": "ValueName",
                "value": "InstalledLocation"
              },
              {
                "name": "Data",
                "value": "C:\\Windows\\SystemApps\\MicrosoftWindows.Client.CBS_cw5n1h2txyewy"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\Package\\Data\\22\\InstalledLocation"
              }
            ],
            "repeated": 0,
            "id": 8718
          },
          {
            "timestamp": "2026-05-28 22:01:58,131",
            "thread_id": "3700",
            "caller": "0x7ffc6a6a15ac",
            "parentcaller": "0x7ffc6a6a14ff",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000007a0"
              },
              {
                "name": "ValueName",
                "value": "MutableLink"
              },
              {
                "name": "Data",
                "value": ""
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\Package\\Data\\22\\MutableLink"
              }
            ],
            "repeated": 0,
            "id": 8719
          },
          {
            "timestamp": "2026-05-28 22:01:58,131",
            "thread_id": "3700",
            "caller": "0x7ffc6a6a1651",
            "parentcaller": "0x7ffc756bed38",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000007a0"
              }
            ],
            "repeated": 0,
            "id": 8720
          },
          {
            "timestamp": "2026-05-28 22:01:58,131",
            "thread_id": "3700",
            "caller": "0x7ffc6a6a17f2",
            "parentcaller": "0x7ffc756be12f",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000079c"
              }
            ],
            "repeated": 0,
            "id": 8721
          },
          {
            "timestamp": "2026-05-28 22:01:58,131",
            "thread_id": "3700",
            "caller": "0x7ffc6a6a180b",
            "parentcaller": "0x7ffc756be12f",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000073c"
              }
            ],
            "repeated": 0,
            "id": 8722
          },
          {
            "timestamp": "2026-05-28 22:01:58,131",
            "thread_id": "3700",
            "caller": "0x7ffc6a6a12d2",
            "parentcaller": "0x7ffc756bdf5c",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache"
              },
              {
                "name": "Handle",
                "value": "0x0000073c"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache"
              }
            ],
            "repeated": 0,
            "id": 8723
          },
          {
            "timestamp": "2026-05-28 22:01:58,131",
            "thread_id": "3700",
            "caller": "0x7ffc6a6a1a81",
            "parentcaller": "0x7ffc6a6a138a",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x0000073c"
              },
              {
                "name": "SubKey",
                "value": "Metadata"
              },
              {
                "name": "Handle",
                "value": "0x0000079c"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\Metadata"
              }
            ],
            "repeated": 0,
            "id": 8724
          },
          {
            "timestamp": "2026-05-28 22:01:58,131",
            "thread_id": "3700",
            "caller": "0x7ffc6a6a1166",
            "parentcaller": "0x7ffc756bf579",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x0000073c"
              },
              {
                "name": "SubKey",
                "value": "Package\\Index\\PackageFullName\\MicrosoftWindows.Client.CBS_1000.19053.1000.0_x64__cw5n1h2txyewy"
              },
              {
                "name": "Handle",
                "value": "0x000007a0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\Package\\Index\\PackageFullName\\MicrosoftWindows.Client.CBS_1000.19053.1000.0_x64__cw5n1h2txyewy"
              }
            ],
            "repeated": 0,
            "id": 8725
          },
          {
            "timestamp": "2026-05-28 22:01:58,131",
            "thread_id": "3700",
            "caller": "0x7ffc6a6a1732",
            "parentcaller": "0x7ffc756bf7dc",
            "category": "registry",
            "api": "RegEnumKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000007a0"
              },
              {
                "name": "Index",
                "value": "0"
              },
              {
                "name": "Name",
                "value": "22"
              },
              {
                "name": "Class",
                "value": ""
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\Package\\Index\\PackageFullName\\MicrosoftWindows.Client.CBS_1000.19053.1000.0_x64__cw5n1h2txyewy\\22"
              }
            ],
            "repeated": 0,
            "id": 8726
          },
          {
            "timestamp": "2026-05-28 22:01:58,131",
            "thread_id": "3700",
            "caller": "0x7ffc6a6a1651",
            "parentcaller": "0x7ffc756bf5fd",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000007a0"
              }
            ],
            "repeated": 0,
            "id": 8727
          },
          {
            "timestamp": "2026-05-28 22:01:58,131",
            "thread_id": "3700",
            "caller": "0x7ffc756e54eb",
            "parentcaller": "0x7ffc75725e2d",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 8728
          },
          {
            "timestamp": "2026-05-28 22:01:58,131",
            "thread_id": "3700",
            "caller": "0x7ffc756e54eb",
            "parentcaller": "0x7ffc75725e8b",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xe0\\xba\"T\\x92\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\\\x00W\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\xe9\\x03\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 8729
          },
          {
            "timestamp": "2026-05-28 22:01:58,131",
            "thread_id": "3700",
            "caller": "0x7ffc6a6a1166",
            "parentcaller": "0x7ffc756bebe9",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x0000073c"
              },
              {
                "name": "SubKey",
                "value": "User\\Index\\UserSid\\S-1-5-21-3968686040-3210279463-847977608-1001"
              },
              {
                "name": "Handle",
                "value": "0x000007a0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\User\\Index\\UserSid\\S-1-5-21-3968686040-3210279463-847977608-1001"
              }
            ],
            "repeated": 0,
            "id": 8730
          },
          {
            "timestamp": "2026-05-28 22:01:58,131",
            "thread_id": "3700",
            "caller": "0x7ffc6a6a1732",
            "parentcaller": "0x7ffc756bf7dc",
            "category": "registry",
            "api": "RegEnumKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000007a0"
              },
              {
                "name": "Index",
                "value": "0"
              },
              {
                "name": "Name",
                "value": "3"
              },
              {
                "name": "Class",
                "value": ""
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\User\\Index\\UserSid\\S-1-5-21-3968686040-3210279463-847977608-1001\\3"
              }
            ],
            "repeated": 0,
            "id": 8731
          },
          {
            "timestamp": "2026-05-28 22:01:58,131",
            "thread_id": "3700",
            "caller": "0x7ffc6a6a1651",
            "parentcaller": "0x7ffc756bec6d",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000007a0"
              }
            ],
            "repeated": 0,
            "id": 8732
          },
          {
            "timestamp": "2026-05-28 22:01:58,131",
            "thread_id": "3700",
            "caller": "0x7ffc6a6a1166",
            "parentcaller": "0x7ffc756be9b0",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x0000073c"
              },
              {
                "name": "SubKey",
                "value": "PackageExternalLocation\\Index\\UserAndPackage\\3^22"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\PackageExternalLocation\\Index\\UserAndPackage\\3^22"
              }
            ],
            "repeated": 0,
            "id": 8733
          },
          {
            "timestamp": "2026-05-28 22:01:58,131",
            "thread_id": "3700",
            "caller": "0x7ffc6a6a1166",
            "parentcaller": "0x7ffc756be9b0",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x0000073c"
              },
              {
                "name": "SubKey",
                "value": "PackageExternalLocation\\Index\\UserAndPackage\\0^22"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\PackageExternalLocation\\Index\\UserAndPackage\\0^22"
              }
            ],
            "repeated": 0,
            "id": 8734
          },
          {
            "timestamp": "2026-05-28 22:01:58,131",
            "thread_id": "3700",
            "caller": "0x7ffc6a6a1166",
            "parentcaller": "0x7ffc756bf308",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x0000073c"
              },
              {
                "name": "SubKey",
                "value": "Package\\Data\\22"
              },
              {
                "name": "Handle",
                "value": "0x000007a0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\Package\\Data\\22"
              }
            ],
            "repeated": 0,
            "id": 8735
          },
          {
            "timestamp": "2026-05-28 22:01:58,131",
            "thread_id": "3700",
            "caller": "0x7ffc6a6a15ac",
            "parentcaller": "0x7ffc6a6a14ff",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000007a0"
              },
              {
                "name": "ValueName",
                "value": "InstalledLocation"
              },
              {
                "name": "Data",
                "value": "C:\\Windows\\SystemApps\\MicrosoftWindows.Client.CBS_cw5n1h2txyewy"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\Package\\Data\\22\\InstalledLocation"
              }
            ],
            "repeated": 0,
            "id": 8736
          },
          {
            "timestamp": "2026-05-28 22:01:58,131",
            "thread_id": "3700",
            "caller": "0x7ffc6a6a15ac",
            "parentcaller": "0x7ffc6a6a14ff",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000007a0"
              },
              {
                "name": "ValueName",
                "value": "MutableLink"
              },
              {
                "name": "Data",
                "value": ""
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\Package\\Data\\22\\MutableLink"
              }
            ],
            "repeated": 0,
            "id": 8737
          },
          {
            "timestamp": "2026-05-28 22:01:58,131",
            "thread_id": "3700",
            "caller": "0x7ffc6a6a1651",
            "parentcaller": "0x7ffc756bed38",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000007a0"
              }
            ],
            "repeated": 0,
            "id": 8738
          },
          {
            "timestamp": "2026-05-28 22:01:58,131",
            "thread_id": "3700",
            "caller": "0x7ffc6a6a17f2",
            "parentcaller": "0x7ffc756be12f",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000079c"
              }
            ],
            "repeated": 0,
            "id": 8739
          },
          {
            "timestamp": "2026-05-28 22:01:58,131",
            "thread_id": "3700",
            "caller": "0x7ffc6a6a180b",
            "parentcaller": "0x7ffc756be12f",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000073c"
              }
            ],
            "repeated": 0,
            "id": 8740
          },
          {
            "timestamp": "2026-05-28 22:01:58,131",
            "thread_id": "3700",
            "caller": "0x7ffc77be92b9",
            "parentcaller": "0x7ffc77c21dfa",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "41FD88F7-F295-4D39-91AC-A85F3149A05B"
              },
              {
                "name": "ClsContext",
                "value": "0x00000403",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER|CLSCTX_NO_CODE_DOWNLOAD"
              },
              {
                "name": "riid",
                "value": "00000003-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 2,
            "id": 8741
          },
          {
            "timestamp": "2026-05-28 22:01:58,131",
            "thread_id": "3700",
            "caller": "0x7ffc756e3a9c",
            "parentcaller": "0x7ffc756e3529",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 8742
          },
          {
            "timestamp": "2026-05-28 22:01:58,131",
            "thread_id": "3700",
            "caller": "0x7ffc756e40c4",
            "parentcaller": "0x7ffc756e3f4b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000000d4"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 8743
          },
          {
            "timestamp": "2026-05-28 22:01:58,131",
            "thread_id": "3700",
            "caller": "0x7ffc756e3f76",
            "parentcaller": "0x7ffc75764fd4",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020119",
                "pretty_value": "KEY_QUERY_VALUE|KEY_ENUMERATE_SUB_KEYS|KEY_NOTIFY|KEY_WOW64_64KEY|STANDARD_RIGHTS_REQUIRED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000000d4"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateChange\\PackageList\\MicrosoftWindows.Client.CBS_1000.19053.1000.0_x64__cw5n1h2txyewy"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateChange\\PackageList\\MicrosoftWindows.Client.CBS_1000.19053.1000.0_x64__cw5n1h2txyewy"
              }
            ],
            "repeated": 0,
            "id": 8744
          },
          {
            "timestamp": "2026-05-28 22:01:58,131",
            "thread_id": "3700",
            "caller": "0x7ffc756c26e8",
            "parentcaller": "0x7ffc756c279b",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xc0\\xef\\x1f\\x9e\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00c\\x00r\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\xe9\\x03\\x00\\x00l\\x00i\\x00e\\x00n\\x00t\\x00.\\x00C\\x00B\\x00S\\x00_\\x001\\x000\\x000\\x000\\x00.\\x001\\x009\\x000\\x005\\x003\\x00"
              }
            ],
            "repeated": 0,
            "id": 8745
          },
          {
            "timestamp": "2026-05-28 22:01:58,131",
            "thread_id": "3700",
            "caller": "0x7ffc756e3a9c",
            "parentcaller": "0x7ffc756e3529",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 8746
          },
          {
            "timestamp": "2026-05-28 22:01:58,131",
            "thread_id": "3700",
            "caller": "0x7ffc756e40c4",
            "parentcaller": "0x7ffc756e3f4b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000720"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 8747
          },
          {
            "timestamp": "2026-05-28 22:01:58,131",
            "thread_id": "3700",
            "caller": "0x7ffc756e3f76",
            "parentcaller": "0x7ffc75764fd4",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000073c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000720"
              },
              {
                "name": "ObjectAttributesName",
                "value": "S-1-5-21-3968686040-3210279463-847977608-1001"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER"
              }
            ],
            "repeated": 0,
            "id": 8748
          },
          {
            "timestamp": "2026-05-28 22:01:58,131",
            "thread_id": "3700",
            "caller": "0x7ffc756e40c4",
            "parentcaller": "0x7ffc756e3f4b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000073c"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 8749
          },
          {
            "timestamp": "2026-05-28 22:01:58,131",
            "thread_id": "3700",
            "caller": "0x7ffc756e3f76",
            "parentcaller": "0x7ffc75764fd4",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000079c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020119",
                "pretty_value": "KEY_QUERY_VALUE|KEY_ENUMERATE_SUB_KEYS|KEY_NOTIFY|KEY_WOW64_64KEY|STANDARD_RIGHTS_REQUIRED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x0000073c"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\Repository\\Packages\\MicrosoftWindows.Client.CBS_1000.19053.1000.0_x64__cw5n1h2txyewy"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\Repository\\Packages\\MicrosoftWindows.Client.CBS_1000.19053.1000.0_x64__cw5n1h2txyewy"
              }
            ],
            "repeated": 0,
            "id": 8750
          },
          {
            "timestamp": "2026-05-28 22:01:58,131",
            "thread_id": "3700",
            "caller": "0x7ffc756c4086",
            "parentcaller": "0x7ffc756c27b6",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000073c"
              }
            ],
            "repeated": 0,
            "id": 8751
          },
          {
            "timestamp": "2026-05-28 22:01:58,131",
            "thread_id": "3700",
            "caller": "0x7ffc756c40c3",
            "parentcaller": "0x7ffc756c27b6",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000079c"
              },
              {
                "name": "ValueName",
                "value": "PackageStatus"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\Repository\\Packages\\MicrosoftWindows.Client.CBS_1000.19053.1000.0_x64__cw5n1h2txyewy\\PackageStatus"
              }
            ],
            "repeated": 0,
            "id": 8752
          },
          {
            "timestamp": "2026-05-28 22:01:58,131",
            "thread_id": "3700",
            "caller": "0x7ffc756c40d4",
            "parentcaller": "0x7ffc756c27b6",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000079c"
              }
            ],
            "repeated": 0,
            "id": 8753
          },
          {
            "timestamp": "2026-05-28 22:01:58,131",
            "thread_id": "3700",
            "caller": "0x7ffc77be92b9",
            "parentcaller": "0x7ffc77c21dfa",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "41FD88F7-F295-4D39-91AC-A85F3149A05B"
              },
              {
                "name": "ClsContext",
                "value": "0x00000403",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER|CLSCTX_NO_CODE_DOWNLOAD"
              },
              {
                "name": "riid",
                "value": "00000003-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 1,
            "id": 8754
          },
          {
            "timestamp": "2026-05-28 22:01:58,131",
            "thread_id": "3700",
            "caller": "0x7ffc730ad469",
            "parentcaller": "0x7ffc730ad2ee",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00000042"
              },
              {
                "name": "uiParam",
                "value": "0x00000010"
              }
            ],
            "repeated": 0,
            "id": 8755
          },
          {
            "timestamp": "2026-05-28 22:01:58,131",
            "thread_id": "3700",
            "caller": "0x7ffc77be92b9",
            "parentcaller": "0x7ffc77c21dfa",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "41FD88F7-F295-4D39-91AC-A85F3149A05B"
              },
              {
                "name": "ClsContext",
                "value": "0x00000403",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER|CLSCTX_NO_CODE_DOWNLOAD"
              },
              {
                "name": "riid",
                "value": "00000003-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 5,
            "id": 8756
          },
          {
            "timestamp": "2026-05-28 22:01:58,131",
            "thread_id": "3700",
            "caller": "0x7ffc7571ebae",
            "parentcaller": "0x7ffc775c712f",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "0",
                "pretty_value": "ThreadBasicInformation"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x03\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xf0\\x87\\x9d\\xf0\\x00\\x00\\x00\\xe8\\x1e\\x00\\x00\\x00\\x00\\x00\\x00t\\x0e\\x00\\x00\\x00\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "3700"
              }
            ],
            "repeated": 0,
            "id": 8757
          },
          {
            "timestamp": "2026-05-28 22:01:58,131",
            "thread_id": "5448",
            "caller": "0x7ff6c28c883e",
            "parentcaller": "0x7ff6c28c846b",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00000042"
              },
              {
                "name": "uiParam",
                "value": "0x00000010"
              }
            ],
            "repeated": 0,
            "id": 8758
          },
          {
            "timestamp": "2026-05-28 22:01:58,131",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c3e56",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000007a8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001000",
                "pretty_value": "PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "4452"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\SystemApps\\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\\TextInputHost.exe"
              }
            ],
            "repeated": 0,
            "id": 8759
          },
          {
            "timestamp": "2026-05-28 22:01:58,131",
            "thread_id": "5448",
            "caller": "0x7ff6c28c3ebb",
            "parentcaller": "0x7ff6c28c2d53",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000007a8"
              }
            ],
            "repeated": 0,
            "id": 8760
          },
          {
            "timestamp": "2026-05-28 22:01:58,131",
            "thread_id": "5448",
            "caller": "0x7ff6c28c978f",
            "parentcaller": "0x7ff6c28c3d99",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "DBCE7E40-7345-439D-B12C-114A11819A09"
              },
              {
                "name": "ClsContext",
                "value": "0x00000003",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER"
              },
              {
                "name": "riid",
                "value": "130A2F65-2BE7-4309-9A58-A9052FF2B61C"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 8761
          },
          {
            "timestamp": "2026-05-28 22:01:58,131",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache"
              },
              {
                "name": "Handle",
                "value": "0x000007a8"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache"
              }
            ],
            "repeated": 0,
            "id": 8762
          },
          {
            "timestamp": "2026-05-28 22:01:58,131",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x000007a8"
              },
              {
                "name": "SubKey",
                "value": "Metadata"
              },
              {
                "name": "Handle",
                "value": "0x000007a4"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\Metadata"
              }
            ],
            "repeated": 0,
            "id": 8763
          },
          {
            "timestamp": "2026-05-28 22:01:58,131",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x000007a8"
              },
              {
                "name": "SubKey",
                "value": "Package\\Index\\PackageFullName\\MicrosoftWindows.Client.CBS_1000.19053.1000.0_x64__cw5n1h2txyewy"
              },
              {
                "name": "Handle",
                "value": "0x000007ac"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\Package\\Index\\PackageFullName\\MicrosoftWindows.Client.CBS_1000.19053.1000.0_x64__cw5n1h2txyewy"
              }
            ],
            "repeated": 0,
            "id": 8764
          },
          {
            "timestamp": "2026-05-28 22:01:58,131",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "registry",
            "api": "RegEnumKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000007ac"
              },
              {
                "name": "Index",
                "value": "0"
              },
              {
                "name": "Name",
                "value": "22"
              },
              {
                "name": "Class",
                "value": ""
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\Package\\Index\\PackageFullName\\MicrosoftWindows.Client.CBS_1000.19053.1000.0_x64__cw5n1h2txyewy\\22"
              }
            ],
            "repeated": 0,
            "id": 8765
          },
          {
            "timestamp": "2026-05-28 22:01:58,131",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000007ac"
              }
            ],
            "repeated": 0,
            "id": 8766
          },
          {
            "timestamp": "2026-05-28 22:01:58,131",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x000007a8"
              },
              {
                "name": "SubKey",
                "value": "Package\\Data\\22"
              },
              {
                "name": "Handle",
                "value": "0x000007ac"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\Package\\Data\\22"
              }
            ],
            "repeated": 0,
            "id": 8767
          },
          {
            "timestamp": "2026-05-28 22:01:58,131",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000007ac"
              },
              {
                "name": "ValueName",
                "value": "PackageOrigin"
              },
              {
                "name": "Data",
                "value": "2"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\Package\\Data\\22\\PackageOrigin"
              }
            ],
            "repeated": 0,
            "id": 8768
          },
          {
            "timestamp": "2026-05-28 22:01:58,131",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000007ac"
              }
            ],
            "repeated": 0,
            "id": 8769
          },
          {
            "timestamp": "2026-05-28 22:01:58,131",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000007a4"
              }
            ],
            "repeated": 0,
            "id": 8770
          },
          {
            "timestamp": "2026-05-28 22:01:58,131",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000007a8"
              }
            ],
            "repeated": 1,
            "id": 8771
          },
          {
            "timestamp": "2026-05-28 22:01:58,131",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000007a4"
              }
            ],
            "repeated": 0,
            "id": 8772
          },
          {
            "timestamp": "2026-05-28 22:01:58,131",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache"
              },
              {
                "name": "Handle",
                "value": "0x000007a4"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache"
              }
            ],
            "repeated": 0,
            "id": 8773
          },
          {
            "timestamp": "2026-05-28 22:01:58,131",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x000007a4"
              },
              {
                "name": "SubKey",
                "value": "Metadata"
              },
              {
                "name": "Handle",
                "value": "0x000007a8"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\Metadata"
              }
            ],
            "repeated": 0,
            "id": 8774
          },
          {
            "timestamp": "2026-05-28 22:01:58,131",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x000007a4"
              },
              {
                "name": "SubKey",
                "value": "Package\\Index\\PackageFullName\\MicrosoftWindows.Client.CBS_1000.19053.1000.0_x64__cw5n1h2txyewy"
              },
              {
                "name": "Handle",
                "value": "0x000007ac"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\Package\\Index\\PackageFullName\\MicrosoftWindows.Client.CBS_1000.19053.1000.0_x64__cw5n1h2txyewy"
              }
            ],
            "repeated": 0,
            "id": 8775
          },
          {
            "timestamp": "2026-05-28 22:01:58,131",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "registry",
            "api": "RegEnumKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000007ac"
              },
              {
                "name": "Index",
                "value": "0"
              },
              {
                "name": "Name",
                "value": "22"
              },
              {
                "name": "Class",
                "value": ""
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\Package\\Index\\PackageFullName\\MicrosoftWindows.Client.CBS_1000.19053.1000.0_x64__cw5n1h2txyewy\\22"
              }
            ],
            "repeated": 0,
            "id": 8776
          },
          {
            "timestamp": "2026-05-28 22:01:58,131",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000007ac"
              }
            ],
            "repeated": 0,
            "id": 8777
          },
          {
            "timestamp": "2026-05-28 22:01:58,131",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 8778
          },
          {
            "timestamp": "2026-05-28 22:01:58,131",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xa0\\xb3\"T\\x92\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x92\\x02\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\xe9\\x03\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 8779
          },
          {
            "timestamp": "2026-05-28 22:01:58,131",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x000007a4"
              },
              {
                "name": "SubKey",
                "value": "User\\Index\\UserSid\\S-1-5-21-3968686040-3210279463-847977608-1001"
              },
              {
                "name": "Handle",
                "value": "0x000007ac"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\User\\Index\\UserSid\\S-1-5-21-3968686040-3210279463-847977608-1001"
              }
            ],
            "repeated": 0,
            "id": 8780
          },
          {
            "timestamp": "2026-05-28 22:01:58,131",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "registry",
            "api": "RegEnumKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000007ac"
              },
              {
                "name": "Index",
                "value": "0"
              },
              {
                "name": "Name",
                "value": "3"
              },
              {
                "name": "Class",
                "value": ""
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\User\\Index\\UserSid\\S-1-5-21-3968686040-3210279463-847977608-1001\\3"
              }
            ],
            "repeated": 0,
            "id": 8781
          },
          {
            "timestamp": "2026-05-28 22:01:58,131",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000007ac"
              }
            ],
            "repeated": 0,
            "id": 8782
          },
          {
            "timestamp": "2026-05-28 22:01:58,131",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x000007a4"
              },
              {
                "name": "SubKey",
                "value": "PackageExternalLocation\\Index\\UserAndPackage\\3^22"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\PackageExternalLocation\\Index\\UserAndPackage\\3^22"
              }
            ],
            "repeated": 0,
            "id": 8783
          },
          {
            "timestamp": "2026-05-28 22:01:58,131",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x000007a4"
              },
              {
                "name": "SubKey",
                "value": "PackageExternalLocation\\Index\\UserAndPackage\\0^22"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\PackageExternalLocation\\Index\\UserAndPackage\\0^22"
              }
            ],
            "repeated": 0,
            "id": 8784
          },
          {
            "timestamp": "2026-05-28 22:01:58,131",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x000007a4"
              },
              {
                "name": "SubKey",
                "value": "Package\\Data\\22"
              },
              {
                "name": "Handle",
                "value": "0x000007ac"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\Package\\Data\\22"
              }
            ],
            "repeated": 0,
            "id": 8785
          },
          {
            "timestamp": "2026-05-28 22:01:58,131",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000007ac"
              },
              {
                "name": "ValueName",
                "value": "InstalledLocation"
              },
              {
                "name": "Data",
                "value": "C:\\Windows\\SystemApps\\MicrosoftWindows.Client.CBS_cw5n1h2txyewy"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\Package\\Data\\22\\InstalledLocation"
              }
            ],
            "repeated": 0,
            "id": 8786
          },
          {
            "timestamp": "2026-05-28 22:01:58,131",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000007ac"
              },
              {
                "name": "ValueName",
                "value": "MutableLink"
              },
              {
                "name": "Data",
                "value": ""
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\Package\\Data\\22\\MutableLink"
              }
            ],
            "repeated": 0,
            "id": 8787
          },
          {
            "timestamp": "2026-05-28 22:01:58,131",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000007ac"
              }
            ],
            "repeated": 0,
            "id": 8788
          },
          {
            "timestamp": "2026-05-28 22:01:58,131",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000007a8"
              }
            ],
            "repeated": 0,
            "id": 8789
          },
          {
            "timestamp": "2026-05-28 22:01:58,131",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000007a4"
              }
            ],
            "repeated": 0,
            "id": 8790
          },
          {
            "timestamp": "2026-05-28 22:01:58,131",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache"
              },
              {
                "name": "Handle",
                "value": "0x000007a4"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache"
              }
            ],
            "repeated": 0,
            "id": 8791
          },
          {
            "timestamp": "2026-05-28 22:01:58,131",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x000007a4"
              },
              {
                "name": "SubKey",
                "value": "Metadata"
              },
              {
                "name": "Handle",
                "value": "0x000007a8"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\Metadata"
              }
            ],
            "repeated": 0,
            "id": 8792
          },
          {
            "timestamp": "2026-05-28 22:01:58,131",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x000007a4"
              },
              {
                "name": "SubKey",
                "value": "Package\\Index\\PackageFullName\\MicrosoftWindows.Client.CBS_1000.19053.1000.0_x64__cw5n1h2txyewy"
              },
              {
                "name": "Handle",
                "value": "0x000007ac"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\Package\\Index\\PackageFullName\\MicrosoftWindows.Client.CBS_1000.19053.1000.0_x64__cw5n1h2txyewy"
              }
            ],
            "repeated": 0,
            "id": 8793
          },
          {
            "timestamp": "2026-05-28 22:01:58,131",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "registry",
            "api": "RegEnumKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000007ac"
              },
              {
                "name": "Index",
                "value": "0"
              },
              {
                "name": "Name",
                "value": "22"
              },
              {
                "name": "Class",
                "value": ""
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\Package\\Index\\PackageFullName\\MicrosoftWindows.Client.CBS_1000.19053.1000.0_x64__cw5n1h2txyewy\\22"
              }
            ],
            "repeated": 0,
            "id": 8794
          },
          {
            "timestamp": "2026-05-28 22:01:58,131",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000007ac"
              }
            ],
            "repeated": 0,
            "id": 8795
          },
          {
            "timestamp": "2026-05-28 22:01:58,131",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x000007a4"
              },
              {
                "name": "SubKey",
                "value": "Package\\Data\\22"
              },
              {
                "name": "Handle",
                "value": "0x000007ac"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\Package\\Data\\22"
              }
            ],
            "repeated": 0,
            "id": 8796
          },
          {
            "timestamp": "2026-05-28 22:01:58,131",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000007ac"
              },
              {
                "name": "ValueName",
                "value": "Flags"
              },
              {
                "name": "Data",
                "value": "8913992"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\Package\\Data\\22\\Flags"
              }
            ],
            "repeated": 0,
            "id": 8797
          },
          {
            "timestamp": "2026-05-28 22:01:58,131",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000007ac"
              },
              {
                "name": "ValueName",
                "value": "InstalledLocation"
              },
              {
                "name": "Data",
                "value": "C:\\Windows\\SystemApps\\MicrosoftWindows.Client.CBS_cw5n1h2txyewy"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\Package\\Data\\22\\InstalledLocation"
              }
            ],
            "repeated": 0,
            "id": 8798
          },
          {
            "timestamp": "2026-05-28 22:01:58,131",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000007ac"
              }
            ],
            "repeated": 0,
            "id": 8799
          },
          {
            "timestamp": "2026-05-28 22:01:58,131",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000007a8"
              }
            ],
            "repeated": 0,
            "id": 8800
          },
          {
            "timestamp": "2026-05-28 22:01:58,131",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000007a4"
              }
            ],
            "repeated": 0,
            "id": 8801
          },
          {
            "timestamp": "2026-05-28 22:01:58,131",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": " \\xd9\\xdf\\x9d\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\xe9\\x03\\x00\\x00\\xf0\\x00\\x00\\x00\\xf05\\x1ej\\xfc\\x7f\\x00\\x00\\x86\\xdequ\\xfc\\x7f\\x00\\x00\t\\x00\\x00\\x00K\\xb4\\x00\\x00\\x00\\x00\\x00\\x00\\xf0\\x00\\x00\\x00p\\xd9\\xdf\\x9d\\xf0\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 8802
          },
          {
            "timestamp": "2026-05-28 22:01:58,131",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000007a4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3968686040-3210279463-847977608-1001"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER"
              }
            ],
            "repeated": 0,
            "id": 8803
          },
          {
            "timestamp": "2026-05-28 22:01:58,131",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x000007a4"
              },
              {
                "name": "SubKey",
                "value": "Software\\Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppContainer\\Storage\\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\\ResourcesConfig"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppContainer\\Storage\\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\\ResourcesConfig"
              }
            ],
            "repeated": 0,
            "id": 8804
          },
          {
            "timestamp": "2026-05-28 22:01:58,131",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000007a4"
              }
            ],
            "repeated": 0,
            "id": 8805
          },
          {
            "timestamp": "2026-05-28 22:01:58,131",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x000007a4"
              }
            ],
            "repeated": 0,
            "id": 8806
          },
          {
            "timestamp": "2026-05-28 22:01:58,131",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "39"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 8807
          },
          {
            "timestamp": "2026-05-28 22:01:58,131",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "39"
              },
              {
                "name": "TokenInformation",
                "value": "\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\xb0\\xea\"T\\x92\\x02\\x00\\x00 \\x00 \\x00\\x00\\x00\\x00\\x00\\xd8\\xea\"T\\x92\\x02\\x00\\x00\\x02\\x00\\x00\\x00A\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xf8\\xea\"T\\x92\\x02\\x00\\x00T\\x00S\\x00A\\x00:\\x00/\\x00/\\x00P\\x00r\\x00o\\x00c\\x00U\\x00n\\x00i\\x00q\\x00u\\x00e\\x00\\x88\\x00\\x00\\x00\\x00\\x00\\x00\\x00k\\xc4\t\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 8808
          },
          {
            "timestamp": "2026-05-28 22:01:58,131",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000007a4"
              }
            ],
            "repeated": 0,
            "id": 8809
          },
          {
            "timestamp": "2026-05-28 22:01:58,131",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 8810
          },
          {
            "timestamp": "2026-05-28 22:01:58,131",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000000d4"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 8811
          },
          {
            "timestamp": "2026-05-28 22:01:58,131",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000000d4"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Mrt\\_Merged"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Mrt\\_Merged"
              }
            ],
            "repeated": 0,
            "id": 8812
          },
          {
            "timestamp": "2026-05-28 22:01:58,131",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "filesystem",
            "api": "NtQueryFullAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\SystemApps\\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\\resources.pri"
              }
            ],
            "repeated": 0,
            "id": 8813
          },
          {
            "timestamp": "2026-05-28 22:01:58,131",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000007a4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\SystemApps\\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\\resources.pri"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 8814
          },
          {
            "timestamp": "2026-05-28 22:01:58,131",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000007a4"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\SystemApps\\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\\resources.pri"
              },
              {
                "name": "FileInformationClass",
                "value": "5",
                "pretty_value": "FileStandardInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\x00 *\\x00\\x00\\x00\\x00\\x00\\xb0\\x1f*\\x00\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 8815
          },
          {
            "timestamp": "2026-05-28 22:01:58,131",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x000007a8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x000007a4"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\SystemApps\\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\\resources.pri"
              }
            ],
            "repeated": 0,
            "id": 8816
          },
          {
            "timestamp": "2026-05-28 22:01:58,131",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x000007a8"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x292546c0000"
              },
              {
                "name": "SectionOffset",
                "value": "0xf09ddfd6c0"
              },
              {
                "name": "ViewSize",
                "value": "0x002a2000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 8817
          },
          {
            "timestamp": "2026-05-28 22:01:58,131",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000007a8"
              }
            ],
            "repeated": 0,
            "id": 8818
          },
          {
            "timestamp": "2026-05-28 22:01:58,131",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000007a4"
              }
            ],
            "repeated": 0,
            "id": 8819
          },
          {
            "timestamp": "2026-05-28 22:01:58,131",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2925424c000"
              },
              {
                "name": "RegionSize",
                "value": "0x00002000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 8820
          },
          {
            "timestamp": "2026-05-28 22:01:58,131",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2925424e000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 8821
          },
          {
            "timestamp": "2026-05-28 22:01:58,131",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2925424f000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 8822
          },
          {
            "timestamp": "2026-05-28 22:01:58,131",
            "thread_id": "5448",
            "caller": "0x7ff6c28dcbb5",
            "parentcaller": "0x7ff6c28c996f",
            "category": "process",
            "api": "NtUnmapViewOfSectionEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x292546c0000"
              },
              {
                "name": "RegionSize",
                "value": "0x002a2000"
              },
              {
                "name": "Flags",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 8823
          },
          {
            "timestamp": "2026-05-28 22:01:58,131",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c38f8",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000007a4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001410",
                "pretty_value": "PROCESS_VM_READ|PROCESS_QUERY_INFORMATION|PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "4452"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\SystemApps\\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\\TextInputHost.exe"
              }
            ],
            "repeated": 0,
            "id": 8824
          },
          {
            "timestamp": "2026-05-28 22:01:58,131",
            "thread_id": "5448",
            "caller": "0x7ff6c28c53e5",
            "parentcaller": "0x7ff6c28c3945",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000007a4"
              },
              {
                "name": "BaseAddress",
                "value": "0xff7a87c000"
              },
              {
                "name": "Size",
                "value": "0x000007c8"
              },
              {
                "name": "Buffer",
                "value": "\\x00\\x00\\x004\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\x87\\x8c\\xf7\\x7f\\x00\\x00\\xc0\\xc4\\x13x\\xfc\\x7f\\x00\\x00\\x104\\x00\\x87\\xd4\\x02\\x00\\x00\\xd0\\xb1\\x0fp\\xfc\\x7f\\x00\\x00\\x00\\x00\\xe6\\x86\\xd4\\x02\\x00\\x00\\xe0\\xc0\\x13x\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00p\\x003v\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xe1\\x86\\xd4\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00@\\xc4\\x13x\\xfc\\x7f\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x00\\x00\\x8e\\x9c\\xf4}\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00P\\x07\\x8e\\x9c\\xf4}\\x00\\x00\\x00\\x00\\xa2\\x9e\\xf5}\\x00\\x00(\\x02\\xa3\\x9e\\xf5}\\x00\\x00P\\x06\\xa4\\x9e\\xf5}\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x80\\x9b\\x07m\\xe8\\xff\\xff\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x00 \\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\x07\\x00\\x00\\x00\\x10\\x00\\x00\\x00@\\xad\\x13x\\xfc\\x7f\\x00\\x00\\x00\\x00@\\x87\\xd4\\x02\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 8825
          },
          {
            "timestamp": "2026-05-28 22:01:58,131",
            "thread_id": "5448",
            "caller": "0x7ff6c28c5414",
            "parentcaller": "0x7ff6c28c3945",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000007a4"
              },
              {
                "name": "BaseAddress",
                "value": "0x2d487003410"
              },
              {
                "name": "Size",
                "value": "0x00000440"
              },
              {
                "name": "Buffer",
                "value": ">\t\\x00\\x00>\t\\x00\\x00\\x01@\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x80\\x00\\x08\\x02\\x00\\x00\\x00\\x00\\x80A\\x00\\x87\\xd4\\x02\\x00\\x00@\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x80\\x00\\x82\\x00\\x00\\x00\\x00\\x00X:\\x00\\x87\\xd4\\x02\\x00\\x00\\xa2\\x00\\xa4\\x00\\x00\\x00\\x00\\x00\\xda:\\x00\\x87\\xd4\\x02\\x00\\x00\"\\x01$\\x01\\x00\\x00\\x00\\x00~;\\x00\\x87\\xd4\\x02\\x00\\x00\\xf0'\\x00\\x87\\xd4\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x80\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xa6\\x00\\xa8\\x00\\x00\\x00\\x00\\x00\\xa2<\\x00\\x87\\xd4\\x02\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00J=\\x00\\x87\\xd4\\x02\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00L=\\x00\\x87\\xd4\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 8826
          },
          {
            "timestamp": "2026-05-28 22:01:58,131",
            "thread_id": "5448",
            "caller": "0x7ff6c28c545d",
            "parentcaller": "0x7ff6c28c3945",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000007a4"
              },
              {
                "name": "BaseAddress",
                "value": "0x2d487003b7e"
              },
              {
                "name": "Size",
                "value": "0x00000122"
              },
              {
                "name": "Buffer",
                "value": "\"\\x00C\\x00:\\x00\\\\x00W\\x00i\\x00n\\x00d\\x00o\\x00w\\x00s\\x00\\\\x00S\\x00y\\x00s\\x00t\\x00e\\x00m\\x00A\\x00p\\x00p\\x00s\\x00\\\\x00M\\x00i\\x00c\\x00r\\x00o\\x00s\\x00o\\x00f\\x00t\\x00W\\x00i\\x00n\\x00d\\x00o\\x00w\\x00s\\x00.\\x00C\\x00l\\x00i\\x00e\\x00n\\x00t\\x00.\\x00C\\x00B\\x00S\\x00_\\x00c\\x00w\\x005\\x00n\\x001\\x00h\\x002\\x00t\\x00x\\x00y\\x00e\\x00w\\x00y\\x00\\\\x00T\\x00e\\x00x\\x00t\\x00I\\x00n\\x00p\\x00u\\x00t\\x00H\\x00o\\x00s\\x00t\\x00.\\x00e\\x00x\\x00e\\x00\"\\x00 \\x00-\\x00S\\x00e\\x00r\\x00v\\x00e\\x00r\\x00N\\x00a\\x00m\\x00e\\x00:\\x00I\\x00n\\x00p\\x00u\\x00t\\x00A\\x00p\\x00p\\x00.\\x00A\\x00p\\x00p\\x00X\\x00j\\x00d\\x005\\x00d\\x00e\\x001\\x00g\\x006\\x006\\x00v\\x002\\x000\\x006\\x00t\\x00j\\x005\\x002\\x00m\\x009\\x00"
              }
            ],
            "repeated": 0,
            "id": 8827
          },
          {
            "timestamp": "2026-05-28 22:01:58,131",
            "thread_id": "5448",
            "caller": "0x7ff6c28c39ad",
            "parentcaller": "0x7ff6c28c31bb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000007a4"
              }
            ],
            "repeated": 0,
            "id": 8828
          },
          {
            "timestamp": "2026-05-28 22:01:58,131",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c3746",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000007a4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001000",
                "pretty_value": "PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "4452"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\SystemApps\\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\\TextInputHost.exe"
              }
            ],
            "repeated": 0,
            "id": 8829
          },
          {
            "timestamp": "2026-05-28 22:01:58,131",
            "thread_id": "5448",
            "caller": "0x7ff6c28c472e",
            "parentcaller": "0x7ff6c28c375e",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000007a4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x000007a8"
              }
            ],
            "repeated": 0,
            "id": 8830
          },
          {
            "timestamp": "2026-05-28 22:01:58,131",
            "thread_id": "5448",
            "caller": "0x7ff6c28c4764",
            "parentcaller": "0x7ff6c28c375e",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "39"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 8831
          },
          {
            "timestamp": "2026-05-28 22:01:58,131",
            "thread_id": "5448",
            "caller": "0x7ff6c28c47ed",
            "parentcaller": "0x7ff6c28c375e",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "39"
              },
              {
                "name": "TokenInformation",
                "value": "\\x01\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\xc0\\xb0$T\\x92\\x02\\x00\\x00\\x1c\\x00\\x1c\\x00\\x00\\x00\\x00\\x00`\\xb1$T\\x92\\x02\\x00\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x80\\xb1$T\\x92\\x02\\x00\\x00\\x12\\x00\\x12\\x00\\x00\\x00\\x00\\x00\\x92\\xb2$T\\x92\\x02\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xa8\\xb2$T\\x92\\x02\\x00\\x00\\x1e\\x00\\x1e\\x00\\x00\\x00\\x00\\x00\\xb0\\xb2$T\\x92\\x02\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xd0\\xb2$T\\x92\\x02\\x00\\x00 \\x00 \\x00\\x00\\x00\\x00\\x00\\xd8\\xb2$T\\x92\\x02\\x00\\x00\\x02\\x00\\x00\\x00A\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xf8\\xb2$T\\x92\\x02\\x00\\x00W\\x00I\\x00N\\x00:\\x00/\\x00/\\x00S\\x00Y\\x00S\\x00A\\x00P\\x00P\\x00I\\x00D\\x00\\x00\\x00\\x00\\x00\\x80\\x00\\x80\\x00\\x00\\x00\\x00\\x00\\xb0\\xb1$T\\x92\\x02\\x00\\x00\\x10\\x00\\x10\\x00\\x00\\x00\\x00\\x000\\xb2$T\\x92\\x02\\x00\\x00R\\x00R\\x00\\x00\\x00\\x00\\x00@\\xb2$T\\x92\\x02\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 8832
          },
          {
            "timestamp": "2026-05-28 22:01:58,131",
            "thread_id": "5448",
            "caller": "0x7ff6c28c488d",
            "parentcaller": "0x7ff6c28c375e",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000007a8"
              }
            ],
            "repeated": 0,
            "id": 8833
          },
          {
            "timestamp": "2026-05-28 22:01:58,131",
            "thread_id": "5448",
            "caller": "0x7ff6c28c3779",
            "parentcaller": "0x7ff6c28c31c6",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000007a4"
              }
            ],
            "repeated": 0,
            "id": 8834
          },
          {
            "timestamp": "2026-05-28 22:01:58,131",
            "thread_id": "5448",
            "caller": "0x7ff6c28c05ac",
            "parentcaller": "0x7ff6c28bdc11",
            "category": "process",
            "api": "NtOpenProcess",
            "status": false,
            "return": "0xffffffffc000000b",
            "pretty_return": "INVALID_CID",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x2924e26cd50"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001400",
                "pretty_value": "PROCESS_QUERY_INFORMATION|PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "5212"
              }
            ],
            "repeated": 0,
            "id": 8835
          },
          {
            "timestamp": "2026-05-28 22:01:58,131",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c3e56",
            "category": "process",
            "api": "NtOpenProcess",
            "status": false,
            "return": "0xffffffffc000000b",
            "pretty_return": "INVALID_CID",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001000",
                "pretty_value": "PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "5212"
              }
            ],
            "repeated": 0,
            "id": 8836
          },
          {
            "timestamp": "2026-05-28 22:01:58,131",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c3ffc",
            "category": "process",
            "api": "NtOpenProcess",
            "status": false,
            "return": "0xffffffffc000000b",
            "pretty_return": "INVALID_CID",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001000",
                "pretty_value": "PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "5212"
              }
            ],
            "repeated": 0,
            "id": 8837
          },
          {
            "timestamp": "2026-05-28 22:01:58,131",
            "thread_id": "5448",
            "caller": "0x7ff6c291c755",
            "parentcaller": "0x7ff6c28edda1",
            "category": "misc",
            "api": "NtQuerySystemInformation",
            "status": false,
            "return": "0xffffffffc000000b",
            "pretty_return": "INVALID_CID",
            "arguments": [
              {
                "name": "SystemInformationClass",
                "value": "88"
              }
            ],
            "repeated": 0,
            "id": 8838
          },
          {
            "timestamp": "2026-05-28 22:01:58,131",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x292546c0002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "net1.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 8839
          },
          {
            "timestamp": "2026-05-28 22:01:58,131",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x292546c0000"
              },
              {
                "name": "RegionSize",
                "value": "0x0003e000"
              }
            ],
            "repeated": 0,
            "id": 8840
          },
          {
            "timestamp": "2026-05-28 22:01:58,131",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x292546c0002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "net1.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 8841
          },
          {
            "timestamp": "2026-05-28 22:01:58,131",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x292546c0000"
              },
              {
                "name": "RegionSize",
                "value": "0x0003e000"
              }
            ],
            "repeated": 0,
            "id": 8842
          },
          {
            "timestamp": "2026-05-28 22:01:58,131",
            "thread_id": "5448",
            "caller": "0x7ff6c28c3b16",
            "parentcaller": "0x7ff6c28c30e8",
            "category": "process",
            "api": "NtOpenProcess",
            "status": false,
            "return": "0xffffffffc000000b",
            "pretty_return": "INVALID_CID",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x7ffc77342cd8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000400",
                "pretty_value": "PROCESS_QUERY_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "5212"
              }
            ],
            "repeated": 0,
            "id": 8843
          },
          {
            "timestamp": "2026-05-28 22:01:58,131",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c38f8",
            "category": "process",
            "api": "NtOpenProcess",
            "status": false,
            "return": "0xffffffffc000000b",
            "pretty_return": "INVALID_CID",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x7ffc756dad9e"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001410",
                "pretty_value": "PROCESS_VM_READ|PROCESS_QUERY_INFORMATION|PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "5212"
              }
            ],
            "repeated": 0,
            "id": 8844
          },
          {
            "timestamp": "2026-05-28 22:01:58,131",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c3746",
            "category": "process",
            "api": "NtOpenProcess",
            "status": false,
            "return": "0xffffffffc000000b",
            "pretty_return": "INVALID_CID",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xf09ddfe128"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001000",
                "pretty_value": "PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "5212"
              }
            ],
            "repeated": 0,
            "id": 8845
          },
          {
            "timestamp": "2026-05-28 22:01:58,131",
            "thread_id": "1276",
            "caller": "0x7ff6c28d9214",
            "parentcaller": "0x00000000",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "0",
                "pretty_value": "ThreadBasicInformation"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x03\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xd0\\x87\\x9d\\xf0\\x00\\x00\\x00\\xe8\\x1e\\x00\\x00\\x00\\x00\\x00\\x00\\xfc\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x0b\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "1276"
              }
            ],
            "repeated": 0,
            "id": 8846
          },
          {
            "timestamp": "2026-05-28 22:01:58,131",
            "thread_id": "1276",
            "caller": "0x7ff6c28d92d8",
            "parentcaller": "0x00000000",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254250000"
              },
              {
                "name": "RegionSize",
                "value": "0x00005000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 8847
          },
          {
            "timestamp": "2026-05-28 22:01:58,131",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000000",
                "pretty_value": "HKEY_CLASSES_ROOT"
              },
              {
                "name": "SubKey",
                "value": "CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_CLASSES_ROOT\\CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              }
            ],
            "repeated": 0,
            "id": 8848
          },
          {
            "timestamp": "2026-05-28 22:01:58,131",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "shell32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76730000"
              }
            ],
            "repeated": 0,
            "id": 8849
          },
          {
            "timestamp": "2026-05-28 22:01:58,131",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x7ffc76730000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "shell32.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 8850
          },
          {
            "timestamp": "2026-05-28 22:01:58,131",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "SHELL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc76730000"
              },
              {
                "name": "FunctionName",
                "value": "DllGetClassObject"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc767878f0"
              }
            ],
            "repeated": 0,
            "id": 8851
          },
          {
            "timestamp": "2026-05-28 22:01:58,131",
            "thread_id": "1276",
            "caller": "0x7ff6c28c27c9",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76e56000"
              },
              {
                "name": "ModuleName",
                "value": "SHELL32.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 8852
          },
          {
            "timestamp": "2026-05-28 22:01:58,131",
            "thread_id": "1276",
            "caller": "0x7ff6c28c27c9",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76e56000"
              },
              {
                "name": "ModuleName",
                "value": "SHELL32.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 8853
          },
          {
            "timestamp": "2026-05-28 22:01:58,131",
            "thread_id": "1276",
            "caller": "0x7ff6c28c27c9",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "synchronization",
            "api": "NtFindAtom",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "AtomName",
                "value": "{57086C23-86C6-478F-AFB2-236188C8F47F} 3"
              },
              {
                "name": "Atom",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 8854
          },
          {
            "timestamp": "2026-05-28 22:01:58,131",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000000",
                "pretty_value": "HKEY_CLASSES_ROOT"
              },
              {
                "name": "SubKey",
                "value": "CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_CLASSES_ROOT\\CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              }
            ],
            "repeated": 0,
            "id": 8855
          },
          {
            "timestamp": "2026-05-28 22:01:58,131",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "shell32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76730000"
              }
            ],
            "repeated": 0,
            "id": 8856
          },
          {
            "timestamp": "2026-05-28 22:01:58,131",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x7ffc76730000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "shell32.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 8857
          },
          {
            "timestamp": "2026-05-28 22:01:58,131",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "SHELL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc76730000"
              },
              {
                "name": "FunctionName",
                "value": "DllGetClassObject"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc767878f0"
              }
            ],
            "repeated": 0,
            "id": 8858
          },
          {
            "timestamp": "2026-05-28 22:01:58,131",
            "thread_id": "1276",
            "caller": "0x7ff6c28c27c9",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "synchronization",
            "api": "NtFindAtom",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "AtomName",
                "value": "{57086C23-86C6-478F-AFB2-236188C8F47F} 3"
              },
              {
                "name": "Atom",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 8859
          },
          {
            "timestamp": "2026-05-28 22:01:58,131",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000000",
                "pretty_value": "HKEY_CLASSES_ROOT"
              },
              {
                "name": "SubKey",
                "value": "CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_CLASSES_ROOT\\CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              }
            ],
            "repeated": 0,
            "id": 8860
          },
          {
            "timestamp": "2026-05-28 22:01:58,131",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "shell32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76730000"
              }
            ],
            "repeated": 0,
            "id": 8861
          },
          {
            "timestamp": "2026-05-28 22:01:58,131",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x7ffc76730000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "shell32.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 8862
          },
          {
            "timestamp": "2026-05-28 22:01:58,131",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "SHELL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc76730000"
              },
              {
                "name": "FunctionName",
                "value": "DllGetClassObject"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc767878f0"
              }
            ],
            "repeated": 0,
            "id": 8863
          },
          {
            "timestamp": "2026-05-28 22:01:58,146",
            "thread_id": "1276",
            "caller": "0x7ff6c28c27c9",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "synchronization",
            "api": "NtFindAtom",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "AtomName",
                "value": "{57086C23-86C6-478F-AFB2-236188C8F47F} 3"
              },
              {
                "name": "Atom",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 8864
          },
          {
            "timestamp": "2026-05-28 22:01:58,146",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000000",
                "pretty_value": "HKEY_CLASSES_ROOT"
              },
              {
                "name": "SubKey",
                "value": "CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_CLASSES_ROOT\\CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              }
            ],
            "repeated": 0,
            "id": 8865
          },
          {
            "timestamp": "2026-05-28 22:01:58,146",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "shell32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76730000"
              }
            ],
            "repeated": 0,
            "id": 8866
          },
          {
            "timestamp": "2026-05-28 22:01:58,146",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x7ffc76730000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "shell32.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 8867
          },
          {
            "timestamp": "2026-05-28 22:01:58,146",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "SHELL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc76730000"
              },
              {
                "name": "FunctionName",
                "value": "DllGetClassObject"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc767878f0"
              }
            ],
            "repeated": 0,
            "id": 8868
          },
          {
            "timestamp": "2026-05-28 22:01:58,146",
            "thread_id": "1276",
            "caller": "0x7ff6c28c27c9",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "synchronization",
            "api": "NtFindAtom",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "AtomName",
                "value": "{57086C23-86C6-478F-AFB2-236188C8F47F} 3"
              },
              {
                "name": "Atom",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 8869
          },
          {
            "timestamp": "2026-05-28 22:01:58,146",
            "thread_id": "1276",
            "caller": "0x7ff6c28d9322",
            "parentcaller": "0x00000000",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc729df000"
              },
              {
                "name": "ModuleName",
                "value": "propsys.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 8870
          },
          {
            "timestamp": "2026-05-28 22:01:58,146",
            "thread_id": "1276",
            "caller": "0x7ff6c28d9322",
            "parentcaller": "0x00000000",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc729df000"
              },
              {
                "name": "ModuleName",
                "value": "propsys.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 8871
          },
          {
            "timestamp": "2026-05-28 22:01:58,146",
            "thread_id": "1276",
            "caller": "0x7ff6c28d9322",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "oleaut32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc77330000"
              }
            ],
            "repeated": 0,
            "id": 8872
          },
          {
            "timestamp": "2026-05-28 22:01:58,146",
            "thread_id": "1276",
            "caller": "0x7ff6c28d9322",
            "parentcaller": "0x00000000",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc77ea1000"
              },
              {
                "name": "ModuleName",
                "value": "combase.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 8873
          },
          {
            "timestamp": "2026-05-28 22:01:58,146",
            "thread_id": "1276",
            "caller": "0x7ff6c28d9322",
            "parentcaller": "0x00000000",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc77ea1000"
              },
              {
                "name": "ModuleName",
                "value": "combase.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 8874
          },
          {
            "timestamp": "2026-05-28 22:01:58,146",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c3ffc",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x0000079c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001000",
                "pretty_value": "PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "5956"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\SystemApps\\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\\TextInputHost.exe"
              }
            ],
            "repeated": 0,
            "id": 8875
          },
          {
            "timestamp": "2026-05-28 22:01:58,146",
            "thread_id": "5448",
            "caller": "0x7ff6c28c4224",
            "parentcaller": "0x7ff6c28c1397",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000079c"
              }
            ],
            "repeated": 0,
            "id": 8876
          },
          {
            "timestamp": "2026-05-28 22:01:58,146",
            "thread_id": "5448",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c28c9a14",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x292546c0002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\System32\\RuntimeBroker.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 8877
          },
          {
            "timestamp": "2026-05-28 22:01:58,146",
            "thread_id": "5448",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c28c9a14",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x292546c0000"
              },
              {
                "name": "RegionSize",
                "value": "0x0001c000"
              }
            ],
            "repeated": 0,
            "id": 8878
          },
          {
            "timestamp": "2026-05-28 22:01:58,146",
            "thread_id": "5448",
            "caller": "0x7ff6c28c9b37",
            "parentcaller": "0x7ff6c28c9a14",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x292546c0002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\System32\\RuntimeBroker.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 8879
          },
          {
            "timestamp": "2026-05-28 22:01:58,146",
            "thread_id": "5448",
            "caller": "0x7ff6c28c9b37",
            "parentcaller": "0x7ff6c28c9a14",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x292546c0000"
              },
              {
                "name": "RegionSize",
                "value": "0x0001c000"
              }
            ],
            "repeated": 0,
            "id": 8880
          },
          {
            "timestamp": "2026-05-28 22:01:58,146",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c3ffc",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x0000079c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001000",
                "pretty_value": "PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "5796"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\SystemApps\\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\\TextInputHost.exe"
              }
            ],
            "repeated": 0,
            "id": 8881
          },
          {
            "timestamp": "2026-05-28 22:01:58,146",
            "thread_id": "5448",
            "caller": "0x7ff6c28c4224",
            "parentcaller": "0x7ff6c28c1397",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000079c"
              }
            ],
            "repeated": 0,
            "id": 8882
          },
          {
            "timestamp": "2026-05-28 22:01:58,146",
            "thread_id": "5448",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c28c9a14",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x292546c0002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\System32\\RuntimeBroker.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 8883
          },
          {
            "timestamp": "2026-05-28 22:01:58,146",
            "thread_id": "5448",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c28c9a14",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x292546c0000"
              },
              {
                "name": "RegionSize",
                "value": "0x0001c000"
              }
            ],
            "repeated": 0,
            "id": 8884
          },
          {
            "timestamp": "2026-05-28 22:01:58,146",
            "thread_id": "5448",
            "caller": "0x7ff6c28c9b37",
            "parentcaller": "0x7ff6c28c9a14",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x292546c0002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\System32\\RuntimeBroker.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 8885
          },
          {
            "timestamp": "2026-05-28 22:01:58,146",
            "thread_id": "5448",
            "caller": "0x7ff6c28c9b37",
            "parentcaller": "0x7ff6c28c9a14",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x292546c0000"
              },
              {
                "name": "RegionSize",
                "value": "0x0001c000"
              }
            ],
            "repeated": 0,
            "id": 8886
          },
          {
            "timestamp": "2026-05-28 22:01:58,146",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c3ffc",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x0000079c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001000",
                "pretty_value": "PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "5152"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\SystemApps\\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\\TextInputHost.exe"
              }
            ],
            "repeated": 0,
            "id": 8887
          },
          {
            "timestamp": "2026-05-28 22:01:58,146",
            "thread_id": "5448",
            "caller": "0x7ff6c28c4224",
            "parentcaller": "0x7ff6c28c1397",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000079c"
              }
            ],
            "repeated": 0,
            "id": 8888
          },
          {
            "timestamp": "2026-05-28 22:01:58,146",
            "thread_id": "5448",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c28c9a14",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x292546c0002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\SystemApps\\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\\StartMenuExperienceHost.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 8889
          },
          {
            "timestamp": "2026-05-28 22:01:58,146",
            "thread_id": "5448",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c28c9a14",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x292546c0000"
              },
              {
                "name": "RegionSize",
                "value": "0x000c7000"
              }
            ],
            "repeated": 0,
            "id": 8890
          },
          {
            "timestamp": "2026-05-28 22:01:58,146",
            "thread_id": "5448",
            "caller": "0x7ff6c28c978f",
            "parentcaller": "0x7ff6c28c3d99",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "DBCE7E40-7345-439D-B12C-114A11819A09"
              },
              {
                "name": "ClsContext",
                "value": "0x00000003",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER"
              },
              {
                "name": "riid",
                "value": "130A2F65-2BE7-4309-9A58-A9052FF2B61C"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 8891
          },
          {
            "timestamp": "2026-05-28 22:01:58,146",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache"
              },
              {
                "name": "Handle",
                "value": "0x0000079c"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache"
              }
            ],
            "repeated": 0,
            "id": 8892
          },
          {
            "timestamp": "2026-05-28 22:01:58,146",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x0000079c"
              },
              {
                "name": "SubKey",
                "value": "Metadata"
              },
              {
                "name": "Handle",
                "value": "0x0000073c"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\Metadata"
              }
            ],
            "repeated": 0,
            "id": 8893
          },
          {
            "timestamp": "2026-05-28 22:01:58,146",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x0000079c"
              },
              {
                "name": "SubKey",
                "value": "Package\\Index\\PackageFullName\\MicrosoftWindows.Client.CBS_1000.19053.1000.0_x64__cw5n1h2txyewy"
              },
              {
                "name": "Handle",
                "value": "0x000007a0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\Package\\Index\\PackageFullName\\MicrosoftWindows.Client.CBS_1000.19053.1000.0_x64__cw5n1h2txyewy"
              }
            ],
            "repeated": 0,
            "id": 8894
          },
          {
            "timestamp": "2026-05-28 22:01:58,146",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "registry",
            "api": "RegEnumKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000007a0"
              },
              {
                "name": "Index",
                "value": "0"
              },
              {
                "name": "Name",
                "value": "22"
              },
              {
                "name": "Class",
                "value": ""
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\Package\\Index\\PackageFullName\\MicrosoftWindows.Client.CBS_1000.19053.1000.0_x64__cw5n1h2txyewy\\22"
              }
            ],
            "repeated": 0,
            "id": 8895
          },
          {
            "timestamp": "2026-05-28 22:01:58,146",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000007a0"
              }
            ],
            "repeated": 0,
            "id": 8896
          },
          {
            "timestamp": "2026-05-28 22:01:58,146",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x0000079c"
              },
              {
                "name": "SubKey",
                "value": "Package\\Data\\22"
              },
              {
                "name": "Handle",
                "value": "0x000007a0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\Package\\Data\\22"
              }
            ],
            "repeated": 0,
            "id": 8897
          },
          {
            "timestamp": "2026-05-28 22:01:58,146",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000007a0"
              },
              {
                "name": "ValueName",
                "value": "PackageOrigin"
              },
              {
                "name": "Data",
                "value": "2"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\Package\\Data\\22\\PackageOrigin"
              }
            ],
            "repeated": 0,
            "id": 8898
          },
          {
            "timestamp": "2026-05-28 22:01:58,146",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000007a0"
              }
            ],
            "repeated": 0,
            "id": 8899
          },
          {
            "timestamp": "2026-05-28 22:01:58,146",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000073c"
              }
            ],
            "repeated": 0,
            "id": 8900
          },
          {
            "timestamp": "2026-05-28 22:01:58,146",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000079c"
              }
            ],
            "repeated": 1,
            "id": 8901
          },
          {
            "timestamp": "2026-05-28 22:01:58,146",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000073c"
              }
            ],
            "repeated": 0,
            "id": 8902
          },
          {
            "timestamp": "2026-05-28 22:01:58,146",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache"
              },
              {
                "name": "Handle",
                "value": "0x0000073c"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache"
              }
            ],
            "repeated": 0,
            "id": 8903
          },
          {
            "timestamp": "2026-05-28 22:01:58,146",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x0000073c"
              },
              {
                "name": "SubKey",
                "value": "Metadata"
              },
              {
                "name": "Handle",
                "value": "0x0000079c"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\Metadata"
              }
            ],
            "repeated": 0,
            "id": 8904
          },
          {
            "timestamp": "2026-05-28 22:01:58,146",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x0000073c"
              },
              {
                "name": "SubKey",
                "value": "Package\\Index\\PackageFullName\\MicrosoftWindows.Client.CBS_1000.19053.1000.0_x64__cw5n1h2txyewy"
              },
              {
                "name": "Handle",
                "value": "0x000007a0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\Package\\Index\\PackageFullName\\MicrosoftWindows.Client.CBS_1000.19053.1000.0_x64__cw5n1h2txyewy"
              }
            ],
            "repeated": 0,
            "id": 8905
          },
          {
            "timestamp": "2026-05-28 22:01:58,146",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "registry",
            "api": "RegEnumKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000007a0"
              },
              {
                "name": "Index",
                "value": "0"
              },
              {
                "name": "Name",
                "value": "22"
              },
              {
                "name": "Class",
                "value": ""
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\Package\\Index\\PackageFullName\\MicrosoftWindows.Client.CBS_1000.19053.1000.0_x64__cw5n1h2txyewy\\22"
              }
            ],
            "repeated": 0,
            "id": 8906
          },
          {
            "timestamp": "2026-05-28 22:01:58,146",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000007a0"
              }
            ],
            "repeated": 0,
            "id": 8907
          },
          {
            "timestamp": "2026-05-28 22:01:58,146",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 8908
          },
          {
            "timestamp": "2026-05-28 22:01:58,146",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": " \\xbc\"T\\x92\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\xfc\\x7f\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\xe9\\x03\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 8909
          },
          {
            "timestamp": "2026-05-28 22:01:58,146",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x0000073c"
              },
              {
                "name": "SubKey",
                "value": "User\\Index\\UserSid\\S-1-5-21-3968686040-3210279463-847977608-1001"
              },
              {
                "name": "Handle",
                "value": "0x000007a0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\User\\Index\\UserSid\\S-1-5-21-3968686040-3210279463-847977608-1001"
              }
            ],
            "repeated": 0,
            "id": 8910
          },
          {
            "timestamp": "2026-05-28 22:01:58,146",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "registry",
            "api": "RegEnumKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000007a0"
              },
              {
                "name": "Index",
                "value": "0"
              },
              {
                "name": "Name",
                "value": "3"
              },
              {
                "name": "Class",
                "value": ""
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\User\\Index\\UserSid\\S-1-5-21-3968686040-3210279463-847977608-1001\\3"
              }
            ],
            "repeated": 0,
            "id": 8911
          },
          {
            "timestamp": "2026-05-28 22:01:58,146",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000007a0"
              }
            ],
            "repeated": 0,
            "id": 8912
          },
          {
            "timestamp": "2026-05-28 22:01:58,146",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x0000073c"
              },
              {
                "name": "SubKey",
                "value": "PackageExternalLocation\\Index\\UserAndPackage\\3^22"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\PackageExternalLocation\\Index\\UserAndPackage\\3^22"
              }
            ],
            "repeated": 0,
            "id": 8913
          },
          {
            "timestamp": "2026-05-28 22:01:58,146",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x0000073c"
              },
              {
                "name": "SubKey",
                "value": "PackageExternalLocation\\Index\\UserAndPackage\\0^22"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\PackageExternalLocation\\Index\\UserAndPackage\\0^22"
              }
            ],
            "repeated": 0,
            "id": 8914
          },
          {
            "timestamp": "2026-05-28 22:01:58,146",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x0000073c"
              },
              {
                "name": "SubKey",
                "value": "Package\\Data\\22"
              },
              {
                "name": "Handle",
                "value": "0x000007a0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\Package\\Data\\22"
              }
            ],
            "repeated": 0,
            "id": 8915
          },
          {
            "timestamp": "2026-05-28 22:01:58,146",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000007a0"
              },
              {
                "name": "ValueName",
                "value": "InstalledLocation"
              },
              {
                "name": "Data",
                "value": "C:\\Windows\\SystemApps\\MicrosoftWindows.Client.CBS_cw5n1h2txyewy"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\Package\\Data\\22\\InstalledLocation"
              }
            ],
            "repeated": 0,
            "id": 8916
          },
          {
            "timestamp": "2026-05-28 22:01:58,146",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000007a0"
              },
              {
                "name": "ValueName",
                "value": "MutableLink"
              },
              {
                "name": "Data",
                "value": ""
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\Package\\Data\\22\\MutableLink"
              }
            ],
            "repeated": 0,
            "id": 8917
          },
          {
            "timestamp": "2026-05-28 22:01:58,146",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000007a0"
              }
            ],
            "repeated": 0,
            "id": 8918
          },
          {
            "timestamp": "2026-05-28 22:01:58,146",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000079c"
              }
            ],
            "repeated": 0,
            "id": 8919
          },
          {
            "timestamp": "2026-05-28 22:01:58,146",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000073c"
              }
            ],
            "repeated": 0,
            "id": 8920
          },
          {
            "timestamp": "2026-05-28 22:01:58,146",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache"
              },
              {
                "name": "Handle",
                "value": "0x0000073c"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache"
              }
            ],
            "repeated": 0,
            "id": 8921
          },
          {
            "timestamp": "2026-05-28 22:01:58,146",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x0000073c"
              },
              {
                "name": "SubKey",
                "value": "Metadata"
              },
              {
                "name": "Handle",
                "value": "0x0000079c"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\Metadata"
              }
            ],
            "repeated": 0,
            "id": 8922
          },
          {
            "timestamp": "2026-05-28 22:01:58,146",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x0000073c"
              },
              {
                "name": "SubKey",
                "value": "Package\\Index\\PackageFullName\\MicrosoftWindows.Client.CBS_1000.19053.1000.0_x64__cw5n1h2txyewy"
              },
              {
                "name": "Handle",
                "value": "0x000007a0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\Package\\Index\\PackageFullName\\MicrosoftWindows.Client.CBS_1000.19053.1000.0_x64__cw5n1h2txyewy"
              }
            ],
            "repeated": 0,
            "id": 8923
          },
          {
            "timestamp": "2026-05-28 22:01:58,146",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "registry",
            "api": "RegEnumKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000007a0"
              },
              {
                "name": "Index",
                "value": "0"
              },
              {
                "name": "Name",
                "value": "22"
              },
              {
                "name": "Class",
                "value": ""
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\Package\\Index\\PackageFullName\\MicrosoftWindows.Client.CBS_1000.19053.1000.0_x64__cw5n1h2txyewy\\22"
              }
            ],
            "repeated": 0,
            "id": 8924
          },
          {
            "timestamp": "2026-05-28 22:01:58,146",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000007a0"
              }
            ],
            "repeated": 0,
            "id": 8925
          },
          {
            "timestamp": "2026-05-28 22:01:58,146",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x0000073c"
              },
              {
                "name": "SubKey",
                "value": "Package\\Data\\22"
              },
              {
                "name": "Handle",
                "value": "0x000007a0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\Package\\Data\\22"
              }
            ],
            "repeated": 0,
            "id": 8926
          },
          {
            "timestamp": "2026-05-28 22:01:58,146",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000007a0"
              },
              {
                "name": "ValueName",
                "value": "Flags"
              },
              {
                "name": "Data",
                "value": "8913992"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\Package\\Data\\22\\Flags"
              }
            ],
            "repeated": 0,
            "id": 8927
          },
          {
            "timestamp": "2026-05-28 22:01:58,146",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000007a0"
              },
              {
                "name": "ValueName",
                "value": "InstalledLocation"
              },
              {
                "name": "Data",
                "value": "C:\\Windows\\SystemApps\\MicrosoftWindows.Client.CBS_cw5n1h2txyewy"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\Package\\Data\\22\\InstalledLocation"
              }
            ],
            "repeated": 0,
            "id": 8928
          },
          {
            "timestamp": "2026-05-28 22:01:58,146",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000007a0"
              }
            ],
            "repeated": 0,
            "id": 8929
          },
          {
            "timestamp": "2026-05-28 22:01:58,146",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000079c"
              }
            ],
            "repeated": 0,
            "id": 8930
          },
          {
            "timestamp": "2026-05-28 22:01:58,146",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000073c"
              }
            ],
            "repeated": 0,
            "id": 8931
          },
          {
            "timestamp": "2026-05-28 22:01:58,146",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xa0\\xdf\\xdf\\x9d\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\xe9\\x03\\x00\\x00\\xf0\\x00\\x00\\x00\\xf05\\x1ej\\xfc\\x7f\\x00\\x00\\x86\\xdequ\\xfc\\x7f\\x00\\x00\t\\x00\\x00\\x00K\\xb4\\x00\\x00\\x00\\x00\\x00\\x00\\xf0\\x00\\x00\\x00\\xf0\\xdf\\xdf\\x9d\\xf0\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 8932
          },
          {
            "timestamp": "2026-05-28 22:01:58,146",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000073c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3968686040-3210279463-847977608-1001"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER"
              }
            ],
            "repeated": 0,
            "id": 8933
          },
          {
            "timestamp": "2026-05-28 22:01:58,146",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x0000073c"
              },
              {
                "name": "SubKey",
                "value": "Software\\Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppContainer\\Storage\\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\\ResourcesConfig"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppContainer\\Storage\\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\\ResourcesConfig"
              }
            ],
            "repeated": 0,
            "id": 8934
          },
          {
            "timestamp": "2026-05-28 22:01:58,146",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000073c"
              }
            ],
            "repeated": 0,
            "id": 8935
          },
          {
            "timestamp": "2026-05-28 22:01:58,146",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x0000073c"
              }
            ],
            "repeated": 0,
            "id": 8936
          },
          {
            "timestamp": "2026-05-28 22:01:58,146",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "39"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 8937
          },
          {
            "timestamp": "2026-05-28 22:01:58,146",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "39"
              },
              {
                "name": "TokenInformation",
                "value": "\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00@\\xe3\"T\\x92\\x02\\x00\\x00 \\x00 \\x00\\x00\\x00\\x00\\x00h\\xe3\"T\\x92\\x02\\x00\\x00\\x02\\x00\\x00\\x00A\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x88\\xe3\"T\\x92\\x02\\x00\\x00T\\x00S\\x00A\\x00:\\x00/\\x00/\\x00P\\x00r\\x00o\\x00c\\x00U\\x00n\\x00i\\x00q\\x00u\\x00e\\x00\\x88\\x00\\x00\\x00\\x00\\x00\\x00\\x00k\\xc4\t\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 8938
          },
          {
            "timestamp": "2026-05-28 22:01:58,146",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000073c"
              }
            ],
            "repeated": 0,
            "id": 8939
          },
          {
            "timestamp": "2026-05-28 22:01:58,146",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 8940
          },
          {
            "timestamp": "2026-05-28 22:01:58,146",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000000d4"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 8941
          },
          {
            "timestamp": "2026-05-28 22:01:58,146",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000000d4"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Mrt\\_Merged"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Mrt\\_Merged"
              }
            ],
            "repeated": 0,
            "id": 8942
          },
          {
            "timestamp": "2026-05-28 22:01:58,146",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "filesystem",
            "api": "NtQueryFullAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\SystemApps\\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\\resources.pri"
              }
            ],
            "repeated": 0,
            "id": 8943
          },
          {
            "timestamp": "2026-05-28 22:01:58,146",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x0000073c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\SystemApps\\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\\resources.pri"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 8944
          },
          {
            "timestamp": "2026-05-28 22:01:58,146",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x0000073c"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\SystemApps\\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\\resources.pri"
              },
              {
                "name": "FileInformationClass",
                "value": "5",
                "pretty_value": "FileStandardInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\x00 *\\x00\\x00\\x00\\x00\\x00\\xb0\\x1f*\\x00\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 8945
          },
          {
            "timestamp": "2026-05-28 22:01:58,146",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x0000079c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x0000073c"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\SystemApps\\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\\resources.pri"
              }
            ],
            "repeated": 0,
            "id": 8946
          },
          {
            "timestamp": "2026-05-28 22:01:58,146",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x0000079c"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x292546c0000"
              },
              {
                "name": "SectionOffset",
                "value": "0xf09ddfdd40"
              },
              {
                "name": "ViewSize",
                "value": "0x002a2000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 8947
          },
          {
            "timestamp": "2026-05-28 22:01:58,146",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000079c"
              }
            ],
            "repeated": 0,
            "id": 8948
          },
          {
            "timestamp": "2026-05-28 22:01:58,146",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000073c"
              }
            ],
            "repeated": 0,
            "id": 8949
          },
          {
            "timestamp": "2026-05-28 22:01:58,146",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254255000"
              },
              {
                "name": "RegionSize",
                "value": "0x00002000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 8950
          },
          {
            "timestamp": "2026-05-28 22:01:58,146",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254257000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 8951
          },
          {
            "timestamp": "2026-05-28 22:01:58,146",
            "thread_id": "5448",
            "caller": "0x7ff6c28dcbb5",
            "parentcaller": "0x7ff6c28c996f",
            "category": "process",
            "api": "NtUnmapViewOfSectionEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x292546c0000"
              },
              {
                "name": "RegionSize",
                "value": "0x002a2000"
              },
              {
                "name": "Flags",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 8952
          },
          {
            "timestamp": "2026-05-28 22:01:58,146",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c837c",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x0000073c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001000",
                "pretty_value": "PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "5796"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\SystemApps\\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\\TextInputHost.exe"
              }
            ],
            "repeated": 0,
            "id": 8953
          },
          {
            "timestamp": "2026-05-28 22:01:58,146",
            "thread_id": "5448",
            "caller": "0x7ff6c28c472e",
            "parentcaller": "0x7ff6c28c8392",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x0000073c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x0000079c"
              }
            ],
            "repeated": 0,
            "id": 8954
          },
          {
            "timestamp": "2026-05-28 22:01:58,146",
            "thread_id": "5448",
            "caller": "0x7ff6c28c4764",
            "parentcaller": "0x7ff6c28c8392",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "39"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 8955
          },
          {
            "timestamp": "2026-05-28 22:01:58,146",
            "thread_id": "5448",
            "caller": "0x7ff6c28c47ed",
            "parentcaller": "0x7ff6c28c8392",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "39"
              },
              {
                "name": "TokenInformation",
                "value": "\\x01\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\xf05%T\\x92\\x02\\x00\\x00\\x1c\\x00\\x1c\\x00\\x00\\x00\\x00\\x00h6%T\\x92\\x02\\x00\\x00\\x03\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x886%T\\x92\\x02\\x00\\x00\\x12\\x00\\x12\\x00\\x00\\x00\\x00\\x00\\xd47%T\\x92\\x02\\x00\\x00\\x02\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xe87%T\\x92\\x02\\x00\\x00 \\x00 \\x00\\x00\\x00\\x00\\x00\\xf07%T\\x92\\x02\\x00\\x00\\x02\\x00\\x00\\x00A\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x108%T\\x92\\x02\\x00\\x00W\\x00I\\x00N\\x00:\\x00/\\x00/\\x00S\\x00Y\\x00S\\x00A\\x00P\\x00P\\x00I\\x00D\\x00\\x00\\x00\\x00\\x00\\x88\\x00\\x88\\x00\\x00\\x00\\x00\\x00\\xb86%T\\x92\\x02\\x00\\x00H\\x00H\\x00\\x00\\x00\\x00\\x00@7%T\\x92\\x02\\x00\\x00L\\x00L\\x00\\x00\\x00\\x00\\x00\\x887%T\\x92\\x02\\x00\\x00M\\x00i\\x00c\\x00r\\x00o\\x00s\\x00o\\x00f\\x00t\\x00.\\x00W\\x00i\\x00n\\x00d\\x00o\\x00w\\x00s\\x00.\\x00S\\x00e\\x00"
              }
            ],
            "repeated": 0,
            "id": 8956
          },
          {
            "timestamp": "2026-05-28 22:01:58,146",
            "thread_id": "5448",
            "caller": "0x7ff6c28c488d",
            "parentcaller": "0x7ff6c28c8392",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000079c"
              }
            ],
            "repeated": 0,
            "id": 8957
          },
          {
            "timestamp": "2026-05-28 22:01:58,146",
            "thread_id": "5448",
            "caller": "0x7ff6c28c83a8",
            "parentcaller": "0x7ff6c28c8427",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000073c"
              }
            ],
            "repeated": 0,
            "id": 8958
          },
          {
            "timestamp": "2026-05-28 22:01:58,146",
            "thread_id": "5448",
            "caller": "0x7ff6c28c883e",
            "parentcaller": "0x7ff6c28c846b",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0xfffffffc"
              }
            ],
            "repeated": 0,
            "id": 8959
          },
          {
            "timestamp": "2026-05-28 22:01:58,146",
            "thread_id": "5448",
            "caller": "0x7ff6c28c883e",
            "parentcaller": "0x7ff6c28c846b",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 8960
          },
          {
            "timestamp": "2026-05-28 22:01:58,146",
            "thread_id": "5448",
            "caller": "0x7ff6c28c883e",
            "parentcaller": "0x7ff6c28c846b",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0xfffffffc"
              }
            ],
            "repeated": 0,
            "id": 8961
          },
          {
            "timestamp": "2026-05-28 22:01:58,146",
            "thread_id": "5448",
            "caller": "0x7ff6c28c883e",
            "parentcaller": "0x7ff6c28c846b",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "0",
                "pretty_value": "ThreadBasicInformation"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x03\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xf0\\x86\\x9d\\xf0\\x00\\x00\\x00\\xe8\\x1e\\x00\\x00\\x00\\x00\\x00\\x00H\\x15\\x00\\x00\\x00\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x0e\\x00\\x00\\x00\\x02\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "5448"
              }
            ],
            "repeated": 0,
            "id": 8962
          },
          {
            "timestamp": "2026-05-28 22:01:58,146",
            "thread_id": "3700",
            "caller": "0x7ffc7571ebae",
            "parentcaller": "0x7ffc775f84de",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "0",
                "pretty_value": "ThreadBasicInformation"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x03\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xf0\\x87\\x9d\\xf0\\x00\\x00\\x00\\xe8\\x1e\\x00\\x00\\x00\\x00\\x00\\x00t\\x0e\\x00\\x00\\x00\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x0b\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "3700"
              }
            ],
            "repeated": 0,
            "id": 8963
          },
          {
            "timestamp": "2026-05-28 22:01:58,146",
            "thread_id": "3700",
            "caller": "0x7ffc756e54eb",
            "parentcaller": "0x7ffc6126c697",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 8964
          },
          {
            "timestamp": "2026-05-28 22:01:58,146",
            "thread_id": "3700",
            "caller": "0x7ffc756e54eb",
            "parentcaller": "0x7ffc6126c717",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": " \\xbb\"T\\x92\\x02\\x00\\x00\\x00\\x00\\x00\\x00o\\x00f\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\xe9\\x03\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 8965
          },
          {
            "timestamp": "2026-05-28 22:01:58,146",
            "thread_id": "3700",
            "caller": "0x7ffc77be92b9",
            "parentcaller": "0x7ffc77c2224d",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "00000339-0000-0000-C000-000000000046"
              },
              {
                "name": "ClsContext",
                "value": "0x00000403",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER|CLSCTX_NO_CODE_DOWNLOAD"
              },
              {
                "name": "riid",
                "value": "00000003-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 3,
            "id": 8966
          },
          {
            "timestamp": "2026-05-28 22:01:58,146",
            "thread_id": "3700",
            "caller": "0x7ffc7571ebae",
            "parentcaller": "0x7ffc775c712f",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "0",
                "pretty_value": "ThreadBasicInformation"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x03\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xf0\\x87\\x9d\\xf0\\x00\\x00\\x00\\xe8\\x1e\\x00\\x00\\x00\\x00\\x00\\x00t\\x0e\\x00\\x00\\x00\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "3700"
              }
            ],
            "repeated": 0,
            "id": 8967
          },
          {
            "timestamp": "2026-05-28 22:01:58,146",
            "thread_id": "5448",
            "caller": "0x7ff6c28c978f",
            "parentcaller": "0x7ff6c28c3d99",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "DBCE7E40-7345-439D-B12C-114A11819A09"
              },
              {
                "name": "ClsContext",
                "value": "0x00000003",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER"
              },
              {
                "name": "riid",
                "value": "130A2F65-2BE7-4309-9A58-A9052FF2B61C"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 8968
          },
          {
            "timestamp": "2026-05-28 22:01:58,146",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache"
              },
              {
                "name": "Handle",
                "value": "0x0000073c"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache"
              }
            ],
            "repeated": 0,
            "id": 8969
          },
          {
            "timestamp": "2026-05-28 22:01:58,146",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x0000073c"
              },
              {
                "name": "SubKey",
                "value": "Metadata"
              },
              {
                "name": "Handle",
                "value": "0x0000079c"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\Metadata"
              }
            ],
            "repeated": 0,
            "id": 8970
          },
          {
            "timestamp": "2026-05-28 22:01:58,146",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x0000073c"
              },
              {
                "name": "SubKey",
                "value": "Package\\Index\\PackageFullName\\Microsoft.Windows.Search_1.14.10.19041_neutral_neutral_cw5n1h2txyewy"
              },
              {
                "name": "Handle",
                "value": "0x000007a0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\Package\\Index\\PackageFullName\\Microsoft.Windows.Search_1.14.10.19041_neutral_neutral_cw5n1h2txyewy"
              }
            ],
            "repeated": 0,
            "id": 8971
          },
          {
            "timestamp": "2026-05-28 22:01:58,146",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "registry",
            "api": "RegEnumKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000007a0"
              },
              {
                "name": "Index",
                "value": "0"
              },
              {
                "name": "Name",
                "value": "1a"
              },
              {
                "name": "Class",
                "value": ""
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\Package\\Index\\PackageFullName\\Microsoft.Windows.Search_1.14.10.19041_neutral_neutral_cw5n1h2txyewy\\1a"
              }
            ],
            "repeated": 0,
            "id": 8972
          },
          {
            "timestamp": "2026-05-28 22:01:58,146",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000007a0"
              }
            ],
            "repeated": 0,
            "id": 8973
          },
          {
            "timestamp": "2026-05-28 22:01:58,146",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x0000073c"
              },
              {
                "name": "SubKey",
                "value": "Package\\Data\\1a"
              },
              {
                "name": "Handle",
                "value": "0x000007a0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\Package\\Data\\1a"
              }
            ],
            "repeated": 0,
            "id": 8974
          },
          {
            "timestamp": "2026-05-28 22:01:58,146",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000007a0"
              },
              {
                "name": "ValueName",
                "value": "PackageOrigin"
              },
              {
                "name": "Data",
                "value": "2"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\Package\\Data\\1a\\PackageOrigin"
              }
            ],
            "repeated": 0,
            "id": 8975
          },
          {
            "timestamp": "2026-05-28 22:01:58,146",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000007a0"
              }
            ],
            "repeated": 0,
            "id": 8976
          },
          {
            "timestamp": "2026-05-28 22:01:58,146",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000079c"
              }
            ],
            "repeated": 0,
            "id": 8977
          },
          {
            "timestamp": "2026-05-28 22:01:58,146",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000073c"
              }
            ],
            "repeated": 1,
            "id": 8978
          },
          {
            "timestamp": "2026-05-28 22:01:58,146",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000079c"
              }
            ],
            "repeated": 0,
            "id": 8979
          },
          {
            "timestamp": "2026-05-28 22:01:58,146",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache"
              },
              {
                "name": "Handle",
                "value": "0x0000079c"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache"
              }
            ],
            "repeated": 0,
            "id": 8980
          },
          {
            "timestamp": "2026-05-28 22:01:58,146",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x0000079c"
              },
              {
                "name": "SubKey",
                "value": "Metadata"
              },
              {
                "name": "Handle",
                "value": "0x0000073c"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\Metadata"
              }
            ],
            "repeated": 0,
            "id": 8981
          },
          {
            "timestamp": "2026-05-28 22:01:58,146",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x0000079c"
              },
              {
                "name": "SubKey",
                "value": "Package\\Index\\PackageFullName\\Microsoft.Windows.Search_1.14.10.19041_neutral_neutral_cw5n1h2txyewy"
              },
              {
                "name": "Handle",
                "value": "0x000007a0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\Package\\Index\\PackageFullName\\Microsoft.Windows.Search_1.14.10.19041_neutral_neutral_cw5n1h2txyewy"
              }
            ],
            "repeated": 0,
            "id": 8982
          },
          {
            "timestamp": "2026-05-28 22:01:58,146",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "registry",
            "api": "RegEnumKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000007a0"
              },
              {
                "name": "Index",
                "value": "0"
              },
              {
                "name": "Name",
                "value": "1a"
              },
              {
                "name": "Class",
                "value": ""
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\Package\\Index\\PackageFullName\\Microsoft.Windows.Search_1.14.10.19041_neutral_neutral_cw5n1h2txyewy\\1a"
              }
            ],
            "repeated": 0,
            "id": 8983
          },
          {
            "timestamp": "2026-05-28 22:01:58,146",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000007a0"
              }
            ],
            "repeated": 0,
            "id": 8984
          },
          {
            "timestamp": "2026-05-28 22:01:58,146",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 8985
          },
          {
            "timestamp": "2026-05-28 22:01:58,146",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "`\\xb4\"T\\x92\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00F\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\xe9\\x03\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 8986
          },
          {
            "timestamp": "2026-05-28 22:01:58,146",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x0000079c"
              },
              {
                "name": "SubKey",
                "value": "User\\Index\\UserSid\\S-1-5-21-3968686040-3210279463-847977608-1001"
              },
              {
                "name": "Handle",
                "value": "0x000007a0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\User\\Index\\UserSid\\S-1-5-21-3968686040-3210279463-847977608-1001"
              }
            ],
            "repeated": 0,
            "id": 8987
          },
          {
            "timestamp": "2026-05-28 22:01:58,146",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "registry",
            "api": "RegEnumKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000007a0"
              },
              {
                "name": "Index",
                "value": "0"
              },
              {
                "name": "Name",
                "value": "3"
              },
              {
                "name": "Class",
                "value": ""
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\User\\Index\\UserSid\\S-1-5-21-3968686040-3210279463-847977608-1001\\3"
              }
            ],
            "repeated": 0,
            "id": 8988
          },
          {
            "timestamp": "2026-05-28 22:01:58,146",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000007a0"
              }
            ],
            "repeated": 0,
            "id": 8989
          },
          {
            "timestamp": "2026-05-28 22:01:58,146",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x0000079c"
              },
              {
                "name": "SubKey",
                "value": "PackageExternalLocation\\Index\\UserAndPackage\\3^1a"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\PackageExternalLocation\\Index\\UserAndPackage\\3^1a"
              }
            ],
            "repeated": 0,
            "id": 8990
          },
          {
            "timestamp": "2026-05-28 22:01:58,146",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x0000079c"
              },
              {
                "name": "SubKey",
                "value": "PackageExternalLocation\\Index\\UserAndPackage\\0^1a"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\PackageExternalLocation\\Index\\UserAndPackage\\0^1a"
              }
            ],
            "repeated": 0,
            "id": 8991
          },
          {
            "timestamp": "2026-05-28 22:01:58,146",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x0000079c"
              },
              {
                "name": "SubKey",
                "value": "Package\\Data\\1a"
              },
              {
                "name": "Handle",
                "value": "0x000007a0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\Package\\Data\\1a"
              }
            ],
            "repeated": 0,
            "id": 8992
          },
          {
            "timestamp": "2026-05-28 22:01:58,146",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000007a0"
              },
              {
                "name": "ValueName",
                "value": "InstalledLocation"
              },
              {
                "name": "Data",
                "value": "C:\\Windows\\SystemApps\\Microsoft.Windows.Search_cw5n1h2txyewy"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\Package\\Data\\1a\\InstalledLocation"
              }
            ],
            "repeated": 0,
            "id": 8993
          },
          {
            "timestamp": "2026-05-28 22:01:58,146",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000007a0"
              },
              {
                "name": "ValueName",
                "value": "MutableLink"
              },
              {
                "name": "Data",
                "value": ""
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\Package\\Data\\1a\\MutableLink"
              }
            ],
            "repeated": 0,
            "id": 8994
          },
          {
            "timestamp": "2026-05-28 22:01:58,146",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000007a0"
              }
            ],
            "repeated": 0,
            "id": 8995
          },
          {
            "timestamp": "2026-05-28 22:01:58,146",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000073c"
              }
            ],
            "repeated": 0,
            "id": 8996
          },
          {
            "timestamp": "2026-05-28 22:01:58,146",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000079c"
              }
            ],
            "repeated": 0,
            "id": 8997
          },
          {
            "timestamp": "2026-05-28 22:01:58,146",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache"
              },
              {
                "name": "Handle",
                "value": "0x0000079c"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache"
              }
            ],
            "repeated": 0,
            "id": 8998
          },
          {
            "timestamp": "2026-05-28 22:01:58,146",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x0000079c"
              },
              {
                "name": "SubKey",
                "value": "Metadata"
              },
              {
                "name": "Handle",
                "value": "0x0000073c"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\Metadata"
              }
            ],
            "repeated": 0,
            "id": 8999
          },
          {
            "timestamp": "2026-05-28 22:01:58,146",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x0000079c"
              },
              {
                "name": "SubKey",
                "value": "Package\\Index\\PackageFullName\\Microsoft.Windows.Search_1.14.10.19041_neutral_neutral_cw5n1h2txyewy"
              },
              {
                "name": "Handle",
                "value": "0x000007a0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\Package\\Index\\PackageFullName\\Microsoft.Windows.Search_1.14.10.19041_neutral_neutral_cw5n1h2txyewy"
              }
            ],
            "repeated": 0,
            "id": 9000
          },
          {
            "timestamp": "2026-05-28 22:01:58,146",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "registry",
            "api": "RegEnumKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000007a0"
              },
              {
                "name": "Index",
                "value": "0"
              },
              {
                "name": "Name",
                "value": "1a"
              },
              {
                "name": "Class",
                "value": ""
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\Package\\Index\\PackageFullName\\Microsoft.Windows.Search_1.14.10.19041_neutral_neutral_cw5n1h2txyewy\\1a"
              }
            ],
            "repeated": 0,
            "id": 9001
          },
          {
            "timestamp": "2026-05-28 22:01:58,146",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000007a0"
              }
            ],
            "repeated": 0,
            "id": 9002
          },
          {
            "timestamp": "2026-05-28 22:01:58,146",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x0000079c"
              },
              {
                "name": "SubKey",
                "value": "Package\\Data\\1a"
              },
              {
                "name": "Handle",
                "value": "0x000007a0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\Package\\Data\\1a"
              }
            ],
            "repeated": 0,
            "id": 9003
          },
          {
            "timestamp": "2026-05-28 22:01:58,146",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000007a0"
              },
              {
                "name": "ValueName",
                "value": "Flags"
              },
              {
                "name": "Data",
                "value": "1032"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\Package\\Data\\1a\\Flags"
              }
            ],
            "repeated": 0,
            "id": 9004
          },
          {
            "timestamp": "2026-05-28 22:01:58,146",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000007a0"
              },
              {
                "name": "ValueName",
                "value": "InstalledLocation"
              },
              {
                "name": "Data",
                "value": "C:\\Windows\\SystemApps\\Microsoft.Windows.Search_cw5n1h2txyewy"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\Package\\Data\\1a\\InstalledLocation"
              }
            ],
            "repeated": 0,
            "id": 9005
          },
          {
            "timestamp": "2026-05-28 22:01:58,146",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000007a0"
              }
            ],
            "repeated": 0,
            "id": 9006
          },
          {
            "timestamp": "2026-05-28 22:01:58,146",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000073c"
              }
            ],
            "repeated": 0,
            "id": 9007
          },
          {
            "timestamp": "2026-05-28 22:01:58,146",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000079c"
              }
            ],
            "repeated": 0,
            "id": 9008
          },
          {
            "timestamp": "2026-05-28 22:01:58,146",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xa0\\xdf\\xdf\\x9d\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\xe9\\x03\\x00\\x00\\xf0\\x00\\x00\\x00\\xf05\\x1ej\\xfc\\x7f\\x00\\x00\\x86\\xdequ\\xfc\\x7f\\x00\\x00\\x0b\\x00\\x00\\x00K\\xb4\\x00\\x00\\x00\\x00\\x00\\x00\\xf0\\x00\\x00\\x00\\xf0\\xdf\\xdf\\x9d\\xf0\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 9009
          },
          {
            "timestamp": "2026-05-28 22:01:58,146",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000079c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3968686040-3210279463-847977608-1001"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER"
              }
            ],
            "repeated": 0,
            "id": 9010
          },
          {
            "timestamp": "2026-05-28 22:01:58,146",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x0000079c"
              },
              {
                "name": "SubKey",
                "value": "Software\\Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppContainer\\Storage\\Microsoft.Windows.Search_cw5n1h2txyewy\\ResourcesConfig"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppContainer\\Storage\\Microsoft.Windows.Search_cw5n1h2txyewy\\ResourcesConfig"
              }
            ],
            "repeated": 0,
            "id": 9011
          },
          {
            "timestamp": "2026-05-28 22:01:58,146",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000079c"
              }
            ],
            "repeated": 0,
            "id": 9012
          },
          {
            "timestamp": "2026-05-28 22:01:58,146",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x0000079c"
              }
            ],
            "repeated": 0,
            "id": 9013
          },
          {
            "timestamp": "2026-05-28 22:01:58,146",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "39"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 9014
          },
          {
            "timestamp": "2026-05-28 22:01:58,146",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "39"
              },
              {
                "name": "TokenInformation",
                "value": "\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\xe0\\xec\"T\\x92\\x02\\x00\\x00 \\x00 \\x00\\x00\\x00\\x00\\x00\\x08\\xed\"T\\x92\\x02\\x00\\x00\\x02\\x00\\x00\\x00A\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00(\\xed\"T\\x92\\x02\\x00\\x00T\\x00S\\x00A\\x00:\\x00/\\x00/\\x00P\\x00r\\x00o\\x00c\\x00U\\x00n\\x00i\\x00q\\x00u\\x00e\\x00\\x88\\x00\\x00\\x00\\x00\\x00\\x00\\x00k\\xc4\t\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 9015
          },
          {
            "timestamp": "2026-05-28 22:01:58,146",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000079c"
              }
            ],
            "repeated": 0,
            "id": 9016
          },
          {
            "timestamp": "2026-05-28 22:01:58,146",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 9017
          },
          {
            "timestamp": "2026-05-28 22:01:58,146",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000000d4"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 9018
          },
          {
            "timestamp": "2026-05-28 22:01:58,146",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000000d4"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Mrt\\_Merged"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Mrt\\_Merged"
              }
            ],
            "repeated": 0,
            "id": 9019
          },
          {
            "timestamp": "2026-05-28 22:01:58,146",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "filesystem",
            "api": "NtQueryFullAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\SystemApps\\Microsoft.Windows.Search_cw5n1h2txyewy\\resources.pri"
              }
            ],
            "repeated": 0,
            "id": 9020
          },
          {
            "timestamp": "2026-05-28 22:01:58,146",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x0000079c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\SystemApps\\Microsoft.Windows.Search_cw5n1h2txyewy\\resources.pri"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 9021
          },
          {
            "timestamp": "2026-05-28 22:01:58,146",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x0000079c"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\SystemApps\\Microsoft.Windows.Search_cw5n1h2txyewy\\resources.pri"
              },
              {
                "name": "FileInformationClass",
                "value": "5",
                "pretty_value": "FileStandardInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\x000\\x02\\x00\\x00\\x00\\x00\\x000+\\x02\\x00\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 9022
          },
          {
            "timestamp": "2026-05-28 22:01:58,146",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x0000073c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x0000079c"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\SystemApps\\Microsoft.Windows.Search_cw5n1h2txyewy\\resources.pri"
              }
            ],
            "repeated": 0,
            "id": 9023
          },
          {
            "timestamp": "2026-05-28 22:01:58,146",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x0000073c"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x292546c0000"
              },
              {
                "name": "SectionOffset",
                "value": "0xf09ddfdd40"
              },
              {
                "name": "ViewSize",
                "value": "0x00023000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 9024
          },
          {
            "timestamp": "2026-05-28 22:01:58,146",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000073c"
              }
            ],
            "repeated": 0,
            "id": 9025
          },
          {
            "timestamp": "2026-05-28 22:01:58,146",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000079c"
              }
            ],
            "repeated": 0,
            "id": 9026
          },
          {
            "timestamp": "2026-05-28 22:01:58,146",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254258000"
              },
              {
                "name": "RegionSize",
                "value": "0x00002000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 9027
          },
          {
            "timestamp": "2026-05-28 22:01:58,146",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 9028
          },
          {
            "timestamp": "2026-05-28 22:01:58,146",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000000d4"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 9029
          },
          {
            "timestamp": "2026-05-28 22:01:58,146",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000000d4"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Mrt\\_Merged"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Mrt\\_Merged"
              }
            ],
            "repeated": 0,
            "id": 9030
          },
          {
            "timestamp": "2026-05-28 22:01:58,146",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 9031
          },
          {
            "timestamp": "2026-05-28 22:01:58,146",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "filesystem",
            "api": "FindFirstFileExW",
            "status": true,
            "return": "0x2925423bcb0",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\SystemApps\\Microsoft.Windows.Search_cw5n1h2txyewy\\pris\\resources*.pri"
              },
              {
                "name": "FirstCreateTimeLow",
                "value": "0xb6359d06"
              },
              {
                "name": "FirstCreateTimeHigh",
                "value": "0x01da265c"
              }
            ],
            "repeated": 0,
            "id": 9032
          },
          {
            "timestamp": "2026-05-28 22:01:58,146",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000079c"
              }
            ],
            "repeated": 0,
            "id": 9033
          },
          {
            "timestamp": "2026-05-28 22:01:58,146",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "Software\\Microsoft\\LanguageOverlay\\OverlayPackages"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages"
              }
            ],
            "repeated": 0,
            "id": 9034
          },
          {
            "timestamp": "2026-05-28 22:01:58,146",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "filesystem",
            "api": "FindFirstFileExW",
            "status": true,
            "return": "0x2925423c310",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\SystemApps\\Microsoft.Windows.Search_cw5n1h2txyewy\\resources.pri"
              },
              {
                "name": "FirstCreateTimeLow",
                "value": "0xb7e9eb50"
              },
              {
                "name": "FirstCreateTimeHigh",
                "value": "0x01da265c"
              }
            ],
            "repeated": 0,
            "id": 9035
          },
          {
            "timestamp": "2026-05-28 22:01:58,146",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000079c"
              }
            ],
            "repeated": 0,
            "id": 9036
          },
          {
            "timestamp": "2026-05-28 22:01:58,146",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 9037
          },
          {
            "timestamp": "2026-05-28 22:01:58,146",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000000d4"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 9038
          },
          {
            "timestamp": "2026-05-28 22:01:58,146",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000000d4"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Mrt\\_Merged"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Mrt\\_Merged"
              }
            ],
            "repeated": 0,
            "id": 9039
          },
          {
            "timestamp": "2026-05-28 22:01:58,146",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "filesystem",
            "api": "NtQueryFullAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\rescache\\_merged\\4225414570\\2601266601.pri"
              }
            ],
            "repeated": 1,
            "id": 9040
          },
          {
            "timestamp": "2026-05-28 22:01:58,146",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x0000079c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\rescache\\_merged\\4225414570\\2601266601.pri"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 9041
          },
          {
            "timestamp": "2026-05-28 22:01:58,146",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x0000079c"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\rescache\\_merged\\4225414570\\2601266601.pri"
              },
              {
                "name": "FileInformationClass",
                "value": "5",
                "pretty_value": "FileStandardInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\x00@\\x00\\x00\\x00\\x00\\x00\\x00\\xd0:\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 9042
          },
          {
            "timestamp": "2026-05-28 22:01:58,146",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x0000073c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x0000079c"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\rescache\\_merged\\4225414570\\2601266601.pri"
              }
            ],
            "repeated": 0,
            "id": 9043
          },
          {
            "timestamp": "2026-05-28 22:01:58,146",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x0000073c"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x292546f0000"
              },
              {
                "name": "SectionOffset",
                "value": "0xf09ddfdc00"
              },
              {
                "name": "ViewSize",
                "value": "0x00004000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 9044
          },
          {
            "timestamp": "2026-05-28 22:01:58,146",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000073c"
              }
            ],
            "repeated": 0,
            "id": 9045
          },
          {
            "timestamp": "2026-05-28 22:01:58,146",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000079c"
              }
            ],
            "repeated": 0,
            "id": 9046
          },
          {
            "timestamp": "2026-05-28 22:01:58,146",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "filesystem",
            "api": "FindFirstFileExW",
            "status": true,
            "return": "0x2925423bdd0",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\SystemApps\\Microsoft.Windows.Search_cw5n1h2txyewy\\pris\\resources.en-US.pri"
              },
              {
                "name": "FirstCreateTimeLow",
                "value": "0xb6359d06"
              },
              {
                "name": "FirstCreateTimeHigh",
                "value": "0x01da265c"
              }
            ],
            "repeated": 0,
            "id": 9047
          },
          {
            "timestamp": "2026-05-28 22:01:58,146",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000079c"
              }
            ],
            "repeated": 0,
            "id": 9048
          },
          {
            "timestamp": "2026-05-28 22:01:58,146",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "filesystem",
            "api": "NtQueryFullAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\SystemApps\\Microsoft.Windows.Search_cw5n1h2txyewy\\pris\\resources.en-US.pri"
              }
            ],
            "repeated": 0,
            "id": 9049
          },
          {
            "timestamp": "2026-05-28 22:01:58,146",
            "thread_id": "5448",
            "caller": "0x7ff6c28dcbb5",
            "parentcaller": "0x7ff6c28c996f",
            "category": "process",
            "api": "NtUnmapViewOfSectionEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x292546c0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00023000"
              },
              {
                "name": "Flags",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 9050
          },
          {
            "timestamp": "2026-05-28 22:01:58,146",
            "thread_id": "5448",
            "caller": "0x7ff6c28dcbb5",
            "parentcaller": "0x7ff6c28c996f",
            "category": "process",
            "api": "NtUnmapViewOfSectionEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x292546f0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00004000"
              },
              {
                "name": "Flags",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 9051
          },
          {
            "timestamp": "2026-05-28 22:01:58,146",
            "thread_id": "5448",
            "caller": "0x7ff6c28c978f",
            "parentcaller": "0x7ff6c28c3d99",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "DBCE7E40-7345-439D-B12C-114A11819A09"
              },
              {
                "name": "ClsContext",
                "value": "0x00000003",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER"
              },
              {
                "name": "riid",
                "value": "130A2F65-2BE7-4309-9A58-A9052FF2B61C"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 9052
          },
          {
            "timestamp": "2026-05-28 22:01:58,146",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache"
              },
              {
                "name": "Handle",
                "value": "0x0000079c"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache"
              }
            ],
            "repeated": 0,
            "id": 9053
          },
          {
            "timestamp": "2026-05-28 22:01:58,146",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x0000079c"
              },
              {
                "name": "SubKey",
                "value": "Metadata"
              },
              {
                "name": "Handle",
                "value": "0x0000073c"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\Metadata"
              }
            ],
            "repeated": 0,
            "id": 9054
          },
          {
            "timestamp": "2026-05-28 22:01:58,146",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x0000079c"
              },
              {
                "name": "SubKey",
                "value": "Package\\Index\\PackageFullName\\Microsoft.Windows.StartMenuExperienceHost_10.0.19041.3636_neutral_neutral_cw5n1h2txyewy"
              },
              {
                "name": "Handle",
                "value": "0x000007a0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\Package\\Index\\PackageFullName\\Microsoft.Windows.StartMenuExperienceHost_10.0.19041.3636_neutral_neutral_cw5n1h2txyewy"
              }
            ],
            "repeated": 0,
            "id": 9055
          },
          {
            "timestamp": "2026-05-28 22:01:58,146",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "registry",
            "api": "RegEnumKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000007a0"
              },
              {
                "name": "Index",
                "value": "0"
              },
              {
                "name": "Name",
                "value": "1f"
              },
              {
                "name": "Class",
                "value": ""
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\Package\\Index\\PackageFullName\\Microsoft.Windows.StartMenuExperienceHost_10.0.19041.3636_neutral_neutral_cw5n1h2txyewy\\1f"
              }
            ],
            "repeated": 0,
            "id": 9056
          },
          {
            "timestamp": "2026-05-28 22:01:58,146",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000007a0"
              }
            ],
            "repeated": 0,
            "id": 9057
          },
          {
            "timestamp": "2026-05-28 22:01:58,146",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x0000079c"
              },
              {
                "name": "SubKey",
                "value": "Package\\Data\\1f"
              },
              {
                "name": "Handle",
                "value": "0x000007a0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\Package\\Data\\1f"
              }
            ],
            "repeated": 0,
            "id": 9058
          },
          {
            "timestamp": "2026-05-28 22:01:58,146",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000007a0"
              },
              {
                "name": "ValueName",
                "value": "PackageOrigin"
              },
              {
                "name": "Data",
                "value": "2"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\Package\\Data\\1f\\PackageOrigin"
              }
            ],
            "repeated": 0,
            "id": 9059
          },
          {
            "timestamp": "2026-05-28 22:01:58,146",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000007a0"
              }
            ],
            "repeated": 0,
            "id": 9060
          },
          {
            "timestamp": "2026-05-28 22:01:58,146",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000073c"
              }
            ],
            "repeated": 0,
            "id": 9061
          },
          {
            "timestamp": "2026-05-28 22:01:58,146",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000079c"
              }
            ],
            "repeated": 1,
            "id": 9062
          },
          {
            "timestamp": "2026-05-28 22:01:58,146",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000073c"
              }
            ],
            "repeated": 0,
            "id": 9063
          },
          {
            "timestamp": "2026-05-28 22:01:58,146",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache"
              },
              {
                "name": "Handle",
                "value": "0x0000073c"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache"
              }
            ],
            "repeated": 0,
            "id": 9064
          },
          {
            "timestamp": "2026-05-28 22:01:58,146",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x0000073c"
              },
              {
                "name": "SubKey",
                "value": "Metadata"
              },
              {
                "name": "Handle",
                "value": "0x0000079c"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\Metadata"
              }
            ],
            "repeated": 0,
            "id": 9065
          },
          {
            "timestamp": "2026-05-28 22:01:58,146",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x0000073c"
              },
              {
                "name": "SubKey",
                "value": "Package\\Index\\PackageFullName\\Microsoft.Windows.StartMenuExperienceHost_10.0.19041.3636_neutral_neutral_cw5n1h2txyewy"
              },
              {
                "name": "Handle",
                "value": "0x000007a0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\Package\\Index\\PackageFullName\\Microsoft.Windows.StartMenuExperienceHost_10.0.19041.3636_neutral_neutral_cw5n1h2txyewy"
              }
            ],
            "repeated": 0,
            "id": 9066
          },
          {
            "timestamp": "2026-05-28 22:01:58,146",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "registry",
            "api": "RegEnumKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000007a0"
              },
              {
                "name": "Index",
                "value": "0"
              },
              {
                "name": "Name",
                "value": "1f"
              },
              {
                "name": "Class",
                "value": ""
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\Package\\Index\\PackageFullName\\Microsoft.Windows.StartMenuExperienceHost_10.0.19041.3636_neutral_neutral_cw5n1h2txyewy\\1f"
              }
            ],
            "repeated": 0,
            "id": 9067
          },
          {
            "timestamp": "2026-05-28 22:01:58,146",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000007a0"
              }
            ],
            "repeated": 0,
            "id": 9068
          },
          {
            "timestamp": "2026-05-28 22:01:58,146",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 9069
          },
          {
            "timestamp": "2026-05-28 22:01:58,146",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xe0\\xb6\"T\\x92\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\xe9\\x03\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 9070
          },
          {
            "timestamp": "2026-05-28 22:01:58,146",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x0000073c"
              },
              {
                "name": "SubKey",
                "value": "User\\Index\\UserSid\\S-1-5-21-3968686040-3210279463-847977608-1001"
              },
              {
                "name": "Handle",
                "value": "0x000007a0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\User\\Index\\UserSid\\S-1-5-21-3968686040-3210279463-847977608-1001"
              }
            ],
            "repeated": 0,
            "id": 9071
          },
          {
            "timestamp": "2026-05-28 22:01:58,146",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "registry",
            "api": "RegEnumKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000007a0"
              },
              {
                "name": "Index",
                "value": "0"
              },
              {
                "name": "Name",
                "value": "3"
              },
              {
                "name": "Class",
                "value": ""
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\User\\Index\\UserSid\\S-1-5-21-3968686040-3210279463-847977608-1001\\3"
              }
            ],
            "repeated": 0,
            "id": 9072
          },
          {
            "timestamp": "2026-05-28 22:01:58,146",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000007a0"
              }
            ],
            "repeated": 0,
            "id": 9073
          },
          {
            "timestamp": "2026-05-28 22:01:58,146",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x0000073c"
              },
              {
                "name": "SubKey",
                "value": "PackageExternalLocation\\Index\\UserAndPackage\\3^1f"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\PackageExternalLocation\\Index\\UserAndPackage\\3^1f"
              }
            ],
            "repeated": 0,
            "id": 9074
          },
          {
            "timestamp": "2026-05-28 22:01:58,146",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x0000073c"
              },
              {
                "name": "SubKey",
                "value": "PackageExternalLocation\\Index\\UserAndPackage\\0^1f"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\PackageExternalLocation\\Index\\UserAndPackage\\0^1f"
              }
            ],
            "repeated": 0,
            "id": 9075
          },
          {
            "timestamp": "2026-05-28 22:01:58,146",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x0000073c"
              },
              {
                "name": "SubKey",
                "value": "Package\\Data\\1f"
              },
              {
                "name": "Handle",
                "value": "0x000007a0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\Package\\Data\\1f"
              }
            ],
            "repeated": 0,
            "id": 9076
          },
          {
            "timestamp": "2026-05-28 22:01:58,146",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000007a0"
              },
              {
                "name": "ValueName",
                "value": "InstalledLocation"
              },
              {
                "name": "Data",
                "value": "C:\\Windows\\SystemApps\\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\Package\\Data\\1f\\InstalledLocation"
              }
            ],
            "repeated": 0,
            "id": 9077
          },
          {
            "timestamp": "2026-05-28 22:01:58,146",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000007a0"
              },
              {
                "name": "ValueName",
                "value": "MutableLink"
              },
              {
                "name": "Data",
                "value": ""
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\Package\\Data\\1f\\MutableLink"
              }
            ],
            "repeated": 0,
            "id": 9078
          },
          {
            "timestamp": "2026-05-28 22:01:58,146",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000007a0"
              }
            ],
            "repeated": 0,
            "id": 9079
          },
          {
            "timestamp": "2026-05-28 22:01:58,146",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000079c"
              }
            ],
            "repeated": 0,
            "id": 9080
          },
          {
            "timestamp": "2026-05-28 22:01:58,146",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000073c"
              }
            ],
            "repeated": 0,
            "id": 9081
          },
          {
            "timestamp": "2026-05-28 22:01:58,146",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache"
              },
              {
                "name": "Handle",
                "value": "0x0000073c"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache"
              }
            ],
            "repeated": 0,
            "id": 9082
          },
          {
            "timestamp": "2026-05-28 22:01:58,146",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x0000073c"
              },
              {
                "name": "SubKey",
                "value": "Metadata"
              },
              {
                "name": "Handle",
                "value": "0x0000079c"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\Metadata"
              }
            ],
            "repeated": 0,
            "id": 9083
          },
          {
            "timestamp": "2026-05-28 22:01:58,146",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x0000073c"
              },
              {
                "name": "SubKey",
                "value": "Package\\Index\\PackageFullName\\Microsoft.Windows.StartMenuExperienceHost_10.0.19041.3636_neutral_neutral_cw5n1h2txyewy"
              },
              {
                "name": "Handle",
                "value": "0x000007a0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\Package\\Index\\PackageFullName\\Microsoft.Windows.StartMenuExperienceHost_10.0.19041.3636_neutral_neutral_cw5n1h2txyewy"
              }
            ],
            "repeated": 0,
            "id": 9084
          },
          {
            "timestamp": "2026-05-28 22:01:58,146",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "registry",
            "api": "RegEnumKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000007a0"
              },
              {
                "name": "Index",
                "value": "0"
              },
              {
                "name": "Name",
                "value": "1f"
              },
              {
                "name": "Class",
                "value": ""
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\Package\\Index\\PackageFullName\\Microsoft.Windows.StartMenuExperienceHost_10.0.19041.3636_neutral_neutral_cw5n1h2txyewy\\1f"
              }
            ],
            "repeated": 0,
            "id": 9085
          },
          {
            "timestamp": "2026-05-28 22:01:58,146",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000007a0"
              }
            ],
            "repeated": 0,
            "id": 9086
          },
          {
            "timestamp": "2026-05-28 22:01:58,146",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x0000073c"
              },
              {
                "name": "SubKey",
                "value": "Package\\Data\\1f"
              },
              {
                "name": "Handle",
                "value": "0x000007a0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\Package\\Data\\1f"
              }
            ],
            "repeated": 0,
            "id": 9087
          },
          {
            "timestamp": "2026-05-28 22:01:58,146",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000007a0"
              },
              {
                "name": "ValueName",
                "value": "Flags"
              },
              {
                "name": "Data",
                "value": "1032"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\Package\\Data\\1f\\Flags"
              }
            ],
            "repeated": 0,
            "id": 9088
          },
          {
            "timestamp": "2026-05-28 22:01:58,146",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000007a0"
              },
              {
                "name": "ValueName",
                "value": "InstalledLocation"
              },
              {
                "name": "Data",
                "value": "C:\\Windows\\SystemApps\\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\Package\\Data\\1f\\InstalledLocation"
              }
            ],
            "repeated": 0,
            "id": 9089
          },
          {
            "timestamp": "2026-05-28 22:01:58,146",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000007a0"
              }
            ],
            "repeated": 0,
            "id": 9090
          },
          {
            "timestamp": "2026-05-28 22:01:58,146",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000079c"
              }
            ],
            "repeated": 0,
            "id": 9091
          },
          {
            "timestamp": "2026-05-28 22:01:58,146",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000073c"
              }
            ],
            "repeated": 0,
            "id": 9092
          },
          {
            "timestamp": "2026-05-28 22:01:58,146",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xa0\\xdf\\xdf\\x9d\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\xe9\\x03\\x00\\x00\\xf0\\x00\\x00\\x00\\xf05\\x1ej\\xfc\\x7f\\x00\\x00\\x86\\xdequ\\xfc\\x7f\\x00\\x00\\x0b\\x00\\x00\\x00K\\xb4\\x00\\x00\\x00\\x00\\x00\\x00\\xf0\\x00\\x00\\x00\\xf0\\xdf\\xdf\\x9d\\xf0\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 9093
          },
          {
            "timestamp": "2026-05-28 22:01:58,146",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000073c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3968686040-3210279463-847977608-1001"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER"
              }
            ],
            "repeated": 0,
            "id": 9094
          },
          {
            "timestamp": "2026-05-28 22:01:58,146",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x0000073c"
              },
              {
                "name": "SubKey",
                "value": "Software\\Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppContainer\\Storage\\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\\ResourcesConfig"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppContainer\\Storage\\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\\ResourcesConfig"
              }
            ],
            "repeated": 0,
            "id": 9095
          },
          {
            "timestamp": "2026-05-28 22:01:58,146",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000073c"
              }
            ],
            "repeated": 0,
            "id": 9096
          },
          {
            "timestamp": "2026-05-28 22:01:58,162",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x000007b0"
              }
            ],
            "repeated": 0,
            "id": 9097
          },
          {
            "timestamp": "2026-05-28 22:01:58,162",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "39"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 9098
          },
          {
            "timestamp": "2026-05-28 22:01:58,162",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "39"
              },
              {
                "name": "TokenInformation",
                "value": "\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00`\\xf0\"T\\x92\\x02\\x00\\x00 \\x00 \\x00\\x00\\x00\\x00\\x00\\x88\\xf0\"T\\x92\\x02\\x00\\x00\\x02\\x00\\x00\\x00A\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xa8\\xf0\"T\\x92\\x02\\x00\\x00T\\x00S\\x00A\\x00:\\x00/\\x00/\\x00P\\x00r\\x00o\\x00c\\x00U\\x00n\\x00i\\x00q\\x00u\\x00e\\x00\\x88\\x00\\x00\\x00\\x00\\x00\\x00\\x00k\\xc4\t\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 9099
          },
          {
            "timestamp": "2026-05-28 22:01:58,162",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000007b0"
              }
            ],
            "repeated": 0,
            "id": 9100
          },
          {
            "timestamp": "2026-05-28 22:01:58,162",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 9101
          },
          {
            "timestamp": "2026-05-28 22:01:58,162",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000000d4"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 9102
          },
          {
            "timestamp": "2026-05-28 22:01:58,162",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000000d4"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Mrt\\_Merged"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Mrt\\_Merged"
              }
            ],
            "repeated": 0,
            "id": 9103
          },
          {
            "timestamp": "2026-05-28 22:01:58,162",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "filesystem",
            "api": "NtQueryFullAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\SystemApps\\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\\resources.pri"
              }
            ],
            "repeated": 0,
            "id": 9104
          },
          {
            "timestamp": "2026-05-28 22:01:58,162",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000007b0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\SystemApps\\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\\resources.pri"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 9105
          },
          {
            "timestamp": "2026-05-28 22:01:58,162",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000007b0"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\SystemApps\\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\\resources.pri"
              },
              {
                "name": "FileInformationClass",
                "value": "5",
                "pretty_value": "FileStandardInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\x88\\x06\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 9106
          },
          {
            "timestamp": "2026-05-28 22:01:58,162",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x000007b4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x000007b0"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\SystemApps\\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\\resources.pri"
              }
            ],
            "repeated": 0,
            "id": 9107
          },
          {
            "timestamp": "2026-05-28 22:01:58,162",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x000007b4"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x292546c0000"
              },
              {
                "name": "SectionOffset",
                "value": "0xf09ddfdd40"
              },
              {
                "name": "ViewSize",
                "value": "0x00001000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 9108
          },
          {
            "timestamp": "2026-05-28 22:01:58,162",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000007b4"
              }
            ],
            "repeated": 0,
            "id": 9109
          },
          {
            "timestamp": "2026-05-28 22:01:58,162",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000007b0"
              }
            ],
            "repeated": 0,
            "id": 9110
          },
          {
            "timestamp": "2026-05-28 22:01:58,162",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 9111
          },
          {
            "timestamp": "2026-05-28 22:01:58,162",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000000d4"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 9112
          },
          {
            "timestamp": "2026-05-28 22:01:58,162",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000000d4"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Mrt\\_Merged"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Mrt\\_Merged"
              }
            ],
            "repeated": 0,
            "id": 9113
          },
          {
            "timestamp": "2026-05-28 22:01:58,162",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 9114
          },
          {
            "timestamp": "2026-05-28 22:01:58,162",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "filesystem",
            "api": "FindFirstFileExW",
            "status": true,
            "return": "0x2925423cbb0",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\SystemApps\\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\\pris\\resources*.pri"
              },
              {
                "name": "FirstCreateTimeLow",
                "value": "0xab7e9afa"
              },
              {
                "name": "FirstCreateTimeHigh",
                "value": "0x01d5ace3"
              }
            ],
            "repeated": 0,
            "id": 9115
          },
          {
            "timestamp": "2026-05-28 22:01:58,162",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000007b0"
              }
            ],
            "repeated": 0,
            "id": 9116
          },
          {
            "timestamp": "2026-05-28 22:01:58,162",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "Software\\Microsoft\\LanguageOverlay\\OverlayPackages"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages"
              }
            ],
            "repeated": 0,
            "id": 9117
          },
          {
            "timestamp": "2026-05-28 22:01:58,162",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "filesystem",
            "api": "FindFirstFileExW",
            "status": true,
            "return": "0x2925423c2b0",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\SystemApps\\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\\resources.pri"
              },
              {
                "name": "FirstCreateTimeLow",
                "value": "0xea4e2414"
              },
              {
                "name": "FirstCreateTimeHigh",
                "value": "0x01d5acdd"
              }
            ],
            "repeated": 0,
            "id": 9118
          },
          {
            "timestamp": "2026-05-28 22:01:58,162",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000007b0"
              }
            ],
            "repeated": 0,
            "id": 9119
          },
          {
            "timestamp": "2026-05-28 22:01:58,162",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 9120
          },
          {
            "timestamp": "2026-05-28 22:01:58,162",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000000d4"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 9121
          },
          {
            "timestamp": "2026-05-28 22:01:58,162",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000000d4"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Mrt\\_Merged"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Mrt\\_Merged"
              }
            ],
            "repeated": 0,
            "id": 9122
          },
          {
            "timestamp": "2026-05-28 22:01:58,162",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "filesystem",
            "api": "NtQueryFullAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\rescache\\_merged\\24768367\\3374421605.pri"
              }
            ],
            "repeated": 1,
            "id": 9123
          },
          {
            "timestamp": "2026-05-28 22:01:58,162",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000007b0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\rescache\\_merged\\24768367\\3374421605.pri"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 9124
          },
          {
            "timestamp": "2026-05-28 22:01:58,162",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000007b0"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\rescache\\_merged\\24768367\\3374421605.pri"
              },
              {
                "name": "FileInformationClass",
                "value": "5",
                "pretty_value": "FileStandardInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x00h\\x07\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 9125
          },
          {
            "timestamp": "2026-05-28 22:01:58,162",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x0000073c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x000007b0"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\rescache\\_merged\\24768367\\3374421605.pri"
              }
            ],
            "repeated": 0,
            "id": 9126
          },
          {
            "timestamp": "2026-05-28 22:01:58,162",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x0000073c"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x292546d0000"
              },
              {
                "name": "SectionOffset",
                "value": "0xf09ddfdc00"
              },
              {
                "name": "ViewSize",
                "value": "0x00001000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 9127
          },
          {
            "timestamp": "2026-05-28 22:01:58,162",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000073c"
              }
            ],
            "repeated": 0,
            "id": 9128
          },
          {
            "timestamp": "2026-05-28 22:01:58,162",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000007b0"
              }
            ],
            "repeated": 0,
            "id": 9129
          },
          {
            "timestamp": "2026-05-28 22:01:58,162",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "filesystem",
            "api": "FindFirstFileExW",
            "status": true,
            "return": "0x2925423b950",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\SystemApps\\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\\pris\\resources.en-US.pri"
              },
              {
                "name": "FirstCreateTimeLow",
                "value": "0xab7e9afa"
              },
              {
                "name": "FirstCreateTimeHigh",
                "value": "0x01d5ace3"
              }
            ],
            "repeated": 0,
            "id": 9130
          },
          {
            "timestamp": "2026-05-28 22:01:58,162",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000007b0"
              }
            ],
            "repeated": 0,
            "id": 9131
          },
          {
            "timestamp": "2026-05-28 22:01:58,162",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "filesystem",
            "api": "NtQueryFullAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\SystemApps\\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\\pris\\resources.en-US.pri"
              }
            ],
            "repeated": 0,
            "id": 9132
          },
          {
            "timestamp": "2026-05-28 22:01:58,162",
            "thread_id": "5448",
            "caller": "0x7ff6c28dcbb5",
            "parentcaller": "0x7ff6c28c996f",
            "category": "process",
            "api": "NtUnmapViewOfSectionEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x292546c0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Flags",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 9133
          },
          {
            "timestamp": "2026-05-28 22:01:58,162",
            "thread_id": "5448",
            "caller": "0x7ff6c28dcbb5",
            "parentcaller": "0x7ff6c28c996f",
            "category": "process",
            "api": "NtUnmapViewOfSectionEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x292546d0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Flags",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 9134
          },
          {
            "timestamp": "2026-05-28 22:01:58,162",
            "thread_id": "5448",
            "caller": "0x7ff6c28be774",
            "parentcaller": "0x7ff6c28d9f92",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "api-ms-win-security-systemfunctions-l1-1-0"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc771e0000"
              }
            ],
            "repeated": 0,
            "id": 9135
          },
          {
            "timestamp": "2026-05-28 22:01:58,162",
            "thread_id": "5448",
            "caller": "0x7ff6c28be774",
            "parentcaller": "0x7ff6c28d9f92",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x7ffc771e0000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "api-ms-win-security-systemfunctions-l1-1-0"
              },
              {
                "name": "dwFlags",
                "value": "0x00000800"
              }
            ],
            "repeated": 0,
            "id": 9136
          },
          {
            "timestamp": "2026-05-28 22:01:58,162",
            "thread_id": "5448",
            "caller": "0x7ff6c28be774",
            "parentcaller": "0x7ff6c28d9f92",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ADVAPI32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc771e0000"
              },
              {
                "name": "FunctionName",
                "value": "SystemFunction036"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc74f91010"
              }
            ],
            "repeated": 0,
            "id": 9137
          },
          {
            "timestamp": "2026-05-28 22:01:58,162",
            "thread_id": "5448",
            "caller": "0x7ff6c28be774",
            "parentcaller": "0x7ff6c28d9f92",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc74f99000"
              },
              {
                "name": "ModuleName",
                "value": "CRYPTBASE.DLL"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 9138
          },
          {
            "timestamp": "2026-05-28 22:01:58,162",
            "thread_id": "5448",
            "caller": "0x7ff6c28be774",
            "parentcaller": "0x7ff6c28d9f92",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc74f99000"
              },
              {
                "name": "ModuleName",
                "value": "CRYPTBASE.DLL"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 9139
          },
          {
            "timestamp": "2026-05-28 22:01:58,162",
            "thread_id": "5448",
            "caller": "0x7ff6c28bb952",
            "parentcaller": "0x7ff6c28be837",
            "category": "windows",
            "api": "PostMessageW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "WindowHandle",
                "value": "0x00010402"
              },
              {
                "name": "Message",
                "value": "0x00000464"
              }
            ],
            "repeated": 0,
            "id": 9140
          },
          {
            "timestamp": "2026-05-28 22:01:58,162",
            "thread_id": "5448",
            "caller": "0x7ff6c28be873",
            "parentcaller": "0x7ff6c28d9f92",
            "category": "windows",
            "api": "PostMessageW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "WindowHandle",
                "value": "0x000203fa"
              },
              {
                "name": "Message",
                "value": "0x000004dd"
              }
            ],
            "repeated": 0,
            "id": 9141
          },
          {
            "timestamp": "2026-05-28 22:01:58,162",
            "thread_id": "1496",
            "caller": "0x7ff6c29175a4",
            "parentcaller": "0x7ff6c292a0d2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2925425c000"
              },
              {
                "name": "RegionSize",
                "value": "0x00009000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 9142
          },
          {
            "timestamp": "2026-05-28 22:01:58,162",
            "thread_id": "5448",
            "caller": "0x7ff6c28d7261",
            "parentcaller": "0x7ff6c28cf291",
            "category": "threading",
            "api": "NtCreateThreadEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0x0000079c"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "StartAddress",
                "value": "0x7ff6c28df680"
              },
              {
                "name": "Parameter",
                "value": "0x2924e26cbe0"
              },
              {
                "name": "CreateFlags",
                "value": "0x00000001"
              },
              {
                "name": "ThreadId",
                "value": "8568"
              },
              {
                "name": "ProcessId",
                "value": "7912"
              },
              {
                "name": "Module",
                "value": "taskmgr.exe"
              }
            ],
            "repeated": 0,
            "id": 9143
          },
          {
            "timestamp": "2026-05-28 22:01:58,162",
            "thread_id": "5448",
            "caller": "0x7ff6c28d7261",
            "parentcaller": "0x7ff6c28cf291",
            "category": "threading",
            "api": "CreateRemoteThreadEx",
            "status": true,
            "return": "0x0000079c",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "StartRoutine",
                "value": "0x7ff6c28df680"
              },
              {
                "name": "Parameter",
                "value": "0x2924e26cbe0"
              },
              {
                "name": "CreationFlags",
                "value": "0x00000000"
              },
              {
                "name": "ThreadId",
                "value": "8568"
              },
              {
                "name": "ProcessId",
                "value": "7912"
              }
            ],
            "repeated": 0,
            "id": 9144
          },
          {
            "timestamp": "2026-05-28 22:01:58,162",
            "thread_id": "5448",
            "caller": "0x7ff6c28dd762",
            "parentcaller": "0x7ff6c28e1808",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff6c29dc000"
              },
              {
                "name": "ModuleName",
                "value": "taskmgr.exe"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 9145
          },
          {
            "timestamp": "2026-05-28 22:01:58,162",
            "thread_id": "5448",
            "caller": "0x7ff6c28dd762",
            "parentcaller": "0x7ff6c28e1808",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff6c29dc000"
              },
              {
                "name": "ModuleName",
                "value": "taskmgr.exe"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 9146
          },
          {
            "timestamp": "2026-05-28 22:01:58,162",
            "thread_id": "1496",
            "caller": "0x7ff6c29175a4",
            "parentcaller": "0x7ff6c292a0d2",
            "category": "synchronization",
            "api": "NtOpenEvent",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "Handle",
                "value": "0xf09d76ef60"
              },
              {
                "name": "EventName",
                "value": "Local\\1ImmersiveFocusTrackingActiveEvent"
              }
            ],
            "repeated": 0,
            "id": 9147
          },
          {
            "timestamp": "2026-05-28 22:01:58,162",
            "thread_id": "1496",
            "caller": "0x7ff6c29175a4",
            "parentcaller": "0x7ff6c292a0d2",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 0,
            "id": 9148
          },
          {
            "timestamp": "2026-05-28 22:01:58,162",
            "thread_id": "5448",
            "caller": "0x7ff6c28d734a",
            "parentcaller": "0x7ff6c28cf2ac",
            "category": "services",
            "api": "OpenSCManagerW",
            "status": true,
            "return": "0x29254242a70",
            "arguments": [
              {
                "name": "MachineName",
                "value": ""
              },
              {
                "name": "DatabaseName",
                "value": ""
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000004",
                "pretty_value": "SC_MANAGER_ENUMERATE_SERVICE"
              }
            ],
            "repeated": 0,
            "id": 9149
          },
          {
            "timestamp": "2026-05-28 22:01:58,162",
            "thread_id": "1496",
            "caller": "0x7ff6c29175a4",
            "parentcaller": "0x7ff6c292a0d2",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 1,
            "id": 9150
          },
          {
            "timestamp": "2026-05-28 22:01:58,162",
            "thread_id": "1496",
            "caller": "0x7ff6c29175a4",
            "parentcaller": "0x7ff6c292a0d2",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x0000104e"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 9151
          },
          {
            "timestamp": "2026-05-28 22:01:58,162",
            "thread_id": "1496",
            "caller": "0x7ff6c29175a4",
            "parentcaller": "0x7ff6c292a0d2",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": " \\xeav\\x9d\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xf0\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\xe9\\x03\\x00\\x00\\x00\\x00\\x00\\x00m\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xc0\\x1bNw\\xfc\\x7f\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 9152
          },
          {
            "timestamp": "2026-05-28 22:01:58,162",
            "thread_id": "1496",
            "caller": "0x7ff6c29175a4",
            "parentcaller": "0x7ff6c292a0d2",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000007b8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3968686040-3210279463-847977608-1001"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER"
              }
            ],
            "repeated": 0,
            "id": 9153
          },
          {
            "timestamp": "2026-05-28 22:01:58,162",
            "thread_id": "5448",
            "caller": "0x7ff6c28dd762",
            "parentcaller": "0x7ff6c28e0f12",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff6c29dc000"
              },
              {
                "name": "ModuleName",
                "value": "taskmgr.exe"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 9154
          },
          {
            "timestamp": "2026-05-28 22:01:58,162",
            "thread_id": "5448",
            "caller": "0x7ff6c28dd762",
            "parentcaller": "0x7ff6c28e0f12",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff6c29dc000"
              },
              {
                "name": "ModuleName",
                "value": "taskmgr.exe"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 9155
          },
          {
            "timestamp": "2026-05-28 22:01:58,162",
            "thread_id": "1496",
            "caller": "0x7ff6c29175a4",
            "parentcaller": "0x7ff6c292a0d2",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x000007b8"
              },
              {
                "name": "SubKey",
                "value": "Software\\Microsoft\\CTF\\DirectSwitchHotkeys"
              },
              {
                "name": "Handle",
                "value": "0x000007bc"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\Software\\Microsoft\\CTF\\DirectSwitchHotkeys"
              }
            ],
            "repeated": 0,
            "id": 9156
          },
          {
            "timestamp": "2026-05-28 22:01:58,162",
            "thread_id": "1496",
            "caller": "0x7ff6c29175a4",
            "parentcaller": "0x7ff6c292a0d2",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000007b8"
              }
            ],
            "repeated": 0,
            "id": 9157
          },
          {
            "timestamp": "2026-05-28 22:01:58,162",
            "thread_id": "5448",
            "caller": "0x7ff6c28d736f",
            "parentcaller": "0x7ff6c28cf2ac",
            "category": "services",
            "api": "OpenSCManagerW",
            "status": true,
            "return": "0x292542431f0",
            "arguments": [
              {
                "name": "MachineName",
                "value": ""
              },
              {
                "name": "DatabaseName",
                "value": ""
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000004",
                "pretty_value": "SC_MANAGER_ENUMERATE_SERVICE"
              }
            ],
            "repeated": 0,
            "id": 9158
          },
          {
            "timestamp": "2026-05-28 22:01:58,162",
            "thread_id": "1496",
            "caller": "0x7ff6c29175a4",
            "parentcaller": "0x7ff6c292a0d2",
            "category": "registry",
            "api": "RegEnumKeyExW",
            "status": false,
            "return": "0x00000103",
            "pretty_return": "NO_MORE_ITEMS",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000007bc"
              },
              {
                "name": "Index",
                "value": "0"
              },
              {
                "name": "Name",
                "value": ""
              },
              {
                "name": "Class",
                "value": ""
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\CTF\\DirectSwitchHotkeys\\"
              }
            ],
            "repeated": 0,
            "id": 9159
          },
          {
            "timestamp": "2026-05-28 22:01:58,162",
            "thread_id": "5448",
            "caller": "0x7ff6c28dd762",
            "parentcaller": "0x7ff6c28e13b1",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff6c29dc000"
              },
              {
                "name": "ModuleName",
                "value": "taskmgr.exe"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 9160
          },
          {
            "timestamp": "2026-05-28 22:01:58,162",
            "thread_id": "1496",
            "caller": "0x7ff6c29175a4",
            "parentcaller": "0x7ff6c292a0d2",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000007bc"
              }
            ],
            "repeated": 0,
            "id": 9161
          },
          {
            "timestamp": "2026-05-28 22:01:58,162",
            "thread_id": "1496",
            "caller": "0x7ff6c29175a4",
            "parentcaller": "0x7ff6c292a0d2",
            "category": "synchronization",
            "api": "NtOpenEvent",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "Handle",
                "value": "0xf09d76ef60"
              },
              {
                "name": "EventName",
                "value": "Local\\1ImmersiveFocusTrackingActiveEvent"
              }
            ],
            "repeated": 0,
            "id": 9162
          },
          {
            "timestamp": "2026-05-28 22:01:58,162",
            "thread_id": "608",
            "caller": "0x7ff6c28d9e90",
            "parentcaller": "0x7ff6c28d9a49",
            "category": "windows",
            "api": "FindWindowW",
            "status": true,
            "return": "0x00010092",
            "arguments": [
              {
                "name": "ClassName",
                "value": "Shell_TrayWnd"
              },
              {
                "name": "WindowName",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 9163
          },
          {
            "timestamp": "2026-05-28 22:01:58,162",
            "thread_id": "5448",
            "caller": "0x7ff6c28d7587",
            "parentcaller": "0x7ff6c28cf2ac",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2925426a000"
              },
              {
                "name": "RegionSize",
                "value": "0x0000b000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 9164
          },
          {
            "timestamp": "2026-05-28 22:01:58,162",
            "thread_id": "5448",
            "caller": "0x7ff6c28d760f",
            "parentcaller": "0x7ff6c28d748b",
            "category": "services",
            "api": "OpenServiceW",
            "status": true,
            "return": "0x29254242fe0",
            "arguments": [
              {
                "name": "ServiceControlManager",
                "value": "0x292542431f0"
              },
              {
                "name": "ServiceName",
                "value": "AarSvc"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000005",
                "pretty_value": "SERVICE_QUERY_CONFIG|SERVICE_QUERY_STATUS"
              }
            ],
            "repeated": 0,
            "id": 9165
          },
          {
            "timestamp": "2026-05-28 22:01:58,162",
            "thread_id": "5448",
            "caller": "0x7ff6c28dd762",
            "parentcaller": "0x7ff6c28e143c",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff6c29dc000"
              },
              {
                "name": "ModuleName",
                "value": "taskmgr.exe"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 9166
          },
          {
            "timestamp": "2026-05-28 22:01:58,162",
            "thread_id": "5448",
            "caller": "0x7ff6c28dd762",
            "parentcaller": "0x7ff6c28e143c",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff6c29dc000"
              },
              {
                "name": "ModuleName",
                "value": "taskmgr.exe"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 9167
          },
          {
            "timestamp": "2026-05-28 22:01:58,162",
            "thread_id": "5448",
            "caller": "0x7ff6c28d790a",
            "parentcaller": "0x7ff6c28d76df",
            "category": "misc",
            "api": "CommandLineToArgvW",
            "status": true,
            "return": "0x292541f0f00",
            "arguments": [
              {
                "name": "CommandLine",
                "value": "C:\\Windows\\system32\\svchost.exe -k AarSvcGroup -p"
              },
              {
                "name": "NumArgs",
                "value": "4"
              }
            ],
            "repeated": 0,
            "id": 9168
          },
          {
            "timestamp": "2026-05-28 22:01:58,162",
            "thread_id": "5448",
            "caller": "0x7ff6c28d760f",
            "parentcaller": "0x7ff6c28d748b",
            "category": "services",
            "api": "OpenServiceW",
            "status": true,
            "return": "0x29254242c20",
            "arguments": [
              {
                "name": "ServiceControlManager",
                "value": "0x292542431f0"
              },
              {
                "name": "ServiceName",
                "value": "AJRouter"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000005",
                "pretty_value": "SERVICE_QUERY_CONFIG|SERVICE_QUERY_STATUS"
              }
            ],
            "repeated": 0,
            "id": 9169
          },
          {
            "timestamp": "2026-05-28 22:01:58,162",
            "thread_id": "5448",
            "caller": "0x7ff6c28d790a",
            "parentcaller": "0x7ff6c28d76df",
            "category": "misc",
            "api": "CommandLineToArgvW",
            "status": true,
            "return": "0x29254233cf0",
            "arguments": [
              {
                "name": "CommandLine",
                "value": "C:\\Windows\\system32\\svchost.exe -k LocalServiceNetworkRestricted -p"
              },
              {
                "name": "NumArgs",
                "value": "4"
              }
            ],
            "repeated": 0,
            "id": 9170
          },
          {
            "timestamp": "2026-05-28 22:01:58,162",
            "thread_id": "5448",
            "caller": "0x7ff6c28d760f",
            "parentcaller": "0x7ff6c28d748b",
            "category": "services",
            "api": "OpenServiceW",
            "status": true,
            "return": "0x29254242c20",
            "arguments": [
              {
                "name": "ServiceControlManager",
                "value": "0x292542431f0"
              },
              {
                "name": "ServiceName",
                "value": "ALG"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000005",
                "pretty_value": "SERVICE_QUERY_CONFIG|SERVICE_QUERY_STATUS"
              }
            ],
            "repeated": 0,
            "id": 9171
          },
          {
            "timestamp": "2026-05-28 22:01:58,162",
            "thread_id": "5448",
            "caller": "0x7ff6c28d790a",
            "parentcaller": "0x7ff6c28d76df",
            "category": "misc",
            "api": "CommandLineToArgvW",
            "status": true,
            "return": "0x29254236050",
            "arguments": [
              {
                "name": "CommandLine",
                "value": "C:\\Windows\\System32\\alg.exe"
              },
              {
                "name": "NumArgs",
                "value": "1"
              }
            ],
            "repeated": 0,
            "id": 9172
          },
          {
            "timestamp": "2026-05-28 22:01:58,162",
            "thread_id": "5448",
            "caller": "0x7ff6c28d760f",
            "parentcaller": "0x7ff6c28d748b",
            "category": "services",
            "api": "OpenServiceW",
            "status": true,
            "return": "0x29254243460",
            "arguments": [
              {
                "name": "ServiceControlManager",
                "value": "0x292542431f0"
              },
              {
                "name": "ServiceName",
                "value": "AppIDSvc"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000005",
                "pretty_value": "SERVICE_QUERY_CONFIG|SERVICE_QUERY_STATUS"
              }
            ],
            "repeated": 0,
            "id": 9173
          },
          {
            "timestamp": "2026-05-28 22:01:58,162",
            "thread_id": "5448",
            "caller": "0x7ff6c28d790a",
            "parentcaller": "0x7ff6c28d76df",
            "category": "misc",
            "api": "CommandLineToArgvW",
            "status": true,
            "return": "0x292542343b0",
            "arguments": [
              {
                "name": "CommandLine",
                "value": "C:\\Windows\\system32\\svchost.exe -k LocalServiceNetworkRestricted -p"
              },
              {
                "name": "NumArgs",
                "value": "4"
              }
            ],
            "repeated": 0,
            "id": 9174
          },
          {
            "timestamp": "2026-05-28 22:01:58,162",
            "thread_id": "5448",
            "caller": "0x7ff6c28d760f",
            "parentcaller": "0x7ff6c28d748b",
            "category": "services",
            "api": "OpenServiceW",
            "status": true,
            "return": "0x29254242f80",
            "arguments": [
              {
                "name": "ServiceControlManager",
                "value": "0x292542431f0"
              },
              {
                "name": "ServiceName",
                "value": "Appinfo"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000005",
                "pretty_value": "SERVICE_QUERY_CONFIG|SERVICE_QUERY_STATUS"
              }
            ],
            "repeated": 0,
            "id": 9175
          },
          {
            "timestamp": "2026-05-28 22:01:58,162",
            "thread_id": "5448",
            "caller": "0x7ff6c28d790a",
            "parentcaller": "0x7ff6c28d76df",
            "category": "misc",
            "api": "CommandLineToArgvW",
            "status": true,
            "return": "0x292542204b0",
            "arguments": [
              {
                "name": "CommandLine",
                "value": "C:\\Windows\\system32\\svchost.exe -k netsvcs -p"
              },
              {
                "name": "NumArgs",
                "value": "4"
              }
            ],
            "repeated": 0,
            "id": 9176
          },
          {
            "timestamp": "2026-05-28 22:01:58,162",
            "thread_id": "5448",
            "caller": "0x7ff6c28d760f",
            "parentcaller": "0x7ff6c28d748b",
            "category": "services",
            "api": "OpenServiceW",
            "status": true,
            "return": "0x29254242f80",
            "arguments": [
              {
                "name": "ServiceControlManager",
                "value": "0x292542431f0"
              },
              {
                "name": "ServiceName",
                "value": "AppMgmt"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000005",
                "pretty_value": "SERVICE_QUERY_CONFIG|SERVICE_QUERY_STATUS"
              }
            ],
            "repeated": 0,
            "id": 9177
          },
          {
            "timestamp": "2026-05-28 22:01:58,162",
            "thread_id": "5448",
            "caller": "0x7ff6c28d790a",
            "parentcaller": "0x7ff6c28d76df",
            "category": "misc",
            "api": "CommandLineToArgvW",
            "status": true,
            "return": "0x29254220780",
            "arguments": [
              {
                "name": "CommandLine",
                "value": "C:\\Windows\\system32\\svchost.exe -k netsvcs -p"
              },
              {
                "name": "NumArgs",
                "value": "4"
              }
            ],
            "repeated": 0,
            "id": 9178
          },
          {
            "timestamp": "2026-05-28 22:01:58,162",
            "thread_id": "5448",
            "caller": "0x7ff6c28d760f",
            "parentcaller": "0x7ff6c28d748b",
            "category": "services",
            "api": "OpenServiceW",
            "status": true,
            "return": "0x29254242f80",
            "arguments": [
              {
                "name": "ServiceControlManager",
                "value": "0x292542431f0"
              },
              {
                "name": "ServiceName",
                "value": "AppReadiness"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000005",
                "pretty_value": "SERVICE_QUERY_CONFIG|SERVICE_QUERY_STATUS"
              }
            ],
            "repeated": 0,
            "id": 9179
          },
          {
            "timestamp": "2026-05-28 22:01:58,162",
            "thread_id": "5448",
            "caller": "0x7ff6c28d790a",
            "parentcaller": "0x7ff6c28d76df",
            "category": "misc",
            "api": "CommandLineToArgvW",
            "status": true,
            "return": "0x292541f1860",
            "arguments": [
              {
                "name": "CommandLine",
                "value": "C:\\Windows\\System32\\svchost.exe -k AppReadiness -p"
              },
              {
                "name": "NumArgs",
                "value": "4"
              }
            ],
            "repeated": 0,
            "id": 9180
          },
          {
            "timestamp": "2026-05-28 22:01:58,162",
            "thread_id": "5448",
            "caller": "0x7ff6c28d760f",
            "parentcaller": "0x7ff6c28d748b",
            "category": "services",
            "api": "OpenServiceW",
            "status": true,
            "return": "0x29254242f80",
            "arguments": [
              {
                "name": "ServiceControlManager",
                "value": "0x292542431f0"
              },
              {
                "name": "ServiceName",
                "value": "AppVClient"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000005",
                "pretty_value": "SERVICE_QUERY_CONFIG|SERVICE_QUERY_STATUS"
              }
            ],
            "repeated": 0,
            "id": 9181
          },
          {
            "timestamp": "2026-05-28 22:01:58,162",
            "thread_id": "5448",
            "caller": "0x7ff6c28d790a",
            "parentcaller": "0x7ff6c28d76df",
            "category": "misc",
            "api": "CommandLineToArgvW",
            "status": true,
            "return": "0x2925423cc10",
            "arguments": [
              {
                "name": "CommandLine",
                "value": "C:\\Windows\\system32\\AppVClient.exe"
              },
              {
                "name": "NumArgs",
                "value": "1"
              }
            ],
            "repeated": 0,
            "id": 9182
          },
          {
            "timestamp": "2026-05-28 22:01:58,162",
            "thread_id": "1496",
            "caller": "0x7ff6c29175a4",
            "parentcaller": "0x7ff6c292a0d2",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254275000"
              },
              {
                "name": "RegionSize",
                "value": "0x00002000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 9183
          },
          {
            "timestamp": "2026-05-28 22:01:58,162",
            "thread_id": "5448",
            "caller": "0x7ff6c28d760f",
            "parentcaller": "0x7ff6c28d748b",
            "category": "services",
            "api": "OpenServiceW",
            "status": true,
            "return": "0x29254243b20",
            "arguments": [
              {
                "name": "ServiceControlManager",
                "value": "0x292542431f0"
              },
              {
                "name": "ServiceName",
                "value": "AppXSvc"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000005",
                "pretty_value": "SERVICE_QUERY_CONFIG|SERVICE_QUERY_STATUS"
              }
            ],
            "repeated": 0,
            "id": 9184
          },
          {
            "timestamp": "2026-05-28 22:01:58,162",
            "thread_id": "1276",
            "caller": "0x7ff6c28dcd03",
            "parentcaller": "0x7ff6c28df26d",
            "category": "misc",
            "api": "FindResourceExW",
            "status": true,
            "return": "0x29252ef2028",
            "arguments": [
              {
                "name": "Module",
                "value": "0x7ff6c28b0000"
              },
              {
                "name": "Type",
                "value": "#14"
              },
              {
                "name": "Name",
                "value": "#30652"
              },
              {
                "name": "Language",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 9185
          },
          {
            "timestamp": "2026-05-28 22:01:58,162",
            "thread_id": "5448",
            "caller": "0x7ff6c28d790a",
            "parentcaller": "0x7ff6c28d76df",
            "category": "misc",
            "api": "CommandLineToArgvW",
            "status": true,
            "return": "0x2925421fe80",
            "arguments": [
              {
                "name": "CommandLine",
                "value": "C:\\Windows\\system32\\svchost.exe -k wsappx -p"
              },
              {
                "name": "NumArgs",
                "value": "4"
              }
            ],
            "repeated": 0,
            "id": 9186
          },
          {
            "timestamp": "2026-05-28 22:01:58,162",
            "thread_id": "1276",
            "caller": "0x7ff6c28dcd03",
            "parentcaller": "0x7ff6c28df26d",
            "category": "misc",
            "api": "LoadResource",
            "status": true,
            "return": "0x29252f16628",
            "arguments": [
              {
                "name": "Module",
                "value": "0x7ff6c28b0000"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29252ef2028"
              }
            ],
            "repeated": 0,
            "id": 9187
          },
          {
            "timestamp": "2026-05-28 22:01:58,162",
            "thread_id": "1276",
            "caller": "0x7ff6c28dcd03",
            "parentcaller": "0x7ff6c28df26d",
            "category": "misc",
            "api": "FindResourceExW",
            "status": true,
            "return": "0x29252ef1b28",
            "arguments": [
              {
                "name": "Module",
                "value": "0x7ff6c28b0000"
              },
              {
                "name": "Type",
                "value": "#3"
              },
              {
                "name": "Name",
                "value": "#28"
              },
              {
                "name": "Language",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 9188
          },
          {
            "timestamp": "2026-05-28 22:01:58,162",
            "thread_id": "1276",
            "caller": "0x7ff6c28dcd03",
            "parentcaller": "0x7ff6c28df26d",
            "category": "misc",
            "api": "LoadResource",
            "status": true,
            "return": "0x29252f161c0",
            "arguments": [
              {
                "name": "Module",
                "value": "0x7ff6c28b0000"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29252ef1b28"
              }
            ],
            "repeated": 0,
            "id": 9189
          },
          {
            "timestamp": "2026-05-28 22:01:58,162",
            "thread_id": "5448",
            "caller": "0x7ff6c28d760f",
            "parentcaller": "0x7ff6c28d748b",
            "category": "services",
            "api": "OpenServiceW",
            "status": true,
            "return": "0x29254243bb0",
            "arguments": [
              {
                "name": "ServiceControlManager",
                "value": "0x292542431f0"
              },
              {
                "name": "ServiceName",
                "value": "AssignedAccessManagerSvc"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000005",
                "pretty_value": "SERVICE_QUERY_CONFIG|SERVICE_QUERY_STATUS"
              }
            ],
            "repeated": 0,
            "id": 9190
          },
          {
            "timestamp": "2026-05-28 22:01:58,162",
            "thread_id": "5448",
            "caller": "0x7ff6c28d790a",
            "parentcaller": "0x7ff6c28d76df",
            "category": "misc",
            "api": "CommandLineToArgvW",
            "status": true,
            "return": "0x29254254f30",
            "arguments": [
              {
                "name": "CommandLine",
                "value": "C:\\Windows\\system32\\svchost.exe -k AssignedAccessManagerSvc"
              },
              {
                "name": "NumArgs",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 9191
          },
          {
            "timestamp": "2026-05-28 22:01:58,162",
            "thread_id": "5448",
            "caller": "0x7ff6c28d760f",
            "parentcaller": "0x7ff6c28d748b",
            "category": "services",
            "api": "OpenServiceW",
            "status": true,
            "return": "0x292542435b0",
            "arguments": [
              {
                "name": "ServiceControlManager",
                "value": "0x292542431f0"
              },
              {
                "name": "ServiceName",
                "value": "AudioEndpointBuilder"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000005",
                "pretty_value": "SERVICE_QUERY_CONFIG|SERVICE_QUERY_STATUS"
              }
            ],
            "repeated": 0,
            "id": 9192
          },
          {
            "timestamp": "2026-05-28 22:01:58,162",
            "thread_id": "1276",
            "caller": "0x7ff6c28dcd6e",
            "parentcaller": "0x7ff6c28df26d",
            "category": "misc",
            "api": "FindResourceExW",
            "status": true,
            "return": "0x29252ef2048",
            "arguments": [
              {
                "name": "Module",
                "value": "0x7ff6c28b0000"
              },
              {
                "name": "Type",
                "value": "#14"
              },
              {
                "name": "Name",
                "value": "#30654"
              },
              {
                "name": "Language",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 9193
          },
          {
            "timestamp": "2026-05-28 22:01:58,162",
            "thread_id": "1276",
            "caller": "0x7ff6c28dcd6e",
            "parentcaller": "0x7ff6c28df26d",
            "category": "misc",
            "api": "LoadResource",
            "status": true,
            "return": "0x29252f1b4a8",
            "arguments": [
              {
                "name": "Module",
                "value": "0x7ff6c28b0000"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29252ef2048"
              }
            ],
            "repeated": 0,
            "id": 9194
          },
          {
            "timestamp": "2026-05-28 22:01:58,162",
            "thread_id": "5448",
            "caller": "0x7ff6c28d790a",
            "parentcaller": "0x7ff6c28d76df",
            "category": "misc",
            "api": "CommandLineToArgvW",
            "status": true,
            "return": "0x29254234fb0",
            "arguments": [
              {
                "name": "CommandLine",
                "value": "C:\\Windows\\System32\\svchost.exe -k LocalSystemNetworkRestricted -p"
              },
              {
                "name": "NumArgs",
                "value": "4"
              }
            ],
            "repeated": 0,
            "id": 9195
          },
          {
            "timestamp": "2026-05-28 22:01:58,162",
            "thread_id": "1276",
            "caller": "0x7ff6c28dcd6e",
            "parentcaller": "0x7ff6c28df26d",
            "category": "misc",
            "api": "FindResourceExW",
            "status": true,
            "return": "0x29252ef1be8",
            "arguments": [
              {
                "name": "Module",
                "value": "0x7ff6c28b0000"
              },
              {
                "name": "Type",
                "value": "#3"
              },
              {
                "name": "Name",
                "value": "#40"
              },
              {
                "name": "Language",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 9196
          },
          {
            "timestamp": "2026-05-28 22:01:58,162",
            "thread_id": "1276",
            "caller": "0x7ff6c28dcd6e",
            "parentcaller": "0x7ff6c28df26d",
            "category": "misc",
            "api": "LoadResource",
            "status": true,
            "return": "0x29252f1b040",
            "arguments": [
              {
                "name": "Module",
                "value": "0x7ff6c28b0000"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29252ef1be8"
              }
            ],
            "repeated": 0,
            "id": 9197
          },
          {
            "timestamp": "2026-05-28 22:01:58,162",
            "thread_id": "5448",
            "caller": "0x7ff6c28d760f",
            "parentcaller": "0x7ff6c28d748b",
            "category": "services",
            "api": "OpenServiceW",
            "status": true,
            "return": "0x29254243bb0",
            "arguments": [
              {
                "name": "ServiceControlManager",
                "value": "0x292542431f0"
              },
              {
                "name": "ServiceName",
                "value": "Audiosrv"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000005",
                "pretty_value": "SERVICE_QUERY_CONFIG|SERVICE_QUERY_STATUS"
              }
            ],
            "repeated": 0,
            "id": 9198
          },
          {
            "timestamp": "2026-05-28 22:01:58,162",
            "thread_id": "5448",
            "caller": "0x7ff6c28d790a",
            "parentcaller": "0x7ff6c28d76df",
            "category": "misc",
            "api": "CommandLineToArgvW",
            "status": true,
            "return": "0x29254234830",
            "arguments": [
              {
                "name": "CommandLine",
                "value": "C:\\Windows\\System32\\svchost.exe -k LocalServiceNetworkRestricted -p"
              },
              {
                "name": "NumArgs",
                "value": "4"
              }
            ],
            "repeated": 0,
            "id": 9199
          },
          {
            "timestamp": "2026-05-28 22:01:58,162",
            "thread_id": "1276",
            "caller": "0x7ff6c28dcdd9",
            "parentcaller": "0x7ff6c28df26d",
            "category": "misc",
            "api": "FindResourceExW",
            "status": true,
            "return": "0x29252ef2038",
            "arguments": [
              {
                "name": "Module",
                "value": "0x7ff6c28b0000"
              },
              {
                "name": "Type",
                "value": "#14"
              },
              {
                "name": "Name",
                "value": "#30653"
              },
              {
                "name": "Language",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 9200
          },
          {
            "timestamp": "2026-05-28 22:01:58,162",
            "thread_id": "5448",
            "caller": "0x7ff6c28d760f",
            "parentcaller": "0x7ff6c28d748b",
            "category": "services",
            "api": "OpenServiceW",
            "status": true,
            "return": "0x29254243580",
            "arguments": [
              {
                "name": "ServiceControlManager",
                "value": "0x292542431f0"
              },
              {
                "name": "ServiceName",
                "value": "autotimesvc"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000005",
                "pretty_value": "SERVICE_QUERY_CONFIG|SERVICE_QUERY_STATUS"
              }
            ],
            "repeated": 0,
            "id": 9201
          },
          {
            "timestamp": "2026-05-28 22:01:58,162",
            "thread_id": "1276",
            "caller": "0x7ff6c28dcdd9",
            "parentcaller": "0x7ff6c28df26d",
            "category": "misc",
            "api": "LoadResource",
            "status": true,
            "return": "0x29252f18d68",
            "arguments": [
              {
                "name": "Module",
                "value": "0x7ff6c28b0000"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29252ef2038"
              }
            ],
            "repeated": 0,
            "id": 9202
          },
          {
            "timestamp": "2026-05-28 22:01:58,162",
            "thread_id": "1276",
            "caller": "0x7ff6c28dcdd9",
            "parentcaller": "0x7ff6c28df26d",
            "category": "misc",
            "api": "FindResourceExW",
            "status": true,
            "return": "0x29252ef1b88",
            "arguments": [
              {
                "name": "Module",
                "value": "0x7ff6c28b0000"
              },
              {
                "name": "Type",
                "value": "#3"
              },
              {
                "name": "Name",
                "value": "#34"
              },
              {
                "name": "Language",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 9203
          },
          {
            "timestamp": "2026-05-28 22:01:58,162",
            "thread_id": "1276",
            "caller": "0x7ff6c28dcdd9",
            "parentcaller": "0x7ff6c28df26d",
            "category": "misc",
            "api": "LoadResource",
            "status": true,
            "return": "0x29252f18900",
            "arguments": [
              {
                "name": "Module",
                "value": "0x7ff6c28b0000"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29252ef1b88"
              }
            ],
            "repeated": 0,
            "id": 9204
          },
          {
            "timestamp": "2026-05-28 22:01:58,162",
            "thread_id": "5448",
            "caller": "0x7ff6c28d790a",
            "parentcaller": "0x7ff6c28d76df",
            "category": "misc",
            "api": "CommandLineToArgvW",
            "status": true,
            "return": "0x29254220390",
            "arguments": [
              {
                "name": "CommandLine",
                "value": "C:\\Windows\\system32\\svchost.exe -k autoTimeSvc"
              },
              {
                "name": "NumArgs",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 9205
          },
          {
            "timestamp": "2026-05-28 22:01:58,162",
            "thread_id": "5448",
            "caller": "0x7ff6c28d760f",
            "parentcaller": "0x7ff6c28d748b",
            "category": "services",
            "api": "OpenServiceW",
            "status": true,
            "return": "0x29254243670",
            "arguments": [
              {
                "name": "ServiceControlManager",
                "value": "0x292542431f0"
              },
              {
                "name": "ServiceName",
                "value": "AxInstSV"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000005",
                "pretty_value": "SERVICE_QUERY_CONFIG|SERVICE_QUERY_STATUS"
              }
            ],
            "repeated": 0,
            "id": 9206
          },
          {
            "timestamp": "2026-05-28 22:01:58,162",
            "thread_id": "5448",
            "caller": "0x7ff6c28d790a",
            "parentcaller": "0x7ff6c28d76df",
            "category": "misc",
            "api": "CommandLineToArgvW",
            "status": true,
            "return": "0x29254220d20",
            "arguments": [
              {
                "name": "CommandLine",
                "value": "C:\\Windows\\system32\\svchost.exe -k AxInstSVGroup"
              },
              {
                "name": "NumArgs",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 9207
          },
          {
            "timestamp": "2026-05-28 22:01:58,162",
            "thread_id": "1276",
            "caller": "0x7ff6c28dce44",
            "parentcaller": "0x7ff6c28df26d",
            "category": "misc",
            "api": "FindResourceExW",
            "status": true,
            "return": "0x29252ef2058",
            "arguments": [
              {
                "name": "Module",
                "value": "0x7ff6c28b0000"
              },
              {
                "name": "Type",
                "value": "#14"
              },
              {
                "name": "Name",
                "value": "#30655"
              },
              {
                "name": "Language",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 9208
          },
          {
            "timestamp": "2026-05-28 22:01:58,162",
            "thread_id": "5448",
            "caller": "0x7ff6c28d760f",
            "parentcaller": "0x7ff6c28d748b",
            "category": "services",
            "api": "OpenServiceW",
            "status": true,
            "return": "0x292542434c0",
            "arguments": [
              {
                "name": "ServiceControlManager",
                "value": "0x292542431f0"
              },
              {
                "name": "ServiceName",
                "value": "BcastDVRUserService"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000005",
                "pretty_value": "SERVICE_QUERY_CONFIG|SERVICE_QUERY_STATUS"
              }
            ],
            "repeated": 0,
            "id": 9209
          },
          {
            "timestamp": "2026-05-28 22:01:58,162",
            "thread_id": "1276",
            "caller": "0x7ff6c28dce44",
            "parentcaller": "0x7ff6c28df26d",
            "category": "misc",
            "api": "LoadResource",
            "status": true,
            "return": "0x29252f1e0a0",
            "arguments": [
              {
                "name": "Module",
                "value": "0x7ff6c28b0000"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29252ef2058"
              }
            ],
            "repeated": 0,
            "id": 9210
          },
          {
            "timestamp": "2026-05-28 22:01:58,162",
            "thread_id": "1276",
            "caller": "0x7ff6c28dce44",
            "parentcaller": "0x7ff6c28df26d",
            "category": "misc",
            "api": "FindResourceExW",
            "status": true,
            "return": "0x29252ef1c78",
            "arguments": [
              {
                "name": "Module",
                "value": "0x7ff6c28b0000"
              },
              {
                "name": "Type",
                "value": "#3"
              },
              {
                "name": "Name",
                "value": "#49"
              },
              {
                "name": "Language",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 9211
          },
          {
            "timestamp": "2026-05-28 22:01:58,162",
            "thread_id": "1276",
            "caller": "0x7ff6c28dce44",
            "parentcaller": "0x7ff6c28df26d",
            "category": "misc",
            "api": "LoadResource",
            "status": true,
            "return": "0x29252f1dc38",
            "arguments": [
              {
                "name": "Module",
                "value": "0x7ff6c28b0000"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29252ef1c78"
              }
            ],
            "repeated": 0,
            "id": 9212
          },
          {
            "timestamp": "2026-05-28 22:01:58,162",
            "thread_id": "5448",
            "caller": "0x7ff6c28d790a",
            "parentcaller": "0x7ff6c28d76df",
            "category": "misc",
            "api": "CommandLineToArgvW",
            "status": true,
            "return": "0x29254254c10",
            "arguments": [
              {
                "name": "CommandLine",
                "value": "C:\\Windows\\system32\\svchost.exe -k BcastDVRUserService"
              },
              {
                "name": "NumArgs",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 9213
          },
          {
            "timestamp": "2026-05-28 22:01:58,162",
            "thread_id": "5448",
            "caller": "0x7ff6c28d760f",
            "parentcaller": "0x7ff6c28d748b",
            "category": "services",
            "api": "OpenServiceW",
            "status": true,
            "return": "0x29254243a00",
            "arguments": [
              {
                "name": "ServiceControlManager",
                "value": "0x292542431f0"
              },
              {
                "name": "ServiceName",
                "value": "BDESVC"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000005",
                "pretty_value": "SERVICE_QUERY_CONFIG|SERVICE_QUERY_STATUS"
              }
            ],
            "repeated": 0,
            "id": 9214
          },
          {
            "timestamp": "2026-05-28 22:01:58,162",
            "thread_id": "5448",
            "caller": "0x7ff6c28d790a",
            "parentcaller": "0x7ff6c28d76df",
            "category": "misc",
            "api": "CommandLineToArgvW",
            "status": true,
            "return": "0x29254220270",
            "arguments": [
              {
                "name": "CommandLine",
                "value": "C:\\Windows\\System32\\svchost.exe -k netsvcs -p"
              },
              {
                "name": "NumArgs",
                "value": "4"
              }
            ],
            "repeated": 0,
            "id": 9215
          },
          {
            "timestamp": "2026-05-28 22:01:58,162",
            "thread_id": "1276",
            "caller": "0x7ff6c28dceaf",
            "parentcaller": "0x7ff6c28df26d",
            "category": "misc",
            "api": "FindResourceExW",
            "status": true,
            "return": "0x29252ef2068",
            "arguments": [
              {
                "name": "Module",
                "value": "0x7ff6c28b0000"
              },
              {
                "name": "Type",
                "value": "#14"
              },
              {
                "name": "Name",
                "value": "#30656"
              },
              {
                "name": "Language",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 9216
          },
          {
            "timestamp": "2026-05-28 22:01:58,162",
            "thread_id": "1276",
            "caller": "0x7ff6c28dceaf",
            "parentcaller": "0x7ff6c28df26d",
            "category": "misc",
            "api": "LoadResource",
            "status": true,
            "return": "0x29252f21a90",
            "arguments": [
              {
                "name": "Module",
                "value": "0x7ff6c28b0000"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29252ef2068"
              }
            ],
            "repeated": 0,
            "id": 9217
          },
          {
            "timestamp": "2026-05-28 22:01:58,162",
            "thread_id": "1276",
            "caller": "0x7ff6c28dceaf",
            "parentcaller": "0x7ff6c28df26d",
            "category": "misc",
            "api": "FindResourceExW",
            "status": true,
            "return": "0x29252ef1d08",
            "arguments": [
              {
                "name": "Module",
                "value": "0x7ff6c28b0000"
              },
              {
                "name": "Type",
                "value": "#3"
              },
              {
                "name": "Name",
                "value": "#58"
              },
              {
                "name": "Language",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 9218
          },
          {
            "timestamp": "2026-05-28 22:01:58,162",
            "thread_id": "1276",
            "caller": "0x7ff6c28dceaf",
            "parentcaller": "0x7ff6c28df26d",
            "category": "misc",
            "api": "LoadResource",
            "status": true,
            "return": "0x29252f21628",
            "arguments": [
              {
                "name": "Module",
                "value": "0x7ff6c28b0000"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29252ef1d08"
              }
            ],
            "repeated": 0,
            "id": 9219
          },
          {
            "timestamp": "2026-05-28 22:01:58,162",
            "thread_id": "5448",
            "caller": "0x7ff6c28d760f",
            "parentcaller": "0x7ff6c28d748b",
            "category": "services",
            "api": "OpenServiceW",
            "status": true,
            "return": "0x29254243640",
            "arguments": [
              {
                "name": "ServiceControlManager",
                "value": "0x292542431f0"
              },
              {
                "name": "ServiceName",
                "value": "BFE"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000005",
                "pretty_value": "SERVICE_QUERY_CONFIG|SERVICE_QUERY_STATUS"
              }
            ],
            "repeated": 0,
            "id": 9220
          },
          {
            "timestamp": "2026-05-28 22:01:58,162",
            "thread_id": "5448",
            "caller": "0x7ff6c28d790a",
            "parentcaller": "0x7ff6c28d76df",
            "category": "misc",
            "api": "CommandLineToArgvW",
            "status": true,
            "return": "0x29254233f30",
            "arguments": [
              {
                "name": "CommandLine",
                "value": "C:\\Windows\\system32\\svchost.exe -k LocalServiceNoNetworkFirewall -p"
              },
              {
                "name": "NumArgs",
                "value": "4"
              }
            ],
            "repeated": 0,
            "id": 9221
          },
          {
            "timestamp": "2026-05-28 22:01:58,162",
            "thread_id": "5448",
            "caller": "0x7ff6c28d760f",
            "parentcaller": "0x7ff6c28d748b",
            "category": "services",
            "api": "OpenServiceW",
            "status": true,
            "return": "0x29254243730",
            "arguments": [
              {
                "name": "ServiceControlManager",
                "value": "0x292542431f0"
              },
              {
                "name": "ServiceName",
                "value": "BITS"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000005",
                "pretty_value": "SERVICE_QUERY_CONFIG|SERVICE_QUERY_STATUS"
              }
            ],
            "repeated": 0,
            "id": 9222
          },
          {
            "timestamp": "2026-05-28 22:01:58,162",
            "thread_id": "1276",
            "caller": "0x7ff6c28dcf1a",
            "parentcaller": "0x7ff6c28df26d",
            "category": "misc",
            "api": "FindResourceExW",
            "status": true,
            "return": "0x29252ef2028",
            "arguments": [
              {
                "name": "Module",
                "value": "0x7ff6c28b0000"
              },
              {
                "name": "Type",
                "value": "#14"
              },
              {
                "name": "Name",
                "value": "#30652"
              },
              {
                "name": "Language",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 9223
          },
          {
            "timestamp": "2026-05-28 22:01:58,162",
            "thread_id": "5448",
            "caller": "0x7ff6c28d790a",
            "parentcaller": "0x7ff6c28d76df",
            "category": "misc",
            "api": "CommandLineToArgvW",
            "status": true,
            "return": "0x2925421ef50",
            "arguments": [
              {
                "name": "CommandLine",
                "value": "C:\\Windows\\System32\\svchost.exe -k netsvcs -p"
              },
              {
                "name": "NumArgs",
                "value": "4"
              }
            ],
            "repeated": 0,
            "id": 9224
          },
          {
            "timestamp": "2026-05-28 22:01:58,162",
            "thread_id": "1276",
            "caller": "0x7ff6c28dcf1a",
            "parentcaller": "0x7ff6c28df26d",
            "category": "misc",
            "api": "LoadResource",
            "status": true,
            "return": "0x29252f16628",
            "arguments": [
              {
                "name": "Module",
                "value": "0x7ff6c28b0000"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29252ef2028"
              }
            ],
            "repeated": 0,
            "id": 9225
          },
          {
            "timestamp": "2026-05-28 22:01:58,162",
            "thread_id": "1276",
            "caller": "0x7ff6c28dcf1a",
            "parentcaller": "0x7ff6c28df26d",
            "category": "misc",
            "api": "FindResourceExW",
            "status": true,
            "return": "0x29252ef1b28",
            "arguments": [
              {
                "name": "Module",
                "value": "0x7ff6c28b0000"
              },
              {
                "name": "Type",
                "value": "#3"
              },
              {
                "name": "Name",
                "value": "#28"
              },
              {
                "name": "Language",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 9226
          },
          {
            "timestamp": "2026-05-28 22:01:58,162",
            "thread_id": "1276",
            "caller": "0x7ff6c28dcf1a",
            "parentcaller": "0x7ff6c28df26d",
            "category": "misc",
            "api": "LoadResource",
            "status": true,
            "return": "0x29252f161c0",
            "arguments": [
              {
                "name": "Module",
                "value": "0x7ff6c28b0000"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29252ef1b28"
              }
            ],
            "repeated": 0,
            "id": 9227
          },
          {
            "timestamp": "2026-05-28 22:01:58,162",
            "thread_id": "5448",
            "caller": "0x7ff6c28d760f",
            "parentcaller": "0x7ff6c28d748b",
            "category": "services",
            "api": "OpenServiceW",
            "status": true,
            "return": "0x292542434c0",
            "arguments": [
              {
                "name": "ServiceControlManager",
                "value": "0x292542431f0"
              },
              {
                "name": "ServiceName",
                "value": "BluetoothUserService"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000005",
                "pretty_value": "SERVICE_QUERY_CONFIG|SERVICE_QUERY_STATUS"
              }
            ],
            "repeated": 0,
            "id": 9228
          },
          {
            "timestamp": "2026-05-28 22:01:58,162",
            "thread_id": "5448",
            "caller": "0x7ff6c28d790a",
            "parentcaller": "0x7ff6c28d76df",
            "category": "misc",
            "api": "CommandLineToArgvW",
            "status": true,
            "return": "0x292542554d0",
            "arguments": [
              {
                "name": "CommandLine",
                "value": "C:\\Windows\\system32\\svchost.exe -k BthAppGroup -p"
              },
              {
                "name": "NumArgs",
                "value": "4"
              }
            ],
            "repeated": 0,
            "id": 9229
          },
          {
            "timestamp": "2026-05-28 22:01:58,162",
            "thread_id": "5448",
            "caller": "0x7ff6c28d760f",
            "parentcaller": "0x7ff6c28d748b",
            "category": "services",
            "api": "OpenServiceW",
            "status": true,
            "return": "0x292542434c0",
            "arguments": [
              {
                "name": "ServiceControlManager",
                "value": "0x292542431f0"
              },
              {
                "name": "ServiceName",
                "value": "BrokerInfrastructure"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000005",
                "pretty_value": "SERVICE_QUERY_CONFIG|SERVICE_QUERY_STATUS"
              }
            ],
            "repeated": 0,
            "id": 9230
          },
          {
            "timestamp": "2026-05-28 22:01:58,162",
            "thread_id": "1276",
            "caller": "0x7ff6c28dcf85",
            "parentcaller": "0x7ff6c28df26d",
            "category": "misc",
            "api": "FindResourceExW",
            "status": true,
            "return": "0x29252ef2078",
            "arguments": [
              {
                "name": "Module",
                "value": "0x7ff6c28b0000"
              },
              {
                "name": "Type",
                "value": "#14"
              },
              {
                "name": "Name",
                "value": "#30657"
              },
              {
                "name": "Language",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 9231
          },
          {
            "timestamp": "2026-05-28 22:01:58,162",
            "thread_id": "1276",
            "caller": "0x7ff6c28dcf85",
            "parentcaller": "0x7ff6c28df26d",
            "category": "misc",
            "api": "LoadResource",
            "status": true,
            "return": "0x29252f241f8",
            "arguments": [
              {
                "name": "Module",
                "value": "0x7ff6c28b0000"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29252ef2078"
              }
            ],
            "repeated": 0,
            "id": 9232
          },
          {
            "timestamp": "2026-05-28 22:01:58,162",
            "thread_id": "1276",
            "caller": "0x7ff6c28dcf85",
            "parentcaller": "0x7ff6c28df26d",
            "category": "misc",
            "api": "FindResourceExW",
            "status": true,
            "return": "0x29252ef1d68",
            "arguments": [
              {
                "name": "Module",
                "value": "0x7ff6c28b0000"
              },
              {
                "name": "Type",
                "value": "#3"
              },
              {
                "name": "Name",
                "value": "#64"
              },
              {
                "name": "Language",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 9233
          },
          {
            "timestamp": "2026-05-28 22:01:58,162",
            "thread_id": "5448",
            "caller": "0x7ff6c28d790a",
            "parentcaller": "0x7ff6c28d76df",
            "category": "misc",
            "api": "CommandLineToArgvW",
            "status": true,
            "return": "0x29254254710",
            "arguments": [
              {
                "name": "CommandLine",
                "value": "C:\\Windows\\system32\\svchost.exe -k DcomLaunch -p"
              },
              {
                "name": "NumArgs",
                "value": "4"
              }
            ],
            "repeated": 0,
            "id": 9234
          },
          {
            "timestamp": "2026-05-28 22:01:58,162",
            "thread_id": "5448",
            "caller": "0x7ff6c28d760f",
            "parentcaller": "0x7ff6c28d748b",
            "category": "services",
            "api": "OpenServiceW",
            "status": true,
            "return": "0x29254243a60",
            "arguments": [
              {
                "name": "ServiceControlManager",
                "value": "0x292542431f0"
              },
              {
                "name": "ServiceName",
                "value": "BTAGService"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000005",
                "pretty_value": "SERVICE_QUERY_CONFIG|SERVICE_QUERY_STATUS"
              }
            ],
            "repeated": 0,
            "id": 9235
          },
          {
            "timestamp": "2026-05-28 22:01:58,162",
            "thread_id": "5448",
            "caller": "0x7ff6c28d790a",
            "parentcaller": "0x7ff6c28d76df",
            "category": "misc",
            "api": "CommandLineToArgvW",
            "status": true,
            "return": "0x29253ed53e0",
            "arguments": [
              {
                "name": "CommandLine",
                "value": "C:\\Windows\\system32\\svchost.exe -k LocalServiceNetworkRestricted"
              },
              {
                "name": "NumArgs",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 9236
          },
          {
            "timestamp": "2026-05-28 22:01:58,162",
            "thread_id": "1276",
            "caller": "0x7ff6c28dcff0",
            "parentcaller": "0x7ff6c28df26d",
            "category": "misc",
            "api": "FindResourceExW",
            "status": true,
            "return": "0x29252ef20e8",
            "arguments": [
              {
                "name": "Module",
                "value": "0x7ff6c28b0000"
              },
              {
                "name": "Type",
                "value": "#14"
              },
              {
                "name": "Name",
                "value": "#30664"
              },
              {
                "name": "Language",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 9237
          },
          {
            "timestamp": "2026-05-28 22:01:58,162",
            "thread_id": "1276",
            "caller": "0x7ff6c28dcff0",
            "parentcaller": "0x7ff6c28df26d",
            "category": "misc",
            "api": "LoadResource",
            "status": true,
            "return": "0x29252f26df0",
            "arguments": [
              {
                "name": "Module",
                "value": "0x7ff6c28b0000"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29252ef20e8"
              }
            ],
            "repeated": 0,
            "id": 9238
          },
          {
            "timestamp": "2026-05-28 22:01:58,162",
            "thread_id": "5448",
            "caller": "0x7ff6c28d760f",
            "parentcaller": "0x7ff6c28d748b",
            "category": "services",
            "api": "OpenServiceW",
            "status": true,
            "return": "0x29254243760",
            "arguments": [
              {
                "name": "ServiceControlManager",
                "value": "0x292542431f0"
              },
              {
                "name": "ServiceName",
                "value": "BthAvctpSvc"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000005",
                "pretty_value": "SERVICE_QUERY_CONFIG|SERVICE_QUERY_STATUS"
              }
            ],
            "repeated": 0,
            "id": 9239
          },
          {
            "timestamp": "2026-05-28 22:01:58,162",
            "thread_id": "1276",
            "caller": "0x7ff6c28dcff0",
            "parentcaller": "0x7ff6c28df26d",
            "category": "misc",
            "api": "FindResourceExW",
            "status": true,
            "return": "0x29252ef1df8",
            "arguments": [
              {
                "name": "Module",
                "value": "0x7ff6c28b0000"
              },
              {
                "name": "Type",
                "value": "#3"
              },
              {
                "name": "Name",
                "value": "#73"
              },
              {
                "name": "Language",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 9240
          },
          {
            "timestamp": "2026-05-28 22:01:58,162",
            "thread_id": "1276",
            "caller": "0x7ff6c28dcff0",
            "parentcaller": "0x7ff6c28df26d",
            "category": "misc",
            "api": "LoadResource",
            "status": true,
            "return": "0x29252f26988",
            "arguments": [
              {
                "name": "Module",
                "value": "0x7ff6c28b0000"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29252ef1df8"
              }
            ],
            "repeated": 0,
            "id": 9241
          },
          {
            "timestamp": "2026-05-28 22:01:58,162",
            "thread_id": "5448",
            "caller": "0x7ff6c28d790a",
            "parentcaller": "0x7ff6c28d76df",
            "category": "misc",
            "api": "CommandLineToArgvW",
            "status": true,
            "return": "0x29254253a90",
            "arguments": [
              {
                "name": "CommandLine",
                "value": "C:\\Windows\\system32\\svchost.exe -k LocalService -p"
              },
              {
                "name": "NumArgs",
                "value": "4"
              }
            ],
            "repeated": 0,
            "id": 9242
          },
          {
            "timestamp": "2026-05-28 22:01:58,162",
            "thread_id": "5448",
            "caller": "0x7ff6c28d760f",
            "parentcaller": "0x7ff6c28d748b",
            "category": "services",
            "api": "OpenServiceW",
            "status": true,
            "return": "0x29254243760",
            "arguments": [
              {
                "name": "ServiceControlManager",
                "value": "0x292542431f0"
              },
              {
                "name": "ServiceName",
                "value": "bthserv"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000005",
                "pretty_value": "SERVICE_QUERY_CONFIG|SERVICE_QUERY_STATUS"
              }
            ],
            "repeated": 0,
            "id": 9243
          },
          {
            "timestamp": "2026-05-28 22:01:58,162",
            "thread_id": "5448",
            "caller": "0x7ff6c28d790a",
            "parentcaller": "0x7ff6c28d76df",
            "category": "misc",
            "api": "CommandLineToArgvW",
            "status": true,
            "return": "0x29254254350",
            "arguments": [
              {
                "name": "CommandLine",
                "value": "C:\\Windows\\system32\\svchost.exe -k LocalService -p"
              },
              {
                "name": "NumArgs",
                "value": "4"
              }
            ],
            "repeated": 0,
            "id": 9244
          },
          {
            "timestamp": "2026-05-28 22:01:58,162",
            "thread_id": "1276",
            "caller": "0x7ff6c28ba417",
            "parentcaller": "0x7ff6c28ba33d",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254277000"
              },
              {
                "name": "RegionSize",
                "value": "0x00003000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 9245
          },
          {
            "timestamp": "2026-05-28 22:01:58,162",
            "thread_id": "1276",
            "caller": "0x7ff6c28ba417",
            "parentcaller": "0x7ff6c28ba33d",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\ProgramData\\Microsoft\\User Account Pictures\\user.png"
              }
            ],
            "repeated": 0,
            "id": 9246
          },
          {
            "timestamp": "2026-05-28 22:01:58,162",
            "thread_id": "5448",
            "caller": "0x7ff6c28d760f",
            "parentcaller": "0x7ff6c28d748b",
            "category": "services",
            "api": "OpenServiceW",
            "status": true,
            "return": "0x29254243760",
            "arguments": [
              {
                "name": "ServiceControlManager",
                "value": "0x292542431f0"
              },
              {
                "name": "ServiceName",
                "value": "CaptureService"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000005",
                "pretty_value": "SERVICE_QUERY_CONFIG|SERVICE_QUERY_STATUS"
              }
            ],
            "repeated": 0,
            "id": 9247
          },
          {
            "timestamp": "2026-05-28 22:01:58,162",
            "thread_id": "1276",
            "caller": "0x7ff6c28ba417",
            "parentcaller": "0x7ff6c28ba33d",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000007bc"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\ProgramData\\Microsoft\\User Account Pictures\\user.png"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "1",
                "pretty_value": "FILE_SHARE_READ"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 9248
          },
          {
            "timestamp": "2026-05-28 22:01:58,162",
            "thread_id": "5448",
            "caller": "0x7ff6c28d790a",
            "parentcaller": "0x7ff6c28d76df",
            "category": "misc",
            "api": "CommandLineToArgvW",
            "status": true,
            "return": "0x29254253810",
            "arguments": [
              {
                "name": "CommandLine",
                "value": "C:\\Windows\\system32\\svchost.exe -k LocalService -p"
              },
              {
                "name": "NumArgs",
                "value": "4"
              }
            ],
            "repeated": 0,
            "id": 9249
          },
          {
            "timestamp": "2026-05-28 22:01:58,162",
            "thread_id": "5448",
            "caller": "0x7ff6c28d760f",
            "parentcaller": "0x7ff6c28d748b",
            "category": "services",
            "api": "OpenServiceW",
            "status": true,
            "return": "0x29254243760",
            "arguments": [
              {
                "name": "ServiceControlManager",
                "value": "0x292542431f0"
              },
              {
                "name": "ServiceName",
                "value": "cbdhsvc"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000005",
                "pretty_value": "SERVICE_QUERY_CONFIG|SERVICE_QUERY_STATUS"
              }
            ],
            "repeated": 0,
            "id": 9250
          },
          {
            "timestamp": "2026-05-28 22:01:58,162",
            "thread_id": "1276",
            "caller": "0x7ff6c28ba417",
            "parentcaller": "0x7ff6c28ba33d",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x000007b8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x000007bc"
              },
              {
                "name": "FileName",
                "value": "C:\\ProgramData\\Microsoft\\User Account Pictures\\user.png"
              }
            ],
            "repeated": 0,
            "id": 9251
          },
          {
            "timestamp": "2026-05-28 22:01:58,162",
            "thread_id": "1276",
            "caller": "0x7ff6c28ba417",
            "parentcaller": "0x7ff6c28ba33d",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x000007b8"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x292546d0000"
              },
              {
                "name": "SectionOffset",
                "value": "0xf09e17ed00"
              },
              {
                "name": "ViewSize",
                "value": "0x00002000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 9252
          },
          {
            "timestamp": "2026-05-28 22:01:58,162",
            "thread_id": "5448",
            "caller": "0x7ff6c28d760f",
            "parentcaller": "0x7ff6c28d748b",
            "category": "services",
            "api": "OpenServiceW",
            "status": true,
            "return": "0x29254243760",
            "arguments": [
              {
                "name": "ServiceControlManager",
                "value": "0x292542431f0"
              },
              {
                "name": "ServiceName",
                "value": "CDPSvc"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000005",
                "pretty_value": "SERVICE_QUERY_CONFIG|SERVICE_QUERY_STATUS"
              }
            ],
            "repeated": 0,
            "id": 9253
          },
          {
            "timestamp": "2026-05-28 22:01:58,162",
            "thread_id": "1276",
            "caller": "0x7ff6c28ba417",
            "parentcaller": "0x7ff6c28ba33d",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000007bc"
              },
              {
                "name": "HandleName",
                "value": "C:\\ProgramData\\Microsoft\\User Account Pictures\\user.png"
              },
              {
                "name": "FileInformationClass",
                "value": "5",
                "pretty_value": "FileStandardInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\x00 \\x00\\x00\\x00\\x00\\x00\\x00\\xa5\\x17\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 9254
          },
          {
            "timestamp": "2026-05-28 22:01:58,162",
            "thread_id": "5448",
            "caller": "0x7ff6c28d790a",
            "parentcaller": "0x7ff6c28d76df",
            "category": "misc",
            "api": "CommandLineToArgvW",
            "status": true,
            "return": "0x29254254fd0",
            "arguments": [
              {
                "name": "CommandLine",
                "value": "C:\\Windows\\system32\\svchost.exe -k LocalService -p"
              },
              {
                "name": "NumArgs",
                "value": "4"
              }
            ],
            "repeated": 0,
            "id": 9255
          },
          {
            "timestamp": "2026-05-28 22:01:58,162",
            "thread_id": "1276",
            "caller": "0x7ff6c28ba417",
            "parentcaller": "0x7ff6c28ba33d",
            "category": "process",
            "api": "NtUnmapViewOfSectionEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x292546d0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00002000"
              },
              {
                "name": "Flags",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 9256
          },
          {
            "timestamp": "2026-05-28 22:01:58,162",
            "thread_id": "1276",
            "caller": "0x7ff6c28ba417",
            "parentcaller": "0x7ff6c28ba33d",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000007b8"
              }
            ],
            "repeated": 0,
            "id": 9257
          },
          {
            "timestamp": "2026-05-28 22:01:58,162",
            "thread_id": "5448",
            "caller": "0x7ff6c28d760f",
            "parentcaller": "0x7ff6c28d748b",
            "category": "services",
            "api": "OpenServiceW",
            "status": true,
            "return": "0x29254243760",
            "arguments": [
              {
                "name": "ServiceControlManager",
                "value": "0x292542431f0"
              },
              {
                "name": "ServiceName",
                "value": "CDPUserSvc"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000005",
                "pretty_value": "SERVICE_QUERY_CONFIG|SERVICE_QUERY_STATUS"
              }
            ],
            "repeated": 0,
            "id": 9258
          },
          {
            "timestamp": "2026-05-28 22:01:58,162",
            "thread_id": "1276",
            "caller": "0x7ff6c28ba417",
            "parentcaller": "0x7ff6c28ba33d",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000007bc"
              }
            ],
            "repeated": 0,
            "id": 9259
          },
          {
            "timestamp": "2026-05-28 22:01:58,162",
            "thread_id": "1276",
            "caller": "0x7ff6c28ba46d",
            "parentcaller": "0x7ff6c28ba33d",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\ProgramData\\Microsoft\\User Account Pictures\\user.png"
              }
            ],
            "repeated": 0,
            "id": 9260
          },
          {
            "timestamp": "2026-05-28 22:01:58,162",
            "thread_id": "5448",
            "caller": "0x7ff6c28d760f",
            "parentcaller": "0x7ff6c28d748b",
            "category": "services",
            "api": "OpenServiceW",
            "status": true,
            "return": "0x29254243760",
            "arguments": [
              {
                "name": "ServiceControlManager",
                "value": "0x292542431f0"
              },
              {
                "name": "ServiceName",
                "value": "CertPropSvc"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000005",
                "pretty_value": "SERVICE_QUERY_CONFIG|SERVICE_QUERY_STATUS"
              }
            ],
            "repeated": 0,
            "id": 9261
          },
          {
            "timestamp": "2026-05-28 22:01:58,162",
            "thread_id": "1276",
            "caller": "0x7ff6c28ba46d",
            "parentcaller": "0x7ff6c28ba33d",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000007bc"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\ProgramData\\Microsoft\\User Account Pictures\\user.png"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "1",
                "pretty_value": "FILE_SHARE_READ"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 9262
          },
          {
            "timestamp": "2026-05-28 22:01:58,162",
            "thread_id": "5448",
            "caller": "0x7ff6c28d760f",
            "parentcaller": "0x7ff6c28d748b",
            "category": "services",
            "api": "OpenServiceW",
            "status": true,
            "return": "0x29254243760",
            "arguments": [
              {
                "name": "ServiceControlManager",
                "value": "0x292542431f0"
              },
              {
                "name": "ServiceName",
                "value": "ClipSVC"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000005",
                "pretty_value": "SERVICE_QUERY_CONFIG|SERVICE_QUERY_STATUS"
              }
            ],
            "repeated": 0,
            "id": 9263
          },
          {
            "timestamp": "2026-05-28 22:01:58,162",
            "thread_id": "5448",
            "caller": "0x7ff6c28d790a",
            "parentcaller": "0x7ff6c28d76df",
            "category": "misc",
            "api": "CommandLineToArgvW",
            "status": true,
            "return": "0x2925421f850",
            "arguments": [
              {
                "name": "CommandLine",
                "value": "C:\\Windows\\System32\\svchost.exe -k wsappx -p"
              },
              {
                "name": "NumArgs",
                "value": "4"
              }
            ],
            "repeated": 0,
            "id": 9264
          },
          {
            "timestamp": "2026-05-28 22:01:58,162",
            "thread_id": "1276",
            "caller": "0x7ff6c28ba46d",
            "parentcaller": "0x7ff6c28ba33d",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x000007b8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x000007bc"
              },
              {
                "name": "FileName",
                "value": "C:\\ProgramData\\Microsoft\\User Account Pictures\\user.png"
              }
            ],
            "repeated": 0,
            "id": 9265
          },
          {
            "timestamp": "2026-05-28 22:01:58,162",
            "thread_id": "1276",
            "caller": "0x7ff6c28ba46d",
            "parentcaller": "0x7ff6c28ba33d",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x000007b8"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x292546d0000"
              },
              {
                "name": "SectionOffset",
                "value": "0xf09e17ed00"
              },
              {
                "name": "ViewSize",
                "value": "0x00002000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 9266
          },
          {
            "timestamp": "2026-05-28 22:01:58,162",
            "thread_id": "5448",
            "caller": "0x7ff6c28d790a",
            "parentcaller": "0x7ff6c28d76df",
            "category": "misc",
            "api": "CommandLineToArgvW",
            "status": true,
            "return": "0x29254276830",
            "arguments": [
              {
                "name": "CommandLine",
                "value": "C:\\Windows\\system32\\svchost.exe -k CloudIdServiceGroup -p"
              },
              {
                "name": "NumArgs",
                "value": "4"
              }
            ],
            "repeated": 0,
            "id": 9267
          },
          {
            "timestamp": "2026-05-28 22:01:58,162",
            "thread_id": "5448",
            "caller": "0x7ff6c28d760f",
            "parentcaller": "0x7ff6c28d748b",
            "category": "services",
            "api": "OpenServiceW",
            "status": true,
            "return": "0x29254243760",
            "arguments": [
              {
                "name": "ServiceControlManager",
                "value": "0x292542431f0"
              },
              {
                "name": "ServiceName",
                "value": "COMSysApp"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000005",
                "pretty_value": "SERVICE_QUERY_CONFIG|SERVICE_QUERY_STATUS"
              }
            ],
            "repeated": 0,
            "id": 9268
          },
          {
            "timestamp": "2026-05-28 22:01:58,162",
            "thread_id": "1276",
            "caller": "0x7ff6c28ba46d",
            "parentcaller": "0x7ff6c28ba33d",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000007bc"
              },
              {
                "name": "HandleName",
                "value": "C:\\ProgramData\\Microsoft\\User Account Pictures\\user.png"
              },
              {
                "name": "FileInformationClass",
                "value": "5",
                "pretty_value": "FileStandardInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\x00 \\x00\\x00\\x00\\x00\\x00\\x00\\xa5\\x17\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 9269
          },
          {
            "timestamp": "2026-05-28 22:01:58,162",
            "thread_id": "1276",
            "caller": "0x7ff6c28ba46d",
            "parentcaller": "0x7ff6c28ba33d",
            "category": "process",
            "api": "NtUnmapViewOfSectionEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x292546d0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00002000"
              },
              {
                "name": "Flags",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 9270
          },
          {
            "timestamp": "2026-05-28 22:01:58,162",
            "thread_id": "1276",
            "caller": "0x7ff6c28ba46d",
            "parentcaller": "0x7ff6c28ba33d",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000007b8"
              }
            ],
            "repeated": 0,
            "id": 9271
          },
          {
            "timestamp": "2026-05-28 22:01:58,162",
            "thread_id": "5448",
            "caller": "0x7ff6c28d790a",
            "parentcaller": "0x7ff6c28d76df",
            "category": "misc",
            "api": "CommandLineToArgvW",
            "status": true,
            "return": "0x29254230100",
            "arguments": [
              {
                "name": "CommandLine",
                "value": "C:\\Windows\\system32\\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}"
              },
              {
                "name": "NumArgs",
                "value": "2"
              }
            ],
            "repeated": 0,
            "id": 9272
          },
          {
            "timestamp": "2026-05-28 22:01:58,162",
            "thread_id": "1276",
            "caller": "0x7ff6c28ba46d",
            "parentcaller": "0x7ff6c28ba33d",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000007bc"
              }
            ],
            "repeated": 0,
            "id": 9273
          },
          {
            "timestamp": "2026-05-28 22:01:58,162",
            "thread_id": "5448",
            "caller": "0x7ff6c28d760f",
            "parentcaller": "0x7ff6c28d748b",
            "category": "services",
            "api": "OpenServiceW",
            "status": true,
            "return": "0x29254243760",
            "arguments": [
              {
                "name": "ServiceControlManager",
                "value": "0x292542431f0"
              },
              {
                "name": "ServiceName",
                "value": "ConsentUxUserSvc"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000005",
                "pretty_value": "SERVICE_QUERY_CONFIG|SERVICE_QUERY_STATUS"
              }
            ],
            "repeated": 0,
            "id": 9274
          },
          {
            "timestamp": "2026-05-28 22:01:58,162",
            "thread_id": "5448",
            "caller": "0x7ff6c28d790a",
            "parentcaller": "0x7ff6c28d76df",
            "category": "misc",
            "api": "CommandLineToArgvW",
            "status": true,
            "return": "0x2925421f850",
            "arguments": [
              {
                "name": "CommandLine",
                "value": "C:\\Windows\\system32\\svchost.exe -k DevicesFlow"
              },
              {
                "name": "NumArgs",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 9275
          },
          {
            "timestamp": "2026-05-28 22:01:58,162",
            "thread_id": "5448",
            "caller": "0x7ff6c28d760f",
            "parentcaller": "0x7ff6c28d748b",
            "category": "services",
            "api": "OpenServiceW",
            "status": true,
            "return": "0x29254243760",
            "arguments": [
              {
                "name": "ServiceControlManager",
                "value": "0x292542431f0"
              },
              {
                "name": "ServiceName",
                "value": "CoreMessagingRegistrar"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000005",
                "pretty_value": "SERVICE_QUERY_CONFIG|SERVICE_QUERY_STATUS"
              }
            ],
            "repeated": 0,
            "id": 9276
          },
          {
            "timestamp": "2026-05-28 22:01:58,162",
            "thread_id": "5448",
            "caller": "0x7ff6c28d790a",
            "parentcaller": "0x7ff6c28d76df",
            "category": "misc",
            "api": "CommandLineToArgvW",
            "status": true,
            "return": "0x29254275d30",
            "arguments": [
              {
                "name": "CommandLine",
                "value": "C:\\Windows\\system32\\svchost.exe -k LocalServiceNoNetwork -p"
              },
              {
                "name": "NumArgs",
                "value": "4"
              }
            ],
            "repeated": 0,
            "id": 9277
          },
          {
            "timestamp": "2026-05-28 22:01:58,162",
            "thread_id": "5448",
            "caller": "0x7ff6c28d760f",
            "parentcaller": "0x7ff6c28d748b",
            "category": "services",
            "api": "OpenServiceW",
            "status": true,
            "return": "0x29254243760",
            "arguments": [
              {
                "name": "ServiceControlManager",
                "value": "0x292542431f0"
              },
              {
                "name": "ServiceName",
                "value": "CredentialEnrollmentManagerUserSvc"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000005",
                "pretty_value": "SERVICE_QUERY_CONFIG|SERVICE_QUERY_STATUS"
              }
            ],
            "repeated": 0,
            "id": 9278
          },
          {
            "timestamp": "2026-05-28 22:01:58,162",
            "thread_id": "5448",
            "caller": "0x7ff6c28d790a",
            "parentcaller": "0x7ff6c28d76df",
            "category": "misc",
            "api": "CommandLineToArgvW",
            "status": true,
            "return": "0x29254277790",
            "arguments": [
              {
                "name": "CommandLine",
                "value": "C:\\Windows\\system32\\CredentialEnrollmentManager.exe"
              },
              {
                "name": "NumArgs",
                "value": "1"
              }
            ],
            "repeated": 0,
            "id": 9279
          },
          {
            "timestamp": "2026-05-28 22:01:58,162",
            "thread_id": "5448",
            "caller": "0x7ff6c28d760f",
            "parentcaller": "0x7ff6c28d748b",
            "category": "services",
            "api": "OpenServiceW",
            "status": true,
            "return": "0x29254243760",
            "arguments": [
              {
                "name": "ServiceControlManager",
                "value": "0x292542431f0"
              },
              {
                "name": "ServiceName",
                "value": "CryptSvc"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000005",
                "pretty_value": "SERVICE_QUERY_CONFIG|SERVICE_QUERY_STATUS"
              }
            ],
            "repeated": 0,
            "id": 9280
          },
          {
            "timestamp": "2026-05-28 22:01:58,162",
            "thread_id": "5448",
            "caller": "0x7ff6c28d790a",
            "parentcaller": "0x7ff6c28d76df",
            "category": "misc",
            "api": "CommandLineToArgvW",
            "status": true,
            "return": "0x29254254210",
            "arguments": [
              {
                "name": "CommandLine",
                "value": "C:\\Windows\\system32\\svchost.exe -k NetworkService -p"
              },
              {
                "name": "NumArgs",
                "value": "4"
              }
            ],
            "repeated": 0,
            "id": 9281
          },
          {
            "timestamp": "2026-05-28 22:01:58,162",
            "thread_id": "5448",
            "caller": "0x7ff6c28d760f",
            "parentcaller": "0x7ff6c28d748b",
            "category": "services",
            "api": "OpenServiceW",
            "status": true,
            "return": "0x29254243760",
            "arguments": [
              {
                "name": "ServiceControlManager",
                "value": "0x292542431f0"
              },
              {
                "name": "ServiceName",
                "value": "CscService"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000005",
                "pretty_value": "SERVICE_QUERY_CONFIG|SERVICE_QUERY_STATUS"
              }
            ],
            "repeated": 0,
            "id": 9282
          },
          {
            "timestamp": "2026-05-28 22:01:58,162",
            "thread_id": "5448",
            "caller": "0x7ff6c28d790a",
            "parentcaller": "0x7ff6c28d76df",
            "category": "misc",
            "api": "CommandLineToArgvW",
            "status": true,
            "return": "0x29254234bf0",
            "arguments": [
              {
                "name": "CommandLine",
                "value": "C:\\Windows\\System32\\svchost.exe -k LocalSystemNetworkRestricted -p"
              },
              {
                "name": "NumArgs",
                "value": "4"
              }
            ],
            "repeated": 0,
            "id": 9283
          },
          {
            "timestamp": "2026-05-28 22:01:58,162",
            "thread_id": "5448",
            "caller": "0x7ff6c28d760f",
            "parentcaller": "0x7ff6c28d748b",
            "category": "services",
            "api": "OpenServiceW",
            "status": true,
            "return": "0x29254243760",
            "arguments": [
              {
                "name": "ServiceControlManager",
                "value": "0x292542431f0"
              },
              {
                "name": "ServiceName",
                "value": "DcomLaunch"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000005",
                "pretty_value": "SERVICE_QUERY_CONFIG|SERVICE_QUERY_STATUS"
              }
            ],
            "repeated": 0,
            "id": 9284
          },
          {
            "timestamp": "2026-05-28 22:01:58,162",
            "thread_id": "5448",
            "caller": "0x7ff6c28d760f",
            "parentcaller": "0x7ff6c28d748b",
            "category": "services",
            "api": "OpenServiceW",
            "status": true,
            "return": "0x29254243760",
            "arguments": [
              {
                "name": "ServiceControlManager",
                "value": "0x292542431f0"
              },
              {
                "name": "ServiceName",
                "value": "dcsvc"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000005",
                "pretty_value": "SERVICE_QUERY_CONFIG|SERVICE_QUERY_STATUS"
              }
            ],
            "repeated": 0,
            "id": 9285
          },
          {
            "timestamp": "2026-05-28 22:01:58,162",
            "thread_id": "5448",
            "caller": "0x7ff6c28d760f",
            "parentcaller": "0x7ff6c28d748b",
            "category": "services",
            "api": "OpenServiceW",
            "status": true,
            "return": "0x29254243760",
            "arguments": [
              {
                "name": "ServiceControlManager",
                "value": "0x292542431f0"
              },
              {
                "name": "ServiceName",
                "value": "defragsvc"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000005",
                "pretty_value": "SERVICE_QUERY_CONFIG|SERVICE_QUERY_STATUS"
              }
            ],
            "repeated": 0,
            "id": 9286
          },
          {
            "timestamp": "2026-05-28 22:01:58,162",
            "thread_id": "5448",
            "caller": "0x7ff6c28d790a",
            "parentcaller": "0x7ff6c28d76df",
            "category": "misc",
            "api": "CommandLineToArgvW",
            "status": true,
            "return": "0x2925421f850",
            "arguments": [
              {
                "name": "CommandLine",
                "value": "C:\\Windows\\system32\\svchost.exe -k defragsvc"
              },
              {
                "name": "NumArgs",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 9287
          },
          {
            "timestamp": "2026-05-28 22:01:58,162",
            "thread_id": "5448",
            "caller": "0x7ff6c28d760f",
            "parentcaller": "0x7ff6c28d748b",
            "category": "services",
            "api": "OpenServiceW",
            "status": true,
            "return": "0x29254243760",
            "arguments": [
              {
                "name": "ServiceControlManager",
                "value": "0x292542431f0"
              },
              {
                "name": "ServiceName",
                "value": "DeviceAssociationBrokerSvc"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000005",
                "pretty_value": "SERVICE_QUERY_CONFIG|SERVICE_QUERY_STATUS"
              }
            ],
            "repeated": 0,
            "id": 9288
          },
          {
            "timestamp": "2026-05-28 22:01:58,162",
            "thread_id": "5448",
            "caller": "0x7ff6c28d760f",
            "parentcaller": "0x7ff6c28d748b",
            "category": "services",
            "api": "OpenServiceW",
            "status": true,
            "return": "0x29254243760",
            "arguments": [
              {
                "name": "ServiceControlManager",
                "value": "0x292542431f0"
              },
              {
                "name": "ServiceName",
                "value": "DeviceAssociationService"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000005",
                "pretty_value": "SERVICE_QUERY_CONFIG|SERVICE_QUERY_STATUS"
              }
            ],
            "repeated": 0,
            "id": 9289
          },
          {
            "timestamp": "2026-05-28 22:01:58,162",
            "thread_id": "5448",
            "caller": "0x7ff6c28d790a",
            "parentcaller": "0x7ff6c28d76df",
            "category": "misc",
            "api": "CommandLineToArgvW",
            "status": true,
            "return": "0x29254233cf0",
            "arguments": [
              {
                "name": "CommandLine",
                "value": "C:\\Windows\\system32\\svchost.exe -k LocalSystemNetworkRestricted -p"
              },
              {
                "name": "NumArgs",
                "value": "4"
              }
            ],
            "repeated": 0,
            "id": 9290
          },
          {
            "timestamp": "2026-05-28 22:01:58,162",
            "thread_id": "5448",
            "caller": "0x7ff6c28d760f",
            "parentcaller": "0x7ff6c28d748b",
            "category": "services",
            "api": "OpenServiceW",
            "status": true,
            "return": "0x29254243760",
            "arguments": [
              {
                "name": "ServiceControlManager",
                "value": "0x292542431f0"
              },
              {
                "name": "ServiceName",
                "value": "DeviceInstall"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000005",
                "pretty_value": "SERVICE_QUERY_CONFIG|SERVICE_QUERY_STATUS"
              }
            ],
            "repeated": 0,
            "id": 9291
          },
          {
            "timestamp": "2026-05-28 22:01:58,162",
            "thread_id": "1276",
            "caller": "0x7ff6c28ba589",
            "parentcaller": "0x7ff6c28ba4a3",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\windowscodecs.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc701e0000"
              }
            ],
            "repeated": 0,
            "id": 9292
          },
          {
            "timestamp": "2026-05-28 22:01:58,162",
            "thread_id": "5448",
            "caller": "0x7ff6c28d760f",
            "parentcaller": "0x7ff6c28d748b",
            "category": "services",
            "api": "OpenServiceW",
            "status": true,
            "return": "0x29254242440",
            "arguments": [
              {
                "name": "ServiceControlManager",
                "value": "0x292542431f0"
              },
              {
                "name": "ServiceName",
                "value": "DevicePickerUserSvc"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000005",
                "pretty_value": "SERVICE_QUERY_CONFIG|SERVICE_QUERY_STATUS"
              }
            ],
            "repeated": 0,
            "id": 9293
          },
          {
            "timestamp": "2026-05-28 22:01:58,162",
            "thread_id": "5448",
            "caller": "0x00000000",
            "parentcaller": "0x00000000",
            "category": "misc",
            "api": "CommandLineToArgvW",
            "status": true,
            "return": "0x29254220150",
            "arguments": [
              {
                "name": "CommandLine",
                "value": "C:\\Windows\\system32\\svchost.exe -k DevicesFlow"
              },
              {
                "name": "NumArgs",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 9294
          },
          {
            "timestamp": "2026-05-28 22:01:58,162",
            "thread_id": "5448",
            "caller": "0x7ff6c28d760f",
            "parentcaller": "0x7ff6c28d748b",
            "category": "services",
            "api": "OpenServiceW",
            "status": true,
            "return": "0x29254242440",
            "arguments": [
              {
                "name": "ServiceControlManager",
                "value": "0x292542431f0"
              },
              {
                "name": "ServiceName",
                "value": "DevicesFlowUserSvc"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000005",
                "pretty_value": "SERVICE_QUERY_CONFIG|SERVICE_QUERY_STATUS"
              }
            ],
            "repeated": 0,
            "id": 9295
          },
          {
            "timestamp": "2026-05-28 22:01:58,162",
            "thread_id": "5448",
            "caller": "0x7ff6c28d790a",
            "parentcaller": "0x7ff6c28d76df",
            "category": "misc",
            "api": "CommandLineToArgvW",
            "status": true,
            "return": "0x29254220c00",
            "arguments": [
              {
                "name": "CommandLine",
                "value": "C:\\Windows\\system32\\svchost.exe -k DevicesFlow"
              },
              {
                "name": "NumArgs",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 9296
          },
          {
            "timestamp": "2026-05-28 22:01:58,162",
            "thread_id": "5448",
            "caller": "0x7ff6c28d760f",
            "parentcaller": "0x7ff6c28d748b",
            "category": "services",
            "api": "OpenServiceW",
            "status": true,
            "return": "0x29254241d20",
            "arguments": [
              {
                "name": "ServiceControlManager",
                "value": "0x292542431f0"
              },
              {
                "name": "ServiceName",
                "value": "DevQueryBroker"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000005",
                "pretty_value": "SERVICE_QUERY_CONFIG|SERVICE_QUERY_STATUS"
              }
            ],
            "repeated": 0,
            "id": 9297
          },
          {
            "timestamp": "2026-05-28 22:01:58,162",
            "thread_id": "5448",
            "caller": "0x7ff6c28d790a",
            "parentcaller": "0x7ff6c28d76df",
            "category": "misc",
            "api": "CommandLineToArgvW",
            "status": true,
            "return": "0x29254234fb0",
            "arguments": [
              {
                "name": "CommandLine",
                "value": "C:\\Windows\\system32\\svchost.exe -k LocalSystemNetworkRestricted -p"
              },
              {
                "name": "NumArgs",
                "value": "4"
              }
            ],
            "repeated": 0,
            "id": 9298
          },
          {
            "timestamp": "2026-05-28 22:01:58,162",
            "thread_id": "5448",
            "caller": "0x7ff6c28d760f",
            "parentcaller": "0x7ff6c28d748b",
            "category": "services",
            "api": "OpenServiceW",
            "status": true,
            "return": "0x292542427d0",
            "arguments": [
              {
                "name": "ServiceControlManager",
                "value": "0x292542431f0"
              },
              {
                "name": "ServiceName",
                "value": "Dhcp"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000005",
                "pretty_value": "SERVICE_QUERY_CONFIG|SERVICE_QUERY_STATUS"
              }
            ],
            "repeated": 0,
            "id": 9299
          },
          {
            "timestamp": "2026-05-28 22:01:58,162",
            "thread_id": "5448",
            "caller": "0x7ff6c28d790a",
            "parentcaller": "0x7ff6c28d76df",
            "category": "misc",
            "api": "CommandLineToArgvW",
            "status": true,
            "return": "0x29254233cf0",
            "arguments": [
              {
                "name": "CommandLine",
                "value": "C:\\Windows\\system32\\svchost.exe -k LocalServiceNetworkRestricted -p"
              },
              {
                "name": "NumArgs",
                "value": "4"
              }
            ],
            "repeated": 0,
            "id": 9300
          },
          {
            "timestamp": "2026-05-28 22:01:58,162",
            "thread_id": "5448",
            "caller": "0x7ff6c28d760f",
            "parentcaller": "0x7ff6c28d748b",
            "category": "services",
            "api": "OpenServiceW",
            "status": true,
            "return": "0x29254242470",
            "arguments": [
              {
                "name": "ServiceControlManager",
                "value": "0x292542431f0"
              },
              {
                "name": "ServiceName",
                "value": "diagnosticshub.standardcollector.service"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000005",
                "pretty_value": "SERVICE_QUERY_CONFIG|SERVICE_QUERY_STATUS"
              }
            ],
            "repeated": 0,
            "id": 9301
          },
          {
            "timestamp": "2026-05-28 22:01:58,162",
            "thread_id": "5448",
            "caller": "0x7ff6c28d790a",
            "parentcaller": "0x7ff6c28d76df",
            "category": "misc",
            "api": "CommandLineToArgvW",
            "status": true,
            "return": "0x292542768e0",
            "arguments": [
              {
                "name": "CommandLine",
                "value": "C:\\Windows\\system32\\DiagSvcs\\DiagnosticsHub.StandardCollector.Service.exe"
              },
              {
                "name": "NumArgs",
                "value": "1"
              }
            ],
            "repeated": 0,
            "id": 9302
          },
          {
            "timestamp": "2026-05-28 22:01:58,162",
            "thread_id": "5448",
            "caller": "0x7ff6c28d760f",
            "parentcaller": "0x7ff6c28d748b",
            "category": "services",
            "api": "OpenServiceW",
            "status": true,
            "return": "0x29254242470",
            "arguments": [
              {
                "name": "ServiceControlManager",
                "value": "0x292542431f0"
              },
              {
                "name": "ServiceName",
                "value": "diagsvc"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000005",
                "pretty_value": "SERVICE_QUERY_CONFIG|SERVICE_QUERY_STATUS"
              }
            ],
            "repeated": 0,
            "id": 9303
          },
          {
            "timestamp": "2026-05-28 22:01:58,162",
            "thread_id": "5448",
            "caller": "0x7ff6c28d790a",
            "parentcaller": "0x7ff6c28d76df",
            "category": "misc",
            "api": "CommandLineToArgvW",
            "status": true,
            "return": "0x29254220e40",
            "arguments": [
              {
                "name": "CommandLine",
                "value": "C:\\Windows\\System32\\svchost.exe -k diagnostics"
              },
              {
                "name": "NumArgs",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 9304
          },
          {
            "timestamp": "2026-05-28 22:01:58,162",
            "thread_id": "5448",
            "caller": "0x7ff6c28d760f",
            "parentcaller": "0x7ff6c28d748b",
            "category": "services",
            "api": "OpenServiceW",
            "status": true,
            "return": "0x29254242890",
            "arguments": [
              {
                "name": "ServiceControlManager",
                "value": "0x292542431f0"
              },
              {
                "name": "ServiceName",
                "value": "DiagTrack"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000005",
                "pretty_value": "SERVICE_QUERY_CONFIG|SERVICE_QUERY_STATUS"
              }
            ],
            "repeated": 0,
            "id": 9305
          },
          {
            "timestamp": "2026-05-28 22:01:58,162",
            "thread_id": "5448",
            "caller": "0x7ff6c28d760f",
            "parentcaller": "0x7ff6c28d748b",
            "category": "services",
            "api": "OpenServiceW",
            "status": true,
            "return": "0x29254242890",
            "arguments": [
              {
                "name": "ServiceControlManager",
                "value": "0x292542431f0"
              },
              {
                "name": "ServiceName",
                "value": "DialogBlockingService"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000005",
                "pretty_value": "SERVICE_QUERY_CONFIG|SERVICE_QUERY_STATUS"
              }
            ],
            "repeated": 0,
            "id": 9306
          },
          {
            "timestamp": "2026-05-28 22:01:58,162",
            "thread_id": "5448",
            "caller": "0x7ff6c28d790a",
            "parentcaller": "0x7ff6c28d76df",
            "category": "misc",
            "api": "CommandLineToArgvW",
            "status": true,
            "return": "0x2925427bcd0",
            "arguments": [
              {
                "name": "CommandLine",
                "value": "C:\\Windows\\system32\\svchost.exe -k DialogBlockingService"
              },
              {
                "name": "NumArgs",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 9307
          },
          {
            "timestamp": "2026-05-28 22:01:58,162",
            "thread_id": "5448",
            "caller": "0x7ff6c28d760f",
            "parentcaller": "0x7ff6c28d748b",
            "category": "services",
            "api": "OpenServiceW",
            "status": true,
            "return": "0x29254242890",
            "arguments": [
              {
                "name": "ServiceControlManager",
                "value": "0x292542431f0"
              },
              {
                "name": "ServiceName",
                "value": "DispBrokerDesktopSvc"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000005",
                "pretty_value": "SERVICE_QUERY_CONFIG|SERVICE_QUERY_STATUS"
              }
            ],
            "repeated": 0,
            "id": 9308
          },
          {
            "timestamp": "2026-05-28 22:01:58,162",
            "thread_id": "5448",
            "caller": "0x7ff6c28d790a",
            "parentcaller": "0x7ff6c28d76df",
            "category": "misc",
            "api": "CommandLineToArgvW",
            "status": true,
            "return": "0x2925427c310",
            "arguments": [
              {
                "name": "CommandLine",
                "value": "C:\\Windows\\system32\\svchost.exe -k LocalService -p"
              },
              {
                "name": "NumArgs",
                "value": "4"
              }
            ],
            "repeated": 0,
            "id": 9309
          },
          {
            "timestamp": "2026-05-28 22:01:58,162",
            "thread_id": "5448",
            "caller": "0x7ff6c28d760f",
            "parentcaller": "0x7ff6c28d748b",
            "category": "services",
            "api": "OpenServiceW",
            "status": true,
            "return": "0x29254242890",
            "arguments": [
              {
                "name": "ServiceControlManager",
                "value": "0x292542431f0"
              },
              {
                "name": "ServiceName",
                "value": "DisplayEnhancementService"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000005",
                "pretty_value": "SERVICE_QUERY_CONFIG|SERVICE_QUERY_STATUS"
              }
            ],
            "repeated": 0,
            "id": 9310
          },
          {
            "timestamp": "2026-05-28 22:01:58,162",
            "thread_id": "5448",
            "caller": "0x7ff6c28d7682",
            "parentcaller": "0x7ff6c28d748b",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2925427d000"
              },
              {
                "name": "RegionSize",
                "value": "0x00003000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 9311
          },
          {
            "timestamp": "2026-05-28 22:01:58,162",
            "thread_id": "5448",
            "caller": "0x7ff6c28d790a",
            "parentcaller": "0x7ff6c28d76df",
            "category": "misc",
            "api": "CommandLineToArgvW",
            "status": true,
            "return": "0x29254235070",
            "arguments": [
              {
                "name": "CommandLine",
                "value": "C:\\Windows\\system32\\svchost.exe -k LocalSystemNetworkRestricted -p"
              },
              {
                "name": "NumArgs",
                "value": "4"
              }
            ],
            "repeated": 0,
            "id": 9312
          },
          {
            "timestamp": "2026-05-28 22:01:58,162",
            "thread_id": "5448",
            "caller": "0x7ff6c28d7a43",
            "parentcaller": "0x7ff6c28d76df",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254280000"
              },
              {
                "name": "RegionSize",
                "value": "0x00005000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 9313
          },
          {
            "timestamp": "2026-05-28 22:01:58,162",
            "thread_id": "1276",
            "caller": "0x7ff6c28ba589",
            "parentcaller": "0x7ff6c28ba4a3",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "317D06E8-5F24-433D-BDF7-79CE68D8ABC2"
              },
              {
                "name": "ClsContext",
                "value": "0x00000001",
                "pretty_value": "CLSCTX_INPROC_SERVER"
              },
              {
                "name": "riid",
                "value": "EC5EC8A9-C395-4314-9C77-54D7A935FF70"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 9314
          },
          {
            "timestamp": "2026-05-28 22:01:58,162",
            "thread_id": "5448",
            "caller": "0x7ff6c28d760f",
            "parentcaller": "0x7ff6c28d748b",
            "category": "services",
            "api": "OpenServiceW",
            "status": true,
            "return": "0x2925420a0e0",
            "arguments": [
              {
                "name": "ServiceControlManager",
                "value": "0x292542431f0"
              },
              {
                "name": "ServiceName",
                "value": "DmEnrollmentSvc"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000005",
                "pretty_value": "SERVICE_QUERY_CONFIG|SERVICE_QUERY_STATUS"
              }
            ],
            "repeated": 0,
            "id": 9315
          },
          {
            "timestamp": "2026-05-28 22:01:58,162",
            "thread_id": "5448",
            "caller": "0x7ff6c28d790a",
            "parentcaller": "0x7ff6c28d76df",
            "category": "misc",
            "api": "CommandLineToArgvW",
            "status": true,
            "return": "0x29254220c00",
            "arguments": [
              {
                "name": "CommandLine",
                "value": "C:\\Windows\\system32\\svchost.exe -k netsvcs -p"
              },
              {
                "name": "NumArgs",
                "value": "4"
              }
            ],
            "repeated": 0,
            "id": 9316
          },
          {
            "timestamp": "2026-05-28 22:01:58,162",
            "thread_id": "1276",
            "caller": "0x7ff6c28ba673",
            "parentcaller": "0x7ff6c28ba5a8",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000007bc"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\ProgramData\\Microsoft\\User Account Pictures\\user.png"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "1",
                "pretty_value": "FILE_SHARE_READ"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000080",
                "pretty_value": "FILE_ATTRIBUTE_NORMAL"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 9317
          },
          {
            "timestamp": "2026-05-28 22:01:58,162",
            "thread_id": "5448",
            "caller": "0x7ff6c28d790a",
            "parentcaller": "0x7ff6c28d76df",
            "category": "misc",
            "api": "CommandLineToArgvW",
            "status": true,
            "return": "0x29254220780",
            "arguments": [
              {
                "name": "CommandLine",
                "value": "C:\\Windows\\system32\\svchost.exe -k netsvcs -p"
              },
              {
                "name": "NumArgs",
                "value": "4"
              }
            ],
            "repeated": 0,
            "id": 9318
          },
          {
            "timestamp": "2026-05-28 22:01:58,162",
            "thread_id": "1276",
            "caller": "0x7ff6c28ba673",
            "parentcaller": "0x7ff6c28ba5a8",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000007bc"
              },
              {
                "name": "HandleName",
                "value": "C:\\ProgramData\\Microsoft\\User Account Pictures\\user.png"
              },
              {
                "name": "FileInformationClass",
                "value": "18",
                "pretty_value": "FileAllInformation"
              },
              {
                "name": "FileInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 9319
          },
          {
            "timestamp": "2026-05-28 22:01:58,162",
            "thread_id": "5448",
            "caller": "0x7ff6c28d760f",
            "parentcaller": "0x7ff6c28d748b",
            "category": "services",
            "api": "OpenServiceW",
            "status": true,
            "return": "0x2925420a560",
            "arguments": [
              {
                "name": "ServiceControlManager",
                "value": "0x292542431f0"
              },
              {
                "name": "ServiceName",
                "value": "Dnscache"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000005",
                "pretty_value": "SERVICE_QUERY_CONFIG|SERVICE_QUERY_STATUS"
              }
            ],
            "repeated": 0,
            "id": 9320
          },
          {
            "timestamp": "2026-05-28 22:01:58,162",
            "thread_id": "5448",
            "caller": "0x7ff6c28d790a",
            "parentcaller": "0x7ff6c28d76df",
            "category": "misc",
            "api": "CommandLineToArgvW",
            "status": true,
            "return": "0x2925427c090",
            "arguments": [
              {
                "name": "CommandLine",
                "value": "C:\\Windows\\system32\\svchost.exe -k NetworkService -p"
              },
              {
                "name": "NumArgs",
                "value": "4"
              }
            ],
            "repeated": 0,
            "id": 9321
          },
          {
            "timestamp": "2026-05-28 22:01:58,162",
            "thread_id": "5448",
            "caller": "0x7ff6c28d760f",
            "parentcaller": "0x7ff6c28d748b",
            "category": "services",
            "api": "OpenServiceW",
            "status": true,
            "return": "0x2925420a560",
            "arguments": [
              {
                "name": "ServiceControlManager",
                "value": "0x292542431f0"
              },
              {
                "name": "ServiceName",
                "value": "DoSvc"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000005",
                "pretty_value": "SERVICE_QUERY_CONFIG|SERVICE_QUERY_STATUS"
              }
            ],
            "repeated": 0,
            "id": 9322
          },
          {
            "timestamp": "2026-05-28 22:01:58,162",
            "thread_id": "1276",
            "caller": "0x7ff6c28ba673",
            "parentcaller": "0x7ff6c28ba5a8",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000007bc"
              },
              {
                "name": "HandleName",
                "value": "C:\\ProgramData\\Microsoft\\User Account Pictures\\user.png"
              },
              {
                "name": "FileInformationClass",
                "value": "14",
                "pretty_value": "FilePositionInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 9323
          },
          {
            "timestamp": "2026-05-28 22:01:58,162",
            "thread_id": "5448",
            "caller": "0x7ff6c28d790a",
            "parentcaller": "0x7ff6c28d76df",
            "category": "misc",
            "api": "CommandLineToArgvW",
            "status": true,
            "return": "0x2925427b730",
            "arguments": [
              {
                "name": "CommandLine",
                "value": "C:\\Windows\\System32\\svchost.exe -k NetworkService -p"
              },
              {
                "name": "NumArgs",
                "value": "4"
              }
            ],
            "repeated": 0,
            "id": 9324
          },
          {
            "timestamp": "2026-05-28 22:01:58,162",
            "thread_id": "1276",
            "caller": "0x7ff6c28ba673",
            "parentcaller": "0x7ff6c28ba5a8",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000007bc"
              },
              {
                "name": "HandleName",
                "value": "C:\\ProgramData\\Microsoft\\User Account Pictures\\user.png"
              },
              {
                "name": "FileInformationClass",
                "value": "14",
                "pretty_value": "FilePositionInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 9325
          },
          {
            "timestamp": "2026-05-28 22:01:58,162",
            "thread_id": "5448",
            "caller": "0x7ff6c28d760f",
            "parentcaller": "0x7ff6c28d748b",
            "category": "services",
            "api": "OpenServiceW",
            "status": true,
            "return": "0x2925420a560",
            "arguments": [
              {
                "name": "ServiceControlManager",
                "value": "0x292542431f0"
              },
              {
                "name": "ServiceName",
                "value": "dot3svc"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000005",
                "pretty_value": "SERVICE_QUERY_CONFIG|SERVICE_QUERY_STATUS"
              }
            ],
            "repeated": 0,
            "id": 9326
          },
          {
            "timestamp": "2026-05-28 22:01:58,162",
            "thread_id": "5448",
            "caller": "0x7ff6c28d790a",
            "parentcaller": "0x7ff6c28d76df",
            "category": "misc",
            "api": "CommandLineToArgvW",
            "status": true,
            "return": "0x292542345f0",
            "arguments": [
              {
                "name": "CommandLine",
                "value": "C:\\Windows\\system32\\svchost.exe -k LocalSystemNetworkRestricted -p"
              },
              {
                "name": "NumArgs",
                "value": "4"
              }
            ],
            "repeated": 0,
            "id": 9327
          },
          {
            "timestamp": "2026-05-28 22:01:58,162",
            "thread_id": "1276",
            "caller": "0x7ff6c28ba673",
            "parentcaller": "0x7ff6c28ba5a8",
            "category": "filesystem",
            "api": "NtSetInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000007bc"
              },
              {
                "name": "HandleName",
                "value": "C:\\ProgramData\\Microsoft\\User Account Pictures\\user.png"
              },
              {
                "name": "FileInformationClass",
                "value": "14",
                "pretty_value": "FilePositionInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 9328
          },
          {
            "timestamp": "2026-05-28 22:01:58,162",
            "thread_id": "5448",
            "caller": "0x7ff6c28d760f",
            "parentcaller": "0x7ff6c28d748b",
            "category": "services",
            "api": "OpenServiceW",
            "status": true,
            "return": "0x2925420a560",
            "arguments": [
              {
                "name": "ServiceControlManager",
                "value": "0x292542431f0"
              },
              {
                "name": "ServiceName",
                "value": "DPS"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000005",
                "pretty_value": "SERVICE_QUERY_CONFIG|SERVICE_QUERY_STATUS"
              }
            ],
            "repeated": 0,
            "id": 9329
          },
          {
            "timestamp": "2026-05-28 22:01:58,162",
            "thread_id": "1276",
            "caller": "0x7ff6c28ba673",
            "parentcaller": "0x7ff6c28ba5a8",
            "category": "filesystem",
            "api": "NtReadFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000007bc"
              },
              {
                "name": "HandleName",
                "value": "C:\\ProgramData\\Microsoft\\User Account Pictures\\user.png"
              },
              {
                "name": "Buffer",
                "value": "\\x89PNG\r\n\\x1a\n\\x00\\x00\\x00\rIHDR"
              },
              {
                "name": "Length",
                "value": "16"
              }
            ],
            "repeated": 0,
            "id": 9330
          },
          {
            "timestamp": "2026-05-28 22:01:58,162",
            "thread_id": "5448",
            "caller": "0x7ff6c28d760f",
            "parentcaller": "0x7ff6c28d748b",
            "category": "services",
            "api": "OpenServiceW",
            "status": true,
            "return": "0x2925420a560",
            "arguments": [
              {
                "name": "ServiceControlManager",
                "value": "0x292542431f0"
              },
              {
                "name": "ServiceName",
                "value": "DsmSvc"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000005",
                "pretty_value": "SERVICE_QUERY_CONFIG|SERVICE_QUERY_STATUS"
              }
            ],
            "repeated": 0,
            "id": 9331
          },
          {
            "timestamp": "2026-05-28 22:01:58,162",
            "thread_id": "1276",
            "caller": "0x7ff6c28ba673",
            "parentcaller": "0x7ff6c28ba5a8",
            "category": "filesystem",
            "api": "NtSetInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000007bc"
              },
              {
                "name": "HandleName",
                "value": "C:\\ProgramData\\Microsoft\\User Account Pictures\\user.png"
              },
              {
                "name": "FileInformationClass",
                "value": "14",
                "pretty_value": "FilePositionInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 1,
            "id": 9332
          },
          {
            "timestamp": "2026-05-28 22:01:58,162",
            "thread_id": "5448",
            "caller": "0x7ff6c28d790a",
            "parentcaller": "0x7ff6c28d76df",
            "category": "misc",
            "api": "CommandLineToArgvW",
            "status": true,
            "return": "0x29254220c90",
            "arguments": [
              {
                "name": "CommandLine",
                "value": "C:\\Windows\\system32\\svchost.exe -k netsvcs -p"
              },
              {
                "name": "NumArgs",
                "value": "4"
              }
            ],
            "repeated": 0,
            "id": 9333
          },
          {
            "timestamp": "2026-05-28 22:01:58,162",
            "thread_id": "1276",
            "caller": "0x7ff6c28ba673",
            "parentcaller": "0x7ff6c28ba5a8",
            "category": "filesystem",
            "api": "NtSetInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000007bc"
              },
              {
                "name": "HandleName",
                "value": "C:\\ProgramData\\Microsoft\\User Account Pictures\\user.png"
              },
              {
                "name": "FileInformationClass",
                "value": "14",
                "pretty_value": "FilePositionInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 9334
          },
          {
            "timestamp": "2026-05-28 22:01:58,162",
            "thread_id": "5448",
            "caller": "0x7ff6c28d760f",
            "parentcaller": "0x7ff6c28d748b",
            "category": "services",
            "api": "OpenServiceW",
            "status": true,
            "return": "0x2925420a560",
            "arguments": [
              {
                "name": "ServiceControlManager",
                "value": "0x292542431f0"
              },
              {
                "name": "ServiceName",
                "value": "DsSvc"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000005",
                "pretty_value": "SERVICE_QUERY_CONFIG|SERVICE_QUERY_STATUS"
              }
            ],
            "repeated": 0,
            "id": 9335
          },
          {
            "timestamp": "2026-05-28 22:01:58,162",
            "thread_id": "1276",
            "caller": "0x7ff6c28ba673",
            "parentcaller": "0x7ff6c28ba5a8",
            "category": "filesystem",
            "api": "NtSetInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000007bc"
              },
              {
                "name": "HandleName",
                "value": "C:\\ProgramData\\Microsoft\\User Account Pictures\\user.png"
              },
              {
                "name": "FileInformationClass",
                "value": "14",
                "pretty_value": "FilePositionInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 9336
          },
          {
            "timestamp": "2026-05-28 22:01:58,162",
            "thread_id": "5448",
            "caller": "0x7ff6c28d790a",
            "parentcaller": "0x7ff6c28d76df",
            "category": "misc",
            "api": "CommandLineToArgvW",
            "status": true,
            "return": "0x29254234470",
            "arguments": [
              {
                "name": "CommandLine",
                "value": "C:\\Windows\\System32\\svchost.exe -k LocalSystemNetworkRestricted -p"
              },
              {
                "name": "NumArgs",
                "value": "4"
              }
            ],
            "repeated": 0,
            "id": 9337
          },
          {
            "timestamp": "2026-05-28 22:01:58,162",
            "thread_id": "1276",
            "caller": "0x7ff6c28ba673",
            "parentcaller": "0x7ff6c28ba5a8",
            "category": "filesystem",
            "api": "NtSetInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000007bc"
              },
              {
                "name": "HandleName",
                "value": "C:\\ProgramData\\Microsoft\\User Account Pictures\\user.png"
              },
              {
                "name": "FileInformationClass",
                "value": "14",
                "pretty_value": "FilePositionInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 9338
          },
          {
            "timestamp": "2026-05-28 22:01:58,162",
            "thread_id": "5448",
            "caller": "0x7ff6c28d760f",
            "parentcaller": "0x7ff6c28d748b",
            "category": "services",
            "api": "OpenServiceW",
            "status": true,
            "return": "0x2925420a560",
            "arguments": [
              {
                "name": "ServiceControlManager",
                "value": "0x292542431f0"
              },
              {
                "name": "ServiceName",
                "value": "DusmSvc"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000005",
                "pretty_value": "SERVICE_QUERY_CONFIG|SERVICE_QUERY_STATUS"
              }
            ],
            "repeated": 0,
            "id": 9339
          },
          {
            "timestamp": "2026-05-28 22:01:58,162",
            "thread_id": "5448",
            "caller": "0x7ff6c28d790a",
            "parentcaller": "0x7ff6c28d76df",
            "category": "misc",
            "api": "CommandLineToArgvW",
            "status": true,
            "return": "0x29254234a70",
            "arguments": [
              {
                "name": "CommandLine",
                "value": "C:\\Windows\\System32\\svchost.exe -k LocalServiceNetworkRestricted -p"
              },
              {
                "name": "NumArgs",
                "value": "4"
              }
            ],
            "repeated": 0,
            "id": 9340
          },
          {
            "timestamp": "2026-05-28 22:01:58,162",
            "thread_id": "1276",
            "caller": "0x7ff6c28ba673",
            "parentcaller": "0x7ff6c28ba5a8",
            "category": "filesystem",
            "api": "NtSetInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000007bc"
              },
              {
                "name": "HandleName",
                "value": "C:\\ProgramData\\Microsoft\\User Account Pictures\\user.png"
              },
              {
                "name": "FileInformationClass",
                "value": "14",
                "pretty_value": "FilePositionInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 9341
          },
          {
            "timestamp": "2026-05-28 22:01:58,162",
            "thread_id": "5448",
            "caller": "0x7ff6c28d760f",
            "parentcaller": "0x7ff6c28d748b",
            "category": "services",
            "api": "OpenServiceW",
            "status": true,
            "return": "0x2925420a560",
            "arguments": [
              {
                "name": "ServiceControlManager",
                "value": "0x292542431f0"
              },
              {
                "name": "ServiceName",
                "value": "Eaphost"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000005",
                "pretty_value": "SERVICE_QUERY_CONFIG|SERVICE_QUERY_STATUS"
              }
            ],
            "repeated": 0,
            "id": 9342
          },
          {
            "timestamp": "2026-05-28 22:01:58,162",
            "thread_id": "5448",
            "caller": "0x7ff6c28d790a",
            "parentcaller": "0x7ff6c28d76df",
            "category": "misc",
            "api": "CommandLineToArgvW",
            "status": true,
            "return": "0x2925421fd60",
            "arguments": [
              {
                "name": "CommandLine",
                "value": "C:\\Windows\\System32\\svchost.exe -k netsvcs -p"
              },
              {
                "name": "NumArgs",
                "value": "4"
              }
            ],
            "repeated": 0,
            "id": 9343
          },
          {
            "timestamp": "2026-05-28 22:01:58,162",
            "thread_id": "5448",
            "caller": "0x7ff6c28d760f",
            "parentcaller": "0x7ff6c28d748b",
            "category": "services",
            "api": "OpenServiceW",
            "status": true,
            "return": "0x2925420a560",
            "arguments": [
              {
                "name": "ServiceControlManager",
                "value": "0x292542431f0"
              },
              {
                "name": "ServiceName",
                "value": "edgeupdate"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000005",
                "pretty_value": "SERVICE_QUERY_CONFIG|SERVICE_QUERY_STATUS"
              }
            ],
            "repeated": 0,
            "id": 9344
          },
          {
            "timestamp": "2026-05-28 22:01:58,162",
            "thread_id": "1276",
            "caller": "0x7ff6c28ba673",
            "parentcaller": "0x7ff6c28ba5a8",
            "category": "filesystem",
            "api": "NtSetInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000007bc"
              },
              {
                "name": "HandleName",
                "value": "C:\\ProgramData\\Microsoft\\User Account Pictures\\user.png"
              },
              {
                "name": "FileInformationClass",
                "value": "14",
                "pretty_value": "FilePositionInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 9345
          },
          {
            "timestamp": "2026-05-28 22:01:58,162",
            "thread_id": "5448",
            "caller": "0x7ff6c28d790a",
            "parentcaller": "0x7ff6c28d76df",
            "category": "misc",
            "api": "CommandLineToArgvW",
            "status": true,
            "return": "0x29254234770",
            "arguments": [
              {
                "name": "CommandLine",
                "value": "\"C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\MicrosoftEdgeUpdate.exe\" /svc"
              },
              {
                "name": "NumArgs",
                "value": "2"
              }
            ],
            "repeated": 0,
            "id": 9346
          },
          {
            "timestamp": "2026-05-28 22:01:58,162",
            "thread_id": "1276",
            "caller": "0x7ff6c28ba673",
            "parentcaller": "0x7ff6c28ba5a8",
            "category": "filesystem",
            "api": "NtSetInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000007bc"
              },
              {
                "name": "HandleName",
                "value": "C:\\ProgramData\\Microsoft\\User Account Pictures\\user.png"
              },
              {
                "name": "FileInformationClass",
                "value": "14",
                "pretty_value": "FilePositionInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 9347
          },
          {
            "timestamp": "2026-05-28 22:01:58,162",
            "thread_id": "5448",
            "caller": "0x7ff6c28d760f",
            "parentcaller": "0x7ff6c28d748b",
            "category": "services",
            "api": "OpenServiceW",
            "status": true,
            "return": "0x2925420a560",
            "arguments": [
              {
                "name": "ServiceControlManager",
                "value": "0x292542431f0"
              },
              {
                "name": "ServiceName",
                "value": "edgeupdatem"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000005",
                "pretty_value": "SERVICE_QUERY_CONFIG|SERVICE_QUERY_STATUS"
              }
            ],
            "repeated": 0,
            "id": 9348
          },
          {
            "timestamp": "2026-05-28 22:01:58,162",
            "thread_id": "5448",
            "caller": "0x7ff6c28d790a",
            "parentcaller": "0x7ff6c28d76df",
            "category": "misc",
            "api": "CommandLineToArgvW",
            "status": true,
            "return": "0x292542343b0",
            "arguments": [
              {
                "name": "CommandLine",
                "value": "\"C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\MicrosoftEdgeUpdate.exe\" /medsvc"
              },
              {
                "name": "NumArgs",
                "value": "2"
              }
            ],
            "repeated": 0,
            "id": 9349
          },
          {
            "timestamp": "2026-05-28 22:01:58,162",
            "thread_id": "1276",
            "caller": "0x7ff6c28ba673",
            "parentcaller": "0x7ff6c28ba5a8",
            "category": "filesystem",
            "api": "NtSetInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000007bc"
              },
              {
                "name": "HandleName",
                "value": "C:\\ProgramData\\Microsoft\\User Account Pictures\\user.png"
              },
              {
                "name": "FileInformationClass",
                "value": "14",
                "pretty_value": "FilePositionInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 9350
          },
          {
            "timestamp": "2026-05-28 22:01:58,162",
            "thread_id": "5448",
            "caller": "0x7ff6c28d760f",
            "parentcaller": "0x7ff6c28d748b",
            "category": "services",
            "api": "OpenServiceW",
            "status": true,
            "return": "0x2925420a560",
            "arguments": [
              {
                "name": "ServiceControlManager",
                "value": "0x292542431f0"
              },
              {
                "name": "ServiceName",
                "value": "EFS"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000005",
                "pretty_value": "SERVICE_QUERY_CONFIG|SERVICE_QUERY_STATUS"
              }
            ],
            "repeated": 0,
            "id": 9351
          },
          {
            "timestamp": "2026-05-28 22:01:58,162",
            "thread_id": "1276",
            "caller": "0x7ff6c28ba673",
            "parentcaller": "0x7ff6c28ba5a8",
            "category": "filesystem",
            "api": "NtSetInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000007bc"
              },
              {
                "name": "HandleName",
                "value": "C:\\ProgramData\\Microsoft\\User Account Pictures\\user.png"
              },
              {
                "name": "FileInformationClass",
                "value": "14",
                "pretty_value": "FilePositionInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 9352
          },
          {
            "timestamp": "2026-05-28 22:01:58,162",
            "thread_id": "5448",
            "caller": "0x7ff6c28d790a",
            "parentcaller": "0x7ff6c28d76df",
            "category": "misc",
            "api": "CommandLineToArgvW",
            "status": true,
            "return": "0x292542819e0",
            "arguments": [
              {
                "name": "CommandLine",
                "value": "C:\\Windows\\System32\\lsass.exe"
              },
              {
                "name": "NumArgs",
                "value": "1"
              }
            ],
            "repeated": 0,
            "id": 9353
          },
          {
            "timestamp": "2026-05-28 22:01:58,162",
            "thread_id": "5448",
            "caller": "0x7ff6c28d7729",
            "parentcaller": "0x7ff6c28d748b",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254285000"
              },
              {
                "name": "RegionSize",
                "value": "0x00005000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 9354
          },
          {
            "timestamp": "2026-05-28 22:01:58,162",
            "thread_id": "1276",
            "caller": "0x7ff6c28ba673",
            "parentcaller": "0x7ff6c28ba5a8",
            "category": "filesystem",
            "api": "NtSetInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000007bc"
              },
              {
                "name": "HandleName",
                "value": "C:\\ProgramData\\Microsoft\\User Account Pictures\\user.png"
              },
              {
                "name": "FileInformationClass",
                "value": "14",
                "pretty_value": "FilePositionInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 9355
          },
          {
            "timestamp": "2026-05-28 22:01:58,162",
            "thread_id": "5448",
            "caller": "0x7ff6c28d760f",
            "parentcaller": "0x7ff6c28d748b",
            "category": "services",
            "api": "OpenServiceW",
            "status": true,
            "return": "0x292542832c0",
            "arguments": [
              {
                "name": "ServiceControlManager",
                "value": "0x292542431f0"
              },
              {
                "name": "ServiceName",
                "value": "embeddedmode"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000005",
                "pretty_value": "SERVICE_QUERY_CONFIG|SERVICE_QUERY_STATUS"
              }
            ],
            "repeated": 0,
            "id": 9356
          },
          {
            "timestamp": "2026-05-28 22:01:58,162",
            "thread_id": "5448",
            "caller": "0x7ff6c28d790a",
            "parentcaller": "0x7ff6c28d76df",
            "category": "misc",
            "api": "CommandLineToArgvW",
            "status": true,
            "return": "0x29254234a70",
            "arguments": [
              {
                "name": "CommandLine",
                "value": "C:\\Windows\\System32\\svchost.exe -k LocalSystemNetworkRestricted -p"
              },
              {
                "name": "NumArgs",
                "value": "4"
              }
            ],
            "repeated": 0,
            "id": 9357
          },
          {
            "timestamp": "2026-05-28 22:01:58,162",
            "thread_id": "5448",
            "caller": "0x7ff6c28d760f",
            "parentcaller": "0x7ff6c28d748b",
            "category": "services",
            "api": "OpenServiceW",
            "status": true,
            "return": "0x29254283ad0",
            "arguments": [
              {
                "name": "ServiceControlManager",
                "value": "0x292542431f0"
              },
              {
                "name": "ServiceName",
                "value": "EntAppSvc"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000005",
                "pretty_value": "SERVICE_QUERY_CONFIG|SERVICE_QUERY_STATUS"
              }
            ],
            "repeated": 0,
            "id": 9358
          },
          {
            "timestamp": "2026-05-28 22:01:58,162",
            "thread_id": "5448",
            "caller": "0x7ff6c28d790a",
            "parentcaller": "0x7ff6c28d76df",
            "category": "misc",
            "api": "CommandLineToArgvW",
            "status": true,
            "return": "0x29254220390",
            "arguments": [
              {
                "name": "CommandLine",
                "value": "C:\\Windows\\system32\\svchost.exe -k appmodel -p"
              },
              {
                "name": "NumArgs",
                "value": "4"
              }
            ],
            "repeated": 0,
            "id": 9359
          },
          {
            "timestamp": "2026-05-28 22:01:58,162",
            "thread_id": "1276",
            "caller": "0x7ff6c28ba673",
            "parentcaller": "0x7ff6c28ba5a8",
            "category": "filesystem",
            "api": "NtSetInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000007bc"
              },
              {
                "name": "HandleName",
                "value": "C:\\ProgramData\\Microsoft\\User Account Pictures\\user.png"
              },
              {
                "name": "FileInformationClass",
                "value": "14",
                "pretty_value": "FilePositionInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 9360
          },
          {
            "timestamp": "2026-05-28 22:01:58,162",
            "thread_id": "5448",
            "caller": "0x7ff6c28d760f",
            "parentcaller": "0x7ff6c28d748b",
            "category": "services",
            "api": "OpenServiceW",
            "status": true,
            "return": "0x29254283320",
            "arguments": [
              {
                "name": "ServiceControlManager",
                "value": "0x292542431f0"
              },
              {
                "name": "ServiceName",
                "value": "EventLog"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000005",
                "pretty_value": "SERVICE_QUERY_CONFIG|SERVICE_QUERY_STATUS"
              }
            ],
            "repeated": 0,
            "id": 9361
          },
          {
            "timestamp": "2026-05-28 22:01:58,162",
            "thread_id": "1276",
            "caller": "0x7ff6c28ba673",
            "parentcaller": "0x7ff6c28ba5a8",
            "category": "filesystem",
            "api": "NtSetInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000007bc"
              },
              {
                "name": "HandleName",
                "value": "C:\\ProgramData\\Microsoft\\User Account Pictures\\user.png"
              },
              {
                "name": "FileInformationClass",
                "value": "14",
                "pretty_value": "FilePositionInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 9362
          },
          {
            "timestamp": "2026-05-28 22:01:58,162",
            "thread_id": "5448",
            "caller": "0x7ff6c28d790a",
            "parentcaller": "0x7ff6c28d76df",
            "category": "misc",
            "api": "CommandLineToArgvW",
            "status": true,
            "return": "0x29254233cf0",
            "arguments": [
              {
                "name": "CommandLine",
                "value": "C:\\Windows\\System32\\svchost.exe -k LocalServiceNetworkRestricted -p"
              },
              {
                "name": "NumArgs",
                "value": "4"
              }
            ],
            "repeated": 0,
            "id": 9363
          },
          {
            "timestamp": "2026-05-28 22:01:58,162",
            "thread_id": "5448",
            "caller": "0x7ff6c28d7729",
            "parentcaller": "0x7ff6c28d748b",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2925428a000"
              },
              {
                "name": "RegionSize",
                "value": "0x00005000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 9364
          },
          {
            "timestamp": "2026-05-28 22:01:58,162",
            "thread_id": "1276",
            "caller": "0x7ff6c28ba673",
            "parentcaller": "0x7ff6c28ba5a8",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000007bc"
              },
              {
                "name": "HandleName",
                "value": "C:\\ProgramData\\Microsoft\\User Account Pictures\\user.png"
              },
              {
                "name": "FileInformationClass",
                "value": "14",
                "pretty_value": "FilePositionInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 1,
            "id": 9365
          },
          {
            "timestamp": "2026-05-28 22:01:58,162",
            "thread_id": "5448",
            "caller": "0x7ff6c28d790a",
            "parentcaller": "0x7ff6c28d76df",
            "category": "misc",
            "api": "CommandLineToArgvW",
            "status": true,
            "return": "0x2925428b710",
            "arguments": [
              {
                "name": "CommandLine",
                "value": "C:\\Windows\\system32\\svchost.exe -k LocalService -p"
              },
              {
                "name": "NumArgs",
                "value": "4"
              }
            ],
            "repeated": 0,
            "id": 9366
          },
          {
            "timestamp": "2026-05-28 22:01:58,162",
            "thread_id": "1276",
            "caller": "0x7ff6c28ba673",
            "parentcaller": "0x7ff6c28ba5a8",
            "category": "filesystem",
            "api": "NtSetInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000007bc"
              },
              {
                "name": "HandleName",
                "value": "C:\\ProgramData\\Microsoft\\User Account Pictures\\user.png"
              },
              {
                "name": "FileInformationClass",
                "value": "14",
                "pretty_value": "FilePositionInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 9367
          },
          {
            "timestamp": "2026-05-28 22:01:58,162",
            "thread_id": "5448",
            "caller": "0x7ff6c28d760f",
            "parentcaller": "0x7ff6c28d748b",
            "category": "services",
            "api": "OpenServiceW",
            "status": true,
            "return": "0x292542837a0",
            "arguments": [
              {
                "name": "ServiceControlManager",
                "value": "0x292542431f0"
              },
              {
                "name": "ServiceName",
                "value": "Fax"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000005",
                "pretty_value": "SERVICE_QUERY_CONFIG|SERVICE_QUERY_STATUS"
              }
            ],
            "repeated": 0,
            "id": 9368
          },
          {
            "timestamp": "2026-05-28 22:01:58,162",
            "thread_id": "5448",
            "caller": "0x7ff6c28d790a",
            "parentcaller": "0x7ff6c28d76df",
            "category": "misc",
            "api": "CommandLineToArgvW",
            "status": true,
            "return": "0x29254280360",
            "arguments": [
              {
                "name": "CommandLine",
                "value": "C:\\Windows\\system32\\fxssvc.exe"
              },
              {
                "name": "NumArgs",
                "value": "1"
              }
            ],
            "repeated": 0,
            "id": 9369
          },
          {
            "timestamp": "2026-05-28 22:01:58,162",
            "thread_id": "5448",
            "caller": "0x7ff6c28d760f",
            "parentcaller": "0x7ff6c28d748b",
            "category": "services",
            "api": "OpenServiceW",
            "status": true,
            "return": "0x29254283710",
            "arguments": [
              {
                "name": "ServiceControlManager",
                "value": "0x292542431f0"
              },
              {
                "name": "ServiceName",
                "value": "fdPHost"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000005",
                "pretty_value": "SERVICE_QUERY_CONFIG|SERVICE_QUERY_STATUS"
              }
            ],
            "repeated": 0,
            "id": 9370
          },
          {
            "timestamp": "2026-05-28 22:01:58,162",
            "thread_id": "5448",
            "caller": "0x7ff6c28d790a",
            "parentcaller": "0x7ff6c28d76df",
            "category": "misc",
            "api": "CommandLineToArgvW",
            "status": true,
            "return": "0x2925428b5d0",
            "arguments": [
              {
                "name": "CommandLine",
                "value": "C:\\Windows\\system32\\svchost.exe -k LocalService -p"
              },
              {
                "name": "NumArgs",
                "value": "4"
              }
            ],
            "repeated": 0,
            "id": 9371
          },
          {
            "timestamp": "2026-05-28 22:01:58,162",
            "thread_id": "1276",
            "caller": "0x7ff6c28ba673",
            "parentcaller": "0x7ff6c28ba5a8",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000007bc"
              },
              {
                "name": "HandleName",
                "value": "C:\\ProgramData\\Microsoft\\User Account Pictures\\user.png"
              },
              {
                "name": "FileInformationClass",
                "value": "14",
                "pretty_value": "FilePositionInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 9372
          },
          {
            "timestamp": "2026-05-28 22:01:58,162",
            "thread_id": "5448",
            "caller": "0x7ff6c28d760f",
            "parentcaller": "0x7ff6c28d748b",
            "category": "services",
            "api": "OpenServiceW",
            "status": true,
            "return": "0x292542837a0",
            "arguments": [
              {
                "name": "ServiceControlManager",
                "value": "0x292542431f0"
              },
              {
                "name": "ServiceName",
                "value": "FDResPub"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000005",
                "pretty_value": "SERVICE_QUERY_CONFIG|SERVICE_QUERY_STATUS"
              }
            ],
            "repeated": 0,
            "id": 9373
          },
          {
            "timestamp": "2026-05-28 22:01:58,162",
            "thread_id": "1276",
            "caller": "0x7ff6c28ba673",
            "parentcaller": "0x7ff6c28ba5a8",
            "category": "filesystem",
            "api": "NtSetInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000007bc"
              },
              {
                "name": "HandleName",
                "value": "C:\\ProgramData\\Microsoft\\User Account Pictures\\user.png"
              },
              {
                "name": "FileInformationClass",
                "value": "14",
                "pretty_value": "FilePositionInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 9374
          },
          {
            "timestamp": "2026-05-28 22:01:58,162",
            "thread_id": "5448",
            "caller": "0x7ff6c28d760f",
            "parentcaller": "0x7ff6c28d748b",
            "category": "services",
            "api": "OpenServiceW",
            "status": true,
            "return": "0x29254283110",
            "arguments": [
              {
                "name": "ServiceControlManager",
                "value": "0x292542431f0"
              },
              {
                "name": "ServiceName",
                "value": "fhsvc"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000005",
                "pretty_value": "SERVICE_QUERY_CONFIG|SERVICE_QUERY_STATUS"
              }
            ],
            "repeated": 0,
            "id": 9375
          },
          {
            "timestamp": "2026-05-28 22:01:58,162",
            "thread_id": "1276",
            "caller": "0x7ff6c28ba673",
            "parentcaller": "0x7ff6c28ba5a8",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000007bc"
              },
              {
                "name": "HandleName",
                "value": "C:\\ProgramData\\Microsoft\\User Account Pictures\\user.png"
              },
              {
                "name": "FileInformationClass",
                "value": "5",
                "pretty_value": "FileStandardInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\x00 \\x00\\x00\\x00\\x00\\x00\\x00\\xa5\\x17\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 9376
          },
          {
            "timestamp": "2026-05-28 22:01:58,162",
            "thread_id": "5448",
            "caller": "0x7ff6c28d790a",
            "parentcaller": "0x7ff6c28d76df",
            "category": "misc",
            "api": "CommandLineToArgvW",
            "status": true,
            "return": "0x29254234770",
            "arguments": [
              {
                "name": "CommandLine",
                "value": "C:\\Windows\\system32\\svchost.exe -k LocalSystemNetworkRestricted -p"
              },
              {
                "name": "NumArgs",
                "value": "4"
              }
            ],
            "repeated": 0,
            "id": 9377
          },
          {
            "timestamp": "2026-05-28 22:01:58,162",
            "thread_id": "1276",
            "caller": "0x7ff6c28ba673",
            "parentcaller": "0x7ff6c28ba5a8",
            "category": "filesystem",
            "api": "NtSetInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000007bc"
              },
              {
                "name": "HandleName",
                "value": "C:\\ProgramData\\Microsoft\\User Account Pictures\\user.png"
              },
              {
                "name": "FileInformationClass",
                "value": "14",
                "pretty_value": "FilePositionInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 9378
          },
          {
            "timestamp": "2026-05-28 22:01:58,162",
            "thread_id": "5448",
            "caller": "0x7ff6c28d760f",
            "parentcaller": "0x7ff6c28d748b",
            "category": "services",
            "api": "OpenServiceW",
            "status": true,
            "return": "0x29254283a70",
            "arguments": [
              {
                "name": "ServiceControlManager",
                "value": "0x292542431f0"
              },
              {
                "name": "ServiceName",
                "value": "FontCache"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000005",
                "pretty_value": "SERVICE_QUERY_CONFIG|SERVICE_QUERY_STATUS"
              }
            ],
            "repeated": 0,
            "id": 9379
          },
          {
            "timestamp": "2026-05-28 22:01:58,162",
            "thread_id": "5448",
            "caller": "0x7ff6c28d790a",
            "parentcaller": "0x7ff6c28d76df",
            "category": "misc",
            "api": "CommandLineToArgvW",
            "status": true,
            "return": "0x2925428b350",
            "arguments": [
              {
                "name": "CommandLine",
                "value": "C:\\Windows\\system32\\svchost.exe -k LocalService -p"
              },
              {
                "name": "NumArgs",
                "value": "4"
              }
            ],
            "repeated": 0,
            "id": 9380
          },
          {
            "timestamp": "2026-05-28 22:01:58,162",
            "thread_id": "1276",
            "caller": "0x7ff6c28ba673",
            "parentcaller": "0x7ff6c28ba5a8",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000007bc"
              },
              {
                "name": "HandleName",
                "value": "C:\\ProgramData\\Microsoft\\User Account Pictures\\user.png"
              },
              {
                "name": "FileInformationClass",
                "value": "14",
                "pretty_value": "FilePositionInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 9381
          },
          {
            "timestamp": "2026-05-28 22:01:58,162",
            "thread_id": "5448",
            "caller": "0x7ff6c28d760f",
            "parentcaller": "0x7ff6c28d748b",
            "category": "services",
            "api": "OpenServiceW",
            "status": true,
            "return": "0x292542831d0",
            "arguments": [
              {
                "name": "ServiceControlManager",
                "value": "0x292542431f0"
              },
              {
                "name": "ServiceName",
                "value": "FrameServer"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000005",
                "pretty_value": "SERVICE_QUERY_CONFIG|SERVICE_QUERY_STATUS"
              }
            ],
            "repeated": 0,
            "id": 9382
          },
          {
            "timestamp": "2026-05-28 22:01:58,162",
            "thread_id": "1276",
            "caller": "0x7ff6c28ba673",
            "parentcaller": "0x7ff6c28ba5a8",
            "category": "filesystem",
            "api": "NtSetInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000007bc"
              },
              {
                "name": "HandleName",
                "value": "C:\\ProgramData\\Microsoft\\User Account Pictures\\user.png"
              },
              {
                "name": "FileInformationClass",
                "value": "14",
                "pretty_value": "FilePositionInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 9383
          },
          {
            "timestamp": "2026-05-28 22:01:58,162",
            "thread_id": "1276",
            "caller": "0x7ff6c28ba673",
            "parentcaller": "0x7ff6c28ba5a8",
            "category": "filesystem",
            "api": "NtReadFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000007bc"
              },
              {
                "name": "HandleName",
                "value": "C:\\ProgramData\\Microsoft\\User Account Pictures\\user.png"
              },
              {
                "name": "Buffer",
                "value": "\\x89PNG\r\n\\x1a\n"
              },
              {
                "name": "Length",
                "value": "8"
              }
            ],
            "repeated": 0,
            "id": 9384
          },
          {
            "timestamp": "2026-05-28 22:01:58,162",
            "thread_id": "5448",
            "caller": "0x7ff6c28d760f",
            "parentcaller": "0x7ff6c28d748b",
            "category": "services",
            "api": "OpenServiceW",
            "status": true,
            "return": "0x29254283170",
            "arguments": [
              {
                "name": "ServiceControlManager",
                "value": "0x292542431f0"
              },
              {
                "name": "ServiceName",
                "value": "GameInputSvc"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000005",
                "pretty_value": "SERVICE_QUERY_CONFIG|SERVICE_QUERY_STATUS"
              }
            ],
            "repeated": 0,
            "id": 9385
          },
          {
            "timestamp": "2026-05-28 22:01:58,162",
            "thread_id": "1276",
            "caller": "0x7ff6c28ba673",
            "parentcaller": "0x7ff6c28ba5a8",
            "category": "filesystem",
            "api": "NtSetInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000007bc"
              },
              {
                "name": "HandleName",
                "value": "C:\\ProgramData\\Microsoft\\User Account Pictures\\user.png"
              },
              {
                "name": "FileInformationClass",
                "value": "14",
                "pretty_value": "FilePositionInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 9386
          },
          {
            "timestamp": "2026-05-28 22:01:58,162",
            "thread_id": "5448",
            "caller": "0x7ff6c28d790a",
            "parentcaller": "0x7ff6c28d76df",
            "category": "misc",
            "api": "CommandLineToArgvW",
            "status": true,
            "return": "0x2925422ebf0",
            "arguments": [
              {
                "name": "CommandLine",
                "value": "C:\\Windows\\System32\\GameInputSvc.exe"
              },
              {
                "name": "NumArgs",
                "value": "1"
              }
            ],
            "repeated": 0,
            "id": 9387
          },
          {
            "timestamp": "2026-05-28 22:01:58,162",
            "thread_id": "1276",
            "caller": "0x7ff6c28ba673",
            "parentcaller": "0x7ff6c28ba5a8",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000007bc"
              },
              {
                "name": "HandleName",
                "value": "C:\\ProgramData\\Microsoft\\User Account Pictures\\user.png"
              },
              {
                "name": "FileInformationClass",
                "value": "14",
                "pretty_value": "FilePositionInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 9388
          },
          {
            "timestamp": "2026-05-28 22:01:58,162",
            "thread_id": "5448",
            "caller": "0x7ff6c28d760f",
            "parentcaller": "0x7ff6c28d748b",
            "category": "services",
            "api": "OpenServiceW",
            "status": true,
            "return": "0x292542839e0",
            "arguments": [
              {
                "name": "ServiceControlManager",
                "value": "0x292542431f0"
              },
              {
                "name": "ServiceName",
                "value": "GoogleChromeElevationService"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000005",
                "pretty_value": "SERVICE_QUERY_CONFIG|SERVICE_QUERY_STATUS"
              }
            ],
            "repeated": 0,
            "id": 9389
          },
          {
            "timestamp": "2026-05-28 22:01:58,162",
            "thread_id": "5448",
            "caller": "0x7ff6c28d790a",
            "parentcaller": "0x7ff6c28d76df",
            "category": "misc",
            "api": "CommandLineToArgvW",
            "status": true,
            "return": "0x292542334b0",
            "arguments": [
              {
                "name": "CommandLine",
                "value": "\"C:\\Program Files\\Google\\Chrome\\Application\\148.0.7778.217\\elevation_service.exe\""
              },
              {
                "name": "NumArgs",
                "value": "1"
              }
            ],
            "repeated": 0,
            "id": 9390
          },
          {
            "timestamp": "2026-05-28 22:01:58,162",
            "thread_id": "1276",
            "caller": "0x7ff6c28ba673",
            "parentcaller": "0x7ff6c28ba5a8",
            "category": "filesystem",
            "api": "NtSetInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000007bc"
              },
              {
                "name": "HandleName",
                "value": "C:\\ProgramData\\Microsoft\\User Account Pictures\\user.png"
              },
              {
                "name": "FileInformationClass",
                "value": "14",
                "pretty_value": "FilePositionInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 9391
          },
          {
            "timestamp": "2026-05-28 22:01:58,162",
            "thread_id": "5448",
            "caller": "0x7ff6c28d760f",
            "parentcaller": "0x7ff6c28d748b",
            "category": "services",
            "api": "OpenServiceW",
            "status": true,
            "return": "0x292542830e0",
            "arguments": [
              {
                "name": "ServiceControlManager",
                "value": "0x292542431f0"
              },
              {
                "name": "ServiceName",
                "value": "GoogleUpdaterInternalService149.0.7814.0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000005",
                "pretty_value": "SERVICE_QUERY_CONFIG|SERVICE_QUERY_STATUS"
              }
            ],
            "repeated": 0,
            "id": 9392
          },
          {
            "timestamp": "2026-05-28 22:01:58,162",
            "thread_id": "5448",
            "caller": "0x7ff6c28d790a",
            "parentcaller": "0x7ff6c28d76df",
            "category": "misc",
            "api": "CommandLineToArgvW",
            "status": true,
            "return": "0x29254226cb0",
            "arguments": [
              {
                "name": "CommandLine",
                "value": "\"C:\\Program Files (x86)\\Google\\GoogleUpdater\\149.0.7814.0\\updater.exe\" --system --windows-service --service=update-internal"
              },
              {
                "name": "NumArgs",
                "value": "4"
              }
            ],
            "repeated": 0,
            "id": 9393
          },
          {
            "timestamp": "2026-05-28 22:01:58,162",
            "thread_id": "1276",
            "caller": "0x7ff6c28ba673",
            "parentcaller": "0x7ff6c28ba5a8",
            "category": "filesystem",
            "api": "NtReadFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000007bc"
              },
              {
                "name": "HandleName",
                "value": "C:\\ProgramData\\Microsoft\\User Account Pictures\\user.png"
              },
              {
                "name": "Buffer",
                "value": "\\x00\\x00\\x00\rIHDR"
              },
              {
                "name": "Length",
                "value": "8"
              }
            ],
            "repeated": 0,
            "id": 9394
          },
          {
            "timestamp": "2026-05-28 22:01:58,162",
            "thread_id": "5448",
            "caller": "0x7ff6c28d790a",
            "parentcaller": "0x7ff6c28d76df",
            "category": "misc",
            "api": "CommandLineToArgvW",
            "status": true,
            "return": "0x292542374d0",
            "arguments": [
              {
                "name": "CommandLine",
                "value": "\"C:\\Program Files (x86)\\Google\\GoogleUpdater\\149.0.7814.0\\updater.exe\" --system --windows-service --service=update"
              },
              {
                "name": "NumArgs",
                "value": "4"
              }
            ],
            "repeated": 0,
            "id": 9395
          },
          {
            "timestamp": "2026-05-28 22:01:58,162",
            "thread_id": "5448",
            "caller": "0x7ff6c28d760f",
            "parentcaller": "0x7ff6c28d748b",
            "category": "services",
            "api": "OpenServiceW",
            "status": true,
            "return": "0x29254282fc0",
            "arguments": [
              {
                "name": "ServiceControlManager",
                "value": "0x292542431f0"
              },
              {
                "name": "ServiceName",
                "value": "gpsvc"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000005",
                "pretty_value": "SERVICE_QUERY_CONFIG|SERVICE_QUERY_STATUS"
              }
            ],
            "repeated": 0,
            "id": 9396
          },
          {
            "timestamp": "2026-05-28 22:01:58,162",
            "thread_id": "1276",
            "caller": "0x7ff6c28ba673",
            "parentcaller": "0x7ff6c28ba5a8",
            "category": "filesystem",
            "api": "NtSetInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000007bc"
              },
              {
                "name": "HandleName",
                "value": "C:\\ProgramData\\Microsoft\\User Account Pictures\\user.png"
              },
              {
                "name": "FileInformationClass",
                "value": "14",
                "pretty_value": "FilePositionInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 9397
          },
          {
            "timestamp": "2026-05-28 22:01:58,162",
            "thread_id": "5448",
            "caller": "0x7ff6c28d790a",
            "parentcaller": "0x7ff6c28d76df",
            "category": "misc",
            "api": "CommandLineToArgvW",
            "status": true,
            "return": "0x29254220c90",
            "arguments": [
              {
                "name": "CommandLine",
                "value": "C:\\Windows\\system32\\svchost.exe -k netsvcs -p"
              },
              {
                "name": "NumArgs",
                "value": "4"
              }
            ],
            "repeated": 0,
            "id": 9398
          },
          {
            "timestamp": "2026-05-28 22:01:58,162",
            "thread_id": "1276",
            "caller": "0x7ff6c28ba673",
            "parentcaller": "0x7ff6c28ba5a8",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000007bc"
              },
              {
                "name": "HandleName",
                "value": "C:\\ProgramData\\Microsoft\\User Account Pictures\\user.png"
              },
              {
                "name": "FileInformationClass",
                "value": "14",
                "pretty_value": "FilePositionInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 9399
          },
          {
            "timestamp": "2026-05-28 22:01:58,162",
            "thread_id": "5448",
            "caller": "0x7ff6c28d760f",
            "parentcaller": "0x7ff6c28d748b",
            "category": "services",
            "api": "OpenServiceW",
            "status": true,
            "return": "0x29254282fc0",
            "arguments": [
              {
                "name": "ServiceControlManager",
                "value": "0x292542431f0"
              },
              {
                "name": "ServiceName",
                "value": "GraphicsPerfSvc"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000005",
                "pretty_value": "SERVICE_QUERY_CONFIG|SERVICE_QUERY_STATUS"
              }
            ],
            "repeated": 0,
            "id": 9400
          },
          {
            "timestamp": "2026-05-28 22:01:58,162",
            "thread_id": "1276",
            "caller": "0x7ff6c28ba673",
            "parentcaller": "0x7ff6c28ba5a8",
            "category": "filesystem",
            "api": "NtSetInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000007bc"
              },
              {
                "name": "HandleName",
                "value": "C:\\ProgramData\\Microsoft\\User Account Pictures\\user.png"
              },
              {
                "name": "FileInformationClass",
                "value": "14",
                "pretty_value": "FilePositionInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 9401
          },
          {
            "timestamp": "2026-05-28 22:01:58,162",
            "thread_id": "1276",
            "caller": "0x7ff6c28ba673",
            "parentcaller": "0x7ff6c28ba5a8",
            "category": "filesystem",
            "api": "NtReadFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000007bc"
              },
              {
                "name": "HandleName",
                "value": "C:\\ProgramData\\Microsoft\\User Account Pictures\\user.png"
              },
              {
                "name": "Buffer",
                "value": "\\x00\\x00\\x01\\xc0\\x00\\x00\\x01\\xc0\\x08\\x06\\x00\\x00\\x005%\\xb8s"
              },
              {
                "name": "Length",
                "value": "17"
              }
            ],
            "repeated": 0,
            "id": 9402
          },
          {
            "timestamp": "2026-05-28 22:01:58,162",
            "thread_id": "5448",
            "caller": "0x7ff6c28d760f",
            "parentcaller": "0x7ff6c28d748b",
            "category": "services",
            "api": "OpenServiceW",
            "status": true,
            "return": "0x29254283590",
            "arguments": [
              {
                "name": "ServiceControlManager",
                "value": "0x292542431f0"
              },
              {
                "name": "ServiceName",
                "value": "hidserv"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000005",
                "pretty_value": "SERVICE_QUERY_CONFIG|SERVICE_QUERY_STATUS"
              }
            ],
            "repeated": 0,
            "id": 9403
          },
          {
            "timestamp": "2026-05-28 22:01:58,162",
            "thread_id": "1276",
            "caller": "0x7ff6c28ba673",
            "parentcaller": "0x7ff6c28ba5a8",
            "category": "filesystem",
            "api": "NtSetInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000007bc"
              },
              {
                "name": "HandleName",
                "value": "C:\\ProgramData\\Microsoft\\User Account Pictures\\user.png"
              },
              {
                "name": "FileInformationClass",
                "value": "14",
                "pretty_value": "FilePositionInformation"
              },
              {
                "name": "FileInformation",
                "value": "!\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 9404
          },
          {
            "timestamp": "2026-05-28 22:01:58,162",
            "thread_id": "5448",
            "caller": "0x7ff6c28d790a",
            "parentcaller": "0x7ff6c28d76df",
            "category": "misc",
            "api": "CommandLineToArgvW",
            "status": true,
            "return": "0x292542345f0",
            "arguments": [
              {
                "name": "CommandLine",
                "value": "C:\\Windows\\system32\\svchost.exe -k LocalSystemNetworkRestricted -p"
              },
              {
                "name": "NumArgs",
                "value": "4"
              }
            ],
            "repeated": 0,
            "id": 9405
          },
          {
            "timestamp": "2026-05-28 22:01:58,162",
            "thread_id": "1276",
            "caller": "0x7ff6c28ba673",
            "parentcaller": "0x7ff6c28ba5a8",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000007bc"
              },
              {
                "name": "HandleName",
                "value": "C:\\ProgramData\\Microsoft\\User Account Pictures\\user.png"
              },
              {
                "name": "FileInformationClass",
                "value": "14",
                "pretty_value": "FilePositionInformation"
              },
              {
                "name": "FileInformation",
                "value": "!\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 9406
          },
          {
            "timestamp": "2026-05-28 22:01:58,162",
            "thread_id": "5448",
            "caller": "0x7ff6c28d760f",
            "parentcaller": "0x7ff6c28d748b",
            "category": "services",
            "api": "OpenServiceW",
            "status": true,
            "return": "0x292542831d0",
            "arguments": [
              {
                "name": "ServiceControlManager",
                "value": "0x292542431f0"
              },
              {
                "name": "ServiceName",
                "value": "HvHost"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000005",
                "pretty_value": "SERVICE_QUERY_CONFIG|SERVICE_QUERY_STATUS"
              }
            ],
            "repeated": 0,
            "id": 9407
          },
          {
            "timestamp": "2026-05-28 22:01:58,162",
            "thread_id": "5448",
            "caller": "0x7ff6c28d790a",
            "parentcaller": "0x7ff6c28d76df",
            "category": "misc",
            "api": "CommandLineToArgvW",
            "status": true,
            "return": "0x292542334b0",
            "arguments": [
              {
                "name": "CommandLine",
                "value": "C:\\Windows\\system32\\svchost.exe -k LocalSystemNetworkRestricted -p"
              },
              {
                "name": "NumArgs",
                "value": "4"
              }
            ],
            "repeated": 0,
            "id": 9408
          },
          {
            "timestamp": "2026-05-28 22:01:58,162",
            "thread_id": "1276",
            "caller": "0x7ff6c28ba673",
            "parentcaller": "0x7ff6c28ba5a8",
            "category": "filesystem",
            "api": "NtSetInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000007bc"
              },
              {
                "name": "HandleName",
                "value": "C:\\ProgramData\\Microsoft\\User Account Pictures\\user.png"
              },
              {
                "name": "FileInformationClass",
                "value": "14",
                "pretty_value": "FilePositionInformation"
              },
              {
                "name": "FileInformation",
                "value": "!\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 9409
          },
          {
            "timestamp": "2026-05-28 22:01:58,162",
            "thread_id": "1276",
            "caller": "0x7ff6c28ba673",
            "parentcaller": "0x7ff6c28ba5a8",
            "category": "filesystem",
            "api": "NtReadFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000007bc"
              },
              {
                "name": "HandleName",
                "value": "C:\\ProgramData\\Microsoft\\User Account Pictures\\user.png"
              },
              {
                "name": "Buffer",
                "value": "\\x00\\x00\\x00\tpHYs"
              },
              {
                "name": "Length",
                "value": "8"
              }
            ],
            "repeated": 0,
            "id": 9410
          },
          {
            "timestamp": "2026-05-28 22:01:58,162",
            "thread_id": "5448",
            "caller": "0x7ff6c28d790a",
            "parentcaller": "0x7ff6c28d76df",
            "category": "misc",
            "api": "CommandLineToArgvW",
            "status": true,
            "return": "0x292542337b0",
            "arguments": [
              {
                "name": "CommandLine",
                "value": "C:\\Windows\\system32\\svchost.exe -k LocalServiceNetworkRestricted -p"
              },
              {
                "name": "NumArgs",
                "value": "4"
              }
            ],
            "repeated": 0,
            "id": 9411
          },
          {
            "timestamp": "2026-05-28 22:01:58,162",
            "thread_id": "1276",
            "caller": "0x7ff6c28ba673",
            "parentcaller": "0x7ff6c28ba5a8",
            "category": "filesystem",
            "api": "NtSetInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000007bc"
              },
              {
                "name": "HandleName",
                "value": "C:\\ProgramData\\Microsoft\\User Account Pictures\\user.png"
              },
              {
                "name": "FileInformationClass",
                "value": "14",
                "pretty_value": "FilePositionInformation"
              },
              {
                "name": "FileInformation",
                "value": ")\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 9412
          },
          {
            "timestamp": "2026-05-28 22:01:58,162",
            "thread_id": "5448",
            "caller": "0x7ff6c28d760f",
            "parentcaller": "0x7ff6c28d748b",
            "category": "services",
            "api": "OpenServiceW",
            "status": true,
            "return": "0x29254282fc0",
            "arguments": [
              {
                "name": "ServiceControlManager",
                "value": "0x292542431f0"
              },
              {
                "name": "ServiceName",
                "value": "IKEEXT"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000005",
                "pretty_value": "SERVICE_QUERY_CONFIG|SERVICE_QUERY_STATUS"
              }
            ],
            "repeated": 0,
            "id": 9413
          },
          {
            "timestamp": "2026-05-28 22:01:58,162",
            "thread_id": "1276",
            "caller": "0x7ff6c28ba673",
            "parentcaller": "0x7ff6c28ba5a8",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000007bc"
              },
              {
                "name": "HandleName",
                "value": "C:\\ProgramData\\Microsoft\\User Account Pictures\\user.png"
              },
              {
                "name": "FileInformationClass",
                "value": "14",
                "pretty_value": "FilePositionInformation"
              },
              {
                "name": "FileInformation",
                "value": ")\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 1,
            "id": 9414
          },
          {
            "timestamp": "2026-05-28 22:01:58,162",
            "thread_id": "1276",
            "caller": "0x7ff6c28ba673",
            "parentcaller": "0x7ff6c28ba5a8",
            "category": "filesystem",
            "api": "NtReadFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000007bc"
              },
              {
                "name": "HandleName",
                "value": "C:\\ProgramData\\Microsoft\\User Account Pictures\\user.png"
              },
              {
                "name": "Buffer",
                "value": "\\x00\\x00\\x0b\\x12\\x00\\x00\\x0b\\x12\\x01\\xd2\\xdd~\\xfc"
              },
              {
                "name": "Length",
                "value": "13"
              }
            ],
            "repeated": 0,
            "id": 9415
          },
          {
            "timestamp": "2026-05-28 22:01:58,162",
            "thread_id": "1276",
            "caller": "0x7ff6c28ba673",
            "parentcaller": "0x7ff6c28ba5a8",
            "category": "filesystem",
            "api": "NtSetInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000007bc"
              },
              {
                "name": "HandleName",
                "value": "C:\\ProgramData\\Microsoft\\User Account Pictures\\user.png"
              },
              {
                "name": "FileInformationClass",
                "value": "14",
                "pretty_value": "FilePositionInformation"
              },
              {
                "name": "FileInformation",
                "value": "6\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 1,
            "id": 9416
          },
          {
            "timestamp": "2026-05-28 22:01:58,162",
            "thread_id": "1496",
            "caller": "0x7ff6c28c14f5",
            "parentcaller": "0x7ff6c28eeefd",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc6ab1a000"
              },
              {
                "name": "ModuleName",
                "value": "DUser.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 9417
          },
          {
            "timestamp": "2026-05-28 22:01:58,162",
            "thread_id": "1496",
            "caller": "0x7ff6c28c14f5",
            "parentcaller": "0x7ff6c28eeefd",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc6ab1a000"
              },
              {
                "name": "ModuleName",
                "value": "DUser.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 9418
          },
          {
            "timestamp": "2026-05-28 22:01:58,162",
            "thread_id": "1276",
            "caller": "0x7ff6c28ba673",
            "parentcaller": "0x7ff6c28ba5a8",
            "category": "filesystem",
            "api": "NtReadFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000007bc"
              },
              {
                "name": "HandleName",
                "value": "C:\\ProgramData\\Microsoft\\User Account Pictures\\user.png"
              },
              {
                "name": "Buffer",
                "value": "\\x00\\x00\\x17WIDAT"
              },
              {
                "name": "Length",
                "value": "8"
              }
            ],
            "repeated": 0,
            "id": 9419
          },
          {
            "timestamp": "2026-05-28 22:01:58,162",
            "thread_id": "1276",
            "caller": "0x7ff6c28ba24f",
            "parentcaller": "0x7ff6c28b9ff0",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29253b9f000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 9420
          },
          {
            "timestamp": "2026-05-28 22:01:58,162",
            "thread_id": "1276",
            "caller": "0x7ff6c28ba24f",
            "parentcaller": "0x7ff6c28b9ff0",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29253ba0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 9421
          },
          {
            "timestamp": "2026-05-28 22:01:58,162",
            "thread_id": "1276",
            "caller": "0x7ff6c28ba143",
            "parentcaller": "0x7ff6c28ba006",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29253ba1000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 9422
          },
          {
            "timestamp": "2026-05-28 22:01:58,162",
            "thread_id": "1276",
            "caller": "0x7ff6c28ba143",
            "parentcaller": "0x7ff6c28ba006",
            "category": "filesystem",
            "api": "NtSetInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000007bc"
              },
              {
                "name": "HandleName",
                "value": "C:\\ProgramData\\Microsoft\\User Account Pictures\\user.png"
              },
              {
                "name": "FileInformationClass",
                "value": "14",
                "pretty_value": "FilePositionInformation"
              },
              {
                "name": "FileInformation",
                "value": "6\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 2,
            "id": 9423
          },
          {
            "timestamp": "2026-05-28 22:01:58,178",
            "thread_id": "1276",
            "caller": "0x7ff6c28ba143",
            "parentcaller": "0x7ff6c28ba006",
            "category": "filesystem",
            "api": "NtReadFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000007bc"
              },
              {
                "name": "HandleName",
                "value": "C:\\ProgramData\\Microsoft\\User Account Pictures\\user.png"
              },
              {
                "name": "Buffer",
                "value": "\\x00\\x00\\x17WIDAT"
              },
              {
                "name": "Length",
                "value": "8"
              }
            ],
            "repeated": 0,
            "id": 9424
          },
          {
            "timestamp": "2026-05-28 22:01:58,178",
            "thread_id": "5448",
            "caller": "0x7ff6c28d760f",
            "parentcaller": "0x7ff6c28d748b",
            "category": "services",
            "api": "OpenServiceW",
            "status": true,
            "return": "0x292542835f0",
            "arguments": [
              {
                "name": "ServiceControlManager",
                "value": "0x292542431f0"
              },
              {
                "name": "ServiceName",
                "value": "lmhosts"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000005",
                "pretty_value": "SERVICE_QUERY_CONFIG|SERVICE_QUERY_STATUS"
              }
            ],
            "repeated": 0,
            "id": 9425
          },
          {
            "timestamp": "2026-05-28 22:01:58,178",
            "thread_id": "5448",
            "caller": "0x7ff6c28d790a",
            "parentcaller": "0x7ff6c28d76df",
            "category": "misc",
            "api": "CommandLineToArgvW",
            "status": true,
            "return": "0x292542343b0",
            "arguments": [
              {
                "name": "CommandLine",
                "value": "C:\\Windows\\System32\\svchost.exe -k LocalServiceNetworkRestricted -p"
              },
              {
                "name": "NumArgs",
                "value": "4"
              }
            ],
            "repeated": 0,
            "id": 9426
          },
          {
            "timestamp": "2026-05-28 22:01:58,178",
            "thread_id": "5448",
            "caller": "0x7ff6c28d760f",
            "parentcaller": "0x7ff6c28d748b",
            "category": "services",
            "api": "OpenServiceW",
            "status": true,
            "return": "0x292542835f0",
            "arguments": [
              {
                "name": "ServiceControlManager",
                "value": "0x292542431f0"
              },
              {
                "name": "ServiceName",
                "value": "LSM"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000005",
                "pretty_value": "SERVICE_QUERY_CONFIG|SERVICE_QUERY_STATUS"
              }
            ],
            "repeated": 0,
            "id": 9427
          },
          {
            "timestamp": "2026-05-28 22:01:58,178",
            "thread_id": "1276",
            "caller": "0x7ff6c28ba143",
            "parentcaller": "0x7ff6c28ba006",
            "category": "filesystem",
            "api": "NtSetInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000007bc"
              },
              {
                "name": "HandleName",
                "value": "C:\\ProgramData\\Microsoft\\User Account Pictures\\user.png"
              },
              {
                "name": "FileInformationClass",
                "value": "14",
                "pretty_value": "FilePositionInformation"
              },
              {
                "name": "FileInformation",
                "value": "6\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 9428
          },
          {
            "timestamp": "2026-05-28 22:01:58,178",
            "thread_id": "1276",
            "caller": "0x7ff6c28ba143",
            "parentcaller": "0x7ff6c28ba006",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29253ba2000"
              },
              {
                "name": "RegionSize",
                "value": "0x00002000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 9429
          },
          {
            "timestamp": "2026-05-28 22:01:58,178",
            "thread_id": "5448",
            "caller": "0x7ff6c28d790a",
            "parentcaller": "0x7ff6c28d76df",
            "category": "misc",
            "api": "CommandLineToArgvW",
            "status": true,
            "return": "0x292542750f0",
            "arguments": [
              {
                "name": "CommandLine",
                "value": "C:\\Windows\\system32\\svchost.exe -k DcomLaunch -p"
              },
              {
                "name": "NumArgs",
                "value": "4"
              }
            ],
            "repeated": 0,
            "id": 9430
          },
          {
            "timestamp": "2026-05-28 22:01:58,178",
            "thread_id": "5448",
            "caller": "0x7ff6c28d760f",
            "parentcaller": "0x7ff6c28d748b",
            "category": "services",
            "api": "OpenServiceW",
            "status": true,
            "return": "0x292542835f0",
            "arguments": [
              {
                "name": "ServiceControlManager",
                "value": "0x292542431f0"
              },
              {
                "name": "ServiceName",
                "value": "LxpSvc"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000005",
                "pretty_value": "SERVICE_QUERY_CONFIG|SERVICE_QUERY_STATUS"
              }
            ],
            "repeated": 0,
            "id": 9431
          },
          {
            "timestamp": "2026-05-28 22:01:58,178",
            "thread_id": "5448",
            "caller": "0x7ff6c28d790a",
            "parentcaller": "0x7ff6c28d76df",
            "category": "misc",
            "api": "CommandLineToArgvW",
            "status": true,
            "return": "0x29254278210",
            "arguments": [
              {
                "name": "CommandLine",
                "value": "C:\\Windows\\system32\\svchost.exe -k netsvcs"
              },
              {
                "name": "NumArgs",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 9432
          },
          {
            "timestamp": "2026-05-28 22:01:58,178",
            "thread_id": "5448",
            "caller": "0x7ff6c28d760f",
            "parentcaller": "0x7ff6c28d748b",
            "category": "services",
            "api": "OpenServiceW",
            "status": true,
            "return": "0x292542835f0",
            "arguments": [
              {
                "name": "ServiceControlManager",
                "value": "0x292542431f0"
              },
              {
                "name": "ServiceName",
                "value": "MapsBroker"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000005",
                "pretty_value": "SERVICE_QUERY_CONFIG|SERVICE_QUERY_STATUS"
              }
            ],
            "repeated": 0,
            "id": 9433
          },
          {
            "timestamp": "2026-05-28 22:01:58,178",
            "thread_id": "1276",
            "caller": "0x7ff6c28ba143",
            "parentcaller": "0x7ff6c28ba006",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000007bc"
              },
              {
                "name": "HandleName",
                "value": "C:\\ProgramData\\Microsoft\\User Account Pictures\\user.png"
              },
              {
                "name": "FileInformationClass",
                "value": "14",
                "pretty_value": "FilePositionInformation"
              },
              {
                "name": "FileInformation",
                "value": "6\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 9434
          },
          {
            "timestamp": "2026-05-28 22:01:58,178",
            "thread_id": "5448",
            "caller": "0x7ff6c28d790a",
            "parentcaller": "0x7ff6c28d76df",
            "category": "misc",
            "api": "CommandLineToArgvW",
            "status": true,
            "return": "0x29254275190",
            "arguments": [
              {
                "name": "CommandLine",
                "value": "C:\\Windows\\System32\\svchost.exe -k NetworkService -p"
              },
              {
                "name": "NumArgs",
                "value": "4"
              }
            ],
            "repeated": 0,
            "id": 9435
          },
          {
            "timestamp": "2026-05-28 22:01:58,178",
            "thread_id": "5448",
            "caller": "0x7ff6c28d760f",
            "parentcaller": "0x7ff6c28d748b",
            "category": "services",
            "api": "OpenServiceW",
            "status": true,
            "return": "0x292542835f0",
            "arguments": [
              {
                "name": "ServiceControlManager",
                "value": "0x292542431f0"
              },
              {
                "name": "ServiceName",
                "value": "McpManagementService"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000005",
                "pretty_value": "SERVICE_QUERY_CONFIG|SERVICE_QUERY_STATUS"
              }
            ],
            "repeated": 0,
            "id": 9436
          },
          {
            "timestamp": "2026-05-28 22:01:58,178",
            "thread_id": "1276",
            "caller": "0x7ff6c28ba143",
            "parentcaller": "0x7ff6c28ba006",
            "category": "filesystem",
            "api": "NtSetInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000007bc"
              },
              {
                "name": "HandleName",
                "value": "C:\\ProgramData\\Microsoft\\User Account Pictures\\user.png"
              },
              {
                "name": "FileInformationClass",
                "value": "14",
                "pretty_value": "FilePositionInformation"
              },
              {
                "name": "FileInformation",
                "value": "6\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 9437
          },
          {
            "timestamp": "2026-05-28 22:01:58,178",
            "thread_id": "5448",
            "caller": "0x7ff6c28d790a",
            "parentcaller": "0x7ff6c28d76df",
            "category": "misc",
            "api": "CommandLineToArgvW",
            "status": true,
            "return": "0x29254289290",
            "arguments": [
              {
                "name": "CommandLine",
                "value": "C:\\Windows\\system32\\svchost.exe -k McpManagementServiceGroup"
              },
              {
                "name": "NumArgs",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 9438
          },
          {
            "timestamp": "2026-05-28 22:01:58,178",
            "thread_id": "1276",
            "caller": "0x7ff6c28ba143",
            "parentcaller": "0x7ff6c28ba006",
            "category": "filesystem",
            "api": "NtReadFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000007bc"
              },
              {
                "name": "HandleName",
                "value": "C:\\ProgramData\\Microsoft\\User Account Pictures\\user.png"
              },
              {
                "name": "Buffer",
                "value": "\\x00\\x00\\x17WIDATx\\x9c\\xed\\xdd-\\x90]E\\x1a\\x06\\xe0\\xcb\\xd6\\xaa\\x8d\\x1d4\\xb1\\xc4N\\xb0\\x8c%:\\xb1\\x89&\\x06\\x01\\x8a*P\\xd9*\\x14\\x08L\\xd0`A\\x13\\x1b\\xecNl\\xc6\\x0e&\\x86\\xb1\\xc1\\xb2\\xf5\\xcer\\xb3!$\\x93\\xf9\\xe9\\xee\\xd3\\xe7~\\xcfSu+(&\\xd3\\xdd9\\xef\\xed>\\xdd_\\xbf\\xf3\\xec\\xd9\\xb3?6\\x00P\\xcc?t8\\x00\\x15\t@\\x00J\\x12\\x80\\x00\\x94$\\x00\\x01(I\\x00\\x02P\\x92\\x00\\x04\\xa0$\\x01\\x08@I\\x02\\x10\\x80\\x92\\x04 \\x00%\t@\\x00J\\x12\\x80\\x00\\x94$\\x00\\x01(I\\x00\\x02P\\x92\\x00\\x04\\xa0$\\x01\\x08@I\\x02\\x10\\x80\\x92\\x04 \\x00%\t@\\x00J\\x12\\x80\\x00\\x94$\\x00\\x01(I\\x00\\x02P\\x92\\x00\\x04\\xa0$\\x01\\x08@I\\x02\\x10\\x80\\x92\\x04 \\x00%\t@\\x00J\\x12\\x80\\x00\\x94$\\x00\\x01(I\\x00\\x02P\\x92\\x00\\x04\\xa0$\\x01\\x08@I\\x02\\x10\\x80\\x92\\x04 \\x00%\t@\\x00J\\x12\\x80\\x00\\x94$\\x00\\x01(I\\x00\\x02P\\x92\\x00\\x04\\xa0$\\x01"
              },
              {
                "name": "Length",
                "value": "5120"
              }
            ],
            "repeated": 0,
            "id": 9439
          },
          {
            "timestamp": "2026-05-28 22:01:58,178",
            "thread_id": "5448",
            "caller": "0x7ff6c28d790a",
            "parentcaller": "0x7ff6c28d76df",
            "category": "misc",
            "api": "CommandLineToArgvW",
            "status": true,
            "return": "0x2925421f610",
            "arguments": [
              {
                "name": "CommandLine",
                "value": "C:\\Windows\\system32\\svchost.exe -k UnistackSvcGroup"
              },
              {
                "name": "NumArgs",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 9440
          },
          {
            "timestamp": "2026-05-28 22:01:58,178",
            "thread_id": "5448",
            "caller": "0x7ff6c28d760f",
            "parentcaller": "0x7ff6c28d748b",
            "category": "services",
            "api": "OpenServiceW",
            "status": true,
            "return": "0x292542835f0",
            "arguments": [
              {
                "name": "ServiceControlManager",
                "value": "0x292542431f0"
              },
              {
                "name": "ServiceName",
                "value": "MicrosoftEdgeElevationService"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000005",
                "pretty_value": "SERVICE_QUERY_CONFIG|SERVICE_QUERY_STATUS"
              }
            ],
            "repeated": 0,
            "id": 9441
          },
          {
            "timestamp": "2026-05-28 22:01:58,178",
            "thread_id": "5448",
            "caller": "0x7ff6c28d790a",
            "parentcaller": "0x7ff6c28d76df",
            "category": "misc",
            "api": "CommandLineToArgvW",
            "status": true,
            "return": "0x2925422fa80",
            "arguments": [
              {
                "name": "CommandLine",
                "value": "\"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\148.0.3967.83\\elevation_service.exe\""
              },
              {
                "name": "NumArgs",
                "value": "1"
              }
            ],
            "repeated": 0,
            "id": 9442
          },
          {
            "timestamp": "2026-05-28 22:01:58,178",
            "thread_id": "5448",
            "caller": "0x7ff6c28d760f",
            "parentcaller": "0x7ff6c28d748b",
            "category": "services",
            "api": "OpenServiceW",
            "status": true,
            "return": "0x292542835f0",
            "arguments": [
              {
                "name": "ServiceControlManager",
                "value": "0x292542431f0"
              },
              {
                "name": "ServiceName",
                "value": "MixedRealityOpenXRSvc"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000005",
                "pretty_value": "SERVICE_QUERY_CONFIG|SERVICE_QUERY_STATUS"
              }
            ],
            "repeated": 0,
            "id": 9443
          },
          {
            "timestamp": "2026-05-28 22:01:58,178",
            "thread_id": "5448",
            "caller": "0x7ff6c28d790a",
            "parentcaller": "0x7ff6c28d76df",
            "category": "misc",
            "api": "CommandLineToArgvW",
            "status": true,
            "return": "0x29254235070",
            "arguments": [
              {
                "name": "CommandLine",
                "value": "C:\\Windows\\system32\\svchost.exe -k LocalSystemNetworkRestricted -p"
              },
              {
                "name": "NumArgs",
                "value": "4"
              }
            ],
            "repeated": 0,
            "id": 9444
          },
          {
            "timestamp": "2026-05-28 22:01:58,178",
            "thread_id": "5448",
            "caller": "0x7ff6c28d760f",
            "parentcaller": "0x7ff6c28d748b",
            "category": "services",
            "api": "OpenServiceW",
            "status": true,
            "return": "0x292542835f0",
            "arguments": [
              {
                "name": "ServiceControlManager",
                "value": "0x292542431f0"
              },
              {
                "name": "ServiceName",
                "value": "mpssvc"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000005",
                "pretty_value": "SERVICE_QUERY_CONFIG|SERVICE_QUERY_STATUS"
              }
            ],
            "repeated": 0,
            "id": 9445
          },
          {
            "timestamp": "2026-05-28 22:01:58,178",
            "thread_id": "5448",
            "caller": "0x7ff6c28d790a",
            "parentcaller": "0x7ff6c28d76df",
            "category": "misc",
            "api": "CommandLineToArgvW",
            "status": true,
            "return": "0x292542337b0",
            "arguments": [
              {
                "name": "CommandLine",
                "value": "C:\\Windows\\system32\\svchost.exe -k LocalServiceNoNetworkFirewall -p"
              },
              {
                "name": "NumArgs",
                "value": "4"
              }
            ],
            "repeated": 0,
            "id": 9446
          },
          {
            "timestamp": "2026-05-28 22:01:58,178",
            "thread_id": "5448",
            "caller": "0x7ff6c28d760f",
            "parentcaller": "0x7ff6c28d748b",
            "category": "services",
            "api": "OpenServiceW",
            "status": true,
            "return": "0x292542835f0",
            "arguments": [
              {
                "name": "ServiceControlManager",
                "value": "0x292542431f0"
              },
              {
                "name": "ServiceName",
                "value": "MSDTC"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000005",
                "pretty_value": "SERVICE_QUERY_CONFIG|SERVICE_QUERY_STATUS"
              }
            ],
            "repeated": 0,
            "id": 9447
          },
          {
            "timestamp": "2026-05-28 22:01:58,178",
            "thread_id": "5448",
            "caller": "0x7ff6c28d790a",
            "parentcaller": "0x7ff6c28d76df",
            "category": "misc",
            "api": "CommandLineToArgvW",
            "status": true,
            "return": "0x2925428e070",
            "arguments": [
              {
                "name": "CommandLine",
                "value": "C:\\Windows\\System32\\msdtc.exe"
              },
              {
                "name": "NumArgs",
                "value": "1"
              }
            ],
            "repeated": 0,
            "id": 9448
          },
          {
            "timestamp": "2026-05-28 22:01:58,178",
            "thread_id": "5448",
            "caller": "0x7ff6c28d760f",
            "parentcaller": "0x7ff6c28d748b",
            "category": "services",
            "api": "OpenServiceW",
            "status": true,
            "return": "0x292542835f0",
            "arguments": [
              {
                "name": "ServiceControlManager",
                "value": "0x292542431f0"
              },
              {
                "name": "ServiceName",
                "value": "MSiSCSI"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000005",
                "pretty_value": "SERVICE_QUERY_CONFIG|SERVICE_QUERY_STATUS"
              }
            ],
            "repeated": 0,
            "id": 9449
          },
          {
            "timestamp": "2026-05-28 22:01:58,178",
            "thread_id": "1276",
            "caller": "0x7ff6c28ba143",
            "parentcaller": "0x7ff6c28ba006",
            "category": "filesystem",
            "api": "NtSetInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000007bc"
              },
              {
                "name": "HandleName",
                "value": "C:\\ProgramData\\Microsoft\\User Account Pictures\\user.png"
              },
              {
                "name": "FileInformationClass",
                "value": "14",
                "pretty_value": "FilePositionInformation"
              },
              {
                "name": "FileInformation",
                "value": "6\\x14\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 9450
          },
          {
            "timestamp": "2026-05-28 22:01:58,178",
            "thread_id": "5448",
            "caller": "0x7ff6c28d790a",
            "parentcaller": "0x7ff6c28d76df",
            "category": "misc",
            "api": "CommandLineToArgvW",
            "status": true,
            "return": "0x29254220930",
            "arguments": [
              {
                "name": "CommandLine",
                "value": "C:\\Windows\\system32\\svchost.exe -k netsvcs -p"
              },
              {
                "name": "NumArgs",
                "value": "4"
              }
            ],
            "repeated": 0,
            "id": 9451
          },
          {
            "timestamp": "2026-05-28 22:01:58,178",
            "thread_id": "5448",
            "caller": "0x7ff6c28d760f",
            "parentcaller": "0x7ff6c28d748b",
            "category": "services",
            "api": "OpenServiceW",
            "status": true,
            "return": "0x292542835f0",
            "arguments": [
              {
                "name": "ServiceControlManager",
                "value": "0x292542431f0"
              },
              {
                "name": "ServiceName",
                "value": "msiserver"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000005",
                "pretty_value": "SERVICE_QUERY_CONFIG|SERVICE_QUERY_STATUS"
              }
            ],
            "repeated": 0,
            "id": 9452
          },
          {
            "timestamp": "2026-05-28 22:01:58,178",
            "thread_id": "1276",
            "caller": "0x7ff6c28ba143",
            "parentcaller": "0x7ff6c28ba006",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000007bc"
              },
              {
                "name": "HandleName",
                "value": "C:\\ProgramData\\Microsoft\\User Account Pictures\\user.png"
              },
              {
                "name": "FileInformationClass",
                "value": "14",
                "pretty_value": "FilePositionInformation"
              },
              {
                "name": "FileInformation",
                "value": "6\\x14\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 9453
          },
          {
            "timestamp": "2026-05-28 22:01:58,178",
            "thread_id": "5448",
            "caller": "0x7ff6c28d790a",
            "parentcaller": "0x7ff6c28d76df",
            "category": "misc",
            "api": "CommandLineToArgvW",
            "status": true,
            "return": "0x292541d3260",
            "arguments": [
              {
                "name": "CommandLine",
                "value": "C:\\Windows\\system32\\msiexec.exe /V"
              },
              {
                "name": "NumArgs",
                "value": "2"
              }
            ],
            "repeated": 0,
            "id": 9454
          },
          {
            "timestamp": "2026-05-28 22:01:58,178",
            "thread_id": "1276",
            "caller": "0x7ff6c28ba143",
            "parentcaller": "0x7ff6c28ba006",
            "category": "filesystem",
            "api": "NtSetInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000007bc"
              },
              {
                "name": "HandleName",
                "value": "C:\\ProgramData\\Microsoft\\User Account Pictures\\user.png"
              },
              {
                "name": "FileInformationClass",
                "value": "14",
                "pretty_value": "FilePositionInformation"
              },
              {
                "name": "FileInformation",
                "value": "6\\x14\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 9455
          },
          {
            "timestamp": "2026-05-28 22:01:58,178",
            "thread_id": "5448",
            "caller": "0x7ff6c28d760f",
            "parentcaller": "0x7ff6c28d748b",
            "category": "services",
            "api": "OpenServiceW",
            "status": true,
            "return": "0x292542835f0",
            "arguments": [
              {
                "name": "ServiceControlManager",
                "value": "0x292542431f0"
              },
              {
                "name": "ServiceName",
                "value": "MsKeyboardFilter"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000005",
                "pretty_value": "SERVICE_QUERY_CONFIG|SERVICE_QUERY_STATUS"
              }
            ],
            "repeated": 0,
            "id": 9456
          },
          {
            "timestamp": "2026-05-28 22:01:58,178",
            "thread_id": "1276",
            "caller": "0x7ff6c28ba143",
            "parentcaller": "0x7ff6c28ba006",
            "category": "filesystem",
            "api": "NtReadFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000007bc"
              },
              {
                "name": "HandleName",
                "value": "C:\\ProgramData\\Microsoft\\User Account Pictures\\user.png"
              },
              {
                "name": "Buffer",
                "value": "\\x1b\\x15\\xdc\\xf7G/\\x19[\\xad6\\xc3d\\xcc;\\x14\\x8f\\x00,\\xae\\xe57\\xe1\\x96\\x0f(xU\\xeb/Xf\\x81\\x08\\xc0\\xe2\\x9e>}\\xda\\xac\\x01\\xcc\\xfe\\xe8\\xad\\xe5\\x18k9\\xf6Y'\\x01X\\\\xcb\\x87\\x80\\xca/\\xf4\\xd6r\\x8c\t@\\x04`ay\\x07\\xd2\\xea\\xf8\\xc3\\xfe\\xfe\\xbe\\xe5O\\xba\\xcb\\x18\\xcbXk!c\\xdf{\\xc0\\xda\\x04`a-\\xdf\\x81\\x98\\xfd1J\\xcb\\xb1\\xe6=`m\\x02\\xb0\\xb0\\xe3\\xe3\\xe3f\\xbf\\xbc\\xf7\\x7f\\x8c\\xd22\\x00[\\xfe\\x1b`}\\x04`a\\xad\\x8e?\\xa4Z\\xbf\\xc3\\xef\\x8c\\x92\\x9b\\xe2[\\xdd\\x10\\xa1\"Lm\\x02\\xb0\\xb0V\\xcb?y \\xc1H\\xad\\xc6\\x9c%\\xd0\\xda\\x04`Q-\\xbf\\xf9z\\xff\\xc7h-\\xc7\\x9cY`]\\x02\\xb0\\xa8\\x96\\xbb\\xdf\\xcc\\x00\\x19\\xad\\xe5\\x98\\xb3\\x13\\xb4.\\x01X\\x94\\x19 kf\\x06H\\x0b\\x02\\xb0\\xa8V\\xdfz\\xcd\\xfeXJ\\xab\\xb1g\\x06X\\x97\\x00,J\\x00\\xb2v\\x02\\x90\\xab\\x12\\x80E\\xb5Z\\xf6q\\xfc\\x81\\xa5\\xb4\\x1a{\\x96@\\xeb\\x12\\x80E\\xfd\\xfe\\xfb\\xef"
              },
              {
                "name": "Length",
                "value": "863"
              }
            ],
            "repeated": 0,
            "id": 9457
          },
          {
            "timestamp": "2026-05-28 22:01:58,178",
            "thread_id": "5448",
            "caller": "0x7ff6c28d790a",
            "parentcaller": "0x7ff6c28d76df",
            "category": "misc",
            "api": "CommandLineToArgvW",
            "status": true,
            "return": "0x292542208a0",
            "arguments": [
              {
                "name": "CommandLine",
                "value": "C:\\Windows\\system32\\svchost.exe -k netsvcs -p"
              },
              {
                "name": "NumArgs",
                "value": "4"
              }
            ],
            "repeated": 0,
            "id": 9458
          },
          {
            "timestamp": "2026-05-28 22:01:58,178",
            "thread_id": "5448",
            "caller": "0x7ff6c28d760f",
            "parentcaller": "0x7ff6c28d748b",
            "category": "services",
            "api": "OpenServiceW",
            "status": true,
            "return": "0x292542835f0",
            "arguments": [
              {
                "name": "ServiceControlManager",
                "value": "0x292542431f0"
              },
              {
                "name": "ServiceName",
                "value": "NaturalAuthentication"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000005",
                "pretty_value": "SERVICE_QUERY_CONFIG|SERVICE_QUERY_STATUS"
              }
            ],
            "repeated": 0,
            "id": 9459
          },
          {
            "timestamp": "2026-05-28 22:01:58,178",
            "thread_id": "5448",
            "caller": "0x7ff6c28d790a",
            "parentcaller": "0x7ff6c28d76df",
            "category": "misc",
            "api": "CommandLineToArgvW",
            "status": true,
            "return": "0x2925421fd60",
            "arguments": [
              {
                "name": "CommandLine",
                "value": "C:\\Windows\\system32\\svchost.exe -k netsvcs -p"
              },
              {
                "name": "NumArgs",
                "value": "4"
              }
            ],
            "repeated": 0,
            "id": 9460
          },
          {
            "timestamp": "2026-05-28 22:01:58,178",
            "thread_id": "5448",
            "caller": "0x7ff6c28d760f",
            "parentcaller": "0x7ff6c28d748b",
            "category": "services",
            "api": "OpenServiceW",
            "status": true,
            "return": "0x292542835f0",
            "arguments": [
              {
                "name": "ServiceControlManager",
                "value": "0x292542431f0"
              },
              {
                "name": "ServiceName",
                "value": "NcaSvc"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000005",
                "pretty_value": "SERVICE_QUERY_CONFIG|SERVICE_QUERY_STATUS"
              }
            ],
            "repeated": 0,
            "id": 9461
          },
          {
            "timestamp": "2026-05-28 22:01:58,178",
            "thread_id": "5448",
            "caller": "0x7ff6c28d790a",
            "parentcaller": "0x7ff6c28d76df",
            "category": "misc",
            "api": "CommandLineToArgvW",
            "status": true,
            "return": "0x2925421f580",
            "arguments": [
              {
                "name": "CommandLine",
                "value": "C:\\Windows\\System32\\svchost.exe -k NetSvcs -p"
              },
              {
                "name": "NumArgs",
                "value": "4"
              }
            ],
            "repeated": 0,
            "id": 9462
          },
          {
            "timestamp": "2026-05-28 22:01:58,178",
            "thread_id": "1276",
            "caller": "0x7ff6c28b3747",
            "parentcaller": "0x7ff6c28ba5eb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000007bc"
              }
            ],
            "repeated": 0,
            "id": 9463
          },
          {
            "timestamp": "2026-05-28 22:01:58,178",
            "thread_id": "5448",
            "caller": "0x7ff6c28d760f",
            "parentcaller": "0x7ff6c28d748b",
            "category": "services",
            "api": "OpenServiceW",
            "status": true,
            "return": "0x292542835f0",
            "arguments": [
              {
                "name": "ServiceControlManager",
                "value": "0x292542431f0"
              },
              {
                "name": "ServiceName",
                "value": "NcbService"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000005",
                "pretty_value": "SERVICE_QUERY_CONFIG|SERVICE_QUERY_STATUS"
              }
            ],
            "repeated": 0,
            "id": 9464
          },
          {
            "timestamp": "2026-05-28 22:01:58,178",
            "thread_id": "5448",
            "caller": "0x7ff6c28d790a",
            "parentcaller": "0x7ff6c28d76df",
            "category": "misc",
            "api": "CommandLineToArgvW",
            "status": true,
            "return": "0x29254233cf0",
            "arguments": [
              {
                "name": "CommandLine",
                "value": "C:\\Windows\\System32\\svchost.exe -k LocalSystemNetworkRestricted -p"
              },
              {
                "name": "NumArgs",
                "value": "4"
              }
            ],
            "repeated": 0,
            "id": 9465
          },
          {
            "timestamp": "2026-05-28 22:01:58,178",
            "thread_id": "5448",
            "caller": "0x7ff6c28d760f",
            "parentcaller": "0x7ff6c28d748b",
            "category": "services",
            "api": "OpenServiceW",
            "status": true,
            "return": "0x292542835f0",
            "arguments": [
              {
                "name": "ServiceControlManager",
                "value": "0x292542431f0"
              },
              {
                "name": "ServiceName",
                "value": "NcdAutoSetup"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000005",
                "pretty_value": "SERVICE_QUERY_CONFIG|SERVICE_QUERY_STATUS"
              }
            ],
            "repeated": 0,
            "id": 9466
          },
          {
            "timestamp": "2026-05-28 22:01:58,178",
            "thread_id": "5448",
            "caller": "0x7ff6c28d790a",
            "parentcaller": "0x7ff6c28d76df",
            "category": "misc",
            "api": "CommandLineToArgvW",
            "status": true,
            "return": "0x29254289a20",
            "arguments": [
              {
                "name": "CommandLine",
                "value": "C:\\Windows\\System32\\svchost.exe -k LocalServiceNoNetwork -p"
              },
              {
                "name": "NumArgs",
                "value": "4"
              }
            ],
            "repeated": 0,
            "id": 9467
          },
          {
            "timestamp": "2026-05-28 22:01:58,178",
            "thread_id": "5448",
            "caller": "0x7ff6c28d760f",
            "parentcaller": "0x7ff6c28d748b",
            "category": "services",
            "api": "OpenServiceW",
            "status": true,
            "return": "0x292542835f0",
            "arguments": [
              {
                "name": "ServiceControlManager",
                "value": "0x292542431f0"
              },
              {
                "name": "ServiceName",
                "value": "Netlogon"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000005",
                "pretty_value": "SERVICE_QUERY_CONFIG|SERVICE_QUERY_STATUS"
              }
            ],
            "repeated": 0,
            "id": 9468
          },
          {
            "timestamp": "2026-05-28 22:01:58,178",
            "thread_id": "5448",
            "caller": "0x7ff6c28d790a",
            "parentcaller": "0x7ff6c28d76df",
            "category": "misc",
            "api": "CommandLineToArgvW",
            "status": true,
            "return": "0x2925428df50",
            "arguments": [
              {
                "name": "CommandLine",
                "value": "C:\\Windows\\system32\\lsass.exe"
              },
              {
                "name": "NumArgs",
                "value": "1"
              }
            ],
            "repeated": 0,
            "id": 9469
          },
          {
            "timestamp": "2026-05-28 22:01:58,178",
            "thread_id": "5448",
            "caller": "0x7ff6c28d760f",
            "parentcaller": "0x7ff6c28d748b",
            "category": "services",
            "api": "OpenServiceW",
            "status": true,
            "return": "0x292542835f0",
            "arguments": [
              {
                "name": "ServiceControlManager",
                "value": "0x292542431f0"
              },
              {
                "name": "ServiceName",
                "value": "Netman"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000005",
                "pretty_value": "SERVICE_QUERY_CONFIG|SERVICE_QUERY_STATUS"
              }
            ],
            "repeated": 0,
            "id": 9470
          },
          {
            "timestamp": "2026-05-28 22:01:58,178",
            "thread_id": "5448",
            "caller": "0x7ff6c28d790a",
            "parentcaller": "0x7ff6c28d76df",
            "category": "misc",
            "api": "CommandLineToArgvW",
            "status": true,
            "return": "0x29254235070",
            "arguments": [
              {
                "name": "CommandLine",
                "value": "C:\\Windows\\System32\\svchost.exe -k LocalSystemNetworkRestricted -p"
              },
              {
                "name": "NumArgs",
                "value": "4"
              }
            ],
            "repeated": 0,
            "id": 9471
          },
          {
            "timestamp": "2026-05-28 22:01:58,178",
            "thread_id": "5448",
            "caller": "0x7ff6c28d760f",
            "parentcaller": "0x7ff6c28d748b",
            "category": "services",
            "api": "OpenServiceW",
            "status": true,
            "return": "0x292542835f0",
            "arguments": [
              {
                "name": "ServiceControlManager",
                "value": "0x292542431f0"
              },
              {
                "name": "ServiceName",
                "value": "netprofm"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000005",
                "pretty_value": "SERVICE_QUERY_CONFIG|SERVICE_QUERY_STATUS"
              }
            ],
            "repeated": 0,
            "id": 9472
          },
          {
            "timestamp": "2026-05-28 22:01:58,178",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "2155FEE3-2419-4373-B102-6843707EB41F"
              },
              {
                "name": "ClsContext",
                "value": "0x00000001",
                "pretty_value": "CLSCTX_INPROC_SERVER"
              },
              {
                "name": "riid",
                "value": "F676C15D-596A-4CE2-8234-33996F445DB1"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 9473
          },
          {
            "timestamp": "2026-05-28 22:01:58,178",
            "thread_id": "5448",
            "caller": "0x7ff6c28d790a",
            "parentcaller": "0x7ff6c28d76df",
            "category": "misc",
            "api": "CommandLineToArgvW",
            "status": true,
            "return": "0x2925428cb80",
            "arguments": [
              {
                "name": "CommandLine",
                "value": "C:\\Windows\\System32\\svchost.exe -k LocalService -p"
              },
              {
                "name": "NumArgs",
                "value": "4"
              }
            ],
            "repeated": 0,
            "id": 9474
          },
          {
            "timestamp": "2026-05-28 22:01:58,178",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000001",
                "pretty_value": "HKEY_CURRENT_USER"
              },
              {
                "name": "SubKey",
                "value": "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\ThumbnailCache"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\ThumbnailCache"
              }
            ],
            "repeated": 0,
            "id": 9475
          },
          {
            "timestamp": "2026-05-28 22:01:58,178",
            "thread_id": "5448",
            "caller": "0x7ff6c28d760f",
            "parentcaller": "0x7ff6c28d748b",
            "category": "services",
            "api": "OpenServiceW",
            "status": true,
            "return": "0x29254283d40",
            "arguments": [
              {
                "name": "ServiceControlManager",
                "value": "0x292542431f0"
              },
              {
                "name": "ServiceName",
                "value": "NetSetupSvc"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000005",
                "pretty_value": "SERVICE_QUERY_CONFIG|SERVICE_QUERY_STATUS"
              }
            ],
            "repeated": 0,
            "id": 9476
          },
          {
            "timestamp": "2026-05-28 22:01:58,178",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "filesystem",
            "api": "CreateDirectoryW",
            "status": false,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "DirectoryName",
                "value": "C:\\Users\\admin"
              }
            ],
            "repeated": 0,
            "id": 9477
          },
          {
            "timestamp": "2026-05-28 22:01:58,178",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Users\\admin"
              }
            ],
            "repeated": 0,
            "id": 9478
          },
          {
            "timestamp": "2026-05-28 22:01:58,178",
            "thread_id": "5448",
            "caller": "0x7ff6c28d760f",
            "parentcaller": "0x7ff6c28d748b",
            "category": "services",
            "api": "OpenServiceW",
            "status": true,
            "return": "0x29254284100",
            "arguments": [
              {
                "name": "ServiceControlManager",
                "value": "0x292542431f0"
              },
              {
                "name": "ServiceName",
                "value": "NgcCtnrSvc"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000005",
                "pretty_value": "SERVICE_QUERY_CONFIG|SERVICE_QUERY_STATUS"
              }
            ],
            "repeated": 0,
            "id": 9479
          },
          {
            "timestamp": "2026-05-28 22:01:58,178",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 9480
          },
          {
            "timestamp": "2026-05-28 22:01:58,178",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "filesystem",
            "api": "CreateDirectoryW",
            "status": false,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "DirectoryName",
                "value": "C:\\Users\\admin\\AppData\\Local"
              }
            ],
            "repeated": 0,
            "id": 9481
          },
          {
            "timestamp": "2026-05-28 22:01:58,178",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Users\\admin\\AppData\\Local"
              }
            ],
            "repeated": 0,
            "id": 9482
          },
          {
            "timestamp": "2026-05-28 22:01:58,178",
            "thread_id": "5448",
            "caller": "0x7ff6c28d760f",
            "parentcaller": "0x7ff6c28d748b",
            "category": "services",
            "api": "OpenServiceW",
            "status": true,
            "return": "0x29254284730",
            "arguments": [
              {
                "name": "ServiceControlManager",
                "value": "0x292542431f0"
              },
              {
                "name": "ServiceName",
                "value": "NlaSvc"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000005",
                "pretty_value": "SERVICE_QUERY_CONFIG|SERVICE_QUERY_STATUS"
              }
            ],
            "repeated": 0,
            "id": 9483
          },
          {
            "timestamp": "2026-05-28 22:01:58,178",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 9484
          },
          {
            "timestamp": "2026-05-28 22:01:58,178",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "filesystem",
            "api": "CreateDirectoryW",
            "status": false,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "DirectoryName",
                "value": "C:\\Users\\admin\\AppData\\Local\\Microsoft\\Windows\\Explorer"
              }
            ],
            "repeated": 0,
            "id": 9485
          },
          {
            "timestamp": "2026-05-28 22:01:58,178",
            "thread_id": "5448",
            "caller": "0x7ff6c28d790a",
            "parentcaller": "0x7ff6c28d76df",
            "category": "misc",
            "api": "CommandLineToArgvW",
            "status": true,
            "return": "0x2925428c7c0",
            "arguments": [
              {
                "name": "CommandLine",
                "value": "C:\\Windows\\system32\\svchost.exe -k LocalService -p"
              },
              {
                "name": "NumArgs",
                "value": "4"
              }
            ],
            "repeated": 0,
            "id": 9486
          },
          {
            "timestamp": "2026-05-28 22:01:58,178",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000007bc"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000400",
                "pretty_value": "PROCESS_QUERY_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "7912"
              }
            ],
            "repeated": 0,
            "id": 9487
          },
          {
            "timestamp": "2026-05-28 22:01:58,178",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x000007b4"
              }
            ],
            "repeated": 0,
            "id": 9488
          },
          {
            "timestamp": "2026-05-28 22:01:58,178",
            "thread_id": "5448",
            "caller": "0x7ff6c28d760f",
            "parentcaller": "0x7ff6c28d748b",
            "category": "services",
            "api": "OpenServiceW",
            "status": true,
            "return": "0x29254284730",
            "arguments": [
              {
                "name": "ServiceControlManager",
                "value": "0x292542431f0"
              },
              {
                "name": "ServiceName",
                "value": "OneSyncSvc"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000005",
                "pretty_value": "SERVICE_QUERY_CONFIG|SERVICE_QUERY_STATUS"
              }
            ],
            "repeated": 0,
            "id": 9489
          },
          {
            "timestamp": "2026-05-28 22:01:58,178",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "`\\xdb\\x17\\x9e\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x92\\x02\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\xe9\\x03\\x00\\x00\\xfc\\x7f\\x00\\x00\\x02\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\xb8\\xe0\\x17\\x9e\\xf0\\x00\\x00\\x00+\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x1c\\x80\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x80\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x80\\x00\\x00\\x00\\x00\\x00\\x00\\x1c\\x80\\x00\\x00\\x00\\x00\\x00\\x00\\xc2T\\xbf3\\xfc\\x7f\\x00\\x00\\x00\\x80\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x80\\x00\\x00\\x00\\x00\\x00\\x00\n5\\xcfLu\\xc0\\x00\\x00\\x1c\\x80\\x00\\x00\\x00\\x00\\x00\\x00\\x88e._\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 9490
          },
          {
            "timestamp": "2026-05-28 22:01:58,178",
            "thread_id": "5448",
            "caller": "0x7ff6c28d790a",
            "parentcaller": "0x7ff6c28d76df",
            "category": "misc",
            "api": "CommandLineToArgvW",
            "status": true,
            "return": "0x29254220930",
            "arguments": [
              {
                "name": "CommandLine",
                "value": "C:\\Windows\\system32\\svchost.exe -k UnistackSvcGroup"
              },
              {
                "name": "NumArgs",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 9491
          },
          {
            "timestamp": "2026-05-28 22:01:58,178",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "synchronization",
            "api": "NtCreateMutant",
            "status": true,
            "return": "0x40000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000007b8"
              },
              {
                "name": "MutexName",
                "value": "Global\\C::Users:admin:AppData:Local:Microsoft:Windows:Explorer:iconcache_idx.db!rwWriterMutex"
              },
              {
                "name": "InitialOwner",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 9492
          },
          {
            "timestamp": "2026-05-28 22:01:58,178",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000007b4"
              }
            ],
            "repeated": 0,
            "id": 9493
          },
          {
            "timestamp": "2026-05-28 22:01:58,178",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000007bc"
              }
            ],
            "repeated": 0,
            "id": 9494
          },
          {
            "timestamp": "2026-05-28 22:01:58,178",
            "thread_id": "5448",
            "caller": "0x7ff6c28d760f",
            "parentcaller": "0x7ff6c28d748b",
            "category": "services",
            "api": "OpenServiceW",
            "status": true,
            "return": "0x29254283f20",
            "arguments": [
              {
                "name": "ServiceControlManager",
                "value": "0x292542431f0"
              },
              {
                "name": "ServiceName",
                "value": "p2pimsvc"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000005",
                "pretty_value": "SERVICE_QUERY_CONFIG|SERVICE_QUERY_STATUS"
              }
            ],
            "repeated": 0,
            "id": 9495
          },
          {
            "timestamp": "2026-05-28 22:01:58,178",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000007bc"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000400",
                "pretty_value": "PROCESS_QUERY_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "7912"
              }
            ],
            "repeated": 0,
            "id": 9496
          },
          {
            "timestamp": "2026-05-28 22:01:58,178",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x000007b4"
              }
            ],
            "repeated": 0,
            "id": 9497
          },
          {
            "timestamp": "2026-05-28 22:01:58,178",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "`\\xdb\\x17\\x9e\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x92\\x02\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\xe9\\x03\\x00\\x00\\xfc\\x7f\\x00\\x00\\x02\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\xb8\\xe0\\x17\\x9e\\xf0\\x00\\x00\\x00+\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x1c\\x80\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x80\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x80\\x00\\x00\\x00\\x00\\x00\\x00\\x1c\\x80\\x00\\x00\\x00\\x00\\x00\\x00\\xc2T\\xbf3\\xfc\\x7f\\x00\\x00\\x00\\x80\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x80\\x00\\x00\\x00\\x00\\x00\\x00\n5\\xcfLu\\xc0\\x00\\x00\\x1c\\x80\\x00\\x00\\x00\\x00\\x00\\x00\\x88e._\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 9498
          },
          {
            "timestamp": "2026-05-28 22:01:58,178",
            "thread_id": "5448",
            "caller": "0x7ff6c28d790a",
            "parentcaller": "0x7ff6c28d76df",
            "category": "misc",
            "api": "CommandLineToArgvW",
            "status": true,
            "return": "0x2925428cea0",
            "arguments": [
              {
                "name": "CommandLine",
                "value": "C:\\Windows\\System32\\svchost.exe -k LocalServicePeerNet"
              },
              {
                "name": "NumArgs",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 9499
          },
          {
            "timestamp": "2026-05-28 22:01:58,178",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "synchronization",
            "api": "NtCreateEvent",
            "status": true,
            "return": "0x40000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000007c0"
              },
              {
                "name": "EventName",
                "value": "Global\\C::Users:admin:AppData:Local:Microsoft:Windows:Explorer:iconcache_idx.db!rwWriterEvent"
              },
              {
                "name": "EventType",
                "value": "0"
              },
              {
                "name": "InitialState",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 9500
          },
          {
            "timestamp": "2026-05-28 22:01:58,178",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000007b4"
              }
            ],
            "repeated": 0,
            "id": 9501
          },
          {
            "timestamp": "2026-05-28 22:01:58,178",
            "thread_id": "5448",
            "caller": "0x7ff6c28d760f",
            "parentcaller": "0x7ff6c28d748b",
            "category": "services",
            "api": "OpenServiceW",
            "status": true,
            "return": "0x29254284130",
            "arguments": [
              {
                "name": "ServiceControlManager",
                "value": "0x292542431f0"
              },
              {
                "name": "ServiceName",
                "value": "p2psvc"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000005",
                "pretty_value": "SERVICE_QUERY_CONFIG|SERVICE_QUERY_STATUS"
              }
            ],
            "repeated": 0,
            "id": 9502
          },
          {
            "timestamp": "2026-05-28 22:01:58,178",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000007bc"
              }
            ],
            "repeated": 0,
            "id": 9503
          },
          {
            "timestamp": "2026-05-28 22:01:58,178",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000007bc"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000400",
                "pretty_value": "PROCESS_QUERY_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "7912"
              }
            ],
            "repeated": 0,
            "id": 9504
          },
          {
            "timestamp": "2026-05-28 22:01:58,178",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x000007b4"
              }
            ],
            "repeated": 0,
            "id": 9505
          },
          {
            "timestamp": "2026-05-28 22:01:58,178",
            "thread_id": "5448",
            "caller": "0x7ff6c28d790a",
            "parentcaller": "0x7ff6c28d76df",
            "category": "misc",
            "api": "CommandLineToArgvW",
            "status": true,
            "return": "0x2925428cea0",
            "arguments": [
              {
                "name": "CommandLine",
                "value": "C:\\Windows\\System32\\svchost.exe -k LocalServicePeerNet"
              },
              {
                "name": "NumArgs",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 9506
          },
          {
            "timestamp": "2026-05-28 22:01:58,178",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\x90\\xe2\\x17\\x9e\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\xe9\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xe0\\x19\\xecP\\x92\\x02\\x00\\x00;\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xecP\\x92\\x02\\x00\\x00\\xcc\\x02\\xecP\\x92\\x02\\x00\\x00\\x99\\xe3\\x17\\x9e\\xf0\\x00\\x00\\x00\\xb0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xc0\\x0c\\xecP\\x92\\x02\\x00\\x00~P\\xdc\\x81\\x8b\\xe9\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x9e\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 9507
          },
          {
            "timestamp": "2026-05-28 22:01:58,178",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "synchronization",
            "api": "NtCreateMutant",
            "status": true,
            "return": "0x40000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000007c4"
              },
              {
                "name": "MutexName",
                "value": "Global\\C::Users:admin:AppData:Local:Microsoft:Windows:Explorer:iconcache_16.db!dfMaintainer"
              },
              {
                "name": "InitialOwner",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 9508
          },
          {
            "timestamp": "2026-05-28 22:01:58,178",
            "thread_id": "5448",
            "caller": "0x7ff6c28d760f",
            "parentcaller": "0x7ff6c28d748b",
            "category": "services",
            "api": "OpenServiceW",
            "status": true,
            "return": "0x29254283fe0",
            "arguments": [
              {
                "name": "ServiceControlManager",
                "value": "0x292542431f0"
              },
              {
                "name": "ServiceName",
                "value": "PcaSvc"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000005",
                "pretty_value": "SERVICE_QUERY_CONFIG|SERVICE_QUERY_STATUS"
              }
            ],
            "repeated": 0,
            "id": 9509
          },
          {
            "timestamp": "2026-05-28 22:01:58,178",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000007b4"
              }
            ],
            "repeated": 0,
            "id": 9510
          },
          {
            "timestamp": "2026-05-28 22:01:58,178",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000007bc"
              }
            ],
            "repeated": 0,
            "id": 9511
          },
          {
            "timestamp": "2026-05-28 22:01:58,178",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000007bc"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000400",
                "pretty_value": "PROCESS_QUERY_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "7912"
              }
            ],
            "repeated": 0,
            "id": 9512
          },
          {
            "timestamp": "2026-05-28 22:01:58,178",
            "thread_id": "5448",
            "caller": "0x7ff6c28d790a",
            "parentcaller": "0x7ff6c28d76df",
            "category": "misc",
            "api": "CommandLineToArgvW",
            "status": true,
            "return": "0x29254233cf0",
            "arguments": [
              {
                "name": "CommandLine",
                "value": "C:\\Windows\\system32\\svchost.exe -k LocalSystemNetworkRestricted -p"
              },
              {
                "name": "NumArgs",
                "value": "4"
              }
            ],
            "repeated": 0,
            "id": 9513
          },
          {
            "timestamp": "2026-05-28 22:01:58,178",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x000007b4"
              }
            ],
            "repeated": 0,
            "id": 9514
          },
          {
            "timestamp": "2026-05-28 22:01:58,178",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\x90\\xe2\\x17\\x9e\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\xe9\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xe0\\x19\\xecP\\x92\\x02\\x00\\x00;\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xecP\\x92\\x02\\x00\\x00\\xcc\\x02\\xecP\\x92\\x02\\x00\\x00\\x99\\xe3\\x17\\x9e\\xf0\\x00\\x00\\x00\\xb0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xc0\\x0c\\xecP\\x92\\x02\\x00\\x00~P\\xdc\\x81\\x8b\\xe9\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x9e\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 9515
          },
          {
            "timestamp": "2026-05-28 22:01:58,178",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "synchronization",
            "api": "NtCreateMutant",
            "status": true,
            "return": "0x40000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000007c8"
              },
              {
                "name": "MutexName",
                "value": "Global\\C::Users:admin:AppData:Local:Microsoft:Windows:Explorer:iconcache_32.db!dfMaintainer"
              },
              {
                "name": "InitialOwner",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 9516
          },
          {
            "timestamp": "2026-05-28 22:01:58,178",
            "thread_id": "5448",
            "caller": "0x7ff6c28d760f",
            "parentcaller": "0x7ff6c28d748b",
            "category": "services",
            "api": "OpenServiceW",
            "status": true,
            "return": "0x29254283fe0",
            "arguments": [
              {
                "name": "ServiceControlManager",
                "value": "0x292542431f0"
              },
              {
                "name": "ServiceName",
                "value": "PeerDistSvc"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000005",
                "pretty_value": "SERVICE_QUERY_CONFIG|SERVICE_QUERY_STATUS"
              }
            ],
            "repeated": 0,
            "id": 9517
          },
          {
            "timestamp": "2026-05-28 22:01:58,178",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000007b4"
              }
            ],
            "repeated": 0,
            "id": 9518
          },
          {
            "timestamp": "2026-05-28 22:01:58,178",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000007bc"
              }
            ],
            "repeated": 0,
            "id": 9519
          },
          {
            "timestamp": "2026-05-28 22:01:58,178",
            "thread_id": "5448",
            "caller": "0x7ff6c28d790a",
            "parentcaller": "0x7ff6c28d76df",
            "category": "misc",
            "api": "CommandLineToArgvW",
            "status": true,
            "return": "0x292542901a0",
            "arguments": [
              {
                "name": "CommandLine",
                "value": "C:\\Windows\\System32\\svchost.exe -k PeerDist"
              },
              {
                "name": "NumArgs",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 9520
          },
          {
            "timestamp": "2026-05-28 22:01:58,178",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000007bc"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000400",
                "pretty_value": "PROCESS_QUERY_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "7912"
              }
            ],
            "repeated": 0,
            "id": 9521
          },
          {
            "timestamp": "2026-05-28 22:01:58,178",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x000007b4"
              }
            ],
            "repeated": 0,
            "id": 9522
          },
          {
            "timestamp": "2026-05-28 22:01:58,178",
            "thread_id": "5448",
            "caller": "0x7ff6c28d760f",
            "parentcaller": "0x7ff6c28d748b",
            "category": "services",
            "api": "OpenServiceW",
            "status": true,
            "return": "0x29254283fe0",
            "arguments": [
              {
                "name": "ServiceControlManager",
                "value": "0x292542431f0"
              },
              {
                "name": "ServiceName",
                "value": "perceptionsimulation"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000005",
                "pretty_value": "SERVICE_QUERY_CONFIG|SERVICE_QUERY_STATUS"
              }
            ],
            "repeated": 0,
            "id": 9523
          },
          {
            "timestamp": "2026-05-28 22:01:58,178",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\x90\\xe2\\x17\\x9e\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\xe9\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xe0\\x19\\xecP\\x92\\x02\\x00\\x00;\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xecP\\x92\\x02\\x00\\x00\\xcc\\x02\\xecP\\x92\\x02\\x00\\x00\\x99\\xe3\\x17\\x9e\\xf0\\x00\\x00\\x00\\xb0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xc0\\x0c\\xecP\\x92\\x02\\x00\\x00~P\\xdc\\x81\\x8b\\xe9\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x9e\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 9524
          },
          {
            "timestamp": "2026-05-28 22:01:58,178",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "synchronization",
            "api": "NtCreateMutant",
            "status": true,
            "return": "0x40000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000007cc"
              },
              {
                "name": "MutexName",
                "value": "Global\\C::Users:admin:AppData:Local:Microsoft:Windows:Explorer:iconcache_48.db!dfMaintainer"
              },
              {
                "name": "InitialOwner",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 9525
          },
          {
            "timestamp": "2026-05-28 22:01:58,178",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000007b4"
              }
            ],
            "repeated": 0,
            "id": 9526
          },
          {
            "timestamp": "2026-05-28 22:01:58,178",
            "thread_id": "5448",
            "caller": "0x7ff6c28d790a",
            "parentcaller": "0x7ff6c28d76df",
            "category": "misc",
            "api": "CommandLineToArgvW",
            "status": true,
            "return": "0x29254287030",
            "arguments": [
              {
                "name": "CommandLine",
                "value": "C:\\Windows\\system32\\PerceptionSimulation\\PerceptionSimulationService.exe"
              },
              {
                "name": "NumArgs",
                "value": "1"
              }
            ],
            "repeated": 0,
            "id": 9527
          },
          {
            "timestamp": "2026-05-28 22:01:58,178",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000007bc"
              }
            ],
            "repeated": 0,
            "id": 9528
          },
          {
            "timestamp": "2026-05-28 22:01:58,178",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254292000"
              },
              {
                "name": "RegionSize",
                "value": "0x00003000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 9529
          },
          {
            "timestamp": "2026-05-28 22:01:58,178",
            "thread_id": "8568",
            "caller": "0x7ffc77fde715",
            "parentcaller": "0x7ffc77fde37b",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254295000"
              },
              {
                "name": "RegionSize",
                "value": "0x00003000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 9530
          },
          {
            "timestamp": "2026-05-28 22:01:58,178",
            "thread_id": "5448",
            "caller": "0x7ff6c28d760f",
            "parentcaller": "0x7ff6c28d748b",
            "category": "services",
            "api": "OpenServiceW",
            "status": true,
            "return": "0x29254284fd0",
            "arguments": [
              {
                "name": "ServiceControlManager",
                "value": "0x292542431f0"
              },
              {
                "name": "ServiceName",
                "value": "PerfHost"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000005",
                "pretty_value": "SERVICE_QUERY_CONFIG|SERVICE_QUERY_STATUS"
              }
            ],
            "repeated": 0,
            "id": 9531
          },
          {
            "timestamp": "2026-05-28 22:01:58,178",
            "thread_id": "5448",
            "caller": "0x7ff6c28d790a",
            "parentcaller": "0x7ff6c28d76df",
            "category": "misc",
            "api": "CommandLineToArgvW",
            "status": true,
            "return": "0x29254280c00",
            "arguments": [
              {
                "name": "CommandLine",
                "value": "C:\\Windows\\SysWow64\\perfhost.exe"
              },
              {
                "name": "NumArgs",
                "value": "1"
              }
            ],
            "repeated": 0,
            "id": 9532
          },
          {
            "timestamp": "2026-05-28 22:01:58,178",
            "thread_id": "5448",
            "caller": "0x7ff6c28d760f",
            "parentcaller": "0x7ff6c28d748b",
            "category": "services",
            "api": "OpenServiceW",
            "status": true,
            "return": "0x29254284d90",
            "arguments": [
              {
                "name": "ServiceControlManager",
                "value": "0x292542431f0"
              },
              {
                "name": "ServiceName",
                "value": "PhoneSvc"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000005",
                "pretty_value": "SERVICE_QUERY_CONFIG|SERVICE_QUERY_STATUS"
              }
            ],
            "repeated": 0,
            "id": 9533
          },
          {
            "timestamp": "2026-05-28 22:01:58,178",
            "thread_id": "5448",
            "caller": "0x7ff6c28d790a",
            "parentcaller": "0x7ff6c28d76df",
            "category": "misc",
            "api": "CommandLineToArgvW",
            "status": true,
            "return": "0x2925428b350",
            "arguments": [
              {
                "name": "CommandLine",
                "value": "C:\\Windows\\system32\\svchost.exe -k LocalService -p"
              },
              {
                "name": "NumArgs",
                "value": "4"
              }
            ],
            "repeated": 0,
            "id": 9534
          },
          {
            "timestamp": "2026-05-28 22:01:58,178",
            "thread_id": "5448",
            "caller": "0x7ff6c28d760f",
            "parentcaller": "0x7ff6c28d748b",
            "category": "services",
            "api": "OpenServiceW",
            "status": true,
            "return": "0x29254284fa0",
            "arguments": [
              {
                "name": "ServiceControlManager",
                "value": "0x292542431f0"
              },
              {
                "name": "ServiceName",
                "value": "PimIndexMaintenanceSvc"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000005",
                "pretty_value": "SERVICE_QUERY_CONFIG|SERVICE_QUERY_STATUS"
              }
            ],
            "repeated": 0,
            "id": 9535
          },
          {
            "timestamp": "2026-05-28 22:01:58,178",
            "thread_id": "5448",
            "caller": "0x7ff6c28d790a",
            "parentcaller": "0x7ff6c28d76df",
            "category": "misc",
            "api": "CommandLineToArgvW",
            "status": true,
            "return": "0x292542208a0",
            "arguments": [
              {
                "name": "CommandLine",
                "value": "C:\\Windows\\system32\\svchost.exe -k UnistackSvcGroup"
              },
              {
                "name": "NumArgs",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 9536
          },
          {
            "timestamp": "2026-05-28 22:01:58,178",
            "thread_id": "8568",
            "caller": "0x7ffc7804507d",
            "parentcaller": "0x7ffc78044c43",
            "category": "threading",
            "api": "NtTestAlert",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 9537
          },
          {
            "timestamp": "2026-05-28 22:01:58,178",
            "thread_id": "8568",
            "caller": "0x00000000",
            "parentcaller": "0x00000000",
            "category": "threading",
            "api": "RtlUserThreadStart",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "StartAddress",
                "value": "0x7ff6c28df680"
              },
              {
                "name": "Parameter",
                "value": "0x2924e26cbe0"
              }
            ],
            "repeated": 0,
            "id": 9538
          },
          {
            "timestamp": "2026-05-28 22:01:58,178",
            "thread_id": "5448",
            "caller": "0x7ff6c28d760f",
            "parentcaller": "0x7ff6c28d748b",
            "category": "services",
            "api": "OpenServiceW",
            "status": true,
            "return": "0x292542847f0",
            "arguments": [
              {
                "name": "ServiceControlManager",
                "value": "0x292542431f0"
              },
              {
                "name": "ServiceName",
                "value": "pla"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000005",
                "pretty_value": "SERVICE_QUERY_CONFIG|SERVICE_QUERY_STATUS"
              }
            ],
            "repeated": 0,
            "id": 9539
          },
          {
            "timestamp": "2026-05-28 22:01:58,178",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000007d0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000400",
                "pretty_value": "PROCESS_QUERY_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "7912"
              }
            ],
            "repeated": 0,
            "id": 9540
          },
          {
            "timestamp": "2026-05-28 22:01:58,178",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x000007d4"
              }
            ],
            "repeated": 0,
            "id": 9541
          },
          {
            "timestamp": "2026-05-28 22:01:58,178",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\x90\\xe2\\x17\\x9e\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\xe9\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xe0\\x19\\xecP\\x92\\x02\\x00\\x00;\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xecP\\x92\\x02\\x00\\x00\\xcc\\x02\\xecP\\x92\\x02\\x00\\x00\\x99\\xe3\\x17\\x9e\\xf0\\x00\\x00\\x00\\xb0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xc0\\x0c\\xecP\\x92\\x02\\x00\\x00~P\\xdc\\x81\\x8b\\xe9\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x9e\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 9542
          },
          {
            "timestamp": "2026-05-28 22:01:58,178",
            "thread_id": "5448",
            "caller": "0x7ff6c28d790a",
            "parentcaller": "0x7ff6c28d76df",
            "category": "misc",
            "api": "CommandLineToArgvW",
            "status": true,
            "return": "0x29254289c30",
            "arguments": [
              {
                "name": "CommandLine",
                "value": "C:\\Windows\\System32\\svchost.exe -k LocalServiceNoNetwork -p"
              },
              {
                "name": "NumArgs",
                "value": "4"
              }
            ],
            "repeated": 0,
            "id": 9543
          },
          {
            "timestamp": "2026-05-28 22:01:58,178",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "synchronization",
            "api": "NtCreateMutant",
            "status": true,
            "return": "0x40000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000007d8"
              },
              {
                "name": "MutexName",
                "value": "Global\\C::Users:admin:AppData:Local:Microsoft:Windows:Explorer:iconcache_96.db!dfMaintainer"
              },
              {
                "name": "InitialOwner",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 9544
          },
          {
            "timestamp": "2026-05-28 22:01:58,178",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000007d4"
              }
            ],
            "repeated": 0,
            "id": 9545
          },
          {
            "timestamp": "2026-05-28 22:01:58,178",
            "thread_id": "5448",
            "caller": "0x7ff6c28d760f",
            "parentcaller": "0x7ff6c28d748b",
            "category": "services",
            "api": "OpenServiceW",
            "status": true,
            "return": "0x29254284eb0",
            "arguments": [
              {
                "name": "ServiceControlManager",
                "value": "0x292542431f0"
              },
              {
                "name": "ServiceName",
                "value": "PlugPlay"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000005",
                "pretty_value": "SERVICE_QUERY_CONFIG|SERVICE_QUERY_STATUS"
              }
            ],
            "repeated": 0,
            "id": 9546
          },
          {
            "timestamp": "2026-05-28 22:01:58,178",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000007d0"
              }
            ],
            "repeated": 0,
            "id": 9547
          },
          {
            "timestamp": "2026-05-28 22:01:58,178",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000007d0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000400",
                "pretty_value": "PROCESS_QUERY_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "7912"
              }
            ],
            "repeated": 0,
            "id": 9548
          },
          {
            "timestamp": "2026-05-28 22:01:58,178",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x000007d4"
              }
            ],
            "repeated": 0,
            "id": 9549
          },
          {
            "timestamp": "2026-05-28 22:01:58,178",
            "thread_id": "5448",
            "caller": "0x7ff6c28d790a",
            "parentcaller": "0x7ff6c28d76df",
            "category": "misc",
            "api": "CommandLineToArgvW",
            "status": true,
            "return": "0x29254182650",
            "arguments": [
              {
                "name": "CommandLine",
                "value": "C:\\Windows\\system32\\svchost.exe -k DcomLaunch -p"
              },
              {
                "name": "NumArgs",
                "value": "4"
              }
            ],
            "repeated": 0,
            "id": 9550
          },
          {
            "timestamp": "2026-05-28 22:01:58,178",
            "thread_id": "1276",
            "caller": "0x7ffc756e54eb",
            "parentcaller": "0x7ffc5f2ae525",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\x90\\xe2\\x17\\x9e\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\xe9\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xe0\\x19\\xecP\\x92\\x02\\x00\\x00;\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xecP\\x92\\x02\\x00\\x00\\xcc\\x02\\xecP\\x92\\x02\\x00\\x00\\x99\\xe3\\x17\\x9e\\xf0\\x00\\x00\\x00\\xb0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xc0\\x0c\\xecP\\x92\\x02\\x00\\x00~P\\xdc\\x81\\x8b\\xe9\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x9e\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 9551
          },
          {
            "timestamp": "2026-05-28 22:01:58,178",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "synchronization",
            "api": "NtCreateMutant",
            "status": true,
            "return": "0x40000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000007dc"
              },
              {
                "name": "MutexName",
                "value": "Global\\C::Users:admin:AppData:Local:Microsoft:Windows:Explorer:iconcache_256.db!dfMaintainer"
              },
              {
                "name": "InitialOwner",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 9552
          },
          {
            "timestamp": "2026-05-28 22:01:58,178",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000007d4"
              }
            ],
            "repeated": 0,
            "id": 9553
          },
          {
            "timestamp": "2026-05-28 22:01:58,178",
            "thread_id": "5448",
            "caller": "0x7ff6c28d760f",
            "parentcaller": "0x7ff6c28d748b",
            "category": "services",
            "api": "OpenServiceW",
            "status": true,
            "return": "0x29254285120",
            "arguments": [
              {
                "name": "ServiceControlManager",
                "value": "0x292542431f0"
              },
              {
                "name": "ServiceName",
                "value": "PNRPAutoReg"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000005",
                "pretty_value": "SERVICE_QUERY_CONFIG|SERVICE_QUERY_STATUS"
              }
            ],
            "repeated": 0,
            "id": 9554
          },
          {
            "timestamp": "2026-05-28 22:01:58,178",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000007d0"
              }
            ],
            "repeated": 0,
            "id": 9555
          },
          {
            "timestamp": "2026-05-28 22:01:58,178",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000007d0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000400",
                "pretty_value": "PROCESS_QUERY_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "7912"
              }
            ],
            "repeated": 0,
            "id": 9556
          },
          {
            "timestamp": "2026-05-28 22:01:58,178",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x000007d4"
              }
            ],
            "repeated": 0,
            "id": 9557
          },
          {
            "timestamp": "2026-05-28 22:01:58,178",
            "thread_id": "5448",
            "caller": "0x7ff6c28d790a",
            "parentcaller": "0x7ff6c28d76df",
            "category": "misc",
            "api": "CommandLineToArgvW",
            "status": true,
            "return": "0x292541825b0",
            "arguments": [
              {
                "name": "CommandLine",
                "value": "C:\\Windows\\System32\\svchost.exe -k LocalServicePeerNet"
              },
              {
                "name": "NumArgs",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 9558
          },
          {
            "timestamp": "2026-05-28 22:01:58,178",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\x90\\xe2\\x17\\x9e\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\xe9\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xe0\\x19\\xecP\\x92\\x02\\x00\\x00;\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xecP\\x92\\x02\\x00\\x00\\xcc\\x02\\xecP\\x92\\x02\\x00\\x00\\x99\\xe3\\x17\\x9e\\xf0\\x00\\x00\\x00\\xb0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xc0\\x0c\\xecP\\x92\\x02\\x00\\x00~P\\xdc\\x81\\x8b\\xe9\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x9e\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 9559
          },
          {
            "timestamp": "2026-05-28 22:01:58,178",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "synchronization",
            "api": "NtCreateMutant",
            "status": true,
            "return": "0x40000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000007e0"
              },
              {
                "name": "MutexName",
                "value": "Global\\C::Users:admin:AppData:Local:Microsoft:Windows:Explorer:iconcache_768.db!dfMaintainer"
              },
              {
                "name": "InitialOwner",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 9560
          },
          {
            "timestamp": "2026-05-28 22:01:58,178",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000007d4"
              }
            ],
            "repeated": 0,
            "id": 9561
          },
          {
            "timestamp": "2026-05-28 22:01:58,178",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000007d0"
              }
            ],
            "repeated": 0,
            "id": 9562
          },
          {
            "timestamp": "2026-05-28 22:01:58,178",
            "thread_id": "5448",
            "caller": "0x7ff6c28d760f",
            "parentcaller": "0x7ff6c28d748b",
            "category": "services",
            "api": "OpenServiceW",
            "status": true,
            "return": "0x29254285000",
            "arguments": [
              {
                "name": "ServiceControlManager",
                "value": "0x292542431f0"
              },
              {
                "name": "ServiceName",
                "value": "PNRPsvc"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000005",
                "pretty_value": "SERVICE_QUERY_CONFIG|SERVICE_QUERY_STATUS"
              }
            ],
            "repeated": 0,
            "id": 9563
          },
          {
            "timestamp": "2026-05-28 22:01:58,178",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000007d0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000400",
                "pretty_value": "PROCESS_QUERY_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "7912"
              }
            ],
            "repeated": 0,
            "id": 9564
          },
          {
            "timestamp": "2026-05-28 22:01:58,178",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x000007d4"
              }
            ],
            "repeated": 0,
            "id": 9565
          },
          {
            "timestamp": "2026-05-28 22:01:58,178",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\x90\\xe2\\x17\\x9e\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\xe9\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xe0\\x19\\xecP\\x92\\x02\\x00\\x00;\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xecP\\x92\\x02\\x00\\x00\\xcc\\x02\\xecP\\x92\\x02\\x00\\x00\\x99\\xe3\\x17\\x9e\\xf0\\x00\\x00\\x00\\xb0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xc0\\x0c\\xecP\\x92\\x02\\x00\\x00~P\\xdc\\x81\\x8b\\xe9\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x9e\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 9566
          },
          {
            "timestamp": "2026-05-28 22:01:58,178",
            "thread_id": "5448",
            "caller": "0x7ff6c28d790a",
            "parentcaller": "0x7ff6c28d76df",
            "category": "misc",
            "api": "CommandLineToArgvW",
            "status": true,
            "return": "0x292541828d0",
            "arguments": [
              {
                "name": "CommandLine",
                "value": "C:\\Windows\\System32\\svchost.exe -k LocalServicePeerNet"
              },
              {
                "name": "NumArgs",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 9567
          },
          {
            "timestamp": "2026-05-28 22:01:58,178",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "synchronization",
            "api": "NtCreateMutant",
            "status": true,
            "return": "0x40000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000007e4"
              },
              {
                "name": "MutexName",
                "value": "Global\\C::Users:admin:AppData:Local:Microsoft:Windows:Explorer:iconcache_1280.db!dfMaintainer"
              },
              {
                "name": "InitialOwner",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 9568
          },
          {
            "timestamp": "2026-05-28 22:01:58,178",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000007d4"
              }
            ],
            "repeated": 0,
            "id": 9569
          },
          {
            "timestamp": "2026-05-28 22:01:58,178",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000007d0"
              }
            ],
            "repeated": 0,
            "id": 9570
          },
          {
            "timestamp": "2026-05-28 22:01:58,178",
            "thread_id": "5448",
            "caller": "0x7ff6c28d760f",
            "parentcaller": "0x7ff6c28d748b",
            "category": "services",
            "api": "OpenServiceW",
            "status": true,
            "return": "0x29254284820",
            "arguments": [
              {
                "name": "ServiceControlManager",
                "value": "0x292542431f0"
              },
              {
                "name": "ServiceName",
                "value": "PolicyAgent"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000005",
                "pretty_value": "SERVICE_QUERY_CONFIG|SERVICE_QUERY_STATUS"
              }
            ],
            "repeated": 0,
            "id": 9571
          },
          {
            "timestamp": "2026-05-28 22:01:58,178",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000007d0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000400",
                "pretty_value": "PROCESS_QUERY_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "7912"
              }
            ],
            "repeated": 0,
            "id": 9572
          },
          {
            "timestamp": "2026-05-28 22:01:58,178",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x000007d4"
              }
            ],
            "repeated": 0,
            "id": 9573
          },
          {
            "timestamp": "2026-05-28 22:01:58,178",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\x90\\xe2\\x17\\x9e\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\xe9\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xe0\\x19\\xecP\\x92\\x02\\x00\\x00;\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xecP\\x92\\x02\\x00\\x00\\xcc\\x02\\xecP\\x92\\x02\\x00\\x00\\x99\\xe3\\x17\\x9e\\xf0\\x00\\x00\\x00\\xb0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xc0\\x0c\\xecP\\x92\\x02\\x00\\x00~P\\xdc\\x81\\x8b\\xe9\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x9e\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 9574
          },
          {
            "timestamp": "2026-05-28 22:01:58,178",
            "thread_id": "5448",
            "caller": "0x7ff6c28d790a",
            "parentcaller": "0x7ff6c28d76df",
            "category": "misc",
            "api": "CommandLineToArgvW",
            "status": true,
            "return": "0x292542340b0",
            "arguments": [
              {
                "name": "CommandLine",
                "value": "C:\\Windows\\system32\\svchost.exe -k NetworkServiceNetworkRestricted -p"
              },
              {
                "name": "NumArgs",
                "value": "4"
              }
            ],
            "repeated": 0,
            "id": 9575
          },
          {
            "timestamp": "2026-05-28 22:01:58,178",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "synchronization",
            "api": "NtCreateMutant",
            "status": true,
            "return": "0x40000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000007e8"
              },
              {
                "name": "MutexName",
                "value": "Global\\C::Users:admin:AppData:Local:Microsoft:Windows:Explorer:iconcache_1920.db!dfMaintainer"
              },
              {
                "name": "InitialOwner",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 9576
          },
          {
            "timestamp": "2026-05-28 22:01:58,178",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000007d4"
              }
            ],
            "repeated": 0,
            "id": 9577
          },
          {
            "timestamp": "2026-05-28 22:01:58,178",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000007d0"
              }
            ],
            "repeated": 0,
            "id": 9578
          },
          {
            "timestamp": "2026-05-28 22:01:58,178",
            "thread_id": "5448",
            "caller": "0x7ff6c28d760f",
            "parentcaller": "0x7ff6c28d748b",
            "category": "services",
            "api": "OpenServiceW",
            "status": true,
            "return": "0x29254284bb0",
            "arguments": [
              {
                "name": "ServiceControlManager",
                "value": "0x292542431f0"
              },
              {
                "name": "ServiceName",
                "value": "Power"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000005",
                "pretty_value": "SERVICE_QUERY_CONFIG|SERVICE_QUERY_STATUS"
              }
            ],
            "repeated": 0,
            "id": 9579
          },
          {
            "timestamp": "2026-05-28 22:01:58,178",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000007d0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000400",
                "pretty_value": "PROCESS_QUERY_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "7912"
              }
            ],
            "repeated": 0,
            "id": 9580
          },
          {
            "timestamp": "2026-05-28 22:01:58,178",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x000007d4"
              }
            ],
            "repeated": 0,
            "id": 9581
          },
          {
            "timestamp": "2026-05-28 22:01:58,178",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\x90\\xe2\\x17\\x9e\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\xe9\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xe0\\x19\\xecP\\x92\\x02\\x00\\x00;\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xecP\\x92\\x02\\x00\\x00\\xcc\\x02\\xecP\\x92\\x02\\x00\\x00\\x99\\xe3\\x17\\x9e\\xf0\\x00\\x00\\x00\\xb0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xc0\\x0c\\xecP\\x92\\x02\\x00\\x00~P\\xdc\\x81\\x8b\\xe9\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x9e\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 9582
          },
          {
            "timestamp": "2026-05-28 22:01:58,178",
            "thread_id": "5448",
            "caller": "0x7ff6c28d790a",
            "parentcaller": "0x7ff6c28d76df",
            "category": "misc",
            "api": "CommandLineToArgvW",
            "status": true,
            "return": "0x29254181110",
            "arguments": [
              {
                "name": "CommandLine",
                "value": "C:\\Windows\\system32\\svchost.exe -k DcomLaunch -p"
              },
              {
                "name": "NumArgs",
                "value": "4"
              }
            ],
            "repeated": 0,
            "id": 9583
          },
          {
            "timestamp": "2026-05-28 22:01:58,178",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "synchronization",
            "api": "NtCreateMutant",
            "status": true,
            "return": "0x40000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000007ec"
              },
              {
                "name": "MutexName",
                "value": "Global\\C::Users:admin:AppData:Local:Microsoft:Windows:Explorer:iconcache_2560.db!dfMaintainer"
              },
              {
                "name": "InitialOwner",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 9584
          },
          {
            "timestamp": "2026-05-28 22:01:58,178",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000007d4"
              }
            ],
            "repeated": 0,
            "id": 9585
          },
          {
            "timestamp": "2026-05-28 22:01:58,178",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000007d0"
              }
            ],
            "repeated": 0,
            "id": 9586
          },
          {
            "timestamp": "2026-05-28 22:01:58,178",
            "thread_id": "5448",
            "caller": "0x7ff6c28d760f",
            "parentcaller": "0x7ff6c28d748b",
            "category": "services",
            "api": "OpenServiceW",
            "status": true,
            "return": "0x29254285090",
            "arguments": [
              {
                "name": "ServiceControlManager",
                "value": "0x292542431f0"
              },
              {
                "name": "ServiceName",
                "value": "PrintNotify"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000005",
                "pretty_value": "SERVICE_QUERY_CONFIG|SERVICE_QUERY_STATUS"
              }
            ],
            "repeated": 0,
            "id": 9587
          },
          {
            "timestamp": "2026-05-28 22:01:58,178",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000007d0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000400",
                "pretty_value": "PROCESS_QUERY_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "7912"
              }
            ],
            "repeated": 0,
            "id": 9588
          },
          {
            "timestamp": "2026-05-28 22:01:58,178",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x000007d4"
              }
            ],
            "repeated": 0,
            "id": 9589
          },
          {
            "timestamp": "2026-05-28 22:01:58,178",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\x90\\xe2\\x17\\x9e\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\xe9\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xe0\\x19\\xecP\\x92\\x02\\x00\\x00;\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xecP\\x92\\x02\\x00\\x00\\xcc\\x02\\xecP\\x92\\x02\\x00\\x00\\x99\\xe3\\x17\\x9e\\xf0\\x00\\x00\\x00\\xb0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xc0\\x0c\\xecP\\x92\\x02\\x00\\x00~P\\xdc\\x81\\x8b\\xe9\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x9e\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 9590
          },
          {
            "timestamp": "2026-05-28 22:01:58,178",
            "thread_id": "5448",
            "caller": "0x7ff6c28d790a",
            "parentcaller": "0x7ff6c28d76df",
            "category": "misc",
            "api": "CommandLineToArgvW",
            "status": true,
            "return": "0x2925428fca0",
            "arguments": [
              {
                "name": "CommandLine",
                "value": "C:\\Windows\\system32\\svchost.exe -k print"
              },
              {
                "name": "NumArgs",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 9591
          },
          {
            "timestamp": "2026-05-28 22:01:58,178",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "synchronization",
            "api": "NtCreateMutant",
            "status": true,
            "return": "0x40000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000007f0"
              },
              {
                "name": "MutexName",
                "value": "Global\\C::Users:admin:AppData:Local:Microsoft:Windows:Explorer:iconcache_sr.db!dfMaintainer"
              },
              {
                "name": "InitialOwner",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 9592
          },
          {
            "timestamp": "2026-05-28 22:01:58,178",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000007d4"
              }
            ],
            "repeated": 0,
            "id": 9593
          },
          {
            "timestamp": "2026-05-28 22:01:58,178",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000007d0"
              }
            ],
            "repeated": 0,
            "id": 9594
          },
          {
            "timestamp": "2026-05-28 22:01:58,178",
            "thread_id": "5448",
            "caller": "0x7ff6c28d760f",
            "parentcaller": "0x7ff6c28d748b",
            "category": "services",
            "api": "OpenServiceW",
            "status": true,
            "return": "0x29254285360",
            "arguments": [
              {
                "name": "ServiceControlManager",
                "value": "0x292542431f0"
              },
              {
                "name": "ServiceName",
                "value": "PrintWorkflowUserSvc"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000005",
                "pretty_value": "SERVICE_QUERY_CONFIG|SERVICE_QUERY_STATUS"
              }
            ],
            "repeated": 0,
            "id": 9595
          },
          {
            "timestamp": "2026-05-28 22:01:58,178",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000007d0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000400",
                "pretty_value": "PROCESS_QUERY_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "7912"
              }
            ],
            "repeated": 0,
            "id": 9596
          },
          {
            "timestamp": "2026-05-28 22:01:58,178",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x000007d4"
              }
            ],
            "repeated": 0,
            "id": 9597
          },
          {
            "timestamp": "2026-05-28 22:01:58,178",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\x90\\xe2\\x17\\x9e\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\xe9\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xe0\\x19\\xecP\\x92\\x02\\x00\\x00;\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xecP\\x92\\x02\\x00\\x00\\xcc\\x02\\xecP\\x92\\x02\\x00\\x00\\x99\\xe3\\x17\\x9e\\xf0\\x00\\x00\\x00\\xb0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xc0\\x0c\\xecP\\x92\\x02\\x00\\x00~P\\xdc\\x81\\x8b\\xe9\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x9e\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 9598
          },
          {
            "timestamp": "2026-05-28 22:01:58,178",
            "thread_id": "5448",
            "caller": "0x7ff6c28d790a",
            "parentcaller": "0x7ff6c28d76df",
            "category": "misc",
            "api": "CommandLineToArgvW",
            "status": true,
            "return": "0x2925421fa90",
            "arguments": [
              {
                "name": "CommandLine",
                "value": "C:\\Windows\\system32\\svchost.exe -k PrintWorkflow"
              },
              {
                "name": "NumArgs",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 9599
          },
          {
            "timestamp": "2026-05-28 22:01:58,178",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "synchronization",
            "api": "NtCreateMutant",
            "status": true,
            "return": "0x40000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000007f4"
              },
              {
                "name": "MutexName",
                "value": "Global\\C::Users:admin:AppData:Local:Microsoft:Windows:Explorer:iconcache_wide.db!dfMaintainer"
              },
              {
                "name": "InitialOwner",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 9600
          },
          {
            "timestamp": "2026-05-28 22:01:58,178",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000007d4"
              }
            ],
            "repeated": 0,
            "id": 9601
          },
          {
            "timestamp": "2026-05-28 22:01:58,178",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000007d0"
              }
            ],
            "repeated": 0,
            "id": 9602
          },
          {
            "timestamp": "2026-05-28 22:01:58,178",
            "thread_id": "5448",
            "caller": "0x7ff6c28d760f",
            "parentcaller": "0x7ff6c28d748b",
            "category": "services",
            "api": "OpenServiceW",
            "status": true,
            "return": "0x29254284d90",
            "arguments": [
              {
                "name": "ServiceControlManager",
                "value": "0x292542431f0"
              },
              {
                "name": "ServiceName",
                "value": "ProfSvc"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000005",
                "pretty_value": "SERVICE_QUERY_CONFIG|SERVICE_QUERY_STATUS"
              }
            ],
            "repeated": 0,
            "id": 9603
          },
          {
            "timestamp": "2026-05-28 22:01:58,178",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000007d0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000400",
                "pretty_value": "PROCESS_QUERY_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "7912"
              }
            ],
            "repeated": 0,
            "id": 9604
          },
          {
            "timestamp": "2026-05-28 22:01:58,178",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x000007d4"
              }
            ],
            "repeated": 0,
            "id": 9605
          },
          {
            "timestamp": "2026-05-28 22:01:58,178",
            "thread_id": "5448",
            "caller": "0x7ff6c28d790a",
            "parentcaller": "0x7ff6c28d76df",
            "category": "misc",
            "api": "CommandLineToArgvW",
            "status": true,
            "return": "0x2925421fa90",
            "arguments": [
              {
                "name": "CommandLine",
                "value": "C:\\Windows\\system32\\svchost.exe -k netsvcs -p"
              },
              {
                "name": "NumArgs",
                "value": "4"
              }
            ],
            "repeated": 0,
            "id": 9606
          },
          {
            "timestamp": "2026-05-28 22:01:58,178",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\x90\\xe2\\x17\\x9e\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\xe9\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xe0\\x19\\xecP\\x92\\x02\\x00\\x00;\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xecP\\x92\\x02\\x00\\x00\\xcc\\x02\\xecP\\x92\\x02\\x00\\x00\\x99\\xe3\\x17\\x9e\\xf0\\x00\\x00\\x00\\xb0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xc0\\x0c\\xecP\\x92\\x02\\x00\\x00~P\\xdc\\x81\\x8b\\xe9\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x9e\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 9607
          },
          {
            "timestamp": "2026-05-28 22:01:58,178",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "synchronization",
            "api": "NtCreateMutant",
            "status": true,
            "return": "0x40000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000007f8"
              },
              {
                "name": "MutexName",
                "value": "Global\\C::Users:admin:AppData:Local:Microsoft:Windows:Explorer:iconcache_exif.db!dfMaintainer"
              },
              {
                "name": "InitialOwner",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 9608
          },
          {
            "timestamp": "2026-05-28 22:01:58,178",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000007d4"
              }
            ],
            "repeated": 0,
            "id": 9609
          },
          {
            "timestamp": "2026-05-28 22:01:58,178",
            "thread_id": "5448",
            "caller": "0x7ff6c28d760f",
            "parentcaller": "0x7ff6c28d748b",
            "category": "services",
            "api": "OpenServiceW",
            "status": true,
            "return": "0x292542848b0",
            "arguments": [
              {
                "name": "ServiceControlManager",
                "value": "0x292542431f0"
              },
              {
                "name": "ServiceName",
                "value": "PushToInstall"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000005",
                "pretty_value": "SERVICE_QUERY_CONFIG|SERVICE_QUERY_STATUS"
              }
            ],
            "repeated": 0,
            "id": 9610
          },
          {
            "timestamp": "2026-05-28 22:01:58,178",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000007d0"
              }
            ],
            "repeated": 0,
            "id": 9611
          },
          {
            "timestamp": "2026-05-28 22:01:58,178",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000007d0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000400",
                "pretty_value": "PROCESS_QUERY_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "7912"
              }
            ],
            "repeated": 0,
            "id": 9612
          },
          {
            "timestamp": "2026-05-28 22:01:58,178",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x000007d4"
              }
            ],
            "repeated": 0,
            "id": 9613
          },
          {
            "timestamp": "2026-05-28 22:01:58,178",
            "thread_id": "5448",
            "caller": "0x7ff6c28d790a",
            "parentcaller": "0x7ff6c28d76df",
            "category": "misc",
            "api": "CommandLineToArgvW",
            "status": true,
            "return": "0x2925421fa90",
            "arguments": [
              {
                "name": "CommandLine",
                "value": "C:\\Windows\\System32\\svchost.exe -k netsvcs -p"
              },
              {
                "name": "NumArgs",
                "value": "4"
              }
            ],
            "repeated": 0,
            "id": 9614
          },
          {
            "timestamp": "2026-05-28 22:01:58,178",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\x90\\xe2\\x17\\x9e\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\xe9\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xe0\\x19\\xecP\\x92\\x02\\x00\\x00;\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xecP\\x92\\x02\\x00\\x00\\xcc\\x02\\xecP\\x92\\x02\\x00\\x00\\x99\\xe3\\x17\\x9e\\xf0\\x00\\x00\\x00\\xb0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xc0\\x0c\\xecP\\x92\\x02\\x00\\x00~P\\xdc\\x81\\x8b\\xe9\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x9e\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 9615
          },
          {
            "timestamp": "2026-05-28 22:01:58,178",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "synchronization",
            "api": "NtCreateMutant",
            "status": true,
            "return": "0x40000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000007fc"
              },
              {
                "name": "MutexName",
                "value": "Global\\C::Users:admin:AppData:Local:Microsoft:Windows:Explorer:iconcache_wide_alternate.db!dfMaintainer"
              },
              {
                "name": "InitialOwner",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 9616
          },
          {
            "timestamp": "2026-05-28 22:01:58,178",
            "thread_id": "5448",
            "caller": "0x7ff6c28d760f",
            "parentcaller": "0x7ff6c28d748b",
            "category": "services",
            "api": "OpenServiceW",
            "status": true,
            "return": "0x292542852d0",
            "arguments": [
              {
                "name": "ServiceControlManager",
                "value": "0x292542431f0"
              },
              {
                "name": "ServiceName",
                "value": "QWAVE"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000005",
                "pretty_value": "SERVICE_QUERY_CONFIG|SERVICE_QUERY_STATUS"
              }
            ],
            "repeated": 0,
            "id": 9617
          },
          {
            "timestamp": "2026-05-28 22:01:58,178",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000007d4"
              }
            ],
            "repeated": 0,
            "id": 9618
          },
          {
            "timestamp": "2026-05-28 22:01:58,178",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000007d0"
              }
            ],
            "repeated": 0,
            "id": 9619
          },
          {
            "timestamp": "2026-05-28 22:01:58,178",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000007d0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000400",
                "pretty_value": "PROCESS_QUERY_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "7912"
              }
            ],
            "repeated": 0,
            "id": 9620
          },
          {
            "timestamp": "2026-05-28 22:01:58,178",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x000007d4"
              }
            ],
            "repeated": 0,
            "id": 9621
          },
          {
            "timestamp": "2026-05-28 22:01:58,178",
            "thread_id": "5448",
            "caller": "0x7ff6c28d790a",
            "parentcaller": "0x7ff6c28d76df",
            "category": "misc",
            "api": "CommandLineToArgvW",
            "status": true,
            "return": "0x29254234a70",
            "arguments": [
              {
                "name": "CommandLine",
                "value": "C:\\Windows\\system32\\svchost.exe -k LocalServiceAndNoImpersonation -p"
              },
              {
                "name": "NumArgs",
                "value": "4"
              }
            ],
            "repeated": 0,
            "id": 9622
          },
          {
            "timestamp": "2026-05-28 22:01:58,178",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\x90\\xe2\\x17\\x9e\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\xe9\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xe0\\x19\\xecP\\x92\\x02\\x00\\x00;\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xecP\\x92\\x02\\x00\\x00\\xcc\\x02\\xecP\\x92\\x02\\x00\\x00\\x99\\xe3\\x17\\x9e\\xf0\\x00\\x00\\x00\\xb0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xc0\\x0c\\xecP\\x92\\x02\\x00\\x00~P\\xdc\\x81\\x8b\\xe9\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x9e\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 9623
          },
          {
            "timestamp": "2026-05-28 22:01:58,178",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "synchronization",
            "api": "NtCreateMutant",
            "status": true,
            "return": "0x40000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000007bc"
              },
              {
                "name": "MutexName",
                "value": "Global\\C::Users:admin:AppData:Local:Microsoft:Windows:Explorer:iconcache_custom_stream.db!dfMaintainer"
              },
              {
                "name": "InitialOwner",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 9624
          },
          {
            "timestamp": "2026-05-28 22:01:58,178",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000007d4"
              }
            ],
            "repeated": 0,
            "id": 9625
          },
          {
            "timestamp": "2026-05-28 22:01:58,178",
            "thread_id": "5448",
            "caller": "0x7ff6c28d760f",
            "parentcaller": "0x7ff6c28d748b",
            "category": "services",
            "api": "OpenServiceW",
            "status": true,
            "return": "0x29254284d00",
            "arguments": [
              {
                "name": "ServiceControlManager",
                "value": "0x292542431f0"
              },
              {
                "name": "ServiceName",
                "value": "RasAuto"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000005",
                "pretty_value": "SERVICE_QUERY_CONFIG|SERVICE_QUERY_STATUS"
              }
            ],
            "repeated": 0,
            "id": 9626
          },
          {
            "timestamp": "2026-05-28 22:01:58,178",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000007d0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000400",
                "pretty_value": "PROCESS_QUERY_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "7912"
              }
            ],
            "repeated": 0,
            "id": 9627
          },
          {
            "timestamp": "2026-05-28 22:01:58,178",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x000007d4"
              }
            ],
            "repeated": 0,
            "id": 9628
          },
          {
            "timestamp": "2026-05-28 22:01:58,178",
            "thread_id": "5448",
            "caller": "0x7ff6c28d790a",
            "parentcaller": "0x7ff6c28d76df",
            "category": "misc",
            "api": "CommandLineToArgvW",
            "status": true,
            "return": "0x2925421fd60",
            "arguments": [
              {
                "name": "CommandLine",
                "value": "C:\\Windows\\System32\\svchost.exe -k netsvcs -p"
              },
              {
                "name": "NumArgs",
                "value": "4"
              }
            ],
            "repeated": 0,
            "id": 9629
          },
          {
            "timestamp": "2026-05-28 22:01:58,178",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xb0\\xe3\\x17\\x9e\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00o\\x00m\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\xe9\\x03\\x00\\x00\\x00\\x00\\x00\\x00#\\xed\\xc2^\\\\x06\\x00\\x00p\\xea\\x17\\x9e\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x88e._\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x008\\xf0\\x17\\x9e\\xf0\\x00\\x00\\x00p\\xc3\\xe8S\\x92\\x02\\x00\\x00\\xc0\\xe4\\x17\\x9e\\xf0\\x00\\x00\\x00\\x04\\x01\\x00\\x00\\x00\\x00\\x00\\x00`\\xaa._\\xfc\\x7f\\x00\\x00\\xa71+_\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x06\\x02\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 9630
          },
          {
            "timestamp": "2026-05-28 22:01:58,178",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "synchronization",
            "api": "NtCreateMutant",
            "status": true,
            "return": "0x40000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000007b4"
              },
              {
                "name": "MutexName",
                "value": "Global\\C::Users:admin:AppData:Local:Microsoft:Windows:Explorer:iconcache_idx.db!IconCacheInit"
              },
              {
                "name": "InitialOwner",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 9631
          },
          {
            "timestamp": "2026-05-28 22:01:58,178",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000007d4"
              }
            ],
            "repeated": 0,
            "id": 9632
          },
          {
            "timestamp": "2026-05-28 22:01:58,178",
            "thread_id": "5448",
            "caller": "0x7ff6c28d760f",
            "parentcaller": "0x7ff6c28d748b",
            "category": "services",
            "api": "OpenServiceW",
            "status": true,
            "return": "0x29254284d60",
            "arguments": [
              {
                "name": "ServiceControlManager",
                "value": "0x292542431f0"
              },
              {
                "name": "ServiceName",
                "value": "RasMan"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000005",
                "pretty_value": "SERVICE_QUERY_CONFIG|SERVICE_QUERY_STATUS"
              }
            ],
            "repeated": 0,
            "id": 9633
          },
          {
            "timestamp": "2026-05-28 22:01:58,178",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000007d0"
              }
            ],
            "repeated": 0,
            "id": 9634
          },
          {
            "timestamp": "2026-05-28 22:01:58,178",
            "thread_id": "5448",
            "caller": "0x7ff6c28d790a",
            "parentcaller": "0x7ff6c28d76df",
            "category": "misc",
            "api": "CommandLineToArgvW",
            "status": true,
            "return": "0x2925428fda0",
            "arguments": [
              {
                "name": "CommandLine",
                "value": "C:\\Windows\\System32\\svchost.exe -k netsvcs"
              },
              {
                "name": "NumArgs",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 9635
          },
          {
            "timestamp": "2026-05-28 22:01:58,178",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Users\\admin\\AppData\\Local\\Microsoft\\Windows\\Explorer\\IconCacheToDelete"
              }
            ],
            "repeated": 0,
            "id": 9636
          },
          {
            "timestamp": "2026-05-28 22:01:58,178",
            "thread_id": "5448",
            "caller": "0x7ff6c28d760f",
            "parentcaller": "0x7ff6c28d748b",
            "category": "services",
            "api": "OpenServiceW",
            "status": true,
            "return": "0x29254285360",
            "arguments": [
              {
                "name": "ServiceControlManager",
                "value": "0x292542431f0"
              },
              {
                "name": "ServiceName",
                "value": "RemoteRegistry"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000005",
                "pretty_value": "SERVICE_QUERY_CONFIG|SERVICE_QUERY_STATUS"
              }
            ],
            "repeated": 0,
            "id": 9637
          },
          {
            "timestamp": "2026-05-28 22:01:58,178",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000001",
                "pretty_value": "HKEY_CURRENT_USER"
              },
              {
                "name": "SubKey",
                "value": "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\ThumbnailCache"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\ThumbnailCache"
              }
            ],
            "repeated": 0,
            "id": 9638
          },
          {
            "timestamp": "2026-05-28 22:01:58,178",
            "thread_id": "5448",
            "caller": "0x7ff6c28d790a",
            "parentcaller": "0x7ff6c28d76df",
            "category": "misc",
            "api": "CommandLineToArgvW",
            "status": true,
            "return": "0x29254180c10",
            "arguments": [
              {
                "name": "CommandLine",
                "value": "C:\\Windows\\system32\\svchost.exe -k localService -p"
              },
              {
                "name": "NumArgs",
                "value": "4"
              }
            ],
            "repeated": 0,
            "id": 9639
          },
          {
            "timestamp": "2026-05-28 22:01:58,178",
            "thread_id": "5448",
            "caller": "0x7ff6c28d760f",
            "parentcaller": "0x7ff6c28d748b",
            "category": "services",
            "api": "OpenServiceW",
            "status": true,
            "return": "0x29254284c40",
            "arguments": [
              {
                "name": "ServiceControlManager",
                "value": "0x292542431f0"
              },
              {
                "name": "ServiceName",
                "value": "RetailDemo"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000005",
                "pretty_value": "SERVICE_QUERY_CONFIG|SERVICE_QUERY_STATUS"
              }
            ],
            "repeated": 0,
            "id": 9640
          },
          {
            "timestamp": "2026-05-28 22:01:58,178",
            "thread_id": "5448",
            "caller": "0x7ff6c28d790a",
            "parentcaller": "0x7ff6c28d76df",
            "category": "misc",
            "api": "CommandLineToArgvW",
            "status": true,
            "return": "0x2925428f920",
            "arguments": [
              {
                "name": "CommandLine",
                "value": "C:\\Windows\\System32\\svchost.exe -k rdxgroup"
              },
              {
                "name": "NumArgs",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 9641
          },
          {
            "timestamp": "2026-05-28 22:01:58,178",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000007d0"
              },
              {
                "name": "DesiredAccess",
                "value": "0xc0100080",
                "pretty_value": "GENERIC_READ|GENERIC_WRITE|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Users\\admin\\AppData\\Local\\Microsoft\\Windows\\Explorer\\iconcache_idx.db"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 9642
          },
          {
            "timestamp": "2026-05-28 22:01:58,178",
            "thread_id": "5448",
            "caller": "0x7ff6c28d790a",
            "parentcaller": "0x7ff6c28d76df",
            "category": "misc",
            "api": "CommandLineToArgvW",
            "status": true,
            "return": "0x2925421fa90",
            "arguments": [
              {
                "name": "CommandLine",
                "value": "C:\\Windows\\system32\\svchost.exe -k RPCSS -p"
              },
              {
                "name": "NumArgs",
                "value": "4"
              }
            ],
            "repeated": 0,
            "id": 9643
          },
          {
            "timestamp": "2026-05-28 22:01:58,178",
            "thread_id": "5448",
            "caller": "0x7ff6c28d760f",
            "parentcaller": "0x7ff6c28d748b",
            "category": "services",
            "api": "OpenServiceW",
            "status": true,
            "return": "0x292542847f0",
            "arguments": [
              {
                "name": "ServiceControlManager",
                "value": "0x292542431f0"
              },
              {
                "name": "ServiceName",
                "value": "RpcLocator"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000005",
                "pretty_value": "SERVICE_QUERY_CONFIG|SERVICE_QUERY_STATUS"
              }
            ],
            "repeated": 0,
            "id": 9644
          },
          {
            "timestamp": "2026-05-28 22:01:58,178",
            "thread_id": "5448",
            "caller": "0x7ff6c28d790a",
            "parentcaller": "0x7ff6c28d76df",
            "category": "misc",
            "api": "CommandLineToArgvW",
            "status": true,
            "return": "0x292542823a0",
            "arguments": [
              {
                "name": "CommandLine",
                "value": "C:\\Windows\\system32\\locator.exe"
              },
              {
                "name": "NumArgs",
                "value": "1"
              }
            ],
            "repeated": 0,
            "id": 9645
          },
          {
            "timestamp": "2026-05-28 22:01:58,178",
            "thread_id": "5448",
            "caller": "0x7ff6c28d790a",
            "parentcaller": "0x7ff6c28d76df",
            "category": "misc",
            "api": "CommandLineToArgvW",
            "status": true,
            "return": "0x29254220db0",
            "arguments": [
              {
                "name": "CommandLine",
                "value": "C:\\Windows\\system32\\svchost.exe -k rpcss -p"
              },
              {
                "name": "NumArgs",
                "value": "4"
              }
            ],
            "repeated": 0,
            "id": 9646
          },
          {
            "timestamp": "2026-05-28 22:01:58,178",
            "thread_id": "5448",
            "caller": "0x7ff6c28d760f",
            "parentcaller": "0x7ff6c28d748b",
            "category": "services",
            "api": "OpenServiceW",
            "status": true,
            "return": "0x292542847f0",
            "arguments": [
              {
                "name": "ServiceControlManager",
                "value": "0x292542431f0"
              },
              {
                "name": "ServiceName",
                "value": "SamSs"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000005",
                "pretty_value": "SERVICE_QUERY_CONFIG|SERVICE_QUERY_STATUS"
              }
            ],
            "repeated": 0,
            "id": 9647
          },
          {
            "timestamp": "2026-05-28 22:01:58,178",
            "thread_id": "5448",
            "caller": "0x7ff6c28d790a",
            "parentcaller": "0x7ff6c28d76df",
            "category": "misc",
            "api": "CommandLineToArgvW",
            "status": true,
            "return": "0x29254282160",
            "arguments": [
              {
                "name": "CommandLine",
                "value": "C:\\Windows\\system32\\lsass.exe"
              },
              {
                "name": "NumArgs",
                "value": "1"
              }
            ],
            "repeated": 0,
            "id": 9648
          },
          {
            "timestamp": "2026-05-28 22:01:58,178",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "filesystem",
            "api": "NtSetInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000007d0"
              },
              {
                "name": "HandleName",
                "value": "C:\\Users\\admin\\AppData\\Local\\Microsoft\\Windows\\Explorer\\iconcache_idx.db"
              },
              {
                "name": "FileInformationClass",
                "value": "74"
              },
              {
                "name": "FileInformation",
                "value": "\\x02\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 9649
          },
          {
            "timestamp": "2026-05-28 22:01:58,178",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000007d4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000400",
                "pretty_value": "PROCESS_QUERY_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "7912"
              }
            ],
            "repeated": 0,
            "id": 9650
          },
          {
            "timestamp": "2026-05-28 22:01:58,178",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x00000804"
              }
            ],
            "repeated": 0,
            "id": 9651
          },
          {
            "timestamp": "2026-05-28 22:01:58,178",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "`\\xea\\x17\\x9e\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\xe9\\x03\\x00\\x00\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00p\\xc3\\xe8S\\x92\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00H\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00p\\xc3\\xe8S\\x92\\x02\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 9652
          },
          {
            "timestamp": "2026-05-28 22:01:58,178",
            "thread_id": "5448",
            "caller": "0x7ff6c28d790a",
            "parentcaller": "0x7ff6c28d76df",
            "category": "misc",
            "api": "CommandLineToArgvW",
            "status": true,
            "return": "0x2925428a520",
            "arguments": [
              {
                "name": "CommandLine",
                "value": "C:\\Windows\\system32\\svchost.exe -k LocalServiceAndNoImpersonation"
              },
              {
                "name": "NumArgs",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 9653
          },
          {
            "timestamp": "2026-05-28 22:01:58,178",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "synchronization",
            "api": "NtCreateMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000808"
              },
              {
                "name": "MutexName",
                "value": "Global\\C::Users:admin:AppData:Local:Microsoft:Windows:Explorer:iconcache_idx.db!rwReaderRefs"
              },
              {
                "name": "InitialOwner",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 9654
          },
          {
            "timestamp": "2026-05-28 22:01:58,178",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000804"
              }
            ],
            "repeated": 0,
            "id": 9655
          },
          {
            "timestamp": "2026-05-28 22:01:58,178",
            "thread_id": "5448",
            "caller": "0x7ff6c28d760f",
            "parentcaller": "0x7ff6c28d748b",
            "category": "services",
            "api": "OpenServiceW",
            "status": true,
            "return": "0x29254284d00",
            "arguments": [
              {
                "name": "ServiceControlManager",
                "value": "0x292542431f0"
              },
              {
                "name": "ServiceName",
                "value": "ScDeviceEnum"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000005",
                "pretty_value": "SERVICE_QUERY_CONFIG|SERVICE_QUERY_STATUS"
              }
            ],
            "repeated": 0,
            "id": 9656
          },
          {
            "timestamp": "2026-05-28 22:01:58,178",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000007d4"
              }
            ],
            "repeated": 0,
            "id": 9657
          },
          {
            "timestamp": "2026-05-28 22:01:58,178",
            "thread_id": "5448",
            "caller": "0x7ff6c28d790a",
            "parentcaller": "0x7ff6c28d76df",
            "category": "misc",
            "api": "CommandLineToArgvW",
            "status": true,
            "return": "0x29253eae670",
            "arguments": [
              {
                "name": "CommandLine",
                "value": "C:\\Windows\\system32\\svchost.exe -k LocalSystemNetworkRestricted"
              },
              {
                "name": "NumArgs",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 9658
          },
          {
            "timestamp": "2026-05-28 22:01:58,178",
            "thread_id": "5448",
            "caller": "0x7ff6c28d760f",
            "parentcaller": "0x7ff6c28d748b",
            "category": "services",
            "api": "OpenServiceW",
            "status": true,
            "return": "0x29254284d90",
            "arguments": [
              {
                "name": "ServiceControlManager",
                "value": "0x292542431f0"
              },
              {
                "name": "ServiceName",
                "value": "Schedule"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000005",
                "pretty_value": "SERVICE_QUERY_CONFIG|SERVICE_QUERY_STATUS"
              }
            ],
            "repeated": 0,
            "id": 9659
          },
          {
            "timestamp": "2026-05-28 22:01:58,178",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000007d0"
              },
              {
                "name": "HandleName",
                "value": "C:\\Users\\admin\\AppData\\Local\\Microsoft\\Windows\\Explorer\\iconcache_idx.db"
              },
              {
                "name": "FileInformationClass",
                "value": "5",
                "pretty_value": "FileStandardInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\x00\\x80\\x00\\x00\\x00\\x00\\x00\\x000r\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 9660
          },
          {
            "timestamp": "2026-05-28 22:01:58,178",
            "thread_id": "5448",
            "caller": "0x7ff6c28d790a",
            "parentcaller": "0x7ff6c28d76df",
            "category": "misc",
            "api": "CommandLineToArgvW",
            "status": true,
            "return": "0x29254220db0",
            "arguments": [
              {
                "name": "CommandLine",
                "value": "C:\\Windows\\system32\\svchost.exe -k netsvcs -p"
              },
              {
                "name": "NumArgs",
                "value": "4"
              }
            ],
            "repeated": 0,
            "id": 9661
          },
          {
            "timestamp": "2026-05-28 22:01:58,178",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x000007d4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0007",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ|SECTION_MAP_WRITE"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x000007d0"
              },
              {
                "name": "FileName",
                "value": "C:\\Users\\admin\\AppData\\Local\\Microsoft\\Windows\\Explorer\\iconcache_idx.db"
              }
            ],
            "repeated": 0,
            "id": 9662
          },
          {
            "timestamp": "2026-05-28 22:01:58,178",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x000007d4"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x292546e0000"
              },
              {
                "name": "SectionOffset",
                "value": "0xf09e17e7c0"
              },
              {
                "name": "ViewSize",
                "value": "0x00008000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 9663
          },
          {
            "timestamp": "2026-05-28 22:01:58,178",
            "thread_id": "5448",
            "caller": "0x7ff6c28d760f",
            "parentcaller": "0x7ff6c28d748b",
            "category": "services",
            "api": "OpenServiceW",
            "status": true,
            "return": "0x29254285b10",
            "arguments": [
              {
                "name": "ServiceControlManager",
                "value": "0x292542431f0"
              },
              {
                "name": "ServiceName",
                "value": "SDRSVC"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000005",
                "pretty_value": "SERVICE_QUERY_CONFIG|SERVICE_QUERY_STATUS"
              }
            ],
            "repeated": 0,
            "id": 9664
          },
          {
            "timestamp": "2026-05-28 22:01:58,178",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000007d4"
              }
            ],
            "repeated": 0,
            "id": 9665
          },
          {
            "timestamp": "2026-05-28 22:01:58,178",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000808"
              }
            ],
            "repeated": 0,
            "id": 9666
          },
          {
            "timestamp": "2026-05-28 22:01:58,178",
            "thread_id": "5448",
            "caller": "0x7ff6c28d790a",
            "parentcaller": "0x7ff6c28d76df",
            "category": "misc",
            "api": "CommandLineToArgvW",
            "status": true,
            "return": "0x29254290220",
            "arguments": [
              {
                "name": "CommandLine",
                "value": "C:\\Windows\\system32\\svchost.exe -k SDRSVC"
              },
              {
                "name": "NumArgs",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 9667
          },
          {
            "timestamp": "2026-05-28 22:01:58,178",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000808"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000400",
                "pretty_value": "PROCESS_QUERY_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "7912"
              }
            ],
            "repeated": 0,
            "id": 9668
          },
          {
            "timestamp": "2026-05-28 22:01:58,178",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x000007d4"
              }
            ],
            "repeated": 0,
            "id": 9669
          },
          {
            "timestamp": "2026-05-28 22:01:58,178",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "p\\xea\\x17\\x9e\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\xe9\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb8\\x07\\x00\\x00\\x00\\x00\\x00\\x00 \\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x02\\x00\\x00\\x00\\x00\\x00\\x00]\\xddmu\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00p\\xc3\\xe8S\\x92\\x02\\x00\\x00\\xea\\x0b\\xcfLu\\xc0\\x00\\x00\\xe8p%T\\x92\\x02\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 9670
          },
          {
            "timestamp": "2026-05-28 22:01:58,178",
            "thread_id": "5448",
            "caller": "0x7ff6c28d760f",
            "parentcaller": "0x7ff6c28d748b",
            "category": "services",
            "api": "OpenServiceW",
            "status": true,
            "return": "0x29254285a80",
            "arguments": [
              {
                "name": "ServiceControlManager",
                "value": "0x292542431f0"
              },
              {
                "name": "ServiceName",
                "value": "seclogon"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000005",
                "pretty_value": "SERVICE_QUERY_CONFIG|SERVICE_QUERY_STATUS"
              }
            ],
            "repeated": 0,
            "id": 9671
          },
          {
            "timestamp": "2026-05-28 22:01:58,178",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "synchronization",
            "api": "NtCreateMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000804"
              },
              {
                "name": "MutexName",
                "value": "Global\\C::Users:admin:AppData:Local:Microsoft:Windows:Explorer:iconcache_idx.db!rwReaderRefs"
              },
              {
                "name": "InitialOwner",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 9672
          },
          {
            "timestamp": "2026-05-28 22:01:58,178",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000007d4"
              }
            ],
            "repeated": 0,
            "id": 9673
          },
          {
            "timestamp": "2026-05-28 22:01:58,178",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000808"
              }
            ],
            "repeated": 0,
            "id": 9674
          },
          {
            "timestamp": "2026-05-28 22:01:58,178",
            "thread_id": "5448",
            "caller": "0x7ff6c28d790a",
            "parentcaller": "0x7ff6c28d76df",
            "category": "misc",
            "api": "CommandLineToArgvW",
            "status": true,
            "return": "0x292542208a0",
            "arguments": [
              {
                "name": "CommandLine",
                "value": "C:\\Windows\\system32\\svchost.exe -k netsvcs -p"
              },
              {
                "name": "NumArgs",
                "value": "4"
              }
            ],
            "repeated": 0,
            "id": 9675
          },
          {
            "timestamp": "2026-05-28 22:01:58,178",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000804"
              }
            ],
            "repeated": 0,
            "id": 9676
          },
          {
            "timestamp": "2026-05-28 22:01:58,178",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "system",
            "api": "NtDuplicateObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SourceProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "SourceHandle",
                "value": "0x000007d0"
              },
              {
                "name": "TargetProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "TargetHandle",
                "value": "0x00000804"
              },
              {
                "name": "Options",
                "value": "0x00000002"
              }
            ],
            "repeated": 0,
            "id": 9677
          },
          {
            "timestamp": "2026-05-28 22:01:58,178",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000610"
              }
            ],
            "repeated": 0,
            "id": 9678
          },
          {
            "timestamp": "2026-05-28 22:01:58,178",
            "thread_id": "5448",
            "caller": "0x7ff6c28d760f",
            "parentcaller": "0x7ff6c28d748b",
            "category": "services",
            "api": "OpenServiceW",
            "status": true,
            "return": "0x292542859f0",
            "arguments": [
              {
                "name": "ServiceControlManager",
                "value": "0x292542431f0"
              },
              {
                "name": "ServiceName",
                "value": "SecurityHealthService"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000005",
                "pretty_value": "SERVICE_QUERY_CONFIG|SERVICE_QUERY_STATUS"
              }
            ],
            "repeated": 0,
            "id": 9679
          },
          {
            "timestamp": "2026-05-28 22:01:58,178",
            "thread_id": "5448",
            "caller": "0x7ff6c28d790a",
            "parentcaller": "0x7ff6c28d76df",
            "category": "misc",
            "api": "CommandLineToArgvW",
            "status": true,
            "return": "0x292542901a0",
            "arguments": [
              {
                "name": "CommandLine",
                "value": "C:\\Windows\\system32\\SecurityHealthService.exe"
              },
              {
                "name": "NumArgs",
                "value": "1"
              }
            ],
            "repeated": 0,
            "id": 9680
          },
          {
            "timestamp": "2026-05-28 22:01:58,178",
            "thread_id": "5448",
            "caller": "0x7ff6c28d760f",
            "parentcaller": "0x7ff6c28d748b",
            "category": "services",
            "api": "OpenServiceW",
            "status": true,
            "return": "0x29254285cf0",
            "arguments": [
              {
                "name": "ServiceControlManager",
                "value": "0x292542431f0"
              },
              {
                "name": "ServiceName",
                "value": "SEMgrSvc"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000005",
                "pretty_value": "SERVICE_QUERY_CONFIG|SERVICE_QUERY_STATUS"
              }
            ],
            "repeated": 0,
            "id": 9681
          },
          {
            "timestamp": "2026-05-28 22:01:58,178",
            "thread_id": "5448",
            "caller": "0x7ff6c28d790a",
            "parentcaller": "0x7ff6c28d76df",
            "category": "misc",
            "api": "CommandLineToArgvW",
            "status": true,
            "return": "0x29254182010",
            "arguments": [
              {
                "name": "CommandLine",
                "value": "C:\\Windows\\system32\\svchost.exe -k LocalService -p"
              },
              {
                "name": "NumArgs",
                "value": "4"
              }
            ],
            "repeated": 0,
            "id": 9682
          },
          {
            "timestamp": "2026-05-28 22:01:58,178",
            "thread_id": "5448",
            "caller": "0x7ff6c28d760f",
            "parentcaller": "0x7ff6c28d748b",
            "category": "services",
            "api": "OpenServiceW",
            "status": true,
            "return": "0x29254285630",
            "arguments": [
              {
                "name": "ServiceControlManager",
                "value": "0x292542431f0"
              },
              {
                "name": "ServiceName",
                "value": "SENS"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000005",
                "pretty_value": "SERVICE_QUERY_CONFIG|SERVICE_QUERY_STATUS"
              }
            ],
            "repeated": 0,
            "id": 9683
          },
          {
            "timestamp": "2026-05-28 22:01:58,178",
            "thread_id": "5448",
            "caller": "0x7ff6c28d790a",
            "parentcaller": "0x7ff6c28d76df",
            "category": "misc",
            "api": "CommandLineToArgvW",
            "status": true,
            "return": "0x292542200c0",
            "arguments": [
              {
                "name": "CommandLine",
                "value": "C:\\Windows\\system32\\svchost.exe -k netsvcs -p"
              },
              {
                "name": "NumArgs",
                "value": "4"
              }
            ],
            "repeated": 0,
            "id": 9684
          },
          {
            "timestamp": "2026-05-28 22:01:58,178",
            "thread_id": "5448",
            "caller": "0x7ff6c28d77e7",
            "parentcaller": "0x7ff6c28d748b",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254298000"
              },
              {
                "name": "RegionSize",
                "value": "0x00009000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 9685
          },
          {
            "timestamp": "2026-05-28 22:01:58,178",
            "thread_id": "5448",
            "caller": "0x7ff6c28d760f",
            "parentcaller": "0x7ff6c28d748b",
            "category": "services",
            "api": "OpenServiceW",
            "status": true,
            "return": "0x29254285d20",
            "arguments": [
              {
                "name": "ServiceControlManager",
                "value": "0x292542431f0"
              },
              {
                "name": "ServiceName",
                "value": "Sense"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000005",
                "pretty_value": "SERVICE_QUERY_CONFIG|SERVICE_QUERY_STATUS"
              }
            ],
            "repeated": 0,
            "id": 9686
          },
          {
            "timestamp": "2026-05-28 22:01:58,178",
            "thread_id": "5448",
            "caller": "0x7ff6c28d790a",
            "parentcaller": "0x7ff6c28d76df",
            "category": "misc",
            "api": "CommandLineToArgvW",
            "status": true,
            "return": "0x29254188e00",
            "arguments": [
              {
                "name": "CommandLine",
                "value": "\"C:\\Program Files\\Windows Defender Advanced Threat Protection\\MsSense.exe\""
              },
              {
                "name": "NumArgs",
                "value": "1"
              }
            ],
            "repeated": 0,
            "id": 9687
          },
          {
            "timestamp": "2026-05-28 22:01:58,178",
            "thread_id": "5448",
            "caller": "0x7ff6c28d760f",
            "parentcaller": "0x7ff6c28d748b",
            "category": "services",
            "api": "OpenServiceW",
            "status": true,
            "return": "0x29254285ae0",
            "arguments": [
              {
                "name": "ServiceControlManager",
                "value": "0x292542431f0"
              },
              {
                "name": "ServiceName",
                "value": "SensorDataService"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000005",
                "pretty_value": "SERVICE_QUERY_CONFIG|SERVICE_QUERY_STATUS"
              }
            ],
            "repeated": 0,
            "id": 9688
          },
          {
            "timestamp": "2026-05-28 22:01:58,178",
            "thread_id": "5448",
            "caller": "0x7ff6c28d790a",
            "parentcaller": "0x7ff6c28d76df",
            "category": "misc",
            "api": "CommandLineToArgvW",
            "status": true,
            "return": "0x29254291110",
            "arguments": [
              {
                "name": "CommandLine",
                "value": "C:\\Windows\\System32\\SensorDataService.exe"
              },
              {
                "name": "NumArgs",
                "value": "1"
              }
            ],
            "repeated": 0,
            "id": 9689
          },
          {
            "timestamp": "2026-05-28 22:01:58,178",
            "thread_id": "5448",
            "caller": "0x7ff6c28d760f",
            "parentcaller": "0x7ff6c28d748b",
            "category": "services",
            "api": "OpenServiceW",
            "status": true,
            "return": "0x29254285c30",
            "arguments": [
              {
                "name": "ServiceControlManager",
                "value": "0x292542431f0"
              },
              {
                "name": "ServiceName",
                "value": "SensorService"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000005",
                "pretty_value": "SERVICE_QUERY_CONFIG|SERVICE_QUERY_STATUS"
              }
            ],
            "repeated": 0,
            "id": 9690
          },
          {
            "timestamp": "2026-05-28 22:01:58,178",
            "thread_id": "5448",
            "caller": "0x7ff6c28d790a",
            "parentcaller": "0x7ff6c28d76df",
            "category": "misc",
            "api": "CommandLineToArgvW",
            "status": true,
            "return": "0x292542334b0",
            "arguments": [
              {
                "name": "CommandLine",
                "value": "C:\\Windows\\system32\\svchost.exe -k LocalSystemNetworkRestricted -p"
              },
              {
                "name": "NumArgs",
                "value": "4"
              }
            ],
            "repeated": 0,
            "id": 9691
          },
          {
            "timestamp": "2026-05-28 22:01:58,178",
            "thread_id": "5448",
            "caller": "0x7ff6c28d760f",
            "parentcaller": "0x7ff6c28d748b",
            "category": "services",
            "api": "OpenServiceW",
            "status": true,
            "return": "0x29254285d20",
            "arguments": [
              {
                "name": "ServiceControlManager",
                "value": "0x292542431f0"
              },
              {
                "name": "ServiceName",
                "value": "SensrSvc"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000005",
                "pretty_value": "SERVICE_QUERY_CONFIG|SERVICE_QUERY_STATUS"
              }
            ],
            "repeated": 0,
            "id": 9692
          },
          {
            "timestamp": "2026-05-28 22:01:58,178",
            "thread_id": "5448",
            "caller": "0x7ff6c28d790a",
            "parentcaller": "0x7ff6c28d76df",
            "category": "misc",
            "api": "CommandLineToArgvW",
            "status": true,
            "return": "0x292542346b0",
            "arguments": [
              {
                "name": "CommandLine",
                "value": "C:\\Windows\\system32\\svchost.exe -k LocalServiceAndNoImpersonation -p"
              },
              {
                "name": "NumArgs",
                "value": "4"
              }
            ],
            "repeated": 0,
            "id": 9693
          },
          {
            "timestamp": "2026-05-28 22:01:58,178",
            "thread_id": "5448",
            "caller": "0x7ff6c28d760f",
            "parentcaller": "0x7ff6c28d748b",
            "category": "services",
            "api": "OpenServiceW",
            "status": true,
            "return": "0x29254285ea0",
            "arguments": [
              {
                "name": "ServiceControlManager",
                "value": "0x292542431f0"
              },
              {
                "name": "ServiceName",
                "value": "SessionEnv"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000005",
                "pretty_value": "SERVICE_QUERY_CONFIG|SERVICE_QUERY_STATUS"
              }
            ],
            "repeated": 0,
            "id": 9694
          },
          {
            "timestamp": "2026-05-28 22:01:58,178",
            "thread_id": "5448",
            "caller": "0x7ff6c28d790a",
            "parentcaller": "0x7ff6c28d76df",
            "category": "misc",
            "api": "CommandLineToArgvW",
            "status": true,
            "return": "0x2925421fd60",
            "arguments": [
              {
                "name": "CommandLine",
                "value": "C:\\Windows\\System32\\svchost.exe -k netsvcs -p"
              },
              {
                "name": "NumArgs",
                "value": "4"
              }
            ],
            "repeated": 0,
            "id": 9695
          },
          {
            "timestamp": "2026-05-28 22:01:58,178",
            "thread_id": "2700",
            "caller": "0x7ffc77bf0e98",
            "parentcaller": "0x7ffc77c6b785",
            "category": "windows",
            "api": "PostMessageW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "WindowHandle",
                "value": "0x00010438"
              },
              {
                "name": "Message",
                "value": "0x00000400"
              }
            ],
            "repeated": 0,
            "id": 9696
          },
          {
            "timestamp": "2026-05-28 22:01:58,178",
            "thread_id": "5448",
            "caller": "0x7ff6c28d760f",
            "parentcaller": "0x7ff6c28d748b",
            "category": "services",
            "api": "OpenServiceW",
            "status": true,
            "return": "0x29254285d50",
            "arguments": [
              {
                "name": "ServiceControlManager",
                "value": "0x292542431f0"
              },
              {
                "name": "ServiceName",
                "value": "SgrmBroker"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000005",
                "pretty_value": "SERVICE_QUERY_CONFIG|SERVICE_QUERY_STATUS"
              }
            ],
            "repeated": 0,
            "id": 9697
          },
          {
            "timestamp": "2026-05-28 22:01:58,178",
            "thread_id": "5448",
            "caller": "0x7ff6c28d790a",
            "parentcaller": "0x7ff6c28d76df",
            "category": "misc",
            "api": "CommandLineToArgvW",
            "status": true,
            "return": "0x2925427f7c0",
            "arguments": [
              {
                "name": "CommandLine",
                "value": "C:\\Windows\\system32\\SgrmBroker.exe"
              },
              {
                "name": "NumArgs",
                "value": "1"
              }
            ],
            "repeated": 0,
            "id": 9698
          },
          {
            "timestamp": "2026-05-28 22:01:58,178",
            "thread_id": "5448",
            "caller": "0x7ff6c28d760f",
            "parentcaller": "0x7ff6c28d748b",
            "category": "services",
            "api": "OpenServiceW",
            "status": true,
            "return": "0x29254285db0",
            "arguments": [
              {
                "name": "ServiceControlManager",
                "value": "0x292542431f0"
              },
              {
                "name": "ServiceName",
                "value": "SharedAccess"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000005",
                "pretty_value": "SERVICE_QUERY_CONFIG|SERVICE_QUERY_STATUS"
              }
            ],
            "repeated": 0,
            "id": 9699
          },
          {
            "timestamp": "2026-05-28 22:01:58,178",
            "thread_id": "5448",
            "caller": "0x7ff6c28d790a",
            "parentcaller": "0x7ff6c28d76df",
            "category": "misc",
            "api": "CommandLineToArgvW",
            "status": true,
            "return": "0x2925421fd60",
            "arguments": [
              {
                "name": "CommandLine",
                "value": "C:\\Windows\\System32\\svchost.exe -k netsvcs -p"
              },
              {
                "name": "NumArgs",
                "value": "4"
              }
            ],
            "repeated": 0,
            "id": 9700
          },
          {
            "timestamp": "2026-05-28 22:01:58,178",
            "thread_id": "5448",
            "caller": "0x7ff6c28d760f",
            "parentcaller": "0x7ff6c28d748b",
            "category": "services",
            "api": "OpenServiceW",
            "status": true,
            "return": "0x29254285ae0",
            "arguments": [
              {
                "name": "ServiceControlManager",
                "value": "0x292542431f0"
              },
              {
                "name": "ServiceName",
                "value": "SharedRealitySvc"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000005",
                "pretty_value": "SERVICE_QUERY_CONFIG|SERVICE_QUERY_STATUS"
              }
            ],
            "repeated": 0,
            "id": 9701
          },
          {
            "timestamp": "2026-05-28 22:01:58,178",
            "thread_id": "5448",
            "caller": "0x7ff6c28d790a",
            "parentcaller": "0x7ff6c28d76df",
            "category": "misc",
            "api": "CommandLineToArgvW",
            "status": true,
            "return": "0x29254181390",
            "arguments": [
              {
                "name": "CommandLine",
                "value": "C:\\Windows\\system32\\svchost.exe -k LocalService -p"
              },
              {
                "name": "NumArgs",
                "value": "4"
              }
            ],
            "repeated": 0,
            "id": 9702
          },
          {
            "timestamp": "2026-05-28 22:01:58,178",
            "thread_id": "5448",
            "caller": "0x7ff6c28d760f",
            "parentcaller": "0x7ff6c28d748b",
            "category": "services",
            "api": "OpenServiceW",
            "status": true,
            "return": "0x292542854b0",
            "arguments": [
              {
                "name": "ServiceControlManager",
                "value": "0x292542431f0"
              },
              {
                "name": "ServiceName",
                "value": "ShellHWDetection"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000005",
                "pretty_value": "SERVICE_QUERY_CONFIG|SERVICE_QUERY_STATUS"
              }
            ],
            "repeated": 0,
            "id": 9703
          },
          {
            "timestamp": "2026-05-28 22:01:58,178",
            "thread_id": "5448",
            "caller": "0x7ff6c28d790a",
            "parentcaller": "0x7ff6c28d76df",
            "category": "misc",
            "api": "CommandLineToArgvW",
            "status": true,
            "return": "0x2925421fa90",
            "arguments": [
              {
                "name": "CommandLine",
                "value": "C:\\Windows\\System32\\svchost.exe -k netsvcs -p"
              },
              {
                "name": "NumArgs",
                "value": "4"
              }
            ],
            "repeated": 0,
            "id": 9704
          },
          {
            "timestamp": "2026-05-28 22:01:58,178",
            "thread_id": "5448",
            "caller": "0x7ff6c28d760f",
            "parentcaller": "0x7ff6c28d748b",
            "category": "services",
            "api": "OpenServiceW",
            "status": true,
            "return": "0x292542853f0",
            "arguments": [
              {
                "name": "ServiceControlManager",
                "value": "0x292542431f0"
              },
              {
                "name": "ServiceName",
                "value": "shpamsvc"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000005",
                "pretty_value": "SERVICE_QUERY_CONFIG|SERVICE_QUERY_STATUS"
              }
            ],
            "repeated": 0,
            "id": 9705
          },
          {
            "timestamp": "2026-05-28 22:01:58,178",
            "thread_id": "5448",
            "caller": "0x7ff6c28d790a",
            "parentcaller": "0x7ff6c28d76df",
            "category": "misc",
            "api": "CommandLineToArgvW",
            "status": true,
            "return": "0x292542208a0",
            "arguments": [
              {
                "name": "CommandLine",
                "value": "C:\\Windows\\System32\\svchost.exe -k netsvcs -p"
              },
              {
                "name": "NumArgs",
                "value": "4"
              }
            ],
            "repeated": 0,
            "id": 9706
          },
          {
            "timestamp": "2026-05-28 22:01:58,178",
            "thread_id": "5448",
            "caller": "0x7ff6c28d760f",
            "parentcaller": "0x7ff6c28d748b",
            "category": "services",
            "api": "OpenServiceW",
            "status": true,
            "return": "0x29254285f00",
            "arguments": [
              {
                "name": "ServiceControlManager",
                "value": "0x292542431f0"
              },
              {
                "name": "ServiceName",
                "value": "smphost"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000005",
                "pretty_value": "SERVICE_QUERY_CONFIG|SERVICE_QUERY_STATUS"
              }
            ],
            "repeated": 0,
            "id": 9707
          },
          {
            "timestamp": "2026-05-28 22:01:58,178",
            "thread_id": "5448",
            "caller": "0x7ff6c28d790a",
            "parentcaller": "0x7ff6c28d76df",
            "category": "misc",
            "api": "CommandLineToArgvW",
            "status": true,
            "return": "0x2925428e820",
            "arguments": [
              {
                "name": "CommandLine",
                "value": "C:\\Windows\\System32\\svchost.exe -k smphost"
              },
              {
                "name": "NumArgs",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 9708
          },
          {
            "timestamp": "2026-05-28 22:01:58,178",
            "thread_id": "5448",
            "caller": "0x7ff6c28d760f",
            "parentcaller": "0x7ff6c28d748b",
            "category": "services",
            "api": "OpenServiceW",
            "status": true,
            "return": "0x292542854e0",
            "arguments": [
              {
                "name": "ServiceControlManager",
                "value": "0x292542431f0"
              },
              {
                "name": "ServiceName",
                "value": "SmsRouter"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000005",
                "pretty_value": "SERVICE_QUERY_CONFIG|SERVICE_QUERY_STATUS"
              }
            ],
            "repeated": 0,
            "id": 9709
          },
          {
            "timestamp": "2026-05-28 22:01:58,178",
            "thread_id": "5448",
            "caller": "0x7ff6c28d790a",
            "parentcaller": "0x7ff6c28d76df",
            "category": "misc",
            "api": "CommandLineToArgvW",
            "status": true,
            "return": "0x292542334b0",
            "arguments": [
              {
                "name": "CommandLine",
                "value": "C:\\Windows\\system32\\svchost.exe -k LocalServiceNetworkRestricted -p"
              },
              {
                "name": "NumArgs",
                "value": "4"
              }
            ],
            "repeated": 0,
            "id": 9710
          },
          {
            "timestamp": "2026-05-28 22:01:58,178",
            "thread_id": "5448",
            "caller": "0x7ff6c28d760f",
            "parentcaller": "0x7ff6c28d748b",
            "category": "services",
            "api": "OpenServiceW",
            "status": true,
            "return": "0x29254285420",
            "arguments": [
              {
                "name": "ServiceControlManager",
                "value": "0x292542431f0"
              },
              {
                "name": "ServiceName",
                "value": "SNMPTRAP"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000005",
                "pretty_value": "SERVICE_QUERY_CONFIG|SERVICE_QUERY_STATUS"
              }
            ],
            "repeated": 0,
            "id": 9711
          },
          {
            "timestamp": "2026-05-28 22:01:58,178",
            "thread_id": "5448",
            "caller": "0x7ff6c28d790a",
            "parentcaller": "0x7ff6c28d76df",
            "category": "misc",
            "api": "CommandLineToArgvW",
            "status": true,
            "return": "0x2925427eec0",
            "arguments": [
              {
                "name": "CommandLine",
                "value": "C:\\Windows\\System32\\snmptrap.exe"
              },
              {
                "name": "NumArgs",
                "value": "1"
              }
            ],
            "repeated": 0,
            "id": 9712
          },
          {
            "timestamp": "2026-05-28 22:01:58,178",
            "thread_id": "5448",
            "caller": "0x7ff6c28d760f",
            "parentcaller": "0x7ff6c28d748b",
            "category": "services",
            "api": "OpenServiceW",
            "status": true,
            "return": "0x29254285a80",
            "arguments": [
              {
                "name": "ServiceControlManager",
                "value": "0x292542431f0"
              },
              {
                "name": "ServiceName",
                "value": "spectrum"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000005",
                "pretty_value": "SERVICE_QUERY_CONFIG|SERVICE_QUERY_STATUS"
              }
            ],
            "repeated": 0,
            "id": 9713
          },
          {
            "timestamp": "2026-05-28 22:01:58,178",
            "thread_id": "5448",
            "caller": "0x7ff6c28d790a",
            "parentcaller": "0x7ff6c28d76df",
            "category": "misc",
            "api": "CommandLineToArgvW",
            "status": true,
            "return": "0x2925427eec0",
            "arguments": [
              {
                "name": "CommandLine",
                "value": "C:\\Windows\\system32\\spectrum.exe"
              },
              {
                "name": "NumArgs",
                "value": "1"
              }
            ],
            "repeated": 0,
            "id": 9714
          },
          {
            "timestamp": "2026-05-28 22:01:58,178",
            "thread_id": "5448",
            "caller": "0x7ff6c28d760f",
            "parentcaller": "0x7ff6c28d748b",
            "category": "services",
            "api": "OpenServiceW",
            "status": true,
            "return": "0x29254285bd0",
            "arguments": [
              {
                "name": "ServiceControlManager",
                "value": "0x292542431f0"
              },
              {
                "name": "ServiceName",
                "value": "Spooler"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000005",
                "pretty_value": "SERVICE_QUERY_CONFIG|SERVICE_QUERY_STATUS"
              }
            ],
            "repeated": 0,
            "id": 9715
          },
          {
            "timestamp": "2026-05-28 22:01:58,178",
            "thread_id": "5448",
            "caller": "0x7ff6c28d790a",
            "parentcaller": "0x7ff6c28d76df",
            "category": "misc",
            "api": "CommandLineToArgvW",
            "status": true,
            "return": "0x2925427f040",
            "arguments": [
              {
                "name": "CommandLine",
                "value": "C:\\Windows\\System32\\spoolsv.exe"
              },
              {
                "name": "NumArgs",
                "value": "1"
              }
            ],
            "repeated": 0,
            "id": 9716
          },
          {
            "timestamp": "2026-05-28 22:01:58,178",
            "thread_id": "5448",
            "caller": "0x7ff6c28d760f",
            "parentcaller": "0x7ff6c28d748b",
            "category": "services",
            "api": "OpenServiceW",
            "status": true,
            "return": "0x292542854b0",
            "arguments": [
              {
                "name": "ServiceControlManager",
                "value": "0x292542431f0"
              },
              {
                "name": "ServiceName",
                "value": "sppsvc"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000005",
                "pretty_value": "SERVICE_QUERY_CONFIG|SERVICE_QUERY_STATUS"
              }
            ],
            "repeated": 0,
            "id": 9717
          },
          {
            "timestamp": "2026-05-28 22:01:58,178",
            "thread_id": "5448",
            "caller": "0x7ff6c28d790a",
            "parentcaller": "0x7ff6c28d76df",
            "category": "misc",
            "api": "CommandLineToArgvW",
            "status": true,
            "return": "0x2925427ef20",
            "arguments": [
              {
                "name": "CommandLine",
                "value": "C:\\Windows\\system32\\sppsvc.exe"
              },
              {
                "name": "NumArgs",
                "value": "1"
              }
            ],
            "repeated": 0,
            "id": 9718
          },
          {
            "timestamp": "2026-05-28 22:01:58,178",
            "thread_id": "5448",
            "caller": "0x7ff6c28d760f",
            "parentcaller": "0x7ff6c28d748b",
            "category": "services",
            "api": "OpenServiceW",
            "status": true,
            "return": "0x29254285630",
            "arguments": [
              {
                "name": "ServiceControlManager",
                "value": "0x292542431f0"
              },
              {
                "name": "ServiceName",
                "value": "SSDPSRV"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000005",
                "pretty_value": "SERVICE_QUERY_CONFIG|SERVICE_QUERY_STATUS"
              }
            ],
            "repeated": 0,
            "id": 9719
          },
          {
            "timestamp": "2026-05-28 22:01:58,178",
            "thread_id": "5448",
            "caller": "0x7ff6c28d790a",
            "parentcaller": "0x7ff6c28d76df",
            "category": "misc",
            "api": "CommandLineToArgvW",
            "status": true,
            "return": "0x292542340b0",
            "arguments": [
              {
                "name": "CommandLine",
                "value": "C:\\Windows\\system32\\svchost.exe -k LocalServiceAndNoImpersonation -p"
              },
              {
                "name": "NumArgs",
                "value": "4"
              }
            ],
            "repeated": 0,
            "id": 9720
          },
          {
            "timestamp": "2026-05-28 22:01:58,178",
            "thread_id": "5448",
            "caller": "0x7ff6c28d760f",
            "parentcaller": "0x7ff6c28d748b",
            "category": "services",
            "api": "OpenServiceW",
            "status": true,
            "return": "0x292542854b0",
            "arguments": [
              {
                "name": "ServiceControlManager",
                "value": "0x292542431f0"
              },
              {
                "name": "ServiceName",
                "value": "ssh-agent"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000005",
                "pretty_value": "SERVICE_QUERY_CONFIG|SERVICE_QUERY_STATUS"
              }
            ],
            "repeated": 0,
            "id": 9721
          },
          {
            "timestamp": "2026-05-28 22:01:58,178",
            "thread_id": "5448",
            "caller": "0x7ff6c28d790a",
            "parentcaller": "0x7ff6c28d76df",
            "category": "misc",
            "api": "CommandLineToArgvW",
            "status": true,
            "return": "0x29254291b20",
            "arguments": [
              {
                "name": "CommandLine",
                "value": "C:\\Windows\\System32\\OpenSSH\\ssh-agent.exe"
              },
              {
                "name": "NumArgs",
                "value": "1"
              }
            ],
            "repeated": 0,
            "id": 9722
          },
          {
            "timestamp": "2026-05-28 22:01:58,178",
            "thread_id": "5448",
            "caller": "0x7ff6c28d760f",
            "parentcaller": "0x7ff6c28d748b",
            "category": "services",
            "api": "OpenServiceW",
            "status": true,
            "return": "0x29254285b70",
            "arguments": [
              {
                "name": "ServiceControlManager",
                "value": "0x292542431f0"
              },
              {
                "name": "ServiceName",
                "value": "SstpSvc"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000005",
                "pretty_value": "SERVICE_QUERY_CONFIG|SERVICE_QUERY_STATUS"
              }
            ],
            "repeated": 0,
            "id": 9723
          },
          {
            "timestamp": "2026-05-28 22:01:58,178",
            "thread_id": "5448",
            "caller": "0x7ff6c28d790a",
            "parentcaller": "0x7ff6c28d76df",
            "category": "misc",
            "api": "CommandLineToArgvW",
            "status": true,
            "return": "0x2925429fec0",
            "arguments": [
              {
                "name": "CommandLine",
                "value": "C:\\Windows\\system32\\svchost.exe -k LocalService -p"
              },
              {
                "name": "NumArgs",
                "value": "4"
              }
            ],
            "repeated": 0,
            "id": 9724
          },
          {
            "timestamp": "2026-05-28 22:01:58,178",
            "thread_id": "5448",
            "caller": "0x7ff6c28d760f",
            "parentcaller": "0x7ff6c28d748b",
            "category": "services",
            "api": "OpenServiceW",
            "status": true,
            "return": "0x29254285810",
            "arguments": [
              {
                "name": "ServiceControlManager",
                "value": "0x292542431f0"
              },
              {
                "name": "ServiceName",
                "value": "StateRepository"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000005",
                "pretty_value": "SERVICE_QUERY_CONFIG|SERVICE_QUERY_STATUS"
              }
            ],
            "repeated": 0,
            "id": 9725
          },
          {
            "timestamp": "2026-05-28 22:01:58,178",
            "thread_id": "5448",
            "caller": "0x7ff6c28d790a",
            "parentcaller": "0x7ff6c28d76df",
            "category": "misc",
            "api": "CommandLineToArgvW",
            "status": true,
            "return": "0x2925421ff10",
            "arguments": [
              {
                "name": "CommandLine",
                "value": "C:\\Windows\\system32\\svchost.exe -k appmodel -p"
              },
              {
                "name": "NumArgs",
                "value": "4"
              }
            ],
            "repeated": 0,
            "id": 9726
          },
          {
            "timestamp": "2026-05-28 22:01:58,178",
            "thread_id": "5448",
            "caller": "0x7ff6c28d760f",
            "parentcaller": "0x7ff6c28d748b",
            "category": "services",
            "api": "OpenServiceW",
            "status": true,
            "return": "0x29254285930",
            "arguments": [
              {
                "name": "ServiceControlManager",
                "value": "0x292542431f0"
              },
              {
                "name": "ServiceName",
                "value": "Steam Client Service"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000005",
                "pretty_value": "SERVICE_QUERY_CONFIG|SERVICE_QUERY_STATUS"
              }
            ],
            "repeated": 0,
            "id": 9727
          },
          {
            "timestamp": "2026-05-28 22:01:58,178",
            "thread_id": "5448",
            "caller": "0x7ff6c28d790a",
            "parentcaller": "0x7ff6c28d76df",
            "category": "misc",
            "api": "CommandLineToArgvW",
            "status": true,
            "return": "0x292542345f0",
            "arguments": [
              {
                "name": "CommandLine",
                "value": "\"C:\\Program Files (x86)\\Common Files\\Steam\\steamservice.exe\" /RunAsService"
              },
              {
                "name": "NumArgs",
                "value": "2"
              }
            ],
            "repeated": 0,
            "id": 9728
          },
          {
            "timestamp": "2026-05-28 22:01:58,178",
            "thread_id": "5448",
            "caller": "0x7ff6c28d760f",
            "parentcaller": "0x7ff6c28d748b",
            "category": "services",
            "api": "OpenServiceW",
            "status": true,
            "return": "0x29254285bd0",
            "arguments": [
              {
                "name": "ServiceControlManager",
                "value": "0x292542431f0"
              },
              {
                "name": "ServiceName",
                "value": "stisvc"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000005",
                "pretty_value": "SERVICE_QUERY_CONFIG|SERVICE_QUERY_STATUS"
              }
            ],
            "repeated": 0,
            "id": 9729
          },
          {
            "timestamp": "2026-05-28 22:01:58,178",
            "thread_id": "5448",
            "caller": "0x7ff6c28d790a",
            "parentcaller": "0x7ff6c28d76df",
            "category": "misc",
            "api": "CommandLineToArgvW",
            "status": true,
            "return": "0x2925428faa0",
            "arguments": [
              {
                "name": "CommandLine",
                "value": "C:\\Windows\\system32\\svchost.exe -k imgsvc"
              },
              {
                "name": "NumArgs",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 9730
          },
          {
            "timestamp": "2026-05-28 22:01:58,178",
            "thread_id": "5448",
            "caller": "0x7ff6c28d760f",
            "parentcaller": "0x7ff6c28d748b",
            "category": "services",
            "api": "OpenServiceW",
            "status": true,
            "return": "0x29254286140",
            "arguments": [
              {
                "name": "ServiceControlManager",
                "value": "0x292542431f0"
              },
              {
                "name": "ServiceName",
                "value": "StorSvc"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000005",
                "pretty_value": "SERVICE_QUERY_CONFIG|SERVICE_QUERY_STATUS"
              }
            ],
            "repeated": 0,
            "id": 9731
          },
          {
            "timestamp": "2026-05-28 22:01:58,178",
            "thread_id": "1496",
            "caller": "0x7ff6c28cd4b8",
            "parentcaller": "0x7ff6c292ec05",
            "category": "misc",
            "api": "FindResourceExW",
            "status": true,
            "return": "0x2924e1b1e88",
            "arguments": [
              {
                "name": "Module",
                "value": "0x7ff6c28b0000"
              },
              {
                "name": "Type",
                "value": "#6"
              },
              {
                "name": "Name",
                "value": "#2326"
              },
              {
                "name": "Language",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 9732
          },
          {
            "timestamp": "2026-05-28 22:01:58,178",
            "thread_id": "1496",
            "caller": "0x7ff6c28cd4b8",
            "parentcaller": "0x7ff6c292ec05",
            "category": "misc",
            "api": "LoadResource",
            "status": true,
            "return": "0x2924e1bc4a0",
            "arguments": [
              {
                "name": "Module",
                "value": "0x7ff6c28b0000"
              },
              {
                "name": "ResourceInfo",
                "value": "0x2924e1b1e88"
              }
            ],
            "repeated": 0,
            "id": 9733
          },
          {
            "timestamp": "2026-05-28 22:01:58,178",
            "thread_id": "5448",
            "caller": "0x7ff6c28d790a",
            "parentcaller": "0x7ff6c28d76df",
            "category": "misc",
            "api": "CommandLineToArgvW",
            "status": true,
            "return": "0x29254234530",
            "arguments": [
              {
                "name": "CommandLine",
                "value": "C:\\Windows\\System32\\svchost.exe -k LocalSystemNetworkRestricted -p"
              },
              {
                "name": "NumArgs",
                "value": "4"
              }
            ],
            "repeated": 0,
            "id": 9734
          },
          {
            "timestamp": "2026-05-28 22:01:58,178",
            "thread_id": "1496",
            "caller": "0x7ff6c28cd4b8",
            "parentcaller": "0x7ff6c292ec05",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x292542a1000"
              },
              {
                "name": "RegionSize",
                "value": "0x00005000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 9735
          },
          {
            "timestamp": "2026-05-28 22:01:58,178",
            "thread_id": "1496",
            "caller": "0x7ff6c28cd4b8",
            "parentcaller": "0x7ff6c292ec05",
            "category": "misc",
            "api": "FindResourceExW",
            "status": true,
            "return": "0x2924e1b1ea8",
            "arguments": [
              {
                "name": "Module",
                "value": "0x7ff6c28b0000"
              },
              {
                "name": "Type",
                "value": "#6"
              },
              {
                "name": "Name",
                "value": "#2328"
              },
              {
                "name": "Language",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 9736
          },
          {
            "timestamp": "2026-05-28 22:01:58,178",
            "thread_id": "5448",
            "caller": "0x7ff6c28d760f",
            "parentcaller": "0x7ff6c28d748b",
            "category": "services",
            "api": "OpenServiceW",
            "status": true,
            "return": "0x292542868f0",
            "arguments": [
              {
                "name": "ServiceControlManager",
                "value": "0x292542431f0"
              },
              {
                "name": "ServiceName",
                "value": "svsvc"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000005",
                "pretty_value": "SERVICE_QUERY_CONFIG|SERVICE_QUERY_STATUS"
              }
            ],
            "repeated": 0,
            "id": 9737
          },
          {
            "timestamp": "2026-05-28 22:01:58,178",
            "thread_id": "1496",
            "caller": "0x7ff6c28cd4b8",
            "parentcaller": "0x7ff6c292ec05",
            "category": "misc",
            "api": "LoadResource",
            "status": true,
            "return": "0x2924e1bcac0",
            "arguments": [
              {
                "name": "Module",
                "value": "0x7ff6c28b0000"
              },
              {
                "name": "ResourceInfo",
                "value": "0x2924e1b1ea8"
              }
            ],
            "repeated": 0,
            "id": 9738
          },
          {
            "timestamp": "2026-05-28 22:01:58,178",
            "thread_id": "5448",
            "caller": "0x7ff6c28d790a",
            "parentcaller": "0x7ff6c28d76df",
            "category": "misc",
            "api": "CommandLineToArgvW",
            "status": true,
            "return": "0x29254235070",
            "arguments": [
              {
                "name": "CommandLine",
                "value": "C:\\Windows\\system32\\svchost.exe -k LocalSystemNetworkRestricted -p"
              },
              {
                "name": "NumArgs",
                "value": "4"
              }
            ],
            "repeated": 0,
            "id": 9739
          },
          {
            "timestamp": "2026-05-28 22:01:58,178",
            "thread_id": "1496",
            "caller": "0x7ff6c28da4af",
            "parentcaller": "0x7ff6c28cd4b8",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x292542a6000"
              },
              {
                "name": "RegionSize",
                "value": "0x00009000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 9740
          },
          {
            "timestamp": "2026-05-28 22:01:58,178",
            "thread_id": "1496",
            "caller": "0x7ff6c28da4af",
            "parentcaller": "0x7ff6c28cd4b8",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x292542af000"
              },
              {
                "name": "RegionSize",
                "value": "0x00009000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 9741
          },
          {
            "timestamp": "2026-05-28 22:01:58,178",
            "thread_id": "5448",
            "caller": "0x7ff6c28d760f",
            "parentcaller": "0x7ff6c28d748b",
            "category": "services",
            "api": "OpenServiceW",
            "status": true,
            "return": "0x292542863b0",
            "arguments": [
              {
                "name": "ServiceControlManager",
                "value": "0x292542431f0"
              },
              {
                "name": "ServiceName",
                "value": "swprv"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000005",
                "pretty_value": "SERVICE_QUERY_CONFIG|SERVICE_QUERY_STATUS"
              }
            ],
            "repeated": 0,
            "id": 9742
          },
          {
            "timestamp": "2026-05-28 22:01:58,178",
            "thread_id": "1496",
            "caller": "0x7ff6c28da4af",
            "parentcaller": "0x7ff6c28cd4b8",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x292542b8000"
              },
              {
                "name": "RegionSize",
                "value": "0x00009000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 9743
          },
          {
            "timestamp": "2026-05-28 22:01:58,178",
            "thread_id": "1496",
            "caller": "0x7ff6c28da4af",
            "parentcaller": "0x7ff6c28cd4b8",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x292542c1000"
              },
              {
                "name": "RegionSize",
                "value": "0x00011000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 9744
          },
          {
            "timestamp": "2026-05-28 22:01:58,178",
            "thread_id": "5448",
            "caller": "0x7ff6c28d790a",
            "parentcaller": "0x7ff6c28d76df",
            "category": "misc",
            "api": "CommandLineToArgvW",
            "status": true,
            "return": "0x2925428e520",
            "arguments": [
              {
                "name": "CommandLine",
                "value": "C:\\Windows\\System32\\svchost.exe -k swprv"
              },
              {
                "name": "NumArgs",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 9745
          },
          {
            "timestamp": "2026-05-28 22:01:58,178",
            "thread_id": "1496",
            "caller": "0x7ff6c28cd4b8",
            "parentcaller": "0x7ff6c292ec05",
            "category": "misc",
            "api": "FindResourceExW",
            "status": true,
            "return": "0x2924e1b1de8",
            "arguments": [
              {
                "name": "Module",
                "value": "0x7ff6c28b0000"
              },
              {
                "name": "Type",
                "value": "#6"
              },
              {
                "name": "Name",
                "value": "#2251"
              },
              {
                "name": "Language",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 9746
          },
          {
            "timestamp": "2026-05-28 22:01:58,178",
            "thread_id": "1496",
            "caller": "0x7ff6c28cd4b8",
            "parentcaller": "0x7ff6c292ec05",
            "category": "misc",
            "api": "LoadResource",
            "status": true,
            "return": "0x2924e1bbde4",
            "arguments": [
              {
                "name": "Module",
                "value": "0x7ff6c28b0000"
              },
              {
                "name": "ResourceInfo",
                "value": "0x2924e1b1de8"
              }
            ],
            "repeated": 0,
            "id": 9747
          },
          {
            "timestamp": "2026-05-28 22:01:58,178",
            "thread_id": "5448",
            "caller": "0x7ff6c28d790a",
            "parentcaller": "0x7ff6c28d76df",
            "category": "misc",
            "api": "CommandLineToArgvW",
            "status": true,
            "return": "0x29254233cf0",
            "arguments": [
              {
                "name": "CommandLine",
                "value": "C:\\Windows\\system32\\svchost.exe -k LocalSystemNetworkRestricted -p"
              },
              {
                "name": "NumArgs",
                "value": "4"
              }
            ],
            "repeated": 0,
            "id": 9748
          },
          {
            "timestamp": "2026-05-28 22:01:58,178",
            "thread_id": "1496",
            "caller": "0x7ff6c28cd4b8",
            "parentcaller": "0x7ff6c292ec05",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x292542d2000"
              },
              {
                "name": "RegionSize",
                "value": "0x00011000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 9749
          },
          {
            "timestamp": "2026-05-28 22:01:58,178",
            "thread_id": "5448",
            "caller": "0x7ff6c28d760f",
            "parentcaller": "0x7ff6c28d748b",
            "category": "services",
            "api": "OpenServiceW",
            "status": true,
            "return": "0x29254286650",
            "arguments": [
              {
                "name": "ServiceControlManager",
                "value": "0x292542431f0"
              },
              {
                "name": "ServiceName",
                "value": "SystemEventsBroker"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000005",
                "pretty_value": "SERVICE_QUERY_CONFIG|SERVICE_QUERY_STATUS"
              }
            ],
            "repeated": 0,
            "id": 9750
          },
          {
            "timestamp": "2026-05-28 22:01:58,178",
            "thread_id": "1496",
            "caller": "0x7ff6c28cd4b8",
            "parentcaller": "0x7ff6c292ec05",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x292542e3000"
              },
              {
                "name": "RegionSize",
                "value": "0x00009000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 9751
          },
          {
            "timestamp": "2026-05-28 22:01:58,178",
            "thread_id": "5448",
            "caller": "0x7ff6c28d790a",
            "parentcaller": "0x7ff6c28d76df",
            "category": "misc",
            "api": "CommandLineToArgvW",
            "status": true,
            "return": "0x2925418c2b0",
            "arguments": [
              {
                "name": "CommandLine",
                "value": "C:\\Windows\\system32\\svchost.exe -k DcomLaunch -p"
              },
              {
                "name": "NumArgs",
                "value": "4"
              }
            ],
            "repeated": 0,
            "id": 9752
          },
          {
            "timestamp": "2026-05-28 22:01:58,178",
            "thread_id": "5448",
            "caller": "0x7ff6c28d760f",
            "parentcaller": "0x7ff6c28d748b",
            "category": "services",
            "api": "OpenServiceW",
            "status": true,
            "return": "0x29254286920",
            "arguments": [
              {
                "name": "ServiceControlManager",
                "value": "0x292542431f0"
              },
              {
                "name": "ServiceName",
                "value": "TabletInputService"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000005",
                "pretty_value": "SERVICE_QUERY_CONFIG|SERVICE_QUERY_STATUS"
              }
            ],
            "repeated": 0,
            "id": 9753
          },
          {
            "timestamp": "2026-05-28 22:01:58,178",
            "thread_id": "5448",
            "caller": "0x7ff6c28d790a",
            "parentcaller": "0x7ff6c28d76df",
            "category": "misc",
            "api": "CommandLineToArgvW",
            "status": true,
            "return": "0x29254235070",
            "arguments": [
              {
                "name": "CommandLine",
                "value": "C:\\Windows\\System32\\svchost.exe -k LocalSystemNetworkRestricted -p"
              },
              {
                "name": "NumArgs",
                "value": "4"
              }
            ],
            "repeated": 0,
            "id": 9754
          },
          {
            "timestamp": "2026-05-28 22:01:58,178",
            "thread_id": "5448",
            "caller": "0x7ff6c28d760f",
            "parentcaller": "0x7ff6c28d748b",
            "category": "services",
            "api": "OpenServiceW",
            "status": true,
            "return": "0x29254286380",
            "arguments": [
              {
                "name": "ServiceControlManager",
                "value": "0x292542431f0"
              },
              {
                "name": "ServiceName",
                "value": "TapiSrv"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000005",
                "pretty_value": "SERVICE_QUERY_CONFIG|SERVICE_QUERY_STATUS"
              }
            ],
            "repeated": 0,
            "id": 9755
          },
          {
            "timestamp": "2026-05-28 22:01:58,178",
            "thread_id": "5448",
            "caller": "0x7ff6c28d790a",
            "parentcaller": "0x7ff6c28d76df",
            "category": "misc",
            "api": "CommandLineToArgvW",
            "status": true,
            "return": "0x2925418c990",
            "arguments": [
              {
                "name": "CommandLine",
                "value": "C:\\Windows\\System32\\svchost.exe -k NetworkService -p"
              },
              {
                "name": "NumArgs",
                "value": "4"
              }
            ],
            "repeated": 0,
            "id": 9756
          },
          {
            "timestamp": "2026-05-28 22:01:58,178",
            "thread_id": "1496",
            "caller": "0x7ff6c290b97e",
            "parentcaller": "0x7ff6c290b938",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00000042"
              },
              {
                "name": "uiParam",
                "value": "0x00000010"
              }
            ],
            "repeated": 0,
            "id": 9757
          },
          {
            "timestamp": "2026-05-28 22:01:58,178",
            "thread_id": "5448",
            "caller": "0x7ff6c28d760f",
            "parentcaller": "0x7ff6c28d748b",
            "category": "services",
            "api": "OpenServiceW",
            "status": true,
            "return": "0x29254286020",
            "arguments": [
              {
                "name": "ServiceControlManager",
                "value": "0x292542431f0"
              },
              {
                "name": "ServiceName",
                "value": "TermService"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000005",
                "pretty_value": "SERVICE_QUERY_CONFIG|SERVICE_QUERY_STATUS"
              }
            ],
            "repeated": 0,
            "id": 9758
          },
          {
            "timestamp": "2026-05-28 22:01:58,178",
            "thread_id": "5448",
            "caller": "0x7ff6c28d790a",
            "parentcaller": "0x7ff6c28d76df",
            "category": "misc",
            "api": "CommandLineToArgvW",
            "status": true,
            "return": "0x2925421ffa0",
            "arguments": [
              {
                "name": "CommandLine",
                "value": "C:\\Windows\\System32\\svchost.exe -k NetworkService"
              },
              {
                "name": "NumArgs",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 9759
          },
          {
            "timestamp": "2026-05-28 22:01:58,178",
            "thread_id": "5448",
            "caller": "0x7ff6c28d760f",
            "parentcaller": "0x7ff6c28d748b",
            "category": "services",
            "api": "OpenServiceW",
            "status": true,
            "return": "0x29254286b30",
            "arguments": [
              {
                "name": "ServiceControlManager",
                "value": "0x292542431f0"
              },
              {
                "name": "ServiceName",
                "value": "Themes"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000005",
                "pretty_value": "SERVICE_QUERY_CONFIG|SERVICE_QUERY_STATUS"
              }
            ],
            "repeated": 0,
            "id": 9760
          },
          {
            "timestamp": "2026-05-28 22:01:58,178",
            "thread_id": "5448",
            "caller": "0x7ff6c28d790a",
            "parentcaller": "0x7ff6c28d76df",
            "category": "misc",
            "api": "CommandLineToArgvW",
            "status": true,
            "return": "0x29254220930",
            "arguments": [
              {
                "name": "CommandLine",
                "value": "C:\\Windows\\System32\\svchost.exe -k netsvcs -p"
              },
              {
                "name": "NumArgs",
                "value": "4"
              }
            ],
            "repeated": 0,
            "id": 9761
          },
          {
            "timestamp": "2026-05-28 22:01:58,178",
            "thread_id": "5448",
            "caller": "0x7ff6c28d760f",
            "parentcaller": "0x7ff6c28d748b",
            "category": "services",
            "api": "OpenServiceW",
            "status": true,
            "return": "0x292542860e0",
            "arguments": [
              {
                "name": "ServiceControlManager",
                "value": "0x292542431f0"
              },
              {
                "name": "ServiceName",
                "value": "TieringEngineService"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000005",
                "pretty_value": "SERVICE_QUERY_CONFIG|SERVICE_QUERY_STATUS"
              }
            ],
            "repeated": 0,
            "id": 9762
          },
          {
            "timestamp": "2026-05-28 22:01:58,178",
            "thread_id": "5448",
            "caller": "0x7ff6c28d790a",
            "parentcaller": "0x7ff6c28d76df",
            "category": "misc",
            "api": "CommandLineToArgvW",
            "status": true,
            "return": "0x2925428ea20",
            "arguments": [
              {
                "name": "CommandLine",
                "value": "C:\\Windows\\system32\\TieringEngineService.exe"
              },
              {
                "name": "NumArgs",
                "value": "1"
              }
            ],
            "repeated": 0,
            "id": 9763
          },
          {
            "timestamp": "2026-05-28 22:01:58,178",
            "thread_id": "5448",
            "caller": "0x7ff6c28d760f",
            "parentcaller": "0x7ff6c28d748b",
            "category": "services",
            "api": "OpenServiceW",
            "status": true,
            "return": "0x29254286440",
            "arguments": [
              {
                "name": "ServiceControlManager",
                "value": "0x292542431f0"
              },
              {
                "name": "ServiceName",
                "value": "TimeBrokerSvc"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000005",
                "pretty_value": "SERVICE_QUERY_CONFIG|SERVICE_QUERY_STATUS"
              }
            ],
            "repeated": 0,
            "id": 9764
          },
          {
            "timestamp": "2026-05-28 22:01:58,178",
            "thread_id": "5448",
            "caller": "0x7ff6c28d790a",
            "parentcaller": "0x7ff6c28d76df",
            "category": "misc",
            "api": "CommandLineToArgvW",
            "status": true,
            "return": "0x29254234cb0",
            "arguments": [
              {
                "name": "CommandLine",
                "value": "C:\\Windows\\system32\\svchost.exe -k LocalServiceNetworkRestricted -p"
              },
              {
                "name": "NumArgs",
                "value": "4"
              }
            ],
            "repeated": 0,
            "id": 9765
          },
          {
            "timestamp": "2026-05-28 22:01:58,178",
            "thread_id": "5448",
            "caller": "0x7ff6c28d760f",
            "parentcaller": "0x7ff6c28d748b",
            "category": "services",
            "api": "OpenServiceW",
            "status": true,
            "return": "0x29254285fc0",
            "arguments": [
              {
                "name": "ServiceControlManager",
                "value": "0x292542431f0"
              },
              {
                "name": "ServiceName",
                "value": "TokenBroker"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000005",
                "pretty_value": "SERVICE_QUERY_CONFIG|SERVICE_QUERY_STATUS"
              }
            ],
            "repeated": 0,
            "id": 9766
          },
          {
            "timestamp": "2026-05-28 22:01:58,178",
            "thread_id": "5448",
            "caller": "0x7ff6c28d790a",
            "parentcaller": "0x7ff6c28d76df",
            "category": "misc",
            "api": "CommandLineToArgvW",
            "status": true,
            "return": "0x2925421ffa0",
            "arguments": [
              {
                "name": "CommandLine",
                "value": "C:\\Windows\\system32\\svchost.exe -k netsvcs -p"
              },
              {
                "name": "NumArgs",
                "value": "4"
              }
            ],
            "repeated": 0,
            "id": 9767
          },
          {
            "timestamp": "2026-05-28 22:01:58,178",
            "thread_id": "5448",
            "caller": "0x7ff6c28d760f",
            "parentcaller": "0x7ff6c28d748b",
            "category": "services",
            "api": "OpenServiceW",
            "status": true,
            "return": "0x292542864a0",
            "arguments": [
              {
                "name": "ServiceControlManager",
                "value": "0x292542431f0"
              },
              {
                "name": "ServiceName",
                "value": "TrkWks"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000005",
                "pretty_value": "SERVICE_QUERY_CONFIG|SERVICE_QUERY_STATUS"
              }
            ],
            "repeated": 0,
            "id": 9768
          },
          {
            "timestamp": "2026-05-28 22:01:58,178",
            "thread_id": "5448",
            "caller": "0x7ff6c28d790a",
            "parentcaller": "0x7ff6c28d76df",
            "category": "misc",
            "api": "CommandLineToArgvW",
            "status": true,
            "return": "0x29254233cf0",
            "arguments": [
              {
                "name": "CommandLine",
                "value": "C:\\Windows\\System32\\svchost.exe -k LocalSystemNetworkRestricted -p"
              },
              {
                "name": "NumArgs",
                "value": "4"
              }
            ],
            "repeated": 0,
            "id": 9769
          },
          {
            "timestamp": "2026-05-28 22:01:58,178",
            "thread_id": "5448",
            "caller": "0x7ff6c28d760f",
            "parentcaller": "0x7ff6c28d748b",
            "category": "services",
            "api": "OpenServiceW",
            "status": true,
            "return": "0x29253efd650",
            "arguments": [
              {
                "name": "ServiceControlManager",
                "value": "0x292542431f0"
              },
              {
                "name": "ServiceName",
                "value": "TroubleshootingSvc"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000005",
                "pretty_value": "SERVICE_QUERY_CONFIG|SERVICE_QUERY_STATUS"
              }
            ],
            "repeated": 0,
            "id": 9770
          },
          {
            "timestamp": "2026-05-28 22:01:58,178",
            "thread_id": "5448",
            "caller": "0x7ff6c28d790a",
            "parentcaller": "0x7ff6c28d76df",
            "category": "misc",
            "api": "CommandLineToArgvW",
            "status": true,
            "return": "0x2925421ffa0",
            "arguments": [
              {
                "name": "CommandLine",
                "value": "C:\\Windows\\system32\\svchost.exe -k netsvcs -p"
              },
              {
                "name": "NumArgs",
                "value": "4"
              }
            ],
            "repeated": 0,
            "id": 9771
          },
          {
            "timestamp": "2026-05-28 22:01:58,178",
            "thread_id": "1496",
            "caller": "0x7ff6c28cd4b8",
            "parentcaller": "0x7ff6c292ec05",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x292542ec000"
              },
              {
                "name": "RegionSize",
                "value": "0x00005000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 9772
          },
          {
            "timestamp": "2026-05-28 22:01:58,178",
            "thread_id": "5448",
            "caller": "0x7ff6c28d7a43",
            "parentcaller": "0x7ff6c28d76df",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x292542f1000"
              },
              {
                "name": "RegionSize",
                "value": "0x00005000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 9773
          },
          {
            "timestamp": "2026-05-28 22:01:58,178",
            "thread_id": "5448",
            "caller": "0x7ff6c28d760f",
            "parentcaller": "0x7ff6c28d748b",
            "category": "services",
            "api": "OpenServiceW",
            "status": true,
            "return": "0x292542ef380",
            "arguments": [
              {
                "name": "ServiceControlManager",
                "value": "0x292542431f0"
              },
              {
                "name": "ServiceName",
                "value": "TrustedInstaller"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000005",
                "pretty_value": "SERVICE_QUERY_CONFIG|SERVICE_QUERY_STATUS"
              }
            ],
            "repeated": 0,
            "id": 9774
          },
          {
            "timestamp": "2026-05-28 22:01:58,178",
            "thread_id": "5448",
            "caller": "0x7ff6c28d790a",
            "parentcaller": "0x7ff6c28d76df",
            "category": "misc",
            "api": "CommandLineToArgvW",
            "status": true,
            "return": "0x29254291490",
            "arguments": [
              {
                "name": "CommandLine",
                "value": "C:\\Windows\\servicing\\TrustedInstaller.exe"
              },
              {
                "name": "NumArgs",
                "value": "1"
              }
            ],
            "repeated": 0,
            "id": 9775
          },
          {
            "timestamp": "2026-05-28 22:01:58,178",
            "thread_id": "5448",
            "caller": "0x7ff6c28d760f",
            "parentcaller": "0x7ff6c28d748b",
            "category": "services",
            "api": "OpenServiceW",
            "status": true,
            "return": "0x292542ef0b0",
            "arguments": [
              {
                "name": "ServiceControlManager",
                "value": "0x292542431f0"
              },
              {
                "name": "ServiceName",
                "value": "tzautoupdate"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000005",
                "pretty_value": "SERVICE_QUERY_CONFIG|SERVICE_QUERY_STATUS"
              }
            ],
            "repeated": 0,
            "id": 9776
          },
          {
            "timestamp": "2026-05-28 22:01:58,178",
            "thread_id": "5448",
            "caller": "0x7ff6c28d790a",
            "parentcaller": "0x7ff6c28d76df",
            "category": "misc",
            "api": "CommandLineToArgvW",
            "status": true,
            "return": "0x2925418bbd0",
            "arguments": [
              {
                "name": "CommandLine",
                "value": "C:\\Windows\\system32\\svchost.exe -k LocalService -p"
              },
              {
                "name": "NumArgs",
                "value": "4"
              }
            ],
            "repeated": 0,
            "id": 9777
          },
          {
            "timestamp": "2026-05-28 22:01:58,178",
            "thread_id": "5448",
            "caller": "0x7ff6c28d760f",
            "parentcaller": "0x7ff6c28d748b",
            "category": "services",
            "api": "OpenServiceW",
            "status": true,
            "return": "0x292542ef320",
            "arguments": [
              {
                "name": "ServiceControlManager",
                "value": "0x292542431f0"
              },
              {
                "name": "ServiceName",
                "value": "UdkUserSvc"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000005",
                "pretty_value": "SERVICE_QUERY_CONFIG|SERVICE_QUERY_STATUS"
              }
            ],
            "repeated": 0,
            "id": 9778
          },
          {
            "timestamp": "2026-05-28 22:01:58,178",
            "thread_id": "5448",
            "caller": "0x7ff6c28d790a",
            "parentcaller": "0x7ff6c28d76df",
            "category": "misc",
            "api": "CommandLineToArgvW",
            "status": true,
            "return": "0x2925421ffa0",
            "arguments": [
              {
                "name": "CommandLine",
                "value": "C:\\Windows\\system32\\svchost.exe -k UdkSvcGroup"
              },
              {
                "name": "NumArgs",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 9779
          },
          {
            "timestamp": "2026-05-28 22:01:58,178",
            "thread_id": "1496",
            "caller": "0x7ff6c28cd4b8",
            "parentcaller": "0x7ff6c292ec05",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x292542f6000"
              },
              {
                "name": "RegionSize",
                "value": "0x00005000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 9780
          },
          {
            "timestamp": "2026-05-28 22:01:58,178",
            "thread_id": "5448",
            "caller": "0x7ff6c28d760f",
            "parentcaller": "0x7ff6c28d748b",
            "category": "services",
            "api": "OpenServiceW",
            "status": true,
            "return": "0x2925418eab0",
            "arguments": [
              {
                "name": "ServiceControlManager",
                "value": "0x292542431f0"
              },
              {
                "name": "ServiceName",
                "value": "UevAgentService"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000005",
                "pretty_value": "SERVICE_QUERY_CONFIG|SERVICE_QUERY_STATUS"
              }
            ],
            "repeated": 0,
            "id": 9781
          },
          {
            "timestamp": "2026-05-28 22:01:58,178",
            "thread_id": "5448",
            "caller": "0x7ff6c28d790a",
            "parentcaller": "0x7ff6c28d76df",
            "category": "misc",
            "api": "CommandLineToArgvW",
            "status": true,
            "return": "0x29254291b20",
            "arguments": [
              {
                "name": "CommandLine",
                "value": "C:\\Windows\\system32\\AgentService.exe"
              },
              {
                "name": "NumArgs",
                "value": "1"
              }
            ],
            "repeated": 0,
            "id": 9782
          },
          {
            "timestamp": "2026-05-28 22:01:58,178",
            "thread_id": "5448",
            "caller": "0x7ff6c28d795b",
            "parentcaller": "0x7ff6c28d76df",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x292542fb000"
              },
              {
                "name": "RegionSize",
                "value": "0x00002000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 9783
          },
          {
            "timestamp": "2026-05-28 22:01:58,178",
            "thread_id": "5448",
            "caller": "0x7ff6c28d760f",
            "parentcaller": "0x7ff6c28d748b",
            "category": "services",
            "api": "OpenServiceW",
            "status": true,
            "return": "0x2925418eb10",
            "arguments": [
              {
                "name": "ServiceControlManager",
                "value": "0x292542431f0"
              },
              {
                "name": "ServiceName",
                "value": "UmRdpService"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000005",
                "pretty_value": "SERVICE_QUERY_CONFIG|SERVICE_QUERY_STATUS"
              }
            ],
            "repeated": 0,
            "id": 9784
          },
          {
            "timestamp": "2026-05-28 22:01:58,178",
            "thread_id": "5448",
            "caller": "0x7ff6c28d790a",
            "parentcaller": "0x7ff6c28d76df",
            "category": "misc",
            "api": "CommandLineToArgvW",
            "status": true,
            "return": "0x29254233cf0",
            "arguments": [
              {
                "name": "CommandLine",
                "value": "C:\\Windows\\System32\\svchost.exe -k LocalSystemNetworkRestricted -p"
              },
              {
                "name": "NumArgs",
                "value": "4"
              }
            ],
            "repeated": 0,
            "id": 9785
          },
          {
            "timestamp": "2026-05-28 22:01:58,193",
            "thread_id": "5448",
            "caller": "0x7ff6c28d7aee",
            "parentcaller": "0x7ff6c28d76df",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x292542fd000"
              },
              {
                "name": "RegionSize",
                "value": "0x00003000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 9786
          },
          {
            "timestamp": "2026-05-28 22:01:58,193",
            "thread_id": "5448",
            "caller": "0x7ff6c28d760f",
            "parentcaller": "0x7ff6c28d748b",
            "category": "services",
            "api": "OpenServiceW",
            "status": true,
            "return": "0x2925418ea80",
            "arguments": [
              {
                "name": "ServiceControlManager",
                "value": "0x292542431f0"
              },
              {
                "name": "ServiceName",
                "value": "UnistoreSvc"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000005",
                "pretty_value": "SERVICE_QUERY_CONFIG|SERVICE_QUERY_STATUS"
              }
            ],
            "repeated": 0,
            "id": 9787
          },
          {
            "timestamp": "2026-05-28 22:01:58,193",
            "thread_id": "5448",
            "caller": "0x7ff6c28d790a",
            "parentcaller": "0x7ff6c28d76df",
            "category": "misc",
            "api": "CommandLineToArgvW",
            "status": true,
            "return": "0x2925421ffa0",
            "arguments": [
              {
                "name": "CommandLine",
                "value": "C:\\Windows\\System32\\svchost.exe -k UnistackSvcGroup"
              },
              {
                "name": "NumArgs",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 9788
          },
          {
            "timestamp": "2026-05-28 22:01:58,193",
            "thread_id": "1496",
            "caller": "0x7ff6c28cd4b8",
            "parentcaller": "0x7ff6c292ec05",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254300000"
              },
              {
                "name": "RegionSize",
                "value": "0x00005000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 9789
          },
          {
            "timestamp": "2026-05-28 22:01:58,193",
            "thread_id": "1496",
            "caller": "0x7ff6c28cd4b8",
            "parentcaller": "0x7ff6c292ec05",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254305000"
              },
              {
                "name": "RegionSize",
                "value": "0x00009000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 9790
          },
          {
            "timestamp": "2026-05-28 22:01:58,193",
            "thread_id": "5448",
            "caller": "0x7ff6c28d760f",
            "parentcaller": "0x7ff6c28d748b",
            "category": "services",
            "api": "OpenServiceW",
            "status": true,
            "return": "0x2925418ea50",
            "arguments": [
              {
                "name": "ServiceControlManager",
                "value": "0x292542431f0"
              },
              {
                "name": "ServiceName",
                "value": "upnphost"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000005",
                "pretty_value": "SERVICE_QUERY_CONFIG|SERVICE_QUERY_STATUS"
              }
            ],
            "repeated": 0,
            "id": 9791
          },
          {
            "timestamp": "2026-05-28 22:01:58,193",
            "thread_id": "1496",
            "caller": "0x7ff6c28da46e",
            "parentcaller": "0x7ff6c28cd4b8",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2925430e000"
              },
              {
                "name": "RegionSize",
                "value": "0x00005000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 9792
          },
          {
            "timestamp": "2026-05-28 22:01:58,193",
            "thread_id": "5448",
            "caller": "0x7ff6c28d790a",
            "parentcaller": "0x7ff6c28d76df",
            "category": "misc",
            "api": "CommandLineToArgvW",
            "status": true,
            "return": "0x29254234530",
            "arguments": [
              {
                "name": "CommandLine",
                "value": "C:\\Windows\\system32\\svchost.exe -k LocalServiceAndNoImpersonation -p"
              },
              {
                "name": "NumArgs",
                "value": "4"
              }
            ],
            "repeated": 0,
            "id": 9793
          },
          {
            "timestamp": "2026-05-28 22:01:58,193",
            "thread_id": "5448",
            "caller": "0x7ff6c28d760f",
            "parentcaller": "0x7ff6c28d748b",
            "category": "services",
            "api": "OpenServiceW",
            "status": true,
            "return": "0x2925418eb10",
            "arguments": [
              {
                "name": "ServiceControlManager",
                "value": "0x292542431f0"
              },
              {
                "name": "ServiceName",
                "value": "UserDataSvc"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000005",
                "pretty_value": "SERVICE_QUERY_CONFIG|SERVICE_QUERY_STATUS"
              }
            ],
            "repeated": 0,
            "id": 9794
          },
          {
            "timestamp": "2026-05-28 22:01:58,193",
            "thread_id": "1496",
            "caller": "0x7ff6c28cd4b8",
            "parentcaller": "0x7ff6c292ec05",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254313000"
              },
              {
                "name": "RegionSize",
                "value": "0x00005000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 9795
          },
          {
            "timestamp": "2026-05-28 22:01:58,193",
            "thread_id": "5448",
            "caller": "0x7ff6c28d790a",
            "parentcaller": "0x7ff6c28d76df",
            "category": "misc",
            "api": "CommandLineToArgvW",
            "status": true,
            "return": "0x2925421ffa0",
            "arguments": [
              {
                "name": "CommandLine",
                "value": "C:\\Windows\\system32\\svchost.exe -k UnistackSvcGroup"
              },
              {
                "name": "NumArgs",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 9796
          },
          {
            "timestamp": "2026-05-28 22:01:58,193",
            "thread_id": "5448",
            "caller": "0x7ff6c28d760f",
            "parentcaller": "0x7ff6c28d748b",
            "category": "services",
            "api": "OpenServiceW",
            "status": true,
            "return": "0x2925418b260",
            "arguments": [
              {
                "name": "ServiceControlManager",
                "value": "0x292542431f0"
              },
              {
                "name": "ServiceName",
                "value": "UserManager"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000005",
                "pretty_value": "SERVICE_QUERY_CONFIG|SERVICE_QUERY_STATUS"
              }
            ],
            "repeated": 0,
            "id": 9797
          },
          {
            "timestamp": "2026-05-28 22:01:58,193",
            "thread_id": "5448",
            "caller": "0x7ff6c28d790a",
            "parentcaller": "0x7ff6c28d76df",
            "category": "misc",
            "api": "CommandLineToArgvW",
            "status": true,
            "return": "0x2925421ffa0",
            "arguments": [
              {
                "name": "CommandLine",
                "value": "C:\\Windows\\system32\\svchost.exe -k netsvcs -p"
              },
              {
                "name": "NumArgs",
                "value": "4"
              }
            ],
            "repeated": 0,
            "id": 9798
          },
          {
            "timestamp": "2026-05-28 22:01:58,193",
            "thread_id": "5448",
            "caller": "0x7ff6c28d760f",
            "parentcaller": "0x7ff6c28d748b",
            "category": "services",
            "api": "OpenServiceW",
            "status": true,
            "return": "0x2925418b170",
            "arguments": [
              {
                "name": "ServiceControlManager",
                "value": "0x292542431f0"
              },
              {
                "name": "ServiceName",
                "value": "UsoSvc"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000005",
                "pretty_value": "SERVICE_QUERY_CONFIG|SERVICE_QUERY_STATUS"
              }
            ],
            "repeated": 0,
            "id": 9799
          },
          {
            "timestamp": "2026-05-28 22:01:58,193",
            "thread_id": "5448",
            "caller": "0x7ff6c28d790a",
            "parentcaller": "0x7ff6c28d76df",
            "category": "misc",
            "api": "CommandLineToArgvW",
            "status": true,
            "return": "0x2925421ffa0",
            "arguments": [
              {
                "name": "CommandLine",
                "value": "C:\\Windows\\system32\\svchost.exe -k netsvcs -p"
              },
              {
                "name": "NumArgs",
                "value": "4"
              }
            ],
            "repeated": 0,
            "id": 9800
          },
          {
            "timestamp": "2026-05-28 22:01:58,193",
            "thread_id": "5448",
            "caller": "0x7ff6c28d760f",
            "parentcaller": "0x7ff6c28d748b",
            "category": "services",
            "api": "OpenServiceW",
            "status": true,
            "return": "0x2925418b3e0",
            "arguments": [
              {
                "name": "ServiceControlManager",
                "value": "0x292542431f0"
              },
              {
                "name": "ServiceName",
                "value": "VacSvc"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000005",
                "pretty_value": "SERVICE_QUERY_CONFIG|SERVICE_QUERY_STATUS"
              }
            ],
            "repeated": 0,
            "id": 9801
          },
          {
            "timestamp": "2026-05-28 22:01:58,193",
            "thread_id": "5448",
            "caller": "0x7ff6c28d790a",
            "parentcaller": "0x7ff6c28d76df",
            "category": "misc",
            "api": "CommandLineToArgvW",
            "status": true,
            "return": "0x29254235070",
            "arguments": [
              {
                "name": "CommandLine",
                "value": "C:\\Windows\\System32\\svchost.exe -k LocalServiceNetworkRestricted -p"
              },
              {
                "name": "NumArgs",
                "value": "4"
              }
            ],
            "repeated": 0,
            "id": 9802
          },
          {
            "timestamp": "2026-05-28 22:01:58,193",
            "thread_id": "5448",
            "caller": "0x7ff6c28d760f",
            "parentcaller": "0x7ff6c28d748b",
            "category": "services",
            "api": "OpenServiceW",
            "status": true,
            "return": "0x2925418b3e0",
            "arguments": [
              {
                "name": "ServiceControlManager",
                "value": "0x292542431f0"
              },
              {
                "name": "ServiceName",
                "value": "VaultSvc"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000005",
                "pretty_value": "SERVICE_QUERY_CONFIG|SERVICE_QUERY_STATUS"
              }
            ],
            "repeated": 0,
            "id": 9803
          },
          {
            "timestamp": "2026-05-28 22:01:58,193",
            "thread_id": "5448",
            "caller": "0x7ff6c28d790a",
            "parentcaller": "0x7ff6c28d76df",
            "category": "misc",
            "api": "CommandLineToArgvW",
            "status": true,
            "return": "0x292541955c0",
            "arguments": [
              {
                "name": "CommandLine",
                "value": "C:\\Windows\\system32\\lsass.exe"
              },
              {
                "name": "NumArgs",
                "value": "1"
              }
            ],
            "repeated": 0,
            "id": 9804
          },
          {
            "timestamp": "2026-05-28 22:01:58,193",
            "thread_id": "5448",
            "caller": "0x7ff6c28d760f",
            "parentcaller": "0x7ff6c28d748b",
            "category": "services",
            "api": "OpenServiceW",
            "status": true,
            "return": "0x2925418b0e0",
            "arguments": [
              {
                "name": "ServiceControlManager",
                "value": "0x292542431f0"
              },
              {
                "name": "ServiceName",
                "value": "vds"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000005",
                "pretty_value": "SERVICE_QUERY_CONFIG|SERVICE_QUERY_STATUS"
              }
            ],
            "repeated": 0,
            "id": 9805
          },
          {
            "timestamp": "2026-05-28 22:01:58,193",
            "thread_id": "5448",
            "caller": "0x7ff6c28d790a",
            "parentcaller": "0x7ff6c28d76df",
            "category": "misc",
            "api": "CommandLineToArgvW",
            "status": true,
            "return": "0x292542a10d0",
            "arguments": [
              {
                "name": "CommandLine",
                "value": "C:\\Windows\\System32\\vds.exe"
              },
              {
                "name": "NumArgs",
                "value": "1"
              }
            ],
            "repeated": 0,
            "id": 9806
          },
          {
            "timestamp": "2026-05-28 22:01:58,193",
            "thread_id": "5448",
            "caller": "0x7ff6c28d760f",
            "parentcaller": "0x7ff6c28d748b",
            "category": "services",
            "api": "OpenServiceW",
            "status": true,
            "return": "0x2925418b3e0",
            "arguments": [
              {
                "name": "ServiceControlManager",
                "value": "0x292542431f0"
              },
              {
                "name": "ServiceName",
                "value": "vmicguestinterface"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000005",
                "pretty_value": "SERVICE_QUERY_CONFIG|SERVICE_QUERY_STATUS"
              }
            ],
            "repeated": 0,
            "id": 9807
          },
          {
            "timestamp": "2026-05-28 22:01:58,193",
            "thread_id": "5448",
            "caller": "0x7ff6c28d790a",
            "parentcaller": "0x7ff6c28d76df",
            "category": "misc",
            "api": "CommandLineToArgvW",
            "status": true,
            "return": "0x29254234830",
            "arguments": [
              {
                "name": "CommandLine",
                "value": "C:\\Windows\\system32\\svchost.exe -k LocalSystemNetworkRestricted -p"
              },
              {
                "name": "NumArgs",
                "value": "4"
              }
            ],
            "repeated": 0,
            "id": 9808
          },
          {
            "timestamp": "2026-05-28 22:01:58,193",
            "thread_id": "5448",
            "caller": "0x7ff6c28d760f",
            "parentcaller": "0x7ff6c28d748b",
            "category": "services",
            "api": "OpenServiceW",
            "status": true,
            "return": "0x2925418b170",
            "arguments": [
              {
                "name": "ServiceControlManager",
                "value": "0x292542431f0"
              },
              {
                "name": "ServiceName",
                "value": "vmicheartbeat"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000005",
                "pretty_value": "SERVICE_QUERY_CONFIG|SERVICE_QUERY_STATUS"
              }
            ],
            "repeated": 0,
            "id": 9809
          },
          {
            "timestamp": "2026-05-28 22:01:58,193",
            "thread_id": "5448",
            "caller": "0x7ff6c28d790a",
            "parentcaller": "0x7ff6c28d76df",
            "category": "misc",
            "api": "CommandLineToArgvW",
            "status": true,
            "return": "0x29254220930",
            "arguments": [
              {
                "name": "CommandLine",
                "value": "C:\\Windows\\system32\\svchost.exe -k ICService -p"
              },
              {
                "name": "NumArgs",
                "value": "4"
              }
            ],
            "repeated": 0,
            "id": 9810
          },
          {
            "timestamp": "2026-05-28 22:01:58,193",
            "thread_id": "1496",
            "caller": "0x7ff6c28cd4b8",
            "parentcaller": "0x7ff6c292ec05",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254318000"
              },
              {
                "name": "RegionSize",
                "value": "0x00005000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 9811
          },
          {
            "timestamp": "2026-05-28 22:01:58,193",
            "thread_id": "5448",
            "caller": "0x7ff6c28d760f",
            "parentcaller": "0x7ff6c28d748b",
            "category": "services",
            "api": "OpenServiceW",
            "status": true,
            "return": "0x2925418b200",
            "arguments": [
              {
                "name": "ServiceControlManager",
                "value": "0x292542431f0"
              },
              {
                "name": "ServiceName",
                "value": "vmickvpexchange"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000005",
                "pretty_value": "SERVICE_QUERY_CONFIG|SERVICE_QUERY_STATUS"
              }
            ],
            "repeated": 0,
            "id": 9812
          },
          {
            "timestamp": "2026-05-28 22:01:58,193",
            "thread_id": "5448",
            "caller": "0x7ff6c28d790a",
            "parentcaller": "0x7ff6c28d76df",
            "category": "misc",
            "api": "CommandLineToArgvW",
            "status": true,
            "return": "0x29254233cf0",
            "arguments": [
              {
                "name": "CommandLine",
                "value": "C:\\Windows\\system32\\svchost.exe -k LocalSystemNetworkRestricted -p"
              },
              {
                "name": "NumArgs",
                "value": "4"
              }
            ],
            "repeated": 0,
            "id": 9813
          },
          {
            "timestamp": "2026-05-28 22:01:58,193",
            "thread_id": "5448",
            "caller": "0x7ff6c28d760f",
            "parentcaller": "0x7ff6c28d748b",
            "category": "services",
            "api": "OpenServiceW",
            "status": true,
            "return": "0x2925418b200",
            "arguments": [
              {
                "name": "ServiceControlManager",
                "value": "0x292542431f0"
              },
              {
                "name": "ServiceName",
                "value": "vmicrdv"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000005",
                "pretty_value": "SERVICE_QUERY_CONFIG|SERVICE_QUERY_STATUS"
              }
            ],
            "repeated": 0,
            "id": 9814
          },
          {
            "timestamp": "2026-05-28 22:01:58,193",
            "thread_id": "1496",
            "caller": "0x7ff6c293053a",
            "parentcaller": "0x7ff6c292ed2c",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2925431d000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 9815
          },
          {
            "timestamp": "2026-05-28 22:01:58,193",
            "thread_id": "5448",
            "caller": "0x7ff6c28d790a",
            "parentcaller": "0x7ff6c28d76df",
            "category": "misc",
            "api": "CommandLineToArgvW",
            "status": true,
            "return": "0x2925421ffa0",
            "arguments": [
              {
                "name": "CommandLine",
                "value": "C:\\Windows\\system32\\svchost.exe -k ICService -p"
              },
              {
                "name": "NumArgs",
                "value": "4"
              }
            ],
            "repeated": 0,
            "id": 9816
          },
          {
            "timestamp": "2026-05-28 22:01:58,193",
            "thread_id": "1496",
            "caller": "0x7ff6c29330f9",
            "parentcaller": "0x7ff6c293072e",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2925431e000"
              },
              {
                "name": "RegionSize",
                "value": "0x00005000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 9817
          },
          {
            "timestamp": "2026-05-28 22:01:58,193",
            "thread_id": "5448",
            "caller": "0x7ff6c28d760f",
            "parentcaller": "0x7ff6c28d748b",
            "category": "services",
            "api": "OpenServiceW",
            "status": true,
            "return": "0x2925418b200",
            "arguments": [
              {
                "name": "ServiceControlManager",
                "value": "0x292542431f0"
              },
              {
                "name": "ServiceName",
                "value": "vmicshutdown"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000005",
                "pretty_value": "SERVICE_QUERY_CONFIG|SERVICE_QUERY_STATUS"
              }
            ],
            "repeated": 0,
            "id": 9818
          },
          {
            "timestamp": "2026-05-28 22:01:58,193",
            "thread_id": "5448",
            "caller": "0x7ff6c28d790a",
            "parentcaller": "0x7ff6c28d76df",
            "category": "misc",
            "api": "CommandLineToArgvW",
            "status": true,
            "return": "0x292542337b0",
            "arguments": [
              {
                "name": "CommandLine",
                "value": "C:\\Windows\\system32\\svchost.exe -k LocalSystemNetworkRestricted -p"
              },
              {
                "name": "NumArgs",
                "value": "4"
              }
            ],
            "repeated": 0,
            "id": 9819
          },
          {
            "timestamp": "2026-05-28 22:01:58,193",
            "thread_id": "5448",
            "caller": "0x7ff6c28d760f",
            "parentcaller": "0x7ff6c28d748b",
            "category": "services",
            "api": "OpenServiceW",
            "status": true,
            "return": "0x2925431cd00",
            "arguments": [
              {
                "name": "ServiceControlManager",
                "value": "0x292542431f0"
              },
              {
                "name": "ServiceName",
                "value": "vmictimesync"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000005",
                "pretty_value": "SERVICE_QUERY_CONFIG|SERVICE_QUERY_STATUS"
              }
            ],
            "repeated": 0,
            "id": 9820
          },
          {
            "timestamp": "2026-05-28 22:01:58,193",
            "thread_id": "5448",
            "caller": "0x7ff6c28d790a",
            "parentcaller": "0x7ff6c28d76df",
            "category": "misc",
            "api": "CommandLineToArgvW",
            "status": true,
            "return": "0x292542343b0",
            "arguments": [
              {
                "name": "CommandLine",
                "value": "C:\\Windows\\system32\\svchost.exe -k LocalServiceNetworkRestricted -p"
              },
              {
                "name": "NumArgs",
                "value": "4"
              }
            ],
            "repeated": 0,
            "id": 9821
          },
          {
            "timestamp": "2026-05-28 22:01:58,193",
            "thread_id": "1496",
            "caller": "0x7ff6c28da46e",
            "parentcaller": "0x7ff6c28cd4b8",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254323000"
              },
              {
                "name": "RegionSize",
                "value": "0x00009000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 9822
          },
          {
            "timestamp": "2026-05-28 22:01:58,193",
            "thread_id": "5448",
            "caller": "0x7ff6c28d760f",
            "parentcaller": "0x7ff6c28d748b",
            "category": "services",
            "api": "OpenServiceW",
            "status": true,
            "return": "0x2925431cd60",
            "arguments": [
              {
                "name": "ServiceControlManager",
                "value": "0x292542431f0"
              },
              {
                "name": "ServiceName",
                "value": "vmicvmsession"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000005",
                "pretty_value": "SERVICE_QUERY_CONFIG|SERVICE_QUERY_STATUS"
              }
            ],
            "repeated": 0,
            "id": 9823
          },
          {
            "timestamp": "2026-05-28 22:01:58,193",
            "thread_id": "5448",
            "caller": "0x7ff6c28d790a",
            "parentcaller": "0x7ff6c28d76df",
            "category": "misc",
            "api": "CommandLineToArgvW",
            "status": true,
            "return": "0x29254234a70",
            "arguments": [
              {
                "name": "CommandLine",
                "value": "C:\\Windows\\system32\\svchost.exe -k LocalSystemNetworkRestricted -p"
              },
              {
                "name": "NumArgs",
                "value": "4"
              }
            ],
            "repeated": 0,
            "id": 9824
          },
          {
            "timestamp": "2026-05-28 22:01:58,193",
            "thread_id": "5448",
            "caller": "0x7ff6c28d760f",
            "parentcaller": "0x7ff6c28d748b",
            "category": "services",
            "api": "OpenServiceW",
            "status": true,
            "return": "0x2925431ce20",
            "arguments": [
              {
                "name": "ServiceControlManager",
                "value": "0x292542431f0"
              },
              {
                "name": "ServiceName",
                "value": "vmicvss"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000005",
                "pretty_value": "SERVICE_QUERY_CONFIG|SERVICE_QUERY_STATUS"
              }
            ],
            "repeated": 0,
            "id": 9825
          },
          {
            "timestamp": "2026-05-28 22:01:58,193",
            "thread_id": "5448",
            "caller": "0x7ff6c28d790a",
            "parentcaller": "0x7ff6c28d76df",
            "category": "misc",
            "api": "CommandLineToArgvW",
            "status": true,
            "return": "0x29254234a70",
            "arguments": [
              {
                "name": "CommandLine",
                "value": "C:\\Windows\\system32\\svchost.exe -k LocalSystemNetworkRestricted -p"
              },
              {
                "name": "NumArgs",
                "value": "4"
              }
            ],
            "repeated": 0,
            "id": 9826
          },
          {
            "timestamp": "2026-05-28 22:01:58,193",
            "thread_id": "5448",
            "caller": "0x7ff6c28d760f",
            "parentcaller": "0x7ff6c28d748b",
            "category": "services",
            "api": "OpenServiceW",
            "status": true,
            "return": "0x2925431ce20",
            "arguments": [
              {
                "name": "ServiceControlManager",
                "value": "0x292542431f0"
              },
              {
                "name": "ServiceName",
                "value": "VSS"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000005",
                "pretty_value": "SERVICE_QUERY_CONFIG|SERVICE_QUERY_STATUS"
              }
            ],
            "repeated": 0,
            "id": 9827
          },
          {
            "timestamp": "2026-05-28 22:01:58,193",
            "thread_id": "5448",
            "caller": "0x7ff6c28d790a",
            "parentcaller": "0x7ff6c28d76df",
            "category": "misc",
            "api": "CommandLineToArgvW",
            "status": true,
            "return": "0x292543298f0",
            "arguments": [
              {
                "name": "CommandLine",
                "value": "C:\\Windows\\system32\\vssvc.exe"
              },
              {
                "name": "NumArgs",
                "value": "1"
              }
            ],
            "repeated": 0,
            "id": 9828
          },
          {
            "timestamp": "2026-05-28 22:01:58,193",
            "thread_id": "5448",
            "caller": "0x7ff6c28d760f",
            "parentcaller": "0x7ff6c28d748b",
            "category": "services",
            "api": "OpenServiceW",
            "status": true,
            "return": "0x2925431ce20",
            "arguments": [
              {
                "name": "ServiceControlManager",
                "value": "0x292542431f0"
              },
              {
                "name": "ServiceName",
                "value": "W32Time"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000005",
                "pretty_value": "SERVICE_QUERY_CONFIG|SERVICE_QUERY_STATUS"
              }
            ],
            "repeated": 0,
            "id": 9829
          },
          {
            "timestamp": "2026-05-28 22:01:58,193",
            "thread_id": "5448",
            "caller": "0x7ff6c28d790a",
            "parentcaller": "0x7ff6c28d76df",
            "category": "misc",
            "api": "CommandLineToArgvW",
            "status": true,
            "return": "0x2925421ffa0",
            "arguments": [
              {
                "name": "CommandLine",
                "value": "C:\\Windows\\system32\\svchost.exe -k LocalService"
              },
              {
                "name": "NumArgs",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 9830
          },
          {
            "timestamp": "2026-05-28 22:01:58,193",
            "thread_id": "5448",
            "caller": "0x7ff6c28d760f",
            "parentcaller": "0x7ff6c28d748b",
            "category": "services",
            "api": "OpenServiceW",
            "status": true,
            "return": "0x2925431cd90",
            "arguments": [
              {
                "name": "ServiceControlManager",
                "value": "0x292542431f0"
              },
              {
                "name": "ServiceName",
                "value": "WaaSMedicSvc"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000005",
                "pretty_value": "SERVICE_QUERY_CONFIG|SERVICE_QUERY_STATUS"
              }
            ],
            "repeated": 0,
            "id": 9831
          },
          {
            "timestamp": "2026-05-28 22:01:58,193",
            "thread_id": "5448",
            "caller": "0x7ff6c28d790a",
            "parentcaller": "0x7ff6c28d76df",
            "category": "misc",
            "api": "CommandLineToArgvW",
            "status": true,
            "return": "0x2925421ffa0",
            "arguments": [
              {
                "name": "CommandLine",
                "value": "C:\\Windows\\system32\\svchost.exe -k wusvcs -p"
              },
              {
                "name": "NumArgs",
                "value": "4"
              }
            ],
            "repeated": 0,
            "id": 9832
          },
          {
            "timestamp": "2026-05-28 22:01:58,193",
            "thread_id": "1496",
            "caller": "0x7ff6c28cd4b8",
            "parentcaller": "0x7ff6c292ec05",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2925432c000"
              },
              {
                "name": "RegionSize",
                "value": "0x00005000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 9833
          },
          {
            "timestamp": "2026-05-28 22:01:58,193",
            "thread_id": "5448",
            "caller": "0x7ff6c28d760f",
            "parentcaller": "0x7ff6c28d748b",
            "category": "services",
            "api": "OpenServiceW",
            "status": true,
            "return": "0x2925431ccd0",
            "arguments": [
              {
                "name": "ServiceControlManager",
                "value": "0x292542431f0"
              },
              {
                "name": "ServiceName",
                "value": "WalletService"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000005",
                "pretty_value": "SERVICE_QUERY_CONFIG|SERVICE_QUERY_STATUS"
              }
            ],
            "repeated": 0,
            "id": 9834
          },
          {
            "timestamp": "2026-05-28 22:01:58,193",
            "thread_id": "5448",
            "caller": "0x7ff6c28d790a",
            "parentcaller": "0x7ff6c28d76df",
            "category": "misc",
            "api": "CommandLineToArgvW",
            "status": true,
            "return": "0x2925421ffa0",
            "arguments": [
              {
                "name": "CommandLine",
                "value": "C:\\Windows\\System32\\svchost.exe -k appmodel -p"
              },
              {
                "name": "NumArgs",
                "value": "4"
              }
            ],
            "repeated": 0,
            "id": 9835
          },
          {
            "timestamp": "2026-05-28 22:01:58,193",
            "thread_id": "5448",
            "caller": "0x7ff6c28d760f",
            "parentcaller": "0x7ff6c28d748b",
            "category": "services",
            "api": "OpenServiceW",
            "status": true,
            "return": "0x2925431cd00",
            "arguments": [
              {
                "name": "ServiceControlManager",
                "value": "0x292542431f0"
              },
              {
                "name": "ServiceName",
                "value": "WarpJITSvc"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000005",
                "pretty_value": "SERVICE_QUERY_CONFIG|SERVICE_QUERY_STATUS"
              }
            ],
            "repeated": 0,
            "id": 9836
          },
          {
            "timestamp": "2026-05-28 22:01:58,193",
            "thread_id": "5448",
            "caller": "0x7ff6c28d790a",
            "parentcaller": "0x7ff6c28d76df",
            "category": "misc",
            "api": "CommandLineToArgvW",
            "status": true,
            "return": "0x29254319360",
            "arguments": [
              {
                "name": "CommandLine",
                "value": "C:\\Windows\\System32\\svchost.exe -k LocalServiceNetworkRestricted"
              },
              {
                "name": "NumArgs",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 9837
          },
          {
            "timestamp": "2026-05-28 22:01:58,193",
            "thread_id": "5448",
            "caller": "0x7ff6c28d760f",
            "parentcaller": "0x7ff6c28d748b",
            "category": "services",
            "api": "OpenServiceW",
            "status": true,
            "return": "0x2925431cd00",
            "arguments": [
              {
                "name": "ServiceControlManager",
                "value": "0x292542431f0"
              },
              {
                "name": "ServiceName",
                "value": "wbengine"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000005",
                "pretty_value": "SERVICE_QUERY_CONFIG|SERVICE_QUERY_STATUS"
              }
            ],
            "repeated": 0,
            "id": 9838
          },
          {
            "timestamp": "2026-05-28 22:01:58,193",
            "thread_id": "5448",
            "caller": "0x7ff6c28d790a",
            "parentcaller": "0x7ff6c28d76df",
            "category": "misc",
            "api": "CommandLineToArgvW",
            "status": true,
            "return": "0x292543297d0",
            "arguments": [
              {
                "name": "CommandLine",
                "value": "\"C:\\Windows\\system32\\wbengine.exe\""
              },
              {
                "name": "NumArgs",
                "value": "1"
              }
            ],
            "repeated": 0,
            "id": 9839
          },
          {
            "timestamp": "2026-05-28 22:01:58,193",
            "thread_id": "5448",
            "caller": "0x7ff6c28d760f",
            "parentcaller": "0x7ff6c28d748b",
            "category": "services",
            "api": "OpenServiceW",
            "status": true,
            "return": "0x2925431ce20",
            "arguments": [
              {
                "name": "ServiceControlManager",
                "value": "0x292542431f0"
              },
              {
                "name": "ServiceName",
                "value": "WbioSrvc"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000005",
                "pretty_value": "SERVICE_QUERY_CONFIG|SERVICE_QUERY_STATUS"
              }
            ],
            "repeated": 0,
            "id": 9840
          },
          {
            "timestamp": "2026-05-28 22:01:58,193",
            "thread_id": "5448",
            "caller": "0x7ff6c28d790a",
            "parentcaller": "0x7ff6c28d76df",
            "category": "misc",
            "api": "CommandLineToArgvW",
            "status": true,
            "return": "0x2925421ffa0",
            "arguments": [
              {
                "name": "CommandLine",
                "value": "C:\\Windows\\system32\\svchost.exe -k WbioSvcGroup"
              },
              {
                "name": "NumArgs",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 9841
          },
          {
            "timestamp": "2026-05-28 22:01:58,193",
            "thread_id": "5448",
            "caller": "0x7ff6c28d760f",
            "parentcaller": "0x7ff6c28d748b",
            "category": "services",
            "api": "OpenServiceW",
            "status": true,
            "return": "0x2925431ce20",
            "arguments": [
              {
                "name": "ServiceControlManager",
                "value": "0x292542431f0"
              },
              {
                "name": "ServiceName",
                "value": "Wcmsvc"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000005",
                "pretty_value": "SERVICE_QUERY_CONFIG|SERVICE_QUERY_STATUS"
              }
            ],
            "repeated": 0,
            "id": 9842
          },
          {
            "timestamp": "2026-05-28 22:01:58,193",
            "thread_id": "5448",
            "caller": "0x7ff6c28d790a",
            "parentcaller": "0x7ff6c28d76df",
            "category": "misc",
            "api": "CommandLineToArgvW",
            "status": true,
            "return": "0x29254233930",
            "arguments": [
              {
                "name": "CommandLine",
                "value": "C:\\Windows\\system32\\svchost.exe -k LocalServiceNetworkRestricted -p"
              },
              {
                "name": "NumArgs",
                "value": "4"
              }
            ],
            "repeated": 0,
            "id": 9843
          },
          {
            "timestamp": "2026-05-28 22:01:58,193",
            "thread_id": "5448",
            "caller": "0x7ff6c28d760f",
            "parentcaller": "0x7ff6c28d748b",
            "category": "services",
            "api": "OpenServiceW",
            "status": true,
            "return": "0x29254329fd0",
            "arguments": [
              {
                "name": "ServiceControlManager",
                "value": "0x292542431f0"
              },
              {
                "name": "ServiceName",
                "value": "wcncsvc"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000005",
                "pretty_value": "SERVICE_QUERY_CONFIG|SERVICE_QUERY_STATUS"
              }
            ],
            "repeated": 0,
            "id": 9844
          },
          {
            "timestamp": "2026-05-28 22:01:58,193",
            "thread_id": "5448",
            "caller": "0x7ff6c28d790a",
            "parentcaller": "0x7ff6c28d76df",
            "category": "misc",
            "api": "CommandLineToArgvW",
            "status": true,
            "return": "0x29254234470",
            "arguments": [
              {
                "name": "CommandLine",
                "value": "C:\\Windows\\System32\\svchost.exe -k LocalServiceAndNoImpersonation -p"
              },
              {
                "name": "NumArgs",
                "value": "4"
              }
            ],
            "repeated": 0,
            "id": 9845
          },
          {
            "timestamp": "2026-05-28 22:01:58,193",
            "thread_id": "1496",
            "caller": "0x7ff6c2930827",
            "parentcaller": "0x7ff6c292ed2c",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254331000"
              },
              {
                "name": "RegionSize",
                "value": "0x00009000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 9846
          },
          {
            "timestamp": "2026-05-28 22:01:58,193",
            "thread_id": "5448",
            "caller": "0x7ff6c28d760f",
            "parentcaller": "0x7ff6c28d748b",
            "category": "services",
            "api": "OpenServiceW",
            "status": true,
            "return": "0x2925432a150",
            "arguments": [
              {
                "name": "ServiceControlManager",
                "value": "0x292542431f0"
              },
              {
                "name": "ServiceName",
                "value": "WdiServiceHost"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000005",
                "pretty_value": "SERVICE_QUERY_CONFIG|SERVICE_QUERY_STATUS"
              }
            ],
            "repeated": 0,
            "id": 9847
          },
          {
            "timestamp": "2026-05-28 22:01:58,193",
            "thread_id": "5448",
            "caller": "0x7ff6c28d790a",
            "parentcaller": "0x7ff6c28d76df",
            "category": "misc",
            "api": "CommandLineToArgvW",
            "status": true,
            "return": "0x2925418dab0",
            "arguments": [
              {
                "name": "CommandLine",
                "value": "C:\\Windows\\System32\\svchost.exe -k LocalService -p"
              },
              {
                "name": "NumArgs",
                "value": "4"
              }
            ],
            "repeated": 0,
            "id": 9848
          },
          {
            "timestamp": "2026-05-28 22:01:58,193",
            "thread_id": "5448",
            "caller": "0x7ff6c28d760f",
            "parentcaller": "0x7ff6c28d748b",
            "category": "services",
            "api": "OpenServiceW",
            "status": true,
            "return": "0x2925432a0c0",
            "arguments": [
              {
                "name": "ServiceControlManager",
                "value": "0x292542431f0"
              },
              {
                "name": "ServiceName",
                "value": "WdiSystemHost"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000005",
                "pretty_value": "SERVICE_QUERY_CONFIG|SERVICE_QUERY_STATUS"
              }
            ],
            "repeated": 0,
            "id": 9849
          },
          {
            "timestamp": "2026-05-28 22:01:58,193",
            "thread_id": "5448",
            "caller": "0x7ff6c28d790a",
            "parentcaller": "0x7ff6c28d76df",
            "category": "misc",
            "api": "CommandLineToArgvW",
            "status": true,
            "return": "0x29254234b30",
            "arguments": [
              {
                "name": "CommandLine",
                "value": "C:\\Windows\\System32\\svchost.exe -k LocalSystemNetworkRestricted -p"
              },
              {
                "name": "NumArgs",
                "value": "4"
              }
            ],
            "repeated": 0,
            "id": 9850
          },
          {
            "timestamp": "2026-05-28 22:01:58,193",
            "thread_id": "5448",
            "caller": "0x7ff6c28d760f",
            "parentcaller": "0x7ff6c28d748b",
            "category": "services",
            "api": "OpenServiceW",
            "status": true,
            "return": "0x2925432a1e0",
            "arguments": [
              {
                "name": "ServiceControlManager",
                "value": "0x292542431f0"
              },
              {
                "name": "ServiceName",
                "value": "WdNisSvc"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000005",
                "pretty_value": "SERVICE_QUERY_CONFIG|SERVICE_QUERY_STATUS"
              }
            ],
            "repeated": 0,
            "id": 9851
          },
          {
            "timestamp": "2026-05-28 22:01:58,193",
            "thread_id": "1496",
            "caller": "0x7ff6c28b50a7",
            "parentcaller": "0x7ff6c28b501f",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "COMCTL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc61e00000"
              },
              {
                "name": "FunctionName",
                "value": "DPA_GetPtr"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc61e79840"
              }
            ],
            "repeated": 0,
            "id": 9852
          },
          {
            "timestamp": "2026-05-28 22:01:58,193",
            "thread_id": "1496",
            "caller": "0x7ff6c28cd4b8",
            "parentcaller": "0x7ff6c292ec05",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2925433a000"
              },
              {
                "name": "RegionSize",
                "value": "0x00003000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 9853
          },
          {
            "timestamp": "2026-05-28 22:01:58,193",
            "thread_id": "1496",
            "caller": "0x7ff6c28da4af",
            "parentcaller": "0x7ff6c28cd4b8",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2925433d000"
              },
              {
                "name": "RegionSize",
                "value": "0x00009000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 9854
          },
          {
            "timestamp": "2026-05-28 22:01:58,193",
            "thread_id": "5448",
            "caller": "0x7ff6c28d790a",
            "parentcaller": "0x7ff6c28d76df",
            "category": "misc",
            "api": "CommandLineToArgvW",
            "status": true,
            "return": "0x292542fca10",
            "arguments": [
              {
                "name": "CommandLine",
                "value": "\"C:\\Program Files\\Windows Defender\\NisSrv.exe\""
              },
              {
                "name": "NumArgs",
                "value": "1"
              }
            ],
            "repeated": 0,
            "id": 9855
          },
          {
            "timestamp": "2026-05-28 22:01:58,193",
            "thread_id": "5448",
            "caller": "0x7ff6c28d760f",
            "parentcaller": "0x7ff6c28d748b",
            "category": "services",
            "api": "OpenServiceW",
            "status": true,
            "return": "0x29254329ee0",
            "arguments": [
              {
                "name": "ServiceControlManager",
                "value": "0x292542431f0"
              },
              {
                "name": "ServiceName",
                "value": "WebClient"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000005",
                "pretty_value": "SERVICE_QUERY_CONFIG|SERVICE_QUERY_STATUS"
              }
            ],
            "repeated": 0,
            "id": 9856
          },
          {
            "timestamp": "2026-05-28 22:01:58,193",
            "thread_id": "5448",
            "caller": "0x7ff6c28d790a",
            "parentcaller": "0x7ff6c28d76df",
            "category": "misc",
            "api": "CommandLineToArgvW",
            "status": true,
            "return": "0x2925418e050",
            "arguments": [
              {
                "name": "CommandLine",
                "value": "C:\\Windows\\system32\\svchost.exe -k LocalService -p"
              },
              {
                "name": "NumArgs",
                "value": "4"
              }
            ],
            "repeated": 0,
            "id": 9857
          },
          {
            "timestamp": "2026-05-28 22:01:58,193",
            "thread_id": "5448",
            "caller": "0x7ff6c28d760f",
            "parentcaller": "0x7ff6c28d748b",
            "category": "services",
            "api": "OpenServiceW",
            "status": true,
            "return": "0x2925432a1e0",
            "arguments": [
              {
                "name": "ServiceControlManager",
                "value": "0x292542431f0"
              },
              {
                "name": "ServiceName",
                "value": "Wecsvc"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000005",
                "pretty_value": "SERVICE_QUERY_CONFIG|SERVICE_QUERY_STATUS"
              }
            ],
            "repeated": 0,
            "id": 9858
          },
          {
            "timestamp": "2026-05-28 22:01:58,193",
            "thread_id": "5448",
            "caller": "0x7ff6c28d790a",
            "parentcaller": "0x7ff6c28d76df",
            "category": "misc",
            "api": "CommandLineToArgvW",
            "status": true,
            "return": "0x2925418db50",
            "arguments": [
              {
                "name": "CommandLine",
                "value": "C:\\Windows\\system32\\svchost.exe -k NetworkService -p"
              },
              {
                "name": "NumArgs",
                "value": "4"
              }
            ],
            "repeated": 0,
            "id": 9859
          },
          {
            "timestamp": "2026-05-28 22:01:58,193",
            "thread_id": "5448",
            "caller": "0x7ff6c28d760f",
            "parentcaller": "0x7ff6c28d748b",
            "category": "services",
            "api": "OpenServiceW",
            "status": true,
            "return": "0x29254329ee0",
            "arguments": [
              {
                "name": "ServiceControlManager",
                "value": "0x292542431f0"
              },
              {
                "name": "ServiceName",
                "value": "WEPHOSTSVC"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000005",
                "pretty_value": "SERVICE_QUERY_CONFIG|SERVICE_QUERY_STATUS"
              }
            ],
            "repeated": 0,
            "id": 9860
          },
          {
            "timestamp": "2026-05-28 22:01:58,193",
            "thread_id": "5448",
            "caller": "0x7ff6c28d790a",
            "parentcaller": "0x7ff6c28d76df",
            "category": "misc",
            "api": "CommandLineToArgvW",
            "status": true,
            "return": "0x292542200c0",
            "arguments": [
              {
                "name": "CommandLine",
                "value": "C:\\Windows\\system32\\svchost.exe -k WepHostSvcGroup"
              },
              {
                "name": "NumArgs",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 9861
          },
          {
            "timestamp": "2026-05-28 22:01:58,193",
            "thread_id": "5448",
            "caller": "0x7ff6c28d760f",
            "parentcaller": "0x7ff6c28d748b",
            "category": "services",
            "api": "OpenServiceW",
            "status": true,
            "return": "0x2925432a1e0",
            "arguments": [
              {
                "name": "ServiceControlManager",
                "value": "0x292542431f0"
              },
              {
                "name": "ServiceName",
                "value": "wercplsupport"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000005",
                "pretty_value": "SERVICE_QUERY_CONFIG|SERVICE_QUERY_STATUS"
              }
            ],
            "repeated": 0,
            "id": 9862
          },
          {
            "timestamp": "2026-05-28 22:01:58,193",
            "thread_id": "5448",
            "caller": "0x7ff6c28d790a",
            "parentcaller": "0x7ff6c28d76df",
            "category": "misc",
            "api": "CommandLineToArgvW",
            "status": true,
            "return": "0x292542200c0",
            "arguments": [
              {
                "name": "CommandLine",
                "value": "C:\\Windows\\System32\\svchost.exe -k netsvcs -p"
              },
              {
                "name": "NumArgs",
                "value": "4"
              }
            ],
            "repeated": 0,
            "id": 9863
          },
          {
            "timestamp": "2026-05-28 22:01:58,193",
            "thread_id": "5448",
            "caller": "0x7ff6c28d760f",
            "parentcaller": "0x7ff6c28d748b",
            "category": "services",
            "api": "OpenServiceW",
            "status": true,
            "return": "0x29254329f40",
            "arguments": [
              {
                "name": "ServiceControlManager",
                "value": "0x292542431f0"
              },
              {
                "name": "ServiceName",
                "value": "WerSvc"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000005",
                "pretty_value": "SERVICE_QUERY_CONFIG|SERVICE_QUERY_STATUS"
              }
            ],
            "repeated": 0,
            "id": 9864
          },
          {
            "timestamp": "2026-05-28 22:01:58,193",
            "thread_id": "5448",
            "caller": "0x7ff6c28d790a",
            "parentcaller": "0x7ff6c28d76df",
            "category": "misc",
            "api": "CommandLineToArgvW",
            "status": true,
            "return": "0x292542200c0",
            "arguments": [
              {
                "name": "CommandLine",
                "value": "C:\\Windows\\System32\\svchost.exe -k WerSvcGroup"
              },
              {
                "name": "NumArgs",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 9865
          },
          {
            "timestamp": "2026-05-28 22:01:58,193",
            "thread_id": "5448",
            "caller": "0x7ff6c28d760f",
            "parentcaller": "0x7ff6c28d748b",
            "category": "services",
            "api": "OpenServiceW",
            "status": true,
            "return": "0x29254342f50",
            "arguments": [
              {
                "name": "ServiceControlManager",
                "value": "0x292542431f0"
              },
              {
                "name": "ServiceName",
                "value": "WFDSConMgrSvc"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000005",
                "pretty_value": "SERVICE_QUERY_CONFIG|SERVICE_QUERY_STATUS"
              }
            ],
            "repeated": 0,
            "id": 9866
          },
          {
            "timestamp": "2026-05-28 22:01:58,193",
            "thread_id": "5448",
            "caller": "0x7ff6c28d790a",
            "parentcaller": "0x7ff6c28d76df",
            "category": "misc",
            "api": "CommandLineToArgvW",
            "status": true,
            "return": "0x292542334b0",
            "arguments": [
              {
                "name": "CommandLine",
                "value": "C:\\Windows\\system32\\svchost.exe -k LocalServiceNetworkRestricted -p"
              },
              {
                "name": "NumArgs",
                "value": "4"
              }
            ],
            "repeated": 0,
            "id": 9867
          },
          {
            "timestamp": "2026-05-28 22:01:58,193",
            "thread_id": "5448",
            "caller": "0x7ff6c28d760f",
            "parentcaller": "0x7ff6c28d748b",
            "category": "services",
            "api": "OpenServiceW",
            "status": true,
            "return": "0x29254342fe0",
            "arguments": [
              {
                "name": "ServiceControlManager",
                "value": "0x292542431f0"
              },
              {
                "name": "ServiceName",
                "value": "WiaRpc"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000005",
                "pretty_value": "SERVICE_QUERY_CONFIG|SERVICE_QUERY_STATUS"
              }
            ],
            "repeated": 0,
            "id": 9868
          },
          {
            "timestamp": "2026-05-28 22:01:58,193",
            "thread_id": "5448",
            "caller": "0x7ff6c28d790a",
            "parentcaller": "0x7ff6c28d76df",
            "category": "misc",
            "api": "CommandLineToArgvW",
            "status": true,
            "return": "0x292542337b0",
            "arguments": [
              {
                "name": "CommandLine",
                "value": "C:\\Windows\\system32\\svchost.exe -k LocalSystemNetworkRestricted -p"
              },
              {
                "name": "NumArgs",
                "value": "4"
              }
            ],
            "repeated": 0,
            "id": 9869
          },
          {
            "timestamp": "2026-05-28 22:01:58,193",
            "thread_id": "5448",
            "caller": "0x7ff6c28d760f",
            "parentcaller": "0x7ff6c28d748b",
            "category": "services",
            "api": "OpenServiceW",
            "status": true,
            "return": "0x29254343070",
            "arguments": [
              {
                "name": "ServiceControlManager",
                "value": "0x292542431f0"
              },
              {
                "name": "ServiceName",
                "value": "WinDefend"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000005",
                "pretty_value": "SERVICE_QUERY_CONFIG|SERVICE_QUERY_STATUS"
              }
            ],
            "repeated": 0,
            "id": 9870
          },
          {
            "timestamp": "2026-05-28 22:01:58,193",
            "thread_id": "1496",
            "caller": "0x7ff6c28da4af",
            "parentcaller": "0x7ff6c28cd4b8",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254346000"
              },
              {
                "name": "RegionSize",
                "value": "0x00009000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 9871
          },
          {
            "timestamp": "2026-05-28 22:01:58,193",
            "thread_id": "5448",
            "caller": "0x7ff6c28d790a",
            "parentcaller": "0x7ff6c28d76df",
            "category": "misc",
            "api": "CommandLineToArgvW",
            "status": true,
            "return": "0x292542fc810",
            "arguments": [
              {
                "name": "CommandLine",
                "value": "\"C:\\Program Files\\Windows Defender\\MsMpEng.exe\""
              },
              {
                "name": "NumArgs",
                "value": "1"
              }
            ],
            "repeated": 0,
            "id": 9872
          },
          {
            "timestamp": "2026-05-28 22:01:58,193",
            "thread_id": "1496",
            "caller": "0x7ff6c28cd4b8",
            "parentcaller": "0x7ff6c292ec05",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x292546f0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00400000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 9873
          },
          {
            "timestamp": "2026-05-28 22:01:58,193",
            "thread_id": "1496",
            "caller": "0x7ff6c28cd4b8",
            "parentcaller": "0x7ff6c292ec05",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x292546f0000"
              },
              {
                "name": "RegionSize",
                "value": "0x0000a000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 9874
          },
          {
            "timestamp": "2026-05-28 22:01:58,193",
            "thread_id": "5448",
            "caller": "0x7ff6c28d760f",
            "parentcaller": "0x7ff6c28d748b",
            "category": "services",
            "api": "OpenServiceW",
            "status": true,
            "return": "0x29254342ef0",
            "arguments": [
              {
                "name": "ServiceControlManager",
                "value": "0x292542431f0"
              },
              {
                "name": "ServiceName",
                "value": "WinHttpAutoProxySvc"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000005",
                "pretty_value": "SERVICE_QUERY_CONFIG|SERVICE_QUERY_STATUS"
              }
            ],
            "repeated": 0,
            "id": 9875
          },
          {
            "timestamp": "2026-05-28 22:01:58,193",
            "thread_id": "5448",
            "caller": "0x7ff6c28d790a",
            "parentcaller": "0x7ff6c28d76df",
            "category": "misc",
            "api": "CommandLineToArgvW",
            "status": true,
            "return": "0x29254234b30",
            "arguments": [
              {
                "name": "CommandLine",
                "value": "C:\\Windows\\system32\\svchost.exe -k LocalServiceNetworkRestricted -p"
              },
              {
                "name": "NumArgs",
                "value": "4"
              }
            ],
            "repeated": 0,
            "id": 9876
          },
          {
            "timestamp": "2026-05-28 22:01:58,193",
            "thread_id": "5448",
            "caller": "0x7ff6c28d760f",
            "parentcaller": "0x7ff6c28d748b",
            "category": "services",
            "api": "OpenServiceW",
            "status": true,
            "return": "0x29254342ef0",
            "arguments": [
              {
                "name": "ServiceControlManager",
                "value": "0x292542431f0"
              },
              {
                "name": "ServiceName",
                "value": "Winmgmt"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000005",
                "pretty_value": "SERVICE_QUERY_CONFIG|SERVICE_QUERY_STATUS"
              }
            ],
            "repeated": 0,
            "id": 9877
          },
          {
            "timestamp": "2026-05-28 22:01:58,193",
            "thread_id": "5448",
            "caller": "0x7ff6c28d790a",
            "parentcaller": "0x7ff6c28d76df",
            "category": "misc",
            "api": "CommandLineToArgvW",
            "status": true,
            "return": "0x29254220930",
            "arguments": [
              {
                "name": "CommandLine",
                "value": "C:\\Windows\\system32\\svchost.exe -k netsvcs -p"
              },
              {
                "name": "NumArgs",
                "value": "4"
              }
            ],
            "repeated": 0,
            "id": 9878
          },
          {
            "timestamp": "2026-05-28 22:01:58,193",
            "thread_id": "5448",
            "caller": "0x7ff6c28d760f",
            "parentcaller": "0x7ff6c28d748b",
            "category": "services",
            "api": "OpenServiceW",
            "status": true,
            "return": "0x29254342d70",
            "arguments": [
              {
                "name": "ServiceControlManager",
                "value": "0x292542431f0"
              },
              {
                "name": "ServiceName",
                "value": "WinRM"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000005",
                "pretty_value": "SERVICE_QUERY_CONFIG|SERVICE_QUERY_STATUS"
              }
            ],
            "repeated": 0,
            "id": 9879
          },
          {
            "timestamp": "2026-05-28 22:01:58,193",
            "thread_id": "5448",
            "caller": "0x7ff6c28d790a",
            "parentcaller": "0x7ff6c28d76df",
            "category": "misc",
            "api": "CommandLineToArgvW",
            "status": true,
            "return": "0x2925418d6f0",
            "arguments": [
              {
                "name": "CommandLine",
                "value": "C:\\Windows\\System32\\svchost.exe -k NetworkService -p"
              },
              {
                "name": "NumArgs",
                "value": "4"
              }
            ],
            "repeated": 0,
            "id": 9880
          },
          {
            "timestamp": "2026-05-28 22:01:58,193",
            "thread_id": "5448",
            "caller": "0x7ff6c28d760f",
            "parentcaller": "0x7ff6c28d748b",
            "category": "services",
            "api": "OpenServiceW",
            "status": true,
            "return": "0x29254343070",
            "arguments": [
              {
                "name": "ServiceControlManager",
                "value": "0x292542431f0"
              },
              {
                "name": "ServiceName",
                "value": "wisvc"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000005",
                "pretty_value": "SERVICE_QUERY_CONFIG|SERVICE_QUERY_STATUS"
              }
            ],
            "repeated": 0,
            "id": 9881
          },
          {
            "timestamp": "2026-05-28 22:01:58,193",
            "thread_id": "5448",
            "caller": "0x7ff6c28d790a",
            "parentcaller": "0x7ff6c28d76df",
            "category": "misc",
            "api": "CommandLineToArgvW",
            "status": true,
            "return": "0x29254220150",
            "arguments": [
              {
                "name": "CommandLine",
                "value": "C:\\Windows\\system32\\svchost.exe -k netsvcs -p"
              },
              {
                "name": "NumArgs",
                "value": "4"
              }
            ],
            "repeated": 0,
            "id": 9882
          },
          {
            "timestamp": "2026-05-28 22:01:58,193",
            "thread_id": "5448",
            "caller": "0x7ff6c28d760f",
            "parentcaller": "0x7ff6c28d748b",
            "category": "services",
            "api": "OpenServiceW",
            "status": true,
            "return": "0x29254343070",
            "arguments": [
              {
                "name": "ServiceControlManager",
                "value": "0x292542431f0"
              },
              {
                "name": "ServiceName",
                "value": "WlanSvc"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000005",
                "pretty_value": "SERVICE_QUERY_CONFIG|SERVICE_QUERY_STATUS"
              }
            ],
            "repeated": 0,
            "id": 9883
          },
          {
            "timestamp": "2026-05-28 22:01:58,193",
            "thread_id": "5448",
            "caller": "0x7ff6c28d790a",
            "parentcaller": "0x7ff6c28d76df",
            "category": "misc",
            "api": "CommandLineToArgvW",
            "status": true,
            "return": "0x292542337b0",
            "arguments": [
              {
                "name": "CommandLine",
                "value": "C:\\Windows\\system32\\svchost.exe -k LocalSystemNetworkRestricted -p"
              },
              {
                "name": "NumArgs",
                "value": "4"
              }
            ],
            "repeated": 0,
            "id": 9884
          },
          {
            "timestamp": "2026-05-28 22:01:58,193",
            "thread_id": "5448",
            "caller": "0x7ff6c28d760f",
            "parentcaller": "0x7ff6c28d748b",
            "category": "services",
            "api": "OpenServiceW",
            "status": true,
            "return": "0x29254343070",
            "arguments": [
              {
                "name": "ServiceControlManager",
                "value": "0x292542431f0"
              },
              {
                "name": "ServiceName",
                "value": "wlidsvc"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000005",
                "pretty_value": "SERVICE_QUERY_CONFIG|SERVICE_QUERY_STATUS"
              }
            ],
            "repeated": 0,
            "id": 9885
          },
          {
            "timestamp": "2026-05-28 22:01:58,193",
            "thread_id": "5448",
            "caller": "0x7ff6c28d790a",
            "parentcaller": "0x7ff6c28d76df",
            "category": "misc",
            "api": "CommandLineToArgvW",
            "status": true,
            "return": "0x29254220150",
            "arguments": [
              {
                "name": "CommandLine",
                "value": "C:\\Windows\\system32\\svchost.exe -k netsvcs -p"
              },
              {
                "name": "NumArgs",
                "value": "4"
              }
            ],
            "repeated": 0,
            "id": 9886
          },
          {
            "timestamp": "2026-05-28 22:01:58,193",
            "thread_id": "5448",
            "caller": "0x7ff6c28d760f",
            "parentcaller": "0x7ff6c28d748b",
            "category": "services",
            "api": "OpenServiceW",
            "status": true,
            "return": "0x292546f9910",
            "arguments": [
              {
                "name": "ServiceControlManager",
                "value": "0x292542431f0"
              },
              {
                "name": "ServiceName",
                "value": "wlpasvc"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000005",
                "pretty_value": "SERVICE_QUERY_CONFIG|SERVICE_QUERY_STATUS"
              }
            ],
            "repeated": 0,
            "id": 9887
          },
          {
            "timestamp": "2026-05-28 22:01:58,193",
            "thread_id": "5448",
            "caller": "0x7ff6c28d790a",
            "parentcaller": "0x7ff6c28d76df",
            "category": "misc",
            "api": "CommandLineToArgvW",
            "status": true,
            "return": "0x29254233cf0",
            "arguments": [
              {
                "name": "CommandLine",
                "value": "C:\\Windows\\system32\\svchost.exe -k LocalServiceNetworkRestricted -p"
              },
              {
                "name": "NumArgs",
                "value": "4"
              }
            ],
            "repeated": 0,
            "id": 9888
          },
          {
            "timestamp": "2026-05-28 22:01:58,193",
            "thread_id": "1496",
            "caller": "0x7ff6c28cd4b8",
            "parentcaller": "0x7ff6c292ec05",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x292546fa000"
              },
              {
                "name": "RegionSize",
                "value": "0x00009000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 9889
          },
          {
            "timestamp": "2026-05-28 22:01:58,193",
            "thread_id": "5448",
            "caller": "0x7ff6c28d760f",
            "parentcaller": "0x7ff6c28d748b",
            "category": "services",
            "api": "OpenServiceW",
            "status": true,
            "return": "0x292546f98b0",
            "arguments": [
              {
                "name": "ServiceControlManager",
                "value": "0x292542431f0"
              },
              {
                "name": "ServiceName",
                "value": "WManSvc"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000005",
                "pretty_value": "SERVICE_QUERY_CONFIG|SERVICE_QUERY_STATUS"
              }
            ],
            "repeated": 0,
            "id": 9890
          },
          {
            "timestamp": "2026-05-28 22:01:58,193",
            "thread_id": "5448",
            "caller": "0x7ff6c28d790a",
            "parentcaller": "0x7ff6c28d76df",
            "category": "misc",
            "api": "CommandLineToArgvW",
            "status": true,
            "return": "0x29254220150",
            "arguments": [
              {
                "name": "CommandLine",
                "value": "C:\\Windows\\system32\\svchost.exe -k netsvcs -p"
              },
              {
                "name": "NumArgs",
                "value": "4"
              }
            ],
            "repeated": 0,
            "id": 9891
          },
          {
            "timestamp": "2026-05-28 22:01:58,193",
            "thread_id": "5448",
            "caller": "0x7ff6c28d760f",
            "parentcaller": "0x7ff6c28d748b",
            "category": "services",
            "api": "OpenServiceW",
            "status": true,
            "return": "0x292546f9910",
            "arguments": [
              {
                "name": "ServiceControlManager",
                "value": "0x292542431f0"
              },
              {
                "name": "ServiceName",
                "value": "wmiApSrv"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000005",
                "pretty_value": "SERVICE_QUERY_CONFIG|SERVICE_QUERY_STATUS"
              }
            ],
            "repeated": 0,
            "id": 9892
          },
          {
            "timestamp": "2026-05-28 22:01:58,193",
            "thread_id": "5448",
            "caller": "0x7ff6c28d790a",
            "parentcaller": "0x7ff6c28d76df",
            "category": "misc",
            "api": "CommandLineToArgvW",
            "status": true,
            "return": "0x292542faf80",
            "arguments": [
              {
                "name": "CommandLine",
                "value": "C:\\Windows\\system32\\wbem\\WmiApSrv.exe"
              },
              {
                "name": "NumArgs",
                "value": "1"
              }
            ],
            "repeated": 0,
            "id": 9893
          },
          {
            "timestamp": "2026-05-28 22:01:58,193",
            "thread_id": "5448",
            "caller": "0x7ff6c28d760f",
            "parentcaller": "0x7ff6c28d748b",
            "category": "services",
            "api": "OpenServiceW",
            "status": true,
            "return": "0x292546f9a30",
            "arguments": [
              {
                "name": "ServiceControlManager",
                "value": "0x292542431f0"
              },
              {
                "name": "ServiceName",
                "value": "WMPNetworkSvc"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000005",
                "pretty_value": "SERVICE_QUERY_CONFIG|SERVICE_QUERY_STATUS"
              }
            ],
            "repeated": 0,
            "id": 9894
          },
          {
            "timestamp": "2026-05-28 22:01:58,193",
            "thread_id": "5448",
            "caller": "0x7ff6c28d790a",
            "parentcaller": "0x7ff6c28d76df",
            "category": "misc",
            "api": "CommandLineToArgvW",
            "status": true,
            "return": "0x292542fce10",
            "arguments": [
              {
                "name": "CommandLine",
                "value": "\"C:\\Program Files\\Windows Media Player\\wmpnetwk.exe\""
              },
              {
                "name": "NumArgs",
                "value": "1"
              }
            ],
            "repeated": 0,
            "id": 9895
          },
          {
            "timestamp": "2026-05-28 22:01:58,193",
            "thread_id": "5448",
            "caller": "0x7ff6c28d760f",
            "parentcaller": "0x7ff6c28d748b",
            "category": "services",
            "api": "OpenServiceW",
            "status": true,
            "return": "0x292546f9910",
            "arguments": [
              {
                "name": "ServiceControlManager",
                "value": "0x292542431f0"
              },
              {
                "name": "ServiceName",
                "value": "workfolderssvc"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000005",
                "pretty_value": "SERVICE_QUERY_CONFIG|SERVICE_QUERY_STATUS"
              }
            ],
            "repeated": 0,
            "id": 9896
          },
          {
            "timestamp": "2026-05-28 22:01:58,193",
            "thread_id": "5448",
            "caller": "0x7ff6c28d790a",
            "parentcaller": "0x7ff6c28d76df",
            "category": "misc",
            "api": "CommandLineToArgvW",
            "status": true,
            "return": "0x292543476d0",
            "arguments": [
              {
                "name": "CommandLine",
                "value": "C:\\Windows\\System32\\svchost.exe -k LocalService -p"
              },
              {
                "name": "NumArgs",
                "value": "4"
              }
            ],
            "repeated": 0,
            "id": 9897
          },
          {
            "timestamp": "2026-05-28 22:01:58,193",
            "thread_id": "5448",
            "caller": "0x7ff6c28d760f",
            "parentcaller": "0x7ff6c28d748b",
            "category": "services",
            "api": "OpenServiceW",
            "status": true,
            "return": "0x292546f9b20",
            "arguments": [
              {
                "name": "ServiceControlManager",
                "value": "0x292542431f0"
              },
              {
                "name": "ServiceName",
                "value": "WpcMonSvc"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000005",
                "pretty_value": "SERVICE_QUERY_CONFIG|SERVICE_QUERY_STATUS"
              }
            ],
            "repeated": 0,
            "id": 9898
          },
          {
            "timestamp": "2026-05-28 22:01:58,193",
            "thread_id": "5448",
            "caller": "0x7ff6c28d790a",
            "parentcaller": "0x7ff6c28d76df",
            "category": "misc",
            "api": "CommandLineToArgvW",
            "status": true,
            "return": "0x29254220270",
            "arguments": [
              {
                "name": "CommandLine",
                "value": "C:\\Windows\\system32\\svchost.exe -k LocalService"
              },
              {
                "name": "NumArgs",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 9899
          },
          {
            "timestamp": "2026-05-28 22:01:58,193",
            "thread_id": "5448",
            "caller": "0x7ff6c28d760f",
            "parentcaller": "0x7ff6c28d748b",
            "category": "services",
            "api": "OpenServiceW",
            "status": true,
            "return": "0x292546f9940",
            "arguments": [
              {
                "name": "ServiceControlManager",
                "value": "0x292542431f0"
              },
              {
                "name": "ServiceName",
                "value": "WPDBusEnum"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000005",
                "pretty_value": "SERVICE_QUERY_CONFIG|SERVICE_QUERY_STATUS"
              }
            ],
            "repeated": 0,
            "id": 9900
          },
          {
            "timestamp": "2026-05-28 22:01:58,193",
            "thread_id": "5448",
            "caller": "0x7ff6c28d790a",
            "parentcaller": "0x7ff6c28d76df",
            "category": "misc",
            "api": "CommandLineToArgvW",
            "status": true,
            "return": "0x292543411b0",
            "arguments": [
              {
                "name": "CommandLine",
                "value": "C:\\Windows\\system32\\svchost.exe -k LocalSystemNetworkRestricted"
              },
              {
                "name": "NumArgs",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 9901
          },
          {
            "timestamp": "2026-05-28 22:01:58,193",
            "thread_id": "5448",
            "caller": "0x7ff6c28d760f",
            "parentcaller": "0x7ff6c28d748b",
            "category": "services",
            "api": "OpenServiceW",
            "status": true,
            "return": "0x292546f9a00",
            "arguments": [
              {
                "name": "ServiceControlManager",
                "value": "0x292542431f0"
              },
              {
                "name": "ServiceName",
                "value": "WpnService"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000005",
                "pretty_value": "SERVICE_QUERY_CONFIG|SERVICE_QUERY_STATUS"
              }
            ],
            "repeated": 0,
            "id": 9902
          },
          {
            "timestamp": "2026-05-28 22:01:58,193",
            "thread_id": "1496",
            "caller": "0x7ff6c293071a",
            "parentcaller": "0x7ff6c292ed2c",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254703000"
              },
              {
                "name": "RegionSize",
                "value": "0x00009000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 9903
          },
          {
            "timestamp": "2026-05-28 22:01:58,193",
            "thread_id": "5448",
            "caller": "0x7ff6c28d790a",
            "parentcaller": "0x7ff6c28d76df",
            "category": "misc",
            "api": "CommandLineToArgvW",
            "status": true,
            "return": "0x29254220270",
            "arguments": [
              {
                "name": "CommandLine",
                "value": "C:\\Windows\\system32\\svchost.exe -k netsvcs -p"
              },
              {
                "name": "NumArgs",
                "value": "4"
              }
            ],
            "repeated": 0,
            "id": 9904
          },
          {
            "timestamp": "2026-05-28 22:01:58,193",
            "thread_id": "5448",
            "caller": "0x7ff6c28d760f",
            "parentcaller": "0x7ff6c28d748b",
            "category": "services",
            "api": "OpenServiceW",
            "status": true,
            "return": "0x292546f9a90",
            "arguments": [
              {
                "name": "ServiceControlManager",
                "value": "0x292542431f0"
              },
              {
                "name": "ServiceName",
                "value": "WpnUserService"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000005",
                "pretty_value": "SERVICE_QUERY_CONFIG|SERVICE_QUERY_STATUS"
              }
            ],
            "repeated": 0,
            "id": 9905
          },
          {
            "timestamp": "2026-05-28 22:01:58,193",
            "thread_id": "5448",
            "caller": "0x7ff6c28d790a",
            "parentcaller": "0x7ff6c28d76df",
            "category": "misc",
            "api": "CommandLineToArgvW",
            "status": true,
            "return": "0x29254220270",
            "arguments": [
              {
                "name": "CommandLine",
                "value": "C:\\Windows\\system32\\svchost.exe -k UnistackSvcGroup"
              },
              {
                "name": "NumArgs",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 9906
          },
          {
            "timestamp": "2026-05-28 22:01:58,193",
            "thread_id": "1496",
            "caller": "0x7ff6c29155ca",
            "parentcaller": "0x7ff6c2915b99",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2925470c000"
              },
              {
                "name": "RegionSize",
                "value": "0x00005000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 9907
          },
          {
            "timestamp": "2026-05-28 22:01:58,193",
            "thread_id": "5448",
            "caller": "0x7ff6c28d760f",
            "parentcaller": "0x7ff6c28d748b",
            "category": "services",
            "api": "OpenServiceW",
            "status": true,
            "return": "0x292546f9a90",
            "arguments": [
              {
                "name": "ServiceControlManager",
                "value": "0x292542431f0"
              },
              {
                "name": "ServiceName",
                "value": "wscsvc"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000005",
                "pretty_value": "SERVICE_QUERY_CONFIG|SERVICE_QUERY_STATUS"
              }
            ],
            "repeated": 0,
            "id": 9908
          },
          {
            "timestamp": "2026-05-28 22:01:58,193",
            "thread_id": "5448",
            "caller": "0x7ff6c28d790a",
            "parentcaller": "0x7ff6c28d76df",
            "category": "misc",
            "api": "CommandLineToArgvW",
            "status": true,
            "return": "0x292542343b0",
            "arguments": [
              {
                "name": "CommandLine",
                "value": "C:\\Windows\\System32\\svchost.exe -k LocalServiceNetworkRestricted -p"
              },
              {
                "name": "NumArgs",
                "value": "4"
              }
            ],
            "repeated": 0,
            "id": 9909
          },
          {
            "timestamp": "2026-05-28 22:01:58,193",
            "thread_id": "1496",
            "caller": "0x7ff6c28da4af",
            "parentcaller": "0x7ff6c28cd4b8",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254711000"
              },
              {
                "name": "RegionSize",
                "value": "0x00011000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 9910
          },
          {
            "timestamp": "2026-05-28 22:01:58,193",
            "thread_id": "1496",
            "caller": "0x7ff6c28da4af",
            "parentcaller": "0x7ff6c28cd4b8",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254722000"
              },
              {
                "name": "RegionSize",
                "value": "0x00011000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 9911
          },
          {
            "timestamp": "2026-05-28 22:01:58,193",
            "thread_id": "5448",
            "caller": "0x7ff6c28d760f",
            "parentcaller": "0x7ff6c28d748b",
            "category": "services",
            "api": "OpenServiceW",
            "status": true,
            "return": "0x29254701c70",
            "arguments": [
              {
                "name": "ServiceControlManager",
                "value": "0x292542431f0"
              },
              {
                "name": "ServiceName",
                "value": "WSearch"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000005",
                "pretty_value": "SERVICE_QUERY_CONFIG|SERVICE_QUERY_STATUS"
              }
            ],
            "repeated": 0,
            "id": 9912
          },
          {
            "timestamp": "2026-05-28 22:01:58,193",
            "thread_id": "5448",
            "caller": "0x7ff6c28d790a",
            "parentcaller": "0x7ff6c28d76df",
            "category": "misc",
            "api": "CommandLineToArgvW",
            "status": true,
            "return": "0x29254220270",
            "arguments": [
              {
                "name": "CommandLine",
                "value": "C:\\Windows\\system32\\SearchIndexer.exe /Embedding"
              },
              {
                "name": "NumArgs",
                "value": "2"
              }
            ],
            "repeated": 0,
            "id": 9913
          },
          {
            "timestamp": "2026-05-28 22:01:58,193",
            "thread_id": "5448",
            "caller": "0x7ff6c28d760f",
            "parentcaller": "0x7ff6c28d748b",
            "category": "services",
            "api": "OpenServiceW",
            "status": true,
            "return": "0x29254701c40",
            "arguments": [
              {
                "name": "ServiceControlManager",
                "value": "0x292542431f0"
              },
              {
                "name": "ServiceName",
                "value": "wuauserv"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000005",
                "pretty_value": "SERVICE_QUERY_CONFIG|SERVICE_QUERY_STATUS"
              }
            ],
            "repeated": 0,
            "id": 9914
          },
          {
            "timestamp": "2026-05-28 22:01:58,193",
            "thread_id": "5448",
            "caller": "0x7ff6c28d790a",
            "parentcaller": "0x7ff6c28d76df",
            "category": "misc",
            "api": "CommandLineToArgvW",
            "status": true,
            "return": "0x29254220270",
            "arguments": [
              {
                "name": "CommandLine",
                "value": "C:\\Windows\\system32\\svchost.exe -k netsvcs -p"
              },
              {
                "name": "NumArgs",
                "value": "4"
              }
            ],
            "repeated": 0,
            "id": 9915
          },
          {
            "timestamp": "2026-05-28 22:01:58,193",
            "thread_id": "5448",
            "caller": "0x7ff6c28d760f",
            "parentcaller": "0x7ff6c28d748b",
            "category": "services",
            "api": "OpenServiceW",
            "status": true,
            "return": "0x29254701c40",
            "arguments": [
              {
                "name": "ServiceControlManager",
                "value": "0x292542431f0"
              },
              {
                "name": "ServiceName",
                "value": "WwanSvc"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000005",
                "pretty_value": "SERVICE_QUERY_CONFIG|SERVICE_QUERY_STATUS"
              }
            ],
            "repeated": 0,
            "id": 9916
          },
          {
            "timestamp": "2026-05-28 22:01:58,193",
            "thread_id": "5448",
            "caller": "0x7ff6c28d790a",
            "parentcaller": "0x7ff6c28d76df",
            "category": "misc",
            "api": "CommandLineToArgvW",
            "status": true,
            "return": "0x29254233cf0",
            "arguments": [
              {
                "name": "CommandLine",
                "value": "C:\\Windows\\system32\\svchost.exe -k LocalSystemNetworkRestricted -p"
              },
              {
                "name": "NumArgs",
                "value": "4"
              }
            ],
            "repeated": 0,
            "id": 9917
          },
          {
            "timestamp": "2026-05-28 22:01:58,193",
            "thread_id": "5448",
            "caller": "0x7ff6c28d760f",
            "parentcaller": "0x7ff6c28d748b",
            "category": "services",
            "api": "OpenServiceW",
            "status": true,
            "return": "0x29254701c10",
            "arguments": [
              {
                "name": "ServiceControlManager",
                "value": "0x292542431f0"
              },
              {
                "name": "ServiceName",
                "value": "XblAuthManager"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000005",
                "pretty_value": "SERVICE_QUERY_CONFIG|SERVICE_QUERY_STATUS"
              }
            ],
            "repeated": 0,
            "id": 9918
          },
          {
            "timestamp": "2026-05-28 22:01:58,193",
            "thread_id": "1496",
            "caller": "0x7ff6c28da4af",
            "parentcaller": "0x7ff6c28cd4b8",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254733000"
              },
              {
                "name": "RegionSize",
                "value": "0x00005000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 9919
          },
          {
            "timestamp": "2026-05-28 22:01:58,193",
            "thread_id": "5448",
            "caller": "0x7ff6c28d790a",
            "parentcaller": "0x7ff6c28d76df",
            "category": "misc",
            "api": "CommandLineToArgvW",
            "status": true,
            "return": "0x29254220930",
            "arguments": [
              {
                "name": "CommandLine",
                "value": "C:\\Windows\\system32\\svchost.exe -k netsvcs -p"
              },
              {
                "name": "NumArgs",
                "value": "4"
              }
            ],
            "repeated": 0,
            "id": 9920
          },
          {
            "timestamp": "2026-05-28 22:01:58,193",
            "thread_id": "5448",
            "caller": "0x7ff6c28d760f",
            "parentcaller": "0x7ff6c28d748b",
            "category": "services",
            "api": "OpenServiceW",
            "status": true,
            "return": "0x29254701e80",
            "arguments": [
              {
                "name": "ServiceControlManager",
                "value": "0x292542431f0"
              },
              {
                "name": "ServiceName",
                "value": "XblGameSave"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000005",
                "pretty_value": "SERVICE_QUERY_CONFIG|SERVICE_QUERY_STATUS"
              }
            ],
            "repeated": 0,
            "id": 9921
          },
          {
            "timestamp": "2026-05-28 22:01:58,193",
            "thread_id": "5448",
            "caller": "0x7ff6c28d790a",
            "parentcaller": "0x7ff6c28d76df",
            "category": "misc",
            "api": "CommandLineToArgvW",
            "status": true,
            "return": "0x29254220270",
            "arguments": [
              {
                "name": "CommandLine",
                "value": "C:\\Windows\\system32\\svchost.exe -k netsvcs -p"
              },
              {
                "name": "NumArgs",
                "value": "4"
              }
            ],
            "repeated": 0,
            "id": 9922
          },
          {
            "timestamp": "2026-05-28 22:01:58,193",
            "thread_id": "5448",
            "caller": "0x7ff6c28d760f",
            "parentcaller": "0x7ff6c28d748b",
            "category": "services",
            "api": "OpenServiceW",
            "status": true,
            "return": "0x29254701e80",
            "arguments": [
              {
                "name": "ServiceControlManager",
                "value": "0x292542431f0"
              },
              {
                "name": "ServiceName",
                "value": "XboxGipSvc"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000005",
                "pretty_value": "SERVICE_QUERY_CONFIG|SERVICE_QUERY_STATUS"
              }
            ],
            "repeated": 0,
            "id": 9923
          },
          {
            "timestamp": "2026-05-28 22:01:58,193",
            "thread_id": "5448",
            "caller": "0x7ff6c28d790a",
            "parentcaller": "0x7ff6c28d76df",
            "category": "misc",
            "api": "CommandLineToArgvW",
            "status": true,
            "return": "0x29254220270",
            "arguments": [
              {
                "name": "CommandLine",
                "value": "C:\\Windows\\system32\\svchost.exe -k netsvcs -p"
              },
              {
                "name": "NumArgs",
                "value": "4"
              }
            ],
            "repeated": 0,
            "id": 9924
          },
          {
            "timestamp": "2026-05-28 22:01:58,193",
            "thread_id": "5448",
            "caller": "0x7ff6c28d760f",
            "parentcaller": "0x7ff6c28d748b",
            "category": "services",
            "api": "OpenServiceW",
            "status": true,
            "return": "0x29254701c40",
            "arguments": [
              {
                "name": "ServiceControlManager",
                "value": "0x292542431f0"
              },
              {
                "name": "ServiceName",
                "value": "XboxNetApiSvc"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000005",
                "pretty_value": "SERVICE_QUERY_CONFIG|SERVICE_QUERY_STATUS"
              }
            ],
            "repeated": 0,
            "id": 9925
          },
          {
            "timestamp": "2026-05-28 22:01:58,193",
            "thread_id": "5448",
            "caller": "0x7ff6c28d790a",
            "parentcaller": "0x7ff6c28d76df",
            "category": "misc",
            "api": "CommandLineToArgvW",
            "status": true,
            "return": "0x29254220270",
            "arguments": [
              {
                "name": "CommandLine",
                "value": "C:\\Windows\\system32\\svchost.exe -k netsvcs -p"
              },
              {
                "name": "NumArgs",
                "value": "4"
              }
            ],
            "repeated": 0,
            "id": 9926
          },
          {
            "timestamp": "2026-05-28 22:01:58,193",
            "thread_id": "5448",
            "caller": "0x7ff6c28d760f",
            "parentcaller": "0x7ff6c28d748b",
            "category": "services",
            "api": "OpenServiceW",
            "status": true,
            "return": "0x29254701c40",
            "arguments": [
              {
                "name": "ServiceControlManager",
                "value": "0x292542431f0"
              },
              {
                "name": "ServiceName",
                "value": "AarSvc_2cd62"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000005",
                "pretty_value": "SERVICE_QUERY_CONFIG|SERVICE_QUERY_STATUS"
              }
            ],
            "repeated": 0,
            "id": 9927
          },
          {
            "timestamp": "2026-05-28 22:01:58,193",
            "thread_id": "5448",
            "caller": "0x7ff6c28d790a",
            "parentcaller": "0x7ff6c28d76df",
            "category": "misc",
            "api": "CommandLineToArgvW",
            "status": true,
            "return": "0x29254347630",
            "arguments": [
              {
                "name": "CommandLine",
                "value": "C:\\Windows\\system32\\svchost.exe -k AarSvcGroup -p"
              },
              {
                "name": "NumArgs",
                "value": "4"
              }
            ],
            "repeated": 0,
            "id": 9928
          },
          {
            "timestamp": "2026-05-28 22:01:58,193",
            "thread_id": "5448",
            "caller": "0x7ff6c28d760f",
            "parentcaller": "0x7ff6c28d748b",
            "category": "services",
            "api": "OpenServiceW",
            "status": true,
            "return": "0x2925434e620",
            "arguments": [
              {
                "name": "ServiceControlManager",
                "value": "0x292542431f0"
              },
              {
                "name": "ServiceName",
                "value": "BcastDVRUserService_2cd62"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000005",
                "pretty_value": "SERVICE_QUERY_CONFIG|SERVICE_QUERY_STATUS"
              }
            ],
            "repeated": 0,
            "id": 9929
          },
          {
            "timestamp": "2026-05-28 22:01:58,193",
            "thread_id": "5448",
            "caller": "0x7ff6c28d790a",
            "parentcaller": "0x7ff6c28d76df",
            "category": "misc",
            "api": "CommandLineToArgvW",
            "status": true,
            "return": "0x29254347770",
            "arguments": [
              {
                "name": "CommandLine",
                "value": "C:\\Windows\\system32\\svchost.exe -k BcastDVRUserService"
              },
              {
                "name": "NumArgs",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 9930
          },
          {
            "timestamp": "2026-05-28 22:01:58,193",
            "thread_id": "5448",
            "caller": "0x7ff6c28d760f",
            "parentcaller": "0x7ff6c28d748b",
            "category": "services",
            "api": "OpenServiceW",
            "status": true,
            "return": "0x2925434e800",
            "arguments": [
              {
                "name": "ServiceControlManager",
                "value": "0x292542431f0"
              },
              {
                "name": "ServiceName",
                "value": "BluetoothUserService_2cd62"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000005",
                "pretty_value": "SERVICE_QUERY_CONFIG|SERVICE_QUERY_STATUS"
              }
            ],
            "repeated": 0,
            "id": 9931
          },
          {
            "timestamp": "2026-05-28 22:01:58,193",
            "thread_id": "5448",
            "caller": "0x7ff6c28d790a",
            "parentcaller": "0x7ff6c28d76df",
            "category": "misc",
            "api": "CommandLineToArgvW",
            "status": true,
            "return": "0x29254347770",
            "arguments": [
              {
                "name": "CommandLine",
                "value": "C:\\Windows\\system32\\svchost.exe -k BthAppGroup -p"
              },
              {
                "name": "NumArgs",
                "value": "4"
              }
            ],
            "repeated": 0,
            "id": 9932
          },
          {
            "timestamp": "2026-05-28 22:01:58,193",
            "thread_id": "5448",
            "caller": "0x7ff6c28d760f",
            "parentcaller": "0x7ff6c28d748b",
            "category": "services",
            "api": "OpenServiceW",
            "status": true,
            "return": "0x2925434e6b0",
            "arguments": [
              {
                "name": "ServiceControlManager",
                "value": "0x292542431f0"
              },
              {
                "name": "ServiceName",
                "value": "CaptureService_2cd62"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000005",
                "pretty_value": "SERVICE_QUERY_CONFIG|SERVICE_QUERY_STATUS"
              }
            ],
            "repeated": 0,
            "id": 9933
          },
          {
            "timestamp": "2026-05-28 22:01:58,193",
            "thread_id": "5448",
            "caller": "0x7ff6c28d790a",
            "parentcaller": "0x7ff6c28d76df",
            "category": "misc",
            "api": "CommandLineToArgvW",
            "status": true,
            "return": "0x292543478b0",
            "arguments": [
              {
                "name": "CommandLine",
                "value": "C:\\Windows\\system32\\svchost.exe -k LocalService -p"
              },
              {
                "name": "NumArgs",
                "value": "4"
              }
            ],
            "repeated": 0,
            "id": 9934
          },
          {
            "timestamp": "2026-05-28 22:01:58,193",
            "thread_id": "5448",
            "caller": "0x7ff6c28d760f",
            "parentcaller": "0x7ff6c28d748b",
            "category": "services",
            "api": "OpenServiceW",
            "status": true,
            "return": "0x2925434e800",
            "arguments": [
              {
                "name": "ServiceControlManager",
                "value": "0x292542431f0"
              },
              {
                "name": "ServiceName",
                "value": "cbdhsvc_2cd62"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000005",
                "pretty_value": "SERVICE_QUERY_CONFIG|SERVICE_QUERY_STATUS"
              }
            ],
            "repeated": 0,
            "id": 9935
          },
          {
            "timestamp": "2026-05-28 22:01:58,193",
            "thread_id": "5448",
            "caller": "0x7ff6c28d790a",
            "parentcaller": "0x7ff6c28d76df",
            "category": "misc",
            "api": "CommandLineToArgvW",
            "status": true,
            "return": "0x292547362a0",
            "arguments": [
              {
                "name": "CommandLine",
                "value": "C:\\Windows\\system32\\svchost.exe -k ClipboardSvcGroup -p"
              },
              {
                "name": "NumArgs",
                "value": "4"
              }
            ],
            "repeated": 0,
            "id": 9936
          },
          {
            "timestamp": "2026-05-28 22:01:58,193",
            "thread_id": "5448",
            "caller": "0x7ff6c28d760f",
            "parentcaller": "0x7ff6c28d748b",
            "category": "services",
            "api": "OpenServiceW",
            "status": true,
            "return": "0x2925434e800",
            "arguments": [
              {
                "name": "ServiceControlManager",
                "value": "0x292542431f0"
              },
              {
                "name": "ServiceName",
                "value": "CDPUserSvc_2cd62"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000005",
                "pretty_value": "SERVICE_QUERY_CONFIG|SERVICE_QUERY_STATUS"
              }
            ],
            "repeated": 0,
            "id": 9937
          },
          {
            "timestamp": "2026-05-28 22:01:58,193",
            "thread_id": "5448",
            "caller": "0x7ff6c28d790a",
            "parentcaller": "0x7ff6c28d76df",
            "category": "misc",
            "api": "CommandLineToArgvW",
            "status": true,
            "return": "0x29254220390",
            "arguments": [
              {
                "name": "CommandLine",
                "value": "C:\\Windows\\system32\\svchost.exe -k UnistackSvcGroup"
              },
              {
                "name": "NumArgs",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 9938
          },
          {
            "timestamp": "2026-05-28 22:01:58,193",
            "thread_id": "5448",
            "caller": "0x7ff6c28d760f",
            "parentcaller": "0x7ff6c28d748b",
            "category": "services",
            "api": "OpenServiceW",
            "status": true,
            "return": "0x2925434e710",
            "arguments": [
              {
                "name": "ServiceControlManager",
                "value": "0x292542431f0"
              },
              {
                "name": "ServiceName",
                "value": "ConsentUxUserSvc_2cd62"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000005",
                "pretty_value": "SERVICE_QUERY_CONFIG|SERVICE_QUERY_STATUS"
              }
            ],
            "repeated": 0,
            "id": 9939
          },
          {
            "timestamp": "2026-05-28 22:01:58,193",
            "thread_id": "5448",
            "caller": "0x7ff6c28d790a",
            "parentcaller": "0x7ff6c28d76df",
            "category": "misc",
            "api": "CommandLineToArgvW",
            "status": true,
            "return": "0x29254220390",
            "arguments": [
              {
                "name": "CommandLine",
                "value": "C:\\Windows\\system32\\svchost.exe -k DevicesFlow"
              },
              {
                "name": "NumArgs",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 9940
          },
          {
            "timestamp": "2026-05-28 22:01:58,193",
            "thread_id": "1496",
            "caller": "0x7ff6c293053a",
            "parentcaller": "0x7ff6c292ed2c",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254738000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 9941
          },
          {
            "timestamp": "2026-05-28 22:01:58,193",
            "thread_id": "1496",
            "caller": "0x7ff6c29330f9",
            "parentcaller": "0x7ff6c293072e",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254739000"
              },
              {
                "name": "RegionSize",
                "value": "0x00009000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 9942
          },
          {
            "timestamp": "2026-05-28 22:01:58,193",
            "thread_id": "5448",
            "caller": "0x7ff6c28d760f",
            "parentcaller": "0x7ff6c28d748b",
            "category": "services",
            "api": "OpenServiceW",
            "status": true,
            "return": "0x2925434e710",
            "arguments": [
              {
                "name": "ServiceControlManager",
                "value": "0x292542431f0"
              },
              {
                "name": "ServiceName",
                "value": "CredentialEnrollmentManagerUserSvc_2cd62"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000005",
                "pretty_value": "SERVICE_QUERY_CONFIG|SERVICE_QUERY_STATUS"
              }
            ],
            "repeated": 0,
            "id": 9943
          },
          {
            "timestamp": "2026-05-28 22:01:58,193",
            "thread_id": "5448",
            "caller": "0x7ff6c28d790a",
            "parentcaller": "0x7ff6c28d76df",
            "category": "misc",
            "api": "CommandLineToArgvW",
            "status": true,
            "return": "0x29254730630",
            "arguments": [
              {
                "name": "CommandLine",
                "value": "C:\\Windows\\system32\\CredentialEnrollmentManager.exe"
              },
              {
                "name": "NumArgs",
                "value": "1"
              }
            ],
            "repeated": 0,
            "id": 9944
          },
          {
            "timestamp": "2026-05-28 22:01:58,193",
            "thread_id": "5448",
            "caller": "0x7ff6c28d760f",
            "parentcaller": "0x7ff6c28d748b",
            "category": "services",
            "api": "OpenServiceW",
            "status": true,
            "return": "0x2925434e920",
            "arguments": [
              {
                "name": "ServiceControlManager",
                "value": "0x292542431f0"
              },
              {
                "name": "ServiceName",
                "value": "DeviceAssociationBrokerSvc_2cd62"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000005",
                "pretty_value": "SERVICE_QUERY_CONFIG|SERVICE_QUERY_STATUS"
              }
            ],
            "repeated": 0,
            "id": 9945
          },
          {
            "timestamp": "2026-05-28 22:01:58,193",
            "thread_id": "5448",
            "caller": "0x7ff6c28d790a",
            "parentcaller": "0x7ff6c28d76df",
            "category": "misc",
            "api": "CommandLineToArgvW",
            "status": true,
            "return": "0x292547367a0",
            "arguments": [
              {
                "name": "CommandLine",
                "value": "C:\\Windows\\system32\\svchost.exe -k DevicesFlow -p"
              },
              {
                "name": "NumArgs",
                "value": "4"
              }
            ],
            "repeated": 0,
            "id": 9946
          },
          {
            "timestamp": "2026-05-28 22:01:58,193",
            "thread_id": "5448",
            "caller": "0x7ff6c28d760f",
            "parentcaller": "0x7ff6c28d748b",
            "category": "services",
            "api": "OpenServiceW",
            "status": true,
            "return": "0x2925434e860",
            "arguments": [
              {
                "name": "ServiceControlManager",
                "value": "0x292542431f0"
              },
              {
                "name": "ServiceName",
                "value": "DevicePickerUserSvc_2cd62"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000005",
                "pretty_value": "SERVICE_QUERY_CONFIG|SERVICE_QUERY_STATUS"
              }
            ],
            "repeated": 0,
            "id": 9947
          },
          {
            "timestamp": "2026-05-28 22:01:58,193",
            "thread_id": "1496",
            "caller": "0x7ff6c28da4af",
            "parentcaller": "0x7ff6c28cd4b8",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254745000"
              },
              {
                "name": "RegionSize",
                "value": "0x00009000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 9948
          },
          {
            "timestamp": "2026-05-28 22:01:58,193",
            "thread_id": "5448",
            "caller": "0x7ff6c28d790a",
            "parentcaller": "0x7ff6c28d76df",
            "category": "misc",
            "api": "CommandLineToArgvW",
            "status": true,
            "return": "0x29254740a40",
            "arguments": [
              {
                "name": "CommandLine",
                "value": "C:\\Windows\\system32\\svchost.exe -k DevicesFlow"
              },
              {
                "name": "NumArgs",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 9949
          },
          {
            "timestamp": "2026-05-28 22:01:58,193",
            "thread_id": "1496",
            "caller": "0x7ff6c28da46e",
            "parentcaller": "0x7ff6c28cd4b8",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2925474e000"
              },
              {
                "name": "RegionSize",
                "value": "0x00009000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 9950
          },
          {
            "timestamp": "2026-05-28 22:01:58,193",
            "thread_id": "5448",
            "caller": "0x7ff6c28d760f",
            "parentcaller": "0x7ff6c28d748b",
            "category": "services",
            "api": "OpenServiceW",
            "status": true,
            "return": "0x2925434e920",
            "arguments": [
              {
                "name": "ServiceControlManager",
                "value": "0x292542431f0"
              },
              {
                "name": "ServiceName",
                "value": "DevicesFlowUserSvc_2cd62"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000005",
                "pretty_value": "SERVICE_QUERY_CONFIG|SERVICE_QUERY_STATUS"
              }
            ],
            "repeated": 0,
            "id": 9951
          },
          {
            "timestamp": "2026-05-28 22:01:58,193",
            "thread_id": "5448",
            "caller": "0x7ff6c28d790a",
            "parentcaller": "0x7ff6c28d76df",
            "category": "misc",
            "api": "CommandLineToArgvW",
            "status": true,
            "return": "0x29254220390",
            "arguments": [
              {
                "name": "CommandLine",
                "value": "C:\\Windows\\system32\\svchost.exe -k DevicesFlow"
              },
              {
                "name": "NumArgs",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 9952
          },
          {
            "timestamp": "2026-05-28 22:01:58,193",
            "thread_id": "5448",
            "caller": "0x7ff6c28d760f",
            "parentcaller": "0x7ff6c28d748b",
            "category": "services",
            "api": "OpenServiceW",
            "status": true,
            "return": "0x2925434e860",
            "arguments": [
              {
                "name": "ServiceControlManager",
                "value": "0x292542431f0"
              },
              {
                "name": "ServiceName",
                "value": "MessagingService_2cd62"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000005",
                "pretty_value": "SERVICE_QUERY_CONFIG|SERVICE_QUERY_STATUS"
              }
            ],
            "repeated": 0,
            "id": 9953
          },
          {
            "timestamp": "2026-05-28 22:01:58,193",
            "thread_id": "5448",
            "caller": "0x7ff6c28d790a",
            "parentcaller": "0x7ff6c28d76df",
            "category": "misc",
            "api": "CommandLineToArgvW",
            "status": true,
            "return": "0x29254220390",
            "arguments": [
              {
                "name": "CommandLine",
                "value": "C:\\Windows\\system32\\svchost.exe -k UnistackSvcGroup"
              },
              {
                "name": "NumArgs",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 9954
          },
          {
            "timestamp": "2026-05-28 22:01:58,193",
            "thread_id": "5448",
            "caller": "0x7ff6c28d760f",
            "parentcaller": "0x7ff6c28d748b",
            "category": "services",
            "api": "OpenServiceW",
            "status": true,
            "return": "0x2925434e860",
            "arguments": [
              {
                "name": "ServiceControlManager",
                "value": "0x292542431f0"
              },
              {
                "name": "ServiceName",
                "value": "OneSyncSvc_2cd62"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000005",
                "pretty_value": "SERVICE_QUERY_CONFIG|SERVICE_QUERY_STATUS"
              }
            ],
            "repeated": 0,
            "id": 9955
          },
          {
            "timestamp": "2026-05-28 22:01:58,193",
            "thread_id": "5448",
            "caller": "0x7ff6c28d790a",
            "parentcaller": "0x7ff6c28d76df",
            "category": "misc",
            "api": "CommandLineToArgvW",
            "status": true,
            "return": "0x29254220390",
            "arguments": [
              {
                "name": "CommandLine",
                "value": "C:\\Windows\\system32\\svchost.exe -k UnistackSvcGroup"
              },
              {
                "name": "NumArgs",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 9956
          },
          {
            "timestamp": "2026-05-28 22:01:58,193",
            "thread_id": "5448",
            "caller": "0x7ff6c28d760f",
            "parentcaller": "0x7ff6c28d748b",
            "category": "services",
            "api": "OpenServiceW",
            "status": true,
            "return": "0x2925434e860",
            "arguments": [
              {
                "name": "ServiceControlManager",
                "value": "0x292542431f0"
              },
              {
                "name": "ServiceName",
                "value": "PimIndexMaintenanceSvc_2cd62"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000005",
                "pretty_value": "SERVICE_QUERY_CONFIG|SERVICE_QUERY_STATUS"
              }
            ],
            "repeated": 0,
            "id": 9957
          },
          {
            "timestamp": "2026-05-28 22:01:58,209",
            "thread_id": "1496",
            "caller": "0x7ff6c28cd4b8",
            "parentcaller": "0x7ff6c292ec05",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254757000"
              },
              {
                "name": "RegionSize",
                "value": "0x00009000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 9958
          },
          {
            "timestamp": "2026-05-28 22:01:58,209",
            "thread_id": "1496",
            "caller": "0x7ff6c293071a",
            "parentcaller": "0x7ff6c292ed2c",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254760000"
              },
              {
                "name": "RegionSize",
                "value": "0x00009000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 9959
          },
          {
            "timestamp": "2026-05-28 22:01:58,209",
            "thread_id": "5448",
            "caller": "0x7ff6c28d790a",
            "parentcaller": "0x7ff6c28d76df",
            "category": "misc",
            "api": "CommandLineToArgvW",
            "status": true,
            "return": "0x29254220390",
            "arguments": [
              {
                "name": "CommandLine",
                "value": "C:\\Windows\\system32\\svchost.exe -k UnistackSvcGroup"
              },
              {
                "name": "NumArgs",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 9960
          },
          {
            "timestamp": "2026-05-28 22:01:58,209",
            "thread_id": "5448",
            "caller": "0x7ff6c28d760f",
            "parentcaller": "0x7ff6c28d748b",
            "category": "services",
            "api": "OpenServiceW",
            "status": true,
            "return": "0x2925434e860",
            "arguments": [
              {
                "name": "ServiceControlManager",
                "value": "0x292542431f0"
              },
              {
                "name": "ServiceName",
                "value": "PrintWorkflowUserSvc_2cd62"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000005",
                "pretty_value": "SERVICE_QUERY_CONFIG|SERVICE_QUERY_STATUS"
              }
            ],
            "repeated": 0,
            "id": 9961
          },
          {
            "timestamp": "2026-05-28 22:01:58,209",
            "thread_id": "5448",
            "caller": "0x7ff6c28d790a",
            "parentcaller": "0x7ff6c28d76df",
            "category": "misc",
            "api": "CommandLineToArgvW",
            "status": true,
            "return": "0x29254220390",
            "arguments": [
              {
                "name": "CommandLine",
                "value": "C:\\Windows\\system32\\svchost.exe -k PrintWorkflow"
              },
              {
                "name": "NumArgs",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 9962
          },
          {
            "timestamp": "2026-05-28 22:01:58,209",
            "thread_id": "5448",
            "caller": "0x7ff6c28d760f",
            "parentcaller": "0x7ff6c28d748b",
            "category": "services",
            "api": "OpenServiceW",
            "status": true,
            "return": "0x29254737f50",
            "arguments": [
              {
                "name": "ServiceControlManager",
                "value": "0x292542431f0"
              },
              {
                "name": "ServiceName",
                "value": "UdkUserSvc_2cd62"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000005",
                "pretty_value": "SERVICE_QUERY_CONFIG|SERVICE_QUERY_STATUS"
              }
            ],
            "repeated": 0,
            "id": 9963
          },
          {
            "timestamp": "2026-05-28 22:01:58,209",
            "thread_id": "5448",
            "caller": "0x7ff6c28d790a",
            "parentcaller": "0x7ff6c28d76df",
            "category": "misc",
            "api": "CommandLineToArgvW",
            "status": true,
            "return": "0x29254220390",
            "arguments": [
              {
                "name": "CommandLine",
                "value": "C:\\Windows\\system32\\svchost.exe -k UdkSvcGroup"
              },
              {
                "name": "NumArgs",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 9964
          },
          {
            "timestamp": "2026-05-28 22:01:58,209",
            "thread_id": "5448",
            "caller": "0x7ff6c28d760f",
            "parentcaller": "0x7ff6c28d748b",
            "category": "services",
            "api": "OpenServiceW",
            "status": true,
            "return": "0x29254737ef0",
            "arguments": [
              {
                "name": "ServiceControlManager",
                "value": "0x292542431f0"
              },
              {
                "name": "ServiceName",
                "value": "UnistoreSvc_2cd62"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000005",
                "pretty_value": "SERVICE_QUERY_CONFIG|SERVICE_QUERY_STATUS"
              }
            ],
            "repeated": 0,
            "id": 9965
          },
          {
            "timestamp": "2026-05-28 22:01:58,209",
            "thread_id": "5448",
            "caller": "0x7ff6c28d790a",
            "parentcaller": "0x7ff6c28d76df",
            "category": "misc",
            "api": "CommandLineToArgvW",
            "status": true,
            "return": "0x29254220390",
            "arguments": [
              {
                "name": "CommandLine",
                "value": "C:\\Windows\\System32\\svchost.exe -k UnistackSvcGroup"
              },
              {
                "name": "NumArgs",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 9966
          },
          {
            "timestamp": "2026-05-28 22:01:58,209",
            "thread_id": "5448",
            "caller": "0x7ff6c28d760f",
            "parentcaller": "0x7ff6c28d748b",
            "category": "services",
            "api": "OpenServiceW",
            "status": true,
            "return": "0x29254737fe0",
            "arguments": [
              {
                "name": "ServiceControlManager",
                "value": "0x292542431f0"
              },
              {
                "name": "ServiceName",
                "value": "UserDataSvc_2cd62"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000005",
                "pretty_value": "SERVICE_QUERY_CONFIG|SERVICE_QUERY_STATUS"
              }
            ],
            "repeated": 0,
            "id": 9967
          },
          {
            "timestamp": "2026-05-28 22:01:58,209",
            "thread_id": "5448",
            "caller": "0x7ff6c28d790a",
            "parentcaller": "0x7ff6c28d76df",
            "category": "misc",
            "api": "CommandLineToArgvW",
            "status": true,
            "return": "0x29254220390",
            "arguments": [
              {
                "name": "CommandLine",
                "value": "C:\\Windows\\system32\\svchost.exe -k UnistackSvcGroup"
              },
              {
                "name": "NumArgs",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 9968
          },
          {
            "timestamp": "2026-05-28 22:01:58,209",
            "thread_id": "5448",
            "caller": "0x7ff6c28d760f",
            "parentcaller": "0x7ff6c28d748b",
            "category": "services",
            "api": "OpenServiceW",
            "status": true,
            "return": "0x29254737e00",
            "arguments": [
              {
                "name": "ServiceControlManager",
                "value": "0x292542431f0"
              },
              {
                "name": "ServiceName",
                "value": "WpnUserService_2cd62"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000005",
                "pretty_value": "SERVICE_QUERY_CONFIG|SERVICE_QUERY_STATUS"
              }
            ],
            "repeated": 0,
            "id": 9969
          },
          {
            "timestamp": "2026-05-28 22:01:58,209",
            "thread_id": "5448",
            "caller": "0x7ff6c28d790a",
            "parentcaller": "0x7ff6c28d76df",
            "category": "misc",
            "api": "CommandLineToArgvW",
            "status": true,
            "return": "0x29254220390",
            "arguments": [
              {
                "name": "CommandLine",
                "value": "C:\\Windows\\system32\\svchost.exe -k UnistackSvcGroup"
              },
              {
                "name": "NumArgs",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 9970
          },
          {
            "timestamp": "2026-05-28 22:01:58,209",
            "thread_id": "5448",
            "caller": "0x7ff6c28cf3b2",
            "parentcaller": "0x7ff6c28bca0d",
            "category": "services",
            "api": "OpenSCManagerW",
            "status": true,
            "return": "0x29254765700",
            "arguments": [
              {
                "name": "MachineName",
                "value": ""
              },
              {
                "name": "DatabaseName",
                "value": ""
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000004",
                "pretty_value": "SC_MANAGER_ENUMERATE_SERVICE"
              }
            ],
            "repeated": 0,
            "id": 9971
          },
          {
            "timestamp": "2026-05-28 22:01:58,209",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Users\\admin\\AppData\\Local\\Microsoft\\Windows\\Explorer\\iconcache_16.db"
              }
            ],
            "repeated": 0,
            "id": 9972
          },
          {
            "timestamp": "2026-05-28 22:01:58,209",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "filesystem",
            "api": "GetDiskFreeSpaceExW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "DirectoryName",
                "value": "C:\\Users\\admin\\AppData\\Local\\Microsoft\\Windows\\Explorer"
              }
            ],
            "repeated": 0,
            "id": 9973
          },
          {
            "timestamp": "2026-05-28 22:01:58,209",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000610"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000400",
                "pretty_value": "PROCESS_QUERY_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "7912"
              }
            ],
            "repeated": 0,
            "id": 9974
          },
          {
            "timestamp": "2026-05-28 22:01:58,209",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x000007d4"
              }
            ],
            "repeated": 0,
            "id": 9975
          },
          {
            "timestamp": "2026-05-28 22:01:58,209",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\xe9\\x17\\x9e\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\\\x06\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\xe9\\x03\\x00\\x00\\x00\\x00\\x00\\x00@]%T\\x92\\x02\\x00\\x00X\\xe9\\x17\\x9e\\xf0\\x00\\x00\\x00\\xe8p%T\\x92\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00C\\x00:\\x00\\\\x00U\\x00s\\x00e\\x00r\\x00s\\x00\\\\x00a\\x00d\\x00m\\x00i\\x00n\\x00\\\\x00A\\x00p\\x00p\\x00D\\x00a\\x00t\\x00a\\x00\\\\x00L\\x00o\\x00c\\x00a\\x00l\\x00\\\\x00M\\x00i\\x00c\\x00r\\x00o\\x00s\\x00o\\x00f\\x00t\\x00\\\\x00W\\x00"
              }
            ],
            "repeated": 0,
            "id": 9976
          },
          {
            "timestamp": "2026-05-28 22:01:58,209",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "synchronization",
            "api": "NtCreateMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000080c"
              },
              {
                "name": "MutexName",
                "value": "Global\\C::Users:admin:AppData:Local:Microsoft:Windows:Explorer:iconcache_idx.db!rwReaderRefs"
              },
              {
                "name": "InitialOwner",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 9977
          },
          {
            "timestamp": "2026-05-28 22:01:58,209",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000007d4"
              }
            ],
            "repeated": 0,
            "id": 9978
          },
          {
            "timestamp": "2026-05-28 22:01:58,209",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000610"
              }
            ],
            "repeated": 0,
            "id": 9979
          },
          {
            "timestamp": "2026-05-28 22:01:58,209",
            "thread_id": "1496",
            "caller": "0x7ff6c28cd4b8",
            "parentcaller": "0x7ff6c292ec05",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254772000"
              },
              {
                "name": "RegionSize",
                "value": "0x00009000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 9980
          },
          {
            "timestamp": "2026-05-28 22:01:58,209",
            "thread_id": "1496",
            "caller": "0x7ff6c28cd4b8",
            "parentcaller": "0x7ff6c292ec05",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2925477b000"
              },
              {
                "name": "RegionSize",
                "value": "0x00005000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 9981
          },
          {
            "timestamp": "2026-05-28 22:01:58,209",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000080c"
              }
            ],
            "repeated": 0,
            "id": 9982
          },
          {
            "timestamp": "2026-05-28 22:01:58,209",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x0000080c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000400",
                "pretty_value": "PROCESS_QUERY_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "7912"
              }
            ],
            "repeated": 0,
            "id": 9983
          },
          {
            "timestamp": "2026-05-28 22:01:58,209",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x00000610"
              }
            ],
            "repeated": 0,
            "id": 9984
          },
          {
            "timestamp": "2026-05-28 22:01:58,209",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xa0\\xe9\\x17\\x9e\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\\\x00E\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\xe9\\x03\\x00\\x00c\\x00h\\x00e\\x00_\\x001\\x006\\x00.\\x00d\\x00b\\x00\\x00\\x00\\xe8\\xe9\\x17\\x9e\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00,\\x00\\x00\\x00\\xfc\\x7f\\x00\\x00\\x01\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\xea\\x17\\x9e\\xf0\\x00\\x00\\x00\\x02\\x00P\\x00\\x01\\x00\\x00\\x00\\x00\\x00$\\x00\\x00\\x00\\x00\\x10\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec"
              }
            ],
            "repeated": 0,
            "id": 9985
          },
          {
            "timestamp": "2026-05-28 22:01:58,209",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "synchronization",
            "api": "NtCreateMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000808"
              },
              {
                "name": "MutexName",
                "value": "Global\\C::Users:admin:AppData:Local:Microsoft:Windows:Explorer:iconcache_idx.db!rwReaderRefs"
              },
              {
                "name": "InitialOwner",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 9986
          },
          {
            "timestamp": "2026-05-28 22:01:58,209",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000610"
              }
            ],
            "repeated": 0,
            "id": 9987
          },
          {
            "timestamp": "2026-05-28 22:01:58,209",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000080c"
              }
            ],
            "repeated": 0,
            "id": 9988
          },
          {
            "timestamp": "2026-05-28 22:01:58,209",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000808"
              }
            ],
            "repeated": 0,
            "id": 9989
          },
          {
            "timestamp": "2026-05-28 22:01:58,209",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000808"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000400",
                "pretty_value": "PROCESS_QUERY_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "7912"
              }
            ],
            "repeated": 0,
            "id": 9990
          },
          {
            "timestamp": "2026-05-28 22:01:58,209",
            "thread_id": "1496",
            "caller": "0x7ff6c29155ca",
            "parentcaller": "0x7ff6c2915b99",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254780000"
              },
              {
                "name": "RegionSize",
                "value": "0x00005000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 9991
          },
          {
            "timestamp": "2026-05-28 22:01:58,209",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x0000080c"
              }
            ],
            "repeated": 0,
            "id": 9992
          },
          {
            "timestamp": "2026-05-28 22:01:58,209",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\xe9\\x17\\x9e\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\\\x06\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\xe9\\x03\\x00\\x00\\x00\\x00\\x00\\x00@]%T\\x92\\x02\\x00\\x00X\\xe9\\x17\\x9e\\xf0\\x00\\x00\\x00\\xe8p%T\\x92\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00C\\x00:\\x00\\\\x00U\\x00s\\x00e\\x00r\\x00s\\x00\\\\x00a\\x00d\\x00m\\x00i\\x00n\\x00\\\\x00A\\x00p\\x00p\\x00D\\x00a\\x00t\\x00a\\x00\\\\x00L\\x00o\\x00c\\x00a\\x00l\\x00\\\\x00M\\x00i\\x00c\\x00r\\x00o\\x00s\\x00o\\x00f\\x00t\\x00\\\\x00W\\x00"
              }
            ],
            "repeated": 0,
            "id": 9993
          },
          {
            "timestamp": "2026-05-28 22:01:58,209",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "synchronization",
            "api": "NtCreateMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000610"
              },
              {
                "name": "MutexName",
                "value": "Global\\C::Users:admin:AppData:Local:Microsoft:Windows:Explorer:iconcache_idx.db!rwReaderRefs"
              },
              {
                "name": "InitialOwner",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 9994
          },
          {
            "timestamp": "2026-05-28 22:01:58,209",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000080c"
              }
            ],
            "repeated": 0,
            "id": 9995
          },
          {
            "timestamp": "2026-05-28 22:01:58,209",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000808"
              }
            ],
            "repeated": 0,
            "id": 9996
          },
          {
            "timestamp": "2026-05-28 22:01:58,209",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000610"
              }
            ],
            "repeated": 0,
            "id": 9997
          },
          {
            "timestamp": "2026-05-28 22:01:58,209",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000610"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000400",
                "pretty_value": "PROCESS_QUERY_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "7912"
              }
            ],
            "repeated": 0,
            "id": 9998
          },
          {
            "timestamp": "2026-05-28 22:01:58,209",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x00000808"
              }
            ],
            "repeated": 0,
            "id": 9999
          },
          {
            "timestamp": "2026-05-28 22:01:58,209",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xa0\\xe9\\x17\\x9e\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\\\x00E\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\xe9\\x03\\x00\\x00c\\x00h\\x00e\\x00_\\x001\\x006\\x00.\\x00d\\x00b\\x00\\x00\\x00\\xe8\\xe9\\x17\\x9e\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00,\\x00\\x00\\x00\\xfc\\x7f\\x00\\x00\\x01\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\xea\\x17\\x9e\\xf0\\x00\\x00\\x00\\x02\\x00P\\x00\\x01\\x00\\x00\\x00\\x00\\x00$\\x00\\x00\\x00\\x00\\x10\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec"
              }
            ],
            "repeated": 0,
            "id": 10000
          },
          {
            "timestamp": "2026-05-28 22:01:58,209",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "synchronization",
            "api": "NtCreateMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000080c"
              },
              {
                "name": "MutexName",
                "value": "Global\\C::Users:admin:AppData:Local:Microsoft:Windows:Explorer:iconcache_idx.db!rwReaderRefs"
              },
              {
                "name": "InitialOwner",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 10001
          },
          {
            "timestamp": "2026-05-28 22:01:58,209",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000808"
              }
            ],
            "repeated": 0,
            "id": 10002
          },
          {
            "timestamp": "2026-05-28 22:01:58,209",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000610"
              }
            ],
            "repeated": 0,
            "id": 10003
          },
          {
            "timestamp": "2026-05-28 22:01:58,209",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000080c"
              }
            ],
            "repeated": 0,
            "id": 10004
          },
          {
            "timestamp": "2026-05-28 22:01:58,209",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x0000080c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000400",
                "pretty_value": "PROCESS_QUERY_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "7912"
              }
            ],
            "repeated": 0,
            "id": 10005
          },
          {
            "timestamp": "2026-05-28 22:01:58,209",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x00000610"
              }
            ],
            "repeated": 0,
            "id": 10006
          },
          {
            "timestamp": "2026-05-28 22:01:58,209",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\xe9\\x17\\x9e\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\\\x06\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\xe9\\x03\\x00\\x00\\x00\\x00\\x00\\x00@]%T\\x92\\x02\\x00\\x00X\\xe9\\x17\\x9e\\xf0\\x00\\x00\\x00\\xe8p%T\\x92\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00C\\x00:\\x00\\\\x00U\\x00s\\x00e\\x00r\\x00s\\x00\\\\x00a\\x00d\\x00m\\x00i\\x00n\\x00\\\\x00A\\x00p\\x00p\\x00D\\x00a\\x00t\\x00a\\x00\\\\x00L\\x00o\\x00c\\x00a\\x00l\\x00\\\\x00M\\x00i\\x00c\\x00r\\x00o\\x00s\\x00o\\x00f\\x00t\\x00\\\\x00W\\x00"
              }
            ],
            "repeated": 0,
            "id": 10007
          },
          {
            "timestamp": "2026-05-28 22:01:58,209",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "synchronization",
            "api": "NtCreateMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000808"
              },
              {
                "name": "MutexName",
                "value": "Global\\C::Users:admin:AppData:Local:Microsoft:Windows:Explorer:iconcache_idx.db!rwReaderRefs"
              },
              {
                "name": "InitialOwner",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 10008
          },
          {
            "timestamp": "2026-05-28 22:01:58,209",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000610"
              }
            ],
            "repeated": 0,
            "id": 10009
          },
          {
            "timestamp": "2026-05-28 22:01:58,209",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000080c"
              }
            ],
            "repeated": 0,
            "id": 10010
          },
          {
            "timestamp": "2026-05-28 22:01:58,209",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000808"
              }
            ],
            "repeated": 0,
            "id": 10011
          },
          {
            "timestamp": "2026-05-28 22:01:58,209",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000808"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000400",
                "pretty_value": "PROCESS_QUERY_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "7912"
              }
            ],
            "repeated": 0,
            "id": 10012
          },
          {
            "timestamp": "2026-05-28 22:01:58,209",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x0000080c"
              }
            ],
            "repeated": 0,
            "id": 10013
          },
          {
            "timestamp": "2026-05-28 22:01:58,209",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xa0\\xe9\\x17\\x9e\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\\\x00E\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\xe9\\x03\\x00\\x00c\\x00h\\x00e\\x00_\\x001\\x006\\x00.\\x00d\\x00b\\x00\\x00\\x00\\xe8\\xe9\\x17\\x9e\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00,\\x00\\x00\\x00\\xfc\\x7f\\x00\\x00\\x01\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\xea\\x17\\x9e\\xf0\\x00\\x00\\x00\\x02\\x00P\\x00\\x01\\x00\\x00\\x00\\x00\\x00$\\x00\\x00\\x00\\x00\\x10\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec"
              }
            ],
            "repeated": 0,
            "id": 10014
          },
          {
            "timestamp": "2026-05-28 22:01:58,209",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "synchronization",
            "api": "NtCreateMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000610"
              },
              {
                "name": "MutexName",
                "value": "Global\\C::Users:admin:AppData:Local:Microsoft:Windows:Explorer:iconcache_idx.db!rwReaderRefs"
              },
              {
                "name": "InitialOwner",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 10015
          },
          {
            "timestamp": "2026-05-28 22:01:58,209",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000080c"
              }
            ],
            "repeated": 0,
            "id": 10016
          },
          {
            "timestamp": "2026-05-28 22:01:58,209",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000808"
              }
            ],
            "repeated": 0,
            "id": 10017
          },
          {
            "timestamp": "2026-05-28 22:01:58,209",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000610"
              }
            ],
            "repeated": 0,
            "id": 10018
          },
          {
            "timestamp": "2026-05-28 22:01:58,209",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000610"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000400",
                "pretty_value": "PROCESS_QUERY_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "7912"
              }
            ],
            "repeated": 0,
            "id": 10019
          },
          {
            "timestamp": "2026-05-28 22:01:58,209",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x00000808"
              }
            ],
            "repeated": 0,
            "id": 10020
          },
          {
            "timestamp": "2026-05-28 22:01:58,209",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\xe9\\x17\\x9e\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\\\x06\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\xe9\\x03\\x00\\x00\\x00\\x00\\x00\\x00@]%T\\x92\\x02\\x00\\x00X\\xe9\\x17\\x9e\\xf0\\x00\\x00\\x00\\xe8p%T\\x92\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00C\\x00:\\x00\\\\x00U\\x00s\\x00e\\x00r\\x00s\\x00\\\\x00a\\x00d\\x00m\\x00i\\x00n\\x00\\\\x00A\\x00p\\x00p\\x00D\\x00a\\x00t\\x00a\\x00\\\\x00L\\x00o\\x00c\\x00a\\x00l\\x00\\\\x00M\\x00i\\x00c\\x00r\\x00o\\x00s\\x00o\\x00f\\x00t\\x00\\\\x00W\\x00"
              }
            ],
            "repeated": 0,
            "id": 10021
          },
          {
            "timestamp": "2026-05-28 22:01:58,209",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "synchronization",
            "api": "NtCreateMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000080c"
              },
              {
                "name": "MutexName",
                "value": "Global\\C::Users:admin:AppData:Local:Microsoft:Windows:Explorer:iconcache_idx.db!rwReaderRefs"
              },
              {
                "name": "InitialOwner",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 10022
          },
          {
            "timestamp": "2026-05-28 22:01:58,209",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000808"
              }
            ],
            "repeated": 0,
            "id": 10023
          },
          {
            "timestamp": "2026-05-28 22:01:58,209",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000610"
              }
            ],
            "repeated": 0,
            "id": 10024
          },
          {
            "timestamp": "2026-05-28 22:01:58,209",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000080c"
              }
            ],
            "repeated": 0,
            "id": 10025
          },
          {
            "timestamp": "2026-05-28 22:01:58,209",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x0000080c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000400",
                "pretty_value": "PROCESS_QUERY_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "7912"
              }
            ],
            "repeated": 0,
            "id": 10026
          },
          {
            "timestamp": "2026-05-28 22:01:58,209",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x00000610"
              }
            ],
            "repeated": 0,
            "id": 10027
          },
          {
            "timestamp": "2026-05-28 22:01:58,209",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xa0\\xe9\\x17\\x9e\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\\\x00E\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\xe9\\x03\\x00\\x00c\\x00h\\x00e\\x00_\\x001\\x006\\x00.\\x00d\\x00b\\x00\\x00\\x00\\xe8\\xe9\\x17\\x9e\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00,\\x00\\x00\\x00\\xfc\\x7f\\x00\\x00\\x01\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\xea\\x17\\x9e\\xf0\\x00\\x00\\x00\\x02\\x00P\\x00\\x01\\x00\\x00\\x00\\x00\\x00$\\x00\\x00\\x00\\x00\\x10\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec"
              }
            ],
            "repeated": 0,
            "id": 10028
          },
          {
            "timestamp": "2026-05-28 22:01:58,209",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "synchronization",
            "api": "NtCreateMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000808"
              },
              {
                "name": "MutexName",
                "value": "Global\\C::Users:admin:AppData:Local:Microsoft:Windows:Explorer:iconcache_idx.db!rwReaderRefs"
              },
              {
                "name": "InitialOwner",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 10029
          },
          {
            "timestamp": "2026-05-28 22:01:58,209",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000610"
              }
            ],
            "repeated": 0,
            "id": 10030
          },
          {
            "timestamp": "2026-05-28 22:01:58,209",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000080c"
              }
            ],
            "repeated": 0,
            "id": 10031
          },
          {
            "timestamp": "2026-05-28 22:01:58,209",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000808"
              }
            ],
            "repeated": 0,
            "id": 10032
          },
          {
            "timestamp": "2026-05-28 22:01:58,209",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000808"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000400",
                "pretty_value": "PROCESS_QUERY_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "7912"
              }
            ],
            "repeated": 0,
            "id": 10033
          },
          {
            "timestamp": "2026-05-28 22:01:58,209",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x0000080c"
              }
            ],
            "repeated": 0,
            "id": 10034
          },
          {
            "timestamp": "2026-05-28 22:01:58,209",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\xe9\\x17\\x9e\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\\\x06\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\xe9\\x03\\x00\\x00\\x00\\x00\\x00\\x00@]%T\\x92\\x02\\x00\\x00X\\xe9\\x17\\x9e\\xf0\\x00\\x00\\x00\\xe8p%T\\x92\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00C\\x00:\\x00\\\\x00U\\x00s\\x00e\\x00r\\x00s\\x00\\\\x00a\\x00d\\x00m\\x00i\\x00n\\x00\\\\x00A\\x00p\\x00p\\x00D\\x00a\\x00t\\x00a\\x00\\\\x00L\\x00o\\x00c\\x00a\\x00l\\x00\\\\x00M\\x00i\\x00c\\x00r\\x00o\\x00s\\x00o\\x00f\\x00t\\x00\\\\x00W\\x00"
              }
            ],
            "repeated": 0,
            "id": 10035
          },
          {
            "timestamp": "2026-05-28 22:01:58,209",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "synchronization",
            "api": "NtCreateMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000610"
              },
              {
                "name": "MutexName",
                "value": "Global\\C::Users:admin:AppData:Local:Microsoft:Windows:Explorer:iconcache_idx.db!rwReaderRefs"
              },
              {
                "name": "InitialOwner",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 10036
          },
          {
            "timestamp": "2026-05-28 22:01:58,209",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000080c"
              }
            ],
            "repeated": 0,
            "id": 10037
          },
          {
            "timestamp": "2026-05-28 22:01:58,209",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000808"
              }
            ],
            "repeated": 0,
            "id": 10038
          },
          {
            "timestamp": "2026-05-28 22:01:58,209",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000610"
              }
            ],
            "repeated": 0,
            "id": 10039
          },
          {
            "timestamp": "2026-05-28 22:01:58,209",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000610"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000400",
                "pretty_value": "PROCESS_QUERY_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "7912"
              }
            ],
            "repeated": 0,
            "id": 10040
          },
          {
            "timestamp": "2026-05-28 22:01:58,209",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x00000808"
              }
            ],
            "repeated": 0,
            "id": 10041
          },
          {
            "timestamp": "2026-05-28 22:01:58,209",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xa0\\xe9\\x17\\x9e\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\\\x00E\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\xe9\\x03\\x00\\x00c\\x00h\\x00e\\x00_\\x001\\x006\\x00.\\x00d\\x00b\\x00\\x00\\x00\\xe8\\xe9\\x17\\x9e\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00,\\x00\\x00\\x00\\xfc\\x7f\\x00\\x00\\x01\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\xea\\x17\\x9e\\xf0\\x00\\x00\\x00\\x02\\x00P\\x00\\x01\\x00\\x00\\x00\\x00\\x00$\\x00\\x00\\x00\\x00\\x10\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec"
              }
            ],
            "repeated": 0,
            "id": 10042
          },
          {
            "timestamp": "2026-05-28 22:01:58,209",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "synchronization",
            "api": "NtCreateMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000080c"
              },
              {
                "name": "MutexName",
                "value": "Global\\C::Users:admin:AppData:Local:Microsoft:Windows:Explorer:iconcache_idx.db!rwReaderRefs"
              },
              {
                "name": "InitialOwner",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 10043
          },
          {
            "timestamp": "2026-05-28 22:01:58,209",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000808"
              }
            ],
            "repeated": 0,
            "id": 10044
          },
          {
            "timestamp": "2026-05-28 22:01:58,209",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000610"
              }
            ],
            "repeated": 0,
            "id": 10045
          },
          {
            "timestamp": "2026-05-28 22:01:58,209",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000080c"
              }
            ],
            "repeated": 0,
            "id": 10046
          },
          {
            "timestamp": "2026-05-28 22:01:58,209",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x0000080c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000400",
                "pretty_value": "PROCESS_QUERY_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "7912"
              }
            ],
            "repeated": 0,
            "id": 10047
          },
          {
            "timestamp": "2026-05-28 22:01:58,209",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x00000610"
              }
            ],
            "repeated": 0,
            "id": 10048
          },
          {
            "timestamp": "2026-05-28 22:01:58,209",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\xe9\\x17\\x9e\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\\\x06\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\xe9\\x03\\x00\\x00\\x00\\x00\\x00\\x00@]%T\\x92\\x02\\x00\\x00X\\xe9\\x17\\x9e\\xf0\\x00\\x00\\x00\\xe8p%T\\x92\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00C\\x00:\\x00\\\\x00U\\x00s\\x00e\\x00r\\x00s\\x00\\\\x00a\\x00d\\x00m\\x00i\\x00n\\x00\\\\x00A\\x00p\\x00p\\x00D\\x00a\\x00t\\x00a\\x00\\\\x00L\\x00o\\x00c\\x00a\\x00l\\x00\\\\x00M\\x00i\\x00c\\x00r\\x00o\\x00s\\x00o\\x00f\\x00t\\x00\\\\x00W\\x00"
              }
            ],
            "repeated": 0,
            "id": 10049
          },
          {
            "timestamp": "2026-05-28 22:01:58,209",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "synchronization",
            "api": "NtCreateMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000808"
              },
              {
                "name": "MutexName",
                "value": "Global\\C::Users:admin:AppData:Local:Microsoft:Windows:Explorer:iconcache_idx.db!rwReaderRefs"
              },
              {
                "name": "InitialOwner",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 10050
          },
          {
            "timestamp": "2026-05-28 22:01:58,209",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000610"
              }
            ],
            "repeated": 0,
            "id": 10051
          },
          {
            "timestamp": "2026-05-28 22:01:58,209",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000080c"
              }
            ],
            "repeated": 0,
            "id": 10052
          },
          {
            "timestamp": "2026-05-28 22:01:58,209",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000808"
              }
            ],
            "repeated": 0,
            "id": 10053
          },
          {
            "timestamp": "2026-05-28 22:01:58,209",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000808"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000400",
                "pretty_value": "PROCESS_QUERY_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "7912"
              }
            ],
            "repeated": 0,
            "id": 10054
          },
          {
            "timestamp": "2026-05-28 22:01:58,209",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x0000080c"
              }
            ],
            "repeated": 0,
            "id": 10055
          },
          {
            "timestamp": "2026-05-28 22:01:58,209",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xa0\\xe9\\x17\\x9e\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\\\x00E\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\xe9\\x03\\x00\\x00c\\x00h\\x00e\\x00_\\x001\\x006\\x00.\\x00d\\x00b\\x00\\x00\\x00\\xe8\\xe9\\x17\\x9e\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00,\\x00\\x00\\x00\\xfc\\x7f\\x00\\x00\\x01\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\xea\\x17\\x9e\\xf0\\x00\\x00\\x00\\x02\\x00P\\x00\\x01\\x00\\x00\\x00\\x00\\x00$\\x00\\x00\\x00\\x00\\x10\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec"
              }
            ],
            "repeated": 0,
            "id": 10056
          },
          {
            "timestamp": "2026-05-28 22:01:58,209",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "synchronization",
            "api": "NtCreateMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000610"
              },
              {
                "name": "MutexName",
                "value": "Global\\C::Users:admin:AppData:Local:Microsoft:Windows:Explorer:iconcache_idx.db!rwReaderRefs"
              },
              {
                "name": "InitialOwner",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 10057
          },
          {
            "timestamp": "2026-05-28 22:01:58,209",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000080c"
              }
            ],
            "repeated": 0,
            "id": 10058
          },
          {
            "timestamp": "2026-05-28 22:01:58,209",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000808"
              }
            ],
            "repeated": 0,
            "id": 10059
          },
          {
            "timestamp": "2026-05-28 22:01:58,209",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000610"
              }
            ],
            "repeated": 0,
            "id": 10060
          },
          {
            "timestamp": "2026-05-28 22:01:58,209",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000610"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000400",
                "pretty_value": "PROCESS_QUERY_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "7912"
              }
            ],
            "repeated": 0,
            "id": 10061
          },
          {
            "timestamp": "2026-05-28 22:01:58,209",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x00000808"
              }
            ],
            "repeated": 0,
            "id": 10062
          },
          {
            "timestamp": "2026-05-28 22:01:58,209",
            "thread_id": "1496",
            "caller": "0x7ff6c28da4af",
            "parentcaller": "0x7ff6c28cd4b8",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254785000"
              },
              {
                "name": "RegionSize",
                "value": "0x00009000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 10063
          },
          {
            "timestamp": "2026-05-28 22:01:58,209",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\xe9\\x17\\x9e\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\\\x06\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\xe9\\x03\\x00\\x00\\x00\\x00\\x00\\x00@]%T\\x92\\x02\\x00\\x00X\\xe9\\x17\\x9e\\xf0\\x00\\x00\\x00\\xe8p%T\\x92\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00C\\x00:\\x00\\\\x00U\\x00s\\x00e\\x00r\\x00s\\x00\\\\x00a\\x00d\\x00m\\x00i\\x00n\\x00\\\\x00A\\x00p\\x00p\\x00D\\x00a\\x00t\\x00a\\x00\\\\x00L\\x00o\\x00c\\x00a\\x00l\\x00\\\\x00M\\x00i\\x00c\\x00r\\x00o\\x00s\\x00o\\x00f\\x00t\\x00\\\\x00W\\x00"
              }
            ],
            "repeated": 0,
            "id": 10064
          },
          {
            "timestamp": "2026-05-28 22:01:58,209",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "synchronization",
            "api": "NtCreateMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000080c"
              },
              {
                "name": "MutexName",
                "value": "Global\\C::Users:admin:AppData:Local:Microsoft:Windows:Explorer:iconcache_idx.db!rwReaderRefs"
              },
              {
                "name": "InitialOwner",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 10065
          },
          {
            "timestamp": "2026-05-28 22:01:58,209",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000808"
              }
            ],
            "repeated": 0,
            "id": 10066
          },
          {
            "timestamp": "2026-05-28 22:01:58,209",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000610"
              }
            ],
            "repeated": 0,
            "id": 10067
          },
          {
            "timestamp": "2026-05-28 22:01:58,209",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000080c"
              }
            ],
            "repeated": 0,
            "id": 10068
          },
          {
            "timestamp": "2026-05-28 22:01:58,209",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x0000080c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000400",
                "pretty_value": "PROCESS_QUERY_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "7912"
              }
            ],
            "repeated": 0,
            "id": 10069
          },
          {
            "timestamp": "2026-05-28 22:01:58,209",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x00000610"
              }
            ],
            "repeated": 0,
            "id": 10070
          },
          {
            "timestamp": "2026-05-28 22:01:58,209",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xa0\\xe9\\x17\\x9e\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\\\x00E\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\xe9\\x03\\x00\\x00c\\x00h\\x00e\\x00_\\x001\\x006\\x00.\\x00d\\x00b\\x00\\x00\\x00\\xe8\\xe9\\x17\\x9e\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00,\\x00\\x00\\x00\\xfc\\x7f\\x00\\x00\\x01\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\xea\\x17\\x9e\\xf0\\x00\\x00\\x00\\x02\\x00P\\x00\\x01\\x00\\x00\\x00\\x00\\x00$\\x00\\x00\\x00\\x00\\x10\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec"
              }
            ],
            "repeated": 0,
            "id": 10071
          },
          {
            "timestamp": "2026-05-28 22:01:58,209",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "synchronization",
            "api": "NtCreateMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000808"
              },
              {
                "name": "MutexName",
                "value": "Global\\C::Users:admin:AppData:Local:Microsoft:Windows:Explorer:iconcache_idx.db!rwReaderRefs"
              },
              {
                "name": "InitialOwner",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 10072
          },
          {
            "timestamp": "2026-05-28 22:01:58,209",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000610"
              }
            ],
            "repeated": 0,
            "id": 10073
          },
          {
            "timestamp": "2026-05-28 22:01:58,209",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000080c"
              }
            ],
            "repeated": 0,
            "id": 10074
          },
          {
            "timestamp": "2026-05-28 22:01:58,209",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000808"
              }
            ],
            "repeated": 0,
            "id": 10075
          },
          {
            "timestamp": "2026-05-28 22:01:58,209",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000808"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000400",
                "pretty_value": "PROCESS_QUERY_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "7912"
              }
            ],
            "repeated": 0,
            "id": 10076
          },
          {
            "timestamp": "2026-05-28 22:01:58,209",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x0000080c"
              }
            ],
            "repeated": 0,
            "id": 10077
          },
          {
            "timestamp": "2026-05-28 22:01:58,209",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\xe9\\x17\\x9e\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\\\x06\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\xe9\\x03\\x00\\x00\\x00\\x00\\x00\\x00@]%T\\x92\\x02\\x00\\x00X\\xe9\\x17\\x9e\\xf0\\x00\\x00\\x00\\xe8p%T\\x92\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00C\\x00:\\x00\\\\x00U\\x00s\\x00e\\x00r\\x00s\\x00\\\\x00a\\x00d\\x00m\\x00i\\x00n\\x00\\\\x00A\\x00p\\x00p\\x00D\\x00a\\x00t\\x00a\\x00\\\\x00L\\x00o\\x00c\\x00a\\x00l\\x00\\\\x00M\\x00i\\x00c\\x00r\\x00o\\x00s\\x00o\\x00f\\x00t\\x00\\\\x00W\\x00"
              }
            ],
            "repeated": 0,
            "id": 10078
          },
          {
            "timestamp": "2026-05-28 22:01:58,209",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "synchronization",
            "api": "NtCreateMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000610"
              },
              {
                "name": "MutexName",
                "value": "Global\\C::Users:admin:AppData:Local:Microsoft:Windows:Explorer:iconcache_idx.db!rwReaderRefs"
              },
              {
                "name": "InitialOwner",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 10079
          },
          {
            "timestamp": "2026-05-28 22:01:58,209",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000080c"
              }
            ],
            "repeated": 0,
            "id": 10080
          },
          {
            "timestamp": "2026-05-28 22:01:58,209",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000808"
              }
            ],
            "repeated": 0,
            "id": 10081
          },
          {
            "timestamp": "2026-05-28 22:01:58,209",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000610"
              }
            ],
            "repeated": 0,
            "id": 10082
          },
          {
            "timestamp": "2026-05-28 22:01:58,209",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000610"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000400",
                "pretty_value": "PROCESS_QUERY_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "7912"
              }
            ],
            "repeated": 0,
            "id": 10083
          },
          {
            "timestamp": "2026-05-28 22:01:58,209",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x00000808"
              }
            ],
            "repeated": 0,
            "id": 10084
          },
          {
            "timestamp": "2026-05-28 22:01:58,209",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xa0\\xe9\\x17\\x9e\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\\\x00E\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\xe9\\x03\\x00\\x00c\\x00h\\x00e\\x00_\\x001\\x006\\x00.\\x00d\\x00b\\x00\\x00\\x00\\xe8\\xe9\\x17\\x9e\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00,\\x00\\x00\\x00\\xfc\\x7f\\x00\\x00\\x01\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\xea\\x17\\x9e\\xf0\\x00\\x00\\x00\\x02\\x00P\\x00\\x01\\x00\\x00\\x00\\x00\\x00$\\x00\\x00\\x00\\x00\\x10\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec"
              }
            ],
            "repeated": 0,
            "id": 10085
          },
          {
            "timestamp": "2026-05-28 22:01:58,209",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "synchronization",
            "api": "NtCreateMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000080c"
              },
              {
                "name": "MutexName",
                "value": "Global\\C::Users:admin:AppData:Local:Microsoft:Windows:Explorer:iconcache_idx.db!rwReaderRefs"
              },
              {
                "name": "InitialOwner",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 10086
          },
          {
            "timestamp": "2026-05-28 22:01:58,209",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000808"
              }
            ],
            "repeated": 0,
            "id": 10087
          },
          {
            "timestamp": "2026-05-28 22:01:58,209",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000610"
              }
            ],
            "repeated": 0,
            "id": 10088
          },
          {
            "timestamp": "2026-05-28 22:01:58,209",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000080c"
              }
            ],
            "repeated": 0,
            "id": 10089
          },
          {
            "timestamp": "2026-05-28 22:01:58,209",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x0000080c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000400",
                "pretty_value": "PROCESS_QUERY_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "7912"
              }
            ],
            "repeated": 0,
            "id": 10090
          },
          {
            "timestamp": "2026-05-28 22:01:58,209",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x00000610"
              }
            ],
            "repeated": 0,
            "id": 10091
          },
          {
            "timestamp": "2026-05-28 22:01:58,209",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\xe9\\x17\\x9e\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\\\x06\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\xe9\\x03\\x00\\x00\\x00\\x00\\x00\\x00@]%T\\x92\\x02\\x00\\x00X\\xe9\\x17\\x9e\\xf0\\x00\\x00\\x00\\xe8p%T\\x92\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00C\\x00:\\x00\\\\x00U\\x00s\\x00e\\x00r\\x00s\\x00\\\\x00a\\x00d\\x00m\\x00i\\x00n\\x00\\\\x00A\\x00p\\x00p\\x00D\\x00a\\x00t\\x00a\\x00\\\\x00L\\x00o\\x00c\\x00a\\x00l\\x00\\\\x00M\\x00i\\x00c\\x00r\\x00o\\x00s\\x00o\\x00f\\x00t\\x00\\\\x00W\\x00"
              }
            ],
            "repeated": 0,
            "id": 10092
          },
          {
            "timestamp": "2026-05-28 22:01:58,209",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "synchronization",
            "api": "NtCreateMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000808"
              },
              {
                "name": "MutexName",
                "value": "Global\\C::Users:admin:AppData:Local:Microsoft:Windows:Explorer:iconcache_idx.db!rwReaderRefs"
              },
              {
                "name": "InitialOwner",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 10093
          },
          {
            "timestamp": "2026-05-28 22:01:58,209",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000610"
              }
            ],
            "repeated": 0,
            "id": 10094
          },
          {
            "timestamp": "2026-05-28 22:01:58,209",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000080c"
              }
            ],
            "repeated": 0,
            "id": 10095
          },
          {
            "timestamp": "2026-05-28 22:01:58,209",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000808"
              }
            ],
            "repeated": 0,
            "id": 10096
          },
          {
            "timestamp": "2026-05-28 22:01:58,209",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000808"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000400",
                "pretty_value": "PROCESS_QUERY_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "7912"
              }
            ],
            "repeated": 0,
            "id": 10097
          },
          {
            "timestamp": "2026-05-28 22:01:58,209",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x0000080c"
              }
            ],
            "repeated": 0,
            "id": 10098
          },
          {
            "timestamp": "2026-05-28 22:01:58,209",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xa0\\xe9\\x17\\x9e\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\\\x00E\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\xe9\\x03\\x00\\x00c\\x00h\\x00e\\x00_\\x001\\x006\\x00.\\x00d\\x00b\\x00\\x00\\x00\\xe8\\xe9\\x17\\x9e\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00,\\x00\\x00\\x00\\xfc\\x7f\\x00\\x00\\x01\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\xea\\x17\\x9e\\xf0\\x00\\x00\\x00\\x02\\x00P\\x00\\x01\\x00\\x00\\x00\\x00\\x00$\\x00\\x00\\x00\\x00\\x10\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec"
              }
            ],
            "repeated": 0,
            "id": 10099
          },
          {
            "timestamp": "2026-05-28 22:01:58,209",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "synchronization",
            "api": "NtCreateMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000610"
              },
              {
                "name": "MutexName",
                "value": "Global\\C::Users:admin:AppData:Local:Microsoft:Windows:Explorer:iconcache_idx.db!rwReaderRefs"
              },
              {
                "name": "InitialOwner",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 10100
          },
          {
            "timestamp": "2026-05-28 22:01:58,209",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000080c"
              }
            ],
            "repeated": 0,
            "id": 10101
          },
          {
            "timestamp": "2026-05-28 22:01:58,209",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000808"
              }
            ],
            "repeated": 0,
            "id": 10102
          },
          {
            "timestamp": "2026-05-28 22:01:58,209",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000610"
              }
            ],
            "repeated": 0,
            "id": 10103
          },
          {
            "timestamp": "2026-05-28 22:01:58,209",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000610"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000400",
                "pretty_value": "PROCESS_QUERY_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "7912"
              }
            ],
            "repeated": 0,
            "id": 10104
          },
          {
            "timestamp": "2026-05-28 22:01:58,209",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x00000808"
              }
            ],
            "repeated": 0,
            "id": 10105
          },
          {
            "timestamp": "2026-05-28 22:01:58,209",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\xe9\\x17\\x9e\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\\\x06\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\xe9\\x03\\x00\\x00\\x00\\x00\\x00\\x00@]%T\\x92\\x02\\x00\\x00X\\xe9\\x17\\x9e\\xf0\\x00\\x00\\x00\\xe8p%T\\x92\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00C\\x00:\\x00\\\\x00U\\x00s\\x00e\\x00r\\x00s\\x00\\\\x00a\\x00d\\x00m\\x00i\\x00n\\x00\\\\x00A\\x00p\\x00p\\x00D\\x00a\\x00t\\x00a\\x00\\\\x00L\\x00o\\x00c\\x00a\\x00l\\x00\\\\x00M\\x00i\\x00c\\x00r\\x00o\\x00s\\x00o\\x00f\\x00t\\x00\\\\x00W\\x00"
              }
            ],
            "repeated": 0,
            "id": 10106
          },
          {
            "timestamp": "2026-05-28 22:01:58,209",
            "thread_id": "1496",
            "caller": "0x7ff6c2931323",
            "parentcaller": "0x7ff6c2930854",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2925478e000"
              },
              {
                "name": "RegionSize",
                "value": "0x00011000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 10107
          },
          {
            "timestamp": "2026-05-28 22:01:58,209",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000808"
              }
            ],
            "repeated": 0,
            "id": 10108
          },
          {
            "timestamp": "2026-05-28 22:01:58,209",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000610"
              }
            ],
            "repeated": 0,
            "id": 10109
          },
          {
            "timestamp": "2026-05-28 22:01:58,209",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000080c"
              }
            ],
            "repeated": 0,
            "id": 10110
          },
          {
            "timestamp": "2026-05-28 22:01:58,209",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x0000080c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000400",
                "pretty_value": "PROCESS_QUERY_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "7912"
              }
            ],
            "repeated": 0,
            "id": 10111
          },
          {
            "timestamp": "2026-05-28 22:01:58,209",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x00000610"
              }
            ],
            "repeated": 0,
            "id": 10112
          },
          {
            "timestamp": "2026-05-28 22:01:58,209",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xa0\\xe9\\x17\\x9e\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\\\x00E\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\xe9\\x03\\x00\\x00c\\x00h\\x00e\\x00_\\x001\\x006\\x00.\\x00d\\x00b\\x00\\x00\\x00\\xe8\\xe9\\x17\\x9e\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00,\\x00\\x00\\x00\\xfc\\x7f\\x00\\x00\\x01\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\xea\\x17\\x9e\\xf0\\x00\\x00\\x00\\x02\\x00P\\x00\\x01\\x00\\x00\\x00\\x00\\x00$\\x00\\x00\\x00\\x00\\x10\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec"
              }
            ],
            "repeated": 0,
            "id": 10113
          },
          {
            "timestamp": "2026-05-28 22:01:58,209",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "synchronization",
            "api": "NtCreateMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000808"
              },
              {
                "name": "MutexName",
                "value": "Global\\C::Users:admin:AppData:Local:Microsoft:Windows:Explorer:iconcache_idx.db!rwReaderRefs"
              },
              {
                "name": "InitialOwner",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 10114
          },
          {
            "timestamp": "2026-05-28 22:01:58,209",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000610"
              }
            ],
            "repeated": 0,
            "id": 10115
          },
          {
            "timestamp": "2026-05-28 22:01:58,209",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000080c"
              }
            ],
            "repeated": 0,
            "id": 10116
          },
          {
            "timestamp": "2026-05-28 22:01:58,209",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000808"
              }
            ],
            "repeated": 0,
            "id": 10117
          },
          {
            "timestamp": "2026-05-28 22:01:58,209",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000808"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000400",
                "pretty_value": "PROCESS_QUERY_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "7912"
              }
            ],
            "repeated": 0,
            "id": 10118
          },
          {
            "timestamp": "2026-05-28 22:01:58,209",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x0000080c"
              }
            ],
            "repeated": 0,
            "id": 10119
          },
          {
            "timestamp": "2026-05-28 22:01:58,209",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\xe9\\x17\\x9e\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\\\x06\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\xe9\\x03\\x00\\x00\\x00\\x00\\x00\\x00@]%T\\x92\\x02\\x00\\x00X\\xe9\\x17\\x9e\\xf0\\x00\\x00\\x00\\xe8p%T\\x92\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00C\\x00:\\x00\\\\x00U\\x00s\\x00e\\x00r\\x00s\\x00\\\\x00a\\x00d\\x00m\\x00i\\x00n\\x00\\\\x00A\\x00p\\x00p\\x00D\\x00a\\x00t\\x00a\\x00\\\\x00L\\x00o\\x00c\\x00a\\x00l\\x00\\\\x00M\\x00i\\x00c\\x00r\\x00o\\x00s\\x00o\\x00f\\x00t\\x00\\\\x00W\\x00"
              }
            ],
            "repeated": 0,
            "id": 10120
          },
          {
            "timestamp": "2026-05-28 22:01:58,209",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "synchronization",
            "api": "NtCreateMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000610"
              },
              {
                "name": "MutexName",
                "value": "Global\\C::Users:admin:AppData:Local:Microsoft:Windows:Explorer:iconcache_idx.db!rwReaderRefs"
              },
              {
                "name": "InitialOwner",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 10121
          },
          {
            "timestamp": "2026-05-28 22:01:58,209",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000080c"
              }
            ],
            "repeated": 0,
            "id": 10122
          },
          {
            "timestamp": "2026-05-28 22:01:58,209",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000808"
              }
            ],
            "repeated": 0,
            "id": 10123
          },
          {
            "timestamp": "2026-05-28 22:01:58,209",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000610"
              }
            ],
            "repeated": 0,
            "id": 10124
          },
          {
            "timestamp": "2026-05-28 22:01:58,209",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000610"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000400",
                "pretty_value": "PROCESS_QUERY_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "7912"
              }
            ],
            "repeated": 0,
            "id": 10125
          },
          {
            "timestamp": "2026-05-28 22:01:58,209",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x00000808"
              }
            ],
            "repeated": 0,
            "id": 10126
          },
          {
            "timestamp": "2026-05-28 22:01:58,209",
            "thread_id": "1496",
            "caller": "0x7ff6c28da46e",
            "parentcaller": "0x7ff6c28cd4b8",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2925479f000"
              },
              {
                "name": "RegionSize",
                "value": "0x00011000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 10127
          },
          {
            "timestamp": "2026-05-28 22:01:58,209",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xa0\\xe9\\x17\\x9e\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\\\x00E\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\xe9\\x03\\x00\\x00c\\x00h\\x00e\\x00_\\x001\\x006\\x00.\\x00d\\x00b\\x00\\x00\\x00\\xe8\\xe9\\x17\\x9e\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00,\\x00\\x00\\x00\\xfc\\x7f\\x00\\x00\\x01\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\xea\\x17\\x9e\\xf0\\x00\\x00\\x00\\x02\\x00P\\x00\\x01\\x00\\x00\\x00\\x00\\x00$\\x00\\x00\\x00\\x00\\x10\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec"
              }
            ],
            "repeated": 0,
            "id": 10128
          },
          {
            "timestamp": "2026-05-28 22:01:58,209",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "synchronization",
            "api": "NtCreateMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000080c"
              },
              {
                "name": "MutexName",
                "value": "Global\\C::Users:admin:AppData:Local:Microsoft:Windows:Explorer:iconcache_idx.db!rwReaderRefs"
              },
              {
                "name": "InitialOwner",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 10129
          },
          {
            "timestamp": "2026-05-28 22:01:58,209",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000808"
              }
            ],
            "repeated": 0,
            "id": 10130
          },
          {
            "timestamp": "2026-05-28 22:01:58,209",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000610"
              }
            ],
            "repeated": 0,
            "id": 10131
          },
          {
            "timestamp": "2026-05-28 22:01:58,209",
            "thread_id": "1496",
            "caller": "0x7ff6c28da4af",
            "parentcaller": "0x7ff6c28cd4b8",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x292547b0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00009000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 10132
          },
          {
            "timestamp": "2026-05-28 22:01:58,209",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x0000080c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000400",
                "pretty_value": "PROCESS_QUERY_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "7912"
              }
            ],
            "repeated": 0,
            "id": 10133
          },
          {
            "timestamp": "2026-05-28 22:01:58,209",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x00000610"
              }
            ],
            "repeated": 0,
            "id": 10134
          },
          {
            "timestamp": "2026-05-28 22:01:58,209",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\xe9\\x17\\x9e\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\\\x06\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\xe9\\x03\\x00\\x00\\x00\\x00\\x00\\x00@]%T\\x92\\x02\\x00\\x00X\\xe9\\x17\\x9e\\xf0\\x00\\x00\\x00\\xe8p%T\\x92\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00C\\x00:\\x00\\\\x00U\\x00s\\x00e\\x00r\\x00s\\x00\\\\x00a\\x00d\\x00m\\x00i\\x00n\\x00\\\\x00A\\x00p\\x00p\\x00D\\x00a\\x00t\\x00a\\x00\\\\x00L\\x00o\\x00c\\x00a\\x00l\\x00\\\\x00M\\x00i\\x00c\\x00r\\x00o\\x00s\\x00o\\x00f\\x00t\\x00\\\\x00W\\x00"
              }
            ],
            "repeated": 0,
            "id": 10135
          },
          {
            "timestamp": "2026-05-28 22:01:58,209",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "synchronization",
            "api": "NtCreateMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000808"
              },
              {
                "name": "MutexName",
                "value": "Global\\C::Users:admin:AppData:Local:Microsoft:Windows:Explorer:iconcache_idx.db!rwReaderRefs"
              },
              {
                "name": "InitialOwner",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 10136
          },
          {
            "timestamp": "2026-05-28 22:01:58,209",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000610"
              }
            ],
            "repeated": 0,
            "id": 10137
          },
          {
            "timestamp": "2026-05-28 22:01:58,209",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000080c"
              }
            ],
            "repeated": 0,
            "id": 10138
          },
          {
            "timestamp": "2026-05-28 22:01:58,209",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000808"
              }
            ],
            "repeated": 0,
            "id": 10139
          },
          {
            "timestamp": "2026-05-28 22:01:58,209",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000808"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000400",
                "pretty_value": "PROCESS_QUERY_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "7912"
              }
            ],
            "repeated": 0,
            "id": 10140
          },
          {
            "timestamp": "2026-05-28 22:01:58,209",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x0000080c"
              }
            ],
            "repeated": 0,
            "id": 10141
          },
          {
            "timestamp": "2026-05-28 22:01:58,209",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xa0\\xe9\\x17\\x9e\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\\\x00E\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\xe9\\x03\\x00\\x00c\\x00h\\x00e\\x00_\\x001\\x006\\x00.\\x00d\\x00b\\x00\\x00\\x00\\xe8\\xe9\\x17\\x9e\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00,\\x00\\x00\\x00\\xfc\\x7f\\x00\\x00\\x01\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\xea\\x17\\x9e\\xf0\\x00\\x00\\x00\\x02\\x00P\\x00\\x01\\x00\\x00\\x00\\x00\\x00$\\x00\\x00\\x00\\x00\\x10\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec"
              }
            ],
            "repeated": 0,
            "id": 10142
          },
          {
            "timestamp": "2026-05-28 22:01:58,209",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "synchronization",
            "api": "NtCreateMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000610"
              },
              {
                "name": "MutexName",
                "value": "Global\\C::Users:admin:AppData:Local:Microsoft:Windows:Explorer:iconcache_idx.db!rwReaderRefs"
              },
              {
                "name": "InitialOwner",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 10143
          },
          {
            "timestamp": "2026-05-28 22:01:58,209",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000080c"
              }
            ],
            "repeated": 0,
            "id": 10144
          },
          {
            "timestamp": "2026-05-28 22:01:58,209",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000808"
              }
            ],
            "repeated": 0,
            "id": 10145
          },
          {
            "timestamp": "2026-05-28 22:01:58,209",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000610"
              }
            ],
            "repeated": 0,
            "id": 10146
          },
          {
            "timestamp": "2026-05-28 22:01:58,209",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000610"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000400",
                "pretty_value": "PROCESS_QUERY_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "7912"
              }
            ],
            "repeated": 0,
            "id": 10147
          },
          {
            "timestamp": "2026-05-28 22:01:58,209",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x00000808"
              }
            ],
            "repeated": 0,
            "id": 10148
          },
          {
            "timestamp": "2026-05-28 22:01:58,209",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\xe9\\x17\\x9e\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\\\x06\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\xe9\\x03\\x00\\x00\\x00\\x00\\x00\\x00@]%T\\x92\\x02\\x00\\x00X\\xe9\\x17\\x9e\\xf0\\x00\\x00\\x00\\xe8p%T\\x92\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00C\\x00:\\x00\\\\x00U\\x00s\\x00e\\x00r\\x00s\\x00\\\\x00a\\x00d\\x00m\\x00i\\x00n\\x00\\\\x00A\\x00p\\x00p\\x00D\\x00a\\x00t\\x00a\\x00\\\\x00L\\x00o\\x00c\\x00a\\x00l\\x00\\\\x00M\\x00i\\x00c\\x00r\\x00o\\x00s\\x00o\\x00f\\x00t\\x00\\\\x00W\\x00"
              }
            ],
            "repeated": 0,
            "id": 10149
          },
          {
            "timestamp": "2026-05-28 22:01:58,209",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "synchronization",
            "api": "NtCreateMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000080c"
              },
              {
                "name": "MutexName",
                "value": "Global\\C::Users:admin:AppData:Local:Microsoft:Windows:Explorer:iconcache_idx.db!rwReaderRefs"
              },
              {
                "name": "InitialOwner",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 10150
          },
          {
            "timestamp": "2026-05-28 22:01:58,209",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000808"
              }
            ],
            "repeated": 0,
            "id": 10151
          },
          {
            "timestamp": "2026-05-28 22:01:58,209",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000610"
              }
            ],
            "repeated": 0,
            "id": 10152
          },
          {
            "timestamp": "2026-05-28 22:01:58,209",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000080c"
              }
            ],
            "repeated": 0,
            "id": 10153
          },
          {
            "timestamp": "2026-05-28 22:01:58,209",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x0000080c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000400",
                "pretty_value": "PROCESS_QUERY_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "7912"
              }
            ],
            "repeated": 0,
            "id": 10154
          },
          {
            "timestamp": "2026-05-28 22:01:58,209",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x00000610"
              }
            ],
            "repeated": 0,
            "id": 10155
          },
          {
            "timestamp": "2026-05-28 22:01:58,209",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xa0\\xe9\\x17\\x9e\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\\\x00E\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\xe9\\x03\\x00\\x00c\\x00h\\x00e\\x00_\\x001\\x006\\x00.\\x00d\\x00b\\x00\\x00\\x00\\xe8\\xe9\\x17\\x9e\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00,\\x00\\x00\\x00\\xfc\\x7f\\x00\\x00\\x01\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\xea\\x17\\x9e\\xf0\\x00\\x00\\x00\\x02\\x00P\\x00\\x01\\x00\\x00\\x00\\x00\\x00$\\x00\\x00\\x00\\x00\\x10\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec"
              }
            ],
            "repeated": 0,
            "id": 10156
          },
          {
            "timestamp": "2026-05-28 22:01:58,209",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "synchronization",
            "api": "NtCreateMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000808"
              },
              {
                "name": "MutexName",
                "value": "Global\\C::Users:admin:AppData:Local:Microsoft:Windows:Explorer:iconcache_idx.db!rwReaderRefs"
              },
              {
                "name": "InitialOwner",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 10157
          },
          {
            "timestamp": "2026-05-28 22:01:58,209",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000610"
              }
            ],
            "repeated": 0,
            "id": 10158
          },
          {
            "timestamp": "2026-05-28 22:01:58,209",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000080c"
              }
            ],
            "repeated": 0,
            "id": 10159
          },
          {
            "timestamp": "2026-05-28 22:01:58,209",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000808"
              }
            ],
            "repeated": 0,
            "id": 10160
          },
          {
            "timestamp": "2026-05-28 22:01:58,209",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000007d0"
              },
              {
                "name": "HandleName",
                "value": "C:\\Users\\admin\\AppData\\Local\\Microsoft\\Windows\\Explorer\\iconcache_idx.db"
              },
              {
                "name": "FileInformationClass",
                "value": "5",
                "pretty_value": "FileStandardInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\x00\\x80\\x00\\x00\\x00\\x00\\x00\\x000r\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 10161
          },
          {
            "timestamp": "2026-05-28 22:01:58,209",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000808"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000400",
                "pretty_value": "PROCESS_QUERY_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "7912"
              }
            ],
            "repeated": 0,
            "id": 10162
          },
          {
            "timestamp": "2026-05-28 22:01:58,209",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x0000080c"
              }
            ],
            "repeated": 0,
            "id": 10163
          },
          {
            "timestamp": "2026-05-28 22:01:58,209",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "0\\xe6\\x17\\x9e\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\xe9\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\xd0\\x84\\xd93\\xfc\\x7f\\x00\\x00\\x18\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xf0\\x00\\x00\\x00`\\xda\\xd9\\xff\\xff\\xff\\xff\\xffH\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb8\\x07\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 10164
          },
          {
            "timestamp": "2026-05-28 22:01:58,209",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "synchronization",
            "api": "NtCreateMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000610"
              },
              {
                "name": "MutexName",
                "value": "Global\\C::Users:admin:AppData:Local:Microsoft:Windows:Explorer:iconcache_idx.db!rwReaderRefs"
              },
              {
                "name": "InitialOwner",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 10165
          },
          {
            "timestamp": "2026-05-28 22:01:58,209",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000080c"
              }
            ],
            "repeated": 0,
            "id": 10166
          },
          {
            "timestamp": "2026-05-28 22:01:58,209",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000808"
              }
            ],
            "repeated": 0,
            "id": 10167
          },
          {
            "timestamp": "2026-05-28 22:01:58,209",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000610"
              }
            ],
            "repeated": 0,
            "id": 10168
          },
          {
            "timestamp": "2026-05-28 22:01:58,209",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000610"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000400",
                "pretty_value": "PROCESS_QUERY_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "7912"
              }
            ],
            "repeated": 0,
            "id": 10169
          },
          {
            "timestamp": "2026-05-28 22:01:58,209",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x00000808"
              }
            ],
            "repeated": 0,
            "id": 10170
          },
          {
            "timestamp": "2026-05-28 22:01:58,209",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "0\\xe6\\x17\\x9e\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\xe9\\x03\\x00\\x00\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x9a\\x00h8\\xfc\\x7f\\x00\\x00\\x10\\x06\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x06\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x81|\\xd93\\xfc\\x7f\\x00\\x00(\\x8b\\xd93\\xfc\\x7f\\x00\\x00\\x10\\x06\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x06\\x00\\x00\\x00\\x00\\x00\\x00\\x0f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x85gnu\\xfc\\x7f\\x00\\x00\\x10\\x06\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 10171
          },
          {
            "timestamp": "2026-05-28 22:01:58,209",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "synchronization",
            "api": "NtCreateMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000080c"
              },
              {
                "name": "MutexName",
                "value": "Global\\C::Users:admin:AppData:Local:Microsoft:Windows:Explorer:iconcache_idx.db!rwReaderRefs"
              },
              {
                "name": "InitialOwner",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 10172
          },
          {
            "timestamp": "2026-05-28 22:01:58,209",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000808"
              }
            ],
            "repeated": 0,
            "id": 10173
          },
          {
            "timestamp": "2026-05-28 22:01:58,209",
            "thread_id": "1496",
            "caller": "0x7ff6c28cd485",
            "parentcaller": "0x7ff6c292ec05",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x292547b9000"
              },
              {
                "name": "RegionSize",
                "value": "0x00011000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 10174
          },
          {
            "timestamp": "2026-05-28 22:01:58,209",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000610"
              }
            ],
            "repeated": 0,
            "id": 10175
          },
          {
            "timestamp": "2026-05-28 22:01:58,209",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000080c"
              }
            ],
            "repeated": 0,
            "id": 10176
          },
          {
            "timestamp": "2026-05-28 22:01:58,209",
            "thread_id": "1496",
            "caller": "0x7ff6c28cd485",
            "parentcaller": "0x7ff6c292ec05",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x292547ca000"
              },
              {
                "name": "RegionSize",
                "value": "0x00021000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 10177
          },
          {
            "timestamp": "2026-05-28 22:01:58,209",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x0000080c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000400",
                "pretty_value": "PROCESS_QUERY_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "7912"
              }
            ],
            "repeated": 0,
            "id": 10178
          },
          {
            "timestamp": "2026-05-28 22:01:58,209",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x00000610"
              }
            ],
            "repeated": 0,
            "id": 10179
          },
          {
            "timestamp": "2026-05-28 22:01:58,209",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "0\\xe6\\x17\\x9e\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\xe9\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x9a\\x00X8\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00`\\xda\\xd9\\xff\\xff\\xff\\xff\\xffH\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 10180
          },
          {
            "timestamp": "2026-05-28 22:01:58,209",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "synchronization",
            "api": "NtCreateMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000808"
              },
              {
                "name": "MutexName",
                "value": "Global\\C::Users:admin:AppData:Local:Microsoft:Windows:Explorer:iconcache_idx.db!rwReaderRefs"
              },
              {
                "name": "InitialOwner",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 10181
          },
          {
            "timestamp": "2026-05-28 22:01:58,209",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000610"
              }
            ],
            "repeated": 0,
            "id": 10182
          },
          {
            "timestamp": "2026-05-28 22:01:58,209",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000080c"
              }
            ],
            "repeated": 0,
            "id": 10183
          },
          {
            "timestamp": "2026-05-28 22:01:58,209",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000808"
              }
            ],
            "repeated": 0,
            "id": 10184
          },
          {
            "timestamp": "2026-05-28 22:01:58,209",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000808"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000400",
                "pretty_value": "PROCESS_QUERY_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "7912"
              }
            ],
            "repeated": 0,
            "id": 10185
          },
          {
            "timestamp": "2026-05-28 22:01:58,209",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x0000080c"
              }
            ],
            "repeated": 0,
            "id": 10186
          },
          {
            "timestamp": "2026-05-28 22:01:58,209",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "0\\xe6\\x17\\x9e\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\xe9\\x03\\x00\\x00\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x9a\\x00h8\\xfc\\x7f\\x00\\x00\\x08\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x08\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x81|\\xd93\\xfc\\x7f\\x00\\x00(\\x8b\\xd93\\xfc\\x7f\\x00\\x00\\x08\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x08\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x0f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x85gnu\\xfc\\x7f\\x00\\x00\\x08\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 10187
          },
          {
            "timestamp": "2026-05-28 22:01:58,209",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "synchronization",
            "api": "NtCreateMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000610"
              },
              {
                "name": "MutexName",
                "value": "Global\\C::Users:admin:AppData:Local:Microsoft:Windows:Explorer:iconcache_idx.db!rwReaderRefs"
              },
              {
                "name": "InitialOwner",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 10188
          },
          {
            "timestamp": "2026-05-28 22:01:58,209",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000080c"
              }
            ],
            "repeated": 0,
            "id": 10189
          },
          {
            "timestamp": "2026-05-28 22:01:58,209",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000808"
              }
            ],
            "repeated": 0,
            "id": 10190
          },
          {
            "timestamp": "2026-05-28 22:01:58,209",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000610"
              }
            ],
            "repeated": 0,
            "id": 10191
          },
          {
            "timestamp": "2026-05-28 22:01:58,209",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000610"
              },
              {
                "name": "DesiredAccess",
                "value": "0xc0100080",
                "pretty_value": "GENERIC_READ|GENERIC_WRITE|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Users\\admin\\AppData\\Local\\Microsoft\\Windows\\Explorer\\iconcache_16.db"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 10192
          },
          {
            "timestamp": "2026-05-28 22:01:58,209",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "filesystem",
            "api": "NtSetInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000610"
              },
              {
                "name": "HandleName",
                "value": "C:\\Users\\admin\\AppData\\Local\\Microsoft\\Windows\\Explorer\\iconcache_16.db"
              },
              {
                "name": "FileInformationClass",
                "value": "74"
              },
              {
                "name": "FileInformation",
                "value": "\\x02\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 10193
          },
          {
            "timestamp": "2026-05-28 22:01:58,209",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000610"
              },
              {
                "name": "HandleName",
                "value": "C:\\Users\\admin\\AppData\\Local\\Microsoft\\Windows\\Explorer\\iconcache_16.db"
              },
              {
                "name": "FileInformationClass",
                "value": "5",
                "pretty_value": "FileStandardInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 10194
          },
          {
            "timestamp": "2026-05-28 22:01:58,209",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000808"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0007",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ|SECTION_MAP_WRITE"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000610"
              },
              {
                "name": "FileName",
                "value": "C:\\Users\\admin\\AppData\\Local\\Microsoft\\Windows\\Explorer\\iconcache_16.db"
              }
            ],
            "repeated": 0,
            "id": 10195
          },
          {
            "timestamp": "2026-05-28 22:01:58,209",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000610"
              },
              {
                "name": "HandleName",
                "value": "C:\\Users\\admin\\AppData\\Local\\Microsoft\\Windows\\Explorer\\iconcache_16.db"
              },
              {
                "name": "FileInformationClass",
                "value": "5",
                "pretty_value": "FileStandardInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 1,
            "id": 10196
          },
          {
            "timestamp": "2026-05-28 22:01:58,209",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x0000080c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000400",
                "pretty_value": "PROCESS_QUERY_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "7912"
              }
            ],
            "repeated": 0,
            "id": 10197
          },
          {
            "timestamp": "2026-05-28 22:01:58,209",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x000007d4"
              }
            ],
            "repeated": 0,
            "id": 10198
          },
          {
            "timestamp": "2026-05-28 22:01:58,209",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "0\\xe7\\x17\\x9e\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\xe9\\x03\\x00\\x00\\x92\\x02\\x00\\x00\\x90\\x84\\xd93\\xfc\\x7f\\x00\\x00\\x05\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xfc\\x7f\\x00\\x00`\\xda\\xd9\\xff\\xff\\xff\\xff\\xffH\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xa8\\x03)T\\x92\\x02\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 10199
          },
          {
            "timestamp": "2026-05-28 22:01:58,209",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "synchronization",
            "api": "NtCreateMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000810"
              },
              {
                "name": "MutexName",
                "value": "Global\\C::Users:admin:AppData:Local:Microsoft:Windows:Explorer:iconcache_idx.db!rwReaderRefs"
              },
              {
                "name": "InitialOwner",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 10200
          },
          {
            "timestamp": "2026-05-28 22:01:58,209",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000007d4"
              }
            ],
            "repeated": 0,
            "id": 10201
          },
          {
            "timestamp": "2026-05-28 22:01:58,209",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000080c"
              }
            ],
            "repeated": 0,
            "id": 10202
          },
          {
            "timestamp": "2026-05-28 22:01:58,209",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000810"
              }
            ],
            "repeated": 0,
            "id": 10203
          },
          {
            "timestamp": "2026-05-28 22:01:58,209",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000810"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000400",
                "pretty_value": "PROCESS_QUERY_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "7912"
              }
            ],
            "repeated": 0,
            "id": 10204
          },
          {
            "timestamp": "2026-05-28 22:01:58,209",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x0000080c"
              }
            ],
            "repeated": 0,
            "id": 10205
          },
          {
            "timestamp": "2026-05-28 22:01:58,209",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "@\\xe7\\x17\\x9e\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xfc\\x7f\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\xe9\\x03\\x00\\x00\\xfc\\x7f\\x00\\x00\\xd0\\xe7\\x17\\x9e\\xf0\\x00\\x00\\x00\\xb8\\x07\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xe0\r\\xecP\\x92\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb8\\x07\\x00\\x00\\x00\\x00\\x00\\x00 \\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x02\\x00\\x00\\x00\\x00\\x00\\x00]\\xddmu\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xa8\\x03)T\\x92\\x02\\x00\\x00:\\x04\\xcfLu\\xc0\\x00\\x00\\xe8p%T\\x92\\x02\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 10206
          },
          {
            "timestamp": "2026-05-28 22:01:58,209",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "synchronization",
            "api": "NtCreateMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000007d4"
              },
              {
                "name": "MutexName",
                "value": "Global\\C::Users:admin:AppData:Local:Microsoft:Windows:Explorer:iconcache_idx.db!rwReaderRefs"
              },
              {
                "name": "InitialOwner",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 10207
          },
          {
            "timestamp": "2026-05-28 22:01:58,209",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000080c"
              }
            ],
            "repeated": 0,
            "id": 10208
          },
          {
            "timestamp": "2026-05-28 22:01:58,209",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000810"
              }
            ],
            "repeated": 0,
            "id": 10209
          },
          {
            "timestamp": "2026-05-28 22:01:58,209",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000007d4"
              }
            ],
            "repeated": 0,
            "id": 10210
          },
          {
            "timestamp": "2026-05-28 22:01:58,209",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000808"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254af0000"
              },
              {
                "name": "SectionOffset",
                "value": "0xf09e17e740"
              },
              {
                "name": "ViewSize",
                "value": "0x00100000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 10211
          },
          {
            "timestamp": "2026-05-28 22:01:58,209",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "system",
            "api": "NtDuplicateObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SourceProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "SourceHandle",
                "value": "0x00000610"
              },
              {
                "name": "TargetProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "TargetHandle",
                "value": "0x000007d4"
              },
              {
                "name": "Options",
                "value": "0x00000002"
              }
            ],
            "repeated": 0,
            "id": 10212
          },
          {
            "timestamp": "2026-05-28 22:01:58,209",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000640"
              }
            ],
            "repeated": 0,
            "id": 10213
          },
          {
            "timestamp": "2026-05-28 22:01:58,225",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000814"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000400",
                "pretty_value": "PROCESS_QUERY_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "7912"
              }
            ],
            "repeated": 0,
            "id": 10214
          },
          {
            "timestamp": "2026-05-28 22:01:58,225",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x00000818"
              }
            ],
            "repeated": 0,
            "id": 10215
          },
          {
            "timestamp": "2026-05-28 22:01:58,225",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "`\\xea\\x17\\x9e\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\xe9\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00H\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00p\\xc3\\xe8S\\x92\\x02\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 10216
          },
          {
            "timestamp": "2026-05-28 22:01:58,225",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "synchronization",
            "api": "NtCreateMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000081c"
              },
              {
                "name": "MutexName",
                "value": "Global\\C::Users:admin:AppData:Local:Microsoft:Windows:Explorer:iconcache_idx.db!rwReaderRefs"
              },
              {
                "name": "InitialOwner",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 10217
          },
          {
            "timestamp": "2026-05-28 22:01:58,225",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000818"
              }
            ],
            "repeated": 0,
            "id": 10218
          },
          {
            "timestamp": "2026-05-28 22:01:58,225",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000814"
              }
            ],
            "repeated": 0,
            "id": 10219
          },
          {
            "timestamp": "2026-05-28 22:01:58,225",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000007d0"
              },
              {
                "name": "HandleName",
                "value": "C:\\Users\\admin\\AppData\\Local\\Microsoft\\Windows\\Explorer\\iconcache_idx.db"
              },
              {
                "name": "FileInformationClass",
                "value": "5",
                "pretty_value": "FileStandardInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\x00\\x80\\x00\\x00\\x00\\x00\\x00\\x000r\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 10220
          },
          {
            "timestamp": "2026-05-28 22:01:58,225",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000081c"
              }
            ],
            "repeated": 0,
            "id": 10221
          },
          {
            "timestamp": "2026-05-28 22:01:58,225",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x0000081c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000400",
                "pretty_value": "PROCESS_QUERY_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "7912"
              }
            ],
            "repeated": 0,
            "id": 10222
          },
          {
            "timestamp": "2026-05-28 22:01:58,225",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x00000814"
              }
            ],
            "repeated": 0,
            "id": 10223
          },
          {
            "timestamp": "2026-05-28 22:01:58,225",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "p\\xea\\x17\\x9e\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\xe9\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb8\\x07\\x00\\x00\\x00\\x00\\x00\\x00 \\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x02\\x00\\x00\\x00\\x00\\x00\\x00]\\xddmu\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00p\\xc3\\xe8S\\x92\\x02\\x00\\x00\\xea\\x0b\\xcfLu\\xc0\\x00\\x00\\xe8p%T\\x92\\x02\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 10224
          },
          {
            "timestamp": "2026-05-28 22:01:58,225",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "synchronization",
            "api": "NtCreateMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000818"
              },
              {
                "name": "MutexName",
                "value": "Global\\C::Users:admin:AppData:Local:Microsoft:Windows:Explorer:iconcache_idx.db!rwReaderRefs"
              },
              {
                "name": "InitialOwner",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 10225
          },
          {
            "timestamp": "2026-05-28 22:01:58,225",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000814"
              }
            ],
            "repeated": 0,
            "id": 10226
          },
          {
            "timestamp": "2026-05-28 22:01:58,225",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000081c"
              }
            ],
            "repeated": 0,
            "id": 10227
          },
          {
            "timestamp": "2026-05-28 22:01:58,225",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000818"
              }
            ],
            "repeated": 0,
            "id": 10228
          },
          {
            "timestamp": "2026-05-28 22:01:58,225",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000818"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000400",
                "pretty_value": "PROCESS_QUERY_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "7912"
              }
            ],
            "repeated": 0,
            "id": 10229
          },
          {
            "timestamp": "2026-05-28 22:01:58,225",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x0000081c"
              }
            ],
            "repeated": 0,
            "id": 10230
          },
          {
            "timestamp": "2026-05-28 22:01:58,225",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "0\\xec\\x17\\x9e\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\xe9\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xc0\\xab._\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00H\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 10231
          },
          {
            "timestamp": "2026-05-28 22:01:58,225",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "synchronization",
            "api": "NtCreateMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000814"
              },
              {
                "name": "MutexName",
                "value": "Global\\C::Users:admin:AppData:Local:Microsoft:Windows:Explorer:iconcache_idx.db!rwReaderRefs"
              },
              {
                "name": "InitialOwner",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 10232
          },
          {
            "timestamp": "2026-05-28 22:01:58,225",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000081c"
              }
            ],
            "repeated": 0,
            "id": 10233
          },
          {
            "timestamp": "2026-05-28 22:01:58,225",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000818"
              }
            ],
            "repeated": 0,
            "id": 10234
          },
          {
            "timestamp": "2026-05-28 22:01:58,225",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000007d0"
              },
              {
                "name": "HandleName",
                "value": "C:\\Users\\admin\\AppData\\Local\\Microsoft\\Windows\\Explorer\\iconcache_idx.db"
              },
              {
                "name": "FileInformationClass",
                "value": "5",
                "pretty_value": "FileStandardInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\x00\\x80\\x00\\x00\\x00\\x00\\x00\\x000r\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 10235
          },
          {
            "timestamp": "2026-05-28 22:01:58,225",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000814"
              }
            ],
            "repeated": 0,
            "id": 10236
          },
          {
            "timestamp": "2026-05-28 22:01:58,225",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000814"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000400",
                "pretty_value": "PROCESS_QUERY_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "7912"
              }
            ],
            "repeated": 0,
            "id": 10237
          },
          {
            "timestamp": "2026-05-28 22:01:58,225",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x00000818"
              }
            ],
            "repeated": 0,
            "id": 10238
          },
          {
            "timestamp": "2026-05-28 22:01:58,225",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "@\\xec\\x17\\x9e\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\xe9\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb8\\x07\\x00\\x00\\x00\\x00\\x00\\x00 \\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x02\\x00\\x00\\x00\\x00\\x00\\x00]\\xddmu\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00:\t\\xcfLu\\xc0\\x00\\x00\\xe8p%T\\x92\\x02\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 10239
          },
          {
            "timestamp": "2026-05-28 22:01:58,225",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "synchronization",
            "api": "NtCreateMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000081c"
              },
              {
                "name": "MutexName",
                "value": "Global\\C::Users:admin:AppData:Local:Microsoft:Windows:Explorer:iconcache_idx.db!rwReaderRefs"
              },
              {
                "name": "InitialOwner",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 10240
          },
          {
            "timestamp": "2026-05-28 22:01:58,225",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000818"
              }
            ],
            "repeated": 0,
            "id": 10241
          },
          {
            "timestamp": "2026-05-28 22:01:58,225",
            "thread_id": "1496",
            "caller": "0x7ff6c29155ca",
            "parentcaller": "0x7ff6c2915b99",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x292547eb000"
              },
              {
                "name": "RegionSize",
                "value": "0x00009000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 10242
          },
          {
            "timestamp": "2026-05-28 22:01:58,225",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000081c"
              }
            ],
            "repeated": 0,
            "id": 10243
          },
          {
            "timestamp": "2026-05-28 22:01:58,225",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\ntoskrnl.exe"
              }
            ],
            "repeated": 1,
            "id": 10244
          },
          {
            "timestamp": "2026-05-28 22:01:58,225",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29254bf0002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "c:\\windows\\system32\\ntoskrnl.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 10245
          },
          {
            "timestamp": "2026-05-28 22:01:58,225",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100001",
                "pretty_value": "FILE_READ_ACCESS|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\SystemResources\\ntoskrnl.exe.mun"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 10246
          },
          {
            "timestamp": "2026-05-28 22:01:58,225",
            "thread_id": "1496",
            "caller": "0x7ff6c29330f9",
            "parentcaller": "0x7ff6c293072e",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x292547f4000"
              },
              {
                "name": "RegionSize",
                "value": "0x00011000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 10247
          },
          {
            "timestamp": "2026-05-28 22:01:58,225",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254bf0000"
              },
              {
                "name": "RegionSize",
                "value": "0x01046000"
              }
            ],
            "repeated": 0,
            "id": 10248
          },
          {
            "timestamp": "2026-05-28 22:01:58,225",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\imageres.dll"
              }
            ],
            "repeated": 1,
            "id": 10249
          },
          {
            "timestamp": "2026-05-28 22:01:58,225",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29254bf0002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\system32\\imageres.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 10250
          },
          {
            "timestamp": "2026-05-28 22:01:58,225",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "registry",
            "api": "NtOpenKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\en-US"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\en-US"
              }
            ],
            "repeated": 0,
            "id": 10251
          },
          {
            "timestamp": "2026-05-28 22:01:58,225",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x0000081c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100001",
                "pretty_value": "FILE_READ_ACCESS|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\en-US\\imageres.dll.mui"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 10252
          },
          {
            "timestamp": "2026-05-28 22:01:58,225",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000814"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x0000081c"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\en-US\\imageres.dll.mui"
              }
            ],
            "repeated": 0,
            "id": 10253
          },
          {
            "timestamp": "2026-05-28 22:01:58,225",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000814"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254c00000"
              },
              {
                "name": "SectionOffset",
                "value": "0xf09e17cbc0"
              },
              {
                "name": "ViewSize",
                "value": "0x00001000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 10254
          },
          {
            "timestamp": "2026-05-28 22:01:58,225",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000814"
              }
            ],
            "repeated": 0,
            "id": 10255
          },
          {
            "timestamp": "2026-05-28 22:01:58,225",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": false,
            "return": "0xffffffffc000003a",
            "pretty_return": "OBJECT_PATH_NOT_FOUND",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100001",
                "pretty_value": "FILE_READ_ACCESS|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\SystemResources\\imageres.dll.mui.mun"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 10256
          },
          {
            "timestamp": "2026-05-28 22:01:58,225",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000814"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100001",
                "pretty_value": "FILE_READ_ACCESS|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\SystemResources\\imageres.dll.mun"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 10257
          },
          {
            "timestamp": "2026-05-28 22:01:58,225",
            "thread_id": "1496",
            "caller": "0x7ff6c28cd4b8",
            "parentcaller": "0x7ff6c292ec05",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2925480e000"
              },
              {
                "name": "RegionSize",
                "value": "0x00011000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 10258
          },
          {
            "timestamp": "2026-05-28 22:01:58,225",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000818"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000814"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\SystemResources\\imageres.dll.mun"
              }
            ],
            "repeated": 0,
            "id": 10259
          },
          {
            "timestamp": "2026-05-28 22:01:58,225",
            "thread_id": "1496",
            "caller": "0x7ff6c28da4af",
            "parentcaller": "0x7ff6c28cd4b8",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2925481f000"
              },
              {
                "name": "RegionSize",
                "value": "0x00009000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 10260
          },
          {
            "timestamp": "2026-05-28 22:01:58,225",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000818"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254c10000"
              },
              {
                "name": "SectionOffset",
                "value": "0xf09e17cb70"
              },
              {
                "name": "ViewSize",
                "value": "0x013c0000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 10261
          },
          {
            "timestamp": "2026-05-28 22:01:58,225",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000818"
              }
            ],
            "repeated": 0,
            "id": 10262
          },
          {
            "timestamp": "2026-05-28 22:01:58,225",
            "thread_id": "1496",
            "caller": "0x7ff6c28da4af",
            "parentcaller": "0x7ff6c28cd4b8",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254828000"
              },
              {
                "name": "RegionSize",
                "value": "0x00009000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 10263
          },
          {
            "timestamp": "2026-05-28 22:01:58,225",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "misc",
            "api": "FindResourceExW",
            "status": true,
            "return": "0x29254c32e40",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29254bf0002"
              },
              {
                "name": "Type",
                "value": "#14"
              },
              {
                "name": "Name",
                "value": "#15"
              },
              {
                "name": "Language",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 10264
          },
          {
            "timestamp": "2026-05-28 22:01:58,225",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "misc",
            "api": "LoadResource",
            "status": true,
            "return": "0x29254ca6950",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29254bf0002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29254c32e40"
              }
            ],
            "repeated": 0,
            "id": 10265
          },
          {
            "timestamp": "2026-05-28 22:01:58,225",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "misc",
            "api": "FindResourceExW",
            "status": true,
            "return": "0x29254c28940",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29254bf0002"
              },
              {
                "name": "Type",
                "value": "#3"
              },
              {
                "name": "Name",
                "value": "#63"
              },
              {
                "name": "Language",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 10266
          },
          {
            "timestamp": "2026-05-28 22:01:58,225",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "misc",
            "api": "SizeofResource",
            "status": true,
            "return": "0x00000468",
            "arguments": [
              {
                "name": "ModuleHandle",
                "value": "0x29254bf0002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29254c28940"
              }
            ],
            "repeated": 0,
            "id": 10267
          },
          {
            "timestamp": "2026-05-28 22:01:58,225",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "misc",
            "api": "LoadResource",
            "status": true,
            "return": "0x29254ca64e8",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29254bf0002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29254c28940"
              }
            ],
            "repeated": 0,
            "id": 10268
          },
          {
            "timestamp": "2026-05-28 22:01:58,225",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254c10000"
              },
              {
                "name": "RegionSize",
                "value": "0x013c0000"
              }
            ],
            "repeated": 0,
            "id": 10269
          },
          {
            "timestamp": "2026-05-28 22:01:58,225",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000814"
              }
            ],
            "repeated": 0,
            "id": 10270
          },
          {
            "timestamp": "2026-05-28 22:01:58,225",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254c00000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              }
            ],
            "repeated": 0,
            "id": 10271
          },
          {
            "timestamp": "2026-05-28 22:01:58,225",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000081c"
              }
            ],
            "repeated": 0,
            "id": 10272
          },
          {
            "timestamp": "2026-05-28 22:01:58,225",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254bf0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00003000"
              }
            ],
            "repeated": 0,
            "id": 10273
          },
          {
            "timestamp": "2026-05-28 22:01:58,225",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x0000081c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000400",
                "pretty_value": "PROCESS_QUERY_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "7912"
              }
            ],
            "repeated": 0,
            "id": 10274
          },
          {
            "timestamp": "2026-05-28 22:01:58,225",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x00000814"
              }
            ],
            "repeated": 0,
            "id": 10275
          },
          {
            "timestamp": "2026-05-28 22:01:58,225",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "0\\xec\\x17\\x9e\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\xe9\\x03\\x00\\x00\\xfc\\x7f\\x00\\x00`^\\xe8S\\x92\\x02\\x00\\x00\\xb0\\xf2\\x17\\x9e\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x80\\x00\\x00\\x00\\x00\\x00\\x00\\x00H\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 10276
          },
          {
            "timestamp": "2026-05-28 22:01:58,225",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "synchronization",
            "api": "NtCreateMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000640"
              },
              {
                "name": "MutexName",
                "value": "Global\\C::Users:admin:AppData:Local:Microsoft:Windows:Explorer:iconcache_idx.db!rwReaderRefs"
              },
              {
                "name": "InitialOwner",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 10277
          },
          {
            "timestamp": "2026-05-28 22:01:58,225",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000814"
              }
            ],
            "repeated": 0,
            "id": 10278
          },
          {
            "timestamp": "2026-05-28 22:01:58,225",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000081c"
              }
            ],
            "repeated": 0,
            "id": 10279
          },
          {
            "timestamp": "2026-05-28 22:01:58,225",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000007d0"
              },
              {
                "name": "HandleName",
                "value": "C:\\Users\\admin\\AppData\\Local\\Microsoft\\Windows\\Explorer\\iconcache_idx.db"
              },
              {
                "name": "FileInformationClass",
                "value": "5",
                "pretty_value": "FileStandardInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\x00\\x80\\x00\\x00\\x00\\x00\\x00\\x000r\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 10280
          },
          {
            "timestamp": "2026-05-28 22:01:58,225",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000640"
              }
            ],
            "repeated": 0,
            "id": 10281
          },
          {
            "timestamp": "2026-05-28 22:01:58,225",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000640"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000400",
                "pretty_value": "PROCESS_QUERY_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "7912"
              }
            ],
            "repeated": 0,
            "id": 10282
          },
          {
            "timestamp": "2026-05-28 22:01:58,225",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x00000818"
              }
            ],
            "repeated": 0,
            "id": 10283
          },
          {
            "timestamp": "2026-05-28 22:01:58,225",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "@\\xec\\x17\\x9e\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\xe9\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb8\\x07\\x00\\x00\\x00\\x00\\x00\\x00 \\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x02\\x00\\x00\\x00\\x00\\x00\\x00]\\xddmu\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00:\t\\xcfLu\\xc0\\x00\\x00\\xe8p%T\\x92\\x02\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 10284
          },
          {
            "timestamp": "2026-05-28 22:01:58,225",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "synchronization",
            "api": "NtCreateMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000820"
              },
              {
                "name": "MutexName",
                "value": "Global\\C::Users:admin:AppData:Local:Microsoft:Windows:Explorer:iconcache_idx.db!rwReaderRefs"
              },
              {
                "name": "InitialOwner",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 10285
          },
          {
            "timestamp": "2026-05-28 22:01:58,225",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000818"
              }
            ],
            "repeated": 0,
            "id": 10286
          },
          {
            "timestamp": "2026-05-28 22:01:58,225",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000640"
              }
            ],
            "repeated": 0,
            "id": 10287
          },
          {
            "timestamp": "2026-05-28 22:01:58,225",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000820"
              }
            ],
            "repeated": 0,
            "id": 10288
          },
          {
            "timestamp": "2026-05-28 22:01:58,225",
            "thread_id": "1496",
            "caller": "0x7ff6c28cd4b8",
            "parentcaller": "0x7ff6c292ec05",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254831000"
              },
              {
                "name": "RegionSize",
                "value": "0x00011000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 10289
          },
          {
            "timestamp": "2026-05-28 22:01:58,225",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\csrss.exe"
              }
            ],
            "repeated": 1,
            "id": 10290
          },
          {
            "timestamp": "2026-05-28 22:01:58,225",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29254bf0002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "c:\\windows\\system32\\csrss.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 10291
          },
          {
            "timestamp": "2026-05-28 22:01:58,225",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100001",
                "pretty_value": "FILE_READ_ACCESS|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\SystemResources\\csrss.exe.mun"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 10292
          },
          {
            "timestamp": "2026-05-28 22:01:58,225",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254bf0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00007000"
              }
            ],
            "repeated": 0,
            "id": 10293
          },
          {
            "timestamp": "2026-05-28 22:01:58,225",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\imageres.dll"
              }
            ],
            "repeated": 1,
            "id": 10294
          },
          {
            "timestamp": "2026-05-28 22:01:58,225",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29254bf0002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\system32\\imageres.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 10295
          },
          {
            "timestamp": "2026-05-28 22:01:58,225",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "registry",
            "api": "NtOpenKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\en-US"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\en-US"
              }
            ],
            "repeated": 0,
            "id": 10296
          },
          {
            "timestamp": "2026-05-28 22:01:58,225",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000820"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100001",
                "pretty_value": "FILE_READ_ACCESS|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\en-US\\imageres.dll.mui"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 10297
          },
          {
            "timestamp": "2026-05-28 22:01:58,225",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000640"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000820"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\en-US\\imageres.dll.mui"
              }
            ],
            "repeated": 0,
            "id": 10298
          },
          {
            "timestamp": "2026-05-28 22:01:58,225",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000640"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254c00000"
              },
              {
                "name": "SectionOffset",
                "value": "0xf09e17cbc0"
              },
              {
                "name": "ViewSize",
                "value": "0x00001000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 10299
          },
          {
            "timestamp": "2026-05-28 22:01:58,225",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000640"
              }
            ],
            "repeated": 0,
            "id": 10300
          },
          {
            "timestamp": "2026-05-28 22:01:58,225",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000640"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100001",
                "pretty_value": "FILE_READ_ACCESS|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\SystemResources\\imageres.dll.mun"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 10301
          },
          {
            "timestamp": "2026-05-28 22:01:58,225",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000818"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000640"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\SystemResources\\imageres.dll.mun"
              }
            ],
            "repeated": 0,
            "id": 10302
          },
          {
            "timestamp": "2026-05-28 22:01:58,225",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000818"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254c10000"
              },
              {
                "name": "SectionOffset",
                "value": "0xf09e17cb70"
              },
              {
                "name": "ViewSize",
                "value": "0x013c0000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 10303
          },
          {
            "timestamp": "2026-05-28 22:01:58,225",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000818"
              }
            ],
            "repeated": 0,
            "id": 10304
          },
          {
            "timestamp": "2026-05-28 22:01:58,225",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "misc",
            "api": "FindResourceExW",
            "status": true,
            "return": "0x29254c32e40",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29254bf0002"
              },
              {
                "name": "Type",
                "value": "#14"
              },
              {
                "name": "Name",
                "value": "#15"
              },
              {
                "name": "Language",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 10305
          },
          {
            "timestamp": "2026-05-28 22:01:58,225",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "misc",
            "api": "LoadResource",
            "status": true,
            "return": "0x29254ca6950",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29254bf0002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29254c32e40"
              }
            ],
            "repeated": 0,
            "id": 10306
          },
          {
            "timestamp": "2026-05-28 22:01:58,225",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "misc",
            "api": "FindResourceExW",
            "status": true,
            "return": "0x29254c28940",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29254bf0002"
              },
              {
                "name": "Type",
                "value": "#3"
              },
              {
                "name": "Name",
                "value": "#63"
              },
              {
                "name": "Language",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 10307
          },
          {
            "timestamp": "2026-05-28 22:01:58,225",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "misc",
            "api": "SizeofResource",
            "status": true,
            "return": "0x00000468",
            "arguments": [
              {
                "name": "ModuleHandle",
                "value": "0x29254bf0002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29254c28940"
              }
            ],
            "repeated": 0,
            "id": 10308
          },
          {
            "timestamp": "2026-05-28 22:01:58,225",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "misc",
            "api": "LoadResource",
            "status": true,
            "return": "0x29254ca64e8",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29254bf0002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29254c28940"
              }
            ],
            "repeated": 0,
            "id": 10309
          },
          {
            "timestamp": "2026-05-28 22:01:58,225",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254c10000"
              },
              {
                "name": "RegionSize",
                "value": "0x013c0000"
              }
            ],
            "repeated": 0,
            "id": 10310
          },
          {
            "timestamp": "2026-05-28 22:01:58,225",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000640"
              }
            ],
            "repeated": 0,
            "id": 10311
          },
          {
            "timestamp": "2026-05-28 22:01:58,225",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254c00000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              }
            ],
            "repeated": 0,
            "id": 10312
          },
          {
            "timestamp": "2026-05-28 22:01:58,225",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000820"
              }
            ],
            "repeated": 0,
            "id": 10313
          },
          {
            "timestamp": "2026-05-28 22:01:58,225",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254bf0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00003000"
              }
            ],
            "repeated": 0,
            "id": 10314
          },
          {
            "timestamp": "2026-05-28 22:01:58,225",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000820"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000400",
                "pretty_value": "PROCESS_QUERY_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "7912"
              }
            ],
            "repeated": 0,
            "id": 10315
          },
          {
            "timestamp": "2026-05-28 22:01:58,225",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x00000640"
              }
            ],
            "repeated": 0,
            "id": 10316
          },
          {
            "timestamp": "2026-05-28 22:01:58,225",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "0\\xec\\x17\\x9e\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\xe9\\x03\\x00\\x00\\xfc\\x7f\\x00\\x00`^\\xe8S\\x92\\x02\\x00\\x00\\xb0\\xf2\\x17\\x9e\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x81\\x00\\x00\\x00\\x00\\x00\\x00\\x00H\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 10317
          },
          {
            "timestamp": "2026-05-28 22:01:58,225",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "synchronization",
            "api": "NtCreateMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000818"
              },
              {
                "name": "MutexName",
                "value": "Global\\C::Users:admin:AppData:Local:Microsoft:Windows:Explorer:iconcache_idx.db!rwReaderRefs"
              },
              {
                "name": "InitialOwner",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 10318
          },
          {
            "timestamp": "2026-05-28 22:01:58,225",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000640"
              }
            ],
            "repeated": 0,
            "id": 10319
          },
          {
            "timestamp": "2026-05-28 22:01:58,225",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000820"
              }
            ],
            "repeated": 0,
            "id": 10320
          },
          {
            "timestamp": "2026-05-28 22:01:58,225",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000007d0"
              },
              {
                "name": "HandleName",
                "value": "C:\\Users\\admin\\AppData\\Local\\Microsoft\\Windows\\Explorer\\iconcache_idx.db"
              },
              {
                "name": "FileInformationClass",
                "value": "5",
                "pretty_value": "FileStandardInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\x00\\x80\\x00\\x00\\x00\\x00\\x00\\x000r\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 10321
          },
          {
            "timestamp": "2026-05-28 22:01:58,225",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000820"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000400",
                "pretty_value": "PROCESS_QUERY_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "7912"
              }
            ],
            "repeated": 0,
            "id": 10322
          },
          {
            "timestamp": "2026-05-28 22:01:58,225",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x00000640"
              }
            ],
            "repeated": 0,
            "id": 10323
          },
          {
            "timestamp": "2026-05-28 22:01:58,225",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xf0\\xec\\x17\\x9e\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\xe9\\x03\\x00\\x00\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00i\\xef\\x17\\x9e\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00T\\x82*_\\xfc\\x7f\\x00\\x004\\x009\\x00c\\x002\\x008\\x00\\x00\\x00\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x000\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00h\\xee\\x17\\x9e\\xf0\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 10324
          },
          {
            "timestamp": "2026-05-28 22:01:58,225",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "synchronization",
            "api": "NtCreateMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000824"
              },
              {
                "name": "MutexName",
                "value": "Global\\C::Users:admin:AppData:Local:Microsoft:Windows:Explorer:iconcache_idx.db!049c28"
              },
              {
                "name": "InitialOwner",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 10325
          },
          {
            "timestamp": "2026-05-28 22:01:58,225",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000640"
              }
            ],
            "repeated": 0,
            "id": 10326
          },
          {
            "timestamp": "2026-05-28 22:01:58,225",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000820"
              }
            ],
            "repeated": 0,
            "id": 10327
          },
          {
            "timestamp": "2026-05-28 22:01:58,225",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000610"
              },
              {
                "name": "HandleName",
                "value": "C:\\Users\\admin\\AppData\\Local\\Microsoft\\Windows\\Explorer\\iconcache_16.db"
              },
              {
                "name": "FileInformationClass",
                "value": "5",
                "pretty_value": "FileStandardInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 10328
          },
          {
            "timestamp": "2026-05-28 22:01:58,225",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000818"
              }
            ],
            "repeated": 0,
            "id": 10329
          },
          {
            "timestamp": "2026-05-28 22:01:58,225",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000818"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000400",
                "pretty_value": "PROCESS_QUERY_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "7912"
              }
            ],
            "repeated": 0,
            "id": 10330
          },
          {
            "timestamp": "2026-05-28 22:01:58,225",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x00000820"
              }
            ],
            "repeated": 0,
            "id": 10331
          },
          {
            "timestamp": "2026-05-28 22:01:58,225",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\xed\\x17\\x9e\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\xe9\\x03\\x00\\x00\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xa0\\xed\\x17\\x9e\\xf0\\x00\\x00\\x00H\\xef\\x17\\x9e\\xf0\\x00\\x00\\x00(\\x9c\\xb3T\\x92\\x02\\x00\\x00\\x80\\xed\\x17\\x9e\\xf0\\x00\\x00\\x00\\xd0\\xed\\x17\\x9e\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xf0\\x00\\x00\\x00\\x00\\x00\\xafT\\x92\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00u\\xc0\\x00\\x00\\x00\\x00\\xafT\\x92\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 10332
          },
          {
            "timestamp": "2026-05-28 22:01:58,225",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "synchronization",
            "api": "NtCreateMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000640"
              },
              {
                "name": "MutexName",
                "value": "Global\\C::Users:admin:AppData:Local:Microsoft:Windows:Explorer:iconcache_idx.db!rwReaderRefs"
              },
              {
                "name": "InitialOwner",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 10333
          },
          {
            "timestamp": "2026-05-28 22:01:58,225",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000820"
              }
            ],
            "repeated": 0,
            "id": 10334
          },
          {
            "timestamp": "2026-05-28 22:01:58,225",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000818"
              }
            ],
            "repeated": 0,
            "id": 10335
          },
          {
            "timestamp": "2026-05-28 22:01:58,225",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000640"
              }
            ],
            "repeated": 0,
            "id": 10336
          },
          {
            "timestamp": "2026-05-28 22:01:58,225",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000824"
              }
            ],
            "repeated": 0,
            "id": 10337
          },
          {
            "timestamp": "2026-05-28 22:01:58,225",
            "thread_id": "1496",
            "caller": "0x7ff6c2931bb1",
            "parentcaller": "0x7ff6c293307d",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254842000"
              },
              {
                "name": "RegionSize",
                "value": "0x00005000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 10338
          },
          {
            "timestamp": "2026-05-28 22:01:58,225",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000824"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000400",
                "pretty_value": "PROCESS_QUERY_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "7912"
              }
            ],
            "repeated": 0,
            "id": 10339
          },
          {
            "timestamp": "2026-05-28 22:01:58,225",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x00000640"
              }
            ],
            "repeated": 0,
            "id": 10340
          },
          {
            "timestamp": "2026-05-28 22:01:58,225",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "0\\xec\\x17\\x9e\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\xe9\\x03\\x00\\x00\\xfc\\x7f\\x00\\x00`^\\xe8S\\x92\\x02\\x00\\x00\\xb0\\xf2\\x17\\x9e\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x82\\x00\\x00\\x00\\x00\\x00\\x00\\x00H\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 10341
          },
          {
            "timestamp": "2026-05-28 22:01:58,225",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "synchronization",
            "api": "NtCreateMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000818"
              },
              {
                "name": "MutexName",
                "value": "Global\\C::Users:admin:AppData:Local:Microsoft:Windows:Explorer:iconcache_idx.db!rwReaderRefs"
              },
              {
                "name": "InitialOwner",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 10342
          },
          {
            "timestamp": "2026-05-28 22:01:58,225",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000640"
              }
            ],
            "repeated": 0,
            "id": 10343
          },
          {
            "timestamp": "2026-05-28 22:01:58,225",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000824"
              }
            ],
            "repeated": 0,
            "id": 10344
          },
          {
            "timestamp": "2026-05-28 22:01:58,225",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000007d0"
              },
              {
                "name": "HandleName",
                "value": "C:\\Users\\admin\\AppData\\Local\\Microsoft\\Windows\\Explorer\\iconcache_idx.db"
              },
              {
                "name": "FileInformationClass",
                "value": "5",
                "pretty_value": "FileStandardInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\x00\\x80\\x00\\x00\\x00\\x00\\x00\\x000r\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 10345
          },
          {
            "timestamp": "2026-05-28 22:01:58,225",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000818"
              }
            ],
            "repeated": 0,
            "id": 10346
          },
          {
            "timestamp": "2026-05-28 22:01:58,225",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000818"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000400",
                "pretty_value": "PROCESS_QUERY_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "7912"
              }
            ],
            "repeated": 0,
            "id": 10347
          },
          {
            "timestamp": "2026-05-28 22:01:58,225",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x00000824"
              }
            ],
            "repeated": 0,
            "id": 10348
          },
          {
            "timestamp": "2026-05-28 22:01:58,225",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "@\\xec\\x17\\x9e\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\xe9\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb8\\x07\\x00\\x00\\x00\\x00\\x00\\x00 \\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x02\\x00\\x00\\x00\\x00\\x00\\x00]\\xddmu\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00:\t\\xcfLu\\xc0\\x00\\x00\\xe8p%T\\x92\\x02\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 10349
          },
          {
            "timestamp": "2026-05-28 22:01:58,225",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "synchronization",
            "api": "NtCreateMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000640"
              },
              {
                "name": "MutexName",
                "value": "Global\\C::Users:admin:AppData:Local:Microsoft:Windows:Explorer:iconcache_idx.db!rwReaderRefs"
              },
              {
                "name": "InitialOwner",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 10350
          },
          {
            "timestamp": "2026-05-28 22:01:58,225",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000824"
              }
            ],
            "repeated": 0,
            "id": 10351
          },
          {
            "timestamp": "2026-05-28 22:01:58,225",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000818"
              }
            ],
            "repeated": 0,
            "id": 10352
          },
          {
            "timestamp": "2026-05-28 22:01:58,225",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000640"
              }
            ],
            "repeated": 0,
            "id": 10353
          },
          {
            "timestamp": "2026-05-28 22:01:58,225",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\fontdrvhost.exe"
              }
            ],
            "repeated": 1,
            "id": 10354
          },
          {
            "timestamp": "2026-05-28 22:01:58,225",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29254bf0002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "c:\\windows\\system32\\fontdrvhost.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 10355
          },
          {
            "timestamp": "2026-05-28 22:01:58,225",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100001",
                "pretty_value": "FILE_READ_ACCESS|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\SystemResources\\fontdrvhost.exe.mun"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 10356
          },
          {
            "timestamp": "2026-05-28 22:01:58,225",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254bf0000"
              },
              {
                "name": "RegionSize",
                "value": "0x000d1000"
              }
            ],
            "repeated": 0,
            "id": 10357
          },
          {
            "timestamp": "2026-05-28 22:01:58,225",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\imageres.dll"
              }
            ],
            "repeated": 1,
            "id": 10358
          },
          {
            "timestamp": "2026-05-28 22:01:58,225",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29254bf0002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\system32\\imageres.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 10359
          },
          {
            "timestamp": "2026-05-28 22:01:58,225",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "registry",
            "api": "NtOpenKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\en-US"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\en-US"
              }
            ],
            "repeated": 0,
            "id": 10360
          },
          {
            "timestamp": "2026-05-28 22:01:58,225",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000640"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100001",
                "pretty_value": "FILE_READ_ACCESS|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\en-US\\imageres.dll.mui"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 10361
          },
          {
            "timestamp": "2026-05-28 22:01:58,225",
            "thread_id": "1496",
            "caller": "0x7ff6c28cd485",
            "parentcaller": "0x7ff6c292ec05",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254847000"
              },
              {
                "name": "RegionSize",
                "value": "0x00021000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 10362
          },
          {
            "timestamp": "2026-05-28 22:01:58,225",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000818"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000640"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\en-US\\imageres.dll.mui"
              }
            ],
            "repeated": 0,
            "id": 10363
          },
          {
            "timestamp": "2026-05-28 22:01:58,225",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000818"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254c00000"
              },
              {
                "name": "SectionOffset",
                "value": "0xf09e17cbc0"
              },
              {
                "name": "ViewSize",
                "value": "0x00001000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 10364
          },
          {
            "timestamp": "2026-05-28 22:01:58,225",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000818"
              }
            ],
            "repeated": 0,
            "id": 10365
          },
          {
            "timestamp": "2026-05-28 22:01:58,225",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000818"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100001",
                "pretty_value": "FILE_READ_ACCESS|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\SystemResources\\imageres.dll.mun"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 10366
          },
          {
            "timestamp": "2026-05-28 22:01:58,225",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000824"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000818"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\SystemResources\\imageres.dll.mun"
              }
            ],
            "repeated": 0,
            "id": 10367
          },
          {
            "timestamp": "2026-05-28 22:01:58,225",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000824"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254c10000"
              },
              {
                "name": "SectionOffset",
                "value": "0xf09e17cb70"
              },
              {
                "name": "ViewSize",
                "value": "0x013c0000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 10368
          },
          {
            "timestamp": "2026-05-28 22:01:58,225",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000824"
              }
            ],
            "repeated": 0,
            "id": 10369
          },
          {
            "timestamp": "2026-05-28 22:01:58,225",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "misc",
            "api": "FindResourceExW",
            "status": true,
            "return": "0x29254c32e40",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29254bf0002"
              },
              {
                "name": "Type",
                "value": "#14"
              },
              {
                "name": "Name",
                "value": "#15"
              },
              {
                "name": "Language",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 10370
          },
          {
            "timestamp": "2026-05-28 22:01:58,225",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "misc",
            "api": "LoadResource",
            "status": true,
            "return": "0x29254ca6950",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29254bf0002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29254c32e40"
              }
            ],
            "repeated": 0,
            "id": 10371
          },
          {
            "timestamp": "2026-05-28 22:01:58,225",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "misc",
            "api": "FindResourceExW",
            "status": true,
            "return": "0x29254c28940",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29254bf0002"
              },
              {
                "name": "Type",
                "value": "#3"
              },
              {
                "name": "Name",
                "value": "#63"
              },
              {
                "name": "Language",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 10372
          },
          {
            "timestamp": "2026-05-28 22:01:58,225",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "misc",
            "api": "SizeofResource",
            "status": true,
            "return": "0x00000468",
            "arguments": [
              {
                "name": "ModuleHandle",
                "value": "0x29254bf0002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29254c28940"
              }
            ],
            "repeated": 0,
            "id": 10373
          },
          {
            "timestamp": "2026-05-28 22:01:58,225",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "misc",
            "api": "LoadResource",
            "status": true,
            "return": "0x29254ca64e8",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29254bf0002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29254c28940"
              }
            ],
            "repeated": 0,
            "id": 10374
          },
          {
            "timestamp": "2026-05-28 22:01:58,225",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254c10000"
              },
              {
                "name": "RegionSize",
                "value": "0x013c0000"
              }
            ],
            "repeated": 0,
            "id": 10375
          },
          {
            "timestamp": "2026-05-28 22:01:58,225",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000818"
              }
            ],
            "repeated": 0,
            "id": 10376
          },
          {
            "timestamp": "2026-05-28 22:01:58,225",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254c00000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              }
            ],
            "repeated": 0,
            "id": 10377
          },
          {
            "timestamp": "2026-05-28 22:01:58,225",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000640"
              }
            ],
            "repeated": 0,
            "id": 10378
          },
          {
            "timestamp": "2026-05-28 22:01:58,225",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254bf0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00003000"
              }
            ],
            "repeated": 0,
            "id": 10379
          },
          {
            "timestamp": "2026-05-28 22:01:58,225",
            "thread_id": "1496",
            "caller": "0x7ff6c28cd4b8",
            "parentcaller": "0x7ff6c292ec05",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254868000"
              },
              {
                "name": "RegionSize",
                "value": "0x00009000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 10380
          },
          {
            "timestamp": "2026-05-28 22:01:58,225",
            "thread_id": "1496",
            "caller": "0x7ff6c293096e",
            "parentcaller": "0x7ff6c292ed2c",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254871000"
              },
              {
                "name": "RegionSize",
                "value": "0x00005000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 10381
          },
          {
            "timestamp": "2026-05-28 22:01:58,225",
            "thread_id": "1496",
            "caller": "0x7ff6c2930827",
            "parentcaller": "0x7ff6c292ed2c",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254876000"
              },
              {
                "name": "RegionSize",
                "value": "0x00011000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 10382
          },
          {
            "timestamp": "2026-05-28 22:01:58,240",
            "thread_id": "1496",
            "caller": "0x7ff6c28cd4b8",
            "parentcaller": "0x7ff6c292ec05",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254887000"
              },
              {
                "name": "RegionSize",
                "value": "0x00005000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 10383
          },
          {
            "timestamp": "2026-05-28 22:01:58,240",
            "thread_id": "1496",
            "caller": "0x7ff6c292fc86",
            "parentcaller": "0x7ff6c292ea1e",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2925488c000"
              },
              {
                "name": "RegionSize",
                "value": "0x00011000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 10384
          },
          {
            "timestamp": "2026-05-28 22:01:58,240",
            "thread_id": "1496",
            "caller": "0x7ff6c28da4af",
            "parentcaller": "0x7ff6c28cd4b8",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2925489d000"
              },
              {
                "name": "RegionSize",
                "value": "0x00011000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 10385
          },
          {
            "timestamp": "2026-05-28 22:01:58,240",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000640"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000400",
                "pretty_value": "PROCESS_QUERY_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "7912"
              }
            ],
            "repeated": 0,
            "id": 10386
          },
          {
            "timestamp": "2026-05-28 22:01:58,240",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x00000818"
              }
            ],
            "repeated": 0,
            "id": 10387
          },
          {
            "timestamp": "2026-05-28 22:01:58,240",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "0\\xec\\x17\\x9e\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\xe9\\x03\\x00\\x00\\xfc\\x7f\\x00\\x00@K\\x1cT\\x92\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x92\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00H\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00|\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 10388
          },
          {
            "timestamp": "2026-05-28 22:01:58,240",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "synchronization",
            "api": "NtCreateMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000824"
              },
              {
                "name": "MutexName",
                "value": "Global\\C::Users:admin:AppData:Local:Microsoft:Windows:Explorer:iconcache_idx.db!rwReaderRefs"
              },
              {
                "name": "InitialOwner",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 10389
          },
          {
            "timestamp": "2026-05-28 22:01:58,240",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000818"
              }
            ],
            "repeated": 0,
            "id": 10390
          },
          {
            "timestamp": "2026-05-28 22:01:58,240",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000640"
              }
            ],
            "repeated": 0,
            "id": 10391
          },
          {
            "timestamp": "2026-05-28 22:01:58,240",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000007d0"
              },
              {
                "name": "HandleName",
                "value": "C:\\Users\\admin\\AppData\\Local\\Microsoft\\Windows\\Explorer\\iconcache_idx.db"
              },
              {
                "name": "FileInformationClass",
                "value": "5",
                "pretty_value": "FileStandardInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\x00\\x80\\x00\\x00\\x00\\x00\\x00\\x000r\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 10392
          },
          {
            "timestamp": "2026-05-28 22:01:58,240",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000640"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000400",
                "pretty_value": "PROCESS_QUERY_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "7912"
              }
            ],
            "repeated": 0,
            "id": 10393
          },
          {
            "timestamp": "2026-05-28 22:01:58,240",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x00000818"
              }
            ],
            "repeated": 0,
            "id": 10394
          },
          {
            "timestamp": "2026-05-28 22:01:58,240",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xf0\\xec\\x17\\x9e\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\xe9\\x03\\x00\\x00\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00i\\xef\\x17\\x9e\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00T\\x82*_\\xfc\\x7f\\x00\\x004\\x006\\x00a\\x00c\\x008\\x00\\x00\\x00\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x000\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00h\\xee\\x17\\x9e\\xf0\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 10395
          },
          {
            "timestamp": "2026-05-28 22:01:58,240",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "synchronization",
            "api": "NtCreateMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000820"
              },
              {
                "name": "MutexName",
                "value": "Global\\C::Users:admin:AppData:Local:Microsoft:Windows:Explorer:iconcache_idx.db!046ac8"
              },
              {
                "name": "InitialOwner",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 10396
          },
          {
            "timestamp": "2026-05-28 22:01:58,240",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000818"
              }
            ],
            "repeated": 0,
            "id": 10397
          },
          {
            "timestamp": "2026-05-28 22:01:58,240",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000640"
              }
            ],
            "repeated": 0,
            "id": 10398
          },
          {
            "timestamp": "2026-05-28 22:01:58,240",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000610"
              },
              {
                "name": "HandleName",
                "value": "C:\\Users\\admin\\AppData\\Local\\Microsoft\\Windows\\Explorer\\iconcache_16.db"
              },
              {
                "name": "FileInformationClass",
                "value": "5",
                "pretty_value": "FileStandardInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 10399
          },
          {
            "timestamp": "2026-05-28 22:01:58,240",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000824"
              }
            ],
            "repeated": 0,
            "id": 10400
          },
          {
            "timestamp": "2026-05-28 22:01:58,240",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000824"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000400",
                "pretty_value": "PROCESS_QUERY_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "7912"
              }
            ],
            "repeated": 0,
            "id": 10401
          },
          {
            "timestamp": "2026-05-28 22:01:58,240",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x00000640"
              }
            ],
            "repeated": 0,
            "id": 10402
          },
          {
            "timestamp": "2026-05-28 22:01:58,240",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\xed\\x17\\x9e\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\xe9\\x03\\x00\\x00\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xa0\\xed\\x17\\x9e\\xf0\\x00\\x00\\x00H\\xef\\x17\\x9e\\xf0\\x00\\x00\\x00\\xc8j\\xb3T\\x92\\x02\\x00\\x00\\x80\\xed\\x17\\x9e\\xf0\\x00\\x00\\x00\\xd0\\xed\\x17\\x9e\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xf0\\x00\\x00\\x00\\x00\\x00\\xafT\\x92\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00u\\xc0\\x00\\x00\\x00\\x00\\xafT\\x92\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 10403
          },
          {
            "timestamp": "2026-05-28 22:01:58,240",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "synchronization",
            "api": "NtCreateMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000818"
              },
              {
                "name": "MutexName",
                "value": "Global\\C::Users:admin:AppData:Local:Microsoft:Windows:Explorer:iconcache_idx.db!rwReaderRefs"
              },
              {
                "name": "InitialOwner",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 10404
          },
          {
            "timestamp": "2026-05-28 22:01:58,240",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000640"
              }
            ],
            "repeated": 0,
            "id": 10405
          },
          {
            "timestamp": "2026-05-28 22:01:58,240",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000824"
              }
            ],
            "repeated": 0,
            "id": 10406
          },
          {
            "timestamp": "2026-05-28 22:01:58,240",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000818"
              }
            ],
            "repeated": 0,
            "id": 10407
          },
          {
            "timestamp": "2026-05-28 22:01:58,240",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000820"
              }
            ],
            "repeated": 0,
            "id": 10408
          },
          {
            "timestamp": "2026-05-28 22:01:58,240",
            "thread_id": "1496",
            "caller": "0x7ff6c28da46e",
            "parentcaller": "0x7ff6c28cd4b8",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x292548ae000"
              },
              {
                "name": "RegionSize",
                "value": "0x00011000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 10409
          },
          {
            "timestamp": "2026-05-28 22:01:58,240",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000820"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000400",
                "pretty_value": "PROCESS_QUERY_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "7912"
              }
            ],
            "repeated": 0,
            "id": 10410
          },
          {
            "timestamp": "2026-05-28 22:01:58,240",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x00000818"
              }
            ],
            "repeated": 0,
            "id": 10411
          },
          {
            "timestamp": "2026-05-28 22:01:58,240",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "0\\xec\\x17\\x9e\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\xe9\\x03\\x00\\x00\\xfc\\x7f\\x00\\x00`^\\xe8S\\x92\\x02\\x00\\x00\\xb0\\xf2\\x17\\x9e\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x84\\x00\\x00\\x00\\x00\\x00\\x00\\x00H\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 10412
          },
          {
            "timestamp": "2026-05-28 22:01:58,240",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "synchronization",
            "api": "NtCreateMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000824"
              },
              {
                "name": "MutexName",
                "value": "Global\\C::Users:admin:AppData:Local:Microsoft:Windows:Explorer:iconcache_idx.db!rwReaderRefs"
              },
              {
                "name": "InitialOwner",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 10413
          },
          {
            "timestamp": "2026-05-28 22:01:58,240",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000818"
              }
            ],
            "repeated": 0,
            "id": 10414
          },
          {
            "timestamp": "2026-05-28 22:01:58,240",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000820"
              }
            ],
            "repeated": 0,
            "id": 10415
          },
          {
            "timestamp": "2026-05-28 22:01:58,240",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000007d0"
              },
              {
                "name": "HandleName",
                "value": "C:\\Users\\admin\\AppData\\Local\\Microsoft\\Windows\\Explorer\\iconcache_idx.db"
              },
              {
                "name": "FileInformationClass",
                "value": "5",
                "pretty_value": "FileStandardInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\x00\\x80\\x00\\x00\\x00\\x00\\x00\\x000r\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 10416
          },
          {
            "timestamp": "2026-05-28 22:01:58,240",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000820"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000400",
                "pretty_value": "PROCESS_QUERY_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "7912"
              }
            ],
            "repeated": 0,
            "id": 10417
          },
          {
            "timestamp": "2026-05-28 22:01:58,240",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x0000081c"
              }
            ],
            "repeated": 0,
            "id": 10418
          },
          {
            "timestamp": "2026-05-28 22:01:58,240",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xf0\\xec\\x17\\x9e\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\xe9\\x03\\x00\\x00\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00i\\xef\\x17\\x9e\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00T\\x82*_\\xfc\\x7f\\x00\\x004\\x00a\\x001\\x001\\x008\\x00\\x00\\x00\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x000\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00h\\xee\\x17\\x9e\\xf0\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 10419
          },
          {
            "timestamp": "2026-05-28 22:01:58,240",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "synchronization",
            "api": "NtCreateMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000814"
              },
              {
                "name": "MutexName",
                "value": "Global\\C::Users:admin:AppData:Local:Microsoft:Windows:Explorer:iconcache_idx.db!04a118"
              },
              {
                "name": "InitialOwner",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 10420
          },
          {
            "timestamp": "2026-05-28 22:01:58,240",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000081c"
              }
            ],
            "repeated": 0,
            "id": 10421
          },
          {
            "timestamp": "2026-05-28 22:01:58,240",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000820"
              }
            ],
            "repeated": 0,
            "id": 10422
          },
          {
            "timestamp": "2026-05-28 22:01:58,240",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000610"
              },
              {
                "name": "HandleName",
                "value": "C:\\Users\\admin\\AppData\\Local\\Microsoft\\Windows\\Explorer\\iconcache_16.db"
              },
              {
                "name": "FileInformationClass",
                "value": "5",
                "pretty_value": "FileStandardInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 10423
          },
          {
            "timestamp": "2026-05-28 22:01:58,240",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000824"
              }
            ],
            "repeated": 0,
            "id": 10424
          },
          {
            "timestamp": "2026-05-28 22:01:58,240",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000824"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000400",
                "pretty_value": "PROCESS_QUERY_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "7912"
              }
            ],
            "repeated": 0,
            "id": 10425
          },
          {
            "timestamp": "2026-05-28 22:01:58,240",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x00000820"
              }
            ],
            "repeated": 0,
            "id": 10426
          },
          {
            "timestamp": "2026-05-28 22:01:58,240",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\xed\\x17\\x9e\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\xe9\\x03\\x00\\x00\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xa0\\xed\\x17\\x9e\\xf0\\x00\\x00\\x00H\\xef\\x17\\x9e\\xf0\\x00\\x00\\x00\\x18\\xa1\\xb3T\\x92\\x02\\x00\\x00\\x80\\xed\\x17\\x9e\\xf0\\x00\\x00\\x00\\xd0\\xed\\x17\\x9e\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xf0\\x00\\x00\\x00\\x00\\x00\\xafT\\x92\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00u\\xc0\\x00\\x00\\x00\\x00\\xafT\\x92\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 10427
          },
          {
            "timestamp": "2026-05-28 22:01:58,240",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "synchronization",
            "api": "NtCreateMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000081c"
              },
              {
                "name": "MutexName",
                "value": "Global\\C::Users:admin:AppData:Local:Microsoft:Windows:Explorer:iconcache_idx.db!rwReaderRefs"
              },
              {
                "name": "InitialOwner",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 10428
          },
          {
            "timestamp": "2026-05-28 22:01:58,240",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000820"
              }
            ],
            "repeated": 0,
            "id": 10429
          },
          {
            "timestamp": "2026-05-28 22:01:58,240",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000824"
              }
            ],
            "repeated": 0,
            "id": 10430
          },
          {
            "timestamp": "2026-05-28 22:01:58,240",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000081c"
              }
            ],
            "repeated": 0,
            "id": 10431
          },
          {
            "timestamp": "2026-05-28 22:01:58,240",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000814"
              }
            ],
            "repeated": 0,
            "id": 10432
          },
          {
            "timestamp": "2026-05-28 22:01:58,240",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000814"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000400",
                "pretty_value": "PROCESS_QUERY_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "7912"
              }
            ],
            "repeated": 0,
            "id": 10433
          },
          {
            "timestamp": "2026-05-28 22:01:58,240",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x0000081c"
              }
            ],
            "repeated": 0,
            "id": 10434
          },
          {
            "timestamp": "2026-05-28 22:01:58,240",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "0\\xec\\x17\\x9e\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\xe9\\x03\\x00\\x00\\xfc\\x7f\\x00\\x00`^\\xe8S\\x92\\x02\\x00\\x00\\xb0\\xf2\\x17\\x9e\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x85\\x00\\x00\\x00\\x00\\x00\\x00\\x00H\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 10435
          },
          {
            "timestamp": "2026-05-28 22:01:58,240",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "synchronization",
            "api": "NtCreateMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000824"
              },
              {
                "name": "MutexName",
                "value": "Global\\C::Users:admin:AppData:Local:Microsoft:Windows:Explorer:iconcache_idx.db!rwReaderRefs"
              },
              {
                "name": "InitialOwner",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 10436
          },
          {
            "timestamp": "2026-05-28 22:01:58,240",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000081c"
              }
            ],
            "repeated": 0,
            "id": 10437
          },
          {
            "timestamp": "2026-05-28 22:01:58,240",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000814"
              }
            ],
            "repeated": 0,
            "id": 10438
          },
          {
            "timestamp": "2026-05-28 22:01:58,240",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000007d0"
              },
              {
                "name": "HandleName",
                "value": "C:\\Users\\admin\\AppData\\Local\\Microsoft\\Windows\\Explorer\\iconcache_idx.db"
              },
              {
                "name": "FileInformationClass",
                "value": "5",
                "pretty_value": "FileStandardInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\x00\\x80\\x00\\x00\\x00\\x00\\x00\\x000r\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 10439
          },
          {
            "timestamp": "2026-05-28 22:01:58,240",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000824"
              }
            ],
            "repeated": 0,
            "id": 10440
          },
          {
            "timestamp": "2026-05-28 22:01:58,240",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000824"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000400",
                "pretty_value": "PROCESS_QUERY_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "7912"
              }
            ],
            "repeated": 0,
            "id": 10441
          },
          {
            "timestamp": "2026-05-28 22:01:58,240",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x00000814"
              }
            ],
            "repeated": 0,
            "id": 10442
          },
          {
            "timestamp": "2026-05-28 22:01:58,240",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "@\\xec\\x17\\x9e\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\xe9\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb8\\x07\\x00\\x00\\x00\\x00\\x00\\x00 \\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x02\\x00\\x00\\x00\\x00\\x00\\x00]\\xddmu\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00:\t\\xcfLu\\xc0\\x00\\x00\\xe8p%T\\x92\\x02\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 10443
          },
          {
            "timestamp": "2026-05-28 22:01:58,240",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "synchronization",
            "api": "NtCreateMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000081c"
              },
              {
                "name": "MutexName",
                "value": "Global\\C::Users:admin:AppData:Local:Microsoft:Windows:Explorer:iconcache_idx.db!rwReaderRefs"
              },
              {
                "name": "InitialOwner",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 10444
          },
          {
            "timestamp": "2026-05-28 22:01:58,240",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000814"
              }
            ],
            "repeated": 0,
            "id": 10445
          },
          {
            "timestamp": "2026-05-28 22:01:58,240",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000824"
              }
            ],
            "repeated": 0,
            "id": 10446
          },
          {
            "timestamp": "2026-05-28 22:01:58,240",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000081c"
              }
            ],
            "repeated": 0,
            "id": 10447
          },
          {
            "timestamp": "2026-05-28 22:01:58,240",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\sihost.exe"
              }
            ],
            "repeated": 1,
            "id": 10448
          },
          {
            "timestamp": "2026-05-28 22:01:58,240",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29254bf0002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "c:\\windows\\system32\\sihost.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 10449
          },
          {
            "timestamp": "2026-05-28 22:01:58,240",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100001",
                "pretty_value": "FILE_READ_ACCESS|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\SystemResources\\sihost.exe.mun"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 10450
          },
          {
            "timestamp": "2026-05-28 22:01:58,240",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254bf0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00021000"
              }
            ],
            "repeated": 0,
            "id": 10451
          },
          {
            "timestamp": "2026-05-28 22:01:58,240",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\imageres.dll"
              }
            ],
            "repeated": 1,
            "id": 10452
          },
          {
            "timestamp": "2026-05-28 22:01:58,240",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29254bf0002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\system32\\imageres.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 10453
          },
          {
            "timestamp": "2026-05-28 22:01:58,240",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "registry",
            "api": "NtOpenKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\en-US"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\en-US"
              }
            ],
            "repeated": 0,
            "id": 10454
          },
          {
            "timestamp": "2026-05-28 22:01:58,240",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x0000081c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100001",
                "pretty_value": "FILE_READ_ACCESS|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\en-US\\imageres.dll.mui"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 10455
          },
          {
            "timestamp": "2026-05-28 22:01:58,240",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000824"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x0000081c"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\en-US\\imageres.dll.mui"
              }
            ],
            "repeated": 0,
            "id": 10456
          },
          {
            "timestamp": "2026-05-28 22:01:58,240",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000824"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254c00000"
              },
              {
                "name": "SectionOffset",
                "value": "0xf09e17cbc0"
              },
              {
                "name": "ViewSize",
                "value": "0x00001000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 10457
          },
          {
            "timestamp": "2026-05-28 22:01:58,240",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000824"
              }
            ],
            "repeated": 0,
            "id": 10458
          },
          {
            "timestamp": "2026-05-28 22:01:58,240",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000824"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100001",
                "pretty_value": "FILE_READ_ACCESS|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\SystemResources\\imageres.dll.mun"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 10459
          },
          {
            "timestamp": "2026-05-28 22:01:58,240",
            "thread_id": "1496",
            "caller": "0x7ff6c291770c",
            "parentcaller": "0x7ff6c28ec70f",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x292548bf000"
              },
              {
                "name": "RegionSize",
                "value": "0x00005000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 10460
          },
          {
            "timestamp": "2026-05-28 22:01:58,240",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000814"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000824"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\SystemResources\\imageres.dll.mun"
              }
            ],
            "repeated": 0,
            "id": 10461
          },
          {
            "timestamp": "2026-05-28 22:01:58,240",
            "thread_id": "1496",
            "caller": "0x7ff6c291770c",
            "parentcaller": "0x7ff6c28ec70f",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x292548cd000"
              },
              {
                "name": "RegionSize",
                "value": "0x00012000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 10462
          },
          {
            "timestamp": "2026-05-28 22:01:58,240",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000814"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254c10000"
              },
              {
                "name": "SectionOffset",
                "value": "0xf09e17cb70"
              },
              {
                "name": "ViewSize",
                "value": "0x013c0000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 10463
          },
          {
            "timestamp": "2026-05-28 22:01:58,240",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000814"
              }
            ],
            "repeated": 0,
            "id": 10464
          },
          {
            "timestamp": "2026-05-28 22:01:58,240",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "misc",
            "api": "FindResourceExW",
            "status": true,
            "return": "0x29254c32e40",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29254bf0002"
              },
              {
                "name": "Type",
                "value": "#14"
              },
              {
                "name": "Name",
                "value": "#15"
              },
              {
                "name": "Language",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 10465
          },
          {
            "timestamp": "2026-05-28 22:01:58,240",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "misc",
            "api": "LoadResource",
            "status": true,
            "return": "0x29254ca6950",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29254bf0002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29254c32e40"
              }
            ],
            "repeated": 0,
            "id": 10466
          },
          {
            "timestamp": "2026-05-28 22:01:58,240",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "misc",
            "api": "FindResourceExW",
            "status": true,
            "return": "0x29254c28940",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29254bf0002"
              },
              {
                "name": "Type",
                "value": "#3"
              },
              {
                "name": "Name",
                "value": "#63"
              },
              {
                "name": "Language",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 10467
          },
          {
            "timestamp": "2026-05-28 22:01:58,240",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "misc",
            "api": "SizeofResource",
            "status": true,
            "return": "0x00000468",
            "arguments": [
              {
                "name": "ModuleHandle",
                "value": "0x29254bf0002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29254c28940"
              }
            ],
            "repeated": 0,
            "id": 10468
          },
          {
            "timestamp": "2026-05-28 22:01:58,240",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "misc",
            "api": "LoadResource",
            "status": true,
            "return": "0x29254ca64e8",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29254bf0002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29254c28940"
              }
            ],
            "repeated": 0,
            "id": 10469
          },
          {
            "timestamp": "2026-05-28 22:01:58,240",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254c10000"
              },
              {
                "name": "RegionSize",
                "value": "0x013c0000"
              }
            ],
            "repeated": 0,
            "id": 10470
          },
          {
            "timestamp": "2026-05-28 22:01:58,240",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000824"
              }
            ],
            "repeated": 0,
            "id": 10471
          },
          {
            "timestamp": "2026-05-28 22:01:58,240",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254c00000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              }
            ],
            "repeated": 0,
            "id": 10472
          },
          {
            "timestamp": "2026-05-28 22:01:58,240",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000081c"
              }
            ],
            "repeated": 0,
            "id": 10473
          },
          {
            "timestamp": "2026-05-28 22:01:58,240",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254bf0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00003000"
              }
            ],
            "repeated": 0,
            "id": 10474
          },
          {
            "timestamp": "2026-05-28 22:01:58,240",
            "thread_id": "1496",
            "caller": "0x7ff6c291770c",
            "parentcaller": "0x7ff6c28ec70f",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x292548df000"
              },
              {
                "name": "RegionSize",
                "value": "0x00024000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 10475
          },
          {
            "timestamp": "2026-05-28 22:01:58,240",
            "thread_id": "1496",
            "caller": "0x7ff6c291770c",
            "parentcaller": "0x7ff6c28ec70f",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254903000"
              },
              {
                "name": "RegionSize",
                "value": "0x00047000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 10476
          },
          {
            "timestamp": "2026-05-28 22:01:58,240",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x0000081c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000400",
                "pretty_value": "PROCESS_QUERY_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "7912"
              }
            ],
            "repeated": 0,
            "id": 10477
          },
          {
            "timestamp": "2026-05-28 22:01:58,240",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x00000824"
              }
            ],
            "repeated": 0,
            "id": 10478
          },
          {
            "timestamp": "2026-05-28 22:01:58,240",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "0\\xec\\x17\\x9e\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\xe9\\x03\\x00\\x00\\xfc\\x7f\\x00\\x00`^\\xe8S\\x92\\x02\\x00\\x00\\xb0\\xf2\\x17\\x9e\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x86\\x00\\x00\\x00\\x00\\x00\\x00\\x00H\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 10479
          },
          {
            "timestamp": "2026-05-28 22:01:58,240",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "synchronization",
            "api": "NtCreateMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000818"
              },
              {
                "name": "MutexName",
                "value": "Global\\C::Users:admin:AppData:Local:Microsoft:Windows:Explorer:iconcache_idx.db!rwReaderRefs"
              },
              {
                "name": "InitialOwner",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 10480
          },
          {
            "timestamp": "2026-05-28 22:01:58,240",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000824"
              }
            ],
            "repeated": 0,
            "id": 10481
          },
          {
            "timestamp": "2026-05-28 22:01:58,240",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000081c"
              }
            ],
            "repeated": 0,
            "id": 10482
          },
          {
            "timestamp": "2026-05-28 22:01:58,240",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000007d0"
              },
              {
                "name": "HandleName",
                "value": "C:\\Users\\admin\\AppData\\Local\\Microsoft\\Windows\\Explorer\\iconcache_idx.db"
              },
              {
                "name": "FileInformationClass",
                "value": "5",
                "pretty_value": "FileStandardInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\x00\\x80\\x00\\x00\\x00\\x00\\x00\\x000r\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 10483
          },
          {
            "timestamp": "2026-05-28 22:01:58,240",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000818"
              }
            ],
            "repeated": 0,
            "id": 10484
          },
          {
            "timestamp": "2026-05-28 22:01:58,240",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000818"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000400",
                "pretty_value": "PROCESS_QUERY_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "7912"
              }
            ],
            "repeated": 0,
            "id": 10485
          },
          {
            "timestamp": "2026-05-28 22:01:58,240",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x0000081c"
              }
            ],
            "repeated": 0,
            "id": 10486
          },
          {
            "timestamp": "2026-05-28 22:01:58,240",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "@\\xec\\x17\\x9e\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\xe9\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb8\\x07\\x00\\x00\\x00\\x00\\x00\\x00 \\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x02\\x00\\x00\\x00\\x00\\x00\\x00]\\xddmu\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00:\t\\xcfLu\\xc0\\x00\\x00\\xe8p%T\\x92\\x02\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 10487
          },
          {
            "timestamp": "2026-05-28 22:01:58,240",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "synchronization",
            "api": "NtCreateMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000824"
              },
              {
                "name": "MutexName",
                "value": "Global\\C::Users:admin:AppData:Local:Microsoft:Windows:Explorer:iconcache_idx.db!rwReaderRefs"
              },
              {
                "name": "InitialOwner",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 10488
          },
          {
            "timestamp": "2026-05-28 22:01:58,240",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000081c"
              }
            ],
            "repeated": 0,
            "id": 10489
          },
          {
            "timestamp": "2026-05-28 22:01:58,240",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000818"
              }
            ],
            "repeated": 0,
            "id": 10490
          },
          {
            "timestamp": "2026-05-28 22:01:58,240",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000824"
              }
            ],
            "repeated": 0,
            "id": 10491
          },
          {
            "timestamp": "2026-05-28 22:01:58,240",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\taskhostw.exe"
              }
            ],
            "repeated": 1,
            "id": 10492
          },
          {
            "timestamp": "2026-05-28 22:01:58,240",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29254bf0002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "c:\\windows\\system32\\taskhostw.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 10493
          },
          {
            "timestamp": "2026-05-28 22:01:58,240",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100001",
                "pretty_value": "FILE_READ_ACCESS|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\SystemResources\\taskhostw.exe.mun"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 10494
          },
          {
            "timestamp": "2026-05-28 22:01:58,240",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254bf0000"
              },
              {
                "name": "RegionSize",
                "value": "0x0001a000"
              }
            ],
            "repeated": 0,
            "id": 10495
          },
          {
            "timestamp": "2026-05-28 22:01:58,240",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\imageres.dll"
              }
            ],
            "repeated": 1,
            "id": 10496
          },
          {
            "timestamp": "2026-05-28 22:01:58,240",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29254bf0002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\system32\\imageres.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 10497
          },
          {
            "timestamp": "2026-05-28 22:01:58,240",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "registry",
            "api": "NtOpenKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\en-US"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\en-US"
              }
            ],
            "repeated": 0,
            "id": 10498
          },
          {
            "timestamp": "2026-05-28 22:01:58,240",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000824"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100001",
                "pretty_value": "FILE_READ_ACCESS|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\en-US\\imageres.dll.mui"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 10499
          },
          {
            "timestamp": "2026-05-28 22:01:58,240",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000818"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000824"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\en-US\\imageres.dll.mui"
              }
            ],
            "repeated": 0,
            "id": 10500
          },
          {
            "timestamp": "2026-05-28 22:01:58,240",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000818"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254c00000"
              },
              {
                "name": "SectionOffset",
                "value": "0xf09e17cbc0"
              },
              {
                "name": "ViewSize",
                "value": "0x00001000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 10501
          },
          {
            "timestamp": "2026-05-28 22:01:58,240",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000818"
              }
            ],
            "repeated": 0,
            "id": 10502
          },
          {
            "timestamp": "2026-05-28 22:01:58,240",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000818"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100001",
                "pretty_value": "FILE_READ_ACCESS|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\SystemResources\\imageres.dll.mun"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 10503
          },
          {
            "timestamp": "2026-05-28 22:01:58,240",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x0000081c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000818"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\SystemResources\\imageres.dll.mun"
              }
            ],
            "repeated": 0,
            "id": 10504
          },
          {
            "timestamp": "2026-05-28 22:01:58,240",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x0000081c"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254c10000"
              },
              {
                "name": "SectionOffset",
                "value": "0xf09e17cb70"
              },
              {
                "name": "ViewSize",
                "value": "0x013c0000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 10505
          },
          {
            "timestamp": "2026-05-28 22:01:58,240",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000081c"
              }
            ],
            "repeated": 0,
            "id": 10506
          },
          {
            "timestamp": "2026-05-28 22:01:58,240",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "misc",
            "api": "FindResourceExW",
            "status": true,
            "return": "0x29254c32e40",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29254bf0002"
              },
              {
                "name": "Type",
                "value": "#14"
              },
              {
                "name": "Name",
                "value": "#15"
              },
              {
                "name": "Language",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 10507
          },
          {
            "timestamp": "2026-05-28 22:01:58,240",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "misc",
            "api": "LoadResource",
            "status": true,
            "return": "0x29254ca6950",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29254bf0002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29254c32e40"
              }
            ],
            "repeated": 0,
            "id": 10508
          },
          {
            "timestamp": "2026-05-28 22:01:58,240",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "misc",
            "api": "FindResourceExW",
            "status": true,
            "return": "0x29254c28940",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29254bf0002"
              },
              {
                "name": "Type",
                "value": "#3"
              },
              {
                "name": "Name",
                "value": "#63"
              },
              {
                "name": "Language",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 10509
          },
          {
            "timestamp": "2026-05-28 22:01:58,240",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "misc",
            "api": "SizeofResource",
            "status": true,
            "return": "0x00000468",
            "arguments": [
              {
                "name": "ModuleHandle",
                "value": "0x29254bf0002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29254c28940"
              }
            ],
            "repeated": 0,
            "id": 10510
          },
          {
            "timestamp": "2026-05-28 22:01:58,240",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "misc",
            "api": "LoadResource",
            "status": true,
            "return": "0x29254ca64e8",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29254bf0002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29254c28940"
              }
            ],
            "repeated": 0,
            "id": 10511
          },
          {
            "timestamp": "2026-05-28 22:01:58,240",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254c10000"
              },
              {
                "name": "RegionSize",
                "value": "0x013c0000"
              }
            ],
            "repeated": 0,
            "id": 10512
          },
          {
            "timestamp": "2026-05-28 22:01:58,240",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000818"
              }
            ],
            "repeated": 0,
            "id": 10513
          },
          {
            "timestamp": "2026-05-28 22:01:58,240",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254c00000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              }
            ],
            "repeated": 0,
            "id": 10514
          },
          {
            "timestamp": "2026-05-28 22:01:58,240",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000824"
              }
            ],
            "repeated": 0,
            "id": 10515
          },
          {
            "timestamp": "2026-05-28 22:01:58,240",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254bf0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00003000"
              }
            ],
            "repeated": 0,
            "id": 10516
          },
          {
            "timestamp": "2026-05-28 22:01:58,240",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000814"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000400",
                "pretty_value": "PROCESS_QUERY_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "7912"
              }
            ],
            "repeated": 0,
            "id": 10517
          },
          {
            "timestamp": "2026-05-28 22:01:58,240",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x00000820"
              }
            ],
            "repeated": 0,
            "id": 10518
          },
          {
            "timestamp": "2026-05-28 22:01:58,240",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "0\\xec\\x17\\x9e\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\xe9\\x03\\x00\\x00\\xfc\\x7f\\x00\\x00`^\\xe8S\\x92\\x02\\x00\\x00\\xb0\\xf2\\x17\\x9e\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x87\\x00\\x00\\x00\\x00\\x00\\x00\\x00H\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 10519
          },
          {
            "timestamp": "2026-05-28 22:01:58,240",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "synchronization",
            "api": "NtCreateMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000810"
              },
              {
                "name": "MutexName",
                "value": "Global\\C::Users:admin:AppData:Local:Microsoft:Windows:Explorer:iconcache_idx.db!rwReaderRefs"
              },
              {
                "name": "InitialOwner",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 10520
          },
          {
            "timestamp": "2026-05-28 22:01:58,240",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000820"
              }
            ],
            "repeated": 0,
            "id": 10521
          },
          {
            "timestamp": "2026-05-28 22:01:58,240",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000814"
              }
            ],
            "repeated": 0,
            "id": 10522
          },
          {
            "timestamp": "2026-05-28 22:01:58,240",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000007d0"
              },
              {
                "name": "HandleName",
                "value": "C:\\Users\\admin\\AppData\\Local\\Microsoft\\Windows\\Explorer\\iconcache_idx.db"
              },
              {
                "name": "FileInformationClass",
                "value": "5",
                "pretty_value": "FileStandardInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\x00\\x80\\x00\\x00\\x00\\x00\\x00\\x000r\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 10523
          },
          {
            "timestamp": "2026-05-28 22:01:58,240",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000814"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000400",
                "pretty_value": "PROCESS_QUERY_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "7912"
              }
            ],
            "repeated": 0,
            "id": 10524
          },
          {
            "timestamp": "2026-05-28 22:01:58,240",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x00000820"
              }
            ],
            "repeated": 0,
            "id": 10525
          },
          {
            "timestamp": "2026-05-28 22:01:58,240",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xf0\\xec\\x17\\x9e\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\xe9\\x03\\x00\\x00\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00i\\xef\\x17\\x9e\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00T\\x82*_\\xfc\\x7f\\x00\\x004\\x00b\\x004\\x00d\\x008\\x00\\x00\\x00\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x000\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00h\\xee\\x17\\x9e\\xf0\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 10526
          },
          {
            "timestamp": "2026-05-28 22:01:58,240",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "synchronization",
            "api": "NtCreateMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000080c"
              },
              {
                "name": "MutexName",
                "value": "Global\\C::Users:admin:AppData:Local:Microsoft:Windows:Explorer:iconcache_idx.db!04b4d8"
              },
              {
                "name": "InitialOwner",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 10527
          },
          {
            "timestamp": "2026-05-28 22:01:58,240",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000820"
              }
            ],
            "repeated": 0,
            "id": 10528
          },
          {
            "timestamp": "2026-05-28 22:01:58,240",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000814"
              }
            ],
            "repeated": 0,
            "id": 10529
          },
          {
            "timestamp": "2026-05-28 22:01:58,256",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000610"
              },
              {
                "name": "HandleName",
                "value": "C:\\Users\\admin\\AppData\\Local\\Microsoft\\Windows\\Explorer\\iconcache_16.db"
              },
              {
                "name": "FileInformationClass",
                "value": "5",
                "pretty_value": "FileStandardInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 10530
          },
          {
            "timestamp": "2026-05-28 22:01:58,256",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000810"
              }
            ],
            "repeated": 0,
            "id": 10531
          },
          {
            "timestamp": "2026-05-28 22:01:58,256",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000810"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000400",
                "pretty_value": "PROCESS_QUERY_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "7912"
              }
            ],
            "repeated": 0,
            "id": 10532
          },
          {
            "timestamp": "2026-05-28 22:01:58,256",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x00000814"
              }
            ],
            "repeated": 0,
            "id": 10533
          },
          {
            "timestamp": "2026-05-28 22:01:58,256",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\xed\\x17\\x9e\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\xe9\\x03\\x00\\x00\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xa0\\xed\\x17\\x9e\\xf0\\x00\\x00\\x00H\\xef\\x17\\x9e\\xf0\\x00\\x00\\x00\\xd8\\xb4\\xb3T\\x92\\x02\\x00\\x00\\x80\\xed\\x17\\x9e\\xf0\\x00\\x00\\x00\\xd0\\xed\\x17\\x9e\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xf0\\x00\\x00\\x00\\x00\\x00\\xafT\\x92\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00u\\xc0\\x00\\x00\\x00\\x00\\xafT\\x92\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 10534
          },
          {
            "timestamp": "2026-05-28 22:01:58,256",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "synchronization",
            "api": "NtCreateMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000824"
              },
              {
                "name": "MutexName",
                "value": "Global\\C::Users:admin:AppData:Local:Microsoft:Windows:Explorer:iconcache_idx.db!rwReaderRefs"
              },
              {
                "name": "InitialOwner",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 10535
          },
          {
            "timestamp": "2026-05-28 22:01:58,256",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000814"
              }
            ],
            "repeated": 0,
            "id": 10536
          },
          {
            "timestamp": "2026-05-28 22:01:58,256",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000810"
              }
            ],
            "repeated": 0,
            "id": 10537
          },
          {
            "timestamp": "2026-05-28 22:01:58,256",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000824"
              }
            ],
            "repeated": 0,
            "id": 10538
          },
          {
            "timestamp": "2026-05-28 22:01:58,256",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000080c"
              }
            ],
            "repeated": 0,
            "id": 10539
          },
          {
            "timestamp": "2026-05-28 22:01:58,256",
            "thread_id": "1276",
            "caller": "0x7ff6c28ba417",
            "parentcaller": "0x7ff6c28ba33d",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\SystemApps\\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\\Assets\\smalllogo.scale-100.png"
              }
            ],
            "repeated": 0,
            "id": 10540
          },
          {
            "timestamp": "2026-05-28 22:01:58,256",
            "thread_id": "1276",
            "caller": "0x7ff6c28ba417",
            "parentcaller": "0x7ff6c28ba33d",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000820"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\SystemApps\\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\\Assets\\smalllogo.scale-100.png"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "1",
                "pretty_value": "FILE_SHARE_READ"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 10541
          },
          {
            "timestamp": "2026-05-28 22:01:58,256",
            "thread_id": "1276",
            "caller": "0x7ff6c28ba417",
            "parentcaller": "0x7ff6c28ba33d",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000824"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000820"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\SystemApps\\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\\Assets\\SmallLogo.scale-100.png"
              }
            ],
            "repeated": 0,
            "id": 10542
          },
          {
            "timestamp": "2026-05-28 22:01:58,256",
            "thread_id": "1276",
            "caller": "0x7ff6c28ba417",
            "parentcaller": "0x7ff6c28ba33d",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000824"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254bf0000"
              },
              {
                "name": "SectionOffset",
                "value": "0xf09e17ed00"
              },
              {
                "name": "ViewSize",
                "value": "0x00001000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 10543
          },
          {
            "timestamp": "2026-05-28 22:01:58,256",
            "thread_id": "1276",
            "caller": "0x7ff6c28ba417",
            "parentcaller": "0x7ff6c28ba33d",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000820"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\SystemApps\\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\\Assets\\SmallLogo.scale-100.png"
              },
              {
                "name": "FileInformationClass",
                "value": "5",
                "pretty_value": "FileStandardInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\xb8\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb4\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 10544
          },
          {
            "timestamp": "2026-05-28 22:01:58,256",
            "thread_id": "1276",
            "caller": "0x7ff6c28ba417",
            "parentcaller": "0x7ff6c28ba33d",
            "category": "process",
            "api": "NtUnmapViewOfSectionEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254bf0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Flags",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 10545
          },
          {
            "timestamp": "2026-05-28 22:01:58,256",
            "thread_id": "1276",
            "caller": "0x7ff6c28ba417",
            "parentcaller": "0x7ff6c28ba33d",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000824"
              }
            ],
            "repeated": 0,
            "id": 10546
          },
          {
            "timestamp": "2026-05-28 22:01:58,256",
            "thread_id": "1276",
            "caller": "0x7ff6c28ba417",
            "parentcaller": "0x7ff6c28ba33d",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000820"
              }
            ],
            "repeated": 0,
            "id": 10547
          },
          {
            "timestamp": "2026-05-28 22:01:58,256",
            "thread_id": "1276",
            "caller": "0x7ff6c28ba46d",
            "parentcaller": "0x7ff6c28ba33d",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\SystemApps\\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\\Assets\\smalllogo.scale-100.png"
              }
            ],
            "repeated": 0,
            "id": 10548
          },
          {
            "timestamp": "2026-05-28 22:01:58,256",
            "thread_id": "1276",
            "caller": "0x7ff6c28ba46d",
            "parentcaller": "0x7ff6c28ba33d",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000820"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\SystemApps\\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\\Assets\\smalllogo.scale-100.png"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "1",
                "pretty_value": "FILE_SHARE_READ"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 10549
          },
          {
            "timestamp": "2026-05-28 22:01:58,256",
            "thread_id": "1276",
            "caller": "0x7ff6c28ba46d",
            "parentcaller": "0x7ff6c28ba33d",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000824"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000820"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\SystemApps\\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\\Assets\\SmallLogo.scale-100.png"
              }
            ],
            "repeated": 0,
            "id": 10550
          },
          {
            "timestamp": "2026-05-28 22:01:58,256",
            "thread_id": "1276",
            "caller": "0x7ff6c28ba46d",
            "parentcaller": "0x7ff6c28ba33d",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000824"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254bf0000"
              },
              {
                "name": "SectionOffset",
                "value": "0xf09e17ed00"
              },
              {
                "name": "ViewSize",
                "value": "0x00001000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 10551
          },
          {
            "timestamp": "2026-05-28 22:01:58,256",
            "thread_id": "1276",
            "caller": "0x7ff6c28ba46d",
            "parentcaller": "0x7ff6c28ba33d",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000820"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\SystemApps\\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\\Assets\\SmallLogo.scale-100.png"
              },
              {
                "name": "FileInformationClass",
                "value": "5",
                "pretty_value": "FileStandardInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\xb8\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb4\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 10552
          },
          {
            "timestamp": "2026-05-28 22:01:58,256",
            "thread_id": "1276",
            "caller": "0x7ff6c28ba46d",
            "parentcaller": "0x7ff6c28ba33d",
            "category": "process",
            "api": "NtUnmapViewOfSectionEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254bf0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Flags",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 10553
          },
          {
            "timestamp": "2026-05-28 22:01:58,256",
            "thread_id": "1276",
            "caller": "0x7ff6c28ba46d",
            "parentcaller": "0x7ff6c28ba33d",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000824"
              }
            ],
            "repeated": 0,
            "id": 10554
          },
          {
            "timestamp": "2026-05-28 22:01:58,256",
            "thread_id": "1276",
            "caller": "0x7ff6c28ba46d",
            "parentcaller": "0x7ff6c28ba33d",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000820"
              }
            ],
            "repeated": 0,
            "id": 10555
          },
          {
            "timestamp": "2026-05-28 22:01:58,256",
            "thread_id": "1276",
            "caller": "0x7ff6c28ba589",
            "parentcaller": "0x7ff6c28ba4a3",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "317D06E8-5F24-433D-BDF7-79CE68D8ABC2"
              },
              {
                "name": "ClsContext",
                "value": "0x00000001",
                "pretty_value": "CLSCTX_INPROC_SERVER"
              },
              {
                "name": "riid",
                "value": "EC5EC8A9-C395-4314-9C77-54D7A935FF70"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 10556
          },
          {
            "timestamp": "2026-05-28 22:01:58,256",
            "thread_id": "1276",
            "caller": "0x7ff6c28ba673",
            "parentcaller": "0x7ff6c28ba5a8",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000820"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\SystemApps\\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\\Assets\\smalllogo.scale-100.png"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "1",
                "pretty_value": "FILE_SHARE_READ"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000080",
                "pretty_value": "FILE_ATTRIBUTE_NORMAL"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 10557
          },
          {
            "timestamp": "2026-05-28 22:01:58,256",
            "thread_id": "1276",
            "caller": "0x7ff6c28ba673",
            "parentcaller": "0x7ff6c28ba5a8",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000820"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\SystemApps\\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\\Assets\\SmallLogo.scale-100.png"
              },
              {
                "name": "FileInformationClass",
                "value": "18",
                "pretty_value": "FileAllInformation"
              },
              {
                "name": "FileInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 10558
          },
          {
            "timestamp": "2026-05-28 22:01:58,256",
            "thread_id": "1276",
            "caller": "0x7ff6c28ba673",
            "parentcaller": "0x7ff6c28ba5a8",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000820"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\SystemApps\\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\\Assets\\SmallLogo.scale-100.png"
              },
              {
                "name": "FileInformationClass",
                "value": "14",
                "pretty_value": "FilePositionInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 3,
            "id": 10559
          },
          {
            "timestamp": "2026-05-28 22:01:58,256",
            "thread_id": "1276",
            "caller": "0x7ff6c28ba673",
            "parentcaller": "0x7ff6c28ba5a8",
            "category": "filesystem",
            "api": "NtReadFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000820"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\SystemApps\\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\\Assets\\SmallLogo.scale-100.png"
              },
              {
                "name": "Buffer",
                "value": "\\x89PNG\r\n\\x1a\n\\x00\\x00\\x00\rIHDR"
              },
              {
                "name": "Length",
                "value": "16"
              }
            ],
            "repeated": 0,
            "id": 10560
          },
          {
            "timestamp": "2026-05-28 22:01:58,256",
            "thread_id": "1276",
            "caller": "0x7ff6c28ba673",
            "parentcaller": "0x7ff6c28ba5a8",
            "category": "filesystem",
            "api": "NtSetInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000820"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\SystemApps\\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\\Assets\\SmallLogo.scale-100.png"
              },
              {
                "name": "FileInformationClass",
                "value": "14",
                "pretty_value": "FilePositionInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 17,
            "id": 10561
          },
          {
            "timestamp": "2026-05-28 22:01:58,256",
            "thread_id": "1276",
            "caller": "0x7ff6c28ba673",
            "parentcaller": "0x7ff6c28ba5a8",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000820"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\SystemApps\\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\\Assets\\SmallLogo.scale-100.png"
              },
              {
                "name": "FileInformationClass",
                "value": "5",
                "pretty_value": "FileStandardInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\xb8\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb4\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 10562
          },
          {
            "timestamp": "2026-05-28 22:01:58,256",
            "thread_id": "1276",
            "caller": "0x7ff6c28ba673",
            "parentcaller": "0x7ff6c28ba5a8",
            "category": "filesystem",
            "api": "NtSetInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000820"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\SystemApps\\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\\Assets\\SmallLogo.scale-100.png"
              },
              {
                "name": "FileInformationClass",
                "value": "14",
                "pretty_value": "FilePositionInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 2,
            "id": 10563
          },
          {
            "timestamp": "2026-05-28 22:01:58,256",
            "thread_id": "1276",
            "caller": "0x7ff6c28ba673",
            "parentcaller": "0x7ff6c28ba5a8",
            "category": "filesystem",
            "api": "NtReadFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000820"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\SystemApps\\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\\Assets\\SmallLogo.scale-100.png"
              },
              {
                "name": "Buffer",
                "value": "\\x89PNG\r\n\\x1a\n"
              },
              {
                "name": "Length",
                "value": "8"
              }
            ],
            "repeated": 0,
            "id": 10564
          },
          {
            "timestamp": "2026-05-28 22:01:58,256",
            "thread_id": "1276",
            "caller": "0x7ff6c28ba673",
            "parentcaller": "0x7ff6c28ba5a8",
            "category": "filesystem",
            "api": "NtSetInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000820"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\SystemApps\\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\\Assets\\SmallLogo.scale-100.png"
              },
              {
                "name": "FileInformationClass",
                "value": "14",
                "pretty_value": "FilePositionInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 2,
            "id": 10565
          },
          {
            "timestamp": "2026-05-28 22:01:58,256",
            "thread_id": "1276",
            "caller": "0x7ff6c28ba673",
            "parentcaller": "0x7ff6c28ba5a8",
            "category": "filesystem",
            "api": "NtReadFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000820"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\SystemApps\\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\\Assets\\SmallLogo.scale-100.png"
              },
              {
                "name": "Buffer",
                "value": "\\x00\\x00\\x00\rIHDR"
              },
              {
                "name": "Length",
                "value": "8"
              }
            ],
            "repeated": 0,
            "id": 10566
          },
          {
            "timestamp": "2026-05-28 22:01:58,256",
            "thread_id": "1276",
            "caller": "0x7ff6c28ba673",
            "parentcaller": "0x7ff6c28ba5a8",
            "category": "filesystem",
            "api": "NtSetInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000820"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\SystemApps\\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\\Assets\\SmallLogo.scale-100.png"
              },
              {
                "name": "FileInformationClass",
                "value": "14",
                "pretty_value": "FilePositionInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 2,
            "id": 10567
          },
          {
            "timestamp": "2026-05-28 22:01:58,256",
            "thread_id": "1276",
            "caller": "0x7ff6c28ba673",
            "parentcaller": "0x7ff6c28ba5a8",
            "category": "filesystem",
            "api": "NtReadFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000820"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\SystemApps\\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\\Assets\\SmallLogo.scale-100.png"
              },
              {
                "name": "Buffer",
                "value": "\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x10\\x08\\x06\\x00\\x00\\x00\\x1f\\xf3\\xffa"
              },
              {
                "name": "Length",
                "value": "17"
              }
            ],
            "repeated": 0,
            "id": 10568
          },
          {
            "timestamp": "2026-05-28 22:01:58,271",
            "thread_id": "1276",
            "caller": "0x7ff6c28ba673",
            "parentcaller": "0x7ff6c28ba5a8",
            "category": "filesystem",
            "api": "NtSetInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000820"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\SystemApps\\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\\Assets\\SmallLogo.scale-100.png"
              },
              {
                "name": "FileInformationClass",
                "value": "14",
                "pretty_value": "FilePositionInformation"
              },
              {
                "name": "FileInformation",
                "value": "!\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 10569
          },
          {
            "timestamp": "2026-05-28 22:01:58,271",
            "thread_id": "1496",
            "caller": "0x7ff6c291770c",
            "parentcaller": "0x7ff6c28ec70f",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2925494a000"
              },
              {
                "name": "RegionSize",
                "value": "0x00011000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 10570
          },
          {
            "timestamp": "2026-05-28 22:01:58,271",
            "thread_id": "1276",
            "caller": "0x7ff6c28ba673",
            "parentcaller": "0x7ff6c28ba5a8",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000820"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\SystemApps\\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\\Assets\\SmallLogo.scale-100.png"
              },
              {
                "name": "FileInformationClass",
                "value": "14",
                "pretty_value": "FilePositionInformation"
              },
              {
                "name": "FileInformation",
                "value": "!\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 1,
            "id": 10571
          },
          {
            "timestamp": "2026-05-28 22:01:58,271",
            "thread_id": "1276",
            "caller": "0x7ff6c28ba673",
            "parentcaller": "0x7ff6c28ba5a8",
            "category": "filesystem",
            "api": "NtReadFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000820"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\SystemApps\\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\\Assets\\SmallLogo.scale-100.png"
              },
              {
                "name": "Buffer",
                "value": "\\x00\\x00\\x00\tpHYs"
              },
              {
                "name": "Length",
                "value": "8"
              }
            ],
            "repeated": 0,
            "id": 10572
          },
          {
            "timestamp": "2026-05-28 22:01:58,271",
            "thread_id": "1276",
            "caller": "0x7ff6c28ba673",
            "parentcaller": "0x7ff6c28ba5a8",
            "category": "filesystem",
            "api": "NtSetInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000820"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\SystemApps\\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\\Assets\\SmallLogo.scale-100.png"
              },
              {
                "name": "FileInformationClass",
                "value": "14",
                "pretty_value": "FilePositionInformation"
              },
              {
                "name": "FileInformation",
                "value": ")\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 2,
            "id": 10573
          },
          {
            "timestamp": "2026-05-28 22:01:58,271",
            "thread_id": "1276",
            "caller": "0x7ff6c28ba673",
            "parentcaller": "0x7ff6c28ba5a8",
            "category": "filesystem",
            "api": "NtReadFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000820"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\SystemApps\\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\\Assets\\SmallLogo.scale-100.png"
              },
              {
                "name": "Buffer",
                "value": "\\x00\\x00\\x0b\\x13\\x00\\x00\\x0b\\x13\\x01\\x00\\x9a\\x9c\\x18"
              },
              {
                "name": "Length",
                "value": "13"
              }
            ],
            "repeated": 0,
            "id": 10574
          },
          {
            "timestamp": "2026-05-28 22:01:58,271",
            "thread_id": "1276",
            "caller": "0x7ff6c28ba673",
            "parentcaller": "0x7ff6c28ba5a8",
            "category": "filesystem",
            "api": "NtSetInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000820"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\SystemApps\\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\\Assets\\SmallLogo.scale-100.png"
              },
              {
                "name": "FileInformationClass",
                "value": "14",
                "pretty_value": "FilePositionInformation"
              },
              {
                "name": "FileInformation",
                "value": "6\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 2,
            "id": 10575
          },
          {
            "timestamp": "2026-05-28 22:01:58,271",
            "thread_id": "1276",
            "caller": "0x7ff6c28ba673",
            "parentcaller": "0x7ff6c28ba5a8",
            "category": "filesystem",
            "api": "NtReadFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000820"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\SystemApps\\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\\Assets\\SmallLogo.scale-100.png"
              },
              {
                "name": "Buffer",
                "value": "\\x00\\x00\\x00fIDAT"
              },
              {
                "name": "Length",
                "value": "8"
              }
            ],
            "repeated": 0,
            "id": 10576
          },
          {
            "timestamp": "2026-05-28 22:01:58,271",
            "thread_id": "1276",
            "caller": "0x7ff6c28ba143",
            "parentcaller": "0x7ff6c28ba006",
            "category": "filesystem",
            "api": "NtSetInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000820"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\SystemApps\\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\\Assets\\SmallLogo.scale-100.png"
              },
              {
                "name": "FileInformationClass",
                "value": "14",
                "pretty_value": "FilePositionInformation"
              },
              {
                "name": "FileInformation",
                "value": "6\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 2,
            "id": 10577
          },
          {
            "timestamp": "2026-05-28 22:01:58,271",
            "thread_id": "1276",
            "caller": "0x7ff6c28ba143",
            "parentcaller": "0x7ff6c28ba006",
            "category": "filesystem",
            "api": "NtReadFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000820"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\SystemApps\\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\\Assets\\SmallLogo.scale-100.png"
              },
              {
                "name": "Buffer",
                "value": "\\x00\\x00\\x00fIDAT"
              },
              {
                "name": "Length",
                "value": "8"
              }
            ],
            "repeated": 0,
            "id": 10578
          },
          {
            "timestamp": "2026-05-28 22:01:58,271",
            "thread_id": "1276",
            "caller": "0x7ff6c28ba143",
            "parentcaller": "0x7ff6c28ba006",
            "category": "filesystem",
            "api": "NtSetInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000820"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\SystemApps\\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\\Assets\\SmallLogo.scale-100.png"
              },
              {
                "name": "FileInformationClass",
                "value": "14",
                "pretty_value": "FilePositionInformation"
              },
              {
                "name": "FileInformation",
                "value": "6\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 2,
            "id": 10579
          },
          {
            "timestamp": "2026-05-28 22:01:58,271",
            "thread_id": "1276",
            "caller": "0x7ff6c28ba143",
            "parentcaller": "0x7ff6c28ba006",
            "category": "filesystem",
            "api": "NtReadFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000820"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\SystemApps\\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\\Assets\\SmallLogo.scale-100.png"
              },
              {
                "name": "Buffer",
                "value": "\\x00\\x00\\x00fIDAT8\\xcb\\xc5\\x93Q\n\\xc00\\x08CM\\xf1`;\\xfan\\x96\\xfd\\xe8h\\xc7Z\\xb4\\xc2\\xe6O\\x83\\xd0\\xe4\\x89\\x08\\x92R\\xa9&\\xc5R{\\xa3\\x18g\\xa7\\x0f\\x11\\x01l\\x84\\xdd9\\xa0\\xb7\\x02\\x90\\xf9IK\\xd6\\xb7\\xe6\\x10\\x01\\xc0\\xfb\\xae\\xfb0\rq.\\xe8Z\\x14\\x97\\x93}\\xa7\t\\x9e4\\xdf\\x13,\r\\xb2\\xab\\x1c\\x0c\\xb8y\\x14n\\x80\\xdf\\x8e\\xa9lp\\x01\\x93\\x9c-,\\xb2\\x1eQ\\xec\\x00\\x00\\x00\\x00IEND"
              },
              {
                "name": "Length",
                "value": "122"
              }
            ],
            "repeated": 0,
            "id": 10580
          },
          {
            "timestamp": "2026-05-28 22:01:58,271",
            "thread_id": "1276",
            "caller": "0x7ff6c28b3747",
            "parentcaller": "0x7ff6c28ba5eb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000820"
              }
            ],
            "repeated": 0,
            "id": 10581
          },
          {
            "timestamp": "2026-05-28 22:01:58,271",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000820"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000400",
                "pretty_value": "PROCESS_QUERY_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "7912"
              }
            ],
            "repeated": 0,
            "id": 10582
          },
          {
            "timestamp": "2026-05-28 22:01:58,271",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x00000818"
              }
            ],
            "repeated": 0,
            "id": 10583
          },
          {
            "timestamp": "2026-05-28 22:01:58,271",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "0\\xec\\x17\\x9e\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\xe9\\x03\\x00\\x00\\xfc\\x7f\\x00\\x00`^\\xe8S\\x92\\x02\\x00\\x00\\xb0\\xf2\\x17\\x9e\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x88\\x00\\x00\\x00\\x00\\x00\\x00\\x00H\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 10584
          },
          {
            "timestamp": "2026-05-28 22:01:58,271",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "synchronization",
            "api": "NtCreateMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000814"
              },
              {
                "name": "MutexName",
                "value": "Global\\C::Users:admin:AppData:Local:Microsoft:Windows:Explorer:iconcache_idx.db!rwReaderRefs"
              },
              {
                "name": "InitialOwner",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 10585
          },
          {
            "timestamp": "2026-05-28 22:01:58,271",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000818"
              }
            ],
            "repeated": 0,
            "id": 10586
          },
          {
            "timestamp": "2026-05-28 22:01:58,271",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000820"
              }
            ],
            "repeated": 0,
            "id": 10587
          },
          {
            "timestamp": "2026-05-28 22:01:58,271",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000007d0"
              },
              {
                "name": "HandleName",
                "value": "C:\\Users\\admin\\AppData\\Local\\Microsoft\\Windows\\Explorer\\iconcache_idx.db"
              },
              {
                "name": "FileInformationClass",
                "value": "5",
                "pretty_value": "FileStandardInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\x00\\x80\\x00\\x00\\x00\\x00\\x00\\x000r\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 10588
          },
          {
            "timestamp": "2026-05-28 22:01:58,271",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000814"
              }
            ],
            "repeated": 0,
            "id": 10589
          },
          {
            "timestamp": "2026-05-28 22:01:58,271",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000820"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000400",
                "pretty_value": "PROCESS_QUERY_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "7912"
              }
            ],
            "repeated": 0,
            "id": 10590
          },
          {
            "timestamp": "2026-05-28 22:01:58,271",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x00000814"
              }
            ],
            "repeated": 0,
            "id": 10591
          },
          {
            "timestamp": "2026-05-28 22:01:58,271",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "@\\xec\\x17\\x9e\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\xe9\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb8\\x07\\x00\\x00\\x00\\x00\\x00\\x00 \\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x02\\x00\\x00\\x00\\x00\\x00\\x00]\\xddmu\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00:\t\\xcfLu\\xc0\\x00\\x00\\xe8p%T\\x92\\x02\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 10592
          },
          {
            "timestamp": "2026-05-28 22:01:58,271",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "synchronization",
            "api": "NtCreateMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000810"
              },
              {
                "name": "MutexName",
                "value": "Global\\C::Users:admin:AppData:Local:Microsoft:Windows:Explorer:iconcache_idx.db!rwReaderRefs"
              },
              {
                "name": "InitialOwner",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 10593
          },
          {
            "timestamp": "2026-05-28 22:01:58,271",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000814"
              }
            ],
            "repeated": 0,
            "id": 10594
          },
          {
            "timestamp": "2026-05-28 22:01:58,271",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000820"
              }
            ],
            "repeated": 0,
            "id": 10595
          },
          {
            "timestamp": "2026-05-28 22:01:58,271",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000810"
              }
            ],
            "repeated": 0,
            "id": 10596
          },
          {
            "timestamp": "2026-05-28 22:01:58,271",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.3745_none_7ded3f327ca60a41\\TiWorker.exe"
              }
            ],
            "repeated": 1,
            "id": 10597
          },
          {
            "timestamp": "2026-05-28 22:01:58,271",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29254bf0002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "c:\\windows\\winsxs\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.3745_none_7ded3f327ca60a41\\tiworker.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 10598
          },
          {
            "timestamp": "2026-05-28 22:01:58,271",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": false,
            "return": "0xffffffffc000003a",
            "pretty_return": "OBJECT_PATH_NOT_FOUND",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100001",
                "pretty_value": "FILE_READ_ACCESS|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\WinSxS\\SystemResources\\tiworker.exe.mun"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 10599
          },
          {
            "timestamp": "2026-05-28 22:01:58,271",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254bf0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00044000"
              }
            ],
            "repeated": 0,
            "id": 10600
          },
          {
            "timestamp": "2026-05-28 22:01:58,271",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\imageres.dll"
              }
            ],
            "repeated": 1,
            "id": 10601
          },
          {
            "timestamp": "2026-05-28 22:01:58,271",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29254bf0002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\system32\\imageres.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 10602
          },
          {
            "timestamp": "2026-05-28 22:01:58,271",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "registry",
            "api": "NtOpenKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\en-US"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\en-US"
              }
            ],
            "repeated": 0,
            "id": 10603
          },
          {
            "timestamp": "2026-05-28 22:01:58,271",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000810"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100001",
                "pretty_value": "FILE_READ_ACCESS|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\en-US\\imageres.dll.mui"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 10604
          },
          {
            "timestamp": "2026-05-28 22:01:58,271",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000814"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000810"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\en-US\\imageres.dll.mui"
              }
            ],
            "repeated": 0,
            "id": 10605
          },
          {
            "timestamp": "2026-05-28 22:01:58,271",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000814"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254c00000"
              },
              {
                "name": "SectionOffset",
                "value": "0xf09e17cbc0"
              },
              {
                "name": "ViewSize",
                "value": "0x00001000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 10606
          },
          {
            "timestamp": "2026-05-28 22:01:58,271",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000814"
              }
            ],
            "repeated": 0,
            "id": 10607
          },
          {
            "timestamp": "2026-05-28 22:01:58,271",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000814"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100001",
                "pretty_value": "FILE_READ_ACCESS|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\SystemResources\\imageres.dll.mun"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 10608
          },
          {
            "timestamp": "2026-05-28 22:01:58,271",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000818"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000814"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\SystemResources\\imageres.dll.mun"
              }
            ],
            "repeated": 0,
            "id": 10609
          },
          {
            "timestamp": "2026-05-28 22:01:58,271",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000818"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254c10000"
              },
              {
                "name": "SectionOffset",
                "value": "0xf09e17cb70"
              },
              {
                "name": "ViewSize",
                "value": "0x013c0000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 10610
          },
          {
            "timestamp": "2026-05-28 22:01:58,271",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000818"
              }
            ],
            "repeated": 0,
            "id": 10611
          },
          {
            "timestamp": "2026-05-28 22:01:58,271",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "misc",
            "api": "FindResourceExW",
            "status": true,
            "return": "0x29254c32e40",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29254bf0002"
              },
              {
                "name": "Type",
                "value": "#14"
              },
              {
                "name": "Name",
                "value": "#15"
              },
              {
                "name": "Language",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 10612
          },
          {
            "timestamp": "2026-05-28 22:01:58,271",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "misc",
            "api": "LoadResource",
            "status": true,
            "return": "0x29254ca6950",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29254bf0002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29254c32e40"
              }
            ],
            "repeated": 0,
            "id": 10613
          },
          {
            "timestamp": "2026-05-28 22:01:58,271",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "misc",
            "api": "FindResourceExW",
            "status": true,
            "return": "0x29254c28940",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29254bf0002"
              },
              {
                "name": "Type",
                "value": "#3"
              },
              {
                "name": "Name",
                "value": "#63"
              },
              {
                "name": "Language",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 10614
          },
          {
            "timestamp": "2026-05-28 22:01:58,271",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "misc",
            "api": "SizeofResource",
            "status": true,
            "return": "0x00000468",
            "arguments": [
              {
                "name": "ModuleHandle",
                "value": "0x29254bf0002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29254c28940"
              }
            ],
            "repeated": 0,
            "id": 10615
          },
          {
            "timestamp": "2026-05-28 22:01:58,271",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "misc",
            "api": "LoadResource",
            "status": true,
            "return": "0x29254ca64e8",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29254bf0002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29254c28940"
              }
            ],
            "repeated": 0,
            "id": 10616
          },
          {
            "timestamp": "2026-05-28 22:01:58,271",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254c10000"
              },
              {
                "name": "RegionSize",
                "value": "0x013c0000"
              }
            ],
            "repeated": 0,
            "id": 10617
          },
          {
            "timestamp": "2026-05-28 22:01:58,271",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000814"
              }
            ],
            "repeated": 0,
            "id": 10618
          },
          {
            "timestamp": "2026-05-28 22:01:58,271",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254c00000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              }
            ],
            "repeated": 0,
            "id": 10619
          },
          {
            "timestamp": "2026-05-28 22:01:58,271",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000810"
              }
            ],
            "repeated": 0,
            "id": 10620
          },
          {
            "timestamp": "2026-05-28 22:01:58,271",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254bf0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00003000"
              }
            ],
            "repeated": 0,
            "id": 10621
          },
          {
            "timestamp": "2026-05-28 22:01:58,271",
            "thread_id": "1276",
            "caller": "0x7ff6c28ba417",
            "parentcaller": "0x7ff6c28ba33d",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\SystemApps\\Microsoft.Windows.Search_cw5n1h2txyewy\\Assets\\Icons\\AppListIcon.scale-100.png"
              }
            ],
            "repeated": 0,
            "id": 10622
          },
          {
            "timestamp": "2026-05-28 22:01:58,271",
            "thread_id": "1276",
            "caller": "0x7ff6c28ba417",
            "parentcaller": "0x7ff6c28ba33d",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000814"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\SystemApps\\Microsoft.Windows.Search_cw5n1h2txyewy\\Assets\\Icons\\AppListIcon.scale-100.png"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "1",
                "pretty_value": "FILE_SHARE_READ"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 10623
          },
          {
            "timestamp": "2026-05-28 22:01:58,271",
            "thread_id": "1276",
            "caller": "0x7ff6c28ba417",
            "parentcaller": "0x7ff6c28ba33d",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000818"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000814"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\SystemApps\\Microsoft.Windows.Search_cw5n1h2txyewy\\Assets\\Icons\\AppListIcon.scale-100.png"
              }
            ],
            "repeated": 0,
            "id": 10624
          },
          {
            "timestamp": "2026-05-28 22:01:58,271",
            "thread_id": "1276",
            "caller": "0x7ff6c28ba417",
            "parentcaller": "0x7ff6c28ba33d",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000818"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254bf0000"
              },
              {
                "name": "SectionOffset",
                "value": "0xf09e17ed00"
              },
              {
                "name": "ViewSize",
                "value": "0x00001000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 10625
          },
          {
            "timestamp": "2026-05-28 22:01:58,271",
            "thread_id": "1276",
            "caller": "0x7ff6c28ba417",
            "parentcaller": "0x7ff6c28ba33d",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000814"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\SystemApps\\Microsoft.Windows.Search_cw5n1h2txyewy\\Assets\\Icons\\AppListIcon.scale-100.png"
              },
              {
                "name": "FileInformationClass",
                "value": "5",
                "pretty_value": "FileStandardInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\xd3\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 10626
          },
          {
            "timestamp": "2026-05-28 22:01:58,271",
            "thread_id": "1276",
            "caller": "0x7ff6c28ba417",
            "parentcaller": "0x7ff6c28ba33d",
            "category": "process",
            "api": "NtUnmapViewOfSectionEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254bf0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Flags",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 10627
          },
          {
            "timestamp": "2026-05-28 22:01:58,271",
            "thread_id": "1276",
            "caller": "0x7ff6c28ba417",
            "parentcaller": "0x7ff6c28ba33d",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000818"
              }
            ],
            "repeated": 0,
            "id": 10628
          },
          {
            "timestamp": "2026-05-28 22:01:58,271",
            "thread_id": "1276",
            "caller": "0x7ff6c28ba417",
            "parentcaller": "0x7ff6c28ba33d",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000814"
              }
            ],
            "repeated": 0,
            "id": 10629
          },
          {
            "timestamp": "2026-05-28 22:01:58,271",
            "thread_id": "1276",
            "caller": "0x7ff6c28ba46d",
            "parentcaller": "0x7ff6c28ba33d",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\SystemApps\\Microsoft.Windows.Search_cw5n1h2txyewy\\Assets\\Icons\\AppListIcon.scale-100.png"
              }
            ],
            "repeated": 0,
            "id": 10630
          },
          {
            "timestamp": "2026-05-28 22:01:58,271",
            "thread_id": "1276",
            "caller": "0x7ff6c28ba46d",
            "parentcaller": "0x7ff6c28ba33d",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000814"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\SystemApps\\Microsoft.Windows.Search_cw5n1h2txyewy\\Assets\\Icons\\AppListIcon.scale-100.png"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "1",
                "pretty_value": "FILE_SHARE_READ"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 10631
          },
          {
            "timestamp": "2026-05-28 22:01:58,271",
            "thread_id": "1276",
            "caller": "0x7ff6c28ba46d",
            "parentcaller": "0x7ff6c28ba33d",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000818"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000814"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\SystemApps\\Microsoft.Windows.Search_cw5n1h2txyewy\\Assets\\Icons\\AppListIcon.scale-100.png"
              }
            ],
            "repeated": 0,
            "id": 10632
          },
          {
            "timestamp": "2026-05-28 22:01:58,271",
            "thread_id": "1276",
            "caller": "0x7ff6c28ba46d",
            "parentcaller": "0x7ff6c28ba33d",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000818"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254bf0000"
              },
              {
                "name": "SectionOffset",
                "value": "0xf09e17ed00"
              },
              {
                "name": "ViewSize",
                "value": "0x00001000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 10633
          },
          {
            "timestamp": "2026-05-28 22:01:58,271",
            "thread_id": "1276",
            "caller": "0x7ff6c28ba46d",
            "parentcaller": "0x7ff6c28ba33d",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000814"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\SystemApps\\Microsoft.Windows.Search_cw5n1h2txyewy\\Assets\\Icons\\AppListIcon.scale-100.png"
              },
              {
                "name": "FileInformationClass",
                "value": "5",
                "pretty_value": "FileStandardInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\xd3\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 10634
          },
          {
            "timestamp": "2026-05-28 22:01:58,271",
            "thread_id": "1276",
            "caller": "0x7ff6c28ba46d",
            "parentcaller": "0x7ff6c28ba33d",
            "category": "process",
            "api": "NtUnmapViewOfSectionEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254bf0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Flags",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 10635
          },
          {
            "timestamp": "2026-05-28 22:01:58,271",
            "thread_id": "1276",
            "caller": "0x7ff6c28ba46d",
            "parentcaller": "0x7ff6c28ba33d",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000818"
              }
            ],
            "repeated": 0,
            "id": 10636
          },
          {
            "timestamp": "2026-05-28 22:01:58,271",
            "thread_id": "1276",
            "caller": "0x7ff6c28ba46d",
            "parentcaller": "0x7ff6c28ba33d",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000814"
              }
            ],
            "repeated": 0,
            "id": 10637
          },
          {
            "timestamp": "2026-05-28 22:01:58,271",
            "thread_id": "1276",
            "caller": "0x7ff6c28ba589",
            "parentcaller": "0x7ff6c28ba4a3",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "317D06E8-5F24-433D-BDF7-79CE68D8ABC2"
              },
              {
                "name": "ClsContext",
                "value": "0x00000001",
                "pretty_value": "CLSCTX_INPROC_SERVER"
              },
              {
                "name": "riid",
                "value": "EC5EC8A9-C395-4314-9C77-54D7A935FF70"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 10638
          },
          {
            "timestamp": "2026-05-28 22:01:58,271",
            "thread_id": "1276",
            "caller": "0x7ff6c28ba673",
            "parentcaller": "0x7ff6c28ba5a8",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000814"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\SystemApps\\Microsoft.Windows.Search_cw5n1h2txyewy\\Assets\\Icons\\AppListIcon.scale-100.png"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "1",
                "pretty_value": "FILE_SHARE_READ"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000080",
                "pretty_value": "FILE_ATTRIBUTE_NORMAL"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 10639
          },
          {
            "timestamp": "2026-05-28 22:01:58,271",
            "thread_id": "1276",
            "caller": "0x7ff6c28ba673",
            "parentcaller": "0x7ff6c28ba5a8",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000814"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\SystemApps\\Microsoft.Windows.Search_cw5n1h2txyewy\\Assets\\Icons\\AppListIcon.scale-100.png"
              },
              {
                "name": "FileInformationClass",
                "value": "18",
                "pretty_value": "FileAllInformation"
              },
              {
                "name": "FileInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 10640
          },
          {
            "timestamp": "2026-05-28 22:01:58,271",
            "thread_id": "1276",
            "caller": "0x7ff6c28ba673",
            "parentcaller": "0x7ff6c28ba5a8",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000814"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\SystemApps\\Microsoft.Windows.Search_cw5n1h2txyewy\\Assets\\Icons\\AppListIcon.scale-100.png"
              },
              {
                "name": "FileInformationClass",
                "value": "14",
                "pretty_value": "FilePositionInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 3,
            "id": 10641
          },
          {
            "timestamp": "2026-05-28 22:01:58,271",
            "thread_id": "1276",
            "caller": "0x7ff6c28ba673",
            "parentcaller": "0x7ff6c28ba5a8",
            "category": "filesystem",
            "api": "NtReadFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000814"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\SystemApps\\Microsoft.Windows.Search_cw5n1h2txyewy\\Assets\\Icons\\AppListIcon.scale-100.png"
              },
              {
                "name": "Buffer",
                "value": "\\x89PNG\r\n\\x1a\n\\x00\\x00\\x00\rIHDR"
              },
              {
                "name": "Length",
                "value": "16"
              }
            ],
            "repeated": 0,
            "id": 10642
          },
          {
            "timestamp": "2026-05-28 22:01:58,271",
            "thread_id": "1276",
            "caller": "0x7ff6c28ba673",
            "parentcaller": "0x7ff6c28ba5a8",
            "category": "filesystem",
            "api": "NtSetInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000814"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\SystemApps\\Microsoft.Windows.Search_cw5n1h2txyewy\\Assets\\Icons\\AppListIcon.scale-100.png"
              },
              {
                "name": "FileInformationClass",
                "value": "14",
                "pretty_value": "FilePositionInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 17,
            "id": 10643
          },
          {
            "timestamp": "2026-05-28 22:01:58,271",
            "thread_id": "1276",
            "caller": "0x7ff6c28ba673",
            "parentcaller": "0x7ff6c28ba5a8",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000814"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\SystemApps\\Microsoft.Windows.Search_cw5n1h2txyewy\\Assets\\Icons\\AppListIcon.scale-100.png"
              },
              {
                "name": "FileInformationClass",
                "value": "5",
                "pretty_value": "FileStandardInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\xd3\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 10644
          },
          {
            "timestamp": "2026-05-28 22:01:58,271",
            "thread_id": "1276",
            "caller": "0x7ff6c28ba673",
            "parentcaller": "0x7ff6c28ba5a8",
            "category": "filesystem",
            "api": "NtSetInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000814"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\SystemApps\\Microsoft.Windows.Search_cw5n1h2txyewy\\Assets\\Icons\\AppListIcon.scale-100.png"
              },
              {
                "name": "FileInformationClass",
                "value": "14",
                "pretty_value": "FilePositionInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 2,
            "id": 10645
          },
          {
            "timestamp": "2026-05-28 22:01:58,271",
            "thread_id": "1276",
            "caller": "0x7ff6c28ba673",
            "parentcaller": "0x7ff6c28ba5a8",
            "category": "filesystem",
            "api": "NtReadFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000814"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\SystemApps\\Microsoft.Windows.Search_cw5n1h2txyewy\\Assets\\Icons\\AppListIcon.scale-100.png"
              },
              {
                "name": "Buffer",
                "value": "\\x89PNG\r\n\\x1a\n"
              },
              {
                "name": "Length",
                "value": "8"
              }
            ],
            "repeated": 0,
            "id": 10646
          },
          {
            "timestamp": "2026-05-28 22:01:58,271",
            "thread_id": "1276",
            "caller": "0x7ff6c28ba673",
            "parentcaller": "0x7ff6c28ba5a8",
            "category": "filesystem",
            "api": "NtSetInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000814"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\SystemApps\\Microsoft.Windows.Search_cw5n1h2txyewy\\Assets\\Icons\\AppListIcon.scale-100.png"
              },
              {
                "name": "FileInformationClass",
                "value": "14",
                "pretty_value": "FilePositionInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 2,
            "id": 10647
          },
          {
            "timestamp": "2026-05-28 22:01:58,287",
            "thread_id": "1276",
            "caller": "0x7ff6c28ba673",
            "parentcaller": "0x7ff6c28ba5a8",
            "category": "filesystem",
            "api": "NtReadFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000814"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\SystemApps\\Microsoft.Windows.Search_cw5n1h2txyewy\\Assets\\Icons\\AppListIcon.scale-100.png"
              },
              {
                "name": "Buffer",
                "value": "\\x00\\x00\\x00\rIHDR"
              },
              {
                "name": "Length",
                "value": "8"
              }
            ],
            "repeated": 0,
            "id": 10648
          },
          {
            "timestamp": "2026-05-28 22:01:58,287",
            "thread_id": "1276",
            "caller": "0x7ff6c28ba673",
            "parentcaller": "0x7ff6c28ba5a8",
            "category": "filesystem",
            "api": "NtSetInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000814"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\SystemApps\\Microsoft.Windows.Search_cw5n1h2txyewy\\Assets\\Icons\\AppListIcon.scale-100.png"
              },
              {
                "name": "FileInformationClass",
                "value": "14",
                "pretty_value": "FilePositionInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 2,
            "id": 10649
          },
          {
            "timestamp": "2026-05-28 22:01:58,287",
            "thread_id": "1276",
            "caller": "0x7ff6c28ba673",
            "parentcaller": "0x7ff6c28ba5a8",
            "category": "filesystem",
            "api": "NtReadFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000814"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\SystemApps\\Microsoft.Windows.Search_cw5n1h2txyewy\\Assets\\Icons\\AppListIcon.scale-100.png"
              },
              {
                "name": "Buffer",
                "value": "\\x00\\x00\\x00,\\x00\\x00\\x00,\\x08\\x06\\x00\\x00\\x00\\x1e\\x84Z\\x01"
              },
              {
                "name": "Length",
                "value": "17"
              }
            ],
            "repeated": 0,
            "id": 10650
          },
          {
            "timestamp": "2026-05-28 22:01:58,287",
            "thread_id": "1276",
            "caller": "0x7ff6c28ba673",
            "parentcaller": "0x7ff6c28ba5a8",
            "category": "filesystem",
            "api": "NtSetInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000814"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\SystemApps\\Microsoft.Windows.Search_cw5n1h2txyewy\\Assets\\Icons\\AppListIcon.scale-100.png"
              },
              {
                "name": "FileInformationClass",
                "value": "14",
                "pretty_value": "FilePositionInformation"
              },
              {
                "name": "FileInformation",
                "value": "!\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 2,
            "id": 10651
          },
          {
            "timestamp": "2026-05-28 22:01:58,287",
            "thread_id": "1276",
            "caller": "0x7ff6c28ba673",
            "parentcaller": "0x7ff6c28ba5a8",
            "category": "filesystem",
            "api": "NtReadFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000814"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\SystemApps\\Microsoft.Windows.Search_cw5n1h2txyewy\\Assets\\Icons\\AppListIcon.scale-100.png"
              },
              {
                "name": "Buffer",
                "value": "\\x00\\x00\\x01\\x9aIDAT"
              },
              {
                "name": "Length",
                "value": "8"
              }
            ],
            "repeated": 0,
            "id": 10652
          },
          {
            "timestamp": "2026-05-28 22:01:58,287",
            "thread_id": "1276",
            "caller": "0x7ff6c28ba143",
            "parentcaller": "0x7ff6c28ba006",
            "category": "filesystem",
            "api": "NtSetInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000814"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\SystemApps\\Microsoft.Windows.Search_cw5n1h2txyewy\\Assets\\Icons\\AppListIcon.scale-100.png"
              },
              {
                "name": "FileInformationClass",
                "value": "14",
                "pretty_value": "FilePositionInformation"
              },
              {
                "name": "FileInformation",
                "value": "!\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 1,
            "id": 10653
          },
          {
            "timestamp": "2026-05-28 22:01:58,287",
            "thread_id": "1496",
            "caller": "0x7ff6c291770c",
            "parentcaller": "0x7ff6c28ec70f",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x292548bd000"
              },
              {
                "name": "RegionSize",
                "value": "0x0008b000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 10654
          },
          {
            "timestamp": "2026-05-28 22:01:58,287",
            "thread_id": "1496",
            "caller": "0x7ff6c291770c",
            "parentcaller": "0x7ff6c28ec70f",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2925495d000"
              },
              {
                "name": "RegionSize",
                "value": "0x00002000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 10655
          },
          {
            "timestamp": "2026-05-28 22:01:58,287",
            "thread_id": "1276",
            "caller": "0x7ff6c28ba143",
            "parentcaller": "0x7ff6c28ba006",
            "category": "filesystem",
            "api": "NtSetInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000814"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\SystemApps\\Microsoft.Windows.Search_cw5n1h2txyewy\\Assets\\Icons\\AppListIcon.scale-100.png"
              },
              {
                "name": "FileInformationClass",
                "value": "14",
                "pretty_value": "FilePositionInformation"
              },
              {
                "name": "FileInformation",
                "value": "!\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 10656
          },
          {
            "timestamp": "2026-05-28 22:01:58,287",
            "thread_id": "1276",
            "caller": "0x7ff6c28ba143",
            "parentcaller": "0x7ff6c28ba006",
            "category": "filesystem",
            "api": "NtReadFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000814"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\SystemApps\\Microsoft.Windows.Search_cw5n1h2txyewy\\Assets\\Icons\\AppListIcon.scale-100.png"
              },
              {
                "name": "Buffer",
                "value": "\\x00\\x00\\x01\\x9aIDAT"
              },
              {
                "name": "Length",
                "value": "8"
              }
            ],
            "repeated": 0,
            "id": 10657
          },
          {
            "timestamp": "2026-05-28 22:01:58,287",
            "thread_id": "1276",
            "caller": "0x7ff6c28ba143",
            "parentcaller": "0x7ff6c28ba006",
            "category": "filesystem",
            "api": "NtSetInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000814"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\SystemApps\\Microsoft.Windows.Search_cw5n1h2txyewy\\Assets\\Icons\\AppListIcon.scale-100.png"
              },
              {
                "name": "FileInformationClass",
                "value": "14",
                "pretty_value": "FilePositionInformation"
              },
              {
                "name": "FileInformation",
                "value": "!\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 2,
            "id": 10658
          },
          {
            "timestamp": "2026-05-28 22:01:58,287",
            "thread_id": "1276",
            "caller": "0x7ff6c28ba143",
            "parentcaller": "0x7ff6c28ba006",
            "category": "filesystem",
            "api": "NtReadFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000814"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\SystemApps\\Microsoft.Windows.Search_cw5n1h2txyewy\\Assets\\Icons\\AppListIcon.scale-100.png"
              },
              {
                "name": "Buffer",
                "value": "\\x00\\x00\\x01\\x9aIDATx\\xda\\xec\\x981N\\xc40\\x10E7\\x08\tQ\\xd1\\xd2\\xa5\\xe6\\x06\\x14.h8\\xc1\\x16i(8\\x82\\x0fD\\xc1\\x05V>\\x00\r7HICC\\x05]D\\xb3\\x80V\\xb2\\x99H\\x13idH2\\xd9\\x8c\\xd7\\x0ex\\xa4/K^\\xfb\\xfb9\\xeb\\xd8\\xe3\\x14\\xce\\xb9\\xd5\\x92\\xe2h\\xb5\\xb0\\xc8\\xc0\\x198\\x03\\xf7\\x87\\x02\\x19P\\x03\\xb2 \\x87\\xb2Xg\\xb0\\xcd\\xb4h\\xb75a\\x95\\xa0\\xda\\xf1\\xa3\\xc6>,\\x7fi\\xd8\n\\xb4#0\r\\xe8\\x0e\\xa4H\\x1b\\x85u\ri\\xb7\\xc3\\xbe\\x07\\x05n\\x07\\xb4\\x04@3\\xfah2A\\xcb\\x81\\x96\\\\x06\\xdd\\xc0\\xdb)\\x7f1\\xb6\\xdd\\x92\\x89\\x96\\x87\\x00\\xae\\xb9\\x032&\\\\x87\\x06Vd-\\xea\\x19>\\x9a\\xf8\\xa8\\x90\\xc0\\x86\\xbc`s\\xbd\\xba\\x17\\xd1\\xf4\\xb5\\x91\\xd8\\x87\\xaf\\xb0\\xdc\\x08xm<\\xcf \\x07\\xc7\\x19\\x96\\xf7\\x02^\\x0f\\x9e\\xe7\\x8f(\\x04\\xf2\\xe1\\xce\\xa0\\x10:!\\x07\\xfd\\xfee.\\xe1H\\xee07*\\xcf3\\x08\\xf0;\\x96\\xb7\\x02^\\xd7\\x9eg\\x10\\xe0"
              },
              {
                "name": "Length",
                "value": "430"
              }
            ],
            "repeated": 0,
            "id": 10659
          },
          {
            "timestamp": "2026-05-28 22:01:58,287",
            "thread_id": "1276",
            "caller": "0x7ff6c28ba143",
            "parentcaller": "0x7ff6c28ba006",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2925495d000"
              },
              {
                "name": "RegionSize",
                "value": "0x00002000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 10660
          },
          {
            "timestamp": "2026-05-28 22:01:58,287",
            "thread_id": "1276",
            "caller": "0x7ff6c28b3747",
            "parentcaller": "0x7ff6c28ba5eb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000814"
              }
            ],
            "repeated": 0,
            "id": 10661
          },
          {
            "timestamp": "2026-05-28 22:01:58,287",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000818"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000400",
                "pretty_value": "PROCESS_QUERY_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "7912"
              }
            ],
            "repeated": 0,
            "id": 10662
          },
          {
            "timestamp": "2026-05-28 22:01:58,287",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x00000810"
              }
            ],
            "repeated": 0,
            "id": 10663
          },
          {
            "timestamp": "2026-05-28 22:01:58,287",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "0\\xec\\x17\\x9e\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\xe9\\x03\\x00\\x00\\xfc\\x7f\\x00\\x00`^\\xe8S\\x92\\x02\\x00\\x00\\xb0\\xf2\\x17\\x9e\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x89\\x00\\x00\\x00\\x00\\x00\\x00\\x00H\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 10664
          },
          {
            "timestamp": "2026-05-28 22:01:58,287",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "synchronization",
            "api": "NtCreateMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000820"
              },
              {
                "name": "MutexName",
                "value": "Global\\C::Users:admin:AppData:Local:Microsoft:Windows:Explorer:iconcache_idx.db!rwReaderRefs"
              },
              {
                "name": "InitialOwner",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 10665
          },
          {
            "timestamp": "2026-05-28 22:01:58,287",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000810"
              }
            ],
            "repeated": 0,
            "id": 10666
          },
          {
            "timestamp": "2026-05-28 22:01:58,287",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000818"
              }
            ],
            "repeated": 0,
            "id": 10667
          },
          {
            "timestamp": "2026-05-28 22:01:58,287",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000007d0"
              },
              {
                "name": "HandleName",
                "value": "C:\\Users\\admin\\AppData\\Local\\Microsoft\\Windows\\Explorer\\iconcache_idx.db"
              },
              {
                "name": "FileInformationClass",
                "value": "5",
                "pretty_value": "FileStandardInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\x00\\x80\\x00\\x00\\x00\\x00\\x00\\x000r\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 10668
          },
          {
            "timestamp": "2026-05-28 22:01:58,287",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000820"
              }
            ],
            "repeated": 0,
            "id": 10669
          },
          {
            "timestamp": "2026-05-28 22:01:58,287",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000820"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000400",
                "pretty_value": "PROCESS_QUERY_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "7912"
              }
            ],
            "repeated": 0,
            "id": 10670
          },
          {
            "timestamp": "2026-05-28 22:01:58,287",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x00000818"
              }
            ],
            "repeated": 0,
            "id": 10671
          },
          {
            "timestamp": "2026-05-28 22:01:58,287",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "@\\xec\\x17\\x9e\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\xe9\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb8\\x07\\x00\\x00\\x00\\x00\\x00\\x00 \\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x02\\x00\\x00\\x00\\x00\\x00\\x00]\\xddmu\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00:\t\\xcfLu\\xc0\\x00\\x00\\xe8p%T\\x92\\x02\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 10672
          },
          {
            "timestamp": "2026-05-28 22:01:58,287",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "synchronization",
            "api": "NtCreateMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000810"
              },
              {
                "name": "MutexName",
                "value": "Global\\C::Users:admin:AppData:Local:Microsoft:Windows:Explorer:iconcache_idx.db!rwReaderRefs"
              },
              {
                "name": "InitialOwner",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 10673
          },
          {
            "timestamp": "2026-05-28 22:01:58,287",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000818"
              }
            ],
            "repeated": 0,
            "id": 10674
          },
          {
            "timestamp": "2026-05-28 22:01:58,287",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000820"
              }
            ],
            "repeated": 0,
            "id": 10675
          },
          {
            "timestamp": "2026-05-28 22:01:58,287",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000810"
              }
            ],
            "repeated": 0,
            "id": 10676
          },
          {
            "timestamp": "2026-05-28 22:01:58,287",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\runtimebroker.exe"
              }
            ],
            "repeated": 1,
            "id": 10677
          },
          {
            "timestamp": "2026-05-28 22:01:58,287",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29254bf0002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "c:\\windows\\system32\\runtimebroker.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 10678
          },
          {
            "timestamp": "2026-05-28 22:01:58,287",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100001",
                "pretty_value": "FILE_READ_ACCESS|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\SystemResources\\runtimebroker.exe.mun"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 10679
          },
          {
            "timestamp": "2026-05-28 22:01:58,287",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254bf0000"
              },
              {
                "name": "RegionSize",
                "value": "0x0001c000"
              }
            ],
            "repeated": 0,
            "id": 10680
          },
          {
            "timestamp": "2026-05-28 22:01:58,287",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\imageres.dll"
              }
            ],
            "repeated": 1,
            "id": 10681
          },
          {
            "timestamp": "2026-05-28 22:01:58,287",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29254bf0002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\system32\\imageres.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 10682
          },
          {
            "timestamp": "2026-05-28 22:01:58,287",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "registry",
            "api": "NtOpenKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\en-US"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\en-US"
              }
            ],
            "repeated": 0,
            "id": 10683
          },
          {
            "timestamp": "2026-05-28 22:01:58,287",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000810"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100001",
                "pretty_value": "FILE_READ_ACCESS|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\en-US\\imageres.dll.mui"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 10684
          },
          {
            "timestamp": "2026-05-28 22:01:58,287",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000820"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000810"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\en-US\\imageres.dll.mui"
              }
            ],
            "repeated": 0,
            "id": 10685
          },
          {
            "timestamp": "2026-05-28 22:01:58,287",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000820"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254c00000"
              },
              {
                "name": "SectionOffset",
                "value": "0xf09e17cbc0"
              },
              {
                "name": "ViewSize",
                "value": "0x00001000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 10686
          },
          {
            "timestamp": "2026-05-28 22:01:58,287",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000820"
              }
            ],
            "repeated": 0,
            "id": 10687
          },
          {
            "timestamp": "2026-05-28 22:01:58,287",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000820"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100001",
                "pretty_value": "FILE_READ_ACCESS|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\SystemResources\\imageres.dll.mun"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 10688
          },
          {
            "timestamp": "2026-05-28 22:01:58,287",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000818"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000820"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\SystemResources\\imageres.dll.mun"
              }
            ],
            "repeated": 0,
            "id": 10689
          },
          {
            "timestamp": "2026-05-28 22:01:58,287",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000818"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254c10000"
              },
              {
                "name": "SectionOffset",
                "value": "0xf09e17cb70"
              },
              {
                "name": "ViewSize",
                "value": "0x013c0000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 10690
          },
          {
            "timestamp": "2026-05-28 22:01:58,287",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000818"
              }
            ],
            "repeated": 0,
            "id": 10691
          },
          {
            "timestamp": "2026-05-28 22:01:58,287",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "misc",
            "api": "FindResourceExW",
            "status": true,
            "return": "0x29254c32e40",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29254bf0002"
              },
              {
                "name": "Type",
                "value": "#14"
              },
              {
                "name": "Name",
                "value": "#15"
              },
              {
                "name": "Language",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 10692
          },
          {
            "timestamp": "2026-05-28 22:01:58,287",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "misc",
            "api": "LoadResource",
            "status": true,
            "return": "0x29254ca6950",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29254bf0002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29254c32e40"
              }
            ],
            "repeated": 0,
            "id": 10693
          },
          {
            "timestamp": "2026-05-28 22:01:58,287",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "misc",
            "api": "FindResourceExW",
            "status": true,
            "return": "0x29254c28940",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29254bf0002"
              },
              {
                "name": "Type",
                "value": "#3"
              },
              {
                "name": "Name",
                "value": "#63"
              },
              {
                "name": "Language",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 10694
          },
          {
            "timestamp": "2026-05-28 22:01:58,287",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "misc",
            "api": "SizeofResource",
            "status": true,
            "return": "0x00000468",
            "arguments": [
              {
                "name": "ModuleHandle",
                "value": "0x29254bf0002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29254c28940"
              }
            ],
            "repeated": 0,
            "id": 10695
          },
          {
            "timestamp": "2026-05-28 22:01:58,287",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "misc",
            "api": "LoadResource",
            "status": true,
            "return": "0x29254ca64e8",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29254bf0002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29254c28940"
              }
            ],
            "repeated": 0,
            "id": 10696
          },
          {
            "timestamp": "2026-05-28 22:01:58,287",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254c10000"
              },
              {
                "name": "RegionSize",
                "value": "0x013c0000"
              }
            ],
            "repeated": 0,
            "id": 10697
          },
          {
            "timestamp": "2026-05-28 22:01:58,287",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000820"
              }
            ],
            "repeated": 0,
            "id": 10698
          },
          {
            "timestamp": "2026-05-28 22:01:58,287",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254c00000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              }
            ],
            "repeated": 0,
            "id": 10699
          },
          {
            "timestamp": "2026-05-28 22:01:58,287",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000810"
              }
            ],
            "repeated": 0,
            "id": 10700
          },
          {
            "timestamp": "2026-05-28 22:01:58,287",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254bf0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00003000"
              }
            ],
            "repeated": 0,
            "id": 10701
          },
          {
            "timestamp": "2026-05-28 22:01:58,287",
            "thread_id": "1496",
            "caller": "0x7ff6c28d33af",
            "parentcaller": "0x7ff6c290f627",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x292548bd000"
              },
              {
                "name": "RegionSize",
                "value": "0x0008b000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 10702
          },
          {
            "timestamp": "2026-05-28 22:01:58,287",
            "thread_id": "1496",
            "caller": "0x7ff6c28d33af",
            "parentcaller": "0x7ff6c290f627",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback"
              },
              {
                "name": "Handle",
                "value": "0x00000810"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback"
              }
            ],
            "repeated": 0,
            "id": 10703
          },
          {
            "timestamp": "2026-05-28 22:01:58,287",
            "thread_id": "1496",
            "caller": "0x7ff6c28d33af",
            "parentcaller": "0x7ff6c290f627",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000810"
              },
              {
                "name": "SubKey",
                "value": "Segoe MDL2 Assets"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Segoe MDL2 Assets"
              }
            ],
            "repeated": 0,
            "id": 10704
          },
          {
            "timestamp": "2026-05-28 22:01:58,287",
            "thread_id": "1496",
            "caller": "0x7ff6c28d33af",
            "parentcaller": "0x7ff6c290f627",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000810"
              }
            ],
            "repeated": 0,
            "id": 10705
          },
          {
            "timestamp": "2026-05-28 22:01:58,287",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000810"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000400",
                "pretty_value": "PROCESS_QUERY_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "7912"
              }
            ],
            "repeated": 0,
            "id": 10706
          },
          {
            "timestamp": "2026-05-28 22:01:58,287",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x00000820"
              }
            ],
            "repeated": 0,
            "id": 10707
          },
          {
            "timestamp": "2026-05-28 22:01:58,287",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "0\\xec\\x17\\x9e\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\xe9\\x03\\x00\\x00\\xfc\\x7f\\x00\\x00`^\\xe8S\\x92\\x02\\x00\\x00\\xb0\\xf2\\x17\\x9e\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x8a\\x00\\x00\\x00\\x00\\x00\\x00\\x00H\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 10708
          },
          {
            "timestamp": "2026-05-28 22:01:58,287",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "synchronization",
            "api": "NtCreateMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000814"
              },
              {
                "name": "MutexName",
                "value": "Global\\C::Users:admin:AppData:Local:Microsoft:Windows:Explorer:iconcache_idx.db!rwReaderRefs"
              },
              {
                "name": "InitialOwner",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 10709
          },
          {
            "timestamp": "2026-05-28 22:01:58,287",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000820"
              }
            ],
            "repeated": 0,
            "id": 10710
          },
          {
            "timestamp": "2026-05-28 22:01:58,287",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000810"
              }
            ],
            "repeated": 0,
            "id": 10711
          },
          {
            "timestamp": "2026-05-28 22:01:58,287",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000007d0"
              },
              {
                "name": "HandleName",
                "value": "C:\\Users\\admin\\AppData\\Local\\Microsoft\\Windows\\Explorer\\iconcache_idx.db"
              },
              {
                "name": "FileInformationClass",
                "value": "5",
                "pretty_value": "FileStandardInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\x00\\x80\\x00\\x00\\x00\\x00\\x00\\x000r\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 10712
          },
          {
            "timestamp": "2026-05-28 22:01:58,287",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000810"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000400",
                "pretty_value": "PROCESS_QUERY_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "7912"
              }
            ],
            "repeated": 0,
            "id": 10713
          },
          {
            "timestamp": "2026-05-28 22:01:58,287",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x00000820"
              }
            ],
            "repeated": 0,
            "id": 10714
          },
          {
            "timestamp": "2026-05-28 22:01:58,287",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xf0\\xec\\x17\\x9e\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\xe9\\x03\\x00\\x00\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00i\\xef\\x17\\x9e\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00T\\x82*_\\xfc\\x7f\\x00\\x004\\x008\\x00d\\x005\\x008\\x00\\x00\\x00\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x000\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00h\\xee\\x17\\x9e\\xf0\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 10715
          },
          {
            "timestamp": "2026-05-28 22:01:58,287",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "synchronization",
            "api": "NtCreateMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000081c"
              },
              {
                "name": "MutexName",
                "value": "Global\\C::Users:admin:AppData:Local:Microsoft:Windows:Explorer:iconcache_idx.db!048d58"
              },
              {
                "name": "InitialOwner",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 10716
          },
          {
            "timestamp": "2026-05-28 22:01:58,287",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000820"
              }
            ],
            "repeated": 0,
            "id": 10717
          },
          {
            "timestamp": "2026-05-28 22:01:58,287",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000810"
              }
            ],
            "repeated": 0,
            "id": 10718
          },
          {
            "timestamp": "2026-05-28 22:01:58,287",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000610"
              },
              {
                "name": "HandleName",
                "value": "C:\\Users\\admin\\AppData\\Local\\Microsoft\\Windows\\Explorer\\iconcache_16.db"
              },
              {
                "name": "FileInformationClass",
                "value": "5",
                "pretty_value": "FileStandardInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 10719
          },
          {
            "timestamp": "2026-05-28 22:01:58,287",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000814"
              }
            ],
            "repeated": 0,
            "id": 10720
          },
          {
            "timestamp": "2026-05-28 22:01:58,287",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000814"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000400",
                "pretty_value": "PROCESS_QUERY_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "7912"
              }
            ],
            "repeated": 0,
            "id": 10721
          },
          {
            "timestamp": "2026-05-28 22:01:58,287",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x00000810"
              }
            ],
            "repeated": 0,
            "id": 10722
          },
          {
            "timestamp": "2026-05-28 22:01:58,287",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\xed\\x17\\x9e\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\xe9\\x03\\x00\\x00\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xa0\\xed\\x17\\x9e\\xf0\\x00\\x00\\x00H\\xef\\x17\\x9e\\xf0\\x00\\x00\\x00X\\x8d\\xb3T\\x92\\x02\\x00\\x00\\x80\\xed\\x17\\x9e\\xf0\\x00\\x00\\x00\\xd0\\xed\\x17\\x9e\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xf0\\x00\\x00\\x00\\x00\\x00\\xafT\\x92\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00u\\xc0\\x00\\x00\\x00\\x00\\xafT\\x92\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 10723
          },
          {
            "timestamp": "2026-05-28 22:01:58,287",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "synchronization",
            "api": "NtCreateMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000820"
              },
              {
                "name": "MutexName",
                "value": "Global\\C::Users:admin:AppData:Local:Microsoft:Windows:Explorer:iconcache_idx.db!rwReaderRefs"
              },
              {
                "name": "InitialOwner",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 10724
          },
          {
            "timestamp": "2026-05-28 22:01:58,287",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000810"
              }
            ],
            "repeated": 0,
            "id": 10725
          },
          {
            "timestamp": "2026-05-28 22:01:58,287",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000814"
              }
            ],
            "repeated": 0,
            "id": 10726
          },
          {
            "timestamp": "2026-05-28 22:01:58,287",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000820"
              }
            ],
            "repeated": 0,
            "id": 10727
          },
          {
            "timestamp": "2026-05-28 22:01:58,287",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000081c"
              }
            ],
            "repeated": 0,
            "id": 10728
          },
          {
            "timestamp": "2026-05-28 22:01:58,287",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000820"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000400",
                "pretty_value": "PROCESS_QUERY_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "7912"
              }
            ],
            "repeated": 0,
            "id": 10729
          },
          {
            "timestamp": "2026-05-28 22:01:58,287",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x00000814"
              }
            ],
            "repeated": 0,
            "id": 10730
          },
          {
            "timestamp": "2026-05-28 22:01:58,287",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "0\\xec\\x17\\x9e\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\xe9\\x03\\x00\\x00\\xfc\\x7f\\x00\\x00`^\\xe8S\\x92\\x02\\x00\\x00\\xb0\\xf2\\x17\\x9e\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x8b\\x00\\x00\\x00\\x00\\x00\\x00\\x00H\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 10731
          },
          {
            "timestamp": "2026-05-28 22:01:58,287",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "synchronization",
            "api": "NtCreateMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000810"
              },
              {
                "name": "MutexName",
                "value": "Global\\C::Users:admin:AppData:Local:Microsoft:Windows:Explorer:iconcache_idx.db!rwReaderRefs"
              },
              {
                "name": "InitialOwner",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 10732
          },
          {
            "timestamp": "2026-05-28 22:01:58,287",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000814"
              }
            ],
            "repeated": 0,
            "id": 10733
          },
          {
            "timestamp": "2026-05-28 22:01:58,287",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000820"
              }
            ],
            "repeated": 0,
            "id": 10734
          },
          {
            "timestamp": "2026-05-28 22:01:58,287",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000007d0"
              },
              {
                "name": "HandleName",
                "value": "C:\\Users\\admin\\AppData\\Local\\Microsoft\\Windows\\Explorer\\iconcache_idx.db"
              },
              {
                "name": "FileInformationClass",
                "value": "5",
                "pretty_value": "FileStandardInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\x00\\x80\\x00\\x00\\x00\\x00\\x00\\x000r\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 10735
          },
          {
            "timestamp": "2026-05-28 22:01:58,287",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000810"
              }
            ],
            "repeated": 0,
            "id": 10736
          },
          {
            "timestamp": "2026-05-28 22:01:58,287",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000810"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000400",
                "pretty_value": "PROCESS_QUERY_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "7912"
              }
            ],
            "repeated": 0,
            "id": 10737
          },
          {
            "timestamp": "2026-05-28 22:01:58,287",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x00000820"
              }
            ],
            "repeated": 0,
            "id": 10738
          },
          {
            "timestamp": "2026-05-28 22:01:58,287",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "@\\xec\\x17\\x9e\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\xe9\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb8\\x07\\x00\\x00\\x00\\x00\\x00\\x00 \\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x02\\x00\\x00\\x00\\x00\\x00\\x00]\\xddmu\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00:\t\\xcfLu\\xc0\\x00\\x00\\xe8p%T\\x92\\x02\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 10739
          },
          {
            "timestamp": "2026-05-28 22:01:58,287",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "synchronization",
            "api": "NtCreateMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000814"
              },
              {
                "name": "MutexName",
                "value": "Global\\C::Users:admin:AppData:Local:Microsoft:Windows:Explorer:iconcache_idx.db!rwReaderRefs"
              },
              {
                "name": "InitialOwner",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 10740
          },
          {
            "timestamp": "2026-05-28 22:01:58,287",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000820"
              }
            ],
            "repeated": 0,
            "id": 10741
          },
          {
            "timestamp": "2026-05-28 22:01:58,287",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000810"
              }
            ],
            "repeated": 0,
            "id": 10742
          },
          {
            "timestamp": "2026-05-28 22:01:58,287",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000814"
              }
            ],
            "repeated": 0,
            "id": 10743
          },
          {
            "timestamp": "2026-05-28 22:01:58,287",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\applicationframehost.exe"
              }
            ],
            "repeated": 1,
            "id": 10744
          },
          {
            "timestamp": "2026-05-28 22:01:58,287",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29254bf0002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "c:\\windows\\system32\\applicationframehost.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 10745
          },
          {
            "timestamp": "2026-05-28 22:01:58,287",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100001",
                "pretty_value": "FILE_READ_ACCESS|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\SystemResources\\applicationframehost.exe.mun"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 10746
          },
          {
            "timestamp": "2026-05-28 22:01:58,287",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254bf0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00015000"
              }
            ],
            "repeated": 0,
            "id": 10747
          },
          {
            "timestamp": "2026-05-28 22:01:58,287",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\imageres.dll"
              }
            ],
            "repeated": 1,
            "id": 10748
          },
          {
            "timestamp": "2026-05-28 22:01:58,287",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29254bf0002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\system32\\imageres.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 10749
          },
          {
            "timestamp": "2026-05-28 22:01:58,287",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "registry",
            "api": "NtOpenKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\en-US"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\en-US"
              }
            ],
            "repeated": 0,
            "id": 10750
          },
          {
            "timestamp": "2026-05-28 22:01:58,287",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000814"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100001",
                "pretty_value": "FILE_READ_ACCESS|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\en-US\\imageres.dll.mui"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 10751
          },
          {
            "timestamp": "2026-05-28 22:01:58,287",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000810"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000814"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\en-US\\imageres.dll.mui"
              }
            ],
            "repeated": 0,
            "id": 10752
          },
          {
            "timestamp": "2026-05-28 22:01:58,287",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000810"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254c00000"
              },
              {
                "name": "SectionOffset",
                "value": "0xf09e17cbc0"
              },
              {
                "name": "ViewSize",
                "value": "0x00001000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 10753
          },
          {
            "timestamp": "2026-05-28 22:01:58,287",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000810"
              }
            ],
            "repeated": 0,
            "id": 10754
          },
          {
            "timestamp": "2026-05-28 22:01:58,287",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000810"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100001",
                "pretty_value": "FILE_READ_ACCESS|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\SystemResources\\imageres.dll.mun"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 10755
          },
          {
            "timestamp": "2026-05-28 22:01:58,287",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000820"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000810"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\SystemResources\\imageres.dll.mun"
              }
            ],
            "repeated": 0,
            "id": 10756
          },
          {
            "timestamp": "2026-05-28 22:01:58,287",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000820"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254c10000"
              },
              {
                "name": "SectionOffset",
                "value": "0xf09e17cb70"
              },
              {
                "name": "ViewSize",
                "value": "0x013c0000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 10757
          },
          {
            "timestamp": "2026-05-28 22:01:58,287",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000820"
              }
            ],
            "repeated": 0,
            "id": 10758
          },
          {
            "timestamp": "2026-05-28 22:01:58,287",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "misc",
            "api": "FindResourceExW",
            "status": true,
            "return": "0x29254c32e40",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29254bf0002"
              },
              {
                "name": "Type",
                "value": "#14"
              },
              {
                "name": "Name",
                "value": "#15"
              },
              {
                "name": "Language",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 10759
          },
          {
            "timestamp": "2026-05-28 22:01:58,287",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "misc",
            "api": "LoadResource",
            "status": true,
            "return": "0x29254ca6950",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29254bf0002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29254c32e40"
              }
            ],
            "repeated": 0,
            "id": 10760
          },
          {
            "timestamp": "2026-05-28 22:01:58,287",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "misc",
            "api": "FindResourceExW",
            "status": true,
            "return": "0x29254c28940",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29254bf0002"
              },
              {
                "name": "Type",
                "value": "#3"
              },
              {
                "name": "Name",
                "value": "#63"
              },
              {
                "name": "Language",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 10761
          },
          {
            "timestamp": "2026-05-28 22:01:58,287",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "misc",
            "api": "SizeofResource",
            "status": true,
            "return": "0x00000468",
            "arguments": [
              {
                "name": "ModuleHandle",
                "value": "0x29254bf0002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29254c28940"
              }
            ],
            "repeated": 0,
            "id": 10762
          },
          {
            "timestamp": "2026-05-28 22:01:58,287",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "misc",
            "api": "LoadResource",
            "status": true,
            "return": "0x29254ca64e8",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29254bf0002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29254c28940"
              }
            ],
            "repeated": 0,
            "id": 10763
          },
          {
            "timestamp": "2026-05-28 22:01:58,287",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254c10000"
              },
              {
                "name": "RegionSize",
                "value": "0x013c0000"
              }
            ],
            "repeated": 0,
            "id": 10764
          },
          {
            "timestamp": "2026-05-28 22:01:58,287",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000810"
              }
            ],
            "repeated": 0,
            "id": 10765
          },
          {
            "timestamp": "2026-05-28 22:01:58,287",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254c00000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              }
            ],
            "repeated": 0,
            "id": 10766
          },
          {
            "timestamp": "2026-05-28 22:01:58,287",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000814"
              }
            ],
            "repeated": 0,
            "id": 10767
          },
          {
            "timestamp": "2026-05-28 22:01:58,287",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254bf0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00003000"
              }
            ],
            "repeated": 0,
            "id": 10768
          },
          {
            "timestamp": "2026-05-28 22:01:58,287",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000814"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000400",
                "pretty_value": "PROCESS_QUERY_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "7912"
              }
            ],
            "repeated": 0,
            "id": 10769
          },
          {
            "timestamp": "2026-05-28 22:01:58,287",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x00000810"
              }
            ],
            "repeated": 0,
            "id": 10770
          },
          {
            "timestamp": "2026-05-28 22:01:58,287",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "0\\xec\\x17\\x9e\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\xe9\\x03\\x00\\x00\\xfc\\x7f\\x00\\x00`^\\xe8S\\x92\\x02\\x00\\x00\\xb0\\xf2\\x17\\x9e\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x8c\\x00\\x00\\x00\\x00\\x00\\x00\\x00H\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 10771
          },
          {
            "timestamp": "2026-05-28 22:01:58,287",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "synchronization",
            "api": "NtCreateMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000820"
              },
              {
                "name": "MutexName",
                "value": "Global\\C::Users:admin:AppData:Local:Microsoft:Windows:Explorer:iconcache_idx.db!rwReaderRefs"
              },
              {
                "name": "InitialOwner",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 10772
          },
          {
            "timestamp": "2026-05-28 22:01:58,287",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000810"
              }
            ],
            "repeated": 0,
            "id": 10773
          },
          {
            "timestamp": "2026-05-28 22:01:58,287",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000814"
              }
            ],
            "repeated": 0,
            "id": 10774
          },
          {
            "timestamp": "2026-05-28 22:01:58,287",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000007d0"
              },
              {
                "name": "HandleName",
                "value": "C:\\Users\\admin\\AppData\\Local\\Microsoft\\Windows\\Explorer\\iconcache_idx.db"
              },
              {
                "name": "FileInformationClass",
                "value": "5",
                "pretty_value": "FileStandardInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\x00\\x80\\x00\\x00\\x00\\x00\\x00\\x000r\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 10775
          },
          {
            "timestamp": "2026-05-28 22:01:58,287",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000814"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000400",
                "pretty_value": "PROCESS_QUERY_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "7912"
              }
            ],
            "repeated": 0,
            "id": 10776
          },
          {
            "timestamp": "2026-05-28 22:01:58,287",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x00000810"
              }
            ],
            "repeated": 0,
            "id": 10777
          },
          {
            "timestamp": "2026-05-28 22:01:58,287",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xf0\\xec\\x17\\x9e\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\xe9\\x03\\x00\\x00\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00i\\xef\\x17\\x9e\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00T\\x82*_\\xfc\\x7f\\x00\\x004\\x009\\x002\\x004\\x008\\x00\\x00\\x00\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x000\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00h\\xee\\x17\\x9e\\xf0\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 10778
          },
          {
            "timestamp": "2026-05-28 22:01:58,287",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "synchronization",
            "api": "NtCreateMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000640"
              },
              {
                "name": "MutexName",
                "value": "Global\\C::Users:admin:AppData:Local:Microsoft:Windows:Explorer:iconcache_idx.db!049248"
              },
              {
                "name": "InitialOwner",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 10779
          },
          {
            "timestamp": "2026-05-28 22:01:58,287",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000810"
              }
            ],
            "repeated": 0,
            "id": 10780
          },
          {
            "timestamp": "2026-05-28 22:01:58,287",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000814"
              }
            ],
            "repeated": 0,
            "id": 10781
          },
          {
            "timestamp": "2026-05-28 22:01:58,287",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000610"
              },
              {
                "name": "HandleName",
                "value": "C:\\Users\\admin\\AppData\\Local\\Microsoft\\Windows\\Explorer\\iconcache_16.db"
              },
              {
                "name": "FileInformationClass",
                "value": "5",
                "pretty_value": "FileStandardInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 10782
          },
          {
            "timestamp": "2026-05-28 22:01:58,287",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000820"
              }
            ],
            "repeated": 0,
            "id": 10783
          },
          {
            "timestamp": "2026-05-28 22:01:58,287",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000820"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000400",
                "pretty_value": "PROCESS_QUERY_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "7912"
              }
            ],
            "repeated": 0,
            "id": 10784
          },
          {
            "timestamp": "2026-05-28 22:01:58,287",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x00000814"
              }
            ],
            "repeated": 0,
            "id": 10785
          },
          {
            "timestamp": "2026-05-28 22:01:58,287",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\xed\\x17\\x9e\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\xe9\\x03\\x00\\x00\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xa0\\xed\\x17\\x9e\\xf0\\x00\\x00\\x00H\\xef\\x17\\x9e\\xf0\\x00\\x00\\x00H\\x92\\xb3T\\x92\\x02\\x00\\x00\\x80\\xed\\x17\\x9e\\xf0\\x00\\x00\\x00\\xd0\\xed\\x17\\x9e\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xf0\\x00\\x00\\x00\\x00\\x00\\xafT\\x92\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00u\\xc0\\x00\\x00\\x00\\x00\\xafT\\x92\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 10786
          },
          {
            "timestamp": "2026-05-28 22:01:58,287",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "synchronization",
            "api": "NtCreateMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000810"
              },
              {
                "name": "MutexName",
                "value": "Global\\C::Users:admin:AppData:Local:Microsoft:Windows:Explorer:iconcache_idx.db!rwReaderRefs"
              },
              {
                "name": "InitialOwner",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 10787
          },
          {
            "timestamp": "2026-05-28 22:01:58,287",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000814"
              }
            ],
            "repeated": 0,
            "id": 10788
          },
          {
            "timestamp": "2026-05-28 22:01:58,287",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000820"
              }
            ],
            "repeated": 0,
            "id": 10789
          },
          {
            "timestamp": "2026-05-28 22:01:58,287",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000810"
              }
            ],
            "repeated": 0,
            "id": 10790
          },
          {
            "timestamp": "2026-05-28 22:01:58,287",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000640"
              }
            ],
            "repeated": 0,
            "id": 10791
          },
          {
            "timestamp": "2026-05-28 22:01:58,287",
            "thread_id": "1276",
            "caller": "0x7ff6c28ba417",
            "parentcaller": "0x7ff6c28ba33d",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\SystemApps\\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\\Assets\\SquareLogo44x44.scale-100.png"
              }
            ],
            "repeated": 0,
            "id": 10792
          },
          {
            "timestamp": "2026-05-28 22:01:58,287",
            "thread_id": "1276",
            "caller": "0x7ff6c28ba417",
            "parentcaller": "0x7ff6c28ba33d",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000640"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\SystemApps\\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\\Assets\\SquareLogo44x44.scale-100.png"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "1",
                "pretty_value": "FILE_SHARE_READ"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 10793
          },
          {
            "timestamp": "2026-05-28 22:01:58,287",
            "thread_id": "1276",
            "caller": "0x7ff6c28ba417",
            "parentcaller": "0x7ff6c28ba33d",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000810"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000640"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\SystemApps\\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\\Assets\\SquareLogo44x44.scale-100.png"
              }
            ],
            "repeated": 0,
            "id": 10794
          },
          {
            "timestamp": "2026-05-28 22:01:58,287",
            "thread_id": "1276",
            "caller": "0x7ff6c28ba417",
            "parentcaller": "0x7ff6c28ba33d",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000810"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254bf0000"
              },
              {
                "name": "SectionOffset",
                "value": "0xf09e17ed00"
              },
              {
                "name": "ViewSize",
                "value": "0x00001000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 10795
          },
          {
            "timestamp": "2026-05-28 22:01:58,287",
            "thread_id": "1276",
            "caller": "0x7ff6c28ba417",
            "parentcaller": "0x7ff6c28ba33d",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000640"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\SystemApps\\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\\Assets\\SquareLogo44x44.scale-100.png"
              },
              {
                "name": "FileInformationClass",
                "value": "5",
                "pretty_value": "FileStandardInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x00}\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 10796
          },
          {
            "timestamp": "2026-05-28 22:01:58,287",
            "thread_id": "1276",
            "caller": "0x7ff6c28ba417",
            "parentcaller": "0x7ff6c28ba33d",
            "category": "process",
            "api": "NtUnmapViewOfSectionEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254bf0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Flags",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 10797
          },
          {
            "timestamp": "2026-05-28 22:01:58,303",
            "thread_id": "1276",
            "caller": "0x7ff6c28ba417",
            "parentcaller": "0x7ff6c28ba33d",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000810"
              }
            ],
            "repeated": 0,
            "id": 10798
          },
          {
            "timestamp": "2026-05-28 22:01:58,303",
            "thread_id": "1276",
            "caller": "0x7ff6c28ba417",
            "parentcaller": "0x7ff6c28ba33d",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000640"
              }
            ],
            "repeated": 0,
            "id": 10799
          },
          {
            "timestamp": "2026-05-28 22:01:58,303",
            "thread_id": "1276",
            "caller": "0x7ff6c28ba46d",
            "parentcaller": "0x7ff6c28ba33d",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\SystemApps\\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\\Assets\\SquareLogo44x44.scale-100.png"
              }
            ],
            "repeated": 0,
            "id": 10800
          },
          {
            "timestamp": "2026-05-28 22:01:58,303",
            "thread_id": "1276",
            "caller": "0x7ff6c28ba46d",
            "parentcaller": "0x7ff6c28ba33d",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x0000081c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\SystemApps\\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\\Assets\\SquareLogo44x44.scale-100.png"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "1",
                "pretty_value": "FILE_SHARE_READ"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 10801
          },
          {
            "timestamp": "2026-05-28 22:01:58,303",
            "thread_id": "1276",
            "caller": "0x7ff6c28ba46d",
            "parentcaller": "0x7ff6c28ba33d",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000818"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x0000081c"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\SystemApps\\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\\Assets\\SquareLogo44x44.scale-100.png"
              }
            ],
            "repeated": 0,
            "id": 10802
          },
          {
            "timestamp": "2026-05-28 22:01:58,303",
            "thread_id": "1276",
            "caller": "0x7ff6c28ba46d",
            "parentcaller": "0x7ff6c28ba33d",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000818"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254bf0000"
              },
              {
                "name": "SectionOffset",
                "value": "0xf09e17ed00"
              },
              {
                "name": "ViewSize",
                "value": "0x00001000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 10803
          },
          {
            "timestamp": "2026-05-28 22:01:58,303",
            "thread_id": "1276",
            "caller": "0x7ff6c28ba46d",
            "parentcaller": "0x7ff6c28ba33d",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x0000081c"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\SystemApps\\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\\Assets\\SquareLogo44x44.scale-100.png"
              },
              {
                "name": "FileInformationClass",
                "value": "5",
                "pretty_value": "FileStandardInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x00}\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 10804
          },
          {
            "timestamp": "2026-05-28 22:01:58,303",
            "thread_id": "1276",
            "caller": "0x7ff6c28ba46d",
            "parentcaller": "0x7ff6c28ba33d",
            "category": "process",
            "api": "NtUnmapViewOfSectionEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254bf0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Flags",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 10805
          },
          {
            "timestamp": "2026-05-28 22:01:58,303",
            "thread_id": "1276",
            "caller": "0x7ff6c28ba46d",
            "parentcaller": "0x7ff6c28ba33d",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000818"
              }
            ],
            "repeated": 0,
            "id": 10806
          },
          {
            "timestamp": "2026-05-28 22:01:58,303",
            "thread_id": "1276",
            "caller": "0x7ff6c28ba46d",
            "parentcaller": "0x7ff6c28ba33d",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000081c"
              }
            ],
            "repeated": 0,
            "id": 10807
          },
          {
            "timestamp": "2026-05-28 22:01:58,303",
            "thread_id": "1276",
            "caller": "0x7ff6c28ba589",
            "parentcaller": "0x7ff6c28ba4a3",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "317D06E8-5F24-433D-BDF7-79CE68D8ABC2"
              },
              {
                "name": "ClsContext",
                "value": "0x00000001",
                "pretty_value": "CLSCTX_INPROC_SERVER"
              },
              {
                "name": "riid",
                "value": "EC5EC8A9-C395-4314-9C77-54D7A935FF70"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 10808
          },
          {
            "timestamp": "2026-05-28 22:01:58,303",
            "thread_id": "1276",
            "caller": "0x7ff6c28ba673",
            "parentcaller": "0x7ff6c28ba5a8",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x0000081c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\SystemApps\\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\\Assets\\SquareLogo44x44.scale-100.png"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "1",
                "pretty_value": "FILE_SHARE_READ"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000080",
                "pretty_value": "FILE_ATTRIBUTE_NORMAL"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 10809
          },
          {
            "timestamp": "2026-05-28 22:01:58,303",
            "thread_id": "1276",
            "caller": "0x7ff6c28ba673",
            "parentcaller": "0x7ff6c28ba5a8",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x0000081c"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\SystemApps\\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\\Assets\\SquareLogo44x44.scale-100.png"
              },
              {
                "name": "FileInformationClass",
                "value": "18",
                "pretty_value": "FileAllInformation"
              },
              {
                "name": "FileInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 10810
          },
          {
            "timestamp": "2026-05-28 22:01:58,303",
            "thread_id": "1276",
            "caller": "0x7ff6c28ba673",
            "parentcaller": "0x7ff6c28ba5a8",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x0000081c"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\SystemApps\\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\\Assets\\SquareLogo44x44.scale-100.png"
              },
              {
                "name": "FileInformationClass",
                "value": "14",
                "pretty_value": "FilePositionInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 3,
            "id": 10811
          },
          {
            "timestamp": "2026-05-28 22:01:58,303",
            "thread_id": "1276",
            "caller": "0x7ff6c28ba673",
            "parentcaller": "0x7ff6c28ba5a8",
            "category": "filesystem",
            "api": "NtReadFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x0000081c"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\SystemApps\\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\\Assets\\SquareLogo44x44.scale-100.png"
              },
              {
                "name": "Buffer",
                "value": "\\x89PNG\r\n\\x1a\n\\x00\\x00\\x00\rIHDR"
              },
              {
                "name": "Length",
                "value": "16"
              }
            ],
            "repeated": 0,
            "id": 10812
          },
          {
            "timestamp": "2026-05-28 22:01:58,303",
            "thread_id": "1276",
            "caller": "0x7ff6c28ba673",
            "parentcaller": "0x7ff6c28ba5a8",
            "category": "filesystem",
            "api": "NtSetInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x0000081c"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\SystemApps\\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\\Assets\\SquareLogo44x44.scale-100.png"
              },
              {
                "name": "FileInformationClass",
                "value": "14",
                "pretty_value": "FilePositionInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 17,
            "id": 10813
          },
          {
            "timestamp": "2026-05-28 22:01:58,303",
            "thread_id": "1276",
            "caller": "0x7ff6c28ba673",
            "parentcaller": "0x7ff6c28ba5a8",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x0000081c"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\SystemApps\\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\\Assets\\SquareLogo44x44.scale-100.png"
              },
              {
                "name": "FileInformationClass",
                "value": "5",
                "pretty_value": "FileStandardInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x00}\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 10814
          },
          {
            "timestamp": "2026-05-28 22:01:58,303",
            "thread_id": "1276",
            "caller": "0x7ff6c28ba673",
            "parentcaller": "0x7ff6c28ba5a8",
            "category": "filesystem",
            "api": "NtSetInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x0000081c"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\SystemApps\\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\\Assets\\SquareLogo44x44.scale-100.png"
              },
              {
                "name": "FileInformationClass",
                "value": "14",
                "pretty_value": "FilePositionInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 2,
            "id": 10815
          },
          {
            "timestamp": "2026-05-28 22:01:58,303",
            "thread_id": "1276",
            "caller": "0x7ff6c28ba673",
            "parentcaller": "0x7ff6c28ba5a8",
            "category": "filesystem",
            "api": "NtReadFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x0000081c"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\SystemApps\\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\\Assets\\SquareLogo44x44.scale-100.png"
              },
              {
                "name": "Buffer",
                "value": "\\x89PNG\r\n\\x1a\n"
              },
              {
                "name": "Length",
                "value": "8"
              }
            ],
            "repeated": 0,
            "id": 10816
          },
          {
            "timestamp": "2026-05-28 22:01:58,303",
            "thread_id": "1276",
            "caller": "0x7ff6c28ba673",
            "parentcaller": "0x7ff6c28ba5a8",
            "category": "filesystem",
            "api": "NtSetInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x0000081c"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\SystemApps\\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\\Assets\\SquareLogo44x44.scale-100.png"
              },
              {
                "name": "FileInformationClass",
                "value": "14",
                "pretty_value": "FilePositionInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 2,
            "id": 10817
          },
          {
            "timestamp": "2026-05-28 22:01:58,303",
            "thread_id": "1276",
            "caller": "0x7ff6c28ba673",
            "parentcaller": "0x7ff6c28ba5a8",
            "category": "filesystem",
            "api": "NtReadFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x0000081c"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\SystemApps\\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\\Assets\\SquareLogo44x44.scale-100.png"
              },
              {
                "name": "Buffer",
                "value": "\\x00\\x00\\x00\rIHDR"
              },
              {
                "name": "Length",
                "value": "8"
              }
            ],
            "repeated": 0,
            "id": 10818
          },
          {
            "timestamp": "2026-05-28 22:01:58,303",
            "thread_id": "1276",
            "caller": "0x7ff6c28ba673",
            "parentcaller": "0x7ff6c28ba5a8",
            "category": "filesystem",
            "api": "NtSetInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x0000081c"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\SystemApps\\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\\Assets\\SquareLogo44x44.scale-100.png"
              },
              {
                "name": "FileInformationClass",
                "value": "14",
                "pretty_value": "FilePositionInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 2,
            "id": 10819
          },
          {
            "timestamp": "2026-05-28 22:01:58,303",
            "thread_id": "1276",
            "caller": "0x7ff6c28ba673",
            "parentcaller": "0x7ff6c28ba5a8",
            "category": "filesystem",
            "api": "NtReadFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x0000081c"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\SystemApps\\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\\Assets\\SquareLogo44x44.scale-100.png"
              },
              {
                "name": "Buffer",
                "value": "\\x00\\x00\\x00,\\x00\\x00\\x00,\\x08\\x06\\x00\\x00\\x00\\x1e\\x84Z\\x01"
              },
              {
                "name": "Length",
                "value": "17"
              }
            ],
            "repeated": 0,
            "id": 10820
          },
          {
            "timestamp": "2026-05-28 22:01:58,303",
            "thread_id": "1276",
            "caller": "0x7ff6c28ba673",
            "parentcaller": "0x7ff6c28ba5a8",
            "category": "filesystem",
            "api": "NtSetInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x0000081c"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\SystemApps\\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\\Assets\\SquareLogo44x44.scale-100.png"
              },
              {
                "name": "FileInformationClass",
                "value": "14",
                "pretty_value": "FilePositionInformation"
              },
              {
                "name": "FileInformation",
                "value": "!\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 2,
            "id": 10821
          },
          {
            "timestamp": "2026-05-28 22:01:58,303",
            "thread_id": "1276",
            "caller": "0x7ff6c28ba673",
            "parentcaller": "0x7ff6c28ba5a8",
            "category": "filesystem",
            "api": "NtReadFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x0000081c"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\SystemApps\\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\\Assets\\SquareLogo44x44.scale-100.png"
              },
              {
                "name": "Buffer",
                "value": "\\x00\\x00\\x00\\x04gAMA"
              },
              {
                "name": "Length",
                "value": "8"
              }
            ],
            "repeated": 0,
            "id": 10822
          },
          {
            "timestamp": "2026-05-28 22:01:58,303",
            "thread_id": "1276",
            "caller": "0x7ff6c28ba673",
            "parentcaller": "0x7ff6c28ba5a8",
            "category": "filesystem",
            "api": "NtSetInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x0000081c"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\SystemApps\\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\\Assets\\SquareLogo44x44.scale-100.png"
              },
              {
                "name": "FileInformationClass",
                "value": "14",
                "pretty_value": "FilePositionInformation"
              },
              {
                "name": "FileInformation",
                "value": ")\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 2,
            "id": 10823
          },
          {
            "timestamp": "2026-05-28 22:01:58,303",
            "thread_id": "1276",
            "caller": "0x7ff6c28ba673",
            "parentcaller": "0x7ff6c28ba5a8",
            "category": "filesystem",
            "api": "NtReadFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x0000081c"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\SystemApps\\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\\Assets\\SquareLogo44x44.scale-100.png"
              },
              {
                "name": "Buffer",
                "value": "\\x00\\x00\\xb1\\x8f\\x0b\\xfca\\x05"
              },
              {
                "name": "Length",
                "value": "8"
              }
            ],
            "repeated": 0,
            "id": 10824
          },
          {
            "timestamp": "2026-05-28 22:01:58,303",
            "thread_id": "1276",
            "caller": "0x7ff6c28ba673",
            "parentcaller": "0x7ff6c28ba5a8",
            "category": "filesystem",
            "api": "NtSetInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x0000081c"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\SystemApps\\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\\Assets\\SquareLogo44x44.scale-100.png"
              },
              {
                "name": "FileInformationClass",
                "value": "14",
                "pretty_value": "FilePositionInformation"
              },
              {
                "name": "FileInformation",
                "value": "1\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 2,
            "id": 10825
          },
          {
            "timestamp": "2026-05-28 22:01:58,303",
            "thread_id": "1276",
            "caller": "0x7ff6c28ba673",
            "parentcaller": "0x7ff6c28ba5a8",
            "category": "filesystem",
            "api": "NtReadFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x0000081c"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\SystemApps\\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\\Assets\\SquareLogo44x44.scale-100.png"
              },
              {
                "name": "Buffer",
                "value": "\\x00\\x00\\x00\tpHYs"
              },
              {
                "name": "Length",
                "value": "8"
              }
            ],
            "repeated": 0,
            "id": 10826
          },
          {
            "timestamp": "2026-05-28 22:01:58,303",
            "thread_id": "1276",
            "caller": "0x7ff6c28ba673",
            "parentcaller": "0x7ff6c28ba5a8",
            "category": "filesystem",
            "api": "NtSetInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x0000081c"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\SystemApps\\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\\Assets\\SquareLogo44x44.scale-100.png"
              },
              {
                "name": "FileInformationClass",
                "value": "14",
                "pretty_value": "FilePositionInformation"
              },
              {
                "name": "FileInformation",
                "value": "9\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 2,
            "id": 10827
          },
          {
            "timestamp": "2026-05-28 22:01:58,303",
            "thread_id": "1276",
            "caller": "0x7ff6c28ba673",
            "parentcaller": "0x7ff6c28ba5a8",
            "category": "filesystem",
            "api": "NtReadFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x0000081c"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\SystemApps\\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\\Assets\\SquareLogo44x44.scale-100.png"
              },
              {
                "name": "Buffer",
                "value": "\\x00\\x00\\x0e\\xc3\\x00\\x00\\x0e\\xc3\\x01\\xc7o\\xa8d"
              },
              {
                "name": "Length",
                "value": "13"
              }
            ],
            "repeated": 0,
            "id": 10828
          },
          {
            "timestamp": "2026-05-28 22:01:58,303",
            "thread_id": "1276",
            "caller": "0x7ff6c28ba673",
            "parentcaller": "0x7ff6c28ba5a8",
            "category": "filesystem",
            "api": "NtSetInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x0000081c"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\SystemApps\\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\\Assets\\SquareLogo44x44.scale-100.png"
              },
              {
                "name": "FileInformationClass",
                "value": "14",
                "pretty_value": "FilePositionInformation"
              },
              {
                "name": "FileInformation",
                "value": "F\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 2,
            "id": 10829
          },
          {
            "timestamp": "2026-05-28 22:01:58,303",
            "thread_id": "1276",
            "caller": "0x7ff6c28ba673",
            "parentcaller": "0x7ff6c28ba5a8",
            "category": "filesystem",
            "api": "NtReadFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x0000081c"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\SystemApps\\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\\Assets\\SquareLogo44x44.scale-100.png"
              },
              {
                "name": "Buffer",
                "value": "\\x00\\x00\\x01\\x1fIDAT"
              },
              {
                "name": "Length",
                "value": "8"
              }
            ],
            "repeated": 0,
            "id": 10830
          },
          {
            "timestamp": "2026-05-28 22:01:58,303",
            "thread_id": "1276",
            "caller": "0x7ff6c28ba143",
            "parentcaller": "0x7ff6c28ba006",
            "category": "filesystem",
            "api": "NtSetInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x0000081c"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\SystemApps\\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\\Assets\\SquareLogo44x44.scale-100.png"
              },
              {
                "name": "FileInformationClass",
                "value": "14",
                "pretty_value": "FilePositionInformation"
              },
              {
                "name": "FileInformation",
                "value": "F\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 1,
            "id": 10831
          },
          {
            "timestamp": "2026-05-28 22:01:58,303",
            "thread_id": "1496",
            "caller": "0x7ff6c28d33af",
            "parentcaller": "0x7ff6c290f627",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback"
              },
              {
                "name": "Handle",
                "value": "0x00000640"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback"
              }
            ],
            "repeated": 0,
            "id": 10832
          },
          {
            "timestamp": "2026-05-28 22:01:58,303",
            "thread_id": "1276",
            "caller": "0x7ff6c28ba143",
            "parentcaller": "0x7ff6c28ba006",
            "category": "filesystem",
            "api": "NtSetInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x0000081c"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\SystemApps\\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\\Assets\\SquareLogo44x44.scale-100.png"
              },
              {
                "name": "FileInformationClass",
                "value": "14",
                "pretty_value": "FilePositionInformation"
              },
              {
                "name": "FileInformation",
                "value": "F\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 10833
          },
          {
            "timestamp": "2026-05-28 22:01:58,303",
            "thread_id": "1496",
            "caller": "0x7ff6c28d33af",
            "parentcaller": "0x7ff6c290f627",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000640"
              },
              {
                "name": "SubKey",
                "value": "Segoe UI"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Segoe UI"
              }
            ],
            "repeated": 0,
            "id": 10834
          },
          {
            "timestamp": "2026-05-28 22:01:58,303",
            "thread_id": "1496",
            "caller": "0x7ff6c28d33af",
            "parentcaller": "0x7ff6c290f627",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000640"
              }
            ],
            "repeated": 0,
            "id": 10835
          },
          {
            "timestamp": "2026-05-28 22:01:58,303",
            "thread_id": "1276",
            "caller": "0x7ff6c28ba143",
            "parentcaller": "0x7ff6c28ba006",
            "category": "filesystem",
            "api": "NtSetInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x0000081c"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\SystemApps\\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\\Assets\\SquareLogo44x44.scale-100.png"
              },
              {
                "name": "FileInformationClass",
                "value": "14",
                "pretty_value": "FilePositionInformation"
              },
              {
                "name": "FileInformation",
                "value": "F\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 2,
            "id": 10836
          },
          {
            "timestamp": "2026-05-28 22:01:58,303",
            "thread_id": "1276",
            "caller": "0x7ff6c28ba143",
            "parentcaller": "0x7ff6c28ba006",
            "category": "filesystem",
            "api": "NtReadFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x0000081c"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\SystemApps\\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\\Assets\\SquareLogo44x44.scale-100.png"
              },
              {
                "name": "Buffer",
                "value": "\\x00\\x00\\x01\\x1fIDATXG\\xed\\x96\\x0b\r\\xc2@\\x10D+\\xa0\\x060P\\x03\\xf8@\\x01\\x0ep\\x80\\x05,\\xa0\\xa1&p\\x81\\x98\\x96\\x99\\xcd\\x1c\\xa1\r\\x04r\\xedBH\\xe6%\\x9b\\xfd\\ovs\\Z\\x1ac\\x8c1\\xc6\\x98o0\\x0c\\xc3f\\x1c\\xc7m\\x96A\\xbfS\\xabe@\\xac\\x85\\xd8\\x05>\\x1d\\xf4\\xb9\\xf2`\\xd4\\xba\\x0e\\x08\\xec\\x1f\\xc4\\xfaD\\x8bC\\x81?\\xa8u\\x1d\\x14XE\\xe8\rh\\xc1\\xab\\xc1>\\xbdJu\\xcc\\x07\\x86\\xdf1\\x86\\xc5O\\xa7\\xb8\\xacm\\x94\\xef\\x98s\\x08\\xe6\\xf4Z\\x7f\\xb9\\x97\\xcf\\xa8\\xcf\\xea\\x03\\xf7\\xccA\\x0c\\xa1xT<i\\xbado5O\\x9a\\xfe\\xd7\tg\\x9160\\xfc\\x91\\xa2\\xc5T\\xeb\\x94\\x1f\\x95\\xf3$\\x99\\xc7I\\xb3\\xae<\\xde\\xb5\\x8a\\xef\\xc6Z\\xe6\\xc0\\xe5\\x1e\\x06\\xac\\xc1U\\xdd\\xdd\\x82ji\\x03w\\x12\\x0fc\r\\xbee\\xcc5=\\x13_Ez\\xe5eO\\xcb\\\\xf1\\\\x83\\xf1\\xfa\\x03g\\x9160\\x05\\x99\\x17X\\x83\\x8bf\\x1f\\xf0\\x93+\\xf1_\\x03g\\x911\\xf0I\\xa2)"
              },
              {
                "name": "Length",
                "value": "307"
              }
            ],
            "repeated": 0,
            "id": 10837
          },
          {
            "timestamp": "2026-05-28 22:01:58,303",
            "thread_id": "1276",
            "caller": "0x7ff6c28b3747",
            "parentcaller": "0x7ff6c28ba5eb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000081c"
              }
            ],
            "repeated": 0,
            "id": 10838
          },
          {
            "timestamp": "2026-05-28 22:01:58,303",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x0000081c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000400",
                "pretty_value": "PROCESS_QUERY_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "7912"
              }
            ],
            "repeated": 0,
            "id": 10839
          },
          {
            "timestamp": "2026-05-28 22:01:58,303",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x00000818"
              }
            ],
            "repeated": 0,
            "id": 10840
          },
          {
            "timestamp": "2026-05-28 22:01:58,303",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "0\\xec\\x17\\x9e\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\xe9\\x03\\x00\\x00\\xfc\\x7f\\x00\\x00`^\\xe8S\\x92\\x02\\x00\\x00\\xb0\\xf2\\x17\\x9e\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x8d\\x00\\x00\\x00\\x00\\x00\\x00\\x00H\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 10841
          },
          {
            "timestamp": "2026-05-28 22:01:58,303",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "synchronization",
            "api": "NtCreateMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000080c"
              },
              {
                "name": "MutexName",
                "value": "Global\\C::Users:admin:AppData:Local:Microsoft:Windows:Explorer:iconcache_idx.db!rwReaderRefs"
              },
              {
                "name": "InitialOwner",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 10842
          },
          {
            "timestamp": "2026-05-28 22:01:58,303",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000818"
              }
            ],
            "repeated": 0,
            "id": 10843
          },
          {
            "timestamp": "2026-05-28 22:01:58,303",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000081c"
              }
            ],
            "repeated": 0,
            "id": 10844
          },
          {
            "timestamp": "2026-05-28 22:01:58,303",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000007d0"
              },
              {
                "name": "HandleName",
                "value": "C:\\Users\\admin\\AppData\\Local\\Microsoft\\Windows\\Explorer\\iconcache_idx.db"
              },
              {
                "name": "FileInformationClass",
                "value": "5",
                "pretty_value": "FileStandardInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\x00\\x80\\x00\\x00\\x00\\x00\\x00\\x000r\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 10845
          },
          {
            "timestamp": "2026-05-28 22:01:58,303",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000080c"
              }
            ],
            "repeated": 0,
            "id": 10846
          },
          {
            "timestamp": "2026-05-28 22:01:58,303",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x0000080c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000400",
                "pretty_value": "PROCESS_QUERY_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "7912"
              }
            ],
            "repeated": 0,
            "id": 10847
          },
          {
            "timestamp": "2026-05-28 22:01:58,303",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x0000081c"
              }
            ],
            "repeated": 0,
            "id": 10848
          },
          {
            "timestamp": "2026-05-28 22:01:58,303",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "@\\xec\\x17\\x9e\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\xe9\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb8\\x07\\x00\\x00\\x00\\x00\\x00\\x00 \\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x02\\x00\\x00\\x00\\x00\\x00\\x00]\\xddmu\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00:\t\\xcfLu\\xc0\\x00\\x00\\xe8p%T\\x92\\x02\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 10849
          },
          {
            "timestamp": "2026-05-28 22:01:58,303",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "synchronization",
            "api": "NtCreateMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000818"
              },
              {
                "name": "MutexName",
                "value": "Global\\C::Users:admin:AppData:Local:Microsoft:Windows:Explorer:iconcache_idx.db!rwReaderRefs"
              },
              {
                "name": "InitialOwner",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 10850
          },
          {
            "timestamp": "2026-05-28 22:01:58,303",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000081c"
              }
            ],
            "repeated": 0,
            "id": 10851
          },
          {
            "timestamp": "2026-05-28 22:01:58,303",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000080c"
              }
            ],
            "repeated": 0,
            "id": 10852
          },
          {
            "timestamp": "2026-05-28 22:01:58,303",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000818"
              }
            ],
            "repeated": 0,
            "id": 10853
          },
          {
            "timestamp": "2026-05-28 22:01:58,303",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\net1.exe"
              }
            ],
            "repeated": 1,
            "id": 10854
          },
          {
            "timestamp": "2026-05-28 22:01:58,303",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29254bf0002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\system32\\net1.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 10855
          },
          {
            "timestamp": "2026-05-28 22:01:58,303",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100001",
                "pretty_value": "FILE_READ_ACCESS|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\SystemResources\\net1.exe.mun"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 10856
          },
          {
            "timestamp": "2026-05-28 22:01:58,303",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254bf0000"
              },
              {
                "name": "RegionSize",
                "value": "0x0003e000"
              }
            ],
            "repeated": 0,
            "id": 10857
          },
          {
            "timestamp": "2026-05-28 22:01:58,303",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\imageres.dll"
              }
            ],
            "repeated": 1,
            "id": 10858
          },
          {
            "timestamp": "2026-05-28 22:01:58,303",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29254bf0002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\system32\\imageres.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 10859
          },
          {
            "timestamp": "2026-05-28 22:01:58,303",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "registry",
            "api": "NtOpenKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\en-US"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\en-US"
              }
            ],
            "repeated": 0,
            "id": 10860
          },
          {
            "timestamp": "2026-05-28 22:01:58,303",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000818"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100001",
                "pretty_value": "FILE_READ_ACCESS|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\en-US\\imageres.dll.mui"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 10861
          },
          {
            "timestamp": "2026-05-28 22:01:58,303",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x0000080c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000818"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\en-US\\imageres.dll.mui"
              }
            ],
            "repeated": 0,
            "id": 10862
          },
          {
            "timestamp": "2026-05-28 22:01:58,303",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x0000080c"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254c00000"
              },
              {
                "name": "SectionOffset",
                "value": "0xf09e17cbc0"
              },
              {
                "name": "ViewSize",
                "value": "0x00001000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 10863
          },
          {
            "timestamp": "2026-05-28 22:01:58,303",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000080c"
              }
            ],
            "repeated": 0,
            "id": 10864
          },
          {
            "timestamp": "2026-05-28 22:01:58,303",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x0000080c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100001",
                "pretty_value": "FILE_READ_ACCESS|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\SystemResources\\imageres.dll.mun"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 10865
          },
          {
            "timestamp": "2026-05-28 22:01:58,303",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x0000081c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x0000080c"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\SystemResources\\imageres.dll.mun"
              }
            ],
            "repeated": 0,
            "id": 10866
          },
          {
            "timestamp": "2026-05-28 22:01:58,303",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x0000081c"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254c10000"
              },
              {
                "name": "SectionOffset",
                "value": "0xf09e17cb70"
              },
              {
                "name": "ViewSize",
                "value": "0x013c0000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 10867
          },
          {
            "timestamp": "2026-05-28 22:01:58,303",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000081c"
              }
            ],
            "repeated": 0,
            "id": 10868
          },
          {
            "timestamp": "2026-05-28 22:01:58,303",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "misc",
            "api": "FindResourceExW",
            "status": true,
            "return": "0x29254c32e40",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29254bf0002"
              },
              {
                "name": "Type",
                "value": "#14"
              },
              {
                "name": "Name",
                "value": "#15"
              },
              {
                "name": "Language",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 10869
          },
          {
            "timestamp": "2026-05-28 22:01:58,303",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "misc",
            "api": "LoadResource",
            "status": true,
            "return": "0x29254ca6950",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29254bf0002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29254c32e40"
              }
            ],
            "repeated": 0,
            "id": 10870
          },
          {
            "timestamp": "2026-05-28 22:01:58,303",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "misc",
            "api": "FindResourceExW",
            "status": true,
            "return": "0x29254c28940",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29254bf0002"
              },
              {
                "name": "Type",
                "value": "#3"
              },
              {
                "name": "Name",
                "value": "#63"
              },
              {
                "name": "Language",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 10871
          },
          {
            "timestamp": "2026-05-28 22:01:58,303",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "misc",
            "api": "SizeofResource",
            "status": true,
            "return": "0x00000468",
            "arguments": [
              {
                "name": "ModuleHandle",
                "value": "0x29254bf0002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29254c28940"
              }
            ],
            "repeated": 0,
            "id": 10872
          },
          {
            "timestamp": "2026-05-28 22:01:58,303",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "misc",
            "api": "LoadResource",
            "status": true,
            "return": "0x29254ca64e8",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29254bf0002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29254c28940"
              }
            ],
            "repeated": 0,
            "id": 10873
          },
          {
            "timestamp": "2026-05-28 22:01:58,303",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254c10000"
              },
              {
                "name": "RegionSize",
                "value": "0x013c0000"
              }
            ],
            "repeated": 0,
            "id": 10874
          },
          {
            "timestamp": "2026-05-28 22:01:58,303",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000080c"
              }
            ],
            "repeated": 0,
            "id": 10875
          },
          {
            "timestamp": "2026-05-28 22:01:58,303",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254c00000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              }
            ],
            "repeated": 0,
            "id": 10876
          },
          {
            "timestamp": "2026-05-28 22:01:58,303",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000818"
              }
            ],
            "repeated": 0,
            "id": 10877
          },
          {
            "timestamp": "2026-05-28 22:01:58,303",
            "thread_id": "1276",
            "caller": "0x7ff6c28c5ec9",
            "parentcaller": "0x7ff6c28c5b55",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254bf0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00003000"
              }
            ],
            "repeated": 0,
            "id": 10878
          },
          {
            "timestamp": "2026-05-28 22:01:58,303",
            "thread_id": "1276",
            "caller": "0x7ff6c28ba417",
            "parentcaller": "0x7ff6c28ba33d",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\SystemApps\\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\\Assets\\SquareLogo44x44.scale-100.png"
              }
            ],
            "repeated": 0,
            "id": 10879
          },
          {
            "timestamp": "2026-05-28 22:01:58,303",
            "thread_id": "1276",
            "caller": "0x7ff6c28ba417",
            "parentcaller": "0x7ff6c28ba33d",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000818"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\SystemApps\\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\\Assets\\SquareLogo44x44.scale-100.png"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "1",
                "pretty_value": "FILE_SHARE_READ"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 10880
          },
          {
            "timestamp": "2026-05-28 22:01:58,303",
            "thread_id": "1276",
            "caller": "0x7ff6c28ba417",
            "parentcaller": "0x7ff6c28ba33d",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x0000080c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000818"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\SystemApps\\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\\Assets\\SquareLogo44x44.scale-100.png"
              }
            ],
            "repeated": 0,
            "id": 10881
          },
          {
            "timestamp": "2026-05-28 22:01:58,303",
            "thread_id": "1276",
            "caller": "0x7ff6c28ba417",
            "parentcaller": "0x7ff6c28ba33d",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x0000080c"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254bf0000"
              },
              {
                "name": "SectionOffset",
                "value": "0xf09e17ed00"
              },
              {
                "name": "ViewSize",
                "value": "0x00001000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 10882
          },
          {
            "timestamp": "2026-05-28 22:01:58,303",
            "thread_id": "1276",
            "caller": "0x7ff6c28ba417",
            "parentcaller": "0x7ff6c28ba33d",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000818"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\SystemApps\\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\\Assets\\SquareLogo44x44.scale-100.png"
              },
              {
                "name": "FileInformationClass",
                "value": "5",
                "pretty_value": "FileStandardInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x00}\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 10883
          },
          {
            "timestamp": "2026-05-28 22:01:58,303",
            "thread_id": "1276",
            "caller": "0x7ff6c28ba417",
            "parentcaller": "0x7ff6c28ba33d",
            "category": "process",
            "api": "NtUnmapViewOfSectionEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254bf0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Flags",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 10884
          },
          {
            "timestamp": "2026-05-28 22:01:58,303",
            "thread_id": "1276",
            "caller": "0x7ff6c28ba417",
            "parentcaller": "0x7ff6c28ba33d",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000080c"
              }
            ],
            "repeated": 0,
            "id": 10885
          },
          {
            "timestamp": "2026-05-28 22:01:58,303",
            "thread_id": "1276",
            "caller": "0x7ff6c28ba417",
            "parentcaller": "0x7ff6c28ba33d",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000818"
              }
            ],
            "repeated": 0,
            "id": 10886
          },
          {
            "timestamp": "2026-05-28 22:01:58,303",
            "thread_id": "1276",
            "caller": "0x7ff6c28ba46d",
            "parentcaller": "0x7ff6c28ba33d",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\SystemApps\\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\\Assets\\SquareLogo44x44.scale-100.png"
              }
            ],
            "repeated": 0,
            "id": 10887
          },
          {
            "timestamp": "2026-05-28 22:01:58,303",
            "thread_id": "1276",
            "caller": "0x7ff6c28ba46d",
            "parentcaller": "0x7ff6c28ba33d",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000818"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\SystemApps\\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\\Assets\\SquareLogo44x44.scale-100.png"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "1",
                "pretty_value": "FILE_SHARE_READ"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 10888
          },
          {
            "timestamp": "2026-05-28 22:01:58,303",
            "thread_id": "1276",
            "caller": "0x7ff6c28ba46d",
            "parentcaller": "0x7ff6c28ba33d",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x0000080c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000818"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\SystemApps\\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\\Assets\\SquareLogo44x44.scale-100.png"
              }
            ],
            "repeated": 0,
            "id": 10889
          },
          {
            "timestamp": "2026-05-28 22:01:58,303",
            "thread_id": "1276",
            "caller": "0x7ff6c28ba46d",
            "parentcaller": "0x7ff6c28ba33d",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x0000080c"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254bf0000"
              },
              {
                "name": "SectionOffset",
                "value": "0xf09e17ed00"
              },
              {
                "name": "ViewSize",
                "value": "0x00001000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 10890
          },
          {
            "timestamp": "2026-05-28 22:01:58,303",
            "thread_id": "1276",
            "caller": "0x7ff6c28ba46d",
            "parentcaller": "0x7ff6c28ba33d",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000818"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\SystemApps\\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\\Assets\\SquareLogo44x44.scale-100.png"
              },
              {
                "name": "FileInformationClass",
                "value": "5",
                "pretty_value": "FileStandardInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x00}\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 10891
          },
          {
            "timestamp": "2026-05-28 22:01:58,303",
            "thread_id": "1276",
            "caller": "0x7ff6c28ba46d",
            "parentcaller": "0x7ff6c28ba33d",
            "category": "process",
            "api": "NtUnmapViewOfSectionEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254bf0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Flags",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 10892
          },
          {
            "timestamp": "2026-05-28 22:01:58,303",
            "thread_id": "1276",
            "caller": "0x7ff6c28ba46d",
            "parentcaller": "0x7ff6c28ba33d",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000080c"
              }
            ],
            "repeated": 0,
            "id": 10893
          },
          {
            "timestamp": "2026-05-28 22:01:58,303",
            "thread_id": "1276",
            "caller": "0x7ff6c28ba46d",
            "parentcaller": "0x7ff6c28ba33d",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000818"
              }
            ],
            "repeated": 0,
            "id": 10894
          },
          {
            "timestamp": "2026-05-28 22:01:58,303",
            "thread_id": "1276",
            "caller": "0x7ff6c28ba589",
            "parentcaller": "0x7ff6c28ba4a3",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "317D06E8-5F24-433D-BDF7-79CE68D8ABC2"
              },
              {
                "name": "ClsContext",
                "value": "0x00000001",
                "pretty_value": "CLSCTX_INPROC_SERVER"
              },
              {
                "name": "riid",
                "value": "EC5EC8A9-C395-4314-9C77-54D7A935FF70"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 10895
          },
          {
            "timestamp": "2026-05-28 22:01:58,303",
            "thread_id": "1276",
            "caller": "0x7ff6c28ba673",
            "parentcaller": "0x7ff6c28ba5a8",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000818"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\SystemApps\\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\\Assets\\SquareLogo44x44.scale-100.png"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "1",
                "pretty_value": "FILE_SHARE_READ"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000080",
                "pretty_value": "FILE_ATTRIBUTE_NORMAL"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 10896
          },
          {
            "timestamp": "2026-05-28 22:01:58,303",
            "thread_id": "1276",
            "caller": "0x7ff6c28ba673",
            "parentcaller": "0x7ff6c28ba5a8",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000818"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\SystemApps\\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\\Assets\\SquareLogo44x44.scale-100.png"
              },
              {
                "name": "FileInformationClass",
                "value": "18",
                "pretty_value": "FileAllInformation"
              },
              {
                "name": "FileInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 10897
          },
          {
            "timestamp": "2026-05-28 22:01:58,303",
            "thread_id": "1276",
            "caller": "0x7ff6c28ba673",
            "parentcaller": "0x7ff6c28ba5a8",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000818"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\SystemApps\\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\\Assets\\SquareLogo44x44.scale-100.png"
              },
              {
                "name": "FileInformationClass",
                "value": "14",
                "pretty_value": "FilePositionInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 3,
            "id": 10898
          },
          {
            "timestamp": "2026-05-28 22:01:58,303",
            "thread_id": "1276",
            "caller": "0x7ff6c28ba673",
            "parentcaller": "0x7ff6c28ba5a8",
            "category": "filesystem",
            "api": "NtReadFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000818"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\SystemApps\\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\\Assets\\SquareLogo44x44.scale-100.png"
              },
              {
                "name": "Buffer",
                "value": "\\x89PNG\r\n\\x1a\n\\x00\\x00\\x00\rIHDR"
              },
              {
                "name": "Length",
                "value": "16"
              }
            ],
            "repeated": 0,
            "id": 10899
          },
          {
            "timestamp": "2026-05-28 22:01:58,303",
            "thread_id": "1276",
            "caller": "0x7ff6c28ba673",
            "parentcaller": "0x7ff6c28ba5a8",
            "category": "filesystem",
            "api": "NtSetInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000818"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\SystemApps\\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\\Assets\\SquareLogo44x44.scale-100.png"
              },
              {
                "name": "FileInformationClass",
                "value": "14",
                "pretty_value": "FilePositionInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 17,
            "id": 10900
          },
          {
            "timestamp": "2026-05-28 22:01:58,318",
            "thread_id": "1276",
            "caller": "0x7ff6c28ba673",
            "parentcaller": "0x7ff6c28ba5a8",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000818"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\SystemApps\\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\\Assets\\SquareLogo44x44.scale-100.png"
              },
              {
                "name": "FileInformationClass",
                "value": "5",
                "pretty_value": "FileStandardInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x00}\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 10901
          },
          {
            "timestamp": "2026-05-28 22:01:58,318",
            "thread_id": "1276",
            "caller": "0x7ff6c28ba673",
            "parentcaller": "0x7ff6c28ba5a8",
            "category": "filesystem",
            "api": "NtSetInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000818"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\SystemApps\\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\\Assets\\SquareLogo44x44.scale-100.png"
              },
              {
                "name": "FileInformationClass",
                "value": "14",
                "pretty_value": "FilePositionInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 2,
            "id": 10902
          },
          {
            "timestamp": "2026-05-28 22:01:58,318",
            "thread_id": "1276",
            "caller": "0x7ff6c28ba673",
            "parentcaller": "0x7ff6c28ba5a8",
            "category": "filesystem",
            "api": "NtReadFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000818"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\SystemApps\\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\\Assets\\SquareLogo44x44.scale-100.png"
              },
              {
                "name": "Buffer",
                "value": "\\x89PNG\r\n\\x1a\n"
              },
              {
                "name": "Length",
                "value": "8"
              }
            ],
            "repeated": 0,
            "id": 10903
          },
          {
            "timestamp": "2026-05-28 22:01:58,318",
            "thread_id": "1276",
            "caller": "0x7ff6c28ba673",
            "parentcaller": "0x7ff6c28ba5a8",
            "category": "filesystem",
            "api": "NtSetInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000818"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\SystemApps\\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\\Assets\\SquareLogo44x44.scale-100.png"
              },
              {
                "name": "FileInformationClass",
                "value": "14",
                "pretty_value": "FilePositionInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 2,
            "id": 10904
          },
          {
            "timestamp": "2026-05-28 22:01:58,318",
            "thread_id": "1276",
            "caller": "0x7ff6c28ba673",
            "parentcaller": "0x7ff6c28ba5a8",
            "category": "filesystem",
            "api": "NtReadFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000818"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\SystemApps\\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\\Assets\\SquareLogo44x44.scale-100.png"
              },
              {
                "name": "Buffer",
                "value": "\\x00\\x00\\x00\rIHDR"
              },
              {
                "name": "Length",
                "value": "8"
              }
            ],
            "repeated": 0,
            "id": 10905
          },
          {
            "timestamp": "2026-05-28 22:01:58,318",
            "thread_id": "1276",
            "caller": "0x7ff6c28ba673",
            "parentcaller": "0x7ff6c28ba5a8",
            "category": "filesystem",
            "api": "NtSetInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000818"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\SystemApps\\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\\Assets\\SquareLogo44x44.scale-100.png"
              },
              {
                "name": "FileInformationClass",
                "value": "14",
                "pretty_value": "FilePositionInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 2,
            "id": 10906
          },
          {
            "timestamp": "2026-05-28 22:01:58,318",
            "thread_id": "1276",
            "caller": "0x7ff6c28ba673",
            "parentcaller": "0x7ff6c28ba5a8",
            "category": "filesystem",
            "api": "NtReadFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000818"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\SystemApps\\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\\Assets\\SquareLogo44x44.scale-100.png"
              },
              {
                "name": "Buffer",
                "value": "\\x00\\x00\\x00,\\x00\\x00\\x00,\\x08\\x06\\x00\\x00\\x00\\x1e\\x84Z\\x01"
              },
              {
                "name": "Length",
                "value": "17"
              }
            ],
            "repeated": 0,
            "id": 10907
          },
          {
            "timestamp": "2026-05-28 22:01:58,318",
            "thread_id": "1276",
            "caller": "0x7ff6c28ba673",
            "parentcaller": "0x7ff6c28ba5a8",
            "category": "filesystem",
            "api": "NtSetInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000818"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\SystemApps\\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\\Assets\\SquareLogo44x44.scale-100.png"
              },
              {
                "name": "FileInformationClass",
                "value": "14",
                "pretty_value": "FilePositionInformation"
              },
              {
                "name": "FileInformation",
                "value": "!\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 2,
            "id": 10908
          },
          {
            "timestamp": "2026-05-28 22:01:58,318",
            "thread_id": "1276",
            "caller": "0x7ff6c28ba673",
            "parentcaller": "0x7ff6c28ba5a8",
            "category": "filesystem",
            "api": "NtReadFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000818"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\SystemApps\\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\\Assets\\SquareLogo44x44.scale-100.png"
              },
              {
                "name": "Buffer",
                "value": "\\x00\\x00\\x00\\x04gAMA"
              },
              {
                "name": "Length",
                "value": "8"
              }
            ],
            "repeated": 0,
            "id": 10909
          },
          {
            "timestamp": "2026-05-28 22:01:58,318",
            "thread_id": "1276",
            "caller": "0x7ff6c28ba673",
            "parentcaller": "0x7ff6c28ba5a8",
            "category": "filesystem",
            "api": "NtSetInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000818"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\SystemApps\\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\\Assets\\SquareLogo44x44.scale-100.png"
              },
              {
                "name": "FileInformationClass",
                "value": "14",
                "pretty_value": "FilePositionInformation"
              },
              {
                "name": "FileInformation",
                "value": ")\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 2,
            "id": 10910
          },
          {
            "timestamp": "2026-05-28 22:01:58,318",
            "thread_id": "1276",
            "caller": "0x7ff6c28ba673",
            "parentcaller": "0x7ff6c28ba5a8",
            "category": "filesystem",
            "api": "NtReadFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000818"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\SystemApps\\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\\Assets\\SquareLogo44x44.scale-100.png"
              },
              {
                "name": "Buffer",
                "value": "\\x00\\x00\\xb1\\x8f\\x0b\\xfca\\x05"
              },
              {
                "name": "Length",
                "value": "8"
              }
            ],
            "repeated": 0,
            "id": 10911
          },
          {
            "timestamp": "2026-05-28 22:01:58,318",
            "thread_id": "1276",
            "caller": "0x7ff6c28ba673",
            "parentcaller": "0x7ff6c28ba5a8",
            "category": "filesystem",
            "api": "NtSetInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000818"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\SystemApps\\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\\Assets\\SquareLogo44x44.scale-100.png"
              },
              {
                "name": "FileInformationClass",
                "value": "14",
                "pretty_value": "FilePositionInformation"
              },
              {
                "name": "FileInformation",
                "value": "1\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 2,
            "id": 10912
          },
          {
            "timestamp": "2026-05-28 22:01:58,318",
            "thread_id": "1276",
            "caller": "0x7ff6c28ba673",
            "parentcaller": "0x7ff6c28ba5a8",
            "category": "filesystem",
            "api": "NtReadFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000818"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\SystemApps\\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\\Assets\\SquareLogo44x44.scale-100.png"
              },
              {
                "name": "Buffer",
                "value": "\\x00\\x00\\x00\tpHYs"
              },
              {
                "name": "Length",
                "value": "8"
              }
            ],
            "repeated": 0,
            "id": 10913
          },
          {
            "timestamp": "2026-05-28 22:01:58,318",
            "thread_id": "1276",
            "caller": "0x7ff6c28ba673",
            "parentcaller": "0x7ff6c28ba5a8",
            "category": "filesystem",
            "api": "NtSetInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000818"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\SystemApps\\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\\Assets\\SquareLogo44x44.scale-100.png"
              },
              {
                "name": "FileInformationClass",
                "value": "14",
                "pretty_value": "FilePositionInformation"
              },
              {
                "name": "FileInformation",
                "value": "9\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 2,
            "id": 10914
          },
          {
            "timestamp": "2026-05-28 22:01:58,318",
            "thread_id": "1276",
            "caller": "0x7ff6c28ba673",
            "parentcaller": "0x7ff6c28ba5a8",
            "category": "filesystem",
            "api": "NtReadFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000818"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\SystemApps\\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\\Assets\\SquareLogo44x44.scale-100.png"
              },
              {
                "name": "Buffer",
                "value": "\\x00\\x00\\x0e\\xc3\\x00\\x00\\x0e\\xc3\\x01\\xc7o\\xa8d"
              },
              {
                "name": "Length",
                "value": "13"
              }
            ],
            "repeated": 0,
            "id": 10915
          },
          {
            "timestamp": "2026-05-28 22:01:58,318",
            "thread_id": "1276",
            "caller": "0x7ff6c28ba673",
            "parentcaller": "0x7ff6c28ba5a8",
            "category": "filesystem",
            "api": "NtSetInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000818"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\SystemApps\\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\\Assets\\SquareLogo44x44.scale-100.png"
              },
              {
                "name": "FileInformationClass",
                "value": "14",
                "pretty_value": "FilePositionInformation"
              },
              {
                "name": "FileInformation",
                "value": "F\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 2,
            "id": 10916
          },
          {
            "timestamp": "2026-05-28 22:01:58,318",
            "thread_id": "1276",
            "caller": "0x7ff6c28ba673",
            "parentcaller": "0x7ff6c28ba5a8",
            "category": "filesystem",
            "api": "NtReadFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000818"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\SystemApps\\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\\Assets\\SquareLogo44x44.scale-100.png"
              },
              {
                "name": "Buffer",
                "value": "\\x00\\x00\\x01\\x1fIDAT"
              },
              {
                "name": "Length",
                "value": "8"
              }
            ],
            "repeated": 0,
            "id": 10917
          },
          {
            "timestamp": "2026-05-28 22:01:58,318",
            "thread_id": "1276",
            "caller": "0x7ff6c28ba143",
            "parentcaller": "0x7ff6c28ba006",
            "category": "filesystem",
            "api": "NtSetInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000818"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\SystemApps\\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\\Assets\\SquareLogo44x44.scale-100.png"
              },
              {
                "name": "FileInformationClass",
                "value": "14",
                "pretty_value": "FilePositionInformation"
              },
              {
                "name": "FileInformation",
                "value": "F\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 2,
            "id": 10918
          },
          {
            "timestamp": "2026-05-28 22:01:58,318",
            "thread_id": "1276",
            "caller": "0x7ff6c28ba143",
            "parentcaller": "0x7ff6c28ba006",
            "category": "filesystem",
            "api": "NtReadFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000818"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\SystemApps\\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\\Assets\\SquareLogo44x44.scale-100.png"
              },
              {
                "name": "Buffer",
                "value": "\\x00\\x00\\x01\\x1fIDAT"
              },
              {
                "name": "Length",
                "value": "8"
              }
            ],
            "repeated": 0,
            "id": 10919
          },
          {
            "timestamp": "2026-05-28 22:01:58,318",
            "thread_id": "1276",
            "caller": "0x7ff6c28ba143",
            "parentcaller": "0x7ff6c28ba006",
            "category": "filesystem",
            "api": "NtSetInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000818"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\SystemApps\\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\\Assets\\SquareLogo44x44.scale-100.png"
              },
              {
                "name": "FileInformationClass",
                "value": "14",
                "pretty_value": "FilePositionInformation"
              },
              {
                "name": "FileInformation",
                "value": "F\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 2,
            "id": 10920
          },
          {
            "timestamp": "2026-05-28 22:01:58,318",
            "thread_id": "1276",
            "caller": "0x7ff6c28ba143",
            "parentcaller": "0x7ff6c28ba006",
            "category": "filesystem",
            "api": "NtReadFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000818"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\SystemApps\\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\\Assets\\SquareLogo44x44.scale-100.png"
              },
              {
                "name": "Buffer",
                "value": "\\x00\\x00\\x01\\x1fIDATXG\\xed\\x96\\x0b\r\\xc2@\\x10D+\\xa0\\x060P\\x03\\xf8@\\x01\\x0ep\\x80\\x05,\\xa0\\xa1&p\\x81\\x98\\x96\\x99\\xcd\\x1c\\xa1\r\\x04r\\xedBH\\xe6%\\x9b\\xfd\\ovs\\Z\\x1ac\\x8c1\\xc6\\x98o0\\x0c\\xc3f\\x1c\\xc7m\\x96A\\xbfS\\xabe@\\xac\\x85\\xd8\\x05>\\x1d\\xf4\\xb9\\xf2`\\xd4\\xba\\x0e\\x08\\xec\\x1f\\xc4\\xfaD\\x8bC\\x81?\\xa8u\\x1d\\x14XE\\xe8\rh\\xc1\\xab\\xc1>\\xbdJu\\xcc\\x07\\x86\\xdf1\\x86\\xc5O\\xa7\\xb8\\xacm\\x94\\xef\\x98s\\x08\\xe6\\xf4Z\\x7f\\xb9\\x97\\xcf\\xa8\\xcf\\xea\\x03\\xf7\\xccA\\x0c\\xa1xT<i\\xbado5O\\x9a\\xfe\\xd7\tg\\x9160\\xfc\\x91\\xa2\\xc5T\\xeb\\x94\\x1f\\x95\\xf3$\\x99\\xc7I\\xb3\\xae<\\xde\\xb5\\x8a\\xef\\xc6Z\\xe6\\xc0\\xe5\\x1e\\x06\\xac\\xc1U\\xdd\\xdd\\x82ji\\x03w\\x12\\x0fc\r\\xbee\\xcc5=\\x13_Ez\\xe5eO\\xcb\\\\xf1\\\\x83\\xf1\\xfa\\x03g\\x9160\\x05\\x99\\x17X\\x83\\x8bf\\x1f\\xf0\\x93+\\xf1_\\x03g\\x911\\xf0I\\xa2)"
              },
              {
                "name": "Length",
                "value": "307"
              }
            ],
            "repeated": 0,
            "id": 10921
          },
          {
            "timestamp": "2026-05-28 22:01:58,318",
            "thread_id": "1496",
            "caller": "0x7ff6c28d33af",
            "parentcaller": "0x7ff6c290f627",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00000042"
              },
              {
                "name": "uiParam",
                "value": "0x00000010"
              }
            ],
            "repeated": 0,
            "id": 10922
          },
          {
            "timestamp": "2026-05-28 22:01:58,318",
            "thread_id": "1276",
            "caller": "0x7ff6c28b3747",
            "parentcaller": "0x7ff6c28ba5eb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000818"
              }
            ],
            "repeated": 0,
            "id": 10923
          },
          {
            "timestamp": "2026-05-28 22:01:58,318",
            "thread_id": "1276",
            "caller": "0x7ff6c28ba417",
            "parentcaller": "0x7ff6c28ba33d",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\RuntimeBroker.exe"
              }
            ],
            "repeated": 0,
            "id": 10924
          },
          {
            "timestamp": "2026-05-28 22:01:58,318",
            "thread_id": "1276",
            "caller": "0x7ff6c28ba417",
            "parentcaller": "0x7ff6c28ba33d",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000818"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\RuntimeBroker.exe"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "1",
                "pretty_value": "FILE_SHARE_READ"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 10925
          },
          {
            "timestamp": "2026-05-28 22:01:58,318",
            "thread_id": "1276",
            "caller": "0x7ff6c28ba417",
            "parentcaller": "0x7ff6c28ba33d",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x0000080c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000818"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\RuntimeBroker.exe"
              }
            ],
            "repeated": 0,
            "id": 10926
          },
          {
            "timestamp": "2026-05-28 22:01:58,318",
            "thread_id": "1276",
            "caller": "0x7ff6c28ba417",
            "parentcaller": "0x7ff6c28ba33d",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x0000080c"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254bf0000"
              },
              {
                "name": "SectionOffset",
                "value": "0xf09e17ed00"
              },
              {
                "name": "ViewSize",
                "value": "0x0001a000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 10927
          },
          {
            "timestamp": "2026-05-28 22:01:58,318",
            "thread_id": "1496",
            "caller": "0x7ff6c28d33af",
            "parentcaller": "0x7ff6c290f627",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00000042"
              },
              {
                "name": "uiParam",
                "value": "0x00000010"
              }
            ],
            "repeated": 0,
            "id": 10928
          },
          {
            "timestamp": "2026-05-28 22:01:58,318",
            "thread_id": "1276",
            "caller": "0x7ff6c28ba417",
            "parentcaller": "0x7ff6c28ba33d",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000818"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\System32\\RuntimeBroker.exe"
              },
              {
                "name": "FileInformationClass",
                "value": "5",
                "pretty_value": "FileStandardInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\x00\\xa0\\x01\\x00\\x00\\x00\\x00\\x00\\xa0\\x97\\x01\\x00\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 10929
          },
          {
            "timestamp": "2026-05-28 22:01:58,318",
            "thread_id": "1276",
            "caller": "0x7ff6c28ba417",
            "parentcaller": "0x7ff6c28ba33d",
            "category": "process",
            "api": "NtUnmapViewOfSectionEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254bf0000"
              },
              {
                "name": "RegionSize",
                "value": "0x0001a000"
              },
              {
                "name": "Flags",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 10930
          },
          {
            "timestamp": "2026-05-28 22:01:58,318",
            "thread_id": "1276",
            "caller": "0x7ff6c28ba417",
            "parentcaller": "0x7ff6c28ba33d",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000080c"
              }
            ],
            "repeated": 0,
            "id": 10931
          },
          {
            "timestamp": "2026-05-28 22:01:58,318",
            "thread_id": "1276",
            "caller": "0x7ff6c28ba417",
            "parentcaller": "0x7ff6c28ba33d",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000818"
              }
            ],
            "repeated": 0,
            "id": 10932
          },
          {
            "timestamp": "2026-05-28 22:01:58,318",
            "thread_id": "1276",
            "caller": "0x7ff6c28ba46d",
            "parentcaller": "0x7ff6c28ba33d",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\RuntimeBroker.exe"
              }
            ],
            "repeated": 0,
            "id": 10933
          },
          {
            "timestamp": "2026-05-28 22:01:58,318",
            "thread_id": "1276",
            "caller": "0x7ff6c28ba46d",
            "parentcaller": "0x7ff6c28ba33d",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000818"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\RuntimeBroker.exe"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "1",
                "pretty_value": "FILE_SHARE_READ"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 10934
          },
          {
            "timestamp": "2026-05-28 22:01:58,318",
            "thread_id": "1276",
            "caller": "0x7ff6c28ba46d",
            "parentcaller": "0x7ff6c28ba33d",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x0000080c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000818"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\RuntimeBroker.exe"
              }
            ],
            "repeated": 0,
            "id": 10935
          },
          {
            "timestamp": "2026-05-28 22:01:58,318",
            "thread_id": "1276",
            "caller": "0x7ff6c28ba46d",
            "parentcaller": "0x7ff6c28ba33d",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x0000080c"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254bf0000"
              },
              {
                "name": "SectionOffset",
                "value": "0xf09e17ed00"
              },
              {
                "name": "ViewSize",
                "value": "0x0001a000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 10936
          },
          {
            "timestamp": "2026-05-28 22:01:58,318",
            "thread_id": "1276",
            "caller": "0x7ff6c28ba46d",
            "parentcaller": "0x7ff6c28ba33d",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000818"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\System32\\RuntimeBroker.exe"
              },
              {
                "name": "FileInformationClass",
                "value": "5",
                "pretty_value": "FileStandardInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\x00\\xa0\\x01\\x00\\x00\\x00\\x00\\x00\\xa0\\x97\\x01\\x00\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 10937
          },
          {
            "timestamp": "2026-05-28 22:01:58,318",
            "thread_id": "1276",
            "caller": "0x7ff6c28ba46d",
            "parentcaller": "0x7ff6c28ba33d",
            "category": "process",
            "api": "NtUnmapViewOfSectionEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254bf0000"
              },
              {
                "name": "RegionSize",
                "value": "0x0001a000"
              },
              {
                "name": "Flags",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 10938
          },
          {
            "timestamp": "2026-05-28 22:01:58,318",
            "thread_id": "1276",
            "caller": "0x7ff6c28ba46d",
            "parentcaller": "0x7ff6c28ba33d",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000080c"
              }
            ],
            "repeated": 0,
            "id": 10939
          },
          {
            "timestamp": "2026-05-28 22:01:58,318",
            "thread_id": "1276",
            "caller": "0x7ff6c28ba46d",
            "parentcaller": "0x7ff6c28ba33d",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000818"
              }
            ],
            "repeated": 0,
            "id": 10940
          },
          {
            "timestamp": "2026-05-28 22:01:58,318",
            "thread_id": "1276",
            "caller": "0x7ff6c28ba589",
            "parentcaller": "0x7ff6c28ba4a3",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "317D06E8-5F24-433D-BDF7-79CE68D8ABC2"
              },
              {
                "name": "ClsContext",
                "value": "0x00000001",
                "pretty_value": "CLSCTX_INPROC_SERVER"
              },
              {
                "name": "riid",
                "value": "EC5EC8A9-C395-4314-9C77-54D7A935FF70"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 10941
          },
          {
            "timestamp": "2026-05-28 22:01:58,318",
            "thread_id": "1276",
            "caller": "0x7ff6c28ba673",
            "parentcaller": "0x7ff6c28ba5a8",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000818"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\RuntimeBroker.exe"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "1",
                "pretty_value": "FILE_SHARE_READ"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000080",
                "pretty_value": "FILE_ATTRIBUTE_NORMAL"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 10942
          },
          {
            "timestamp": "2026-05-28 22:01:58,318",
            "thread_id": "1276",
            "caller": "0x7ff6c28ba673",
            "parentcaller": "0x7ff6c28ba5a8",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000818"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\System32\\RuntimeBroker.exe"
              },
              {
                "name": "FileInformationClass",
                "value": "18",
                "pretty_value": "FileAllInformation"
              },
              {
                "name": "FileInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 10943
          },
          {
            "timestamp": "2026-05-28 22:01:58,318",
            "thread_id": "1276",
            "caller": "0x7ff6c28ba673",
            "parentcaller": "0x7ff6c28ba5a8",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000818"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\System32\\RuntimeBroker.exe"
              },
              {
                "name": "FileInformationClass",
                "value": "14",
                "pretty_value": "FilePositionInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 3,
            "id": 10944
          },
          {
            "timestamp": "2026-05-28 22:01:58,318",
            "thread_id": "1276",
            "caller": "0x7ff6c28ba673",
            "parentcaller": "0x7ff6c28ba5a8",
            "category": "filesystem",
            "api": "NtReadFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000818"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\System32\\RuntimeBroker.exe"
              },
              {
                "name": "Buffer",
                "value": "MZ\\x90\\x00\\x03\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\xff\\xff\\x00\\x00"
              },
              {
                "name": "Length",
                "value": "16"
              }
            ],
            "repeated": 0,
            "id": 10945
          },
          {
            "timestamp": "2026-05-28 22:01:58,318",
            "thread_id": "1276",
            "caller": "0x7ff6c28ba673",
            "parentcaller": "0x7ff6c28ba5a8",
            "category": "filesystem",
            "api": "NtSetInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000818"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\System32\\RuntimeBroker.exe"
              },
              {
                "name": "FileInformationClass",
                "value": "14",
                "pretty_value": "FilePositionInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 3,
            "id": 10946
          },
          {
            "timestamp": "2026-05-28 22:01:58,318",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4692",
            "parentcaller": "0x7ff6c28d4b9b",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00000068"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 10947
          },
          {
            "timestamp": "2026-05-28 22:01:58,318",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4692",
            "parentcaller": "0x7ff6c28d4b9b",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x0000006c"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 10948
          },
          {
            "timestamp": "2026-05-28 22:01:58,318",
            "thread_id": "1276",
            "caller": "0x7ff6c28ba673",
            "parentcaller": "0x7ff6c28ba5a8",
            "category": "filesystem",
            "api": "NtSetInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000818"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\System32\\RuntimeBroker.exe"
              },
              {
                "name": "FileInformationClass",
                "value": "14",
                "pretty_value": "FilePositionInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 10949
          },
          {
            "timestamp": "2026-05-28 22:01:58,318",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4692",
            "parentcaller": "0x7ff6c28d4b9b",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00000026"
              },
              {
                "name": "uiParam",
                "value": "0x00000004"
              }
            ],
            "repeated": 0,
            "id": 10950
          },
          {
            "timestamp": "2026-05-28 22:01:58,318",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4692",
            "parentcaller": "0x7ff6c28d4b9b",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x0000103e"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 10951
          },
          {
            "timestamp": "2026-05-28 22:01:58,318",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4692",
            "parentcaller": "0x7ff6c28d4b9b",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00001042"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 10952
          },
          {
            "timestamp": "2026-05-28 22:01:58,318",
            "thread_id": "1276",
            "caller": "0x7ff6c28ba673",
            "parentcaller": "0x7ff6c28ba5a8",
            "category": "filesystem",
            "api": "NtSetInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000818"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\System32\\RuntimeBroker.exe"
              },
              {
                "name": "FileInformationClass",
                "value": "14",
                "pretty_value": "FilePositionInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 10953
          },
          {
            "timestamp": "2026-05-28 22:01:58,318",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4692",
            "parentcaller": "0x7ff6c28d4b9b",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x0000001b"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 10954
          },
          {
            "timestamp": "2026-05-28 22:01:58,318",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4692",
            "parentcaller": "0x7ff6c28d4b9b",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc6204a000"
              },
              {
                "name": "ModuleName",
                "value": "COMCTL32.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 10955
          },
          {
            "timestamp": "2026-05-28 22:01:58,318",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4692",
            "parentcaller": "0x7ff6c28d4b9b",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc6204a000"
              },
              {
                "name": "ModuleName",
                "value": "COMCTL32.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 10956
          },
          {
            "timestamp": "2026-05-28 22:01:58,318",
            "thread_id": "1276",
            "caller": "0x7ff6c28ba673",
            "parentcaller": "0x7ff6c28ba5a8",
            "category": "filesystem",
            "api": "NtSetInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000818"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\System32\\RuntimeBroker.exe"
              },
              {
                "name": "FileInformationClass",
                "value": "14",
                "pretty_value": "FilePositionInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 10957
          },
          {
            "timestamp": "2026-05-28 22:01:58,318",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4692",
            "parentcaller": "0x7ff6c28d4b9b",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer"
              },
              {
                "name": "Handle",
                "value": "0x00000640"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer"
              }
            ],
            "repeated": 0,
            "id": 10958
          },
          {
            "timestamp": "2026-05-28 22:01:58,318",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4692",
            "parentcaller": "0x7ff6c28d4b9b",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000640"
              },
              {
                "name": "ValueName",
                "value": "TurnOffSPIAnimations"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\TurnOffSPIAnimations"
              }
            ],
            "repeated": 0,
            "id": 10959
          },
          {
            "timestamp": "2026-05-28 22:01:58,318",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4692",
            "parentcaller": "0x7ff6c28d4b9b",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000640"
              }
            ],
            "repeated": 0,
            "id": 10960
          },
          {
            "timestamp": "2026-05-28 22:01:58,318",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4692",
            "parentcaller": "0x7ff6c28d4b9b",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000001",
                "pretty_value": "HKEY_CURRENT_USER"
              },
              {
                "name": "SubKey",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer"
              }
            ],
            "repeated": 0,
            "id": 10961
          },
          {
            "timestamp": "2026-05-28 22:01:58,318",
            "thread_id": "1276",
            "caller": "0x7ff6c28ba673",
            "parentcaller": "0x7ff6c28ba5a8",
            "category": "filesystem",
            "api": "NtSetInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000818"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\System32\\RuntimeBroker.exe"
              },
              {
                "name": "FileInformationClass",
                "value": "14",
                "pretty_value": "FilePositionInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 5,
            "id": 10962
          },
          {
            "timestamp": "2026-05-28 22:01:58,318",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4692",
            "parentcaller": "0x7ff6c28d4b9b",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00000042"
              },
              {
                "name": "uiParam",
                "value": "0x00000010"
              }
            ],
            "repeated": 0,
            "id": 10963
          },
          {
            "timestamp": "2026-05-28 22:01:58,318",
            "thread_id": "1276",
            "caller": "0x7ff6c28ba673",
            "parentcaller": "0x7ff6c28ba5a8",
            "category": "filesystem",
            "api": "NtSetInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000818"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\System32\\RuntimeBroker.exe"
              },
              {
                "name": "FileInformationClass",
                "value": "14",
                "pretty_value": "FilePositionInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 10964
          },
          {
            "timestamp": "2026-05-28 22:01:58,318",
            "thread_id": "1276",
            "caller": "0x7ff6c28ba673",
            "parentcaller": "0x7ff6c28ba5a8",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000818"
              }
            ],
            "repeated": 0,
            "id": 10965
          },
          {
            "timestamp": "2026-05-28 22:01:58,318",
            "thread_id": "1276",
            "caller": "0x7ff6c28ba417",
            "parentcaller": "0x7ff6c28ba33d",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\SystemApps\\Microsoft.Windows.Search_cw5n1h2txyewy\\Assets\\Icons\\AppListIcon.scale-100.png"
              }
            ],
            "repeated": 0,
            "id": 10966
          },
          {
            "timestamp": "2026-05-28 22:01:58,318",
            "thread_id": "1276",
            "caller": "0x7ff6c28ba417",
            "parentcaller": "0x7ff6c28ba33d",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000818"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\SystemApps\\Microsoft.Windows.Search_cw5n1h2txyewy\\Assets\\Icons\\AppListIcon.scale-100.png"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "1",
                "pretty_value": "FILE_SHARE_READ"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 10967
          },
          {
            "timestamp": "2026-05-28 22:01:58,318",
            "thread_id": "1276",
            "caller": "0x7ff6c28ba417",
            "parentcaller": "0x7ff6c28ba33d",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x0000080c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000818"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\SystemApps\\Microsoft.Windows.Search_cw5n1h2txyewy\\Assets\\Icons\\AppListIcon.scale-100.png"
              }
            ],
            "repeated": 0,
            "id": 10968
          },
          {
            "timestamp": "2026-05-28 22:01:58,318",
            "thread_id": "1276",
            "caller": "0x7ff6c28ba417",
            "parentcaller": "0x7ff6c28ba33d",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x0000080c"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254bf0000"
              },
              {
                "name": "SectionOffset",
                "value": "0xf09e17ed00"
              },
              {
                "name": "ViewSize",
                "value": "0x00001000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 10969
          },
          {
            "timestamp": "2026-05-28 22:01:58,318",
            "thread_id": "1276",
            "caller": "0x7ff6c28ba417",
            "parentcaller": "0x7ff6c28ba33d",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000818"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\SystemApps\\Microsoft.Windows.Search_cw5n1h2txyewy\\Assets\\Icons\\AppListIcon.scale-100.png"
              },
              {
                "name": "FileInformationClass",
                "value": "5",
                "pretty_value": "FileStandardInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\xd3\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 10970
          },
          {
            "timestamp": "2026-05-28 22:01:58,318",
            "thread_id": "1276",
            "caller": "0x7ff6c28ba417",
            "parentcaller": "0x7ff6c28ba33d",
            "category": "process",
            "api": "NtUnmapViewOfSectionEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254bf0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Flags",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 10971
          },
          {
            "timestamp": "2026-05-28 22:01:58,318",
            "thread_id": "1276",
            "caller": "0x7ff6c28ba417",
            "parentcaller": "0x7ff6c28ba33d",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000080c"
              }
            ],
            "repeated": 0,
            "id": 10972
          },
          {
            "timestamp": "2026-05-28 22:01:58,318",
            "thread_id": "1276",
            "caller": "0x7ff6c28ba417",
            "parentcaller": "0x7ff6c28ba33d",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000818"
              }
            ],
            "repeated": 0,
            "id": 10973
          },
          {
            "timestamp": "2026-05-28 22:01:58,318",
            "thread_id": "1276",
            "caller": "0x7ff6c28ba46d",
            "parentcaller": "0x7ff6c28ba33d",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\SystemApps\\Microsoft.Windows.Search_cw5n1h2txyewy\\Assets\\Icons\\AppListIcon.scale-100.png"
              }
            ],
            "repeated": 0,
            "id": 10974
          },
          {
            "timestamp": "2026-05-28 22:01:58,318",
            "thread_id": "1276",
            "caller": "0x7ff6c28ba46d",
            "parentcaller": "0x7ff6c28ba33d",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000818"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\SystemApps\\Microsoft.Windows.Search_cw5n1h2txyewy\\Assets\\Icons\\AppListIcon.scale-100.png"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "1",
                "pretty_value": "FILE_SHARE_READ"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 10975
          },
          {
            "timestamp": "2026-05-28 22:01:58,318",
            "thread_id": "1276",
            "caller": "0x7ff6c28ba46d",
            "parentcaller": "0x7ff6c28ba33d",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x0000080c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000818"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\SystemApps\\Microsoft.Windows.Search_cw5n1h2txyewy\\Assets\\Icons\\AppListIcon.scale-100.png"
              }
            ],
            "repeated": 0,
            "id": 10976
          },
          {
            "timestamp": "2026-05-28 22:01:58,318",
            "thread_id": "1276",
            "caller": "0x7ff6c28ba46d",
            "parentcaller": "0x7ff6c28ba33d",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x0000080c"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254bf0000"
              },
              {
                "name": "SectionOffset",
                "value": "0xf09e17ed00"
              },
              {
                "name": "ViewSize",
                "value": "0x00001000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 10977
          },
          {
            "timestamp": "2026-05-28 22:01:58,318",
            "thread_id": "1276",
            "caller": "0x7ff6c28ba46d",
            "parentcaller": "0x7ff6c28ba33d",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000818"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\SystemApps\\Microsoft.Windows.Search_cw5n1h2txyewy\\Assets\\Icons\\AppListIcon.scale-100.png"
              },
              {
                "name": "FileInformationClass",
                "value": "5",
                "pretty_value": "FileStandardInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\xd3\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 10978
          },
          {
            "timestamp": "2026-05-28 22:01:58,318",
            "thread_id": "1276",
            "caller": "0x7ff6c28ba46d",
            "parentcaller": "0x7ff6c28ba33d",
            "category": "process",
            "api": "NtUnmapViewOfSectionEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254bf0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Flags",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 10979
          },
          {
            "timestamp": "2026-05-28 22:01:58,318",
            "thread_id": "1276",
            "caller": "0x7ff6c28ba46d",
            "parentcaller": "0x7ff6c28ba33d",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000080c"
              }
            ],
            "repeated": 0,
            "id": 10980
          },
          {
            "timestamp": "2026-05-28 22:01:58,318",
            "thread_id": "1276",
            "caller": "0x7ff6c28ba46d",
            "parentcaller": "0x7ff6c28ba33d",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000818"
              }
            ],
            "repeated": 0,
            "id": 10981
          },
          {
            "timestamp": "2026-05-28 22:01:58,318",
            "thread_id": "1276",
            "caller": "0x7ff6c28ba589",
            "parentcaller": "0x7ff6c28ba4a3",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "317D06E8-5F24-433D-BDF7-79CE68D8ABC2"
              },
              {
                "name": "ClsContext",
                "value": "0x00000001",
                "pretty_value": "CLSCTX_INPROC_SERVER"
              },
              {
                "name": "riid",
                "value": "EC5EC8A9-C395-4314-9C77-54D7A935FF70"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 10982
          },
          {
            "timestamp": "2026-05-28 22:01:58,318",
            "thread_id": "1276",
            "caller": "0x7ff6c28ba673",
            "parentcaller": "0x7ff6c28ba5a8",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000818"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\SystemApps\\Microsoft.Windows.Search_cw5n1h2txyewy\\Assets\\Icons\\AppListIcon.scale-100.png"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "1",
                "pretty_value": "FILE_SHARE_READ"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000080",
                "pretty_value": "FILE_ATTRIBUTE_NORMAL"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 10983
          },
          {
            "timestamp": "2026-05-28 22:01:58,318",
            "thread_id": "1276",
            "caller": "0x7ff6c28ba673",
            "parentcaller": "0x7ff6c28ba5a8",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000818"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\SystemApps\\Microsoft.Windows.Search_cw5n1h2txyewy\\Assets\\Icons\\AppListIcon.scale-100.png"
              },
              {
                "name": "FileInformationClass",
                "value": "18",
                "pretty_value": "FileAllInformation"
              },
              {
                "name": "FileInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 10984
          },
          {
            "timestamp": "2026-05-28 22:01:58,318",
            "thread_id": "1276",
            "caller": "0x7ff6c28ba673",
            "parentcaller": "0x7ff6c28ba5a8",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000818"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\SystemApps\\Microsoft.Windows.Search_cw5n1h2txyewy\\Assets\\Icons\\AppListIcon.scale-100.png"
              },
              {
                "name": "FileInformationClass",
                "value": "14",
                "pretty_value": "FilePositionInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 3,
            "id": 10985
          },
          {
            "timestamp": "2026-05-28 22:01:58,318",
            "thread_id": "1276",
            "caller": "0x7ff6c28ba673",
            "parentcaller": "0x7ff6c28ba5a8",
            "category": "filesystem",
            "api": "NtReadFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000818"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\SystemApps\\Microsoft.Windows.Search_cw5n1h2txyewy\\Assets\\Icons\\AppListIcon.scale-100.png"
              },
              {
                "name": "Buffer",
                "value": "\\x89PNG\r\n\\x1a\n\\x00\\x00\\x00\rIHDR"
              },
              {
                "name": "Length",
                "value": "16"
              }
            ],
            "repeated": 0,
            "id": 10986
          },
          {
            "timestamp": "2026-05-28 22:01:58,318",
            "thread_id": "1276",
            "caller": "0x7ff6c28ba673",
            "parentcaller": "0x7ff6c28ba5a8",
            "category": "filesystem",
            "api": "NtSetInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000818"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\SystemApps\\Microsoft.Windows.Search_cw5n1h2txyewy\\Assets\\Icons\\AppListIcon.scale-100.png"
              },
              {
                "name": "FileInformationClass",
                "value": "14",
                "pretty_value": "FilePositionInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 12,
            "id": 10987
          },
          {
            "timestamp": "2026-05-28 22:01:58,334",
            "thread_id": "1496",
            "caller": "0x7ff6c28b305b",
            "parentcaller": "0x7ff6c28d4826",
            "category": "threading",
            "api": "NtCreateThreadEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0x0000082c"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "StartAddress",
                "value": "0x7ff6c28de0d0"
              },
              {
                "name": "Parameter",
                "value": "0x2924e274d80"
              },
              {
                "name": "CreateFlags",
                "value": "0x00000001"
              },
              {
                "name": "ThreadId",
                "value": "8588"
              },
              {
                "name": "ProcessId",
                "value": "7912"
              },
              {
                "name": "Module",
                "value": "taskmgr.exe"
              }
            ],
            "repeated": 0,
            "id": 10988
          },
          {
            "timestamp": "2026-05-28 22:01:58,334",
            "thread_id": "1496",
            "caller": "0x7ff6c28b305b",
            "parentcaller": "0x7ff6c28d4826",
            "category": "threading",
            "api": "CreateRemoteThreadEx",
            "status": true,
            "return": "0x0000082c",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "StartRoutine",
                "value": "0x7ff6c28de0d0"
              },
              {
                "name": "Parameter",
                "value": "0x2924e274d80"
              },
              {
                "name": "CreationFlags",
                "value": "0x00000000"
              },
              {
                "name": "ThreadId",
                "value": "8588"
              },
              {
                "name": "ProcessId",
                "value": "7912"
              }
            ],
            "repeated": 0,
            "id": 10989
          },
          {
            "timestamp": "2026-05-28 22:01:58,334",
            "thread_id": "1496",
            "caller": "0x7ff6c28b305b",
            "parentcaller": "0x7ff6c28d485f",
            "category": "threading",
            "api": "NtCreateThreadEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0x00000840"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "StartAddress",
                "value": "0x7ff6c28de0d0"
              },
              {
                "name": "Parameter",
                "value": "0x2924e270540"
              },
              {
                "name": "CreateFlags",
                "value": "0x00000001"
              },
              {
                "name": "ThreadId",
                "value": "8592"
              },
              {
                "name": "ProcessId",
                "value": "7912"
              },
              {
                "name": "Module",
                "value": "taskmgr.exe"
              }
            ],
            "repeated": 0,
            "id": 10990
          },
          {
            "timestamp": "2026-05-28 22:01:58,334",
            "thread_id": "1496",
            "caller": "0x7ff6c28b305b",
            "parentcaller": "0x7ff6c28d485f",
            "category": "threading",
            "api": "CreateRemoteThreadEx",
            "status": true,
            "return": "0x00000840",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "StartRoutine",
                "value": "0x7ff6c28de0d0"
              },
              {
                "name": "Parameter",
                "value": "0x2924e270540"
              },
              {
                "name": "CreationFlags",
                "value": "0x00000000"
              },
              {
                "name": "ThreadId",
                "value": "8592"
              },
              {
                "name": "ProcessId",
                "value": "7912"
              }
            ],
            "repeated": 0,
            "id": 10991
          },
          {
            "timestamp": "2026-05-28 22:01:58,334",
            "thread_id": "1496",
            "caller": "0x7ff6c28b305b",
            "parentcaller": "0x7ff6c28d48b1",
            "category": "threading",
            "api": "NtCreateThreadEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0x00000854"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "StartAddress",
                "value": "0x7ff6c28de0d0"
              },
              {
                "name": "Parameter",
                "value": "0x2924e2825e0"
              },
              {
                "name": "CreateFlags",
                "value": "0x00000001"
              },
              {
                "name": "ThreadId",
                "value": "8596"
              },
              {
                "name": "ProcessId",
                "value": "7912"
              },
              {
                "name": "Module",
                "value": "taskmgr.exe"
              }
            ],
            "repeated": 0,
            "id": 10992
          },
          {
            "timestamp": "2026-05-28 22:01:58,334",
            "thread_id": "1496",
            "caller": "0x7ff6c28b305b",
            "parentcaller": "0x7ff6c28d48b1",
            "category": "threading",
            "api": "CreateRemoteThreadEx",
            "status": true,
            "return": "0x00000854",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "StartRoutine",
                "value": "0x7ff6c28de0d0"
              },
              {
                "name": "Parameter",
                "value": "0x2924e2825e0"
              },
              {
                "name": "CreationFlags",
                "value": "0x00000000"
              },
              {
                "name": "ThreadId",
                "value": "8596"
              },
              {
                "name": "ProcessId",
                "value": "7912"
              }
            ],
            "repeated": 0,
            "id": 10993
          },
          {
            "timestamp": "2026-05-28 22:01:58,334",
            "thread_id": "1496",
            "caller": "0x7ff6c28d48d5",
            "parentcaller": "0x7ff6c28d46c2",
            "category": "threading",
            "api": "NtCreateThreadEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0x0000085c"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "StartAddress",
                "value": "0x7ff6c28ded40"
              },
              {
                "name": "Parameter",
                "value": "0x2924e26cb30"
              },
              {
                "name": "CreateFlags",
                "value": "0x00000001"
              },
              {
                "name": "ThreadId",
                "value": "8600"
              },
              {
                "name": "ProcessId",
                "value": "7912"
              },
              {
                "name": "Module",
                "value": "taskmgr.exe"
              }
            ],
            "repeated": 0,
            "id": 10994
          },
          {
            "timestamp": "2026-05-28 22:01:58,334",
            "thread_id": "1496",
            "caller": "0x7ff6c28d48d5",
            "parentcaller": "0x7ff6c28d46c2",
            "category": "threading",
            "api": "CreateRemoteThreadEx",
            "status": true,
            "return": "0x0000085c",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "StartRoutine",
                "value": "0x7ff6c28ded40"
              },
              {
                "name": "Parameter",
                "value": "0x2924e26cb30"
              },
              {
                "name": "CreationFlags",
                "value": "0x00000000"
              },
              {
                "name": "ThreadId",
                "value": "8600"
              },
              {
                "name": "ProcessId",
                "value": "7912"
              }
            ],
            "repeated": 0,
            "id": 10995
          },
          {
            "timestamp": "2026-05-28 22:01:58,334",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4916",
            "parentcaller": "0x7ff6c28d46c2",
            "category": "threading",
            "api": "NtCreateThreadEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0x00000864"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "StartAddress",
                "value": "0x7ff6c28d8ef0"
              },
              {
                "name": "Parameter",
                "value": "0x2924e26cb30"
              },
              {
                "name": "CreateFlags",
                "value": "0x00000001"
              },
              {
                "name": "ThreadId",
                "value": "8604"
              },
              {
                "name": "ProcessId",
                "value": "7912"
              },
              {
                "name": "Module",
                "value": "taskmgr.exe"
              }
            ],
            "repeated": 0,
            "id": 10996
          },
          {
            "timestamp": "2026-05-28 22:01:58,334",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4916",
            "parentcaller": "0x7ff6c28d46c2",
            "category": "threading",
            "api": "CreateRemoteThreadEx",
            "status": true,
            "return": "0x00000864",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "StartRoutine",
                "value": "0x7ff6c28d8ef0"
              },
              {
                "name": "Parameter",
                "value": "0x2924e26cb30"
              },
              {
                "name": "CreationFlags",
                "value": "0x00000000"
              },
              {
                "name": "ThreadId",
                "value": "8604"
              },
              {
                "name": "ProcessId",
                "value": "7912"
              }
            ],
            "repeated": 0,
            "id": 10997
          },
          {
            "timestamp": "2026-05-28 22:01:58,334",
            "thread_id": "1496",
            "caller": "0x7ff6c28d4bc5",
            "parentcaller": "0x7ff6c28d6ebc",
            "category": "synchronization",
            "api": "NtOpenEvent",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000001"
              },
              {
                "name": "EventName",
                "value": "5806d667-654f-4b62-a561-119fb398abd3"
              }
            ],
            "repeated": 0,
            "id": 10998
          },
          {
            "timestamp": "2026-05-28 22:01:58,334",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6ee2",
            "parentcaller": "0x7ff6c28e0076",
            "category": "misc",
            "api": "FindResourceExW",
            "status": true,
            "return": "0x2924e1b2018",
            "arguments": [
              {
                "name": "Module",
                "value": "0x7ff6c28b0000"
              },
              {
                "name": "Type",
                "value": "#9"
              },
              {
                "name": "Name",
                "value": "#26100"
              },
              {
                "name": "Language",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 10999
          },
          {
            "timestamp": "2026-05-28 22:01:58,334",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6ee2",
            "parentcaller": "0x7ff6c28e0076",
            "category": "misc",
            "api": "LoadResource",
            "status": true,
            "return": "0x2924e1be87c",
            "arguments": [
              {
                "name": "Module",
                "value": "0x7ff6c28b0000"
              },
              {
                "name": "ResourceInfo",
                "value": "0x2924e1b2018"
              }
            ],
            "repeated": 0,
            "id": 11000
          },
          {
            "timestamp": "2026-05-28 22:01:58,334",
            "thread_id": "1496",
            "caller": "0x7ff6c28d0ff5",
            "parentcaller": "0x7ff6c28d6f07",
            "category": "device",
            "api": "NtPowerInformation",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "InformationLevel",
                "value": "58"
              },
              {
                "name": "InputBuffer",
                "value": "\\x0e\\xc2\\x84+#\\xad\\xdfM\\x93\\xdb\\x05\\xff\\xbd~\\xfc\\xa5\\xff\\xff\\xff\\xff"
              },
              {
                "name": "OutputBuffer",
                "value": "E\\x89\\x93\\xa3mN\\xc6A"
              }
            ],
            "repeated": 0,
            "id": 11001
          },
          {
            "timestamp": "2026-05-28 22:01:58,334",
            "thread_id": "1496",
            "caller": "0x7ff6c28d0ff5",
            "parentcaller": "0x7ff6c28d6f07",
            "category": "device",
            "api": "NtPowerInformation",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "InformationLevel",
                "value": "58"
              },
              {
                "name": "InputBuffer",
                "value": "Y\\x9a>]\\xd5\\xe9\\x00K\\xa6\\xbd\\xff4\\xffQeH\\xff\\xff\\xff\\xff"
              },
              {
                "name": "OutputBuffer",
                "value": "E\\x81\\xbc\\xa3mN\\xc6A"
              }
            ],
            "repeated": 0,
            "id": 11002
          },
          {
            "timestamp": "2026-05-28 22:01:58,334",
            "thread_id": "1496",
            "caller": "0x7ff6c28d0ff5",
            "parentcaller": "0x7ff6c28d6f07",
            "category": "device",
            "api": "NtPowerInformation",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "InformationLevel",
                "value": "59"
              },
              {
                "name": "InputBuffer",
                "value": "Y\\x9a>]\\xd5\\xe9\\x00K\\xa6\\xbd\\xff4\\xffQeH"
              },
              {
                "name": "OutputBuffer",
                "value": "$\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 11003
          },
          {
            "timestamp": "2026-05-28 22:01:58,334",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6fb1",
            "parentcaller": "0x7ff6c28e0076",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc72ad0000"
              },
              {
                "name": "ModuleName",
                "value": "CoreMessaging.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 11004
          },
          {
            "timestamp": "2026-05-28 22:01:58,334",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6fb1",
            "parentcaller": "0x7ff6c28e0076",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "USER32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc762a0000"
              },
              {
                "name": "FunctionName",
                "value": ""
              },
              {
                "name": "Ordinal",
                "value": "2541"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc762d4230"
              }
            ],
            "repeated": 0,
            "id": 11005
          },
          {
            "timestamp": "2026-05-28 22:01:58,334",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6fb1",
            "parentcaller": "0x7ff6c28e0076",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc72ad0000"
              },
              {
                "name": "ModuleName",
                "value": "CoreMessaging.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 11006
          },
          {
            "timestamp": "2026-05-28 22:01:58,334",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6fb1",
            "parentcaller": "0x7ff6c28e0076",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc72ad0000"
              },
              {
                "name": "ModuleName",
                "value": "CoreMessaging.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 11007
          },
          {
            "timestamp": "2026-05-28 22:01:58,334",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6fb1",
            "parentcaller": "0x7ff6c28e0076",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "USER32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc762a0000"
              },
              {
                "name": "FunctionName",
                "value": "PostMessageW"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc762c1110"
              }
            ],
            "repeated": 0,
            "id": 11008
          },
          {
            "timestamp": "2026-05-28 22:01:58,334",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6fb1",
            "parentcaller": "0x7ff6c28e0076",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc72ad0000"
              },
              {
                "name": "ModuleName",
                "value": "CoreMessaging.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 11009
          },
          {
            "timestamp": "2026-05-28 22:01:58,334",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6fb1",
            "parentcaller": "0x7ff6c28e0076",
            "category": "windows",
            "api": "PostMessageW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "WindowHandle",
                "value": "0x000f03ec"
              },
              {
                "name": "Message",
                "value": "0x00000060"
              }
            ],
            "repeated": 0,
            "id": 11010
          },
          {
            "timestamp": "2026-05-28 22:01:58,334",
            "thread_id": "1496",
            "caller": "0x7ff6c28da9db",
            "parentcaller": "0x7ff6c28d6fb1",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "user32"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc762a0000"
              }
            ],
            "repeated": 0,
            "id": 11011
          },
          {
            "timestamp": "2026-05-28 22:01:58,334",
            "thread_id": "1496",
            "caller": "0x7ff6c28da9db",
            "parentcaller": "0x7ff6c28d6fb1",
            "category": "misc",
            "api": "GetCursorPos",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "x",
                "value": "587"
              },
              {
                "name": "y",
                "value": "111"
              }
            ],
            "repeated": 0,
            "id": 11012
          },
          {
            "timestamp": "2026-05-28 22:01:58,334",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6fb1",
            "parentcaller": "0x7ff6c28e0076",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc72ad0000"
              },
              {
                "name": "ModuleName",
                "value": "CoreMessaging.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 11013
          },
          {
            "timestamp": "2026-05-28 22:01:58,334",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6fb1",
            "parentcaller": "0x7ff6c28e0076",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "USER32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc762a0000"
              },
              {
                "name": "FunctionName",
                "value": ""
              },
              {
                "name": "Ordinal",
                "value": "2613"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc762c3de0"
              }
            ],
            "repeated": 0,
            "id": 11014
          },
          {
            "timestamp": "2026-05-28 22:01:58,334",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6fb1",
            "parentcaller": "0x7ff6c28e0076",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc72ad0000"
              },
              {
                "name": "ModuleName",
                "value": "CoreMessaging.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 11015
          },
          {
            "timestamp": "2026-05-28 22:01:58,334",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6fb1",
            "parentcaller": "0x7ff6c28e0076",
            "category": "system",
            "api": "NtDelayExecution",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 11016
          },
          {
            "timestamp": "2026-05-28 22:01:58,334",
            "thread_id": "8588",
            "caller": "0x7ffc7804507d",
            "parentcaller": "0x7ffc78044c43",
            "category": "threading",
            "api": "NtTestAlert",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 11017
          },
          {
            "timestamp": "2026-05-28 22:01:58,334",
            "thread_id": "8588",
            "caller": "0x00000000",
            "parentcaller": "0x00000000",
            "category": "threading",
            "api": "RtlUserThreadStart",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "StartAddress",
                "value": "0x7ff6c28de0d0"
              },
              {
                "name": "Parameter",
                "value": "0x2924e274d80"
              }
            ],
            "repeated": 0,
            "id": 11018
          },
          {
            "timestamp": "2026-05-28 22:01:58,334",
            "thread_id": "8592",
            "caller": "0x7ffc7804507d",
            "parentcaller": "0x7ffc78044c43",
            "category": "threading",
            "api": "NtTestAlert",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 11019
          },
          {
            "timestamp": "2026-05-28 22:01:58,334",
            "thread_id": "8592",
            "caller": "0x00000000",
            "parentcaller": "0x00000000",
            "category": "threading",
            "api": "RtlUserThreadStart",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "StartAddress",
                "value": "0x7ff6c28de0d0"
              },
              {
                "name": "Parameter",
                "value": "0x2924e270540"
              }
            ],
            "repeated": 0,
            "id": 11020
          },
          {
            "timestamp": "2026-05-28 22:01:58,334",
            "thread_id": "8592",
            "caller": "0x7ff6c28b18ae",
            "parentcaller": "0x7ff6c28b376e",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000410"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\PcwDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00224003"
              },
              {
                "name": "InputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": "t\\x08\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 11021
          },
          {
            "timestamp": "2026-05-28 22:01:58,334",
            "thread_id": "8592",
            "caller": "0x7ff6c28b192d",
            "parentcaller": "0x7ff6c28b376e",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000410"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\PcwDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00224007"
              },
              {
                "name": "InputBuffer",
                "value": "\\x01\\x00*\\x00\\x02\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xfc\\x7f\\x00\\x00t\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00y\\x98\\xc2\\xf6\\x7f\\x00\\x00\\xc0x\\x98\\xc2\\xf6\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x000\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": "\\x01\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 11022
          },
          {
            "timestamp": "2026-05-28 22:01:58,334",
            "thread_id": "8592",
            "caller": "0x7ff6c28c4a58",
            "parentcaller": "0x7ff6c28b19d9",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000410"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\PcwDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00224013"
              },
              {
                "name": "InputBuffer",
                "value": "t\\x08\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 11023
          },
          {
            "timestamp": "2026-05-28 22:01:58,334",
            "thread_id": "8592",
            "caller": "0x7ff6c28c4a58",
            "parentcaller": "0x7ff6c28b19d9",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000410"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\PcwDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00224013"
              },
              {
                "name": "InputBuffer",
                "value": "t\\x08\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": "8\\x01\\x00\\x00\\x10\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00(\\x01\\x00\\x00 \\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x000\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00@\\x00\\x00\\x00\\x00\\x00\\x00\\x00 \\x00\\x00\\x00\\x02\\x00\\x00\\x000\\x00,\\x000\\x00\\x00\\x00@\\x00R\\x00<\\x00O\\x00\\x10\\x00\\x00\\x00\\x04\\x00\\x08\\x00j\\xc0a\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x05\\x00\\x08\\x00v\\xddA\\x01\\x00\\x00\\x00\\x00@\\x00\\x00\\x00\\x01\\x00\\x00\\x00 \\x00\\x00\\x00\\x02\\x00\\x00\\x000\\x00,\\x001\\x00\\x00\\x00\\x11\\x00.\\x00\\x10\\x00-\\x00\\x10\\x00\\x00\\x00\\x04\\x00\\x08\\x00h\\xb6:\\x01\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x05\\x00\\x08\\x00\\xc2\\xeb\\x0b\\x00\\x00\\x00\\x00\\x00H\\x00\\x00\\x00\\x02\\x00\\x00\\x00(\\x00\\x00\\x00\\x02\\x00\\x00\\x000\\x00,\\x00_\\x00T\\x00o\\x00t\\x00a\\x00l\\x00\\x00\\x00\\x17\\x00.\\x00\\x16\\x00\\x10\\x00\\x00\\x00\\x04\\x00\\x08\\x00i;\\xce\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x05\\x00\\x08\\x00\\x9c\\xe4\\xa6\\x00\\x00\\x00\\x00\\x00@\\x00\\x00\\x00\\x03\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 11024
          },
          {
            "timestamp": "2026-05-28 22:01:58,334",
            "thread_id": "8596",
            "caller": "0x7ffc7804507d",
            "parentcaller": "0x7ffc78044c43",
            "category": "threading",
            "api": "NtTestAlert",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 11025
          },
          {
            "timestamp": "2026-05-28 22:01:58,334",
            "thread_id": "8596",
            "caller": "0x00000000",
            "parentcaller": "0x00000000",
            "category": "threading",
            "api": "RtlUserThreadStart",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "StartAddress",
                "value": "0x7ff6c28de0d0"
              },
              {
                "name": "Parameter",
                "value": "0x2924e2825e0"
              }
            ],
            "repeated": 0,
            "id": 11026
          },
          {
            "timestamp": "2026-05-28 22:01:58,334",
            "thread_id": "8600",
            "caller": "0x7ffc7804507d",
            "parentcaller": "0x7ffc78044c43",
            "category": "threading",
            "api": "NtTestAlert",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 11027
          },
          {
            "timestamp": "2026-05-28 22:01:58,334",
            "thread_id": "8600",
            "caller": "0x00000000",
            "parentcaller": "0x00000000",
            "category": "threading",
            "api": "RtlUserThreadStart",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "StartAddress",
                "value": "0x7ff6c28ded40"
              },
              {
                "name": "Parameter",
                "value": "0x2924e26cb30"
              }
            ],
            "repeated": 0,
            "id": 11028
          },
          {
            "timestamp": "2026-05-28 22:01:58,334",
            "thread_id": "8600",
            "caller": "0x7ff6c28dd762",
            "parentcaller": "0x7ff6c28e18b7",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff6c29dc000"
              },
              {
                "name": "ModuleName",
                "value": "taskmgr.exe"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 11029
          },
          {
            "timestamp": "2026-05-28 22:01:58,334",
            "thread_id": "8600",
            "caller": "0x7ff6c28dd762",
            "parentcaller": "0x7ff6c28e18b7",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff6c29dc000"
              },
              {
                "name": "ModuleName",
                "value": "taskmgr.exe"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 11030
          },
          {
            "timestamp": "2026-05-28 22:01:58,334",
            "thread_id": "8600",
            "caller": "0x7ff6c28d1b88",
            "parentcaller": "0x7ff6c28ded9b",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "SYSTEM\\CurrentControlSet\\Control\\DevQuery"
              },
              {
                "name": "Handle",
                "value": "0x00000880"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\DevQuery"
              }
            ],
            "repeated": 0,
            "id": 11031
          },
          {
            "timestamp": "2026-05-28 22:01:58,334",
            "thread_id": "8600",
            "caller": "0x7ff6c28d1b88",
            "parentcaller": "0x7ff6c28ded9b",
            "category": "registry",
            "api": "RegQueryInfoKeyW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000880"
              },
              {
                "name": "Class",
                "value": ""
              },
              {
                "name": "SubKeyCount",
                "value": "11"
              },
              {
                "name": "MaxSubKeyLength",
                "value": "2"
              },
              {
                "name": "MaxClassLength",
                "value": "0"
              },
              {
                "name": "ValueCount",
                "value": "0"
              },
              {
                "name": "MaxValueNameLength",
                "value": "0"
              },
              {
                "name": "MaxValueLength",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 11032
          },
          {
            "timestamp": "2026-05-28 22:01:58,334",
            "thread_id": "8600",
            "caller": "0x7ff6c28d1b88",
            "parentcaller": "0x7ff6c28ded9b",
            "category": "registry",
            "api": "RegEnumKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000880"
              },
              {
                "name": "Index",
                "value": "0"
              },
              {
                "name": "Name",
                "value": "1"
              },
              {
                "name": "Class",
                "value": ""
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\DevQuery\\1"
              }
            ],
            "repeated": 0,
            "id": 11033
          },
          {
            "timestamp": "2026-05-28 22:01:58,334",
            "thread_id": "8600",
            "caller": "0x7ff6c28d1b88",
            "parentcaller": "0x7ff6c28ded9b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000880"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 11034
          },
          {
            "timestamp": "2026-05-28 22:01:58,334",
            "thread_id": "8600",
            "caller": "0x7ff6c28d1b88",
            "parentcaller": "0x7ff6c28ded9b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000884"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000880"
              },
              {
                "name": "ObjectAttributesName",
                "value": "1"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\DevQuery\\1"
              }
            ],
            "repeated": 0,
            "id": 11035
          },
          {
            "timestamp": "2026-05-28 22:01:58,334",
            "thread_id": "8600",
            "caller": "0x7ff6c28d1b88",
            "parentcaller": "0x7ff6c28ded9b",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000884"
              },
              {
                "name": "ValueName",
                "value": "IdType"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\DevQuery\\1\\IdType"
              }
            ],
            "repeated": 0,
            "id": 11036
          },
          {
            "timestamp": "2026-05-28 22:01:58,334",
            "thread_id": "8600",
            "caller": "0x7ff6c28d1b88",
            "parentcaller": "0x7ff6c28ded9b",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000884"
              }
            ],
            "repeated": 0,
            "id": 11037
          },
          {
            "timestamp": "2026-05-28 22:01:58,334",
            "thread_id": "8600",
            "caller": "0x7ff6c28d1b88",
            "parentcaller": "0x7ff6c28ded9b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000880"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 11038
          },
          {
            "timestamp": "2026-05-28 22:01:58,334",
            "thread_id": "8600",
            "caller": "0x7ff6c28d1b88",
            "parentcaller": "0x7ff6c28ded9b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000884"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000880"
              },
              {
                "name": "ObjectAttributesName",
                "value": "1"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\DevQuery\\1"
              }
            ],
            "repeated": 0,
            "id": 11039
          },
          {
            "timestamp": "2026-05-28 22:01:58,334",
            "thread_id": "8600",
            "caller": "0x7ff6c28d1b88",
            "parentcaller": "0x7ff6c28ded9b",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000884"
              },
              {
                "name": "ValueName",
                "value": "IdType"
              },
              {
                "name": "Data",
                "value": "String"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\DevQuery\\1\\IdType"
              }
            ],
            "repeated": 0,
            "id": 11040
          },
          {
            "timestamp": "2026-05-28 22:01:58,334",
            "thread_id": "8600",
            "caller": "0x7ff6c28d1b88",
            "parentcaller": "0x7ff6c28ded9b",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000884"
              }
            ],
            "repeated": 0,
            "id": 11041
          },
          {
            "timestamp": "2026-05-28 22:01:58,334",
            "thread_id": "8600",
            "caller": "0x7ff6c28d1b88",
            "parentcaller": "0x7ff6c28ded9b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000880"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 11042
          },
          {
            "timestamp": "2026-05-28 22:01:58,334",
            "thread_id": "8600",
            "caller": "0x7ff6c28d1b88",
            "parentcaller": "0x7ff6c28ded9b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000884"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000880"
              },
              {
                "name": "ObjectAttributesName",
                "value": "1"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\DevQuery\\1"
              }
            ],
            "repeated": 0,
            "id": 11043
          },
          {
            "timestamp": "2026-05-28 22:01:58,334",
            "thread_id": "8600",
            "caller": "0x7ff6c28d1b88",
            "parentcaller": "0x7ff6c28ded9b",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000884"
              },
              {
                "name": "ValueName",
                "value": "Transport"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\DevQuery\\1\\Transport"
              }
            ],
            "repeated": 0,
            "id": 11044
          },
          {
            "timestamp": "2026-05-28 22:01:58,334",
            "thread_id": "8600",
            "caller": "0x7ff6c28d1b88",
            "parentcaller": "0x7ff6c28ded9b",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000884"
              }
            ],
            "repeated": 0,
            "id": 11045
          },
          {
            "timestamp": "2026-05-28 22:01:58,334",
            "thread_id": "8600",
            "caller": "0x7ff6c28d1b88",
            "parentcaller": "0x7ff6c28ded9b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000880"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 11046
          },
          {
            "timestamp": "2026-05-28 22:01:58,334",
            "thread_id": "8600",
            "caller": "0x7ff6c28d1b88",
            "parentcaller": "0x7ff6c28ded9b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000884"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000880"
              },
              {
                "name": "ObjectAttributesName",
                "value": "1"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\DevQuery\\1"
              }
            ],
            "repeated": 0,
            "id": 11047
          },
          {
            "timestamp": "2026-05-28 22:01:58,334",
            "thread_id": "8600",
            "caller": "0x7ff6c28d1b88",
            "parentcaller": "0x7ff6c28ded9b",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000884"
              },
              {
                "name": "ValueName",
                "value": "Transport"
              },
              {
                "name": "Data",
                "value": "IOCTL"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\DevQuery\\1\\Transport"
              }
            ],
            "repeated": 0,
            "id": 11048
          },
          {
            "timestamp": "2026-05-28 22:01:58,334",
            "thread_id": "8600",
            "caller": "0x7ff6c28d1b88",
            "parentcaller": "0x7ff6c28ded9b",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000884"
              }
            ],
            "repeated": 0,
            "id": 11049
          },
          {
            "timestamp": "2026-05-28 22:01:58,334",
            "thread_id": "8600",
            "caller": "0x7ff6c28d1b88",
            "parentcaller": "0x7ff6c28ded9b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000880"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 11050
          },
          {
            "timestamp": "2026-05-28 22:01:58,334",
            "thread_id": "8600",
            "caller": "0x7ff6c28d1b88",
            "parentcaller": "0x7ff6c28ded9b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000884"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000880"
              },
              {
                "name": "ObjectAttributesName",
                "value": "1"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\DevQuery\\1"
              }
            ],
            "repeated": 0,
            "id": 11051
          },
          {
            "timestamp": "2026-05-28 22:01:58,334",
            "thread_id": "8600",
            "caller": "0x7ff6c28d1b88",
            "parentcaller": "0x7ff6c28ded9b",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000884"
              },
              {
                "name": "ValueName",
                "value": "QueryFile"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\DevQuery\\1\\QueryFile"
              }
            ],
            "repeated": 0,
            "id": 11052
          },
          {
            "timestamp": "2026-05-28 22:01:58,334",
            "thread_id": "8600",
            "caller": "0x7ff6c28d1b88",
            "parentcaller": "0x7ff6c28ded9b",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000884"
              }
            ],
            "repeated": 0,
            "id": 11053
          },
          {
            "timestamp": "2026-05-28 22:01:58,334",
            "thread_id": "8600",
            "caller": "0x7ff6c28d1b88",
            "parentcaller": "0x7ff6c28ded9b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000880"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 11054
          },
          {
            "timestamp": "2026-05-28 22:01:58,334",
            "thread_id": "8600",
            "caller": "0x7ff6c28d1b88",
            "parentcaller": "0x7ff6c28ded9b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000884"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000880"
              },
              {
                "name": "ObjectAttributesName",
                "value": "1"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\DevQuery\\1"
              }
            ],
            "repeated": 0,
            "id": 11055
          },
          {
            "timestamp": "2026-05-28 22:01:58,334",
            "thread_id": "8600",
            "caller": "0x7ff6c28d1b88",
            "parentcaller": "0x7ff6c28ded9b",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000884"
              },
              {
                "name": "ValueName",
                "value": "QueryFile"
              },
              {
                "name": "Data",
                "value": "\\Device\\DeviceApi\\Dev\\Query"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\DevQuery\\1\\QueryFile"
              }
            ],
            "repeated": 0,
            "id": 11056
          },
          {
            "timestamp": "2026-05-28 22:01:58,334",
            "thread_id": "8600",
            "caller": "0x7ff6c28d1b88",
            "parentcaller": "0x7ff6c28ded9b",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000884"
              }
            ],
            "repeated": 0,
            "id": 11057
          },
          {
            "timestamp": "2026-05-28 22:01:58,334",
            "thread_id": "8600",
            "caller": "0x7ff6c28d1b88",
            "parentcaller": "0x7ff6c28ded9b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000880"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 11058
          },
          {
            "timestamp": "2026-05-28 22:01:58,334",
            "thread_id": "8600",
            "caller": "0x7ff6c28d1b88",
            "parentcaller": "0x7ff6c28ded9b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000884"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000880"
              },
              {
                "name": "ObjectAttributesName",
                "value": "1"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\DevQuery\\1"
              }
            ],
            "repeated": 0,
            "id": 11059
          },
          {
            "timestamp": "2026-05-28 22:01:58,334",
            "thread_id": "8600",
            "caller": "0x7ff6c28d1b88",
            "parentcaller": "0x7ff6c28ded9b",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000884"
              },
              {
                "name": "ValueName",
                "value": "NoStateFile"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\DevQuery\\1\\NoStateFile"
              }
            ],
            "repeated": 0,
            "id": 11060
          },
          {
            "timestamp": "2026-05-28 22:01:58,334",
            "thread_id": "8600",
            "caller": "0x7ff6c28d1b88",
            "parentcaller": "0x7ff6c28ded9b",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000884"
              }
            ],
            "repeated": 0,
            "id": 11061
          },
          {
            "timestamp": "2026-05-28 22:01:58,334",
            "thread_id": "8600",
            "caller": "0x7ff6c28d1b88",
            "parentcaller": "0x7ff6c28ded9b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000880"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 11062
          },
          {
            "timestamp": "2026-05-28 22:01:58,334",
            "thread_id": "8600",
            "caller": "0x7ff6c28d1b88",
            "parentcaller": "0x7ff6c28ded9b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000884"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000880"
              },
              {
                "name": "ObjectAttributesName",
                "value": "1"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\DevQuery\\1"
              }
            ],
            "repeated": 0,
            "id": 11063
          },
          {
            "timestamp": "2026-05-28 22:01:58,334",
            "thread_id": "8600",
            "caller": "0x7ff6c28d1b88",
            "parentcaller": "0x7ff6c28ded9b",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000884"
              },
              {
                "name": "ValueName",
                "value": "NoStateFile"
              },
              {
                "name": "Data",
                "value": "\\Device\\DeviceApi\\Dev\\NoState"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\DevQuery\\1\\NoStateFile"
              }
            ],
            "repeated": 0,
            "id": 11064
          },
          {
            "timestamp": "2026-05-28 22:01:58,334",
            "thread_id": "8600",
            "caller": "0x7ff6c28d1b88",
            "parentcaller": "0x7ff6c28ded9b",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000884"
              }
            ],
            "repeated": 0,
            "id": 11065
          },
          {
            "timestamp": "2026-05-28 22:01:58,334",
            "thread_id": "8600",
            "caller": "0x7ff6c28d1b88",
            "parentcaller": "0x7ff6c28ded9b",
            "category": "registry",
            "api": "RegEnumKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000880"
              },
              {
                "name": "Index",
                "value": "1"
              },
              {
                "name": "Name",
                "value": "10"
              },
              {
                "name": "Class",
                "value": ""
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\DevQuery\\10"
              }
            ],
            "repeated": 0,
            "id": 11066
          },
          {
            "timestamp": "2026-05-28 22:01:58,334",
            "thread_id": "8600",
            "caller": "0x7ff6c28d1b88",
            "parentcaller": "0x7ff6c28ded9b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000880"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 11067
          },
          {
            "timestamp": "2026-05-28 22:01:58,334",
            "thread_id": "8600",
            "caller": "0x7ff6c28d1b88",
            "parentcaller": "0x7ff6c28ded9b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000884"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000880"
              },
              {
                "name": "ObjectAttributesName",
                "value": "10"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\DevQuery\\10"
              }
            ],
            "repeated": 0,
            "id": 11068
          },
          {
            "timestamp": "2026-05-28 22:01:58,334",
            "thread_id": "8600",
            "caller": "0x7ff6c28d1b88",
            "parentcaller": "0x7ff6c28ded9b",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000884"
              },
              {
                "name": "ValueName",
                "value": "IdType"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\DevQuery\\10\\IdType"
              }
            ],
            "repeated": 0,
            "id": 11069
          },
          {
            "timestamp": "2026-05-28 22:01:58,334",
            "thread_id": "8600",
            "caller": "0x7ff6c28d1b88",
            "parentcaller": "0x7ff6c28ded9b",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000884"
              }
            ],
            "repeated": 0,
            "id": 11070
          },
          {
            "timestamp": "2026-05-28 22:01:58,334",
            "thread_id": "8600",
            "caller": "0x7ff6c28d1b88",
            "parentcaller": "0x7ff6c28ded9b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000880"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 11071
          },
          {
            "timestamp": "2026-05-28 22:01:58,334",
            "thread_id": "8600",
            "caller": "0x7ff6c28d1b88",
            "parentcaller": "0x7ff6c28ded9b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000884"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000880"
              },
              {
                "name": "ObjectAttributesName",
                "value": "10"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\DevQuery\\10"
              }
            ],
            "repeated": 0,
            "id": 11072
          },
          {
            "timestamp": "2026-05-28 22:01:58,334",
            "thread_id": "8600",
            "caller": "0x7ff6c28d1b88",
            "parentcaller": "0x7ff6c28ded9b",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000884"
              },
              {
                "name": "ValueName",
                "value": "IdType"
              },
              {
                "name": "Data",
                "value": "String"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\DevQuery\\10\\IdType"
              }
            ],
            "repeated": 0,
            "id": 11073
          },
          {
            "timestamp": "2026-05-28 22:01:58,334",
            "thread_id": "8600",
            "caller": "0x7ff6c28d1b88",
            "parentcaller": "0x7ff6c28ded9b",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000884"
              }
            ],
            "repeated": 0,
            "id": 11074
          },
          {
            "timestamp": "2026-05-28 22:01:58,334",
            "thread_id": "8600",
            "caller": "0x7ff6c28d1b88",
            "parentcaller": "0x7ff6c28ded9b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000880"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 11075
          },
          {
            "timestamp": "2026-05-28 22:01:58,334",
            "thread_id": "8600",
            "caller": "0x7ff6c28d1b88",
            "parentcaller": "0x7ff6c28ded9b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000884"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000880"
              },
              {
                "name": "ObjectAttributesName",
                "value": "10"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\DevQuery\\10"
              }
            ],
            "repeated": 0,
            "id": 11076
          },
          {
            "timestamp": "2026-05-28 22:01:58,334",
            "thread_id": "8600",
            "caller": "0x7ff6c28d1b88",
            "parentcaller": "0x7ff6c28ded9b",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000884"
              },
              {
                "name": "ValueName",
                "value": "Transport"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\DevQuery\\10\\Transport"
              }
            ],
            "repeated": 0,
            "id": 11077
          },
          {
            "timestamp": "2026-05-28 22:01:58,334",
            "thread_id": "8600",
            "caller": "0x7ff6c28d1b88",
            "parentcaller": "0x7ff6c28ded9b",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000884"
              }
            ],
            "repeated": 0,
            "id": 11078
          },
          {
            "timestamp": "2026-05-28 22:01:58,334",
            "thread_id": "8600",
            "caller": "0x7ff6c28d1b88",
            "parentcaller": "0x7ff6c28ded9b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000880"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 11079
          },
          {
            "timestamp": "2026-05-28 22:01:58,334",
            "thread_id": "8600",
            "caller": "0x7ff6c28d1b88",
            "parentcaller": "0x7ff6c28ded9b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000884"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000880"
              },
              {
                "name": "ObjectAttributesName",
                "value": "10"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\DevQuery\\10"
              }
            ],
            "repeated": 0,
            "id": 11080
          },
          {
            "timestamp": "2026-05-28 22:01:58,334",
            "thread_id": "8600",
            "caller": "0x7ff6c28d1b88",
            "parentcaller": "0x7ff6c28ded9b",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000884"
              },
              {
                "name": "ValueName",
                "value": "Transport"
              },
              {
                "name": "Data",
                "value": "LRPC"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\DevQuery\\10\\Transport"
              }
            ],
            "repeated": 0,
            "id": 11081
          },
          {
            "timestamp": "2026-05-28 22:01:58,334",
            "thread_id": "8600",
            "caller": "0x7ff6c28d1b88",
            "parentcaller": "0x7ff6c28ded9b",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000884"
              }
            ],
            "repeated": 0,
            "id": 11082
          },
          {
            "timestamp": "2026-05-28 22:01:58,334",
            "thread_id": "8600",
            "caller": "0x7ff6c28d1b88",
            "parentcaller": "0x7ff6c28ded9b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000880"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 11083
          },
          {
            "timestamp": "2026-05-28 22:01:58,334",
            "thread_id": "8600",
            "caller": "0x7ff6c28d1b88",
            "parentcaller": "0x7ff6c28ded9b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000884"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000880"
              },
              {
                "name": "ObjectAttributesName",
                "value": "10"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\DevQuery\\10"
              }
            ],
            "repeated": 0,
            "id": 11084
          },
          {
            "timestamp": "2026-05-28 22:01:58,334",
            "thread_id": "8600",
            "caller": "0x7ff6c28d1b88",
            "parentcaller": "0x7ff6c28ded9b",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000884"
              },
              {
                "name": "ValueName",
                "value": "UUID"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\DevQuery\\10\\UUID"
              }
            ],
            "repeated": 0,
            "id": 11085
          },
          {
            "timestamp": "2026-05-28 22:01:58,334",
            "thread_id": "8600",
            "caller": "0x7ff6c28d1b88",
            "parentcaller": "0x7ff6c28ded9b",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000884"
              }
            ],
            "repeated": 0,
            "id": 11086
          },
          {
            "timestamp": "2026-05-28 22:01:58,334",
            "thread_id": "8600",
            "caller": "0x7ff6c28d1b88",
            "parentcaller": "0x7ff6c28ded9b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000880"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 11087
          },
          {
            "timestamp": "2026-05-28 22:01:58,334",
            "thread_id": "8600",
            "caller": "0x7ff6c28d1b88",
            "parentcaller": "0x7ff6c28ded9b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000884"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000880"
              },
              {
                "name": "ObjectAttributesName",
                "value": "10"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\DevQuery\\10"
              }
            ],
            "repeated": 0,
            "id": 11088
          },
          {
            "timestamp": "2026-05-28 22:01:58,334",
            "thread_id": "8600",
            "caller": "0x7ff6c28d1b88",
            "parentcaller": "0x7ff6c28ded9b",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000884"
              },
              {
                "name": "ValueName",
                "value": "UUID"
              },
              {
                "name": "Data",
                "value": "289e5e0f-414a-4de9-8d17-244507fffc07"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\DevQuery\\10\\UUID"
              }
            ],
            "repeated": 0,
            "id": 11089
          },
          {
            "timestamp": "2026-05-28 22:01:58,334",
            "thread_id": "8600",
            "caller": "0x7ff6c28d1b88",
            "parentcaller": "0x7ff6c28ded9b",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000884"
              }
            ],
            "repeated": 0,
            "id": 11090
          },
          {
            "timestamp": "2026-05-28 22:01:58,334",
            "thread_id": "8600",
            "caller": "0x7ff6c28d1b88",
            "parentcaller": "0x7ff6c28ded9b",
            "category": "registry",
            "api": "RegEnumKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000880"
              },
              {
                "name": "Index",
                "value": "2"
              },
              {
                "name": "Name",
                "value": "11"
              },
              {
                "name": "Class",
                "value": ""
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\DevQuery\\11"
              }
            ],
            "repeated": 0,
            "id": 11091
          },
          {
            "timestamp": "2026-05-28 22:01:58,334",
            "thread_id": "8600",
            "caller": "0x7ff6c28d1b88",
            "parentcaller": "0x7ff6c28ded9b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000880"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 11092
          },
          {
            "timestamp": "2026-05-28 22:01:58,334",
            "thread_id": "8600",
            "caller": "0x7ff6c28d1b88",
            "parentcaller": "0x7ff6c28ded9b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000884"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000880"
              },
              {
                "name": "ObjectAttributesName",
                "value": "11"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\DevQuery\\11"
              }
            ],
            "repeated": 0,
            "id": 11093
          },
          {
            "timestamp": "2026-05-28 22:01:58,334",
            "thread_id": "8600",
            "caller": "0x7ff6c28d1b88",
            "parentcaller": "0x7ff6c28ded9b",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000884"
              },
              {
                "name": "ValueName",
                "value": "IdType"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\DevQuery\\11\\IdType"
              }
            ],
            "repeated": 0,
            "id": 11094
          },
          {
            "timestamp": "2026-05-28 22:01:58,334",
            "thread_id": "8600",
            "caller": "0x7ff6c28d1b88",
            "parentcaller": "0x7ff6c28ded9b",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000884"
              }
            ],
            "repeated": 0,
            "id": 11095
          },
          {
            "timestamp": "2026-05-28 22:01:58,334",
            "thread_id": "8600",
            "caller": "0x7ff6c28d1b88",
            "parentcaller": "0x7ff6c28ded9b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000880"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 11096
          },
          {
            "timestamp": "2026-05-28 22:01:58,334",
            "thread_id": "8600",
            "caller": "0x7ff6c28d1b88",
            "parentcaller": "0x7ff6c28ded9b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000884"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000880"
              },
              {
                "name": "ObjectAttributesName",
                "value": "11"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\DevQuery\\11"
              }
            ],
            "repeated": 0,
            "id": 11097
          },
          {
            "timestamp": "2026-05-28 22:01:58,334",
            "thread_id": "8600",
            "caller": "0x7ff6c28d1b88",
            "parentcaller": "0x7ff6c28ded9b",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000884"
              },
              {
                "name": "ValueName",
                "value": "IdType"
              },
              {
                "name": "Data",
                "value": "String"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\DevQuery\\11\\IdType"
              }
            ],
            "repeated": 0,
            "id": 11098
          },
          {
            "timestamp": "2026-05-28 22:01:58,334",
            "thread_id": "8600",
            "caller": "0x7ff6c28d1b88",
            "parentcaller": "0x7ff6c28ded9b",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000884"
              }
            ],
            "repeated": 0,
            "id": 11099
          },
          {
            "timestamp": "2026-05-28 22:01:58,334",
            "thread_id": "8600",
            "caller": "0x7ff6c28d1b88",
            "parentcaller": "0x7ff6c28ded9b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000880"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 11100
          },
          {
            "timestamp": "2026-05-28 22:01:58,334",
            "thread_id": "8600",
            "caller": "0x7ff6c28d1b88",
            "parentcaller": "0x7ff6c28ded9b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000884"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000880"
              },
              {
                "name": "ObjectAttributesName",
                "value": "11"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\DevQuery\\11"
              }
            ],
            "repeated": 0,
            "id": 11101
          },
          {
            "timestamp": "2026-05-28 22:01:58,334",
            "thread_id": "8600",
            "caller": "0x7ff6c28d1b88",
            "parentcaller": "0x7ff6c28ded9b",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000884"
              },
              {
                "name": "ValueName",
                "value": "Transport"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\DevQuery\\11\\Transport"
              }
            ],
            "repeated": 0,
            "id": 11102
          },
          {
            "timestamp": "2026-05-28 22:01:58,334",
            "thread_id": "8600",
            "caller": "0x7ff6c28d1b88",
            "parentcaller": "0x7ff6c28ded9b",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000884"
              }
            ],
            "repeated": 0,
            "id": 11103
          },
          {
            "timestamp": "2026-05-28 22:01:58,334",
            "thread_id": "8600",
            "caller": "0x7ff6c28d1b88",
            "parentcaller": "0x7ff6c28ded9b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000880"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 11104
          },
          {
            "timestamp": "2026-05-28 22:01:58,334",
            "thread_id": "8600",
            "caller": "0x7ff6c28d1b88",
            "parentcaller": "0x7ff6c28ded9b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000884"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000880"
              },
              {
                "name": "ObjectAttributesName",
                "value": "11"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\DevQuery\\11"
              }
            ],
            "repeated": 0,
            "id": 11105
          },
          {
            "timestamp": "2026-05-28 22:01:58,334",
            "thread_id": "8600",
            "caller": "0x7ff6c28d1b88",
            "parentcaller": "0x7ff6c28ded9b",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000884"
              },
              {
                "name": "ValueName",
                "value": "Transport"
              },
              {
                "name": "Data",
                "value": "IOCTL"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\DevQuery\\11\\Transport"
              }
            ],
            "repeated": 0,
            "id": 11106
          },
          {
            "timestamp": "2026-05-28 22:01:58,334",
            "thread_id": "8600",
            "caller": "0x7ff6c28d1b88",
            "parentcaller": "0x7ff6c28ded9b",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000884"
              }
            ],
            "repeated": 0,
            "id": 11107
          },
          {
            "timestamp": "2026-05-28 22:01:58,334",
            "thread_id": "8600",
            "caller": "0x7ff6c28d1b88",
            "parentcaller": "0x7ff6c28ded9b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000880"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 11108
          },
          {
            "timestamp": "2026-05-28 22:01:58,334",
            "thread_id": "8600",
            "caller": "0x7ff6c28d1b88",
            "parentcaller": "0x7ff6c28ded9b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000884"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000880"
              },
              {
                "name": "ObjectAttributesName",
                "value": "11"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\DevQuery\\11"
              }
            ],
            "repeated": 0,
            "id": 11109
          },
          {
            "timestamp": "2026-05-28 22:01:58,334",
            "thread_id": "8600",
            "caller": "0x7ff6c28d1b88",
            "parentcaller": "0x7ff6c28ded9b",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000884"
              },
              {
                "name": "ValueName",
                "value": "QueryFile"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\DevQuery\\11\\QueryFile"
              }
            ],
            "repeated": 0,
            "id": 11110
          },
          {
            "timestamp": "2026-05-28 22:01:58,334",
            "thread_id": "8600",
            "caller": "0x7ff6c28d1b88",
            "parentcaller": "0x7ff6c28ded9b",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000884"
              }
            ],
            "repeated": 0,
            "id": 11111
          },
          {
            "timestamp": "2026-05-28 22:01:58,334",
            "thread_id": "8600",
            "caller": "0x7ff6c28d1b88",
            "parentcaller": "0x7ff6c28ded9b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000880"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 11112
          },
          {
            "timestamp": "2026-05-28 22:01:58,334",
            "thread_id": "8600",
            "caller": "0x7ff6c28d1b88",
            "parentcaller": "0x7ff6c28ded9b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000884"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000880"
              },
              {
                "name": "ObjectAttributesName",
                "value": "11"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\DevQuery\\11"
              }
            ],
            "repeated": 0,
            "id": 11113
          },
          {
            "timestamp": "2026-05-28 22:01:58,334",
            "thread_id": "8600",
            "caller": "0x7ff6c28d1b88",
            "parentcaller": "0x7ff6c28ded9b",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000884"
              },
              {
                "name": "ValueName",
                "value": "QueryFile"
              },
              {
                "name": "Data",
                "value": "\\Device\\DeviceApi\\Dev\\Query"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\DevQuery\\11\\QueryFile"
              }
            ],
            "repeated": 0,
            "id": 11114
          },
          {
            "timestamp": "2026-05-28 22:01:58,334",
            "thread_id": "8600",
            "caller": "0x7ff6c28d1b88",
            "parentcaller": "0x7ff6c28ded9b",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000884"
              }
            ],
            "repeated": 0,
            "id": 11115
          },
          {
            "timestamp": "2026-05-28 22:01:58,334",
            "thread_id": "8600",
            "caller": "0x7ff6c28d1b88",
            "parentcaller": "0x7ff6c28ded9b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000880"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 11116
          },
          {
            "timestamp": "2026-05-28 22:01:58,334",
            "thread_id": "8600",
            "caller": "0x7ff6c28d1b88",
            "parentcaller": "0x7ff6c28ded9b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000884"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000880"
              },
              {
                "name": "ObjectAttributesName",
                "value": "11"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\DevQuery\\11"
              }
            ],
            "repeated": 0,
            "id": 11117
          },
          {
            "timestamp": "2026-05-28 22:01:58,334",
            "thread_id": "8600",
            "caller": "0x7ff6c28d1b88",
            "parentcaller": "0x7ff6c28ded9b",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000884"
              },
              {
                "name": "ValueName",
                "value": "NoStateFile"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\DevQuery\\11\\NoStateFile"
              }
            ],
            "repeated": 0,
            "id": 11118
          },
          {
            "timestamp": "2026-05-28 22:01:58,334",
            "thread_id": "8600",
            "caller": "0x7ff6c28d1b88",
            "parentcaller": "0x7ff6c28ded9b",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000884"
              }
            ],
            "repeated": 0,
            "id": 11119
          },
          {
            "timestamp": "2026-05-28 22:01:58,334",
            "thread_id": "8600",
            "caller": "0x7ff6c28d1b88",
            "parentcaller": "0x7ff6c28ded9b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000880"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 11120
          },
          {
            "timestamp": "2026-05-28 22:01:58,334",
            "thread_id": "8600",
            "caller": "0x7ff6c28d1b88",
            "parentcaller": "0x7ff6c28ded9b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000884"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000880"
              },
              {
                "name": "ObjectAttributesName",
                "value": "11"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\DevQuery\\11"
              }
            ],
            "repeated": 0,
            "id": 11121
          },
          {
            "timestamp": "2026-05-28 22:01:58,334",
            "thread_id": "8600",
            "caller": "0x7ff6c28d1b88",
            "parentcaller": "0x7ff6c28ded9b",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000884"
              },
              {
                "name": "ValueName",
                "value": "NoStateFile"
              },
              {
                "name": "Data",
                "value": "\\Device\\DeviceApi\\Dev\\NoState"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\DevQuery\\11\\NoStateFile"
              }
            ],
            "repeated": 0,
            "id": 11122
          },
          {
            "timestamp": "2026-05-28 22:01:58,334",
            "thread_id": "8600",
            "caller": "0x7ff6c28d1b88",
            "parentcaller": "0x7ff6c28ded9b",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000884"
              }
            ],
            "repeated": 0,
            "id": 11123
          },
          {
            "timestamp": "2026-05-28 22:01:58,334",
            "thread_id": "8600",
            "caller": "0x7ff6c28d1b88",
            "parentcaller": "0x7ff6c28ded9b",
            "category": "registry",
            "api": "RegEnumKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000880"
              },
              {
                "name": "Index",
                "value": "3"
              },
              {
                "name": "Name",
                "value": "2"
              },
              {
                "name": "Class",
                "value": ""
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\DevQuery\\2"
              }
            ],
            "repeated": 0,
            "id": 11124
          },
          {
            "timestamp": "2026-05-28 22:01:58,334",
            "thread_id": "8600",
            "caller": "0x7ff6c28d1b88",
            "parentcaller": "0x7ff6c28ded9b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000880"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 11125
          },
          {
            "timestamp": "2026-05-28 22:01:58,334",
            "thread_id": "8600",
            "caller": "0x7ff6c28d1b88",
            "parentcaller": "0x7ff6c28ded9b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000884"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000880"
              },
              {
                "name": "ObjectAttributesName",
                "value": "2"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\DevQuery\\2"
              }
            ],
            "repeated": 0,
            "id": 11126
          },
          {
            "timestamp": "2026-05-28 22:01:58,334",
            "thread_id": "8600",
            "caller": "0x7ff6c28d1b88",
            "parentcaller": "0x7ff6c28ded9b",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000884"
              },
              {
                "name": "ValueName",
                "value": "IdType"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\DevQuery\\2\\IdType"
              }
            ],
            "repeated": 0,
            "id": 11127
          },
          {
            "timestamp": "2026-05-28 22:01:58,334",
            "thread_id": "8600",
            "caller": "0x7ff6c28d1b88",
            "parentcaller": "0x7ff6c28ded9b",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000884"
              }
            ],
            "repeated": 0,
            "id": 11128
          },
          {
            "timestamp": "2026-05-28 22:01:58,334",
            "thread_id": "8600",
            "caller": "0x7ff6c28d1b88",
            "parentcaller": "0x7ff6c28ded9b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000880"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 11129
          },
          {
            "timestamp": "2026-05-28 22:01:58,334",
            "thread_id": "8604",
            "caller": "0x7ffc7804507d",
            "parentcaller": "0x7ffc78044c43",
            "category": "threading",
            "api": "NtTestAlert",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 11130
          },
          {
            "timestamp": "2026-05-28 22:01:58,334",
            "thread_id": "8604",
            "caller": "0x00000000",
            "parentcaller": "0x00000000",
            "category": "threading",
            "api": "RtlUserThreadStart",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "StartAddress",
                "value": "0x7ff6c28d8ef0"
              },
              {
                "name": "Parameter",
                "value": "0x2924e26cb30"
              }
            ],
            "repeated": 0,
            "id": 11131
          },
          {
            "timestamp": "2026-05-28 22:01:58,334",
            "thread_id": "8600",
            "caller": "0x7ff6c28d1b88",
            "parentcaller": "0x7ff6c28ded9b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000884"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000880"
              },
              {
                "name": "ObjectAttributesName",
                "value": "2"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\DevQuery\\2"
              }
            ],
            "repeated": 0,
            "id": 11132
          },
          {
            "timestamp": "2026-05-28 22:01:58,334",
            "thread_id": "8600",
            "caller": "0x7ff6c28d1b88",
            "parentcaller": "0x7ff6c28ded9b",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000884"
              },
              {
                "name": "ValueName",
                "value": "IdType"
              },
              {
                "name": "Data",
                "value": "Uuid"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\DevQuery\\2\\IdType"
              }
            ],
            "repeated": 0,
            "id": 11133
          },
          {
            "timestamp": "2026-05-28 22:01:58,334",
            "thread_id": "8600",
            "caller": "0x7ff6c28d1b88",
            "parentcaller": "0x7ff6c28ded9b",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000884"
              }
            ],
            "repeated": 0,
            "id": 11134
          },
          {
            "timestamp": "2026-05-28 22:01:58,334",
            "thread_id": "8600",
            "caller": "0x7ff6c28d1b88",
            "parentcaller": "0x7ff6c28ded9b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000880"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 11135
          },
          {
            "timestamp": "2026-05-28 22:01:58,334",
            "thread_id": "8604",
            "caller": "0x7ff6c28b1a57",
            "parentcaller": "0x7ff6c28d9055",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000410"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\PcwDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00224003"
              },
              {
                "name": "InputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": "\\x88\\x08\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 11136
          },
          {
            "timestamp": "2026-05-28 22:01:58,334",
            "thread_id": "8600",
            "caller": "0x7ff6c28d1b88",
            "parentcaller": "0x7ff6c28ded9b",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000884"
              },
              {
                "name": "ValueName",
                "value": "Transport"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\DevQuery\\2\\Transport"
              }
            ],
            "repeated": 0,
            "id": 11137
          },
          {
            "timestamp": "2026-05-28 22:01:58,334",
            "thread_id": "8604",
            "caller": "0x7ff6c28b1ad9",
            "parentcaller": "0x7ff6c28d9055",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000410"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\PcwDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00224007"
              },
              {
                "name": "InputBuffer",
                "value": "\\x01\\xf7*\\x00\\x02\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xfc\\x7f\\x00\\x00\\x88\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00y\\x98\\xc2\\xf6\\x7f\\x00\\x00\\xc0x\\x98\\xc2\\xf6\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01<\\x06\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": "\\x01\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 11138
          },
          {
            "timestamp": "2026-05-28 22:01:58,334",
            "thread_id": "8600",
            "caller": "0x7ff6c28d1b88",
            "parentcaller": "0x7ff6c28ded9b",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000884"
              }
            ],
            "repeated": 0,
            "id": 11139
          },
          {
            "timestamp": "2026-05-28 22:01:58,334",
            "thread_id": "8600",
            "caller": "0x7ff6c28d1b88",
            "parentcaller": "0x7ff6c28ded9b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000880"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 11140
          },
          {
            "timestamp": "2026-05-28 22:01:58,334",
            "thread_id": "8600",
            "caller": "0x7ff6c28d1b88",
            "parentcaller": "0x7ff6c28ded9b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000884"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000880"
              },
              {
                "name": "ObjectAttributesName",
                "value": "2"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\DevQuery\\2"
              }
            ],
            "repeated": 0,
            "id": 11141
          },
          {
            "timestamp": "2026-05-28 22:01:58,334",
            "thread_id": "8600",
            "caller": "0x7ff6c28d1b88",
            "parentcaller": "0x7ff6c28ded9b",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000884"
              },
              {
                "name": "ValueName",
                "value": "Transport"
              },
              {
                "name": "Data",
                "value": "IOCTL"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\DevQuery\\2\\Transport"
              }
            ],
            "repeated": 0,
            "id": 11142
          },
          {
            "timestamp": "2026-05-28 22:01:58,334",
            "thread_id": "8600",
            "caller": "0x7ff6c28d1b88",
            "parentcaller": "0x7ff6c28ded9b",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000884"
              }
            ],
            "repeated": 0,
            "id": 11143
          },
          {
            "timestamp": "2026-05-28 22:01:58,334",
            "thread_id": "8600",
            "caller": "0x7ff6c28d1b88",
            "parentcaller": "0x7ff6c28ded9b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000880"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 11144
          },
          {
            "timestamp": "2026-05-28 22:01:58,334",
            "thread_id": "8600",
            "caller": "0x7ff6c28d1b88",
            "parentcaller": "0x7ff6c28ded9b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000884"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000880"
              },
              {
                "name": "ObjectAttributesName",
                "value": "2"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\DevQuery\\2"
              }
            ],
            "repeated": 0,
            "id": 11145
          },
          {
            "timestamp": "2026-05-28 22:01:58,334",
            "thread_id": "8600",
            "caller": "0x7ff6c28d1b88",
            "parentcaller": "0x7ff6c28ded9b",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000884"
              },
              {
                "name": "ValueName",
                "value": "QueryFile"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\DevQuery\\2\\QueryFile"
              }
            ],
            "repeated": 0,
            "id": 11146
          },
          {
            "timestamp": "2026-05-28 22:01:58,334",
            "thread_id": "8600",
            "caller": "0x7ff6c28d1b88",
            "parentcaller": "0x7ff6c28ded9b",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000884"
              }
            ],
            "repeated": 0,
            "id": 11147
          },
          {
            "timestamp": "2026-05-28 22:01:58,334",
            "thread_id": "8600",
            "caller": "0x7ff6c28d1b88",
            "parentcaller": "0x7ff6c28ded9b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000880"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 11148
          },
          {
            "timestamp": "2026-05-28 22:01:58,334",
            "thread_id": "8600",
            "caller": "0x7ff6c28d1b88",
            "parentcaller": "0x7ff6c28ded9b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000884"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000880"
              },
              {
                "name": "ObjectAttributesName",
                "value": "2"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\DevQuery\\2"
              }
            ],
            "repeated": 0,
            "id": 11149
          },
          {
            "timestamp": "2026-05-28 22:01:58,334",
            "thread_id": "8600",
            "caller": "0x7ff6c28d1b88",
            "parentcaller": "0x7ff6c28ded9b",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000884"
              },
              {
                "name": "ValueName",
                "value": "QueryFile"
              },
              {
                "name": "Data",
                "value": "\\Device\\DeviceApi\\Dev\\Query"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\DevQuery\\2\\QueryFile"
              }
            ],
            "repeated": 0,
            "id": 11150
          },
          {
            "timestamp": "2026-05-28 22:01:58,334",
            "thread_id": "8600",
            "caller": "0x7ff6c28d1b88",
            "parentcaller": "0x7ff6c28ded9b",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000884"
              }
            ],
            "repeated": 0,
            "id": 11151
          },
          {
            "timestamp": "2026-05-28 22:01:58,334",
            "thread_id": "8600",
            "caller": "0x7ff6c28d1b88",
            "parentcaller": "0x7ff6c28ded9b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000880"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 11152
          },
          {
            "timestamp": "2026-05-28 22:01:58,334",
            "thread_id": "8600",
            "caller": "0x7ff6c28d1b88",
            "parentcaller": "0x7ff6c28ded9b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000884"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000880"
              },
              {
                "name": "ObjectAttributesName",
                "value": "2"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\DevQuery\\2"
              }
            ],
            "repeated": 0,
            "id": 11153
          },
          {
            "timestamp": "2026-05-28 22:01:58,334",
            "thread_id": "8600",
            "caller": "0x7ff6c28d1b88",
            "parentcaller": "0x7ff6c28ded9b",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000884"
              },
              {
                "name": "ValueName",
                "value": "NoStateFile"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\DevQuery\\2\\NoStateFile"
              }
            ],
            "repeated": 0,
            "id": 11154
          },
          {
            "timestamp": "2026-05-28 22:01:58,334",
            "thread_id": "8600",
            "caller": "0x7ff6c28d1b88",
            "parentcaller": "0x7ff6c28ded9b",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000884"
              }
            ],
            "repeated": 0,
            "id": 11155
          },
          {
            "timestamp": "2026-05-28 22:01:58,334",
            "thread_id": "8600",
            "caller": "0x7ff6c28d1b88",
            "parentcaller": "0x7ff6c28ded9b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000880"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 11156
          },
          {
            "timestamp": "2026-05-28 22:01:58,334",
            "thread_id": "8600",
            "caller": "0x7ff6c28d1b88",
            "parentcaller": "0x7ff6c28ded9b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000884"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000880"
              },
              {
                "name": "ObjectAttributesName",
                "value": "2"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\DevQuery\\2"
              }
            ],
            "repeated": 0,
            "id": 11157
          },
          {
            "timestamp": "2026-05-28 22:01:58,334",
            "thread_id": "8600",
            "caller": "0x7ff6c28d1b88",
            "parentcaller": "0x7ff6c28ded9b",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000884"
              },
              {
                "name": "ValueName",
                "value": "NoStateFile"
              },
              {
                "name": "Data",
                "value": "\\Device\\DeviceApi\\Dev\\NoState"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\DevQuery\\2\\NoStateFile"
              }
            ],
            "repeated": 0,
            "id": 11158
          },
          {
            "timestamp": "2026-05-28 22:01:58,334",
            "thread_id": "8600",
            "caller": "0x7ff6c28d1b88",
            "parentcaller": "0x7ff6c28ded9b",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000884"
              }
            ],
            "repeated": 0,
            "id": 11159
          },
          {
            "timestamp": "2026-05-28 22:01:58,334",
            "thread_id": "8600",
            "caller": "0x7ff6c28d1b88",
            "parentcaller": "0x7ff6c28ded9b",
            "category": "registry",
            "api": "RegEnumKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000880"
              },
              {
                "name": "Index",
                "value": "4"
              },
              {
                "name": "Name",
                "value": "3"
              },
              {
                "name": "Class",
                "value": ""
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\DevQuery\\3"
              }
            ],
            "repeated": 0,
            "id": 11160
          },
          {
            "timestamp": "2026-05-28 22:01:58,334",
            "thread_id": "8600",
            "caller": "0x7ff6c28d1b88",
            "parentcaller": "0x7ff6c28ded9b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000880"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 11161
          },
          {
            "timestamp": "2026-05-28 22:01:58,334",
            "thread_id": "8600",
            "caller": "0x00000000",
            "parentcaller": "0x00000000",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000884"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000880"
              },
              {
                "name": "ObjectAttributesName",
                "value": "3"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\DevQuery\\3"
              }
            ],
            "repeated": 0,
            "id": 11162
          },
          {
            "timestamp": "2026-05-28 22:01:58,334",
            "thread_id": "8600",
            "caller": "0x7ff6c28d1b88",
            "parentcaller": "0x7ff6c28ded9b",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000884"
              },
              {
                "name": "ValueName",
                "value": "IdType"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\DevQuery\\3\\IdType"
              }
            ],
            "repeated": 0,
            "id": 11163
          },
          {
            "timestamp": "2026-05-28 22:01:58,334",
            "thread_id": "8600",
            "caller": "0x7ff6c28d1b88",
            "parentcaller": "0x7ff6c28ded9b",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000884"
              }
            ],
            "repeated": 0,
            "id": 11164
          },
          {
            "timestamp": "2026-05-28 22:01:58,334",
            "thread_id": "8600",
            "caller": "0x7ff6c28d1b88",
            "parentcaller": "0x7ff6c28ded9b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000880"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 11165
          },
          {
            "timestamp": "2026-05-28 22:01:58,334",
            "thread_id": "8600",
            "caller": "0x7ff6c28d1b88",
            "parentcaller": "0x7ff6c28ded9b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000884"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000880"
              },
              {
                "name": "ObjectAttributesName",
                "value": "3"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\DevQuery\\3"
              }
            ],
            "repeated": 0,
            "id": 11166
          },
          {
            "timestamp": "2026-05-28 22:01:58,334",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6fb1",
            "parentcaller": "0x7ff6c28e0076",
            "category": "system",
            "api": "NtDelayExecution",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 11167
          },
          {
            "timestamp": "2026-05-28 22:01:58,334",
            "thread_id": "8600",
            "caller": "0x7ff6c28d1b88",
            "parentcaller": "0x7ff6c28ded9b",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000884"
              },
              {
                "name": "ValueName",
                "value": "IdType"
              },
              {
                "name": "Data",
                "value": "String"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\DevQuery\\3\\IdType"
              }
            ],
            "repeated": 0,
            "id": 11168
          },
          {
            "timestamp": "2026-05-28 22:01:58,334",
            "thread_id": "8600",
            "caller": "0x7ff6c28d1b88",
            "parentcaller": "0x7ff6c28ded9b",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000884"
              }
            ],
            "repeated": 0,
            "id": 11169
          },
          {
            "timestamp": "2026-05-28 22:01:58,334",
            "thread_id": "8600",
            "caller": "0x7ff6c28d1b88",
            "parentcaller": "0x7ff6c28ded9b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000880"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 11170
          },
          {
            "timestamp": "2026-05-28 22:01:58,334",
            "thread_id": "8600",
            "caller": "0x7ff6c28d1b88",
            "parentcaller": "0x7ff6c28ded9b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000884"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000880"
              },
              {
                "name": "ObjectAttributesName",
                "value": "3"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\DevQuery\\3"
              }
            ],
            "repeated": 0,
            "id": 11171
          },
          {
            "timestamp": "2026-05-28 22:01:58,334",
            "thread_id": "8604",
            "caller": "0x7ff6c28c4a58",
            "parentcaller": "0x7ff6c28b1b85",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000410"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\PcwDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00224013"
              },
              {
                "name": "InputBuffer",
                "value": "\\x88\\x08\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 11172
          },
          {
            "timestamp": "2026-05-28 22:01:58,334",
            "thread_id": "8600",
            "caller": "0x7ff6c28d1b88",
            "parentcaller": "0x7ff6c28ded9b",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000884"
              },
              {
                "name": "ValueName",
                "value": "Transport"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\DevQuery\\3\\Transport"
              }
            ],
            "repeated": 0,
            "id": 11173
          },
          {
            "timestamp": "2026-05-28 22:01:58,334",
            "thread_id": "8600",
            "caller": "0x7ff6c28d1b88",
            "parentcaller": "0x7ff6c28ded9b",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000884"
              }
            ],
            "repeated": 0,
            "id": 11174
          },
          {
            "timestamp": "2026-05-28 22:01:58,334",
            "thread_id": "8604",
            "caller": "0x7ff6c28c4a58",
            "parentcaller": "0x7ff6c28b1b85",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000410"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\PcwDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00224013"
              },
              {
                "name": "InputBuffer",
                "value": "\\x88\\x08\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": "x\\x02\\x00\\x00\\x10\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00h\\x02\\x00\\x00 \\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01<\\x06\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x90\\x00\\x00\\x00\\x00\\x00\\x00\\x00 \\x00\\x00\\x00\\x07\\x00\\x00\\x000\\x00,\\x000\\x00\\x00\\x00a\\x00n\\x00a\\x00g\\x00\\x10\\x00\\x00\\x00\\x10\\x00\\x04\\x00\\x00\\x00\\x00\\x00A\\x00p\\x00\\x10\\x00\\x00\\x00\\x1a\\x00\\x08\\x00\\xc9\\x7f\\xc0}\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x1b\\x00\\x04\\x00\\xb2\\xed\\x90\\x02S\\x00e\\x00\\x10\\x00\\x00\\x00\\x1c\\x00\\x08\\x00\\x0bD\\xc2\\x08\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x1d\\x00\\x04\\x00\\xb2\\xed\\x90\\x02)\\x00\\x00\\x00\\x10\\x00\\x00\\x00!\\x00\\x08\\x00\\xe1\\x847\\x1b\\x12\\x00\\x00\\x00\\x10\\x00\\x00\\x00\"\\x00\\x04\\x00\\xcc\\xecA\\x01o\\x00f\\x00\\x90\\x00\\x00\\x00\\x01\\x00\\x00\\x00 \\x00\\x00\\x00\\x07\\x00\\x00\\x000\\x00,\\x001\\x00\\x00\\x00n\\x00t\\x00\\x00\\x00A\\x00\\x10\\x00\\x00\\x00\\x10\\x00\\x04\\x00\\x00\\x00\\x00\\x00e\\x00n\\x00\\x10\\x00\\x00\\x00\\x1a\\x00\\x08\\x00@\\xc9\\xb4}\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 11175
          },
          {
            "timestamp": "2026-05-28 22:01:58,334",
            "thread_id": "8600",
            "caller": "0x7ff6c28d1b88",
            "parentcaller": "0x7ff6c28ded9b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000880"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 11176
          },
          {
            "timestamp": "2026-05-28 22:01:58,334",
            "thread_id": "8604",
            "caller": "0x7ff6c28ff776",
            "parentcaller": "0x7ff6c28d9055",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000410"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\PcwDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00224003"
              },
              {
                "name": "InputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": "\\x8c\\x08\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 11177
          },
          {
            "timestamp": "2026-05-28 22:01:58,334",
            "thread_id": "8600",
            "caller": "0x7ff6c28d1b88",
            "parentcaller": "0x7ff6c28ded9b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000884"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000880"
              },
              {
                "name": "ObjectAttributesName",
                "value": "3"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\DevQuery\\3"
              }
            ],
            "repeated": 0,
            "id": 11178
          },
          {
            "timestamp": "2026-05-28 22:01:58,334",
            "thread_id": "8600",
            "caller": "0x7ff6c28d1b88",
            "parentcaller": "0x7ff6c28ded9b",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000884"
              },
              {
                "name": "ValueName",
                "value": "Transport"
              },
              {
                "name": "Data",
                "value": "IOCTL"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\DevQuery\\3\\Transport"
              }
            ],
            "repeated": 0,
            "id": 11179
          },
          {
            "timestamp": "2026-05-28 22:01:58,334",
            "thread_id": "8600",
            "caller": "0x7ff6c28d1b88",
            "parentcaller": "0x7ff6c28ded9b",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000884"
              }
            ],
            "repeated": 0,
            "id": 11180
          },
          {
            "timestamp": "2026-05-28 22:01:58,334",
            "thread_id": "8604",
            "caller": "0x7ff6c28dd762",
            "parentcaller": "0x7ff6c28e113d",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "93"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x7f7\\x9e}"
              }
            ],
            "repeated": 0,
            "id": 11181
          },
          {
            "timestamp": "2026-05-28 22:01:58,334",
            "thread_id": "8600",
            "caller": "0x7ff6c28d1b88",
            "parentcaller": "0x7ff6c28ded9b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000880"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 11182
          },
          {
            "timestamp": "2026-05-28 22:01:58,334",
            "thread_id": "8604",
            "caller": "0x7ff6c28dd762",
            "parentcaller": "0x7ff6c28e113d",
            "category": "process",
            "api": "NtOpenSection",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0000000d"
              },
              {
                "name": "ObjectAttributes",
                "value": "IPHLPAPI.DLL"
              }
            ],
            "repeated": 0,
            "id": 11183
          },
          {
            "timestamp": "2026-05-28 22:01:58,334",
            "thread_id": "8600",
            "caller": "0x7ff6c28d1b88",
            "parentcaller": "0x7ff6c28ded9b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000884"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000880"
              },
              {
                "name": "ObjectAttributesName",
                "value": "3"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\DevQuery\\3"
              }
            ],
            "repeated": 0,
            "id": 11184
          },
          {
            "timestamp": "2026-05-28 22:01:58,334",
            "thread_id": "8600",
            "caller": "0x7ff6c28d1b88",
            "parentcaller": "0x7ff6c28ded9b",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000884"
              },
              {
                "name": "ValueName",
                "value": "QueryFile"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\DevQuery\\3\\QueryFile"
              }
            ],
            "repeated": 0,
            "id": 11185
          },
          {
            "timestamp": "2026-05-28 22:01:58,334",
            "thread_id": "8600",
            "caller": "0x7ff6c28d1b88",
            "parentcaller": "0x7ff6c28ded9b",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000884"
              }
            ],
            "repeated": 0,
            "id": 11186
          },
          {
            "timestamp": "2026-05-28 22:01:58,334",
            "thread_id": "8600",
            "caller": "0x7ff6c28d1b88",
            "parentcaller": "0x7ff6c28ded9b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000880"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 11187
          },
          {
            "timestamp": "2026-05-28 22:01:58,334",
            "thread_id": "8600",
            "caller": "0x7ff6c28d1b88",
            "parentcaller": "0x7ff6c28ded9b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000884"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000880"
              },
              {
                "name": "ObjectAttributesName",
                "value": "3"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\DevQuery\\3"
              }
            ],
            "repeated": 0,
            "id": 11188
          },
          {
            "timestamp": "2026-05-28 22:01:58,334",
            "thread_id": "8600",
            "caller": "0x7ff6c28d1b88",
            "parentcaller": "0x7ff6c28ded9b",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000884"
              },
              {
                "name": "ValueName",
                "value": "QueryFile"
              },
              {
                "name": "Data",
                "value": "\\Device\\DeviceApi\\Dev\\Query"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\DevQuery\\3\\QueryFile"
              }
            ],
            "repeated": 0,
            "id": 11189
          },
          {
            "timestamp": "2026-05-28 22:01:58,334",
            "thread_id": "8600",
            "caller": "0x7ff6c28d1b88",
            "parentcaller": "0x7ff6c28ded9b",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000884"
              }
            ],
            "repeated": 0,
            "id": 11190
          },
          {
            "timestamp": "2026-05-28 22:01:58,334",
            "thread_id": "8600",
            "caller": "0x7ff6c28d1b88",
            "parentcaller": "0x7ff6c28ded9b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000880"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 11191
          },
          {
            "timestamp": "2026-05-28 22:01:58,334",
            "thread_id": "8604",
            "caller": "0x7ff6c28dd762",
            "parentcaller": "0x7ff6c28e113d",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000890"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100021",
                "pretty_value": "FILE_READ_ACCESS|FILE_EXECUTE|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\IPHLPAPI.DLL"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 11192
          },
          {
            "timestamp": "2026-05-28 22:01:58,334",
            "thread_id": "8600",
            "caller": "0x7ff6c28d1b88",
            "parentcaller": "0x7ff6c28ded9b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000880"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 11193
          },
          {
            "timestamp": "2026-05-28 22:01:58,334",
            "thread_id": "8600",
            "caller": "0x7ff6c28d1b88",
            "parentcaller": "0x7ff6c28ded9b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000884"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000880"
              },
              {
                "name": "ObjectAttributesName",
                "value": "3"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\DevQuery\\3"
              }
            ],
            "repeated": 0,
            "id": 11194
          },
          {
            "timestamp": "2026-05-28 22:01:58,334",
            "thread_id": "8600",
            "caller": "0x7ff6c28d1b88",
            "parentcaller": "0x7ff6c28ded9b",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000884"
              },
              {
                "name": "ValueName",
                "value": "NoStateFile"
              },
              {
                "name": "Data",
                "value": "\\Device\\DeviceApi\\Dev\\NoState"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\DevQuery\\3\\NoStateFile"
              }
            ],
            "repeated": 0,
            "id": 11195
          },
          {
            "timestamp": "2026-05-28 22:01:58,334",
            "thread_id": "8600",
            "caller": "0x7ff6c28d1b88",
            "parentcaller": "0x7ff6c28ded9b",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000884"
              }
            ],
            "repeated": 0,
            "id": 11196
          },
          {
            "timestamp": "2026-05-28 22:01:58,334",
            "thread_id": "8604",
            "caller": "0x7ff6c28dd762",
            "parentcaller": "0x7ff6c28e113d",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000894"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0000000d",
                "pretty_value": "SECTION_QUERY|SECTION_MAP_READ|SECTION_MAP_EXECUTE"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000890"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\IPHLPAPI.DLL"
              }
            ],
            "repeated": 0,
            "id": 11197
          },
          {
            "timestamp": "2026-05-28 22:01:58,334",
            "thread_id": "8600",
            "caller": "0x7ff6c28d1b88",
            "parentcaller": "0x7ff6c28ded9b",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000884"
              }
            ],
            "repeated": 0,
            "id": 11198
          },
          {
            "timestamp": "2026-05-28 22:01:58,334",
            "thread_id": "8600",
            "caller": "0x7ff6c28d1b88",
            "parentcaller": "0x7ff6c28ded9b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000880"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 11199
          },
          {
            "timestamp": "2026-05-28 22:01:58,334",
            "thread_id": "8604",
            "caller": "0x7ff6c28dd762",
            "parentcaller": "0x7ff6c28e113d",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000894"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc74a70000"
              },
              {
                "name": "SectionOffset",
                "value": "0x00000000"
              },
              {
                "name": "ViewSize",
                "value": "0x0003b000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000080",
                "pretty_value": "PAGE_EXECUTE_WRITECOPY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 11200
          },
          {
            "timestamp": "2026-05-28 22:01:58,334",
            "thread_id": "8600",
            "caller": "0x7ff6c28d1b88",
            "parentcaller": "0x7ff6c28ded9b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000884"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000880"
              },
              {
                "name": "ObjectAttributesName",
                "value": "4"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\DevQuery\\4"
              }
            ],
            "repeated": 0,
            "id": 11201
          },
          {
            "timestamp": "2026-05-28 22:01:58,334",
            "thread_id": "8600",
            "caller": "0x7ff6c28d1b88",
            "parentcaller": "0x7ff6c28ded9b",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000884"
              },
              {
                "name": "ValueName",
                "value": "IdType"
              },
              {
                "name": "Data",
                "value": "Uuid"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\DevQuery\\4\\IdType"
              }
            ],
            "repeated": 0,
            "id": 11202
          },
          {
            "timestamp": "2026-05-28 22:01:58,334",
            "thread_id": "8600",
            "caller": "0x7ff6c28d1b88",
            "parentcaller": "0x7ff6c28ded9b",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000884"
              }
            ],
            "repeated": 0,
            "id": 11203
          },
          {
            "timestamp": "2026-05-28 22:01:58,334",
            "thread_id": "8604",
            "caller": "0x7ff6c28dd762",
            "parentcaller": "0x7ff6c28e113d",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc74aa8000"
              },
              {
                "name": "ModuleName",
                "value": "IPHLPAPI.DLL"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 11204
          },
          {
            "timestamp": "2026-05-28 22:01:58,334",
            "thread_id": "8600",
            "caller": "0x7ff6c28d1b88",
            "parentcaller": "0x7ff6c28ded9b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000880"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 11205
          },
          {
            "timestamp": "2026-05-28 22:01:58,334",
            "thread_id": "8604",
            "caller": "0x7ff6c28dd762",
            "parentcaller": "0x7ff6c28e113d",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc74a9a000"
              },
              {
                "name": "ModuleName",
                "value": "IPHLPAPI.DLL"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 11206
          },
          {
            "timestamp": "2026-05-28 22:01:58,334",
            "thread_id": "8600",
            "caller": "0x7ff6c28d1b88",
            "parentcaller": "0x7ff6c28ded9b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000884"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000880"
              },
              {
                "name": "ObjectAttributesName",
                "value": "4"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\DevQuery\\4"
              }
            ],
            "repeated": 0,
            "id": 11207
          },
          {
            "timestamp": "2026-05-28 22:01:58,334",
            "thread_id": "8604",
            "caller": "0x7ff6c28dd762",
            "parentcaller": "0x7ff6c28e113d",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc74a9a000"
              },
              {
                "name": "ModuleName",
                "value": "IPHLPAPI.DLL"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 11208
          },
          {
            "timestamp": "2026-05-28 22:01:58,334",
            "thread_id": "8600",
            "caller": "0x7ff6c28d1b88",
            "parentcaller": "0x7ff6c28ded9b",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000884"
              }
            ],
            "repeated": 0,
            "id": 11209
          },
          {
            "timestamp": "2026-05-28 22:01:58,334",
            "thread_id": "8604",
            "caller": "0x7ff6c28dd762",
            "parentcaller": "0x7ff6c28e113d",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc74a9a000"
              },
              {
                "name": "ModuleName",
                "value": "IPHLPAPI.DLL"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 11210
          },
          {
            "timestamp": "2026-05-28 22:01:58,334",
            "thread_id": "8600",
            "caller": "0x7ff6c28d1b88",
            "parentcaller": "0x7ff6c28ded9b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000880"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 11211
          },
          {
            "timestamp": "2026-05-28 22:01:58,334",
            "thread_id": "8604",
            "caller": "0x7ff6c28dd762",
            "parentcaller": "0x7ff6c28e113d",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc74a9a000"
              },
              {
                "name": "ModuleName",
                "value": "IPHLPAPI.DLL"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 11212
          },
          {
            "timestamp": "2026-05-28 22:01:58,334",
            "thread_id": "8600",
            "caller": "0x7ff6c28d1b88",
            "parentcaller": "0x7ff6c28ded9b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000884"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000880"
              },
              {
                "name": "ObjectAttributesName",
                "value": "4"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\DevQuery\\4"
              }
            ],
            "repeated": 0,
            "id": 11213
          },
          {
            "timestamp": "2026-05-28 22:01:58,334",
            "thread_id": "8604",
            "caller": "0x7ff6c28dd762",
            "parentcaller": "0x7ff6c28e113d",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000894"
              }
            ],
            "repeated": 0,
            "id": 11214
          },
          {
            "timestamp": "2026-05-28 22:01:58,334",
            "thread_id": "8604",
            "caller": "0x7ffc7802fd71",
            "parentcaller": "0x7ffc7802f7b0",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000890"
              }
            ],
            "repeated": 0,
            "id": 11215
          },
          {
            "timestamp": "2026-05-28 22:01:58,334",
            "thread_id": "8600",
            "caller": "0x7ff6c28d1b88",
            "parentcaller": "0x7ff6c28ded9b",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000884"
              },
              {
                "name": "ValueName",
                "value": "Transport"
              },
              {
                "name": "Data",
                "value": "IOCTL"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\DevQuery\\4\\Transport"
              }
            ],
            "repeated": 0,
            "id": 11216
          },
          {
            "timestamp": "2026-05-28 22:01:58,334",
            "thread_id": "8600",
            "caller": "0x7ff6c28d1b88",
            "parentcaller": "0x7ff6c28ded9b",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000884"
              }
            ],
            "repeated": 0,
            "id": 11217
          },
          {
            "timestamp": "2026-05-28 22:01:58,334",
            "thread_id": "8600",
            "caller": "0x7ff6c28d1b88",
            "parentcaller": "0x7ff6c28ded9b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000880"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 11218
          },
          {
            "timestamp": "2026-05-28 22:01:58,334",
            "thread_id": "8604",
            "caller": "0x7ff6c28dd762",
            "parentcaller": "0x7ff6c28e113d",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc74a9a000"
              },
              {
                "name": "ModuleName",
                "value": "IPHLPAPI.DLL"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 11219
          },
          {
            "timestamp": "2026-05-28 22:01:58,334",
            "thread_id": "8600",
            "caller": "0x7ff6c28d1b88",
            "parentcaller": "0x7ff6c28ded9b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000884"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000880"
              },
              {
                "name": "ObjectAttributesName",
                "value": "4"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\DevQuery\\4"
              }
            ],
            "repeated": 0,
            "id": 11220
          },
          {
            "timestamp": "2026-05-28 22:01:58,334",
            "thread_id": "8604",
            "caller": "0x7ff6c28dd762",
            "parentcaller": "0x7ff6c28e113d",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\system32\\IPHLPAPI"
              },
              {
                "name": "DllBase",
                "value": "0x7ffc74a70000"
              }
            ],
            "repeated": 0,
            "id": 11221
          },
          {
            "timestamp": "2026-05-28 22:01:58,334",
            "thread_id": "8600",
            "caller": "0x7ff6c28d1b88",
            "parentcaller": "0x7ff6c28ded9b",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000884"
              },
              {
                "name": "ValueName",
                "value": "QueryFile"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\DevQuery\\4\\QueryFile"
              }
            ],
            "repeated": 0,
            "id": 11222
          },
          {
            "timestamp": "2026-05-28 22:01:58,334",
            "thread_id": "8600",
            "caller": "0x7ff6c28d1b88",
            "parentcaller": "0x7ff6c28ded9b",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000884"
              }
            ],
            "repeated": 0,
            "id": 11223
          },
          {
            "timestamp": "2026-05-28 22:01:58,334",
            "thread_id": "8600",
            "caller": "0x7ff6c28d1b88",
            "parentcaller": "0x7ff6c28ded9b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000880"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 11224
          },
          {
            "timestamp": "2026-05-28 22:01:58,334",
            "thread_id": "8600",
            "caller": "0x7ff6c28d1b88",
            "parentcaller": "0x7ff6c28ded9b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000884"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000880"
              },
              {
                "name": "ObjectAttributesName",
                "value": "4"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\DevQuery\\4"
              }
            ],
            "repeated": 0,
            "id": 11225
          },
          {
            "timestamp": "2026-05-28 22:01:58,334",
            "thread_id": "8604",
            "caller": "0x7ff6c28dd762",
            "parentcaller": "0x7ff6c28e113d",
            "category": "system",
            "api": "NtQuerySystemTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 11226
          },
          {
            "timestamp": "2026-05-28 22:01:58,334",
            "thread_id": "8600",
            "caller": "0x7ff6c28d1b88",
            "parentcaller": "0x7ff6c28ded9b",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000884"
              },
              {
                "name": "ValueName",
                "value": "QueryFile"
              },
              {
                "name": "Data",
                "value": "\\Device\\DeviceApi\\Dev\\Query"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\DevQuery\\4\\QueryFile"
              }
            ],
            "repeated": 0,
            "id": 11227
          },
          {
            "timestamp": "2026-05-28 22:01:58,334",
            "thread_id": "8600",
            "caller": "0x7ff6c28d1b88",
            "parentcaller": "0x7ff6c28ded9b",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000884"
              }
            ],
            "repeated": 0,
            "id": 11228
          },
          {
            "timestamp": "2026-05-28 22:01:58,334",
            "thread_id": "8600",
            "caller": "0x7ff6c28d1b88",
            "parentcaller": "0x7ff6c28ded9b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000880"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 11229
          },
          {
            "timestamp": "2026-05-28 22:01:58,334",
            "thread_id": "8600",
            "caller": "0x7ff6c28d1b88",
            "parentcaller": "0x7ff6c28ded9b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000884"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000880"
              },
              {
                "name": "ObjectAttributesName",
                "value": "4"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\DevQuery\\4"
              }
            ],
            "repeated": 0,
            "id": 11230
          },
          {
            "timestamp": "2026-05-28 22:01:58,334",
            "thread_id": "8600",
            "caller": "0x7ff6c28d1b88",
            "parentcaller": "0x7ff6c28ded9b",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000884"
              },
              {
                "name": "ValueName",
                "value": "NoStateFile"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\DevQuery\\4\\NoStateFile"
              }
            ],
            "repeated": 0,
            "id": 11231
          },
          {
            "timestamp": "2026-05-28 22:01:58,334",
            "thread_id": "8604",
            "caller": "0x7ff6c28dd762",
            "parentcaller": "0x7ff6c28e113d",
            "category": "system",
            "api": "NtQuerySystemTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 11232
          },
          {
            "timestamp": "2026-05-28 22:01:58,334",
            "thread_id": "8600",
            "caller": "0x7ff6c28d1b88",
            "parentcaller": "0x7ff6c28ded9b",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000884"
              }
            ],
            "repeated": 0,
            "id": 11233
          },
          {
            "timestamp": "2026-05-28 22:01:58,334",
            "thread_id": "8600",
            "caller": "0x7ff6c28d1b88",
            "parentcaller": "0x7ff6c28ded9b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000884"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000880"
              },
              {
                "name": "ObjectAttributesName",
                "value": "4"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\DevQuery\\4"
              }
            ],
            "repeated": 0,
            "id": 11234
          },
          {
            "timestamp": "2026-05-28 22:01:58,334",
            "thread_id": "8600",
            "caller": "0x7ff6c28d1b88",
            "parentcaller": "0x7ff6c28ded9b",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000884"
              },
              {
                "name": "ValueName",
                "value": "NoStateFile"
              },
              {
                "name": "Data",
                "value": "\\Device\\DeviceApi\\Dev\\NoState"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\DevQuery\\4\\NoStateFile"
              }
            ],
            "repeated": 0,
            "id": 11235
          },
          {
            "timestamp": "2026-05-28 22:01:58,334",
            "thread_id": "8600",
            "caller": "0x7ff6c28d1b88",
            "parentcaller": "0x7ff6c28ded9b",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000884"
              }
            ],
            "repeated": 0,
            "id": 11236
          },
          {
            "timestamp": "2026-05-28 22:01:58,334",
            "thread_id": "8600",
            "caller": "0x7ff6c28d1b88",
            "parentcaller": "0x7ff6c28ded9b",
            "category": "registry",
            "api": "RegEnumKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000880"
              },
              {
                "name": "Index",
                "value": "6"
              },
              {
                "name": "Name",
                "value": "5"
              },
              {
                "name": "Class",
                "value": ""
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\DevQuery\\5"
              }
            ],
            "repeated": 0,
            "id": 11237
          },
          {
            "timestamp": "2026-05-28 22:01:58,334",
            "thread_id": "8600",
            "caller": "0x7ff6c28d1b88",
            "parentcaller": "0x7ff6c28ded9b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000880"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 11238
          },
          {
            "timestamp": "2026-05-28 22:01:58,334",
            "thread_id": "8600",
            "caller": "0x7ff6c28d1b88",
            "parentcaller": "0x7ff6c28ded9b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000890"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000880"
              },
              {
                "name": "ObjectAttributesName",
                "value": "5"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\DevQuery\\5"
              }
            ],
            "repeated": 0,
            "id": 11239
          },
          {
            "timestamp": "2026-05-28 22:01:58,334",
            "thread_id": "8600",
            "caller": "0x7ff6c28d1b88",
            "parentcaller": "0x7ff6c28ded9b",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000890"
              },
              {
                "name": "ValueName",
                "value": "IdType"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\DevQuery\\5\\IdType"
              }
            ],
            "repeated": 0,
            "id": 11240
          },
          {
            "timestamp": "2026-05-28 22:01:58,334",
            "thread_id": "8600",
            "caller": "0x7ff6c28d1b88",
            "parentcaller": "0x7ff6c28ded9b",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000890"
              }
            ],
            "repeated": 0,
            "id": 11241
          },
          {
            "timestamp": "2026-05-28 22:01:58,334",
            "thread_id": "8600",
            "caller": "0x7ff6c28d1b88",
            "parentcaller": "0x7ff6c28ded9b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000880"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 11242
          },
          {
            "timestamp": "2026-05-28 22:01:58,334",
            "thread_id": "8600",
            "caller": "0x7ff6c28d1b88",
            "parentcaller": "0x7ff6c28ded9b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000890"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000880"
              },
              {
                "name": "ObjectAttributesName",
                "value": "5"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\DevQuery\\5"
              }
            ],
            "repeated": 0,
            "id": 11243
          },
          {
            "timestamp": "2026-05-28 22:01:58,334",
            "thread_id": "8600",
            "caller": "0x7ff6c28d1b88",
            "parentcaller": "0x7ff6c28ded9b",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000890"
              },
              {
                "name": "ValueName",
                "value": "IdType"
              },
              {
                "name": "Data",
                "value": "String"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\DevQuery\\5\\IdType"
              }
            ],
            "repeated": 0,
            "id": 11244
          },
          {
            "timestamp": "2026-05-28 22:01:58,334",
            "thread_id": "8600",
            "caller": "0x7ff6c28d1b88",
            "parentcaller": "0x7ff6c28ded9b",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000890"
              }
            ],
            "repeated": 0,
            "id": 11245
          },
          {
            "timestamp": "2026-05-28 22:01:58,334",
            "thread_id": "8600",
            "caller": "0x7ff6c28d1b88",
            "parentcaller": "0x7ff6c28ded9b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000880"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 11246
          },
          {
            "timestamp": "2026-05-28 22:01:58,334",
            "thread_id": "8600",
            "caller": "0x7ff6c28d1b88",
            "parentcaller": "0x7ff6c28ded9b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000890"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000880"
              },
              {
                "name": "ObjectAttributesName",
                "value": "5"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\DevQuery\\5"
              }
            ],
            "repeated": 0,
            "id": 11247
          },
          {
            "timestamp": "2026-05-28 22:01:58,334",
            "thread_id": "8600",
            "caller": "0x7ff6c28d1b88",
            "parentcaller": "0x7ff6c28ded9b",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000890"
              },
              {
                "name": "ValueName",
                "value": "Transport"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\DevQuery\\5\\Transport"
              }
            ],
            "repeated": 0,
            "id": 11248
          },
          {
            "timestamp": "2026-05-28 22:01:58,334",
            "thread_id": "8600",
            "caller": "0x7ff6c28d1b88",
            "parentcaller": "0x7ff6c28ded9b",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000890"
              }
            ],
            "repeated": 0,
            "id": 11249
          },
          {
            "timestamp": "2026-05-28 22:01:58,334",
            "thread_id": "8600",
            "caller": "0x7ff6c28d1b88",
            "parentcaller": "0x7ff6c28ded9b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000880"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 11250
          },
          {
            "timestamp": "2026-05-28 22:01:58,334",
            "thread_id": "8600",
            "caller": "0x7ff6c28d1b88",
            "parentcaller": "0x7ff6c28ded9b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000890"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000880"
              },
              {
                "name": "ObjectAttributesName",
                "value": "5"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\DevQuery\\5"
              }
            ],
            "repeated": 0,
            "id": 11251
          },
          {
            "timestamp": "2026-05-28 22:01:58,334",
            "thread_id": "8600",
            "caller": "0x7ff6c28d1b88",
            "parentcaller": "0x7ff6c28ded9b",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000890"
              },
              {
                "name": "ValueName",
                "value": "Transport"
              },
              {
                "name": "Data",
                "value": "LRPC"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\DevQuery\\5\\Transport"
              }
            ],
            "repeated": 0,
            "id": 11252
          },
          {
            "timestamp": "2026-05-28 22:01:58,334",
            "thread_id": "8600",
            "caller": "0x7ff6c28d1b88",
            "parentcaller": "0x7ff6c28ded9b",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000890"
              }
            ],
            "repeated": 0,
            "id": 11253
          },
          {
            "timestamp": "2026-05-28 22:01:58,334",
            "thread_id": "8600",
            "caller": "0x7ff6c28d1b88",
            "parentcaller": "0x7ff6c28ded9b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000880"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 11254
          },
          {
            "timestamp": "2026-05-28 22:01:58,334",
            "thread_id": "8600",
            "caller": "0x7ff6c28d1b88",
            "parentcaller": "0x7ff6c28ded9b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000890"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000880"
              },
              {
                "name": "ObjectAttributesName",
                "value": "5"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\DevQuery\\5"
              }
            ],
            "repeated": 0,
            "id": 11255
          },
          {
            "timestamp": "2026-05-28 22:01:58,334",
            "thread_id": "8600",
            "caller": "0x7ff6c28d1b88",
            "parentcaller": "0x7ff6c28ded9b",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000890"
              },
              {
                "name": "ValueName",
                "value": "UUID"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\DevQuery\\5\\UUID"
              }
            ],
            "repeated": 0,
            "id": 11256
          },
          {
            "timestamp": "2026-05-28 22:01:58,334",
            "thread_id": "8600",
            "caller": "0x7ff6c28d1b88",
            "parentcaller": "0x7ff6c28ded9b",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000890"
              }
            ],
            "repeated": 0,
            "id": 11257
          },
          {
            "timestamp": "2026-05-28 22:01:58,334",
            "thread_id": "8600",
            "caller": "0x7ff6c28d1b88",
            "parentcaller": "0x7ff6c28ded9b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000880"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 11258
          },
          {
            "timestamp": "2026-05-28 22:01:58,334",
            "thread_id": "8600",
            "caller": "0x7ff6c28d1b88",
            "parentcaller": "0x7ff6c28ded9b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000890"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000880"
              },
              {
                "name": "ObjectAttributesName",
                "value": "5"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\DevQuery\\5"
              }
            ],
            "repeated": 0,
            "id": 11259
          },
          {
            "timestamp": "2026-05-28 22:01:58,334",
            "thread_id": "8600",
            "caller": "0x7ff6c28d1b88",
            "parentcaller": "0x7ff6c28ded9b",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000890"
              },
              {
                "name": "ValueName",
                "value": "UUID"
              },
              {
                "name": "Data",
                "value": "289e5e0f-414a-4de9-8d17-244507fffc07"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\DevQuery\\5\\UUID"
              }
            ],
            "repeated": 0,
            "id": 11260
          },
          {
            "timestamp": "2026-05-28 22:01:58,334",
            "thread_id": "8600",
            "caller": "0x7ff6c28d1b88",
            "parentcaller": "0x7ff6c28ded9b",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000890"
              }
            ],
            "repeated": 0,
            "id": 11261
          },
          {
            "timestamp": "2026-05-28 22:01:58,334",
            "thread_id": "8600",
            "caller": "0x7ff6c28d1b88",
            "parentcaller": "0x7ff6c28ded9b",
            "category": "registry",
            "api": "RegEnumKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000880"
              },
              {
                "name": "Index",
                "value": "7"
              },
              {
                "name": "Name",
                "value": "6"
              },
              {
                "name": "Class",
                "value": ""
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\DevQuery\\6"
              }
            ],
            "repeated": 0,
            "id": 11262
          },
          {
            "timestamp": "2026-05-28 22:01:58,334",
            "thread_id": "8600",
            "caller": "0x7ff6c28d1b88",
            "parentcaller": "0x7ff6c28ded9b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000880"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 11263
          },
          {
            "timestamp": "2026-05-28 22:01:58,334",
            "thread_id": "8600",
            "caller": "0x7ff6c28d1b88",
            "parentcaller": "0x7ff6c28ded9b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000890"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000880"
              },
              {
                "name": "ObjectAttributesName",
                "value": "6"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\DevQuery\\6"
              }
            ],
            "repeated": 0,
            "id": 11264
          },
          {
            "timestamp": "2026-05-28 22:01:58,334",
            "thread_id": "8600",
            "caller": "0x7ff6c28d1b88",
            "parentcaller": "0x7ff6c28ded9b",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000890"
              },
              {
                "name": "ValueName",
                "value": "IdType"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\DevQuery\\6\\IdType"
              }
            ],
            "repeated": 0,
            "id": 11265
          },
          {
            "timestamp": "2026-05-28 22:01:58,334",
            "thread_id": "8600",
            "caller": "0x7ff6c28d1b88",
            "parentcaller": "0x7ff6c28ded9b",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000890"
              }
            ],
            "repeated": 0,
            "id": 11266
          },
          {
            "timestamp": "2026-05-28 22:01:58,334",
            "thread_id": "8600",
            "caller": "0x7ff6c28d1b88",
            "parentcaller": "0x7ff6c28ded9b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000880"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 11267
          },
          {
            "timestamp": "2026-05-28 22:01:58,334",
            "thread_id": "8600",
            "caller": "0x7ff6c28d1b88",
            "parentcaller": "0x7ff6c28ded9b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000890"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000880"
              },
              {
                "name": "ObjectAttributesName",
                "value": "6"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\DevQuery\\6"
              }
            ],
            "repeated": 0,
            "id": 11268
          },
          {
            "timestamp": "2026-05-28 22:01:58,334",
            "thread_id": "8600",
            "caller": "0x7ff6c28d1b88",
            "parentcaller": "0x7ff6c28ded9b",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000890"
              },
              {
                "name": "ValueName",
                "value": "IdType"
              },
              {
                "name": "Data",
                "value": "Uuid"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\DevQuery\\6\\IdType"
              }
            ],
            "repeated": 0,
            "id": 11269
          },
          {
            "timestamp": "2026-05-28 22:01:58,334",
            "thread_id": "8600",
            "caller": "0x7ff6c28d1b88",
            "parentcaller": "0x7ff6c28ded9b",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000890"
              }
            ],
            "repeated": 0,
            "id": 11270
          },
          {
            "timestamp": "2026-05-28 22:01:58,334",
            "thread_id": "8600",
            "caller": "0x7ff6c28d1b88",
            "parentcaller": "0x7ff6c28ded9b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000880"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 11271
          },
          {
            "timestamp": "2026-05-28 22:01:58,334",
            "thread_id": "8600",
            "caller": "0x7ff6c28d1b88",
            "parentcaller": "0x7ff6c28ded9b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000890"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000880"
              },
              {
                "name": "ObjectAttributesName",
                "value": "6"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\DevQuery\\6"
              }
            ],
            "repeated": 0,
            "id": 11272
          },
          {
            "timestamp": "2026-05-28 22:01:58,334",
            "thread_id": "8600",
            "caller": "0x7ff6c28d1b88",
            "parentcaller": "0x7ff6c28ded9b",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000890"
              },
              {
                "name": "ValueName",
                "value": "Transport"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\DevQuery\\6\\Transport"
              }
            ],
            "repeated": 0,
            "id": 11273
          },
          {
            "timestamp": "2026-05-28 22:01:58,334",
            "thread_id": "8600",
            "caller": "0x7ff6c28d1b88",
            "parentcaller": "0x7ff6c28ded9b",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000890"
              }
            ],
            "repeated": 0,
            "id": 11274
          },
          {
            "timestamp": "2026-05-28 22:01:58,334",
            "thread_id": "8600",
            "caller": "0x7ff6c28d1b88",
            "parentcaller": "0x7ff6c28ded9b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000880"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 11275
          },
          {
            "timestamp": "2026-05-28 22:01:58,334",
            "thread_id": "8600",
            "caller": "0x7ff6c28d1b88",
            "parentcaller": "0x7ff6c28ded9b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000890"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000880"
              },
              {
                "name": "ObjectAttributesName",
                "value": "6"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\DevQuery\\6"
              }
            ],
            "repeated": 0,
            "id": 11276
          },
          {
            "timestamp": "2026-05-28 22:01:58,334",
            "thread_id": "8600",
            "caller": "0x7ff6c28d1b88",
            "parentcaller": "0x7ff6c28ded9b",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000890"
              },
              {
                "name": "ValueName",
                "value": "Transport"
              },
              {
                "name": "Data",
                "value": "LRPC"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\DevQuery\\6\\Transport"
              }
            ],
            "repeated": 0,
            "id": 11277
          },
          {
            "timestamp": "2026-05-28 22:01:58,334",
            "thread_id": "8600",
            "caller": "0x7ff6c28d1b88",
            "parentcaller": "0x7ff6c28ded9b",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000890"
              }
            ],
            "repeated": 0,
            "id": 11278
          },
          {
            "timestamp": "2026-05-28 22:01:58,334",
            "thread_id": "8600",
            "caller": "0x7ff6c28d1b88",
            "parentcaller": "0x7ff6c28ded9b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000880"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 11279
          },
          {
            "timestamp": "2026-05-28 22:01:58,334",
            "thread_id": "8600",
            "caller": "0x7ff6c28d1b88",
            "parentcaller": "0x7ff6c28ded9b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000890"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000880"
              },
              {
                "name": "ObjectAttributesName",
                "value": "6"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\DevQuery\\6"
              }
            ],
            "repeated": 0,
            "id": 11280
          },
          {
            "timestamp": "2026-05-28 22:01:58,334",
            "thread_id": "8600",
            "caller": "0x7ff6c28d1b88",
            "parentcaller": "0x7ff6c28ded9b",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000890"
              },
              {
                "name": "ValueName",
                "value": "UUID"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\DevQuery\\6\\UUID"
              }
            ],
            "repeated": 0,
            "id": 11281
          },
          {
            "timestamp": "2026-05-28 22:01:58,334",
            "thread_id": "8600",
            "caller": "0x7ff6c28d1b88",
            "parentcaller": "0x7ff6c28ded9b",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000890"
              }
            ],
            "repeated": 0,
            "id": 11282
          },
          {
            "timestamp": "2026-05-28 22:01:58,334",
            "thread_id": "8600",
            "caller": "0x7ff6c28d1b88",
            "parentcaller": "0x7ff6c28ded9b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000880"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 11283
          },
          {
            "timestamp": "2026-05-28 22:01:58,334",
            "thread_id": "8600",
            "caller": "0x7ffc756e3f76",
            "parentcaller": "0x7ffc75764fd4",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000890"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000880"
              },
              {
                "name": "ObjectAttributesName",
                "value": "6"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\DevQuery\\6"
              }
            ],
            "repeated": 0,
            "id": 11284
          },
          {
            "timestamp": "2026-05-28 22:01:58,334",
            "thread_id": "1276",
            "caller": "0x7ff6c28ba673",
            "parentcaller": "0x7ff6c28ba5a8",
            "category": "filesystem",
            "api": "NtSetInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000818"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\SystemApps\\Microsoft.Windows.Search_cw5n1h2txyewy\\Assets\\Icons\\AppListIcon.scale-100.png"
              },
              {
                "name": "FileInformationClass",
                "value": "14",
                "pretty_value": "FilePositionInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 11285
          },
          {
            "timestamp": "2026-05-28 22:01:58,334",
            "thread_id": "8600",
            "caller": "0x7ff6c28d1b88",
            "parentcaller": "0x7ff6c28ded9b",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000890"
              },
              {
                "name": "ValueName",
                "value": "UUID"
              },
              {
                "name": "Data",
                "value": "289e5e0f-414a-4de9-8d17-244507fffc07"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\DevQuery\\6\\UUID"
              }
            ],
            "repeated": 0,
            "id": 11286
          },
          {
            "timestamp": "2026-05-28 22:01:58,334",
            "thread_id": "8600",
            "caller": "0x7ff6c28d1b88",
            "parentcaller": "0x7ff6c28ded9b",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000890"
              }
            ],
            "repeated": 0,
            "id": 11287
          },
          {
            "timestamp": "2026-05-28 22:01:58,334",
            "thread_id": "8600",
            "caller": "0x7ff6c28d1b88",
            "parentcaller": "0x7ff6c28ded9b",
            "category": "registry",
            "api": "RegEnumKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000880"
              },
              {
                "name": "Index",
                "value": "8"
              },
              {
                "name": "Name",
                "value": "7"
              },
              {
                "name": "Class",
                "value": ""
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\DevQuery\\7"
              }
            ],
            "repeated": 0,
            "id": 11288
          },
          {
            "timestamp": "2026-05-28 22:01:58,334",
            "thread_id": "8600",
            "caller": "0x7ff6c28d1b88",
            "parentcaller": "0x7ff6c28ded9b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000880"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 11289
          },
          {
            "timestamp": "2026-05-28 22:01:58,334",
            "thread_id": "8600",
            "caller": "0x7ff6c28d1b88",
            "parentcaller": "0x7ff6c28ded9b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000890"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000880"
              },
              {
                "name": "ObjectAttributesName",
                "value": "7"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\DevQuery\\7"
              }
            ],
            "repeated": 0,
            "id": 11290
          },
          {
            "timestamp": "2026-05-28 22:01:58,334",
            "thread_id": "8600",
            "caller": "0x7ff6c28d1b88",
            "parentcaller": "0x7ff6c28ded9b",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000890"
              },
              {
                "name": "ValueName",
                "value": "IdType"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\DevQuery\\7\\IdType"
              }
            ],
            "repeated": 0,
            "id": 11291
          },
          {
            "timestamp": "2026-05-28 22:01:58,334",
            "thread_id": "8600",
            "caller": "0x7ff6c28d1b88",
            "parentcaller": "0x7ff6c28ded9b",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000890"
              }
            ],
            "repeated": 0,
            "id": 11292
          },
          {
            "timestamp": "2026-05-28 22:01:58,334",
            "thread_id": "8600",
            "caller": "0x7ff6c28d1b88",
            "parentcaller": "0x7ff6c28ded9b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000880"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 11293
          },
          {
            "timestamp": "2026-05-28 22:01:58,334",
            "thread_id": "8600",
            "caller": "0x7ff6c28d1b88",
            "parentcaller": "0x7ff6c28ded9b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000890"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000880"
              },
              {
                "name": "ObjectAttributesName",
                "value": "7"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\DevQuery\\7"
              }
            ],
            "repeated": 0,
            "id": 11294
          },
          {
            "timestamp": "2026-05-28 22:01:58,334",
            "thread_id": "8600",
            "caller": "0x7ff6c28d1b88",
            "parentcaller": "0x7ff6c28ded9b",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000890"
              },
              {
                "name": "ValueName",
                "value": "IdType"
              },
              {
                "name": "Data",
                "value": "Uuid"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\DevQuery\\7\\IdType"
              }
            ],
            "repeated": 0,
            "id": 11295
          },
          {
            "timestamp": "2026-05-28 22:01:58,334",
            "thread_id": "8600",
            "caller": "0x7ff6c28d1b88",
            "parentcaller": "0x7ff6c28ded9b",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000890"
              }
            ],
            "repeated": 0,
            "id": 11296
          },
          {
            "timestamp": "2026-05-28 22:01:58,334",
            "thread_id": "8600",
            "caller": "0x7ff6c28d1b88",
            "parentcaller": "0x7ff6c28ded9b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000880"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 11297
          },
          {
            "timestamp": "2026-05-28 22:01:58,334",
            "thread_id": "8600",
            "caller": "0x7ff6c28d1b88",
            "parentcaller": "0x7ff6c28ded9b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000890"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000880"
              },
              {
                "name": "ObjectAttributesName",
                "value": "7"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\DevQuery\\7"
              }
            ],
            "repeated": 0,
            "id": 11298
          },
          {
            "timestamp": "2026-05-28 22:01:58,334",
            "thread_id": "8600",
            "caller": "0x7ff6c28d1b88",
            "parentcaller": "0x7ff6c28ded9b",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000890"
              },
              {
                "name": "ValueName",
                "value": "Transport"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\DevQuery\\7\\Transport"
              }
            ],
            "repeated": 0,
            "id": 11299
          },
          {
            "timestamp": "2026-05-28 22:01:58,334",
            "thread_id": "8600",
            "caller": "0x7ff6c28d1b88",
            "parentcaller": "0x7ff6c28ded9b",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000890"
              }
            ],
            "repeated": 0,
            "id": 11300
          },
          {
            "timestamp": "2026-05-28 22:01:58,334",
            "thread_id": "8600",
            "caller": "0x7ff6c28d1b88",
            "parentcaller": "0x7ff6c28ded9b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000880"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 11301
          },
          {
            "timestamp": "2026-05-28 22:01:58,334",
            "thread_id": "8600",
            "caller": "0x7ff6c28d1b88",
            "parentcaller": "0x7ff6c28ded9b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000890"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000880"
              },
              {
                "name": "ObjectAttributesName",
                "value": "7"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\DevQuery\\7"
              }
            ],
            "repeated": 0,
            "id": 11302
          },
          {
            "timestamp": "2026-05-28 22:01:58,334",
            "thread_id": "8600",
            "caller": "0x7ff6c28d1b88",
            "parentcaller": "0x7ff6c28ded9b",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000890"
              },
              {
                "name": "ValueName",
                "value": "Transport"
              },
              {
                "name": "Data",
                "value": "IOCTL"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\DevQuery\\7\\Transport"
              }
            ],
            "repeated": 0,
            "id": 11303
          },
          {
            "timestamp": "2026-05-28 22:01:58,334",
            "thread_id": "1276",
            "caller": "0x7ff6c28ba673",
            "parentcaller": "0x7ff6c28ba5a8",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000818"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\SystemApps\\Microsoft.Windows.Search_cw5n1h2txyewy\\Assets\\Icons\\AppListIcon.scale-100.png"
              },
              {
                "name": "FileInformationClass",
                "value": "5",
                "pretty_value": "FileStandardInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\xd3\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 11304
          },
          {
            "timestamp": "2026-05-28 22:01:58,334",
            "thread_id": "8600",
            "caller": "0x7ff6c28d1b88",
            "parentcaller": "0x7ff6c28ded9b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000880"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 11305
          },
          {
            "timestamp": "2026-05-28 22:01:58,334",
            "thread_id": "8600",
            "caller": "0x7ff6c28d1b88",
            "parentcaller": "0x7ff6c28ded9b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000890"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000880"
              },
              {
                "name": "ObjectAttributesName",
                "value": "7"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\DevQuery\\7"
              }
            ],
            "repeated": 0,
            "id": 11306
          },
          {
            "timestamp": "2026-05-28 22:01:58,334",
            "thread_id": "8600",
            "caller": "0x7ff6c28d1b88",
            "parentcaller": "0x7ff6c28ded9b",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000890"
              },
              {
                "name": "ValueName",
                "value": "QueryFile"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\DevQuery\\7\\QueryFile"
              }
            ],
            "repeated": 0,
            "id": 11307
          },
          {
            "timestamp": "2026-05-28 22:01:58,334",
            "thread_id": "8600",
            "caller": "0x7ff6c28d1b88",
            "parentcaller": "0x7ff6c28ded9b",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000890"
              }
            ],
            "repeated": 0,
            "id": 11308
          },
          {
            "timestamp": "2026-05-28 22:01:58,334",
            "thread_id": "8600",
            "caller": "0x7ff6c28d1b88",
            "parentcaller": "0x7ff6c28ded9b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000880"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 11309
          },
          {
            "timestamp": "2026-05-28 22:01:58,334",
            "thread_id": "1276",
            "caller": "0x7ff6c28ba673",
            "parentcaller": "0x7ff6c28ba5a8",
            "category": "filesystem",
            "api": "NtSetInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000818"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\SystemApps\\Microsoft.Windows.Search_cw5n1h2txyewy\\Assets\\Icons\\AppListIcon.scale-100.png"
              },
              {
                "name": "FileInformationClass",
                "value": "14",
                "pretty_value": "FilePositionInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 11310
          },
          {
            "timestamp": "2026-05-28 22:01:58,334",
            "thread_id": "8600",
            "caller": "0x7ff6c28d1b88",
            "parentcaller": "0x7ff6c28ded9b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000890"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000880"
              },
              {
                "name": "ObjectAttributesName",
                "value": "7"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\DevQuery\\7"
              }
            ],
            "repeated": 0,
            "id": 11311
          },
          {
            "timestamp": "2026-05-28 22:01:58,334",
            "thread_id": "8600",
            "caller": "0x7ff6c28d1b88",
            "parentcaller": "0x7ff6c28ded9b",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000890"
              },
              {
                "name": "ValueName",
                "value": "QueryFile"
              },
              {
                "name": "Data",
                "value": "\\Device\\DeviceApi\\Dev\\Query"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\DevQuery\\7\\QueryFile"
              }
            ],
            "repeated": 0,
            "id": 11312
          },
          {
            "timestamp": "2026-05-28 22:01:58,334",
            "thread_id": "8600",
            "caller": "0x7ff6c28d1b88",
            "parentcaller": "0x7ff6c28ded9b",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000890"
              }
            ],
            "repeated": 0,
            "id": 11313
          },
          {
            "timestamp": "2026-05-28 22:01:58,334",
            "thread_id": "8600",
            "caller": "0x7ff6c28d1b88",
            "parentcaller": "0x7ff6c28ded9b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000880"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 11314
          },
          {
            "timestamp": "2026-05-28 22:01:58,334",
            "thread_id": "8600",
            "caller": "0x7ff6c28d1b88",
            "parentcaller": "0x7ff6c28ded9b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000890"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000880"
              },
              {
                "name": "ObjectAttributesName",
                "value": "7"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\DevQuery\\7"
              }
            ],
            "repeated": 0,
            "id": 11315
          },
          {
            "timestamp": "2026-05-28 22:01:58,334",
            "thread_id": "1276",
            "caller": "0x7ff6c28ba673",
            "parentcaller": "0x7ff6c28ba5a8",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000818"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\SystemApps\\Microsoft.Windows.Search_cw5n1h2txyewy\\Assets\\Icons\\AppListIcon.scale-100.png"
              },
              {
                "name": "FileInformationClass",
                "value": "14",
                "pretty_value": "FilePositionInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 11316
          },
          {
            "timestamp": "2026-05-28 22:01:58,334",
            "thread_id": "8600",
            "caller": "0x7ff6c28d1b88",
            "parentcaller": "0x7ff6c28ded9b",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000890"
              },
              {
                "name": "ValueName",
                "value": "NoStateFile"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\DevQuery\\7\\NoStateFile"
              }
            ],
            "repeated": 0,
            "id": 11317
          },
          {
            "timestamp": "2026-05-28 22:01:58,334",
            "thread_id": "8600",
            "caller": "0x7ff6c28d1b88",
            "parentcaller": "0x7ff6c28ded9b",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000890"
              }
            ],
            "repeated": 0,
            "id": 11318
          },
          {
            "timestamp": "2026-05-28 22:01:58,334",
            "thread_id": "8600",
            "caller": "0x7ff6c28d1b88",
            "parentcaller": "0x7ff6c28ded9b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000880"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 11319
          },
          {
            "timestamp": "2026-05-28 22:01:58,334",
            "thread_id": "8600",
            "caller": "0x7ff6c28d1b88",
            "parentcaller": "0x7ff6c28ded9b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000890"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000880"
              },
              {
                "name": "ObjectAttributesName",
                "value": "7"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\DevQuery\\7"
              }
            ],
            "repeated": 0,
            "id": 11320
          },
          {
            "timestamp": "2026-05-28 22:01:58,334",
            "thread_id": "1276",
            "caller": "0x7ff6c28ba673",
            "parentcaller": "0x7ff6c28ba5a8",
            "category": "filesystem",
            "api": "NtSetInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000818"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\SystemApps\\Microsoft.Windows.Search_cw5n1h2txyewy\\Assets\\Icons\\AppListIcon.scale-100.png"
              },
              {
                "name": "FileInformationClass",
                "value": "14",
                "pretty_value": "FilePositionInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 11321
          },
          {
            "timestamp": "2026-05-28 22:01:58,334",
            "thread_id": "8600",
            "caller": "0x7ff6c28d1b88",
            "parentcaller": "0x7ff6c28ded9b",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000890"
              },
              {
                "name": "ValueName",
                "value": "NoStateFile"
              },
              {
                "name": "Data",
                "value": "\\Device\\DeviceApi\\Dev\\NoState"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\DevQuery\\7\\NoStateFile"
              }
            ],
            "repeated": 0,
            "id": 11322
          },
          {
            "timestamp": "2026-05-28 22:01:58,334",
            "thread_id": "8600",
            "caller": "0x7ff6c28d1b88",
            "parentcaller": "0x7ff6c28ded9b",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000890"
              }
            ],
            "repeated": 0,
            "id": 11323
          },
          {
            "timestamp": "2026-05-28 22:01:58,334",
            "thread_id": "8600",
            "caller": "0x7ff6c28d1b88",
            "parentcaller": "0x7ff6c28ded9b",
            "category": "registry",
            "api": "RegEnumKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000880"
              },
              {
                "name": "Index",
                "value": "9"
              },
              {
                "name": "Name",
                "value": "8"
              },
              {
                "name": "Class",
                "value": ""
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\DevQuery\\8"
              }
            ],
            "repeated": 0,
            "id": 11324
          },
          {
            "timestamp": "2026-05-28 22:01:58,334",
            "thread_id": "1276",
            "caller": "0x7ff6c28ba673",
            "parentcaller": "0x7ff6c28ba5a8",
            "category": "filesystem",
            "api": "NtReadFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000818"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\SystemApps\\Microsoft.Windows.Search_cw5n1h2txyewy\\Assets\\Icons\\AppListIcon.scale-100.png"
              },
              {
                "name": "Buffer",
                "value": "\\x89PNG\r\n\\x1a\n"
              },
              {
                "name": "Length",
                "value": "8"
              }
            ],
            "repeated": 0,
            "id": 11325
          },
          {
            "timestamp": "2026-05-28 22:01:58,334",
            "thread_id": "8600",
            "caller": "0x7ff6c28d1b88",
            "parentcaller": "0x7ff6c28ded9b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000880"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 11326
          },
          {
            "timestamp": "2026-05-28 22:01:58,334",
            "thread_id": "8600",
            "caller": "0x7ff6c28d1b88",
            "parentcaller": "0x7ff6c28ded9b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000890"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000880"
              },
              {
                "name": "ObjectAttributesName",
                "value": "8"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\DevQuery\\8"
              }
            ],
            "repeated": 0,
            "id": 11327
          },
          {
            "timestamp": "2026-05-28 22:01:58,334",
            "thread_id": "8600",
            "caller": "0x7ff6c28d1b88",
            "parentcaller": "0x7ff6c28ded9b",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000890"
              },
              {
                "name": "ValueName",
                "value": "IdType"
              },
              {
                "name": "Data",
                "value": "String"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\DevQuery\\8\\IdType"
              }
            ],
            "repeated": 0,
            "id": 11328
          },
          {
            "timestamp": "2026-05-28 22:01:58,334",
            "thread_id": "8600",
            "caller": "0x7ff6c28d1b88",
            "parentcaller": "0x7ff6c28ded9b",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000890"
              }
            ],
            "repeated": 0,
            "id": 11329
          },
          {
            "timestamp": "2026-05-28 22:01:58,334",
            "thread_id": "8600",
            "caller": "0x7ff6c28d1b88",
            "parentcaller": "0x7ff6c28ded9b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000880"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 11330
          },
          {
            "timestamp": "2026-05-28 22:01:58,334",
            "thread_id": "8600",
            "caller": "0x7ff6c28d1b88",
            "parentcaller": "0x7ff6c28ded9b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000890"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000880"
              },
              {
                "name": "ObjectAttributesName",
                "value": "8"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\DevQuery\\8"
              }
            ],
            "repeated": 0,
            "id": 11331
          },
          {
            "timestamp": "2026-05-28 22:01:58,334",
            "thread_id": "1276",
            "caller": "0x7ff6c28ba673",
            "parentcaller": "0x7ff6c28ba5a8",
            "category": "filesystem",
            "api": "NtSetInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000818"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\SystemApps\\Microsoft.Windows.Search_cw5n1h2txyewy\\Assets\\Icons\\AppListIcon.scale-100.png"
              },
              {
                "name": "FileInformationClass",
                "value": "14",
                "pretty_value": "FilePositionInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 11332
          },
          {
            "timestamp": "2026-05-28 22:01:58,334",
            "thread_id": "8600",
            "caller": "0x7ff6c28d1b88",
            "parentcaller": "0x7ff6c28ded9b",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000890"
              },
              {
                "name": "ValueName",
                "value": "Transport"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\DevQuery\\8\\Transport"
              }
            ],
            "repeated": 0,
            "id": 11333
          },
          {
            "timestamp": "2026-05-28 22:01:58,334",
            "thread_id": "8600",
            "caller": "0x7ff6c28d1b88",
            "parentcaller": "0x7ff6c28ded9b",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000890"
              }
            ],
            "repeated": 0,
            "id": 11334
          },
          {
            "timestamp": "2026-05-28 22:01:58,334",
            "thread_id": "8600",
            "caller": "0x7ff6c28d1b88",
            "parentcaller": "0x7ff6c28ded9b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000880"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 11335
          },
          {
            "timestamp": "2026-05-28 22:01:58,334",
            "thread_id": "8600",
            "caller": "0x7ff6c28d1b88",
            "parentcaller": "0x7ff6c28ded9b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000890"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000880"
              },
              {
                "name": "ObjectAttributesName",
                "value": "8"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\DevQuery\\8"
              }
            ],
            "repeated": 0,
            "id": 11336
          },
          {
            "timestamp": "2026-05-28 22:01:58,334",
            "thread_id": "8600",
            "caller": "0x7ff6c28d1b88",
            "parentcaller": "0x7ff6c28ded9b",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000890"
              },
              {
                "name": "ValueName",
                "value": "Transport"
              },
              {
                "name": "Data",
                "value": "InProc"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\DevQuery\\8\\Transport"
              }
            ],
            "repeated": 0,
            "id": 11337
          },
          {
            "timestamp": "2026-05-28 22:01:58,334",
            "thread_id": "1276",
            "caller": "0x7ff6c28ba673",
            "parentcaller": "0x7ff6c28ba5a8",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000818"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\SystemApps\\Microsoft.Windows.Search_cw5n1h2txyewy\\Assets\\Icons\\AppListIcon.scale-100.png"
              },
              {
                "name": "FileInformationClass",
                "value": "14",
                "pretty_value": "FilePositionInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 11338
          },
          {
            "timestamp": "2026-05-28 22:01:58,334",
            "thread_id": "8600",
            "caller": "0x7ff6c28d1b88",
            "parentcaller": "0x7ff6c28ded9b",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000890"
              }
            ],
            "repeated": 0,
            "id": 11339
          },
          {
            "timestamp": "2026-05-28 22:01:58,334",
            "thread_id": "8600",
            "caller": "0x7ff6c28d1b88",
            "parentcaller": "0x7ff6c28ded9b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000890"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000880"
              },
              {
                "name": "ObjectAttributesName",
                "value": "8"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\DevQuery\\8"
              }
            ],
            "repeated": 0,
            "id": 11340
          },
          {
            "timestamp": "2026-05-28 22:01:58,334",
            "thread_id": "8600",
            "caller": "0x7ff6c28d1b88",
            "parentcaller": "0x7ff6c28ded9b",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000890"
              },
              {
                "name": "ValueName",
                "value": "DllName"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\DevQuery\\8\\DllName"
              }
            ],
            "repeated": 0,
            "id": 11341
          },
          {
            "timestamp": "2026-05-28 22:01:58,334",
            "thread_id": "8600",
            "caller": "0x7ff6c28d1b88",
            "parentcaller": "0x7ff6c28ded9b",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000890"
              }
            ],
            "repeated": 0,
            "id": 11342
          },
          {
            "timestamp": "2026-05-28 22:01:58,334",
            "thread_id": "8600",
            "caller": "0x7ff6c28d1b88",
            "parentcaller": "0x7ff6c28ded9b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000880"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 11343
          },
          {
            "timestamp": "2026-05-28 22:01:58,334",
            "thread_id": "1276",
            "caller": "0x7ff6c28ba673",
            "parentcaller": "0x7ff6c28ba5a8",
            "category": "filesystem",
            "api": "NtSetInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000818"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\SystemApps\\Microsoft.Windows.Search_cw5n1h2txyewy\\Assets\\Icons\\AppListIcon.scale-100.png"
              },
              {
                "name": "FileInformationClass",
                "value": "14",
                "pretty_value": "FilePositionInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 11344
          },
          {
            "timestamp": "2026-05-28 22:01:58,334",
            "thread_id": "8600",
            "caller": "0x7ff6c28d1b88",
            "parentcaller": "0x7ff6c28ded9b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000890"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000880"
              },
              {
                "name": "ObjectAttributesName",
                "value": "8"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\DevQuery\\8"
              }
            ],
            "repeated": 0,
            "id": 11345
          },
          {
            "timestamp": "2026-05-28 22:01:58,334",
            "thread_id": "1276",
            "caller": "0x7ff6c28ba673",
            "parentcaller": "0x7ff6c28ba5a8",
            "category": "filesystem",
            "api": "NtReadFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000818"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\SystemApps\\Microsoft.Windows.Search_cw5n1h2txyewy\\Assets\\Icons\\AppListIcon.scale-100.png"
              },
              {
                "name": "Buffer",
                "value": "\\x00\\x00\\x00\rIHDR"
              },
              {
                "name": "Length",
                "value": "8"
              }
            ],
            "repeated": 0,
            "id": 11346
          },
          {
            "timestamp": "2026-05-28 22:01:58,334",
            "thread_id": "8600",
            "caller": "0x7ff6c28d1b88",
            "parentcaller": "0x7ff6c28ded9b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000880"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 11347
          },
          {
            "timestamp": "2026-05-28 22:01:58,334",
            "thread_id": "8600",
            "caller": "0x7ff6c28d1b88",
            "parentcaller": "0x7ff6c28ded9b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000890"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000880"
              },
              {
                "name": "ObjectAttributesName",
                "value": "8"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\DevQuery\\8"
              }
            ],
            "repeated": 0,
            "id": 11348
          },
          {
            "timestamp": "2026-05-28 22:01:58,334",
            "thread_id": "8600",
            "caller": "0x7ff6c28d1b88",
            "parentcaller": "0x7ff6c28ded9b",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000890"
              },
              {
                "name": "ValueName",
                "value": "DevQueryEntry"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\DevQuery\\8\\DevQueryEntry"
              }
            ],
            "repeated": 0,
            "id": 11349
          },
          {
            "timestamp": "2026-05-28 22:01:58,334",
            "thread_id": "8600",
            "caller": "0x7ff6c28d1b88",
            "parentcaller": "0x7ff6c28ded9b",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000890"
              }
            ],
            "repeated": 0,
            "id": 11350
          },
          {
            "timestamp": "2026-05-28 22:01:58,334",
            "thread_id": "8600",
            "caller": "0x7ff6c28d1b88",
            "parentcaller": "0x7ff6c28ded9b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000880"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 11351
          },
          {
            "timestamp": "2026-05-28 22:01:58,334",
            "thread_id": "8600",
            "caller": "0x7ff6c28d1b88",
            "parentcaller": "0x7ff6c28ded9b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000890"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000880"
              },
              {
                "name": "ObjectAttributesName",
                "value": "8"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\DevQuery\\8"
              }
            ],
            "repeated": 0,
            "id": 11352
          },
          {
            "timestamp": "2026-05-28 22:01:58,334",
            "thread_id": "1276",
            "caller": "0x7ff6c28ba673",
            "parentcaller": "0x7ff6c28ba5a8",
            "category": "filesystem",
            "api": "NtSetInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000818"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\SystemApps\\Microsoft.Windows.Search_cw5n1h2txyewy\\Assets\\Icons\\AppListIcon.scale-100.png"
              },
              {
                "name": "FileInformationClass",
                "value": "14",
                "pretty_value": "FilePositionInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 11353
          },
          {
            "timestamp": "2026-05-28 22:01:58,334",
            "thread_id": "8600",
            "caller": "0x7ff6c28d1b88",
            "parentcaller": "0x7ff6c28ded9b",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000890"
              },
              {
                "name": "ValueName",
                "value": "DevQueryEntry"
              },
              {
                "name": "Data",
                "value": "DevQueryEntry"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\DevQuery\\8\\DevQueryEntry"
              }
            ],
            "repeated": 0,
            "id": 11354
          },
          {
            "timestamp": "2026-05-28 22:01:58,334",
            "thread_id": "8600",
            "caller": "0x7ff6c28d1b88",
            "parentcaller": "0x7ff6c28ded9b",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000890"
              }
            ],
            "repeated": 0,
            "id": 11355
          },
          {
            "timestamp": "2026-05-28 22:01:58,334",
            "thread_id": "8600",
            "caller": "0x7ff6c28d1b88",
            "parentcaller": "0x7ff6c28ded9b",
            "category": "registry",
            "api": "RegEnumKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000880"
              },
              {
                "name": "Index",
                "value": "10"
              },
              {
                "name": "Name",
                "value": "9"
              },
              {
                "name": "Class",
                "value": ""
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\DevQuery\\9"
              }
            ],
            "repeated": 0,
            "id": 11356
          },
          {
            "timestamp": "2026-05-28 22:01:58,334",
            "thread_id": "8600",
            "caller": "0x7ff6c28d1b88",
            "parentcaller": "0x7ff6c28ded9b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000880"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 11357
          },
          {
            "timestamp": "2026-05-28 22:01:58,334",
            "thread_id": "8600",
            "caller": "0x7ff6c28d1b88",
            "parentcaller": "0x7ff6c28ded9b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000890"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000880"
              },
              {
                "name": "ObjectAttributesName",
                "value": "9"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\DevQuery\\9"
              }
            ],
            "repeated": 0,
            "id": 11358
          },
          {
            "timestamp": "2026-05-28 22:01:58,334",
            "thread_id": "8600",
            "caller": "0x7ff6c28d1b88",
            "parentcaller": "0x7ff6c28ded9b",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000890"
              },
              {
                "name": "ValueName",
                "value": "IdType"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\DevQuery\\9\\IdType"
              }
            ],
            "repeated": 0,
            "id": 11359
          },
          {
            "timestamp": "2026-05-28 22:01:58,334",
            "thread_id": "8600",
            "caller": "0x7ff6c28d1b88",
            "parentcaller": "0x7ff6c28ded9b",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000890"
              }
            ],
            "repeated": 0,
            "id": 11360
          },
          {
            "timestamp": "2026-05-28 22:01:58,334",
            "thread_id": "1276",
            "caller": "0x7ff6c28ba673",
            "parentcaller": "0x7ff6c28ba5a8",
            "category": "filesystem",
            "api": "NtSetInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000818"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\SystemApps\\Microsoft.Windows.Search_cw5n1h2txyewy\\Assets\\Icons\\AppListIcon.scale-100.png"
              },
              {
                "name": "FileInformationClass",
                "value": "14",
                "pretty_value": "FilePositionInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 11361
          },
          {
            "timestamp": "2026-05-28 22:01:58,334",
            "thread_id": "8600",
            "caller": "0x7ff6c28d1b88",
            "parentcaller": "0x7ff6c28ded9b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000880"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 11362
          },
          {
            "timestamp": "2026-05-28 22:01:58,334",
            "thread_id": "1276",
            "caller": "0x7ff6c28ba673",
            "parentcaller": "0x7ff6c28ba5a8",
            "category": "filesystem",
            "api": "NtReadFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000818"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\SystemApps\\Microsoft.Windows.Search_cw5n1h2txyewy\\Assets\\Icons\\AppListIcon.scale-100.png"
              },
              {
                "name": "Buffer",
                "value": "\\x00\\x00\\x00,\\x00\\x00\\x00,\\x08\\x06\\x00\\x00\\x00\\x1e\\x84Z\\x01"
              },
              {
                "name": "Length",
                "value": "17"
              }
            ],
            "repeated": 0,
            "id": 11363
          },
          {
            "timestamp": "2026-05-28 22:01:58,334",
            "thread_id": "8600",
            "caller": "0x7ff6c28d1b88",
            "parentcaller": "0x7ff6c28ded9b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000880"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 11364
          },
          {
            "timestamp": "2026-05-28 22:01:58,334",
            "thread_id": "8600",
            "caller": "0x7ff6c28d1b88",
            "parentcaller": "0x7ff6c28ded9b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000890"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000880"
              },
              {
                "name": "ObjectAttributesName",
                "value": "9"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\DevQuery\\9"
              }
            ],
            "repeated": 0,
            "id": 11365
          },
          {
            "timestamp": "2026-05-28 22:01:58,334",
            "thread_id": "8600",
            "caller": "0x7ff6c28d1b88",
            "parentcaller": "0x7ff6c28ded9b",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000890"
              },
              {
                "name": "ValueName",
                "value": "Transport"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\DevQuery\\9\\Transport"
              }
            ],
            "repeated": 0,
            "id": 11366
          },
          {
            "timestamp": "2026-05-28 22:01:58,334",
            "thread_id": "8600",
            "caller": "0x7ff6c28d1b88",
            "parentcaller": "0x7ff6c28ded9b",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000890"
              }
            ],
            "repeated": 0,
            "id": 11367
          },
          {
            "timestamp": "2026-05-28 22:01:58,334",
            "thread_id": "8600",
            "caller": "0x7ff6c28d1b88",
            "parentcaller": "0x7ff6c28ded9b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000880"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 11368
          },
          {
            "timestamp": "2026-05-28 22:01:58,334",
            "thread_id": "1276",
            "caller": "0x7ff6c28ba673",
            "parentcaller": "0x7ff6c28ba5a8",
            "category": "filesystem",
            "api": "NtSetInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000818"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\SystemApps\\Microsoft.Windows.Search_cw5n1h2txyewy\\Assets\\Icons\\AppListIcon.scale-100.png"
              },
              {
                "name": "FileInformationClass",
                "value": "14",
                "pretty_value": "FilePositionInformation"
              },
              {
                "name": "FileInformation",
                "value": "!\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 11369
          },
          {
            "timestamp": "2026-05-28 22:01:58,334",
            "thread_id": "8600",
            "caller": "0x7ff6c28d1b88",
            "parentcaller": "0x7ff6c28ded9b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000890"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000880"
              },
              {
                "name": "ObjectAttributesName",
                "value": "9"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\DevQuery\\9"
              }
            ],
            "repeated": 0,
            "id": 11370
          },
          {
            "timestamp": "2026-05-28 22:01:58,334",
            "thread_id": "8600",
            "caller": "0x7ff6c28d1b88",
            "parentcaller": "0x7ff6c28ded9b",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000890"
              },
              {
                "name": "ValueName",
                "value": "Transport"
              },
              {
                "name": "Data",
                "value": "InProc"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\DevQuery\\9\\Transport"
              }
            ],
            "repeated": 0,
            "id": 11371
          },
          {
            "timestamp": "2026-05-28 22:01:58,334",
            "thread_id": "8600",
            "caller": "0x7ff6c28d1b88",
            "parentcaller": "0x7ff6c28ded9b",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000890"
              }
            ],
            "repeated": 0,
            "id": 11372
          },
          {
            "timestamp": "2026-05-28 22:01:58,334",
            "thread_id": "8600",
            "caller": "0x7ff6c28d1b88",
            "parentcaller": "0x7ff6c28ded9b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000880"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 11373
          },
          {
            "timestamp": "2026-05-28 22:01:58,334",
            "thread_id": "8600",
            "caller": "0x7ff6c28d1b88",
            "parentcaller": "0x7ff6c28ded9b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000890"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000880"
              },
              {
                "name": "ObjectAttributesName",
                "value": "9"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\DevQuery\\9"
              }
            ],
            "repeated": 0,
            "id": 11374
          },
          {
            "timestamp": "2026-05-28 22:01:58,334",
            "thread_id": "1276",
            "caller": "0x7ff6c28ba673",
            "parentcaller": "0x7ff6c28ba5a8",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000818"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\SystemApps\\Microsoft.Windows.Search_cw5n1h2txyewy\\Assets\\Icons\\AppListIcon.scale-100.png"
              },
              {
                "name": "FileInformationClass",
                "value": "14",
                "pretty_value": "FilePositionInformation"
              },
              {
                "name": "FileInformation",
                "value": "!\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 11375
          },
          {
            "timestamp": "2026-05-28 22:01:58,334",
            "thread_id": "8600",
            "caller": "0x7ff6c28d1b88",
            "parentcaller": "0x7ff6c28ded9b",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000890"
              },
              {
                "name": "ValueName",
                "value": "DllName"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\DevQuery\\9\\DllName"
              }
            ],
            "repeated": 0,
            "id": 11376
          },
          {
            "timestamp": "2026-05-28 22:01:58,334",
            "thread_id": "8600",
            "caller": "0x7ff6c28d1b88",
            "parentcaller": "0x7ff6c28ded9b",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000890"
              }
            ],
            "repeated": 0,
            "id": 11377
          },
          {
            "timestamp": "2026-05-28 22:01:58,334",
            "thread_id": "8600",
            "caller": "0x7ff6c28d1b88",
            "parentcaller": "0x7ff6c28ded9b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000880"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 11378
          },
          {
            "timestamp": "2026-05-28 22:01:58,334",
            "thread_id": "8600",
            "caller": "0x7ff6c28d1b88",
            "parentcaller": "0x7ff6c28ded9b",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000890"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000880"
              },
              {
                "name": "ObjectAttributesName",
                "value": "9"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\DevQuery\\9"
              }
            ],
            "repeated": 0,
            "id": 11379
          },
          {
            "timestamp": "2026-05-28 22:01:58,334",
            "thread_id": "1276",
            "caller": "0x7ff6c28ba673",
            "parentcaller": "0x7ff6c28ba5a8",
            "category": "filesystem",
            "api": "NtSetInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000818"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\SystemApps\\Microsoft.Windows.Search_cw5n1h2txyewy\\Assets\\Icons\\AppListIcon.scale-100.png"
              },
              {
                "name": "FileInformationClass",
                "value": "14",
                "pretty_value": "FilePositionInformation"
              },
              {
                "name": "FileInformation",
                "value": "!\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 11380
          },
          {
            "timestamp": "2026-05-28 22:01:58,334",
            "thread_id": "8600",
            "caller": "0x7ff6c28d1b88",
            "parentcaller": "0x7ff6c28ded9b",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000890"
              },
              {
                "name": "ValueName",
                "value": "DllName"
              },
              {
                "name": "Data",
                "value": "C:\\Windows\\System32\\DevDispItemProvider.dll"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\DevQuery\\9\\DllName"
              }
            ],
            "repeated": 0,
            "id": 11381
          },
          {
            "timestamp": "2026-05-28 22:01:58,334",
            "thread_id": "8600",
            "caller": "0x7ff6c28d1b88",
            "parentcaller": "0x7ff6c28ded9b",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000890"
              }
            ],
            "repeated": 0,
            "id": 11382
          },
          {
            "timestamp": "2026-05-28 22:01:58,334",
            "thread_id": "1276",
            "caller": "0x7ff6c28ba673",
            "parentcaller": "0x7ff6c28ba5a8",
            "category": "filesystem",
            "api": "NtReadFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000818"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\SystemApps\\Microsoft.Windows.Search_cw5n1h2txyewy\\Assets\\Icons\\AppListIcon.scale-100.png"
              },
              {
                "name": "Buffer",
                "value": "\\x00\\x00\\x01\\x9aIDAT"
              },
              {
                "name": "Length",
                "value": "8"
              }
            ],
            "repeated": 0,
            "id": 11383
          },
          {
            "timestamp": "2026-05-28 22:01:58,334",
            "thread_id": "8600",
            "caller": "0x7ff6c28d1b88",
            "parentcaller": "0x7ff6c28ded9b",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000890"
              },
              {
                "name": "ValueName",
                "value": "DevQueryEntry"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\DevQuery\\9\\DevQueryEntry"
              }
            ],
            "repeated": 0,
            "id": 11384
          },
          {
            "timestamp": "2026-05-28 22:01:58,334",
            "thread_id": "8600",
            "caller": "0x7ff6c28d1b88",
            "parentcaller": "0x7ff6c28ded9b",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000890"
              }
            ],
            "repeated": 0,
            "id": 11385
          },
          {
            "timestamp": "2026-05-28 22:01:58,334",
            "thread_id": "8600",
            "caller": "0x7ff6c28d1b88",
            "parentcaller": "0x7ff6c28ded9b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000880"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 11386
          },
          {
            "timestamp": "2026-05-28 22:01:58,334",
            "thread_id": "8600",
            "caller": "0x7ffc756e3f76",
            "parentcaller": "0x7ffc75764fd4",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000890"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000880"
              },
              {
                "name": "ObjectAttributesName",
                "value": "9"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\DevQuery\\9"
              }
            ],
            "repeated": 0,
            "id": 11387
          },
          {
            "timestamp": "2026-05-28 22:01:58,334",
            "thread_id": "8600",
            "caller": "0x7ff6c28d1b88",
            "parentcaller": "0x7ff6c28ded9b",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000890"
              },
              {
                "name": "ValueName",
                "value": "DevQueryEntry"
              },
              {
                "name": "Data",
                "value": "DevQueryEntry"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\DevQuery\\9\\DevQueryEntry"
              }
            ],
            "repeated": 0,
            "id": 11388
          },
          {
            "timestamp": "2026-05-28 22:01:58,334",
            "thread_id": "8600",
            "caller": "0x7ff6c28d1b88",
            "parentcaller": "0x7ff6c28ded9b",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000890"
              }
            ],
            "repeated": 0,
            "id": 11389
          },
          {
            "timestamp": "2026-05-28 22:01:58,334",
            "thread_id": "8600",
            "caller": "0x7ff6c28d1b88",
            "parentcaller": "0x7ff6c28ded9b",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000880"
              }
            ],
            "repeated": 0,
            "id": 11390
          },
          {
            "timestamp": "2026-05-28 22:01:58,334",
            "thread_id": "8600",
            "caller": "0x7ff6c28d1b88",
            "parentcaller": "0x7ff6c28ded9b",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc75f9b000"
              },
              {
                "name": "ModuleName",
                "value": "cfgmgr32.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 11391
          },
          {
            "timestamp": "2026-05-28 22:01:58,334",
            "thread_id": "8600",
            "caller": "0x7ff6c28d1b88",
            "parentcaller": "0x7ff6c28ded9b",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc75f9b000"
              },
              {
                "name": "ModuleName",
                "value": "cfgmgr32.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 11392
          },
          {
            "timestamp": "2026-05-28 22:01:58,334",
            "thread_id": "1276",
            "caller": "0x7ff6c28ba143",
            "parentcaller": "0x7ff6c28ba006",
            "category": "filesystem",
            "api": "NtSetInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000818"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\SystemApps\\Microsoft.Windows.Search_cw5n1h2txyewy\\Assets\\Icons\\AppListIcon.scale-100.png"
              },
              {
                "name": "FileInformationClass",
                "value": "14",
                "pretty_value": "FilePositionInformation"
              },
              {
                "name": "FileInformation",
                "value": "!\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 11393
          },
          {
            "timestamp": "2026-05-28 22:01:58,334",
            "thread_id": "8600",
            "caller": "0x7ff6c28d1b88",
            "parentcaller": "0x7ff6c28ded9b",
            "category": "system",
            "api": "NtDuplicateObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SourceProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "SourceHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "TargetProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "TargetHandle",
                "value": "0x00000890"
              },
              {
                "name": "Options",
                "value": "0x00000002"
              }
            ],
            "repeated": 0,
            "id": 11394
          },
          {
            "timestamp": "2026-05-28 22:01:58,334",
            "thread_id": "8600",
            "caller": "0x7ff6c28d1b88",
            "parentcaller": "0x7ff6c28ded9b",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000894"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80000000",
                "pretty_value": "GENERIC_READ"
              },
              {
                "name": "FileName",
                "value": "\\Device\\DeviceApi\\Dev\\Query"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "0"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 11395
          },
          {
            "timestamp": "2026-05-28 22:01:58,334",
            "thread_id": "8600",
            "caller": "0x7ff6c28d1b88",
            "parentcaller": "0x7ff6c28ded9b",
            "category": "filesystem",
            "api": "NtSetInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000894"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\DeviceApi"
              },
              {
                "name": "FileInformationClass",
                "value": "30",
                "pretty_value": "FileCompletionInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x98a\"T\\x92\\x02\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 11396
          },
          {
            "timestamp": "2026-05-28 22:01:58,334",
            "thread_id": "1276",
            "caller": "0x7ff6c28ba143",
            "parentcaller": "0x7ff6c28ba006",
            "category": "filesystem",
            "api": "NtSetInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000818"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\SystemApps\\Microsoft.Windows.Search_cw5n1h2txyewy\\Assets\\Icons\\AppListIcon.scale-100.png"
              },
              {
                "name": "FileInformationClass",
                "value": "14",
                "pretty_value": "FilePositionInformation"
              },
              {
                "name": "FileInformation",
                "value": "!\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 11397
          },
          {
            "timestamp": "2026-05-28 22:01:58,334",
            "thread_id": "1276",
            "caller": "0x7ff6c28ba143",
            "parentcaller": "0x7ff6c28ba006",
            "category": "filesystem",
            "api": "NtReadFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000818"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\SystemApps\\Microsoft.Windows.Search_cw5n1h2txyewy\\Assets\\Icons\\AppListIcon.scale-100.png"
              },
              {
                "name": "Buffer",
                "value": "\\x00\\x00\\x01\\x9aIDAT"
              },
              {
                "name": "Length",
                "value": "8"
              }
            ],
            "repeated": 0,
            "id": 11398
          },
          {
            "timestamp": "2026-05-28 22:01:58,334",
            "thread_id": "1004",
            "caller": "0x7ffc76045921",
            "parentcaller": "0x7ffc75f5657b",
            "category": "device",
            "api": "DeviceIoControl",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "DeviceHandle",
                "value": "0x00000894"
              },
              {
                "name": "IoControlCode",
                "value": "0x00470007"
              },
              {
                "name": "InBuffer",
                "value": ""
              },
              {
                "name": "OutBuffer",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 11399
          },
          {
            "timestamp": "2026-05-28 22:01:58,334",
            "thread_id": "2700",
            "caller": "0x7ffc76045921",
            "parentcaller": "0x7ffc75f5657b",
            "category": "device",
            "api": "DeviceIoControl",
            "status": false,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "DeviceHandle",
                "value": "0x00000894"
              },
              {
                "name": "IoControlCode",
                "value": "0x00470008"
              },
              {
                "name": "InBuffer",
                "value": ""
              },
              {
                "name": "OutBuffer",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 11400
          },
          {
            "timestamp": "2026-05-28 22:01:58,334",
            "thread_id": "2700",
            "caller": "0x7ff6c28d279f",
            "parentcaller": "0x7ff6c28d1845",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x0000089c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100080",
                "pretty_value": "FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "\\??\\SCSI#Disk&Ven_SAMSUNG&Prod_MZ76E120#4&35424867&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "1",
                "pretty_value": "FILE_SHARE_READ"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 11401
          },
          {
            "timestamp": "2026-05-28 22:01:58,334",
            "thread_id": "2700",
            "caller": "0x7ff6c28d2808",
            "parentcaller": "0x7ff6c28d1845",
            "category": "device",
            "api": "DeviceIoControl",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "DeviceHandle",
                "value": "0x0000089c"
              },
              {
                "name": "IoControlCode",
                "value": "0x002d0c14"
              },
              {
                "name": "InBuffer",
                "value": ""
              },
              {
                "name": "OutBuffer",
                "value": "\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 11402
          },
          {
            "timestamp": "2026-05-28 22:01:58,334",
            "thread_id": "2700",
            "caller": "0x7ff6c28d28e3",
            "parentcaller": "0x7ff6c28d2836",
            "category": "device",
            "api": "DeviceIoControl",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "DeviceHandle",
                "value": "0x0000089c"
              },
              {
                "name": "IoControlCode",
                "value": "0x002d1400",
                "pretty_value": "IOCTL_STORAGE_QUERY_PROPERTY"
              },
              {
                "name": "InBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutBuffer",
                "value": "(\\x00\\x00\\x00\\x8c\\x01\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 11403
          },
          {
            "timestamp": "2026-05-28 22:01:58,334",
            "thread_id": "2700",
            "caller": "0x7ff6c28d2957",
            "parentcaller": "0x7ff6c28d2836",
            "category": "device",
            "api": "DeviceIoControl",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "DeviceHandle",
                "value": "0x0000089c"
              },
              {
                "name": "IoControlCode",
                "value": "0x002d1400",
                "pretty_value": "IOCTL_STORAGE_QUERY_PROPERTY"
              },
              {
                "name": "InBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutBuffer",
                "value": "(\\x00\\x00\\x00\\x8c\\x01\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00(\\x00\\x00\\x00Q\\x00\\x00\\x00Z\\x00\\x00\\x00\\x0b\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00SAMSUNG MZ76E120\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x002.5+\\x00\\x00\\x00\\x00\\x00QM00001\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 11404
          },
          {
            "timestamp": "2026-05-28 22:01:58,334",
            "thread_id": "2700",
            "caller": "0x7ff6c28d29dd",
            "parentcaller": "0x7ff6c28d2836",
            "category": "device",
            "api": "DeviceIoControl",
            "status": false,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "DeviceHandle",
                "value": "0x0000089c"
              },
              {
                "name": "IoControlCode",
                "value": "0x002d1400",
                "pretty_value": "IOCTL_STORAGE_QUERY_PROPERTY"
              },
              {
                "name": "InBuffer",
                "value": "\\x07\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00!Y\\x04v\\xfc\\x7f\\x00\\x00\\xa3\\x9f\\xa2\tZ\\xd7\\x00\\x00\\x9c\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xe8\\xf5\\xd7\\x9d\\xf0\\x00\\x00\\x00\\xd0\\x9f\\x84T\\x92\\x02\\x00\\x00 \\xf9\\x95T\\x92\\x02\\x00\\x00 \\xf9\\x95T\\x92\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00HQ\\x1cT\\x92\\x02\\x00\\x006(\\x8d\\xc2\\xf6\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x07\\x00\\x00\\x00\\x00\\x00\\x00\\x00HQ\\x1cT\\x92\\x02\\x00\\x00 \\xf9\\x95T\\x92\\x02\\x00\\x00@\\xf5\\xd7\\x9d\\xf0\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\x92\\x02\\x00\\x00\\x80\\xf5\\xd7\\x9d\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xd0\\x9f\\x84T\\x92\\x02\\x00\\x00\\x80M'N\\x92\\x02\\x00\\x00 \\xf9\\x95T\\x92\\x02\\x00\\x000\\xf9\\x95T\\x92\\x02\\x00\\x00E\\x18\\x8d\\xc2\\xf6\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xa8\\x06\\x00\\x00\\x00\\x00\\x00\\x00\\x08\\x00\\x00\\x00Z\\xd7\\x00\\x00\\x00\\x00\\xb63\\xfc\\x7f\\x00\\x00\\x08\\x00G\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 11405
          },
          {
            "timestamp": "2026-05-28 22:01:58,334",
            "thread_id": "2700",
            "caller": "0x7ff6c28d271e",
            "parentcaller": "0x7ff6c28d1855",
            "category": "device",
            "api": "DeviceIoControl",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "DeviceHandle",
                "value": "0x0000089c"
              },
              {
                "name": "IoControlCode",
                "value": "0x002d1080",
                "pretty_value": "IOCTL_STORAGE_GET_DEVICE_NUMBER"
              },
              {
                "name": "InBuffer",
                "value": ""
              },
              {
                "name": "OutBuffer",
                "value": "\\x07\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 11406
          },
          {
            "timestamp": "2026-05-28 22:01:58,334",
            "thread_id": "2700",
            "caller": "0x7ff6c28d2082",
            "parentcaller": "0x7ff6c28d1879",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000008a0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100080",
                "pretty_value": "FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "\\??\\MountPointManager"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "3",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000080",
                "pretty_value": "FILE_ATTRIBUTE_NORMAL"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 11407
          },
          {
            "timestamp": "2026-05-28 22:01:58,334",
            "thread_id": "1276",
            "caller": "0x7ff6c28ba143",
            "parentcaller": "0x7ff6c28ba006",
            "category": "filesystem",
            "api": "NtSetInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000818"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\SystemApps\\Microsoft.Windows.Search_cw5n1h2txyewy\\Assets\\Icons\\AppListIcon.scale-100.png"
              },
              {
                "name": "FileInformationClass",
                "value": "14",
                "pretty_value": "FilePositionInformation"
              },
              {
                "name": "FileInformation",
                "value": "!\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 11408
          },
          {
            "timestamp": "2026-05-28 22:01:58,334",
            "thread_id": "2700",
            "caller": "0x7ff6c28d2082",
            "parentcaller": "0x7ff6c28d1879",
            "category": "device",
            "api": "DeviceIoControl",
            "status": false,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "DeviceHandle",
                "value": "0x000008a0"
              },
              {
                "name": "IoControlCode",
                "value": "0x006d0008",
                "pretty_value": "IOCTL_MOUNTMGR_QUERY_POINTS"
              },
              {
                "name": "InBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutBuffer",
                "value": "\\xe6\\x03\\x00\\x00\\x06\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 11409
          },
          {
            "timestamp": "2026-05-28 22:01:58,334",
            "thread_id": "2700",
            "caller": "0x7ff6c28d2082",
            "parentcaller": "0x7ff6c28d1879",
            "category": "device",
            "api": "DeviceIoControl",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "DeviceHandle",
                "value": "0x000008a0"
              },
              {
                "name": "IoControlCode",
                "value": "0x006d0008",
                "pretty_value": "IOCTL_MOUNTMGR_QUERY_POINTS"
              },
              {
                "name": "InBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutBuffer",
                "value": "\\xe6\\x03\\x00\\x00\\x06\\x00\\x00\\x00\\xd2\\x00\\x00\\x00`\\x00\\x00\\x00\\x98\\x00\\x00\\x00\\x0c\\x00\\x00\\x00\\xa4\\x00\\x00\\x00.\\x00\\x00\\x00l\\x01\\x00\\x00\\x1c\\x00\\x00\\x002\\x01\\x00\\x00\\x0c\\x00\\x00\\x00>\\x01\\x00\\x00.\\x00\\x00\\x00\\x88\\x01\\x00\\x00`\\x00\\x00\\x002\\x01\\x00\\x00\\x0c\\x00\\x00\\x00>\\x01\\x00\\x00.\\x00\\x00\\x00\"\\x02\\x00\\x00`\\x00\\x00\\x00\\xe8\\x01\\x00\\x00\\x0c\\x00\\x00\\x00\\xf4\\x01\\x00\\x00.\\x00\\x00\\x00j\\x03\\x00\\x00\\x1c\\x00\\x00\\x00\\x82\\x02\\x00\\x00\\xcc\\x00\\x00\\x00N\\x03\\x00\\x00\\x1c\\x00\\x00\\x00\\x86\\x03\\x00\\x00`\\x00\\x00\\x00\\x82\\x02\\x00\\x00\\xcc\\x00\\x00\\x00N\\x03\\x00\\x00\\x1c\\x00\\x00\\x00/\\x10\\x8cR\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\\\x00D\\x00e\\x00v\\x00i\\x00c\\x00e\\x00\\\\x00H\\x00a\\x00r\\x00d\\x00d\\x00i\\x00s\\x00k\\x00V\\x00o\\x00l\\x00u\\x00m\\x00e\\x001\\x00\\\\x00?\\x00?\\x00\\\\x00V\\x00o\\x00l\\x00u\\x00m\\x00e\\x00{\\x005\\x002\\x008\\x00c\\x001\\x000\\x002\\x00f\\x00-\\x000\\x000\\x000\\x00"
              }
            ],
            "repeated": 0,
            "id": 11410
          },
          {
            "timestamp": "2026-05-28 22:01:58,334",
            "thread_id": "2700",
            "caller": "0x7ff6c28d2082",
            "parentcaller": "0x7ff6c28d1879",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000008a0"
              }
            ],
            "repeated": 0,
            "id": 11411
          },
          {
            "timestamp": "2026-05-28 22:01:58,334",
            "thread_id": "2700",
            "caller": "0x7ff6c28d2114",
            "parentcaller": "0x7ff6c28d1879",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000008a0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100080",
                "pretty_value": "FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "\\??\\Volume{528c102f-0000-0000-0000-100000000000}"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "3",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000080",
                "pretty_value": "FILE_ATTRIBUTE_NORMAL"
              },
              {
                "name": "ExistedBefore",
                "value": "no"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 11412
          },
          {
            "timestamp": "2026-05-28 22:01:58,334",
            "thread_id": "2700",
            "caller": "0x7ff6c28d2299",
            "parentcaller": "0x7ff6c28d2160",
            "category": "device",
            "api": "DeviceIoControl",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "DeviceHandle",
                "value": "0x000008a0"
              },
              {
                "name": "IoControlCode",
                "value": "0x00560060"
              },
              {
                "name": "InBuffer",
                "value": ""
              },
              {
                "name": "OutBuffer",
                "value": "\\x00"
              }
            ],
            "repeated": 0,
            "id": 11413
          },
          {
            "timestamp": "2026-05-28 22:01:58,334",
            "thread_id": "2700",
            "caller": "0x00000000",
            "parentcaller": "0x00000000",
            "category": "device",
            "api": "DeviceIoControl",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "DeviceHandle",
                "value": "0x000008a0"
              },
              {
                "name": "IoControlCode",
                "value": "0x00560000",
                "pretty_value": "IOCTL_VOLUME_GET_VOLUME_DISK_EXTENTS"
              },
              {
                "name": "InBuffer",
                "value": ""
              },
              {
                "name": "OutBuffer",
                "value": "\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\x00 \\x03\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 11414
          },
          {
            "timestamp": "2026-05-28 22:01:58,334",
            "thread_id": "1276",
            "caller": "0x7ff6c28ba143",
            "parentcaller": "0x7ff6c28ba006",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000818"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\SystemApps\\Microsoft.Windows.Search_cw5n1h2txyewy\\Assets\\Icons\\AppListIcon.scale-100.png"
              },
              {
                "name": "FileInformationClass",
                "value": "14",
                "pretty_value": "FilePositionInformation"
              },
              {
                "name": "FileInformation",
                "value": "!\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 11415
          },
          {
            "timestamp": "2026-05-28 22:01:58,334",
            "thread_id": "2700",
            "caller": "0x7ff6c28d23c4",
            "parentcaller": "0x7ff6c28d2314",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000008a4"
              }
            ],
            "repeated": 0,
            "id": 11416
          },
          {
            "timestamp": "2026-05-28 22:01:58,334",
            "thread_id": "2700",
            "caller": "0x7ff6c28d2450",
            "parentcaller": "0x7ff6c28d2314",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000008a4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100080",
                "pretty_value": "FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "\\??\\MountPointManager"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "3",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000080",
                "pretty_value": "FILE_ATTRIBUTE_NORMAL"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 11417
          },
          {
            "timestamp": "2026-05-28 22:01:58,334",
            "thread_id": "2700",
            "caller": "0x7ff6c28d2450",
            "parentcaller": "0x7ff6c28d2314",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000008a4"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\MountPointManager"
              },
              {
                "name": "IoControlCode",
                "value": "0x006d0034",
                "pretty_value": "IOCTL_MOUNTMGR_QUERY_DOS_VOLUME_PATHS"
              },
              {
                "name": "InputBuffer",
                "value": "`\\x00\\\\x00?\\x00?\\x00\\\\x00V\\x00o\\x00l\\x00u\\x00m\\x00e\\x00{\\x005\\x002\\x008\\x00c\\x001\\x000\\x002\\x00f\\x00-\\x000\\x000\\x000\\x000\\x00-\\x000\\x000\\x000\\x000\\x00-\\x000\\x000\\x000\\x000\\x00-\\x001\\x000\\x000\\x000\\x000\\x000\\x000\\x000\\x000\\x000\\x000\\x000\\x00}\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": "\\x02\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 11418
          },
          {
            "timestamp": "2026-05-28 22:01:58,334",
            "thread_id": "1276",
            "caller": "0x7ff6c28ba143",
            "parentcaller": "0x7ff6c28ba006",
            "category": "filesystem",
            "api": "NtSetInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000818"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\SystemApps\\Microsoft.Windows.Search_cw5n1h2txyewy\\Assets\\Icons\\AppListIcon.scale-100.png"
              },
              {
                "name": "FileInformationClass",
                "value": "14",
                "pretty_value": "FilePositionInformation"
              },
              {
                "name": "FileInformation",
                "value": "!\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 11419
          },
          {
            "timestamp": "2026-05-28 22:01:58,334",
            "thread_id": "2700",
            "caller": "0x7ff6c28d2450",
            "parentcaller": "0x7ff6c28d2314",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000008a4"
              }
            ],
            "repeated": 0,
            "id": 11420
          },
          {
            "timestamp": "2026-05-28 22:01:58,334",
            "thread_id": "1276",
            "caller": "0x7ff6c28ba143",
            "parentcaller": "0x7ff6c28ba006",
            "category": "filesystem",
            "api": "NtReadFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000818"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\SystemApps\\Microsoft.Windows.Search_cw5n1h2txyewy\\Assets\\Icons\\AppListIcon.scale-100.png"
              },
              {
                "name": "Buffer",
                "value": "\\x00\\x00\\x01\\x9aIDATx\\xda\\xec\\x981N\\xc40\\x10E7\\x08\tQ\\xd1\\xd2\\xa5\\xe6\\x06\\x14.h8\\xc1\\x16i(8\\x82\\x0fD\\xc1\\x05V>\\x00\r7HICC\\x05]D\\xb3\\x80V\\xb2\\x99H\\x13idH2\\xd9\\x8c\\xd7\\x0ex\\xa4/K^\\xfb\\xfb9\\xeb\\xd8\\xe3\\x14\\xce\\xb9\\xd5\\x92\\xe2h\\xb5\\xb0\\xc8\\xc0\\x198\\x03\\xf7\\x87\\x02\\x19P\\x03\\xb2 \\x87\\xb2Xg\\xb0\\xcd\\xb4h\\xb75a\\x95\\xa0\\xda\\xf1\\xa3\\xc6>,\\x7fi\\xd8\n\\xb4#0\r\\xe8\\x0e\\xa4H\\x1b\\x85u\ri\\xb7\\xc3\\xbe\\x07\\x05n\\x07\\xb4\\x04@3\\xfah2A\\xcb\\x81\\x96\\\\x06\\xdd\\xc0\\xdb)\\x7f1\\xb6\\xdd\\x92\\x89\\x96\\x87\\x00\\xae\\xb9\\x032&\\\\x87\\x06Vd-\\xea\\x19>\\x9a\\xf8\\xa8\\x90\\xc0\\x86\\xbc`s\\xbd\\xba\\x17\\xd1\\xf4\\xb5\\x91\\xd8\\x87\\xaf\\xb0\\xdc\\x08xm<\\xcf \\x07\\xc7\\x19\\x96\\xf7\\x02^\\x0f\\x9e\\xe7\\x8f(\\x04\\xf2\\xe1\\xce\\xa0\\x10:!\\x07\\xfd\\xfee.\\xe1H\\xee07*\\xcf3\\x08\\xf0;\\x96\\xb7\\x02^\\xd7\\x9eg\\x10\\xe0"
              },
              {
                "name": "Length",
                "value": "430"
              }
            ],
            "repeated": 0,
            "id": 11421
          },
          {
            "timestamp": "2026-05-28 22:01:58,334",
            "thread_id": "2700",
            "caller": "0x7ff6c28d2611",
            "parentcaller": "0x7ff6c28d22b3",
            "category": "device",
            "api": "DeviceIoControl",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "DeviceHandle",
                "value": "0x000008a0"
              },
              {
                "name": "IoControlCode",
                "value": "0x00560000",
                "pretty_value": "IOCTL_VOLUME_GET_VOLUME_DISK_EXTENTS"
              },
              {
                "name": "InBuffer",
                "value": ""
              },
              {
                "name": "OutBuffer",
                "value": "\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x000\\x03\\x00\\x00\\x00\\x00\\x00<\\x83\\xda\\x0e\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 11422
          },
          {
            "timestamp": "2026-05-28 22:01:58,334",
            "thread_id": "2700",
            "caller": "0x7ff6c28d23c4",
            "parentcaller": "0x7ff6c28d2314",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000008a4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100080",
                "pretty_value": "FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "\\??\\MountPointManager"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "3",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000080",
                "pretty_value": "FILE_ATTRIBUTE_NORMAL"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 11423
          },
          {
            "timestamp": "2026-05-28 22:01:58,334",
            "thread_id": "1276",
            "caller": "0x7ff6c28b3747",
            "parentcaller": "0x7ff6c28ba5eb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000818"
              }
            ],
            "repeated": 0,
            "id": 11424
          },
          {
            "timestamp": "2026-05-28 22:01:58,334",
            "thread_id": "2700",
            "caller": "0x7ff6c28d23c4",
            "parentcaller": "0x7ff6c28d2314",
            "category": "device",
            "api": "DeviceIoControl",
            "status": false,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "DeviceHandle",
                "value": "0x000008a4"
              },
              {
                "name": "IoControlCode",
                "value": "0x006d0034",
                "pretty_value": "IOCTL_MOUNTMGR_QUERY_DOS_VOLUME_PATHS"
              },
              {
                "name": "InBuffer",
                "value": "`\\x00\\\\x00?\\x00?\\x00\\\\x00V\\x00o\\x00l\\x00u\\x00m\\x00e\\x00{\\x005\\x002\\x008\\x00c\\x001\\x000\\x002\\x00f\\x00-\\x000\\x000\\x000\\x000\\x00-\\x000\\x000\\x000\\x000\\x00-\\x000\\x000\\x000\\x000\\x00-\\x003\\x000\\x000\\x003\\x000\\x000\\x000\\x000\\x000\\x000\\x000\\x000\\x00}\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutBuffer",
                "value": "\\x08\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 11425
          },
          {
            "timestamp": "2026-05-28 22:01:58,334",
            "thread_id": "2700",
            "caller": "0x7ff6c28d23c4",
            "parentcaller": "0x7ff6c28d2314",
            "category": "device",
            "api": "DeviceIoControl",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "DeviceHandle",
                "value": "0x000008a4"
              },
              {
                "name": "IoControlCode",
                "value": "0x006d0034",
                "pretty_value": "IOCTL_MOUNTMGR_QUERY_DOS_VOLUME_PATHS"
              },
              {
                "name": "InBuffer",
                "value": "`\\x00\\\\x00?\\x00?\\x00\\\\x00V\\x00o\\x00l\\x00u\\x00m\\x00e\\x00{\\x005\\x002\\x008\\x00c\\x001\\x000\\x002\\x00f\\x00-\\x000\\x000\\x000\\x000\\x00-\\x000\\x000\\x000\\x000\\x00-\\x000\\x000\\x000\\x000\\x00-\\x003\\x000\\x000\\x003\\x000\\x000\\x000\\x000\\x000\\x000\\x000\\x000\\x00}\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutBuffer",
                "value": "\\x08\\x00\\x00\\x00C\\x00:\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 11426
          },
          {
            "timestamp": "2026-05-28 22:01:58,334",
            "thread_id": "2700",
            "caller": "0x7ff6c28d23c4",
            "parentcaller": "0x7ff6c28d2314",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000008a4"
              }
            ],
            "repeated": 0,
            "id": 11427
          },
          {
            "timestamp": "2026-05-28 22:01:58,334",
            "thread_id": "2700",
            "caller": "0x7ff6c28d2450",
            "parentcaller": "0x7ff6c28d2314",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000008a4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100080",
                "pretty_value": "FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "\\??\\MountPointManager"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "3",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000080",
                "pretty_value": "FILE_ATTRIBUTE_NORMAL"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 11428
          },
          {
            "timestamp": "2026-05-28 22:01:58,334",
            "thread_id": "2700",
            "caller": "0x7ff6c28d2450",
            "parentcaller": "0x7ff6c28d2314",
            "category": "device",
            "api": "DeviceIoControl",
            "status": false,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "DeviceHandle",
                "value": "0x000008a4"
              },
              {
                "name": "IoControlCode",
                "value": "0x006d0034",
                "pretty_value": "IOCTL_MOUNTMGR_QUERY_DOS_VOLUME_PATHS"
              },
              {
                "name": "InBuffer",
                "value": "`\\x00\\\\x00?\\x00?\\x00\\\\x00V\\x00o\\x00l\\x00u\\x00m\\x00e\\x00{\\x005\\x002\\x008\\x00c\\x001\\x000\\x002\\x00f\\x00-\\x000\\x000\\x000\\x000\\x00-\\x000\\x000\\x000\\x000\\x00-\\x000\\x000\\x000\\x000\\x00-\\x003\\x000\\x000\\x003\\x000\\x000\\x000\\x000\\x000\\x000\\x000\\x000\\x00}\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutBuffer",
                "value": "\\x08\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 11429
          },
          {
            "timestamp": "2026-05-28 22:01:58,334",
            "thread_id": "2700",
            "caller": "0x7ff6c28d2450",
            "parentcaller": "0x7ff6c28d2314",
            "category": "device",
            "api": "DeviceIoControl",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "DeviceHandle",
                "value": "0x000008a4"
              },
              {
                "name": "IoControlCode",
                "value": "0x006d0034",
                "pretty_value": "IOCTL_MOUNTMGR_QUERY_DOS_VOLUME_PATHS"
              },
              {
                "name": "InBuffer",
                "value": "`\\x00\\\\x00?\\x00?\\x00\\\\x00V\\x00o\\x00l\\x00u\\x00m\\x00e\\x00{\\x005\\x002\\x008\\x00c\\x001\\x000\\x002\\x00f\\x00-\\x000\\x000\\x000\\x000\\x00-\\x000\\x000\\x000\\x000\\x00-\\x000\\x000\\x000\\x000\\x00-\\x003\\x000\\x000\\x003\\x000\\x000\\x000\\x000\\x000\\x000\\x000\\x000\\x00}\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutBuffer",
                "value": "\\x08\\x00\\x00\\x00C\\x00:\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 11430
          },
          {
            "timestamp": "2026-05-28 22:01:58,334",
            "thread_id": "2700",
            "caller": "0x7ff6c28d2450",
            "parentcaller": "0x7ff6c28d2314",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000008a4"
              }
            ],
            "repeated": 0,
            "id": 11431
          },
          {
            "timestamp": "2026-05-28 22:01:58,334",
            "thread_id": "2700",
            "caller": "0x7ff6c28d2172",
            "parentcaller": "0x7ff6c28d1879",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000008a0"
              }
            ],
            "repeated": 0,
            "id": 11432
          },
          {
            "timestamp": "2026-05-28 22:01:58,334",
            "thread_id": "2700",
            "caller": "0x7ff6c28d2114",
            "parentcaller": "0x7ff6c28d1879",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000008a0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100080",
                "pretty_value": "FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "\\??\\Volume{528c102f-0000-0000-0000-c0dd0e000000}"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "3",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000080",
                "pretty_value": "FILE_ATTRIBUTE_NORMAL"
              },
              {
                "name": "ExistedBefore",
                "value": "no"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 11433
          },
          {
            "timestamp": "2026-05-28 22:01:58,334",
            "thread_id": "2700",
            "caller": "0x7ff6c28d2299",
            "parentcaller": "0x7ff6c28d2160",
            "category": "device",
            "api": "DeviceIoControl",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "DeviceHandle",
                "value": "0x000008a0"
              },
              {
                "name": "IoControlCode",
                "value": "0x00560060"
              },
              {
                "name": "InBuffer",
                "value": ""
              },
              {
                "name": "OutBuffer",
                "value": "\\x00"
              }
            ],
            "repeated": 0,
            "id": 11434
          },
          {
            "timestamp": "2026-05-28 22:01:58,334",
            "thread_id": "2700",
            "caller": "0x7ff6c28d2611",
            "parentcaller": "0x7ff6c28d22b3",
            "category": "device",
            "api": "DeviceIoControl",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "DeviceHandle",
                "value": "0x000008a0"
              },
              {
                "name": "IoControlCode",
                "value": "0x00560000",
                "pretty_value": "IOCTL_VOLUME_GET_VOLUME_DISK_EXTENTS"
              },
              {
                "name": "InBuffer",
                "value": ""
              },
              {
                "name": "OutBuffer",
                "value": "\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xc0\\xdd\\x0e\\x00\\x00\\x00\\x00\\x00 \"\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 11435
          },
          {
            "timestamp": "2026-05-28 22:01:58,334",
            "thread_id": "2700",
            "caller": "0x7ff6c28d23c4",
            "parentcaller": "0x7ff6c28d2314",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000008a4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100080",
                "pretty_value": "FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "\\??\\MountPointManager"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "3",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000080",
                "pretty_value": "FILE_ATTRIBUTE_NORMAL"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 11436
          },
          {
            "timestamp": "2026-05-28 22:01:58,334",
            "thread_id": "2700",
            "caller": "0x7ff6c28d23c4",
            "parentcaller": "0x7ff6c28d2314",
            "category": "device",
            "api": "DeviceIoControl",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "DeviceHandle",
                "value": "0x000008a4"
              },
              {
                "name": "IoControlCode",
                "value": "0x006d0034",
                "pretty_value": "IOCTL_MOUNTMGR_QUERY_DOS_VOLUME_PATHS"
              },
              {
                "name": "InBuffer",
                "value": "`\\x00\\\\x00?\\x00?\\x00\\\\x00V\\x00o\\x00l\\x00u\\x00m\\x00e\\x00{\\x005\\x002\\x008\\x00c\\x001\\x000\\x002\\x00f\\x00-\\x000\\x000\\x000\\x000\\x00-\\x000\\x000\\x000\\x000\\x00-\\x000\\x000\\x000\\x000\\x00-\\x00c\\x000\\x00d\\x00d\\x000\\x00e\\x000\\x000\\x000\\x000\\x000\\x000\\x00}\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutBuffer",
                "value": "\\x02\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 11437
          },
          {
            "timestamp": "2026-05-28 22:01:58,334",
            "thread_id": "2700",
            "caller": "0x7ff6c28d23c4",
            "parentcaller": "0x7ff6c28d2314",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000008a4"
              }
            ],
            "repeated": 0,
            "id": 11438
          },
          {
            "timestamp": "2026-05-28 22:01:58,334",
            "thread_id": "2700",
            "caller": "0x7ff6c28d2450",
            "parentcaller": "0x7ff6c28d2314",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000008a4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100080",
                "pretty_value": "FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "\\??\\MountPointManager"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "3",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000080",
                "pretty_value": "FILE_ATTRIBUTE_NORMAL"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 11439
          },
          {
            "timestamp": "2026-05-28 22:01:58,334",
            "thread_id": "2700",
            "caller": "0x7ff6c28d2450",
            "parentcaller": "0x7ff6c28d2314",
            "category": "device",
            "api": "DeviceIoControl",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "DeviceHandle",
                "value": "0x000008a4"
              },
              {
                "name": "IoControlCode",
                "value": "0x006d0034",
                "pretty_value": "IOCTL_MOUNTMGR_QUERY_DOS_VOLUME_PATHS"
              },
              {
                "name": "InBuffer",
                "value": "`\\x00\\\\x00?\\x00?\\x00\\\\x00V\\x00o\\x00l\\x00u\\x00m\\x00e\\x00{\\x005\\x002\\x008\\x00c\\x001\\x000\\x002\\x00f\\x00-\\x000\\x000\\x000\\x000\\x00-\\x000\\x000\\x000\\x000\\x00-\\x000\\x000\\x000\\x000\\x00-\\x00c\\x000\\x00d\\x00d\\x000\\x00e\\x000\\x000\\x000\\x000\\x000\\x000\\x00}\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutBuffer",
                "value": "\\x02\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 11440
          },
          {
            "timestamp": "2026-05-28 22:01:58,334",
            "thread_id": "2700",
            "caller": "0x7ff6c28d2450",
            "parentcaller": "0x7ff6c28d2314",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000008a4"
              }
            ],
            "repeated": 0,
            "id": 11441
          },
          {
            "timestamp": "2026-05-28 22:01:58,334",
            "thread_id": "2700",
            "caller": "0x7ff6c28d2172",
            "parentcaller": "0x7ff6c28d1879",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000008a0"
              }
            ],
            "repeated": 0,
            "id": 11442
          },
          {
            "timestamp": "2026-05-28 22:01:58,334",
            "thread_id": "1276",
            "caller": "0x7ff6c28ba417",
            "parentcaller": "0x7ff6c28ba33d",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000818"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\SystemApps\\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\\Assets\\smalllogo.scale-100.png"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "1",
                "pretty_value": "FILE_SHARE_READ"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 11443
          },
          {
            "timestamp": "2026-05-28 22:01:58,334",
            "thread_id": "2700",
            "caller": "0x7ff6c28d2114",
            "parentcaller": "0x7ff6c28d1879",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000008a0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100080",
                "pretty_value": "FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "\\??\\Volume{e32a94c0-5af2-11f1-ae2c-806e6f6e6963}"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "3",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000080",
                "pretty_value": "FILE_ATTRIBUTE_NORMAL"
              },
              {
                "name": "ExistedBefore",
                "value": "no"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 11444
          },
          {
            "timestamp": "2026-05-28 22:01:58,334",
            "thread_id": "2700",
            "caller": "0x7ff6c28d2299",
            "parentcaller": "0x7ff6c28d2160",
            "category": "device",
            "api": "DeviceIoControl",
            "status": false,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "DeviceHandle",
                "value": "0x000008a0"
              },
              {
                "name": "IoControlCode",
                "value": "0x00560060"
              },
              {
                "name": "InBuffer",
                "value": ""
              },
              {
                "name": "OutBuffer",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 11445
          },
          {
            "timestamp": "2026-05-28 22:01:58,350",
            "thread_id": "2700",
            "caller": "0x7ff6c28d2611",
            "parentcaller": "0x7ff6c28d22b3",
            "category": "device",
            "api": "DeviceIoControl",
            "status": false,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "DeviceHandle",
                "value": "0x000008a0"
              },
              {
                "name": "IoControlCode",
                "value": "0x00560000",
                "pretty_value": "IOCTL_VOLUME_GET_VOLUME_DISK_EXTENTS"
              },
              {
                "name": "InBuffer",
                "value": ""
              },
              {
                "name": "OutBuffer",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 11446
          },
          {
            "timestamp": "2026-05-28 22:01:58,350",
            "thread_id": "2700",
            "caller": "0x7ff6c28d2172",
            "parentcaller": "0x7ff6c28d1879",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000008a0"
              }
            ],
            "repeated": 0,
            "id": 11447
          },
          {
            "timestamp": "2026-05-28 22:01:58,350",
            "thread_id": "2700",
            "caller": "0x7ff6c28d1fce",
            "parentcaller": "0x7ff6c28d18ac",
            "category": "device",
            "api": "DeviceIoControl",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "DeviceHandle",
                "value": "0x0000089c"
              },
              {
                "name": "IoControlCode",
                "value": "0x000700a0",
                "pretty_value": "IOCTL_DISK_GET_DRIVE_GEOMETRY_EX"
              },
              {
                "name": "InBuffer",
                "value": ""
              },
              {
                "name": "OutBuffer",
                "value": "\\x98\\x1e\\x00\\x00\\x00\\x00\\x00\\x00\\x0c\\x00\\x00\\x00\\xff\\x00\\x00\\x00?\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x0f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 11448
          },
          {
            "timestamp": "2026-05-28 22:01:58,350",
            "thread_id": "1276",
            "caller": "0x7ff6c28ba673",
            "parentcaller": "0x7ff6c28ba5a8",
            "category": "filesystem",
            "api": "NtSetInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000818"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\SystemApps\\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\\Assets\\SmallLogo.scale-100.png"
              },
              {
                "name": "FileInformationClass",
                "value": "14",
                "pretty_value": "FilePositionInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 11449
          },
          {
            "timestamp": "2026-05-28 22:01:58,350",
            "thread_id": "2700",
            "caller": "0x7ff6c28d1cf6",
            "parentcaller": "0x7ff6c28d18c4",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000008a0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100000",
                "pretty_value": "GENERIC_READ|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "\\Device\\DeviceApi\\Dev\\Query"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "0"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 11450
          },
          {
            "timestamp": "2026-05-28 22:01:58,350",
            "thread_id": "1276",
            "caller": "0x7ff6c28ba673",
            "parentcaller": "0x7ff6c28ba5a8",
            "category": "filesystem",
            "api": "NtSetInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000818"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\SystemApps\\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\\Assets\\SmallLogo.scale-100.png"
              },
              {
                "name": "FileInformationClass",
                "value": "14",
                "pretty_value": "FilePositionInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 11451
          },
          {
            "timestamp": "2026-05-28 22:01:58,350",
            "thread_id": "2700",
            "caller": "0x7ff6c28d1cf6",
            "parentcaller": "0x7ff6c28d18c4",
            "category": "device",
            "api": "DeviceIoControl",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "DeviceHandle",
                "value": "0x000008a0"
              },
              {
                "name": "IoControlCode",
                "value": "0x00470000"
              },
              {
                "name": "InBuffer",
                "value": "\\x01\\x10\\x08\\x00\\xcc\\xcc\\xcc\\xccX\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x00\\xcaN`\\x1d\\xec\\xee\\x00\\x00\\xa7c`\\x1d\\xec\\xee\\xdc\\x01\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x04\\x00\\x02\\x00\\x04\\x00\\x00\\x00\n\\x00\\x00\\x00\\x08\\x00\\x02\\x00\\x01\\x00\\x00\\x00\\x0c\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00c\\x00\\x00\\x00\\x00\\x00\\x00\\x00c\\x00\\x00\\x00\\\\x00\\\\x00?\\x00\\\\x00S\\x00C\\x00S\\x00I\\x00#\\x00D\\x00i\\x00s\\x00k\\x00&\\x00V\\x00e\\x00n\\x00_\\x00S\\x00A\\x00M\\x00S\\x00U\\x00N\\x00G\\x00&\\x00P\\x00r\\x00o\\x00d\\x00_\\x00M\\x00Z\\x007\\x006\\x00E\\x001\\x002\\x000\\x00#\\x004\\x00&\\x003\\x005\\x004\\x002\\x004\\x008\\x006\\x007\\x00&\\x000\\x00&\\x000\\x000\\x000\\x000\\x000\\x000\\x00#\\x00{\\x005\\x003\\x00f\\x005\\x006\\x003\\x000\\x007\\x00-\\x00b\\x006\\x00b\\x00f\\x00-\\x001\\x001\\x00d\\x00"
              },
              {
                "name": "OutBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x10@\\x00\\xcc\\xcc\\xcc\\xcc\\xcc\\xcc\\xcc\\xcc\\xcc\\xcc\\xcc\\xcc\\xcc\\xcc\\xcc\\xcc\\xcc\\xcc\\xcc\\xcc3\\x05qq\\xba\\xbe7I\\x83\\x19\\xb5\\xdb\\xef\\x9c\\xcc6\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xd0\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00c\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00c\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\\\x00\\\\x00?\\x00\\\\x00S\\x00C\\x00S\\x00I\\x00#\\x00D\\x00i\\x00s\\x00k\\x00&\\x00V\\x00e\\x00n\\x00_\\x00S\\x00A\\x00M\\x00S\\x00U\\x00N\\x00G\\x00&\\x00P\\x00r\\x00o\\x00d\\x00_\\x00M\\x00Z\\x007\\x006\\x00E\\x001\\x002\\x000\\x00#\\x00"
              }
            ],
            "repeated": 0,
            "id": 11452
          },
          {
            "timestamp": "2026-05-28 22:01:58,350",
            "thread_id": "2700",
            "caller": "0x7ff6c28d1cf6",
            "parentcaller": "0x7ff6c28d18c4",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000008a0"
              }
            ],
            "repeated": 0,
            "id": 11453
          },
          {
            "timestamp": "2026-05-28 22:01:58,350",
            "thread_id": "1276",
            "caller": "0x7ff6c28ba673",
            "parentcaller": "0x7ff6c28ba5a8",
            "category": "filesystem",
            "api": "NtSetInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000818"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\SystemApps\\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\\Assets\\SmallLogo.scale-100.png"
              },
              {
                "name": "FileInformationClass",
                "value": "14",
                "pretty_value": "FilePositionInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 11454
          },
          {
            "timestamp": "2026-05-28 22:01:58,350",
            "thread_id": "2700",
            "caller": "0x7ff6c28d1ddb",
            "parentcaller": "0x7ff6c28d18c4",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000008a0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100000",
                "pretty_value": "GENERIC_READ|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "\\Device\\DeviceApi\\Dev\\Query"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "0"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 11455
          },
          {
            "timestamp": "2026-05-28 22:01:58,350",
            "thread_id": "1276",
            "caller": "0x7ff6c28ba673",
            "parentcaller": "0x7ff6c28ba5a8",
            "category": "filesystem",
            "api": "NtSetInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000818"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\SystemApps\\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\\Assets\\SmallLogo.scale-100.png"
              },
              {
                "name": "FileInformationClass",
                "value": "14",
                "pretty_value": "FilePositionInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 11456
          },
          {
            "timestamp": "2026-05-28 22:01:58,350",
            "thread_id": "2700",
            "caller": "0x7ff6c28d1ddb",
            "parentcaller": "0x7ff6c28d18c4",
            "category": "device",
            "api": "DeviceIoControl",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "DeviceHandle",
                "value": "0x000008a0"
              },
              {
                "name": "IoControlCode",
                "value": "0x00470000"
              },
              {
                "name": "InBuffer",
                "value": "\\x01\\x10\\x08\\x00\\xcc\\xcc\\xcc\\xcc\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x00\\xcaN`\\x1d\\xec\\xee\\x00\\x00\\xa7c`\\x1d\\xec\\xee\\xdc\\x01\\x03\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x04\\x00\\x02\\x00\\x04\\x00\\x00\\x00\n\\x00\\x00\\x00\\x08\\x00\\x02\\x00\\x01\\x00\\x00\\x00\\x0c\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x008\\x00\\x00\\x00\\x00\\x00\\x00\\x008\\x00\\x00\\x00S\\x00C\\x00S\\x00I\\x00\\\\x00D\\x00i\\x00s\\x00k\\x00&\\x00V\\x00e\\x00n\\x00_\\x00S\\x00A\\x00M\\x00S\\x00U\\x00N\\x00G\\x00&\\x00P\\x00r\\x00o\\x00d\\x00_\\x00M\\x00Z\\x007\\x006\\x00E\\x001\\x002\\x000\\x00\\\\x004\\x00&\\x003\\x005\\x004\\x002\\x004\\x008\\x006\\x007\\x00&\\x000\\x00&\\x000\\x000\\x000\\x000\\x000\\x000\\x00\\x00\\x00\n\\x00\\x00\\x00e\\x00n\\x00-\\x00U\\x00S\\x00\\x00\\x00e\\x00n\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x000\\xf1%\\xb7\\xefG\\x1a\\x10\\xa5\\xf1\\x02`\\x8c\\x9e\\xeb\\xac"
              },
              {
                "name": "OutBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x10@\\x00\\xcc\\xcc\\xcc\\xcc\\xcc\\xcc\\xcc\\xcc\\xcc\\xcc\\xcc\\xcc\\xcc\\xcc\\xcc\\xcc\\xcc\\xcc\\xcc\\xcc3\\x05qq\\xba\\xbe7I\\x83\\x19\\xb5\\xdb\\xef\\x9c\\xcc6\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x000\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x008\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x008\\x00\\x00\\x00\\x00\\x00\\x00\\x00S\\x00C\\x00S\\x00I\\x00\\\\x00D\\x00i\\x00s\\x00k\\x00&\\x00V\\x00e\\x00n\\x00_\\x00S\\x00A\\x00M\\x00S\\x00U\\x00N\\x00G\\x00&\\x00P\\x00r\\x00o\\x00d\\x00_\\x00M\\x00Z\\x007\\x006\\x00E\\x001\\x002\\x000\\x00\\\\x004\\x00&\\x003\\x005\\x00"
              }
            ],
            "repeated": 0,
            "id": 11457
          },
          {
            "timestamp": "2026-05-28 22:01:58,350",
            "thread_id": "2700",
            "caller": "0x7ff6c28d1ddb",
            "parentcaller": "0x7ff6c28d18c4",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000008a0"
              }
            ],
            "repeated": 0,
            "id": 11458
          },
          {
            "timestamp": "2026-05-28 22:01:58,350",
            "thread_id": "1276",
            "caller": "0x7ff6c28ba673",
            "parentcaller": "0x7ff6c28ba5a8",
            "category": "filesystem",
            "api": "NtSetInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000818"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\SystemApps\\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\\Assets\\SmallLogo.scale-100.png"
              },
              {
                "name": "FileInformationClass",
                "value": "14",
                "pretty_value": "FilePositionInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 12,
            "id": 11459
          },
          {
            "timestamp": "2026-05-28 22:01:58,350",
            "thread_id": "1276",
            "caller": "0x7ff6c28ba673",
            "parentcaller": "0x7ff6c28ba5a8",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000818"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\SystemApps\\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\\Assets\\SmallLogo.scale-100.png"
              },
              {
                "name": "FileInformationClass",
                "value": "5",
                "pretty_value": "FileStandardInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\xb8\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb4\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 11460
          },
          {
            "timestamp": "2026-05-28 22:01:58,350",
            "thread_id": "1276",
            "caller": "0x7ff6c28ba673",
            "parentcaller": "0x7ff6c28ba5a8",
            "category": "filesystem",
            "api": "NtSetInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000818"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\SystemApps\\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\\Assets\\SmallLogo.scale-100.png"
              },
              {
                "name": "FileInformationClass",
                "value": "14",
                "pretty_value": "FilePositionInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 2,
            "id": 11461
          },
          {
            "timestamp": "2026-05-28 22:01:58,350",
            "thread_id": "1276",
            "caller": "0x7ff6c28ba673",
            "parentcaller": "0x7ff6c28ba5a8",
            "category": "filesystem",
            "api": "NtReadFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000818"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\SystemApps\\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\\Assets\\SmallLogo.scale-100.png"
              },
              {
                "name": "Buffer",
                "value": "\\x89PNG\r\n\\x1a\n"
              },
              {
                "name": "Length",
                "value": "8"
              }
            ],
            "repeated": 0,
            "id": 11462
          },
          {
            "timestamp": "2026-05-28 22:01:58,350",
            "thread_id": "1276",
            "caller": "0x7ff6c28ba673",
            "parentcaller": "0x7ff6c28ba5a8",
            "category": "filesystem",
            "api": "NtSetInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000818"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\SystemApps\\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\\Assets\\SmallLogo.scale-100.png"
              },
              {
                "name": "FileInformationClass",
                "value": "14",
                "pretty_value": "FilePositionInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 2,
            "id": 11463
          },
          {
            "timestamp": "2026-05-28 22:01:58,350",
            "thread_id": "1276",
            "caller": "0x7ff6c28ba673",
            "parentcaller": "0x7ff6c28ba5a8",
            "category": "filesystem",
            "api": "NtReadFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000818"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\SystemApps\\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\\Assets\\SmallLogo.scale-100.png"
              },
              {
                "name": "Buffer",
                "value": "\\x00\\x00\\x00\rIHDR"
              },
              {
                "name": "Length",
                "value": "8"
              }
            ],
            "repeated": 0,
            "id": 11464
          },
          {
            "timestamp": "2026-05-28 22:01:58,350",
            "thread_id": "8604",
            "caller": "0x7ff6c28dd762",
            "parentcaller": "0x7ff6c28e113d",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 11465
          },
          {
            "timestamp": "2026-05-28 22:01:58,350",
            "thread_id": "8604",
            "caller": "0x7ff6c28dd762",
            "parentcaller": "0x7ff6c28e113d",
            "category": "system",
            "api": "LdrpCallInitRoutine",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "MappedPath",
                "value": "\\Device\\HarddiskVolume2\\Windows\\System32\\IPHLPAPI"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc74a70000"
              },
              {
                "name": "InitRoutine",
                "value": "0x7ffc74a7a620"
              },
              {
                "name": "Reason",
                "value": "1"
              }
            ],
            "repeated": 0,
            "id": 11466
          },
          {
            "timestamp": "2026-05-28 22:01:58,350",
            "thread_id": "1276",
            "caller": "0x7ff6c28ba673",
            "parentcaller": "0x7ff6c28ba5a8",
            "category": "filesystem",
            "api": "NtSetInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000818"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\SystemApps\\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\\Assets\\SmallLogo.scale-100.png"
              },
              {
                "name": "FileInformationClass",
                "value": "14",
                "pretty_value": "FilePositionInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 11467
          },
          {
            "timestamp": "2026-05-28 22:01:58,350",
            "thread_id": "8604",
            "caller": "0x7ff6c28dd762",
            "parentcaller": "0x7ff6c28e113d",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff6c29dc000"
              },
              {
                "name": "ModuleName",
                "value": "taskmgr.exe"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 11468
          },
          {
            "timestamp": "2026-05-28 22:01:58,350",
            "thread_id": "8604",
            "caller": "0x7ff6c28dd762",
            "parentcaller": "0x7ff6c28e113d",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff6c29dc000"
              },
              {
                "name": "ModuleName",
                "value": "taskmgr.exe"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 11469
          },
          {
            "timestamp": "2026-05-28 22:01:58,350",
            "thread_id": "1276",
            "caller": "0x7ff6c28ba673",
            "parentcaller": "0x7ff6c28ba5a8",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000818"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\SystemApps\\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\\Assets\\SmallLogo.scale-100.png"
              },
              {
                "name": "FileInformationClass",
                "value": "14",
                "pretty_value": "FilePositionInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 11470
          },
          {
            "timestamp": "2026-05-28 22:01:58,350",
            "thread_id": "8604",
            "caller": "0x7ff6c28df3eb",
            "parentcaller": "0x7ff6c28d9055",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "93"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x7f7\\x9e}"
              }
            ],
            "repeated": 0,
            "id": 11471
          },
          {
            "timestamp": "2026-05-28 22:01:58,350",
            "thread_id": "8604",
            "caller": "0x7ff6c28df3eb",
            "parentcaller": "0x7ff6c28d9055",
            "category": "process",
            "api": "NtOpenSection",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0000000d"
              },
              {
                "name": "ObjectAttributes",
                "value": "WINNSI.DLL"
              }
            ],
            "repeated": 0,
            "id": 11472
          },
          {
            "timestamp": "2026-05-28 22:01:58,350",
            "thread_id": "8604",
            "caller": "0x7ff6c28df3eb",
            "parentcaller": "0x7ff6c28d9055",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\winnsi.dll"
              }
            ],
            "repeated": 0,
            "id": 11473
          },
          {
            "timestamp": "2026-05-28 22:01:58,350",
            "thread_id": "1276",
            "caller": "0x7ff6c28ba673",
            "parentcaller": "0x7ff6c28ba5a8",
            "category": "filesystem",
            "api": "NtSetInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000818"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\SystemApps\\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\\Assets\\SmallLogo.scale-100.png"
              },
              {
                "name": "FileInformationClass",
                "value": "14",
                "pretty_value": "FilePositionInformation"
              },
              {
                "name": "FileInformation",
                "value": "!\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 11474
          },
          {
            "timestamp": "2026-05-28 22:01:58,350",
            "thread_id": "8604",
            "caller": "0x7ff6c28df3eb",
            "parentcaller": "0x7ff6c28d9055",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000008a0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100021",
                "pretty_value": "FILE_READ_ACCESS|FILE_EXECUTE|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\winnsi.dll"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 11475
          },
          {
            "timestamp": "2026-05-28 22:01:58,350",
            "thread_id": "8604",
            "caller": "0x7ff6c28df3eb",
            "parentcaller": "0x7ff6c28d9055",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000898"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0000000d",
                "pretty_value": "SECTION_QUERY|SECTION_MAP_READ|SECTION_MAP_EXECUTE"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x000008a0"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\winnsi.dll"
              }
            ],
            "repeated": 0,
            "id": 11476
          },
          {
            "timestamp": "2026-05-28 22:01:58,350",
            "thread_id": "8604",
            "caller": "0x7ff6c28df3eb",
            "parentcaller": "0x7ff6c28d9055",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000898"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc6e0e0000"
              },
              {
                "name": "SectionOffset",
                "value": "0x00000000"
              },
              {
                "name": "ViewSize",
                "value": "0x0000b000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000080",
                "pretty_value": "PAGE_EXECUTE_WRITECOPY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 11477
          },
          {
            "timestamp": "2026-05-28 22:01:58,350",
            "thread_id": "8604",
            "caller": "0x7ff6c28df3eb",
            "parentcaller": "0x7ff6c28d9055",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc6e0e4000"
              },
              {
                "name": "ModuleName",
                "value": "WINNSI.DLL"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 11478
          },
          {
            "timestamp": "2026-05-28 22:01:58,350",
            "thread_id": "8604",
            "caller": "0x7ff6c28df3eb",
            "parentcaller": "0x7ff6c28d9055",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc6e0e4000"
              },
              {
                "name": "ModuleName",
                "value": "WINNSI.DLL"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 11479
          },
          {
            "timestamp": "2026-05-28 22:01:58,350",
            "thread_id": "8604",
            "caller": "0x7ff6c28df3eb",
            "parentcaller": "0x7ff6c28d9055",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc6e0e4000"
              },
              {
                "name": "ModuleName",
                "value": "WINNSI.DLL"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 11480
          },
          {
            "timestamp": "2026-05-28 22:01:58,350",
            "thread_id": "8604",
            "caller": "0x7ff6c28df3eb",
            "parentcaller": "0x7ff6c28d9055",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc6e0e4000"
              },
              {
                "name": "ModuleName",
                "value": "WINNSI.DLL"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 11481
          },
          {
            "timestamp": "2026-05-28 22:01:58,350",
            "thread_id": "8604",
            "caller": "0x7ff6c28df3eb",
            "parentcaller": "0x7ff6c28d9055",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc6e0e4000"
              },
              {
                "name": "ModuleName",
                "value": "WINNSI.DLL"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 11482
          },
          {
            "timestamp": "2026-05-28 22:01:58,350",
            "thread_id": "8604",
            "caller": "0x7ff6c28df3eb",
            "parentcaller": "0x7ff6c28d9055",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000898"
              }
            ],
            "repeated": 0,
            "id": 11483
          },
          {
            "timestamp": "2026-05-28 22:01:58,350",
            "thread_id": "8604",
            "caller": "0x7ff6c28df3eb",
            "parentcaller": "0x7ff6c28d9055",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000008a0"
              }
            ],
            "repeated": 0,
            "id": 11484
          },
          {
            "timestamp": "2026-05-28 22:01:58,350",
            "thread_id": "1276",
            "caller": "0x7ff6c28ba673",
            "parentcaller": "0x7ff6c28ba5a8",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000818"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\SystemApps\\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\\Assets\\SmallLogo.scale-100.png"
              },
              {
                "name": "FileInformationClass",
                "value": "14",
                "pretty_value": "FilePositionInformation"
              },
              {
                "name": "FileInformation",
                "value": ")\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 11485
          },
          {
            "timestamp": "2026-05-28 22:01:58,350",
            "thread_id": "8604",
            "caller": "0x7ff6c28df3eb",
            "parentcaller": "0x7ff6c28d9055",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\SYSTEM32\\WINNSI"
              },
              {
                "name": "DllBase",
                "value": "0x7ffc6e0e0000"
              }
            ],
            "repeated": 0,
            "id": 11486
          },
          {
            "timestamp": "2026-05-28 22:01:58,350",
            "thread_id": "1276",
            "caller": "0x7ff6c28ba673",
            "parentcaller": "0x7ff6c28ba5a8",
            "category": "filesystem",
            "api": "NtSetInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000818"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\SystemApps\\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\\Assets\\SmallLogo.scale-100.png"
              },
              {
                "name": "FileInformationClass",
                "value": "14",
                "pretty_value": "FilePositionInformation"
              },
              {
                "name": "FileInformation",
                "value": ")\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 11487
          },
          {
            "timestamp": "2026-05-28 22:01:58,350",
            "thread_id": "1276",
            "caller": "0x7ff6c28ba673",
            "parentcaller": "0x7ff6c28ba5a8",
            "category": "filesystem",
            "api": "NtReadFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000818"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\SystemApps\\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\\Assets\\SmallLogo.scale-100.png"
              },
              {
                "name": "Buffer",
                "value": "\\x00\\x00\\x0b\\x13\\x00\\x00\\x0b\\x13\\x01\\x00\\x9a\\x9c\\x18"
              },
              {
                "name": "Length",
                "value": "13"
              }
            ],
            "repeated": 0,
            "id": 11488
          },
          {
            "timestamp": "2026-05-28 22:01:58,350",
            "thread_id": "1276",
            "caller": "0x7ff6c28ba673",
            "parentcaller": "0x7ff6c28ba5a8",
            "category": "filesystem",
            "api": "NtSetInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000818"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\SystemApps\\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\\Assets\\SmallLogo.scale-100.png"
              },
              {
                "name": "FileInformationClass",
                "value": "14",
                "pretty_value": "FilePositionInformation"
              },
              {
                "name": "FileInformation",
                "value": "6\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 2,
            "id": 11489
          },
          {
            "timestamp": "2026-05-28 22:01:58,350",
            "thread_id": "1276",
            "caller": "0x7ff6c28ba673",
            "parentcaller": "0x7ff6c28ba5a8",
            "category": "filesystem",
            "api": "NtReadFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000818"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\SystemApps\\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\\Assets\\SmallLogo.scale-100.png"
              },
              {
                "name": "Buffer",
                "value": "\\x00\\x00\\x00fIDAT"
              },
              {
                "name": "Length",
                "value": "8"
              }
            ],
            "repeated": 0,
            "id": 11490
          },
          {
            "timestamp": "2026-05-28 22:01:58,350",
            "thread_id": "1276",
            "caller": "0x7ff6c28ba143",
            "parentcaller": "0x7ff6c28ba006",
            "category": "filesystem",
            "api": "NtSetInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000818"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\SystemApps\\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\\Assets\\SmallLogo.scale-100.png"
              },
              {
                "name": "FileInformationClass",
                "value": "14",
                "pretty_value": "FilePositionInformation"
              },
              {
                "name": "FileInformation",
                "value": "6\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 2,
            "id": 11491
          },
          {
            "timestamp": "2026-05-28 22:01:58,350",
            "thread_id": "1276",
            "caller": "0x7ff6c28ba143",
            "parentcaller": "0x7ff6c28ba006",
            "category": "filesystem",
            "api": "NtReadFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000818"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\SystemApps\\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\\Assets\\SmallLogo.scale-100.png"
              },
              {
                "name": "Buffer",
                "value": "\\x00\\x00\\x00fIDAT"
              },
              {
                "name": "Length",
                "value": "8"
              }
            ],
            "repeated": 0,
            "id": 11492
          },
          {
            "timestamp": "2026-05-28 22:01:58,350",
            "thread_id": "1276",
            "caller": "0x7ff6c28ba143",
            "parentcaller": "0x7ff6c28ba006",
            "category": "filesystem",
            "api": "NtSetInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000818"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\SystemApps\\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\\Assets\\SmallLogo.scale-100.png"
              },
              {
                "name": "FileInformationClass",
                "value": "14",
                "pretty_value": "FilePositionInformation"
              },
              {
                "name": "FileInformation",
                "value": "6\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 11493
          },
          {
            "timestamp": "2026-05-28 22:01:58,350",
            "thread_id": "8604",
            "caller": "0x7ff6c28df3eb",
            "parentcaller": "0x7ff6c28d9055",
            "category": "system",
            "api": "LdrpCallInitRoutine",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "MappedPath",
                "value": "\\Device\\HarddiskVolume2\\Windows\\System32\\winnsi"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc6e0e0000"
              },
              {
                "name": "InitRoutine",
                "value": "0x7ffc6e0e1f70"
              },
              {
                "name": "Reason",
                "value": "1"
              }
            ],
            "repeated": 0,
            "id": 11494
          },
          {
            "timestamp": "2026-05-28 22:01:58,350",
            "thread_id": "8604",
            "caller": "0x7ff6c28df3eb",
            "parentcaller": "0x7ff6c28d9055",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc74aa8000"
              },
              {
                "name": "ModuleName",
                "value": "IPHLPAPI.DLL"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 11495
          },
          {
            "timestamp": "2026-05-28 22:01:58,350",
            "thread_id": "8604",
            "caller": "0x7ff6c28df3eb",
            "parentcaller": "0x7ff6c28d9055",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc74aa8000"
              },
              {
                "name": "ModuleName",
                "value": "IPHLPAPI.DLL"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 11496
          },
          {
            "timestamp": "2026-05-28 22:01:58,350",
            "thread_id": "1276",
            "caller": "0x7ff6c28ba143",
            "parentcaller": "0x7ff6c28ba006",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000818"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\SystemApps\\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\\Assets\\SmallLogo.scale-100.png"
              },
              {
                "name": "FileInformationClass",
                "value": "14",
                "pretty_value": "FilePositionInformation"
              },
              {
                "name": "FileInformation",
                "value": "6\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 11497
          },
          {
            "timestamp": "2026-05-28 22:01:58,350",
            "thread_id": "8604",
            "caller": "0x7ff6c28df3eb",
            "parentcaller": "0x7ff6c28d9055",
            "category": "system",
            "api": "NtDuplicateObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SourceProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "SourceHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "TargetProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "TargetHandle",
                "value": "0x00000898"
              },
              {
                "name": "Options",
                "value": "0x00000002"
              }
            ],
            "repeated": 0,
            "id": 11498
          },
          {
            "timestamp": "2026-05-28 22:01:58,350",
            "thread_id": "1276",
            "caller": "0x7ff6c28ba143",
            "parentcaller": "0x7ff6c28ba006",
            "category": "filesystem",
            "api": "NtSetInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000818"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\SystemApps\\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\\Assets\\SmallLogo.scale-100.png"
              },
              {
                "name": "FileInformationClass",
                "value": "14",
                "pretty_value": "FilePositionInformation"
              },
              {
                "name": "FileInformation",
                "value": "6\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 11499
          },
          {
            "timestamp": "2026-05-28 22:01:58,350",
            "thread_id": "8604",
            "caller": "0x7ff6c28df3eb",
            "parentcaller": "0x7ff6c28d9055",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000008a4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100080",
                "pretty_value": "FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "\\??\\Nsi"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "3",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "no"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 11500
          },
          {
            "timestamp": "2026-05-28 22:01:58,350",
            "thread_id": "1276",
            "caller": "0x7ff6c28ba143",
            "parentcaller": "0x7ff6c28ba006",
            "category": "filesystem",
            "api": "NtReadFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000818"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\SystemApps\\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\\Assets\\SmallLogo.scale-100.png"
              },
              {
                "name": "Buffer",
                "value": "\\x00\\x00\\x00fIDAT8\\xcb\\xc5\\x93Q\n\\xc00\\x08CM\\xf1`;\\xfan\\x96\\xfd\\xe8h\\xc7Z\\xb4\\xc2\\xe6O\\x83\\xd0\\xe4\\x89\\x08\\x92R\\xa9&\\xc5R{\\xa3\\x18g\\xa7\\x0f\\x11\\x01l\\x84\\xdd9\\xa0\\xb7\\x02\\x90\\xf9IK\\xd6\\xb7\\xe6\\x10\\x01\\xc0\\xfb\\xae\\xfb0\rq.\\xe8Z\\x14\\x97\\x93}\\xa7\t\\x9e4\\xdf\\x13,\r\\xb2\\xab\\x1c\\x0c\\xb8y\\x14n\\x80\\xdf\\x8e\\xa9lp\\x01\\x93\\x9c-,\\xb2\\x1eQ\\xec\\x00\\x00\\x00\\x00IEND"
              },
              {
                "name": "Length",
                "value": "122"
              }
            ],
            "repeated": 0,
            "id": 11501
          },
          {
            "timestamp": "2026-05-28 22:01:58,350",
            "thread_id": "8604",
            "caller": "0x7ff6c28df3eb",
            "parentcaller": "0x7ff6c28d9055",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000008a4"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\Nsi"
              },
              {
                "name": "IoControlCode",
                "value": "0x0012000f"
              },
              {
                "name": "InputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00XN\\x0en\\xfc\\x7f\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xd0\\xf4O\\x9e\\xf0\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00XN\\x0en\\xfc\\x7f\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xd0\\xf4O\\x9e\\xf0\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 11502
          },
          {
            "timestamp": "2026-05-28 22:01:58,350",
            "thread_id": "1276",
            "caller": "0x7ff6c28b3747",
            "parentcaller": "0x7ff6c28ba5eb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000818"
              }
            ],
            "repeated": 0,
            "id": 11503
          },
          {
            "timestamp": "2026-05-28 22:01:58,350",
            "thread_id": "8604",
            "caller": "0x7ff6c28df3eb",
            "parentcaller": "0x7ff6c28d9055",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000008a8"
              }
            ],
            "repeated": 0,
            "id": 11504
          },
          {
            "timestamp": "2026-05-28 22:01:58,350",
            "thread_id": "2700",
            "caller": "0x7ffc78013f7a",
            "parentcaller": "0x7ffc770b0ed7",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "29"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 11505
          },
          {
            "timestamp": "2026-05-28 22:01:58,350",
            "thread_id": "8600",
            "caller": "0x7ffc756e6785",
            "parentcaller": "0x7ffc770fe41e",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000890"
              }
            ],
            "repeated": 0,
            "id": 11506
          },
          {
            "timestamp": "2026-05-28 22:01:58,350",
            "thread_id": "8600",
            "caller": "0x7ffc756e6785",
            "parentcaller": "0x7ffc770fe4e4",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000880"
              }
            ],
            "repeated": 0,
            "id": 11507
          },
          {
            "timestamp": "2026-05-28 22:01:58,350",
            "thread_id": "1496",
            "caller": "0x7ff6c28da9db",
            "parentcaller": "0x7ff6c28d6fb1",
            "category": "misc",
            "api": "GetCursorPos",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "x",
                "value": "708"
              },
              {
                "name": "y",
                "value": "355"
              }
            ],
            "repeated": 0,
            "id": 11508
          },
          {
            "timestamp": "2026-05-28 22:01:58,350",
            "thread_id": "8600",
            "caller": "0x7ffc7802469e",
            "parentcaller": "0x7ffc7604734d",
            "category": "threading",
            "api": "NtTerminateThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0x00000000"
              },
              {
                "name": "ExitStatus",
                "value": "0x00000000"
              },
              {
                "name": "ThreadId",
                "value": "0"
              },
              {
                "name": "ProcessId",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 11509
          },
          {
            "timestamp": "2026-05-28 22:01:58,350",
            "thread_id": "8604",
            "caller": "0x7ff6c28df3eb",
            "parentcaller": "0x7ff6c28d9055",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000008a8"
              }
            ],
            "repeated": 0,
            "id": 11510
          },
          {
            "timestamp": "2026-05-28 22:01:58,350",
            "thread_id": "8604",
            "caller": "0x7ff6c28df3eb",
            "parentcaller": "0x7ff6c28d9055",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000008a4"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\Nsi"
              },
              {
                "name": "IoControlCode",
                "value": "0x0012000f"
              },
              {
                "name": "InputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00XN\\x0en\\xfc\\x7f\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xd0\\xf4O\\x9e\\xf0\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00XN\\x0en\\xfc\\x7f\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xd0\\xf4O\\x9e\\xf0\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 11511
          },
          {
            "timestamp": "2026-05-28 22:01:58,350",
            "thread_id": "8604",
            "caller": "0x7ff6c28df3eb",
            "parentcaller": "0x7ff6c28d9055",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000008a8"
              }
            ],
            "repeated": 0,
            "id": 11512
          },
          {
            "timestamp": "2026-05-28 22:01:58,350",
            "thread_id": "1496",
            "caller": "0x7ff6c28da9db",
            "parentcaller": "0x7ff6c28d6fb1",
            "category": "misc",
            "api": "GetCursorPos",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "x",
                "value": "693"
              },
              {
                "name": "y",
                "value": "361"
              }
            ],
            "repeated": 0,
            "id": 11513
          },
          {
            "timestamp": "2026-05-28 22:01:58,350",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6fb1",
            "parentcaller": "0x7ff6c28e0076",
            "category": "system",
            "api": "NtDelayExecution",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 11514
          },
          {
            "timestamp": "2026-05-28 22:01:58,350",
            "thread_id": "8604",
            "caller": "0x7ff6c28df3eb",
            "parentcaller": "0x7ff6c28d9055",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000008a8"
              }
            ],
            "repeated": 0,
            "id": 11515
          },
          {
            "timestamp": "2026-05-28 22:01:58,350",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1277",
            "parentcaller": "0x7ff6c28d9055",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc74048000"
              },
              {
                "name": "ModuleName",
                "value": "dxgi.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 11516
          },
          {
            "timestamp": "2026-05-28 22:01:58,350",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1277",
            "parentcaller": "0x7ff6c28d9055",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc74048000"
              },
              {
                "name": "ModuleName",
                "value": "dxgi.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 11517
          },
          {
            "timestamp": "2026-05-28 22:01:58,350",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "synchronization",
            "api": "NtCreateMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000008d8"
              },
              {
                "name": "MutexName",
                "value": ""
              },
              {
                "name": "InitialOwner",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 11518
          },
          {
            "timestamp": "2026-05-28 22:01:58,350",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 1,
            "id": 11519
          },
          {
            "timestamp": "2026-05-28 22:01:58,350",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "synchronization",
            "api": "NtCreateMutant",
            "status": true,
            "return": "0x40000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000008e4"
              },
              {
                "name": "MutexName",
                "value": "Installing"
              },
              {
                "name": "InitialOwner",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 11520
          },
          {
            "timestamp": "2026-05-28 22:01:58,350",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008e8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0002001f",
                "pretty_value": "KEY_READ|KEY_WRITE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib"
              }
            ],
            "repeated": 0,
            "id": 11521
          },
          {
            "timestamp": "2026-05-28 22:01:58,350",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008e8"
              },
              {
                "name": "ValueName",
                "value": "Last Counter"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "9884"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\Last Counter"
              }
            ],
            "repeated": 0,
            "id": 11522
          },
          {
            "timestamp": "2026-05-28 22:01:58,350",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008e8"
              },
              {
                "name": "ValueName",
                "value": "Last Help"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "9885"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\Last Help"
              }
            ],
            "repeated": 0,
            "id": 11523
          },
          {
            "timestamp": "2026-05-28 22:01:58,350",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008ec"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0002001f",
                "pretty_value": "KEY_READ|KEY_WRITE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000008e8"
              },
              {
                "name": "ObjectAttributesName",
                "value": "_V2Providers"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers"
              }
            ],
            "repeated": 0,
            "id": 11524
          },
          {
            "timestamp": "2026-05-28 22:01:58,350",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtEnumerateKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008ec"
              },
              {
                "name": "Index",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 11525
          },
          {
            "timestamp": "2026-05-28 22:01:58,350",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0002001f",
                "pretty_value": "KEY_READ|KEY_WRITE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000008ec"
              },
              {
                "name": "ObjectAttributesName",
                "value": "{16fa106f-26c3-42a5-982b-400779ea8970}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{16fa106f-26c3-42a5-982b-400779ea8970}"
              }
            ],
            "repeated": 0,
            "id": 11526
          },
          {
            "timestamp": "2026-05-28 22:01:58,350",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f0"
              },
              {
                "name": "ValueName",
                "value": "ProviderType"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{16fa106f-26c3-42a5-982b-400779ea8970}\\ProviderType"
              }
            ],
            "repeated": 0,
            "id": 11527
          },
          {
            "timestamp": "2026-05-28 22:01:58,350",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f0"
              },
              {
                "name": "ValueName",
                "value": "ProviderName"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{16fa106f-26c3-42a5-982b-400779ea8970}\\ProviderName"
              }
            ],
            "repeated": 0,
            "id": 11528
          },
          {
            "timestamp": "2026-05-28 22:01:58,350",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f0"
              },
              {
                "name": "ValueName",
                "value": "ProviderName"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "Information",
                "value": "DdmCounterProvider"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{16fa106f-26c3-42a5-982b-400779ea8970}\\ProviderName"
              }
            ],
            "repeated": 0,
            "id": 11529
          },
          {
            "timestamp": "2026-05-28 22:01:58,350",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f0"
              },
              {
                "name": "ValueName",
                "value": "ApplicationIdentity"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{16fa106f-26c3-42a5-982b-400779ea8970}\\ApplicationIdentity"
              }
            ],
            "repeated": 0,
            "id": 11530
          },
          {
            "timestamp": "2026-05-28 22:01:58,350",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f0"
              },
              {
                "name": "ValueName",
                "value": "ApplicationIdentity"
              },
              {
                "name": "Type",
                "value": "2",
                "pretty_value": "REG_EXPAND_SZ"
              },
              {
                "name": "Information",
                "value": "%SystemRoot%\\system32\\mprddm.dll"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{16fa106f-26c3-42a5-982b-400779ea8970}\\ApplicationIdentity"
              }
            ],
            "repeated": 0,
            "id": 11531
          },
          {
            "timestamp": "2026-05-28 22:01:58,350",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtEnumerateKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f0"
              },
              {
                "name": "Index",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 11532
          },
          {
            "timestamp": "2026-05-28 22:01:58,350",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0002001f",
                "pretty_value": "KEY_READ|KEY_WRITE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000008f0"
              },
              {
                "name": "ObjectAttributesName",
                "value": "{a4b0515f-2c2f-4fc4-87f5-b3a3a8747225}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{16fa106f-26c3-42a5-982b-400779ea8970}\\{a4b0515f-2c2f-4fc4-87f5-b3a3a8747225}"
              }
            ],
            "repeated": 0,
            "id": 11533
          },
          {
            "timestamp": "2026-05-28 22:01:58,350",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f4"
              },
              {
                "name": "ValueName",
                "value": "InstanceType"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{16fa106f-26c3-42a5-982b-400779ea8970}\\{a4b0515f-2c2f-4fc4-87f5-b3a3a8747225}\\InstanceType"
              }
            ],
            "repeated": 0,
            "id": 11534
          },
          {
            "timestamp": "2026-05-28 22:01:58,350",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f4"
              },
              {
                "name": "ValueName",
                "value": "NameResource"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "101"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{16fa106f-26c3-42a5-982b-400779ea8970}\\{a4b0515f-2c2f-4fc4-87f5-b3a3a8747225}\\NameResource"
              }
            ],
            "repeated": 0,
            "id": 11535
          },
          {
            "timestamp": "2026-05-28 22:01:58,350",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f4"
              },
              {
                "name": "ValueName",
                "value": "ExplainResource"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "103"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{16fa106f-26c3-42a5-982b-400779ea8970}\\{a4b0515f-2c2f-4fc4-87f5-b3a3a8747225}\\ExplainResource"
              }
            ],
            "repeated": 0,
            "id": 11536
          },
          {
            "timestamp": "2026-05-28 22:01:58,350",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f4"
              },
              {
                "name": "ValueName",
                "value": "First Counter"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "4776"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{16fa106f-26c3-42a5-982b-400779ea8970}\\{a4b0515f-2c2f-4fc4-87f5-b3a3a8747225}\\First Counter"
              }
            ],
            "repeated": 0,
            "id": 11537
          },
          {
            "timestamp": "2026-05-28 22:01:58,350",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f4"
              },
              {
                "name": "ValueName",
                "value": "Last Counter"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "4786"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{16fa106f-26c3-42a5-982b-400779ea8970}\\{a4b0515f-2c2f-4fc4-87f5-b3a3a8747225}\\Last Counter"
              }
            ],
            "repeated": 0,
            "id": 11538
          },
          {
            "timestamp": "2026-05-28 22:01:58,350",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f4"
              },
              {
                "name": "ValueName",
                "value": "CounterBlock"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{16fa106f-26c3-42a5-982b-400779ea8970}\\{a4b0515f-2c2f-4fc4-87f5-b3a3a8747225}\\CounterBlock"
              }
            ],
            "repeated": 0,
            "id": 11539
          },
          {
            "timestamp": "2026-05-28 22:01:58,350",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f4"
              },
              {
                "name": "ValueName",
                "value": "CounterBlock"
              },
              {
                "name": "Type",
                "value": "3",
                "pretty_value": "REG_BINARY"
              },
              {
                "name": "Information",
                "value": "\\x01\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00d\\x00\\x00\\x00\\x01\\x00\\x00\\x00k\\x00\\x00\\x00i\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00d\\x00\\x00\\x00\\x01\\x00\\x00\\x00o\\x00\\x00\\x00m\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00d\\x00\\x00\\x00\\x01\\x00\\x00\\x00s\\x00\\x00\\x00q\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x01\\x01\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00d\\x00\\x00\\x00\\x01\\x00\\x00\\x00w\\x00\\x00\\x00u\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x00\\x05\\x00\\x00\\x00\\x00\\x01\\x01\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00d\\x00\\x00\\x00\\x01\\x00\\x00\\x00{\\x00\\x00\\x00y\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x00"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{16fa106f-26c3-42a5-982b-400779ea8970}\\{a4b0515f-2c2f-4fc4-87f5-b3a3a8747225}\\CounterBlock"
              }
            ],
            "repeated": 0,
            "id": 11540
          },
          {
            "timestamp": "2026-05-28 22:01:58,350",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f4"
              },
              {
                "name": "ValueName",
                "value": "CounterCount"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "5"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{16fa106f-26c3-42a5-982b-400779ea8970}\\{a4b0515f-2c2f-4fc4-87f5-b3a3a8747225}\\CounterCount"
              }
            ],
            "repeated": 0,
            "id": 11541
          },
          {
            "timestamp": "2026-05-28 22:01:58,350",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000008f4"
              }
            ],
            "repeated": 0,
            "id": 11542
          },
          {
            "timestamp": "2026-05-28 22:01:58,350",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtEnumerateKey",
            "status": false,
            "return": "0xffffffff8000001a",
            "pretty_return": "NO_MORE_ENTRIES",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f0"
              },
              {
                "name": "Index",
                "value": "1"
              }
            ],
            "repeated": 0,
            "id": 11543
          },
          {
            "timestamp": "2026-05-28 22:01:58,350",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000008f0"
              }
            ],
            "repeated": 0,
            "id": 11544
          },
          {
            "timestamp": "2026-05-28 22:01:58,350",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtEnumerateKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008ec"
              },
              {
                "name": "Index",
                "value": "1"
              }
            ],
            "repeated": 0,
            "id": 11545
          },
          {
            "timestamp": "2026-05-28 22:01:58,350",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0002001f",
                "pretty_value": "KEY_READ|KEY_WRITE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000008ec"
              },
              {
                "name": "ObjectAttributesName",
                "value": "{1ffc4a37-aabd-49e0-8b3d-fce8b099febb}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{1ffc4a37-aabd-49e0-8b3d-fce8b099febb}"
              }
            ],
            "repeated": 0,
            "id": 11546
          },
          {
            "timestamp": "2026-05-28 22:01:58,350",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f0"
              },
              {
                "name": "ValueName",
                "value": "ProviderType"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{1ffc4a37-aabd-49e0-8b3d-fce8b099febb}\\ProviderType"
              }
            ],
            "repeated": 0,
            "id": 11547
          },
          {
            "timestamp": "2026-05-28 22:01:58,350",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f0"
              },
              {
                "name": "ValueName",
                "value": "ProviderName"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{1ffc4a37-aabd-49e0-8b3d-fce8b099febb}\\ProviderName"
              }
            ],
            "repeated": 0,
            "id": 11548
          },
          {
            "timestamp": "2026-05-28 22:01:58,350",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f0"
              },
              {
                "name": "ValueName",
                "value": "ProviderName"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "Information",
                "value": "VidPerfProvider"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{1ffc4a37-aabd-49e0-8b3d-fce8b099febb}\\ProviderName"
              }
            ],
            "repeated": 0,
            "id": 11549
          },
          {
            "timestamp": "2026-05-28 22:01:58,350",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f0"
              },
              {
                "name": "ValueName",
                "value": "ApplicationIdentity"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{1ffc4a37-aabd-49e0-8b3d-fce8b099febb}\\ApplicationIdentity"
              }
            ],
            "repeated": 0,
            "id": 11550
          },
          {
            "timestamp": "2026-05-28 22:01:58,350",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f0"
              },
              {
                "name": "ValueName",
                "value": "ApplicationIdentity"
              },
              {
                "name": "Type",
                "value": "2",
                "pretty_value": "REG_EXPAND_SZ"
              },
              {
                "name": "Information",
                "value": "vid.dll"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{1ffc4a37-aabd-49e0-8b3d-fce8b099febb}\\ApplicationIdentity"
              }
            ],
            "repeated": 0,
            "id": 11551
          },
          {
            "timestamp": "2026-05-28 22:01:58,350",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtEnumerateKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f0"
              },
              {
                "name": "Index",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 11552
          },
          {
            "timestamp": "2026-05-28 22:01:58,350",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0002001f",
                "pretty_value": "KEY_READ|KEY_WRITE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000008f0"
              },
              {
                "name": "ObjectAttributesName",
                "value": "{d049a97f-9f42-4c11-ad73-5d8c68b30258}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{1ffc4a37-aabd-49e0-8b3d-fce8b099febb}\\{d049a97f-9f42-4c11-ad73-5d8c68b30258}"
              }
            ],
            "repeated": 0,
            "id": 11553
          },
          {
            "timestamp": "2026-05-28 22:01:58,350",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f4"
              },
              {
                "name": "ValueName",
                "value": "InstanceType"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "6"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{1ffc4a37-aabd-49e0-8b3d-fce8b099febb}\\{d049a97f-9f42-4c11-ad73-5d8c68b30258}\\InstanceType"
              }
            ],
            "repeated": 0,
            "id": 11554
          },
          {
            "timestamp": "2026-05-28 22:01:58,350",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f4"
              },
              {
                "name": "ValueName",
                "value": "NameResource"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "30028"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{1ffc4a37-aabd-49e0-8b3d-fce8b099febb}\\{d049a97f-9f42-4c11-ad73-5d8c68b30258}\\NameResource"
              }
            ],
            "repeated": 0,
            "id": 11555
          },
          {
            "timestamp": "2026-05-28 22:01:58,350",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f4"
              },
              {
                "name": "ValueName",
                "value": "ExplainResource"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "30030"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{1ffc4a37-aabd-49e0-8b3d-fce8b099febb}\\{d049a97f-9f42-4c11-ad73-5d8c68b30258}\\ExplainResource"
              }
            ],
            "repeated": 0,
            "id": 11556
          },
          {
            "timestamp": "2026-05-28 22:01:58,350",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f4"
              },
              {
                "name": "ValueName",
                "value": "First Counter"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "1914"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{1ffc4a37-aabd-49e0-8b3d-fce8b099febb}\\{d049a97f-9f42-4c11-ad73-5d8c68b30258}\\First Counter"
              }
            ],
            "repeated": 0,
            "id": 11557
          },
          {
            "timestamp": "2026-05-28 22:01:58,350",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f4"
              },
              {
                "name": "ValueName",
                "value": "Last Counter"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "2910"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{1ffc4a37-aabd-49e0-8b3d-fce8b099febb}\\{d049a97f-9f42-4c11-ad73-5d8c68b30258}\\Last Counter"
              }
            ],
            "repeated": 0,
            "id": 11558
          },
          {
            "timestamp": "2026-05-28 22:01:58,350",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f4"
              },
              {
                "name": "ValueName",
                "value": "CounterBlock"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{1ffc4a37-aabd-49e0-8b3d-fce8b099febb}\\{d049a97f-9f42-4c11-ad73-5d8c68b30258}\\CounterBlock"
              }
            ],
            "repeated": 0,
            "id": 11559
          },
          {
            "timestamp": "2026-05-28 22:01:58,350",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f4"
              },
              {
                "name": "ValueName",
                "value": "CounterBlock"
              },
              {
                "name": "Type",
                "value": "3",
                "pretty_value": "REG_BINARY"
              },
              {
                "name": "Information",
                "value": "\\x10\\x00\\x00\\x00\\x00\\x01\\x01\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00d\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x8cu\\x00\\x00\\x8eu\\x00\\x00\\x01\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x00/\\x00\\x00\\x00\\x00\\x01\\x01\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00d\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x08v\\x00\\x00\nv\\x00\\x00\\x01\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x001\\x00\\x00\\x00\\x00\\x01\\x01\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00d\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10v\\x00\\x00\\x12v\\x00\\x00\\x01\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x002\\x00\\x00\\x00\\x00\\x01\\x01\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00d\\x00\\x00\\x00\\x00\\x00\\x00\\x00b\\xfe\\x00\\x00`\\xfe\\x00\\x00\\x01\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x003\\x00\\x00\\x00\\x00\\x01\\x01\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00d\\x00\\x00\\x00\\x00\\x00\\x00\\x00^\\xfe\\x00\\x00\\\\xfe\\x00\\x00\\x01\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x004\\x00\\x00\\x00\\x00\\x01\\x01\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00d\\x00\\x00\\x00\\x00\\x00\\x00\\x00Z\\xfe\\x00\\x00X\\xfe\\x00\\x00\\x01\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x005\\x00\\x00\\x00\\x00\\x01\\x01\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00d\\x00\\x00\\x00\\x00\\x00\\x00\\x00V\\xfe\\x00\\x00T\\xfe\\x00\\x00\\x01\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x006\\x00\\x00\\x00\\x00\\x01\\x01\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00d\\x00\\x00\\x00\\x00\\x00\\x00\\x00R\\xfe\\x00\
\x00P\\xfe\\x00\\x00\\x01\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x007\\x00\\x00\\x00\\x00\\x01\\x01\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00d\\x00\\x00\\x00\\x00\\x00\\x00\\x00N\\xfe\\x00\\x00L\\xfe\\x00\\x00\\x01\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x008\\x00\\x00\\x00\\x00\\x01\\x01\\x00"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{1ffc4a37-aabd-49e0-8b3d-fce8b099febb}\\{d049a97f-9f42-4c11-ad73-5d8c68b30258}\\CounterBlock"
              }
            ],
            "repeated": 0,
            "id": 11560
          },
          {
            "timestamp": "2026-05-28 22:01:58,350",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f4"
              },
              {
                "name": "ValueName",
                "value": "CounterCount"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "498"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{1ffc4a37-aabd-49e0-8b3d-fce8b099febb}\\{d049a97f-9f42-4c11-ad73-5d8c68b30258}\\CounterCount"
              }
            ],
            "repeated": 0,
            "id": 11561
          },
          {
            "timestamp": "2026-05-28 22:01:58,350",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000008f4"
              }
            ],
            "repeated": 0,
            "id": 11562
          },
          {
            "timestamp": "2026-05-28 22:01:58,350",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtEnumerateKey",
            "status": false,
            "return": "0xffffffff8000001a",
            "pretty_return": "NO_MORE_ENTRIES",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f0"
              },
              {
                "name": "Index",
                "value": "1"
              }
            ],
            "repeated": 0,
            "id": 11563
          },
          {
            "timestamp": "2026-05-28 22:01:58,350",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000008f0"
              }
            ],
            "repeated": 0,
            "id": 11564
          },
          {
            "timestamp": "2026-05-28 22:01:58,350",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtEnumerateKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008ec"
              },
              {
                "name": "Index",
                "value": "2"
              }
            ],
            "repeated": 0,
            "id": 11565
          },
          {
            "timestamp": "2026-05-28 22:01:58,350",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0002001f",
                "pretty_value": "KEY_READ|KEY_WRITE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000008ec"
              },
              {
                "name": "ObjectAttributesName",
                "value": "{20fe1a3a-af21-413c-8a7b-b7fbf6c9a059}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{20fe1a3a-af21-413c-8a7b-b7fbf6c9a059}"
              }
            ],
            "repeated": 0,
            "id": 11566
          },
          {
            "timestamp": "2026-05-28 22:01:58,350",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f0"
              },
              {
                "name": "ValueName",
                "value": "ProviderType"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{20fe1a3a-af21-413c-8a7b-b7fbf6c9a059}\\ProviderType"
              }
            ],
            "repeated": 0,
            "id": 11567
          },
          {
            "timestamp": "2026-05-28 22:01:58,350",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f0"
              },
              {
                "name": "ValueName",
                "value": "ProviderName"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{20fe1a3a-af21-413c-8a7b-b7fbf6c9a059}\\ProviderName"
              }
            ],
            "repeated": 0,
            "id": 11568
          },
          {
            "timestamp": "2026-05-28 22:01:58,350",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f0"
              },
              {
                "name": "ValueName",
                "value": "ApplicationIdentity"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{20fe1a3a-af21-413c-8a7b-b7fbf6c9a059}\\ApplicationIdentity"
              }
            ],
            "repeated": 0,
            "id": 11569
          },
          {
            "timestamp": "2026-05-28 22:01:58,350",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f0"
              },
              {
                "name": "ValueName",
                "value": "ApplicationIdentity"
              },
              {
                "name": "Type",
                "value": "2",
                "pretty_value": "REG_EXPAND_SZ"
              },
              {
                "name": "Information",
                "value": "WsmRes.dll"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{20fe1a3a-af21-413c-8a7b-b7fbf6c9a059}\\ApplicationIdentity"
              }
            ],
            "repeated": 0,
            "id": 11570
          },
          {
            "timestamp": "2026-05-28 22:01:58,350",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtEnumerateKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f0"
              },
              {
                "name": "Index",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 11571
          },
          {
            "timestamp": "2026-05-28 22:01:58,350",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0002001f",
                "pretty_value": "KEY_READ|KEY_WRITE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000008f0"
              },
              {
                "name": "ObjectAttributesName",
                "value": "{8a922684-7993-4b38-9929-b7366f01ec4a}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{20fe1a3a-af21-413c-8a7b-b7fbf6c9a059}\\{8a922684-7993-4b38-9929-b7366f01ec4a}"
              }
            ],
            "repeated": 0,
            "id": 11572
          },
          {
            "timestamp": "2026-05-28 22:01:58,350",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f4"
              },
              {
                "name": "ValueName",
                "value": "InstanceType"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "2"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{20fe1a3a-af21-413c-8a7b-b7fbf6c9a059}\\{8a922684-7993-4b38-9929-b7366f01ec4a}\\InstanceType"
              }
            ],
            "repeated": 0,
            "id": 11573
          },
          {
            "timestamp": "2026-05-28 22:01:58,350",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f4"
              },
              {
                "name": "ValueName",
                "value": "NameResource"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "1"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{20fe1a3a-af21-413c-8a7b-b7fbf6c9a059}\\{8a922684-7993-4b38-9929-b7366f01ec4a}\\NameResource"
              }
            ],
            "repeated": 0,
            "id": 11574
          },
          {
            "timestamp": "2026-05-28 22:01:58,350",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f4"
              },
              {
                "name": "ValueName",
                "value": "ExplainResource"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "3"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{20fe1a3a-af21-413c-8a7b-b7fbf6c9a059}\\{8a922684-7993-4b38-9929-b7366f01ec4a}\\ExplainResource"
              }
            ],
            "repeated": 0,
            "id": 11575
          },
          {
            "timestamp": "2026-05-28 22:01:58,350",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f4"
              },
              {
                "name": "ValueName",
                "value": "First Counter"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "3432"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{20fe1a3a-af21-413c-8a7b-b7fbf6c9a059}\\{8a922684-7993-4b38-9929-b7366f01ec4a}\\First Counter"
              }
            ],
            "repeated": 0,
            "id": 11576
          },
          {
            "timestamp": "2026-05-28 22:01:58,350",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f4"
              },
              {
                "name": "ValueName",
                "value": "Last Counter"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "3446"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{20fe1a3a-af21-413c-8a7b-b7fbf6c9a059}\\{8a922684-7993-4b38-9929-b7366f01ec4a}\\Last Counter"
              }
            ],
            "repeated": 0,
            "id": 11577
          },
          {
            "timestamp": "2026-05-28 22:01:58,350",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f4"
              },
              {
                "name": "ValueName",
                "value": "CounterBlock"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{20fe1a3a-af21-413c-8a7b-b7fbf6c9a059}\\{8a922684-7993-4b38-9929-b7366f01ec4a}\\CounterBlock"
              }
            ],
            "repeated": 0,
            "id": 11578
          },
          {
            "timestamp": "2026-05-28 22:01:58,350",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f4"
              },
              {
                "name": "ValueName",
                "value": "CounterBlock"
              },
              {
                "name": "Type",
                "value": "3",
                "pretty_value": "REG_BINARY"
              },
              {
                "name": "Information",
                "value": "\\x01\\x00\\x00\\x00\\x00\\x04A\\x10\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00d\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x05\\x00\\x00\\x00\\x07\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x04A\\x10\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00d\\x00\\x00\\x00\\x00\\x00\\x00\\x00\t\\x00\\x00\\x00\\x0b\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x00\\x04A\\x10\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00d\\x00\\x00\\x00\\x00\\x00\\x00\\x00\r\\x00\\x00\\x00\\x0f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00d\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x11\\x00\\x00\\x00\\x13\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x00\\x05\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00d\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x15\\x00\\x00\\x00\\x17\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x00\\x06\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00d\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x19\\x00\\x00\\x00\\x1b\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x00\\x07\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00d\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x1d\\x00\\x00\\x00\\x1f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x00"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{20fe1a3a-af21-413c-8a7b-b7fbf6c9a059}\\{8a922684-7993-4b38-9929-b7366f01ec4a}\\CounterBlock"
              }
            ],
            "repeated": 0,
            "id": 11579
          },
          {
            "timestamp": "2026-05-28 22:01:58,350",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f4"
              },
              {
                "name": "ValueName",
                "value": "CounterCount"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "7"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{20fe1a3a-af21-413c-8a7b-b7fbf6c9a059}\\{8a922684-7993-4b38-9929-b7366f01ec4a}\\CounterCount"
              }
            ],
            "repeated": 0,
            "id": 11580
          },
          {
            "timestamp": "2026-05-28 22:01:58,350",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000008f4"
              }
            ],
            "repeated": 0,
            "id": 11581
          },
          {
            "timestamp": "2026-05-28 22:01:58,350",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtEnumerateKey",
            "status": false,
            "return": "0xffffffff8000001a",
            "pretty_return": "NO_MORE_ENTRIES",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f0"
              },
              {
                "name": "Index",
                "value": "1"
              }
            ],
            "repeated": 0,
            "id": 11582
          },
          {
            "timestamp": "2026-05-28 22:01:58,350",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000008f0"
              }
            ],
            "repeated": 0,
            "id": 11583
          },
          {
            "timestamp": "2026-05-28 22:01:58,350",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtEnumerateKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008ec"
              },
              {
                "name": "Index",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 11584
          },
          {
            "timestamp": "2026-05-28 22:01:58,350",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0002001f",
                "pretty_value": "KEY_READ|KEY_WRITE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000008ec"
              },
              {
                "name": "ObjectAttributesName",
                "value": "{2538387c-08b7-44b8-86d3-47f59cf6d056}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{2538387c-08b7-44b8-86d3-47f59cf6d056}"
              }
            ],
            "repeated": 0,
            "id": 11585
          },
          {
            "timestamp": "2026-05-28 22:01:58,350",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f0"
              },
              {
                "name": "ValueName",
                "value": "ProviderType"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{2538387c-08b7-44b8-86d3-47f59cf6d056}\\ProviderType"
              }
            ],
            "repeated": 0,
            "id": 11586
          },
          {
            "timestamp": "2026-05-28 22:01:58,350",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f0"
              },
              {
                "name": "ValueName",
                "value": "ProviderName"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{2538387c-08b7-44b8-86d3-47f59cf6d056}\\ProviderName"
              }
            ],
            "repeated": 0,
            "id": 11587
          },
          {
            "timestamp": "2026-05-28 22:01:58,350",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f0"
              },
              {
                "name": "ValueName",
                "value": "ProviderName"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "Information",
                "value": "PeerDistSvc"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{2538387c-08b7-44b8-86d3-47f59cf6d056}\\ProviderName"
              }
            ],
            "repeated": 0,
            "id": 11588
          },
          {
            "timestamp": "2026-05-28 22:01:58,350",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f0"
              },
              {
                "name": "ValueName",
                "value": "ApplicationIdentity"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{2538387c-08b7-44b8-86d3-47f59cf6d056}\\ApplicationIdentity"
              }
            ],
            "repeated": 0,
            "id": 11589
          },
          {
            "timestamp": "2026-05-28 22:01:58,350",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f0"
              },
              {
                "name": "ValueName",
                "value": "ApplicationIdentity"
              },
              {
                "name": "Type",
                "value": "2",
                "pretty_value": "REG_EXPAND_SZ"
              },
              {
                "name": "Information",
                "value": "PeerDistSvc.dll"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{2538387c-08b7-44b8-86d3-47f59cf6d056}\\ApplicationIdentity"
              }
            ],
            "repeated": 0,
            "id": 11590
          },
          {
            "timestamp": "2026-05-28 22:01:58,350",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtEnumerateKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f0"
              },
              {
                "name": "Index",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 11591
          },
          {
            "timestamp": "2026-05-28 22:01:58,350",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0002001f",
                "pretty_value": "KEY_READ|KEY_WRITE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000008f0"
              },
              {
                "name": "ObjectAttributesName",
                "value": "{2538387c-08b7-44b8-86d3-47f59cf6d057}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{2538387c-08b7-44b8-86d3-47f59cf6d056}\\{2538387c-08b7-44b8-86d3-47f59cf6d057}"
              }
            ],
            "repeated": 0,
            "id": 11592
          },
          {
            "timestamp": "2026-05-28 22:01:58,350",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f4"
              },
              {
                "name": "ValueName",
                "value": "InstanceType"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{2538387c-08b7-44b8-86d3-47f59cf6d056}\\{2538387c-08b7-44b8-86d3-47f59cf6d057}\\InstanceType"
              }
            ],
            "repeated": 0,
            "id": 11593
          },
          {
            "timestamp": "2026-05-28 22:01:58,350",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f4"
              },
              {
                "name": "ValueName",
                "value": "NameResource"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "1"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{2538387c-08b7-44b8-86d3-47f59cf6d056}\\{2538387c-08b7-44b8-86d3-47f59cf6d057}\\NameResource"
              }
            ],
            "repeated": 0,
            "id": 11594
          },
          {
            "timestamp": "2026-05-28 22:01:58,350",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f4"
              },
              {
                "name": "ValueName",
                "value": "ExplainResource"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "3"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{2538387c-08b7-44b8-86d3-47f59cf6d056}\\{2538387c-08b7-44b8-86d3-47f59cf6d057}\\ExplainResource"
              }
            ],
            "repeated": 0,
            "id": 11595
          },
          {
            "timestamp": "2026-05-28 22:01:58,350",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f4"
              },
              {
                "name": "ValueName",
                "value": "First Counter"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "9568"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{2538387c-08b7-44b8-86d3-47f59cf6d056}\\{2538387c-08b7-44b8-86d3-47f59cf6d057}\\First Counter"
              }
            ],
            "repeated": 0,
            "id": 11596
          },
          {
            "timestamp": "2026-05-28 22:01:58,350",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f4"
              },
              {
                "name": "ValueName",
                "value": "Last Counter"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "9614"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{2538387c-08b7-44b8-86d3-47f59cf6d056}\\{2538387c-08b7-44b8-86d3-47f59cf6d057}\\Last Counter"
              }
            ],
            "repeated": 0,
            "id": 11597
          },
          {
            "timestamp": "2026-05-28 22:01:58,350",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f4"
              },
              {
                "name": "ValueName",
                "value": "CounterBlock"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{2538387c-08b7-44b8-86d3-47f59cf6d056}\\{2538387c-08b7-44b8-86d3-47f59cf6d057}\\CounterBlock"
              }
            ],
            "repeated": 0,
            "id": 11598
          },
          {
            "timestamp": "2026-05-28 22:01:58,350",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f4"
              },
              {
                "name": "ValueName",
                "value": "CounterBlock"
              },
              {
                "name": "Type",
                "value": "3",
                "pretty_value": "REG_BINARY"
              },
              {
                "name": "Information",
                "value": "\\x01\\x00\\x00\\x00\\x00\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00d\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x05\\x00\\x00\\x00\\x07\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00d\\x00\\x00\\x00\\x00\\x00\\x00\\x00\t\\x00\\x00\\x00\\x0b\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x00\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00d\\x00\\x00\\x00\\x00\\x00\\x00\\x00\r\\x00\\x00\\x00\\x0f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00d\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x11\\x00\\x00\\x00\\x13\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x00\\x05\\x00\\x00\\x00\\x00\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00d\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x15\\x00\\x00\\x00\\x17\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x00\\x06\\x00\\x00\\x00\\x00\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00d\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x19\\x00\\x00\\x00\\x1b\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x00\\x07\\x00\\x00\\x00\\x00\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00d\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x1d\\x00\\x00\\x00\\x1f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x01\\x01\\x00\\x00\\x
00\\x00\\x00\\x00\\x00\\x00\\x00d\\x00\\x00\\x00\\x00\\x00\\x00\\x00!\\x00\\x00\\x00#\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x00\t\\x00\\x00\\x00\\x00\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00d\\x00\\x00\\x00\\x00\\x00\\x00\\x00%\\x00\\x00\\x00'\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x00\n\\x00\\x00\\x00\\x00\\x01\\x01\\x00"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{2538387c-08b7-44b8-86d3-47f59cf6d056}\\{2538387c-08b7-44b8-86d3-47f59cf6d057}\\CounterBlock"
              }
            ],
            "repeated": 0,
            "id": 11599
          },
          {
            "timestamp": "2026-05-28 22:01:58,350",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f4"
              },
              {
                "name": "ValueName",
                "value": "CounterCount"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "23"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{2538387c-08b7-44b8-86d3-47f59cf6d056}\\{2538387c-08b7-44b8-86d3-47f59cf6d057}\\CounterCount"
              }
            ],
            "repeated": 0,
            "id": 11600
          },
          {
            "timestamp": "2026-05-28 22:01:58,350",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000008f4"
              }
            ],
            "repeated": 0,
            "id": 11601
          },
          {
            "timestamp": "2026-05-28 22:01:58,350",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtEnumerateKey",
            "status": false,
            "return": "0xffffffff8000001a",
            "pretty_return": "NO_MORE_ENTRIES",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f0"
              },
              {
                "name": "Index",
                "value": "1"
              }
            ],
            "repeated": 0,
            "id": 11602
          },
          {
            "timestamp": "2026-05-28 22:01:58,350",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000008f0"
              }
            ],
            "repeated": 0,
            "id": 11603
          },
          {
            "timestamp": "2026-05-28 22:01:58,350",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtEnumerateKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008ec"
              },
              {
                "name": "Index",
                "value": "4"
              }
            ],
            "repeated": 0,
            "id": 11604
          },
          {
            "timestamp": "2026-05-28 22:01:58,350",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0002001f",
                "pretty_value": "KEY_READ|KEY_WRITE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000008ec"
              },
              {
                "name": "ObjectAttributesName",
                "value": "{2a32a3f9-ee0c-40ff-8a75-e1e747d15b1f}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{2a32a3f9-ee0c-40ff-8a75-e1e747d15b1f}"
              }
            ],
            "repeated": 0,
            "id": 11605
          },
          {
            "timestamp": "2026-05-28 22:01:58,350",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f0"
              },
              {
                "name": "ValueName",
                "value": "ProviderType"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{2a32a3f9-ee0c-40ff-8a75-e1e747d15b1f}\\ProviderType"
              }
            ],
            "repeated": 0,
            "id": 11606
          },
          {
            "timestamp": "2026-05-28 22:01:58,350",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f0"
              },
              {
                "name": "ValueName",
                "value": "ProviderName"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{2a32a3f9-ee0c-40ff-8a75-e1e747d15b1f}\\ProviderName"
              }
            ],
            "repeated": 0,
            "id": 11607
          },
          {
            "timestamp": "2026-05-28 22:01:58,350",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f0"
              },
              {
                "name": "ValueName",
                "value": "ApplicationIdentity"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{2a32a3f9-ee0c-40ff-8a75-e1e747d15b1f}\\ApplicationIdentity"
              }
            ],
            "repeated": 0,
            "id": 11608
          },
          {
            "timestamp": "2026-05-28 22:01:58,350",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f0"
              },
              {
                "name": "ValueName",
                "value": "ApplicationIdentity"
              },
              {
                "name": "Type",
                "value": "2",
                "pretty_value": "REG_EXPAND_SZ"
              },
              {
                "name": "Information",
                "value": "%SystemRoot%\\System32\\wevtsvc.dll"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{2a32a3f9-ee0c-40ff-8a75-e1e747d15b1f}\\ApplicationIdentity"
              }
            ],
            "repeated": 0,
            "id": 11609
          },
          {
            "timestamp": "2026-05-28 22:01:58,350",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtEnumerateKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f0"
              },
              {
                "name": "Index",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 11610
          },
          {
            "timestamp": "2026-05-28 22:01:58,350",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0002001f",
                "pretty_value": "KEY_READ|KEY_WRITE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000008f0"
              },
              {
                "name": "ObjectAttributesName",
                "value": "{d11168c5-9f29-43bc-9269-0548637a62b0}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{2a32a3f9-ee0c-40ff-8a75-e1e747d15b1f}\\{d11168c5-9f29-43bc-9269-0548637a62b0}"
              }
            ],
            "repeated": 0,
            "id": 11611
          },
          {
            "timestamp": "2026-05-28 22:01:58,350",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f4"
              },
              {
                "name": "ValueName",
                "value": "InstanceType"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{2a32a3f9-ee0c-40ff-8a75-e1e747d15b1f}\\{d11168c5-9f29-43bc-9269-0548637a62b0}\\InstanceType"
              }
            ],
            "repeated": 0,
            "id": 11612
          },
          {
            "timestamp": "2026-05-28 22:01:58,350",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f4"
              },
              {
                "name": "ValueName",
                "value": "NameResource"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "102"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{2a32a3f9-ee0c-40ff-8a75-e1e747d15b1f}\\{d11168c5-9f29-43bc-9269-0548637a62b0}\\NameResource"
              }
            ],
            "repeated": 0,
            "id": 11613
          },
          {
            "timestamp": "2026-05-28 22:01:58,350",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f4"
              },
              {
                "name": "ValueName",
                "value": "ExplainResource"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "100"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{2a32a3f9-ee0c-40ff-8a75-e1e747d15b1f}\\{d11168c5-9f29-43bc-9269-0548637a62b0}\\ExplainResource"
              }
            ],
            "repeated": 0,
            "id": 11614
          },
          {
            "timestamp": "2026-05-28 22:01:58,350",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f4"
              },
              {
                "name": "ValueName",
                "value": "First Counter"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "4006"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{2a32a3f9-ee0c-40ff-8a75-e1e747d15b1f}\\{d11168c5-9f29-43bc-9269-0548637a62b0}\\First Counter"
              }
            ],
            "repeated": 0,
            "id": 11615
          },
          {
            "timestamp": "2026-05-28 22:01:58,350",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f4"
              },
              {
                "name": "ValueName",
                "value": "Last Counter"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "4018"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{2a32a3f9-ee0c-40ff-8a75-e1e747d15b1f}\\{d11168c5-9f29-43bc-9269-0548637a62b0}\\Last Counter"
              }
            ],
            "repeated": 0,
            "id": 11616
          },
          {
            "timestamp": "2026-05-28 22:01:58,350",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f4"
              },
              {
                "name": "ValueName",
                "value": "CounterBlock"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{2a32a3f9-ee0c-40ff-8a75-e1e747d15b1f}\\{d11168c5-9f29-43bc-9269-0548637a62b0}\\CounterBlock"
              }
            ],
            "repeated": 0,
            "id": 11617
          },
          {
            "timestamp": "2026-05-28 22:01:58,350",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f4"
              },
              {
                "name": "ValueName",
                "value": "CounterBlock"
              },
              {
                "name": "Type",
                "value": "3",
                "pretty_value": "REG_BINARY"
              },
              {
                "name": "Information",
                "value": "\\x01\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00d\\x00\\x00\\x00\\x00\\x00\\x00\\x00j\\x00\\x00\\x00h\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x05A\\x10\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00d\\x00\\x00\\x00\\x00\\x00\\x00\\x00n\\x00\\x00\\x00l\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x00\\x05A\\x10\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00d\\x00\\x00\\x00\\x00\\x00\\x00\\x00z\\x00\\x00\\x00x\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x05A\\x10\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00d\\x00\\x00\\x00\\x00\\x00\\x00\\x00r\\x00\\x00\\x00p\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x00\\x05\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00d\\x00\\x00\\x00\\x00\\x00\\x00\\x00v\\x00\\x00\\x00t\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x00\\x06\\x00\\x00\\x00\\x00\\x05A\\x10\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00d\\x00\\x00\\x00\\x00\\x00\\x00\\x00~\\x00\\x00\\x00|\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x00"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{2a32a3f9-ee0c-40ff-8a75-e1e747d15b1f}\\{d11168c5-9f29-43bc-9269-0548637a62b0}\\CounterBlock"
              }
            ],
            "repeated": 0,
            "id": 11618
          },
          {
            "timestamp": "2026-05-28 22:01:58,350",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f4"
              },
              {
                "name": "ValueName",
                "value": "CounterCount"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "6"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{2a32a3f9-ee0c-40ff-8a75-e1e747d15b1f}\\{d11168c5-9f29-43bc-9269-0548637a62b0}\\CounterCount"
              }
            ],
            "repeated": 0,
            "id": 11619
          },
          {
            "timestamp": "2026-05-28 22:01:58,350",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000008f4"
              }
            ],
            "repeated": 0,
            "id": 11620
          },
          {
            "timestamp": "2026-05-28 22:01:58,350",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtEnumerateKey",
            "status": false,
            "return": "0xffffffff8000001a",
            "pretty_return": "NO_MORE_ENTRIES",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f0"
              },
              {
                "name": "Index",
                "value": "1"
              }
            ],
            "repeated": 0,
            "id": 11621
          },
          {
            "timestamp": "2026-05-28 22:01:58,350",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000008f0"
              }
            ],
            "repeated": 0,
            "id": 11622
          },
          {
            "timestamp": "2026-05-28 22:01:58,350",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtEnumerateKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008ec"
              },
              {
                "name": "Index",
                "value": "5"
              }
            ],
            "repeated": 0,
            "id": 11623
          },
          {
            "timestamp": "2026-05-28 22:01:58,350",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0002001f",
                "pretty_value": "KEY_READ|KEY_WRITE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000008ec"
              },
              {
                "name": "ObjectAttributesName",
                "value": "{2ccb0d8d-ea94-4235-986b-c97f61f63969}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{2ccb0d8d-ea94-4235-986b-c97f61f63969}"
              }
            ],
            "repeated": 0,
            "id": 11624
          },
          {
            "timestamp": "2026-05-28 22:01:58,350",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f0"
              },
              {
                "name": "ValueName",
                "value": "ProviderType"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "1"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{2ccb0d8d-ea94-4235-986b-c97f61f63969}\\ProviderType"
              }
            ],
            "repeated": 0,
            "id": 11625
          },
          {
            "timestamp": "2026-05-28 22:01:58,350",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f0"
              },
              {
                "name": "ValueName",
                "value": "ProviderName"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{2ccb0d8d-ea94-4235-986b-c97f61f63969}\\ProviderName"
              }
            ],
            "repeated": 0,
            "id": 11626
          },
          {
            "timestamp": "2026-05-28 22:01:58,350",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f0"
              },
              {
                "name": "ValueName",
                "value": "ApplicationIdentity"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{2ccb0d8d-ea94-4235-986b-c97f61f63969}\\ApplicationIdentity"
              }
            ],
            "repeated": 0,
            "id": 11627
          },
          {
            "timestamp": "2026-05-28 22:01:58,350",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f0"
              },
              {
                "name": "ValueName",
                "value": "ApplicationIdentity"
              },
              {
                "name": "Type",
                "value": "2",
                "pretty_value": "REG_EXPAND_SZ"
              },
              {
                "name": "Information",
                "value": "%SystemRoot%\\system32\\drivers\\tcpip.sys"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{2ccb0d8d-ea94-4235-986b-c97f61f63969}\\ApplicationIdentity"
              }
            ],
            "repeated": 0,
            "id": 11628
          },
          {
            "timestamp": "2026-05-28 22:01:58,350",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtEnumerateKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f0"
              },
              {
                "name": "Index",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 11629
          },
          {
            "timestamp": "2026-05-28 22:01:58,350",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0002001f",
                "pretty_value": "KEY_READ|KEY_WRITE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000008f0"
              },
              {
                "name": "ObjectAttributesName",
                "value": "{ef82017e-50e2-4ca2-b9ec-b9895ab70e08}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{2ccb0d8d-ea94-4235-986b-c97f61f63969}\\{ef82017e-50e2-4ca2-b9ec-b9895ab70e08}"
              }
            ],
            "repeated": 0,
            "id": 11630
          },
          {
            "timestamp": "2026-05-28 22:01:58,350",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f4"
              },
              {
                "name": "ValueName",
                "value": "InstanceType"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "2"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{2ccb0d8d-ea94-4235-986b-c97f61f63969}\\{ef82017e-50e2-4ca2-b9ec-b9895ab70e08}\\InstanceType"
              }
            ],
            "repeated": 0,
            "id": 11631
          },
          {
            "timestamp": "2026-05-28 22:01:58,350",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f4"
              },
              {
                "name": "ValueName",
                "value": "NameResource"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "2000"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{2ccb0d8d-ea94-4235-986b-c97f61f63969}\\{ef82017e-50e2-4ca2-b9ec-b9895ab70e08}\\NameResource"
              }
            ],
            "repeated": 0,
            "id": 11632
          },
          {
            "timestamp": "2026-05-28 22:01:58,350",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f4"
              },
              {
                "name": "ValueName",
                "value": "ExplainResource"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "2002"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{2ccb0d8d-ea94-4235-986b-c97f61f63969}\\{ef82017e-50e2-4ca2-b9ec-b9895ab70e08}\\ExplainResource"
              }
            ],
            "repeated": 0,
            "id": 11633
          },
          {
            "timestamp": "2026-05-28 22:01:58,350",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f4"
              },
              {
                "name": "ValueName",
                "value": "First Counter"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "5484"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{2ccb0d8d-ea94-4235-986b-c97f61f63969}\\{ef82017e-50e2-4ca2-b9ec-b9895ab70e08}\\First Counter"
              }
            ],
            "repeated": 0,
            "id": 11634
          },
          {
            "timestamp": "2026-05-28 22:01:58,350",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f4"
              },
              {
                "name": "ValueName",
                "value": "Last Counter"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "5496"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{2ccb0d8d-ea94-4235-986b-c97f61f63969}\\{ef82017e-50e2-4ca2-b9ec-b9895ab70e08}\\Last Counter"
              }
            ],
            "repeated": 0,
            "id": 11635
          },
          {
            "timestamp": "2026-05-28 22:01:58,350",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f4"
              },
              {
                "name": "ValueName",
                "value": "NeutralName"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{2ccb0d8d-ea94-4235-986b-c97f61f63969}\\{ef82017e-50e2-4ca2-b9ec-b9895ab70e08}\\NeutralName"
              }
            ],
            "repeated": 0,
            "id": 11636
          },
          {
            "timestamp": "2026-05-28 22:01:58,350",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f4"
              },
              {
                "name": "ValueName",
                "value": "NeutralName"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "Information",
                "value": "Network QoS Policy"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{2ccb0d8d-ea94-4235-986b-c97f61f63969}\\{ef82017e-50e2-4ca2-b9ec-b9895ab70e08}\\NeutralName"
              }
            ],
            "repeated": 0,
            "id": 11637
          },
          {
            "timestamp": "2026-05-28 22:01:58,350",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f4"
              },
              {
                "name": "ValueName",
                "value": "CounterBlock"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{2ccb0d8d-ea94-4235-986b-c97f61f63969}\\{ef82017e-50e2-4ca2-b9ec-b9895ab70e08}\\CounterBlock"
              }
            ],
            "repeated": 0,
            "id": 11638
          },
          {
            "timestamp": "2026-05-28 22:01:58,350",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f4"
              },
              {
                "name": "ValueName",
                "value": "CounterBlock"
              },
              {
                "name": "Type",
                "value": "3",
                "pretty_value": "REG_BINARY"
              },
              {
                "name": "Information",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00d\\x00\\x00\\x00\\xfd\\xff\\xff\\xff\\xd4\\x07\\x00\\x00\\xd6\\x07\\x00\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x04A\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00d\\x00\\x00\\x00\\xfd\\xff\\xff\\xff\\xd8\\x07\\x00\\x00\\xda\\x07\\x00\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00d\\x00\\x00\\x00\\xfa\\xff\\xff\\xff\\xdc\\x07\\x00\\x00\\xde\\x07\\x00\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x00\\x05A\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00d\\x00\\x00\\x00\\xfd\\xff\\xff\\xff\\xe0\\x07\\x00\\x00\\xe2\\x07\\x00\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00d\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xe4\\x07\\x00\\x00\\xe6\\x07\\x00\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x00\\x05\\x00\\x00\\x00\\x00\\x04A\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00d\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xe8\\x07\\x00\\x00\\xea\\x07\\x00\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x00"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{2ccb0d8d-ea94-4235-986b-c97f61f63969}\\{ef82017e-50e2-4ca2-b9ec-b9895ab70e08}\\CounterBlock"
              }
            ],
            "repeated": 0,
            "id": 11639
          },
          {
            "timestamp": "2026-05-28 22:01:58,350",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f4"
              },
              {
                "name": "ValueName",
                "value": "CounterCount"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "6"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{2ccb0d8d-ea94-4235-986b-c97f61f63969}\\{ef82017e-50e2-4ca2-b9ec-b9895ab70e08}\\CounterCount"
              }
            ],
            "repeated": 0,
            "id": 11640
          },
          {
            "timestamp": "2026-05-28 22:01:58,350",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000008f4"
              }
            ],
            "repeated": 0,
            "id": 11641
          },
          {
            "timestamp": "2026-05-28 22:01:58,350",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtEnumerateKey",
            "status": false,
            "return": "0xffffffff8000001a",
            "pretty_return": "NO_MORE_ENTRIES",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f0"
              },
              {
                "name": "Index",
                "value": "1"
              }
            ],
            "repeated": 0,
            "id": 11642
          },
          {
            "timestamp": "2026-05-28 22:01:58,350",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000008f0"
              }
            ],
            "repeated": 0,
            "id": 11643
          },
          {
            "timestamp": "2026-05-28 22:01:58,350",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtEnumerateKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008ec"
              },
              {
                "name": "Index",
                "value": "6"
              }
            ],
            "repeated": 0,
            "id": 11644
          },
          {
            "timestamp": "2026-05-28 22:01:58,350",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0002001f",
                "pretty_value": "KEY_READ|KEY_WRITE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000008ec"
              },
              {
                "name": "ObjectAttributesName",
                "value": "{2ea0b998-e7e8-41c6-8abc-093083ea21d7}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{2ea0b998-e7e8-41c6-8abc-093083ea21d7}"
              }
            ],
            "repeated": 0,
            "id": 11645
          },
          {
            "timestamp": "2026-05-28 22:01:58,350",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f0"
              },
              {
                "name": "ValueName",
                "value": "ProviderType"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{2ea0b998-e7e8-41c6-8abc-093083ea21d7}\\ProviderType"
              }
            ],
            "repeated": 0,
            "id": 11646
          },
          {
            "timestamp": "2026-05-28 22:01:58,350",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f0"
              },
              {
                "name": "ValueName",
                "value": "ProviderName"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{2ea0b998-e7e8-41c6-8abc-093083ea21d7}\\ProviderName"
              }
            ],
            "repeated": 0,
            "id": 11647
          },
          {
            "timestamp": "2026-05-28 22:01:58,350",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f0"
              },
              {
                "name": "ValueName",
                "value": "ApplicationIdentity"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{2ea0b998-e7e8-41c6-8abc-093083ea21d7}\\ApplicationIdentity"
              }
            ],
            "repeated": 0,
            "id": 11648
          },
          {
            "timestamp": "2026-05-28 22:01:58,350",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f0"
              },
              {
                "name": "ValueName",
                "value": "ApplicationIdentity"
              },
              {
                "name": "Type",
                "value": "2",
                "pretty_value": "REG_EXPAND_SZ"
              },
              {
                "name": "Information",
                "value": "%windir%\\system32\\appvetwclientres.dll"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{2ea0b998-e7e8-41c6-8abc-093083ea21d7}\\ApplicationIdentity"
              }
            ],
            "repeated": 0,
            "id": 11649
          },
          {
            "timestamp": "2026-05-28 22:01:58,350",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtEnumerateKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f0"
              },
              {
                "name": "Index",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 11650
          },
          {
            "timestamp": "2026-05-28 22:01:58,350",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0002001f",
                "pretty_value": "KEY_READ|KEY_WRITE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000008f0"
              },
              {
                "name": "ObjectAttributesName",
                "value": "{687d8f80-ffea-4de5-a41f-3e1c83378839}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{2ea0b998-e7e8-41c6-8abc-093083ea21d7}\\{687d8f80-ffea-4de5-a41f-3e1c83378839}"
              }
            ],
            "repeated": 0,
            "id": 11651
          },
          {
            "timestamp": "2026-05-28 22:01:58,350",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f4"
              },
              {
                "name": "ValueName",
                "value": "InstanceType"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "2"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{2ea0b998-e7e8-41c6-8abc-093083ea21d7}\\{687d8f80-ffea-4de5-a41f-3e1c83378839}\\InstanceType"
              }
            ],
            "repeated": 0,
            "id": 11652
          },
          {
            "timestamp": "2026-05-28 22:01:58,350",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f4"
              },
              {
                "name": "ValueName",
                "value": "NameResource"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "102"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{2ea0b998-e7e8-41c6-8abc-093083ea21d7}\\{687d8f80-ffea-4de5-a41f-3e1c83378839}\\NameResource"
              }
            ],
            "repeated": 0,
            "id": 11653
          },
          {
            "timestamp": "2026-05-28 22:01:58,350",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f4"
              },
              {
                "name": "ValueName",
                "value": "ExplainResource"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "100"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{2ea0b998-e7e8-41c6-8abc-093083ea21d7}\\{687d8f80-ffea-4de5-a41f-3e1c83378839}\\ExplainResource"
              }
            ],
            "repeated": 0,
            "id": 11654
          },
          {
            "timestamp": "2026-05-28 22:01:58,350",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f4"
              },
              {
                "name": "ValueName",
                "value": "First Counter"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "9504"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{2ea0b998-e7e8-41c6-8abc-093083ea21d7}\\{687d8f80-ffea-4de5-a41f-3e1c83378839}\\First Counter"
              }
            ],
            "repeated": 0,
            "id": 11655
          },
          {
            "timestamp": "2026-05-28 22:01:58,350",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f4"
              },
              {
                "name": "ValueName",
                "value": "Last Counter"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "9506"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{2ea0b998-e7e8-41c6-8abc-093083ea21d7}\\{687d8f80-ffea-4de5-a41f-3e1c83378839}\\Last Counter"
              }
            ],
            "repeated": 0,
            "id": 11656
          },
          {
            "timestamp": "2026-05-28 22:01:58,350",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f4"
              },
              {
                "name": "ValueName",
                "value": "CounterBlock"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{2ea0b998-e7e8-41c6-8abc-093083ea21d7}\\{687d8f80-ffea-4de5-a41f-3e1c83378839}\\CounterBlock"
              }
            ],
            "repeated": 0,
            "id": 11657
          },
          {
            "timestamp": "2026-05-28 22:01:58,350",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f4"
              },
              {
                "name": "ValueName",
                "value": "CounterBlock"
              },
              {
                "name": "Type",
                "value": "3",
                "pretty_value": "REG_BINARY"
              },
              {
                "name": "Information",
                "value": "\\x02\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00d\\x00\\x00\\x00\\x01\\x00\\x00\\x00j\\x00\\x00\\x00h\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x00"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{2ea0b998-e7e8-41c6-8abc-093083ea21d7}\\{687d8f80-ffea-4de5-a41f-3e1c83378839}\\CounterBlock"
              }
            ],
            "repeated": 0,
            "id": 11658
          },
          {
            "timestamp": "2026-05-28 22:01:58,350",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f4"
              },
              {
                "name": "ValueName",
                "value": "CounterCount"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "1"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{2ea0b998-e7e8-41c6-8abc-093083ea21d7}\\{687d8f80-ffea-4de5-a41f-3e1c83378839}\\CounterCount"
              }
            ],
            "repeated": 0,
            "id": 11659
          },
          {
            "timestamp": "2026-05-28 22:01:58,350",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000008f4"
              }
            ],
            "repeated": 0,
            "id": 11660
          },
          {
            "timestamp": "2026-05-28 22:01:58,350",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtEnumerateKey",
            "status": false,
            "return": "0xffffffff8000001a",
            "pretty_return": "NO_MORE_ENTRIES",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f0"
              },
              {
                "name": "Index",
                "value": "1"
              }
            ],
            "repeated": 0,
            "id": 11661
          },
          {
            "timestamp": "2026-05-28 22:01:58,350",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000008f0"
              }
            ],
            "repeated": 0,
            "id": 11662
          },
          {
            "timestamp": "2026-05-28 22:01:58,350",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtEnumerateKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008ec"
              },
              {
                "name": "Index",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 11663
          },
          {
            "timestamp": "2026-05-28 22:01:58,350",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0002001f",
                "pretty_value": "KEY_READ|KEY_WRITE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000008ec"
              },
              {
                "name": "ObjectAttributesName",
                "value": "{31a5ebe2-c765-490a-937c-b0ab2787fe15}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{31a5ebe2-c765-490a-937c-b0ab2787fe15}"
              }
            ],
            "repeated": 0,
            "id": 11664
          },
          {
            "timestamp": "2026-05-28 22:01:58,350",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f0"
              },
              {
                "name": "ValueName",
                "value": "ProviderType"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "1"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{31a5ebe2-c765-490a-937c-b0ab2787fe15}\\ProviderType"
              }
            ],
            "repeated": 0,
            "id": 11665
          },
          {
            "timestamp": "2026-05-28 22:01:58,350",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f0"
              },
              {
                "name": "ValueName",
                "value": "ProviderName"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{31a5ebe2-c765-490a-937c-b0ab2787fe15}\\ProviderName"
              }
            ],
            "repeated": 0,
            "id": 11666
          },
          {
            "timestamp": "2026-05-28 22:01:58,350",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f0"
              },
              {
                "name": "ValueName",
                "value": "ApplicationIdentity"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{31a5ebe2-c765-490a-937c-b0ab2787fe15}\\ApplicationIdentity"
              }
            ],
            "repeated": 0,
            "id": 11667
          },
          {
            "timestamp": "2026-05-28 22:01:58,350",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f0"
              },
              {
                "name": "ValueName",
                "value": "ApplicationIdentity"
              },
              {
                "name": "Type",
                "value": "2",
                "pretty_value": "REG_EXPAND_SZ"
              },
              {
                "name": "Information",
                "value": "%systemroot%\\system32\\drivers\\mrxsmb.sys"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{31a5ebe2-c765-490a-937c-b0ab2787fe15}\\ApplicationIdentity"
              }
            ],
            "repeated": 0,
            "id": 11668
          },
          {
            "timestamp": "2026-05-28 22:01:58,350",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtEnumerateKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f0"
              },
              {
                "name": "Index",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 11669
          },
          {
            "timestamp": "2026-05-28 22:01:58,350",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0002001f",
                "pretty_value": "KEY_READ|KEY_WRITE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000008f0"
              },
              {
                "name": "ObjectAttributesName",
                "value": "{c73dfef0-11b8-4a3f-a1ad-0dcbbc5186ef}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{31a5ebe2-c765-490a-937c-b0ab2787fe15}\\{c73dfef0-11b8-4a3f-a1ad-0dcbbc5186ef}"
              }
            ],
            "repeated": 0,
            "id": 11670
          },
          {
            "timestamp": "2026-05-28 22:01:58,350",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f4"
              },
              {
                "name": "ValueName",
                "value": "InstanceType"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "6"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{31a5ebe2-c765-490a-937c-b0ab2787fe15}\\{c73dfef0-11b8-4a3f-a1ad-0dcbbc5186ef}\\InstanceType"
              }
            ],
            "repeated": 0,
            "id": 11671
          },
          {
            "timestamp": "2026-05-28 22:01:58,350",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f4"
              },
              {
                "name": "ValueName",
                "value": "NameResource"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "1"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{31a5ebe2-c765-490a-937c-b0ab2787fe15}\\{c73dfef0-11b8-4a3f-a1ad-0dcbbc5186ef}\\NameResource"
              }
            ],
            "repeated": 0,
            "id": 11672
          },
          {
            "timestamp": "2026-05-28 22:01:58,350",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f4"
              },
              {
                "name": "ValueName",
                "value": "ExplainResource"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "3"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{31a5ebe2-c765-490a-937c-b0ab2787fe15}\\{c73dfef0-11b8-4a3f-a1ad-0dcbbc5186ef}\\ExplainResource"
              }
            ],
            "repeated": 0,
            "id": 11673
          },
          {
            "timestamp": "2026-05-28 22:01:58,350",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f4"
              },
              {
                "name": "ValueName",
                "value": "First Counter"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "5400"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{31a5ebe2-c765-490a-937c-b0ab2787fe15}\\{c73dfef0-11b8-4a3f-a1ad-0dcbbc5186ef}\\First Counter"
              }
            ],
            "repeated": 0,
            "id": 11674
          },
          {
            "timestamp": "2026-05-28 22:01:58,350",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f4"
              },
              {
                "name": "ValueName",
                "value": "Last Counter"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "5466"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{31a5ebe2-c765-490a-937c-b0ab2787fe15}\\{c73dfef0-11b8-4a3f-a1ad-0dcbbc5186ef}\\Last Counter"
              }
            ],
            "repeated": 0,
            "id": 11675
          },
          {
            "timestamp": "2026-05-28 22:01:58,350",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f4"
              },
              {
                "name": "ValueName",
                "value": "NeutralName"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{31a5ebe2-c765-490a-937c-b0ab2787fe15}\\{c73dfef0-11b8-4a3f-a1ad-0dcbbc5186ef}\\NeutralName"
              }
            ],
            "repeated": 0,
            "id": 11676
          },
          {
            "timestamp": "2026-05-28 22:01:58,350",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f4"
              },
              {
                "name": "ValueName",
                "value": "NeutralName"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "Information",
                "value": "SMB Client Shares"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{31a5ebe2-c765-490a-937c-b0ab2787fe15}\\{c73dfef0-11b8-4a3f-a1ad-0dcbbc5186ef}\\NeutralName"
              }
            ],
            "repeated": 0,
            "id": 11677
          },
          {
            "timestamp": "2026-05-28 22:01:58,350",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f4"
              },
              {
                "name": "ValueName",
                "value": "CounterBlock"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{31a5ebe2-c765-490a-937c-b0ab2787fe15}\\{c73dfef0-11b8-4a3f-a1ad-0dcbbc5186ef}\\CounterBlock"
              }
            ],
            "repeated": 0,
            "id": 11678
          },
          {
            "timestamp": "2026-05-28 22:01:58,350",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f4"
              },
              {
                "name": "ValueName",
                "value": "CounterBlock"
              },
              {
                "name": "Type",
                "value": "3",
                "pretty_value": "REG_BINARY"
              },
              {
                "name": "Information",
                "value": "\\x02\\x00\\x00\\x00\\x00\\x05A\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00d\\x00\\x00\\x00\\x00\\x00\\x00\\x00\t\\x00\\x00\\x00\\x0b\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x05A\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00d\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x11\\x00\\x00\\x00\\x13\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x00\\x06\\x00\\x00\\x00\\x00\\x04A\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00d\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x19\\x00\\x00\\x00\\x1b\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x04A\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00d\\x00\\x00\\x00\\x00\\x00\\x00\\x00!\\x00\\x00\\x00#\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x00\t\\x00\\x00\\x00\\x00\\x05\\x02@\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00d\\x00\\x00\\x00\\x00\\x00\\x00\\x00%\\x00\\x00\\x00'\\x00\\x00\\x00\\x01\\x00\\x00\\x00\n\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x00\n\\x00\\x00\\x00\\x02\\x04\\x03@\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00d\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x01\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x00\\x0b\\x00\\x00\\x00\\x00\\x05\\x02@\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00d\\x00\\x00\\x00\\x00\\x00\\x00\\x00)\\x00\\x00\\x00+\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x0c\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x00\\x0c\\x00\\x00\\x00\\x02\\x04\\x03@\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00d\\x00\\x00\\x00\\x00\\x00\\x0
0\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x01\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x00\r\\x00\\x00\\x00\\x00\\x04\\x020\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00d\\x00\\x00\\x00\\x00\\x00\\x00\\x00-\\x00\\x00\\x00/\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x0e\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x00\\x0e\\x00\\x00\\x00\\x02\\x04\\x03@"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{31a5ebe2-c765-490a-937c-b0ab2787fe15}\\{c73dfef0-11b8-4a3f-a1ad-0dcbbc5186ef}\\CounterBlock"
              }
            ],
            "repeated": 0,
            "id": 11679
          },
          {
            "timestamp": "2026-05-28 22:01:58,350",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f4"
              },
              {
                "name": "ValueName",
                "value": "CounterCount"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "33"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{31a5ebe2-c765-490a-937c-b0ab2787fe15}\\{c73dfef0-11b8-4a3f-a1ad-0dcbbc5186ef}\\CounterCount"
              }
            ],
            "repeated": 0,
            "id": 11680
          },
          {
            "timestamp": "2026-05-28 22:01:58,350",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000008f4"
              }
            ],
            "repeated": 0,
            "id": 11681
          },
          {
            "timestamp": "2026-05-28 22:01:58,350",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtEnumerateKey",
            "status": false,
            "return": "0xffffffff8000001a",
            "pretty_return": "NO_MORE_ENTRIES",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f0"
              },
              {
                "name": "Index",
                "value": "1"
              }
            ],
            "repeated": 0,
            "id": 11682
          },
          {
            "timestamp": "2026-05-28 22:01:58,350",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000008f0"
              }
            ],
            "repeated": 0,
            "id": 11683
          },
          {
            "timestamp": "2026-05-28 22:01:58,350",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtEnumerateKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008ec"
              },
              {
                "name": "Index",
                "value": "8"
              }
            ],
            "repeated": 0,
            "id": 11684
          },
          {
            "timestamp": "2026-05-28 22:01:58,350",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0002001f",
                "pretty_value": "KEY_READ|KEY_WRITE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000008ec"
              },
              {
                "name": "ObjectAttributesName",
                "value": "{3817cb9c-49a8-436b-bc29-5518877d3c3a}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{3817cb9c-49a8-436b-bc29-5518877d3c3a}"
              }
            ],
            "repeated": 0,
            "id": 11685
          },
          {
            "timestamp": "2026-05-28 22:01:58,350",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f0"
              },
              {
                "name": "ValueName",
                "value": "ProviderType"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{3817cb9c-49a8-436b-bc29-5518877d3c3a}\\ProviderType"
              }
            ],
            "repeated": 0,
            "id": 11686
          },
          {
            "timestamp": "2026-05-28 22:01:58,350",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f0"
              },
              {
                "name": "ValueName",
                "value": "ProviderName"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{3817cb9c-49a8-436b-bc29-5518877d3c3a}\\ProviderName"
              }
            ],
            "repeated": 0,
            "id": 11687
          },
          {
            "timestamp": "2026-05-28 22:01:58,350",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f0"
              },
              {
                "name": "ValueName",
                "value": "ProviderName"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "Information",
                "value": "Microsoft-Windows-W32Time-Perf"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{3817cb9c-49a8-436b-bc29-5518877d3c3a}\\ProviderName"
              }
            ],
            "repeated": 0,
            "id": 11688
          },
          {
            "timestamp": "2026-05-28 22:01:58,350",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f0"
              },
              {
                "name": "ValueName",
                "value": "ApplicationIdentity"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{3817cb9c-49a8-436b-bc29-5518877d3c3a}\\ApplicationIdentity"
              }
            ],
            "repeated": 0,
            "id": 11689
          },
          {
            "timestamp": "2026-05-28 22:01:58,350",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f0"
              },
              {
                "name": "ValueName",
                "value": "ApplicationIdentity"
              },
              {
                "name": "Type",
                "value": "2",
                "pretty_value": "REG_EXPAND_SZ"
              },
              {
                "name": "Information",
                "value": "%systemroot%\\system32\\w32time.dll"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{3817cb9c-49a8-436b-bc29-5518877d3c3a}\\ApplicationIdentity"
              }
            ],
            "repeated": 0,
            "id": 11690
          },
          {
            "timestamp": "2026-05-28 22:01:58,350",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtEnumerateKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f0"
              },
              {
                "name": "Index",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 11691
          },
          {
            "timestamp": "2026-05-28 22:01:58,350",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0002001f",
                "pretty_value": "KEY_READ|KEY_WRITE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000008f0"
              },
              {
                "name": "ObjectAttributesName",
                "value": "{82fa211f-e7f8-4ab5-a04c-cc523073b971}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{3817cb9c-49a8-436b-bc29-5518877d3c3a}\\{82fa211f-e7f8-4ab5-a04c-cc523073b971}"
              }
            ],
            "repeated": 0,
            "id": 11692
          },
          {
            "timestamp": "2026-05-28 22:01:58,350",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f4"
              },
              {
                "name": "ValueName",
                "value": "InstanceType"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{3817cb9c-49a8-436b-bc29-5518877d3c3a}\\{82fa211f-e7f8-4ab5-a04c-cc523073b971}\\InstanceType"
              }
            ],
            "repeated": 0,
            "id": 11693
          },
          {
            "timestamp": "2026-05-28 22:01:58,350",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f4"
              },
              {
                "name": "ValueName",
                "value": "NameResource"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "1"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{3817cb9c-49a8-436b-bc29-5518877d3c3a}\\{82fa211f-e7f8-4ab5-a04c-cc523073b971}\\NameResource"
              }
            ],
            "repeated": 0,
            "id": 11694
          },
          {
            "timestamp": "2026-05-28 22:01:58,350",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f4"
              },
              {
                "name": "ValueName",
                "value": "ExplainResource"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "3"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{3817cb9c-49a8-436b-bc29-5518877d3c3a}\\{82fa211f-e7f8-4ab5-a04c-cc523073b971}\\ExplainResource"
              }
            ],
            "repeated": 0,
            "id": 11695
          },
          {
            "timestamp": "2026-05-28 22:01:58,350",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f4"
              },
              {
                "name": "ValueName",
                "value": "First Counter"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "5468"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{3817cb9c-49a8-436b-bc29-5518877d3c3a}\\{82fa211f-e7f8-4ab5-a04c-cc523073b971}\\First Counter"
              }
            ],
            "repeated": 0,
            "id": 11696
          },
          {
            "timestamp": "2026-05-28 22:01:58,350",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f4"
              },
              {
                "name": "ValueName",
                "value": "Last Counter"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "5482"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{3817cb9c-49a8-436b-bc29-5518877d3c3a}\\{82fa211f-e7f8-4ab5-a04c-cc523073b971}\\Last Counter"
              }
            ],
            "repeated": 0,
            "id": 11697
          },
          {
            "timestamp": "2026-05-28 22:01:58,350",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f4"
              },
              {
                "name": "ValueName",
                "value": "CounterBlock"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{3817cb9c-49a8-436b-bc29-5518877d3c3a}\\{82fa211f-e7f8-4ab5-a04c-cc523073b971}\\CounterBlock"
              }
            ],
            "repeated": 0,
            "id": 11698
          },
          {
            "timestamp": "2026-05-28 22:01:58,350",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f4"
              },
              {
                "name": "ValueName",
                "value": "CounterBlock"
              },
              {
                "name": "Type",
                "value": "3",
                "pretty_value": "REG_BINARY"
              },
              {
                "name": "Information",
                "value": "\\x02\\x00\\x00\\x00\\x00\\x01\\x01\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00d\\x00\\x00\\x00\\xfe\\xff\\xff\\xff\\x05\\x00\\x00\\x00\\x07\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00d\\x00\\x00\\x00\\x00\\x00\\x00\\x00\t\\x00\\x00\\x00\\x0b\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00d\\x00\\x00\\x00\\xfd\\xff\\xff\\xff\r\\x00\\x00\\x00\\x0f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x00\\x0b\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00d\\x00\\x00\\x00\\xfd\\xff\\xff\\xff\\x11\\x00\\x00\\x00\\x13\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x00\\x0c\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00d\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x15\\x00\\x00\\x00\\x17\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x00\\x15\\x00\\x00\\x00\\x00\\x05A\\x10\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00d\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x19\\x00\\x00\\x00\\x1b\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x00\\x16\\x00\\x00\\x00\\x00\\x05A\\x10\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00d\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x1d\\x00\\x00\\x00\\x1f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x00"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{3817cb9c-49a8-436b-bc29-5518877d3c3a}\\{82fa211f-e7f8-4ab5-a04c-cc523073b971}\\CounterBlock"
              }
            ],
            "repeated": 0,
            "id": 11699
          },
          {
            "timestamp": "2026-05-28 22:01:58,350",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f4"
              },
              {
                "name": "ValueName",
                "value": "CounterCount"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "7"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{3817cb9c-49a8-436b-bc29-5518877d3c3a}\\{82fa211f-e7f8-4ab5-a04c-cc523073b971}\\CounterCount"
              }
            ],
            "repeated": 0,
            "id": 11700
          },
          {
            "timestamp": "2026-05-28 22:01:58,350",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000008f4"
              }
            ],
            "repeated": 0,
            "id": 11701
          },
          {
            "timestamp": "2026-05-28 22:01:58,350",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtEnumerateKey",
            "status": false,
            "return": "0xffffffff8000001a",
            "pretty_return": "NO_MORE_ENTRIES",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f0"
              },
              {
                "name": "Index",
                "value": "1"
              }
            ],
            "repeated": 0,
            "id": 11702
          },
          {
            "timestamp": "2026-05-28 22:01:58,350",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000008f0"
              }
            ],
            "repeated": 0,
            "id": 11703
          },
          {
            "timestamp": "2026-05-28 22:01:58,350",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtEnumerateKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008ec"
              },
              {
                "name": "Index",
                "value": "9"
              }
            ],
            "repeated": 0,
            "id": 11704
          },
          {
            "timestamp": "2026-05-28 22:01:58,350",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0002001f",
                "pretty_value": "KEY_READ|KEY_WRITE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000008ec"
              },
              {
                "name": "ObjectAttributesName",
                "value": "{383487a6-3676-4870-a4e7-d45b30c35629}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{383487a6-3676-4870-a4e7-d45b30c35629}"
              }
            ],
            "repeated": 0,
            "id": 11705
          },
          {
            "timestamp": "2026-05-28 22:01:58,350",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f0"
              },
              {
                "name": "ValueName",
                "value": "ProviderType"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "1"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{383487a6-3676-4870-a4e7-d45b30c35629}\\ProviderType"
              }
            ],
            "repeated": 0,
            "id": 11706
          },
          {
            "timestamp": "2026-05-28 22:01:58,350",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f0"
              },
              {
                "name": "ValueName",
                "value": "ProviderName"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{383487a6-3676-4870-a4e7-d45b30c35629}\\ProviderName"
              }
            ],
            "repeated": 0,
            "id": 11707
          },
          {
            "timestamp": "2026-05-28 22:01:58,350",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f0"
              },
              {
                "name": "ValueName",
                "value": "ApplicationIdentity"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{383487a6-3676-4870-a4e7-d45b30c35629}\\ApplicationIdentity"
              }
            ],
            "repeated": 0,
            "id": 11708
          },
          {
            "timestamp": "2026-05-28 22:01:58,350",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f0"
              },
              {
                "name": "ValueName",
                "value": "ApplicationIdentity"
              },
              {
                "name": "Type",
                "value": "2",
                "pretty_value": "REG_EXPAND_SZ"
              },
              {
                "name": "Information",
                "value": "%SystemRoot%\\system32\\advapi32res.dll"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{383487a6-3676-4870-a4e7-d45b30c35629}\\ApplicationIdentity"
              }
            ],
            "repeated": 0,
            "id": 11709
          },
          {
            "timestamp": "2026-05-28 22:01:58,350",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtEnumerateKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f0"
              },
              {
                "name": "Index",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 11710
          },
          {
            "timestamp": "2026-05-28 22:01:58,350",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0002001f",
                "pretty_value": "KEY_READ|KEY_WRITE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000008f0"
              },
              {
                "name": "ObjectAttributesName",
                "value": "{2f66fd0a-9f6c-4d91-9f2f-2a1b5e41b7dc}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{383487a6-3676-4870-a4e7-d45b30c35629}\\{2f66fd0a-9f6c-4d91-9f2f-2a1b5e41b7dc}"
              }
            ],
            "repeated": 0,
            "id": 11711
          },
          {
            "timestamp": "2026-05-28 22:01:58,350",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f4"
              },
              {
                "name": "ValueName",
                "value": "InstanceType"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "2"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{383487a6-3676-4870-a4e7-d45b30c35629}\\{2f66fd0a-9f6c-4d91-9f2f-2a1b5e41b7dc}\\InstanceType"
              }
            ],
            "repeated": 0,
            "id": 11712
          },
          {
            "timestamp": "2026-05-28 22:01:58,350",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f4"
              },
              {
                "name": "ValueName",
                "value": "NameResource"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "309"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{383487a6-3676-4870-a4e7-d45b30c35629}\\{2f66fd0a-9f6c-4d91-9f2f-2a1b5e41b7dc}\\NameResource"
              }
            ],
            "repeated": 0,
            "id": 11713
          },
          {
            "timestamp": "2026-05-28 22:01:58,350",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f4"
              },
              {
                "name": "ValueName",
                "value": "ExplainResource"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "311"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{383487a6-3676-4870-a4e7-d45b30c35629}\\{2f66fd0a-9f6c-4d91-9f2f-2a1b5e41b7dc}\\ExplainResource"
              }
            ],
            "repeated": 0,
            "id": 11714
          },
          {
            "timestamp": "2026-05-28 22:01:58,350",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f4"
              },
              {
                "name": "ValueName",
                "value": "First Counter"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "3702"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{383487a6-3676-4870-a4e7-d45b30c35629}\\{2f66fd0a-9f6c-4d91-9f2f-2a1b5e41b7dc}\\First Counter"
              }
            ],
            "repeated": 0,
            "id": 11715
          },
          {
            "timestamp": "2026-05-28 22:01:58,350",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f4"
              },
              {
                "name": "ValueName",
                "value": "Last Counter"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "3786"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{383487a6-3676-4870-a4e7-d45b30c35629}\\{2f66fd0a-9f6c-4d91-9f2f-2a1b5e41b7dc}\\Last Counter"
              }
            ],
            "repeated": 0,
            "id": 11716
          },
          {
            "timestamp": "2026-05-28 22:01:58,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f4"
              },
              {
                "name": "ValueName",
                "value": "NeutralName"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{383487a6-3676-4870-a4e7-d45b30c35629}\\{2f66fd0a-9f6c-4d91-9f2f-2a1b5e41b7dc}\\NeutralName"
              }
            ],
            "repeated": 0,
            "id": 11717
          },
          {
            "timestamp": "2026-05-28 22:01:58,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f4"
              },
              {
                "name": "ValueName",
                "value": "NeutralName"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "Information",
                "value": "SynchronizationNuma"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{383487a6-3676-4870-a4e7-d45b30c35629}\\{2f66fd0a-9f6c-4d91-9f2f-2a1b5e41b7dc}\\NeutralName"
              }
            ],
            "repeated": 0,
            "id": 11718
          },
          {
            "timestamp": "2026-05-28 22:01:58,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f4"
              },
              {
                "name": "ValueName",
                "value": "CounterBlock"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{383487a6-3676-4870-a4e7-d45b30c35629}\\{2f66fd0a-9f6c-4d91-9f2f-2a1b5e41b7dc}\\CounterBlock"
              }
            ],
            "repeated": 0,
            "id": 11719
          },
          {
            "timestamp": "2026-05-28 22:01:58,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f4"
              },
              {
                "name": "ValueName",
                "value": "CounterBlock"
              },
              {
                "name": "Type",
                "value": "3",
                "pretty_value": "REG_BINARY"
              },
              {
                "name": "Information",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x04A\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xc8\\x00\\x00\\x00\\x00\\x00\\x00\\x009\\x01\\x00\\x00;\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x04A\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xc8\\x00\\x00\\x00\\x00\\x00\\x00\\x00=\\x01\\x00\\x00?\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x04A\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xc8\\x00\\x00\\x00\\x00\\x00\\x00\\x00A\\x01\\x00\\x00C\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x00\\x04A\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xc8\\x00\\x00\\x00\\x00\\x00\\x00\\x00E\\x01\\x00\\x00G\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x04A\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xc8\\x00\\x00\\x00\\x00\\x00\\x00\\x00I\\x01\\x00\\x00K\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x00\\x05\\x00\\x00\\x00\\x00\\x04A\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xc8\\x00\\x00\\x00\\x00\\x00\\x00\\x00M\\x01\\x00\\x00O\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x00\\x06\\x00\\x00\\x00\\x00\\x04A\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xc8\\x00\\x00\\x00\\x00\\x00\\x00\\x00Q\\x01\\x00\\x00S\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x00\\x07\\x00\\x00\\x00\\x00\\x04A\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xc8\\x00\\x00\\x00\\
x00\\x00\\x00\\x00U\\x01\\x00\\x00W\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x04A\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xc8\\x00\\x00\\x00\\x00\\x00\\x00\\x00Y\\x01\\x00\\x00[\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x00\t\\x00\\x00\\x00\\x00\\x04A\\x10"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{383487a6-3676-4870-a4e7-d45b30c35629}\\{2f66fd0a-9f6c-4d91-9f2f-2a1b5e41b7dc}\\CounterBlock"
              }
            ],
            "repeated": 0,
            "id": 11720
          },
          {
            "timestamp": "2026-05-28 22:01:58,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f4"
              },
              {
                "name": "ValueName",
                "value": "CounterCount"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "42"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{383487a6-3676-4870-a4e7-d45b30c35629}\\{2f66fd0a-9f6c-4d91-9f2f-2a1b5e41b7dc}\\CounterCount"
              }
            ],
            "repeated": 0,
            "id": 11721
          },
          {
            "timestamp": "2026-05-28 22:01:58,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000008f4"
              }
            ],
            "repeated": 0,
            "id": 11722
          },
          {
            "timestamp": "2026-05-28 22:01:58,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtEnumerateKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f0"
              },
              {
                "name": "Index",
                "value": "1"
              }
            ],
            "repeated": 0,
            "id": 11723
          },
          {
            "timestamp": "2026-05-28 22:01:58,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0002001f",
                "pretty_value": "KEY_READ|KEY_WRITE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000008f0"
              },
              {
                "name": "ObjectAttributesName",
                "value": "{370e979a-377a-4f30-b2c4-9a0fd072890b}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{383487a6-3676-4870-a4e7-d45b30c35629}\\{370e979a-377a-4f30-b2c4-9a0fd072890b}"
              }
            ],
            "repeated": 0,
            "id": 11724
          },
          {
            "timestamp": "2026-05-28 22:01:58,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f4"
              },
              {
                "name": "ValueName",
                "value": "InstanceType"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "6"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{383487a6-3676-4870-a4e7-d45b30c35629}\\{370e979a-377a-4f30-b2c4-9a0fd072890b}\\InstanceType"
              }
            ],
            "repeated": 0,
            "id": 11725
          },
          {
            "timestamp": "2026-05-28 22:01:58,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f4"
              },
              {
                "name": "ValueName",
                "value": "NameResource"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "85"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{383487a6-3676-4870-a4e7-d45b30c35629}\\{370e979a-377a-4f30-b2c4-9a0fd072890b}\\NameResource"
              }
            ],
            "repeated": 0,
            "id": 11726
          },
          {
            "timestamp": "2026-05-28 22:01:58,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f4"
              },
              {
                "name": "ValueName",
                "value": "ExplainResource"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "87"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{383487a6-3676-4870-a4e7-d45b30c35629}\\{370e979a-377a-4f30-b2c4-9a0fd072890b}\\ExplainResource"
              }
            ],
            "repeated": 0,
            "id": 11727
          },
          {
            "timestamp": "2026-05-28 22:01:58,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f4"
              },
              {
                "name": "ValueName",
                "value": "First Counter"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "3590"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{383487a6-3676-4870-a4e7-d45b30c35629}\\{370e979a-377a-4f30-b2c4-9a0fd072890b}\\First Counter"
              }
            ],
            "repeated": 0,
            "id": 11728
          },
          {
            "timestamp": "2026-05-28 22:01:58,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f4"
              },
              {
                "name": "ValueName",
                "value": "Last Counter"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "3674"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{383487a6-3676-4870-a4e7-d45b30c35629}\\{370e979a-377a-4f30-b2c4-9a0fd072890b}\\Last Counter"
              }
            ],
            "repeated": 0,
            "id": 11729
          },
          {
            "timestamp": "2026-05-28 22:01:58,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f4"
              },
              {
                "name": "ValueName",
                "value": "NeutralName"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{383487a6-3676-4870-a4e7-d45b30c35629}\\{370e979a-377a-4f30-b2c4-9a0fd072890b}\\NeutralName"
              }
            ],
            "repeated": 0,
            "id": 11730
          },
          {
            "timestamp": "2026-05-28 22:01:58,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f4"
              },
              {
                "name": "ValueName",
                "value": "NeutralName"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "Information",
                "value": "Synchronization"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{383487a6-3676-4870-a4e7-d45b30c35629}\\{370e979a-377a-4f30-b2c4-9a0fd072890b}\\NeutralName"
              }
            ],
            "repeated": 0,
            "id": 11731
          },
          {
            "timestamp": "2026-05-28 22:01:58,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f4"
              },
              {
                "name": "ValueName",
                "value": "CounterBlock"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{383487a6-3676-4870-a4e7-d45b30c35629}\\{370e979a-377a-4f30-b2c4-9a0fd072890b}\\CounterBlock"
              }
            ],
            "repeated": 0,
            "id": 11732
          },
          {
            "timestamp": "2026-05-28 22:01:58,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f4"
              },
              {
                "name": "ValueName",
                "value": "CounterBlock"
              },
              {
                "name": "Type",
                "value": "3",
                "pretty_value": "REG_BINARY"
              },
              {
                "name": "Information",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x04A\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xc8\\x00\\x00\\x00\\x00\\x00\\x00\\x00Y\\x00\\x00\\x00[\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x04A\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xc8\\x00\\x00\\x00\\x00\\x00\\x00\\x00]\\x00\\x00\\x00_\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x04A\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xc8\\x00\\x00\\x00\\x00\\x00\\x00\\x00a\\x00\\x00\\x00c\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x00\\x04A\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xc8\\x00\\x00\\x00\\x00\\x00\\x00\\x00e\\x00\\x00\\x00g\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x04A\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xc8\\x00\\x00\\x00\\x00\\x00\\x00\\x00i\\x00\\x00\\x00k\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x00\\x05\\x00\\x00\\x00\\x00\\x04A\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xc8\\x00\\x00\\x00\\x00\\x00\\x00\\x00m\\x00\\x00\\x00o\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x00\\x06\\x00\\x00\\x00\\x00\\x04A\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xc8\\x00\\x00\\x00\\x00\\x00\\x00\\x00q\\x00\\x00\\x00s\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x00\\x07\\x00\\x00\\x00\\x00\\x04A\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xc8\\x00\\x00\\x00\\
x00\\x00\\x00\\x00u\\x00\\x00\\x00w\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x04A\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xc8\\x00\\x00\\x00\\x00\\x00\\x00\\x00y\\x00\\x00\\x00{\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x00\t\\x00\\x00\\x00\\x00\\x04A\\x10"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{383487a6-3676-4870-a4e7-d45b30c35629}\\{370e979a-377a-4f30-b2c4-9a0fd072890b}\\CounterBlock"
              }
            ],
            "repeated": 0,
            "id": 11733
          },
          {
            "timestamp": "2026-05-28 22:01:58,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f4"
              },
              {
                "name": "ValueName",
                "value": "CounterCount"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "42"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{383487a6-3676-4870-a4e7-d45b30c35629}\\{370e979a-377a-4f30-b2c4-9a0fd072890b}\\CounterCount"
              }
            ],
            "repeated": 0,
            "id": 11734
          },
          {
            "timestamp": "2026-05-28 22:01:58,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000008f4"
              }
            ],
            "repeated": 0,
            "id": 11735
          },
          {
            "timestamp": "2026-05-28 22:01:58,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtEnumerateKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f0"
              },
              {
                "name": "Index",
                "value": "2"
              }
            ],
            "repeated": 0,
            "id": 11736
          },
          {
            "timestamp": "2026-05-28 22:01:58,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0002001f",
                "pretty_value": "KEY_READ|KEY_WRITE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000008f0"
              },
              {
                "name": "ObjectAttributesName",
                "value": "{42cd0051-9dd9-4fe2-8db9-d37885d2d749}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{383487a6-3676-4870-a4e7-d45b30c35629}\\{42cd0051-9dd9-4fe2-8db9-d37885d2d749}"
              }
            ],
            "repeated": 0,
            "id": 11737
          },
          {
            "timestamp": "2026-05-28 22:01:58,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f4"
              },
              {
                "name": "ValueName",
                "value": "InstanceType"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{383487a6-3676-4870-a4e7-d45b30c35629}\\{42cd0051-9dd9-4fe2-8db9-d37885d2d749}\\InstanceType"
              }
            ],
            "repeated": 0,
            "id": 11738
          },
          {
            "timestamp": "2026-05-28 22:01:58,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f4"
              },
              {
                "name": "ValueName",
                "value": "NameResource"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "257"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{383487a6-3676-4870-a4e7-d45b30c35629}\\{42cd0051-9dd9-4fe2-8db9-d37885d2d749}\\NameResource"
              }
            ],
            "repeated": 0,
            "id": 11739
          },
          {
            "timestamp": "2026-05-28 22:01:58,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f4"
              },
              {
                "name": "ValueName",
                "value": "ExplainResource"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "259"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{383487a6-3676-4870-a4e7-d45b30c35629}\\{42cd0051-9dd9-4fe2-8db9-d37885d2d749}\\ExplainResource"
              }
            ],
            "repeated": 0,
            "id": 11740
          },
          {
            "timestamp": "2026-05-28 22:01:58,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f4"
              },
              {
                "name": "ValueName",
                "value": "First Counter"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "3676"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{383487a6-3676-4870-a4e7-d45b30c35629}\\{42cd0051-9dd9-4fe2-8db9-d37885d2d749}\\First Counter"
              }
            ],
            "repeated": 0,
            "id": 11741
          },
          {
            "timestamp": "2026-05-28 22:01:58,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f4"
              },
              {
                "name": "ValueName",
                "value": "Last Counter"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "3688"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{383487a6-3676-4870-a4e7-d45b30c35629}\\{42cd0051-9dd9-4fe2-8db9-d37885d2d749}\\Last Counter"
              }
            ],
            "repeated": 0,
            "id": 11742
          },
          {
            "timestamp": "2026-05-28 22:01:58,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f4"
              },
              {
                "name": "ValueName",
                "value": "NeutralName"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{383487a6-3676-4870-a4e7-d45b30c35629}\\{42cd0051-9dd9-4fe2-8db9-d37885d2d749}\\NeutralName"
              }
            ],
            "repeated": 0,
            "id": 11743
          },
          {
            "timestamp": "2026-05-28 22:01:58,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f4"
              },
              {
                "name": "ValueName",
                "value": "NeutralName"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "Information",
                "value": "Event Tracing for Windows"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{383487a6-3676-4870-a4e7-d45b30c35629}\\{42cd0051-9dd9-4fe2-8db9-d37885d2d749}\\NeutralName"
              }
            ],
            "repeated": 0,
            "id": 11744
          },
          {
            "timestamp": "2026-05-28 22:01:58,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f4"
              },
              {
                "name": "ValueName",
                "value": "CounterBlock"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{383487a6-3676-4870-a4e7-d45b30c35629}\\{42cd0051-9dd9-4fe2-8db9-d37885d2d749}\\CounterBlock"
              }
            ],
            "repeated": 0,
            "id": 11745
          },
          {
            "timestamp": "2026-05-28 22:01:58,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f4"
              },
              {
                "name": "ValueName",
                "value": "CounterBlock"
              },
              {
                "name": "Type",
                "value": "3",
                "pretty_value": "REG_BINARY"
              },
              {
                "name": "Information",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xc8\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x05\\x01\\x00\\x00\\x07\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xc8\\x00\\x00\\x00\\x00\\x00\\x00\\x00\t\\x01\\x00\\x00\\x0b\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xc8\\x00\\x00\\x00\\x00\\x00\\x00\\x00\r\\x01\\x00\\x00\\x0f\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xc8\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x11\\x01\\x00\\x00\\x13\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xc8\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x15\\x01\\x00\\x00\\x17\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x00\\x05\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xc8\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x19\\x01\\x00\\x00\\x1b\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x00"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{383487a6-3676-4870-a4e7-d45b30c35629}\\{42cd0051-9dd9-4fe2-8db9-d37885d2d749}\\CounterBlock"
              }
            ],
            "repeated": 0,
            "id": 11746
          },
          {
            "timestamp": "2026-05-28 22:01:58,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f4"
              },
              {
                "name": "ValueName",
                "value": "CounterCount"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "6"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{383487a6-3676-4870-a4e7-d45b30c35629}\\{42cd0051-9dd9-4fe2-8db9-d37885d2d749}\\CounterCount"
              }
            ],
            "repeated": 0,
            "id": 11747
          },
          {
            "timestamp": "2026-05-28 22:01:58,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000008f4"
              }
            ],
            "repeated": 0,
            "id": 11748
          },
          {
            "timestamp": "2026-05-28 22:01:58,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtEnumerateKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f0"
              },
              {
                "name": "Index",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 11749
          },
          {
            "timestamp": "2026-05-28 22:01:58,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0002001f",
                "pretty_value": "KEY_READ|KEY_WRITE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000008f0"
              },
              {
                "name": "ObjectAttributesName",
                "value": "{52bc5412-dac2-449c-8bc2-96443888fe6b}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{383487a6-3676-4870-a4e7-d45b30c35629}\\{52bc5412-dac2-449c-8bc2-96443888fe6b}"
              }
            ],
            "repeated": 0,
            "id": 11750
          },
          {
            "timestamp": "2026-05-28 22:01:58,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f4"
              },
              {
                "name": "ValueName",
                "value": "InstanceType"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "2"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{383487a6-3676-4870-a4e7-d45b30c35629}\\{52bc5412-dac2-449c-8bc2-96443888fe6b}\\InstanceType"
              }
            ],
            "repeated": 0,
            "id": 11751
          },
          {
            "timestamp": "2026-05-28 22:01:58,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f4"
              },
              {
                "name": "ValueName",
                "value": "NameResource"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "503"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{383487a6-3676-4870-a4e7-d45b30c35629}\\{52bc5412-dac2-449c-8bc2-96443888fe6b}\\NameResource"
              }
            ],
            "repeated": 0,
            "id": 11752
          },
          {
            "timestamp": "2026-05-28 22:01:58,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f4"
              },
              {
                "name": "ValueName",
                "value": "ExplainResource"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "501"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{383487a6-3676-4870-a4e7-d45b30c35629}\\{52bc5412-dac2-449c-8bc2-96443888fe6b}\\ExplainResource"
              }
            ],
            "repeated": 0,
            "id": 11753
          },
          {
            "timestamp": "2026-05-28 22:01:58,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f4"
              },
              {
                "name": "ValueName",
                "value": "First Counter"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "3794"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{383487a6-3676-4870-a4e7-d45b30c35629}\\{52bc5412-dac2-449c-8bc2-96443888fe6b}\\First Counter"
              }
            ],
            "repeated": 0,
            "id": 11754
          },
          {
            "timestamp": "2026-05-28 22:01:58,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f4"
              },
              {
                "name": "ValueName",
                "value": "Last Counter"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "3802"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{383487a6-3676-4870-a4e7-d45b30c35629}\\{52bc5412-dac2-449c-8bc2-96443888fe6b}\\Last Counter"
              }
            ],
            "repeated": 0,
            "id": 11755
          },
          {
            "timestamp": "2026-05-28 22:01:58,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f4"
              },
              {
                "name": "ValueName",
                "value": "NeutralName"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{383487a6-3676-4870-a4e7-d45b30c35629}\\{52bc5412-dac2-449c-8bc2-96443888fe6b}\\NeutralName"
              }
            ],
            "repeated": 0,
            "id": 11756
          },
          {
            "timestamp": "2026-05-28 22:01:58,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f4"
              },
              {
                "name": "ValueName",
                "value": "NeutralName"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "Information",
                "value": "Thermal Zone Information"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{383487a6-3676-4870-a4e7-d45b30c35629}\\{52bc5412-dac2-449c-8bc2-96443888fe6b}\\NeutralName"
              }
            ],
            "repeated": 0,
            "id": 11757
          },
          {
            "timestamp": "2026-05-28 22:01:58,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f4"
              },
              {
                "name": "ValueName",
                "value": "CounterBlock"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{383487a6-3676-4870-a4e7-d45b30c35629}\\{52bc5412-dac2-449c-8bc2-96443888fe6b}\\CounterBlock"
              }
            ],
            "repeated": 0,
            "id": 11758
          },
          {
            "timestamp": "2026-05-28 22:01:58,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f4"
              },
              {
                "name": "ValueName",
                "value": "CounterBlock"
              },
              {
                "name": "Type",
                "value": "3",
                "pretty_value": "REG_BINARY"
              },
              {
                "name": "Information",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xc8\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xfb\\x01\\x00\\x00\\xf9\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xc8\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xff\\x01\\x00\\x00\\xfd\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xc8\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x03\\x02\\x00\\x00\\x01\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xc8\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x07\\x02\\x00\\x00\\x05\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x00"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{383487a6-3676-4870-a4e7-d45b30c35629}\\{52bc5412-dac2-449c-8bc2-96443888fe6b}\\CounterBlock"
              }
            ],
            "repeated": 0,
            "id": 11759
          },
          {
            "timestamp": "2026-05-28 22:01:58,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f4"
              },
              {
                "name": "ValueName",
                "value": "CounterCount"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "4"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{383487a6-3676-4870-a4e7-d45b30c35629}\\{52bc5412-dac2-449c-8bc2-96443888fe6b}\\CounterCount"
              }
            ],
            "repeated": 0,
            "id": 11760
          },
          {
            "timestamp": "2026-05-28 22:01:58,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000008f4"
              }
            ],
            "repeated": 0,
            "id": 11761
          },
          {
            "timestamp": "2026-05-28 22:01:58,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtEnumerateKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f0"
              },
              {
                "name": "Index",
                "value": "4"
              }
            ],
            "repeated": 0,
            "id": 11762
          },
          {
            "timestamp": "2026-05-28 22:01:58,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0002001f",
                "pretty_value": "KEY_READ|KEY_WRITE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000008f0"
              },
              {
                "name": "ObjectAttributesName",
                "value": "{b4fc721a-0378-476f-89ba-a5a79f810b36}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{383487a6-3676-4870-a4e7-d45b30c35629}\\{b4fc721a-0378-476f-89ba-a5a79f810b36}"
              }
            ],
            "repeated": 0,
            "id": 11763
          },
          {
            "timestamp": "2026-05-28 22:01:58,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f4"
              },
              {
                "name": "ValueName",
                "value": "InstanceType"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "2"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{383487a6-3676-4870-a4e7-d45b30c35629}\\{b4fc721a-0378-476f-89ba-a5a79f810b36}\\InstanceType"
              }
            ],
            "repeated": 0,
            "id": 11764
          },
          {
            "timestamp": "2026-05-28 22:01:58,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f4"
              },
              {
                "name": "ValueName",
                "value": "NameResource"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "1"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{383487a6-3676-4870-a4e7-d45b30c35629}\\{b4fc721a-0378-476f-89ba-a5a79f810b36}\\NameResource"
              }
            ],
            "repeated": 0,
            "id": 11765
          },
          {
            "timestamp": "2026-05-28 22:01:58,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f4"
              },
              {
                "name": "ValueName",
                "value": "ExplainResource"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "3"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{383487a6-3676-4870-a4e7-d45b30c35629}\\{b4fc721a-0378-476f-89ba-a5a79f810b36}\\ExplainResource"
              }
            ],
            "repeated": 0,
            "id": 11766
          },
          {
            "timestamp": "2026-05-28 22:01:58,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f4"
              },
              {
                "name": "ValueName",
                "value": "First Counter"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "3518"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{383487a6-3676-4870-a4e7-d45b30c35629}\\{b4fc721a-0378-476f-89ba-a5a79f810b36}\\First Counter"
              }
            ],
            "repeated": 0,
            "id": 11767
          },
          {
            "timestamp": "2026-05-28 22:01:58,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f4"
              },
              {
                "name": "ValueName",
                "value": "Last Counter"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "3588"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{383487a6-3676-4870-a4e7-d45b30c35629}\\{b4fc721a-0378-476f-89ba-a5a79f810b36}\\Last Counter"
              }
            ],
            "repeated": 0,
            "id": 11768
          },
          {
            "timestamp": "2026-05-28 22:01:58,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f4"
              },
              {
                "name": "ValueName",
                "value": "NeutralName"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{383487a6-3676-4870-a4e7-d45b30c35629}\\{b4fc721a-0378-476f-89ba-a5a79f810b36}\\NeutralName"
              }
            ],
            "repeated": 0,
            "id": 11769
          },
          {
            "timestamp": "2026-05-28 22:01:58,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f4"
              },
              {
                "name": "ValueName",
                "value": "NeutralName"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "Information",
                "value": "Processor Information"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{383487a6-3676-4870-a4e7-d45b30c35629}\\{b4fc721a-0378-476f-89ba-a5a79f810b36}\\NeutralName"
              }
            ],
            "repeated": 0,
            "id": 11770
          },
          {
            "timestamp": "2026-05-28 22:01:58,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f4"
              },
              {
                "name": "ValueName",
                "value": "CounterBlock"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{383487a6-3676-4870-a4e7-d45b30c35629}\\{b4fc721a-0378-476f-89ba-a5a79f810b36}\\CounterBlock"
              }
            ],
            "repeated": 0,
            "id": 11771
          },
          {
            "timestamp": "2026-05-28 22:01:58,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f4"
              },
              {
                "name": "ValueName",
                "value": "CounterBlock"
              },
              {
                "name": "Type",
                "value": "3",
                "pretty_value": "REG_BINARY"
              },
              {
                "name": "Information",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x05Q!\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00d\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x05\\x00\\x00\\x00\\x07\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x05Q \\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00d\\x00\\x00\\x00\\x00\\x00\\x00\\x00\t\\x00\\x00\\x00\\x0b\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x05Q \\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00d\\x00\\x00\\x00\\x00\\x00\\x00\\x00\r\\x00\\x00\\x00\\x0f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x00\\x04A\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00d\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x11\\x00\\x00\\x00\\x13\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x05Q \\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00d\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x15\\x00\\x00\\x00\\x17\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x00\\x05\\x00\\x00\\x00\\x00\\x05Q 
\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00d\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x19\\x00\\x00\\x00\\x1b\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x00\\x06\\x00\\x00\\x00\\x00\\x04A\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00d\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x1d\\x00\\x00\\x00\\x1f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x00\\x07\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00d\\x00\\x00\\x00\\x00\\x00\\x00\\x00!\\x00\\x00\\x00#\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x05Q \\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00d\\x00\\x00\\x00\\x00\\x00\\x00\\x00%\\x00\\x00\\x00'\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x00\t\\x00\\x00\\x00\\x00\\x05Q "
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{383487a6-3676-4870-a4e7-d45b30c35629}\\{b4fc721a-0378-476f-89ba-a5a79f810b36}\\CounterBlock"
              }
            ],
            "repeated": 0,
            "id": 11772
          },
          {
            "timestamp": "2026-05-28 22:01:58,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f4"
              },
              {
                "name": "ValueName",
                "value": "CounterCount"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "35"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{383487a6-3676-4870-a4e7-d45b30c35629}\\{b4fc721a-0378-476f-89ba-a5a79f810b36}\\CounterCount"
              }
            ],
            "repeated": 0,
            "id": 11773
          },
          {
            "timestamp": "2026-05-28 22:01:58,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000008f4"
              }
            ],
            "repeated": 0,
            "id": 11774
          },
          {
            "timestamp": "2026-05-28 22:01:58,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtEnumerateKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f0"
              },
              {
                "name": "Index",
                "value": "5"
              }
            ],
            "repeated": 0,
            "id": 11775
          },
          {
            "timestamp": "2026-05-28 22:01:58,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0002001f",
                "pretty_value": "KEY_READ|KEY_WRITE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000008f0"
              },
              {
                "name": "ObjectAttributesName",
                "value": "{ed83b00b-6afd-4063-9420-16fe0fa3b36f}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{383487a6-3676-4870-a4e7-d45b30c35629}\\{ed83b00b-6afd-4063-9420-16fe0fa3b36f}"
              }
            ],
            "repeated": 0,
            "id": 11776
          },
          {
            "timestamp": "2026-05-28 22:01:58,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f4"
              },
              {
                "name": "ValueName",
                "value": "InstanceType"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "2"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{383487a6-3676-4870-a4e7-d45b30c35629}\\{ed83b00b-6afd-4063-9420-16fe0fa3b36f}\\InstanceType"
              }
            ],
            "repeated": 0,
            "id": 11777
          },
          {
            "timestamp": "2026-05-28 22:01:58,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f4"
              },
              {
                "name": "ValueName",
                "value": "NameResource"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "285"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{383487a6-3676-4870-a4e7-d45b30c35629}\\{ed83b00b-6afd-4063-9420-16fe0fa3b36f}\\NameResource"
              }
            ],
            "repeated": 0,
            "id": 11778
          },
          {
            "timestamp": "2026-05-28 22:01:58,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f4"
              },
              {
                "name": "ValueName",
                "value": "ExplainResource"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "287"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{383487a6-3676-4870-a4e7-d45b30c35629}\\{ed83b00b-6afd-4063-9420-16fe0fa3b36f}\\ExplainResource"
              }
            ],
            "repeated": 0,
            "id": 11779
          },
          {
            "timestamp": "2026-05-28 22:01:58,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f4"
              },
              {
                "name": "ValueName",
                "value": "First Counter"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "3690"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{383487a6-3676-4870-a4e7-d45b30c35629}\\{ed83b00b-6afd-4063-9420-16fe0fa3b36f}\\First Counter"
              }
            ],
            "repeated": 0,
            "id": 11780
          },
          {
            "timestamp": "2026-05-28 22:01:58,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f4"
              },
              {
                "name": "ValueName",
                "value": "Last Counter"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "3700"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{383487a6-3676-4870-a4e7-d45b30c35629}\\{ed83b00b-6afd-4063-9420-16fe0fa3b36f}\\Last Counter"
              }
            ],
            "repeated": 0,
            "id": 11781
          },
          {
            "timestamp": "2026-05-28 22:01:58,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f4"
              },
              {
                "name": "ValueName",
                "value": "NeutralName"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{383487a6-3676-4870-a4e7-d45b30c35629}\\{ed83b00b-6afd-4063-9420-16fe0fa3b36f}\\NeutralName"
              }
            ],
            "repeated": 0,
            "id": 11782
          },
          {
            "timestamp": "2026-05-28 22:01:58,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f4"
              },
              {
                "name": "ValueName",
                "value": "NeutralName"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "Information",
                "value": "Event Tracing for Windows Session"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{383487a6-3676-4870-a4e7-d45b30c35629}\\{ed83b00b-6afd-4063-9420-16fe0fa3b36f}\\NeutralName"
              }
            ],
            "repeated": 0,
            "id": 11783
          },
          {
            "timestamp": "2026-05-28 22:01:58,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f4"
              },
              {
                "name": "ValueName",
                "value": "CounterBlock"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{383487a6-3676-4870-a4e7-d45b30c35629}\\{ed83b00b-6afd-4063-9420-16fe0fa3b36f}\\CounterBlock"
              }
            ],
            "repeated": 0,
            "id": 11784
          },
          {
            "timestamp": "2026-05-28 22:01:58,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f4"
              },
              {
                "name": "ValueName",
                "value": "CounterBlock"
              },
              {
                "name": "Type",
                "value": "3",
                "pretty_value": "REG_BINARY"
              },
              {
                "name": "Information",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xc8\\x00\\x00\\x00\\x00\\x00\\x00\\x00!\\x01\\x00\\x00#\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xc8\\x00\\x00\\x00\\x00\\x00\\x00\\x00%\\x01\\x00\\x00'\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x05A\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xc8\\x00\\x00\\x00\\x00\\x00\\x00\\x00)\\x01\\x00\\x00+\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xc8\\x00\\x00\\x00\\x00\\x00\\x00\\x00-\\x01\\x00\\x00/\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xc8\\x00\\x00\\x00\\x00\\x00\\x00\\x001\\x01\\x00\\x003\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x00"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{383487a6-3676-4870-a4e7-d45b30c35629}\\{ed83b00b-6afd-4063-9420-16fe0fa3b36f}\\CounterBlock"
              }
            ],
            "repeated": 0,
            "id": 11785
          },
          {
            "timestamp": "2026-05-28 22:01:58,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f4"
              },
              {
                "name": "ValueName",
                "value": "CounterCount"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "5"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{383487a6-3676-4870-a4e7-d45b30c35629}\\{ed83b00b-6afd-4063-9420-16fe0fa3b36f}\\CounterCount"
              }
            ],
            "repeated": 0,
            "id": 11786
          },
          {
            "timestamp": "2026-05-28 22:01:58,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000008f4"
              }
            ],
            "repeated": 0,
            "id": 11787
          },
          {
            "timestamp": "2026-05-28 22:01:58,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtEnumerateKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f0"
              },
              {
                "name": "Index",
                "value": "6"
              }
            ],
            "repeated": 0,
            "id": 11788
          },
          {
            "timestamp": "2026-05-28 22:01:58,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0002001f",
                "pretty_value": "KEY_READ|KEY_WRITE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000008f0"
              },
              {
                "name": "ObjectAttributesName",
                "value": "{f596750d-b109-4247-a62f-dea47a46e505}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{383487a6-3676-4870-a4e7-d45b30c35629}\\{f596750d-b109-4247-a62f-dea47a46e505}"
              }
            ],
            "repeated": 0,
            "id": 11789
          },
          {
            "timestamp": "2026-05-28 22:01:58,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f4"
              },
              {
                "name": "ValueName",
                "value": "InstanceType"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "6"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{383487a6-3676-4870-a4e7-d45b30c35629}\\{f596750d-b109-4247-a62f-dea47a46e505}\\InstanceType"
              }
            ],
            "repeated": 0,
            "id": 11790
          },
          {
            "timestamp": "2026-05-28 22:01:58,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f4"
              },
              {
                "name": "ValueName",
                "value": "NameResource"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "483"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{383487a6-3676-4870-a4e7-d45b30c35629}\\{f596750d-b109-4247-a62f-dea47a46e505}\\NameResource"
              }
            ],
            "repeated": 0,
            "id": 11791
          },
          {
            "timestamp": "2026-05-28 22:01:58,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f4"
              },
              {
                "name": "ValueName",
                "value": "ExplainResource"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "481"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{383487a6-3676-4870-a4e7-d45b30c35629}\\{f596750d-b109-4247-a62f-dea47a46e505}\\ExplainResource"
              }
            ],
            "repeated": 0,
            "id": 11792
          },
          {
            "timestamp": "2026-05-28 22:01:58,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f4"
              },
              {
                "name": "ValueName",
                "value": "First Counter"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "3788"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{383487a6-3676-4870-a4e7-d45b30c35629}\\{f596750d-b109-4247-a62f-dea47a46e505}\\First Counter"
              }
            ],
            "repeated": 0,
            "id": 11793
          },
          {
            "timestamp": "2026-05-28 22:01:58,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f4"
              },
              {
                "name": "ValueName",
                "value": "Last Counter"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "3792"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{383487a6-3676-4870-a4e7-d45b30c35629}\\{f596750d-b109-4247-a62f-dea47a46e505}\\Last Counter"
              }
            ],
            "repeated": 0,
            "id": 11794
          },
          {
            "timestamp": "2026-05-28 22:01:58,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f4"
              },
              {
                "name": "ValueName",
                "value": "NeutralName"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{383487a6-3676-4870-a4e7-d45b30c35629}\\{f596750d-b109-4247-a62f-dea47a46e505}\\NeutralName"
              }
            ],
            "repeated": 0,
            "id": 11795
          },
          {
            "timestamp": "2026-05-28 22:01:58,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f4"
              },
              {
                "name": "ValueName",
                "value": "NeutralName"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "Information",
                "value": "FileSystem Disk Activity"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{383487a6-3676-4870-a4e7-d45b30c35629}\\{f596750d-b109-4247-a62f-dea47a46e505}\\NeutralName"
              }
            ],
            "repeated": 0,
            "id": 11796
          },
          {
            "timestamp": "2026-05-28 22:01:58,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f4"
              },
              {
                "name": "ValueName",
                "value": "CounterBlock"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{383487a6-3676-4870-a4e7-d45b30c35629}\\{f596750d-b109-4247-a62f-dea47a46e505}\\CounterBlock"
              }
            ],
            "repeated": 0,
            "id": 11797
          },
          {
            "timestamp": "2026-05-28 22:01:58,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f4"
              },
              {
                "name": "ValueName",
                "value": "CounterBlock"
              },
              {
                "name": "Type",
                "value": "3",
                "pretty_value": "REG_BINARY"
              },
              {
                "name": "Information",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x05A\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xc8\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xe7\\x01\\x00\\x00\\xe5\\x01\\x00\\x00\\x01\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x05A\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xc8\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xeb\\x01\\x00\\x00\\xe9\\x01\\x00\\x00\\x01\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x00"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{383487a6-3676-4870-a4e7-d45b30c35629}\\{f596750d-b109-4247-a62f-dea47a46e505}\\CounterBlock"
              }
            ],
            "repeated": 0,
            "id": 11798
          },
          {
            "timestamp": "2026-05-28 22:01:58,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f4"
              },
              {
                "name": "ValueName",
                "value": "CounterCount"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "2"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{383487a6-3676-4870-a4e7-d45b30c35629}\\{f596750d-b109-4247-a62f-dea47a46e505}\\CounterCount"
              }
            ],
            "repeated": 0,
            "id": 11799
          },
          {
            "timestamp": "2026-05-28 22:01:58,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000008f4"
              }
            ],
            "repeated": 0,
            "id": 11800
          },
          {
            "timestamp": "2026-05-28 22:01:58,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtEnumerateKey",
            "status": false,
            "return": "0xffffffff8000001a",
            "pretty_return": "NO_MORE_ENTRIES",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f0"
              },
              {
                "name": "Index",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 11801
          },
          {
            "timestamp": "2026-05-28 22:01:58,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000008f0"
              }
            ],
            "repeated": 0,
            "id": 11802
          },
          {
            "timestamp": "2026-05-28 22:01:58,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtEnumerateKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008ec"
              },
              {
                "name": "Index",
                "value": "10"
              }
            ],
            "repeated": 0,
            "id": 11803
          },
          {
            "timestamp": "2026-05-28 22:01:58,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0002001f",
                "pretty_value": "KEY_READ|KEY_WRITE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000008ec"
              },
              {
                "name": "ObjectAttributesName",
                "value": "{3def464b-f31b-4117-8fb7-bb829a0e1a15}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{3def464b-f31b-4117-8fb7-bb829a0e1a15}"
              }
            ],
            "repeated": 0,
            "id": 11804
          },
          {
            "timestamp": "2026-05-28 22:01:58,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f0"
              },
              {
                "name": "ValueName",
                "value": "ProviderType"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "1"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{3def464b-f31b-4117-8fb7-bb829a0e1a15}\\ProviderType"
              }
            ],
            "repeated": 0,
            "id": 11805
          },
          {
            "timestamp": "2026-05-28 22:01:58,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f0"
              },
              {
                "name": "ValueName",
                "value": "ProviderName"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{3def464b-f31b-4117-8fb7-bb829a0e1a15}\\ProviderName"
              }
            ],
            "repeated": 0,
            "id": 11806
          },
          {
            "timestamp": "2026-05-28 22:01:58,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f0"
              },
              {
                "name": "ValueName",
                "value": "ApplicationIdentity"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{3def464b-f31b-4117-8fb7-bb829a0e1a15}\\ApplicationIdentity"
              }
            ],
            "repeated": 0,
            "id": 11807
          },
          {
            "timestamp": "2026-05-28 22:01:58,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f0"
              },
              {
                "name": "ValueName",
                "value": "ApplicationIdentity"
              },
              {
                "name": "Type",
                "value": "2",
                "pretty_value": "REG_EXPAND_SZ"
              },
              {
                "name": "Information",
                "value": "%SystemRoot%\\system32\\drivers\\ndis.sys"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{3def464b-f31b-4117-8fb7-bb829a0e1a15}\\ApplicationIdentity"
              }
            ],
            "repeated": 0,
            "id": 11808
          },
          {
            "timestamp": "2026-05-28 22:01:58,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtEnumerateKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f0"
              },
              {
                "name": "Index",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 11809
          },
          {
            "timestamp": "2026-05-28 22:01:58,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0002001f",
                "pretty_value": "KEY_READ|KEY_WRITE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000008f0"
              },
              {
                "name": "ObjectAttributesName",
                "value": "{2617bf8d-bedc-4231-b92b-1dd2d34ee225}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{3def464b-f31b-4117-8fb7-bb829a0e1a15}\\{2617bf8d-bedc-4231-b92b-1dd2d34ee225}"
              }
            ],
            "repeated": 0,
            "id": 11810
          },
          {
            "timestamp": "2026-05-28 22:01:58,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f4"
              },
              {
                "name": "ValueName",
                "value": "InstanceType"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "2"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{3def464b-f31b-4117-8fb7-bb829a0e1a15}\\{2617bf8d-bedc-4231-b92b-1dd2d34ee225}\\InstanceType"
              }
            ],
            "repeated": 0,
            "id": 11811
          },
          {
            "timestamp": "2026-05-28 22:01:58,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f4"
              },
              {
                "name": "ValueName",
                "value": "NameResource"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "911"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{3def464b-f31b-4117-8fb7-bb829a0e1a15}\\{2617bf8d-bedc-4231-b92b-1dd2d34ee225}\\NameResource"
              }
            ],
            "repeated": 0,
            "id": 11812
          },
          {
            "timestamp": "2026-05-28 22:01:58,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f4"
              },
              {
                "name": "ValueName",
                "value": "ExplainResource"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "913"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{3def464b-f31b-4117-8fb7-bb829a0e1a15}\\{2617bf8d-bedc-4231-b92b-1dd2d34ee225}\\ExplainResource"
              }
            ],
            "repeated": 0,
            "id": 11813
          },
          {
            "timestamp": "2026-05-28 22:01:58,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f4"
              },
              {
                "name": "ValueName",
                "value": "First Counter"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "3060"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{3def464b-f31b-4117-8fb7-bb829a0e1a15}\\{2617bf8d-bedc-4231-b92b-1dd2d34ee225}\\First Counter"
              }
            ],
            "repeated": 0,
            "id": 11814
          },
          {
            "timestamp": "2026-05-28 22:01:58,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f4"
              },
              {
                "name": "ValueName",
                "value": "Last Counter"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "3086"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{3def464b-f31b-4117-8fb7-bb829a0e1a15}\\{2617bf8d-bedc-4231-b92b-1dd2d34ee225}\\Last Counter"
              }
            ],
            "repeated": 0,
            "id": 11815
          },
          {
            "timestamp": "2026-05-28 22:01:58,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f4"
              },
              {
                "name": "ValueName",
                "value": "NeutralName"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{3def464b-f31b-4117-8fb7-bb829a0e1a15}\\{2617bf8d-bedc-4231-b92b-1dd2d34ee225}\\NeutralName"
              }
            ],
            "repeated": 0,
            "id": 11816
          },
          {
            "timestamp": "2026-05-28 22:01:58,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f4"
              },
              {
                "name": "ValueName",
                "value": "NeutralName"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "Information",
                "value": "PacketDirect EC Utilization"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{3def464b-f31b-4117-8fb7-bb829a0e1a15}\\{2617bf8d-bedc-4231-b92b-1dd2d34ee225}\\NeutralName"
              }
            ],
            "repeated": 0,
            "id": 11817
          },
          {
            "timestamp": "2026-05-28 22:01:58,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f4"
              },
              {
                "name": "ValueName",
                "value": "CounterBlock"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{3def464b-f31b-4117-8fb7-bb829a0e1a15}\\{2617bf8d-bedc-4231-b92b-1dd2d34ee225}\\CounterBlock"
              }
            ],
            "repeated": 0,
            "id": 11818
          },
          {
            "timestamp": "2026-05-28 22:01:58,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f4"
              },
              {
                "name": "ValueName",
                "value": "CounterBlock"
              },
              {
                "name": "Type",
                "value": "3",
                "pretty_value": "REG_BINARY"
              },
              {
                "name": "Information",
                "value": "\\x01\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00d\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x9f\\x03\\x00\\x00\\xa1\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00d\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xab\\x03\\x00\\x00\\xad\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x00\\x04A\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00d\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xaf\\x03\\x00\\x00\\xb1\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00d\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb3\\x03\\x00\\x00\\xb5\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x00\\x05\\x00\\x00\\x00\\x00\\x04A\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00d\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb7\\x03\\x00\\x00\\xb9\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x00\\x06\\x00\\x00\\x00\\x01\\x04\\x03@\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00d\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x00\\x07\\x00\\x00\\x00\\x00\\x04\\xc2 
\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00d\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xbb\\x03\\x00\\x00\\xbd\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x06\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x00\n\\x00\\x00\\x00\\x00\\x05\\x03@\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00d\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x00\\x0b\\x00\\x00\\x00\\x00\\x05G \\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00d\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xbf\\x03\\x00\\x00\\xc1\\x03\\x00\\x00\\x00\\x00\\x00\\x00\n\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x00\\x0c\\x00\\x00\\x00\\x00\\x05G "
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{3def464b-f31b-4117-8fb7-bb829a0e1a15}\\{2617bf8d-bedc-4231-b92b-1dd2d34ee225}\\CounterBlock"
              }
            ],
            "repeated": 0,
            "id": 11819
          },
          {
            "timestamp": "2026-05-28 22:01:58,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f4"
              },
              {
                "name": "ValueName",
                "value": "CounterCount"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "13"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{3def464b-f31b-4117-8fb7-bb829a0e1a15}\\{2617bf8d-bedc-4231-b92b-1dd2d34ee225}\\CounterCount"
              }
            ],
            "repeated": 0,
            "id": 11820
          },
          {
            "timestamp": "2026-05-28 22:01:58,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000008f4"
              }
            ],
            "repeated": 0,
            "id": 11821
          },
          {
            "timestamp": "2026-05-28 22:01:58,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtEnumerateKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f0"
              },
              {
                "name": "Index",
                "value": "1"
              }
            ],
            "repeated": 0,
            "id": 11822
          },
          {
            "timestamp": "2026-05-28 22:01:58,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0002001f",
                "pretty_value": "KEY_READ|KEY_WRITE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000008f0"
              },
              {
                "name": "ObjectAttributesName",
                "value": "{4ad2297e-ee20-42b4-9cb7-13f6f1598dbd}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{3def464b-f31b-4117-8fb7-bb829a0e1a15}\\{4ad2297e-ee20-42b4-9cb7-13f6f1598dbd}"
              }
            ],
            "repeated": 0,
            "id": 11823
          },
          {
            "timestamp": "2026-05-28 22:01:58,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f4"
              },
              {
                "name": "ValueName",
                "value": "InstanceType"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "2"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{3def464b-f31b-4117-8fb7-bb829a0e1a15}\\{4ad2297e-ee20-42b4-9cb7-13f6f1598dbd}\\InstanceType"
              }
            ],
            "repeated": 0,
            "id": 11824
          },
          {
            "timestamp": "2026-05-28 22:01:58,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f4"
              },
              {
                "name": "ValueName",
                "value": "NameResource"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "301"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{3def464b-f31b-4117-8fb7-bb829a0e1a15}\\{4ad2297e-ee20-42b4-9cb7-13f6f1598dbd}\\NameResource"
              }
            ],
            "repeated": 0,
            "id": 11825
          },
          {
            "timestamp": "2026-05-28 22:01:58,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f4"
              },
              {
                "name": "ValueName",
                "value": "ExplainResource"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "303"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{3def464b-f31b-4117-8fb7-bb829a0e1a15}\\{4ad2297e-ee20-42b4-9cb7-13f6f1598dbd}\\ExplainResource"
              }
            ],
            "repeated": 0,
            "id": 11826
          },
          {
            "timestamp": "2026-05-28 22:01:58,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f4"
              },
              {
                "name": "ValueName",
                "value": "First Counter"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "2992"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{3def464b-f31b-4117-8fb7-bb829a0e1a15}\\{4ad2297e-ee20-42b4-9cb7-13f6f1598dbd}\\First Counter"
              }
            ],
            "repeated": 0,
            "id": 11827
          },
          {
            "timestamp": "2026-05-28 22:01:58,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f4"
              },
              {
                "name": "ValueName",
                "value": "Last Counter"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "3012"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{3def464b-f31b-4117-8fb7-bb829a0e1a15}\\{4ad2297e-ee20-42b4-9cb7-13f6f1598dbd}\\Last Counter"
              }
            ],
            "repeated": 0,
            "id": 11828
          },
          {
            "timestamp": "2026-05-28 22:01:58,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f4"
              },
              {
                "name": "ValueName",
                "value": "NeutralName"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{3def464b-f31b-4117-8fb7-bb829a0e1a15}\\{4ad2297e-ee20-42b4-9cb7-13f6f1598dbd}\\NeutralName"
              }
            ],
            "repeated": 0,
            "id": 11829
          },
          {
            "timestamp": "2026-05-28 22:01:58,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f4"
              },
              {
                "name": "ValueName",
                "value": "NeutralName"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "Information",
                "value": "RDMA Activity"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{3def464b-f31b-4117-8fb7-bb829a0e1a15}\\{4ad2297e-ee20-42b4-9cb7-13f6f1598dbd}\\NeutralName"
              }
            ],
            "repeated": 0,
            "id": 11830
          },
          {
            "timestamp": "2026-05-28 22:01:58,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f4"
              },
              {
                "name": "ValueName",
                "value": "CounterBlock"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{3def464b-f31b-4117-8fb7-bb829a0e1a15}\\{4ad2297e-ee20-42b4-9cb7-13f6f1598dbd}\\CounterBlock"
              }
            ],
            "repeated": 0,
            "id": 11831
          },
          {
            "timestamp": "2026-05-28 22:01:58,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f4"
              },
              {
                "name": "ValueName",
                "value": "CounterBlock"
              },
              {
                "name": "Type",
                "value": "3",
                "pretty_value": "REG_BINARY"
              },
              {
                "name": "Information",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00d\\x00\\x00\\x00\\x00\\x00\\x00\\x001\\x01\\x00\\x003\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00d\\x00\\x00\\x00\\x00\\x00\\x00\\x005\\x01\\x00\\x007\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00d\\x00\\x00\\x00\\x00\\x00\\x00\\x009\\x01\\x00\\x00;\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00d\\x00\\x00\\x00\\x00\\x00\\x00\\x00=\\x01\\x00\\x00?\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00d\\x00\\x00\\x00\\x00\\x00\\x00\\x00A\\x01\\x00\\x00C\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x00\\x19\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00d\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x95\\x01\\x00\\x00\\x97\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x00\\x1a\\x00\\x00\\x00\\x00\\x05A\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00d\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x99\\x01\\x00\\x00\\x9b\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x00\\x1b\\x00\\x00\\x00\\x00\\x05A\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00d\\x00\\x0
0\\x00\\x00\\x00\\x00\\x00\\x9d\\x01\\x00\\x00\\x9f\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x00\\x1c\\x00\\x00\\x00\\x00\\x05A\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00d\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xa1\\x01\\x00\\x00\\xa3\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x00\\x1d\\x00\\x00\\x00\\x00\\x05A\\x10"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{3def464b-f31b-4117-8fb7-bb829a0e1a15}\\{4ad2297e-ee20-42b4-9cb7-13f6f1598dbd}\\CounterBlock"
              }
            ],
            "repeated": 0,
            "id": 11832
          },
          {
            "timestamp": "2026-05-28 22:01:58,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f4"
              },
              {
                "name": "ValueName",
                "value": "CounterCount"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "10"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{3def464b-f31b-4117-8fb7-bb829a0e1a15}\\{4ad2297e-ee20-42b4-9cb7-13f6f1598dbd}\\CounterCount"
              }
            ],
            "repeated": 0,
            "id": 11833
          },
          {
            "timestamp": "2026-05-28 22:01:58,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000008f4"
              }
            ],
            "repeated": 0,
            "id": 11834
          },
          {
            "timestamp": "2026-05-28 22:01:58,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtEnumerateKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f0"
              },
              {
                "name": "Index",
                "value": "2"
              }
            ],
            "repeated": 0,
            "id": 11835
          },
          {
            "timestamp": "2026-05-28 22:01:58,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0002001f",
                "pretty_value": "KEY_READ|KEY_WRITE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000008f0"
              },
              {
                "name": "ObjectAttributesName",
                "value": "{59ceb84f-55ff-48c0-80cc-df0068501814}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{3def464b-f31b-4117-8fb7-bb829a0e1a15}\\{59ceb84f-55ff-48c0-80cc-df0068501814}"
              }
            ],
            "repeated": 0,
            "id": 11836
          },
          {
            "timestamp": "2026-05-28 22:01:58,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f4"
              },
              {
                "name": "ValueName",
                "value": "InstanceType"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "2"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{3def464b-f31b-4117-8fb7-bb829a0e1a15}\\{59ceb84f-55ff-48c0-80cc-df0068501814}\\InstanceType"
              }
            ],
            "repeated": 0,
            "id": 11837
          },
          {
            "timestamp": "2026-05-28 22:01:58,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f4"
              },
              {
                "name": "ValueName",
                "value": "NameResource"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "841"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{3def464b-f31b-4117-8fb7-bb829a0e1a15}\\{59ceb84f-55ff-48c0-80cc-df0068501814}\\NameResource"
              }
            ],
            "repeated": 0,
            "id": 11838
          },
          {
            "timestamp": "2026-05-28 22:01:58,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f4"
              },
              {
                "name": "ValueName",
                "value": "ExplainResource"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "843"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{3def464b-f31b-4117-8fb7-bb829a0e1a15}\\{59ceb84f-55ff-48c0-80cc-df0068501814}\\ExplainResource"
              }
            ],
            "repeated": 0,
            "id": 11839
          },
          {
            "timestamp": "2026-05-28 22:01:58,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f4"
              },
              {
                "name": "ValueName",
                "value": "First Counter"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "3036"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{3def464b-f31b-4117-8fb7-bb829a0e1a15}\\{59ceb84f-55ff-48c0-80cc-df0068501814}\\First Counter"
              }
            ],
            "repeated": 0,
            "id": 11840
          },
          {
            "timestamp": "2026-05-28 22:01:58,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f4"
              },
              {
                "name": "ValueName",
                "value": "Last Counter"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "3048"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{3def464b-f31b-4117-8fb7-bb829a0e1a15}\\{59ceb84f-55ff-48c0-80cc-df0068501814}\\Last Counter"
              }
            ],
            "repeated": 0,
            "id": 11841
          },
          {
            "timestamp": "2026-05-28 22:01:58,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f4"
              },
              {
                "name": "ValueName",
                "value": "NeutralName"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{3def464b-f31b-4117-8fb7-bb829a0e1a15}\\{59ceb84f-55ff-48c0-80cc-df0068501814}\\NeutralName"
              }
            ],
            "repeated": 0,
            "id": 11842
          },
          {
            "timestamp": "2026-05-28 22:01:58,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f4"
              },
              {
                "name": "ValueName",
                "value": "NeutralName"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "Information",
                "value": "PacketDirect Receive Counters"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{3def464b-f31b-4117-8fb7-bb829a0e1a15}\\{59ceb84f-55ff-48c0-80cc-df0068501814}\\NeutralName"
              }
            ],
            "repeated": 0,
            "id": 11843
          },
          {
            "timestamp": "2026-05-28 22:01:58,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f4"
              },
              {
                "name": "ValueName",
                "value": "CounterBlock"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{3def464b-f31b-4117-8fb7-bb829a0e1a15}\\{59ceb84f-55ff-48c0-80cc-df0068501814}\\CounterBlock"
              }
            ],
            "repeated": 0,
            "id": 11844
          },
          {
            "timestamp": "2026-05-28 22:01:58,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f4"
              },
              {
                "name": "ValueName",
                "value": "CounterBlock"
              },
              {
                "name": "Type",
                "value": "3",
                "pretty_value": "REG_BINARY"
              },
              {
                "name": "Information",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00d\\x00\\x00\\x00\\x00\\x00\\x00\\x00M\\x03\\x00\\x00O\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x05A\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00d\\x00\\x00\\x00\\x00\\x00\\x00\\x00Q\\x03\\x00\\x00S\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00d\\x00\\x00\\x00\\x00\\x00\\x00\\x00U\\x03\\x00\\x00W\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x00\\x05A\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00d\\x00\\x00\\x00\\x00\\x00\\x00\\x00Y\\x03\\x00\\x00[\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00d\\x00\\x00\\x00\\x00\\x00\\x00\\x00]\\x03\\x00\\x00_\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x00\\x05\\x00\\x00\\x00\\x00\\x05A\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00d\\x00\\x00\\x00\\x00\\x00\\x00\\x00a\\x03\\x00\\x00c\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x00"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{3def464b-f31b-4117-8fb7-bb829a0e1a15}\\{59ceb84f-55ff-48c0-80cc-df0068501814}\\CounterBlock"
              }
            ],
            "repeated": 0,
            "id": 11845
          },
          {
            "timestamp": "2026-05-28 22:01:58,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f4"
              },
              {
                "name": "ValueName",
                "value": "CounterCount"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "6"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{3def464b-f31b-4117-8fb7-bb829a0e1a15}\\{59ceb84f-55ff-48c0-80cc-df0068501814}\\CounterCount"
              }
            ],
            "repeated": 0,
            "id": 11846
          },
          {
            "timestamp": "2026-05-28 22:01:58,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000008f4"
              }
            ],
            "repeated": 0,
            "id": 11847
          },
          {
            "timestamp": "2026-05-28 22:01:58,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtEnumerateKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f0"
              },
              {
                "name": "Index",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 11848
          },
          {
            "timestamp": "2026-05-28 22:01:58,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0002001f",
                "pretty_value": "KEY_READ|KEY_WRITE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000008f0"
              },
              {
                "name": "ObjectAttributesName",
                "value": "{882d9f58-d338-4a83-bc3d-23f5b0a98fa9}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{3def464b-f31b-4117-8fb7-bb829a0e1a15}\\{882d9f58-d338-4a83-bc3d-23f5b0a98fa9}"
              }
            ],
            "repeated": 0,
            "id": 11849
          },
          {
            "timestamp": "2026-05-28 22:01:58,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f4"
              },
              {
                "name": "ValueName",
                "value": "InstanceType"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "2"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{3def464b-f31b-4117-8fb7-bb829a0e1a15}\\{882d9f58-d338-4a83-bc3d-23f5b0a98fa9}\\InstanceType"
              }
            ],
            "repeated": 0,
            "id": 11850
          },
          {
            "timestamp": "2026-05-28 22:01:58,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f4"
              },
              {
                "name": "ValueName",
                "value": "NameResource"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "981"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{3def464b-f31b-4117-8fb7-bb829a0e1a15}\\{882d9f58-d338-4a83-bc3d-23f5b0a98fa9}\\NameResource"
              }
            ],
            "repeated": 0,
            "id": 11851
          },
          {
            "timestamp": "2026-05-28 22:01:58,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f4"
              },
              {
                "name": "ValueName",
                "value": "ExplainResource"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "983"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{3def464b-f31b-4117-8fb7-bb829a0e1a15}\\{882d9f58-d338-4a83-bc3d-23f5b0a98fa9}\\ExplainResource"
              }
            ],
            "repeated": 0,
            "id": 11852
          },
          {
            "timestamp": "2026-05-28 22:01:58,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f4"
              },
              {
                "name": "ValueName",
                "value": "First Counter"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "3088"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{3def464b-f31b-4117-8fb7-bb829a0e1a15}\\{882d9f58-d338-4a83-bc3d-23f5b0a98fa9}\\First Counter"
              }
            ],
            "repeated": 0,
            "id": 11853
          },
          {
            "timestamp": "2026-05-28 22:01:58,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f4"
              },
              {
                "name": "ValueName",
                "value": "Last Counter"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "3092"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{3def464b-f31b-4117-8fb7-bb829a0e1a15}\\{882d9f58-d338-4a83-bc3d-23f5b0a98fa9}\\Last Counter"
              }
            ],
            "repeated": 0,
            "id": 11854
          },
          {
            "timestamp": "2026-05-28 22:01:58,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f4"
              },
              {
                "name": "ValueName",
                "value": "NeutralName"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{3def464b-f31b-4117-8fb7-bb829a0e1a15}\\{882d9f58-d338-4a83-bc3d-23f5b0a98fa9}\\NeutralName"
              }
            ],
            "repeated": 0,
            "id": 11855
          },
          {
            "timestamp": "2026-05-28 22:01:58,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f4"
              },
              {
                "name": "ValueName",
                "value": "NeutralName"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "Information",
                "value": "PacketDirect Queue Depth"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{3def464b-f31b-4117-8fb7-bb829a0e1a15}\\{882d9f58-d338-4a83-bc3d-23f5b0a98fa9}\\NeutralName"
              }
            ],
            "repeated": 0,
            "id": 11856
          },
          {
            "timestamp": "2026-05-28 22:01:58,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f4"
              },
              {
                "name": "ValueName",
                "value": "CounterBlock"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{3def464b-f31b-4117-8fb7-bb829a0e1a15}\\{882d9f58-d338-4a83-bc3d-23f5b0a98fa9}\\CounterBlock"
              }
            ],
            "repeated": 0,
            "id": 11857
          },
          {
            "timestamp": "2026-05-28 22:01:58,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f4"
              },
              {
                "name": "ValueName",
                "value": "CounterBlock"
              },
              {
                "name": "Type",
                "value": "3",
                "pretty_value": "REG_BINARY"
              },
              {
                "name": "Information",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00d\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xd9\\x03\\x00\\x00\\xdb\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00d\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xdd\\x03\\x00\\x00\\xdf\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x00"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{3def464b-f31b-4117-8fb7-bb829a0e1a15}\\{882d9f58-d338-4a83-bc3d-23f5b0a98fa9}\\CounterBlock"
              }
            ],
            "repeated": 0,
            "id": 11858
          },
          {
            "timestamp": "2026-05-28 22:01:58,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f4"
              },
              {
                "name": "ValueName",
                "value": "CounterCount"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "2"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{3def464b-f31b-4117-8fb7-bb829a0e1a15}\\{882d9f58-d338-4a83-bc3d-23f5b0a98fa9}\\CounterCount"
              }
            ],
            "repeated": 0,
            "id": 11859
          },
          {
            "timestamp": "2026-05-28 22:01:58,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000008f4"
              }
            ],
            "repeated": 0,
            "id": 11860
          },
          {
            "timestamp": "2026-05-28 22:01:58,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtEnumerateKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f0"
              },
              {
                "name": "Index",
                "value": "4"
              }
            ],
            "repeated": 0,
            "id": 11861
          },
          {
            "timestamp": "2026-05-28 22:01:58,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0002001f",
                "pretty_value": "KEY_READ|KEY_WRITE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000008f0"
              },
              {
                "name": "ObjectAttributesName",
                "value": "{987a3601-c362-48e4-a856-e28f070efb07}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{3def464b-f31b-4117-8fb7-bb829a0e1a15}\\{987a3601-c362-48e4-a856-e28f070efb07}"
              }
            ],
            "repeated": 0,
            "id": 11862
          },
          {
            "timestamp": "2026-05-28 22:01:58,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f4"
              },
              {
                "name": "ValueName",
                "value": "InstanceType"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "2"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{3def464b-f31b-4117-8fb7-bb829a0e1a15}\\{987a3601-c362-48e4-a856-e28f070efb07}\\InstanceType"
              }
            ],
            "repeated": 0,
            "id": 11863
          },
          {
            "timestamp": "2026-05-28 22:01:58,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f4"
              },
              {
                "name": "ValueName",
                "value": "NameResource"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "77"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{3def464b-f31b-4117-8fb7-bb829a0e1a15}\\{987a3601-c362-48e4-a856-e28f070efb07}\\NameResource"
              }
            ],
            "repeated": 0,
            "id": 11864
          },
          {
            "timestamp": "2026-05-28 22:01:58,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f4"
              },
              {
                "name": "ValueName",
                "value": "ExplainResource"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "79"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{3def464b-f31b-4117-8fb7-bb829a0e1a15}\\{987a3601-c362-48e4-a856-e28f070efb07}\\ExplainResource"
              }
            ],
            "repeated": 0,
            "id": 11865
          },
          {
            "timestamp": "2026-05-28 22:01:58,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f4"
              },
              {
                "name": "ValueName",
                "value": "First Counter"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "2964"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{3def464b-f31b-4117-8fb7-bb829a0e1a15}\\{987a3601-c362-48e4-a856-e28f070efb07}\\First Counter"
              }
            ],
            "repeated": 0,
            "id": 11866
          },
          {
            "timestamp": "2026-05-28 22:01:58,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f4"
              },
              {
                "name": "ValueName",
                "value": "Last Counter"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "2990"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{3def464b-f31b-4117-8fb7-bb829a0e1a15}\\{987a3601-c362-48e4-a856-e28f070efb07}\\Last Counter"
              }
            ],
            "repeated": 0,
            "id": 11867
          },
          {
            "timestamp": "2026-05-28 22:01:58,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f4"
              },
              {
                "name": "ValueName",
                "value": "NeutralName"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{3def464b-f31b-4117-8fb7-bb829a0e1a15}\\{987a3601-c362-48e4-a856-e28f070efb07}\\NeutralName"
              }
            ],
            "repeated": 0,
            "id": 11868
          },
          {
            "timestamp": "2026-05-28 22:01:58,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f4"
              },
              {
                "name": "ValueName",
                "value": "NeutralName"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "Information",
                "value": "Per Processor Network Activity Cycles"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{3def464b-f31b-4117-8fb7-bb829a0e1a15}\\{987a3601-c362-48e4-a856-e28f070efb07}\\NeutralName"
              }
            ],
            "repeated": 0,
            "id": 11869
          },
          {
            "timestamp": "2026-05-28 22:01:58,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f4"
              },
              {
                "name": "ValueName",
                "value": "CounterBlock"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{3def464b-f31b-4117-8fb7-bb829a0e1a15}\\{987a3601-c362-48e4-a856-e28f070efb07}\\CounterBlock"
              }
            ],
            "repeated": 0,
            "id": 11870
          },
          {
            "timestamp": "2026-05-28 22:01:58,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f4"
              },
              {
                "name": "ValueName",
                "value": "CounterBlock"
              },
              {
                "name": "Type",
                "value": "3",
                "pretty_value": "REG_BINARY"
              },
              {
                "name": "Information",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x05A\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xc8\\x00\\x00\\x00\\x00\\x00\\x00\\x00Q\\x00\\x00\\x00S\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x05A\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xc8\\x00\\x00\\x00\\x00\\x00\\x00\\x00U\\x00\\x00\\x00W\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x05A\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xc8\\x00\\x00\\x00\\x00\\x00\\x00\\x00Y\\x00\\x00\\x00[\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x00\\x05A\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xc8\\x00\\x00\\x00\\x00\\x00\\x00\\x00]\\x00\\x00\\x00_\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x05A\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xc8\\x00\\x00\\x00\\x00\\x00\\x00\\x00a\\x00\\x00\\x00c\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x00\\x05\\x00\\x00\\x00\\x00\\x05A\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xc8\\x00\\x00\\x00\\x00\\x00\\x00\\x00e\\x00\\x00\\x00g\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x00\\x06\\x00\\x00\\x00\\x00\\x05A\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xc8\\x00\\x00\\x00\\x00\\x00\\x00\\x00i\\x00\\x00\\x00k\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x00\\x07\\x00\\x00\\x00\\x00\\x05A\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xc8\\x00\\x00\\x00\\
x00\\x00\\x00\\x00m\\x00\\x00\\x00o\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x05A\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xc8\\x00\\x00\\x00\\x00\\x00\\x00\\x00q\\x00\\x00\\x00s\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x00\n\\x00\\x00\\x00\\x00\\x05A\\x10"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{3def464b-f31b-4117-8fb7-bb829a0e1a15}\\{987a3601-c362-48e4-a856-e28f070efb07}\\CounterBlock"
              }
            ],
            "repeated": 0,
            "id": 11871
          },
          {
            "timestamp": "2026-05-28 22:01:58,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f4"
              },
              {
                "name": "ValueName",
                "value": "CounterCount"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "13"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{3def464b-f31b-4117-8fb7-bb829a0e1a15}\\{987a3601-c362-48e4-a856-e28f070efb07}\\CounterCount"
              }
            ],
            "repeated": 0,
            "id": 11872
          },
          {
            "timestamp": "2026-05-28 22:01:58,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000008f4"
              }
            ],
            "repeated": 0,
            "id": 11873
          },
          {
            "timestamp": "2026-05-28 22:01:58,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtEnumerateKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f0"
              },
              {
                "name": "Index",
                "value": "5"
              }
            ],
            "repeated": 0,
            "id": 11874
          },
          {
            "timestamp": "2026-05-28 22:01:58,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0002001f",
                "pretty_value": "KEY_READ|KEY_WRITE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000008f0"
              },
              {
                "name": "ObjectAttributesName",
                "value": "{9acaa205-c3ed-4acd-a911-6554d156b095}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{3def464b-f31b-4117-8fb7-bb829a0e1a15}\\{9acaa205-c3ed-4acd-a911-6554d156b095}"
              }
            ],
            "repeated": 0,
            "id": 11875
          },
          {
            "timestamp": "2026-05-28 22:01:58,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f4"
              },
              {
                "name": "ValueName",
                "value": "InstanceType"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "2"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{3def464b-f31b-4117-8fb7-bb829a0e1a15}\\{9acaa205-c3ed-4acd-a911-6554d156b095}\\InstanceType"
              }
            ],
            "repeated": 0,
            "id": 11876
          },
          {
            "timestamp": "2026-05-28 22:01:58,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f4"
              },
              {
                "name": "ValueName",
                "value": "NameResource"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "1"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{3def464b-f31b-4117-8fb7-bb829a0e1a15}\\{9acaa205-c3ed-4acd-a911-6554d156b095}\\NameResource"
              }
            ],
            "repeated": 0,
            "id": 11877
          },
          {
            "timestamp": "2026-05-28 22:01:58,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f4"
              },
              {
                "name": "ValueName",
                "value": "ExplainResource"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "3"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{3def464b-f31b-4117-8fb7-bb829a0e1a15}\\{9acaa205-c3ed-4acd-a911-6554d156b095}\\ExplainResource"
              }
            ],
            "repeated": 0,
            "id": 11878
          },
          {
            "timestamp": "2026-05-28 22:01:58,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f4"
              },
              {
                "name": "ValueName",
                "value": "First Counter"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "2912"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{3def464b-f31b-4117-8fb7-bb829a0e1a15}\\{9acaa205-c3ed-4acd-a911-6554d156b095}\\First Counter"
              }
            ],
            "repeated": 0,
            "id": 11879
          },
          {
            "timestamp": "2026-05-28 22:01:58,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f4"
              },
              {
                "name": "ValueName",
                "value": "Last Counter"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "2962"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{3def464b-f31b-4117-8fb7-bb829a0e1a15}\\{9acaa205-c3ed-4acd-a911-6554d156b095}\\Last Counter"
              }
            ],
            "repeated": 0,
            "id": 11880
          },
          {
            "timestamp": "2026-05-28 22:01:58,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f4"
              },
              {
                "name": "ValueName",
                "value": "NeutralName"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{3def464b-f31b-4117-8fb7-bb829a0e1a15}\\{9acaa205-c3ed-4acd-a911-6554d156b095}\\NeutralName"
              }
            ],
            "repeated": 0,
            "id": 11881
          },
          {
            "timestamp": "2026-05-28 22:01:58,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f4"
              },
              {
                "name": "ValueName",
                "value": "NeutralName"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "Information",
                "value": "Per Processor Network Interface Card Activity"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{3def464b-f31b-4117-8fb7-bb829a0e1a15}\\{9acaa205-c3ed-4acd-a911-6554d156b095}\\NeutralName"
              }
            ],
            "repeated": 0,
            "id": 11882
          },
          {
            "timestamp": "2026-05-28 22:01:58,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f4"
              },
              {
                "name": "ValueName",
                "value": "CounterBlock"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{3def464b-f31b-4117-8fb7-bb829a0e1a15}\\{9acaa205-c3ed-4acd-a911-6554d156b095}\\CounterBlock"
              }
            ],
            "repeated": 0,
            "id": 11883
          },
          {
            "timestamp": "2026-05-28 22:01:58,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f4"
              },
              {
                "name": "ValueName",
                "value": "CounterBlock"
              },
              {
                "name": "Type",
                "value": "3",
                "pretty_value": "REG_BINARY"
              },
              {
                "name": "Information",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x05A\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00d\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x05\\x00\\x00\\x00\\x07\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x05A\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00d\\x00\\x00\\x00\\x00\\x00\\x00\\x00\t\\x00\\x00\\x00\\x0b\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x05A\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xc8\\x00\\x00\\x00\\x00\\x00\\x00\\x00\r\\x00\\x00\\x00\\x0f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x00\\x05A\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xc8\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x11\\x00\\x00\\x00\\x13\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x00\\x13\\x00\\x00\\x00\\x00\\x05A\\x10\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xc8\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x83\\x00\\x00\\x00\\x81\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x05A\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00d\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x15\\x00\\x00\\x00\\x17\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x00\\x05\\x00\\x00\\x00\\x00\\x05A\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xc8\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x19\\x00\\x00\\x00\\x1b\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x00\\x14\\x00\\x00\\x00\\x00\\x05A\\x10\\x02\\x00\\x00\\x00\\x0
0\\x00\\x00\\x00\\xc8\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x85\\x00\\x00\\x00\\x87\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x00\\x18\\x00\\x00\\x00\\x00\\x05A\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xc8\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x93\\x00\\x00\\x00\\x91\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x00\\x06\\x00\\x00\\x00\\x00\\x05A\\x10"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{3def464b-f31b-4117-8fb7-bb829a0e1a15}\\{9acaa205-c3ed-4acd-a911-6554d156b095}\\CounterBlock"
              }
            ],
            "repeated": 0,
            "id": 11884
          },
          {
            "timestamp": "2026-05-28 22:01:58,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f4"
              },
              {
                "name": "ValueName",
                "value": "CounterCount"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "25"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{3def464b-f31b-4117-8fb7-bb829a0e1a15}\\{9acaa205-c3ed-4acd-a911-6554d156b095}\\CounterCount"
              }
            ],
            "repeated": 0,
            "id": 11885
          },
          {
            "timestamp": "2026-05-28 22:01:58,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000008f4"
              }
            ],
            "repeated": 0,
            "id": 11886
          },
          {
            "timestamp": "2026-05-28 22:01:58,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtEnumerateKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f0"
              },
              {
                "name": "Index",
                "value": "6"
              }
            ],
            "repeated": 0,
            "id": 11887
          },
          {
            "timestamp": "2026-05-28 22:01:58,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0002001f",
                "pretty_value": "KEY_READ|KEY_WRITE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000008f0"
              },
              {
                "name": "ObjectAttributesName",
                "value": "{9acaa206-c3ed-4acd-a911-6554d156b095}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{3def464b-f31b-4117-8fb7-bb829a0e1a15}\\{9acaa206-c3ed-4acd-a911-6554d156b095}"
              }
            ],
            "repeated": 0,
            "id": 11888
          },
          {
            "timestamp": "2026-05-28 22:01:58,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f4"
              },
              {
                "name": "ValueName",
                "value": "InstanceType"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "2"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{3def464b-f31b-4117-8fb7-bb829a0e1a15}\\{9acaa206-c3ed-4acd-a911-6554d156b095}\\InstanceType"
              }
            ],
            "repeated": 0,
            "id": 11889
          },
          {
            "timestamp": "2026-05-28 22:01:58,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f4"
              },
              {
                "name": "ValueName",
                "value": "NameResource"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "801"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{3def464b-f31b-4117-8fb7-bb829a0e1a15}\\{9acaa206-c3ed-4acd-a911-6554d156b095}\\NameResource"
              }
            ],
            "repeated": 0,
            "id": 11890
          },
          {
            "timestamp": "2026-05-28 22:01:58,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f4"
              },
              {
                "name": "ValueName",
                "value": "ExplainResource"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "803"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{3def464b-f31b-4117-8fb7-bb829a0e1a15}\\{9acaa206-c3ed-4acd-a911-6554d156b095}\\ExplainResource"
              }
            ],
            "repeated": 0,
            "id": 11891
          },
          {
            "timestamp": "2026-05-28 22:01:58,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f4"
              },
              {
                "name": "ValueName",
                "value": "First Counter"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "3014"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{3def464b-f31b-4117-8fb7-bb829a0e1a15}\\{9acaa206-c3ed-4acd-a911-6554d156b095}\\First Counter"
              }
            ],
            "repeated": 0,
            "id": 11892
          },
          {
            "timestamp": "2026-05-28 22:01:58,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f4"
              },
              {
                "name": "ValueName",
                "value": "Last Counter"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "3024"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{3def464b-f31b-4117-8fb7-bb829a0e1a15}\\{9acaa206-c3ed-4acd-a911-6554d156b095}\\Last Counter"
              }
            ],
            "repeated": 0,
            "id": 11893
          },
          {
            "timestamp": "2026-05-28 22:01:58,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f4"
              },
              {
                "name": "ValueName",
                "value": "NeutralName"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{3def464b-f31b-4117-8fb7-bb829a0e1a15}\\{9acaa206-c3ed-4acd-a911-6554d156b095}\\NeutralName"
              }
            ],
            "repeated": 0,
            "id": 11894
          },
          {
            "timestamp": "2026-05-28 22:01:58,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f4"
              },
              {
                "name": "ValueName",
                "value": "NeutralName"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "Information",
                "value": "Physical Network Interface Card Activity"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{3def464b-f31b-4117-8fb7-bb829a0e1a15}\\{9acaa206-c3ed-4acd-a911-6554d156b095}\\NeutralName"
              }
            ],
            "repeated": 0,
            "id": 11895
          },
          {
            "timestamp": "2026-05-28 22:01:58,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f4"
              },
              {
                "name": "ValueName",
                "value": "CounterBlock"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{3def464b-f31b-4117-8fb7-bb829a0e1a15}\\{9acaa206-c3ed-4acd-a911-6554d156b095}\\CounterBlock"
              }
            ],
            "repeated": 0,
            "id": 11896
          },
          {
            "timestamp": "2026-05-28 22:01:58,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f4"
              },
              {
                "name": "ValueName",
                "value": "CounterBlock"
              },
              {
                "name": "Type",
                "value": "3",
                "pretty_value": "REG_BINARY"
              },
              {
                "name": "Information",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00d\\x00\\x00\\x00\\x00\\x00\\x00\\x00%\\x03\\x00\\x00'\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x05Q \\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00d\\x00\\x00\\x00\\x00\\x00\\x00\\x00)\\x03\\x00\\x00+\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x05\\x02 \\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00d\\x00\\x00\\x00\\x00\\x00\\x00\\x00-\\x03\\x00\\x00/\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00d\\x00\\x00\\x00\\x00\\x00\\x00\\x001\\x03\\x00\\x003\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x05\\x03@\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00d\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x00"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{3def464b-f31b-4117-8fb7-bb829a0e1a15}\\{9acaa206-c3ed-4acd-a911-6554d156b095}\\CounterBlock"
              }
            ],
            "repeated": 0,
            "id": 11897
          },
          {
            "timestamp": "2026-05-28 22:01:58,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f4"
              },
              {
                "name": "ValueName",
                "value": "CounterCount"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "5"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{3def464b-f31b-4117-8fb7-bb829a0e1a15}\\{9acaa206-c3ed-4acd-a911-6554d156b095}\\CounterCount"
              }
            ],
            "repeated": 0,
            "id": 11898
          },
          {
            "timestamp": "2026-05-28 22:01:58,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000008f4"
              }
            ],
            "repeated": 0,
            "id": 11899
          },
          {
            "timestamp": "2026-05-28 22:01:58,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtEnumerateKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f0"
              },
              {
                "name": "Index",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 11900
          },
          {
            "timestamp": "2026-05-28 22:01:58,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0002001f",
                "pretty_value": "KEY_READ|KEY_WRITE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000008f0"
              },
              {
                "name": "ObjectAttributesName",
                "value": "{c0fe4189-5cfa-4659-9eba-10541cc395a0}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{3def464b-f31b-4117-8fb7-bb829a0e1a15}\\{c0fe4189-5cfa-4659-9eba-10541cc395a0}"
              }
            ],
            "repeated": 0,
            "id": 11901
          },
          {
            "timestamp": "2026-05-28 22:01:58,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f4"
              },
              {
                "name": "ValueName",
                "value": "InstanceType"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "2"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{3def464b-f31b-4117-8fb7-bb829a0e1a15}\\{c0fe4189-5cfa-4659-9eba-10541cc395a0}\\InstanceType"
              }
            ],
            "repeated": 0,
            "id": 11902
          },
          {
            "timestamp": "2026-05-28 22:01:58,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f4"
              },
              {
                "name": "ValueName",
                "value": "NameResource"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "821"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{3def464b-f31b-4117-8fb7-bb829a0e1a15}\\{c0fe4189-5cfa-4659-9eba-10541cc395a0}\\NameResource"
              }
            ],
            "repeated": 0,
            "id": 11903
          },
          {
            "timestamp": "2026-05-28 22:01:58,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f4"
              },
              {
                "name": "ValueName",
                "value": "ExplainResource"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "823"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{3def464b-f31b-4117-8fb7-bb829a0e1a15}\\{c0fe4189-5cfa-4659-9eba-10541cc395a0}\\ExplainResource"
              }
            ],
            "repeated": 0,
            "id": 11904
          },
          {
            "timestamp": "2026-05-28 22:01:58,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f4"
              },
              {
                "name": "ValueName",
                "value": "First Counter"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "3026"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{3def464b-f31b-4117-8fb7-bb829a0e1a15}\\{c0fe4189-5cfa-4659-9eba-10541cc395a0}\\First Counter"
              }
            ],
            "repeated": 0,
            "id": 11905
          },
          {
            "timestamp": "2026-05-28 22:01:58,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f4"
              },
              {
                "name": "ValueName",
                "value": "Last Counter"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "3034"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{3def464b-f31b-4117-8fb7-bb829a0e1a15}\\{c0fe4189-5cfa-4659-9eba-10541cc395a0}\\Last Counter"
              }
            ],
            "repeated": 0,
            "id": 11906
          },
          {
            "timestamp": "2026-05-28 22:01:58,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f4"
              },
              {
                "name": "ValueName",
                "value": "NeutralName"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{3def464b-f31b-4117-8fb7-bb829a0e1a15}\\{c0fe4189-5cfa-4659-9eba-10541cc395a0}\\NeutralName"
              }
            ],
            "repeated": 0,
            "id": 11907
          },
          {
            "timestamp": "2026-05-28 22:01:58,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f4"
              },
              {
                "name": "ValueName",
                "value": "NeutralName"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "Information",
                "value": "PacketDirect Transmit Counters"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{3def464b-f31b-4117-8fb7-bb829a0e1a15}\\{c0fe4189-5cfa-4659-9eba-10541cc395a0}\\NeutralName"
              }
            ],
            "repeated": 0,
            "id": 11908
          },
          {
            "timestamp": "2026-05-28 22:01:58,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f4"
              },
              {
                "name": "ValueName",
                "value": "CounterBlock"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{3def464b-f31b-4117-8fb7-bb829a0e1a15}\\{c0fe4189-5cfa-4659-9eba-10541cc395a0}\\CounterBlock"
              }
            ],
            "repeated": 0,
            "id": 11909
          },
          {
            "timestamp": "2026-05-28 22:01:58,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f4"
              },
              {
                "name": "ValueName",
                "value": "CounterBlock"
              },
              {
                "name": "Type",
                "value": "3",
                "pretty_value": "REG_BINARY"
              },
              {
                "name": "Information",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00d\\x00\\x00\\x00\\x00\\x00\\x00\\x009\\x03\\x00\\x00;\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x05A\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00d\\x00\\x00\\x00\\x00\\x00\\x00\\x00=\\x03\\x00\\x00?\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00d\\x00\\x00\\x00\\x00\\x00\\x00\\x00A\\x03\\x00\\x00C\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x00\\x05A\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00d\\x00\\x00\\x00\\x00\\x00\\x00\\x00E\\x03\\x00\\x00G\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x00"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{3def464b-f31b-4117-8fb7-bb829a0e1a15}\\{c0fe4189-5cfa-4659-9eba-10541cc395a0}\\CounterBlock"
              }
            ],
            "repeated": 0,
            "id": 11910
          },
          {
            "timestamp": "2026-05-28 22:01:58,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f4"
              },
              {
                "name": "ValueName",
                "value": "CounterCount"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "4"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{3def464b-f31b-4117-8fb7-bb829a0e1a15}\\{c0fe4189-5cfa-4659-9eba-10541cc395a0}\\CounterCount"
              }
            ],
            "repeated": 0,
            "id": 11911
          },
          {
            "timestamp": "2026-05-28 22:01:58,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000008f4"
              }
            ],
            "repeated": 0,
            "id": 11912
          },
          {
            "timestamp": "2026-05-28 22:01:58,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtEnumerateKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f0"
              },
              {
                "name": "Index",
                "value": "8"
              }
            ],
            "repeated": 0,
            "id": 11913
          },
          {
            "timestamp": "2026-05-28 22:01:58,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0002001f",
                "pretty_value": "KEY_READ|KEY_WRITE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000008f0"
              },
              {
                "name": "ObjectAttributesName",
                "value": "{c5a19aba-349b-49cc-94c8-f36404082727}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{3def464b-f31b-4117-8fb7-bb829a0e1a15}\\{c5a19aba-349b-49cc-94c8-f36404082727}"
              }
            ],
            "repeated": 0,
            "id": 11914
          },
          {
            "timestamp": "2026-05-28 22:01:58,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f4"
              },
              {
                "name": "ValueName",
                "value": "InstanceType"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "2"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{3def464b-f31b-4117-8fb7-bb829a0e1a15}\\{c5a19aba-349b-49cc-94c8-f36404082727}\\InstanceType"
              }
            ],
            "repeated": 0,
            "id": 11915
          },
          {
            "timestamp": "2026-05-28 22:01:58,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f4"
              },
              {
                "name": "ValueName",
                "value": "NameResource"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "869"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{3def464b-f31b-4117-8fb7-bb829a0e1a15}\\{c5a19aba-349b-49cc-94c8-f36404082727}\\NameResource"
              }
            ],
            "repeated": 0,
            "id": 11916
          },
          {
            "timestamp": "2026-05-28 22:01:58,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f4"
              },
              {
                "name": "ValueName",
                "value": "ExplainResource"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "871"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{3def464b-f31b-4117-8fb7-bb829a0e1a15}\\{c5a19aba-349b-49cc-94c8-f36404082727}\\ExplainResource"
              }
            ],
            "repeated": 0,
            "id": 11917
          },
          {
            "timestamp": "2026-05-28 22:01:58,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f4"
              },
              {
                "name": "ValueName",
                "value": "First Counter"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "3050"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{3def464b-f31b-4117-8fb7-bb829a0e1a15}\\{c5a19aba-349b-49cc-94c8-f36404082727}\\First Counter"
              }
            ],
            "repeated": 0,
            "id": 11918
          },
          {
            "timestamp": "2026-05-28 22:01:58,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f4"
              },
              {
                "name": "ValueName",
                "value": "Last Counter"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "3058"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{3def464b-f31b-4117-8fb7-bb829a0e1a15}\\{c5a19aba-349b-49cc-94c8-f36404082727}\\Last Counter"
              }
            ],
            "repeated": 0,
            "id": 11919
          },
          {
            "timestamp": "2026-05-28 22:01:58,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f4"
              },
              {
                "name": "ValueName",
                "value": "NeutralName"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{3def464b-f31b-4117-8fb7-bb829a0e1a15}\\{c5a19aba-349b-49cc-94c8-f36404082727}\\NeutralName"
              }
            ],
            "repeated": 0,
            "id": 11920
          },
          {
            "timestamp": "2026-05-28 22:01:58,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f4"
              },
              {
                "name": "ValueName",
                "value": "NeutralName"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "Information",
                "value": "PacketDirect Receive Filters"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{3def464b-f31b-4117-8fb7-bb829a0e1a15}\\{c5a19aba-349b-49cc-94c8-f36404082727}\\NeutralName"
              }
            ],
            "repeated": 0,
            "id": 11921
          },
          {
            "timestamp": "2026-05-28 22:01:58,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f4"
              },
              {
                "name": "ValueName",
                "value": "CounterBlock"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{3def464b-f31b-4117-8fb7-bb829a0e1a15}\\{c5a19aba-349b-49cc-94c8-f36404082727}\\CounterBlock"
              }
            ],
            "repeated": 0,
            "id": 11922
          },
          {
            "timestamp": "2026-05-28 22:01:58,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f4"
              },
              {
                "name": "ValueName",
                "value": "CounterBlock"
              },
              {
                "name": "Type",
                "value": "3",
                "pretty_value": "REG_BINARY"
              },
              {
                "name": "Information",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00d\\x00\\x00\\x00\\x00\\x00\\x00\\x00i\\x03\\x00\\x00k\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x05A\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00d\\x00\\x00\\x00\\x00\\x00\\x00\\x00o\\x03\\x00\\x00q\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00d\\x00\\x00\\x00\\x00\\x00\\x00\\x00s\\x03\\x00\\x00u\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x00\\x05A\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00d\\x00\\x00\\x00\\x00\\x00\\x00\\x00w\\x03\\x00\\x00y\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x00"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{3def464b-f31b-4117-8fb7-bb829a0e1a15}\\{c5a19aba-349b-49cc-94c8-f36404082727}\\CounterBlock"
              }
            ],
            "repeated": 0,
            "id": 11923
          },
          {
            "timestamp": "2026-05-28 22:01:58,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f4"
              },
              {
                "name": "ValueName",
                "value": "CounterCount"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "4"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{3def464b-f31b-4117-8fb7-bb829a0e1a15}\\{c5a19aba-349b-49cc-94c8-f36404082727}\\CounterCount"
              }
            ],
            "repeated": 0,
            "id": 11924
          },
          {
            "timestamp": "2026-05-28 22:01:58,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000008f4"
              }
            ],
            "repeated": 0,
            "id": 11925
          },
          {
            "timestamp": "2026-05-28 22:01:58,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtEnumerateKey",
            "status": false,
            "return": "0xffffffff8000001a",
            "pretty_return": "NO_MORE_ENTRIES",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f0"
              },
              {
                "name": "Index",
                "value": "9"
              }
            ],
            "repeated": 0,
            "id": 11926
          },
          {
            "timestamp": "2026-05-28 22:01:58,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000008f0"
              }
            ],
            "repeated": 0,
            "id": 11927
          },
          {
            "timestamp": "2026-05-28 22:01:58,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtEnumerateKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008ec"
              },
              {
                "name": "Index",
                "value": "11"
              }
            ],
            "repeated": 0,
            "id": 11928
          },
          {
            "timestamp": "2026-05-28 22:01:58,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0002001f",
                "pretty_value": "KEY_READ|KEY_WRITE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000008ec"
              },
              {
                "name": "ObjectAttributesName",
                "value": "{3e785595-30c2-437d-96ed-677d14724610}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{3e785595-30c2-437d-96ed-677d14724610}"
              }
            ],
            "repeated": 0,
            "id": 11929
          },
          {
            "timestamp": "2026-05-28 22:01:58,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f0"
              },
              {
                "name": "ValueName",
                "value": "ProviderType"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{3e785595-30c2-437d-96ed-677d14724610}\\ProviderType"
              }
            ],
            "repeated": 0,
            "id": 11930
          },
          {
            "timestamp": "2026-05-28 22:01:58,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f0"
              },
              {
                "name": "ValueName",
                "value": "ProviderName"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{3e785595-30c2-437d-96ed-677d14724610}\\ProviderName"
              }
            ],
            "repeated": 0,
            "id": 11931
          },
          {
            "timestamp": "2026-05-28 22:01:58,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f0"
              },
              {
                "name": "ValueName",
                "value": "ProviderName"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "Information",
                "value": "Distributed Routing Table Perf"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{3e785595-30c2-437d-96ed-677d14724610}\\ProviderName"
              }
            ],
            "repeated": 0,
            "id": 11932
          },
          {
            "timestamp": "2026-05-28 22:01:58,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f0"
              },
              {
                "name": "ValueName",
                "value": "ApplicationIdentity"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{3e785595-30c2-437d-96ed-677d14724610}\\ApplicationIdentity"
              }
            ],
            "repeated": 0,
            "id": 11933
          },
          {
            "timestamp": "2026-05-28 22:01:58,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f0"
              },
              {
                "name": "ValueName",
                "value": "ApplicationIdentity"
              },
              {
                "name": "Type",
                "value": "2",
                "pretty_value": "REG_EXPAND_SZ"
              },
              {
                "name": "Information",
                "value": "drt.dll"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{3e785595-30c2-437d-96ed-677d14724610}\\ApplicationIdentity"
              }
            ],
            "repeated": 0,
            "id": 11934
          },
          {
            "timestamp": "2026-05-28 22:01:58,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtEnumerateKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f0"
              },
              {
                "name": "Index",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 11935
          },
          {
            "timestamp": "2026-05-28 22:01:58,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0002001f",
                "pretty_value": "KEY_READ|KEY_WRITE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000008f0"
              },
              {
                "name": "ObjectAttributesName",
                "value": "{6ca1716d-53cd-468a-a1b3-59032c19c166}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{3e785595-30c2-437d-96ed-677d14724610}\\{6ca1716d-53cd-468a-a1b3-59032c19c166}"
              }
            ],
            "repeated": 0,
            "id": 11936
          },
          {
            "timestamp": "2026-05-28 22:01:58,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f4"
              },
              {
                "name": "ValueName",
                "value": "InstanceType"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "2"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{3e785595-30c2-437d-96ed-677d14724610}\\{6ca1716d-53cd-468a-a1b3-59032c19c166}\\InstanceType"
              }
            ],
            "repeated": 0,
            "id": 11937
          },
          {
            "timestamp": "2026-05-28 22:01:58,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f4"
              },
              {
                "name": "ValueName",
                "value": "NameResource"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "1"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{3e785595-30c2-437d-96ed-677d14724610}\\{6ca1716d-53cd-468a-a1b3-59032c19c166}\\NameResource"
              }
            ],
            "repeated": 0,
            "id": 11938
          },
          {
            "timestamp": "2026-05-28 22:01:58,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f4"
              },
              {
                "name": "ValueName",
                "value": "ExplainResource"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "3"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{3e785595-30c2-437d-96ed-677d14724610}\\{6ca1716d-53cd-468a-a1b3-59032c19c166}\\ExplainResource"
              }
            ],
            "repeated": 0,
            "id": 11939
          },
          {
            "timestamp": "2026-05-28 22:01:58,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f4"
              },
              {
                "name": "ValueName",
                "value": "First Counter"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "4020"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{3e785595-30c2-437d-96ed-677d14724610}\\{6ca1716d-53cd-468a-a1b3-59032c19c166}\\First Counter"
              }
            ],
            "repeated": 0,
            "id": 11940
          },
          {
            "timestamp": "2026-05-28 22:01:58,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f4"
              },
              {
                "name": "ValueName",
                "value": "Last Counter"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "4072"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{3e785595-30c2-437d-96ed-677d14724610}\\{6ca1716d-53cd-468a-a1b3-59032c19c166}\\Last Counter"
              }
            ],
            "repeated": 0,
            "id": 11941
          },
          {
            "timestamp": "2026-05-28 22:01:58,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f4"
              },
              {
                "name": "ValueName",
                "value": "CounterBlock"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{3e785595-30c2-437d-96ed-677d14724610}\\{6ca1716d-53cd-468a-a1b3-59032c19c166}\\CounterBlock"
              }
            ],
            "repeated": 0,
            "id": 11942
          },
          {
            "timestamp": "2026-05-28 22:01:58,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f4"
              },
              {
                "name": "ValueName",
                "value": "CounterBlock"
              },
              {
                "name": "Type",
                "value": "3",
                "pretty_value": "REG_BINARY"
              },
              {
                "name": "Information",
                "value": "\\x01\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00d\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x05\\x00\\x00\\x00\\x07\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00d\\x00\\x00\\x00\\x00\\x00\\x00\\x00\t\\x00\\x00\\x00\\x0b\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00d\\x00\\x00\\x00\\x00\\x00\\x00\\x00\r\\x00\\x00\\x00\\x0f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x04A\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00d\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x11\\x00\\x00\\x00\\x13\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x00\\x05\\x00\\x00\\x00\\x00\\x04A\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00d\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x15\\x00\\x00\\x00\\x17\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x00\\x06\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00d\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x19\\x00\\x00\\x00\\x1b\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x00\\x07\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00d\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x1d\\x00\\x00\\x00\\x1f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\
\x00\\x00\\x00\\x00\\x00d\\x00\\x00\\x00\\x00\\x00\\x00\\x00!\\x00\\x00\\x00#\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x00\t\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00d\\x00\\x00\\x00\\x00\\x00\\x00\\x00%\\x00\\x00\\x00'\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x00\n\\x00\\x00\\x00\\x00\\x04A\\x10"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{3e785595-30c2-437d-96ed-677d14724610}\\{6ca1716d-53cd-468a-a1b3-59032c19c166}\\CounterBlock"
              }
            ],
            "repeated": 0,
            "id": 11943
          },
          {
            "timestamp": "2026-05-28 22:01:58,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f4"
              },
              {
                "name": "ValueName",
                "value": "CounterCount"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "26"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{3e785595-30c2-437d-96ed-677d14724610}\\{6ca1716d-53cd-468a-a1b3-59032c19c166}\\CounterCount"
              }
            ],
            "repeated": 0,
            "id": 11944
          },
          {
            "timestamp": "2026-05-28 22:01:58,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000008f4"
              }
            ],
            "repeated": 0,
            "id": 11945
          },
          {
            "timestamp": "2026-05-28 22:01:58,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtEnumerateKey",
            "status": false,
            "return": "0xffffffff8000001a",
            "pretty_return": "NO_MORE_ENTRIES",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f0"
              },
              {
                "name": "Index",
                "value": "1"
              }
            ],
            "repeated": 0,
            "id": 11946
          },
          {
            "timestamp": "2026-05-28 22:01:58,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000008f0"
              }
            ],
            "repeated": 0,
            "id": 11947
          },
          {
            "timestamp": "2026-05-28 22:01:58,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtEnumerateKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008ec"
              },
              {
                "name": "Index",
                "value": "12"
              }
            ],
            "repeated": 0,
            "id": 11948
          },
          {
            "timestamp": "2026-05-28 22:01:58,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0002001f",
                "pretty_value": "KEY_READ|KEY_WRITE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000008ec"
              },
              {
                "name": "ObjectAttributesName",
                "value": "{408443b2-2164-418a-ad52-c761f93310f3}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{408443b2-2164-418a-ad52-c761f93310f3}"
              }
            ],
            "repeated": 0,
            "id": 11949
          },
          {
            "timestamp": "2026-05-28 22:01:58,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f0"
              },
              {
                "name": "ValueName",
                "value": "ProviderType"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "1"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{408443b2-2164-418a-ad52-c761f93310f3}\\ProviderType"
              }
            ],
            "repeated": 0,
            "id": 11950
          },
          {
            "timestamp": "2026-05-28 22:01:58,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f0"
              },
              {
                "name": "ValueName",
                "value": "ProviderName"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{408443b2-2164-418a-ad52-c761f93310f3}\\ProviderName"
              }
            ],
            "repeated": 0,
            "id": 11951
          },
          {
            "timestamp": "2026-05-28 22:01:58,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f0"
              },
              {
                "name": "ValueName",
                "value": "ApplicationIdentity"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{408443b2-2164-418a-ad52-c761f93310f3}\\ApplicationIdentity"
              }
            ],
            "repeated": 0,
            "id": 11952
          },
          {
            "timestamp": "2026-05-28 22:01:58,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f0"
              },
              {
                "name": "ValueName",
                "value": "ApplicationIdentity"
              },
              {
                "name": "Type",
                "value": "2",
                "pretty_value": "REG_EXPAND_SZ"
              },
              {
                "name": "Information",
                "value": "%SystemRoot%\\system32\\drivers\\usbxhci.sys"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{408443b2-2164-418a-ad52-c761f93310f3}\\ApplicationIdentity"
              }
            ],
            "repeated": 0,
            "id": 11953
          },
          {
            "timestamp": "2026-05-28 22:01:58,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtEnumerateKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f0"
              },
              {
                "name": "Index",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 11954
          },
          {
            "timestamp": "2026-05-28 22:01:58,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0002001f",
                "pretty_value": "KEY_READ|KEY_WRITE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000008f0"
              },
              {
                "name": "ObjectAttributesName",
                "value": "{c3cf1c57-275d-4b71-a5a6-e4e90401b821}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{408443b2-2164-418a-ad52-c761f93310f3}\\{c3cf1c57-275d-4b71-a5a6-e4e90401b821}"
              }
            ],
            "repeated": 0,
            "id": 11955
          },
          {
            "timestamp": "2026-05-28 22:01:58,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f4"
              },
              {
                "name": "ValueName",
                "value": "InstanceType"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "6"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{408443b2-2164-418a-ad52-c761f93310f3}\\{c3cf1c57-275d-4b71-a5a6-e4e90401b821}\\InstanceType"
              }
            ],
            "repeated": 0,
            "id": 11956
          },
          {
            "timestamp": "2026-05-28 22:01:58,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f4"
              },
              {
                "name": "ValueName",
                "value": "NameResource"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "201"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{408443b2-2164-418a-ad52-c761f93310f3}\\{c3cf1c57-275d-4b71-a5a6-e4e90401b821}\\NameResource"
              }
            ],
            "repeated": 0,
            "id": 11957
          },
          {
            "timestamp": "2026-05-28 22:01:58,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f4"
              },
              {
                "name": "ValueName",
                "value": "ExplainResource"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "203"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{408443b2-2164-418a-ad52-c761f93310f3}\\{c3cf1c57-275d-4b71-a5a6-e4e90401b821}\\ExplainResource"
              }
            ],
            "repeated": 0,
            "id": 11958
          },
          {
            "timestamp": "2026-05-28 22:01:58,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f4"
              },
              {
                "name": "ValueName",
                "value": "First Counter"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "3980"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{408443b2-2164-418a-ad52-c761f93310f3}\\{c3cf1c57-275d-4b71-a5a6-e4e90401b821}\\First Counter"
              }
            ],
            "repeated": 0,
            "id": 11959
          },
          {
            "timestamp": "2026-05-28 22:01:58,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f4"
              },
              {
                "name": "ValueName",
                "value": "Last Counter"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "3988"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{408443b2-2164-418a-ad52-c761f93310f3}\\{c3cf1c57-275d-4b71-a5a6-e4e90401b821}\\Last Counter"
              }
            ],
            "repeated": 0,
            "id": 11960
          },
          {
            "timestamp": "2026-05-28 22:01:58,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f4"
              },
              {
                "name": "ValueName",
                "value": "NeutralName"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{408443b2-2164-418a-ad52-c761f93310f3}\\{c3cf1c57-275d-4b71-a5a6-e4e90401b821}\\NeutralName"
              }
            ],
            "repeated": 0,
            "id": 11961
          },
          {
            "timestamp": "2026-05-28 22:01:58,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f4"
              },
              {
                "name": "ValueName",
                "value": "NeutralName"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "Information",
                "value": "XHCI CommonBuffer"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{408443b2-2164-418a-ad52-c761f93310f3}\\{c3cf1c57-275d-4b71-a5a6-e4e90401b821}\\NeutralName"
              }
            ],
            "repeated": 0,
            "id": 11962
          },
          {
            "timestamp": "2026-05-28 22:01:58,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f4"
              },
              {
                "name": "ValueName",
                "value": "CounterBlock"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{408443b2-2164-418a-ad52-c761f93310f3}\\{c3cf1c57-275d-4b71-a5a6-e4e90401b821}\\CounterBlock"
              }
            ],
            "repeated": 0,
            "id": 11963
          },
          {
            "timestamp": "2026-05-28 22:01:58,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f4"
              },
              {
                "name": "ValueName",
                "value": "CounterBlock"
              },
              {
                "name": "Type",
                "value": "3",
                "pretty_value": "REG_BINARY"
              },
              {
                "name": "Information",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00d\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xcd\\x00\\x00\\x00\\xcf\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00d\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xd1\\x00\\x00\\x00\\xd3\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00d\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xd5\\x00\\x00\\x00\\xd7\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00d\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xd9\\x00\\x00\\x00\\xdb\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x00"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{408443b2-2164-418a-ad52-c761f93310f3}\\{c3cf1c57-275d-4b71-a5a6-e4e90401b821}\\CounterBlock"
              }
            ],
            "repeated": 0,
            "id": 11964
          },
          {
            "timestamp": "2026-05-28 22:01:58,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f4"
              },
              {
                "name": "ValueName",
                "value": "CounterCount"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "4"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{408443b2-2164-418a-ad52-c761f93310f3}\\{c3cf1c57-275d-4b71-a5a6-e4e90401b821}\\CounterCount"
              }
            ],
            "repeated": 0,
            "id": 11965
          },
          {
            "timestamp": "2026-05-28 22:01:58,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000008f4"
              }
            ],
            "repeated": 0,
            "id": 11966
          },
          {
            "timestamp": "2026-05-28 22:01:58,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtEnumerateKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f0"
              },
              {
                "name": "Index",
                "value": "1"
              }
            ],
            "repeated": 0,
            "id": 11967
          },
          {
            "timestamp": "2026-05-28 22:01:58,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0002001f",
                "pretty_value": "KEY_READ|KEY_WRITE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000008f0"
              },
              {
                "name": "ObjectAttributesName",
                "value": "{e363bd27-bfbd-4581-a142-ecc006a7b82b}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{408443b2-2164-418a-ad52-c761f93310f3}\\{e363bd27-bfbd-4581-a142-ecc006a7b82b}"
              }
            ],
            "repeated": 0,
            "id": 11968
          },
          {
            "timestamp": "2026-05-28 22:01:58,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f4"
              },
              {
                "name": "ValueName",
                "value": "InstanceType"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "6"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{408443b2-2164-418a-ad52-c761f93310f3}\\{e363bd27-bfbd-4581-a142-ecc006a7b82b}\\InstanceType"
              }
            ],
            "repeated": 0,
            "id": 11969
          },
          {
            "timestamp": "2026-05-28 22:01:58,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f4"
              },
              {
                "name": "ValueName",
                "value": "NameResource"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "101"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{408443b2-2164-418a-ad52-c761f93310f3}\\{e363bd27-bfbd-4581-a142-ecc006a7b82b}\\NameResource"
              }
            ],
            "repeated": 0,
            "id": 11970
          },
          {
            "timestamp": "2026-05-28 22:01:58,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f4"
              },
              {
                "name": "ValueName",
                "value": "ExplainResource"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "103"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{408443b2-2164-418a-ad52-c761f93310f3}\\{e363bd27-bfbd-4581-a142-ecc006a7b82b}\\ExplainResource"
              }
            ],
            "repeated": 0,
            "id": 11971
          },
          {
            "timestamp": "2026-05-28 22:01:58,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f4"
              },
              {
                "name": "ValueName",
                "value": "First Counter"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "3990"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{408443b2-2164-418a-ad52-c761f93310f3}\\{e363bd27-bfbd-4581-a142-ecc006a7b82b}\\First Counter"
              }
            ],
            "repeated": 0,
            "id": 11972
          },
          {
            "timestamp": "2026-05-28 22:01:58,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f4"
              },
              {
                "name": "ValueName",
                "value": "Last Counter"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "4004"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{408443b2-2164-418a-ad52-c761f93310f3}\\{e363bd27-bfbd-4581-a142-ecc006a7b82b}\\Last Counter"
              }
            ],
            "repeated": 0,
            "id": 11973
          },
          {
            "timestamp": "2026-05-28 22:01:58,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f4"
              },
              {
                "name": "ValueName",
                "value": "NeutralName"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{408443b2-2164-418a-ad52-c761f93310f3}\\{e363bd27-bfbd-4581-a142-ecc006a7b82b}\\NeutralName"
              }
            ],
            "repeated": 0,
            "id": 11974
          },
          {
            "timestamp": "2026-05-28 22:01:58,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f4"
              },
              {
                "name": "ValueName",
                "value": "NeutralName"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "Information",
                "value": "XHCI TransferRing"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{408443b2-2164-418a-ad52-c761f93310f3}\\{e363bd27-bfbd-4581-a142-ecc006a7b82b}\\NeutralName"
              }
            ],
            "repeated": 0,
            "id": 11975
          },
          {
            "timestamp": "2026-05-28 22:01:58,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f4"
              },
              {
                "name": "ValueName",
                "value": "CounterBlock"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{408443b2-2164-418a-ad52-c761f93310f3}\\{e363bd27-bfbd-4581-a142-ecc006a7b82b}\\CounterBlock"
              }
            ],
            "repeated": 0,
            "id": 11976
          },
          {
            "timestamp": "2026-05-28 22:01:58,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f4"
              },
              {
                "name": "ValueName",
                "value": "CounterBlock"
              },
              {
                "name": "Type",
                "value": "3",
                "pretty_value": "REG_BINARY"
              },
              {
                "name": "Information",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x04A\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00d\\x00\\x00\\x00\\x00\\x00\\x00\\x00i\\x00\\x00\\x00k\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00d\\x00\\x00\\x00\\x00\\x00\\x00\\x00m\\x00\\x00\\x00o\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x04A\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00d\\x00\\x00\\x00\\x00\\x00\\x00\\x00q\\x00\\x00\\x00s\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x00\\x04A\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00d\\x00\\x00\\x00\\x00\\x00\\x00\\x00u\\x00\\x00\\x00w\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x04A\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00d\\x00\\x00\\x00\\x00\\x00\\x00\\x00y\\x00\\x00\\x00{\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x00\\x05\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00d\\x00\\x00\\x00\\x00\\x00\\x00\\x00}\\x00\\x00\\x00\\x7f\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x00\\x06\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00d\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x81\\x00\\x00\\x00\\x83\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x00"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{408443b2-2164-418a-ad52-c761f93310f3}\\{e363bd27-bfbd-4581-a142-ecc006a7b82b}\\CounterBlock"
              }
            ],
            "repeated": 0,
            "id": 11977
          },
          {
            "timestamp": "2026-05-28 22:01:58,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f4"
              },
              {
                "name": "ValueName",
                "value": "CounterCount"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "7"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{408443b2-2164-418a-ad52-c761f93310f3}\\{e363bd27-bfbd-4581-a142-ecc006a7b82b}\\CounterCount"
              }
            ],
            "repeated": 0,
            "id": 11978
          },
          {
            "timestamp": "2026-05-28 22:01:58,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000008f4"
              }
            ],
            "repeated": 0,
            "id": 11979
          },
          {
            "timestamp": "2026-05-28 22:01:58,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtEnumerateKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f0"
              },
              {
                "name": "Index",
                "value": "2"
              }
            ],
            "repeated": 0,
            "id": 11980
          },
          {
            "timestamp": "2026-05-28 22:01:58,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0002001f",
                "pretty_value": "KEY_READ|KEY_WRITE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000008f0"
              },
              {
                "name": "ObjectAttributesName",
                "value": "{f961fa1c-6b9b-4d16-b414-499ed1f6d6f2}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{408443b2-2164-418a-ad52-c761f93310f3}\\{f961fa1c-6b9b-4d16-b414-499ed1f6d6f2}"
              }
            ],
            "repeated": 0,
            "id": 11981
          },
          {
            "timestamp": "2026-05-28 22:01:58,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f4"
              },
              {
                "name": "ValueName",
                "value": "InstanceType"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "6"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{408443b2-2164-418a-ad52-c761f93310f3}\\{f961fa1c-6b9b-4d16-b414-499ed1f6d6f2}\\InstanceType"
              }
            ],
            "repeated": 0,
            "id": 11982
          },
          {
            "timestamp": "2026-05-28 22:01:58,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f4"
              },
              {
                "name": "ValueName",
                "value": "NameResource"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "1"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{408443b2-2164-418a-ad52-c761f93310f3}\\{f961fa1c-6b9b-4d16-b414-499ed1f6d6f2}\\NameResource"
              }
            ],
            "repeated": 0,
            "id": 11983
          },
          {
            "timestamp": "2026-05-28 22:01:58,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f4"
              },
              {
                "name": "ValueName",
                "value": "ExplainResource"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "3"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{408443b2-2164-418a-ad52-c761f93310f3}\\{f961fa1c-6b9b-4d16-b414-499ed1f6d6f2}\\ExplainResource"
              }
            ],
            "repeated": 0,
            "id": 11984
          },
          {
            "timestamp": "2026-05-28 22:01:58,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f4"
              },
              {
                "name": "ValueName",
                "value": "First Counter"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "3966"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{408443b2-2164-418a-ad52-c761f93310f3}\\{f961fa1c-6b9b-4d16-b414-499ed1f6d6f2}\\First Counter"
              }
            ],
            "repeated": 0,
            "id": 11985
          },
          {
            "timestamp": "2026-05-28 22:01:58,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f4"
              },
              {
                "name": "ValueName",
                "value": "Last Counter"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "3978"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{408443b2-2164-418a-ad52-c761f93310f3}\\{f961fa1c-6b9b-4d16-b414-499ed1f6d6f2}\\Last Counter"
              }
            ],
            "repeated": 0,
            "id": 11986
          },
          {
            "timestamp": "2026-05-28 22:01:58,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f4"
              },
              {
                "name": "ValueName",
                "value": "NeutralName"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{408443b2-2164-418a-ad52-c761f93310f3}\\{f961fa1c-6b9b-4d16-b414-499ed1f6d6f2}\\NeutralName"
              }
            ],
            "repeated": 0,
            "id": 11987
          },
          {
            "timestamp": "2026-05-28 22:01:58,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f4"
              },
              {
                "name": "ValueName",
                "value": "NeutralName"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "Information",
                "value": "XHCI Interrupter"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{408443b2-2164-418a-ad52-c761f93310f3}\\{f961fa1c-6b9b-4d16-b414-499ed1f6d6f2}\\NeutralName"
              }
            ],
            "repeated": 0,
            "id": 11988
          },
          {
            "timestamp": "2026-05-28 22:01:58,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f4"
              },
              {
                "name": "ValueName",
                "value": "CounterBlock"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{408443b2-2164-418a-ad52-c761f93310f3}\\{f961fa1c-6b9b-4d16-b414-499ed1f6d6f2}\\CounterBlock"
              }
            ],
            "repeated": 0,
            "id": 11989
          },
          {
            "timestamp": "2026-05-28 22:01:58,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f4"
              },
              {
                "name": "ValueName",
                "value": "CounterBlock"
              },
              {
                "name": "Type",
                "value": "3",
                "pretty_value": "REG_BINARY"
              },
              {
                "name": "Information",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x04A\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00d\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x05\\x00\\x00\\x00\\x07\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x04A\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00d\\x00\\x00\\x00\\x00\\x00\\x00\\x00\t\\x00\\x00\\x00\\x0b\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x05\\x02@\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00d\\x00\\x00\\x00\\x00\\x00\\x00\\x00\r\\x00\\x00\\x00\\x0f\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x02\\x04\\x03@\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00d\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x11\\x00\\x00\\x00\\x13\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00d\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x15\\x00\\x00\\x00\\x17\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x00\\x05\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00d\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x19\\x00\\x00\\x00\\x1b\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x00"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{408443b2-2164-418a-ad52-c761f93310f3}\\{f961fa1c-6b9b-4d16-b414-499ed1f6d6f2}\\CounterBlock"
              }
            ],
            "repeated": 0,
            "id": 11990
          },
          {
            "timestamp": "2026-05-28 22:01:58,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f4"
              },
              {
                "name": "ValueName",
                "value": "CounterCount"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "6"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{408443b2-2164-418a-ad52-c761f93310f3}\\{f961fa1c-6b9b-4d16-b414-499ed1f6d6f2}\\CounterCount"
              }
            ],
            "repeated": 0,
            "id": 11991
          },
          {
            "timestamp": "2026-05-28 22:01:58,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000008f4"
              }
            ],
            "repeated": 0,
            "id": 11992
          },
          {
            "timestamp": "2026-05-28 22:01:58,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtEnumerateKey",
            "status": false,
            "return": "0xffffffff8000001a",
            "pretty_return": "NO_MORE_ENTRIES",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f0"
              },
              {
                "name": "Index",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 11993
          },
          {
            "timestamp": "2026-05-28 22:01:58,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000008f0"
              }
            ],
            "repeated": 0,
            "id": 11994
          },
          {
            "timestamp": "2026-05-28 22:01:58,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtEnumerateKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008ec"
              },
              {
                "name": "Index",
                "value": "13"
              }
            ],
            "repeated": 0,
            "id": 11995
          },
          {
            "timestamp": "2026-05-28 22:01:58,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0002001f",
                "pretty_value": "KEY_READ|KEY_WRITE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000008ec"
              },
              {
                "name": "ObjectAttributesName",
                "value": "{420a6c98-914e-40fc-9a0f-80c7db801780}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{420a6c98-914e-40fc-9a0f-80c7db801780}"
              }
            ],
            "repeated": 0,
            "id": 11996
          },
          {
            "timestamp": "2026-05-28 22:01:58,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f0"
              },
              {
                "name": "ValueName",
                "value": "ProviderType"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{420a6c98-914e-40fc-9a0f-80c7db801780}\\ProviderType"
              }
            ],
            "repeated": 0,
            "id": 11997
          },
          {
            "timestamp": "2026-05-28 22:01:58,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f0"
              },
              {
                "name": "ValueName",
                "value": "ProviderName"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{420a6c98-914e-40fc-9a0f-80c7db801780}\\ProviderName"
              }
            ],
            "repeated": 0,
            "id": 11998
          },
          {
            "timestamp": "2026-05-28 22:01:58,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f0"
              },
              {
                "name": "ValueName",
                "value": "ApplicationIdentity"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{420a6c98-914e-40fc-9a0f-80c7db801780}\\ApplicationIdentity"
              }
            ],
            "repeated": 0,
            "id": 11999
          },
          {
            "timestamp": "2026-05-28 22:01:58,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f0"
              },
              {
                "name": "ValueName",
                "value": "ApplicationIdentity"
              },
              {
                "name": "Type",
                "value": "2",
                "pretty_value": "REG_EXPAND_SZ"
              },
              {
                "name": "Information",
                "value": "NetLogon.dll"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{420a6c98-914e-40fc-9a0f-80c7db801780}\\ApplicationIdentity"
              }
            ],
            "repeated": 0,
            "id": 12000
          },
          {
            "timestamp": "2026-05-28 22:01:58,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtEnumerateKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f0"
              },
              {
                "name": "Index",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 12001
          },
          {
            "timestamp": "2026-05-28 22:01:58,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0002001f",
                "pretty_value": "KEY_READ|KEY_WRITE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000008f0"
              },
              {
                "name": "ObjectAttributesName",
                "value": "{a44a45c2-664d-476c-b68c-6b123eccc31f}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{420a6c98-914e-40fc-9a0f-80c7db801780}\\{a44a45c2-664d-476c-b68c-6b123eccc31f}"
              }
            ],
            "repeated": 0,
            "id": 12002
          },
          {
            "timestamp": "2026-05-28 22:01:58,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f4"
              },
              {
                "name": "ValueName",
                "value": "InstanceType"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "2"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{420a6c98-914e-40fc-9a0f-80c7db801780}\\{a44a45c2-664d-476c-b68c-6b123eccc31f}\\InstanceType"
              }
            ],
            "repeated": 0,
            "id": 12003
          },
          {
            "timestamp": "2026-05-28 22:01:58,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f4"
              },
              {
                "name": "ValueName",
                "value": "NameResource"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "2000"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{420a6c98-914e-40fc-9a0f-80c7db801780}\\{a44a45c2-664d-476c-b68c-6b123eccc31f}\\NameResource"
              }
            ],
            "repeated": 0,
            "id": 12004
          },
          {
            "timestamp": "2026-05-28 22:01:58,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f4"
              },
              {
                "name": "ValueName",
                "value": "ExplainResource"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "2002"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{420a6c98-914e-40fc-9a0f-80c7db801780}\\{a44a45c2-664d-476c-b68c-6b123eccc31f}\\ExplainResource"
              }
            ],
            "repeated": 0,
            "id": 12005
          },
          {
            "timestamp": "2026-05-28 22:01:58,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f4"
              },
              {
                "name": "ValueName",
                "value": "First Counter"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "6332"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{420a6c98-914e-40fc-9a0f-80c7db801780}\\{a44a45c2-664d-476c-b68c-6b123eccc31f}\\First Counter"
              }
            ],
            "repeated": 0,
            "id": 12006
          },
          {
            "timestamp": "2026-05-28 22:01:58,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f4"
              },
              {
                "name": "ValueName",
                "value": "Last Counter"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "6348"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{420a6c98-914e-40fc-9a0f-80c7db801780}\\{a44a45c2-664d-476c-b68c-6b123eccc31f}\\Last Counter"
              }
            ],
            "repeated": 0,
            "id": 12007
          },
          {
            "timestamp": "2026-05-28 22:01:58,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f4"
              },
              {
                "name": "ValueName",
                "value": "CounterBlock"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{420a6c98-914e-40fc-9a0f-80c7db801780}\\{a44a45c2-664d-476c-b68c-6b123eccc31f}\\CounterBlock"
              }
            ],
            "repeated": 0,
            "id": 12008
          },
          {
            "timestamp": "2026-05-28 22:01:58,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f4"
              },
              {
                "name": "ValueName",
                "value": "CounterBlock"
              },
              {
                "name": "Type",
                "value": "3",
                "pretty_value": "REG_BINARY"
              },
              {
                "name": "Information",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00d\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xd4\\x07\\x00\\x00\\xd6\\x07\\x00\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00d\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xd8\\x07\\x00\\x00\\xda\\x07\\x00\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00d\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xdc\\x07\\x00\\x00\\xde\\x07\\x00\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x00\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00d\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xe0\\x07\\x00\\x00\\xe2\\x07\\x00\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x04\\x020\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00d\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xe4\\x07\\x00\\x00\\xe6\\x07\\x00\\x00\\x00\\x00\\x00\\x00\\x05\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x00\\x05\\x00\\x00\\x00\\x02\\x04\\x03@\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00d\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xe8\\x07\\x00\\x00\\xea\\x07\\x00\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x00\\x06\\x00\\x00\\x00\\x00\\x04\\x020\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00d\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xec\\x07\\x00\\x00\\xee\\x07\\x00\\x00\\x00\\x00\\x00\\x00\\x07\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x00\\x07\\x00\\x00\\x00\\x02\\x04\\x03@\\x02\\x00\\x00\\x
00\\x00\\x00\\x00\\x00d\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xf0\\x07\\x00\\x00\\xf2\\x07\\x00\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x00"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{420a6c98-914e-40fc-9a0f-80c7db801780}\\{a44a45c2-664d-476c-b68c-6b123eccc31f}\\CounterBlock"
              }
            ],
            "repeated": 0,
            "id": 12009
          },
          {
            "timestamp": "2026-05-28 22:01:58,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f4"
              },
              {
                "name": "ValueName",
                "value": "CounterCount"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "8"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{420a6c98-914e-40fc-9a0f-80c7db801780}\\{a44a45c2-664d-476c-b68c-6b123eccc31f}\\CounterCount"
              }
            ],
            "repeated": 0,
            "id": 12010
          },
          {
            "timestamp": "2026-05-28 22:01:58,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000008f4"
              }
            ],
            "repeated": 0,
            "id": 12011
          },
          {
            "timestamp": "2026-05-28 22:01:58,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtEnumerateKey",
            "status": false,
            "return": "0xffffffff8000001a",
            "pretty_return": "NO_MORE_ENTRIES",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f0"
              },
              {
                "name": "Index",
                "value": "1"
              }
            ],
            "repeated": 0,
            "id": 12012
          },
          {
            "timestamp": "2026-05-28 22:01:58,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000008f0"
              }
            ],
            "repeated": 0,
            "id": 12013
          },
          {
            "timestamp": "2026-05-28 22:01:58,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtEnumerateKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008ec"
              },
              {
                "name": "Index",
                "value": "14"
              }
            ],
            "repeated": 0,
            "id": 12014
          },
          {
            "timestamp": "2026-05-28 22:01:58,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0002001f",
                "pretty_value": "KEY_READ|KEY_WRITE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000008ec"
              },
              {
                "name": "ObjectAttributesName",
                "value": "{4d4bac91-2b54-4f84-be36-cf74389f8f49}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{4d4bac91-2b54-4f84-be36-cf74389f8f49}"
              }
            ],
            "repeated": 0,
            "id": 12015
          },
          {
            "timestamp": "2026-05-28 22:01:58,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f0"
              },
              {
                "name": "ValueName",
                "value": "ProviderType"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "1"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{4d4bac91-2b54-4f84-be36-cf74389f8f49}\\ProviderType"
              }
            ],
            "repeated": 0,
            "id": 12016
          },
          {
            "timestamp": "2026-05-28 22:01:58,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f0"
              },
              {
                "name": "ValueName",
                "value": "ProviderName"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{4d4bac91-2b54-4f84-be36-cf74389f8f49}\\ProviderName"
              }
            ],
            "repeated": 0,
            "id": 12017
          },
          {
            "timestamp": "2026-05-28 22:01:58,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f0"
              },
              {
                "name": "ValueName",
                "value": "ApplicationIdentity"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{4d4bac91-2b54-4f84-be36-cf74389f8f49}\\ApplicationIdentity"
              }
            ],
            "repeated": 0,
            "id": 12018
          },
          {
            "timestamp": "2026-05-28 22:01:58,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f0"
              },
              {
                "name": "ValueName",
                "value": "ApplicationIdentity"
              },
              {
                "name": "Type",
                "value": "2",
                "pretty_value": "REG_EXPAND_SZ"
              },
              {
                "name": "Information",
                "value": "%systemroot%\\system32\\drivers\\srv2.sys"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{4d4bac91-2b54-4f84-be36-cf74389f8f49}\\ApplicationIdentity"
              }
            ],
            "repeated": 0,
            "id": 12019
          },
          {
            "timestamp": "2026-05-28 22:01:58,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtEnumerateKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f0"
              },
              {
                "name": "Index",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 12020
          },
          {
            "timestamp": "2026-05-28 22:01:58,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0002001f",
                "pretty_value": "KEY_READ|KEY_WRITE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000008f0"
              },
              {
                "name": "ObjectAttributesName",
                "value": "{d30c5234-f79d-44a9-9803-2f9d5feef791}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{4d4bac91-2b54-4f84-be36-cf74389f8f49}\\{d30c5234-f79d-44a9-9803-2f9d5feef791}"
              }
            ],
            "repeated": 0,
            "id": 12021
          },
          {
            "timestamp": "2026-05-28 22:01:58,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f4"
              },
              {
                "name": "ValueName",
                "value": "InstanceType"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{4d4bac91-2b54-4f84-be36-cf74389f8f49}\\{d30c5234-f79d-44a9-9803-2f9d5feef791}\\InstanceType"
              }
            ],
            "repeated": 0,
            "id": 12022
          },
          {
            "timestamp": "2026-05-28 22:01:58,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f4"
              },
              {
                "name": "ValueName",
                "value": "NameResource"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "3003"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{4d4bac91-2b54-4f84-be36-cf74389f8f49}\\{d30c5234-f79d-44a9-9803-2f9d5feef791}\\NameResource"
              }
            ],
            "repeated": 0,
            "id": 12023
          },
          {
            "timestamp": "2026-05-28 22:01:58,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f4"
              },
              {
                "name": "ValueName",
                "value": "ExplainResource"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "3001"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{4d4bac91-2b54-4f84-be36-cf74389f8f49}\\{d30c5234-f79d-44a9-9803-2f9d5feef791}\\ExplainResource"
              }
            ],
            "repeated": 0,
            "id": 12024
          },
          {
            "timestamp": "2026-05-28 22:01:58,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f4"
              },
              {
                "name": "ValueName",
                "value": "First Counter"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "5864"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{4d4bac91-2b54-4f84-be36-cf74389f8f49}\\{d30c5234-f79d-44a9-9803-2f9d5feef791}\\First Counter"
              }
            ],
            "repeated": 0,
            "id": 12025
          },
          {
            "timestamp": "2026-05-28 22:01:58,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f4"
              },
              {
                "name": "ValueName",
                "value": "Last Counter"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "5876"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{4d4bac91-2b54-4f84-be36-cf74389f8f49}\\{d30c5234-f79d-44a9-9803-2f9d5feef791}\\Last Counter"
              }
            ],
            "repeated": 0,
            "id": 12026
          },
          {
            "timestamp": "2026-05-28 22:01:58,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f4"
              },
              {
                "name": "ValueName",
                "value": "NeutralName"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{4d4bac91-2b54-4f84-be36-cf74389f8f49}\\{d30c5234-f79d-44a9-9803-2f9d5feef791}\\NeutralName"
              }
            ],
            "repeated": 0,
            "id": 12027
          },
          {
            "timestamp": "2026-05-28 22:01:58,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f4"
              },
              {
                "name": "ValueName",
                "value": "NeutralName"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "Information",
                "value": "SMB Server"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{4d4bac91-2b54-4f84-be36-cf74389f8f49}\\{d30c5234-f79d-44a9-9803-2f9d5feef791}\\NeutralName"
              }
            ],
            "repeated": 0,
            "id": 12028
          },
          {
            "timestamp": "2026-05-28 22:01:58,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f4"
              },
              {
                "name": "ValueName",
                "value": "CounterBlock"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{4d4bac91-2b54-4f84-be36-cf74389f8f49}\\{d30c5234-f79d-44a9-9803-2f9d5feef791}\\CounterBlock"
              }
            ],
            "repeated": 0,
            "id": 12029
          },
          {
            "timestamp": "2026-05-28 22:01:58,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f4"
              },
              {
                "name": "ValueName",
                "value": "CounterBlock"
              },
              {
                "name": "Type",
                "value": "3",
                "pretty_value": "REG_BINARY"
              },
              {
                "name": "Information",
                "value": "\\x01\\x00\\x00\\x00\\x00\\x05A\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00d\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xbf\\x0b\\x00\\x00\\xbd\\x0b\\x00\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x05A\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00d\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xc3\\x0b\\x00\\x00\\xc1\\x0b\\x00\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x00\\x05A\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00d\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xc7\\x0b\\x00\\x00\\xc5\\x0b\\x00\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x05A\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00d\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xcb\\x0b\\x00\\x00\\xc9\\x0b\\x00\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x00\\x05\\x00\\x00\\x00\\x00\\x05A\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00d\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xcf\\x0b\\x00\\x00\\xcd\\x0b\\x00\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x00\\x06\\x00\\x00\\x00\\x00\\x05A\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00d\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xd3\\x0b\\x00\\x00\\xd1\\x0b\\x00\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x00"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{4d4bac91-2b54-4f84-be36-cf74389f8f49}\\{d30c5234-f79d-44a9-9803-2f9d5feef791}\\CounterBlock"
              }
            ],
            "repeated": 0,
            "id": 12030
          },
          {
            "timestamp": "2026-05-28 22:01:58,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f4"
              },
              {
                "name": "ValueName",
                "value": "CounterCount"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "6"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{4d4bac91-2b54-4f84-be36-cf74389f8f49}\\{d30c5234-f79d-44a9-9803-2f9d5feef791}\\CounterCount"
              }
            ],
            "repeated": 0,
            "id": 12031
          },
          {
            "timestamp": "2026-05-28 22:01:58,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000008f4"
              }
            ],
            "repeated": 0,
            "id": 12032
          },
          {
            "timestamp": "2026-05-28 22:01:58,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtEnumerateKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f0"
              },
              {
                "name": "Index",
                "value": "1"
              }
            ],
            "repeated": 0,
            "id": 12033
          },
          {
            "timestamp": "2026-05-28 22:01:58,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0002001f",
                "pretty_value": "KEY_READ|KEY_WRITE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000008f0"
              },
              {
                "name": "ObjectAttributesName",
                "value": "{e6e560b2-062f-41ca-89ab-f6987f2b7a25}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{4d4bac91-2b54-4f84-be36-cf74389f8f49}\\{e6e560b2-062f-41ca-89ab-f6987f2b7a25}"
              }
            ],
            "repeated": 0,
            "id": 12034
          },
          {
            "timestamp": "2026-05-28 22:01:58,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f4"
              },
              {
                "name": "ValueName",
                "value": "InstanceType"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "6"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{4d4bac91-2b54-4f84-be36-cf74389f8f49}\\{e6e560b2-062f-41ca-89ab-f6987f2b7a25}\\InstanceType"
              }
            ],
            "repeated": 0,
            "id": 12035
          },
          {
            "timestamp": "2026-05-28 22:01:58,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f4"
              },
              {
                "name": "ValueName",
                "value": "NameResource"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "2003"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{4d4bac91-2b54-4f84-be36-cf74389f8f49}\\{e6e560b2-062f-41ca-89ab-f6987f2b7a25}\\NameResource"
              }
            ],
            "repeated": 0,
            "id": 12036
          },
          {
            "timestamp": "2026-05-28 22:01:58,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f4"
              },
              {
                "name": "ValueName",
                "value": "ExplainResource"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "2001"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{4d4bac91-2b54-4f84-be36-cf74389f8f49}\\{e6e560b2-062f-41ca-89ab-f6987f2b7a25}\\ExplainResource"
              }
            ],
            "repeated": 0,
            "id": 12037
          },
          {
            "timestamp": "2026-05-28 22:01:58,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f4"
              },
              {
                "name": "ValueName",
                "value": "First Counter"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "5772"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{4d4bac91-2b54-4f84-be36-cf74389f8f49}\\{e6e560b2-062f-41ca-89ab-f6987f2b7a25}\\First Counter"
              }
            ],
            "repeated": 0,
            "id": 12038
          },
          {
            "timestamp": "2026-05-28 22:01:58,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f4"
              },
              {
                "name": "ValueName",
                "value": "Last Counter"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "5862"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{4d4bac91-2b54-4f84-be36-cf74389f8f49}\\{e6e560b2-062f-41ca-89ab-f6987f2b7a25}\\Last Counter"
              }
            ],
            "repeated": 0,
            "id": 12039
          },
          {
            "timestamp": "2026-05-28 22:01:58,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f4"
              },
              {
                "name": "ValueName",
                "value": "NeutralName"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{4d4bac91-2b54-4f84-be36-cf74389f8f49}\\{e6e560b2-062f-41ca-89ab-f6987f2b7a25}\\NeutralName"
              }
            ],
            "repeated": 0,
            "id": 12040
          },
          {
            "timestamp": "2026-05-28 22:01:58,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f4"
              },
              {
                "name": "ValueName",
                "value": "NeutralName"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "Information",
                "value": "SMB Server Sessions"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{4d4bac91-2b54-4f84-be36-cf74389f8f49}\\{e6e560b2-062f-41ca-89ab-f6987f2b7a25}\\NeutralName"
              }
            ],
            "repeated": 0,
            "id": 12041
          },
          {
            "timestamp": "2026-05-28 22:01:58,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f4"
              },
              {
                "name": "ValueName",
                "value": "CounterBlock"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{4d4bac91-2b54-4f84-be36-cf74389f8f49}\\{e6e560b2-062f-41ca-89ab-f6987f2b7a25}\\CounterBlock"
              }
            ],
            "repeated": 0,
            "id": 12042
          },
          {
            "timestamp": "2026-05-28 22:01:58,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f4"
              },
              {
                "name": "ValueName",
                "value": "CounterBlock"
              },
              {
                "name": "Type",
                "value": "3",
                "pretty_value": "REG_BINARY"
              },
              {
                "name": "Information",
                "value": "\\x02\\x00\\x00\\x00\\x00\\x05A\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00d\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xdb\\x07\\x00\\x00\\xd9\\x07\\x00\\x00\\x01\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x05A\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00d\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xe3\\x07\\x00\\x00\\xe1\\x07\\x00\\x00\\x01\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x00\\x05\\x00\\x00\\x00\\x00\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00d\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xe7\\x07\\x00\\x00\\xe5\\x07\\x00\\x00\\x01\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x00\\x06\\x00\\x00\\x00\\x00\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00d\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xeb\\x07\\x00\\x00\\xe9\\x07\\x00\\x00\\x01\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x05A\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00d\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xf3\\x07\\x00\\x00\\xf1\\x07\\x00\\x00\\x01\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x00\n\\x00\\x00\\x00\\x00\\x05A\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00d\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xfb\\x07\\x00\\x00\\xf9\\x07\\x00\\x00\\x01\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x00\\x0b\\x00\\x00\\x00\\x00\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00d\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xff\\x07\\x00\\x00\\xfd\\x07\\x00\\x00\\x01\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x00\\x0e\\x00\\x00\\x00\\x00\\x04\\x020\\x00\\x00\\x00\\x00\\x00
\\x00\\x00\\x00d\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x07\\x08\\x00\\x00\\x05\\x08\\x00\\x00\\x01\\x00\\x00\\x00\\x0f\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x00\\x0f\\x00\\x00\\x00\\x02\\x04\\x03@\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00d\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x01\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x00\\x11\\x00\\x00\\x00\\x00\\x04A\\x10"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{4d4bac91-2b54-4f84-be36-cf74389f8f49}\\{e6e560b2-062f-41ca-89ab-f6987f2b7a25}\\CounterBlock"
              }
            ],
            "repeated": 0,
            "id": 12043
          },
          {
            "timestamp": "2026-05-28 22:01:58,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f4"
              },
              {
                "name": "ValueName",
                "value": "CounterCount"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "45"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{4d4bac91-2b54-4f84-be36-cf74389f8f49}\\{e6e560b2-062f-41ca-89ab-f6987f2b7a25}\\CounterCount"
              }
            ],
            "repeated": 0,
            "id": 12044
          },
          {
            "timestamp": "2026-05-28 22:01:58,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000008f4"
              }
            ],
            "repeated": 0,
            "id": 12045
          },
          {
            "timestamp": "2026-05-28 22:01:58,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtEnumerateKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f0"
              },
              {
                "name": "Index",
                "value": "2"
              }
            ],
            "repeated": 0,
            "id": 12046
          },
          {
            "timestamp": "2026-05-28 22:01:58,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0002001f",
                "pretty_value": "KEY_READ|KEY_WRITE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000008f0"
              },
              {
                "name": "ObjectAttributesName",
                "value": "{f4681672-32dc-41db-8669-fdf490345ba5}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{4d4bac91-2b54-4f84-be36-cf74389f8f49}\\{f4681672-32dc-41db-8669-fdf490345ba5}"
              }
            ],
            "repeated": 0,
            "id": 12047
          },
          {
            "timestamp": "2026-05-28 22:01:58,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f4"
              },
              {
                "name": "ValueName",
                "value": "InstanceType"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "6"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{4d4bac91-2b54-4f84-be36-cf74389f8f49}\\{f4681672-32dc-41db-8669-fdf490345ba5}\\InstanceType"
              }
            ],
            "repeated": 0,
            "id": 12048
          },
          {
            "timestamp": "2026-05-28 22:01:58,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f4"
              },
              {
                "name": "ValueName",
                "value": "NameResource"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "1"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{4d4bac91-2b54-4f84-be36-cf74389f8f49}\\{f4681672-32dc-41db-8669-fdf490345ba5}\\NameResource"
              }
            ],
            "repeated": 0,
            "id": 12049
          },
          {
            "timestamp": "2026-05-28 22:01:58,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f4"
              },
              {
                "name": "ValueName",
                "value": "ExplainResource"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "3"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{4d4bac91-2b54-4f84-be36-cf74389f8f49}\\{f4681672-32dc-41db-8669-fdf490345ba5}\\ExplainResource"
              }
            ],
            "repeated": 0,
            "id": 12050
          },
          {
            "timestamp": "2026-05-28 22:01:58,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f4"
              },
              {
                "name": "ValueName",
                "value": "First Counter"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "5656"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{4d4bac91-2b54-4f84-be36-cf74389f8f49}\\{f4681672-32dc-41db-8669-fdf490345ba5}\\First Counter"
              }
            ],
            "repeated": 0,
            "id": 12051
          },
          {
            "timestamp": "2026-05-28 22:01:58,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f4"
              },
              {
                "name": "ValueName",
                "value": "Last Counter"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "5770"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{4d4bac91-2b54-4f84-be36-cf74389f8f49}\\{f4681672-32dc-41db-8669-fdf490345ba5}\\Last Counter"
              }
            ],
            "repeated": 0,
            "id": 12052
          },
          {
            "timestamp": "2026-05-28 22:01:58,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f4"
              },
              {
                "name": "ValueName",
                "value": "NeutralName"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{4d4bac91-2b54-4f84-be36-cf74389f8f49}\\{f4681672-32dc-41db-8669-fdf490345ba5}\\NeutralName"
              }
            ],
            "repeated": 0,
            "id": 12053
          },
          {
            "timestamp": "2026-05-28 22:01:58,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f4"
              },
              {
                "name": "ValueName",
                "value": "NeutralName"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "Information",
                "value": "SMB Server Shares"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{4d4bac91-2b54-4f84-be36-cf74389f8f49}\\{f4681672-32dc-41db-8669-fdf490345ba5}\\NeutralName"
              }
            ],
            "repeated": 0,
            "id": 12054
          },
          {
            "timestamp": "2026-05-28 22:01:58,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f4"
              },
              {
                "name": "ValueName",
                "value": "CounterBlock"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{4d4bac91-2b54-4f84-be36-cf74389f8f49}\\{f4681672-32dc-41db-8669-fdf490345ba5}\\CounterBlock"
              }
            ],
            "repeated": 0,
            "id": 12055
          },
          {
            "timestamp": "2026-05-28 22:01:58,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f4"
              },
              {
                "name": "ValueName",
                "value": "CounterBlock"
              },
              {
                "name": "Type",
                "value": "3",
                "pretty_value": "REG_BINARY"
              },
              {
                "name": "Information",
                "value": "\\x02\\x00\\x00\\x00\\x00\\x05A\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00d\\x00\\x00\\x00\\x00\\x00\\x00\\x00\t\\x00\\x00\\x00\\x0b\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x05A\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00d\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x11\\x00\\x00\\x00\\x13\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x00\\x05\\x00\\x00\\x00\\x00\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00d\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x15\\x00\\x00\\x00\\x17\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x00\\x06\\x00\\x00\\x00\\x00\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00d\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x19\\x00\\x00\\x00\\x1b\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x05A\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00d\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xef\\x03\\x00\\x00\\xed\\x03\\x00\\x00\\x01\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x00\n\\x00\\x00\\x00\\x00\\x05A\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00d\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xf7\\x03\\x00\\x00\\xf5\\x03\\x00\\x00\\x01\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x00\\x0b\\x00\\x00\\x00\\x00\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00d\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xfb\\x03\\x00\\x00\\xf9\\x03\\x00\\x00\\x01\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x00\\x0e\\x00\\x00\\x00\\x00\\x04\\x020\\x00\\x00\\x00\\x00\\x00\\x
00\\x00\\x00d\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x03\\x04\\x00\\x00\\x01\\x04\\x00\\x00\\x01\\x00\\x00\\x00\\x0f\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x00\\x0f\\x00\\x00\\x00\\x02\\x04\\x03@\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00d\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x01\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x00\\x11\\x00\\x00\\x00\\x00\\x04A\\x10"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{4d4bac91-2b54-4f84-be36-cf74389f8f49}\\{f4681672-32dc-41db-8669-fdf490345ba5}\\CounterBlock"
              }
            ],
            "repeated": 0,
            "id": 12056
          },
          {
            "timestamp": "2026-05-28 22:01:58,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f4"
              },
              {
                "name": "ValueName",
                "value": "CounterCount"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "57"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{4d4bac91-2b54-4f84-be36-cf74389f8f49}\\{f4681672-32dc-41db-8669-fdf490345ba5}\\CounterCount"
              }
            ],
            "repeated": 0,
            "id": 12057
          },
          {
            "timestamp": "2026-05-28 22:01:58,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000008f4"
              }
            ],
            "repeated": 0,
            "id": 12058
          },
          {
            "timestamp": "2026-05-28 22:01:58,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtEnumerateKey",
            "status": false,
            "return": "0xffffffff8000001a",
            "pretty_return": "NO_MORE_ENTRIES",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f0"
              },
              {
                "name": "Index",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 12059
          },
          {
            "timestamp": "2026-05-28 22:01:58,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000008f0"
              }
            ],
            "repeated": 0,
            "id": 12060
          },
          {
            "timestamp": "2026-05-28 22:01:58,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtEnumerateKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008ec"
              },
              {
                "name": "Index",
                "value": "15"
              }
            ],
            "repeated": 0,
            "id": 12061
          },
          {
            "timestamp": "2026-05-28 22:01:58,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0002001f",
                "pretty_value": "KEY_READ|KEY_WRITE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000008ec"
              },
              {
                "name": "ObjectAttributesName",
                "value": "{57683f06-a08b-4708-8825-5c26f410744b}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{57683f06-a08b-4708-8825-5c26f410744b}"
              }
            ],
            "repeated": 0,
            "id": 12062
          },
          {
            "timestamp": "2026-05-28 22:01:58,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f0"
              },
              {
                "name": "ValueName",
                "value": "ProviderType"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{57683f06-a08b-4708-8825-5c26f410744b}\\ProviderType"
              }
            ],
            "repeated": 0,
            "id": 12063
          },
          {
            "timestamp": "2026-05-28 22:01:58,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f0"
              },
              {
                "name": "ValueName",
                "value": "ProviderName"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{57683f06-a08b-4708-8825-5c26f410744b}\\ProviderName"
              }
            ],
            "repeated": 0,
            "id": 12064
          },
          {
            "timestamp": "2026-05-28 22:01:58,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f0"
              },
              {
                "name": "ValueName",
                "value": "ApplicationIdentity"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{57683f06-a08b-4708-8825-5c26f410744b}\\ApplicationIdentity"
              }
            ],
            "repeated": 0,
            "id": 12065
          },
          {
            "timestamp": "2026-05-28 22:01:58,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f0"
              },
              {
                "name": "ValueName",
                "value": "ApplicationIdentity"
              },
              {
                "name": "Type",
                "value": "2",
                "pretty_value": "REG_EXPAND_SZ"
              },
              {
                "name": "Information",
                "value": "rdpcorets.dll"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{57683f06-a08b-4708-8825-5c26f410744b}\\ApplicationIdentity"
              }
            ],
            "repeated": 0,
            "id": 12066
          },
          {
            "timestamp": "2026-05-28 22:01:58,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtEnumerateKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f0"
              },
              {
                "name": "Index",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 12067
          },
          {
            "timestamp": "2026-05-28 22:01:58,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0002001f",
                "pretty_value": "KEY_READ|KEY_WRITE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000008f0"
              },
              {
                "name": "ObjectAttributesName",
                "value": "{d9ff82a4-a6a2-4fa5-899e-086ead3bab21}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{57683f06-a08b-4708-8825-5c26f410744b}\\{d9ff82a4-a6a2-4fa5-899e-086ead3bab21}"
              }
            ],
            "repeated": 0,
            "id": 12068
          },
          {
            "timestamp": "2026-05-28 22:01:58,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f4"
              },
              {
                "name": "ValueName",
                "value": "InstanceType"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "2"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{57683f06-a08b-4708-8825-5c26f410744b}\\{d9ff82a4-a6a2-4fa5-899e-086ead3bab21}\\InstanceType"
              }
            ],
            "repeated": 0,
            "id": 12069
          },
          {
            "timestamp": "2026-05-28 22:01:58,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000008f4"
              }
            ],
            "repeated": 0,
            "id": 12070
          },
          {
            "timestamp": "2026-05-28 22:01:58,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtEnumerateKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f0"
              },
              {
                "name": "Index",
                "value": "1"
              }
            ],
            "repeated": 0,
            "id": 12071
          },
          {
            "timestamp": "2026-05-28 22:01:58,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0002001f",
                "pretty_value": "KEY_READ|KEY_WRITE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000008f0"
              },
              {
                "name": "ObjectAttributesName",
                "value": "{e0e99beb-f7d6-4402-ab36-e510d7048f22}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{57683f06-a08b-4708-8825-5c26f410744b}\\{e0e99beb-f7d6-4402-ab36-e510d7048f22}"
              }
            ],
            "repeated": 0,
            "id": 12072
          },
          {
            "timestamp": "2026-05-28 22:01:58,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000008f4"
              }
            ],
            "repeated": 0,
            "id": 12073
          },
          {
            "timestamp": "2026-05-28 22:01:58,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtEnumerateKey",
            "status": false,
            "return": "0xffffffff8000001a",
            "pretty_return": "NO_MORE_ENTRIES",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f0"
              },
              {
                "name": "Index",
                "value": "2"
              }
            ],
            "repeated": 0,
            "id": 12074
          },
          {
            "timestamp": "2026-05-28 22:01:58,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000008f0"
              }
            ],
            "repeated": 0,
            "id": 12075
          },
          {
            "timestamp": "2026-05-28 22:01:58,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtEnumerateKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008ec"
              },
              {
                "name": "Index",
                "value": "16"
              }
            ],
            "repeated": 0,
            "id": 12076
          },
          {
            "timestamp": "2026-05-28 22:01:58,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0002001f",
                "pretty_value": "KEY_READ|KEY_WRITE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000008ec"
              },
              {
                "name": "ObjectAttributesName",
                "value": "{57ec1e30-406c-48ee-8e96-5da71298991f}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{57ec1e30-406c-48ee-8e96-5da71298991f}"
              }
            ],
            "repeated": 0,
            "id": 12077
          },
          {
            "timestamp": "2026-05-28 22:01:58,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtEnumerateKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f0"
              },
              {
                "name": "Index",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 12078
          },
          {
            "timestamp": "2026-05-28 22:01:58,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0002001f",
                "pretty_value": "KEY_READ|KEY_WRITE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000008f0"
              },
              {
                "name": "ObjectAttributesName",
                "value": "{6f1a94cb-68ed-4a84-9668-64e671e1ffef}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{57ec1e30-406c-48ee-8e96-5da71298991f}\\{6f1a94cb-68ed-4a84-9668-64e671e1ffef}"
              }
            ],
            "repeated": 0,
            "id": 12079
          },
          {
            "timestamp": "2026-05-28 22:01:58,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000008f4"
              }
            ],
            "repeated": 0,
            "id": 12080
          },
          {
            "timestamp": "2026-05-28 22:01:58,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtEnumerateKey",
            "status": false,
            "return": "0xffffffff8000001a",
            "pretty_return": "NO_MORE_ENTRIES",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f0"
              },
              {
                "name": "Index",
                "value": "1"
              }
            ],
            "repeated": 0,
            "id": 12081
          },
          {
            "timestamp": "2026-05-28 22:01:58,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000008f0"
              }
            ],
            "repeated": 0,
            "id": 12082
          },
          {
            "timestamp": "2026-05-28 22:01:58,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtEnumerateKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008ec"
              },
              {
                "name": "Index",
                "value": "17"
              }
            ],
            "repeated": 0,
            "id": 12083
          },
          {
            "timestamp": "2026-05-28 22:01:58,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0002001f",
                "pretty_value": "KEY_READ|KEY_WRITE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000008ec"
              },
              {
                "name": "ObjectAttributesName",
                "value": "{5c3b2414-fd1d-44fb-8b00-e3194209dd1a}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{5c3b2414-fd1d-44fb-8b00-e3194209dd1a}"
              }
            ],
            "repeated": 0,
            "id": 12084
          },
          {
            "timestamp": "2026-05-28 22:01:58,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtEnumerateKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f0"
              },
              {
                "name": "Index",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 12085
          },
          {
            "timestamp": "2026-05-28 22:01:58,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0002001f",
                "pretty_value": "KEY_READ|KEY_WRITE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000008f0"
              },
              {
                "name": "ObjectAttributesName",
                "value": "{227419d5-f6d8-4fb7-85d6-2cac1725e4a9}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{5c3b2414-fd1d-44fb-8b00-e3194209dd1a}\\{227419d5-f6d8-4fb7-85d6-2cac1725e4a9}"
              }
            ],
            "repeated": 0,
            "id": 12086
          },
          {
            "timestamp": "2026-05-28 22:01:58,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000008f4"
              }
            ],
            "repeated": 0,
            "id": 12087
          },
          {
            "timestamp": "2026-05-28 22:01:58,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtEnumerateKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f0"
              },
              {
                "name": "Index",
                "value": "1"
              }
            ],
            "repeated": 0,
            "id": 12088
          },
          {
            "timestamp": "2026-05-28 22:01:58,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0002001f",
                "pretty_value": "KEY_READ|KEY_WRITE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000008f0"
              },
              {
                "name": "ObjectAttributesName",
                "value": "{978c167d-4764-4d9c-9824-14747351dc81}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{5c3b2414-fd1d-44fb-8b00-e3194209dd1a}\\{978c167d-4764-4d9c-9824-14747351dc81}"
              }
            ],
            "repeated": 0,
            "id": 12089
          },
          {
            "timestamp": "2026-05-28 22:01:58,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000008f4"
              }
            ],
            "repeated": 0,
            "id": 12090
          },
          {
            "timestamp": "2026-05-28 22:01:58,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtEnumerateKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f0"
              },
              {
                "name": "Index",
                "value": "2"
              }
            ],
            "repeated": 0,
            "id": 12091
          },
          {
            "timestamp": "2026-05-28 22:01:58,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0002001f",
                "pretty_value": "KEY_READ|KEY_WRITE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000008f0"
              },
              {
                "name": "ObjectAttributesName",
                "value": "{be2139c7-ab81-424d-b107-d87f7c9322ac}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{5c3b2414-fd1d-44fb-8b00-e3194209dd1a}\\{be2139c7-ab81-424d-b107-d87f7c9322ac}"
              }
            ],
            "repeated": 0,
            "id": 12092
          },
          {
            "timestamp": "2026-05-28 22:01:58,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000008f4"
              }
            ],
            "repeated": 0,
            "id": 12093
          },
          {
            "timestamp": "2026-05-28 22:01:58,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtEnumerateKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f0"
              },
              {
                "name": "Index",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 12094
          },
          {
            "timestamp": "2026-05-28 22:01:58,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0002001f",
                "pretty_value": "KEY_READ|KEY_WRITE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000008f0"
              },
              {
                "name": "ObjectAttributesName",
                "value": "{f802502b-77b4-4713-81b3-3be05759da5d}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{5c3b2414-fd1d-44fb-8b00-e3194209dd1a}\\{f802502b-77b4-4713-81b3-3be05759da5d}"
              }
            ],
            "repeated": 0,
            "id": 12095
          },
          {
            "timestamp": "2026-05-28 22:01:58,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000008f4"
              }
            ],
            "repeated": 0,
            "id": 12096
          },
          {
            "timestamp": "2026-05-28 22:01:58,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtEnumerateKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f0"
              },
              {
                "name": "Index",
                "value": "4"
              }
            ],
            "repeated": 0,
            "id": 12097
          },
          {
            "timestamp": "2026-05-28 22:01:58,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0002001f",
                "pretty_value": "KEY_READ|KEY_WRITE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000008f0"
              },
              {
                "name": "ObjectAttributesName",
                "value": "{f9ed01f5-8f3e-4956-973f-9f05bc96f489}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{5c3b2414-fd1d-44fb-8b00-e3194209dd1a}\\{f9ed01f5-8f3e-4956-973f-9f05bc96f489}"
              }
            ],
            "repeated": 0,
            "id": 12098
          },
          {
            "timestamp": "2026-05-28 22:01:58,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000008f4"
              }
            ],
            "repeated": 0,
            "id": 12099
          },
          {
            "timestamp": "2026-05-28 22:01:58,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtEnumerateKey",
            "status": false,
            "return": "0xffffffff8000001a",
            "pretty_return": "NO_MORE_ENTRIES",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f0"
              },
              {
                "name": "Index",
                "value": "5"
              }
            ],
            "repeated": 0,
            "id": 12100
          },
          {
            "timestamp": "2026-05-28 22:01:58,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000008f0"
              }
            ],
            "repeated": 0,
            "id": 12101
          },
          {
            "timestamp": "2026-05-28 22:01:58,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtEnumerateKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008ec"
              },
              {
                "name": "Index",
                "value": "18"
              }
            ],
            "repeated": 0,
            "id": 12102
          },
          {
            "timestamp": "2026-05-28 22:01:58,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0002001f",
                "pretty_value": "KEY_READ|KEY_WRITE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000008ec"
              },
              {
                "name": "ObjectAttributesName",
                "value": "{5db760bc-64b2-4da7-b4ef-7dab105fbb8c}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{5db760bc-64b2-4da7-b4ef-7dab105fbb8c}"
              }
            ],
            "repeated": 0,
            "id": 12103
          },
          {
            "timestamp": "2026-05-28 22:01:58,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtEnumerateKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f0"
              },
              {
                "name": "Index",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 12104
          },
          {
            "timestamp": "2026-05-28 22:01:58,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0002001f",
                "pretty_value": "KEY_READ|KEY_WRITE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000008f0"
              },
              {
                "name": "ObjectAttributesName",
                "value": "{faa17411-9025-4b86-8b5e-ce2f32b06e13}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{5db760bc-64b2-4da7-b4ef-7dab105fbb8c}\\{faa17411-9025-4b86-8b5e-ce2f32b06e13}"
              }
            ],
            "repeated": 0,
            "id": 12105
          },
          {
            "timestamp": "2026-05-28 22:01:58,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000008f4"
              }
            ],
            "repeated": 0,
            "id": 12106
          },
          {
            "timestamp": "2026-05-28 22:01:58,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtEnumerateKey",
            "status": false,
            "return": "0xffffffff8000001a",
            "pretty_return": "NO_MORE_ENTRIES",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f0"
              },
              {
                "name": "Index",
                "value": "1"
              }
            ],
            "repeated": 0,
            "id": 12107
          },
          {
            "timestamp": "2026-05-28 22:01:58,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000008f0"
              }
            ],
            "repeated": 0,
            "id": 12108
          },
          {
            "timestamp": "2026-05-28 22:01:58,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtEnumerateKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008ec"
              },
              {
                "name": "Index",
                "value": "19"
              }
            ],
            "repeated": 0,
            "id": 12109
          },
          {
            "timestamp": "2026-05-28 22:01:58,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0002001f",
                "pretty_value": "KEY_READ|KEY_WRITE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000008ec"
              },
              {
                "name": "ObjectAttributesName",
                "value": "{5e6554b3-ccf8-4769-b82b-798f4cce5483}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{5e6554b3-ccf8-4769-b82b-798f4cce5483}"
              }
            ],
            "repeated": 0,
            "id": 12110
          },
          {
            "timestamp": "2026-05-28 22:01:58,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtEnumerateKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f0"
              },
              {
                "name": "Index",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 12111
          },
          {
            "timestamp": "2026-05-28 22:01:58,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0002001f",
                "pretty_value": "KEY_READ|KEY_WRITE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000008f0"
              },
              {
                "name": "ObjectAttributesName",
                "value": "{ac5e8416-9f39-4166-951f-88ee9635b1d8}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{5e6554b3-ccf8-4769-b82b-798f4cce5483}\\{ac5e8416-9f39-4166-951f-88ee9635b1d8}"
              }
            ],
            "repeated": 0,
            "id": 12112
          },
          {
            "timestamp": "2026-05-28 22:01:58,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000008f4"
              }
            ],
            "repeated": 0,
            "id": 12113
          },
          {
            "timestamp": "2026-05-28 22:01:58,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtEnumerateKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f0"
              },
              {
                "name": "Index",
                "value": "1"
              }
            ],
            "repeated": 0,
            "id": 12114
          },
          {
            "timestamp": "2026-05-28 22:01:58,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0002001f",
                "pretty_value": "KEY_READ|KEY_WRITE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000008f0"
              },
              {
                "name": "ObjectAttributesName",
                "value": "{b790d108-d503-47ec-9d7b-b39737b39dba}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{5e6554b3-ccf8-4769-b82b-798f4cce5483}\\{b790d108-d503-47ec-9d7b-b39737b39dba}"
              }
            ],
            "repeated": 0,
            "id": 12115
          },
          {
            "timestamp": "2026-05-28 22:01:58,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000008f4"
              }
            ],
            "repeated": 0,
            "id": 12116
          },
          {
            "timestamp": "2026-05-28 22:01:58,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtEnumerateKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f0"
              },
              {
                "name": "Index",
                "value": "2"
              }
            ],
            "repeated": 0,
            "id": 12117
          },
          {
            "timestamp": "2026-05-28 22:01:58,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0002001f",
                "pretty_value": "KEY_READ|KEY_WRITE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000008f0"
              },
              {
                "name": "ObjectAttributesName",
                "value": "{e4a2b264-7187-41ca-aa73-7dc698d49ed1}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{5e6554b3-ccf8-4769-b82b-798f4cce5483}\\{e4a2b264-7187-41ca-aa73-7dc698d49ed1}"
              }
            ],
            "repeated": 0,
            "id": 12118
          },
          {
            "timestamp": "2026-05-28 22:01:58,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000008f4"
              }
            ],
            "repeated": 0,
            "id": 12119
          },
          {
            "timestamp": "2026-05-28 22:01:58,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtEnumerateKey",
            "status": false,
            "return": "0xffffffff8000001a",
            "pretty_return": "NO_MORE_ENTRIES",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f0"
              },
              {
                "name": "Index",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 12120
          },
          {
            "timestamp": "2026-05-28 22:01:58,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000008f0"
              }
            ],
            "repeated": 0,
            "id": 12121
          },
          {
            "timestamp": "2026-05-28 22:01:58,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtEnumerateKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008ec"
              },
              {
                "name": "Index",
                "value": "20"
              }
            ],
            "repeated": 0,
            "id": 12122
          },
          {
            "timestamp": "2026-05-28 22:01:58,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0002001f",
                "pretty_value": "KEY_READ|KEY_WRITE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000008ec"
              },
              {
                "name": "ObjectAttributesName",
                "value": "{62706b23-4f66-4c53-b6cc-c6600ccc2752}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{62706b23-4f66-4c53-b6cc-c6600ccc2752}"
              }
            ],
            "repeated": 0,
            "id": 12123
          },
          {
            "timestamp": "2026-05-28 22:01:58,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtEnumerateKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f0"
              },
              {
                "name": "Index",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 12124
          },
          {
            "timestamp": "2026-05-28 22:01:58,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0002001f",
                "pretty_value": "KEY_READ|KEY_WRITE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000008f0"
              },
              {
                "name": "ObjectAttributesName",
                "value": "{08fb768b-1e55-4040-b153-e0ddbedd8042}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{62706b23-4f66-4c53-b6cc-c6600ccc2752}\\{08fb768b-1e55-4040-b153-e0ddbedd8042}"
              }
            ],
            "repeated": 0,
            "id": 12125
          },
          {
            "timestamp": "2026-05-28 22:01:58,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000008f4"
              }
            ],
            "repeated": 0,
            "id": 12126
          },
          {
            "timestamp": "2026-05-28 22:01:58,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtEnumerateKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f0"
              },
              {
                "name": "Index",
                "value": "1"
              }
            ],
            "repeated": 0,
            "id": 12127
          },
          {
            "timestamp": "2026-05-28 22:01:58,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0002001f",
                "pretty_value": "KEY_READ|KEY_WRITE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000008f0"
              },
              {
                "name": "ObjectAttributesName",
                "value": "{21a64f86-6cbe-47e1-a497-261226ca12f7}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{62706b23-4f66-4c53-b6cc-c6600ccc2752}\\{21a64f86-6cbe-47e1-a497-261226ca12f7}"
              }
            ],
            "repeated": 0,
            "id": 12128
          },
          {
            "timestamp": "2026-05-28 22:01:58,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000008f4"
              }
            ],
            "repeated": 0,
            "id": 12129
          },
          {
            "timestamp": "2026-05-28 22:01:58,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtEnumerateKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f0"
              },
              {
                "name": "Index",
                "value": "2"
              }
            ],
            "repeated": 0,
            "id": 12130
          },
          {
            "timestamp": "2026-05-28 22:01:58,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0002001f",
                "pretty_value": "KEY_READ|KEY_WRITE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000008f0"
              },
              {
                "name": "ObjectAttributesName",
                "value": "{60aa43c9-c1b7-41bf-9b4c-b7f6cc1d93b9}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{62706b23-4f66-4c53-b6cc-c6600ccc2752}\\{60aa43c9-c1b7-41bf-9b4c-b7f6cc1d93b9}"
              }
            ],
            "repeated": 0,
            "id": 12131
          },
          {
            "timestamp": "2026-05-28 22:01:58,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000008f4"
              }
            ],
            "repeated": 0,
            "id": 12132
          },
          {
            "timestamp": "2026-05-28 22:01:58,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtEnumerateKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f0"
              },
              {
                "name": "Index",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 12133
          },
          {
            "timestamp": "2026-05-28 22:01:58,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0002001f",
                "pretty_value": "KEY_READ|KEY_WRITE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000008f0"
              },
              {
                "name": "ObjectAttributesName",
                "value": "{65faa5f0-141d-4f38-acf0-c79bb0c7be2d}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{62706b23-4f66-4c53-b6cc-c6600ccc2752}\\{65faa5f0-141d-4f38-acf0-c79bb0c7be2d}"
              }
            ],
            "repeated": 0,
            "id": 12134
          },
          {
            "timestamp": "2026-05-28 22:01:58,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000008f4"
              }
            ],
            "repeated": 0,
            "id": 12135
          },
          {
            "timestamp": "2026-05-28 22:01:58,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtEnumerateKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f0"
              },
              {
                "name": "Index",
                "value": "4"
              }
            ],
            "repeated": 0,
            "id": 12136
          },
          {
            "timestamp": "2026-05-28 22:01:58,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0002001f",
                "pretty_value": "KEY_READ|KEY_WRITE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000008f0"
              },
              {
                "name": "ObjectAttributesName",
                "value": "{c0df9671-a0ea-4576-9f81-853127cf8d28}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{62706b23-4f66-4c53-b6cc-c6600ccc2752}\\{c0df9671-a0ea-4576-9f81-853127cf8d28}"
              }
            ],
            "repeated": 0,
            "id": 12137
          },
          {
            "timestamp": "2026-05-28 22:01:58,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000008f4"
              }
            ],
            "repeated": 0,
            "id": 12138
          },
          {
            "timestamp": "2026-05-28 22:01:58,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtEnumerateKey",
            "status": false,
            "return": "0xffffffff8000001a",
            "pretty_return": "NO_MORE_ENTRIES",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f0"
              },
              {
                "name": "Index",
                "value": "5"
              }
            ],
            "repeated": 0,
            "id": 12139
          },
          {
            "timestamp": "2026-05-28 22:01:58,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000008f0"
              }
            ],
            "repeated": 0,
            "id": 12140
          },
          {
            "timestamp": "2026-05-28 22:01:58,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtEnumerateKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008ec"
              },
              {
                "name": "Index",
                "value": "21"
              }
            ],
            "repeated": 0,
            "id": 12141
          },
          {
            "timestamp": "2026-05-28 22:01:58,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0002001f",
                "pretty_value": "KEY_READ|KEY_WRITE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000008ec"
              },
              {
                "name": "ObjectAttributesName",
                "value": "{71cb4f3b-e29c-4619-a5d5-5fd6a68120ad}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{71cb4f3b-e29c-4619-a5d5-5fd6a68120ad}"
              }
            ],
            "repeated": 0,
            "id": 12142
          },
          {
            "timestamp": "2026-05-28 22:01:58,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtEnumerateKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f0"
              },
              {
                "name": "Index",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 12143
          },
          {
            "timestamp": "2026-05-28 22:01:58,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0002001f",
                "pretty_value": "KEY_READ|KEY_WRITE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000008f0"
              },
              {
                "name": "ObjectAttributesName",
                "value": "{3c8cb362-147c-4105-b98b-11fd7e671dd7}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{71cb4f3b-e29c-4619-a5d5-5fd6a68120ad}\\{3c8cb362-147c-4105-b98b-11fd7e671dd7}"
              }
            ],
            "repeated": 0,
            "id": 12144
          },
          {
            "timestamp": "2026-05-28 22:01:58,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000008f4"
              }
            ],
            "repeated": 0,
            "id": 12145
          },
          {
            "timestamp": "2026-05-28 22:01:58,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtEnumerateKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f0"
              },
              {
                "name": "Index",
                "value": "1"
              }
            ],
            "repeated": 0,
            "id": 12146
          },
          {
            "timestamp": "2026-05-28 22:01:58,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0002001f",
                "pretty_value": "KEY_READ|KEY_WRITE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000008f0"
              },
              {
                "name": "ObjectAttributesName",
                "value": "{7b08ee8b-88d7-4cad-a06f-70d1c4b65ee7}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{71cb4f3b-e29c-4619-a5d5-5fd6a68120ad}\\{7b08ee8b-88d7-4cad-a06f-70d1c4b65ee7}"
              }
            ],
            "repeated": 0,
            "id": 12147
          },
          {
            "timestamp": "2026-05-28 22:01:58,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000008f4"
              }
            ],
            "repeated": 0,
            "id": 12148
          },
          {
            "timestamp": "2026-05-28 22:01:58,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtEnumerateKey",
            "status": false,
            "return": "0xffffffff8000001a",
            "pretty_return": "NO_MORE_ENTRIES",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f0"
              },
              {
                "name": "Index",
                "value": "2"
              }
            ],
            "repeated": 0,
            "id": 12149
          },
          {
            "timestamp": "2026-05-28 22:01:58,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000008f0"
              }
            ],
            "repeated": 0,
            "id": 12150
          },
          {
            "timestamp": "2026-05-28 22:01:58,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtEnumerateKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008ec"
              },
              {
                "name": "Index",
                "value": "22"
              }
            ],
            "repeated": 0,
            "id": 12151
          },
          {
            "timestamp": "2026-05-28 22:01:58,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0002001f",
                "pretty_value": "KEY_READ|KEY_WRITE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000008ec"
              },
              {
                "name": "ObjectAttributesName",
                "value": "{74800676-866f-4bbd-8680-dac6a6fb6c8e}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{74800676-866f-4bbd-8680-dac6a6fb6c8e}"
              }
            ],
            "repeated": 0,
            "id": 12152
          },
          {
            "timestamp": "2026-05-28 22:01:58,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtEnumerateKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f0"
              },
              {
                "name": "Index",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 12153
          },
          {
            "timestamp": "2026-05-28 22:01:58,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0002001f",
                "pretty_value": "KEY_READ|KEY_WRITE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000008f0"
              },
              {
                "name": "ObjectAttributesName",
                "value": "{06ebf20d-17fb-4338-a08d-7a99f17ca678}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{74800676-866f-4bbd-8680-dac6a6fb6c8e}\\{06ebf20d-17fb-4338-a08d-7a99f17ca678}"
              }
            ],
            "repeated": 0,
            "id": 12154
          },
          {
            "timestamp": "2026-05-28 22:01:58,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000008f4"
              }
            ],
            "repeated": 0,
            "id": 12155
          },
          {
            "timestamp": "2026-05-28 22:01:58,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtEnumerateKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f0"
              },
              {
                "name": "Index",
                "value": "1"
              }
            ],
            "repeated": 0,
            "id": 12156
          },
          {
            "timestamp": "2026-05-28 22:01:58,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0002001f",
                "pretty_value": "KEY_READ|KEY_WRITE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000008f0"
              },
              {
                "name": "ObjectAttributesName",
                "value": "{ad8644c4-ae02-4b22-990d-52b491f91c26}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{74800676-866f-4bbd-8680-dac6a6fb6c8e}\\{ad8644c4-ae02-4b22-990d-52b491f91c26}"
              }
            ],
            "repeated": 0,
            "id": 12157
          },
          {
            "timestamp": "2026-05-28 22:01:58,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000008f4"
              }
            ],
            "repeated": 0,
            "id": 12158
          },
          {
            "timestamp": "2026-05-28 22:01:58,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtEnumerateKey",
            "status": false,
            "return": "0xffffffff8000001a",
            "pretty_return": "NO_MORE_ENTRIES",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f0"
              },
              {
                "name": "Index",
                "value": "2"
              }
            ],
            "repeated": 0,
            "id": 12159
          },
          {
            "timestamp": "2026-05-28 22:01:58,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000008f0"
              }
            ],
            "repeated": 0,
            "id": 12160
          },
          {
            "timestamp": "2026-05-28 22:01:58,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtEnumerateKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008ec"
              },
              {
                "name": "Index",
                "value": "23"
              }
            ],
            "repeated": 0,
            "id": 12161
          },
          {
            "timestamp": "2026-05-28 22:01:58,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0002001f",
                "pretty_value": "KEY_READ|KEY_WRITE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000008ec"
              },
              {
                "name": "ObjectAttributesName",
                "value": "{890c10c3-8c2a-4fe3-a36a-9eca153d47cb}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{890c10c3-8c2a-4fe3-a36a-9eca153d47cb}"
              }
            ],
            "repeated": 0,
            "id": 12162
          },
          {
            "timestamp": "2026-05-28 22:01:58,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtEnumerateKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f0"
              },
              {
                "name": "Index",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 12163
          },
          {
            "timestamp": "2026-05-28 22:01:58,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0002001f",
                "pretty_value": "KEY_READ|KEY_WRITE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000008f0"
              },
              {
                "name": "ObjectAttributesName",
                "value": "{16dcff2c-91a3-4e6a-8135-0a9e6681c1b5}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{890c10c3-8c2a-4fe3-a36a-9eca153d47cb}\\{16dcff2c-91a3-4e6a-8135-0a9e6681c1b5}"
              }
            ],
            "repeated": 0,
            "id": 12164
          },
          {
            "timestamp": "2026-05-28 22:01:58,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000008f4"
              }
            ],
            "repeated": 0,
            "id": 12165
          },
          {
            "timestamp": "2026-05-28 22:01:58,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtEnumerateKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f0"
              },
              {
                "name": "Index",
                "value": "1"
              }
            ],
            "repeated": 0,
            "id": 12166
          },
          {
            "timestamp": "2026-05-28 22:01:58,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0002001f",
                "pretty_value": "KEY_READ|KEY_WRITE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000008f0"
              },
              {
                "name": "ObjectAttributesName",
                "value": "{8ebb0470-da6d-485b-8441-8e06b049157a}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{890c10c3-8c2a-4fe3-a36a-9eca153d47cb}\\{8ebb0470-da6d-485b-8441-8e06b049157a}"
              }
            ],
            "repeated": 0,
            "id": 12167
          },
          {
            "timestamp": "2026-05-28 22:01:58,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000008f4"
              }
            ],
            "repeated": 0,
            "id": 12168
          },
          {
            "timestamp": "2026-05-28 22:01:58,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtEnumerateKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f0"
              },
              {
                "name": "Index",
                "value": "2"
              }
            ],
            "repeated": 0,
            "id": 12169
          },
          {
            "timestamp": "2026-05-28 22:01:58,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0002001f",
                "pretty_value": "KEY_READ|KEY_WRITE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000008f0"
              },
              {
                "name": "ObjectAttributesName",
                "value": "{e829b6db-21ab-453b-83c9-d980ec708edd}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{890c10c3-8c2a-4fe3-a36a-9eca153d47cb}\\{e829b6db-21ab-453b-83c9-d980ec708edd}"
              }
            ],
            "repeated": 0,
            "id": 12170
          },
          {
            "timestamp": "2026-05-28 22:01:58,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000008f4"
              }
            ],
            "repeated": 0,
            "id": 12171
          },
          {
            "timestamp": "2026-05-28 22:01:58,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtEnumerateKey",
            "status": false,
            "return": "0xffffffff8000001a",
            "pretty_return": "NO_MORE_ENTRIES",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f0"
              },
              {
                "name": "Index",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 12172
          },
          {
            "timestamp": "2026-05-28 22:01:58,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000008f0"
              }
            ],
            "repeated": 0,
            "id": 12173
          },
          {
            "timestamp": "2026-05-28 22:01:58,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtEnumerateKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008ec"
              },
              {
                "name": "Index",
                "value": "24"
              }
            ],
            "repeated": 0,
            "id": 12174
          },
          {
            "timestamp": "2026-05-28 22:01:58,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0002001f",
                "pretty_value": "KEY_READ|KEY_WRITE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000008ec"
              },
              {
                "name": "ObjectAttributesName",
                "value": "{898a4828-e6e6-4ddd-abb2-5751e3949aa4}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{898a4828-e6e6-4ddd-abb2-5751e3949aa4}"
              }
            ],
            "repeated": 0,
            "id": 12175
          },
          {
            "timestamp": "2026-05-28 22:01:58,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtEnumerateKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f0"
              },
              {
                "name": "Index",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 12176
          },
          {
            "timestamp": "2026-05-28 22:01:58,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0002001f",
                "pretty_value": "KEY_READ|KEY_WRITE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000008f0"
              },
              {
                "name": "ObjectAttributesName",
                "value": "{115b92b4-7191-491a-a9b5-93c8e9fb641b}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{898a4828-e6e6-4ddd-abb2-5751e3949aa4}\\{115b92b4-7191-491a-a9b5-93c8e9fb641b}"
              }
            ],
            "repeated": 0,
            "id": 12177
          },
          {
            "timestamp": "2026-05-28 22:01:58,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000008f4"
              }
            ],
            "repeated": 0,
            "id": 12178
          },
          {
            "timestamp": "2026-05-28 22:01:58,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtEnumerateKey",
            "status": false,
            "return": "0xffffffff8000001a",
            "pretty_return": "NO_MORE_ENTRIES",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f0"
              },
              {
                "name": "Index",
                "value": "1"
              }
            ],
            "repeated": 0,
            "id": 12179
          },
          {
            "timestamp": "2026-05-28 22:01:58,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000008f0"
              }
            ],
            "repeated": 0,
            "id": 12180
          },
          {
            "timestamp": "2026-05-28 22:01:58,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtEnumerateKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008ec"
              },
              {
                "name": "Index",
                "value": "25"
              }
            ],
            "repeated": 0,
            "id": 12181
          },
          {
            "timestamp": "2026-05-28 22:01:58,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0002001f",
                "pretty_value": "KEY_READ|KEY_WRITE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000008ec"
              },
              {
                "name": "ObjectAttributesName",
                "value": "{9eeedeb1-de39-4fba-9cd5-6521b9f19984}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{9eeedeb1-de39-4fba-9cd5-6521b9f19984}"
              }
            ],
            "repeated": 0,
            "id": 12182
          },
          {
            "timestamp": "2026-05-28 22:01:58,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtEnumerateKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f0"
              },
              {
                "name": "Index",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 12183
          },
          {
            "timestamp": "2026-05-28 22:01:58,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0002001f",
                "pretty_value": "KEY_READ|KEY_WRITE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000008f0"
              },
              {
                "name": "ObjectAttributesName",
                "value": "{2b048375-f829-4b1d-b117-681e9ead1d50}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{9eeedeb1-de39-4fba-9cd5-6521b9f19984}\\{2b048375-f829-4b1d-b117-681e9ead1d50}"
              }
            ],
            "repeated": 0,
            "id": 12184
          },
          {
            "timestamp": "2026-05-28 22:01:58,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000008f4"
              }
            ],
            "repeated": 0,
            "id": 12185
          },
          {
            "timestamp": "2026-05-28 22:01:58,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtEnumerateKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f0"
              },
              {
                "name": "Index",
                "value": "1"
              }
            ],
            "repeated": 0,
            "id": 12186
          },
          {
            "timestamp": "2026-05-28 22:01:58,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0002001f",
                "pretty_value": "KEY_READ|KEY_WRITE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000008f0"
              },
              {
                "name": "ObjectAttributesName",
                "value": "{c71cfb00-0ecc-43a3-bf5a-a90ca7718033}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{9eeedeb1-de39-4fba-9cd5-6521b9f19984}\\{c71cfb00-0ecc-43a3-bf5a-a90ca7718033}"
              }
            ],
            "repeated": 0,
            "id": 12187
          },
          {
            "timestamp": "2026-05-28 22:01:58,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000008f4"
              }
            ],
            "repeated": 0,
            "id": 12188
          },
          {
            "timestamp": "2026-05-28 22:01:58,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtEnumerateKey",
            "status": false,
            "return": "0xffffffff8000001a",
            "pretty_return": "NO_MORE_ENTRIES",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f0"
              },
              {
                "name": "Index",
                "value": "2"
              }
            ],
            "repeated": 0,
            "id": 12189
          },
          {
            "timestamp": "2026-05-28 22:01:58,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000008f0"
              }
            ],
            "repeated": 0,
            "id": 12190
          },
          {
            "timestamp": "2026-05-28 22:01:58,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtEnumerateKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008ec"
              },
              {
                "name": "Index",
                "value": "26"
              }
            ],
            "repeated": 0,
            "id": 12191
          },
          {
            "timestamp": "2026-05-28 22:01:58,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0002001f",
                "pretty_value": "KEY_READ|KEY_WRITE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000008ec"
              },
              {
                "name": "ObjectAttributesName",
                "value": "{a18453e4-433b-4d33-ac66-2551e3bba9be}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{a18453e4-433b-4d33-ac66-2551e3bba9be}"
              }
            ],
            "repeated": 0,
            "id": 12192
          },
          {
            "timestamp": "2026-05-28 22:01:58,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtEnumerateKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f0"
              },
              {
                "name": "Index",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 12193
          },
          {
            "timestamp": "2026-05-28 22:01:58,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0002001f",
                "pretty_value": "KEY_READ|KEY_WRITE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000008f0"
              },
              {
                "name": "ObjectAttributesName",
                "value": "{66f19dff-a4dd-4802-8fbb-29e6a54af9da}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{a18453e4-433b-4d33-ac66-2551e3bba9be}\\{66f19dff-a4dd-4802-8fbb-29e6a54af9da}"
              }
            ],
            "repeated": 0,
            "id": 12194
          },
          {
            "timestamp": "2026-05-28 22:01:58,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000008f4"
              }
            ],
            "repeated": 0,
            "id": 12195
          },
          {
            "timestamp": "2026-05-28 22:01:58,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtEnumerateKey",
            "status": false,
            "return": "0xffffffff8000001a",
            "pretty_return": "NO_MORE_ENTRIES",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f0"
              },
              {
                "name": "Index",
                "value": "1"
              }
            ],
            "repeated": 0,
            "id": 12196
          },
          {
            "timestamp": "2026-05-28 22:01:58,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000008f0"
              }
            ],
            "repeated": 0,
            "id": 12197
          },
          {
            "timestamp": "2026-05-28 22:01:58,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtEnumerateKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008ec"
              },
              {
                "name": "Index",
                "value": "27"
              }
            ],
            "repeated": 0,
            "id": 12198
          },
          {
            "timestamp": "2026-05-28 22:01:58,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0002001f",
                "pretty_value": "KEY_READ|KEY_WRITE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000008ec"
              },
              {
                "name": "ObjectAttributesName",
                "value": "{a3886623-dd46-48fc-a1f9-e3da35125995}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{a3886623-dd46-48fc-a1f9-e3da35125995}"
              }
            ],
            "repeated": 0,
            "id": 12199
          },
          {
            "timestamp": "2026-05-28 22:01:58,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtEnumerateKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f0"
              },
              {
                "name": "Index",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 12200
          },
          {
            "timestamp": "2026-05-28 22:01:58,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0002001f",
                "pretty_value": "KEY_READ|KEY_WRITE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000008f0"
              },
              {
                "name": "ObjectAttributesName",
                "value": "{042478fc-1449-4b04-a0d8-ba5660ab739a}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{a3886623-dd46-48fc-a1f9-e3da35125995}\\{042478fc-1449-4b04-a0d8-ba5660ab739a}"
              }
            ],
            "repeated": 0,
            "id": 12201
          },
          {
            "timestamp": "2026-05-28 22:01:58,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000008f4"
              }
            ],
            "repeated": 0,
            "id": 12202
          },
          {
            "timestamp": "2026-05-28 22:01:58,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtEnumerateKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f0"
              },
              {
                "name": "Index",
                "value": "1"
              }
            ],
            "repeated": 0,
            "id": 12203
          },
          {
            "timestamp": "2026-05-28 22:01:58,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0002001f",
                "pretty_value": "KEY_READ|KEY_WRITE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000008f0"
              },
              {
                "name": "ObjectAttributesName",
                "value": "{3ab34489-ec07-4d11-a4bb-677b87cd58d9}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{a3886623-dd46-48fc-a1f9-e3da35125995}\\{3ab34489-ec07-4d11-a4bb-677b87cd58d9}"
              }
            ],
            "repeated": 0,
            "id": 12204
          },
          {
            "timestamp": "2026-05-28 22:01:58,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000008f4"
              }
            ],
            "repeated": 0,
            "id": 12205
          },
          {
            "timestamp": "2026-05-28 22:01:58,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtEnumerateKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f0"
              },
              {
                "name": "Index",
                "value": "2"
              }
            ],
            "repeated": 0,
            "id": 12206
          },
          {
            "timestamp": "2026-05-28 22:01:58,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0002001f",
                "pretty_value": "KEY_READ|KEY_WRITE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000008f0"
              },
              {
                "name": "ObjectAttributesName",
                "value": "{3f0903d7-5b0b-493e-abf2-a36fd7ce2601}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{a3886623-dd46-48fc-a1f9-e3da35125995}\\{3f0903d7-5b0b-493e-abf2-a36fd7ce2601}"
              }
            ],
            "repeated": 0,
            "id": 12207
          },
          {
            "timestamp": "2026-05-28 22:01:58,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000008f4"
              }
            ],
            "repeated": 0,
            "id": 12208
          },
          {
            "timestamp": "2026-05-28 22:01:58,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtEnumerateKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f0"
              },
              {
                "name": "Index",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 12209
          },
          {
            "timestamp": "2026-05-28 22:01:58,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0002001f",
                "pretty_value": "KEY_READ|KEY_WRITE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000008f0"
              },
              {
                "name": "ObjectAttributesName",
                "value": "{6800b902-8b06-11df-9561-f043dfd72085}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{a3886623-dd46-48fc-a1f9-e3da35125995}\\{6800b902-8b06-11df-9561-f043dfd72085}"
              }
            ],
            "repeated": 0,
            "id": 12210
          },
          {
            "timestamp": "2026-05-28 22:01:58,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000008f4"
              }
            ],
            "repeated": 0,
            "id": 12211
          },
          {
            "timestamp": "2026-05-28 22:01:58,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtEnumerateKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f0"
              },
              {
                "name": "Index",
                "value": "4"
              }
            ],
            "repeated": 0,
            "id": 12212
          },
          {
            "timestamp": "2026-05-28 22:01:58,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0002001f",
                "pretty_value": "KEY_READ|KEY_WRITE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000008f0"
              },
              {
                "name": "ObjectAttributesName",
                "value": "{7495d5d9-ea6a-444d-afab-e3cae27c047b}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{a3886623-dd46-48fc-a1f9-e3da35125995}\\{7495d5d9-ea6a-444d-afab-e3cae27c047b}"
              }
            ],
            "repeated": 0,
            "id": 12213
          },
          {
            "timestamp": "2026-05-28 22:01:58,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000008f4"
              }
            ],
            "repeated": 0,
            "id": 12214
          },
          {
            "timestamp": "2026-05-28 22:01:58,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtEnumerateKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f0"
              },
              {
                "name": "Index",
                "value": "5"
              }
            ],
            "repeated": 0,
            "id": 12215
          },
          {
            "timestamp": "2026-05-28 22:01:58,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0002001f",
                "pretty_value": "KEY_READ|KEY_WRITE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000008f0"
              },
              {
                "name": "ObjectAttributesName",
                "value": "{cd376bd3-9f6b-48c0-840e-1816b7a50fdc}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{a3886623-dd46-48fc-a1f9-e3da35125995}\\{cd376bd3-9f6b-48c0-840e-1816b7a50fdc}"
              }
            ],
            "repeated": 0,
            "id": 12216
          },
          {
            "timestamp": "2026-05-28 22:01:58,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000008f4"
              }
            ],
            "repeated": 0,
            "id": 12217
          },
          {
            "timestamp": "2026-05-28 22:01:58,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtEnumerateKey",
            "status": false,
            "return": "0xffffffff8000001a",
            "pretty_return": "NO_MORE_ENTRIES",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f0"
              },
              {
                "name": "Index",
                "value": "6"
              }
            ],
            "repeated": 0,
            "id": 12218
          },
          {
            "timestamp": "2026-05-28 22:01:58,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000008f0"
              }
            ],
            "repeated": 0,
            "id": 12219
          },
          {
            "timestamp": "2026-05-28 22:01:58,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtEnumerateKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008ec"
              },
              {
                "name": "Index",
                "value": "28"
              }
            ],
            "repeated": 0,
            "id": 12220
          },
          {
            "timestamp": "2026-05-28 22:01:58,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0002001f",
                "pretty_value": "KEY_READ|KEY_WRITE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000008ec"
              },
              {
                "name": "ObjectAttributesName",
                "value": "{b1c6de93-e020-4ad9-9ca5-4dd5553004cf}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{b1c6de93-e020-4ad9-9ca5-4dd5553004cf}"
              }
            ],
            "repeated": 0,
            "id": 12221
          },
          {
            "timestamp": "2026-05-28 22:01:58,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtEnumerateKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f0"
              },
              {
                "name": "Index",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 12222
          },
          {
            "timestamp": "2026-05-28 22:01:58,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0002001f",
                "pretty_value": "KEY_READ|KEY_WRITE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000008f0"
              },
              {
                "name": "ObjectAttributesName",
                "value": "{1045bf74-023b-445a-9e2b-2038ff4789a6}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{b1c6de93-e020-4ad9-9ca5-4dd5553004cf}\\{1045bf74-023b-445a-9e2b-2038ff4789a6}"
              }
            ],
            "repeated": 0,
            "id": 12223
          },
          {
            "timestamp": "2026-05-28 22:01:58,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000008f4"
              }
            ],
            "repeated": 0,
            "id": 12224
          },
          {
            "timestamp": "2026-05-28 22:01:58,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtEnumerateKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f0"
              },
              {
                "name": "Index",
                "value": "1"
              }
            ],
            "repeated": 0,
            "id": 12225
          },
          {
            "timestamp": "2026-05-28 22:01:58,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0002001f",
                "pretty_value": "KEY_READ|KEY_WRITE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000008f0"
              },
              {
                "name": "ObjectAttributesName",
                "value": "{86b34670-d4bb-40c9-8301-33fb16675d61}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{b1c6de93-e020-4ad9-9ca5-4dd5553004cf}\\{86b34670-d4bb-40c9-8301-33fb16675d61}"
              }
            ],
            "repeated": 0,
            "id": 12226
          },
          {
            "timestamp": "2026-05-28 22:01:58,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000008f4"
              }
            ],
            "repeated": 0,
            "id": 12227
          },
          {
            "timestamp": "2026-05-28 22:01:58,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtEnumerateKey",
            "status": false,
            "return": "0xffffffff8000001a",
            "pretty_return": "NO_MORE_ENTRIES",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f0"
              },
              {
                "name": "Index",
                "value": "2"
              }
            ],
            "repeated": 0,
            "id": 12228
          },
          {
            "timestamp": "2026-05-28 22:01:58,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000008f0"
              }
            ],
            "repeated": 0,
            "id": 12229
          },
          {
            "timestamp": "2026-05-28 22:01:58,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtEnumerateKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008ec"
              },
              {
                "name": "Index",
                "value": "29"
              }
            ],
            "repeated": 0,
            "id": 12230
          },
          {
            "timestamp": "2026-05-28 22:01:58,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0002001f",
                "pretty_value": "KEY_READ|KEY_WRITE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000008ec"
              },
              {
                "name": "ObjectAttributesName",
                "value": "{b9fcf33d-ba8f-4654-a5f2-bf58a5866ca8}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{b9fcf33d-ba8f-4654-a5f2-bf58a5866ca8}"
              }
            ],
            "repeated": 0,
            "id": 12231
          },
          {
            "timestamp": "2026-05-28 22:01:58,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtEnumerateKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f0"
              },
              {
                "name": "Index",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 12232
          },
          {
            "timestamp": "2026-05-28 22:01:58,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0002001f",
                "pretty_value": "KEY_READ|KEY_WRITE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000008f0"
              },
              {
                "name": "ObjectAttributesName",
                "value": "{bd4b1f37-d1f0-4fc5-996d-d4a21290f212}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{b9fcf33d-ba8f-4654-a5f2-bf58a5866ca8}\\{bd4b1f37-d1f0-4fc5-996d-d4a21290f212}"
              }
            ],
            "repeated": 0,
            "id": 12233
          },
          {
            "timestamp": "2026-05-28 22:01:58,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000008f4"
              }
            ],
            "repeated": 0,
            "id": 12234
          },
          {
            "timestamp": "2026-05-28 22:01:58,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtEnumerateKey",
            "status": false,
            "return": "0xffffffff8000001a",
            "pretty_return": "NO_MORE_ENTRIES",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f0"
              },
              {
                "name": "Index",
                "value": "1"
              }
            ],
            "repeated": 0,
            "id": 12235
          },
          {
            "timestamp": "2026-05-28 22:01:58,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000008f0"
              }
            ],
            "repeated": 0,
            "id": 12236
          },
          {
            "timestamp": "2026-05-28 22:01:58,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtEnumerateKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008ec"
              },
              {
                "name": "Index",
                "value": "30"
              }
            ],
            "repeated": 0,
            "id": 12237
          },
          {
            "timestamp": "2026-05-28 22:01:58,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0002001f",
                "pretty_value": "KEY_READ|KEY_WRITE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000008ec"
              },
              {
                "name": "ObjectAttributesName",
                "value": "{ba888490-8281-4ac7-b0de-8cc46b314d43}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{ba888490-8281-4ac7-b0de-8cc46b314d43}"
              }
            ],
            "repeated": 0,
            "id": 12238
          },
          {
            "timestamp": "2026-05-28 22:01:58,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtEnumerateKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f0"
              },
              {
                "name": "Index",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 12239
          },
          {
            "timestamp": "2026-05-28 22:01:58,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0002001f",
                "pretty_value": "KEY_READ|KEY_WRITE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000008f0"
              },
              {
                "name": "ObjectAttributesName",
                "value": "{06f6022a-82f9-48a5-bc16-074c1bed416c}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{ba888490-8281-4ac7-b0de-8cc46b314d43}\\{06f6022a-82f9-48a5-bc16-074c1bed416c}"
              }
            ],
            "repeated": 0,
            "id": 12240
          },
          {
            "timestamp": "2026-05-28 22:01:58,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000008f4"
              }
            ],
            "repeated": 0,
            "id": 12241
          },
          {
            "timestamp": "2026-05-28 22:01:58,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtEnumerateKey",
            "status": false,
            "return": "0xffffffff8000001a",
            "pretty_return": "NO_MORE_ENTRIES",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f0"
              },
              {
                "name": "Index",
                "value": "1"
              }
            ],
            "repeated": 0,
            "id": 12242
          },
          {
            "timestamp": "2026-05-28 22:01:58,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000008f0"
              }
            ],
            "repeated": 0,
            "id": 12243
          },
          {
            "timestamp": "2026-05-28 22:01:58,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtEnumerateKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008ec"
              },
              {
                "name": "Index",
                "value": "31"
              }
            ],
            "repeated": 0,
            "id": 12244
          },
          {
            "timestamp": "2026-05-28 22:01:58,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0002001f",
                "pretty_value": "KEY_READ|KEY_WRITE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000008ec"
              },
              {
                "name": "ObjectAttributesName",
                "value": "{cb44ecb6-d88a-4b33-a39c-d6a9c03142a9}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{cb44ecb6-d88a-4b33-a39c-d6a9c03142a9}"
              }
            ],
            "repeated": 0,
            "id": 12245
          },
          {
            "timestamp": "2026-05-28 22:01:58,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtEnumerateKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f0"
              },
              {
                "name": "Index",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 12246
          },
          {
            "timestamp": "2026-05-28 22:01:58,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0002001f",
                "pretty_value": "KEY_READ|KEY_WRITE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000008f0"
              },
              {
                "name": "ObjectAttributesName",
                "value": "{4e590c2e-2ad3-4138-8f61-4b08771dbbc8}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{cb44ecb6-d88a-4b33-a39c-d6a9c03142a9}\\{4e590c2e-2ad3-4138-8f61-4b08771dbbc8}"
              }
            ],
            "repeated": 0,
            "id": 12247
          },
          {
            "timestamp": "2026-05-28 22:01:58,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000008f4"
              }
            ],
            "repeated": 0,
            "id": 12248
          },
          {
            "timestamp": "2026-05-28 22:01:58,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtEnumerateKey",
            "status": false,
            "return": "0xffffffff8000001a",
            "pretty_return": "NO_MORE_ENTRIES",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f0"
              },
              {
                "name": "Index",
                "value": "1"
              }
            ],
            "repeated": 0,
            "id": 12249
          },
          {
            "timestamp": "2026-05-28 22:01:58,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000008f0"
              }
            ],
            "repeated": 0,
            "id": 12250
          },
          {
            "timestamp": "2026-05-28 22:01:58,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtEnumerateKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008ec"
              },
              {
                "name": "Index",
                "value": "32"
              }
            ],
            "repeated": 0,
            "id": 12251
          },
          {
            "timestamp": "2026-05-28 22:01:58,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0002001f",
                "pretty_value": "KEY_READ|KEY_WRITE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000008ec"
              },
              {
                "name": "ObjectAttributesName",
                "value": "{cb6d8ddc-a302-4349-88fd-9fcf6d3a7308}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{cb6d8ddc-a302-4349-88fd-9fcf6d3a7308}"
              }
            ],
            "repeated": 0,
            "id": 12252
          },
          {
            "timestamp": "2026-05-28 22:01:58,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtEnumerateKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f0"
              },
              {
                "name": "Index",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 12253
          },
          {
            "timestamp": "2026-05-28 22:01:58,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0002001f",
                "pretty_value": "KEY_READ|KEY_WRITE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000008f0"
              },
              {
                "name": "ObjectAttributesName",
                "value": "{19b5bae2-18c5-4ab8-99de-255f0e96760a}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{cb6d8ddc-a302-4349-88fd-9fcf6d3a7308}\\{19b5bae2-18c5-4ab8-99de-255f0e96760a}"
              }
            ],
            "repeated": 0,
            "id": 12254
          },
          {
            "timestamp": "2026-05-28 22:01:58,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000008f4"
              }
            ],
            "repeated": 0,
            "id": 12255
          },
          {
            "timestamp": "2026-05-28 22:01:58,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtEnumerateKey",
            "status": false,
            "return": "0xffffffff8000001a",
            "pretty_return": "NO_MORE_ENTRIES",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f0"
              },
              {
                "name": "Index",
                "value": "1"
              }
            ],
            "repeated": 0,
            "id": 12256
          },
          {
            "timestamp": "2026-05-28 22:01:58,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000008f0"
              }
            ],
            "repeated": 0,
            "id": 12257
          },
          {
            "timestamp": "2026-05-28 22:01:58,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtEnumerateKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008ec"
              },
              {
                "name": "Index",
                "value": "33"
              }
            ],
            "repeated": 0,
            "id": 12258
          },
          {
            "timestamp": "2026-05-28 22:01:58,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0002001f",
                "pretty_value": "KEY_READ|KEY_WRITE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000008ec"
              },
              {
                "name": "ObjectAttributesName",
                "value": "{cb6d8ddc-a302-4349-88fd-9fcf6d3a7380}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{cb6d8ddc-a302-4349-88fd-9fcf6d3a7380}"
              }
            ],
            "repeated": 0,
            "id": 12259
          },
          {
            "timestamp": "2026-05-28 22:01:58,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtEnumerateKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f0"
              },
              {
                "name": "Index",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 12260
          },
          {
            "timestamp": "2026-05-28 22:01:58,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0002001f",
                "pretty_value": "KEY_READ|KEY_WRITE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000008f0"
              },
              {
                "name": "ObjectAttributesName",
                "value": "{135f3513-bc27-4360-b281-0a36caceb1f2}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{cb6d8ddc-a302-4349-88fd-9fcf6d3a7380}\\{135f3513-bc27-4360-b281-0a36caceb1f2}"
              }
            ],
            "repeated": 0,
            "id": 12261
          },
          {
            "timestamp": "2026-05-28 22:01:58,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000008f4"
              }
            ],
            "repeated": 0,
            "id": 12262
          },
          {
            "timestamp": "2026-05-28 22:01:58,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtEnumerateKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f0"
              },
              {
                "name": "Index",
                "value": "1"
              }
            ],
            "repeated": 0,
            "id": 12263
          },
          {
            "timestamp": "2026-05-28 22:01:58,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0002001f",
                "pretty_value": "KEY_READ|KEY_WRITE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000008f0"
              },
              {
                "name": "ObjectAttributesName",
                "value": "{19b5bae2-18c5-4ab8-99de-255f0e9676a0}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{cb6d8ddc-a302-4349-88fd-9fcf6d3a7380}\\{19b5bae2-18c5-4ab8-99de-255f0e9676a0}"
              }
            ],
            "repeated": 0,
            "id": 12264
          },
          {
            "timestamp": "2026-05-28 22:01:58,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000008f4"
              }
            ],
            "repeated": 0,
            "id": 12265
          },
          {
            "timestamp": "2026-05-28 22:01:58,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtEnumerateKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f0"
              },
              {
                "name": "Index",
                "value": "2"
              }
            ],
            "repeated": 0,
            "id": 12266
          },
          {
            "timestamp": "2026-05-28 22:01:58,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0002001f",
                "pretty_value": "KEY_READ|KEY_WRITE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000008f0"
              },
              {
                "name": "ObjectAttributesName",
                "value": "{8bc1703a-939f-4ee1-8785-b0fc5837feb2}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{cb6d8ddc-a302-4349-88fd-9fcf6d3a7380}\\{8bc1703a-939f-4ee1-8785-b0fc5837feb2}"
              }
            ],
            "repeated": 0,
            "id": 12267
          },
          {
            "timestamp": "2026-05-28 22:01:58,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000008f4"
              }
            ],
            "repeated": 0,
            "id": 12268
          },
          {
            "timestamp": "2026-05-28 22:01:58,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtEnumerateKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f0"
              },
              {
                "name": "Index",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 12269
          },
          {
            "timestamp": "2026-05-28 22:01:58,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0002001f",
                "pretty_value": "KEY_READ|KEY_WRITE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000008f0"
              },
              {
                "name": "ObjectAttributesName",
                "value": "{cc16fe4c-d638-492e-a924-519185396ebf}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{cb6d8ddc-a302-4349-88fd-9fcf6d3a7380}\\{cc16fe4c-d638-492e-a924-519185396ebf}"
              }
            ],
            "repeated": 0,
            "id": 12270
          },
          {
            "timestamp": "2026-05-28 22:01:58,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000008f4"
              }
            ],
            "repeated": 0,
            "id": 12271
          },
          {
            "timestamp": "2026-05-28 22:01:58,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtEnumerateKey",
            "status": false,
            "return": "0xffffffff8000001a",
            "pretty_return": "NO_MORE_ENTRIES",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f0"
              },
              {
                "name": "Index",
                "value": "4"
              }
            ],
            "repeated": 0,
            "id": 12272
          },
          {
            "timestamp": "2026-05-28 22:01:58,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000008f0"
              }
            ],
            "repeated": 0,
            "id": 12273
          },
          {
            "timestamp": "2026-05-28 22:01:58,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtEnumerateKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008ec"
              },
              {
                "name": "Index",
                "value": "34"
              }
            ],
            "repeated": 0,
            "id": 12274
          },
          {
            "timestamp": "2026-05-28 22:01:58,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0002001f",
                "pretty_value": "KEY_READ|KEY_WRITE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000008ec"
              },
              {
                "name": "ObjectAttributesName",
                "value": "{cc549940-0edf-41b1-8298-74c2627b6af9}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{cc549940-0edf-41b1-8298-74c2627b6af9}"
              }
            ],
            "repeated": 0,
            "id": 12275
          },
          {
            "timestamp": "2026-05-28 22:01:58,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtEnumerateKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f0"
              },
              {
                "name": "Index",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 12276
          },
          {
            "timestamp": "2026-05-28 22:01:58,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0002001f",
                "pretty_value": "KEY_READ|KEY_WRITE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000008f0"
              },
              {
                "name": "ObjectAttributesName",
                "value": "{35a002b8-38a7-41eb-bedd-6610bb93f046}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{cc549940-0edf-41b1-8298-74c2627b6af9}\\{35a002b8-38a7-41eb-bedd-6610bb93f046}"
              }
            ],
            "repeated": 0,
            "id": 12277
          },
          {
            "timestamp": "2026-05-28 22:01:58,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000008f4"
              }
            ],
            "repeated": 0,
            "id": 12278
          },
          {
            "timestamp": "2026-05-28 22:01:58,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtEnumerateKey",
            "status": false,
            "return": "0xffffffff8000001a",
            "pretty_return": "NO_MORE_ENTRIES",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f0"
              },
              {
                "name": "Index",
                "value": "1"
              }
            ],
            "repeated": 0,
            "id": 12279
          },
          {
            "timestamp": "2026-05-28 22:01:58,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000008f0"
              }
            ],
            "repeated": 0,
            "id": 12280
          },
          {
            "timestamp": "2026-05-28 22:01:58,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtEnumerateKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008ec"
              },
              {
                "name": "Index",
                "value": "35"
              }
            ],
            "repeated": 0,
            "id": 12281
          },
          {
            "timestamp": "2026-05-28 22:01:58,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0002001f",
                "pretty_value": "KEY_READ|KEY_WRITE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000008ec"
              },
              {
                "name": "ObjectAttributesName",
                "value": "{cc629d13-f318-4c40-b1ed-d70bce524515}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{cc629d13-f318-4c40-b1ed-d70bce524515}"
              }
            ],
            "repeated": 0,
            "id": 12282
          },
          {
            "timestamp": "2026-05-28 22:01:58,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtEnumerateKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f0"
              },
              {
                "name": "Index",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 12283
          },
          {
            "timestamp": "2026-05-28 22:01:58,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0002001f",
                "pretty_value": "KEY_READ|KEY_WRITE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000008f0"
              },
              {
                "name": "ObjectAttributesName",
                "value": "{22ca1519-4394-4a5f-be88-84a5c853a4aa}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{cc629d13-f318-4c40-b1ed-d70bce524515}\\{22ca1519-4394-4a5f-be88-84a5c853a4aa}"
              }
            ],
            "repeated": 0,
            "id": 12284
          },
          {
            "timestamp": "2026-05-28 22:01:58,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000008f4"
              }
            ],
            "repeated": 0,
            "id": 12285
          },
          {
            "timestamp": "2026-05-28 22:01:58,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtEnumerateKey",
            "status": false,
            "return": "0xffffffff8000001a",
            "pretty_return": "NO_MORE_ENTRIES",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f0"
              },
              {
                "name": "Index",
                "value": "1"
              }
            ],
            "repeated": 0,
            "id": 12286
          },
          {
            "timestamp": "2026-05-28 22:01:58,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000008f0"
              }
            ],
            "repeated": 0,
            "id": 12287
          },
          {
            "timestamp": "2026-05-28 22:01:58,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtEnumerateKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008ec"
              },
              {
                "name": "Index",
                "value": "36"
              }
            ],
            "repeated": 0,
            "id": 12288
          },
          {
            "timestamp": "2026-05-28 22:01:58,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0002001f",
                "pretty_value": "KEY_READ|KEY_WRITE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000008ec"
              },
              {
                "name": "ObjectAttributesName",
                "value": "{db314ee3-3157-4e56-8fd9-2184874d195d}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{db314ee3-3157-4e56-8fd9-2184874d195d}"
              }
            ],
            "repeated": 0,
            "id": 12289
          },
          {
            "timestamp": "2026-05-28 22:01:58,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtEnumerateKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f0"
              },
              {
                "name": "Index",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 12290
          },
          {
            "timestamp": "2026-05-28 22:01:58,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0002001f",
                "pretty_value": "KEY_READ|KEY_WRITE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000008f0"
              },
              {
                "name": "ObjectAttributesName",
                "value": "{fb01b3ef-bb4a-4c48-9ab8-dc1871675e6d}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{db314ee3-3157-4e56-8fd9-2184874d195d}\\{fb01b3ef-bb4a-4c48-9ab8-dc1871675e6d}"
              }
            ],
            "repeated": 0,
            "id": 12291
          },
          {
            "timestamp": "2026-05-28 22:01:58,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000008f4"
              }
            ],
            "repeated": 0,
            "id": 12292
          },
          {
            "timestamp": "2026-05-28 22:01:58,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtEnumerateKey",
            "status": false,
            "return": "0xffffffff8000001a",
            "pretty_return": "NO_MORE_ENTRIES",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f0"
              },
              {
                "name": "Index",
                "value": "1"
              }
            ],
            "repeated": 0,
            "id": 12293
          },
          {
            "timestamp": "2026-05-28 22:01:58,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000008f0"
              }
            ],
            "repeated": 0,
            "id": 12294
          },
          {
            "timestamp": "2026-05-28 22:01:58,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtEnumerateKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008ec"
              },
              {
                "name": "Index",
                "value": "37"
              }
            ],
            "repeated": 0,
            "id": 12295
          },
          {
            "timestamp": "2026-05-28 22:01:58,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0002001f",
                "pretty_value": "KEY_READ|KEY_WRITE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000008ec"
              },
              {
                "name": "ObjectAttributesName",
                "value": "{ddf417dc-4cc3-4529-9ffc-1d04eb678da3}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{ddf417dc-4cc3-4529-9ffc-1d04eb678da3}"
              }
            ],
            "repeated": 0,
            "id": 12296
          },
          {
            "timestamp": "2026-05-28 22:01:58,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtEnumerateKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f0"
              },
              {
                "name": "Index",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 12297
          },
          {
            "timestamp": "2026-05-28 22:01:58,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0002001f",
                "pretty_value": "KEY_READ|KEY_WRITE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000008f0"
              },
              {
                "name": "ObjectAttributesName",
                "value": "{d53266b4-c9f5-4808-8a0f-d17bbf493416}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{ddf417dc-4cc3-4529-9ffc-1d04eb678da3}\\{d53266b4-c9f5-4808-8a0f-d17bbf493416}"
              }
            ],
            "repeated": 0,
            "id": 12298
          },
          {
            "timestamp": "2026-05-28 22:01:58,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000008f4"
              }
            ],
            "repeated": 0,
            "id": 12299
          },
          {
            "timestamp": "2026-05-28 22:01:58,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtEnumerateKey",
            "status": false,
            "return": "0xffffffff8000001a",
            "pretty_return": "NO_MORE_ENTRIES",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f0"
              },
              {
                "name": "Index",
                "value": "1"
              }
            ],
            "repeated": 0,
            "id": 12300
          },
          {
            "timestamp": "2026-05-28 22:01:58,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000008f0"
              }
            ],
            "repeated": 0,
            "id": 12301
          },
          {
            "timestamp": "2026-05-28 22:01:58,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtEnumerateKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008ec"
              },
              {
                "name": "Index",
                "value": "38"
              }
            ],
            "repeated": 0,
            "id": 12302
          },
          {
            "timestamp": "2026-05-28 22:01:58,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0002001f",
                "pretty_value": "KEY_READ|KEY_WRITE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000008ec"
              },
              {
                "name": "ObjectAttributesName",
                "value": "{e08d5971-88fb-4799-b066-6978845f73c1}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{e08d5971-88fb-4799-b066-6978845f73c1}"
              }
            ],
            "repeated": 0,
            "id": 12303
          },
          {
            "timestamp": "2026-05-28 22:01:58,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtEnumerateKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f0"
              },
              {
                "name": "Index",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 12304
          },
          {
            "timestamp": "2026-05-28 22:01:58,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0002001f",
                "pretty_value": "KEY_READ|KEY_WRITE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000008f0"
              },
              {
                "name": "ObjectAttributesName",
                "value": "{b851890b-3e61-427a-ab94-461e088d4827}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{e08d5971-88fb-4799-b066-6978845f73c1}\\{b851890b-3e61-427a-ab94-461e088d4827}"
              }
            ],
            "repeated": 0,
            "id": 12305
          },
          {
            "timestamp": "2026-05-28 22:01:58,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000008f4"
              }
            ],
            "repeated": 0,
            "id": 12306
          },
          {
            "timestamp": "2026-05-28 22:01:58,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtEnumerateKey",
            "status": false,
            "return": "0xffffffff8000001a",
            "pretty_return": "NO_MORE_ENTRIES",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f0"
              },
              {
                "name": "Index",
                "value": "1"
              }
            ],
            "repeated": 0,
            "id": 12307
          },
          {
            "timestamp": "2026-05-28 22:01:58,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000008f0"
              }
            ],
            "repeated": 0,
            "id": 12308
          },
          {
            "timestamp": "2026-05-28 22:01:58,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtEnumerateKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008ec"
              },
              {
                "name": "Index",
                "value": "39"
              }
            ],
            "repeated": 0,
            "id": 12309
          },
          {
            "timestamp": "2026-05-28 22:01:58,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0002001f",
                "pretty_value": "KEY_READ|KEY_WRITE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000008ec"
              },
              {
                "name": "ObjectAttributesName",
                "value": "{ef63b92d-c5a6-4314-ac9f-cc6b1c56fb9c}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{ef63b92d-c5a6-4314-ac9f-cc6b1c56fb9c}"
              }
            ],
            "repeated": 0,
            "id": 12310
          },
          {
            "timestamp": "2026-05-28 22:01:58,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtEnumerateKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f0"
              },
              {
                "name": "Index",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 12311
          },
          {
            "timestamp": "2026-05-28 22:01:58,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0002001f",
                "pretty_value": "KEY_READ|KEY_WRITE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000008f0"
              },
              {
                "name": "ObjectAttributesName",
                "value": "{11ace151-4bac-44b0-8a82-0a859a5355d9}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{ef63b92d-c5a6-4314-ac9f-cc6b1c56fb9c}\\{11ace151-4bac-44b0-8a82-0a859a5355d9}"
              }
            ],
            "repeated": 0,
            "id": 12312
          },
          {
            "timestamp": "2026-05-28 22:01:58,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000008f4"
              }
            ],
            "repeated": 0,
            "id": 12313
          },
          {
            "timestamp": "2026-05-28 22:01:58,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtEnumerateKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f0"
              },
              {
                "name": "Index",
                "value": "1"
              }
            ],
            "repeated": 0,
            "id": 12314
          },
          {
            "timestamp": "2026-05-28 22:01:58,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0002001f",
                "pretty_value": "KEY_READ|KEY_WRITE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000008f0"
              },
              {
                "name": "ObjectAttributesName",
                "value": "{1cc9da8b-58a5-4c92-9a4e-f05f2a2ae7a3}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{ef63b92d-c5a6-4314-ac9f-cc6b1c56fb9c}\\{1cc9da8b-58a5-4c92-9a4e-f05f2a2ae7a3}"
              }
            ],
            "repeated": 0,
            "id": 12315
          },
          {
            "timestamp": "2026-05-28 22:01:58,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000008f4"
              }
            ],
            "repeated": 0,
            "id": 12316
          },
          {
            "timestamp": "2026-05-28 22:01:58,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtEnumerateKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f0"
              },
              {
                "name": "Index",
                "value": "2"
              }
            ],
            "repeated": 0,
            "id": 12317
          },
          {
            "timestamp": "2026-05-28 22:01:58,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0002001f",
                "pretty_value": "KEY_READ|KEY_WRITE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000008f0"
              },
              {
                "name": "ObjectAttributesName",
                "value": "{28d00a68-8309-4a3e-bf1d-0ebd27c75787}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{ef63b92d-c5a6-4314-ac9f-cc6b1c56fb9c}\\{28d00a68-8309-4a3e-bf1d-0ebd27c75787}"
              }
            ],
            "repeated": 0,
            "id": 12318
          },
          {
            "timestamp": "2026-05-28 22:01:58,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000008f4"
              }
            ],
            "repeated": 0,
            "id": 12319
          },
          {
            "timestamp": "2026-05-28 22:01:58,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtEnumerateKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f0"
              },
              {
                "name": "Index",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 12320
          },
          {
            "timestamp": "2026-05-28 22:01:58,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0002001f",
                "pretty_value": "KEY_READ|KEY_WRITE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000008f0"
              },
              {
                "name": "ObjectAttributesName",
                "value": "{40990512-fb18-4bbd-95e2-f72e8cdae178}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{ef63b92d-c5a6-4314-ac9f-cc6b1c56fb9c}\\{40990512-fb18-4bbd-95e2-f72e8cdae178}"
              }
            ],
            "repeated": 0,
            "id": 12321
          },
          {
            "timestamp": "2026-05-28 22:01:58,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000008f4"
              }
            ],
            "repeated": 0,
            "id": 12322
          },
          {
            "timestamp": "2026-05-28 22:01:58,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtEnumerateKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f0"
              },
              {
                "name": "Index",
                "value": "4"
              }
            ],
            "repeated": 0,
            "id": 12323
          },
          {
            "timestamp": "2026-05-28 22:01:58,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0002001f",
                "pretty_value": "KEY_READ|KEY_WRITE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000008f0"
              },
              {
                "name": "ObjectAttributesName",
                "value": "{40e6824e-1b9b-4329-9a6e-e94c8fb03a3f}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{ef63b92d-c5a6-4314-ac9f-cc6b1c56fb9c}\\{40e6824e-1b9b-4329-9a6e-e94c8fb03a3f}"
              }
            ],
            "repeated": 0,
            "id": 12324
          },
          {
            "timestamp": "2026-05-28 22:01:58,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000008f4"
              }
            ],
            "repeated": 0,
            "id": 12325
          },
          {
            "timestamp": "2026-05-28 22:01:58,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtEnumerateKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f0"
              },
              {
                "name": "Index",
                "value": "5"
              }
            ],
            "repeated": 0,
            "id": 12326
          },
          {
            "timestamp": "2026-05-28 22:01:58,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0002001f",
                "pretty_value": "KEY_READ|KEY_WRITE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000008f0"
              },
              {
                "name": "ObjectAttributesName",
                "value": "{58276884-7f29-450d-bcfa-5be4b7266334}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{ef63b92d-c5a6-4314-ac9f-cc6b1c56fb9c}\\{58276884-7f29-450d-bcfa-5be4b7266334}"
              }
            ],
            "repeated": 0,
            "id": 12327
          },
          {
            "timestamp": "2026-05-28 22:01:58,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000008f4"
              }
            ],
            "repeated": 0,
            "id": 12328
          },
          {
            "timestamp": "2026-05-28 22:01:58,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtEnumerateKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f0"
              },
              {
                "name": "Index",
                "value": "6"
              }
            ],
            "repeated": 0,
            "id": 12329
          },
          {
            "timestamp": "2026-05-28 22:01:58,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0002001f",
                "pretty_value": "KEY_READ|KEY_WRITE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000008f0"
              },
              {
                "name": "ObjectAttributesName",
                "value": "{63c158d0-2a4c-4509-8d27-29e935b69e5f}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{ef63b92d-c5a6-4314-ac9f-cc6b1c56fb9c}\\{63c158d0-2a4c-4509-8d27-29e935b69e5f}"
              }
            ],
            "repeated": 0,
            "id": 12330
          },
          {
            "timestamp": "2026-05-28 22:01:58,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000008f4"
              }
            ],
            "repeated": 0,
            "id": 12331
          },
          {
            "timestamp": "2026-05-28 22:01:58,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtEnumerateKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f0"
              },
              {
                "name": "Index",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 12332
          },
          {
            "timestamp": "2026-05-28 22:01:58,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0002001f",
                "pretty_value": "KEY_READ|KEY_WRITE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000008f0"
              },
              {
                "name": "ObjectAttributesName",
                "value": "{6b81611f-8998-47c2-9550-f7dc0324e620}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{ef63b92d-c5a6-4314-ac9f-cc6b1c56fb9c}\\{6b81611f-8998-47c2-9550-f7dc0324e620}"
              }
            ],
            "repeated": 0,
            "id": 12333
          },
          {
            "timestamp": "2026-05-28 22:01:58,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000008f4"
              }
            ],
            "repeated": 0,
            "id": 12334
          },
          {
            "timestamp": "2026-05-28 22:01:58,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtEnumerateKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f0"
              },
              {
                "name": "Index",
                "value": "8"
              }
            ],
            "repeated": 0,
            "id": 12335
          },
          {
            "timestamp": "2026-05-28 22:01:58,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0002001f",
                "pretty_value": "KEY_READ|KEY_WRITE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000008f0"
              },
              {
                "name": "ObjectAttributesName",
                "value": "{7a030929-9547-485c-ba6c-3e891612c2ce}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{ef63b92d-c5a6-4314-ac9f-cc6b1c56fb9c}\\{7a030929-9547-485c-ba6c-3e891612c2ce}"
              }
            ],
            "repeated": 0,
            "id": 12336
          },
          {
            "timestamp": "2026-05-28 22:01:58,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000008f4"
              }
            ],
            "repeated": 0,
            "id": 12337
          },
          {
            "timestamp": "2026-05-28 22:01:58,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtEnumerateKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f0"
              },
              {
                "name": "Index",
                "value": "9"
              }
            ],
            "repeated": 0,
            "id": 12338
          },
          {
            "timestamp": "2026-05-28 22:01:58,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0002001f",
                "pretty_value": "KEY_READ|KEY_WRITE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000008f0"
              },
              {
                "name": "ObjectAttributesName",
                "value": "{83a3746d-a9ec-47c0-830f-6dd440b07666}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{ef63b92d-c5a6-4314-ac9f-cc6b1c56fb9c}\\{83a3746d-a9ec-47c0-830f-6dd440b07666}"
              }
            ],
            "repeated": 0,
            "id": 12339
          },
          {
            "timestamp": "2026-05-28 22:01:58,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000008f4"
              }
            ],
            "repeated": 0,
            "id": 12340
          },
          {
            "timestamp": "2026-05-28 22:01:58,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtEnumerateKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f0"
              },
              {
                "name": "Index",
                "value": "10"
              }
            ],
            "repeated": 0,
            "id": 12341
          },
          {
            "timestamp": "2026-05-28 22:01:58,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0002001f",
                "pretty_value": "KEY_READ|KEY_WRITE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000008f0"
              },
              {
                "name": "ObjectAttributesName",
                "value": "{9815b8f4-d337-4eb4-a468-fc9a83bcce65}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{ef63b92d-c5a6-4314-ac9f-cc6b1c56fb9c}\\{9815b8f4-d337-4eb4-a468-fc9a83bcce65}"
              }
            ],
            "repeated": 0,
            "id": 12342
          },
          {
            "timestamp": "2026-05-28 22:01:58,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000008f4"
              }
            ],
            "repeated": 0,
            "id": 12343
          },
          {
            "timestamp": "2026-05-28 22:01:58,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtEnumerateKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f0"
              },
              {
                "name": "Index",
                "value": "11"
              }
            ],
            "repeated": 0,
            "id": 12344
          },
          {
            "timestamp": "2026-05-28 22:01:58,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0002001f",
                "pretty_value": "KEY_READ|KEY_WRITE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000008f0"
              },
              {
                "name": "ObjectAttributesName",
                "value": "{a30f983f-321a-48b0-85c3-cab02781dd02}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{ef63b92d-c5a6-4314-ac9f-cc6b1c56fb9c}\\{a30f983f-321a-48b0-85c3-cab02781dd02}"
              }
            ],
            "repeated": 0,
            "id": 12345
          },
          {
            "timestamp": "2026-05-28 22:01:58,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000008f4"
              }
            ],
            "repeated": 0,
            "id": 12346
          },
          {
            "timestamp": "2026-05-28 22:01:58,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtEnumerateKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f0"
              },
              {
                "name": "Index",
                "value": "12"
              }
            ],
            "repeated": 0,
            "id": 12347
          },
          {
            "timestamp": "2026-05-28 22:01:58,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0002001f",
                "pretty_value": "KEY_READ|KEY_WRITE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000008f0"
              },
              {
                "name": "ObjectAttributesName",
                "value": "{aaca5b25-a859-438d-93b6-924f63a2cb3c}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{ef63b92d-c5a6-4314-ac9f-cc6b1c56fb9c}\\{aaca5b25-a859-438d-93b6-924f63a2cb3c}"
              }
            ],
            "repeated": 0,
            "id": 12348
          },
          {
            "timestamp": "2026-05-28 22:01:58,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000008f4"
              }
            ],
            "repeated": 0,
            "id": 12349
          },
          {
            "timestamp": "2026-05-28 22:01:58,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtEnumerateKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f0"
              },
              {
                "name": "Index",
                "value": "13"
              }
            ],
            "repeated": 0,
            "id": 12350
          },
          {
            "timestamp": "2026-05-28 22:01:58,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0002001f",
                "pretty_value": "KEY_READ|KEY_WRITE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000008f0"
              },
              {
                "name": "ObjectAttributesName",
                "value": "{e6e73867-856a-4574-a0ba-01c066d376f5}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{ef63b92d-c5a6-4314-ac9f-cc6b1c56fb9c}\\{e6e73867-856a-4574-a0ba-01c066d376f5}"
              }
            ],
            "repeated": 0,
            "id": 12351
          },
          {
            "timestamp": "2026-05-28 22:01:58,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000008f4"
              }
            ],
            "repeated": 0,
            "id": 12352
          },
          {
            "timestamp": "2026-05-28 22:01:58,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtEnumerateKey",
            "status": false,
            "return": "0xffffffff8000001a",
            "pretty_return": "NO_MORE_ENTRIES",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f0"
              },
              {
                "name": "Index",
                "value": "14"
              }
            ],
            "repeated": 0,
            "id": 12353
          },
          {
            "timestamp": "2026-05-28 22:01:58,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000008f0"
              }
            ],
            "repeated": 0,
            "id": 12354
          },
          {
            "timestamp": "2026-05-28 22:01:58,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtEnumerateKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008ec"
              },
              {
                "name": "Index",
                "value": "40"
              }
            ],
            "repeated": 0,
            "id": 12355
          },
          {
            "timestamp": "2026-05-28 22:01:58,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0002001f",
                "pretty_value": "KEY_READ|KEY_WRITE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000008ec"
              },
              {
                "name": "ObjectAttributesName",
                "value": "{f25a20a5-fd7a-417b-afc3-76295ebac77c}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{f25a20a5-fd7a-417b-afc3-76295ebac77c}"
              }
            ],
            "repeated": 0,
            "id": 12356
          },
          {
            "timestamp": "2026-05-28 22:01:58,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtEnumerateKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f0"
              },
              {
                "name": "Index",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 12357
          },
          {
            "timestamp": "2026-05-28 22:01:58,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0002001f",
                "pretty_value": "KEY_READ|KEY_WRITE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000008f0"
              },
              {
                "name": "ObjectAttributesName",
                "value": "{51bda498-67cb-479f-b898-57d2d73788f0}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{f25a20a5-fd7a-417b-afc3-76295ebac77c}\\{51bda498-67cb-479f-b898-57d2d73788f0}"
              }
            ],
            "repeated": 0,
            "id": 12358
          },
          {
            "timestamp": "2026-05-28 22:01:58,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000008f4"
              }
            ],
            "repeated": 0,
            "id": 12359
          },
          {
            "timestamp": "2026-05-28 22:01:58,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtEnumerateKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f0"
              },
              {
                "name": "Index",
                "value": "1"
              }
            ],
            "repeated": 0,
            "id": 12360
          },
          {
            "timestamp": "2026-05-28 22:01:58,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0002001f",
                "pretty_value": "KEY_READ|KEY_WRITE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000008f0"
              },
              {
                "name": "ObjectAttributesName",
                "value": "{811bbce5-7327-4ad9-ab62-a8b955f61eef}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{f25a20a5-fd7a-417b-afc3-76295ebac77c}\\{811bbce5-7327-4ad9-ab62-a8b955f61eef}"
              }
            ],
            "repeated": 0,
            "id": 12361
          },
          {
            "timestamp": "2026-05-28 22:01:58,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000008f4"
              }
            ],
            "repeated": 0,
            "id": 12362
          },
          {
            "timestamp": "2026-05-28 22:01:58,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtEnumerateKey",
            "status": false,
            "return": "0xffffffff8000001a",
            "pretty_return": "NO_MORE_ENTRIES",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f0"
              },
              {
                "name": "Index",
                "value": "2"
              }
            ],
            "repeated": 0,
            "id": 12363
          },
          {
            "timestamp": "2026-05-28 22:01:58,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000008f0"
              }
            ],
            "repeated": 0,
            "id": 12364
          },
          {
            "timestamp": "2026-05-28 22:01:58,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtEnumerateKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008ec"
              },
              {
                "name": "Index",
                "value": "41"
              }
            ],
            "repeated": 0,
            "id": 12365
          },
          {
            "timestamp": "2026-05-28 22:01:58,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0002001f",
                "pretty_value": "KEY_READ|KEY_WRITE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000008ec"
              },
              {
                "name": "ObjectAttributesName",
                "value": "{f3991d9d-fc17-4f37-b12f-8984a43e1aeb}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{f3991d9d-fc17-4f37-b12f-8984a43e1aeb}"
              }
            ],
            "repeated": 0,
            "id": 12366
          },
          {
            "timestamp": "2026-05-28 22:01:58,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtEnumerateKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f0"
              },
              {
                "name": "Index",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 12367
          },
          {
            "timestamp": "2026-05-28 22:01:58,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0002001f",
                "pretty_value": "KEY_READ|KEY_WRITE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000008f0"
              },
              {
                "name": "ObjectAttributesName",
                "value": "{9ff69334-839c-41fe-96e0-c5189ac431f2}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{f3991d9d-fc17-4f37-b12f-8984a43e1aeb}\\{9ff69334-839c-41fe-96e0-c5189ac431f2}"
              }
            ],
            "repeated": 0,
            "id": 12368
          },
          {
            "timestamp": "2026-05-28 22:01:58,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000008f4"
              }
            ],
            "repeated": 0,
            "id": 12369
          },
          {
            "timestamp": "2026-05-28 22:01:58,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtEnumerateKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f0"
              },
              {
                "name": "Index",
                "value": "1"
              }
            ],
            "repeated": 0,
            "id": 12370
          },
          {
            "timestamp": "2026-05-28 22:01:58,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0002001f",
                "pretty_value": "KEY_READ|KEY_WRITE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000008f0"
              },
              {
                "name": "ObjectAttributesName",
                "value": "{a8180dab-81d0-4e05-b76b-eb4c5fb37357}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{f3991d9d-fc17-4f37-b12f-8984a43e1aeb}\\{a8180dab-81d0-4e05-b76b-eb4c5fb37357}"
              }
            ],
            "repeated": 0,
            "id": 12371
          },
          {
            "timestamp": "2026-05-28 22:01:58,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000008f4"
              }
            ],
            "repeated": 0,
            "id": 12372
          },
          {
            "timestamp": "2026-05-28 22:01:58,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtEnumerateKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f0"
              },
              {
                "name": "Index",
                "value": "2"
              }
            ],
            "repeated": 0,
            "id": 12373
          },
          {
            "timestamp": "2026-05-28 22:01:58,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0002001f",
                "pretty_value": "KEY_READ|KEY_WRITE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000008f0"
              },
              {
                "name": "ObjectAttributesName",
                "value": "{c0c9c676-ac38-40d4-a23c-69f05d12a306}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{f3991d9d-fc17-4f37-b12f-8984a43e1aeb}\\{c0c9c676-ac38-40d4-a23c-69f05d12a306}"
              }
            ],
            "repeated": 0,
            "id": 12374
          },
          {
            "timestamp": "2026-05-28 22:01:58,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000008f4"
              }
            ],
            "repeated": 0,
            "id": 12375
          },
          {
            "timestamp": "2026-05-28 22:01:58,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtEnumerateKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f0"
              },
              {
                "name": "Index",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 12376
          },
          {
            "timestamp": "2026-05-28 22:01:58,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0002001f",
                "pretty_value": "KEY_READ|KEY_WRITE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000008f0"
              },
              {
                "name": "ObjectAttributesName",
                "value": "{d7e69761-f919-4bfa-bbb6-bece1050a2ce}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{f3991d9d-fc17-4f37-b12f-8984a43e1aeb}\\{d7e69761-f919-4bfa-bbb6-bece1050a2ce}"
              }
            ],
            "repeated": 0,
            "id": 12377
          },
          {
            "timestamp": "2026-05-28 22:01:58,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000008f4"
              }
            ],
            "repeated": 0,
            "id": 12378
          },
          {
            "timestamp": "2026-05-28 22:01:58,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtEnumerateKey",
            "status": false,
            "return": "0xffffffff8000001a",
            "pretty_return": "NO_MORE_ENTRIES",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f0"
              },
              {
                "name": "Index",
                "value": "4"
              }
            ],
            "repeated": 0,
            "id": 12379
          },
          {
            "timestamp": "2026-05-28 22:01:58,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000008f0"
              }
            ],
            "repeated": 0,
            "id": 12380
          },
          {
            "timestamp": "2026-05-28 22:01:58,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtEnumerateKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008ec"
              },
              {
                "name": "Index",
                "value": "42"
              }
            ],
            "repeated": 0,
            "id": 12381
          },
          {
            "timestamp": "2026-05-28 22:01:58,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0002001f",
                "pretty_value": "KEY_READ|KEY_WRITE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000008ec"
              },
              {
                "name": "ObjectAttributesName",
                "value": "{f3b975e7-e068-4f66-81ef-b23e0a0e64c9}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{f3b975e7-e068-4f66-81ef-b23e0a0e64c9}"
              }
            ],
            "repeated": 0,
            "id": 12382
          },
          {
            "timestamp": "2026-05-28 22:01:58,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtEnumerateKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f0"
              },
              {
                "name": "Index",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 12383
          },
          {
            "timestamp": "2026-05-28 22:01:58,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0002001f",
                "pretty_value": "KEY_READ|KEY_WRITE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000008f0"
              },
              {
                "name": "ObjectAttributesName",
                "value": "{fc9e399c-c70a-4458-8430-ca249c371eb3}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{f3b975e7-e068-4f66-81ef-b23e0a0e64c9}\\{fc9e399c-c70a-4458-8430-ca249c371eb3}"
              }
            ],
            "repeated": 0,
            "id": 12384
          },
          {
            "timestamp": "2026-05-28 22:01:58,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000008f4"
              }
            ],
            "repeated": 0,
            "id": 12385
          },
          {
            "timestamp": "2026-05-28 22:01:58,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtEnumerateKey",
            "status": false,
            "return": "0xffffffff8000001a",
            "pretty_return": "NO_MORE_ENTRIES",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f0"
              },
              {
                "name": "Index",
                "value": "1"
              }
            ],
            "repeated": 0,
            "id": 12386
          },
          {
            "timestamp": "2026-05-28 22:01:58,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000008f0"
              }
            ],
            "repeated": 0,
            "id": 12387
          },
          {
            "timestamp": "2026-05-28 22:01:58,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtEnumerateKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008ec"
              },
              {
                "name": "Index",
                "value": "43"
              }
            ],
            "repeated": 0,
            "id": 12388
          },
          {
            "timestamp": "2026-05-28 22:01:58,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0002001f",
                "pretty_value": "KEY_READ|KEY_WRITE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000008ec"
              },
              {
                "name": "ObjectAttributesName",
                "value": "{f6c5ad57-a5be-4259-9060-b2c4ebfccd96}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{f6c5ad57-a5be-4259-9060-b2c4ebfccd96}"
              }
            ],
            "repeated": 0,
            "id": 12389
          },
          {
            "timestamp": "2026-05-28 22:01:58,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtEnumerateKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f0"
              },
              {
                "name": "Index",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 12390
          },
          {
            "timestamp": "2026-05-28 22:01:58,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0002001f",
                "pretty_value": "KEY_READ|KEY_WRITE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000008f0"
              },
              {
                "name": "ObjectAttributesName",
                "value": "{1f7207c2-0b8c-48de-9dcd-64ff98cc24e1}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{f6c5ad57-a5be-4259-9060-b2c4ebfccd96}\\{1f7207c2-0b8c-48de-9dcd-64ff98cc24e1}"
              }
            ],
            "repeated": 0,
            "id": 12391
          },
          {
            "timestamp": "2026-05-28 22:01:58,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000008f4"
              }
            ],
            "repeated": 0,
            "id": 12392
          },
          {
            "timestamp": "2026-05-28 22:01:58,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtEnumerateKey",
            "status": false,
            "return": "0xffffffff8000001a",
            "pretty_return": "NO_MORE_ENTRIES",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f0"
              },
              {
                "name": "Index",
                "value": "1"
              }
            ],
            "repeated": 0,
            "id": 12393
          },
          {
            "timestamp": "2026-05-28 22:01:58,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000008f0"
              }
            ],
            "repeated": 0,
            "id": 12394
          },
          {
            "timestamp": "2026-05-28 22:01:58,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtEnumerateKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008ec"
              },
              {
                "name": "Index",
                "value": "44"
              }
            ],
            "repeated": 0,
            "id": 12395
          },
          {
            "timestamp": "2026-05-28 22:01:58,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0002001f",
                "pretty_value": "KEY_READ|KEY_WRITE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000008ec"
              },
              {
                "name": "ObjectAttributesName",
                "value": "{fd0dce36-af57-417b-9ce6-2d10633b4cf9}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{fd0dce36-af57-417b-9ce6-2d10633b4cf9}"
              }
            ],
            "repeated": 0,
            "id": 12396
          },
          {
            "timestamp": "2026-05-28 22:01:58,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtEnumerateKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f0"
              },
              {
                "name": "Index",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 12397
          },
          {
            "timestamp": "2026-05-28 22:01:58,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0002001f",
                "pretty_value": "KEY_READ|KEY_WRITE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000008f0"
              },
              {
                "name": "ObjectAttributesName",
                "value": "{7d937e49-cfd5-438f-af4f-b3047d90a5c3}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{fd0dce36-af57-417b-9ce6-2d10633b4cf9}\\{7d937e49-cfd5-438f-af4f-b3047d90a5c3}"
              }
            ],
            "repeated": 0,
            "id": 12398
          },
          {
            "timestamp": "2026-05-28 22:01:58,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000008f4"
              }
            ],
            "repeated": 0,
            "id": 12399
          },
          {
            "timestamp": "2026-05-28 22:01:58,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtEnumerateKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f0"
              },
              {
                "name": "Index",
                "value": "1"
              }
            ],
            "repeated": 0,
            "id": 12400
          },
          {
            "timestamp": "2026-05-28 22:01:58,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0002001f",
                "pretty_value": "KEY_READ|KEY_WRITE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000008f0"
              },
              {
                "name": "ObjectAttributesName",
                "value": "{f3e82f6e-9df4-425d-a5d5-3a9832005b16}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{fd0dce36-af57-417b-9ce6-2d10633b4cf9}\\{f3e82f6e-9df4-425d-a5d5-3a9832005b16}"
              }
            ],
            "repeated": 0,
            "id": 12401
          },
          {
            "timestamp": "2026-05-28 22:01:58,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000008f4"
              }
            ],
            "repeated": 0,
            "id": 12402
          },
          {
            "timestamp": "2026-05-28 22:01:58,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtEnumerateKey",
            "status": false,
            "return": "0xffffffff8000001a",
            "pretty_return": "NO_MORE_ENTRIES",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008f0"
              },
              {
                "name": "Index",
                "value": "2"
              }
            ],
            "repeated": 0,
            "id": 12403
          },
          {
            "timestamp": "2026-05-28 22:01:58,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000008f0"
              }
            ],
            "repeated": 0,
            "id": 12404
          },
          {
            "timestamp": "2026-05-28 22:01:58,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "NtEnumerateKey",
            "status": false,
            "return": "0xffffffff8000001a",
            "pretty_return": "NO_MORE_ENTRIES",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000008ec"
              },
              {
                "name": "Index",
                "value": "45"
              }
            ],
            "repeated": 0,
            "id": 12405
          },
          {
            "timestamp": "2026-05-28 22:01:58,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000008ec"
              }
            ],
            "repeated": 0,
            "id": 12406
          },
          {
            "timestamp": "2026-05-28 22:01:58,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000008e8"
              }
            ],
            "repeated": 0,
            "id": 12407
          },
          {
            "timestamp": "2026-05-28 22:01:58,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 1,
            "id": 12408
          },
          {
            "timestamp": "2026-05-28 22:01:58,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29254bf0002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\System32\\Drivers\\Synth3dVsc.sys"
              },
              {
                "name": "dwFlags",
                "value": "0x0000002a"
              }
            ],
            "repeated": 0,
            "id": 12409
          },
          {
            "timestamp": "2026-05-28 22:01:58,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "FindResourceExW",
            "status": false,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29254bf0002"
              },
              {
                "name": "Type",
                "value": "#6"
              },
              {
                "name": "Name",
                "value": "#188"
              },
              {
                "name": "Language",
                "value": "0x00000409"
              }
            ],
            "repeated": 0,
            "id": 12410
          },
          {
            "timestamp": "2026-05-28 22:01:58,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254bf0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00009000"
              }
            ],
            "repeated": 0,
            "id": 12411
          },
          {
            "timestamp": "2026-05-28 22:01:58,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 12412
          },
          {
            "timestamp": "2026-05-28 22:01:58,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29254bf0002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\System32\\Drivers\\Synth3dVsc.sys"
              },
              {
                "name": "dwFlags",
                "value": "0x0000002a"
              }
            ],
            "repeated": 0,
            "id": 12413
          },
          {
            "timestamp": "2026-05-28 22:01:58,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "FindResourceExW",
            "status": false,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29254bf0002"
              },
              {
                "name": "Type",
                "value": "#6"
              },
              {
                "name": "Name",
                "value": "#188"
              },
              {
                "name": "Language",
                "value": "0x00000009"
              }
            ],
            "repeated": 0,
            "id": 12414
          },
          {
            "timestamp": "2026-05-28 22:01:58,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254bf0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00009000"
              }
            ],
            "repeated": 0,
            "id": 12415
          },
          {
            "timestamp": "2026-05-28 22:01:58,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 12416
          },
          {
            "timestamp": "2026-05-28 22:01:58,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29254bf0002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\System32\\Drivers\\Synth3dVsc.sys"
              },
              {
                "name": "dwFlags",
                "value": "0x0000002a"
              }
            ],
            "repeated": 0,
            "id": 12417
          },
          {
            "timestamp": "2026-05-28 22:01:58,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "FindResourceExW",
            "status": false,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29254bf0002"
              },
              {
                "name": "Type",
                "value": "#6"
              },
              {
                "name": "Name",
                "value": "#188"
              },
              {
                "name": "Language",
                "value": "0x00000009"
              }
            ],
            "repeated": 0,
            "id": 12418
          },
          {
            "timestamp": "2026-05-28 22:01:58,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254bf0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00009000"
              }
            ],
            "repeated": 0,
            "id": 12419
          },
          {
            "timestamp": "2026-05-28 22:01:58,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 12420
          },
          {
            "timestamp": "2026-05-28 22:01:58,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29254bf0002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\System32\\Drivers\\Synth3dVsc.sys"
              },
              {
                "name": "dwFlags",
                "value": "0x0000002a"
              }
            ],
            "repeated": 0,
            "id": 12421
          },
          {
            "timestamp": "2026-05-28 22:01:58,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "FindResourceExW",
            "status": false,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29254bf0002"
              },
              {
                "name": "Type",
                "value": "#6"
              },
              {
                "name": "Name",
                "value": "#188"
              },
              {
                "name": "Language",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 12422
          },
          {
            "timestamp": "2026-05-28 22:01:58,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254bf0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00009000"
              }
            ],
            "repeated": 0,
            "id": 12423
          },
          {
            "timestamp": "2026-05-28 22:01:58,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 12424
          },
          {
            "timestamp": "2026-05-28 22:01:58,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29254bf0002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\System32\\Drivers\\Synth3dVsc.sys"
              },
              {
                "name": "dwFlags",
                "value": "0x0000002a"
              }
            ],
            "repeated": 0,
            "id": 12425
          },
          {
            "timestamp": "2026-05-28 22:01:58,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "FindResourceExW",
            "status": false,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29254bf0002"
              },
              {
                "name": "Type",
                "value": "#6"
              },
              {
                "name": "Name",
                "value": "#188"
              },
              {
                "name": "Language",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 12426
          },
          {
            "timestamp": "2026-05-28 22:01:58,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254bf0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00009000"
              }
            ],
            "repeated": 0,
            "id": 12427
          },
          {
            "timestamp": "2026-05-28 22:01:58,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 12428
          },
          {
            "timestamp": "2026-05-28 22:01:58,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29254bf0002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\System32\\Drivers\\Synth3dVsc.sys"
              },
              {
                "name": "dwFlags",
                "value": "0x0000002a"
              }
            ],
            "repeated": 0,
            "id": 12429
          },
          {
            "timestamp": "2026-05-28 22:01:58,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "FindResourceExW",
            "status": false,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29254bf0002"
              },
              {
                "name": "Type",
                "value": "#6"
              },
              {
                "name": "Name",
                "value": "#188"
              },
              {
                "name": "Language",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 12430
          },
          {
            "timestamp": "2026-05-28 22:01:58,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254bf0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00009000"
              }
            ],
            "repeated": 0,
            "id": 12431
          },
          {
            "timestamp": "2026-05-28 22:01:58,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 12432
          },
          {
            "timestamp": "2026-05-28 22:01:58,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29254bf0002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\System32\\Drivers\\Synth3dVsc.sys"
              },
              {
                "name": "dwFlags",
                "value": "0x0000002a"
              }
            ],
            "repeated": 0,
            "id": 12433
          },
          {
            "timestamp": "2026-05-28 22:01:58,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "FindResourceExW",
            "status": false,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29254bf0002"
              },
              {
                "name": "Type",
                "value": "#6"
              },
              {
                "name": "Name",
                "value": "#188"
              },
              {
                "name": "Language",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 12434
          },
          {
            "timestamp": "2026-05-28 22:01:58,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254bf0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00009000"
              }
            ],
            "repeated": 0,
            "id": 12435
          },
          {
            "timestamp": "2026-05-28 22:01:58,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 12436
          },
          {
            "timestamp": "2026-05-28 22:01:58,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29254bf0002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\System32\\Drivers\\Synth3dVsc.sys"
              },
              {
                "name": "dwFlags",
                "value": "0x0000002a"
              }
            ],
            "repeated": 0,
            "id": 12437
          },
          {
            "timestamp": "2026-05-28 22:01:58,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "FindResourceExW",
            "status": false,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29254bf0002"
              },
              {
                "name": "Type",
                "value": "#6"
              },
              {
                "name": "Name",
                "value": "#126"
              },
              {
                "name": "Language",
                "value": "0x00000409"
              }
            ],
            "repeated": 0,
            "id": 12438
          },
          {
            "timestamp": "2026-05-28 22:01:58,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254bf0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00009000"
              }
            ],
            "repeated": 0,
            "id": 12439
          },
          {
            "timestamp": "2026-05-28 22:01:58,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 12440
          },
          {
            "timestamp": "2026-05-28 22:01:58,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29254bf0002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\System32\\Drivers\\Synth3dVsc.sys"
              },
              {
                "name": "dwFlags",
                "value": "0x0000002a"
              }
            ],
            "repeated": 0,
            "id": 12441
          },
          {
            "timestamp": "2026-05-28 22:01:58,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "FindResourceExW",
            "status": false,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29254bf0002"
              },
              {
                "name": "Type",
                "value": "#6"
              },
              {
                "name": "Name",
                "value": "#126"
              },
              {
                "name": "Language",
                "value": "0x00000009"
              }
            ],
            "repeated": 0,
            "id": 12442
          },
          {
            "timestamp": "2026-05-28 22:01:58,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254bf0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00009000"
              }
            ],
            "repeated": 0,
            "id": 12443
          },
          {
            "timestamp": "2026-05-28 22:01:58,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 12444
          },
          {
            "timestamp": "2026-05-28 22:01:58,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29254bf0002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\System32\\Drivers\\Synth3dVsc.sys"
              },
              {
                "name": "dwFlags",
                "value": "0x0000002a"
              }
            ],
            "repeated": 0,
            "id": 12445
          },
          {
            "timestamp": "2026-05-28 22:01:58,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "FindResourceExW",
            "status": false,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29254bf0002"
              },
              {
                "name": "Type",
                "value": "#6"
              },
              {
                "name": "Name",
                "value": "#126"
              },
              {
                "name": "Language",
                "value": "0x00000009"
              }
            ],
            "repeated": 0,
            "id": 12446
          },
          {
            "timestamp": "2026-05-28 22:01:58,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254bf0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00009000"
              }
            ],
            "repeated": 0,
            "id": 12447
          },
          {
            "timestamp": "2026-05-28 22:01:58,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 12448
          },
          {
            "timestamp": "2026-05-28 22:01:58,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29254bf0002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\System32\\Drivers\\Synth3dVsc.sys"
              },
              {
                "name": "dwFlags",
                "value": "0x0000002a"
              }
            ],
            "repeated": 0,
            "id": 12449
          },
          {
            "timestamp": "2026-05-28 22:01:58,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "FindResourceExW",
            "status": false,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29254bf0002"
              },
              {
                "name": "Type",
                "value": "#6"
              },
              {
                "name": "Name",
                "value": "#126"
              },
              {
                "name": "Language",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 12450
          },
          {
            "timestamp": "2026-05-28 22:01:58,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254bf0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00009000"
              }
            ],
            "repeated": 0,
            "id": 12451
          },
          {
            "timestamp": "2026-05-28 22:01:58,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 12452
          },
          {
            "timestamp": "2026-05-28 22:01:58,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29254bf0002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\System32\\Drivers\\Synth3dVsc.sys"
              },
              {
                "name": "dwFlags",
                "value": "0x0000002a"
              }
            ],
            "repeated": 0,
            "id": 12453
          },
          {
            "timestamp": "2026-05-28 22:01:58,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "FindResourceExW",
            "status": false,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29254bf0002"
              },
              {
                "name": "Type",
                "value": "#6"
              },
              {
                "name": "Name",
                "value": "#126"
              },
              {
                "name": "Language",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 12454
          },
          {
            "timestamp": "2026-05-28 22:01:58,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254bf0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00009000"
              }
            ],
            "repeated": 0,
            "id": 12455
          },
          {
            "timestamp": "2026-05-28 22:01:58,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 12456
          },
          {
            "timestamp": "2026-05-28 22:01:58,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29254bf0002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\System32\\Drivers\\Synth3dVsc.sys"
              },
              {
                "name": "dwFlags",
                "value": "0x0000002a"
              }
            ],
            "repeated": 0,
            "id": 12457
          },
          {
            "timestamp": "2026-05-28 22:01:58,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "FindResourceExW",
            "status": false,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29254bf0002"
              },
              {
                "name": "Type",
                "value": "#6"
              },
              {
                "name": "Name",
                "value": "#126"
              },
              {
                "name": "Language",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 12458
          },
          {
            "timestamp": "2026-05-28 22:01:58,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254bf0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00009000"
              }
            ],
            "repeated": 0,
            "id": 12459
          },
          {
            "timestamp": "2026-05-28 22:01:58,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 12460
          },
          {
            "timestamp": "2026-05-28 22:01:58,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29254bf0002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\System32\\Drivers\\Synth3dVsc.sys"
              },
              {
                "name": "dwFlags",
                "value": "0x0000002a"
              }
            ],
            "repeated": 0,
            "id": 12461
          },
          {
            "timestamp": "2026-05-28 22:01:58,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "FindResourceExW",
            "status": false,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29254bf0002"
              },
              {
                "name": "Type",
                "value": "#6"
              },
              {
                "name": "Name",
                "value": "#126"
              },
              {
                "name": "Language",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 12462
          },
          {
            "timestamp": "2026-05-28 22:01:58,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254bf0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00009000"
              }
            ],
            "repeated": 0,
            "id": 12463
          },
          {
            "timestamp": "2026-05-28 22:01:58,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 12464
          },
          {
            "timestamp": "2026-05-28 22:01:58,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29254bf0002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\WorkflowServiceHostPerformanceCounters.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x0000002a"
              }
            ],
            "repeated": 0,
            "id": 12465
          },
          {
            "timestamp": "2026-05-28 22:01:58,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "FindResourceExW",
            "status": true,
            "return": "0x29254c10368",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29254bf0002"
              },
              {
                "name": "Type",
                "value": "#6"
              },
              {
                "name": "Name",
                "value": "#1"
              },
              {
                "name": "Language",
                "value": "0x00000409"
              }
            ],
            "repeated": 0,
            "id": 12466
          },
          {
            "timestamp": "2026-05-28 22:01:58,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "SizeofResource",
            "status": true,
            "return": "0x0000035c",
            "arguments": [
              {
                "name": "ModuleHandle",
                "value": "0x29254bf0002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29254c10368"
              }
            ],
            "repeated": 0,
            "id": 12467
          },
          {
            "timestamp": "2026-05-28 22:01:58,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "LoadResource",
            "status": true,
            "return": "0x29254c10490",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29254bf0002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29254c10368"
              }
            ],
            "repeated": 0,
            "id": 12468
          },
          {
            "timestamp": "2026-05-28 22:01:58,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254c10000"
              },
              {
                "name": "RegionSize",
                "value": "0x00006000"
              }
            ],
            "repeated": 0,
            "id": 12469
          },
          {
            "timestamp": "2026-05-28 22:01:58,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000008e8"
              }
            ],
            "repeated": 0,
            "id": 12470
          },
          {
            "timestamp": "2026-05-28 22:01:58,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254bf0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00019000"
              }
            ],
            "repeated": 0,
            "id": 12471
          },
          {
            "timestamp": "2026-05-28 22:01:58,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 12472
          },
          {
            "timestamp": "2026-05-28 22:01:58,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29254bf0002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "lsm.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x0000002a"
              }
            ],
            "repeated": 0,
            "id": 12473
          },
          {
            "timestamp": "2026-05-28 22:01:58,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "FindResourceExW",
            "status": true,
            "return": "0x29254cd0560",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29254bf0002"
              },
              {
                "name": "Type",
                "value": "#6"
              },
              {
                "name": "Name",
                "value": "#1"
              },
              {
                "name": "Language",
                "value": "0x00000409"
              }
            ],
            "repeated": 0,
            "id": 12474
          },
          {
            "timestamp": "2026-05-28 22:01:58,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "SizeofResource",
            "status": true,
            "return": "0x00000264",
            "arguments": [
              {
                "name": "ModuleHandle",
                "value": "0x29254bf0002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29254cd0560"
              }
            ],
            "repeated": 0,
            "id": 12475
          },
          {
            "timestamp": "2026-05-28 22:01:58,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "LoadResource",
            "status": true,
            "return": "0x29254cd0680",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29254bf0002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29254cd0560"
              }
            ],
            "repeated": 0,
            "id": 12476
          },
          {
            "timestamp": "2026-05-28 22:01:58,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254cd0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00003000"
              }
            ],
            "repeated": 0,
            "id": 12477
          },
          {
            "timestamp": "2026-05-28 22:01:58,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000008ec"
              }
            ],
            "repeated": 0,
            "id": 12478
          },
          {
            "timestamp": "2026-05-28 22:01:58,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254bf0000"
              },
              {
                "name": "RegionSize",
                "value": "0x000d5000"
              }
            ],
            "repeated": 0,
            "id": 12479
          },
          {
            "timestamp": "2026-05-28 22:01:58,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 12480
          },
          {
            "timestamp": "2026-05-28 22:01:58,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29254bf0002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "HvHostSvc.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x0000002a"
              }
            ],
            "repeated": 0,
            "id": 12481
          },
          {
            "timestamp": "2026-05-28 22:01:58,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "FindResourceExW",
            "status": true,
            "return": "0x29254c10e98",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29254bf0002"
              },
              {
                "name": "Type",
                "value": "#6"
              },
              {
                "name": "Name",
                "value": "#1253"
              },
              {
                "name": "Language",
                "value": "0x00000409"
              }
            ],
            "repeated": 0,
            "id": 12482
          },
          {
            "timestamp": "2026-05-28 22:01:58,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "SizeofResource",
            "status": true,
            "return": "0x0000030e",
            "arguments": [
              {
                "name": "ModuleHandle",
                "value": "0x29254bf0002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29254c10e98"
              }
            ],
            "repeated": 0,
            "id": 12483
          },
          {
            "timestamp": "2026-05-28 22:01:58,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "LoadResource",
            "status": true,
            "return": "0x29254c11b48",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29254bf0002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29254c10e98"
              }
            ],
            "repeated": 0,
            "id": 12484
          },
          {
            "timestamp": "2026-05-28 22:01:58,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254c10000"
              },
              {
                "name": "RegionSize",
                "value": "0x00016000"
              }
            ],
            "repeated": 0,
            "id": 12485
          },
          {
            "timestamp": "2026-05-28 22:01:58,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000008ec"
              }
            ],
            "repeated": 0,
            "id": 12486
          },
          {
            "timestamp": "2026-05-28 22:01:58,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254bf0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00013000"
              }
            ],
            "repeated": 0,
            "id": 12487
          },
          {
            "timestamp": "2026-05-28 22:01:58,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 12488
          },
          {
            "timestamp": "2026-05-28 22:01:58,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29254bf0002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "HvHostSvc.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x0000002a"
              }
            ],
            "repeated": 0,
            "id": 12489
          },
          {
            "timestamp": "2026-05-28 22:01:58,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "FindResourceExW",
            "status": true,
            "return": "0x29254c10e78",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29254bf0002"
              },
              {
                "name": "Type",
                "value": "#6"
              },
              {
                "name": "Name",
                "value": "#1251"
              },
              {
                "name": "Language",
                "value": "0x00000409"
              }
            ],
            "repeated": 0,
            "id": 12490
          },
          {
            "timestamp": "2026-05-28 22:01:58,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "SizeofResource",
            "status": true,
            "return": "0x000002ae",
            "arguments": [
              {
                "name": "ModuleHandle",
                "value": "0x29254bf0002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29254c10e78"
              }
            ],
            "repeated": 0,
            "id": 12491
          },
          {
            "timestamp": "2026-05-28 22:01:58,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "LoadResource",
            "status": true,
            "return": "0x29254c11548",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29254bf0002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29254c10e78"
              }
            ],
            "repeated": 0,
            "id": 12492
          },
          {
            "timestamp": "2026-05-28 22:01:58,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254c10000"
              },
              {
                "name": "RegionSize",
                "value": "0x00016000"
              }
            ],
            "repeated": 0,
            "id": 12493
          },
          {
            "timestamp": "2026-05-28 22:01:58,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000008ec"
              }
            ],
            "repeated": 0,
            "id": 12494
          },
          {
            "timestamp": "2026-05-28 22:01:58,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254bf0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00013000"
              }
            ],
            "repeated": 0,
            "id": 12495
          },
          {
            "timestamp": "2026-05-28 22:01:58,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 12496
          },
          {
            "timestamp": "2026-05-28 22:01:58,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29254bf0002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "HvHostSvc.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x0000002a"
              }
            ],
            "repeated": 0,
            "id": 12497
          },
          {
            "timestamp": "2026-05-28 22:01:58,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "FindResourceExW",
            "status": true,
            "return": "0x29254c10f58",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29254bf0002"
              },
              {
                "name": "Type",
                "value": "#6"
              },
              {
                "name": "Name",
                "value": "#1265"
              },
              {
                "name": "Language",
                "value": "0x00000409"
              }
            ],
            "repeated": 0,
            "id": 12498
          },
          {
            "timestamp": "2026-05-28 22:01:58,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "SizeofResource",
            "status": true,
            "return": "0x000002fa",
            "arguments": [
              {
                "name": "ModuleHandle",
                "value": "0x29254bf0002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29254c10f58"
              }
            ],
            "repeated": 0,
            "id": 12499
          },
          {
            "timestamp": "2026-05-28 22:01:58,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "LoadResource",
            "status": true,
            "return": "0x29254c147b8",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29254bf0002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29254c10f58"
              }
            ],
            "repeated": 0,
            "id": 12500
          },
          {
            "timestamp": "2026-05-28 22:01:58,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254c10000"
              },
              {
                "name": "RegionSize",
                "value": "0x00016000"
              }
            ],
            "repeated": 0,
            "id": 12501
          },
          {
            "timestamp": "2026-05-28 22:01:58,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000008ec"
              }
            ],
            "repeated": 0,
            "id": 12502
          },
          {
            "timestamp": "2026-05-28 22:01:58,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254bf0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00013000"
              }
            ],
            "repeated": 0,
            "id": 12503
          },
          {
            "timestamp": "2026-05-28 22:01:58,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 12504
          },
          {
            "timestamp": "2026-05-28 22:01:58,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29254bf0002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "HvHostSvc.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x0000002a"
              }
            ],
            "repeated": 0,
            "id": 12505
          },
          {
            "timestamp": "2026-05-28 22:01:58,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "FindResourceExW",
            "status": true,
            "return": "0x29254c10fe8",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29254bf0002"
              },
              {
                "name": "Type",
                "value": "#6"
              },
              {
                "name": "Name",
                "value": "#1274"
              },
              {
                "name": "Language",
                "value": "0x00000409"
              }
            ],
            "repeated": 0,
            "id": 12506
          },
          {
            "timestamp": "2026-05-28 22:01:58,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "SizeofResource",
            "status": true,
            "return": "0x00000386",
            "arguments": [
              {
                "name": "ModuleHandle",
                "value": "0x29254bf0002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29254c10fe8"
              }
            ],
            "repeated": 0,
            "id": 12507
          },
          {
            "timestamp": "2026-05-28 22:01:58,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "LoadResource",
            "status": true,
            "return": "0x29254c164e0",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29254bf0002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29254c10fe8"
              }
            ],
            "repeated": 0,
            "id": 12508
          },
          {
            "timestamp": "2026-05-28 22:01:58,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254c10000"
              },
              {
                "name": "RegionSize",
                "value": "0x00016000"
              }
            ],
            "repeated": 0,
            "id": 12509
          },
          {
            "timestamp": "2026-05-28 22:01:58,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000008ec"
              }
            ],
            "repeated": 0,
            "id": 12510
          },
          {
            "timestamp": "2026-05-28 22:01:58,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254bf0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00013000"
              }
            ],
            "repeated": 0,
            "id": 12511
          },
          {
            "timestamp": "2026-05-28 22:01:58,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 12512
          },
          {
            "timestamp": "2026-05-28 22:01:58,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29254bf0002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\system32\\drivers\\pacer.sys"
              },
              {
                "name": "dwFlags",
                "value": "0x0000002a"
              }
            ],
            "repeated": 0,
            "id": 12513
          },
          {
            "timestamp": "2026-05-28 22:01:58,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "FindResourceExW",
            "status": true,
            "return": "0x29254c20670",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29254bf0002"
              },
              {
                "name": "Type",
                "value": "#6"
              },
              {
                "name": "Name",
                "value": "#63"
              },
              {
                "name": "Language",
                "value": "0x00000409"
              }
            ],
            "repeated": 0,
            "id": 12514
          },
          {
            "timestamp": "2026-05-28 22:01:58,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "SizeofResource",
            "status": true,
            "return": "0x000001aa",
            "arguments": [
              {
                "name": "ModuleHandle",
                "value": "0x29254bf0002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29254c20670"
              }
            ],
            "repeated": 0,
            "id": 12515
          },
          {
            "timestamp": "2026-05-28 22:01:58,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "LoadResource",
            "status": true,
            "return": "0x29254c2095c",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29254bf0002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29254c20670"
              }
            ],
            "repeated": 0,
            "id": 12516
          },
          {
            "timestamp": "2026-05-28 22:01:58,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254c20000"
              },
              {
                "name": "RegionSize",
                "value": "0x00005000"
              }
            ],
            "repeated": 0,
            "id": 12517
          },
          {
            "timestamp": "2026-05-28 22:01:58,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000008ec"
              }
            ],
            "repeated": 0,
            "id": 12518
          },
          {
            "timestamp": "2026-05-28 22:01:58,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254bf0000"
              },
              {
                "name": "RegionSize",
                "value": "0x0002b000"
              }
            ],
            "repeated": 0,
            "id": 12519
          },
          {
            "timestamp": "2026-05-28 22:01:58,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 12520
          },
          {
            "timestamp": "2026-05-28 22:01:58,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29254bf0002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\system32\\drivers\\pacer.sys"
              },
              {
                "name": "dwFlags",
                "value": "0x0000002a"
              }
            ],
            "repeated": 0,
            "id": 12521
          },
          {
            "timestamp": "2026-05-28 22:01:58,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "FindResourceExW",
            "status": true,
            "return": "0x29254c206c0",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29254bf0002"
              },
              {
                "name": "Type",
                "value": "#6"
              },
              {
                "name": "Name",
                "value": "#68"
              },
              {
                "name": "Language",
                "value": "0x00000409"
              }
            ],
            "repeated": 0,
            "id": 12522
          },
          {
            "timestamp": "2026-05-28 22:01:58,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "SizeofResource",
            "status": true,
            "return": "0x0000049e",
            "arguments": [
              {
                "name": "ModuleHandle",
                "value": "0x29254bf0002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29254c206c0"
              }
            ],
            "repeated": 0,
            "id": 12523
          },
          {
            "timestamp": "2026-05-28 22:01:58,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "LoadResource",
            "status": true,
            "return": "0x29254c21b38",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29254bf0002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29254c206c0"
              }
            ],
            "repeated": 0,
            "id": 12524
          },
          {
            "timestamp": "2026-05-28 22:01:58,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254c20000"
              },
              {
                "name": "RegionSize",
                "value": "0x00005000"
              }
            ],
            "repeated": 0,
            "id": 12525
          },
          {
            "timestamp": "2026-05-28 22:01:58,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000008ec"
              }
            ],
            "repeated": 0,
            "id": 12526
          },
          {
            "timestamp": "2026-05-28 22:01:58,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254bf0000"
              },
              {
                "name": "RegionSize",
                "value": "0x0002b000"
              }
            ],
            "repeated": 0,
            "id": 12527
          },
          {
            "timestamp": "2026-05-28 22:01:58,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 12528
          },
          {
            "timestamp": "2026-05-28 22:01:58,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29254bf0002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "fwpuclnt.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x0000002a"
              }
            ],
            "repeated": 0,
            "id": 12529
          },
          {
            "timestamp": "2026-05-28 22:01:58,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "FindResourceExW",
            "status": true,
            "return": "0x29254c713e0",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29254bf0002"
              },
              {
                "name": "Type",
                "value": "#6"
              },
              {
                "name": "Name",
                "value": "#41"
              },
              {
                "name": "Language",
                "value": "0x00000409"
              }
            ],
            "repeated": 0,
            "id": 12530
          },
          {
            "timestamp": "2026-05-28 22:01:58,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "SizeofResource",
            "status": true,
            "return": "0x0000077a",
            "arguments": [
              {
                "name": "ModuleHandle",
                "value": "0x29254bf0002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29254c713e0"
              }
            ],
            "repeated": 0,
            "id": 12531
          },
          {
            "timestamp": "2026-05-28 22:01:58,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "LoadResource",
            "status": true,
            "return": "0x29254c7fcd8",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29254bf0002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29254c713e0"
              }
            ],
            "repeated": 0,
            "id": 12532
          },
          {
            "timestamp": "2026-05-28 22:01:58,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254c70000"
              },
              {
                "name": "RegionSize",
                "value": "0x00025000"
              }
            ],
            "repeated": 0,
            "id": 12533
          },
          {
            "timestamp": "2026-05-28 22:01:58,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000008ec"
              }
            ],
            "repeated": 0,
            "id": 12534
          },
          {
            "timestamp": "2026-05-28 22:01:58,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254bf0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00080000"
              }
            ],
            "repeated": 0,
            "id": 12535
          },
          {
            "timestamp": "2026-05-28 22:01:58,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 12536
          },
          {
            "timestamp": "2026-05-28 22:01:58,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29254bf0002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "fwpuclnt.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x0000002a"
              }
            ],
            "repeated": 0,
            "id": 12537
          },
          {
            "timestamp": "2026-05-28 22:01:58,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "FindResourceExW",
            "status": true,
            "return": "0x29254c71410",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29254bf0002"
              },
              {
                "name": "Type",
                "value": "#6"
              },
              {
                "name": "Name",
                "value": "#44"
              },
              {
                "name": "Language",
                "value": "0x00000409"
              }
            ],
            "repeated": 0,
            "id": 12538
          },
          {
            "timestamp": "2026-05-28 22:01:58,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "SizeofResource",
            "status": true,
            "return": "0x000005e2",
            "arguments": [
              {
                "name": "ModuleHandle",
                "value": "0x29254bf0002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29254c71410"
              }
            ],
            "repeated": 0,
            "id": 12539
          },
          {
            "timestamp": "2026-05-28 22:01:58,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "LoadResource",
            "status": true,
            "return": "0x29254c80ed4",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29254bf0002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29254c71410"
              }
            ],
            "repeated": 0,
            "id": 12540
          },
          {
            "timestamp": "2026-05-28 22:01:58,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254c70000"
              },
              {
                "name": "RegionSize",
                "value": "0x00025000"
              }
            ],
            "repeated": 0,
            "id": 12541
          },
          {
            "timestamp": "2026-05-28 22:01:58,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000008ec"
              }
            ],
            "repeated": 0,
            "id": 12542
          },
          {
            "timestamp": "2026-05-28 22:01:58,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254bf0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00080000"
              }
            ],
            "repeated": 0,
            "id": 12543
          },
          {
            "timestamp": "2026-05-28 22:01:58,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 12544
          },
          {
            "timestamp": "2026-05-28 22:01:58,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29254bf0002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "fwpuclnt.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x0000002a"
              }
            ],
            "repeated": 0,
            "id": 12545
          },
          {
            "timestamp": "2026-05-28 22:01:58,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "FindResourceExW",
            "status": true,
            "return": "0x29254c712f0",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29254bf0002"
              },
              {
                "name": "Type",
                "value": "#6"
              },
              {
                "name": "Name",
                "value": "#26"
              },
              {
                "name": "Language",
                "value": "0x00000409"
              }
            ],
            "repeated": 0,
            "id": 12546
          },
          {
            "timestamp": "2026-05-28 22:01:58,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "SizeofResource",
            "status": true,
            "return": "0x000004f6",
            "arguments": [
              {
                "name": "ModuleHandle",
                "value": "0x29254bf0002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29254c712f0"
              }
            ],
            "repeated": 0,
            "id": 12547
          },
          {
            "timestamp": "2026-05-28 22:01:58,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "LoadResource",
            "status": true,
            "return": "0x29254c7ab30",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29254bf0002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29254c712f0"
              }
            ],
            "repeated": 0,
            "id": 12548
          },
          {
            "timestamp": "2026-05-28 22:01:58,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254c70000"
              },
              {
                "name": "RegionSize",
                "value": "0x00025000"
              }
            ],
            "repeated": 0,
            "id": 12549
          },
          {
            "timestamp": "2026-05-28 22:01:58,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000008ec"
              }
            ],
            "repeated": 0,
            "id": 12550
          },
          {
            "timestamp": "2026-05-28 22:01:58,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254bf0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00080000"
              }
            ],
            "repeated": 0,
            "id": 12551
          },
          {
            "timestamp": "2026-05-28 22:01:58,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 12552
          },
          {
            "timestamp": "2026-05-28 22:01:58,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29254bf0002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "fwpuclnt.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x0000002a"
              }
            ],
            "repeated": 0,
            "id": 12553
          },
          {
            "timestamp": "2026-05-28 22:01:58,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "FindResourceExW",
            "status": true,
            "return": "0x29254c714b0",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29254bf0002"
              },
              {
                "name": "Type",
                "value": "#6"
              },
              {
                "name": "Name",
                "value": "#54"
              },
              {
                "name": "Language",
                "value": "0x00000409"
              }
            ],
            "repeated": 0,
            "id": 12554
          },
          {
            "timestamp": "2026-05-28 22:01:58,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "SizeofResource",
            "status": true,
            "return": "0x00000414",
            "arguments": [
              {
                "name": "ModuleHandle",
                "value": "0x29254bf0002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29254c714b0"
              }
            ],
            "repeated": 0,
            "id": 12555
          },
          {
            "timestamp": "2026-05-28 22:01:58,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "LoadResource",
            "status": true,
            "return": "0x29254c84398",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29254bf0002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29254c714b0"
              }
            ],
            "repeated": 0,
            "id": 12556
          },
          {
            "timestamp": "2026-05-28 22:01:58,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254c70000"
              },
              {
                "name": "RegionSize",
                "value": "0x00025000"
              }
            ],
            "repeated": 0,
            "id": 12557
          },
          {
            "timestamp": "2026-05-28 22:01:58,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000008ec"
              }
            ],
            "repeated": 0,
            "id": 12558
          },
          {
            "timestamp": "2026-05-28 22:01:58,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254bf0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00080000"
              }
            ],
            "repeated": 0,
            "id": 12559
          },
          {
            "timestamp": "2026-05-28 22:01:58,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 12560
          },
          {
            "timestamp": "2026-05-28 22:01:58,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29254bf0002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "fwpuclnt.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x0000002a"
              }
            ],
            "repeated": 0,
            "id": 12561
          },
          {
            "timestamp": "2026-05-28 22:01:58,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "FindResourceExW",
            "status": true,
            "return": "0x29254c71360",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29254bf0002"
              },
              {
                "name": "Type",
                "value": "#6"
              },
              {
                "name": "Name",
                "value": "#33"
              },
              {
                "name": "Language",
                "value": "0x00000409"
              }
            ],
            "repeated": 0,
            "id": 12562
          },
          {
            "timestamp": "2026-05-28 22:01:58,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "SizeofResource",
            "status": true,
            "return": "0x000005e4",
            "arguments": [
              {
                "name": "ModuleHandle",
                "value": "0x29254bf0002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29254c71360"
              }
            ],
            "repeated": 0,
            "id": 12563
          },
          {
            "timestamp": "2026-05-28 22:01:58,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "LoadResource",
            "status": true,
            "return": "0x29254c7d0cc",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29254bf0002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29254c71360"
              }
            ],
            "repeated": 0,
            "id": 12564
          },
          {
            "timestamp": "2026-05-28 22:01:58,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254c70000"
              },
              {
                "name": "RegionSize",
                "value": "0x00025000"
              }
            ],
            "repeated": 0,
            "id": 12565
          },
          {
            "timestamp": "2026-05-28 22:01:58,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000008ec"
              }
            ],
            "repeated": 0,
            "id": 12566
          },
          {
            "timestamp": "2026-05-28 22:01:58,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254bf0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00080000"
              }
            ],
            "repeated": 0,
            "id": 12567
          },
          {
            "timestamp": "2026-05-28 22:01:58,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 12568
          },
          {
            "timestamp": "2026-05-28 22:01:58,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29254bf0002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "fwpuclnt.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x0000002a"
              }
            ],
            "repeated": 0,
            "id": 12569
          },
          {
            "timestamp": "2026-05-28 22:01:58,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "FindResourceExW",
            "status": true,
            "return": "0x29254c71460",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29254bf0002"
              },
              {
                "name": "Type",
                "value": "#6"
              },
              {
                "name": "Name",
                "value": "#49"
              },
              {
                "name": "Language",
                "value": "0x00000409"
              }
            ],
            "repeated": 0,
            "id": 12570
          },
          {
            "timestamp": "2026-05-28 22:01:58,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "SizeofResource",
            "status": true,
            "return": "0x00000520",
            "arguments": [
              {
                "name": "ModuleHandle",
                "value": "0x29254bf0002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29254c71460"
              }
            ],
            "repeated": 0,
            "id": 12571
          },
          {
            "timestamp": "2026-05-28 22:01:58,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "LoadResource",
            "status": true,
            "return": "0x29254c82988",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29254bf0002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29254c71460"
              }
            ],
            "repeated": 0,
            "id": 12572
          },
          {
            "timestamp": "2026-05-28 22:01:58,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254c70000"
              },
              {
                "name": "RegionSize",
                "value": "0x00025000"
              }
            ],
            "repeated": 0,
            "id": 12573
          },
          {
            "timestamp": "2026-05-28 22:01:58,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000008ec"
              }
            ],
            "repeated": 0,
            "id": 12574
          },
          {
            "timestamp": "2026-05-28 22:01:58,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254bf0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00080000"
              }
            ],
            "repeated": 0,
            "id": 12575
          },
          {
            "timestamp": "2026-05-28 22:01:58,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 12576
          },
          {
            "timestamp": "2026-05-28 22:01:58,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29254bf0002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "fwpuclnt.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x0000002a"
              }
            ],
            "repeated": 0,
            "id": 12577
          },
          {
            "timestamp": "2026-05-28 22:01:58,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "FindResourceExW",
            "status": true,
            "return": "0x29254c71160",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29254bf0002"
              },
              {
                "name": "Type",
                "value": "#6"
              },
              {
                "name": "Name",
                "value": "#1"
              },
              {
                "name": "Language",
                "value": "0x00000409"
              }
            ],
            "repeated": 0,
            "id": 12578
          },
          {
            "timestamp": "2026-05-28 22:01:58,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "SizeofResource",
            "status": true,
            "return": "0x00000576",
            "arguments": [
              {
                "name": "ModuleHandle",
                "value": "0x29254bf0002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29254c71160"
              }
            ],
            "repeated": 0,
            "id": 12579
          },
          {
            "timestamp": "2026-05-28 22:01:58,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "LoadResource",
            "status": true,
            "return": "0x29254c71880",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29254bf0002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29254c71160"
              }
            ],
            "repeated": 0,
            "id": 12580
          },
          {
            "timestamp": "2026-05-28 22:01:58,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254c70000"
              },
              {
                "name": "RegionSize",
                "value": "0x00025000"
              }
            ],
            "repeated": 0,
            "id": 12581
          },
          {
            "timestamp": "2026-05-28 22:01:58,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000008ec"
              }
            ],
            "repeated": 0,
            "id": 12582
          },
          {
            "timestamp": "2026-05-28 22:01:58,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254bf0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00080000"
              }
            ],
            "repeated": 0,
            "id": 12583
          },
          {
            "timestamp": "2026-05-28 22:01:58,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 12584
          },
          {
            "timestamp": "2026-05-28 22:01:58,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29254bf0002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "fwpuclnt.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x0000002a"
              }
            ],
            "repeated": 0,
            "id": 12585
          },
          {
            "timestamp": "2026-05-28 22:01:58,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "FindResourceExW",
            "status": true,
            "return": "0x29254c71250",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29254bf0002"
              },
              {
                "name": "Type",
                "value": "#6"
              },
              {
                "name": "Name",
                "value": "#16"
              },
              {
                "name": "Language",
                "value": "0x00000409"
              }
            ],
            "repeated": 0,
            "id": 12586
          },
          {
            "timestamp": "2026-05-28 22:01:58,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "SizeofResource",
            "status": true,
            "return": "0x0000054e",
            "arguments": [
              {
                "name": "ModuleHandle",
                "value": "0x29254bf0002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29254c71250"
              }
            ],
            "repeated": 0,
            "id": 12587
          },
          {
            "timestamp": "2026-05-28 22:01:58,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "LoadResource",
            "status": true,
            "return": "0x29254c77700",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29254bf0002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29254c71250"
              }
            ],
            "repeated": 0,
            "id": 12588
          },
          {
            "timestamp": "2026-05-28 22:01:58,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254c70000"
              },
              {
                "name": "RegionSize",
                "value": "0x00025000"
              }
            ],
            "repeated": 0,
            "id": 12589
          },
          {
            "timestamp": "2026-05-28 22:01:58,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000008ec"
              }
            ],
            "repeated": 0,
            "id": 12590
          },
          {
            "timestamp": "2026-05-28 22:01:58,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254bf0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00080000"
              }
            ],
            "repeated": 0,
            "id": 12591
          },
          {
            "timestamp": "2026-05-28 22:01:58,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 12592
          },
          {
            "timestamp": "2026-05-28 22:01:58,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29254bf0002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "fwpuclnt.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x0000002a"
              }
            ],
            "repeated": 0,
            "id": 12593
          },
          {
            "timestamp": "2026-05-28 22:01:58,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "FindResourceExW",
            "status": true,
            "return": "0x29254c712a0",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29254bf0002"
              },
              {
                "name": "Type",
                "value": "#6"
              },
              {
                "name": "Name",
                "value": "#21"
              },
              {
                "name": "Language",
                "value": "0x00000409"
              }
            ],
            "repeated": 0,
            "id": 12594
          },
          {
            "timestamp": "2026-05-28 22:01:58,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "SizeofResource",
            "status": true,
            "return": "0x00000520",
            "arguments": [
              {
                "name": "ModuleHandle",
                "value": "0x29254bf0002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29254c712a0"
              }
            ],
            "repeated": 0,
            "id": 12595
          },
          {
            "timestamp": "2026-05-28 22:01:58,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "LoadResource",
            "status": true,
            "return": "0x29254c79120",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29254bf0002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29254c712a0"
              }
            ],
            "repeated": 0,
            "id": 12596
          },
          {
            "timestamp": "2026-05-28 22:01:58,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254c70000"
              },
              {
                "name": "RegionSize",
                "value": "0x00025000"
              }
            ],
            "repeated": 0,
            "id": 12597
          },
          {
            "timestamp": "2026-05-28 22:01:58,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000008ec"
              }
            ],
            "repeated": 0,
            "id": 12598
          },
          {
            "timestamp": "2026-05-28 22:01:58,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254bf0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00080000"
              }
            ],
            "repeated": 0,
            "id": 12599
          },
          {
            "timestamp": "2026-05-28 22:01:58,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 12600
          },
          {
            "timestamp": "2026-05-28 22:01:58,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29254bf0002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "fwpuclnt.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x0000002a"
              }
            ],
            "repeated": 0,
            "id": 12601
          },
          {
            "timestamp": "2026-05-28 22:01:58,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "FindResourceExW",
            "status": true,
            "return": "0x29254c714c0",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29254bf0002"
              },
              {
                "name": "Type",
                "value": "#6"
              },
              {
                "name": "Name",
                "value": "#55"
              },
              {
                "name": "Language",
                "value": "0x00000409"
              }
            ],
            "repeated": 0,
            "id": 12602
          },
          {
            "timestamp": "2026-05-28 22:01:58,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "SizeofResource",
            "status": true,
            "return": "0x0000031a",
            "arguments": [
              {
                "name": "ModuleHandle",
                "value": "0x29254bf0002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29254c714c0"
              }
            ],
            "repeated": 0,
            "id": 12603
          },
          {
            "timestamp": "2026-05-28 22:01:58,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "LoadResource",
            "status": true,
            "return": "0x29254c847ac",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29254bf0002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29254c714c0"
              }
            ],
            "repeated": 0,
            "id": 12604
          },
          {
            "timestamp": "2026-05-28 22:01:58,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254c70000"
              },
              {
                "name": "RegionSize",
                "value": "0x00025000"
              }
            ],
            "repeated": 0,
            "id": 12605
          },
          {
            "timestamp": "2026-05-28 22:01:58,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000008ec"
              }
            ],
            "repeated": 0,
            "id": 12606
          },
          {
            "timestamp": "2026-05-28 22:01:58,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254bf0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00080000"
              }
            ],
            "repeated": 0,
            "id": 12607
          },
          {
            "timestamp": "2026-05-28 22:01:58,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 12608
          },
          {
            "timestamp": "2026-05-28 22:01:58,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29254bf0002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "fwpuclnt.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x0000002a"
              }
            ],
            "repeated": 0,
            "id": 12609
          },
          {
            "timestamp": "2026-05-28 22:01:58,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "FindResourceExW",
            "status": true,
            "return": "0x29254c711d0",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29254bf0002"
              },
              {
                "name": "Type",
                "value": "#6"
              },
              {
                "name": "Name",
                "value": "#8"
              },
              {
                "name": "Language",
                "value": "0x00000409"
              }
            ],
            "repeated": 0,
            "id": 12610
          },
          {
            "timestamp": "2026-05-28 22:01:58,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "SizeofResource",
            "status": true,
            "return": "0x00000490",
            "arguments": [
              {
                "name": "ModuleHandle",
                "value": "0x29254bf0002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29254c711d0"
              }
            ],
            "repeated": 0,
            "id": 12611
          },
          {
            "timestamp": "2026-05-28 22:01:58,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "LoadResource",
            "status": true,
            "return": "0x29254c74064",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29254bf0002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29254c711d0"
              }
            ],
            "repeated": 0,
            "id": 12612
          },
          {
            "timestamp": "2026-05-28 22:01:58,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254c70000"
              },
              {
                "name": "RegionSize",
                "value": "0x00025000"
              }
            ],
            "repeated": 0,
            "id": 12613
          },
          {
            "timestamp": "2026-05-28 22:01:58,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000008ec"
              }
            ],
            "repeated": 0,
            "id": 12614
          },
          {
            "timestamp": "2026-05-28 22:01:58,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254bf0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00080000"
              }
            ],
            "repeated": 0,
            "id": 12615
          },
          {
            "timestamp": "2026-05-28 22:01:58,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 12616
          },
          {
            "timestamp": "2026-05-28 22:01:58,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29254bf0002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "fwpuclnt.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x0000002a"
              }
            ],
            "repeated": 0,
            "id": 12617
          },
          {
            "timestamp": "2026-05-28 22:01:58,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "FindResourceExW",
            "status": true,
            "return": "0x29254c711d0",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29254bf0002"
              },
              {
                "name": "Type",
                "value": "#6"
              },
              {
                "name": "Name",
                "value": "#8"
              },
              {
                "name": "Language",
                "value": "0x00000409"
              }
            ],
            "repeated": 0,
            "id": 12618
          },
          {
            "timestamp": "2026-05-28 22:01:58,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "SizeofResource",
            "status": true,
            "return": "0x00000490",
            "arguments": [
              {
                "name": "ModuleHandle",
                "value": "0x29254bf0002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29254c711d0"
              }
            ],
            "repeated": 0,
            "id": 12619
          },
          {
            "timestamp": "2026-05-28 22:01:58,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "LoadResource",
            "status": true,
            "return": "0x29254c74064",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29254bf0002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29254c711d0"
              }
            ],
            "repeated": 0,
            "id": 12620
          },
          {
            "timestamp": "2026-05-28 22:01:58,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254c70000"
              },
              {
                "name": "RegionSize",
                "value": "0x00025000"
              }
            ],
            "repeated": 0,
            "id": 12621
          },
          {
            "timestamp": "2026-05-28 22:01:58,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000008ec"
              }
            ],
            "repeated": 0,
            "id": 12622
          },
          {
            "timestamp": "2026-05-28 22:01:58,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254bf0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00080000"
              }
            ],
            "repeated": 0,
            "id": 12623
          },
          {
            "timestamp": "2026-05-28 22:01:58,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 12624
          },
          {
            "timestamp": "2026-05-28 22:01:58,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29254bf0002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "fwpuclnt.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x0000002a"
              }
            ],
            "repeated": 0,
            "id": 12625
          },
          {
            "timestamp": "2026-05-28 22:01:58,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "FindResourceExW",
            "status": true,
            "return": "0x29254c71720",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29254bf0002"
              },
              {
                "name": "Type",
                "value": "#6"
              },
              {
                "name": "Name",
                "value": "#188"
              },
              {
                "name": "Language",
                "value": "0x00000409"
              }
            ],
            "repeated": 0,
            "id": 12626
          },
          {
            "timestamp": "2026-05-28 22:01:58,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "SizeofResource",
            "status": true,
            "return": "0x000001d0",
            "arguments": [
              {
                "name": "ModuleHandle",
                "value": "0x29254bf0002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29254c71720"
              }
            ],
            "repeated": 0,
            "id": 12627
          },
          {
            "timestamp": "2026-05-28 22:01:58,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "LoadResource",
            "status": true,
            "return": "0x29254c91fe8",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29254bf0002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29254c71720"
              }
            ],
            "repeated": 0,
            "id": 12628
          },
          {
            "timestamp": "2026-05-28 22:01:58,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254c70000"
              },
              {
                "name": "RegionSize",
                "value": "0x00025000"
              }
            ],
            "repeated": 0,
            "id": 12629
          },
          {
            "timestamp": "2026-05-28 22:01:58,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000008ec"
              }
            ],
            "repeated": 0,
            "id": 12630
          },
          {
            "timestamp": "2026-05-28 22:01:58,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254bf0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00080000"
              }
            ],
            "repeated": 0,
            "id": 12631
          },
          {
            "timestamp": "2026-05-28 22:01:58,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 12632
          },
          {
            "timestamp": "2026-05-28 22:01:58,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29254bf0002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "fwpuclnt.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x0000002a"
              }
            ],
            "repeated": 0,
            "id": 12633
          },
          {
            "timestamp": "2026-05-28 22:01:58,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "FindResourceExW",
            "status": true,
            "return": "0x29254c71190",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29254bf0002"
              },
              {
                "name": "Type",
                "value": "#6"
              },
              {
                "name": "Name",
                "value": "#4"
              },
              {
                "name": "Language",
                "value": "0x00000409"
              }
            ],
            "repeated": 0,
            "id": 12634
          },
          {
            "timestamp": "2026-05-28 22:01:58,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "SizeofResource",
            "status": true,
            "return": "0x00000544",
            "arguments": [
              {
                "name": "ModuleHandle",
                "value": "0x29254bf0002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29254c71190"
              }
            ],
            "repeated": 0,
            "id": 12635
          },
          {
            "timestamp": "2026-05-28 22:01:58,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "LoadResource",
            "status": true,
            "return": "0x29254c729b8",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29254bf0002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29254c71190"
              }
            ],
            "repeated": 0,
            "id": 12636
          },
          {
            "timestamp": "2026-05-28 22:01:58,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254c70000"
              },
              {
                "name": "RegionSize",
                "value": "0x00025000"
              }
            ],
            "repeated": 0,
            "id": 12637
          },
          {
            "timestamp": "2026-05-28 22:01:58,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000008ec"
              }
            ],
            "repeated": 0,
            "id": 12638
          },
          {
            "timestamp": "2026-05-28 22:01:58,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254bf0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00080000"
              }
            ],
            "repeated": 0,
            "id": 12639
          },
          {
            "timestamp": "2026-05-28 22:01:58,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 12640
          },
          {
            "timestamp": "2026-05-28 22:01:58,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29254bf0002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "pnrpsvc.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x0000002a"
              }
            ],
            "repeated": 0,
            "id": 12641
          },
          {
            "timestamp": "2026-05-28 22:01:58,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "FindResourceExW",
            "status": true,
            "return": "0x29254c505e0",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29254bf0002"
              },
              {
                "name": "Type",
                "value": "#6"
              },
              {
                "name": "Name",
                "value": "#1"
              },
              {
                "name": "Language",
                "value": "0x00000409"
              }
            ],
            "repeated": 0,
            "id": 12642
          },
          {
            "timestamp": "2026-05-28 22:01:58,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "SizeofResource",
            "status": true,
            "return": "0x000003e8",
            "arguments": [
              {
                "name": "ModuleHandle",
                "value": "0x29254bf0002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29254c505e0"
              }
            ],
            "repeated": 0,
            "id": 12643
          },
          {
            "timestamp": "2026-05-28 22:01:58,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "LoadResource",
            "status": true,
            "return": "0x29254c50740",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29254bf0002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29254c505e0"
              }
            ],
            "repeated": 0,
            "id": 12644
          },
          {
            "timestamp": "2026-05-28 22:01:58,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254c50000"
              },
              {
                "name": "RegionSize",
                "value": "0x00003000"
              }
            ],
            "repeated": 0,
            "id": 12645
          },
          {
            "timestamp": "2026-05-28 22:01:58,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000008ec"
              }
            ],
            "repeated": 0,
            "id": 12646
          },
          {
            "timestamp": "2026-05-28 22:01:58,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254bf0000"
              },
              {
                "name": "RegionSize",
                "value": "0x0005c000"
              }
            ],
            "repeated": 0,
            "id": 12647
          },
          {
            "timestamp": "2026-05-28 22:01:58,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 12648
          },
          {
            "timestamp": "2026-05-28 22:01:58,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29254bf0002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "AzRoles.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x0000002a"
              }
            ],
            "repeated": 0,
            "id": 12649
          },
          {
            "timestamp": "2026-05-28 22:01:58,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "FindResourceExW",
            "status": true,
            "return": "0x29254ca04e8",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29254bf0002"
              },
              {
                "name": "Type",
                "value": "#6"
              },
              {
                "name": "Name",
                "value": "#1"
              },
              {
                "name": "Language",
                "value": "0x00000409"
              }
            ],
            "repeated": 0,
            "id": 12650
          },
          {
            "timestamp": "2026-05-28 22:01:58,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "SizeofResource",
            "status": true,
            "return": "0x000002e6",
            "arguments": [
              {
                "name": "ModuleHandle",
                "value": "0x29254bf0002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29254ca04e8"
              }
            ],
            "repeated": 0,
            "id": 12651
          },
          {
            "timestamp": "2026-05-28 22:01:58,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "LoadResource",
            "status": true,
            "return": "0x29254ca05d0",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29254bf0002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29254ca04e8"
              }
            ],
            "repeated": 0,
            "id": 12652
          },
          {
            "timestamp": "2026-05-28 22:01:58,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254ca0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              }
            ],
            "repeated": 0,
            "id": 12653
          },
          {
            "timestamp": "2026-05-28 22:01:58,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000008ec"
              }
            ],
            "repeated": 0,
            "id": 12654
          },
          {
            "timestamp": "2026-05-28 22:01:58,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254bf0000"
              },
              {
                "name": "RegionSize",
                "value": "0x000a1000"
              }
            ],
            "repeated": 0,
            "id": 12655
          },
          {
            "timestamp": "2026-05-28 22:01:58,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 12656
          },
          {
            "timestamp": "2026-05-28 22:01:58,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29254bf0002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "fxsresm.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x0000002a"
              }
            ],
            "repeated": 0,
            "id": 12657
          },
          {
            "timestamp": "2026-05-28 22:01:58,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "FindResourceExW",
            "status": true,
            "return": "0x29254ce24e8",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29254bf0002"
              },
              {
                "name": "Type",
                "value": "#6"
              },
              {
                "name": "Name",
                "value": "#1"
              },
              {
                "name": "Language",
                "value": "0x00000409"
              }
            ],
            "repeated": 0,
            "id": 12658
          },
          {
            "timestamp": "2026-05-28 22:01:58,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "SizeofResource",
            "status": true,
            "return": "0x000002c8",
            "arguments": [
              {
                "name": "ModuleHandle",
                "value": "0x29254bf0002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29254ce24e8"
              }
            ],
            "repeated": 0,
            "id": 12659
          },
          {
            "timestamp": "2026-05-28 22:01:58,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "LoadResource",
            "status": true,
            "return": "0x29254cf0b90",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29254bf0002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29254ce24e8"
              }
            ],
            "repeated": 0,
            "id": 12660
          },
          {
            "timestamp": "2026-05-28 22:01:58,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254ce0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00029000"
              }
            ],
            "repeated": 0,
            "id": 12661
          },
          {
            "timestamp": "2026-05-28 22:01:58,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000008ec"
              }
            ],
            "repeated": 0,
            "id": 12662
          },
          {
            "timestamp": "2026-05-28 22:01:58,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254bf0000"
              },
              {
                "name": "RegionSize",
                "value": "0x000e4000"
              }
            ],
            "repeated": 0,
            "id": 12663
          },
          {
            "timestamp": "2026-05-28 22:01:58,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 12664
          },
          {
            "timestamp": "2026-05-28 22:01:58,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29254bf0002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\system32\\drivers\\afd.sys"
              },
              {
                "name": "dwFlags",
                "value": "0x0000002a"
              }
            ],
            "repeated": 0,
            "id": 12665
          },
          {
            "timestamp": "2026-05-28 22:01:58,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "FindResourceExW",
            "status": true,
            "return": "0x29254ca0540",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29254bf0002"
              },
              {
                "name": "Type",
                "value": "#6"
              },
              {
                "name": "Name",
                "value": "#1"
              },
              {
                "name": "Language",
                "value": "0x00000409"
              }
            ],
            "repeated": 0,
            "id": 12666
          },
          {
            "timestamp": "2026-05-28 22:01:58,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "SizeofResource",
            "status": true,
            "return": "0x000003a4",
            "arguments": [
              {
                "name": "ModuleHandle",
                "value": "0x29254bf0002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29254ca0540"
              }
            ],
            "repeated": 0,
            "id": 12667
          },
          {
            "timestamp": "2026-05-28 22:01:58,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "LoadResource",
            "status": true,
            "return": "0x29254ca0650",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29254bf0002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29254ca0540"
              }
            ],
            "repeated": 0,
            "id": 12668
          },
          {
            "timestamp": "2026-05-28 22:01:58,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254ca0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00006000"
              }
            ],
            "repeated": 0,
            "id": 12669
          },
          {
            "timestamp": "2026-05-28 22:01:58,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000008ec"
              }
            ],
            "repeated": 0,
            "id": 12670
          },
          {
            "timestamp": "2026-05-28 22:01:58,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254bf0000"
              },
              {
                "name": "RegionSize",
                "value": "0x000a7000"
              }
            ],
            "repeated": 0,
            "id": 12671
          },
          {
            "timestamp": "2026-05-28 22:01:58,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 12672
          },
          {
            "timestamp": "2026-05-28 22:01:58,396",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29254bf0002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\system32\\drivers\\fvevol.sys"
              },
              {
                "name": "dwFlags",
                "value": "0x0000002a"
              }
            ],
            "repeated": 0,
            "id": 12673
          },
          {
            "timestamp": "2026-05-28 22:01:58,396",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "FindResourceExW",
            "status": true,
            "return": "0x29254cc05a0",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29254bf0002"
              },
              {
                "name": "Type",
                "value": "#6"
              },
              {
                "name": "Name",
                "value": "#3126"
              },
              {
                "name": "Language",
                "value": "0x00000409"
              }
            ],
            "repeated": 0,
            "id": 12674
          },
          {
            "timestamp": "2026-05-28 22:01:58,396",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "SizeofResource",
            "status": true,
            "return": "0x000002f4",
            "arguments": [
              {
                "name": "ModuleHandle",
                "value": "0x29254bf0002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29254cc05a0"
              }
            ],
            "repeated": 0,
            "id": 12675
          },
          {
            "timestamp": "2026-05-28 22:01:58,396",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "LoadResource",
            "status": true,
            "return": "0x29254cc0788",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29254bf0002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29254cc05a0"
              }
            ],
            "repeated": 0,
            "id": 12676
          },
          {
            "timestamp": "2026-05-28 22:01:58,396",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254cc0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00006000"
              }
            ],
            "repeated": 0,
            "id": 12677
          },
          {
            "timestamp": "2026-05-28 22:01:58,396",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000008ec"
              }
            ],
            "repeated": 0,
            "id": 12678
          },
          {
            "timestamp": "2026-05-28 22:01:58,396",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254bf0000"
              },
              {
                "name": "RegionSize",
                "value": "0x000c9000"
              }
            ],
            "repeated": 0,
            "id": 12679
          },
          {
            "timestamp": "2026-05-28 22:01:58,396",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 12680
          },
          {
            "timestamp": "2026-05-28 22:01:58,396",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29254bf0002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\system32\\drivers\\spaceport.sys"
              },
              {
                "name": "dwFlags",
                "value": "0x0000002a"
              }
            ],
            "repeated": 0,
            "id": 12681
          },
          {
            "timestamp": "2026-05-28 22:01:58,396",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "FindResourceExW",
            "status": true,
            "return": "0x29254ca1880",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29254bf0002"
              },
              {
                "name": "Type",
                "value": "#6"
              },
              {
                "name": "Name",
                "value": "#7"
              },
              {
                "name": "Language",
                "value": "0x00000409"
              }
            ],
            "repeated": 0,
            "id": 12682
          },
          {
            "timestamp": "2026-05-28 22:01:58,396",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "SizeofResource",
            "status": true,
            "return": "0x0000008c",
            "arguments": [
              {
                "name": "ModuleHandle",
                "value": "0x29254bf0002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29254ca1880"
              }
            ],
            "repeated": 0,
            "id": 12683
          },
          {
            "timestamp": "2026-05-28 22:01:58,396",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "LoadResource",
            "status": true,
            "return": "0x29254ca2330",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29254bf0002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29254ca1880"
              }
            ],
            "repeated": 0,
            "id": 12684
          },
          {
            "timestamp": "2026-05-28 22:01:58,396",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254ca0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              }
            ],
            "repeated": 0,
            "id": 12685
          },
          {
            "timestamp": "2026-05-28 22:01:58,396",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000008ec"
              }
            ],
            "repeated": 0,
            "id": 12686
          },
          {
            "timestamp": "2026-05-28 22:01:58,396",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254bf0000"
              },
              {
                "name": "RegionSize",
                "value": "0x000ab000"
              }
            ],
            "repeated": 0,
            "id": 12687
          },
          {
            "timestamp": "2026-05-28 22:01:58,396",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 12688
          },
          {
            "timestamp": "2026-05-28 22:01:58,396",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29254bf0002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\system32\\drivers\\spaceport.sys"
              },
              {
                "name": "dwFlags",
                "value": "0x0000002a"
              }
            ],
            "repeated": 0,
            "id": 12689
          },
          {
            "timestamp": "2026-05-28 22:01:58,396",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "FindResourceExW",
            "status": true,
            "return": "0x29254ca18c0",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29254bf0002"
              },
              {
                "name": "Type",
                "value": "#6"
              },
              {
                "name": "Name",
                "value": "#32"
              },
              {
                "name": "Language",
                "value": "0x00000409"
              }
            ],
            "repeated": 0,
            "id": 12690
          },
          {
            "timestamp": "2026-05-28 22:01:58,396",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "SizeofResource",
            "status": true,
            "return": "0x00000088",
            "arguments": [
              {
                "name": "ModuleHandle",
                "value": "0x29254bf0002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29254ca18c0"
              }
            ],
            "repeated": 0,
            "id": 12691
          },
          {
            "timestamp": "2026-05-28 22:01:58,396",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "LoadResource",
            "status": true,
            "return": "0x29254ca2650",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29254bf0002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29254ca18c0"
              }
            ],
            "repeated": 0,
            "id": 12692
          },
          {
            "timestamp": "2026-05-28 22:01:58,396",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254ca0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              }
            ],
            "repeated": 0,
            "id": 12693
          },
          {
            "timestamp": "2026-05-28 22:01:58,396",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000008ec"
              }
            ],
            "repeated": 0,
            "id": 12694
          },
          {
            "timestamp": "2026-05-28 22:01:58,396",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254bf0000"
              },
              {
                "name": "RegionSize",
                "value": "0x000ab000"
              }
            ],
            "repeated": 0,
            "id": 12695
          },
          {
            "timestamp": "2026-05-28 22:01:58,396",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 12696
          },
          {
            "timestamp": "2026-05-28 22:01:58,396",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29254bf0002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\system32\\drivers\\spaceport.sys"
              },
              {
                "name": "dwFlags",
                "value": "0x0000002a"
              }
            ],
            "repeated": 0,
            "id": 12697
          },
          {
            "timestamp": "2026-05-28 22:01:58,396",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "FindResourceExW",
            "status": true,
            "return": "0x29254ca18a0",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29254bf0002"
              },
              {
                "name": "Type",
                "value": "#6"
              },
              {
                "name": "Name",
                "value": "#19"
              },
              {
                "name": "Language",
                "value": "0x00000409"
              }
            ],
            "repeated": 0,
            "id": 12698
          },
          {
            "timestamp": "2026-05-28 22:01:58,396",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "SizeofResource",
            "status": true,
            "return": "0x0000006c",
            "arguments": [
              {
                "name": "ModuleHandle",
                "value": "0x29254bf0002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29254ca18a0"
              }
            ],
            "repeated": 0,
            "id": 12699
          },
          {
            "timestamp": "2026-05-28 22:01:58,396",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "LoadResource",
            "status": true,
            "return": "0x29254ca24e0",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29254bf0002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29254ca18a0"
              }
            ],
            "repeated": 0,
            "id": 12700
          },
          {
            "timestamp": "2026-05-28 22:01:58,396",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254ca0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              }
            ],
            "repeated": 0,
            "id": 12701
          },
          {
            "timestamp": "2026-05-28 22:01:58,396",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000008ec"
              }
            ],
            "repeated": 0,
            "id": 12702
          },
          {
            "timestamp": "2026-05-28 22:01:58,396",
            "thread_id": "1496",
            "caller": "0x7ff6c28da9db",
            "parentcaller": "0x7ff6c28d6fb1",
            "category": "misc",
            "api": "GetCursorPos",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "x",
                "value": "687"
              },
              {
                "name": "y",
                "value": "363"
              }
            ],
            "repeated": 0,
            "id": 12703
          },
          {
            "timestamp": "2026-05-28 22:01:58,396",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6fb1",
            "parentcaller": "0x7ff6c28e0076",
            "category": "system",
            "api": "NtDelayExecution",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 12704
          },
          {
            "timestamp": "2026-05-28 22:01:58,396",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254bf0000"
              },
              {
                "name": "RegionSize",
                "value": "0x000ab000"
              }
            ],
            "repeated": 0,
            "id": 12705
          },
          {
            "timestamp": "2026-05-28 22:01:58,396",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 12706
          },
          {
            "timestamp": "2026-05-28 22:01:58,396",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29254bf0002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\system32\\drivers\\spaceport.sys"
              },
              {
                "name": "dwFlags",
                "value": "0x0000002a"
              }
            ],
            "repeated": 0,
            "id": 12707
          },
          {
            "timestamp": "2026-05-28 22:01:58,396",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "FindResourceExW",
            "status": true,
            "return": "0x29254ca18e0",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29254bf0002"
              },
              {
                "name": "Type",
                "value": "#6"
              },
              {
                "name": "Name",
                "value": "#44"
              },
              {
                "name": "Language",
                "value": "0x00000409"
              }
            ],
            "repeated": 0,
            "id": 12708
          },
          {
            "timestamp": "2026-05-28 22:01:58,396",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "SizeofResource",
            "status": true,
            "return": "0x00000068",
            "arguments": [
              {
                "name": "ModuleHandle",
                "value": "0x29254bf0002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29254ca18e0"
              }
            ],
            "repeated": 0,
            "id": 12709
          },
          {
            "timestamp": "2026-05-28 22:01:58,396",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "LoadResource",
            "status": true,
            "return": "0x29254ca27f8",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29254bf0002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29254ca18e0"
              }
            ],
            "repeated": 0,
            "id": 12710
          },
          {
            "timestamp": "2026-05-28 22:01:58,396",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254ca0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              }
            ],
            "repeated": 0,
            "id": 12711
          },
          {
            "timestamp": "2026-05-28 22:01:58,396",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000008f8"
              }
            ],
            "repeated": 0,
            "id": 12712
          },
          {
            "timestamp": "2026-05-28 22:01:58,396",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254bf0000"
              },
              {
                "name": "RegionSize",
                "value": "0x000ab000"
              }
            ],
            "repeated": 0,
            "id": 12713
          },
          {
            "timestamp": "2026-05-28 22:01:58,396",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 12714
          },
          {
            "timestamp": "2026-05-28 22:01:58,396",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29254bf0002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\system32\\drivers\\refs.sys"
              },
              {
                "name": "dwFlags",
                "value": "0x0000002a"
              }
            ],
            "repeated": 0,
            "id": 12715
          },
          {
            "timestamp": "2026-05-28 22:01:58,396",
            "thread_id": "1496",
            "caller": "0x7ff6c28da9db",
            "parentcaller": "0x7ff6c28d6fb1",
            "category": "misc",
            "api": "GetCursorPos",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "x",
                "value": "665"
              },
              {
                "name": "y",
                "value": "377"
              }
            ],
            "repeated": 0,
            "id": 12716
          },
          {
            "timestamp": "2026-05-28 22:01:58,396",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "FindResourceExW",
            "status": true,
            "return": "0x29254df0680",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29254bf0002"
              },
              {
                "name": "Type",
                "value": "#6"
              },
              {
                "name": "Name",
                "value": "#7"
              },
              {
                "name": "Language",
                "value": "0x00000409"
              }
            ],
            "repeated": 0,
            "id": 12717
          },
          {
            "timestamp": "2026-05-28 22:01:58,396",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "SizeofResource",
            "status": true,
            "return": "0x00000030",
            "arguments": [
              {
                "name": "ModuleHandle",
                "value": "0x29254bf0002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29254df0680"
              }
            ],
            "repeated": 0,
            "id": 12718
          },
          {
            "timestamp": "2026-05-28 22:01:58,396",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "LoadResource",
            "status": true,
            "return": "0x29254df0830",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29254bf0002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29254df0680"
              }
            ],
            "repeated": 0,
            "id": 12719
          },
          {
            "timestamp": "2026-05-28 22:01:58,396",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254df0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00009000"
              }
            ],
            "repeated": 0,
            "id": 12720
          },
          {
            "timestamp": "2026-05-28 22:01:58,396",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000008ec"
              }
            ],
            "repeated": 0,
            "id": 12721
          },
          {
            "timestamp": "2026-05-28 22:01:58,396",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254bf0000"
              },
              {
                "name": "RegionSize",
                "value": "0x001f9000"
              }
            ],
            "repeated": 0,
            "id": 12722
          },
          {
            "timestamp": "2026-05-28 22:01:58,396",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 12723
          },
          {
            "timestamp": "2026-05-28 22:01:58,396",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29254bf0002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\system32\\mispace.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x0000002a"
              }
            ],
            "repeated": 0,
            "id": 12724
          },
          {
            "timestamp": "2026-05-28 22:01:58,396",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "FindResourceExW",
            "status": true,
            "return": "0x29254f006a0",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29254bf0002"
              },
              {
                "name": "Type",
                "value": "#6"
              },
              {
                "name": "Name",
                "value": "#7"
              },
              {
                "name": "Language",
                "value": "0x00000409"
              }
            ],
            "repeated": 0,
            "id": 12725
          },
          {
            "timestamp": "2026-05-28 22:01:58,396",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "SizeofResource",
            "status": true,
            "return": "0x000000b4",
            "arguments": [
              {
                "name": "ModuleHandle",
                "value": "0x29254bf0002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29254f006a0"
              }
            ],
            "repeated": 0,
            "id": 12726
          },
          {
            "timestamp": "2026-05-28 22:01:58,396",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "LoadResource",
            "status": true,
            "return": "0x29254f00860",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29254bf0002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29254f006a0"
              }
            ],
            "repeated": 0,
            "id": 12727
          },
          {
            "timestamp": "2026-05-28 22:01:58,396",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254f00000"
              },
              {
                "name": "RegionSize",
                "value": "0x00006000"
              }
            ],
            "repeated": 0,
            "id": 12728
          },
          {
            "timestamp": "2026-05-28 22:01:58,396",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000008ec"
              }
            ],
            "repeated": 0,
            "id": 12729
          },
          {
            "timestamp": "2026-05-28 22:01:58,396",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254bf0000"
              },
              {
                "name": "RegionSize",
                "value": "0x0030b000"
              }
            ],
            "repeated": 0,
            "id": 12730
          },
          {
            "timestamp": "2026-05-28 22:01:58,396",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 12731
          },
          {
            "timestamp": "2026-05-28 22:01:58,396",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29254bf0002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\system32\\drivers\\vmbkmcl.sys"
              },
              {
                "name": "dwFlags",
                "value": "0x0000002a"
              }
            ],
            "repeated": 0,
            "id": 12732
          },
          {
            "timestamp": "2026-05-28 22:01:58,396",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "FindResourceExW",
            "status": true,
            "return": "0x29254c0f298",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29254bf0002"
              },
              {
                "name": "Type",
                "value": "#6"
              },
              {
                "name": "Name",
                "value": "#26"
              },
              {
                "name": "Language",
                "value": "0x00000409"
              }
            ],
            "repeated": 0,
            "id": 12733
          },
          {
            "timestamp": "2026-05-28 22:01:58,396",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "SizeofResource",
            "status": true,
            "return": "0x000001ca",
            "arguments": [
              {
                "name": "ModuleHandle",
                "value": "0x29254bf0002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29254c0f298"
              }
            ],
            "repeated": 0,
            "id": 12734
          },
          {
            "timestamp": "2026-05-28 22:01:58,396",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "LoadResource",
            "status": true,
            "return": "0x29254c10588",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29254bf0002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29254c0f298"
              }
            ],
            "repeated": 0,
            "id": 12735
          },
          {
            "timestamp": "2026-05-28 22:01:58,396",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254bf0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00023000"
              }
            ],
            "repeated": 0,
            "id": 12736
          },
          {
            "timestamp": "2026-05-28 22:01:58,396",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 12737
          },
          {
            "timestamp": "2026-05-28 22:01:58,396",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29254bf0002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\system32\\drivers\\smbdirect.sys"
              },
              {
                "name": "dwFlags",
                "value": "0x0000002a"
              }
            ],
            "repeated": 0,
            "id": 12738
          },
          {
            "timestamp": "2026-05-28 22:01:58,396",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "FindResourceExW",
            "status": true,
            "return": "0x29254c305a0",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29254bf0002"
              },
              {
                "name": "Type",
                "value": "#6"
              },
              {
                "name": "Name",
                "value": "#1"
              },
              {
                "name": "Language",
                "value": "0x00000409"
              }
            ],
            "repeated": 0,
            "id": 12739
          },
          {
            "timestamp": "2026-05-28 22:01:58,396",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "SizeofResource",
            "status": true,
            "return": "0x00000c9a",
            "arguments": [
              {
                "name": "ModuleHandle",
                "value": "0x29254bf0002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29254c305a0"
              }
            ],
            "repeated": 0,
            "id": 12740
          },
          {
            "timestamp": "2026-05-28 22:01:58,396",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "LoadResource",
            "status": true,
            "return": "0x29254c306e0",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29254bf0002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29254c305a0"
              }
            ],
            "repeated": 0,
            "id": 12741
          },
          {
            "timestamp": "2026-05-28 22:01:58,396",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254c30000"
              },
              {
                "name": "RegionSize",
                "value": "0x00008000"
              }
            ],
            "repeated": 0,
            "id": 12742
          },
          {
            "timestamp": "2026-05-28 22:01:58,396",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000008ec"
              }
            ],
            "repeated": 0,
            "id": 12743
          },
          {
            "timestamp": "2026-05-28 22:01:58,396",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254bf0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00031000"
              }
            ],
            "repeated": 0,
            "id": 12744
          },
          {
            "timestamp": "2026-05-28 22:01:58,396",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 12745
          },
          {
            "timestamp": "2026-05-28 22:01:58,396",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29254bf0002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "cscsvc.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x0000002a"
              }
            ],
            "repeated": 0,
            "id": 12746
          },
          {
            "timestamp": "2026-05-28 22:01:58,396",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "FindResourceExW",
            "status": true,
            "return": "0x29254cb0728",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29254bf0002"
              },
              {
                "name": "Type",
                "value": "#6"
              },
              {
                "name": "Name",
                "value": "#32"
              },
              {
                "name": "Language",
                "value": "0x00000409"
              }
            ],
            "repeated": 0,
            "id": 12747
          },
          {
            "timestamp": "2026-05-28 22:01:58,396",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "SizeofResource",
            "status": true,
            "return": "0x000001bc",
            "arguments": [
              {
                "name": "ModuleHandle",
                "value": "0x29254bf0002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29254cb0728"
              }
            ],
            "repeated": 0,
            "id": 12748
          },
          {
            "timestamp": "2026-05-28 22:01:58,396",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "LoadResource",
            "status": true,
            "return": "0x29254cb1c40",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29254bf0002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29254cb0728"
              }
            ],
            "repeated": 0,
            "id": 12749
          },
          {
            "timestamp": "2026-05-28 22:01:58,396",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254cb0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00006000"
              }
            ],
            "repeated": 0,
            "id": 12750
          },
          {
            "timestamp": "2026-05-28 22:01:58,396",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000008ec"
              }
            ],
            "repeated": 0,
            "id": 12751
          },
          {
            "timestamp": "2026-05-28 22:01:58,396",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254bf0000"
              },
              {
                "name": "RegionSize",
                "value": "0x000be000"
              }
            ],
            "repeated": 0,
            "id": 12752
          },
          {
            "timestamp": "2026-05-28 22:01:58,396",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 12753
          },
          {
            "timestamp": "2026-05-28 22:01:58,396",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29254bf0002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "cscsvc.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x0000002a"
              }
            ],
            "repeated": 0,
            "id": 12754
          },
          {
            "timestamp": "2026-05-28 22:01:58,396",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "FindResourceExW",
            "status": true,
            "return": "0x29254cb0738",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29254bf0002"
              },
              {
                "name": "Type",
                "value": "#6"
              },
              {
                "name": "Name",
                "value": "#33"
              },
              {
                "name": "Language",
                "value": "0x00000409"
              }
            ],
            "repeated": 0,
            "id": 12755
          },
          {
            "timestamp": "2026-05-28 22:01:58,396",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "SizeofResource",
            "status": true,
            "return": "0x00000314",
            "arguments": [
              {
                "name": "ModuleHandle",
                "value": "0x29254bf0002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29254cb0738"
              }
            ],
            "repeated": 0,
            "id": 12756
          },
          {
            "timestamp": "2026-05-28 22:01:58,396",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "LoadResource",
            "status": true,
            "return": "0x29254cb1dfc",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29254bf0002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29254cb0738"
              }
            ],
            "repeated": 0,
            "id": 12757
          },
          {
            "timestamp": "2026-05-28 22:01:58,396",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254cb0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00006000"
              }
            ],
            "repeated": 0,
            "id": 12758
          },
          {
            "timestamp": "2026-05-28 22:01:58,396",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000008ec"
              }
            ],
            "repeated": 0,
            "id": 12759
          },
          {
            "timestamp": "2026-05-28 22:01:58,396",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254bf0000"
              },
              {
                "name": "RegionSize",
                "value": "0x000be000"
              }
            ],
            "repeated": 0,
            "id": 12760
          },
          {
            "timestamp": "2026-05-28 22:01:58,396",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 12761
          },
          {
            "timestamp": "2026-05-28 22:01:58,396",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29254bf0002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\system32\\iphlpsvc.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x0000002a"
              }
            ],
            "repeated": 0,
            "id": 12762
          },
          {
            "timestamp": "2026-05-28 22:01:58,396",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "FindResourceExW",
            "status": true,
            "return": "0x29254cd07e0",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29254bf0002"
              },
              {
                "name": "Type",
                "value": "#6"
              },
              {
                "name": "Name",
                "value": "#7"
              },
              {
                "name": "Language",
                "value": "0x00000409"
              }
            ],
            "repeated": 0,
            "id": 12763
          },
          {
            "timestamp": "2026-05-28 22:01:58,396",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "SizeofResource",
            "status": true,
            "return": "0x000003dc",
            "arguments": [
              {
                "name": "ModuleHandle",
                "value": "0x29254bf0002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29254cd07e0"
              }
            ],
            "repeated": 0,
            "id": 12764
          },
          {
            "timestamp": "2026-05-28 22:01:58,396",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "LoadResource",
            "status": true,
            "return": "0x29254cd2120",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29254bf0002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29254cd07e0"
              }
            ],
            "repeated": 0,
            "id": 12765
          },
          {
            "timestamp": "2026-05-28 22:01:58,396",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254cd0000"
              },
              {
                "name": "RegionSize",
                "value": "0x0000d000"
              }
            ],
            "repeated": 0,
            "id": 12766
          },
          {
            "timestamp": "2026-05-28 22:01:58,396",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000008ec"
              }
            ],
            "repeated": 0,
            "id": 12767
          },
          {
            "timestamp": "2026-05-28 22:01:58,396",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254bf0000"
              },
              {
                "name": "RegionSize",
                "value": "0x000d4000"
              }
            ],
            "repeated": 0,
            "id": 12768
          },
          {
            "timestamp": "2026-05-28 22:01:58,396",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 12769
          },
          {
            "timestamp": "2026-05-28 22:01:58,396",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29254bf0002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\system32\\iphlpsvc.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x0000002a"
              }
            ],
            "repeated": 0,
            "id": 12770
          },
          {
            "timestamp": "2026-05-28 22:01:58,396",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "FindResourceExW",
            "status": true,
            "return": "0x29254cd0840",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29254bf0002"
              },
              {
                "name": "Type",
                "value": "#6"
              },
              {
                "name": "Name",
                "value": "#13"
              },
              {
                "name": "Language",
                "value": "0x00000409"
              }
            ],
            "repeated": 0,
            "id": 12771
          },
          {
            "timestamp": "2026-05-28 22:01:58,396",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "SizeofResource",
            "status": true,
            "return": "0x00000460",
            "arguments": [
              {
                "name": "ModuleHandle",
                "value": "0x29254bf0002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29254cd0840"
              }
            ],
            "repeated": 0,
            "id": 12772
          },
          {
            "timestamp": "2026-05-28 22:01:58,396",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "LoadResource",
            "status": true,
            "return": "0x29254cd3c98",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29254bf0002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29254cd0840"
              }
            ],
            "repeated": 0,
            "id": 12773
          },
          {
            "timestamp": "2026-05-28 22:01:58,396",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254cd0000"
              },
              {
                "name": "RegionSize",
                "value": "0x0000d000"
              }
            ],
            "repeated": 0,
            "id": 12774
          },
          {
            "timestamp": "2026-05-28 22:01:58,396",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000008ec"
              }
            ],
            "repeated": 0,
            "id": 12775
          },
          {
            "timestamp": "2026-05-28 22:01:58,396",
            "thread_id": "1496",
            "caller": "0x7ff6c28da9db",
            "parentcaller": "0x7ff6c28d6fb1",
            "category": "misc",
            "api": "GetCursorPos",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "x",
                "value": "663"
              },
              {
                "name": "y",
                "value": "379"
              }
            ],
            "repeated": 0,
            "id": 12776
          },
          {
            "timestamp": "2026-05-28 22:01:58,396",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6fb1",
            "parentcaller": "0x7ff6c28e0076",
            "category": "system",
            "api": "NtDelayExecution",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 12777
          },
          {
            "timestamp": "2026-05-28 22:01:58,396",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29254bf0002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\system32\\iphlpsvc.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x0000002a"
              }
            ],
            "repeated": 0,
            "id": 12778
          },
          {
            "timestamp": "2026-05-28 22:01:58,396",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "FindResourceExW",
            "status": true,
            "return": "0x29254cd0890",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29254bf0002"
              },
              {
                "name": "Type",
                "value": "#6"
              },
              {
                "name": "Name",
                "value": "#18"
              },
              {
                "name": "Language",
                "value": "0x00000409"
              }
            ],
            "repeated": 0,
            "id": 12779
          },
          {
            "timestamp": "2026-05-28 22:01:58,396",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "SizeofResource",
            "status": true,
            "return": "0x00000302",
            "arguments": [
              {
                "name": "ModuleHandle",
                "value": "0x29254bf0002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29254cd0890"
              }
            ],
            "repeated": 0,
            "id": 12780
          },
          {
            "timestamp": "2026-05-28 22:01:58,396",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "LoadResource",
            "status": true,
            "return": "0x29254cd4e28",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29254bf0002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29254cd0890"
              }
            ],
            "repeated": 0,
            "id": 12781
          },
          {
            "timestamp": "2026-05-28 22:01:58,396",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254cd0000"
              },
              {
                "name": "RegionSize",
                "value": "0x0000d000"
              }
            ],
            "repeated": 0,
            "id": 12782
          },
          {
            "timestamp": "2026-05-28 22:01:58,396",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000008ec"
              }
            ],
            "repeated": 0,
            "id": 12783
          },
          {
            "timestamp": "2026-05-28 22:01:58,396",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254bf0000"
              },
              {
                "name": "RegionSize",
                "value": "0x000d4000"
              }
            ],
            "repeated": 0,
            "id": 12784
          },
          {
            "timestamp": "2026-05-28 22:01:58,396",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 12785
          },
          {
            "timestamp": "2026-05-28 22:01:58,396",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29254bf0002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\system32\\iphlpsvc.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x0000002a"
              }
            ],
            "repeated": 0,
            "id": 12786
          },
          {
            "timestamp": "2026-05-28 22:01:58,396",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "FindResourceExW",
            "status": true,
            "return": "0x29254cd0860",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29254bf0002"
              },
              {
                "name": "Type",
                "value": "#6"
              },
              {
                "name": "Name",
                "value": "#15"
              },
              {
                "name": "Language",
                "value": "0x00000409"
              }
            ],
            "repeated": 0,
            "id": 12787
          },
          {
            "timestamp": "2026-05-28 22:01:58,396",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "SizeofResource",
            "status": true,
            "return": "0x00000368",
            "arguments": [
              {
                "name": "ModuleHandle",
                "value": "0x29254bf0002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29254cd0860"
              }
            ],
            "repeated": 0,
            "id": 12788
          },
          {
            "timestamp": "2026-05-28 22:01:58,396",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "LoadResource",
            "status": true,
            "return": "0x29254cd4460",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29254bf0002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29254cd0860"
              }
            ],
            "repeated": 0,
            "id": 12789
          },
          {
            "timestamp": "2026-05-28 22:01:58,396",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254cd0000"
              },
              {
                "name": "RegionSize",
                "value": "0x0000d000"
              }
            ],
            "repeated": 0,
            "id": 12790
          },
          {
            "timestamp": "2026-05-28 22:01:58,396",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000008ec"
              }
            ],
            "repeated": 0,
            "id": 12791
          },
          {
            "timestamp": "2026-05-28 22:01:58,396",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254bf0000"
              },
              {
                "name": "RegionSize",
                "value": "0x000d4000"
              }
            ],
            "repeated": 0,
            "id": 12792
          },
          {
            "timestamp": "2026-05-28 22:01:58,396",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 12793
          },
          {
            "timestamp": "2026-05-28 22:01:58,396",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29254bf0002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\system32\\iphlpsvc.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x0000002a"
              }
            ],
            "repeated": 0,
            "id": 12794
          },
          {
            "timestamp": "2026-05-28 22:01:58,396",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "FindResourceExW",
            "status": true,
            "return": "0x29254cd07b0",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29254bf0002"
              },
              {
                "name": "Type",
                "value": "#6"
              },
              {
                "name": "Name",
                "value": "#4"
              },
              {
                "name": "Language",
                "value": "0x00000409"
              }
            ],
            "repeated": 0,
            "id": 12795
          },
          {
            "timestamp": "2026-05-28 22:01:58,396",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "SizeofResource",
            "status": true,
            "return": "0x000003e2",
            "arguments": [
              {
                "name": "ModuleHandle",
                "value": "0x29254bf0002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29254cd07b0"
              }
            ],
            "repeated": 0,
            "id": 12796
          },
          {
            "timestamp": "2026-05-28 22:01:58,396",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "LoadResource",
            "status": true,
            "return": "0x29254cd1360",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29254bf0002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29254cd07b0"
              }
            ],
            "repeated": 0,
            "id": 12797
          },
          {
            "timestamp": "2026-05-28 22:01:58,396",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254cd0000"
              },
              {
                "name": "RegionSize",
                "value": "0x0000d000"
              }
            ],
            "repeated": 0,
            "id": 12798
          },
          {
            "timestamp": "2026-05-28 22:01:58,396",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000008ec"
              }
            ],
            "repeated": 0,
            "id": 12799
          },
          {
            "timestamp": "2026-05-28 22:01:58,396",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254bf0000"
              },
              {
                "name": "RegionSize",
                "value": "0x000d4000"
              }
            ],
            "repeated": 0,
            "id": 12800
          },
          {
            "timestamp": "2026-05-28 22:01:58,396",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 12801
          },
          {
            "timestamp": "2026-05-28 22:01:58,396",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29254bf0002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\system32\\iphlpsvc.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x0000002a"
              }
            ],
            "repeated": 0,
            "id": 12802
          },
          {
            "timestamp": "2026-05-28 22:01:58,396",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "FindResourceExW",
            "status": true,
            "return": "0x29254cd0780",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29254bf0002"
              },
              {
                "name": "Type",
                "value": "#6"
              },
              {
                "name": "Name",
                "value": "#1"
              },
              {
                "name": "Language",
                "value": "0x00000409"
              }
            ],
            "repeated": 0,
            "id": 12803
          },
          {
            "timestamp": "2026-05-28 22:01:58,396",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "SizeofResource",
            "status": true,
            "return": "0x000002de",
            "arguments": [
              {
                "name": "ModuleHandle",
                "value": "0x29254bf0002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29254cd0780"
              }
            ],
            "repeated": 0,
            "id": 12804
          },
          {
            "timestamp": "2026-05-28 22:01:58,396",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "LoadResource",
            "status": true,
            "return": "0x29254cd09b0",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29254bf0002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29254cd0780"
              }
            ],
            "repeated": 0,
            "id": 12805
          },
          {
            "timestamp": "2026-05-28 22:01:58,396",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254cd0000"
              },
              {
                "name": "RegionSize",
                "value": "0x0000d000"
              }
            ],
            "repeated": 0,
            "id": 12806
          },
          {
            "timestamp": "2026-05-28 22:01:58,396",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000008ec"
              }
            ],
            "repeated": 0,
            "id": 12807
          },
          {
            "timestamp": "2026-05-28 22:01:58,396",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254bf0000"
              },
              {
                "name": "RegionSize",
                "value": "0x000d4000"
              }
            ],
            "repeated": 0,
            "id": 12808
          },
          {
            "timestamp": "2026-05-28 22:01:58,396",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 12809
          },
          {
            "timestamp": "2026-05-28 22:01:58,396",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29254bf0002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\system32\\drivers\\dmvsc.sys"
              },
              {
                "name": "dwFlags",
                "value": "0x0000002a"
              }
            ],
            "repeated": 0,
            "id": 12810
          },
          {
            "timestamp": "2026-05-28 22:01:58,396",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "FindResourceExW",
            "status": true,
            "return": "0x29254c10500",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29254bf0002"
              },
              {
                "name": "Type",
                "value": "#6"
              },
              {
                "name": "Name",
                "value": "#1"
              },
              {
                "name": "Language",
                "value": "0x00000409"
              }
            ],
            "repeated": 0,
            "id": 12811
          },
          {
            "timestamp": "2026-05-28 22:01:58,396",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "SizeofResource",
            "status": true,
            "return": "0x000001c4",
            "arguments": [
              {
                "name": "ModuleHandle",
                "value": "0x29254bf0002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29254c10500"
              }
            ],
            "repeated": 0,
            "id": 12812
          },
          {
            "timestamp": "2026-05-28 22:01:58,396",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "LoadResource",
            "status": true,
            "return": "0x29254c105f0",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29254bf0002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29254c10500"
              }
            ],
            "repeated": 0,
            "id": 12813
          },
          {
            "timestamp": "2026-05-28 22:01:58,396",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254c10000"
              },
              {
                "name": "RegionSize",
                "value": "0x00002000"
              }
            ],
            "repeated": 0,
            "id": 12814
          },
          {
            "timestamp": "2026-05-28 22:01:58,396",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000008ec"
              }
            ],
            "repeated": 0,
            "id": 12815
          },
          {
            "timestamp": "2026-05-28 22:01:58,396",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254bf0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00014000"
              }
            ],
            "repeated": 0,
            "id": 12816
          },
          {
            "timestamp": "2026-05-28 22:01:58,396",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 12817
          },
          {
            "timestamp": "2026-05-28 22:01:58,396",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29254bf0002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\system32\\bthserv.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x0000002a"
              }
            ],
            "repeated": 0,
            "id": 12818
          },
          {
            "timestamp": "2026-05-28 22:01:58,396",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "FindResourceExW",
            "status": true,
            "return": "0x29254c30670",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29254bf0002"
              },
              {
                "name": "Type",
                "value": "#6"
              },
              {
                "name": "Name",
                "value": "#69"
              },
              {
                "name": "Language",
                "value": "0x00000409"
              }
            ],
            "repeated": 0,
            "id": 12819
          },
          {
            "timestamp": "2026-05-28 22:01:58,396",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "SizeofResource",
            "status": true,
            "return": "0x000000b2",
            "arguments": [
              {
                "name": "ModuleHandle",
                "value": "0x29254bf0002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29254c30670"
              }
            ],
            "repeated": 0,
            "id": 12820
          },
          {
            "timestamp": "2026-05-28 22:01:58,396",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "LoadResource",
            "status": true,
            "return": "0x29254c30a54",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29254bf0002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29254c30670"
              }
            ],
            "repeated": 0,
            "id": 12821
          },
          {
            "timestamp": "2026-05-28 22:01:58,396",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254c30000"
              },
              {
                "name": "RegionSize",
                "value": "0x00003000"
              }
            ],
            "repeated": 0,
            "id": 12822
          },
          {
            "timestamp": "2026-05-28 22:01:58,396",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000008ec"
              }
            ],
            "repeated": 0,
            "id": 12823
          },
          {
            "timestamp": "2026-05-28 22:01:58,396",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254bf0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00039000"
              }
            ],
            "repeated": 0,
            "id": 12824
          },
          {
            "timestamp": "2026-05-28 22:01:58,396",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 12825
          },
          {
            "timestamp": "2026-05-28 22:01:58,396",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29254bf0002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\system32\\bthserv.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x0000002a"
              }
            ],
            "repeated": 0,
            "id": 12826
          },
          {
            "timestamp": "2026-05-28 22:01:58,396",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "FindResourceExW",
            "status": true,
            "return": "0x29254c306f0",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29254bf0002"
              },
              {
                "name": "Type",
                "value": "#6"
              },
              {
                "name": "Name",
                "value": "#126"
              },
              {
                "name": "Language",
                "value": "0x00000409"
              }
            ],
            "repeated": 0,
            "id": 12827
          },
          {
            "timestamp": "2026-05-28 22:01:58,396",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "SizeofResource",
            "status": true,
            "return": "0x000002ec",
            "arguments": [
              {
                "name": "ModuleHandle",
                "value": "0x29254bf0002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29254c306f0"
              }
            ],
            "repeated": 0,
            "id": 12828
          },
          {
            "timestamp": "2026-05-28 22:01:58,396",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "LoadResource",
            "status": true,
            "return": "0x29254c319f8",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29254bf0002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29254c306f0"
              }
            ],
            "repeated": 0,
            "id": 12829
          },
          {
            "timestamp": "2026-05-28 22:01:58,396",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254c30000"
              },
              {
                "name": "RegionSize",
                "value": "0x00003000"
              }
            ],
            "repeated": 0,
            "id": 12830
          },
          {
            "timestamp": "2026-05-28 22:01:58,396",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000008ec"
              }
            ],
            "repeated": 0,
            "id": 12831
          },
          {
            "timestamp": "2026-05-28 22:01:58,396",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254bf0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00039000"
              }
            ],
            "repeated": 0,
            "id": 12832
          },
          {
            "timestamp": "2026-05-28 22:01:58,396",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 12833
          },
          {
            "timestamp": "2026-05-28 22:01:58,396",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": false,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\system32\\drivers\\vmbusr.sys"
              },
              {
                "name": "dwFlags",
                "value": "0x0000002a"
              }
            ],
            "repeated": 0,
            "id": 12834
          },
          {
            "timestamp": "2026-05-28 22:01:58,396",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 12835
          },
          {
            "timestamp": "2026-05-28 22:01:58,396",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": false,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\system32\\drivers\\vmbusr.sys"
              },
              {
                "name": "dwFlags",
                "value": "0x0000002a"
              }
            ],
            "repeated": 0,
            "id": 12836
          },
          {
            "timestamp": "2026-05-28 22:01:58,396",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 12837
          },
          {
            "timestamp": "2026-05-28 22:01:58,396",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": false,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\system32\\drivers\\vmbusr.sys"
              },
              {
                "name": "dwFlags",
                "value": "0x0000002a"
              }
            ],
            "repeated": 0,
            "id": 12838
          },
          {
            "timestamp": "2026-05-28 22:01:58,396",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 12839
          },
          {
            "timestamp": "2026-05-28 22:01:58,396",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": false,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\system32\\drivers\\vmbusr.sys"
              },
              {
                "name": "dwFlags",
                "value": "0x0000002a"
              }
            ],
            "repeated": 0,
            "id": 12840
          },
          {
            "timestamp": "2026-05-28 22:01:58,396",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 12841
          },
          {
            "timestamp": "2026-05-28 22:01:58,396",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": false,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\system32\\drivers\\vmbusr.sys"
              },
              {
                "name": "dwFlags",
                "value": "0x0000002a"
              }
            ],
            "repeated": 0,
            "id": 12842
          },
          {
            "timestamp": "2026-05-28 22:01:58,396",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 12843
          },
          {
            "timestamp": "2026-05-28 22:01:58,396",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": false,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\system32\\drivers\\vmbusr.sys"
              },
              {
                "name": "dwFlags",
                "value": "0x0000002a"
              }
            ],
            "repeated": 0,
            "id": 12844
          },
          {
            "timestamp": "2026-05-28 22:01:58,396",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 12845
          },
          {
            "timestamp": "2026-05-28 22:01:58,396",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": false,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\system32\\drivers\\vmbusr.sys"
              },
              {
                "name": "dwFlags",
                "value": "0x0000002a"
              }
            ],
            "repeated": 0,
            "id": 12846
          },
          {
            "timestamp": "2026-05-28 22:01:58,396",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 12847
          },
          {
            "timestamp": "2026-05-28 22:01:58,396",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29254bf0002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\ServiceModelPerformanceCounters.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x0000002a"
              }
            ],
            "repeated": 0,
            "id": 12848
          },
          {
            "timestamp": "2026-05-28 22:01:58,396",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "FindResourceExW",
            "status": true,
            "return": "0x29254c10508",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29254bf0002"
              },
              {
                "name": "Type",
                "value": "#6"
              },
              {
                "name": "Name",
                "value": "#1"
              },
              {
                "name": "Language",
                "value": "0x00000409"
              }
            ],
            "repeated": 0,
            "id": 12849
          },
          {
            "timestamp": "2026-05-28 22:01:58,396",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "SizeofResource",
            "status": true,
            "return": "0x000003aa",
            "arguments": [
              {
                "name": "ModuleHandle",
                "value": "0x29254bf0002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29254c10508"
              }
            ],
            "repeated": 0,
            "id": 12850
          },
          {
            "timestamp": "2026-05-28 22:01:58,396",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "LoadResource",
            "status": true,
            "return": "0x29254c10700",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29254bf0002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29254c10508"
              }
            ],
            "repeated": 0,
            "id": 12851
          },
          {
            "timestamp": "2026-05-28 22:01:58,396",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254c10000"
              },
              {
                "name": "RegionSize",
                "value": "0x0000c000"
              }
            ],
            "repeated": 0,
            "id": 12852
          },
          {
            "timestamp": "2026-05-28 22:01:58,396",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000008ec"
              }
            ],
            "repeated": 0,
            "id": 12853
          },
          {
            "timestamp": "2026-05-28 22:01:58,396",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254bf0000"
              },
              {
                "name": "RegionSize",
                "value": "0x0001a000"
              }
            ],
            "repeated": 0,
            "id": 12854
          },
          {
            "timestamp": "2026-05-28 22:01:58,396",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 12855
          },
          {
            "timestamp": "2026-05-28 22:01:58,396",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29254bf0002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\ServiceModelPerformanceCounters.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x0000002a"
              }
            ],
            "repeated": 0,
            "id": 12856
          },
          {
            "timestamp": "2026-05-28 22:01:58,396",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "FindResourceExW",
            "status": true,
            "return": "0x29254c105f8",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29254bf0002"
              },
              {
                "name": "Type",
                "value": "#6"
              },
              {
                "name": "Name",
                "value": "#16"
              },
              {
                "name": "Language",
                "value": "0x00000409"
              }
            ],
            "repeated": 0,
            "id": 12857
          },
          {
            "timestamp": "2026-05-28 22:01:58,396",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "SizeofResource",
            "status": true,
            "return": "0x000003c8",
            "arguments": [
              {
                "name": "ModuleHandle",
                "value": "0x29254bf0002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29254c105f8"
              }
            ],
            "repeated": 0,
            "id": 12858
          },
          {
            "timestamp": "2026-05-28 22:01:58,396",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "LoadResource",
            "status": true,
            "return": "0x29254c15f78",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29254bf0002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29254c105f8"
              }
            ],
            "repeated": 0,
            "id": 12859
          },
          {
            "timestamp": "2026-05-28 22:01:58,396",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254c10000"
              },
              {
                "name": "RegionSize",
                "value": "0x0000c000"
              }
            ],
            "repeated": 0,
            "id": 12860
          },
          {
            "timestamp": "2026-05-28 22:01:58,396",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000008ec"
              }
            ],
            "repeated": 0,
            "id": 12861
          },
          {
            "timestamp": "2026-05-28 22:01:58,396",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254bf0000"
              },
              {
                "name": "RegionSize",
                "value": "0x0001a000"
              }
            ],
            "repeated": 0,
            "id": 12862
          },
          {
            "timestamp": "2026-05-28 22:01:58,396",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 12863
          },
          {
            "timestamp": "2026-05-28 22:01:58,396",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29254bf0002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\ServiceModelPerformanceCounters.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x0000002a"
              }
            ],
            "repeated": 0,
            "id": 12864
          },
          {
            "timestamp": "2026-05-28 22:01:58,396",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "FindResourceExW",
            "status": true,
            "return": "0x29254c105a8",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29254bf0002"
              },
              {
                "name": "Type",
                "value": "#6"
              },
              {
                "name": "Name",
                "value": "#11"
              },
              {
                "name": "Language",
                "value": "0x00000409"
              }
            ],
            "repeated": 0,
            "id": 12865
          },
          {
            "timestamp": "2026-05-28 22:01:58,396",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "SizeofResource",
            "status": true,
            "return": "0x000003b6",
            "arguments": [
              {
                "name": "ModuleHandle",
                "value": "0x29254bf0002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29254c105a8"
              }
            ],
            "repeated": 0,
            "id": 12866
          },
          {
            "timestamp": "2026-05-28 22:01:58,396",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "LoadResource",
            "status": true,
            "return": "0x29254c14350",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29254bf0002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29254c105a8"
              }
            ],
            "repeated": 0,
            "id": 12867
          },
          {
            "timestamp": "2026-05-28 22:01:58,396",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254c10000"
              },
              {
                "name": "RegionSize",
                "value": "0x0000c000"
              }
            ],
            "repeated": 0,
            "id": 12868
          },
          {
            "timestamp": "2026-05-28 22:01:58,396",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000008ec"
              }
            ],
            "repeated": 0,
            "id": 12869
          },
          {
            "timestamp": "2026-05-28 22:01:58,396",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254bf0000"
              },
              {
                "name": "RegionSize",
                "value": "0x0001a000"
              }
            ],
            "repeated": 0,
            "id": 12870
          },
          {
            "timestamp": "2026-05-28 22:01:58,396",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 12871
          },
          {
            "timestamp": "2026-05-28 22:01:58,396",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29254bf0002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\system32\\umpoext.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x0000002a"
              }
            ],
            "repeated": 0,
            "id": 12872
          },
          {
            "timestamp": "2026-05-28 22:01:58,396",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "FindResourceExW",
            "status": true,
            "return": "0x29254c20560",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29254bf0002"
              },
              {
                "name": "Type",
                "value": "#6"
              },
              {
                "name": "Name",
                "value": "#1"
              },
              {
                "name": "Language",
                "value": "0x00000409"
              }
            ],
            "repeated": 0,
            "id": 12873
          },
          {
            "timestamp": "2026-05-28 22:01:58,396",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "SizeofResource",
            "status": true,
            "return": "0x000002e6",
            "arguments": [
              {
                "name": "ModuleHandle",
                "value": "0x29254bf0002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29254c20560"
              }
            ],
            "repeated": 0,
            "id": 12874
          },
          {
            "timestamp": "2026-05-28 22:01:58,396",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "LoadResource",
            "status": true,
            "return": "0x29254c20680",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29254bf0002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29254c20560"
              }
            ],
            "repeated": 0,
            "id": 12875
          },
          {
            "timestamp": "2026-05-28 22:01:58,396",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254c20000"
              },
              {
                "name": "RegionSize",
                "value": "0x00002000"
              }
            ],
            "repeated": 0,
            "id": 12876
          },
          {
            "timestamp": "2026-05-28 22:01:58,396",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000008ec"
              }
            ],
            "repeated": 0,
            "id": 12877
          },
          {
            "timestamp": "2026-05-28 22:01:58,396",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254bf0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00030000"
              }
            ],
            "repeated": 0,
            "id": 12878
          },
          {
            "timestamp": "2026-05-28 22:01:58,396",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 12879
          },
          {
            "timestamp": "2026-05-28 22:01:58,396",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29254bf0002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\system32\\umpoext.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x0000002a"
              }
            ],
            "repeated": 0,
            "id": 12880
          },
          {
            "timestamp": "2026-05-28 22:01:58,396",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "FindResourceExW",
            "status": true,
            "return": "0x29254c20560",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29254bf0002"
              },
              {
                "name": "Type",
                "value": "#6"
              },
              {
                "name": "Name",
                "value": "#1"
              },
              {
                "name": "Language",
                "value": "0x00000409"
              }
            ],
            "repeated": 0,
            "id": 12881
          },
          {
            "timestamp": "2026-05-28 22:01:58,396",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "SizeofResource",
            "status": true,
            "return": "0x000002e6",
            "arguments": [
              {
                "name": "ModuleHandle",
                "value": "0x29254bf0002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29254c20560"
              }
            ],
            "repeated": 0,
            "id": 12882
          },
          {
            "timestamp": "2026-05-28 22:01:58,396",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "LoadResource",
            "status": true,
            "return": "0x29254c20680",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29254bf0002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29254c20560"
              }
            ],
            "repeated": 0,
            "id": 12883
          },
          {
            "timestamp": "2026-05-28 22:01:58,396",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254c20000"
              },
              {
                "name": "RegionSize",
                "value": "0x00002000"
              }
            ],
            "repeated": 0,
            "id": 12884
          },
          {
            "timestamp": "2026-05-28 22:01:58,396",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000008ec"
              }
            ],
            "repeated": 0,
            "id": 12885
          },
          {
            "timestamp": "2026-05-28 22:01:58,396",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254bf0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00030000"
              }
            ],
            "repeated": 0,
            "id": 12886
          },
          {
            "timestamp": "2026-05-28 22:01:58,396",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 12887
          },
          {
            "timestamp": "2026-05-28 22:01:58,396",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29254bf0002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\system32\\drivers\\tcpip.sys"
              },
              {
                "name": "dwFlags",
                "value": "0x0000002a"
              }
            ],
            "repeated": 0,
            "id": 12888
          },
          {
            "timestamp": "2026-05-28 22:01:58,396",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "FindResourceExW",
            "status": true,
            "return": "0x29254ee0750",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29254bf0002"
              },
              {
                "name": "Type",
                "value": "#6"
              },
              {
                "name": "Name",
                "value": "#13"
              },
              {
                "name": "Language",
                "value": "0x00000409"
              }
            ],
            "repeated": 0,
            "id": 12889
          },
          {
            "timestamp": "2026-05-28 22:01:58,396",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "SizeofResource",
            "status": true,
            "return": "0x00000246",
            "arguments": [
              {
                "name": "ModuleHandle",
                "value": "0x29254bf0002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29254ee0750"
              }
            ],
            "repeated": 0,
            "id": 12890
          },
          {
            "timestamp": "2026-05-28 22:01:58,396",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "LoadResource",
            "status": true,
            "return": "0x29254ee2cc4",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29254bf0002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29254ee0750"
              }
            ],
            "repeated": 0,
            "id": 12891
          },
          {
            "timestamp": "2026-05-28 22:01:58,396",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254ee0000"
              },
              {
                "name": "RegionSize",
                "value": "0x0002a000"
              }
            ],
            "repeated": 0,
            "id": 12892
          },
          {
            "timestamp": "2026-05-28 22:01:58,396",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000008ec"
              }
            ],
            "repeated": 0,
            "id": 12893
          },
          {
            "timestamp": "2026-05-28 22:01:58,396",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254bf0000"
              },
              {
                "name": "RegionSize",
                "value": "0x002ed000"
              }
            ],
            "repeated": 0,
            "id": 12894
          },
          {
            "timestamp": "2026-05-28 22:01:58,396",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 12895
          },
          {
            "timestamp": "2026-05-28 22:01:58,396",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29254bf0002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\system32\\drivers\\tcpip.sys"
              },
              {
                "name": "dwFlags",
                "value": "0x0000002a"
              }
            ],
            "repeated": 0,
            "id": 12896
          },
          {
            "timestamp": "2026-05-28 22:01:58,396",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "FindResourceExW",
            "status": true,
            "return": "0x29254ee06e0",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29254bf0002"
              },
              {
                "name": "Type",
                "value": "#6"
              },
              {
                "name": "Name",
                "value": "#1"
              },
              {
                "name": "Language",
                "value": "0x00000409"
              }
            ],
            "repeated": 0,
            "id": 12897
          },
          {
            "timestamp": "2026-05-28 22:01:58,396",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "SizeofResource",
            "status": true,
            "return": "0x0000012e",
            "arguments": [
              {
                "name": "ModuleHandle",
                "value": "0x29254bf0002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29254ee06e0"
              }
            ],
            "repeated": 0,
            "id": 12898
          },
          {
            "timestamp": "2026-05-28 22:01:58,396",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "LoadResource",
            "status": true,
            "return": "0x29254ee08c0",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29254bf0002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29254ee06e0"
              }
            ],
            "repeated": 0,
            "id": 12899
          },
          {
            "timestamp": "2026-05-28 22:01:58,396",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254ee0000"
              },
              {
                "name": "RegionSize",
                "value": "0x0002a000"
              }
            ],
            "repeated": 0,
            "id": 12900
          },
          {
            "timestamp": "2026-05-28 22:01:58,396",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000008ec"
              }
            ],
            "repeated": 0,
            "id": 12901
          },
          {
            "timestamp": "2026-05-28 22:01:58,396",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254bf0000"
              },
              {
                "name": "RegionSize",
                "value": "0x002ed000"
              }
            ],
            "repeated": 0,
            "id": 12902
          },
          {
            "timestamp": "2026-05-28 22:01:58,396",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 12903
          },
          {
            "timestamp": "2026-05-28 22:01:58,396",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29254bf0002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\system32\\drivers\\winnat.sys"
              },
              {
                "name": "dwFlags",
                "value": "0x0000002a"
              }
            ],
            "repeated": 0,
            "id": 12904
          },
          {
            "timestamp": "2026-05-28 22:01:58,396",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "FindResourceExW",
            "status": true,
            "return": "0x29254c406c0",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29254bf0002"
              },
              {
                "name": "Type",
                "value": "#6"
              },
              {
                "name": "Name",
                "value": "#5"
              },
              {
                "name": "Language",
                "value": "0x00000409"
              }
            ],
            "repeated": 0,
            "id": 12905
          },
          {
            "timestamp": "2026-05-28 22:01:58,396",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "SizeofResource",
            "status": true,
            "return": "0x00000282",
            "arguments": [
              {
                "name": "ModuleHandle",
                "value": "0x29254bf0002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29254c406c0"
              }
            ],
            "repeated": 0,
            "id": 12906
          },
          {
            "timestamp": "2026-05-28 22:01:58,396",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "LoadResource",
            "status": true,
            "return": "0x29254c411e8",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29254bf0002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29254c406c0"
              }
            ],
            "repeated": 0,
            "id": 12907
          },
          {
            "timestamp": "2026-05-28 22:01:58,396",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254c40000"
              },
              {
                "name": "RegionSize",
                "value": "0x00007000"
              }
            ],
            "repeated": 0,
            "id": 12908
          },
          {
            "timestamp": "2026-05-28 22:01:58,396",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000008ec"
              }
            ],
            "repeated": 0,
            "id": 12909
          },
          {
            "timestamp": "2026-05-28 22:01:58,396",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254bf0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00048000"
              }
            ],
            "repeated": 0,
            "id": 12910
          },
          {
            "timestamp": "2026-05-28 22:01:58,396",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 12911
          },
          {
            "timestamp": "2026-05-28 22:01:58,396",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29254bf0002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\system32\\drivers\\winnat.sys"
              },
              {
                "name": "dwFlags",
                "value": "0x0000002a"
              }
            ],
            "repeated": 0,
            "id": 12912
          },
          {
            "timestamp": "2026-05-28 22:01:58,396",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "FindResourceExW",
            "status": true,
            "return": "0x29254c40720",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29254bf0002"
              },
              {
                "name": "Type",
                "value": "#6"
              },
              {
                "name": "Name",
                "value": "#11"
              },
              {
                "name": "Language",
                "value": "0x00000409"
              }
            ],
            "repeated": 0,
            "id": 12913
          },
          {
            "timestamp": "2026-05-28 22:01:58,396",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "SizeofResource",
            "status": true,
            "return": "0x000002ee",
            "arguments": [
              {
                "name": "ModuleHandle",
                "value": "0x29254bf0002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29254c40720"
              }
            ],
            "repeated": 0,
            "id": 12914
          },
          {
            "timestamp": "2026-05-28 22:01:58,396",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "LoadResource",
            "status": true,
            "return": "0x29254c425dc",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29254bf0002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29254c40720"
              }
            ],
            "repeated": 0,
            "id": 12915
          },
          {
            "timestamp": "2026-05-28 22:01:58,396",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254c40000"
              },
              {
                "name": "RegionSize",
                "value": "0x00007000"
              }
            ],
            "repeated": 0,
            "id": 12916
          },
          {
            "timestamp": "2026-05-28 22:01:58,396",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000008ec"
              }
            ],
            "repeated": 0,
            "id": 12917
          },
          {
            "timestamp": "2026-05-28 22:01:58,396",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254bf0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00048000"
              }
            ],
            "repeated": 0,
            "id": 12918
          },
          {
            "timestamp": "2026-05-28 22:01:58,396",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 12919
          },
          {
            "timestamp": "2026-05-28 22:01:58,396",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29254bf0002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\system32\\drivers\\winnat.sys"
              },
              {
                "name": "dwFlags",
                "value": "0x0000002a"
              }
            ],
            "repeated": 0,
            "id": 12920
          },
          {
            "timestamp": "2026-05-28 22:01:58,396",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "FindResourceExW",
            "status": true,
            "return": "0x29254c40680",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29254bf0002"
              },
              {
                "name": "Type",
                "value": "#6"
              },
              {
                "name": "Name",
                "value": "#1"
              },
              {
                "name": "Language",
                "value": "0x00000409"
              }
            ],
            "repeated": 0,
            "id": 12921
          },
          {
            "timestamp": "2026-05-28 22:01:58,396",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "SizeofResource",
            "status": true,
            "return": "0x0000027c",
            "arguments": [
              {
                "name": "ModuleHandle",
                "value": "0x29254bf0002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29254c40680"
              }
            ],
            "repeated": 0,
            "id": 12922
          },
          {
            "timestamp": "2026-05-28 22:01:58,396",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "LoadResource",
            "status": true,
            "return": "0x29254c40830",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29254bf0002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29254c40680"
              }
            ],
            "repeated": 0,
            "id": 12923
          },
          {
            "timestamp": "2026-05-28 22:01:58,396",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254c40000"
              },
              {
                "name": "RegionSize",
                "value": "0x00007000"
              }
            ],
            "repeated": 0,
            "id": 12924
          },
          {
            "timestamp": "2026-05-28 22:01:58,396",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000008ec"
              }
            ],
            "repeated": 0,
            "id": 12925
          },
          {
            "timestamp": "2026-05-28 22:01:58,396",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254bf0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00048000"
              }
            ],
            "repeated": 0,
            "id": 12926
          },
          {
            "timestamp": "2026-05-28 22:01:58,396",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 12927
          },
          {
            "timestamp": "2026-05-28 22:01:58,396",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29254bf0002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\system32\\drivers\\winnat.sys"
              },
              {
                "name": "dwFlags",
                "value": "0x0000002a"
              }
            ],
            "repeated": 0,
            "id": 12928
          },
          {
            "timestamp": "2026-05-28 22:01:58,396",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "FindResourceExW",
            "status": true,
            "return": "0x29254c406e0",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29254bf0002"
              },
              {
                "name": "Type",
                "value": "#6"
              },
              {
                "name": "Name",
                "value": "#7"
              },
              {
                "name": "Language",
                "value": "0x00000409"
              }
            ],
            "repeated": 0,
            "id": 12929
          },
          {
            "timestamp": "2026-05-28 22:01:58,396",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "SizeofResource",
            "status": true,
            "return": "0x000002e0",
            "arguments": [
              {
                "name": "ModuleHandle",
                "value": "0x29254bf0002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29254c406e0"
              }
            ],
            "repeated": 0,
            "id": 12930
          },
          {
            "timestamp": "2026-05-28 22:01:58,396",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "LoadResource",
            "status": true,
            "return": "0x29254c41700",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29254bf0002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29254c406e0"
              }
            ],
            "repeated": 0,
            "id": 12931
          },
          {
            "timestamp": "2026-05-28 22:01:58,396",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254c40000"
              },
              {
                "name": "RegionSize",
                "value": "0x00007000"
              }
            ],
            "repeated": 0,
            "id": 12932
          },
          {
            "timestamp": "2026-05-28 22:01:58,396",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000008ec"
              }
            ],
            "repeated": 0,
            "id": 12933
          },
          {
            "timestamp": "2026-05-28 22:01:58,396",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254bf0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00048000"
              }
            ],
            "repeated": 0,
            "id": 12934
          },
          {
            "timestamp": "2026-05-28 22:01:58,396",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 12935
          },
          {
            "timestamp": "2026-05-28 22:01:58,396",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29254bf0002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\system32\\drivers\\winnat.sys"
              },
              {
                "name": "dwFlags",
                "value": "0x0000002a"
              }
            ],
            "repeated": 0,
            "id": 12936
          },
          {
            "timestamp": "2026-05-28 22:01:58,396",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "FindResourceExW",
            "status": true,
            "return": "0x29254c406e0",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29254bf0002"
              },
              {
                "name": "Type",
                "value": "#6"
              },
              {
                "name": "Name",
                "value": "#7"
              },
              {
                "name": "Language",
                "value": "0x00000409"
              }
            ],
            "repeated": 0,
            "id": 12937
          },
          {
            "timestamp": "2026-05-28 22:01:58,396",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "SizeofResource",
            "status": true,
            "return": "0x000002e0",
            "arguments": [
              {
                "name": "ModuleHandle",
                "value": "0x29254bf0002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29254c406e0"
              }
            ],
            "repeated": 0,
            "id": 12938
          },
          {
            "timestamp": "2026-05-28 22:01:58,396",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "LoadResource",
            "status": true,
            "return": "0x29254c41700",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29254bf0002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29254c406e0"
              }
            ],
            "repeated": 0,
            "id": 12939
          },
          {
            "timestamp": "2026-05-28 22:01:58,396",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254c40000"
              },
              {
                "name": "RegionSize",
                "value": "0x00007000"
              }
            ],
            "repeated": 0,
            "id": 12940
          },
          {
            "timestamp": "2026-05-28 22:01:58,396",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000008ec"
              }
            ],
            "repeated": 0,
            "id": 12941
          },
          {
            "timestamp": "2026-05-28 22:01:58,396",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254bf0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00048000"
              }
            ],
            "repeated": 0,
            "id": 12942
          },
          {
            "timestamp": "2026-05-28 22:01:58,396",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 12943
          },
          {
            "timestamp": "2026-05-28 22:01:58,396",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29254bf0002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\system32\\drivers\\http.sys"
              },
              {
                "name": "dwFlags",
                "value": "0x0000002a"
              }
            ],
            "repeated": 0,
            "id": 12944
          },
          {
            "timestamp": "2026-05-28 22:01:58,396",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "FindResourceExW",
            "status": true,
            "return": "0x29254d80648",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29254bf0002"
              },
              {
                "name": "Type",
                "value": "#6"
              },
              {
                "name": "Name",
                "value": "#5"
              },
              {
                "name": "Language",
                "value": "0x00000409"
              }
            ],
            "repeated": 0,
            "id": 12945
          },
          {
            "timestamp": "2026-05-28 22:01:58,396",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "SizeofResource",
            "status": true,
            "return": "0x00000258",
            "arguments": [
              {
                "name": "ModuleHandle",
                "value": "0x29254bf0002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29254d80648"
              }
            ],
            "repeated": 0,
            "id": 12946
          },
          {
            "timestamp": "2026-05-28 22:01:58,396",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "LoadResource",
            "status": true,
            "return": "0x29254d81df0",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29254bf0002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29254d80648"
              }
            ],
            "repeated": 0,
            "id": 12947
          },
          {
            "timestamp": "2026-05-28 22:01:58,396",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254d80000"
              },
              {
                "name": "RegionSize",
                "value": "0x0000b000"
              }
            ],
            "repeated": 0,
            "id": 12948
          },
          {
            "timestamp": "2026-05-28 22:01:58,396",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000008ec"
              }
            ],
            "repeated": 0,
            "id": 12949
          },
          {
            "timestamp": "2026-05-28 22:01:58,396",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254bf0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00188000"
              }
            ],
            "repeated": 0,
            "id": 12950
          },
          {
            "timestamp": "2026-05-28 22:01:58,396",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 12951
          },
          {
            "timestamp": "2026-05-28 22:01:58,396",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29254bf0002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\system32\\drivers\\http.sys"
              },
              {
                "name": "dwFlags",
                "value": "0x0000002a"
              }
            ],
            "repeated": 0,
            "id": 12952
          },
          {
            "timestamp": "2026-05-28 22:01:58,396",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "FindResourceExW",
            "status": true,
            "return": "0x29254d80618",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29254bf0002"
              },
              {
                "name": "Type",
                "value": "#6"
              },
              {
                "name": "Name",
                "value": "#2"
              },
              {
                "name": "Language",
                "value": "0x00000409"
              }
            ],
            "repeated": 0,
            "id": 12953
          },
          {
            "timestamp": "2026-05-28 22:01:58,396",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "SizeofResource",
            "status": true,
            "return": "0x0000034a",
            "arguments": [
              {
                "name": "ModuleHandle",
                "value": "0x29254bf0002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29254d80618"
              }
            ],
            "repeated": 0,
            "id": 12954
          },
          {
            "timestamp": "2026-05-28 22:01:58,396",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "LoadResource",
            "status": true,
            "return": "0x29254d814b8",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29254bf0002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29254d80618"
              }
            ],
            "repeated": 0,
            "id": 12955
          },
          {
            "timestamp": "2026-05-28 22:01:58,396",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254d80000"
              },
              {
                "name": "RegionSize",
                "value": "0x0000b000"
              }
            ],
            "repeated": 0,
            "id": 12956
          },
          {
            "timestamp": "2026-05-28 22:01:58,396",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000008ec"
              }
            ],
            "repeated": 0,
            "id": 12957
          },
          {
            "timestamp": "2026-05-28 22:01:58,396",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254bf0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00188000"
              }
            ],
            "repeated": 0,
            "id": 12958
          },
          {
            "timestamp": "2026-05-28 22:01:58,396",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 12959
          },
          {
            "timestamp": "2026-05-28 22:01:58,396",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29254bf0002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\system32\\drivers\\http.sys"
              },
              {
                "name": "dwFlags",
                "value": "0x0000002a"
              }
            ],
            "repeated": 0,
            "id": 12960
          },
          {
            "timestamp": "2026-05-28 22:01:58,396",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "FindResourceExW",
            "status": true,
            "return": "0x29254d80608",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29254bf0002"
              },
              {
                "name": "Type",
                "value": "#6"
              },
              {
                "name": "Name",
                "value": "#1"
              },
              {
                "name": "Language",
                "value": "0x00000409"
              }
            ],
            "repeated": 0,
            "id": 12961
          },
          {
            "timestamp": "2026-05-28 22:01:58,396",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "SizeofResource",
            "status": true,
            "return": "0x0000028e",
            "arguments": [
              {
                "name": "ModuleHandle",
                "value": "0x29254bf0002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29254d80608"
              }
            ],
            "repeated": 0,
            "id": 12962
          },
          {
            "timestamp": "2026-05-28 22:01:58,396",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "LoadResource",
            "status": true,
            "return": "0x29254d81228",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29254bf0002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29254d80608"
              }
            ],
            "repeated": 0,
            "id": 12963
          },
          {
            "timestamp": "2026-05-28 22:01:58,396",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254d80000"
              },
              {
                "name": "RegionSize",
                "value": "0x0000b000"
              }
            ],
            "repeated": 0,
            "id": 12964
          },
          {
            "timestamp": "2026-05-28 22:01:58,396",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000008ec"
              }
            ],
            "repeated": 0,
            "id": 12965
          },
          {
            "timestamp": "2026-05-28 22:01:58,396",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254bf0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00188000"
              }
            ],
            "repeated": 0,
            "id": 12966
          },
          {
            "timestamp": "2026-05-28 22:01:58,396",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 12967
          },
          {
            "timestamp": "2026-05-28 22:01:58,396",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29254bf0002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\PSEvents.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x0000002a"
              }
            ],
            "repeated": 0,
            "id": 12968
          },
          {
            "timestamp": "2026-05-28 22:01:58,396",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "FindResourceExW",
            "status": true,
            "return": "0x29254c005e0",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29254bf0002"
              },
              {
                "name": "Type",
                "value": "#6"
              },
              {
                "name": "Name",
                "value": "#1"
              },
              {
                "name": "Language",
                "value": "0x00000409"
              }
            ],
            "repeated": 0,
            "id": 12969
          },
          {
            "timestamp": "2026-05-28 22:01:58,396",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "SizeofResource",
            "status": true,
            "return": "0x0000066a",
            "arguments": [
              {
                "name": "ModuleHandle",
                "value": "0x29254bf0002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29254c005e0"
              }
            ],
            "repeated": 0,
            "id": 12970
          },
          {
            "timestamp": "2026-05-28 22:01:58,396",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "LoadResource",
            "status": true,
            "return": "0x29254c00740",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29254bf0002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29254c005e0"
              }
            ],
            "repeated": 0,
            "id": 12971
          },
          {
            "timestamp": "2026-05-28 22:01:58,396",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254c00000"
              },
              {
                "name": "RegionSize",
                "value": "0x0000e000"
              }
            ],
            "repeated": 0,
            "id": 12972
          },
          {
            "timestamp": "2026-05-28 22:01:58,396",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000008ec"
              }
            ],
            "repeated": 0,
            "id": 12973
          },
          {
            "timestamp": "2026-05-28 22:01:58,396",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254bf0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              }
            ],
            "repeated": 0,
            "id": 12974
          },
          {
            "timestamp": "2026-05-28 22:01:58,396",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 12975
          },
          {
            "timestamp": "2026-05-28 22:01:58,396",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29254bf0002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\system32\\drivers\\dxgmms2.sys"
              },
              {
                "name": "dwFlags",
                "value": "0x0000002a"
              }
            ],
            "repeated": 0,
            "id": 12976
          },
          {
            "timestamp": "2026-05-28 22:01:58,396",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "FindResourceExW",
            "status": true,
            "return": "0x29254cc9178",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29254bf0002"
              },
              {
                "name": "Type",
                "value": "#6"
              },
              {
                "name": "Name",
                "value": "#627"
              },
              {
                "name": "Language",
                "value": "0x00000409"
              }
            ],
            "repeated": 0,
            "id": 12977
          },
          {
            "timestamp": "2026-05-28 22:01:58,396",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "SizeofResource",
            "status": true,
            "return": "0x00000254",
            "arguments": [
              {
                "name": "ModuleHandle",
                "value": "0x29254bf0002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29254cc9178"
              }
            ],
            "repeated": 0,
            "id": 12978
          },
          {
            "timestamp": "2026-05-28 22:01:58,396",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "LoadResource",
            "status": true,
            "return": "0x29254cc9738",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29254bf0002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29254cc9178"
              }
            ],
            "repeated": 0,
            "id": 12979
          },
          {
            "timestamp": "2026-05-28 22:01:58,396",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254bf0000"
              },
              {
                "name": "RegionSize",
                "value": "0x000e1000"
              }
            ],
            "repeated": 0,
            "id": 12980
          },
          {
            "timestamp": "2026-05-28 22:01:58,396",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 12981
          },
          {
            "timestamp": "2026-05-28 22:01:58,396",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29254bf0002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\system32\\drivers\\dxgmms2.sys"
              },
              {
                "name": "dwFlags",
                "value": "0x0000002a"
              }
            ],
            "repeated": 0,
            "id": 12982
          },
          {
            "timestamp": "2026-05-28 22:01:58,396",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "FindResourceExW",
            "status": true,
            "return": "0x29254cc9168",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29254bf0002"
              },
              {
                "name": "Type",
                "value": "#6"
              },
              {
                "name": "Name",
                "value": "#626"
              },
              {
                "name": "Language",
                "value": "0x00000409"
              }
            ],
            "repeated": 0,
            "id": 12983
          },
          {
            "timestamp": "2026-05-28 22:01:58,396",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "SizeofResource",
            "status": true,
            "return": "0x000001bc",
            "arguments": [
              {
                "name": "ModuleHandle",
                "value": "0x29254bf0002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29254cc9168"
              }
            ],
            "repeated": 0,
            "id": 12984
          },
          {
            "timestamp": "2026-05-28 22:01:58,396",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "LoadResource",
            "status": true,
            "return": "0x29254cc9578",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29254bf0002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29254cc9168"
              }
            ],
            "repeated": 0,
            "id": 12985
          },
          {
            "timestamp": "2026-05-28 22:01:58,396",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254bf0000"
              },
              {
                "name": "RegionSize",
                "value": "0x000e1000"
              }
            ],
            "repeated": 0,
            "id": 12986
          },
          {
            "timestamp": "2026-05-28 22:01:58,396",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 12987
          },
          {
            "timestamp": "2026-05-28 22:01:58,396",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29254bf0002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\system32\\drivers\\dxgmms2.sys"
              },
              {
                "name": "dwFlags",
                "value": "0x0000002a"
              }
            ],
            "repeated": 0,
            "id": 12988
          },
          {
            "timestamp": "2026-05-28 22:01:58,396",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "FindResourceExW",
            "status": true,
            "return": "0x29254cc9178",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29254bf0002"
              },
              {
                "name": "Type",
                "value": "#6"
              },
              {
                "name": "Name",
                "value": "#627"
              },
              {
                "name": "Language",
                "value": "0x00000409"
              }
            ],
            "repeated": 0,
            "id": 12989
          },
          {
            "timestamp": "2026-05-28 22:01:58,396",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "SizeofResource",
            "status": true,
            "return": "0x00000254",
            "arguments": [
              {
                "name": "ModuleHandle",
                "value": "0x29254bf0002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29254cc9178"
              }
            ],
            "repeated": 0,
            "id": 12990
          },
          {
            "timestamp": "2026-05-28 22:01:58,396",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "LoadResource",
            "status": true,
            "return": "0x29254cc9738",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29254bf0002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29254cc9178"
              }
            ],
            "repeated": 0,
            "id": 12991
          },
          {
            "timestamp": "2026-05-28 22:01:58,396",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254bf0000"
              },
              {
                "name": "RegionSize",
                "value": "0x000e1000"
              }
            ],
            "repeated": 0,
            "id": 12992
          },
          {
            "timestamp": "2026-05-28 22:01:58,396",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 12993
          },
          {
            "timestamp": "2026-05-28 22:01:58,396",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29254bf0002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\system32\\drivers\\dxgmms2.sys"
              },
              {
                "name": "dwFlags",
                "value": "0x0000002a"
              }
            ],
            "repeated": 0,
            "id": 12994
          },
          {
            "timestamp": "2026-05-28 22:01:58,396",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "FindResourceExW",
            "status": true,
            "return": "0x29254cc9168",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29254bf0002"
              },
              {
                "name": "Type",
                "value": "#6"
              },
              {
                "name": "Name",
                "value": "#626"
              },
              {
                "name": "Language",
                "value": "0x00000409"
              }
            ],
            "repeated": 0,
            "id": 12995
          },
          {
            "timestamp": "2026-05-28 22:01:58,396",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "SizeofResource",
            "status": true,
            "return": "0x000001bc",
            "arguments": [
              {
                "name": "ModuleHandle",
                "value": "0x29254bf0002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29254cc9168"
              }
            ],
            "repeated": 0,
            "id": 12996
          },
          {
            "timestamp": "2026-05-28 22:01:58,396",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "LoadResource",
            "status": true,
            "return": "0x29254cc9578",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29254bf0002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29254cc9168"
              }
            ],
            "repeated": 0,
            "id": 12997
          },
          {
            "timestamp": "2026-05-28 22:01:58,396",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254bf0000"
              },
              {
                "name": "RegionSize",
                "value": "0x000e1000"
              }
            ],
            "repeated": 0,
            "id": 12998
          },
          {
            "timestamp": "2026-05-28 22:01:58,396",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 12999
          },
          {
            "timestamp": "2026-05-28 22:01:58,396",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29254bf0002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\system32\\drivers\\dxgmms2.sys"
              },
              {
                "name": "dwFlags",
                "value": "0x0000002a"
              }
            ],
            "repeated": 0,
            "id": 13000
          },
          {
            "timestamp": "2026-05-28 22:01:58,396",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "FindResourceExW",
            "status": true,
            "return": "0x29254cc9178",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29254bf0002"
              },
              {
                "name": "Type",
                "value": "#6"
              },
              {
                "name": "Name",
                "value": "#627"
              },
              {
                "name": "Language",
                "value": "0x00000409"
              }
            ],
            "repeated": 0,
            "id": 13001
          },
          {
            "timestamp": "2026-05-28 22:01:58,396",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "SizeofResource",
            "status": true,
            "return": "0x00000254",
            "arguments": [
              {
                "name": "ModuleHandle",
                "value": "0x29254bf0002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29254cc9178"
              }
            ],
            "repeated": 0,
            "id": 13002
          },
          {
            "timestamp": "2026-05-28 22:01:58,396",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "LoadResource",
            "status": true,
            "return": "0x29254cc9738",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29254bf0002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29254cc9178"
              }
            ],
            "repeated": 0,
            "id": 13003
          },
          {
            "timestamp": "2026-05-28 22:01:58,396",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254bf0000"
              },
              {
                "name": "RegionSize",
                "value": "0x000e1000"
              }
            ],
            "repeated": 0,
            "id": 13004
          },
          {
            "timestamp": "2026-05-28 22:01:58,396",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 13005
          },
          {
            "timestamp": "2026-05-28 22:01:58,396",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29254bf0002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "wmp.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x0000002a"
              }
            ],
            "repeated": 0,
            "id": 13006
          },
          {
            "timestamp": "2026-05-28 22:01:58,396",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "FindResourceExW",
            "status": true,
            "return": "0x2925560b768",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29254bf0002"
              },
              {
                "name": "Type",
                "value": "#6"
              },
              {
                "name": "Name",
                "value": "#32"
              },
              {
                "name": "Language",
                "value": "0x00000409"
              }
            ],
            "repeated": 0,
            "id": 13007
          },
          {
            "timestamp": "2026-05-28 22:01:58,396",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "SizeofResource",
            "status": true,
            "return": "0x00000210",
            "arguments": [
              {
                "name": "ModuleHandle",
                "value": "0x29254bf0002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x2925560b768"
              }
            ],
            "repeated": 0,
            "id": 13008
          },
          {
            "timestamp": "2026-05-28 22:01:58,396",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "LoadResource",
            "status": true,
            "return": "0x292556d6550",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29254bf0002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x2925560b768"
              }
            ],
            "repeated": 0,
            "id": 13009
          },
          {
            "timestamp": "2026-05-28 22:01:58,396",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254bf0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00b02000"
              }
            ],
            "repeated": 0,
            "id": 13010
          },
          {
            "timestamp": "2026-05-28 22:01:58,396",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 13011
          },
          {
            "timestamp": "2026-05-28 22:01:58,396",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29254bf0002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "rdpcorets.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x0000002a"
              }
            ],
            "repeated": 0,
            "id": 13012
          },
          {
            "timestamp": "2026-05-28 22:01:58,396",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "FindResourceExW",
            "status": true,
            "return": "0x29254d90600",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29254bf0002"
              },
              {
                "name": "Type",
                "value": "#6"
              },
              {
                "name": "Name",
                "value": "#1"
              },
              {
                "name": "Language",
                "value": "0x00000409"
              }
            ],
            "repeated": 0,
            "id": 13013
          },
          {
            "timestamp": "2026-05-28 22:01:58,396",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "SizeofResource",
            "status": true,
            "return": "0x000003ca",
            "arguments": [
              {
                "name": "ModuleHandle",
                "value": "0x29254bf0002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29254d90600"
              }
            ],
            "repeated": 0,
            "id": 13014
          },
          {
            "timestamp": "2026-05-28 22:01:58,396",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "LoadResource",
            "status": true,
            "return": "0x29254d90770",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29254bf0002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29254d90600"
              }
            ],
            "repeated": 0,
            "id": 13015
          },
          {
            "timestamp": "2026-05-28 22:01:58,396",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254d90000"
              },
              {
                "name": "RegionSize",
                "value": "0x00007000"
              }
            ],
            "repeated": 0,
            "id": 13016
          },
          {
            "timestamp": "2026-05-28 22:01:58,396",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000008ec"
              }
            ],
            "repeated": 0,
            "id": 13017
          },
          {
            "timestamp": "2026-05-28 22:01:58,396",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254bf0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00199000"
              }
            ],
            "repeated": 0,
            "id": 13018
          },
          {
            "timestamp": "2026-05-28 22:01:58,396",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 13019
          },
          {
            "timestamp": "2026-05-28 22:01:58,396",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29254bf0002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "rdpcorets.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x0000002a"
              }
            ],
            "repeated": 0,
            "id": 13020
          },
          {
            "timestamp": "2026-05-28 22:01:58,396",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "FindResourceExW",
            "status": true,
            "return": "0x29254d90620",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29254bf0002"
              },
              {
                "name": "Type",
                "value": "#6"
              },
              {
                "name": "Name",
                "value": "#3"
              },
              {
                "name": "Language",
                "value": "0x00000409"
              }
            ],
            "repeated": 0,
            "id": 13021
          },
          {
            "timestamp": "2026-05-28 22:01:58,396",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "SizeofResource",
            "status": true,
            "return": "0x000002ca",
            "arguments": [
              {
                "name": "ModuleHandle",
                "value": "0x29254bf0002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29254d90620"
              }
            ],
            "repeated": 0,
            "id": 13022
          },
          {
            "timestamp": "2026-05-28 22:01:58,396",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "LoadResource",
            "status": true,
            "return": "0x29254d91074",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29254bf0002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29254d90620"
              }
            ],
            "repeated": 0,
            "id": 13023
          },
          {
            "timestamp": "2026-05-28 22:01:58,396",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254d90000"
              },
              {
                "name": "RegionSize",
                "value": "0x00007000"
              }
            ],
            "repeated": 0,
            "id": 13024
          },
          {
            "timestamp": "2026-05-28 22:01:58,396",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000008ec"
              }
            ],
            "repeated": 0,
            "id": 13025
          },
          {
            "timestamp": "2026-05-28 22:01:58,396",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254bf0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00199000"
              }
            ],
            "repeated": 0,
            "id": 13026
          },
          {
            "timestamp": "2026-05-28 22:01:58,396",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 13027
          },
          {
            "timestamp": "2026-05-28 22:01:58,396",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29254bf0002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\system32\\drivers\\srv2.sys"
              },
              {
                "name": "dwFlags",
                "value": "0x0000002a"
              }
            ],
            "repeated": 0,
            "id": 13028
          },
          {
            "timestamp": "2026-05-28 22:01:58,396",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "FindResourceExW",
            "status": true,
            "return": "0x29254cc08c0",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29254bf0002"
              },
              {
                "name": "Type",
                "value": "#6"
              },
              {
                "name": "Name",
                "value": "#1"
              },
              {
                "name": "Language",
                "value": "0x00000409"
              }
            ],
            "repeated": 0,
            "id": 13029
          },
          {
            "timestamp": "2026-05-28 22:01:58,396",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "SizeofResource",
            "status": true,
            "return": "0x000002ea",
            "arguments": [
              {
                "name": "ModuleHandle",
                "value": "0x29254bf0002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29254cc08c0"
              }
            ],
            "repeated": 0,
            "id": 13030
          },
          {
            "timestamp": "2026-05-28 22:01:58,396",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "LoadResource",
            "status": true,
            "return": "0x29254cc0b90",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29254bf0002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29254cc08c0"
              }
            ],
            "repeated": 0,
            "id": 13031
          },
          {
            "timestamp": "2026-05-28 22:01:58,396",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254cc0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00017000"
              }
            ],
            "repeated": 0,
            "id": 13032
          },
          {
            "timestamp": "2026-05-28 22:01:58,396",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000008ec"
              }
            ],
            "repeated": 0,
            "id": 13033
          },
          {
            "timestamp": "2026-05-28 22:01:58,396",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254bf0000"
              },
              {
                "name": "RegionSize",
                "value": "0x000c7000"
              }
            ],
            "repeated": 0,
            "id": 13034
          },
          {
            "timestamp": "2026-05-28 22:01:58,396",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 13035
          },
          {
            "timestamp": "2026-05-28 22:01:58,396",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29254bf0002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\system32\\drivers\\srv2.sys"
              },
              {
                "name": "dwFlags",
                "value": "0x0000002a"
              }
            ],
            "repeated": 0,
            "id": 13036
          },
          {
            "timestamp": "2026-05-28 22:01:58,396",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "FindResourceExW",
            "status": true,
            "return": "0x29254cc09c0",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29254bf0002"
              },
              {
                "name": "Type",
                "value": "#6"
              },
              {
                "name": "Name",
                "value": "#126"
              },
              {
                "name": "Language",
                "value": "0x00000409"
              }
            ],
            "repeated": 0,
            "id": 13037
          },
          {
            "timestamp": "2026-05-28 22:01:58,396",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "SizeofResource",
            "status": true,
            "return": "0x000002c8",
            "arguments": [
              {
                "name": "ModuleHandle",
                "value": "0x29254bf0002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29254cc09c0"
              }
            ],
            "repeated": 0,
            "id": 13038
          },
          {
            "timestamp": "2026-05-28 22:01:58,396",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "LoadResource",
            "status": true,
            "return": "0x29254cc452c",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29254bf0002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29254cc09c0"
              }
            ],
            "repeated": 0,
            "id": 13039
          },
          {
            "timestamp": "2026-05-28 22:01:58,396",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254cc0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00017000"
              }
            ],
            "repeated": 0,
            "id": 13040
          },
          {
            "timestamp": "2026-05-28 22:01:58,396",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000008ec"
              }
            ],
            "repeated": 0,
            "id": 13041
          },
          {
            "timestamp": "2026-05-28 22:01:58,396",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254bf0000"
              },
              {
                "name": "RegionSize",
                "value": "0x000c7000"
              }
            ],
            "repeated": 0,
            "id": 13042
          },
          {
            "timestamp": "2026-05-28 22:01:58,396",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 13043
          },
          {
            "timestamp": "2026-05-28 22:01:58,396",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29254bf0002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\system32\\drivers\\srv2.sys"
              },
              {
                "name": "dwFlags",
                "value": "0x0000002a"
              }
            ],
            "repeated": 0,
            "id": 13044
          },
          {
            "timestamp": "2026-05-28 22:01:58,396",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "FindResourceExW",
            "status": true,
            "return": "0x29254cc0a80",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29254bf0002"
              },
              {
                "name": "Type",
                "value": "#6"
              },
              {
                "name": "Name",
                "value": "#188"
              },
              {
                "name": "Language",
                "value": "0x00000409"
              }
            ],
            "repeated": 0,
            "id": 13045
          },
          {
            "timestamp": "2026-05-28 22:01:58,396",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "SizeofResource",
            "status": true,
            "return": "0x000001da",
            "arguments": [
              {
                "name": "ModuleHandle",
                "value": "0x29254bf0002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29254cc0a80"
              }
            ],
            "repeated": 0,
            "id": 13046
          },
          {
            "timestamp": "2026-05-28 22:01:58,396",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "LoadResource",
            "status": true,
            "return": "0x29254cc7034",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29254bf0002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29254cc0a80"
              }
            ],
            "repeated": 0,
            "id": 13047
          },
          {
            "timestamp": "2026-05-28 22:01:58,396",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254cc0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00017000"
              }
            ],
            "repeated": 0,
            "id": 13048
          },
          {
            "timestamp": "2026-05-28 22:01:58,396",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000008ec"
              }
            ],
            "repeated": 0,
            "id": 13049
          },
          {
            "timestamp": "2026-05-28 22:01:58,396",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254bf0000"
              },
              {
                "name": "RegionSize",
                "value": "0x000c7000"
              }
            ],
            "repeated": 0,
            "id": 13050
          },
          {
            "timestamp": "2026-05-28 22:01:58,396",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 13051
          },
          {
            "timestamp": "2026-05-28 22:01:58,396",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29254bf0002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "NetLogon.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x0000002a"
              }
            ],
            "repeated": 0,
            "id": 13052
          },
          {
            "timestamp": "2026-05-28 22:01:58,396",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "FindResourceExW",
            "status": true,
            "return": "0x29254cd05b8",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29254bf0002"
              },
              {
                "name": "Type",
                "value": "#6"
              },
              {
                "name": "Name",
                "value": "#126"
              },
              {
                "name": "Language",
                "value": "0x00000409"
              }
            ],
            "repeated": 0,
            "id": 13053
          },
          {
            "timestamp": "2026-05-28 22:01:58,396",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "SizeofResource",
            "status": true,
            "return": "0x0000036e",
            "arguments": [
              {
                "name": "ModuleHandle",
                "value": "0x29254bf0002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29254cd05b8"
              }
            ],
            "repeated": 0,
            "id": 13054
          },
          {
            "timestamp": "2026-05-28 22:01:58,396",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "LoadResource",
            "status": true,
            "return": "0x29254cd1040",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29254bf0002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29254cd05b8"
              }
            ],
            "repeated": 0,
            "id": 13055
          },
          {
            "timestamp": "2026-05-28 22:01:58,396",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254cd0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 13056
          },
          {
            "timestamp": "2026-05-28 22:01:58,396",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000008ec"
              }
            ],
            "repeated": 0,
            "id": 13057
          },
          {
            "timestamp": "2026-05-28 22:01:58,396",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254bf0000"
              },
              {
                "name": "RegionSize",
                "value": "0x000dd000"
              }
            ],
            "repeated": 0,
            "id": 13058
          },
          {
            "timestamp": "2026-05-28 22:01:58,396",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 13059
          },
          {
            "timestamp": "2026-05-28 22:01:58,396",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29254bf0002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\system32\\drivers\\usbxhci.sys"
              },
              {
                "name": "dwFlags",
                "value": "0x0000002a"
              }
            ],
            "repeated": 0,
            "id": 13060
          },
          {
            "timestamp": "2026-05-28 22:01:58,396",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "FindResourceExW",
            "status": true,
            "return": "0x29254c905c0",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29254bf0002"
              },
              {
                "name": "Type",
                "value": "#6"
              },
              {
                "name": "Name",
                "value": "#1"
              },
              {
                "name": "Language",
                "value": "0x00000409"
              }
            ],
            "repeated": 0,
            "id": 13061
          },
          {
            "timestamp": "2026-05-28 22:01:58,396",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "SizeofResource",
            "status": true,
            "return": "0x0000029a",
            "arguments": [
              {
                "name": "ModuleHandle",
                "value": "0x29254bf0002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29254c905c0"
              }
            ],
            "repeated": 0,
            "id": 13062
          },
          {
            "timestamp": "2026-05-28 22:01:58,396",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "LoadResource",
            "status": true,
            "return": "0x29254c90710",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29254bf0002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29254c905c0"
              }
            ],
            "repeated": 0,
            "id": 13063
          },
          {
            "timestamp": "2026-05-28 22:01:58,396",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254c90000"
              },
              {
                "name": "RegionSize",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 13064
          },
          {
            "timestamp": "2026-05-28 22:01:58,396",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000008ec"
              }
            ],
            "repeated": 0,
            "id": 13065
          },
          {
            "timestamp": "2026-05-28 22:01:58,396",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254bf0000"
              },
              {
                "name": "RegionSize",
                "value": "0x0009e000"
              }
            ],
            "repeated": 0,
            "id": 13066
          },
          {
            "timestamp": "2026-05-28 22:01:58,396",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 13067
          },
          {
            "timestamp": "2026-05-28 22:01:58,396",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29254bf0002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\system32\\drivers\\usbxhci.sys"
              },
              {
                "name": "dwFlags",
                "value": "0x0000002a"
              }
            ],
            "repeated": 0,
            "id": 13068
          },
          {
            "timestamp": "2026-05-28 22:01:58,396",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "FindResourceExW",
            "status": true,
            "return": "0x29254c905e0",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29254bf0002"
              },
              {
                "name": "Type",
                "value": "#6"
              },
              {
                "name": "Name",
                "value": "#7"
              },
              {
                "name": "Language",
                "value": "0x00000409"
              }
            ],
            "repeated": 0,
            "id": 13069
          },
          {
            "timestamp": "2026-05-28 22:01:58,396",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "SizeofResource",
            "status": true,
            "return": "0x00000214",
            "arguments": [
              {
                "name": "ModuleHandle",
                "value": "0x29254bf0002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29254c905e0"
              }
            ],
            "repeated": 0,
            "id": 13070
          },
          {
            "timestamp": "2026-05-28 22:01:58,396",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "LoadResource",
            "status": true,
            "return": "0x29254c90c08",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29254bf0002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29254c905e0"
              }
            ],
            "repeated": 0,
            "id": 13071
          },
          {
            "timestamp": "2026-05-28 22:01:58,396",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254c90000"
              },
              {
                "name": "RegionSize",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 13072
          },
          {
            "timestamp": "2026-05-28 22:01:58,396",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000008ec"
              }
            ],
            "repeated": 0,
            "id": 13073
          },
          {
            "timestamp": "2026-05-28 22:01:58,396",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254bf0000"
              },
              {
                "name": "RegionSize",
                "value": "0x0009e000"
              }
            ],
            "repeated": 0,
            "id": 13074
          },
          {
            "timestamp": "2026-05-28 22:01:58,396",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 13075
          },
          {
            "timestamp": "2026-05-28 22:01:58,396",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29254bf0002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\system32\\drivers\\usbxhci.sys"
              },
              {
                "name": "dwFlags",
                "value": "0x0000002a"
              }
            ],
            "repeated": 0,
            "id": 13076
          },
          {
            "timestamp": "2026-05-28 22:01:58,396",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "FindResourceExW",
            "status": true,
            "return": "0x29254c90610",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29254bf0002"
              },
              {
                "name": "Type",
                "value": "#6"
              },
              {
                "name": "Name",
                "value": "#13"
              },
              {
                "name": "Language",
                "value": "0x00000409"
              }
            ],
            "repeated": 0,
            "id": 13077
          },
          {
            "timestamp": "2026-05-28 22:01:58,396",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "SizeofResource",
            "status": true,
            "return": "0x000001aa",
            "arguments": [
              {
                "name": "ModuleHandle",
                "value": "0x29254bf0002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29254c90610"
              }
            ],
            "repeated": 0,
            "id": 13078
          },
          {
            "timestamp": "2026-05-28 22:01:58,396",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "LoadResource",
            "status": true,
            "return": "0x29254c91178",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29254bf0002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29254c90610"
              }
            ],
            "repeated": 0,
            "id": 13079
          },
          {
            "timestamp": "2026-05-28 22:01:58,396",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254c90000"
              },
              {
                "name": "RegionSize",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 13080
          },
          {
            "timestamp": "2026-05-28 22:01:58,396",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000008ec"
              }
            ],
            "repeated": 0,
            "id": 13081
          },
          {
            "timestamp": "2026-05-28 22:01:58,396",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254bf0000"
              },
              {
                "name": "RegionSize",
                "value": "0x0009e000"
              }
            ],
            "repeated": 0,
            "id": 13082
          },
          {
            "timestamp": "2026-05-28 22:01:58,396",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 13083
          },
          {
            "timestamp": "2026-05-28 22:01:58,396",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29254bf0002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "drt.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x0000002a"
              }
            ],
            "repeated": 0,
            "id": 13084
          },
          {
            "timestamp": "2026-05-28 22:01:58,396",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "FindResourceExW",
            "status": true,
            "return": "0x29254c405c0",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29254bf0002"
              },
              {
                "name": "Type",
                "value": "#6"
              },
              {
                "name": "Name",
                "value": "#1"
              },
              {
                "name": "Language",
                "value": "0x00000409"
              }
            ],
            "repeated": 0,
            "id": 13085
          },
          {
            "timestamp": "2026-05-28 22:01:58,396",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "SizeofResource",
            "status": true,
            "return": "0x00000474",
            "arguments": [
              {
                "name": "ModuleHandle",
                "value": "0x29254bf0002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29254c405c0"
              }
            ],
            "repeated": 0,
            "id": 13086
          },
          {
            "timestamp": "2026-05-28 22:01:58,396",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "LoadResource",
            "status": true,
            "return": "0x29254c40710",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29254bf0002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29254c405c0"
              }
            ],
            "repeated": 0,
            "id": 13087
          },
          {
            "timestamp": "2026-05-28 22:01:58,396",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254c40000"
              },
              {
                "name": "RegionSize",
                "value": "0x00003000"
              }
            ],
            "repeated": 0,
            "id": 13088
          },
          {
            "timestamp": "2026-05-28 22:01:58,396",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000008ec"
              }
            ],
            "repeated": 0,
            "id": 13089
          },
          {
            "timestamp": "2026-05-28 22:01:58,396",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254bf0000"
              },
              {
                "name": "RegionSize",
                "value": "0x0004a000"
              }
            ],
            "repeated": 0,
            "id": 13090
          },
          {
            "timestamp": "2026-05-28 22:01:58,396",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 13091
          },
          {
            "timestamp": "2026-05-28 22:01:58,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29254bf0002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\system32\\drivers\\ndis.sys"
              },
              {
                "name": "dwFlags",
                "value": "0x0000002a"
              }
            ],
            "repeated": 0,
            "id": 13092
          },
          {
            "timestamp": "2026-05-28 22:01:58,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "FindResourceExW",
            "status": true,
            "return": "0x29254d609d0",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29254bf0002"
              },
              {
                "name": "Type",
                "value": "#6"
              },
              {
                "name": "Name",
                "value": "#55"
              },
              {
                "name": "Language",
                "value": "0x00000409"
              }
            ],
            "repeated": 0,
            "id": 13093
          },
          {
            "timestamp": "2026-05-28 22:01:58,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "SizeofResource",
            "status": true,
            "return": "0x00000224",
            "arguments": [
              {
                "name": "ModuleHandle",
                "value": "0x29254bf0002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29254d609d0"
              }
            ],
            "repeated": 0,
            "id": 13094
          },
          {
            "timestamp": "2026-05-28 22:01:58,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "LoadResource",
            "status": true,
            "return": "0x29254d66798",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29254bf0002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29254d609d0"
              }
            ],
            "repeated": 0,
            "id": 13095
          },
          {
            "timestamp": "2026-05-28 22:01:58,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254d60000"
              },
              {
                "name": "RegionSize",
                "value": "0x00011000"
              }
            ],
            "repeated": 0,
            "id": 13096
          },
          {
            "timestamp": "2026-05-28 22:01:58,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000008f0"
              }
            ],
            "repeated": 0,
            "id": 13097
          },
          {
            "timestamp": "2026-05-28 22:01:58,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254bf0000"
              },
              {
                "name": "RegionSize",
                "value": "0x0016f000"
              }
            ],
            "repeated": 0,
            "id": 13098
          },
          {
            "timestamp": "2026-05-28 22:01:58,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 13099
          },
          {
            "timestamp": "2026-05-28 22:01:58,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29254bf0002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\system32\\drivers\\ndis.sys"
              },
              {
                "name": "dwFlags",
                "value": "0x0000002a"
              }
            ],
            "repeated": 0,
            "id": 13100
          },
          {
            "timestamp": "2026-05-28 22:01:58,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "FindResourceExW",
            "status": true,
            "return": "0x29254d609a0",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29254bf0002"
              },
              {
                "name": "Type",
                "value": "#6"
              },
              {
                "name": "Name",
                "value": "#52"
              },
              {
                "name": "Language",
                "value": "0x00000409"
              }
            ],
            "repeated": 0,
            "id": 13101
          },
          {
            "timestamp": "2026-05-28 22:01:58,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "SizeofResource",
            "status": true,
            "return": "0x0000045c",
            "arguments": [
              {
                "name": "ModuleHandle",
                "value": "0x29254bf0002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29254d609a0"
              }
            ],
            "repeated": 0,
            "id": 13102
          },
          {
            "timestamp": "2026-05-28 22:01:58,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "LoadResource",
            "status": true,
            "return": "0x29254d65ebc",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29254bf0002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29254d609a0"
              }
            ],
            "repeated": 0,
            "id": 13103
          },
          {
            "timestamp": "2026-05-28 22:01:58,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254d60000"
              },
              {
                "name": "RegionSize",
                "value": "0x00011000"
              }
            ],
            "repeated": 0,
            "id": 13104
          },
          {
            "timestamp": "2026-05-28 22:01:58,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000008ec"
              }
            ],
            "repeated": 0,
            "id": 13105
          },
          {
            "timestamp": "2026-05-28 22:01:58,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254bf0000"
              },
              {
                "name": "RegionSize",
                "value": "0x0016f000"
              }
            ],
            "repeated": 0,
            "id": 13106
          },
          {
            "timestamp": "2026-05-28 22:01:58,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 13107
          },
          {
            "timestamp": "2026-05-28 22:01:58,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29254bf0002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\system32\\drivers\\ndis.sys"
              },
              {
                "name": "dwFlags",
                "value": "0x0000002a"
              }
            ],
            "repeated": 0,
            "id": 13108
          },
          {
            "timestamp": "2026-05-28 22:01:58,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "FindResourceExW",
            "status": true,
            "return": "0x29254d60990",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29254bf0002"
              },
              {
                "name": "Type",
                "value": "#6"
              },
              {
                "name": "Name",
                "value": "#51"
              },
              {
                "name": "Language",
                "value": "0x00000409"
              }
            ],
            "repeated": 0,
            "id": 13109
          },
          {
            "timestamp": "2026-05-28 22:01:58,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "SizeofResource",
            "status": true,
            "return": "0x0000083e",
            "arguments": [
              {
                "name": "ModuleHandle",
                "value": "0x29254bf0002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29254d60990"
              }
            ],
            "repeated": 0,
            "id": 13110
          },
          {
            "timestamp": "2026-05-28 22:01:58,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "LoadResource",
            "status": true,
            "return": "0x29254d6567c",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29254bf0002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29254d60990"
              }
            ],
            "repeated": 0,
            "id": 13111
          },
          {
            "timestamp": "2026-05-28 22:01:58,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254d60000"
              },
              {
                "name": "RegionSize",
                "value": "0x00011000"
              }
            ],
            "repeated": 0,
            "id": 13112
          },
          {
            "timestamp": "2026-05-28 22:01:58,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000008ec"
              }
            ],
            "repeated": 0,
            "id": 13113
          },
          {
            "timestamp": "2026-05-28 22:01:58,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254bf0000"
              },
              {
                "name": "RegionSize",
                "value": "0x0016f000"
              }
            ],
            "repeated": 0,
            "id": 13114
          },
          {
            "timestamp": "2026-05-28 22:01:58,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 13115
          },
          {
            "timestamp": "2026-05-28 22:01:58,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29254bf0002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\system32\\drivers\\ndis.sys"
              },
              {
                "name": "dwFlags",
                "value": "0x0000002a"
              }
            ],
            "repeated": 0,
            "id": 13116
          },
          {
            "timestamp": "2026-05-28 22:01:58,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "FindResourceExW",
            "status": true,
            "return": "0x29254d60880",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29254bf0002"
              },
              {
                "name": "Type",
                "value": "#6"
              },
              {
                "name": "Name",
                "value": "#1"
              },
              {
                "name": "Language",
                "value": "0x00000409"
              }
            ],
            "repeated": 0,
            "id": 13117
          },
          {
            "timestamp": "2026-05-28 22:01:58,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "SizeofResource",
            "status": true,
            "return": "0x000005ce",
            "arguments": [
              {
                "name": "ModuleHandle",
                "value": "0x29254bf0002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29254d60880"
              }
            ],
            "repeated": 0,
            "id": 13118
          },
          {
            "timestamp": "2026-05-28 22:01:58,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "LoadResource",
            "status": true,
            "return": "0x29254d60b30",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29254bf0002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29254d60880"
              }
            ],
            "repeated": 0,
            "id": 13119
          },
          {
            "timestamp": "2026-05-28 22:01:58,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254d60000"
              },
              {
                "name": "RegionSize",
                "value": "0x00011000"
              }
            ],
            "repeated": 0,
            "id": 13120
          },
          {
            "timestamp": "2026-05-28 22:01:58,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000008ec"
              }
            ],
            "repeated": 0,
            "id": 13121
          },
          {
            "timestamp": "2026-05-28 22:01:58,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254bf0000"
              },
              {
                "name": "RegionSize",
                "value": "0x0016f000"
              }
            ],
            "repeated": 0,
            "id": 13122
          },
          {
            "timestamp": "2026-05-28 22:01:58,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 13123
          },
          {
            "timestamp": "2026-05-28 22:01:58,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29254bf0002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\system32\\drivers\\ndis.sys"
              },
              {
                "name": "dwFlags",
                "value": "0x0000002a"
              }
            ],
            "repeated": 0,
            "id": 13124
          },
          {
            "timestamp": "2026-05-28 22:01:58,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "FindResourceExW",
            "status": true,
            "return": "0x29254d608c0",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29254bf0002"
              },
              {
                "name": "Type",
                "value": "#6"
              },
              {
                "name": "Name",
                "value": "#5"
              },
              {
                "name": "Language",
                "value": "0x00000409"
              }
            ],
            "repeated": 0,
            "id": 13125
          },
          {
            "timestamp": "2026-05-28 22:01:58,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "SizeofResource",
            "status": true,
            "return": "0x00000712",
            "arguments": [
              {
                "name": "ModuleHandle",
                "value": "0x29254bf0002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29254d608c0"
              }
            ],
            "repeated": 0,
            "id": 13126
          },
          {
            "timestamp": "2026-05-28 22:01:58,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "LoadResource",
            "status": true,
            "return": "0x29254d6241c",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29254bf0002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29254d608c0"
              }
            ],
            "repeated": 0,
            "id": 13127
          },
          {
            "timestamp": "2026-05-28 22:01:58,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254d60000"
              },
              {
                "name": "RegionSize",
                "value": "0x00011000"
              }
            ],
            "repeated": 0,
            "id": 13128
          },
          {
            "timestamp": "2026-05-28 22:01:58,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000008ec"
              }
            ],
            "repeated": 0,
            "id": 13129
          },
          {
            "timestamp": "2026-05-28 22:01:58,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254bf0000"
              },
              {
                "name": "RegionSize",
                "value": "0x0016f000"
              }
            ],
            "repeated": 0,
            "id": 13130
          },
          {
            "timestamp": "2026-05-28 22:01:58,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 13131
          },
          {
            "timestamp": "2026-05-28 22:01:58,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29254bf0002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\system32\\drivers\\ndis.sys"
              },
              {
                "name": "dwFlags",
                "value": "0x0000002a"
              }
            ],
            "repeated": 0,
            "id": 13132
          },
          {
            "timestamp": "2026-05-28 22:01:58,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "FindResourceExW",
            "status": true,
            "return": "0x29254d60a40",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29254bf0002"
              },
              {
                "name": "Type",
                "value": "#6"
              },
              {
                "name": "Name",
                "value": "#62"
              },
              {
                "name": "Language",
                "value": "0x00000409"
              }
            ],
            "repeated": 0,
            "id": 13133
          },
          {
            "timestamp": "2026-05-28 22:01:58,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "SizeofResource",
            "status": true,
            "return": "0x0000033a",
            "arguments": [
              {
                "name": "ModuleHandle",
                "value": "0x29254bf0002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29254d60a40"
              }
            ],
            "repeated": 0,
            "id": 13134
          },
          {
            "timestamp": "2026-05-28 22:01:58,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "LoadResource",
            "status": true,
            "return": "0x29254d6734c",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29254bf0002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29254d60a40"
              }
            ],
            "repeated": 0,
            "id": 13135
          },
          {
            "timestamp": "2026-05-28 22:01:58,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254d60000"
              },
              {
                "name": "RegionSize",
                "value": "0x00011000"
              }
            ],
            "repeated": 0,
            "id": 13136
          },
          {
            "timestamp": "2026-05-28 22:01:58,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000008ec"
              }
            ],
            "repeated": 0,
            "id": 13137
          },
          {
            "timestamp": "2026-05-28 22:01:58,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254bf0000"
              },
              {
                "name": "RegionSize",
                "value": "0x0016f000"
              }
            ],
            "repeated": 0,
            "id": 13138
          },
          {
            "timestamp": "2026-05-28 22:01:58,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 13139
          },
          {
            "timestamp": "2026-05-28 22:01:58,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29254bf0002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\system32\\drivers\\ndis.sys"
              },
              {
                "name": "dwFlags",
                "value": "0x0000002a"
              }
            ],
            "repeated": 0,
            "id": 13140
          },
          {
            "timestamp": "2026-05-28 22:01:58,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "FindResourceExW",
            "status": true,
            "return": "0x29254d609b0",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29254bf0002"
              },
              {
                "name": "Type",
                "value": "#6"
              },
              {
                "name": "Name",
                "value": "#53"
              },
              {
                "name": "Language",
                "value": "0x00000409"
              }
            ],
            "repeated": 0,
            "id": 13141
          },
          {
            "timestamp": "2026-05-28 22:01:58,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "SizeofResource",
            "status": true,
            "return": "0x00000272",
            "arguments": [
              {
                "name": "ModuleHandle",
                "value": "0x29254bf0002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29254d609b0"
              }
            ],
            "repeated": 0,
            "id": 13142
          },
          {
            "timestamp": "2026-05-28 22:01:58,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "LoadResource",
            "status": true,
            "return": "0x29254d66318",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29254bf0002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29254d609b0"
              }
            ],
            "repeated": 0,
            "id": 13143
          },
          {
            "timestamp": "2026-05-28 22:01:58,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254d60000"
              },
              {
                "name": "RegionSize",
                "value": "0x00011000"
              }
            ],
            "repeated": 0,
            "id": 13144
          },
          {
            "timestamp": "2026-05-28 22:01:58,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000008ec"
              }
            ],
            "repeated": 0,
            "id": 13145
          },
          {
            "timestamp": "2026-05-28 22:01:58,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254bf0000"
              },
              {
                "name": "RegionSize",
                "value": "0x0016f000"
              }
            ],
            "repeated": 0,
            "id": 13146
          },
          {
            "timestamp": "2026-05-28 22:01:58,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 13147
          },
          {
            "timestamp": "2026-05-28 22:01:58,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29254bf0002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\system32\\drivers\\ndis.sys"
              },
              {
                "name": "dwFlags",
                "value": "0x0000002a"
              }
            ],
            "repeated": 0,
            "id": 13148
          },
          {
            "timestamp": "2026-05-28 22:01:58,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "FindResourceExW",
            "status": true,
            "return": "0x29254d60940",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29254bf0002"
              },
              {
                "name": "Type",
                "value": "#6"
              },
              {
                "name": "Name",
                "value": "#19"
              },
              {
                "name": "Language",
                "value": "0x00000409"
              }
            ],
            "repeated": 0,
            "id": 13149
          },
          {
            "timestamp": "2026-05-28 22:01:58,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "SizeofResource",
            "status": true,
            "return": "0x00000122",
            "arguments": [
              {
                "name": "ModuleHandle",
                "value": "0x29254bf0002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29254d60940"
              }
            ],
            "repeated": 0,
            "id": 13150
          },
          {
            "timestamp": "2026-05-28 22:01:58,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "LoadResource",
            "status": true,
            "return": "0x29254d64c08",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29254bf0002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29254d60940"
              }
            ],
            "repeated": 0,
            "id": 13151
          },
          {
            "timestamp": "2026-05-28 22:01:58,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254d60000"
              },
              {
                "name": "RegionSize",
                "value": "0x00011000"
              }
            ],
            "repeated": 0,
            "id": 13152
          },
          {
            "timestamp": "2026-05-28 22:01:58,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000008ec"
              }
            ],
            "repeated": 0,
            "id": 13153
          },
          {
            "timestamp": "2026-05-28 22:01:58,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254bf0000"
              },
              {
                "name": "RegionSize",
                "value": "0x0016f000"
              }
            ],
            "repeated": 0,
            "id": 13154
          },
          {
            "timestamp": "2026-05-28 22:01:58,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 13155
          },
          {
            "timestamp": "2026-05-28 22:01:58,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29254bf0002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\system32\\drivers\\ndis.sys"
              },
              {
                "name": "dwFlags",
                "value": "0x0000002a"
              }
            ],
            "repeated": 0,
            "id": 13156
          },
          {
            "timestamp": "2026-05-28 22:01:58,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "FindResourceExW",
            "status": true,
            "return": "0x29254d609f0",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29254bf0002"
              },
              {
                "name": "Type",
                "value": "#6"
              },
              {
                "name": "Name",
                "value": "#57"
              },
              {
                "name": "Language",
                "value": "0x00000409"
              }
            ],
            "repeated": 0,
            "id": 13157
          },
          {
            "timestamp": "2026-05-28 22:01:58,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "SizeofResource",
            "status": true,
            "return": "0x00000056",
            "arguments": [
              {
                "name": "ModuleHandle",
                "value": "0x29254bf0002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29254d609f0"
              }
            ],
            "repeated": 0,
            "id": 13158
          },
          {
            "timestamp": "2026-05-28 22:01:58,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "LoadResource",
            "status": true,
            "return": "0x29254d66b68",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29254bf0002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29254d609f0"
              }
            ],
            "repeated": 0,
            "id": 13159
          },
          {
            "timestamp": "2026-05-28 22:01:58,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254d60000"
              },
              {
                "name": "RegionSize",
                "value": "0x00011000"
              }
            ],
            "repeated": 0,
            "id": 13160
          },
          {
            "timestamp": "2026-05-28 22:01:58,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000008ec"
              }
            ],
            "repeated": 0,
            "id": 13161
          },
          {
            "timestamp": "2026-05-28 22:01:58,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254bf0000"
              },
              {
                "name": "RegionSize",
                "value": "0x0016f000"
              }
            ],
            "repeated": 0,
            "id": 13162
          },
          {
            "timestamp": "2026-05-28 22:01:58,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 13163
          },
          {
            "timestamp": "2026-05-28 22:01:58,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29254bf0002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\system32\\advapi32res.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x0000002a"
              }
            ],
            "repeated": 0,
            "id": 13164
          },
          {
            "timestamp": "2026-05-28 22:01:58,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "FindResourceExW",
            "status": true,
            "return": "0x29254c00b28",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29254bf0002"
              },
              {
                "name": "Type",
                "value": "#6"
              },
              {
                "name": "Name",
                "value": "#31"
              },
              {
                "name": "Language",
                "value": "0x00000409"
              }
            ],
            "repeated": 0,
            "id": 13165
          },
          {
            "timestamp": "2026-05-28 22:01:58,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "SizeofResource",
            "status": true,
            "return": "0x000003c0",
            "arguments": [
              {
                "name": "ModuleHandle",
                "value": "0x29254bf0002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29254c00b28"
              }
            ],
            "repeated": 0,
            "id": 13166
          },
          {
            "timestamp": "2026-05-28 22:01:58,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "LoadResource",
            "status": true,
            "return": "0x29254c0e47c",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29254bf0002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29254c00b28"
              }
            ],
            "repeated": 0,
            "id": 13167
          },
          {
            "timestamp": "2026-05-28 22:01:58,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254c00000"
              },
              {
                "name": "RegionSize",
                "value": "0x00011000"
              }
            ],
            "repeated": 0,
            "id": 13168
          },
          {
            "timestamp": "2026-05-28 22:01:58,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000008ec"
              }
            ],
            "repeated": 0,
            "id": 13169
          },
          {
            "timestamp": "2026-05-28 22:01:58,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254bf0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00003000"
              }
            ],
            "repeated": 0,
            "id": 13170
          },
          {
            "timestamp": "2026-05-28 22:01:58,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 13171
          },
          {
            "timestamp": "2026-05-28 22:01:58,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29254bf0002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\system32\\advapi32res.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x0000002a"
              }
            ],
            "repeated": 0,
            "id": 13172
          },
          {
            "timestamp": "2026-05-28 22:01:58,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "FindResourceExW",
            "status": true,
            "return": "0x29254c00a58",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29254bf0002"
              },
              {
                "name": "Type",
                "value": "#6"
              },
              {
                "name": "Name",
                "value": "#18"
              },
              {
                "name": "Language",
                "value": "0x00000409"
              }
            ],
            "repeated": 0,
            "id": 13173
          },
          {
            "timestamp": "2026-05-28 22:01:58,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "SizeofResource",
            "status": true,
            "return": "0x000004f2",
            "arguments": [
              {
                "name": "ModuleHandle",
                "value": "0x29254bf0002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29254c00a58"
              }
            ],
            "repeated": 0,
            "id": 13174
          },
          {
            "timestamp": "2026-05-28 22:01:58,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "LoadResource",
            "status": true,
            "return": "0x29254c09e6c",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29254bf0002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29254c00a58"
              }
            ],
            "repeated": 0,
            "id": 13175
          },
          {
            "timestamp": "2026-05-28 22:01:58,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254c00000"
              },
              {
                "name": "RegionSize",
                "value": "0x00011000"
              }
            ],
            "repeated": 0,
            "id": 13176
          },
          {
            "timestamp": "2026-05-28 22:01:58,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000008ec"
              }
            ],
            "repeated": 0,
            "id": 13177
          },
          {
            "timestamp": "2026-05-28 22:01:58,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254bf0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00003000"
              }
            ],
            "repeated": 0,
            "id": 13178
          },
          {
            "timestamp": "2026-05-28 22:01:58,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 13179
          },
          {
            "timestamp": "2026-05-28 22:01:58,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29254bf0002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\system32\\advapi32res.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x0000002a"
              }
            ],
            "repeated": 0,
            "id": 13180
          },
          {
            "timestamp": "2026-05-28 22:01:58,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "FindResourceExW",
            "status": true,
            "return": "0x29254c00948",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29254bf0002"
              },
              {
                "name": "Type",
                "value": "#6"
              },
              {
                "name": "Name",
                "value": "#1"
              },
              {
                "name": "Language",
                "value": "0x00000409"
              }
            ],
            "repeated": 0,
            "id": 13181
          },
          {
            "timestamp": "2026-05-28 22:01:58,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "SizeofResource",
            "status": true,
            "return": "0x00001888",
            "arguments": [
              {
                "name": "ModuleHandle",
                "value": "0x29254bf0002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29254c00948"
              }
            ],
            "repeated": 0,
            "id": 13182
          },
          {
            "timestamp": "2026-05-28 22:01:58,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "LoadResource",
            "status": true,
            "return": "0x29254c00c60",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29254bf0002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29254c00948"
              }
            ],
            "repeated": 0,
            "id": 13183
          },
          {
            "timestamp": "2026-05-28 22:01:58,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254c00000"
              },
              {
                "name": "RegionSize",
                "value": "0x00011000"
              }
            ],
            "repeated": 0,
            "id": 13184
          },
          {
            "timestamp": "2026-05-28 22:01:58,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000008ec"
              }
            ],
            "repeated": 0,
            "id": 13185
          },
          {
            "timestamp": "2026-05-28 22:01:58,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254bf0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00003000"
              }
            ],
            "repeated": 0,
            "id": 13186
          },
          {
            "timestamp": "2026-05-28 22:01:58,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 13187
          },
          {
            "timestamp": "2026-05-28 22:01:58,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29254bf0002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\system32\\advapi32res.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x0000002a"
              }
            ],
            "repeated": 0,
            "id": 13188
          },
          {
            "timestamp": "2026-05-28 22:01:58,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "FindResourceExW",
            "status": true,
            "return": "0x29254c00b38",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29254bf0002"
              },
              {
                "name": "Type",
                "value": "#6"
              },
              {
                "name": "Name",
                "value": "#32"
              },
              {
                "name": "Language",
                "value": "0x00000409"
              }
            ],
            "repeated": 0,
            "id": 13189
          },
          {
            "timestamp": "2026-05-28 22:01:58,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "SizeofResource",
            "status": true,
            "return": "0x000003d6",
            "arguments": [
              {
                "name": "ModuleHandle",
                "value": "0x29254bf0002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29254c00b38"
              }
            ],
            "repeated": 0,
            "id": 13190
          },
          {
            "timestamp": "2026-05-28 22:01:58,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "LoadResource",
            "status": true,
            "return": "0x29254c0e83c",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29254bf0002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29254c00b38"
              }
            ],
            "repeated": 0,
            "id": 13191
          },
          {
            "timestamp": "2026-05-28 22:01:58,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254c00000"
              },
              {
                "name": "RegionSize",
                "value": "0x00011000"
              }
            ],
            "repeated": 0,
            "id": 13192
          },
          {
            "timestamp": "2026-05-28 22:01:58,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000008ec"
              }
            ],
            "repeated": 0,
            "id": 13193
          },
          {
            "timestamp": "2026-05-28 22:01:58,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254bf0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00003000"
              }
            ],
            "repeated": 0,
            "id": 13194
          },
          {
            "timestamp": "2026-05-28 22:01:58,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 13195
          },
          {
            "timestamp": "2026-05-28 22:01:58,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29254bf0002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\system32\\advapi32res.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x0000002a"
              }
            ],
            "repeated": 0,
            "id": 13196
          },
          {
            "timestamp": "2026-05-28 22:01:58,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "FindResourceExW",
            "status": true,
            "return": "0x29254c00a48",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29254bf0002"
              },
              {
                "name": "Type",
                "value": "#6"
              },
              {
                "name": "Name",
                "value": "#17"
              },
              {
                "name": "Language",
                "value": "0x00000409"
              }
            ],
            "repeated": 0,
            "id": 13197
          },
          {
            "timestamp": "2026-05-28 22:01:58,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "SizeofResource",
            "status": true,
            "return": "0x000006f6",
            "arguments": [
              {
                "name": "ModuleHandle",
                "value": "0x29254bf0002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29254c00a48"
              }
            ],
            "repeated": 0,
            "id": 13198
          },
          {
            "timestamp": "2026-05-28 22:01:58,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "LoadResource",
            "status": true,
            "return": "0x29254c09774",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29254bf0002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29254c00a48"
              }
            ],
            "repeated": 0,
            "id": 13199
          },
          {
            "timestamp": "2026-05-28 22:01:58,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254c00000"
              },
              {
                "name": "RegionSize",
                "value": "0x00011000"
              }
            ],
            "repeated": 0,
            "id": 13200
          },
          {
            "timestamp": "2026-05-28 22:01:58,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000008ec"
              }
            ],
            "repeated": 0,
            "id": 13201
          },
          {
            "timestamp": "2026-05-28 22:01:58,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254bf0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00003000"
              }
            ],
            "repeated": 0,
            "id": 13202
          },
          {
            "timestamp": "2026-05-28 22:01:58,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 13203
          },
          {
            "timestamp": "2026-05-28 22:01:58,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29254bf0002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\system32\\advapi32res.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x0000002a"
              }
            ],
            "repeated": 0,
            "id": 13204
          },
          {
            "timestamp": "2026-05-28 22:01:58,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "FindResourceExW",
            "status": true,
            "return": "0x29254c00998",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29254bf0002"
              },
              {
                "name": "Type",
                "value": "#6"
              },
              {
                "name": "Name",
                "value": "#6"
              },
              {
                "name": "Language",
                "value": "0x00000409"
              }
            ],
            "repeated": 0,
            "id": 13205
          },
          {
            "timestamp": "2026-05-28 22:01:58,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "SizeofResource",
            "status": true,
            "return": "0x00000594",
            "arguments": [
              {
                "name": "ModuleHandle",
                "value": "0x29254bf0002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29254c00998"
              }
            ],
            "repeated": 0,
            "id": 13206
          },
          {
            "timestamp": "2026-05-28 22:01:58,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "LoadResource",
            "status": true,
            "return": "0x29254c05d7c",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29254bf0002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29254c00998"
              }
            ],
            "repeated": 0,
            "id": 13207
          },
          {
            "timestamp": "2026-05-28 22:01:58,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254c00000"
              },
              {
                "name": "RegionSize",
                "value": "0x00011000"
              }
            ],
            "repeated": 0,
            "id": 13208
          },
          {
            "timestamp": "2026-05-28 22:01:58,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000008ec"
              }
            ],
            "repeated": 0,
            "id": 13209
          },
          {
            "timestamp": "2026-05-28 22:01:58,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254bf0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00003000"
              }
            ],
            "repeated": 0,
            "id": 13210
          },
          {
            "timestamp": "2026-05-28 22:01:58,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 13211
          },
          {
            "timestamp": "2026-05-28 22:01:58,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29254bf0002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\system32\\advapi32res.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x0000002a"
              }
            ],
            "repeated": 0,
            "id": 13212
          },
          {
            "timestamp": "2026-05-28 22:01:58,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "FindResourceExW",
            "status": true,
            "return": "0x29254c00a78",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29254bf0002"
              },
              {
                "name": "Type",
                "value": "#6"
              },
              {
                "name": "Name",
                "value": "#20"
              },
              {
                "name": "Language",
                "value": "0x00000409"
              }
            ],
            "repeated": 0,
            "id": 13213
          },
          {
            "timestamp": "2026-05-28 22:01:58,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "SizeofResource",
            "status": true,
            "return": "0x000006ba",
            "arguments": [
              {
                "name": "ModuleHandle",
                "value": "0x29254bf0002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29254c00a78"
              }
            ],
            "repeated": 0,
            "id": 13214
          },
          {
            "timestamp": "2026-05-28 22:01:58,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "LoadResource",
            "status": true,
            "return": "0x29254c0a95c",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29254bf0002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29254c00a78"
              }
            ],
            "repeated": 0,
            "id": 13215
          },
          {
            "timestamp": "2026-05-28 22:01:58,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254c00000"
              },
              {
                "name": "RegionSize",
                "value": "0x00011000"
              }
            ],
            "repeated": 0,
            "id": 13216
          },
          {
            "timestamp": "2026-05-28 22:01:58,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000008ec"
              }
            ],
            "repeated": 0,
            "id": 13217
          },
          {
            "timestamp": "2026-05-28 22:01:58,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254bf0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00003000"
              }
            ],
            "repeated": 0,
            "id": 13218
          },
          {
            "timestamp": "2026-05-28 22:01:58,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 13219
          },
          {
            "timestamp": "2026-05-28 22:01:58,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29254bf0002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\system32\\w32time.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x0000002a"
              }
            ],
            "repeated": 0,
            "id": 13220
          },
          {
            "timestamp": "2026-05-28 22:01:58,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "FindResourceExW",
            "status": true,
            "return": "0x29254c80580",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29254bf0002"
              },
              {
                "name": "Type",
                "value": "#6"
              },
              {
                "name": "Name",
                "value": "#1"
              },
              {
                "name": "Language",
                "value": "0x00000409"
              }
            ],
            "repeated": 0,
            "id": 13221
          },
          {
            "timestamp": "2026-05-28 22:01:58,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "SizeofResource",
            "status": true,
            "return": "0x00000d5e",
            "arguments": [
              {
                "name": "ModuleHandle",
                "value": "0x29254bf0002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29254c80580"
              }
            ],
            "repeated": 0,
            "id": 13222
          },
          {
            "timestamp": "2026-05-28 22:01:58,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "LoadResource",
            "status": true,
            "return": "0x29254c806b0",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29254bf0002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29254c80580"
              }
            ],
            "repeated": 0,
            "id": 13223
          },
          {
            "timestamp": "2026-05-28 22:01:58,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254c80000"
              },
              {
                "name": "RegionSize",
                "value": "0x0000e000"
              }
            ],
            "repeated": 0,
            "id": 13224
          },
          {
            "timestamp": "2026-05-28 22:01:58,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000008ec"
              }
            ],
            "repeated": 0,
            "id": 13225
          },
          {
            "timestamp": "2026-05-28 22:01:58,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254bf0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00086000"
              }
            ],
            "repeated": 0,
            "id": 13226
          },
          {
            "timestamp": "2026-05-28 22:01:58,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 13227
          },
          {
            "timestamp": "2026-05-28 22:01:58,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29254bf0002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\system32\\drivers\\mrxsmb.sys"
              },
              {
                "name": "dwFlags",
                "value": "0x0000002a"
              }
            ],
            "repeated": 0,
            "id": 13228
          },
          {
            "timestamp": "2026-05-28 22:01:58,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "FindResourceExW",
            "status": true,
            "return": "0x29254c90620",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29254bf0002"
              },
              {
                "name": "Type",
                "value": "#6"
              },
              {
                "name": "Name",
                "value": "#1"
              },
              {
                "name": "Language",
                "value": "0x00000409"
              }
            ],
            "repeated": 0,
            "id": 13229
          },
          {
            "timestamp": "2026-05-28 22:01:58,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "SizeofResource",
            "status": true,
            "return": "0x00000218",
            "arguments": [
              {
                "name": "ModuleHandle",
                "value": "0x29254bf0002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29254c90620"
              }
            ],
            "repeated": 0,
            "id": 13230
          },
          {
            "timestamp": "2026-05-28 22:01:58,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "LoadResource",
            "status": true,
            "return": "0x29254c907a0",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29254bf0002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29254c90620"
              }
            ],
            "repeated": 0,
            "id": 13231
          },
          {
            "timestamp": "2026-05-28 22:01:58,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254c90000"
              },
              {
                "name": "RegionSize",
                "value": "0x00013000"
              }
            ],
            "repeated": 0,
            "id": 13232
          },
          {
            "timestamp": "2026-05-28 22:01:58,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000008ec"
              }
            ],
            "repeated": 0,
            "id": 13233
          },
          {
            "timestamp": "2026-05-28 22:01:58,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254bf0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00094000"
              }
            ],
            "repeated": 0,
            "id": 13234
          },
          {
            "timestamp": "2026-05-28 22:01:58,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 13235
          },
          {
            "timestamp": "2026-05-28 22:01:58,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29254bf0002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\system32\\appvetwclientres.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x0000002a"
              }
            ],
            "repeated": 0,
            "id": 13236
          },
          {
            "timestamp": "2026-05-28 22:01:58,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "FindResourceExW",
            "status": true,
            "return": "0x29254bf2138",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29254bf0002"
              },
              {
                "name": "Type",
                "value": "#6"
              },
              {
                "name": "Name",
                "value": "#7"
              },
              {
                "name": "Language",
                "value": "0x00000409"
              }
            ],
            "repeated": 0,
            "id": 13237
          },
          {
            "timestamp": "2026-05-28 22:01:58,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "SizeofResource",
            "status": true,
            "return": "0x00000222",
            "arguments": [
              {
                "name": "ModuleHandle",
                "value": "0x29254bf0002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29254bf2138"
              }
            ],
            "repeated": 0,
            "id": 13238
          },
          {
            "timestamp": "2026-05-28 22:01:58,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "LoadResource",
            "status": true,
            "return": "0x29254c12178",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29254bf0002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29254bf2138"
              }
            ],
            "repeated": 0,
            "id": 13239
          },
          {
            "timestamp": "2026-05-28 22:01:58,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254bf0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00023000"
              }
            ],
            "repeated": 0,
            "id": 13240
          },
          {
            "timestamp": "2026-05-28 22:01:58,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 13241
          },
          {
            "timestamp": "2026-05-28 22:01:58,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29254bf0002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\system32\\drivers\\tcpip.sys"
              },
              {
                "name": "dwFlags",
                "value": "0x0000002a"
              }
            ],
            "repeated": 0,
            "id": 13242
          },
          {
            "timestamp": "2026-05-28 22:01:58,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "FindResourceExW",
            "status": true,
            "return": "0x29254ee07a0",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29254bf0002"
              },
              {
                "name": "Type",
                "value": "#6"
              },
              {
                "name": "Name",
                "value": "#126"
              },
              {
                "name": "Language",
                "value": "0x00000409"
              }
            ],
            "repeated": 0,
            "id": 13243
          },
          {
            "timestamp": "2026-05-28 22:01:58,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "SizeofResource",
            "status": true,
            "return": "0x00000364",
            "arguments": [
              {
                "name": "ModuleHandle",
                "value": "0x29254bf0002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29254ee07a0"
              }
            ],
            "repeated": 0,
            "id": 13244
          },
          {
            "timestamp": "2026-05-28 22:01:58,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "LoadResource",
            "status": true,
            "return": "0x29254ee3cc4",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29254bf0002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29254ee07a0"
              }
            ],
            "repeated": 0,
            "id": 13245
          },
          {
            "timestamp": "2026-05-28 22:01:58,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254ee0000"
              },
              {
                "name": "RegionSize",
                "value": "0x0002a000"
              }
            ],
            "repeated": 0,
            "id": 13246
          },
          {
            "timestamp": "2026-05-28 22:01:58,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000008ec"
              }
            ],
            "repeated": 0,
            "id": 13247
          },
          {
            "timestamp": "2026-05-28 22:01:58,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254bf0000"
              },
              {
                "name": "RegionSize",
                "value": "0x002ed000"
              }
            ],
            "repeated": 0,
            "id": 13248
          },
          {
            "timestamp": "2026-05-28 22:01:58,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 13249
          },
          {
            "timestamp": "2026-05-28 22:01:58,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29254bf0002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\System32\\wevtsvc.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x0000002a"
              }
            ],
            "repeated": 0,
            "id": 13250
          },
          {
            "timestamp": "2026-05-28 22:01:58,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "FindResourceExW",
            "status": true,
            "return": "0x29254dd0540",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29254bf0002"
              },
              {
                "name": "Type",
                "value": "#6"
              },
              {
                "name": "Name",
                "value": "#7"
              },
              {
                "name": "Language",
                "value": "0x00000409"
              }
            ],
            "repeated": 0,
            "id": 13251
          },
          {
            "timestamp": "2026-05-28 22:01:58,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "SizeofResource",
            "status": true,
            "return": "0x00000122",
            "arguments": [
              {
                "name": "ModuleHandle",
                "value": "0x29254bf0002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29254dd0540"
              }
            ],
            "repeated": 0,
            "id": 13252
          },
          {
            "timestamp": "2026-05-28 22:01:58,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "LoadResource",
            "status": true,
            "return": "0x29254dd0650",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29254bf0002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29254dd0540"
              }
            ],
            "repeated": 0,
            "id": 13253
          },
          {
            "timestamp": "2026-05-28 22:01:58,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254dd0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 13254
          },
          {
            "timestamp": "2026-05-28 22:01:58,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000008ec"
              }
            ],
            "repeated": 0,
            "id": 13255
          },
          {
            "timestamp": "2026-05-28 22:01:58,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254bf0000"
              },
              {
                "name": "RegionSize",
                "value": "0x001d3000"
              }
            ],
            "repeated": 0,
            "id": 13256
          },
          {
            "timestamp": "2026-05-28 22:01:58,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 13257
          },
          {
            "timestamp": "2026-05-28 22:01:58,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29254bf0002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "PeerDistSvc.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x0000002a"
              }
            ],
            "repeated": 0,
            "id": 13258
          },
          {
            "timestamp": "2026-05-28 22:01:58,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "FindResourceExW",
            "status": true,
            "return": "0x29254de05c0",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29254bf0002"
              },
              {
                "name": "Type",
                "value": "#6"
              },
              {
                "name": "Name",
                "value": "#1"
              },
              {
                "name": "Language",
                "value": "0x00000409"
              }
            ],
            "repeated": 0,
            "id": 13259
          },
          {
            "timestamp": "2026-05-28 22:01:58,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "SizeofResource",
            "status": true,
            "return": "0x0000036a",
            "arguments": [
              {
                "name": "ModuleHandle",
                "value": "0x29254bf0002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29254de05c0"
              }
            ],
            "repeated": 0,
            "id": 13260
          },
          {
            "timestamp": "2026-05-28 22:01:58,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "LoadResource",
            "status": true,
            "return": "0x29254de0710",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29254bf0002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29254de05c0"
              }
            ],
            "repeated": 0,
            "id": 13261
          },
          {
            "timestamp": "2026-05-28 22:01:58,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254de0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00008000"
              }
            ],
            "repeated": 0,
            "id": 13262
          },
          {
            "timestamp": "2026-05-28 22:01:58,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000008ec"
              }
            ],
            "repeated": 0,
            "id": 13263
          },
          {
            "timestamp": "2026-05-28 22:01:58,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254bf0000"
              },
              {
                "name": "RegionSize",
                "value": "0x001e7000"
              }
            ],
            "repeated": 0,
            "id": 13264
          },
          {
            "timestamp": "2026-05-28 22:01:58,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 13265
          },
          {
            "timestamp": "2026-05-28 22:01:58,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29254bf0002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "WsmRes.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x0000002a"
              }
            ],
            "repeated": 0,
            "id": 13266
          },
          {
            "timestamp": "2026-05-28 22:01:58,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "FindResourceExW",
            "status": true,
            "return": "0x29254c10520",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29254bf0002"
              },
              {
                "name": "Type",
                "value": "#6"
              },
              {
                "name": "Name",
                "value": "#1"
              },
              {
                "name": "Language",
                "value": "0x00000409"
              }
            ],
            "repeated": 0,
            "id": 13267
          },
          {
            "timestamp": "2026-05-28 22:01:58,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "SizeofResource",
            "status": true,
            "return": "0x000003cc",
            "arguments": [
              {
                "name": "ModuleHandle",
                "value": "0x29254bf0002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29254c10520"
              }
            ],
            "repeated": 0,
            "id": 13268
          },
          {
            "timestamp": "2026-05-28 22:01:58,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "LoadResource",
            "status": true,
            "return": "0x29254c10620",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29254bf0002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29254c10520"
              }
            ],
            "repeated": 0,
            "id": 13269
          },
          {
            "timestamp": "2026-05-28 22:01:58,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254c10000"
              },
              {
                "name": "RegionSize",
                "value": "0x0005a000"
              }
            ],
            "repeated": 0,
            "id": 13270
          },
          {
            "timestamp": "2026-05-28 22:01:58,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000008ec"
              }
            ],
            "repeated": 0,
            "id": 13271
          },
          {
            "timestamp": "2026-05-28 22:01:58,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254bf0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00011000"
              }
            ],
            "repeated": 0,
            "id": 13272
          },
          {
            "timestamp": "2026-05-28 22:01:58,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 13273
          },
          {
            "timestamp": "2026-05-28 22:01:58,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29254bf0002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "vid.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x0000002a"
              }
            ],
            "repeated": 0,
            "id": 13274
          },
          {
            "timestamp": "2026-05-28 22:01:58,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "FindResourceExW",
            "status": true,
            "return": "0x29254c114c8",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29254bf0002"
              },
              {
                "name": "Type",
                "value": "#6"
              },
              {
                "name": "Name",
                "value": "#1877"
              },
              {
                "name": "Language",
                "value": "0x00000409"
              }
            ],
            "repeated": 0,
            "id": 13275
          },
          {
            "timestamp": "2026-05-28 22:01:58,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "SizeofResource",
            "status": true,
            "return": "0x000000ee",
            "arguments": [
              {
                "name": "ModuleHandle",
                "value": "0x29254bf0002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29254c114c8"
              }
            ],
            "repeated": 0,
            "id": 13276
          },
          {
            "timestamp": "2026-05-28 22:01:58,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "LoadResource",
            "status": true,
            "return": "0x29254c11da0",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29254bf0002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29254c114c8"
              }
            ],
            "repeated": 0,
            "id": 13277
          },
          {
            "timestamp": "2026-05-28 22:01:58,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254c10000"
              },
              {
                "name": "RegionSize",
                "value": "0x0001c000"
              }
            ],
            "repeated": 0,
            "id": 13278
          },
          {
            "timestamp": "2026-05-28 22:01:58,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000008ec"
              }
            ],
            "repeated": 0,
            "id": 13279
          },
          {
            "timestamp": "2026-05-28 22:01:58,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254bf0000"
              },
              {
                "name": "RegionSize",
                "value": "0x0001b000"
              }
            ],
            "repeated": 0,
            "id": 13280
          },
          {
            "timestamp": "2026-05-28 22:01:58,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 13281
          },
          {
            "timestamp": "2026-05-28 22:01:58,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29254bf0002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\system32\\mprddm.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x0000002a"
              }
            ],
            "repeated": 0,
            "id": 13282
          },
          {
            "timestamp": "2026-05-28 22:01:58,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "FindResourceExW",
            "status": true,
            "return": "0x29254ce0590",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29254bf0002"
              },
              {
                "name": "Type",
                "value": "#6"
              },
              {
                "name": "Name",
                "value": "#7"
              },
              {
                "name": "Language",
                "value": "0x00000409"
              }
            ],
            "repeated": 0,
            "id": 13283
          },
          {
            "timestamp": "2026-05-28 22:01:58,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "SizeofResource",
            "status": true,
            "return": "0x0000022a",
            "arguments": [
              {
                "name": "ModuleHandle",
                "value": "0x29254bf0002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29254ce0590"
              }
            ],
            "repeated": 0,
            "id": 13284
          },
          {
            "timestamp": "2026-05-28 22:01:58,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "LoadResource",
            "status": true,
            "return": "0x29254ce07e4",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29254bf0002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29254ce0590"
              }
            ],
            "repeated": 0,
            "id": 13285
          },
          {
            "timestamp": "2026-05-28 22:01:58,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254ce0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00002000"
              }
            ],
            "repeated": 0,
            "id": 13286
          },
          {
            "timestamp": "2026-05-28 22:01:58,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000008ec"
              }
            ],
            "repeated": 0,
            "id": 13287
          },
          {
            "timestamp": "2026-05-28 22:01:58,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254bf0000"
              },
              {
                "name": "RegionSize",
                "value": "0x000e6000"
              }
            ],
            "repeated": 0,
            "id": 13288
          },
          {
            "timestamp": "2026-05-28 22:01:58,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 2,
            "id": 13289
          },
          {
            "timestamp": "2026-05-28 22:01:58,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29254bf0002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\System32\\Drivers\\Synth3dVsc.sys"
              },
              {
                "name": "dwFlags",
                "value": "0x0000002a"
              }
            ],
            "repeated": 0,
            "id": 13290
          },
          {
            "timestamp": "2026-05-28 22:01:58,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "FindResourceExW",
            "status": false,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29254bf0002"
              },
              {
                "name": "Type",
                "value": "#6"
              },
              {
                "name": "Name",
                "value": "#188"
              },
              {
                "name": "Language",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 13291
          },
          {
            "timestamp": "2026-05-28 22:01:58,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254bf0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00009000"
              }
            ],
            "repeated": 0,
            "id": 13292
          },
          {
            "timestamp": "2026-05-28 22:01:58,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 13293
          },
          {
            "timestamp": "2026-05-28 22:01:58,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29254bf0002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\System32\\Drivers\\Synth3dVsc.sys"
              },
              {
                "name": "dwFlags",
                "value": "0x0000002a"
              }
            ],
            "repeated": 0,
            "id": 13294
          },
          {
            "timestamp": "2026-05-28 22:01:58,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "FindResourceExW",
            "status": false,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29254bf0002"
              },
              {
                "name": "Type",
                "value": "#6"
              },
              {
                "name": "Name",
                "value": "#188"
              },
              {
                "name": "Language",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 13295
          },
          {
            "timestamp": "2026-05-28 22:01:58,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254bf0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00009000"
              }
            ],
            "repeated": 0,
            "id": 13296
          },
          {
            "timestamp": "2026-05-28 22:01:58,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 13297
          },
          {
            "timestamp": "2026-05-28 22:01:58,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29254bf0002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\System32\\Drivers\\Synth3dVsc.sys"
              },
              {
                "name": "dwFlags",
                "value": "0x0000002a"
              }
            ],
            "repeated": 0,
            "id": 13298
          },
          {
            "timestamp": "2026-05-28 22:01:58,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "FindResourceExW",
            "status": false,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29254bf0002"
              },
              {
                "name": "Type",
                "value": "#6"
              },
              {
                "name": "Name",
                "value": "#126"
              },
              {
                "name": "Language",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 13299
          },
          {
            "timestamp": "2026-05-28 22:01:58,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254bf0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00009000"
              }
            ],
            "repeated": 0,
            "id": 13300
          },
          {
            "timestamp": "2026-05-28 22:01:58,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 13301
          },
          {
            "timestamp": "2026-05-28 22:01:58,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29254bf0002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\System32\\Drivers\\Synth3dVsc.sys"
              },
              {
                "name": "dwFlags",
                "value": "0x0000002a"
              }
            ],
            "repeated": 0,
            "id": 13302
          },
          {
            "timestamp": "2026-05-28 22:01:58,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "FindResourceExW",
            "status": false,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29254bf0002"
              },
              {
                "name": "Type",
                "value": "#6"
              },
              {
                "name": "Name",
                "value": "#126"
              },
              {
                "name": "Language",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 13303
          },
          {
            "timestamp": "2026-05-28 22:01:58,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254bf0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00009000"
              }
            ],
            "repeated": 0,
            "id": 13304
          },
          {
            "timestamp": "2026-05-28 22:01:58,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 13305
          },
          {
            "timestamp": "2026-05-28 22:01:58,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29254bf0002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\WorkflowServiceHostPerformanceCounters.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x0000002a"
              }
            ],
            "repeated": 0,
            "id": 13306
          },
          {
            "timestamp": "2026-05-28 22:01:58,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "FindResourceExW",
            "status": true,
            "return": "0x29254c10368",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29254bf0002"
              },
              {
                "name": "Type",
                "value": "#6"
              },
              {
                "name": "Name",
                "value": "#1"
              },
              {
                "name": "Language",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 13307
          },
          {
            "timestamp": "2026-05-28 22:01:58,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "SizeofResource",
            "status": true,
            "return": "0x0000035c",
            "arguments": [
              {
                "name": "ModuleHandle",
                "value": "0x29254bf0002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29254c10368"
              }
            ],
            "repeated": 0,
            "id": 13308
          },
          {
            "timestamp": "2026-05-28 22:01:58,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "LoadResource",
            "status": true,
            "return": "0x29254c10490",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29254bf0002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29254c10368"
              }
            ],
            "repeated": 0,
            "id": 13309
          },
          {
            "timestamp": "2026-05-28 22:01:58,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254c10000"
              },
              {
                "name": "RegionSize",
                "value": "0x00006000"
              }
            ],
            "repeated": 0,
            "id": 13310
          },
          {
            "timestamp": "2026-05-28 22:01:58,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000008ec"
              }
            ],
            "repeated": 0,
            "id": 13311
          },
          {
            "timestamp": "2026-05-28 22:01:58,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254bf0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00019000"
              }
            ],
            "repeated": 0,
            "id": 13312
          },
          {
            "timestamp": "2026-05-28 22:01:58,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 13313
          },
          {
            "timestamp": "2026-05-28 22:01:58,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29254bf0002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "lsm.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x0000002a"
              }
            ],
            "repeated": 0,
            "id": 13314
          },
          {
            "timestamp": "2026-05-28 22:01:58,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "FindResourceExW",
            "status": true,
            "return": "0x29254cd0560",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29254bf0002"
              },
              {
                "name": "Type",
                "value": "#6"
              },
              {
                "name": "Name",
                "value": "#1"
              },
              {
                "name": "Language",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 13315
          },
          {
            "timestamp": "2026-05-28 22:01:58,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "SizeofResource",
            "status": true,
            "return": "0x00000264",
            "arguments": [
              {
                "name": "ModuleHandle",
                "value": "0x29254bf0002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29254cd0560"
              }
            ],
            "repeated": 0,
            "id": 13316
          },
          {
            "timestamp": "2026-05-28 22:01:58,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "LoadResource",
            "status": true,
            "return": "0x29254cd0680",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29254bf0002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29254cd0560"
              }
            ],
            "repeated": 0,
            "id": 13317
          },
          {
            "timestamp": "2026-05-28 22:01:58,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254cd0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00003000"
              }
            ],
            "repeated": 0,
            "id": 13318
          },
          {
            "timestamp": "2026-05-28 22:01:58,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000008ec"
              }
            ],
            "repeated": 0,
            "id": 13319
          },
          {
            "timestamp": "2026-05-28 22:01:58,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254bf0000"
              },
              {
                "name": "RegionSize",
                "value": "0x000d5000"
              }
            ],
            "repeated": 0,
            "id": 13320
          },
          {
            "timestamp": "2026-05-28 22:01:58,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 13321
          },
          {
            "timestamp": "2026-05-28 22:01:58,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29254bf0002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "HvHostSvc.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x0000002a"
              }
            ],
            "repeated": 0,
            "id": 13322
          },
          {
            "timestamp": "2026-05-28 22:01:58,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "FindResourceExW",
            "status": true,
            "return": "0x29254c10e98",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29254bf0002"
              },
              {
                "name": "Type",
                "value": "#6"
              },
              {
                "name": "Name",
                "value": "#1253"
              },
              {
                "name": "Language",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 13323
          },
          {
            "timestamp": "2026-05-28 22:01:58,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "SizeofResource",
            "status": true,
            "return": "0x0000030e",
            "arguments": [
              {
                "name": "ModuleHandle",
                "value": "0x29254bf0002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29254c10e98"
              }
            ],
            "repeated": 0,
            "id": 13324
          },
          {
            "timestamp": "2026-05-28 22:01:58,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "LoadResource",
            "status": true,
            "return": "0x29254c11b48",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29254bf0002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29254c10e98"
              }
            ],
            "repeated": 0,
            "id": 13325
          },
          {
            "timestamp": "2026-05-28 22:01:58,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254c10000"
              },
              {
                "name": "RegionSize",
                "value": "0x00016000"
              }
            ],
            "repeated": 0,
            "id": 13326
          },
          {
            "timestamp": "2026-05-28 22:01:58,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000008ec"
              }
            ],
            "repeated": 0,
            "id": 13327
          },
          {
            "timestamp": "2026-05-28 22:01:58,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254bf0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00013000"
              }
            ],
            "repeated": 0,
            "id": 13328
          },
          {
            "timestamp": "2026-05-28 22:01:58,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 13329
          },
          {
            "timestamp": "2026-05-28 22:01:58,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29254bf0002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "HvHostSvc.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x0000002a"
              }
            ],
            "repeated": 0,
            "id": 13330
          },
          {
            "timestamp": "2026-05-28 22:01:58,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "FindResourceExW",
            "status": true,
            "return": "0x29254c10e78",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29254bf0002"
              },
              {
                "name": "Type",
                "value": "#6"
              },
              {
                "name": "Name",
                "value": "#1251"
              },
              {
                "name": "Language",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 13331
          },
          {
            "timestamp": "2026-05-28 22:01:58,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "SizeofResource",
            "status": true,
            "return": "0x000002ae",
            "arguments": [
              {
                "name": "ModuleHandle",
                "value": "0x29254bf0002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29254c10e78"
              }
            ],
            "repeated": 0,
            "id": 13332
          },
          {
            "timestamp": "2026-05-28 22:01:58,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "LoadResource",
            "status": true,
            "return": "0x29254c11548",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29254bf0002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29254c10e78"
              }
            ],
            "repeated": 0,
            "id": 13333
          },
          {
            "timestamp": "2026-05-28 22:01:58,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254c10000"
              },
              {
                "name": "RegionSize",
                "value": "0x00016000"
              }
            ],
            "repeated": 0,
            "id": 13334
          },
          {
            "timestamp": "2026-05-28 22:01:58,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000008ec"
              }
            ],
            "repeated": 0,
            "id": 13335
          },
          {
            "timestamp": "2026-05-28 22:01:58,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254bf0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00013000"
              }
            ],
            "repeated": 0,
            "id": 13336
          },
          {
            "timestamp": "2026-05-28 22:01:58,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 13337
          },
          {
            "timestamp": "2026-05-28 22:01:58,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29254bf0002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "HvHostSvc.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x0000002a"
              }
            ],
            "repeated": 0,
            "id": 13338
          },
          {
            "timestamp": "2026-05-28 22:01:58,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "FindResourceExW",
            "status": true,
            "return": "0x29254c10f58",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29254bf0002"
              },
              {
                "name": "Type",
                "value": "#6"
              },
              {
                "name": "Name",
                "value": "#1265"
              },
              {
                "name": "Language",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 13339
          },
          {
            "timestamp": "2026-05-28 22:01:58,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "SizeofResource",
            "status": true,
            "return": "0x000002fa",
            "arguments": [
              {
                "name": "ModuleHandle",
                "value": "0x29254bf0002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29254c10f58"
              }
            ],
            "repeated": 0,
            "id": 13340
          },
          {
            "timestamp": "2026-05-28 22:01:58,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "LoadResource",
            "status": true,
            "return": "0x29254c147b8",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29254bf0002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29254c10f58"
              }
            ],
            "repeated": 0,
            "id": 13341
          },
          {
            "timestamp": "2026-05-28 22:01:58,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254c10000"
              },
              {
                "name": "RegionSize",
                "value": "0x00016000"
              }
            ],
            "repeated": 0,
            "id": 13342
          },
          {
            "timestamp": "2026-05-28 22:01:58,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000008ec"
              }
            ],
            "repeated": 0,
            "id": 13343
          },
          {
            "timestamp": "2026-05-28 22:01:58,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254bf0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00013000"
              }
            ],
            "repeated": 0,
            "id": 13344
          },
          {
            "timestamp": "2026-05-28 22:01:58,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 13345
          },
          {
            "timestamp": "2026-05-28 22:01:58,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29254bf0002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "HvHostSvc.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x0000002a"
              }
            ],
            "repeated": 0,
            "id": 13346
          },
          {
            "timestamp": "2026-05-28 22:01:58,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "FindResourceExW",
            "status": true,
            "return": "0x29254c10fe8",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29254bf0002"
              },
              {
                "name": "Type",
                "value": "#6"
              },
              {
                "name": "Name",
                "value": "#1274"
              },
              {
                "name": "Language",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 13347
          },
          {
            "timestamp": "2026-05-28 22:01:58,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "SizeofResource",
            "status": true,
            "return": "0x00000386",
            "arguments": [
              {
                "name": "ModuleHandle",
                "value": "0x29254bf0002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29254c10fe8"
              }
            ],
            "repeated": 0,
            "id": 13348
          },
          {
            "timestamp": "2026-05-28 22:01:58,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "LoadResource",
            "status": true,
            "return": "0x29254c164e0",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29254bf0002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29254c10fe8"
              }
            ],
            "repeated": 0,
            "id": 13349
          },
          {
            "timestamp": "2026-05-28 22:01:58,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254c10000"
              },
              {
                "name": "RegionSize",
                "value": "0x00016000"
              }
            ],
            "repeated": 0,
            "id": 13350
          },
          {
            "timestamp": "2026-05-28 22:01:58,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000008ec"
              }
            ],
            "repeated": 0,
            "id": 13351
          },
          {
            "timestamp": "2026-05-28 22:01:58,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254bf0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00013000"
              }
            ],
            "repeated": 0,
            "id": 13352
          },
          {
            "timestamp": "2026-05-28 22:01:58,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 13353
          },
          {
            "timestamp": "2026-05-28 22:01:58,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29254bf0002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\system32\\drivers\\pacer.sys"
              },
              {
                "name": "dwFlags",
                "value": "0x0000002a"
              }
            ],
            "repeated": 0,
            "id": 13354
          },
          {
            "timestamp": "2026-05-28 22:01:58,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "FindResourceExW",
            "status": true,
            "return": "0x29254c20670",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29254bf0002"
              },
              {
                "name": "Type",
                "value": "#6"
              },
              {
                "name": "Name",
                "value": "#63"
              },
              {
                "name": "Language",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 13355
          },
          {
            "timestamp": "2026-05-28 22:01:58,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "SizeofResource",
            "status": true,
            "return": "0x000001aa",
            "arguments": [
              {
                "name": "ModuleHandle",
                "value": "0x29254bf0002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29254c20670"
              }
            ],
            "repeated": 0,
            "id": 13356
          },
          {
            "timestamp": "2026-05-28 22:01:58,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "LoadResource",
            "status": true,
            "return": "0x29254c2095c",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29254bf0002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29254c20670"
              }
            ],
            "repeated": 0,
            "id": 13357
          },
          {
            "timestamp": "2026-05-28 22:01:58,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254c20000"
              },
              {
                "name": "RegionSize",
                "value": "0x00005000"
              }
            ],
            "repeated": 0,
            "id": 13358
          },
          {
            "timestamp": "2026-05-28 22:01:58,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000008ec"
              }
            ],
            "repeated": 0,
            "id": 13359
          },
          {
            "timestamp": "2026-05-28 22:01:58,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254bf0000"
              },
              {
                "name": "RegionSize",
                "value": "0x0002b000"
              }
            ],
            "repeated": 0,
            "id": 13360
          },
          {
            "timestamp": "2026-05-28 22:01:58,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 13361
          },
          {
            "timestamp": "2026-05-28 22:01:58,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29254bf0002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\system32\\drivers\\pacer.sys"
              },
              {
                "name": "dwFlags",
                "value": "0x0000002a"
              }
            ],
            "repeated": 0,
            "id": 13362
          },
          {
            "timestamp": "2026-05-28 22:01:58,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "FindResourceExW",
            "status": true,
            "return": "0x29254c206c0",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29254bf0002"
              },
              {
                "name": "Type",
                "value": "#6"
              },
              {
                "name": "Name",
                "value": "#68"
              },
              {
                "name": "Language",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 13363
          },
          {
            "timestamp": "2026-05-28 22:01:58,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "SizeofResource",
            "status": true,
            "return": "0x0000049e",
            "arguments": [
              {
                "name": "ModuleHandle",
                "value": "0x29254bf0002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29254c206c0"
              }
            ],
            "repeated": 0,
            "id": 13364
          },
          {
            "timestamp": "2026-05-28 22:01:58,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "LoadResource",
            "status": true,
            "return": "0x29254c21b38",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29254bf0002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29254c206c0"
              }
            ],
            "repeated": 0,
            "id": 13365
          },
          {
            "timestamp": "2026-05-28 22:01:58,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254c20000"
              },
              {
                "name": "RegionSize",
                "value": "0x00005000"
              }
            ],
            "repeated": 0,
            "id": 13366
          },
          {
            "timestamp": "2026-05-28 22:01:58,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000008ec"
              }
            ],
            "repeated": 0,
            "id": 13367
          },
          {
            "timestamp": "2026-05-28 22:01:58,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254bf0000"
              },
              {
                "name": "RegionSize",
                "value": "0x0002b000"
              }
            ],
            "repeated": 0,
            "id": 13368
          },
          {
            "timestamp": "2026-05-28 22:01:58,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 13369
          },
          {
            "timestamp": "2026-05-28 22:01:58,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29254bf0002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "fwpuclnt.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x0000002a"
              }
            ],
            "repeated": 0,
            "id": 13370
          },
          {
            "timestamp": "2026-05-28 22:01:58,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "FindResourceExW",
            "status": true,
            "return": "0x29254c713e0",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29254bf0002"
              },
              {
                "name": "Type",
                "value": "#6"
              },
              {
                "name": "Name",
                "value": "#41"
              },
              {
                "name": "Language",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 13371
          },
          {
            "timestamp": "2026-05-28 22:01:58,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "SizeofResource",
            "status": true,
            "return": "0x0000077a",
            "arguments": [
              {
                "name": "ModuleHandle",
                "value": "0x29254bf0002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29254c713e0"
              }
            ],
            "repeated": 0,
            "id": 13372
          },
          {
            "timestamp": "2026-05-28 22:01:58,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "LoadResource",
            "status": true,
            "return": "0x29254c7fcd8",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29254bf0002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29254c713e0"
              }
            ],
            "repeated": 0,
            "id": 13373
          },
          {
            "timestamp": "2026-05-28 22:01:58,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254c70000"
              },
              {
                "name": "RegionSize",
                "value": "0x00025000"
              }
            ],
            "repeated": 0,
            "id": 13374
          },
          {
            "timestamp": "2026-05-28 22:01:58,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000008ec"
              }
            ],
            "repeated": 0,
            "id": 13375
          },
          {
            "timestamp": "2026-05-28 22:01:58,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254bf0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00080000"
              }
            ],
            "repeated": 0,
            "id": 13376
          },
          {
            "timestamp": "2026-05-28 22:01:58,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 13377
          },
          {
            "timestamp": "2026-05-28 22:01:58,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29254bf0002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "fwpuclnt.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x0000002a"
              }
            ],
            "repeated": 0,
            "id": 13378
          },
          {
            "timestamp": "2026-05-28 22:01:58,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "FindResourceExW",
            "status": true,
            "return": "0x29254c71410",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29254bf0002"
              },
              {
                "name": "Type",
                "value": "#6"
              },
              {
                "name": "Name",
                "value": "#44"
              },
              {
                "name": "Language",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 13379
          },
          {
            "timestamp": "2026-05-28 22:01:58,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "SizeofResource",
            "status": true,
            "return": "0x000005e2",
            "arguments": [
              {
                "name": "ModuleHandle",
                "value": "0x29254bf0002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29254c71410"
              }
            ],
            "repeated": 0,
            "id": 13380
          },
          {
            "timestamp": "2026-05-28 22:01:58,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "LoadResource",
            "status": true,
            "return": "0x29254c80ed4",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29254bf0002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29254c71410"
              }
            ],
            "repeated": 0,
            "id": 13381
          },
          {
            "timestamp": "2026-05-28 22:01:58,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254c70000"
              },
              {
                "name": "RegionSize",
                "value": "0x00025000"
              }
            ],
            "repeated": 0,
            "id": 13382
          },
          {
            "timestamp": "2026-05-28 22:01:58,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000008ec"
              }
            ],
            "repeated": 0,
            "id": 13383
          },
          {
            "timestamp": "2026-05-28 22:01:58,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254bf0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00080000"
              }
            ],
            "repeated": 0,
            "id": 13384
          },
          {
            "timestamp": "2026-05-28 22:01:58,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 13385
          },
          {
            "timestamp": "2026-05-28 22:01:58,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29254bf0002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "fwpuclnt.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x0000002a"
              }
            ],
            "repeated": 0,
            "id": 13386
          },
          {
            "timestamp": "2026-05-28 22:01:58,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "FindResourceExW",
            "status": true,
            "return": "0x29254c712f0",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29254bf0002"
              },
              {
                "name": "Type",
                "value": "#6"
              },
              {
                "name": "Name",
                "value": "#26"
              },
              {
                "name": "Language",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 13387
          },
          {
            "timestamp": "2026-05-28 22:01:58,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "SizeofResource",
            "status": true,
            "return": "0x000004f6",
            "arguments": [
              {
                "name": "ModuleHandle",
                "value": "0x29254bf0002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29254c712f0"
              }
            ],
            "repeated": 0,
            "id": 13388
          },
          {
            "timestamp": "2026-05-28 22:01:58,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "LoadResource",
            "status": true,
            "return": "0x29254c7ab30",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29254bf0002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29254c712f0"
              }
            ],
            "repeated": 0,
            "id": 13389
          },
          {
            "timestamp": "2026-05-28 22:01:58,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254c70000"
              },
              {
                "name": "RegionSize",
                "value": "0x00025000"
              }
            ],
            "repeated": 0,
            "id": 13390
          },
          {
            "timestamp": "2026-05-28 22:01:58,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000008ec"
              }
            ],
            "repeated": 0,
            "id": 13391
          },
          {
            "timestamp": "2026-05-28 22:01:58,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254bf0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00080000"
              }
            ],
            "repeated": 0,
            "id": 13392
          },
          {
            "timestamp": "2026-05-28 22:01:58,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 13393
          },
          {
            "timestamp": "2026-05-28 22:01:58,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29254bf0002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "fwpuclnt.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x0000002a"
              }
            ],
            "repeated": 0,
            "id": 13394
          },
          {
            "timestamp": "2026-05-28 22:01:58,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "FindResourceExW",
            "status": true,
            "return": "0x29254c714b0",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29254bf0002"
              },
              {
                "name": "Type",
                "value": "#6"
              },
              {
                "name": "Name",
                "value": "#54"
              },
              {
                "name": "Language",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 13395
          },
          {
            "timestamp": "2026-05-28 22:01:58,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "SizeofResource",
            "status": true,
            "return": "0x00000414",
            "arguments": [
              {
                "name": "ModuleHandle",
                "value": "0x29254bf0002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29254c714b0"
              }
            ],
            "repeated": 0,
            "id": 13396
          },
          {
            "timestamp": "2026-05-28 22:01:58,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "LoadResource",
            "status": true,
            "return": "0x29254c84398",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29254bf0002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29254c714b0"
              }
            ],
            "repeated": 0,
            "id": 13397
          },
          {
            "timestamp": "2026-05-28 22:01:58,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254c70000"
              },
              {
                "name": "RegionSize",
                "value": "0x00025000"
              }
            ],
            "repeated": 0,
            "id": 13398
          },
          {
            "timestamp": "2026-05-28 22:01:58,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000008ec"
              }
            ],
            "repeated": 0,
            "id": 13399
          },
          {
            "timestamp": "2026-05-28 22:01:58,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254bf0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00080000"
              }
            ],
            "repeated": 0,
            "id": 13400
          },
          {
            "timestamp": "2026-05-28 22:01:58,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 13401
          },
          {
            "timestamp": "2026-05-28 22:01:58,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29254bf0002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "fwpuclnt.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x0000002a"
              }
            ],
            "repeated": 0,
            "id": 13402
          },
          {
            "timestamp": "2026-05-28 22:01:58,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "FindResourceExW",
            "status": true,
            "return": "0x29254c71360",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29254bf0002"
              },
              {
                "name": "Type",
                "value": "#6"
              },
              {
                "name": "Name",
                "value": "#33"
              },
              {
                "name": "Language",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 13403
          },
          {
            "timestamp": "2026-05-28 22:01:58,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "SizeofResource",
            "status": true,
            "return": "0x000005e4",
            "arguments": [
              {
                "name": "ModuleHandle",
                "value": "0x29254bf0002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29254c71360"
              }
            ],
            "repeated": 0,
            "id": 13404
          },
          {
            "timestamp": "2026-05-28 22:01:58,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "LoadResource",
            "status": true,
            "return": "0x29254c7d0cc",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29254bf0002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29254c71360"
              }
            ],
            "repeated": 0,
            "id": 13405
          },
          {
            "timestamp": "2026-05-28 22:01:58,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254c70000"
              },
              {
                "name": "RegionSize",
                "value": "0x00025000"
              }
            ],
            "repeated": 0,
            "id": 13406
          },
          {
            "timestamp": "2026-05-28 22:01:58,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000008ec"
              }
            ],
            "repeated": 0,
            "id": 13407
          },
          {
            "timestamp": "2026-05-28 22:01:58,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254bf0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00080000"
              }
            ],
            "repeated": 0,
            "id": 13408
          },
          {
            "timestamp": "2026-05-28 22:01:58,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 13409
          },
          {
            "timestamp": "2026-05-28 22:01:58,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29254bf0002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "fwpuclnt.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x0000002a"
              }
            ],
            "repeated": 0,
            "id": 13410
          },
          {
            "timestamp": "2026-05-28 22:01:58,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "FindResourceExW",
            "status": true,
            "return": "0x29254c71460",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29254bf0002"
              },
              {
                "name": "Type",
                "value": "#6"
              },
              {
                "name": "Name",
                "value": "#49"
              },
              {
                "name": "Language",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 13411
          },
          {
            "timestamp": "2026-05-28 22:01:58,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "SizeofResource",
            "status": true,
            "return": "0x00000520",
            "arguments": [
              {
                "name": "ModuleHandle",
                "value": "0x29254bf0002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29254c71460"
              }
            ],
            "repeated": 0,
            "id": 13412
          },
          {
            "timestamp": "2026-05-28 22:01:58,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "LoadResource",
            "status": true,
            "return": "0x29254c82988",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29254bf0002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29254c71460"
              }
            ],
            "repeated": 0,
            "id": 13413
          },
          {
            "timestamp": "2026-05-28 22:01:58,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254c70000"
              },
              {
                "name": "RegionSize",
                "value": "0x00025000"
              }
            ],
            "repeated": 0,
            "id": 13414
          },
          {
            "timestamp": "2026-05-28 22:01:58,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000008ec"
              }
            ],
            "repeated": 0,
            "id": 13415
          },
          {
            "timestamp": "2026-05-28 22:01:58,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254bf0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00080000"
              }
            ],
            "repeated": 0,
            "id": 13416
          },
          {
            "timestamp": "2026-05-28 22:01:58,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 13417
          },
          {
            "timestamp": "2026-05-28 22:01:58,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29254bf0002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "fwpuclnt.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x0000002a"
              }
            ],
            "repeated": 0,
            "id": 13418
          },
          {
            "timestamp": "2026-05-28 22:01:58,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "FindResourceExW",
            "status": true,
            "return": "0x29254c71160",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29254bf0002"
              },
              {
                "name": "Type",
                "value": "#6"
              },
              {
                "name": "Name",
                "value": "#1"
              },
              {
                "name": "Language",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 13419
          },
          {
            "timestamp": "2026-05-28 22:01:58,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "SizeofResource",
            "status": true,
            "return": "0x00000576",
            "arguments": [
              {
                "name": "ModuleHandle",
                "value": "0x29254bf0002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29254c71160"
              }
            ],
            "repeated": 0,
            "id": 13420
          },
          {
            "timestamp": "2026-05-28 22:01:58,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "LoadResource",
            "status": true,
            "return": "0x29254c71880",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29254bf0002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29254c71160"
              }
            ],
            "repeated": 0,
            "id": 13421
          },
          {
            "timestamp": "2026-05-28 22:01:58,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254c70000"
              },
              {
                "name": "RegionSize",
                "value": "0x00025000"
              }
            ],
            "repeated": 0,
            "id": 13422
          },
          {
            "timestamp": "2026-05-28 22:01:58,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000008ec"
              }
            ],
            "repeated": 0,
            "id": 13423
          },
          {
            "timestamp": "2026-05-28 22:01:58,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254bf0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00080000"
              }
            ],
            "repeated": 0,
            "id": 13424
          },
          {
            "timestamp": "2026-05-28 22:01:58,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 13425
          },
          {
            "timestamp": "2026-05-28 22:01:58,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29254bf0002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "fwpuclnt.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x0000002a"
              }
            ],
            "repeated": 0,
            "id": 13426
          },
          {
            "timestamp": "2026-05-28 22:01:58,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "FindResourceExW",
            "status": true,
            "return": "0x29254c71250",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29254bf0002"
              },
              {
                "name": "Type",
                "value": "#6"
              },
              {
                "name": "Name",
                "value": "#16"
              },
              {
                "name": "Language",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 13427
          },
          {
            "timestamp": "2026-05-28 22:01:58,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "SizeofResource",
            "status": true,
            "return": "0x0000054e",
            "arguments": [
              {
                "name": "ModuleHandle",
                "value": "0x29254bf0002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29254c71250"
              }
            ],
            "repeated": 0,
            "id": 13428
          },
          {
            "timestamp": "2026-05-28 22:01:58,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "LoadResource",
            "status": true,
            "return": "0x29254c77700",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29254bf0002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29254c71250"
              }
            ],
            "repeated": 0,
            "id": 13429
          },
          {
            "timestamp": "2026-05-28 22:01:58,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254c70000"
              },
              {
                "name": "RegionSize",
                "value": "0x00025000"
              }
            ],
            "repeated": 0,
            "id": 13430
          },
          {
            "timestamp": "2026-05-28 22:01:58,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000008ec"
              }
            ],
            "repeated": 0,
            "id": 13431
          },
          {
            "timestamp": "2026-05-28 22:01:58,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254bf0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00080000"
              }
            ],
            "repeated": 0,
            "id": 13432
          },
          {
            "timestamp": "2026-05-28 22:01:58,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 13433
          },
          {
            "timestamp": "2026-05-28 22:01:58,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29254bf0002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "fwpuclnt.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x0000002a"
              }
            ],
            "repeated": 0,
            "id": 13434
          },
          {
            "timestamp": "2026-05-28 22:01:58,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "FindResourceExW",
            "status": true,
            "return": "0x29254c712a0",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29254bf0002"
              },
              {
                "name": "Type",
                "value": "#6"
              },
              {
                "name": "Name",
                "value": "#21"
              },
              {
                "name": "Language",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 13435
          },
          {
            "timestamp": "2026-05-28 22:01:58,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "SizeofResource",
            "status": true,
            "return": "0x00000520",
            "arguments": [
              {
                "name": "ModuleHandle",
                "value": "0x29254bf0002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29254c712a0"
              }
            ],
            "repeated": 0,
            "id": 13436
          },
          {
            "timestamp": "2026-05-28 22:01:58,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "LoadResource",
            "status": true,
            "return": "0x29254c79120",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29254bf0002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29254c712a0"
              }
            ],
            "repeated": 0,
            "id": 13437
          },
          {
            "timestamp": "2026-05-28 22:01:58,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254c70000"
              },
              {
                "name": "RegionSize",
                "value": "0x00025000"
              }
            ],
            "repeated": 0,
            "id": 13438
          },
          {
            "timestamp": "2026-05-28 22:01:58,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000008ec"
              }
            ],
            "repeated": 0,
            "id": 13439
          },
          {
            "timestamp": "2026-05-28 22:01:58,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254bf0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00080000"
              }
            ],
            "repeated": 0,
            "id": 13440
          },
          {
            "timestamp": "2026-05-28 22:01:58,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 13441
          },
          {
            "timestamp": "2026-05-28 22:01:58,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29254bf0002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "fwpuclnt.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x0000002a"
              }
            ],
            "repeated": 0,
            "id": 13442
          },
          {
            "timestamp": "2026-05-28 22:01:58,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "FindResourceExW",
            "status": true,
            "return": "0x29254c714c0",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29254bf0002"
              },
              {
                "name": "Type",
                "value": "#6"
              },
              {
                "name": "Name",
                "value": "#55"
              },
              {
                "name": "Language",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 13443
          },
          {
            "timestamp": "2026-05-28 22:01:58,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "SizeofResource",
            "status": true,
            "return": "0x0000031a",
            "arguments": [
              {
                "name": "ModuleHandle",
                "value": "0x29254bf0002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29254c714c0"
              }
            ],
            "repeated": 0,
            "id": 13444
          },
          {
            "timestamp": "2026-05-28 22:01:58,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "LoadResource",
            "status": true,
            "return": "0x29254c847ac",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29254bf0002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29254c714c0"
              }
            ],
            "repeated": 0,
            "id": 13445
          },
          {
            "timestamp": "2026-05-28 22:01:58,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254c70000"
              },
              {
                "name": "RegionSize",
                "value": "0x00025000"
              }
            ],
            "repeated": 0,
            "id": 13446
          },
          {
            "timestamp": "2026-05-28 22:01:58,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000008ec"
              }
            ],
            "repeated": 0,
            "id": 13447
          },
          {
            "timestamp": "2026-05-28 22:01:58,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254bf0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00080000"
              }
            ],
            "repeated": 0,
            "id": 13448
          },
          {
            "timestamp": "2026-05-28 22:01:58,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 13449
          },
          {
            "timestamp": "2026-05-28 22:01:58,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29254bf0002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "fwpuclnt.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x0000002a"
              }
            ],
            "repeated": 0,
            "id": 13450
          },
          {
            "timestamp": "2026-05-28 22:01:58,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "FindResourceExW",
            "status": true,
            "return": "0x29254c711d0",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29254bf0002"
              },
              {
                "name": "Type",
                "value": "#6"
              },
              {
                "name": "Name",
                "value": "#8"
              },
              {
                "name": "Language",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 13451
          },
          {
            "timestamp": "2026-05-28 22:01:58,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "SizeofResource",
            "status": true,
            "return": "0x00000490",
            "arguments": [
              {
                "name": "ModuleHandle",
                "value": "0x29254bf0002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29254c711d0"
              }
            ],
            "repeated": 0,
            "id": 13452
          },
          {
            "timestamp": "2026-05-28 22:01:58,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "LoadResource",
            "status": true,
            "return": "0x29254c74064",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29254bf0002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29254c711d0"
              }
            ],
            "repeated": 0,
            "id": 13453
          },
          {
            "timestamp": "2026-05-28 22:01:58,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254c70000"
              },
              {
                "name": "RegionSize",
                "value": "0x00025000"
              }
            ],
            "repeated": 0,
            "id": 13454
          },
          {
            "timestamp": "2026-05-28 22:01:58,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000008ec"
              }
            ],
            "repeated": 0,
            "id": 13455
          },
          {
            "timestamp": "2026-05-28 22:01:58,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254bf0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00080000"
              }
            ],
            "repeated": 0,
            "id": 13456
          },
          {
            "timestamp": "2026-05-28 22:01:58,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 13457
          },
          {
            "timestamp": "2026-05-28 22:01:58,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29254bf0002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "fwpuclnt.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x0000002a"
              }
            ],
            "repeated": 0,
            "id": 13458
          },
          {
            "timestamp": "2026-05-28 22:01:58,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "FindResourceExW",
            "status": true,
            "return": "0x29254c711d0",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29254bf0002"
              },
              {
                "name": "Type",
                "value": "#6"
              },
              {
                "name": "Name",
                "value": "#8"
              },
              {
                "name": "Language",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 13459
          },
          {
            "timestamp": "2026-05-28 22:01:58,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "SizeofResource",
            "status": true,
            "return": "0x00000490",
            "arguments": [
              {
                "name": "ModuleHandle",
                "value": "0x29254bf0002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29254c711d0"
              }
            ],
            "repeated": 0,
            "id": 13460
          },
          {
            "timestamp": "2026-05-28 22:01:58,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "LoadResource",
            "status": true,
            "return": "0x29254c74064",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29254bf0002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29254c711d0"
              }
            ],
            "repeated": 0,
            "id": 13461
          },
          {
            "timestamp": "2026-05-28 22:01:58,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254c70000"
              },
              {
                "name": "RegionSize",
                "value": "0x00025000"
              }
            ],
            "repeated": 0,
            "id": 13462
          },
          {
            "timestamp": "2026-05-28 22:01:58,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000008ec"
              }
            ],
            "repeated": 0,
            "id": 13463
          },
          {
            "timestamp": "2026-05-28 22:01:58,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254bf0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00080000"
              }
            ],
            "repeated": 0,
            "id": 13464
          },
          {
            "timestamp": "2026-05-28 22:01:58,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 13465
          },
          {
            "timestamp": "2026-05-28 22:01:58,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29254bf0002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "fwpuclnt.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x0000002a"
              }
            ],
            "repeated": 0,
            "id": 13466
          },
          {
            "timestamp": "2026-05-28 22:01:58,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "FindResourceExW",
            "status": true,
            "return": "0x29254c71720",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29254bf0002"
              },
              {
                "name": "Type",
                "value": "#6"
              },
              {
                "name": "Name",
                "value": "#188"
              },
              {
                "name": "Language",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 13467
          },
          {
            "timestamp": "2026-05-28 22:01:58,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "SizeofResource",
            "status": true,
            "return": "0x000001d0",
            "arguments": [
              {
                "name": "ModuleHandle",
                "value": "0x29254bf0002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29254c71720"
              }
            ],
            "repeated": 0,
            "id": 13468
          },
          {
            "timestamp": "2026-05-28 22:01:58,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "LoadResource",
            "status": true,
            "return": "0x29254c91fe8",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29254bf0002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29254c71720"
              }
            ],
            "repeated": 0,
            "id": 13469
          },
          {
            "timestamp": "2026-05-28 22:01:58,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254c70000"
              },
              {
                "name": "RegionSize",
                "value": "0x00025000"
              }
            ],
            "repeated": 0,
            "id": 13470
          },
          {
            "timestamp": "2026-05-28 22:01:58,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000008ec"
              }
            ],
            "repeated": 0,
            "id": 13471
          },
          {
            "timestamp": "2026-05-28 22:01:58,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254bf0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00080000"
              }
            ],
            "repeated": 0,
            "id": 13472
          },
          {
            "timestamp": "2026-05-28 22:01:58,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 13473
          },
          {
            "timestamp": "2026-05-28 22:01:58,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29254bf0002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "fwpuclnt.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x0000002a"
              }
            ],
            "repeated": 0,
            "id": 13474
          },
          {
            "timestamp": "2026-05-28 22:01:58,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "FindResourceExW",
            "status": true,
            "return": "0x29254c71190",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29254bf0002"
              },
              {
                "name": "Type",
                "value": "#6"
              },
              {
                "name": "Name",
                "value": "#4"
              },
              {
                "name": "Language",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 13475
          },
          {
            "timestamp": "2026-05-28 22:01:58,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "SizeofResource",
            "status": true,
            "return": "0x00000544",
            "arguments": [
              {
                "name": "ModuleHandle",
                "value": "0x29254bf0002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29254c71190"
              }
            ],
            "repeated": 0,
            "id": 13476
          },
          {
            "timestamp": "2026-05-28 22:01:58,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "LoadResource",
            "status": true,
            "return": "0x29254c729b8",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29254bf0002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29254c71190"
              }
            ],
            "repeated": 0,
            "id": 13477
          },
          {
            "timestamp": "2026-05-28 22:01:58,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254c70000"
              },
              {
                "name": "RegionSize",
                "value": "0x00025000"
              }
            ],
            "repeated": 0,
            "id": 13478
          },
          {
            "timestamp": "2026-05-28 22:01:58,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000008ec"
              }
            ],
            "repeated": 0,
            "id": 13479
          },
          {
            "timestamp": "2026-05-28 22:01:58,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254bf0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00080000"
              }
            ],
            "repeated": 0,
            "id": 13480
          },
          {
            "timestamp": "2026-05-28 22:01:58,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 13481
          },
          {
            "timestamp": "2026-05-28 22:01:58,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29254bf0002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "pnrpsvc.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x0000002a"
              }
            ],
            "repeated": 0,
            "id": 13482
          },
          {
            "timestamp": "2026-05-28 22:01:58,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "FindResourceExW",
            "status": true,
            "return": "0x29254c505e0",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29254bf0002"
              },
              {
                "name": "Type",
                "value": "#6"
              },
              {
                "name": "Name",
                "value": "#1"
              },
              {
                "name": "Language",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 13483
          },
          {
            "timestamp": "2026-05-28 22:01:58,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "SizeofResource",
            "status": true,
            "return": "0x000003e8",
            "arguments": [
              {
                "name": "ModuleHandle",
                "value": "0x29254bf0002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29254c505e0"
              }
            ],
            "repeated": 0,
            "id": 13484
          },
          {
            "timestamp": "2026-05-28 22:01:58,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "LoadResource",
            "status": true,
            "return": "0x29254c50740",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29254bf0002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29254c505e0"
              }
            ],
            "repeated": 0,
            "id": 13485
          },
          {
            "timestamp": "2026-05-28 22:01:58,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254c50000"
              },
              {
                "name": "RegionSize",
                "value": "0x00003000"
              }
            ],
            "repeated": 0,
            "id": 13486
          },
          {
            "timestamp": "2026-05-28 22:01:58,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000008ec"
              }
            ],
            "repeated": 0,
            "id": 13487
          },
          {
            "timestamp": "2026-05-28 22:01:58,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254bf0000"
              },
              {
                "name": "RegionSize",
                "value": "0x0005c000"
              }
            ],
            "repeated": 0,
            "id": 13488
          },
          {
            "timestamp": "2026-05-28 22:01:58,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 13489
          },
          {
            "timestamp": "2026-05-28 22:01:58,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29254bf0002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "AzRoles.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x0000002a"
              }
            ],
            "repeated": 0,
            "id": 13490
          },
          {
            "timestamp": "2026-05-28 22:01:58,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "FindResourceExW",
            "status": true,
            "return": "0x29254ca04e8",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29254bf0002"
              },
              {
                "name": "Type",
                "value": "#6"
              },
              {
                "name": "Name",
                "value": "#1"
              },
              {
                "name": "Language",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 13491
          },
          {
            "timestamp": "2026-05-28 22:01:58,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "SizeofResource",
            "status": true,
            "return": "0x000002e6",
            "arguments": [
              {
                "name": "ModuleHandle",
                "value": "0x29254bf0002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29254ca04e8"
              }
            ],
            "repeated": 0,
            "id": 13492
          },
          {
            "timestamp": "2026-05-28 22:01:58,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "LoadResource",
            "status": true,
            "return": "0x29254ca05d0",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29254bf0002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29254ca04e8"
              }
            ],
            "repeated": 0,
            "id": 13493
          },
          {
            "timestamp": "2026-05-28 22:01:58,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254ca0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              }
            ],
            "repeated": 0,
            "id": 13494
          },
          {
            "timestamp": "2026-05-28 22:01:58,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000008ec"
              }
            ],
            "repeated": 0,
            "id": 13495
          },
          {
            "timestamp": "2026-05-28 22:01:58,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254bf0000"
              },
              {
                "name": "RegionSize",
                "value": "0x000a1000"
              }
            ],
            "repeated": 0,
            "id": 13496
          },
          {
            "timestamp": "2026-05-28 22:01:58,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 13497
          },
          {
            "timestamp": "2026-05-28 22:01:58,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29254bf0002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "fxsresm.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x0000002a"
              }
            ],
            "repeated": 0,
            "id": 13498
          },
          {
            "timestamp": "2026-05-28 22:01:58,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "FindResourceExW",
            "status": true,
            "return": "0x29254ce24e8",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29254bf0002"
              },
              {
                "name": "Type",
                "value": "#6"
              },
              {
                "name": "Name",
                "value": "#1"
              },
              {
                "name": "Language",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 13499
          },
          {
            "timestamp": "2026-05-28 22:01:58,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "SizeofResource",
            "status": true,
            "return": "0x000002c8",
            "arguments": [
              {
                "name": "ModuleHandle",
                "value": "0x29254bf0002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29254ce24e8"
              }
            ],
            "repeated": 0,
            "id": 13500
          },
          {
            "timestamp": "2026-05-28 22:01:58,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "LoadResource",
            "status": true,
            "return": "0x29254cf0b90",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29254bf0002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29254ce24e8"
              }
            ],
            "repeated": 0,
            "id": 13501
          },
          {
            "timestamp": "2026-05-28 22:01:58,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254ce0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00029000"
              }
            ],
            "repeated": 0,
            "id": 13502
          },
          {
            "timestamp": "2026-05-28 22:01:58,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000008ec"
              }
            ],
            "repeated": 0,
            "id": 13503
          },
          {
            "timestamp": "2026-05-28 22:01:58,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254bf0000"
              },
              {
                "name": "RegionSize",
                "value": "0x000e4000"
              }
            ],
            "repeated": 0,
            "id": 13504
          },
          {
            "timestamp": "2026-05-28 22:01:58,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 13505
          },
          {
            "timestamp": "2026-05-28 22:01:58,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29254bf0002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\system32\\drivers\\afd.sys"
              },
              {
                "name": "dwFlags",
                "value": "0x0000002a"
              }
            ],
            "repeated": 0,
            "id": 13506
          },
          {
            "timestamp": "2026-05-28 22:01:58,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "FindResourceExW",
            "status": true,
            "return": "0x29254ca0540",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29254bf0002"
              },
              {
                "name": "Type",
                "value": "#6"
              },
              {
                "name": "Name",
                "value": "#1"
              },
              {
                "name": "Language",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 13507
          },
          {
            "timestamp": "2026-05-28 22:01:58,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "SizeofResource",
            "status": true,
            "return": "0x000003a4",
            "arguments": [
              {
                "name": "ModuleHandle",
                "value": "0x29254bf0002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29254ca0540"
              }
            ],
            "repeated": 0,
            "id": 13508
          },
          {
            "timestamp": "2026-05-28 22:01:58,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "LoadResource",
            "status": true,
            "return": "0x29254ca0650",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29254bf0002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29254ca0540"
              }
            ],
            "repeated": 0,
            "id": 13509
          },
          {
            "timestamp": "2026-05-28 22:01:58,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254ca0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00006000"
              }
            ],
            "repeated": 0,
            "id": 13510
          },
          {
            "timestamp": "2026-05-28 22:01:58,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000008ec"
              }
            ],
            "repeated": 0,
            "id": 13511
          },
          {
            "timestamp": "2026-05-28 22:01:58,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254bf0000"
              },
              {
                "name": "RegionSize",
                "value": "0x000a7000"
              }
            ],
            "repeated": 0,
            "id": 13512
          },
          {
            "timestamp": "2026-05-28 22:01:58,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 13513
          },
          {
            "timestamp": "2026-05-28 22:01:58,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29254bf0002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\system32\\drivers\\fvevol.sys"
              },
              {
                "name": "dwFlags",
                "value": "0x0000002a"
              }
            ],
            "repeated": 0,
            "id": 13514
          },
          {
            "timestamp": "2026-05-28 22:01:58,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "FindResourceExW",
            "status": true,
            "return": "0x29254cc05a0",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29254bf0002"
              },
              {
                "name": "Type",
                "value": "#6"
              },
              {
                "name": "Name",
                "value": "#3126"
              },
              {
                "name": "Language",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 13515
          },
          {
            "timestamp": "2026-05-28 22:01:58,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "SizeofResource",
            "status": true,
            "return": "0x000002f4",
            "arguments": [
              {
                "name": "ModuleHandle",
                "value": "0x29254bf0002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29254cc05a0"
              }
            ],
            "repeated": 0,
            "id": 13516
          },
          {
            "timestamp": "2026-05-28 22:01:58,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "LoadResource",
            "status": true,
            "return": "0x29254cc0788",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29254bf0002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29254cc05a0"
              }
            ],
            "repeated": 0,
            "id": 13517
          },
          {
            "timestamp": "2026-05-28 22:01:58,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254cc0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00006000"
              }
            ],
            "repeated": 0,
            "id": 13518
          },
          {
            "timestamp": "2026-05-28 22:01:58,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000008ec"
              }
            ],
            "repeated": 0,
            "id": 13519
          },
          {
            "timestamp": "2026-05-28 22:01:58,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254bf0000"
              },
              {
                "name": "RegionSize",
                "value": "0x000c9000"
              }
            ],
            "repeated": 0,
            "id": 13520
          },
          {
            "timestamp": "2026-05-28 22:01:58,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 13521
          },
          {
            "timestamp": "2026-05-28 22:01:58,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29254bf0002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\system32\\drivers\\spaceport.sys"
              },
              {
                "name": "dwFlags",
                "value": "0x0000002a"
              }
            ],
            "repeated": 0,
            "id": 13522
          },
          {
            "timestamp": "2026-05-28 22:01:58,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "FindResourceExW",
            "status": true,
            "return": "0x29254ca1880",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29254bf0002"
              },
              {
                "name": "Type",
                "value": "#6"
              },
              {
                "name": "Name",
                "value": "#7"
              },
              {
                "name": "Language",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 13523
          },
          {
            "timestamp": "2026-05-28 22:01:58,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "SizeofResource",
            "status": true,
            "return": "0x0000008c",
            "arguments": [
              {
                "name": "ModuleHandle",
                "value": "0x29254bf0002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29254ca1880"
              }
            ],
            "repeated": 0,
            "id": 13524
          },
          {
            "timestamp": "2026-05-28 22:01:58,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "LoadResource",
            "status": true,
            "return": "0x29254ca2330",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29254bf0002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29254ca1880"
              }
            ],
            "repeated": 0,
            "id": 13525
          },
          {
            "timestamp": "2026-05-28 22:01:58,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254ca0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              }
            ],
            "repeated": 0,
            "id": 13526
          },
          {
            "timestamp": "2026-05-28 22:01:58,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000008ec"
              }
            ],
            "repeated": 0,
            "id": 13527
          },
          {
            "timestamp": "2026-05-28 22:01:58,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254bf0000"
              },
              {
                "name": "RegionSize",
                "value": "0x000ab000"
              }
            ],
            "repeated": 0,
            "id": 13528
          },
          {
            "timestamp": "2026-05-28 22:01:58,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 13529
          },
          {
            "timestamp": "2026-05-28 22:01:58,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29254bf0002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\system32\\drivers\\spaceport.sys"
              },
              {
                "name": "dwFlags",
                "value": "0x0000002a"
              }
            ],
            "repeated": 0,
            "id": 13530
          },
          {
            "timestamp": "2026-05-28 22:01:58,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "FindResourceExW",
            "status": true,
            "return": "0x29254ca18c0",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29254bf0002"
              },
              {
                "name": "Type",
                "value": "#6"
              },
              {
                "name": "Name",
                "value": "#32"
              },
              {
                "name": "Language",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 13531
          },
          {
            "timestamp": "2026-05-28 22:01:58,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "SizeofResource",
            "status": true,
            "return": "0x00000088",
            "arguments": [
              {
                "name": "ModuleHandle",
                "value": "0x29254bf0002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29254ca18c0"
              }
            ],
            "repeated": 0,
            "id": 13532
          },
          {
            "timestamp": "2026-05-28 22:01:58,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "LoadResource",
            "status": true,
            "return": "0x29254ca2650",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29254bf0002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29254ca18c0"
              }
            ],
            "repeated": 0,
            "id": 13533
          },
          {
            "timestamp": "2026-05-28 22:01:58,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254ca0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              }
            ],
            "repeated": 0,
            "id": 13534
          },
          {
            "timestamp": "2026-05-28 22:01:58,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000008ec"
              }
            ],
            "repeated": 0,
            "id": 13535
          },
          {
            "timestamp": "2026-05-28 22:01:58,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254bf0000"
              },
              {
                "name": "RegionSize",
                "value": "0x000ab000"
              }
            ],
            "repeated": 0,
            "id": 13536
          },
          {
            "timestamp": "2026-05-28 22:01:58,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 13537
          },
          {
            "timestamp": "2026-05-28 22:01:58,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29254bf0002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\system32\\drivers\\spaceport.sys"
              },
              {
                "name": "dwFlags",
                "value": "0x0000002a"
              }
            ],
            "repeated": 0,
            "id": 13538
          },
          {
            "timestamp": "2026-05-28 22:01:58,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "FindResourceExW",
            "status": true,
            "return": "0x29254ca18a0",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29254bf0002"
              },
              {
                "name": "Type",
                "value": "#6"
              },
              {
                "name": "Name",
                "value": "#19"
              },
              {
                "name": "Language",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 13539
          },
          {
            "timestamp": "2026-05-28 22:01:58,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "SizeofResource",
            "status": true,
            "return": "0x0000006c",
            "arguments": [
              {
                "name": "ModuleHandle",
                "value": "0x29254bf0002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29254ca18a0"
              }
            ],
            "repeated": 0,
            "id": 13540
          },
          {
            "timestamp": "2026-05-28 22:01:58,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "LoadResource",
            "status": true,
            "return": "0x29254ca24e0",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29254bf0002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29254ca18a0"
              }
            ],
            "repeated": 0,
            "id": 13541
          },
          {
            "timestamp": "2026-05-28 22:01:58,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254ca0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              }
            ],
            "repeated": 0,
            "id": 13542
          },
          {
            "timestamp": "2026-05-28 22:01:58,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000008ec"
              }
            ],
            "repeated": 0,
            "id": 13543
          },
          {
            "timestamp": "2026-05-28 22:01:58,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254bf0000"
              },
              {
                "name": "RegionSize",
                "value": "0x000ab000"
              }
            ],
            "repeated": 0,
            "id": 13544
          },
          {
            "timestamp": "2026-05-28 22:01:58,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 13545
          },
          {
            "timestamp": "2026-05-28 22:01:58,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29254bf0002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\system32\\drivers\\spaceport.sys"
              },
              {
                "name": "dwFlags",
                "value": "0x0000002a"
              }
            ],
            "repeated": 0,
            "id": 13546
          },
          {
            "timestamp": "2026-05-28 22:01:58,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "FindResourceExW",
            "status": true,
            "return": "0x29254ca18e0",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29254bf0002"
              },
              {
                "name": "Type",
                "value": "#6"
              },
              {
                "name": "Name",
                "value": "#44"
              },
              {
                "name": "Language",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 13547
          },
          {
            "timestamp": "2026-05-28 22:01:58,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "SizeofResource",
            "status": true,
            "return": "0x00000068",
            "arguments": [
              {
                "name": "ModuleHandle",
                "value": "0x29254bf0002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29254ca18e0"
              }
            ],
            "repeated": 0,
            "id": 13548
          },
          {
            "timestamp": "2026-05-28 22:01:58,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "LoadResource",
            "status": true,
            "return": "0x29254ca27f8",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29254bf0002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29254ca18e0"
              }
            ],
            "repeated": 0,
            "id": 13549
          },
          {
            "timestamp": "2026-05-28 22:01:58,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254ca0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              }
            ],
            "repeated": 0,
            "id": 13550
          },
          {
            "timestamp": "2026-05-28 22:01:58,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000008ec"
              }
            ],
            "repeated": 0,
            "id": 13551
          },
          {
            "timestamp": "2026-05-28 22:01:58,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254bf0000"
              },
              {
                "name": "RegionSize",
                "value": "0x000ab000"
              }
            ],
            "repeated": 0,
            "id": 13552
          },
          {
            "timestamp": "2026-05-28 22:01:58,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 13553
          },
          {
            "timestamp": "2026-05-28 22:01:58,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29254bf0002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\system32\\drivers\\refs.sys"
              },
              {
                "name": "dwFlags",
                "value": "0x0000002a"
              }
            ],
            "repeated": 0,
            "id": 13554
          },
          {
            "timestamp": "2026-05-28 22:01:58,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "FindResourceExW",
            "status": true,
            "return": "0x29254df0680",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29254bf0002"
              },
              {
                "name": "Type",
                "value": "#6"
              },
              {
                "name": "Name",
                "value": "#7"
              },
              {
                "name": "Language",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 13555
          },
          {
            "timestamp": "2026-05-28 22:01:58,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "SizeofResource",
            "status": true,
            "return": "0x00000030",
            "arguments": [
              {
                "name": "ModuleHandle",
                "value": "0x29254bf0002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29254df0680"
              }
            ],
            "repeated": 0,
            "id": 13556
          },
          {
            "timestamp": "2026-05-28 22:01:58,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "LoadResource",
            "status": true,
            "return": "0x29254df0830",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29254bf0002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29254df0680"
              }
            ],
            "repeated": 0,
            "id": 13557
          },
          {
            "timestamp": "2026-05-28 22:01:58,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254df0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00009000"
              }
            ],
            "repeated": 0,
            "id": 13558
          },
          {
            "timestamp": "2026-05-28 22:01:58,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000008ec"
              }
            ],
            "repeated": 0,
            "id": 13559
          },
          {
            "timestamp": "2026-05-28 22:01:58,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254bf0000"
              },
              {
                "name": "RegionSize",
                "value": "0x001f9000"
              }
            ],
            "repeated": 0,
            "id": 13560
          },
          {
            "timestamp": "2026-05-28 22:01:58,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 13561
          },
          {
            "timestamp": "2026-05-28 22:01:58,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29254bf0002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\system32\\mispace.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x0000002a"
              }
            ],
            "repeated": 0,
            "id": 13562
          },
          {
            "timestamp": "2026-05-28 22:01:58,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "FindResourceExW",
            "status": true,
            "return": "0x29254f006a0",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29254bf0002"
              },
              {
                "name": "Type",
                "value": "#6"
              },
              {
                "name": "Name",
                "value": "#7"
              },
              {
                "name": "Language",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 13563
          },
          {
            "timestamp": "2026-05-28 22:01:58,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "SizeofResource",
            "status": true,
            "return": "0x000000b4",
            "arguments": [
              {
                "name": "ModuleHandle",
                "value": "0x29254bf0002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29254f006a0"
              }
            ],
            "repeated": 0,
            "id": 13564
          },
          {
            "timestamp": "2026-05-28 22:01:58,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "LoadResource",
            "status": true,
            "return": "0x29254f00860",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29254bf0002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29254f006a0"
              }
            ],
            "repeated": 0,
            "id": 13565
          },
          {
            "timestamp": "2026-05-28 22:01:58,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254f00000"
              },
              {
                "name": "RegionSize",
                "value": "0x00006000"
              }
            ],
            "repeated": 0,
            "id": 13566
          },
          {
            "timestamp": "2026-05-28 22:01:58,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000008ec"
              }
            ],
            "repeated": 0,
            "id": 13567
          },
          {
            "timestamp": "2026-05-28 22:01:58,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254bf0000"
              },
              {
                "name": "RegionSize",
                "value": "0x0030b000"
              }
            ],
            "repeated": 0,
            "id": 13568
          },
          {
            "timestamp": "2026-05-28 22:01:58,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 13569
          },
          {
            "timestamp": "2026-05-28 22:01:58,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29254bf0002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\system32\\drivers\\vmbkmcl.sys"
              },
              {
                "name": "dwFlags",
                "value": "0x0000002a"
              }
            ],
            "repeated": 0,
            "id": 13570
          },
          {
            "timestamp": "2026-05-28 22:01:58,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "FindResourceExW",
            "status": true,
            "return": "0x29254c0f298",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29254bf0002"
              },
              {
                "name": "Type",
                "value": "#6"
              },
              {
                "name": "Name",
                "value": "#26"
              },
              {
                "name": "Language",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 13571
          },
          {
            "timestamp": "2026-05-28 22:01:58,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "SizeofResource",
            "status": true,
            "return": "0x000001ca",
            "arguments": [
              {
                "name": "ModuleHandle",
                "value": "0x29254bf0002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29254c0f298"
              }
            ],
            "repeated": 0,
            "id": 13572
          },
          {
            "timestamp": "2026-05-28 22:01:58,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "LoadResource",
            "status": true,
            "return": "0x29254c10588",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29254bf0002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29254c0f298"
              }
            ],
            "repeated": 0,
            "id": 13573
          },
          {
            "timestamp": "2026-05-28 22:01:58,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254bf0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00023000"
              }
            ],
            "repeated": 0,
            "id": 13574
          },
          {
            "timestamp": "2026-05-28 22:01:58,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 13575
          },
          {
            "timestamp": "2026-05-28 22:01:58,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29254bf0002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\system32\\drivers\\smbdirect.sys"
              },
              {
                "name": "dwFlags",
                "value": "0x0000002a"
              }
            ],
            "repeated": 0,
            "id": 13576
          },
          {
            "timestamp": "2026-05-28 22:01:58,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "FindResourceExW",
            "status": true,
            "return": "0x29254c305a0",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29254bf0002"
              },
              {
                "name": "Type",
                "value": "#6"
              },
              {
                "name": "Name",
                "value": "#1"
              },
              {
                "name": "Language",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 13577
          },
          {
            "timestamp": "2026-05-28 22:01:58,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "SizeofResource",
            "status": true,
            "return": "0x00000c9a",
            "arguments": [
              {
                "name": "ModuleHandle",
                "value": "0x29254bf0002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29254c305a0"
              }
            ],
            "repeated": 0,
            "id": 13578
          },
          {
            "timestamp": "2026-05-28 22:01:58,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "LoadResource",
            "status": true,
            "return": "0x29254c306e0",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29254bf0002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29254c305a0"
              }
            ],
            "repeated": 0,
            "id": 13579
          },
          {
            "timestamp": "2026-05-28 22:01:58,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254c30000"
              },
              {
                "name": "RegionSize",
                "value": "0x00008000"
              }
            ],
            "repeated": 0,
            "id": 13580
          },
          {
            "timestamp": "2026-05-28 22:01:58,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000008ec"
              }
            ],
            "repeated": 0,
            "id": 13581
          },
          {
            "timestamp": "2026-05-28 22:01:58,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254bf0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00031000"
              }
            ],
            "repeated": 0,
            "id": 13582
          },
          {
            "timestamp": "2026-05-28 22:01:58,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 13583
          },
          {
            "timestamp": "2026-05-28 22:01:58,428",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29254bf0002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "cscsvc.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x0000002a"
              }
            ],
            "repeated": 0,
            "id": 13584
          },
          {
            "timestamp": "2026-05-28 22:01:58,428",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "FindResourceExW",
            "status": true,
            "return": "0x29254cb0728",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29254bf0002"
              },
              {
                "name": "Type",
                "value": "#6"
              },
              {
                "name": "Name",
                "value": "#32"
              },
              {
                "name": "Language",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 13585
          },
          {
            "timestamp": "2026-05-28 22:01:58,428",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "SizeofResource",
            "status": true,
            "return": "0x000001bc",
            "arguments": [
              {
                "name": "ModuleHandle",
                "value": "0x29254bf0002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29254cb0728"
              }
            ],
            "repeated": 0,
            "id": 13586
          },
          {
            "timestamp": "2026-05-28 22:01:58,428",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "LoadResource",
            "status": true,
            "return": "0x29254cb1c40",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29254bf0002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29254cb0728"
              }
            ],
            "repeated": 0,
            "id": 13587
          },
          {
            "timestamp": "2026-05-28 22:01:58,428",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254cb0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00006000"
              }
            ],
            "repeated": 0,
            "id": 13588
          },
          {
            "timestamp": "2026-05-28 22:01:58,428",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000008f0"
              }
            ],
            "repeated": 0,
            "id": 13589
          },
          {
            "timestamp": "2026-05-28 22:01:58,428",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254bf0000"
              },
              {
                "name": "RegionSize",
                "value": "0x000be000"
              }
            ],
            "repeated": 0,
            "id": 13590
          },
          {
            "timestamp": "2026-05-28 22:01:58,428",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 13591
          },
          {
            "timestamp": "2026-05-28 22:01:58,428",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29254bf0002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "cscsvc.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x0000002a"
              }
            ],
            "repeated": 0,
            "id": 13592
          },
          {
            "timestamp": "2026-05-28 22:01:58,428",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "FindResourceExW",
            "status": true,
            "return": "0x29254cb0738",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29254bf0002"
              },
              {
                "name": "Type",
                "value": "#6"
              },
              {
                "name": "Name",
                "value": "#33"
              },
              {
                "name": "Language",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 13593
          },
          {
            "timestamp": "2026-05-28 22:01:58,428",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "SizeofResource",
            "status": true,
            "return": "0x00000314",
            "arguments": [
              {
                "name": "ModuleHandle",
                "value": "0x29254bf0002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29254cb0738"
              }
            ],
            "repeated": 0,
            "id": 13594
          },
          {
            "timestamp": "2026-05-28 22:01:58,428",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "LoadResource",
            "status": true,
            "return": "0x29254cb1dfc",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29254bf0002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29254cb0738"
              }
            ],
            "repeated": 0,
            "id": 13595
          },
          {
            "timestamp": "2026-05-28 22:01:58,428",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254cb0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00006000"
              }
            ],
            "repeated": 0,
            "id": 13596
          },
          {
            "timestamp": "2026-05-28 22:01:58,428",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000008f0"
              }
            ],
            "repeated": 0,
            "id": 13597
          },
          {
            "timestamp": "2026-05-28 22:01:58,428",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254bf0000"
              },
              {
                "name": "RegionSize",
                "value": "0x000be000"
              }
            ],
            "repeated": 0,
            "id": 13598
          },
          {
            "timestamp": "2026-05-28 22:01:58,428",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 13599
          },
          {
            "timestamp": "2026-05-28 22:01:58,428",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29254bf0002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\system32\\iphlpsvc.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x0000002a"
              }
            ],
            "repeated": 0,
            "id": 13600
          },
          {
            "timestamp": "2026-05-28 22:01:58,428",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "FindResourceExW",
            "status": true,
            "return": "0x29254cd07e0",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29254bf0002"
              },
              {
                "name": "Type",
                "value": "#6"
              },
              {
                "name": "Name",
                "value": "#7"
              },
              {
                "name": "Language",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 13601
          },
          {
            "timestamp": "2026-05-28 22:01:58,428",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "SizeofResource",
            "status": true,
            "return": "0x000003dc",
            "arguments": [
              {
                "name": "ModuleHandle",
                "value": "0x29254bf0002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29254cd07e0"
              }
            ],
            "repeated": 0,
            "id": 13602
          },
          {
            "timestamp": "2026-05-28 22:01:58,428",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "LoadResource",
            "status": true,
            "return": "0x29254cd2120",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29254bf0002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29254cd07e0"
              }
            ],
            "repeated": 0,
            "id": 13603
          },
          {
            "timestamp": "2026-05-28 22:01:58,428",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254cd0000"
              },
              {
                "name": "RegionSize",
                "value": "0x0000d000"
              }
            ],
            "repeated": 0,
            "id": 13604
          },
          {
            "timestamp": "2026-05-28 22:01:58,428",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000008f0"
              }
            ],
            "repeated": 0,
            "id": 13605
          },
          {
            "timestamp": "2026-05-28 22:01:58,428",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254bf0000"
              },
              {
                "name": "RegionSize",
                "value": "0x000d4000"
              }
            ],
            "repeated": 0,
            "id": 13606
          },
          {
            "timestamp": "2026-05-28 22:01:58,428",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 13607
          },
          {
            "timestamp": "2026-05-28 22:01:58,428",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29254bf0002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\system32\\iphlpsvc.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x0000002a"
              }
            ],
            "repeated": 0,
            "id": 13608
          },
          {
            "timestamp": "2026-05-28 22:01:58,428",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "FindResourceExW",
            "status": true,
            "return": "0x29254cd0840",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29254bf0002"
              },
              {
                "name": "Type",
                "value": "#6"
              },
              {
                "name": "Name",
                "value": "#13"
              },
              {
                "name": "Language",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 13609
          },
          {
            "timestamp": "2026-05-28 22:01:58,428",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "SizeofResource",
            "status": true,
            "return": "0x00000460",
            "arguments": [
              {
                "name": "ModuleHandle",
                "value": "0x29254bf0002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29254cd0840"
              }
            ],
            "repeated": 0,
            "id": 13610
          },
          {
            "timestamp": "2026-05-28 22:01:58,428",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "LoadResource",
            "status": true,
            "return": "0x29254cd3c98",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29254bf0002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29254cd0840"
              }
            ],
            "repeated": 0,
            "id": 13611
          },
          {
            "timestamp": "2026-05-28 22:01:58,428",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254cd0000"
              },
              {
                "name": "RegionSize",
                "value": "0x0000d000"
              }
            ],
            "repeated": 0,
            "id": 13612
          },
          {
            "timestamp": "2026-05-28 22:01:58,428",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000008f0"
              }
            ],
            "repeated": 0,
            "id": 13613
          },
          {
            "timestamp": "2026-05-28 22:01:58,428",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254bf0000"
              },
              {
                "name": "RegionSize",
                "value": "0x000d4000"
              }
            ],
            "repeated": 0,
            "id": 13614
          },
          {
            "timestamp": "2026-05-28 22:01:58,428",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 13615
          },
          {
            "timestamp": "2026-05-28 22:01:58,428",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29254bf0002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\system32\\iphlpsvc.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x0000002a"
              }
            ],
            "repeated": 0,
            "id": 13616
          },
          {
            "timestamp": "2026-05-28 22:01:58,428",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "FindResourceExW",
            "status": true,
            "return": "0x29254cd0890",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29254bf0002"
              },
              {
                "name": "Type",
                "value": "#6"
              },
              {
                "name": "Name",
                "value": "#18"
              },
              {
                "name": "Language",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 13617
          },
          {
            "timestamp": "2026-05-28 22:01:58,428",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "SizeofResource",
            "status": true,
            "return": "0x00000302",
            "arguments": [
              {
                "name": "ModuleHandle",
                "value": "0x29254bf0002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29254cd0890"
              }
            ],
            "repeated": 0,
            "id": 13618
          },
          {
            "timestamp": "2026-05-28 22:01:58,428",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "LoadResource",
            "status": true,
            "return": "0x29254cd4e28",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29254bf0002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29254cd0890"
              }
            ],
            "repeated": 0,
            "id": 13619
          },
          {
            "timestamp": "2026-05-28 22:01:58,428",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254cd0000"
              },
              {
                "name": "RegionSize",
                "value": "0x0000d000"
              }
            ],
            "repeated": 0,
            "id": 13620
          },
          {
            "timestamp": "2026-05-28 22:01:58,428",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000008f0"
              }
            ],
            "repeated": 0,
            "id": 13621
          },
          {
            "timestamp": "2026-05-28 22:01:58,428",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254bf0000"
              },
              {
                "name": "RegionSize",
                "value": "0x000d4000"
              }
            ],
            "repeated": 0,
            "id": 13622
          },
          {
            "timestamp": "2026-05-28 22:01:58,428",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 13623
          },
          {
            "timestamp": "2026-05-28 22:01:58,428",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29254bf0002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\system32\\iphlpsvc.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x0000002a"
              }
            ],
            "repeated": 0,
            "id": 13624
          },
          {
            "timestamp": "2026-05-28 22:01:58,428",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "FindResourceExW",
            "status": true,
            "return": "0x29254cd0860",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29254bf0002"
              },
              {
                "name": "Type",
                "value": "#6"
              },
              {
                "name": "Name",
                "value": "#15"
              },
              {
                "name": "Language",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 13625
          },
          {
            "timestamp": "2026-05-28 22:01:58,428",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "SizeofResource",
            "status": true,
            "return": "0x00000368",
            "arguments": [
              {
                "name": "ModuleHandle",
                "value": "0x29254bf0002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29254cd0860"
              }
            ],
            "repeated": 0,
            "id": 13626
          },
          {
            "timestamp": "2026-05-28 22:01:58,428",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "LoadResource",
            "status": true,
            "return": "0x29254cd4460",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29254bf0002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29254cd0860"
              }
            ],
            "repeated": 0,
            "id": 13627
          },
          {
            "timestamp": "2026-05-28 22:01:58,428",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254cd0000"
              },
              {
                "name": "RegionSize",
                "value": "0x0000d000"
              }
            ],
            "repeated": 0,
            "id": 13628
          },
          {
            "timestamp": "2026-05-28 22:01:58,428",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000008f0"
              }
            ],
            "repeated": 0,
            "id": 13629
          },
          {
            "timestamp": "2026-05-28 22:01:58,428",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254bf0000"
              },
              {
                "name": "RegionSize",
                "value": "0x000d4000"
              }
            ],
            "repeated": 0,
            "id": 13630
          },
          {
            "timestamp": "2026-05-28 22:01:58,428",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 13631
          },
          {
            "timestamp": "2026-05-28 22:01:58,428",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29254bf0002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\system32\\iphlpsvc.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x0000002a"
              }
            ],
            "repeated": 0,
            "id": 13632
          },
          {
            "timestamp": "2026-05-28 22:01:58,428",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "FindResourceExW",
            "status": true,
            "return": "0x29254cd07b0",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29254bf0002"
              },
              {
                "name": "Type",
                "value": "#6"
              },
              {
                "name": "Name",
                "value": "#4"
              },
              {
                "name": "Language",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 13633
          },
          {
            "timestamp": "2026-05-28 22:01:58,428",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "SizeofResource",
            "status": true,
            "return": "0x000003e2",
            "arguments": [
              {
                "name": "ModuleHandle",
                "value": "0x29254bf0002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29254cd07b0"
              }
            ],
            "repeated": 0,
            "id": 13634
          },
          {
            "timestamp": "2026-05-28 22:01:58,428",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "LoadResource",
            "status": true,
            "return": "0x29254cd1360",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29254bf0002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29254cd07b0"
              }
            ],
            "repeated": 0,
            "id": 13635
          },
          {
            "timestamp": "2026-05-28 22:01:58,428",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254cd0000"
              },
              {
                "name": "RegionSize",
                "value": "0x0000d000"
              }
            ],
            "repeated": 0,
            "id": 13636
          },
          {
            "timestamp": "2026-05-28 22:01:58,428",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000008f0"
              }
            ],
            "repeated": 0,
            "id": 13637
          },
          {
            "timestamp": "2026-05-28 22:01:58,428",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254bf0000"
              },
              {
                "name": "RegionSize",
                "value": "0x000d4000"
              }
            ],
            "repeated": 0,
            "id": 13638
          },
          {
            "timestamp": "2026-05-28 22:01:58,428",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 13639
          },
          {
            "timestamp": "2026-05-28 22:01:58,428",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29254bf0002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\system32\\iphlpsvc.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x0000002a"
              }
            ],
            "repeated": 0,
            "id": 13640
          },
          {
            "timestamp": "2026-05-28 22:01:58,428",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "FindResourceExW",
            "status": true,
            "return": "0x29254cd0780",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29254bf0002"
              },
              {
                "name": "Type",
                "value": "#6"
              },
              {
                "name": "Name",
                "value": "#1"
              },
              {
                "name": "Language",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 13641
          },
          {
            "timestamp": "2026-05-28 22:01:58,428",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "SizeofResource",
            "status": true,
            "return": "0x000002de",
            "arguments": [
              {
                "name": "ModuleHandle",
                "value": "0x29254bf0002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29254cd0780"
              }
            ],
            "repeated": 0,
            "id": 13642
          },
          {
            "timestamp": "2026-05-28 22:01:58,428",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "LoadResource",
            "status": true,
            "return": "0x29254cd09b0",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29254bf0002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29254cd0780"
              }
            ],
            "repeated": 0,
            "id": 13643
          },
          {
            "timestamp": "2026-05-28 22:01:58,428",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254cd0000"
              },
              {
                "name": "RegionSize",
                "value": "0x0000d000"
              }
            ],
            "repeated": 0,
            "id": 13644
          },
          {
            "timestamp": "2026-05-28 22:01:58,428",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000008f0"
              }
            ],
            "repeated": 0,
            "id": 13645
          },
          {
            "timestamp": "2026-05-28 22:01:58,428",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254bf0000"
              },
              {
                "name": "RegionSize",
                "value": "0x000d4000"
              }
            ],
            "repeated": 0,
            "id": 13646
          },
          {
            "timestamp": "2026-05-28 22:01:58,428",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 13647
          },
          {
            "timestamp": "2026-05-28 22:01:58,428",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29254bf0002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\system32\\drivers\\dmvsc.sys"
              },
              {
                "name": "dwFlags",
                "value": "0x0000002a"
              }
            ],
            "repeated": 0,
            "id": 13648
          },
          {
            "timestamp": "2026-05-28 22:01:58,428",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "FindResourceExW",
            "status": true,
            "return": "0x29254c10500",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29254bf0002"
              },
              {
                "name": "Type",
                "value": "#6"
              },
              {
                "name": "Name",
                "value": "#1"
              },
              {
                "name": "Language",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 13649
          },
          {
            "timestamp": "2026-05-28 22:01:58,428",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "SizeofResource",
            "status": true,
            "return": "0x000001c4",
            "arguments": [
              {
                "name": "ModuleHandle",
                "value": "0x29254bf0002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29254c10500"
              }
            ],
            "repeated": 0,
            "id": 13650
          },
          {
            "timestamp": "2026-05-28 22:01:58,428",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "LoadResource",
            "status": true,
            "return": "0x29254c105f0",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29254bf0002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29254c10500"
              }
            ],
            "repeated": 0,
            "id": 13651
          },
          {
            "timestamp": "2026-05-28 22:01:58,428",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254c10000"
              },
              {
                "name": "RegionSize",
                "value": "0x00002000"
              }
            ],
            "repeated": 0,
            "id": 13652
          },
          {
            "timestamp": "2026-05-28 22:01:58,428",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000008f0"
              }
            ],
            "repeated": 0,
            "id": 13653
          },
          {
            "timestamp": "2026-05-28 22:01:58,428",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254bf0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00014000"
              }
            ],
            "repeated": 0,
            "id": 13654
          },
          {
            "timestamp": "2026-05-28 22:01:58,428",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 13655
          },
          {
            "timestamp": "2026-05-28 22:01:58,428",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29254bf0002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\system32\\bthserv.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x0000002a"
              }
            ],
            "repeated": 0,
            "id": 13656
          },
          {
            "timestamp": "2026-05-28 22:01:58,428",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "FindResourceExW",
            "status": true,
            "return": "0x29254c30670",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29254bf0002"
              },
              {
                "name": "Type",
                "value": "#6"
              },
              {
                "name": "Name",
                "value": "#69"
              },
              {
                "name": "Language",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 13657
          },
          {
            "timestamp": "2026-05-28 22:01:58,428",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "SizeofResource",
            "status": true,
            "return": "0x000000b2",
            "arguments": [
              {
                "name": "ModuleHandle",
                "value": "0x29254bf0002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29254c30670"
              }
            ],
            "repeated": 0,
            "id": 13658
          },
          {
            "timestamp": "2026-05-28 22:01:58,428",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "LoadResource",
            "status": true,
            "return": "0x29254c30a54",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29254bf0002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29254c30670"
              }
            ],
            "repeated": 0,
            "id": 13659
          },
          {
            "timestamp": "2026-05-28 22:01:58,428",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254c30000"
              },
              {
                "name": "RegionSize",
                "value": "0x00003000"
              }
            ],
            "repeated": 0,
            "id": 13660
          },
          {
            "timestamp": "2026-05-28 22:01:58,428",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000008f0"
              }
            ],
            "repeated": 0,
            "id": 13661
          },
          {
            "timestamp": "2026-05-28 22:01:58,428",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254bf0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00039000"
              }
            ],
            "repeated": 0,
            "id": 13662
          },
          {
            "timestamp": "2026-05-28 22:01:58,428",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 13663
          },
          {
            "timestamp": "2026-05-28 22:01:58,428",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29254bf0002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\system32\\bthserv.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x0000002a"
              }
            ],
            "repeated": 0,
            "id": 13664
          },
          {
            "timestamp": "2026-05-28 22:01:58,428",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "FindResourceExW",
            "status": true,
            "return": "0x29254c306f0",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29254bf0002"
              },
              {
                "name": "Type",
                "value": "#6"
              },
              {
                "name": "Name",
                "value": "#126"
              },
              {
                "name": "Language",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 13665
          },
          {
            "timestamp": "2026-05-28 22:01:58,428",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "SizeofResource",
            "status": true,
            "return": "0x000002ec",
            "arguments": [
              {
                "name": "ModuleHandle",
                "value": "0x29254bf0002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29254c306f0"
              }
            ],
            "repeated": 0,
            "id": 13666
          },
          {
            "timestamp": "2026-05-28 22:01:58,428",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "LoadResource",
            "status": true,
            "return": "0x29254c319f8",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29254bf0002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29254c306f0"
              }
            ],
            "repeated": 0,
            "id": 13667
          },
          {
            "timestamp": "2026-05-28 22:01:58,428",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254c30000"
              },
              {
                "name": "RegionSize",
                "value": "0x00003000"
              }
            ],
            "repeated": 0,
            "id": 13668
          },
          {
            "timestamp": "2026-05-28 22:01:58,428",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000008f0"
              }
            ],
            "repeated": 0,
            "id": 13669
          },
          {
            "timestamp": "2026-05-28 22:01:58,428",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254bf0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00039000"
              }
            ],
            "repeated": 0,
            "id": 13670
          },
          {
            "timestamp": "2026-05-28 22:01:58,428",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 13671
          },
          {
            "timestamp": "2026-05-28 22:01:58,428",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": false,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\system32\\drivers\\vmbusr.sys"
              },
              {
                "name": "dwFlags",
                "value": "0x0000002a"
              }
            ],
            "repeated": 0,
            "id": 13672
          },
          {
            "timestamp": "2026-05-28 22:01:58,428",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 13673
          },
          {
            "timestamp": "2026-05-28 22:01:58,428",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": false,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\system32\\drivers\\vmbusr.sys"
              },
              {
                "name": "dwFlags",
                "value": "0x0000002a"
              }
            ],
            "repeated": 0,
            "id": 13674
          },
          {
            "timestamp": "2026-05-28 22:01:58,428",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 13675
          },
          {
            "timestamp": "2026-05-28 22:01:58,428",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29254bf0002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\ServiceModelPerformanceCounters.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x0000002a"
              }
            ],
            "repeated": 0,
            "id": 13676
          },
          {
            "timestamp": "2026-05-28 22:01:58,428",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "FindResourceExW",
            "status": true,
            "return": "0x29254c10508",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29254bf0002"
              },
              {
                "name": "Type",
                "value": "#6"
              },
              {
                "name": "Name",
                "value": "#1"
              },
              {
                "name": "Language",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 13677
          },
          {
            "timestamp": "2026-05-28 22:01:58,428",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "SizeofResource",
            "status": true,
            "return": "0x000003aa",
            "arguments": [
              {
                "name": "ModuleHandle",
                "value": "0x29254bf0002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29254c10508"
              }
            ],
            "repeated": 0,
            "id": 13678
          },
          {
            "timestamp": "2026-05-28 22:01:58,428",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "LoadResource",
            "status": true,
            "return": "0x29254c10700",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29254bf0002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29254c10508"
              }
            ],
            "repeated": 0,
            "id": 13679
          },
          {
            "timestamp": "2026-05-28 22:01:58,428",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254c10000"
              },
              {
                "name": "RegionSize",
                "value": "0x0000c000"
              }
            ],
            "repeated": 0,
            "id": 13680
          },
          {
            "timestamp": "2026-05-28 22:01:58,428",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000008f0"
              }
            ],
            "repeated": 0,
            "id": 13681
          },
          {
            "timestamp": "2026-05-28 22:01:58,428",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254bf0000"
              },
              {
                "name": "RegionSize",
                "value": "0x0001a000"
              }
            ],
            "repeated": 0,
            "id": 13682
          },
          {
            "timestamp": "2026-05-28 22:01:58,428",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 13683
          },
          {
            "timestamp": "2026-05-28 22:01:58,428",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29254bf0002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\ServiceModelPerformanceCounters.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x0000002a"
              }
            ],
            "repeated": 0,
            "id": 13684
          },
          {
            "timestamp": "2026-05-28 22:01:58,428",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "FindResourceExW",
            "status": true,
            "return": "0x29254c105f8",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29254bf0002"
              },
              {
                "name": "Type",
                "value": "#6"
              },
              {
                "name": "Name",
                "value": "#16"
              },
              {
                "name": "Language",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 13685
          },
          {
            "timestamp": "2026-05-28 22:01:58,428",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "SizeofResource",
            "status": true,
            "return": "0x000003c8",
            "arguments": [
              {
                "name": "ModuleHandle",
                "value": "0x29254bf0002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29254c105f8"
              }
            ],
            "repeated": 0,
            "id": 13686
          },
          {
            "timestamp": "2026-05-28 22:01:58,428",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "LoadResource",
            "status": true,
            "return": "0x29254c15f78",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29254bf0002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29254c105f8"
              }
            ],
            "repeated": 0,
            "id": 13687
          },
          {
            "timestamp": "2026-05-28 22:01:58,428",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254c10000"
              },
              {
                "name": "RegionSize",
                "value": "0x0000c000"
              }
            ],
            "repeated": 0,
            "id": 13688
          },
          {
            "timestamp": "2026-05-28 22:01:58,428",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000008f0"
              }
            ],
            "repeated": 0,
            "id": 13689
          },
          {
            "timestamp": "2026-05-28 22:01:58,428",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254bf0000"
              },
              {
                "name": "RegionSize",
                "value": "0x0001a000"
              }
            ],
            "repeated": 0,
            "id": 13690
          },
          {
            "timestamp": "2026-05-28 22:01:58,428",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 13691
          },
          {
            "timestamp": "2026-05-28 22:01:58,428",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29254bf0002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\ServiceModelPerformanceCounters.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x0000002a"
              }
            ],
            "repeated": 0,
            "id": 13692
          },
          {
            "timestamp": "2026-05-28 22:01:58,428",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "FindResourceExW",
            "status": true,
            "return": "0x29254c105a8",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29254bf0002"
              },
              {
                "name": "Type",
                "value": "#6"
              },
              {
                "name": "Name",
                "value": "#11"
              },
              {
                "name": "Language",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 13693
          },
          {
            "timestamp": "2026-05-28 22:01:58,428",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "SizeofResource",
            "status": true,
            "return": "0x000003b6",
            "arguments": [
              {
                "name": "ModuleHandle",
                "value": "0x29254bf0002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29254c105a8"
              }
            ],
            "repeated": 0,
            "id": 13694
          },
          {
            "timestamp": "2026-05-28 22:01:58,428",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "LoadResource",
            "status": true,
            "return": "0x29254c14350",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29254bf0002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29254c105a8"
              }
            ],
            "repeated": 0,
            "id": 13695
          },
          {
            "timestamp": "2026-05-28 22:01:58,428",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254c10000"
              },
              {
                "name": "RegionSize",
                "value": "0x0000c000"
              }
            ],
            "repeated": 0,
            "id": 13696
          },
          {
            "timestamp": "2026-05-28 22:01:58,428",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000008f0"
              }
            ],
            "repeated": 0,
            "id": 13697
          },
          {
            "timestamp": "2026-05-28 22:01:58,428",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254bf0000"
              },
              {
                "name": "RegionSize",
                "value": "0x0001a000"
              }
            ],
            "repeated": 0,
            "id": 13698
          },
          {
            "timestamp": "2026-05-28 22:01:58,428",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 13699
          },
          {
            "timestamp": "2026-05-28 22:01:58,428",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29254bf0002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\system32\\umpoext.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x0000002a"
              }
            ],
            "repeated": 0,
            "id": 13700
          },
          {
            "timestamp": "2026-05-28 22:01:58,428",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "FindResourceExW",
            "status": true,
            "return": "0x29254c20560",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29254bf0002"
              },
              {
                "name": "Type",
                "value": "#6"
              },
              {
                "name": "Name",
                "value": "#1"
              },
              {
                "name": "Language",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 13701
          },
          {
            "timestamp": "2026-05-28 22:01:58,428",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "SizeofResource",
            "status": true,
            "return": "0x000002e6",
            "arguments": [
              {
                "name": "ModuleHandle",
                "value": "0x29254bf0002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29254c20560"
              }
            ],
            "repeated": 0,
            "id": 13702
          },
          {
            "timestamp": "2026-05-28 22:01:58,428",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "LoadResource",
            "status": true,
            "return": "0x29254c20680",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29254bf0002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29254c20560"
              }
            ],
            "repeated": 0,
            "id": 13703
          },
          {
            "timestamp": "2026-05-28 22:01:58,428",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254c20000"
              },
              {
                "name": "RegionSize",
                "value": "0x00002000"
              }
            ],
            "repeated": 0,
            "id": 13704
          },
          {
            "timestamp": "2026-05-28 22:01:58,428",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000008f0"
              }
            ],
            "repeated": 0,
            "id": 13705
          },
          {
            "timestamp": "2026-05-28 22:01:58,428",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254bf0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00030000"
              }
            ],
            "repeated": 0,
            "id": 13706
          },
          {
            "timestamp": "2026-05-28 22:01:58,428",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 13707
          },
          {
            "timestamp": "2026-05-28 22:01:58,428",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29254bf0002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\system32\\umpoext.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x0000002a"
              }
            ],
            "repeated": 0,
            "id": 13708
          },
          {
            "timestamp": "2026-05-28 22:01:58,428",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "FindResourceExW",
            "status": true,
            "return": "0x29254c20560",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29254bf0002"
              },
              {
                "name": "Type",
                "value": "#6"
              },
              {
                "name": "Name",
                "value": "#1"
              },
              {
                "name": "Language",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 13709
          },
          {
            "timestamp": "2026-05-28 22:01:58,428",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "SizeofResource",
            "status": true,
            "return": "0x000002e6",
            "arguments": [
              {
                "name": "ModuleHandle",
                "value": "0x29254bf0002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29254c20560"
              }
            ],
            "repeated": 0,
            "id": 13710
          },
          {
            "timestamp": "2026-05-28 22:01:58,428",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "LoadResource",
            "status": true,
            "return": "0x29254c20680",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29254bf0002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29254c20560"
              }
            ],
            "repeated": 0,
            "id": 13711
          },
          {
            "timestamp": "2026-05-28 22:01:58,428",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254c20000"
              },
              {
                "name": "RegionSize",
                "value": "0x00002000"
              }
            ],
            "repeated": 0,
            "id": 13712
          },
          {
            "timestamp": "2026-05-28 22:01:58,428",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000008f0"
              }
            ],
            "repeated": 0,
            "id": 13713
          },
          {
            "timestamp": "2026-05-28 22:01:58,428",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254bf0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00030000"
              }
            ],
            "repeated": 0,
            "id": 13714
          },
          {
            "timestamp": "2026-05-28 22:01:58,428",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 13715
          },
          {
            "timestamp": "2026-05-28 22:01:58,428",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29254bf0002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\system32\\drivers\\tcpip.sys"
              },
              {
                "name": "dwFlags",
                "value": "0x0000002a"
              }
            ],
            "repeated": 0,
            "id": 13716
          },
          {
            "timestamp": "2026-05-28 22:01:58,428",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "FindResourceExW",
            "status": true,
            "return": "0x29254ee0750",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29254bf0002"
              },
              {
                "name": "Type",
                "value": "#6"
              },
              {
                "name": "Name",
                "value": "#13"
              },
              {
                "name": "Language",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 13717
          },
          {
            "timestamp": "2026-05-28 22:01:58,428",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "SizeofResource",
            "status": true,
            "return": "0x00000246",
            "arguments": [
              {
                "name": "ModuleHandle",
                "value": "0x29254bf0002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29254ee0750"
              }
            ],
            "repeated": 0,
            "id": 13718
          },
          {
            "timestamp": "2026-05-28 22:01:58,428",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "LoadResource",
            "status": true,
            "return": "0x29254ee2cc4",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29254bf0002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29254ee0750"
              }
            ],
            "repeated": 0,
            "id": 13719
          },
          {
            "timestamp": "2026-05-28 22:01:58,428",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254ee0000"
              },
              {
                "name": "RegionSize",
                "value": "0x0002a000"
              }
            ],
            "repeated": 0,
            "id": 13720
          },
          {
            "timestamp": "2026-05-28 22:01:58,428",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000008f0"
              }
            ],
            "repeated": 0,
            "id": 13721
          },
          {
            "timestamp": "2026-05-28 22:01:58,428",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254bf0000"
              },
              {
                "name": "RegionSize",
                "value": "0x002ed000"
              }
            ],
            "repeated": 0,
            "id": 13722
          },
          {
            "timestamp": "2026-05-28 22:01:58,428",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 13723
          },
          {
            "timestamp": "2026-05-28 22:01:58,428",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29254bf0002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\system32\\drivers\\tcpip.sys"
              },
              {
                "name": "dwFlags",
                "value": "0x0000002a"
              }
            ],
            "repeated": 0,
            "id": 13724
          },
          {
            "timestamp": "2026-05-28 22:01:58,428",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "FindResourceExW",
            "status": true,
            "return": "0x29254ee06e0",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29254bf0002"
              },
              {
                "name": "Type",
                "value": "#6"
              },
              {
                "name": "Name",
                "value": "#1"
              },
              {
                "name": "Language",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 13725
          },
          {
            "timestamp": "2026-05-28 22:01:58,428",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "SizeofResource",
            "status": true,
            "return": "0x0000012e",
            "arguments": [
              {
                "name": "ModuleHandle",
                "value": "0x29254bf0002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29254ee06e0"
              }
            ],
            "repeated": 0,
            "id": 13726
          },
          {
            "timestamp": "2026-05-28 22:01:58,428",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "LoadResource",
            "status": true,
            "return": "0x29254ee08c0",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29254bf0002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29254ee06e0"
              }
            ],
            "repeated": 0,
            "id": 13727
          },
          {
            "timestamp": "2026-05-28 22:01:58,428",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254ee0000"
              },
              {
                "name": "RegionSize",
                "value": "0x0002a000"
              }
            ],
            "repeated": 0,
            "id": 13728
          },
          {
            "timestamp": "2026-05-28 22:01:58,428",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000008f0"
              }
            ],
            "repeated": 0,
            "id": 13729
          },
          {
            "timestamp": "2026-05-28 22:01:58,428",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254bf0000"
              },
              {
                "name": "RegionSize",
                "value": "0x002ed000"
              }
            ],
            "repeated": 0,
            "id": 13730
          },
          {
            "timestamp": "2026-05-28 22:01:58,428",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 13731
          },
          {
            "timestamp": "2026-05-28 22:01:58,428",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29254bf0002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\system32\\drivers\\winnat.sys"
              },
              {
                "name": "dwFlags",
                "value": "0x0000002a"
              }
            ],
            "repeated": 0,
            "id": 13732
          },
          {
            "timestamp": "2026-05-28 22:01:58,428",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "FindResourceExW",
            "status": true,
            "return": "0x29254c406c0",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29254bf0002"
              },
              {
                "name": "Type",
                "value": "#6"
              },
              {
                "name": "Name",
                "value": "#5"
              },
              {
                "name": "Language",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 13733
          },
          {
            "timestamp": "2026-05-28 22:01:58,428",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "SizeofResource",
            "status": true,
            "return": "0x00000282",
            "arguments": [
              {
                "name": "ModuleHandle",
                "value": "0x29254bf0002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29254c406c0"
              }
            ],
            "repeated": 0,
            "id": 13734
          },
          {
            "timestamp": "2026-05-28 22:01:58,428",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "LoadResource",
            "status": true,
            "return": "0x29254c411e8",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29254bf0002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29254c406c0"
              }
            ],
            "repeated": 0,
            "id": 13735
          },
          {
            "timestamp": "2026-05-28 22:01:58,428",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254c40000"
              },
              {
                "name": "RegionSize",
                "value": "0x00007000"
              }
            ],
            "repeated": 0,
            "id": 13736
          },
          {
            "timestamp": "2026-05-28 22:01:58,428",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000008f0"
              }
            ],
            "repeated": 0,
            "id": 13737
          },
          {
            "timestamp": "2026-05-28 22:01:58,428",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254bf0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00048000"
              }
            ],
            "repeated": 0,
            "id": 13738
          },
          {
            "timestamp": "2026-05-28 22:01:58,428",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 13739
          },
          {
            "timestamp": "2026-05-28 22:01:58,428",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29254bf0002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\system32\\drivers\\winnat.sys"
              },
              {
                "name": "dwFlags",
                "value": "0x0000002a"
              }
            ],
            "repeated": 0,
            "id": 13740
          },
          {
            "timestamp": "2026-05-28 22:01:58,428",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "FindResourceExW",
            "status": true,
            "return": "0x29254c40720",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29254bf0002"
              },
              {
                "name": "Type",
                "value": "#6"
              },
              {
                "name": "Name",
                "value": "#11"
              },
              {
                "name": "Language",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 13741
          },
          {
            "timestamp": "2026-05-28 22:01:58,428",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "SizeofResource",
            "status": true,
            "return": "0x000002ee",
            "arguments": [
              {
                "name": "ModuleHandle",
                "value": "0x29254bf0002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29254c40720"
              }
            ],
            "repeated": 0,
            "id": 13742
          },
          {
            "timestamp": "2026-05-28 22:01:58,428",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "LoadResource",
            "status": true,
            "return": "0x29254c425dc",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29254bf0002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29254c40720"
              }
            ],
            "repeated": 0,
            "id": 13743
          },
          {
            "timestamp": "2026-05-28 22:01:58,428",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254c40000"
              },
              {
                "name": "RegionSize",
                "value": "0x00007000"
              }
            ],
            "repeated": 0,
            "id": 13744
          },
          {
            "timestamp": "2026-05-28 22:01:58,428",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000008f0"
              }
            ],
            "repeated": 0,
            "id": 13745
          },
          {
            "timestamp": "2026-05-28 22:01:58,428",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254bf0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00048000"
              }
            ],
            "repeated": 0,
            "id": 13746
          },
          {
            "timestamp": "2026-05-28 22:01:58,428",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 13747
          },
          {
            "timestamp": "2026-05-28 22:01:58,428",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29254bf0002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\system32\\drivers\\winnat.sys"
              },
              {
                "name": "dwFlags",
                "value": "0x0000002a"
              }
            ],
            "repeated": 0,
            "id": 13748
          },
          {
            "timestamp": "2026-05-28 22:01:58,428",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "FindResourceExW",
            "status": true,
            "return": "0x29254c40680",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29254bf0002"
              },
              {
                "name": "Type",
                "value": "#6"
              },
              {
                "name": "Name",
                "value": "#1"
              },
              {
                "name": "Language",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 13749
          },
          {
            "timestamp": "2026-05-28 22:01:58,428",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "SizeofResource",
            "status": true,
            "return": "0x0000027c",
            "arguments": [
              {
                "name": "ModuleHandle",
                "value": "0x29254bf0002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29254c40680"
              }
            ],
            "repeated": 0,
            "id": 13750
          },
          {
            "timestamp": "2026-05-28 22:01:58,428",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "LoadResource",
            "status": true,
            "return": "0x29254c40830",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29254bf0002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29254c40680"
              }
            ],
            "repeated": 0,
            "id": 13751
          },
          {
            "timestamp": "2026-05-28 22:01:58,428",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254c40000"
              },
              {
                "name": "RegionSize",
                "value": "0x00007000"
              }
            ],
            "repeated": 0,
            "id": 13752
          },
          {
            "timestamp": "2026-05-28 22:01:58,428",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000008f0"
              }
            ],
            "repeated": 0,
            "id": 13753
          },
          {
            "timestamp": "2026-05-28 22:01:58,428",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254bf0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00048000"
              }
            ],
            "repeated": 0,
            "id": 13754
          },
          {
            "timestamp": "2026-05-28 22:01:58,428",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 13755
          },
          {
            "timestamp": "2026-05-28 22:01:58,428",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29254bf0002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\system32\\drivers\\winnat.sys"
              },
              {
                "name": "dwFlags",
                "value": "0x0000002a"
              }
            ],
            "repeated": 0,
            "id": 13756
          },
          {
            "timestamp": "2026-05-28 22:01:58,428",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "FindResourceExW",
            "status": true,
            "return": "0x29254c406e0",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29254bf0002"
              },
              {
                "name": "Type",
                "value": "#6"
              },
              {
                "name": "Name",
                "value": "#7"
              },
              {
                "name": "Language",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 13757
          },
          {
            "timestamp": "2026-05-28 22:01:58,428",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "SizeofResource",
            "status": true,
            "return": "0x000002e0",
            "arguments": [
              {
                "name": "ModuleHandle",
                "value": "0x29254bf0002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29254c406e0"
              }
            ],
            "repeated": 0,
            "id": 13758
          },
          {
            "timestamp": "2026-05-28 22:01:58,428",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "LoadResource",
            "status": true,
            "return": "0x29254c41700",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29254bf0002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29254c406e0"
              }
            ],
            "repeated": 0,
            "id": 13759
          },
          {
            "timestamp": "2026-05-28 22:01:58,428",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254c40000"
              },
              {
                "name": "RegionSize",
                "value": "0x00007000"
              }
            ],
            "repeated": 0,
            "id": 13760
          },
          {
            "timestamp": "2026-05-28 22:01:58,428",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000008f0"
              }
            ],
            "repeated": 0,
            "id": 13761
          },
          {
            "timestamp": "2026-05-28 22:01:58,428",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254bf0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00048000"
              }
            ],
            "repeated": 0,
            "id": 13762
          },
          {
            "timestamp": "2026-05-28 22:01:58,428",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 13763
          },
          {
            "timestamp": "2026-05-28 22:01:58,428",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29254bf0002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\system32\\drivers\\winnat.sys"
              },
              {
                "name": "dwFlags",
                "value": "0x0000002a"
              }
            ],
            "repeated": 0,
            "id": 13764
          },
          {
            "timestamp": "2026-05-28 22:01:58,428",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "FindResourceExW",
            "status": true,
            "return": "0x29254c406e0",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29254bf0002"
              },
              {
                "name": "Type",
                "value": "#6"
              },
              {
                "name": "Name",
                "value": "#7"
              },
              {
                "name": "Language",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 13765
          },
          {
            "timestamp": "2026-05-28 22:01:58,428",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "SizeofResource",
            "status": true,
            "return": "0x000002e0",
            "arguments": [
              {
                "name": "ModuleHandle",
                "value": "0x29254bf0002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29254c406e0"
              }
            ],
            "repeated": 0,
            "id": 13766
          },
          {
            "timestamp": "2026-05-28 22:01:58,428",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "LoadResource",
            "status": true,
            "return": "0x29254c41700",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29254bf0002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29254c406e0"
              }
            ],
            "repeated": 0,
            "id": 13767
          },
          {
            "timestamp": "2026-05-28 22:01:58,428",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254c40000"
              },
              {
                "name": "RegionSize",
                "value": "0x00007000"
              }
            ],
            "repeated": 0,
            "id": 13768
          },
          {
            "timestamp": "2026-05-28 22:01:58,428",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000008f0"
              }
            ],
            "repeated": 0,
            "id": 13769
          },
          {
            "timestamp": "2026-05-28 22:01:58,428",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254bf0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00048000"
              }
            ],
            "repeated": 0,
            "id": 13770
          },
          {
            "timestamp": "2026-05-28 22:01:58,428",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 13771
          },
          {
            "timestamp": "2026-05-28 22:01:58,428",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29254bf0002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\system32\\drivers\\http.sys"
              },
              {
                "name": "dwFlags",
                "value": "0x0000002a"
              }
            ],
            "repeated": 0,
            "id": 13772
          },
          {
            "timestamp": "2026-05-28 22:01:58,428",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "FindResourceExW",
            "status": true,
            "return": "0x29254d80648",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29254bf0002"
              },
              {
                "name": "Type",
                "value": "#6"
              },
              {
                "name": "Name",
                "value": "#5"
              },
              {
                "name": "Language",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 13773
          },
          {
            "timestamp": "2026-05-28 22:01:58,428",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "SizeofResource",
            "status": true,
            "return": "0x00000258",
            "arguments": [
              {
                "name": "ModuleHandle",
                "value": "0x29254bf0002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29254d80648"
              }
            ],
            "repeated": 0,
            "id": 13774
          },
          {
            "timestamp": "2026-05-28 22:01:58,428",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "LoadResource",
            "status": true,
            "return": "0x29254d81df0",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29254bf0002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29254d80648"
              }
            ],
            "repeated": 0,
            "id": 13775
          },
          {
            "timestamp": "2026-05-28 22:01:58,428",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254d80000"
              },
              {
                "name": "RegionSize",
                "value": "0x0000b000"
              }
            ],
            "repeated": 0,
            "id": 13776
          },
          {
            "timestamp": "2026-05-28 22:01:58,428",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000008f0"
              }
            ],
            "repeated": 0,
            "id": 13777
          },
          {
            "timestamp": "2026-05-28 22:01:58,428",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254bf0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00188000"
              }
            ],
            "repeated": 0,
            "id": 13778
          },
          {
            "timestamp": "2026-05-28 22:01:58,428",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 13779
          },
          {
            "timestamp": "2026-05-28 22:01:58,428",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29254bf0002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\system32\\drivers\\http.sys"
              },
              {
                "name": "dwFlags",
                "value": "0x0000002a"
              }
            ],
            "repeated": 0,
            "id": 13780
          },
          {
            "timestamp": "2026-05-28 22:01:58,428",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "FindResourceExW",
            "status": true,
            "return": "0x29254d80618",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29254bf0002"
              },
              {
                "name": "Type",
                "value": "#6"
              },
              {
                "name": "Name",
                "value": "#2"
              },
              {
                "name": "Language",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 13781
          },
          {
            "timestamp": "2026-05-28 22:01:58,428",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "SizeofResource",
            "status": true,
            "return": "0x0000034a",
            "arguments": [
              {
                "name": "ModuleHandle",
                "value": "0x29254bf0002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29254d80618"
              }
            ],
            "repeated": 0,
            "id": 13782
          },
          {
            "timestamp": "2026-05-28 22:01:58,428",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "LoadResource",
            "status": true,
            "return": "0x29254d814b8",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29254bf0002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29254d80618"
              }
            ],
            "repeated": 0,
            "id": 13783
          },
          {
            "timestamp": "2026-05-28 22:01:58,428",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254d80000"
              },
              {
                "name": "RegionSize",
                "value": "0x0000b000"
              }
            ],
            "repeated": 0,
            "id": 13784
          },
          {
            "timestamp": "2026-05-28 22:01:58,428",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000008f0"
              }
            ],
            "repeated": 0,
            "id": 13785
          },
          {
            "timestamp": "2026-05-28 22:01:58,428",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254bf0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00188000"
              }
            ],
            "repeated": 0,
            "id": 13786
          },
          {
            "timestamp": "2026-05-28 22:01:58,428",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 13787
          },
          {
            "timestamp": "2026-05-28 22:01:58,428",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29254bf0002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\system32\\drivers\\http.sys"
              },
              {
                "name": "dwFlags",
                "value": "0x0000002a"
              }
            ],
            "repeated": 0,
            "id": 13788
          },
          {
            "timestamp": "2026-05-28 22:01:58,428",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "FindResourceExW",
            "status": true,
            "return": "0x29254d80608",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29254bf0002"
              },
              {
                "name": "Type",
                "value": "#6"
              },
              {
                "name": "Name",
                "value": "#1"
              },
              {
                "name": "Language",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 13789
          },
          {
            "timestamp": "2026-05-28 22:01:58,428",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "SizeofResource",
            "status": true,
            "return": "0x0000028e",
            "arguments": [
              {
                "name": "ModuleHandle",
                "value": "0x29254bf0002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29254d80608"
              }
            ],
            "repeated": 0,
            "id": 13790
          },
          {
            "timestamp": "2026-05-28 22:01:58,428",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "LoadResource",
            "status": true,
            "return": "0x29254d81228",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29254bf0002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29254d80608"
              }
            ],
            "repeated": 0,
            "id": 13791
          },
          {
            "timestamp": "2026-05-28 22:01:58,428",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254d80000"
              },
              {
                "name": "RegionSize",
                "value": "0x0000b000"
              }
            ],
            "repeated": 0,
            "id": 13792
          },
          {
            "timestamp": "2026-05-28 22:01:58,428",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000008f0"
              }
            ],
            "repeated": 0,
            "id": 13793
          },
          {
            "timestamp": "2026-05-28 22:01:58,428",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254bf0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00188000"
              }
            ],
            "repeated": 0,
            "id": 13794
          },
          {
            "timestamp": "2026-05-28 22:01:58,428",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 13795
          },
          {
            "timestamp": "2026-05-28 22:01:58,428",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29254bf0002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\PSEvents.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x0000002a"
              }
            ],
            "repeated": 0,
            "id": 13796
          },
          {
            "timestamp": "2026-05-28 22:01:58,428",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "FindResourceExW",
            "status": true,
            "return": "0x29254c005e0",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29254bf0002"
              },
              {
                "name": "Type",
                "value": "#6"
              },
              {
                "name": "Name",
                "value": "#1"
              },
              {
                "name": "Language",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 13797
          },
          {
            "timestamp": "2026-05-28 22:01:58,428",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "SizeofResource",
            "status": true,
            "return": "0x0000066a",
            "arguments": [
              {
                "name": "ModuleHandle",
                "value": "0x29254bf0002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29254c005e0"
              }
            ],
            "repeated": 0,
            "id": 13798
          },
          {
            "timestamp": "2026-05-28 22:01:58,428",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "LoadResource",
            "status": true,
            "return": "0x29254c00740",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29254bf0002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29254c005e0"
              }
            ],
            "repeated": 0,
            "id": 13799
          },
          {
            "timestamp": "2026-05-28 22:01:58,428",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254c00000"
              },
              {
                "name": "RegionSize",
                "value": "0x0000e000"
              }
            ],
            "repeated": 0,
            "id": 13800
          },
          {
            "timestamp": "2026-05-28 22:01:58,428",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000008f0"
              }
            ],
            "repeated": 0,
            "id": 13801
          },
          {
            "timestamp": "2026-05-28 22:01:58,428",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254bf0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              }
            ],
            "repeated": 0,
            "id": 13802
          },
          {
            "timestamp": "2026-05-28 22:01:58,428",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 13803
          },
          {
            "timestamp": "2026-05-28 22:01:58,428",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29254bf0002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\system32\\drivers\\dxgmms2.sys"
              },
              {
                "name": "dwFlags",
                "value": "0x0000002a"
              }
            ],
            "repeated": 0,
            "id": 13804
          },
          {
            "timestamp": "2026-05-28 22:01:58,428",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "FindResourceExW",
            "status": true,
            "return": "0x29254cc9178",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29254bf0002"
              },
              {
                "name": "Type",
                "value": "#6"
              },
              {
                "name": "Name",
                "value": "#627"
              },
              {
                "name": "Language",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 13805
          },
          {
            "timestamp": "2026-05-28 22:01:58,428",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "SizeofResource",
            "status": true,
            "return": "0x00000254",
            "arguments": [
              {
                "name": "ModuleHandle",
                "value": "0x29254bf0002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29254cc9178"
              }
            ],
            "repeated": 0,
            "id": 13806
          },
          {
            "timestamp": "2026-05-28 22:01:58,428",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "LoadResource",
            "status": true,
            "return": "0x29254cc9738",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29254bf0002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29254cc9178"
              }
            ],
            "repeated": 0,
            "id": 13807
          },
          {
            "timestamp": "2026-05-28 22:01:58,428",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254bf0000"
              },
              {
                "name": "RegionSize",
                "value": "0x000e1000"
              }
            ],
            "repeated": 0,
            "id": 13808
          },
          {
            "timestamp": "2026-05-28 22:01:58,428",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 13809
          },
          {
            "timestamp": "2026-05-28 22:01:58,428",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29254bf0002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\system32\\drivers\\dxgmms2.sys"
              },
              {
                "name": "dwFlags",
                "value": "0x0000002a"
              }
            ],
            "repeated": 0,
            "id": 13810
          },
          {
            "timestamp": "2026-05-28 22:01:58,428",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "FindResourceExW",
            "status": true,
            "return": "0x29254cc9168",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29254bf0002"
              },
              {
                "name": "Type",
                "value": "#6"
              },
              {
                "name": "Name",
                "value": "#626"
              },
              {
                "name": "Language",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 13811
          },
          {
            "timestamp": "2026-05-28 22:01:58,428",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "SizeofResource",
            "status": true,
            "return": "0x000001bc",
            "arguments": [
              {
                "name": "ModuleHandle",
                "value": "0x29254bf0002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29254cc9168"
              }
            ],
            "repeated": 0,
            "id": 13812
          },
          {
            "timestamp": "2026-05-28 22:01:58,428",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "LoadResource",
            "status": true,
            "return": "0x29254cc9578",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29254bf0002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29254cc9168"
              }
            ],
            "repeated": 0,
            "id": 13813
          },
          {
            "timestamp": "2026-05-28 22:01:58,428",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254bf0000"
              },
              {
                "name": "RegionSize",
                "value": "0x000e1000"
              }
            ],
            "repeated": 0,
            "id": 13814
          },
          {
            "timestamp": "2026-05-28 22:01:58,428",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 13815
          },
          {
            "timestamp": "2026-05-28 22:01:58,428",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29254bf0002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\system32\\drivers\\dxgmms2.sys"
              },
              {
                "name": "dwFlags",
                "value": "0x0000002a"
              }
            ],
            "repeated": 0,
            "id": 13816
          },
          {
            "timestamp": "2026-05-28 22:01:58,428",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "FindResourceExW",
            "status": true,
            "return": "0x29254cc9178",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29254bf0002"
              },
              {
                "name": "Type",
                "value": "#6"
              },
              {
                "name": "Name",
                "value": "#627"
              },
              {
                "name": "Language",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 13817
          },
          {
            "timestamp": "2026-05-28 22:01:58,428",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "SizeofResource",
            "status": true,
            "return": "0x00000254",
            "arguments": [
              {
                "name": "ModuleHandle",
                "value": "0x29254bf0002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29254cc9178"
              }
            ],
            "repeated": 0,
            "id": 13818
          },
          {
            "timestamp": "2026-05-28 22:01:58,428",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "LoadResource",
            "status": true,
            "return": "0x29254cc9738",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29254bf0002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29254cc9178"
              }
            ],
            "repeated": 0,
            "id": 13819
          },
          {
            "timestamp": "2026-05-28 22:01:58,428",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254bf0000"
              },
              {
                "name": "RegionSize",
                "value": "0x000e1000"
              }
            ],
            "repeated": 0,
            "id": 13820
          },
          {
            "timestamp": "2026-05-28 22:01:58,428",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 13821
          },
          {
            "timestamp": "2026-05-28 22:01:58,428",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29254bf0002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\system32\\drivers\\dxgmms2.sys"
              },
              {
                "name": "dwFlags",
                "value": "0x0000002a"
              }
            ],
            "repeated": 0,
            "id": 13822
          },
          {
            "timestamp": "2026-05-28 22:01:58,428",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "FindResourceExW",
            "status": true,
            "return": "0x29254cc9168",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29254bf0002"
              },
              {
                "name": "Type",
                "value": "#6"
              },
              {
                "name": "Name",
                "value": "#626"
              },
              {
                "name": "Language",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 13823
          },
          {
            "timestamp": "2026-05-28 22:01:58,428",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "SizeofResource",
            "status": true,
            "return": "0x000001bc",
            "arguments": [
              {
                "name": "ModuleHandle",
                "value": "0x29254bf0002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29254cc9168"
              }
            ],
            "repeated": 0,
            "id": 13824
          },
          {
            "timestamp": "2026-05-28 22:01:58,428",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "LoadResource",
            "status": true,
            "return": "0x29254cc9578",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29254bf0002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29254cc9168"
              }
            ],
            "repeated": 0,
            "id": 13825
          },
          {
            "timestamp": "2026-05-28 22:01:58,428",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254bf0000"
              },
              {
                "name": "RegionSize",
                "value": "0x000e1000"
              }
            ],
            "repeated": 0,
            "id": 13826
          },
          {
            "timestamp": "2026-05-28 22:01:58,428",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 13827
          },
          {
            "timestamp": "2026-05-28 22:01:58,428",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29254bf0002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\system32\\drivers\\dxgmms2.sys"
              },
              {
                "name": "dwFlags",
                "value": "0x0000002a"
              }
            ],
            "repeated": 0,
            "id": 13828
          },
          {
            "timestamp": "2026-05-28 22:01:58,428",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "FindResourceExW",
            "status": true,
            "return": "0x29254cc9178",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29254bf0002"
              },
              {
                "name": "Type",
                "value": "#6"
              },
              {
                "name": "Name",
                "value": "#627"
              },
              {
                "name": "Language",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 13829
          },
          {
            "timestamp": "2026-05-28 22:01:58,428",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "SizeofResource",
            "status": true,
            "return": "0x00000254",
            "arguments": [
              {
                "name": "ModuleHandle",
                "value": "0x29254bf0002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29254cc9178"
              }
            ],
            "repeated": 0,
            "id": 13830
          },
          {
            "timestamp": "2026-05-28 22:01:58,428",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "LoadResource",
            "status": true,
            "return": "0x29254cc9738",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29254bf0002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29254cc9178"
              }
            ],
            "repeated": 0,
            "id": 13831
          },
          {
            "timestamp": "2026-05-28 22:01:58,428",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254bf0000"
              },
              {
                "name": "RegionSize",
                "value": "0x000e1000"
              }
            ],
            "repeated": 0,
            "id": 13832
          },
          {
            "timestamp": "2026-05-28 22:01:58,428",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 13833
          },
          {
            "timestamp": "2026-05-28 22:01:58,428",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29254bf0002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "wmp.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x0000002a"
              }
            ],
            "repeated": 0,
            "id": 13834
          },
          {
            "timestamp": "2026-05-28 22:01:58,428",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "FindResourceExW",
            "status": true,
            "return": "0x2925560b768",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29254bf0002"
              },
              {
                "name": "Type",
                "value": "#6"
              },
              {
                "name": "Name",
                "value": "#32"
              },
              {
                "name": "Language",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 13835
          },
          {
            "timestamp": "2026-05-28 22:01:58,428",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "SizeofResource",
            "status": true,
            "return": "0x00000210",
            "arguments": [
              {
                "name": "ModuleHandle",
                "value": "0x29254bf0002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x2925560b768"
              }
            ],
            "repeated": 0,
            "id": 13836
          },
          {
            "timestamp": "2026-05-28 22:01:58,428",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "LoadResource",
            "status": true,
            "return": "0x292556d6550",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29254bf0002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x2925560b768"
              }
            ],
            "repeated": 0,
            "id": 13837
          },
          {
            "timestamp": "2026-05-28 22:01:58,428",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254bf0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00b02000"
              }
            ],
            "repeated": 0,
            "id": 13838
          },
          {
            "timestamp": "2026-05-28 22:01:58,428",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 13839
          },
          {
            "timestamp": "2026-05-28 22:01:58,428",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29254bf0002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "rdpcorets.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x0000002a"
              }
            ],
            "repeated": 0,
            "id": 13840
          },
          {
            "timestamp": "2026-05-28 22:01:58,428",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "FindResourceExW",
            "status": true,
            "return": "0x29254d90600",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29254bf0002"
              },
              {
                "name": "Type",
                "value": "#6"
              },
              {
                "name": "Name",
                "value": "#1"
              },
              {
                "name": "Language",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 13841
          },
          {
            "timestamp": "2026-05-28 22:01:58,428",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "SizeofResource",
            "status": true,
            "return": "0x000003ca",
            "arguments": [
              {
                "name": "ModuleHandle",
                "value": "0x29254bf0002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29254d90600"
              }
            ],
            "repeated": 0,
            "id": 13842
          },
          {
            "timestamp": "2026-05-28 22:01:58,428",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "LoadResource",
            "status": true,
            "return": "0x29254d90770",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29254bf0002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29254d90600"
              }
            ],
            "repeated": 0,
            "id": 13843
          },
          {
            "timestamp": "2026-05-28 22:01:58,428",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254d90000"
              },
              {
                "name": "RegionSize",
                "value": "0x00007000"
              }
            ],
            "repeated": 0,
            "id": 13844
          },
          {
            "timestamp": "2026-05-28 22:01:58,428",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000008f0"
              }
            ],
            "repeated": 0,
            "id": 13845
          },
          {
            "timestamp": "2026-05-28 22:01:58,428",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254bf0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00199000"
              }
            ],
            "repeated": 0,
            "id": 13846
          },
          {
            "timestamp": "2026-05-28 22:01:58,428",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 13847
          },
          {
            "timestamp": "2026-05-28 22:01:58,428",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29254bf0002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "rdpcorets.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x0000002a"
              }
            ],
            "repeated": 0,
            "id": 13848
          },
          {
            "timestamp": "2026-05-28 22:01:58,428",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "FindResourceExW",
            "status": true,
            "return": "0x29254d90620",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29254bf0002"
              },
              {
                "name": "Type",
                "value": "#6"
              },
              {
                "name": "Name",
                "value": "#3"
              },
              {
                "name": "Language",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 13849
          },
          {
            "timestamp": "2026-05-28 22:01:58,428",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "SizeofResource",
            "status": true,
            "return": "0x000002ca",
            "arguments": [
              {
                "name": "ModuleHandle",
                "value": "0x29254bf0002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29254d90620"
              }
            ],
            "repeated": 0,
            "id": 13850
          },
          {
            "timestamp": "2026-05-28 22:01:58,428",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "LoadResource",
            "status": true,
            "return": "0x29254d91074",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29254bf0002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29254d90620"
              }
            ],
            "repeated": 0,
            "id": 13851
          },
          {
            "timestamp": "2026-05-28 22:01:58,428",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254d90000"
              },
              {
                "name": "RegionSize",
                "value": "0x00007000"
              }
            ],
            "repeated": 0,
            "id": 13852
          },
          {
            "timestamp": "2026-05-28 22:01:58,428",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000008f0"
              }
            ],
            "repeated": 0,
            "id": 13853
          },
          {
            "timestamp": "2026-05-28 22:01:58,428",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254bf0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00199000"
              }
            ],
            "repeated": 0,
            "id": 13854
          },
          {
            "timestamp": "2026-05-28 22:01:58,428",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 13855
          },
          {
            "timestamp": "2026-05-28 22:01:58,428",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29254bf0002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\system32\\drivers\\srv2.sys"
              },
              {
                "name": "dwFlags",
                "value": "0x0000002a"
              }
            ],
            "repeated": 0,
            "id": 13856
          },
          {
            "timestamp": "2026-05-28 22:01:58,428",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "FindResourceExW",
            "status": true,
            "return": "0x29254cc08c0",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29254bf0002"
              },
              {
                "name": "Type",
                "value": "#6"
              },
              {
                "name": "Name",
                "value": "#1"
              },
              {
                "name": "Language",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 13857
          },
          {
            "timestamp": "2026-05-28 22:01:58,428",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "SizeofResource",
            "status": true,
            "return": "0x000002ea",
            "arguments": [
              {
                "name": "ModuleHandle",
                "value": "0x29254bf0002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29254cc08c0"
              }
            ],
            "repeated": 0,
            "id": 13858
          },
          {
            "timestamp": "2026-05-28 22:01:58,428",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "LoadResource",
            "status": true,
            "return": "0x29254cc0b90",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29254bf0002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29254cc08c0"
              }
            ],
            "repeated": 0,
            "id": 13859
          },
          {
            "timestamp": "2026-05-28 22:01:58,428",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254cc0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00017000"
              }
            ],
            "repeated": 0,
            "id": 13860
          },
          {
            "timestamp": "2026-05-28 22:01:58,428",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000008f0"
              }
            ],
            "repeated": 0,
            "id": 13861
          },
          {
            "timestamp": "2026-05-28 22:01:58,428",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254bf0000"
              },
              {
                "name": "RegionSize",
                "value": "0x000c7000"
              }
            ],
            "repeated": 0,
            "id": 13862
          },
          {
            "timestamp": "2026-05-28 22:01:58,428",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 13863
          },
          {
            "timestamp": "2026-05-28 22:01:58,428",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29254bf0002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\system32\\drivers\\srv2.sys"
              },
              {
                "name": "dwFlags",
                "value": "0x0000002a"
              }
            ],
            "repeated": 0,
            "id": 13864
          },
          {
            "timestamp": "2026-05-28 22:01:58,428",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "FindResourceExW",
            "status": true,
            "return": "0x29254cc09c0",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29254bf0002"
              },
              {
                "name": "Type",
                "value": "#6"
              },
              {
                "name": "Name",
                "value": "#126"
              },
              {
                "name": "Language",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 13865
          },
          {
            "timestamp": "2026-05-28 22:01:58,428",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "SizeofResource",
            "status": true,
            "return": "0x000002c8",
            "arguments": [
              {
                "name": "ModuleHandle",
                "value": "0x29254bf0002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29254cc09c0"
              }
            ],
            "repeated": 0,
            "id": 13866
          },
          {
            "timestamp": "2026-05-28 22:01:58,428",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "LoadResource",
            "status": true,
            "return": "0x29254cc452c",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29254bf0002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29254cc09c0"
              }
            ],
            "repeated": 0,
            "id": 13867
          },
          {
            "timestamp": "2026-05-28 22:01:58,428",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254cc0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00017000"
              }
            ],
            "repeated": 0,
            "id": 13868
          },
          {
            "timestamp": "2026-05-28 22:01:58,428",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000008f0"
              }
            ],
            "repeated": 0,
            "id": 13869
          },
          {
            "timestamp": "2026-05-28 22:01:58,428",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254bf0000"
              },
              {
                "name": "RegionSize",
                "value": "0x000c7000"
              }
            ],
            "repeated": 0,
            "id": 13870
          },
          {
            "timestamp": "2026-05-28 22:01:58,428",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 13871
          },
          {
            "timestamp": "2026-05-28 22:01:58,428",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29254bf0002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\system32\\drivers\\srv2.sys"
              },
              {
                "name": "dwFlags",
                "value": "0x0000002a"
              }
            ],
            "repeated": 0,
            "id": 13872
          },
          {
            "timestamp": "2026-05-28 22:01:58,428",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "FindResourceExW",
            "status": true,
            "return": "0x29254cc0a80",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29254bf0002"
              },
              {
                "name": "Type",
                "value": "#6"
              },
              {
                "name": "Name",
                "value": "#188"
              },
              {
                "name": "Language",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 13873
          },
          {
            "timestamp": "2026-05-28 22:01:58,428",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "SizeofResource",
            "status": true,
            "return": "0x000001da",
            "arguments": [
              {
                "name": "ModuleHandle",
                "value": "0x29254bf0002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29254cc0a80"
              }
            ],
            "repeated": 0,
            "id": 13874
          },
          {
            "timestamp": "2026-05-28 22:01:58,428",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "LoadResource",
            "status": true,
            "return": "0x29254cc7034",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29254bf0002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29254cc0a80"
              }
            ],
            "repeated": 0,
            "id": 13875
          },
          {
            "timestamp": "2026-05-28 22:01:58,428",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254cc0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00017000"
              }
            ],
            "repeated": 0,
            "id": 13876
          },
          {
            "timestamp": "2026-05-28 22:01:58,428",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000008f0"
              }
            ],
            "repeated": 0,
            "id": 13877
          },
          {
            "timestamp": "2026-05-28 22:01:58,428",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254bf0000"
              },
              {
                "name": "RegionSize",
                "value": "0x000c7000"
              }
            ],
            "repeated": 0,
            "id": 13878
          },
          {
            "timestamp": "2026-05-28 22:01:58,428",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 13879
          },
          {
            "timestamp": "2026-05-28 22:01:58,428",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29254bf0002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "NetLogon.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x0000002a"
              }
            ],
            "repeated": 0,
            "id": 13880
          },
          {
            "timestamp": "2026-05-28 22:01:58,428",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "FindResourceExW",
            "status": true,
            "return": "0x29254cd05b8",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29254bf0002"
              },
              {
                "name": "Type",
                "value": "#6"
              },
              {
                "name": "Name",
                "value": "#126"
              },
              {
                "name": "Language",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 13881
          },
          {
            "timestamp": "2026-05-28 22:01:58,428",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "SizeofResource",
            "status": true,
            "return": "0x0000036e",
            "arguments": [
              {
                "name": "ModuleHandle",
                "value": "0x29254bf0002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29254cd05b8"
              }
            ],
            "repeated": 0,
            "id": 13882
          },
          {
            "timestamp": "2026-05-28 22:01:58,428",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "LoadResource",
            "status": true,
            "return": "0x29254cd1040",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29254bf0002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29254cd05b8"
              }
            ],
            "repeated": 0,
            "id": 13883
          },
          {
            "timestamp": "2026-05-28 22:01:58,428",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254cd0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 13884
          },
          {
            "timestamp": "2026-05-28 22:01:58,428",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000008f0"
              }
            ],
            "repeated": 0,
            "id": 13885
          },
          {
            "timestamp": "2026-05-28 22:01:58,428",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254bf0000"
              },
              {
                "name": "RegionSize",
                "value": "0x000dd000"
              }
            ],
            "repeated": 0,
            "id": 13886
          },
          {
            "timestamp": "2026-05-28 22:01:58,428",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 13887
          },
          {
            "timestamp": "2026-05-28 22:01:58,428",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29254bf0002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\system32\\drivers\\usbxhci.sys"
              },
              {
                "name": "dwFlags",
                "value": "0x0000002a"
              }
            ],
            "repeated": 0,
            "id": 13888
          },
          {
            "timestamp": "2026-05-28 22:01:58,428",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "FindResourceExW",
            "status": true,
            "return": "0x29254c905c0",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29254bf0002"
              },
              {
                "name": "Type",
                "value": "#6"
              },
              {
                "name": "Name",
                "value": "#1"
              },
              {
                "name": "Language",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 13889
          },
          {
            "timestamp": "2026-05-28 22:01:58,428",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "SizeofResource",
            "status": true,
            "return": "0x0000029a",
            "arguments": [
              {
                "name": "ModuleHandle",
                "value": "0x29254bf0002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29254c905c0"
              }
            ],
            "repeated": 0,
            "id": 13890
          },
          {
            "timestamp": "2026-05-28 22:01:58,428",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "LoadResource",
            "status": true,
            "return": "0x29254c90710",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29254bf0002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29254c905c0"
              }
            ],
            "repeated": 0,
            "id": 13891
          },
          {
            "timestamp": "2026-05-28 22:01:58,428",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254c90000"
              },
              {
                "name": "RegionSize",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 13892
          },
          {
            "timestamp": "2026-05-28 22:01:58,428",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000008f0"
              }
            ],
            "repeated": 0,
            "id": 13893
          },
          {
            "timestamp": "2026-05-28 22:01:58,428",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254bf0000"
              },
              {
                "name": "RegionSize",
                "value": "0x0009e000"
              }
            ],
            "repeated": 0,
            "id": 13894
          },
          {
            "timestamp": "2026-05-28 22:01:58,428",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 13895
          },
          {
            "timestamp": "2026-05-28 22:01:58,428",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29254bf0002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\system32\\drivers\\usbxhci.sys"
              },
              {
                "name": "dwFlags",
                "value": "0x0000002a"
              }
            ],
            "repeated": 0,
            "id": 13896
          },
          {
            "timestamp": "2026-05-28 22:01:58,428",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "FindResourceExW",
            "status": true,
            "return": "0x29254c905e0",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29254bf0002"
              },
              {
                "name": "Type",
                "value": "#6"
              },
              {
                "name": "Name",
                "value": "#7"
              },
              {
                "name": "Language",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 13897
          },
          {
            "timestamp": "2026-05-28 22:01:58,428",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "SizeofResource",
            "status": true,
            "return": "0x00000214",
            "arguments": [
              {
                "name": "ModuleHandle",
                "value": "0x29254bf0002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29254c905e0"
              }
            ],
            "repeated": 0,
            "id": 13898
          },
          {
            "timestamp": "2026-05-28 22:01:58,428",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "LoadResource",
            "status": true,
            "return": "0x29254c90c08",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29254bf0002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29254c905e0"
              }
            ],
            "repeated": 0,
            "id": 13899
          },
          {
            "timestamp": "2026-05-28 22:01:58,428",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254c90000"
              },
              {
                "name": "RegionSize",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 13900
          },
          {
            "timestamp": "2026-05-28 22:01:58,428",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000008f0"
              }
            ],
            "repeated": 0,
            "id": 13901
          },
          {
            "timestamp": "2026-05-28 22:01:58,428",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254bf0000"
              },
              {
                "name": "RegionSize",
                "value": "0x0009e000"
              }
            ],
            "repeated": 0,
            "id": 13902
          },
          {
            "timestamp": "2026-05-28 22:01:58,428",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 13903
          },
          {
            "timestamp": "2026-05-28 22:01:58,428",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29254bf0002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\system32\\drivers\\usbxhci.sys"
              },
              {
                "name": "dwFlags",
                "value": "0x0000002a"
              }
            ],
            "repeated": 0,
            "id": 13904
          },
          {
            "timestamp": "2026-05-28 22:01:58,428",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "FindResourceExW",
            "status": true,
            "return": "0x29254c90610",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29254bf0002"
              },
              {
                "name": "Type",
                "value": "#6"
              },
              {
                "name": "Name",
                "value": "#13"
              },
              {
                "name": "Language",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 13905
          },
          {
            "timestamp": "2026-05-28 22:01:58,428",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "SizeofResource",
            "status": true,
            "return": "0x000001aa",
            "arguments": [
              {
                "name": "ModuleHandle",
                "value": "0x29254bf0002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29254c90610"
              }
            ],
            "repeated": 0,
            "id": 13906
          },
          {
            "timestamp": "2026-05-28 22:01:58,428",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "LoadResource",
            "status": true,
            "return": "0x29254c91178",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29254bf0002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29254c90610"
              }
            ],
            "repeated": 0,
            "id": 13907
          },
          {
            "timestamp": "2026-05-28 22:01:58,428",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254c90000"
              },
              {
                "name": "RegionSize",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 13908
          },
          {
            "timestamp": "2026-05-28 22:01:58,428",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000008f0"
              }
            ],
            "repeated": 0,
            "id": 13909
          },
          {
            "timestamp": "2026-05-28 22:01:58,428",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254bf0000"
              },
              {
                "name": "RegionSize",
                "value": "0x0009e000"
              }
            ],
            "repeated": 0,
            "id": 13910
          },
          {
            "timestamp": "2026-05-28 22:01:58,428",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 13911
          },
          {
            "timestamp": "2026-05-28 22:01:58,428",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29254bf0002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "drt.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x0000002a"
              }
            ],
            "repeated": 0,
            "id": 13912
          },
          {
            "timestamp": "2026-05-28 22:01:58,428",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "FindResourceExW",
            "status": true,
            "return": "0x29254c405c0",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29254bf0002"
              },
              {
                "name": "Type",
                "value": "#6"
              },
              {
                "name": "Name",
                "value": "#1"
              },
              {
                "name": "Language",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 13913
          },
          {
            "timestamp": "2026-05-28 22:01:58,428",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "SizeofResource",
            "status": true,
            "return": "0x00000474",
            "arguments": [
              {
                "name": "ModuleHandle",
                "value": "0x29254bf0002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29254c405c0"
              }
            ],
            "repeated": 0,
            "id": 13914
          },
          {
            "timestamp": "2026-05-28 22:01:58,428",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "LoadResource",
            "status": true,
            "return": "0x29254c40710",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29254bf0002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29254c405c0"
              }
            ],
            "repeated": 0,
            "id": 13915
          },
          {
            "timestamp": "2026-05-28 22:01:58,428",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254c40000"
              },
              {
                "name": "RegionSize",
                "value": "0x00003000"
              }
            ],
            "repeated": 0,
            "id": 13916
          },
          {
            "timestamp": "2026-05-28 22:01:58,428",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000008f0"
              }
            ],
            "repeated": 0,
            "id": 13917
          },
          {
            "timestamp": "2026-05-28 22:01:58,428",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254bf0000"
              },
              {
                "name": "RegionSize",
                "value": "0x0004a000"
              }
            ],
            "repeated": 0,
            "id": 13918
          },
          {
            "timestamp": "2026-05-28 22:01:58,428",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 13919
          },
          {
            "timestamp": "2026-05-28 22:01:58,428",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29254bf0002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\system32\\drivers\\ndis.sys"
              },
              {
                "name": "dwFlags",
                "value": "0x0000002a"
              }
            ],
            "repeated": 0,
            "id": 13920
          },
          {
            "timestamp": "2026-05-28 22:01:58,428",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "FindResourceExW",
            "status": true,
            "return": "0x29254d609d0",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29254bf0002"
              },
              {
                "name": "Type",
                "value": "#6"
              },
              {
                "name": "Name",
                "value": "#55"
              },
              {
                "name": "Language",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 13921
          },
          {
            "timestamp": "2026-05-28 22:01:58,428",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "SizeofResource",
            "status": true,
            "return": "0x00000224",
            "arguments": [
              {
                "name": "ModuleHandle",
                "value": "0x29254bf0002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29254d609d0"
              }
            ],
            "repeated": 0,
            "id": 13922
          },
          {
            "timestamp": "2026-05-28 22:01:58,428",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "LoadResource",
            "status": true,
            "return": "0x29254d66798",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29254bf0002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29254d609d0"
              }
            ],
            "repeated": 0,
            "id": 13923
          },
          {
            "timestamp": "2026-05-28 22:01:58,428",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254d60000"
              },
              {
                "name": "RegionSize",
                "value": "0x00011000"
              }
            ],
            "repeated": 0,
            "id": 13924
          },
          {
            "timestamp": "2026-05-28 22:01:58,428",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000008f0"
              }
            ],
            "repeated": 0,
            "id": 13925
          },
          {
            "timestamp": "2026-05-28 22:01:58,428",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254bf0000"
              },
              {
                "name": "RegionSize",
                "value": "0x0016f000"
              }
            ],
            "repeated": 0,
            "id": 13926
          },
          {
            "timestamp": "2026-05-28 22:01:58,428",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 13927
          },
          {
            "timestamp": "2026-05-28 22:01:58,428",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29254bf0002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\system32\\drivers\\ndis.sys"
              },
              {
                "name": "dwFlags",
                "value": "0x0000002a"
              }
            ],
            "repeated": 0,
            "id": 13928
          },
          {
            "timestamp": "2026-05-28 22:01:58,428",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "FindResourceExW",
            "status": true,
            "return": "0x29254d609a0",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29254bf0002"
              },
              {
                "name": "Type",
                "value": "#6"
              },
              {
                "name": "Name",
                "value": "#52"
              },
              {
                "name": "Language",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 13929
          },
          {
            "timestamp": "2026-05-28 22:01:58,428",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "SizeofResource",
            "status": true,
            "return": "0x0000045c",
            "arguments": [
              {
                "name": "ModuleHandle",
                "value": "0x29254bf0002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29254d609a0"
              }
            ],
            "repeated": 0,
            "id": 13930
          },
          {
            "timestamp": "2026-05-28 22:01:58,428",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "LoadResource",
            "status": true,
            "return": "0x29254d65ebc",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29254bf0002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29254d609a0"
              }
            ],
            "repeated": 0,
            "id": 13931
          },
          {
            "timestamp": "2026-05-28 22:01:58,428",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254d60000"
              },
              {
                "name": "RegionSize",
                "value": "0x00011000"
              }
            ],
            "repeated": 0,
            "id": 13932
          },
          {
            "timestamp": "2026-05-28 22:01:58,428",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000008f0"
              }
            ],
            "repeated": 0,
            "id": 13933
          },
          {
            "timestamp": "2026-05-28 22:01:58,428",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254bf0000"
              },
              {
                "name": "RegionSize",
                "value": "0x0016f000"
              }
            ],
            "repeated": 0,
            "id": 13934
          },
          {
            "timestamp": "2026-05-28 22:01:58,428",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 13935
          },
          {
            "timestamp": "2026-05-28 22:01:58,428",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29254bf0002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\system32\\drivers\\ndis.sys"
              },
              {
                "name": "dwFlags",
                "value": "0x0000002a"
              }
            ],
            "repeated": 0,
            "id": 13936
          },
          {
            "timestamp": "2026-05-28 22:01:58,428",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "FindResourceExW",
            "status": true,
            "return": "0x29254d60990",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29254bf0002"
              },
              {
                "name": "Type",
                "value": "#6"
              },
              {
                "name": "Name",
                "value": "#51"
              },
              {
                "name": "Language",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 13937
          },
          {
            "timestamp": "2026-05-28 22:01:58,428",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "SizeofResource",
            "status": true,
            "return": "0x0000083e",
            "arguments": [
              {
                "name": "ModuleHandle",
                "value": "0x29254bf0002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29254d60990"
              }
            ],
            "repeated": 0,
            "id": 13938
          },
          {
            "timestamp": "2026-05-28 22:01:58,428",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "LoadResource",
            "status": true,
            "return": "0x29254d6567c",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29254bf0002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29254d60990"
              }
            ],
            "repeated": 0,
            "id": 13939
          },
          {
            "timestamp": "2026-05-28 22:01:58,428",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254d60000"
              },
              {
                "name": "RegionSize",
                "value": "0x00011000"
              }
            ],
            "repeated": 0,
            "id": 13940
          },
          {
            "timestamp": "2026-05-28 22:01:58,428",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000008f0"
              }
            ],
            "repeated": 0,
            "id": 13941
          },
          {
            "timestamp": "2026-05-28 22:01:58,428",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254bf0000"
              },
              {
                "name": "RegionSize",
                "value": "0x0016f000"
              }
            ],
            "repeated": 0,
            "id": 13942
          },
          {
            "timestamp": "2026-05-28 22:01:58,428",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 13943
          },
          {
            "timestamp": "2026-05-28 22:01:58,428",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29254bf0002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\system32\\drivers\\ndis.sys"
              },
              {
                "name": "dwFlags",
                "value": "0x0000002a"
              }
            ],
            "repeated": 0,
            "id": 13944
          },
          {
            "timestamp": "2026-05-28 22:01:58,428",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "FindResourceExW",
            "status": true,
            "return": "0x29254d60880",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29254bf0002"
              },
              {
                "name": "Type",
                "value": "#6"
              },
              {
                "name": "Name",
                "value": "#1"
              },
              {
                "name": "Language",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 13945
          },
          {
            "timestamp": "2026-05-28 22:01:58,428",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "SizeofResource",
            "status": true,
            "return": "0x000005ce",
            "arguments": [
              {
                "name": "ModuleHandle",
                "value": "0x29254bf0002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29254d60880"
              }
            ],
            "repeated": 0,
            "id": 13946
          },
          {
            "timestamp": "2026-05-28 22:01:58,428",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "LoadResource",
            "status": true,
            "return": "0x29254d60b30",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29254bf0002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29254d60880"
              }
            ],
            "repeated": 0,
            "id": 13947
          },
          {
            "timestamp": "2026-05-28 22:01:58,428",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254d60000"
              },
              {
                "name": "RegionSize",
                "value": "0x00011000"
              }
            ],
            "repeated": 0,
            "id": 13948
          },
          {
            "timestamp": "2026-05-28 22:01:58,428",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000008f0"
              }
            ],
            "repeated": 0,
            "id": 13949
          },
          {
            "timestamp": "2026-05-28 22:01:58,428",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254bf0000"
              },
              {
                "name": "RegionSize",
                "value": "0x0016f000"
              }
            ],
            "repeated": 0,
            "id": 13950
          },
          {
            "timestamp": "2026-05-28 22:01:58,428",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 13951
          },
          {
            "timestamp": "2026-05-28 22:01:58,428",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29254bf0002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\system32\\drivers\\ndis.sys"
              },
              {
                "name": "dwFlags",
                "value": "0x0000002a"
              }
            ],
            "repeated": 0,
            "id": 13952
          },
          {
            "timestamp": "2026-05-28 22:01:58,428",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "FindResourceExW",
            "status": true,
            "return": "0x29254d608c0",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29254bf0002"
              },
              {
                "name": "Type",
                "value": "#6"
              },
              {
                "name": "Name",
                "value": "#5"
              },
              {
                "name": "Language",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 13953
          },
          {
            "timestamp": "2026-05-28 22:01:58,428",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "SizeofResource",
            "status": true,
            "return": "0x00000712",
            "arguments": [
              {
                "name": "ModuleHandle",
                "value": "0x29254bf0002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29254d608c0"
              }
            ],
            "repeated": 0,
            "id": 13954
          },
          {
            "timestamp": "2026-05-28 22:01:58,428",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "LoadResource",
            "status": true,
            "return": "0x29254d6241c",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29254bf0002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29254d608c0"
              }
            ],
            "repeated": 0,
            "id": 13955
          },
          {
            "timestamp": "2026-05-28 22:01:58,428",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254d60000"
              },
              {
                "name": "RegionSize",
                "value": "0x00011000"
              }
            ],
            "repeated": 0,
            "id": 13956
          },
          {
            "timestamp": "2026-05-28 22:01:58,428",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000008f0"
              }
            ],
            "repeated": 0,
            "id": 13957
          },
          {
            "timestamp": "2026-05-28 22:01:58,428",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254bf0000"
              },
              {
                "name": "RegionSize",
                "value": "0x0016f000"
              }
            ],
            "repeated": 0,
            "id": 13958
          },
          {
            "timestamp": "2026-05-28 22:01:58,428",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 13959
          },
          {
            "timestamp": "2026-05-28 22:01:58,428",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29254bf0002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\system32\\drivers\\ndis.sys"
              },
              {
                "name": "dwFlags",
                "value": "0x0000002a"
              }
            ],
            "repeated": 0,
            "id": 13960
          },
          {
            "timestamp": "2026-05-28 22:01:58,428",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "FindResourceExW",
            "status": true,
            "return": "0x29254d60a40",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29254bf0002"
              },
              {
                "name": "Type",
                "value": "#6"
              },
              {
                "name": "Name",
                "value": "#62"
              },
              {
                "name": "Language",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 13961
          },
          {
            "timestamp": "2026-05-28 22:01:58,428",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "SizeofResource",
            "status": true,
            "return": "0x0000033a",
            "arguments": [
              {
                "name": "ModuleHandle",
                "value": "0x29254bf0002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29254d60a40"
              }
            ],
            "repeated": 0,
            "id": 13962
          },
          {
            "timestamp": "2026-05-28 22:01:58,428",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "LoadResource",
            "status": true,
            "return": "0x29254d6734c",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29254bf0002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29254d60a40"
              }
            ],
            "repeated": 0,
            "id": 13963
          },
          {
            "timestamp": "2026-05-28 22:01:58,428",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254d60000"
              },
              {
                "name": "RegionSize",
                "value": "0x00011000"
              }
            ],
            "repeated": 0,
            "id": 13964
          },
          {
            "timestamp": "2026-05-28 22:01:58,428",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000008f0"
              }
            ],
            "repeated": 0,
            "id": 13965
          },
          {
            "timestamp": "2026-05-28 22:01:58,428",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254bf0000"
              },
              {
                "name": "RegionSize",
                "value": "0x0016f000"
              }
            ],
            "repeated": 0,
            "id": 13966
          },
          {
            "timestamp": "2026-05-28 22:01:58,428",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 13967
          },
          {
            "timestamp": "2026-05-28 22:01:58,428",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29254bf0002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\system32\\drivers\\ndis.sys"
              },
              {
                "name": "dwFlags",
                "value": "0x0000002a"
              }
            ],
            "repeated": 0,
            "id": 13968
          },
          {
            "timestamp": "2026-05-28 22:01:58,428",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "FindResourceExW",
            "status": true,
            "return": "0x29254d609b0",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29254bf0002"
              },
              {
                "name": "Type",
                "value": "#6"
              },
              {
                "name": "Name",
                "value": "#53"
              },
              {
                "name": "Language",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 13969
          },
          {
            "timestamp": "2026-05-28 22:01:58,428",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "SizeofResource",
            "status": true,
            "return": "0x00000272",
            "arguments": [
              {
                "name": "ModuleHandle",
                "value": "0x29254bf0002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29254d609b0"
              }
            ],
            "repeated": 0,
            "id": 13970
          },
          {
            "timestamp": "2026-05-28 22:01:58,428",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "LoadResource",
            "status": true,
            "return": "0x29254d66318",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29254bf0002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29254d609b0"
              }
            ],
            "repeated": 0,
            "id": 13971
          },
          {
            "timestamp": "2026-05-28 22:01:58,428",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254d60000"
              },
              {
                "name": "RegionSize",
                "value": "0x00011000"
              }
            ],
            "repeated": 0,
            "id": 13972
          },
          {
            "timestamp": "2026-05-28 22:01:58,428",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000008f0"
              }
            ],
            "repeated": 0,
            "id": 13973
          },
          {
            "timestamp": "2026-05-28 22:01:58,428",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254bf0000"
              },
              {
                "name": "RegionSize",
                "value": "0x0016f000"
              }
            ],
            "repeated": 0,
            "id": 13974
          },
          {
            "timestamp": "2026-05-28 22:01:58,428",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 13975
          },
          {
            "timestamp": "2026-05-28 22:01:58,428",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29254bf0002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\system32\\drivers\\ndis.sys"
              },
              {
                "name": "dwFlags",
                "value": "0x0000002a"
              }
            ],
            "repeated": 0,
            "id": 13976
          },
          {
            "timestamp": "2026-05-28 22:01:58,428",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "FindResourceExW",
            "status": true,
            "return": "0x29254d60940",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29254bf0002"
              },
              {
                "name": "Type",
                "value": "#6"
              },
              {
                "name": "Name",
                "value": "#19"
              },
              {
                "name": "Language",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 13977
          },
          {
            "timestamp": "2026-05-28 22:01:58,428",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "SizeofResource",
            "status": true,
            "return": "0x00000122",
            "arguments": [
              {
                "name": "ModuleHandle",
                "value": "0x29254bf0002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29254d60940"
              }
            ],
            "repeated": 0,
            "id": 13978
          },
          {
            "timestamp": "2026-05-28 22:01:58,428",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "LoadResource",
            "status": true,
            "return": "0x29254d64c08",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29254bf0002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29254d60940"
              }
            ],
            "repeated": 0,
            "id": 13979
          },
          {
            "timestamp": "2026-05-28 22:01:58,428",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254d60000"
              },
              {
                "name": "RegionSize",
                "value": "0x00011000"
              }
            ],
            "repeated": 0,
            "id": 13980
          },
          {
            "timestamp": "2026-05-28 22:01:58,428",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000008f0"
              }
            ],
            "repeated": 0,
            "id": 13981
          },
          {
            "timestamp": "2026-05-28 22:01:58,428",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254bf0000"
              },
              {
                "name": "RegionSize",
                "value": "0x0016f000"
              }
            ],
            "repeated": 0,
            "id": 13982
          },
          {
            "timestamp": "2026-05-28 22:01:58,428",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 13983
          },
          {
            "timestamp": "2026-05-28 22:01:58,428",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29254bf0002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\system32\\drivers\\ndis.sys"
              },
              {
                "name": "dwFlags",
                "value": "0x0000002a"
              }
            ],
            "repeated": 0,
            "id": 13984
          },
          {
            "timestamp": "2026-05-28 22:01:58,428",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "FindResourceExW",
            "status": true,
            "return": "0x29254d60a00",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29254bf0002"
              },
              {
                "name": "Type",
                "value": "#6"
              },
              {
                "name": "Name",
                "value": "#58"
              },
              {
                "name": "Language",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 13985
          },
          {
            "timestamp": "2026-05-28 22:01:58,428",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "SizeofResource",
            "status": true,
            "return": "0x000000ee",
            "arguments": [
              {
                "name": "ModuleHandle",
                "value": "0x29254bf0002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29254d60a00"
              }
            ],
            "repeated": 0,
            "id": 13986
          },
          {
            "timestamp": "2026-05-28 22:01:58,428",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "LoadResource",
            "status": true,
            "return": "0x29254d66bc0",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29254bf0002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29254d60a00"
              }
            ],
            "repeated": 0,
            "id": 13987
          },
          {
            "timestamp": "2026-05-28 22:01:58,428",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254d60000"
              },
              {
                "name": "RegionSize",
                "value": "0x00011000"
              }
            ],
            "repeated": 0,
            "id": 13988
          },
          {
            "timestamp": "2026-05-28 22:01:58,428",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000008f0"
              }
            ],
            "repeated": 0,
            "id": 13989
          },
          {
            "timestamp": "2026-05-28 22:01:58,428",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254bf0000"
              },
              {
                "name": "RegionSize",
                "value": "0x0016f000"
              }
            ],
            "repeated": 0,
            "id": 13990
          },
          {
            "timestamp": "2026-05-28 22:01:58,428",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 13991
          },
          {
            "timestamp": "2026-05-28 22:01:58,428",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29254bf0002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\system32\\advapi32res.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x0000002a"
              }
            ],
            "repeated": 0,
            "id": 13992
          },
          {
            "timestamp": "2026-05-28 22:01:58,428",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "FindResourceExW",
            "status": true,
            "return": "0x29254c00b28",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29254bf0002"
              },
              {
                "name": "Type",
                "value": "#6"
              },
              {
                "name": "Name",
                "value": "#31"
              },
              {
                "name": "Language",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 13993
          },
          {
            "timestamp": "2026-05-28 22:01:58,428",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "SizeofResource",
            "status": true,
            "return": "0x000003c0",
            "arguments": [
              {
                "name": "ModuleHandle",
                "value": "0x29254bf0002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29254c00b28"
              }
            ],
            "repeated": 0,
            "id": 13994
          },
          {
            "timestamp": "2026-05-28 22:01:58,428",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "LoadResource",
            "status": true,
            "return": "0x29254c0e47c",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29254bf0002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29254c00b28"
              }
            ],
            "repeated": 0,
            "id": 13995
          },
          {
            "timestamp": "2026-05-28 22:01:58,428",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254c00000"
              },
              {
                "name": "RegionSize",
                "value": "0x00011000"
              }
            ],
            "repeated": 0,
            "id": 13996
          },
          {
            "timestamp": "2026-05-28 22:01:58,428",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000008f0"
              }
            ],
            "repeated": 0,
            "id": 13997
          },
          {
            "timestamp": "2026-05-28 22:01:58,428",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254bf0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00003000"
              }
            ],
            "repeated": 0,
            "id": 13998
          },
          {
            "timestamp": "2026-05-28 22:01:58,428",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 13999
          },
          {
            "timestamp": "2026-05-28 22:01:58,428",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29254bf0002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\system32\\advapi32res.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x0000002a"
              }
            ],
            "repeated": 0,
            "id": 14000
          },
          {
            "timestamp": "2026-05-28 22:01:58,428",
            "thread_id": "1496",
            "caller": "0x7ff6c28da9db",
            "parentcaller": "0x7ff6c28d6fb1",
            "category": "misc",
            "api": "GetCursorPos",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "x",
                "value": "647"
              },
              {
                "name": "y",
                "value": "390"
              }
            ],
            "repeated": 0,
            "id": 14001
          },
          {
            "timestamp": "2026-05-28 22:01:58,428",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "FindResourceExW",
            "status": true,
            "return": "0x29254c00a58",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29254bf0002"
              },
              {
                "name": "Type",
                "value": "#6"
              },
              {
                "name": "Name",
                "value": "#18"
              },
              {
                "name": "Language",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 14002
          },
          {
            "timestamp": "2026-05-28 22:01:58,428",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "SizeofResource",
            "status": true,
            "return": "0x000004f2",
            "arguments": [
              {
                "name": "ModuleHandle",
                "value": "0x29254bf0002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29254c00a58"
              }
            ],
            "repeated": 0,
            "id": 14003
          },
          {
            "timestamp": "2026-05-28 22:01:58,428",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "LoadResource",
            "status": true,
            "return": "0x29254c09e6c",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29254bf0002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29254c00a58"
              }
            ],
            "repeated": 0,
            "id": 14004
          },
          {
            "timestamp": "2026-05-28 22:01:58,428",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254c00000"
              },
              {
                "name": "RegionSize",
                "value": "0x00011000"
              }
            ],
            "repeated": 0,
            "id": 14005
          },
          {
            "timestamp": "2026-05-28 22:01:58,428",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000008f0"
              }
            ],
            "repeated": 0,
            "id": 14006
          },
          {
            "timestamp": "2026-05-28 22:01:58,428",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254bf0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00003000"
              }
            ],
            "repeated": 0,
            "id": 14007
          },
          {
            "timestamp": "2026-05-28 22:01:58,428",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 14008
          },
          {
            "timestamp": "2026-05-28 22:01:58,428",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29254bf0002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\system32\\advapi32res.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x0000002a"
              }
            ],
            "repeated": 0,
            "id": 14009
          },
          {
            "timestamp": "2026-05-28 22:01:58,428",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "FindResourceExW",
            "status": true,
            "return": "0x29254c00948",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29254bf0002"
              },
              {
                "name": "Type",
                "value": "#6"
              },
              {
                "name": "Name",
                "value": "#1"
              },
              {
                "name": "Language",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 14010
          },
          {
            "timestamp": "2026-05-28 22:01:58,428",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "SizeofResource",
            "status": true,
            "return": "0x00001888",
            "arguments": [
              {
                "name": "ModuleHandle",
                "value": "0x29254bf0002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29254c00948"
              }
            ],
            "repeated": 0,
            "id": 14011
          },
          {
            "timestamp": "2026-05-28 22:01:58,428",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "LoadResource",
            "status": true,
            "return": "0x29254c00c60",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29254bf0002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29254c00948"
              }
            ],
            "repeated": 0,
            "id": 14012
          },
          {
            "timestamp": "2026-05-28 22:01:58,428",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254c00000"
              },
              {
                "name": "RegionSize",
                "value": "0x00011000"
              }
            ],
            "repeated": 0,
            "id": 14013
          },
          {
            "timestamp": "2026-05-28 22:01:58,428",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000008f0"
              }
            ],
            "repeated": 0,
            "id": 14014
          },
          {
            "timestamp": "2026-05-28 22:01:58,428",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254bf0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00003000"
              }
            ],
            "repeated": 0,
            "id": 14015
          },
          {
            "timestamp": "2026-05-28 22:01:58,428",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 14016
          },
          {
            "timestamp": "2026-05-28 22:01:58,428",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6f98",
            "parentcaller": "0x7ff6c28e0076",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00000042"
              },
              {
                "name": "uiParam",
                "value": "0x00000010"
              }
            ],
            "repeated": 0,
            "id": 14017
          },
          {
            "timestamp": "2026-05-28 22:01:58,428",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29254bf0002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\system32\\advapi32res.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x0000002a"
              }
            ],
            "repeated": 0,
            "id": 14018
          },
          {
            "timestamp": "2026-05-28 22:01:58,428",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "FindResourceExW",
            "status": true,
            "return": "0x29254c00b38",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29254bf0002"
              },
              {
                "name": "Type",
                "value": "#6"
              },
              {
                "name": "Name",
                "value": "#32"
              },
              {
                "name": "Language",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 14019
          },
          {
            "timestamp": "2026-05-28 22:01:58,428",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "SizeofResource",
            "status": true,
            "return": "0x000003d6",
            "arguments": [
              {
                "name": "ModuleHandle",
                "value": "0x29254bf0002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29254c00b38"
              }
            ],
            "repeated": 0,
            "id": 14020
          },
          {
            "timestamp": "2026-05-28 22:01:58,428",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "LoadResource",
            "status": true,
            "return": "0x29254c0e83c",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29254bf0002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29254c00b38"
              }
            ],
            "repeated": 0,
            "id": 14021
          },
          {
            "timestamp": "2026-05-28 22:01:58,428",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254c00000"
              },
              {
                "name": "RegionSize",
                "value": "0x00011000"
              }
            ],
            "repeated": 0,
            "id": 14022
          },
          {
            "timestamp": "2026-05-28 22:01:58,428",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000008f0"
              }
            ],
            "repeated": 0,
            "id": 14023
          },
          {
            "timestamp": "2026-05-28 22:01:58,428",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254bf0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00003000"
              }
            ],
            "repeated": 0,
            "id": 14024
          },
          {
            "timestamp": "2026-05-28 22:01:58,428",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 14025
          },
          {
            "timestamp": "2026-05-28 22:01:58,428",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29254bf0002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\system32\\advapi32res.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x0000002a"
              }
            ],
            "repeated": 0,
            "id": 14026
          },
          {
            "timestamp": "2026-05-28 22:01:58,428",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "FindResourceExW",
            "status": true,
            "return": "0x29254c00a48",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29254bf0002"
              },
              {
                "name": "Type",
                "value": "#6"
              },
              {
                "name": "Name",
                "value": "#17"
              },
              {
                "name": "Language",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 14027
          },
          {
            "timestamp": "2026-05-28 22:01:58,428",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "SizeofResource",
            "status": true,
            "return": "0x000006f6",
            "arguments": [
              {
                "name": "ModuleHandle",
                "value": "0x29254bf0002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29254c00a48"
              }
            ],
            "repeated": 0,
            "id": 14028
          },
          {
            "timestamp": "2026-05-28 22:01:58,428",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "LoadResource",
            "status": true,
            "return": "0x29254c09774",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29254bf0002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29254c00a48"
              }
            ],
            "repeated": 0,
            "id": 14029
          },
          {
            "timestamp": "2026-05-28 22:01:58,428",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254c00000"
              },
              {
                "name": "RegionSize",
                "value": "0x00011000"
              }
            ],
            "repeated": 0,
            "id": 14030
          },
          {
            "timestamp": "2026-05-28 22:01:58,428",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000008f0"
              }
            ],
            "repeated": 0,
            "id": 14031
          },
          {
            "timestamp": "2026-05-28 22:01:58,428",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254bf0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00003000"
              }
            ],
            "repeated": 0,
            "id": 14032
          },
          {
            "timestamp": "2026-05-28 22:01:58,428",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 14033
          },
          {
            "timestamp": "2026-05-28 22:01:58,428",
            "thread_id": "1496",
            "caller": "0x7ff6c28da9db",
            "parentcaller": "0x7ff6c28d6fb1",
            "category": "misc",
            "api": "GetCursorPos",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "x",
                "value": "646"
              },
              {
                "name": "y",
                "value": "391"
              }
            ],
            "repeated": 0,
            "id": 14034
          },
          {
            "timestamp": "2026-05-28 22:01:58,428",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29254bf0002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\system32\\advapi32res.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x0000002a"
              }
            ],
            "repeated": 0,
            "id": 14035
          },
          {
            "timestamp": "2026-05-28 22:01:58,428",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6fb1",
            "parentcaller": "0x7ff6c28e0076",
            "category": "system",
            "api": "NtDelayExecution",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 14036
          },
          {
            "timestamp": "2026-05-28 22:01:58,428",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "FindResourceExW",
            "status": true,
            "return": "0x29254c00998",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29254bf0002"
              },
              {
                "name": "Type",
                "value": "#6"
              },
              {
                "name": "Name",
                "value": "#6"
              },
              {
                "name": "Language",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 14037
          },
          {
            "timestamp": "2026-05-28 22:01:58,428",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "SizeofResource",
            "status": true,
            "return": "0x00000594",
            "arguments": [
              {
                "name": "ModuleHandle",
                "value": "0x29254bf0002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29254c00998"
              }
            ],
            "repeated": 0,
            "id": 14038
          },
          {
            "timestamp": "2026-05-28 22:01:58,428",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "LoadResource",
            "status": true,
            "return": "0x29254c05d7c",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29254bf0002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29254c00998"
              }
            ],
            "repeated": 0,
            "id": 14039
          },
          {
            "timestamp": "2026-05-28 22:01:58,428",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254c00000"
              },
              {
                "name": "RegionSize",
                "value": "0x00011000"
              }
            ],
            "repeated": 0,
            "id": 14040
          },
          {
            "timestamp": "2026-05-28 22:01:58,443",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000008f0"
              }
            ],
            "repeated": 0,
            "id": 14041
          },
          {
            "timestamp": "2026-05-28 22:01:58,443",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254bf0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00003000"
              }
            ],
            "repeated": 0,
            "id": 14042
          },
          {
            "timestamp": "2026-05-28 22:01:58,443",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 14043
          },
          {
            "timestamp": "2026-05-28 22:01:58,443",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29254bf0002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\system32\\advapi32res.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x0000002a"
              }
            ],
            "repeated": 0,
            "id": 14044
          },
          {
            "timestamp": "2026-05-28 22:01:58,443",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "FindResourceExW",
            "status": true,
            "return": "0x29254c00a78",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29254bf0002"
              },
              {
                "name": "Type",
                "value": "#6"
              },
              {
                "name": "Name",
                "value": "#20"
              },
              {
                "name": "Language",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 14045
          },
          {
            "timestamp": "2026-05-28 22:01:58,443",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "SizeofResource",
            "status": true,
            "return": "0x000006ba",
            "arguments": [
              {
                "name": "ModuleHandle",
                "value": "0x29254bf0002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29254c00a78"
              }
            ],
            "repeated": 0,
            "id": 14046
          },
          {
            "timestamp": "2026-05-28 22:01:58,443",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "LoadResource",
            "status": true,
            "return": "0x29254c0a95c",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29254bf0002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29254c00a78"
              }
            ],
            "repeated": 0,
            "id": 14047
          },
          {
            "timestamp": "2026-05-28 22:01:58,443",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254c00000"
              },
              {
                "name": "RegionSize",
                "value": "0x00011000"
              }
            ],
            "repeated": 0,
            "id": 14048
          },
          {
            "timestamp": "2026-05-28 22:01:58,443",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000008f0"
              }
            ],
            "repeated": 0,
            "id": 14049
          },
          {
            "timestamp": "2026-05-28 22:01:58,443",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254bf0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00003000"
              }
            ],
            "repeated": 0,
            "id": 14050
          },
          {
            "timestamp": "2026-05-28 22:01:58,443",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 14051
          },
          {
            "timestamp": "2026-05-28 22:01:58,443",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29254bf0002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\system32\\w32time.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x0000002a"
              }
            ],
            "repeated": 0,
            "id": 14052
          },
          {
            "timestamp": "2026-05-28 22:01:58,443",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "FindResourceExW",
            "status": true,
            "return": "0x29254c80580",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29254bf0002"
              },
              {
                "name": "Type",
                "value": "#6"
              },
              {
                "name": "Name",
                "value": "#1"
              },
              {
                "name": "Language",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 14053
          },
          {
            "timestamp": "2026-05-28 22:01:58,443",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "SizeofResource",
            "status": true,
            "return": "0x00000d5e",
            "arguments": [
              {
                "name": "ModuleHandle",
                "value": "0x29254bf0002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29254c80580"
              }
            ],
            "repeated": 0,
            "id": 14054
          },
          {
            "timestamp": "2026-05-28 22:01:58,443",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "LoadResource",
            "status": true,
            "return": "0x29254c806b0",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29254bf0002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29254c80580"
              }
            ],
            "repeated": 0,
            "id": 14055
          },
          {
            "timestamp": "2026-05-28 22:01:58,443",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254c80000"
              },
              {
                "name": "RegionSize",
                "value": "0x0000e000"
              }
            ],
            "repeated": 0,
            "id": 14056
          },
          {
            "timestamp": "2026-05-28 22:01:58,443",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000008f0"
              }
            ],
            "repeated": 0,
            "id": 14057
          },
          {
            "timestamp": "2026-05-28 22:01:58,443",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254bf0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00086000"
              }
            ],
            "repeated": 0,
            "id": 14058
          },
          {
            "timestamp": "2026-05-28 22:01:58,443",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 14059
          },
          {
            "timestamp": "2026-05-28 22:01:58,443",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29254bf0002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\system32\\drivers\\mrxsmb.sys"
              },
              {
                "name": "dwFlags",
                "value": "0x0000002a"
              }
            ],
            "repeated": 0,
            "id": 14060
          },
          {
            "timestamp": "2026-05-28 22:01:58,443",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "FindResourceExW",
            "status": true,
            "return": "0x29254c90620",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29254bf0002"
              },
              {
                "name": "Type",
                "value": "#6"
              },
              {
                "name": "Name",
                "value": "#1"
              },
              {
                "name": "Language",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 14061
          },
          {
            "timestamp": "2026-05-28 22:01:58,443",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "SizeofResource",
            "status": true,
            "return": "0x00000218",
            "arguments": [
              {
                "name": "ModuleHandle",
                "value": "0x29254bf0002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29254c90620"
              }
            ],
            "repeated": 0,
            "id": 14062
          },
          {
            "timestamp": "2026-05-28 22:01:58,443",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "LoadResource",
            "status": true,
            "return": "0x29254c907a0",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29254bf0002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29254c90620"
              }
            ],
            "repeated": 0,
            "id": 14063
          },
          {
            "timestamp": "2026-05-28 22:01:58,443",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254c90000"
              },
              {
                "name": "RegionSize",
                "value": "0x00013000"
              }
            ],
            "repeated": 0,
            "id": 14064
          },
          {
            "timestamp": "2026-05-28 22:01:58,443",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000008f0"
              }
            ],
            "repeated": 0,
            "id": 14065
          },
          {
            "timestamp": "2026-05-28 22:01:58,443",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254bf0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00094000"
              }
            ],
            "repeated": 0,
            "id": 14066
          },
          {
            "timestamp": "2026-05-28 22:01:58,443",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 14067
          },
          {
            "timestamp": "2026-05-28 22:01:58,443",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29254bf0002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\system32\\appvetwclientres.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x0000002a"
              }
            ],
            "repeated": 0,
            "id": 14068
          },
          {
            "timestamp": "2026-05-28 22:01:58,443",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "FindResourceExW",
            "status": true,
            "return": "0x29254bf2138",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29254bf0002"
              },
              {
                "name": "Type",
                "value": "#6"
              },
              {
                "name": "Name",
                "value": "#7"
              },
              {
                "name": "Language",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 14069
          },
          {
            "timestamp": "2026-05-28 22:01:58,443",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "SizeofResource",
            "status": true,
            "return": "0x00000222",
            "arguments": [
              {
                "name": "ModuleHandle",
                "value": "0x29254bf0002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29254bf2138"
              }
            ],
            "repeated": 0,
            "id": 14070
          },
          {
            "timestamp": "2026-05-28 22:01:58,443",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "LoadResource",
            "status": true,
            "return": "0x29254c12178",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29254bf0002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29254bf2138"
              }
            ],
            "repeated": 0,
            "id": 14071
          },
          {
            "timestamp": "2026-05-28 22:01:58,443",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254bf0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00023000"
              }
            ],
            "repeated": 0,
            "id": 14072
          },
          {
            "timestamp": "2026-05-28 22:01:58,443",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 14073
          },
          {
            "timestamp": "2026-05-28 22:01:58,443",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29254bf0002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\system32\\drivers\\tcpip.sys"
              },
              {
                "name": "dwFlags",
                "value": "0x0000002a"
              }
            ],
            "repeated": 0,
            "id": 14074
          },
          {
            "timestamp": "2026-05-28 22:01:58,443",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "FindResourceExW",
            "status": true,
            "return": "0x29254ee07a0",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29254bf0002"
              },
              {
                "name": "Type",
                "value": "#6"
              },
              {
                "name": "Name",
                "value": "#126"
              },
              {
                "name": "Language",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 14075
          },
          {
            "timestamp": "2026-05-28 22:01:58,443",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "SizeofResource",
            "status": true,
            "return": "0x00000364",
            "arguments": [
              {
                "name": "ModuleHandle",
                "value": "0x29254bf0002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29254ee07a0"
              }
            ],
            "repeated": 0,
            "id": 14076
          },
          {
            "timestamp": "2026-05-28 22:01:58,443",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "LoadResource",
            "status": true,
            "return": "0x29254ee3cc4",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29254bf0002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29254ee07a0"
              }
            ],
            "repeated": 0,
            "id": 14077
          },
          {
            "timestamp": "2026-05-28 22:01:58,443",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254ee0000"
              },
              {
                "name": "RegionSize",
                "value": "0x0002a000"
              }
            ],
            "repeated": 0,
            "id": 14078
          },
          {
            "timestamp": "2026-05-28 22:01:58,443",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000008f0"
              }
            ],
            "repeated": 0,
            "id": 14079
          },
          {
            "timestamp": "2026-05-28 22:01:58,443",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254bf0000"
              },
              {
                "name": "RegionSize",
                "value": "0x002ed000"
              }
            ],
            "repeated": 0,
            "id": 14080
          },
          {
            "timestamp": "2026-05-28 22:01:58,443",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 14081
          },
          {
            "timestamp": "2026-05-28 22:01:58,443",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29254bf0002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\System32\\wevtsvc.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x0000002a"
              }
            ],
            "repeated": 0,
            "id": 14082
          },
          {
            "timestamp": "2026-05-28 22:01:58,443",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "FindResourceExW",
            "status": true,
            "return": "0x29254dd0540",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29254bf0002"
              },
              {
                "name": "Type",
                "value": "#6"
              },
              {
                "name": "Name",
                "value": "#7"
              },
              {
                "name": "Language",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 14083
          },
          {
            "timestamp": "2026-05-28 22:01:58,443",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "SizeofResource",
            "status": true,
            "return": "0x00000122",
            "arguments": [
              {
                "name": "ModuleHandle",
                "value": "0x29254bf0002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29254dd0540"
              }
            ],
            "repeated": 0,
            "id": 14084
          },
          {
            "timestamp": "2026-05-28 22:01:58,443",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "LoadResource",
            "status": true,
            "return": "0x29254dd0650",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29254bf0002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29254dd0540"
              }
            ],
            "repeated": 0,
            "id": 14085
          },
          {
            "timestamp": "2026-05-28 22:01:58,443",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254dd0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 14086
          },
          {
            "timestamp": "2026-05-28 22:01:58,443",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000008f0"
              }
            ],
            "repeated": 0,
            "id": 14087
          },
          {
            "timestamp": "2026-05-28 22:01:58,443",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254bf0000"
              },
              {
                "name": "RegionSize",
                "value": "0x001d3000"
              }
            ],
            "repeated": 0,
            "id": 14088
          },
          {
            "timestamp": "2026-05-28 22:01:58,443",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 14089
          },
          {
            "timestamp": "2026-05-28 22:01:58,443",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29254bf0002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "PeerDistSvc.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x0000002a"
              }
            ],
            "repeated": 0,
            "id": 14090
          },
          {
            "timestamp": "2026-05-28 22:01:58,443",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "FindResourceExW",
            "status": true,
            "return": "0x29254de05c0",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29254bf0002"
              },
              {
                "name": "Type",
                "value": "#6"
              },
              {
                "name": "Name",
                "value": "#1"
              },
              {
                "name": "Language",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 14091
          },
          {
            "timestamp": "2026-05-28 22:01:58,443",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "SizeofResource",
            "status": true,
            "return": "0x0000036a",
            "arguments": [
              {
                "name": "ModuleHandle",
                "value": "0x29254bf0002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29254de05c0"
              }
            ],
            "repeated": 0,
            "id": 14092
          },
          {
            "timestamp": "2026-05-28 22:01:58,443",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "LoadResource",
            "status": true,
            "return": "0x29254de0710",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29254bf0002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29254de05c0"
              }
            ],
            "repeated": 0,
            "id": 14093
          },
          {
            "timestamp": "2026-05-28 22:01:58,443",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254de0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00008000"
              }
            ],
            "repeated": 0,
            "id": 14094
          },
          {
            "timestamp": "2026-05-28 22:01:58,443",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000008f0"
              }
            ],
            "repeated": 0,
            "id": 14095
          },
          {
            "timestamp": "2026-05-28 22:01:58,443",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254bf0000"
              },
              {
                "name": "RegionSize",
                "value": "0x001e7000"
              }
            ],
            "repeated": 0,
            "id": 14096
          },
          {
            "timestamp": "2026-05-28 22:01:58,443",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 14097
          },
          {
            "timestamp": "2026-05-28 22:01:58,443",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29254bf0002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "WsmRes.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x0000002a"
              }
            ],
            "repeated": 0,
            "id": 14098
          },
          {
            "timestamp": "2026-05-28 22:01:58,443",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "FindResourceExW",
            "status": true,
            "return": "0x29254c10520",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29254bf0002"
              },
              {
                "name": "Type",
                "value": "#6"
              },
              {
                "name": "Name",
                "value": "#1"
              },
              {
                "name": "Language",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 14099
          },
          {
            "timestamp": "2026-05-28 22:01:58,443",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "SizeofResource",
            "status": true,
            "return": "0x000003cc",
            "arguments": [
              {
                "name": "ModuleHandle",
                "value": "0x29254bf0002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29254c10520"
              }
            ],
            "repeated": 0,
            "id": 14100
          },
          {
            "timestamp": "2026-05-28 22:01:58,443",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "LoadResource",
            "status": true,
            "return": "0x29254c10620",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29254bf0002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29254c10520"
              }
            ],
            "repeated": 0,
            "id": 14101
          },
          {
            "timestamp": "2026-05-28 22:01:58,443",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254c10000"
              },
              {
                "name": "RegionSize",
                "value": "0x0005a000"
              }
            ],
            "repeated": 0,
            "id": 14102
          },
          {
            "timestamp": "2026-05-28 22:01:58,443",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000008f0"
              }
            ],
            "repeated": 0,
            "id": 14103
          },
          {
            "timestamp": "2026-05-28 22:01:58,443",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254bf0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00011000"
              }
            ],
            "repeated": 0,
            "id": 14104
          },
          {
            "timestamp": "2026-05-28 22:01:58,443",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 14105
          },
          {
            "timestamp": "2026-05-28 22:01:58,443",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29254bf0002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "vid.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x0000002a"
              }
            ],
            "repeated": 0,
            "id": 14106
          },
          {
            "timestamp": "2026-05-28 22:01:58,443",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "FindResourceExW",
            "status": true,
            "return": "0x29254c114c8",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29254bf0002"
              },
              {
                "name": "Type",
                "value": "#6"
              },
              {
                "name": "Name",
                "value": "#1877"
              },
              {
                "name": "Language",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 14107
          },
          {
            "timestamp": "2026-05-28 22:01:58,443",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "SizeofResource",
            "status": true,
            "return": "0x000000ee",
            "arguments": [
              {
                "name": "ModuleHandle",
                "value": "0x29254bf0002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29254c114c8"
              }
            ],
            "repeated": 0,
            "id": 14108
          },
          {
            "timestamp": "2026-05-28 22:01:58,443",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "LoadResource",
            "status": true,
            "return": "0x29254c11da0",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29254bf0002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29254c114c8"
              }
            ],
            "repeated": 0,
            "id": 14109
          },
          {
            "timestamp": "2026-05-28 22:01:58,443",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254c10000"
              },
              {
                "name": "RegionSize",
                "value": "0x0001c000"
              }
            ],
            "repeated": 0,
            "id": 14110
          },
          {
            "timestamp": "2026-05-28 22:01:58,443",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000008f0"
              }
            ],
            "repeated": 0,
            "id": 14111
          },
          {
            "timestamp": "2026-05-28 22:01:58,443",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254bf0000"
              },
              {
                "name": "RegionSize",
                "value": "0x0001b000"
              }
            ],
            "repeated": 0,
            "id": 14112
          },
          {
            "timestamp": "2026-05-28 22:01:58,443",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 14113
          },
          {
            "timestamp": "2026-05-28 22:01:58,443",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29254bf0002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\system32\\mprddm.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x0000002a"
              }
            ],
            "repeated": 0,
            "id": 14114
          },
          {
            "timestamp": "2026-05-28 22:01:58,443",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "FindResourceExW",
            "status": true,
            "return": "0x29254ce0590",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29254bf0002"
              },
              {
                "name": "Type",
                "value": "#6"
              },
              {
                "name": "Name",
                "value": "#7"
              },
              {
                "name": "Language",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 14115
          },
          {
            "timestamp": "2026-05-28 22:01:58,443",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "SizeofResource",
            "status": true,
            "return": "0x0000022a",
            "arguments": [
              {
                "name": "ModuleHandle",
                "value": "0x29254bf0002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29254ce0590"
              }
            ],
            "repeated": 0,
            "id": 14116
          },
          {
            "timestamp": "2026-05-28 22:01:58,443",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "LoadResource",
            "status": true,
            "return": "0x29254ce07e4",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29254bf0002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29254ce0590"
              }
            ],
            "repeated": 0,
            "id": 14117
          },
          {
            "timestamp": "2026-05-28 22:01:58,443",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254ce0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00002000"
              }
            ],
            "repeated": 0,
            "id": 14118
          },
          {
            "timestamp": "2026-05-28 22:01:58,443",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000008f0"
              }
            ],
            "repeated": 0,
            "id": 14119
          },
          {
            "timestamp": "2026-05-28 22:01:58,443",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254bf0000"
              },
              {
                "name": "RegionSize",
                "value": "0x000e6000"
              }
            ],
            "repeated": 0,
            "id": 14120
          },
          {
            "timestamp": "2026-05-28 22:01:58,443",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib"
              },
              {
                "name": "Handle",
                "value": "0x000008f0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib"
              }
            ],
            "repeated": 0,
            "id": 14121
          },
          {
            "timestamp": "2026-05-28 22:01:58,443",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000008f0"
              },
              {
                "name": "ValueName",
                "value": "Last Help"
              },
              {
                "name": "Data",
                "value": "9885"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\Last Help"
              }
            ],
            "repeated": 0,
            "id": 14122
          },
          {
            "timestamp": "2026-05-28 22:01:58,443",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000008f0"
              },
              {
                "name": "ValueName",
                "value": "Last Counter"
              },
              {
                "name": "Data",
                "value": "9884"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\Last Counter"
              }
            ],
            "repeated": 0,
            "id": 14123
          },
          {
            "timestamp": "2026-05-28 22:01:58,443",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000008f0"
              },
              {
                "name": "ValueName",
                "value": "Version"
              },
              {
                "name": "Data",
                "value": "65537"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\Version"
              }
            ],
            "repeated": 0,
            "id": 14124
          },
          {
            "timestamp": "2026-05-28 22:01:58,443",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 1,
            "id": 14125
          },
          {
            "timestamp": "2026-05-28 22:01:58,475",
            "thread_id": "1496",
            "caller": "0x7ff6c28da9db",
            "parentcaller": "0x7ff6c28d6fb1",
            "category": "misc",
            "api": "GetCursorPos",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "x",
                "value": "644"
              },
              {
                "name": "y",
                "value": "392"
              }
            ],
            "repeated": 0,
            "id": 14126
          },
          {
            "timestamp": "2026-05-28 22:01:58,475",
            "thread_id": "1496",
            "caller": "0x7ff6c28da9db",
            "parentcaller": "0x7ff6c28d6fb1",
            "category": "misc",
            "api": "GetCursorPos",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "x",
                "value": "638"
              },
              {
                "name": "y",
                "value": "401"
              }
            ],
            "repeated": 0,
            "id": 14127
          },
          {
            "timestamp": "2026-05-28 22:01:58,475",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6fb1",
            "parentcaller": "0x7ff6c28e0076",
            "category": "system",
            "api": "NtDelayExecution",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 14128
          },
          {
            "timestamp": "2026-05-28 22:01:58,475",
            "thread_id": "1496",
            "caller": "0x7ff6c28da9db",
            "parentcaller": "0x7ff6c28d6fb1",
            "category": "misc",
            "api": "GetCursorPos",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "x",
                "value": "637"
              },
              {
                "name": "y",
                "value": "401"
              }
            ],
            "repeated": 0,
            "id": 14129
          },
          {
            "timestamp": "2026-05-28 22:01:58,475",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6fb1",
            "parentcaller": "0x7ff6c28e0076",
            "category": "system",
            "api": "NtDelayExecution",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 14130
          },
          {
            "timestamp": "2026-05-28 22:01:58,475",
            "thread_id": "1496",
            "caller": "0x7ff6c28da9db",
            "parentcaller": "0x7ff6c28d6fb1",
            "category": "misc",
            "api": "GetCursorPos",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "x",
                "value": "637"
              },
              {
                "name": "y",
                "value": "402"
              }
            ],
            "repeated": 0,
            "id": 14131
          },
          {
            "timestamp": "2026-05-28 22:01:58,475",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6fb1",
            "parentcaller": "0x7ff6c28e0076",
            "category": "system",
            "api": "NtDelayExecution",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 14132
          },
          {
            "timestamp": "2026-05-28 22:01:58,490",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x80000004"
              },
              {
                "name": "ValueName",
                "value": "Counter 0409"
              },
              {
                "name": "FullName",
                "value": "HKEY_PERFORMANCE_DATA\\Counter 0409"
              }
            ],
            "repeated": 0,
            "id": 14133
          },
          {
            "timestamp": "2026-05-28 22:01:58,490",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 1,
            "id": 14134
          },
          {
            "timestamp": "2026-05-28 22:01:58,490",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x80000004"
              },
              {
                "name": "ValueName",
                "value": "Counter 009"
              },
              {
                "name": "FullName",
                "value": "HKEY_PERFORMANCE_DATA\\Counter 009"
              }
            ],
            "repeated": 0,
            "id": 14135
          },
          {
            "timestamp": "2026-05-28 22:01:58,490",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 1,
            "id": 14136
          },
          {
            "timestamp": "2026-05-28 22:01:58,490",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x80000004"
              },
              {
                "name": "ValueName",
                "value": "Counter 0409"
              },
              {
                "name": "FullName",
                "value": "HKEY_PERFORMANCE_DATA\\Counter 0409"
              }
            ],
            "repeated": 0,
            "id": 14137
          },
          {
            "timestamp": "2026-05-28 22:01:58,490",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 1,
            "id": 14138
          },
          {
            "timestamp": "2026-05-28 22:01:58,506",
            "thread_id": "2700",
            "caller": "0x7ffc756e54eb",
            "parentcaller": "0x7ffc77b98ce0",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "10"
              },
              {
                "name": "TokenInformation",
                "value": "\\xc4\\x1e\n\\x00\\x00\\x00\\x00\\x00]Y\\x02\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x7f\\x02\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x94\\x0f\\x00\\x00\\x0e\\x00\\x00\\x00\\x18\\x00\\x00\\x00\\xa4\\xd0\t\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 14139
          },
          {
            "timestamp": "2026-05-28 22:01:58,506",
            "thread_id": "2700",
            "caller": "0x7ffc756e6785",
            "parentcaller": "0x7ffc77b98c8a",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a00"
              }
            ],
            "repeated": 0,
            "id": 14140
          },
          {
            "timestamp": "2026-05-28 22:01:58,506",
            "thread_id": "2700",
            "caller": "0x7ffc77bf0e98",
            "parentcaller": "0x7ffc77c6b785",
            "category": "windows",
            "api": "PostMessageW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "WindowHandle",
                "value": "0x00010424"
              },
              {
                "name": "Message",
                "value": "0x00000400"
              }
            ],
            "repeated": 0,
            "id": 14141
          },
          {
            "timestamp": "2026-05-28 22:01:58,521",
            "thread_id": "1496",
            "caller": "0x7ff6c28da9db",
            "parentcaller": "0x7ff6c28d6fb1",
            "category": "misc",
            "api": "GetCursorPos",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "x",
                "value": "636"
              },
              {
                "name": "y",
                "value": "402"
              }
            ],
            "repeated": 0,
            "id": 14142
          },
          {
            "timestamp": "2026-05-28 22:01:58,521",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6fb1",
            "parentcaller": "0x7ff6c28e0076",
            "category": "system",
            "api": "NtDelayExecution",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 14143
          },
          {
            "timestamp": "2026-05-28 22:01:58,521",
            "thread_id": "1496",
            "caller": "0x7ff6c28da9db",
            "parentcaller": "0x7ff6c28d6fb1",
            "category": "misc",
            "api": "GetCursorPos",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "x",
                "value": "636"
              },
              {
                "name": "y",
                "value": "403"
              }
            ],
            "repeated": 0,
            "id": 14144
          },
          {
            "timestamp": "2026-05-28 22:01:58,521",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6fb1",
            "parentcaller": "0x7ff6c28e0076",
            "category": "system",
            "api": "NtDelayExecution",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 14145
          },
          {
            "timestamp": "2026-05-28 22:01:58,553",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x80000004"
              },
              {
                "name": "ValueName",
                "value": "Explain 0409"
              },
              {
                "name": "FullName",
                "value": "HKEY_PERFORMANCE_DATA\\Explain 0409"
              }
            ],
            "repeated": 0,
            "id": 14146
          },
          {
            "timestamp": "2026-05-28 22:01:58,553",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x292553f0000"
              },
              {
                "name": "RegionSize",
                "value": "0x0015f000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 14147
          },
          {
            "timestamp": "2026-05-28 22:01:58,553",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2925554e000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 14148
          },
          {
            "timestamp": "2026-05-28 22:01:58,553",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 1,
            "id": 14149
          },
          {
            "timestamp": "2026-05-28 22:01:58,553",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x80000004"
              },
              {
                "name": "ValueName",
                "value": "Counter 0409"
              },
              {
                "name": "Data",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00/\\x6556\\x7372\\x6f69\\x5c6e\\x6550\\x6672\\x696c\\x5c62\\x565f\\x5032\\x6f72\\x6976\\x6564\\x7372\\x7b5c\\x3735\\x3836\\x6633\\x3630\\x612d\\x3830\\x2d62\\x3734\\x3830\\x382d\\x3238\\x2d35\\x6335\\x3632\\x3466\\x3031\\x3437\\x6234\\x5c7d\\x7250\\x766f\\x6469\\x7265\\x7954\\x6570"
              },
              {
                "name": "FullName",
                "value": "HKEY_PERFORMANCE_DATA\\Counter 0409"
              }
            ],
            "repeated": 0,
            "id": 14150
          },
          {
            "timestamp": "2026-05-28 22:01:58,553",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 1,
            "id": 14151
          },
          {
            "timestamp": "2026-05-28 22:01:58,553",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x80000004"
              },
              {
                "name": "ValueName",
                "value": "Explain 0409"
              },
              {
                "name": "Data",
                "value": "\\x00\\x00\\x00ux00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00/\\x6556\\x7372\\x6f69\\x5c6e\\x6550\\x6672\\x696c\\x5c62\\x565f\\x5032\\x6f72\\x6976\\x6564\\x7372\\x7b5c\\x3735\\x3836\\x6633\\x3630\\x612d\\x3830\\x2d62\\x3734\\x3830\\x382d\\x3238\\x2d35\\x6335\\x3632\\x3466\\x3031\\x3437\\x6234\\x5c7d\\x7250\\x766f\\x6469\\x7265\\x7954\\x6570"
              },
              {
                "name": "FullName",
                "value": "HKEY_PERFORMANCE_DATA\\Explain 0409"
              }
            ],
            "repeated": 0,
            "id": 14152
          },
          {
            "timestamp": "2026-05-28 22:01:58,568",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000008f0"
              }
            ],
            "repeated": 0,
            "id": 14153
          },
          {
            "timestamp": "2026-05-28 22:01:58,568",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 1,
            "id": 14154
          },
          {
            "timestamp": "2026-05-28 22:01:58,568",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29255550002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\system32\\drivers\\dxgmms2.sys"
              },
              {
                "name": "dwFlags",
                "value": "0x0000002a"
              }
            ],
            "repeated": 0,
            "id": 14155
          },
          {
            "timestamp": "2026-05-28 22:01:58,568",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "FindResourceExW",
            "status": true,
            "return": "0x29255629168",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29255550002"
              },
              {
                "name": "Type",
                "value": "#6"
              },
              {
                "name": "Name",
                "value": "#626"
              },
              {
                "name": "Language",
                "value": "0x00000409"
              }
            ],
            "repeated": 0,
            "id": 14156
          },
          {
            "timestamp": "2026-05-28 22:01:58,568",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "SizeofResource",
            "status": true,
            "return": "0x000001bc",
            "arguments": [
              {
                "name": "ModuleHandle",
                "value": "0x29255550002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29255629168"
              }
            ],
            "repeated": 0,
            "id": 14157
          },
          {
            "timestamp": "2026-05-28 22:01:58,568",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "LoadResource",
            "status": true,
            "return": "0x29255629578",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29255550002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29255629168"
              }
            ],
            "repeated": 0,
            "id": 14158
          },
          {
            "timestamp": "2026-05-28 22:01:58,568",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "FindResourceExW",
            "status": true,
            "return": "0x29255629168",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29255550002"
              },
              {
                "name": "Type",
                "value": "#6"
              },
              {
                "name": "Name",
                "value": "#626"
              },
              {
                "name": "Language",
                "value": "0x00000409"
              }
            ],
            "repeated": 0,
            "id": 14159
          },
          {
            "timestamp": "2026-05-28 22:01:58,568",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "SizeofResource",
            "status": true,
            "return": "0x000001bc",
            "arguments": [
              {
                "name": "ModuleHandle",
                "value": "0x29255550002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29255629168"
              }
            ],
            "repeated": 0,
            "id": 14160
          },
          {
            "timestamp": "2026-05-28 22:01:58,568",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "LoadResource",
            "status": true,
            "return": "0x29255629578",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29255550002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29255629168"
              }
            ],
            "repeated": 0,
            "id": 14161
          },
          {
            "timestamp": "2026-05-28 22:01:58,568",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29255550000"
              },
              {
                "name": "RegionSize",
                "value": "0x000e1000"
              }
            ],
            "repeated": 0,
            "id": 14162
          },
          {
            "timestamp": "2026-05-28 22:01:58,568",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "GetComputerNameW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ComputerName",
                "value": "JOHNS-PC"
              }
            ],
            "repeated": 0,
            "id": 14163
          },
          {
            "timestamp": "2026-05-28 22:01:58,568",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "synchronization",
            "api": "NtCreateMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000008f0"
              },
              {
                "name": "MutexName",
                "value": ""
              },
              {
                "name": "InitialOwner",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 14164
          },
          {
            "timestamp": "2026-05-28 22:01:58,568",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "GetComputerNameW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ComputerName",
                "value": "JOHNS-PC"
              }
            ],
            "repeated": 0,
            "id": 14165
          },
          {
            "timestamp": "2026-05-28 22:01:58,568",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 14166
          },
          {
            "timestamp": "2026-05-28 22:01:58,568",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000410"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\PcwDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00224017"
              },
              {
                "name": "InputBuffer",
                "value": "\\x14\\x00\\x02\\x00\\x00\\x00\\x00\\x00(\\xdd\\x88T\\x92\\x02\\x00\\x00\\xd0\\xc6%w\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": "\\x1e\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\x80\\x00\\x00\\x00\\x01\\x00\\x00\\x00p\\x00i\\x00d\\x00_\\x004\\x00_\\x00l\\x00u\\x00i\\x00d\\x00_\\x000\\x00x\\x000\\x000\\x000\\x000\\x000\\x000\\x000\\x000\\x00_\\x000\\x00x\\x000\\x000\\x000\\x000\\x006\\x001\\x006\\x00A\\x00_\\x00p\\x00h\\x00y\\x00s\\x00_\\x000\\x00_\\x00e\\x00n\\x00g\\x00_\\x000\\x00_\\x00e\\x00n\\x00g\\x00t\\x00y\\x00p\\x00e\\x00_\\x003\\x00D\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x80\\x00\\x00\\x00\\x02\\x00\\x00\\x00p\\x00i\\x00d\\x00_\\x004\\x00_\\x00l\\x00u\\x00i\\x00d\\x00_\\x000\\x00x\\x000\\x000\\x000\\x000\\x000\\x000\\x000\\x000\\x00_\\x000\\x00x\\x000\\x000\\x000\\x000\\x006\\x001\\x006\\x00A\\x00_\\x00p\\x00h\\x00y\\x00s\\x00_\\x000\\x00_\\x00e\\x00n\\x00g\\x00_\\x001\\x00_\\x00e\\x00n\\x00g\\x00t\\x00y\\x00p\\x00e\\x00_\\x003\\x00D\\x00"
              }
            ],
            "repeated": 0,
            "id": 14167
          },
          {
            "timestamp": "2026-05-28 22:01:58,568",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254a5e000"
              },
              {
                "name": "RegionSize",
                "value": "0x00051000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 14168
          },
          {
            "timestamp": "2026-05-28 22:01:58,568",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254982000"
              },
              {
                "name": "RegionSize",
                "value": "0x0004c000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 14169
          },
          {
            "timestamp": "2026-05-28 22:01:58,568",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254a33000"
              },
              {
                "name": "RegionSize",
                "value": "0x00029000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 14170
          },
          {
            "timestamp": "2026-05-28 22:01:58,568",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254ab2000"
              },
              {
                "name": "RegionSize",
                "value": "0x0001a000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 14171
          },
          {
            "timestamp": "2026-05-28 22:01:58,568",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x292549d6000"
              },
              {
                "name": "RegionSize",
                "value": "0x0000b000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 14172
          },
          {
            "timestamp": "2026-05-28 22:01:58,568",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x292549f4000"
              },
              {
                "name": "RegionSize",
                "value": "0x00004000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 14173
          },
          {
            "timestamp": "2026-05-28 22:01:58,568",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1402",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 1,
            "id": 14174
          },
          {
            "timestamp": "2026-05-28 22:01:58,568",
            "thread_id": "8604",
            "caller": "0x7ff6c28d145e",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x292549f4000"
              },
              {
                "name": "RegionSize",
                "value": "0x00004000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 14175
          },
          {
            "timestamp": "2026-05-28 22:01:58,568",
            "thread_id": "8604",
            "caller": "0x7ff6c28d145e",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 14176
          },
          {
            "timestamp": "2026-05-28 22:01:58,568",
            "thread_id": "8604",
            "caller": "0x7ff6c28d145e",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29255550002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\system32\\drivers\\dxgmms2.sys"
              },
              {
                "name": "dwFlags",
                "value": "0x0000002a"
              }
            ],
            "repeated": 0,
            "id": 14177
          },
          {
            "timestamp": "2026-05-28 22:01:58,568",
            "thread_id": "8604",
            "caller": "0x7ff6c28d145e",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "FindResourceExW",
            "status": true,
            "return": "0x29255629178",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29255550002"
              },
              {
                "name": "Type",
                "value": "#6"
              },
              {
                "name": "Name",
                "value": "#627"
              },
              {
                "name": "Language",
                "value": "0x00000409"
              }
            ],
            "repeated": 0,
            "id": 14178
          },
          {
            "timestamp": "2026-05-28 22:01:58,568",
            "thread_id": "8604",
            "caller": "0x7ff6c28d145e",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "SizeofResource",
            "status": true,
            "return": "0x00000254",
            "arguments": [
              {
                "name": "ModuleHandle",
                "value": "0x29255550002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29255629178"
              }
            ],
            "repeated": 0,
            "id": 14179
          },
          {
            "timestamp": "2026-05-28 22:01:58,568",
            "thread_id": "8604",
            "caller": "0x7ff6c28d145e",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "LoadResource",
            "status": true,
            "return": "0x29255629738",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29255550002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29255629178"
              }
            ],
            "repeated": 0,
            "id": 14180
          },
          {
            "timestamp": "2026-05-28 22:01:58,568",
            "thread_id": "8604",
            "caller": "0x7ff6c28d145e",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "FindResourceExW",
            "status": true,
            "return": "0x29255629178",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29255550002"
              },
              {
                "name": "Type",
                "value": "#6"
              },
              {
                "name": "Name",
                "value": "#627"
              },
              {
                "name": "Language",
                "value": "0x00000409"
              }
            ],
            "repeated": 0,
            "id": 14181
          },
          {
            "timestamp": "2026-05-28 22:01:58,568",
            "thread_id": "8604",
            "caller": "0x7ff6c28d145e",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "SizeofResource",
            "status": true,
            "return": "0x00000254",
            "arguments": [
              {
                "name": "ModuleHandle",
                "value": "0x29255550002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29255629178"
              }
            ],
            "repeated": 0,
            "id": 14182
          },
          {
            "timestamp": "2026-05-28 22:01:58,568",
            "thread_id": "8604",
            "caller": "0x7ff6c28d145e",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "LoadResource",
            "status": true,
            "return": "0x29255629738",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29255550002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29255629178"
              }
            ],
            "repeated": 0,
            "id": 14183
          },
          {
            "timestamp": "2026-05-28 22:01:58,568",
            "thread_id": "8604",
            "caller": "0x7ff6c28d145e",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "FindResourceExW",
            "status": true,
            "return": "0x29255629188",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29255550002"
              },
              {
                "name": "Type",
                "value": "#6"
              },
              {
                "name": "Name",
                "value": "#628"
              },
              {
                "name": "Language",
                "value": "0x00000409"
              }
            ],
            "repeated": 0,
            "id": 14184
          },
          {
            "timestamp": "2026-05-28 22:01:58,568",
            "thread_id": "8604",
            "caller": "0x7ff6c28d145e",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "SizeofResource",
            "status": true,
            "return": "0x00000080",
            "arguments": [
              {
                "name": "ModuleHandle",
                "value": "0x29255550002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29255629188"
              }
            ],
            "repeated": 0,
            "id": 14185
          },
          {
            "timestamp": "2026-05-28 22:01:58,568",
            "thread_id": "8604",
            "caller": "0x7ff6c28d145e",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "LoadResource",
            "status": true,
            "return": "0x29255629990",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29255550002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29255629188"
              }
            ],
            "repeated": 0,
            "id": 14186
          },
          {
            "timestamp": "2026-05-28 22:01:58,568",
            "thread_id": "8604",
            "caller": "0x7ff6c28d145e",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29255550000"
              },
              {
                "name": "RegionSize",
                "value": "0x000e1000"
              }
            ],
            "repeated": 0,
            "id": 14187
          },
          {
            "timestamp": "2026-05-28 22:01:58,568",
            "thread_id": "8604",
            "caller": "0x7ff6c28d145e",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 14188
          },
          {
            "timestamp": "2026-05-28 22:01:58,568",
            "thread_id": "8604",
            "caller": "0x7ff6c28d145e",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x292549d6000"
              },
              {
                "name": "RegionSize",
                "value": "0x0000b000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 14189
          },
          {
            "timestamp": "2026-05-28 22:01:58,568",
            "thread_id": "8604",
            "caller": "0x7ff6c28d145e",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000410"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\PcwDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00224017"
              },
              {
                "name": "InputBuffer",
                "value": "$\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\xb0&\\x8cT\\x92\\x02\\x00\\x00\\xd0\\xc6%w\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": "\\x01\\x00\\x00\\x00\\x08\\x00\\x00\\x00P\\x00\\x00\\x00\\x01\\x00\\x00\\x00l\\x00u\\x00i\\x00d\\x00_\\x000\\x00x\\x000\\x000\\x000\\x000\\x000\\x000\\x000\\x000\\x00_\\x000\\x00x\\x000\\x000\\x000\\x000\\x006\\x001\\x006\\x00A\\x00_\\x00p\\x00h\\x00y\\x00s\\x00_\\x000\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 14190
          },
          {
            "timestamp": "2026-05-28 22:01:58,568",
            "thread_id": "8604",
            "caller": "0x7ff6c28d145e",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 2,
            "id": 14191
          },
          {
            "timestamp": "2026-05-28 22:01:58,568",
            "thread_id": "8604",
            "caller": "0x7ff6c28d14e8",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29255550002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\system32\\drivers\\dxgmms2.sys"
              },
              {
                "name": "dwFlags",
                "value": "0x0000002a"
              }
            ],
            "repeated": 0,
            "id": 14192
          },
          {
            "timestamp": "2026-05-28 22:01:58,568",
            "thread_id": "8604",
            "caller": "0x7ff6c28d14e8",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "FindResourceExW",
            "status": true,
            "return": "0x29255629178",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29255550002"
              },
              {
                "name": "Type",
                "value": "#6"
              },
              {
                "name": "Name",
                "value": "#627"
              },
              {
                "name": "Language",
                "value": "0x00000409"
              }
            ],
            "repeated": 0,
            "id": 14193
          },
          {
            "timestamp": "2026-05-28 22:01:58,568",
            "thread_id": "8604",
            "caller": "0x7ff6c28d14e8",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "SizeofResource",
            "status": true,
            "return": "0x00000254",
            "arguments": [
              {
                "name": "ModuleHandle",
                "value": "0x29255550002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29255629178"
              }
            ],
            "repeated": 0,
            "id": 14194
          },
          {
            "timestamp": "2026-05-28 22:01:58,568",
            "thread_id": "8604",
            "caller": "0x7ff6c28d14e8",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "LoadResource",
            "status": true,
            "return": "0x29255629738",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29255550002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29255629178"
              }
            ],
            "repeated": 0,
            "id": 14195
          },
          {
            "timestamp": "2026-05-28 22:01:58,568",
            "thread_id": "8604",
            "caller": "0x7ff6c28d14e8",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29255550000"
              },
              {
                "name": "RegionSize",
                "value": "0x000e1000"
              }
            ],
            "repeated": 0,
            "id": 14196
          },
          {
            "timestamp": "2026-05-28 22:01:58,568",
            "thread_id": "8604",
            "caller": "0x7ff6c28d14e8",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 14197
          },
          {
            "timestamp": "2026-05-28 22:01:58,568",
            "thread_id": "8604",
            "caller": "0x7ff6c28d14e8",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000410"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\PcwDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00224017"
              },
              {
                "name": "InputBuffer",
                "value": "0\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\xa0,4T\\x92\\x02\\x00\\x00\\xd0\\xc6%w\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": "\\x01\\x00\\x00\\x00\\x08\\x00\\x00\\x00`\\x00\\x00\\x00\\x01\\x00\\x00\\x00l\\x00u\\x00i\\x00d\\x00_\\x000\\x00x\\x000\\x000\\x000\\x000\\x000\\x000\\x000\\x000\\x00_\\x000\\x00x\\x000\\x000\\x000\\x000\\x006\\x001\\x006\\x00A\\x00_\\x00p\\x00h\\x00y\\x00s\\x00_\\x000\\x00_\\x00p\\x00a\\x00r\\x00t\\x00_\\x000\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 14198
          },
          {
            "timestamp": "2026-05-28 22:01:58,568",
            "thread_id": "8604",
            "caller": "0x7ff6c28d14e8",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 2,
            "id": 14199
          },
          {
            "timestamp": "2026-05-28 22:01:58,568",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1516",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29255550002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\system32\\drivers\\dxgmms2.sys"
              },
              {
                "name": "dwFlags",
                "value": "0x0000002a"
              }
            ],
            "repeated": 0,
            "id": 14200
          },
          {
            "timestamp": "2026-05-28 22:01:58,568",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1516",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "FindResourceExW",
            "status": true,
            "return": "0x29255629178",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29255550002"
              },
              {
                "name": "Type",
                "value": "#6"
              },
              {
                "name": "Name",
                "value": "#627"
              },
              {
                "name": "Language",
                "value": "0x00000409"
              }
            ],
            "repeated": 0,
            "id": 14201
          },
          {
            "timestamp": "2026-05-28 22:01:58,568",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1516",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "SizeofResource",
            "status": true,
            "return": "0x00000254",
            "arguments": [
              {
                "name": "ModuleHandle",
                "value": "0x29255550002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29255629178"
              }
            ],
            "repeated": 0,
            "id": 14202
          },
          {
            "timestamp": "2026-05-28 22:01:58,568",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1516",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "LoadResource",
            "status": true,
            "return": "0x29255629738",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29255550002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29255629178"
              }
            ],
            "repeated": 0,
            "id": 14203
          },
          {
            "timestamp": "2026-05-28 22:01:58,568",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1516",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29255550000"
              },
              {
                "name": "RegionSize",
                "value": "0x000e1000"
              }
            ],
            "repeated": 0,
            "id": 14204
          },
          {
            "timestamp": "2026-05-28 22:01:58,568",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1516",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 14205
          },
          {
            "timestamp": "2026-05-28 22:01:58,568",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1516",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000410"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\PcwDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00224017"
              },
              {
                "name": "InputBuffer",
                "value": "8\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x90\\x18\\xecS\\x92\\x02\\x00\\x00\\xd0\\xc6%w\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x08\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 14206
          },
          {
            "timestamp": "2026-05-28 22:01:58,568",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1516",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 2,
            "id": 14207
          },
          {
            "timestamp": "2026-05-28 22:01:58,568",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1544",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29255550002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\system32\\drivers\\dxgmms2.sys"
              },
              {
                "name": "dwFlags",
                "value": "0x0000002a"
              }
            ],
            "repeated": 0,
            "id": 14208
          },
          {
            "timestamp": "2026-05-28 22:01:58,568",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1544",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "FindResourceExW",
            "status": true,
            "return": "0x29255629168",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29255550002"
              },
              {
                "name": "Type",
                "value": "#6"
              },
              {
                "name": "Name",
                "value": "#626"
              },
              {
                "name": "Language",
                "value": "0x00000409"
              }
            ],
            "repeated": 0,
            "id": 14209
          },
          {
            "timestamp": "2026-05-28 22:01:58,568",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1544",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "SizeofResource",
            "status": true,
            "return": "0x000001bc",
            "arguments": [
              {
                "name": "ModuleHandle",
                "value": "0x29255550002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29255629168"
              }
            ],
            "repeated": 0,
            "id": 14210
          },
          {
            "timestamp": "2026-05-28 22:01:58,568",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1544",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "LoadResource",
            "status": true,
            "return": "0x29255629578",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29255550002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29255629168"
              }
            ],
            "repeated": 0,
            "id": 14211
          },
          {
            "timestamp": "2026-05-28 22:01:58,568",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1544",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "FindResourceExW",
            "status": true,
            "return": "0x29255629168",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29255550002"
              },
              {
                "name": "Type",
                "value": "#6"
              },
              {
                "name": "Name",
                "value": "#626"
              },
              {
                "name": "Language",
                "value": "0x00000409"
              }
            ],
            "repeated": 0,
            "id": 14212
          },
          {
            "timestamp": "2026-05-28 22:01:58,568",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1544",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "SizeofResource",
            "status": true,
            "return": "0x000001bc",
            "arguments": [
              {
                "name": "ModuleHandle",
                "value": "0x29255550002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29255629168"
              }
            ],
            "repeated": 0,
            "id": 14213
          },
          {
            "timestamp": "2026-05-28 22:01:58,568",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1544",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "LoadResource",
            "status": true,
            "return": "0x29255629578",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29255550002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29255629168"
              }
            ],
            "repeated": 0,
            "id": 14214
          },
          {
            "timestamp": "2026-05-28 22:01:58,568",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1544",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "FindResourceExW",
            "status": true,
            "return": "0x29255629168",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29255550002"
              },
              {
                "name": "Type",
                "value": "#6"
              },
              {
                "name": "Name",
                "value": "#626"
              },
              {
                "name": "Language",
                "value": "0x00000409"
              }
            ],
            "repeated": 0,
            "id": 14215
          },
          {
            "timestamp": "2026-05-28 22:01:58,568",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1544",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "SizeofResource",
            "status": true,
            "return": "0x000001bc",
            "arguments": [
              {
                "name": "ModuleHandle",
                "value": "0x29255550002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29255629168"
              }
            ],
            "repeated": 0,
            "id": 14216
          },
          {
            "timestamp": "2026-05-28 22:01:58,568",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1544",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "LoadResource",
            "status": true,
            "return": "0x29255629578",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29255550002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29255629168"
              }
            ],
            "repeated": 0,
            "id": 14217
          },
          {
            "timestamp": "2026-05-28 22:01:58,568",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1544",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "FindResourceExW",
            "status": true,
            "return": "0x29255629178",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29255550002"
              },
              {
                "name": "Type",
                "value": "#6"
              },
              {
                "name": "Name",
                "value": "#627"
              },
              {
                "name": "Language",
                "value": "0x00000409"
              }
            ],
            "repeated": 0,
            "id": 14218
          },
          {
            "timestamp": "2026-05-28 22:01:58,568",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1544",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "SizeofResource",
            "status": true,
            "return": "0x00000254",
            "arguments": [
              {
                "name": "ModuleHandle",
                "value": "0x29255550002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29255629178"
              }
            ],
            "repeated": 0,
            "id": 14219
          },
          {
            "timestamp": "2026-05-28 22:01:58,568",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1544",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "LoadResource",
            "status": true,
            "return": "0x29255629738",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29255550002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29255629178"
              }
            ],
            "repeated": 0,
            "id": 14220
          },
          {
            "timestamp": "2026-05-28 22:01:58,568",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1544",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "FindResourceExW",
            "status": true,
            "return": "0x29255629188",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29255550002"
              },
              {
                "name": "Type",
                "value": "#6"
              },
              {
                "name": "Name",
                "value": "#628"
              },
              {
                "name": "Language",
                "value": "0x00000409"
              }
            ],
            "repeated": 0,
            "id": 14221
          },
          {
            "timestamp": "2026-05-28 22:01:58,568",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1544",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "SizeofResource",
            "status": true,
            "return": "0x00000080",
            "arguments": [
              {
                "name": "ModuleHandle",
                "value": "0x29255550002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29255629188"
              }
            ],
            "repeated": 0,
            "id": 14222
          },
          {
            "timestamp": "2026-05-28 22:01:58,568",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1544",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "misc",
            "api": "LoadResource",
            "status": true,
            "return": "0x29255629990",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29255550002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29255629188"
              }
            ],
            "repeated": 0,
            "id": 14223
          },
          {
            "timestamp": "2026-05-28 22:01:58,568",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1544",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29255550000"
              },
              {
                "name": "RegionSize",
                "value": "0x000e1000"
              }
            ],
            "repeated": 0,
            "id": 14224
          },
          {
            "timestamp": "2026-05-28 22:01:58,568",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1544",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 14225
          },
          {
            "timestamp": "2026-05-28 22:01:58,568",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1544",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000410"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\PcwDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00224017"
              },
              {
                "name": "InputBuffer",
                "value": "$\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\xf4\\x95T\\x92\\x02\\x00\\x00\\xd0\\xc6%w\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": "\\x0b\\x00\\x00\\x00\\x08\\x00\\x00\\x00`\\x00\\x00\\x00\\x01\\x00\\x00\\x00p\\x00i\\x00d\\x00_\\x004\\x00_\\x00l\\x00u\\x00i\\x00d\\x00_\\x000\\x00x\\x000\\x000\\x000\\x000\\x000\\x000\\x000\\x000\\x00_\\x000\\x00x\\x000\\x000\\x000\\x000\\x006\\x001\\x006\\x00A\\x00_\\x00p\\x00h\\x00y\\x00s\\x00_\\x000\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00`\\x00\\x00\\x00\\x02\\x00\\x00\\x00p\\x00i\\x00d\\x00_\\x005\\x001\\x002\\x00_\\x00l\\x00u\\x00i\\x00d\\x00_\\x000\\x00x\\x000\\x000\\x000\\x000\\x000\\x000\\x000\\x000\\x00_\\x000\\x00x\\x000\\x000\\x000\\x000\\x006\\x001\\x006\\x00A\\x00_\\x00p\\x00h\\x00y\\x00s\\x00_\\x000\\x00\\x00\\x00\\x00\\x00\\x00\\x00`\\x00\\x00\\x00\\x03\\x00\\x00\\x00p\\x00i\\x00d\\x00_\\x009\\x008\\x004\\x00_\\x00l\\x00u\\x00i\\x00d\\x00_\\x000\\x00x\\x000\\x000\\x000\\x000\\x000\\x000\\x000\\x000\\x00_\\x00"
              }
            ],
            "repeated": 0,
            "id": 14226
          },
          {
            "timestamp": "2026-05-28 22:01:58,568",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1544",
            "parentcaller": "0x7ff6c28d12ab",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 1,
            "id": 14227
          },
          {
            "timestamp": "2026-05-28 22:01:58,568",
            "thread_id": "8604",
            "caller": "0x7ff6c28ca352",
            "parentcaller": "0x7ff6c28d1616",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc77fd0000"
              }
            ],
            "repeated": 0,
            "id": 14228
          },
          {
            "timestamp": "2026-05-28 22:01:58,568",
            "thread_id": "8604",
            "caller": "0x7ff6c28ca352",
            "parentcaller": "0x7ff6c28d1616",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc77fd0000"
              },
              {
                "name": "FunctionName",
                "value": "RtlGetSystemTimeAndBias"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc7806c6a0"
              }
            ],
            "repeated": 0,
            "id": 14229
          },
          {
            "timestamp": "2026-05-28 22:01:58,568",
            "thread_id": "8604",
            "caller": "0x7ff6c28ca352",
            "parentcaller": "0x7ff6c28d1616",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 14230
          },
          {
            "timestamp": "2026-05-28 22:01:58,568",
            "thread_id": "8604",
            "caller": "0x7ff6c28ca352",
            "parentcaller": "0x7ff6c28d1616",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000410"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\PcwDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00224003"
              },
              {
                "name": "InputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": "\\x00\t\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 14231
          },
          {
            "timestamp": "2026-05-28 22:01:58,568",
            "thread_id": "8604",
            "caller": "0x7ff6c28ca352",
            "parentcaller": "0x7ff6c28d1616",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000410"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\PcwDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00224007"
              },
              {
                "name": "InputBuffer",
                "value": "\\x01\\xff\\x14\\x00\\x02\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xfc\\x7f\\x00\\x00\\x00\t\\x00\\x00\\x00\\x00\\x00\\x00(\\xdd\\x88T\\x92\\x02\\x00\\x00(y\\x9dT\\x92\\x02\\x00\\x00\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": "\\x01\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 14232
          },
          {
            "timestamp": "2026-05-28 22:01:58,568",
            "thread_id": "8604",
            "caller": "0x7ff6c28ca352",
            "parentcaller": "0x7ff6c28d1616",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000410"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\PcwDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00224007"
              },
              {
                "name": "InputBuffer",
                "value": "\\x01\\x08\\x14\\x00\\x02\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x00\\x00\t\\x00\\x00\\x00\\x00\\x00\\x00(\\xdd\\x88T\\x92\\x02\\x00\\x00Xy\\x9dT\\x92\\x02\\x00\\x00\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": "\\x02\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 14233
          },
          {
            "timestamp": "2026-05-28 22:01:58,568",
            "thread_id": "8604",
            "caller": "0x7ff6c28ca352",
            "parentcaller": "0x7ff6c28d1616",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000410"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\PcwDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00224007"
              },
              {
                "name": "InputBuffer",
                "value": "\\x01\\x00$\\x00\\x02\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\x92\\x02\\x00\\x00\\x00\t\\x00\\x00\\x00\\x00\\x00\\x00\\xb0&\\x8cT\\x92\\x02\\x00\\x00X\\x99\\x9dT\\x92\\x02\\x00\\x00\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": "\\x03\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 14234
          },
          {
            "timestamp": "2026-05-28 22:01:58,568",
            "thread_id": "8604",
            "caller": "0x7ff6c28ca352",
            "parentcaller": "0x7ff6c28d1616",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000410"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\PcwDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00224007"
              },
              {
                "name": "InputBuffer",
                "value": "\\x01\\x08$\\x00\\x02\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x00\\x00\t\\x00\\x00\\x00\\x00\\x00\\x00\\xb0&\\x8cT\\x92\\x02\\x00\\x00\\x88\\x99\\x9dT\\x92\\x02\\x00\\x00\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": "\\x04\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 14235
          },
          {
            "timestamp": "2026-05-28 22:01:58,568",
            "thread_id": "8604",
            "caller": "0x7ff6c28ca352",
            "parentcaller": "0x7ff6c28d1616",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000410"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\PcwDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00224007"
              },
              {
                "name": "InputBuffer",
                "value": "\\x01\\x08$\\x00\\x02\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x00\\x00\t\\x00\\x00\\x00\\x00\\x00\\x00\\xb0&\\x8cT\\x92\\x02\\x00\\x00\\xb8\\x99\\x9dT\\x92\\x02\\x00\\x00\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": "\\x05\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 14236
          },
          {
            "timestamp": "2026-05-28 22:01:58,568",
            "thread_id": "8604",
            "caller": "0x7ff6c28ca352",
            "parentcaller": "0x7ff6c28d1616",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000410"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\PcwDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00224007"
              },
              {
                "name": "InputBuffer",
                "value": "\\x01\\x000\\x00\\x02\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\x92\\x02\\x00\\x00\\x00\t\\x00\\x00\\x00\\x00\\x00\\x00\\xa0,4T\\x92\\x02\\x00\\x00\\x88\\xb9\\x9dT\\x92\\x02\\x00\\x00\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": "\\x06\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 14237
          },
          {
            "timestamp": "2026-05-28 22:01:58,568",
            "thread_id": "8604",
            "caller": "0x7ff6c28ca352",
            "parentcaller": "0x7ff6c28d1616",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000410"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\PcwDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00224007"
              },
              {
                "name": "InputBuffer",
                "value": "\\x01\\x008\\x00\\x02\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\x92\\x02\\x00\\x00\\x00\t\\x00\\x00\\x00\\x00\\x00\\x00\\x90\\x18\\xecS\\x92\\x02\\x00\\x00\\xb8\\xd9\\x9dT\\x92\\x02\\x00\\x00\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": "\\x07\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 14238
          },
          {
            "timestamp": "2026-05-28 22:01:58,568",
            "thread_id": "8604",
            "caller": "0x7ff6c28ca352",
            "parentcaller": "0x7ff6c28d1616",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000410"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\PcwDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00224007"
              },
              {
                "name": "InputBuffer",
                "value": "\\x01\\x00$\\x00\\x02\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\x92\\x02\\x00\\x00\\x00\t\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xf4\\x95T\\x92\\x02\\x00\\x00\\xe8\\xf9\\x9dT\\x92\\x02\\x00\\x00\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": "\\x08\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 14239
          },
          {
            "timestamp": "2026-05-28 22:01:58,568",
            "thread_id": "8604",
            "caller": "0x7ff6c28ca352",
            "parentcaller": "0x7ff6c28d1616",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000410"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\PcwDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00224007"
              },
              {
                "name": "InputBuffer",
                "value": "\\x01\\x08$\\x00\\x02\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x00\\x00\t\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xf4\\x95T\\x92\\x02\\x00\\x00\\x18\\xfa\\x9dT\\x92\\x02\\x00\\x00\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": "\t\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 14240
          },
          {
            "timestamp": "2026-05-28 22:01:58,568",
            "thread_id": "8604",
            "caller": "0x7ff6c28ca352",
            "parentcaller": "0x7ff6c28d1616",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000410"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\PcwDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00224007"
              },
              {
                "name": "InputBuffer",
                "value": "\\x01\\x08$\\x00\\x02\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x00\\x00\t\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xf4\\x95T\\x92\\x02\\x00\\x00H\\xfa\\x9dT\\x92\\x02\\x00\\x00\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x00 \\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": "\n\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 14241
          },
          {
            "timestamp": "2026-05-28 22:01:58,568",
            "thread_id": "8604",
            "caller": "0x7ff6c28ca352",
            "parentcaller": "0x7ff6c28d1616",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000410"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\PcwDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00224007"
              },
              {
                "name": "InputBuffer",
                "value": "\\x01\\x08$\\x00\\x02\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x00\\x00\t\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xf4\\x95T\\x92\\x02\\x00\\x00x\\xfa\\x9dT\\x92\\x02\\x00\\x00\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": "\\x0b\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 14242
          },
          {
            "timestamp": "2026-05-28 22:01:58,568",
            "thread_id": "8604",
            "caller": "0x7ff6c28ca352",
            "parentcaller": "0x7ff6c28d1616",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000410"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\PcwDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00224007"
              },
              {
                "name": "InputBuffer",
                "value": "\\x01\\x08$\\x00\\x02\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x00\\x00\t\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xf4\\x95T\\x92\\x02\\x00\\x00\\xa8\\xfa\\x9dT\\x92\\x02\\x00\\x00\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": "\\x0c\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 14243
          },
          {
            "timestamp": "2026-05-28 22:01:58,568",
            "thread_id": "8604",
            "caller": "0x7ff6c28ca352",
            "parentcaller": "0x7ff6c28d1616",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000410"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\PcwDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x0022400f"
              },
              {
                "name": "InputBuffer",
                "value": "\\x08\\x00\\x00\\x00\\xfc\\x7f\\x00\\x00\\x00\t\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 14244
          },
          {
            "timestamp": "2026-05-28 22:01:58,568",
            "thread_id": "8604",
            "caller": "0x7ff6c28ca352",
            "parentcaller": "0x7ff6c28d1616",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000410"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\PcwDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x0022400f"
              },
              {
                "name": "InputBuffer",
                "value": "\t\\x00\\x00\\x00\\xfc\\x7f\\x00\\x00\\x00\t\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 14245
          },
          {
            "timestamp": "2026-05-28 22:01:58,568",
            "thread_id": "8604",
            "caller": "0x7ff6c28ca352",
            "parentcaller": "0x7ff6c28d1616",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000410"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\PcwDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x0022400f"
              },
              {
                "name": "InputBuffer",
                "value": "\n\\x00\\x00\\x00\\xfc\\x7f\\x00\\x00\\x00\t\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 14246
          },
          {
            "timestamp": "2026-05-28 22:01:58,568",
            "thread_id": "8604",
            "caller": "0x7ff6c28ca352",
            "parentcaller": "0x7ff6c28d1616",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000410"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\PcwDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x0022400f"
              },
              {
                "name": "InputBuffer",
                "value": "\\x0b\\x00\\x00\\x00\\xfc\\x7f\\x00\\x00\\x00\t\\x00\\x00\\x00\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 14247
          },
          {
            "timestamp": "2026-05-28 22:01:58,568",
            "thread_id": "8604",
            "caller": "0x7ff6c28ca352",
            "parentcaller": "0x7ff6c28d1616",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000410"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\PcwDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x0022400f"
              },
              {
                "name": "InputBuffer",
                "value": "\\x0c\\x00\\x00\\x00\\xfc\\x7f\\x00\\x00\\x00\t\\x00\\x00\\x00\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 14248
          },
          {
            "timestamp": "2026-05-28 22:01:58,568",
            "thread_id": "8604",
            "caller": "0x7ff6c28ca352",
            "parentcaller": "0x7ff6c28d1616",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000410"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\PcwDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x0022400f"
              },
              {
                "name": "InputBuffer",
                "value": "\\x07\\x00\\x00\\x00\\xfc\\x7f\\x00\\x00\\x00\t\\x00\\x00\\x00\\x00\\x00\\x00\\x05\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 14249
          },
          {
            "timestamp": "2026-05-28 22:01:58,568",
            "thread_id": "8604",
            "caller": "0x7ff6c28ca352",
            "parentcaller": "0x7ff6c28d1616",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000410"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\PcwDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x0022400f"
              },
              {
                "name": "InputBuffer",
                "value": "\\x06\\x00\\x00\\x00\\xfc\\x7f\\x00\\x00\\x00\t\\x00\\x00\\x00\\x00\\x00\\x00\\x06\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 14250
          },
          {
            "timestamp": "2026-05-28 22:01:58,568",
            "thread_id": "8604",
            "caller": "0x7ff6c28ca352",
            "parentcaller": "0x7ff6c28d1616",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000410"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\PcwDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x0022400f"
              },
              {
                "name": "InputBuffer",
                "value": "\\x03\\x00\\x00\\x00\\xfc\\x7f\\x00\\x00\\x00\t\\x00\\x00\\x00\\x00\\x00\\x00\\x07\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 14251
          },
          {
            "timestamp": "2026-05-28 22:01:58,568",
            "thread_id": "8604",
            "caller": "0x7ff6c28ca352",
            "parentcaller": "0x7ff6c28d1616",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000410"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\PcwDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x0022400f"
              },
              {
                "name": "InputBuffer",
                "value": "\\x04\\x00\\x00\\x00\\xfc\\x7f\\x00\\x00\\x00\t\\x00\\x00\\x00\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 14252
          },
          {
            "timestamp": "2026-05-28 22:01:58,568",
            "thread_id": "8604",
            "caller": "0x7ff6c28ca352",
            "parentcaller": "0x7ff6c28d1616",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000410"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\PcwDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x0022400f"
              },
              {
                "name": "InputBuffer",
                "value": "\\x05\\x00\\x00\\x00\\xfc\\x7f\\x00\\x00\\x00\t\\x00\\x00\\x00\\x00\\x00\\x00\t\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 14253
          },
          {
            "timestamp": "2026-05-28 22:01:58,568",
            "thread_id": "8604",
            "caller": "0x7ff6c28ca352",
            "parentcaller": "0x7ff6c28d1616",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000410"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\PcwDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x0022400f"
              },
              {
                "name": "InputBuffer",
                "value": "\\x01\\x00\\x00\\x00\\xfc\\x7f\\x00\\x00\\x00\t\\x00\\x00\\x00\\x00\\x00\\x00\n\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 14254
          },
          {
            "timestamp": "2026-05-28 22:01:58,568",
            "thread_id": "8604",
            "caller": "0x7ff6c28ca352",
            "parentcaller": "0x7ff6c28d1616",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000410"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\PcwDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x0022400f"
              },
              {
                "name": "InputBuffer",
                "value": "\\x02\\x00\\x00\\x00\\xfc\\x7f\\x00\\x00\\x00\t\\x00\\x00\\x00\\x00\\x00\\x00\\x0b\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 14255
          },
          {
            "timestamp": "2026-05-28 22:01:58,568",
            "thread_id": "8604",
            "caller": "0x7ff6c28ca352",
            "parentcaller": "0x7ff6c28d1616",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "0",
                "pretty_value": "ThreadBasicInformation"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x03\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb0\\x88\\x9d\\xf0\\x00\\x00\\x00\\xe8\\x1e\\x00\\x00\\x00\\x00\\x00\\x00\\x9c!\\x00\\x00\\x00\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "8604"
              }
            ],
            "repeated": 0,
            "id": 14256
          },
          {
            "timestamp": "2026-05-28 22:01:58,568",
            "thread_id": "8604",
            "caller": "0x7ff6c28ca352",
            "parentcaller": "0x7ff6c28d1616",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254ab2000"
              },
              {
                "name": "RegionSize",
                "value": "0x0001a000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 14257
          },
          {
            "timestamp": "2026-05-28 22:01:58,568",
            "thread_id": "8604",
            "caller": "0x7ff6c28ca352",
            "parentcaller": "0x7ff6c28d1616",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000410"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\PcwDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00224013"
              },
              {
                "name": "InputBuffer",
                "value": "\\x00\t\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 14258
          },
          {
            "timestamp": "2026-05-28 22:01:58,568",
            "thread_id": "8604",
            "caller": "0x7ff6c28ca352",
            "parentcaller": "0x7ff6c28d1616",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000410"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\PcwDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00224013"
              },
              {
                "name": "InputBuffer",
                "value": "\\x00\t\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": "\\xc8A\\x00\\x00\\x10\\x00\\x00\\x00\\x0c\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x80\\x12\\x00\\x00 \\x00\\x00\\x00\\x1e\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\n\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x98\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x88\\x00\\x00\\x00\\x01\\x00\\x00\\x00p\\x00i\\x00d\\x00_\\x004\\x00_\\x00l\\x00u\\x00i\\x00d\\x00_\\x000\\x00x\\x000\\x000\\x000\\x000\\x000\\x000\\x000\\x000\\x00_\\x000\\x00x\\x000\\x000\\x000\\x000\\x006\\x001\\x006\\x00A\\x00_\\x00p\\x00h\\x00y\\x00s\\x00_\\x000\\x00_\\x00e\\x00n\\x00g\\x00_\\x000\\x00_\\x00e\\x00n\\x00g\\x00t\\x00y\\x00p\\x00e\\x00_\\x003\\x00D\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x01\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x98\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x88\\x00\\x00\\x00\\x01\\x00\\x00\\x00p\\x00i\\x00d\\x00_\\x004\\x00_\\x00l\\x00u\\x00i\\x00d\\x00_\\x000\\x00x\\x000\\x000\\x000\\x000\\x000\\x000\\x000\\x00"
              }
            ],
            "repeated": 0,
            "id": 14259
          },
          {
            "timestamp": "2026-05-28 22:01:58,568",
            "thread_id": "8604",
            "caller": "0x7ff6c28ca352",
            "parentcaller": "0x7ff6c28d1616",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "0",
                "pretty_value": "ThreadBasicInformation"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x03\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb0\\x88\\x9d\\xf0\\x00\\x00\\x00\\xe8\\x1e\\x00\\x00\\x00\\x00\\x00\\x00\\x9c!\\x00\\x00\\x00\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "8604"
              }
            ],
            "repeated": 0,
            "id": 14260
          },
          {
            "timestamp": "2026-05-28 22:01:58,568",
            "thread_id": "8604",
            "caller": "0x7ff6c28ca352",
            "parentcaller": "0x7ff6c28d1616",
            "category": "system",
            "api": "GetSystemTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 1,
            "id": 14261
          },
          {
            "timestamp": "2026-05-28 22:01:58,568",
            "thread_id": "8604",
            "caller": "0x7ff6c28ca352",
            "parentcaller": "0x7ff6c28d1616",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000410"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\PcwDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00224013"
              },
              {
                "name": "InputBuffer",
                "value": "\\x00\t\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": "\\xc8A\\x00\\x00\\x10\\x00\\x00\\x00\\x0c\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x80\\x12\\x00\\x00 \\x00\\x00\\x00\\x1e\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\n\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x98\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x88\\x00\\x00\\x00\\x01\\x00\\x00\\x00p\\x00i\\x00d\\x00_\\x004\\x00_\\x00l\\x00u\\x00i\\x00d\\x00_\\x000\\x00x\\x000\\x000\\x000\\x000\\x000\\x000\\x000\\x000\\x00_\\x000\\x00x\\x000\\x000\\x000\\x000\\x006\\x001\\x006\\x00A\\x00_\\x00p\\x00h\\x00y\\x00s\\x00_\\x000\\x00_\\x00e\\x00n\\x00g\\x00_\\x000\\x00_\\x00e\\x00n\\x00g\\x00t\\x00y\\x00p\\x00e\\x00_\\x003\\x00D\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x01\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x98\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x88\\x00\\x00\\x00\\x01\\x00\\x00\\x00p\\x00i\\x00d\\x00_\\x004\\x00_\\x00l\\x00u\\x00i\\x00d\\x00_\\x000\\x00x\\x000\\x000\\x000\\x000\\x000\\x000\\x000\\x00"
              }
            ],
            "repeated": 0,
            "id": 14262
          },
          {
            "timestamp": "2026-05-28 22:01:58,568",
            "thread_id": "8604",
            "caller": "0x7ff6c28b4d7a",
            "parentcaller": "0x7ff6c28b41f1",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\system32\\dwmapi"
              },
              {
                "name": "DllBase",
                "value": "0x7ffc73480000"
              }
            ],
            "repeated": 0,
            "id": 14263
          },
          {
            "timestamp": "2026-05-28 22:01:58,568",
            "thread_id": "8604",
            "caller": "0x7ff6c28b4d7a",
            "parentcaller": "0x7ff6c28b41f1",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\system32\\d3d9"
              },
              {
                "name": "DllBase",
                "value": "0x29255550000"
              }
            ],
            "repeated": 0,
            "id": 14264
          },
          {
            "timestamp": "2026-05-28 22:01:58,584",
            "thread_id": "8604",
            "caller": "0x7ff6c28b4d7a",
            "parentcaller": "0x7ff6c28b41f1",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "d3d9.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x29255550000"
              }
            ],
            "repeated": 0,
            "id": 14265
          },
          {
            "timestamp": "2026-05-28 22:01:58,584",
            "thread_id": "8604",
            "caller": "0x7ff6c28b4d7a",
            "parentcaller": "0x7ff6c28b41f1",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29255550000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "d3d9.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 14266
          },
          {
            "timestamp": "2026-05-28 22:01:58,584",
            "thread_id": "8604",
            "caller": "0x7ff6c28b420b",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "d3d9.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x29255550000"
              },
              {
                "name": "FunctionName",
                "value": "Direct3DCreate9Ex"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x29255586000"
              }
            ],
            "repeated": 0,
            "id": 14267
          },
          {
            "timestamp": "2026-05-28 22:01:58,584",
            "thread_id": "8604",
            "caller": "0x7ff6c28b4236",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000a18"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80000000",
                "pretty_value": "GENERIC_READ"
              },
              {
                "name": "FileName",
                "value": "\\Device\\DeviceApi\\CMNotify"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "0"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 14268
          },
          {
            "timestamp": "2026-05-28 22:01:58,584",
            "thread_id": "8604",
            "caller": "0x7ff6c28b4236",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "device",
            "api": "DeviceIoControl",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "DeviceHandle",
                "value": "0x00000a18"
              },
              {
                "name": "IoControlCode",
                "value": "0x00470800"
              },
              {
                "name": "InBuffer",
                "value": "C\\x00:\\x00\\\\x00W\\x00i\\x00n\\x00d\\x00o\\x00w\\x00s\\x00\\\\x00s\\x00y\\x00s\\x00t\\x00e\\x00m\\x003\\x002\\x00\\\\x00t\\x00a\\x00s\\x00k\\x00m\\x00g\\x00r\\x00.\\x00e\\x00x\\x00e\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutBuffer",
                "value": "E\\x19\\x87\\xa3mN\\xc6A"
              }
            ],
            "repeated": 0,
            "id": 14269
          },
          {
            "timestamp": "2026-05-28 22:01:58,584",
            "thread_id": "8604",
            "caller": "0x7ff6c28b4236",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0xf09d85c018"
              },
              {
                "name": "Size",
                "value": "0x00000008"
              },
              {
                "name": "Buffer",
                "value": "\\xc0\\xc4\\x13x\\xfc\\x7f\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 14270
          },
          {
            "timestamp": "2026-05-28 22:01:58,584",
            "thread_id": "8604",
            "caller": "0x7ff6c28b4236",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc7813c4e0"
              },
              {
                "name": "Size",
                "value": "0x00000008"
              },
              {
                "name": "Buffer",
                "value": "\\x90%\\x1fN\\x92\\x02\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 14271
          },
          {
            "timestamp": "2026-05-28 22:01:58,584",
            "thread_id": "8604",
            "caller": "0x7ff6c28b4236",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2924e1f2580"
              },
              {
                "name": "Size",
                "value": "0x00000088"
              },
              {
                "name": "Buffer",
                "value": "\\xf0#\\x1fN\\x92\\x02\\x00\\x00\\xd0\\xc4\\x13x\\xfc\\x7f\\x00\\x00\\x00$\\x1fN\\x92\\x02\\x00\\x00\\xe0\\xc4\\x13x\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x8b\\xc2\\xf6\\x7f\\x00\\x00\\xf0\\x00\\x8e\\xc2\\xf6\\x7f\\x00\\x00\\x00\\x00\\x13\\x00\\x00\\x00\\x00\\x00>\\x00@\\x00\\x00\\x00\\x00\\x00\\xf8!\\x1fN\\x92\\x02\\x00\\x00\\x16\\x00\\x18\\x00\\x00\\x00\\x00\\x00 \"\\x1fN\\x92\\x02\\x00\\x00\\xcc\\xa2\\x00\\x00\\xff\\xff\\xff\\xff\\x80Q\\x1fN\\x92\\x02\\x00\\x00\\xb0\\xc2\\x13x\\xfc\\x7f\\x00\\x00u\\x00|V\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 14272
          },
          {
            "timestamp": "2026-05-28 22:01:58,584",
            "thread_id": "8604",
            "caller": "0x7ff6c28b4236",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2924e1f23f0"
              },
              {
                "name": "Size",
                "value": "0x00000088"
              },
              {
                "name": "Buffer",
                "value": "\\x10+\\x1fN\\x92\\x02\\x00\\x00\\x80%\\x1fN\\x92\\x02\\x00\\x00 +\\x1fN\\x92\\x02\\x00\\x00\\x90%\\x1fN\\x92\\x02\\x00\\x00@1\\x1fN\\x92\\x02\\x00\\x00\\xf0\\xc4\\x13x\\xfc\\x7f\\x00\\x00\\x00\\x00\\xfdw\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x80\\x1f\\x00\\x00\\x00\\x00\\x00:\\x00<\\x00\\x00\\x00\\x00\\x00\\xf0\"\\x1fN\\x92\\x02\\x00\\x00\\x12\\x00\\x14\\x00\\x00\\x00\\x00\\x00\\xb0\\xd9\\x0fx\\xfc\\x7f\\x00\\x00\\xc4\\xa2\\x00\\x00\\xff\\xff\\x00\\x00\\x80\\xc2\\x13x\\xfc\\x7f\\x00\\x00\\x80\\xc2\\x13x\\xfc\\x7f\\x00\\x00o\\xaad\\x9b\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 14273
          },
          {
            "timestamp": "2026-05-28 22:01:58,584",
            "thread_id": "8604",
            "caller": "0x7ff6c28b4236",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2924e1f2b10"
              },
              {
                "name": "Size",
                "value": "0x00000088"
              },
              {
                "name": "Buffer",
                "value": " 1\\x1fN\\x92\\x02\\x00\\x00\\xf0#\\x1fN\\x92\\x02\\x00\\x0001\\x1fN\\x92\\x02\\x00\\x00\\x00$\\x1fN\\x92\\x02\\x00\\x000Q\\x1fN\\x92\\x02\\x00\\x00@1\\x1fN\\x92\\x02\\x00\\x00\\x00\\x00\\x03v\\xfc\\x7f\\x00\\x00\\xe0s\\x04v\\xfc\\x7f\\x00\\x00\\x00\\xd0\\x0b\\x00\\x00\\x00\\x00\\x00@\\x00B\\x00\\x00\\x00\\x00\\x00\\xa0,\\x1fN\\x92\\x02\\x00\\x00\\x18\\x00\\x1a\\x00\\x00\\x00\\x00\\x00\\xc8,\\x1fN\\x92\\x02\\x00\\x00\\xcc\\xa2\\x0c\\x00\\xff\\xff\\x00\\x00`\\xc2\\x13x\\xfc\\x7f\\x00\\x00`\\xc2\\x13x\\xfc\\x7f\\x00\\x00'\\xda\\xc9\\x9e\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 14274
          },
          {
            "timestamp": "2026-05-28 22:01:58,584",
            "thread_id": "8604",
            "caller": "0x7ff6c28b4236",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2924e1f3120"
              },
              {
                "name": "Size",
                "value": "0x00000088"
              },
              {
                "name": "Buffer",
                "value": "0M\\x1fN\\x92\\x02\\x00\\x00\\x10+\\x1fN\\x92\\x02\\x00\\x00@M\\x1fN\\x92\\x02\\x00\\x00 +\\x1fN\\x92\\x02\\x00\\x000+\\x1fN\\x92\\x02\\x00\\x00\\x10$\\x1fN\\x92\\x02\\x00\\x00\\x00\\x00ku\\xfc\\x7f\\x00\\x00\\xb0glu\\xfc\\x7f\\x00\\x00\\x00`/\\x00\\x00\\x00\\x00\\x00D\\x00F\\x00\\x00\\x00\\x00\\x00\\xb02\\x1fN\\x92\\x02\\x00\\x00\\x1c\\x00\\x1e\\x00\\x00\\x00\\x00\\x00\\xd82\\x1fN\\x92\\x02\\x00\\x00\\xcc\\xa2\\x08\\x00\\xff\\xff\\xff\\xff\\x80\\xc1\\x13x\\xfc\\x7f\\x00\\x00\\x80\\xc1\\x13x\\xfc\\x7f\\x00\\x00\\x12\\x8f\\x0f\\xd8\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 14275
          },
          {
            "timestamp": "2026-05-28 22:01:58,584",
            "thread_id": "8604",
            "caller": "0x7ff6c28b4236",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2924e1f4d30"
              },
              {
                "name": "Size",
                "value": "0x00000088"
              },
              {
                "name": "Buffer",
                "value": "\\x10Q\\x1fN\\x92\\x02\\x00\\x00 1\\x1fN\\x92\\x02\\x00\\x00 Q\\x1fN\\x92\\x02\\x00\\x0001\\x1fN\\x92\\x02\\x00\\x00\\xe0X\\x1fN\\x92\\x02\\x00\\x000Q\\x1fN\\x92\\x02\\x00\\x00\\x00\\x00\\xa8u\\xfc\\x7f\\x00\\x00\\xb0\\xfa\\xacu\\xfc\\x7f\\x00\\x00\\x00\\xd0\\x15\\x00\\x00\\x00\\x00\\x00>\\x00@\\x00\\x00\\x00\\x00\\x00`N\\x1fN\\x92\\x02\\x00\\x00\\x16\\x00\\x18\\x00\\x00\\x00\\x00\\x00\\x88N\\x1fN\\x92\\x02\\x00\\x00\\xec\\xa2\\x08\\x00\\x06\\x00\\xff\\xff0Y\\x1fN\\x92\\x02\\x00\\x00p\\xc1\\x13x\\xfc\\x7f\\x00\\x00Yo\\xd4\\xce\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 14276
          },
          {
            "timestamp": "2026-05-28 22:01:58,584",
            "thread_id": "8604",
            "caller": "0x7ff6c28b4236",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2924e1f5110"
              },
              {
                "name": "Size",
                "value": "0x00000088"
              },
              {
                "name": "Buffer",
                "value": "\\xd0T\\x1fN\\x92\\x02\\x00\\x000M\\x1fN\\x92\\x02\\x00\\x00\\xe0T\\x1fN\\x92\\x02\\x00\\x00@M\\x1fN\\x92\\x02\\x00\\x00PM\\x1fN\\x92\\x02\\x00\\x000+\\x1fN\\x92\\x02\\x00\\x00\\x00\\x00\\xd0u\\xfc\\x7f\\x00\\x00\\x10a\\xd1u\\xfc\\x7f\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00@\\x00B\\x00\\x00\\x00\\x00\\x00\\xa0R\\x1fN\\x92\\x02\\x00\\x00\\x18\\x00\\x1a\\x00\\x00\\x00\\x00\\x00\\xc8R\\x1fN\\x92\\x02\\x00\\x00\\xec\\xa2\\x08\\x00\\x06\\x00\\x00\\x00\\x10\\xf5\\x1fN\\x92\\x02\\x00\\x00\\xf0%\\x1fN\\x92\\x02\\x00\\x00\\x89]\\xcf\\x81\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 14277
          },
          {
            "timestamp": "2026-05-28 22:01:58,584",
            "thread_id": "8604",
            "caller": "0x7ff6c28b4236",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2924e1f54d0"
              },
              {
                "name": "Size",
                "value": "0x00000088"
              },
              {
                "name": "Buffer",
                "value": "\\xc0X\\x1fN\\x92\\x02\\x00\\x00\\x10Q\\x1fN\\x92\\x02\\x00\\x00\\xd0X\\x1fN\\x92\\x02\\x00\\x00 Q\\x1fN\\x92\\x02\\x00\\x00\\x00a\\x1fN\\x92\\x02\\x00\\x00\\xe0X\\x1fN\\x92\\x02\\x00\\x00\\x00\\x00\\xf2w\\xfc\\x7f\\x00\\x00\\x00C\\xf3w\\xfc\\x7f\\x00\\x00\\x00\\xb0\\x06\\x00\\x00\\x00\\x00\\x00<\\x00>\\x00\\x00\\x00\\x00\\x00`V\\x1fN\\x92\\x02\\x00\\x00\\x14\\x00\\x16\\x00\\x00\\x00\\x00\\x00\\x88V\\x1fN\\x92\\x02\\x00\\x00\\xec\\xa2\\x08\\x00\\x06\\x00\\x00\\x00\\xa0\\xe5\\x1fN\\x92\\x02\\x00\\x00 \\xc3\\x13x\\xfc\\x7f\\x00\\x00\\xbc1\rz\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 14278
          },
          {
            "timestamp": "2026-05-28 22:01:58,584",
            "thread_id": "8604",
            "caller": "0x7ff6c28b4236",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2924e1f58c0"
              },
              {
                "name": "Size",
                "value": "0x00000088"
              },
              {
                "name": "Buffer",
                "value": "\\xa0\\\\x1fN\\x92\\x02\\x00\\x00\\xd0T\\x1fN\\x92\\x02\\x00\\x00\\xb0\\\\x1fN\\x92\\x02\\x00\\x00\\xe0T\\x1fN\\x92\\x02\\x00\\x00\\xf0T\\x1fN\\x92\\x02\\x00\\x00PM\\x1fN\\x92\\x02\\x00\\x00\\x00\\x00\nw\\xfc\\x7f\\x00\\x00\\x80\\xe1\\x0fw\\xfc\\x7f\\x00\\x00\\x00`\\x12\\x00\\x00\\x00\\x00\\x00<\\x00>\\x00\\x00\\x00\\x00\\x00PZ\\x1fN\\x92\\x02\\x00\\x00\\x14\\x00\\x16\\x00\\x00\\x00\\x00\\x00xZ\\x1fN\\x92\\x02\\x00\\x00\\xec\\xa2\\x08\\x00\\x06\\x00\\x00\\x00p\\xc1\\x13x\\xfc\\x7f\\x00\\x00\\xa0M\\x1fN\\x92\\x02\\x00\\x00\\x0f\\xf4P\\xa2\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 14279
          },
          {
            "timestamp": "2026-05-28 22:01:58,584",
            "thread_id": "8604",
            "caller": "0x7ff6c28b4236",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2924e1f5ca0"
              },
              {
                "name": "Size",
                "value": "0x00000088"
              },
              {
                "name": "Buffer",
                "value": "\\xe0`\\x1fN\\x92\\x02\\x00\\x00\\xc0X\\x1fN\\x92\\x02\\x00\\x00\\xf0`\\x1fN\\x92\\x02\\x00\\x00\\xd0X\\x1fN\\x92\\x02\\x00\\x00P\\xe5\\x1fN\\x92\\x02\\x00\\x00\\xf0c\\x1fN\\x92\\x02\\x00\\x00\\x00\\x00*v\\xfc\\x7f\\x00\\x00`\\x7f+v\\xfc\\x7f\\x00\\x00\\x00\\xe0\\x19\\x00\\x00\\x00\\x00\\x00<\\x00>\\x00\\x00\\x00\\x00\\x000^\\x1fN\\x92\\x02\\x00\\x00\\x14\\x00\\x16\\x00\\x00\\x00\\x00\\x00X^\\x1fN\\x92\\x02\\x00\\x00\\xec\\xa2\\x0c\\x00\\x06\\x00\\x00\\x00 \\xef\\x1fN\\x92\\x02\\x00\\x00@\\xc1\\x13x\\xfc\\x7f\\x00\\x00\\x19t\\xe4\\x12\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 14280
          },
          {
            "timestamp": "2026-05-28 22:01:58,584",
            "thread_id": "8604",
            "caller": "0x7ff6c28b4236",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2924e1f60e0"
              },
              {
                "name": "Size",
                "value": "0x00000088"
              },
              {
                "name": "Buffer",
                "value": "\\xd0c\\x1fN\\x92\\x02\\x00\\x00\\xa0\\\\x1fN\\x92\\x02\\x00\\x00\\xe0c\\x1fN\\x92\\x02\\x00\\x00\\xb0\\\\x1fN\\x92\\x02\\x00\\x000\\x90\\x1fN\\x92\\x02\\x00\\x00\\xf0T\\x1fN\\x92\\x02\\x00\\x00\\x00\\x00\\xa5u\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00 \\x02\\x00\\x00\\x00\\x00\\x00<\\x00>\\x00\\x00\\x00\\x00\\x00pb\\x1fN\\x92\\x02\\x00\\x00\\x14\\x00\\x16\\x00\\x00\\x00\\x00\\x00\\x98b\\x1fN\\x92\\x02\\x00\\x00\\xec\\xa2\\x08\\x00\\x06\\x00\\x00\\x00\\xf0\\x8b\\x1fN\\x92\\x02\\x00\\x00@\\xc2\\x13x\\xfc\\x7f\\x00\\x00\\x13\\x02\\xcd\r\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 14281
          },
          {
            "timestamp": "2026-05-28 22:01:58,584",
            "thread_id": "8604",
            "caller": "0x7ff6c28b4236",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2924e1f63d0"
              },
              {
                "name": "Size",
                "value": "0x00000088"
              },
              {
                "name": "Buffer",
                "value": "\\x80\\x8b\\x1fN\\x92\\x02\\x00\\x00\\xe0`\\x1fN\\x92\\x02\\x00\\x00\\x90\\x8b\\x1fN\\x92\\x02\\x00\\x00\\xf0`\\x1fN\\x92\\x02\\x00\\x00\\xc0\\\\x1fN\\x92\\x02\\x00\\x00\\xa0\\x8b\\x1fN\\x92\\x02\\x00\\x00\\x00\\x00\\xedw\\xfc\\x7f\\x00\\x00`I\\xedw\\xfc\\x7f\\x00\\x00\\x00\\xc0\\x02\\x00\\x00\\x00\\x00\\x00:\\x00<\\x00\\x00\\x00\\x00\\x00`e\\x1fN\\x92\\x02\\x00\\x00\\x12\\x00\\x14\\x00\\x00\\x00\\x00\\x00\\x88e\\x1fN\\x92\\x02\\x00\\x00\\xec\\xa2\\x0c\\x00\\x06\\x00\\x00\\x00pb\"T\\x92\\x02\\x00\\x00P\\xc1\\x13x\\xfc\\x7f\\x00\\x00\\xb5\\xf0\\x86p\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 14282
          },
          {
            "timestamp": "2026-05-28 22:01:58,584",
            "thread_id": "8604",
            "caller": "0x7ff6c28b4236",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2924e1f8b80"
              },
              {
                "name": "Size",
                "value": "0x00000088"
              },
              {
                "name": "Buffer",
                "value": "\\x10\\x90\\x1fN\\x92\\x02\\x00\\x00\\xd0c\\x1fN\\x92\\x02\\x00\\x00 \\x90\\x1fN\\x92\\x02\\x00\\x00\\xe0c\\x1fN\\x92\\x02\\x00\\x00\\xf0c\\x1fN\\x92\\x02\\x00\\x000\\x90\\x1fN\\x92\\x02\\x00\\x00\\x00\\x00\\xbeu\\xfc\\x7f\\x00\\x00\\x90\\x17\\xc1u\\xfc\\x7f\\x00\\x00\\x00\\xa0\\x11\\x00\\x00\\x00\\x00\\x00B\\x00D\\x00\\x00\\x00\\x00\\x00\\x10\\x8d\\x1fN\\x92\\x02\\x00\\x00\\x1a\\x00\\x1c\\x00\\x00\\x00\\x00\\x008\\x8d\\x1fN\\x92\\x02\\x00\\x00\\xec\\xa2\\x08\\x00\\x06\\x00\\x00\\x00\\x80\\x90\\x1fN\\x92\\x02\\x00\\x00Pa\\x1fN\\x92\\x02\\x00\\x00<\\xa0\\x89\\xf1\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 14283
          },
          {
            "timestamp": "2026-05-28 22:01:58,584",
            "thread_id": "8604",
            "caller": "0x7ff6c28b4236",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2924e1f9010"
              },
              {
                "name": "Size",
                "value": "0x00000088"
              },
              {
                "name": "Buffer",
                "value": "\\xd0\\xab\\x1fN\\x92\\x02\\x00\\x00\\x80\\x8b\\x1fN\\x92\\x02\\x00\\x00\\xe0\\xab\\x1fN\\x92\\x02\\x00\\x00\\x90\\x8b\\x1fN\\x92\\x02\\x00\\x00\\xa0\\x8b\\x1fN\\x92\\x02\\x00\\x00\\x00a\\x1fN\\x92\\x02\\x00\\x00\\x00\\x00\\x9bu\\xfc\\x7f\\x00\\x00\\x90S\\x9cu\\xfc\\x7f\\x00\\x00\\x00\\xd0\t\\x00\\x00\\x00\\x00\\x00B\\x00D\\x00\\x00\\x00\\x00\\x00\\xd0\\xa4\\x1fN\\x92\\x02\\x00\\x00\\x1a\\x00\\x1c\\x00\\x00\\x00\\x00\\x00\\xf8\\xa4\\x1fN\\x92\\x02\\x00\\x00\\xec\\xa2\\x0c\\x00\\x06\\x00\\x00\\x00P\\xbf\\x1fN\\x92\\x02\\x00\\x00\\xf0\\x8b\\x1fN\\x92\\x02\\x00\\x00\\xcf\\%9\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 14284
          },
          {
            "timestamp": "2026-05-28 22:01:58,584",
            "thread_id": "8604",
            "caller": "0x7ff6c28b4236",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2924e1fabd0"
              },
              {
                "name": "Size",
                "value": "0x00000088"
              },
              {
                "name": "Buffer",
                "value": "\\x00\\xaf\\x1fN\\x92\\x02\\x00\\x00\\x10\\x90\\x1fN\\x92\\x02\\x00\\x00\\x10\\xaf\\x1fN\\x92\\x02\\x00\\x00 \\x90\\x1fN\\x92\\x02\\x00\\x00@\\xba\\x1fN\\x92\\x02\\x00\\x00 \\xb2\\x1fN\\x92\\x02\\x00\\x00\\x00\\x00\\x1ew\\xfc\\x7f\\x00\\x00`X\\x1fw\\xfc\\x7f\\x00\\x00\\x00\\xf0\n\\x00\\x00\\x00\\x00\\x00@\\x00B\\x00\\x00\\x00\\x00\\x00\\xb0\\xa1\\x1fN\\x92\\x02\\x00\\x00\\x18\\x00\\x1a\\x00\\x00\\x00\\x00\\x00\\xd8\\xa1\\x1fN\\x92\\x02\\x00\\x00\\xec\\xa2\\x08\\x00\\x06\\x00\\x00\\x00\\x10\\xc4\\x1fN\\x92\\x02\\x00\\x00\\x00\\xc3\\x13x\\xfc\\x7f\\x00\\x00\\xef\\x1f\\x17#\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 14285
          },
          {
            "timestamp": "2026-05-28 22:01:58,584",
            "thread_id": "8604",
            "caller": "0x7ff6c28b4236",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2924e1faf00"
              },
              {
                "name": "Size",
                "value": "0x00000088"
              },
              {
                "name": "Buffer",
                "value": "\\x00\\xb2\\x1fN\\x92\\x02\\x00\\x00\\xd0\\xab\\x1fN\\x92\\x02\\x00\\x00\\x10\\xb2\\x1fN\\x92\\x02\\x00\\x00\\xe0\\xab\\x1fN\\x92\\x02\\x00\\x00 \\xb2\\x1fN\\x92\\x02\\x00\\x00P\\xe5\\x1fN\\x92\\x02\\x00\\x00\\x00\\x00)w\\xfc\\x7f\\x00\\x00Px)w\\xfc\\x7f\\x00\\x00\\x00\\xe0\t\\x00\\x00\\x00\\x00\\x00<\\x00>\\x00\\x00\\x00\\x00\\x00\\x00\\xa2\\x1fN\\x92\\x02\\x00\\x00\\x14\\x00\\x16\\x00\\x00\\x00\\x00\\x00(\\xa2\\x1fN\\x92\\x02\\x00\\x00\\xec\\xa2\\x08\\x00\\x06\\x00\\xff\\xff\\x00\\xfb\\x1fN\\x92\\x02\\x00\\x00\\xf0\\xc1\\x13x\\xfc\\x7f\\x00\\x00\\x04\\x0e\\xf6\\x9b\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 14286
          },
          {
            "timestamp": "2026-05-28 22:01:58,584",
            "thread_id": "8604",
            "caller": "0x7ff6c28b4236",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2924e1fb200"
              },
              {
                "name": "Size",
                "value": "0x00000088"
              },
              {
                "name": "Buffer",
                "value": " \\xba\\x1fN\\x92\\x02\\x00\\x00\\x00\\xaf\\x1fN\\x92\\x02\\x00\\x000\\xba\\x1fN\\x92\\x02\\x00\\x00\\x10\\xaf\\x1fN\\x92\\x02\\x00\\x00\\xf0\\xab\\x1fN\\x92\\x02\\x00\\x00 \\xaf\\x1fN\\x92\\x02\\x00\\x00\\x00\\x00fw\\xfc\\x7f\\x00\\x00p\\xcegw\\xfc\\x7f\\x00\\x00\\x00\\xc0\t\\x00\\x00\\x00\\x00\\x00>\\x00@\\x00\\x00\\x00\\x00\\x00P\\xa2\\x1fN\\x92\\x02\\x00\\x00\\x16\\x00\\x18\\x00\\x00\\x00\\x00\\x00x\\xa2\\x1fN\\x92\\x02\\x00\\x00\\xec\\xa2\\x0c\\x00\\x06\\x00\\x00\\x00\\xb0\\xc1\\x1fN\\x92\\x02\\x00\\x000\\xc2\\x13x\\xfc\\x7f\\x00\\x00\\x9a\\xb6\\xfa\\x9d\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 14287
          },
          {
            "timestamp": "2026-05-28 22:01:58,584",
            "thread_id": "8604",
            "caller": "0x7ff6c28b4236",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2924e1fba20"
              },
              {
                "name": "Size",
                "value": "0x00000088"
              },
              {
                "name": "Buffer",
                "value": "P\\xbb\\x1fN\\x92\\x02\\x00\\x00\\x00\\xb2\\x1fN\\x92\\x02\\x00\\x00`\\xbb\\x1fN\\x92\\x02\\x00\\x00\\x10\\xb2\\x1fN\\x92\\x02\\x00\\x00\\x10\\xb9\\x1fN\\x92\\x02\\x00\\x00\\xf0\\xab\\x1fN\\x92\\x02\\x00\\x00\\x00\\x00sv\\xfc\\x7f\\x00\\x00\\x80\\x12\\x84v\\xfc\\x7f\\x00\\x00\\x00Pt\\x00\\x00\\x00\\x00\\x00>\\x00@\\x00\\x00\\x00\\x00\\x00@\\xa3\\x1fN\\x92\\x02\\x00\\x00\\x16\\x00\\x18\\x00\\x00\\x00\\x00\\x00h\\xa3\\x1fN\\x92\\x02\\x00\\x00\\xec\\xa2\\x08\\x00\\x06\\x00\\xff\\xff0\\xb8\\x1fN\\x92\\x02\\x00\\x00\\x90\\xc1\\x13x\\xfc\\x7f\\x00\\x00CA\\xda\\xc3\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 14288
          },
          {
            "timestamp": "2026-05-28 22:01:58,584",
            "thread_id": "8604",
            "caller": "0x7ff6c28b4236",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2924e1fbb50"
              },
              {
                "name": "Size",
                "value": "0x00000088"
              },
              {
                "name": "Buffer",
                "value": "\\xf0\\xb8\\x1fN\\x92\\x02\\x00\\x00 \\xba\\x1fN\\x92\\x02\\x00\\x00\\x00\\xb9\\x1fN\\x92\\x02\\x00\\x000\\xba\\x1fN\\x92\\x02\\x00\\x00\\xb0\\xb6\\x1fN\\x92\\x02\\x00\\x00\\x10\\xb9\\x1fN\\x92\\x02\\x00\\x00\\x00\\x00\\xf6v\\xfc\\x7f\\x00\\x00\\xb0e\\xf8v\\xfc\\x7f\\x00\\x00\\x00\\xb0\\x12\\x00\\x00\\x00\\x00\\x00:\\x00<\\x00\\x00\\x00\\x00\\x00\\x90\\xa3\\x1fN\\x92\\x02\\x00\\x00\\x12\\x00\\x14\\x00\\x00\\x00\\x00\\x00\\xb8\\xa3\\x1fN\\x92\\x02\\x00\\x00\\xec\\xa2\\x08\\x00\\x06\\x00\\xff\\xff0\\xfc\\x1fN\\x92\\x02\\x00\\x00\\x10\\xc3\\x13x\\xfc\\x7f\\x00\\x00\\xb5}]\\xc1\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 14289
          },
          {
            "timestamp": "2026-05-28 22:01:58,584",
            "thread_id": "8604",
            "caller": "0x7ff6c28b4236",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2924e1fb8f0"
              },
              {
                "name": "Size",
                "value": "0x00000088"
              },
              {
                "name": "Buffer",
                "value": "\\x90\\xb6\\x1fN\\x92\\x02\\x00\\x00P\\xbb\\x1fN\\x92\\x02\\x00\\x00\\xa0\\xb6\\x1fN\\x92\\x02\\x00\\x00`\\xbb\\x1fN\\x92\\x02\\x00\\x00p\\xbb\\x1fN\\x92\\x02\\x00\\x00@\\xba\\x1fN\\x92\\x02\\x00\\x00\\x00\\x00\\xb7w\\xfc\\x7f\\x00\\x00\\xf0I\\xc6w\\xfc\\x7f\\x00\\x00\\x00@5\\x00\\x00\\x00\\x00\\x00>\\x00@\\x00\\x00\\x00\\x00\\x00 \\xa0\\x1fN\\x92\\x02\\x00\\x00\\x16\\x00\\x18\\x00\\x00\\x00\\x00\\x00H\\xa0\\x1fN\\x92\\x02\\x00\\x00\\xec\\xa2\\x08\\x00\\x06\\x00\\xff\\xff\\x90|\"T\\x92\\x02\\x00\\x00\\xc0\\xc1\\x13x\\xfc\\x7f\\x00\\x00=}>a\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 14290
          },
          {
            "timestamp": "2026-05-28 22:01:58,584",
            "thread_id": "8604",
            "caller": "0x7ff6c28b4236",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2924e1fb690"
              },
              {
                "name": "Size",
                "value": "0x00000088"
              },
              {
                "name": "Buffer",
                "value": "\\xe0\\xbe\\x1fN\\x92\\x02\\x00\\x00\\xf0\\xb8\\x1fN\\x92\\x02\\x00\\x00\\xf0\\xbe\\x1fN\\x92\\x02\\x00\\x00\\x00\\xb9\\x1fN\\x92\\x02\\x00\\x00\\x00\\xbf\\x1fN\\x92\\x02\\x00\\x00p\\xbb\\x1fN\\x92\\x02\\x00\\x00\\x00\\x003w\\xfc\\x7f\\x00\\x00P\\xe74w\\xfc\\x7f\\x00\\x00\\x00\\xd0\\x0c\\x00\\x00\\x00\\x00\\x00@\\x00B\\x00\\x00\\x00\\x00\\x00\\xa0\\xa2\\x1fN\\x92\\x02\\x00\\x00\\x18\\x00\\x1a\\x00\\x00\\x00\\x00\\x00\\xc8\\xa2\\x1fN\\x92\\x02\\x00\\x00\\xec\\xa2\\x08\\x00\\x06\\x00\\xff\\xff0\\xe9\\x1fN\\x92\\x02\\x00\\x00\\x10\\xc2\\x13x\\xfc\\x7f\\x00\\x00\\xf1\\xdf.\\xd4\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 14291
          },
          {
            "timestamp": "2026-05-28 22:01:58,584",
            "thread_id": "8604",
            "caller": "0x7ff6c28b4236",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2924e1fbee0"
              },
              {
                "name": "Size",
                "value": "0x00000088"
              },
              {
                "name": "Buffer",
                "value": "\\xb0\\xbd\\x1fN\\x92\\x02\\x00\\x00\\x90\\xb6\\x1fN\\x92\\x02\\x00\\x00\\xc0\\xbd\\x1fN\\x92\\x02\\x00\\x00\\xa0\\xb6\\x1fN\\x92\\x02\\x00\\x00\\xd0\\xbd\\x1fN\\x92\\x02\\x00\\x00\\xb0\\xb6\\x1fN\\x92\\x02\\x00\\x00\\x00\\x00mv\\xfc\\x7f\\x00\\x00\\xa0\\xa7mv\\xfc\\x7f\\x00\\x00\\x00P\\x05\\x00\\x00\\x00\\x00\\x00>\\x00@\\x00\\x00\\x00\\x00\\x00\\xf0\\xa2\\x1fN\\x92\\x02\\x00\\x00\\x16\\x00\\x18\\x00\\x00\\x00\\x00\\x00\\x18\\xa3\\x1fN\\x92\\x02\\x00\\x00\\xec\\xa2\\x0c\\x00\\x06\\x00\\x00\\x00\\x10s\"T\\x92\\x02\\x00\\x00\\x80\\x90\\x1fN\\x92\\x02\\x00\\x00S\\xbe\\xd5!\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 14292
          },
          {
            "timestamp": "2026-05-28 22:01:58,584",
            "thread_id": "8604",
            "caller": "0x7ff6c28b4236",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2924e1fbdb0"
              },
              {
                "name": "Size",
                "value": "0x00000088"
              },
              {
                "name": "Buffer",
                "value": "\\x10\\xc0\\x1fN\\x92\\x02\\x00\\x00\\xe0\\xbe\\x1fN\\x92\\x02\\x00\\x00 \\xc0\\x1fN\\x92\\x02\\x00\\x00\\xf0\\xbe\\x1fN\\x92\\x02\\x00\\x00\\xf0\\xe2\\x1fN\\x92\\x02\\x00\\x00\\x00\\xbf\\x1fN\\x92\\x02\\x00\\x00\\x00\\x00\\xe0u\\xfc\\x7f\\x00\\x00\\xf0\\x90\\xe0u\\xfc\\x7f\\x00\\x00\\x00p\\x02\\x00\\x00\\x00\\x00\\x00<\\x00>\\x00\\x00\\x00\\x00\\x00\\xe0\\xa3\\x1fN\\x92\\x02\\x00\\x00\\x14\\x00\\x16\\x00\\x00\\x00\\x00\\x00\\x08\\xa4\\x1fN\\x92\\x02\\x00\\x00\\xec\\xa2\\x0c\\x00\\x06\\x00\\x00\\x00\\xe0~\\xeeS\\x92\\x02\\x00\\x00`\\xc1\\x13x\\xfc\\x7f\\x00\\x00C\\xb9#\\x97\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 14293
          },
          {
            "timestamp": "2026-05-28 22:01:58,584",
            "thread_id": "8604",
            "caller": "0x7ff6c28b4236",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2924e1fc010"
              },
              {
                "name": "Size",
                "value": "0x00000088"
              },
              {
                "name": "Buffer",
                "value": "\\x80\\xed\\x1fN\\x92\\x02\\x00\\x00\\xb0\\xbd\\x1fN\\x92\\x02\\x00\\x00\\x90\\xed\\x1fN\\x92\\x02\\x00\\x00\\xc0\\xbd\\x1fN\\x92\\x02\\x00\\x00`\\xc1\\x1fN\\x92\\x02\\x00\\x00\\xe0\\xe8\\x1fN\\x92\\x02\\x00\\x00\\x00\\x00\\x1dw\\xfc\\x7f\\x00\\x00\\xf0\"\\x1dw\\xfc\\x7f\\x00\\x00\\x00\\x80\\x00\\x00\\x00\\x00\\x00\\x006\\x008\\x00\\x00\\x00\\x00\\x00\\xa0\\xdb\\x1fN\\x92\\x02\\x00\\x00\\x0e\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\xc8\\xdb\\x1fN\\x92\\x02\\x00\\x00\\xec\\xa2\\x0c\\x00\\x06\\x00\\x00\\x00\\xb0\\xd5(N\\x92\\x02\\x00\\x00\\xe0\\xc2\\x13x\\xfc\\x7f\\x00\\x00@\\xe2\\xe3o\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 14294
          },
          {
            "timestamp": "2026-05-28 22:01:58,584",
            "thread_id": "8604",
            "caller": "0x7ff6c28b4236",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2924e1fed80"
              },
              {
                "name": "Size",
                "value": "0x00000088"
              },
              {
                "name": "Buffer",
                "value": "0\\xf8\\x1fN\\x92\\x02\\x00\\x00\\x10\\xc0\\x1fN\\x92\\x02\\x00\\x00@\\xf8\\x1fN\\x92\\x02\\x00\\x00 \\xc0\\x1fN\\x92\\x02\\x00\\x00\\x90\\xc2\\x1fN\\x92\\x02\\x00\\x00P\\xf8\\x1fN\\x92\\x02\\x00\\x00\\x00\\x00pw\\xfc\\x7f\\x00\\x00\\xa04rw\\xfc\\x7f\\x00\\x00\\x00\\xe0F\\x00\\x00\\x00\\x00\\x00@\\x00B\\x00\\x00\\x00\\x00\\x000\\x9f\\x1fN\\x92\\x02\\x00\\x00\\x18\\x00\\x1a\\x00\\x00\\x00\\x00\\x00X\\x9f\\x1fN\\x92\\x02\\x00\\x00\\xec\\xa2\\x08\\x00\\x06\\x00\\x00\\x00`\\xea\\x1fN\\x92\\x02\\x00\\x00p\\xc2\\x13x\\xfc\\x7f\\x00\\x00\"%\\x88W\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 14295
          },
          {
            "timestamp": "2026-05-28 22:01:58,584",
            "thread_id": "8604",
            "caller": "0x7ff6c28b4236",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2924e1ff830"
              },
              {
                "name": "Size",
                "value": "0x00000088"
              },
              {
                "name": "Buffer",
                "value": "p\\xc2\\x1fN\\x92\\x02\\x00\\x00\\x80\\xed\\x1fN\\x92\\x02\\x00\\x00\\x80\\xc2\\x1fN\\x92\\x02\\x00\\x00\\x90\\xed\\x1fN\\x92\\x02\\x00\\x00\\xa0\\xed\\x1fN\\x92\\x02\\x00\\x00\\x90\\xf3\\x1fN\\x92\\x02\\x00\\x00\\x00\\x00\\xf5u\\xfc\\x7f\\x00\\x00P7\\xf6u\\xfc\\x7f\\x00\\x00\\x00\\xe0\\x04\\x00\\x00\\x00\\x00\\x00@\\x00B\\x00\\x00\\x00\\x00\\x00`\\xa1\\x1fN\\x92\\x02\\x00\\x00\\x18\\x00\\x1a\\x00\\x00\\x00\\x00\\x00\\x88\\xa1\\x1fN\\x92\\x02\\x00\\x00\\xec\\xa2\\x0c\\x00\\x06\\x00\\x00\\x00\\xe0\\xc2\\x1fN\\x92\\x02\\x00\\x00\\xd0\\xc1\\x13x\\xfc\\x7f\\x00\\x00]\\x81\\xde\\x1e\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 14296
          },
          {
            "timestamp": "2026-05-28 22:01:58,584",
            "thread_id": "8604",
            "caller": "0x7ff6c28b4236",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2924e1fc270"
              },
              {
                "name": "Size",
                "value": "0x00000088"
              },
              {
                "name": "Buffer",
                "value": "@\\xc1\\x1fN\\x92\\x02\\x00\\x000\\xf8\\x1fN\\x92\\x02\\x00\\x00P\\xc1\\x1fN\\x92\\x02\\x00\\x00@\\xf8\\x1fN\\x92\\x02\\x00\\x00\\xe0\\xe8\\x1fN\\x92\\x02\\x00\\x00\\xa0\\xed\\x1fN\\x92\\x02\\x00\\x00\\x00\\x00Fu\\xfc\\x7f\\x00\\x00\\x804Fu\\xfc\\x7f\\x00\\x00\\x00\\xb0\\x04\\x00\\x00\\x00\\x00\\x00@\\x00B\\x00\\x00\\x00\\x00\\x00\\xa0\\x9d\\x1fN\\x92\\x02\\x00\\x00\\x18\\x00\\x1a\\x00\\x00\\x00\\x00\\x00\\xc8\\x9d\\x1fN\\x92\\x02\\x00\\x00\\xec\\xa2\\x0c\\x00\\x06\\x00\\x00\\x00\\xd0\\xf9\\x1fN\\x92\\x02\\x00\\x00\\xa0\\xf8\\x1fN\\x92\\x02\\x00\\x00\\x08\\x95\\x19\\x06\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 14297
          },
          {
            "timestamp": "2026-05-28 22:01:58,584",
            "thread_id": "8604",
            "caller": "0x7ff6c28b4236",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2924e1fc140"
              },
              {
                "name": "Size",
                "value": "0x00000088"
              },
              {
                "name": "Buffer",
                "value": "\\xa0\\xc3\\x1fN\\x92\\x02\\x00\\x00p\\xc2\\x1fN\\x92\\x02\\x00\\x00\\xb0\\xc3\\x1fN\\x92\\x02\\x00\\x00\\x80\\xc2\\x1fN\\x92\\x02\\x00\\x00\\xc0\\xc3\\x1fN\\x92\\x02\\x00\\x000\\xc0\\x1fN\\x92\\x02\\x00\\x00\\x00\\x00\\xe0a\\xfc\\x7f\\x00\\x00p\\x9e\\xe9a\\xfc\\x7f\\x00\\x00\\x00\\xa0)\\x00\\x00\\x00\\x00\\x00\\xf8\\x00\\xfa\\x00\\x00\\x00\\x00\\x00\\xb0' N\\x92\\x02\\x00\\x00\\x18\\x00\\x1a\\x00\\x00\\x00\\x00\\x00\\x90( N\\x92\\x02\\x00\\x00\\xec\\xa2\\x08\\x10\\x06\\x00\\xff\\xff\\x80|\\xeeS\\x92\\x02\\x00\\x00p\\xb2\\x1fN\\x92\\x02\\x00\\x00\\xed\\xb6\\x1eK\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 14298
          },
          {
            "timestamp": "2026-05-28 22:01:58,584",
            "thread_id": "8604",
            "caller": "0x7ff6c28b4236",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2924e1fc3a0"
              },
              {
                "name": "Size",
                "value": "0x00000088"
              },
              {
                "name": "Buffer",
                "value": "`\\xb5\\x1fN\\x92\\x02\\x00\\x00@\\xc1\\x1fN\\x92\\x02\\x00\\x00p\\xb5\\x1fN\\x92\\x02\\x00\\x00P\\xc1\\x1fN\\x92\\x02\\x00\\x00\\x80\\xb5\\x1fN\\x92\\x02\\x00\\x00`\\xc1\\x1fN\\x92\\x02\\x00\\x00\\x00\\x00\ns\\xfc\\x7f\\x00\\x00p\\x8c\\x0cs\\xfc\\x7f\\x00\\x00\\x00\\xe0\t\\x00\\x00\\x00\\x00\\x00>\\x00@\\x00\\x92\\x02\\x00\\x00\\xd0\\x9f\\x1fN\\x92\\x02\\x00\\x00\\x16\\x00\\x18\\x00\\x00\\x00\\x00\\x00\\xf8\\x9f\\x1fN\\x92\\x02\\x00\\x00\\xec\\xa2\\x0c\\x00\\x06\\x00\\x00\\x000a\\xeeS\\x92\\x02\\x00\\x00@\\xac\\x1fN\\x92\\x02\\x00\\x006\\x88\\x10\\x16\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 14299
          },
          {
            "timestamp": "2026-05-28 22:01:58,584",
            "thread_id": "8604",
            "caller": "0x7ff6c28b4236",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2924e1fb560"
              },
              {
                "name": "Size",
                "value": "0x00000088"
              },
              {
                "name": "Buffer",
                "value": "\\xc0\\xb7\\x1fN\\x92\\x02\\x00\\x00\\xa0\\xc3\\x1fN\\x92\\x02\\x00\\x00\\xd0\\xb7\\x1fN\\x92\\x02\\x00\\x00\\xb0\\xc3\\x1fN\\x92\\x02\\x00\\x00\\xe0\\xb7\\x1fN\\x92\\x02\\x00\\x00\\xc0\\xc3\\x1fN\\x92\\x02\\x00\\x00\\x00\\x00\\x99k\\xfc\\x7f\\x00\\x00\\xc0\\x16\\x99k\\xfc\\x7f\\x00\\x00\\x00\\x90\\x01\\x00\\x00\\x00\\x00\\x00<\\x00>\\x00\\x92\\x02\\x00\\x00\\x10\\xa1\\x1fN\\x92\\x02\\x00\\x00\\x14\\x00\\x16\\x00\\x00\\x00\\x00\\x008\\xa1\\x1fN\\x92\\x02\\x00\\x00\\xec\\xa2\\x0c\\x00\\x06\\x00\\x00\\x00@n\\xeeS\\x92\\x02\\x00\\x00\\xc0\\xc2\\x13x\\xfc\\x7f\\x00\\x00\\x1e\\xc3a\\x08\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 14300
          },
          {
            "timestamp": "2026-05-28 22:01:58,584",
            "thread_id": "8604",
            "caller": "0x7ff6c28b4236",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2924e1fb7c0"
              },
              {
                "name": "Size",
                "value": "0x00000088"
              },
              {
                "name": "Buffer",
                "value": "@\\xf2\\x1fN\\x92\\x02\\x00\\x00`\\xb5\\x1fN\\x92\\x02\\x00\\x00P\\xf2\\x1fN\\x92\\x02\\x00\\x00p\\xb5\\x1fN\\x92\\x02\\x00\\x00`\\xf2\\x1fN\\x92\\x02\\x00\\x00\\x80\\xb5\\x1fN\\x92\\x02\\x00\\x00\\x00\\x00\\xa9j\\xfc\\x7f\\x00\\x00 R\\xaaj\\xfc\\x7f\\x00\\x00\\x00P\t\\x00\\x00\\x00\\x00\\x00:\\x00<\\x00\\x92\\x02\\x00\\x00\\xf0\\x9d\\x1fN\\x92\\x02\\x00\\x00\\x12\\x00\\x14\\x00\\x00\\x00\\x00\\x00\\x18\\x9e\\x1fN\\x92\\x02\\x00\\x00\\xec\\xa2\\x08\\x00\\x06\\x00\\xff\\xff\\x80\\xf1\\x1fN\\x92\\x02\\x00\\x00\\x90\\xba\\x1fN\\x92\\x02\\x00\\x00}\\x0bF\r\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 14301
          },
          {
            "timestamp": "2026-05-28 22:01:58,584",
            "thread_id": "8604",
            "caller": "0x7ff6c28b4236",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2924e1ff240"
              },
              {
                "name": "Size",
                "value": "0x00000088"
              },
              {
                "name": "Buffer",
                "value": "P\\xff\\x1fN\\x92\\x02\\x00\\x00\\xc0\\xb7\\x1fN\\x92\\x02\\x00\\x00`\\xff\\x1fN\\x92\\x02\\x00\\x00\\xd0\\xb7\\x1fN\\x92\\x02\\x00\\x00p\\xff\\x1fN\\x92\\x02\\x00\\x00\\xe0\\xb7\\x1fN\\x92\\x02\\x00\\x00\\x00\\x00\\x1f`\\xfc\\x7f\\x00\\x00pR#`\\xfc\\x7f\\x00\\x00\\x00\\xe0\\x1a\\x00\\x00\\x00\\x00\\x00:\\x00<\\x00\\x92\\x02\\x00\\x00\\xb0< N\\x92\\x02\\x00\\x00\\x12\\x00\\x14\\x00\\x00\\x00\\x00\\x00\\xd8< N\\x92\\x02\\x00\\x00\\xec\\xa2\\x08\\x00\\x06\\x00\\xff\\xff`\\xfd\\x1fN\\x92\\x02\\x00\\x00\\xb0\\xc1\\x13x\\xfc\\x7f\\x00\\x00n\\xea\\xab\\xed\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 14302
          },
          {
            "timestamp": "2026-05-28 22:01:58,584",
            "thread_id": "8604",
            "caller": "0x7ff6c28b4236",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2924e1fff50"
              },
              {
                "name": "Size",
                "value": "0x00000088"
              },
              {
                "name": "Buffer",
                "value": "`\\xf9\\x1fN\\x92\\x02\\x00\\x00@\\xf2\\x1fN\\x92\\x02\\x00\\x00p\\xf9\\x1fN\\x92\\x02\\x00\\x00P\\xf2\\x1fN\\x92\\x02\\x00\\x00\\x80\\xf9\\x1fN\\x92\\x02\\x00\\x00`\\xf2\\x1fN\\x92\\x02\\x00\\x00\\x00\\x00w^\\xfc\\x7f\\x00\\x00P5w^\\xfc\\x7f\\x00\\x00\\x00\\x90\\x04\\x00\\x00\\x00\\x00\\x006\\x008\\x00\\x92\\x02\\x00\\x00\\xf0N N\\x92\\x02\\x00\\x00\\x0e\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x18O N\\x92\\x02\\x00\\x00\\xec\\xa2\\x0c\\x00\\x06\\x00\\x00\\x00\\xe0\\xf3\\x1fN\\x92\\x02\\x00\\x00\\xe0\\xc1\\x13x\\xfc\\x7f\\x00\\x00v\\x0cU\\xc3\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 14303
          },
          {
            "timestamp": "2026-05-28 22:01:58,584",
            "thread_id": "8604",
            "caller": "0x7ff6c28b4236",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2924e1ff960"
              },
              {
                "name": "Size",
                "value": "0x00000088"
              },
              {
                "name": "Buffer",
                "value": "\\xe0\\xef\\x1fN\\x92\\x02\\x00\\x00P\\xff\\x1fN\\x92\\x02\\x00\\x00\\xf0\\xef\\x1fN\\x92\\x02\\x00\\x00`\\xff\\x1fN\\x92\\x02\\x00\\x00\\x00\\xf0\\x1fN\\x92\\x02\\x00\\x00p\\xff\\x1fN\\x92\\x02\\x00\\x00\\x00\\x007n\\xfc\\x7f\\x00\\x00@\\x1a9n\\xfc\\x7f\\x00\\x00\\x00\\xb0\\x03\\x00\\x00\\x00\\x00\\x00<\\x00>\\x00\\x92\\x02\\x00\\x00@9 N\\x92\\x02\\x00\\x00\\x14\\x00\\x16\\x00\\x00\\x00\\x00\\x00h9 N\\x92\\x02\\x00\\x00\\xec\\xa2\\x08\\x00\\x06\\x00\\xff\\xff0t\\xeeS\\x92\\x02\\x00\\x00\\xe0\\xc2\\x1fN\\x92\\x02\\x00\\x00\\x0e\\x82\\xd7\\x1f\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 14304
          },
          {
            "timestamp": "2026-05-28 22:01:58,584",
            "thread_id": "8604",
            "caller": "0x7ff6c28b43ca",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": false,
            "return": "0xffffffffc0000135",
            "pretty_return": "DLL_NOT_FOUND",
            "arguments": [
              {
                "name": "FileName",
                "value": "DXCaptureReplay.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x292542530f0"
              }
            ],
            "repeated": 0,
            "id": 14305
          },
          {
            "timestamp": "2026-05-28 22:01:58,584",
            "thread_id": "8604",
            "caller": "0x7ff6c28b43ca",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a1c"
              }
            ],
            "repeated": 0,
            "id": 14306
          },
          {
            "timestamp": "2026-05-28 22:01:58,600",
            "thread_id": "8604",
            "caller": "0x7ff6c28b43ca",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a20"
              }
            ],
            "repeated": 0,
            "id": 14307
          },
          {
            "timestamp": "2026-05-28 22:01:58,600",
            "thread_id": "8604",
            "caller": "0x7ff6c28b43ca",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc74048000"
              },
              {
                "name": "ModuleName",
                "value": "dxgi.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 14308
          },
          {
            "timestamp": "2026-05-28 22:01:58,600",
            "thread_id": "8604",
            "caller": "0x7ff6c28b43ca",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc74048000"
              },
              {
                "name": "ModuleName",
                "value": "dxgi.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 14309
          },
          {
            "timestamp": "2026-05-28 22:01:58,600",
            "thread_id": "8604",
            "caller": "0x7ff6c28b43ca",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000009fc"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\Taskmgr.exe"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000080",
                "pretty_value": "FILE_ATTRIBUTE_NORMAL"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 14310
          },
          {
            "timestamp": "2026-05-28 22:01:58,600",
            "thread_id": "8604",
            "caller": "0x7ff6c28b43ca",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000009fc"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\System32\\Taskmgr.exe"
              },
              {
                "name": "FileInformationClass",
                "value": "5",
                "pretty_value": "FileStandardInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\x00\\x90\\x12\\x00\\x00\\x00\\x00\\x00\\xb8\\x87\\x12\\x00\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 14311
          },
          {
            "timestamp": "2026-05-28 22:01:58,600",
            "thread_id": "8604",
            "caller": "0x7ff6c28b43ca",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000009fc"
              }
            ],
            "repeated": 0,
            "id": 14312
          },
          {
            "timestamp": "2026-05-28 22:01:58,600",
            "thread_id": "8604",
            "caller": "0x7ff6c28b43ca",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "registry",
            "api": "RegOpenKeyExA",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000001",
                "pretty_value": "HKEY_CURRENT_USER"
              },
              {
                "name": "SubKey",
                "value": "Software\\Microsoft\\Direct3D"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\Software\\Microsoft\\Direct3D"
              }
            ],
            "repeated": 0,
            "id": 14313
          },
          {
            "timestamp": "2026-05-28 22:01:58,600",
            "thread_id": "8604",
            "caller": "0x7ff6c28b43ca",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "registry",
            "api": "RegOpenKeyExA",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "Software\\Microsoft\\Direct3D"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Direct3D"
              }
            ],
            "repeated": 0,
            "id": 14314
          },
          {
            "timestamp": "2026-05-28 22:01:58,600",
            "thread_id": "8604",
            "caller": "0x7ff6c28b43ca",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "gdi32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc77ed0000"
              }
            ],
            "repeated": 0,
            "id": 14315
          },
          {
            "timestamp": "2026-05-28 22:01:58,600",
            "thread_id": "8604",
            "caller": "0x7ff6c28b43ca",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "GDI32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc77ed0000"
              },
              {
                "name": "FunctionName",
                "value": "D3DKMTGetSharedResourceAdapterLuid"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc75a54f50"
              }
            ],
            "repeated": 0,
            "id": 14316
          },
          {
            "timestamp": "2026-05-28 22:01:58,600",
            "thread_id": "8604",
            "caller": "0x7ff6c28b43ca",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "GDI32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc77ed0000"
              },
              {
                "name": "FunctionName",
                "value": "D3DKMTSetStereoEnabled"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc75a55950"
              }
            ],
            "repeated": 0,
            "id": 14317
          },
          {
            "timestamp": "2026-05-28 22:01:58,600",
            "thread_id": "8604",
            "caller": "0x7ff6c28b43ca",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc77fd0000"
              }
            ],
            "repeated": 0,
            "id": 14318
          },
          {
            "timestamp": "2026-05-28 22:01:58,600",
            "thread_id": "8604",
            "caller": "0x7ff6c28b43ca",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc77fd0000"
              },
              {
                "name": "FunctionName",
                "value": "RtlRegisterFeatureConfigurationChangeNotification"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc77fd93b0"
              }
            ],
            "repeated": 0,
            "id": 14319
          },
          {
            "timestamp": "2026-05-28 22:01:58,600",
            "thread_id": "8604",
            "caller": "0x7ff6c28b43ca",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc77fd0000"
              },
              {
                "name": "FunctionName",
                "value": "NtQueryWnfStateData"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc7806fc40"
              }
            ],
            "repeated": 0,
            "id": 14320
          },
          {
            "timestamp": "2026-05-28 22:01:58,600",
            "thread_id": "8604",
            "caller": "0x7ff6c28b43ca",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc77fd0000"
              },
              {
                "name": "FunctionName",
                "value": "RtlSubscribeWnfStateChangeNotification"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc78012460"
              }
            ],
            "repeated": 0,
            "id": 14321
          },
          {
            "timestamp": "2026-05-28 22:01:58,600",
            "thread_id": "8604",
            "caller": "0x7ff6c28b43ca",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc77fd0000"
              },
              {
                "name": "FunctionName",
                "value": "RtlDisownModuleHeapAllocation"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc7804fa30"
              }
            ],
            "repeated": 0,
            "id": 14322
          },
          {
            "timestamp": "2026-05-28 22:01:58,600",
            "thread_id": "8604",
            "caller": "0x7ff6c28b43ca",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc77fd0000"
              },
              {
                "name": "FunctionName",
                "value": "RtlQueryFeatureConfiguration"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc7802cbd0"
              }
            ],
            "repeated": 0,
            "id": 14323
          },
          {
            "timestamp": "2026-05-28 22:01:58,600",
            "thread_id": "8604",
            "caller": "0x7ff6c28b43ca",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc77fd0000"
              },
              {
                "name": "FunctionName",
                "value": "RtlDllShutdownInProgress"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc78033410"
              }
            ],
            "repeated": 0,
            "id": 14324
          },
          {
            "timestamp": "2026-05-28 22:01:58,600",
            "thread_id": "8604",
            "caller": "0x7ff6c28b43ca",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "synchronization",
            "api": "NtCreateMutant",
            "status": true,
            "return": "0x40000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a20"
              },
              {
                "name": "MutexName",
                "value": "Local\\SM0:7912:304:WilStaging_02"
              },
              {
                "name": "InitialOwner",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 14325
          },
          {
            "timestamp": "2026-05-28 22:01:58,600",
            "thread_id": "8604",
            "caller": "0x7ff6c28b43ca",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a24"
              }
            ],
            "repeated": 0,
            "id": 14326
          },
          {
            "timestamp": "2026-05-28 22:01:58,600",
            "thread_id": "8604",
            "caller": "0x7ff6c28b43ca",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a1c"
              }
            ],
            "repeated": 0,
            "id": 14327
          },
          {
            "timestamp": "2026-05-28 22:01:58,600",
            "thread_id": "8604",
            "caller": "0x7ff6c28b43ca",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a20"
              }
            ],
            "repeated": 0,
            "id": 14328
          },
          {
            "timestamp": "2026-05-28 22:01:58,600",
            "thread_id": "8604",
            "caller": "0x7ff6c28b43ca",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": false,
            "return": "0xffffffffc0000135",
            "pretty_return": "DLL_NOT_FOUND",
            "arguments": [
              {
                "name": "FileName",
                "value": "csrsrv.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc00000991"
              }
            ],
            "repeated": 0,
            "id": 14329
          },
          {
            "timestamp": "2026-05-28 22:01:58,600",
            "thread_id": "8604",
            "caller": "0x7ff6c28b43ca",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\SYSTEM32\\resourcepolicyclient"
              },
              {
                "name": "DllBase",
                "value": "0x7ffc731a0000"
              }
            ],
            "repeated": 0,
            "id": 14330
          },
          {
            "timestamp": "2026-05-28 22:01:58,600",
            "thread_id": "8604",
            "caller": "0x7ff6c28b43ca",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "ext-ms-win-core-resourcepolicy-l1-1-0.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc731a0000"
              }
            ],
            "repeated": 0,
            "id": 14331
          },
          {
            "timestamp": "2026-05-28 22:01:58,600",
            "thread_id": "8604",
            "caller": "0x7ff6c28b43ca",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x7ffc731a0000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "ext-ms-win-core-resourcepolicy-l1-1-0.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 14332
          },
          {
            "timestamp": "2026-05-28 22:01:58,600",
            "thread_id": "8604",
            "caller": "0x7ff6c28b43ca",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "resourcepolicyclient.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc731a0000"
              },
              {
                "name": "FunctionName",
                "value": "CreateGameConfigStoreClient"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc731a2540"
              }
            ],
            "repeated": 0,
            "id": 14333
          },
          {
            "timestamp": "2026-05-28 22:01:58,600",
            "thread_id": "8604",
            "caller": "0x7ff6c28b43ca",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000a20"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80000000",
                "pretty_value": "0x80000000"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\MACHINE\\Software\\Microsoft\\SecurityManager\\TransientObjects\\%5C%5C.%5CRpc%5CAllowLpacAppExperience%5CInterface"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\SecurityManager\\TransientObjects\\%5C%5C.%5CRpc%5CAllowLpacAppExperience%5CInterface"
              }
            ],
            "repeated": 0,
            "id": 14334
          },
          {
            "timestamp": "2026-05-28 22:01:58,600",
            "thread_id": "8604",
            "caller": "0x7ff6c28b43ca",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a20"
              }
            ],
            "repeated": 0,
            "id": 14335
          },
          {
            "timestamp": "2026-05-28 22:01:58,600",
            "thread_id": "8604",
            "caller": "0x7ff6c28b43ca",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "29"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 14336
          },
          {
            "timestamp": "2026-05-28 22:01:58,600",
            "thread_id": "8604",
            "caller": "0x7ff6c28b43ca",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "filesystem",
            "api": "NtOpenDirectoryObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "DirectoryHandle",
                "value": "0x00000a20"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020001",
                "pretty_value": "FILE_READ_ACCESS|READ_CONTROL"
              },
              {
                "name": "ObjectAttributes",
                "value": "C:\\RPC Control"
              }
            ],
            "repeated": 0,
            "id": 14337
          },
          {
            "timestamp": "2026-05-28 22:01:58,600",
            "thread_id": "8604",
            "caller": "0x7ff6c28b43ca",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x00000a1c"
              }
            ],
            "repeated": 0,
            "id": 14338
          },
          {
            "timestamp": "2026-05-28 22:01:58,600",
            "thread_id": "8604",
            "caller": "0x7ff6c28b43ca",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "10"
              },
              {
                "name": "TokenInformation",
                "value": "j\\xc4\t\\x00\\x00\\x00\\x00\\x00]Y\\x02\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x7f\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x94\\x0f\\x00\\x00\\x0e\\x00\\x00\\x00\\x18\\x00\\x00\\x00\\xa4\\xd0\t\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 14339
          },
          {
            "timestamp": "2026-05-28 22:01:58,600",
            "thread_id": "8604",
            "caller": "0x7ff6c28b43ca",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "4"
              },
              {
                "name": "TokenInformation",
                "value": "8\\x1a\\x8cT\\x92\\x02\\x00\\x00\\x01\\x02\\x00\\x00\\x00\\x00\\x00\\x05 \\x00\\x00\\x00 \\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 14340
          },
          {
            "timestamp": "2026-05-28 22:01:58,600",
            "thread_id": "8604",
            "caller": "0x7ff6c28b43ca",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "25"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x0f\\x8cT\\x92\\x02\\x00\\x00`\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x10\\x000\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 14341
          },
          {
            "timestamp": "2026-05-28 22:01:58,600",
            "thread_id": "8604",
            "caller": "0x7ff6c28b43ca",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "5"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 14342
          },
          {
            "timestamp": "2026-05-28 22:01:58,600",
            "thread_id": "8604",
            "caller": "0x7ff6c28b43ca",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "5"
              },
              {
                "name": "TokenInformation",
                "value": "84vT\\x92\\x02\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\x01\\x02\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 14343
          },
          {
            "timestamp": "2026-05-28 22:01:58,600",
            "thread_id": "8604",
            "caller": "0x7ff6c28b43ca",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "6"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 14344
          },
          {
            "timestamp": "2026-05-28 22:01:58,600",
            "thread_id": "8604",
            "caller": "0x7ff6c28b43ca",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "6"
              },
              {
                "name": "TokenInformation",
                "value": "\\x98\\x11\\x8cT\\x92\\x02\\x00\\x00\\x02\\x00P\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x18\\x00\\x00\\x00\\x00\\x10\\x01\\x02\\x00\\x00\\x00\\x00\\x00\\x05 \\x00\\x00\\x00 \\x02\\x00\\x00\\x00\\x00\\x14\\x00\\x00\\x00\\x00\\x10\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x05\\x12\\x00\\x00\\x00\\x00\\x00\\x1c\\x00\\x00\\x00\\x00\\xa0\\x01\\x03\\x00\\x00\\x00\\x00\\x00\\x05\\x05\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xc7X\\x02\\x00"
              }
            ],
            "repeated": 0,
            "id": 14345
          },
          {
            "timestamp": "2026-05-28 22:01:58,600",
            "thread_id": "8604",
            "caller": "0x7ff6c28b43ca",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "41"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00X@\\xdd3\\xfc\\x7f\\x00\\x00\\xebP\\xb53\\xfc\\x7f\\x00\\x00\\x82\\xf8\\x1a\\xbdK\\xb4\\x00\\x00(N\\xd93\\xfc\\x7f\\x00\\x00P\\xe8O\\x9e\\xf0\\x00\\x00\\x00H\\xe8O\\x9e\\xf0\\x00\\x00\\x00\\x18\\xe8O\\x9e\\xf0\\x00\\x00\\x008\\xe8O\\x9e"
              }
            ],
            "repeated": 0,
            "id": 14346
          },
          {
            "timestamp": "2026-05-28 22:01:58,600",
            "thread_id": "8604",
            "caller": "0x7ff6c28b43ca",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "41"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x90\\x11\\x8cT\\x92\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xd9\\xd8\\xb63\\xfc\\x7f\\x00\\x00#\\x00\\x00\\xc0\\x00\\x00\\x00\\x008\\xe6O\\x9e\\xf0\\x00\\x00\\x00\\x1c\n\\x00\\x00\\x00\\x00\\x00\\x00\\x9a\\x00\\x1f8\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x86\\xa2\\xd93"
              }
            ],
            "repeated": 0,
            "id": 14347
          },
          {
            "timestamp": "2026-05-28 22:01:58,600",
            "thread_id": "8604",
            "caller": "0x7ff6c28b43ca",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "10"
              },
              {
                "name": "TokenInformation",
                "value": "j\\xc4\t\\x00\\x00\\x00\\x00\\x00]Y\\x02\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x7f\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x94\\x0f\\x00\\x00\\x0e\\x00\\x00\\x00\\x18\\x00\\x00\\x00\\xa4\\xd0\t\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 14348
          },
          {
            "timestamp": "2026-05-28 22:01:58,600",
            "thread_id": "8604",
            "caller": "0x7ff6c28b43ca",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "4"
              },
              {
                "name": "TokenInformation",
                "value": "\\x18\\x16\\x8cT\\x92\\x02\\x00\\x00\\x01\\x02\\x00\\x00\\x00\\x00\\x00\\x05 \\x00\\x00\\x00 \\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 14349
          },
          {
            "timestamp": "2026-05-28 22:01:58,600",
            "thread_id": "8604",
            "caller": "0x7ff6c28b43ca",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "25"
              },
              {
                "name": "TokenInformation",
                "value": "@\\x11\\x8cT\\x92\\x02\\x00\\x00`\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x10\\x000\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 14350
          },
          {
            "timestamp": "2026-05-28 22:01:58,600",
            "thread_id": "8604",
            "caller": "0x7ff6c28b43ca",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "5"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 14351
          },
          {
            "timestamp": "2026-05-28 22:01:58,600",
            "thread_id": "8604",
            "caller": "0x7ff6c28b43ca",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "5"
              },
              {
                "name": "TokenInformation",
                "value": "\\xc8.vT\\x92\\x02\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\x01\\x02\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 14352
          },
          {
            "timestamp": "2026-05-28 22:01:58,600",
            "thread_id": "8604",
            "caller": "0x7ff6c28b43ca",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "6"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 14353
          },
          {
            "timestamp": "2026-05-28 22:01:58,600",
            "thread_id": "8604",
            "caller": "0x7ff6c28b43ca",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "6"
              },
              {
                "name": "TokenInformation",
                "value": "\\xf8\\x11\\x8cT\\x92\\x02\\x00\\x00\\x02\\x00P\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x18\\x00\\x00\\x00\\x00\\x10\\x01\\x02\\x00\\x00\\x00\\x00\\x00\\x05 \\x00\\x00\\x00 \\x02\\x00\\x00\\x00\\x00\\x14\\x00\\x00\\x00\\x00\\x10\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x05\\x12\\x00\\x00\\x00\\x00\\x00\\x1c\\x00\\x00\\x00\\x00\\xa0\\x01\\x03\\x00\\x00\\x00\\x00\\x00\\x05\\x05\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xc7X\\x02\\x00"
              }
            ],
            "repeated": 0,
            "id": 14354
          },
          {
            "timestamp": "2026-05-28 22:01:58,600",
            "thread_id": "8604",
            "caller": "0x7ff6c28b43ca",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "41"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00X@\\xdd3\\xfc\\x7f\\x00\\x00\\xebP\\xb53\\xfc\\x7f\\x00\\x00b\\xfb\\x1a\\xbdK\\xb4\\x00\\x00(N\\xd93\\xfc\\x7f\\x00\\x00\\xb0\\xe4O\\x9e\\xf0\\x00\\x00\\x00\\xa8\\xe4O\\x9e\\xf0\\x00\\x00\\x00x\\xe4O\\x9e\\xf0\\x00\\x00\\x00\\x98\\xe4O\\x9e"
              }
            ],
            "repeated": 0,
            "id": 14355
          },
          {
            "timestamp": "2026-05-28 22:01:58,600",
            "thread_id": "8604",
            "caller": "0x7ff6c28b43ca",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "41"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xf0\\x11\\x8cT\\x92\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xd9\\xd8\\xb63\\xfc\\x7f\\x00\\x00#\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x98\\xe2O\\x9e\\xf0\\x00\\x00\\x00\\x1c\n\\x00\\x00\\x00\\x00\\x00\\x00\\x9a\\x00\\x1f8\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x86\\xa2\\xd93"
              }
            ],
            "repeated": 0,
            "id": 14356
          },
          {
            "timestamp": "2026-05-28 22:01:58,600",
            "thread_id": "8604",
            "caller": "0x7ff6c28b43ca",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a20"
              }
            ],
            "repeated": 0,
            "id": 14357
          },
          {
            "timestamp": "2026-05-28 22:01:58,600",
            "thread_id": "8604",
            "caller": "0x7ff6c28b43ca",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a1c"
              }
            ],
            "repeated": 0,
            "id": 14358
          },
          {
            "timestamp": "2026-05-28 22:01:58,600",
            "thread_id": "8604",
            "caller": "0x7ff6c28b43ca",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "29"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 14359
          },
          {
            "timestamp": "2026-05-28 22:01:58,600",
            "thread_id": "8604",
            "caller": "0x7ff6c28b43ca",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "filesystem",
            "api": "NtOpenDirectoryObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "DirectoryHandle",
                "value": "0x00000a1c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020001",
                "pretty_value": "FILE_READ_ACCESS|READ_CONTROL"
              },
              {
                "name": "ObjectAttributes",
                "value": "C:\\RPC Control"
              }
            ],
            "repeated": 0,
            "id": 14360
          },
          {
            "timestamp": "2026-05-28 22:01:58,600",
            "thread_id": "8604",
            "caller": "0x7ff6c28b43ca",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x00000a20"
              }
            ],
            "repeated": 0,
            "id": 14361
          },
          {
            "timestamp": "2026-05-28 22:01:58,600",
            "thread_id": "8604",
            "caller": "0x7ff6c28b43ca",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "10"
              },
              {
                "name": "TokenInformation",
                "value": "j\\xc4\t\\x00\\x00\\x00\\x00\\x00]Y\\x02\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x7f\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x94\\x0f\\x00\\x00\\x0e\\x00\\x00\\x00\\x18\\x00\\x00\\x00\\xa4\\xd0\t\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 14362
          },
          {
            "timestamp": "2026-05-28 22:01:58,600",
            "thread_id": "8604",
            "caller": "0x7ff6c28b43ca",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "4"
              },
              {
                "name": "TokenInformation",
                "value": "8\\x1a\\x8cT\\x92\\x02\\x00\\x00\\x01\\x02\\x00\\x00\\x00\\x00\\x00\\x05 \\x00\\x00\\x00 \\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 14363
          },
          {
            "timestamp": "2026-05-28 22:01:58,600",
            "thread_id": "8604",
            "caller": "0x7ff6c28b43ca",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "25"
              },
              {
                "name": "TokenInformation",
                "value": "\\xc0\\x12\\x8cT\\x92\\x02\\x00\\x00`\\x00\\x00\\x00\\\\x00W\\x00\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x10\\x000\\x00\\x00\\\\x00s\\x00y\\x00s\\x00t\\x00e\\x00m\\x003\\x002\\x00\\\\x00d\\x00r\\x00i\\x00v\\x00e\\x00r\\x00s\\x00\\\\x00v\\x00m\\x00b\\x00u\\x00s\\x00r\\x00.\\x00s\\x00y\\x00s\\x00"
              }
            ],
            "repeated": 0,
            "id": 14364
          },
          {
            "timestamp": "2026-05-28 22:01:58,600",
            "thread_id": "8604",
            "caller": "0x7ff6c28b43ca",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "5"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 14365
          },
          {
            "timestamp": "2026-05-28 22:01:58,600",
            "thread_id": "8604",
            "caller": "0x7ff6c28b43ca",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "5"
              },
              {
                "name": "TokenInformation",
                "value": "\\xc8.vT\\x92\\x02\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\x01\\x02\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 14366
          },
          {
            "timestamp": "2026-05-28 22:01:58,600",
            "thread_id": "8604",
            "caller": "0x7ff6c28b43ca",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "6"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 14367
          },
          {
            "timestamp": "2026-05-28 22:01:58,600",
            "thread_id": "8604",
            "caller": "0x7ff6c28b43ca",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "6"
              },
              {
                "name": "TokenInformation",
                "value": "\\xf8\\x0e\\x8cT\\x92\\x02\\x00\\x00\\x02\\x00P\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x18\\x00\\x00\\x00\\x00\\x10\\x01\\x02\\x00\\x00\\x00\\x00\\x00\\x05 \\x00\\x00\\x00 \\x02\\x00\\x00\\x00\\x00\\x14\\x00\\x00\\x00\\x00\\x10\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x05\\x12\\x00\\x00\\x00\\x00\\x00\\x1c\\x00\\x00\\x00\\x00\\xa0\\x01\\x03\\x00\\x00\\x00\\x00\\x00\\x05\\x05\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xc7X\\x02\\x00"
              }
            ],
            "repeated": 0,
            "id": 14368
          },
          {
            "timestamp": "2026-05-28 22:01:58,600",
            "thread_id": "8604",
            "caller": "0x7ff6c28b43ca",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "41"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00X@\\xdd3\\xfc\\x7f\\x00\\x00\\xebP\\xb53\\xfc\\x7f\\x00\\x00b\\xf9\\x1a\\xbdK\\xb4\\x00\\x00(N\\xd93\\xfc\\x7f\\x00\\x00\\xb0\\xe6O\\x9e\\xf0\\x00\\x00\\x00\\xa8\\xe6O\\x9e\\xf0\\x00\\x00\\x00x\\xe6O\\x9e\\xf0\\x00\\x00\\x00\\x98\\xe6O\\x9e"
              }
            ],
            "repeated": 0,
            "id": 14369
          },
          {
            "timestamp": "2026-05-28 22:01:58,600",
            "thread_id": "8604",
            "caller": "0x7ff6c28b43ca",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "41"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xf0\\x0e\\x8cT\\x92\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xd9\\xd8\\xb63\\xfc\\x7f\\x00\\x00#\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x98\\xe4O\\x9e\\xf0\\x00\\x00\\x00 \n\\x00\\x00\\x00\\x00\\x00\\x00\\x9a\\x00\\x1f8\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x86\\xa2\\xd93"
              }
            ],
            "repeated": 0,
            "id": 14370
          },
          {
            "timestamp": "2026-05-28 22:01:58,600",
            "thread_id": "8604",
            "caller": "0x7ff6c28b43ca",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "10"
              },
              {
                "name": "TokenInformation",
                "value": "j\\xc4\t\\x00\\x00\\x00\\x00\\x00]Y\\x02\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x7f\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x94\\x0f\\x00\\x00\\x0e\\x00\\x00\\x00\\x18\\x00\\x00\\x00\\xa4\\xd0\t\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 14371
          },
          {
            "timestamp": "2026-05-28 22:01:58,600",
            "thread_id": "8604",
            "caller": "0x7ff6c28b43ca",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "4"
              },
              {
                "name": "TokenInformation",
                "value": "\\x18\\x16\\x8cT\\x92\\x02\\x00\\x00\\x01\\x02\\x00\\x00\\x00\\x00\\x00\\x05 \\x00\\x00\\x00 \\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 14372
          },
          {
            "timestamp": "2026-05-28 22:01:58,600",
            "thread_id": "8604",
            "caller": "0x7ff6c28b43ca",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "25"
              },
              {
                "name": "TokenInformation",
                "value": "@\\x11\\x8cT\\x92\\x02\\x00\\x00`\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x10\\x000\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 14373
          },
          {
            "timestamp": "2026-05-28 22:01:58,600",
            "thread_id": "8604",
            "caller": "0x7ff6c28b43ca",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "5"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 14374
          },
          {
            "timestamp": "2026-05-28 22:01:58,600",
            "thread_id": "8604",
            "caller": "0x7ff6c28b43ca",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "5"
              },
              {
                "name": "TokenInformation",
                "value": "\\x081vT\\x92\\x02\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\x01\\x02\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 14375
          },
          {
            "timestamp": "2026-05-28 22:01:58,600",
            "thread_id": "8604",
            "caller": "0x7ff6c28b43ca",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "6"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 14376
          },
          {
            "timestamp": "2026-05-28 22:01:58,600",
            "thread_id": "8604",
            "caller": "0x7ff6c28b43ca",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "6"
              },
              {
                "name": "TokenInformation",
                "value": "\\x98\\x11\\x8cT\\x92\\x02\\x00\\x00\\x02\\x00P\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x18\\x00\\x00\\x00\\x00\\x10\\x01\\x02\\x00\\x00\\x00\\x00\\x00\\x05 \\x00\\x00\\x00 \\x02\\x00\\x00\\x00\\x00\\x14\\x00\\x00\\x00\\x00\\x10\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x05\\x12\\x00\\x00\\x00\\x00\\x00\\x1c\\x00\\x00\\x00\\x00\\xa0\\x01\\x03\\x00\\x00\\x00\\x00\\x00\\x05\\x05\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xc7X\\x02\\x00"
              }
            ],
            "repeated": 0,
            "id": 14377
          },
          {
            "timestamp": "2026-05-28 22:01:58,600",
            "thread_id": "8604",
            "caller": "0x7ff6c28b43ca",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "41"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00X@\\xdd3\\xfc\\x7f\\x00\\x00\\xebP\\xb53\\xfc\\x7f\\x00\\x00\\xc2\\xfd\\x1a\\xbdK\\xb4\\x00\\x00(N\\xd93\\xfc\\x7f\\x00\\x00\\x10\\xe3O\\x9e\\xf0\\x00\\x00\\x00\\x08\\xe3O\\x9e\\xf0\\x00\\x00\\x00\\xd8\\xe2O\\x9e\\xf0\\x00\\x00\\x00\\xf8\\xe2O\\x9e"
              }
            ],
            "repeated": 0,
            "id": 14378
          },
          {
            "timestamp": "2026-05-28 22:01:58,600",
            "thread_id": "8604",
            "caller": "0x7ff6c28b43ca",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "41"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x90\\x11\\x8cT\\x92\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xd9\\xd8\\xb63\\xfc\\x7f\\x00\\x00#\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\xf8\\xe0O\\x9e\\xf0\\x00\\x00\\x00 \n\\x00\\x00\\x00\\x00\\x00\\x00\\x9a\\x00\\x1f8\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x86\\xa2\\xd93"
              }
            ],
            "repeated": 0,
            "id": 14379
          },
          {
            "timestamp": "2026-05-28 22:01:58,600",
            "thread_id": "8604",
            "caller": "0x7ff6c28b43ca",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "@\\xe4O\\x9e\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\xe9\\x03\\x00\\x00\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x88\\xe9O\\x9e\\xf0\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\xfc\\x7f\\x00\\x00\\xceP\\x84\\x81"
              }
            ],
            "repeated": 0,
            "id": 14380
          },
          {
            "timestamp": "2026-05-28 22:01:58,600",
            "thread_id": "8604",
            "caller": "0x7ff6c28b43ca",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "2"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 14381
          },
          {
            "timestamp": "2026-05-28 22:01:58,600",
            "thread_id": "8604",
            "caller": "0x7ff6c28b43ca",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "2"
              },
              {
                "name": "TokenInformation",
                "value": "\\x0e\\x00\\x00\\x00o\\x00u\\x00Hc\\x92T\\x92\\x02\\x00\\x00\\x07\\x00\\x00\\x00i\\x00s\\x00dc\\x92T\\x92\\x02\\x00\\x00\\x07\\x00\\x00\\x00t\\x00h\\x00pc\\x92T\\x92\\x02\\x00\\x00\\x07\\x00\\x00\\x00e\\x00r\\x00|c\\x92T\\x92\\x02\\x00\\x00\\x0f\\x00\\x00\\x00e\\x00t\\x00\\x8cc\\x92T\\x92\\x02\\x00\\x00\\x07\\x00\\x00\\x00h\\x00e\\x00\\x9cc\\x92T\\x92\\x02\\x00\\x00\\x07\\x00\\x00\\x00s\\x00 \\x00\\xa8c\\x92T\\x92\\x02\\x00\\x00\\x07\\x00\\x00\\x00e\\x00d\\x00\\xb4c\\x92T\\x92\\x02\\x00\\x00\\x07\\x00\\x00\\x00e\\x00 \\x00\\xc0c\\x92T\\x92\\x02\\x00\\x00\\x07\\x00\\x00\\x00w\\x00o\\x00\\xccc\\x92T\\x92\\x02\\x00\\x00\\x07\\x00\\x00\\x00e\\x00 \\x00\\xd8c\\x92T\\x92\\x02\\x00\\x00\\x07\\x00\\x00\\xc0a\\x00l\\x00\\xecc\\x92T\\x92\\x02\\x00\\x00\\x07\\x00\\x00\\x00i\\x00d\\x00\\xf8c\\x92T\\x92\\x02\\x00\\x00\\x07\\x00\\x00\\x00t\\x00h\\x00\\x08d\\x92T\\x92\\x02\\x00\\x00`\\x00\\x00\\x00t\\x00i\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2"
              }
            ],
            "repeated": 0,
            "id": 14382
          },
          {
            "timestamp": "2026-05-28 22:01:58,600",
            "thread_id": "8604",
            "caller": "0x7ff6c28b43ca",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a1c"
              }
            ],
            "repeated": 0,
            "id": 14383
          },
          {
            "timestamp": "2026-05-28 22:01:58,600",
            "thread_id": "8604",
            "caller": "0x7ff6c28b43ca",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a20"
              }
            ],
            "repeated": 0,
            "id": 14384
          },
          {
            "timestamp": "2026-05-28 22:01:58,600",
            "thread_id": "8604",
            "caller": "0x7ff6c28b43ca",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "29"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 14385
          },
          {
            "timestamp": "2026-05-28 22:01:58,600",
            "thread_id": "8604",
            "caller": "0x7ff6c28b43ca",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "resourcepolicyclient.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc731a0000"
              },
              {
                "name": "FunctionName",
                "value": "FreeGameConfigStoreClient"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc731a24e0"
              }
            ],
            "repeated": 0,
            "id": 14386
          },
          {
            "timestamp": "2026-05-28 22:01:58,600",
            "thread_id": "8604",
            "caller": "0x7ff6c28b43ca",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "unload"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\SYSTEM32\\resourcepolicyclient"
              },
              {
                "name": "DllBase",
                "value": "0x7ffc731a0000"
              }
            ],
            "repeated": 0,
            "id": 14387
          },
          {
            "timestamp": "2026-05-28 22:01:58,600",
            "thread_id": "8604",
            "caller": "0x7ff6c28b43ca",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc731a0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              }
            ],
            "repeated": 0,
            "id": 14388
          },
          {
            "timestamp": "2026-05-28 22:01:58,600",
            "thread_id": "8604",
            "caller": "0x7ff6c28b43ca",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "gdi32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc77ed0000"
              }
            ],
            "repeated": 0,
            "id": 14389
          },
          {
            "timestamp": "2026-05-28 22:01:58,600",
            "thread_id": "8604",
            "caller": "0x7ff6c28b43ca",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x7ffc77ed0000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "gdi32.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 14390
          },
          {
            "timestamp": "2026-05-28 22:01:58,600",
            "thread_id": "8604",
            "caller": "0x7ff6c28b43ca",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "GDI32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc77ed0000"
              },
              {
                "name": "FunctionName",
                "value": "D3DKMTCloseAdapter"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc75a54730"
              }
            ],
            "repeated": 0,
            "id": 14391
          },
          {
            "timestamp": "2026-05-28 22:01:58,600",
            "thread_id": "8604",
            "caller": "0x7ff6c28b43ca",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "GDI32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc77ed0000"
              },
              {
                "name": "FunctionName",
                "value": "D3DKMTEnumAdapters2"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc75a54bb0"
              }
            ],
            "repeated": 0,
            "id": 14392
          },
          {
            "timestamp": "2026-05-28 22:01:58,600",
            "thread_id": "8604",
            "caller": "0x7ff6c28b43ca",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "GDI32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc77ed0000"
              },
              {
                "name": "FunctionName",
                "value": "D3DKMTQueryAdapterInfo"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc75a554b0"
              }
            ],
            "repeated": 0,
            "id": 14393
          },
          {
            "timestamp": "2026-05-28 22:01:58,600",
            "thread_id": "8604",
            "caller": "0x7ff6c28b43ca",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "GDI32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc77ed0000"
              },
              {
                "name": "FunctionName",
                "value": "D3DKMTQueryVideoMemoryInfo"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc75a55630"
              }
            ],
            "repeated": 0,
            "id": 14394
          },
          {
            "timestamp": "2026-05-28 22:01:58,600",
            "thread_id": "8604",
            "caller": "0x7ff6c28b43ca",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc74048000"
              },
              {
                "name": "ModuleName",
                "value": "dxgi.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 14395
          },
          {
            "timestamp": "2026-05-28 22:01:58,600",
            "thread_id": "8604",
            "caller": "0x7ff6c28b43ca",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc74048000"
              },
              {
                "name": "ModuleName",
                "value": "dxgi.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 14396
          },
          {
            "timestamp": "2026-05-28 22:01:58,600",
            "thread_id": "8604",
            "caller": "0x7ff6c28b43ca",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc74048000"
              },
              {
                "name": "ModuleName",
                "value": "dxgi.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 14397
          },
          {
            "timestamp": "2026-05-28 22:01:58,600",
            "thread_id": "8604",
            "caller": "0x7ff6c28b43ca",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc74048000"
              },
              {
                "name": "ModuleName",
                "value": "dxgi.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 14398
          },
          {
            "timestamp": "2026-05-28 22:01:58,600",
            "thread_id": "8604",
            "caller": "0x7ff6c28b43ca",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "misc",
            "api": "EnumDisplayDevicesW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "DeviceString",
                "value": "NVIDIA GeForce RTX 3060"
              }
            ],
            "repeated": 0,
            "id": 14399
          },
          {
            "timestamp": "2026-05-28 22:01:58,600",
            "thread_id": "8604",
            "caller": "0x7ff6c28b43ca",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "misc",
            "api": "EnumDisplayDevicesW",
            "status": false,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "DeviceString",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 14400
          },
          {
            "timestamp": "2026-05-28 22:01:58,600",
            "thread_id": "8604",
            "caller": "0x7ff6c28b43ca",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000001",
                "pretty_value": "HKEY_CURRENT_USER"
              },
              {
                "name": "SubKey",
                "value": "Software\\Microsoft\\DirectX\\UserGpuPreferences"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\Software\\Microsoft\\DirectX\\UserGpuPreferences"
              }
            ],
            "repeated": 0,
            "id": 14401
          },
          {
            "timestamp": "2026-05-28 22:01:58,600",
            "thread_id": "8604",
            "caller": "0x7ff6c28b43ca",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc74048000"
              },
              {
                "name": "ModuleName",
                "value": "dxgi.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 14402
          },
          {
            "timestamp": "2026-05-28 22:01:58,600",
            "thread_id": "8604",
            "caller": "0x7ff6c28b43ca",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc74048000"
              },
              {
                "name": "ModuleName",
                "value": "dxgi.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 14403
          },
          {
            "timestamp": "2026-05-28 22:01:58,600",
            "thread_id": "8604",
            "caller": "0x7ff6c28b43ca",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "39"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 14404
          },
          {
            "timestamp": "2026-05-28 22:01:58,600",
            "thread_id": "8604",
            "caller": "0x7ff6c28b43ca",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "39"
              },
              {
                "name": "TokenInformation",
                "value": "\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x90\\x86\\xe8S\\x92\\x02\\x00\\x00 \\x00 \\x00\\x00\\x00\\x00\\x00\\xb8\\x86\\xe8S\\x92\\x02\\x00\\x00\\x02\\x00\\x00\\x00A\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xd8\\x86\\xe8S\\x92\\x02\\x00\\x00T\\x00S\\x00A\\x00:\\x00/\\x00/\\x00P\\x00r\\x00o\\x00c\\x00U\\x00n\\x00i\\x00q\\x00u\\x00e\\x00\\x88\\x00\\x00\\x00\\x00\\x00\\x00\\x00k\\xc4\t\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 14405
          },
          {
            "timestamp": "2026-05-28 22:01:58,600",
            "thread_id": "8604",
            "caller": "0x7ff6c28b43ca",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000001",
                "pretty_value": "HKEY_CURRENT_USER"
              },
              {
                "name": "SubKey",
                "value": "Software\\Microsoft\\DirectX\\UserGpuPreferences"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\Software\\Microsoft\\DirectX\\UserGpuPreferences"
              }
            ],
            "repeated": 0,
            "id": 14406
          },
          {
            "timestamp": "2026-05-28 22:01:58,600",
            "thread_id": "8604",
            "caller": "0x7ff6c28b43fd",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "gdi32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc77ed0000"
              }
            ],
            "repeated": 0,
            "id": 14407
          },
          {
            "timestamp": "2026-05-28 22:01:58,600",
            "thread_id": "8604",
            "caller": "0x7ff6c28b43fd",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "gdi32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc77ed0000"
              }
            ],
            "repeated": 0,
            "id": 14408
          },
          {
            "timestamp": "2026-05-28 22:01:58,600",
            "thread_id": "8604",
            "caller": "0x7ff6c28b43fd",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x7ffc77ed0000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "gdi32.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 14409
          },
          {
            "timestamp": "2026-05-28 22:01:58,600",
            "thread_id": "8604",
            "caller": "0x7ff6c28b43fd",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "GDI32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc77ed0000"
              },
              {
                "name": "FunctionName",
                "value": "D3DKMTOpenAdapterFromGdiDisplayName"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc77ed10b0"
              }
            ],
            "repeated": 0,
            "id": 14410
          },
          {
            "timestamp": "2026-05-28 22:01:58,600",
            "thread_id": "8604",
            "caller": "0x7ff6c28b43fd",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "GDI32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc77ed0000"
              },
              {
                "name": "FunctionName",
                "value": "D3DKMTOpenAdapterFromDeviceName"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc75a55150"
              }
            ],
            "repeated": 0,
            "id": 14411
          },
          {
            "timestamp": "2026-05-28 22:01:58,600",
            "thread_id": "8604",
            "caller": "0x7ff6c28b43fd",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "GDI32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc77ed0000"
              },
              {
                "name": "FunctionName",
                "value": "D3DKMTGetDisplayModeList"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc75a54d50"
              }
            ],
            "repeated": 0,
            "id": 14412
          },
          {
            "timestamp": "2026-05-28 22:01:58,600",
            "thread_id": "8604",
            "caller": "0x7ff6c28b43fd",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "GDI32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc77ed0000"
              },
              {
                "name": "FunctionName",
                "value": "D3DKMTSetVidPnSourceOwner"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc77ed5e40"
              }
            ],
            "repeated": 0,
            "id": 14413
          },
          {
            "timestamp": "2026-05-28 22:01:58,600",
            "thread_id": "8604",
            "caller": "0x7ff6c28b43fd",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "GDI32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc77ed0000"
              },
              {
                "name": "FunctionName",
                "value": "D3DKMTSetDisplayMode"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc75a557d0"
              }
            ],
            "repeated": 0,
            "id": 14414
          },
          {
            "timestamp": "2026-05-28 22:01:58,600",
            "thread_id": "8604",
            "caller": "0x7ff6c28b43fd",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "GDI32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc77ed0000"
              },
              {
                "name": "FunctionName",
                "value": "D3DKMTCloseAdapter"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc75a54730"
              }
            ],
            "repeated": 0,
            "id": 14415
          },
          {
            "timestamp": "2026-05-28 22:01:58,600",
            "thread_id": "8604",
            "caller": "0x7ff6c28b43fd",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "GDI32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc77ed0000"
              },
              {
                "name": "FunctionName",
                "value": "D3DKMTSetGammaRamp"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc75a55830"
              }
            ],
            "repeated": 0,
            "id": 14416
          },
          {
            "timestamp": "2026-05-28 22:01:58,600",
            "thread_id": "8604",
            "caller": "0x7ff6c28b43fd",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "GDI32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc77ed0000"
              },
              {
                "name": "FunctionName",
                "value": "D3DKMTGetDeviceState"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc75a54d30"
              }
            ],
            "repeated": 0,
            "id": 14417
          },
          {
            "timestamp": "2026-05-28 22:01:58,600",
            "thread_id": "8604",
            "caller": "0x7ff6c28b43fd",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "GDI32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc77ed0000"
              },
              {
                "name": "FunctionName",
                "value": "D3DKMTQueryAdapterInfo"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc75a554b0"
              }
            ],
            "repeated": 0,
            "id": 14418
          },
          {
            "timestamp": "2026-05-28 22:01:58,600",
            "thread_id": "8604",
            "caller": "0x7ff6c28b43fd",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "GDI32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc77ed0000"
              },
              {
                "name": "FunctionName",
                "value": "D3DKMTWaitForVerticalBlankEvent"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc75a55cb0"
              }
            ],
            "repeated": 0,
            "id": 14419
          },
          {
            "timestamp": "2026-05-28 22:01:58,600",
            "thread_id": "8604",
            "caller": "0x7ff6c28b43fd",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "GDI32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc77ed0000"
              },
              {
                "name": "FunctionName",
                "value": "D3DKMTSetVidPnSourceOwner1"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc77ed5600"
              }
            ],
            "repeated": 0,
            "id": 14420
          },
          {
            "timestamp": "2026-05-28 22:01:58,600",
            "thread_id": "8604",
            "caller": "0x7ff6c28b43fd",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "GDI32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc77ed0000"
              },
              {
                "name": "FunctionName",
                "value": "D3DKMTCreateDCFromMemory"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc75a547f0"
              }
            ],
            "repeated": 0,
            "id": 14421
          },
          {
            "timestamp": "2026-05-28 22:01:58,600",
            "thread_id": "8604",
            "caller": "0x7ff6c28b43fd",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "GDI32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc77ed0000"
              },
              {
                "name": "FunctionName",
                "value": "D3DKMTDestroyDCFromMemory"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc75a549f0"
              }
            ],
            "repeated": 0,
            "id": 14422
          },
          {
            "timestamp": "2026-05-28 22:01:58,600",
            "thread_id": "8604",
            "caller": "0x7ff6c28b43fd",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "GDI32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc77ed0000"
              },
              {
                "name": "FunctionName",
                "value": "D3DKMTCheckVidPnExclusiveOwnership"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc75a54710"
              }
            ],
            "repeated": 0,
            "id": 14423
          },
          {
            "timestamp": "2026-05-28 22:01:58,600",
            "thread_id": "8604",
            "caller": "0x7ff6c28b43fd",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "GDI32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc77ed0000"
              },
              {
                "name": "FunctionName",
                "value": "D3DKMTCheckMonitorPowerState"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc75a54650"
              }
            ],
            "repeated": 0,
            "id": 14424
          },
          {
            "timestamp": "2026-05-28 22:01:58,600",
            "thread_id": "8604",
            "caller": "0x7ff6c28b43fd",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "GDI32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc77ed0000"
              },
              {
                "name": "FunctionName",
                "value": "D3DKMTCheckSharedResourceAccess"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc75a546f0"
              }
            ],
            "repeated": 0,
            "id": 14425
          },
          {
            "timestamp": "2026-05-28 22:01:58,600",
            "thread_id": "8604",
            "caller": "0x7ff6c28b43fd",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "GDI32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc77ed0000"
              },
              {
                "name": "FunctionName",
                "value": "D3DKMTCreateOutputDupl"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc75a548b0"
              }
            ],
            "repeated": 0,
            "id": 14426
          },
          {
            "timestamp": "2026-05-28 22:01:58,600",
            "thread_id": "8604",
            "caller": "0x7ff6c28b43fd",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "GDI32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc77ed0000"
              },
              {
                "name": "FunctionName",
                "value": "D3DKMTDestroyOutputDupl"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc75a54a90"
              }
            ],
            "repeated": 0,
            "id": 14427
          },
          {
            "timestamp": "2026-05-28 22:01:58,600",
            "thread_id": "8604",
            "caller": "0x7ff6c28b43fd",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "GDI32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc77ed0000"
              },
              {
                "name": "FunctionName",
                "value": "D3DKMTOutputDuplGetFrameInfo"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc75a55350"
              }
            ],
            "repeated": 0,
            "id": 14428
          },
          {
            "timestamp": "2026-05-28 22:01:58,600",
            "thread_id": "8604",
            "caller": "0x7ff6c28b43fd",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "GDI32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc77ed0000"
              },
              {
                "name": "FunctionName",
                "value": "D3DKMTOutputDuplGetMetaData"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc75a55370"
              }
            ],
            "repeated": 0,
            "id": 14429
          },
          {
            "timestamp": "2026-05-28 22:01:58,600",
            "thread_id": "8604",
            "caller": "0x7ff6c28b43fd",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "GDI32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc77ed0000"
              },
              {
                "name": "FunctionName",
                "value": "D3DKMTOutputDuplGetPointerShapeData"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc75a55390"
              }
            ],
            "repeated": 0,
            "id": 14430
          },
          {
            "timestamp": "2026-05-28 22:01:58,600",
            "thread_id": "8604",
            "caller": "0x7ff6c28b43fd",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "GDI32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc77ed0000"
              },
              {
                "name": "FunctionName",
                "value": "D3DKMTOutputDuplReleaseFrame"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc75a553d0"
              }
            ],
            "repeated": 0,
            "id": 14431
          },
          {
            "timestamp": "2026-05-28 22:01:58,600",
            "thread_id": "8604",
            "caller": "0x7ff6c28b43fd",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "GDI32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc77ed0000"
              },
              {
                "name": "FunctionName",
                "value": "D3DKMTWaitForVerticalBlankEvent2"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc75a55cd0"
              }
            ],
            "repeated": 0,
            "id": 14432
          },
          {
            "timestamp": "2026-05-28 22:01:58,600",
            "thread_id": "8604",
            "caller": "0x7ff6c28b43fd",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "GDI32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc77ed0000"
              },
              {
                "name": "FunctionName",
                "value": "D3DKMTGetDWMVerticalBlankEvent"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc75a54d10"
              }
            ],
            "repeated": 0,
            "id": 14433
          },
          {
            "timestamp": "2026-05-28 22:01:58,600",
            "thread_id": "8604",
            "caller": "0x7ff6c28b43fd",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "GDI32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc77ed0000"
              },
              {
                "name": "FunctionName",
                "value": "D3DKMTSetSyncRefreshCountWaitTarget"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc75a55970"
              }
            ],
            "repeated": 0,
            "id": 14434
          },
          {
            "timestamp": "2026-05-28 22:01:58,600",
            "thread_id": "8604",
            "caller": "0x7ff6c28b43fd",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "GDI32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc77ed0000"
              },
              {
                "name": "FunctionName",
                "value": "D3DKMTQueryVideoMemoryInfo"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc75a55630"
              }
            ],
            "repeated": 0,
            "id": 14435
          },
          {
            "timestamp": "2026-05-28 22:01:58,600",
            "thread_id": "8604",
            "caller": "0x7ff6c28b43fd",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "GDI32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc77ed0000"
              },
              {
                "name": "FunctionName",
                "value": "D3DKMTChangeVideoMemoryReservation"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc75a54610"
              }
            ],
            "repeated": 0,
            "id": 14436
          },
          {
            "timestamp": "2026-05-28 22:01:58,600",
            "thread_id": "8604",
            "caller": "0x7ff6c28b4425",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": false,
            "return": "0xffffffffc0000135",
            "pretty_return": "DLL_NOT_FOUND",
            "arguments": [
              {
                "name": "FileName",
                "value": "DXCaptureReplay.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 14437
          },
          {
            "timestamp": "2026-05-28 22:01:58,600",
            "thread_id": "8604",
            "caller": "0x7ff6c28b4425",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\system32\\D3D12Core"
              },
              {
                "name": "DllBase",
                "value": "0x7ffc5eef0000"
              }
            ],
            "repeated": 0,
            "id": 14438
          },
          {
            "timestamp": "2026-05-28 22:01:58,600",
            "thread_id": "8604",
            "caller": "0x7ff6c28b4425",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\D3D12Core.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc5eef0000"
              }
            ],
            "repeated": 0,
            "id": 14439
          },
          {
            "timestamp": "2026-05-28 22:01:58,600",
            "thread_id": "8604",
            "caller": "0x7ff6c28b4425",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x7ffc5eef0000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\system32\\D3D12Core.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 14440
          },
          {
            "timestamp": "2026-05-28 22:01:58,600",
            "thread_id": "8604",
            "caller": "0x7ff6c28b4425",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "D3D12Core.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc5eef0000"
              },
              {
                "name": "FunctionName",
                "value": "D3D12GetInterface"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc5ef045a0"
              }
            ],
            "repeated": 0,
            "id": 14441
          },
          {
            "timestamp": "2026-05-28 22:01:58,600",
            "thread_id": "8604",
            "caller": "0x7ff6c28b4425",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000a30"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\Taskmgr.exe"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000080",
                "pretty_value": "FILE_ATTRIBUTE_NORMAL"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 14442
          },
          {
            "timestamp": "2026-05-28 22:01:58,600",
            "thread_id": "8604",
            "caller": "0x7ff6c28b4425",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000a30"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\System32\\Taskmgr.exe"
              },
              {
                "name": "FileInformationClass",
                "value": "5",
                "pretty_value": "FileStandardInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\x00\\x90\\x12\\x00\\x00\\x00\\x00\\x00\\xb8\\x87\\x12\\x00\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 14443
          },
          {
            "timestamp": "2026-05-28 22:01:58,600",
            "thread_id": "8604",
            "caller": "0x7ff6c28b4425",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a30"
              }
            ],
            "repeated": 0,
            "id": 14444
          },
          {
            "timestamp": "2026-05-28 22:01:58,600",
            "thread_id": "8604",
            "caller": "0x7ff6c28b4425",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "registry",
            "api": "RegOpenKeyExA",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000001",
                "pretty_value": "HKEY_CURRENT_USER"
              },
              {
                "name": "SubKey",
                "value": "Software\\Microsoft\\Direct3D\\Direct3D12"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\Software\\Microsoft\\Direct3D\\Direct3D12"
              }
            ],
            "repeated": 0,
            "id": 14445
          },
          {
            "timestamp": "2026-05-28 22:01:58,600",
            "thread_id": "8604",
            "caller": "0x7ff6c28b4425",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "registry",
            "api": "RegOpenKeyExA",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "Software\\Microsoft\\Direct3D\\Direct3D12"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Direct3D\\Direct3D12"
              }
            ],
            "repeated": 0,
            "id": 14446
          },
          {
            "timestamp": "2026-05-28 22:01:58,600",
            "thread_id": "8604",
            "caller": "0x7ff6c28b4425",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc5f0a4000"
              },
              {
                "name": "ModuleName",
                "value": "D3D12Core.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 14447
          },
          {
            "timestamp": "2026-05-28 22:01:58,600",
            "thread_id": "8604",
            "caller": "0x7ff6c28b4425",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc5f0a4000"
              },
              {
                "name": "ModuleName",
                "value": "D3D12Core.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 14448
          },
          {
            "timestamp": "2026-05-28 22:01:58,600",
            "thread_id": "8604",
            "caller": "0x7ff6c28b4425",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc5f0a4000"
              },
              {
                "name": "ModuleName",
                "value": "D3D12Core.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 14449
          },
          {
            "timestamp": "2026-05-28 22:01:58,600",
            "thread_id": "8604",
            "caller": "0x7ff6c28b4425",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc5f0a4000"
              },
              {
                "name": "ModuleName",
                "value": "D3D12Core.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 14450
          },
          {
            "timestamp": "2026-05-28 22:01:58,600",
            "thread_id": "8604",
            "caller": "0x7ff6c28b4425",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc5f0a4000"
              },
              {
                "name": "ModuleName",
                "value": "D3D12Core.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 14451
          },
          {
            "timestamp": "2026-05-28 22:01:58,600",
            "thread_id": "8604",
            "caller": "0x7ff6c28b4425",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc5f0a4000"
              },
              {
                "name": "ModuleName",
                "value": "D3D12Core.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 14452
          },
          {
            "timestamp": "2026-05-28 22:01:58,600",
            "thread_id": "8604",
            "caller": "0x7ff6c28b4425",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": false,
            "return": "0xffffffffc0000135",
            "pretty_return": "DLL_NOT_FOUND",
            "arguments": [
              {
                "name": "FileName",
                "value": "DXCaptureReplay.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 14453
          },
          {
            "timestamp": "2026-05-28 22:01:58,600",
            "thread_id": "8604",
            "caller": "0x7ff6c28b4425",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a30"
              }
            ],
            "repeated": 0,
            "id": 14454
          },
          {
            "timestamp": "2026-05-28 22:01:58,600",
            "thread_id": "8604",
            "caller": "0x7ff6c28b4425",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a34"
              }
            ],
            "repeated": 0,
            "id": 14455
          },
          {
            "timestamp": "2026-05-28 22:01:58,600",
            "thread_id": "8604",
            "caller": "0x7ff6c28b4425",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "gdi32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc77ed0000"
              }
            ],
            "repeated": 0,
            "id": 14456
          },
          {
            "timestamp": "2026-05-28 22:01:58,600",
            "thread_id": "8604",
            "caller": "0x7ff6c28b4425",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x7ffc77ed0000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "gdi32.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 14457
          },
          {
            "timestamp": "2026-05-28 22:01:58,600",
            "thread_id": "8604",
            "caller": "0x7ff6c28b4425",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "GDI32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc77ed0000"
              },
              {
                "name": "FunctionName",
                "value": "D3DKMTCloseAdapter"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc75a54730"
              }
            ],
            "repeated": 0,
            "id": 14458
          },
          {
            "timestamp": "2026-05-28 22:01:58,600",
            "thread_id": "8604",
            "caller": "0x7ff6c28b4425",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "GDI32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc77ed0000"
              },
              {
                "name": "FunctionName",
                "value": "D3DKMTEnumAdapters2"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc75a54bb0"
              }
            ],
            "repeated": 0,
            "id": 14459
          },
          {
            "timestamp": "2026-05-28 22:01:58,600",
            "thread_id": "8604",
            "caller": "0x7ff6c28b4425",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "GDI32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc77ed0000"
              },
              {
                "name": "FunctionName",
                "value": "D3DKMTQueryAdapterInfo"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc75a554b0"
              }
            ],
            "repeated": 0,
            "id": 14460
          },
          {
            "timestamp": "2026-05-28 22:01:58,600",
            "thread_id": "8604",
            "caller": "0x7ff6c28b4425",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "GDI32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc77ed0000"
              },
              {
                "name": "FunctionName",
                "value": "D3DKMTQueryVideoMemoryInfo"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc75a55630"
              }
            ],
            "repeated": 0,
            "id": 14461
          },
          {
            "timestamp": "2026-05-28 22:01:58,600",
            "thread_id": "8604",
            "caller": "0x7ff6c28b4425",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc5f0a4000"
              },
              {
                "name": "ModuleName",
                "value": "D3D12Core.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 14462
          },
          {
            "timestamp": "2026-05-28 22:01:58,600",
            "thread_id": "8604",
            "caller": "0x7ff6c28b4425",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc5f0a4000"
              },
              {
                "name": "ModuleName",
                "value": "D3D12Core.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 14463
          },
          {
            "timestamp": "2026-05-28 22:01:58,600",
            "thread_id": "8604",
            "caller": "0x7ff6c28b4425",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "gdi32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc77ed0000"
              }
            ],
            "repeated": 0,
            "id": 14464
          },
          {
            "timestamp": "2026-05-28 22:01:58,600",
            "thread_id": "8604",
            "caller": "0x7ff6c28b4425",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x7ffc77ed0000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "gdi32.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 14465
          },
          {
            "timestamp": "2026-05-28 22:01:58,600",
            "thread_id": "8604",
            "caller": "0x7ff6c28b4425",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "GDI32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc77ed0000"
              },
              {
                "name": "FunctionName",
                "value": "D3DKMTCloseAdapter"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc75a54730"
              }
            ],
            "repeated": 0,
            "id": 14466
          },
          {
            "timestamp": "2026-05-28 22:01:58,600",
            "thread_id": "8604",
            "caller": "0x7ff6c28b4425",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc5f0a4000"
              },
              {
                "name": "ModuleName",
                "value": "D3D12Core.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 14467
          },
          {
            "timestamp": "2026-05-28 22:01:58,600",
            "thread_id": "8604",
            "caller": "0x7ff6c28b4425",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc5f0a4000"
              },
              {
                "name": "ModuleName",
                "value": "D3D12Core.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 14468
          },
          {
            "timestamp": "2026-05-28 22:01:58,600",
            "thread_id": "8604",
            "caller": "0x7ff6c28b4425",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\system32\\d3d10warp"
              },
              {
                "name": "DllBase",
                "value": "0x7ffc6e3b0000"
              }
            ],
            "repeated": 0,
            "id": 14469
          },
          {
            "timestamp": "2026-05-28 22:01:58,600",
            "thread_id": "8604",
            "caller": "0x7ff6c28b4425",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "d3d10warp.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc6e3b0000"
              }
            ],
            "repeated": 0,
            "id": 14470
          },
          {
            "timestamp": "2026-05-28 22:01:58,600",
            "thread_id": "8604",
            "caller": "0x7ff6c28b4425",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x7ffc6e3b0000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "d3d10warp.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 14471
          },
          {
            "timestamp": "2026-05-28 22:01:58,600",
            "thread_id": "8604",
            "caller": "0x7ff6c28b4425",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "d3d10warp.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc6e3b0000"
              },
              {
                "name": "FunctionName",
                "value": "OpenAdapter12"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc6e3fd2e0"
              }
            ],
            "repeated": 0,
            "id": 14472
          },
          {
            "timestamp": "2026-05-28 22:01:58,600",
            "thread_id": "8604",
            "caller": "0x7ff6c28b4425",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "misc",
            "api": "GetSystemInfo",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 1,
            "id": 14473
          },
          {
            "timestamp": "2026-05-28 22:01:58,600",
            "thread_id": "8604",
            "caller": "0x7ff6c28b4425",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "misc",
            "api": "NtQuerySystemInformation",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SystemInformationClass",
                "value": "164"
              }
            ],
            "repeated": 0,
            "id": 14474
          },
          {
            "timestamp": "2026-05-28 22:01:58,600",
            "thread_id": "8604",
            "caller": "0x7ff6c28b4425",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000a38"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020119",
                "pretty_value": "KEY_QUERY_VALUE|KEY_ENUMERATE_SUB_KEYS|KEY_NOTIFY|KEY_WOW64_64KEY|READ_CONTROL"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\SOFTWARE\\Policies\\Microsoft\\Windows\\Appx"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Appx"
              }
            ],
            "repeated": 0,
            "id": 14475
          },
          {
            "timestamp": "2026-05-28 22:01:58,600",
            "thread_id": "8604",
            "caller": "0x7ff6c28b4425",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a38"
              }
            ],
            "repeated": 0,
            "id": 14476
          },
          {
            "timestamp": "2026-05-28 22:01:58,600",
            "thread_id": "8604",
            "caller": "0x7ff6c28b4425",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000a38"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020119",
                "pretty_value": "KEY_QUERY_VALUE|KEY_ENUMERATE_SUB_KEYS|KEY_NOTIFY|KEY_WOW64_64KEY|READ_CONTROL"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModelUnlock"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModelUnlock"
              }
            ],
            "repeated": 0,
            "id": 14477
          },
          {
            "timestamp": "2026-05-28 22:01:58,600",
            "thread_id": "8604",
            "caller": "0x7ff6c28b4425",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a38"
              }
            ],
            "repeated": 0,
            "id": 14478
          },
          {
            "timestamp": "2026-05-28 22:01:58,600",
            "thread_id": "8604",
            "caller": "0x7ff6c28b4425",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "misc",
            "api": "NtQuerySystemInformation",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SystemInformationClass",
                "value": "0",
                "pretty_value": "SystemBasicInformation"
              }
            ],
            "repeated": 0,
            "id": 14479
          },
          {
            "timestamp": "2026-05-28 22:01:58,600",
            "thread_id": "8604",
            "caller": "0x7ff6c28b4425",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "misc",
            "api": "NtQuerySystemInformation",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SystemInformationClass",
                "value": "1",
                "pretty_value": "SystemProcessorInformation"
              }
            ],
            "repeated": 0,
            "id": 14480
          },
          {
            "timestamp": "2026-05-28 22:01:58,600",
            "thread_id": "8604",
            "caller": "0x7ff6c28b4425",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29255720000"
              },
              {
                "name": "RegionSize",
                "value": "0x00803000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 14481
          },
          {
            "timestamp": "2026-05-28 22:01:58,600",
            "thread_id": "8604",
            "caller": "0x7ff6c28b4425",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29255720000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 14482
          },
          {
            "timestamp": "2026-05-28 22:01:58,600",
            "thread_id": "8604",
            "caller": "0x7ff6c28b4425",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29255f22000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 14483
          },
          {
            "timestamp": "2026-05-28 22:01:58,600",
            "thread_id": "8604",
            "caller": "0x7ff6c28b4425",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "SOFTWARE\\Microsoft\\Cryptography"
              },
              {
                "name": "Handle",
                "value": "0x00000a38"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography"
              }
            ],
            "repeated": 0,
            "id": 14484
          },
          {
            "timestamp": "2026-05-28 22:01:58,600",
            "thread_id": "8604",
            "caller": "0x7ff6c28b4425",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a38"
              },
              {
                "name": "ValueName",
                "value": "MachineGuid"
              },
              {
                "name": "Data",
                "value": "f236088c-d77a-4da3-9aa2-7c7045457595"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\MachineGuid"
              }
            ],
            "repeated": 0,
            "id": 14485
          },
          {
            "timestamp": "2026-05-28 22:01:58,600",
            "thread_id": "8604",
            "caller": "0x7ff6c28b4425",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a38"
              }
            ],
            "repeated": 0,
            "id": 14486
          },
          {
            "timestamp": "2026-05-28 22:01:58,600",
            "thread_id": "8604",
            "caller": "0x7ff6c28b4425",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x7ffc6e3b0000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\system32\\d3d10warp.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 1,
            "id": 14487
          },
          {
            "timestamp": "2026-05-28 22:01:58,600",
            "thread_id": "8604",
            "caller": "0x7ff6c28b4425",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "0",
                "pretty_value": "ThreadBasicInformation"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x03\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb0\\x88\\x9d\\xf0\\x00\\x00\\x00\\xe8\\x1e\\x00\\x00\\x00\\x00\\x00\\x00\\x9c!\\x00\\x00\\x00\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x0c\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "8604"
              }
            ],
            "repeated": 0,
            "id": 14488
          },
          {
            "timestamp": "2026-05-28 22:01:58,600",
            "thread_id": "8604",
            "caller": "0x7ff6c28b4425",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "misc",
            "api": "GetSystemInfo",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 14489
          },
          {
            "timestamp": "2026-05-28 22:01:58,600",
            "thread_id": "8604",
            "caller": "0x7ff6c28b4425",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc6ea9e000"
              },
              {
                "name": "ModuleName",
                "value": "d3d10warp.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 14490
          },
          {
            "timestamp": "2026-05-28 22:01:58,600",
            "thread_id": "8604",
            "caller": "0x7ff6c28b4425",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc6ea9e000"
              },
              {
                "name": "ModuleName",
                "value": "d3d10warp.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 14491
          },
          {
            "timestamp": "2026-05-28 22:01:58,600",
            "thread_id": "8604",
            "caller": "0x7ff6c28b4425",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "misc",
            "api": "GetSystemMetrics",
            "status": false,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SystemMetricIndex",
                "value": "4096"
              }
            ],
            "repeated": 0,
            "id": 14492
          },
          {
            "timestamp": "2026-05-28 22:01:58,600",
            "thread_id": "8604",
            "caller": "0x7ff6c28b4425",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "misc",
            "api": "NtQuerySystemInformation",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SystemInformationClass",
                "value": "55"
              }
            ],
            "repeated": 0,
            "id": 14493
          },
          {
            "timestamp": "2026-05-28 22:01:58,600",
            "thread_id": "8604",
            "caller": "0x7ff6c28b4425",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254a33000"
              },
              {
                "name": "RegionSize",
                "value": "0x00029000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 14494
          },
          {
            "timestamp": "2026-05-28 22:01:58,600",
            "thread_id": "8604",
            "caller": "0x7ff6c28b4425",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "0",
                "pretty_value": "ThreadBasicInformation"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x03\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb0\\x88\\x9d\\xf0\\x00\\x00\\x00\\xe8\\x1e\\x00\\x00\\x00\\x00\\x00\\x00\\x9c!\\x00\\x00\\x00\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x0c\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "8604"
              }
            ],
            "repeated": 0,
            "id": 14495
          },
          {
            "timestamp": "2026-05-28 22:01:58,615",
            "thread_id": "8604",
            "caller": "0x7ff6c28b4425",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29257f70000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 14496
          },
          {
            "timestamp": "2026-05-28 22:01:58,615",
            "thread_id": "8604",
            "caller": "0x7ff6c28b4425",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc5f0a5000"
              },
              {
                "name": "ModuleName",
                "value": "D3D12Core.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 14497
          },
          {
            "timestamp": "2026-05-28 22:01:58,615",
            "thread_id": "8604",
            "caller": "0x7ff6c28b4425",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc5f0a5000"
              },
              {
                "name": "ModuleName",
                "value": "D3D12Core.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 14498
          },
          {
            "timestamp": "2026-05-28 22:01:58,615",
            "thread_id": "8604",
            "caller": "0x7ff6c28b4425",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29257f70000"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 14499
          },
          {
            "timestamp": "2026-05-28 22:01:58,615",
            "thread_id": "8604",
            "caller": "0x7ff6c28b4425",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29257f70000"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 14500
          },
          {
            "timestamp": "2026-05-28 22:01:58,615",
            "thread_id": "8604",
            "caller": "0x7ff6c28b4425",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29257f70000"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 14501
          },
          {
            "timestamp": "2026-05-28 22:01:58,615",
            "thread_id": "8604",
            "caller": "0x7ff6c28b4425",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29257f70000"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 14502
          },
          {
            "timestamp": "2026-05-28 22:01:58,615",
            "thread_id": "8604",
            "caller": "0x7ff6c28b4425",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29257f70000"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 14503
          },
          {
            "timestamp": "2026-05-28 22:01:58,615",
            "thread_id": "8604",
            "caller": "0x7ff6c28b4425",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "d3d10warp.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc6e3b0000"
              },
              {
                "name": "FunctionName",
                "value": ""
              },
              {
                "name": "Ordinal",
                "value": "199"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc6e3fdaa0"
              }
            ],
            "repeated": 0,
            "id": 14504
          },
          {
            "timestamp": "2026-05-28 22:01:58,615",
            "thread_id": "8604",
            "caller": "0x7ff6c28b4425",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000a80"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\d3d10warp.dll"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "1",
                "pretty_value": "FILE_SHARE_READ"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000080",
                "pretty_value": "FILE_ATTRIBUTE_NORMAL"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 14505
          },
          {
            "timestamp": "2026-05-28 22:01:58,615",
            "thread_id": "8604",
            "caller": "0x7ff6c28b4425",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000a80"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\System32\\d3d10warp.dll"
              },
              {
                "name": "FileInformationClass",
                "value": "4",
                "pretty_value": "FileBasicInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\xf3.\\xe5d\\&\\xda\\x01f\\xce\\xcb\\x9a\\xed\\xee\\xdc\\x01?B\\xf8d\\&\\xda\\x01E\\xd0\\x1a\\xf6\\x01\\xef\\xdc\\x01 \\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 14506
          },
          {
            "timestamp": "2026-05-28 22:01:58,615",
            "thread_id": "8604",
            "caller": "0x7ff6c28b4425",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a80"
              }
            ],
            "repeated": 0,
            "id": 14507
          },
          {
            "timestamp": "2026-05-28 22:01:58,615",
            "thread_id": "8604",
            "caller": "0x7ff6c28b4425",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\system32\\dxilconv"
              },
              {
                "name": "DllBase",
                "value": "0x7ffc5f430000"
              }
            ],
            "repeated": 0,
            "id": 14508
          },
          {
            "timestamp": "2026-05-28 22:01:58,615",
            "thread_id": "8604",
            "caller": "0x7ff6c28b4425",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "dxilconv.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc5f430000"
              }
            ],
            "repeated": 0,
            "id": 14509
          },
          {
            "timestamp": "2026-05-28 22:01:58,615",
            "thread_id": "8604",
            "caller": "0x7ff6c28b4425",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x7ffc5f430000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "dxilconv.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 14510
          },
          {
            "timestamp": "2026-05-28 22:01:58,615",
            "thread_id": "8604",
            "caller": "0x7ff6c28b4425",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000a8c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\dxilconv.dll"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "1",
                "pretty_value": "FILE_SHARE_READ"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000080",
                "pretty_value": "FILE_ATTRIBUTE_NORMAL"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 14511
          },
          {
            "timestamp": "2026-05-28 22:01:58,615",
            "thread_id": "8604",
            "caller": "0x7ff6c28b4425",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000a8c"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\System32\\dxilconv.dll"
              },
              {
                "name": "FileInformationClass",
                "value": "4",
                "pretty_value": "FileBasicInformation"
              },
              {
                "name": "FileInformation",
                "value": "m\\xccF\\xe1\\xdd\\xac\\xd5\\x01~0\\xce\\x9a\\xed\\xee\\xdc\\x01m\\xccF\\xe1\\xdd\\xac\\xd5\\x01Yu\\x1d\\xf6\\x01\\xef\\xdc\\x01 \\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 14512
          },
          {
            "timestamp": "2026-05-28 22:01:58,615",
            "thread_id": "8604",
            "caller": "0x7ff6c28b4425",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a8c"
              }
            ],
            "repeated": 0,
            "id": 14513
          },
          {
            "timestamp": "2026-05-28 22:01:58,615",
            "thread_id": "8604",
            "caller": "0x7ff6c28b4425",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "93"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x7f7\\x9e}"
              }
            ],
            "repeated": 0,
            "id": 14514
          },
          {
            "timestamp": "2026-05-28 22:01:58,615",
            "thread_id": "8604",
            "caller": "0x7ff6c28b4425",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "process",
            "api": "NtOpenSection",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0000000d"
              },
              {
                "name": "ObjectAttributes",
                "value": "D3DSCache.dll"
              }
            ],
            "repeated": 0,
            "id": 14515
          },
          {
            "timestamp": "2026-05-28 22:01:58,615",
            "thread_id": "8604",
            "caller": "0x7ff6c28b4425",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\D3DSCache.dll"
              }
            ],
            "repeated": 0,
            "id": 14516
          },
          {
            "timestamp": "2026-05-28 22:01:58,615",
            "thread_id": "8604",
            "caller": "0x7ff6c28b4425",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000a8c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100021",
                "pretty_value": "FILE_READ_ACCESS|FILE_EXECUTE|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\D3DSCache.dll"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 14517
          },
          {
            "timestamp": "2026-05-28 22:01:58,615",
            "thread_id": "8604",
            "caller": "0x7ff6c28b4425",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000a90"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0000000d",
                "pretty_value": "SECTION_QUERY|SECTION_MAP_READ|SECTION_MAP_EXECUTE"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000a8c"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\D3DSCache.dll"
              }
            ],
            "repeated": 0,
            "id": 14518
          },
          {
            "timestamp": "2026-05-28 22:01:58,615",
            "thread_id": "8604",
            "caller": "0x7ff6c28b4425",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000a90"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc6a9e0000"
              },
              {
                "name": "SectionOffset",
                "value": "0x00000000"
              },
              {
                "name": "ViewSize",
                "value": "0x0002a000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000080",
                "pretty_value": "PAGE_EXECUTE_WRITECOPY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 14519
          },
          {
            "timestamp": "2026-05-28 22:01:58,615",
            "thread_id": "8604",
            "caller": "0x7ff6c28b4425",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc6aa02000"
              },
              {
                "name": "ModuleName",
                "value": "D3DSCache.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 14520
          },
          {
            "timestamp": "2026-05-28 22:01:58,615",
            "thread_id": "8604",
            "caller": "0x7ff6c28b4425",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc6a9f8000"
              },
              {
                "name": "ModuleName",
                "value": "D3DSCache.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 14521
          },
          {
            "timestamp": "2026-05-28 22:01:58,615",
            "thread_id": "8604",
            "caller": "0x7ff6c28b4425",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc6a9f8000"
              },
              {
                "name": "ModuleName",
                "value": "D3DSCache.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 14522
          },
          {
            "timestamp": "2026-05-28 22:01:58,615",
            "thread_id": "8604",
            "caller": "0x7ff6c28b4425",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc6a9f8000"
              },
              {
                "name": "ModuleName",
                "value": "D3DSCache.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 14523
          },
          {
            "timestamp": "2026-05-28 22:01:58,615",
            "thread_id": "8604",
            "caller": "0x7ff6c28b4425",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc6a9f8000"
              },
              {
                "name": "ModuleName",
                "value": "D3DSCache.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 14524
          },
          {
            "timestamp": "2026-05-28 22:01:58,615",
            "thread_id": "8604",
            "caller": "0x7ff6c28b4425",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc6a9f8000"
              },
              {
                "name": "ModuleName",
                "value": "D3DSCache.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 14525
          },
          {
            "timestamp": "2026-05-28 22:01:58,615",
            "thread_id": "8604",
            "caller": "0x7ff6c28b4425",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a90"
              }
            ],
            "repeated": 0,
            "id": 14526
          },
          {
            "timestamp": "2026-05-28 22:01:58,615",
            "thread_id": "8604",
            "caller": "0x7ff6c28b4425",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a8c"
              }
            ],
            "repeated": 0,
            "id": 14527
          },
          {
            "timestamp": "2026-05-28 22:01:58,615",
            "thread_id": "8604",
            "caller": "0x7ff6c28b4425",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc6a9f8000"
              },
              {
                "name": "ModuleName",
                "value": "D3DSCache.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 14528
          },
          {
            "timestamp": "2026-05-28 22:01:58,615",
            "thread_id": "8604",
            "caller": "0x7ff6c28b4425",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\system32\\D3DSCache"
              },
              {
                "name": "DllBase",
                "value": "0x7ffc6a9e0000"
              }
            ],
            "repeated": 0,
            "id": 14529
          },
          {
            "timestamp": "2026-05-28 22:01:58,615",
            "thread_id": "8604",
            "caller": "0x7ff6c28b4425",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "system",
            "api": "LdrpCallInitRoutine",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "MappedPath",
                "value": "\\Device\\HarddiskVolume2\\Windows\\System32\\D3DSCache"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc6a9e0000"
              },
              {
                "name": "InitRoutine",
                "value": "0x7ffc6a9f60e0"
              },
              {
                "name": "Reason",
                "value": "1"
              }
            ],
            "repeated": 0,
            "id": 14530
          },
          {
            "timestamp": "2026-05-28 22:01:58,615",
            "thread_id": "8604",
            "caller": "0x7ff6c28b4425",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc5f0a4000"
              },
              {
                "name": "ModuleName",
                "value": "D3D12Core.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 14531
          },
          {
            "timestamp": "2026-05-28 22:01:58,615",
            "thread_id": "8604",
            "caller": "0x7ff6c28b4425",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc5f0a4000"
              },
              {
                "name": "ModuleName",
                "value": "D3D12Core.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 14532
          },
          {
            "timestamp": "2026-05-28 22:01:58,615",
            "thread_id": "8604",
            "caller": "0x7ff6c28b4425",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x00000a90"
              }
            ],
            "repeated": 0,
            "id": 14533
          },
          {
            "timestamp": "2026-05-28 22:01:58,615",
            "thread_id": "8604",
            "caller": "0x7ff6c28b4425",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "31"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00$J\\x14x\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xfdw\\xfc\\x7f\\x00\\x00,v\\x11x\\xfc\\x7f\\x00\\x00@\\xaaO\\x9e\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00@\\x10\\x00x\\xfc\\x7f\\x00\\x00\\x00\\x00\\xfdw\\xfc\\x7f\\x00\\x00\\xb1&\\x02x"
              }
            ],
            "repeated": 0,
            "id": 14534
          },
          {
            "timestamp": "2026-05-28 22:01:58,615",
            "thread_id": "8604",
            "caller": "0x7ff6c28b4425",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a90"
              }
            ],
            "repeated": 0,
            "id": 14535
          },
          {
            "timestamp": "2026-05-28 22:01:58,615",
            "thread_id": "8604",
            "caller": "0x7ff6c28b4425",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc6aa02000"
              },
              {
                "name": "ModuleName",
                "value": "D3DSCache.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 14536
          },
          {
            "timestamp": "2026-05-28 22:01:58,615",
            "thread_id": "8604",
            "caller": "0x7ff6c28b4425",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc6aa02000"
              },
              {
                "name": "ModuleName",
                "value": "D3DSCache.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 14537
          },
          {
            "timestamp": "2026-05-28 22:01:58,615",
            "thread_id": "8604",
            "caller": "0x7ff6c28b4425",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 14538
          },
          {
            "timestamp": "2026-05-28 22:01:58,615",
            "thread_id": "8604",
            "caller": "0x7ff6c28b4425",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "filesystem",
            "api": "CreateDirectoryW",
            "status": false,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "DirectoryName",
                "value": "C:\\Users\\admin\\AppData\\Local\\D3DSCache"
              }
            ],
            "repeated": 0,
            "id": 14539
          },
          {
            "timestamp": "2026-05-28 22:01:58,615",
            "thread_id": "8604",
            "caller": "0x7ff6c28b4425",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000a90"
              },
              {
                "name": "DesiredAccess",
                "value": "0x10100080",
                "pretty_value": "GENERIC_ALL|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Users\\admin\\AppData\\Local\\D3DSCache"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "1",
                "pretty_value": "FILE_SHARE_READ"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 14540
          },
          {
            "timestamp": "2026-05-28 22:01:58,615",
            "thread_id": "8604",
            "caller": "0x7ff6c28b4425",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "filesystem",
            "api": "NtSetInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000a90"
              },
              {
                "name": "HandleName",
                "value": "C:\\Users\\admin\\AppData\\Local\\D3DSCache"
              },
              {
                "name": "FileInformationClass",
                "value": "74"
              },
              {
                "name": "FileInformation",
                "value": "\\x02\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 14541
          },
          {
            "timestamp": "2026-05-28 22:01:58,615",
            "thread_id": "8604",
            "caller": "0x7ff6c28b4425",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a90"
              }
            ],
            "repeated": 0,
            "id": 14542
          },
          {
            "timestamp": "2026-05-28 22:01:58,615",
            "thread_id": "8604",
            "caller": "0x7ff6c28b4425",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "filesystem",
            "api": "CreateDirectoryW",
            "status": false,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "DirectoryName",
                "value": "C:\\Users\\admin\\AppData\\Local\\D3DSCache\\e8010882af4f153f\\"
              }
            ],
            "repeated": 0,
            "id": 14543
          },
          {
            "timestamp": "2026-05-28 22:01:58,615",
            "thread_id": "8604",
            "caller": "0x7ff6c28b4425",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "29"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 14544
          },
          {
            "timestamp": "2026-05-28 22:01:58,615",
            "thread_id": "8604",
            "caller": "0x7ff6c28b4425",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000a90"
              },
              {
                "name": "DesiredAccess",
                "value": "0xc0100080",
                "pretty_value": "GENERIC_READ|GENERIC_WRITE|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Users\\admin\\AppData\\Local\\D3DSCache\\e8010882af4f153f\\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.lock"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "1",
                "pretty_value": "FILE_SHARE_READ"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000100",
                "pretty_value": "FILE_ATTRIBUTE_TEMPORARY"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 14545
          },
          {
            "timestamp": "2026-05-28 22:01:58,615",
            "thread_id": "8604",
            "caller": "0x7ff6c28b4425",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000a90"
              },
              {
                "name": "HandleName",
                "value": "C:\\Users\\admin\\AppData\\Local\\D3DSCache\\e8010882af4f153f\\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.lock"
              },
              {
                "name": "FileInformationClass",
                "value": "28",
                "pretty_value": "FileCompressionInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 14546
          },
          {
            "timestamp": "2026-05-28 22:01:58,615",
            "thread_id": "8604",
            "caller": "0x7ff6c28b4425",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "filesystem",
            "api": "NtReadFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000a90"
              },
              {
                "name": "HandleName",
                "value": "C:\\Users\\admin\\AppData\\Local\\D3DSCache\\e8010882af4f153f\\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.lock"
              },
              {
                "name": "Buffer",
                "value": "EERF"
              },
              {
                "name": "Length",
                "value": "4"
              }
            ],
            "repeated": 0,
            "id": 14547
          },
          {
            "timestamp": "2026-05-28 22:01:58,615",
            "thread_id": "8604",
            "caller": "0x7ff6c28b4425",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "29"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 14548
          },
          {
            "timestamp": "2026-05-28 22:01:58,615",
            "thread_id": "8604",
            "caller": "0x7ff6c28b4425",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000a94"
              },
              {
                "name": "DesiredAccess",
                "value": "0xc0100080",
                "pretty_value": "GENERIC_READ|GENERIC_WRITE|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Users\\admin\\AppData\\Local\\D3DSCache\\e8010882af4f153f\\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.idx"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "1",
                "pretty_value": "FILE_SHARE_READ"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000100",
                "pretty_value": "FILE_ATTRIBUTE_TEMPORARY"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 14549
          },
          {
            "timestamp": "2026-05-28 22:01:58,615",
            "thread_id": "8604",
            "caller": "0x7ff6c28b4425",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000a94"
              },
              {
                "name": "HandleName",
                "value": "C:\\Users\\admin\\AppData\\Local\\D3DSCache\\e8010882af4f153f\\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.idx"
              },
              {
                "name": "FileInformationClass",
                "value": "28",
                "pretty_value": "FileCompressionInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\x10\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 14550
          },
          {
            "timestamp": "2026-05-28 22:01:58,615",
            "thread_id": "8604",
            "caller": "0x7ff6c28b4425",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "filesystem",
            "api": "NtSetInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000a94"
              },
              {
                "name": "HandleName",
                "value": "C:\\Users\\admin\\AppData\\Local\\D3DSCache\\e8010882af4f153f\\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.idx"
              },
              {
                "name": "FileInformationClass",
                "value": "14",
                "pretty_value": "FilePositionInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 14551
          },
          {
            "timestamp": "2026-05-28 22:01:58,615",
            "thread_id": "8604",
            "caller": "0x7ff6c28b4425",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "filesystem",
            "api": "NtReadFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000a94"
              },
              {
                "name": "HandleName",
                "value": "C:\\Users\\admin\\AppData\\Local\\D3DSCache\\e8010882af4f153f\\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.idx"
              },
              {
                "name": "Buffer",
                "value": "\\xe06\\xb6G\\x0f\\xab\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "Length",
                "value": "16"
              }
            ],
            "repeated": 0,
            "id": 14552
          },
          {
            "timestamp": "2026-05-28 22:01:58,615",
            "thread_id": "8604",
            "caller": "0x7ff6c28b4425",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000a94"
              },
              {
                "name": "HandleName",
                "value": "C:\\Users\\admin\\AppData\\Local\\D3DSCache\\e8010882af4f153f\\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.idx"
              },
              {
                "name": "FileInformationClass",
                "value": "5",
                "pretty_value": "FileStandardInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\x00\\x10\\x01\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 14553
          },
          {
            "timestamp": "2026-05-28 22:01:58,615",
            "thread_id": "8604",
            "caller": "0x7ff6c28b4425",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254982000"
              },
              {
                "name": "RegionSize",
                "value": "0x0004c000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 14554
          },
          {
            "timestamp": "2026-05-28 22:01:58,615",
            "thread_id": "8604",
            "caller": "0x7ff6c28b4425",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "filesystem",
            "api": "NtReadFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000a94"
              },
              {
                "name": "HandleName",
                "value": "C:\\Users\\admin\\AppData\\Local\\D3DSCache\\e8010882af4f153f\\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.idx"
              },
              {
                "name": "Buffer",
                "value": "\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x80\\x00\\x00\\x8c\n\\x00\\x00f\\x06\\x00\\x00\\x02\\x00\\x00\\x00\\x0f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "Length",
                "value": "65536"
              }
            ],
            "repeated": 0,
            "id": 14555
          },
          {
            "timestamp": "2026-05-28 22:01:58,615",
            "thread_id": "8604",
            "caller": "0x7ff6c28b4425",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "29"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 14556
          },
          {
            "timestamp": "2026-05-28 22:01:58,615",
            "thread_id": "8604",
            "caller": "0x7ff6c28b4425",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000a98"
              },
              {
                "name": "DesiredAccess",
                "value": "0xc0100080",
                "pretty_value": "GENERIC_READ|GENERIC_WRITE|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Users\\admin\\AppData\\Local\\D3DSCache\\e8010882af4f153f\\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.val"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "1",
                "pretty_value": "FILE_SHARE_READ"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000100",
                "pretty_value": "FILE_ATTRIBUTE_TEMPORARY"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 14557
          },
          {
            "timestamp": "2026-05-28 22:01:58,615",
            "thread_id": "8604",
            "caller": "0x7ff6c28b4425",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000a98"
              },
              {
                "name": "HandleName",
                "value": "C:\\Users\\admin\\AppData\\Local\\D3DSCache\\e8010882af4f153f\\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.val"
              },
              {
                "name": "FileInformationClass",
                "value": "28",
                "pretty_value": "FileCompressionInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\xb0\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x00\\x10\\x0c\\x0c\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 14558
          },
          {
            "timestamp": "2026-05-28 22:01:58,615",
            "thread_id": "8604",
            "caller": "0x7ff6c28b4425",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000a98"
              },
              {
                "name": "HandleName",
                "value": "C:\\Users\\admin\\AppData\\Local\\D3DSCache\\e8010882af4f153f\\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.val"
              },
              {
                "name": "FileInformationClass",
                "value": "5",
                "pretty_value": "FileStandardInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\xb0\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 14559
          },
          {
            "timestamp": "2026-05-28 22:01:58,615",
            "thread_id": "8604",
            "caller": "0x7ff6c28b4425",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000a98"
              },
              {
                "name": "HandleName",
                "value": "C:\\Users\\admin\\AppData\\Local\\D3DSCache\\e8010882af4f153f\\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.val"
              },
              {
                "name": "FileInformationClass",
                "value": "28",
                "pretty_value": "FileCompressionInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\xb0\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x00\\x10\\x0c\\x0c\\x00\\x00\\x00"
              }
            ],
            "repeated": 1,
            "id": 14560
          },
          {
            "timestamp": "2026-05-28 22:01:58,615",
            "thread_id": "8604",
            "caller": "0x7ff6c28b4425",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc6aa02000"
              },
              {
                "name": "ModuleName",
                "value": "D3DSCache.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 14561
          },
          {
            "timestamp": "2026-05-28 22:01:58,615",
            "thread_id": "8604",
            "caller": "0x7ff6c28b4425",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc6aa02000"
              },
              {
                "name": "ModuleName",
                "value": "D3DSCache.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 14562
          },
          {
            "timestamp": "2026-05-28 22:01:58,615",
            "thread_id": "8604",
            "caller": "0x7ff6c28b4425",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "29"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 14563
          },
          {
            "timestamp": "2026-05-28 22:01:58,615",
            "thread_id": "8604",
            "caller": "0x7ff6c28b4425",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "filesystem",
            "api": "NtOpenDirectoryObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "DirectoryHandle",
                "value": "0x00000a9c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020001",
                "pretty_value": "FILE_READ_ACCESS|READ_CONTROL"
              },
              {
                "name": "ObjectAttributes",
                "value": "C:\\RPC Control"
              }
            ],
            "repeated": 0,
            "id": 14564
          },
          {
            "timestamp": "2026-05-28 22:01:58,615",
            "thread_id": "8604",
            "caller": "0x7ff6c28b4425",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x00000aa0"
              }
            ],
            "repeated": 0,
            "id": 14565
          },
          {
            "timestamp": "2026-05-28 22:01:58,615",
            "thread_id": "8604",
            "caller": "0x7ff6c28b4425",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "10"
              },
              {
                "name": "TokenInformation",
                "value": "j\\xc4\t\\x00\\x00\\x00\\x00\\x00]Y\\x02\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x7f\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x94\\x0f\\x00\\x00\\x0e\\x00\\x00\\x00\\x18\\x00\\x00\\x00\\xa4\\xd0\t\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 14566
          },
          {
            "timestamp": "2026-05-28 22:01:58,615",
            "thread_id": "8604",
            "caller": "0x7ff6c28b4425",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "4"
              },
              {
                "name": "TokenInformation",
                "value": "\\xf8\\x11\\x8cT\\x92\\x02\\x00\\x00\\x01\\x02\\x00\\x00\\x00\\x00\\x00\\x05 \\x00\\x00\\x00 \\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 14567
          },
          {
            "timestamp": "2026-05-28 22:01:58,615",
            "thread_id": "8604",
            "caller": "0x7ff6c28b4425",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "25"
              },
              {
                "name": "TokenInformation",
                "value": "\\xc0\\x12\\x8cT\\x92\\x02\\x00\\x00`\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x10\\x000\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00h\\x00e\\x00"
              }
            ],
            "repeated": 0,
            "id": 14568
          },
          {
            "timestamp": "2026-05-28 22:01:58,615",
            "thread_id": "8604",
            "caller": "0x7ff6c28b4425",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "5"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 14569
          },
          {
            "timestamp": "2026-05-28 22:01:58,615",
            "thread_id": "8604",
            "caller": "0x7ff6c28b4425",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "5"
              },
              {
                "name": "TokenInformation",
                "value": "\\xd8|\\xa5T\\x92\\x02\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\x01\\x02\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 14570
          },
          {
            "timestamp": "2026-05-28 22:01:58,615",
            "thread_id": "8604",
            "caller": "0x7ff6c28b4425",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "6"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 14571
          },
          {
            "timestamp": "2026-05-28 22:01:58,615",
            "thread_id": "8604",
            "caller": "0x7ff6c28b4425",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "6"
              },
              {
                "name": "TokenInformation",
                "value": "\\x18\\x13\\x8cT\\x92\\x02\\x00\\x00\\x02\\x00P\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x18\\x00\\x00\\x00\\x00\\x10\\x01\\x02\\x00\\x00\\x00\\x00\\x00\\x05 \\x00\\x00\\x00 \\x02\\x00\\x00\\x00\\x00\\x14\\x00\\x00\\x00\\x00\\x10\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x05\\x12\\x00\\x00\\x00\\x00\\x00\\x1c\\x00\\x00\\x00\\x00\\xa0\\x01\\x03\\x00\\x00\\x00\\x00\\x00\\x05\\x05\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xc7X\\x02\\x00"
              }
            ],
            "repeated": 0,
            "id": 14572
          },
          {
            "timestamp": "2026-05-28 22:01:58,615",
            "thread_id": "8604",
            "caller": "0x7ff6c28b4425",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "41"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00X@\\xdd3\\xfc\\x7f\\x00\\x00\\xebP\\xb53\\xfc\\x7f\\x00\\x00\\x92\\xb3\\x1a\\xbdK\\xb4\\x00\\x00(N\\xd93\\xfc\\x7f\\x00\\x00@\\x9dO\\x9e\\xf0\\x00\\x00\\x008\\x9dO\\x9e\\xf0\\x00\\x00\\x00\\x08\\x9dO\\x9e\\xf0\\x00\\x00\\x00(\\x9dO\\x9e"
              }
            ],
            "repeated": 0,
            "id": 14573
          },
          {
            "timestamp": "2026-05-28 22:01:58,615",
            "thread_id": "8604",
            "caller": "0x7ff6c28b4425",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "41"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x13\\x8cT\\x92\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xd9\\xd8\\xb63\\xfc\\x7f\\x00\\x00#\\x00\\x00\\xc0\\x00\\x00\\x00\\x00(\\x9bO\\x9e\\xf0\\x00\\x00\\x00\\xa0\n\\x00\\x00\\x00\\x00\\x00\\x00\\x9a\\x00\\x1f8\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x86\\xa2\\xd93"
              }
            ],
            "repeated": 0,
            "id": 14574
          },
          {
            "timestamp": "2026-05-28 22:01:58,615",
            "thread_id": "8604",
            "caller": "0x7ff6c28b4425",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "10"
              },
              {
                "name": "TokenInformation",
                "value": "j\\xc4\t\\x00\\x00\\x00\\x00\\x00]Y\\x02\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x7f\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x94\\x0f\\x00\\x00\\x0e\\x00\\x00\\x00\\x18\\x00\\x00\\x00\\xa4\\xd0\t\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 14575
          },
          {
            "timestamp": "2026-05-28 22:01:58,615",
            "thread_id": "8604",
            "caller": "0x7ff6c28b4425",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "4"
              },
              {
                "name": "TokenInformation",
                "value": "\\xd8\\x16\\x8cT\\x92\\x02\\x00\\x00\\x01\\x02\\x00\\x00\\x00\\x00\\x00\\x05 \\x00\\x00\\x00 \\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 14576
          },
          {
            "timestamp": "2026-05-28 22:01:58,615",
            "thread_id": "8604",
            "caller": "0x7ff6c28b4425",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "25"
              },
              {
                "name": "TokenInformation",
                "value": "@\\x17\\x8cT\\x92\\x02\\x00\\x00`\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x10\\x000\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00urda"
              }
            ],
            "repeated": 0,
            "id": 14577
          },
          {
            "timestamp": "2026-05-28 22:01:58,615",
            "thread_id": "8604",
            "caller": "0x7ff6c28b4425",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "5"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 14578
          },
          {
            "timestamp": "2026-05-28 22:01:58,615",
            "thread_id": "8604",
            "caller": "0x7ff6c28b4425",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "5"
              },
              {
                "name": "TokenInformation",
                "value": "Xx\\xa5T\\x92\\x02\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\x01\\x02\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 14579
          },
          {
            "timestamp": "2026-05-28 22:01:58,615",
            "thread_id": "8604",
            "caller": "0x7ff6c28b4425",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "6"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 14580
          },
          {
            "timestamp": "2026-05-28 22:01:58,615",
            "thread_id": "8604",
            "caller": "0x7ff6c28b4425",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "6"
              },
              {
                "name": "TokenInformation",
                "value": "X\\x18\\x8cT\\x92\\x02\\x00\\x00\\x02\\x00P\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x18\\x00\\x00\\x00\\x00\\x10\\x01\\x02\\x00\\x00\\x00\\x00\\x00\\x05 \\x00\\x00\\x00 \\x02\\x00\\x00\\x00\\x00\\x14\\x00\\x00\\x00\\x00\\x10\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x05\\x12\\x00\\x00\\x00\\x00\\x00\\x1c\\x00\\x00\\x00\\x00\\xa0\\x01\\x03\\x00\\x00\\x00\\x00\\x00\\x05\\x05\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xc7X\\x02\\x00"
              }
            ],
            "repeated": 0,
            "id": 14581
          },
          {
            "timestamp": "2026-05-28 22:01:58,615",
            "thread_id": "8604",
            "caller": "0x7ff6c28b4425",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "41"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00X@\\xdd3\\xfc\\x7f\\x00\\x00\\xebP\\xb53\\xfc\\x7f\\x00\\x00r\\xb6\\x1a\\xbdK\\xb4\\x00\\x00(N\\xd93\\xfc\\x7f\\x00\\x00\\xa0\\x99O\\x9e\\xf0\\x00\\x00\\x00\\x98\\x99O\\x9e\\xf0\\x00\\x00\\x00h\\x99O\\x9e\\xf0\\x00\\x00\\x00\\x88\\x99O\\x9e"
              }
            ],
            "repeated": 0,
            "id": 14582
          },
          {
            "timestamp": "2026-05-28 22:01:58,615",
            "thread_id": "8604",
            "caller": "0x7ff6c28b4425",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "41"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00P\\x18\\x8cT\\x92\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xd9\\xd8\\xb63\\xfc\\x7f\\x00\\x00#\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x88\\x97O\\x9e\\xf0\\x00\\x00\\x00\\xa0\n\\x00\\x00\\x00\\x00\\x00\\x00\\x9a\\x00\\x1f8\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x86\\xa2\\xd93"
              }
            ],
            "repeated": 0,
            "id": 14583
          },
          {
            "timestamp": "2026-05-28 22:01:58,615",
            "thread_id": "8604",
            "caller": "0x7ff6c28b4425",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a9c"
              }
            ],
            "repeated": 0,
            "id": 14584
          },
          {
            "timestamp": "2026-05-28 22:01:58,615",
            "thread_id": "8604",
            "caller": "0x7ff6c28b4425",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000aa0"
              }
            ],
            "repeated": 0,
            "id": 14585
          },
          {
            "timestamp": "2026-05-28 22:01:58,615",
            "thread_id": "8604",
            "caller": "0x7ff6c28b4425",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "29"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 14586
          },
          {
            "timestamp": "2026-05-28 22:01:58,615",
            "thread_id": "8604",
            "caller": "0x7ff6c28b4425",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "filesystem",
            "api": "NtOpenDirectoryObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "DirectoryHandle",
                "value": "0x00000aa0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020001",
                "pretty_value": "FILE_READ_ACCESS|READ_CONTROL"
              },
              {
                "name": "ObjectAttributes",
                "value": "C:\\RPC Control"
              }
            ],
            "repeated": 0,
            "id": 14587
          },
          {
            "timestamp": "2026-05-28 22:01:58,615",
            "thread_id": "8604",
            "caller": "0x7ff6c28b4425",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x00000a9c"
              }
            ],
            "repeated": 0,
            "id": 14588
          },
          {
            "timestamp": "2026-05-28 22:01:58,615",
            "thread_id": "8604",
            "caller": "0x7ff6c28b4425",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "10"
              },
              {
                "name": "TokenInformation",
                "value": "j\\xc4\t\\x00\\x00\\x00\\x00\\x00]Y\\x02\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x7f\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x94\\x0f\\x00\\x00\\x0e\\x00\\x00\\x00\\x18\\x00\\x00\\x00\\xa4\\xd0\t\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 14589
          },
          {
            "timestamp": "2026-05-28 22:01:58,615",
            "thread_id": "8604",
            "caller": "0x7ff6c28b4425",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "4"
              },
              {
                "name": "TokenInformation",
                "value": "\\xf8\\x11\\x8cT\\x92\\x02\\x00\\x00\\x01\\x02\\x00\\x00\\x00\\x00\\x00\\x05 \\x00\\x00\\x00 \\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 14590
          },
          {
            "timestamp": "2026-05-28 22:01:58,615",
            "thread_id": "8604",
            "caller": "0x7ff6c28b4425",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "25"
              },
              {
                "name": "TokenInformation",
                "value": "\\xc0\\x12\\x8cT\\x92\\x02\\x00\\x00`\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x10\\x000\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00h\\x00e\\x00"
              }
            ],
            "repeated": 0,
            "id": 14591
          },
          {
            "timestamp": "2026-05-28 22:01:58,615",
            "thread_id": "8604",
            "caller": "0x7ff6c28b4425",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "5"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 14592
          },
          {
            "timestamp": "2026-05-28 22:01:58,615",
            "thread_id": "8604",
            "caller": "0x7ff6c28b4425",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "5"
              },
              {
                "name": "TokenInformation",
                "value": "H|\\xa5T\\x92\\x02\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\x01\\x02\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 14593
          },
          {
            "timestamp": "2026-05-28 22:01:58,615",
            "thread_id": "8604",
            "caller": "0x7ff6c28b4425",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "6"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 14594
          },
          {
            "timestamp": "2026-05-28 22:01:58,615",
            "thread_id": "8604",
            "caller": "0x7ff6c28b4425",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "6"
              },
              {
                "name": "TokenInformation",
                "value": "\\x18\\x13\\x8cT\\x92\\x02\\x00\\x00\\x02\\x00P\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x18\\x00\\x00\\x00\\x00\\x10\\x01\\x02\\x00\\x00\\x00\\x00\\x00\\x05 \\x00\\x00\\x00 \\x02\\x00\\x00\\x00\\x00\\x14\\x00\\x00\\x00\\x00\\x10\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x05\\x12\\x00\\x00\\x00\\x00\\x00\\x1c\\x00\\x00\\x00\\x00\\xa0\\x01\\x03\\x00\\x00\\x00\\x00\\x00\\x05\\x05\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xc7X\\x02\\x00"
              }
            ],
            "repeated": 0,
            "id": 14595
          },
          {
            "timestamp": "2026-05-28 22:01:58,615",
            "thread_id": "8604",
            "caller": "0x7ff6c28b4425",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "41"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00X@\\xdd3\\xfc\\x7f\\x00\\x00\\xebP\\xb53\\xfc\\x7f\\x00\\x00r\\xb4\\x1a\\xbdK\\xb4\\x00\\x00(N\\xd93\\xfc\\x7f\\x00\\x00\\xa0\\x9bO\\x9e\\xf0\\x00\\x00\\x00\\x98\\x9bO\\x9e\\xf0\\x00\\x00\\x00h\\x9bO\\x9e\\xf0\\x00\\x00\\x00\\x88\\x9bO\\x9e"
              }
            ],
            "repeated": 0,
            "id": 14596
          },
          {
            "timestamp": "2026-05-28 22:01:58,615",
            "thread_id": "8604",
            "caller": "0x7ff6c28b4425",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "41"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x13\\x8cT\\x92\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xd9\\xd8\\xb63\\xfc\\x7f\\x00\\x00#\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x88\\x99O\\x9e\\xf0\\x00\\x00\\x00\\x9c\n\\x00\\x00\\x00\\x00\\x00\\x00\\x9a\\x00\\x1f8\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x86\\xa2\\xd93"
              }
            ],
            "repeated": 0,
            "id": 14597
          },
          {
            "timestamp": "2026-05-28 22:01:58,615",
            "thread_id": "8604",
            "caller": "0x7ff6c28b4425",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "10"
              },
              {
                "name": "TokenInformation",
                "value": "j\\xc4\t\\x00\\x00\\x00\\x00\\x00]Y\\x02\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x7f\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x94\\x0f\\x00\\x00\\x0e\\x00\\x00\\x00\\x18\\x00\\x00\\x00\\xa4\\xd0\t\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 14598
          },
          {
            "timestamp": "2026-05-28 22:01:58,615",
            "thread_id": "8604",
            "caller": "0x7ff6c28b4425",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "4"
              },
              {
                "name": "TokenInformation",
                "value": "\\xd8\\x16\\x8cT\\x92\\x02\\x00\\x00\\x01\\x02\\x00\\x00\\x00\\x00\\x00\\x05 \\x00\\x00\\x00 \\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 14599
          },
          {
            "timestamp": "2026-05-28 22:01:58,615",
            "thread_id": "8604",
            "caller": "0x7ff6c28b4425",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "25"
              },
              {
                "name": "TokenInformation",
                "value": "@\\x17\\x8cT\\x92\\x02\\x00\\x00`\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x10\\x000\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00urda"
              }
            ],
            "repeated": 0,
            "id": 14600
          },
          {
            "timestamp": "2026-05-28 22:01:58,615",
            "thread_id": "8604",
            "caller": "0x7ff6c28b4425",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "5"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 14601
          },
          {
            "timestamp": "2026-05-28 22:01:58,615",
            "thread_id": "8604",
            "caller": "0x7ff6c28b4425",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "5"
              },
              {
                "name": "TokenInformation",
                "value": "\\xc8w\\xa5T\\x92\\x02\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\x01\\x02\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 14602
          },
          {
            "timestamp": "2026-05-28 22:01:58,615",
            "thread_id": "8604",
            "caller": "0x7ff6c28b4425",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "6"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 14603
          },
          {
            "timestamp": "2026-05-28 22:01:58,615",
            "thread_id": "8604",
            "caller": "0x7ff6c28b4425",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "6"
              },
              {
                "name": "TokenInformation",
                "value": "X\\x18\\x8cT\\x92\\x02\\x00\\x00\\x02\\x00P\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x18\\x00\\x00\\x00\\x00\\x10\\x01\\x02\\x00\\x00\\x00\\x00\\x00\\x05 \\x00\\x00\\x00 \\x02\\x00\\x00\\x00\\x00\\x14\\x00\\x00\\x00\\x00\\x10\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x05\\x12\\x00\\x00\\x00\\x00\\x00\\x1c\\x00\\x00\\x00\\x00\\xa0\\x01\\x03\\x00\\x00\\x00\\x00\\x00\\x05\\x05\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xc7X\\x02\\x00"
              }
            ],
            "repeated": 0,
            "id": 14604
          },
          {
            "timestamp": "2026-05-28 22:01:58,615",
            "thread_id": "8604",
            "caller": "0x7ff6c28b4425",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "41"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00X@\\xdd3\\xfc\\x7f\\x00\\x00\\xebP\\xb53\\xfc\\x7f\\x00\\x00\\xd2\\xa8\\x1a\\xbdK\\xb4\\x00\\x00(N\\xd93\\xfc\\x7f\\x00\\x00\\x00\\x98O\\x9e\\xf0\\x00\\x00\\x00\\xf8\\x97O\\x9e\\xf0\\x00\\x00\\x00\\xc8\\x97O\\x9e\\xf0\\x00\\x00\\x00\\xe8\\x97O\\x9e"
              }
            ],
            "repeated": 0,
            "id": 14605
          },
          {
            "timestamp": "2026-05-28 22:01:58,615",
            "thread_id": "8604",
            "caller": "0x7ff6c28b4425",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "41"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00P\\x18\\x8cT\\x92\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xd9\\xd8\\xb63\\xfc\\x7f\\x00\\x00#\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\xe8\\x95O\\x9e\\xf0\\x00\\x00\\x00\\x9c\n\\x00\\x00\\x00\\x00\\x00\\x00\\x9a\\x00\\x1f8\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x86\\xa2\\xd93"
              }
            ],
            "repeated": 0,
            "id": 14606
          },
          {
            "timestamp": "2026-05-28 22:01:58,615",
            "thread_id": "8604",
            "caller": "0x7ff6c28b4425",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "0\\x99O\\x9e\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\xe9\\x03\\x00\\x00\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00x\\x9eO\\x9e\\xf0\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\xfc\\x7f\\x00\\x00\\xbe'\\x84\\x81"
              }
            ],
            "repeated": 0,
            "id": 14607
          },
          {
            "timestamp": "2026-05-28 22:01:58,615",
            "thread_id": "8604",
            "caller": "0x7ff6c28b4425",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "2"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 14608
          },
          {
            "timestamp": "2026-05-28 22:01:58,615",
            "thread_id": "8604",
            "caller": "0x7ff6c28b4425",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "2"
              },
              {
                "name": "TokenInformation",
                "value": "\\x0e\\x00\\x00\\x00\\xcdS\\x8aF\\x88h\\x92T\\x92\\x02\\x00\\x00\\x07\\x00\\x00\\x00\t\\x04\\x00\\x00\\xa4h\\x92T\\x92\\x02\\x00\\x00\\x07\\x00\\x00\\x00D\\x00i\\x00\\xb0h\\x92T\\x92\\x02\\x00\\x00\\x07\\x00\\x00\\x00t\\x00e\\x00\\xbch\\x92T\\x92\\x02\\x00\\x00\\x0f\\x00\\x00\\x00i\\x00n\\x00\\xcch\\x92T\\x92\\x02\\x00\\x00\\x07\\x00\\x00\\x00e\\x00 \\x00\\xdch\\x92T\\x92\\x02\\x00\\x00\\x07\\x00\\x00\\x00p\\x00e\\x00\\xe8h\\x92T\\x92\\x02\\x00\\x00\\x07\\x00\\x00\\x00n\\x00c\\x00\\xf4h\\x92T\\x92\\x02\\x00\\x00\\x07\\x00\\x00\\x00c\\x00t\\x00\\x00i\\x92T\\x92\\x02\\x00\\x00\\x07\\x00\\x00\\x00s\\x00t\\x00\\x0ci\\x92T\\x92\\x02\\x00\\x00\\x07\\x00\\x00\\x00o\\x00u\\x00\\x18i\\x92T\\x92\\x02\\x00\\x00\\x07\\x00\\x00\\xc0t\\x00h\\x00,i\\x92T\\x92\\x02\\x00\\x00\\x07\\x00\\x00\\x00i\\x00t\\x008i\\x92T\\x92\\x02\\x00\\x00\\x07\\x00\\x00\\x00 \\x00l\\x00Hi\\x92T\\x92\\x02\\x00\\x00`\\x00\\x00\\x00R\\x00T\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2"
              }
            ],
            "repeated": 0,
            "id": 14609
          },
          {
            "timestamp": "2026-05-28 22:01:58,615",
            "thread_id": "8604",
            "caller": "0x7ff6c28b4425",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000aa0"
              }
            ],
            "repeated": 0,
            "id": 14610
          },
          {
            "timestamp": "2026-05-28 22:01:58,615",
            "thread_id": "8604",
            "caller": "0x7ff6c28b4425",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a9c"
              }
            ],
            "repeated": 0,
            "id": 14611
          },
          {
            "timestamp": "2026-05-28 22:01:58,615",
            "thread_id": "8604",
            "caller": "0x7ff6c28b4425",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "29"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 14612
          },
          {
            "timestamp": "2026-05-28 22:01:58,615",
            "thread_id": "8604",
            "caller": "0x7ff6c28b4425",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a20"
              }
            ],
            "repeated": 0,
            "id": 14613
          },
          {
            "timestamp": "2026-05-28 22:01:58,615",
            "thread_id": "8604",
            "caller": "0x7ff6c28b4425",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc70115000"
              },
              {
                "name": "ModuleName",
                "value": "twinapi.appcore.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 14614
          },
          {
            "timestamp": "2026-05-28 22:01:58,615",
            "thread_id": "8604",
            "caller": "0x7ff6c28b4425",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc70115000"
              },
              {
                "name": "ModuleName",
                "value": "twinapi.appcore.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 14615
          },
          {
            "timestamp": "2026-05-28 22:01:58,615",
            "thread_id": "8604",
            "caller": "0x7ff6c28b4425",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "misc",
            "api": "GetSystemInfo",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 2,
            "id": 14616
          },
          {
            "timestamp": "2026-05-28 22:01:58,615",
            "thread_id": "8604",
            "caller": "0x7ff6c28b4425",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "filesystem",
            "api": "NtSetInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000a98"
              },
              {
                "name": "HandleName",
                "value": "C:\\Users\\admin\\AppData\\Local\\D3DSCache\\e8010882af4f153f\\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.val"
              },
              {
                "name": "FileInformationClass",
                "value": "14",
                "pretty_value": "FilePositionInformation"
              },
              {
                "name": "FileInformation",
                "value": "p\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 14617
          },
          {
            "timestamp": "2026-05-28 22:01:58,615",
            "thread_id": "8604",
            "caller": "0x7ff6c28b4425",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "filesystem",
            "api": "NtReadFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000a98"
              },
              {
                "name": "HandleName",
                "value": "C:\\Users\\admin\\AppData\\Local\\D3DSCache\\e8010882af4f153f\\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.val"
              },
              {
                "name": "Buffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x18\\x00\\x00\\x00\\x18\\x03\\x00\\x00(\\x00\\x00\\x00p\\x87DJ!\\x18IL\\x9e\\xdf\\xe4\\x8e\\xa9\\xd6\\xddZm\\xccF\\xe1\\xdd\\xac\\xd5\\x01\t\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "Length",
                "value": "832"
              }
            ],
            "repeated": 0,
            "id": 14618
          },
          {
            "timestamp": "2026-05-28 22:01:58,615",
            "thread_id": "8604",
            "caller": "0x7ff6c28b4425",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a88"
              }
            ],
            "repeated": 0,
            "id": 14619
          },
          {
            "timestamp": "2026-05-28 22:01:58,615",
            "thread_id": "8604",
            "caller": "0x7ff6c28b4425",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a84"
              }
            ],
            "repeated": 0,
            "id": 14620
          },
          {
            "timestamp": "2026-05-28 22:01:58,615",
            "thread_id": "8604",
            "caller": "0x7ff6c28b4425",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "unload"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\system32\\dxilconv"
              },
              {
                "name": "DllBase",
                "value": "0x7ffc5f430000"
              }
            ],
            "repeated": 0,
            "id": 14621
          },
          {
            "timestamp": "2026-05-28 22:01:58,615",
            "thread_id": "8604",
            "caller": "0x7ff6c28b4425",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc5f430000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              }
            ],
            "repeated": 0,
            "id": 14622
          },
          {
            "timestamp": "2026-05-28 22:01:58,615",
            "thread_id": "8604",
            "caller": "0x7ff6c28b4425",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254a5e000"
              },
              {
                "name": "RegionSize",
                "value": "0x00051000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 14623
          },
          {
            "timestamp": "2026-05-28 22:01:58,615",
            "thread_id": "8604",
            "caller": "0x7ff6c28b4425",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "misc",
            "api": "GetSystemInfo",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 14624
          },
          {
            "timestamp": "2026-05-28 22:01:58,631",
            "thread_id": "8604",
            "caller": "0x7ff6c28b444b",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000a98"
              },
              {
                "name": "HandleName",
                "value": "C:\\Users\\admin\\AppData\\Local\\D3DSCache\\e8010882af4f153f\\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.val"
              },
              {
                "name": "FileInformationClass",
                "value": "28",
                "pretty_value": "FileCompressionInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\xb0\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x00\\x10\\x0c\\x0c\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 14625
          },
          {
            "timestamp": "2026-05-28 22:01:58,631",
            "thread_id": "8604",
            "caller": "0x7ff6c28b444b",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "filesystem",
            "api": "NtSetInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000a90"
              },
              {
                "name": "HandleName",
                "value": "C:\\Users\\admin\\AppData\\Local\\D3DSCache\\e8010882af4f153f\\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.lock"
              },
              {
                "name": "FileInformationClass",
                "value": "14",
                "pretty_value": "FilePositionInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 14626
          },
          {
            "timestamp": "2026-05-28 22:01:58,631",
            "thread_id": "8604",
            "caller": "0x7ff6c28b444b",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "filesystem",
            "api": "NtWriteFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000a90"
              },
              {
                "name": "HandleName",
                "value": "C:\\Users\\admin\\AppData\\Local\\D3DSCache\\e8010882af4f153f\\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.lock"
              },
              {
                "name": "Buffer",
                "value": "KCOL"
              },
              {
                "name": "Length",
                "value": "4"
              }
            ],
            "repeated": 0,
            "id": 14627
          },
          {
            "timestamp": "2026-05-28 22:01:58,631",
            "thread_id": "8604",
            "caller": "0x7ff6c28b444b",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a98"
              }
            ],
            "repeated": 0,
            "id": 14628
          },
          {
            "timestamp": "2026-05-28 22:01:58,631",
            "thread_id": "8604",
            "caller": "0x7ff6c28b444b",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a94"
              }
            ],
            "repeated": 0,
            "id": 14629
          },
          {
            "timestamp": "2026-05-28 22:01:58,631",
            "thread_id": "8604",
            "caller": "0x7ff6c28b444b",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "filesystem",
            "api": "NtSetInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000a90"
              },
              {
                "name": "HandleName",
                "value": "C:\\Users\\admin\\AppData\\Local\\D3DSCache\\e8010882af4f153f\\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.lock"
              },
              {
                "name": "FileInformationClass",
                "value": "14",
                "pretty_value": "FilePositionInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 14630
          },
          {
            "timestamp": "2026-05-28 22:01:58,631",
            "thread_id": "8604",
            "caller": "0x7ff6c28b444b",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "filesystem",
            "api": "NtWriteFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000a90"
              },
              {
                "name": "HandleName",
                "value": "C:\\Users\\admin\\AppData\\Local\\D3DSCache\\e8010882af4f153f\\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.lock"
              },
              {
                "name": "Buffer",
                "value": "EERF"
              },
              {
                "name": "Length",
                "value": "4"
              }
            ],
            "repeated": 0,
            "id": 14631
          },
          {
            "timestamp": "2026-05-28 22:01:58,631",
            "thread_id": "8604",
            "caller": "0x7ff6c28b444b",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a90"
              }
            ],
            "repeated": 0,
            "id": 14632
          },
          {
            "timestamp": "2026-05-28 22:01:58,631",
            "thread_id": "8604",
            "caller": "0x7ff6c28b444b",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a7c"
              }
            ],
            "repeated": 0,
            "id": 14633
          },
          {
            "timestamp": "2026-05-28 22:01:58,631",
            "thread_id": "8604",
            "caller": "0x7ff6c28b444b",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a38"
              }
            ],
            "repeated": 0,
            "id": 14634
          },
          {
            "timestamp": "2026-05-28 22:01:58,631",
            "thread_id": "8604",
            "caller": "0x7ff6c28b444b",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a3c"
              }
            ],
            "repeated": 0,
            "id": 14635
          },
          {
            "timestamp": "2026-05-28 22:01:58,631",
            "thread_id": "8604",
            "caller": "0x7ff6c28b444b",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a40"
              }
            ],
            "repeated": 0,
            "id": 14636
          },
          {
            "timestamp": "2026-05-28 22:01:58,631",
            "thread_id": "8604",
            "caller": "0x7ff6c28b444b",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a44"
              }
            ],
            "repeated": 0,
            "id": 14637
          },
          {
            "timestamp": "2026-05-28 22:01:58,631",
            "thread_id": "8604",
            "caller": "0x7ff6c28b444b",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a48"
              }
            ],
            "repeated": 0,
            "id": 14638
          },
          {
            "timestamp": "2026-05-28 22:01:58,631",
            "thread_id": "8604",
            "caller": "0x7ff6c28b444b",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a4c"
              }
            ],
            "repeated": 0,
            "id": 14639
          },
          {
            "timestamp": "2026-05-28 22:01:58,631",
            "thread_id": "8604",
            "caller": "0x7ff6c28b444b",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a50"
              }
            ],
            "repeated": 0,
            "id": 14640
          },
          {
            "timestamp": "2026-05-28 22:01:58,631",
            "thread_id": "8604",
            "caller": "0x7ff6c28b444b",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a54"
              }
            ],
            "repeated": 0,
            "id": 14641
          },
          {
            "timestamp": "2026-05-28 22:01:58,631",
            "thread_id": "8604",
            "caller": "0x7ff6c28b444b",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a58"
              }
            ],
            "repeated": 0,
            "id": 14642
          },
          {
            "timestamp": "2026-05-28 22:01:58,631",
            "thread_id": "8604",
            "caller": "0x7ff6c28b444b",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a5c"
              }
            ],
            "repeated": 0,
            "id": 14643
          },
          {
            "timestamp": "2026-05-28 22:01:58,631",
            "thread_id": "8604",
            "caller": "0x7ff6c28b444b",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a60"
              }
            ],
            "repeated": 0,
            "id": 14644
          },
          {
            "timestamp": "2026-05-28 22:01:58,631",
            "thread_id": "8604",
            "caller": "0x7ff6c28b444b",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a64"
              }
            ],
            "repeated": 0,
            "id": 14645
          },
          {
            "timestamp": "2026-05-28 22:01:58,631",
            "thread_id": "8604",
            "caller": "0x7ff6c28b444b",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a68"
              }
            ],
            "repeated": 0,
            "id": 14646
          },
          {
            "timestamp": "2026-05-28 22:01:58,631",
            "thread_id": "8604",
            "caller": "0x7ff6c28b444b",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a6c"
              }
            ],
            "repeated": 0,
            "id": 14647
          },
          {
            "timestamp": "2026-05-28 22:01:58,631",
            "thread_id": "8604",
            "caller": "0x7ff6c28b444b",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a70"
              }
            ],
            "repeated": 0,
            "id": 14648
          },
          {
            "timestamp": "2026-05-28 22:01:58,631",
            "thread_id": "8604",
            "caller": "0x7ff6c28b444b",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a74"
              }
            ],
            "repeated": 0,
            "id": 14649
          },
          {
            "timestamp": "2026-05-28 22:01:58,631",
            "thread_id": "8604",
            "caller": "0x7ff6c28b444b",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a78"
              }
            ],
            "repeated": 0,
            "id": 14650
          },
          {
            "timestamp": "2026-05-28 22:01:58,631",
            "thread_id": "8604",
            "caller": "0x7ff6c28b444b",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29255720000"
              },
              {
                "name": "RegionSize",
                "value": "0x00803000"
              },
              {
                "name": "FreeType",
                "value": "0x00008000"
              }
            ],
            "repeated": 0,
            "id": 14651
          },
          {
            "timestamp": "2026-05-28 22:01:58,631",
            "thread_id": "8604",
            "caller": "0x7ff6c28b444b",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29257f70000"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 14652
          },
          {
            "timestamp": "2026-05-28 22:01:58,631",
            "thread_id": "8604",
            "caller": "0x7ff6c28b444b",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29257f70000"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 14653
          },
          {
            "timestamp": "2026-05-28 22:01:58,631",
            "thread_id": "8604",
            "caller": "0x7ff6c28b444b",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29257f70000"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 14654
          },
          {
            "timestamp": "2026-05-28 22:01:58,631",
            "thread_id": "8604",
            "caller": "0x7ff6c28b444b",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29257f70000"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 14655
          },
          {
            "timestamp": "2026-05-28 22:01:58,631",
            "thread_id": "8604",
            "caller": "0x7ff6c28b444b",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29257f70000"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 14656
          },
          {
            "timestamp": "2026-05-28 22:01:58,631",
            "thread_id": "8604",
            "caller": "0x7ff6c28b444b",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29257f70000"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 14657
          },
          {
            "timestamp": "2026-05-28 22:01:58,631",
            "thread_id": "8604",
            "caller": "0x7ff6c28b444b",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29257f70000"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 14658
          },
          {
            "timestamp": "2026-05-28 22:01:58,631",
            "thread_id": "8604",
            "caller": "0x7ff6c28b444b",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29257f70000"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 14659
          },
          {
            "timestamp": "2026-05-28 22:01:58,631",
            "thread_id": "8604",
            "caller": "0x7ff6c28b444b",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29257f70000"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 14660
          },
          {
            "timestamp": "2026-05-28 22:01:58,631",
            "thread_id": "8604",
            "caller": "0x7ff6c28b444b",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29257f70000"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 14661
          },
          {
            "timestamp": "2026-05-28 22:01:58,631",
            "thread_id": "8604",
            "caller": "0x7ff6c28b444b",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29257f70000"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 14662
          },
          {
            "timestamp": "2026-05-28 22:01:58,631",
            "thread_id": "8604",
            "caller": "0x7ff6c28b444b",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29257f70000"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 14663
          },
          {
            "timestamp": "2026-05-28 22:01:58,631",
            "thread_id": "8604",
            "caller": "0x7ff6c28b444b",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29257f70000"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 14664
          },
          {
            "timestamp": "2026-05-28 22:01:58,631",
            "thread_id": "8604",
            "caller": "0x7ff6c28b444b",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29257f70000"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 14665
          },
          {
            "timestamp": "2026-05-28 22:01:58,631",
            "thread_id": "8604",
            "caller": "0x7ff6c28b444b",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a34"
              }
            ],
            "repeated": 0,
            "id": 14666
          },
          {
            "timestamp": "2026-05-28 22:01:58,631",
            "thread_id": "8604",
            "caller": "0x7ff6c28b444b",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a30"
              }
            ],
            "repeated": 0,
            "id": 14667
          },
          {
            "timestamp": "2026-05-28 22:01:58,631",
            "thread_id": "8604",
            "caller": "0x7ff6c28b444b",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc77fd0000"
              },
              {
                "name": "FunctionName",
                "value": "RtlUnregisterFeatureConfigurationChangeNotification"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc7804eec0"
              }
            ],
            "repeated": 0,
            "id": 14668
          },
          {
            "timestamp": "2026-05-28 22:01:58,631",
            "thread_id": "8604",
            "caller": "0x7ff6c28b444b",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc77fd0000"
              },
              {
                "name": "FunctionName",
                "value": "RtlUnsubscribeWnfNotificationWaitForCompletion"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc78032650"
              }
            ],
            "repeated": 0,
            "id": 14669
          },
          {
            "timestamp": "2026-05-28 22:01:58,631",
            "thread_id": "8604",
            "caller": "0x7ff6c28b444b",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "unload"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\system32\\d3d10warp"
              },
              {
                "name": "DllBase",
                "value": "0x7ffc6e3b0000"
              }
            ],
            "repeated": 0,
            "id": 14670
          },
          {
            "timestamp": "2026-05-28 22:01:58,631",
            "thread_id": "8604",
            "caller": "0x7ff6c28b444b",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc6e3b0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              }
            ],
            "repeated": 0,
            "id": 14671
          },
          {
            "timestamp": "2026-05-28 22:01:58,631",
            "thread_id": "8604",
            "caller": "0x7ff6c28b449a",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": false,
            "return": "0xffffffffc0000135",
            "pretty_return": "DLL_NOT_FOUND",
            "arguments": [
              {
                "name": "FileName",
                "value": "DXCaptureReplay.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x29254ac47f0"
              }
            ],
            "repeated": 0,
            "id": 14672
          },
          {
            "timestamp": "2026-05-28 22:01:58,631",
            "thread_id": "8604",
            "caller": "0x7ff6c28b449a",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": false,
            "return": "0xffffffffc0000135",
            "pretty_return": "DLL_NOT_FOUND",
            "arguments": [
              {
                "name": "FileName",
                "value": "DXCaptureReplay.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 14673
          },
          {
            "timestamp": "2026-05-28 22:01:58,631",
            "thread_id": "8604",
            "caller": "0x7ff6c28b449a",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc718dc000"
              },
              {
                "name": "ModuleName",
                "value": "d3d11.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 14674
          },
          {
            "timestamp": "2026-05-28 22:01:58,631",
            "thread_id": "8604",
            "caller": "0x7ff6c28b449a",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc718dc000"
              },
              {
                "name": "ModuleName",
                "value": "d3d11.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 14675
          },
          {
            "timestamp": "2026-05-28 22:01:58,631",
            "thread_id": "8604",
            "caller": "0x7ff6c28b449a",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a30"
              }
            ],
            "repeated": 0,
            "id": 14676
          },
          {
            "timestamp": "2026-05-28 22:01:58,631",
            "thread_id": "8604",
            "caller": "0x7ff6c28b449a",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a34"
              }
            ],
            "repeated": 0,
            "id": 14677
          },
          {
            "timestamp": "2026-05-28 22:01:58,631",
            "thread_id": "8604",
            "caller": "0x7ff6c28b449a",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc77fd0000"
              }
            ],
            "repeated": 0,
            "id": 14678
          },
          {
            "timestamp": "2026-05-28 22:01:58,631",
            "thread_id": "8604",
            "caller": "0x7ff6c28b449a",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc77fd0000"
              },
              {
                "name": "FunctionName",
                "value": "RtlRegisterFeatureConfigurationChangeNotification"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc77fd93b0"
              }
            ],
            "repeated": 0,
            "id": 14679
          },
          {
            "timestamp": "2026-05-28 22:01:58,631",
            "thread_id": "8604",
            "caller": "0x7ff6c28b449a",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc77fd0000"
              },
              {
                "name": "FunctionName",
                "value": "NtQueryWnfStateData"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc7806fc40"
              }
            ],
            "repeated": 0,
            "id": 14680
          },
          {
            "timestamp": "2026-05-28 22:01:58,631",
            "thread_id": "8604",
            "caller": "0x7ff6c28b449a",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc77fd0000"
              },
              {
                "name": "FunctionName",
                "value": "RtlSubscribeWnfStateChangeNotification"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc78012460"
              }
            ],
            "repeated": 0,
            "id": 14681
          },
          {
            "timestamp": "2026-05-28 22:01:58,631",
            "thread_id": "8604",
            "caller": "0x7ff6c28b449a",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc77fd0000"
              },
              {
                "name": "FunctionName",
                "value": "RtlDisownModuleHeapAllocation"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc7804fa30"
              }
            ],
            "repeated": 0,
            "id": 14682
          },
          {
            "timestamp": "2026-05-28 22:01:58,631",
            "thread_id": "8604",
            "caller": "0x7ff6c28b449a",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc77fd0000"
              },
              {
                "name": "FunctionName",
                "value": "RtlQueryFeatureConfiguration"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc7802cbd0"
              }
            ],
            "repeated": 0,
            "id": 14683
          },
          {
            "timestamp": "2026-05-28 22:01:58,631",
            "thread_id": "8604",
            "caller": "0x7ff6c28b449a",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "DXGI"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc73f70000"
              }
            ],
            "repeated": 0,
            "id": 14684
          },
          {
            "timestamp": "2026-05-28 22:01:58,631",
            "thread_id": "8604",
            "caller": "0x7ff6c28b449a",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "dxgi.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc73f70000"
              },
              {
                "name": "FunctionName",
                "value": "CompatValue"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc73f7b680"
              }
            ],
            "repeated": 0,
            "id": 14685
          },
          {
            "timestamp": "2026-05-28 22:01:58,631",
            "thread_id": "8604",
            "caller": "0x7ff6c28b449a",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc718dc000"
              },
              {
                "name": "ModuleName",
                "value": "d3d11.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 14686
          },
          {
            "timestamp": "2026-05-28 22:01:58,631",
            "thread_id": "8604",
            "caller": "0x7ff6c28b449a",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc718dc000"
              },
              {
                "name": "ModuleName",
                "value": "d3d11.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 14687
          },
          {
            "timestamp": "2026-05-28 22:01:58,631",
            "thread_id": "8604",
            "caller": "0x7ff6c28b449a",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "gdi32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc77ed0000"
              }
            ],
            "repeated": 0,
            "id": 14688
          },
          {
            "timestamp": "2026-05-28 22:01:58,631",
            "thread_id": "8604",
            "caller": "0x7ff6c28b449a",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "GDI32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc77ed0000"
              },
              {
                "name": "FunctionName",
                "value": "D3DKMTRegisterTrimNotification"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc77ed5220"
              }
            ],
            "repeated": 0,
            "id": 14689
          },
          {
            "timestamp": "2026-05-28 22:01:58,631",
            "thread_id": "8604",
            "caller": "0x7ff6c28b449a",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "GDI32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc77ed0000"
              },
              {
                "name": "FunctionName",
                "value": "D3DKMTUnregisterTrimNotification"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc77ed5190"
              }
            ],
            "repeated": 0,
            "id": 14690
          },
          {
            "timestamp": "2026-05-28 22:01:58,631",
            "thread_id": "8604",
            "caller": "0x7ff6c28b449a",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "GDI32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc77ed0000"
              },
              {
                "name": "FunctionName",
                "value": "D3DKMTMakeResident"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc75a55030"
              }
            ],
            "repeated": 0,
            "id": 14691
          },
          {
            "timestamp": "2026-05-28 22:01:58,631",
            "thread_id": "8604",
            "caller": "0x7ff6c28b449a",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "GDI32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc77ed0000"
              },
              {
                "name": "FunctionName",
                "value": "D3DKMTEvict"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc75a54bf0"
              }
            ],
            "repeated": 0,
            "id": 14692
          },
          {
            "timestamp": "2026-05-28 22:01:58,631",
            "thread_id": "8604",
            "caller": "0x7ff6c28b449a",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "GDI32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc77ed0000"
              },
              {
                "name": "FunctionName",
                "value": "D3DKMTWaitForSynchronizationObjectFromCpu"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc75a55c70"
              }
            ],
            "repeated": 0,
            "id": 14693
          },
          {
            "timestamp": "2026-05-28 22:01:58,631",
            "thread_id": "8604",
            "caller": "0x7ff6c28b449a",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "GDI32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc77ed0000"
              },
              {
                "name": "FunctionName",
                "value": "D3DKMTSignalSynchronizationObjectFromCpu"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc75a55a70"
              }
            ],
            "repeated": 0,
            "id": 14694
          },
          {
            "timestamp": "2026-05-28 22:01:58,631",
            "thread_id": "8604",
            "caller": "0x7ff6c28b449a",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "GDI32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc77ed0000"
              },
              {
                "name": "FunctionName",
                "value": "D3DKMTWaitForSynchronizationObjectFromGpu"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc75a55c90"
              }
            ],
            "repeated": 0,
            "id": 14695
          },
          {
            "timestamp": "2026-05-28 22:01:58,631",
            "thread_id": "8604",
            "caller": "0x7ff6c28b449a",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "GDI32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc77ed0000"
              },
              {
                "name": "FunctionName",
                "value": "D3DKMTSignalSynchronizationObjectFromGpu"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc75a55a90"
              }
            ],
            "repeated": 0,
            "id": 14696
          },
          {
            "timestamp": "2026-05-28 22:01:58,631",
            "thread_id": "8604",
            "caller": "0x7ff6c28b449a",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "GDI32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc77ed0000"
              },
              {
                "name": "FunctionName",
                "value": "D3DKMTSignalSynchronizationObjectFromGpu2"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc75a55ab0"
              }
            ],
            "repeated": 0,
            "id": 14697
          },
          {
            "timestamp": "2026-05-28 22:01:58,631",
            "thread_id": "8604",
            "caller": "0x7ff6c28b449a",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "GDI32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc77ed0000"
              },
              {
                "name": "FunctionName",
                "value": "D3DKMTCreatePagingQueue"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc75a548f0"
              }
            ],
            "repeated": 0,
            "id": 14698
          },
          {
            "timestamp": "2026-05-28 22:01:58,631",
            "thread_id": "8604",
            "caller": "0x7ff6c28b449a",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "GDI32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc77ed0000"
              },
              {
                "name": "FunctionName",
                "value": "D3DKMTDestroyPagingQueue"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc75a54ad0"
              }
            ],
            "repeated": 0,
            "id": 14699
          },
          {
            "timestamp": "2026-05-28 22:01:58,631",
            "thread_id": "8604",
            "caller": "0x7ff6c28b449a",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "GDI32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc77ed0000"
              },
              {
                "name": "FunctionName",
                "value": "D3DKMTLock2"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc75a55010"
              }
            ],
            "repeated": 0,
            "id": 14700
          },
          {
            "timestamp": "2026-05-28 22:01:58,631",
            "thread_id": "8604",
            "caller": "0x7ff6c28b449a",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "GDI32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc77ed0000"
              },
              {
                "name": "FunctionName",
                "value": "D3DKMTUnlock2"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc75a55bb0"
              }
            ],
            "repeated": 0,
            "id": 14701
          },
          {
            "timestamp": "2026-05-28 22:01:58,631",
            "thread_id": "8604",
            "caller": "0x7ff6c28b449a",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "GDI32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc77ed0000"
              },
              {
                "name": "FunctionName",
                "value": "D3DKMTInvalidateCache"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc75a54fd0"
              }
            ],
            "repeated": 0,
            "id": 14702
          },
          {
            "timestamp": "2026-05-28 22:01:58,631",
            "thread_id": "8604",
            "caller": "0x7ff6c28b449a",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "GDI32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc77ed0000"
              },
              {
                "name": "FunctionName",
                "value": "D3DKMTGetResourcePresentPrivateDriverData"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc75a54eb0"
              }
            ],
            "repeated": 0,
            "id": 14703
          },
          {
            "timestamp": "2026-05-28 22:01:58,631",
            "thread_id": "8604",
            "caller": "0x7ff6c28b449a",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "GDI32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc77ed0000"
              },
              {
                "name": "FunctionName",
                "value": "D3DKMTReserveGpuVirtualAddress"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc75a55750"
              }
            ],
            "repeated": 0,
            "id": 14704
          },
          {
            "timestamp": "2026-05-28 22:01:58,631",
            "thread_id": "8604",
            "caller": "0x7ff6c28b449a",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "GDI32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc77ed0000"
              },
              {
                "name": "FunctionName",
                "value": "D3DKMTMapGpuVirtualAddress"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc75a55050"
              }
            ],
            "repeated": 0,
            "id": 14705
          },
          {
            "timestamp": "2026-05-28 22:01:58,631",
            "thread_id": "8604",
            "caller": "0x7ff6c28b449a",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "GDI32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc77ed0000"
              },
              {
                "name": "FunctionName",
                "value": "D3DKMTFreeGpuVirtualAddress"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc75a54c70"
              }
            ],
            "repeated": 0,
            "id": 14706
          },
          {
            "timestamp": "2026-05-28 22:01:58,631",
            "thread_id": "8604",
            "caller": "0x7ff6c28b449a",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "GDI32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc77ed0000"
              },
              {
                "name": "FunctionName",
                "value": "D3DKMTUpdateGpuVirtualAddress"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc75a55bf0"
              }
            ],
            "repeated": 0,
            "id": 14707
          },
          {
            "timestamp": "2026-05-28 22:01:58,631",
            "thread_id": "8604",
            "caller": "0x7ff6c28b449a",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "GDI32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc77ed0000"
              },
              {
                "name": "FunctionName",
                "value": "D3DKMTCreateContextVirtual"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc75a547d0"
              }
            ],
            "repeated": 0,
            "id": 14708
          },
          {
            "timestamp": "2026-05-28 22:01:58,631",
            "thread_id": "8604",
            "caller": "0x7ff6c28b449a",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "GDI32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc77ed0000"
              },
              {
                "name": "FunctionName",
                "value": "D3DKMTSubmitCommand"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc75a55ad0"
              }
            ],
            "repeated": 0,
            "id": 14709
          },
          {
            "timestamp": "2026-05-28 22:01:58,631",
            "thread_id": "8604",
            "caller": "0x7ff6c28b449a",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "GDI32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc77ed0000"
              },
              {
                "name": "FunctionName",
                "value": "D3DKMTOpenSyncObjectNtHandleFromName"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc75a55310"
              }
            ],
            "repeated": 0,
            "id": 14710
          },
          {
            "timestamp": "2026-05-28 22:01:58,631",
            "thread_id": "8604",
            "caller": "0x7ff6c28b449a",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "GDI32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc77ed0000"
              },
              {
                "name": "FunctionName",
                "value": "D3DKMTOpenSyncObjectFromNtHandle2"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc75a552f0"
              }
            ],
            "repeated": 0,
            "id": 14711
          },
          {
            "timestamp": "2026-05-28 22:01:58,631",
            "thread_id": "8604",
            "caller": "0x7ff6c28b449a",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "GDI32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc77ed0000"
              },
              {
                "name": "FunctionName",
                "value": "D3DKMTDestroyAllocation2"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc75a549b0"
              }
            ],
            "repeated": 0,
            "id": 14712
          },
          {
            "timestamp": "2026-05-28 22:01:58,631",
            "thread_id": "8604",
            "caller": "0x7ff6c28b449a",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "GDI32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc77ed0000"
              },
              {
                "name": "FunctionName",
                "value": "D3DKMTQueryVideoMemoryInfo"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc75a55630"
              }
            ],
            "repeated": 0,
            "id": 14713
          },
          {
            "timestamp": "2026-05-28 22:01:58,631",
            "thread_id": "8604",
            "caller": "0x7ff6c28b449a",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "GDI32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc77ed0000"
              },
              {
                "name": "FunctionName",
                "value": "D3DKMTChangeVideoMemoryReservation"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc75a54610"
              }
            ],
            "repeated": 0,
            "id": 14714
          },
          {
            "timestamp": "2026-05-28 22:01:58,631",
            "thread_id": "8604",
            "caller": "0x7ff6c28b449a",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "GDI32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc77ed0000"
              },
              {
                "name": "FunctionName",
                "value": "D3DKMTReclaimAllocations2"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc75a55670"
              }
            ],
            "repeated": 0,
            "id": 14715
          },
          {
            "timestamp": "2026-05-28 22:01:58,631",
            "thread_id": "8604",
            "caller": "0x7ff6c28b449a",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "GDI32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc77ed0000"
              },
              {
                "name": "FunctionName",
                "value": "D3DKMTPresentMultiPlaneOverlay2"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc75a55450"
              }
            ],
            "repeated": 0,
            "id": 14716
          },
          {
            "timestamp": "2026-05-28 22:01:58,631",
            "thread_id": "8604",
            "caller": "0x7ff6c28b449a",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "GDI32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc77ed0000"
              },
              {
                "name": "FunctionName",
                "value": "D3DKMTCheckMultiPlaneOverlaySupport2"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc75a54690"
              }
            ],
            "repeated": 0,
            "id": 14717
          },
          {
            "timestamp": "2026-05-28 22:01:58,631",
            "thread_id": "8604",
            "caller": "0x7ff6c28b449a",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "GDI32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc77ed0000"
              },
              {
                "name": "FunctionName",
                "value": "D3DKMTSetStablePowerState"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc75a55930"
              }
            ],
            "repeated": 0,
            "id": 14718
          },
          {
            "timestamp": "2026-05-28 22:01:58,631",
            "thread_id": "8604",
            "caller": "0x7ff6c28b449a",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "GDI32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc77ed0000"
              },
              {
                "name": "FunctionName",
                "value": "D3DKMTQueryClockCalibration"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc75a554f0"
              }
            ],
            "repeated": 0,
            "id": 14719
          },
          {
            "timestamp": "2026-05-28 22:01:58,631",
            "thread_id": "8604",
            "caller": "0x7ff6c28b449a",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "GDI32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc77ed0000"
              },
              {
                "name": "FunctionName",
                "value": "D3DKMTMarkDeviceAsError"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc75a55070"
              }
            ],
            "repeated": 0,
            "id": 14720
          },
          {
            "timestamp": "2026-05-28 22:01:58,631",
            "thread_id": "8604",
            "caller": "0x7ff6c28b449a",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "GDI32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc77ed0000"
              },
              {
                "name": "FunctionName",
                "value": "D3DKMTFlushHeapTransitions"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc75a54c50"
              }
            ],
            "repeated": 0,
            "id": 14721
          },
          {
            "timestamp": "2026-05-28 22:01:58,631",
            "thread_id": "8604",
            "caller": "0x7ff6c28b449a",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "GDI32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc77ed0000"
              },
              {
                "name": "FunctionName",
                "value": "D3DKMTUpdateAllocationProperty"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc75a55bd0"
              }
            ],
            "repeated": 0,
            "id": 14722
          },
          {
            "timestamp": "2026-05-28 22:01:58,631",
            "thread_id": "8604",
            "caller": "0x7ff6c28b449a",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "GDI32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc77ed0000"
              },
              {
                "name": "FunctionName",
                "value": "D3DKMTGetAllocationPriority"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc75a54c90"
              }
            ],
            "repeated": 0,
            "id": 14723
          },
          {
            "timestamp": "2026-05-28 22:01:58,631",
            "thread_id": "8604",
            "caller": "0x7ff6c28b449a",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "GDI32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc77ed0000"
              },
              {
                "name": "FunctionName",
                "value": "D3DKMTOfferAllocations"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc75a55130"
              }
            ],
            "repeated": 0,
            "id": 14724
          },
          {
            "timestamp": "2026-05-28 22:01:58,631",
            "thread_id": "8604",
            "caller": "0x7ff6c28b449a",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "GDI32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc77ed0000"
              },
              {
                "name": "FunctionName",
                "value": "D3DKMTReclaimAllocations"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc75a55650"
              }
            ],
            "repeated": 0,
            "id": 14725
          },
          {
            "timestamp": "2026-05-28 22:01:58,631",
            "thread_id": "8604",
            "caller": "0x7ff6c28b449a",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "GDI32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc77ed0000"
              },
              {
                "name": "FunctionName",
                "value": "D3DKMTReleaseKeyedMutex2"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc75a556b0"
              }
            ],
            "repeated": 0,
            "id": 14726
          },
          {
            "timestamp": "2026-05-28 22:01:58,631",
            "thread_id": "8604",
            "caller": "0x7ff6c28b449a",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "GDI32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc77ed0000"
              },
              {
                "name": "FunctionName",
                "value": "D3DKMTAcquireKeyedMutex2"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc75a54570"
              }
            ],
            "repeated": 0,
            "id": 14727
          },
          {
            "timestamp": "2026-05-28 22:01:58,631",
            "thread_id": "8604",
            "caller": "0x7ff6c28b449a",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "GDI32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc77ed0000"
              },
              {
                "name": "FunctionName",
                "value": "D3DKMTOpenKeyedMutex2"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc75a551f0"
              }
            ],
            "repeated": 0,
            "id": 14728
          },
          {
            "timestamp": "2026-05-28 22:01:58,631",
            "thread_id": "8604",
            "caller": "0x7ff6c28b449a",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "GDI32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc77ed0000"
              },
              {
                "name": "FunctionName",
                "value": "D3DKMTCreateKeyedMutex2"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc75a54890"
              }
            ],
            "repeated": 0,
            "id": 14729
          },
          {
            "timestamp": "2026-05-28 22:01:58,631",
            "thread_id": "8604",
            "caller": "0x7ff6c28b449a",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "GDI32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc77ed0000"
              },
              {
                "name": "FunctionName",
                "value": "D3DKMTOutputDuplPresent"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc75a553b0"
              }
            ],
            "repeated": 0,
            "id": 14730
          },
          {
            "timestamp": "2026-05-28 22:01:58,631",
            "thread_id": "8604",
            "caller": "0x7ff6c28b449a",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "GDI32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc77ed0000"
              },
              {
                "name": "FunctionName",
                "value": "D3DKMTQueryResourceInfoFromNtHandle"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc75a555d0"
              }
            ],
            "repeated": 0,
            "id": 14731
          },
          {
            "timestamp": "2026-05-28 22:01:58,631",
            "thread_id": "8604",
            "caller": "0x7ff6c28b449a",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "GDI32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc77ed0000"
              },
              {
                "name": "FunctionName",
                "value": "D3DKMTShareObjects"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc75a559f0"
              }
            ],
            "repeated": 0,
            "id": 14732
          },
          {
            "timestamp": "2026-05-28 22:01:58,631",
            "thread_id": "8604",
            "caller": "0x7ff6c28b449a",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "GDI32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc77ed0000"
              },
              {
                "name": "FunctionName",
                "value": "D3DKMTOpenNtHandleFromName"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc75a55230"
              }
            ],
            "repeated": 0,
            "id": 14733
          },
          {
            "timestamp": "2026-05-28 22:01:58,631",
            "thread_id": "8604",
            "caller": "0x7ff6c28b449a",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "GDI32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc77ed0000"
              },
              {
                "name": "FunctionName",
                "value": "D3DKMTOpenResourceFromNtHandle"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc75a55290"
              }
            ],
            "repeated": 0,
            "id": 14734
          },
          {
            "timestamp": "2026-05-28 22:01:58,631",
            "thread_id": "8604",
            "caller": "0x7ff6c28b449a",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "GDI32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc77ed0000"
              },
              {
                "name": "FunctionName",
                "value": "D3DKMTPinDirectFlipResources"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc77ed11c0"
              }
            ],
            "repeated": 0,
            "id": 14735
          },
          {
            "timestamp": "2026-05-28 22:01:58,631",
            "thread_id": "8604",
            "caller": "0x7ff6c28b449a",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "GDI32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc77ed0000"
              },
              {
                "name": "FunctionName",
                "value": "D3DKMTUnpinDirectFlipResources"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc77ed1180"
              }
            ],
            "repeated": 0,
            "id": 14736
          },
          {
            "timestamp": "2026-05-28 22:01:58,631",
            "thread_id": "8604",
            "caller": "0x7ff6c28b449a",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "GDI32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc77ed0000"
              },
              {
                "name": "FunctionName",
                "value": "D3DKMTSetContextInProcessSchedulingPriority"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc75a55790"
              }
            ],
            "repeated": 0,
            "id": 14737
          },
          {
            "timestamp": "2026-05-28 22:01:58,631",
            "thread_id": "8604",
            "caller": "0x7ff6c28b449a",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "GDI32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc77ed0000"
              },
              {
                "name": "FunctionName",
                "value": "D3DKMTGetContextInProcessSchedulingPriority"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc75a54cd0"
              }
            ],
            "repeated": 0,
            "id": 14738
          },
          {
            "timestamp": "2026-05-28 22:01:58,631",
            "thread_id": "8604",
            "caller": "0x7ff6c28b449a",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "GDI32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc77ed0000"
              },
              {
                "name": "FunctionName",
                "value": "D3DKMTOpenSyncObjectFromNtHandle"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc75a552d0"
              }
            ],
            "repeated": 0,
            "id": 14739
          },
          {
            "timestamp": "2026-05-28 22:01:58,631",
            "thread_id": "8604",
            "caller": "0x7ff6c28b449a",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "GDI32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc77ed0000"
              },
              {
                "name": "FunctionName",
                "value": "D3DKMTPresentMultiPlaneOverlay"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc75a55430"
              }
            ],
            "repeated": 0,
            "id": 14740
          },
          {
            "timestamp": "2026-05-28 22:01:58,631",
            "thread_id": "8604",
            "caller": "0x7ff6c28b449a",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "GDI32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc77ed0000"
              },
              {
                "name": "FunctionName",
                "value": "D3DKMTCheckMultiPlaneOverlaySupport"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc75a54670"
              }
            ],
            "repeated": 0,
            "id": 14741
          },
          {
            "timestamp": "2026-05-28 22:01:58,631",
            "thread_id": "8604",
            "caller": "0x7ff6c28b449a",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "GDI32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc77ed0000"
              },
              {
                "name": "FunctionName",
                "value": "D3DKMTSignalSynchronizationObject2"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc75a55a50"
              }
            ],
            "repeated": 0,
            "id": 14742
          },
          {
            "timestamp": "2026-05-28 22:01:58,631",
            "thread_id": "8604",
            "caller": "0x7ff6c28b449a",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "GDI32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc77ed0000"
              },
              {
                "name": "FunctionName",
                "value": "D3DKMTWaitForSynchronizationObject2"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc75a55c50"
              }
            ],
            "repeated": 0,
            "id": 14743
          },
          {
            "timestamp": "2026-05-28 22:01:58,631",
            "thread_id": "8604",
            "caller": "0x7ff6c28b449a",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "GDI32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc77ed0000"
              },
              {
                "name": "FunctionName",
                "value": "D3DKMTOpenSynchronizationObject"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc75a55330"
              }
            ],
            "repeated": 0,
            "id": 14744
          },
          {
            "timestamp": "2026-05-28 22:01:58,631",
            "thread_id": "8604",
            "caller": "0x7ff6c28b449a",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "GDI32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc77ed0000"
              },
              {
                "name": "FunctionName",
                "value": "D3DKMTCreateSynchronizationObject2"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc75a54950"
              }
            ],
            "repeated": 0,
            "id": 14745
          },
          {
            "timestamp": "2026-05-28 22:01:58,631",
            "thread_id": "8604",
            "caller": "0x7ff6c28b449a",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "GDI32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc77ed0000"
              },
              {
                "name": "FunctionName",
                "value": "D3DKMTReleaseKeyedMutex"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc75a55690"
              }
            ],
            "repeated": 0,
            "id": 14746
          },
          {
            "timestamp": "2026-05-28 22:01:58,631",
            "thread_id": "8604",
            "caller": "0x7ff6c28b449a",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "GDI32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc77ed0000"
              },
              {
                "name": "FunctionName",
                "value": "D3DKMTAcquireKeyedMutex"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc75a54550"
              }
            ],
            "repeated": 0,
            "id": 14747
          },
          {
            "timestamp": "2026-05-28 22:01:58,631",
            "thread_id": "8604",
            "caller": "0x7ff6c28b449a",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "GDI32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc77ed0000"
              },
              {
                "name": "FunctionName",
                "value": "D3DKMTDestroyKeyedMutex"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc75a54a70"
              }
            ],
            "repeated": 0,
            "id": 14748
          },
          {
            "timestamp": "2026-05-28 22:01:58,631",
            "thread_id": "8604",
            "caller": "0x7ff6c28b449a",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "GDI32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc77ed0000"
              },
              {
                "name": "FunctionName",
                "value": "D3DKMTOpenKeyedMutex"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc75a551d0"
              }
            ],
            "repeated": 0,
            "id": 14749
          },
          {
            "timestamp": "2026-05-28 22:01:58,631",
            "thread_id": "8604",
            "caller": "0x7ff6c28b449a",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "GDI32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc77ed0000"
              },
              {
                "name": "FunctionName",
                "value": "D3DKMTCreateKeyedMutex"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc75a54870"
              }
            ],
            "repeated": 0,
            "id": 14750
          },
          {
            "timestamp": "2026-05-28 22:01:58,631",
            "thread_id": "8604",
            "caller": "0x7ff6c28b449a",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "GDI32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc77ed0000"
              },
              {
                "name": "FunctionName",
                "value": "D3DKMTOpenResource2"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc75a55270"
              }
            ],
            "repeated": 0,
            "id": 14751
          },
          {
            "timestamp": "2026-05-28 22:01:58,631",
            "thread_id": "8604",
            "caller": "0x7ff6c28b449a",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "GDI32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc77ed0000"
              },
              {
                "name": "FunctionName",
                "value": "D3DKMTCreateAllocation2"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc75a54770"
              }
            ],
            "repeated": 0,
            "id": 14752
          },
          {
            "timestamp": "2026-05-28 22:01:58,631",
            "thread_id": "8604",
            "caller": "0x7ff6c28b449a",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "GDI32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc77ed0000"
              },
              {
                "name": "FunctionName",
                "value": "D3DKMTConfigureSharedResource"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc75a54750"
              }
            ],
            "repeated": 0,
            "id": 14753
          },
          {
            "timestamp": "2026-05-28 22:01:58,631",
            "thread_id": "8604",
            "caller": "0x7ff6c28b449a",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "GDI32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc77ed0000"
              },
              {
                "name": "FunctionName",
                "value": "D3DKMTSetQueuedLimit"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc75a55910"
              }
            ],
            "repeated": 0,
            "id": 14754
          },
          {
            "timestamp": "2026-05-28 22:01:58,631",
            "thread_id": "8604",
            "caller": "0x7ff6c28b449a",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "GDI32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc77ed0000"
              },
              {
                "name": "FunctionName",
                "value": "D3DKMTGetMultisampleMethodList"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc75a54db0"
              }
            ],
            "repeated": 0,
            "id": 14755
          },
          {
            "timestamp": "2026-05-28 22:01:58,631",
            "thread_id": "8604",
            "caller": "0x7ff6c28b449a",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "GDI32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc77ed0000"
              },
              {
                "name": "FunctionName",
                "value": "D3DKMTQueryAdapterInfo"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc75a554b0"
              }
            ],
            "repeated": 0,
            "id": 14756
          },
          {
            "timestamp": "2026-05-28 22:01:58,631",
            "thread_id": "8604",
            "caller": "0x7ff6c28b449a",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "GDI32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc77ed0000"
              },
              {
                "name": "FunctionName",
                "value": "D3DKMTSetDisplayPrivateDriverFormat"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc77edd550"
              }
            ],
            "repeated": 0,
            "id": 14757
          },
          {
            "timestamp": "2026-05-28 22:01:58,631",
            "thread_id": "8604",
            "caller": "0x7ff6c28b449a",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "GDI32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc77ed0000"
              },
              {
                "name": "FunctionName",
                "value": "D3DKMTDestroySynchronizationObject"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc75a54b10"
              }
            ],
            "repeated": 0,
            "id": 14758
          },
          {
            "timestamp": "2026-05-28 22:01:58,631",
            "thread_id": "8604",
            "caller": "0x7ff6c28b449a",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "GDI32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc77ed0000"
              },
              {
                "name": "FunctionName",
                "value": "D3DKMTCreateSynchronizationObject"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc77ed4cf0"
              }
            ],
            "repeated": 0,
            "id": 14759
          },
          {
            "timestamp": "2026-05-28 22:01:58,631",
            "thread_id": "8604",
            "caller": "0x7ff6c28b449a",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "GDI32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc77ed0000"
              },
              {
                "name": "FunctionName",
                "value": "D3DKMTDestroyContext"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc75a549d0"
              }
            ],
            "repeated": 0,
            "id": 14760
          },
          {
            "timestamp": "2026-05-28 22:01:58,631",
            "thread_id": "8604",
            "caller": "0x7ff6c28b449a",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "GDI32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc77ed0000"
              },
              {
                "name": "FunctionName",
                "value": "D3DKMTCreateContext"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc75a547b0"
              }
            ],
            "repeated": 0,
            "id": 14761
          },
          {
            "timestamp": "2026-05-28 22:01:58,631",
            "thread_id": "8604",
            "caller": "0x7ff6c28b449a",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "GDI32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc77ed0000"
              },
              {
                "name": "FunctionName",
                "value": "D3DKMTGetContextSchedulingPriority"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc75a54cf0"
              }
            ],
            "repeated": 0,
            "id": 14762
          },
          {
            "timestamp": "2026-05-28 22:01:58,631",
            "thread_id": "8604",
            "caller": "0x7ff6c28b449a",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "GDI32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc77ed0000"
              },
              {
                "name": "FunctionName",
                "value": "D3DKMTSetContextSchedulingPriority"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc75a557b0"
              }
            ],
            "repeated": 0,
            "id": 14763
          },
          {
            "timestamp": "2026-05-28 22:01:58,631",
            "thread_id": "8604",
            "caller": "0x7ff6c28b449a",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "GDI32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc77ed0000"
              },
              {
                "name": "FunctionName",
                "value": "D3DKMTPresent"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc75a55410"
              }
            ],
            "repeated": 0,
            "id": 14764
          },
          {
            "timestamp": "2026-05-28 22:01:58,631",
            "thread_id": "8604",
            "caller": "0x7ff6c28b449a",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "GDI32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc77ed0000"
              },
              {
                "name": "FunctionName",
                "value": "D3DKMTDestroyDevice"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc75a54a10"
              }
            ],
            "repeated": 0,
            "id": 14765
          },
          {
            "timestamp": "2026-05-28 22:01:58,631",
            "thread_id": "8604",
            "caller": "0x7ff6c28b449a",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "GDI32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc77ed0000"
              },
              {
                "name": "FunctionName",
                "value": "D3DKMTCreateDevice"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc75a54810"
              }
            ],
            "repeated": 0,
            "id": 14766
          },
          {
            "timestamp": "2026-05-28 22:01:58,631",
            "thread_id": "8604",
            "caller": "0x7ff6c28b449a",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "GDI32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc77ed0000"
              },
              {
                "name": "FunctionName",
                "value": "D3DKMTQueryAllocationResidency"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc75a554d0"
              }
            ],
            "repeated": 0,
            "id": 14767
          },
          {
            "timestamp": "2026-05-28 22:01:58,631",
            "thread_id": "8604",
            "caller": "0x7ff6c28b449a",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "GDI32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc77ed0000"
              },
              {
                "name": "FunctionName",
                "value": "D3DKMTSetAllocationPriority"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc75a55770"
              }
            ],
            "repeated": 0,
            "id": 14768
          },
          {
            "timestamp": "2026-05-28 22:01:58,631",
            "thread_id": "8604",
            "caller": "0x7ff6c28b449a",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "GDI32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc77ed0000"
              },
              {
                "name": "FunctionName",
                "value": "D3DKMTDestroyAllocation"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc75a54990"
              }
            ],
            "repeated": 0,
            "id": 14769
          },
          {
            "timestamp": "2026-05-28 22:01:58,631",
            "thread_id": "8604",
            "caller": "0x7ff6c28b449a",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "GDI32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc77ed0000"
              },
              {
                "name": "FunctionName",
                "value": "D3DKMTOpenResource"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc77ed4680"
              }
            ],
            "repeated": 0,
            "id": 14770
          },
          {
            "timestamp": "2026-05-28 22:01:58,631",
            "thread_id": "8604",
            "caller": "0x7ff6c28b449a",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "GDI32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc77ed0000"
              },
              {
                "name": "FunctionName",
                "value": "D3DKMTQueryResourceInfo"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc75a555b0"
              }
            ],
            "repeated": 0,
            "id": 14771
          },
          {
            "timestamp": "2026-05-28 22:01:58,631",
            "thread_id": "8604",
            "caller": "0x7ff6c28b449a",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "GDI32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc77ed0000"
              },
              {
                "name": "FunctionName",
                "value": "D3DKMTCreateAllocation"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc77ed3800"
              }
            ],
            "repeated": 0,
            "id": 14772
          },
          {
            "timestamp": "2026-05-28 22:01:58,631",
            "thread_id": "8604",
            "caller": "0x7ff6c28b449a",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "GDI32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc77ed0000"
              },
              {
                "name": "FunctionName",
                "value": "D3DKMTGetDeviceState"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc75a54d30"
              }
            ],
            "repeated": 0,
            "id": 14773
          },
          {
            "timestamp": "2026-05-28 22:01:58,631",
            "thread_id": "8604",
            "caller": "0x7ff6c28b449a",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "GDI32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc77ed0000"
              },
              {
                "name": "FunctionName",
                "value": "D3DKMTSetDisplayMode"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc75a557d0"
              }
            ],
            "repeated": 0,
            "id": 14774
          },
          {
            "timestamp": "2026-05-28 22:01:58,631",
            "thread_id": "8604",
            "caller": "0x7ff6c28b449a",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "GDI32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc77ed0000"
              },
              {
                "name": "FunctionName",
                "value": "D3DKMTSignalSynchronizationObject"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc77edd570"
              }
            ],
            "repeated": 0,
            "id": 14775
          },
          {
            "timestamp": "2026-05-28 22:01:58,631",
            "thread_id": "8604",
            "caller": "0x7ff6c28b449a",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "GDI32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc77ed0000"
              },
              {
                "name": "FunctionName",
                "value": "D3DKMTWaitForSynchronizationObject"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc77edd630"
              }
            ],
            "repeated": 0,
            "id": 14776
          },
          {
            "timestamp": "2026-05-28 22:01:58,631",
            "thread_id": "8604",
            "caller": "0x7ff6c28b449a",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "GDI32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc77ed0000"
              },
              {
                "name": "FunctionName",
                "value": "D3DKMTEscape"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc75a54bd0"
              }
            ],
            "repeated": 0,
            "id": 14777
          },
          {
            "timestamp": "2026-05-28 22:01:58,631",
            "thread_id": "8604",
            "caller": "0x7ff6c28b449a",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "GDI32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc77ed0000"
              },
              {
                "name": "FunctionName",
                "value": "D3DKMTUnlock"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc75a55b90"
              }
            ],
            "repeated": 0,
            "id": 14778
          },
          {
            "timestamp": "2026-05-28 22:01:58,631",
            "thread_id": "8604",
            "caller": "0x7ff6c28b449a",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "GDI32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc77ed0000"
              },
              {
                "name": "FunctionName",
                "value": "D3DKMTLock"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc75a54ff0"
              }
            ],
            "repeated": 0,
            "id": 14779
          },
          {
            "timestamp": "2026-05-28 22:01:58,631",
            "thread_id": "8604",
            "caller": "0x7ff6c28b449a",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "GDI32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc77ed0000"
              },
              {
                "name": "FunctionName",
                "value": "D3DKMTRender"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc75a55730"
              }
            ],
            "repeated": 0,
            "id": 14780
          },
          {
            "timestamp": "2026-05-28 22:01:58,631",
            "thread_id": "8604",
            "caller": "0x7ff6c28b449a",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\system32\\d3d10warp"
              },
              {
                "name": "DllBase",
                "value": "0x7ffc6e3b0000"
              }
            ],
            "repeated": 0,
            "id": 14781
          },
          {
            "timestamp": "2026-05-28 22:01:58,631",
            "thread_id": "8604",
            "caller": "0x7ff6c28b449a",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "d3d10warp.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc6e3b0000"
              }
            ],
            "repeated": 0,
            "id": 14782
          },
          {
            "timestamp": "2026-05-28 22:01:58,631",
            "thread_id": "8604",
            "caller": "0x7ff6c28b449a",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x7ffc6e3b0000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "d3d10warp.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 14783
          },
          {
            "timestamp": "2026-05-28 22:01:58,631",
            "thread_id": "8604",
            "caller": "0x7ff6c28b449a",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "d3d10warp.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc6e3b0000"
              },
              {
                "name": "FunctionName",
                "value": "OpenAdapter10_2"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc6e3fd230"
              }
            ],
            "repeated": 0,
            "id": 14784
          },
          {
            "timestamp": "2026-05-28 22:01:58,631",
            "thread_id": "8604",
            "caller": "0x7ff6c28b449a",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "misc",
            "api": "GetSystemInfo",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 1,
            "id": 14785
          },
          {
            "timestamp": "2026-05-28 22:01:58,631",
            "thread_id": "8604",
            "caller": "0x7ff6c28b449a",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc718dc000"
              },
              {
                "name": "ModuleName",
                "value": "d3d11.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 14786
          },
          {
            "timestamp": "2026-05-28 22:01:58,631",
            "thread_id": "8604",
            "caller": "0x7ff6c28b449a",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc718dc000"
              },
              {
                "name": "ModuleName",
                "value": "d3d11.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 14787
          },
          {
            "timestamp": "2026-05-28 22:01:58,631",
            "thread_id": "8604",
            "caller": "0x7ff6c28b449a",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "misc",
            "api": "NtQuerySystemInformation",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SystemInformationClass",
                "value": "164"
              }
            ],
            "repeated": 0,
            "id": 14788
          },
          {
            "timestamp": "2026-05-28 22:01:58,631",
            "thread_id": "8604",
            "caller": "0x7ff6c28b449a",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000a30"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020119",
                "pretty_value": "KEY_QUERY_VALUE|KEY_ENUMERATE_SUB_KEYS|KEY_NOTIFY|KEY_WOW64_64KEY|STANDARD_RIGHTS_REQUIRED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\SOFTWARE\\Policies\\Microsoft\\Windows\\Appx"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Appx"
              }
            ],
            "repeated": 0,
            "id": 14789
          },
          {
            "timestamp": "2026-05-28 22:01:58,631",
            "thread_id": "8604",
            "caller": "0x7ff6c28b449a",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a30"
              }
            ],
            "repeated": 0,
            "id": 14790
          },
          {
            "timestamp": "2026-05-28 22:01:58,631",
            "thread_id": "8604",
            "caller": "0x7ff6c28b449a",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000a30"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020119",
                "pretty_value": "KEY_QUERY_VALUE|KEY_ENUMERATE_SUB_KEYS|KEY_NOTIFY|KEY_WOW64_64KEY|STANDARD_RIGHTS_REQUIRED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModelUnlock"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModelUnlock"
              }
            ],
            "repeated": 0,
            "id": 14791
          },
          {
            "timestamp": "2026-05-28 22:01:58,631",
            "thread_id": "8604",
            "caller": "0x7ff6c28b449a",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a30"
              }
            ],
            "repeated": 0,
            "id": 14792
          },
          {
            "timestamp": "2026-05-28 22:01:58,631",
            "thread_id": "8604",
            "caller": "0x7ff6c28b449a",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a20"
              }
            ],
            "repeated": 0,
            "id": 14793
          },
          {
            "timestamp": "2026-05-28 22:01:58,631",
            "thread_id": "8604",
            "caller": "0x7ff6c28b449a",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a34"
              }
            ],
            "repeated": 0,
            "id": 14794
          },
          {
            "timestamp": "2026-05-28 22:01:58,631",
            "thread_id": "8604",
            "caller": "0x7ff6c28b449a",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc77fd0000"
              },
              {
                "name": "FunctionName",
                "value": "RtlUnregisterFeatureConfigurationChangeNotification"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc7804eec0"
              }
            ],
            "repeated": 0,
            "id": 14795
          },
          {
            "timestamp": "2026-05-28 22:01:58,631",
            "thread_id": "8604",
            "caller": "0x7ff6c28b449a",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc77fd0000"
              },
              {
                "name": "FunctionName",
                "value": "RtlUnsubscribeWnfNotificationWaitForCompletion"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc78032650"
              }
            ],
            "repeated": 0,
            "id": 14796
          },
          {
            "timestamp": "2026-05-28 22:01:58,631",
            "thread_id": "8604",
            "caller": "0x7ff6c28b449a",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "unload"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\system32\\d3d10warp"
              },
              {
                "name": "DllBase",
                "value": "0x7ffc6e3b0000"
              }
            ],
            "repeated": 0,
            "id": 14797
          },
          {
            "timestamp": "2026-05-28 22:01:58,631",
            "thread_id": "8604",
            "caller": "0x7ff6c28b449a",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc6e3b0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              }
            ],
            "repeated": 0,
            "id": 14798
          },
          {
            "timestamp": "2026-05-28 22:01:58,631",
            "thread_id": "8604",
            "caller": "0x7ff6c28b4535",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "gdi32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc77ed0000"
              }
            ],
            "repeated": 0,
            "id": 14799
          },
          {
            "timestamp": "2026-05-28 22:01:58,631",
            "thread_id": "8604",
            "caller": "0x7ff6c28b4535",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x7ffc77ed0000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "gdi32.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 14800
          },
          {
            "timestamp": "2026-05-28 22:01:58,631",
            "thread_id": "8604",
            "caller": "0x7ff6c28b4535",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "GDI32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc77ed0000"
              },
              {
                "name": "FunctionName",
                "value": "D3DKMTCloseAdapter"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc75a54730"
              }
            ],
            "repeated": 0,
            "id": 14801
          },
          {
            "timestamp": "2026-05-28 22:01:58,631",
            "thread_id": "8604",
            "caller": "0x7ff6c28b459f",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "device",
            "api": "DeviceIoControl",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "DeviceHandle",
                "value": "0x00000a18"
              },
              {
                "name": "IoControlCode",
                "value": "0x0047080c"
              },
              {
                "name": "InBuffer",
                "value": ""
              },
              {
                "name": "OutBuffer",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 14802
          },
          {
            "timestamp": "2026-05-28 22:01:58,631",
            "thread_id": "8604",
            "caller": "0x7ff6c28b459f",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a18"
              }
            ],
            "repeated": 0,
            "id": 14803
          },
          {
            "timestamp": "2026-05-28 22:01:58,631",
            "thread_id": "8604",
            "caller": "0x7ff6c28b45d2",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\system32\\DEVOBJ"
              },
              {
                "name": "DllBase",
                "value": "0x7ffc753d0000"
              }
            ],
            "repeated": 0,
            "id": 14804
          },
          {
            "timestamp": "2026-05-28 22:01:58,631",
            "thread_id": "8604",
            "caller": "0x7ff6c28b45d2",
            "parentcaller": "0x7ff6c28cba3b",
            "category": "misc",
            "api": "SetupDiGetClassDevsW",
            "status": true,
            "return": "0x292548c2060",
            "arguments": [
              {
                "name": "ClassGuid",
                "value": "4D36E968-E325-11CE-BFC1-08002BE10318"
              },
              {
                "name": "Known",
                "value": "Display"
              }
            ],
            "repeated": 0,
            "id": 14805
          },
          {
            "timestamp": "2026-05-28 22:01:58,631",
            "thread_id": "8604",
            "caller": "0x7ff6c28b588a",
            "parentcaller": "0x7ff6c28b4666",
            "category": "device",
            "api": "DeviceIoControl",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "DeviceHandle",
                "value": "0x00000230"
              },
              {
                "name": "IoControlCode",
                "value": "0x00470813"
              },
              {
                "name": "InBuffer",
                "value": "H\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00`\\xf0O\\x9e\\xf0\\x00\\x00\\x00z\\x00\\x00\\x00\\xcb\\x93\\xb1`vR\\x0fM\\x96\\xfc\\xf1s\\xab\\xad>\\xc6\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x14\\x00\\x00\\x00"
              },
              {
                "name": "OutBuffer",
                "value": "\\x14\\x00\\x00\\x00#\\x00\\x00\\xc0\\x08\\x00\\x00\\x00\t\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 14806
          },
          {
            "timestamp": "2026-05-28 22:01:58,631",
            "thread_id": "8604",
            "caller": "0x7ff6c28b58e2",
            "parentcaller": "0x7ff6c28b4666",
            "category": "device",
            "api": "DeviceIoControl",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "DeviceHandle",
                "value": "0x00000230"
              },
              {
                "name": "IoControlCode",
                "value": "0x00470813"
              },
              {
                "name": "InBuffer",
                "value": "H\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00`\\xf0O\\x9e\\xf0\\x00\\x00\\x00z\\x00\\x00\\x00\\xcb\\x93\\xb1`vR\\x0fM\\x96\\xfc\\xf1s\\xab\\xad>\\xc6\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x14\\x00\\x00\\x00"
              },
              {
                "name": "OutBuffer",
                "value": "\\x14\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x08\\x00\\x00\\x00\t\\x00\\x00\\x00\\xb4`\\x00\\x00\\x00\\x00\\x00\\x00\\x83{\\xac\\xd6"
              }
            ],
            "repeated": 0,
            "id": 14807
          },
          {
            "timestamp": "2026-05-28 22:01:58,631",
            "thread_id": "8604",
            "caller": "0x7ff6c28d1377",
            "parentcaller": "0x7ff6c28d131e",
            "category": "windows",
            "api": "PostMessageW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "WindowHandle",
                "value": "0x000203fa"
              },
              {
                "name": "Message",
                "value": "0x000004e5"
              }
            ],
            "repeated": 0,
            "id": 14808
          },
          {
            "timestamp": "2026-05-28 22:01:58,631",
            "thread_id": "5448",
            "caller": "0x7ff6c28bd9af",
            "parentcaller": "0x7ff6c28d9f92",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "23"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x1c\\xad\\xee)\\x00\\x00\\x00\\x00j9\\x91\\x12@\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "5448"
              }
            ],
            "repeated": 0,
            "id": 14809
          },
          {
            "timestamp": "2026-05-28 22:01:58,631",
            "thread_id": "8604",
            "caller": "0x7ff6c28c4a58",
            "parentcaller": "0x7ff6c28bab11",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000410"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\PcwDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00224013"
              },
              {
                "name": "InputBuffer",
                "value": "\\x88\\x08\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": "x\\x02\\x00\\x00\\x10\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00h\\x02\\x00\\x00 \\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01<\\x06\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x90\\x00\\x00\\x00\\x00\\x00\\x00\\x00 \\x00\\x00\\x00\\x07\\x00\\x00\\x000\\x00,\\x000\\x00\\x00\\x00a\\x00n\\x00a\\x00g\\x00\\x10\\x00\\x00\\x00\\x10\\x00\\x04\\x00\\x00\\x00\\x00\\x00A\\x00p\\x00\\x10\\x00\\x00\\x00\\x1a\\x00\\x08\\x00$*\\x84~\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x1b\\x00\\x04\\x00\\xac\\xd0\\x93\\x02S\\x00e\\x00\\x10\\x00\\x00\\x00\\x1c\\x00\\x08\\x00\\x0bD\\xc2\\x08\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x1d\\x00\\x04\\x00\\xac\\xd0\\x93\\x02)\\x00\\x00\\x00\\x10\\x00\\x00\\x00!\\x00\\x08\\x00k\\xbfc7\\x12\\x00\\x00\\x00\\x10\\x00\\x00\\x00\"\\x00\\x04\\x00\\xb3\\xe1C\\x01o\\x00f\\x00\\x90\\x00\\x00\\x00\\x01\\x00\\x00\\x00 \\x00\\x00\\x00\\x07\\x00\\x00\\x000\\x00,\\x001\\x00\\x00\\x00n\\x00t\\x00\\x00\\x00A\\x00\\x10\\x00\\x00\\x00\\x10\\x00\\x04\\x00\\x00\\x00\\x00\\x00e\\x00n\\x00\\x10\\x00\\x00\\x00\\x1a\\x00\\x08\\x00\\xa2hr~\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 14810
          },
          {
            "timestamp": "2026-05-28 22:01:58,631",
            "thread_id": "8604",
            "caller": "0x7ff6c28c7164",
            "parentcaller": "0x7ff6c28c4d2d",
            "category": "misc",
            "api": "NtQuerySystemInformation",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "SystemInformationClass",
                "value": "79"
              }
            ],
            "repeated": 0,
            "id": 14811
          },
          {
            "timestamp": "2026-05-28 22:01:58,631",
            "thread_id": "8604",
            "caller": "0x7ff6c28c71d8",
            "parentcaller": "0x7ff6c28c4d2d",
            "category": "misc",
            "api": "NtQuerySystemInformation",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SystemInformationClass",
                "value": "79"
              }
            ],
            "repeated": 0,
            "id": 14812
          },
          {
            "timestamp": "2026-05-28 22:01:58,631",
            "thread_id": "8604",
            "caller": "0x7ff6c28c4d5f",
            "parentcaller": "0x7ff6c28d9152",
            "category": "misc",
            "api": "NtQuerySystemInformation",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SystemInformationClass",
                "value": "182"
              }
            ],
            "repeated": 0,
            "id": 14813
          },
          {
            "timestamp": "2026-05-28 22:01:58,631",
            "thread_id": "8604",
            "caller": "0x7ff6c28c4d76",
            "parentcaller": "0x7ff6c28d9152",
            "category": "misc",
            "api": "GetPhysicallyInstalledSystemMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TotalMemoryInKilobytes",
                "value": "8388608"
              }
            ],
            "repeated": 0,
            "id": 14814
          },
          {
            "timestamp": "2026-05-28 22:01:58,631",
            "thread_id": "8604",
            "caller": "0x7ff6c2910b2c",
            "parentcaller": "0x7ff6c28bac26",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000410"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\PcwDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00224013"
              },
              {
                "name": "InputBuffer",
                "value": "\\x8c\\x08\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 14815
          },
          {
            "timestamp": "2026-05-28 22:01:58,631",
            "thread_id": "8604",
            "caller": "0x7ff6c2910b2c",
            "parentcaller": "0x7ff6c28bac26",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000410"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\PcwDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00224013"
              },
              {
                "name": "InputBuffer",
                "value": "\\x8c\\x08\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": "0\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00 \\x00\\x00\\x00 \\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 14816
          },
          {
            "timestamp": "2026-05-28 22:01:58,631",
            "thread_id": "8604",
            "caller": "0x7ff6c28b79b3",
            "parentcaller": "0x7ff6c28bd257",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\SYSTEM32\\dhcpcsvc6"
              },
              {
                "name": "DllBase",
                "value": "0x7ffc6e0c0000"
              }
            ],
            "repeated": 0,
            "id": 14817
          },
          {
            "timestamp": "2026-05-28 22:01:58,631",
            "thread_id": "5448",
            "caller": "0x7ff6c28c63dd",
            "parentcaller": "0x7ff6c28bac26",
            "category": "misc",
            "api": "NtQuerySystemInformation",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SystemInformationClass",
                "value": "5",
                "pretty_value": "SystemProcessInformation"
              }
            ],
            "repeated": 0,
            "id": 14818
          },
          {
            "timestamp": "2026-05-28 22:01:58,631",
            "thread_id": "5448",
            "caller": "0x7ff6c28bda50",
            "parentcaller": "0x7ff6c28d9f92",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "23"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x98T3*\\x00\\x00\\x00\\x00.+\\xdd\\x12@\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "5448"
              }
            ],
            "repeated": 0,
            "id": 14819
          },
          {
            "timestamp": "2026-05-28 22:01:58,631",
            "thread_id": "5448",
            "caller": "0x7ff6c28bdaa2",
            "parentcaller": "0x7ff6c28d9f92",
            "category": "misc",
            "api": "NtQuerySystemInformation",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SystemInformationClass",
                "value": "3",
                "pretty_value": "SystemTimeOfDayInformation"
              }
            ],
            "repeated": 0,
            "id": 14820
          },
          {
            "timestamp": "2026-05-28 22:01:58,631",
            "thread_id": "5448",
            "caller": "0x7ff6c28b50a7",
            "parentcaller": "0x7ff6c28b501f",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "COMCTL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc61e00000"
              },
              {
                "name": "FunctionName",
                "value": "DPA_DestroyCallback"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc61e8e470"
              }
            ],
            "repeated": 0,
            "id": 14821
          },
          {
            "timestamp": "2026-05-28 22:01:58,631",
            "thread_id": "1276",
            "caller": "0x7ff6c28dd1db",
            "parentcaller": "0x00000000",
            "category": "process",
            "api": "NtUnmapViewOfSectionEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254af0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00100000"
              },
              {
                "name": "Flags",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 14822
          },
          {
            "timestamp": "2026-05-28 22:01:58,631",
            "thread_id": "5448",
            "caller": "0x7ff6c28dbfb9",
            "parentcaller": "0x7ff6c28c78e8",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254a5e000"
              },
              {
                "name": "RegionSize",
                "value": "0x00051000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 14823
          },
          {
            "timestamp": "2026-05-28 22:01:58,631",
            "thread_id": "1276",
            "caller": "0x7ff6c28dd1db",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000808"
              }
            ],
            "repeated": 0,
            "id": 14824
          },
          {
            "timestamp": "2026-05-28 22:01:58,631",
            "thread_id": "1276",
            "caller": "0x7ff6c28dd1db",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000610"
              }
            ],
            "repeated": 0,
            "id": 14825
          },
          {
            "timestamp": "2026-05-28 22:01:58,631",
            "thread_id": "5448",
            "caller": "0x7ff6c28dbfb9",
            "parentcaller": "0x7ff6c28c78e8",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254a33000"
              },
              {
                "name": "RegionSize",
                "value": "0x00029000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 14826
          },
          {
            "timestamp": "2026-05-28 22:01:58,631",
            "thread_id": "5448",
            "caller": "0x7ff6c28dbfb9",
            "parentcaller": "0x7ff6c28c78e8",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x292549a8000"
              },
              {
                "name": "RegionSize",
                "value": "0x00023000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 14827
          },
          {
            "timestamp": "2026-05-28 22:01:58,631",
            "thread_id": "5448",
            "caller": "0x00000000",
            "parentcaller": "0x00000000",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2925498e000"
              },
              {
                "name": "RegionSize",
                "value": "0x00012000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 14828
          },
          {
            "timestamp": "2026-05-28 22:01:58,631",
            "thread_id": "5448",
            "caller": "0x7ff6c28dbfb9",
            "parentcaller": "0x7ff6c28c78e8",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254982000"
              },
              {
                "name": "RegionSize",
                "value": "0x00007000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 14829
          },
          {
            "timestamp": "2026-05-28 22:01:58,646",
            "thread_id": "5448",
            "caller": "0x7ff6c28dbfb9",
            "parentcaller": "0x7ff6c28c78e8",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254a05000"
              },
              {
                "name": "RegionSize",
                "value": "0x00003000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 14830
          },
          {
            "timestamp": "2026-05-28 22:01:58,646",
            "thread_id": "5448",
            "caller": "0x7ff6c28dbfb9",
            "parentcaller": "0x7ff6c28c78e8",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x292541f5000"
              },
              {
                "name": "RegionSize",
                "value": "0x00003000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 14831
          },
          {
            "timestamp": "2026-05-28 22:01:58,646",
            "thread_id": "5448",
            "caller": "0x7ff6c28dbfb9",
            "parentcaller": "0x7ff6c28c78e8",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254ac5000"
              },
              {
                "name": "RegionSize",
                "value": "0x00002000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 14832
          },
          {
            "timestamp": "2026-05-28 22:01:58,646",
            "thread_id": "5448",
            "caller": "0x7ff6c28c4a58",
            "parentcaller": "0x7ff6c28c4bdc",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000410"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\PcwDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00224013"
              },
              {
                "name": "InputBuffer",
                "value": "\\x14\\x04\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": "\\xb8\\x01\\x00\\x00\\x10\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xa8\\x01\\x00\\x00 \\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x000\\x00\\x00\\x0c\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00`\\x00\\x00\\x00\\x00\\x00\\x00\\x00 \\x00\\x00\\x00\\x04\\x00\\x00\\x000\\x00,\\x000\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x04\\x00\\x08\\x00j\\xc0a\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x05\\x00\\x08\\x00v\\xddA\\x01\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x1a\\x00\\x08\\x00\\xa4\\xa8\\x86~\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x1b\\x00\\x04\\x00\\x0e\\xd7\\x93\\x02\\x00\\x00\\x00\\x00`\\x00\\x00\\x00\\x01\\x00\\x00\\x00 \\x00\\x00\\x00\\x04\\x00\\x00\\x000\\x00,\\x001\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x04\\x00\\x08\\x00h\\xb6:\\x01\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x05\\x00\\x08\\x00\\xc2\\xeb\\x0b\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x1a\\x00\\x08\\x00\"\\xe7t~\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x1b\\x00\\x04\\x00\\x12\\xd7\\x93\\x02\\x00\\x00\\x00\\x00h\\x00\\x00\\x00\\x02\\x00\\x00\\x00(\\x00\\x00\\x00\\x04\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 14833
          },
          {
            "timestamp": "2026-05-28 22:01:58,646",
            "thread_id": "5448",
            "caller": "0x7ff6c28c4a58",
            "parentcaller": "0x7ff6c28c4c19",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000410"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\PcwDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00224013"
              },
              {
                "name": "InputBuffer",
                "value": "\\x18\\x04\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": "x\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00h\\x00\\x00\\x00 \\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00H\\x00\\x00\\x00\\x00\\x00\\x00\\x00(\\x00\\x00\\x00\\x02\\x00\\x00\\x00d\\x00e\\x00f\\x00a\\x00u\\x00l\\x00t\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x08\\x00\\x1bz\\xc3\\x88\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x01\\x00\\x08\\x00\\x00\\xbe+\n\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 14834
          },
          {
            "timestamp": "2026-05-28 22:01:58,646",
            "thread_id": "5448",
            "caller": "0x7ff6c28c6f7b",
            "parentcaller": "0x7ff6c28bdb94",
            "category": "misc",
            "api": "GlobalMemoryStatusEx",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "MemoryLoad",
                "value": "32"
              },
              {
                "name": "TotalPhysicalMB",
                "value": "8191"
              }
            ],
            "repeated": 0,
            "id": 14835
          },
          {
            "timestamp": "2026-05-28 22:01:58,646",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29257f80002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\system32\\ntoskrnl.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 14836
          },
          {
            "timestamp": "2026-05-28 22:01:58,646",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29257f80000"
              },
              {
                "name": "RegionSize",
                "value": "0x01046000"
              }
            ],
            "repeated": 0,
            "id": 14837
          },
          {
            "timestamp": "2026-05-28 22:01:58,646",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29257f80002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\system32\\ntoskrnl.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 14838
          },
          {
            "timestamp": "2026-05-28 22:01:58,646",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29257f80000"
              },
              {
                "name": "RegionSize",
                "value": "0x01046000"
              }
            ],
            "repeated": 0,
            "id": 14839
          },
          {
            "timestamp": "2026-05-28 22:01:58,646",
            "thread_id": "5448",
            "caller": "0x7ff6c28c05ac",
            "parentcaller": "0x7ff6c28bdc11",
            "category": "process",
            "api": "NtOpenProcess",
            "status": false,
            "return": "0xffffffffc0000022",
            "pretty_return": "ACCESS_DENIED",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x2924e26cd50"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001400",
                "pretty_value": "PROCESS_QUERY_INFORMATION|PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "336"
              }
            ],
            "repeated": 0,
            "id": 14840
          },
          {
            "timestamp": "2026-05-28 22:01:58,646",
            "thread_id": "8604",
            "caller": "0x7ff6c28b79b3",
            "parentcaller": "0x7ff6c28bd257",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\SYSTEM32\\dhcpcsvc"
              },
              {
                "name": "DllBase",
                "value": "0x7ffc6e0a0000"
              }
            ],
            "repeated": 0,
            "id": 14841
          },
          {
            "timestamp": "2026-05-28 22:01:58,646",
            "thread_id": "1276",
            "caller": "0x7ff6c28dd1db",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000007c4"
              }
            ],
            "repeated": 0,
            "id": 14842
          },
          {
            "timestamp": "2026-05-28 22:01:58,646",
            "thread_id": "1276",
            "caller": "0x7ff6c28dd1db",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000007c8"
              }
            ],
            "repeated": 0,
            "id": 14843
          },
          {
            "timestamp": "2026-05-28 22:01:58,646",
            "thread_id": "1276",
            "caller": "0x7ff6c28dd1db",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000007cc"
              }
            ],
            "repeated": 0,
            "id": 14844
          },
          {
            "timestamp": "2026-05-28 22:01:58,646",
            "thread_id": "1276",
            "caller": "0x7ff6c28dd1db",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000007d8"
              }
            ],
            "repeated": 0,
            "id": 14845
          },
          {
            "timestamp": "2026-05-28 22:01:58,646",
            "thread_id": "1276",
            "caller": "0x7ff6c28dd1db",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000007dc"
              }
            ],
            "repeated": 0,
            "id": 14846
          },
          {
            "timestamp": "2026-05-28 22:01:58,646",
            "thread_id": "1276",
            "caller": "0x7ff6c28dd1db",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000007e0"
              }
            ],
            "repeated": 0,
            "id": 14847
          },
          {
            "timestamp": "2026-05-28 22:01:58,646",
            "thread_id": "1276",
            "caller": "0x7ff6c28dd1db",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000007e4"
              }
            ],
            "repeated": 0,
            "id": 14848
          },
          {
            "timestamp": "2026-05-28 22:01:58,646",
            "thread_id": "1276",
            "caller": "0x7ff6c28dd1db",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000007e8"
              }
            ],
            "repeated": 0,
            "id": 14849
          },
          {
            "timestamp": "2026-05-28 22:01:58,646",
            "thread_id": "1276",
            "caller": "0x7ff6c28dd1db",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000007ec"
              }
            ],
            "repeated": 0,
            "id": 14850
          },
          {
            "timestamp": "2026-05-28 22:01:58,646",
            "thread_id": "1276",
            "caller": "0x7ff6c28dd1db",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000007f0"
              }
            ],
            "repeated": 0,
            "id": 14851
          },
          {
            "timestamp": "2026-05-28 22:01:58,646",
            "thread_id": "1276",
            "caller": "0x7ff6c28dd1db",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000007f4"
              }
            ],
            "repeated": 0,
            "id": 14852
          },
          {
            "timestamp": "2026-05-28 22:01:58,646",
            "thread_id": "1276",
            "caller": "0x7ff6c28dd1db",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000007f8"
              }
            ],
            "repeated": 0,
            "id": 14853
          },
          {
            "timestamp": "2026-05-28 22:01:58,646",
            "thread_id": "1276",
            "caller": "0x7ff6c28dd1db",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000007fc"
              }
            ],
            "repeated": 0,
            "id": 14854
          },
          {
            "timestamp": "2026-05-28 22:01:58,646",
            "thread_id": "1276",
            "caller": "0x7ff6c28dd1db",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000007bc"
              }
            ],
            "repeated": 0,
            "id": 14855
          },
          {
            "timestamp": "2026-05-28 22:01:58,646",
            "thread_id": "1276",
            "caller": "0x7ff6c28dd1db",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000007d0"
              }
            ],
            "repeated": 0,
            "id": 14856
          },
          {
            "timestamp": "2026-05-28 22:01:58,646",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c3e56",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000808"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001000",
                "pretty_value": "PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "336"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\System32\\smss.exe"
              }
            ],
            "repeated": 0,
            "id": 14857
          },
          {
            "timestamp": "2026-05-28 22:01:58,646",
            "thread_id": "5448",
            "caller": "0x7ff6c28c3ebb",
            "parentcaller": "0x7ff6c28c2d53",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000808"
              }
            ],
            "repeated": 0,
            "id": 14858
          },
          {
            "timestamp": "2026-05-28 22:01:58,646",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c3ffc",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000808"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001000",
                "pretty_value": "PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "336"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\System32\\smss.exe"
              }
            ],
            "repeated": 0,
            "id": 14859
          },
          {
            "timestamp": "2026-05-28 22:01:58,646",
            "thread_id": "5448",
            "caller": "0x7ff6c28c4224",
            "parentcaller": "0x7ff6c28c2da5",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000808"
              }
            ],
            "repeated": 0,
            "id": 14860
          },
          {
            "timestamp": "2026-05-28 22:01:58,646",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "2155FEE3-2419-4373-B102-6843707EB41F"
              },
              {
                "name": "ClsContext",
                "value": "0x00000001",
                "pretty_value": "CLSCTX_INPROC_SERVER"
              },
              {
                "name": "riid",
                "value": "F676C15D-596A-4CE2-8234-33996F445DB1"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 14861
          },
          {
            "timestamp": "2026-05-28 22:01:58,646",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000001",
                "pretty_value": "HKEY_CURRENT_USER"
              },
              {
                "name": "SubKey",
                "value": "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\ThumbnailCache"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\ThumbnailCache"
              }
            ],
            "repeated": 0,
            "id": 14862
          },
          {
            "timestamp": "2026-05-28 22:01:58,646",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "filesystem",
            "api": "CreateDirectoryW",
            "status": false,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "DirectoryName",
                "value": "C:\\Users\\admin"
              }
            ],
            "repeated": 0,
            "id": 14863
          },
          {
            "timestamp": "2026-05-28 22:01:58,646",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Users\\admin"
              }
            ],
            "repeated": 0,
            "id": 14864
          },
          {
            "timestamp": "2026-05-28 22:01:58,646",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 14865
          },
          {
            "timestamp": "2026-05-28 22:01:58,646",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "filesystem",
            "api": "CreateDirectoryW",
            "status": false,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "DirectoryName",
                "value": "C:\\Users\\admin\\AppData\\Local"
              }
            ],
            "repeated": 0,
            "id": 14866
          },
          {
            "timestamp": "2026-05-28 22:01:58,646",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Users\\admin\\AppData\\Local"
              }
            ],
            "repeated": 0,
            "id": 14867
          },
          {
            "timestamp": "2026-05-28 22:01:58,646",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 14868
          },
          {
            "timestamp": "2026-05-28 22:01:58,646",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "filesystem",
            "api": "CreateDirectoryW",
            "status": false,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "DirectoryName",
                "value": "C:\\Users\\admin\\AppData\\Local\\Microsoft\\Windows\\Explorer"
              }
            ],
            "repeated": 0,
            "id": 14869
          },
          {
            "timestamp": "2026-05-28 22:01:58,646",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000808"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000400",
                "pretty_value": "PROCESS_QUERY_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "7912"
              }
            ],
            "repeated": 0,
            "id": 14870
          },
          {
            "timestamp": "2026-05-28 22:01:58,646",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x00000a30"
              }
            ],
            "repeated": 0,
            "id": 14871
          },
          {
            "timestamp": "2026-05-28 22:01:58,646",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\x90\\xc7\\xdf\\x9d\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x92\\x02\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\xe9\\x03\\x00\\x00\\xfc\\x7f\\x00\\x00\\x02\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\xe8\\xcc\\xdf\\x9d\\xf0\\x00\\x00\\x00+\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x1c\\x80\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x80\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x80\\x00\\x00\\x00\\x00\\x00\\x00\\x1c\\x80\\x00\\x00\\x00\\x00\\x00\\x00\\xc2T\\xbf3\\xfc\\x7f\\x00\\x00\\x00\\x80\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x80\\x00\\x00\\x00\\x00\\x00\\x00\\xfa!\\x07Ou\\xc0\\x00\\x00\\x1c\\x80\\x00\\x00\\x00\\x00\\x00\\x00\\x88e._\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 14872
          },
          {
            "timestamp": "2026-05-28 22:01:58,646",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "synchronization",
            "api": "NtCreateMutant",
            "status": true,
            "return": "0x40000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000007bc"
              },
              {
                "name": "MutexName",
                "value": "Global\\C::Users:admin:AppData:Local:Microsoft:Windows:Explorer:iconcache_idx.db!rwWriterMutex"
              },
              {
                "name": "InitialOwner",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 14873
          },
          {
            "timestamp": "2026-05-28 22:01:58,646",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000808"
              }
            ],
            "repeated": 0,
            "id": 14874
          },
          {
            "timestamp": "2026-05-28 22:01:58,646",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000808"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000400",
                "pretty_value": "PROCESS_QUERY_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "7912"
              }
            ],
            "repeated": 0,
            "id": 14875
          },
          {
            "timestamp": "2026-05-28 22:01:58,646",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x00000a30"
              }
            ],
            "repeated": 0,
            "id": 14876
          },
          {
            "timestamp": "2026-05-28 22:01:58,646",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\x90\\xc7\\xdf\\x9d\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x92\\x02\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\xe9\\x03\\x00\\x00\\xfc\\x7f\\x00\\x00\\x02\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\xe8\\xcc\\xdf\\x9d\\xf0\\x00\\x00\\x00+\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x1c\\x80\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x80\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x80\\x00\\x00\\x00\\x00\\x00\\x00\\x1c\\x80\\x00\\x00\\x00\\x00\\x00\\x00\\xc2T\\xbf3\\xfc\\x7f\\x00\\x00\\x00\\x80\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x80\\x00\\x00\\x00\\x00\\x00\\x00\\xfa!\\x07Ou\\xc0\\x00\\x00\\x1c\\x80\\x00\\x00\\x00\\x00\\x00\\x00\\x88e._\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 14877
          },
          {
            "timestamp": "2026-05-28 22:01:58,646",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "synchronization",
            "api": "NtCreateEvent",
            "status": true,
            "return": "0x40000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000007fc"
              },
              {
                "name": "EventName",
                "value": "Global\\C::Users:admin:AppData:Local:Microsoft:Windows:Explorer:iconcache_idx.db!rwWriterEvent"
              },
              {
                "name": "EventType",
                "value": "0"
              },
              {
                "name": "InitialState",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 14878
          },
          {
            "timestamp": "2026-05-28 22:01:58,646",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a30"
              }
            ],
            "repeated": 0,
            "id": 14879
          },
          {
            "timestamp": "2026-05-28 22:01:58,646",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000808"
              }
            ],
            "repeated": 0,
            "id": 14880
          },
          {
            "timestamp": "2026-05-28 22:01:58,646",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000808"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000400",
                "pretty_value": "PROCESS_QUERY_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "7912"
              }
            ],
            "repeated": 0,
            "id": 14881
          },
          {
            "timestamp": "2026-05-28 22:01:58,646",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x00000a30"
              }
            ],
            "repeated": 0,
            "id": 14882
          },
          {
            "timestamp": "2026-05-28 22:01:58,646",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xc0\\xce\\xdf\\x9d\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\xe9\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xe0\\x19\\xecP\\x92\\x02\\x00\\x00;\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xecP\\x92\\x02\\x00\\x00\\xcc\\x02\\xecP\\x92\\x02\\x00\\x00\\xc9\\xcf\\xdf\\x9d\\xf0\\x00\\x00\\x00\\xb0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xc0\\x0c\\xecP\\x92\\x02\\x00\\x00\\xae\\x7f\\x14\\x82\\x8b\\xe9\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x9e\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 14883
          },
          {
            "timestamp": "2026-05-28 22:01:58,646",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "synchronization",
            "api": "NtCreateMutant",
            "status": true,
            "return": "0x40000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000007f8"
              },
              {
                "name": "MutexName",
                "value": "Global\\C::Users:admin:AppData:Local:Microsoft:Windows:Explorer:iconcache_16.db!dfMaintainer"
              },
              {
                "name": "InitialOwner",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 14884
          },
          {
            "timestamp": "2026-05-28 22:01:58,646",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a30"
              }
            ],
            "repeated": 0,
            "id": 14885
          },
          {
            "timestamp": "2026-05-28 22:01:58,646",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000808"
              }
            ],
            "repeated": 0,
            "id": 14886
          },
          {
            "timestamp": "2026-05-28 22:01:58,646",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000808"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000400",
                "pretty_value": "PROCESS_QUERY_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "7912"
              }
            ],
            "repeated": 0,
            "id": 14887
          },
          {
            "timestamp": "2026-05-28 22:01:58,646",
            "thread_id": "8604",
            "caller": "0x7ff6c28b79b3",
            "parentcaller": "0x7ff6c28bd257",
            "category": "system",
            "api": "NtQuerySystemTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 14888
          },
          {
            "timestamp": "2026-05-28 22:01:58,646",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x00000a30"
              }
            ],
            "repeated": 0,
            "id": 14889
          },
          {
            "timestamp": "2026-05-28 22:01:58,646",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xc0\\xce\\xdf\\x9d\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\xe9\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xe0\\x19\\xecP\\x92\\x02\\x00\\x00;\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xecP\\x92\\x02\\x00\\x00\\xcc\\x02\\xecP\\x92\\x02\\x00\\x00\\xc9\\xcf\\xdf\\x9d\\xf0\\x00\\x00\\x00\\xb0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xc0\\x0c\\xecP\\x92\\x02\\x00\\x00\\xae\\x7f\\x14\\x82\\x8b\\xe9\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x9e\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 14890
          },
          {
            "timestamp": "2026-05-28 22:01:58,646",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "synchronization",
            "api": "NtCreateMutant",
            "status": true,
            "return": "0x40000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000007f4"
              },
              {
                "name": "MutexName",
                "value": "Global\\C::Users:admin:AppData:Local:Microsoft:Windows:Explorer:iconcache_32.db!dfMaintainer"
              },
              {
                "name": "InitialOwner",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 14891
          },
          {
            "timestamp": "2026-05-28 22:01:58,646",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a30"
              }
            ],
            "repeated": 0,
            "id": 14892
          },
          {
            "timestamp": "2026-05-28 22:01:58,646",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000808"
              }
            ],
            "repeated": 0,
            "id": 14893
          },
          {
            "timestamp": "2026-05-28 22:01:58,646",
            "thread_id": "8604",
            "caller": "0x7ff6c28b79b3",
            "parentcaller": "0x7ff6c28bd257",
            "category": "system",
            "api": "NtQuerySystemTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 14894
          },
          {
            "timestamp": "2026-05-28 22:01:58,646",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000808"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000400",
                "pretty_value": "PROCESS_QUERY_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "7912"
              }
            ],
            "repeated": 0,
            "id": 14895
          },
          {
            "timestamp": "2026-05-28 22:01:58,646",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x00000a30"
              }
            ],
            "repeated": 0,
            "id": 14896
          },
          {
            "timestamp": "2026-05-28 22:01:58,646",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xc0\\xce\\xdf\\x9d\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\xe9\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xe0\\x19\\xecP\\x92\\x02\\x00\\x00;\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xecP\\x92\\x02\\x00\\x00\\xcc\\x02\\xecP\\x92\\x02\\x00\\x00\\xc9\\xcf\\xdf\\x9d\\xf0\\x00\\x00\\x00\\xb0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xc0\\x0c\\xecP\\x92\\x02\\x00\\x00\\xae\\x7f\\x14\\x82\\x8b\\xe9\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x9e\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 14897
          },
          {
            "timestamp": "2026-05-28 22:01:58,646",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "synchronization",
            "api": "NtCreateMutant",
            "status": true,
            "return": "0x40000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000007f0"
              },
              {
                "name": "MutexName",
                "value": "Global\\C::Users:admin:AppData:Local:Microsoft:Windows:Explorer:iconcache_48.db!dfMaintainer"
              },
              {
                "name": "InitialOwner",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 14898
          },
          {
            "timestamp": "2026-05-28 22:01:58,646",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a30"
              }
            ],
            "repeated": 0,
            "id": 14899
          },
          {
            "timestamp": "2026-05-28 22:01:58,646",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000808"
              }
            ],
            "repeated": 0,
            "id": 14900
          },
          {
            "timestamp": "2026-05-28 22:01:58,646",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000808"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000400",
                "pretty_value": "PROCESS_QUERY_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "7912"
              }
            ],
            "repeated": 0,
            "id": 14901
          },
          {
            "timestamp": "2026-05-28 22:01:58,646",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x00000a30"
              }
            ],
            "repeated": 0,
            "id": 14902
          },
          {
            "timestamp": "2026-05-28 22:01:58,646",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xc0\\xce\\xdf\\x9d\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\xe9\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xe0\\x19\\xecP\\x92\\x02\\x00\\x00;\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xecP\\x92\\x02\\x00\\x00\\xcc\\x02\\xecP\\x92\\x02\\x00\\x00\\xc9\\xcf\\xdf\\x9d\\xf0\\x00\\x00\\x00\\xb0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xc0\\x0c\\xecP\\x92\\x02\\x00\\x00\\xae\\x7f\\x14\\x82\\x8b\\xe9\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x9e\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 14903
          },
          {
            "timestamp": "2026-05-28 22:01:58,646",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "synchronization",
            "api": "NtCreateMutant",
            "status": true,
            "return": "0x40000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000007ec"
              },
              {
                "name": "MutexName",
                "value": "Global\\C::Users:admin:AppData:Local:Microsoft:Windows:Explorer:iconcache_96.db!dfMaintainer"
              },
              {
                "name": "InitialOwner",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 14904
          },
          {
            "timestamp": "2026-05-28 22:01:58,646",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a30"
              }
            ],
            "repeated": 0,
            "id": 14905
          },
          {
            "timestamp": "2026-05-28 22:01:58,646",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000808"
              }
            ],
            "repeated": 0,
            "id": 14906
          },
          {
            "timestamp": "2026-05-28 22:01:58,646",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000808"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000400",
                "pretty_value": "PROCESS_QUERY_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "7912"
              }
            ],
            "repeated": 0,
            "id": 14907
          },
          {
            "timestamp": "2026-05-28 22:01:58,646",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x00000a30"
              }
            ],
            "repeated": 0,
            "id": 14908
          },
          {
            "timestamp": "2026-05-28 22:01:58,646",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xc0\\xce\\xdf\\x9d\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\xe9\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xe0\\x19\\xecP\\x92\\x02\\x00\\x00;\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xecP\\x92\\x02\\x00\\x00\\xcc\\x02\\xecP\\x92\\x02\\x00\\x00\\xc9\\xcf\\xdf\\x9d\\xf0\\x00\\x00\\x00\\xb0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xc0\\x0c\\xecP\\x92\\x02\\x00\\x00\\xae\\x7f\\x14\\x82\\x8b\\xe9\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x9e\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 14909
          },
          {
            "timestamp": "2026-05-28 22:01:58,646",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "synchronization",
            "api": "NtCreateMutant",
            "status": true,
            "return": "0x40000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000007e8"
              },
              {
                "name": "MutexName",
                "value": "Global\\C::Users:admin:AppData:Local:Microsoft:Windows:Explorer:iconcache_256.db!dfMaintainer"
              },
              {
                "name": "InitialOwner",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 14910
          },
          {
            "timestamp": "2026-05-28 22:01:58,646",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a30"
              }
            ],
            "repeated": 0,
            "id": 14911
          },
          {
            "timestamp": "2026-05-28 22:01:58,646",
            "thread_id": "1276",
            "caller": "0x7ff6c28dd1db",
            "parentcaller": "0x00000000",
            "category": "process",
            "api": "NtUnmapViewOfSectionEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x292546e0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00008000"
              },
              {
                "name": "Flags",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 14912
          },
          {
            "timestamp": "2026-05-28 22:01:58,646",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000808"
              }
            ],
            "repeated": 0,
            "id": 14913
          },
          {
            "timestamp": "2026-05-28 22:01:58,646",
            "thread_id": "1276",
            "caller": "0x7ff6c28dd1db",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000007b8"
              }
            ],
            "repeated": 0,
            "id": 14914
          },
          {
            "timestamp": "2026-05-28 22:01:58,646",
            "thread_id": "1276",
            "caller": "0x7ff6c28dd1db",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000007c0"
              }
            ],
            "repeated": 0,
            "id": 14915
          },
          {
            "timestamp": "2026-05-28 22:01:58,646",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000808"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000400",
                "pretty_value": "PROCESS_QUERY_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "7912"
              }
            ],
            "repeated": 0,
            "id": 14916
          },
          {
            "timestamp": "2026-05-28 22:01:58,646",
            "thread_id": "1276",
            "caller": "0x7ff6c28dd1db",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000007b4"
              }
            ],
            "repeated": 0,
            "id": 14917
          },
          {
            "timestamp": "2026-05-28 22:01:58,646",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x00000a30"
              }
            ],
            "repeated": 0,
            "id": 14918
          },
          {
            "timestamp": "2026-05-28 22:01:58,646",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xc0\\xce\\xdf\\x9d\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\xe9\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xe0\\x19\\xecP\\x92\\x02\\x00\\x00;\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xecP\\x92\\x02\\x00\\x00\\xcc\\x02\\xecP\\x92\\x02\\x00\\x00\\xc9\\xcf\\xdf\\x9d\\xf0\\x00\\x00\\x00\\xb0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xc0\\x0c\\xecP\\x92\\x02\\x00\\x00\\xae\\x7f\\x14\\x82\\x8b\\xe9\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x9e\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 14919
          },
          {
            "timestamp": "2026-05-28 22:01:58,646",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "synchronization",
            "api": "NtCreateMutant",
            "status": true,
            "return": "0x40000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000007e4"
              },
              {
                "name": "MutexName",
                "value": "Global\\C::Users:admin:AppData:Local:Microsoft:Windows:Explorer:iconcache_768.db!dfMaintainer"
              },
              {
                "name": "InitialOwner",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 14920
          },
          {
            "timestamp": "2026-05-28 22:01:58,646",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a30"
              }
            ],
            "repeated": 0,
            "id": 14921
          },
          {
            "timestamp": "2026-05-28 22:01:58,646",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000808"
              }
            ],
            "repeated": 0,
            "id": 14922
          },
          {
            "timestamp": "2026-05-28 22:01:58,646",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000808"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000400",
                "pretty_value": "PROCESS_QUERY_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "7912"
              }
            ],
            "repeated": 0,
            "id": 14923
          },
          {
            "timestamp": "2026-05-28 22:01:58,646",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x00000a30"
              }
            ],
            "repeated": 0,
            "id": 14924
          },
          {
            "timestamp": "2026-05-28 22:01:58,646",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xc0\\xce\\xdf\\x9d\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\xe9\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xe0\\x19\\xecP\\x92\\x02\\x00\\x00;\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xecP\\x92\\x02\\x00\\x00\\xcc\\x02\\xecP\\x92\\x02\\x00\\x00\\xc9\\xcf\\xdf\\x9d\\xf0\\x00\\x00\\x00\\xb0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xc0\\x0c\\xecP\\x92\\x02\\x00\\x00\\xae\\x7f\\x14\\x82\\x8b\\xe9\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x9e\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 14925
          },
          {
            "timestamp": "2026-05-28 22:01:58,646",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "synchronization",
            "api": "NtCreateMutant",
            "status": true,
            "return": "0x40000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000007e0"
              },
              {
                "name": "MutexName",
                "value": "Global\\C::Users:admin:AppData:Local:Microsoft:Windows:Explorer:iconcache_1280.db!dfMaintainer"
              },
              {
                "name": "InitialOwner",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 14926
          },
          {
            "timestamp": "2026-05-28 22:01:58,646",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a30"
              }
            ],
            "repeated": 0,
            "id": 14927
          },
          {
            "timestamp": "2026-05-28 22:01:58,646",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000808"
              }
            ],
            "repeated": 0,
            "id": 14928
          },
          {
            "timestamp": "2026-05-28 22:01:58,646",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000808"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000400",
                "pretty_value": "PROCESS_QUERY_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "7912"
              }
            ],
            "repeated": 0,
            "id": 14929
          },
          {
            "timestamp": "2026-05-28 22:01:58,646",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x00000a30"
              }
            ],
            "repeated": 0,
            "id": 14930
          },
          {
            "timestamp": "2026-05-28 22:01:58,646",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xc0\\xce\\xdf\\x9d\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\xe9\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xe0\\x19\\xecP\\x92\\x02\\x00\\x00;\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xecP\\x92\\x02\\x00\\x00\\xcc\\x02\\xecP\\x92\\x02\\x00\\x00\\xc9\\xcf\\xdf\\x9d\\xf0\\x00\\x00\\x00\\xb0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xc0\\x0c\\xecP\\x92\\x02\\x00\\x00\\xae\\x7f\\x14\\x82\\x8b\\xe9\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x9e\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 14931
          },
          {
            "timestamp": "2026-05-28 22:01:58,646",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "synchronization",
            "api": "NtCreateMutant",
            "status": true,
            "return": "0x40000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000007dc"
              },
              {
                "name": "MutexName",
                "value": "Global\\C::Users:admin:AppData:Local:Microsoft:Windows:Explorer:iconcache_1920.db!dfMaintainer"
              },
              {
                "name": "InitialOwner",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 14932
          },
          {
            "timestamp": "2026-05-28 22:01:58,646",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a30"
              }
            ],
            "repeated": 0,
            "id": 14933
          },
          {
            "timestamp": "2026-05-28 22:01:58,646",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000808"
              }
            ],
            "repeated": 0,
            "id": 14934
          },
          {
            "timestamp": "2026-05-28 22:01:58,646",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000808"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000400",
                "pretty_value": "PROCESS_QUERY_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "7912"
              }
            ],
            "repeated": 0,
            "id": 14935
          },
          {
            "timestamp": "2026-05-28 22:01:58,646",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x00000a30"
              }
            ],
            "repeated": 0,
            "id": 14936
          },
          {
            "timestamp": "2026-05-28 22:01:58,646",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xc0\\xce\\xdf\\x9d\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\xe9\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xe0\\x19\\xecP\\x92\\x02\\x00\\x00;\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xecP\\x92\\x02\\x00\\x00\\xcc\\x02\\xecP\\x92\\x02\\x00\\x00\\xc9\\xcf\\xdf\\x9d\\xf0\\x00\\x00\\x00\\xb0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xc0\\x0c\\xecP\\x92\\x02\\x00\\x00\\xae\\x7f\\x14\\x82\\x8b\\xe9\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x9e\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 14937
          },
          {
            "timestamp": "2026-05-28 22:01:58,646",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "synchronization",
            "api": "NtCreateMutant",
            "status": true,
            "return": "0x40000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000007d8"
              },
              {
                "name": "MutexName",
                "value": "Global\\C::Users:admin:AppData:Local:Microsoft:Windows:Explorer:iconcache_2560.db!dfMaintainer"
              },
              {
                "name": "InitialOwner",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 14938
          },
          {
            "timestamp": "2026-05-28 22:01:58,646",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a30"
              }
            ],
            "repeated": 0,
            "id": 14939
          },
          {
            "timestamp": "2026-05-28 22:01:58,646",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000808"
              }
            ],
            "repeated": 0,
            "id": 14940
          },
          {
            "timestamp": "2026-05-28 22:01:58,646",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000808"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000400",
                "pretty_value": "PROCESS_QUERY_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "7912"
              }
            ],
            "repeated": 0,
            "id": 14941
          },
          {
            "timestamp": "2026-05-28 22:01:58,646",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x00000a30"
              }
            ],
            "repeated": 0,
            "id": 14942
          },
          {
            "timestamp": "2026-05-28 22:01:58,646",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xc0\\xce\\xdf\\x9d\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\xe9\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xe0\\x19\\xecP\\x92\\x02\\x00\\x00;\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xecP\\x92\\x02\\x00\\x00\\xcc\\x02\\xecP\\x92\\x02\\x00\\x00\\xc9\\xcf\\xdf\\x9d\\xf0\\x00\\x00\\x00\\xb0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xc0\\x0c\\xecP\\x92\\x02\\x00\\x00\\xae\\x7f\\x14\\x82\\x8b\\xe9\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x9e\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 14943
          },
          {
            "timestamp": "2026-05-28 22:01:58,646",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "synchronization",
            "api": "NtCreateMutant",
            "status": true,
            "return": "0x40000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000007cc"
              },
              {
                "name": "MutexName",
                "value": "Global\\C::Users:admin:AppData:Local:Microsoft:Windows:Explorer:iconcache_sr.db!dfMaintainer"
              },
              {
                "name": "InitialOwner",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 14944
          },
          {
            "timestamp": "2026-05-28 22:01:58,646",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a30"
              }
            ],
            "repeated": 0,
            "id": 14945
          },
          {
            "timestamp": "2026-05-28 22:01:58,646",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000808"
              }
            ],
            "repeated": 0,
            "id": 14946
          },
          {
            "timestamp": "2026-05-28 22:01:58,646",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000808"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000400",
                "pretty_value": "PROCESS_QUERY_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "7912"
              }
            ],
            "repeated": 0,
            "id": 14947
          },
          {
            "timestamp": "2026-05-28 22:01:58,646",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x00000a30"
              }
            ],
            "repeated": 0,
            "id": 14948
          },
          {
            "timestamp": "2026-05-28 22:01:58,646",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xc0\\xce\\xdf\\x9d\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\xe9\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xe0\\x19\\xecP\\x92\\x02\\x00\\x00;\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xecP\\x92\\x02\\x00\\x00\\xcc\\x02\\xecP\\x92\\x02\\x00\\x00\\xc9\\xcf\\xdf\\x9d\\xf0\\x00\\x00\\x00\\xb0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xc0\\x0c\\xecP\\x92\\x02\\x00\\x00\\xae\\x7f\\x14\\x82\\x8b\\xe9\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x9e\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 14949
          },
          {
            "timestamp": "2026-05-28 22:01:58,646",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "synchronization",
            "api": "NtCreateMutant",
            "status": true,
            "return": "0x40000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000007c8"
              },
              {
                "name": "MutexName",
                "value": "Global\\C::Users:admin:AppData:Local:Microsoft:Windows:Explorer:iconcache_wide.db!dfMaintainer"
              },
              {
                "name": "InitialOwner",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 14950
          },
          {
            "timestamp": "2026-05-28 22:01:58,646",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a30"
              }
            ],
            "repeated": 0,
            "id": 14951
          },
          {
            "timestamp": "2026-05-28 22:01:58,646",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000808"
              }
            ],
            "repeated": 0,
            "id": 14952
          },
          {
            "timestamp": "2026-05-28 22:01:58,646",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000808"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000400",
                "pretty_value": "PROCESS_QUERY_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "7912"
              }
            ],
            "repeated": 0,
            "id": 14953
          },
          {
            "timestamp": "2026-05-28 22:01:58,646",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x00000a30"
              }
            ],
            "repeated": 0,
            "id": 14954
          },
          {
            "timestamp": "2026-05-28 22:01:58,646",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xc0\\xce\\xdf\\x9d\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\xe9\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xe0\\x19\\xecP\\x92\\x02\\x00\\x00;\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xecP\\x92\\x02\\x00\\x00\\xcc\\x02\\xecP\\x92\\x02\\x00\\x00\\xc9\\xcf\\xdf\\x9d\\xf0\\x00\\x00\\x00\\xb0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xc0\\x0c\\xecP\\x92\\x02\\x00\\x00\\xae\\x7f\\x14\\x82\\x8b\\xe9\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x9e\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 14955
          },
          {
            "timestamp": "2026-05-28 22:01:58,646",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "synchronization",
            "api": "NtCreateMutant",
            "status": true,
            "return": "0x40000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000007c4"
              },
              {
                "name": "MutexName",
                "value": "Global\\C::Users:admin:AppData:Local:Microsoft:Windows:Explorer:iconcache_exif.db!dfMaintainer"
              },
              {
                "name": "InitialOwner",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 14956
          },
          {
            "timestamp": "2026-05-28 22:01:58,646",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a30"
              }
            ],
            "repeated": 0,
            "id": 14957
          },
          {
            "timestamp": "2026-05-28 22:01:58,646",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000808"
              }
            ],
            "repeated": 0,
            "id": 14958
          },
          {
            "timestamp": "2026-05-28 22:01:58,646",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000808"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000400",
                "pretty_value": "PROCESS_QUERY_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "7912"
              }
            ],
            "repeated": 0,
            "id": 14959
          },
          {
            "timestamp": "2026-05-28 22:01:58,646",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x00000a30"
              }
            ],
            "repeated": 0,
            "id": 14960
          },
          {
            "timestamp": "2026-05-28 22:01:58,646",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xc0\\xce\\xdf\\x9d\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\xe9\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xe0\\x19\\xecP\\x92\\x02\\x00\\x00;\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xecP\\x92\\x02\\x00\\x00\\xcc\\x02\\xecP\\x92\\x02\\x00\\x00\\xc9\\xcf\\xdf\\x9d\\xf0\\x00\\x00\\x00\\xb0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xc0\\x0c\\xecP\\x92\\x02\\x00\\x00\\xae\\x7f\\x14\\x82\\x8b\\xe9\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x9e\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 14961
          },
          {
            "timestamp": "2026-05-28 22:01:58,646",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "synchronization",
            "api": "NtCreateMutant",
            "status": true,
            "return": "0x40000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000610"
              },
              {
                "name": "MutexName",
                "value": "Global\\C::Users:admin:AppData:Local:Microsoft:Windows:Explorer:iconcache_wide_alternate.db!dfMaintainer"
              },
              {
                "name": "InitialOwner",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 14962
          },
          {
            "timestamp": "2026-05-28 22:01:58,646",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a30"
              }
            ],
            "repeated": 0,
            "id": 14963
          },
          {
            "timestamp": "2026-05-28 22:01:58,646",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000808"
              }
            ],
            "repeated": 0,
            "id": 14964
          },
          {
            "timestamp": "2026-05-28 22:01:58,646",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000808"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000400",
                "pretty_value": "PROCESS_QUERY_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "7912"
              }
            ],
            "repeated": 0,
            "id": 14965
          },
          {
            "timestamp": "2026-05-28 22:01:58,646",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x00000a30"
              }
            ],
            "repeated": 0,
            "id": 14966
          },
          {
            "timestamp": "2026-05-28 22:01:58,646",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xc0\\xce\\xdf\\x9d\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\xe9\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xe0\\x19\\xecP\\x92\\x02\\x00\\x00;\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xecP\\x92\\x02\\x00\\x00\\xcc\\x02\\xecP\\x92\\x02\\x00\\x00\\xc9\\xcf\\xdf\\x9d\\xf0\\x00\\x00\\x00\\xb0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xc0\\x0c\\xecP\\x92\\x02\\x00\\x00\\xae\\x7f\\x14\\x82\\x8b\\xe9\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x9e\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 14967
          },
          {
            "timestamp": "2026-05-28 22:01:58,646",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "synchronization",
            "api": "NtCreateMutant",
            "status": true,
            "return": "0x40000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000008f4"
              },
              {
                "name": "MutexName",
                "value": "Global\\C::Users:admin:AppData:Local:Microsoft:Windows:Explorer:iconcache_custom_stream.db!dfMaintainer"
              },
              {
                "name": "InitialOwner",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 14968
          },
          {
            "timestamp": "2026-05-28 22:01:58,646",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a30"
              }
            ],
            "repeated": 0,
            "id": 14969
          },
          {
            "timestamp": "2026-05-28 22:01:58,646",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000808"
              }
            ],
            "repeated": 0,
            "id": 14970
          },
          {
            "timestamp": "2026-05-28 22:01:58,646",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000808"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000400",
                "pretty_value": "PROCESS_QUERY_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "7912"
              }
            ],
            "repeated": 0,
            "id": 14971
          },
          {
            "timestamp": "2026-05-28 22:01:58,646",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x00000a30"
              }
            ],
            "repeated": 0,
            "id": 14972
          },
          {
            "timestamp": "2026-05-28 22:01:58,646",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xe0\\xcf\\xdf\\x9d\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00o\\x00m\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\xe9\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x13\\xc1\n]\\\\x06\\x00\\x00\\xa0\\xd6\\xdf\\x9d\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x88e._\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00h\\xdc\\xdf\\x9d\\xf0\\x00\\x00\\x00p\\xc3\\xe8S\\x92\\x02\\x00\\x00\\xf0\\xd0\\xdf\\x9d\\xf0\\x00\\x00\\x00\\x04\\x01\\x00\\x00\\x00\\x00\\x00\\x00`\\xaa._\\xfc\\x7f\\x00\\x00\\xa71+_\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x02\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 14973
          },
          {
            "timestamp": "2026-05-28 22:01:58,646",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "synchronization",
            "api": "NtCreateMutant",
            "status": true,
            "return": "0x40000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a70"
              },
              {
                "name": "MutexName",
                "value": "Global\\C::Users:admin:AppData:Local:Microsoft:Windows:Explorer:iconcache_idx.db!IconCacheInit"
              },
              {
                "name": "InitialOwner",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 14974
          },
          {
            "timestamp": "2026-05-28 22:01:58,646",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a30"
              }
            ],
            "repeated": 0,
            "id": 14975
          },
          {
            "timestamp": "2026-05-28 22:01:58,646",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000808"
              }
            ],
            "repeated": 0,
            "id": 14976
          },
          {
            "timestamp": "2026-05-28 22:01:58,646",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Users\\admin\\AppData\\Local\\Microsoft\\Windows\\Explorer\\IconCacheToDelete"
              }
            ],
            "repeated": 0,
            "id": 14977
          },
          {
            "timestamp": "2026-05-28 22:01:58,646",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000001",
                "pretty_value": "HKEY_CURRENT_USER"
              },
              {
                "name": "SubKey",
                "value": "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\ThumbnailCache"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\ThumbnailCache"
              }
            ],
            "repeated": 0,
            "id": 14978
          },
          {
            "timestamp": "2026-05-28 22:01:58,646",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000808"
              },
              {
                "name": "DesiredAccess",
                "value": "0xc0100080",
                "pretty_value": "GENERIC_READ|GENERIC_WRITE|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Users\\admin\\AppData\\Local\\Microsoft\\Windows\\Explorer\\iconcache_idx.db"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 14979
          },
          {
            "timestamp": "2026-05-28 22:01:58,646",
            "thread_id": "8604",
            "caller": "0x7ff6c28b79b3",
            "parentcaller": "0x7ff6c28bd257",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 3,
            "id": 14980
          },
          {
            "timestamp": "2026-05-28 22:01:58,646",
            "thread_id": "8604",
            "caller": "0x7ff6c28b79b3",
            "parentcaller": "0x7ff6c28bd257",
            "category": "network",
            "api": "GetAdaptersAddresses",
            "status": false,
            "return": "0x0000006f",
            "arguments": [],
            "repeated": 0,
            "id": 14981
          },
          {
            "timestamp": "2026-05-28 22:01:58,646",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "filesystem",
            "api": "NtSetInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000808"
              },
              {
                "name": "HandleName",
                "value": "C:\\Users\\admin\\AppData\\Local\\Microsoft\\Windows\\Explorer\\iconcache_idx.db"
              },
              {
                "name": "FileInformationClass",
                "value": "74"
              },
              {
                "name": "FileInformation",
                "value": "\\x02\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 14982
          },
          {
            "timestamp": "2026-05-28 22:01:58,646",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a30"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000400",
                "pretty_value": "PROCESS_QUERY_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "7912"
              }
            ],
            "repeated": 0,
            "id": 14983
          },
          {
            "timestamp": "2026-05-28 22:01:58,646",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x00000a5c"
              }
            ],
            "repeated": 0,
            "id": 14984
          },
          {
            "timestamp": "2026-05-28 22:01:58,646",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\x90\\xd6\\xdf\\x9d\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\xe9\\x03\\x00\\x00\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00p\\xc3\\xe8S\\x92\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00H\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00p\\xc3\\xe8S\\x92\\x02\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 14985
          },
          {
            "timestamp": "2026-05-28 22:01:58,646",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "synchronization",
            "api": "NtCreateMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a60"
              },
              {
                "name": "MutexName",
                "value": "Global\\C::Users:admin:AppData:Local:Microsoft:Windows:Explorer:iconcache_idx.db!rwReaderRefs"
              },
              {
                "name": "InitialOwner",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 14986
          },
          {
            "timestamp": "2026-05-28 22:01:58,646",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a5c"
              }
            ],
            "repeated": 0,
            "id": 14987
          },
          {
            "timestamp": "2026-05-28 22:01:58,646",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a30"
              }
            ],
            "repeated": 0,
            "id": 14988
          },
          {
            "timestamp": "2026-05-28 22:01:58,646",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000808"
              },
              {
                "name": "HandleName",
                "value": "C:\\Users\\admin\\AppData\\Local\\Microsoft\\Windows\\Explorer\\iconcache_idx.db"
              },
              {
                "name": "FileInformationClass",
                "value": "5",
                "pretty_value": "FileStandardInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\x00\\x80\\x00\\x00\\x00\\x00\\x00\\x000r\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 14989
          },
          {
            "timestamp": "2026-05-28 22:01:58,646",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000a30"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0007",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ|SECTION_MAP_WRITE"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000808"
              },
              {
                "name": "FileName",
                "value": "C:\\Users\\admin\\AppData\\Local\\Microsoft\\Windows\\Explorer\\iconcache_idx.db"
              }
            ],
            "repeated": 0,
            "id": 14990
          },
          {
            "timestamp": "2026-05-28 22:01:58,646",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000a30"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x292546e0000"
              },
              {
                "name": "SectionOffset",
                "value": "0xf09ddfd3f0"
              },
              {
                "name": "ViewSize",
                "value": "0x00008000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 14991
          },
          {
            "timestamp": "2026-05-28 22:01:58,646",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a30"
              }
            ],
            "repeated": 0,
            "id": 14992
          },
          {
            "timestamp": "2026-05-28 22:01:58,646",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a60"
              }
            ],
            "repeated": 0,
            "id": 14993
          },
          {
            "timestamp": "2026-05-28 22:01:58,646",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a60"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000400",
                "pretty_value": "PROCESS_QUERY_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "7912"
              }
            ],
            "repeated": 0,
            "id": 14994
          },
          {
            "timestamp": "2026-05-28 22:01:58,646",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x00000a30"
              }
            ],
            "repeated": 0,
            "id": 14995
          },
          {
            "timestamp": "2026-05-28 22:01:58,646",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xa0\\xd6\\xdf\\x9d\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\xe9\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xbc\\x07\\x00\\x00\\x00\\x00\\x00\\x00 \\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x02\\x00\\x00\\x00\\x00\\x00\\x00]\\xddmu\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00p\\xc3\\xe8S\\x92\\x02\\x00\\x00\\xda7\\x07Ou\\xc0\\x00\\x00\\xe8\\xf6\\x8eT\\x92\\x02\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 14996
          },
          {
            "timestamp": "2026-05-28 22:01:58,646",
            "thread_id": "8604",
            "caller": "0x7ff6c28b7a12",
            "parentcaller": "0x7ff6c28bd257",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 1,
            "id": 14997
          },
          {
            "timestamp": "2026-05-28 22:01:58,646",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a30"
              }
            ],
            "repeated": 0,
            "id": 14998
          },
          {
            "timestamp": "2026-05-28 22:01:58,646",
            "thread_id": "8604",
            "caller": "0x7ff6c28b7a12",
            "parentcaller": "0x7ff6c28bd257",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 14999
          },
          {
            "timestamp": "2026-05-28 22:01:58,646",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a60"
              }
            ],
            "repeated": 0,
            "id": 15000
          },
          {
            "timestamp": "2026-05-28 22:01:58,646",
            "thread_id": "8604",
            "caller": "0x7ff6c28b7a12",
            "parentcaller": "0x7ff6c28bd257",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 15001
          },
          {
            "timestamp": "2026-05-28 22:01:58,646",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a5c"
              }
            ],
            "repeated": 0,
            "id": 15002
          },
          {
            "timestamp": "2026-05-28 22:01:58,646",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "system",
            "api": "NtDuplicateObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SourceProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "SourceHandle",
                "value": "0x00000808"
              },
              {
                "name": "TargetProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "TargetHandle",
                "value": "0x00000a5c"
              },
              {
                "name": "Options",
                "value": "0x00000002"
              }
            ],
            "repeated": 0,
            "id": 15003
          },
          {
            "timestamp": "2026-05-28 22:01:58,646",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000804"
              }
            ],
            "repeated": 0,
            "id": 15004
          },
          {
            "timestamp": "2026-05-28 22:01:58,646",
            "thread_id": "8604",
            "caller": "0x7ff6c28b7a12",
            "parentcaller": "0x7ff6c28bd257",
            "category": "network",
            "api": "GetAdaptersAddresses",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 15005
          },
          {
            "timestamp": "2026-05-28 22:01:58,646",
            "thread_id": "8604",
            "caller": "0x7ff6c28b7aa4",
            "parentcaller": "0x7ff6c28bd257",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000008a4"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\Nsi"
              },
              {
                "name": "IoControlCode",
                "value": "0x00120007"
              },
              {
                "name": "InputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb1\\xa9t\\xfc\\x7f\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x000\\xe5O\\x9e\\xf0\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00H\\xdb'N\\x92\\x02\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb1\\xa9t\\xfc\\x7f\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x000\\xe5O\\x9e\\xf0\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00H\\xdb'N\\x92\\x02\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 15006
          },
          {
            "timestamp": "2026-05-28 22:01:58,646",
            "thread_id": "8604",
            "caller": "0x7ff6c28b7aa4",
            "parentcaller": "0x7ff6c28bd257",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a58"
              }
            ],
            "repeated": 0,
            "id": 15007
          },
          {
            "timestamp": "2026-05-28 22:01:58,646",
            "thread_id": "8604",
            "caller": "0x7ff6c28b7aa4",
            "parentcaller": "0x7ff6c28bd257",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000008a4"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\Nsi"
              },
              {
                "name": "IoControlCode",
                "value": "0x00120007"
              },
              {
                "name": "InputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb1\\xa9t\\xfc\\x7f\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x000\\xe5O\\x9e\\xf0\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb1\\xa9t\\xfc\\x7f\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x000\\xe5O\\x9e\\xf0\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 15008
          },
          {
            "timestamp": "2026-05-28 22:01:58,646",
            "thread_id": "8604",
            "caller": "0x7ff6c28b7aa4",
            "parentcaller": "0x7ff6c28bd257",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a58"
              }
            ],
            "repeated": 0,
            "id": 15009
          },
          {
            "timestamp": "2026-05-28 22:01:58,646",
            "thread_id": "8604",
            "caller": "0x7ff6c28b7aa4",
            "parentcaller": "0x7ff6c28bd257",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000008a4"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\Nsi"
              },
              {
                "name": "IoControlCode",
                "value": "0x0012000f"
              },
              {
                "name": "InputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb1\\xa9t\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00@\\xe5O\\x9e\\xf0\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x80\\xedO\\x9e\\xf0\\x00\\x00\\x00D\\x04\\x00\\x00\\x00\\x00\\x00\\x00p\\xe5O\\x9e\\xf0\\x00\\x00\\x00\\xd8\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x90\\xe8O\\x9e\\xf0\\x00\\x00\\x00X\\x02\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb1\\xa9t\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00@\\xe5O\\x9e\\xf0\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x80\\xedO\\x9e\\xf0\\x00\\x00\\x00D\\x04\\x00\\x00\\x00\\x00\\x00\\x00p\\xe5O\\x9e\\xf0\\x00\\x00\\x00\\xd8\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x90\\xe8O\\x9e\\xf0\\x00\\x00\\x00X\\x02\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 15010
          },
          {
            "timestamp": "2026-05-28 22:01:58,646",
            "thread_id": "8604",
            "caller": "0x7ff6c28b7aa4",
            "parentcaller": "0x7ff6c28bd257",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a58"
              }
            ],
            "repeated": 0,
            "id": 15011
          },
          {
            "timestamp": "2026-05-28 22:01:58,646",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Users\\admin\\AppData\\Local\\Microsoft\\Windows\\Explorer\\iconcache_16.db"
              }
            ],
            "repeated": 0,
            "id": 15012
          },
          {
            "timestamp": "2026-05-28 22:01:58,646",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "filesystem",
            "api": "GetDiskFreeSpaceExW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "DirectoryName",
                "value": "C:\\Users\\admin\\AppData\\Local\\Microsoft\\Windows\\Explorer"
              }
            ],
            "repeated": 0,
            "id": 15013
          },
          {
            "timestamp": "2026-05-28 22:01:58,646",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000804"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000400",
                "pretty_value": "PROCESS_QUERY_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "7912"
              }
            ],
            "repeated": 0,
            "id": 15014
          },
          {
            "timestamp": "2026-05-28 22:01:58,646",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x00000a60"
              }
            ],
            "repeated": 0,
            "id": 15015
          },
          {
            "timestamp": "2026-05-28 22:01:58,646",
            "thread_id": "8604",
            "caller": "0x7ff6c28b7c33",
            "parentcaller": "0x7ff6c28b7b43",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000008a4"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\Nsi"
              },
              {
                "name": "IoControlCode",
                "value": "0x0012000f"
              },
              {
                "name": "InputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb1\\xa9t\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00p\\xe4O\\x9e\\xf0\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb0\\xecO\\x9e\\xf0\\x00\\x00\\x00D\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\xa0\\xe4O\\x9e\\xf0\\x00\\x00\\x00\\xd8\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xc0\\xe7O\\x9e\\xf0\\x00\\x00\\x00X\\x02\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb1\\xa9t\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00p\\xe4O\\x9e\\xf0\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb0\\xecO\\x9e\\xf0\\x00\\x00\\x00D\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\xa0\\xe4O\\x9e\\xf0\\x00\\x00\\x00\\xd8\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xc0\\xe7O\\x9e\\xf0\\x00\\x00\\x00X\\x02\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 15016
          },
          {
            "timestamp": "2026-05-28 22:01:58,646",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "0\\xd5\\xdf\\x9d\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\\\x06\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\xe9\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x80\\x0c\\xbfT\\x92\\x02\\x00\\x00\\x88\\xd5\\xdf\\x9d\\xf0\\x00\\x00\\x00\\xe8\\xf6\\x8eT\\x92\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00C\\x00:\\x00\\\\x00U\\x00s\\x00e\\x00r\\x00s\\x00\\\\x00a\\x00d\\x00m\\x00i\\x00n\\x00\\\\x00A\\x00p\\x00p\\x00D\\x00a\\x00t\\x00a\\x00\\\\x00L\\x00o\\x00c\\x00a\\x00l\\x00\\\\x00M\\x00i\\x00c\\x00r\\x00o\\x00s\\x00o\\x00f\\x00t\\x00\\\\x00W\\x00"
              }
            ],
            "repeated": 0,
            "id": 15017
          },
          {
            "timestamp": "2026-05-28 22:01:58,646",
            "thread_id": "8604",
            "caller": "0x7ff6c28b7c33",
            "parentcaller": "0x7ff6c28b7b43",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a58"
              }
            ],
            "repeated": 0,
            "id": 15018
          },
          {
            "timestamp": "2026-05-28 22:01:58,646",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "synchronization",
            "api": "NtCreateMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a30"
              },
              {
                "name": "MutexName",
                "value": "Global\\C::Users:admin:AppData:Local:Microsoft:Windows:Explorer:iconcache_idx.db!rwReaderRefs"
              },
              {
                "name": "InitialOwner",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 15019
          },
          {
            "timestamp": "2026-05-28 22:01:58,646",
            "thread_id": "8604",
            "caller": "0x7ff6c28b8829",
            "parentcaller": "0x7ff6c28b856a",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000a58"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0012019f",
                "pretty_value": "FILE_GENERIC_READ|FILE_GENERIC_WRITE"
              },
              {
                "name": "FileName",
                "value": "\\Device\\{4C572733-2FBA-4346-9601-F86DBA666EF2}"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 15020
          },
          {
            "timestamp": "2026-05-28 22:01:58,646",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a60"
              }
            ],
            "repeated": 0,
            "id": 15021
          },
          {
            "timestamp": "2026-05-28 22:01:58,646",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000804"
              }
            ],
            "repeated": 0,
            "id": 15022
          },
          {
            "timestamp": "2026-05-28 22:01:58,646",
            "thread_id": "1496",
            "caller": "0x7ff6c28da9db",
            "parentcaller": "0x7ff6c28d6fb1",
            "category": "misc",
            "api": "GetCursorPos",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "x",
                "value": "634"
              },
              {
                "name": "y",
                "value": "403"
              }
            ],
            "repeated": 0,
            "id": 15023
          },
          {
            "timestamp": "2026-05-28 22:01:58,646",
            "thread_id": "8604",
            "caller": "0x7ff6c28b85c2",
            "parentcaller": "0x7ff6c28b7cdf",
            "category": "device",
            "api": "DeviceIoControl",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "DeviceHandle",
                "value": "0x00000a58"
              },
              {
                "name": "IoControlCode",
                "value": "0x0017003e"
              },
              {
                "name": "InBuffer",
                "value": "\\x07\\x01\\x01\\x00\\x04\\x01\\x01\\x80\\x14\\x01\\x01\\x80\\x01\\x01\\x02\\x00\\x02\\x01\\x02\\x00\\x03\\x01\\x02\\x00\\x04\\x01\\x02\\x00\\x08\\x02\\x02\\x80\\x01\\x02\\x02\\x80\\x07\\x02\\x02\\x80\\xff\\xff\\xff\\x80\\x13\\x02\\x02\\x80\\x14\\x02\\x02\\x80\\x15\\x02\\x02\\x80\\x02\\x02\\x01\\x80"
              },
              {
                "name": "OutBuffer",
                "value": "\\x07\\x01\\x01\\x00\\x04\\x00\\x00\\x00\\x80\\x96\\x98\\x00\\x04\\x01\\x01\\x80\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x14\\x01\\x01\\x80\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x01\\x02\\x00\\x08\\x00\\x00\\x002\\x0b\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x01\\x02\\x00\\x08\\x00\\x00\\x00L@\\x00\\x00\\x00\\x00\\x00\\x00\\x03\\x01\\x02\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x04\\x01\\x02\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x08\\x02\\x02\\x80\\x08\\x00\\x00\\x00G@\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x02\\x02\\x80\\x08\\x00\\x00\\x00\\xcca1\\x00\\x00\\x00\\x00\\x00\\x07\\x02\\x02\\x80\\x08\\x00\\x00\\x00\\x93\\xf9C\\x01\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\x80\\x04\\x00\\x00\\x00@\\x00\\x00\\x00\\x13\\x02\\x02\\x80\\x04\\x00\\x00\\x00m\\x00\\x00\\x00\\x14\\x02\\x02\\x80\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x15\\x02\\x02\\x80\\x04\\x00\\x00\\x00\\x00\\x00\\x04\\x00\\x02\\x02\\x01\\x80\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 15024
          },
          {
            "timestamp": "2026-05-28 22:01:58,646",
            "thread_id": "8604",
            "caller": "0x7ff6c28b85d9",
            "parentcaller": "0x7ff6c28b7cdf",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a58"
              }
            ],
            "repeated": 0,
            "id": 15025
          },
          {
            "timestamp": "2026-05-28 22:01:58,646",
            "thread_id": "8604",
            "caller": "0x7ff6c28b83c1",
            "parentcaller": "0x7ff6c28b7ded",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000105",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000008a4"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\Nsi"
              },
              {
                "name": "IoControlCode",
                "value": "0x0012001b"
              },
              {
                "name": "InputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb1\\xa9t\\xfc\\x7f\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\t\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb1\\xa9t\\xfc\\x7f\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\t\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 15026
          },
          {
            "timestamp": "2026-05-28 22:01:58,646",
            "thread_id": "8604",
            "caller": "0x7ff6c28b83c1",
            "parentcaller": "0x7ff6c28b7ded",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a58"
              }
            ],
            "repeated": 0,
            "id": 15027
          },
          {
            "timestamp": "2026-05-28 22:01:58,646",
            "thread_id": "8604",
            "caller": "0x7ff6c28b83c1",
            "parentcaller": "0x7ff6c28b7ded",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000008a4"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\Nsi"
              },
              {
                "name": "IoControlCode",
                "value": "0x0012001b"
              },
              {
                "name": "InputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb1\\xa9t\\xfc\\x7f\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x10\\xf7\\x86T\\x92\\x02\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00P\\x89\\xacT\\x92\\x02\\x00\\x008\\x02\\x00\\x00\\x00\\x00\\x00\\x00\t\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb1\\xa9t\\xfc\\x7f\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x10\\xf7\\x86T\\x92\\x02\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00P\\x89\\xacT\\x92\\x02\\x00\\x008\\x02\\x00\\x00\\x00\\x00\\x00\\x00\t\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 15028
          },
          {
            "timestamp": "2026-05-28 22:01:58,646",
            "thread_id": "8604",
            "caller": "0x7ff6c28b83c1",
            "parentcaller": "0x7ff6c28b7ded",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a58"
              }
            ],
            "repeated": 0,
            "id": 15029
          },
          {
            "timestamp": "2026-05-28 22:01:58,646",
            "thread_id": "8604",
            "caller": "0x7ff6c28b83c1",
            "parentcaller": "0x7ff6c28b7ded",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000008a4"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\Nsi"
              },
              {
                "name": "IoControlCode",
                "value": "0x00120007"
              },
              {
                "name": "InputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb1\\xa9t\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00P\\xecO\\x9e\\xf0\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00`\\xecO\\x9e\\xf0\\x00\\x00\\x00\\x04\\x02\\x00\\x00\\x14\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb1\\xa9t\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00P\\xecO\\x9e\\xf0\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00`\\xecO\\x9e\\xf0\\x00\\x00\\x00\\x04\\x02\\x00\\x00\\x14\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 15030
          },
          {
            "timestamp": "2026-05-28 22:01:58,646",
            "thread_id": "8604",
            "caller": "0x7ff6c28b83c1",
            "parentcaller": "0x7ff6c28b7ded",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a58"
              }
            ],
            "repeated": 0,
            "id": 15031
          },
          {
            "timestamp": "2026-05-28 22:01:58,646",
            "thread_id": "8604",
            "caller": "0x7ff6c28dd762",
            "parentcaller": "0x7ff6c28e161d",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "93"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x7f7\\x9e}"
              }
            ],
            "repeated": 0,
            "id": 15032
          },
          {
            "timestamp": "2026-05-28 22:01:58,646",
            "thread_id": "8604",
            "caller": "0x7ff6c28dd762",
            "parentcaller": "0x7ff6c28e161d",
            "category": "process",
            "api": "NtOpenSection",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0000000d"
              },
              {
                "name": "ObjectAttributes",
                "value": "wkscli.dll"
              }
            ],
            "repeated": 0,
            "id": 15033
          },
          {
            "timestamp": "2026-05-28 22:01:58,646",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a30"
              }
            ],
            "repeated": 0,
            "id": 15034
          },
          {
            "timestamp": "2026-05-28 22:01:58,646",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a30"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000400",
                "pretty_value": "PROCESS_QUERY_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "7912"
              }
            ],
            "repeated": 0,
            "id": 15035
          },
          {
            "timestamp": "2026-05-28 22:01:58,646",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xd0\\xd5\\xdf\\x9d\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\\\x00E\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\xe9\\x03\\x00\\x00c\\x00h\\x00e\\x00_\\x001\\x006\\x00.\\x00d\\x00b\\x00\\x00\\x00\\x18\\xd6\\xdf\\x9d\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00,\\x00\\x00\\x00\\xfc\\x7f\\x00\\x00\\x01\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00@\\xd6\\xdf\\x9d\\xf0\\x00\\x00\\x00\\x02\\x00P\\x00\\x01\\x00\\x00\\x00\\x00\\x00$\\x00\\x00\\x00\\x00\\x10\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec"
              }
            ],
            "repeated": 0,
            "id": 15036
          },
          {
            "timestamp": "2026-05-28 22:01:58,646",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "synchronization",
            "api": "NtCreateMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a50"
              },
              {
                "name": "MutexName",
                "value": "Global\\C::Users:admin:AppData:Local:Microsoft:Windows:Explorer:iconcache_idx.db!rwReaderRefs"
              },
              {
                "name": "InitialOwner",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 15037
          },
          {
            "timestamp": "2026-05-28 22:01:58,646",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a54"
              }
            ],
            "repeated": 0,
            "id": 15038
          },
          {
            "timestamp": "2026-05-28 22:01:58,646",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a30"
              }
            ],
            "repeated": 0,
            "id": 15039
          },
          {
            "timestamp": "2026-05-28 22:01:58,646",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a50"
              }
            ],
            "repeated": 0,
            "id": 15040
          },
          {
            "timestamp": "2026-05-28 22:01:58,646",
            "thread_id": "8604",
            "caller": "0x7ff6c28dd762",
            "parentcaller": "0x7ff6c28e161d",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000a58"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100021",
                "pretty_value": "FILE_READ_ACCESS|FILE_EXECUTE|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\wkscli.dll"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 15041
          },
          {
            "timestamp": "2026-05-28 22:01:58,646",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a54"
              }
            ],
            "repeated": 0,
            "id": 15042
          },
          {
            "timestamp": "2026-05-28 22:01:58,646",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a54"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000400",
                "pretty_value": "PROCESS_QUERY_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "7912"
              }
            ],
            "repeated": 0,
            "id": 15043
          },
          {
            "timestamp": "2026-05-28 22:01:58,646",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x00000a50"
              }
            ],
            "repeated": 0,
            "id": 15044
          },
          {
            "timestamp": "2026-05-28 22:01:58,646",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xd0\\xd5\\xdf\\x9d\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\\\x00E\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\xe9\\x03\\x00\\x00c\\x00h\\x00e\\x00_\\x001\\x006\\x00.\\x00d\\x00b\\x00\\x00\\x00\\x18\\xd6\\xdf\\x9d\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00,\\x00\\x00\\x00\\xfc\\x7f\\x00\\x00\\x01\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00@\\xd6\\xdf\\x9d\\xf0\\x00\\x00\\x00\\x02\\x00P\\x00\\x01\\x00\\x00\\x00\\x00\\x00$\\x00\\x00\\x00\\x00\\x10\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec"
              }
            ],
            "repeated": 0,
            "id": 15045
          },
          {
            "timestamp": "2026-05-28 22:01:58,646",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "synchronization",
            "api": "NtCreateMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a30"
              },
              {
                "name": "MutexName",
                "value": "Global\\C::Users:admin:AppData:Local:Microsoft:Windows:Explorer:iconcache_idx.db!rwReaderRefs"
              },
              {
                "name": "InitialOwner",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 15046
          },
          {
            "timestamp": "2026-05-28 22:01:58,646",
            "thread_id": "8604",
            "caller": "0x7ff6c28dd762",
            "parentcaller": "0x7ff6c28e161d",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000804"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0000000d",
                "pretty_value": "SECTION_QUERY|SECTION_MAP_READ|SECTION_MAP_EXECUTE"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000a58"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\wkscli.dll"
              }
            ],
            "repeated": 0,
            "id": 15047
          },
          {
            "timestamp": "2026-05-28 22:01:58,646",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a30"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000400",
                "pretty_value": "PROCESS_QUERY_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "7912"
              }
            ],
            "repeated": 0,
            "id": 15048
          },
          {
            "timestamp": "2026-05-28 22:01:58,646",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x00000a54"
              }
            ],
            "repeated": 0,
            "id": 15049
          },
          {
            "timestamp": "2026-05-28 22:01:58,646",
            "thread_id": "8604",
            "caller": "0x7ff6c28dd762",
            "parentcaller": "0x7ff6c28e161d",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000804"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc747d0000"
              },
              {
                "name": "SectionOffset",
                "value": "0x00000000"
              },
              {
                "name": "ViewSize",
                "value": "0x00019000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000080",
                "pretty_value": "PAGE_EXECUTE_WRITECOPY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 15050
          },
          {
            "timestamp": "2026-05-28 22:01:58,646",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "0\\xd5\\xdf\\x9d\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\\\x06\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\xe9\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x80\\x0c\\xbfT\\x92\\x02\\x00\\x00\\x88\\xd5\\xdf\\x9d\\xf0\\x00\\x00\\x00\\xe8\\xf6\\x8eT\\x92\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00C\\x00:\\x00\\\\x00U\\x00s\\x00e\\x00r\\x00s\\x00\\\\x00a\\x00d\\x00m\\x00i\\x00n\\x00\\\\x00A\\x00p\\x00p\\x00D\\x00a\\x00t\\x00a\\x00\\\\x00L\\x00o\\x00c\\x00a\\x00l\\x00\\\\x00M\\x00i\\x00c\\x00r\\x00o\\x00s\\x00o\\x00f\\x00t\\x00\\\\x00W\\x00"
              }
            ],
            "repeated": 0,
            "id": 15051
          },
          {
            "timestamp": "2026-05-28 22:01:58,646",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "synchronization",
            "api": "NtCreateMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a50"
              },
              {
                "name": "MutexName",
                "value": "Global\\C::Users:admin:AppData:Local:Microsoft:Windows:Explorer:iconcache_idx.db!rwReaderRefs"
              },
              {
                "name": "InitialOwner",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 15052
          },
          {
            "timestamp": "2026-05-28 22:01:58,646",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a54"
              }
            ],
            "repeated": 0,
            "id": 15053
          },
          {
            "timestamp": "2026-05-28 22:01:58,646",
            "thread_id": "8604",
            "caller": "0x7ff6c28dd762",
            "parentcaller": "0x7ff6c28e161d",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc747e6000"
              },
              {
                "name": "ModuleName",
                "value": "wkscli.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 15054
          },
          {
            "timestamp": "2026-05-28 22:01:58,646",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a30"
              }
            ],
            "repeated": 0,
            "id": 15055
          },
          {
            "timestamp": "2026-05-28 22:01:58,646",
            "thread_id": "8604",
            "caller": "0x7ff6c28dd762",
            "parentcaller": "0x7ff6c28e161d",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc747df000"
              },
              {
                "name": "ModuleName",
                "value": "wkscli.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 15056
          },
          {
            "timestamp": "2026-05-28 22:01:58,646",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a50"
              }
            ],
            "repeated": 0,
            "id": 15057
          },
          {
            "timestamp": "2026-05-28 22:01:58,646",
            "thread_id": "8604",
            "caller": "0x7ff6c28dd762",
            "parentcaller": "0x7ff6c28e161d",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc747df000"
              },
              {
                "name": "ModuleName",
                "value": "wkscli.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 15058
          },
          {
            "timestamp": "2026-05-28 22:01:58,646",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a50"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000400",
                "pretty_value": "PROCESS_QUERY_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "7912"
              }
            ],
            "repeated": 0,
            "id": 15059
          },
          {
            "timestamp": "2026-05-28 22:01:58,646",
            "thread_id": "8604",
            "caller": "0x7ff6c28dd762",
            "parentcaller": "0x7ff6c28e161d",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc747df000"
              },
              {
                "name": "ModuleName",
                "value": "wkscli.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 15060
          },
          {
            "timestamp": "2026-05-28 22:01:58,646",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x00000a30"
              }
            ],
            "repeated": 0,
            "id": 15061
          },
          {
            "timestamp": "2026-05-28 22:01:58,646",
            "thread_id": "8604",
            "caller": "0x7ff6c28dd762",
            "parentcaller": "0x7ff6c28e161d",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc747df000"
              },
              {
                "name": "ModuleName",
                "value": "wkscli.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 15062
          },
          {
            "timestamp": "2026-05-28 22:01:58,646",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xd0\\xd5\\xdf\\x9d\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\\\x00E\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\xe9\\x03\\x00\\x00c\\x00h\\x00e\\x00_\\x001\\x006\\x00.\\x00d\\x00b\\x00\\x00\\x00\\x18\\xd6\\xdf\\x9d\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00,\\x00\\x00\\x00\\xfc\\x7f\\x00\\x00\\x01\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00@\\xd6\\xdf\\x9d\\xf0\\x00\\x00\\x00\\x02\\x00P\\x00\\x01\\x00\\x00\\x00\\x00\\x00$\\x00\\x00\\x00\\x00\\x10\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec"
              }
            ],
            "repeated": 0,
            "id": 15063
          },
          {
            "timestamp": "2026-05-28 22:01:58,646",
            "thread_id": "8604",
            "caller": "0x7ff6c28dd762",
            "parentcaller": "0x7ff6c28e161d",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc747df000"
              },
              {
                "name": "ModuleName",
                "value": "wkscli.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 15064
          },
          {
            "timestamp": "2026-05-28 22:01:58,646",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "synchronization",
            "api": "NtCreateMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a54"
              },
              {
                "name": "MutexName",
                "value": "Global\\C::Users:admin:AppData:Local:Microsoft:Windows:Explorer:iconcache_idx.db!rwReaderRefs"
              },
              {
                "name": "InitialOwner",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 15065
          },
          {
            "timestamp": "2026-05-28 22:01:58,646",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a30"
              }
            ],
            "repeated": 0,
            "id": 15066
          },
          {
            "timestamp": "2026-05-28 22:01:58,646",
            "thread_id": "8604",
            "caller": "0x7ff6c28dd762",
            "parentcaller": "0x7ff6c28e161d",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000804"
              }
            ],
            "repeated": 0,
            "id": 15067
          },
          {
            "timestamp": "2026-05-28 22:01:58,646",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a50"
              }
            ],
            "repeated": 0,
            "id": 15068
          },
          {
            "timestamp": "2026-05-28 22:01:58,646",
            "thread_id": "8604",
            "caller": "0x7ff6c28dd762",
            "parentcaller": "0x7ff6c28e161d",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a58"
              }
            ],
            "repeated": 0,
            "id": 15069
          },
          {
            "timestamp": "2026-05-28 22:01:58,646",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a54"
              }
            ],
            "repeated": 0,
            "id": 15070
          },
          {
            "timestamp": "2026-05-28 22:01:58,646",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a54"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000400",
                "pretty_value": "PROCESS_QUERY_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "7912"
              }
            ],
            "repeated": 0,
            "id": 15071
          },
          {
            "timestamp": "2026-05-28 22:01:58,646",
            "thread_id": "8604",
            "caller": "0x7ff6c28dd762",
            "parentcaller": "0x7ff6c28e161d",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc747df000"
              },
              {
                "name": "ModuleName",
                "value": "wkscli.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 15072
          },
          {
            "timestamp": "2026-05-28 22:01:58,646",
            "thread_id": "8604",
            "caller": "0x7ff6c28dd762",
            "parentcaller": "0x7ff6c28e161d",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\system32\\wkscli"
              },
              {
                "name": "DllBase",
                "value": "0x7ffc747d0000"
              }
            ],
            "repeated": 0,
            "id": 15073
          },
          {
            "timestamp": "2026-05-28 22:01:58,646",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x00000a50"
              }
            ],
            "repeated": 0,
            "id": 15074
          },
          {
            "timestamp": "2026-05-28 22:01:58,646",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "synchronization",
            "api": "NtCreateMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a30"
              },
              {
                "name": "MutexName",
                "value": "Global\\C::Users:admin:AppData:Local:Microsoft:Windows:Explorer:iconcache_idx.db!rwReaderRefs"
              },
              {
                "name": "InitialOwner",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 15075
          },
          {
            "timestamp": "2026-05-28 22:01:58,646",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a30"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000400",
                "pretty_value": "PROCESS_QUERY_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "7912"
              }
            ],
            "repeated": 0,
            "id": 15076
          },
          {
            "timestamp": "2026-05-28 22:01:58,646",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x00000a54"
              }
            ],
            "repeated": 0,
            "id": 15077
          },
          {
            "timestamp": "2026-05-28 22:01:58,646",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xd0\\xd5\\xdf\\x9d\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\\\x00E\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\xe9\\x03\\x00\\x00c\\x00h\\x00e\\x00_\\x001\\x006\\x00.\\x00d\\x00b\\x00\\x00\\x00\\x18\\xd6\\xdf\\x9d\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00,\\x00\\x00\\x00\\xfc\\x7f\\x00\\x00\\x01\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00@\\xd6\\xdf\\x9d\\xf0\\x00\\x00\\x00\\x02\\x00P\\x00\\x01\\x00\\x00\\x00\\x00\\x00$\\x00\\x00\\x00\\x00\\x10\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec"
              }
            ],
            "repeated": 0,
            "id": 15078
          },
          {
            "timestamp": "2026-05-28 22:01:58,646",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "synchronization",
            "api": "NtCreateMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a50"
              },
              {
                "name": "MutexName",
                "value": "Global\\C::Users:admin:AppData:Local:Microsoft:Windows:Explorer:iconcache_idx.db!rwReaderRefs"
              },
              {
                "name": "InitialOwner",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 15079
          },
          {
            "timestamp": "2026-05-28 22:01:58,646",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a54"
              }
            ],
            "repeated": 0,
            "id": 15080
          },
          {
            "timestamp": "2026-05-28 22:01:58,646",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a30"
              }
            ],
            "repeated": 0,
            "id": 15081
          },
          {
            "timestamp": "2026-05-28 22:01:58,646",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a50"
              }
            ],
            "repeated": 0,
            "id": 15082
          },
          {
            "timestamp": "2026-05-28 22:01:58,646",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a50"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000400",
                "pretty_value": "PROCESS_QUERY_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "7912"
              }
            ],
            "repeated": 0,
            "id": 15083
          },
          {
            "timestamp": "2026-05-28 22:01:58,646",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x00000a30"
              }
            ],
            "repeated": 0,
            "id": 15084
          },
          {
            "timestamp": "2026-05-28 22:01:58,646",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "0\\xd5\\xdf\\x9d\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\\\x06\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\xe9\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x80\\x0c\\xbfT\\x92\\x02\\x00\\x00\\x88\\xd5\\xdf\\x9d\\xf0\\x00\\x00\\x00\\xe8\\xf6\\x8eT\\x92\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00C\\x00:\\x00\\\\x00U\\x00s\\x00e\\x00r\\x00s\\x00\\\\x00a\\x00d\\x00m\\x00i\\x00n\\x00\\\\x00A\\x00p\\x00p\\x00D\\x00a\\x00t\\x00a\\x00\\\\x00L\\x00o\\x00c\\x00a\\x00l\\x00\\\\x00M\\x00i\\x00c\\x00r\\x00o\\x00s\\x00o\\x00f\\x00t\\x00\\\\x00W\\x00"
              }
            ],
            "repeated": 0,
            "id": 15085
          },
          {
            "timestamp": "2026-05-28 22:01:58,646",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "synchronization",
            "api": "NtCreateMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a54"
              },
              {
                "name": "MutexName",
                "value": "Global\\C::Users:admin:AppData:Local:Microsoft:Windows:Explorer:iconcache_idx.db!rwReaderRefs"
              },
              {
                "name": "InitialOwner",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 15086
          },
          {
            "timestamp": "2026-05-28 22:01:58,646",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a30"
              }
            ],
            "repeated": 0,
            "id": 15087
          },
          {
            "timestamp": "2026-05-28 22:01:58,646",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a50"
              }
            ],
            "repeated": 0,
            "id": 15088
          },
          {
            "timestamp": "2026-05-28 22:01:58,646",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a54"
              }
            ],
            "repeated": 0,
            "id": 15089
          },
          {
            "timestamp": "2026-05-28 22:01:58,646",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a54"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000400",
                "pretty_value": "PROCESS_QUERY_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "7912"
              }
            ],
            "repeated": 0,
            "id": 15090
          },
          {
            "timestamp": "2026-05-28 22:01:58,646",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x00000a50"
              }
            ],
            "repeated": 0,
            "id": 15091
          },
          {
            "timestamp": "2026-05-28 22:01:58,646",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xd0\\xd5\\xdf\\x9d\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\\\x00E\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\xe9\\x03\\x00\\x00c\\x00h\\x00e\\x00_\\x001\\x006\\x00.\\x00d\\x00b\\x00\\x00\\x00\\x18\\xd6\\xdf\\x9d\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00,\\x00\\x00\\x00\\xfc\\x7f\\x00\\x00\\x01\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00@\\xd6\\xdf\\x9d\\xf0\\x00\\x00\\x00\\x02\\x00P\\x00\\x01\\x00\\x00\\x00\\x00\\x00$\\x00\\x00\\x00\\x00\\x10\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec"
              }
            ],
            "repeated": 0,
            "id": 15092
          },
          {
            "timestamp": "2026-05-28 22:01:58,646",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "synchronization",
            "api": "NtCreateMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a30"
              },
              {
                "name": "MutexName",
                "value": "Global\\C::Users:admin:AppData:Local:Microsoft:Windows:Explorer:iconcache_idx.db!rwReaderRefs"
              },
              {
                "name": "InitialOwner",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 15093
          },
          {
            "timestamp": "2026-05-28 22:01:58,646",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a50"
              }
            ],
            "repeated": 0,
            "id": 15094
          },
          {
            "timestamp": "2026-05-28 22:01:58,646",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a54"
              }
            ],
            "repeated": 0,
            "id": 15095
          },
          {
            "timestamp": "2026-05-28 22:01:58,646",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a30"
              }
            ],
            "repeated": 0,
            "id": 15096
          },
          {
            "timestamp": "2026-05-28 22:01:58,646",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a30"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000400",
                "pretty_value": "PROCESS_QUERY_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "7912"
              }
            ],
            "repeated": 0,
            "id": 15097
          },
          {
            "timestamp": "2026-05-28 22:01:58,646",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x00000a54"
              }
            ],
            "repeated": 0,
            "id": 15098
          },
          {
            "timestamp": "2026-05-28 22:01:58,646",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "0\\xd5\\xdf\\x9d\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\\\x06\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\xe9\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x80\\x0c\\xbfT\\x92\\x02\\x00\\x00\\x88\\xd5\\xdf\\x9d\\xf0\\x00\\x00\\x00\\xe8\\xf6\\x8eT\\x92\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00C\\x00:\\x00\\\\x00U\\x00s\\x00e\\x00r\\x00s\\x00\\\\x00a\\x00d\\x00m\\x00i\\x00n\\x00\\\\x00A\\x00p\\x00p\\x00D\\x00a\\x00t\\x00a\\x00\\\\x00L\\x00o\\x00c\\x00a\\x00l\\x00\\\\x00M\\x00i\\x00c\\x00r\\x00o\\x00s\\x00o\\x00f\\x00t\\x00\\\\x00W\\x00"
              }
            ],
            "repeated": 0,
            "id": 15099
          },
          {
            "timestamp": "2026-05-28 22:01:58,646",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "synchronization",
            "api": "NtCreateMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a50"
              },
              {
                "name": "MutexName",
                "value": "Global\\C::Users:admin:AppData:Local:Microsoft:Windows:Explorer:iconcache_idx.db!rwReaderRefs"
              },
              {
                "name": "InitialOwner",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 15100
          },
          {
            "timestamp": "2026-05-28 22:01:58,646",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a54"
              }
            ],
            "repeated": 0,
            "id": 15101
          },
          {
            "timestamp": "2026-05-28 22:01:58,646",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a30"
              }
            ],
            "repeated": 0,
            "id": 15102
          },
          {
            "timestamp": "2026-05-28 22:01:58,646",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a50"
              }
            ],
            "repeated": 0,
            "id": 15103
          },
          {
            "timestamp": "2026-05-28 22:01:58,646",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a50"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000400",
                "pretty_value": "PROCESS_QUERY_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "7912"
              }
            ],
            "repeated": 0,
            "id": 15104
          },
          {
            "timestamp": "2026-05-28 22:01:58,646",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x00000a30"
              }
            ],
            "repeated": 0,
            "id": 15105
          },
          {
            "timestamp": "2026-05-28 22:01:58,646",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xd0\\xd5\\xdf\\x9d\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\\\x00E\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\xe9\\x03\\x00\\x00c\\x00h\\x00e\\x00_\\x001\\x006\\x00.\\x00d\\x00b\\x00\\x00\\x00\\x18\\xd6\\xdf\\x9d\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00,\\x00\\x00\\x00\\xfc\\x7f\\x00\\x00\\x01\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00@\\xd6\\xdf\\x9d\\xf0\\x00\\x00\\x00\\x02\\x00P\\x00\\x01\\x00\\x00\\x00\\x00\\x00$\\x00\\x00\\x00\\x00\\x10\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec"
              }
            ],
            "repeated": 0,
            "id": 15106
          },
          {
            "timestamp": "2026-05-28 22:01:58,646",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "synchronization",
            "api": "NtCreateMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a54"
              },
              {
                "name": "MutexName",
                "value": "Global\\C::Users:admin:AppData:Local:Microsoft:Windows:Explorer:iconcache_idx.db!rwReaderRefs"
              },
              {
                "name": "InitialOwner",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 15107
          },
          {
            "timestamp": "2026-05-28 22:01:58,646",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a30"
              }
            ],
            "repeated": 0,
            "id": 15108
          },
          {
            "timestamp": "2026-05-28 22:01:58,646",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a50"
              }
            ],
            "repeated": 0,
            "id": 15109
          },
          {
            "timestamp": "2026-05-28 22:01:58,646",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a54"
              }
            ],
            "repeated": 0,
            "id": 15110
          },
          {
            "timestamp": "2026-05-28 22:01:58,646",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a54"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000400",
                "pretty_value": "PROCESS_QUERY_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "7912"
              }
            ],
            "repeated": 0,
            "id": 15111
          },
          {
            "timestamp": "2026-05-28 22:01:58,646",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x00000a50"
              }
            ],
            "repeated": 0,
            "id": 15112
          },
          {
            "timestamp": "2026-05-28 22:01:58,646",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "0\\xd5\\xdf\\x9d\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\\\x06\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\xe9\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x80\\x0c\\xbfT\\x92\\x02\\x00\\x00\\x88\\xd5\\xdf\\x9d\\xf0\\x00\\x00\\x00\\xe8\\xf6\\x8eT\\x92\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00C\\x00:\\x00\\\\x00U\\x00s\\x00e\\x00r\\x00s\\x00\\\\x00a\\x00d\\x00m\\x00i\\x00n\\x00\\\\x00A\\x00p\\x00p\\x00D\\x00a\\x00t\\x00a\\x00\\\\x00L\\x00o\\x00c\\x00a\\x00l\\x00\\\\x00M\\x00i\\x00c\\x00r\\x00o\\x00s\\x00o\\x00f\\x00t\\x00\\\\x00W\\x00"
              }
            ],
            "repeated": 0,
            "id": 15113
          },
          {
            "timestamp": "2026-05-28 22:01:58,646",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "synchronization",
            "api": "NtCreateMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a30"
              },
              {
                "name": "MutexName",
                "value": "Global\\C::Users:admin:AppData:Local:Microsoft:Windows:Explorer:iconcache_idx.db!rwReaderRefs"
              },
              {
                "name": "InitialOwner",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 15114
          },
          {
            "timestamp": "2026-05-28 22:01:58,646",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a50"
              }
            ],
            "repeated": 0,
            "id": 15115
          },
          {
            "timestamp": "2026-05-28 22:01:58,646",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a54"
              }
            ],
            "repeated": 0,
            "id": 15116
          },
          {
            "timestamp": "2026-05-28 22:01:58,646",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a30"
              }
            ],
            "repeated": 0,
            "id": 15117
          },
          {
            "timestamp": "2026-05-28 22:01:58,646",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a30"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000400",
                "pretty_value": "PROCESS_QUERY_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "7912"
              }
            ],
            "repeated": 0,
            "id": 15118
          },
          {
            "timestamp": "2026-05-28 22:01:58,646",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x00000a54"
              }
            ],
            "repeated": 0,
            "id": 15119
          },
          {
            "timestamp": "2026-05-28 22:01:58,646",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xd0\\xd5\\xdf\\x9d\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\\\x00E\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\xe9\\x03\\x00\\x00c\\x00h\\x00e\\x00_\\x001\\x006\\x00.\\x00d\\x00b\\x00\\x00\\x00\\x18\\xd6\\xdf\\x9d\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00,\\x00\\x00\\x00\\xfc\\x7f\\x00\\x00\\x01\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00@\\xd6\\xdf\\x9d\\xf0\\x00\\x00\\x00\\x02\\x00P\\x00\\x01\\x00\\x00\\x00\\x00\\x00$\\x00\\x00\\x00\\x00\\x10\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec"
              }
            ],
            "repeated": 0,
            "id": 15120
          },
          {
            "timestamp": "2026-05-28 22:01:58,646",
            "thread_id": "8604",
            "caller": "0x7ff6c28dd762",
            "parentcaller": "0x7ff6c28e161d",
            "category": "system",
            "api": "LdrpCallInitRoutine",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "MappedPath",
                "value": "\\Device\\HarddiskVolume2\\Windows\\System32\\wkscli"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc747d0000"
              },
              {
                "name": "InitRoutine",
                "value": "0x7ffc747d1e70"
              },
              {
                "name": "Reason",
                "value": "1"
              }
            ],
            "repeated": 0,
            "id": 15121
          },
          {
            "timestamp": "2026-05-28 22:01:58,646",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "synchronization",
            "api": "NtCreateMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a50"
              },
              {
                "name": "MutexName",
                "value": "Global\\C::Users:admin:AppData:Local:Microsoft:Windows:Explorer:iconcache_idx.db!rwReaderRefs"
              },
              {
                "name": "InitialOwner",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 15122
          },
          {
            "timestamp": "2026-05-28 22:01:58,646",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a54"
              }
            ],
            "repeated": 0,
            "id": 15123
          },
          {
            "timestamp": "2026-05-28 22:01:58,646",
            "thread_id": "5448",
            "caller": "0x7ffc756e6785",
            "parentcaller": "0x7ffc5f2aa73c",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a30"
              }
            ],
            "repeated": 0,
            "id": 15124
          },
          {
            "timestamp": "2026-05-28 22:01:58,646",
            "thread_id": "8604",
            "caller": "0x7ff6c28dd762",
            "parentcaller": "0x7ff6c28e161d",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff6c29dc000"
              },
              {
                "name": "ModuleName",
                "value": "taskmgr.exe"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 15125
          },
          {
            "timestamp": "2026-05-28 22:01:58,646",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a50"
              }
            ],
            "repeated": 0,
            "id": 15126
          },
          {
            "timestamp": "2026-05-28 22:01:58,646",
            "thread_id": "8604",
            "caller": "0x7ff6c28deafe",
            "parentcaller": "0x7ff6c28b7f5a",
            "category": "misc",
            "api": "GetComputerNameExW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ComputerName",
                "value": "JOHNS-PC"
              }
            ],
            "repeated": 0,
            "id": 15127
          },
          {
            "timestamp": "2026-05-28 22:01:58,646",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a50"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000400",
                "pretty_value": "PROCESS_QUERY_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "7912"
              }
            ],
            "repeated": 0,
            "id": 15128
          },
          {
            "timestamp": "2026-05-28 22:01:58,646",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x00000a30"
              }
            ],
            "repeated": 0,
            "id": 15129
          },
          {
            "timestamp": "2026-05-28 22:01:58,646",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "0\\xd5\\xdf\\x9d\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\\\x06\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\xe9\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x80\\x0c\\xbfT\\x92\\x02\\x00\\x00\\x88\\xd5\\xdf\\x9d\\xf0\\x00\\x00\\x00\\xe8\\xf6\\x8eT\\x92\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00C\\x00:\\x00\\\\x00U\\x00s\\x00e\\x00r\\x00s\\x00\\\\x00a\\x00d\\x00m\\x00i\\x00n\\x00\\\\x00A\\x00p\\x00p\\x00D\\x00a\\x00t\\x00a\\x00\\\\x00L\\x00o\\x00c\\x00a\\x00l\\x00\\\\x00M\\x00i\\x00c\\x00r\\x00o\\x00s\\x00o\\x00f\\x00t\\x00\\\\x00W\\x00"
              }
            ],
            "repeated": 0,
            "id": 15130
          },
          {
            "timestamp": "2026-05-28 22:01:58,646",
            "thread_id": "8604",
            "caller": "0x7ff6c28deafe",
            "parentcaller": "0x7ff6c28b7f5a",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000a54"
              },
              {
                "name": "DesiredAccess",
                "value": "0xc0100080",
                "pretty_value": "GENERIC_READ|GENERIC_WRITE|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "\\??\\PIPE\\wkssvc"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "3",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "no"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 15131
          },
          {
            "timestamp": "2026-05-28 22:01:58,646",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "synchronization",
            "api": "NtCreateMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a4c"
              },
              {
                "name": "MutexName",
                "value": "Global\\C::Users:admin:AppData:Local:Microsoft:Windows:Explorer:iconcache_idx.db!rwReaderRefs"
              },
              {
                "name": "InitialOwner",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 15132
          },
          {
            "timestamp": "2026-05-28 22:01:58,646",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a30"
              }
            ],
            "repeated": 0,
            "id": 15133
          },
          {
            "timestamp": "2026-05-28 22:01:58,646",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a50"
              }
            ],
            "repeated": 0,
            "id": 15134
          },
          {
            "timestamp": "2026-05-28 22:01:58,646",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a4c"
              }
            ],
            "repeated": 0,
            "id": 15135
          },
          {
            "timestamp": "2026-05-28 22:01:58,646",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a4c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000400",
                "pretty_value": "PROCESS_QUERY_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "7912"
              }
            ],
            "repeated": 0,
            "id": 15136
          },
          {
            "timestamp": "2026-05-28 22:01:58,646",
            "thread_id": "1496",
            "caller": "0x7ff6c28da9db",
            "parentcaller": "0x7ff6c28d6fb1",
            "category": "misc",
            "api": "GetCursorPos",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "x",
                "value": "633"
              },
              {
                "name": "y",
                "value": "401"
              }
            ],
            "repeated": 0,
            "id": 15137
          },
          {
            "timestamp": "2026-05-28 22:01:58,646",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x00000a50"
              }
            ],
            "repeated": 0,
            "id": 15138
          },
          {
            "timestamp": "2026-05-28 22:01:58,646",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xd0\\xd5\\xdf\\x9d\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\\\x00E\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\xe9\\x03\\x00\\x00c\\x00h\\x00e\\x00_\\x001\\x006\\x00.\\x00d\\x00b\\x00\\x00\\x00\\x18\\xd6\\xdf\\x9d\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00,\\x00\\x00\\x00\\xfc\\x7f\\x00\\x00\\x01\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00@\\xd6\\xdf\\x9d\\xf0\\x00\\x00\\x00\\x02\\x00P\\x00\\x01\\x00\\x00\\x00\\x00\\x00$\\x00\\x00\\x00\\x00\\x10\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec"
              }
            ],
            "repeated": 0,
            "id": 15139
          },
          {
            "timestamp": "2026-05-28 22:01:58,646",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "synchronization",
            "api": "NtCreateMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a30"
              },
              {
                "name": "MutexName",
                "value": "Global\\C::Users:admin:AppData:Local:Microsoft:Windows:Explorer:iconcache_idx.db!rwReaderRefs"
              },
              {
                "name": "InitialOwner",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 15140
          },
          {
            "timestamp": "2026-05-28 22:01:58,646",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6fb1",
            "parentcaller": "0x7ff6c28e0076",
            "category": "system",
            "api": "NtDelayExecution",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 15141
          },
          {
            "timestamp": "2026-05-28 22:01:58,646",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a50"
              }
            ],
            "repeated": 0,
            "id": 15142
          },
          {
            "timestamp": "2026-05-28 22:01:58,646",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a4c"
              }
            ],
            "repeated": 0,
            "id": 15143
          },
          {
            "timestamp": "2026-05-28 22:01:58,646",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a30"
              }
            ],
            "repeated": 0,
            "id": 15144
          },
          {
            "timestamp": "2026-05-28 22:01:58,646",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a30"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000400",
                "pretty_value": "PROCESS_QUERY_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "7912"
              }
            ],
            "repeated": 0,
            "id": 15145
          },
          {
            "timestamp": "2026-05-28 22:01:58,646",
            "thread_id": "8604",
            "caller": "0x7ff6c28deafe",
            "parentcaller": "0x7ff6c28b7f5a",
            "category": "filesystem",
            "api": "NtSetInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000a54"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\NamedPipe\\wkssvc"
              },
              {
                "name": "FileInformationClass",
                "value": "23",
                "pretty_value": "FilePipeInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 15146
          },
          {
            "timestamp": "2026-05-28 22:01:58,646",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x00000a4c"
              }
            ],
            "repeated": 0,
            "id": 15147
          },
          {
            "timestamp": "2026-05-28 22:01:58,646",
            "thread_id": "8604",
            "caller": "0x7ff6c28deafe",
            "parentcaller": "0x7ff6c28b7f5a",
            "category": "filesystem",
            "api": "NtSetInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000a54"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\NamedPipe\\wkssvc"
              },
              {
                "name": "FileInformationClass",
                "value": "41",
                "pretty_value": "FileIoStatusBlockRangeInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\x02\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 15148
          },
          {
            "timestamp": "2026-05-28 22:01:58,646",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "0\\xd5\\xdf\\x9d\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\\\x06\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\xe9\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x80\\x0c\\xbfT\\x92\\x02\\x00\\x00\\x88\\xd5\\xdf\\x9d\\xf0\\x00\\x00\\x00\\xe8\\xf6\\x8eT\\x92\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00C\\x00:\\x00\\\\x00U\\x00s\\x00e\\x00r\\x00s\\x00\\\\x00a\\x00d\\x00m\\x00i\\x00n\\x00\\\\x00A\\x00p\\x00p\\x00D\\x00a\\x00t\\x00a\\x00\\\\x00L\\x00o\\x00c\\x00a\\x00l\\x00\\\\x00M\\x00i\\x00c\\x00r\\x00o\\x00s\\x00o\\x00f\\x00t\\x00\\\\x00W\\x00"
              }
            ],
            "repeated": 0,
            "id": 15149
          },
          {
            "timestamp": "2026-05-28 22:01:58,646",
            "thread_id": "8604",
            "caller": "0x7ff6c28deafe",
            "parentcaller": "0x7ff6c28b7f5a",
            "category": "filesystem",
            "api": "NtSetInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000a54"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\NamedPipe\\wkssvc"
              },
              {
                "name": "FileInformationClass",
                "value": "30",
                "pretty_value": "FileCompletionInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\x00X\\xde\\x9fT\\x92\\x02\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 15150
          },
          {
            "timestamp": "2026-05-28 22:01:58,646",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "synchronization",
            "api": "NtCreateMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a50"
              },
              {
                "name": "MutexName",
                "value": "Global\\C::Users:admin:AppData:Local:Microsoft:Windows:Explorer:iconcache_idx.db!rwReaderRefs"
              },
              {
                "name": "InitialOwner",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 15151
          },
          {
            "timestamp": "2026-05-28 22:01:58,646",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a4c"
              }
            ],
            "repeated": 0,
            "id": 15152
          },
          {
            "timestamp": "2026-05-28 22:01:58,646",
            "thread_id": "8604",
            "caller": "0x7ff6c28deafe",
            "parentcaller": "0x7ff6c28b7f5a",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "Software\\Policies\\Microsoft\\Windows NT\\Rpc"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows NT\\Rpc"
              }
            ],
            "repeated": 0,
            "id": 15153
          },
          {
            "timestamp": "2026-05-28 22:01:58,646",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a30"
              }
            ],
            "repeated": 0,
            "id": 15154
          },
          {
            "timestamp": "2026-05-28 22:01:58,646",
            "thread_id": "8604",
            "caller": "0x7ff6c28deafe",
            "parentcaller": "0x7ff6c28b7f5a",
            "category": "filesystem",
            "api": "NtWriteFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000a54"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\NamedPipe\\wkssvc"
              },
              {
                "name": "Buffer",
                "value": "\\x05\\x00\\x0b\\x03\\x10\\x00\\x00\\x00\\xa0\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\xb8\\x10\\xb8\\x10\\x00\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x98\\xd0\\xffk\\x12\\xa1\\x106\\x983F\\xc3\\xf8~4Z\\x01\\x00\\x00\\x00\\x04]\\x88\\x8a\\xeb\\x1c\\xc9\\x11\\x9f\\xe8\\x08\\x00+\\x10H`\\x02\\x00\\x00\\x00\\x01\\x00\\x01\\x00\\x98\\xd0\\xffk\\x12\\xa1\\x106\\x983F\\xc3\\xf8~4Z\\x01\\x00\\x00\\x003\\x05qq\\xba\\xbe7I\\x83\\x19\\xb5\\xdb\\xef\\x9c\\xcc6\\x01\\x00\\x00\\x00\\x02\\x00\\x01\\x00\\x98\\xd0\\xffk\\x12\\xa1\\x106\\x983F\\xc3\\xf8~4Z\\x01\\x00\\x00\\x00,\\x1c\\xb7l\\x12\\x98@E\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00"
              },
              {
                "name": "Length",
                "value": "160"
              }
            ],
            "repeated": 0,
            "id": 15155
          },
          {
            "timestamp": "2026-05-28 22:01:58,646",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a50"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000400",
                "pretty_value": "PROCESS_QUERY_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "7912"
              }
            ],
            "repeated": 0,
            "id": 15156
          },
          {
            "timestamp": "2026-05-28 22:01:58,646",
            "thread_id": "8604",
            "caller": "0x7ff6c28deafe",
            "parentcaller": "0x7ff6c28b7f5a",
            "category": "filesystem",
            "api": "NtReadFile",
            "status": true,
            "return": "0x00000103",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000a54"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\NamedPipe\\wkssvc"
              },
              {
                "name": "Buffer",
                "value": ""
              },
              {
                "name": "Length",
                "value": "2826088480768"
              }
            ],
            "repeated": 0,
            "id": 15157
          },
          {
            "timestamp": "2026-05-28 22:01:58,646",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x00000a30"
              }
            ],
            "repeated": 0,
            "id": 15158
          },
          {
            "timestamp": "2026-05-28 22:01:58,646",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xd0\\xd5\\xdf\\x9d\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\\\x00E\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\xe9\\x03\\x00\\x00c\\x00h\\x00e\\x00_\\x001\\x006\\x00.\\x00d\\x00b\\x00\\x00\\x00\\x18\\xd6\\xdf\\x9d\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00,\\x00\\x00\\x00\\xfc\\x7f\\x00\\x00\\x01\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00@\\xd6\\xdf\\x9d\\xf0\\x00\\x00\\x00\\x02\\x00P\\x00\\x01\\x00\\x00\\x00\\x00\\x00$\\x00\\x00\\x00\\x00\\x10\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec"
              }
            ],
            "repeated": 0,
            "id": 15159
          },
          {
            "timestamp": "2026-05-28 22:01:58,646",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "synchronization",
            "api": "NtCreateMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a4c"
              },
              {
                "name": "MutexName",
                "value": "Global\\C::Users:admin:AppData:Local:Microsoft:Windows:Explorer:iconcache_idx.db!rwReaderRefs"
              },
              {
                "name": "InitialOwner",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 15160
          },
          {
            "timestamp": "2026-05-28 22:01:58,646",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a30"
              }
            ],
            "repeated": 0,
            "id": 15161
          },
          {
            "timestamp": "2026-05-28 22:01:58,646",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a50"
              }
            ],
            "repeated": 0,
            "id": 15162
          },
          {
            "timestamp": "2026-05-28 22:01:58,646",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a4c"
              }
            ],
            "repeated": 0,
            "id": 15163
          },
          {
            "timestamp": "2026-05-28 22:01:58,646",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a4c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000400",
                "pretty_value": "PROCESS_QUERY_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "7912"
              }
            ],
            "repeated": 0,
            "id": 15164
          },
          {
            "timestamp": "2026-05-28 22:01:58,646",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x00000a50"
              }
            ],
            "repeated": 0,
            "id": 15165
          },
          {
            "timestamp": "2026-05-28 22:01:58,646",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "0\\xd5\\xdf\\x9d\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\\\x06\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\xe9\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x80\\x0c\\xbfT\\x92\\x02\\x00\\x00\\x88\\xd5\\xdf\\x9d\\xf0\\x00\\x00\\x00\\xe8\\xf6\\x8eT\\x92\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00C\\x00:\\x00\\\\x00U\\x00s\\x00e\\x00r\\x00s\\x00\\\\x00a\\x00d\\x00m\\x00i\\x00n\\x00\\\\x00A\\x00p\\x00p\\x00D\\x00a\\x00t\\x00a\\x00\\\\x00L\\x00o\\x00c\\x00a\\x00l\\x00\\\\x00M\\x00i\\x00c\\x00r\\x00o\\x00s\\x00o\\x00f\\x00t\\x00\\\\x00W\\x00"
              }
            ],
            "repeated": 0,
            "id": 15166
          },
          {
            "timestamp": "2026-05-28 22:01:58,646",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "synchronization",
            "api": "NtCreateMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a30"
              },
              {
                "name": "MutexName",
                "value": "Global\\C::Users:admin:AppData:Local:Microsoft:Windows:Explorer:iconcache_idx.db!rwReaderRefs"
              },
              {
                "name": "InitialOwner",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 15167
          },
          {
            "timestamp": "2026-05-28 22:01:58,646",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a50"
              }
            ],
            "repeated": 0,
            "id": 15168
          },
          {
            "timestamp": "2026-05-28 22:01:58,646",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a4c"
              }
            ],
            "repeated": 0,
            "id": 15169
          },
          {
            "timestamp": "2026-05-28 22:01:58,646",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a30"
              }
            ],
            "repeated": 0,
            "id": 15170
          },
          {
            "timestamp": "2026-05-28 22:01:58,646",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a30"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000400",
                "pretty_value": "PROCESS_QUERY_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "7912"
              }
            ],
            "repeated": 0,
            "id": 15171
          },
          {
            "timestamp": "2026-05-28 22:01:58,646",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x00000a4c"
              }
            ],
            "repeated": 0,
            "id": 15172
          },
          {
            "timestamp": "2026-05-28 22:01:58,646",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xd0\\xd5\\xdf\\x9d\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\\\x00E\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\xe9\\x03\\x00\\x00c\\x00h\\x00e\\x00_\\x001\\x006\\x00.\\x00d\\x00b\\x00\\x00\\x00\\x18\\xd6\\xdf\\x9d\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00,\\x00\\x00\\x00\\xfc\\x7f\\x00\\x00\\x01\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00@\\xd6\\xdf\\x9d\\xf0\\x00\\x00\\x00\\x02\\x00P\\x00\\x01\\x00\\x00\\x00\\x00\\x00$\\x00\\x00\\x00\\x00\\x10\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec"
              }
            ],
            "repeated": 0,
            "id": 15173
          },
          {
            "timestamp": "2026-05-28 22:01:58,646",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "synchronization",
            "api": "NtCreateMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a50"
              },
              {
                "name": "MutexName",
                "value": "Global\\C::Users:admin:AppData:Local:Microsoft:Windows:Explorer:iconcache_idx.db!rwReaderRefs"
              },
              {
                "name": "InitialOwner",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 15174
          },
          {
            "timestamp": "2026-05-28 22:01:58,646",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a4c"
              }
            ],
            "repeated": 0,
            "id": 15175
          },
          {
            "timestamp": "2026-05-28 22:01:58,646",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a30"
              }
            ],
            "repeated": 0,
            "id": 15176
          },
          {
            "timestamp": "2026-05-28 22:01:58,646",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a50"
              }
            ],
            "repeated": 0,
            "id": 15177
          },
          {
            "timestamp": "2026-05-28 22:01:58,646",
            "thread_id": "8604",
            "caller": "0x7ff6c28bcc3e",
            "parentcaller": "0x7ff6c28baa3d",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000008a4"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\Nsi"
              },
              {
                "name": "IoControlCode",
                "value": "0x00120007"
              },
              {
                "name": "InputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb1\\xa9t\\xfc\\x7f\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xc0\\xe5O\\x9e\\xf0\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb1\\xa9t\\xfc\\x7f\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xc0\\xe5O\\x9e\\xf0\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 15178
          },
          {
            "timestamp": "2026-05-28 22:01:58,646",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a50"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000400",
                "pretty_value": "PROCESS_QUERY_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "7912"
              }
            ],
            "repeated": 0,
            "id": 15179
          },
          {
            "timestamp": "2026-05-28 22:01:58,646",
            "thread_id": "8604",
            "caller": "0x7ff6c28bcc3e",
            "parentcaller": "0x7ff6c28baa3d",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a48"
              }
            ],
            "repeated": 0,
            "id": 15180
          },
          {
            "timestamp": "2026-05-28 22:01:58,646",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x00000a30"
              }
            ],
            "repeated": 0,
            "id": 15181
          },
          {
            "timestamp": "2026-05-28 22:01:58,646",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "0\\xd5\\xdf\\x9d\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\\\x06\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\xe9\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x80\\x0c\\xbfT\\x92\\x02\\x00\\x00\\x88\\xd5\\xdf\\x9d\\xf0\\x00\\x00\\x00\\xe8\\xf6\\x8eT\\x92\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00C\\x00:\\x00\\\\x00U\\x00s\\x00e\\x00r\\x00s\\x00\\\\x00a\\x00d\\x00m\\x00i\\x00n\\x00\\\\x00A\\x00p\\x00p\\x00D\\x00a\\x00t\\x00a\\x00\\\\x00L\\x00o\\x00c\\x00a\\x00l\\x00\\\\x00M\\x00i\\x00c\\x00r\\x00o\\x00s\\x00o\\x00f\\x00t\\x00\\\\x00W\\x00"
              }
            ],
            "repeated": 0,
            "id": 15182
          },
          {
            "timestamp": "2026-05-28 22:01:58,646",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "synchronization",
            "api": "NtCreateMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a4c"
              },
              {
                "name": "MutexName",
                "value": "Global\\C::Users:admin:AppData:Local:Microsoft:Windows:Explorer:iconcache_idx.db!rwReaderRefs"
              },
              {
                "name": "InitialOwner",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 15183
          },
          {
            "timestamp": "2026-05-28 22:01:58,646",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a30"
              }
            ],
            "repeated": 0,
            "id": 15184
          },
          {
            "timestamp": "2026-05-28 22:01:58,646",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a50"
              }
            ],
            "repeated": 0,
            "id": 15185
          },
          {
            "timestamp": "2026-05-28 22:01:58,646",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a4c"
              }
            ],
            "repeated": 0,
            "id": 15186
          },
          {
            "timestamp": "2026-05-28 22:01:58,646",
            "thread_id": "8604",
            "caller": "0x7ff6c28bcc3e",
            "parentcaller": "0x7ff6c28baa3d",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000008a4"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\Nsi"
              },
              {
                "name": "IoControlCode",
                "value": "0x0012000f"
              },
              {
                "name": "InputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb1\\xa9t\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xd0\\xe5O\\x9e\\xf0\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\xeeO\\x9e\\xf0\\x00\\x00\\x00D\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xe6O\\x9e\\xf0\\x00\\x00\\x00\\xd8\\x00\\x00\\x00\\x00\\x00\\x00\\x00 \\xe9O\\x9e\\xf0\\x00\\x00\\x00X\\x02\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb1\\xa9t\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xd0\\xe5O\\x9e\\xf0\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\xeeO\\x9e\\xf0\\x00\\x00\\x00D\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xe6O\\x9e\\xf0\\x00\\x00\\x00\\xd8\\x00\\x00\\x00\\x00\\x00\\x00\\x00 \\xe9O\\x9e\\xf0\\x00\\x00\\x00X\\x02\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 15187
          },
          {
            "timestamp": "2026-05-28 22:01:58,646",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a4c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000400",
                "pretty_value": "PROCESS_QUERY_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "7912"
              }
            ],
            "repeated": 0,
            "id": 15188
          },
          {
            "timestamp": "2026-05-28 22:01:58,646",
            "thread_id": "8604",
            "caller": "0x7ffc756e6785",
            "parentcaller": "0x7ffc771d19e2",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a48"
              }
            ],
            "repeated": 0,
            "id": 15189
          },
          {
            "timestamp": "2026-05-28 22:01:58,646",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x00000a50"
              }
            ],
            "repeated": 0,
            "id": 15190
          },
          {
            "timestamp": "2026-05-28 22:01:58,646",
            "thread_id": "8604",
            "caller": "0x7ff6c28bcd3d",
            "parentcaller": "0x7ff6c28baa3d",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000a48"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0012019f",
                "pretty_value": "FILE_GENERIC_READ|FILE_GENERIC_WRITE"
              },
              {
                "name": "FileName",
                "value": "\\Device\\{4C572733-2FBA-4346-9601-F86DBA666EF2}"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 15191
          },
          {
            "timestamp": "2026-05-28 22:01:58,646",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "synchronization",
            "api": "NtCreateMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a30"
              },
              {
                "name": "MutexName",
                "value": "Global\\C::Users:admin:AppData:Local:Microsoft:Windows:Explorer:iconcache_idx.db!rwReaderRefs"
              },
              {
                "name": "InitialOwner",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 15192
          },
          {
            "timestamp": "2026-05-28 22:01:58,646",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a50"
              }
            ],
            "repeated": 0,
            "id": 15193
          },
          {
            "timestamp": "2026-05-28 22:01:58,646",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a4c"
              }
            ],
            "repeated": 0,
            "id": 15194
          },
          {
            "timestamp": "2026-05-28 22:01:58,646",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a30"
              }
            ],
            "repeated": 0,
            "id": 15195
          },
          {
            "timestamp": "2026-05-28 22:01:58,646",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a30"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000400",
                "pretty_value": "PROCESS_QUERY_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "7912"
              }
            ],
            "repeated": 0,
            "id": 15196
          },
          {
            "timestamp": "2026-05-28 22:01:58,646",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x00000a4c"
              }
            ],
            "repeated": 0,
            "id": 15197
          },
          {
            "timestamp": "2026-05-28 22:01:58,646",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "0\\xd5\\xdf\\x9d\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\\\x06\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\xe9\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x80\\x0c\\xbfT\\x92\\x02\\x00\\x00\\x88\\xd5\\xdf\\x9d\\xf0\\x00\\x00\\x00\\xe8\\xf6\\x8eT\\x92\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00C\\x00:\\x00\\\\x00U\\x00s\\x00e\\x00r\\x00s\\x00\\\\x00a\\x00d\\x00m\\x00i\\x00n\\x00\\\\x00A\\x00p\\x00p\\x00D\\x00a\\x00t\\x00a\\x00\\\\x00L\\x00o\\x00c\\x00a\\x00l\\x00\\\\x00M\\x00i\\x00c\\x00r\\x00o\\x00s\\x00o\\x00f\\x00t\\x00\\\\x00W\\x00"
              }
            ],
            "repeated": 0,
            "id": 15198
          },
          {
            "timestamp": "2026-05-28 22:01:58,646",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "synchronization",
            "api": "NtCreateMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a50"
              },
              {
                "name": "MutexName",
                "value": "Global\\C::Users:admin:AppData:Local:Microsoft:Windows:Explorer:iconcache_idx.db!rwReaderRefs"
              },
              {
                "name": "InitialOwner",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 15199
          },
          {
            "timestamp": "2026-05-28 22:01:58,646",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a4c"
              }
            ],
            "repeated": 0,
            "id": 15200
          },
          {
            "timestamp": "2026-05-28 22:01:58,646",
            "thread_id": "8604",
            "caller": "0x7ff6c28bcd94",
            "parentcaller": "0x7ff6c28baa3d",
            "category": "device",
            "api": "DeviceIoControl",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "DeviceHandle",
                "value": "0x00000a48"
              },
              {
                "name": "IoControlCode",
                "value": "0x0017003e"
              },
              {
                "name": "InBuffer",
                "value": "\\x07\\x01\\x01\\x00\\x04\\x01\\x01\\x80\\x14\\x01\\x01\\x80\\x01\\x01\\x02\\x00\\x02\\x01\\x02\\x00\\x03\\x01\\x02\\x00\\x04\\x01\\x02\\x00\\x08\\x02\\x02\\x80\\x01\\x02\\x02\\x80\\x07\\x02\\x02\\x80\\xff\\xff\\xff\\x80\\x13\\x02\\x02\\x80\\x14\\x02\\x02\\x80\\x15\\x02\\x02\\x80\\x02\\x02\\x01\\x80"
              },
              {
                "name": "OutBuffer",
                "value": "\\x07\\x01\\x01\\x00\\x04\\x00\\x00\\x00\\x80\\x96\\x98\\x00\\x04\\x01\\x01\\x80\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x14\\x01\\x01\\x80\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x01\\x02\\x00\\x08\\x00\\x00\\x005\\x0b\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x01\\x02\\x00\\x08\\x00\\x00\\x00S@\\x00\\x00\\x00\\x00\\x00\\x00\\x03\\x01\\x02\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x04\\x01\\x02\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x08\\x02\\x02\\x80\\x08\\x00\\x00\\x00N@\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x02\\x02\\x80\\x08\\x00\\x00\\x00\\x0f\\x911\\x00\\x00\\x00\\x00\\x00\\x07\\x02\\x02\\x80\\x08\\x00\\x00\\x00X\\xfbC\\x01\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\x80\\x04\\x00\\x00\\x00@\\x00\\x00\\x00\\x13\\x02\\x02\\x80\\x04\\x00\\x00\\x00m\\x00\\x00\\x00\\x14\\x02\\x02\\x80\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x15\\x02\\x02\\x80\\x04\\x00\\x00\\x00\\x00\\x00\\x04\\x00\\x02\\x02\\x01\\x80\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 15201
          },
          {
            "timestamp": "2026-05-28 22:01:58,646",
            "thread_id": "8604",
            "caller": "0x7ffc756e6785",
            "parentcaller": "0x7ff6c28bcdab",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a48"
              }
            ],
            "repeated": 0,
            "id": 15202
          },
          {
            "timestamp": "2026-05-28 22:01:58,646",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a50"
              }
            ],
            "repeated": 0,
            "id": 15203
          },
          {
            "timestamp": "2026-05-28 22:01:58,646",
            "thread_id": "8604",
            "caller": "0x7ff6c28c1c8f",
            "parentcaller": "0x7ff6c28d9152",
            "category": "device",
            "api": "DeviceIoControl",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "DeviceHandle",
                "value": "0x0000089c"
              },
              {
                "name": "IoControlCode",
                "value": "0x00070020"
              },
              {
                "name": "InBuffer",
                "value": ""
              },
              {
                "name": "OutBuffer",
                "value": "\\x00f\\xde]\\x00\\x00\\x00\\x00\\x00\\xb8M\\x08\\x00\\x00\\x00\\x00b\\xd0\\xb8\\x0f\\x00\\x00\\x00\\x00)\\xc0i\\x10\\x00\\x00\\x00\\x00\\x9e+J\\x19\\x00\\x00\\x00\\x00\\xccd\\x00\\x00\\xcf\\x0c\\x00\\x00\\x00\\x00\\x00\\x00\\x87\\x03\\x00\\x004\\xf5\\xd2\\x9a\\xed\\xee\\xdc\\x01\\x00\\x00\\x00\\x00P\\x00a\\x00r\\x00t\\x00m\\x00g\\x00r\\x00 \\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 15204
          },
          {
            "timestamp": "2026-05-28 22:01:58,646",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a50"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000400",
                "pretty_value": "PROCESS_QUERY_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "7912"
              }
            ],
            "repeated": 0,
            "id": 15205
          },
          {
            "timestamp": "2026-05-28 22:01:58,646",
            "thread_id": "8604",
            "caller": "0x7ff6c28c1a63",
            "parentcaller": "0x7ff6c28d9152",
            "category": "device",
            "api": "DeviceIoControl",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "DeviceHandle",
                "value": "0x0000089c"
              },
              {
                "name": "IoControlCode",
                "value": "0x00070020"
              },
              {
                "name": "InBuffer",
                "value": ""
              },
              {
                "name": "OutBuffer",
                "value": "\\x00f\\xde]\\x00\\x00\\x00\\x00\\x00\\xb8M\\x08\\x00\\x00\\x00\\x00b\\xd0\\xb8\\x0f\\x00\\x00\\x00\\x00)\\xc0i\\x10\\x00\\x00\\x00\\x00g,J\\x19\\x00\\x00\\x00\\x00\\xccd\\x00\\x00\\xcf\\x0c\\x00\\x00\\x00\\x00\\x00\\x00\\x87\\x03\\x00\\x004\\xf5\\xd2\\x9a\\xed\\xee\\xdc\\x01\\x00\\x00\\x00\\x00P\\x00a\\x00r\\x00t\\x00m\\x00g\\x00r\\x00 \\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 15206
          },
          {
            "timestamp": "2026-05-28 22:01:58,646",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x00000a30"
              }
            ],
            "repeated": 0,
            "id": 15207
          },
          {
            "timestamp": "2026-05-28 22:01:58,646",
            "thread_id": "8604",
            "caller": "0x7ff6c28ca352",
            "parentcaller": "0x7ff6c28ca1d6",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 15208
          },
          {
            "timestamp": "2026-05-28 22:01:58,646",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xd0\\xd5\\xdf\\x9d\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\\\x00E\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\xe9\\x03\\x00\\x00c\\x00h\\x00e\\x00_\\x001\\x006\\x00.\\x00d\\x00b\\x00\\x00\\x00\\x18\\xd6\\xdf\\x9d\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00,\\x00\\x00\\x00\\xfc\\x7f\\x00\\x00\\x01\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00@\\xd6\\xdf\\x9d\\xf0\\x00\\x00\\x00\\x02\\x00P\\x00\\x01\\x00\\x00\\x00\\x00\\x00$\\x00\\x00\\x00\\x00\\x10\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec"
              }
            ],
            "repeated": 0,
            "id": 15209
          },
          {
            "timestamp": "2026-05-28 22:01:58,646",
            "thread_id": "8604",
            "caller": "0x7ff6c28ca352",
            "parentcaller": "0x7ff6c28ca1d6",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "0",
                "pretty_value": "ThreadBasicInformation"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x03\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb0\\x88\\x9d\\xf0\\x00\\x00\\x00\\xe8\\x1e\\x00\\x00\\x00\\x00\\x00\\x00\\x9c!\\x00\\x00\\x00\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x0c\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "8604"
              }
            ],
            "repeated": 0,
            "id": 15210
          },
          {
            "timestamp": "2026-05-28 22:01:58,646",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "synchronization",
            "api": "NtCreateMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a4c"
              },
              {
                "name": "MutexName",
                "value": "Global\\C::Users:admin:AppData:Local:Microsoft:Windows:Explorer:iconcache_idx.db!rwReaderRefs"
              },
              {
                "name": "InitialOwner",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 15211
          },
          {
            "timestamp": "2026-05-28 22:01:58,646",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a30"
              }
            ],
            "repeated": 0,
            "id": 15212
          },
          {
            "timestamp": "2026-05-28 22:01:58,646",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a50"
              }
            ],
            "repeated": 0,
            "id": 15213
          },
          {
            "timestamp": "2026-05-28 22:01:58,646",
            "thread_id": "8604",
            "caller": "0x7ff6c28ca352",
            "parentcaller": "0x7ff6c28ca1d6",
            "category": "system",
            "api": "GetSystemTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 1,
            "id": 15214
          },
          {
            "timestamp": "2026-05-28 22:01:58,646",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a4c"
              }
            ],
            "repeated": 0,
            "id": 15215
          },
          {
            "timestamp": "2026-05-28 22:01:58,646",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a4c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000400",
                "pretty_value": "PROCESS_QUERY_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "7912"
              }
            ],
            "repeated": 0,
            "id": 15216
          },
          {
            "timestamp": "2026-05-28 22:01:58,646",
            "thread_id": "8604",
            "caller": "0x7ff6c28ca352",
            "parentcaller": "0x7ff6c28ca1d6",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000410"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\PcwDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00224013"
              },
              {
                "name": "InputBuffer",
                "value": "\\x00\t\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": "\\xc8A\\x00\\x00\\x10\\x00\\x00\\x00\\x0c\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x80\\x12\\x00\\x00 \\x00\\x00\\x00\\x1e\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\n\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x98\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x88\\x00\\x00\\x00\\x01\\x00\\x00\\x00p\\x00i\\x00d\\x00_\\x004\\x00_\\x00l\\x00u\\x00i\\x00d\\x00_\\x000\\x00x\\x000\\x000\\x000\\x000\\x000\\x000\\x000\\x000\\x00_\\x000\\x00x\\x000\\x000\\x000\\x000\\x006\\x001\\x006\\x00A\\x00_\\x00p\\x00h\\x00y\\x00s\\x00_\\x000\\x00_\\x00e\\x00n\\x00g\\x00_\\x000\\x00_\\x00e\\x00n\\x00g\\x00t\\x00y\\x00p\\x00e\\x00_\\x003\\x00D\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x01\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x98\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x88\\x00\\x00\\x00\\x01\\x00\\x00\\x00p\\x00i\\x00d\\x00_\\x004\\x00_\\x00l\\x00u\\x00i\\x00d\\x00_\\x000\\x00x\\x000\\x000\\x000\\x000\\x000\\x000\\x000\\x00"
              }
            ],
            "repeated": 0,
            "id": 15217
          },
          {
            "timestamp": "2026-05-28 22:01:58,646",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "0\\xd5\\xdf\\x9d\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\\\x06\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\xe9\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x80\\x0c\\xbfT\\x92\\x02\\x00\\x00\\x88\\xd5\\xdf\\x9d\\xf0\\x00\\x00\\x00\\xe8\\xf6\\x8eT\\x92\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00C\\x00:\\x00\\\\x00U\\x00s\\x00e\\x00r\\x00s\\x00\\\\x00a\\x00d\\x00m\\x00i\\x00n\\x00\\\\x00A\\x00p\\x00p\\x00D\\x00a\\x00t\\x00a\\x00\\\\x00L\\x00o\\x00c\\x00a\\x00l\\x00\\\\x00M\\x00i\\x00c\\x00r\\x00o\\x00s\\x00o\\x00f\\x00t\\x00\\\\x00W\\x00"
              }
            ],
            "repeated": 0,
            "id": 15218
          },
          {
            "timestamp": "2026-05-28 22:01:58,646",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "synchronization",
            "api": "NtCreateMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a30"
              },
              {
                "name": "MutexName",
                "value": "Global\\C::Users:admin:AppData:Local:Microsoft:Windows:Explorer:iconcache_idx.db!rwReaderRefs"
              },
              {
                "name": "InitialOwner",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 15219
          },
          {
            "timestamp": "2026-05-28 22:01:58,646",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a50"
              }
            ],
            "repeated": 0,
            "id": 15220
          },
          {
            "timestamp": "2026-05-28 22:01:58,646",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a4c"
              }
            ],
            "repeated": 0,
            "id": 15221
          },
          {
            "timestamp": "2026-05-28 22:01:58,646",
            "thread_id": "8604",
            "caller": "0x7ff6c28ca352",
            "parentcaller": "0x7ff6c28ca1d6",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254ac5000"
              },
              {
                "name": "RegionSize",
                "value": "0x00002000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 15222
          },
          {
            "timestamp": "2026-05-28 22:01:58,646",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a30"
              }
            ],
            "repeated": 0,
            "id": 15223
          },
          {
            "timestamp": "2026-05-28 22:01:58,646",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a30"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000400",
                "pretty_value": "PROCESS_QUERY_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "7912"
              }
            ],
            "repeated": 0,
            "id": 15224
          },
          {
            "timestamp": "2026-05-28 22:01:58,646",
            "thread_id": "8604",
            "caller": "0x7ff6c28ca467",
            "parentcaller": "0x7ff6c28ca1d6",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x292541f5000"
              },
              {
                "name": "RegionSize",
                "value": "0x00003000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 15225
          },
          {
            "timestamp": "2026-05-28 22:01:58,646",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x00000a4c"
              }
            ],
            "repeated": 0,
            "id": 15226
          },
          {
            "timestamp": "2026-05-28 22:01:58,646",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xd0\\xd5\\xdf\\x9d\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\\\x00E\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\xe9\\x03\\x00\\x00c\\x00h\\x00e\\x00_\\x001\\x006\\x00.\\x00d\\x00b\\x00\\x00\\x00\\x18\\xd6\\xdf\\x9d\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00,\\x00\\x00\\x00\\xfc\\x7f\\x00\\x00\\x01\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00@\\xd6\\xdf\\x9d\\xf0\\x00\\x00\\x00\\x02\\x00P\\x00\\x01\\x00\\x00\\x00\\x00\\x00$\\x00\\x00\\x00\\x00\\x10\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec"
              }
            ],
            "repeated": 0,
            "id": 15227
          },
          {
            "timestamp": "2026-05-28 22:01:58,646",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "synchronization",
            "api": "NtCreateMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a50"
              },
              {
                "name": "MutexName",
                "value": "Global\\C::Users:admin:AppData:Local:Microsoft:Windows:Explorer:iconcache_idx.db!rwReaderRefs"
              },
              {
                "name": "InitialOwner",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 15228
          },
          {
            "timestamp": "2026-05-28 22:01:58,646",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a4c"
              }
            ],
            "repeated": 0,
            "id": 15229
          },
          {
            "timestamp": "2026-05-28 22:01:58,646",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a30"
              }
            ],
            "repeated": 0,
            "id": 15230
          },
          {
            "timestamp": "2026-05-28 22:01:58,646",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a50"
              }
            ],
            "repeated": 0,
            "id": 15231
          },
          {
            "timestamp": "2026-05-28 22:01:58,646",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000808"
              },
              {
                "name": "HandleName",
                "value": "C:\\Users\\admin\\AppData\\Local\\Microsoft\\Windows\\Explorer\\iconcache_idx.db"
              },
              {
                "name": "FileInformationClass",
                "value": "5",
                "pretty_value": "FileStandardInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\x00\\x80\\x00\\x00\\x00\\x00\\x00\\x000r\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 15232
          },
          {
            "timestamp": "2026-05-28 22:01:58,646",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a50"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000400",
                "pretty_value": "PROCESS_QUERY_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "7912"
              }
            ],
            "repeated": 0,
            "id": 15233
          },
          {
            "timestamp": "2026-05-28 22:01:58,646",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x00000a30"
              }
            ],
            "repeated": 0,
            "id": 15234
          },
          {
            "timestamp": "2026-05-28 22:01:58,646",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "`\\xd2\\xdf\\x9d\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\xe9\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\xd0\\x84\\xd93\\xfc\\x7f\\x00\\x00\\x18\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xf0\\x00\\x00\\x00`\\xda\\xd9\\xff\\xff\\xff\\xff\\xffH\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xbc\\x07\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 15235
          },
          {
            "timestamp": "2026-05-28 22:01:58,646",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "synchronization",
            "api": "NtCreateMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a4c"
              },
              {
                "name": "MutexName",
                "value": "Global\\C::Users:admin:AppData:Local:Microsoft:Windows:Explorer:iconcache_idx.db!rwReaderRefs"
              },
              {
                "name": "InitialOwner",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 15236
          },
          {
            "timestamp": "2026-05-28 22:01:58,646",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a30"
              }
            ],
            "repeated": 0,
            "id": 15237
          },
          {
            "timestamp": "2026-05-28 22:01:58,646",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a50"
              }
            ],
            "repeated": 0,
            "id": 15238
          },
          {
            "timestamp": "2026-05-28 22:01:58,646",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a4c"
              }
            ],
            "repeated": 0,
            "id": 15239
          },
          {
            "timestamp": "2026-05-28 22:01:58,646",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a4c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000400",
                "pretty_value": "PROCESS_QUERY_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "7912"
              }
            ],
            "repeated": 0,
            "id": 15240
          },
          {
            "timestamp": "2026-05-28 22:01:58,646",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x00000a50"
              }
            ],
            "repeated": 0,
            "id": 15241
          },
          {
            "timestamp": "2026-05-28 22:01:58,646",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "`\\xd2\\xdf\\x9d\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\xe9\\x03\\x00\\x00\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x9a\\x00h8\\xfc\\x7f\\x00\\x00L\n\\x00\\x00\\x00\\x00\\x00\\x00L\n\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x81|\\xd93\\xfc\\x7f\\x00\\x00(\\x8b\\xd93\\xfc\\x7f\\x00\\x00L\n\\x00\\x00\\x00\\x00\\x00\\x00L\n\\x00\\x00\\x00\\x00\\x00\\x00\\x0f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x85gnu\\xfc\\x7f\\x00\\x00L\n\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 15242
          },
          {
            "timestamp": "2026-05-28 22:01:58,646",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "synchronization",
            "api": "NtCreateMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a30"
              },
              {
                "name": "MutexName",
                "value": "Global\\C::Users:admin:AppData:Local:Microsoft:Windows:Explorer:iconcache_idx.db!rwReaderRefs"
              },
              {
                "name": "InitialOwner",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 15243
          },
          {
            "timestamp": "2026-05-28 22:01:58,646",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a50"
              }
            ],
            "repeated": 0,
            "id": 15244
          },
          {
            "timestamp": "2026-05-28 22:01:58,646",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a4c"
              }
            ],
            "repeated": 0,
            "id": 15245
          },
          {
            "timestamp": "2026-05-28 22:01:58,646",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a30"
              }
            ],
            "repeated": 0,
            "id": 15246
          },
          {
            "timestamp": "2026-05-28 22:01:58,646",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a30"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000400",
                "pretty_value": "PROCESS_QUERY_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "7912"
              }
            ],
            "repeated": 0,
            "id": 15247
          },
          {
            "timestamp": "2026-05-28 22:01:58,646",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x00000a4c"
              }
            ],
            "repeated": 0,
            "id": 15248
          },
          {
            "timestamp": "2026-05-28 22:01:58,646",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "`\\xd2\\xdf\\x9d\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\xe9\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x9a\\x00X8\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00`\\xda\\xd9\\xff\\xff\\xff\\xff\\xffH\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 15249
          },
          {
            "timestamp": "2026-05-28 22:01:58,646",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "synchronization",
            "api": "NtCreateMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a50"
              },
              {
                "name": "MutexName",
                "value": "Global\\C::Users:admin:AppData:Local:Microsoft:Windows:Explorer:iconcache_idx.db!rwReaderRefs"
              },
              {
                "name": "InitialOwner",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 15250
          },
          {
            "timestamp": "2026-05-28 22:01:58,646",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a4c"
              }
            ],
            "repeated": 0,
            "id": 15251
          },
          {
            "timestamp": "2026-05-28 22:01:58,646",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a30"
              }
            ],
            "repeated": 0,
            "id": 15252
          },
          {
            "timestamp": "2026-05-28 22:01:58,646",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a50"
              }
            ],
            "repeated": 0,
            "id": 15253
          },
          {
            "timestamp": "2026-05-28 22:01:58,646",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a50"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000400",
                "pretty_value": "PROCESS_QUERY_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "7912"
              }
            ],
            "repeated": 0,
            "id": 15254
          },
          {
            "timestamp": "2026-05-28 22:01:58,646",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x00000a30"
              }
            ],
            "repeated": 0,
            "id": 15255
          },
          {
            "timestamp": "2026-05-28 22:01:58,646",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "`\\xd2\\xdf\\x9d\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\xe9\\x03\\x00\\x00\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x9a\\x00h8\\xfc\\x7f\\x00\\x00P\n\\x00\\x00\\x00\\x00\\x00\\x00P\n\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x81|\\xd93\\xfc\\x7f\\x00\\x00(\\x8b\\xd93\\xfc\\x7f\\x00\\x00P\n\\x00\\x00\\x00\\x00\\x00\\x00P\n\\x00\\x00\\x00\\x00\\x00\\x00\\x0f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x85gnu\\xfc\\x7f\\x00\\x00P\n\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 15256
          },
          {
            "timestamp": "2026-05-28 22:01:58,646",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "synchronization",
            "api": "NtCreateMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a4c"
              },
              {
                "name": "MutexName",
                "value": "Global\\C::Users:admin:AppData:Local:Microsoft:Windows:Explorer:iconcache_idx.db!rwReaderRefs"
              },
              {
                "name": "InitialOwner",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 15257
          },
          {
            "timestamp": "2026-05-28 22:01:58,646",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a30"
              }
            ],
            "repeated": 0,
            "id": 15258
          },
          {
            "timestamp": "2026-05-28 22:01:58,646",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a50"
              }
            ],
            "repeated": 0,
            "id": 15259
          },
          {
            "timestamp": "2026-05-28 22:01:58,646",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a4c"
              }
            ],
            "repeated": 0,
            "id": 15260
          },
          {
            "timestamp": "2026-05-28 22:01:58,646",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000a4c"
              },
              {
                "name": "DesiredAccess",
                "value": "0xc0100080",
                "pretty_value": "GENERIC_READ|GENERIC_WRITE|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Users\\admin\\AppData\\Local\\Microsoft\\Windows\\Explorer\\iconcache_16.db"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 15261
          },
          {
            "timestamp": "2026-05-28 22:01:58,662",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "filesystem",
            "api": "NtSetInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000a4c"
              },
              {
                "name": "HandleName",
                "value": "C:\\Users\\admin\\AppData\\Local\\Microsoft\\Windows\\Explorer\\iconcache_16.db"
              },
              {
                "name": "FileInformationClass",
                "value": "74"
              },
              {
                "name": "FileInformation",
                "value": "\\x02\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 15262
          },
          {
            "timestamp": "2026-05-28 22:01:58,662",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000a4c"
              },
              {
                "name": "HandleName",
                "value": "C:\\Users\\admin\\AppData\\Local\\Microsoft\\Windows\\Explorer\\iconcache_16.db"
              },
              {
                "name": "FileInformationClass",
                "value": "5",
                "pretty_value": "FileStandardInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 15263
          },
          {
            "timestamp": "2026-05-28 22:01:58,662",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000a48"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0007",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ|SECTION_MAP_WRITE"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000a4c"
              },
              {
                "name": "FileName",
                "value": "C:\\Users\\admin\\AppData\\Local\\Microsoft\\Windows\\Explorer\\iconcache_16.db"
              }
            ],
            "repeated": 0,
            "id": 15264
          },
          {
            "timestamp": "2026-05-28 22:01:58,662",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000a4c"
              },
              {
                "name": "HandleName",
                "value": "C:\\Users\\admin\\AppData\\Local\\Microsoft\\Windows\\Explorer\\iconcache_16.db"
              },
              {
                "name": "FileInformationClass",
                "value": "5",
                "pretty_value": "FileStandardInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 1,
            "id": 15265
          },
          {
            "timestamp": "2026-05-28 22:01:58,662",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a44"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000400",
                "pretty_value": "PROCESS_QUERY_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "7912"
              }
            ],
            "repeated": 0,
            "id": 15266
          },
          {
            "timestamp": "2026-05-28 22:01:58,662",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x00000a40"
              }
            ],
            "repeated": 0,
            "id": 15267
          },
          {
            "timestamp": "2026-05-28 22:01:58,662",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "`\\xd3\\xdf\\x9d\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\xe9\\x03\\x00\\x00\\x92\\x02\\x00\\x00\\x90\\x84\\xd93\\xfc\\x7f\\x00\\x00\\x05\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xfc\\x7f\\x00\\x00`\\xda\\xd9\\xff\\xff\\xff\\xff\\xffH\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x88>\\x18T\\x92\\x02\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 15268
          },
          {
            "timestamp": "2026-05-28 22:01:58,662",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "synchronization",
            "api": "NtCreateMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a3c"
              },
              {
                "name": "MutexName",
                "value": "Global\\C::Users:admin:AppData:Local:Microsoft:Windows:Explorer:iconcache_idx.db!rwReaderRefs"
              },
              {
                "name": "InitialOwner",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 15269
          },
          {
            "timestamp": "2026-05-28 22:01:58,662",
            "thread_id": "1496",
            "caller": "0x7ff6c28da9db",
            "parentcaller": "0x7ff6c28d6fb1",
            "category": "misc",
            "api": "GetCursorPos",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "x",
                "value": "632"
              },
              {
                "name": "y",
                "value": "400"
              }
            ],
            "repeated": 0,
            "id": 15270
          },
          {
            "timestamp": "2026-05-28 22:01:58,662",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a40"
              }
            ],
            "repeated": 0,
            "id": 15271
          },
          {
            "timestamp": "2026-05-28 22:01:58,662",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a44"
              }
            ],
            "repeated": 0,
            "id": 15272
          },
          {
            "timestamp": "2026-05-28 22:01:58,662",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a3c"
              }
            ],
            "repeated": 0,
            "id": 15273
          },
          {
            "timestamp": "2026-05-28 22:01:58,662",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6fb1",
            "parentcaller": "0x7ff6c28e0076",
            "category": "system",
            "api": "NtDelayExecution",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 15274
          },
          {
            "timestamp": "2026-05-28 22:01:58,662",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a3c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000400",
                "pretty_value": "PROCESS_QUERY_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "7912"
              }
            ],
            "repeated": 0,
            "id": 15275
          },
          {
            "timestamp": "2026-05-28 22:01:58,662",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x00000a44"
              }
            ],
            "repeated": 0,
            "id": 15276
          },
          {
            "timestamp": "2026-05-28 22:01:58,662",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "p\\xd3\\xdf\\x9d\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xfc\\x7f\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\xe9\\x03\\x00\\x00\\xfc\\x7f\\x00\\x00\\x00\\xd4\\xdf\\x9d\\xf0\\x00\\x00\\x00\\xbc\\x07\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xe0\r\\xecP\\x92\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xbc\\x07\\x00\\x00\\x00\\x00\\x00\\x00 \\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x02\\x00\\x00\\x00\\x00\\x00\\x00]\\xddmu\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x88>\\x18T\\x92\\x02\\x00\\x00\\xea0\\x07Ou\\xc0\\x00\\x00\\xe8\\xf6\\x8eT\\x92\\x02\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 15277
          },
          {
            "timestamp": "2026-05-28 22:01:58,662",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "synchronization",
            "api": "NtCreateMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a40"
              },
              {
                "name": "MutexName",
                "value": "Global\\C::Users:admin:AppData:Local:Microsoft:Windows:Explorer:iconcache_idx.db!rwReaderRefs"
              },
              {
                "name": "InitialOwner",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 15278
          },
          {
            "timestamp": "2026-05-28 22:01:58,662",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a44"
              }
            ],
            "repeated": 0,
            "id": 15279
          },
          {
            "timestamp": "2026-05-28 22:01:58,662",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a3c"
              }
            ],
            "repeated": 0,
            "id": 15280
          },
          {
            "timestamp": "2026-05-28 22:01:58,662",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a40"
              }
            ],
            "repeated": 0,
            "id": 15281
          },
          {
            "timestamp": "2026-05-28 22:01:58,662",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000a48"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254af0000"
              },
              {
                "name": "SectionOffset",
                "value": "0xf09ddfd370"
              },
              {
                "name": "ViewSize",
                "value": "0x00100000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 15282
          },
          {
            "timestamp": "2026-05-28 22:01:58,662",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "system",
            "api": "NtDuplicateObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SourceProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "SourceHandle",
                "value": "0x00000a4c"
              },
              {
                "name": "TargetProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "TargetHandle",
                "value": "0x00000a40"
              },
              {
                "name": "Options",
                "value": "0x00000002"
              }
            ],
            "repeated": 0,
            "id": 15283
          },
          {
            "timestamp": "2026-05-28 22:01:58,662",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000007d4"
              }
            ],
            "repeated": 0,
            "id": 15284
          },
          {
            "timestamp": "2026-05-28 22:01:58,662",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000007d4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000400",
                "pretty_value": "PROCESS_QUERY_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "7912"
              }
            ],
            "repeated": 0,
            "id": 15285
          },
          {
            "timestamp": "2026-05-28 22:01:58,662",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x00000a3c"
              }
            ],
            "repeated": 0,
            "id": 15286
          },
          {
            "timestamp": "2026-05-28 22:01:58,662",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\x90\\xd6\\xdf\\x9d\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\xe9\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00H\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00p\\xc3\\xe8S\\x92\\x02\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 15287
          },
          {
            "timestamp": "2026-05-28 22:01:58,662",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "synchronization",
            "api": "NtCreateMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a44"
              },
              {
                "name": "MutexName",
                "value": "Global\\C::Users:admin:AppData:Local:Microsoft:Windows:Explorer:iconcache_idx.db!rwReaderRefs"
              },
              {
                "name": "InitialOwner",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 15288
          },
          {
            "timestamp": "2026-05-28 22:01:58,662",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a3c"
              }
            ],
            "repeated": 0,
            "id": 15289
          },
          {
            "timestamp": "2026-05-28 22:01:58,662",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000007d4"
              }
            ],
            "repeated": 0,
            "id": 15290
          },
          {
            "timestamp": "2026-05-28 22:01:58,662",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000808"
              },
              {
                "name": "HandleName",
                "value": "C:\\Users\\admin\\AppData\\Local\\Microsoft\\Windows\\Explorer\\iconcache_idx.db"
              },
              {
                "name": "FileInformationClass",
                "value": "5",
                "pretty_value": "FileStandardInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\x00\\x80\\x00\\x00\\x00\\x00\\x00\\x000r\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 15291
          },
          {
            "timestamp": "2026-05-28 22:01:58,662",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a44"
              }
            ],
            "repeated": 0,
            "id": 15292
          },
          {
            "timestamp": "2026-05-28 22:01:58,662",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a44"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000400",
                "pretty_value": "PROCESS_QUERY_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "7912"
              }
            ],
            "repeated": 0,
            "id": 15293
          },
          {
            "timestamp": "2026-05-28 22:01:58,662",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x000007d4"
              }
            ],
            "repeated": 0,
            "id": 15294
          },
          {
            "timestamp": "2026-05-28 22:01:58,662",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xa0\\xd6\\xdf\\x9d\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\xe9\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xbc\\x07\\x00\\x00\\x00\\x00\\x00\\x00 \\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x02\\x00\\x00\\x00\\x00\\x00\\x00]\\xddmu\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00p\\xc3\\xe8S\\x92\\x02\\x00\\x00\\xda7\\x07Ou\\xc0\\x00\\x00\\xe8\\xf6\\x8eT\\x92\\x02\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 15295
          },
          {
            "timestamp": "2026-05-28 22:01:58,662",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "synchronization",
            "api": "NtCreateMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a50"
              },
              {
                "name": "MutexName",
                "value": "Global\\C::Users:admin:AppData:Local:Microsoft:Windows:Explorer:iconcache_idx.db!rwReaderRefs"
              },
              {
                "name": "InitialOwner",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 15296
          },
          {
            "timestamp": "2026-05-28 22:01:58,662",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000007d4"
              }
            ],
            "repeated": 0,
            "id": 15297
          },
          {
            "timestamp": "2026-05-28 22:01:58,662",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a44"
              }
            ],
            "repeated": 0,
            "id": 15298
          },
          {
            "timestamp": "2026-05-28 22:01:58,662",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a50"
              }
            ],
            "repeated": 0,
            "id": 15299
          },
          {
            "timestamp": "2026-05-28 22:01:58,662",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a50"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000400",
                "pretty_value": "PROCESS_QUERY_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "7912"
              }
            ],
            "repeated": 0,
            "id": 15300
          },
          {
            "timestamp": "2026-05-28 22:01:58,662",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x00000a44"
              }
            ],
            "repeated": 0,
            "id": 15301
          },
          {
            "timestamp": "2026-05-28 22:01:58,662",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "`\\xd8\\xdf\\x9d\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\xe9\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xc0\\xab._\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00H\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 15302
          },
          {
            "timestamp": "2026-05-28 22:01:58,662",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "synchronization",
            "api": "NtCreateMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000007d4"
              },
              {
                "name": "MutexName",
                "value": "Global\\C::Users:admin:AppData:Local:Microsoft:Windows:Explorer:iconcache_idx.db!rwReaderRefs"
              },
              {
                "name": "InitialOwner",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 15303
          },
          {
            "timestamp": "2026-05-28 22:01:58,662",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a44"
              }
            ],
            "repeated": 0,
            "id": 15304
          },
          {
            "timestamp": "2026-05-28 22:01:58,662",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a50"
              }
            ],
            "repeated": 0,
            "id": 15305
          },
          {
            "timestamp": "2026-05-28 22:01:58,662",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000808"
              },
              {
                "name": "HandleName",
                "value": "C:\\Users\\admin\\AppData\\Local\\Microsoft\\Windows\\Explorer\\iconcache_idx.db"
              },
              {
                "name": "FileInformationClass",
                "value": "5",
                "pretty_value": "FileStandardInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\x00\\x80\\x00\\x00\\x00\\x00\\x00\\x000r\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 15306
          },
          {
            "timestamp": "2026-05-28 22:01:58,662",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000007d4"
              }
            ],
            "repeated": 0,
            "id": 15307
          },
          {
            "timestamp": "2026-05-28 22:01:58,662",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000007d4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000400",
                "pretty_value": "PROCESS_QUERY_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "7912"
              }
            ],
            "repeated": 0,
            "id": 15308
          },
          {
            "timestamp": "2026-05-28 22:01:58,662",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x00000a50"
              }
            ],
            "repeated": 0,
            "id": 15309
          },
          {
            "timestamp": "2026-05-28 22:01:58,662",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "p\\xd8\\xdf\\x9d\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\xe9\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xbc\\x07\\x00\\x00\\x00\\x00\\x00\\x00 \\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x02\\x00\\x00\\x00\\x00\\x00\\x00]\\xddmu\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xea5\\x07Ou\\xc0\\x00\\x00\\xe8\\xf6\\x8eT\\x92\\x02\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 15310
          },
          {
            "timestamp": "2026-05-28 22:01:58,662",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "synchronization",
            "api": "NtCreateMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a44"
              },
              {
                "name": "MutexName",
                "value": "Global\\C::Users:admin:AppData:Local:Microsoft:Windows:Explorer:iconcache_idx.db!rwReaderRefs"
              },
              {
                "name": "InitialOwner",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 15311
          },
          {
            "timestamp": "2026-05-28 22:01:58,662",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a50"
              }
            ],
            "repeated": 0,
            "id": 15312
          },
          {
            "timestamp": "2026-05-28 22:01:58,662",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000007d4"
              }
            ],
            "repeated": 0,
            "id": 15313
          },
          {
            "timestamp": "2026-05-28 22:01:58,662",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a44"
              }
            ],
            "repeated": 0,
            "id": 15314
          },
          {
            "timestamp": "2026-05-28 22:01:58,662",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\smss.exe"
              }
            ],
            "repeated": 1,
            "id": 15315
          },
          {
            "timestamp": "2026-05-28 22:01:58,662",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29255720002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "c:\\windows\\system32\\smss.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 15316
          },
          {
            "timestamp": "2026-05-28 22:01:58,662",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100001",
                "pretty_value": "FILE_READ_ACCESS|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\SystemResources\\smss.exe.mun"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 15317
          },
          {
            "timestamp": "2026-05-28 22:01:58,662",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29255720000"
              },
              {
                "name": "RegionSize",
                "value": "0x00028000"
              }
            ],
            "repeated": 0,
            "id": 15318
          },
          {
            "timestamp": "2026-05-28 22:01:58,662",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\imageres.dll"
              }
            ],
            "repeated": 1,
            "id": 15319
          },
          {
            "timestamp": "2026-05-28 22:01:58,662",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29255720002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\system32\\imageres.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 15320
          },
          {
            "timestamp": "2026-05-28 22:01:58,662",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "registry",
            "api": "NtOpenKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\en-US"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\en-US"
              }
            ],
            "repeated": 0,
            "id": 15321
          },
          {
            "timestamp": "2026-05-28 22:01:58,662",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000a44"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100001",
                "pretty_value": "FILE_READ_ACCESS|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\en-US\\imageres.dll.mui"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 15322
          },
          {
            "timestamp": "2026-05-28 22:01:58,662",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x000007d4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000a44"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\en-US\\imageres.dll.mui"
              }
            ],
            "repeated": 0,
            "id": 15323
          },
          {
            "timestamp": "2026-05-28 22:01:58,662",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x000007d4"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29255730000"
              },
              {
                "name": "SectionOffset",
                "value": "0xf09ddfb7f0"
              },
              {
                "name": "ViewSize",
                "value": "0x00001000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 15324
          },
          {
            "timestamp": "2026-05-28 22:01:58,662",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000007d4"
              }
            ],
            "repeated": 0,
            "id": 15325
          },
          {
            "timestamp": "2026-05-28 22:01:58,662",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": false,
            "return": "0xffffffffc000003a",
            "pretty_return": "OBJECT_PATH_NOT_FOUND",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100001",
                "pretty_value": "FILE_READ_ACCESS|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\SystemResources\\imageres.dll.mui.mun"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 15326
          },
          {
            "timestamp": "2026-05-28 22:01:58,662",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000007d4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100001",
                "pretty_value": "FILE_READ_ACCESS|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\SystemResources\\imageres.dll.mun"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 15327
          },
          {
            "timestamp": "2026-05-28 22:01:58,662",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000a50"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x000007d4"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\SystemResources\\imageres.dll.mun"
              }
            ],
            "repeated": 0,
            "id": 15328
          },
          {
            "timestamp": "2026-05-28 22:01:58,662",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000a50"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29257f80000"
              },
              {
                "name": "SectionOffset",
                "value": "0xf09ddfb7a0"
              },
              {
                "name": "ViewSize",
                "value": "0x013c0000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 15329
          },
          {
            "timestamp": "2026-05-28 22:01:58,662",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a50"
              }
            ],
            "repeated": 0,
            "id": 15330
          },
          {
            "timestamp": "2026-05-28 22:01:58,662",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6fb1",
            "parentcaller": "0x7ff6c28e0076",
            "category": "system",
            "api": "NtDelayExecution",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 15331
          },
          {
            "timestamp": "2026-05-28 22:01:58,662",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "misc",
            "api": "FindResourceExW",
            "status": true,
            "return": "0x29257fa2e40",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29255720002"
              },
              {
                "name": "Type",
                "value": "#14"
              },
              {
                "name": "Name",
                "value": "#15"
              },
              {
                "name": "Language",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 15332
          },
          {
            "timestamp": "2026-05-28 22:01:58,662",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "misc",
            "api": "LoadResource",
            "status": true,
            "return": "0x29258016950",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29255720002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29257fa2e40"
              }
            ],
            "repeated": 0,
            "id": 15333
          },
          {
            "timestamp": "2026-05-28 22:01:58,662",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "misc",
            "api": "FindResourceExW",
            "status": true,
            "return": "0x29257f98940",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29255720002"
              },
              {
                "name": "Type",
                "value": "#3"
              },
              {
                "name": "Name",
                "value": "#63"
              },
              {
                "name": "Language",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 15334
          },
          {
            "timestamp": "2026-05-28 22:01:58,662",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "misc",
            "api": "SizeofResource",
            "status": true,
            "return": "0x00000468",
            "arguments": [
              {
                "name": "ModuleHandle",
                "value": "0x29255720002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29257f98940"
              }
            ],
            "repeated": 0,
            "id": 15335
          },
          {
            "timestamp": "2026-05-28 22:01:58,662",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "misc",
            "api": "LoadResource",
            "status": true,
            "return": "0x292580164e8",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29255720002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29257f98940"
              }
            ],
            "repeated": 0,
            "id": 15336
          },
          {
            "timestamp": "2026-05-28 22:01:58,662",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29257f80000"
              },
              {
                "name": "RegionSize",
                "value": "0x013c0000"
              }
            ],
            "repeated": 0,
            "id": 15337
          },
          {
            "timestamp": "2026-05-28 22:01:58,662",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000007d4"
              }
            ],
            "repeated": 0,
            "id": 15338
          },
          {
            "timestamp": "2026-05-28 22:01:58,662",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29255730000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              }
            ],
            "repeated": 0,
            "id": 15339
          },
          {
            "timestamp": "2026-05-28 22:01:58,662",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a44"
              }
            ],
            "repeated": 0,
            "id": 15340
          },
          {
            "timestamp": "2026-05-28 22:01:58,662",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29255720000"
              },
              {
                "name": "RegionSize",
                "value": "0x00003000"
              }
            ],
            "repeated": 0,
            "id": 15341
          },
          {
            "timestamp": "2026-05-28 22:01:58,662",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29255720002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\System32\\smss.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 15342
          },
          {
            "timestamp": "2026-05-28 22:01:58,662",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "registry",
            "api": "NtOpenKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\en-US"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\en-US"
              }
            ],
            "repeated": 0,
            "id": 15343
          },
          {
            "timestamp": "2026-05-28 22:01:58,662",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000a44"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100001",
                "pretty_value": "FILE_READ_ACCESS|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\en-US\\smss.exe.mui"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 15344
          },
          {
            "timestamp": "2026-05-28 22:01:58,662",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x000007d4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000a44"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\en-US\\smss.exe.mui"
              }
            ],
            "repeated": 0,
            "id": 15345
          },
          {
            "timestamp": "2026-05-28 22:01:58,662",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x000007d4"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29255750000"
              },
              {
                "name": "SectionOffset",
                "value": "0xf09ddfcf90"
              },
              {
                "name": "ViewSize",
                "value": "0x00001000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 15346
          },
          {
            "timestamp": "2026-05-28 22:01:58,662",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000007d4"
              }
            ],
            "repeated": 0,
            "id": 15347
          },
          {
            "timestamp": "2026-05-28 22:01:58,662",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29255750000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              }
            ],
            "repeated": 0,
            "id": 15348
          },
          {
            "timestamp": "2026-05-28 22:01:58,662",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a44"
              }
            ],
            "repeated": 0,
            "id": 15349
          },
          {
            "timestamp": "2026-05-28 22:01:58,662",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29255720000"
              },
              {
                "name": "RegionSize",
                "value": "0x00028000"
              }
            ],
            "repeated": 0,
            "id": 15350
          },
          {
            "timestamp": "2026-05-28 22:01:58,662",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29255720002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\System32\\smss.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 15351
          },
          {
            "timestamp": "2026-05-28 22:01:58,662",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "registry",
            "api": "NtOpenKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\en-US"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\en-US"
              }
            ],
            "repeated": 0,
            "id": 15352
          },
          {
            "timestamp": "2026-05-28 22:01:58,662",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000a44"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100001",
                "pretty_value": "FILE_READ_ACCESS|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\en-US\\smss.exe.mui"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 15353
          },
          {
            "timestamp": "2026-05-28 22:01:58,662",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x000007d4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000a44"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\en-US\\smss.exe.mui"
              }
            ],
            "repeated": 0,
            "id": 15354
          },
          {
            "timestamp": "2026-05-28 22:01:58,662",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x000007d4"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29255750000"
              },
              {
                "name": "SectionOffset",
                "value": "0xf09ddfcf80"
              },
              {
                "name": "ViewSize",
                "value": "0x00001000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 15355
          },
          {
            "timestamp": "2026-05-28 22:01:58,662",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000007d4"
              }
            ],
            "repeated": 0,
            "id": 15356
          },
          {
            "timestamp": "2026-05-28 22:01:58,662",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29255750000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              }
            ],
            "repeated": 0,
            "id": 15357
          },
          {
            "timestamp": "2026-05-28 22:01:58,662",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a44"
              }
            ],
            "repeated": 0,
            "id": 15358
          },
          {
            "timestamp": "2026-05-28 22:01:58,662",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29255720000"
              },
              {
                "name": "RegionSize",
                "value": "0x00028000"
              }
            ],
            "repeated": 0,
            "id": 15359
          },
          {
            "timestamp": "2026-05-28 22:01:58,662",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c38f8",
            "category": "process",
            "api": "NtOpenProcess",
            "status": false,
            "return": "0xffffffffc0000022",
            "pretty_return": "ACCESS_DENIED",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x7ffc756dad9e"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001410",
                "pretty_value": "PROCESS_VM_READ|PROCESS_QUERY_INFORMATION|PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "336"
              }
            ],
            "repeated": 0,
            "id": 15360
          },
          {
            "timestamp": "2026-05-28 22:01:58,662",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c3746",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a44"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001000",
                "pretty_value": "PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "336"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\System32\\smss.exe"
              }
            ],
            "repeated": 0,
            "id": 15361
          },
          {
            "timestamp": "2026-05-28 22:01:58,662",
            "thread_id": "5448",
            "caller": "0x7ff6c28c472e",
            "parentcaller": "0x7ff6c28c375e",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a44"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x000007d4"
              }
            ],
            "repeated": 0,
            "id": 15362
          },
          {
            "timestamp": "2026-05-28 22:01:58,662",
            "thread_id": "5448",
            "caller": "0x7ff6c28c4764",
            "parentcaller": "0x7ff6c28c375e",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "39"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 15363
          },
          {
            "timestamp": "2026-05-28 22:01:58,662",
            "thread_id": "5448",
            "caller": "0x7ff6c28c47ed",
            "parentcaller": "0x7ff6c28c375e",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "39"
              },
              {
                "name": "TokenInformation",
                "value": "\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\xd0\\xd2\\xabT\\x92\\x02\\x00\\x00 \\x00 \\x00\\x00\\x00\\x00\\x00\\xf8\\xd2\\xabT\\x92\\x02\\x00\\x00\\x02\\x00\\x00\\x00A\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x18\\xd3\\xabT\\x92\\x02\\x00\\x00T\\x00S\\x00A\\x00:\\x00/\\x00/\\x00P\\x00r\\x00o\\x00c\\x00U\\x00n\\x00i\\x00q\\x00u\\x00e\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00`G\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 15364
          },
          {
            "timestamp": "2026-05-28 22:01:58,662",
            "thread_id": "5448",
            "caller": "0x7ff6c28c488d",
            "parentcaller": "0x7ff6c28c375e",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000007d4"
              }
            ],
            "repeated": 0,
            "id": 15365
          },
          {
            "timestamp": "2026-05-28 22:01:58,662",
            "thread_id": "5448",
            "caller": "0x7ff6c28c3779",
            "parentcaller": "0x7ff6c28c31c6",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a44"
              }
            ],
            "repeated": 0,
            "id": 15366
          },
          {
            "timestamp": "2026-05-28 22:01:58,662",
            "thread_id": "5448",
            "caller": "0x7ff6c28c05ac",
            "parentcaller": "0x7ff6c28bdc11",
            "category": "process",
            "api": "NtOpenProcess",
            "status": false,
            "return": "0xffffffffc0000022",
            "pretty_return": "ACCESS_DENIED",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x2924e26cd50"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001400",
                "pretty_value": "PROCESS_QUERY_INFORMATION|PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "500"
              }
            ],
            "repeated": 0,
            "id": 15367
          },
          {
            "timestamp": "2026-05-28 22:01:58,662",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c3e56",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a44"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001000",
                "pretty_value": "PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "500"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\System32\\wininit.exe"
              }
            ],
            "repeated": 0,
            "id": 15368
          },
          {
            "timestamp": "2026-05-28 22:01:58,662",
            "thread_id": "5448",
            "caller": "0x7ff6c28c3ebb",
            "parentcaller": "0x7ff6c28c2d53",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a44"
              }
            ],
            "repeated": 0,
            "id": 15369
          },
          {
            "timestamp": "2026-05-28 22:01:58,662",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c3ffc",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a44"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001000",
                "pretty_value": "PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "500"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\System32\\wininit.exe"
              }
            ],
            "repeated": 0,
            "id": 15370
          },
          {
            "timestamp": "2026-05-28 22:01:58,662",
            "thread_id": "5448",
            "caller": "0x7ff6c28c4224",
            "parentcaller": "0x7ff6c28c2da5",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a44"
              }
            ],
            "repeated": 0,
            "id": 15371
          },
          {
            "timestamp": "2026-05-28 22:01:58,662",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a44"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000400",
                "pretty_value": "PROCESS_QUERY_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "7912"
              }
            ],
            "repeated": 0,
            "id": 15372
          },
          {
            "timestamp": "2026-05-28 22:01:58,662",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x000007d4"
              }
            ],
            "repeated": 0,
            "id": 15373
          },
          {
            "timestamp": "2026-05-28 22:01:58,662",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "`\\xd8\\xdf\\x9d\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\xe9\\x03\\x00\\x00\\xfc\\x7f\\x00\\x00\\xd0[\\xacT\\x92\\x02\\x00\\x00\\x10\\xd1\\xefS\\x92\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x8f\\x00\\x00\\x00\\x00\\x00\\x00\\x00H\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 15374
          },
          {
            "timestamp": "2026-05-28 22:01:58,662",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "synchronization",
            "api": "NtCreateMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a50"
              },
              {
                "name": "MutexName",
                "value": "Global\\C::Users:admin:AppData:Local:Microsoft:Windows:Explorer:iconcache_idx.db!rwReaderRefs"
              },
              {
                "name": "InitialOwner",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 15375
          },
          {
            "timestamp": "2026-05-28 22:01:58,662",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000007d4"
              }
            ],
            "repeated": 0,
            "id": 15376
          },
          {
            "timestamp": "2026-05-28 22:01:58,662",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a44"
              }
            ],
            "repeated": 0,
            "id": 15377
          },
          {
            "timestamp": "2026-05-28 22:01:58,662",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000808"
              },
              {
                "name": "HandleName",
                "value": "C:\\Users\\admin\\AppData\\Local\\Microsoft\\Windows\\Explorer\\iconcache_idx.db"
              },
              {
                "name": "FileInformationClass",
                "value": "5",
                "pretty_value": "FileStandardInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\x00\\x80\\x00\\x00\\x00\\x00\\x00\\x000r\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 15378
          },
          {
            "timestamp": "2026-05-28 22:01:58,662",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a50"
              }
            ],
            "repeated": 0,
            "id": 15379
          },
          {
            "timestamp": "2026-05-28 22:01:58,662",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a50"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000400",
                "pretty_value": "PROCESS_QUERY_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "7912"
              }
            ],
            "repeated": 0,
            "id": 15380
          },
          {
            "timestamp": "2026-05-28 22:01:58,662",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x00000a44"
              }
            ],
            "repeated": 0,
            "id": 15381
          },
          {
            "timestamp": "2026-05-28 22:01:58,662",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "p\\xd8\\xdf\\x9d\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\xe9\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xbc\\x07\\x00\\x00\\x00\\x00\\x00\\x00 \\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x02\\x00\\x00\\x00\\x00\\x00\\x00]\\xddmu\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xea5\\x07Ou\\xc0\\x00\\x00\\xe8\\xf6\\x8eT\\x92\\x02\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 15382
          },
          {
            "timestamp": "2026-05-28 22:01:58,662",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "synchronization",
            "api": "NtCreateMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000007d4"
              },
              {
                "name": "MutexName",
                "value": "Global\\C::Users:admin:AppData:Local:Microsoft:Windows:Explorer:iconcache_idx.db!rwReaderRefs"
              },
              {
                "name": "InitialOwner",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 15383
          },
          {
            "timestamp": "2026-05-28 22:01:58,662",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a44"
              }
            ],
            "repeated": 0,
            "id": 15384
          },
          {
            "timestamp": "2026-05-28 22:01:58,662",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a50"
              }
            ],
            "repeated": 0,
            "id": 15385
          },
          {
            "timestamp": "2026-05-28 22:01:58,662",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000007d4"
              }
            ],
            "repeated": 0,
            "id": 15386
          },
          {
            "timestamp": "2026-05-28 22:01:58,662",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\wininit.exe"
              }
            ],
            "repeated": 1,
            "id": 15387
          },
          {
            "timestamp": "2026-05-28 22:01:58,662",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29255720002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "c:\\windows\\system32\\wininit.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 15388
          },
          {
            "timestamp": "2026-05-28 22:01:58,662",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100001",
                "pretty_value": "FILE_READ_ACCESS|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\SystemResources\\wininit.exe.mun"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 15389
          },
          {
            "timestamp": "2026-05-28 22:01:58,662",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29255720000"
              },
              {
                "name": "RegionSize",
                "value": "0x0006a000"
              }
            ],
            "repeated": 0,
            "id": 15390
          },
          {
            "timestamp": "2026-05-28 22:01:58,662",
            "thread_id": "1496",
            "caller": "0x7ff6c28da9db",
            "parentcaller": "0x7ff6c28d6fb1",
            "category": "misc",
            "api": "GetCursorPos",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "x",
                "value": "627"
              },
              {
                "name": "y",
                "value": "397"
              }
            ],
            "repeated": 0,
            "id": 15391
          },
          {
            "timestamp": "2026-05-28 22:01:58,662",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\imageres.dll"
              }
            ],
            "repeated": 0,
            "id": 15392
          },
          {
            "timestamp": "2026-05-28 22:01:58,662",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6fb1",
            "parentcaller": "0x7ff6c28e0076",
            "category": "system",
            "api": "NtDelayExecution",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 15393
          },
          {
            "timestamp": "2026-05-28 22:01:58,662",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\imageres.dll"
              }
            ],
            "repeated": 0,
            "id": 15394
          },
          {
            "timestamp": "2026-05-28 22:01:58,662",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29255720002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\system32\\imageres.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 15395
          },
          {
            "timestamp": "2026-05-28 22:01:58,662",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "registry",
            "api": "NtOpenKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\en-US"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\en-US"
              }
            ],
            "repeated": 0,
            "id": 15396
          },
          {
            "timestamp": "2026-05-28 22:01:58,662",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000a30"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100001",
                "pretty_value": "FILE_READ_ACCESS|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\en-US\\imageres.dll.mui"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 15397
          },
          {
            "timestamp": "2026-05-28 22:01:58,662",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x000007d4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000a30"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\en-US\\imageres.dll.mui"
              }
            ],
            "repeated": 0,
            "id": 15398
          },
          {
            "timestamp": "2026-05-28 22:01:58,662",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x000007d4"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29255730000"
              },
              {
                "name": "SectionOffset",
                "value": "0xf09ddfb7f0"
              },
              {
                "name": "ViewSize",
                "value": "0x00001000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 15399
          },
          {
            "timestamp": "2026-05-28 22:01:58,662",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000007d4"
              }
            ],
            "repeated": 0,
            "id": 15400
          },
          {
            "timestamp": "2026-05-28 22:01:58,662",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000007d4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100001",
                "pretty_value": "FILE_READ_ACCESS|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\SystemResources\\imageres.dll.mun"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 15401
          },
          {
            "timestamp": "2026-05-28 22:01:58,662",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000a50"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x000007d4"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\SystemResources\\imageres.dll.mun"
              }
            ],
            "repeated": 0,
            "id": 15402
          },
          {
            "timestamp": "2026-05-28 22:01:58,662",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000a50"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29257f80000"
              },
              {
                "name": "SectionOffset",
                "value": "0xf09ddfb7a0"
              },
              {
                "name": "ViewSize",
                "value": "0x013c0000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 15403
          },
          {
            "timestamp": "2026-05-28 22:01:58,662",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a50"
              }
            ],
            "repeated": 0,
            "id": 15404
          },
          {
            "timestamp": "2026-05-28 22:01:58,662",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "misc",
            "api": "FindResourceExW",
            "status": true,
            "return": "0x29257fa2e40",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29255720002"
              },
              {
                "name": "Type",
                "value": "#14"
              },
              {
                "name": "Name",
                "value": "#15"
              },
              {
                "name": "Language",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 15405
          },
          {
            "timestamp": "2026-05-28 22:01:58,662",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "misc",
            "api": "LoadResource",
            "status": true,
            "return": "0x29258016950",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29255720002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29257fa2e40"
              }
            ],
            "repeated": 0,
            "id": 15406
          },
          {
            "timestamp": "2026-05-28 22:01:58,662",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "misc",
            "api": "FindResourceExW",
            "status": true,
            "return": "0x29257f98940",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29255720002"
              },
              {
                "name": "Type",
                "value": "#3"
              },
              {
                "name": "Name",
                "value": "#63"
              },
              {
                "name": "Language",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 15407
          },
          {
            "timestamp": "2026-05-28 22:01:58,662",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "misc",
            "api": "SizeofResource",
            "status": true,
            "return": "0x00000468",
            "arguments": [
              {
                "name": "ModuleHandle",
                "value": "0x29255720002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29257f98940"
              }
            ],
            "repeated": 0,
            "id": 15408
          },
          {
            "timestamp": "2026-05-28 22:01:58,662",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "misc",
            "api": "LoadResource",
            "status": true,
            "return": "0x292580164e8",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29255720002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29257f98940"
              }
            ],
            "repeated": 0,
            "id": 15409
          },
          {
            "timestamp": "2026-05-28 22:01:58,662",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29257f80000"
              },
              {
                "name": "RegionSize",
                "value": "0x013c0000"
              }
            ],
            "repeated": 0,
            "id": 15410
          },
          {
            "timestamp": "2026-05-28 22:01:58,662",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000007d4"
              }
            ],
            "repeated": 0,
            "id": 15411
          },
          {
            "timestamp": "2026-05-28 22:01:58,662",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29255730000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              }
            ],
            "repeated": 0,
            "id": 15412
          },
          {
            "timestamp": "2026-05-28 22:01:58,662",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a30"
              }
            ],
            "repeated": 0,
            "id": 15413
          },
          {
            "timestamp": "2026-05-28 22:01:58,662",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29255720000"
              },
              {
                "name": "RegionSize",
                "value": "0x00003000"
              }
            ],
            "repeated": 0,
            "id": 15414
          },
          {
            "timestamp": "2026-05-28 22:01:58,662",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29255720002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\System32\\wininit.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 15415
          },
          {
            "timestamp": "2026-05-28 22:01:58,662",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "registry",
            "api": "NtOpenKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\en-US"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\en-US"
              }
            ],
            "repeated": 0,
            "id": 15416
          },
          {
            "timestamp": "2026-05-28 22:01:58,662",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000a30"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100001",
                "pretty_value": "FILE_READ_ACCESS|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\en-US\\wininit.exe.mui"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 15417
          },
          {
            "timestamp": "2026-05-28 22:01:58,662",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x000007d4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000a30"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\en-US\\wininit.exe.mui"
              }
            ],
            "repeated": 0,
            "id": 15418
          },
          {
            "timestamp": "2026-05-28 22:01:58,662",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x000007d4"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29255790000"
              },
              {
                "name": "SectionOffset",
                "value": "0xf09ddfcf90"
              },
              {
                "name": "ViewSize",
                "value": "0x00002000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 15419
          },
          {
            "timestamp": "2026-05-28 22:01:58,662",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000007d4"
              }
            ],
            "repeated": 0,
            "id": 15420
          },
          {
            "timestamp": "2026-05-28 22:01:58,662",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29255790000"
              },
              {
                "name": "RegionSize",
                "value": "0x00002000"
              }
            ],
            "repeated": 0,
            "id": 15421
          },
          {
            "timestamp": "2026-05-28 22:01:58,662",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a30"
              }
            ],
            "repeated": 0,
            "id": 15422
          },
          {
            "timestamp": "2026-05-28 22:01:58,662",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29255720000"
              },
              {
                "name": "RegionSize",
                "value": "0x0006a000"
              }
            ],
            "repeated": 0,
            "id": 15423
          },
          {
            "timestamp": "2026-05-28 22:01:58,662",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29255720002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\System32\\wininit.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 15424
          },
          {
            "timestamp": "2026-05-28 22:01:58,662",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "registry",
            "api": "NtOpenKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\en-US"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\en-US"
              }
            ],
            "repeated": 0,
            "id": 15425
          },
          {
            "timestamp": "2026-05-28 22:01:58,662",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000a30"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100001",
                "pretty_value": "FILE_READ_ACCESS|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\en-US\\wininit.exe.mui"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 15426
          },
          {
            "timestamp": "2026-05-28 22:01:58,662",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x000007d4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000a30"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\en-US\\wininit.exe.mui"
              }
            ],
            "repeated": 0,
            "id": 15427
          },
          {
            "timestamp": "2026-05-28 22:01:58,662",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x000007d4"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29255790000"
              },
              {
                "name": "SectionOffset",
                "value": "0xf09ddfcf80"
              },
              {
                "name": "ViewSize",
                "value": "0x00002000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 15428
          },
          {
            "timestamp": "2026-05-28 22:01:58,662",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000007d4"
              }
            ],
            "repeated": 0,
            "id": 15429
          },
          {
            "timestamp": "2026-05-28 22:01:58,662",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29255790000"
              },
              {
                "name": "RegionSize",
                "value": "0x00002000"
              }
            ],
            "repeated": 0,
            "id": 15430
          },
          {
            "timestamp": "2026-05-28 22:01:58,662",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a30"
              }
            ],
            "repeated": 0,
            "id": 15431
          },
          {
            "timestamp": "2026-05-28 22:01:58,662",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29255720000"
              },
              {
                "name": "RegionSize",
                "value": "0x0006a000"
              }
            ],
            "repeated": 0,
            "id": 15432
          },
          {
            "timestamp": "2026-05-28 22:01:58,662",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c38f8",
            "category": "process",
            "api": "NtOpenProcess",
            "status": false,
            "return": "0xffffffffc0000022",
            "pretty_return": "ACCESS_DENIED",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x7ffc756dad9e"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001410",
                "pretty_value": "PROCESS_VM_READ|PROCESS_QUERY_INFORMATION|PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "500"
              }
            ],
            "repeated": 0,
            "id": 15433
          },
          {
            "timestamp": "2026-05-28 22:01:58,662",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c3746",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a30"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001000",
                "pretty_value": "PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "500"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\System32\\wininit.exe"
              }
            ],
            "repeated": 0,
            "id": 15434
          },
          {
            "timestamp": "2026-05-28 22:01:58,662",
            "thread_id": "5448",
            "caller": "0x7ff6c28c472e",
            "parentcaller": "0x7ff6c28c375e",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a30"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x000007d4"
              }
            ],
            "repeated": 0,
            "id": 15435
          },
          {
            "timestamp": "2026-05-28 22:01:58,662",
            "thread_id": "5448",
            "caller": "0x7ff6c28c4764",
            "parentcaller": "0x7ff6c28c375e",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "39"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 15436
          },
          {
            "timestamp": "2026-05-28 22:01:58,662",
            "thread_id": "5448",
            "caller": "0x7ff6c28c47ed",
            "parentcaller": "0x7ff6c28c375e",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "39"
              },
              {
                "name": "TokenInformation",
                "value": "\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\xd0\\xd2\\xabT\\x92\\x02\\x00\\x00 \\x00 \\x00\\x00\\x00\\x00\\x00\\xf8\\xd2\\xabT\\x92\\x02\\x00\\x00\\x02\\x00\\x00\\x00A\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x18\\xd3\\xabT\\x92\\x02\\x00\\x00T\\x00S\\x00A\\x00:\\x00/\\x00/\\x00P\\x00r\\x00o\\x00c\\x00U\\x00n\\x00i\\x00q\\x00u\\x00e\\x00\\x06\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xd3b\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 15437
          },
          {
            "timestamp": "2026-05-28 22:01:58,662",
            "thread_id": "5448",
            "caller": "0x7ff6c28c488d",
            "parentcaller": "0x7ff6c28c375e",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000007d4"
              }
            ],
            "repeated": 0,
            "id": 15438
          },
          {
            "timestamp": "2026-05-28 22:01:58,662",
            "thread_id": "5448",
            "caller": "0x7ff6c28c3779",
            "parentcaller": "0x7ff6c28c31c6",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a30"
              }
            ],
            "repeated": 0,
            "id": 15439
          },
          {
            "timestamp": "2026-05-28 22:01:58,662",
            "thread_id": "5448",
            "caller": "0x7ff6c28c05ac",
            "parentcaller": "0x7ff6c28bdc11",
            "category": "process",
            "api": "NtOpenProcess",
            "status": false,
            "return": "0xffffffffc0000022",
            "pretty_return": "ACCESS_DENIED",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x2924e26cd50"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001400",
                "pretty_value": "PROCESS_QUERY_INFORMATION|PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "592"
              }
            ],
            "repeated": 0,
            "id": 15440
          },
          {
            "timestamp": "2026-05-28 22:01:58,662",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c3e56",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a30"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001000",
                "pretty_value": "PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "592"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\System32\\services.exe"
              }
            ],
            "repeated": 0,
            "id": 15441
          },
          {
            "timestamp": "2026-05-28 22:01:58,662",
            "thread_id": "5448",
            "caller": "0x7ff6c28c3ebb",
            "parentcaller": "0x7ff6c28c2d53",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a30"
              }
            ],
            "repeated": 0,
            "id": 15442
          },
          {
            "timestamp": "2026-05-28 22:01:58,662",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c3ffc",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a30"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001000",
                "pretty_value": "PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "592"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\System32\\services.exe"
              }
            ],
            "repeated": 0,
            "id": 15443
          },
          {
            "timestamp": "2026-05-28 22:01:58,662",
            "thread_id": "5448",
            "caller": "0x7ff6c28c4224",
            "parentcaller": "0x7ff6c28c2da5",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a30"
              }
            ],
            "repeated": 0,
            "id": 15444
          },
          {
            "timestamp": "2026-05-28 22:01:58,662",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a30"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000400",
                "pretty_value": "PROCESS_QUERY_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "7912"
              }
            ],
            "repeated": 0,
            "id": 15445
          },
          {
            "timestamp": "2026-05-28 22:01:58,662",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x000007d4"
              }
            ],
            "repeated": 0,
            "id": 15446
          },
          {
            "timestamp": "2026-05-28 22:01:58,662",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "`\\xd8\\xdf\\x9d\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\xe9\\x03\\x00\\x00\\xfc\\x7f\\x00\\x00`^\\xe8S\\x92\\x02\\x00\\x00\\xe0\\xde\\xdf\\x9d\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x90\\x00\\x00\\x00\\x00\\x00\\x00\\x00H\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 15447
          },
          {
            "timestamp": "2026-05-28 22:01:58,662",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "synchronization",
            "api": "NtCreateMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a3c"
              },
              {
                "name": "MutexName",
                "value": "Global\\C::Users:admin:AppData:Local:Microsoft:Windows:Explorer:iconcache_idx.db!rwReaderRefs"
              },
              {
                "name": "InitialOwner",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 15448
          },
          {
            "timestamp": "2026-05-28 22:01:58,662",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000007d4"
              }
            ],
            "repeated": 0,
            "id": 15449
          },
          {
            "timestamp": "2026-05-28 22:01:58,662",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a30"
              }
            ],
            "repeated": 0,
            "id": 15450
          },
          {
            "timestamp": "2026-05-28 22:01:58,662",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000808"
              },
              {
                "name": "HandleName",
                "value": "C:\\Users\\admin\\AppData\\Local\\Microsoft\\Windows\\Explorer\\iconcache_idx.db"
              },
              {
                "name": "FileInformationClass",
                "value": "5",
                "pretty_value": "FileStandardInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\x00\\x80\\x00\\x00\\x00\\x00\\x00\\x000r\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 15451
          },
          {
            "timestamp": "2026-05-28 22:01:58,662",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a3c"
              }
            ],
            "repeated": 0,
            "id": 15452
          },
          {
            "timestamp": "2026-05-28 22:01:58,662",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a3c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000400",
                "pretty_value": "PROCESS_QUERY_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "7912"
              }
            ],
            "repeated": 0,
            "id": 15453
          },
          {
            "timestamp": "2026-05-28 22:01:58,662",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x00000a30"
              }
            ],
            "repeated": 0,
            "id": 15454
          },
          {
            "timestamp": "2026-05-28 22:01:58,662",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "p\\xd8\\xdf\\x9d\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\xe9\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xbc\\x07\\x00\\x00\\x00\\x00\\x00\\x00 \\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x02\\x00\\x00\\x00\\x00\\x00\\x00]\\xddmu\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xea5\\x07Ou\\xc0\\x00\\x00\\xe8\\xf6\\x8eT\\x92\\x02\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 15455
          },
          {
            "timestamp": "2026-05-28 22:01:58,662",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "synchronization",
            "api": "NtCreateMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000007d4"
              },
              {
                "name": "MutexName",
                "value": "Global\\C::Users:admin:AppData:Local:Microsoft:Windows:Explorer:iconcache_idx.db!rwReaderRefs"
              },
              {
                "name": "InitialOwner",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 15456
          },
          {
            "timestamp": "2026-05-28 22:01:58,662",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a30"
              }
            ],
            "repeated": 0,
            "id": 15457
          },
          {
            "timestamp": "2026-05-28 22:01:58,662",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a3c"
              }
            ],
            "repeated": 0,
            "id": 15458
          },
          {
            "timestamp": "2026-05-28 22:01:58,662",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000007d4"
              }
            ],
            "repeated": 0,
            "id": 15459
          },
          {
            "timestamp": "2026-05-28 22:01:58,662",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\services.exe"
              }
            ],
            "repeated": 1,
            "id": 15460
          },
          {
            "timestamp": "2026-05-28 22:01:58,662",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29255720002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "c:\\windows\\system32\\services.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 15461
          },
          {
            "timestamp": "2026-05-28 22:01:58,662",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100001",
                "pretty_value": "FILE_READ_ACCESS|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\SystemResources\\services.exe.mun"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 15462
          },
          {
            "timestamp": "2026-05-28 22:01:58,662",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29255720000"
              },
              {
                "name": "RegionSize",
                "value": "0x000b0000"
              }
            ],
            "repeated": 0,
            "id": 15463
          },
          {
            "timestamp": "2026-05-28 22:01:58,662",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\imageres.dll"
              }
            ],
            "repeated": 1,
            "id": 15464
          },
          {
            "timestamp": "2026-05-28 22:01:58,662",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29255720002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\system32\\imageres.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 15465
          },
          {
            "timestamp": "2026-05-28 22:01:58,662",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "registry",
            "api": "NtOpenKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\en-US"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\en-US"
              }
            ],
            "repeated": 0,
            "id": 15466
          },
          {
            "timestamp": "2026-05-28 22:01:58,662",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000007d4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100001",
                "pretty_value": "FILE_READ_ACCESS|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\en-US\\imageres.dll.mui"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 15467
          },
          {
            "timestamp": "2026-05-28 22:01:58,662",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000a3c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x000007d4"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\en-US\\imageres.dll.mui"
              }
            ],
            "repeated": 0,
            "id": 15468
          },
          {
            "timestamp": "2026-05-28 22:01:58,662",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000a3c"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29255730000"
              },
              {
                "name": "SectionOffset",
                "value": "0xf09ddfb7f0"
              },
              {
                "name": "ViewSize",
                "value": "0x00001000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 15469
          },
          {
            "timestamp": "2026-05-28 22:01:58,662",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a3c"
              }
            ],
            "repeated": 0,
            "id": 15470
          },
          {
            "timestamp": "2026-05-28 22:01:58,662",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000a3c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100001",
                "pretty_value": "FILE_READ_ACCESS|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\SystemResources\\imageres.dll.mun"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 15471
          },
          {
            "timestamp": "2026-05-28 22:01:58,662",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000a30"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000a3c"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\SystemResources\\imageres.dll.mun"
              }
            ],
            "repeated": 0,
            "id": 15472
          },
          {
            "timestamp": "2026-05-28 22:01:58,662",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000a30"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29257f80000"
              },
              {
                "name": "SectionOffset",
                "value": "0xf09ddfb7a0"
              },
              {
                "name": "ViewSize",
                "value": "0x013c0000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 15473
          },
          {
            "timestamp": "2026-05-28 22:01:58,662",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a30"
              }
            ],
            "repeated": 0,
            "id": 15474
          },
          {
            "timestamp": "2026-05-28 22:01:58,662",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "misc",
            "api": "FindResourceExW",
            "status": true,
            "return": "0x29257fa2e40",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29255720002"
              },
              {
                "name": "Type",
                "value": "#14"
              },
              {
                "name": "Name",
                "value": "#15"
              },
              {
                "name": "Language",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 15475
          },
          {
            "timestamp": "2026-05-28 22:01:58,662",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "misc",
            "api": "LoadResource",
            "status": true,
            "return": "0x29258016950",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29255720002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29257fa2e40"
              }
            ],
            "repeated": 0,
            "id": 15476
          },
          {
            "timestamp": "2026-05-28 22:01:58,662",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "misc",
            "api": "FindResourceExW",
            "status": true,
            "return": "0x29257f98940",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29255720002"
              },
              {
                "name": "Type",
                "value": "#3"
              },
              {
                "name": "Name",
                "value": "#63"
              },
              {
                "name": "Language",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 15477
          },
          {
            "timestamp": "2026-05-28 22:01:58,662",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "misc",
            "api": "SizeofResource",
            "status": true,
            "return": "0x00000468",
            "arguments": [
              {
                "name": "ModuleHandle",
                "value": "0x29255720002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29257f98940"
              }
            ],
            "repeated": 0,
            "id": 15478
          },
          {
            "timestamp": "2026-05-28 22:01:58,662",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "misc",
            "api": "LoadResource",
            "status": true,
            "return": "0x292580164e8",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29255720002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29257f98940"
              }
            ],
            "repeated": 0,
            "id": 15479
          },
          {
            "timestamp": "2026-05-28 22:01:58,662",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29257f80000"
              },
              {
                "name": "RegionSize",
                "value": "0x013c0000"
              }
            ],
            "repeated": 0,
            "id": 15480
          },
          {
            "timestamp": "2026-05-28 22:01:58,662",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a3c"
              }
            ],
            "repeated": 0,
            "id": 15481
          },
          {
            "timestamp": "2026-05-28 22:01:58,662",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29255730000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              }
            ],
            "repeated": 0,
            "id": 15482
          },
          {
            "timestamp": "2026-05-28 22:01:58,662",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000007d4"
              }
            ],
            "repeated": 0,
            "id": 15483
          },
          {
            "timestamp": "2026-05-28 22:01:58,678",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29255720000"
              },
              {
                "name": "RegionSize",
                "value": "0x00003000"
              }
            ],
            "repeated": 0,
            "id": 15484
          },
          {
            "timestamp": "2026-05-28 22:01:58,678",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29255720002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\System32\\services.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 15485
          },
          {
            "timestamp": "2026-05-28 22:01:58,678",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "registry",
            "api": "NtOpenKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\en-US"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\en-US"
              }
            ],
            "repeated": 0,
            "id": 15486
          },
          {
            "timestamp": "2026-05-28 22:01:58,678",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000007d4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100001",
                "pretty_value": "FILE_READ_ACCESS|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\en-US\\services.exe.mui"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 15487
          },
          {
            "timestamp": "2026-05-28 22:01:58,678",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000a3c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x000007d4"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\en-US\\services.exe.mui"
              }
            ],
            "repeated": 0,
            "id": 15488
          },
          {
            "timestamp": "2026-05-28 22:01:58,678",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000a3c"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x292557d0000"
              },
              {
                "name": "SectionOffset",
                "value": "0xf09ddfcf90"
              },
              {
                "name": "ViewSize",
                "value": "0x00005000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 15489
          },
          {
            "timestamp": "2026-05-28 22:01:58,678",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a3c"
              }
            ],
            "repeated": 0,
            "id": 15490
          },
          {
            "timestamp": "2026-05-28 22:01:58,678",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x292557d0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00005000"
              }
            ],
            "repeated": 0,
            "id": 15491
          },
          {
            "timestamp": "2026-05-28 22:01:58,678",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000007d4"
              }
            ],
            "repeated": 0,
            "id": 15492
          },
          {
            "timestamp": "2026-05-28 22:01:58,678",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29255720000"
              },
              {
                "name": "RegionSize",
                "value": "0x000b0000"
              }
            ],
            "repeated": 0,
            "id": 15493
          },
          {
            "timestamp": "2026-05-28 22:01:58,678",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29255720002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\System32\\services.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 15494
          },
          {
            "timestamp": "2026-05-28 22:01:58,678",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "registry",
            "api": "NtOpenKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\en-US"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\en-US"
              }
            ],
            "repeated": 0,
            "id": 15495
          },
          {
            "timestamp": "2026-05-28 22:01:58,678",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000007d4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100001",
                "pretty_value": "FILE_READ_ACCESS|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\en-US\\services.exe.mui"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 15496
          },
          {
            "timestamp": "2026-05-28 22:01:58,678",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000a3c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x000007d4"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\en-US\\services.exe.mui"
              }
            ],
            "repeated": 0,
            "id": 15497
          },
          {
            "timestamp": "2026-05-28 22:01:58,678",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000a3c"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x292557d0000"
              },
              {
                "name": "SectionOffset",
                "value": "0xf09ddfcf80"
              },
              {
                "name": "ViewSize",
                "value": "0x00005000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 15498
          },
          {
            "timestamp": "2026-05-28 22:01:58,678",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a3c"
              }
            ],
            "repeated": 0,
            "id": 15499
          },
          {
            "timestamp": "2026-05-28 22:01:58,678",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x292557d0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00005000"
              }
            ],
            "repeated": 0,
            "id": 15500
          },
          {
            "timestamp": "2026-05-28 22:01:58,678",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000007d4"
              }
            ],
            "repeated": 0,
            "id": 15501
          },
          {
            "timestamp": "2026-05-28 22:01:58,678",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29255720000"
              },
              {
                "name": "RegionSize",
                "value": "0x000b0000"
              }
            ],
            "repeated": 0,
            "id": 15502
          },
          {
            "timestamp": "2026-05-28 22:01:58,678",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c38f8",
            "category": "process",
            "api": "NtOpenProcess",
            "status": false,
            "return": "0xffffffffc0000022",
            "pretty_return": "ACCESS_DENIED",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x7ffc756dad9e"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001410",
                "pretty_value": "PROCESS_VM_READ|PROCESS_QUERY_INFORMATION|PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "592"
              }
            ],
            "repeated": 0,
            "id": 15503
          },
          {
            "timestamp": "2026-05-28 22:01:58,678",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c3746",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000007d4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001000",
                "pretty_value": "PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "592"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\System32\\services.exe"
              }
            ],
            "repeated": 0,
            "id": 15504
          },
          {
            "timestamp": "2026-05-28 22:01:58,678",
            "thread_id": "5448",
            "caller": "0x7ff6c28c472e",
            "parentcaller": "0x7ff6c28c375e",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000007d4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x00000a3c"
              }
            ],
            "repeated": 0,
            "id": 15505
          },
          {
            "timestamp": "2026-05-28 22:01:58,678",
            "thread_id": "5448",
            "caller": "0x7ff6c28c4764",
            "parentcaller": "0x7ff6c28c375e",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "39"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 15506
          },
          {
            "timestamp": "2026-05-28 22:01:58,678",
            "thread_id": "5448",
            "caller": "0x7ff6c28c47ed",
            "parentcaller": "0x7ff6c28c375e",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "39"
              },
              {
                "name": "TokenInformation",
                "value": "\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\xd0\\xd2\\xabT\\x92\\x02\\x00\\x00 \\x00 \\x00\\x00\\x00\\x00\\x00\\xf8\\xd2\\xabT\\x92\\x02\\x00\\x00\\x02\\x00\\x00\\x00A\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x18\\xd3\\xabT\\x92\\x02\\x00\\x00T\\x00S\\x00A\\x00:\\x00/\\x00/\\x00P\\x00r\\x00o\\x00c\\x00U\\x00n\\x00i\\x00q\\x00u\\x00e\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xa1g\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 15507
          },
          {
            "timestamp": "2026-05-28 22:01:58,678",
            "thread_id": "5448",
            "caller": "0x7ff6c28c488d",
            "parentcaller": "0x7ff6c28c375e",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a3c"
              }
            ],
            "repeated": 0,
            "id": 15508
          },
          {
            "timestamp": "2026-05-28 22:01:58,678",
            "thread_id": "5448",
            "caller": "0x7ff6c28c3779",
            "parentcaller": "0x7ff6c28c31c6",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000007d4"
              }
            ],
            "repeated": 0,
            "id": 15509
          },
          {
            "timestamp": "2026-05-28 22:01:58,678",
            "thread_id": "5448",
            "caller": "0x7ff6c28c05ac",
            "parentcaller": "0x7ff6c28bdc11",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000007d4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001400",
                "pretty_value": "PROCESS_QUERY_INFORMATION|PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "640"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\System32\\lsass.exe"
              }
            ],
            "repeated": 0,
            "id": 15510
          },
          {
            "timestamp": "2026-05-28 22:01:58,678",
            "thread_id": "5448",
            "caller": "0x7ff6c28c068f",
            "parentcaller": "0x7ff6c28bdc11",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000007d4"
              }
            ],
            "repeated": 0,
            "id": 15511
          },
          {
            "timestamp": "2026-05-28 22:01:58,678",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c3e56",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000007d4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001000",
                "pretty_value": "PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "640"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\System32\\lsass.exe"
              }
            ],
            "repeated": 0,
            "id": 15512
          },
          {
            "timestamp": "2026-05-28 22:01:58,678",
            "thread_id": "5448",
            "caller": "0x7ff6c28c3ebb",
            "parentcaller": "0x7ff6c28c2d53",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000007d4"
              }
            ],
            "repeated": 0,
            "id": 15513
          },
          {
            "timestamp": "2026-05-28 22:01:58,678",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c3ffc",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000007d4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001000",
                "pretty_value": "PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "640"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\System32\\lsass.exe"
              }
            ],
            "repeated": 0,
            "id": 15514
          },
          {
            "timestamp": "2026-05-28 22:01:58,678",
            "thread_id": "5448",
            "caller": "0x7ff6c28c4224",
            "parentcaller": "0x7ff6c28c2da5",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000007d4"
              }
            ],
            "repeated": 0,
            "id": 15515
          },
          {
            "timestamp": "2026-05-28 22:01:58,678",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000007d4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000400",
                "pretty_value": "PROCESS_QUERY_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "7912"
              }
            ],
            "repeated": 0,
            "id": 15516
          },
          {
            "timestamp": "2026-05-28 22:01:58,678",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x00000a3c"
              }
            ],
            "repeated": 0,
            "id": 15517
          },
          {
            "timestamp": "2026-05-28 22:01:58,678",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "`\\xd8\\xdf\\x9d\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\xe9\\x03\\x00\\x00\\xfc\\x7f\\x00\\x00`^\\xe8S\\x92\\x02\\x00\\x00\\xe0\\xde\\xdf\\x9d\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x91\\x00\\x00\\x00\\x00\\x00\\x00\\x00H\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 15518
          },
          {
            "timestamp": "2026-05-28 22:01:58,678",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "synchronization",
            "api": "NtCreateMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a30"
              },
              {
                "name": "MutexName",
                "value": "Global\\C::Users:admin:AppData:Local:Microsoft:Windows:Explorer:iconcache_idx.db!rwReaderRefs"
              },
              {
                "name": "InitialOwner",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 15519
          },
          {
            "timestamp": "2026-05-28 22:01:58,678",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a3c"
              }
            ],
            "repeated": 0,
            "id": 15520
          },
          {
            "timestamp": "2026-05-28 22:01:58,678",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000007d4"
              }
            ],
            "repeated": 0,
            "id": 15521
          },
          {
            "timestamp": "2026-05-28 22:01:58,678",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000808"
              },
              {
                "name": "HandleName",
                "value": "C:\\Users\\admin\\AppData\\Local\\Microsoft\\Windows\\Explorer\\iconcache_idx.db"
              },
              {
                "name": "FileInformationClass",
                "value": "5",
                "pretty_value": "FileStandardInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\x00\\x80\\x00\\x00\\x00\\x00\\x00\\x000r\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 15522
          },
          {
            "timestamp": "2026-05-28 22:01:58,678",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a30"
              }
            ],
            "repeated": 0,
            "id": 15523
          },
          {
            "timestamp": "2026-05-28 22:01:58,678",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a30"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000400",
                "pretty_value": "PROCESS_QUERY_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "7912"
              }
            ],
            "repeated": 0,
            "id": 15524
          },
          {
            "timestamp": "2026-05-28 22:01:58,678",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x000007d4"
              }
            ],
            "repeated": 0,
            "id": 15525
          },
          {
            "timestamp": "2026-05-28 22:01:58,678",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "p\\xd8\\xdf\\x9d\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\xe9\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xbc\\x07\\x00\\x00\\x00\\x00\\x00\\x00 \\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x02\\x00\\x00\\x00\\x00\\x00\\x00]\\xddmu\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xea5\\x07Ou\\xc0\\x00\\x00\\xe8\\xf6\\x8eT\\x92\\x02\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 15526
          },
          {
            "timestamp": "2026-05-28 22:01:58,678",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "synchronization",
            "api": "NtCreateMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a3c"
              },
              {
                "name": "MutexName",
                "value": "Global\\C::Users:admin:AppData:Local:Microsoft:Windows:Explorer:iconcache_idx.db!rwReaderRefs"
              },
              {
                "name": "InitialOwner",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 15527
          },
          {
            "timestamp": "2026-05-28 22:01:58,678",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000007d4"
              }
            ],
            "repeated": 0,
            "id": 15528
          },
          {
            "timestamp": "2026-05-28 22:01:58,678",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a30"
              }
            ],
            "repeated": 0,
            "id": 15529
          },
          {
            "timestamp": "2026-05-28 22:01:58,678",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a3c"
              }
            ],
            "repeated": 0,
            "id": 15530
          },
          {
            "timestamp": "2026-05-28 22:01:58,678",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\lsass.exe"
              }
            ],
            "repeated": 1,
            "id": 15531
          },
          {
            "timestamp": "2026-05-28 22:01:58,678",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29255720002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "c:\\windows\\system32\\lsass.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 15532
          },
          {
            "timestamp": "2026-05-28 22:01:58,678",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100001",
                "pretty_value": "FILE_READ_ACCESS|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\SystemResources\\lsass.exe.mun"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 15533
          },
          {
            "timestamp": "2026-05-28 22:01:58,678",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29255720000"
              },
              {
                "name": "RegionSize",
                "value": "0x00012000"
              }
            ],
            "repeated": 0,
            "id": 15534
          },
          {
            "timestamp": "2026-05-28 22:01:58,678",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\imageres.dll"
              }
            ],
            "repeated": 1,
            "id": 15535
          },
          {
            "timestamp": "2026-05-28 22:01:58,678",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29255720002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\system32\\imageres.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 15536
          },
          {
            "timestamp": "2026-05-28 22:01:58,678",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "registry",
            "api": "NtOpenKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\en-US"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\en-US"
              }
            ],
            "repeated": 0,
            "id": 15537
          },
          {
            "timestamp": "2026-05-28 22:01:58,678",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000a3c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100001",
                "pretty_value": "FILE_READ_ACCESS|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\en-US\\imageres.dll.mui"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 15538
          },
          {
            "timestamp": "2026-05-28 22:01:58,678",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000a30"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000a3c"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\en-US\\imageres.dll.mui"
              }
            ],
            "repeated": 0,
            "id": 15539
          },
          {
            "timestamp": "2026-05-28 22:01:58,678",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000a30"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29255730000"
              },
              {
                "name": "SectionOffset",
                "value": "0xf09ddfb7f0"
              },
              {
                "name": "ViewSize",
                "value": "0x00001000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 15540
          },
          {
            "timestamp": "2026-05-28 22:01:58,678",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a30"
              }
            ],
            "repeated": 0,
            "id": 15541
          },
          {
            "timestamp": "2026-05-28 22:01:58,678",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000a30"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100001",
                "pretty_value": "FILE_READ_ACCESS|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\SystemResources\\imageres.dll.mun"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 15542
          },
          {
            "timestamp": "2026-05-28 22:01:58,678",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x000007d4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000a30"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\SystemResources\\imageres.dll.mun"
              }
            ],
            "repeated": 0,
            "id": 15543
          },
          {
            "timestamp": "2026-05-28 22:01:58,678",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x000007d4"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29257f80000"
              },
              {
                "name": "SectionOffset",
                "value": "0xf09ddfb7a0"
              },
              {
                "name": "ViewSize",
                "value": "0x013c0000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 15544
          },
          {
            "timestamp": "2026-05-28 22:01:58,678",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000007d4"
              }
            ],
            "repeated": 0,
            "id": 15545
          },
          {
            "timestamp": "2026-05-28 22:01:58,678",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "misc",
            "api": "FindResourceExW",
            "status": true,
            "return": "0x29257fa2e40",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29255720002"
              },
              {
                "name": "Type",
                "value": "#14"
              },
              {
                "name": "Name",
                "value": "#15"
              },
              {
                "name": "Language",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 15546
          },
          {
            "timestamp": "2026-05-28 22:01:58,678",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "misc",
            "api": "LoadResource",
            "status": true,
            "return": "0x29258016950",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29255720002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29257fa2e40"
              }
            ],
            "repeated": 0,
            "id": 15547
          },
          {
            "timestamp": "2026-05-28 22:01:58,678",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "misc",
            "api": "FindResourceExW",
            "status": true,
            "return": "0x29257f98940",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29255720002"
              },
              {
                "name": "Type",
                "value": "#3"
              },
              {
                "name": "Name",
                "value": "#63"
              },
              {
                "name": "Language",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 15548
          },
          {
            "timestamp": "2026-05-28 22:01:58,678",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "misc",
            "api": "SizeofResource",
            "status": true,
            "return": "0x00000468",
            "arguments": [
              {
                "name": "ModuleHandle",
                "value": "0x29255720002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29257f98940"
              }
            ],
            "repeated": 0,
            "id": 15549
          },
          {
            "timestamp": "2026-05-28 22:01:58,678",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "misc",
            "api": "LoadResource",
            "status": true,
            "return": "0x292580164e8",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29255720002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29257f98940"
              }
            ],
            "repeated": 0,
            "id": 15550
          },
          {
            "timestamp": "2026-05-28 22:01:58,678",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29257f80000"
              },
              {
                "name": "RegionSize",
                "value": "0x013c0000"
              }
            ],
            "repeated": 0,
            "id": 15551
          },
          {
            "timestamp": "2026-05-28 22:01:58,678",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a30"
              }
            ],
            "repeated": 0,
            "id": 15552
          },
          {
            "timestamp": "2026-05-28 22:01:58,678",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29255730000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              }
            ],
            "repeated": 0,
            "id": 15553
          },
          {
            "timestamp": "2026-05-28 22:01:58,678",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a3c"
              }
            ],
            "repeated": 0,
            "id": 15554
          },
          {
            "timestamp": "2026-05-28 22:01:58,678",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29255720000"
              },
              {
                "name": "RegionSize",
                "value": "0x00003000"
              }
            ],
            "repeated": 0,
            "id": 15555
          },
          {
            "timestamp": "2026-05-28 22:01:58,678",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29255720002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\System32\\lsass.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 15556
          },
          {
            "timestamp": "2026-05-28 22:01:58,678",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29255720000"
              },
              {
                "name": "RegionSize",
                "value": "0x00012000"
              }
            ],
            "repeated": 0,
            "id": 15557
          },
          {
            "timestamp": "2026-05-28 22:01:58,678",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29255720002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\System32\\lsass.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 15558
          },
          {
            "timestamp": "2026-05-28 22:01:58,678",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29255720000"
              },
              {
                "name": "RegionSize",
                "value": "0x00012000"
              }
            ],
            "repeated": 0,
            "id": 15559
          },
          {
            "timestamp": "2026-05-28 22:01:58,678",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c38f8",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a3c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001410",
                "pretty_value": "PROCESS_VM_READ|PROCESS_QUERY_INFORMATION|PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "640"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\System32\\lsass.exe"
              }
            ],
            "repeated": 0,
            "id": 15560
          },
          {
            "timestamp": "2026-05-28 22:01:58,678",
            "thread_id": "5448",
            "caller": "0x7ff6c28c53e5",
            "parentcaller": "0x7ff6c28c3945",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a3c"
              },
              {
                "name": "BaseAddress",
                "value": "0x7d2856a000"
              },
              {
                "name": "Size",
                "value": "0x000007c8"
              },
              {
                "name": "Buffer",
                "value": "\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\xa9W\\xf6\\x7f\\x00\\x00\\xc0\\xc4\\x13x\\xfc\\x7f\\x00\\x00\\x900\\xa0\\xbe\\x8b\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x84\\xbe\\x8b\\x01\\x00\\x00\\xe0\\xc0\\x13x\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x7f\\xbe\\x8b\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00@\\xc4\\x13x\\xfc\\x7f\\x00\\x00\\xff\\xff\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x8b,\\xf4}\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00P\\x07\\x8b,\\xf4}\\x00\\x00\\x00\\x00\\x9f.\\xf5}\\x00\\x00(\\x02\\xa0.\\xf5}\\x00\\x00P\\x06\\xa1.\\xf5}\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x80\\x9b\\x07m\\xe8\\xff\\xff\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x00 \\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x10\\x00\\x00\\x00@\\xad\\x13x\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 15561
          },
          {
            "timestamp": "2026-05-28 22:01:58,678",
            "thread_id": "5448",
            "caller": "0x7ff6c28c5414",
            "parentcaller": "0x7ff6c28c3945",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a3c"
              },
              {
                "name": "BaseAddress",
                "value": "0x18bbea03090"
              },
              {
                "name": "Size",
                "value": "0x00000440"
              },
              {
                "name": "Buffer",
                "value": ":\\x07\\x00\\x00:\\x07\\x00\\x00\\x01`\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00(\\x00\\x08\\x02\\x00\\x00\\x00\\x00@<\\xa0\\xbe\\x8b\\x01\\x00\\x00@\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00:\\x00<\\x00\\x00\\x00\\x00\\x00\\xd86\\xa0\\xbe\\x8b\\x01\\x00\\x00:\\x00<\\x00\\x00\\x00\\x00\\x00\\x147\\xa0\\xbe\\x8b\\x01\\x00\\x00\\xf0'\\xa0\\xbe\\x8b\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x81\\x00\\x00\\x00\\x05\\x00\\x00\\x00\\x00\\x00\\x00\\x00:\\x00<\\x00\\x00\\x00\\x00\\x00P7\\xa0\\xbe\\x8b\\x01\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x8c7\\xa0\\xbe\\x8b\\x01\\x00\\x00:\\x00<\\x00\\x00\\x00\\x00\\x00\\x8e7\\xa0\\xbe\\x8b\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 15562
          },
          {
            "timestamp": "2026-05-28 22:01:58,678",
            "thread_id": "5448",
            "caller": "0x7ff6c28c545d",
            "parentcaller": "0x7ff6c28c3945",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a3c"
              },
              {
                "name": "BaseAddress",
                "value": "0x18bbea03714"
              },
              {
                "name": "Size",
                "value": "0x0000003a"
              },
              {
                "name": "Buffer",
                "value": "C\\x00:\\x00\\\\x00W\\x00i\\x00n\\x00d\\x00o\\x00w\\x00s\\x00\\\\x00s\\x00y\\x00s\\x00t\\x00e\\x00m\\x003\\x002\\x00\\\\x00l\\x00s\\x00a\\x00s\\x00s\\x00.\\x00e\\x00x\\x00e\\x00"
              }
            ],
            "repeated": 0,
            "id": 15563
          },
          {
            "timestamp": "2026-05-28 22:01:58,678",
            "thread_id": "5448",
            "caller": "0x7ff6c28c39ad",
            "parentcaller": "0x7ff6c28c31bb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a3c"
              }
            ],
            "repeated": 0,
            "id": 15564
          },
          {
            "timestamp": "2026-05-28 22:01:58,678",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c3746",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a3c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001000",
                "pretty_value": "PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "640"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\System32\\lsass.exe"
              }
            ],
            "repeated": 0,
            "id": 15565
          },
          {
            "timestamp": "2026-05-28 22:01:58,678",
            "thread_id": "5448",
            "caller": "0x7ff6c28c472e",
            "parentcaller": "0x7ff6c28c375e",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a3c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x00000a30"
              }
            ],
            "repeated": 0,
            "id": 15566
          },
          {
            "timestamp": "2026-05-28 22:01:58,678",
            "thread_id": "5448",
            "caller": "0x7ff6c28c4764",
            "parentcaller": "0x7ff6c28c375e",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "39"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 15567
          },
          {
            "timestamp": "2026-05-28 22:01:58,678",
            "thread_id": "5448",
            "caller": "0x7ff6c28c47ed",
            "parentcaller": "0x7ff6c28c375e",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "39"
              },
              {
                "name": "TokenInformation",
                "value": "\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\xd0\\xd2\\xabT\\x92\\x02\\x00\\x00 \\x00 \\x00\\x00\\x00\\x00\\x00\\xf8\\xd2\\xabT\\x92\\x02\\x00\\x00\\x02\\x00\\x00\\x00A\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x18\\xd3\\xabT\\x92\\x02\\x00\\x00T\\x00S\\x00A\\x00:\\x00/\\x00/\\x00P\\x00r\\x00o\\x00c\\x00U\\x00n\\x00i\\x00q\\x00u\\x00e\\x00\n\\x00\\x00\\x00\\x00\\x00\\x00\\x00@k\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 15568
          },
          {
            "timestamp": "2026-05-28 22:01:58,678",
            "thread_id": "5448",
            "caller": "0x7ff6c28c488d",
            "parentcaller": "0x7ff6c28c375e",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a30"
              }
            ],
            "repeated": 0,
            "id": 15569
          },
          {
            "timestamp": "2026-05-28 22:01:58,678",
            "thread_id": "5448",
            "caller": "0x7ff6c28c3779",
            "parentcaller": "0x7ff6c28c31c6",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a3c"
              }
            ],
            "repeated": 0,
            "id": 15570
          },
          {
            "timestamp": "2026-05-28 22:01:58,678",
            "thread_id": "5448",
            "caller": "0x7ff6c28c05ac",
            "parentcaller": "0x7ff6c28bdc11",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a3c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001400",
                "pretty_value": "PROCESS_QUERY_INFORMATION|PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "748"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\System32\\fontdrvhost.exe"
              }
            ],
            "repeated": 0,
            "id": 15571
          },
          {
            "timestamp": "2026-05-28 22:01:58,678",
            "thread_id": "5448",
            "caller": "0x7ff6c28c068f",
            "parentcaller": "0x7ff6c28bdc11",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a3c"
              }
            ],
            "repeated": 0,
            "id": 15572
          },
          {
            "timestamp": "2026-05-28 22:01:58,678",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c6d7d",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a3c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001400",
                "pretty_value": "PROCESS_QUERY_INFORMATION|PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "748"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\System32\\fontdrvhost.exe"
              }
            ],
            "repeated": 0,
            "id": 15573
          },
          {
            "timestamp": "2026-05-28 22:01:58,678",
            "thread_id": "5448",
            "caller": "0x7ff6c28c6de3",
            "parentcaller": "0x7ff6c28c087c",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a3c"
              }
            ],
            "repeated": 0,
            "id": 15574
          },
          {
            "timestamp": "2026-05-28 22:01:58,678",
            "thread_id": "5448",
            "caller": "0x7ff6c28c05ac",
            "parentcaller": "0x7ff6c28bdc11",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a3c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001400",
                "pretty_value": "PROCESS_QUERY_INFORMATION|PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "860"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\System32\\svchost.exe"
              }
            ],
            "repeated": 0,
            "id": 15575
          },
          {
            "timestamp": "2026-05-28 22:01:58,678",
            "thread_id": "5448",
            "caller": "0x7ff6c28c068f",
            "parentcaller": "0x7ff6c28bdc11",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a3c"
              }
            ],
            "repeated": 0,
            "id": 15576
          },
          {
            "timestamp": "2026-05-28 22:01:58,678",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c3e56",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a3c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001000",
                "pretty_value": "PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "860"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\System32\\svchost.exe"
              }
            ],
            "repeated": 0,
            "id": 15577
          },
          {
            "timestamp": "2026-05-28 22:01:58,678",
            "thread_id": "5448",
            "caller": "0x7ff6c28c3ebb",
            "parentcaller": "0x7ff6c28c2d53",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a3c"
              }
            ],
            "repeated": 0,
            "id": 15578
          },
          {
            "timestamp": "2026-05-28 22:01:58,678",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c3ffc",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a3c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001000",
                "pretty_value": "PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "860"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\System32\\svchost.exe"
              }
            ],
            "repeated": 0,
            "id": 15579
          },
          {
            "timestamp": "2026-05-28 22:01:58,678",
            "thread_id": "5448",
            "caller": "0x7ff6c28c4224",
            "parentcaller": "0x7ff6c28c2da5",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a3c"
              }
            ],
            "repeated": 0,
            "id": 15580
          },
          {
            "timestamp": "2026-05-28 22:01:58,678",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29255720002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\System32\\svchost.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 15581
          },
          {
            "timestamp": "2026-05-28 22:01:58,678",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "registry",
            "api": "NtOpenKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\en-US"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\en-US"
              }
            ],
            "repeated": 0,
            "id": 15582
          },
          {
            "timestamp": "2026-05-28 22:01:58,678",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000a3c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100001",
                "pretty_value": "FILE_READ_ACCESS|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\en-US\\svchost.exe.mui"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 15583
          },
          {
            "timestamp": "2026-05-28 22:01:58,678",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000a30"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000a3c"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\en-US\\svchost.exe.mui"
              }
            ],
            "repeated": 0,
            "id": 15584
          },
          {
            "timestamp": "2026-05-28 22:01:58,678",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000a30"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29255730000"
              },
              {
                "name": "SectionOffset",
                "value": "0xf09ddfcf90"
              },
              {
                "name": "ViewSize",
                "value": "0x00001000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 15585
          },
          {
            "timestamp": "2026-05-28 22:01:58,678",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a30"
              }
            ],
            "repeated": 0,
            "id": 15586
          },
          {
            "timestamp": "2026-05-28 22:01:58,678",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29255730000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              }
            ],
            "repeated": 0,
            "id": 15587
          },
          {
            "timestamp": "2026-05-28 22:01:58,678",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a3c"
              }
            ],
            "repeated": 0,
            "id": 15588
          },
          {
            "timestamp": "2026-05-28 22:01:58,678",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29255720000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              }
            ],
            "repeated": 0,
            "id": 15589
          },
          {
            "timestamp": "2026-05-28 22:01:58,678",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29255720002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\System32\\svchost.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 15590
          },
          {
            "timestamp": "2026-05-28 22:01:58,678",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "registry",
            "api": "NtOpenKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\en-US"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\en-US"
              }
            ],
            "repeated": 0,
            "id": 15591
          },
          {
            "timestamp": "2026-05-28 22:01:58,678",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000a3c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100001",
                "pretty_value": "FILE_READ_ACCESS|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\en-US\\svchost.exe.mui"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 15592
          },
          {
            "timestamp": "2026-05-28 22:01:58,678",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000a30"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000a3c"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\en-US\\svchost.exe.mui"
              }
            ],
            "repeated": 0,
            "id": 15593
          },
          {
            "timestamp": "2026-05-28 22:01:58,678",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000a30"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29255730000"
              },
              {
                "name": "SectionOffset",
                "value": "0xf09ddfcf80"
              },
              {
                "name": "ViewSize",
                "value": "0x00001000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 15594
          },
          {
            "timestamp": "2026-05-28 22:01:58,678",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a30"
              }
            ],
            "repeated": 0,
            "id": 15595
          },
          {
            "timestamp": "2026-05-28 22:01:58,678",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29255730000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              }
            ],
            "repeated": 0,
            "id": 15596
          },
          {
            "timestamp": "2026-05-28 22:01:58,678",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a3c"
              }
            ],
            "repeated": 0,
            "id": 15597
          },
          {
            "timestamp": "2026-05-28 22:01:58,678",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29255720000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              }
            ],
            "repeated": 0,
            "id": 15598
          },
          {
            "timestamp": "2026-05-28 22:01:58,678",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c38f8",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a3c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001410",
                "pretty_value": "PROCESS_VM_READ|PROCESS_QUERY_INFORMATION|PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "860"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\System32\\svchost.exe"
              }
            ],
            "repeated": 0,
            "id": 15599
          },
          {
            "timestamp": "2026-05-28 22:01:58,678",
            "thread_id": "5448",
            "caller": "0x7ff6c28c53e5",
            "parentcaller": "0x7ff6c28c3945",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a3c"
              },
              {
                "name": "BaseAddress",
                "value": "0x8090d36000"
              },
              {
                "name": "Size",
                "value": "0x000007c8"
              },
              {
                "name": "Buffer",
                "value": "\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x006\\x80\\xf7\\x7f\\x00\\x00\\xc0\\xc4\\x13x\\xfc\\x7f\\x00\\x00\\xf02@\\x96'\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x005\\x96'\\x02\\x00\\x00\\xe0\\xc0\\x13x\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x000\\x96'\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00@\\xc4\\x13x\\xfc\\x7f\\x00\\x00\\xff\\x03\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00J\\x01\\xf4}\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00P\\x07J\\x01\\xf4}\\x00\\x00\\x00\\x00^\\x03\\xf5}\\x00\\x00(\\x02_\\x03\\xf5}\\x00\\x00P\\x06`\\x03\\xf5}\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x80\\x9b\\x07m\\xe8\\xff\\xff\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x00 \\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x10\\x00\\x00\\x00@\\xad\\x13x\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 15600
          },
          {
            "timestamp": "2026-05-28 22:01:58,678",
            "thread_id": "5448",
            "caller": "0x7ff6c28c5414",
            "parentcaller": "0x7ff6c28c3945",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a3c"
              },
              {
                "name": "BaseAddress",
                "value": "0x227964032f0"
              },
              {
                "name": "Size",
                "value": "0x00000440"
              },
              {
                "name": "Buffer",
                "value": "$\\x07\\x00\\x00$\\x07\\x00\\x00\\x01 \\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00(\\x00\\x08\\x02\\x00\\x00\\x00\\x00\\x90>@\\x96'\\x02\\x00\\x00H\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00>\\x00@\\x00\\x00\\x00\\x00\\x0089@\\x96'\\x02\\x00\\x00V\\x00X\\x00\\x00\\x00\\x00\\x00x9@\\x96'\\x02\\x00\\x00\\xf0'@\\x96'\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x80\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00>\\x00@\\x00\\x00\\x00\\x00\\x00\\xd09@\\x96'\\x02\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x10:@\\x96'\\x02\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x12:@\\x96'\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 15601
          },
          {
            "timestamp": "2026-05-28 22:01:58,678",
            "thread_id": "5448",
            "caller": "0x7ff6c28c545d",
            "parentcaller": "0x7ff6c28c3945",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a3c"
              },
              {
                "name": "BaseAddress",
                "value": "0x22796403978"
              },
              {
                "name": "Size",
                "value": "0x00000056"
              },
              {
                "name": "Buffer",
                "value": "C\\x00:\\x00\\\\x00W\\x00i\\x00n\\x00d\\x00o\\x00w\\x00s\\x00\\\\x00s\\x00y\\x00s\\x00t\\x00e\\x00m\\x003\\x002\\x00\\\\x00s\\x00v\\x00c\\x00h\\x00o\\x00s\\x00t\\x00.\\x00e\\x00x\\x00e\\x00 \\x00-\\x00k\\x00 \\x00R\\x00P\\x00C\\x00S\\x00S\\x00 \\x00-\\x00p\\x00"
              }
            ],
            "repeated": 0,
            "id": 15602
          },
          {
            "timestamp": "2026-05-28 22:01:58,678",
            "thread_id": "5448",
            "caller": "0x7ff6c28c39ad",
            "parentcaller": "0x7ff6c28c31bb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a3c"
              }
            ],
            "repeated": 0,
            "id": 15603
          },
          {
            "timestamp": "2026-05-28 22:01:58,678",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c3746",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a3c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001000",
                "pretty_value": "PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "860"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\System32\\svchost.exe"
              }
            ],
            "repeated": 0,
            "id": 15604
          },
          {
            "timestamp": "2026-05-28 22:01:58,678",
            "thread_id": "5448",
            "caller": "0x7ff6c28c472e",
            "parentcaller": "0x7ff6c28c375e",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a3c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x00000a30"
              }
            ],
            "repeated": 0,
            "id": 15605
          },
          {
            "timestamp": "2026-05-28 22:01:58,678",
            "thread_id": "5448",
            "caller": "0x7ff6c28c4764",
            "parentcaller": "0x7ff6c28c375e",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "39"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 15606
          },
          {
            "timestamp": "2026-05-28 22:01:58,678",
            "thread_id": "5448",
            "caller": "0x7ff6c28c47ed",
            "parentcaller": "0x7ff6c28c375e",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "39"
              },
              {
                "name": "TokenInformation",
                "value": "\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\xd0\\xd2\\xabT\\x92\\x02\\x00\\x00 \\x00 \\x00\\x00\\x00\\x00\\x00\\xf8\\xd2\\xabT\\x92\\x02\\x00\\x00\\x02\\x00\\x00\\x00A\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x18\\xd3\\xabT\\x92\\x02\\x00\\x00T\\x00S\\x00A\\x00:\\x00/\\x00/\\x00P\\x00r\\x00o\\x00c\\x00U\\x00n\\x00i\\x00q\\x00u\\x00e\\x00\\x0e\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x1c\\xc0\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 15607
          },
          {
            "timestamp": "2026-05-28 22:01:58,678",
            "thread_id": "5448",
            "caller": "0x7ff6c28c488d",
            "parentcaller": "0x7ff6c28c375e",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a30"
              }
            ],
            "repeated": 0,
            "id": 15608
          },
          {
            "timestamp": "2026-05-28 22:01:58,678",
            "thread_id": "5448",
            "caller": "0x7ff6c28c3779",
            "parentcaller": "0x7ff6c28c31c6",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a3c"
              }
            ],
            "repeated": 0,
            "id": 15609
          },
          {
            "timestamp": "2026-05-28 22:01:58,678",
            "thread_id": "5448",
            "caller": "0x7ff6c28c05ac",
            "parentcaller": "0x7ff6c28bdc11",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a3c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001400",
                "pretty_value": "PROCESS_QUERY_INFORMATION|PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "984"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\System32\\dwm.exe"
              }
            ],
            "repeated": 0,
            "id": 15610
          },
          {
            "timestamp": "2026-05-28 22:01:58,678",
            "thread_id": "5448",
            "caller": "0x7ff6c28c068f",
            "parentcaller": "0x7ff6c28bdc11",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a3c"
              }
            ],
            "repeated": 0,
            "id": 15611
          },
          {
            "timestamp": "2026-05-28 22:01:58,678",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c3e56",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a3c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001000",
                "pretty_value": "PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "984"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\System32\\dwm.exe"
              }
            ],
            "repeated": 0,
            "id": 15612
          },
          {
            "timestamp": "2026-05-28 22:01:58,678",
            "thread_id": "5448",
            "caller": "0x7ff6c28c3ebb",
            "parentcaller": "0x7ff6c28c2d53",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a3c"
              }
            ],
            "repeated": 0,
            "id": 15613
          },
          {
            "timestamp": "2026-05-28 22:01:58,678",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c3ffc",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a3c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001000",
                "pretty_value": "PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "984"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\System32\\dwm.exe"
              }
            ],
            "repeated": 0,
            "id": 15614
          },
          {
            "timestamp": "2026-05-28 22:01:58,678",
            "thread_id": "5448",
            "caller": "0x7ff6c28c4224",
            "parentcaller": "0x7ff6c28c2da5",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a3c"
              }
            ],
            "repeated": 0,
            "id": 15615
          },
          {
            "timestamp": "2026-05-28 22:01:58,678",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a3c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000400",
                "pretty_value": "PROCESS_QUERY_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "7912"
              }
            ],
            "repeated": 0,
            "id": 15616
          },
          {
            "timestamp": "2026-05-28 22:01:58,678",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x00000a30"
              }
            ],
            "repeated": 0,
            "id": 15617
          },
          {
            "timestamp": "2026-05-28 22:01:58,678",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "`\\xd8\\xdf\\x9d\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\xe9\\x03\\x00\\x00\\xfc\\x7f\\x00\\x00`^\\xe8S\\x92\\x02\\x00\\x00\\xe0\\xde\\xdf\\x9d\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x92\\x00\\x00\\x00\\x00\\x00\\x00\\x00H\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 15618
          },
          {
            "timestamp": "2026-05-28 22:01:58,678",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "synchronization",
            "api": "NtCreateMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a50"
              },
              {
                "name": "MutexName",
                "value": "Global\\C::Users:admin:AppData:Local:Microsoft:Windows:Explorer:iconcache_idx.db!rwReaderRefs"
              },
              {
                "name": "InitialOwner",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 15619
          },
          {
            "timestamp": "2026-05-28 22:01:58,678",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a30"
              }
            ],
            "repeated": 0,
            "id": 15620
          },
          {
            "timestamp": "2026-05-28 22:01:58,678",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a3c"
              }
            ],
            "repeated": 0,
            "id": 15621
          },
          {
            "timestamp": "2026-05-28 22:01:58,678",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000808"
              },
              {
                "name": "HandleName",
                "value": "C:\\Users\\admin\\AppData\\Local\\Microsoft\\Windows\\Explorer\\iconcache_idx.db"
              },
              {
                "name": "FileInformationClass",
                "value": "5",
                "pretty_value": "FileStandardInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\x00\\x80\\x00\\x00\\x00\\x00\\x00\\x000r\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 15622
          },
          {
            "timestamp": "2026-05-28 22:01:58,678",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a50"
              }
            ],
            "repeated": 0,
            "id": 15623
          },
          {
            "timestamp": "2026-05-28 22:01:58,678",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a50"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000400",
                "pretty_value": "PROCESS_QUERY_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "7912"
              }
            ],
            "repeated": 0,
            "id": 15624
          },
          {
            "timestamp": "2026-05-28 22:01:58,678",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x00000a3c"
              }
            ],
            "repeated": 0,
            "id": 15625
          },
          {
            "timestamp": "2026-05-28 22:01:58,678",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "p\\xd8\\xdf\\x9d\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\xe9\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xbc\\x07\\x00\\x00\\x00\\x00\\x00\\x00 \\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x02\\x00\\x00\\x00\\x00\\x00\\x00]\\xddmu\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xea5\\x07Ou\\xc0\\x00\\x00\\xe8\\xf6\\x8eT\\x92\\x02\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 15626
          },
          {
            "timestamp": "2026-05-28 22:01:58,678",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "synchronization",
            "api": "NtCreateMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a30"
              },
              {
                "name": "MutexName",
                "value": "Global\\C::Users:admin:AppData:Local:Microsoft:Windows:Explorer:iconcache_idx.db!rwReaderRefs"
              },
              {
                "name": "InitialOwner",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 15627
          },
          {
            "timestamp": "2026-05-28 22:01:58,678",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a3c"
              }
            ],
            "repeated": 0,
            "id": 15628
          },
          {
            "timestamp": "2026-05-28 22:01:58,678",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a50"
              }
            ],
            "repeated": 0,
            "id": 15629
          },
          {
            "timestamp": "2026-05-28 22:01:58,678",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a30"
              }
            ],
            "repeated": 0,
            "id": 15630
          },
          {
            "timestamp": "2026-05-28 22:01:58,678",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\dwm.exe"
              }
            ],
            "repeated": 1,
            "id": 15631
          },
          {
            "timestamp": "2026-05-28 22:01:58,678",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29255720002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "c:\\windows\\system32\\dwm.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 15632
          },
          {
            "timestamp": "2026-05-28 22:01:58,678",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100001",
                "pretty_value": "FILE_READ_ACCESS|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\SystemResources\\dwm.exe.mun"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 15633
          },
          {
            "timestamp": "2026-05-28 22:01:58,678",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29255720000"
              },
              {
                "name": "RegionSize",
                "value": "0x0001f000"
              }
            ],
            "repeated": 0,
            "id": 15634
          },
          {
            "timestamp": "2026-05-28 22:01:58,678",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\imageres.dll"
              }
            ],
            "repeated": 1,
            "id": 15635
          },
          {
            "timestamp": "2026-05-28 22:01:58,678",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29255720002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\system32\\imageres.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 15636
          },
          {
            "timestamp": "2026-05-28 22:01:58,678",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "registry",
            "api": "NtOpenKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\en-US"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\en-US"
              }
            ],
            "repeated": 0,
            "id": 15637
          },
          {
            "timestamp": "2026-05-28 22:01:58,678",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000a30"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100001",
                "pretty_value": "FILE_READ_ACCESS|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\en-US\\imageres.dll.mui"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 15638
          },
          {
            "timestamp": "2026-05-28 22:01:58,678",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000a50"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000a30"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\en-US\\imageres.dll.mui"
              }
            ],
            "repeated": 0,
            "id": 15639
          },
          {
            "timestamp": "2026-05-28 22:01:58,678",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000a50"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29255730000"
              },
              {
                "name": "SectionOffset",
                "value": "0xf09ddfb7f0"
              },
              {
                "name": "ViewSize",
                "value": "0x00001000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 15640
          },
          {
            "timestamp": "2026-05-28 22:01:58,678",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a50"
              }
            ],
            "repeated": 0,
            "id": 15641
          },
          {
            "timestamp": "2026-05-28 22:01:58,678",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000a50"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100001",
                "pretty_value": "FILE_READ_ACCESS|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\SystemResources\\imageres.dll.mun"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 15642
          },
          {
            "timestamp": "2026-05-28 22:01:58,678",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000a3c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000a50"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\SystemResources\\imageres.dll.mun"
              }
            ],
            "repeated": 0,
            "id": 15643
          },
          {
            "timestamp": "2026-05-28 22:01:58,678",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000a3c"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29257f80000"
              },
              {
                "name": "SectionOffset",
                "value": "0xf09ddfb7a0"
              },
              {
                "name": "ViewSize",
                "value": "0x013c0000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 15644
          },
          {
            "timestamp": "2026-05-28 22:01:58,678",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a3c"
              }
            ],
            "repeated": 0,
            "id": 15645
          },
          {
            "timestamp": "2026-05-28 22:01:58,678",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "misc",
            "api": "FindResourceExW",
            "status": true,
            "return": "0x29257fa2e40",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29255720002"
              },
              {
                "name": "Type",
                "value": "#14"
              },
              {
                "name": "Name",
                "value": "#15"
              },
              {
                "name": "Language",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 15646
          },
          {
            "timestamp": "2026-05-28 22:01:58,678",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "misc",
            "api": "LoadResource",
            "status": true,
            "return": "0x29258016950",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29255720002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29257fa2e40"
              }
            ],
            "repeated": 0,
            "id": 15647
          },
          {
            "timestamp": "2026-05-28 22:01:58,678",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "misc",
            "api": "FindResourceExW",
            "status": true,
            "return": "0x29257f98940",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29255720002"
              },
              {
                "name": "Type",
                "value": "#3"
              },
              {
                "name": "Name",
                "value": "#63"
              },
              {
                "name": "Language",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 15648
          },
          {
            "timestamp": "2026-05-28 22:01:58,678",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "misc",
            "api": "SizeofResource",
            "status": true,
            "return": "0x00000468",
            "arguments": [
              {
                "name": "ModuleHandle",
                "value": "0x29255720002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29257f98940"
              }
            ],
            "repeated": 0,
            "id": 15649
          },
          {
            "timestamp": "2026-05-28 22:01:58,678",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "misc",
            "api": "LoadResource",
            "status": true,
            "return": "0x292580164e8",
            "arguments": [
              {
                "name": "Module",
                "value": "0x29255720002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29257f98940"
              }
            ],
            "repeated": 0,
            "id": 15650
          },
          {
            "timestamp": "2026-05-28 22:01:58,678",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29257f80000"
              },
              {
                "name": "RegionSize",
                "value": "0x013c0000"
              }
            ],
            "repeated": 0,
            "id": 15651
          },
          {
            "timestamp": "2026-05-28 22:01:58,678",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a50"
              }
            ],
            "repeated": 0,
            "id": 15652
          },
          {
            "timestamp": "2026-05-28 22:01:58,678",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29255730000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              }
            ],
            "repeated": 0,
            "id": 15653
          },
          {
            "timestamp": "2026-05-28 22:01:58,678",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a30"
              }
            ],
            "repeated": 0,
            "id": 15654
          },
          {
            "timestamp": "2026-05-28 22:01:58,678",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29255720000"
              },
              {
                "name": "RegionSize",
                "value": "0x00003000"
              }
            ],
            "repeated": 0,
            "id": 15655
          },
          {
            "timestamp": "2026-05-28 22:01:58,678",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29255720002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\System32\\dwm.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 15656
          },
          {
            "timestamp": "2026-05-28 22:01:58,678",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "registry",
            "api": "NtOpenKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\en-US"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\en-US"
              }
            ],
            "repeated": 0,
            "id": 15657
          },
          {
            "timestamp": "2026-05-28 22:01:58,678",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000a30"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100001",
                "pretty_value": "FILE_READ_ACCESS|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\en-US\\dwm.exe.mui"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 15658
          },
          {
            "timestamp": "2026-05-28 22:01:58,678",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000a50"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000a30"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\en-US\\dwm.exe.mui"
              }
            ],
            "repeated": 0,
            "id": 15659
          },
          {
            "timestamp": "2026-05-28 22:01:58,678",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000a50"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29255740000"
              },
              {
                "name": "SectionOffset",
                "value": "0xf09ddfcf90"
              },
              {
                "name": "ViewSize",
                "value": "0x00002000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 15660
          },
          {
            "timestamp": "2026-05-28 22:01:58,678",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a50"
              }
            ],
            "repeated": 0,
            "id": 15661
          },
          {
            "timestamp": "2026-05-28 22:01:58,678",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29255740000"
              },
              {
                "name": "RegionSize",
                "value": "0x00002000"
              }
            ],
            "repeated": 0,
            "id": 15662
          },
          {
            "timestamp": "2026-05-28 22:01:58,678",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a30"
              }
            ],
            "repeated": 0,
            "id": 15663
          },
          {
            "timestamp": "2026-05-28 22:01:58,678",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29255720000"
              },
              {
                "name": "RegionSize",
                "value": "0x0001f000"
              }
            ],
            "repeated": 0,
            "id": 15664
          },
          {
            "timestamp": "2026-05-28 22:01:58,678",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29255720002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\System32\\dwm.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 15665
          },
          {
            "timestamp": "2026-05-28 22:01:58,678",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "registry",
            "api": "NtOpenKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\en-US"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\en-US"
              }
            ],
            "repeated": 0,
            "id": 15666
          },
          {
            "timestamp": "2026-05-28 22:01:58,678",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000a30"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100001",
                "pretty_value": "FILE_READ_ACCESS|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\en-US\\dwm.exe.mui"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 15667
          },
          {
            "timestamp": "2026-05-28 22:01:58,678",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000a50"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000a30"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\en-US\\dwm.exe.mui"
              }
            ],
            "repeated": 0,
            "id": 15668
          },
          {
            "timestamp": "2026-05-28 22:01:58,678",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000a50"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29255740000"
              },
              {
                "name": "SectionOffset",
                "value": "0xf09ddfcf80"
              },
              {
                "name": "ViewSize",
                "value": "0x00002000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 15669
          },
          {
            "timestamp": "2026-05-28 22:01:58,678",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a50"
              }
            ],
            "repeated": 0,
            "id": 15670
          },
          {
            "timestamp": "2026-05-28 22:01:58,678",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29255740000"
              },
              {
                "name": "RegionSize",
                "value": "0x00002000"
              }
            ],
            "repeated": 0,
            "id": 15671
          },
          {
            "timestamp": "2026-05-28 22:01:58,678",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a30"
              }
            ],
            "repeated": 0,
            "id": 15672
          },
          {
            "timestamp": "2026-05-28 22:01:58,678",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29255720000"
              },
              {
                "name": "RegionSize",
                "value": "0x0001f000"
              }
            ],
            "repeated": 0,
            "id": 15673
          },
          {
            "timestamp": "2026-05-28 22:01:58,678",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c38f8",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a30"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001410",
                "pretty_value": "PROCESS_VM_READ|PROCESS_QUERY_INFORMATION|PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "984"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\System32\\dwm.exe"
              }
            ],
            "repeated": 0,
            "id": 15674
          },
          {
            "timestamp": "2026-05-28 22:01:58,678",
            "thread_id": "5448",
            "caller": "0x7ff6c28c53e5",
            "parentcaller": "0x7ff6c28c3945",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a30"
              },
              {
                "name": "BaseAddress",
                "value": "0x57ad181000"
              },
              {
                "name": "Size",
                "value": "0x000007c8"
              },
              {
                "name": "Buffer",
                "value": "\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\xcd\\xd4\\xf6\\x7f\\x00\\x00\\xc0\\xc4\\x13x\\xfc\\x7f\\x00\\x00\\x80\\x18\\x01\\xaai\\x01\\x00\\x00\\xd0\\xb1\\x0fp\\xfc\\x7f\\x00\\x00\\x00\\x00\\x01\\xaai\\x01\\x00\\x00\\xe0\\xc0\\x13x\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00p\\x003v\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xef\\xa9i\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00@\\xc4\\x13x\\xfc\\x7f\\x00\\x00\\xff\\xff\\x0f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb3\\x80\\xf4}\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00P\\x07\\xb3\\x80\\xf4}\\x00\\x00\\x00\\x00\\xc7\\x82\\xf5}\\x00\\x00(\\x02\\xc8\\x82\\xf5}\\x00\\x00P\\x06\\xc9\\x82\\xf5}\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x80\\x9b\\x07m\\xe8\\xff\\xff\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x00 \\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\x05\\x00\\x00\\x00\\x10\\x00\\x00\\x00@\\xad\\x13x\\xfc\\x7f\\x00\\x00\\x00\\x00?\\xaai\\x01\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 15675
          },
          {
            "timestamp": "2026-05-28 22:01:58,678",
            "thread_id": "5448",
            "caller": "0x7ff6c28c5414",
            "parentcaller": "0x7ff6c28c3945",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a30"
              },
              {
                "name": "BaseAddress",
                "value": "0x169aa011880"
              },
              {
                "name": "Size",
                "value": "0x00000440"
              },
              {
                "name": "Buffer",
                "value": "\\xc6\\x06\\x00\\x00\\xc6\\x06\\x00\\x00\\x01`\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00(\\x00\\x08\\x02\\x00\\x00\\x00\\x00\\xa0#\\x01\\xaai\\x01\\x00\\x00@\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x006\\x008\\x00\\x00\\x00\\x00\\x00\\xc8\\x1e\\x01\\xaai\\x01\\x00\\x00\\x12\\x00\\x14\\x00\\x00\\x00\\x00\\x00\\x00\\x1f\\x01\\xaai\\x01\\x00\\x00\\xe0\\x0f\\x01\\xaai\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x0e\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x14\\x1f\\x01\\xaai\\x01\\x00\\x00\\x1e\\x00 \\x00\\x00\\x00\\x00\\x00$\\x1f\\x01\\xaai\\x01\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00D\\x1f\\x01\\xaai\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 15676
          },
          {
            "timestamp": "2026-05-28 22:01:58,678",
            "thread_id": "5448",
            "caller": "0x7ff6c28c545d",
            "parentcaller": "0x7ff6c28c3945",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a30"
              },
              {
                "name": "BaseAddress",
                "value": "0x169aa011f00"
              },
              {
                "name": "Size",
                "value": "0x00000012"
              },
              {
                "name": "Buffer",
                "value": "\"\\x00d\\x00w\\x00m\\x00.\\x00e\\x00x\\x00e\\x00\"\\x00"
              }
            ],
            "repeated": 0,
            "id": 15677
          },
          {
            "timestamp": "2026-05-28 22:01:58,678",
            "thread_id": "5448",
            "caller": "0x7ff6c28c39ad",
            "parentcaller": "0x7ff6c28c31bb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a30"
              }
            ],
            "repeated": 0,
            "id": 15678
          },
          {
            "timestamp": "2026-05-28 22:01:58,678",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c3746",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a30"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001000",
                "pretty_value": "PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "984"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\System32\\dwm.exe"
              }
            ],
            "repeated": 0,
            "id": 15679
          },
          {
            "timestamp": "2026-05-28 22:01:58,678",
            "thread_id": "5448",
            "caller": "0x7ff6c28c472e",
            "parentcaller": "0x7ff6c28c375e",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a30"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x00000a50"
              }
            ],
            "repeated": 0,
            "id": 15680
          },
          {
            "timestamp": "2026-05-28 22:01:58,678",
            "thread_id": "5448",
            "caller": "0x7ff6c28c4764",
            "parentcaller": "0x7ff6c28c375e",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "39"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 15681
          },
          {
            "timestamp": "2026-05-28 22:01:58,678",
            "thread_id": "5448",
            "caller": "0x7ff6c28c47ed",
            "parentcaller": "0x7ff6c28c375e",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "39"
              },
              {
                "name": "TokenInformation",
                "value": "\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\xd0\\xd2\\xabT\\x92\\x02\\x00\\x00 \\x00 \\x00\\x00\\x00\\x00\\x00\\xf8\\xd2\\xabT\\x92\\x02\\x00\\x00\\x02\\x00\\x00\\x00A\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x18\\xd3\\xabT\\x92\\x02\\x00\\x00T\\x00S\\x00A\\x00:\\x00/\\x00/\\x00P\\x00r\\x00o\\x00c\\x00U\\x00n\\x00i\\x00q\\x00u\\x00e\\x00\\x11\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xa6\\xcc\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 15682
          },
          {
            "timestamp": "2026-05-28 22:01:58,678",
            "thread_id": "5448",
            "caller": "0x7ff6c28c488d",
            "parentcaller": "0x7ff6c28c375e",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a50"
              }
            ],
            "repeated": 0,
            "id": 15683
          },
          {
            "timestamp": "2026-05-28 22:01:58,678",
            "thread_id": "5448",
            "caller": "0x7ff6c28c3779",
            "parentcaller": "0x7ff6c28c31c6",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a30"
              }
            ],
            "repeated": 0,
            "id": 15684
          },
          {
            "timestamp": "2026-05-28 22:01:58,678",
            "thread_id": "5448",
            "caller": "0x7ff6c28c05ac",
            "parentcaller": "0x7ff6c28bdc11",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a30"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001400",
                "pretty_value": "PROCESS_QUERY_INFORMATION|PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "492"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\System32\\svchost.exe"
              }
            ],
            "repeated": 0,
            "id": 15685
          },
          {
            "timestamp": "2026-05-28 22:01:58,678",
            "thread_id": "5448",
            "caller": "0x7ff6c28c068f",
            "parentcaller": "0x7ff6c28bdc11",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a30"
              }
            ],
            "repeated": 0,
            "id": 15686
          },
          {
            "timestamp": "2026-05-28 22:01:58,678",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c3e56",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a30"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001000",
                "pretty_value": "PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "492"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\System32\\svchost.exe"
              }
            ],
            "repeated": 0,
            "id": 15687
          },
          {
            "timestamp": "2026-05-28 22:01:58,678",
            "thread_id": "5448",
            "caller": "0x7ff6c28c3ebb",
            "parentcaller": "0x7ff6c28c2d53",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a30"
              }
            ],
            "repeated": 0,
            "id": 15688
          },
          {
            "timestamp": "2026-05-28 22:01:58,678",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c3ffc",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a30"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001000",
                "pretty_value": "PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "492"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\System32\\svchost.exe"
              }
            ],
            "repeated": 0,
            "id": 15689
          },
          {
            "timestamp": "2026-05-28 22:01:58,678",
            "thread_id": "5448",
            "caller": "0x7ff6c28c4224",
            "parentcaller": "0x7ff6c28c2da5",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a30"
              }
            ],
            "repeated": 0,
            "id": 15690
          },
          {
            "timestamp": "2026-05-28 22:01:58,678",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29255720002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\System32\\svchost.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 15691
          },
          {
            "timestamp": "2026-05-28 22:01:58,678",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "registry",
            "api": "NtOpenKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\en-US"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\en-US"
              }
            ],
            "repeated": 0,
            "id": 15692
          },
          {
            "timestamp": "2026-05-28 22:01:58,678",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000a30"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100001",
                "pretty_value": "FILE_READ_ACCESS|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\en-US\\svchost.exe.mui"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 15693
          },
          {
            "timestamp": "2026-05-28 22:01:58,678",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000a50"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000a30"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\en-US\\svchost.exe.mui"
              }
            ],
            "repeated": 0,
            "id": 15694
          },
          {
            "timestamp": "2026-05-28 22:01:58,678",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000a50"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29255730000"
              },
              {
                "name": "SectionOffset",
                "value": "0xf09ddfcf90"
              },
              {
                "name": "ViewSize",
                "value": "0x00001000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 15695
          },
          {
            "timestamp": "2026-05-28 22:01:58,678",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a50"
              }
            ],
            "repeated": 0,
            "id": 15696
          },
          {
            "timestamp": "2026-05-28 22:01:58,678",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29255730000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              }
            ],
            "repeated": 0,
            "id": 15697
          },
          {
            "timestamp": "2026-05-28 22:01:58,678",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a30"
              }
            ],
            "repeated": 0,
            "id": 15698
          },
          {
            "timestamp": "2026-05-28 22:01:58,678",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29255720000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              }
            ],
            "repeated": 0,
            "id": 15699
          },
          {
            "timestamp": "2026-05-28 22:01:58,678",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29255720002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\System32\\svchost.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 15700
          },
          {
            "timestamp": "2026-05-28 22:01:58,678",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "registry",
            "api": "NtOpenKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\en-US"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\en-US"
              }
            ],
            "repeated": 0,
            "id": 15701
          },
          {
            "timestamp": "2026-05-28 22:01:58,678",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000a30"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100001",
                "pretty_value": "FILE_READ_ACCESS|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\en-US\\svchost.exe.mui"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 15702
          },
          {
            "timestamp": "2026-05-28 22:01:58,678",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000a50"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000a30"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\en-US\\svchost.exe.mui"
              }
            ],
            "repeated": 0,
            "id": 15703
          },
          {
            "timestamp": "2026-05-28 22:01:58,678",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000a50"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29255730000"
              },
              {
                "name": "SectionOffset",
                "value": "0xf09ddfcf80"
              },
              {
                "name": "ViewSize",
                "value": "0x00001000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 15704
          },
          {
            "timestamp": "2026-05-28 22:01:58,678",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a50"
              }
            ],
            "repeated": 0,
            "id": 15705
          },
          {
            "timestamp": "2026-05-28 22:01:58,678",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29255730000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              }
            ],
            "repeated": 0,
            "id": 15706
          },
          {
            "timestamp": "2026-05-28 22:01:58,678",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a30"
              }
            ],
            "repeated": 0,
            "id": 15707
          },
          {
            "timestamp": "2026-05-28 22:01:58,678",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29255720000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              }
            ],
            "repeated": 0,
            "id": 15708
          },
          {
            "timestamp": "2026-05-28 22:01:58,678",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c38f8",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a30"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001410",
                "pretty_value": "PROCESS_VM_READ|PROCESS_QUERY_INFORMATION|PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "492"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\System32\\svchost.exe"
              }
            ],
            "repeated": 0,
            "id": 15709
          },
          {
            "timestamp": "2026-05-28 22:01:58,678",
            "thread_id": "5448",
            "caller": "0x7ff6c28c53e5",
            "parentcaller": "0x7ff6c28c3945",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a30"
              },
              {
                "name": "BaseAddress",
                "value": "0xfae18fa000"
              },
              {
                "name": "Size",
                "value": "0x000007c8"
              },
              {
                "name": "Buffer",
                "value": "\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x006\\x80\\xf7\\x7f\\x00\\x00\\xc0\\xc4\\x13x\\xfc\\x7f\\x00\\x00p2\\x00\\xc5\\xcf\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xfe\\xc4\\xcf\\x02\\x00\\x00\\xe0\\xc0\\x13x\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00p\\x003v\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xf9\\xc4\\xcf\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00@\\xc4\\x13x\\xfc\\x7f\\x00\\x00\\xff\\xff\\xff\\x07\\x00\\x00\\x00\\x00\\x00\\x00v\\x9c\\xf4}\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00P\\x07v\\x9c\\xf4}\\x00\\x00\\x00\\x00\\x8a\\x9e\\xf5}\\x00\\x00(\\x02\\x8b\\x9e\\xf5}\\x00\\x00P\\x06\\x8c\\x9e\\xf5}\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x80\\x9b\\x07m\\xe8\\xff\\xff\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x00 \\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x10\\x00\\x00\\x00@\\xad\\x13x\\xfc\\x7f\\x00\\x00\\x00\\x00P\\xc5\\xcf\\x02\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 15710
          },
          {
            "timestamp": "2026-05-28 22:01:58,678",
            "thread_id": "5448",
            "caller": "0x7ff6c28c5414",
            "parentcaller": "0x7ff6c28c3945",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a30"
              },
              {
                "name": "BaseAddress",
                "value": "0x2cfc5003270"
              },
              {
                "name": "Size",
                "value": "0x00000440"
              },
              {
                "name": "Buffer",
                "value": ">\\x07\\x00\\x00>\\x07\\x00\\x00\\x01 \\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00(\\x00\\x08\\x02\\x00\\x00\\x00\\x00 >\\x00\\xc5\\xcf\\x02\\x00\\x00H\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00>\\x00@\\x00\\x00\\x00\\x00\\x00\\xb88\\x00\\xc5\\xcf\\x02\\x00\\x00p\\x00r\\x00\\x00\\x00\\x00\\x00\\xf88\\x00\\xc5\\xcf\\x02\\x00\\x00\\xf0'\\x00\\xc5\\xcf\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x80\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00>\\x00@\\x00\\x00\\x00\\x00\\x00j9\\x00\\xc5\\xcf\\x02\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\xaa9\\x00\\xc5\\xcf\\x02\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\xac9\\x00\\xc5\\xcf\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 15711
          },
          {
            "timestamp": "2026-05-28 22:01:58,678",
            "thread_id": "5448",
            "caller": "0x7ff6c28c545d",
            "parentcaller": "0x7ff6c28c3945",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a30"
              },
              {
                "name": "BaseAddress",
                "value": "0x2cfc50038f8"
              },
              {
                "name": "Size",
                "value": "0x00000070"
              },
              {
                "name": "Buffer",
                "value": "C\\x00:\\x00\\\\x00W\\x00i\\x00n\\x00d\\x00o\\x00w\\x00s\\x00\\\\x00s\\x00y\\x00s\\x00t\\x00e\\x00m\\x003\\x002\\x00\\\\x00s\\x00v\\x00c\\x00h\\x00o\\x00s\\x00t\\x00.\\x00e\\x00x\\x00e\\x00 \\x00-\\x00k\\x00 \\x00n\\x00e\\x00t\\x00s\\x00v\\x00c\\x00s\\x00 \\x00-\\x00p\\x00 \\x00-\\x00s\\x00 \\x00w\\x00l\\x00i\\x00d\\x00s\\x00v\\x00c\\x00"
              }
            ],
            "repeated": 0,
            "id": 15712
          },
          {
            "timestamp": "2026-05-28 22:01:58,678",
            "thread_id": "5448",
            "caller": "0x7ff6c28c39ad",
            "parentcaller": "0x7ff6c28c31bb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a30"
              }
            ],
            "repeated": 0,
            "id": 15713
          },
          {
            "timestamp": "2026-05-28 22:01:58,678",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c3746",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a30"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001000",
                "pretty_value": "PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "492"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\System32\\svchost.exe"
              }
            ],
            "repeated": 0,
            "id": 15714
          },
          {
            "timestamp": "2026-05-28 22:01:58,678",
            "thread_id": "5448",
            "caller": "0x7ff6c28c472e",
            "parentcaller": "0x7ff6c28c375e",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a30"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x00000a50"
              }
            ],
            "repeated": 0,
            "id": 15715
          },
          {
            "timestamp": "2026-05-28 22:01:58,678",
            "thread_id": "5448",
            "caller": "0x7ff6c28c4764",
            "parentcaller": "0x7ff6c28c375e",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "39"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 15716
          },
          {
            "timestamp": "2026-05-28 22:01:58,678",
            "thread_id": "5448",
            "caller": "0x7ff6c28c47ed",
            "parentcaller": "0x7ff6c28c375e",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "39"
              },
              {
                "name": "TokenInformation",
                "value": "\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\xd0\\xd2\\xabT\\x92\\x02\\x00\\x00 \\x00 \\x00\\x00\\x00\\x00\\x00\\xf8\\xd2\\xabT\\x92\\x02\\x00\\x00\\x02\\x00\\x00\\x00A\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x18\\xd3\\xabT\\x92\\x02\\x00\\x00T\\x00S\\x00A\\x00:\\x00/\\x00/\\x00P\\x00r\\x00o\\x00c\\x00U\\x00n\\x00i\\x00q\\x00u\\x00e\\x00\\x13\\x00\\x00\\x00\\x00\\x00\\x00\\x005\\xd9\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 15717
          },
          {
            "timestamp": "2026-05-28 22:01:58,678",
            "thread_id": "5448",
            "caller": "0x7ff6c28c488d",
            "parentcaller": "0x7ff6c28c375e",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a50"
              }
            ],
            "repeated": 0,
            "id": 15718
          },
          {
            "timestamp": "2026-05-28 22:01:58,678",
            "thread_id": "5448",
            "caller": "0x7ff6c28c3779",
            "parentcaller": "0x7ff6c28c31c6",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a30"
              }
            ],
            "repeated": 0,
            "id": 15719
          },
          {
            "timestamp": "2026-05-28 22:01:58,693",
            "thread_id": "5448",
            "caller": "0x7ff6c28c05ac",
            "parentcaller": "0x7ff6c28bdc11",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a30"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001400",
                "pretty_value": "PROCESS_QUERY_INFORMATION|PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "560"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\System32\\svchost.exe"
              }
            ],
            "repeated": 0,
            "id": 15720
          },
          {
            "timestamp": "2026-05-28 22:01:58,693",
            "thread_id": "5448",
            "caller": "0x7ff6c28c068f",
            "parentcaller": "0x7ff6c28bdc11",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a30"
              }
            ],
            "repeated": 0,
            "id": 15721
          },
          {
            "timestamp": "2026-05-28 22:01:58,693",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c3e56",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a30"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001000",
                "pretty_value": "PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "560"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\System32\\svchost.exe"
              }
            ],
            "repeated": 0,
            "id": 15722
          },
          {
            "timestamp": "2026-05-28 22:01:58,693",
            "thread_id": "5448",
            "caller": "0x7ff6c28c3ebb",
            "parentcaller": "0x7ff6c28c2d53",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a30"
              }
            ],
            "repeated": 0,
            "id": 15723
          },
          {
            "timestamp": "2026-05-28 22:01:58,693",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c3ffc",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a30"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001000",
                "pretty_value": "PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "560"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\System32\\svchost.exe"
              }
            ],
            "repeated": 0,
            "id": 15724
          },
          {
            "timestamp": "2026-05-28 22:01:58,693",
            "thread_id": "5448",
            "caller": "0x7ff6c28c4224",
            "parentcaller": "0x7ff6c28c2da5",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a30"
              }
            ],
            "repeated": 0,
            "id": 15725
          },
          {
            "timestamp": "2026-05-28 22:01:58,693",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29255720002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\System32\\svchost.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 15726
          },
          {
            "timestamp": "2026-05-28 22:01:58,693",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "registry",
            "api": "NtOpenKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\en-US"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\en-US"
              }
            ],
            "repeated": 0,
            "id": 15727
          },
          {
            "timestamp": "2026-05-28 22:01:58,693",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000a30"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100001",
                "pretty_value": "FILE_READ_ACCESS|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\en-US\\svchost.exe.mui"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 15728
          },
          {
            "timestamp": "2026-05-28 22:01:58,693",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000a50"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000a30"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\en-US\\svchost.exe.mui"
              }
            ],
            "repeated": 0,
            "id": 15729
          },
          {
            "timestamp": "2026-05-28 22:01:58,693",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000a50"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29255730000"
              },
              {
                "name": "SectionOffset",
                "value": "0xf09ddfcf90"
              },
              {
                "name": "ViewSize",
                "value": "0x00001000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 15730
          },
          {
            "timestamp": "2026-05-28 22:01:58,693",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a50"
              }
            ],
            "repeated": 0,
            "id": 15731
          },
          {
            "timestamp": "2026-05-28 22:01:58,693",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29255730000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              }
            ],
            "repeated": 0,
            "id": 15732
          },
          {
            "timestamp": "2026-05-28 22:01:58,693",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a30"
              }
            ],
            "repeated": 0,
            "id": 15733
          },
          {
            "timestamp": "2026-05-28 22:01:58,693",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29255720000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              }
            ],
            "repeated": 0,
            "id": 15734
          },
          {
            "timestamp": "2026-05-28 22:01:58,693",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29255720002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\System32\\svchost.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 15735
          },
          {
            "timestamp": "2026-05-28 22:01:58,693",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "registry",
            "api": "NtOpenKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\en-US"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\en-US"
              }
            ],
            "repeated": 0,
            "id": 15736
          },
          {
            "timestamp": "2026-05-28 22:01:58,693",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000a30"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100001",
                "pretty_value": "FILE_READ_ACCESS|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\en-US\\svchost.exe.mui"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 15737
          },
          {
            "timestamp": "2026-05-28 22:01:58,693",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000a50"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000a30"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\en-US\\svchost.exe.mui"
              }
            ],
            "repeated": 0,
            "id": 15738
          },
          {
            "timestamp": "2026-05-28 22:01:58,693",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000a50"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29255730000"
              },
              {
                "name": "SectionOffset",
                "value": "0xf09ddfcf80"
              },
              {
                "name": "ViewSize",
                "value": "0x00001000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 15739
          },
          {
            "timestamp": "2026-05-28 22:01:58,693",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a50"
              }
            ],
            "repeated": 0,
            "id": 15740
          },
          {
            "timestamp": "2026-05-28 22:01:58,693",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29255730000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              }
            ],
            "repeated": 0,
            "id": 15741
          },
          {
            "timestamp": "2026-05-28 22:01:58,693",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a30"
              }
            ],
            "repeated": 0,
            "id": 15742
          },
          {
            "timestamp": "2026-05-28 22:01:58,693",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29255720000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              }
            ],
            "repeated": 0,
            "id": 15743
          },
          {
            "timestamp": "2026-05-28 22:01:58,693",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c38f8",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a30"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001410",
                "pretty_value": "PROCESS_VM_READ|PROCESS_QUERY_INFORMATION|PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "560"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\System32\\svchost.exe"
              }
            ],
            "repeated": 0,
            "id": 15744
          },
          {
            "timestamp": "2026-05-28 22:01:58,693",
            "thread_id": "5448",
            "caller": "0x7ff6c28c53e5",
            "parentcaller": "0x7ff6c28c3945",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a30"
              },
              {
                "name": "BaseAddress",
                "value": "0xe016f3000"
              },
              {
                "name": "Size",
                "value": "0x000007c8"
              },
              {
                "name": "Buffer",
                "value": "\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x006\\x80\\xf7\\x7f\\x00\\x00\\xc0\\xc4\\x13x\\xfc\\x7f\\x00\\x00p2`\"\\x8b\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00G\"\\x8b\\x01\\x00\\x00\\xe0\\xc0\\x13x\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00p\\x003v\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00B\"\\x8b\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00@\\xc4\\x13x\\xfc\\x7f\\x00\\x00\\xff\\xff\\x0f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x1aN\\xf4}\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00P\\x07\\x1aN\\xf4}\\x00\\x00\\x00\\x00.P\\xf5}\\x00\\x00(\\x02/P\\xf5}\\x00\\x00P\\x060P\\xf5}\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x80\\x9b\\x07m\\xe8\\xff\\xff\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x00 \\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x10\\x00\\x00\\x00@\\xad\\x13x\\xfc\\x7f\\x00\\x00\\x00\\x00\\xa0\"\\x8b\\x01\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 15745
          },
          {
            "timestamp": "2026-05-28 22:01:58,693",
            "thread_id": "5448",
            "caller": "0x7ff6c28c5414",
            "parentcaller": "0x7ff6c28c3945",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a30"
              },
              {
                "name": "BaseAddress",
                "value": "0x18b22603270"
              },
              {
                "name": "Size",
                "value": "0x00000440"
              },
              {
                "name": "Buffer",
                "value": "<\\x07\\x00\\x00<\\x07\\x00\\x00\\x01 \\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00(\\x00\\x08\\x02\\x00\\x00\\x00\\x00 >`\"\\x8b\\x01\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00>\\x00@\\x00\\x00\\x00\\x00\\x00\\xb88`\"\\x8b\\x01\\x00\\x00n\\x00p\\x00\\x00\\x00\\x00\\x00\\xf88`\"\\x8b\\x01\\x00\\x00\\xf0'`\"\\x8b\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x80\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00>\\x00@\\x00\\x00\\x00\\x00\\x00h9`\"\\x8b\\x01\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\xa89`\"\\x8b\\x01\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\xaa9`\"\\x8b\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 15746
          },
          {
            "timestamp": "2026-05-28 22:01:58,693",
            "thread_id": "5448",
            "caller": "0x7ff6c28c545d",
            "parentcaller": "0x7ff6c28c3945",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a30"
              },
              {
                "name": "BaseAddress",
                "value": "0x18b226038f8"
              },
              {
                "name": "Size",
                "value": "0x0000006e"
              },
              {
                "name": "Buffer",
                "value": "C\\x00:\\x00\\\\x00W\\x00i\\x00n\\x00d\\x00o\\x00w\\x00s\\x00\\\\x00s\\x00y\\x00s\\x00t\\x00e\\x00m\\x003\\x002\\x00\\\\x00s\\x00v\\x00c\\x00h\\x00o\\x00s\\x00t\\x00.\\x00e\\x00x\\x00e\\x00 \\x00-\\x00k\\x00 \\x00n\\x00e\\x00t\\x00s\\x00v\\x00c\\x00s\\x00 \\x00-\\x00p\\x00 \\x00-\\x00s\\x00 \\x00D\\x00s\\x00m\\x00S\\x00v\\x00c\\x00"
              }
            ],
            "repeated": 0,
            "id": 15747
          },
          {
            "timestamp": "2026-05-28 22:01:58,693",
            "thread_id": "5448",
            "caller": "0x7ff6c28c39ad",
            "parentcaller": "0x7ff6c28c31bb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a30"
              }
            ],
            "repeated": 0,
            "id": 15748
          },
          {
            "timestamp": "2026-05-28 22:01:58,693",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c3746",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a30"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001000",
                "pretty_value": "PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "560"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\System32\\svchost.exe"
              }
            ],
            "repeated": 0,
            "id": 15749
          },
          {
            "timestamp": "2026-05-28 22:01:58,693",
            "thread_id": "5448",
            "caller": "0x7ff6c28c472e",
            "parentcaller": "0x7ff6c28c375e",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a30"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x00000a50"
              }
            ],
            "repeated": 0,
            "id": 15750
          },
          {
            "timestamp": "2026-05-28 22:01:58,693",
            "thread_id": "5448",
            "caller": "0x7ff6c28c4764",
            "parentcaller": "0x7ff6c28c375e",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "39"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 15751
          },
          {
            "timestamp": "2026-05-28 22:01:58,693",
            "thread_id": "5448",
            "caller": "0x7ff6c28c47ed",
            "parentcaller": "0x7ff6c28c375e",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "39"
              },
              {
                "name": "TokenInformation",
                "value": "\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\xd0\\xd2\\xabT\\x92\\x02\\x00\\x00 \\x00 \\x00\\x00\\x00\\x00\\x00\\xf8\\xd2\\xabT\\x92\\x02\\x00\\x00\\x02\\x00\\x00\\x00A\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x18\\xd3\\xabT\\x92\\x02\\x00\\x00T\\x00S\\x00A\\x00:\\x00/\\x00/\\x00P\\x00r\\x00o\\x00c\\x00U\\x00n\\x00i\\x00q\\x00u\\x00e\\x00\\x15\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x9a\\xda\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 15752
          },
          {
            "timestamp": "2026-05-28 22:01:58,693",
            "thread_id": "5448",
            "caller": "0x7ff6c28c488d",
            "parentcaller": "0x7ff6c28c375e",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a50"
              }
            ],
            "repeated": 0,
            "id": 15753
          },
          {
            "timestamp": "2026-05-28 22:01:58,693",
            "thread_id": "5448",
            "caller": "0x7ff6c28c3779",
            "parentcaller": "0x7ff6c28c31c6",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a30"
              }
            ],
            "repeated": 0,
            "id": 15754
          },
          {
            "timestamp": "2026-05-28 22:01:58,693",
            "thread_id": "5448",
            "caller": "0x7ff6c28c05ac",
            "parentcaller": "0x7ff6c28bdc11",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a30"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001400",
                "pretty_value": "PROCESS_QUERY_INFORMATION|PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "1072"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\System32\\svchost.exe"
              }
            ],
            "repeated": 0,
            "id": 15755
          },
          {
            "timestamp": "2026-05-28 22:01:58,693",
            "thread_id": "5448",
            "caller": "0x7ff6c28c068f",
            "parentcaller": "0x7ff6c28bdc11",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a30"
              }
            ],
            "repeated": 0,
            "id": 15756
          },
          {
            "timestamp": "2026-05-28 22:01:58,693",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c3e56",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a30"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001000",
                "pretty_value": "PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "1072"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\System32\\svchost.exe"
              }
            ],
            "repeated": 0,
            "id": 15757
          },
          {
            "timestamp": "2026-05-28 22:01:58,693",
            "thread_id": "5448",
            "caller": "0x7ff6c28c3ebb",
            "parentcaller": "0x7ff6c28c2d53",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a30"
              }
            ],
            "repeated": 0,
            "id": 15758
          },
          {
            "timestamp": "2026-05-28 22:01:58,693",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c3ffc",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a30"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001000",
                "pretty_value": "PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "1072"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\System32\\svchost.exe"
              }
            ],
            "repeated": 0,
            "id": 15759
          },
          {
            "timestamp": "2026-05-28 22:01:58,693",
            "thread_id": "5448",
            "caller": "0x7ff6c28c4224",
            "parentcaller": "0x7ff6c28c2da5",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a30"
              }
            ],
            "repeated": 0,
            "id": 15760
          },
          {
            "timestamp": "2026-05-28 22:01:58,693",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29255720002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\System32\\svchost.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 15761
          },
          {
            "timestamp": "2026-05-28 22:01:58,693",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "registry",
            "api": "NtOpenKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\en-US"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\en-US"
              }
            ],
            "repeated": 0,
            "id": 15762
          },
          {
            "timestamp": "2026-05-28 22:01:58,693",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000a30"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100001",
                "pretty_value": "FILE_READ_ACCESS|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\en-US\\svchost.exe.mui"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 15763
          },
          {
            "timestamp": "2026-05-28 22:01:58,693",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000a50"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000a30"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\en-US\\svchost.exe.mui"
              }
            ],
            "repeated": 0,
            "id": 15764
          },
          {
            "timestamp": "2026-05-28 22:01:58,693",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000a50"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29255730000"
              },
              {
                "name": "SectionOffset",
                "value": "0xf09ddfcf90"
              },
              {
                "name": "ViewSize",
                "value": "0x00001000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 15765
          },
          {
            "timestamp": "2026-05-28 22:01:58,693",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a50"
              }
            ],
            "repeated": 0,
            "id": 15766
          },
          {
            "timestamp": "2026-05-28 22:01:58,693",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29255730000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              }
            ],
            "repeated": 0,
            "id": 15767
          },
          {
            "timestamp": "2026-05-28 22:01:58,693",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a30"
              }
            ],
            "repeated": 0,
            "id": 15768
          },
          {
            "timestamp": "2026-05-28 22:01:58,693",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29255720000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              }
            ],
            "repeated": 0,
            "id": 15769
          },
          {
            "timestamp": "2026-05-28 22:01:58,693",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29255720002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\System32\\svchost.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 15770
          },
          {
            "timestamp": "2026-05-28 22:01:58,693",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "registry",
            "api": "NtOpenKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\en-US"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\en-US"
              }
            ],
            "repeated": 0,
            "id": 15771
          },
          {
            "timestamp": "2026-05-28 22:01:58,693",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000a30"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100001",
                "pretty_value": "FILE_READ_ACCESS|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\en-US\\svchost.exe.mui"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 15772
          },
          {
            "timestamp": "2026-05-28 22:01:58,693",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000a50"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000a30"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\en-US\\svchost.exe.mui"
              }
            ],
            "repeated": 0,
            "id": 15773
          },
          {
            "timestamp": "2026-05-28 22:01:58,693",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000a50"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29255730000"
              },
              {
                "name": "SectionOffset",
                "value": "0xf09ddfcf80"
              },
              {
                "name": "ViewSize",
                "value": "0x00001000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 15774
          },
          {
            "timestamp": "2026-05-28 22:01:58,693",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a50"
              }
            ],
            "repeated": 0,
            "id": 15775
          },
          {
            "timestamp": "2026-05-28 22:01:58,693",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29255730000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              }
            ],
            "repeated": 0,
            "id": 15776
          },
          {
            "timestamp": "2026-05-28 22:01:58,693",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a30"
              }
            ],
            "repeated": 0,
            "id": 15777
          },
          {
            "timestamp": "2026-05-28 22:01:58,693",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29255720000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              }
            ],
            "repeated": 0,
            "id": 15778
          },
          {
            "timestamp": "2026-05-28 22:01:58,693",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c38f8",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a30"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001410",
                "pretty_value": "PROCESS_VM_READ|PROCESS_QUERY_INFORMATION|PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "1072"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\System32\\svchost.exe"
              }
            ],
            "repeated": 0,
            "id": 15779
          },
          {
            "timestamp": "2026-05-28 22:01:58,693",
            "thread_id": "5448",
            "caller": "0x7ff6c28c53e5",
            "parentcaller": "0x7ff6c28c3945",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a30"
              },
              {
                "name": "BaseAddress",
                "value": "0x605baeb000"
              },
              {
                "name": "Size",
                "value": "0x000007c8"
              },
              {
                "name": "Buffer",
                "value": "\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x006\\x80\\xf7\\x7f\\x00\\x00\\xc0\\xc4\\x13x\\xfc\\x7f\\x00\\x00\\xf02\\xe0(\\\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xc5(\\\\x02\\x00\\x00\\xe0\\xc0\\x13x\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00p\\x003v\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xc0(\\\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00@\\xc4\\x13x\\xfc\\x7f\\x00\\x00\\x1f\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x0c}\\xf4}\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00P\\x07\\x0c}\\xf4}\\x00\\x00\\x00\\x00 \\x7f\\xf5}\\x00\\x00(\\x02!\\x7f\\xf5}\\x00\\x00P\\x06\"\\x7f\\xf5}\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x80\\x9b\\x07m\\xe8\\xff\\xff\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x00 \\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x10\\x00\\x00\\x00@\\xad\\x13x\\xfc\\x7f\\x00\\x00\\x00\\x00 )\\\\x02\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 15780
          },
          {
            "timestamp": "2026-05-28 22:01:58,693",
            "thread_id": "5448",
            "caller": "0x7ff6c28c5414",
            "parentcaller": "0x7ff6c28c3945",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a30"
              },
              {
                "name": "BaseAddress",
                "value": "0x25c28e032f0"
              },
              {
                "name": "Size",
                "value": "0x00000440"
              },
              {
                "name": "Buffer",
                "value": "j\\x07\\x00\\x00j\\x07\\x00\\x00\\x01 \\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00(\\x00\\x08\\x02\\x00\\x00\\x00\\x00\\xd0>\\xe0(\\\\x02\\x00\\x00H\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00>\\x00@\\x00\\x00\\x00\\x00\\x0089\\xe0(\\\\x02\\x00\\x00\\x9c\\x00\\x9e\\x00\\x00\\x00\\x00\\x00x9\\xe0(\\\\x02\\x00\\x00\\xf0'\\xe0(\\\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x80\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00>\\x00@\\x00\\x00\\x00\\x00\\x00\\x16:\\xe0(\\\\x02\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00V:\\xe0(\\\\x02\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00X:\\xe0(\\\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 15781
          },
          {
            "timestamp": "2026-05-28 22:01:58,693",
            "thread_id": "5448",
            "caller": "0x7ff6c28c545d",
            "parentcaller": "0x7ff6c28c3945",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a30"
              },
              {
                "name": "BaseAddress",
                "value": "0x25c28e03978"
              },
              {
                "name": "Size",
                "value": "0x0000009c"
              },
              {
                "name": "Buffer",
                "value": "C\\x00:\\x00\\\\x00W\\x00i\\x00n\\x00d\\x00o\\x00w\\x00s\\x00\\\\x00S\\x00y\\x00s\\x00t\\x00e\\x00m\\x003\\x002\\x00\\\\x00s\\x00v\\x00c\\x00h\\x00o\\x00s\\x00t\\x00.\\x00e\\x00x\\x00e\\x00 \\x00-\\x00k\\x00 \\x00L\\x00o\\x00c\\x00a\\x00l\\x00S\\x00e\\x00r\\x00v\\x00i\\x00c\\x00e\\x00N\\x00e\\x00t\\x00w\\x00o\\x00r\\x00k\\x00R\\x00e\\x00s\\x00t\\x00r\\x00i\\x00c\\x00t\\x00e\\x00d\\x00 \\x00-\\x00p\\x00 \\x00-\\x00s\\x00 \\x00l\\x00m\\x00h\\x00o\\x00s\\x00t\\x00s\\x00"
              }
            ],
            "repeated": 0,
            "id": 15782
          },
          {
            "timestamp": "2026-05-28 22:01:58,693",
            "thread_id": "5448",
            "caller": "0x7ff6c28c39ad",
            "parentcaller": "0x7ff6c28c31bb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a30"
              }
            ],
            "repeated": 0,
            "id": 15783
          },
          {
            "timestamp": "2026-05-28 22:01:58,693",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c3746",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a30"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001000",
                "pretty_value": "PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "1072"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\System32\\svchost.exe"
              }
            ],
            "repeated": 0,
            "id": 15784
          },
          {
            "timestamp": "2026-05-28 22:01:58,693",
            "thread_id": "5448",
            "caller": "0x7ff6c28c472e",
            "parentcaller": "0x7ff6c28c375e",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a30"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x00000a50"
              }
            ],
            "repeated": 0,
            "id": 15785
          },
          {
            "timestamp": "2026-05-28 22:01:58,693",
            "thread_id": "5448",
            "caller": "0x7ff6c28c4764",
            "parentcaller": "0x7ff6c28c375e",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "39"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 15786
          },
          {
            "timestamp": "2026-05-28 22:01:58,693",
            "thread_id": "5448",
            "caller": "0x7ff6c28c47ed",
            "parentcaller": "0x7ff6c28c375e",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "39"
              },
              {
                "name": "TokenInformation",
                "value": "\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\xd0\\xd2\\xabT\\x92\\x02\\x00\\x00 \\x00 \\x00\\x00\\x00\\x00\\x00\\xf8\\xd2\\xabT\\x92\\x02\\x00\\x00\\x02\\x00\\x00\\x00A\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x18\\xd3\\xabT\\x92\\x02\\x00\\x00T\\x00S\\x00A\\x00:\\x00/\\x00/\\x00P\\x00r\\x00o\\x00c\\x00U\\x00n\\x00i\\x00q\\x00u\\x00e\\x00\\x17\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xc2\\xe1\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 15787
          },
          {
            "timestamp": "2026-05-28 22:01:58,693",
            "thread_id": "5448",
            "caller": "0x7ff6c28c488d",
            "parentcaller": "0x7ff6c28c375e",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a50"
              }
            ],
            "repeated": 0,
            "id": 15788
          },
          {
            "timestamp": "2026-05-28 22:01:58,693",
            "thread_id": "5448",
            "caller": "0x7ff6c28c3779",
            "parentcaller": "0x7ff6c28c31c6",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a30"
              }
            ],
            "repeated": 0,
            "id": 15789
          },
          {
            "timestamp": "2026-05-28 22:01:58,693",
            "thread_id": "5448",
            "caller": "0x7ff6c28c05ac",
            "parentcaller": "0x7ff6c28bdc11",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a30"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001400",
                "pretty_value": "PROCESS_QUERY_INFORMATION|PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "1172"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\System32\\svchost.exe"
              }
            ],
            "repeated": 0,
            "id": 15790
          },
          {
            "timestamp": "2026-05-28 22:01:58,693",
            "thread_id": "5448",
            "caller": "0x7ff6c28c068f",
            "parentcaller": "0x7ff6c28bdc11",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a30"
              }
            ],
            "repeated": 0,
            "id": 15791
          },
          {
            "timestamp": "2026-05-28 22:01:58,693",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c3e56",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a30"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001000",
                "pretty_value": "PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "1172"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\System32\\svchost.exe"
              }
            ],
            "repeated": 0,
            "id": 15792
          },
          {
            "timestamp": "2026-05-28 22:01:58,693",
            "thread_id": "5448",
            "caller": "0x7ff6c28c3ebb",
            "parentcaller": "0x7ff6c28c2d53",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a30"
              }
            ],
            "repeated": 0,
            "id": 15793
          },
          {
            "timestamp": "2026-05-28 22:01:58,693",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c3ffc",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a30"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001000",
                "pretty_value": "PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "1172"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\System32\\svchost.exe"
              }
            ],
            "repeated": 0,
            "id": 15794
          },
          {
            "timestamp": "2026-05-28 22:01:58,693",
            "thread_id": "5448",
            "caller": "0x7ff6c28c4224",
            "parentcaller": "0x7ff6c28c2da5",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a30"
              }
            ],
            "repeated": 0,
            "id": 15795
          },
          {
            "timestamp": "2026-05-28 22:01:58,693",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29255720002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\System32\\svchost.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 15796
          },
          {
            "timestamp": "2026-05-28 22:01:58,693",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "registry",
            "api": "NtOpenKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\en-US"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\en-US"
              }
            ],
            "repeated": 0,
            "id": 15797
          },
          {
            "timestamp": "2026-05-28 22:01:58,693",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000a30"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100001",
                "pretty_value": "FILE_READ_ACCESS|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\en-US\\svchost.exe.mui"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 15798
          },
          {
            "timestamp": "2026-05-28 22:01:58,693",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000a50"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000a30"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\en-US\\svchost.exe.mui"
              }
            ],
            "repeated": 0,
            "id": 15799
          },
          {
            "timestamp": "2026-05-28 22:01:58,693",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000a50"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29255730000"
              },
              {
                "name": "SectionOffset",
                "value": "0xf09ddfcf90"
              },
              {
                "name": "ViewSize",
                "value": "0x00001000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 15800
          },
          {
            "timestamp": "2026-05-28 22:01:58,693",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a50"
              }
            ],
            "repeated": 0,
            "id": 15801
          },
          {
            "timestamp": "2026-05-28 22:01:58,693",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29255730000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              }
            ],
            "repeated": 0,
            "id": 15802
          },
          {
            "timestamp": "2026-05-28 22:01:58,693",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a30"
              }
            ],
            "repeated": 0,
            "id": 15803
          },
          {
            "timestamp": "2026-05-28 22:01:58,693",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29255720000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              }
            ],
            "repeated": 0,
            "id": 15804
          },
          {
            "timestamp": "2026-05-28 22:01:58,693",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29255720002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\System32\\svchost.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 15805
          },
          {
            "timestamp": "2026-05-28 22:01:58,693",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "registry",
            "api": "NtOpenKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\en-US"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\en-US"
              }
            ],
            "repeated": 0,
            "id": 15806
          },
          {
            "timestamp": "2026-05-28 22:01:58,693",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000a30"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100001",
                "pretty_value": "FILE_READ_ACCESS|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\en-US\\svchost.exe.mui"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 15807
          },
          {
            "timestamp": "2026-05-28 22:01:58,693",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000a50"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000a30"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\en-US\\svchost.exe.mui"
              }
            ],
            "repeated": 0,
            "id": 15808
          },
          {
            "timestamp": "2026-05-28 22:01:58,693",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000a50"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29255730000"
              },
              {
                "name": "SectionOffset",
                "value": "0xf09ddfcf80"
              },
              {
                "name": "ViewSize",
                "value": "0x00001000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 15809
          },
          {
            "timestamp": "2026-05-28 22:01:58,693",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a50"
              }
            ],
            "repeated": 0,
            "id": 15810
          },
          {
            "timestamp": "2026-05-28 22:01:58,693",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29255730000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              }
            ],
            "repeated": 0,
            "id": 15811
          },
          {
            "timestamp": "2026-05-28 22:01:58,693",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a30"
              }
            ],
            "repeated": 0,
            "id": 15812
          },
          {
            "timestamp": "2026-05-28 22:01:58,693",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29255720000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              }
            ],
            "repeated": 0,
            "id": 15813
          },
          {
            "timestamp": "2026-05-28 22:01:58,693",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c38f8",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a30"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001410",
                "pretty_value": "PROCESS_VM_READ|PROCESS_QUERY_INFORMATION|PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "1172"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\System32\\svchost.exe"
              }
            ],
            "repeated": 0,
            "id": 15814
          },
          {
            "timestamp": "2026-05-28 22:01:58,693",
            "thread_id": "5448",
            "caller": "0x7ff6c28c53e5",
            "parentcaller": "0x7ff6c28c3945",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a30"
              },
              {
                "name": "BaseAddress",
                "value": "0xeeb4029000"
              },
              {
                "name": "Size",
                "value": "0x000007c8"
              },
              {
                "name": "Buffer",
                "value": "\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x006\\x80\\xf7\\x7f\\x00\\x00\\xc0\\xc4\\x13x\\xfc\\x7f\\x00\\x00\\xf02`\\xd2\\xed\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00Z\\xd2\\xed\\x02\\x00\\x00\\xe0\\xc0\\x13x\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00p\\x003v\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00U\\xd2\\xed\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00@\\xc4\\x13x\\xfc\\x7f\\x00\\x00\\xff?\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00b\\x01\\xf4}\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00P\\x07b\\x01\\xf4}\\x00\\x00\\x00\\x00v\\x03\\xf5}\\x00\\x00(\\x02w\\x03\\xf5}\\x00\\x00P\\x06x\\x03\\xf5}\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x80\\x9b\\x07m\\xe8\\xff\\xff\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x00 \\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x10\\x00\\x00\\x00@\\xad\\x13x\\xfc\\x7f\\x00\\x00\\x00\\x00\\xad\\xd2\\xed\\x02\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 15815
          },
          {
            "timestamp": "2026-05-28 22:01:58,693",
            "thread_id": "5448",
            "caller": "0x7ff6c28c5414",
            "parentcaller": "0x7ff6c28c3945",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a30"
              },
              {
                "name": "BaseAddress",
                "value": "0x2edd26032f0"
              },
              {
                "name": "Size",
                "value": "0x00000440"
              },
              {
                "name": "Buffer",
                "value": "l\\x07\\x00\\x00l\\x07\\x00\\x00\\x01 \\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00(\\x00\\x08\\x02\\x00\\x00\\x00\\x00\\xd0>`\\xd2\\xed\\x02\\x00\\x00H\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00>\\x00@\\x00\\x00\\x00\\x00\\x0089`\\xd2\\xed\\x02\\x00\\x00\\x9e\\x00\\xa0\\x00\\x00\\x00\\x00\\x00x9`\\xd2\\xed\\x02\\x00\\x00\\xf0'`\\xd2\\xed\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x80\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00>\\x00@\\x00\\x00\\x00\\x00\\x00\\x18:`\\xd2\\xed\\x02\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00X:`\\xd2\\xed\\x02\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00Z:`\\xd2\\xed\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 15816
          },
          {
            "timestamp": "2026-05-28 22:01:58,693",
            "thread_id": "5448",
            "caller": "0x7ff6c28c545d",
            "parentcaller": "0x7ff6c28c3945",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a30"
              },
              {
                "name": "BaseAddress",
                "value": "0x2edd2603978"
              },
              {
                "name": "Size",
                "value": "0x0000009e"
              },
              {
                "name": "Buffer",
                "value": "C\\x00:\\x00\\\\x00W\\x00i\\x00n\\x00d\\x00o\\x00w\\x00s\\x00\\\\x00S\\x00y\\x00s\\x00t\\x00e\\x00m\\x003\\x002\\x00\\\\x00s\\x00v\\x00c\\x00h\\x00o\\x00s\\x00t\\x00.\\x00e\\x00x\\x00e\\x00 \\x00-\\x00k\\x00 \\x00L\\x00o\\x00c\\x00a\\x00l\\x00S\\x00e\\x00r\\x00v\\x00i\\x00c\\x00e\\x00N\\x00e\\x00t\\x00w\\x00o\\x00r\\x00k\\x00R\\x00e\\x00s\\x00t\\x00r\\x00i\\x00c\\x00t\\x00e\\x00d\\x00 \\x00-\\x00p\\x00 \\x00-\\x00s\\x00 \\x00E\\x00v\\x00e\\x00n\\x00t\\x00L\\x00o\\x00g\\x00"
              }
            ],
            "repeated": 0,
            "id": 15817
          },
          {
            "timestamp": "2026-05-28 22:01:58,693",
            "thread_id": "5448",
            "caller": "0x7ff6c28c39ad",
            "parentcaller": "0x7ff6c28c31bb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a30"
              }
            ],
            "repeated": 0,
            "id": 15818
          },
          {
            "timestamp": "2026-05-28 22:01:58,693",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c3746",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a30"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001000",
                "pretty_value": "PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "1172"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\System32\\svchost.exe"
              }
            ],
            "repeated": 0,
            "id": 15819
          },
          {
            "timestamp": "2026-05-28 22:01:58,693",
            "thread_id": "5448",
            "caller": "0x7ff6c28c472e",
            "parentcaller": "0x7ff6c28c375e",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a30"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x00000a50"
              }
            ],
            "repeated": 0,
            "id": 15820
          },
          {
            "timestamp": "2026-05-28 22:01:58,693",
            "thread_id": "5448",
            "caller": "0x7ff6c28c4764",
            "parentcaller": "0x7ff6c28c375e",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "39"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 15821
          },
          {
            "timestamp": "2026-05-28 22:01:58,693",
            "thread_id": "5448",
            "caller": "0x7ff6c28c47ed",
            "parentcaller": "0x7ff6c28c375e",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "39"
              },
              {
                "name": "TokenInformation",
                "value": "\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\xd0\\xd2\\xabT\\x92\\x02\\x00\\x00 \\x00 \\x00\\x00\\x00\\x00\\x00\\xf8\\xd2\\xabT\\x92\\x02\\x00\\x00\\x02\\x00\\x00\\x00A\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x18\\xd3\\xabT\\x92\\x02\\x00\\x00T\\x00S\\x00A\\x00:\\x00/\\x00/\\x00P\\x00r\\x00o\\x00c\\x00U\\x00n\\x00i\\x00q\\x00u\\x00e\\x00\\x19\\x00\\x00\\x00\\x00\\x00\\x00\\x00~\\xe8\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 15822
          },
          {
            "timestamp": "2026-05-28 22:01:58,693",
            "thread_id": "5448",
            "caller": "0x7ff6c28c488d",
            "parentcaller": "0x7ff6c28c375e",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a50"
              }
            ],
            "repeated": 0,
            "id": 15823
          },
          {
            "timestamp": "2026-05-28 22:01:58,693",
            "thread_id": "5448",
            "caller": "0x7ff6c28c3779",
            "parentcaller": "0x7ff6c28c31c6",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a30"
              }
            ],
            "repeated": 0,
            "id": 15824
          },
          {
            "timestamp": "2026-05-28 22:01:58,693",
            "thread_id": "5448",
            "caller": "0x7ff6c28c05ac",
            "parentcaller": "0x7ff6c28bdc11",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a30"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001400",
                "pretty_value": "PROCESS_QUERY_INFORMATION|PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "1224"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\System32\\svchost.exe"
              }
            ],
            "repeated": 0,
            "id": 15825
          },
          {
            "timestamp": "2026-05-28 22:01:58,693",
            "thread_id": "5448",
            "caller": "0x7ff6c28c068f",
            "parentcaller": "0x7ff6c28bdc11",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a30"
              }
            ],
            "repeated": 0,
            "id": 15826
          },
          {
            "timestamp": "2026-05-28 22:01:58,693",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c3e56",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a30"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001000",
                "pretty_value": "PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "1224"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\System32\\svchost.exe"
              }
            ],
            "repeated": 0,
            "id": 15827
          },
          {
            "timestamp": "2026-05-28 22:01:58,693",
            "thread_id": "5448",
            "caller": "0x7ff6c28c3ebb",
            "parentcaller": "0x7ff6c28c2d53",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a30"
              }
            ],
            "repeated": 0,
            "id": 15828
          },
          {
            "timestamp": "2026-05-28 22:01:58,693",
            "thread_id": "1496",
            "caller": "0x7ff6c28da9db",
            "parentcaller": "0x7ff6c28d6fb1",
            "category": "misc",
            "api": "GetCursorPos",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "x",
                "value": "624"
              },
              {
                "name": "y",
                "value": "395"
              }
            ],
            "repeated": 0,
            "id": 15829
          },
          {
            "timestamp": "2026-05-28 22:01:58,693",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c3ffc",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a30"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001000",
                "pretty_value": "PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "1224"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\System32\\svchost.exe"
              }
            ],
            "repeated": 0,
            "id": 15830
          },
          {
            "timestamp": "2026-05-28 22:01:58,693",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6fb1",
            "parentcaller": "0x7ff6c28e0076",
            "category": "system",
            "api": "NtDelayExecution",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 15831
          },
          {
            "timestamp": "2026-05-28 22:01:58,693",
            "thread_id": "5448",
            "caller": "0x7ff6c28c4224",
            "parentcaller": "0x7ff6c28c2da5",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a30"
              }
            ],
            "repeated": 0,
            "id": 15832
          },
          {
            "timestamp": "2026-05-28 22:01:58,693",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29255720002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\System32\\svchost.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 15833
          },
          {
            "timestamp": "2026-05-28 22:01:58,693",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "registry",
            "api": "NtOpenKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\en-US"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\en-US"
              }
            ],
            "repeated": 0,
            "id": 15834
          },
          {
            "timestamp": "2026-05-28 22:01:58,693",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000a30"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100001",
                "pretty_value": "FILE_READ_ACCESS|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\en-US\\svchost.exe.mui"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 15835
          },
          {
            "timestamp": "2026-05-28 22:01:58,693",
            "thread_id": "1496",
            "caller": "0x7ff6c28da9db",
            "parentcaller": "0x7ff6c28d6fb1",
            "category": "misc",
            "api": "GetCursorPos",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "x",
                "value": "607"
              },
              {
                "name": "y",
                "value": "384"
              }
            ],
            "repeated": 0,
            "id": 15836
          },
          {
            "timestamp": "2026-05-28 22:01:58,693",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000a3c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000a30"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\en-US\\svchost.exe.mui"
              }
            ],
            "repeated": 0,
            "id": 15837
          },
          {
            "timestamp": "2026-05-28 22:01:58,693",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000a3c"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29255730000"
              },
              {
                "name": "SectionOffset",
                "value": "0xf09ddfcf90"
              },
              {
                "name": "ViewSize",
                "value": "0x00001000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 15838
          },
          {
            "timestamp": "2026-05-28 22:01:58,693",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a3c"
              }
            ],
            "repeated": 0,
            "id": 15839
          },
          {
            "timestamp": "2026-05-28 22:01:58,693",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6f98",
            "parentcaller": "0x7ff6c28e0076",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254982000"
              },
              {
                "name": "RegionSize",
                "value": "0x00007000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 15840
          },
          {
            "timestamp": "2026-05-28 22:01:58,693",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29255730000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              }
            ],
            "repeated": 0,
            "id": 15841
          },
          {
            "timestamp": "2026-05-28 22:01:58,693",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a30"
              }
            ],
            "repeated": 0,
            "id": 15842
          },
          {
            "timestamp": "2026-05-28 22:01:58,693",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6f98",
            "parentcaller": "0x7ff6c28e0076",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2925498e000"
              },
              {
                "name": "RegionSize",
                "value": "0x00012000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 15843
          },
          {
            "timestamp": "2026-05-28 22:01:58,693",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29255720000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              }
            ],
            "repeated": 0,
            "id": 15844
          },
          {
            "timestamp": "2026-05-28 22:01:58,693",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29255720002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\System32\\svchost.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 15845
          },
          {
            "timestamp": "2026-05-28 22:01:58,693",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "registry",
            "api": "NtOpenKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\en-US"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\en-US"
              }
            ],
            "repeated": 0,
            "id": 15846
          },
          {
            "timestamp": "2026-05-28 22:01:58,693",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6f98",
            "parentcaller": "0x7ff6c28e0076",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x292549a8000"
              },
              {
                "name": "RegionSize",
                "value": "0x00023000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 15847
          },
          {
            "timestamp": "2026-05-28 22:01:58,693",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000a30"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100001",
                "pretty_value": "FILE_READ_ACCESS|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\en-US\\svchost.exe.mui"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 15848
          },
          {
            "timestamp": "2026-05-28 22:01:58,693",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000a3c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000a30"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\en-US\\svchost.exe.mui"
              }
            ],
            "repeated": 0,
            "id": 15849
          },
          {
            "timestamp": "2026-05-28 22:01:58,693",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000a3c"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29255730000"
              },
              {
                "name": "SectionOffset",
                "value": "0xf09ddfcf80"
              },
              {
                "name": "ViewSize",
                "value": "0x00001000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 15850
          },
          {
            "timestamp": "2026-05-28 22:01:58,693",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a3c"
              }
            ],
            "repeated": 0,
            "id": 15851
          },
          {
            "timestamp": "2026-05-28 22:01:58,693",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29255730000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              }
            ],
            "repeated": 0,
            "id": 15852
          },
          {
            "timestamp": "2026-05-28 22:01:58,693",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a30"
              }
            ],
            "repeated": 0,
            "id": 15853
          },
          {
            "timestamp": "2026-05-28 22:01:58,693",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29255720000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              }
            ],
            "repeated": 0,
            "id": 15854
          },
          {
            "timestamp": "2026-05-28 22:01:58,693",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c38f8",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a30"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001410",
                "pretty_value": "PROCESS_VM_READ|PROCESS_QUERY_INFORMATION|PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "1224"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\System32\\svchost.exe"
              }
            ],
            "repeated": 0,
            "id": 15855
          },
          {
            "timestamp": "2026-05-28 22:01:58,693",
            "thread_id": "5448",
            "caller": "0x7ff6c28c53e5",
            "parentcaller": "0x7ff6c28c3945",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a30"
              },
              {
                "name": "BaseAddress",
                "value": "0x3dfaa3b000"
              },
              {
                "name": "Size",
                "value": "0x000007c8"
              },
              {
                "name": "Buffer",
                "value": "\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x006\\x80\\xf7\\x7f\\x00\\x00\\xc0\\xc4\\x13x\\xfc\\x7f\\x00\\x00\\xf02\\x00\\xee\\xa0\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xe4\\xed\\xa0\\x01\\x00\\x00\\xe0\\xc0\\x13x\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00p\\x003v\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xdf\\xed\\xa0\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00@\\xc4\\x13x\\xfc\\x7f\\x00\\x00\\x17\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xefa\\xf4}\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00P\\x07\\xefa\\xf4}\\x00\\x00\\x00\\x00\\x03d\\xf5}\\x00\\x00(\\x02\\x04d\\xf5}\\x00\\x00P\\x06\\x05d\\xf5}\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x80\\x9b\\x07m\\xe8\\xff\\xff\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x00 \\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x10\\x00\\x00\\x00@\\xad\\x13x\\xfc\\x7f\\x00\\x00\\x00\\x00@\\xee\\xa0\\x01\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 15856
          },
          {
            "timestamp": "2026-05-28 22:01:58,693",
            "thread_id": "5448",
            "caller": "0x7ff6c28c5414",
            "parentcaller": "0x7ff6c28c3945",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a30"
              },
              {
                "name": "BaseAddress",
                "value": "0x1a0ee0032f0"
              },
              {
                "name": "Size",
                "value": "0x00000440"
              },
              {
                "name": "Buffer",
                "value": "v\\x07\\x00\\x00v\\x07\\x00\\x00\\x01 \\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00(\\x00\\x08\\x02\\x00\\x00\\x00\\x00\\xe0>\\x00\\xee\\xa0\\x01\\x00\\x00H\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00>\\x00@\\x00\\x00\\x00\\x00\\x0089\\x00\\xee\\xa0\\x01\\x00\\x00\\xa8\\x00\\xaa\\x00\\x00\\x00\\x00\\x00x9\\x00\\xee\\xa0\\x01\\x00\\x00\\xf0'\\x00\\xee\\xa0\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x80\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00>\\x00@\\x00\\x00\\x00\\x00\\x00\":\\x00\\xee\\xa0\\x01\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00b:\\x00\\xee\\xa0\\x01\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00d:\\x00\\xee\\xa0\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 15857
          },
          {
            "timestamp": "2026-05-28 22:01:58,693",
            "thread_id": "5448",
            "caller": "0x7ff6c28c545d",
            "parentcaller": "0x7ff6c28c3945",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a30"
              },
              {
                "name": "BaseAddress",
                "value": "0x1a0ee003978"
              },
              {
                "name": "Size",
                "value": "0x000000a8"
              },
              {
                "name": "Buffer",
                "value": "C\\x00:\\x00\\\\x00W\\x00i\\x00n\\x00d\\x00o\\x00w\\x00s\\x00\\\\x00s\\x00y\\x00s\\x00t\\x00e\\x00m\\x003\\x002\\x00\\\\x00s\\x00v\\x00c\\x00h\\x00o\\x00s\\x00t\\x00.\\x00e\\x00x\\x00e\\x00 \\x00-\\x00k\\x00 \\x00L\\x00o\\x00c\\x00a\\x00l\\x00S\\x00e\\x00r\\x00v\\x00i\\x00c\\x00e\\x00N\\x00e\\x00t\\x00w\\x00o\\x00r\\x00k\\x00R\\x00e\\x00s\\x00t\\x00r\\x00i\\x00c\\x00t\\x00e\\x00d\\x00 \\x00-\\x00p\\x00 \\x00-\\x00s\\x00 \\x00T\\x00i\\x00m\\x00e\\x00B\\x00r\\x00o\\x00k\\x00e\\x00r\\x00S\\x00v\\x00c\\x00"
              }
            ],
            "repeated": 0,
            "id": 15858
          },
          {
            "timestamp": "2026-05-28 22:01:58,693",
            "thread_id": "5448",
            "caller": "0x7ff6c28c39ad",
            "parentcaller": "0x7ff6c28c31bb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a30"
              }
            ],
            "repeated": 0,
            "id": 15859
          },
          {
            "timestamp": "2026-05-28 22:01:58,693",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c3746",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a30"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001000",
                "pretty_value": "PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "1224"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\System32\\svchost.exe"
              }
            ],
            "repeated": 0,
            "id": 15860
          },
          {
            "timestamp": "2026-05-28 22:01:58,693",
            "thread_id": "5448",
            "caller": "0x7ff6c28c472e",
            "parentcaller": "0x7ff6c28c375e",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a30"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x00000a3c"
              }
            ],
            "repeated": 0,
            "id": 15861
          },
          {
            "timestamp": "2026-05-28 22:01:58,693",
            "thread_id": "5448",
            "caller": "0x7ff6c28c4764",
            "parentcaller": "0x7ff6c28c375e",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "39"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 15862
          },
          {
            "timestamp": "2026-05-28 22:01:58,693",
            "thread_id": "5448",
            "caller": "0x7ff6c28c47ed",
            "parentcaller": "0x7ff6c28c375e",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "39"
              },
              {
                "name": "TokenInformation",
                "value": "\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\xd0\\xd2\\xabT\\x92\\x02\\x00\\x00 \\x00 \\x00\\x00\\x00\\x00\\x00\\xf8\\xd2\\xabT\\x92\\x02\\x00\\x00\\x02\\x00\\x00\\x00A\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x18\\xd3\\xabT\\x92\\x02\\x00\\x00T\\x00S\\x00A\\x00:\\x00/\\x00/\\x00P\\x00r\\x00o\\x00c\\x00U\\x00n\\x00i\\x00q\\x00u\\x00e\\x00\\x1b\\x00\\x00\\x00\\x00\\x00\\x00\\x00m\\xef\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 15863
          },
          {
            "timestamp": "2026-05-28 22:01:58,693",
            "thread_id": "5448",
            "caller": "0x7ff6c28c488d",
            "parentcaller": "0x7ff6c28c375e",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a3c"
              }
            ],
            "repeated": 0,
            "id": 15864
          },
          {
            "timestamp": "2026-05-28 22:01:58,693",
            "thread_id": "5448",
            "caller": "0x7ff6c28c3779",
            "parentcaller": "0x7ff6c28c31c6",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a30"
              }
            ],
            "repeated": 0,
            "id": 15865
          },
          {
            "timestamp": "2026-05-28 22:01:58,693",
            "thread_id": "5448",
            "caller": "0x7ff6c28c05ac",
            "parentcaller": "0x7ff6c28bdc11",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a30"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001400",
                "pretty_value": "PROCESS_QUERY_INFORMATION|PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "1316"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\System32\\svchost.exe"
              }
            ],
            "repeated": 0,
            "id": 15866
          },
          {
            "timestamp": "2026-05-28 22:01:58,693",
            "thread_id": "5448",
            "caller": "0x7ff6c28c068f",
            "parentcaller": "0x7ff6c28bdc11",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a30"
              }
            ],
            "repeated": 0,
            "id": 15867
          },
          {
            "timestamp": "2026-05-28 22:01:58,693",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c3e56",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a30"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001000",
                "pretty_value": "PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "1316"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\System32\\svchost.exe"
              }
            ],
            "repeated": 0,
            "id": 15868
          },
          {
            "timestamp": "2026-05-28 22:01:58,693",
            "thread_id": "5448",
            "caller": "0x7ff6c28c3ebb",
            "parentcaller": "0x7ff6c28c2d53",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a30"
              }
            ],
            "repeated": 0,
            "id": 15869
          },
          {
            "timestamp": "2026-05-28 22:01:58,693",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c3ffc",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a30"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001000",
                "pretty_value": "PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "1316"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\System32\\svchost.exe"
              }
            ],
            "repeated": 0,
            "id": 15870
          },
          {
            "timestamp": "2026-05-28 22:01:58,693",
            "thread_id": "5448",
            "caller": "0x7ff6c28c4224",
            "parentcaller": "0x7ff6c28c2da5",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a30"
              }
            ],
            "repeated": 0,
            "id": 15871
          },
          {
            "timestamp": "2026-05-28 22:01:58,693",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29255720002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\System32\\svchost.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 15872
          },
          {
            "timestamp": "2026-05-28 22:01:58,693",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "registry",
            "api": "NtOpenKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\en-US"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\en-US"
              }
            ],
            "repeated": 0,
            "id": 15873
          },
          {
            "timestamp": "2026-05-28 22:01:58,693",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000a30"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100001",
                "pretty_value": "FILE_READ_ACCESS|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\en-US\\svchost.exe.mui"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 15874
          },
          {
            "timestamp": "2026-05-28 22:01:58,693",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000a3c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000a30"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\en-US\\svchost.exe.mui"
              }
            ],
            "repeated": 0,
            "id": 15875
          },
          {
            "timestamp": "2026-05-28 22:01:58,693",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000a3c"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29255730000"
              },
              {
                "name": "SectionOffset",
                "value": "0xf09ddfcf90"
              },
              {
                "name": "ViewSize",
                "value": "0x00001000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 15876
          },
          {
            "timestamp": "2026-05-28 22:01:58,693",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a3c"
              }
            ],
            "repeated": 0,
            "id": 15877
          },
          {
            "timestamp": "2026-05-28 22:01:58,693",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29255730000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              }
            ],
            "repeated": 0,
            "id": 15878
          },
          {
            "timestamp": "2026-05-28 22:01:58,693",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a30"
              }
            ],
            "repeated": 0,
            "id": 15879
          },
          {
            "timestamp": "2026-05-28 22:01:58,693",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29255720000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              }
            ],
            "repeated": 0,
            "id": 15880
          },
          {
            "timestamp": "2026-05-28 22:01:58,693",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29255720002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\System32\\svchost.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 15881
          },
          {
            "timestamp": "2026-05-28 22:01:58,693",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "registry",
            "api": "NtOpenKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\en-US"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\en-US"
              }
            ],
            "repeated": 0,
            "id": 15882
          },
          {
            "timestamp": "2026-05-28 22:01:58,693",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000a30"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100001",
                "pretty_value": "FILE_READ_ACCESS|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\en-US\\svchost.exe.mui"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 15883
          },
          {
            "timestamp": "2026-05-28 22:01:58,693",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000a3c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000a30"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\en-US\\svchost.exe.mui"
              }
            ],
            "repeated": 0,
            "id": 15884
          },
          {
            "timestamp": "2026-05-28 22:01:58,693",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000a3c"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29255730000"
              },
              {
                "name": "SectionOffset",
                "value": "0xf09ddfcf80"
              },
              {
                "name": "ViewSize",
                "value": "0x00001000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 15885
          },
          {
            "timestamp": "2026-05-28 22:01:58,693",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a3c"
              }
            ],
            "repeated": 0,
            "id": 15886
          },
          {
            "timestamp": "2026-05-28 22:01:58,693",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29255730000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              }
            ],
            "repeated": 0,
            "id": 15887
          },
          {
            "timestamp": "2026-05-28 22:01:58,693",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a30"
              }
            ],
            "repeated": 0,
            "id": 15888
          },
          {
            "timestamp": "2026-05-28 22:01:58,693",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29255720000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              }
            ],
            "repeated": 0,
            "id": 15889
          },
          {
            "timestamp": "2026-05-28 22:01:58,693",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c38f8",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a30"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001410",
                "pretty_value": "PROCESS_VM_READ|PROCESS_QUERY_INFORMATION|PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "1316"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\System32\\svchost.exe"
              }
            ],
            "repeated": 0,
            "id": 15890
          },
          {
            "timestamp": "2026-05-28 22:01:58,693",
            "thread_id": "5448",
            "caller": "0x7ff6c28c53e5",
            "parentcaller": "0x7ff6c28c3945",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a30"
              },
              {
                "name": "BaseAddress",
                "value": "0x8c374d6000"
              },
              {
                "name": "Size",
                "value": "0x000007c8"
              },
              {
                "name": "Buffer",
                "value": "\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x006\\x80\\xf7\\x7f\\x00\\x00\\xc0\\xc4\\x13x\\xfc\\x7f\\x00\\x00\\xf02\\xe0\\x01\\x08\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xc0\\x01\\x08\\x02\\x00\\x00\\xe0\\xc0\\x13x\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00p\\x003v\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xbb\\x01\\x08\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00@\\xc4\\x13x\\xfc\\x7f\\x00\\x00\\x1f\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00c\\x13\\xf4}\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00P\\x07c\\x13\\xf4}\\x00\\x00\\x00\\x00w\\x15\\xf5}\\x00\\x00(\\x02x\\x15\\xf5}\\x00\\x00P\\x06y\\x15\\xf5}\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x80\\x9b\\x07m\\xe8\\xff\\xff\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x00 \\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x10\\x00\\x00\\x00@\\xad\\x13x\\xfc\\x7f\\x00\\x00\\x00\\x00 \\x02\\x08\\x02\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 15891
          },
          {
            "timestamp": "2026-05-28 22:01:58,693",
            "thread_id": "5448",
            "caller": "0x7ff6c28c5414",
            "parentcaller": "0x7ff6c28c3945",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a30"
              },
              {
                "name": "BaseAddress",
                "value": "0x20801e032f0"
              },
              {
                "name": "Size",
                "value": "0x00000440"
              },
              {
                "name": "Buffer",
                "value": "b\\x07\\x00\\x00b\\x07\\x00\\x00\\x01 \\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00(\\x00\\x08\\x02\\x00\\x00\\x00\\x00\\xd0>\\xe0\\x01\\x08\\x02\\x00\\x00H\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00>\\x00@\\x00\\x00\\x00\\x00\\x0089\\xe0\\x01\\x08\\x02\\x00\\x00\\x94\\x00\\x96\\x00\\x00\\x00\\x00\\x00x9\\xe0\\x01\\x08\\x02\\x00\\x00\\xf0'\\xe0\\x01\\x08\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x80\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00>\\x00@\\x00\\x00\\x00\\x00\\x00\\x0e:\\xe0\\x01\\x08\\x02\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00N:\\xe0\\x01\\x08\\x02\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00P:\\xe0\\x01\\x08\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 15892
          },
          {
            "timestamp": "2026-05-28 22:01:58,693",
            "thread_id": "5448",
            "caller": "0x7ff6c28c545d",
            "parentcaller": "0x7ff6c28c3945",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a30"
              },
              {
                "name": "BaseAddress",
                "value": "0x20801e03978"
              },
              {
                "name": "Size",
                "value": "0x00000094"
              },
              {
                "name": "Buffer",
                "value": "C\\x00:\\x00\\\\x00W\\x00i\\x00n\\x00d\\x00o\\x00w\\x00s\\x00\\\\x00s\\x00y\\x00s\\x00t\\x00e\\x00m\\x003\\x002\\x00\\\\x00s\\x00v\\x00c\\x00h\\x00o\\x00s\\x00t\\x00.\\x00e\\x00x\\x00e\\x00 \\x00-\\x00k\\x00 \\x00L\\x00o\\x00c\\x00a\\x00l\\x00S\\x00e\\x00r\\x00v\\x00i\\x00c\\x00e\\x00 \\x00-\\x00p\\x00 \\x00-\\x00s\\x00 \\x00D\\x00i\\x00s\\x00p\\x00B\\x00r\\x00o\\x00k\\x00e\\x00r\\x00D\\x00e\\x00s\\x00k\\x00t\\x00o\\x00p\\x00S\\x00v\\x00c\\x00"
              }
            ],
            "repeated": 0,
            "id": 15893
          },
          {
            "timestamp": "2026-05-28 22:01:58,693",
            "thread_id": "5448",
            "caller": "0x7ff6c28c39ad",
            "parentcaller": "0x7ff6c28c31bb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a30"
              }
            ],
            "repeated": 0,
            "id": 15894
          },
          {
            "timestamp": "2026-05-28 22:01:58,693",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c3746",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a30"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001000",
                "pretty_value": "PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "1316"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\System32\\svchost.exe"
              }
            ],
            "repeated": 0,
            "id": 15895
          },
          {
            "timestamp": "2026-05-28 22:01:58,693",
            "thread_id": "5448",
            "caller": "0x7ff6c28c472e",
            "parentcaller": "0x7ff6c28c375e",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a30"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x00000a3c"
              }
            ],
            "repeated": 0,
            "id": 15896
          },
          {
            "timestamp": "2026-05-28 22:01:58,693",
            "thread_id": "5448",
            "caller": "0x7ff6c28c4764",
            "parentcaller": "0x7ff6c28c375e",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "39"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 15897
          },
          {
            "timestamp": "2026-05-28 22:01:58,693",
            "thread_id": "5448",
            "caller": "0x7ff6c28c47ed",
            "parentcaller": "0x7ff6c28c375e",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "39"
              },
              {
                "name": "TokenInformation",
                "value": "\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\xd0\\xd2\\xabT\\x92\\x02\\x00\\x00 \\x00 \\x00\\x00\\x00\\x00\\x00\\xf8\\xd2\\xabT\\x92\\x02\\x00\\x00\\x02\\x00\\x00\\x00A\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x18\\xd3\\xabT\\x92\\x02\\x00\\x00T\\x00S\\x00A\\x00:\\x00/\\x00/\\x00P\\x00r\\x00o\\x00c\\x00U\\x00n\\x00i\\x00q\\x00u\\x00e\\x00\\x1d\\x00\\x00\\x00\\x00\\x00\\x00\\x002\\xfc\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 15898
          },
          {
            "timestamp": "2026-05-28 22:01:58,693",
            "thread_id": "5448",
            "caller": "0x7ff6c28c488d",
            "parentcaller": "0x7ff6c28c375e",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a3c"
              }
            ],
            "repeated": 0,
            "id": 15899
          },
          {
            "timestamp": "2026-05-28 22:01:58,693",
            "thread_id": "5448",
            "caller": "0x7ff6c28c3779",
            "parentcaller": "0x7ff6c28c31c6",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a30"
              }
            ],
            "repeated": 0,
            "id": 15900
          },
          {
            "timestamp": "2026-05-28 22:01:58,693",
            "thread_id": "5448",
            "caller": "0x7ff6c28c05ac",
            "parentcaller": "0x7ff6c28bdc11",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a30"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001400",
                "pretty_value": "PROCESS_QUERY_INFORMATION|PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "1468"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\System32\\svchost.exe"
              }
            ],
            "repeated": 0,
            "id": 15901
          },
          {
            "timestamp": "2026-05-28 22:01:58,693",
            "thread_id": "5448",
            "caller": "0x7ff6c28c068f",
            "parentcaller": "0x7ff6c28bdc11",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a30"
              }
            ],
            "repeated": 0,
            "id": 15902
          },
          {
            "timestamp": "2026-05-28 22:01:58,693",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c3e56",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a30"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001000",
                "pretty_value": "PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "1468"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\System32\\svchost.exe"
              }
            ],
            "repeated": 0,
            "id": 15903
          },
          {
            "timestamp": "2026-05-28 22:01:58,693",
            "thread_id": "5448",
            "caller": "0x7ff6c28c3ebb",
            "parentcaller": "0x7ff6c28c2d53",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a30"
              }
            ],
            "repeated": 0,
            "id": 15904
          },
          {
            "timestamp": "2026-05-28 22:01:58,693",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c3ffc",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a30"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001000",
                "pretty_value": "PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "1468"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\System32\\svchost.exe"
              }
            ],
            "repeated": 0,
            "id": 15905
          },
          {
            "timestamp": "2026-05-28 22:01:58,693",
            "thread_id": "5448",
            "caller": "0x7ff6c28c4224",
            "parentcaller": "0x7ff6c28c2da5",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a30"
              }
            ],
            "repeated": 0,
            "id": 15906
          },
          {
            "timestamp": "2026-05-28 22:01:58,693",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29255720002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\System32\\svchost.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 15907
          },
          {
            "timestamp": "2026-05-28 22:01:58,693",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "registry",
            "api": "NtOpenKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\en-US"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\en-US"
              }
            ],
            "repeated": 0,
            "id": 15908
          },
          {
            "timestamp": "2026-05-28 22:01:58,693",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000a30"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100001",
                "pretty_value": "FILE_READ_ACCESS|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\en-US\\svchost.exe.mui"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 15909
          },
          {
            "timestamp": "2026-05-28 22:01:58,709",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000a3c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000a30"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\en-US\\svchost.exe.mui"
              }
            ],
            "repeated": 0,
            "id": 15910
          },
          {
            "timestamp": "2026-05-28 22:01:58,709",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000a3c"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29255730000"
              },
              {
                "name": "SectionOffset",
                "value": "0xf09ddfcf90"
              },
              {
                "name": "ViewSize",
                "value": "0x00001000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 15911
          },
          {
            "timestamp": "2026-05-28 22:01:58,709",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a3c"
              }
            ],
            "repeated": 0,
            "id": 15912
          },
          {
            "timestamp": "2026-05-28 22:01:58,709",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29255730000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              }
            ],
            "repeated": 0,
            "id": 15913
          },
          {
            "timestamp": "2026-05-28 22:01:58,709",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a30"
              }
            ],
            "repeated": 0,
            "id": 15914
          },
          {
            "timestamp": "2026-05-28 22:01:58,709",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29255720000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              }
            ],
            "repeated": 0,
            "id": 15915
          },
          {
            "timestamp": "2026-05-28 22:01:58,709",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29255720002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\System32\\svchost.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 15916
          },
          {
            "timestamp": "2026-05-28 22:01:58,709",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "registry",
            "api": "NtOpenKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\en-US"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\en-US"
              }
            ],
            "repeated": 0,
            "id": 15917
          },
          {
            "timestamp": "2026-05-28 22:01:58,709",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000a30"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100001",
                "pretty_value": "FILE_READ_ACCESS|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\en-US\\svchost.exe.mui"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 15918
          },
          {
            "timestamp": "2026-05-28 22:01:58,709",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000a3c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000a30"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\en-US\\svchost.exe.mui"
              }
            ],
            "repeated": 0,
            "id": 15919
          },
          {
            "timestamp": "2026-05-28 22:01:58,709",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000a3c"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29255730000"
              },
              {
                "name": "SectionOffset",
                "value": "0xf09ddfcf80"
              },
              {
                "name": "ViewSize",
                "value": "0x00001000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 15920
          },
          {
            "timestamp": "2026-05-28 22:01:58,709",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a3c"
              }
            ],
            "repeated": 0,
            "id": 15921
          },
          {
            "timestamp": "2026-05-28 22:01:58,709",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29255730000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              }
            ],
            "repeated": 0,
            "id": 15922
          },
          {
            "timestamp": "2026-05-28 22:01:58,709",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a30"
              }
            ],
            "repeated": 0,
            "id": 15923
          },
          {
            "timestamp": "2026-05-28 22:01:58,709",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29255720000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              }
            ],
            "repeated": 0,
            "id": 15924
          },
          {
            "timestamp": "2026-05-28 22:01:58,709",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c38f8",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a30"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001410",
                "pretty_value": "PROCESS_VM_READ|PROCESS_QUERY_INFORMATION|PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "1468"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\System32\\svchost.exe"
              }
            ],
            "repeated": 0,
            "id": 15925
          },
          {
            "timestamp": "2026-05-28 22:01:58,709",
            "thread_id": "5448",
            "caller": "0x7ff6c28c53e5",
            "parentcaller": "0x7ff6c28c3945",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a30"
              },
              {
                "name": "BaseAddress",
                "value": "0xe719385000"
              },
              {
                "name": "Size",
                "value": "0x000007c8"
              },
              {
                "name": "Buffer",
                "value": "\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x006\\x80\\xf7\\x7f\\x00\\x00\\xc0\\xc4\\x13x\\xfc\\x7f\\x00\\x00\\xf02\\xa0\\x13\\xcd\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x99\\x13\\xcd\\x02\\x00\\x00\\xe0\\xc0\\x13x\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00p\\x003v\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x94\\x13\\xcd\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00@\\xc4\\x13x\\xfc\\x7f\\x00\\x00\\x17\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00E\\xe7\\xf4}\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00P\\x07E\\xe7\\xf4}\\x00\\x00\\x00\\x00Y\\xe9\\xf5}\\x00\\x00(\\x02Z\\xe9\\xf5}\\x00\\x00P\\x06[\\xe9\\xf5}\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x80\\x9b\\x07m\\xe8\\xff\\xff\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x00 \\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x10\\x00\\x00\\x00@\\xad\\x13x\\xfc\\x7f\\x00\\x00\\x00\\x00\\xed\\x13\\xcd\\x02\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 15926
          },
          {
            "timestamp": "2026-05-28 22:01:58,709",
            "thread_id": "5448",
            "caller": "0x7ff6c28c5414",
            "parentcaller": "0x7ff6c28c3945",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a30"
              },
              {
                "name": "BaseAddress",
                "value": "0x2cd13a032f0"
              },
              {
                "name": "Size",
                "value": "0x00000440"
              },
              {
                "name": "Buffer",
                "value": "@\\x07\\x00\\x00@\\x07\\x00\\x00\\x01 \\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00(\\x00\\x08\\x02\\x00\\x00\\x00\\x00\\xa0>\\xa0\\x13\\xcd\\x02\\x00\\x00H\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00>\\x00@\\x00\\x00\\x00\\x00\\x0089\\xa0\\x13\\xcd\\x02\\x00\\x00r\\x00t\\x00\\x00\\x00\\x00\\x00x9\\xa0\\x13\\xcd\\x02\\x00\\x00\\xf0'\\xa0\\x13\\xcd\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x80\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00>\\x00@\\x00\\x00\\x00\\x00\\x00\\xec9\\xa0\\x13\\xcd\\x02\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00,:\\xa0\\x13\\xcd\\x02\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00.:\\xa0\\x13\\xcd\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 15927
          },
          {
            "timestamp": "2026-05-28 22:01:58,709",
            "thread_id": "5448",
            "caller": "0x7ff6c28c545d",
            "parentcaller": "0x7ff6c28c3945",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a30"
              },
              {
                "name": "BaseAddress",
                "value": "0x2cd13a03978"
              },
              {
                "name": "Size",
                "value": "0x00000072"
              },
              {
                "name": "Buffer",
                "value": "C\\x00:\\x00\\\\x00W\\x00i\\x00n\\x00d\\x00o\\x00w\\x00s\\x00\\\\x00s\\x00y\\x00s\\x00t\\x00e\\x00m\\x003\\x002\\x00\\\\x00s\\x00v\\x00c\\x00h\\x00o\\x00s\\x00t\\x00.\\x00e\\x00x\\x00e\\x00 \\x00-\\x00k\\x00 \\x00L\\x00o\\x00c\\x00a\\x00l\\x00S\\x00e\\x00r\\x00v\\x00i\\x00c\\x00e\\x00 \\x00-\\x00p\\x00 \\x00-\\x00s\\x00 \\x00n\\x00s\\x00i\\x00"
              }
            ],
            "repeated": 0,
            "id": 15928
          },
          {
            "timestamp": "2026-05-28 22:01:58,709",
            "thread_id": "5448",
            "caller": "0x7ff6c28c39ad",
            "parentcaller": "0x7ff6c28c31bb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a30"
              }
            ],
            "repeated": 0,
            "id": 15929
          },
          {
            "timestamp": "2026-05-28 22:01:58,709",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c3746",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a30"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001000",
                "pretty_value": "PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "1468"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\System32\\svchost.exe"
              }
            ],
            "repeated": 0,
            "id": 15930
          },
          {
            "timestamp": "2026-05-28 22:01:58,709",
            "thread_id": "5448",
            "caller": "0x7ff6c28c472e",
            "parentcaller": "0x7ff6c28c375e",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a30"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x00000a3c"
              }
            ],
            "repeated": 0,
            "id": 15931
          },
          {
            "timestamp": "2026-05-28 22:01:58,709",
            "thread_id": "5448",
            "caller": "0x7ff6c28c4764",
            "parentcaller": "0x7ff6c28c375e",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "39"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 15932
          },
          {
            "timestamp": "2026-05-28 22:01:58,709",
            "thread_id": "5448",
            "caller": "0x7ff6c28c47ed",
            "parentcaller": "0x7ff6c28c375e",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "39"
              },
              {
                "name": "TokenInformation",
                "value": "\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\xd0\\xd2\\xabT\\x92\\x02\\x00\\x00 \\x00 \\x00\\x00\\x00\\x00\\x00\\xf8\\xd2\\xabT\\x92\\x02\\x00\\x00\\x02\\x00\\x00\\x00A\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x18\\xd3\\xabT\\x92\\x02\\x00\\x00T\\x00S\\x00A\\x00:\\x00/\\x00/\\x00P\\x00r\\x00o\\x00c\\x00U\\x00n\\x00i\\x00q\\x00u\\x00e\\x00\\x1f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xcc\\x06\\x01\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 15933
          },
          {
            "timestamp": "2026-05-28 22:01:58,709",
            "thread_id": "5448",
            "caller": "0x7ff6c28c488d",
            "parentcaller": "0x7ff6c28c375e",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a3c"
              }
            ],
            "repeated": 0,
            "id": 15934
          },
          {
            "timestamp": "2026-05-28 22:01:58,709",
            "thread_id": "5448",
            "caller": "0x7ff6c28c3779",
            "parentcaller": "0x7ff6c28c31c6",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a30"
              }
            ],
            "repeated": 0,
            "id": 15935
          },
          {
            "timestamp": "2026-05-28 22:01:58,709",
            "thread_id": "5448",
            "caller": "0x7ff6c28c05ac",
            "parentcaller": "0x7ff6c28bdc11",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a30"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001400",
                "pretty_value": "PROCESS_QUERY_INFORMATION|PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "1604"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\System32\\svchost.exe"
              }
            ],
            "repeated": 0,
            "id": 15936
          },
          {
            "timestamp": "2026-05-28 22:01:58,709",
            "thread_id": "5448",
            "caller": "0x7ff6c28c068f",
            "parentcaller": "0x7ff6c28bdc11",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a30"
              }
            ],
            "repeated": 0,
            "id": 15937
          },
          {
            "timestamp": "2026-05-28 22:01:58,709",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c3e56",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a30"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001000",
                "pretty_value": "PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "1604"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\System32\\svchost.exe"
              }
            ],
            "repeated": 0,
            "id": 15938
          },
          {
            "timestamp": "2026-05-28 22:01:58,709",
            "thread_id": "5448",
            "caller": "0x7ff6c28c3ebb",
            "parentcaller": "0x7ff6c28c2d53",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a30"
              }
            ],
            "repeated": 0,
            "id": 15939
          },
          {
            "timestamp": "2026-05-28 22:01:58,709",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c3ffc",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a30"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001000",
                "pretty_value": "PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "1604"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\System32\\svchost.exe"
              }
            ],
            "repeated": 0,
            "id": 15940
          },
          {
            "timestamp": "2026-05-28 22:01:58,709",
            "thread_id": "5448",
            "caller": "0x7ff6c28c4224",
            "parentcaller": "0x7ff6c28c2da5",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a30"
              }
            ],
            "repeated": 0,
            "id": 15941
          },
          {
            "timestamp": "2026-05-28 22:01:58,709",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29255720002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\System32\\svchost.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 15942
          },
          {
            "timestamp": "2026-05-28 22:01:58,709",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "registry",
            "api": "NtOpenKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\en-US"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\en-US"
              }
            ],
            "repeated": 0,
            "id": 15943
          },
          {
            "timestamp": "2026-05-28 22:01:58,709",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000a30"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100001",
                "pretty_value": "FILE_READ_ACCESS|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\en-US\\svchost.exe.mui"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 15944
          },
          {
            "timestamp": "2026-05-28 22:01:58,709",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000a3c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000a30"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\en-US\\svchost.exe.mui"
              }
            ],
            "repeated": 0,
            "id": 15945
          },
          {
            "timestamp": "2026-05-28 22:01:58,709",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000a3c"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29255730000"
              },
              {
                "name": "SectionOffset",
                "value": "0xf09ddfcf90"
              },
              {
                "name": "ViewSize",
                "value": "0x00001000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 15946
          },
          {
            "timestamp": "2026-05-28 22:01:58,709",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a3c"
              }
            ],
            "repeated": 0,
            "id": 15947
          },
          {
            "timestamp": "2026-05-28 22:01:58,709",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29255730000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              }
            ],
            "repeated": 0,
            "id": 15948
          },
          {
            "timestamp": "2026-05-28 22:01:58,709",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a30"
              }
            ],
            "repeated": 0,
            "id": 15949
          },
          {
            "timestamp": "2026-05-28 22:01:58,709",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29255720000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              }
            ],
            "repeated": 0,
            "id": 15950
          },
          {
            "timestamp": "2026-05-28 22:01:58,709",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29255720002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\System32\\svchost.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 15951
          },
          {
            "timestamp": "2026-05-28 22:01:58,709",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "registry",
            "api": "NtOpenKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\en-US"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\en-US"
              }
            ],
            "repeated": 0,
            "id": 15952
          },
          {
            "timestamp": "2026-05-28 22:01:58,709",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000a30"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100001",
                "pretty_value": "FILE_READ_ACCESS|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\en-US\\svchost.exe.mui"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 15953
          },
          {
            "timestamp": "2026-05-28 22:01:58,709",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000a3c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000a30"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\en-US\\svchost.exe.mui"
              }
            ],
            "repeated": 0,
            "id": 15954
          },
          {
            "timestamp": "2026-05-28 22:01:58,709",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000a3c"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29255730000"
              },
              {
                "name": "SectionOffset",
                "value": "0xf09ddfcf80"
              },
              {
                "name": "ViewSize",
                "value": "0x00001000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 15955
          },
          {
            "timestamp": "2026-05-28 22:01:58,709",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a3c"
              }
            ],
            "repeated": 0,
            "id": 15956
          },
          {
            "timestamp": "2026-05-28 22:01:58,709",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29255730000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              }
            ],
            "repeated": 0,
            "id": 15957
          },
          {
            "timestamp": "2026-05-28 22:01:58,709",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a30"
              }
            ],
            "repeated": 0,
            "id": 15958
          },
          {
            "timestamp": "2026-05-28 22:01:58,709",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29255720000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              }
            ],
            "repeated": 0,
            "id": 15959
          },
          {
            "timestamp": "2026-05-28 22:01:58,709",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c38f8",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a30"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001410",
                "pretty_value": "PROCESS_VM_READ|PROCESS_QUERY_INFORMATION|PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "1604"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\System32\\svchost.exe"
              }
            ],
            "repeated": 0,
            "id": 15960
          },
          {
            "timestamp": "2026-05-28 22:01:58,709",
            "thread_id": "5448",
            "caller": "0x7ff6c28c53e5",
            "parentcaller": "0x7ff6c28c3945",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a30"
              },
              {
                "name": "BaseAddress",
                "value": "0x563d25000"
              },
              {
                "name": "Size",
                "value": "0x000007c8"
              },
              {
                "name": "Buffer",
                "value": "\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x006\\x80\\xf7\\x7f\\x00\\x00\\xc0\\xc4\\x13x\\xfc\\x7f\\x00\\x00\\xf02\\xc0\"\\xf9\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb0\"\\xf9\\x01\\x00\\x00\\xe0\\xc0\\x13x\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00p\\x003v\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xab\"\\xf9\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00@\\xc4\\x13x\\xfc\\x7f\\x00\\x00\\xff\\x1f\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xbd\\xc9\\xf4}\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00P\\x07\\xbd\\xc9\\xf4}\\x00\\x00\\x00\\x00\\xd1\\xcb\\xf5}\\x00\\x00(\\x02\\xd2\\xcb\\xf5}\\x00\\x00P\\x06\\xd3\\xcb\\xf5}\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x80\\x9b\\x07m\\xe8\\xff\\xff\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x00 \\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x10\\x00\\x00\\x00@\\xad\\x13x\\xfc\\x7f\\x00\\x00\\x00\\x00\\x02#\\xf9\\x01\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 15961
          },
          {
            "timestamp": "2026-05-28 22:01:58,709",
            "thread_id": "5448",
            "caller": "0x7ff6c28c5414",
            "parentcaller": "0x7ff6c28c3945",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a30"
              },
              {
                "name": "BaseAddress",
                "value": "0x1f922c032f0"
              },
              {
                "name": "Size",
                "value": "0x00000440"
              },
              {
                "name": "Buffer",
                "value": "J\\x07\\x00\\x00J\\x07\\x00\\x00\\x01 \\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00(\\x00\\x08\\x02\\x00\\x00\\x00\\x00\\xb0>\\xc0\"\\xf9\\x01\\x00\\x00H\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00>\\x00@\\x00\\x00\\x00\\x00\\x0089\\xc0\"\\xf9\\x01\\x00\\x00|\\x00~\\x00\\x00\\x00\\x00\\x00x9\\xc0\"\\xf9\\x01\\x00\\x00\\xf0'\\xc0\"\\xf9\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x80\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00>\\x00@\\x00\\x00\\x00\\x00\\x00\\xf69\\xc0\"\\xf9\\x01\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x006:\\xc0\"\\xf9\\x01\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x008:\\xc0\"\\xf9\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 15962
          },
          {
            "timestamp": "2026-05-28 22:01:58,709",
            "thread_id": "5448",
            "caller": "0x7ff6c28c545d",
            "parentcaller": "0x7ff6c28c3945",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a30"
              },
              {
                "name": "BaseAddress",
                "value": "0x1f922c03978"
              },
              {
                "name": "Size",
                "value": "0x0000007c"
              },
              {
                "name": "Buffer",
                "value": "C\\x00:\\x00\\\\x00W\\x00i\\x00n\\x00d\\x00o\\x00w\\x00s\\x00\\\\x00S\\x00y\\x00s\\x00t\\x00e\\x00m\\x003\\x002\\x00\\\\x00s\\x00v\\x00c\\x00h\\x00o\\x00s\\x00t\\x00.\\x00e\\x00x\\x00e\\x00 \\x00-\\x00k\\x00 \\x00N\\x00e\\x00t\\x00w\\x00o\\x00r\\x00k\\x00S\\x00e\\x00r\\x00v\\x00i\\x00c\\x00e\\x00 \\x00-\\x00p\\x00 \\x00-\\x00s\\x00 \\x00N\\x00l\\x00a\\x00S\\x00v\\x00c\\x00"
              }
            ],
            "repeated": 0,
            "id": 15963
          },
          {
            "timestamp": "2026-05-28 22:01:58,709",
            "thread_id": "5448",
            "caller": "0x7ff6c28c39ad",
            "parentcaller": "0x7ff6c28c31bb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a30"
              }
            ],
            "repeated": 0,
            "id": 15964
          },
          {
            "timestamp": "2026-05-28 22:01:58,709",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c3746",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a30"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001000",
                "pretty_value": "PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "1604"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\System32\\svchost.exe"
              }
            ],
            "repeated": 0,
            "id": 15965
          },
          {
            "timestamp": "2026-05-28 22:01:58,709",
            "thread_id": "5448",
            "caller": "0x7ff6c28c472e",
            "parentcaller": "0x7ff6c28c375e",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a30"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x00000a3c"
              }
            ],
            "repeated": 0,
            "id": 15966
          },
          {
            "timestamp": "2026-05-28 22:01:58,709",
            "thread_id": "5448",
            "caller": "0x7ff6c28c4764",
            "parentcaller": "0x7ff6c28c375e",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "39"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 15967
          },
          {
            "timestamp": "2026-05-28 22:01:58,709",
            "thread_id": "5448",
            "caller": "0x7ff6c28c47ed",
            "parentcaller": "0x7ff6c28c375e",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "39"
              },
              {
                "name": "TokenInformation",
                "value": "\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\xd0\\xd2\\xabT\\x92\\x02\\x00\\x00 \\x00 \\x00\\x00\\x00\\x00\\x00\\xf8\\xd2\\xabT\\x92\\x02\\x00\\x00\\x02\\x00\\x00\\x00A\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x18\\xd3\\xabT\\x92\\x02\\x00\\x00T\\x00S\\x00A\\x00:\\x00/\\x00/\\x00P\\x00r\\x00o\\x00c\\x00U\\x00n\\x00i\\x00q\\x00u\\x00e\\x00\"\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x85\\x15\\x01\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 15968
          },
          {
            "timestamp": "2026-05-28 22:01:58,709",
            "thread_id": "5448",
            "caller": "0x7ff6c28c488d",
            "parentcaller": "0x7ff6c28c375e",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a3c"
              }
            ],
            "repeated": 0,
            "id": 15969
          },
          {
            "timestamp": "2026-05-28 22:01:58,709",
            "thread_id": "5448",
            "caller": "0x7ff6c28c3779",
            "parentcaller": "0x7ff6c28c31c6",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a30"
              }
            ],
            "repeated": 0,
            "id": 15970
          },
          {
            "timestamp": "2026-05-28 22:01:58,709",
            "thread_id": "5448",
            "caller": "0x7ff6c28c05ac",
            "parentcaller": "0x7ff6c28bdc11",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a30"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001400",
                "pretty_value": "PROCESS_QUERY_INFORMATION|PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "1688"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\System32\\svchost.exe"
              }
            ],
            "repeated": 0,
            "id": 15971
          },
          {
            "timestamp": "2026-05-28 22:01:58,709",
            "thread_id": "5448",
            "caller": "0x7ff6c28c068f",
            "parentcaller": "0x7ff6c28bdc11",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a30"
              }
            ],
            "repeated": 0,
            "id": 15972
          },
          {
            "timestamp": "2026-05-28 22:01:58,709",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c3e56",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a30"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001000",
                "pretty_value": "PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "1688"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\System32\\svchost.exe"
              }
            ],
            "repeated": 0,
            "id": 15973
          },
          {
            "timestamp": "2026-05-28 22:01:58,709",
            "thread_id": "5448",
            "caller": "0x7ff6c28c3ebb",
            "parentcaller": "0x7ff6c28c2d53",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a30"
              }
            ],
            "repeated": 0,
            "id": 15974
          },
          {
            "timestamp": "2026-05-28 22:01:58,709",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c3ffc",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a30"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001000",
                "pretty_value": "PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "1688"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\System32\\svchost.exe"
              }
            ],
            "repeated": 0,
            "id": 15975
          },
          {
            "timestamp": "2026-05-28 22:01:58,709",
            "thread_id": "5448",
            "caller": "0x7ff6c28c4224",
            "parentcaller": "0x7ff6c28c2da5",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a30"
              }
            ],
            "repeated": 0,
            "id": 15976
          },
          {
            "timestamp": "2026-05-28 22:01:58,709",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29255720002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\System32\\svchost.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 15977
          },
          {
            "timestamp": "2026-05-28 22:01:58,709",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "registry",
            "api": "NtOpenKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\en-US"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\en-US"
              }
            ],
            "repeated": 0,
            "id": 15978
          },
          {
            "timestamp": "2026-05-28 22:01:58,709",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000a30"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100001",
                "pretty_value": "FILE_READ_ACCESS|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\en-US\\svchost.exe.mui"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 15979
          },
          {
            "timestamp": "2026-05-28 22:01:58,709",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000a3c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000a30"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\en-US\\svchost.exe.mui"
              }
            ],
            "repeated": 0,
            "id": 15980
          },
          {
            "timestamp": "2026-05-28 22:01:58,709",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000a3c"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29255730000"
              },
              {
                "name": "SectionOffset",
                "value": "0xf09ddfcf90"
              },
              {
                "name": "ViewSize",
                "value": "0x00001000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 15981
          },
          {
            "timestamp": "2026-05-28 22:01:58,709",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a3c"
              }
            ],
            "repeated": 0,
            "id": 15982
          },
          {
            "timestamp": "2026-05-28 22:01:58,709",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29255730000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              }
            ],
            "repeated": 0,
            "id": 15983
          },
          {
            "timestamp": "2026-05-28 22:01:58,709",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a30"
              }
            ],
            "repeated": 0,
            "id": 15984
          },
          {
            "timestamp": "2026-05-28 22:01:58,709",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29255720000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              }
            ],
            "repeated": 0,
            "id": 15985
          },
          {
            "timestamp": "2026-05-28 22:01:58,709",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29255720002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\System32\\svchost.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 15986
          },
          {
            "timestamp": "2026-05-28 22:01:58,709",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "registry",
            "api": "NtOpenKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\en-US"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\en-US"
              }
            ],
            "repeated": 0,
            "id": 15987
          },
          {
            "timestamp": "2026-05-28 22:01:58,709",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000a30"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100001",
                "pretty_value": "FILE_READ_ACCESS|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\en-US\\svchost.exe.mui"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 15988
          },
          {
            "timestamp": "2026-05-28 22:01:58,709",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000a3c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000a30"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\en-US\\svchost.exe.mui"
              }
            ],
            "repeated": 0,
            "id": 15989
          },
          {
            "timestamp": "2026-05-28 22:01:58,709",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000a3c"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29255730000"
              },
              {
                "name": "SectionOffset",
                "value": "0xf09ddfcf80"
              },
              {
                "name": "ViewSize",
                "value": "0x00001000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 15990
          },
          {
            "timestamp": "2026-05-28 22:01:58,709",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a3c"
              }
            ],
            "repeated": 0,
            "id": 15991
          },
          {
            "timestamp": "2026-05-28 22:01:58,709",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29255730000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              }
            ],
            "repeated": 0,
            "id": 15992
          },
          {
            "timestamp": "2026-05-28 22:01:58,709",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a30"
              }
            ],
            "repeated": 0,
            "id": 15993
          },
          {
            "timestamp": "2026-05-28 22:01:58,709",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29255720000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              }
            ],
            "repeated": 0,
            "id": 15994
          },
          {
            "timestamp": "2026-05-28 22:01:58,709",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c38f8",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a30"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001410",
                "pretty_value": "PROCESS_VM_READ|PROCESS_QUERY_INFORMATION|PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "1688"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\System32\\svchost.exe"
              }
            ],
            "repeated": 0,
            "id": 15995
          },
          {
            "timestamp": "2026-05-28 22:01:58,709",
            "thread_id": "5448",
            "caller": "0x7ff6c28c53e5",
            "parentcaller": "0x7ff6c28c3945",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a30"
              },
              {
                "name": "BaseAddress",
                "value": "0x15fb04d000"
              },
              {
                "name": "Size",
                "value": "0x000007c8"
              },
              {
                "name": "Buffer",
                "value": "\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x006\\x80\\xf7\\x7f\\x00\\x00\\xc0\\xc4\\x13x\\xfc\\x7f\\x00\\x00p2\\x00\\x80\\x07\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xe0\\x7f\\x07\\x02\\x00\\x00\\xe0\\xc0\\x13x\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00p\\x003v\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xdb\\x7f\\x07\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00@\\xc4\\x13x\\xfc\\x7f\\x00\\x00\\xff\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00_\\xec\\xf4}\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00P\\x07_\\xec\\xf4}\\x00\\x00\\x00\\x00s\\xee\\xf5}\\x00\\x00(\\x02t\\xee\\xf5}\\x00\\x00P\\x06u\\xee\\xf5}\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x80\\x9b\\x07m\\xe8\\xff\\xff\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x00 \\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x10\\x00\\x00\\x00@\\xad\\x13x\\xfc\\x7f\\x00\\x00\\x00\\x00@\\x80\\x07\\x02\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 15996
          },
          {
            "timestamp": "2026-05-28 22:01:58,709",
            "thread_id": "5448",
            "caller": "0x7ff6c28c5414",
            "parentcaller": "0x7ff6c28c3945",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a30"
              },
              {
                "name": "BaseAddress",
                "value": "0x20780003270"
              },
              {
                "name": "Size",
                "value": "0x00000440"
              },
              {
                "name": "Buffer",
                "value": "h\\x07\\x00\\x00h\\x07\\x00\\x00\\x01 \\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00(\\x00\\x08\\x02\\x00\\x00\\x00\\x00P>\\x00\\x80\\x07\\x02\\x00\\x00H\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00>\\x00@\\x00\\x00\\x00\\x00\\x00\\xb88\\x00\\x80\\x07\\x02\\x00\\x00\\x9a\\x00\\x9c\\x00\\x00\\x00\\x00\\x00\\xf88\\x00\\x80\\x07\\x02\\x00\\x00\\xf0'\\x00\\x80\\x07\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x80\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00>\\x00@\\x00\\x00\\x00\\x00\\x00\\x949\\x00\\x80\\x07\\x02\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\xd49\\x00\\x80\\x07\\x02\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\xd69\\x00\\x80\\x07\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 15997
          },
          {
            "timestamp": "2026-05-28 22:01:58,709",
            "thread_id": "5448",
            "caller": "0x7ff6c28c545d",
            "parentcaller": "0x7ff6c28c3945",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a30"
              },
              {
                "name": "BaseAddress",
                "value": "0x207800038f8"
              },
              {
                "name": "Size",
                "value": "0x0000009a"
              },
              {
                "name": "Buffer",
                "value": "C\\x00:\\x00\\\\x00W\\x00i\\x00n\\x00d\\x00o\\x00w\\x00s\\x00\\\\x00s\\x00y\\x00s\\x00t\\x00e\\x00m\\x003\\x002\\x00\\\\x00s\\x00v\\x00c\\x00h\\x00o\\x00s\\x00t\\x00.\\x00e\\x00x\\x00e\\x00 \\x00-\\x00k\\x00 \\x00L\\x00o\\x00c\\x00a\\x00l\\x00S\\x00y\\x00s\\x00t\\x00e\\x00m\\x00N\\x00e\\x00t\\x00w\\x00o\\x00r\\x00k\\x00R\\x00e\\x00s\\x00t\\x00r\\x00i\\x00c\\x00t\\x00e\\x00d\\x00 \\x00-\\x00s\\x00 \\x00W\\x00P\\x00D\\x00B\\x00u\\x00s\\x00E\\x00n\\x00u\\x00m\\x00"
              }
            ],
            "repeated": 0,
            "id": 15998
          },
          {
            "timestamp": "2026-05-28 22:01:58,709",
            "thread_id": "5448",
            "caller": "0x7ff6c28c39ad",
            "parentcaller": "0x7ff6c28c31bb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a30"
              }
            ],
            "repeated": 0,
            "id": 15999
          },
          {
            "timestamp": "2026-05-28 22:01:58,709",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c3746",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a30"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001000",
                "pretty_value": "PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "1688"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\System32\\svchost.exe"
              }
            ],
            "repeated": 0,
            "id": 16000
          },
          {
            "timestamp": "2026-05-28 22:01:58,709",
            "thread_id": "5448",
            "caller": "0x7ff6c28c472e",
            "parentcaller": "0x7ff6c28c375e",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a30"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x00000a3c"
              }
            ],
            "repeated": 0,
            "id": 16001
          },
          {
            "timestamp": "2026-05-28 22:01:58,709",
            "thread_id": "5448",
            "caller": "0x7ff6c28c4764",
            "parentcaller": "0x7ff6c28c375e",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "39"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 16002
          },
          {
            "timestamp": "2026-05-28 22:01:58,709",
            "thread_id": "5448",
            "caller": "0x7ff6c28c47ed",
            "parentcaller": "0x7ff6c28c375e",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "39"
              },
              {
                "name": "TokenInformation",
                "value": "\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\xd0\\xd2\\xabT\\x92\\x02\\x00\\x00 \\x00 \\x00\\x00\\x00\\x00\\x00\\xf8\\xd2\\xabT\\x92\\x02\\x00\\x00\\x02\\x00\\x00\\x00A\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x18\\xd3\\xabT\\x92\\x02\\x00\\x00T\\x00S\\x00A\\x00:\\x00/\\x00/\\x00P\\x00r\\x00o\\x00c\\x00U\\x00n\\x00i\\x00q\\x00u\\x00e\\x00%\\x00\\x00\\x00\\x00\\x00\\x00\\x00Z\\x1c\\x01\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 16003
          },
          {
            "timestamp": "2026-05-28 22:01:58,709",
            "thread_id": "5448",
            "caller": "0x7ff6c28c488d",
            "parentcaller": "0x7ff6c28c375e",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a3c"
              }
            ],
            "repeated": 0,
            "id": 16004
          },
          {
            "timestamp": "2026-05-28 22:01:58,709",
            "thread_id": "5448",
            "caller": "0x7ff6c28c3779",
            "parentcaller": "0x7ff6c28c31c6",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a30"
              }
            ],
            "repeated": 0,
            "id": 16005
          },
          {
            "timestamp": "2026-05-28 22:01:58,709",
            "thread_id": "5448",
            "caller": "0x7ff6c28c05ac",
            "parentcaller": "0x7ff6c28bdc11",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a30"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001400",
                "pretty_value": "PROCESS_QUERY_INFORMATION|PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "1732"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\System32\\svchost.exe"
              }
            ],
            "repeated": 0,
            "id": 16006
          },
          {
            "timestamp": "2026-05-28 22:01:58,709",
            "thread_id": "5448",
            "caller": "0x7ff6c28c068f",
            "parentcaller": "0x7ff6c28bdc11",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a30"
              }
            ],
            "repeated": 0,
            "id": 16007
          },
          {
            "timestamp": "2026-05-28 22:01:58,709",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c3e56",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a30"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001000",
                "pretty_value": "PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "1732"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\System32\\svchost.exe"
              }
            ],
            "repeated": 0,
            "id": 16008
          },
          {
            "timestamp": "2026-05-28 22:01:58,709",
            "thread_id": "5448",
            "caller": "0x7ff6c28c3ebb",
            "parentcaller": "0x7ff6c28c2d53",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a30"
              }
            ],
            "repeated": 0,
            "id": 16009
          },
          {
            "timestamp": "2026-05-28 22:01:58,709",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c3ffc",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a30"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001000",
                "pretty_value": "PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "1732"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\System32\\svchost.exe"
              }
            ],
            "repeated": 0,
            "id": 16010
          },
          {
            "timestamp": "2026-05-28 22:01:58,709",
            "thread_id": "5448",
            "caller": "0x7ff6c28c4224",
            "parentcaller": "0x7ff6c28c2da5",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a30"
              }
            ],
            "repeated": 0,
            "id": 16011
          },
          {
            "timestamp": "2026-05-28 22:01:58,709",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29255720002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\System32\\svchost.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 16012
          },
          {
            "timestamp": "2026-05-28 22:01:58,709",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "registry",
            "api": "NtOpenKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\en-US"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\en-US"
              }
            ],
            "repeated": 0,
            "id": 16013
          },
          {
            "timestamp": "2026-05-28 22:01:58,709",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000a30"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100001",
                "pretty_value": "FILE_READ_ACCESS|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\en-US\\svchost.exe.mui"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 16014
          },
          {
            "timestamp": "2026-05-28 22:01:58,709",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000a3c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000a30"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\en-US\\svchost.exe.mui"
              }
            ],
            "repeated": 0,
            "id": 16015
          },
          {
            "timestamp": "2026-05-28 22:01:58,709",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000a3c"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29255730000"
              },
              {
                "name": "SectionOffset",
                "value": "0xf09ddfcf90"
              },
              {
                "name": "ViewSize",
                "value": "0x00001000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 16016
          },
          {
            "timestamp": "2026-05-28 22:01:58,709",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a3c"
              }
            ],
            "repeated": 0,
            "id": 16017
          },
          {
            "timestamp": "2026-05-28 22:01:58,709",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29255730000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              }
            ],
            "repeated": 0,
            "id": 16018
          },
          {
            "timestamp": "2026-05-28 22:01:58,709",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a30"
              }
            ],
            "repeated": 0,
            "id": 16019
          },
          {
            "timestamp": "2026-05-28 22:01:58,709",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29255720000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              }
            ],
            "repeated": 0,
            "id": 16020
          },
          {
            "timestamp": "2026-05-28 22:01:58,709",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29255720002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\System32\\svchost.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 16021
          },
          {
            "timestamp": "2026-05-28 22:01:58,709",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "registry",
            "api": "NtOpenKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\en-US"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\en-US"
              }
            ],
            "repeated": 0,
            "id": 16022
          },
          {
            "timestamp": "2026-05-28 22:01:58,709",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000a30"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100001",
                "pretty_value": "FILE_READ_ACCESS|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\en-US\\svchost.exe.mui"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 16023
          },
          {
            "timestamp": "2026-05-28 22:01:58,709",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000a3c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000a30"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\en-US\\svchost.exe.mui"
              }
            ],
            "repeated": 0,
            "id": 16024
          },
          {
            "timestamp": "2026-05-28 22:01:58,709",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000a3c"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29255730000"
              },
              {
                "name": "SectionOffset",
                "value": "0xf09ddfcf80"
              },
              {
                "name": "ViewSize",
                "value": "0x00001000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 16025
          },
          {
            "timestamp": "2026-05-28 22:01:58,709",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a3c"
              }
            ],
            "repeated": 0,
            "id": 16026
          },
          {
            "timestamp": "2026-05-28 22:01:58,709",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29255730000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              }
            ],
            "repeated": 0,
            "id": 16027
          },
          {
            "timestamp": "2026-05-28 22:01:58,709",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a30"
              }
            ],
            "repeated": 0,
            "id": 16028
          },
          {
            "timestamp": "2026-05-28 22:01:58,709",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29255720000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              }
            ],
            "repeated": 0,
            "id": 16029
          },
          {
            "timestamp": "2026-05-28 22:01:58,709",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c38f8",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a30"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001410",
                "pretty_value": "PROCESS_VM_READ|PROCESS_QUERY_INFORMATION|PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "1732"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\System32\\svchost.exe"
              }
            ],
            "repeated": 0,
            "id": 16030
          },
          {
            "timestamp": "2026-05-28 22:01:58,709",
            "thread_id": "5448",
            "caller": "0x7ff6c28c53e5",
            "parentcaller": "0x7ff6c28c3945",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a30"
              },
              {
                "name": "BaseAddress",
                "value": "0x8fc66e5000"
              },
              {
                "name": "Size",
                "value": "0x000007c8"
              },
              {
                "name": "Buffer",
                "value": "\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x006\\x80\\xf7\\x7f\\x00\\x00\\xc0\\xc4\\x13x\\xfc\\x7f\\x00\\x00p2\\xe0%\\x12\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xd8%\\x12\\x02\\x00\\x00\\xe0\\xc0\\x13x\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00p\\x003v\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xd3%\\x12\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00@\\xc4\\x13x\\xfc\\x7f\\x00\\x00\\xff\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00.\\xd3\\xf4}\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00P\\x07.\\xd3\\xf4}\\x00\\x00\\x00\\x00B\\xd5\\xf5}\\x00\\x00(\\x02C\\xd5\\xf5}\\x00\\x00P\\x06D\\xd5\\xf5}\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x80\\x9b\\x07m\\xe8\\xff\\xff\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x00 \\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x10\\x00\\x00\\x00@\\xad\\x13x\\xfc\\x7f\\x00\\x00\\x00\\x00-&\\x12\\x02\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 16031
          },
          {
            "timestamp": "2026-05-28 22:01:58,709",
            "thread_id": "5448",
            "caller": "0x7ff6c28c5414",
            "parentcaller": "0x7ff6c28c3945",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a30"
              },
              {
                "name": "BaseAddress",
                "value": "0x21225e03270"
              },
              {
                "name": "Size",
                "value": "0x00000440"
              },
              {
                "name": "Buffer",
                "value": "h\\x07\\x00\\x00h\\x07\\x00\\x00\\x01 \\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00(\\x00\\x08\\x02\\x00\\x00\\x00\\x00P>\\xe0%\\x12\\x02\\x00\\x00H\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00>\\x00@\\x00\\x00\\x00\\x00\\x00\\xb88\\xe0%\\x12\\x02\\x00\\x00\\x9a\\x00\\x9c\\x00\\x00\\x00\\x00\\x00\\xf88\\xe0%\\x12\\x02\\x00\\x00\\xf0'\\xe0%\\x12\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x80\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00>\\x00@\\x00\\x00\\x00\\x00\\x00\\x949\\xe0%\\x12\\x02\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\xd49\\xe0%\\x12\\x02\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\xd69\\xe0%\\x12\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 16032
          },
          {
            "timestamp": "2026-05-28 22:01:58,709",
            "thread_id": "5448",
            "caller": "0x7ff6c28c545d",
            "parentcaller": "0x7ff6c28c3945",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a30"
              },
              {
                "name": "BaseAddress",
                "value": "0x21225e038f8"
              },
              {
                "name": "Size",
                "value": "0x0000009a"
              },
              {
                "name": "Buffer",
                "value": "C\\x00:\\x00\\\\x00W\\x00i\\x00n\\x00d\\x00o\\x00w\\x00s\\x00\\\\x00s\\x00y\\x00s\\x00t\\x00e\\x00m\\x003\\x002\\x00\\\\x00s\\x00v\\x00c\\x00h\\x00o\\x00s\\x00t\\x00.\\x00e\\x00x\\x00e\\x00 \\x00-\\x00k\\x00 \\x00L\\x00o\\x00c\\x00a\\x00l\\x00S\\x00y\\x00s\\x00t\\x00e\\x00m\\x00N\\x00e\\x00t\\x00w\\x00o\\x00r\\x00k\\x00R\\x00e\\x00s\\x00t\\x00r\\x00i\\x00c\\x00t\\x00e\\x00d\\x00 \\x00-\\x00p\\x00 \\x00-\\x00s\\x00 \\x00S\\x00y\\x00s\\x00M\\x00a\\x00i\\x00n\\x00"
              }
            ],
            "repeated": 0,
            "id": 16033
          },
          {
            "timestamp": "2026-05-28 22:01:58,709",
            "thread_id": "5448",
            "caller": "0x7ff6c28c39ad",
            "parentcaller": "0x7ff6c28c31bb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a30"
              }
            ],
            "repeated": 0,
            "id": 16034
          },
          {
            "timestamp": "2026-05-28 22:01:58,709",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c3746",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a30"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001000",
                "pretty_value": "PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "1732"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\System32\\svchost.exe"
              }
            ],
            "repeated": 0,
            "id": 16035
          },
          {
            "timestamp": "2026-05-28 22:01:58,709",
            "thread_id": "5448",
            "caller": "0x7ff6c28c472e",
            "parentcaller": "0x7ff6c28c375e",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a30"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x00000a3c"
              }
            ],
            "repeated": 0,
            "id": 16036
          },
          {
            "timestamp": "2026-05-28 22:01:58,709",
            "thread_id": "5448",
            "caller": "0x7ff6c28c4764",
            "parentcaller": "0x7ff6c28c375e",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "39"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 16037
          },
          {
            "timestamp": "2026-05-28 22:01:58,709",
            "thread_id": "5448",
            "caller": "0x7ff6c28c47ed",
            "parentcaller": "0x7ff6c28c375e",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "39"
              },
              {
                "name": "TokenInformation",
                "value": "\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\xd0\\xd2\\xabT\\x92\\x02\\x00\\x00 \\x00 \\x00\\x00\\x00\\x00\\x00\\xf8\\xd2\\xabT\\x92\\x02\\x00\\x00\\x02\\x00\\x00\\x00A\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x18\\xd3\\xabT\\x92\\x02\\x00\\x00T\\x00S\\x00A\\x00:\\x00/\\x00/\\x00P\\x00r\\x00o\\x00c\\x00U\\x00n\\x00i\\x00q\\x00u\\x00e\\x00'\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb9 \\x01\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 16038
          },
          {
            "timestamp": "2026-05-28 22:01:58,709",
            "thread_id": "5448",
            "caller": "0x7ff6c28c488d",
            "parentcaller": "0x7ff6c28c375e",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a3c"
              }
            ],
            "repeated": 0,
            "id": 16039
          },
          {
            "timestamp": "2026-05-28 22:01:58,709",
            "thread_id": "5448",
            "caller": "0x7ff6c28c3779",
            "parentcaller": "0x7ff6c28c31c6",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a30"
              }
            ],
            "repeated": 0,
            "id": 16040
          },
          {
            "timestamp": "2026-05-28 22:01:58,709",
            "thread_id": "5448",
            "caller": "0x7ff6c28c05ac",
            "parentcaller": "0x7ff6c28bdc11",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a30"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001400",
                "pretty_value": "PROCESS_QUERY_INFORMATION|PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "1852"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\System32\\svchost.exe"
              }
            ],
            "repeated": 0,
            "id": 16041
          },
          {
            "timestamp": "2026-05-28 22:01:58,709",
            "thread_id": "5448",
            "caller": "0x7ff6c28c068f",
            "parentcaller": "0x7ff6c28bdc11",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a30"
              }
            ],
            "repeated": 0,
            "id": 16042
          },
          {
            "timestamp": "2026-05-28 22:01:58,709",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c3e56",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a30"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001000",
                "pretty_value": "PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "1852"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\System32\\svchost.exe"
              }
            ],
            "repeated": 0,
            "id": 16043
          },
          {
            "timestamp": "2026-05-28 22:01:58,709",
            "thread_id": "5448",
            "caller": "0x7ff6c28c3ebb",
            "parentcaller": "0x7ff6c28c2d53",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a30"
              }
            ],
            "repeated": 0,
            "id": 16044
          },
          {
            "timestamp": "2026-05-28 22:01:58,709",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c3ffc",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a30"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001000",
                "pretty_value": "PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "1852"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\System32\\svchost.exe"
              }
            ],
            "repeated": 0,
            "id": 16045
          },
          {
            "timestamp": "2026-05-28 22:01:58,709",
            "thread_id": "5448",
            "caller": "0x7ff6c28c4224",
            "parentcaller": "0x7ff6c28c2da5",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a30"
              }
            ],
            "repeated": 0,
            "id": 16046
          },
          {
            "timestamp": "2026-05-28 22:01:58,709",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29255720002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\System32\\svchost.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 16047
          },
          {
            "timestamp": "2026-05-28 22:01:58,709",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "registry",
            "api": "NtOpenKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\en-US"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\en-US"
              }
            ],
            "repeated": 0,
            "id": 16048
          },
          {
            "timestamp": "2026-05-28 22:01:58,709",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000a30"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100001",
                "pretty_value": "FILE_READ_ACCESS|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\en-US\\svchost.exe.mui"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 16049
          },
          {
            "timestamp": "2026-05-28 22:01:58,709",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000a3c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000a30"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\en-US\\svchost.exe.mui"
              }
            ],
            "repeated": 0,
            "id": 16050
          },
          {
            "timestamp": "2026-05-28 22:01:58,709",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000a3c"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29255730000"
              },
              {
                "name": "SectionOffset",
                "value": "0xf09ddfcf90"
              },
              {
                "name": "ViewSize",
                "value": "0x00001000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 16051
          },
          {
            "timestamp": "2026-05-28 22:01:58,709",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a3c"
              }
            ],
            "repeated": 0,
            "id": 16052
          },
          {
            "timestamp": "2026-05-28 22:01:58,709",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29255730000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              }
            ],
            "repeated": 0,
            "id": 16053
          },
          {
            "timestamp": "2026-05-28 22:01:58,709",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a30"
              }
            ],
            "repeated": 0,
            "id": 16054
          },
          {
            "timestamp": "2026-05-28 22:01:58,709",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29255720000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              }
            ],
            "repeated": 0,
            "id": 16055
          },
          {
            "timestamp": "2026-05-28 22:01:58,709",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29255720002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\System32\\svchost.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 16056
          },
          {
            "timestamp": "2026-05-28 22:01:58,709",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "registry",
            "api": "NtOpenKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\en-US"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\en-US"
              }
            ],
            "repeated": 0,
            "id": 16057
          },
          {
            "timestamp": "2026-05-28 22:01:58,709",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000a30"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100001",
                "pretty_value": "FILE_READ_ACCESS|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\en-US\\svchost.exe.mui"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 16058
          },
          {
            "timestamp": "2026-05-28 22:01:58,709",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000a3c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000a30"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\en-US\\svchost.exe.mui"
              }
            ],
            "repeated": 0,
            "id": 16059
          },
          {
            "timestamp": "2026-05-28 22:01:58,709",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000a3c"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29255730000"
              },
              {
                "name": "SectionOffset",
                "value": "0xf09ddfcf80"
              },
              {
                "name": "ViewSize",
                "value": "0x00001000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 16060
          },
          {
            "timestamp": "2026-05-28 22:01:58,709",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a3c"
              }
            ],
            "repeated": 0,
            "id": 16061
          },
          {
            "timestamp": "2026-05-28 22:01:58,709",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29255730000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              }
            ],
            "repeated": 0,
            "id": 16062
          },
          {
            "timestamp": "2026-05-28 22:01:58,709",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a30"
              }
            ],
            "repeated": 0,
            "id": 16063
          },
          {
            "timestamp": "2026-05-28 22:01:58,709",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29255720000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              }
            ],
            "repeated": 0,
            "id": 16064
          },
          {
            "timestamp": "2026-05-28 22:01:58,709",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c38f8",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a30"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001410",
                "pretty_value": "PROCESS_VM_READ|PROCESS_QUERY_INFORMATION|PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "1852"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\System32\\svchost.exe"
              }
            ],
            "repeated": 0,
            "id": 16065
          },
          {
            "timestamp": "2026-05-28 22:01:58,709",
            "thread_id": "5448",
            "caller": "0x7ff6c28c53e5",
            "parentcaller": "0x7ff6c28c3945",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a30"
              },
              {
                "name": "BaseAddress",
                "value": "0x7427613000"
              },
              {
                "name": "Size",
                "value": "0x000007c8"
              },
              {
                "name": "Buffer",
                "value": "\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x006\\x80\\xf7\\x7f\\x00\\x00\\xc0\\xc4\\x13x\\xfc\\x7f\\x00\\x00p2`o\\xdd\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00Go\\xdd\\x01\\x00\\x00\\xe0\\xc0\\x13x\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00p\\x003v\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00Bo\\xdd\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00@\\xc4\\x13x\\xfc\\x7f\\x00\\x00?\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xf8\\x92\\xf4}\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00P\\x07\\xf8\\x92\\xf4}\\x00\\x00\\x00\\x00\\x0c\\x95\\xf5}\\x00\\x00(\\x02\r\\x95\\xf5}\\x00\\x00P\\x06\\x0e\\x95\\xf5}\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x80\\x9b\\x07m\\xe8\\xff\\xff\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x00 \\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x10\\x00\\x00\\x00@\\xad\\x13x\\xfc\\x7f\\x00\\x00\\x00\\x00\\xa0o\\xdd\\x01\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 16066
          },
          {
            "timestamp": "2026-05-28 22:01:58,709",
            "thread_id": "5448",
            "caller": "0x7ff6c28c5414",
            "parentcaller": "0x7ff6c28c3945",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a30"
              },
              {
                "name": "BaseAddress",
                "value": "0x1dd6f603270"
              },
              {
                "name": "Size",
                "value": "0x00000440"
              },
              {
                "name": "Buffer",
                "value": "8\\x07\\x00\\x008\\x07\\x00\\x00\\x01 \\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00(\\x00\\x08\\x02\\x00\\x00\\x00\\x00 >`o\\xdd\\x01\\x00\\x00H\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00>\\x00@\\x00\\x00\\x00\\x00\\x00\\xb88`o\\xdd\\x01\\x00\\x00j\\x00l\\x00\\x00\\x00\\x00\\x00\\xf88`o\\xdd\\x01\\x00\\x00\\xf0'`o\\xdd\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x80\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00>\\x00@\\x00\\x00\\x00\\x00\\x00d9`o\\xdd\\x01\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\xa49`o\\xdd\\x01\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\xa69`o\\xdd\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 16067
          },
          {
            "timestamp": "2026-05-28 22:01:58,709",
            "thread_id": "5448",
            "caller": "0x7ff6c28c545d",
            "parentcaller": "0x7ff6c28c3945",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a30"
              },
              {
                "name": "BaseAddress",
                "value": "0x1dd6f6038f8"
              },
              {
                "name": "Size",
                "value": "0x0000006a"
              },
              {
                "name": "Buffer",
                "value": "C\\x00:\\x00\\\\x00W\\x00i\\x00n\\x00d\\x00o\\x00w\\x00s\\x00\\\\x00s\\x00y\\x00s\\x00t\\x00e\\x00m\\x003\\x002\\x00\\\\x00s\\x00v\\x00c\\x00h\\x00o\\x00s\\x00t\\x00.\\x00e\\x00x\\x00e\\x00 \\x00-\\x00k\\x00 \\x00n\\x00e\\x00t\\x00s\\x00v\\x00c\\x00s\\x00 \\x00-\\x00p\\x00 \\x00-\\x00s\\x00 \\x00S\\x00E\\x00N\\x00S\\x00"
              }
            ],
            "repeated": 0,
            "id": 16068
          },
          {
            "timestamp": "2026-05-28 22:01:58,709",
            "thread_id": "5448",
            "caller": "0x7ff6c28c39ad",
            "parentcaller": "0x7ff6c28c31bb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a30"
              }
            ],
            "repeated": 0,
            "id": 16069
          },
          {
            "timestamp": "2026-05-28 22:01:58,709",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c3746",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a30"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001000",
                "pretty_value": "PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "1852"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\System32\\svchost.exe"
              }
            ],
            "repeated": 0,
            "id": 16070
          },
          {
            "timestamp": "2026-05-28 22:01:58,709",
            "thread_id": "5448",
            "caller": "0x7ff6c28c472e",
            "parentcaller": "0x7ff6c28c375e",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a30"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x00000a3c"
              }
            ],
            "repeated": 0,
            "id": 16071
          },
          {
            "timestamp": "2026-05-28 22:01:58,709",
            "thread_id": "5448",
            "caller": "0x7ff6c28c4764",
            "parentcaller": "0x7ff6c28c375e",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "39"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 16072
          },
          {
            "timestamp": "2026-05-28 22:01:58,709",
            "thread_id": "5448",
            "caller": "0x7ff6c28c47ed",
            "parentcaller": "0x7ff6c28c375e",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "39"
              },
              {
                "name": "TokenInformation",
                "value": "\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\xd0\\xd2\\xabT\\x92\\x02\\x00\\x00 \\x00 \\x00\\x00\\x00\\x00\\x00\\xf8\\xd2\\xabT\\x92\\x02\\x00\\x00\\x02\\x00\\x00\\x00A\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x18\\xd3\\xabT\\x92\\x02\\x00\\x00T\\x00S\\x00A\\x00:\\x00/\\x00/\\x00P\\x00r\\x00o\\x00c\\x00U\\x00n\\x00i\\x00q\\x00u\\x00e\\x00+\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x12,\\x01\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 16073
          },
          {
            "timestamp": "2026-05-28 22:01:58,709",
            "thread_id": "5448",
            "caller": "0x7ff6c28c488d",
            "parentcaller": "0x7ff6c28c375e",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a3c"
              }
            ],
            "repeated": 0,
            "id": 16074
          },
          {
            "timestamp": "2026-05-28 22:01:58,709",
            "thread_id": "5448",
            "caller": "0x7ff6c28c3779",
            "parentcaller": "0x7ff6c28c31c6",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a30"
              }
            ],
            "repeated": 0,
            "id": 16075
          },
          {
            "timestamp": "2026-05-28 22:01:58,709",
            "thread_id": "5448",
            "caller": "0x7ff6c28c05ac",
            "parentcaller": "0x7ff6c28bdc11",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a30"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001400",
                "pretty_value": "PROCESS_QUERY_INFORMATION|PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "1900"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\System32\\svchost.exe"
              }
            ],
            "repeated": 0,
            "id": 16076
          },
          {
            "timestamp": "2026-05-28 22:01:58,709",
            "thread_id": "5448",
            "caller": "0x7ff6c28c068f",
            "parentcaller": "0x7ff6c28bdc11",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a30"
              }
            ],
            "repeated": 0,
            "id": 16077
          },
          {
            "timestamp": "2026-05-28 22:01:58,709",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c3e56",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a30"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001000",
                "pretty_value": "PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "1900"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\System32\\svchost.exe"
              }
            ],
            "repeated": 0,
            "id": 16078
          },
          {
            "timestamp": "2026-05-28 22:01:58,709",
            "thread_id": "5448",
            "caller": "0x7ff6c28c3ebb",
            "parentcaller": "0x7ff6c28c2d53",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a30"
              }
            ],
            "repeated": 0,
            "id": 16079
          },
          {
            "timestamp": "2026-05-28 22:01:58,709",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c3ffc",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a30"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001000",
                "pretty_value": "PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "1900"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\System32\\svchost.exe"
              }
            ],
            "repeated": 0,
            "id": 16080
          },
          {
            "timestamp": "2026-05-28 22:01:58,709",
            "thread_id": "5448",
            "caller": "0x7ff6c28c4224",
            "parentcaller": "0x7ff6c28c2da5",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a30"
              }
            ],
            "repeated": 0,
            "id": 16081
          },
          {
            "timestamp": "2026-05-28 22:01:58,709",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29255720002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\System32\\svchost.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 16082
          },
          {
            "timestamp": "2026-05-28 22:01:58,709",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "registry",
            "api": "NtOpenKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\en-US"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\en-US"
              }
            ],
            "repeated": 0,
            "id": 16083
          },
          {
            "timestamp": "2026-05-28 22:01:58,709",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000a30"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100001",
                "pretty_value": "FILE_READ_ACCESS|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\en-US\\svchost.exe.mui"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 16084
          },
          {
            "timestamp": "2026-05-28 22:01:58,709",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000a3c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000a30"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\en-US\\svchost.exe.mui"
              }
            ],
            "repeated": 0,
            "id": 16085
          },
          {
            "timestamp": "2026-05-28 22:01:58,709",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000a3c"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29255730000"
              },
              {
                "name": "SectionOffset",
                "value": "0xf09ddfcf90"
              },
              {
                "name": "ViewSize",
                "value": "0x00001000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 16086
          },
          {
            "timestamp": "2026-05-28 22:01:58,709",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a3c"
              }
            ],
            "repeated": 0,
            "id": 16087
          },
          {
            "timestamp": "2026-05-28 22:01:58,709",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29255730000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              }
            ],
            "repeated": 0,
            "id": 16088
          },
          {
            "timestamp": "2026-05-28 22:01:58,709",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a30"
              }
            ],
            "repeated": 0,
            "id": 16089
          },
          {
            "timestamp": "2026-05-28 22:01:58,709",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29255720000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              }
            ],
            "repeated": 0,
            "id": 16090
          },
          {
            "timestamp": "2026-05-28 22:01:58,709",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29255720002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\System32\\svchost.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 16091
          },
          {
            "timestamp": "2026-05-28 22:01:58,709",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "registry",
            "api": "NtOpenKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\en-US"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\en-US"
              }
            ],
            "repeated": 0,
            "id": 16092
          },
          {
            "timestamp": "2026-05-28 22:01:58,709",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000a30"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100001",
                "pretty_value": "FILE_READ_ACCESS|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\en-US\\svchost.exe.mui"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 16093
          },
          {
            "timestamp": "2026-05-28 22:01:58,709",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000a3c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000a30"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\en-US\\svchost.exe.mui"
              }
            ],
            "repeated": 0,
            "id": 16094
          },
          {
            "timestamp": "2026-05-28 22:01:58,709",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000a3c"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29255730000"
              },
              {
                "name": "SectionOffset",
                "value": "0xf09ddfcf80"
              },
              {
                "name": "ViewSize",
                "value": "0x00001000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 16095
          },
          {
            "timestamp": "2026-05-28 22:01:58,709",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a3c"
              }
            ],
            "repeated": 0,
            "id": 16096
          },
          {
            "timestamp": "2026-05-28 22:01:58,709",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29255730000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              }
            ],
            "repeated": 0,
            "id": 16097
          },
          {
            "timestamp": "2026-05-28 22:01:58,709",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a30"
              }
            ],
            "repeated": 0,
            "id": 16098
          },
          {
            "timestamp": "2026-05-28 22:01:58,709",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29255720000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              }
            ],
            "repeated": 0,
            "id": 16099
          },
          {
            "timestamp": "2026-05-28 22:01:58,709",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c38f8",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a30"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001410",
                "pretty_value": "PROCESS_VM_READ|PROCESS_QUERY_INFORMATION|PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "1900"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\System32\\svchost.exe"
              }
            ],
            "repeated": 0,
            "id": 16100
          },
          {
            "timestamp": "2026-05-28 22:01:58,709",
            "thread_id": "5448",
            "caller": "0x7ff6c28c53e5",
            "parentcaller": "0x7ff6c28c3945",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a30"
              },
              {
                "name": "BaseAddress",
                "value": "0xe7987df000"
              },
              {
                "name": "Size",
                "value": "0x000007c8"
              },
              {
                "name": "Buffer",
                "value": "\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x006\\x80\\xf7\\x7f\\x00\\x00\\xc0\\xc4\\x13x\\xfc\\x7f\\x00\\x00p2\\x00B\\xef\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xeaA\\xef\\x01\\x00\\x00\\xe0\\xc0\\x13x\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00p\\x003v\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xe5A\\xef\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00@\\xc4\\x13x\\xfc\\x7f\\x00\\x00\\x7f\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xe5\\xf7\\xf4}\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00P\\x07\\xe5\\xf7\\xf4}\\x00\\x00\\x00\\x00\\xf9\\xf9\\xf5}\\x00\\x00(\\x02\\xfa\\xf9\\xf5}\\x00\\x00P\\x06\\xfb\\xf9\\xf5}\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x80\\x9b\\x07m\\xe8\\xff\\xff\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x00 \\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x10\\x00\\x00\\x00@\\xad\\x13x\\xfc\\x7f\\x00\\x00\\x00\\x00@B\\xef\\x01\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 16101
          },
          {
            "timestamp": "2026-05-28 22:01:58,709",
            "thread_id": "5448",
            "caller": "0x7ff6c28c5414",
            "parentcaller": "0x7ff6c28c3945",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a30"
              },
              {
                "name": "BaseAddress",
                "value": "0x1ef42003270"
              },
              {
                "name": "Size",
                "value": "0x00000440"
              },
              {
                "name": "Buffer",
                "value": "\\x82\\x07\\x00\\x00\\x82\\x07\\x00\\x00\\x01 \\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00(\\x00\\x08\\x02\\x00\\x00\\x00\\x00p>\\x00B\\xef\\x01\\x00\\x00L\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00>\\x00@\\x00\\x00\\x00\\x00\\x00\\xb88\\x00B\\xef\\x01\\x00\\x00\\xb4\\x00\\xb6\\x00\\x00\\x00\\x00\\x00\\xf88\\x00B\\xef\\x01\\x00\\x00\\xf0'\\x00B\\xef\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x80\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00>\\x00@\\x00\\x00\\x00\\x00\\x00\\xae9\\x00B\\xef\\x01\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\xee9\\x00B\\xef\\x01\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\xf09\\x00B\\xef\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 16102
          },
          {
            "timestamp": "2026-05-28 22:01:58,709",
            "thread_id": "5448",
            "caller": "0x7ff6c28c545d",
            "parentcaller": "0x7ff6c28c3945",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a30"
              },
              {
                "name": "BaseAddress",
                "value": "0x1ef420038f8"
              },
              {
                "name": "Size",
                "value": "0x000000b4"
              },
              {
                "name": "Buffer",
                "value": "C\\x00:\\x00\\\\x00W\\x00i\\x00n\\x00d\\x00o\\x00w\\x00s\\x00\\\\x00S\\x00y\\x00s\\x00t\\x00e\\x00m\\x003\\x002\\x00\\\\x00s\\x00v\\x00c\\x00h\\x00o\\x00s\\x00t\\x00.\\x00e\\x00x\\x00e\\x00 \\x00-\\x00k\\x00 \\x00L\\x00o\\x00c\\x00a\\x00l\\x00S\\x00y\\x00s\\x00t\\x00e\\x00m\\x00N\\x00e\\x00t\\x00w\\x00o\\x00r\\x00k\\x00R\\x00e\\x00s\\x00t\\x00r\\x00i\\x00c\\x00t\\x00e\\x00d\\x00 \\x00-\\x00p\\x00 \\x00-\\x00s\\x00 \\x00A\\x00u\\x00d\\x00i\\x00o\\x00E\\x00n\\x00d\\x00p\\x00o\\x00i\\x00n\\x00t\\x00B\\x00u\\x00i\\x00l\\x00d\\x00e\\x00r\\x00"
              }
            ],
            "repeated": 0,
            "id": 16103
          },
          {
            "timestamp": "2026-05-28 22:01:58,709",
            "thread_id": "5448",
            "caller": "0x7ff6c28c39ad",
            "parentcaller": "0x7ff6c28c31bb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a30"
              }
            ],
            "repeated": 0,
            "id": 16104
          },
          {
            "timestamp": "2026-05-28 22:01:58,709",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c3746",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a30"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001000",
                "pretty_value": "PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "1900"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\System32\\svchost.exe"
              }
            ],
            "repeated": 0,
            "id": 16105
          },
          {
            "timestamp": "2026-05-28 22:01:58,709",
            "thread_id": "5448",
            "caller": "0x7ff6c28c472e",
            "parentcaller": "0x7ff6c28c375e",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a30"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x00000a3c"
              }
            ],
            "repeated": 0,
            "id": 16106
          },
          {
            "timestamp": "2026-05-28 22:01:58,709",
            "thread_id": "5448",
            "caller": "0x7ff6c28c4764",
            "parentcaller": "0x7ff6c28c375e",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "39"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 16107
          },
          {
            "timestamp": "2026-05-28 22:01:58,709",
            "thread_id": "5448",
            "caller": "0x7ff6c28c47ed",
            "parentcaller": "0x7ff6c28c375e",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "39"
              },
              {
                "name": "TokenInformation",
                "value": "\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\xd0\\xd2\\xabT\\x92\\x02\\x00\\x00 \\x00 \\x00\\x00\\x00\\x00\\x00\\xf8\\xd2\\xabT\\x92\\x02\\x00\\x00\\x02\\x00\\x00\\x00A\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x18\\xd3\\xabT\\x92\\x02\\x00\\x00T\\x00S\\x00A\\x00:\\x00/\\x00/\\x00P\\x00r\\x00o\\x00c\\x00U\\x00n\\x00i\\x00q\\x00u\\x00e\\x00-\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xd90\\x01\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 16108
          },
          {
            "timestamp": "2026-05-28 22:01:58,709",
            "thread_id": "5448",
            "caller": "0x7ff6c28c488d",
            "parentcaller": "0x7ff6c28c375e",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a3c"
              }
            ],
            "repeated": 0,
            "id": 16109
          },
          {
            "timestamp": "2026-05-28 22:01:58,709",
            "thread_id": "5448",
            "caller": "0x7ff6c28c3779",
            "parentcaller": "0x7ff6c28c31c6",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a30"
              }
            ],
            "repeated": 0,
            "id": 16110
          },
          {
            "timestamp": "2026-05-28 22:01:58,709",
            "thread_id": "5448",
            "caller": "0x7ff6c28c05ac",
            "parentcaller": "0x7ff6c28bdc11",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a30"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001400",
                "pretty_value": "PROCESS_QUERY_INFORMATION|PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "1396"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\System32\\svchost.exe"
              }
            ],
            "repeated": 0,
            "id": 16111
          },
          {
            "timestamp": "2026-05-28 22:01:58,709",
            "thread_id": "5448",
            "caller": "0x7ff6c28c068f",
            "parentcaller": "0x7ff6c28bdc11",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a30"
              }
            ],
            "repeated": 0,
            "id": 16112
          },
          {
            "timestamp": "2026-05-28 22:01:58,709",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c3e56",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a30"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001000",
                "pretty_value": "PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "1396"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\System32\\svchost.exe"
              }
            ],
            "repeated": 0,
            "id": 16113
          },
          {
            "timestamp": "2026-05-28 22:01:58,709",
            "thread_id": "5448",
            "caller": "0x7ff6c28c3ebb",
            "parentcaller": "0x7ff6c28c2d53",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a30"
              }
            ],
            "repeated": 0,
            "id": 16114
          },
          {
            "timestamp": "2026-05-28 22:01:58,709",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c3ffc",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a30"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001000",
                "pretty_value": "PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "1396"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\System32\\svchost.exe"
              }
            ],
            "repeated": 0,
            "id": 16115
          },
          {
            "timestamp": "2026-05-28 22:01:58,709",
            "thread_id": "5448",
            "caller": "0x7ff6c28c4224",
            "parentcaller": "0x7ff6c28c2da5",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a30"
              }
            ],
            "repeated": 0,
            "id": 16116
          },
          {
            "timestamp": "2026-05-28 22:01:58,709",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29255720002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\System32\\svchost.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 16117
          },
          {
            "timestamp": "2026-05-28 22:01:58,709",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "registry",
            "api": "NtOpenKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\en-US"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\en-US"
              }
            ],
            "repeated": 0,
            "id": 16118
          },
          {
            "timestamp": "2026-05-28 22:01:58,709",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000a30"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100001",
                "pretty_value": "FILE_READ_ACCESS|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\en-US\\svchost.exe.mui"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 16119
          },
          {
            "timestamp": "2026-05-28 22:01:58,709",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000a3c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000a30"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\en-US\\svchost.exe.mui"
              }
            ],
            "repeated": 0,
            "id": 16120
          },
          {
            "timestamp": "2026-05-28 22:01:58,709",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000a3c"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29255730000"
              },
              {
                "name": "SectionOffset",
                "value": "0xf09ddfcf90"
              },
              {
                "name": "ViewSize",
                "value": "0x00001000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 16121
          },
          {
            "timestamp": "2026-05-28 22:01:58,709",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a3c"
              }
            ],
            "repeated": 0,
            "id": 16122
          },
          {
            "timestamp": "2026-05-28 22:01:58,709",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29255730000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              }
            ],
            "repeated": 0,
            "id": 16123
          },
          {
            "timestamp": "2026-05-28 22:01:58,709",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a30"
              }
            ],
            "repeated": 0,
            "id": 16124
          },
          {
            "timestamp": "2026-05-28 22:01:58,709",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29255720000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              }
            ],
            "repeated": 0,
            "id": 16125
          },
          {
            "timestamp": "2026-05-28 22:01:58,709",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29255720002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\System32\\svchost.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 16126
          },
          {
            "timestamp": "2026-05-28 22:01:58,709",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "registry",
            "api": "NtOpenKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\en-US"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\en-US"
              }
            ],
            "repeated": 0,
            "id": 16127
          },
          {
            "timestamp": "2026-05-28 22:01:58,709",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000a30"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100001",
                "pretty_value": "FILE_READ_ACCESS|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\en-US\\svchost.exe.mui"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 16128
          },
          {
            "timestamp": "2026-05-28 22:01:58,725",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000a3c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000a30"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\en-US\\svchost.exe.mui"
              }
            ],
            "repeated": 0,
            "id": 16129
          },
          {
            "timestamp": "2026-05-28 22:01:58,725",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000a3c"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29255730000"
              },
              {
                "name": "SectionOffset",
                "value": "0xf09ddfcf80"
              },
              {
                "name": "ViewSize",
                "value": "0x00001000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 16130
          },
          {
            "timestamp": "2026-05-28 22:01:58,725",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a3c"
              }
            ],
            "repeated": 0,
            "id": 16131
          },
          {
            "timestamp": "2026-05-28 22:01:58,725",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29255730000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              }
            ],
            "repeated": 0,
            "id": 16132
          },
          {
            "timestamp": "2026-05-28 22:01:58,725",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a30"
              }
            ],
            "repeated": 0,
            "id": 16133
          },
          {
            "timestamp": "2026-05-28 22:01:58,725",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29255720000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              }
            ],
            "repeated": 0,
            "id": 16134
          },
          {
            "timestamp": "2026-05-28 22:01:58,725",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c38f8",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a30"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001410",
                "pretty_value": "PROCESS_VM_READ|PROCESS_QUERY_INFORMATION|PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "1396"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\System32\\svchost.exe"
              }
            ],
            "repeated": 0,
            "id": 16135
          },
          {
            "timestamp": "2026-05-28 22:01:58,725",
            "thread_id": "5448",
            "caller": "0x7ff6c28c53e5",
            "parentcaller": "0x7ff6c28c3945",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a30"
              },
              {
                "name": "BaseAddress",
                "value": "0x565870e000"
              },
              {
                "name": "Size",
                "value": "0x000007c8"
              },
              {
                "name": "Buffer",
                "value": "\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x006\\x80\\xf7\\x7f\\x00\\x00\\xc0\\xc4\\x13x\\xfc\\x7f\\x00\\x00\\xf02`\\h\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00B\\h\\x01\\x00\\x00\\xe0\\xc0\\x13x\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00p\\x003v\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00=\\h\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00@\\xc4\\x13x\\xfc\\x7f\\x00\\x00?\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xeez\\xf4}\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00P\\x07\\xeez\\xf4}\\x00\\x00\\x00\\x00\\x02}\\xf5}\\x00\\x00(\\x02\\x03}\\xf5}\\x00\\x00P\\x06\\x04}\\xf5}\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x80\\x9b\\x07m\\xe8\\xff\\xff\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x00 \\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\x05\\x00\\x00\\x00\\x10\\x00\\x00\\x00@\\xad\\x13x\\xfc\\x7f\\x00\\x00\\x00\\x00\\xa0\\h\\x01\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 16136
          },
          {
            "timestamp": "2026-05-28 22:01:58,725",
            "thread_id": "5448",
            "caller": "0x7ff6c28c5414",
            "parentcaller": "0x7ff6c28c3945",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a30"
              },
              {
                "name": "BaseAddress",
                "value": "0x1685c6032f0"
              },
              {
                "name": "Size",
                "value": "0x00000440"
              },
              {
                "name": "Buffer",
                "value": "N\\x07\\x00\\x00N\\x07\\x00\\x00\\x01 \\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00(\\x00\\x08\\x02\\x00\\x00\\x00\\x00\\xb0>`\\h\\x01\\x00\\x00H\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00>\\x00@\\x00\\x00\\x00\\x00\\x0089`\\h\\x01\\x00\\x00\\x80\\x00\\x82\\x00\\x00\\x00\\x00\\x00x9`\\h\\x01\\x00\\x00\\xf0'`\\h\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x80\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00>\\x00@\\x00\\x00\\x00\\x00\\x00\\xfa9`\\h\\x01\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00::`\\h\\x01\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00<:`\\h\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 16137
          },
          {
            "timestamp": "2026-05-28 22:01:58,725",
            "thread_id": "5448",
            "caller": "0x7ff6c28c545d",
            "parentcaller": "0x7ff6c28c3945",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a30"
              },
              {
                "name": "BaseAddress",
                "value": "0x1685c603978"
              },
              {
                "name": "Size",
                "value": "0x00000080"
              },
              {
                "name": "Buffer",
                "value": "C\\x00:\\x00\\\\x00W\\x00i\\x00n\\x00d\\x00o\\x00w\\x00s\\x00\\\\x00s\\x00y\\x00s\\x00t\\x00e\\x00m\\x003\\x002\\x00\\\\x00s\\x00v\\x00c\\x00h\\x00o\\x00s\\x00t\\x00.\\x00e\\x00x\\x00e\\x00 \\x00-\\x00k\\x00 \\x00N\\x00e\\x00t\\x00w\\x00o\\x00r\\x00k\\x00S\\x00e\\x00r\\x00v\\x00i\\x00c\\x00e\\x00 \\x00-\\x00p\\x00 \\x00-\\x00s\\x00 \\x00D\\x00n\\x00s\\x00c\\x00a\\x00c\\x00h\\x00e\\x00"
              }
            ],
            "repeated": 0,
            "id": 16138
          },
          {
            "timestamp": "2026-05-28 22:01:58,725",
            "thread_id": "5448",
            "caller": "0x7ff6c28c39ad",
            "parentcaller": "0x7ff6c28c31bb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a30"
              }
            ],
            "repeated": 0,
            "id": 16139
          },
          {
            "timestamp": "2026-05-28 22:01:58,725",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c3746",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a30"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001000",
                "pretty_value": "PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "1396"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\System32\\svchost.exe"
              }
            ],
            "repeated": 0,
            "id": 16140
          },
          {
            "timestamp": "2026-05-28 22:01:58,725",
            "thread_id": "5448",
            "caller": "0x7ff6c28c472e",
            "parentcaller": "0x7ff6c28c375e",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a30"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x00000a3c"
              }
            ],
            "repeated": 0,
            "id": 16141
          },
          {
            "timestamp": "2026-05-28 22:01:58,725",
            "thread_id": "5448",
            "caller": "0x7ff6c28c4764",
            "parentcaller": "0x7ff6c28c375e",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "39"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 16142
          },
          {
            "timestamp": "2026-05-28 22:01:58,725",
            "thread_id": "5448",
            "caller": "0x7ff6c28c47ed",
            "parentcaller": "0x7ff6c28c375e",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "39"
              },
              {
                "name": "TokenInformation",
                "value": "\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\xd0\\xd2\\xabT\\x92\\x02\\x00\\x00 \\x00 \\x00\\x00\\x00\\x00\\x00\\xf8\\xd2\\xabT\\x92\\x02\\x00\\x00\\x02\\x00\\x00\\x00A\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x18\\xd3\\xabT\\x92\\x02\\x00\\x00T\\x00S\\x00A\\x00:\\x00/\\x00/\\x00P\\x00r\\x00o\\x00c\\x00U\\x00n\\x00i\\x00q\\x00u\\x00e\\x000\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xaeA\\x01\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 16143
          },
          {
            "timestamp": "2026-05-28 22:01:58,725",
            "thread_id": "5448",
            "caller": "0x7ff6c28c488d",
            "parentcaller": "0x7ff6c28c375e",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a3c"
              }
            ],
            "repeated": 0,
            "id": 16144
          },
          {
            "timestamp": "2026-05-28 22:01:58,725",
            "thread_id": "5448",
            "caller": "0x7ff6c28c3779",
            "parentcaller": "0x7ff6c28c31c6",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a30"
              }
            ],
            "repeated": 0,
            "id": 16145
          },
          {
            "timestamp": "2026-05-28 22:01:58,725",
            "thread_id": "5448",
            "caller": "0x7ff6c28c05ac",
            "parentcaller": "0x7ff6c28bdc11",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a30"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001400",
                "pretty_value": "PROCESS_QUERY_INFORMATION|PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "1644"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\System32\\svchost.exe"
              }
            ],
            "repeated": 0,
            "id": 16146
          },
          {
            "timestamp": "2026-05-28 22:01:58,725",
            "thread_id": "5448",
            "caller": "0x7ff6c28c068f",
            "parentcaller": "0x7ff6c28bdc11",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a30"
              }
            ],
            "repeated": 0,
            "id": 16147
          },
          {
            "timestamp": "2026-05-28 22:01:58,725",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c3e56",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a30"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001000",
                "pretty_value": "PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "1644"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\System32\\svchost.exe"
              }
            ],
            "repeated": 0,
            "id": 16148
          },
          {
            "timestamp": "2026-05-28 22:01:58,725",
            "thread_id": "5448",
            "caller": "0x7ff6c28c3ebb",
            "parentcaller": "0x7ff6c28c2d53",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a30"
              }
            ],
            "repeated": 0,
            "id": 16149
          },
          {
            "timestamp": "2026-05-28 22:01:58,725",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c3ffc",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a30"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001000",
                "pretty_value": "PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "1644"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\System32\\svchost.exe"
              }
            ],
            "repeated": 0,
            "id": 16150
          },
          {
            "timestamp": "2026-05-28 22:01:58,725",
            "thread_id": "5448",
            "caller": "0x7ff6c28c4224",
            "parentcaller": "0x7ff6c28c2da5",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a30"
              }
            ],
            "repeated": 0,
            "id": 16151
          },
          {
            "timestamp": "2026-05-28 22:01:58,725",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29255720002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\System32\\svchost.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 16152
          },
          {
            "timestamp": "2026-05-28 22:01:58,725",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "registry",
            "api": "NtOpenKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\en-US"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\en-US"
              }
            ],
            "repeated": 0,
            "id": 16153
          },
          {
            "timestamp": "2026-05-28 22:01:58,725",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000a30"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100001",
                "pretty_value": "FILE_READ_ACCESS|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\en-US\\svchost.exe.mui"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 16154
          },
          {
            "timestamp": "2026-05-28 22:01:58,725",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000a3c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000a30"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\en-US\\svchost.exe.mui"
              }
            ],
            "repeated": 0,
            "id": 16155
          },
          {
            "timestamp": "2026-05-28 22:01:58,725",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000a3c"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29255730000"
              },
              {
                "name": "SectionOffset",
                "value": "0xf09ddfcf90"
              },
              {
                "name": "ViewSize",
                "value": "0x00001000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 16156
          },
          {
            "timestamp": "2026-05-28 22:01:58,725",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a3c"
              }
            ],
            "repeated": 0,
            "id": 16157
          },
          {
            "timestamp": "2026-05-28 22:01:58,725",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29255730000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              }
            ],
            "repeated": 0,
            "id": 16158
          },
          {
            "timestamp": "2026-05-28 22:01:58,725",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a30"
              }
            ],
            "repeated": 0,
            "id": 16159
          },
          {
            "timestamp": "2026-05-28 22:01:58,725",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29255720000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              }
            ],
            "repeated": 0,
            "id": 16160
          },
          {
            "timestamp": "2026-05-28 22:01:58,725",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29255720002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\System32\\svchost.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 16161
          },
          {
            "timestamp": "2026-05-28 22:01:58,725",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "registry",
            "api": "NtOpenKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\en-US"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\en-US"
              }
            ],
            "repeated": 0,
            "id": 16162
          },
          {
            "timestamp": "2026-05-28 22:01:58,725",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000a30"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100001",
                "pretty_value": "FILE_READ_ACCESS|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\en-US\\svchost.exe.mui"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 16163
          },
          {
            "timestamp": "2026-05-28 22:01:58,725",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000a3c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000a30"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\en-US\\svchost.exe.mui"
              }
            ],
            "repeated": 0,
            "id": 16164
          },
          {
            "timestamp": "2026-05-28 22:01:58,725",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000a3c"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29255730000"
              },
              {
                "name": "SectionOffset",
                "value": "0xf09ddfcf80"
              },
              {
                "name": "ViewSize",
                "value": "0x00001000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 16165
          },
          {
            "timestamp": "2026-05-28 22:01:58,725",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a3c"
              }
            ],
            "repeated": 0,
            "id": 16166
          },
          {
            "timestamp": "2026-05-28 22:01:58,725",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29255730000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              }
            ],
            "repeated": 0,
            "id": 16167
          },
          {
            "timestamp": "2026-05-28 22:01:58,725",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a30"
              }
            ],
            "repeated": 0,
            "id": 16168
          },
          {
            "timestamp": "2026-05-28 22:01:58,725",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29255720000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              }
            ],
            "repeated": 0,
            "id": 16169
          },
          {
            "timestamp": "2026-05-28 22:01:58,725",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c38f8",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a30"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001410",
                "pretty_value": "PROCESS_VM_READ|PROCESS_QUERY_INFORMATION|PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "1644"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\System32\\svchost.exe"
              }
            ],
            "repeated": 0,
            "id": 16170
          },
          {
            "timestamp": "2026-05-28 22:01:58,725",
            "thread_id": "5448",
            "caller": "0x7ff6c28c53e5",
            "parentcaller": "0x7ff6c28c3945",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a30"
              },
              {
                "name": "BaseAddress",
                "value": "0x9c5b6f000"
              },
              {
                "name": "Size",
                "value": "0x000007c8"
              },
              {
                "name": "Buffer",
                "value": "\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x006\\x80\\xf7\\x7f\\x00\\x00\\xc0\\xc4\\x13x\\xfc\\x7f\\x00\\x00\\xf02 \\xad~\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x0f\\xad~\\x01\\x00\\x00\\xe0\\xc0\\x13x\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00p\\x003v\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\n\\xad~\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00@\\xc4\\x13x\\xfc\\x7f\\x00\\x00\\x7f\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xcf\\x9b\\xf4}\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00P\\x07\\xcf\\x9b\\xf4}\\x00\\x00\\x00\\x00\\xe3\\x9d\\xf5}\\x00\\x00(\\x02\\xe4\\x9d\\xf5}\\x00\\x00P\\x06\\xe5\\x9d\\xf5}\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x80\\x9b\\x07m\\xe8\\xff\\xff\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x00 \\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x10\\x00\\x00\\x00@\\xad\\x13x\\xfc\\x7f\\x00\\x00\\x00\\x00a\\xad~\\x01\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 16171
          },
          {
            "timestamp": "2026-05-28 22:01:58,725",
            "thread_id": "5448",
            "caller": "0x7ff6c28c5414",
            "parentcaller": "0x7ff6c28c3945",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a30"
              },
              {
                "name": "BaseAddress",
                "value": "0x17ead2032f0"
              },
              {
                "name": "Size",
                "value": "0x00000440"
              },
              {
                "name": "Buffer",
                "value": "T\\x07\\x00\\x00T\\x07\\x00\\x00\\x01 \\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00(\\x00\\x08\\x02\\x00\\x00\\x00\\x00\\xc0> \\xad~\\x01\\x00\\x00H\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00>\\x00@\\x00\\x00\\x00\\x00\\x0089 \\xad~\\x01\\x00\\x00\\x86\\x00\\x88\\x00\\x00\\x00\\x00\\x00x9 \\xad~\\x01\\x00\\x00\\xf0' \\xad~\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x80\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00>\\x00@\\x00\\x00\\x00\\x00\\x00\\x00: \\xad~\\x01\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00@: \\xad~\\x01\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00B: \\xad~\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 16172
          },
          {
            "timestamp": "2026-05-28 22:01:58,725",
            "thread_id": "5448",
            "caller": "0x7ff6c28c545d",
            "parentcaller": "0x7ff6c28c3945",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a30"
              },
              {
                "name": "BaseAddress",
                "value": "0x17ead203978"
              },
              {
                "name": "Size",
                "value": "0x00000086"
              },
              {
                "name": "Buffer",
                "value": "C\\x00:\\x00\\\\x00W\\x00i\\x00n\\x00d\\x00o\\x00w\\x00s\\x00\\\\x00s\\x00y\\x00s\\x00t\\x00e\\x00m\\x003\\x002\\x00\\\\x00s\\x00v\\x00c\\x00h\\x00o\\x00s\\x00t\\x00.\\x00e\\x00x\\x00e\\x00 \\x00-\\x00k\\x00 \\x00L\\x00o\\x00c\\x00a\\x00l\\x00S\\x00e\\x00r\\x00v\\x00i\\x00c\\x00e\\x00N\\x00e\\x00t\\x00w\\x00o\\x00r\\x00k\\x00R\\x00e\\x00s\\x00t\\x00r\\x00i\\x00c\\x00t\\x00e\\x00d\\x00 \\x00-\\x00p\\x00"
              }
            ],
            "repeated": 0,
            "id": 16173
          },
          {
            "timestamp": "2026-05-28 22:01:58,725",
            "thread_id": "5448",
            "caller": "0x7ff6c28c39ad",
            "parentcaller": "0x7ff6c28c31bb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a30"
              }
            ],
            "repeated": 0,
            "id": 16174
          },
          {
            "timestamp": "2026-05-28 22:01:58,725",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c3746",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a30"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001000",
                "pretty_value": "PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "1644"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\System32\\svchost.exe"
              }
            ],
            "repeated": 0,
            "id": 16175
          },
          {
            "timestamp": "2026-05-28 22:01:58,725",
            "thread_id": "5448",
            "caller": "0x7ff6c28c472e",
            "parentcaller": "0x7ff6c28c375e",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a30"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x00000a3c"
              }
            ],
            "repeated": 0,
            "id": 16176
          },
          {
            "timestamp": "2026-05-28 22:01:58,725",
            "thread_id": "5448",
            "caller": "0x7ff6c28c4764",
            "parentcaller": "0x7ff6c28c375e",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "39"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 16177
          },
          {
            "timestamp": "2026-05-28 22:01:58,725",
            "thread_id": "5448",
            "caller": "0x7ff6c28c47ed",
            "parentcaller": "0x7ff6c28c375e",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "39"
              },
              {
                "name": "TokenInformation",
                "value": "\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\xd0\\xd2\\xabT\\x92\\x02\\x00\\x00 \\x00 \\x00\\x00\\x00\\x00\\x00\\xf8\\xd2\\xabT\\x92\\x02\\x00\\x00\\x02\\x00\\x00\\x00A\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x18\\xd3\\xabT\\x92\\x02\\x00\\x00T\\x00S\\x00A\\x00:\\x00/\\x00/\\x00P\\x00r\\x00o\\x00c\\x00U\\x00n\\x00i\\x00q\\x00u\\x00e\\x002\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xabB\\x01\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 16178
          },
          {
            "timestamp": "2026-05-28 22:01:58,725",
            "thread_id": "5448",
            "caller": "0x7ff6c28c488d",
            "parentcaller": "0x7ff6c28c375e",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a3c"
              }
            ],
            "repeated": 0,
            "id": 16179
          },
          {
            "timestamp": "2026-05-28 22:01:58,725",
            "thread_id": "5448",
            "caller": "0x7ff6c28c3779",
            "parentcaller": "0x7ff6c28c31c6",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a30"
              }
            ],
            "repeated": 0,
            "id": 16180
          },
          {
            "timestamp": "2026-05-28 22:01:58,725",
            "thread_id": "5448",
            "caller": "0x7ff6c28c05ac",
            "parentcaller": "0x7ff6c28bdc11",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a30"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001400",
                "pretty_value": "PROCESS_QUERY_INFORMATION|PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "2184"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\System32\\svchost.exe"
              }
            ],
            "repeated": 0,
            "id": 16181
          },
          {
            "timestamp": "2026-05-28 22:01:58,725",
            "thread_id": "5448",
            "caller": "0x7ff6c28c068f",
            "parentcaller": "0x7ff6c28bdc11",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a30"
              }
            ],
            "repeated": 0,
            "id": 16182
          },
          {
            "timestamp": "2026-05-28 22:01:58,725",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c3e56",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a30"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001000",
                "pretty_value": "PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "2184"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\System32\\svchost.exe"
              }
            ],
            "repeated": 0,
            "id": 16183
          },
          {
            "timestamp": "2026-05-28 22:01:58,725",
            "thread_id": "5448",
            "caller": "0x7ff6c28c3ebb",
            "parentcaller": "0x7ff6c28c2d53",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a30"
              }
            ],
            "repeated": 0,
            "id": 16184
          },
          {
            "timestamp": "2026-05-28 22:01:58,725",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c3ffc",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a30"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001000",
                "pretty_value": "PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "2184"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\System32\\svchost.exe"
              }
            ],
            "repeated": 0,
            "id": 16185
          },
          {
            "timestamp": "2026-05-28 22:01:58,725",
            "thread_id": "5448",
            "caller": "0x7ff6c28c4224",
            "parentcaller": "0x7ff6c28c2da5",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a30"
              }
            ],
            "repeated": 0,
            "id": 16186
          },
          {
            "timestamp": "2026-05-28 22:01:58,725",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29255720002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\System32\\svchost.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 16187
          },
          {
            "timestamp": "2026-05-28 22:01:58,725",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "registry",
            "api": "NtOpenKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\en-US"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\en-US"
              }
            ],
            "repeated": 0,
            "id": 16188
          },
          {
            "timestamp": "2026-05-28 22:01:58,725",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000a30"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100001",
                "pretty_value": "FILE_READ_ACCESS|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\en-US\\svchost.exe.mui"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 16189
          },
          {
            "timestamp": "2026-05-28 22:01:58,725",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000a3c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000a30"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\en-US\\svchost.exe.mui"
              }
            ],
            "repeated": 0,
            "id": 16190
          },
          {
            "timestamp": "2026-05-28 22:01:58,725",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000a3c"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29255730000"
              },
              {
                "name": "SectionOffset",
                "value": "0xf09ddfcf90"
              },
              {
                "name": "ViewSize",
                "value": "0x00001000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 16191
          },
          {
            "timestamp": "2026-05-28 22:01:58,725",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a3c"
              }
            ],
            "repeated": 0,
            "id": 16192
          },
          {
            "timestamp": "2026-05-28 22:01:58,725",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29255730000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              }
            ],
            "repeated": 0,
            "id": 16193
          },
          {
            "timestamp": "2026-05-28 22:01:58,725",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a30"
              }
            ],
            "repeated": 0,
            "id": 16194
          },
          {
            "timestamp": "2026-05-28 22:01:58,725",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29255720000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              }
            ],
            "repeated": 0,
            "id": 16195
          },
          {
            "timestamp": "2026-05-28 22:01:58,725",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29255720002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\System32\\svchost.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 16196
          },
          {
            "timestamp": "2026-05-28 22:01:58,725",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "registry",
            "api": "NtOpenKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\en-US"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\en-US"
              }
            ],
            "repeated": 0,
            "id": 16197
          },
          {
            "timestamp": "2026-05-28 22:01:58,725",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000a30"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100001",
                "pretty_value": "FILE_READ_ACCESS|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\en-US\\svchost.exe.mui"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 16198
          },
          {
            "timestamp": "2026-05-28 22:01:58,725",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000a3c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000a30"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\en-US\\svchost.exe.mui"
              }
            ],
            "repeated": 0,
            "id": 16199
          },
          {
            "timestamp": "2026-05-28 22:01:58,725",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000a3c"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29255730000"
              },
              {
                "name": "SectionOffset",
                "value": "0xf09ddfcf80"
              },
              {
                "name": "ViewSize",
                "value": "0x00001000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 16200
          },
          {
            "timestamp": "2026-05-28 22:01:58,725",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a3c"
              }
            ],
            "repeated": 0,
            "id": 16201
          },
          {
            "timestamp": "2026-05-28 22:01:58,725",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29255730000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              }
            ],
            "repeated": 0,
            "id": 16202
          },
          {
            "timestamp": "2026-05-28 22:01:58,725",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a30"
              }
            ],
            "repeated": 0,
            "id": 16203
          },
          {
            "timestamp": "2026-05-28 22:01:58,725",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29255720000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              }
            ],
            "repeated": 0,
            "id": 16204
          },
          {
            "timestamp": "2026-05-28 22:01:58,725",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c38f8",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a30"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001410",
                "pretty_value": "PROCESS_VM_READ|PROCESS_QUERY_INFORMATION|PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "2184"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\System32\\svchost.exe"
              }
            ],
            "repeated": 0,
            "id": 16205
          },
          {
            "timestamp": "2026-05-28 22:01:58,725",
            "thread_id": "5448",
            "caller": "0x7ff6c28c53e5",
            "parentcaller": "0x7ff6c28c3945",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a30"
              },
              {
                "name": "BaseAddress",
                "value": "0x48567b1000"
              },
              {
                "name": "Size",
                "value": "0x000007c8"
              },
              {
                "name": "Buffer",
                "value": "\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x006\\x80\\xf7\\x7f\\x00\\x00\\xc0\\xc4\\x13x\\xfc\\x7f\\x00\\x00p2 ?\\xe1\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02?\\xe1\\x01\\x00\\x00\\xe0\\xc0\\x13x\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00p\\x003v\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xfd>\\xe1\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00@\\xc4\\x13x\\xfc\\x7f\\x00\\x00\\xff\\x1f\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00&\\x85\\xf4}\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00P\\x07&\\x85\\xf4}\\x00\\x00\\x00\\x00:\\x87\\xf5}\\x00\\x00(\\x02;\\x87\\xf5}\\x00\\x00P\\x06<\\x87\\xf5}\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x80\\x9b\\x07m\\xe8\\xff\\xff\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x00 \\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x10\\x00\\x00\\x00@\\xad\\x13x\\xfc\\x7f\\x00\\x00\\x00\\x00`?\\xe1\\x01\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 16206
          },
          {
            "timestamp": "2026-05-28 22:01:58,725",
            "thread_id": "5448",
            "caller": "0x7ff6c28c5414",
            "parentcaller": "0x7ff6c28c3945",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a30"
              },
              {
                "name": "BaseAddress",
                "value": "0x1e13f203270"
              },
              {
                "name": "Size",
                "value": "0x00000440"
              },
              {
                "name": "Buffer",
                "value": "P\\x07\\x00\\x00P\\x07\\x00\\x00\\x01 \\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00(\\x00\\x08\\x02\\x00\\x00\\x00\\x000> ?\\xe1\\x01\\x00\\x00H\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00>\\x00@\\x00\\x00\\x00\\x00\\x00\\xb88 ?\\xe1\\x01\\x00\\x00\\x82\\x00\\x84\\x00\\x00\\x00\\x00\\x00\\xf88 ?\\xe1\\x01\\x00\\x00\\xf0' ?\\xe1\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x80\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00>\\x00@\\x00\\x00\\x00\\x00\\x00|9 ?\\xe1\\x01\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\xbc9 ?\\xe1\\x01\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\xbe9 ?\\xe1\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 16207
          },
          {
            "timestamp": "2026-05-28 22:01:58,725",
            "thread_id": "5448",
            "caller": "0x7ff6c28c545d",
            "parentcaller": "0x7ff6c28c3945",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a30"
              },
              {
                "name": "BaseAddress",
                "value": "0x1e13f2038f8"
              },
              {
                "name": "Size",
                "value": "0x00000082"
              },
              {
                "name": "Buffer",
                "value": "C\\x00:\\x00\\\\x00W\\x00i\\x00n\\x00d\\x00o\\x00w\\x00s\\x00\\\\x00S\\x00y\\x00s\\x00t\\x00e\\x00m\\x003\\x002\\x00\\\\x00s\\x00v\\x00c\\x00h\\x00o\\x00s\\x00t\\x00.\\x00e\\x00x\\x00e\\x00 \\x00-\\x00k\\x00 \\x00n\\x00e\\x00t\\x00s\\x00v\\x00c\\x00s\\x00 \\x00-\\x00p\\x00 \\x00-\\x00s\\x00 \\x00S\\x00h\\x00e\\x00l\\x00l\\x00H\\x00W\\x00D\\x00e\\x00t\\x00e\\x00c\\x00t\\x00i\\x00o\\x00n\\x00"
              }
            ],
            "repeated": 0,
            "id": 16208
          },
          {
            "timestamp": "2026-05-28 22:01:58,725",
            "thread_id": "5448",
            "caller": "0x7ff6c28c39ad",
            "parentcaller": "0x7ff6c28c31bb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a30"
              }
            ],
            "repeated": 0,
            "id": 16209
          },
          {
            "timestamp": "2026-05-28 22:01:58,725",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c3746",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a30"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001000",
                "pretty_value": "PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "2184"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\System32\\svchost.exe"
              }
            ],
            "repeated": 0,
            "id": 16210
          },
          {
            "timestamp": "2026-05-28 22:01:58,725",
            "thread_id": "5448",
            "caller": "0x7ff6c28c472e",
            "parentcaller": "0x7ff6c28c375e",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a30"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x00000a3c"
              }
            ],
            "repeated": 0,
            "id": 16211
          },
          {
            "timestamp": "2026-05-28 22:01:58,725",
            "thread_id": "5448",
            "caller": "0x7ff6c28c4764",
            "parentcaller": "0x7ff6c28c375e",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "39"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 16212
          },
          {
            "timestamp": "2026-05-28 22:01:58,725",
            "thread_id": "5448",
            "caller": "0x7ff6c28c47ed",
            "parentcaller": "0x7ff6c28c375e",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "39"
              },
              {
                "name": "TokenInformation",
                "value": "\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\xd0\\xd2\\xabT\\x92\\x02\\x00\\x00 \\x00 \\x00\\x00\\x00\\x00\\x00\\xf8\\xd2\\xabT\\x92\\x02\\x00\\x00\\x02\\x00\\x00\\x00A\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x18\\xd3\\xabT\\x92\\x02\\x00\\x00T\\x00S\\x00A\\x00:\\x00/\\x00/\\x00P\\x00r\\x00o\\x00c\\x00U\\x00n\\x00i\\x00q\\x00u\\x00e\\x004\\x00\\x00\\x00\\x00\\x00\\x00\\x00XU\\x01\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 16213
          },
          {
            "timestamp": "2026-05-28 22:01:58,725",
            "thread_id": "5448",
            "caller": "0x7ff6c28c488d",
            "parentcaller": "0x7ff6c28c375e",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a3c"
              }
            ],
            "repeated": 0,
            "id": 16214
          },
          {
            "timestamp": "2026-05-28 22:01:58,725",
            "thread_id": "5448",
            "caller": "0x7ff6c28c3779",
            "parentcaller": "0x7ff6c28c31c6",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a30"
              }
            ],
            "repeated": 0,
            "id": 16215
          },
          {
            "timestamp": "2026-05-28 22:01:58,725",
            "thread_id": "5448",
            "caller": "0x7ff6c28c05ac",
            "parentcaller": "0x7ff6c28bdc11",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a30"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001400",
                "pretty_value": "PROCESS_QUERY_INFORMATION|PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "2308"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\System32\\svchost.exe"
              }
            ],
            "repeated": 0,
            "id": 16216
          },
          {
            "timestamp": "2026-05-28 22:01:58,725",
            "thread_id": "5448",
            "caller": "0x7ff6c28c068f",
            "parentcaller": "0x7ff6c28bdc11",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a30"
              }
            ],
            "repeated": 0,
            "id": 16217
          },
          {
            "timestamp": "2026-05-28 22:01:58,725",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c3e56",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a30"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001000",
                "pretty_value": "PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "2308"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\System32\\svchost.exe"
              }
            ],
            "repeated": 0,
            "id": 16218
          },
          {
            "timestamp": "2026-05-28 22:01:58,725",
            "thread_id": "5448",
            "caller": "0x7ff6c28c3ebb",
            "parentcaller": "0x7ff6c28c2d53",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a30"
              }
            ],
            "repeated": 0,
            "id": 16219
          },
          {
            "timestamp": "2026-05-28 22:01:58,725",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c3ffc",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a30"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001000",
                "pretty_value": "PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "2308"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\System32\\svchost.exe"
              }
            ],
            "repeated": 0,
            "id": 16220
          },
          {
            "timestamp": "2026-05-28 22:01:58,725",
            "thread_id": "5448",
            "caller": "0x7ff6c28c4224",
            "parentcaller": "0x7ff6c28c2da5",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a30"
              }
            ],
            "repeated": 0,
            "id": 16221
          },
          {
            "timestamp": "2026-05-28 22:01:58,725",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29255720002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\System32\\svchost.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 16222
          },
          {
            "timestamp": "2026-05-28 22:01:58,725",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "registry",
            "api": "NtOpenKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\en-US"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\en-US"
              }
            ],
            "repeated": 0,
            "id": 16223
          },
          {
            "timestamp": "2026-05-28 22:01:58,725",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000a30"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100001",
                "pretty_value": "FILE_READ_ACCESS|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\en-US\\svchost.exe.mui"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 16224
          },
          {
            "timestamp": "2026-05-28 22:01:58,725",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000a3c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000a30"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\en-US\\svchost.exe.mui"
              }
            ],
            "repeated": 0,
            "id": 16225
          },
          {
            "timestamp": "2026-05-28 22:01:58,725",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000a3c"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29255730000"
              },
              {
                "name": "SectionOffset",
                "value": "0xf09ddfcf90"
              },
              {
                "name": "ViewSize",
                "value": "0x00001000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 16226
          },
          {
            "timestamp": "2026-05-28 22:01:58,725",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a3c"
              }
            ],
            "repeated": 0,
            "id": 16227
          },
          {
            "timestamp": "2026-05-28 22:01:58,725",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29255730000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              }
            ],
            "repeated": 0,
            "id": 16228
          },
          {
            "timestamp": "2026-05-28 22:01:58,725",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a30"
              }
            ],
            "repeated": 0,
            "id": 16229
          },
          {
            "timestamp": "2026-05-28 22:01:58,725",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29255720000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              }
            ],
            "repeated": 0,
            "id": 16230
          },
          {
            "timestamp": "2026-05-28 22:01:58,725",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29255720002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\System32\\svchost.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 16231
          },
          {
            "timestamp": "2026-05-28 22:01:58,725",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "registry",
            "api": "NtOpenKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\en-US"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\en-US"
              }
            ],
            "repeated": 0,
            "id": 16232
          },
          {
            "timestamp": "2026-05-28 22:01:58,725",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000a30"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100001",
                "pretty_value": "FILE_READ_ACCESS|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\en-US\\svchost.exe.mui"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 16233
          },
          {
            "timestamp": "2026-05-28 22:01:58,725",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000a3c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000a30"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\en-US\\svchost.exe.mui"
              }
            ],
            "repeated": 0,
            "id": 16234
          },
          {
            "timestamp": "2026-05-28 22:01:58,725",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000a3c"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29255730000"
              },
              {
                "name": "SectionOffset",
                "value": "0xf09ddfcf80"
              },
              {
                "name": "ViewSize",
                "value": "0x00001000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 16235
          },
          {
            "timestamp": "2026-05-28 22:01:58,725",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a3c"
              }
            ],
            "repeated": 0,
            "id": 16236
          },
          {
            "timestamp": "2026-05-28 22:01:58,725",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29255730000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              }
            ],
            "repeated": 0,
            "id": 16237
          },
          {
            "timestamp": "2026-05-28 22:01:58,725",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a30"
              }
            ],
            "repeated": 0,
            "id": 16238
          },
          {
            "timestamp": "2026-05-28 22:01:58,725",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29255720000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              }
            ],
            "repeated": 0,
            "id": 16239
          },
          {
            "timestamp": "2026-05-28 22:01:58,725",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c38f8",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a30"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001410",
                "pretty_value": "PROCESS_VM_READ|PROCESS_QUERY_INFORMATION|PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "2308"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\System32\\svchost.exe"
              }
            ],
            "repeated": 0,
            "id": 16240
          },
          {
            "timestamp": "2026-05-28 22:01:58,725",
            "thread_id": "5448",
            "caller": "0x7ff6c28c53e5",
            "parentcaller": "0x7ff6c28c3945",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a30"
              },
              {
                "name": "BaseAddress",
                "value": "0xc3c5338000"
              },
              {
                "name": "Size",
                "value": "0x000007c8"
              },
              {
                "name": "Buffer",
                "value": "\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x006\\x80\\xf7\\x7f\\x00\\x00\\xc0\\xc4\\x13x\\xfc\\x7f\\x00\\x00\\xf02\\x80\\xad\\xd6\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00b\\xad\\xd6\\x01\\x00\\x00\\xe0\\xc0\\x13x\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00p\\x003v\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00]\\xad\\xd6\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00@\\xc4\\x13x\\xfc\\x7f\\x00\\x00\\xff\\xff\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x8d\\x17\\xf4}\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00P\\x07\\x8d\\x17\\xf4}\\x00\\x00\\x00\\x00\\xa1\\x19\\xf5}\\x00\\x00(\\x02\\xa2\\x19\\xf5}\\x00\\x00P\\x06\\xa3\\x19\\xf5}\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x80\\x9b\\x07m\\xe8\\xff\\xff\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x00 \\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x10\\x00\\x00\\x00@\\xad\\x13x\\xfc\\x7f\\x00\\x00\\x00\\x00\\xc0\\xad\\xd6\\x01\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 16241
          },
          {
            "timestamp": "2026-05-28 22:01:58,725",
            "thread_id": "5448",
            "caller": "0x7ff6c28c5414",
            "parentcaller": "0x7ff6c28c3945",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a30"
              },
              {
                "name": "BaseAddress",
                "value": "0x1d6ad8032f0"
              },
              {
                "name": "Size",
                "value": "0x00000440"
              },
              {
                "name": "Buffer",
                "value": "T\\x07\\x00\\x00T\\x07\\x00\\x00\\x01 \\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00(\\x00\\x08\\x02\\x00\\x00\\x00\\x00\\xc0>\\x80\\xad\\xd6\\x01\\x00\\x00H\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00>\\x00@\\x00\\x00\\x00\\x00\\x0089\\x80\\xad\\xd6\\x01\\x00\\x00\\x86\\x00\\x88\\x00\\x00\\x00\\x00\\x00x9\\x80\\xad\\xd6\\x01\\x00\\x00\\xf0'\\x80\\xad\\xd6\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x80\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00>\\x00@\\x00\\x00\\x00\\x00\\x00\\x00:\\x80\\xad\\xd6\\x01\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00@:\\x80\\xad\\xd6\\x01\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00B:\\x80\\xad\\xd6\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 16242
          },
          {
            "timestamp": "2026-05-28 22:01:58,725",
            "thread_id": "5448",
            "caller": "0x7ff6c28c545d",
            "parentcaller": "0x7ff6c28c3945",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a30"
              },
              {
                "name": "BaseAddress",
                "value": "0x1d6ad803978"
              },
              {
                "name": "Size",
                "value": "0x00000086"
              },
              {
                "name": "Buffer",
                "value": "C\\x00:\\x00\\\\x00W\\x00i\\x00n\\x00d\\x00o\\x00w\\x00s\\x00\\\\x00s\\x00y\\x00s\\x00t\\x00e\\x00m\\x003\\x002\\x00\\\\x00s\\x00v\\x00c\\x00h\\x00o\\x00s\\x00t\\x00.\\x00e\\x00x\\x00e\\x00 \\x00-\\x00k\\x00 \\x00L\\x00o\\x00c\\x00a\\x00l\\x00S\\x00e\\x00r\\x00v\\x00i\\x00c\\x00e\\x00N\\x00o\\x00N\\x00e\\x00t\\x00w\\x00o\\x00r\\x00k\\x00F\\x00i\\x00r\\x00e\\x00w\\x00a\\x00l\\x00l\\x00 \\x00-\\x00p\\x00"
              }
            ],
            "repeated": 0,
            "id": 16243
          },
          {
            "timestamp": "2026-05-28 22:01:58,725",
            "thread_id": "5448",
            "caller": "0x7ff6c28c39ad",
            "parentcaller": "0x7ff6c28c31bb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a30"
              }
            ],
            "repeated": 0,
            "id": 16244
          },
          {
            "timestamp": "2026-05-28 22:01:58,725",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c3746",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a30"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001000",
                "pretty_value": "PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "2308"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\System32\\svchost.exe"
              }
            ],
            "repeated": 0,
            "id": 16245
          },
          {
            "timestamp": "2026-05-28 22:01:58,725",
            "thread_id": "5448",
            "caller": "0x7ff6c28c472e",
            "parentcaller": "0x7ff6c28c375e",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a30"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x00000a3c"
              }
            ],
            "repeated": 0,
            "id": 16246
          },
          {
            "timestamp": "2026-05-28 22:01:58,725",
            "thread_id": "5448",
            "caller": "0x7ff6c28c4764",
            "parentcaller": "0x7ff6c28c375e",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "39"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 16247
          },
          {
            "timestamp": "2026-05-28 22:01:58,725",
            "thread_id": "5448",
            "caller": "0x7ff6c28c47ed",
            "parentcaller": "0x7ff6c28c375e",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "39"
              },
              {
                "name": "TokenInformation",
                "value": "\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\xd0\\xd2\\xabT\\x92\\x02\\x00\\x00 \\x00 \\x00\\x00\\x00\\x00\\x00\\xf8\\xd2\\xabT\\x92\\x02\\x00\\x00\\x02\\x00\\x00\\x00A\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x18\\xd3\\xabT\\x92\\x02\\x00\\x00T\\x00S\\x00A\\x00:\\x00/\\x00/\\x00P\\x00r\\x00o\\x00c\\x00U\\x00n\\x00i\\x00q\\x00u\\x00e\\x006\\x00\\x00\\x00\\x00\\x00\\x00\\x003t\\x01\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 16248
          },
          {
            "timestamp": "2026-05-28 22:01:58,725",
            "thread_id": "5448",
            "caller": "0x7ff6c28c488d",
            "parentcaller": "0x7ff6c28c375e",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a3c"
              }
            ],
            "repeated": 0,
            "id": 16249
          },
          {
            "timestamp": "2026-05-28 22:01:58,725",
            "thread_id": "5448",
            "caller": "0x7ff6c28c3779",
            "parentcaller": "0x7ff6c28c31c6",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a30"
              }
            ],
            "repeated": 0,
            "id": 16250
          },
          {
            "timestamp": "2026-05-28 22:01:58,725",
            "thread_id": "5448",
            "caller": "0x7ff6c28c05ac",
            "parentcaller": "0x7ff6c28bdc11",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a30"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001400",
                "pretty_value": "PROCESS_QUERY_INFORMATION|PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "2504"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\System32\\svchost.exe"
              }
            ],
            "repeated": 0,
            "id": 16251
          },
          {
            "timestamp": "2026-05-28 22:01:58,725",
            "thread_id": "5448",
            "caller": "0x7ff6c28c068f",
            "parentcaller": "0x7ff6c28bdc11",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a30"
              }
            ],
            "repeated": 0,
            "id": 16252
          },
          {
            "timestamp": "2026-05-28 22:01:58,725",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c3e56",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a30"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001000",
                "pretty_value": "PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "2504"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\System32\\svchost.exe"
              }
            ],
            "repeated": 0,
            "id": 16253
          },
          {
            "timestamp": "2026-05-28 22:01:58,725",
            "thread_id": "5448",
            "caller": "0x7ff6c28c3ebb",
            "parentcaller": "0x7ff6c28c2d53",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a30"
              }
            ],
            "repeated": 0,
            "id": 16254
          },
          {
            "timestamp": "2026-05-28 22:01:58,725",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c3ffc",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a30"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001000",
                "pretty_value": "PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "2504"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\System32\\svchost.exe"
              }
            ],
            "repeated": 0,
            "id": 16255
          },
          {
            "timestamp": "2026-05-28 22:01:58,725",
            "thread_id": "5448",
            "caller": "0x7ff6c28c4224",
            "parentcaller": "0x7ff6c28c2da5",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a30"
              }
            ],
            "repeated": 0,
            "id": 16256
          },
          {
            "timestamp": "2026-05-28 22:01:58,725",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29255720002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\System32\\svchost.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 16257
          },
          {
            "timestamp": "2026-05-28 22:01:58,725",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "registry",
            "api": "NtOpenKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\en-US"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\en-US"
              }
            ],
            "repeated": 0,
            "id": 16258
          },
          {
            "timestamp": "2026-05-28 22:01:58,725",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000a30"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100001",
                "pretty_value": "FILE_READ_ACCESS|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\en-US\\svchost.exe.mui"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 16259
          },
          {
            "timestamp": "2026-05-28 22:01:58,725",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000a3c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000a30"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\en-US\\svchost.exe.mui"
              }
            ],
            "repeated": 0,
            "id": 16260
          },
          {
            "timestamp": "2026-05-28 22:01:58,725",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000a3c"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29255730000"
              },
              {
                "name": "SectionOffset",
                "value": "0xf09ddfcf90"
              },
              {
                "name": "ViewSize",
                "value": "0x00001000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 16261
          },
          {
            "timestamp": "2026-05-28 22:01:58,725",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a3c"
              }
            ],
            "repeated": 0,
            "id": 16262
          },
          {
            "timestamp": "2026-05-28 22:01:58,725",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29255730000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              }
            ],
            "repeated": 0,
            "id": 16263
          },
          {
            "timestamp": "2026-05-28 22:01:58,725",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a30"
              }
            ],
            "repeated": 0,
            "id": 16264
          },
          {
            "timestamp": "2026-05-28 22:01:58,725",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29255720000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              }
            ],
            "repeated": 0,
            "id": 16265
          },
          {
            "timestamp": "2026-05-28 22:01:58,725",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29255720002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\System32\\svchost.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 16266
          },
          {
            "timestamp": "2026-05-28 22:01:58,725",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "registry",
            "api": "NtOpenKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\en-US"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\en-US"
              }
            ],
            "repeated": 0,
            "id": 16267
          },
          {
            "timestamp": "2026-05-28 22:01:58,725",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000a30"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100001",
                "pretty_value": "FILE_READ_ACCESS|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\en-US\\svchost.exe.mui"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 16268
          },
          {
            "timestamp": "2026-05-28 22:01:58,725",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000a3c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000a30"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\en-US\\svchost.exe.mui"
              }
            ],
            "repeated": 0,
            "id": 16269
          },
          {
            "timestamp": "2026-05-28 22:01:58,725",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000a3c"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29255730000"
              },
              {
                "name": "SectionOffset",
                "value": "0xf09ddfcf80"
              },
              {
                "name": "ViewSize",
                "value": "0x00001000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 16270
          },
          {
            "timestamp": "2026-05-28 22:01:58,725",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a3c"
              }
            ],
            "repeated": 0,
            "id": 16271
          },
          {
            "timestamp": "2026-05-28 22:01:58,725",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29255730000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              }
            ],
            "repeated": 0,
            "id": 16272
          },
          {
            "timestamp": "2026-05-28 22:01:58,725",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a30"
              }
            ],
            "repeated": 0,
            "id": 16273
          },
          {
            "timestamp": "2026-05-28 22:01:58,725",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29255720000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              }
            ],
            "repeated": 0,
            "id": 16274
          },
          {
            "timestamp": "2026-05-28 22:01:58,725",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c38f8",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a30"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001410",
                "pretty_value": "PROCESS_VM_READ|PROCESS_QUERY_INFORMATION|PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "2504"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\System32\\svchost.exe"
              }
            ],
            "repeated": 0,
            "id": 16275
          },
          {
            "timestamp": "2026-05-28 22:01:58,725",
            "thread_id": "5448",
            "caller": "0x7ff6c28c53e5",
            "parentcaller": "0x7ff6c28c3945",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a30"
              },
              {
                "name": "BaseAddress",
                "value": "0xd563b6d000"
              },
              {
                "name": "Size",
                "value": "0x000007c8"
              },
              {
                "name": "Buffer",
                "value": "\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x006\\x80\\xf7\\x7f\\x00\\x00\\xc0\\xc4\\x13x\\xfc\\x7f\\x00\\x00p2\\x00,9\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xe4+9\\x02\\x00\\x00\\xe0\\xc0\\x13x\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00p\\x003v\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xdf+9\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00@\\xc4\\x13x\\xfc\\x7f\\x00\\x00\\xff\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x1a\\x90\\xf4}\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00P\\x07\\x1a\\x90\\xf4}\\x00\\x00\\x00\\x00.\\x92\\xf5}\\x00\\x00(\\x02/\\x92\\xf5}\\x00\\x00P\\x060\\x92\\xf5}\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x80\\x9b\\x07m\\xe8\\xff\\xff\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x00 \\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x10\\x00\\x00\\x00@\\xad\\x13x\\xfc\\x7f\\x00\\x00\\x00\\x00@,9\\x02\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 16276
          },
          {
            "timestamp": "2026-05-28 22:01:58,725",
            "thread_id": "5448",
            "caller": "0x7ff6c28c5414",
            "parentcaller": "0x7ff6c28c3945",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a30"
              },
              {
                "name": "BaseAddress",
                "value": "0x2392c003270"
              },
              {
                "name": "Size",
                "value": "0x00000440"
              },
              {
                "name": "Buffer",
                "value": "<\\x07\\x00\\x00<\\x07\\x00\\x00\\x01 \\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00(\\x00\\x08\\x02\\x00\\x00\\x00\\x00 >\\x00,9\\x02\\x00\\x00H\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00>\\x00@\\x00\\x00\\x00\\x00\\x00\\xb88\\x00,9\\x02\\x00\\x00n\\x00p\\x00\\x00\\x00\\x00\\x00\\xf88\\x00,9\\x02\\x00\\x00\\xf0'\\x00,9\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x80\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00>\\x00@\\x00\\x00\\x00\\x00\\x00h9\\x00,9\\x02\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\xa89\\x00,9\\x02\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\xaa9\\x00,9\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 16277
          },
          {
            "timestamp": "2026-05-28 22:01:58,725",
            "thread_id": "5448",
            "caller": "0x7ff6c28c545d",
            "parentcaller": "0x7ff6c28c3945",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a30"
              },
              {
                "name": "BaseAddress",
                "value": "0x2392c0038f8"
              },
              {
                "name": "Size",
                "value": "0x0000006e"
              },
              {
                "name": "Buffer",
                "value": "C\\x00:\\x00\\\\x00W\\x00i\\x00n\\x00d\\x00o\\x00w\\x00s\\x00\\\\x00s\\x00y\\x00s\\x00t\\x00e\\x00m\\x003\\x002\\x00\\\\x00s\\x00v\\x00c\\x00h\\x00o\\x00s\\x00t\\x00.\\x00e\\x00x\\x00e\\x00 \\x00-\\x00k\\x00 \\x00n\\x00e\\x00t\\x00s\\x00v\\x00c\\x00s\\x00 \\x00-\\x00p\\x00 \\x00-\\x00s\\x00 \\x00I\\x00K\\x00E\\x00E\\x00X\\x00T\\x00"
              }
            ],
            "repeated": 0,
            "id": 16278
          },
          {
            "timestamp": "2026-05-28 22:01:58,725",
            "thread_id": "5448",
            "caller": "0x7ff6c28c39ad",
            "parentcaller": "0x7ff6c28c31bb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a30"
              }
            ],
            "repeated": 0,
            "id": 16279
          },
          {
            "timestamp": "2026-05-28 22:01:58,725",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c3746",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a30"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001000",
                "pretty_value": "PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "2504"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\System32\\svchost.exe"
              }
            ],
            "repeated": 0,
            "id": 16280
          },
          {
            "timestamp": "2026-05-28 22:01:58,725",
            "thread_id": "5448",
            "caller": "0x7ff6c28c472e",
            "parentcaller": "0x7ff6c28c375e",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a30"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x00000a3c"
              }
            ],
            "repeated": 0,
            "id": 16281
          },
          {
            "timestamp": "2026-05-28 22:01:58,725",
            "thread_id": "5448",
            "caller": "0x7ff6c28c4764",
            "parentcaller": "0x7ff6c28c375e",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "39"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 16282
          },
          {
            "timestamp": "2026-05-28 22:01:58,725",
            "thread_id": "5448",
            "caller": "0x7ff6c28c47ed",
            "parentcaller": "0x7ff6c28c375e",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "39"
              },
              {
                "name": "TokenInformation",
                "value": "\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\xd0\\xd2\\xabT\\x92\\x02\\x00\\x00 \\x00 \\x00\\x00\\x00\\x00\\x00\\xf8\\xd2\\xabT\\x92\\x02\\x00\\x00\\x02\\x00\\x00\\x00A\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x18\\xd3\\xabT\\x92\\x02\\x00\\x00T\\x00S\\x00A\\x00:\\x00/\\x00/\\x00P\\x00r\\x00o\\x00c\\x00U\\x00n\\x00i\\x00q\\x00u\\x00e\\x009\\x00\\x00\\x00\\x00\\x00\\x00\\x00=\\x91\\x01\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 16283
          },
          {
            "timestamp": "2026-05-28 22:01:58,725",
            "thread_id": "5448",
            "caller": "0x7ff6c28c488d",
            "parentcaller": "0x7ff6c28c375e",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a3c"
              }
            ],
            "repeated": 0,
            "id": 16284
          },
          {
            "timestamp": "2026-05-28 22:01:58,725",
            "thread_id": "5448",
            "caller": "0x7ff6c28c3779",
            "parentcaller": "0x7ff6c28c31c6",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a30"
              }
            ],
            "repeated": 0,
            "id": 16285
          },
          {
            "timestamp": "2026-05-28 22:01:58,725",
            "thread_id": "5448",
            "caller": "0x7ff6c28c05ac",
            "parentcaller": "0x7ff6c28bdc11",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a30"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001400",
                "pretty_value": "PROCESS_QUERY_INFORMATION|PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "2628"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\System32\\svchost.exe"
              }
            ],
            "repeated": 0,
            "id": 16286
          },
          {
            "timestamp": "2026-05-28 22:01:58,725",
            "thread_id": "5448",
            "caller": "0x7ff6c28c068f",
            "parentcaller": "0x7ff6c28bdc11",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a30"
              }
            ],
            "repeated": 0,
            "id": 16287
          },
          {
            "timestamp": "2026-05-28 22:01:58,725",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c3e56",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a30"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001000",
                "pretty_value": "PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "2628"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\System32\\svchost.exe"
              }
            ],
            "repeated": 0,
            "id": 16288
          },
          {
            "timestamp": "2026-05-28 22:01:58,725",
            "thread_id": "5448",
            "caller": "0x7ff6c28c3ebb",
            "parentcaller": "0x7ff6c28c2d53",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a30"
              }
            ],
            "repeated": 0,
            "id": 16289
          },
          {
            "timestamp": "2026-05-28 22:01:58,725",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c3ffc",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a30"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001000",
                "pretty_value": "PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "2628"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\System32\\svchost.exe"
              }
            ],
            "repeated": 0,
            "id": 16290
          },
          {
            "timestamp": "2026-05-28 22:01:58,725",
            "thread_id": "5448",
            "caller": "0x7ff6c28c4224",
            "parentcaller": "0x7ff6c28c2da5",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a30"
              }
            ],
            "repeated": 0,
            "id": 16291
          },
          {
            "timestamp": "2026-05-28 22:01:58,725",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29255720002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\System32\\svchost.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 16292
          },
          {
            "timestamp": "2026-05-28 22:01:58,725",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "registry",
            "api": "NtOpenKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\en-US"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\en-US"
              }
            ],
            "repeated": 0,
            "id": 16293
          },
          {
            "timestamp": "2026-05-28 22:01:58,725",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000a30"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100001",
                "pretty_value": "FILE_READ_ACCESS|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\en-US\\svchost.exe.mui"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 16294
          },
          {
            "timestamp": "2026-05-28 22:01:58,725",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000a3c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000a30"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\en-US\\svchost.exe.mui"
              }
            ],
            "repeated": 0,
            "id": 16295
          },
          {
            "timestamp": "2026-05-28 22:01:58,725",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000a3c"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29255730000"
              },
              {
                "name": "SectionOffset",
                "value": "0xf09ddfcf90"
              },
              {
                "name": "ViewSize",
                "value": "0x00001000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 16296
          },
          {
            "timestamp": "2026-05-28 22:01:58,725",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a3c"
              }
            ],
            "repeated": 0,
            "id": 16297
          },
          {
            "timestamp": "2026-05-28 22:01:58,725",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29255730000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              }
            ],
            "repeated": 0,
            "id": 16298
          },
          {
            "timestamp": "2026-05-28 22:01:58,725",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a30"
              }
            ],
            "repeated": 0,
            "id": 16299
          },
          {
            "timestamp": "2026-05-28 22:01:58,725",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29255720000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              }
            ],
            "repeated": 0,
            "id": 16300
          },
          {
            "timestamp": "2026-05-28 22:01:58,725",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29255720002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\System32\\svchost.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 16301
          },
          {
            "timestamp": "2026-05-28 22:01:58,725",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "registry",
            "api": "NtOpenKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\en-US"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\en-US"
              }
            ],
            "repeated": 0,
            "id": 16302
          },
          {
            "timestamp": "2026-05-28 22:01:58,725",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000a30"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100001",
                "pretty_value": "FILE_READ_ACCESS|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\en-US\\svchost.exe.mui"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 16303
          },
          {
            "timestamp": "2026-05-28 22:01:58,725",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000a3c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000a30"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\en-US\\svchost.exe.mui"
              }
            ],
            "repeated": 0,
            "id": 16304
          },
          {
            "timestamp": "2026-05-28 22:01:58,725",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000a3c"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29255730000"
              },
              {
                "name": "SectionOffset",
                "value": "0xf09ddfcf80"
              },
              {
                "name": "ViewSize",
                "value": "0x00001000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 16305
          },
          {
            "timestamp": "2026-05-28 22:01:58,725",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a3c"
              }
            ],
            "repeated": 0,
            "id": 16306
          },
          {
            "timestamp": "2026-05-28 22:01:58,725",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29255730000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              }
            ],
            "repeated": 0,
            "id": 16307
          },
          {
            "timestamp": "2026-05-28 22:01:58,725",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a30"
              }
            ],
            "repeated": 0,
            "id": 16308
          },
          {
            "timestamp": "2026-05-28 22:01:58,725",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29255720000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              }
            ],
            "repeated": 0,
            "id": 16309
          },
          {
            "timestamp": "2026-05-28 22:01:58,725",
            "thread_id": "1496",
            "caller": "0x7ff6c28da9db",
            "parentcaller": "0x7ff6c28d6fb1",
            "category": "misc",
            "api": "GetCursorPos",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "x",
                "value": "606"
              },
              {
                "name": "y",
                "value": "383"
              }
            ],
            "repeated": 0,
            "id": 16310
          },
          {
            "timestamp": "2026-05-28 22:01:58,725",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6fb1",
            "parentcaller": "0x7ff6c28e0076",
            "category": "system",
            "api": "NtDelayExecution",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 16311
          },
          {
            "timestamp": "2026-05-28 22:01:58,725",
            "thread_id": "1496",
            "caller": "0x7ff6c28da9db",
            "parentcaller": "0x7ff6c28d6fb1",
            "category": "misc",
            "api": "GetCursorPos",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "x",
                "value": "593"
              },
              {
                "name": "y",
                "value": "376"
              }
            ],
            "repeated": 0,
            "id": 16312
          },
          {
            "timestamp": "2026-05-28 22:01:58,725",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c38f8",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a30"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001410",
                "pretty_value": "PROCESS_VM_READ|PROCESS_QUERY_INFORMATION|PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "2628"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\System32\\svchost.exe"
              }
            ],
            "repeated": 0,
            "id": 16313
          },
          {
            "timestamp": "2026-05-28 22:01:58,725",
            "thread_id": "5448",
            "caller": "0x7ff6c28c53e5",
            "parentcaller": "0x7ff6c28c3945",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a30"
              },
              {
                "name": "BaseAddress",
                "value": "0x6afbcad000"
              },
              {
                "name": "Size",
                "value": "0x000007c8"
              },
              {
                "name": "Buffer",
                "value": "\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x006\\x80\\xf7\\x7f\\x00\\x00\\xc0\\xc4\\x13x\\xfc\\x7f\\x00\\x00\\xf02\\xc0a~\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xa9a~\\x01\\x00\\x00\\xe0\\xc0\\x13x\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00p\\x003v\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xa4a~\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00@\\xc4\\x13x\\xfc\\x7f\\x00\\x00\\xff\\x03\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xf4:\\xf4}\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00P\\x07\\xf4:\\xf4}\\x00\\x00\\x00\\x00\\x08=\\xf5}\\x00\\x00(\\x02\t=\\xf5}\\x00\\x00P\\x06\n=\\xf5}\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x80\\x9b\\x07m\\xe8\\xff\\xff\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x00 \\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x10\\x00\\x00\\x00@\\xad\\x13x\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00b~\\x01\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 16314
          },
          {
            "timestamp": "2026-05-28 22:01:58,725",
            "thread_id": "5448",
            "caller": "0x7ff6c28c5414",
            "parentcaller": "0x7ff6c28c3945",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a30"
              },
              {
                "name": "BaseAddress",
                "value": "0x17e61c032f0"
              },
              {
                "name": "Size",
                "value": "0x00000440"
              },
              {
                "name": "Buffer",
                "value": "N\\x07\\x00\\x00N\\x07\\x00\\x00\\x01 \\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00(\\x00\\x08\\x02\\x00\\x00\\x00\\x00\\xb0>\\xc0a~\\x01\\x00\\x00H\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00>\\x00@\\x00\\x00\\x00\\x00\\x0089\\xc0a~\\x01\\x00\\x00\\x80\\x00\\x82\\x00\\x00\\x00\\x00\\x00x9\\xc0a~\\x01\\x00\\x00\\xf0'\\xc0a~\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x80\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00>\\x00@\\x00\\x00\\x00\\x00\\x00\\xfa9\\xc0a~\\x01\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00::\\xc0a~\\x01\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00<:\\xc0a~\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 16315
          },
          {
            "timestamp": "2026-05-28 22:01:58,725",
            "thread_id": "5448",
            "caller": "0x7ff6c28c545d",
            "parentcaller": "0x7ff6c28c3945",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a30"
              },
              {
                "name": "BaseAddress",
                "value": "0x17e61c03978"
              },
              {
                "name": "Size",
                "value": "0x00000080"
              },
              {
                "name": "Buffer",
                "value": "C\\x00:\\x00\\\\x00W\\x00i\\x00n\\x00d\\x00o\\x00w\\x00s\\x00\\\\x00s\\x00y\\x00s\\x00t\\x00e\\x00m\\x003\\x002\\x00\\\\x00s\\x00v\\x00c\\x00h\\x00o\\x00s\\x00t\\x00.\\x00e\\x00x\\x00e\\x00 \\x00-\\x00k\\x00 \\x00N\\x00e\\x00t\\x00w\\x00o\\x00r\\x00k\\x00S\\x00e\\x00r\\x00v\\x00i\\x00c\\x00e\\x00 \\x00-\\x00p\\x00 \\x00-\\x00s\\x00 \\x00C\\x00r\\x00y\\x00p\\x00t\\x00S\\x00v\\x00c\\x00"
              }
            ],
            "repeated": 0,
            "id": 16316
          },
          {
            "timestamp": "2026-05-28 22:01:58,725",
            "thread_id": "5448",
            "caller": "0x7ff6c28c39ad",
            "parentcaller": "0x7ff6c28c31bb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a30"
              }
            ],
            "repeated": 0,
            "id": 16317
          },
          {
            "timestamp": "2026-05-28 22:01:58,725",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c3746",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a30"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001000",
                "pretty_value": "PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "2628"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\System32\\svchost.exe"
              }
            ],
            "repeated": 0,
            "id": 16318
          },
          {
            "timestamp": "2026-05-28 22:01:58,725",
            "thread_id": "5448",
            "caller": "0x7ff6c28c472e",
            "parentcaller": "0x7ff6c28c375e",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a30"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x00000a44"
              }
            ],
            "repeated": 0,
            "id": 16319
          },
          {
            "timestamp": "2026-05-28 22:01:58,725",
            "thread_id": "5448",
            "caller": "0x7ff6c28c4764",
            "parentcaller": "0x7ff6c28c375e",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "39"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 16320
          },
          {
            "timestamp": "2026-05-28 22:01:58,725",
            "thread_id": "5448",
            "caller": "0x7ff6c28c47ed",
            "parentcaller": "0x7ff6c28c375e",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "39"
              },
              {
                "name": "TokenInformation",
                "value": "\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\xd0\\xd2\\xabT\\x92\\x02\\x00\\x00 \\x00 \\x00\\x00\\x00\\x00\\x00\\xf8\\xd2\\xabT\\x92\\x02\\x00\\x00\\x02\\x00\\x00\\x00A\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x18\\xd3\\xabT\\x92\\x02\\x00\\x00T\\x00S\\x00A\\x00:\\x00/\\x00/\\x00P\\x00r\\x00o\\x00c\\x00U\\x00n\\x00i\\x00q\\x00u\\x00e\\x00;\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x07\\xa3\\x01\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 16321
          },
          {
            "timestamp": "2026-05-28 22:01:58,725",
            "thread_id": "5448",
            "caller": "0x7ff6c28c488d",
            "parentcaller": "0x7ff6c28c375e",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a44"
              }
            ],
            "repeated": 0,
            "id": 16322
          },
          {
            "timestamp": "2026-05-28 22:01:58,725",
            "thread_id": "5448",
            "caller": "0x7ff6c28c3779",
            "parentcaller": "0x7ff6c28c31c6",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a30"
              }
            ],
            "repeated": 0,
            "id": 16323
          },
          {
            "timestamp": "2026-05-28 22:01:58,725",
            "thread_id": "1496",
            "caller": "0x7ff6c28da9db",
            "parentcaller": "0x7ff6c28d6fb1",
            "category": "misc",
            "api": "GetCursorPos",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "x",
                "value": "592"
              },
              {
                "name": "y",
                "value": "376"
              }
            ],
            "repeated": 0,
            "id": 16324
          },
          {
            "timestamp": "2026-05-28 22:01:58,725",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6fb1",
            "parentcaller": "0x7ff6c28e0076",
            "category": "system",
            "api": "NtDelayExecution",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 16325
          },
          {
            "timestamp": "2026-05-28 22:01:58,725",
            "thread_id": "5448",
            "caller": "0x7ff6c28c05ac",
            "parentcaller": "0x7ff6c28bdc11",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a30"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001400",
                "pretty_value": "PROCESS_QUERY_INFORMATION|PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "2644"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\System32\\svchost.exe"
              }
            ],
            "repeated": 0,
            "id": 16326
          },
          {
            "timestamp": "2026-05-28 22:01:58,725",
            "thread_id": "5448",
            "caller": "0x7ff6c28c068f",
            "parentcaller": "0x7ff6c28bdc11",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a30"
              }
            ],
            "repeated": 0,
            "id": 16327
          },
          {
            "timestamp": "2026-05-28 22:01:58,725",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c3e56",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a30"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001000",
                "pretty_value": "PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "2644"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\System32\\svchost.exe"
              }
            ],
            "repeated": 0,
            "id": 16328
          },
          {
            "timestamp": "2026-05-28 22:01:58,725",
            "thread_id": "5448",
            "caller": "0x7ff6c28c3ebb",
            "parentcaller": "0x7ff6c28c2d53",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a30"
              }
            ],
            "repeated": 0,
            "id": 16329
          },
          {
            "timestamp": "2026-05-28 22:01:58,725",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c3ffc",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a30"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001000",
                "pretty_value": "PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "2644"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\System32\\svchost.exe"
              }
            ],
            "repeated": 0,
            "id": 16330
          },
          {
            "timestamp": "2026-05-28 22:01:58,725",
            "thread_id": "5448",
            "caller": "0x7ff6c28c4224",
            "parentcaller": "0x7ff6c28c2da5",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a30"
              }
            ],
            "repeated": 0,
            "id": 16331
          },
          {
            "timestamp": "2026-05-28 22:01:58,725",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29255720002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\System32\\svchost.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 16332
          },
          {
            "timestamp": "2026-05-28 22:01:58,725",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "registry",
            "api": "NtOpenKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\en-US"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\en-US"
              }
            ],
            "repeated": 0,
            "id": 16333
          },
          {
            "timestamp": "2026-05-28 22:01:58,725",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000a30"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100001",
                "pretty_value": "FILE_READ_ACCESS|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\en-US\\svchost.exe.mui"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 16334
          },
          {
            "timestamp": "2026-05-28 22:01:58,725",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000a44"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000a30"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\en-US\\svchost.exe.mui"
              }
            ],
            "repeated": 0,
            "id": 16335
          },
          {
            "timestamp": "2026-05-28 22:01:58,725",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000a44"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29255730000"
              },
              {
                "name": "SectionOffset",
                "value": "0xf09ddfcf90"
              },
              {
                "name": "ViewSize",
                "value": "0x00001000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 16336
          },
          {
            "timestamp": "2026-05-28 22:01:58,725",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a44"
              }
            ],
            "repeated": 0,
            "id": 16337
          },
          {
            "timestamp": "2026-05-28 22:01:58,740",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29255730000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              }
            ],
            "repeated": 0,
            "id": 16338
          },
          {
            "timestamp": "2026-05-28 22:01:58,740",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a30"
              }
            ],
            "repeated": 0,
            "id": 16339
          },
          {
            "timestamp": "2026-05-28 22:01:58,740",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29255720000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              }
            ],
            "repeated": 0,
            "id": 16340
          },
          {
            "timestamp": "2026-05-28 22:01:58,740",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29255720002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\System32\\svchost.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 16341
          },
          {
            "timestamp": "2026-05-28 22:01:58,740",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "registry",
            "api": "NtOpenKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\en-US"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\en-US"
              }
            ],
            "repeated": 0,
            "id": 16342
          },
          {
            "timestamp": "2026-05-28 22:01:58,740",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000a30"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100001",
                "pretty_value": "FILE_READ_ACCESS|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\en-US\\svchost.exe.mui"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 16343
          },
          {
            "timestamp": "2026-05-28 22:01:58,740",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000a50"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000a30"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\en-US\\svchost.exe.mui"
              }
            ],
            "repeated": 0,
            "id": 16344
          },
          {
            "timestamp": "2026-05-28 22:01:58,740",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000a50"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29255730000"
              },
              {
                "name": "SectionOffset",
                "value": "0xf09ddfcf80"
              },
              {
                "name": "ViewSize",
                "value": "0x00001000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 16345
          },
          {
            "timestamp": "2026-05-28 22:01:58,740",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a50"
              }
            ],
            "repeated": 0,
            "id": 16346
          },
          {
            "timestamp": "2026-05-28 22:01:58,740",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29255730000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              }
            ],
            "repeated": 0,
            "id": 16347
          },
          {
            "timestamp": "2026-05-28 22:01:58,740",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a30"
              }
            ],
            "repeated": 0,
            "id": 16348
          },
          {
            "timestamp": "2026-05-28 22:01:58,740",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29255720000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              }
            ],
            "repeated": 0,
            "id": 16349
          },
          {
            "timestamp": "2026-05-28 22:01:58,740",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c38f8",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a30"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001410",
                "pretty_value": "PROCESS_VM_READ|PROCESS_QUERY_INFORMATION|PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "2644"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\System32\\svchost.exe"
              }
            ],
            "repeated": 0,
            "id": 16350
          },
          {
            "timestamp": "2026-05-28 22:01:58,740",
            "thread_id": "5448",
            "caller": "0x7ff6c28c53e5",
            "parentcaller": "0x7ff6c28c3945",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a30"
              },
              {
                "name": "BaseAddress",
                "value": "0x3643b14000"
              },
              {
                "name": "Size",
                "value": "0x000007c8"
              },
              {
                "name": "Buffer",
                "value": "\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x006\\x80\\xf7\\x7f\\x00\\x00\\xc0\\xc4\\x13x\\xfc\\x7f\\x00\\x00\\xf02@\\x90\\xa7\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00!\\x90\\xa7\\x01\\x00\\x00\\xe0\\xc0\\x13x\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00p\\x003v\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x1c\\x90\\xa7\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00@\\xc4\\x13x\\xfc\\x7f\\x00\\x00\\xff\\xff\\x0f\\x00\\x00\\x00\\x00\\x00\\x00\\x00Q\\x11\\xf4}\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00P\\x07Q\\x11\\xf4}\\x00\\x00\\x00\\x00e\\x13\\xf5}\\x00\\x00(\\x02f\\x13\\xf5}\\x00\\x00P\\x06g\\x13\\xf5}\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x80\\x9b\\x07m\\xe8\\xff\\xff\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x00 \\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x10\\x00\\x00\\x00@\\xad\\x13x\\xfc\\x7f\\x00\\x00\\x00\\x00\\x80\\x90\\xa7\\x01\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 16351
          },
          {
            "timestamp": "2026-05-28 22:01:58,740",
            "thread_id": "5448",
            "caller": "0x7ff6c28c5414",
            "parentcaller": "0x7ff6c28c3945",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a30"
              },
              {
                "name": "BaseAddress",
                "value": "0x1a7904032f0"
              },
              {
                "name": "Size",
                "value": "0x00000440"
              },
              {
                "name": "Buffer",
                "value": "R\\x07\\x00\\x00R\\x07\\x00\\x00\\x01 \\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00(\\x00\\x08\\x02\\x00\\x00\\x00\\x00\\xc0>@\\x90\\xa7\\x01\\x00\\x00H\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00>\\x00@\\x00\\x00\\x00\\x00\\x0089@\\x90\\xa7\\x01\\x00\\x00\\x84\\x00\\x86\\x00\\x00\\x00\\x00\\x00x9@\\x90\\xa7\\x01\\x00\\x00\\xf0'@\\x90\\xa7\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x80\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00>\\x00@\\x00\\x00\\x00\\x00\\x00\\xfe9@\\x90\\xa7\\x01\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00>:@\\x90\\xa7\\x01\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00@:@\\x90\\xa7\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 16352
          },
          {
            "timestamp": "2026-05-28 22:01:58,740",
            "thread_id": "5448",
            "caller": "0x7ff6c28c545d",
            "parentcaller": "0x7ff6c28c3945",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a30"
              },
              {
                "name": "BaseAddress",
                "value": "0x1a790403978"
              },
              {
                "name": "Size",
                "value": "0x00000084"
              },
              {
                "name": "Buffer",
                "value": "C\\x00:\\x00\\\\x00W\\x00i\\x00n\\x00d\\x00o\\x00w\\x00s\\x00\\\\x00S\\x00y\\x00s\\x00t\\x00e\\x00m\\x003\\x002\\x00\\\\x00s\\x00v\\x00c\\x00h\\x00o\\x00s\\x00t\\x00.\\x00e\\x00x\\x00e\\x00 \\x00-\\x00k\\x00 \\x00L\\x00o\\x00c\\x00a\\x00l\\x00S\\x00e\\x00r\\x00v\\x00i\\x00c\\x00e\\x00N\\x00o\\x00N\\x00e\\x00t\\x00w\\x00o\\x00r\\x00k\\x00 \\x00-\\x00p\\x00 \\x00-\\x00s\\x00 \\x00D\\x00P\\x00S\\x00"
              }
            ],
            "repeated": 0,
            "id": 16353
          },
          {
            "timestamp": "2026-05-28 22:01:58,740",
            "thread_id": "5448",
            "caller": "0x7ff6c28c39ad",
            "parentcaller": "0x7ff6c28c31bb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a30"
              }
            ],
            "repeated": 0,
            "id": 16354
          },
          {
            "timestamp": "2026-05-28 22:01:58,740",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c3746",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a30"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001000",
                "pretty_value": "PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "2644"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\System32\\svchost.exe"
              }
            ],
            "repeated": 0,
            "id": 16355
          },
          {
            "timestamp": "2026-05-28 22:01:58,740",
            "thread_id": "5448",
            "caller": "0x7ff6c28c472e",
            "parentcaller": "0x7ff6c28c375e",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a30"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x00000a50"
              }
            ],
            "repeated": 0,
            "id": 16356
          },
          {
            "timestamp": "2026-05-28 22:01:58,740",
            "thread_id": "5448",
            "caller": "0x7ff6c28c4764",
            "parentcaller": "0x7ff6c28c375e",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "39"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 16357
          },
          {
            "timestamp": "2026-05-28 22:01:58,740",
            "thread_id": "5448",
            "caller": "0x7ff6c28c47ed",
            "parentcaller": "0x7ff6c28c375e",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "39"
              },
              {
                "name": "TokenInformation",
                "value": "\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\xd0\\xd2\\xabT\\x92\\x02\\x00\\x00 \\x00 \\x00\\x00\\x00\\x00\\x00\\xf8\\xd2\\xabT\\x92\\x02\\x00\\x00\\x02\\x00\\x00\\x00A\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x18\\xd3\\xabT\\x92\\x02\\x00\\x00T\\x00S\\x00A\\x00:\\x00/\\x00/\\x00P\\x00r\\x00o\\x00c\\x00U\\x00n\\x00i\\x00q\\x00u\\x00e\\x00=\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xa0\\xa3\\x01\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 16358
          },
          {
            "timestamp": "2026-05-28 22:01:58,740",
            "thread_id": "5448",
            "caller": "0x7ff6c28c488d",
            "parentcaller": "0x7ff6c28c375e",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a50"
              }
            ],
            "repeated": 0,
            "id": 16359
          },
          {
            "timestamp": "2026-05-28 22:01:58,740",
            "thread_id": "5448",
            "caller": "0x7ff6c28c3779",
            "parentcaller": "0x7ff6c28c31c6",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a30"
              }
            ],
            "repeated": 0,
            "id": 16360
          },
          {
            "timestamp": "2026-05-28 22:01:58,740",
            "thread_id": "5448",
            "caller": "0x7ff6c28c05ac",
            "parentcaller": "0x7ff6c28bdc11",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a30"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001400",
                "pretty_value": "PROCESS_QUERY_INFORMATION|PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "2800"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\System32\\svchost.exe"
              }
            ],
            "repeated": 0,
            "id": 16361
          },
          {
            "timestamp": "2026-05-28 22:01:58,740",
            "thread_id": "5448",
            "caller": "0x7ff6c28c068f",
            "parentcaller": "0x7ff6c28bdc11",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a30"
              }
            ],
            "repeated": 0,
            "id": 16362
          },
          {
            "timestamp": "2026-05-28 22:01:58,740",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c3e56",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a30"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001000",
                "pretty_value": "PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "2800"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\System32\\svchost.exe"
              }
            ],
            "repeated": 0,
            "id": 16363
          },
          {
            "timestamp": "2026-05-28 22:01:58,740",
            "thread_id": "5448",
            "caller": "0x7ff6c28c3ebb",
            "parentcaller": "0x7ff6c28c2d53",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a30"
              }
            ],
            "repeated": 0,
            "id": 16364
          },
          {
            "timestamp": "2026-05-28 22:01:58,740",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c3ffc",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a30"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001000",
                "pretty_value": "PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "2800"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\System32\\svchost.exe"
              }
            ],
            "repeated": 0,
            "id": 16365
          },
          {
            "timestamp": "2026-05-28 22:01:58,740",
            "thread_id": "5448",
            "caller": "0x7ff6c28c4224",
            "parentcaller": "0x7ff6c28c2da5",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a30"
              }
            ],
            "repeated": 0,
            "id": 16366
          },
          {
            "timestamp": "2026-05-28 22:01:58,740",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29255720002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\System32\\svchost.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 16367
          },
          {
            "timestamp": "2026-05-28 22:01:58,740",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "registry",
            "api": "NtOpenKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\en-US"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\en-US"
              }
            ],
            "repeated": 0,
            "id": 16368
          },
          {
            "timestamp": "2026-05-28 22:01:58,740",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000a30"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100001",
                "pretty_value": "FILE_READ_ACCESS|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\en-US\\svchost.exe.mui"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 16369
          },
          {
            "timestamp": "2026-05-28 22:01:58,740",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000a50"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000a30"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\en-US\\svchost.exe.mui"
              }
            ],
            "repeated": 0,
            "id": 16370
          },
          {
            "timestamp": "2026-05-28 22:01:58,740",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000a50"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29255730000"
              },
              {
                "name": "SectionOffset",
                "value": "0xf09ddfcf90"
              },
              {
                "name": "ViewSize",
                "value": "0x00001000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 16371
          },
          {
            "timestamp": "2026-05-28 22:01:58,740",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a50"
              }
            ],
            "repeated": 0,
            "id": 16372
          },
          {
            "timestamp": "2026-05-28 22:01:58,740",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29255730000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              }
            ],
            "repeated": 0,
            "id": 16373
          },
          {
            "timestamp": "2026-05-28 22:01:58,740",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a30"
              }
            ],
            "repeated": 0,
            "id": 16374
          },
          {
            "timestamp": "2026-05-28 22:01:58,740",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29255720000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              }
            ],
            "repeated": 0,
            "id": 16375
          },
          {
            "timestamp": "2026-05-28 22:01:58,740",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29255720002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\System32\\svchost.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 16376
          },
          {
            "timestamp": "2026-05-28 22:01:58,740",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "registry",
            "api": "NtOpenKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\en-US"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\en-US"
              }
            ],
            "repeated": 0,
            "id": 16377
          },
          {
            "timestamp": "2026-05-28 22:01:58,740",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000a30"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100001",
                "pretty_value": "FILE_READ_ACCESS|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\en-US\\svchost.exe.mui"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 16378
          },
          {
            "timestamp": "2026-05-28 22:01:58,740",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000a50"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000a30"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\en-US\\svchost.exe.mui"
              }
            ],
            "repeated": 0,
            "id": 16379
          },
          {
            "timestamp": "2026-05-28 22:01:58,740",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000a50"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29255730000"
              },
              {
                "name": "SectionOffset",
                "value": "0xf09ddfcf80"
              },
              {
                "name": "ViewSize",
                "value": "0x00001000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 16380
          },
          {
            "timestamp": "2026-05-28 22:01:58,740",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a50"
              }
            ],
            "repeated": 0,
            "id": 16381
          },
          {
            "timestamp": "2026-05-28 22:01:58,740",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29255730000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              }
            ],
            "repeated": 0,
            "id": 16382
          },
          {
            "timestamp": "2026-05-28 22:01:58,740",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a30"
              }
            ],
            "repeated": 0,
            "id": 16383
          },
          {
            "timestamp": "2026-05-28 22:01:58,740",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29255720000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              }
            ],
            "repeated": 0,
            "id": 16384
          },
          {
            "timestamp": "2026-05-28 22:01:58,740",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c38f8",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a30"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001410",
                "pretty_value": "PROCESS_VM_READ|PROCESS_QUERY_INFORMATION|PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "2800"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\System32\\svchost.exe"
              }
            ],
            "repeated": 0,
            "id": 16385
          },
          {
            "timestamp": "2026-05-28 22:01:58,740",
            "thread_id": "5448",
            "caller": "0x7ff6c28c53e5",
            "parentcaller": "0x7ff6c28c3945",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a30"
              },
              {
                "name": "BaseAddress",
                "value": "0xac7f4ed000"
              },
              {
                "name": "Size",
                "value": "0x000007c8"
              },
              {
                "name": "Buffer",
                "value": "\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x006\\x80\\xf7\\x7f\\x00\\x00\\xc0\\xc4\\x13x\\xfc\\x7f\\x00\\x00p2\\xe0V\\x8e\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xdeV\\x8e\\x02\\x00\\x00\\xe0\\xc0\\x13x\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00p\\x003v\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xd9V\\x8e\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00@\\xc4\\x13x\\xfc\\x7f\\x00\\x00\\x17\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x8f]\\xf4}\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00P\\x07\\x8f]\\xf4}\\x00\\x00\\x00\\x00\\xa3_\\xf5}\\x00\\x00(\\x02\\xa4_\\xf5}\\x00\\x00P\\x06\\xa5_\\xf5}\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x80\\x9b\\x07m\\xe8\\xff\\xff\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x00 \\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x10\\x00\\x00\\x00@\\xad\\x13x\\xfc\\x7f\\x00\\x00\\x00\\x000W\\x8e\\x02\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 16386
          },
          {
            "timestamp": "2026-05-28 22:01:58,740",
            "thread_id": "5448",
            "caller": "0x7ff6c28c5414",
            "parentcaller": "0x7ff6c28c3945",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a30"
              },
              {
                "name": "BaseAddress",
                "value": "0x28e56e03270"
              },
              {
                "name": "Size",
                "value": "0x00000440"
              },
              {
                "name": "Buffer",
                "value": "f\\x07\\x00\\x00f\\x07\\x00\\x00\\x01 \\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00(\\x00\\x08\\x02\\x00\\x00\\x00\\x00P>\\xe0V\\x8e\\x02\\x00\\x00H\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00>\\x00@\\x00\\x00\\x00\\x00\\x00\\xb88\\xe0V\\x8e\\x02\\x00\\x00\\x98\\x00\\x9a\\x00\\x00\\x00\\x00\\x00\\xf88\\xe0V\\x8e\\x02\\x00\\x00\\xf0'\\xe0V\\x8e\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x80\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00>\\x00@\\x00\\x00\\x00\\x00\\x00\\x929\\xe0V\\x8e\\x02\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\xd29\\xe0V\\x8e\\x02\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\xd49\\xe0V\\x8e\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 16387
          },
          {
            "timestamp": "2026-05-28 22:01:58,740",
            "thread_id": "5448",
            "caller": "0x7ff6c28c545d",
            "parentcaller": "0x7ff6c28c3945",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a30"
              },
              {
                "name": "BaseAddress",
                "value": "0x28e56e038f8"
              },
              {
                "name": "Size",
                "value": "0x00000098"
              },
              {
                "name": "Buffer",
                "value": "C\\x00:\\x00\\\\x00W\\x00i\\x00n\\x00d\\x00o\\x00w\\x00s\\x00\\\\x00S\\x00y\\x00s\\x00t\\x00e\\x00m\\x003\\x002\\x00\\\\x00s\\x00v\\x00c\\x00h\\x00o\\x00s\\x00t\\x00.\\x00e\\x00x\\x00e\\x00 \\x00-\\x00k\\x00 \\x00L\\x00o\\x00c\\x00a\\x00l\\x00S\\x00y\\x00s\\x00t\\x00e\\x00m\\x00N\\x00e\\x00t\\x00w\\x00o\\x00r\\x00k\\x00R\\x00e\\x00s\\x00t\\x00r\\x00i\\x00c\\x00t\\x00e\\x00d\\x00 \\x00-\\x00p\\x00 \\x00-\\x00s\\x00 \\x00T\\x00r\\x00k\\x00W\\x00k\\x00s\\x00"
              }
            ],
            "repeated": 0,
            "id": 16388
          },
          {
            "timestamp": "2026-05-28 22:01:58,740",
            "thread_id": "5448",
            "caller": "0x7ff6c28c39ad",
            "parentcaller": "0x7ff6c28c31bb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a30"
              }
            ],
            "repeated": 0,
            "id": 16389
          },
          {
            "timestamp": "2026-05-28 22:01:58,740",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c3746",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a30"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001000",
                "pretty_value": "PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "2800"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\System32\\svchost.exe"
              }
            ],
            "repeated": 0,
            "id": 16390
          },
          {
            "timestamp": "2026-05-28 22:01:58,740",
            "thread_id": "5448",
            "caller": "0x7ff6c28c472e",
            "parentcaller": "0x7ff6c28c375e",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a30"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x00000a50"
              }
            ],
            "repeated": 0,
            "id": 16391
          },
          {
            "timestamp": "2026-05-28 22:01:58,740",
            "thread_id": "5448",
            "caller": "0x7ff6c28c4764",
            "parentcaller": "0x7ff6c28c375e",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "39"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 16392
          },
          {
            "timestamp": "2026-05-28 22:01:58,740",
            "thread_id": "5448",
            "caller": "0x7ff6c28c47ed",
            "parentcaller": "0x7ff6c28c375e",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "39"
              },
              {
                "name": "TokenInformation",
                "value": "\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\xd0\\xd2\\xabT\\x92\\x02\\x00\\x00 \\x00 \\x00\\x00\\x00\\x00\\x00\\xf8\\xd2\\xabT\\x92\\x02\\x00\\x00\\x02\\x00\\x00\\x00A\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x18\\xd3\\xabT\\x92\\x02\\x00\\x00T\\x00S\\x00A\\x00:\\x00/\\x00/\\x00P\\x00r\\x00o\\x00c\\x00U\\x00n\\x00i\\x00q\\x00u\\x00e\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb8\\xb1\\x01\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 16393
          },
          {
            "timestamp": "2026-05-28 22:01:58,740",
            "thread_id": "5448",
            "caller": "0x7ff6c28c488d",
            "parentcaller": "0x7ff6c28c375e",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a50"
              }
            ],
            "repeated": 0,
            "id": 16394
          },
          {
            "timestamp": "2026-05-28 22:01:58,740",
            "thread_id": "5448",
            "caller": "0x7ff6c28c3779",
            "parentcaller": "0x7ff6c28c31c6",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a30"
              }
            ],
            "repeated": 0,
            "id": 16395
          },
          {
            "timestamp": "2026-05-28 22:01:58,740",
            "thread_id": "5448",
            "caller": "0x7ff6c28c05ac",
            "parentcaller": "0x7ff6c28bdc11",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a30"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001400",
                "pretty_value": "PROCESS_QUERY_INFORMATION|PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "2932"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\System32\\svchost.exe"
              }
            ],
            "repeated": 0,
            "id": 16396
          },
          {
            "timestamp": "2026-05-28 22:01:58,740",
            "thread_id": "5448",
            "caller": "0x7ff6c28c068f",
            "parentcaller": "0x7ff6c28bdc11",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a30"
              }
            ],
            "repeated": 0,
            "id": 16397
          },
          {
            "timestamp": "2026-05-28 22:01:58,740",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c3e56",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a30"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001000",
                "pretty_value": "PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "2932"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\System32\\svchost.exe"
              }
            ],
            "repeated": 0,
            "id": 16398
          },
          {
            "timestamp": "2026-05-28 22:01:58,740",
            "thread_id": "5448",
            "caller": "0x7ff6c28c3ebb",
            "parentcaller": "0x7ff6c28c2d53",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a30"
              }
            ],
            "repeated": 0,
            "id": 16399
          },
          {
            "timestamp": "2026-05-28 22:01:58,740",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c3ffc",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a30"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001000",
                "pretty_value": "PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "2932"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\System32\\svchost.exe"
              }
            ],
            "repeated": 0,
            "id": 16400
          },
          {
            "timestamp": "2026-05-28 22:01:58,740",
            "thread_id": "5448",
            "caller": "0x7ff6c28c4224",
            "parentcaller": "0x7ff6c28c2da5",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a30"
              }
            ],
            "repeated": 0,
            "id": 16401
          },
          {
            "timestamp": "2026-05-28 22:01:58,740",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29255720002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\System32\\svchost.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 16402
          },
          {
            "timestamp": "2026-05-28 22:01:58,740",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "registry",
            "api": "NtOpenKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\en-US"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\en-US"
              }
            ],
            "repeated": 0,
            "id": 16403
          },
          {
            "timestamp": "2026-05-28 22:01:58,740",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000a30"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100001",
                "pretty_value": "FILE_READ_ACCESS|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\en-US\\svchost.exe.mui"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 16404
          },
          {
            "timestamp": "2026-05-28 22:01:58,740",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000a50"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000a30"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\en-US\\svchost.exe.mui"
              }
            ],
            "repeated": 0,
            "id": 16405
          },
          {
            "timestamp": "2026-05-28 22:01:58,740",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000a50"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29255730000"
              },
              {
                "name": "SectionOffset",
                "value": "0xf09ddfcf90"
              },
              {
                "name": "ViewSize",
                "value": "0x00001000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 16406
          },
          {
            "timestamp": "2026-05-28 22:01:58,740",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a50"
              }
            ],
            "repeated": 0,
            "id": 16407
          },
          {
            "timestamp": "2026-05-28 22:01:58,740",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29255730000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              }
            ],
            "repeated": 0,
            "id": 16408
          },
          {
            "timestamp": "2026-05-28 22:01:58,740",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a30"
              }
            ],
            "repeated": 0,
            "id": 16409
          },
          {
            "timestamp": "2026-05-28 22:01:58,740",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29255720000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              }
            ],
            "repeated": 0,
            "id": 16410
          },
          {
            "timestamp": "2026-05-28 22:01:58,740",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29255720002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\System32\\svchost.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 16411
          },
          {
            "timestamp": "2026-05-28 22:01:58,740",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "registry",
            "api": "NtOpenKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\en-US"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\en-US"
              }
            ],
            "repeated": 0,
            "id": 16412
          },
          {
            "timestamp": "2026-05-28 22:01:58,740",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000a30"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100001",
                "pretty_value": "FILE_READ_ACCESS|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\en-US\\svchost.exe.mui"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 16413
          },
          {
            "timestamp": "2026-05-28 22:01:58,740",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000a50"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000a30"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\en-US\\svchost.exe.mui"
              }
            ],
            "repeated": 0,
            "id": 16414
          },
          {
            "timestamp": "2026-05-28 22:01:58,740",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000a50"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29255730000"
              },
              {
                "name": "SectionOffset",
                "value": "0xf09ddfcf80"
              },
              {
                "name": "ViewSize",
                "value": "0x00001000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 16415
          },
          {
            "timestamp": "2026-05-28 22:01:58,740",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a50"
              }
            ],
            "repeated": 0,
            "id": 16416
          },
          {
            "timestamp": "2026-05-28 22:01:58,740",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29255730000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              }
            ],
            "repeated": 0,
            "id": 16417
          },
          {
            "timestamp": "2026-05-28 22:01:58,740",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a30"
              }
            ],
            "repeated": 0,
            "id": 16418
          },
          {
            "timestamp": "2026-05-28 22:01:58,740",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29255720000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              }
            ],
            "repeated": 0,
            "id": 16419
          },
          {
            "timestamp": "2026-05-28 22:01:58,740",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c38f8",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a30"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001410",
                "pretty_value": "PROCESS_VM_READ|PROCESS_QUERY_INFORMATION|PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "2932"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\System32\\svchost.exe"
              }
            ],
            "repeated": 0,
            "id": 16420
          },
          {
            "timestamp": "2026-05-28 22:01:58,740",
            "thread_id": "5448",
            "caller": "0x7ff6c28c53e5",
            "parentcaller": "0x7ff6c28c3945",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a30"
              },
              {
                "name": "BaseAddress",
                "value": "0x4a92c57000"
              },
              {
                "name": "Size",
                "value": "0x000007c8"
              },
              {
                "name": "Buffer",
                "value": "\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x006\\x80\\xf7\\x7f\\x00\\x00\\xc0\\xc4\\x13x\\xfc\\x7f\\x00\\x00\\xf02`1\\xcc\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00U1\\xcc\\x01\\x00\\x00\\xe0\\xc0\\x13x\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00p\\x003v\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00P1\\xcc\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00@\\xc4\\x13x\\xfc\\x7f\\x00\\x00\\x17\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x14\\xef\\xf4}\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00P\\x07\\x14\\xef\\xf4}\\x00\\x00\\x00\\x00(\\xf1\\xf5}\\x00\\x00(\\x02)\\xf1\\xf5}\\x00\\x00P\\x06*\\xf1\\xf5}\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x80\\x9b\\x07m\\xe8\\xff\\xff\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x00 \\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x10\\x00\\x00\\x00@\\xad\\x13x\\xfc\\x7f\\x00\\x00\\x00\\x00\\xad1\\xcc\\x01\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 16421
          },
          {
            "timestamp": "2026-05-28 22:01:58,740",
            "thread_id": "5448",
            "caller": "0x7ff6c28c5414",
            "parentcaller": "0x7ff6c28c3945",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a30"
              },
              {
                "name": "BaseAddress",
                "value": "0x1cc316032f0"
              },
              {
                "name": "Size",
                "value": "0x00000440"
              },
              {
                "name": "Buffer",
                "value": "V\\x07\\x00\\x00V\\x07\\x00\\x00\\x01 \\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00(\\x00\\x08\\x02\\x00\\x00\\x00\\x00\\xc0>`1\\xcc\\x01\\x00\\x00H\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00>\\x00@\\x00\\x00\\x00\\x00\\x0089`1\\xcc\\x01\\x00\\x00\\x88\\x00\\x8a\\x00\\x00\\x00\\x00\\x00x9`1\\xcc\\x01\\x00\\x00\\xf0'`1\\xcc\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x80\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00>\\x00@\\x00\\x00\\x00\\x00\\x00\\x02:`1\\xcc\\x01\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00B:`1\\xcc\\x01\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00D:`1\\xcc\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 16422
          },
          {
            "timestamp": "2026-05-28 22:01:58,740",
            "thread_id": "5448",
            "caller": "0x7ff6c28c545d",
            "parentcaller": "0x7ff6c28c3945",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a30"
              },
              {
                "name": "BaseAddress",
                "value": "0x1cc31603978"
              },
              {
                "name": "Size",
                "value": "0x00000088"
              },
              {
                "name": "Buffer",
                "value": "C\\x00:\\x00\\\\x00W\\x00i\\x00n\\x00d\\x00o\\x00w\\x00s\\x00\\\\x00S\\x00y\\x00s\\x00t\\x00e\\x00m\\x003\\x002\\x00\\\\x00s\\x00v\\x00c\\x00h\\x00o\\x00s\\x00t\\x00.\\x00e\\x00x\\x00e\\x00 \\x00-\\x00k\\x00 \\x00L\\x00o\\x00c\\x00a\\x00l\\x00S\\x00e\\x00r\\x00v\\x00i\\x00c\\x00e\\x00 \\x00-\\x00p\\x00 \\x00-\\x00s\\x00 \\x00W\\x00d\\x00i\\x00S\\x00e\\x00r\\x00v\\x00i\\x00c\\x00e\\x00H\\x00o\\x00s\\x00t\\x00"
              }
            ],
            "repeated": 0,
            "id": 16423
          },
          {
            "timestamp": "2026-05-28 22:01:58,740",
            "thread_id": "5448",
            "caller": "0x7ff6c28c39ad",
            "parentcaller": "0x7ff6c28c31bb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a30"
              }
            ],
            "repeated": 0,
            "id": 16424
          },
          {
            "timestamp": "2026-05-28 22:01:58,740",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c3746",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a30"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001000",
                "pretty_value": "PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "2932"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\System32\\svchost.exe"
              }
            ],
            "repeated": 0,
            "id": 16425
          },
          {
            "timestamp": "2026-05-28 22:01:58,740",
            "thread_id": "5448",
            "caller": "0x7ff6c28c472e",
            "parentcaller": "0x7ff6c28c375e",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a30"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x00000a50"
              }
            ],
            "repeated": 0,
            "id": 16426
          },
          {
            "timestamp": "2026-05-28 22:01:58,740",
            "thread_id": "5448",
            "caller": "0x7ff6c28c4764",
            "parentcaller": "0x7ff6c28c375e",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "39"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 16427
          },
          {
            "timestamp": "2026-05-28 22:01:58,740",
            "thread_id": "5448",
            "caller": "0x7ff6c28c47ed",
            "parentcaller": "0x7ff6c28c375e",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "39"
              },
              {
                "name": "TokenInformation",
                "value": "\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\xd0\\xd2\\xabT\\x92\\x02\\x00\\x00 \\x00 \\x00\\x00\\x00\\x00\\x00\\xf8\\xd2\\xabT\\x92\\x02\\x00\\x00\\x02\\x00\\x00\\x00A\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x18\\xd3\\xabT\\x92\\x02\\x00\\x00T\\x00S\\x00A\\x00:\\x00/\\x00/\\x00P\\x00r\\x00o\\x00c\\x00U\\x00n\\x00i\\x00q\\x00u\\x00e\\x00A\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xcb\\xbf\\x01\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 16428
          },
          {
            "timestamp": "2026-05-28 22:01:58,740",
            "thread_id": "5448",
            "caller": "0x7ff6c28c488d",
            "parentcaller": "0x7ff6c28c375e",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a50"
              }
            ],
            "repeated": 0,
            "id": 16429
          },
          {
            "timestamp": "2026-05-28 22:01:58,740",
            "thread_id": "5448",
            "caller": "0x7ff6c28c3779",
            "parentcaller": "0x7ff6c28c31c6",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a30"
              }
            ],
            "repeated": 0,
            "id": 16430
          },
          {
            "timestamp": "2026-05-28 22:01:58,740",
            "thread_id": "5448",
            "caller": "0x7ff6c28c05ac",
            "parentcaller": "0x7ff6c28bdc11",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a30"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001400",
                "pretty_value": "PROCESS_QUERY_INFORMATION|PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "3672"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\System32\\svchost.exe"
              }
            ],
            "repeated": 0,
            "id": 16431
          },
          {
            "timestamp": "2026-05-28 22:01:58,740",
            "thread_id": "5448",
            "caller": "0x7ff6c28c068f",
            "parentcaller": "0x7ff6c28bdc11",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a30"
              }
            ],
            "repeated": 0,
            "id": 16432
          },
          {
            "timestamp": "2026-05-28 22:01:58,740",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c3e56",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a30"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001000",
                "pretty_value": "PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "3672"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\System32\\svchost.exe"
              }
            ],
            "repeated": 0,
            "id": 16433
          },
          {
            "timestamp": "2026-05-28 22:01:58,740",
            "thread_id": "5448",
            "caller": "0x7ff6c28c3ebb",
            "parentcaller": "0x7ff6c28c2d53",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a30"
              }
            ],
            "repeated": 0,
            "id": 16434
          },
          {
            "timestamp": "2026-05-28 22:01:58,740",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c3ffc",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a30"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001000",
                "pretty_value": "PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "3672"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\System32\\svchost.exe"
              }
            ],
            "repeated": 0,
            "id": 16435
          },
          {
            "timestamp": "2026-05-28 22:01:58,740",
            "thread_id": "5448",
            "caller": "0x7ff6c28c4224",
            "parentcaller": "0x7ff6c28c2da5",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a30"
              }
            ],
            "repeated": 0,
            "id": 16436
          },
          {
            "timestamp": "2026-05-28 22:01:58,740",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29255720002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\System32\\svchost.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 16437
          },
          {
            "timestamp": "2026-05-28 22:01:58,740",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "registry",
            "api": "NtOpenKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\en-US"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\en-US"
              }
            ],
            "repeated": 0,
            "id": 16438
          },
          {
            "timestamp": "2026-05-28 22:01:58,740",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000a30"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100001",
                "pretty_value": "FILE_READ_ACCESS|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\en-US\\svchost.exe.mui"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 16439
          },
          {
            "timestamp": "2026-05-28 22:01:58,740",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000a50"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000a30"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\en-US\\svchost.exe.mui"
              }
            ],
            "repeated": 0,
            "id": 16440
          },
          {
            "timestamp": "2026-05-28 22:01:58,740",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000a50"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29255730000"
              },
              {
                "name": "SectionOffset",
                "value": "0xf09ddfcf90"
              },
              {
                "name": "ViewSize",
                "value": "0x00001000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 16441
          },
          {
            "timestamp": "2026-05-28 22:01:58,740",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a50"
              }
            ],
            "repeated": 0,
            "id": 16442
          },
          {
            "timestamp": "2026-05-28 22:01:58,740",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29255730000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              }
            ],
            "repeated": 0,
            "id": 16443
          },
          {
            "timestamp": "2026-05-28 22:01:58,740",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a30"
              }
            ],
            "repeated": 0,
            "id": 16444
          },
          {
            "timestamp": "2026-05-28 22:01:58,740",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29255720000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              }
            ],
            "repeated": 0,
            "id": 16445
          },
          {
            "timestamp": "2026-05-28 22:01:58,740",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29255720002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\System32\\svchost.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 16446
          },
          {
            "timestamp": "2026-05-28 22:01:58,740",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "registry",
            "api": "NtOpenKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\en-US"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\en-US"
              }
            ],
            "repeated": 0,
            "id": 16447
          },
          {
            "timestamp": "2026-05-28 22:01:58,740",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000a30"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100001",
                "pretty_value": "FILE_READ_ACCESS|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\en-US\\svchost.exe.mui"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 16448
          },
          {
            "timestamp": "2026-05-28 22:01:58,740",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000a50"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000a30"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\en-US\\svchost.exe.mui"
              }
            ],
            "repeated": 0,
            "id": 16449
          },
          {
            "timestamp": "2026-05-28 22:01:58,740",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000a50"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29255730000"
              },
              {
                "name": "SectionOffset",
                "value": "0xf09ddfcf80"
              },
              {
                "name": "ViewSize",
                "value": "0x00001000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 16450
          },
          {
            "timestamp": "2026-05-28 22:01:58,740",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a50"
              }
            ],
            "repeated": 0,
            "id": 16451
          },
          {
            "timestamp": "2026-05-28 22:01:58,740",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29255730000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              }
            ],
            "repeated": 0,
            "id": 16452
          },
          {
            "timestamp": "2026-05-28 22:01:58,740",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a30"
              }
            ],
            "repeated": 0,
            "id": 16453
          },
          {
            "timestamp": "2026-05-28 22:01:58,740",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29255720000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              }
            ],
            "repeated": 0,
            "id": 16454
          },
          {
            "timestamp": "2026-05-28 22:01:58,740",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c38f8",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a30"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001410",
                "pretty_value": "PROCESS_VM_READ|PROCESS_QUERY_INFORMATION|PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "3672"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\System32\\svchost.exe"
              }
            ],
            "repeated": 0,
            "id": 16455
          },
          {
            "timestamp": "2026-05-28 22:01:58,740",
            "thread_id": "5448",
            "caller": "0x7ff6c28c53e5",
            "parentcaller": "0x7ff6c28c3945",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a30"
              },
              {
                "name": "BaseAddress",
                "value": "0xc6ce323000"
              },
              {
                "name": "Size",
                "value": "0x000007c8"
              },
              {
                "name": "Buffer",
                "value": "\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x006\\x80\\xf7\\x7f\\x00\\x00\\xc0\\xc4\\x13x\\xfc\\x7f\\x00\\x00\\xf02`\\xb3\\x8c\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00Y\\xb3\\x8c\\x02\\x00\\x00\\xe0\\xc0\\x13x\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00p\\x003v\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00T\\xb3\\x8c\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00@\\xc4\\x13x\\xfc\\x7f\\x00\\x00\\x1f\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x1f\\x0e\\xf4}\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00P\\x07\\x1f\\x0e\\xf4}\\x00\\x00\\x00\\x003\\x10\\xf5}\\x00\\x00(\\x024\\x10\\xf5}\\x00\\x00P\\x065\\x10\\xf5}\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x80\\x9b\\x07m\\xe8\\xff\\xff\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x00 \\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x10\\x00\\x00\\x00@\\xad\\x13x\\xfc\\x7f\\x00\\x00\\x00\\x00\\xad\\xb3\\x8c\\x02\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 16456
          },
          {
            "timestamp": "2026-05-28 22:01:58,740",
            "thread_id": "5448",
            "caller": "0x7ff6c28c5414",
            "parentcaller": "0x7ff6c28c3945",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a30"
              },
              {
                "name": "BaseAddress",
                "value": "0x28cb36032f0"
              },
              {
                "name": "Size",
                "value": "0x00000440"
              },
              {
                "name": "Buffer",
                "value": "`\\x07\\x00\\x00`\\x07\\x00\\x00\\x01 \\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00(\\x00\\x08\\x02\\x00\\x00\\x00\\x00\\xc0>`\\xb3\\x8c\\x02\\x00\\x00L\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00>\\x00@\\x00\\x00\\x00\\x00\\x0089`\\xb3\\x8c\\x02\\x00\\x00\\x92\\x00\\x94\\x00\\x00\\x00\\x00\\x00x9`\\xb3\\x8c\\x02\\x00\\x00\\xf0'`\\xb3\\x8c\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x80\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00>\\x00@\\x00\\x00\\x00\\x00\\x00\\x0c:`\\xb3\\x8c\\x02\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00L:`\\xb3\\x8c\\x02\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00N:`\\xb3\\x8c\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 16457
          },
          {
            "timestamp": "2026-05-28 22:01:58,740",
            "thread_id": "5448",
            "caller": "0x7ff6c28c545d",
            "parentcaller": "0x7ff6c28c3945",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a30"
              },
              {
                "name": "BaseAddress",
                "value": "0x28cb3603978"
              },
              {
                "name": "Size",
                "value": "0x00000092"
              },
              {
                "name": "Buffer",
                "value": "C\\x00:\\x00\\\\x00W\\x00i\\x00n\\x00d\\x00o\\x00w\\x00s\\x00\\\\x00S\\x00y\\x00s\\x00t\\x00e\\x00m\\x003\\x002\\x00\\\\x00s\\x00v\\x00c\\x00h\\x00o\\x00s\\x00t\\x00.\\x00e\\x00x\\x00e\\x00 \\x00-\\x00k\\x00 \\x00L\\x00o\\x00c\\x00a\\x00l\\x00S\\x00e\\x00r\\x00v\\x00i\\x00c\\x00e\\x00N\\x00e\\x00t\\x00w\\x00o\\x00r\\x00k\\x00R\\x00e\\x00s\\x00t\\x00r\\x00i\\x00c\\x00t\\x00e\\x00d\\x00 \\x00-\\x00s\\x00 \\x00R\\x00m\\x00S\\x00v\\x00c\\x00"
              }
            ],
            "repeated": 0,
            "id": 16458
          },
          {
            "timestamp": "2026-05-28 22:01:58,740",
            "thread_id": "5448",
            "caller": "0x7ff6c28c39ad",
            "parentcaller": "0x7ff6c28c31bb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a30"
              }
            ],
            "repeated": 0,
            "id": 16459
          },
          {
            "timestamp": "2026-05-28 22:01:58,740",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c3746",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a30"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001000",
                "pretty_value": "PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "3672"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\System32\\svchost.exe"
              }
            ],
            "repeated": 0,
            "id": 16460
          },
          {
            "timestamp": "2026-05-28 22:01:58,740",
            "thread_id": "5448",
            "caller": "0x7ff6c28c472e",
            "parentcaller": "0x7ff6c28c375e",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a30"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x00000a50"
              }
            ],
            "repeated": 0,
            "id": 16461
          },
          {
            "timestamp": "2026-05-28 22:01:58,740",
            "thread_id": "5448",
            "caller": "0x7ff6c28c4764",
            "parentcaller": "0x7ff6c28c375e",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "39"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 16462
          },
          {
            "timestamp": "2026-05-28 22:01:58,740",
            "thread_id": "5448",
            "caller": "0x7ff6c28c47ed",
            "parentcaller": "0x7ff6c28c375e",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "39"
              },
              {
                "name": "TokenInformation",
                "value": "\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\xd0\\xd2\\xabT\\x92\\x02\\x00\\x00 \\x00 \\x00\\x00\\x00\\x00\\x00\\xf8\\xd2\\xabT\\x92\\x02\\x00\\x00\\x02\\x00\\x00\\x00A\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x18\\xd3\\xabT\\x92\\x02\\x00\\x00T\\x00S\\x00A\\x00:\\x00/\\x00/\\x00P\\x00r\\x00o\\x00c\\x00U\\x00n\\x00i\\x00q\\x00u\\x00e\\x00K\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xf4L\\x02\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 16463
          },
          {
            "timestamp": "2026-05-28 22:01:58,740",
            "thread_id": "5448",
            "caller": "0x7ff6c28c488d",
            "parentcaller": "0x7ff6c28c375e",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a50"
              }
            ],
            "repeated": 0,
            "id": 16464
          },
          {
            "timestamp": "2026-05-28 22:01:58,740",
            "thread_id": "5448",
            "caller": "0x7ff6c28c3779",
            "parentcaller": "0x7ff6c28c31c6",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a30"
              }
            ],
            "repeated": 0,
            "id": 16465
          },
          {
            "timestamp": "2026-05-28 22:01:58,740",
            "thread_id": "5448",
            "caller": "0x7ff6c28c05ac",
            "parentcaller": "0x7ff6c28bdc11",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a30"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001400",
                "pretty_value": "PROCESS_QUERY_INFORMATION|PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "736"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\System32\\svchost.exe"
              }
            ],
            "repeated": 0,
            "id": 16466
          },
          {
            "timestamp": "2026-05-28 22:01:58,740",
            "thread_id": "5448",
            "caller": "0x7ff6c28c068f",
            "parentcaller": "0x7ff6c28bdc11",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a30"
              }
            ],
            "repeated": 0,
            "id": 16467
          },
          {
            "timestamp": "2026-05-28 22:01:58,740",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c3e56",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a30"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001000",
                "pretty_value": "PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "736"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\System32\\svchost.exe"
              }
            ],
            "repeated": 0,
            "id": 16468
          },
          {
            "timestamp": "2026-05-28 22:01:58,740",
            "thread_id": "5448",
            "caller": "0x7ff6c28c3ebb",
            "parentcaller": "0x7ff6c28c2d53",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a30"
              }
            ],
            "repeated": 0,
            "id": 16469
          },
          {
            "timestamp": "2026-05-28 22:01:58,740",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c3ffc",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a30"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001000",
                "pretty_value": "PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "736"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\System32\\svchost.exe"
              }
            ],
            "repeated": 0,
            "id": 16470
          },
          {
            "timestamp": "2026-05-28 22:01:58,740",
            "thread_id": "5448",
            "caller": "0x7ff6c28c4224",
            "parentcaller": "0x7ff6c28c2da5",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a30"
              }
            ],
            "repeated": 0,
            "id": 16471
          },
          {
            "timestamp": "2026-05-28 22:01:58,740",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29255720002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\System32\\svchost.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 16472
          },
          {
            "timestamp": "2026-05-28 22:01:58,740",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "registry",
            "api": "NtOpenKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\en-US"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\en-US"
              }
            ],
            "repeated": 0,
            "id": 16473
          },
          {
            "timestamp": "2026-05-28 22:01:58,740",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000a30"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100001",
                "pretty_value": "FILE_READ_ACCESS|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\en-US\\svchost.exe.mui"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 16474
          },
          {
            "timestamp": "2026-05-28 22:01:58,740",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000a50"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000a30"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\en-US\\svchost.exe.mui"
              }
            ],
            "repeated": 0,
            "id": 16475
          },
          {
            "timestamp": "2026-05-28 22:01:58,740",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000a50"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29255730000"
              },
              {
                "name": "SectionOffset",
                "value": "0xf09ddfcf90"
              },
              {
                "name": "ViewSize",
                "value": "0x00001000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 16476
          },
          {
            "timestamp": "2026-05-28 22:01:58,740",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a50"
              }
            ],
            "repeated": 0,
            "id": 16477
          },
          {
            "timestamp": "2026-05-28 22:01:58,740",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29255730000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              }
            ],
            "repeated": 0,
            "id": 16478
          },
          {
            "timestamp": "2026-05-28 22:01:58,740",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a30"
              }
            ],
            "repeated": 0,
            "id": 16479
          },
          {
            "timestamp": "2026-05-28 22:01:58,740",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29255720000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              }
            ],
            "repeated": 0,
            "id": 16480
          },
          {
            "timestamp": "2026-05-28 22:01:58,740",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29255720002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\System32\\svchost.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 16481
          },
          {
            "timestamp": "2026-05-28 22:01:58,740",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "registry",
            "api": "NtOpenKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\en-US"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\en-US"
              }
            ],
            "repeated": 0,
            "id": 16482
          },
          {
            "timestamp": "2026-05-28 22:01:58,740",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000a30"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100001",
                "pretty_value": "FILE_READ_ACCESS|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\en-US\\svchost.exe.mui"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 16483
          },
          {
            "timestamp": "2026-05-28 22:01:58,740",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000a50"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000a30"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\en-US\\svchost.exe.mui"
              }
            ],
            "repeated": 0,
            "id": 16484
          },
          {
            "timestamp": "2026-05-28 22:01:58,740",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000a50"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29255730000"
              },
              {
                "name": "SectionOffset",
                "value": "0xf09ddfcf80"
              },
              {
                "name": "ViewSize",
                "value": "0x00001000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 16485
          },
          {
            "timestamp": "2026-05-28 22:01:58,740",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a50"
              }
            ],
            "repeated": 0,
            "id": 16486
          },
          {
            "timestamp": "2026-05-28 22:01:58,740",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29255730000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              }
            ],
            "repeated": 0,
            "id": 16487
          },
          {
            "timestamp": "2026-05-28 22:01:58,740",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a30"
              }
            ],
            "repeated": 0,
            "id": 16488
          },
          {
            "timestamp": "2026-05-28 22:01:58,740",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29255720000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              }
            ],
            "repeated": 0,
            "id": 16489
          },
          {
            "timestamp": "2026-05-28 22:01:58,740",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c38f8",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a30"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001410",
                "pretty_value": "PROCESS_VM_READ|PROCESS_QUERY_INFORMATION|PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "736"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\System32\\svchost.exe"
              }
            ],
            "repeated": 0,
            "id": 16490
          },
          {
            "timestamp": "2026-05-28 22:01:58,740",
            "thread_id": "5448",
            "caller": "0x7ff6c28c53e5",
            "parentcaller": "0x7ff6c28c3945",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a30"
              },
              {
                "name": "BaseAddress",
                "value": "0xc53c612000"
              },
              {
                "name": "Size",
                "value": "0x000007c8"
              },
              {
                "name": "Buffer",
                "value": "\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x006\\x80\\xf7\\x7f\\x00\\x00\\xc0\\xc4\\x13x\\xfc\\x7f\\x00\\x00\\xf02\\xc0\\x0f\\x82\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb0\\x0f\\x82\\x02\\x00\\x00\\xe0\\xc0\\x13x\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00p\\x003v\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xab\\x0f\\x82\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00@\\xc4\\x13x\\xfc\\x7f\\x00\\x00\\xff\\xff\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xeak\\xf4}\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00P\\x07\\xeak\\xf4}\\x00\\x00\\x00\\x00\\xfem\\xf5}\\x00\\x00(\\x02\\xffm\\xf5}\\x00\\x00P\\x06\\x00n\\xf5}\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x80\\x9b\\x07m\\xe8\\xff\\xff\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x00 \\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x10\\x00\\x00\\x00@\\xad\\x13x\\xfc\\x7f\\x00\\x00\\x00\\x00\\x02\\x10\\x82\\x02\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 16491
          },
          {
            "timestamp": "2026-05-28 22:01:58,740",
            "thread_id": "5448",
            "caller": "0x7ff6c28c5414",
            "parentcaller": "0x7ff6c28c3945",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a30"
              },
              {
                "name": "BaseAddress",
                "value": "0x2820fc032f0"
              },
              {
                "name": "Size",
                "value": "0x00000440"
              },
              {
                "name": "Buffer",
                "value": "V\\x07\\x00\\x00V\\x07\\x00\\x00\\x01 \\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00(\\x00\\x08\\x02\\x00\\x00\\x00\\x00\\xc0>\\xc0\\x0f\\x82\\x02\\x00\\x00H\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00>\\x00@\\x00\\x00\\x00\\x00\\x0089\\xc0\\x0f\\x82\\x02\\x00\\x00\\x88\\x00\\x8a\\x00\\x00\\x00\\x00\\x00x9\\xc0\\x0f\\x82\\x02\\x00\\x00\\xf0'\\xc0\\x0f\\x82\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x80\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00>\\x00@\\x00\\x00\\x00\\x00\\x00\\x02:\\xc0\\x0f\\x82\\x02\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00B:\\xc0\\x0f\\x82\\x02\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00D:\\xc0\\x0f\\x82\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 16492
          },
          {
            "timestamp": "2026-05-28 22:01:58,740",
            "thread_id": "5448",
            "caller": "0x7ff6c28c545d",
            "parentcaller": "0x7ff6c28c3945",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a30"
              },
              {
                "name": "BaseAddress",
                "value": "0x2820fc03978"
              },
              {
                "name": "Size",
                "value": "0x00000088"
              },
              {
                "name": "Buffer",
                "value": "C\\x00:\\x00\\\\x00W\\x00i\\x00n\\x00d\\x00o\\x00w\\x00s\\x00\\\\x00S\\x00y\\x00s\\x00t\\x00e\\x00m\\x003\\x002\\x00\\\\x00s\\x00v\\x00c\\x00h\\x00o\\x00s\\x00t\\x00.\\x00e\\x00x\\x00e\\x00 \\x00-\\x00k\\x00 \\x00L\\x00o\\x00c\\x00a\\x00l\\x00S\\x00e\\x00r\\x00v\\x00i\\x00c\\x00e\\x00 \\x00-\\x00p\\x00 \\x00-\\x00s\\x00 \\x00L\\x00i\\x00c\\x00e\\x00n\\x00s\\x00e\\x00M\\x00a\\x00n\\x00a\\x00g\\x00e\\x00r\\x00"
              }
            ],
            "repeated": 0,
            "id": 16493
          },
          {
            "timestamp": "2026-05-28 22:01:58,740",
            "thread_id": "5448",
            "caller": "0x7ff6c28c39ad",
            "parentcaller": "0x7ff6c28c31bb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a30"
              }
            ],
            "repeated": 0,
            "id": 16494
          },
          {
            "timestamp": "2026-05-28 22:01:58,740",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c3746",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a30"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001000",
                "pretty_value": "PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "736"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\System32\\svchost.exe"
              }
            ],
            "repeated": 0,
            "id": 16495
          },
          {
            "timestamp": "2026-05-28 22:01:58,740",
            "thread_id": "5448",
            "caller": "0x7ff6c28c472e",
            "parentcaller": "0x7ff6c28c375e",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a30"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x00000a50"
              }
            ],
            "repeated": 0,
            "id": 16496
          },
          {
            "timestamp": "2026-05-28 22:01:58,740",
            "thread_id": "5448",
            "caller": "0x7ff6c28c4764",
            "parentcaller": "0x7ff6c28c375e",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "39"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 16497
          },
          {
            "timestamp": "2026-05-28 22:01:58,740",
            "thread_id": "5448",
            "caller": "0x7ff6c28c47ed",
            "parentcaller": "0x7ff6c28c375e",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "39"
              },
              {
                "name": "TokenInformation",
                "value": "\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\xd0\\xd2\\xabT\\x92\\x02\\x00\\x00 \\x00 \\x00\\x00\\x00\\x00\\x00\\xf8\\xd2\\xabT\\x92\\x02\\x00\\x00\\x02\\x00\\x00\\x00A\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x18\\xd3\\xabT\\x92\\x02\\x00\\x00T\\x00S\\x00A\\x00:\\x00/\\x00/\\x00P\\x00r\\x00o\\x00c\\x00U\\x00n\\x00i\\x00q\\x00u\\x00e\\x00R\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\xcc\\x02\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 16498
          },
          {
            "timestamp": "2026-05-28 22:01:58,740",
            "thread_id": "5448",
            "caller": "0x7ff6c28c488d",
            "parentcaller": "0x7ff6c28c375e",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a50"
              }
            ],
            "repeated": 0,
            "id": 16499
          },
          {
            "timestamp": "2026-05-28 22:01:58,740",
            "thread_id": "5448",
            "caller": "0x7ff6c28c3779",
            "parentcaller": "0x7ff6c28c31c6",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a30"
              }
            ],
            "repeated": 0,
            "id": 16500
          },
          {
            "timestamp": "2026-05-28 22:01:58,740",
            "thread_id": "5448",
            "caller": "0x7ff6c28c05ac",
            "parentcaller": "0x7ff6c28bdc11",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a30"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001400",
                "pretty_value": "PROCESS_QUERY_INFORMATION|PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "3068"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\System32\\svchost.exe"
              }
            ],
            "repeated": 0,
            "id": 16501
          },
          {
            "timestamp": "2026-05-28 22:01:58,740",
            "thread_id": "5448",
            "caller": "0x7ff6c28c068f",
            "parentcaller": "0x7ff6c28bdc11",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a30"
              }
            ],
            "repeated": 0,
            "id": 16502
          },
          {
            "timestamp": "2026-05-28 22:01:58,740",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c3e56",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a30"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001000",
                "pretty_value": "PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "3068"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\System32\\svchost.exe"
              }
            ],
            "repeated": 0,
            "id": 16503
          },
          {
            "timestamp": "2026-05-28 22:01:58,740",
            "thread_id": "5448",
            "caller": "0x7ff6c28c3ebb",
            "parentcaller": "0x7ff6c28c2d53",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a30"
              }
            ],
            "repeated": 0,
            "id": 16504
          },
          {
            "timestamp": "2026-05-28 22:01:58,740",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c3ffc",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a30"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001000",
                "pretty_value": "PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "3068"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\System32\\svchost.exe"
              }
            ],
            "repeated": 0,
            "id": 16505
          },
          {
            "timestamp": "2026-05-28 22:01:58,740",
            "thread_id": "5448",
            "caller": "0x7ff6c28c4224",
            "parentcaller": "0x7ff6c28c2da5",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a30"
              }
            ],
            "repeated": 0,
            "id": 16506
          },
          {
            "timestamp": "2026-05-28 22:01:58,740",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29255720002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\System32\\svchost.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 16507
          },
          {
            "timestamp": "2026-05-28 22:01:58,740",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "registry",
            "api": "NtOpenKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\en-US"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\en-US"
              }
            ],
            "repeated": 0,
            "id": 16508
          },
          {
            "timestamp": "2026-05-28 22:01:58,740",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000a30"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100001",
                "pretty_value": "FILE_READ_ACCESS|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\en-US\\svchost.exe.mui"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 16509
          },
          {
            "timestamp": "2026-05-28 22:01:58,740",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000a50"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000a30"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\en-US\\svchost.exe.mui"
              }
            ],
            "repeated": 0,
            "id": 16510
          },
          {
            "timestamp": "2026-05-28 22:01:58,740",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000a50"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29255730000"
              },
              {
                "name": "SectionOffset",
                "value": "0xf09ddfcf90"
              },
              {
                "name": "ViewSize",
                "value": "0x00001000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 16511
          },
          {
            "timestamp": "2026-05-28 22:01:58,740",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a50"
              }
            ],
            "repeated": 0,
            "id": 16512
          },
          {
            "timestamp": "2026-05-28 22:01:58,740",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29255730000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              }
            ],
            "repeated": 0,
            "id": 16513
          },
          {
            "timestamp": "2026-05-28 22:01:58,740",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a30"
              }
            ],
            "repeated": 0,
            "id": 16514
          },
          {
            "timestamp": "2026-05-28 22:01:58,740",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29255720000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              }
            ],
            "repeated": 0,
            "id": 16515
          },
          {
            "timestamp": "2026-05-28 22:01:58,740",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29255720002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\System32\\svchost.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 16516
          },
          {
            "timestamp": "2026-05-28 22:01:58,740",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "registry",
            "api": "NtOpenKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\en-US"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\en-US"
              }
            ],
            "repeated": 0,
            "id": 16517
          },
          {
            "timestamp": "2026-05-28 22:01:58,740",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000a30"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100001",
                "pretty_value": "FILE_READ_ACCESS|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\en-US\\svchost.exe.mui"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 16518
          },
          {
            "timestamp": "2026-05-28 22:01:58,740",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000a50"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000a30"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\en-US\\svchost.exe.mui"
              }
            ],
            "repeated": 0,
            "id": 16519
          },
          {
            "timestamp": "2026-05-28 22:01:58,740",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000a50"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29255730000"
              },
              {
                "name": "SectionOffset",
                "value": "0xf09ddfcf80"
              },
              {
                "name": "ViewSize",
                "value": "0x00001000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 16520
          },
          {
            "timestamp": "2026-05-28 22:01:58,740",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a50"
              }
            ],
            "repeated": 0,
            "id": 16521
          },
          {
            "timestamp": "2026-05-28 22:01:58,740",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29255730000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              }
            ],
            "repeated": 0,
            "id": 16522
          },
          {
            "timestamp": "2026-05-28 22:01:58,740",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a30"
              }
            ],
            "repeated": 0,
            "id": 16523
          },
          {
            "timestamp": "2026-05-28 22:01:58,740",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29255720000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              }
            ],
            "repeated": 0,
            "id": 16524
          },
          {
            "timestamp": "2026-05-28 22:01:58,740",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c38f8",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a30"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001410",
                "pretty_value": "PROCESS_VM_READ|PROCESS_QUERY_INFORMATION|PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "3068"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\System32\\svchost.exe"
              }
            ],
            "repeated": 0,
            "id": 16525
          },
          {
            "timestamp": "2026-05-28 22:01:58,740",
            "thread_id": "5448",
            "caller": "0x7ff6c28c53e5",
            "parentcaller": "0x7ff6c28c3945",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a30"
              },
              {
                "name": "BaseAddress",
                "value": "0x2b79e9d000"
              },
              {
                "name": "Size",
                "value": "0x000007c8"
              },
              {
                "name": "Buffer",
                "value": "\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x006\\x80\\xf7\\x7f\\x00\\x00\\xc0\\xc4\\x13x\\xfc\\x7f\\x00\\x00\\xd02\\x00Nz\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xecMz\\x01\\x00\\x00\\xe0\\xc0\\x13x\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00p\\x003v\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xe7Mz\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00@\\xc4\\x13x\\xfc\\x7f\\x00\\x00\\xff\\xff\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb3\\x7f\\xf4}\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00P\\x07\\xb3\\x7f\\xf4}\\x00\\x00\\x00\\x00\\xc7\\x81\\xf5}\\x00\\x00(\\x02\\xc8\\x81\\xf5}\\x00\\x00P\\x06\\xc9\\x81\\xf5}\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x80\\x9b\\x07m\\xe8\\xff\\xff\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x00 \\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x10\\x00\\x00\\x00@\\xad\\x13x\\xfc\\x7f\\x00\\x00\\x00\\x00@Nz\\x01\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 16526
          },
          {
            "timestamp": "2026-05-28 22:01:58,740",
            "thread_id": "5448",
            "caller": "0x7ff6c28c5414",
            "parentcaller": "0x7ff6c28c3945",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a30"
              },
              {
                "name": "BaseAddress",
                "value": "0x17a4e0032d0"
              },
              {
                "name": "Size",
                "value": "0x00000440"
              },
              {
                "name": "Buffer",
                "value": "P\\x07\\x00\\x00P\\x07\\x00\\x00\\x01 \\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00(\\x00\\x08\\x02\\x00\\x00\\x00\\x00\\x90>\\x00Nz\\x01\\x00\\x00H\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00>\\x00@\\x00\\x00\\x00\\x00\\x00\\x189\\x00Nz\\x01\\x00\\x00\\x82\\x00\\x84\\x00\\x00\\x00\\x00\\x00X9\\x00Nz\\x01\\x00\\x00\\xf0'\\x00Nz\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x80\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00>\\x00@\\x00\\x00\\x00\\x00\\x00\\xdc9\\x00Nz\\x01\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x1c:\\x00Nz\\x01\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x1e:\\x00Nz\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 16527
          },
          {
            "timestamp": "2026-05-28 22:01:58,740",
            "thread_id": "5448",
            "caller": "0x7ff6c28c545d",
            "parentcaller": "0x7ff6c28c3945",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a30"
              },
              {
                "name": "BaseAddress",
                "value": "0x17a4e003958"
              },
              {
                "name": "Size",
                "value": "0x00000082"
              },
              {
                "name": "Buffer",
                "value": "C\\x00:\\x00\\\\x00W\\x00i\\x00n\\x00d\\x00o\\x00w\\x00s\\x00\\\\x00s\\x00y\\x00s\\x00t\\x00e\\x00m\\x003\\x002\\x00\\\\x00s\\x00v\\x00c\\x00h\\x00o\\x00s\\x00t\\x00.\\x00e\\x00x\\x00e\\x00 \\x00-\\x00k\\x00 \\x00U\\x00n\\x00i\\x00s\\x00t\\x00a\\x00c\\x00k\\x00S\\x00v\\x00c\\x00G\\x00r\\x00o\\x00u\\x00p\\x00 \\x00-\\x00s\\x00 \\x00C\\x00D\\x00P\\x00U\\x00s\\x00e\\x00r\\x00S\\x00v\\x00c\\x00"
              }
            ],
            "repeated": 0,
            "id": 16528
          },
          {
            "timestamp": "2026-05-28 22:01:58,740",
            "thread_id": "5448",
            "caller": "0x7ff6c28c39ad",
            "parentcaller": "0x7ff6c28c31bb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a30"
              }
            ],
            "repeated": 0,
            "id": 16529
          },
          {
            "timestamp": "2026-05-28 22:01:58,740",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c3746",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a30"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001000",
                "pretty_value": "PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "3068"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\System32\\svchost.exe"
              }
            ],
            "repeated": 0,
            "id": 16530
          },
          {
            "timestamp": "2026-05-28 22:01:58,740",
            "thread_id": "5448",
            "caller": "0x7ff6c28c472e",
            "parentcaller": "0x7ff6c28c375e",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a30"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x00000a50"
              }
            ],
            "repeated": 0,
            "id": 16531
          },
          {
            "timestamp": "2026-05-28 22:01:58,740",
            "thread_id": "5448",
            "caller": "0x7ff6c28c4764",
            "parentcaller": "0x7ff6c28c375e",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "39"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 16532
          },
          {
            "timestamp": "2026-05-28 22:01:58,740",
            "thread_id": "5448",
            "caller": "0x7ff6c28c47ed",
            "parentcaller": "0x7ff6c28c375e",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "39"
              },
              {
                "name": "TokenInformation",
                "value": "\\x01\\x00\\x00\\x00\\x02\\x00\\x00\\x000\\xdd$T\\x92\\x02\\x00\\x00(\\x00(\\x00\\x00\\x00\\x00\\x00\\x80\\xdd$T\\x92\\x02\\x00\\x00\\x02\\x00\\x00\\x00@\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xa8\\xdd$T\\x92\\x02\\x00\\x00 \\x00 \\x00\\x00\\x00\\x00\\x00\\xb0\\xdd$T\\x92\\x02\\x00\\x00\\x02\\x00\\x00\\x00A\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xd0\\xdd$T\\x92\\x02\\x00\\x00W\\x00I\\x00N\\x00:\\x00/\\x00/\\x00S\\x00C\\x00M\\x00U\\x00s\\x00e\\x00r\\x00S\\x00e\\x00r\\x00v\\x00i\\x00c\\x00e\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00T\\x00S\\x00A\\x00:\\x00/\\x00/\\x00P\\x00r\\x00o\\x00c\\x00U\\x00n\\x00i\\x00q\\x00u\\x00e\\x00T\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xae\\xd0\\x02\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 16533
          },
          {
            "timestamp": "2026-05-28 22:01:58,740",
            "thread_id": "5448",
            "caller": "0x7ff6c28c488d",
            "parentcaller": "0x7ff6c28c375e",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a50"
              }
            ],
            "repeated": 0,
            "id": 16534
          },
          {
            "timestamp": "2026-05-28 22:01:58,740",
            "thread_id": "5448",
            "caller": "0x7ff6c28c3779",
            "parentcaller": "0x7ff6c28c31c6",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a30"
              }
            ],
            "repeated": 0,
            "id": 16535
          },
          {
            "timestamp": "2026-05-28 22:01:58,756",
            "thread_id": "5448",
            "caller": "0x7ff6c28c05ac",
            "parentcaller": "0x7ff6c28bdc11",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a30"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001400",
                "pretty_value": "PROCESS_QUERY_INFORMATION|PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "2672"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\System32\\taskhostw.exe"
              }
            ],
            "repeated": 0,
            "id": 16536
          },
          {
            "timestamp": "2026-05-28 22:01:58,756",
            "thread_id": "5448",
            "caller": "0x7ff6c28c068f",
            "parentcaller": "0x7ff6c28bdc11",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a30"
              }
            ],
            "repeated": 0,
            "id": 16537
          },
          {
            "timestamp": "2026-05-28 22:01:58,756",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c3e56",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a30"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001000",
                "pretty_value": "PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "2672"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\System32\\taskhostw.exe"
              }
            ],
            "repeated": 0,
            "id": 16538
          },
          {
            "timestamp": "2026-05-28 22:01:58,756",
            "thread_id": "5448",
            "caller": "0x7ff6c28c3ebb",
            "parentcaller": "0x7ff6c28c2d53",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a30"
              }
            ],
            "repeated": 0,
            "id": 16539
          },
          {
            "timestamp": "2026-05-28 22:01:58,756",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c3ffc",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a30"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001000",
                "pretty_value": "PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "2672"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\System32\\taskhostw.exe"
              }
            ],
            "repeated": 0,
            "id": 16540
          },
          {
            "timestamp": "2026-05-28 22:01:58,756",
            "thread_id": "5448",
            "caller": "0x7ff6c28c4224",
            "parentcaller": "0x7ff6c28c2da5",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a30"
              }
            ],
            "repeated": 0,
            "id": 16541
          },
          {
            "timestamp": "2026-05-28 22:01:58,756",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29255720002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\System32\\taskhostw.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 16542
          },
          {
            "timestamp": "2026-05-28 22:01:58,756",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "registry",
            "api": "NtOpenKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\en-US"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\en-US"
              }
            ],
            "repeated": 0,
            "id": 16543
          },
          {
            "timestamp": "2026-05-28 22:01:58,756",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000a30"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100001",
                "pretty_value": "FILE_READ_ACCESS|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\en-US\\taskhostw.exe.mui"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 16544
          },
          {
            "timestamp": "2026-05-28 22:01:58,756",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000a50"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000a30"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\en-US\\taskhostw.exe.mui"
              }
            ],
            "repeated": 0,
            "id": 16545
          },
          {
            "timestamp": "2026-05-28 22:01:58,756",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000a50"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29255740000"
              },
              {
                "name": "SectionOffset",
                "value": "0xf09ddfcf90"
              },
              {
                "name": "ViewSize",
                "value": "0x00001000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 16546
          },
          {
            "timestamp": "2026-05-28 22:01:58,756",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a50"
              }
            ],
            "repeated": 0,
            "id": 16547
          },
          {
            "timestamp": "2026-05-28 22:01:58,756",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29255740000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              }
            ],
            "repeated": 0,
            "id": 16548
          },
          {
            "timestamp": "2026-05-28 22:01:58,756",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a30"
              }
            ],
            "repeated": 0,
            "id": 16549
          },
          {
            "timestamp": "2026-05-28 22:01:58,756",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29255720000"
              },
              {
                "name": "RegionSize",
                "value": "0x0001a000"
              }
            ],
            "repeated": 0,
            "id": 16550
          },
          {
            "timestamp": "2026-05-28 22:01:58,756",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29255720002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\System32\\taskhostw.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 16551
          },
          {
            "timestamp": "2026-05-28 22:01:58,756",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "registry",
            "api": "NtOpenKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\en-US"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\en-US"
              }
            ],
            "repeated": 0,
            "id": 16552
          },
          {
            "timestamp": "2026-05-28 22:01:58,756",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000a30"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100001",
                "pretty_value": "FILE_READ_ACCESS|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\en-US\\taskhostw.exe.mui"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 16553
          },
          {
            "timestamp": "2026-05-28 22:01:58,756",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000a50"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000a30"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\en-US\\taskhostw.exe.mui"
              }
            ],
            "repeated": 0,
            "id": 16554
          },
          {
            "timestamp": "2026-05-28 22:01:58,756",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000a50"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29255740000"
              },
              {
                "name": "SectionOffset",
                "value": "0xf09ddfcf80"
              },
              {
                "name": "ViewSize",
                "value": "0x00001000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 16555
          },
          {
            "timestamp": "2026-05-28 22:01:58,756",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a50"
              }
            ],
            "repeated": 0,
            "id": 16556
          },
          {
            "timestamp": "2026-05-28 22:01:58,756",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29255740000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              }
            ],
            "repeated": 0,
            "id": 16557
          },
          {
            "timestamp": "2026-05-28 22:01:58,756",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a30"
              }
            ],
            "repeated": 0,
            "id": 16558
          },
          {
            "timestamp": "2026-05-28 22:01:58,756",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29255720000"
              },
              {
                "name": "RegionSize",
                "value": "0x0001a000"
              }
            ],
            "repeated": 0,
            "id": 16559
          },
          {
            "timestamp": "2026-05-28 22:01:58,756",
            "thread_id": "5448",
            "caller": "0x7ff6c28c3b16",
            "parentcaller": "0x7ff6c28c30e8",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a30"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000400",
                "pretty_value": "PROCESS_QUERY_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "2672"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\System32\\taskhostw.exe"
              }
            ],
            "repeated": 0,
            "id": 16560
          },
          {
            "timestamp": "2026-05-28 22:01:58,756",
            "thread_id": "5448",
            "caller": "0x7ff6c28c3b8f",
            "parentcaller": "0x7ff6c28c30e8",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a30"
              }
            ],
            "repeated": 0,
            "id": 16561
          },
          {
            "timestamp": "2026-05-28 22:01:58,756",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c38f8",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a30"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001410",
                "pretty_value": "PROCESS_VM_READ|PROCESS_QUERY_INFORMATION|PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "2672"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\System32\\taskhostw.exe"
              }
            ],
            "repeated": 0,
            "id": 16562
          },
          {
            "timestamp": "2026-05-28 22:01:58,756",
            "thread_id": "5448",
            "caller": "0x7ff6c28c53e5",
            "parentcaller": "0x7ff6c28c3945",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a30"
              },
              {
                "name": "BaseAddress",
                "value": "0x93bef2b000"
              },
              {
                "name": "Size",
                "value": "0x000007c8"
              },
              {
                "name": "Buffer",
                "value": "\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00M{\\xf7\\x7f\\x00\\x00\\xc0\\xc4\\x13x\\xfc\\x7f\\x00\\x00\\xc0\\x1a*7B\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00*7B\\x02\\x00\\x00\\xe0\\xc0\\x13x\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00p\\x003v\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00 7B\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00@\\xc4\\x13x\\xfc\\x7f\\x00\\x00\\xff\\xff\\xff\\x07\\x00\\x00\\x00\\x00\\x00\\x00FJ\\xf4}\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00P\\x07FJ\\xf4}\\x00\\x00\\x00\\x00ZL\\xf5}\\x00\\x00(\\x02[L\\xf5}\\x00\\x00P\\x06\\L\\xf5}\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x80\\x9b\\x07m\\xe8\\xff\\xff\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x00 \\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x10\\x00\\x00\\x00@\\xad\\x13x\\xfc\\x7f\\x00\\x00\\x00\\x00h7B\\x02\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 16563
          },
          {
            "timestamp": "2026-05-28 22:01:58,756",
            "thread_id": "5448",
            "caller": "0x7ff6c28c5414",
            "parentcaller": "0x7ff6c28c3945",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a30"
              },
              {
                "name": "BaseAddress",
                "value": "0x242372a1ac0"
              },
              {
                "name": "Size",
                "value": "0x00000440"
              },
              {
                "name": "Buffer",
                "value": "\\x18\\x07\\x00\\x00\\x18\\x07\\x00\\x00\\x01`\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00(\\x00\\x08\\x02\\x00\\x00\\x00\\x000&*7B\\x02\\x00\\x00@\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00B\\x00D\\x00\\x00\\x00\\x00\\x00\\x08!*7B\\x02\\x00\\x00$\\x00&\\x00\\x00\\x00\\x00\\x00L!*7B\\x02\\x00\\x00\\xe0\\x0f*7B\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x80\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00B\\x00D\\x00\\x00\\x00\\x00\\x00r!*7B\\x02\\x00\\x00\\x1e\\x00 \\x00\\x00\\x00\\x00\\x00\\xb6!*7B\\x02\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\xd6!*7B\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 16564
          },
          {
            "timestamp": "2026-05-28 22:01:58,756",
            "thread_id": "5448",
            "caller": "0x7ff6c28c545d",
            "parentcaller": "0x7ff6c28c3945",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a30"
              },
              {
                "name": "BaseAddress",
                "value": "0x242372a214c"
              },
              {
                "name": "Size",
                "value": "0x00000024"
              },
              {
                "name": "Buffer",
                "value": "t\\x00a\\x00s\\x00k\\x00h\\x00o\\x00s\\x00t\\x00w\\x00.\\x00e\\x00x\\x00e\\x00 \\x00U\\x00S\\x00E\\x00R\\x00"
              }
            ],
            "repeated": 0,
            "id": 16565
          },
          {
            "timestamp": "2026-05-28 22:01:58,756",
            "thread_id": "5448",
            "caller": "0x7ff6c28c39ad",
            "parentcaller": "0x7ff6c28c31bb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a30"
              }
            ],
            "repeated": 0,
            "id": 16566
          },
          {
            "timestamp": "2026-05-28 22:01:58,756",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c3746",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a30"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001000",
                "pretty_value": "PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "2672"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\System32\\taskhostw.exe"
              }
            ],
            "repeated": 0,
            "id": 16567
          },
          {
            "timestamp": "2026-05-28 22:01:58,756",
            "thread_id": "5448",
            "caller": "0x7ff6c28c472e",
            "parentcaller": "0x7ff6c28c375e",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a30"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x00000a50"
              }
            ],
            "repeated": 0,
            "id": 16568
          },
          {
            "timestamp": "2026-05-28 22:01:58,756",
            "thread_id": "5448",
            "caller": "0x7ff6c28c4764",
            "parentcaller": "0x7ff6c28c375e",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "39"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 16569
          },
          {
            "timestamp": "2026-05-28 22:01:58,756",
            "thread_id": "5448",
            "caller": "0x7ff6c28c47ed",
            "parentcaller": "0x7ff6c28c375e",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "39"
              },
              {
                "name": "TokenInformation",
                "value": "\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\xd0\\xd2\\xabT\\x92\\x02\\x00\\x00 \\x00 \\x00\\x00\\x00\\x00\\x00\\xf8\\xd2\\xabT\\x92\\x02\\x00\\x00\\x02\\x00\\x00\\x00A\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x18\\xd3\\xabT\\x92\\x02\\x00\\x00T\\x00S\\x00A\\x00:\\x00/\\x00/\\x00P\\x00r\\x00o\\x00c\\x00U\\x00n\\x00i\\x00q\\x00u\\x00e\\x00W\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x87\\xd9\\x02\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 16570
          },
          {
            "timestamp": "2026-05-28 22:01:58,756",
            "thread_id": "5448",
            "caller": "0x7ff6c28c488d",
            "parentcaller": "0x7ff6c28c375e",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a50"
              }
            ],
            "repeated": 0,
            "id": 16571
          },
          {
            "timestamp": "2026-05-28 22:01:58,756",
            "thread_id": "5448",
            "caller": "0x7ff6c28c3779",
            "parentcaller": "0x7ff6c28c31c6",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a30"
              }
            ],
            "repeated": 0,
            "id": 16572
          },
          {
            "timestamp": "2026-05-28 22:01:58,756",
            "thread_id": "5448",
            "caller": "0x7ff6c28c05ac",
            "parentcaller": "0x7ff6c28bdc11",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a30"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001400",
                "pretty_value": "PROCESS_QUERY_INFORMATION|PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "3456"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\System32\\svchost.exe"
              }
            ],
            "repeated": 0,
            "id": 16573
          },
          {
            "timestamp": "2026-05-28 22:01:58,756",
            "thread_id": "5448",
            "caller": "0x7ff6c28c068f",
            "parentcaller": "0x7ff6c28bdc11",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a30"
              }
            ],
            "repeated": 0,
            "id": 16574
          },
          {
            "timestamp": "2026-05-28 22:01:58,756",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c3e56",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a30"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001000",
                "pretty_value": "PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "3456"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\System32\\svchost.exe"
              }
            ],
            "repeated": 0,
            "id": 16575
          },
          {
            "timestamp": "2026-05-28 22:01:58,756",
            "thread_id": "5448",
            "caller": "0x7ff6c28c3ebb",
            "parentcaller": "0x7ff6c28c2d53",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a30"
              }
            ],
            "repeated": 0,
            "id": 16576
          },
          {
            "timestamp": "2026-05-28 22:01:58,756",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c3ffc",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a30"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001000",
                "pretty_value": "PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "3456"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\System32\\svchost.exe"
              }
            ],
            "repeated": 0,
            "id": 16577
          },
          {
            "timestamp": "2026-05-28 22:01:58,756",
            "thread_id": "5448",
            "caller": "0x7ff6c28c4224",
            "parentcaller": "0x7ff6c28c2da5",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a30"
              }
            ],
            "repeated": 0,
            "id": 16578
          },
          {
            "timestamp": "2026-05-28 22:01:58,756",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29255720002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\System32\\svchost.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 16579
          },
          {
            "timestamp": "2026-05-28 22:01:58,756",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "registry",
            "api": "NtOpenKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\en-US"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\en-US"
              }
            ],
            "repeated": 0,
            "id": 16580
          },
          {
            "timestamp": "2026-05-28 22:01:58,756",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000a30"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100001",
                "pretty_value": "FILE_READ_ACCESS|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\en-US\\svchost.exe.mui"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 16581
          },
          {
            "timestamp": "2026-05-28 22:01:58,756",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000a50"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000a30"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\en-US\\svchost.exe.mui"
              }
            ],
            "repeated": 0,
            "id": 16582
          },
          {
            "timestamp": "2026-05-28 22:01:58,756",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000a50"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29255730000"
              },
              {
                "name": "SectionOffset",
                "value": "0xf09ddfcf90"
              },
              {
                "name": "ViewSize",
                "value": "0x00001000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 16583
          },
          {
            "timestamp": "2026-05-28 22:01:58,756",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a50"
              }
            ],
            "repeated": 0,
            "id": 16584
          },
          {
            "timestamp": "2026-05-28 22:01:58,756",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29255730000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              }
            ],
            "repeated": 0,
            "id": 16585
          },
          {
            "timestamp": "2026-05-28 22:01:58,756",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a30"
              }
            ],
            "repeated": 0,
            "id": 16586
          },
          {
            "timestamp": "2026-05-28 22:01:58,756",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29255720000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              }
            ],
            "repeated": 0,
            "id": 16587
          },
          {
            "timestamp": "2026-05-28 22:01:58,756",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29255720002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\System32\\svchost.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 16588
          },
          {
            "timestamp": "2026-05-28 22:01:58,756",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "registry",
            "api": "NtOpenKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\en-US"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\en-US"
              }
            ],
            "repeated": 0,
            "id": 16589
          },
          {
            "timestamp": "2026-05-28 22:01:58,756",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000a30"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100001",
                "pretty_value": "FILE_READ_ACCESS|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\en-US\\svchost.exe.mui"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 16590
          },
          {
            "timestamp": "2026-05-28 22:01:58,756",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000a50"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000a30"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\en-US\\svchost.exe.mui"
              }
            ],
            "repeated": 0,
            "id": 16591
          },
          {
            "timestamp": "2026-05-28 22:01:58,756",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000a50"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29255730000"
              },
              {
                "name": "SectionOffset",
                "value": "0xf09ddfcf80"
              },
              {
                "name": "ViewSize",
                "value": "0x00001000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 16592
          },
          {
            "timestamp": "2026-05-28 22:01:58,756",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a50"
              }
            ],
            "repeated": 0,
            "id": 16593
          },
          {
            "timestamp": "2026-05-28 22:01:58,756",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29255730000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              }
            ],
            "repeated": 0,
            "id": 16594
          },
          {
            "timestamp": "2026-05-28 22:01:58,756",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a30"
              }
            ],
            "repeated": 0,
            "id": 16595
          },
          {
            "timestamp": "2026-05-28 22:01:58,756",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29255720000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              }
            ],
            "repeated": 0,
            "id": 16596
          },
          {
            "timestamp": "2026-05-28 22:01:58,756",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c38f8",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a30"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001410",
                "pretty_value": "PROCESS_VM_READ|PROCESS_QUERY_INFORMATION|PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "3456"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\System32\\svchost.exe"
              }
            ],
            "repeated": 0,
            "id": 16597
          },
          {
            "timestamp": "2026-05-28 22:01:58,756",
            "thread_id": "5448",
            "caller": "0x7ff6c28c53e5",
            "parentcaller": "0x7ff6c28c3945",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a30"
              },
              {
                "name": "BaseAddress",
                "value": "0x3f853c1000"
              },
              {
                "name": "Size",
                "value": "0x000007c8"
              },
              {
                "name": "Buffer",
                "value": "\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x006\\x80\\xf7\\x7f\\x00\\x00\\xc0\\xc4\\x13x\\xfc\\x7f\\x00\\x00p2\\xa0#$\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x99#$\\x02\\x00\\x00\\xe0\\xc0\\x13x\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00p\\x003v\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x94#$\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00@\\xc4\\x13x\\xfc\\x7f\\x00\\x00\\xff\\xff\\x1f\\x00\\x00\\x00\\x00\\x00\\x00\\x003\\xd5\\xf4}\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00P\\x073\\xd5\\xf4}\\x00\\x00\\x00\\x00G\\xd7\\xf5}\\x00\\x00(\\x02H\\xd7\\xf5}\\x00\\x00P\\x06I\\xd7\\xf5}\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x80\\x9b\\x07m\\xe8\\xff\\xff\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x00 \\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x10\\x00\\x00\\x00@\\xad\\x13x\\xfc\\x7f\\x00\\x00\\x00\\x00\\xed#$\\x02\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 16598
          },
          {
            "timestamp": "2026-05-28 22:01:58,756",
            "thread_id": "5448",
            "caller": "0x7ff6c28c5414",
            "parentcaller": "0x7ff6c28c3945",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a30"
              },
              {
                "name": "BaseAddress",
                "value": "0x22423a03270"
              },
              {
                "name": "Size",
                "value": "0x00000440"
              },
              {
                "name": "Buffer",
                "value": "F\\x07\\x00\\x00F\\x07\\x00\\x00\\x01 \\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00(\\x00\\x08\\x02\\x00\\x00\\x00\\x000>\\xa0#$\\x02\\x00\\x00H\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00>\\x00@\\x00\\x00\\x00\\x00\\x00\\xb88\\xa0#$\\x02\\x00\\x00x\\x00z\\x00\\x00\\x00\\x00\\x00\\xf88\\xa0#$\\x02\\x00\\x00\\xf0'\\xa0#$\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x80\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00>\\x00@\\x00\\x00\\x00\\x00\\x00r9\\xa0#$\\x02\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\xb29\\xa0#$\\x02\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\xb49\\xa0#$\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 16599
          },
          {
            "timestamp": "2026-05-28 22:01:58,756",
            "thread_id": "5448",
            "caller": "0x7ff6c28c545d",
            "parentcaller": "0x7ff6c28c3945",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a30"
              },
              {
                "name": "BaseAddress",
                "value": "0x22423a038f8"
              },
              {
                "name": "Size",
                "value": "0x00000078"
              },
              {
                "name": "Buffer",
                "value": "C\\x00:\\x00\\\\x00W\\x00i\\x00n\\x00d\\x00o\\x00w\\x00s\\x00\\\\x00s\\x00y\\x00s\\x00t\\x00e\\x00m\\x003\\x002\\x00\\\\x00s\\x00v\\x00c\\x00h\\x00o\\x00s\\x00t\\x00.\\x00e\\x00x\\x00e\\x00 \\x00-\\x00k\\x00 \\x00n\\x00e\\x00t\\x00s\\x00v\\x00c\\x00s\\x00 \\x00-\\x00p\\x00 \\x00-\\x00s\\x00 \\x00T\\x00o\\x00k\\x00e\\x00n\\x00B\\x00r\\x00o\\x00k\\x00e\\x00r\\x00"
              }
            ],
            "repeated": 0,
            "id": 16600
          },
          {
            "timestamp": "2026-05-28 22:01:58,756",
            "thread_id": "5448",
            "caller": "0x7ff6c28c39ad",
            "parentcaller": "0x7ff6c28c31bb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a30"
              }
            ],
            "repeated": 0,
            "id": 16601
          },
          {
            "timestamp": "2026-05-28 22:01:58,756",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c3746",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a30"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001000",
                "pretty_value": "PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "3456"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\System32\\svchost.exe"
              }
            ],
            "repeated": 0,
            "id": 16602
          },
          {
            "timestamp": "2026-05-28 22:01:58,756",
            "thread_id": "5448",
            "caller": "0x7ff6c28c472e",
            "parentcaller": "0x7ff6c28c375e",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a30"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x00000a50"
              }
            ],
            "repeated": 0,
            "id": 16603
          },
          {
            "timestamp": "2026-05-28 22:01:58,756",
            "thread_id": "5448",
            "caller": "0x7ff6c28c4764",
            "parentcaller": "0x7ff6c28c375e",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "39"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 16604
          },
          {
            "timestamp": "2026-05-28 22:01:58,756",
            "thread_id": "5448",
            "caller": "0x7ff6c28c47ed",
            "parentcaller": "0x7ff6c28c375e",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "39"
              },
              {
                "name": "TokenInformation",
                "value": "\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\xd0\\xd2\\xabT\\x92\\x02\\x00\\x00 \\x00 \\x00\\x00\\x00\\x00\\x00\\xf8\\xd2\\xabT\\x92\\x02\\x00\\x00\\x02\\x00\\x00\\x00A\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x18\\xd3\\xabT\\x92\\x02\\x00\\x00T\\x00S\\x00A\\x00:\\x00/\\x00/\\x00P\\x00r\\x00o\\x00c\\x00U\\x00n\\x00i\\x00q\\x00u\\x00e\\x00[\\x00\\x00\\x00\\x00\\x00\\x00\\x00E\\xeb\\x02\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 16605
          },
          {
            "timestamp": "2026-05-28 22:01:58,756",
            "thread_id": "5448",
            "caller": "0x7ff6c28c488d",
            "parentcaller": "0x7ff6c28c375e",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a50"
              }
            ],
            "repeated": 0,
            "id": 16606
          },
          {
            "timestamp": "2026-05-28 22:01:58,756",
            "thread_id": "5448",
            "caller": "0x7ff6c28c3779",
            "parentcaller": "0x7ff6c28c31c6",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a30"
              }
            ],
            "repeated": 0,
            "id": 16607
          },
          {
            "timestamp": "2026-05-28 22:01:58,756",
            "thread_id": "5448",
            "caller": "0x7ff6c28c05ac",
            "parentcaller": "0x7ff6c28bdc11",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a30"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001400",
                "pretty_value": "PROCESS_QUERY_INFORMATION|PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "4148"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\System32\\svchost.exe"
              }
            ],
            "repeated": 0,
            "id": 16608
          },
          {
            "timestamp": "2026-05-28 22:01:58,756",
            "thread_id": "5448",
            "caller": "0x7ff6c28c068f",
            "parentcaller": "0x7ff6c28bdc11",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a30"
              }
            ],
            "repeated": 0,
            "id": 16609
          },
          {
            "timestamp": "2026-05-28 22:01:58,756",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c3e56",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a30"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001000",
                "pretty_value": "PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "4148"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\System32\\svchost.exe"
              }
            ],
            "repeated": 0,
            "id": 16610
          },
          {
            "timestamp": "2026-05-28 22:01:58,756",
            "thread_id": "5448",
            "caller": "0x7ff6c28c3ebb",
            "parentcaller": "0x7ff6c28c2d53",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a30"
              }
            ],
            "repeated": 0,
            "id": 16611
          },
          {
            "timestamp": "2026-05-28 22:01:58,756",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c3ffc",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a30"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001000",
                "pretty_value": "PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "4148"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\System32\\svchost.exe"
              }
            ],
            "repeated": 0,
            "id": 16612
          },
          {
            "timestamp": "2026-05-28 22:01:58,756",
            "thread_id": "5448",
            "caller": "0x7ff6c28c4224",
            "parentcaller": "0x7ff6c28c2da5",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a30"
              }
            ],
            "repeated": 0,
            "id": 16613
          },
          {
            "timestamp": "2026-05-28 22:01:58,756",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29255720002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\System32\\svchost.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 16614
          },
          {
            "timestamp": "2026-05-28 22:01:58,756",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "registry",
            "api": "NtOpenKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\en-US"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\en-US"
              }
            ],
            "repeated": 0,
            "id": 16615
          },
          {
            "timestamp": "2026-05-28 22:01:58,756",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000a30"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100001",
                "pretty_value": "FILE_READ_ACCESS|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\en-US\\svchost.exe.mui"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 16616
          },
          {
            "timestamp": "2026-05-28 22:01:58,756",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000a50"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000a30"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\en-US\\svchost.exe.mui"
              }
            ],
            "repeated": 0,
            "id": 16617
          },
          {
            "timestamp": "2026-05-28 22:01:58,756",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000a50"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29255730000"
              },
              {
                "name": "SectionOffset",
                "value": "0xf09ddfcf90"
              },
              {
                "name": "ViewSize",
                "value": "0x00001000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 16618
          },
          {
            "timestamp": "2026-05-28 22:01:58,756",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a50"
              }
            ],
            "repeated": 0,
            "id": 16619
          },
          {
            "timestamp": "2026-05-28 22:01:58,756",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29255730000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              }
            ],
            "repeated": 0,
            "id": 16620
          },
          {
            "timestamp": "2026-05-28 22:01:58,756",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a30"
              }
            ],
            "repeated": 0,
            "id": 16621
          },
          {
            "timestamp": "2026-05-28 22:01:58,756",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29255720000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              }
            ],
            "repeated": 0,
            "id": 16622
          },
          {
            "timestamp": "2026-05-28 22:01:58,756",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29255720002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\System32\\svchost.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 16623
          },
          {
            "timestamp": "2026-05-28 22:01:58,756",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "registry",
            "api": "NtOpenKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\en-US"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\en-US"
              }
            ],
            "repeated": 0,
            "id": 16624
          },
          {
            "timestamp": "2026-05-28 22:01:58,756",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000a30"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100001",
                "pretty_value": "FILE_READ_ACCESS|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\en-US\\svchost.exe.mui"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 16625
          },
          {
            "timestamp": "2026-05-28 22:01:58,756",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000a50"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000a30"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\en-US\\svchost.exe.mui"
              }
            ],
            "repeated": 0,
            "id": 16626
          },
          {
            "timestamp": "2026-05-28 22:01:58,756",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000a50"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29255730000"
              },
              {
                "name": "SectionOffset",
                "value": "0xf09ddfcf80"
              },
              {
                "name": "ViewSize",
                "value": "0x00001000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 16627
          },
          {
            "timestamp": "2026-05-28 22:01:58,756",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a50"
              }
            ],
            "repeated": 0,
            "id": 16628
          },
          {
            "timestamp": "2026-05-28 22:01:58,756",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29255730000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              }
            ],
            "repeated": 0,
            "id": 16629
          },
          {
            "timestamp": "2026-05-28 22:01:58,756",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a30"
              }
            ],
            "repeated": 0,
            "id": 16630
          },
          {
            "timestamp": "2026-05-28 22:01:58,756",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29255720000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              }
            ],
            "repeated": 0,
            "id": 16631
          },
          {
            "timestamp": "2026-05-28 22:01:58,756",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c38f8",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a30"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001410",
                "pretty_value": "PROCESS_VM_READ|PROCESS_QUERY_INFORMATION|PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "4148"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\System32\\svchost.exe"
              }
            ],
            "repeated": 0,
            "id": 16632
          },
          {
            "timestamp": "2026-05-28 22:01:58,756",
            "thread_id": "5448",
            "caller": "0x7ff6c28c53e5",
            "parentcaller": "0x7ff6c28c3945",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a30"
              },
              {
                "name": "BaseAddress",
                "value": "0xf4409b7000"
              },
              {
                "name": "Size",
                "value": "0x000007c8"
              },
              {
                "name": "Buffer",
                "value": "\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x006\\x80\\xf7\\x7f\\x00\\x00\\xc0\\xc4\\x13x\\xfc\\x7f\\x00\\x00p2\\xc0\\xfd\\xb6\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb4\\xfd\\xb6\\x02\\x00\\x00\\xe0\\xc0\\x13x\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00p\\x003v\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xaf\\xfd\\xb6\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00@\\xc4\\x13x\\xfc\\x7f\\x00\\x00?\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xc5\\xb0\\xf4}\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00P\\x07\\xc5\\xb0\\xf4}\\x00\\x00\\x00\\x00\\xd9\\xb2\\xf5}\\x00\\x00(\\x02\\xda\\xb2\\xf5}\\x00\\x00P\\x06\\xdb\\xb2\\xf5}\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x80\\x9b\\x07m\\xe8\\xff\\xff\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x00 \\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x10\\x00\\x00\\x00@\\xad\\x13x\\xfc\\x7f\\x00\\x00\\x00\\x00\r\\xfe\\xb6\\x02\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 16633
          },
          {
            "timestamp": "2026-05-28 22:01:58,756",
            "thread_id": "5448",
            "caller": "0x7ff6c28c5414",
            "parentcaller": "0x7ff6c28c3945",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a30"
              },
              {
                "name": "BaseAddress",
                "value": "0x2b6fdc03270"
              },
              {
                "name": "Size",
                "value": "0x00000440"
              },
              {
                "name": "Buffer",
                "value": "~\\x07\\x00\\x00~\\x07\\x00\\x00\\x01 \\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00(\\x00\\x08\\x02\\x00\\x00\\x00\\x00`>\\xc0\\xfd\\xb6\\x02\\x00\\x00H\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00>\\x00@\\x00\\x00\\x00\\x00\\x00\\xb88\\xc0\\xfd\\xb6\\x02\\x00\\x00\\xb0\\x00\\xb2\\x00\\x00\\x00\\x00\\x00\\xf88\\xc0\\xfd\\xb6\\x02\\x00\\x00\\xf0'\\xc0\\xfd\\xb6\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x80\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00>\\x00@\\x00\\x00\\x00\\x00\\x00\\xaa9\\xc0\\xfd\\xb6\\x02\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\xea9\\xc0\\xfd\\xb6\\x02\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\xec9\\xc0\\xfd\\xb6\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 16634
          },
          {
            "timestamp": "2026-05-28 22:01:58,756",
            "thread_id": "5448",
            "caller": "0x7ff6c28c545d",
            "parentcaller": "0x7ff6c28c3945",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a30"
              },
              {
                "name": "BaseAddress",
                "value": "0x2b6fdc038f8"
              },
              {
                "name": "Size",
                "value": "0x000000b0"
              },
              {
                "name": "Buffer",
                "value": "C\\x00:\\x00\\\\x00W\\x00i\\x00n\\x00d\\x00o\\x00w\\x00s\\x00\\\\x00S\\x00y\\x00s\\x00t\\x00e\\x00m\\x003\\x002\\x00\\\\x00s\\x00v\\x00c\\x00h\\x00o\\x00s\\x00t\\x00.\\x00e\\x00x\\x00e\\x00 \\x00-\\x00k\\x00 \\x00L\\x00o\\x00c\\x00a\\x00l\\x00S\\x00y\\x00s\\x00t\\x00e\\x00m\\x00N\\x00e\\x00t\\x00w\\x00o\\x00r\\x00k\\x00R\\x00e\\x00s\\x00t\\x00r\\x00i\\x00c\\x00t\\x00e\\x00d\\x00 \\x00-\\x00p\\x00 \\x00-\\x00s\\x00 \\x00T\\x00a\\x00b\\x00l\\x00e\\x00t\\x00I\\x00n\\x00p\\x00u\\x00t\\x00S\\x00e\\x00r\\x00v\\x00i\\x00c\\x00e\\x00"
              }
            ],
            "repeated": 0,
            "id": 16635
          },
          {
            "timestamp": "2026-05-28 22:01:58,756",
            "thread_id": "5448",
            "caller": "0x7ff6c28c39ad",
            "parentcaller": "0x7ff6c28c31bb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a30"
              }
            ],
            "repeated": 0,
            "id": 16636
          },
          {
            "timestamp": "2026-05-28 22:01:58,756",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c3746",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a30"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001000",
                "pretty_value": "PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "4148"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\System32\\svchost.exe"
              }
            ],
            "repeated": 0,
            "id": 16637
          },
          {
            "timestamp": "2026-05-28 22:01:58,756",
            "thread_id": "5448",
            "caller": "0x7ff6c28c472e",
            "parentcaller": "0x7ff6c28c375e",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a30"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x00000a50"
              }
            ],
            "repeated": 0,
            "id": 16638
          },
          {
            "timestamp": "2026-05-28 22:01:58,756",
            "thread_id": "5448",
            "caller": "0x7ff6c28c4764",
            "parentcaller": "0x7ff6c28c375e",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "39"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 16639
          },
          {
            "timestamp": "2026-05-28 22:01:58,756",
            "thread_id": "5448",
            "caller": "0x7ff6c28c47ed",
            "parentcaller": "0x7ff6c28c375e",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "39"
              },
              {
                "name": "TokenInformation",
                "value": "\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\xd0\\xd2\\xabT\\x92\\x02\\x00\\x00 \\x00 \\x00\\x00\\x00\\x00\\x00\\xf8\\xd2\\xabT\\x92\\x02\\x00\\x00\\x02\\x00\\x00\\x00A\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x18\\xd3\\xabT\\x92\\x02\\x00\\x00T\\x00S\\x00A\\x00:\\x00/\\x00/\\x00P\\x00r\\x00o\\x00c\\x00U\\x00n\\x00i\\x00q\\x00u\\x00e\\x00]\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x16\\xfc\\x02\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 16640
          },
          {
            "timestamp": "2026-05-28 22:01:58,756",
            "thread_id": "5448",
            "caller": "0x7ff6c28c488d",
            "parentcaller": "0x7ff6c28c375e",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a50"
              }
            ],
            "repeated": 0,
            "id": 16641
          },
          {
            "timestamp": "2026-05-28 22:01:58,756",
            "thread_id": "5448",
            "caller": "0x7ff6c28c3779",
            "parentcaller": "0x7ff6c28c31c6",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a30"
              }
            ],
            "repeated": 0,
            "id": 16642
          },
          {
            "timestamp": "2026-05-28 22:01:58,756",
            "thread_id": "5448",
            "caller": "0x7ff6c28c05ac",
            "parentcaller": "0x7ff6c28bdc11",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a30"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001400",
                "pretty_value": "PROCESS_QUERY_INFORMATION|PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "4344"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\System32\\ctfmon.exe"
              }
            ],
            "repeated": 0,
            "id": 16643
          },
          {
            "timestamp": "2026-05-28 22:01:58,756",
            "thread_id": "5448",
            "caller": "0x7ff6c28c068f",
            "parentcaller": "0x7ff6c28bdc11",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a30"
              }
            ],
            "repeated": 0,
            "id": 16644
          },
          {
            "timestamp": "2026-05-28 22:01:58,756",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c3e56",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a30"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001000",
                "pretty_value": "PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "4344"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\System32\\ctfmon.exe"
              }
            ],
            "repeated": 0,
            "id": 16645
          },
          {
            "timestamp": "2026-05-28 22:01:58,756",
            "thread_id": "5448",
            "caller": "0x7ff6c28c3ebb",
            "parentcaller": "0x7ff6c28c2d53",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a30"
              }
            ],
            "repeated": 0,
            "id": 16646
          },
          {
            "timestamp": "2026-05-28 22:01:58,756",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c3ffc",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a30"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001000",
                "pretty_value": "PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "4344"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\System32\\ctfmon.exe"
              }
            ],
            "repeated": 0,
            "id": 16647
          },
          {
            "timestamp": "2026-05-28 22:01:58,756",
            "thread_id": "5448",
            "caller": "0x7ff6c28c4224",
            "parentcaller": "0x7ff6c28c2da5",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a30"
              }
            ],
            "repeated": 0,
            "id": 16648
          },
          {
            "timestamp": "2026-05-28 22:01:58,756",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a30"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000400",
                "pretty_value": "PROCESS_QUERY_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "7912"
              }
            ],
            "repeated": 0,
            "id": 16649
          },
          {
            "timestamp": "2026-05-28 22:01:58,756",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x00000a50"
              }
            ],
            "repeated": 0,
            "id": 16650
          },
          {
            "timestamp": "2026-05-28 22:01:58,756",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "`\\xd8\\xdf\\x9d\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\xe9\\x03\\x00\\x00\\xfc\\x7f\\x00\\x00`^\\xe8S\\x92\\x02\\x00\\x00\\xe0\\xde\\xdf\\x9d\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x93\\x00\\x00\\x00\\x00\\x00\\x00\\x00H\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 16651
          },
          {
            "timestamp": "2026-05-28 22:01:58,756",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "synchronization",
            "api": "NtCreateMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a44"
              },
              {
                "name": "MutexName",
                "value": "Global\\C::Users:admin:AppData:Local:Microsoft:Windows:Explorer:iconcache_idx.db!rwReaderRefs"
              },
              {
                "name": "InitialOwner",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 16652
          },
          {
            "timestamp": "2026-05-28 22:01:58,756",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a50"
              }
            ],
            "repeated": 0,
            "id": 16653
          },
          {
            "timestamp": "2026-05-28 22:01:58,756",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a30"
              }
            ],
            "repeated": 0,
            "id": 16654
          },
          {
            "timestamp": "2026-05-28 22:01:58,756",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000808"
              },
              {
                "name": "HandleName",
                "value": "C:\\Users\\admin\\AppData\\Local\\Microsoft\\Windows\\Explorer\\iconcache_idx.db"
              },
              {
                "name": "FileInformationClass",
                "value": "5",
                "pretty_value": "FileStandardInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\x00\\x80\\x00\\x00\\x00\\x00\\x00\\x000r\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 16655
          },
          {
            "timestamp": "2026-05-28 22:01:58,756",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a30"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000400",
                "pretty_value": "PROCESS_QUERY_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "7912"
              }
            ],
            "repeated": 0,
            "id": 16656
          },
          {
            "timestamp": "2026-05-28 22:01:58,756",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x00000a50"
              }
            ],
            "repeated": 0,
            "id": 16657
          },
          {
            "timestamp": "2026-05-28 22:01:58,756",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": " \\xd9\\xdf\\x9d\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\xe9\\x03\\x00\\x00\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x99\\xdb\\xdf\\x9d\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00T\\x82*_\\xfc\\x7f\\x00\\x004\\x006\\x00f\\x00b\\x008\\x00\\x00\\x00\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x000\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x98\\xda\\xdf\\x9d\\xf0\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 16658
          },
          {
            "timestamp": "2026-05-28 22:01:58,756",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "synchronization",
            "api": "NtCreateMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a3c"
              },
              {
                "name": "MutexName",
                "value": "Global\\C::Users:admin:AppData:Local:Microsoft:Windows:Explorer:iconcache_idx.db!046fb8"
              },
              {
                "name": "InitialOwner",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 16659
          },
          {
            "timestamp": "2026-05-28 22:01:58,756",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a50"
              }
            ],
            "repeated": 0,
            "id": 16660
          },
          {
            "timestamp": "2026-05-28 22:01:58,756",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a30"
              }
            ],
            "repeated": 0,
            "id": 16661
          },
          {
            "timestamp": "2026-05-28 22:01:58,756",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000a4c"
              },
              {
                "name": "HandleName",
                "value": "C:\\Users\\admin\\AppData\\Local\\Microsoft\\Windows\\Explorer\\iconcache_16.db"
              },
              {
                "name": "FileInformationClass",
                "value": "5",
                "pretty_value": "FileStandardInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 16662
          },
          {
            "timestamp": "2026-05-28 22:01:58,756",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a44"
              }
            ],
            "repeated": 0,
            "id": 16663
          },
          {
            "timestamp": "2026-05-28 22:01:58,756",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a44"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000400",
                "pretty_value": "PROCESS_QUERY_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "7912"
              }
            ],
            "repeated": 0,
            "id": 16664
          },
          {
            "timestamp": "2026-05-28 22:01:58,756",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x00000a30"
              }
            ],
            "repeated": 0,
            "id": 16665
          },
          {
            "timestamp": "2026-05-28 22:01:58,756",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "0\\xd9\\xdf\\x9d\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\xe9\\x03\\x00\\x00\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xd0\\xd9\\xdf\\x9d\\xf0\\x00\\x00\\x00x\\xdb\\xdf\\x9d\\xf0\\x00\\x00\\x00\\xb8o\\xb3T\\x92\\x02\\x00\\x00\\xb0\\xd9\\xdf\\x9d\\xf0\\x00\\x00\\x00\\x00\\xda\\xdf\\x9d\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xf0\\x00\\x00\\x00\\x00\\x00\\xafT\\x92\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00u\\xc0\\x00\\x00\\x00\\x00\\xafT\\x92\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 16666
          },
          {
            "timestamp": "2026-05-28 22:01:58,756",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "synchronization",
            "api": "NtCreateMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a50"
              },
              {
                "name": "MutexName",
                "value": "Global\\C::Users:admin:AppData:Local:Microsoft:Windows:Explorer:iconcache_idx.db!rwReaderRefs"
              },
              {
                "name": "InitialOwner",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 16667
          },
          {
            "timestamp": "2026-05-28 22:01:58,756",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a30"
              }
            ],
            "repeated": 0,
            "id": 16668
          },
          {
            "timestamp": "2026-05-28 22:01:58,756",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a44"
              }
            ],
            "repeated": 0,
            "id": 16669
          },
          {
            "timestamp": "2026-05-28 22:01:58,756",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a50"
              }
            ],
            "repeated": 0,
            "id": 16670
          },
          {
            "timestamp": "2026-05-28 22:01:58,756",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a3c"
              }
            ],
            "repeated": 0,
            "id": 16671
          },
          {
            "timestamp": "2026-05-28 22:01:58,756",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x292544f0002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\System32\\ctfmon.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 16672
          },
          {
            "timestamp": "2026-05-28 22:01:58,756",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "registry",
            "api": "NtOpenKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\en-US"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\en-US"
              }
            ],
            "repeated": 0,
            "id": 16673
          },
          {
            "timestamp": "2026-05-28 22:01:58,756",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000a3c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100001",
                "pretty_value": "FILE_READ_ACCESS|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\en-US\\ctfmon.exe.mui"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 16674
          },
          {
            "timestamp": "2026-05-28 22:01:58,756",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000a50"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000a3c"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\en-US\\ctfmon.exe.mui"
              }
            ],
            "repeated": 0,
            "id": 16675
          },
          {
            "timestamp": "2026-05-28 22:01:58,756",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000a50"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254500000"
              },
              {
                "name": "SectionOffset",
                "value": "0xf09ddfcf90"
              },
              {
                "name": "ViewSize",
                "value": "0x00001000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 16676
          },
          {
            "timestamp": "2026-05-28 22:01:58,756",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a50"
              }
            ],
            "repeated": 0,
            "id": 16677
          },
          {
            "timestamp": "2026-05-28 22:01:58,756",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254500000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              }
            ],
            "repeated": 0,
            "id": 16678
          },
          {
            "timestamp": "2026-05-28 22:01:58,756",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a3c"
              }
            ],
            "repeated": 0,
            "id": 16679
          },
          {
            "timestamp": "2026-05-28 22:01:58,756",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x292544f0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00007000"
              }
            ],
            "repeated": 0,
            "id": 16680
          },
          {
            "timestamp": "2026-05-28 22:01:58,756",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x292544f0002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\System32\\ctfmon.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 16681
          },
          {
            "timestamp": "2026-05-28 22:01:58,756",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "registry",
            "api": "NtOpenKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\en-US"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\en-US"
              }
            ],
            "repeated": 0,
            "id": 16682
          },
          {
            "timestamp": "2026-05-28 22:01:58,756",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000a3c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100001",
                "pretty_value": "FILE_READ_ACCESS|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\en-US\\ctfmon.exe.mui"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 16683
          },
          {
            "timestamp": "2026-05-28 22:01:58,756",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000a50"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000a3c"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\en-US\\ctfmon.exe.mui"
              }
            ],
            "repeated": 0,
            "id": 16684
          },
          {
            "timestamp": "2026-05-28 22:01:58,756",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000a50"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254500000"
              },
              {
                "name": "SectionOffset",
                "value": "0xf09ddfcf80"
              },
              {
                "name": "ViewSize",
                "value": "0x00001000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 16685
          },
          {
            "timestamp": "2026-05-28 22:01:58,756",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a50"
              }
            ],
            "repeated": 0,
            "id": 16686
          },
          {
            "timestamp": "2026-05-28 22:01:58,756",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254500000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              }
            ],
            "repeated": 0,
            "id": 16687
          },
          {
            "timestamp": "2026-05-28 22:01:58,756",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a3c"
              }
            ],
            "repeated": 0,
            "id": 16688
          },
          {
            "timestamp": "2026-05-28 22:01:58,756",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x292544f0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00007000"
              }
            ],
            "repeated": 0,
            "id": 16689
          },
          {
            "timestamp": "2026-05-28 22:01:58,756",
            "thread_id": "5448",
            "caller": "0x7ff6c28c3b16",
            "parentcaller": "0x7ff6c28c30e8",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a3c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000400",
                "pretty_value": "PROCESS_QUERY_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "4344"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\System32\\ctfmon.exe"
              }
            ],
            "repeated": 0,
            "id": 16690
          },
          {
            "timestamp": "2026-05-28 22:01:58,756",
            "thread_id": "5448",
            "caller": "0x7ff6c28c3b8f",
            "parentcaller": "0x7ff6c28c30e8",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a3c"
              }
            ],
            "repeated": 0,
            "id": 16691
          },
          {
            "timestamp": "2026-05-28 22:01:58,756",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c38f8",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a3c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001410",
                "pretty_value": "PROCESS_VM_READ|PROCESS_QUERY_INFORMATION|PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "4344"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\System32\\ctfmon.exe"
              }
            ],
            "repeated": 0,
            "id": 16692
          },
          {
            "timestamp": "2026-05-28 22:01:58,756",
            "thread_id": "5448",
            "caller": "0x7ff6c28c53e5",
            "parentcaller": "0x7ff6c28c3945",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a3c"
              },
              {
                "name": "BaseAddress",
                "value": "0x879a573000"
              },
              {
                "name": "Size",
                "value": "0x000007c8"
              },
              {
                "name": "Buffer",
                "value": "\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00I\\xdc\\xf7\\x7f\\x00\\x00\\xc0\\xc4\\x13x\\xfc\\x7f\\x00\\x00\\xc0\\x1a\\x1d\\xb6=\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x1d\\xb6=\\x02\\x00\\x00\\xe0\\xc0\\x13x\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00p\\x003v\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x16\\xb6=\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00@\\xc4\\x13x\\xfc\\x7f\\x00\\x00\\xff\\xff?\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x0br\\xf4}\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00P\\x07\\x0br\\xf4}\\x00\\x00\\x00\\x00\\x1ft\\xf5}\\x00\\x00(\\x02 t\\xf5}\\x00\\x00P\\x06!t\\xf5}\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x80\\x9b\\x07m\\xe8\\xff\\xff\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x00 \\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\x05\\x00\\x00\\x00\\x10\\x00\\x00\\x00@\\xad\\x13x\\xfc\\x7f\\x00\\x00\\x00\\x00q\\xb6=\\x02\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 16693
          },
          {
            "timestamp": "2026-05-28 22:01:58,756",
            "thread_id": "5448",
            "caller": "0x7ff6c28c5414",
            "parentcaller": "0x7ff6c28c3945",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a3c"
              },
              {
                "name": "BaseAddress",
                "value": "0x23db61d1ac0"
              },
              {
                "name": "Size",
                "value": "0x00000440"
              },
              {
                "name": "Buffer",
                "value": "\\xd8\\x06\\x00\\x00\\xd8\\x06\\x00\\x00\\x01`\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00(\\x00\\x08\\x02\\x00\\x00\\x00\\x00\\xf0%\\x1d\\xb6=\\x02\\x00\\x00@\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00<\\x00>\\x00\\x00\\x00\\x00\\x00\\x08!\\x1d\\xb6=\\x02\\x00\\x00\\x18\\x00\\x1a\\x00\\x00\\x00\\x00\\x00F!\\x1d\\xb6=\\x02\\x00\\x00\\xe0\\x0f\\x1d\\xb6=\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x14\\x00\\x16\\x00\\x00\\x00\\x00\\x00`!\\x1d\\xb6=\\x02\\x00\\x00\\x1e\\x00 \\x00\\x00\\x00\\x00\\x00v!\\x1d\\xb6=\\x02\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x96!\\x1d\\xb6=\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 16694
          },
          {
            "timestamp": "2026-05-28 22:01:58,756",
            "thread_id": "5448",
            "caller": "0x7ff6c28c545d",
            "parentcaller": "0x7ff6c28c3945",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a3c"
              },
              {
                "name": "BaseAddress",
                "value": "0x23db61d2146"
              },
              {
                "name": "Size",
                "value": "0x00000018"
              },
              {
                "name": "Buffer",
                "value": "\"\\x00c\\x00t\\x00f\\x00m\\x00o\\x00n\\x00.\\x00e\\x00x\\x00e\\x00\"\\x00"
              }
            ],
            "repeated": 0,
            "id": 16695
          },
          {
            "timestamp": "2026-05-28 22:01:58,756",
            "thread_id": "5448",
            "caller": "0x7ff6c28c39ad",
            "parentcaller": "0x7ff6c28c31bb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a3c"
              }
            ],
            "repeated": 0,
            "id": 16696
          },
          {
            "timestamp": "2026-05-28 22:01:58,756",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c3746",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a3c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001000",
                "pretty_value": "PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "4344"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\System32\\ctfmon.exe"
              }
            ],
            "repeated": 0,
            "id": 16697
          },
          {
            "timestamp": "2026-05-28 22:01:58,756",
            "thread_id": "5448",
            "caller": "0x7ff6c28c472e",
            "parentcaller": "0x7ff6c28c375e",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a3c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x00000a50"
              }
            ],
            "repeated": 0,
            "id": 16698
          },
          {
            "timestamp": "2026-05-28 22:01:58,756",
            "thread_id": "5448",
            "caller": "0x7ff6c28c4764",
            "parentcaller": "0x7ff6c28c375e",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "39"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 16699
          },
          {
            "timestamp": "2026-05-28 22:01:58,756",
            "thread_id": "5448",
            "caller": "0x7ff6c28c47ed",
            "parentcaller": "0x7ff6c28c375e",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "39"
              },
              {
                "name": "TokenInformation",
                "value": "\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\xd0\\xd2\\xabT\\x92\\x02\\x00\\x00 \\x00 \\x00\\x00\\x00\\x00\\x00\\xf8\\xd2\\xabT\\x92\\x02\\x00\\x00\\x02\\x00\\x00\\x00A\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x18\\xd3\\xabT\\x92\\x02\\x00\\x00T\\x00S\\x00A\\x00:\\x00/\\x00/\\x00P\\x00r\\x00o\\x00c\\x00U\\x00n\\x00i\\x00q\\x00u\\x00e\\x00_\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xea\\x17\\x03\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 16700
          },
          {
            "timestamp": "2026-05-28 22:01:58,756",
            "thread_id": "5448",
            "caller": "0x7ff6c28c488d",
            "parentcaller": "0x7ff6c28c375e",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a50"
              }
            ],
            "repeated": 0,
            "id": 16701
          },
          {
            "timestamp": "2026-05-28 22:01:58,756",
            "thread_id": "5448",
            "caller": "0x7ff6c28c3779",
            "parentcaller": "0x7ff6c28c31c6",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a3c"
              }
            ],
            "repeated": 0,
            "id": 16702
          },
          {
            "timestamp": "2026-05-28 22:01:58,756",
            "thread_id": "5448",
            "caller": "0x7ff6c28c05ac",
            "parentcaller": "0x7ff6c28bdc11",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a3c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001400",
                "pretty_value": "PROCESS_QUERY_INFORMATION|PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "4584"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\explorer.exe"
              }
            ],
            "repeated": 0,
            "id": 16703
          },
          {
            "timestamp": "2026-05-28 22:01:58,756",
            "thread_id": "5448",
            "caller": "0x7ff6c28c068f",
            "parentcaller": "0x7ff6c28bdc11",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a3c"
              }
            ],
            "repeated": 0,
            "id": 16704
          },
          {
            "timestamp": "2026-05-28 22:01:58,756",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c837c",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a3c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001000",
                "pretty_value": "PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "4584"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\explorer.exe"
              }
            ],
            "repeated": 0,
            "id": 16705
          },
          {
            "timestamp": "2026-05-28 22:01:58,756",
            "thread_id": "5448",
            "caller": "0x7ff6c28c472e",
            "parentcaller": "0x7ff6c28c8392",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a3c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x00000a50"
              }
            ],
            "repeated": 0,
            "id": 16706
          },
          {
            "timestamp": "2026-05-28 22:01:58,756",
            "thread_id": "5448",
            "caller": "0x7ff6c28c4764",
            "parentcaller": "0x7ff6c28c8392",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "39"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 16707
          },
          {
            "timestamp": "2026-05-28 22:01:58,756",
            "thread_id": "5448",
            "caller": "0x7ff6c28c47ed",
            "parentcaller": "0x7ff6c28c8392",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "39"
              },
              {
                "name": "TokenInformation",
                "value": "\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\xd0\\xd2\\xabT\\x92\\x02\\x00\\x00 \\x00 \\x00\\x00\\x00\\x00\\x00\\xf8\\xd2\\xabT\\x92\\x02\\x00\\x00\\x02\\x00\\x00\\x00A\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x18\\xd3\\xabT\\x92\\x02\\x00\\x00T\\x00S\\x00A\\x00:\\x00/\\x00/\\x00P\\x00r\\x00o\\x00c\\x00U\\x00n\\x00i\\x00q\\x00u\\x00e\\x00b\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x8aM\\x03\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 16708
          },
          {
            "timestamp": "2026-05-28 22:01:58,756",
            "thread_id": "5448",
            "caller": "0x7ff6c28c488d",
            "parentcaller": "0x7ff6c28c8392",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a50"
              }
            ],
            "repeated": 0,
            "id": 16709
          },
          {
            "timestamp": "2026-05-28 22:01:58,756",
            "thread_id": "5448",
            "caller": "0x7ff6c28c83a8",
            "parentcaller": "0x7ff6c28c8427",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a3c"
              }
            ],
            "repeated": 0,
            "id": 16710
          },
          {
            "timestamp": "2026-05-28 22:01:58,756",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c3e56",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a3c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001000",
                "pretty_value": "PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "4584"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\explorer.exe"
              }
            ],
            "repeated": 0,
            "id": 16711
          },
          {
            "timestamp": "2026-05-28 22:01:58,756",
            "thread_id": "5448",
            "caller": "0x7ff6c28c3ebb",
            "parentcaller": "0x7ff6c28c2d53",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a3c"
              }
            ],
            "repeated": 0,
            "id": 16712
          },
          {
            "timestamp": "2026-05-28 22:01:58,756",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c3ffc",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a3c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001000",
                "pretty_value": "PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "4584"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\explorer.exe"
              }
            ],
            "repeated": 0,
            "id": 16713
          },
          {
            "timestamp": "2026-05-28 22:01:58,756",
            "thread_id": "5448",
            "caller": "0x7ff6c28c4224",
            "parentcaller": "0x7ff6c28c2da5",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a3c"
              }
            ],
            "repeated": 0,
            "id": 16714
          },
          {
            "timestamp": "2026-05-28 22:01:58,756",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a3c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000400",
                "pretty_value": "PROCESS_QUERY_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "7912"
              }
            ],
            "repeated": 0,
            "id": 16715
          },
          {
            "timestamp": "2026-05-28 22:01:58,756",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x00000a50"
              }
            ],
            "repeated": 0,
            "id": 16716
          },
          {
            "timestamp": "2026-05-28 22:01:58,756",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "`\\xd8\\xdf\\x9d\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\xe9\\x03\\x00\\x00\\x00\\x00\\x00\\x00<\n\\x00\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xc0\\xff\\xdf\\x9d\\xf0\\x00\\x00\\x00H\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 16717
          },
          {
            "timestamp": "2026-05-28 22:01:58,756",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "synchronization",
            "api": "NtCreateMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a44"
              },
              {
                "name": "MutexName",
                "value": "Global\\C::Users:admin:AppData:Local:Microsoft:Windows:Explorer:iconcache_idx.db!rwReaderRefs"
              },
              {
                "name": "InitialOwner",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 16718
          },
          {
            "timestamp": "2026-05-28 22:01:58,756",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a50"
              }
            ],
            "repeated": 0,
            "id": 16719
          },
          {
            "timestamp": "2026-05-28 22:01:58,756",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a3c"
              }
            ],
            "repeated": 0,
            "id": 16720
          },
          {
            "timestamp": "2026-05-28 22:01:58,756",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000808"
              },
              {
                "name": "HandleName",
                "value": "C:\\Users\\admin\\AppData\\Local\\Microsoft\\Windows\\Explorer\\iconcache_idx.db"
              },
              {
                "name": "FileInformationClass",
                "value": "5",
                "pretty_value": "FileStandardInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\x00\\x80\\x00\\x00\\x00\\x00\\x00\\x000r\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 16721
          },
          {
            "timestamp": "2026-05-28 22:01:58,756",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a3c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000400",
                "pretty_value": "PROCESS_QUERY_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "7912"
              }
            ],
            "repeated": 0,
            "id": 16722
          },
          {
            "timestamp": "2026-05-28 22:01:58,756",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x00000a50"
              }
            ],
            "repeated": 0,
            "id": 16723
          },
          {
            "timestamp": "2026-05-28 22:01:58,756",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": " \\xd9\\xdf\\x9d\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\xe9\\x03\\x00\\x00\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x99\\xdb\\xdf\\x9d\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00T\\x82*_\\xfc\\x7f\\x00\\x004\\x007\\x004\\x00a\\x008\\x00\\x00\\x00\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x000\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x98\\xda\\xdf\\x9d\\xf0\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 16724
          },
          {
            "timestamp": "2026-05-28 22:01:58,756",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "synchronization",
            "api": "NtCreateMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a30"
              },
              {
                "name": "MutexName",
                "value": "Global\\C::Users:admin:AppData:Local:Microsoft:Windows:Explorer:iconcache_idx.db!0474a8"
              },
              {
                "name": "InitialOwner",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 16725
          },
          {
            "timestamp": "2026-05-28 22:01:58,756",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a50"
              }
            ],
            "repeated": 0,
            "id": 16726
          },
          {
            "timestamp": "2026-05-28 22:01:58,756",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a3c"
              }
            ],
            "repeated": 0,
            "id": 16727
          },
          {
            "timestamp": "2026-05-28 22:01:58,756",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000a4c"
              },
              {
                "name": "HandleName",
                "value": "C:\\Users\\admin\\AppData\\Local\\Microsoft\\Windows\\Explorer\\iconcache_16.db"
              },
              {
                "name": "FileInformationClass",
                "value": "5",
                "pretty_value": "FileStandardInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 16728
          },
          {
            "timestamp": "2026-05-28 22:01:58,756",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a44"
              }
            ],
            "repeated": 0,
            "id": 16729
          },
          {
            "timestamp": "2026-05-28 22:01:58,756",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a44"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000400",
                "pretty_value": "PROCESS_QUERY_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "7912"
              }
            ],
            "repeated": 0,
            "id": 16730
          },
          {
            "timestamp": "2026-05-28 22:01:58,756",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x00000a3c"
              }
            ],
            "repeated": 0,
            "id": 16731
          },
          {
            "timestamp": "2026-05-28 22:01:58,756",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "0\\xd9\\xdf\\x9d\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\xe9\\x03\\x00\\x00\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xd0\\xd9\\xdf\\x9d\\xf0\\x00\\x00\\x00x\\xdb\\xdf\\x9d\\xf0\\x00\\x00\\x00\\xa8t\\xb3T\\x92\\x02\\x00\\x00\\xb0\\xd9\\xdf\\x9d\\xf0\\x00\\x00\\x00\\x00\\xda\\xdf\\x9d\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xf0\\x00\\x00\\x00\\x00\\x00\\xafT\\x92\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00u\\xc0\\x00\\x00\\x00\\x00\\xafT\\x92\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 16732
          },
          {
            "timestamp": "2026-05-28 22:01:58,756",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "synchronization",
            "api": "NtCreateMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a50"
              },
              {
                "name": "MutexName",
                "value": "Global\\C::Users:admin:AppData:Local:Microsoft:Windows:Explorer:iconcache_idx.db!rwReaderRefs"
              },
              {
                "name": "InitialOwner",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 16733
          },
          {
            "timestamp": "2026-05-28 22:01:58,756",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a3c"
              }
            ],
            "repeated": 0,
            "id": 16734
          },
          {
            "timestamp": "2026-05-28 22:01:58,756",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a44"
              }
            ],
            "repeated": 0,
            "id": 16735
          },
          {
            "timestamp": "2026-05-28 22:01:58,756",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a50"
              }
            ],
            "repeated": 0,
            "id": 16736
          },
          {
            "timestamp": "2026-05-28 22:01:58,756",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a30"
              }
            ],
            "repeated": 0,
            "id": 16737
          },
          {
            "timestamp": "2026-05-28 22:01:58,756",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29255760002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\explorer.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 16738
          },
          {
            "timestamp": "2026-05-28 22:01:58,756",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "registry",
            "api": "NtOpenKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\en-US"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\en-US"
              }
            ],
            "repeated": 0,
            "id": 16739
          },
          {
            "timestamp": "2026-05-28 22:01:58,756",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000a30"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100001",
                "pretty_value": "FILE_READ_ACCESS|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\en-US\\explorer.exe.mui"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 16740
          },
          {
            "timestamp": "2026-05-28 22:01:58,756",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000a50"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000a30"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\en-US\\explorer.exe.mui"
              }
            ],
            "repeated": 0,
            "id": 16741
          },
          {
            "timestamp": "2026-05-28 22:01:58,756",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000a50"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x292544f0000"
              },
              {
                "name": "SectionOffset",
                "value": "0xf09ddfcf90"
              },
              {
                "name": "ViewSize",
                "value": "0x00004000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 16742
          },
          {
            "timestamp": "2026-05-28 22:01:58,756",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a50"
              }
            ],
            "repeated": 0,
            "id": 16743
          },
          {
            "timestamp": "2026-05-28 22:01:58,756",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x292544f0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 16744
          },
          {
            "timestamp": "2026-05-28 22:01:58,756",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a30"
              }
            ],
            "repeated": 0,
            "id": 16745
          },
          {
            "timestamp": "2026-05-28 22:01:58,756",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29255760000"
              },
              {
                "name": "RegionSize",
                "value": "0x00546000"
              }
            ],
            "repeated": 0,
            "id": 16746
          },
          {
            "timestamp": "2026-05-28 22:01:58,756",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29255760002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\explorer.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 16747
          },
          {
            "timestamp": "2026-05-28 22:01:58,756",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "registry",
            "api": "NtOpenKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\en-US"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\en-US"
              }
            ],
            "repeated": 0,
            "id": 16748
          },
          {
            "timestamp": "2026-05-28 22:01:58,756",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000a30"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100001",
                "pretty_value": "FILE_READ_ACCESS|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\en-US\\explorer.exe.mui"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 16749
          },
          {
            "timestamp": "2026-05-28 22:01:58,756",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000a50"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000a30"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\en-US\\explorer.exe.mui"
              }
            ],
            "repeated": 0,
            "id": 16750
          },
          {
            "timestamp": "2026-05-28 22:01:58,756",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000a50"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x292544f0000"
              },
              {
                "name": "SectionOffset",
                "value": "0xf09ddfcf80"
              },
              {
                "name": "ViewSize",
                "value": "0x00004000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 16751
          },
          {
            "timestamp": "2026-05-28 22:01:58,756",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a50"
              }
            ],
            "repeated": 0,
            "id": 16752
          },
          {
            "timestamp": "2026-05-28 22:01:58,756",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x292544f0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 16753
          },
          {
            "timestamp": "2026-05-28 22:01:58,756",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a30"
              }
            ],
            "repeated": 0,
            "id": 16754
          },
          {
            "timestamp": "2026-05-28 22:01:58,756",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29255760000"
              },
              {
                "name": "RegionSize",
                "value": "0x00546000"
              }
            ],
            "repeated": 0,
            "id": 16755
          },
          {
            "timestamp": "2026-05-28 22:01:58,756",
            "thread_id": "5448",
            "caller": "0x7ff6c28c3b16",
            "parentcaller": "0x7ff6c28c30e8",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a30"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000400",
                "pretty_value": "PROCESS_QUERY_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "4584"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\explorer.exe"
              }
            ],
            "repeated": 0,
            "id": 16756
          },
          {
            "timestamp": "2026-05-28 22:01:58,756",
            "thread_id": "5448",
            "caller": "0x7ff6c28c3b8f",
            "parentcaller": "0x7ff6c28c30e8",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a30"
              }
            ],
            "repeated": 0,
            "id": 16757
          },
          {
            "timestamp": "2026-05-28 22:01:58,771",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c38f8",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a30"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001410",
                "pretty_value": "PROCESS_VM_READ|PROCESS_QUERY_INFORMATION|PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "4584"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\explorer.exe"
              }
            ],
            "repeated": 0,
            "id": 16758
          },
          {
            "timestamp": "2026-05-28 22:01:58,771",
            "thread_id": "5448",
            "caller": "0x7ff6c28c53e5",
            "parentcaller": "0x7ff6c28c3945",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a30"
              },
              {
                "name": "BaseAddress",
                "value": "0x0059c000"
              },
              {
                "name": "Size",
                "value": "0x000007c8"
              },
              {
                "name": "Buffer",
                "value": "\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\x01^\\xf6\\x7f\\x00\\x00\\xc0\\xc4\\x13x\\xfc\\x7f\\x00\\x00\\xf0\\x1ag\\x00\\x00\\x00\\x00\\x00\\xd0\\xb1\\x0fp\\xfc\\x7f\\x00\\x00\\x00\\x00g\\x00\\x00\\x00\\x00\\x00\\xe0\\xc0\\x13x\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00p\\x003v\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x005\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00@\\xc4\\x13x\\xfc\\x7f\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\xdcz\\xf4}\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00P\\x07\\xdcz\\xf4}\\x00\\x00\\x00\\x00\\xf0|\\xf5}\\x00\\x00(\\x02\\xf1|\\xf5}\\x00\\x00P\\x06\\xf2|\\xf5}\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x80\\x9b\\x07m\\xe8\\xff\\xff\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x00 \\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\x07\\x00\\x00\\x00\\x10\\x00\\x00\\x00@\\xad\\x13x\\xfc\\x7f\\x00\\x00\\x00\\x00\\xb7\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 16759
          },
          {
            "timestamp": "2026-05-28 22:01:58,771",
            "thread_id": "5448",
            "caller": "0x7ff6c28c5414",
            "parentcaller": "0x7ff6c28c3945",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a30"
              },
              {
                "name": "BaseAddress",
                "value": "0x00671af0"
              },
              {
                "name": "Size",
                "value": "0x00000440"
              },
              {
                "name": "Buffer",
                "value": "(\\x07\\x00\\x00(\\x07\\x00\\x00\\x01`\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00(\\x00\\x08\\x02\\x00\\x00\\x00\\x00p&g\\x00\\x00\\x00\\x00\\x00@\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00.\\x000\\x00\\x00\\x00\\x00\\x008!g\\x00\\x00\\x00\\x00\\x00.\\x000\\x00\\x00\\x00\\x00\\x00h!g\\x00\\x00\\x00\\x00\\x00 \\x86\\xf0\\x06\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xc7\\x81\\xf4\\x01\\x00\\x00\\x08\n\\xc7\\x81\\x01P\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x004\\x006\\x00\\x00\\x00\\x00\\x00\\x90\\xcai\\x00\\x00\\x00\\x00\\x00\\x1e\\x00 \\x00\\x00\\x00\\x00\\x00\\xc8!g\\x00\\x00\\x00\\x00\\x00.\\x000\\x00\\x00\\x00\\x00\\x00\\xe8!g\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 16760
          },
          {
            "timestamp": "2026-05-28 22:01:58,771",
            "thread_id": "5448",
            "caller": "0x7ff6c28c545d",
            "parentcaller": "0x7ff6c28c3945",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a30"
              },
              {
                "name": "BaseAddress",
                "value": "0x00672168"
              },
              {
                "name": "Size",
                "value": "0x0000002e"
              },
              {
                "name": "Buffer",
                "value": "C\\x00:\\x00\\\\x00W\\x00i\\x00n\\x00d\\x00o\\x00w\\x00s\\x00\\\\x00E\\x00x\\x00p\\x00l\\x00o\\x00r\\x00e\\x00r\\x00.\\x00E\\x00X\\x00E\\x00"
              }
            ],
            "repeated": 0,
            "id": 16761
          },
          {
            "timestamp": "2026-05-28 22:01:58,771",
            "thread_id": "5448",
            "caller": "0x7ff6c28c39ad",
            "parentcaller": "0x7ff6c28c31bb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a30"
              }
            ],
            "repeated": 0,
            "id": 16762
          },
          {
            "timestamp": "2026-05-28 22:01:58,771",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c3746",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a30"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001000",
                "pretty_value": "PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "4584"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\explorer.exe"
              }
            ],
            "repeated": 0,
            "id": 16763
          },
          {
            "timestamp": "2026-05-28 22:01:58,771",
            "thread_id": "5448",
            "caller": "0x7ff6c28c472e",
            "parentcaller": "0x7ff6c28c375e",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a30"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x00000a50"
              }
            ],
            "repeated": 0,
            "id": 16764
          },
          {
            "timestamp": "2026-05-28 22:01:58,771",
            "thread_id": "5448",
            "caller": "0x7ff6c28c4764",
            "parentcaller": "0x7ff6c28c375e",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "39"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 16765
          },
          {
            "timestamp": "2026-05-28 22:01:58,771",
            "thread_id": "5448",
            "caller": "0x7ff6c28c47ed",
            "parentcaller": "0x7ff6c28c375e",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "39"
              },
              {
                "name": "TokenInformation",
                "value": "\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\xd0\\xd2\\xabT\\x92\\x02\\x00\\x00 \\x00 \\x00\\x00\\x00\\x00\\x00\\xf8\\xd2\\xabT\\x92\\x02\\x00\\x00\\x02\\x00\\x00\\x00A\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x18\\xd3\\xabT\\x92\\x02\\x00\\x00T\\x00S\\x00A\\x00:\\x00/\\x00/\\x00P\\x00r\\x00o\\x00c\\x00U\\x00n\\x00i\\x00q\\x00u\\x00e\\x00b\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x8aM\\x03\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 16766
          },
          {
            "timestamp": "2026-05-28 22:01:58,771",
            "thread_id": "5448",
            "caller": "0x7ff6c28c488d",
            "parentcaller": "0x7ff6c28c375e",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a50"
              }
            ],
            "repeated": 0,
            "id": 16767
          },
          {
            "timestamp": "2026-05-28 22:01:58,771",
            "thread_id": "5448",
            "caller": "0x7ff6c28c3779",
            "parentcaller": "0x7ff6c28c31c6",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a30"
              }
            ],
            "repeated": 0,
            "id": 16768
          },
          {
            "timestamp": "2026-05-28 22:01:58,771",
            "thread_id": "5448",
            "caller": "0x7ff6c28c05ac",
            "parentcaller": "0x7ff6c28bdc11",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a30"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001400",
                "pretty_value": "PROCESS_QUERY_INFORMATION|PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "4836"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\System32\\svchost.exe"
              }
            ],
            "repeated": 0,
            "id": 16769
          },
          {
            "timestamp": "2026-05-28 22:01:58,771",
            "thread_id": "5448",
            "caller": "0x7ff6c28c068f",
            "parentcaller": "0x7ff6c28bdc11",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a30"
              }
            ],
            "repeated": 0,
            "id": 16770
          },
          {
            "timestamp": "2026-05-28 22:01:58,771",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c3e56",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a30"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001000",
                "pretty_value": "PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "4836"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\System32\\svchost.exe"
              }
            ],
            "repeated": 0,
            "id": 16771
          },
          {
            "timestamp": "2026-05-28 22:01:58,771",
            "thread_id": "5448",
            "caller": "0x7ff6c28c3ebb",
            "parentcaller": "0x7ff6c28c2d53",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a30"
              }
            ],
            "repeated": 0,
            "id": 16772
          },
          {
            "timestamp": "2026-05-28 22:01:58,771",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c3ffc",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a30"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001000",
                "pretty_value": "PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "4836"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\System32\\svchost.exe"
              }
            ],
            "repeated": 0,
            "id": 16773
          },
          {
            "timestamp": "2026-05-28 22:01:58,771",
            "thread_id": "5448",
            "caller": "0x7ff6c28c4224",
            "parentcaller": "0x7ff6c28c2da5",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a30"
              }
            ],
            "repeated": 0,
            "id": 16774
          },
          {
            "timestamp": "2026-05-28 22:01:58,771",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x292544f0002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\System32\\svchost.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 16775
          },
          {
            "timestamp": "2026-05-28 22:01:58,771",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "registry",
            "api": "NtOpenKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\en-US"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\en-US"
              }
            ],
            "repeated": 0,
            "id": 16776
          },
          {
            "timestamp": "2026-05-28 22:01:58,771",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000a30"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100001",
                "pretty_value": "FILE_READ_ACCESS|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\en-US\\svchost.exe.mui"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 16777
          },
          {
            "timestamp": "2026-05-28 22:01:58,771",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000a50"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000a30"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\en-US\\svchost.exe.mui"
              }
            ],
            "repeated": 0,
            "id": 16778
          },
          {
            "timestamp": "2026-05-28 22:01:58,771",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000a50"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254500000"
              },
              {
                "name": "SectionOffset",
                "value": "0xf09ddfcf90"
              },
              {
                "name": "ViewSize",
                "value": "0x00001000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 16779
          },
          {
            "timestamp": "2026-05-28 22:01:58,771",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a50"
              }
            ],
            "repeated": 0,
            "id": 16780
          },
          {
            "timestamp": "2026-05-28 22:01:58,771",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254500000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              }
            ],
            "repeated": 0,
            "id": 16781
          },
          {
            "timestamp": "2026-05-28 22:01:58,771",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a30"
              }
            ],
            "repeated": 0,
            "id": 16782
          },
          {
            "timestamp": "2026-05-28 22:01:58,771",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x292544f0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              }
            ],
            "repeated": 0,
            "id": 16783
          },
          {
            "timestamp": "2026-05-28 22:01:58,771",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x292544f0002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\System32\\svchost.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 16784
          },
          {
            "timestamp": "2026-05-28 22:01:58,771",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "registry",
            "api": "NtOpenKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\en-US"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\en-US"
              }
            ],
            "repeated": 0,
            "id": 16785
          },
          {
            "timestamp": "2026-05-28 22:01:58,771",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000007d4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100001",
                "pretty_value": "FILE_READ_ACCESS|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\en-US\\svchost.exe.mui"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 16786
          },
          {
            "timestamp": "2026-05-28 22:01:58,771",
            "thread_id": "1496",
            "caller": "0x7ff6c28da9db",
            "parentcaller": "0x7ff6c28d6fb1",
            "category": "misc",
            "api": "GetCursorPos",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "x",
                "value": "591"
              },
              {
                "name": "y",
                "value": "376"
              }
            ],
            "repeated": 0,
            "id": 16787
          },
          {
            "timestamp": "2026-05-28 22:01:58,771",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000a38"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x000007d4"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\en-US\\svchost.exe.mui"
              }
            ],
            "repeated": 0,
            "id": 16788
          },
          {
            "timestamp": "2026-05-28 22:01:58,771",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000a38"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254500000"
              },
              {
                "name": "SectionOffset",
                "value": "0xf09ddfcf80"
              },
              {
                "name": "ViewSize",
                "value": "0x00001000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 16789
          },
          {
            "timestamp": "2026-05-28 22:01:58,771",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a38"
              }
            ],
            "repeated": 0,
            "id": 16790
          },
          {
            "timestamp": "2026-05-28 22:01:58,771",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254500000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              }
            ],
            "repeated": 0,
            "id": 16791
          },
          {
            "timestamp": "2026-05-28 22:01:58,771",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000007d4"
              }
            ],
            "repeated": 0,
            "id": 16792
          },
          {
            "timestamp": "2026-05-28 22:01:58,771",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x292544f0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              }
            ],
            "repeated": 0,
            "id": 16793
          },
          {
            "timestamp": "2026-05-28 22:01:58,771",
            "thread_id": "1496",
            "caller": "0x7ff6c28da9db",
            "parentcaller": "0x7ff6c28d6fb1",
            "category": "misc",
            "api": "GetCursorPos",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "x",
                "value": "585"
              },
              {
                "name": "y",
                "value": "374"
              }
            ],
            "repeated": 0,
            "id": 16794
          },
          {
            "timestamp": "2026-05-28 22:01:58,771",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c38f8",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000007d4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001410",
                "pretty_value": "PROCESS_VM_READ|PROCESS_QUERY_INFORMATION|PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "4836"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\System32\\svchost.exe"
              }
            ],
            "repeated": 0,
            "id": 16795
          },
          {
            "timestamp": "2026-05-28 22:01:58,771",
            "thread_id": "5448",
            "caller": "0x7ff6c28c53e5",
            "parentcaller": "0x7ff6c28c3945",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000007d4"
              },
              {
                "name": "BaseAddress",
                "value": "0xdb71f1a000"
              },
              {
                "name": "Size",
                "value": "0x000007c8"
              },
              {
                "name": "Buffer",
                "value": "\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x006\\x80\\xf7\\x7f\\x00\\x00\\xc0\\xc4\\x13x\\xfc\\x7f\\x00\\x00\\xd02 o\\xa5\\x02\\x00\\x00\\xd0\\xb1\\x0fp\\xfc\\x7f\\x00\\x00\\x00\\x00\\x0fo\\xa5\\x02\\x00\\x00\\xe0\\xc0\\x13x\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00p\\x003v\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\no\\xa5\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00@\\xc4\\x13x\\xfc\\x7f\\x00\\x00\\xff\\xff\\xff\\x07\\x00\\x00\\x00\\x00\\x00\\x00\\xfa@\\xf4}\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00P\\x07\\xfa@\\xf4}\\x00\\x00\\x00\\x00\\x0eC\\xf5}\\x00\\x00(\\x02\\x0fC\\xf5}\\x00\\x00P\\x06\\x10C\\xf5}\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x80\\x9b\\x07m\\xe8\\xff\\xff\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x00 \\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x10\\x00\\x00\\x00@\\xad\\x13x\\xfc\\x7f\\x00\\x00\\x00\\x00ao\\xa5\\x02\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 16796
          },
          {
            "timestamp": "2026-05-28 22:01:58,771",
            "thread_id": "5448",
            "caller": "0x7ff6c28c5414",
            "parentcaller": "0x7ff6c28c3945",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000007d4"
              },
              {
                "name": "BaseAddress",
                "value": "0x2a56f2032d0"
              },
              {
                "name": "Size",
                "value": "0x00000440"
              },
              {
                "name": "Buffer",
                "value": "R\\x07\\x00\\x00R\\x07\\x00\\x00\\x01 \\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00(\\x00\\x08\\x02\\x00\\x00\\x00\\x00\\xa0> o\\xa5\\x02\\x00\\x00H\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00>\\x00@\\x00\\x00\\x00\\x00\\x00\\x189 o\\xa5\\x02\\x00\\x00\\x84\\x00\\x86\\x00\\x00\\x00\\x00\\x00X9 o\\xa5\\x02\\x00\\x00\\xf0' o\\xa5\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x80\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00>\\x00@\\x00\\x00\\x00\\x00\\x00\\xde9 o\\xa5\\x02\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x1e: o\\xa5\\x02\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00 : o\\xa5\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 16797
          },
          {
            "timestamp": "2026-05-28 22:01:58,771",
            "thread_id": "5448",
            "caller": "0x7ff6c28c545d",
            "parentcaller": "0x7ff6c28c3945",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000007d4"
              },
              {
                "name": "BaseAddress",
                "value": "0x2a56f203958"
              },
              {
                "name": "Size",
                "value": "0x00000084"
              },
              {
                "name": "Buffer",
                "value": "C\\x00:\\x00\\\\x00W\\x00i\\x00n\\x00d\\x00o\\x00w\\x00s\\x00\\\\x00s\\x00y\\x00s\\x00t\\x00e\\x00m\\x003\\x002\\x00\\\\x00s\\x00v\\x00c\\x00h\\x00o\\x00s\\x00t\\x00.\\x00e\\x00x\\x00e\\x00 \\x00-\\x00k\\x00 \\x00C\\x00l\\x00i\\x00p\\x00b\\x00o\\x00a\\x00r\\x00d\\x00S\\x00v\\x00c\\x00G\\x00r\\x00o\\x00u\\x00p\\x00 \\x00-\\x00p\\x00 \\x00-\\x00s\\x00 \\x00c\\x00b\\x00d\\x00h\\x00s\\x00v\\x00c\\x00"
              }
            ],
            "repeated": 0,
            "id": 16798
          },
          {
            "timestamp": "2026-05-28 22:01:58,771",
            "thread_id": "5448",
            "caller": "0x7ff6c28c39ad",
            "parentcaller": "0x7ff6c28c31bb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000007d4"
              }
            ],
            "repeated": 0,
            "id": 16799
          },
          {
            "timestamp": "2026-05-28 22:01:58,771",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c3746",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000007d4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001000",
                "pretty_value": "PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "4836"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\System32\\svchost.exe"
              }
            ],
            "repeated": 0,
            "id": 16800
          },
          {
            "timestamp": "2026-05-28 22:01:58,771",
            "thread_id": "5448",
            "caller": "0x7ff6c28c472e",
            "parentcaller": "0x7ff6c28c375e",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000007d4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x00000a30"
              }
            ],
            "repeated": 0,
            "id": 16801
          },
          {
            "timestamp": "2026-05-28 22:01:58,771",
            "thread_id": "5448",
            "caller": "0x7ff6c28c4764",
            "parentcaller": "0x7ff6c28c375e",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "39"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 16802
          },
          {
            "timestamp": "2026-05-28 22:01:58,771",
            "thread_id": "5448",
            "caller": "0x7ff6c28c47ed",
            "parentcaller": "0x7ff6c28c375e",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "39"
              },
              {
                "name": "TokenInformation",
                "value": "\\x01\\x00\\x00\\x00\\x02\\x00\\x00\\x00P\\xf5$T\\x92\\x02\\x00\\x00(\\x00(\\x00\\x00\\x00\\x00\\x00\\xa0\\xf5$T\\x92\\x02\\x00\\x00\\x02\\x00\\x00\\x00@\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xc8\\xf5$T\\x92\\x02\\x00\\x00 \\x00 \\x00\\x00\\x00\\x00\\x00\\xd0\\xf5$T\\x92\\x02\\x00\\x00\\x02\\x00\\x00\\x00A\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xf0\\xf5$T\\x92\\x02\\x00\\x00W\\x00I\\x00N\\x00:\\x00/\\x00/\\x00S\\x00C\\x00M\\x00U\\x00s\\x00e\\x00r\\x00S\\x00e\\x00r\\x00v\\x00i\\x00c\\x00e\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00T\\x00S\\x00A\\x00:\\x00/\\x00/\\x00P\\x00r\\x00o\\x00c\\x00U\\x00n\\x00i\\x00q\\x00u\\x00e\\x00e\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xc9\\x92\\x03\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 16803
          },
          {
            "timestamp": "2026-05-28 22:01:58,771",
            "thread_id": "5448",
            "caller": "0x7ff6c28c488d",
            "parentcaller": "0x7ff6c28c375e",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a30"
              }
            ],
            "repeated": 0,
            "id": 16804
          },
          {
            "timestamp": "2026-05-28 22:01:58,771",
            "thread_id": "5448",
            "caller": "0x7ff6c28c3779",
            "parentcaller": "0x7ff6c28c31c6",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000007d4"
              }
            ],
            "repeated": 0,
            "id": 16805
          },
          {
            "timestamp": "2026-05-28 22:01:58,771",
            "thread_id": "5448",
            "caller": "0x7ff6c28c05ac",
            "parentcaller": "0x7ff6c28bdc11",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000007d4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001400",
                "pretty_value": "PROCESS_QUERY_INFORMATION|PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "4128"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\System32\\dllhost.exe"
              }
            ],
            "repeated": 0,
            "id": 16806
          },
          {
            "timestamp": "2026-05-28 22:01:58,771",
            "thread_id": "5448",
            "caller": "0x7ff6c28c068f",
            "parentcaller": "0x7ff6c28bdc11",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000007d4"
              }
            ],
            "repeated": 0,
            "id": 16807
          },
          {
            "timestamp": "2026-05-28 22:01:58,771",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c3e56",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000007d4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001000",
                "pretty_value": "PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "4128"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\System32\\dllhost.exe"
              }
            ],
            "repeated": 0,
            "id": 16808
          },
          {
            "timestamp": "2026-05-28 22:01:58,771",
            "thread_id": "5448",
            "caller": "0x7ff6c28c3ebb",
            "parentcaller": "0x7ff6c28c2d53",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000007d4"
              }
            ],
            "repeated": 0,
            "id": 16809
          },
          {
            "timestamp": "2026-05-28 22:01:58,771",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c3ffc",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000007d4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001000",
                "pretty_value": "PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "4128"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\System32\\dllhost.exe"
              }
            ],
            "repeated": 0,
            "id": 16810
          },
          {
            "timestamp": "2026-05-28 22:01:58,771",
            "thread_id": "5448",
            "caller": "0x7ff6c28c4224",
            "parentcaller": "0x7ff6c28c2da5",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000007d4"
              }
            ],
            "repeated": 0,
            "id": 16811
          },
          {
            "timestamp": "2026-05-28 22:01:58,771",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000007d4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000400",
                "pretty_value": "PROCESS_QUERY_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "7912"
              }
            ],
            "repeated": 0,
            "id": 16812
          },
          {
            "timestamp": "2026-05-28 22:01:58,771",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x00000a30"
              }
            ],
            "repeated": 0,
            "id": 16813
          },
          {
            "timestamp": "2026-05-28 22:01:58,771",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "`\\xd8\\xdf\\x9d\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\xe9\\x03\\x00\\x00\\xfc\\x7f\\x00\\x00`^\\xe8S\\x92\\x02\\x00\\x00\\xe0\\xde\\xdf\\x9d\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x94\\x00\\x00\\x00\\x00\\x00\\x00\\x00H\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 16814
          },
          {
            "timestamp": "2026-05-28 22:01:58,771",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "synchronization",
            "api": "NtCreateMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a50"
              },
              {
                "name": "MutexName",
                "value": "Global\\C::Users:admin:AppData:Local:Microsoft:Windows:Explorer:iconcache_idx.db!rwReaderRefs"
              },
              {
                "name": "InitialOwner",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 16815
          },
          {
            "timestamp": "2026-05-28 22:01:58,771",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a30"
              }
            ],
            "repeated": 0,
            "id": 16816
          },
          {
            "timestamp": "2026-05-28 22:01:58,771",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000007d4"
              }
            ],
            "repeated": 0,
            "id": 16817
          },
          {
            "timestamp": "2026-05-28 22:01:58,771",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000808"
              },
              {
                "name": "HandleName",
                "value": "C:\\Users\\admin\\AppData\\Local\\Microsoft\\Windows\\Explorer\\iconcache_idx.db"
              },
              {
                "name": "FileInformationClass",
                "value": "5",
                "pretty_value": "FileStandardInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\x00\\x80\\x00\\x00\\x00\\x00\\x00\\x000r\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 16818
          },
          {
            "timestamp": "2026-05-28 22:01:58,771",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a50"
              }
            ],
            "repeated": 0,
            "id": 16819
          },
          {
            "timestamp": "2026-05-28 22:01:58,771",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a50"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000400",
                "pretty_value": "PROCESS_QUERY_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "7912"
              }
            ],
            "repeated": 0,
            "id": 16820
          },
          {
            "timestamp": "2026-05-28 22:01:58,771",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x000007d4"
              }
            ],
            "repeated": 0,
            "id": 16821
          },
          {
            "timestamp": "2026-05-28 22:01:58,771",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "p\\xd8\\xdf\\x9d\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\xe9\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xbc\\x07\\x00\\x00\\x00\\x00\\x00\\x00 \\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x02\\x00\\x00\\x00\\x00\\x00\\x00]\\xddmu\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xea5\\x07Ou\\xc0\\x00\\x00\\xe8\\xf6\\x8eT\\x92\\x02\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 16822
          },
          {
            "timestamp": "2026-05-28 22:01:58,771",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "synchronization",
            "api": "NtCreateMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a30"
              },
              {
                "name": "MutexName",
                "value": "Global\\C::Users:admin:AppData:Local:Microsoft:Windows:Explorer:iconcache_idx.db!rwReaderRefs"
              },
              {
                "name": "InitialOwner",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 16823
          },
          {
            "timestamp": "2026-05-28 22:01:58,771",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000007d4"
              }
            ],
            "repeated": 0,
            "id": 16824
          },
          {
            "timestamp": "2026-05-28 22:01:58,771",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a50"
              }
            ],
            "repeated": 0,
            "id": 16825
          },
          {
            "timestamp": "2026-05-28 22:01:58,771",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a30"
              }
            ],
            "repeated": 0,
            "id": 16826
          },
          {
            "timestamp": "2026-05-28 22:01:58,771",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\dllhost.exe"
              }
            ],
            "repeated": 1,
            "id": 16827
          },
          {
            "timestamp": "2026-05-28 22:01:58,771",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x292544f0002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "c:\\windows\\system32\\dllhost.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 16828
          },
          {
            "timestamp": "2026-05-28 22:01:58,771",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100001",
                "pretty_value": "FILE_READ_ACCESS|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\SystemResources\\dllhost.exe.mun"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 16829
          },
          {
            "timestamp": "2026-05-28 22:01:58,771",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x292544f0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00009000"
              }
            ],
            "repeated": 0,
            "id": 16830
          },
          {
            "timestamp": "2026-05-28 22:01:58,771",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\imageres.dll"
              }
            ],
            "repeated": 1,
            "id": 16831
          },
          {
            "timestamp": "2026-05-28 22:01:58,771",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x292544f0002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\system32\\imageres.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 16832
          },
          {
            "timestamp": "2026-05-28 22:01:58,771",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "registry",
            "api": "NtOpenKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\en-US"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\en-US"
              }
            ],
            "repeated": 0,
            "id": 16833
          },
          {
            "timestamp": "2026-05-28 22:01:58,771",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000a30"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100001",
                "pretty_value": "FILE_READ_ACCESS|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\en-US\\imageres.dll.mui"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 16834
          },
          {
            "timestamp": "2026-05-28 22:01:58,771",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000a50"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000a30"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\en-US\\imageres.dll.mui"
              }
            ],
            "repeated": 0,
            "id": 16835
          },
          {
            "timestamp": "2026-05-28 22:01:58,771",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000a50"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254500000"
              },
              {
                "name": "SectionOffset",
                "value": "0xf09ddfb7f0"
              },
              {
                "name": "ViewSize",
                "value": "0x00001000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 16836
          },
          {
            "timestamp": "2026-05-28 22:01:58,771",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a50"
              }
            ],
            "repeated": 0,
            "id": 16837
          },
          {
            "timestamp": "2026-05-28 22:01:58,771",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": false,
            "return": "0xffffffffc000003a",
            "pretty_return": "OBJECT_PATH_NOT_FOUND",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100001",
                "pretty_value": "FILE_READ_ACCESS|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\SystemResources\\imageres.dll.mui.mun"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 16838
          },
          {
            "timestamp": "2026-05-28 22:01:58,771",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000a50"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100001",
                "pretty_value": "FILE_READ_ACCESS|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\SystemResources\\imageres.dll.mun"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 16839
          },
          {
            "timestamp": "2026-05-28 22:01:58,771",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x000007d4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000a50"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\SystemResources\\imageres.dll.mun"
              }
            ],
            "repeated": 0,
            "id": 16840
          },
          {
            "timestamp": "2026-05-28 22:01:58,771",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x000007d4"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29257f80000"
              },
              {
                "name": "SectionOffset",
                "value": "0xf09ddfb7a0"
              },
              {
                "name": "ViewSize",
                "value": "0x013c0000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 16841
          },
          {
            "timestamp": "2026-05-28 22:01:58,771",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000007d4"
              }
            ],
            "repeated": 0,
            "id": 16842
          },
          {
            "timestamp": "2026-05-28 22:01:58,771",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "misc",
            "api": "FindResourceExW",
            "status": true,
            "return": "0x29257fa2e40",
            "arguments": [
              {
                "name": "Module",
                "value": "0x292544f0002"
              },
              {
                "name": "Type",
                "value": "#14"
              },
              {
                "name": "Name",
                "value": "#15"
              },
              {
                "name": "Language",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 16843
          },
          {
            "timestamp": "2026-05-28 22:01:58,771",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "misc",
            "api": "LoadResource",
            "status": true,
            "return": "0x29258016950",
            "arguments": [
              {
                "name": "Module",
                "value": "0x292544f0002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29257fa2e40"
              }
            ],
            "repeated": 0,
            "id": 16844
          },
          {
            "timestamp": "2026-05-28 22:01:58,771",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "misc",
            "api": "FindResourceExW",
            "status": true,
            "return": "0x29257f98940",
            "arguments": [
              {
                "name": "Module",
                "value": "0x292544f0002"
              },
              {
                "name": "Type",
                "value": "#3"
              },
              {
                "name": "Name",
                "value": "#63"
              },
              {
                "name": "Language",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 16845
          },
          {
            "timestamp": "2026-05-28 22:01:58,771",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "misc",
            "api": "SizeofResource",
            "status": true,
            "return": "0x00000468",
            "arguments": [
              {
                "name": "ModuleHandle",
                "value": "0x292544f0002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29257f98940"
              }
            ],
            "repeated": 0,
            "id": 16846
          },
          {
            "timestamp": "2026-05-28 22:01:58,771",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "misc",
            "api": "LoadResource",
            "status": true,
            "return": "0x292580164e8",
            "arguments": [
              {
                "name": "Module",
                "value": "0x292544f0002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29257f98940"
              }
            ],
            "repeated": 0,
            "id": 16847
          },
          {
            "timestamp": "2026-05-28 22:01:58,771",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29257f80000"
              },
              {
                "name": "RegionSize",
                "value": "0x013c0000"
              }
            ],
            "repeated": 0,
            "id": 16848
          },
          {
            "timestamp": "2026-05-28 22:01:58,771",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a50"
              }
            ],
            "repeated": 0,
            "id": 16849
          },
          {
            "timestamp": "2026-05-28 22:01:58,771",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254500000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              }
            ],
            "repeated": 0,
            "id": 16850
          },
          {
            "timestamp": "2026-05-28 22:01:58,771",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a30"
              }
            ],
            "repeated": 0,
            "id": 16851
          },
          {
            "timestamp": "2026-05-28 22:01:58,771",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x292544f0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00003000"
              }
            ],
            "repeated": 0,
            "id": 16852
          },
          {
            "timestamp": "2026-05-28 22:01:58,771",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x292544f0002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\System32\\dllhost.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 16853
          },
          {
            "timestamp": "2026-05-28 22:01:58,771",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x292544f0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00009000"
              }
            ],
            "repeated": 0,
            "id": 16854
          },
          {
            "timestamp": "2026-05-28 22:01:58,771",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x292544f0002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\System32\\dllhost.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 16855
          },
          {
            "timestamp": "2026-05-28 22:01:58,771",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x292544f0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00009000"
              }
            ],
            "repeated": 0,
            "id": 16856
          },
          {
            "timestamp": "2026-05-28 22:01:58,771",
            "thread_id": "5448",
            "caller": "0x7ff6c28c3b16",
            "parentcaller": "0x7ff6c28c30e8",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a30"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000400",
                "pretty_value": "PROCESS_QUERY_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "4128"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\System32\\dllhost.exe"
              }
            ],
            "repeated": 0,
            "id": 16857
          },
          {
            "timestamp": "2026-05-28 22:01:58,771",
            "thread_id": "5448",
            "caller": "0x7ff6c28c3b8f",
            "parentcaller": "0x7ff6c28c30e8",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a30"
              }
            ],
            "repeated": 0,
            "id": 16858
          },
          {
            "timestamp": "2026-05-28 22:01:58,771",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c38f8",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a30"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001410",
                "pretty_value": "PROCESS_VM_READ|PROCESS_QUERY_INFORMATION|PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "4128"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\System32\\dllhost.exe"
              }
            ],
            "repeated": 0,
            "id": 16859
          },
          {
            "timestamp": "2026-05-28 22:01:58,771",
            "thread_id": "5448",
            "caller": "0x7ff6c28c53e5",
            "parentcaller": "0x7ff6c28c3945",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a30"
              },
              {
                "name": "BaseAddress",
                "value": "0x92fb68c000"
              },
              {
                "name": "Size",
                "value": "0x000007c8"
              },
              {
                "name": "Buffer",
                "value": "\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\xdf\\x99\\xf6\\x7f\\x00\\x00\\xc0\\xc4\\x13x\\xfc\\x7f\\x00\\x00\\x00\\x1b\\xa8=x\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xa8=x\\x02\\x00\\x00\\xe0\\xc0\\x13x\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00p\\x003v\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x8d=x\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00@\\xc4\\x13x\\xfc\\x7f\\x00\\x00\\xff\\xff?\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x0e]\\xf4}\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00P\\x07\\x0e]\\xf4}\\x00\\x00\\x00\\x00\"_\\xf5}\\x00\\x00(\\x02#_\\xf5}\\x00\\x00P\\x06$_\\xf5}\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x80\\x9b\\x07m\\xe8\\xff\\xff\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x00 \\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x10\\x00\\x00\\x00@\\xad\\x13x\\xfc\\x7f\\x00\\x00\\x00\\x00\\xf1=x\\x02\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 16860
          },
          {
            "timestamp": "2026-05-28 22:01:58,771",
            "thread_id": "5448",
            "caller": "0x7ff6c28c5414",
            "parentcaller": "0x7ff6c28c3945",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a30"
              },
              {
                "name": "BaseAddress",
                "value": "0x2783da81b00"
              },
              {
                "name": "Size",
                "value": "0x00000440"
              },
              {
                "name": "Buffer",
                "value": "\\x8e\\x07\\x00\\x00\\x8e\\x07\\x00\\x00\\x01@\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00(\\x00\\x08\\x02\\x00\\x00\\x00\\x00\\xf0&\\xa8=x\\x02\\x00\\x00@\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00>\\x00@\\x00\\x00\\x00\\x00\\x00H!\\xa8=x\\x02\\x00\\x00\\xa2\\x00\\xa4\\x00\\x00\\x00\\x00\\x00\\x88!\\xa8=x\\x02\\x00\\x00\\xd0t\\xac=x\\x02\\x00\\x00(\\x00\\x00\\x00(\\x00\\x00\\x00P\\x00\\x00\\x00(\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x80\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00>\\x00@\\x00\\x00\\x00\\x00\\x00,\"\\xa8=x\\x02\\x00\\x00\\x1e\\x00 \\x00\\x00\\x00\\x00\\x00l\"\\xa8=x\\x02\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x8c\"\\xa8=x\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 16861
          },
          {
            "timestamp": "2026-05-28 22:01:58,771",
            "thread_id": "5448",
            "caller": "0x7ff6c28c545d",
            "parentcaller": "0x7ff6c28c3945",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a30"
              },
              {
                "name": "BaseAddress",
                "value": "0x2783da82188"
              },
              {
                "name": "Size",
                "value": "0x000000a2"
              },
              {
                "name": "Buffer",
                "value": "C\\x00:\\x00\\\\x00W\\x00i\\x00n\\x00d\\x00o\\x00w\\x00s\\x00\\\\x00s\\x00y\\x00s\\x00t\\x00e\\x00m\\x003\\x002\\x00\\\\x00D\\x00l\\x00l\\x00H\\x00o\\x00s\\x00t\\x00.\\x00e\\x00x\\x00e\\x00 \\x00/\\x00P\\x00r\\x00o\\x00c\\x00e\\x00s\\x00s\\x00i\\x00d\\x00:\\x00{\\x003\\x00E\\x00B\\x003\\x00C\\x008\\x007\\x007\\x00-\\x001\\x00F\\x001\\x006\\x00-\\x004\\x008\\x007\\x00C\\x00-\\x009\\x000\\x005\\x000\\x00-\\x001\\x000\\x004\\x00D\\x00B\\x00C\\x00D\\x006\\x006\\x006\\x008\\x003\\x00}\\x00"
              }
            ],
            "repeated": 0,
            "id": 16862
          },
          {
            "timestamp": "2026-05-28 22:01:58,771",
            "thread_id": "5448",
            "caller": "0x7ff6c28c39ad",
            "parentcaller": "0x7ff6c28c31bb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a30"
              }
            ],
            "repeated": 0,
            "id": 16863
          },
          {
            "timestamp": "2026-05-28 22:01:58,771",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c3746",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a30"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001000",
                "pretty_value": "PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "4128"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\System32\\dllhost.exe"
              }
            ],
            "repeated": 0,
            "id": 16864
          },
          {
            "timestamp": "2026-05-28 22:01:58,771",
            "thread_id": "5448",
            "caller": "0x7ff6c28c472e",
            "parentcaller": "0x7ff6c28c375e",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a30"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x00000a50"
              }
            ],
            "repeated": 0,
            "id": 16865
          },
          {
            "timestamp": "2026-05-28 22:01:58,771",
            "thread_id": "5448",
            "caller": "0x7ff6c28c4764",
            "parentcaller": "0x7ff6c28c375e",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "39"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 16866
          },
          {
            "timestamp": "2026-05-28 22:01:58,771",
            "thread_id": "5448",
            "caller": "0x7ff6c28c47ed",
            "parentcaller": "0x7ff6c28c375e",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "39"
              },
              {
                "name": "TokenInformation",
                "value": "\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\xd0\\xd2\\xabT\\x92\\x02\\x00\\x00 \\x00 \\x00\\x00\\x00\\x00\\x00\\xf8\\xd2\\xabT\\x92\\x02\\x00\\x00\\x02\\x00\\x00\\x00A\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x18\\xd3\\xabT\\x92\\x02\\x00\\x00T\\x00S\\x00A\\x00:\\x00/\\x00/\\x00P\\x00r\\x00o\\x00c\\x00U\\x00n\\x00i\\x00q\\x00u\\x00e\\x00h\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xbf\\x13\\x04\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 16867
          },
          {
            "timestamp": "2026-05-28 22:01:58,771",
            "thread_id": "5448",
            "caller": "0x7ff6c28c488d",
            "parentcaller": "0x7ff6c28c375e",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a50"
              }
            ],
            "repeated": 0,
            "id": 16868
          },
          {
            "timestamp": "2026-05-28 22:01:58,771",
            "thread_id": "5448",
            "caller": "0x7ff6c28c3779",
            "parentcaller": "0x7ff6c28c31c6",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a30"
              }
            ],
            "repeated": 0,
            "id": 16869
          },
          {
            "timestamp": "2026-05-28 22:01:58,771",
            "thread_id": "5448",
            "caller": "0x7ff6c28c05ac",
            "parentcaller": "0x7ff6c28bdc11",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a30"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001400",
                "pretty_value": "PROCESS_QUERY_INFORMATION|PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "5176"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\servicing\\TrustedInstaller.exe"
              }
            ],
            "repeated": 0,
            "id": 16870
          },
          {
            "timestamp": "2026-05-28 22:01:58,771",
            "thread_id": "5448",
            "caller": "0x7ff6c28c068f",
            "parentcaller": "0x7ff6c28bdc11",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a30"
              }
            ],
            "repeated": 0,
            "id": 16871
          },
          {
            "timestamp": "2026-05-28 22:01:58,771",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c3e56",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a30"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001000",
                "pretty_value": "PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "5176"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\servicing\\TrustedInstaller.exe"
              }
            ],
            "repeated": 0,
            "id": 16872
          },
          {
            "timestamp": "2026-05-28 22:01:58,771",
            "thread_id": "5448",
            "caller": "0x7ff6c28c3ebb",
            "parentcaller": "0x7ff6c28c2d53",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a30"
              }
            ],
            "repeated": 0,
            "id": 16873
          },
          {
            "timestamp": "2026-05-28 22:01:58,771",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c3ffc",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a30"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001000",
                "pretty_value": "PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "5176"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\servicing\\TrustedInstaller.exe"
              }
            ],
            "repeated": 0,
            "id": 16874
          },
          {
            "timestamp": "2026-05-28 22:01:58,771",
            "thread_id": "5448",
            "caller": "0x7ff6c28c4224",
            "parentcaller": "0x7ff6c28c2da5",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a30"
              }
            ],
            "repeated": 0,
            "id": 16875
          },
          {
            "timestamp": "2026-05-28 22:01:58,771",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a30"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000400",
                "pretty_value": "PROCESS_QUERY_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "7912"
              }
            ],
            "repeated": 0,
            "id": 16876
          },
          {
            "timestamp": "2026-05-28 22:01:58,771",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x00000a50"
              }
            ],
            "repeated": 0,
            "id": 16877
          },
          {
            "timestamp": "2026-05-28 22:01:58,771",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "`\\xd8\\xdf\\x9d\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\xe9\\x03\\x00\\x00\\xfc\\x7f\\x00\\x00`^\\xe8S\\x92\\x02\\x00\\x00\\xe0\\xde\\xdf\\x9d\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x95\\x00\\x00\\x00\\x00\\x00\\x00\\x00H\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 16878
          },
          {
            "timestamp": "2026-05-28 22:01:58,771",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "synchronization",
            "api": "NtCreateMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000007d4"
              },
              {
                "name": "MutexName",
                "value": "Global\\C::Users:admin:AppData:Local:Microsoft:Windows:Explorer:iconcache_idx.db!rwReaderRefs"
              },
              {
                "name": "InitialOwner",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 16879
          },
          {
            "timestamp": "2026-05-28 22:01:58,771",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a50"
              }
            ],
            "repeated": 0,
            "id": 16880
          },
          {
            "timestamp": "2026-05-28 22:01:58,771",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a30"
              }
            ],
            "repeated": 0,
            "id": 16881
          },
          {
            "timestamp": "2026-05-28 22:01:58,771",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000808"
              },
              {
                "name": "HandleName",
                "value": "C:\\Users\\admin\\AppData\\Local\\Microsoft\\Windows\\Explorer\\iconcache_idx.db"
              },
              {
                "name": "FileInformationClass",
                "value": "5",
                "pretty_value": "FileStandardInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\x00\\x80\\x00\\x00\\x00\\x00\\x00\\x000r\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 16882
          },
          {
            "timestamp": "2026-05-28 22:01:58,771",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000007d4"
              }
            ],
            "repeated": 0,
            "id": 16883
          },
          {
            "timestamp": "2026-05-28 22:01:58,771",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000007d4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000400",
                "pretty_value": "PROCESS_QUERY_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "7912"
              }
            ],
            "repeated": 0,
            "id": 16884
          },
          {
            "timestamp": "2026-05-28 22:01:58,771",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x00000a30"
              }
            ],
            "repeated": 0,
            "id": 16885
          },
          {
            "timestamp": "2026-05-28 22:01:58,771",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "p\\xd8\\xdf\\x9d\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\xe9\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xbc\\x07\\x00\\x00\\x00\\x00\\x00\\x00 \\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x02\\x00\\x00\\x00\\x00\\x00\\x00]\\xddmu\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xea5\\x07Ou\\xc0\\x00\\x00\\xe8\\xf6\\x8eT\\x92\\x02\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 16886
          },
          {
            "timestamp": "2026-05-28 22:01:58,771",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "synchronization",
            "api": "NtCreateMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a50"
              },
              {
                "name": "MutexName",
                "value": "Global\\C::Users:admin:AppData:Local:Microsoft:Windows:Explorer:iconcache_idx.db!rwReaderRefs"
              },
              {
                "name": "InitialOwner",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 16887
          },
          {
            "timestamp": "2026-05-28 22:01:58,771",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a30"
              }
            ],
            "repeated": 0,
            "id": 16888
          },
          {
            "timestamp": "2026-05-28 22:01:58,771",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000007d4"
              }
            ],
            "repeated": 0,
            "id": 16889
          },
          {
            "timestamp": "2026-05-28 22:01:58,771",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a50"
              }
            ],
            "repeated": 0,
            "id": 16890
          },
          {
            "timestamp": "2026-05-28 22:01:58,771",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\servicing\\trustedinstaller.exe"
              }
            ],
            "repeated": 1,
            "id": 16891
          },
          {
            "timestamp": "2026-05-28 22:01:58,771",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29255760002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "c:\\windows\\servicing\\trustedinstaller.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 16892
          },
          {
            "timestamp": "2026-05-28 22:01:58,771",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100001",
                "pretty_value": "FILE_READ_ACCESS|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\SystemResources\\trustedinstaller.exe.mun"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 16893
          },
          {
            "timestamp": "2026-05-28 22:01:58,771",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29255760000"
              },
              {
                "name": "RegionSize",
                "value": "0x00031000"
              }
            ],
            "repeated": 0,
            "id": 16894
          },
          {
            "timestamp": "2026-05-28 22:01:58,771",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\imageres.dll"
              }
            ],
            "repeated": 1,
            "id": 16895
          },
          {
            "timestamp": "2026-05-28 22:01:58,771",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x292544f0002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\system32\\imageres.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 16896
          },
          {
            "timestamp": "2026-05-28 22:01:58,771",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "registry",
            "api": "NtOpenKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\en-US"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\en-US"
              }
            ],
            "repeated": 0,
            "id": 16897
          },
          {
            "timestamp": "2026-05-28 22:01:58,771",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000a50"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100001",
                "pretty_value": "FILE_READ_ACCESS|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\en-US\\imageres.dll.mui"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 16898
          },
          {
            "timestamp": "2026-05-28 22:01:58,771",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x000007d4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000a50"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\en-US\\imageres.dll.mui"
              }
            ],
            "repeated": 0,
            "id": 16899
          },
          {
            "timestamp": "2026-05-28 22:01:58,771",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x000007d4"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254500000"
              },
              {
                "name": "SectionOffset",
                "value": "0xf09ddfb7f0"
              },
              {
                "name": "ViewSize",
                "value": "0x00001000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 16900
          },
          {
            "timestamp": "2026-05-28 22:01:58,771",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000007d4"
              }
            ],
            "repeated": 0,
            "id": 16901
          },
          {
            "timestamp": "2026-05-28 22:01:58,771",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000007d4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100001",
                "pretty_value": "FILE_READ_ACCESS|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\SystemResources\\imageres.dll.mun"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 16902
          },
          {
            "timestamp": "2026-05-28 22:01:58,771",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000a30"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x000007d4"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\SystemResources\\imageres.dll.mun"
              }
            ],
            "repeated": 0,
            "id": 16903
          },
          {
            "timestamp": "2026-05-28 22:01:58,771",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000a30"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29257f80000"
              },
              {
                "name": "SectionOffset",
                "value": "0xf09ddfb7a0"
              },
              {
                "name": "ViewSize",
                "value": "0x013c0000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 16904
          },
          {
            "timestamp": "2026-05-28 22:01:58,771",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a30"
              }
            ],
            "repeated": 0,
            "id": 16905
          },
          {
            "timestamp": "2026-05-28 22:01:58,771",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "misc",
            "api": "FindResourceExW",
            "status": true,
            "return": "0x29257fa2e40",
            "arguments": [
              {
                "name": "Module",
                "value": "0x292544f0002"
              },
              {
                "name": "Type",
                "value": "#14"
              },
              {
                "name": "Name",
                "value": "#15"
              },
              {
                "name": "Language",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 16906
          },
          {
            "timestamp": "2026-05-28 22:01:58,771",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "misc",
            "api": "LoadResource",
            "status": true,
            "return": "0x29258016950",
            "arguments": [
              {
                "name": "Module",
                "value": "0x292544f0002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29257fa2e40"
              }
            ],
            "repeated": 0,
            "id": 16907
          },
          {
            "timestamp": "2026-05-28 22:01:58,771",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "misc",
            "api": "FindResourceExW",
            "status": true,
            "return": "0x29257f98940",
            "arguments": [
              {
                "name": "Module",
                "value": "0x292544f0002"
              },
              {
                "name": "Type",
                "value": "#3"
              },
              {
                "name": "Name",
                "value": "#63"
              },
              {
                "name": "Language",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 16908
          },
          {
            "timestamp": "2026-05-28 22:01:58,771",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "misc",
            "api": "SizeofResource",
            "status": true,
            "return": "0x00000468",
            "arguments": [
              {
                "name": "ModuleHandle",
                "value": "0x292544f0002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29257f98940"
              }
            ],
            "repeated": 0,
            "id": 16909
          },
          {
            "timestamp": "2026-05-28 22:01:58,771",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "misc",
            "api": "LoadResource",
            "status": true,
            "return": "0x292580164e8",
            "arguments": [
              {
                "name": "Module",
                "value": "0x292544f0002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29257f98940"
              }
            ],
            "repeated": 0,
            "id": 16910
          },
          {
            "timestamp": "2026-05-28 22:01:58,771",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29257f80000"
              },
              {
                "name": "RegionSize",
                "value": "0x013c0000"
              }
            ],
            "repeated": 0,
            "id": 16911
          },
          {
            "timestamp": "2026-05-28 22:01:58,771",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000007d4"
              }
            ],
            "repeated": 0,
            "id": 16912
          },
          {
            "timestamp": "2026-05-28 22:01:58,771",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254500000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              }
            ],
            "repeated": 0,
            "id": 16913
          },
          {
            "timestamp": "2026-05-28 22:01:58,771",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a50"
              }
            ],
            "repeated": 0,
            "id": 16914
          },
          {
            "timestamp": "2026-05-28 22:01:58,771",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x292544f0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00003000"
              }
            ],
            "repeated": 0,
            "id": 16915
          },
          {
            "timestamp": "2026-05-28 22:01:58,771",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29255760002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\servicing\\TrustedInstaller.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 16916
          },
          {
            "timestamp": "2026-05-28 22:01:58,771",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "registry",
            "api": "NtOpenKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\en-US"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\en-US"
              }
            ],
            "repeated": 0,
            "id": 16917
          },
          {
            "timestamp": "2026-05-28 22:01:58,771",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000a50"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100001",
                "pretty_value": "FILE_READ_ACCESS|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\servicing\\en-US\\TrustedInstaller.exe.mui"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 16918
          },
          {
            "timestamp": "2026-05-28 22:01:58,771",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x000007d4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000a50"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\servicing\\en-US\\TrustedInstaller.exe.mui"
              }
            ],
            "repeated": 0,
            "id": 16919
          },
          {
            "timestamp": "2026-05-28 22:01:58,771",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x000007d4"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x292544f0000"
              },
              {
                "name": "SectionOffset",
                "value": "0xf09ddfcf90"
              },
              {
                "name": "ViewSize",
                "value": "0x00001000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 16920
          },
          {
            "timestamp": "2026-05-28 22:01:58,771",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000007d4"
              }
            ],
            "repeated": 0,
            "id": 16921
          },
          {
            "timestamp": "2026-05-28 22:01:58,771",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x292544f0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              }
            ],
            "repeated": 0,
            "id": 16922
          },
          {
            "timestamp": "2026-05-28 22:01:58,771",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a50"
              }
            ],
            "repeated": 0,
            "id": 16923
          },
          {
            "timestamp": "2026-05-28 22:01:58,771",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29255760000"
              },
              {
                "name": "RegionSize",
                "value": "0x00031000"
              }
            ],
            "repeated": 0,
            "id": 16924
          },
          {
            "timestamp": "2026-05-28 22:01:58,771",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29255760002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\servicing\\TrustedInstaller.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 16925
          },
          {
            "timestamp": "2026-05-28 22:01:58,771",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "registry",
            "api": "NtOpenKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\en-US"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\en-US"
              }
            ],
            "repeated": 0,
            "id": 16926
          },
          {
            "timestamp": "2026-05-28 22:01:58,771",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000a50"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100001",
                "pretty_value": "FILE_READ_ACCESS|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\servicing\\en-US\\TrustedInstaller.exe.mui"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 16927
          },
          {
            "timestamp": "2026-05-28 22:01:58,771",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x000007d4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000a50"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\servicing\\en-US\\TrustedInstaller.exe.mui"
              }
            ],
            "repeated": 0,
            "id": 16928
          },
          {
            "timestamp": "2026-05-28 22:01:58,771",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x000007d4"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x292544f0000"
              },
              {
                "name": "SectionOffset",
                "value": "0xf09ddfcf80"
              },
              {
                "name": "ViewSize",
                "value": "0x00001000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 16929
          },
          {
            "timestamp": "2026-05-28 22:01:58,771",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000007d4"
              }
            ],
            "repeated": 0,
            "id": 16930
          },
          {
            "timestamp": "2026-05-28 22:01:58,771",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x292544f0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              }
            ],
            "repeated": 0,
            "id": 16931
          },
          {
            "timestamp": "2026-05-28 22:01:58,771",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a50"
              }
            ],
            "repeated": 0,
            "id": 16932
          },
          {
            "timestamp": "2026-05-28 22:01:58,771",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29255760000"
              },
              {
                "name": "RegionSize",
                "value": "0x00031000"
              }
            ],
            "repeated": 0,
            "id": 16933
          },
          {
            "timestamp": "2026-05-28 22:01:58,771",
            "thread_id": "5448",
            "caller": "0x7ff6c28c3b16",
            "parentcaller": "0x7ff6c28c30e8",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a50"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000400",
                "pretty_value": "PROCESS_QUERY_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "5176"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\servicing\\TrustedInstaller.exe"
              }
            ],
            "repeated": 0,
            "id": 16934
          },
          {
            "timestamp": "2026-05-28 22:01:58,771",
            "thread_id": "5448",
            "caller": "0x7ff6c28c3b8f",
            "parentcaller": "0x7ff6c28c30e8",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a50"
              }
            ],
            "repeated": 0,
            "id": 16935
          },
          {
            "timestamp": "2026-05-28 22:01:58,771",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c38f8",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a50"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001410",
                "pretty_value": "PROCESS_VM_READ|PROCESS_QUERY_INFORMATION|PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "5176"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\servicing\\TrustedInstaller.exe"
              }
            ],
            "repeated": 0,
            "id": 16936
          },
          {
            "timestamp": "2026-05-28 22:01:58,771",
            "thread_id": "5448",
            "caller": "0x7ff6c28c53e5",
            "parentcaller": "0x7ff6c28c3945",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a50"
              },
              {
                "name": "BaseAddress",
                "value": "0x2edbe47000"
              },
              {
                "name": "Size",
                "value": "0x000007c8"
              },
              {
                "name": "Buffer",
                "value": "\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\x19b\\xf6\\x7f\\x00\\x00\\xc0\\xc4\\x13x\\xfc\\x7f\\x00\\x00P\\x1a;\\xef\\xe6\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00;\\xef\\xe6\\x01\\x00\\x00\\xe0\\xc0\\x13x\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00p\\x003v\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00$\\xef\\xe6\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00@\\xc4\\x13x\\xfc\\x7f\\x00\\x00\\xff\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x14\\xf3\\xf4}\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00P\\x07\\x14\\xf3\\xf4}\\x00\\x00\\x00\\x00(\\xf5\\xf5}\\x00\\x00(\\x02)\\xf5\\xf5}\\x00\\x00P\\x06*\\xf5\\xf5}\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x80\\x9b\\x07m\\xe8\\xff\\xff\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x00 \\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x10\\x00\\x00\\x00@\\xad\\x13x\\xfc\\x7f\\x00\\x00\\x00\\x00K\\xef\\xe6\\x01\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 16937
          },
          {
            "timestamp": "2026-05-28 22:01:58,771",
            "thread_id": "5448",
            "caller": "0x7ff6c28c5414",
            "parentcaller": "0x7ff6c28c3945",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a50"
              },
              {
                "name": "BaseAddress",
                "value": "0x1e6ef3b1a50"
              },
              {
                "name": "Size",
                "value": "0x00000440"
              },
              {
                "name": "Buffer",
                "value": "H\\x07\\x00\\x00H\\x07\\x00\\x00\\x01@\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00(\\x00\\x08\\x02\\x00\\x00\\x00\\x00\\xf0%;\\xef\\xe6\\x01\\x00\\x00@\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00R\\x00T\\x00\\x00\\x00\\x00\\x00\\x98 ;\\xef\\xe6\\x01\\x00\\x00R\\x00T\\x00\\x00\\x00\\x00\\x00\\xec ;\\xef\\xe6\\x01\\x00\\x00\\xe0\\x0f;\\xef\\xe6\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x80\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00R\\x00T\\x00\\x00\\x00\\x00\\x00@!;\\xef\\xe6\\x01\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x94!;\\xef\\xe6\\x01\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x96!;\\xef\\xe6\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 16938
          },
          {
            "timestamp": "2026-05-28 22:01:58,771",
            "thread_id": "5448",
            "caller": "0x7ff6c28c545d",
            "parentcaller": "0x7ff6c28c3945",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a50"
              },
              {
                "name": "BaseAddress",
                "value": "0x1e6ef3b20ec"
              },
              {
                "name": "Size",
                "value": "0x00000052"
              },
              {
                "name": "Buffer",
                "value": "C\\x00:\\x00\\\\x00W\\x00i\\x00n\\x00d\\x00o\\x00w\\x00s\\x00\\\\x00s\\x00e\\x00r\\x00v\\x00i\\x00c\\x00i\\x00n\\x00g\\x00\\\\x00T\\x00r\\x00u\\x00s\\x00t\\x00e\\x00d\\x00I\\x00n\\x00s\\x00t\\x00a\\x00l\\x00l\\x00e\\x00r\\x00.\\x00e\\x00x\\x00e\\x00"
              }
            ],
            "repeated": 0,
            "id": 16939
          },
          {
            "timestamp": "2026-05-28 22:01:58,771",
            "thread_id": "5448",
            "caller": "0x7ff6c28c39ad",
            "parentcaller": "0x7ff6c28c31bb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a50"
              }
            ],
            "repeated": 0,
            "id": 16940
          },
          {
            "timestamp": "2026-05-28 22:01:58,771",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c3746",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a50"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001000",
                "pretty_value": "PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "5176"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\servicing\\TrustedInstaller.exe"
              }
            ],
            "repeated": 0,
            "id": 16941
          },
          {
            "timestamp": "2026-05-28 22:01:58,771",
            "thread_id": "5448",
            "caller": "0x7ff6c28c472e",
            "parentcaller": "0x7ff6c28c375e",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a50"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x000007d4"
              }
            ],
            "repeated": 0,
            "id": 16942
          },
          {
            "timestamp": "2026-05-28 22:01:58,771",
            "thread_id": "5448",
            "caller": "0x7ff6c28c4764",
            "parentcaller": "0x7ff6c28c375e",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "39"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 16943
          },
          {
            "timestamp": "2026-05-28 22:01:58,771",
            "thread_id": "5448",
            "caller": "0x7ff6c28c47ed",
            "parentcaller": "0x7ff6c28c375e",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "39"
              },
              {
                "name": "TokenInformation",
                "value": "\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\xd0\\xd2\\xabT\\x92\\x02\\x00\\x00 \\x00 \\x00\\x00\\x00\\x00\\x00\\xf8\\xd2\\xabT\\x92\\x02\\x00\\x00\\x02\\x00\\x00\\x00A\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x18\\xd3\\xabT\\x92\\x02\\x00\\x00T\\x00S\\x00A\\x00:\\x00/\\x00/\\x00P\\x00r\\x00o\\x00c\\x00U\\x00n\\x00i\\x00q\\x00u\\x00e\\x00l\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xff-\\x04\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 16944
          },
          {
            "timestamp": "2026-05-28 22:01:58,771",
            "thread_id": "5448",
            "caller": "0x7ff6c28c488d",
            "parentcaller": "0x7ff6c28c375e",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000007d4"
              }
            ],
            "repeated": 0,
            "id": 16945
          },
          {
            "timestamp": "2026-05-28 22:01:58,771",
            "thread_id": "5448",
            "caller": "0x7ff6c28c3779",
            "parentcaller": "0x7ff6c28c31c6",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a50"
              }
            ],
            "repeated": 0,
            "id": 16946
          },
          {
            "timestamp": "2026-05-28 22:01:58,771",
            "thread_id": "5448",
            "caller": "0x7ff6c28c05ac",
            "parentcaller": "0x7ff6c28bdc11",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a50"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001400",
                "pretty_value": "PROCESS_QUERY_INFORMATION|PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "5320"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\System32\\RuntimeBroker.exe"
              }
            ],
            "repeated": 0,
            "id": 16947
          },
          {
            "timestamp": "2026-05-28 22:01:58,787",
            "thread_id": "5448",
            "caller": "0x7ff6c28c068f",
            "parentcaller": "0x7ff6c28bdc11",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a50"
              }
            ],
            "repeated": 0,
            "id": 16948
          },
          {
            "timestamp": "2026-05-28 22:01:58,787",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c837c",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a50"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001000",
                "pretty_value": "PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "5320"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\System32\\RuntimeBroker.exe"
              }
            ],
            "repeated": 0,
            "id": 16949
          },
          {
            "timestamp": "2026-05-28 22:01:58,787",
            "thread_id": "5448",
            "caller": "0x7ff6c28c472e",
            "parentcaller": "0x7ff6c28c8392",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a50"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x00000a38"
              }
            ],
            "repeated": 0,
            "id": 16950
          },
          {
            "timestamp": "2026-05-28 22:01:58,787",
            "thread_id": "5448",
            "caller": "0x7ff6c28c4764",
            "parentcaller": "0x7ff6c28c8392",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "39"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 16951
          },
          {
            "timestamp": "2026-05-28 22:01:58,787",
            "thread_id": "5448",
            "caller": "0x7ff6c28c47a3",
            "parentcaller": "0x7ff6c28c8392",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254a05000"
              },
              {
                "name": "RegionSize",
                "value": "0x00003000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 16952
          },
          {
            "timestamp": "2026-05-28 22:01:58,787",
            "thread_id": "5448",
            "caller": "0x7ff6c28c47ed",
            "parentcaller": "0x7ff6c28c8392",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "39"
              },
              {
                "name": "TokenInformation",
                "value": "\\x01\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\xd0E\\xa0T\\x92\\x02\\x00\\x00\\x1c\\x00\\x1c\\x00\\x00\\x00\\x00\\x00HF\\xa0T\\x92\\x02\\x00\\x00\\x03\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00hF\\xa0T\\x92\\x02\\x00\\x00\\x12\\x00\\x12\\x00\\x00\\x00\\x00\\x00\\xfcG\\xa0T\\x92\\x02\\x00\\x00\\x02\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10H\\xa0T\\x92\\x02\\x00\\x00 \\x00 \\x00\\x00\\x00\\x00\\x00\\x18H\\xa0T\\x92\\x02\\x00\\x00\\x02\\x00\\x00\\x00A\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x008H\\xa0T\\x92\\x02\\x00\\x00W\\x00I\\x00N\\x00:\\x00/\\x00/\\x00S\\x00Y\\x00S\\x00A\\x00P\\x00P\\x00I\\x00D\\x00\\x00\\x00\\x00\\x00\\xae\\x00\\xae\\x00\\x00\\x00\\x00\\x00\\x98F\\xa0T\\x92\\x02\\x00\\x00H\\x00H\\x00\\x00\\x00\\x00\\x00FG\\xa0T\\x92\\x02\\x00\\x00n\\x00n\\x00\\x00\\x00\\x00\\x00\\x8eG\\xa0T\\x92\\x02\\x00\\x00M\\x00i\\x00c\\x00r\\x00o\\x00s\\x00o\\x00f\\x00t\\x00.\\x00W\\x00i\\x00n\\x00d\\x00o\\x00w\\x00s\\x00.\\x00S\\x00t\\x00"
              }
            ],
            "repeated": 0,
            "id": 16953
          },
          {
            "timestamp": "2026-05-28 22:01:58,787",
            "thread_id": "5448",
            "caller": "0x7ff6c28c488d",
            "parentcaller": "0x7ff6c28c8392",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a38"
              }
            ],
            "repeated": 0,
            "id": 16954
          },
          {
            "timestamp": "2026-05-28 22:01:58,787",
            "thread_id": "5448",
            "caller": "0x7ff6c28c83a8",
            "parentcaller": "0x7ff6c28c8427",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a50"
              }
            ],
            "repeated": 0,
            "id": 16955
          },
          {
            "timestamp": "2026-05-28 22:01:58,787",
            "thread_id": "5448",
            "caller": "0x7ff6c28c883e",
            "parentcaller": "0x7ff6c28c846b",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0xfffffffc"
              }
            ],
            "repeated": 0,
            "id": 16956
          },
          {
            "timestamp": "2026-05-28 22:01:58,787",
            "thread_id": "5448",
            "caller": "0x7ff6c28c883e",
            "parentcaller": "0x7ff6c28c846b",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 16957
          },
          {
            "timestamp": "2026-05-28 22:01:58,787",
            "thread_id": "5448",
            "caller": "0x7ff6c28c883e",
            "parentcaller": "0x7ff6c28c846b",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0xfffffffc"
              }
            ],
            "repeated": 0,
            "id": 16958
          },
          {
            "timestamp": "2026-05-28 22:01:58,787",
            "thread_id": "5448",
            "caller": "0x7ff6c28c883e",
            "parentcaller": "0x7ff6c28c846b",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "0",
                "pretty_value": "ThreadBasicInformation"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x03\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xf0\\x86\\x9d\\xf0\\x00\\x00\\x00\\xe8\\x1e\\x00\\x00\\x00\\x00\\x00\\x00H\\x15\\x00\\x00\\x00\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x0e\\x00\\x00\\x00\\x02\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "5448"
              }
            ],
            "repeated": 0,
            "id": 16959
          },
          {
            "timestamp": "2026-05-28 22:01:58,787",
            "thread_id": "3700",
            "caller": "0x7ffc7571ebae",
            "parentcaller": "0x7ffc775f84de",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "0",
                "pretty_value": "ThreadBasicInformation"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x03\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xf0\\x87\\x9d\\xf0\\x00\\x00\\x00\\xe8\\x1e\\x00\\x00\\x00\\x00\\x00\\x00t\\x0e\\x00\\x00\\x00\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x0b\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "3700"
              }
            ],
            "repeated": 0,
            "id": 16960
          },
          {
            "timestamp": "2026-05-28 22:01:58,787",
            "thread_id": "3700",
            "caller": "0x7ffc756e54eb",
            "parentcaller": "0x7ffc6126c697",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 16961
          },
          {
            "timestamp": "2026-05-28 22:01:58,787",
            "thread_id": "3700",
            "caller": "0x7ffc756e54eb",
            "parentcaller": "0x7ffc6126c717",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\x80\\x98\\x8bT\\x92\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\\\x00W\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\xe9\\x03\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 16962
          },
          {
            "timestamp": "2026-05-28 22:01:58,787",
            "thread_id": "1496",
            "caller": "0x7ff6c28da9db",
            "parentcaller": "0x7ff6c28d6fb1",
            "category": "misc",
            "api": "GetCursorPos",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "x",
                "value": "584"
              },
              {
                "name": "y",
                "value": "373"
              }
            ],
            "repeated": 0,
            "id": 16963
          },
          {
            "timestamp": "2026-05-28 22:01:58,787",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6fb1",
            "parentcaller": "0x7ff6c28e0076",
            "category": "system",
            "api": "NtDelayExecution",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 16964
          },
          {
            "timestamp": "2026-05-28 22:01:58,787",
            "thread_id": "3700",
            "caller": "0x7ffc77be92b9",
            "parentcaller": "0x7ffc77c2224d",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "00000339-0000-0000-C000-000000000046"
              },
              {
                "name": "ClsContext",
                "value": "0x00000403",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER|CLSCTX_NO_CODE_DOWNLOAD"
              },
              {
                "name": "riid",
                "value": "00000003-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 3,
            "id": 16965
          },
          {
            "timestamp": "2026-05-28 22:01:58,787",
            "thread_id": "3700",
            "caller": "0x7ffc7571ebae",
            "parentcaller": "0x7ffc775c712f",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "0",
                "pretty_value": "ThreadBasicInformation"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x03\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xf0\\x87\\x9d\\xf0\\x00\\x00\\x00\\xe8\\x1e\\x00\\x00\\x00\\x00\\x00\\x00t\\x0e\\x00\\x00\\x00\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "3700"
              }
            ],
            "repeated": 0,
            "id": 16966
          },
          {
            "timestamp": "2026-05-28 22:01:58,787",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c3e56",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a50"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001000",
                "pretty_value": "PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "5320"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\System32\\RuntimeBroker.exe"
              }
            ],
            "repeated": 0,
            "id": 16967
          },
          {
            "timestamp": "2026-05-28 22:01:58,787",
            "thread_id": "5448",
            "caller": "0x7ff6c28c3ebb",
            "parentcaller": "0x7ff6c28c2d53",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a50"
              }
            ],
            "repeated": 0,
            "id": 16968
          },
          {
            "timestamp": "2026-05-28 22:01:58,787",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c3ffc",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a50"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001000",
                "pretty_value": "PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "5320"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\System32\\RuntimeBroker.exe"
              }
            ],
            "repeated": 0,
            "id": 16969
          },
          {
            "timestamp": "2026-05-28 22:01:58,787",
            "thread_id": "5448",
            "caller": "0x7ff6c28c4224",
            "parentcaller": "0x7ff6c28c2da5",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a50"
              }
            ],
            "repeated": 0,
            "id": 16970
          },
          {
            "timestamp": "2026-05-28 22:01:58,787",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x292544f0002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\System32\\RuntimeBroker.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 16971
          },
          {
            "timestamp": "2026-05-28 22:01:58,787",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x292544f0000"
              },
              {
                "name": "RegionSize",
                "value": "0x0001c000"
              }
            ],
            "repeated": 0,
            "id": 16972
          },
          {
            "timestamp": "2026-05-28 22:01:58,787",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x292544f0002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\System32\\RuntimeBroker.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 16973
          },
          {
            "timestamp": "2026-05-28 22:01:58,787",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x292544f0000"
              },
              {
                "name": "RegionSize",
                "value": "0x0001c000"
              }
            ],
            "repeated": 0,
            "id": 16974
          },
          {
            "timestamp": "2026-05-28 22:01:58,787",
            "thread_id": "5448",
            "caller": "0x7ff6c28c3b16",
            "parentcaller": "0x7ff6c28c30e8",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a50"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000400",
                "pretty_value": "PROCESS_QUERY_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "5320"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\System32\\RuntimeBroker.exe"
              }
            ],
            "repeated": 0,
            "id": 16975
          },
          {
            "timestamp": "2026-05-28 22:01:58,787",
            "thread_id": "5448",
            "caller": "0x7ff6c28c3b8f",
            "parentcaller": "0x7ff6c28c30e8",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a50"
              }
            ],
            "repeated": 0,
            "id": 16976
          },
          {
            "timestamp": "2026-05-28 22:01:58,787",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c38f8",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a50"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001410",
                "pretty_value": "PROCESS_VM_READ|PROCESS_QUERY_INFORMATION|PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "5320"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\System32\\RuntimeBroker.exe"
              }
            ],
            "repeated": 0,
            "id": 16977
          },
          {
            "timestamp": "2026-05-28 22:01:58,787",
            "thread_id": "5448",
            "caller": "0x7ff6c28c53e5",
            "parentcaller": "0x7ff6c28c3945",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a50"
              },
              {
                "name": "BaseAddress",
                "value": "0xd22e298000"
              },
              {
                "name": "Size",
                "value": "0x000007c8"
              },
              {
                "name": "Buffer",
                "value": "\\x00\\x00\\x00\\x14\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00q{\\xf7\\x7f\\x00\\x00\\xc0\\xc4\\x13x\\xfc\\x7f\\x00\\x00\\xd02\\xe0\\x8fg\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xd4\\x8fg\\x02\\x00\\x00\\xe0\\xc0\\x13x\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00p\\x003v\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xcf\\x8fg\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00@\\xc4\\x13x\\xfc\\x7f\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x00\\x00\\x07s\\xf4}\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00P\\x07\\x07s\\xf4}\\x00\\x00\\x00\\x00\\x1bu\\xf5}\\x00\\x00(\\x02\\x1cu\\xf5}\\x00\\x00P\\x06\\x1du\\xf5}\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x80\\x9b\\x07m\\xe8\\xff\\xff\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x00 \\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x10\\x00\\x00\\x00@\\xad\\x13x\\xfc\\x7f\\x00\\x00\\x00\\x00-\\x90g\\x02\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 16978
          },
          {
            "timestamp": "2026-05-28 22:01:58,787",
            "thread_id": "5448",
            "caller": "0x7ff6c28c5414",
            "parentcaller": "0x7ff6c28c3945",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a50"
              },
              {
                "name": "BaseAddress",
                "value": "0x2678fe032d0"
              },
              {
                "name": "Size",
                "value": "0x00000440"
              },
              {
                "name": "Buffer",
                "value": "F\\x07\\x00\\x00F\\x07\\x00\\x00\\x01 \\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00(\\x00\\x08\\x02\\x00\\x00\\x00\\x00\\x90>\\xe0\\x8fg\\x02\\x00\\x00H\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00J\\x00L\\x00\\x00\\x00\\x00\\x00\\x189\\xe0\\x8fg\\x02\\x00\\x00`\\x00b\\x00\\x00\\x00\\x00\\x00d9\\xe0\\x8fg\\x02\\x00\\x00\\xf0'\\xe0\\x8fg\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x80\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00J\\x00L\\x00\\x00\\x00\\x00\\x00\\xc69\\xe0\\x8fg\\x02\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x12:\\xe0\\x8fg\\x02\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x14:\\xe0\\x8fg\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 16979
          },
          {
            "timestamp": "2026-05-28 22:01:58,787",
            "thread_id": "5448",
            "caller": "0x7ff6c28c545d",
            "parentcaller": "0x7ff6c28c3945",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a50"
              },
              {
                "name": "BaseAddress",
                "value": "0x2678fe03964"
              },
              {
                "name": "Size",
                "value": "0x00000060"
              },
              {
                "name": "Buffer",
                "value": "C\\x00:\\x00\\\\x00W\\x00i\\x00n\\x00d\\x00o\\x00w\\x00s\\x00\\\\x00S\\x00y\\x00s\\x00t\\x00e\\x00m\\x003\\x002\\x00\\\\x00R\\x00u\\x00n\\x00t\\x00i\\x00m\\x00e\\x00B\\x00r\\x00o\\x00k\\x00e\\x00r\\x00.\\x00e\\x00x\\x00e\\x00 \\x00-\\x00E\\x00m\\x00b\\x00e\\x00d\\x00d\\x00i\\x00n\\x00g\\x00"
              }
            ],
            "repeated": 0,
            "id": 16980
          },
          {
            "timestamp": "2026-05-28 22:01:58,787",
            "thread_id": "5448",
            "caller": "0x7ff6c28c39ad",
            "parentcaller": "0x7ff6c28c31bb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a50"
              }
            ],
            "repeated": 0,
            "id": 16981
          },
          {
            "timestamp": "2026-05-28 22:01:58,787",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c3746",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a50"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001000",
                "pretty_value": "PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "5320"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\System32\\RuntimeBroker.exe"
              }
            ],
            "repeated": 0,
            "id": 16982
          },
          {
            "timestamp": "2026-05-28 22:01:58,787",
            "thread_id": "5448",
            "caller": "0x7ff6c28c472e",
            "parentcaller": "0x7ff6c28c375e",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a50"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x00000a38"
              }
            ],
            "repeated": 0,
            "id": 16983
          },
          {
            "timestamp": "2026-05-28 22:01:58,787",
            "thread_id": "5448",
            "caller": "0x7ff6c28c4764",
            "parentcaller": "0x7ff6c28c375e",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "39"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 16984
          },
          {
            "timestamp": "2026-05-28 22:01:58,787",
            "thread_id": "5448",
            "caller": "0x7ff6c28c47ed",
            "parentcaller": "0x7ff6c28c375e",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "39"
              },
              {
                "name": "TokenInformation",
                "value": "\\x01\\x00\\x00\\x00\\x03\\x00\\x00\\x00p\\xdb\\x98T\\x92\\x02\\x00\\x00\\x1c\\x00\\x1c\\x00\\x00\\x00\\x00\\x00\\xe8\\xdb\\x98T\\x92\\x02\\x00\\x00\\x03\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x08\\xdc\\x98T\\x92\\x02\\x00\\x00\\x12\\x00\\x12\\x00\\x00\\x00\\x00\\x00\\x9c\\xdd\\x98T\\x92\\x02\\x00\\x00\\x02\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb0\\xdd\\x98T\\x92\\x02\\x00\\x00 \\x00 \\x00\\x00\\x00\\x00\\x00\\xb8\\xdd\\x98T\\x92\\x02\\x00\\x00\\x02\\x00\\x00\\x00A\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xd8\\xdd\\x98T\\x92\\x02\\x00\\x00W\\x00I\\x00N\\x00:\\x00/\\x00/\\x00S\\x00Y\\x00S\\x00A\\x00P\\x00P\\x00I\\x00D\\x00\\x00\\x00\\x00\\x00\\xae\\x00\\xae\\x00\\x00\\x00\\x00\\x008\\xdc\\x98T\\x92\\x02\\x00\\x00H\\x00H\\x00\\x00\\x00\\x00\\x00\\xe6\\xdc\\x98T\\x92\\x02\\x00\\x00n\\x00n\\x00\\x00\\x00\\x00\\x00.\\xdd\\x98T\\x92\\x02\\x00\\x00M\\x00i\\x00c\\x00r\\x00o\\x00s\\x00o\\x00f\\x00t\\x00.\\x00W\\x00i\\x00n\\x00d\\x00o\\x00w\\x00s\\x00.\\x00S\\x00t\\x00"
              }
            ],
            "repeated": 0,
            "id": 16985
          },
          {
            "timestamp": "2026-05-28 22:01:58,787",
            "thread_id": "5448",
            "caller": "0x7ff6c28c488d",
            "parentcaller": "0x7ff6c28c375e",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a38"
              }
            ],
            "repeated": 0,
            "id": 16986
          },
          {
            "timestamp": "2026-05-28 22:01:58,787",
            "thread_id": "5448",
            "caller": "0x7ff6c28c3779",
            "parentcaller": "0x7ff6c28c31c6",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a50"
              }
            ],
            "repeated": 0,
            "id": 16987
          },
          {
            "timestamp": "2026-05-28 22:01:58,787",
            "thread_id": "5448",
            "caller": "0x7ff6c28c05ac",
            "parentcaller": "0x7ff6c28bdc11",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a50"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001400",
                "pretty_value": "PROCESS_QUERY_INFORMATION|PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "5416"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\System32\\MoUsoCoreWorker.exe"
              }
            ],
            "repeated": 0,
            "id": 16988
          },
          {
            "timestamp": "2026-05-28 22:01:58,787",
            "thread_id": "5448",
            "caller": "0x7ff6c28c068f",
            "parentcaller": "0x7ff6c28bdc11",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a50"
              }
            ],
            "repeated": 0,
            "id": 16989
          },
          {
            "timestamp": "2026-05-28 22:01:58,787",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c3e56",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a50"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001000",
                "pretty_value": "PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "5416"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\System32\\MoUsoCoreWorker.exe"
              }
            ],
            "repeated": 0,
            "id": 16990
          },
          {
            "timestamp": "2026-05-28 22:01:58,787",
            "thread_id": "5448",
            "caller": "0x7ff6c28c3ebb",
            "parentcaller": "0x7ff6c28c2d53",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a50"
              }
            ],
            "repeated": 0,
            "id": 16991
          },
          {
            "timestamp": "2026-05-28 22:01:58,787",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c3ffc",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a50"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001000",
                "pretty_value": "PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "5416"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\System32\\MoUsoCoreWorker.exe"
              }
            ],
            "repeated": 0,
            "id": 16992
          },
          {
            "timestamp": "2026-05-28 22:01:58,787",
            "thread_id": "5448",
            "caller": "0x7ff6c28c4224",
            "parentcaller": "0x7ff6c28c2da5",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a50"
              }
            ],
            "repeated": 0,
            "id": 16993
          },
          {
            "timestamp": "2026-05-28 22:01:58,787",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a50"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000400",
                "pretty_value": "PROCESS_QUERY_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "7912"
              }
            ],
            "repeated": 0,
            "id": 16994
          },
          {
            "timestamp": "2026-05-28 22:01:58,787",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x00000a38"
              }
            ],
            "repeated": 0,
            "id": 16995
          },
          {
            "timestamp": "2026-05-28 22:01:58,787",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "`\\xd8\\xdf\\x9d\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\xe9\\x03\\x00\\x00\\xfc\\x7f\\x00\\x00`^\\xe8S\\x92\\x02\\x00\\x00\\xe0\\xde\\xdf\\x9d\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x96\\x00\\x00\\x00\\x00\\x00\\x00\\x00H\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 16996
          },
          {
            "timestamp": "2026-05-28 22:01:58,787",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "synchronization",
            "api": "NtCreateMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000007d4"
              },
              {
                "name": "MutexName",
                "value": "Global\\C::Users:admin:AppData:Local:Microsoft:Windows:Explorer:iconcache_idx.db!rwReaderRefs"
              },
              {
                "name": "InitialOwner",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 16997
          },
          {
            "timestamp": "2026-05-28 22:01:58,787",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a38"
              }
            ],
            "repeated": 0,
            "id": 16998
          },
          {
            "timestamp": "2026-05-28 22:01:58,787",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a50"
              }
            ],
            "repeated": 0,
            "id": 16999
          },
          {
            "timestamp": "2026-05-28 22:01:58,787",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000808"
              },
              {
                "name": "HandleName",
                "value": "C:\\Users\\admin\\AppData\\Local\\Microsoft\\Windows\\Explorer\\iconcache_idx.db"
              },
              {
                "name": "FileInformationClass",
                "value": "5",
                "pretty_value": "FileStandardInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\x00\\x80\\x00\\x00\\x00\\x00\\x00\\x000r\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 17000
          },
          {
            "timestamp": "2026-05-28 22:01:58,787",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000007d4"
              }
            ],
            "repeated": 0,
            "id": 17001
          },
          {
            "timestamp": "2026-05-28 22:01:58,787",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000007d4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000400",
                "pretty_value": "PROCESS_QUERY_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "7912"
              }
            ],
            "repeated": 0,
            "id": 17002
          },
          {
            "timestamp": "2026-05-28 22:01:58,787",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x00000a50"
              }
            ],
            "repeated": 0,
            "id": 17003
          },
          {
            "timestamp": "2026-05-28 22:01:58,787",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "p\\xd8\\xdf\\x9d\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\xe9\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xbc\\x07\\x00\\x00\\x00\\x00\\x00\\x00 \\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x02\\x00\\x00\\x00\\x00\\x00\\x00]\\xddmu\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xea5\\x07Ou\\xc0\\x00\\x00\\xe8\\xf6\\x8eT\\x92\\x02\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 17004
          },
          {
            "timestamp": "2026-05-28 22:01:58,787",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "synchronization",
            "api": "NtCreateMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a38"
              },
              {
                "name": "MutexName",
                "value": "Global\\C::Users:admin:AppData:Local:Microsoft:Windows:Explorer:iconcache_idx.db!rwReaderRefs"
              },
              {
                "name": "InitialOwner",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 17005
          },
          {
            "timestamp": "2026-05-28 22:01:58,787",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a50"
              }
            ],
            "repeated": 0,
            "id": 17006
          },
          {
            "timestamp": "2026-05-28 22:01:58,787",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000007d4"
              }
            ],
            "repeated": 0,
            "id": 17007
          },
          {
            "timestamp": "2026-05-28 22:01:58,787",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a38"
              }
            ],
            "repeated": 0,
            "id": 17008
          },
          {
            "timestamp": "2026-05-28 22:01:58,787",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\mousocoreworker.exe"
              }
            ],
            "repeated": 1,
            "id": 17009
          },
          {
            "timestamp": "2026-05-28 22:01:58,787",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29255760002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "c:\\windows\\system32\\mousocoreworker.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 17010
          },
          {
            "timestamp": "2026-05-28 22:01:58,787",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100001",
                "pretty_value": "FILE_READ_ACCESS|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\SystemResources\\mousocoreworker.exe.mun"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 17011
          },
          {
            "timestamp": "2026-05-28 22:01:58,787",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29255760000"
              },
              {
                "name": "RegionSize",
                "value": "0x001ad000"
              }
            ],
            "repeated": 0,
            "id": 17012
          },
          {
            "timestamp": "2026-05-28 22:01:58,787",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\imageres.dll"
              }
            ],
            "repeated": 1,
            "id": 17013
          },
          {
            "timestamp": "2026-05-28 22:01:58,787",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x292544f0002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\system32\\imageres.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 17014
          },
          {
            "timestamp": "2026-05-28 22:01:58,787",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "registry",
            "api": "NtOpenKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\en-US"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\en-US"
              }
            ],
            "repeated": 0,
            "id": 17015
          },
          {
            "timestamp": "2026-05-28 22:01:58,787",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000a38"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100001",
                "pretty_value": "FILE_READ_ACCESS|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\en-US\\imageres.dll.mui"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 17016
          },
          {
            "timestamp": "2026-05-28 22:01:58,787",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x000007d4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000a38"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\en-US\\imageres.dll.mui"
              }
            ],
            "repeated": 0,
            "id": 17017
          },
          {
            "timestamp": "2026-05-28 22:01:58,787",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x000007d4"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254500000"
              },
              {
                "name": "SectionOffset",
                "value": "0xf09ddfb7f0"
              },
              {
                "name": "ViewSize",
                "value": "0x00001000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 17018
          },
          {
            "timestamp": "2026-05-28 22:01:58,787",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000007d4"
              }
            ],
            "repeated": 0,
            "id": 17019
          },
          {
            "timestamp": "2026-05-28 22:01:58,787",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000007d4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100001",
                "pretty_value": "FILE_READ_ACCESS|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\SystemResources\\imageres.dll.mun"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 17020
          },
          {
            "timestamp": "2026-05-28 22:01:58,787",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000a50"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x000007d4"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\SystemResources\\imageres.dll.mun"
              }
            ],
            "repeated": 0,
            "id": 17021
          },
          {
            "timestamp": "2026-05-28 22:01:58,787",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000a50"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29257f80000"
              },
              {
                "name": "SectionOffset",
                "value": "0xf09ddfb7a0"
              },
              {
                "name": "ViewSize",
                "value": "0x013c0000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 17022
          },
          {
            "timestamp": "2026-05-28 22:01:58,787",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a50"
              }
            ],
            "repeated": 0,
            "id": 17023
          },
          {
            "timestamp": "2026-05-28 22:01:58,787",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "misc",
            "api": "FindResourceExW",
            "status": true,
            "return": "0x29257fa2e40",
            "arguments": [
              {
                "name": "Module",
                "value": "0x292544f0002"
              },
              {
                "name": "Type",
                "value": "#14"
              },
              {
                "name": "Name",
                "value": "#15"
              },
              {
                "name": "Language",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 17024
          },
          {
            "timestamp": "2026-05-28 22:01:58,787",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "misc",
            "api": "LoadResource",
            "status": true,
            "return": "0x29258016950",
            "arguments": [
              {
                "name": "Module",
                "value": "0x292544f0002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29257fa2e40"
              }
            ],
            "repeated": 0,
            "id": 17025
          },
          {
            "timestamp": "2026-05-28 22:01:58,787",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "misc",
            "api": "FindResourceExW",
            "status": true,
            "return": "0x29257f98940",
            "arguments": [
              {
                "name": "Module",
                "value": "0x292544f0002"
              },
              {
                "name": "Type",
                "value": "#3"
              },
              {
                "name": "Name",
                "value": "#63"
              },
              {
                "name": "Language",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 17026
          },
          {
            "timestamp": "2026-05-28 22:01:58,787",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "misc",
            "api": "SizeofResource",
            "status": true,
            "return": "0x00000468",
            "arguments": [
              {
                "name": "ModuleHandle",
                "value": "0x292544f0002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29257f98940"
              }
            ],
            "repeated": 0,
            "id": 17027
          },
          {
            "timestamp": "2026-05-28 22:01:58,787",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "misc",
            "api": "LoadResource",
            "status": true,
            "return": "0x292580164e8",
            "arguments": [
              {
                "name": "Module",
                "value": "0x292544f0002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29257f98940"
              }
            ],
            "repeated": 0,
            "id": 17028
          },
          {
            "timestamp": "2026-05-28 22:01:58,787",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29257f80000"
              },
              {
                "name": "RegionSize",
                "value": "0x013c0000"
              }
            ],
            "repeated": 0,
            "id": 17029
          },
          {
            "timestamp": "2026-05-28 22:01:58,787",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000007d4"
              }
            ],
            "repeated": 0,
            "id": 17030
          },
          {
            "timestamp": "2026-05-28 22:01:58,787",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254500000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              }
            ],
            "repeated": 0,
            "id": 17031
          },
          {
            "timestamp": "2026-05-28 22:01:58,787",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a38"
              }
            ],
            "repeated": 0,
            "id": 17032
          },
          {
            "timestamp": "2026-05-28 22:01:58,787",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x292544f0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00003000"
              }
            ],
            "repeated": 0,
            "id": 17033
          },
          {
            "timestamp": "2026-05-28 22:01:58,787",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29255760002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\System32\\MoUsoCoreWorker.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 17034
          },
          {
            "timestamp": "2026-05-28 22:01:58,787",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "registry",
            "api": "NtOpenKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\en-US"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\en-US"
              }
            ],
            "repeated": 0,
            "id": 17035
          },
          {
            "timestamp": "2026-05-28 22:01:58,787",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100001",
                "pretty_value": "FILE_READ_ACCESS|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\en-US\\MoUsoCoreWorker.exe.mui"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 17036
          },
          {
            "timestamp": "2026-05-28 22:01:58,787",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "registry",
            "api": "NtOpenKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\en"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\en"
              }
            ],
            "repeated": 0,
            "id": 17037
          },
          {
            "timestamp": "2026-05-28 22:01:58,787",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100001",
                "pretty_value": "FILE_READ_ACCESS|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\en\\MoUsoCoreWorker.exe.mui"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 17038
          },
          {
            "timestamp": "2026-05-28 22:01:58,787",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\MoUsoCoreWorker.exe"
              }
            ],
            "repeated": 0,
            "id": 17039
          },
          {
            "timestamp": "2026-05-28 22:01:58,787",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29255760000"
              },
              {
                "name": "RegionSize",
                "value": "0x001ad000"
              }
            ],
            "repeated": 0,
            "id": 17040
          },
          {
            "timestamp": "2026-05-28 22:01:58,787",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29255760002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\System32\\MoUsoCoreWorker.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 17041
          },
          {
            "timestamp": "2026-05-28 22:01:58,787",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "registry",
            "api": "NtOpenKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\en-US"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\en-US"
              }
            ],
            "repeated": 0,
            "id": 17042
          },
          {
            "timestamp": "2026-05-28 22:01:58,787",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100001",
                "pretty_value": "FILE_READ_ACCESS|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\en-US\\MoUsoCoreWorker.exe.mui"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 17043
          },
          {
            "timestamp": "2026-05-28 22:01:58,787",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "registry",
            "api": "NtOpenKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\en"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\en"
              }
            ],
            "repeated": 0,
            "id": 17044
          },
          {
            "timestamp": "2026-05-28 22:01:58,787",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100001",
                "pretty_value": "FILE_READ_ACCESS|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\en\\MoUsoCoreWorker.exe.mui"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 17045
          },
          {
            "timestamp": "2026-05-28 22:01:58,787",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\MoUsoCoreWorker.exe"
              }
            ],
            "repeated": 0,
            "id": 17046
          },
          {
            "timestamp": "2026-05-28 22:01:58,787",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29255760000"
              },
              {
                "name": "RegionSize",
                "value": "0x001ad000"
              }
            ],
            "repeated": 0,
            "id": 17047
          },
          {
            "timestamp": "2026-05-28 22:01:58,787",
            "thread_id": "5448",
            "caller": "0x7ff6c28c3b16",
            "parentcaller": "0x7ff6c28c30e8",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a38"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000400",
                "pretty_value": "PROCESS_QUERY_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "5416"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\System32\\MoUsoCoreWorker.exe"
              }
            ],
            "repeated": 0,
            "id": 17048
          },
          {
            "timestamp": "2026-05-28 22:01:58,787",
            "thread_id": "5448",
            "caller": "0x7ff6c28c3b8f",
            "parentcaller": "0x7ff6c28c30e8",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a38"
              }
            ],
            "repeated": 0,
            "id": 17049
          },
          {
            "timestamp": "2026-05-28 22:01:58,787",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c38f8",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a38"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001410",
                "pretty_value": "PROCESS_VM_READ|PROCESS_QUERY_INFORMATION|PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "5416"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\System32\\MoUsoCoreWorker.exe"
              }
            ],
            "repeated": 0,
            "id": 17050
          },
          {
            "timestamp": "2026-05-28 22:01:58,787",
            "thread_id": "5448",
            "caller": "0x7ff6c28c53e5",
            "parentcaller": "0x7ff6c28c3945",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a38"
              },
              {
                "name": "BaseAddress",
                "value": "0x6143e12000"
              },
              {
                "name": "Size",
                "value": "0x000007c8"
              },
              {
                "name": "Buffer",
                "value": "\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\x1d\\x8f\\xf6\\x7f\\x00\\x00\\xc0\\xc4\\x13x\\xfc\\x7f\\x00\\x00P\\x1a\\x9eC\\xaa\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x9eC\\xaa\\x01\\x00\\x00\\xe0\\xc0\\x13x\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00p\\x003v\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00}C\\xaa\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00@\\xc4\\x13x\\xfc\\x7f\\x00\\x00\\xff\\x0f\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xe0>\\xf4}\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00P\\x07\\xe0>\\xf4}\\x00\\x00\\x00\\x00\\xf4@\\xf5}\\x00\\x00(\\x02\\xf5@\\xf5}\\x00\\x00P\\x06\\xf6@\\xf5}\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x80\\x9b\\x07m\\xe8\\xff\\xff\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x00 \\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x10\\x00\\x00\\x00@\\xad\\x13x\\xfc\\x7f\\x00\\x00\\x00\\x00\\xceC\\xaa\\x01\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 17051
          },
          {
            "timestamp": "2026-05-28 22:01:58,787",
            "thread_id": "5448",
            "caller": "0x7ff6c28c5414",
            "parentcaller": "0x7ff6c28c3945",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a38"
              },
              {
                "name": "BaseAddress",
                "value": "0x1aa439e1a50"
              },
              {
                "name": "Size",
                "value": "0x00000440"
              },
              {
                "name": "Buffer",
                "value": "\\x82\\x07\\x00\\x00\\x82\\x07\\x00\\x00\\x01@\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00(\\x00\\x08\\x02\\x00\\x00\\x00\\x000&\\x9eC\\xaa\\x01\\x00\\x00@\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00N\\x00P\\x00\\x00\\x00\\x00\\x00\\x98 \\x9eC\\xaa\\x01\\x00\\x00d\\x00f\\x00\\x00\\x00\\x00\\x00\\xe8 \\x9eC\\xaa\\x01\\x00\\x00\\xe0\\x0f\\x9eC\\xaa\\x01\\x00\\x00(\\x00\\x00\\x00(\\x00\\x00\\x00P\\x00\\x00\\x00(\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x80\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00N\\x00P\\x00\\x00\\x00\\x00\\x00N!\\x9eC\\xaa\\x01\\x00\\x000\\x002\\x00\\x00\\x00\\x00\\x00\\x9e!\\x9eC\\xaa\\x01\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\xd0!\\x9eC\\xaa\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 17052
          },
          {
            "timestamp": "2026-05-28 22:01:58,787",
            "thread_id": "5448",
            "caller": "0x7ff6c28c545d",
            "parentcaller": "0x7ff6c28c3945",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a38"
              },
              {
                "name": "BaseAddress",
                "value": "0x1aa439e20e8"
              },
              {
                "name": "Size",
                "value": "0x00000064"
              },
              {
                "name": "Buffer",
                "value": "C\\x00:\\x00\\\\x00W\\x00i\\x00n\\x00d\\x00o\\x00w\\x00s\\x00\\\\x00S\\x00y\\x00s\\x00t\\x00e\\x00m\\x003\\x002\\x00\\\\x00m\\x00o\\x00u\\x00s\\x00o\\x00c\\x00o\\x00r\\x00e\\x00w\\x00o\\x00r\\x00k\\x00e\\x00r\\x00.\\x00e\\x00x\\x00e\\x00 \\x00-\\x00E\\x00m\\x00b\\x00e\\x00d\\x00d\\x00i\\x00n\\x00g\\x00"
              }
            ],
            "repeated": 0,
            "id": 17053
          },
          {
            "timestamp": "2026-05-28 22:01:58,787",
            "thread_id": "5448",
            "caller": "0x7ff6c28c39ad",
            "parentcaller": "0x7ff6c28c31bb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a38"
              }
            ],
            "repeated": 0,
            "id": 17054
          },
          {
            "timestamp": "2026-05-28 22:01:58,787",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c3746",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a38"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001000",
                "pretty_value": "PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "5416"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\System32\\MoUsoCoreWorker.exe"
              }
            ],
            "repeated": 0,
            "id": 17055
          },
          {
            "timestamp": "2026-05-28 22:01:58,787",
            "thread_id": "5448",
            "caller": "0x7ff6c28c472e",
            "parentcaller": "0x7ff6c28c375e",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a38"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x000007d4"
              }
            ],
            "repeated": 0,
            "id": 17056
          },
          {
            "timestamp": "2026-05-28 22:01:58,787",
            "thread_id": "5448",
            "caller": "0x7ff6c28c4764",
            "parentcaller": "0x7ff6c28c375e",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "39"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 17057
          },
          {
            "timestamp": "2026-05-28 22:01:58,787",
            "thread_id": "5448",
            "caller": "0x7ff6c28c47ed",
            "parentcaller": "0x7ff6c28c375e",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "39"
              },
              {
                "name": "TokenInformation",
                "value": "\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\xd0\\xd2\\xabT\\x92\\x02\\x00\\x00 \\x00 \\x00\\x00\\x00\\x00\\x00\\xf8\\xd2\\xabT\\x92\\x02\\x00\\x00\\x02\\x00\\x00\\x00A\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x18\\xd3\\xabT\\x92\\x02\\x00\\x00T\\x00S\\x00A\\x00:\\x00/\\x00/\\x00P\\x00r\\x00o\\x00c\\x00U\\x00n\\x00i\\x00q\\x00u\\x00e\\x00p\\x00\\x00\\x00\\x00\\x00\\x00\\x00bo\\x04\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 17058
          },
          {
            "timestamp": "2026-05-28 22:01:58,787",
            "thread_id": "5448",
            "caller": "0x7ff6c28c488d",
            "parentcaller": "0x7ff6c28c375e",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000007d4"
              }
            ],
            "repeated": 0,
            "id": 17059
          },
          {
            "timestamp": "2026-05-28 22:01:58,787",
            "thread_id": "5448",
            "caller": "0x7ff6c28c3779",
            "parentcaller": "0x7ff6c28c31c6",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a38"
              }
            ],
            "repeated": 0,
            "id": 17060
          },
          {
            "timestamp": "2026-05-28 22:01:58,787",
            "thread_id": "5448",
            "caller": "0x7ff6c28c05ac",
            "parentcaller": "0x7ff6c28bdc11",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a38"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001400",
                "pretty_value": "PROCESS_QUERY_INFORMATION|PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "5684"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\System32\\SearchFilterHost.exe"
              }
            ],
            "repeated": 0,
            "id": 17061
          },
          {
            "timestamp": "2026-05-28 22:01:58,787",
            "thread_id": "5448",
            "caller": "0x7ff6c28c068f",
            "parentcaller": "0x7ff6c28bdc11",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a38"
              }
            ],
            "repeated": 0,
            "id": 17062
          },
          {
            "timestamp": "2026-05-28 22:01:58,787",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c3e56",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a38"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001000",
                "pretty_value": "PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "5684"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\System32\\SearchFilterHost.exe"
              }
            ],
            "repeated": 0,
            "id": 17063
          },
          {
            "timestamp": "2026-05-28 22:01:58,787",
            "thread_id": "5448",
            "caller": "0x7ff6c28c3ebb",
            "parentcaller": "0x7ff6c28c2d53",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a38"
              }
            ],
            "repeated": 0,
            "id": 17064
          },
          {
            "timestamp": "2026-05-28 22:01:58,787",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c3ffc",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a38"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001000",
                "pretty_value": "PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "5684"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\System32\\SearchFilterHost.exe"
              }
            ],
            "repeated": 0,
            "id": 17065
          },
          {
            "timestamp": "2026-05-28 22:01:58,787",
            "thread_id": "5448",
            "caller": "0x7ff6c28c4224",
            "parentcaller": "0x7ff6c28c2da5",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a38"
              }
            ],
            "repeated": 0,
            "id": 17066
          },
          {
            "timestamp": "2026-05-28 22:01:58,787",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a38"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000400",
                "pretty_value": "PROCESS_QUERY_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "7912"
              }
            ],
            "repeated": 0,
            "id": 17067
          },
          {
            "timestamp": "2026-05-28 22:01:58,787",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x000007d4"
              }
            ],
            "repeated": 0,
            "id": 17068
          },
          {
            "timestamp": "2026-05-28 22:01:58,787",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "`\\xd8\\xdf\\x9d\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\xe9\\x03\\x00\\x00\\xfc\\x7f\\x00\\x00@\\xdepT\\x92\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x92\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00H\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x9a\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 17069
          },
          {
            "timestamp": "2026-05-28 22:01:58,787",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "synchronization",
            "api": "NtCreateMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a50"
              },
              {
                "name": "MutexName",
                "value": "Global\\C::Users:admin:AppData:Local:Microsoft:Windows:Explorer:iconcache_idx.db!rwReaderRefs"
              },
              {
                "name": "InitialOwner",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 17070
          },
          {
            "timestamp": "2026-05-28 22:01:58,787",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000007d4"
              }
            ],
            "repeated": 0,
            "id": 17071
          },
          {
            "timestamp": "2026-05-28 22:01:58,787",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a38"
              }
            ],
            "repeated": 0,
            "id": 17072
          },
          {
            "timestamp": "2026-05-28 22:01:58,787",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000808"
              },
              {
                "name": "HandleName",
                "value": "C:\\Users\\admin\\AppData\\Local\\Microsoft\\Windows\\Explorer\\iconcache_idx.db"
              },
              {
                "name": "FileInformationClass",
                "value": "5",
                "pretty_value": "FileStandardInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\x00\\x80\\x00\\x00\\x00\\x00\\x00\\x000r\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 17073
          },
          {
            "timestamp": "2026-05-28 22:01:58,787",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a38"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000400",
                "pretty_value": "PROCESS_QUERY_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "7912"
              }
            ],
            "repeated": 0,
            "id": 17074
          },
          {
            "timestamp": "2026-05-28 22:01:58,787",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x000007d4"
              }
            ],
            "repeated": 0,
            "id": 17075
          },
          {
            "timestamp": "2026-05-28 22:01:58,787",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": " \\xd9\\xdf\\x9d\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\xe9\\x03\\x00\\x00\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x99\\xdb\\xdf\\x9d\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00T\\x82*_\\xfc\\x7f\\x00\\x004\\x009\\x007\\x003\\x008\\x00\\x00\\x00\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x000\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x98\\xda\\xdf\\x9d\\xf0\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 17076
          },
          {
            "timestamp": "2026-05-28 22:01:58,787",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "synchronization",
            "api": "NtCreateMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a30"
              },
              {
                "name": "MutexName",
                "value": "Global\\C::Users:admin:AppData:Local:Microsoft:Windows:Explorer:iconcache_idx.db!049738"
              },
              {
                "name": "InitialOwner",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 17077
          },
          {
            "timestamp": "2026-05-28 22:01:58,787",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000007d4"
              }
            ],
            "repeated": 0,
            "id": 17078
          },
          {
            "timestamp": "2026-05-28 22:01:58,787",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a38"
              }
            ],
            "repeated": 0,
            "id": 17079
          },
          {
            "timestamp": "2026-05-28 22:01:58,787",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000a4c"
              },
              {
                "name": "HandleName",
                "value": "C:\\Users\\admin\\AppData\\Local\\Microsoft\\Windows\\Explorer\\iconcache_16.db"
              },
              {
                "name": "FileInformationClass",
                "value": "5",
                "pretty_value": "FileStandardInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 17080
          },
          {
            "timestamp": "2026-05-28 22:01:58,787",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a50"
              }
            ],
            "repeated": 0,
            "id": 17081
          },
          {
            "timestamp": "2026-05-28 22:01:58,787",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a50"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000400",
                "pretty_value": "PROCESS_QUERY_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "7912"
              }
            ],
            "repeated": 0,
            "id": 17082
          },
          {
            "timestamp": "2026-05-28 22:01:58,787",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x00000a38"
              }
            ],
            "repeated": 0,
            "id": 17083
          },
          {
            "timestamp": "2026-05-28 22:01:58,787",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "0\\xd9\\xdf\\x9d\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\xe9\\x03\\x00\\x00\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xd0\\xd9\\xdf\\x9d\\xf0\\x00\\x00\\x00x\\xdb\\xdf\\x9d\\xf0\\x00\\x00\\x008\\x97\\xb3T\\x92\\x02\\x00\\x00\\xb0\\xd9\\xdf\\x9d\\xf0\\x00\\x00\\x00\\x00\\xda\\xdf\\x9d\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xf0\\x00\\x00\\x00\\x00\\x00\\xafT\\x92\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00u\\xc0\\x00\\x00\\x00\\x00\\xafT\\x92\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 17084
          },
          {
            "timestamp": "2026-05-28 22:01:58,787",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "synchronization",
            "api": "NtCreateMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000007d4"
              },
              {
                "name": "MutexName",
                "value": "Global\\C::Users:admin:AppData:Local:Microsoft:Windows:Explorer:iconcache_idx.db!rwReaderRefs"
              },
              {
                "name": "InitialOwner",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 17085
          },
          {
            "timestamp": "2026-05-28 22:01:58,787",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a38"
              }
            ],
            "repeated": 0,
            "id": 17086
          },
          {
            "timestamp": "2026-05-28 22:01:58,787",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a50"
              }
            ],
            "repeated": 0,
            "id": 17087
          },
          {
            "timestamp": "2026-05-28 22:01:58,787",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000007d4"
              }
            ],
            "repeated": 0,
            "id": 17088
          },
          {
            "timestamp": "2026-05-28 22:01:58,787",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a30"
              }
            ],
            "repeated": 0,
            "id": 17089
          },
          {
            "timestamp": "2026-05-28 22:01:58,787",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29255760002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\System32\\SearchFilterHost.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 17090
          },
          {
            "timestamp": "2026-05-28 22:01:58,787",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29255760000"
              },
              {
                "name": "RegionSize",
                "value": "0x00047000"
              }
            ],
            "repeated": 0,
            "id": 17091
          },
          {
            "timestamp": "2026-05-28 22:01:58,787",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29255760002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\System32\\SearchFilterHost.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 17092
          },
          {
            "timestamp": "2026-05-28 22:01:58,803",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29255760000"
              },
              {
                "name": "RegionSize",
                "value": "0x00047000"
              }
            ],
            "repeated": 0,
            "id": 17093
          },
          {
            "timestamp": "2026-05-28 22:01:58,803",
            "thread_id": "5448",
            "caller": "0x7ff6c28c3b16",
            "parentcaller": "0x7ff6c28c30e8",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a30"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000400",
                "pretty_value": "PROCESS_QUERY_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "5684"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\System32\\SearchFilterHost.exe"
              }
            ],
            "repeated": 0,
            "id": 17094
          },
          {
            "timestamp": "2026-05-28 22:01:58,803",
            "thread_id": "5448",
            "caller": "0x7ff6c28c3b8f",
            "parentcaller": "0x7ff6c28c30e8",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a30"
              }
            ],
            "repeated": 0,
            "id": 17095
          },
          {
            "timestamp": "2026-05-28 22:01:58,803",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c38f8",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a30"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001410",
                "pretty_value": "PROCESS_VM_READ|PROCESS_QUERY_INFORMATION|PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "5684"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\System32\\SearchFilterHost.exe"
              }
            ],
            "repeated": 0,
            "id": 17096
          },
          {
            "timestamp": "2026-05-28 22:01:58,803",
            "thread_id": "5448",
            "caller": "0x7ff6c28c53e5",
            "parentcaller": "0x7ff6c28c3945",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a30"
              },
              {
                "name": "BaseAddress",
                "value": "0x76f23c4000"
              },
              {
                "name": "Size",
                "value": "0x000007c8"
              },
              {
                "name": "Buffer",
                "value": "\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x001\\xec\\xf6\\x7f\\x00\\x00\\xc0\\xc4\\x13x\\xfc\\x7f\\x00\\x00\\x10\\x1b\\xf0\\xf1\\xd8\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xf0\\xf1\\xd8\\x01\\x00\\x00\\xe0\\xc0\\x13x\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00p\\x003v\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xce\\xf1\\xd8\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00@\\xc4\\x13x\\xfc\\x7f\\x00\\x00\\xff\\x1f\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xff\\x14\\xf4}\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00P\\x07\\xff\\x14\\xf4}\\x00\\x00\\x00\\x00\\x13\\x17\\xf5}\\x00\\x00(\\x02\\x14\\x17\\xf5}\\x00\\x00P\\x06\\x15\\x17\\xf5}\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x80\\x9b\\x07m\\xe8\\xff\\xff\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x00 \\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x10\\x00\\x00\\x00@\\xad\\x13x\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\xf2\\xd8\\x01\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 17097
          },
          {
            "timestamp": "2026-05-28 22:01:58,803",
            "thread_id": "5448",
            "caller": "0x7ff6c28c5414",
            "parentcaller": "0x7ff6c28c3945",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a30"
              },
              {
                "name": "BaseAddress",
                "value": "0x1d8f1f01b10"
              },
              {
                "name": "Size",
                "value": "0x00000440"
              },
              {
                "name": "Buffer",
                "value": "\\xa0\\x07\\x00\\x00\\xa0\\x07\\x00\\x00\\x01`\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00(\\x00\\x08\\x02\\x00\\x00\\x00\\x00\\x10'\\xf0\\xf1\\xd8\\x01\\x00\\x00@\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00P\\x00R\\x00\\x00\\x00\\x00\\x00X!\\xf0\\xf1\\xd8\\x01\\x00\\x00\\x8c\\x00\\x8e\\x00\\x00\\x00\\x00\\x00\\xaa!\\xf0\\xf1\\xd8\\x01\\x00\\x00\\xe0\\x0f\\xf0\\xf1\\xd8\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00P\\x00R\\x00\\x00\\x00\\x00\\x008\"\\xf0\\xf1\\xd8\\x01\\x00\\x00\"\\x00$\\x00\\x00\\x00\\x00\\x00\\x8a\"\\xf0\\xf1\\xd8\\x01\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\xae\"\\xf0\\xf1\\xd8\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 17098
          },
          {
            "timestamp": "2026-05-28 22:01:58,803",
            "thread_id": "5448",
            "caller": "0x7ff6c28c545d",
            "parentcaller": "0x7ff6c28c3945",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a30"
              },
              {
                "name": "BaseAddress",
                "value": "0x1d8f1f021aa"
              },
              {
                "name": "Size",
                "value": "0x0000008c"
              },
              {
                "name": "Buffer",
                "value": "\"\\x00C\\x00:\\x00\\\\x00W\\x00i\\x00n\\x00d\\x00o\\x00w\\x00s\\x00\\\\x00s\\x00y\\x00s\\x00t\\x00e\\x00m\\x003\\x002\\x00\\\\x00S\\x00e\\x00a\\x00r\\x00c\\x00h\\x00F\\x00i\\x00l\\x00t\\x00e\\x00r\\x00H\\x00o\\x00s\\x00t\\x00.\\x00e\\x00x\\x00e\\x00\"\\x00 \\x000\\x00 \\x007\\x009\\x002\\x00 \\x007\\x009\\x006\\x00 \\x008\\x000\\x004\\x00 \\x008\\x001\\x009\\x002\\x00 \\x008\\x000\\x000\\x00 \\x007\\x007\\x006\\x00 \\x00"
              }
            ],
            "repeated": 0,
            "id": 17099
          },
          {
            "timestamp": "2026-05-28 22:01:58,803",
            "thread_id": "5448",
            "caller": "0x7ff6c28c39ad",
            "parentcaller": "0x7ff6c28c31bb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a30"
              }
            ],
            "repeated": 0,
            "id": 17100
          },
          {
            "timestamp": "2026-05-28 22:01:58,803",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c3746",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a30"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001000",
                "pretty_value": "PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "5684"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\System32\\SearchFilterHost.exe"
              }
            ],
            "repeated": 0,
            "id": 17101
          },
          {
            "timestamp": "2026-05-28 22:01:58,803",
            "thread_id": "5448",
            "caller": "0x7ff6c28c472e",
            "parentcaller": "0x7ff6c28c375e",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a30"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x000007d4"
              }
            ],
            "repeated": 0,
            "id": 17102
          },
          {
            "timestamp": "2026-05-28 22:01:58,803",
            "thread_id": "5448",
            "caller": "0x7ff6c28c4764",
            "parentcaller": "0x7ff6c28c375e",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "39"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 17103
          },
          {
            "timestamp": "2026-05-28 22:01:58,803",
            "thread_id": "5448",
            "caller": "0x7ff6c28c47ed",
            "parentcaller": "0x7ff6c28c375e",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "39"
              },
              {
                "name": "TokenInformation",
                "value": "\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\xc0\\xddpT\\x92\\x02\\x00\\x00 \\x00 \\x00\\x00\\x00\\x00\\x00\\xe8\\xddpT\\x92\\x02\\x00\\x00\\x02\\x00\\x00\\x00A\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x08\\xdepT\\x92\\x02\\x00\\x00T\\x00S\\x00A\\x00:\\x00/\\x00/\\x00P\\x00r\\x00o\\x00c\\x00U\\x00n\\x00i\\x00q\\x00u\\x00e\\x00r\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x08\\xd5\\x04\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 17104
          },
          {
            "timestamp": "2026-05-28 22:01:58,803",
            "thread_id": "5448",
            "caller": "0x7ff6c28c488d",
            "parentcaller": "0x7ff6c28c375e",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000007d4"
              }
            ],
            "repeated": 0,
            "id": 17105
          },
          {
            "timestamp": "2026-05-28 22:01:58,803",
            "thread_id": "5448",
            "caller": "0x7ff6c28c3779",
            "parentcaller": "0x7ff6c28c31c6",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a30"
              }
            ],
            "repeated": 0,
            "id": 17106
          },
          {
            "timestamp": "2026-05-28 22:01:58,803",
            "thread_id": "5448",
            "caller": "0x7ff6c28c05ac",
            "parentcaller": "0x7ff6c28bdc11",
            "category": "process",
            "api": "NtOpenProcess",
            "status": false,
            "return": "0xffffffffc0000022",
            "pretty_return": "ACCESS_DENIED",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x2924e26cd50"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001400",
                "pretty_value": "PROCESS_QUERY_INFORMATION|PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "3120"
              }
            ],
            "repeated": 0,
            "id": 17107
          },
          {
            "timestamp": "2026-05-28 22:01:58,803",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c3e56",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a30"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001000",
                "pretty_value": "PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "3120"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\System32\\svchost.exe"
              }
            ],
            "repeated": 0,
            "id": 17108
          },
          {
            "timestamp": "2026-05-28 22:01:58,803",
            "thread_id": "5448",
            "caller": "0x7ff6c28c3ebb",
            "parentcaller": "0x7ff6c28c2d53",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a30"
              }
            ],
            "repeated": 0,
            "id": 17109
          },
          {
            "timestamp": "2026-05-28 22:01:58,803",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c3ffc",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a30"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001000",
                "pretty_value": "PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "3120"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\System32\\svchost.exe"
              }
            ],
            "repeated": 0,
            "id": 17110
          },
          {
            "timestamp": "2026-05-28 22:01:58,803",
            "thread_id": "5448",
            "caller": "0x7ff6c28c4224",
            "parentcaller": "0x7ff6c28c2da5",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a30"
              }
            ],
            "repeated": 0,
            "id": 17111
          },
          {
            "timestamp": "2026-05-28 22:01:58,803",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x292544f0002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\System32\\svchost.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 17112
          },
          {
            "timestamp": "2026-05-28 22:01:58,803",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "registry",
            "api": "NtOpenKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\en-US"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\en-US"
              }
            ],
            "repeated": 0,
            "id": 17113
          },
          {
            "timestamp": "2026-05-28 22:01:58,803",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000a30"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100001",
                "pretty_value": "FILE_READ_ACCESS|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\en-US\\svchost.exe.mui"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 17114
          },
          {
            "timestamp": "2026-05-28 22:01:58,803",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x000007d4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000a30"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\en-US\\svchost.exe.mui"
              }
            ],
            "repeated": 0,
            "id": 17115
          },
          {
            "timestamp": "2026-05-28 22:01:58,803",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x000007d4"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254500000"
              },
              {
                "name": "SectionOffset",
                "value": "0xf09ddfcf90"
              },
              {
                "name": "ViewSize",
                "value": "0x00001000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 17116
          },
          {
            "timestamp": "2026-05-28 22:01:58,803",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000007d4"
              }
            ],
            "repeated": 0,
            "id": 17117
          },
          {
            "timestamp": "2026-05-28 22:01:58,803",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254500000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              }
            ],
            "repeated": 0,
            "id": 17118
          },
          {
            "timestamp": "2026-05-28 22:01:58,803",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a30"
              }
            ],
            "repeated": 0,
            "id": 17119
          },
          {
            "timestamp": "2026-05-28 22:01:58,803",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x292544f0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              }
            ],
            "repeated": 0,
            "id": 17120
          },
          {
            "timestamp": "2026-05-28 22:01:58,803",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x292544f0002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\System32\\svchost.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 17121
          },
          {
            "timestamp": "2026-05-28 22:01:58,803",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "registry",
            "api": "NtOpenKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\en-US"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\en-US"
              }
            ],
            "repeated": 0,
            "id": 17122
          },
          {
            "timestamp": "2026-05-28 22:01:58,803",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000a30"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100001",
                "pretty_value": "FILE_READ_ACCESS|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\en-US\\svchost.exe.mui"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 17123
          },
          {
            "timestamp": "2026-05-28 22:01:58,803",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x000007d4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000a30"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\en-US\\svchost.exe.mui"
              }
            ],
            "repeated": 0,
            "id": 17124
          },
          {
            "timestamp": "2026-05-28 22:01:58,803",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x000007d4"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254500000"
              },
              {
                "name": "SectionOffset",
                "value": "0xf09ddfcf80"
              },
              {
                "name": "ViewSize",
                "value": "0x00001000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 17125
          },
          {
            "timestamp": "2026-05-28 22:01:58,803",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000007d4"
              }
            ],
            "repeated": 0,
            "id": 17126
          },
          {
            "timestamp": "2026-05-28 22:01:58,803",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254500000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              }
            ],
            "repeated": 0,
            "id": 17127
          },
          {
            "timestamp": "2026-05-28 22:01:58,803",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a30"
              }
            ],
            "repeated": 0,
            "id": 17128
          },
          {
            "timestamp": "2026-05-28 22:01:58,803",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x292544f0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              }
            ],
            "repeated": 0,
            "id": 17129
          },
          {
            "timestamp": "2026-05-28 22:01:58,803",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c38f8",
            "category": "process",
            "api": "NtOpenProcess",
            "status": false,
            "return": "0xffffffffc0000022",
            "pretty_return": "ACCESS_DENIED",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x7ffc756dad9e"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001410",
                "pretty_value": "PROCESS_VM_READ|PROCESS_QUERY_INFORMATION|PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "3120"
              }
            ],
            "repeated": 0,
            "id": 17130
          },
          {
            "timestamp": "2026-05-28 22:01:58,803",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c3746",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a30"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001000",
                "pretty_value": "PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "3120"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\System32\\svchost.exe"
              }
            ],
            "repeated": 0,
            "id": 17131
          },
          {
            "timestamp": "2026-05-28 22:01:58,803",
            "thread_id": "5448",
            "caller": "0x7ff6c28c472e",
            "parentcaller": "0x7ff6c28c375e",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a30"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x000007d4"
              }
            ],
            "repeated": 0,
            "id": 17132
          },
          {
            "timestamp": "2026-05-28 22:01:58,803",
            "thread_id": "5448",
            "caller": "0x7ff6c28c4764",
            "parentcaller": "0x7ff6c28c375e",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "39"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 17133
          },
          {
            "timestamp": "2026-05-28 22:01:58,803",
            "thread_id": "5448",
            "caller": "0x7ff6c28c47ed",
            "parentcaller": "0x7ff6c28c375e",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "39"
              },
              {
                "name": "TokenInformation",
                "value": "\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\xc0\\xddpT\\x92\\x02\\x00\\x00 \\x00 \\x00\\x00\\x00\\x00\\x00\\xe8\\xddpT\\x92\\x02\\x00\\x00\\x02\\x00\\x00\\x00A\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x08\\xdepT\\x92\\x02\\x00\\x00T\\x00S\\x00A\\x00:\\x00/\\x00/\\x00P\\x00r\\x00o\\x00c\\x00U\\x00n\\x00i\\x00q\\x00u\\x00e\\x00v\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x92\\xcc\\x06\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 17134
          },
          {
            "timestamp": "2026-05-28 22:01:58,803",
            "thread_id": "5448",
            "caller": "0x7ff6c28c488d",
            "parentcaller": "0x7ff6c28c375e",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000007d4"
              }
            ],
            "repeated": 0,
            "id": 17135
          },
          {
            "timestamp": "2026-05-28 22:01:58,803",
            "thread_id": "5448",
            "caller": "0x7ff6c28c3779",
            "parentcaller": "0x7ff6c28c31c6",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a30"
              }
            ],
            "repeated": 0,
            "id": 17136
          },
          {
            "timestamp": "2026-05-28 22:01:58,803",
            "thread_id": "5448",
            "caller": "0x7ff6c28c05ac",
            "parentcaller": "0x7ff6c28bdc11",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a30"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001400",
                "pretty_value": "PROCESS_QUERY_INFORMATION|PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "3280"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\System32\\smartscreen.exe"
              }
            ],
            "repeated": 0,
            "id": 17137
          },
          {
            "timestamp": "2026-05-28 22:01:58,803",
            "thread_id": "5448",
            "caller": "0x7ff6c28c068f",
            "parentcaller": "0x7ff6c28bdc11",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a30"
              }
            ],
            "repeated": 0,
            "id": 17138
          },
          {
            "timestamp": "2026-05-28 22:01:58,803",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c3e56",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a30"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001000",
                "pretty_value": "PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "3280"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\System32\\smartscreen.exe"
              }
            ],
            "repeated": 0,
            "id": 17139
          },
          {
            "timestamp": "2026-05-28 22:01:58,803",
            "thread_id": "5448",
            "caller": "0x7ff6c28c3ebb",
            "parentcaller": "0x7ff6c28c2d53",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a30"
              }
            ],
            "repeated": 0,
            "id": 17140
          },
          {
            "timestamp": "2026-05-28 22:01:58,803",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c3ffc",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a30"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001000",
                "pretty_value": "PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "3280"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\System32\\smartscreen.exe"
              }
            ],
            "repeated": 0,
            "id": 17141
          },
          {
            "timestamp": "2026-05-28 22:01:58,803",
            "thread_id": "5448",
            "caller": "0x7ff6c28c4224",
            "parentcaller": "0x7ff6c28c2da5",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a30"
              }
            ],
            "repeated": 0,
            "id": 17142
          },
          {
            "timestamp": "2026-05-28 22:01:58,803",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a30"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000400",
                "pretty_value": "PROCESS_QUERY_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "7912"
              }
            ],
            "repeated": 0,
            "id": 17143
          },
          {
            "timestamp": "2026-05-28 22:01:58,803",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x000007d4"
              }
            ],
            "repeated": 0,
            "id": 17144
          },
          {
            "timestamp": "2026-05-28 22:01:58,803",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "`\\xd8\\xdf\\x9d\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\xe9\\x03\\x00\\x00\\xfc\\x7f\\x00\\x00`^\\xe8S\\x92\\x02\\x00\\x00\\xe0\\xde\\xdf\\x9d\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x98\\x00\\x00\\x00\\x00\\x00\\x00\\x00H\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 17145
          },
          {
            "timestamp": "2026-05-28 22:01:58,803",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "synchronization",
            "api": "NtCreateMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a50"
              },
              {
                "name": "MutexName",
                "value": "Global\\C::Users:admin:AppData:Local:Microsoft:Windows:Explorer:iconcache_idx.db!rwReaderRefs"
              },
              {
                "name": "InitialOwner",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 17146
          },
          {
            "timestamp": "2026-05-28 22:01:58,803",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000007d4"
              }
            ],
            "repeated": 0,
            "id": 17147
          },
          {
            "timestamp": "2026-05-28 22:01:58,803",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a30"
              }
            ],
            "repeated": 0,
            "id": 17148
          },
          {
            "timestamp": "2026-05-28 22:01:58,803",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000808"
              },
              {
                "name": "HandleName",
                "value": "C:\\Users\\admin\\AppData\\Local\\Microsoft\\Windows\\Explorer\\iconcache_idx.db"
              },
              {
                "name": "FileInformationClass",
                "value": "5",
                "pretty_value": "FileStandardInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\x00\\x80\\x00\\x00\\x00\\x00\\x00\\x000r\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 17149
          },
          {
            "timestamp": "2026-05-28 22:01:58,803",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a50"
              }
            ],
            "repeated": 0,
            "id": 17150
          },
          {
            "timestamp": "2026-05-28 22:01:58,803",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a50"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000400",
                "pretty_value": "PROCESS_QUERY_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "7912"
              }
            ],
            "repeated": 0,
            "id": 17151
          },
          {
            "timestamp": "2026-05-28 22:01:58,803",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x00000a30"
              }
            ],
            "repeated": 0,
            "id": 17152
          },
          {
            "timestamp": "2026-05-28 22:01:58,803",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "p\\xd8\\xdf\\x9d\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\xe9\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xbc\\x07\\x00\\x00\\x00\\x00\\x00\\x00 \\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x02\\x00\\x00\\x00\\x00\\x00\\x00]\\xddmu\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xea5\\x07Ou\\xc0\\x00\\x00\\xe8\\xf6\\x8eT\\x92\\x02\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 17153
          },
          {
            "timestamp": "2026-05-28 22:01:58,803",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "synchronization",
            "api": "NtCreateMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000007d4"
              },
              {
                "name": "MutexName",
                "value": "Global\\C::Users:admin:AppData:Local:Microsoft:Windows:Explorer:iconcache_idx.db!rwReaderRefs"
              },
              {
                "name": "InitialOwner",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 17154
          },
          {
            "timestamp": "2026-05-28 22:01:58,803",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a30"
              }
            ],
            "repeated": 0,
            "id": 17155
          },
          {
            "timestamp": "2026-05-28 22:01:58,803",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a50"
              }
            ],
            "repeated": 0,
            "id": 17156
          },
          {
            "timestamp": "2026-05-28 22:01:58,803",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000007d4"
              }
            ],
            "repeated": 0,
            "id": 17157
          },
          {
            "timestamp": "2026-05-28 22:01:58,803",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\smartscreen.exe"
              }
            ],
            "repeated": 1,
            "id": 17158
          },
          {
            "timestamp": "2026-05-28 22:01:58,803",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29255760002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "c:\\windows\\system32\\smartscreen.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 17159
          },
          {
            "timestamp": "2026-05-28 22:01:58,803",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100001",
                "pretty_value": "FILE_READ_ACCESS|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\SystemResources\\smartscreen.exe.mun"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 17160
          },
          {
            "timestamp": "2026-05-28 22:01:58,803",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29255760000"
              },
              {
                "name": "RegionSize",
                "value": "0x0024b000"
              }
            ],
            "repeated": 0,
            "id": 17161
          },
          {
            "timestamp": "2026-05-28 22:01:58,803",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\imageres.dll"
              }
            ],
            "repeated": 1,
            "id": 17162
          },
          {
            "timestamp": "2026-05-28 22:01:58,803",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x292544f0002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\system32\\imageres.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 17163
          },
          {
            "timestamp": "2026-05-28 22:01:58,803",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "registry",
            "api": "NtOpenKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\en-US"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\en-US"
              }
            ],
            "repeated": 0,
            "id": 17164
          },
          {
            "timestamp": "2026-05-28 22:01:58,803",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000007d4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100001",
                "pretty_value": "FILE_READ_ACCESS|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\en-US\\imageres.dll.mui"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 17165
          },
          {
            "timestamp": "2026-05-28 22:01:58,803",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000a50"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x000007d4"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\en-US\\imageres.dll.mui"
              }
            ],
            "repeated": 0,
            "id": 17166
          },
          {
            "timestamp": "2026-05-28 22:01:58,803",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000a50"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254500000"
              },
              {
                "name": "SectionOffset",
                "value": "0xf09ddfb7f0"
              },
              {
                "name": "ViewSize",
                "value": "0x00001000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 17167
          },
          {
            "timestamp": "2026-05-28 22:01:58,803",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a50"
              }
            ],
            "repeated": 0,
            "id": 17168
          },
          {
            "timestamp": "2026-05-28 22:01:58,803",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000a50"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100001",
                "pretty_value": "FILE_READ_ACCESS|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\SystemResources\\imageres.dll.mun"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 17169
          },
          {
            "timestamp": "2026-05-28 22:01:58,803",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000a30"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000a50"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\SystemResources\\imageres.dll.mun"
              }
            ],
            "repeated": 0,
            "id": 17170
          },
          {
            "timestamp": "2026-05-28 22:01:58,803",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000a30"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29257f80000"
              },
              {
                "name": "SectionOffset",
                "value": "0xf09ddfb7a0"
              },
              {
                "name": "ViewSize",
                "value": "0x013c0000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 17171
          },
          {
            "timestamp": "2026-05-28 22:01:58,803",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a30"
              }
            ],
            "repeated": 0,
            "id": 17172
          },
          {
            "timestamp": "2026-05-28 22:01:58,803",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "misc",
            "api": "FindResourceExW",
            "status": true,
            "return": "0x29257fa2e40",
            "arguments": [
              {
                "name": "Module",
                "value": "0x292544f0002"
              },
              {
                "name": "Type",
                "value": "#14"
              },
              {
                "name": "Name",
                "value": "#15"
              },
              {
                "name": "Language",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 17173
          },
          {
            "timestamp": "2026-05-28 22:01:58,803",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "misc",
            "api": "LoadResource",
            "status": true,
            "return": "0x29258016950",
            "arguments": [
              {
                "name": "Module",
                "value": "0x292544f0002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29257fa2e40"
              }
            ],
            "repeated": 0,
            "id": 17174
          },
          {
            "timestamp": "2026-05-28 22:01:58,803",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "misc",
            "api": "FindResourceExW",
            "status": true,
            "return": "0x29257f98940",
            "arguments": [
              {
                "name": "Module",
                "value": "0x292544f0002"
              },
              {
                "name": "Type",
                "value": "#3"
              },
              {
                "name": "Name",
                "value": "#63"
              },
              {
                "name": "Language",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 17175
          },
          {
            "timestamp": "2026-05-28 22:01:58,803",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "misc",
            "api": "SizeofResource",
            "status": true,
            "return": "0x00000468",
            "arguments": [
              {
                "name": "ModuleHandle",
                "value": "0x292544f0002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29257f98940"
              }
            ],
            "repeated": 0,
            "id": 17176
          },
          {
            "timestamp": "2026-05-28 22:01:58,803",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "misc",
            "api": "LoadResource",
            "status": true,
            "return": "0x292580164e8",
            "arguments": [
              {
                "name": "Module",
                "value": "0x292544f0002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29257f98940"
              }
            ],
            "repeated": 0,
            "id": 17177
          },
          {
            "timestamp": "2026-05-28 22:01:58,803",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29257f80000"
              },
              {
                "name": "RegionSize",
                "value": "0x013c0000"
              }
            ],
            "repeated": 0,
            "id": 17178
          },
          {
            "timestamp": "2026-05-28 22:01:58,803",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a50"
              }
            ],
            "repeated": 0,
            "id": 17179
          },
          {
            "timestamp": "2026-05-28 22:01:58,803",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254500000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              }
            ],
            "repeated": 0,
            "id": 17180
          },
          {
            "timestamp": "2026-05-28 22:01:58,803",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000007d4"
              }
            ],
            "repeated": 0,
            "id": 17181
          },
          {
            "timestamp": "2026-05-28 22:01:58,803",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x292544f0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00003000"
              }
            ],
            "repeated": 0,
            "id": 17182
          },
          {
            "timestamp": "2026-05-28 22:01:58,803",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29255760002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\System32\\smartscreen.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 17183
          },
          {
            "timestamp": "2026-05-28 22:01:58,803",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "registry",
            "api": "NtOpenKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\en-US"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\en-US"
              }
            ],
            "repeated": 0,
            "id": 17184
          },
          {
            "timestamp": "2026-05-28 22:01:58,803",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000007d4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100001",
                "pretty_value": "FILE_READ_ACCESS|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\en-US\\smartscreen.exe.mui"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 17185
          },
          {
            "timestamp": "2026-05-28 22:01:58,803",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000a50"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x000007d4"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\en-US\\smartscreen.exe.mui"
              }
            ],
            "repeated": 0,
            "id": 17186
          },
          {
            "timestamp": "2026-05-28 22:01:58,803",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000a50"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x292544f0000"
              },
              {
                "name": "SectionOffset",
                "value": "0xf09ddfcf90"
              },
              {
                "name": "ViewSize",
                "value": "0x00004000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 17187
          },
          {
            "timestamp": "2026-05-28 22:01:58,803",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a50"
              }
            ],
            "repeated": 0,
            "id": 17188
          },
          {
            "timestamp": "2026-05-28 22:01:58,803",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x292544f0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 17189
          },
          {
            "timestamp": "2026-05-28 22:01:58,803",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000007d4"
              }
            ],
            "repeated": 0,
            "id": 17190
          },
          {
            "timestamp": "2026-05-28 22:01:58,803",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29255760000"
              },
              {
                "name": "RegionSize",
                "value": "0x0024b000"
              }
            ],
            "repeated": 0,
            "id": 17191
          },
          {
            "timestamp": "2026-05-28 22:01:58,803",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29255760002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\System32\\smartscreen.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 17192
          },
          {
            "timestamp": "2026-05-28 22:01:58,803",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "registry",
            "api": "NtOpenKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\en-US"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\en-US"
              }
            ],
            "repeated": 0,
            "id": 17193
          },
          {
            "timestamp": "2026-05-28 22:01:58,803",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000007d4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100001",
                "pretty_value": "FILE_READ_ACCESS|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\en-US\\smartscreen.exe.mui"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 17194
          },
          {
            "timestamp": "2026-05-28 22:01:58,803",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000a50"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x000007d4"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\en-US\\smartscreen.exe.mui"
              }
            ],
            "repeated": 0,
            "id": 17195
          },
          {
            "timestamp": "2026-05-28 22:01:58,803",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000a50"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x292544f0000"
              },
              {
                "name": "SectionOffset",
                "value": "0xf09ddfcf80"
              },
              {
                "name": "ViewSize",
                "value": "0x00004000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 17196
          },
          {
            "timestamp": "2026-05-28 22:01:58,803",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a50"
              }
            ],
            "repeated": 0,
            "id": 17197
          },
          {
            "timestamp": "2026-05-28 22:01:58,803",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x292544f0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 17198
          },
          {
            "timestamp": "2026-05-28 22:01:58,803",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000007d4"
              }
            ],
            "repeated": 0,
            "id": 17199
          },
          {
            "timestamp": "2026-05-28 22:01:58,803",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29255760000"
              },
              {
                "name": "RegionSize",
                "value": "0x0024b000"
              }
            ],
            "repeated": 0,
            "id": 17200
          },
          {
            "timestamp": "2026-05-28 22:01:58,803",
            "thread_id": "5448",
            "caller": "0x7ff6c28c3b16",
            "parentcaller": "0x7ff6c28c30e8",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000007d4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000400",
                "pretty_value": "PROCESS_QUERY_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "3280"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\System32\\smartscreen.exe"
              }
            ],
            "repeated": 0,
            "id": 17201
          },
          {
            "timestamp": "2026-05-28 22:01:58,803",
            "thread_id": "5448",
            "caller": "0x7ff6c28c3b8f",
            "parentcaller": "0x7ff6c28c30e8",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000007d4"
              }
            ],
            "repeated": 0,
            "id": 17202
          },
          {
            "timestamp": "2026-05-28 22:01:58,803",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c38f8",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000007d4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001410",
                "pretty_value": "PROCESS_VM_READ|PROCESS_QUERY_INFORMATION|PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "3280"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\System32\\smartscreen.exe"
              }
            ],
            "repeated": 0,
            "id": 17203
          },
          {
            "timestamp": "2026-05-28 22:01:58,803",
            "thread_id": "5448",
            "caller": "0x7ff6c28c53e5",
            "parentcaller": "0x7ff6c28c3945",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000007d4"
              },
              {
                "name": "BaseAddress",
                "value": "0x2140a9d000"
              },
              {
                "name": "Size",
                "value": "0x000007c8"
              },
              {
                "name": "Buffer",
                "value": "\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00y\\xac\\xf7\\x7f\\x00\\x00\\xc0\\xc4\\x13x\\xfc\\x7f\\x00\\x00\\xc0\\x1a\\xeb\\xefd\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xeb\\xefd\\x01\\x00\\x00\\xe0\\xc0\\x13x\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00p\\x003v\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xd5\\xefd\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00@\\xc4\\x13x\\xfc\\x7f\\x00\\x00\\xff\\xff\\xff?\\x00\\x00\\x00\\x00\\x00\\x00\\x15\\xff\\xf3}\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00P\\x07\\x15\\xff\\xf3}\\x00\\x00\\x00\\x00)\\x01\\xf5}\\x00\\x00(\\x02*\\x01\\xf5}\\x00\\x00P\\x06+\\x01\\xf5}\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x80\\x9b\\x07m\\xe8\\xff\\xff\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x00 \\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\x05\\x00\\x00\\x00\\x10\\x00\\x00\\x00@\\xad\\x13x\\xfc\\x7f\\x00\\x00\\x00\\x00)\\xf0d\\x01\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 17204
          },
          {
            "timestamp": "2026-05-28 22:01:58,803",
            "thread_id": "5448",
            "caller": "0x7ff6c28c5414",
            "parentcaller": "0x7ff6c28c3945",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000007d4"
              },
              {
                "name": "BaseAddress",
                "value": "0x164efeb1ac0"
              },
              {
                "name": "Size",
                "value": "0x00000440"
              },
              {
                "name": "Buffer",
                "value": ":\\x07\\x00\\x00:\\x07\\x00\\x00\\x01@\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00(\\x00\\x08\\x02\\x00\\x00\\x00\\x00`&\\xeb\\xefd\\x01\\x00\\x00@\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00F\\x00H\\x00\\x00\\x00\\x00\\x00\\x08!\\xeb\\xefd\\x01\\x00\\x00\\\\x00^\\x00\\x00\\x00\\x00\\x00P!\\xeb\\xefd\\x01\\x00\\x00\\xe0%\\xf6\\xefd\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x80\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00F\\x00H\\x00\\x00\\x00\\x00\\x00\\xae!\\xeb\\xefd\\x01\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\xf6!\\xeb\\xefd\\x01\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\xf8!\\xeb\\xefd\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 17205
          },
          {
            "timestamp": "2026-05-28 22:01:58,803",
            "thread_id": "5448",
            "caller": "0x7ff6c28c545d",
            "parentcaller": "0x7ff6c28c3945",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000007d4"
              },
              {
                "name": "BaseAddress",
                "value": "0x164efeb2150"
              },
              {
                "name": "Size",
                "value": "0x0000005c"
              },
              {
                "name": "Buffer",
                "value": "C\\x00:\\x00\\\\x00W\\x00i\\x00n\\x00d\\x00o\\x00w\\x00s\\x00\\\\x00S\\x00y\\x00s\\x00t\\x00e\\x00m\\x003\\x002\\x00\\\\x00s\\x00m\\x00a\\x00r\\x00t\\x00s\\x00c\\x00r\\x00e\\x00e\\x00n\\x00.\\x00e\\x00x\\x00e\\x00 \\x00-\\x00E\\x00m\\x00b\\x00e\\x00d\\x00d\\x00i\\x00n\\x00g\\x00"
              }
            ],
            "repeated": 0,
            "id": 17206
          },
          {
            "timestamp": "2026-05-28 22:01:58,803",
            "thread_id": "5448",
            "caller": "0x7ff6c28c39ad",
            "parentcaller": "0x7ff6c28c31bb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000007d4"
              }
            ],
            "repeated": 0,
            "id": 17207
          },
          {
            "timestamp": "2026-05-28 22:01:58,803",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c3746",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000007d4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001000",
                "pretty_value": "PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "3280"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\System32\\smartscreen.exe"
              }
            ],
            "repeated": 0,
            "id": 17208
          },
          {
            "timestamp": "2026-05-28 22:01:58,803",
            "thread_id": "5448",
            "caller": "0x7ff6c28c472e",
            "parentcaller": "0x7ff6c28c375e",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000007d4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x00000a50"
              }
            ],
            "repeated": 0,
            "id": 17209
          },
          {
            "timestamp": "2026-05-28 22:01:58,803",
            "thread_id": "5448",
            "caller": "0x7ff6c28c4764",
            "parentcaller": "0x7ff6c28c375e",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "39"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 17210
          },
          {
            "timestamp": "2026-05-28 22:01:58,803",
            "thread_id": "5448",
            "caller": "0x7ff6c28c47ed",
            "parentcaller": "0x7ff6c28c375e",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "39"
              },
              {
                "name": "TokenInformation",
                "value": "\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\xc0\\xddpT\\x92\\x02\\x00\\x00 \\x00 \\x00\\x00\\x00\\x00\\x00\\xe8\\xddpT\\x92\\x02\\x00\\x00\\x02\\x00\\x00\\x00A\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x08\\xdepT\\x92\\x02\\x00\\x00T\\x00S\\x00A\\x00:\\x00/\\x00/\\x00P\\x00r\\x00o\\x00c\\x00U\\x00n\\x00i\\x00q\\x00u\\x00e\\x00z\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb9G\\x07\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 17211
          },
          {
            "timestamp": "2026-05-28 22:01:58,803",
            "thread_id": "5448",
            "caller": "0x7ff6c28c488d",
            "parentcaller": "0x7ff6c28c375e",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a50"
              }
            ],
            "repeated": 0,
            "id": 17212
          },
          {
            "timestamp": "2026-05-28 22:01:58,803",
            "thread_id": "5448",
            "caller": "0x7ff6c28c3779",
            "parentcaller": "0x7ff6c28c31c6",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000007d4"
              }
            ],
            "repeated": 0,
            "id": 17213
          },
          {
            "timestamp": "2026-05-28 22:01:58,803",
            "thread_id": "5448",
            "caller": "0x7ff6c28c05ac",
            "parentcaller": "0x7ff6c28bdc11",
            "category": "process",
            "api": "NtOpenProcess",
            "status": false,
            "return": "0xffffffffc0000022",
            "pretty_return": "ACCESS_DENIED",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x2924e26cd50"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001400",
                "pretty_value": "PROCESS_QUERY_INFORMATION|PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "3692"
              }
            ],
            "repeated": 0,
            "id": 17214
          },
          {
            "timestamp": "2026-05-28 22:01:58,803",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c3e56",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000007d4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001000",
                "pretty_value": "PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "3692"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\System32\\SecurityHealthService.exe"
              }
            ],
            "repeated": 0,
            "id": 17215
          },
          {
            "timestamp": "2026-05-28 22:01:58,803",
            "thread_id": "5448",
            "caller": "0x7ff6c28c3ebb",
            "parentcaller": "0x7ff6c28c2d53",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000007d4"
              }
            ],
            "repeated": 0,
            "id": 17216
          },
          {
            "timestamp": "2026-05-28 22:01:58,803",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c3ffc",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000007d4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001000",
                "pretty_value": "PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "3692"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\System32\\SecurityHealthService.exe"
              }
            ],
            "repeated": 0,
            "id": 17217
          },
          {
            "timestamp": "2026-05-28 22:01:58,803",
            "thread_id": "5448",
            "caller": "0x7ff6c28c4224",
            "parentcaller": "0x7ff6c28c2da5",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000007d4"
              }
            ],
            "repeated": 0,
            "id": 17218
          },
          {
            "timestamp": "2026-05-28 22:01:58,803",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000007d4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000400",
                "pretty_value": "PROCESS_QUERY_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "7912"
              }
            ],
            "repeated": 0,
            "id": 17219
          },
          {
            "timestamp": "2026-05-28 22:01:58,803",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x00000a50"
              }
            ],
            "repeated": 0,
            "id": 17220
          },
          {
            "timestamp": "2026-05-28 22:01:58,803",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "`\\xd8\\xdf\\x9d\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\xe9\\x03\\x00\\x00\\xfc\\x7f\\x00\\x00`^\\xe8S\\x92\\x02\\x00\\x00\\xe0\\xde\\xdf\\x9d\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x99\\x00\\x00\\x00\\x00\\x00\\x00\\x00H\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 17221
          },
          {
            "timestamp": "2026-05-28 22:01:58,803",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "synchronization",
            "api": "NtCreateMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a30"
              },
              {
                "name": "MutexName",
                "value": "Global\\C::Users:admin:AppData:Local:Microsoft:Windows:Explorer:iconcache_idx.db!rwReaderRefs"
              },
              {
                "name": "InitialOwner",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 17222
          },
          {
            "timestamp": "2026-05-28 22:01:58,803",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a50"
              }
            ],
            "repeated": 0,
            "id": 17223
          },
          {
            "timestamp": "2026-05-28 22:01:58,803",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000007d4"
              }
            ],
            "repeated": 0,
            "id": 17224
          },
          {
            "timestamp": "2026-05-28 22:01:58,803",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000808"
              },
              {
                "name": "HandleName",
                "value": "C:\\Users\\admin\\AppData\\Local\\Microsoft\\Windows\\Explorer\\iconcache_idx.db"
              },
              {
                "name": "FileInformationClass",
                "value": "5",
                "pretty_value": "FileStandardInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\x00\\x80\\x00\\x00\\x00\\x00\\x00\\x000r\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 17225
          },
          {
            "timestamp": "2026-05-28 22:01:58,803",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a30"
              }
            ],
            "repeated": 0,
            "id": 17226
          },
          {
            "timestamp": "2026-05-28 22:01:58,803",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a30"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000400",
                "pretty_value": "PROCESS_QUERY_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "7912"
              }
            ],
            "repeated": 0,
            "id": 17227
          },
          {
            "timestamp": "2026-05-28 22:01:58,803",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x000007d4"
              }
            ],
            "repeated": 0,
            "id": 17228
          },
          {
            "timestamp": "2026-05-28 22:01:58,803",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "p\\xd8\\xdf\\x9d\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\xe9\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xbc\\x07\\x00\\x00\\x00\\x00\\x00\\x00 \\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x02\\x00\\x00\\x00\\x00\\x00\\x00]\\xddmu\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xea5\\x07Ou\\xc0\\x00\\x00\\xe8\\xf6\\x8eT\\x92\\x02\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 17229
          },
          {
            "timestamp": "2026-05-28 22:01:58,803",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "synchronization",
            "api": "NtCreateMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a50"
              },
              {
                "name": "MutexName",
                "value": "Global\\C::Users:admin:AppData:Local:Microsoft:Windows:Explorer:iconcache_idx.db!rwReaderRefs"
              },
              {
                "name": "InitialOwner",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 17230
          },
          {
            "timestamp": "2026-05-28 22:01:58,803",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000007d4"
              }
            ],
            "repeated": 0,
            "id": 17231
          },
          {
            "timestamp": "2026-05-28 22:01:58,803",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a30"
              }
            ],
            "repeated": 0,
            "id": 17232
          },
          {
            "timestamp": "2026-05-28 22:01:58,803",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a50"
              }
            ],
            "repeated": 0,
            "id": 17233
          },
          {
            "timestamp": "2026-05-28 22:01:58,803",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\securityhealthservice.exe"
              }
            ],
            "repeated": 1,
            "id": 17234
          },
          {
            "timestamp": "2026-05-28 22:01:58,803",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29255760002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "c:\\windows\\system32\\securityhealthservice.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 17235
          },
          {
            "timestamp": "2026-05-28 22:01:58,803",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100001",
                "pretty_value": "FILE_READ_ACCESS|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\SystemResources\\securityhealthservice.exe.mun"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 17236
          },
          {
            "timestamp": "2026-05-28 22:01:58,803",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29255760000"
              },
              {
                "name": "RegionSize",
                "value": "0x000f2000"
              }
            ],
            "repeated": 0,
            "id": 17237
          },
          {
            "timestamp": "2026-05-28 22:01:58,803",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\imageres.dll"
              }
            ],
            "repeated": 1,
            "id": 17238
          },
          {
            "timestamp": "2026-05-28 22:01:58,803",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x292544f0002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\system32\\imageres.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 17239
          },
          {
            "timestamp": "2026-05-28 22:01:58,803",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "registry",
            "api": "NtOpenKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\en-US"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\en-US"
              }
            ],
            "repeated": 0,
            "id": 17240
          },
          {
            "timestamp": "2026-05-28 22:01:58,803",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000a50"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100001",
                "pretty_value": "FILE_READ_ACCESS|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\en-US\\imageres.dll.mui"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 17241
          },
          {
            "timestamp": "2026-05-28 22:01:58,803",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000a30"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000a50"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\en-US\\imageres.dll.mui"
              }
            ],
            "repeated": 0,
            "id": 17242
          },
          {
            "timestamp": "2026-05-28 22:01:58,803",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000a30"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254500000"
              },
              {
                "name": "SectionOffset",
                "value": "0xf09ddfb7f0"
              },
              {
                "name": "ViewSize",
                "value": "0x00001000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 17243
          },
          {
            "timestamp": "2026-05-28 22:01:58,803",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a30"
              }
            ],
            "repeated": 0,
            "id": 17244
          },
          {
            "timestamp": "2026-05-28 22:01:58,803",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000a30"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100001",
                "pretty_value": "FILE_READ_ACCESS|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\SystemResources\\imageres.dll.mun"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 17245
          },
          {
            "timestamp": "2026-05-28 22:01:58,803",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x000007d4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000a30"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\SystemResources\\imageres.dll.mun"
              }
            ],
            "repeated": 0,
            "id": 17246
          },
          {
            "timestamp": "2026-05-28 22:01:58,803",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x000007d4"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29257f80000"
              },
              {
                "name": "SectionOffset",
                "value": "0xf09ddfb7a0"
              },
              {
                "name": "ViewSize",
                "value": "0x013c0000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 17247
          },
          {
            "timestamp": "2026-05-28 22:01:58,803",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000007d4"
              }
            ],
            "repeated": 0,
            "id": 17248
          },
          {
            "timestamp": "2026-05-28 22:01:58,803",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "misc",
            "api": "FindResourceExW",
            "status": true,
            "return": "0x29257fa2e40",
            "arguments": [
              {
                "name": "Module",
                "value": "0x292544f0002"
              },
              {
                "name": "Type",
                "value": "#14"
              },
              {
                "name": "Name",
                "value": "#15"
              },
              {
                "name": "Language",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 17249
          },
          {
            "timestamp": "2026-05-28 22:01:58,803",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "misc",
            "api": "LoadResource",
            "status": true,
            "return": "0x29258016950",
            "arguments": [
              {
                "name": "Module",
                "value": "0x292544f0002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29257fa2e40"
              }
            ],
            "repeated": 0,
            "id": 17250
          },
          {
            "timestamp": "2026-05-28 22:01:58,803",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "misc",
            "api": "FindResourceExW",
            "status": true,
            "return": "0x29257f98940",
            "arguments": [
              {
                "name": "Module",
                "value": "0x292544f0002"
              },
              {
                "name": "Type",
                "value": "#3"
              },
              {
                "name": "Name",
                "value": "#63"
              },
              {
                "name": "Language",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 17251
          },
          {
            "timestamp": "2026-05-28 22:01:58,803",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "misc",
            "api": "SizeofResource",
            "status": true,
            "return": "0x00000468",
            "arguments": [
              {
                "name": "ModuleHandle",
                "value": "0x292544f0002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29257f98940"
              }
            ],
            "repeated": 0,
            "id": 17252
          },
          {
            "timestamp": "2026-05-28 22:01:58,803",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "misc",
            "api": "LoadResource",
            "status": true,
            "return": "0x292580164e8",
            "arguments": [
              {
                "name": "Module",
                "value": "0x292544f0002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29257f98940"
              }
            ],
            "repeated": 0,
            "id": 17253
          },
          {
            "timestamp": "2026-05-28 22:01:58,803",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29257f80000"
              },
              {
                "name": "RegionSize",
                "value": "0x013c0000"
              }
            ],
            "repeated": 0,
            "id": 17254
          },
          {
            "timestamp": "2026-05-28 22:01:58,803",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a30"
              }
            ],
            "repeated": 0,
            "id": 17255
          },
          {
            "timestamp": "2026-05-28 22:01:58,803",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254500000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              }
            ],
            "repeated": 0,
            "id": 17256
          },
          {
            "timestamp": "2026-05-28 22:01:58,803",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a50"
              }
            ],
            "repeated": 0,
            "id": 17257
          },
          {
            "timestamp": "2026-05-28 22:01:58,803",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x292544f0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00003000"
              }
            ],
            "repeated": 0,
            "id": 17258
          },
          {
            "timestamp": "2026-05-28 22:01:58,803",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29255760002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\System32\\SecurityHealthService.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 17259
          },
          {
            "timestamp": "2026-05-28 22:01:58,803",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29255760000"
              },
              {
                "name": "RegionSize",
                "value": "0x000f2000"
              }
            ],
            "repeated": 0,
            "id": 17260
          },
          {
            "timestamp": "2026-05-28 22:01:58,803",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29255760002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\System32\\SecurityHealthService.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 17261
          },
          {
            "timestamp": "2026-05-28 22:01:58,803",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29255760000"
              },
              {
                "name": "RegionSize",
                "value": "0x000f2000"
              }
            ],
            "repeated": 0,
            "id": 17262
          },
          {
            "timestamp": "2026-05-28 22:01:58,803",
            "thread_id": "5448",
            "caller": "0x7ff6c28c3b16",
            "parentcaller": "0x7ff6c28c30e8",
            "category": "process",
            "api": "NtOpenProcess",
            "status": false,
            "return": "0xffffffffc0000022",
            "pretty_return": "ACCESS_DENIED",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x7ffc77342cd8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000400",
                "pretty_value": "PROCESS_QUERY_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "3692"
              }
            ],
            "repeated": 0,
            "id": 17263
          },
          {
            "timestamp": "2026-05-28 22:01:58,803",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c38f8",
            "category": "process",
            "api": "NtOpenProcess",
            "status": false,
            "return": "0xffffffffc0000022",
            "pretty_return": "ACCESS_DENIED",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x7ffc756dad9e"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001410",
                "pretty_value": "PROCESS_VM_READ|PROCESS_QUERY_INFORMATION|PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "3692"
              }
            ],
            "repeated": 0,
            "id": 17264
          },
          {
            "timestamp": "2026-05-28 22:01:58,803",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c3746",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a50"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001000",
                "pretty_value": "PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "3692"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\System32\\SecurityHealthService.exe"
              }
            ],
            "repeated": 0,
            "id": 17265
          },
          {
            "timestamp": "2026-05-28 22:01:58,803",
            "thread_id": "5448",
            "caller": "0x7ff6c28c472e",
            "parentcaller": "0x7ff6c28c375e",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a50"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x00000a30"
              }
            ],
            "repeated": 0,
            "id": 17266
          },
          {
            "timestamp": "2026-05-28 22:01:58,803",
            "thread_id": "5448",
            "caller": "0x7ff6c28c4764",
            "parentcaller": "0x7ff6c28c375e",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "39"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 17267
          },
          {
            "timestamp": "2026-05-28 22:01:58,803",
            "thread_id": "5448",
            "caller": "0x7ff6c28c47ed",
            "parentcaller": "0x7ff6c28c375e",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "39"
              },
              {
                "name": "TokenInformation",
                "value": "\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\xc0\\xddpT\\x92\\x02\\x00\\x00 \\x00 \\x00\\x00\\x00\\x00\\x00\\xe8\\xddpT\\x92\\x02\\x00\\x00\\x02\\x00\\x00\\x00A\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x08\\xdepT\\x92\\x02\\x00\\x00T\\x00S\\x00A\\x00:\\x00/\\x00/\\x00P\\x00r\\x00o\\x00c\\x00U\\x00n\\x00i\\x00q\\x00u\\x00e\\x00|\\x00\\x00\\x00\\x00\\x00\\x00\\x00|R\\x07\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 17268
          },
          {
            "timestamp": "2026-05-28 22:01:58,803",
            "thread_id": "5448",
            "caller": "0x7ff6c28c488d",
            "parentcaller": "0x7ff6c28c375e",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a30"
              }
            ],
            "repeated": 0,
            "id": 17269
          },
          {
            "timestamp": "2026-05-28 22:01:58,803",
            "thread_id": "5448",
            "caller": "0x7ff6c28c3779",
            "parentcaller": "0x7ff6c28c31c6",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a50"
              }
            ],
            "repeated": 0,
            "id": 17270
          },
          {
            "timestamp": "2026-05-28 22:01:58,803",
            "thread_id": "5448",
            "caller": "0x7ff6c28c05ac",
            "parentcaller": "0x7ff6c28bdc11",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a50"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001400",
                "pretty_value": "PROCESS_QUERY_INFORMATION|PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "6040"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\System32\\conhost.exe"
              }
            ],
            "repeated": 0,
            "id": 17271
          },
          {
            "timestamp": "2026-05-28 22:01:58,803",
            "thread_id": "5448",
            "caller": "0x7ff6c28c068f",
            "parentcaller": "0x7ff6c28bdc11",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a50"
              }
            ],
            "repeated": 0,
            "id": 17272
          },
          {
            "timestamp": "2026-05-28 22:01:58,803",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c3e56",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a50"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001000",
                "pretty_value": "PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "6040"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\System32\\conhost.exe"
              }
            ],
            "repeated": 0,
            "id": 17273
          },
          {
            "timestamp": "2026-05-28 22:01:58,803",
            "thread_id": "5448",
            "caller": "0x7ff6c28c3ebb",
            "parentcaller": "0x7ff6c28c2d53",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a50"
              }
            ],
            "repeated": 0,
            "id": 17274
          },
          {
            "timestamp": "2026-05-28 22:01:58,803",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c3ffc",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a50"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001000",
                "pretty_value": "PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "6040"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\System32\\conhost.exe"
              }
            ],
            "repeated": 0,
            "id": 17275
          },
          {
            "timestamp": "2026-05-28 22:01:58,803",
            "thread_id": "5448",
            "caller": "0x7ff6c28c4224",
            "parentcaller": "0x7ff6c28c2da5",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a50"
              }
            ],
            "repeated": 0,
            "id": 17276
          },
          {
            "timestamp": "2026-05-28 22:01:58,803",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a50"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000400",
                "pretty_value": "PROCESS_QUERY_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "7912"
              }
            ],
            "repeated": 0,
            "id": 17277
          },
          {
            "timestamp": "2026-05-28 22:01:58,803",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x00000a30"
              }
            ],
            "repeated": 0,
            "id": 17278
          },
          {
            "timestamp": "2026-05-28 22:01:58,803",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "`\\xd8\\xdf\\x9d\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\xe9\\x03\\x00\\x00\\xfc\\x7f\\x00\\x00`^\\xe8S\\x92\\x02\\x00\\x00\\xe0\\xde\\xdf\\x9d\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x9a\\x00\\x00\\x00\\x00\\x00\\x00\\x00H\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 17279
          },
          {
            "timestamp": "2026-05-28 22:01:58,803",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "synchronization",
            "api": "NtCreateMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a7c"
              },
              {
                "name": "MutexName",
                "value": "Global\\C::Users:admin:AppData:Local:Microsoft:Windows:Explorer:iconcache_idx.db!rwReaderRefs"
              },
              {
                "name": "InitialOwner",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 17280
          },
          {
            "timestamp": "2026-05-28 22:01:58,803",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a30"
              }
            ],
            "repeated": 0,
            "id": 17281
          },
          {
            "timestamp": "2026-05-28 22:01:58,803",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a50"
              }
            ],
            "repeated": 0,
            "id": 17282
          },
          {
            "timestamp": "2026-05-28 22:01:58,803",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000808"
              },
              {
                "name": "HandleName",
                "value": "C:\\Users\\admin\\AppData\\Local\\Microsoft\\Windows\\Explorer\\iconcache_idx.db"
              },
              {
                "name": "FileInformationClass",
                "value": "5",
                "pretty_value": "FileStandardInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\x00\\x80\\x00\\x00\\x00\\x00\\x00\\x000r\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 17283
          },
          {
            "timestamp": "2026-05-28 22:01:58,803",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a50"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000400",
                "pretty_value": "PROCESS_QUERY_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "7912"
              }
            ],
            "repeated": 0,
            "id": 17284
          },
          {
            "timestamp": "2026-05-28 22:01:58,803",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x00000a30"
              }
            ],
            "repeated": 0,
            "id": 17285
          },
          {
            "timestamp": "2026-05-28 22:01:58,803",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": " \\xd9\\xdf\\x9d\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\xe9\\x03\\x00\\x00\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x99\\xdb\\xdf\\x9d\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00T\\x82*_\\xfc\\x7f\\x00\\x004\\x007\\x009\\x009\\x008\\x00\\x00\\x00\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x000\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x98\\xda\\xdf\\x9d\\xf0\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 17286
          },
          {
            "timestamp": "2026-05-28 22:01:58,803",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "synchronization",
            "api": "NtCreateMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a90"
              },
              {
                "name": "MutexName",
                "value": "Global\\C::Users:admin:AppData:Local:Microsoft:Windows:Explorer:iconcache_idx.db!047998"
              },
              {
                "name": "InitialOwner",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 17287
          },
          {
            "timestamp": "2026-05-28 22:01:58,803",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a30"
              }
            ],
            "repeated": 0,
            "id": 17288
          },
          {
            "timestamp": "2026-05-28 22:01:58,803",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a50"
              }
            ],
            "repeated": 0,
            "id": 17289
          },
          {
            "timestamp": "2026-05-28 22:01:58,803",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000a4c"
              },
              {
                "name": "HandleName",
                "value": "C:\\Users\\admin\\AppData\\Local\\Microsoft\\Windows\\Explorer\\iconcache_16.db"
              },
              {
                "name": "FileInformationClass",
                "value": "5",
                "pretty_value": "FileStandardInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 17290
          },
          {
            "timestamp": "2026-05-28 22:01:58,803",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a7c"
              }
            ],
            "repeated": 0,
            "id": 17291
          },
          {
            "timestamp": "2026-05-28 22:01:58,803",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a7c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000400",
                "pretty_value": "PROCESS_QUERY_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "7912"
              }
            ],
            "repeated": 0,
            "id": 17292
          },
          {
            "timestamp": "2026-05-28 22:01:58,803",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x00000a50"
              }
            ],
            "repeated": 0,
            "id": 17293
          },
          {
            "timestamp": "2026-05-28 22:01:58,803",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "0\\xd9\\xdf\\x9d\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\xe9\\x03\\x00\\x00\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xd0\\xd9\\xdf\\x9d\\xf0\\x00\\x00\\x00x\\xdb\\xdf\\x9d\\xf0\\x00\\x00\\x00\\x98y\\xb3T\\x92\\x02\\x00\\x00\\xb0\\xd9\\xdf\\x9d\\xf0\\x00\\x00\\x00\\x00\\xda\\xdf\\x9d\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xf0\\x00\\x00\\x00\\x00\\x00\\xafT\\x92\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00u\\xc0\\x00\\x00\\x00\\x00\\xafT\\x92\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 17294
          },
          {
            "timestamp": "2026-05-28 22:01:58,803",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "synchronization",
            "api": "NtCreateMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a30"
              },
              {
                "name": "MutexName",
                "value": "Global\\C::Users:admin:AppData:Local:Microsoft:Windows:Explorer:iconcache_idx.db!rwReaderRefs"
              },
              {
                "name": "InitialOwner",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 17295
          },
          {
            "timestamp": "2026-05-28 22:01:58,803",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a50"
              }
            ],
            "repeated": 0,
            "id": 17296
          },
          {
            "timestamp": "2026-05-28 22:01:58,803",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a7c"
              }
            ],
            "repeated": 0,
            "id": 17297
          },
          {
            "timestamp": "2026-05-28 22:01:58,803",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a30"
              }
            ],
            "repeated": 0,
            "id": 17298
          },
          {
            "timestamp": "2026-05-28 22:01:58,803",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a90"
              }
            ],
            "repeated": 0,
            "id": 17299
          },
          {
            "timestamp": "2026-05-28 22:01:58,803",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29255760002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\System32\\conhost.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 17300
          },
          {
            "timestamp": "2026-05-28 22:01:58,803",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "registry",
            "api": "NtOpenKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\en-US"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\en-US"
              }
            ],
            "repeated": 0,
            "id": 17301
          },
          {
            "timestamp": "2026-05-28 22:01:58,803",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000a90"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100001",
                "pretty_value": "FILE_READ_ACCESS|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\en-US\\conhost.exe.mui"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 17302
          },
          {
            "timestamp": "2026-05-28 22:01:58,803",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000a30"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000a90"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\en-US\\Conhost.exe.mui"
              }
            ],
            "repeated": 0,
            "id": 17303
          },
          {
            "timestamp": "2026-05-28 22:01:58,803",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000a30"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x292544f0000"
              },
              {
                "name": "SectionOffset",
                "value": "0xf09ddfcf90"
              },
              {
                "name": "ViewSize",
                "value": "0x00001000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 17304
          },
          {
            "timestamp": "2026-05-28 22:01:58,803",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a30"
              }
            ],
            "repeated": 0,
            "id": 17305
          },
          {
            "timestamp": "2026-05-28 22:01:58,803",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x292544f0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              }
            ],
            "repeated": 0,
            "id": 17306
          },
          {
            "timestamp": "2026-05-28 22:01:58,803",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a90"
              }
            ],
            "repeated": 0,
            "id": 17307
          },
          {
            "timestamp": "2026-05-28 22:01:58,803",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29255760000"
              },
              {
                "name": "RegionSize",
                "value": "0x000db000"
              }
            ],
            "repeated": 0,
            "id": 17308
          },
          {
            "timestamp": "2026-05-28 22:01:58,803",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29255760002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\System32\\conhost.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 17309
          },
          {
            "timestamp": "2026-05-28 22:01:58,803",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "registry",
            "api": "NtOpenKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\en-US"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\en-US"
              }
            ],
            "repeated": 0,
            "id": 17310
          },
          {
            "timestamp": "2026-05-28 22:01:58,803",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000a90"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100001",
                "pretty_value": "FILE_READ_ACCESS|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\en-US\\conhost.exe.mui"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 17311
          },
          {
            "timestamp": "2026-05-28 22:01:58,803",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000a30"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000a90"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\en-US\\Conhost.exe.mui"
              }
            ],
            "repeated": 0,
            "id": 17312
          },
          {
            "timestamp": "2026-05-28 22:01:58,803",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000a30"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x292544f0000"
              },
              {
                "name": "SectionOffset",
                "value": "0xf09ddfcf80"
              },
              {
                "name": "ViewSize",
                "value": "0x00001000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 17313
          },
          {
            "timestamp": "2026-05-28 22:01:58,803",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a30"
              }
            ],
            "repeated": 0,
            "id": 17314
          },
          {
            "timestamp": "2026-05-28 22:01:58,803",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x292544f0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              }
            ],
            "repeated": 0,
            "id": 17315
          },
          {
            "timestamp": "2026-05-28 22:01:58,803",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a90"
              }
            ],
            "repeated": 0,
            "id": 17316
          },
          {
            "timestamp": "2026-05-28 22:01:58,803",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29255760000"
              },
              {
                "name": "RegionSize",
                "value": "0x000db000"
              }
            ],
            "repeated": 0,
            "id": 17317
          },
          {
            "timestamp": "2026-05-28 22:01:58,803",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c38f8",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a90"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001410",
                "pretty_value": "PROCESS_VM_READ|PROCESS_QUERY_INFORMATION|PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "6040"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\System32\\conhost.exe"
              }
            ],
            "repeated": 0,
            "id": 17318
          },
          {
            "timestamp": "2026-05-28 22:01:58,803",
            "thread_id": "5448",
            "caller": "0x7ff6c28c53e5",
            "parentcaller": "0x7ff6c28c3945",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a90"
              },
              {
                "name": "BaseAddress",
                "value": "0x31ad61b000"
              },
              {
                "name": "Size",
                "value": "0x000007c8"
              },
              {
                "name": "Buffer",
                "value": "\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\x88\\x99\\xf7\\x7f\\x00\\x00\\xc0\\xc4\\x13x\\xfc\\x7f\\x00\\x00p\\x1c\\xc9oT\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xc9oT\\x01\\x00\\x00\\xe0\\xc0\\x13x\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00p\\x003v\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xc5oT\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00@\\xc4\\x13x\\xfc\\x7f\\x00\\x00\\xff\\xff\\xff\\x0f\\x00\\x00\\x00\\x00\\x00\\x00\\xa8E\\xf4}\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00P\\x07\\xa8E\\xf4}\\x00\\x00\\x00\\x00\\xbcG\\xf5}\\x00\\x00(\\x02\\xbdG\\xf5}\\x00\\x00P\\x06\\xbeG\\xf5}\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x80\\x9b\\x07m\\xe8\\xff\\xff\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x00 \\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x10\\x00\\x00\\x00@\\xad\\x13x\\xfc\\x7f\\x00\\x00\\x00\\x00\\x16pT\\x01\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 17319
          },
          {
            "timestamp": "2026-05-28 22:01:58,803",
            "thread_id": "5448",
            "caller": "0x7ff6c28c5414",
            "parentcaller": "0x7ff6c28c3945",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a90"
              },
              {
                "name": "BaseAddress",
                "value": "0x1546fc91c70"
              },
              {
                "name": "Size",
                "value": "0x00000440"
              },
              {
                "name": "Buffer",
                "value": "$\\x07\\x00\\x00$\\x07\\x00\\x00\\x01@\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x16\\x00\\x08\\x02\\x00\\x00\\x00\\x00\\xf0'\\xc9oT\\x01\\x00\\x00D\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00>\\x00@\\x00\\x00\\x00\\x00\\x00\\xc0\"\\xc9oT\\x01\\x00\\x00N\\x00P\\x00\\x00\\x00\\x00\\x00\\x00#\\xc9oT\\x01\\x00\\x00\\xe0\\x0f\\xc9oT\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00p#\\xc9oT\\x01\\x00\\x00\\x1e\\x00 \\x00\\x00\\x00\\x00\\x00r#\\xc9oT\\x01\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x92#\\xc9oT\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 17320
          },
          {
            "timestamp": "2026-05-28 22:01:58,803",
            "thread_id": "5448",
            "caller": "0x7ff6c28c545d",
            "parentcaller": "0x7ff6c28c3945",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a90"
              },
              {
                "name": "BaseAddress",
                "value": "0x1546fc92300"
              },
              {
                "name": "Size",
                "value": "0x0000004e"
              },
              {
                "name": "Buffer",
                "value": "\\\\x00?\\x00?\\x00\\\\x00C\\x00:\\x00\\\\x00W\\x00i\\x00n\\x00d\\x00o\\x00w\\x00s\\x00\\\\x00s\\x00y\\x00s\\x00t\\x00e\\x00m\\x003\\x002\\x00\\\\x00c\\x00o\\x00n\\x00h\\x00o\\x00s\\x00t\\x00.\\x00e\\x00x\\x00e\\x00 \\x000\\x00x\\x004\\x00"
              }
            ],
            "repeated": 0,
            "id": 17321
          },
          {
            "timestamp": "2026-05-28 22:01:58,803",
            "thread_id": "5448",
            "caller": "0x7ff6c28c39ad",
            "parentcaller": "0x7ff6c28c31bb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a90"
              }
            ],
            "repeated": 0,
            "id": 17322
          },
          {
            "timestamp": "2026-05-28 22:01:58,803",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c3746",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a90"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001000",
                "pretty_value": "PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "6040"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\System32\\conhost.exe"
              }
            ],
            "repeated": 0,
            "id": 17323
          },
          {
            "timestamp": "2026-05-28 22:01:58,803",
            "thread_id": "5448",
            "caller": "0x7ff6c28c472e",
            "parentcaller": "0x7ff6c28c375e",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a90"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x00000a30"
              }
            ],
            "repeated": 0,
            "id": 17324
          },
          {
            "timestamp": "2026-05-28 22:01:58,803",
            "thread_id": "5448",
            "caller": "0x7ff6c28c4764",
            "parentcaller": "0x7ff6c28c375e",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "39"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 17325
          },
          {
            "timestamp": "2026-05-28 22:01:58,803",
            "thread_id": "5448",
            "caller": "0x7ff6c28c47ed",
            "parentcaller": "0x7ff6c28c375e",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "39"
              },
              {
                "name": "TokenInformation",
                "value": "\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\xc0\\xddpT\\x92\\x02\\x00\\x00 \\x00 \\x00\\x00\\x00\\x00\\x00\\xe8\\xddpT\\x92\\x02\\x00\\x00\\x02\\x00\\x00\\x00A\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x08\\xdepT\\x92\\x02\\x00\\x00T\\x00S\\x00A\\x00:\\x00/\\x00/\\x00P\\x00r\\x00o\\x00c\\x00U\\x00n\\x00i\\x00q\\x00u\\x00e\\x00\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x9em\\x07\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 17326
          },
          {
            "timestamp": "2026-05-28 22:01:58,803",
            "thread_id": "5448",
            "caller": "0x7ff6c28c488d",
            "parentcaller": "0x7ff6c28c375e",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a30"
              }
            ],
            "repeated": 0,
            "id": 17327
          },
          {
            "timestamp": "2026-05-28 22:01:58,803",
            "thread_id": "5448",
            "caller": "0x7ff6c28c3779",
            "parentcaller": "0x7ff6c28c31c6",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a90"
              }
            ],
            "repeated": 0,
            "id": 17328
          },
          {
            "timestamp": "2026-05-28 22:01:58,818",
            "thread_id": "5448",
            "caller": "0x7ff6c28c05ac",
            "parentcaller": "0x7ff6c28bdc11",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a90"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001400",
                "pretty_value": "PROCESS_QUERY_INFORMATION|PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "5920"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\System32\\svchost.exe"
              }
            ],
            "repeated": 0,
            "id": 17329
          },
          {
            "timestamp": "2026-05-28 22:01:58,818",
            "thread_id": "5448",
            "caller": "0x7ff6c28c068f",
            "parentcaller": "0x7ff6c28bdc11",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a90"
              }
            ],
            "repeated": 0,
            "id": 17330
          },
          {
            "timestamp": "2026-05-28 22:01:58,818",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c3e56",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a90"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001000",
                "pretty_value": "PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "5920"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\System32\\svchost.exe"
              }
            ],
            "repeated": 0,
            "id": 17331
          },
          {
            "timestamp": "2026-05-28 22:01:58,818",
            "thread_id": "5448",
            "caller": "0x7ff6c28c3ebb",
            "parentcaller": "0x7ff6c28c2d53",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a90"
              }
            ],
            "repeated": 0,
            "id": 17332
          },
          {
            "timestamp": "2026-05-28 22:01:58,818",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c3ffc",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a90"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001000",
                "pretty_value": "PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "5920"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\System32\\svchost.exe"
              }
            ],
            "repeated": 0,
            "id": 17333
          },
          {
            "timestamp": "2026-05-28 22:01:58,818",
            "thread_id": "5448",
            "caller": "0x7ff6c28c4224",
            "parentcaller": "0x7ff6c28c2da5",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a90"
              }
            ],
            "repeated": 0,
            "id": 17334
          },
          {
            "timestamp": "2026-05-28 22:01:58,818",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x292544f0002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\System32\\svchost.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 17335
          },
          {
            "timestamp": "2026-05-28 22:01:58,818",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "registry",
            "api": "NtOpenKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\en-US"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\en-US"
              }
            ],
            "repeated": 0,
            "id": 17336
          },
          {
            "timestamp": "2026-05-28 22:01:58,818",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000a90"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100001",
                "pretty_value": "FILE_READ_ACCESS|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\en-US\\svchost.exe.mui"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 17337
          },
          {
            "timestamp": "2026-05-28 22:01:58,818",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000a7c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000a90"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\en-US\\svchost.exe.mui"
              }
            ],
            "repeated": 0,
            "id": 17338
          },
          {
            "timestamp": "2026-05-28 22:01:58,818",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000a7c"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254500000"
              },
              {
                "name": "SectionOffset",
                "value": "0xf09ddfcf90"
              },
              {
                "name": "ViewSize",
                "value": "0x00001000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 17339
          },
          {
            "timestamp": "2026-05-28 22:01:58,818",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a7c"
              }
            ],
            "repeated": 0,
            "id": 17340
          },
          {
            "timestamp": "2026-05-28 22:01:58,818",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254500000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              }
            ],
            "repeated": 0,
            "id": 17341
          },
          {
            "timestamp": "2026-05-28 22:01:58,818",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a90"
              }
            ],
            "repeated": 0,
            "id": 17342
          },
          {
            "timestamp": "2026-05-28 22:01:58,818",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x292544f0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              }
            ],
            "repeated": 0,
            "id": 17343
          },
          {
            "timestamp": "2026-05-28 22:01:58,818",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x292544f0002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\System32\\svchost.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 17344
          },
          {
            "timestamp": "2026-05-28 22:01:58,818",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "registry",
            "api": "NtOpenKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\en-US"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\en-US"
              }
            ],
            "repeated": 0,
            "id": 17345
          },
          {
            "timestamp": "2026-05-28 22:01:58,818",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000a90"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100001",
                "pretty_value": "FILE_READ_ACCESS|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\en-US\\svchost.exe.mui"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 17346
          },
          {
            "timestamp": "2026-05-28 22:01:58,818",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000a30"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000a90"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\en-US\\svchost.exe.mui"
              }
            ],
            "repeated": 0,
            "id": 17347
          },
          {
            "timestamp": "2026-05-28 22:01:58,818",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000a30"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254500000"
              },
              {
                "name": "SectionOffset",
                "value": "0xf09ddfcf80"
              },
              {
                "name": "ViewSize",
                "value": "0x00001000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 17348
          },
          {
            "timestamp": "2026-05-28 22:01:58,818",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a30"
              }
            ],
            "repeated": 0,
            "id": 17349
          },
          {
            "timestamp": "2026-05-28 22:01:58,818",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254500000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              }
            ],
            "repeated": 0,
            "id": 17350
          },
          {
            "timestamp": "2026-05-28 22:01:58,818",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a90"
              }
            ],
            "repeated": 0,
            "id": 17351
          },
          {
            "timestamp": "2026-05-28 22:01:58,818",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x292544f0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              }
            ],
            "repeated": 0,
            "id": 17352
          },
          {
            "timestamp": "2026-05-28 22:01:58,818",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c38f8",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a90"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001410",
                "pretty_value": "PROCESS_VM_READ|PROCESS_QUERY_INFORMATION|PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "5920"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\System32\\svchost.exe"
              }
            ],
            "repeated": 0,
            "id": 17353
          },
          {
            "timestamp": "2026-05-28 22:01:58,818",
            "thread_id": "5448",
            "caller": "0x7ff6c28c53e5",
            "parentcaller": "0x7ff6c28c3945",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a90"
              },
              {
                "name": "BaseAddress",
                "value": "0x97852c7000"
              },
              {
                "name": "Size",
                "value": "0x000007c8"
              },
              {
                "name": "Buffer",
                "value": "\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x006\\x80\\xf7\\x7f\\x00\\x00\\xc0\\xc4\\x13x\\xfc\\x7f\\x00\\x00p2@\\x9b\\xab\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00$\\x9b\\xab\\x01\\x00\\x00\\xe0\\xc0\\x13x\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00p\\x003v\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x1f\\x9b\\xab\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00@\\xc4\\x13x\\xfc\\x7f\\x00\\x00\\x17\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00!?\\xf4}\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00P\\x07!?\\xf4}\\x00\\x00\\x00\\x005A\\xf5}\\x00\\x00(\\x026A\\xf5}\\x00\\x00P\\x067A\\xf5}\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x80\\x9b\\x07m\\xe8\\xff\\xff\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x00 \\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x10\\x00\\x00\\x00@\\xad\\x13x\\xfc\\x7f\\x00\\x00\\x00\\x00\\x80\\x9b\\xab\\x01\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 17354
          },
          {
            "timestamp": "2026-05-28 22:01:58,818",
            "thread_id": "5448",
            "caller": "0x7ff6c28c5414",
            "parentcaller": "0x7ff6c28c3945",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a90"
              },
              {
                "name": "BaseAddress",
                "value": "0x1ab9b403270"
              },
              {
                "name": "Size",
                "value": "0x00000440"
              },
              {
                "name": "Buffer",
                "value": "t\\x07\\x00\\x00t\\x07\\x00\\x00\\x01 \\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00(\\x00\\x08\\x02\\x00\\x00\\x00\\x00`>@\\x9b\\xab\\x01\\x00\\x00H\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00>\\x00@\\x00\\x00\\x00\\x00\\x00\\xb88@\\x9b\\xab\\x01\\x00\\x00\\xa6\\x00\\xa8\\x00\\x00\\x00\\x00\\x00\\xf88@\\x9b\\xab\\x01\\x00\\x00\\xf0'@\\x9b\\xab\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x80\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00>\\x00@\\x00\\x00\\x00\\x00\\x00\\xa09@\\x9b\\xab\\x01\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\xe09@\\x9b\\xab\\x01\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\xe29@\\x9b\\xab\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 17355
          },
          {
            "timestamp": "2026-05-28 22:01:58,818",
            "thread_id": "5448",
            "caller": "0x7ff6c28c545d",
            "parentcaller": "0x7ff6c28c3945",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a90"
              },
              {
                "name": "BaseAddress",
                "value": "0x1ab9b4038f8"
              },
              {
                "name": "Size",
                "value": "0x000000a6"
              },
              {
                "name": "Buffer",
                "value": "C\\x00:\\x00\\\\x00W\\x00i\\x00n\\x00d\\x00o\\x00w\\x00s\\x00\\\\x00S\\x00y\\x00s\\x00t\\x00e\\x00m\\x003\\x002\\x00\\\\x00s\\x00v\\x00c\\x00h\\x00o\\x00s\\x00t\\x00.\\x00e\\x00x\\x00e\\x00 \\x00-\\x00k\\x00 \\x00L\\x00o\\x00c\\x00a\\x00l\\x00S\\x00y\\x00s\\x00t\\x00e\\x00m\\x00N\\x00e\\x00t\\x00w\\x00o\\x00r\\x00k\\x00R\\x00e\\x00s\\x00t\\x00r\\x00i\\x00c\\x00t\\x00e\\x00d\\x00 \\x00-\\x00p\\x00 \\x00-\\x00s\\x00 \\x00W\\x00d\\x00i\\x00S\\x00y\\x00s\\x00t\\x00e\\x00m\\x00H\\x00o\\x00s\\x00t\\x00"
              }
            ],
            "repeated": 0,
            "id": 17356
          },
          {
            "timestamp": "2026-05-28 22:01:58,818",
            "thread_id": "5448",
            "caller": "0x7ff6c28c39ad",
            "parentcaller": "0x7ff6c28c31bb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a90"
              }
            ],
            "repeated": 0,
            "id": 17357
          },
          {
            "timestamp": "2026-05-28 22:01:58,818",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c3746",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a90"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001000",
                "pretty_value": "PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "5920"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\System32\\svchost.exe"
              }
            ],
            "repeated": 0,
            "id": 17358
          },
          {
            "timestamp": "2026-05-28 22:01:58,818",
            "thread_id": "5448",
            "caller": "0x7ff6c28c472e",
            "parentcaller": "0x7ff6c28c375e",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a90"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x00000a30"
              }
            ],
            "repeated": 0,
            "id": 17359
          },
          {
            "timestamp": "2026-05-28 22:01:58,818",
            "thread_id": "5448",
            "caller": "0x7ff6c28c4764",
            "parentcaller": "0x7ff6c28c375e",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "39"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 17360
          },
          {
            "timestamp": "2026-05-28 22:01:58,818",
            "thread_id": "5448",
            "caller": "0x7ff6c28c47ed",
            "parentcaller": "0x7ff6c28c375e",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "39"
              },
              {
                "name": "TokenInformation",
                "value": "\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\xc0\\xddpT\\x92\\x02\\x00\\x00 \\x00 \\x00\\x00\\x00\\x00\\x00\\xe8\\xddpT\\x92\\x02\\x00\\x00\\x02\\x00\\x00\\x00A\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x08\\xdepT\\x92\\x02\\x00\\x00T\\x00S\\x00A\\x00:\\x00/\\x00/\\x00P\\x00r\\x00o\\x00c\\x00U\\x00n\\x00i\\x00q\\x00u\\x00e\\x00$\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x9b\\x87\\x07\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 17361
          },
          {
            "timestamp": "2026-05-28 22:01:58,818",
            "thread_id": "5448",
            "caller": "0x7ff6c28c488d",
            "parentcaller": "0x7ff6c28c375e",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a30"
              }
            ],
            "repeated": 0,
            "id": 17362
          },
          {
            "timestamp": "2026-05-28 22:01:58,818",
            "thread_id": "5448",
            "caller": "0x7ff6c28c3779",
            "parentcaller": "0x7ff6c28c31c6",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a90"
              }
            ],
            "repeated": 0,
            "id": 17363
          },
          {
            "timestamp": "2026-05-28 22:01:58,818",
            "thread_id": "5448",
            "caller": "0x7ff6c28c05ac",
            "parentcaller": "0x7ff6c28bdc11",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a90"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001400",
                "pretty_value": "PROCESS_QUERY_INFORMATION|PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "3484"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Users\\admin\\AppData\\Local\\Discord\\app-1.0.9238\\Discord.exe"
              }
            ],
            "repeated": 0,
            "id": 17364
          },
          {
            "timestamp": "2026-05-28 22:01:58,818",
            "thread_id": "5448",
            "caller": "0x7ff6c28c068f",
            "parentcaller": "0x7ff6c28bdc11",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a90"
              }
            ],
            "repeated": 0,
            "id": 17365
          },
          {
            "timestamp": "2026-05-28 22:01:58,818",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c3e56",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a90"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001000",
                "pretty_value": "PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "3484"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Users\\admin\\AppData\\Local\\Discord\\app-1.0.9238\\Discord.exe"
              }
            ],
            "repeated": 0,
            "id": 17366
          },
          {
            "timestamp": "2026-05-28 22:01:58,818",
            "thread_id": "5448",
            "caller": "0x7ff6c28c3ebb",
            "parentcaller": "0x7ff6c28c2d53",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a90"
              }
            ],
            "repeated": 0,
            "id": 17367
          },
          {
            "timestamp": "2026-05-28 22:01:58,818",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c3ffc",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a90"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001000",
                "pretty_value": "PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "3484"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Users\\admin\\AppData\\Local\\Discord\\app-1.0.9238\\Discord.exe"
              }
            ],
            "repeated": 0,
            "id": 17368
          },
          {
            "timestamp": "2026-05-28 22:01:58,818",
            "thread_id": "5448",
            "caller": "0x7ff6c28c4224",
            "parentcaller": "0x7ff6c28c2da5",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a90"
              }
            ],
            "repeated": 0,
            "id": 17369
          },
          {
            "timestamp": "2026-05-28 22:01:58,818",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29257f80002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Users\\admin\\AppData\\Local\\Discord\\app-1.0.9238\\Discord.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 17370
          },
          {
            "timestamp": "2026-05-28 22:01:58,818",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29257f80000"
              },
              {
                "name": "RegionSize",
                "value": "0x0be3b000"
              }
            ],
            "repeated": 0,
            "id": 17371
          },
          {
            "timestamp": "2026-05-28 22:01:58,818",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29257f80002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Users\\admin\\AppData\\Local\\Discord\\app-1.0.9238\\Discord.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 17372
          },
          {
            "timestamp": "2026-05-28 22:01:58,818",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29257f80000"
              },
              {
                "name": "RegionSize",
                "value": "0x0be3b000"
              }
            ],
            "repeated": 0,
            "id": 17373
          },
          {
            "timestamp": "2026-05-28 22:01:58,818",
            "thread_id": "5448",
            "caller": "0x7ff6c28c3b16",
            "parentcaller": "0x7ff6c28c30e8",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a90"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000400",
                "pretty_value": "PROCESS_QUERY_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "3484"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Users\\admin\\AppData\\Local\\Discord\\app-1.0.9238\\Discord.exe"
              }
            ],
            "repeated": 0,
            "id": 17374
          },
          {
            "timestamp": "2026-05-28 22:01:58,818",
            "thread_id": "5448",
            "caller": "0x7ff6c28c3b8f",
            "parentcaller": "0x7ff6c28c30e8",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a90"
              }
            ],
            "repeated": 0,
            "id": 17375
          },
          {
            "timestamp": "2026-05-28 22:01:58,818",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c38f8",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a90"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001410",
                "pretty_value": "PROCESS_VM_READ|PROCESS_QUERY_INFORMATION|PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "3484"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Users\\admin\\AppData\\Local\\Discord\\app-1.0.9238\\Discord.exe"
              }
            ],
            "repeated": 0,
            "id": 17376
          },
          {
            "timestamp": "2026-05-28 22:01:58,818",
            "thread_id": "5448",
            "caller": "0x7ff6c28c53e5",
            "parentcaller": "0x7ff6c28c3945",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a90"
              },
              {
                "name": "BaseAddress",
                "value": "0xb02e87d000"
              },
              {
                "name": "Size",
                "value": "0x000007c8"
              },
              {
                "name": "Buffer",
                "value": "\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\x86\\xb1\\xf6\\x7f\\x00\\x00\\xc0\\xc4\\x13x\\xfc\\x7f\\x00\\x00\\x00\\x1c\\xa1\\x86r\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xa1\\x86r\\x02\\x00\\x00\\xe0\\xc0\\x13x\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00p\\x003v\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x99\\x86r\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00@\\xc4\\x13x\\xfc\\x7f\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\x00[\\xd3\\xf4}\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00P\\x07[\\xd3\\xf4}\\x00\\x00\\x00\\x00o\\xd5\\xf5}\\x00\\x00(\\x02p\\xd5\\xf5}\\x00\\x00P\\x06q\\xd5\\xf5}\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x80\\x9b\\x07m\\xe8\\xff\\xff\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x00 \\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\x06\\x00\\x00\\x00\\x10\\x00\\x00\\x00@\\xad\\x13x\\xfc\\x7f\\x00\\x00\\x00\\x00\\xf9\\x86r\\x02\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 17377
          },
          {
            "timestamp": "2026-05-28 22:01:58,818",
            "thread_id": "5448",
            "caller": "0x7ff6c28c5414",
            "parentcaller": "0x7ff6c28c3945",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a90"
              },
              {
                "name": "BaseAddress",
                "value": "0x27286a11c00"
              },
              {
                "name": "Size",
                "value": "0x00000440"
              },
              {
                "name": "Buffer",
                "value": "\\xe4\\x07\\x00\\x00\\xe4\\x07\\x00\\x00\\x01`\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00d\\x00\\x08\\x02\\x00\\x00\\x00\\x00@(\\xa1\\x86r\\x02\\x00\\x00@\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00z\\x00|\\x00\\x00\\x00\\x00\\x00H\"\\xa1\\x86r\\x02\\x00\\x00\\x80\\x00\\x82\\x00\\x00\\x00\\x00\\x00\\xc4\"\\xa1\\x86r\\x02\\x00\\x00P\\xf3\\xa6\\x86r\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01P\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x008\\x00:\\x00\\x00\\x00\\x00\\x00 e\\xa6\\x86r\\x02\\x00\\x00\\x1e\\x00 \\x00\\x00\\x00\\x00\\x00\\xc2#\\xa1\\x86r\\x02\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\xe2#\\xa1\\x86r\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 17378
          },
          {
            "timestamp": "2026-05-28 22:01:58,818",
            "thread_id": "5448",
            "caller": "0x7ff6c28c545d",
            "parentcaller": "0x7ff6c28c3945",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a90"
              },
              {
                "name": "BaseAddress",
                "value": "0x27286a122c4"
              },
              {
                "name": "Size",
                "value": "0x00000080"
              },
              {
                "name": "Buffer",
                "value": "\"\\x00C\\x00:\\x00\\\\x00U\\x00s\\x00e\\x00r\\x00s\\x00\\\\x00a\\x00d\\x00m\\x00i\\x00n\\x00\\\\x00A\\x00p\\x00p\\x00D\\x00a\\x00t\\x00a\\x00\\\\x00L\\x00o\\x00c\\x00a\\x00l\\x00\\\\x00D\\x00i\\x00s\\x00c\\x00o\\x00r\\x00d\\x00\\\\x00a\\x00p\\x00p\\x00-\\x001\\x00.\\x000\\x00.\\x009\\x002\\x003\\x008\\x00\\\\x00D\\x00i\\x00s\\x00c\\x00o\\x00r\\x00d\\x00.\\x00e\\x00x\\x00e\\x00\"\\x00 \\x00"
              }
            ],
            "repeated": 0,
            "id": 17379
          },
          {
            "timestamp": "2026-05-28 22:01:58,818",
            "thread_id": "5448",
            "caller": "0x7ff6c28c39ad",
            "parentcaller": "0x7ff6c28c31bb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a90"
              }
            ],
            "repeated": 0,
            "id": 17380
          },
          {
            "timestamp": "2026-05-28 22:01:58,818",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c3746",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a90"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001000",
                "pretty_value": "PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "3484"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Users\\admin\\AppData\\Local\\Discord\\app-1.0.9238\\Discord.exe"
              }
            ],
            "repeated": 0,
            "id": 17381
          },
          {
            "timestamp": "2026-05-28 22:01:58,818",
            "thread_id": "5448",
            "caller": "0x7ff6c28c472e",
            "parentcaller": "0x7ff6c28c375e",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a90"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x00000a30"
              }
            ],
            "repeated": 0,
            "id": 17382
          },
          {
            "timestamp": "2026-05-28 22:01:58,818",
            "thread_id": "5448",
            "caller": "0x7ff6c28c4764",
            "parentcaller": "0x7ff6c28c375e",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "39"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 17383
          },
          {
            "timestamp": "2026-05-28 22:01:58,818",
            "thread_id": "5448",
            "caller": "0x7ff6c28c47ed",
            "parentcaller": "0x7ff6c28c375e",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "39"
              },
              {
                "name": "TokenInformation",
                "value": "\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\xc0\\xddpT\\x92\\x02\\x00\\x00 \\x00 \\x00\\x00\\x00\\x00\\x00\\xe8\\xddpT\\x92\\x02\\x00\\x00\\x02\\x00\\x00\\x00A\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x08\\xdepT\\x92\\x02\\x00\\x00T\\x00S\\x00A\\x00:\\x00/\\x00/\\x00P\\x00r\\x00o\\x00c\\x00U\\x00n\\x00i\\x00q\\x00u\\x00e\\x00>\\x00\\x00\\x00\\x00\\x00\\x00\\x00+\\xd3\\x07\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 17384
          },
          {
            "timestamp": "2026-05-28 22:01:58,818",
            "thread_id": "5448",
            "caller": "0x7ff6c28c488d",
            "parentcaller": "0x7ff6c28c375e",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a30"
              }
            ],
            "repeated": 0,
            "id": 17385
          },
          {
            "timestamp": "2026-05-28 22:01:58,818",
            "thread_id": "5448",
            "caller": "0x7ff6c28c3779",
            "parentcaller": "0x7ff6c28c31c6",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a90"
              }
            ],
            "repeated": 0,
            "id": 17386
          },
          {
            "timestamp": "2026-05-28 22:01:58,818",
            "thread_id": "5448",
            "caller": "0x7ff6c28c05ac",
            "parentcaller": "0x7ff6c28bdc11",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a90"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001400",
                "pretty_value": "PROCESS_QUERY_INFORMATION|PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "3344"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Users\\admin\\AppData\\Local\\Discord\\app-1.0.9238\\Discord.exe"
              }
            ],
            "repeated": 0,
            "id": 17387
          },
          {
            "timestamp": "2026-05-28 22:01:58,818",
            "thread_id": "5448",
            "caller": "0x7ff6c28c068f",
            "parentcaller": "0x7ff6c28bdc11",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a90"
              }
            ],
            "repeated": 0,
            "id": 17388
          },
          {
            "timestamp": "2026-05-28 22:01:58,818",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c3e56",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a90"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001000",
                "pretty_value": "PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "3344"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Users\\admin\\AppData\\Local\\Discord\\app-1.0.9238\\Discord.exe"
              }
            ],
            "repeated": 0,
            "id": 17389
          },
          {
            "timestamp": "2026-05-28 22:01:58,818",
            "thread_id": "5448",
            "caller": "0x7ff6c28c3ebb",
            "parentcaller": "0x7ff6c28c2d53",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a90"
              }
            ],
            "repeated": 0,
            "id": 17390
          },
          {
            "timestamp": "2026-05-28 22:01:58,818",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c3ffc",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a90"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001000",
                "pretty_value": "PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "3344"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Users\\admin\\AppData\\Local\\Discord\\app-1.0.9238\\Discord.exe"
              }
            ],
            "repeated": 0,
            "id": 17391
          },
          {
            "timestamp": "2026-05-28 22:01:58,818",
            "thread_id": "5448",
            "caller": "0x7ff6c28c4224",
            "parentcaller": "0x7ff6c28c2da5",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a90"
              }
            ],
            "repeated": 0,
            "id": 17392
          },
          {
            "timestamp": "2026-05-28 22:01:58,818",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29257f80002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Users\\admin\\AppData\\Local\\Discord\\app-1.0.9238\\Discord.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 17393
          },
          {
            "timestamp": "2026-05-28 22:01:58,818",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29257f80000"
              },
              {
                "name": "RegionSize",
                "value": "0x0be3b000"
              }
            ],
            "repeated": 0,
            "id": 17394
          },
          {
            "timestamp": "2026-05-28 22:01:58,818",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29257f80002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Users\\admin\\AppData\\Local\\Discord\\app-1.0.9238\\Discord.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 17395
          },
          {
            "timestamp": "2026-05-28 22:01:58,818",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29257f80000"
              },
              {
                "name": "RegionSize",
                "value": "0x0be3b000"
              }
            ],
            "repeated": 0,
            "id": 17396
          },
          {
            "timestamp": "2026-05-28 22:01:58,818",
            "thread_id": "5448",
            "caller": "0x7ff6c28c3b16",
            "parentcaller": "0x7ff6c28c30e8",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a90"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000400",
                "pretty_value": "PROCESS_QUERY_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "3344"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Users\\admin\\AppData\\Local\\Discord\\app-1.0.9238\\Discord.exe"
              }
            ],
            "repeated": 0,
            "id": 17397
          },
          {
            "timestamp": "2026-05-28 22:01:58,818",
            "thread_id": "5448",
            "caller": "0x7ff6c28c3b8f",
            "parentcaller": "0x7ff6c28c30e8",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a90"
              }
            ],
            "repeated": 0,
            "id": 17398
          },
          {
            "timestamp": "2026-05-28 22:01:58,818",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c38f8",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a90"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001410",
                "pretty_value": "PROCESS_VM_READ|PROCESS_QUERY_INFORMATION|PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "3344"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Users\\admin\\AppData\\Local\\Discord\\app-1.0.9238\\Discord.exe"
              }
            ],
            "repeated": 0,
            "id": 17399
          },
          {
            "timestamp": "2026-05-28 22:01:58,818",
            "thread_id": "5448",
            "caller": "0x7ff6c28c53e5",
            "parentcaller": "0x7ff6c28c3945",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a90"
              },
              {
                "name": "BaseAddress",
                "value": "0xf6fbc75000"
              },
              {
                "name": "Size",
                "value": "0x000007c8"
              },
              {
                "name": "Buffer",
                "value": "\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\x86\\xb1\\xf6\\x7f\\x00\\x00\\xc0\\xc4\\x13x\\xfc\\x7f\\x00\\x00\\x00\\x1c\\xeb\\xddG\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xeb\\xddG\\x02\\x00\\x00\\xe0\\xc0\\x13x\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00p\\x003v\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xd7\\xddG\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00@\\xc4\\x13x\\xfc\\x7f\\x00\\x00\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x00\\x00\\x00#\\xd9\\xf4}\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00P\\x07#\\xd9\\xf4}\\x00\\x00\\x00\\x007\\xdb\\xf5}\\x00\\x00(\\x028\\xdb\\xf5}\\x00\\x00P\\x069\\xdb\\xf5}\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x80\\x9b\\x07m\\xe8\\xff\\xff\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x00 \\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x10\\x00\\x00\\x00@\\xad\\x13x\\xfc\\x7f\\x00\\x00\\x00\\x00\\xfe\\xddG\\x02\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 17400
          },
          {
            "timestamp": "2026-05-28 22:01:58,818",
            "thread_id": "5448",
            "caller": "0x7ff6c28c5414",
            "parentcaller": "0x7ff6c28c3945",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a90"
              },
              {
                "name": "BaseAddress",
                "value": "0x247ddeb1c00"
              },
              {
                "name": "Size",
                "value": "0x00000440"
              },
              {
                "name": "Buffer",
                "value": "\\x92\\x0b\\x00\\x00\\x92\\x0b\\x00\\x00\\x01`\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00d\\x00\\x08\\x02\\x00\\x00\\x00\\x00\\xf0+\\xeb\\xddG\\x02\\x00\\x00@\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00z\\x00|\\x00\\x00\\x00\\x00\\x00H\"\\xeb\\xddG\\x02\\x00\\x00.\\x040\\x04\\x00\\x00\\x00\\x00\\xc4\"\\xeb\\xddG\\x02\\x00\\x00\\xe0\\x0f\\xeb\\xddG\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x80\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00z\\x00|\\x00\\x00\\x00\\x00\\x00\\xf4&\\xeb\\xddG\\x02\\x00\\x00\\x1e\\x00 \\x00\\x00\\x00\\x00\\x00p'\\xeb\\xddG\\x02\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x90'\\xeb\\xddG\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 17401
          },
          {
            "timestamp": "2026-05-28 22:01:58,818",
            "thread_id": "5448",
            "caller": "0x7ff6c28c545d",
            "parentcaller": "0x7ff6c28c3945",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a90"
              },
              {
                "name": "BaseAddress",
                "value": "0x247ddeb22c4"
              },
              {
                "name": "Size",
                "value": "0x0000042e"
              },
              {
                "name": "Buffer",
                "value": "C\\x00:\\x00\\\\x00U\\x00s\\x00e\\x00r\\x00s\\x00\\\\x00a\\x00d\\x00m\\x00i\\x00n\\x00\\\\x00A\\x00p\\x00p\\x00D\\x00a\\x00t\\x00a\\x00\\\\x00L\\x00o\\x00c\\x00a\\x00l\\x00\\\\x00D\\x00i\\x00s\\x00c\\x00o\\x00r\\x00d\\x00\\\\x00a\\x00p\\x00p\\x00-\\x001\\x00.\\x000\\x00.\\x009\\x002\\x003\\x008\\x00\\\\x00D\\x00i\\x00s\\x00c\\x00o\\x00r\\x00d\\x00.\\x00e\\x00x\\x00e\\x00 \\x00-\\x00-\\x00t\\x00y\\x00p\\x00e\\x00=\\x00c\\x00r\\x00a\\x00s\\x00h\\x00p\\x00a\\x00d\\x00-\\x00h\\x00a\\x00n\\x00d\\x00l\\x00e\\x00r\\x00 \\x00-\\x00-\\x00u\\x00s\\x00e\\x00r\\x00-\\x00d\\x00a\\x00t\\x00a\\x00-\\x00d\\x00i\\x00r\\x00=\\x00C\\x00:\\x00\\\\x00U\\x00s\\x00e\\x00r\\x00s\\x00\\\\x00a\\x00d\\x00m\\x00i\\x00n\\x00\\\\x00A\\x00p\\x00p\\x00D\\x00a\\x00t\\x00a\\x00\\\\x00R\\x00o\\x00a\\x00"
              }
            ],
            "repeated": 0,
            "id": 17402
          },
          {
            "timestamp": "2026-05-28 22:01:58,818",
            "thread_id": "5448",
            "caller": "0x7ff6c28c39ad",
            "parentcaller": "0x7ff6c28c31bb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a90"
              }
            ],
            "repeated": 0,
            "id": 17403
          },
          {
            "timestamp": "2026-05-28 22:01:58,818",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c3746",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a90"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001000",
                "pretty_value": "PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "3344"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Users\\admin\\AppData\\Local\\Discord\\app-1.0.9238\\Discord.exe"
              }
            ],
            "repeated": 0,
            "id": 17404
          },
          {
            "timestamp": "2026-05-28 22:01:58,818",
            "thread_id": "5448",
            "caller": "0x7ff6c28c472e",
            "parentcaller": "0x7ff6c28c375e",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a90"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x00000a30"
              }
            ],
            "repeated": 0,
            "id": 17405
          },
          {
            "timestamp": "2026-05-28 22:01:58,818",
            "thread_id": "5448",
            "caller": "0x7ff6c28c4764",
            "parentcaller": "0x7ff6c28c375e",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "39"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 17406
          },
          {
            "timestamp": "2026-05-28 22:01:58,818",
            "thread_id": "5448",
            "caller": "0x7ff6c28c47ed",
            "parentcaller": "0x7ff6c28c375e",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "39"
              },
              {
                "name": "TokenInformation",
                "value": "\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\xc0\\xddpT\\x92\\x02\\x00\\x00 \\x00 \\x00\\x00\\x00\\x00\\x00\\xe8\\xddpT\\x92\\x02\\x00\\x00\\x02\\x00\\x00\\x00A\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x08\\xdepT\\x92\\x02\\x00\\x00T\\x00S\\x00A\\x00:\\x00/\\x00/\\x00P\\x00r\\x00o\\x00c\\x00U\\x00n\\x00i\\x00q\\x00u\\x00e\\x00@\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xc4\\xdb\\x07\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 17407
          },
          {
            "timestamp": "2026-05-28 22:01:58,818",
            "thread_id": "5448",
            "caller": "0x7ff6c28c488d",
            "parentcaller": "0x7ff6c28c375e",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a30"
              }
            ],
            "repeated": 0,
            "id": 17408
          },
          {
            "timestamp": "2026-05-28 22:01:58,818",
            "thread_id": "5448",
            "caller": "0x7ff6c28c3779",
            "parentcaller": "0x7ff6c28c31c6",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a90"
              }
            ],
            "repeated": 0,
            "id": 17409
          },
          {
            "timestamp": "2026-05-28 22:01:58,818",
            "thread_id": "5448",
            "caller": "0x7ff6c28c05ac",
            "parentcaller": "0x7ff6c28bdc11",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a90"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001400",
                "pretty_value": "PROCESS_QUERY_INFORMATION|PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "6236"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Users\\admin\\AppData\\Local\\Discord\\app-1.0.9238\\Discord.exe"
              }
            ],
            "repeated": 0,
            "id": 17410
          },
          {
            "timestamp": "2026-05-28 22:01:58,818",
            "thread_id": "5448",
            "caller": "0x7ff6c28c068f",
            "parentcaller": "0x7ff6c28bdc11",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a90"
              }
            ],
            "repeated": 0,
            "id": 17411
          },
          {
            "timestamp": "2026-05-28 22:01:58,818",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c3e56",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a90"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001000",
                "pretty_value": "PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "6236"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Users\\admin\\AppData\\Local\\Discord\\app-1.0.9238\\Discord.exe"
              }
            ],
            "repeated": 0,
            "id": 17412
          },
          {
            "timestamp": "2026-05-28 22:01:58,818",
            "thread_id": "5448",
            "caller": "0x7ff6c28c3ebb",
            "parentcaller": "0x7ff6c28c2d53",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a90"
              }
            ],
            "repeated": 0,
            "id": 17413
          },
          {
            "timestamp": "2026-05-28 22:01:58,818",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c3ffc",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a90"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001000",
                "pretty_value": "PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "6236"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Users\\admin\\AppData\\Local\\Discord\\app-1.0.9238\\Discord.exe"
              }
            ],
            "repeated": 0,
            "id": 17414
          },
          {
            "timestamp": "2026-05-28 22:01:58,818",
            "thread_id": "5448",
            "caller": "0x7ff6c28c4224",
            "parentcaller": "0x7ff6c28c2da5",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a90"
              }
            ],
            "repeated": 0,
            "id": 17415
          },
          {
            "timestamp": "2026-05-28 22:01:58,818",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29257f80002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Users\\admin\\AppData\\Local\\Discord\\app-1.0.9238\\Discord.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 17416
          },
          {
            "timestamp": "2026-05-28 22:01:58,818",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29257f80000"
              },
              {
                "name": "RegionSize",
                "value": "0x0be3b000"
              }
            ],
            "repeated": 0,
            "id": 17417
          },
          {
            "timestamp": "2026-05-28 22:01:58,818",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29257f80002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Users\\admin\\AppData\\Local\\Discord\\app-1.0.9238\\Discord.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 17418
          },
          {
            "timestamp": "2026-05-28 22:01:58,818",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29257f80000"
              },
              {
                "name": "RegionSize",
                "value": "0x0be3b000"
              }
            ],
            "repeated": 0,
            "id": 17419
          },
          {
            "timestamp": "2026-05-28 22:01:58,818",
            "thread_id": "5448",
            "caller": "0x7ff6c28c3b16",
            "parentcaller": "0x7ff6c28c30e8",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a90"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000400",
                "pretty_value": "PROCESS_QUERY_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "6236"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Users\\admin\\AppData\\Local\\Discord\\app-1.0.9238\\Discord.exe"
              }
            ],
            "repeated": 0,
            "id": 17420
          },
          {
            "timestamp": "2026-05-28 22:01:58,818",
            "thread_id": "5448",
            "caller": "0x7ff6c28c3b8f",
            "parentcaller": "0x7ff6c28c30e8",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a90"
              }
            ],
            "repeated": 0,
            "id": 17421
          },
          {
            "timestamp": "2026-05-28 22:01:58,818",
            "thread_id": "1496",
            "caller": "0x7ff6c28da9db",
            "parentcaller": "0x7ff6c28d6fb1",
            "category": "misc",
            "api": "GetCursorPos",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "x",
                "value": "583"
              },
              {
                "name": "y",
                "value": "373"
              }
            ],
            "repeated": 0,
            "id": 17422
          },
          {
            "timestamp": "2026-05-28 22:01:58,818",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6fb1",
            "parentcaller": "0x7ff6c28e0076",
            "category": "system",
            "api": "NtDelayExecution",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 17423
          },
          {
            "timestamp": "2026-05-28 22:01:58,818",
            "thread_id": "1496",
            "caller": "0x7ff6c28da9db",
            "parentcaller": "0x7ff6c28d6fb1",
            "category": "misc",
            "api": "GetCursorPos",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "x",
                "value": "580"
              },
              {
                "name": "y",
                "value": "372"
              }
            ],
            "repeated": 0,
            "id": 17424
          },
          {
            "timestamp": "2026-05-28 22:01:58,818",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6fb1",
            "parentcaller": "0x7ff6c28e0076",
            "category": "system",
            "api": "NtDelayExecution",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 17425
          },
          {
            "timestamp": "2026-05-28 22:01:58,818",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c38f8",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a90"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001410",
                "pretty_value": "PROCESS_VM_READ|PROCESS_QUERY_INFORMATION|PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "6236"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Users\\admin\\AppData\\Local\\Discord\\app-1.0.9238\\Discord.exe"
              }
            ],
            "repeated": 0,
            "id": 17426
          },
          {
            "timestamp": "2026-05-28 22:01:58,818",
            "thread_id": "5448",
            "caller": "0x7ff6c28c53e5",
            "parentcaller": "0x7ff6c28c3945",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a90"
              },
              {
                "name": "BaseAddress",
                "value": "0x34d7036000"
              },
              {
                "name": "Size",
                "value": "0x000007c8"
              },
              {
                "name": "Buffer",
                "value": "\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\x86\\xb1\\xf6\\x7f\\x00\\x00\\xc0\\xc4\\x13x\\xfc\\x7f\\x00\\x00\\x80\\x1c\\xb3i\\xdb\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb3i\\xdb\\x01\\x00\\x00\\xe0\\xc0\\x13x\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x05\\x00\\x00\\x00\\x00\\x00\\x00\\x00p\\x003v\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x98i\\xdb\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00@\\xc4\\x13x\\xfc\\x7f\\x00\\x00\\xff\\xff\\xff?\\x00\\x00\\x00\\x00\\x00\\x00\\xfd\\xc7\\xf4}\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00P\\x07\\xfd\\xc7\\xf4}\\x00\\x00\\x00\\x00\\x11\\xca\\xf5}\\x00\\x00(\\x02\\x12\\xca\\xf5}\\x00\\x00P\\x06\\x13\\xca\\xf5}\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x80\\x9b\\x07m\\xe8\\xff\\xff\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x00 \\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x10\\x00\\x00\\x00@\\xad\\x13x\\xfc\\x7f\\x00\\x00\\x00\\x00\\xf6i\\xdb\\x01\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 17427
          },
          {
            "timestamp": "2026-05-28 22:01:58,818",
            "thread_id": "5448",
            "caller": "0x7ff6c28c5414",
            "parentcaller": "0x7ff6c28c3945",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a90"
              },
              {
                "name": "BaseAddress",
                "value": "0x1db69b31c80"
              },
              {
                "name": "Size",
                "value": "0x00000440"
              },
              {
                "name": "Buffer",
                "value": "H\\x0e\\x00\\x00H\\x0e\\x00\\x00\\x01`\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00d\\x00\\x08\\x02\\x00\\x00\\x00\\x00 /\\xb3i\\xdb\\x01\\x00\\x00D\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00z\\x00|\\x00\\x00\\x00\\x00\\x00\\xc8\"\\xb3i\\xdb\\x01\\x00\\x00\\xe4\\x06\\xe6\\x06\\x00\\x00\\x00\\x00D#\\xb3i\\xdb\\x01\\x00\\x00\\xe0\\x0f\\xb3i\\xdb\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x81\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00z\\x00|\\x00\\x00\\x00\\x00\\x00**\\xb3i\\xdb\\x01\\x00\\x00\\x1e\\x00 \\x00\\x00\\x00\\x00\\x00\\xa6*\\xb3i\\xdb\\x01\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\xc6*\\xb3i\\xdb\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 17428
          },
          {
            "timestamp": "2026-05-28 22:01:58,818",
            "thread_id": "5448",
            "caller": "0x7ff6c28c545d",
            "parentcaller": "0x7ff6c28c3945",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a90"
              },
              {
                "name": "BaseAddress",
                "value": "0x1db69b32344"
              },
              {
                "name": "Size",
                "value": "0x000006e4"
              },
              {
                "name": "Buffer",
                "value": "\"\\x00C\\x00:\\x00\\\\x00U\\x00s\\x00e\\x00r\\x00s\\x00\\\\x00a\\x00d\\x00m\\x00i\\x00n\\x00\\\\x00A\\x00p\\x00p\\x00D\\x00a\\x00t\\x00a\\x00\\\\x00L\\x00o\\x00c\\x00a\\x00l\\x00\\\\x00D\\x00i\\x00s\\x00c\\x00o\\x00r\\x00d\\x00\\\\x00a\\x00p\\x00p\\x00-\\x001\\x00.\\x000\\x00.\\x009\\x002\\x003\\x008\\x00\\\\x00D\\x00i\\x00s\\x00c\\x00o\\x00r\\x00d\\x00.\\x00e\\x00x\\x00e\\x00\"\\x00 \\x00-\\x00-\\x00t\\x00y\\x00p\\x00e\\x00=\\x00u\\x00t\\x00i\\x00l\\x00i\\x00t\\x00y\\x00 \\x00-\\x00-\\x00u\\x00t\\x00i\\x00l\\x00i\\x00t\\x00y\\x00-\\x00s\\x00u\\x00b\\x00-\\x00t\\x00y\\x00p\\x00e\\x00=\\x00n\\x00e\\x00t\\x00w\\x00o\\x00r\\x00k\\x00.\\x00m\\x00o\\x00j\\x00o\\x00m\\x00.\\x00N\\x00e\\x00t\\x00w\\x00o\\x00r\\x00k\\x00S\\x00e\\x00r\\x00v\\x00i\\x00c\\x00e\\x00 \\x00-\\x00"
              }
            ],
            "repeated": 0,
            "id": 17429
          },
          {
            "timestamp": "2026-05-28 22:01:58,818",
            "thread_id": "5448",
            "caller": "0x7ff6c28c39ad",
            "parentcaller": "0x7ff6c28c31bb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a90"
              }
            ],
            "repeated": 0,
            "id": 17430
          },
          {
            "timestamp": "2026-05-28 22:01:58,818",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c3746",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a90"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001000",
                "pretty_value": "PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "6236"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Users\\admin\\AppData\\Local\\Discord\\app-1.0.9238\\Discord.exe"
              }
            ],
            "repeated": 0,
            "id": 17431
          },
          {
            "timestamp": "2026-05-28 22:01:58,818",
            "thread_id": "5448",
            "caller": "0x7ff6c28c472e",
            "parentcaller": "0x7ff6c28c375e",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a90"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x000007d4"
              }
            ],
            "repeated": 0,
            "id": 17432
          },
          {
            "timestamp": "2026-05-28 22:01:58,818",
            "thread_id": "5448",
            "caller": "0x7ff6c28c4764",
            "parentcaller": "0x7ff6c28c375e",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "39"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 17433
          },
          {
            "timestamp": "2026-05-28 22:01:58,818",
            "thread_id": "5448",
            "caller": "0x7ff6c28c47ed",
            "parentcaller": "0x7ff6c28c375e",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "39"
              },
              {
                "name": "TokenInformation",
                "value": "\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\xd0\\xd2\\xabT\\x92\\x02\\x00\\x00 \\x00 \\x00\\x00\\x00\\x00\\x00\\xf8\\xd2\\xabT\\x92\\x02\\x00\\x00\\x02\\x00\\x00\\x00A\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x18\\xd3\\xabT\\x92\\x02\\x00\\x00T\\x00S\\x00A\\x00:\\x00/\\x00/\\x00P\\x00r\\x00o\\x00c\\x00U\\x00n\\x00i\\x00q\\x00u\\x00e\\x00E\\x00\\x00\\x00\\x00\\x00\\x00\\x00.\\xe3\\x07\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 17434
          },
          {
            "timestamp": "2026-05-28 22:01:58,818",
            "thread_id": "5448",
            "caller": "0x7ff6c28c488d",
            "parentcaller": "0x7ff6c28c375e",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000007d4"
              }
            ],
            "repeated": 0,
            "id": 17435
          },
          {
            "timestamp": "2026-05-28 22:01:58,818",
            "thread_id": "5448",
            "caller": "0x7ff6c28c3779",
            "parentcaller": "0x7ff6c28c31c6",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a90"
              }
            ],
            "repeated": 0,
            "id": 17436
          },
          {
            "timestamp": "2026-05-28 22:01:58,818",
            "thread_id": "5448",
            "caller": "0x7ff6c28c05ac",
            "parentcaller": "0x7ff6c28bdc11",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a90"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001400",
                "pretty_value": "PROCESS_QUERY_INFORMATION|PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "6772"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Users\\admin\\AppData\\Local\\Discord\\app-1.0.9238\\Discord.exe"
              }
            ],
            "repeated": 0,
            "id": 17437
          },
          {
            "timestamp": "2026-05-28 22:01:58,818",
            "thread_id": "5448",
            "caller": "0x7ff6c28c068f",
            "parentcaller": "0x7ff6c28bdc11",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a90"
              }
            ],
            "repeated": 0,
            "id": 17438
          },
          {
            "timestamp": "2026-05-28 22:01:58,818",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c3e56",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a90"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001000",
                "pretty_value": "PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "6772"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Users\\admin\\AppData\\Local\\Discord\\app-1.0.9238\\Discord.exe"
              }
            ],
            "repeated": 0,
            "id": 17439
          },
          {
            "timestamp": "2026-05-28 22:01:58,818",
            "thread_id": "5448",
            "caller": "0x7ff6c28c3ebb",
            "parentcaller": "0x7ff6c28c2d53",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a90"
              }
            ],
            "repeated": 0,
            "id": 17440
          },
          {
            "timestamp": "2026-05-28 22:01:58,818",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c3ffc",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a90"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001000",
                "pretty_value": "PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "6772"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Users\\admin\\AppData\\Local\\Discord\\app-1.0.9238\\Discord.exe"
              }
            ],
            "repeated": 0,
            "id": 17441
          },
          {
            "timestamp": "2026-05-28 22:01:58,818",
            "thread_id": "5448",
            "caller": "0x7ff6c28c4224",
            "parentcaller": "0x7ff6c28c2da5",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a90"
              }
            ],
            "repeated": 0,
            "id": 17442
          },
          {
            "timestamp": "2026-05-28 22:01:58,818",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29257f80002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Users\\admin\\AppData\\Local\\Discord\\app-1.0.9238\\Discord.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 17443
          },
          {
            "timestamp": "2026-05-28 22:01:58,818",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29257f80000"
              },
              {
                "name": "RegionSize",
                "value": "0x0be3b000"
              }
            ],
            "repeated": 0,
            "id": 17444
          },
          {
            "timestamp": "2026-05-28 22:01:58,818",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29257f80002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Users\\admin\\AppData\\Local\\Discord\\app-1.0.9238\\Discord.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 17445
          },
          {
            "timestamp": "2026-05-28 22:01:58,818",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29257f80000"
              },
              {
                "name": "RegionSize",
                "value": "0x0be3b000"
              }
            ],
            "repeated": 0,
            "id": 17446
          },
          {
            "timestamp": "2026-05-28 22:01:58,818",
            "thread_id": "5448",
            "caller": "0x7ff6c28c3b16",
            "parentcaller": "0x7ff6c28c30e8",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a90"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000400",
                "pretty_value": "PROCESS_QUERY_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "6772"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Users\\admin\\AppData\\Local\\Discord\\app-1.0.9238\\Discord.exe"
              }
            ],
            "repeated": 0,
            "id": 17447
          },
          {
            "timestamp": "2026-05-28 22:01:58,818",
            "thread_id": "5448",
            "caller": "0x7ff6c28c3b8f",
            "parentcaller": "0x7ff6c28c30e8",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a90"
              }
            ],
            "repeated": 0,
            "id": 17448
          },
          {
            "timestamp": "2026-05-28 22:01:58,818",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c38f8",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a90"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001410",
                "pretty_value": "PROCESS_VM_READ|PROCESS_QUERY_INFORMATION|PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "6772"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Users\\admin\\AppData\\Local\\Discord\\app-1.0.9238\\Discord.exe"
              }
            ],
            "repeated": 0,
            "id": 17449
          },
          {
            "timestamp": "2026-05-28 22:01:58,818",
            "thread_id": "5448",
            "caller": "0x7ff6c28c53e5",
            "parentcaller": "0x7ff6c28c3945",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a90"
              },
              {
                "name": "BaseAddress",
                "value": "0xdd633c6000"
              },
              {
                "name": "Size",
                "value": "0x000007c8"
              },
              {
                "name": "Buffer",
                "value": "\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\x86\\xb1\\xf6\\x7f\\x00\\x00\\xc0\\xc4\\x13x\\xfc\\x7f\\x00\\x00\\x80\\x1cR\\xad\\x82\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00R\\xad\\x82\\x02\\x00\\x00\\xe0\\xc0\\x13x\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x05\\x00\\x00\\x00\\x00\\x00\\x00\\x00p\\x003v\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00.\\xad\\x82\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00@\\xc4\\x13x\\xfc\\x7f\\x00\\x00\\xff\\xff\\xff\\x1f\\x00\\x00\\x00\\x00\\x00\\x00\\xaa\\xa1\\xf4}\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00P\\x07\\xaa\\xa1\\xf4}\\x00\\x00\\x00\\x00\\xbe\\xa3\\xf5}\\x00\\x00(\\x02\\xbf\\xa3\\xf5}\\x00\\x00P\\x06\\xc0\\xa3\\xf5}\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x80\\x9b\\x07m\\xe8\\xff\\xff\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x00 \\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x10\\x00\\x00\\x00@\\xad\\x13x\\xfc\\x7f\\x00\\x00\\x00\\x00\\x91\\xad\\x82\\x02\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 17450
          },
          {
            "timestamp": "2026-05-28 22:01:58,818",
            "thread_id": "5448",
            "caller": "0x7ff6c28c5414",
            "parentcaller": "0x7ff6c28c3945",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a90"
              },
              {
                "name": "BaseAddress",
                "value": "0x282ad521c80"
              },
              {
                "name": "Size",
                "value": "0x00000440"
              },
              {
                "name": "Buffer",
                "value": "\\x82\\x0e\\x00\\x00\\x82\\x0e\\x00\\x00\\x01`\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00d\\x00\\x08\\x02\\x00\\x00\\x00\\x00`/R\\xad\\x82\\x02\\x00\\x00\\x84\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00z\\x00|\\x00\\x00\\x00\\x00\\x00\\xc8\"R\\xad\\x82\\x02\\x00\\x00\\xde\\x06\\xe0\\x06\\x00\\x00\\x00\\x00D#R\\xad\\x82\\x02\\x00\\x00\\xe0\\x0fR\\xad\\x82\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x80\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00z\\x00|\\x00\\x00\\x00\\x00\\x00$*R\\xad\\x82\\x02\\x00\\x00^\\x00`\\x00\\x00\\x00\\x00\\x00\\xa0*R\\xad\\x82\\x02\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00+R\\xad\\x82\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 17451
          },
          {
            "timestamp": "2026-05-28 22:01:58,818",
            "thread_id": "5448",
            "caller": "0x7ff6c28c545d",
            "parentcaller": "0x7ff6c28c3945",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a90"
              },
              {
                "name": "BaseAddress",
                "value": "0x282ad522344"
              },
              {
                "name": "Size",
                "value": "0x000006de"
              },
              {
                "name": "Buffer",
                "value": "\"\\x00C\\x00:\\x00\\\\x00U\\x00s\\x00e\\x00r\\x00s\\x00\\\\x00a\\x00d\\x00m\\x00i\\x00n\\x00\\\\x00A\\x00p\\x00p\\x00D\\x00a\\x00t\\x00a\\x00\\\\x00L\\x00o\\x00c\\x00a\\x00l\\x00\\\\x00D\\x00i\\x00s\\x00c\\x00o\\x00r\\x00d\\x00\\\\x00a\\x00p\\x00p\\x00-\\x001\\x00.\\x000\\x00.\\x009\\x002\\x003\\x008\\x00\\\\x00D\\x00i\\x00s\\x00c\\x00o\\x00r\\x00d\\x00.\\x00e\\x00x\\x00e\\x00\"\\x00 \\x00-\\x00-\\x00t\\x00y\\x00p\\x00e\\x00=\\x00u\\x00t\\x00i\\x00l\\x00i\\x00t\\x00y\\x00 \\x00-\\x00-\\x00u\\x00t\\x00i\\x00l\\x00i\\x00t\\x00y\\x00-\\x00s\\x00u\\x00b\\x00-\\x00t\\x00y\\x00p\\x00e\\x00=\\x00a\\x00u\\x00d\\x00i\\x00o\\x00.\\x00m\\x00o\\x00j\\x00o\\x00m\\x00.\\x00A\\x00u\\x00d\\x00i\\x00o\\x00S\\x00e\\x00r\\x00v\\x00i\\x00c\\x00e\\x00 \\x00-\\x00-\\x00l\\x00a\\x00n\\x00"
              }
            ],
            "repeated": 0,
            "id": 17452
          },
          {
            "timestamp": "2026-05-28 22:01:58,818",
            "thread_id": "5448",
            "caller": "0x7ff6c28c39ad",
            "parentcaller": "0x7ff6c28c31bb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a90"
              }
            ],
            "repeated": 0,
            "id": 17453
          },
          {
            "timestamp": "2026-05-28 22:01:58,818",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c3746",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a90"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001000",
                "pretty_value": "PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "6772"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Users\\admin\\AppData\\Local\\Discord\\app-1.0.9238\\Discord.exe"
              }
            ],
            "repeated": 0,
            "id": 17454
          },
          {
            "timestamp": "2026-05-28 22:01:58,818",
            "thread_id": "5448",
            "caller": "0x7ff6c28c472e",
            "parentcaller": "0x7ff6c28c375e",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a90"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x000007d4"
              }
            ],
            "repeated": 0,
            "id": 17455
          },
          {
            "timestamp": "2026-05-28 22:01:58,818",
            "thread_id": "5448",
            "caller": "0x7ff6c28c4764",
            "parentcaller": "0x7ff6c28c375e",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "39"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 17456
          },
          {
            "timestamp": "2026-05-28 22:01:58,818",
            "thread_id": "5448",
            "caller": "0x7ff6c28c47ed",
            "parentcaller": "0x7ff6c28c375e",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "39"
              },
              {
                "name": "TokenInformation",
                "value": "\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00 \\xc4\\xedS\\x92\\x02\\x00\\x00 \\x00 \\x00\\x00\\x00\\x00\\x00H\\xc4\\xedS\\x92\\x02\\x00\\x00\\x02\\x00\\x00\\x00A\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00h\\xc4\\xedS\\x92\\x02\\x00\\x00T\\x00S\\x00A\\x00:\\x00/\\x00/\\x00P\\x00r\\x00o\\x00c\\x00U\\x00n\\x00i\\x00q\\x00u\\x00e\\x00J\\x00\\x00\\x00\\x00\\x00\\x00\\x00q\\x1d\\x08\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 17457
          },
          {
            "timestamp": "2026-05-28 22:01:58,818",
            "thread_id": "5448",
            "caller": "0x7ff6c28c488d",
            "parentcaller": "0x7ff6c28c375e",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000007d4"
              }
            ],
            "repeated": 0,
            "id": 17458
          },
          {
            "timestamp": "2026-05-28 22:01:58,818",
            "thread_id": "5448",
            "caller": "0x7ff6c28c3779",
            "parentcaller": "0x7ff6c28c31c6",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a90"
              }
            ],
            "repeated": 0,
            "id": 17459
          },
          {
            "timestamp": "2026-05-28 22:01:58,818",
            "thread_id": "5448",
            "caller": "0x7ff6c28c05ac",
            "parentcaller": "0x7ff6c28bdc11",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a90"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001400",
                "pretty_value": "PROCESS_QUERY_INFORMATION|PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "6580"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Program Files (x86)\\Steam\\bin\\cef\\cef.win64\\steamwebhelper.exe"
              }
            ],
            "repeated": 0,
            "id": 17460
          },
          {
            "timestamp": "2026-05-28 22:01:58,818",
            "thread_id": "5448",
            "caller": "0x7ff6c28c068f",
            "parentcaller": "0x7ff6c28bdc11",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a90"
              }
            ],
            "repeated": 0,
            "id": 17461
          },
          {
            "timestamp": "2026-05-28 22:01:58,818",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c3e56",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a90"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001000",
                "pretty_value": "PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "6580"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Program Files (x86)\\Steam\\bin\\cef\\cef.win64\\steamwebhelper.exe"
              }
            ],
            "repeated": 0,
            "id": 17462
          },
          {
            "timestamp": "2026-05-28 22:01:58,818",
            "thread_id": "5448",
            "caller": "0x7ff6c28c3ebb",
            "parentcaller": "0x7ff6c28c2d53",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a90"
              }
            ],
            "repeated": 0,
            "id": 17463
          },
          {
            "timestamp": "2026-05-28 22:01:58,818",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c3ffc",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a90"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001000",
                "pretty_value": "PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "6580"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Program Files (x86)\\Steam\\bin\\cef\\cef.win64\\steamwebhelper.exe"
              }
            ],
            "repeated": 0,
            "id": 17464
          },
          {
            "timestamp": "2026-05-28 22:01:58,818",
            "thread_id": "5448",
            "caller": "0x7ff6c28c4224",
            "parentcaller": "0x7ff6c28c2da5",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a90"
              }
            ],
            "repeated": 0,
            "id": 17465
          },
          {
            "timestamp": "2026-05-28 22:01:58,818",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29257f80002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Program Files (x86)\\Steam\\bin\\cef\\cef.win64\\steamwebhelper.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 17466
          },
          {
            "timestamp": "2026-05-28 22:01:58,818",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29257f80000"
              },
              {
                "name": "RegionSize",
                "value": "0x008f9000"
              }
            ],
            "repeated": 0,
            "id": 17467
          },
          {
            "timestamp": "2026-05-28 22:01:58,818",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29257f80002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Program Files (x86)\\Steam\\bin\\cef\\cef.win64\\steamwebhelper.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 17468
          },
          {
            "timestamp": "2026-05-28 22:01:58,818",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29257f80000"
              },
              {
                "name": "RegionSize",
                "value": "0x008f9000"
              }
            ],
            "repeated": 0,
            "id": 17469
          },
          {
            "timestamp": "2026-05-28 22:01:58,818",
            "thread_id": "5448",
            "caller": "0x7ff6c28c3b16",
            "parentcaller": "0x7ff6c28c30e8",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a90"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000400",
                "pretty_value": "PROCESS_QUERY_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "6580"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Program Files (x86)\\Steam\\bin\\cef\\cef.win64\\steamwebhelper.exe"
              }
            ],
            "repeated": 0,
            "id": 17470
          },
          {
            "timestamp": "2026-05-28 22:01:58,818",
            "thread_id": "5448",
            "caller": "0x7ff6c28c3b8f",
            "parentcaller": "0x7ff6c28c30e8",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a90"
              }
            ],
            "repeated": 0,
            "id": 17471
          },
          {
            "timestamp": "2026-05-28 22:01:58,818",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c38f8",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a90"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001410",
                "pretty_value": "PROCESS_VM_READ|PROCESS_QUERY_INFORMATION|PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "6580"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Program Files (x86)\\Steam\\bin\\cef\\cef.win64\\steamwebhelper.exe"
              }
            ],
            "repeated": 0,
            "id": 17472
          },
          {
            "timestamp": "2026-05-28 22:01:58,818",
            "thread_id": "5448",
            "caller": "0x7ff6c28c53e5",
            "parentcaller": "0x7ff6c28c3945",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a90"
              },
              {
                "name": "BaseAddress",
                "value": "0xcdbc957000"
              },
              {
                "name": "Size",
                "value": "0x000007c8"
              },
              {
                "name": "Buffer",
                "value": "\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\x05\\xd0\\xf7\\x7f\\x00\\x00\\xc0\\xc4\\x13x\\xfc\\x7f\\x00\\x00@\\x1d\\x94Hk\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x94Hk\\x02\\x00\\x00\\xe0\\xc0\\x13x\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00p\\x003v\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00xHk\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00@\\xc4\\x13x\\xfc\\x7f\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\x0f\\x00\\x00\\x00\\x00\\xc2\\xba\\xf4\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00P\\x07\\xc2\\xba\\xf4\\x7f\\x00\\x00\\x00\\x00\\xd6\\xbc\\xf5\\x7f\\x00\\x00(\\x02\\xd7\\xbc\\xf5\\x7f\\x00\\x00P\\x06\\xd8\\xbc\\xf5\\x7f\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x80\\x9b\\x07m\\xe8\\xff\\xff\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x00 \\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x10\\x00\\x00\\x00@\\xad\\x13x\\xfc\\x7f\\x00\\x00\\x00\\x00\\xd8Hk\\x02\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 17473
          },
          {
            "timestamp": "2026-05-28 22:01:58,818",
            "thread_id": "5448",
            "caller": "0x7ff6c28c5414",
            "parentcaller": "0x7ff6c28c3945",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a90"
              },
              {
                "name": "BaseAddress",
                "value": "0x26b48941d40"
              },
              {
                "name": "Size",
                "value": "0x00000440"
              },
              {
                "name": "Buffer",
                "value": "\\xb0\\x0b\\x00\\x00\\xb0\\x0b\\x00\\x00\\x01`\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00:\\x00\\x08\\x02\\x00\\x00\\x00\\x00P-\\x94Hk\\x02\\x00\\x00D\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x82\\x00\\x84\\x00\\x00\\x00\\x00\\x00\\x88#\\x94Hk\\x02\\x00\\x00<\\x04>\\x04\\x00\\x00\\x00\\x00\\x0c$\\x94Hk\\x02\\x00\\x00\\xe0\\x0f\\x94Hk\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x82\\x00\\x84\\x00\\x00\\x00\\x00\\x00J(\\x94Hk\\x02\\x00\\x00\\x1e\\x00 \\x00\\x00\\x00\\x00\\x00\\xce(\\x94Hk\\x02\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\xee(\\x94Hk\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 17474
          },
          {
            "timestamp": "2026-05-28 22:01:58,818",
            "thread_id": "5448",
            "caller": "0x7ff6c28c545d",
            "parentcaller": "0x7ff6c28c3945",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a90"
              },
              {
                "name": "BaseAddress",
                "value": "0x26b4894240c"
              },
              {
                "name": "Size",
                "value": "0x0000043c"
              },
              {
                "name": "Buffer",
                "value": "\"\\x00C\\x00:\\x00\\\\x00P\\x00r\\x00o\\x00g\\x00r\\x00a\\x00m\\x00 \\x00F\\x00i\\x00l\\x00e\\x00s\\x00 \\x00(\\x00x\\x008\\x006\\x00)\\x00\\\\x00S\\x00t\\x00e\\x00a\\x00m\\x00\\\\x00b\\x00i\\x00n\\x00\\\\x00c\\x00e\\x00f\\x00\\\\x00c\\x00e\\x00f\\x00.\\x00w\\x00i\\x00n\\x006\\x004\\x00\\\\x00s\\x00t\\x00e\\x00a\\x00m\\x00w\\x00e\\x00b\\x00h\\x00e\\x00l\\x00p\\x00e\\x00r\\x00.\\x00e\\x00x\\x00e\\x00\"\\x00 \\x00-\\x00-\\x00t\\x00y\\x00p\\x00e\\x00=\\x00c\\x00r\\x00a\\x00s\\x00h\\x00p\\x00a\\x00d\\x00-\\x00h\\x00a\\x00n\\x00d\\x00l\\x00e\\x00r\\x00 \\x00/\\x00p\\x00r\\x00e\\x00f\\x00e\\x00t\\x00c\\x00h\\x00:\\x004\\x00 \\x00-\\x00-\\x00m\\x00a\\x00x\\x00-\\x00u\\x00p\\x00l\\x00o\\x00a\\x00d\\x00s\\x00=\\x005\\x00 \\x00-\\x00-\\x00m\\x00a\\x00x\\x00-\\x00d\\x00b\\x00"
              }
            ],
            "repeated": 0,
            "id": 17475
          },
          {
            "timestamp": "2026-05-28 22:01:58,818",
            "thread_id": "5448",
            "caller": "0x7ff6c28c39ad",
            "parentcaller": "0x7ff6c28c31bb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a90"
              }
            ],
            "repeated": 0,
            "id": 17476
          },
          {
            "timestamp": "2026-05-28 22:01:58,818",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c3746",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a90"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001000",
                "pretty_value": "PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "6580"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Program Files (x86)\\Steam\\bin\\cef\\cef.win64\\steamwebhelper.exe"
              }
            ],
            "repeated": 0,
            "id": 17477
          },
          {
            "timestamp": "2026-05-28 22:01:58,818",
            "thread_id": "5448",
            "caller": "0x7ff6c28c472e",
            "parentcaller": "0x7ff6c28c375e",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a90"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x000007d4"
              }
            ],
            "repeated": 0,
            "id": 17478
          },
          {
            "timestamp": "2026-05-28 22:01:58,818",
            "thread_id": "5448",
            "caller": "0x7ff6c28c4764",
            "parentcaller": "0x7ff6c28c375e",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "39"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 17479
          },
          {
            "timestamp": "2026-05-28 22:01:58,818",
            "thread_id": "5448",
            "caller": "0x7ff6c28c47ed",
            "parentcaller": "0x7ff6c28c375e",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "39"
              },
              {
                "name": "TokenInformation",
                "value": "\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00 \\xc4\\xedS\\x92\\x02\\x00\\x00 \\x00 \\x00\\x00\\x00\\x00\\x00H\\xc4\\xedS\\x92\\x02\\x00\\x00\\x02\\x00\\x00\\x00A\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00h\\xc4\\xedS\\x92\\x02\\x00\\x00T\\x00S\\x00A\\x00:\\x00/\\x00/\\x00P\\x00r\\x00o\\x00c\\x00U\\x00n\\x00i\\x00q\\x00u\\x00e\\x00F\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x98L\\x08\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 17480
          },
          {
            "timestamp": "2026-05-28 22:01:58,818",
            "thread_id": "5448",
            "caller": "0x7ff6c28c488d",
            "parentcaller": "0x7ff6c28c375e",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000007d4"
              }
            ],
            "repeated": 0,
            "id": 17481
          },
          {
            "timestamp": "2026-05-28 22:01:58,818",
            "thread_id": "5448",
            "caller": "0x7ff6c28c3779",
            "parentcaller": "0x7ff6c28c31c6",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a90"
              }
            ],
            "repeated": 0,
            "id": 17482
          },
          {
            "timestamp": "2026-05-28 22:01:58,818",
            "thread_id": "5448",
            "caller": "0x7ff6c28c05ac",
            "parentcaller": "0x7ff6c28bdc11",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a90"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001400",
                "pretty_value": "PROCESS_QUERY_INFORMATION|PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "7052"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Program Files (x86)\\Steam\\bin\\cef\\cef.win64\\steamwebhelper.exe"
              }
            ],
            "repeated": 0,
            "id": 17483
          },
          {
            "timestamp": "2026-05-28 22:01:58,818",
            "thread_id": "5448",
            "caller": "0x7ff6c28c068f",
            "parentcaller": "0x7ff6c28bdc11",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a90"
              }
            ],
            "repeated": 0,
            "id": 17484
          },
          {
            "timestamp": "2026-05-28 22:01:58,818",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c3e56",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a90"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001000",
                "pretty_value": "PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "7052"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Program Files (x86)\\Steam\\bin\\cef\\cef.win64\\steamwebhelper.exe"
              }
            ],
            "repeated": 0,
            "id": 17485
          },
          {
            "timestamp": "2026-05-28 22:01:58,818",
            "thread_id": "5448",
            "caller": "0x7ff6c28c3ebb",
            "parentcaller": "0x7ff6c28c2d53",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a90"
              }
            ],
            "repeated": 0,
            "id": 17486
          },
          {
            "timestamp": "2026-05-28 22:01:58,818",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c3ffc",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a90"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001000",
                "pretty_value": "PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "7052"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Program Files (x86)\\Steam\\bin\\cef\\cef.win64\\steamwebhelper.exe"
              }
            ],
            "repeated": 0,
            "id": 17487
          },
          {
            "timestamp": "2026-05-28 22:01:58,818",
            "thread_id": "5448",
            "caller": "0x7ff6c28c4224",
            "parentcaller": "0x7ff6c28c2da5",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a90"
              }
            ],
            "repeated": 0,
            "id": 17488
          },
          {
            "timestamp": "2026-05-28 22:01:58,818",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29257f80002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Program Files (x86)\\Steam\\bin\\cef\\cef.win64\\steamwebhelper.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 17489
          },
          {
            "timestamp": "2026-05-28 22:01:58,818",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29257f80000"
              },
              {
                "name": "RegionSize",
                "value": "0x008f9000"
              }
            ],
            "repeated": 0,
            "id": 17490
          },
          {
            "timestamp": "2026-05-28 22:01:58,818",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29257f80002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Program Files (x86)\\Steam\\bin\\cef\\cef.win64\\steamwebhelper.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 17491
          },
          {
            "timestamp": "2026-05-28 22:01:58,818",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29257f80000"
              },
              {
                "name": "RegionSize",
                "value": "0x008f9000"
              }
            ],
            "repeated": 0,
            "id": 17492
          },
          {
            "timestamp": "2026-05-28 22:01:58,818",
            "thread_id": "5448",
            "caller": "0x7ff6c28c3b16",
            "parentcaller": "0x7ff6c28c30e8",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a90"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000400",
                "pretty_value": "PROCESS_QUERY_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "7052"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Program Files (x86)\\Steam\\bin\\cef\\cef.win64\\steamwebhelper.exe"
              }
            ],
            "repeated": 0,
            "id": 17493
          },
          {
            "timestamp": "2026-05-28 22:01:58,818",
            "thread_id": "5448",
            "caller": "0x7ff6c28c3b8f",
            "parentcaller": "0x7ff6c28c30e8",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a90"
              }
            ],
            "repeated": 0,
            "id": 17494
          },
          {
            "timestamp": "2026-05-28 22:01:58,818",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c38f8",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a90"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001410",
                "pretty_value": "PROCESS_VM_READ|PROCESS_QUERY_INFORMATION|PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "7052"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Program Files (x86)\\Steam\\bin\\cef\\cef.win64\\steamwebhelper.exe"
              }
            ],
            "repeated": 0,
            "id": 17495
          },
          {
            "timestamp": "2026-05-28 22:01:58,818",
            "thread_id": "5448",
            "caller": "0x7ff6c28c53e5",
            "parentcaller": "0x7ff6c28c3945",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a90"
              },
              {
                "name": "BaseAddress",
                "value": "0xcdafcdd000"
              },
              {
                "name": "Size",
                "value": "0x000007c8"
              },
              {
                "name": "Buffer",
                "value": "\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\x05\\xd0\\xf7\\x7f\\x00\\x00\\xc0\\xc4\\x13x\\xfc\\x7f\\x00\\x00\\xc0\\x1d\\x1cT\\x1f\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x1cT\\x1f\\x02\\x00\\x00\\xe0\\xc0\\x13x\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x05\\x00\\x00\\x00\\x00\\x00\\x00\\x00p\\x003v\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\nT\\x1f\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00@\\xc4\\x13x\\xfc\\x7f\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\x07\\x00\\x00\\x00\\xa1\\xbc\\xf4\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00P\\x07\\xa1\\xbc\\xf4\\x7f\\x00\\x00\\x00\\x00\\xb5\\xbe\\xf5\\x7f\\x00\\x00(\\x02\\xb6\\xbe\\xf5\\x7f\\x00\\x00P\\x06\\xb7\\xbe\\xf5\\x7f\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x80\\x9b\\x07m\\xe8\\xff\\xff\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x00 \\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\x05\\x00\\x00\\x00\\x10\\x00\\x00\\x00@\\xad\\x13x\\xfc\\x7f\\x00\\x00\\x00\\x00\\x8dT\\x1f\\x02\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 17496
          },
          {
            "timestamp": "2026-05-28 22:01:58,818",
            "thread_id": "5448",
            "caller": "0x7ff6c28c5414",
            "parentcaller": "0x7ff6c28c3945",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a90"
              },
              {
                "name": "BaseAddress",
                "value": "0x21f541c1dc0"
              },
              {
                "name": "Size",
                "value": "0x00000440"
              },
              {
                "name": "Buffer",
                "value": "\\xf2\r\\x00\\x00\\xf2\r\\x00\\x00\\x01`\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff:\\x00\\x08\\x02\\x00\\x00\\x00\\x00P\\xea+T\\x1f\\x02\\x00\\x00\\xb0\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x82\\x00\\x84\\x00\\x00\\x00\\x00\\x00\\x08$\\x1cT\\x1f\\x02\\x00\\x00~\\x06\\x80\\x06\\x00\\x00\\x00\\x00\\x8c$\\x1cT\\x1f\\x02\\x00\\x00 \\xc7'T\\x1f\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x80\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x82\\x00\\x84\\x00\\x00\\x00\\x00\\x00\\x0c+\\x1cT\\x1f\\x02\\x00\\x00\\x1e\\x00 \\x00\\x00\\x00\\x00\\x00\\x90+\\x1cT\\x1f\\x02\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\xb0+\\x1cT\\x1f\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 17497
          },
          {
            "timestamp": "2026-05-28 22:01:58,818",
            "thread_id": "5448",
            "caller": "0x7ff6c28c545d",
            "parentcaller": "0x7ff6c28c3945",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a90"
              },
              {
                "name": "BaseAddress",
                "value": "0x21f541c248c"
              },
              {
                "name": "Size",
                "value": "0x0000067e"
              },
              {
                "name": "Buffer",
                "value": "\"\\x00C\\x00:\\x00\\\\x00P\\x00r\\x00o\\x00g\\x00r\\x00a\\x00m\\x00 \\x00F\\x00i\\x00l\\x00e\\x00s\\x00 \\x00(\\x00x\\x008\\x006\\x00)\\x00\\\\x00S\\x00t\\x00e\\x00a\\x00m\\x00\\\\x00b\\x00i\\x00n\\x00\\\\x00c\\x00e\\x00f\\x00\\\\x00c\\x00e\\x00f\\x00.\\x00w\\x00i\\x00n\\x006\\x004\\x00\\\\x00s\\x00t\\x00e\\x00a\\x00m\\x00w\\x00e\\x00b\\x00h\\x00e\\x00l\\x00p\\x00e\\x00r\\x00.\\x00e\\x00x\\x00e\\x00\"\\x00 \\x00-\\x00-\\x00t\\x00y\\x00p\\x00e\\x00=\\x00g\\x00p\\x00u\\x00-\\x00p\\x00r\\x00o\\x00c\\x00e\\x00s\\x00s\\x00 \\x00-\\x00-\\x00s\\x00t\\x00a\\x00r\\x00t\\x00-\\x00s\\x00t\\x00a\\x00c\\x00k\\x00-\\x00p\\x00r\\x00o\\x00f\\x00i\\x00l\\x00e\\x00r\\x00 \\x00-\\x00-\\x00e\\x00n\\x00a\\x00b\\x00l\\x00e\\x00-\\x00c\\x00h\\x00r\\x00o\\x00m\\x00e\\x00-\\x00r\\x00u\\x00"
              }
            ],
            "repeated": 0,
            "id": 17498
          },
          {
            "timestamp": "2026-05-28 22:01:58,818",
            "thread_id": "5448",
            "caller": "0x7ff6c28c39ad",
            "parentcaller": "0x7ff6c28c31bb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a90"
              }
            ],
            "repeated": 0,
            "id": 17499
          },
          {
            "timestamp": "2026-05-28 22:01:58,818",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c3746",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a90"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001000",
                "pretty_value": "PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "7052"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Program Files (x86)\\Steam\\bin\\cef\\cef.win64\\steamwebhelper.exe"
              }
            ],
            "repeated": 0,
            "id": 17500
          },
          {
            "timestamp": "2026-05-28 22:01:58,818",
            "thread_id": "5448",
            "caller": "0x7ff6c28c472e",
            "parentcaller": "0x7ff6c28c375e",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a90"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x000007d4"
              }
            ],
            "repeated": 0,
            "id": 17501
          },
          {
            "timestamp": "2026-05-28 22:01:58,818",
            "thread_id": "5448",
            "caller": "0x7ff6c28c4764",
            "parentcaller": "0x7ff6c28c375e",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "39"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 17502
          },
          {
            "timestamp": "2026-05-28 22:01:58,818",
            "thread_id": "5448",
            "caller": "0x7ff6c28c47ed",
            "parentcaller": "0x7ff6c28c375e",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "39"
              },
              {
                "name": "TokenInformation",
                "value": "\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\xc0\\xca\\xedS\\x92\\x02\\x00\\x00 \\x00 \\x00\\x00\\x00\\x00\\x00\\xe8\\xca\\xedS\\x92\\x02\\x00\\x00\\x02\\x00\\x00\\x00A\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x08\\xcb\\xedS\\x92\\x02\\x00\\x00T\\x00S\\x00A\\x00:\\x00/\\x00/\\x00P\\x00r\\x00o\\x00c\\x00U\\x00n\\x00i\\x00q\\x00u\\x00e\\x00P\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x11Y\\x08\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 17503
          },
          {
            "timestamp": "2026-05-28 22:01:58,818",
            "thread_id": "5448",
            "caller": "0x7ff6c28c488d",
            "parentcaller": "0x7ff6c28c375e",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000007d4"
              }
            ],
            "repeated": 0,
            "id": 17504
          },
          {
            "timestamp": "2026-05-28 22:01:58,818",
            "thread_id": "5448",
            "caller": "0x7ff6c28c3779",
            "parentcaller": "0x7ff6c28c31c6",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a90"
              }
            ],
            "repeated": 0,
            "id": 17505
          },
          {
            "timestamp": "2026-05-28 22:01:58,818",
            "thread_id": "5448",
            "caller": "0x7ff6c28c05ac",
            "parentcaller": "0x7ff6c28bdc11",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a90"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001400",
                "pretty_value": "PROCESS_QUERY_INFORMATION|PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "6320"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Program Files (x86)\\Steam\\bin\\cef\\cef.win64\\steamwebhelper.exe"
              }
            ],
            "repeated": 0,
            "id": 17506
          },
          {
            "timestamp": "2026-05-28 22:01:58,818",
            "thread_id": "5448",
            "caller": "0x7ff6c28c068f",
            "parentcaller": "0x7ff6c28bdc11",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a90"
              }
            ],
            "repeated": 0,
            "id": 17507
          },
          {
            "timestamp": "2026-05-28 22:01:58,818",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c3e56",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a90"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001000",
                "pretty_value": "PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "6320"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Program Files (x86)\\Steam\\bin\\cef\\cef.win64\\steamwebhelper.exe"
              }
            ],
            "repeated": 0,
            "id": 17508
          },
          {
            "timestamp": "2026-05-28 22:01:58,818",
            "thread_id": "5448",
            "caller": "0x7ff6c28c3ebb",
            "parentcaller": "0x7ff6c28c2d53",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a90"
              }
            ],
            "repeated": 0,
            "id": 17509
          },
          {
            "timestamp": "2026-05-28 22:01:58,818",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c3ffc",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a90"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001000",
                "pretty_value": "PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "6320"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Program Files (x86)\\Steam\\bin\\cef\\cef.win64\\steamwebhelper.exe"
              }
            ],
            "repeated": 0,
            "id": 17510
          },
          {
            "timestamp": "2026-05-28 22:01:58,818",
            "thread_id": "5448",
            "caller": "0x7ff6c28c4224",
            "parentcaller": "0x7ff6c28c2da5",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a90"
              }
            ],
            "repeated": 0,
            "id": 17511
          },
          {
            "timestamp": "2026-05-28 22:01:58,818",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29257f80002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Program Files (x86)\\Steam\\bin\\cef\\cef.win64\\steamwebhelper.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 17512
          },
          {
            "timestamp": "2026-05-28 22:01:58,818",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29257f80000"
              },
              {
                "name": "RegionSize",
                "value": "0x008f9000"
              }
            ],
            "repeated": 0,
            "id": 17513
          },
          {
            "timestamp": "2026-05-28 22:01:58,818",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29257f80002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Program Files (x86)\\Steam\\bin\\cef\\cef.win64\\steamwebhelper.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 17514
          },
          {
            "timestamp": "2026-05-28 22:01:58,818",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29257f80000"
              },
              {
                "name": "RegionSize",
                "value": "0x008f9000"
              }
            ],
            "repeated": 0,
            "id": 17515
          },
          {
            "timestamp": "2026-05-28 22:01:58,818",
            "thread_id": "5448",
            "caller": "0x7ff6c28c3b16",
            "parentcaller": "0x7ff6c28c30e8",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a90"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000400",
                "pretty_value": "PROCESS_QUERY_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "6320"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Program Files (x86)\\Steam\\bin\\cef\\cef.win64\\steamwebhelper.exe"
              }
            ],
            "repeated": 0,
            "id": 17516
          },
          {
            "timestamp": "2026-05-28 22:01:58,818",
            "thread_id": "5448",
            "caller": "0x7ff6c28c3b8f",
            "parentcaller": "0x7ff6c28c30e8",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a90"
              }
            ],
            "repeated": 0,
            "id": 17517
          },
          {
            "timestamp": "2026-05-28 22:01:58,834",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c38f8",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a90"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001410",
                "pretty_value": "PROCESS_VM_READ|PROCESS_QUERY_INFORMATION|PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "6320"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Program Files (x86)\\Steam\\bin\\cef\\cef.win64\\steamwebhelper.exe"
              }
            ],
            "repeated": 0,
            "id": 17518
          },
          {
            "timestamp": "2026-05-28 22:01:58,834",
            "thread_id": "5448",
            "caller": "0x7ff6c28c53e5",
            "parentcaller": "0x7ff6c28c3945",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a90"
              },
              {
                "name": "BaseAddress",
                "value": "0xc65e060000"
              },
              {
                "name": "Size",
                "value": "0x000007c8"
              },
              {
                "name": "Buffer",
                "value": "\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\x05\\xd0\\xf7\\x7f\\x00\\x00\\xc0\\xc4\\x13x\\xfc\\x7f\\x00\\x00\\xc0\\x1d\\x8bX\\xf9\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x8bX\\xf9\\x01\\x00\\x00\\xe0\\xc0\\x13x\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x05\\x00\\x00\\x00\\x00\\x00\\x00\\x00p\\x003v\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00|X\\xf9\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00@\\xc4\\x13x\\xfc\\x7f\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\x01\\x00\\x00\\x00\\x00\\x8b&\\xf4\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00P\\x07\\x8b&\\xf4\\x7f\\x00\\x00\\x00\\x00\\x9f(\\xf5\\x7f\\x00\\x00(\\x02\\xa0(\\xf5\\x7f\\x00\\x00P\\x06\\xa1(\\xf5\\x7f\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x80\\x9b\\x07m\\xe8\\xff\\xff\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x00 \\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x10\\x00\\x00\\x00@\\xad\\x13x\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 17519
          },
          {
            "timestamp": "2026-05-28 22:01:58,834",
            "thread_id": "5448",
            "caller": "0x7ff6c28c5414",
            "parentcaller": "0x7ff6c28c3945",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a90"
              },
              {
                "name": "BaseAddress",
                "value": "0x1f9588b1dc0"
              },
              {
                "name": "Size",
                "value": "0x00000440"
              },
              {
                "name": "Buffer",
                "value": "^\r\\x00\\x00^\r\\x00\\x00\\x01`\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff:\\x00\\x08\\x02\\x00\\x00\\x00\\x00\\x80/\\x8bX\\xf9\\x01\\x00\\x00\\x84\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x82\\x00\\x84\\x00\\x00\\x00\\x00\\x00\\x08$\\x8bX\\xf9\\x01\\x00\\x00\\xaa\\x05\\xac\\x05\\x00\\x00\\x00\\x00\\x8c$\\x8bX\\xf9\\x01\\x00\\x00\\xe0\\x0f\\x8bX\\xf9\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x80\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x82\\x00\\x84\\x00\\x00\\x00\\x00\\x008*\\x8bX\\xf9\\x01\\x00\\x00^\\x00`\\x00\\x00\\x00\\x00\\x00\\xbc*\\x8bX\\xf9\\x01\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x1c+\\x8bX\\xf9\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 17520
          },
          {
            "timestamp": "2026-05-28 22:01:58,834",
            "thread_id": "5448",
            "caller": "0x7ff6c28c545d",
            "parentcaller": "0x7ff6c28c3945",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a90"
              },
              {
                "name": "BaseAddress",
                "value": "0x1f9588b248c"
              },
              {
                "name": "Size",
                "value": "0x000005aa"
              },
              {
                "name": "Buffer",
                "value": "\"\\x00C\\x00:\\x00\\\\x00P\\x00r\\x00o\\x00g\\x00r\\x00a\\x00m\\x00 \\x00F\\x00i\\x00l\\x00e\\x00s\\x00 \\x00(\\x00x\\x008\\x006\\x00)\\x00\\\\x00S\\x00t\\x00e\\x00a\\x00m\\x00\\\\x00b\\x00i\\x00n\\x00\\\\x00c\\x00e\\x00f\\x00\\\\x00c\\x00e\\x00f\\x00.\\x00w\\x00i\\x00n\\x006\\x004\\x00\\\\x00s\\x00t\\x00e\\x00a\\x00m\\x00w\\x00e\\x00b\\x00h\\x00e\\x00l\\x00p\\x00e\\x00r\\x00.\\x00e\\x00x\\x00e\\x00\"\\x00 \\x00-\\x00-\\x00t\\x00y\\x00p\\x00e\\x00=\\x00u\\x00t\\x00i\\x00l\\x00i\\x00t\\x00y\\x00 \\x00-\\x00-\\x00u\\x00t\\x00i\\x00l\\x00i\\x00t\\x00y\\x00-\\x00s\\x00u\\x00b\\x00-\\x00t\\x00y\\x00p\\x00e\\x00=\\x00s\\x00t\\x00o\\x00r\\x00a\\x00g\\x00e\\x00.\\x00m\\x00o\\x00j\\x00o\\x00m\\x00.\\x00S\\x00t\\x00o\\x00r\\x00a\\x00g\\x00e\\x00S\\x00e\\x00r\\x00v\\x00i\\x00"
              }
            ],
            "repeated": 0,
            "id": 17521
          },
          {
            "timestamp": "2026-05-28 22:01:58,834",
            "thread_id": "5448",
            "caller": "0x7ff6c28c39ad",
            "parentcaller": "0x7ff6c28c31bb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a90"
              }
            ],
            "repeated": 0,
            "id": 17522
          },
          {
            "timestamp": "2026-05-28 22:01:58,834",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c3746",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a90"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001000",
                "pretty_value": "PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "6320"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Program Files (x86)\\Steam\\bin\\cef\\cef.win64\\steamwebhelper.exe"
              }
            ],
            "repeated": 0,
            "id": 17523
          },
          {
            "timestamp": "2026-05-28 22:01:58,834",
            "thread_id": "5448",
            "caller": "0x7ff6c28c472e",
            "parentcaller": "0x7ff6c28c375e",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a90"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x000007d4"
              }
            ],
            "repeated": 0,
            "id": 17524
          },
          {
            "timestamp": "2026-05-28 22:01:58,834",
            "thread_id": "5448",
            "caller": "0x7ff6c28c4764",
            "parentcaller": "0x7ff6c28c375e",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "39"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 17525
          },
          {
            "timestamp": "2026-05-28 22:01:58,834",
            "thread_id": "5448",
            "caller": "0x7ff6c28c47ed",
            "parentcaller": "0x7ff6c28c375e",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "39"
              },
              {
                "name": "TokenInformation",
                "value": "\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\xc0\\xca\\xedS\\x92\\x02\\x00\\x00 \\x00 \\x00\\x00\\x00\\x00\\x00\\xe8\\xca\\xedS\\x92\\x02\\x00\\x00\\x02\\x00\\x00\\x00A\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x08\\xcb\\xedS\\x92\\x02\\x00\\x00T\\x00S\\x00A\\x00:\\x00/\\x00/\\x00P\\x00r\\x00o\\x00c\\x00U\\x00n\\x00i\\x00q\\x00u\\x00e\\x00V\\x00\\x00\\x00\\x00\\x00\\x00\\x00b^\\x08\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 17526
          },
          {
            "timestamp": "2026-05-28 22:01:58,834",
            "thread_id": "5448",
            "caller": "0x7ff6c28c488d",
            "parentcaller": "0x7ff6c28c375e",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000007d4"
              }
            ],
            "repeated": 0,
            "id": 17527
          },
          {
            "timestamp": "2026-05-28 22:01:58,834",
            "thread_id": "5448",
            "caller": "0x7ff6c28c3779",
            "parentcaller": "0x7ff6c28c31c6",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a90"
              }
            ],
            "repeated": 0,
            "id": 17528
          },
          {
            "timestamp": "2026-05-28 22:01:58,834",
            "thread_id": "5448",
            "caller": "0x7ff6c28c05ac",
            "parentcaller": "0x7ff6c28bdc11",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a90"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001400",
                "pretty_value": "PROCESS_QUERY_INFORMATION|PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "7956"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\System32\\svchost.exe"
              }
            ],
            "repeated": 0,
            "id": 17529
          },
          {
            "timestamp": "2026-05-28 22:01:58,834",
            "thread_id": "5448",
            "caller": "0x7ff6c28c068f",
            "parentcaller": "0x7ff6c28bdc11",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a90"
              }
            ],
            "repeated": 0,
            "id": 17530
          },
          {
            "timestamp": "2026-05-28 22:01:58,834",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c3e56",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a90"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001000",
                "pretty_value": "PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "7956"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\System32\\svchost.exe"
              }
            ],
            "repeated": 0,
            "id": 17531
          },
          {
            "timestamp": "2026-05-28 22:01:58,834",
            "thread_id": "5448",
            "caller": "0x7ff6c28c3ebb",
            "parentcaller": "0x7ff6c28c2d53",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a90"
              }
            ],
            "repeated": 0,
            "id": 17532
          },
          {
            "timestamp": "2026-05-28 22:01:58,834",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c3ffc",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a90"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001000",
                "pretty_value": "PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "7956"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\System32\\svchost.exe"
              }
            ],
            "repeated": 0,
            "id": 17533
          },
          {
            "timestamp": "2026-05-28 22:01:58,834",
            "thread_id": "5448",
            "caller": "0x7ff6c28c4224",
            "parentcaller": "0x7ff6c28c2da5",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a90"
              }
            ],
            "repeated": 0,
            "id": 17534
          },
          {
            "timestamp": "2026-05-28 22:01:58,834",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x292544f0002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\System32\\svchost.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 17535
          },
          {
            "timestamp": "2026-05-28 22:01:58,834",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "registry",
            "api": "NtOpenKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\en-US"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\en-US"
              }
            ],
            "repeated": 0,
            "id": 17536
          },
          {
            "timestamp": "2026-05-28 22:01:58,834",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000a90"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100001",
                "pretty_value": "FILE_READ_ACCESS|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\en-US\\svchost.exe.mui"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 17537
          },
          {
            "timestamp": "2026-05-28 22:01:58,834",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x000007d4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000a90"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\en-US\\svchost.exe.mui"
              }
            ],
            "repeated": 0,
            "id": 17538
          },
          {
            "timestamp": "2026-05-28 22:01:58,834",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x000007d4"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254500000"
              },
              {
                "name": "SectionOffset",
                "value": "0xf09ddfcf90"
              },
              {
                "name": "ViewSize",
                "value": "0x00001000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 17539
          },
          {
            "timestamp": "2026-05-28 22:01:58,834",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000007d4"
              }
            ],
            "repeated": 0,
            "id": 17540
          },
          {
            "timestamp": "2026-05-28 22:01:58,834",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254500000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              }
            ],
            "repeated": 0,
            "id": 17541
          },
          {
            "timestamp": "2026-05-28 22:01:58,834",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a90"
              }
            ],
            "repeated": 0,
            "id": 17542
          },
          {
            "timestamp": "2026-05-28 22:01:58,834",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x292544f0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              }
            ],
            "repeated": 0,
            "id": 17543
          },
          {
            "timestamp": "2026-05-28 22:01:58,834",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x292544f0002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\System32\\svchost.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 17544
          },
          {
            "timestamp": "2026-05-28 22:01:58,834",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "registry",
            "api": "NtOpenKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\en-US"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\en-US"
              }
            ],
            "repeated": 0,
            "id": 17545
          },
          {
            "timestamp": "2026-05-28 22:01:58,834",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000a90"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100001",
                "pretty_value": "FILE_READ_ACCESS|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\en-US\\svchost.exe.mui"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 17546
          },
          {
            "timestamp": "2026-05-28 22:01:58,834",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x000007d4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000a90"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\en-US\\svchost.exe.mui"
              }
            ],
            "repeated": 0,
            "id": 17547
          },
          {
            "timestamp": "2026-05-28 22:01:58,834",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x000007d4"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254500000"
              },
              {
                "name": "SectionOffset",
                "value": "0xf09ddfcf80"
              },
              {
                "name": "ViewSize",
                "value": "0x00001000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 17548
          },
          {
            "timestamp": "2026-05-28 22:01:58,834",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000007d4"
              }
            ],
            "repeated": 0,
            "id": 17549
          },
          {
            "timestamp": "2026-05-28 22:01:58,834",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254500000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              }
            ],
            "repeated": 0,
            "id": 17550
          },
          {
            "timestamp": "2026-05-28 22:01:58,834",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a90"
              }
            ],
            "repeated": 0,
            "id": 17551
          },
          {
            "timestamp": "2026-05-28 22:01:58,834",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x292544f0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              }
            ],
            "repeated": 0,
            "id": 17552
          },
          {
            "timestamp": "2026-05-28 22:01:58,834",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c38f8",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a90"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001410",
                "pretty_value": "PROCESS_VM_READ|PROCESS_QUERY_INFORMATION|PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "7956"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\System32\\svchost.exe"
              }
            ],
            "repeated": 0,
            "id": 17553
          },
          {
            "timestamp": "2026-05-28 22:01:58,834",
            "thread_id": "5448",
            "caller": "0x7ff6c28c53e5",
            "parentcaller": "0x7ff6c28c3945",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a90"
              },
              {
                "name": "BaseAddress",
                "value": "0x5cecaaf000"
              },
              {
                "name": "Size",
                "value": "0x000007c8"
              },
              {
                "name": "Buffer",
                "value": "\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x006\\x80\\xf7\\x7f\\x00\\x00\\xc0\\xc4\\x13x\\xfc\\x7f\\x00\\x00p2\\xc00\\x1f\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xbf0\\x1f\\x02\\x00\\x00\\xe0\\xc0\\x13x\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00p\\x003v\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xba0\\x1f\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00@\\xc4\\x13x\\xfc\\x7f\\x00\\x00\\xff\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xfem\\xf4}\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00P\\x07\\xfem\\xf4}\\x00\\x00\\x00\\x00\\x12p\\xf5}\\x00\\x00(\\x02\\x13p\\xf5}\\x00\\x00P\\x06\\x14p\\xf5}\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x80\\x9b\\x07m\\xe8\\xff\\xff\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x00 \\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x10\\x00\\x00\\x00@\\xad\\x13x\\xfc\\x7f\\x00\\x00\\x00\\x00\\x111\\x1f\\x02\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 17554
          },
          {
            "timestamp": "2026-05-28 22:01:58,834",
            "thread_id": "5448",
            "caller": "0x7ff6c28c5414",
            "parentcaller": "0x7ff6c28c3945",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a90"
              },
              {
                "name": "BaseAddress",
                "value": "0x21f30c03270"
              },
              {
                "name": "Size",
                "value": "0x00000440"
              },
              {
                "name": "Buffer",
                "value": "f\\x07\\x00\\x00f\\x07\\x00\\x00\\x01 \\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00(\\x00\\x08\\x02\\x00\\x00\\x00\\x00P>\\xc00\\x1f\\x02\\x00\\x00H\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00>\\x00@\\x00\\x00\\x00\\x00\\x00\\xb88\\xc00\\x1f\\x02\\x00\\x00\\x98\\x00\\x9a\\x00\\x00\\x00\\x00\\x00\\xf88\\xc00\\x1f\\x02\\x00\\x00\\xf0'\\xc00\\x1f\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x80\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00>\\x00@\\x00\\x00\\x00\\x00\\x00\\x929\\xc00\\x1f\\x02\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\xd29\\xc00\\x1f\\x02\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\xd49\\xc00\\x1f\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 17555
          },
          {
            "timestamp": "2026-05-28 22:01:58,834",
            "thread_id": "5448",
            "caller": "0x7ff6c28c545d",
            "parentcaller": "0x7ff6c28c3945",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a90"
              },
              {
                "name": "BaseAddress",
                "value": "0x21f30c038f8"
              },
              {
                "name": "Size",
                "value": "0x00000098"
              },
              {
                "name": "Buffer",
                "value": "C\\x00:\\x00\\\\x00W\\x00i\\x00n\\x00d\\x00o\\x00w\\x00s\\x00\\\\x00s\\x00y\\x00s\\x00t\\x00e\\x00m\\x003\\x002\\x00\\\\x00s\\x00v\\x00c\\x00h\\x00o\\x00s\\x00t\\x00.\\x00e\\x00x\\x00e\\x00 \\x00-\\x00k\\x00 \\x00L\\x00o\\x00c\\x00a\\x00l\\x00S\\x00y\\x00s\\x00t\\x00e\\x00m\\x00N\\x00e\\x00t\\x00w\\x00o\\x00r\\x00k\\x00R\\x00e\\x00s\\x00t\\x00r\\x00i\\x00c\\x00t\\x00e\\x00d\\x00 \\x00-\\x00p\\x00 \\x00-\\x00s\\x00 \\x00N\\x00g\\x00c\\x00S\\x00v\\x00c\\x00"
              }
            ],
            "repeated": 0,
            "id": 17556
          },
          {
            "timestamp": "2026-05-28 22:01:58,834",
            "thread_id": "5448",
            "caller": "0x7ff6c28c39ad",
            "parentcaller": "0x7ff6c28c31bb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a90"
              }
            ],
            "repeated": 0,
            "id": 17557
          },
          {
            "timestamp": "2026-05-28 22:01:58,834",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c3746",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a90"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001000",
                "pretty_value": "PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "7956"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\System32\\svchost.exe"
              }
            ],
            "repeated": 0,
            "id": 17558
          },
          {
            "timestamp": "2026-05-28 22:01:58,834",
            "thread_id": "5448",
            "caller": "0x7ff6c28c472e",
            "parentcaller": "0x7ff6c28c375e",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a90"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x000007d4"
              }
            ],
            "repeated": 0,
            "id": 17559
          },
          {
            "timestamp": "2026-05-28 22:01:58,834",
            "thread_id": "5448",
            "caller": "0x7ff6c28c4764",
            "parentcaller": "0x7ff6c28c375e",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "39"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 17560
          },
          {
            "timestamp": "2026-05-28 22:01:58,834",
            "thread_id": "5448",
            "caller": "0x7ff6c28c47ed",
            "parentcaller": "0x7ff6c28c375e",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "39"
              },
              {
                "name": "TokenInformation",
                "value": "\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\xc0\\xca\\xedS\\x92\\x02\\x00\\x00 \\x00 \\x00\\x00\\x00\\x00\\x00\\xe8\\xca\\xedS\\x92\\x02\\x00\\x00\\x02\\x00\\x00\\x00A\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x08\\xcb\\xedS\\x92\\x02\\x00\\x00T\\x00S\\x00A\\x00:\\x00/\\x00/\\x00P\\x00r\\x00o\\x00c\\x00U\\x00n\\x00i\\x00q\\x00u\\x00e\\x00Y\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xa9\\xb6\\x08\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 17561
          },
          {
            "timestamp": "2026-05-28 22:01:58,834",
            "thread_id": "5448",
            "caller": "0x7ff6c28c488d",
            "parentcaller": "0x7ff6c28c375e",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000007d4"
              }
            ],
            "repeated": 0,
            "id": 17562
          },
          {
            "timestamp": "2026-05-28 22:01:58,834",
            "thread_id": "5448",
            "caller": "0x7ff6c28c3779",
            "parentcaller": "0x7ff6c28c31c6",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a90"
              }
            ],
            "repeated": 0,
            "id": 17563
          },
          {
            "timestamp": "2026-05-28 22:01:58,834",
            "thread_id": "5448",
            "caller": "0x7ff6c28c05ac",
            "parentcaller": "0x7ff6c28bdc11",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a90"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001400",
                "pretty_value": "PROCESS_QUERY_INFORMATION|PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "4576"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Program Files (x86)\\Steam\\bin\\cef\\cef.win64\\steamwebhelper.exe"
              }
            ],
            "repeated": 0,
            "id": 17564
          },
          {
            "timestamp": "2026-05-28 22:01:58,834",
            "thread_id": "5448",
            "caller": "0x7ff6c28c068f",
            "parentcaller": "0x7ff6c28bdc11",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a90"
              }
            ],
            "repeated": 0,
            "id": 17565
          },
          {
            "timestamp": "2026-05-28 22:01:58,834",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c3e56",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a90"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001000",
                "pretty_value": "PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "4576"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Program Files (x86)\\Steam\\bin\\cef\\cef.win64\\steamwebhelper.exe"
              }
            ],
            "repeated": 0,
            "id": 17566
          },
          {
            "timestamp": "2026-05-28 22:01:58,834",
            "thread_id": "5448",
            "caller": "0x7ff6c28c3ebb",
            "parentcaller": "0x7ff6c28c2d53",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a90"
              }
            ],
            "repeated": 0,
            "id": 17567
          },
          {
            "timestamp": "2026-05-28 22:01:58,834",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c3ffc",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a90"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001000",
                "pretty_value": "PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "4576"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Program Files (x86)\\Steam\\bin\\cef\\cef.win64\\steamwebhelper.exe"
              }
            ],
            "repeated": 0,
            "id": 17568
          },
          {
            "timestamp": "2026-05-28 22:01:58,834",
            "thread_id": "5448",
            "caller": "0x7ff6c28c4224",
            "parentcaller": "0x7ff6c28c2da5",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a90"
              }
            ],
            "repeated": 0,
            "id": 17569
          },
          {
            "timestamp": "2026-05-28 22:01:58,834",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29257f80002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Program Files (x86)\\Steam\\bin\\cef\\cef.win64\\steamwebhelper.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 17570
          },
          {
            "timestamp": "2026-05-28 22:01:58,834",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29257f80000"
              },
              {
                "name": "RegionSize",
                "value": "0x008f9000"
              }
            ],
            "repeated": 0,
            "id": 17571
          },
          {
            "timestamp": "2026-05-28 22:01:58,834",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29257f80002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Program Files (x86)\\Steam\\bin\\cef\\cef.win64\\steamwebhelper.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 17572
          },
          {
            "timestamp": "2026-05-28 22:01:58,834",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29257f80000"
              },
              {
                "name": "RegionSize",
                "value": "0x008f9000"
              }
            ],
            "repeated": 0,
            "id": 17573
          },
          {
            "timestamp": "2026-05-28 22:01:58,834",
            "thread_id": "5448",
            "caller": "0x7ff6c28c3b16",
            "parentcaller": "0x7ff6c28c30e8",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a90"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000400",
                "pretty_value": "PROCESS_QUERY_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "4576"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Program Files (x86)\\Steam\\bin\\cef\\cef.win64\\steamwebhelper.exe"
              }
            ],
            "repeated": 0,
            "id": 17574
          },
          {
            "timestamp": "2026-05-28 22:01:58,834",
            "thread_id": "5448",
            "caller": "0x7ff6c28c3b8f",
            "parentcaller": "0x7ff6c28c30e8",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a90"
              }
            ],
            "repeated": 0,
            "id": 17575
          },
          {
            "timestamp": "2026-05-28 22:01:58,834",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c38f8",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a90"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001410",
                "pretty_value": "PROCESS_VM_READ|PROCESS_QUERY_INFORMATION|PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "4576"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Program Files (x86)\\Steam\\bin\\cef\\cef.win64\\steamwebhelper.exe"
              }
            ],
            "repeated": 0,
            "id": 17576
          },
          {
            "timestamp": "2026-05-28 22:01:58,834",
            "thread_id": "5448",
            "caller": "0x7ff6c28c53e5",
            "parentcaller": "0x7ff6c28c3945",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a90"
              },
              {
                "name": "BaseAddress",
                "value": "0xf70cc1e000"
              },
              {
                "name": "Size",
                "value": "0x000007c8"
              },
              {
                "name": "Buffer",
                "value": "\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\x05\\xd0\\xf7\\x7f\\x00\\x00\\xc0\\xc4\\x13x\\xfc\\x7f\\x00\\x00 \\x13yq\\xb0\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00yq\\xb0\\x02\\x00\\x00\\xe0\\xc0\\x13x\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x05\\x00\\x00\\x00\\x00\\x00\\x00\\x00p\\x003v\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00Xq\\xb0\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00@\\xc4\\x13x\\xfc\\x7f\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff?\\x00\\x00\\x00\\xb0\\xac\\xf4\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00P\\x07\\xb0\\xac\\xf4\\x7f\\x00\\x00\\x00\\x00\\xc4\\xae\\xf5\\x7f\\x00\\x00(\\x02\\xc5\\xae\\xf5\\x7f\\x00\\x00P\\x06\\xc6\\xae\\xf5\\x7f\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x80\\x9b\\x07m\\xe8\\xff\\xff\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x00 \\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x10\\x00\\x00\\x00@\\xad\\x13x\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 17577
          },
          {
            "timestamp": "2026-05-28 22:01:58,834",
            "thread_id": "5448",
            "caller": "0x7ff6c28c5414",
            "parentcaller": "0x7ff6c28c3945",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a90"
              },
              {
                "name": "BaseAddress",
                "value": "0x2b071791320"
              },
              {
                "name": "Size",
                "value": "0x00000440"
              },
              {
                "name": "Buffer",
                "value": "\\x8a\\x0e\\x00\\x00\\x8a\\x0e\\x00\\x00\\x01`\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff:\\x00\\x08\\x02\\x00\\x00\\x00\\x00\\x10&yq\\xb0\\x02\\x00\\x00\\x84\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x82\\x00\\x84\\x00\\x00\\x00\\x00\\x00h\\x19yq\\xb0\\x02\\x00\\x00\\xd6\\x06\\xd8\\x06\\x00\\x00\\x00\\x00\\xec\\x19yq\\xb0\\x02\\x00\\x00\\xf0\\xf3\\x80q\\xb0\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x80\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x82\\x00\\x84\\x00\\x00\\x00\\x00\\x00\\xc4 yq\\xb0\\x02\\x00\\x00^\\x00`\\x00\\x00\\x00\\x00\\x00H!yq\\xb0\\x02\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\xa8!yq\\xb0\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 17578
          },
          {
            "timestamp": "2026-05-28 22:01:58,834",
            "thread_id": "5448",
            "caller": "0x7ff6c28c545d",
            "parentcaller": "0x7ff6c28c3945",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a90"
              },
              {
                "name": "BaseAddress",
                "value": "0x2b0717919ec"
              },
              {
                "name": "Size",
                "value": "0x000006d6"
              },
              {
                "name": "Buffer",
                "value": "\"\\x00C\\x00:\\x00\\\\x00P\\x00r\\x00o\\x00g\\x00r\\x00a\\x00m\\x00 \\x00F\\x00i\\x00l\\x00e\\x00s\\x00 \\x00(\\x00x\\x008\\x006\\x00)\\x00\\\\x00S\\x00t\\x00e\\x00a\\x00m\\x00\\\\x00b\\x00i\\x00n\\x00\\\\x00c\\x00e\\x00f\\x00\\\\x00c\\x00e\\x00f\\x00.\\x00w\\x00i\\x00n\\x006\\x004\\x00\\\\x00s\\x00t\\x00e\\x00a\\x00m\\x00w\\x00e\\x00b\\x00h\\x00e\\x00l\\x00p\\x00e\\x00r\\x00.\\x00e\\x00x\\x00e\\x00\"\\x00 \\x00-\\x00-\\x00t\\x00y\\x00p\\x00e\\x00=\\x00r\\x00e\\x00n\\x00d\\x00e\\x00r\\x00e\\x00r\\x00 \\x00-\\x00-\\x00s\\x00t\\x00a\\x00r\\x00t\\x00-\\x00s\\x00t\\x00a\\x00c\\x00k\\x00-\\x00p\\x00r\\x00o\\x00f\\x00i\\x00l\\x00e\\x00r\\x00 \\x00-\\x00-\\x00e\\x00n\\x00a\\x00b\\x00l\\x00e\\x00-\\x00c\\x00h\\x00r\\x00o\\x00m\\x00e\\x00-\\x00r\\x00u\\x00n\\x00t\\x00i\\x00"
              }
            ],
            "repeated": 0,
            "id": 17579
          },
          {
            "timestamp": "2026-05-28 22:01:58,834",
            "thread_id": "5448",
            "caller": "0x7ff6c28c39ad",
            "parentcaller": "0x7ff6c28c31bb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a90"
              }
            ],
            "repeated": 0,
            "id": 17580
          },
          {
            "timestamp": "2026-05-28 22:01:58,834",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c3746",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a90"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001000",
                "pretty_value": "PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "4576"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Program Files (x86)\\Steam\\bin\\cef\\cef.win64\\steamwebhelper.exe"
              }
            ],
            "repeated": 0,
            "id": 17581
          },
          {
            "timestamp": "2026-05-28 22:01:58,834",
            "thread_id": "5448",
            "caller": "0x7ff6c28c472e",
            "parentcaller": "0x7ff6c28c375e",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a90"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x000007d4"
              }
            ],
            "repeated": 0,
            "id": 17582
          },
          {
            "timestamp": "2026-05-28 22:01:58,834",
            "thread_id": "5448",
            "caller": "0x7ff6c28c4764",
            "parentcaller": "0x7ff6c28c375e",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "39"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 17583
          },
          {
            "timestamp": "2026-05-28 22:01:58,834",
            "thread_id": "5448",
            "caller": "0x7ff6c28c47ed",
            "parentcaller": "0x7ff6c28c375e",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "39"
              },
              {
                "name": "TokenInformation",
                "value": "\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\xf0e\\x1fT\\x92\\x02\\x00\\x00 \\x00 \\x00\\x00\\x00\\x00\\x00\\x18f\\x1fT\\x92\\x02\\x00\\x00\\x02\\x00\\x00\\x00A\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x008f\\x1fT\\x92\\x02\\x00\\x00T\\x00S\\x00A\\x00:\\x00/\\x00/\\x00P\\x00r\\x00o\\x00c\\x00U\\x00n\\x00i\\x00q\\x00u\\x00e\\x00I\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xbf\\x0b\t\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 17584
          },
          {
            "timestamp": "2026-05-28 22:01:58,834",
            "thread_id": "5448",
            "caller": "0x7ff6c28c488d",
            "parentcaller": "0x7ff6c28c375e",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000007d4"
              }
            ],
            "repeated": 0,
            "id": 17585
          },
          {
            "timestamp": "2026-05-28 22:01:58,834",
            "thread_id": "5448",
            "caller": "0x7ff6c28c3779",
            "parentcaller": "0x7ff6c28c31c6",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a90"
              }
            ],
            "repeated": 0,
            "id": 17586
          },
          {
            "timestamp": "2026-05-28 22:01:58,834",
            "thread_id": "5448",
            "caller": "0x7ff6c28c05ac",
            "parentcaller": "0x7ff6c28bdc11",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a90"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001400",
                "pretty_value": "PROCESS_QUERY_INFORMATION|PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "1084"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Program Files\\WindowsApps\\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\\WinStore.App.exe"
              }
            ],
            "repeated": 0,
            "id": 17587
          },
          {
            "timestamp": "2026-05-28 22:01:58,834",
            "thread_id": "5448",
            "caller": "0x7ff6c28c068f",
            "parentcaller": "0x7ff6c28bdc11",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a90"
              }
            ],
            "repeated": 0,
            "id": 17588
          },
          {
            "timestamp": "2026-05-28 22:01:58,834",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c837c",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a90"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001000",
                "pretty_value": "PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "1084"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Program Files\\WindowsApps\\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\\WinStore.App.exe"
              }
            ],
            "repeated": 0,
            "id": 17589
          },
          {
            "timestamp": "2026-05-28 22:01:58,834",
            "thread_id": "5448",
            "caller": "0x7ff6c28c472e",
            "parentcaller": "0x7ff6c28c8392",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a90"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x000007d4"
              }
            ],
            "repeated": 0,
            "id": 17590
          },
          {
            "timestamp": "2026-05-28 22:01:58,834",
            "thread_id": "5448",
            "caller": "0x7ff6c28c4764",
            "parentcaller": "0x7ff6c28c8392",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "39"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 17591
          },
          {
            "timestamp": "2026-05-28 22:01:58,834",
            "thread_id": "5448",
            "caller": "0x7ff6c28c47ed",
            "parentcaller": "0x7ff6c28c8392",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "39"
              },
              {
                "name": "TokenInformation",
                "value": "\\x01\\x00\\x00\\x00\\x04\\x00\\x00\\x00P\\x0c\\x1aT\\x92\\x02\\x00\\x00\\x1c\\x00\\x1c\\x00\\x00\\x00\\x00\\x00\\xf0\\x0c\\x1aT\\x92\\x02\\x00\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\r\\x1aT\\x92\\x02\\x00\\x00\\x12\\x00\\x12\\x00\\x00\\x00\\x00\\x00\\xfe\r\\x1aT\\x92\\x02\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x0e\\x1aT\\x92\\x02\\x00\\x00\\x1e\\x00\\x1e\\x00\\x00\\x00\\x00\\x00\\x18\\x0e\\x1aT\\x92\\x02\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x008\\x0e\\x1aT\\x92\\x02\\x00\\x00 \\x00 \\x00\\x00\\x00\\x00\\x00@\\x0e\\x1aT\\x92\\x02\\x00\\x00\\x02\\x00\\x00\\x00A\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00`\\x0e\\x1aT\\x92\\x02\\x00\\x00W\\x00I\\x00N\\x00:\\x00/\\x00/\\x00S\\x00Y\\x00S\\x00A\\x00P\\x00P\\x00I\\x00D\\x00\\x00\\x00\\x00\\x00p\\x00p\\x00\\x00\\x00\\x00\\x00@\r\\x1aT\\x92\\x02\\x00\\x00\\x06\\x00\\x06\\x00\\x00\\x00\\x00\\x00\\xb0\r\\x1aT\\x92\\x02\\x00\\x00H\\x00H\\x00\\x00\\x00\\x00\\x00\\xb6\r\\x1aT\\x92\\x02\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 17592
          },
          {
            "timestamp": "2026-05-28 22:01:58,834",
            "thread_id": "5448",
            "caller": "0x7ff6c28c488d",
            "parentcaller": "0x7ff6c28c8392",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000007d4"
              }
            ],
            "repeated": 0,
            "id": 17593
          },
          {
            "timestamp": "2026-05-28 22:01:58,834",
            "thread_id": "5448",
            "caller": "0x7ff6c28c83a8",
            "parentcaller": "0x7ff6c28c8427",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a90"
              }
            ],
            "repeated": 0,
            "id": 17594
          },
          {
            "timestamp": "2026-05-28 22:01:58,834",
            "thread_id": "5448",
            "caller": "0x7ff6c28c883e",
            "parentcaller": "0x7ff6c28c846b",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0xfffffffc"
              }
            ],
            "repeated": 0,
            "id": 17595
          },
          {
            "timestamp": "2026-05-28 22:01:58,834",
            "thread_id": "5448",
            "caller": "0x7ff6c28c883e",
            "parentcaller": "0x7ff6c28c846b",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 17596
          },
          {
            "timestamp": "2026-05-28 22:01:58,834",
            "thread_id": "5448",
            "caller": "0x7ff6c28c883e",
            "parentcaller": "0x7ff6c28c846b",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0xfffffffc"
              }
            ],
            "repeated": 0,
            "id": 17597
          },
          {
            "timestamp": "2026-05-28 22:01:58,834",
            "thread_id": "5448",
            "caller": "0x7ff6c28c883e",
            "parentcaller": "0x7ff6c28c846b",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "0",
                "pretty_value": "ThreadBasicInformation"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x03\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xf0\\x86\\x9d\\xf0\\x00\\x00\\x00\\xe8\\x1e\\x00\\x00\\x00\\x00\\x00\\x00H\\x15\\x00\\x00\\x00\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x0e\\x00\\x00\\x00\\x02\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "5448"
              }
            ],
            "repeated": 0,
            "id": 17598
          },
          {
            "timestamp": "2026-05-28 22:01:58,834",
            "thread_id": "3700",
            "caller": "0x7ffc7571ebae",
            "parentcaller": "0x7ffc775f84de",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "0",
                "pretty_value": "ThreadBasicInformation"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x03\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xf0\\x87\\x9d\\xf0\\x00\\x00\\x00\\xe8\\x1e\\x00\\x00\\x00\\x00\\x00\\x00t\\x0e\\x00\\x00\\x00\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x0b\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "3700"
              }
            ],
            "repeated": 0,
            "id": 17599
          },
          {
            "timestamp": "2026-05-28 22:01:58,834",
            "thread_id": "3700",
            "caller": "0x7ffc756e54eb",
            "parentcaller": "0x7ffc6126c697",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 17600
          },
          {
            "timestamp": "2026-05-28 22:01:58,834",
            "thread_id": "3700",
            "caller": "0x7ffc756e54eb",
            "parentcaller": "0x7ffc6126c717",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\x90\\x0e\\xacT\\x92\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x92\\x02\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\xe9\\x03\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 17601
          },
          {
            "timestamp": "2026-05-28 22:01:58,834",
            "thread_id": "3700",
            "caller": "0x7ffc77be92b9",
            "parentcaller": "0x7ffc77c2224d",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "00000339-0000-0000-C000-000000000046"
              },
              {
                "name": "ClsContext",
                "value": "0x00000403",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER|CLSCTX_NO_CODE_DOWNLOAD"
              },
              {
                "name": "riid",
                "value": "00000003-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 3,
            "id": 17602
          },
          {
            "timestamp": "2026-05-28 22:01:58,834",
            "thread_id": "3700",
            "caller": "0x7ffc6a6a12d2",
            "parentcaller": "0x7ffc756bdf5c",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache"
              },
              {
                "name": "Handle",
                "value": "0x00000a30"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache"
              }
            ],
            "repeated": 0,
            "id": 17603
          },
          {
            "timestamp": "2026-05-28 22:01:58,834",
            "thread_id": "3700",
            "caller": "0x7ffc6a6a1a81",
            "parentcaller": "0x7ffc6a6a138a",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000a30"
              },
              {
                "name": "SubKey",
                "value": "Metadata"
              },
              {
                "name": "Handle",
                "value": "0x00000a7c"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\Metadata"
              }
            ],
            "repeated": 0,
            "id": 17604
          },
          {
            "timestamp": "2026-05-28 22:01:58,834",
            "thread_id": "3700",
            "caller": "0x7ffc6a6a1166",
            "parentcaller": "0x7ffc756bf579",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000a30"
              },
              {
                "name": "SubKey",
                "value": "Package\\Index\\PackageFullName\\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe"
              },
              {
                "name": "Handle",
                "value": "0x00000a50"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\Package\\Index\\PackageFullName\\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe"
              }
            ],
            "repeated": 0,
            "id": 17605
          },
          {
            "timestamp": "2026-05-28 22:01:58,834",
            "thread_id": "3700",
            "caller": "0x7ffc6a6a1732",
            "parentcaller": "0x7ffc756bf7dc",
            "category": "registry",
            "api": "RegEnumKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a50"
              },
              {
                "name": "Index",
                "value": "0"
              },
              {
                "name": "Name",
                "value": "90"
              },
              {
                "name": "Class",
                "value": ""
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\Package\\Index\\PackageFullName\\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\\90"
              }
            ],
            "repeated": 0,
            "id": 17606
          },
          {
            "timestamp": "2026-05-28 22:01:58,834",
            "thread_id": "3700",
            "caller": "0x7ffc6a6a1651",
            "parentcaller": "0x7ffc756bf5fd",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a50"
              }
            ],
            "repeated": 0,
            "id": 17607
          },
          {
            "timestamp": "2026-05-28 22:01:58,834",
            "thread_id": "3700",
            "caller": "0x7ffc756e54eb",
            "parentcaller": "0x7ffc75725e2d",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 17608
          },
          {
            "timestamp": "2026-05-28 22:01:58,834",
            "thread_id": "3700",
            "caller": "0x7ffc756e54eb",
            "parentcaller": "0x7ffc75725e8b",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "P\\xbf\\xacT\\x92\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\\\x00U\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\xe9\\x03\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 17609
          },
          {
            "timestamp": "2026-05-28 22:01:58,834",
            "thread_id": "3700",
            "caller": "0x7ffc6a6a1166",
            "parentcaller": "0x7ffc756bebe9",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000a30"
              },
              {
                "name": "SubKey",
                "value": "User\\Index\\UserSid\\S-1-5-21-3968686040-3210279463-847977608-1001"
              },
              {
                "name": "Handle",
                "value": "0x00000a50"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\User\\Index\\UserSid\\S-1-5-21-3968686040-3210279463-847977608-1001"
              }
            ],
            "repeated": 0,
            "id": 17610
          },
          {
            "timestamp": "2026-05-28 22:01:58,834",
            "thread_id": "3700",
            "caller": "0x7ffc6a6a1732",
            "parentcaller": "0x7ffc756bf7dc",
            "category": "registry",
            "api": "RegEnumKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a50"
              },
              {
                "name": "Index",
                "value": "0"
              },
              {
                "name": "Name",
                "value": "3"
              },
              {
                "name": "Class",
                "value": ""
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\User\\Index\\UserSid\\S-1-5-21-3968686040-3210279463-847977608-1001\\3"
              }
            ],
            "repeated": 0,
            "id": 17611
          },
          {
            "timestamp": "2026-05-28 22:01:58,834",
            "thread_id": "3700",
            "caller": "0x7ffc6a6a1651",
            "parentcaller": "0x7ffc756bec6d",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a50"
              }
            ],
            "repeated": 0,
            "id": 17612
          },
          {
            "timestamp": "2026-05-28 22:01:58,834",
            "thread_id": "3700",
            "caller": "0x7ffc6a6a1166",
            "parentcaller": "0x7ffc756be9b0",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000a30"
              },
              {
                "name": "SubKey",
                "value": "PackageExternalLocation\\Index\\UserAndPackage\\3^90"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\PackageExternalLocation\\Index\\UserAndPackage\\3^90"
              }
            ],
            "repeated": 0,
            "id": 17613
          },
          {
            "timestamp": "2026-05-28 22:01:58,834",
            "thread_id": "3700",
            "caller": "0x7ffc6a6a1166",
            "parentcaller": "0x7ffc756be9b0",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000a30"
              },
              {
                "name": "SubKey",
                "value": "PackageExternalLocation\\Index\\UserAndPackage\\0^90"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\PackageExternalLocation\\Index\\UserAndPackage\\0^90"
              }
            ],
            "repeated": 0,
            "id": 17614
          },
          {
            "timestamp": "2026-05-28 22:01:58,834",
            "thread_id": "3700",
            "caller": "0x7ffc6a6a1166",
            "parentcaller": "0x7ffc756bf308",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000a30"
              },
              {
                "name": "SubKey",
                "value": "Package\\Data\\90"
              },
              {
                "name": "Handle",
                "value": "0x00000a50"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\Package\\Data\\90"
              }
            ],
            "repeated": 0,
            "id": 17615
          },
          {
            "timestamp": "2026-05-28 22:01:58,834",
            "thread_id": "3700",
            "caller": "0x7ffc6a6a15ac",
            "parentcaller": "0x7ffc6a6a14ff",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a50"
              },
              {
                "name": "ValueName",
                "value": "InstalledLocation"
              },
              {
                "name": "Data",
                "value": "C:\\Program Files\\WindowsApps\\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\Package\\Data\\90\\InstalledLocation"
              }
            ],
            "repeated": 0,
            "id": 17616
          },
          {
            "timestamp": "2026-05-28 22:01:58,834",
            "thread_id": "3700",
            "caller": "0x7ffc6a6a15ac",
            "parentcaller": "0x7ffc6a6a14ff",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a50"
              },
              {
                "name": "ValueName",
                "value": "MutableLink"
              },
              {
                "name": "Data",
                "value": ""
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\Package\\Data\\90\\MutableLink"
              }
            ],
            "repeated": 0,
            "id": 17617
          },
          {
            "timestamp": "2026-05-28 22:01:58,834",
            "thread_id": "3700",
            "caller": "0x7ffc6a6a1651",
            "parentcaller": "0x7ffc756bed38",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a50"
              }
            ],
            "repeated": 0,
            "id": 17618
          },
          {
            "timestamp": "2026-05-28 22:01:58,834",
            "thread_id": "3700",
            "caller": "0x7ffc6a6a17f2",
            "parentcaller": "0x7ffc756be12f",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a7c"
              }
            ],
            "repeated": 0,
            "id": 17619
          },
          {
            "timestamp": "2026-05-28 22:01:58,834",
            "thread_id": "3700",
            "caller": "0x7ffc6a6a180b",
            "parentcaller": "0x7ffc756be12f",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a30"
              }
            ],
            "repeated": 0,
            "id": 17620
          },
          {
            "timestamp": "2026-05-28 22:01:58,834",
            "thread_id": "3700",
            "caller": "0x7ffc6a6a12d2",
            "parentcaller": "0x7ffc756bdf5c",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache"
              },
              {
                "name": "Handle",
                "value": "0x00000a30"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache"
              }
            ],
            "repeated": 0,
            "id": 17621
          },
          {
            "timestamp": "2026-05-28 22:01:58,834",
            "thread_id": "3700",
            "caller": "0x7ffc6a6a1a81",
            "parentcaller": "0x7ffc6a6a138a",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000a30"
              },
              {
                "name": "SubKey",
                "value": "Metadata"
              },
              {
                "name": "Handle",
                "value": "0x00000a7c"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\Metadata"
              }
            ],
            "repeated": 0,
            "id": 17622
          },
          {
            "timestamp": "2026-05-28 22:01:58,834",
            "thread_id": "3700",
            "caller": "0x7ffc6a6a1166",
            "parentcaller": "0x7ffc756bf579",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000a30"
              },
              {
                "name": "SubKey",
                "value": "Package\\Index\\PackageFullName\\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe"
              },
              {
                "name": "Handle",
                "value": "0x00000a50"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\Package\\Index\\PackageFullName\\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe"
              }
            ],
            "repeated": 0,
            "id": 17623
          },
          {
            "timestamp": "2026-05-28 22:01:58,834",
            "thread_id": "3700",
            "caller": "0x7ffc6a6a1732",
            "parentcaller": "0x7ffc756bf7dc",
            "category": "registry",
            "api": "RegEnumKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a50"
              },
              {
                "name": "Index",
                "value": "0"
              },
              {
                "name": "Name",
                "value": "90"
              },
              {
                "name": "Class",
                "value": ""
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\Package\\Index\\PackageFullName\\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\\90"
              }
            ],
            "repeated": 0,
            "id": 17624
          },
          {
            "timestamp": "2026-05-28 22:01:58,834",
            "thread_id": "3700",
            "caller": "0x7ffc6a6a1651",
            "parentcaller": "0x7ffc756bf5fd",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a50"
              }
            ],
            "repeated": 0,
            "id": 17625
          },
          {
            "timestamp": "2026-05-28 22:01:58,834",
            "thread_id": "3700",
            "caller": "0x7ffc756e54eb",
            "parentcaller": "0x7ffc75725e2d",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 17626
          },
          {
            "timestamp": "2026-05-28 22:01:58,834",
            "thread_id": "3700",
            "caller": "0x7ffc756e54eb",
            "parentcaller": "0x7ffc75725e8b",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\x10\\xbe\\xacT\\x92\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x92\\x02\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\xe9\\x03\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 17627
          },
          {
            "timestamp": "2026-05-28 22:01:58,834",
            "thread_id": "3700",
            "caller": "0x7ffc6a6a1166",
            "parentcaller": "0x7ffc756bebe9",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000a30"
              },
              {
                "name": "SubKey",
                "value": "User\\Index\\UserSid\\S-1-5-21-3968686040-3210279463-847977608-1001"
              },
              {
                "name": "Handle",
                "value": "0x00000a50"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\User\\Index\\UserSid\\S-1-5-21-3968686040-3210279463-847977608-1001"
              }
            ],
            "repeated": 0,
            "id": 17628
          },
          {
            "timestamp": "2026-05-28 22:01:58,834",
            "thread_id": "3700",
            "caller": "0x7ffc6a6a1732",
            "parentcaller": "0x7ffc756bf7dc",
            "category": "registry",
            "api": "RegEnumKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a50"
              },
              {
                "name": "Index",
                "value": "0"
              },
              {
                "name": "Name",
                "value": "3"
              },
              {
                "name": "Class",
                "value": ""
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\User\\Index\\UserSid\\S-1-5-21-3968686040-3210279463-847977608-1001\\3"
              }
            ],
            "repeated": 0,
            "id": 17629
          },
          {
            "timestamp": "2026-05-28 22:01:58,834",
            "thread_id": "3700",
            "caller": "0x7ffc6a6a1651",
            "parentcaller": "0x7ffc756bec6d",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a50"
              }
            ],
            "repeated": 0,
            "id": 17630
          },
          {
            "timestamp": "2026-05-28 22:01:58,834",
            "thread_id": "3700",
            "caller": "0x7ffc6a6a1166",
            "parentcaller": "0x7ffc756be9b0",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000a30"
              },
              {
                "name": "SubKey",
                "value": "PackageExternalLocation\\Index\\UserAndPackage\\3^90"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\PackageExternalLocation\\Index\\UserAndPackage\\3^90"
              }
            ],
            "repeated": 0,
            "id": 17631
          },
          {
            "timestamp": "2026-05-28 22:01:58,834",
            "thread_id": "3700",
            "caller": "0x7ffc6a6a1166",
            "parentcaller": "0x7ffc756be9b0",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000a30"
              },
              {
                "name": "SubKey",
                "value": "PackageExternalLocation\\Index\\UserAndPackage\\0^90"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\PackageExternalLocation\\Index\\UserAndPackage\\0^90"
              }
            ],
            "repeated": 0,
            "id": 17632
          },
          {
            "timestamp": "2026-05-28 22:01:58,834",
            "thread_id": "3700",
            "caller": "0x7ffc6a6a1166",
            "parentcaller": "0x7ffc756bf308",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000a30"
              },
              {
                "name": "SubKey",
                "value": "Package\\Data\\90"
              },
              {
                "name": "Handle",
                "value": "0x00000a50"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\Package\\Data\\90"
              }
            ],
            "repeated": 0,
            "id": 17633
          },
          {
            "timestamp": "2026-05-28 22:01:58,834",
            "thread_id": "3700",
            "caller": "0x7ffc6a6a15ac",
            "parentcaller": "0x7ffc6a6a14ff",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a50"
              },
              {
                "name": "ValueName",
                "value": "InstalledLocation"
              },
              {
                "name": "Data",
                "value": "C:\\Program Files\\WindowsApps\\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\Package\\Data\\90\\InstalledLocation"
              }
            ],
            "repeated": 0,
            "id": 17634
          },
          {
            "timestamp": "2026-05-28 22:01:58,834",
            "thread_id": "3700",
            "caller": "0x7ffc6a6a15ac",
            "parentcaller": "0x7ffc6a6a14ff",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a50"
              },
              {
                "name": "ValueName",
                "value": "MutableLink"
              },
              {
                "name": "Data",
                "value": ""
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\Package\\Data\\90\\MutableLink"
              }
            ],
            "repeated": 0,
            "id": 17635
          },
          {
            "timestamp": "2026-05-28 22:01:58,834",
            "thread_id": "3700",
            "caller": "0x7ffc6a6a1651",
            "parentcaller": "0x7ffc756bed38",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a50"
              }
            ],
            "repeated": 0,
            "id": 17636
          },
          {
            "timestamp": "2026-05-28 22:01:58,834",
            "thread_id": "3700",
            "caller": "0x7ffc6a6a17f2",
            "parentcaller": "0x7ffc756be12f",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a7c"
              }
            ],
            "repeated": 0,
            "id": 17637
          },
          {
            "timestamp": "2026-05-28 22:01:58,834",
            "thread_id": "3700",
            "caller": "0x7ffc6a6a180b",
            "parentcaller": "0x7ffc756be12f",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a30"
              }
            ],
            "repeated": 0,
            "id": 17638
          },
          {
            "timestamp": "2026-05-28 22:01:58,834",
            "thread_id": "3700",
            "caller": "0x7ffc77be92b9",
            "parentcaller": "0x7ffc77c21dfa",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "41FD88F7-F295-4D39-91AC-A85F3149A05B"
              },
              {
                "name": "ClsContext",
                "value": "0x00000403",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER|CLSCTX_NO_CODE_DOWNLOAD"
              },
              {
                "name": "riid",
                "value": "00000003-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 3,
            "id": 17639
          },
          {
            "timestamp": "2026-05-28 22:01:58,834",
            "thread_id": "3700",
            "caller": "0x7ffc756e3a9c",
            "parentcaller": "0x7ffc756e3529",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 17640
          },
          {
            "timestamp": "2026-05-28 22:01:58,834",
            "thread_id": "3700",
            "caller": "0x7ffc756e40c4",
            "parentcaller": "0x7ffc756e3f4b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000000d4"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 17641
          },
          {
            "timestamp": "2026-05-28 22:01:58,834",
            "thread_id": "3700",
            "caller": "0x7ffc756e3f76",
            "parentcaller": "0x7ffc75764fd4",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020119",
                "pretty_value": "KEY_QUERY_VALUE|KEY_ENUMERATE_SUB_KEYS|KEY_NOTIFY|KEY_WOW64_64KEY|STANDARD_RIGHTS_REQUIRED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000000d4"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateChange\\PackageList\\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateChange\\PackageList\\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe"
              }
            ],
            "repeated": 0,
            "id": 17642
          },
          {
            "timestamp": "2026-05-28 22:01:58,834",
            "thread_id": "3700",
            "caller": "0x7ffc756c26e8",
            "parentcaller": "0x7ffc756c279b",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xc0\\xef\\x1f\\x9e\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00c\\x00r\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\xe9\\x03\\x00\\x00t\\x00o\\x00r\\x00e\\x00_\\x001\\x001\\x009\\x001\\x000\\x00.\\x001\\x000\\x000\\x002\\x00.\\x005\\x00.\\x000\\x00_\\x00"
              }
            ],
            "repeated": 0,
            "id": 17643
          },
          {
            "timestamp": "2026-05-28 22:01:58,834",
            "thread_id": "3700",
            "caller": "0x7ffc756e3a9c",
            "parentcaller": "0x7ffc756e3529",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 17644
          },
          {
            "timestamp": "2026-05-28 22:01:58,834",
            "thread_id": "3700",
            "caller": "0x7ffc756e40c4",
            "parentcaller": "0x7ffc756e3f4b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000720"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 17645
          },
          {
            "timestamp": "2026-05-28 22:01:58,834",
            "thread_id": "3700",
            "caller": "0x7ffc756e3f76",
            "parentcaller": "0x7ffc75764fd4",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000a30"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000720"
              },
              {
                "name": "ObjectAttributesName",
                "value": "S-1-5-21-3968686040-3210279463-847977608-1001"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER"
              }
            ],
            "repeated": 0,
            "id": 17646
          },
          {
            "timestamp": "2026-05-28 22:01:58,834",
            "thread_id": "3700",
            "caller": "0x7ffc756e40c4",
            "parentcaller": "0x7ffc756e3f4b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000a30"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 17647
          },
          {
            "timestamp": "2026-05-28 22:01:58,834",
            "thread_id": "3700",
            "caller": "0x7ffc756e3f76",
            "parentcaller": "0x7ffc75764fd4",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000a7c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020119",
                "pretty_value": "KEY_QUERY_VALUE|KEY_ENUMERATE_SUB_KEYS|KEY_NOTIFY|KEY_WOW64_64KEY|STANDARD_RIGHTS_REQUIRED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000a30"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\Repository\\Packages\\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\Repository\\Packages\\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe"
              }
            ],
            "repeated": 0,
            "id": 17648
          },
          {
            "timestamp": "2026-05-28 22:01:58,834",
            "thread_id": "3700",
            "caller": "0x7ffc756c4086",
            "parentcaller": "0x7ffc756c27b6",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a30"
              }
            ],
            "repeated": 0,
            "id": 17649
          },
          {
            "timestamp": "2026-05-28 22:01:58,834",
            "thread_id": "3700",
            "caller": "0x7ffc756c40c3",
            "parentcaller": "0x7ffc756c27b6",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a7c"
              },
              {
                "name": "ValueName",
                "value": "PackageStatus"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\Repository\\Packages\\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\\PackageStatus"
              }
            ],
            "repeated": 0,
            "id": 17650
          },
          {
            "timestamp": "2026-05-28 22:01:58,834",
            "thread_id": "3700",
            "caller": "0x7ffc756c40d4",
            "parentcaller": "0x7ffc756c27b6",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a7c"
              }
            ],
            "repeated": 0,
            "id": 17651
          },
          {
            "timestamp": "2026-05-28 22:01:58,834",
            "thread_id": "3700",
            "caller": "0x7ffc77be92b9",
            "parentcaller": "0x7ffc77c21dfa",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "41FD88F7-F295-4D39-91AC-A85F3149A05B"
              },
              {
                "name": "ClsContext",
                "value": "0x00000403",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER|CLSCTX_NO_CODE_DOWNLOAD"
              },
              {
                "name": "riid",
                "value": "00000003-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 17652
          },
          {
            "timestamp": "2026-05-28 22:01:58,834",
            "thread_id": "3700",
            "caller": "0x7ffc61105d4a",
            "parentcaller": "0x7ffc6110618f",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "DBCE7E40-7345-439D-B12C-114A11819A09"
              },
              {
                "name": "ClsContext",
                "value": "0x00000001",
                "pretty_value": "CLSCTX_INPROC_SERVER"
              },
              {
                "name": "riid",
                "value": "130A2F65-2BE7-4309-9A58-A9052FF2B61C"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 17653
          },
          {
            "timestamp": "2026-05-28 22:01:58,834",
            "thread_id": "3700",
            "caller": "0x7ffc6a6a12d2",
            "parentcaller": "0x7ffc756bdc16",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache"
              },
              {
                "name": "Handle",
                "value": "0x00000a7c"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache"
              }
            ],
            "repeated": 0,
            "id": 17654
          },
          {
            "timestamp": "2026-05-28 22:01:58,834",
            "thread_id": "3700",
            "caller": "0x7ffc6a6a1a81",
            "parentcaller": "0x7ffc6a6a138a",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000a7c"
              },
              {
                "name": "SubKey",
                "value": "Metadata"
              },
              {
                "name": "Handle",
                "value": "0x00000a30"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\Metadata"
              }
            ],
            "repeated": 0,
            "id": 17655
          },
          {
            "timestamp": "2026-05-28 22:01:58,834",
            "thread_id": "3700",
            "caller": "0x7ffc6a6a1166",
            "parentcaller": "0x7ffc756bf579",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000a7c"
              },
              {
                "name": "SubKey",
                "value": "Package\\Index\\PackageFullName\\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe"
              },
              {
                "name": "Handle",
                "value": "0x00000a50"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\Package\\Index\\PackageFullName\\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe"
              }
            ],
            "repeated": 0,
            "id": 17656
          },
          {
            "timestamp": "2026-05-28 22:01:58,834",
            "thread_id": "3700",
            "caller": "0x7ffc6a6a1732",
            "parentcaller": "0x7ffc756bf7dc",
            "category": "registry",
            "api": "RegEnumKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a50"
              },
              {
                "name": "Index",
                "value": "0"
              },
              {
                "name": "Name",
                "value": "90"
              },
              {
                "name": "Class",
                "value": ""
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\Package\\Index\\PackageFullName\\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\\90"
              }
            ],
            "repeated": 0,
            "id": 17657
          },
          {
            "timestamp": "2026-05-28 22:01:58,834",
            "thread_id": "3700",
            "caller": "0x7ffc6a6a1651",
            "parentcaller": "0x7ffc756bf5fd",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a50"
              }
            ],
            "repeated": 0,
            "id": 17658
          },
          {
            "timestamp": "2026-05-28 22:01:58,834",
            "thread_id": "3700",
            "caller": "0x7ffc6a6a1166",
            "parentcaller": "0x7ffc756bf308",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000a7c"
              },
              {
                "name": "SubKey",
                "value": "Package\\Data\\90"
              },
              {
                "name": "Handle",
                "value": "0x00000a50"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\Package\\Data\\90"
              }
            ],
            "repeated": 0,
            "id": 17659
          },
          {
            "timestamp": "2026-05-28 22:01:58,834",
            "thread_id": "3700",
            "caller": "0x7ffc6a6a16ad",
            "parentcaller": "0x7ffc7572d320",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a50"
              },
              {
                "name": "ValueName",
                "value": "PackageOrigin"
              },
              {
                "name": "Data",
                "value": "3"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\Package\\Data\\90\\PackageOrigin"
              }
            ],
            "repeated": 0,
            "id": 17660
          },
          {
            "timestamp": "2026-05-28 22:01:58,834",
            "thread_id": "3700",
            "caller": "0x7ffc6a6a1651",
            "parentcaller": "0x7ffc756bed38",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a50"
              }
            ],
            "repeated": 0,
            "id": 17661
          },
          {
            "timestamp": "2026-05-28 22:01:58,834",
            "thread_id": "3700",
            "caller": "0x7ffc6a6a17f2",
            "parentcaller": "0x7ffc756bdcce",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a30"
              }
            ],
            "repeated": 0,
            "id": 17662
          },
          {
            "timestamp": "2026-05-28 22:01:58,834",
            "thread_id": "3700",
            "caller": "0x7ffc6a6a180b",
            "parentcaller": "0x7ffc756bdcce",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a7c"
              }
            ],
            "repeated": 1,
            "id": 17663
          },
          {
            "timestamp": "2026-05-28 22:01:58,834",
            "thread_id": "3700",
            "caller": "0x7ffc780067b9",
            "parentcaller": "0x7ffc7572ad43",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a30"
              }
            ],
            "repeated": 0,
            "id": 17664
          },
          {
            "timestamp": "2026-05-28 22:01:58,834",
            "thread_id": "3700",
            "caller": "0x7ffc756c26e8",
            "parentcaller": "0x7ffc756c279b",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xc0\\xe7\\x1f\\x9e\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\xe9\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x03N\\x92\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xc0\\x07\\x02x\\xfc\\x7f\\x00\\x00\\xe7\\xddh\\xfa"
              }
            ],
            "repeated": 0,
            "id": 17665
          },
          {
            "timestamp": "2026-05-28 22:01:58,834",
            "thread_id": "3700",
            "caller": "0x7ffc756e3a9c",
            "parentcaller": "0x7ffc756e3529",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 17666
          },
          {
            "timestamp": "2026-05-28 22:01:58,834",
            "thread_id": "3700",
            "caller": "0x7ffc756e40c4",
            "parentcaller": "0x7ffc756e3f4b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000720"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 17667
          },
          {
            "timestamp": "2026-05-28 22:01:58,834",
            "thread_id": "3700",
            "caller": "0x7ffc756e3f76",
            "parentcaller": "0x7ffc75764fd4",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000a30"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000720"
              },
              {
                "name": "ObjectAttributesName",
                "value": "S-1-5-21-3968686040-3210279463-847977608-1001"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER"
              }
            ],
            "repeated": 0,
            "id": 17668
          },
          {
            "timestamp": "2026-05-28 22:01:58,834",
            "thread_id": "3700",
            "caller": "0x7ffc756e40c4",
            "parentcaller": "0x7ffc756e3f4b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000a30"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 17669
          },
          {
            "timestamp": "2026-05-28 22:01:58,834",
            "thread_id": "3700",
            "caller": "0x7ffc756e3f76",
            "parentcaller": "0x7ffc75764fd4",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000a7c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020119",
                "pretty_value": "KEY_QUERY_VALUE|KEY_ENUMERATE_SUB_KEYS|KEY_NOTIFY|KEY_WOW64_64KEY|STANDARD_RIGHTS_REQUIRED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000a30"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\Repository\\Packages\\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\Repository\\Packages\\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe"
              }
            ],
            "repeated": 0,
            "id": 17670
          },
          {
            "timestamp": "2026-05-28 22:01:58,834",
            "thread_id": "3700",
            "caller": "0x7ffc756c4086",
            "parentcaller": "0x7ffc756c27b6",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a30"
              }
            ],
            "repeated": 0,
            "id": 17671
          },
          {
            "timestamp": "2026-05-28 22:01:58,834",
            "thread_id": "3700",
            "caller": "0x7ffc756c40c3",
            "parentcaller": "0x7ffc756c27b6",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a7c"
              },
              {
                "name": "ValueName",
                "value": "PackageStatus"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\Repository\\Packages\\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\\PackageStatus"
              }
            ],
            "repeated": 0,
            "id": 17672
          },
          {
            "timestamp": "2026-05-28 22:01:58,834",
            "thread_id": "3700",
            "caller": "0x7ffc756c40d4",
            "parentcaller": "0x7ffc756c27b6",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a7c"
              }
            ],
            "repeated": 0,
            "id": 17673
          },
          {
            "timestamp": "2026-05-28 22:01:58,834",
            "thread_id": "3700",
            "caller": "0x7ffc6a6a12d2",
            "parentcaller": "0x7ffc756bd566",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache"
              },
              {
                "name": "Handle",
                "value": "0x00000a7c"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache"
              }
            ],
            "repeated": 0,
            "id": 17674
          },
          {
            "timestamp": "2026-05-28 22:01:58,834",
            "thread_id": "3700",
            "caller": "0x7ffc6a6a1a81",
            "parentcaller": "0x7ffc6a6a138a",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000a7c"
              },
              {
                "name": "SubKey",
                "value": "Metadata"
              },
              {
                "name": "Handle",
                "value": "0x00000a30"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\Metadata"
              }
            ],
            "repeated": 0,
            "id": 17675
          },
          {
            "timestamp": "2026-05-28 22:01:58,834",
            "thread_id": "3700",
            "caller": "0x7ffc6a6a1166",
            "parentcaller": "0x7ffc756bf579",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000a7c"
              },
              {
                "name": "SubKey",
                "value": "Package\\Index\\PackageFullName\\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe"
              },
              {
                "name": "Handle",
                "value": "0x00000a50"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\Package\\Index\\PackageFullName\\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe"
              }
            ],
            "repeated": 0,
            "id": 17676
          },
          {
            "timestamp": "2026-05-28 22:01:58,834",
            "thread_id": "3700",
            "caller": "0x7ffc6a6a1732",
            "parentcaller": "0x7ffc756bf7dc",
            "category": "registry",
            "api": "RegEnumKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a50"
              },
              {
                "name": "Index",
                "value": "0"
              },
              {
                "name": "Name",
                "value": "90"
              },
              {
                "name": "Class",
                "value": ""
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\Package\\Index\\PackageFullName\\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\\90"
              }
            ],
            "repeated": 0,
            "id": 17677
          },
          {
            "timestamp": "2026-05-28 22:01:58,834",
            "thread_id": "3700",
            "caller": "0x7ffc6a6a1651",
            "parentcaller": "0x7ffc756bf5fd",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a50"
              }
            ],
            "repeated": 0,
            "id": 17678
          },
          {
            "timestamp": "2026-05-28 22:01:58,834",
            "thread_id": "3700",
            "caller": "0x7ffc6a6a1166",
            "parentcaller": "0x7ffc756bf308",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000a7c"
              },
              {
                "name": "SubKey",
                "value": "Package\\Data\\90"
              },
              {
                "name": "Handle",
                "value": "0x00000a50"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\Package\\Data\\90"
              }
            ],
            "repeated": 0,
            "id": 17679
          },
          {
            "timestamp": "2026-05-28 22:01:58,834",
            "thread_id": "3700",
            "caller": "0x7ffc6a6a15ac",
            "parentcaller": "0x7ffc6a6a14ff",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a50"
              },
              {
                "name": "ValueName",
                "value": "PackageFullName"
              },
              {
                "name": "Data",
                "value": "Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\Package\\Data\\90\\PackageFullName"
              }
            ],
            "repeated": 0,
            "id": 17680
          },
          {
            "timestamp": "2026-05-28 22:01:58,834",
            "thread_id": "3700",
            "caller": "0x7ffc6a6a16ad",
            "parentcaller": "0x7ffc7572d320",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a50"
              },
              {
                "name": "ValueName",
                "value": "PackageFamily"
              },
              {
                "name": "Data",
                "value": "78"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\Package\\Data\\90\\PackageFamily"
              }
            ],
            "repeated": 0,
            "id": 17681
          },
          {
            "timestamp": "2026-05-28 22:01:58,834",
            "thread_id": "3700",
            "caller": "0x7ffc6a6a16ad",
            "parentcaller": "0x7ffc7572d320",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a50"
              },
              {
                "name": "ValueName",
                "value": "PackageType"
              },
              {
                "name": "Data",
                "value": "1"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\Package\\Data\\90\\PackageType"
              }
            ],
            "repeated": 0,
            "id": 17682
          },
          {
            "timestamp": "2026-05-28 22:01:58,834",
            "thread_id": "3700",
            "caller": "0x7ffc6a6a16ad",
            "parentcaller": "0x7ffc7572d320",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a50"
              },
              {
                "name": "ValueName",
                "value": "Flags"
              },
              {
                "name": "Data",
                "value": "16777224"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\Package\\Data\\90\\Flags"
              }
            ],
            "repeated": 0,
            "id": 17683
          },
          {
            "timestamp": "2026-05-28 22:01:58,834",
            "thread_id": "3700",
            "caller": "0x7ffc6a6a16ad",
            "parentcaller": "0x7ffc7572d320",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a50"
              },
              {
                "name": "ValueName",
                "value": "Flags2"
              },
              {
                "name": "Data",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\Package\\Data\\90\\Flags2"
              }
            ],
            "repeated": 0,
            "id": 17684
          },
          {
            "timestamp": "2026-05-28 22:01:58,834",
            "thread_id": "3700",
            "caller": "0x7ffc6a6a16ad",
            "parentcaller": "0x7ffc7572d320",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a50"
              },
              {
                "name": "ValueName",
                "value": "PackageOrigin"
              },
              {
                "name": "Data",
                "value": "3"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\Package\\Data\\90\\PackageOrigin"
              }
            ],
            "repeated": 0,
            "id": 17685
          },
          {
            "timestamp": "2026-05-28 22:01:58,834",
            "thread_id": "3700",
            "caller": "0x7ffc6a6a16ad",
            "parentcaller": "0x7ffc7572d320",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a50"
              },
              {
                "name": "ValueName",
                "value": "Volume"
              },
              {
                "name": "Data",
                "value": "1"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\Package\\Data\\90\\Volume"
              }
            ],
            "repeated": 0,
            "id": 17686
          },
          {
            "timestamp": "2026-05-28 22:01:58,834",
            "thread_id": "3700",
            "caller": "0x7ffc6a6a189d",
            "parentcaller": "0x7ffc756bf035",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a50"
              },
              {
                "name": "ValueName",
                "value": "OSMaxVersionTested"
              },
              {
                "name": "Data",
                "value": "\\x00\\x00UE\\x00\\x00\n\\x00"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\Package\\Data\\90\\OSMaxVersionTested"
              }
            ],
            "repeated": 0,
            "id": 17687
          },
          {
            "timestamp": "2026-05-28 22:01:58,834",
            "thread_id": "3700",
            "caller": "0x7ffc6a6a15ac",
            "parentcaller": "0x7ffc6a6a14ff",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a50"
              },
              {
                "name": "ValueName",
                "value": "InstalledLocation"
              },
              {
                "name": "Data",
                "value": "C:\\Program Files\\WindowsApps\\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\Package\\Data\\90\\InstalledLocation"
              }
            ],
            "repeated": 0,
            "id": 17688
          },
          {
            "timestamp": "2026-05-28 22:01:58,834",
            "thread_id": "3700",
            "caller": "0x7ffc6a6a15ac",
            "parentcaller": "0x7ffc6a6a14ff",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a50"
              },
              {
                "name": "ValueName",
                "value": "MutableLink"
              },
              {
                "name": "Data",
                "value": ""
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\Package\\Data\\90\\MutableLink"
              }
            ],
            "repeated": 0,
            "id": 17689
          },
          {
            "timestamp": "2026-05-28 22:01:58,834",
            "thread_id": "3700",
            "caller": "0x7ffc6a6a15ac",
            "parentcaller": "0x7ffc6a6a14ff",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a50"
              },
              {
                "name": "ValueName",
                "value": "MutableLocation"
              },
              {
                "name": "Data",
                "value": ""
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\Package\\Data\\90\\MutableLocation"
              }
            ],
            "repeated": 0,
            "id": 17690
          },
          {
            "timestamp": "2026-05-28 22:01:58,834",
            "thread_id": "3700",
            "caller": "0x7ffc6a6a16ad",
            "parentcaller": "0x7ffc7572d320",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a50"
              },
              {
                "name": "ValueName",
                "value": "TargetDeviceFamilyName"
              },
              {
                "name": "Data",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\Package\\Data\\90\\TargetDeviceFamilyName"
              }
            ],
            "repeated": 0,
            "id": 17691
          },
          {
            "timestamp": "2026-05-28 22:01:58,834",
            "thread_id": "3700",
            "caller": "0x7ffc6a6a1651",
            "parentcaller": "0x7ffc756bed38",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a50"
              }
            ],
            "repeated": 0,
            "id": 17692
          },
          {
            "timestamp": "2026-05-28 22:01:58,834",
            "thread_id": "3700",
            "caller": "0x7ffc6a6a17f2",
            "parentcaller": "0x7ffc756bd61d",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a30"
              }
            ],
            "repeated": 0,
            "id": 17693
          },
          {
            "timestamp": "2026-05-28 22:01:58,834",
            "thread_id": "3700",
            "caller": "0x7ffc6a6a180b",
            "parentcaller": "0x7ffc756bd61d",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a7c"
              }
            ],
            "repeated": 0,
            "id": 17694
          },
          {
            "timestamp": "2026-05-28 22:01:58,834",
            "thread_id": "3700",
            "caller": "0x7ffc7800fa15",
            "parentcaller": "0x7ffc6a149dce",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000a7c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020119",
                "pretty_value": "KEY_QUERY_VALUE|KEY_ENUMERATE_SUB_KEYS|KEY_NOTIFY|KEY_WOW64_64KEY|STANDARD_RIGHTS_REQUIRED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Microsoft\\Windows NT\\CurrentVersion"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion"
              }
            ],
            "repeated": 0,
            "id": 17695
          },
          {
            "timestamp": "2026-05-28 22:01:58,834",
            "thread_id": "3700",
            "caller": "0x7ffc7800fa41",
            "parentcaller": "0x7ffc6a149dce",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a7c"
              }
            ],
            "repeated": 0,
            "id": 17696
          },
          {
            "timestamp": "2026-05-28 22:01:58,834",
            "thread_id": "3700",
            "caller": "0x7ffc7800f97c",
            "parentcaller": "0x7ffc6a149dce",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000a7c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020119",
                "pretty_value": "KEY_QUERY_VALUE|KEY_ENUMERATE_SUB_KEYS|KEY_NOTIFY|KEY_WOW64_64KEY|STANDARD_RIGHTS_REQUIRED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Microsoft\\Windows NT\\CurrentVersion\\OEM"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\OEM"
              }
            ],
            "repeated": 0,
            "id": 17697
          },
          {
            "timestamp": "2026-05-28 22:01:58,834",
            "thread_id": "3700",
            "caller": "0x7ffc7800f9ac",
            "parentcaller": "0x7ffc6a149dce",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a7c"
              }
            ],
            "repeated": 0,
            "id": 17698
          },
          {
            "timestamp": "2026-05-28 22:01:58,834",
            "thread_id": "3700",
            "caller": "0x7ffc6a6a12d2",
            "parentcaller": "0x7ffc756bdf5c",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache"
              },
              {
                "name": "Handle",
                "value": "0x00000a7c"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache"
              }
            ],
            "repeated": 0,
            "id": 17699
          },
          {
            "timestamp": "2026-05-28 22:01:58,834",
            "thread_id": "3700",
            "caller": "0x7ffc6a6a1a81",
            "parentcaller": "0x7ffc6a6a138a",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000a7c"
              },
              {
                "name": "SubKey",
                "value": "Metadata"
              },
              {
                "name": "Handle",
                "value": "0x00000a30"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\Metadata"
              }
            ],
            "repeated": 0,
            "id": 17700
          },
          {
            "timestamp": "2026-05-28 22:01:58,834",
            "thread_id": "3700",
            "caller": "0x7ffc6a6a1166",
            "parentcaller": "0x7ffc756bf579",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000a7c"
              },
              {
                "name": "SubKey",
                "value": "Package\\Index\\PackageFullName\\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe"
              },
              {
                "name": "Handle",
                "value": "0x00000a50"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\Package\\Index\\PackageFullName\\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe"
              }
            ],
            "repeated": 0,
            "id": 17701
          },
          {
            "timestamp": "2026-05-28 22:01:58,834",
            "thread_id": "3700",
            "caller": "0x7ffc6a6a1732",
            "parentcaller": "0x7ffc756bf7dc",
            "category": "registry",
            "api": "RegEnumKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a50"
              },
              {
                "name": "Index",
                "value": "0"
              },
              {
                "name": "Name",
                "value": "90"
              },
              {
                "name": "Class",
                "value": ""
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\Package\\Index\\PackageFullName\\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\\90"
              }
            ],
            "repeated": 0,
            "id": 17702
          },
          {
            "timestamp": "2026-05-28 22:01:58,834",
            "thread_id": "3700",
            "caller": "0x7ffc6a6a1651",
            "parentcaller": "0x7ffc756bf5fd",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a50"
              }
            ],
            "repeated": 0,
            "id": 17703
          },
          {
            "timestamp": "2026-05-28 22:01:58,834",
            "thread_id": "3700",
            "caller": "0x7ffc756e54eb",
            "parentcaller": "0x7ffc75725e2d",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 17704
          },
          {
            "timestamp": "2026-05-28 22:01:58,834",
            "thread_id": "3700",
            "caller": "0x7ffc756e54eb",
            "parentcaller": "0x7ffc75725e8b",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xd0\\xbc\\xacT\\x92\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\xe9\\x03\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 17705
          },
          {
            "timestamp": "2026-05-28 22:01:58,834",
            "thread_id": "3700",
            "caller": "0x7ffc6a6a1166",
            "parentcaller": "0x7ffc756bebe9",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000a7c"
              },
              {
                "name": "SubKey",
                "value": "User\\Index\\UserSid\\S-1-5-21-3968686040-3210279463-847977608-1001"
              },
              {
                "name": "Handle",
                "value": "0x00000a50"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\User\\Index\\UserSid\\S-1-5-21-3968686040-3210279463-847977608-1001"
              }
            ],
            "repeated": 0,
            "id": 17706
          },
          {
            "timestamp": "2026-05-28 22:01:58,834",
            "thread_id": "3700",
            "caller": "0x7ffc6a6a1732",
            "parentcaller": "0x7ffc756bf7dc",
            "category": "registry",
            "api": "RegEnumKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a50"
              },
              {
                "name": "Index",
                "value": "0"
              },
              {
                "name": "Name",
                "value": "3"
              },
              {
                "name": "Class",
                "value": ""
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\User\\Index\\UserSid\\S-1-5-21-3968686040-3210279463-847977608-1001\\3"
              }
            ],
            "repeated": 0,
            "id": 17707
          },
          {
            "timestamp": "2026-05-28 22:01:58,834",
            "thread_id": "3700",
            "caller": "0x7ffc6a6a1651",
            "parentcaller": "0x7ffc756bec6d",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a50"
              }
            ],
            "repeated": 0,
            "id": 17708
          },
          {
            "timestamp": "2026-05-28 22:01:58,834",
            "thread_id": "3700",
            "caller": "0x7ffc6a6a1166",
            "parentcaller": "0x7ffc756be9b0",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000a7c"
              },
              {
                "name": "SubKey",
                "value": "PackageExternalLocation\\Index\\UserAndPackage\\3^90"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\PackageExternalLocation\\Index\\UserAndPackage\\3^90"
              }
            ],
            "repeated": 0,
            "id": 17709
          },
          {
            "timestamp": "2026-05-28 22:01:58,834",
            "thread_id": "3700",
            "caller": "0x7ffc6a6a1166",
            "parentcaller": "0x7ffc756be9b0",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000a7c"
              },
              {
                "name": "SubKey",
                "value": "PackageExternalLocation\\Index\\UserAndPackage\\0^90"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\PackageExternalLocation\\Index\\UserAndPackage\\0^90"
              }
            ],
            "repeated": 0,
            "id": 17710
          },
          {
            "timestamp": "2026-05-28 22:01:58,834",
            "thread_id": "3700",
            "caller": "0x7ffc6a6a1166",
            "parentcaller": "0x7ffc756bf308",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000a7c"
              },
              {
                "name": "SubKey",
                "value": "Package\\Data\\90"
              },
              {
                "name": "Handle",
                "value": "0x00000a50"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\Package\\Data\\90"
              }
            ],
            "repeated": 0,
            "id": 17711
          },
          {
            "timestamp": "2026-05-28 22:01:58,834",
            "thread_id": "3700",
            "caller": "0x7ffc6a6a15ac",
            "parentcaller": "0x7ffc6a6a14ff",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a50"
              },
              {
                "name": "ValueName",
                "value": "InstalledLocation"
              },
              {
                "name": "Data",
                "value": "C:\\Program Files\\WindowsApps\\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\Package\\Data\\90\\InstalledLocation"
              }
            ],
            "repeated": 0,
            "id": 17712
          },
          {
            "timestamp": "2026-05-28 22:01:58,834",
            "thread_id": "3700",
            "caller": "0x7ffc6a6a15ac",
            "parentcaller": "0x7ffc6a6a14ff",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a50"
              },
              {
                "name": "ValueName",
                "value": "MutableLink"
              },
              {
                "name": "Data",
                "value": ""
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\Package\\Data\\90\\MutableLink"
              }
            ],
            "repeated": 0,
            "id": 17713
          },
          {
            "timestamp": "2026-05-28 22:01:58,834",
            "thread_id": "3700",
            "caller": "0x7ffc6a6a1651",
            "parentcaller": "0x7ffc756bed38",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a50"
              }
            ],
            "repeated": 0,
            "id": 17714
          },
          {
            "timestamp": "2026-05-28 22:01:58,834",
            "thread_id": "3700",
            "caller": "0x7ffc6a6a17f2",
            "parentcaller": "0x7ffc756be12f",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a30"
              }
            ],
            "repeated": 0,
            "id": 17715
          },
          {
            "timestamp": "2026-05-28 22:01:58,834",
            "thread_id": "3700",
            "caller": "0x7ffc6a6a180b",
            "parentcaller": "0x7ffc756be12f",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a7c"
              }
            ],
            "repeated": 0,
            "id": 17716
          },
          {
            "timestamp": "2026-05-28 22:01:58,834",
            "thread_id": "3700",
            "caller": "0x7ffc6a6a12d2",
            "parentcaller": "0x7ffc756bdf5c",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache"
              },
              {
                "name": "Handle",
                "value": "0x00000a7c"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache"
              }
            ],
            "repeated": 0,
            "id": 17717
          },
          {
            "timestamp": "2026-05-28 22:01:58,834",
            "thread_id": "3700",
            "caller": "0x7ffc6a6a1a81",
            "parentcaller": "0x7ffc6a6a138a",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000a7c"
              },
              {
                "name": "SubKey",
                "value": "Metadata"
              },
              {
                "name": "Handle",
                "value": "0x00000a30"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\Metadata"
              }
            ],
            "repeated": 0,
            "id": 17718
          },
          {
            "timestamp": "2026-05-28 22:01:58,834",
            "thread_id": "3700",
            "caller": "0x7ffc6a6a1166",
            "parentcaller": "0x7ffc756bf579",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000a7c"
              },
              {
                "name": "SubKey",
                "value": "Package\\Index\\PackageFullName\\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe"
              },
              {
                "name": "Handle",
                "value": "0x00000a50"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\Package\\Index\\PackageFullName\\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe"
              }
            ],
            "repeated": 0,
            "id": 17719
          },
          {
            "timestamp": "2026-05-28 22:01:58,834",
            "thread_id": "3700",
            "caller": "0x7ffc6a6a1732",
            "parentcaller": "0x7ffc756bf7dc",
            "category": "registry",
            "api": "RegEnumKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a50"
              },
              {
                "name": "Index",
                "value": "0"
              },
              {
                "name": "Name",
                "value": "90"
              },
              {
                "name": "Class",
                "value": ""
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\Package\\Index\\PackageFullName\\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\\90"
              }
            ],
            "repeated": 0,
            "id": 17720
          },
          {
            "timestamp": "2026-05-28 22:01:58,834",
            "thread_id": "3700",
            "caller": "0x7ffc6a6a1651",
            "parentcaller": "0x7ffc756bf5fd",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a50"
              }
            ],
            "repeated": 0,
            "id": 17721
          },
          {
            "timestamp": "2026-05-28 22:01:58,834",
            "thread_id": "3700",
            "caller": "0x7ffc756e54eb",
            "parentcaller": "0x7ffc75725e2d",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 17722
          },
          {
            "timestamp": "2026-05-28 22:01:58,834",
            "thread_id": "3700",
            "caller": "0x7ffc756e54eb",
            "parentcaller": "0x7ffc75725e8b",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xd0\\xc0\\xacT\\x92\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x92\\x02\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\xe9\\x03\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 17723
          },
          {
            "timestamp": "2026-05-28 22:01:58,834",
            "thread_id": "3700",
            "caller": "0x7ffc6a6a1166",
            "parentcaller": "0x7ffc756bebe9",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000a7c"
              },
              {
                "name": "SubKey",
                "value": "User\\Index\\UserSid\\S-1-5-21-3968686040-3210279463-847977608-1001"
              },
              {
                "name": "Handle",
                "value": "0x00000a50"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\User\\Index\\UserSid\\S-1-5-21-3968686040-3210279463-847977608-1001"
              }
            ],
            "repeated": 0,
            "id": 17724
          },
          {
            "timestamp": "2026-05-28 22:01:58,834",
            "thread_id": "3700",
            "caller": "0x7ffc6a6a1732",
            "parentcaller": "0x7ffc756bf7dc",
            "category": "registry",
            "api": "RegEnumKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a50"
              },
              {
                "name": "Index",
                "value": "0"
              },
              {
                "name": "Name",
                "value": "3"
              },
              {
                "name": "Class",
                "value": ""
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\User\\Index\\UserSid\\S-1-5-21-3968686040-3210279463-847977608-1001\\3"
              }
            ],
            "repeated": 0,
            "id": 17725
          },
          {
            "timestamp": "2026-05-28 22:01:58,834",
            "thread_id": "3700",
            "caller": "0x7ffc6a6a1651",
            "parentcaller": "0x7ffc756bec6d",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a50"
              }
            ],
            "repeated": 0,
            "id": 17726
          },
          {
            "timestamp": "2026-05-28 22:01:58,834",
            "thread_id": "3700",
            "caller": "0x7ffc6a6a1166",
            "parentcaller": "0x7ffc756be9b0",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000a7c"
              },
              {
                "name": "SubKey",
                "value": "PackageExternalLocation\\Index\\UserAndPackage\\3^90"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\PackageExternalLocation\\Index\\UserAndPackage\\3^90"
              }
            ],
            "repeated": 0,
            "id": 17727
          },
          {
            "timestamp": "2026-05-28 22:01:58,834",
            "thread_id": "3700",
            "caller": "0x7ffc6a6a1166",
            "parentcaller": "0x7ffc756be9b0",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000a7c"
              },
              {
                "name": "SubKey",
                "value": "PackageExternalLocation\\Index\\UserAndPackage\\0^90"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\PackageExternalLocation\\Index\\UserAndPackage\\0^90"
              }
            ],
            "repeated": 0,
            "id": 17728
          },
          {
            "timestamp": "2026-05-28 22:01:58,834",
            "thread_id": "3700",
            "caller": "0x7ffc6a6a1166",
            "parentcaller": "0x7ffc756bf308",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000a7c"
              },
              {
                "name": "SubKey",
                "value": "Package\\Data\\90"
              },
              {
                "name": "Handle",
                "value": "0x00000a50"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\Package\\Data\\90"
              }
            ],
            "repeated": 0,
            "id": 17729
          },
          {
            "timestamp": "2026-05-28 22:01:58,834",
            "thread_id": "3700",
            "caller": "0x7ffc6a6a15ac",
            "parentcaller": "0x7ffc6a6a14ff",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a50"
              },
              {
                "name": "ValueName",
                "value": "InstalledLocation"
              },
              {
                "name": "Data",
                "value": "C:\\Program Files\\WindowsApps\\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\Package\\Data\\90\\InstalledLocation"
              }
            ],
            "repeated": 0,
            "id": 17730
          },
          {
            "timestamp": "2026-05-28 22:01:58,834",
            "thread_id": "3700",
            "caller": "0x7ffc6a6a15ac",
            "parentcaller": "0x7ffc6a6a14ff",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a50"
              },
              {
                "name": "ValueName",
                "value": "MutableLink"
              },
              {
                "name": "Data",
                "value": ""
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\Package\\Data\\90\\MutableLink"
              }
            ],
            "repeated": 0,
            "id": 17731
          },
          {
            "timestamp": "2026-05-28 22:01:58,834",
            "thread_id": "3700",
            "caller": "0x7ffc6a6a1651",
            "parentcaller": "0x7ffc756bed38",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a50"
              }
            ],
            "repeated": 0,
            "id": 17732
          },
          {
            "timestamp": "2026-05-28 22:01:58,834",
            "thread_id": "3700",
            "caller": "0x7ffc6a6a17f2",
            "parentcaller": "0x7ffc756be12f",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a30"
              }
            ],
            "repeated": 0,
            "id": 17733
          },
          {
            "timestamp": "2026-05-28 22:01:58,834",
            "thread_id": "3700",
            "caller": "0x7ffc6a6a180b",
            "parentcaller": "0x7ffc756be12f",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a7c"
              }
            ],
            "repeated": 0,
            "id": 17734
          },
          {
            "timestamp": "2026-05-28 22:01:58,834",
            "thread_id": "3700",
            "caller": "0x7ffc6a6a12d2",
            "parentcaller": "0x7ffc6a12f3d5",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache"
              },
              {
                "name": "Handle",
                "value": "0x00000a7c"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache"
              }
            ],
            "repeated": 0,
            "id": 17735
          },
          {
            "timestamp": "2026-05-28 22:01:58,834",
            "thread_id": "3700",
            "caller": "0x7ffc6a6a1a81",
            "parentcaller": "0x7ffc6a6a138a",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000a7c"
              },
              {
                "name": "SubKey",
                "value": "Metadata"
              },
              {
                "name": "Handle",
                "value": "0x00000a30"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\Metadata"
              }
            ],
            "repeated": 0,
            "id": 17736
          },
          {
            "timestamp": "2026-05-28 22:01:58,834",
            "thread_id": "3700",
            "caller": "0x7ffc6a6a1166",
            "parentcaller": "0x7ffc6a14726d",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000a7c"
              },
              {
                "name": "SubKey",
                "value": "Package\\Index\\PackageFullName\\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe"
              },
              {
                "name": "Handle",
                "value": "0x00000a50"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\Package\\Index\\PackageFullName\\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe"
              }
            ],
            "repeated": 0,
            "id": 17737
          },
          {
            "timestamp": "2026-05-28 22:01:58,834",
            "thread_id": "3700",
            "caller": "0x7ffc6a6a1732",
            "parentcaller": "0x7ffc6a1472d1",
            "category": "registry",
            "api": "RegEnumKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a50"
              },
              {
                "name": "Index",
                "value": "0"
              },
              {
                "name": "Name",
                "value": "90"
              },
              {
                "name": "Class",
                "value": ""
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\Package\\Index\\PackageFullName\\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\\90"
              }
            ],
            "repeated": 0,
            "id": 17738
          },
          {
            "timestamp": "2026-05-28 22:01:58,834",
            "thread_id": "3700",
            "caller": "0x7ffc6a6a1651",
            "parentcaller": "0x7ffc6a147302",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a50"
              }
            ],
            "repeated": 0,
            "id": 17739
          },
          {
            "timestamp": "2026-05-28 22:01:58,834",
            "thread_id": "3700",
            "caller": "0x7ffc6a6a1166",
            "parentcaller": "0x7ffc6a146f0d",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000a7c"
              },
              {
                "name": "SubKey",
                "value": "Package\\Data\\90"
              },
              {
                "name": "Handle",
                "value": "0x00000a50"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\Package\\Data\\90"
              }
            ],
            "repeated": 0,
            "id": 17740
          },
          {
            "timestamp": "2026-05-28 22:01:58,834",
            "thread_id": "3700",
            "caller": "0x7ffc6a6a16ad",
            "parentcaller": "0x7ffc6a15d91c",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a50"
              },
              {
                "name": "ValueName",
                "value": "Flags"
              },
              {
                "name": "Data",
                "value": "16777224"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\Package\\Data\\90\\Flags"
              }
            ],
            "repeated": 0,
            "id": 17741
          },
          {
            "timestamp": "2026-05-28 22:01:58,834",
            "thread_id": "3700",
            "caller": "0x7ffc6a6a15ac",
            "parentcaller": "0x7ffc6a6a14ff",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a50"
              },
              {
                "name": "ValueName",
                "value": "InstalledLocation"
              },
              {
                "name": "Data",
                "value": "C:\\Program Files\\WindowsApps\\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\Package\\Data\\90\\InstalledLocation"
              }
            ],
            "repeated": 0,
            "id": 17742
          },
          {
            "timestamp": "2026-05-28 22:01:58,834",
            "thread_id": "3700",
            "caller": "0x7ffc6a6a1651",
            "parentcaller": "0x7ffc6a146913",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a50"
              }
            ],
            "repeated": 0,
            "id": 17743
          },
          {
            "timestamp": "2026-05-28 22:01:58,834",
            "thread_id": "3700",
            "caller": "0x7ffc6a6a17f2",
            "parentcaller": "0x7ffc6a12f481",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a30"
              }
            ],
            "repeated": 0,
            "id": 17744
          },
          {
            "timestamp": "2026-05-28 22:01:58,834",
            "thread_id": "3700",
            "caller": "0x7ffc6a6a180b",
            "parentcaller": "0x7ffc6a12f481",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a7c"
              }
            ],
            "repeated": 0,
            "id": 17745
          },
          {
            "timestamp": "2026-05-28 22:01:58,834",
            "thread_id": "3700",
            "caller": "0x7ffc78006c8b",
            "parentcaller": "0x7ffc77fe67b5",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xf0\\xe6\\x1f\\x9e\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\xe9\\x03\\x00\\x00\\xf0\\x00\\x00\\x00\\xf05\\x1ej\\xfc\\x7f\\x00\\x00\\x86\\xdequ\\xfc\\x7f\\x00\\x00\t\\x00\\x00\\x00K\\xb4\\x00\\x00\\x00\\x00\\x00\\x00\\xf0\\x00\\x00\\x00@\\xe7\\x1f\\x9e\\xf0\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 17746
          },
          {
            "timestamp": "2026-05-28 22:01:58,834",
            "thread_id": "3700",
            "caller": "0x7ffc77fe67ec",
            "parentcaller": "0x7ffc756c5140",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000a7c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3968686040-3210279463-847977608-1001"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER"
              }
            ],
            "repeated": 0,
            "id": 17747
          },
          {
            "timestamp": "2026-05-28 22:01:58,834",
            "thread_id": "3700",
            "caller": "0x7ffc755e2450",
            "parentcaller": "0x7ffc6a13d33f",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000a7c"
              },
              {
                "name": "SubKey",
                "value": "Software\\Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppContainer\\Storage\\Microsoft.WindowsStore_8wekyb3d8bbwe\\ResourcesConfig"
              },
              {
                "name": "Handle",
                "value": "0x00000a30"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppContainer\\Storage\\Microsoft.WindowsStore_8wekyb3d8bbwe\\ResourcesConfig"
              }
            ],
            "repeated": 0,
            "id": 17748
          },
          {
            "timestamp": "2026-05-28 22:01:58,834",
            "thread_id": "3700",
            "caller": "0x7ffc755e2486",
            "parentcaller": "0x7ffc6a13d33f",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a7c"
              }
            ],
            "repeated": 0,
            "id": 17749
          },
          {
            "timestamp": "2026-05-28 22:01:58,834",
            "thread_id": "3700",
            "caller": "0x7ffc756e2e92",
            "parentcaller": "0x7ffc6a13d19e",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a30"
              },
              {
                "name": "ValueName",
                "value": "CachedMergedResourcesPriFileName"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppContainer\\Storage\\microsoft.windowsstore_8wekyb3d8bbwe\\ResourcesConfig\\CachedMergedResourcesPriFileName"
              }
            ],
            "repeated": 0,
            "id": 17750
          },
          {
            "timestamp": "2026-05-28 22:01:58,834",
            "thread_id": "3700",
            "caller": "0x7ffc756e2e92",
            "parentcaller": "0x7ffc6a13d230",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a30"
              },
              {
                "name": "ValueName",
                "value": "CachedMergedResourcesPriFileName"
              },
              {
                "name": "Data",
                "value": "S-1-5-21-3968686040-3210279463-847977608-1001-MergedResources-0.pri"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppContainer\\Storage\\microsoft.windowsstore_8wekyb3d8bbwe\\ResourcesConfig\\CachedMergedResourcesPriFileName"
              }
            ],
            "repeated": 0,
            "id": 17751
          },
          {
            "timestamp": "2026-05-28 22:01:58,834",
            "thread_id": "3700",
            "caller": "0x7ffc6a15d1f4",
            "parentcaller": "0x7ffc6a13e2c6",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Mrt"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Mrt"
              }
            ],
            "repeated": 0,
            "id": 17752
          },
          {
            "timestamp": "2026-05-28 22:01:58,834",
            "thread_id": "3700",
            "caller": "0x7ffc756e56b2",
            "parentcaller": "0x7ffc6a15814d",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\SYSTEM32\\AppxDeploymentClient"
              },
              {
                "name": "DllBase",
                "value": "0x7ffc6e250000"
              }
            ],
            "repeated": 0,
            "id": 17753
          },
          {
            "timestamp": "2026-05-28 22:01:58,834",
            "thread_id": "3700",
            "caller": "0x7ffc756e56b2",
            "parentcaller": "0x7ffc756de6a1",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "api-ms-win-crt-private-l1-1-0.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc75d00000"
              }
            ],
            "repeated": 0,
            "id": 17754
          },
          {
            "timestamp": "2026-05-28 22:01:58,834",
            "thread_id": "3700",
            "caller": "0x7ffc756e56b2",
            "parentcaller": "0x7ffc6a15814d",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "AppxDeploymentClient.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc6e250000"
              }
            ],
            "repeated": 0,
            "id": 17755
          },
          {
            "timestamp": "2026-05-28 22:01:58,834",
            "thread_id": "3700",
            "caller": "0x7ffc756e56b2",
            "parentcaller": "0x7ffc6a15814d",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x7ffc6e250000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "AppxDeploymentClient.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00000800"
              }
            ],
            "repeated": 0,
            "id": 17756
          },
          {
            "timestamp": "2026-05-28 22:01:58,834",
            "thread_id": "3700",
            "caller": "0x7ffc756eac31",
            "parentcaller": "0x7ffc6a158172",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "AppxDeploymentClient.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc6e250000"
              },
              {
                "name": "FunctionName",
                "value": "GetMetadataRootForPackage"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc6e259b30"
              }
            ],
            "repeated": 0,
            "id": 17757
          },
          {
            "timestamp": "2026-05-28 22:01:58,834",
            "thread_id": "3700",
            "caller": "0x7ffc7571c976",
            "parentcaller": "0x7ffc6e26243b",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc6e346000"
              },
              {
                "name": "ModuleName",
                "value": "AppxDeploymentClient.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 17758
          },
          {
            "timestamp": "2026-05-28 22:01:58,834",
            "thread_id": "3700",
            "caller": "0x7ffc756e56b2",
            "parentcaller": "0x7ffc756de6a1",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "ext-ms-onecore-appmodel-staterepository-cache-l1-1-0.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc6a6a0000"
              }
            ],
            "repeated": 0,
            "id": 17759
          },
          {
            "timestamp": "2026-05-28 22:01:58,834",
            "thread_id": "3700",
            "caller": "0x7ffc756e56b2",
            "parentcaller": "0x7ffc756de6a1",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x7ffc6a6a0000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "ext-ms-onecore-appmodel-staterepository-cache-l1-1-0.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 17760
          },
          {
            "timestamp": "2026-05-28 22:01:58,834",
            "thread_id": "3700",
            "caller": "0x7ffc756eac31",
            "parentcaller": "0x7ffc6e26254c",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "windows.staterepositorycore.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc6a6a0000"
              },
              {
                "name": "FunctionName",
                "value": "SRCacheManager_Open"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc6a6a1200"
              }
            ],
            "repeated": 0,
            "id": 17761
          },
          {
            "timestamp": "2026-05-28 22:01:58,834",
            "thread_id": "3700",
            "caller": "0x7ffc7571c976",
            "parentcaller": "0x7ffc6e26264c",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc6e346000"
              },
              {
                "name": "ModuleName",
                "value": "AppxDeploymentClient.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 17762
          },
          {
            "timestamp": "2026-05-28 22:01:58,834",
            "thread_id": "3700",
            "caller": "0x7ffc6a6a12d2",
            "parentcaller": "0x7ffc6e259b9b",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache"
              },
              {
                "name": "Handle",
                "value": "0x00000a94"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache"
              }
            ],
            "repeated": 0,
            "id": 17763
          },
          {
            "timestamp": "2026-05-28 22:01:58,834",
            "thread_id": "3700",
            "caller": "0x7ffc6a6a1a81",
            "parentcaller": "0x7ffc6a6a138a",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000a94"
              },
              {
                "name": "SubKey",
                "value": "Metadata"
              },
              {
                "name": "Handle",
                "value": "0x00000a98"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\Metadata"
              }
            ],
            "repeated": 0,
            "id": 17764
          },
          {
            "timestamp": "2026-05-28 22:01:58,834",
            "thread_id": "3700",
            "caller": "0x7ffc7571c976",
            "parentcaller": "0x7ffc6e26243b",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc6e346000"
              },
              {
                "name": "ModuleName",
                "value": "AppxDeploymentClient.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 17765
          },
          {
            "timestamp": "2026-05-28 22:01:58,834",
            "thread_id": "3700",
            "caller": "0x7ffc756eac31",
            "parentcaller": "0x7ffc6e26254c",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "windows.staterepositorycore.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc6a6a0000"
              },
              {
                "name": "FunctionName",
                "value": "SRCacheContext_Open"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc6a6a10c0"
              }
            ],
            "repeated": 0,
            "id": 17766
          },
          {
            "timestamp": "2026-05-28 22:01:58,850",
            "thread_id": "3700",
            "caller": "0x7ffc7571c976",
            "parentcaller": "0x7ffc6e26264c",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc6e346000"
              },
              {
                "name": "ModuleName",
                "value": "AppxDeploymentClient.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 17767
          },
          {
            "timestamp": "2026-05-28 22:01:58,850",
            "thread_id": "3700",
            "caller": "0x7ffc6a6a1166",
            "parentcaller": "0x7ffc6e25b9da",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000a94"
              },
              {
                "name": "SubKey",
                "value": "Package\\Index\\PackageFullName\\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe"
              },
              {
                "name": "Handle",
                "value": "0x00000a84"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\Package\\Index\\PackageFullName\\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe"
              }
            ],
            "repeated": 0,
            "id": 17768
          },
          {
            "timestamp": "2026-05-28 22:01:58,850",
            "thread_id": "3700",
            "caller": "0x7ffc7571c976",
            "parentcaller": "0x7ffc6e26243b",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc6e346000"
              },
              {
                "name": "ModuleName",
                "value": "AppxDeploymentClient.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 17769
          },
          {
            "timestamp": "2026-05-28 22:01:58,850",
            "thread_id": "3700",
            "caller": "0x7ffc756eac31",
            "parentcaller": "0x7ffc6e26254c",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "windows.staterepositorycore.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc6a6a0000"
              },
              {
                "name": "FunctionName",
                "value": "SRCacheContext_EnumerateData"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc6a6a16e0"
              }
            ],
            "repeated": 0,
            "id": 17770
          },
          {
            "timestamp": "2026-05-28 22:01:58,850",
            "thread_id": "3700",
            "caller": "0x7ffc7571c976",
            "parentcaller": "0x7ffc6e26264c",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc6e346000"
              },
              {
                "name": "ModuleName",
                "value": "AppxDeploymentClient.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 17771
          },
          {
            "timestamp": "2026-05-28 22:01:58,850",
            "thread_id": "3700",
            "caller": "0x7ffc6a6a1732",
            "parentcaller": "0x7ffc6e25ba2d",
            "category": "registry",
            "api": "RegEnumKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a84"
              },
              {
                "name": "Index",
                "value": "0"
              },
              {
                "name": "Name",
                "value": "90"
              },
              {
                "name": "Class",
                "value": ""
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\Package\\Index\\PackageFullName\\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\\90"
              }
            ],
            "repeated": 0,
            "id": 17772
          },
          {
            "timestamp": "2026-05-28 22:01:58,850",
            "thread_id": "3700",
            "caller": "0x7ffc7571c976",
            "parentcaller": "0x7ffc6e26243b",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc6e346000"
              },
              {
                "name": "ModuleName",
                "value": "AppxDeploymentClient.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 17773
          },
          {
            "timestamp": "2026-05-28 22:01:58,850",
            "thread_id": "3700",
            "caller": "0x7ffc756eac31",
            "parentcaller": "0x7ffc6e26254c",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "windows.staterepositorycore.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc6a6a0000"
              },
              {
                "name": "FunctionName",
                "value": "SRCacheContext_Close"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc6a6a1630"
              }
            ],
            "repeated": 0,
            "id": 17774
          },
          {
            "timestamp": "2026-05-28 22:01:58,850",
            "thread_id": "3700",
            "caller": "0x7ffc7571c976",
            "parentcaller": "0x7ffc6e26264c",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc6e346000"
              },
              {
                "name": "ModuleName",
                "value": "AppxDeploymentClient.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 17775
          },
          {
            "timestamp": "2026-05-28 22:01:58,850",
            "thread_id": "3700",
            "caller": "0x7ffc6a6a1651",
            "parentcaller": "0x7ffc6e25ba58",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a84"
              }
            ],
            "repeated": 0,
            "id": 17776
          },
          {
            "timestamp": "2026-05-28 22:01:58,850",
            "thread_id": "3700",
            "caller": "0x7ffc7571c976",
            "parentcaller": "0x7ffc6e26243b",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc6e346000"
              },
              {
                "name": "ModuleName",
                "value": "AppxDeploymentClient.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 17777
          },
          {
            "timestamp": "2026-05-28 22:01:58,850",
            "thread_id": "3700",
            "caller": "0x7ffc756eac31",
            "parentcaller": "0x7ffc6e26254c",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ucrtbase.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc75d00000"
              },
              {
                "name": "FunctionName",
                "value": "_o__ui64tow_s"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc75d171a0"
              }
            ],
            "repeated": 0,
            "id": 17778
          },
          {
            "timestamp": "2026-05-28 22:01:58,850",
            "thread_id": "3700",
            "caller": "0x7ffc7571c976",
            "parentcaller": "0x7ffc6e26264c",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc6e346000"
              },
              {
                "name": "ModuleName",
                "value": "AppxDeploymentClient.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 17779
          },
          {
            "timestamp": "2026-05-28 22:01:58,850",
            "thread_id": "3700",
            "caller": "0x7ffc6a6a1166",
            "parentcaller": "0x7ffc6e259dea",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000a94"
              },
              {
                "name": "SubKey",
                "value": "Package\\Data\\90"
              },
              {
                "name": "Handle",
                "value": "0x00000a84"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\Package\\Data\\90"
              }
            ],
            "repeated": 0,
            "id": 17780
          },
          {
            "timestamp": "2026-05-28 22:01:58,850",
            "thread_id": "3700",
            "caller": "0x7ffc7571c976",
            "parentcaller": "0x7ffc6e26243b",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc6e346000"
              },
              {
                "name": "ModuleName",
                "value": "AppxDeploymentClient.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 17781
          },
          {
            "timestamp": "2026-05-28 22:01:58,850",
            "thread_id": "3700",
            "caller": "0x7ffc756eac31",
            "parentcaller": "0x7ffc6e26254c",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "windows.staterepositorycore.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc6a6a0000"
              },
              {
                "name": "FunctionName",
                "value": "SRCacheContext_GetField_UInt32"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc6a6a1670"
              }
            ],
            "repeated": 0,
            "id": 17782
          },
          {
            "timestamp": "2026-05-28 22:01:58,850",
            "thread_id": "3700",
            "caller": "0x7ffc7571c976",
            "parentcaller": "0x7ffc6e26264c",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc6e346000"
              },
              {
                "name": "ModuleName",
                "value": "AppxDeploymentClient.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 17783
          },
          {
            "timestamp": "2026-05-28 22:01:58,850",
            "thread_id": "3700",
            "caller": "0x7ffc6a6a16ad",
            "parentcaller": "0x7ffc6e25b10d",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a84"
              },
              {
                "name": "ValueName",
                "value": "Flags"
              },
              {
                "name": "Data",
                "value": "16777224"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\Package\\Data\\90\\Flags"
              }
            ],
            "repeated": 0,
            "id": 17784
          },
          {
            "timestamp": "2026-05-28 22:01:58,850",
            "thread_id": "3700",
            "caller": "0x7ffc6a6a1651",
            "parentcaller": "0x7ffc6e259e77",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a84"
              }
            ],
            "repeated": 0,
            "id": 17785
          },
          {
            "timestamp": "2026-05-28 22:01:58,850",
            "thread_id": "3700",
            "caller": "0x7ffc7571c976",
            "parentcaller": "0x7ffc6e26243b",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc6e346000"
              },
              {
                "name": "ModuleName",
                "value": "AppxDeploymentClient.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 17786
          },
          {
            "timestamp": "2026-05-28 22:01:58,850",
            "thread_id": "3700",
            "caller": "0x7ffc756eac31",
            "parentcaller": "0x7ffc6e26254c",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "windows.staterepositorycore.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc6a6a0000"
              },
              {
                "name": "FunctionName",
                "value": "SRCacheManager_Close"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc6a6a17d0"
              }
            ],
            "repeated": 0,
            "id": 17787
          },
          {
            "timestamp": "2026-05-28 22:01:58,850",
            "thread_id": "3700",
            "caller": "0x7ffc7571c976",
            "parentcaller": "0x7ffc6e26264c",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc6e346000"
              },
              {
                "name": "ModuleName",
                "value": "AppxDeploymentClient.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 17788
          },
          {
            "timestamp": "2026-05-28 22:01:58,850",
            "thread_id": "3700",
            "caller": "0x7ffc6a6a17f2",
            "parentcaller": "0x7ffc6e259eed",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a98"
              }
            ],
            "repeated": 0,
            "id": 17789
          },
          {
            "timestamp": "2026-05-28 22:01:58,850",
            "thread_id": "3700",
            "caller": "0x7ffc6a6a180b",
            "parentcaller": "0x7ffc6e259eed",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a94"
              }
            ],
            "repeated": 0,
            "id": 17790
          },
          {
            "timestamp": "2026-05-28 22:01:58,850",
            "thread_id": "3700",
            "caller": "0x7ffc7571c976",
            "parentcaller": "0x7ffc6e26243b",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc6e346000"
              },
              {
                "name": "ModuleName",
                "value": "AppxDeploymentClient.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 17791
          },
          {
            "timestamp": "2026-05-28 22:01:58,850",
            "thread_id": "3700",
            "caller": "0x7ffc756eac31",
            "parentcaller": "0x7ffc6e26254c",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ucrtbase.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc75d00000"
              },
              {
                "name": "FunctionName",
                "value": "_o_free"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc75d15f10"
              }
            ],
            "repeated": 0,
            "id": 17792
          },
          {
            "timestamp": "2026-05-28 22:01:58,850",
            "thread_id": "3700",
            "caller": "0x7ffc7571c976",
            "parentcaller": "0x7ffc6e26264c",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc6e346000"
              },
              {
                "name": "ModuleName",
                "value": "AppxDeploymentClient.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 17793
          },
          {
            "timestamp": "2026-05-28 22:01:58,850",
            "thread_id": "3700",
            "caller": "0x7ffc7571c976",
            "parentcaller": "0x7ffc6e26243b",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc6e346000"
              },
              {
                "name": "ModuleName",
                "value": "AppxDeploymentClient.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 17794
          },
          {
            "timestamp": "2026-05-28 22:01:58,850",
            "thread_id": "3700",
            "caller": "0x7ffc756eac31",
            "parentcaller": "0x7ffc6e26254c",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ucrtbase.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc75d00000"
              },
              {
                "name": "FunctionName",
                "value": "memcpy"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc75d48b70"
              }
            ],
            "repeated": 0,
            "id": 17795
          },
          {
            "timestamp": "2026-05-28 22:01:58,850",
            "thread_id": "3700",
            "caller": "0x7ffc7571c976",
            "parentcaller": "0x7ffc6e26264c",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc6e346000"
              },
              {
                "name": "ModuleName",
                "value": "AppxDeploymentClient.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 17796
          },
          {
            "timestamp": "2026-05-28 22:01:58,850",
            "thread_id": "3700",
            "caller": "0x7ffc6a6a12d2",
            "parentcaller": "0x7ffc6e259b9b",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache"
              },
              {
                "name": "Handle",
                "value": "0x00000a94"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache"
              }
            ],
            "repeated": 0,
            "id": 17797
          },
          {
            "timestamp": "2026-05-28 22:01:58,850",
            "thread_id": "3700",
            "caller": "0x7ffc6a6a1a81",
            "parentcaller": "0x7ffc6a6a138a",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000a94"
              },
              {
                "name": "SubKey",
                "value": "Metadata"
              },
              {
                "name": "Handle",
                "value": "0x00000a98"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\Metadata"
              }
            ],
            "repeated": 0,
            "id": 17798
          },
          {
            "timestamp": "2026-05-28 22:01:58,850",
            "thread_id": "3700",
            "caller": "0x7ffc6a6a1166",
            "parentcaller": "0x7ffc6e25b9da",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000a94"
              },
              {
                "name": "SubKey",
                "value": "Package\\Index\\PackageFullName\\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe"
              },
              {
                "name": "Handle",
                "value": "0x00000a84"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\Package\\Index\\PackageFullName\\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe"
              }
            ],
            "repeated": 0,
            "id": 17799
          },
          {
            "timestamp": "2026-05-28 22:01:58,850",
            "thread_id": "3700",
            "caller": "0x7ffc6a6a1732",
            "parentcaller": "0x7ffc6e25ba2d",
            "category": "registry",
            "api": "RegEnumKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a84"
              },
              {
                "name": "Index",
                "value": "0"
              },
              {
                "name": "Name",
                "value": "90"
              },
              {
                "name": "Class",
                "value": ""
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\Package\\Index\\PackageFullName\\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\\90"
              }
            ],
            "repeated": 0,
            "id": 17800
          },
          {
            "timestamp": "2026-05-28 22:01:58,850",
            "thread_id": "3700",
            "caller": "0x7ffc6a6a1651",
            "parentcaller": "0x7ffc6e25ba58",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a84"
              }
            ],
            "repeated": 0,
            "id": 17801
          },
          {
            "timestamp": "2026-05-28 22:01:58,850",
            "thread_id": "3700",
            "caller": "0x7ffc6a6a1166",
            "parentcaller": "0x7ffc6e259dea",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000a94"
              },
              {
                "name": "SubKey",
                "value": "Package\\Data\\90"
              },
              {
                "name": "Handle",
                "value": "0x00000a84"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\Package\\Data\\90"
              }
            ],
            "repeated": 0,
            "id": 17802
          },
          {
            "timestamp": "2026-05-28 22:01:58,850",
            "thread_id": "3700",
            "caller": "0x7ffc6a6a16ad",
            "parentcaller": "0x7ffc6e25b10d",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a84"
              },
              {
                "name": "ValueName",
                "value": "Flags"
              },
              {
                "name": "Data",
                "value": "16777224"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\Package\\Data\\90\\Flags"
              }
            ],
            "repeated": 0,
            "id": 17803
          },
          {
            "timestamp": "2026-05-28 22:01:58,850",
            "thread_id": "3700",
            "caller": "0x7ffc6a6a1651",
            "parentcaller": "0x7ffc6e259e77",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a84"
              }
            ],
            "repeated": 0,
            "id": 17804
          },
          {
            "timestamp": "2026-05-28 22:01:58,850",
            "thread_id": "3700",
            "caller": "0x7ffc6a6a17f2",
            "parentcaller": "0x7ffc6e259eed",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a98"
              }
            ],
            "repeated": 0,
            "id": 17805
          },
          {
            "timestamp": "2026-05-28 22:01:58,850",
            "thread_id": "3700",
            "caller": "0x7ffc6a6a180b",
            "parentcaller": "0x7ffc6e259eed",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a94"
              }
            ],
            "repeated": 0,
            "id": 17806
          },
          {
            "timestamp": "2026-05-28 22:01:58,850",
            "thread_id": "3700",
            "caller": "0x7ffc78020444",
            "parentcaller": "0x7ffc6e266510",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a50"
              }
            ],
            "repeated": 0,
            "id": 17807
          },
          {
            "timestamp": "2026-05-28 22:01:58,850",
            "thread_id": "3700",
            "caller": "0x7ffc78020444",
            "parentcaller": "0x7ffc78020356",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a7c"
              }
            ],
            "repeated": 0,
            "id": 17808
          },
          {
            "timestamp": "2026-05-28 22:01:58,850",
            "thread_id": "3700",
            "caller": "0x7ffc7571c976",
            "parentcaller": "0x7ffc6e26243b",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc6e346000"
              },
              {
                "name": "ModuleName",
                "value": "AppxDeploymentClient.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 17809
          },
          {
            "timestamp": "2026-05-28 22:01:58,850",
            "thread_id": "3700",
            "caller": "0x7ffc756eac31",
            "parentcaller": "0x7ffc6e26254c",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ucrtbase.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc75d00000"
              },
              {
                "name": "FunctionName",
                "value": "_o__execute_onexit_table"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc75d14120"
              }
            ],
            "repeated": 0,
            "id": 17810
          },
          {
            "timestamp": "2026-05-28 22:01:58,850",
            "thread_id": "3700",
            "caller": "0x7ffc7571c976",
            "parentcaller": "0x7ffc6e26264c",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc6e346000"
              },
              {
                "name": "ModuleName",
                "value": "AppxDeploymentClient.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 17811
          },
          {
            "timestamp": "2026-05-28 22:01:58,850",
            "thread_id": "3700",
            "caller": "0x7ffc756de76a",
            "parentcaller": "0x7ffc6e25f582",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc77fd0000"
              }
            ],
            "repeated": 0,
            "id": 17812
          },
          {
            "timestamp": "2026-05-28 22:01:58,850",
            "thread_id": "3700",
            "caller": "0x7ffc756eac31",
            "parentcaller": "0x7ffc6e25f54b",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc77fd0000"
              },
              {
                "name": "FunctionName",
                "value": "RtlDllShutdownInProgress"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc78033410"
              }
            ],
            "repeated": 0,
            "id": 17813
          },
          {
            "timestamp": "2026-05-28 22:01:58,850",
            "thread_id": "3700",
            "caller": "0x7ffc7571c976",
            "parentcaller": "0x7ffc6e26243b",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc6e346000"
              },
              {
                "name": "ModuleName",
                "value": "AppxDeploymentClient.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 17814
          },
          {
            "timestamp": "2026-05-28 22:01:58,850",
            "thread_id": "3700",
            "caller": "0x7ffc756eac31",
            "parentcaller": "0x7ffc6e26254c",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ucrtbase.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc75d00000"
              },
              {
                "name": "FunctionName",
                "value": "_o___std_type_info_destroy_list"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc75d14140"
              }
            ],
            "repeated": 0,
            "id": 17815
          },
          {
            "timestamp": "2026-05-28 22:01:58,850",
            "thread_id": "3700",
            "caller": "0x7ffc7571c976",
            "parentcaller": "0x7ffc6e26264c",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc6e346000"
              },
              {
                "name": "ModuleName",
                "value": "AppxDeploymentClient.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 17816
          },
          {
            "timestamp": "2026-05-28 22:01:58,850",
            "thread_id": "3700",
            "caller": "0x7ffc7571c976",
            "parentcaller": "0x7ffc6e26264c",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "unload"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\SYSTEM32\\AppxDeploymentClient"
              },
              {
                "name": "DllBase",
                "value": "0x7ffc6e250000"
              }
            ],
            "repeated": 0,
            "id": 17817
          },
          {
            "timestamp": "2026-05-28 22:01:58,850",
            "thread_id": "3700",
            "caller": "0x7ffc78040db0",
            "parentcaller": "0x7ffc78000391",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc6e250000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              }
            ],
            "repeated": 0,
            "id": 17818
          },
          {
            "timestamp": "2026-05-28 22:01:58,850",
            "thread_id": "3700",
            "caller": "0x7ffc756e07f5",
            "parentcaller": "0x7ffc6a15f1be",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Program Files\\WindowsApps\\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\\microsoft.system.package.metadata\\S-1-5-21-3968686040-3210279463-847977608-1001-MergedResources-0.pri"
              }
            ],
            "repeated": 0,
            "id": 17819
          },
          {
            "timestamp": "2026-05-28 22:01:58,850",
            "thread_id": "3700",
            "caller": "0x7ffc6a13e040",
            "parentcaller": "0x7ffc6a15ccad",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a30"
              }
            ],
            "repeated": 0,
            "id": 17820
          },
          {
            "timestamp": "2026-05-28 22:01:58,850",
            "thread_id": "3700",
            "caller": "0x7ffc756e3a9c",
            "parentcaller": "0x7ffc756e3529",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 17821
          },
          {
            "timestamp": "2026-05-28 22:01:58,850",
            "thread_id": "3700",
            "caller": "0x7ffc756e40c4",
            "parentcaller": "0x7ffc756e3f4b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000000d4"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 17822
          },
          {
            "timestamp": "2026-05-28 22:01:58,850",
            "thread_id": "3700",
            "caller": "0x7ffc756e3f76",
            "parentcaller": "0x7ffc75764fd4",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000000d4"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Mrt\\_Merged"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Mrt\\_Merged"
              }
            ],
            "repeated": 0,
            "id": 17823
          },
          {
            "timestamp": "2026-05-28 22:01:58,850",
            "thread_id": "3700",
            "caller": "0x7ffc756e1e5c",
            "parentcaller": "0x7ffc6a132bda",
            "category": "filesystem",
            "api": "NtQueryFullAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Program Files\\WindowsApps\\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\\microsoft.system.package.metadata\\S-1-5-21-3968686040-3210279463-847977608-1001-MergedResources-0.pri"
              }
            ],
            "repeated": 0,
            "id": 17824
          },
          {
            "timestamp": "2026-05-28 22:01:58,850",
            "thread_id": "3700",
            "caller": "0x7ffc756e6579",
            "parentcaller": "0x7ffc756e5fe6",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000a30"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Program Files\\WindowsApps\\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\\microsoft.system.package.metadata\\S-1-5-21-3968686040-3210279463-847977608-1001-MergedResources-0.pri"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 17825
          },
          {
            "timestamp": "2026-05-28 22:01:58,850",
            "thread_id": "3700",
            "caller": "0x7ffc75724097",
            "parentcaller": "0x7ffc6a12ec60",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000a30"
              },
              {
                "name": "HandleName",
                "value": "C:\\Program Files\\WindowsApps\\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\\microsoft.system.package.metadata\\S-1-5-21-3968686040-3210279463-847977608-1001-MergedResources-0.pri"
              },
              {
                "name": "FileInformationClass",
                "value": "5",
                "pretty_value": "FileStandardInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\x00p\\x01\\x00\\x00\\x00\\x00\\x00Pg\\x01\\x00\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 17826
          },
          {
            "timestamp": "2026-05-28 22:01:58,850",
            "thread_id": "3700",
            "caller": "0x7ffc756df0e1",
            "parentcaller": "0x7ffc756def40",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000a7c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000a30"
              },
              {
                "name": "FileName",
                "value": "C:\\Program Files\\WindowsApps\\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\\microsoft.system.package.metadata\\S-1-5-21-3968686040-3210279463-847977608-1001-MergedResources-0.pri"
              }
            ],
            "repeated": 0,
            "id": 17827
          },
          {
            "timestamp": "2026-05-28 22:01:58,850",
            "thread_id": "3700",
            "caller": "0x7ffc7571c386",
            "parentcaller": "0x7ffc7571c25e",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000a7c"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x292544f0000"
              },
              {
                "name": "SectionOffset",
                "value": "0xf09e1fe490"
              },
              {
                "name": "ViewSize",
                "value": "0x00017000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 17828
          },
          {
            "timestamp": "2026-05-28 22:01:58,850",
            "thread_id": "3700",
            "caller": "0x7ffc756e6785",
            "parentcaller": "0x7ffc6a12ed05",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a7c"
              }
            ],
            "repeated": 0,
            "id": 17829
          },
          {
            "timestamp": "2026-05-28 22:01:58,850",
            "thread_id": "3700",
            "caller": "0x7ffc756e6785",
            "parentcaller": "0x7ffc6a12ed17",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a30"
              }
            ],
            "repeated": 0,
            "id": 17830
          },
          {
            "timestamp": "2026-05-28 22:01:58,850",
            "thread_id": "3700",
            "caller": "0x7ffc756e1e5c",
            "parentcaller": "0x7ffc6a132bda",
            "category": "filesystem",
            "api": "NtQueryFullAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Program Files\\WindowsApps\\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\\resources.pri"
              }
            ],
            "repeated": 0,
            "id": 17831
          },
          {
            "timestamp": "2026-05-28 22:01:58,850",
            "thread_id": "3700",
            "caller": "0x7ffc756e1e5c",
            "parentcaller": "0x7ffc6a132bda",
            "category": "filesystem",
            "api": "NtQueryFullAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Program Files\\WindowsApps\\Microsoft.WindowsStore_11910.1002.5.0_neutral_split.scale-100_8wekyb3d8bbwe\\resources.pri"
              }
            ],
            "repeated": 0,
            "id": 17832
          },
          {
            "timestamp": "2026-05-28 22:01:58,850",
            "thread_id": "3700",
            "caller": "0x7ffc78006c8b",
            "parentcaller": "0x7ffc77fe67b5",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xa0\\xdf\\x1f\\x9e\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\xe9\\x03\\x00\\x00\\xf0\\x00\\x00\\x00\\x10\\xee\\xabT\\x92\\x02\\x00\\x00\\x86\\xdequ\\xfc\\x7f\\x00\\x00\t\\x00\\x00\\x00\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x92\\x02\\x00\\x00\\xf0\\xdf\\x1f\\x9e\\xf0\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 17833
          },
          {
            "timestamp": "2026-05-28 22:01:58,850",
            "thread_id": "3700",
            "caller": "0x7ffc77fe67ec",
            "parentcaller": "0x7ffc756c5140",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000a30"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3968686040-3210279463-847977608-1001"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER"
              }
            ],
            "repeated": 0,
            "id": 17834
          },
          {
            "timestamp": "2026-05-28 22:01:58,850",
            "thread_id": "3700",
            "caller": "0x7ffc755e2450",
            "parentcaller": "0x7ffc6a13d33f",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000a30"
              },
              {
                "name": "SubKey",
                "value": "Software\\Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppContainer\\Storage\\Microsoft.WindowsStore_8wekyb3d8bbwe\\ResourcesConfig"
              },
              {
                "name": "Handle",
                "value": "0x00000a7c"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppContainer\\Storage\\Microsoft.WindowsStore_8wekyb3d8bbwe\\ResourcesConfig"
              }
            ],
            "repeated": 0,
            "id": 17835
          },
          {
            "timestamp": "2026-05-28 22:01:58,850",
            "thread_id": "3700",
            "caller": "0x7ffc755e2486",
            "parentcaller": "0x7ffc6a13d33f",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a30"
              }
            ],
            "repeated": 0,
            "id": 17836
          },
          {
            "timestamp": "2026-05-28 22:01:58,850",
            "thread_id": "3700",
            "caller": "0x7ffc756e2e92",
            "parentcaller": "0x7ffc6a13d19e",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a7c"
              },
              {
                "name": "ValueName",
                "value": "Language"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppContainer\\Storage\\microsoft.windowsstore_8wekyb3d8bbwe\\ResourcesConfig\\Language"
              }
            ],
            "repeated": 0,
            "id": 17837
          },
          {
            "timestamp": "2026-05-28 22:01:58,850",
            "thread_id": "3700",
            "caller": "0x7ffc6a13dffb",
            "parentcaller": "0x7ffc6a1350be",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a7c"
              }
            ],
            "repeated": 0,
            "id": 17838
          },
          {
            "timestamp": "2026-05-28 22:01:58,850",
            "thread_id": "3700",
            "caller": "0x7ffc78017830",
            "parentcaller": "0x7ffc780020f9",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc6a6ea000"
              },
              {
                "name": "ModuleName",
                "value": "bcp47mrm.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 17839
          },
          {
            "timestamp": "2026-05-28 22:01:58,850",
            "thread_id": "3700",
            "caller": "0x7ffc78017881",
            "parentcaller": "0x7ffc780020f9",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc6a6ea000"
              },
              {
                "name": "ModuleName",
                "value": "bcp47mrm.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 17840
          },
          {
            "timestamp": "2026-05-28 22:01:58,850",
            "thread_id": "3700",
            "caller": "0x7ffc78006c8b",
            "parentcaller": "0x7ffc77fe67b5",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\x10\\xdb\\x1f\\x9e\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xfc\\x7f\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\xe9\\x03\\x00\\x00\\xfc\\x7f\\x00\\x00`Rru\\xfc\\x7f\\x00\\x00\\xe0Rnj\\xfc\\x7f\\x00\\x000\\xa0nj\\xfc\\x7f\\x00\\x00\\xdc\\x04\\xfew\\xfc\\x7f\\x00\\x00\\x80#^u\\xfc\\x7f\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 17841
          },
          {
            "timestamp": "2026-05-28 22:01:58,850",
            "thread_id": "3700",
            "caller": "0x7ffc77fe67ec",
            "parentcaller": "0x7ffc756c5140",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000a7c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3968686040-3210279463-847977608-1001"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER"
              }
            ],
            "repeated": 0,
            "id": 17842
          },
          {
            "timestamp": "2026-05-28 22:01:58,850",
            "thread_id": "3700",
            "caller": "0x7ffc755e2450",
            "parentcaller": "0x7ffc6a6c2d0d",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000a7c"
              },
              {
                "name": "SubKey",
                "value": "Software\\Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppContainer\\Storage\\Microsoft.WindowsStore_8wekyb3d8bbwe\\ResourcesConfig"
              },
              {
                "name": "Handle",
                "value": "0x00000a30"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppContainer\\Storage\\Microsoft.WindowsStore_8wekyb3d8bbwe\\ResourcesConfig"
              }
            ],
            "repeated": 0,
            "id": 17843
          },
          {
            "timestamp": "2026-05-28 22:01:58,850",
            "thread_id": "3700",
            "caller": "0x7ffc755e2486",
            "parentcaller": "0x7ffc6a6c2d0d",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a7c"
              }
            ],
            "repeated": 0,
            "id": 17844
          },
          {
            "timestamp": "2026-05-28 22:01:58,850",
            "thread_id": "3700",
            "caller": "0x7ffc78006c8b",
            "parentcaller": "0x7ffc77fe67b5",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\x90\\xd1\\x1f\\x9e\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\xe9\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\xf7\\xd3\\x1f\\x9e\\xf0\\x00\\x00\\x006\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xe0\\xd2\\x1f\\x9e\\xf0\\x00\\x00\\x00B\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 17845
          },
          {
            "timestamp": "2026-05-28 22:01:58,850",
            "thread_id": "3700",
            "caller": "0x7ffc77fe67ec",
            "parentcaller": "0x7ffc756c5140",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000a7c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3968686040-3210279463-847977608-1001"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER"
              }
            ],
            "repeated": 0,
            "id": 17846
          },
          {
            "timestamp": "2026-05-28 22:01:58,850",
            "thread_id": "3700",
            "caller": "0x7ffc756e40c4",
            "parentcaller": "0x7ffc756e3f4b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000a7c"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 17847
          },
          {
            "timestamp": "2026-05-28 22:01:58,850",
            "thread_id": "3700",
            "caller": "0x7ffc756e3f76",
            "parentcaller": "0x7ffc75764fd4",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000a50"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000a7c"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\Repository\\Families\\Microsoft.WindowsStore_8wekyb3d8bbwe"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\Repository\\Families\\Microsoft.WindowsStore_8wekyb3d8bbwe"
              }
            ],
            "repeated": 0,
            "id": 17848
          },
          {
            "timestamp": "2026-05-28 22:01:58,850",
            "thread_id": "3700",
            "caller": "0x7ffc756c50dc",
            "parentcaller": "0x7ffc756c4da8",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a7c"
              }
            ],
            "repeated": 0,
            "id": 17849
          },
          {
            "timestamp": "2026-05-28 22:01:58,850",
            "thread_id": "3700",
            "caller": "0x7ffc756c4e18",
            "parentcaller": "0x7ffc756c4cae",
            "category": "registry",
            "api": "RegEnumKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a50"
              },
              {
                "name": "Index",
                "value": "0"
              },
              {
                "name": "Name",
                "value": "Microsoft.WindowsStore_11910.1002.5.0_neutral_split.scale-100_8wekyb3d8bbwe"
              },
              {
                "name": "Class",
                "value": ""
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\Repository\\Families\\Microsoft.WindowsStore_8wekyb3d8bbwe\\Microsoft.WindowsStore_11910.1002.5.0_neutral_split.scale-100_8wekyb3d8bbwe"
              }
            ],
            "repeated": 0,
            "id": 17850
          },
          {
            "timestamp": "2026-05-28 22:01:58,850",
            "thread_id": "3700",
            "caller": "0x7ffc756e40c4",
            "parentcaller": "0x7ffc756e3f4b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000a50"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 17851
          },
          {
            "timestamp": "2026-05-28 22:01:58,850",
            "thread_id": "3700",
            "caller": "0x7ffc756e3f76",
            "parentcaller": "0x7ffc75764fd4",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000a7c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000a50"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Microsoft.WindowsStore_11910.1002.5.0_neutral_split.scale-100_8wekyb3d8bbwe"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\Repository\\Families\\Microsoft.WindowsStore_8wekyb3d8bbwe\\Microsoft.WindowsStore_11910.1002.5.0_neutral_split.scale-100_8wekyb3d8bbwe"
              }
            ],
            "repeated": 0,
            "id": 17852
          },
          {
            "timestamp": "2026-05-28 22:01:58,850",
            "thread_id": "3700",
            "caller": "0x7ffc756c4fee",
            "parentcaller": "0x7ffc756c4e3e",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a7c"
              },
              {
                "name": "ValueName",
                "value": "Flags"
              },
              {
                "name": "Data",
                "value": "4"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\Repository\\Families\\Microsoft.WindowsStore_8wekyb3d8bbwe\\Microsoft.WindowsStore_11910.1002.5.0_neutral_split.scale-100_8wekyb3d8bbwe\\Flags"
              }
            ],
            "repeated": 0,
            "id": 17853
          },
          {
            "timestamp": "2026-05-28 22:01:58,850",
            "thread_id": "3700",
            "caller": "0x7ffc756c4ffa",
            "parentcaller": "0x7ffc756c4e3e",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a7c"
              }
            ],
            "repeated": 0,
            "id": 17854
          },
          {
            "timestamp": "2026-05-28 22:01:58,850",
            "thread_id": "3700",
            "caller": "0x7ffc756c4e18",
            "parentcaller": "0x7ffc756c4cae",
            "category": "registry",
            "api": "RegEnumKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a50"
              },
              {
                "name": "Index",
                "value": "1"
              },
              {
                "name": "Name",
                "value": "Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe"
              },
              {
                "name": "Class",
                "value": ""
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\Repository\\Families\\Microsoft.WindowsStore_8wekyb3d8bbwe\\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe"
              }
            ],
            "repeated": 0,
            "id": 17855
          },
          {
            "timestamp": "2026-05-28 22:01:58,850",
            "thread_id": "3700",
            "caller": "0x7ffc756e40c4",
            "parentcaller": "0x7ffc756e3f4b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000a50"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 17856
          },
          {
            "timestamp": "2026-05-28 22:01:58,850",
            "thread_id": "3700",
            "caller": "0x7ffc756e3f76",
            "parentcaller": "0x7ffc75764fd4",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000a7c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000a50"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\Repository\\Families\\Microsoft.WindowsStore_8wekyb3d8bbwe\\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe"
              }
            ],
            "repeated": 0,
            "id": 17857
          },
          {
            "timestamp": "2026-05-28 22:01:58,850",
            "thread_id": "3700",
            "caller": "0x7ffc756c4fee",
            "parentcaller": "0x7ffc756c4e3e",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a7c"
              },
              {
                "name": "ValueName",
                "value": "Flags"
              },
              {
                "name": "Data",
                "value": "1"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\Repository\\Families\\Microsoft.WindowsStore_8wekyb3d8bbwe\\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\\Flags"
              }
            ],
            "repeated": 0,
            "id": 17858
          },
          {
            "timestamp": "2026-05-28 22:01:58,850",
            "thread_id": "3700",
            "caller": "0x7ffc756c4ffa",
            "parentcaller": "0x7ffc756c4e3e",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a7c"
              }
            ],
            "repeated": 0,
            "id": 17859
          },
          {
            "timestamp": "2026-05-28 22:01:58,850",
            "thread_id": "3700",
            "caller": "0x7ffc756c4e18",
            "parentcaller": "0x7ffc756c4cae",
            "category": "registry",
            "api": "RegEnumKeyExW",
            "status": false,
            "return": "0x00000103",
            "pretty_return": "NO_MORE_ITEMS",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a50"
              },
              {
                "name": "Index",
                "value": "2"
              },
              {
                "name": "Name",
                "value": ""
              },
              {
                "name": "Class",
                "value": ""
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\Repository\\Families\\Microsoft.WindowsStore_8wekyb3d8bbwe\\"
              }
            ],
            "repeated": 0,
            "id": 17860
          },
          {
            "timestamp": "2026-05-28 22:01:58,850",
            "thread_id": "3700",
            "caller": "0x7ffc756c4ef4",
            "parentcaller": "0x7ffc756c4cae",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a50"
              }
            ],
            "repeated": 0,
            "id": 17861
          },
          {
            "timestamp": "2026-05-28 22:01:58,850",
            "thread_id": "3700",
            "caller": "0x7ffc6a6a12d2",
            "parentcaller": "0x7ffc756bdf5c",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache"
              },
              {
                "name": "Handle",
                "value": "0x00000a50"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache"
              }
            ],
            "repeated": 0,
            "id": 17862
          },
          {
            "timestamp": "2026-05-28 22:01:58,850",
            "thread_id": "3700",
            "caller": "0x7ffc6a6a1a81",
            "parentcaller": "0x7ffc6a6a138a",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000a50"
              },
              {
                "name": "SubKey",
                "value": "Metadata"
              },
              {
                "name": "Handle",
                "value": "0x00000a7c"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\Metadata"
              }
            ],
            "repeated": 0,
            "id": 17863
          },
          {
            "timestamp": "2026-05-28 22:01:58,850",
            "thread_id": "3700",
            "caller": "0x7ffc6a6a1166",
            "parentcaller": "0x7ffc756bf579",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000a50"
              },
              {
                "name": "SubKey",
                "value": "Package\\Index\\PackageFullName\\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe"
              },
              {
                "name": "Handle",
                "value": "0x00000a94"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\Package\\Index\\PackageFullName\\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe"
              }
            ],
            "repeated": 0,
            "id": 17864
          },
          {
            "timestamp": "2026-05-28 22:01:58,850",
            "thread_id": "3700",
            "caller": "0x7ffc6a6a1732",
            "parentcaller": "0x7ffc756bf7dc",
            "category": "registry",
            "api": "RegEnumKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a94"
              },
              {
                "name": "Index",
                "value": "0"
              },
              {
                "name": "Name",
                "value": "90"
              },
              {
                "name": "Class",
                "value": ""
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\Package\\Index\\PackageFullName\\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\\90"
              }
            ],
            "repeated": 0,
            "id": 17865
          },
          {
            "timestamp": "2026-05-28 22:01:58,850",
            "thread_id": "3700",
            "caller": "0x7ffc6a6a1651",
            "parentcaller": "0x7ffc756bf5fd",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a94"
              }
            ],
            "repeated": 0,
            "id": 17866
          },
          {
            "timestamp": "2026-05-28 22:01:58,850",
            "thread_id": "3700",
            "caller": "0x7ffc6a6a1166",
            "parentcaller": "0x7ffc756bf308",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000a50"
              },
              {
                "name": "SubKey",
                "value": "Package\\Data\\90"
              },
              {
                "name": "Handle",
                "value": "0x00000a94"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\Package\\Data\\90"
              }
            ],
            "repeated": 0,
            "id": 17867
          },
          {
            "timestamp": "2026-05-28 22:01:58,850",
            "thread_id": "3700",
            "caller": "0x7ffc6a6a15ac",
            "parentcaller": "0x7ffc6a6a14ff",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a94"
              },
              {
                "name": "ValueName",
                "value": "InstalledLocation"
              },
              {
                "name": "Data",
                "value": "C:\\Program Files\\WindowsApps\\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\Package\\Data\\90\\InstalledLocation"
              }
            ],
            "repeated": 0,
            "id": 17868
          },
          {
            "timestamp": "2026-05-28 22:01:58,850",
            "thread_id": "3700",
            "caller": "0x7ffc6a6a1651",
            "parentcaller": "0x7ffc756bed38",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a94"
              }
            ],
            "repeated": 0,
            "id": 17869
          },
          {
            "timestamp": "2026-05-28 22:01:58,850",
            "thread_id": "3700",
            "caller": "0x7ffc6a6a17f2",
            "parentcaller": "0x7ffc756be12f",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a7c"
              }
            ],
            "repeated": 0,
            "id": 17870
          },
          {
            "timestamp": "2026-05-28 22:01:58,850",
            "thread_id": "3700",
            "caller": "0x7ffc6a6a180b",
            "parentcaller": "0x7ffc756be12f",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a50"
              }
            ],
            "repeated": 0,
            "id": 17871
          },
          {
            "timestamp": "2026-05-28 22:01:58,850",
            "thread_id": "3700",
            "caller": "0x7ffc78006c8b",
            "parentcaller": "0x7ffc77fe67b5",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\x90\\xd8\\x1f\\x9e\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x92\\x02\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\xe9\\x03\\x00\\x00\\x00\\x00\\x00\\x00`\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x80\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x1fN\\x92\\x02\\x00\\x00\\x89\\xd9\\x1f\\x9e\\xf0\\x00\\x00\\x00\\x07\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 17872
          },
          {
            "timestamp": "2026-05-28 22:01:58,850",
            "thread_id": "3700",
            "caller": "0x7ffc77fe67ec",
            "parentcaller": "0x7ffc756ddff8",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000a50"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3968686040-3210279463-847977608-1001"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER"
              }
            ],
            "repeated": 0,
            "id": 17873
          },
          {
            "timestamp": "2026-05-28 22:01:58,850",
            "thread_id": "3700",
            "caller": "0x7ffc6a6c203f",
            "parentcaller": "0x7ffc6a6c1f4a",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000a50"
              },
              {
                "name": "SubKey",
                "value": ""
              },
              {
                "name": "Handle",
                "value": "0x00000a7c"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\"
              }
            ],
            "repeated": 0,
            "id": 17874
          },
          {
            "timestamp": "2026-05-28 22:01:58,850",
            "thread_id": "3700",
            "caller": "0x7ffc6a6c20e4",
            "parentcaller": "0x7ffc6a6c1f4a",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000a7c"
              },
              {
                "name": "SubKey",
                "value": "Control Panel\\International\\User Profile"
              },
              {
                "name": "Handle",
                "value": "0x00000a94"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\Control Panel\\International\\User Profile"
              }
            ],
            "repeated": 0,
            "id": 17875
          },
          {
            "timestamp": "2026-05-28 22:01:58,850",
            "thread_id": "3700",
            "caller": "0x7ffc6a6c2123",
            "parentcaller": "0x7ffc6a6c1f4a",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a50"
              }
            ],
            "repeated": 0,
            "id": 17876
          },
          {
            "timestamp": "2026-05-28 22:01:58,850",
            "thread_id": "3700",
            "caller": "0x7ffc756e2e92",
            "parentcaller": "0x7ffc6a6c1a0f",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a94"
              },
              {
                "name": "ValueName",
                "value": "Languages"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\Control Panel\\International\\User Profile\\Languages"
              }
            ],
            "repeated": 0,
            "id": 17877
          },
          {
            "timestamp": "2026-05-28 22:01:58,850",
            "thread_id": "3700",
            "caller": "0x7ffc756e2e92",
            "parentcaller": "0x7ffc6a6c1abc",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a94"
              },
              {
                "name": "ValueName",
                "value": "Languages"
              },
              {
                "name": "Data",
                "value": "\\x00\\x00"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\Control Panel\\International\\User Profile\\Languages"
              }
            ],
            "repeated": 0,
            "id": 17878
          },
          {
            "timestamp": "2026-05-28 22:01:58,850",
            "thread_id": "3700",
            "caller": "0x7ffc78017830",
            "parentcaller": "0x7ffc780020f9",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc6a6ea000"
              },
              {
                "name": "ModuleName",
                "value": "bcp47mrm.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 17879
          },
          {
            "timestamp": "2026-05-28 22:01:58,850",
            "thread_id": "3700",
            "caller": "0x7ffc78017881",
            "parentcaller": "0x7ffc780020f9",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc6a6ea000"
              },
              {
                "name": "ModuleName",
                "value": "bcp47mrm.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 17880
          },
          {
            "timestamp": "2026-05-28 22:01:58,850",
            "thread_id": "3700",
            "caller": "0x7ffc6a6c3cc9",
            "parentcaller": "0x7ffc6a6c2247",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a94"
              }
            ],
            "repeated": 0,
            "id": 17881
          },
          {
            "timestamp": "2026-05-28 22:01:58,850",
            "thread_id": "3700",
            "caller": "0x7ffc6a6c3cde",
            "parentcaller": "0x7ffc6a6c2247",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a7c"
              }
            ],
            "repeated": 0,
            "id": 17882
          },
          {
            "timestamp": "2026-05-28 22:01:58,850",
            "thread_id": "3700",
            "caller": "0x7ffc756e2e92",
            "parentcaller": "0x7ffc6a6c1a0f",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a30"
              },
              {
                "name": "ValueName",
                "value": "ManifestLanguagesList"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppContainer\\Storage\\microsoft.windowsstore_8wekyb3d8bbwe\\ResourcesConfig\\ManifestLanguagesList"
              }
            ],
            "repeated": 0,
            "id": 17883
          },
          {
            "timestamp": "2026-05-28 22:01:58,850",
            "thread_id": "3700",
            "caller": "0x7ffc756e2e92",
            "parentcaller": "0x7ffc6a6c1abc",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a30"
              },
              {
                "name": "ValueName",
                "value": "ManifestLanguagesList"
              },
              {
                "name": "Data",
                "value": "\\x00\\x00"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppContainer\\Storage\\microsoft.windowsstore_8wekyb3d8bbwe\\ResourcesConfig\\ManifestLanguagesList"
              }
            ],
            "repeated": 0,
            "id": 17884
          },
          {
            "timestamp": "2026-05-28 22:01:58,850",
            "thread_id": "3700",
            "caller": "0x7ffc756e2e92",
            "parentcaller": "0x7ffc6a6c1a0f",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a30"
              },
              {
                "name": "ValueName",
                "value": "OverrideLanguagesList"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppContainer\\Storage\\microsoft.windowsstore_8wekyb3d8bbwe\\ResourcesConfig\\OverrideLanguagesList"
              }
            ],
            "repeated": 0,
            "id": 17885
          },
          {
            "timestamp": "2026-05-28 22:01:58,850",
            "thread_id": "3700",
            "caller": "0x7ffc6a6c34f3",
            "parentcaller": "0x7ffc6a6c29d0",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a30"
              }
            ],
            "repeated": 0,
            "id": 17886
          },
          {
            "timestamp": "2026-05-28 22:01:58,850",
            "thread_id": "3700",
            "caller": "0x7ffc756e6579",
            "parentcaller": "0x7ffc756e5fe6",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000a30"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Program Files\\WindowsApps\\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\\resources.pri"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 17887
          },
          {
            "timestamp": "2026-05-28 22:01:58,850",
            "thread_id": "3700",
            "caller": "0x7ffc75724097",
            "parentcaller": "0x7ffc6a12ec60",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000a30"
              },
              {
                "name": "HandleName",
                "value": "C:\\Program Files\\WindowsApps\\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\\resources.pri"
              },
              {
                "name": "FileInformationClass",
                "value": "5",
                "pretty_value": "FileStandardInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\x00@\\x1d\\x00\\x00\\x00\\x00\\x00\\xd09\\x1d\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 17888
          },
          {
            "timestamp": "2026-05-28 22:01:58,850",
            "thread_id": "3700",
            "caller": "0x7ffc756df0e1",
            "parentcaller": "0x7ffc756def40",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000a7c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000a30"
              },
              {
                "name": "FileName",
                "value": "C:\\Program Files\\WindowsApps\\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\\resources.pri"
              }
            ],
            "repeated": 0,
            "id": 17889
          },
          {
            "timestamp": "2026-05-28 22:01:58,850",
            "thread_id": "3700",
            "caller": "0x7ffc7571c386",
            "parentcaller": "0x7ffc7571c25e",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000a7c"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29255760000"
              },
              {
                "name": "SectionOffset",
                "value": "0xf09e1fe180"
              },
              {
                "name": "ViewSize",
                "value": "0x001d4000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 17890
          },
          {
            "timestamp": "2026-05-28 22:01:58,850",
            "thread_id": "3700",
            "caller": "0x7ffc756e6785",
            "parentcaller": "0x7ffc6a12ed05",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a7c"
              }
            ],
            "repeated": 0,
            "id": 17891
          },
          {
            "timestamp": "2026-05-28 22:01:58,850",
            "thread_id": "3700",
            "caller": "0x7ffc756e6785",
            "parentcaller": "0x7ffc6a12ed17",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a30"
              }
            ],
            "repeated": 0,
            "id": 17892
          },
          {
            "timestamp": "2026-05-28 22:01:58,850",
            "thread_id": "3700",
            "caller": "0x7ffc77be92b9",
            "parentcaller": "0x7ffc77c21dfa",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "41FD88F7-F295-4D39-91AC-A85F3149A05B"
              },
              {
                "name": "ClsContext",
                "value": "0x00000403",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER|CLSCTX_NO_CODE_DOWNLOAD"
              },
              {
                "name": "riid",
                "value": "00000003-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 17893
          },
          {
            "timestamp": "2026-05-28 22:01:58,850",
            "thread_id": "3700",
            "caller": "0x7ffc730ad469",
            "parentcaller": "0x7ffc730ad2ee",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00000042"
              },
              {
                "name": "uiParam",
                "value": "0x00000010"
              }
            ],
            "repeated": 0,
            "id": 17894
          },
          {
            "timestamp": "2026-05-28 22:01:58,850",
            "thread_id": "3700",
            "caller": "0x7ffc77be92b9",
            "parentcaller": "0x7ffc77c21dfa",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "41FD88F7-F295-4D39-91AC-A85F3149A05B"
              },
              {
                "name": "ClsContext",
                "value": "0x00000403",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER|CLSCTX_NO_CODE_DOWNLOAD"
              },
              {
                "name": "riid",
                "value": "00000003-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 6,
            "id": 17895
          },
          {
            "timestamp": "2026-05-28 22:01:58,850",
            "thread_id": "3700",
            "caller": "0x7ffc7571eb53",
            "parentcaller": "0x7ffc6a12e4df",
            "category": "process",
            "api": "NtUnmapViewOfSectionEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x292544f0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00017000"
              },
              {
                "name": "Flags",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 17896
          },
          {
            "timestamp": "2026-05-28 22:01:58,850",
            "thread_id": "3700",
            "caller": "0x7ffc7571eb53",
            "parentcaller": "0x7ffc6a12e4df",
            "category": "process",
            "api": "NtUnmapViewOfSectionEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29255760000"
              },
              {
                "name": "RegionSize",
                "value": "0x001d4000"
              },
              {
                "name": "Flags",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 17897
          },
          {
            "timestamp": "2026-05-28 22:01:58,850",
            "thread_id": "3700",
            "caller": "0x7ffc7571ebae",
            "parentcaller": "0x7ffc775c712f",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "0",
                "pretty_value": "ThreadBasicInformation"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x03\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xf0\\x87\\x9d\\xf0\\x00\\x00\\x00\\xe8\\x1e\\x00\\x00\\x00\\x00\\x00\\x00t\\x0e\\x00\\x00\\x00\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "3700"
              }
            ],
            "repeated": 0,
            "id": 17898
          },
          {
            "timestamp": "2026-05-28 22:01:58,850",
            "thread_id": "5448",
            "caller": "0x7ff6c28c883e",
            "parentcaller": "0x7ff6c28c846b",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00000042"
              },
              {
                "name": "uiParam",
                "value": "0x00000010"
              }
            ],
            "repeated": 0,
            "id": 17899
          },
          {
            "timestamp": "2026-05-28 22:01:58,850",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c3e56",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a90"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001000",
                "pretty_value": "PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "1084"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Program Files\\WindowsApps\\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\\WinStore.App.exe"
              }
            ],
            "repeated": 0,
            "id": 17900
          },
          {
            "timestamp": "2026-05-28 22:01:58,850",
            "thread_id": "5448",
            "caller": "0x7ff6c28c3ebb",
            "parentcaller": "0x7ff6c28c2d53",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a90"
              }
            ],
            "repeated": 0,
            "id": 17901
          },
          {
            "timestamp": "2026-05-28 22:01:58,850",
            "thread_id": "5448",
            "caller": "0x7ff6c28c978f",
            "parentcaller": "0x7ff6c28c3d99",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "DBCE7E40-7345-439D-B12C-114A11819A09"
              },
              {
                "name": "ClsContext",
                "value": "0x00000003",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER"
              },
              {
                "name": "riid",
                "value": "130A2F65-2BE7-4309-9A58-A9052FF2B61C"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 17902
          },
          {
            "timestamp": "2026-05-28 22:01:58,850",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache"
              },
              {
                "name": "Handle",
                "value": "0x00000a90"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache"
              }
            ],
            "repeated": 0,
            "id": 17903
          },
          {
            "timestamp": "2026-05-28 22:01:58,850",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000a90"
              },
              {
                "name": "SubKey",
                "value": "Metadata"
              },
              {
                "name": "Handle",
                "value": "0x000007d4"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\Metadata"
              }
            ],
            "repeated": 0,
            "id": 17904
          },
          {
            "timestamp": "2026-05-28 22:01:58,850",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000a90"
              },
              {
                "name": "SubKey",
                "value": "Package\\Index\\PackageFullName\\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe"
              },
              {
                "name": "Handle",
                "value": "0x00000a38"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\Package\\Index\\PackageFullName\\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe"
              }
            ],
            "repeated": 0,
            "id": 17905
          },
          {
            "timestamp": "2026-05-28 22:01:58,850",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "registry",
            "api": "RegEnumKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a38"
              },
              {
                "name": "Index",
                "value": "0"
              },
              {
                "name": "Name",
                "value": "90"
              },
              {
                "name": "Class",
                "value": ""
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\Package\\Index\\PackageFullName\\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\\90"
              }
            ],
            "repeated": 0,
            "id": 17906
          },
          {
            "timestamp": "2026-05-28 22:01:58,850",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a38"
              }
            ],
            "repeated": 0,
            "id": 17907
          },
          {
            "timestamp": "2026-05-28 22:01:58,850",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000a90"
              },
              {
                "name": "SubKey",
                "value": "Package\\Data\\90"
              },
              {
                "name": "Handle",
                "value": "0x00000a38"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\Package\\Data\\90"
              }
            ],
            "repeated": 0,
            "id": 17908
          },
          {
            "timestamp": "2026-05-28 22:01:58,850",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a38"
              },
              {
                "name": "ValueName",
                "value": "PackageOrigin"
              },
              {
                "name": "Data",
                "value": "3"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\Package\\Data\\90\\PackageOrigin"
              }
            ],
            "repeated": 0,
            "id": 17909
          },
          {
            "timestamp": "2026-05-28 22:01:58,850",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a38"
              }
            ],
            "repeated": 0,
            "id": 17910
          },
          {
            "timestamp": "2026-05-28 22:01:58,850",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000007d4"
              }
            ],
            "repeated": 0,
            "id": 17911
          },
          {
            "timestamp": "2026-05-28 22:01:58,850",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a90"
              }
            ],
            "repeated": 1,
            "id": 17912
          },
          {
            "timestamp": "2026-05-28 22:01:58,850",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000007d4"
              }
            ],
            "repeated": 0,
            "id": 17913
          },
          {
            "timestamp": "2026-05-28 22:01:58,850",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xf0\\xd9\\xdf\\x9d\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\xe9\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x03N\\x92\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xc0\\x07\\x02x\\xfc\\x7f\\x00\\x00\\xb7\\xef\\xa8\\xf9"
              }
            ],
            "repeated": 0,
            "id": 17914
          },
          {
            "timestamp": "2026-05-28 22:01:58,850",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 17915
          },
          {
            "timestamp": "2026-05-28 22:01:58,850",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000720"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 17916
          },
          {
            "timestamp": "2026-05-28 22:01:58,850",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000007d4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000720"
              },
              {
                "name": "ObjectAttributesName",
                "value": "S-1-5-21-3968686040-3210279463-847977608-1001"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER"
              }
            ],
            "repeated": 0,
            "id": 17917
          },
          {
            "timestamp": "2026-05-28 22:01:58,850",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000007d4"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 17918
          },
          {
            "timestamp": "2026-05-28 22:01:58,850",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000a90"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020119",
                "pretty_value": "KEY_QUERY_VALUE|KEY_ENUMERATE_SUB_KEYS|KEY_NOTIFY|KEY_WOW64_64KEY|STANDARD_RIGHTS_REQUIRED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000007d4"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\Repository\\Packages\\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\Repository\\Packages\\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe"
              }
            ],
            "repeated": 0,
            "id": 17919
          },
          {
            "timestamp": "2026-05-28 22:01:58,850",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000007d4"
              }
            ],
            "repeated": 0,
            "id": 17920
          },
          {
            "timestamp": "2026-05-28 22:01:58,850",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a90"
              },
              {
                "name": "ValueName",
                "value": "PackageStatus"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\Repository\\Packages\\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\\PackageStatus"
              }
            ],
            "repeated": 0,
            "id": 17921
          },
          {
            "timestamp": "2026-05-28 22:01:58,850",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a90"
              }
            ],
            "repeated": 0,
            "id": 17922
          },
          {
            "timestamp": "2026-05-28 22:01:58,850",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache"
              },
              {
                "name": "Handle",
                "value": "0x00000a90"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache"
              }
            ],
            "repeated": 0,
            "id": 17923
          },
          {
            "timestamp": "2026-05-28 22:01:58,850",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000a90"
              },
              {
                "name": "SubKey",
                "value": "Metadata"
              },
              {
                "name": "Handle",
                "value": "0x000007d4"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\Metadata"
              }
            ],
            "repeated": 0,
            "id": 17924
          },
          {
            "timestamp": "2026-05-28 22:01:58,850",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000a90"
              },
              {
                "name": "SubKey",
                "value": "Package\\Index\\PackageFullName\\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe"
              },
              {
                "name": "Handle",
                "value": "0x00000a38"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\Package\\Index\\PackageFullName\\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe"
              }
            ],
            "repeated": 0,
            "id": 17925
          },
          {
            "timestamp": "2026-05-28 22:01:58,850",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "registry",
            "api": "RegEnumKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a38"
              },
              {
                "name": "Index",
                "value": "0"
              },
              {
                "name": "Name",
                "value": "90"
              },
              {
                "name": "Class",
                "value": ""
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\Package\\Index\\PackageFullName\\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\\90"
              }
            ],
            "repeated": 0,
            "id": 17926
          },
          {
            "timestamp": "2026-05-28 22:01:58,850",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a38"
              }
            ],
            "repeated": 0,
            "id": 17927
          },
          {
            "timestamp": "2026-05-28 22:01:58,850",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000a90"
              },
              {
                "name": "SubKey",
                "value": "Package\\Data\\90"
              },
              {
                "name": "Handle",
                "value": "0x00000a38"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\Package\\Data\\90"
              }
            ],
            "repeated": 0,
            "id": 17928
          },
          {
            "timestamp": "2026-05-28 22:01:58,850",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a38"
              },
              {
                "name": "ValueName",
                "value": "PackageFullName"
              },
              {
                "name": "Data",
                "value": "Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\Package\\Data\\90\\PackageFullName"
              }
            ],
            "repeated": 0,
            "id": 17929
          },
          {
            "timestamp": "2026-05-28 22:01:58,850",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a38"
              },
              {
                "name": "ValueName",
                "value": "PackageFamily"
              },
              {
                "name": "Data",
                "value": "78"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\Package\\Data\\90\\PackageFamily"
              }
            ],
            "repeated": 0,
            "id": 17930
          },
          {
            "timestamp": "2026-05-28 22:01:58,850",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a38"
              },
              {
                "name": "ValueName",
                "value": "PackageType"
              },
              {
                "name": "Data",
                "value": "1"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\Package\\Data\\90\\PackageType"
              }
            ],
            "repeated": 0,
            "id": 17931
          },
          {
            "timestamp": "2026-05-28 22:01:58,850",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a38"
              },
              {
                "name": "ValueName",
                "value": "Flags"
              },
              {
                "name": "Data",
                "value": "16777224"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\Package\\Data\\90\\Flags"
              }
            ],
            "repeated": 0,
            "id": 17932
          },
          {
            "timestamp": "2026-05-28 22:01:58,850",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a38"
              },
              {
                "name": "ValueName",
                "value": "Flags2"
              },
              {
                "name": "Data",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\Package\\Data\\90\\Flags2"
              }
            ],
            "repeated": 0,
            "id": 17933
          },
          {
            "timestamp": "2026-05-28 22:01:58,850",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a38"
              },
              {
                "name": "ValueName",
                "value": "PackageOrigin"
              },
              {
                "name": "Data",
                "value": "3"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\Package\\Data\\90\\PackageOrigin"
              }
            ],
            "repeated": 0,
            "id": 17934
          },
          {
            "timestamp": "2026-05-28 22:01:58,850",
            "thread_id": "1496",
            "caller": "0x7ff6c28da9db",
            "parentcaller": "0x7ff6c28d6fb1",
            "category": "misc",
            "api": "GetCursorPos",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "x",
                "value": "579"
              },
              {
                "name": "y",
                "value": "372"
              }
            ],
            "repeated": 0,
            "id": 17935
          },
          {
            "timestamp": "2026-05-28 22:01:58,850",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a38"
              },
              {
                "name": "ValueName",
                "value": "Volume"
              },
              {
                "name": "Data",
                "value": "1"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\Package\\Data\\90\\Volume"
              }
            ],
            "repeated": 0,
            "id": 17936
          },
          {
            "timestamp": "2026-05-28 22:01:58,850",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a38"
              },
              {
                "name": "ValueName",
                "value": "OSMaxVersionTested"
              },
              {
                "name": "Data",
                "value": "\\x00\\x00UE\\x00\\x00\n\\x00"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\Package\\Data\\90\\OSMaxVersionTested"
              }
            ],
            "repeated": 0,
            "id": 17937
          },
          {
            "timestamp": "2026-05-28 22:01:58,850",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6fb1",
            "parentcaller": "0x7ff6c28e0076",
            "category": "system",
            "api": "NtDelayExecution",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 17938
          },
          {
            "timestamp": "2026-05-28 22:01:58,850",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a38"
              },
              {
                "name": "ValueName",
                "value": "InstalledLocation"
              },
              {
                "name": "Data",
                "value": "C:\\Program Files\\WindowsApps\\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\Package\\Data\\90\\InstalledLocation"
              }
            ],
            "repeated": 0,
            "id": 17939
          },
          {
            "timestamp": "2026-05-28 22:01:58,850",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a38"
              },
              {
                "name": "ValueName",
                "value": "MutableLink"
              },
              {
                "name": "Data",
                "value": ""
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\Package\\Data\\90\\MutableLink"
              }
            ],
            "repeated": 0,
            "id": 17940
          },
          {
            "timestamp": "2026-05-28 22:01:58,850",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a38"
              },
              {
                "name": "ValueName",
                "value": "MutableLocation"
              },
              {
                "name": "Data",
                "value": ""
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\Package\\Data\\90\\MutableLocation"
              }
            ],
            "repeated": 0,
            "id": 17941
          },
          {
            "timestamp": "2026-05-28 22:01:58,850",
            "thread_id": "1496",
            "caller": "0x7ff6c28da9db",
            "parentcaller": "0x7ff6c28d6fb1",
            "category": "misc",
            "api": "GetCursorPos",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "x",
                "value": "578"
              },
              {
                "name": "y",
                "value": "372"
              }
            ],
            "repeated": 0,
            "id": 17942
          },
          {
            "timestamp": "2026-05-28 22:01:58,850",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a38"
              }
            ],
            "repeated": 0,
            "id": 17943
          },
          {
            "timestamp": "2026-05-28 22:01:58,850",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000007d4"
              }
            ],
            "repeated": 0,
            "id": 17944
          },
          {
            "timestamp": "2026-05-28 22:01:58,850",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a90"
              }
            ],
            "repeated": 0,
            "id": 17945
          },
          {
            "timestamp": "2026-05-28 22:01:58,850",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000a90"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020119",
                "pretty_value": "KEY_QUERY_VALUE|KEY_ENUMERATE_SUB_KEYS|KEY_NOTIFY|KEY_WOW64_64KEY|STANDARD_RIGHTS_REQUIRED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Microsoft\\Windows NT\\CurrentVersion"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion"
              }
            ],
            "repeated": 0,
            "id": 17946
          },
          {
            "timestamp": "2026-05-28 22:01:58,850",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a90"
              }
            ],
            "repeated": 0,
            "id": 17947
          },
          {
            "timestamp": "2026-05-28 22:01:58,850",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000a90"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020119",
                "pretty_value": "KEY_QUERY_VALUE|KEY_ENUMERATE_SUB_KEYS|KEY_NOTIFY|KEY_WOW64_64KEY|STANDARD_RIGHTS_REQUIRED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Microsoft\\Windows NT\\CurrentVersion\\OEM"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\OEM"
              }
            ],
            "repeated": 0,
            "id": 17948
          },
          {
            "timestamp": "2026-05-28 22:01:58,850",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a90"
              }
            ],
            "repeated": 0,
            "id": 17949
          },
          {
            "timestamp": "2026-05-28 22:01:58,850",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache"
              },
              {
                "name": "Handle",
                "value": "0x00000a90"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache"
              }
            ],
            "repeated": 0,
            "id": 17950
          },
          {
            "timestamp": "2026-05-28 22:01:58,850",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000a90"
              },
              {
                "name": "SubKey",
                "value": "Metadata"
              },
              {
                "name": "Handle",
                "value": "0x000007d4"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\Metadata"
              }
            ],
            "repeated": 0,
            "id": 17951
          },
          {
            "timestamp": "2026-05-28 22:01:58,850",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000a90"
              },
              {
                "name": "SubKey",
                "value": "Package\\Index\\PackageFullName\\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe"
              },
              {
                "name": "Handle",
                "value": "0x00000a38"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\Package\\Index\\PackageFullName\\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe"
              }
            ],
            "repeated": 0,
            "id": 17952
          },
          {
            "timestamp": "2026-05-28 22:01:58,850",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "registry",
            "api": "RegEnumKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a38"
              },
              {
                "name": "Index",
                "value": "0"
              },
              {
                "name": "Name",
                "value": "90"
              },
              {
                "name": "Class",
                "value": ""
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\Package\\Index\\PackageFullName\\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\\90"
              }
            ],
            "repeated": 0,
            "id": 17953
          },
          {
            "timestamp": "2026-05-28 22:01:58,850",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a38"
              }
            ],
            "repeated": 0,
            "id": 17954
          },
          {
            "timestamp": "2026-05-28 22:01:58,850",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 17955
          },
          {
            "timestamp": "2026-05-28 22:01:58,850",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xc0\\x9f\\x8bT\\x92\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x92\\x02\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\xe9\\x03\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 17956
          },
          {
            "timestamp": "2026-05-28 22:01:58,850",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000a90"
              },
              {
                "name": "SubKey",
                "value": "User\\Index\\UserSid\\S-1-5-21-3968686040-3210279463-847977608-1001"
              },
              {
                "name": "Handle",
                "value": "0x00000a38"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\User\\Index\\UserSid\\S-1-5-21-3968686040-3210279463-847977608-1001"
              }
            ],
            "repeated": 0,
            "id": 17957
          },
          {
            "timestamp": "2026-05-28 22:01:58,850",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "registry",
            "api": "RegEnumKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a38"
              },
              {
                "name": "Index",
                "value": "0"
              },
              {
                "name": "Name",
                "value": "3"
              },
              {
                "name": "Class",
                "value": ""
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\User\\Index\\UserSid\\S-1-5-21-3968686040-3210279463-847977608-1001\\3"
              }
            ],
            "repeated": 0,
            "id": 17958
          },
          {
            "timestamp": "2026-05-28 22:01:58,850",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a38"
              }
            ],
            "repeated": 0,
            "id": 17959
          },
          {
            "timestamp": "2026-05-28 22:01:58,850",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000a90"
              },
              {
                "name": "SubKey",
                "value": "PackageExternalLocation\\Index\\UserAndPackage\\3^90"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\PackageExternalLocation\\Index\\UserAndPackage\\3^90"
              }
            ],
            "repeated": 0,
            "id": 17960
          },
          {
            "timestamp": "2026-05-28 22:01:58,850",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000a90"
              },
              {
                "name": "SubKey",
                "value": "PackageExternalLocation\\Index\\UserAndPackage\\0^90"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\PackageExternalLocation\\Index\\UserAndPackage\\0^90"
              }
            ],
            "repeated": 0,
            "id": 17961
          },
          {
            "timestamp": "2026-05-28 22:01:58,850",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000a90"
              },
              {
                "name": "SubKey",
                "value": "Package\\Data\\90"
              },
              {
                "name": "Handle",
                "value": "0x00000a38"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\Package\\Data\\90"
              }
            ],
            "repeated": 0,
            "id": 17962
          },
          {
            "timestamp": "2026-05-28 22:01:58,850",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a38"
              },
              {
                "name": "ValueName",
                "value": "InstalledLocation"
              },
              {
                "name": "Data",
                "value": "C:\\Program Files\\WindowsApps\\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\Package\\Data\\90\\InstalledLocation"
              }
            ],
            "repeated": 0,
            "id": 17963
          },
          {
            "timestamp": "2026-05-28 22:01:58,850",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a38"
              },
              {
                "name": "ValueName",
                "value": "MutableLink"
              },
              {
                "name": "Data",
                "value": ""
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\Package\\Data\\90\\MutableLink"
              }
            ],
            "repeated": 0,
            "id": 17964
          },
          {
            "timestamp": "2026-05-28 22:01:58,850",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a38"
              }
            ],
            "repeated": 0,
            "id": 17965
          },
          {
            "timestamp": "2026-05-28 22:01:58,850",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000007d4"
              }
            ],
            "repeated": 0,
            "id": 17966
          },
          {
            "timestamp": "2026-05-28 22:01:58,850",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a90"
              }
            ],
            "repeated": 0,
            "id": 17967
          },
          {
            "timestamp": "2026-05-28 22:01:58,850",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache"
              },
              {
                "name": "Handle",
                "value": "0x00000a90"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache"
              }
            ],
            "repeated": 0,
            "id": 17968
          },
          {
            "timestamp": "2026-05-28 22:01:58,850",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000a90"
              },
              {
                "name": "SubKey",
                "value": "Metadata"
              },
              {
                "name": "Handle",
                "value": "0x000007d4"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\Metadata"
              }
            ],
            "repeated": 0,
            "id": 17969
          },
          {
            "timestamp": "2026-05-28 22:01:58,850",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000a90"
              },
              {
                "name": "SubKey",
                "value": "Package\\Index\\PackageFullName\\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe"
              },
              {
                "name": "Handle",
                "value": "0x00000a38"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\Package\\Index\\PackageFullName\\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe"
              }
            ],
            "repeated": 0,
            "id": 17970
          },
          {
            "timestamp": "2026-05-28 22:01:58,850",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "registry",
            "api": "RegEnumKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a38"
              },
              {
                "name": "Index",
                "value": "0"
              },
              {
                "name": "Name",
                "value": "90"
              },
              {
                "name": "Class",
                "value": ""
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\Package\\Index\\PackageFullName\\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\\90"
              }
            ],
            "repeated": 0,
            "id": 17971
          },
          {
            "timestamp": "2026-05-28 22:01:58,850",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a38"
              }
            ],
            "repeated": 0,
            "id": 17972
          },
          {
            "timestamp": "2026-05-28 22:01:58,850",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 17973
          },
          {
            "timestamp": "2026-05-28 22:01:58,850",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xc0\\x93\\x8bT\\x92\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\\\x00w\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\xe9\\x03\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 17974
          },
          {
            "timestamp": "2026-05-28 22:01:58,850",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000a90"
              },
              {
                "name": "SubKey",
                "value": "User\\Index\\UserSid\\S-1-5-21-3968686040-3210279463-847977608-1001"
              },
              {
                "name": "Handle",
                "value": "0x00000a38"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\User\\Index\\UserSid\\S-1-5-21-3968686040-3210279463-847977608-1001"
              }
            ],
            "repeated": 0,
            "id": 17975
          },
          {
            "timestamp": "2026-05-28 22:01:58,850",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "registry",
            "api": "RegEnumKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a38"
              },
              {
                "name": "Index",
                "value": "0"
              },
              {
                "name": "Name",
                "value": "3"
              },
              {
                "name": "Class",
                "value": ""
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\User\\Index\\UserSid\\S-1-5-21-3968686040-3210279463-847977608-1001\\3"
              }
            ],
            "repeated": 0,
            "id": 17976
          },
          {
            "timestamp": "2026-05-28 22:01:58,850",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a38"
              }
            ],
            "repeated": 0,
            "id": 17977
          },
          {
            "timestamp": "2026-05-28 22:01:58,850",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000a90"
              },
              {
                "name": "SubKey",
                "value": "PackageExternalLocation\\Index\\UserAndPackage\\3^90"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\PackageExternalLocation\\Index\\UserAndPackage\\3^90"
              }
            ],
            "repeated": 0,
            "id": 17978
          },
          {
            "timestamp": "2026-05-28 22:01:58,850",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000a90"
              },
              {
                "name": "SubKey",
                "value": "PackageExternalLocation\\Index\\UserAndPackage\\0^90"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\PackageExternalLocation\\Index\\UserAndPackage\\0^90"
              }
            ],
            "repeated": 0,
            "id": 17979
          },
          {
            "timestamp": "2026-05-28 22:01:58,850",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000a90"
              },
              {
                "name": "SubKey",
                "value": "Package\\Data\\90"
              },
              {
                "name": "Handle",
                "value": "0x00000a38"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\Package\\Data\\90"
              }
            ],
            "repeated": 0,
            "id": 17980
          },
          {
            "timestamp": "2026-05-28 22:01:58,850",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a38"
              },
              {
                "name": "ValueName",
                "value": "InstalledLocation"
              },
              {
                "name": "Data",
                "value": "C:\\Program Files\\WindowsApps\\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\Package\\Data\\90\\InstalledLocation"
              }
            ],
            "repeated": 0,
            "id": 17981
          },
          {
            "timestamp": "2026-05-28 22:01:58,850",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a38"
              },
              {
                "name": "ValueName",
                "value": "MutableLink"
              },
              {
                "name": "Data",
                "value": ""
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\Package\\Data\\90\\MutableLink"
              }
            ],
            "repeated": 0,
            "id": 17982
          },
          {
            "timestamp": "2026-05-28 22:01:58,850",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a38"
              }
            ],
            "repeated": 0,
            "id": 17983
          },
          {
            "timestamp": "2026-05-28 22:01:58,850",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000007d4"
              }
            ],
            "repeated": 0,
            "id": 17984
          },
          {
            "timestamp": "2026-05-28 22:01:58,850",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a90"
              }
            ],
            "repeated": 0,
            "id": 17985
          },
          {
            "timestamp": "2026-05-28 22:01:58,850",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache"
              },
              {
                "name": "Handle",
                "value": "0x00000a90"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache"
              }
            ],
            "repeated": 0,
            "id": 17986
          },
          {
            "timestamp": "2026-05-28 22:01:58,850",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000a90"
              },
              {
                "name": "SubKey",
                "value": "Metadata"
              },
              {
                "name": "Handle",
                "value": "0x000007d4"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\Metadata"
              }
            ],
            "repeated": 0,
            "id": 17987
          },
          {
            "timestamp": "2026-05-28 22:01:58,850",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000a90"
              },
              {
                "name": "SubKey",
                "value": "Package\\Index\\PackageFullName\\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe"
              },
              {
                "name": "Handle",
                "value": "0x00000a38"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\Package\\Index\\PackageFullName\\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe"
              }
            ],
            "repeated": 0,
            "id": 17988
          },
          {
            "timestamp": "2026-05-28 22:01:58,850",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "registry",
            "api": "RegEnumKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a38"
              },
              {
                "name": "Index",
                "value": "0"
              },
              {
                "name": "Name",
                "value": "90"
              },
              {
                "name": "Class",
                "value": ""
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\Package\\Index\\PackageFullName\\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\\90"
              }
            ],
            "repeated": 0,
            "id": 17989
          },
          {
            "timestamp": "2026-05-28 22:01:58,850",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a38"
              }
            ],
            "repeated": 0,
            "id": 17990
          },
          {
            "timestamp": "2026-05-28 22:01:58,850",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000a90"
              },
              {
                "name": "SubKey",
                "value": "Package\\Data\\90"
              },
              {
                "name": "Handle",
                "value": "0x00000a38"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\Package\\Data\\90"
              }
            ],
            "repeated": 0,
            "id": 17991
          },
          {
            "timestamp": "2026-05-28 22:01:58,850",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a38"
              },
              {
                "name": "ValueName",
                "value": "Flags"
              },
              {
                "name": "Data",
                "value": "16777224"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\Package\\Data\\90\\Flags"
              }
            ],
            "repeated": 0,
            "id": 17992
          },
          {
            "timestamp": "2026-05-28 22:01:58,850",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a38"
              },
              {
                "name": "ValueName",
                "value": "InstalledLocation"
              },
              {
                "name": "Data",
                "value": "C:\\Program Files\\WindowsApps\\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\Package\\Data\\90\\InstalledLocation"
              }
            ],
            "repeated": 0,
            "id": 17993
          },
          {
            "timestamp": "2026-05-28 22:01:58,850",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a38"
              }
            ],
            "repeated": 0,
            "id": 17994
          },
          {
            "timestamp": "2026-05-28 22:01:58,850",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000007d4"
              }
            ],
            "repeated": 0,
            "id": 17995
          },
          {
            "timestamp": "2026-05-28 22:01:58,850",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a90"
              }
            ],
            "repeated": 0,
            "id": 17996
          },
          {
            "timestamp": "2026-05-28 22:01:58,850",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": " \\xd9\\xdf\\x9d\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\xe9\\x03\\x00\\x00\\xf0\\x00\\x00\\x00\\xf05\\x1ej\\xfc\\x7f\\x00\\x00\\x86\\xdequ\\xfc\\x7f\\x00\\x00\t\\x00\\x00\\x00K\\xb4\\x00\\x00\\x00\\x00\\x00\\x00\\xf0\\x00\\x00\\x00p\\xd9\\xdf\\x9d\\xf0\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 17997
          },
          {
            "timestamp": "2026-05-28 22:01:58,850",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000a90"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3968686040-3210279463-847977608-1001"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER"
              }
            ],
            "repeated": 0,
            "id": 17998
          },
          {
            "timestamp": "2026-05-28 22:01:58,850",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000a90"
              },
              {
                "name": "SubKey",
                "value": "Software\\Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppContainer\\Storage\\Microsoft.WindowsStore_8wekyb3d8bbwe\\ResourcesConfig"
              },
              {
                "name": "Handle",
                "value": "0x000007d4"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppContainer\\Storage\\Microsoft.WindowsStore_8wekyb3d8bbwe\\ResourcesConfig"
              }
            ],
            "repeated": 0,
            "id": 17999
          },
          {
            "timestamp": "2026-05-28 22:01:58,850",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a90"
              }
            ],
            "repeated": 0,
            "id": 18000
          },
          {
            "timestamp": "2026-05-28 22:01:58,850",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000007d4"
              },
              {
                "name": "ValueName",
                "value": "CachedMergedResourcesPriFileName"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppContainer\\Storage\\microsoft.windowsstore_8wekyb3d8bbwe\\ResourcesConfig\\CachedMergedResourcesPriFileName"
              }
            ],
            "repeated": 0,
            "id": 18001
          },
          {
            "timestamp": "2026-05-28 22:01:58,850",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000007d4"
              },
              {
                "name": "ValueName",
                "value": "CachedMergedResourcesPriFileName"
              },
              {
                "name": "Data",
                "value": "S-1-5-21-3968686040-3210279463-847977608-1001-MergedResources-0.pri"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppContainer\\Storage\\microsoft.windowsstore_8wekyb3d8bbwe\\ResourcesConfig\\CachedMergedResourcesPriFileName"
              }
            ],
            "repeated": 0,
            "id": 18002
          },
          {
            "timestamp": "2026-05-28 22:01:58,850",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Mrt"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Mrt"
              }
            ],
            "repeated": 0,
            "id": 18003
          },
          {
            "timestamp": "2026-05-28 22:01:58,850",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\SYSTEM32\\AppxDeploymentClient"
              },
              {
                "name": "DllBase",
                "value": "0x7ffc6e250000"
              }
            ],
            "repeated": 0,
            "id": 18004
          },
          {
            "timestamp": "2026-05-28 22:01:58,850",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "api-ms-win-crt-private-l1-1-0.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc75d00000"
              }
            ],
            "repeated": 0,
            "id": 18005
          },
          {
            "timestamp": "2026-05-28 22:01:58,850",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "AppxDeploymentClient.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc6e250000"
              }
            ],
            "repeated": 0,
            "id": 18006
          },
          {
            "timestamp": "2026-05-28 22:01:58,850",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x7ffc6e250000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "AppxDeploymentClient.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00000800"
              }
            ],
            "repeated": 0,
            "id": 18007
          },
          {
            "timestamp": "2026-05-28 22:01:58,850",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "AppxDeploymentClient.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc6e250000"
              },
              {
                "name": "FunctionName",
                "value": "GetMetadataRootForPackage"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc6e259b30"
              }
            ],
            "repeated": 0,
            "id": 18008
          },
          {
            "timestamp": "2026-05-28 22:01:58,850",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc6e346000"
              },
              {
                "name": "ModuleName",
                "value": "AppxDeploymentClient.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 18009
          },
          {
            "timestamp": "2026-05-28 22:01:58,850",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "ext-ms-onecore-appmodel-staterepository-cache-l1-1-0.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc6a6a0000"
              }
            ],
            "repeated": 0,
            "id": 18010
          },
          {
            "timestamp": "2026-05-28 22:01:58,850",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x7ffc6a6a0000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "ext-ms-onecore-appmodel-staterepository-cache-l1-1-0.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 18011
          },
          {
            "timestamp": "2026-05-28 22:01:58,850",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "windows.staterepositorycore.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc6a6a0000"
              },
              {
                "name": "FunctionName",
                "value": "SRCacheManager_Open"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc6a6a1200"
              }
            ],
            "repeated": 0,
            "id": 18012
          },
          {
            "timestamp": "2026-05-28 22:01:58,850",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc6e346000"
              },
              {
                "name": "ModuleName",
                "value": "AppxDeploymentClient.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 18013
          },
          {
            "timestamp": "2026-05-28 22:01:58,850",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache"
              },
              {
                "name": "Handle",
                "value": "0x00000a44"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache"
              }
            ],
            "repeated": 0,
            "id": 18014
          },
          {
            "timestamp": "2026-05-28 22:01:58,850",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000a44"
              },
              {
                "name": "SubKey",
                "value": "Metadata"
              },
              {
                "name": "Handle",
                "value": "0x00000a3c"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\Metadata"
              }
            ],
            "repeated": 0,
            "id": 18015
          },
          {
            "timestamp": "2026-05-28 22:01:58,850",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc6e346000"
              },
              {
                "name": "ModuleName",
                "value": "AppxDeploymentClient.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 18016
          },
          {
            "timestamp": "2026-05-28 22:01:58,850",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "windows.staterepositorycore.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc6a6a0000"
              },
              {
                "name": "FunctionName",
                "value": "SRCacheContext_Open"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc6a6a10c0"
              }
            ],
            "repeated": 0,
            "id": 18017
          },
          {
            "timestamp": "2026-05-28 22:01:58,850",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc6e346000"
              },
              {
                "name": "ModuleName",
                "value": "AppxDeploymentClient.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 18018
          },
          {
            "timestamp": "2026-05-28 22:01:58,850",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000a44"
              },
              {
                "name": "SubKey",
                "value": "Package\\Index\\PackageFullName\\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe"
              },
              {
                "name": "Handle",
                "value": "0x00000a30"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\Package\\Index\\PackageFullName\\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe"
              }
            ],
            "repeated": 0,
            "id": 18019
          },
          {
            "timestamp": "2026-05-28 22:01:58,850",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc6e346000"
              },
              {
                "name": "ModuleName",
                "value": "AppxDeploymentClient.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 18020
          },
          {
            "timestamp": "2026-05-28 22:01:58,850",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "windows.staterepositorycore.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc6a6a0000"
              },
              {
                "name": "FunctionName",
                "value": "SRCacheContext_EnumerateData"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc6a6a16e0"
              }
            ],
            "repeated": 0,
            "id": 18021
          },
          {
            "timestamp": "2026-05-28 22:01:58,850",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc6e346000"
              },
              {
                "name": "ModuleName",
                "value": "AppxDeploymentClient.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 18022
          },
          {
            "timestamp": "2026-05-28 22:01:58,850",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "registry",
            "api": "RegEnumKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a30"
              },
              {
                "name": "Index",
                "value": "0"
              },
              {
                "name": "Name",
                "value": "90"
              },
              {
                "name": "Class",
                "value": ""
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\Package\\Index\\PackageFullName\\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\\90"
              }
            ],
            "repeated": 0,
            "id": 18023
          },
          {
            "timestamp": "2026-05-28 22:01:58,850",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc6e346000"
              },
              {
                "name": "ModuleName",
                "value": "AppxDeploymentClient.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 18024
          },
          {
            "timestamp": "2026-05-28 22:01:58,850",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "windows.staterepositorycore.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc6a6a0000"
              },
              {
                "name": "FunctionName",
                "value": "SRCacheContext_Close"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc6a6a1630"
              }
            ],
            "repeated": 0,
            "id": 18025
          },
          {
            "timestamp": "2026-05-28 22:01:58,850",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc6e346000"
              },
              {
                "name": "ModuleName",
                "value": "AppxDeploymentClient.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 18026
          },
          {
            "timestamp": "2026-05-28 22:01:58,850",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a30"
              }
            ],
            "repeated": 0,
            "id": 18027
          },
          {
            "timestamp": "2026-05-28 22:01:58,850",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc6e346000"
              },
              {
                "name": "ModuleName",
                "value": "AppxDeploymentClient.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 18028
          },
          {
            "timestamp": "2026-05-28 22:01:58,850",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ucrtbase.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc75d00000"
              },
              {
                "name": "FunctionName",
                "value": "_o__ui64tow_s"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc75d171a0"
              }
            ],
            "repeated": 0,
            "id": 18029
          },
          {
            "timestamp": "2026-05-28 22:01:58,850",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc6e346000"
              },
              {
                "name": "ModuleName",
                "value": "AppxDeploymentClient.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 18030
          },
          {
            "timestamp": "2026-05-28 22:01:58,850",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000a44"
              },
              {
                "name": "SubKey",
                "value": "Package\\Data\\90"
              },
              {
                "name": "Handle",
                "value": "0x00000a30"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\Package\\Data\\90"
              }
            ],
            "repeated": 0,
            "id": 18031
          },
          {
            "timestamp": "2026-05-28 22:01:58,850",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc6e346000"
              },
              {
                "name": "ModuleName",
                "value": "AppxDeploymentClient.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 18032
          },
          {
            "timestamp": "2026-05-28 22:01:58,850",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "windows.staterepositorycore.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc6a6a0000"
              },
              {
                "name": "FunctionName",
                "value": "SRCacheContext_GetField_UInt32"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc6a6a1670"
              }
            ],
            "repeated": 0,
            "id": 18033
          },
          {
            "timestamp": "2026-05-28 22:01:58,850",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc6e346000"
              },
              {
                "name": "ModuleName",
                "value": "AppxDeploymentClient.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 18034
          },
          {
            "timestamp": "2026-05-28 22:01:58,850",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a30"
              },
              {
                "name": "ValueName",
                "value": "Flags"
              },
              {
                "name": "Data",
                "value": "16777224"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\Package\\Data\\90\\Flags"
              }
            ],
            "repeated": 0,
            "id": 18035
          },
          {
            "timestamp": "2026-05-28 22:01:58,850",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a30"
              }
            ],
            "repeated": 0,
            "id": 18036
          },
          {
            "timestamp": "2026-05-28 22:01:58,850",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc6e346000"
              },
              {
                "name": "ModuleName",
                "value": "AppxDeploymentClient.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 18037
          },
          {
            "timestamp": "2026-05-28 22:01:58,850",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "windows.staterepositorycore.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc6a6a0000"
              },
              {
                "name": "FunctionName",
                "value": "SRCacheManager_Close"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc6a6a17d0"
              }
            ],
            "repeated": 0,
            "id": 18038
          },
          {
            "timestamp": "2026-05-28 22:01:58,850",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc6e346000"
              },
              {
                "name": "ModuleName",
                "value": "AppxDeploymentClient.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 18039
          },
          {
            "timestamp": "2026-05-28 22:01:58,850",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a3c"
              }
            ],
            "repeated": 0,
            "id": 18040
          },
          {
            "timestamp": "2026-05-28 22:01:58,850",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a44"
              }
            ],
            "repeated": 0,
            "id": 18041
          },
          {
            "timestamp": "2026-05-28 22:01:58,850",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc6e346000"
              },
              {
                "name": "ModuleName",
                "value": "AppxDeploymentClient.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 18042
          },
          {
            "timestamp": "2026-05-28 22:01:58,850",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ucrtbase.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc75d00000"
              },
              {
                "name": "FunctionName",
                "value": "_o_free"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc75d15f10"
              }
            ],
            "repeated": 0,
            "id": 18043
          },
          {
            "timestamp": "2026-05-28 22:01:58,850",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc6e346000"
              },
              {
                "name": "ModuleName",
                "value": "AppxDeploymentClient.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 18044
          },
          {
            "timestamp": "2026-05-28 22:01:58,850",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc6e346000"
              },
              {
                "name": "ModuleName",
                "value": "AppxDeploymentClient.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 18045
          },
          {
            "timestamp": "2026-05-28 22:01:58,850",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ucrtbase.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc75d00000"
              },
              {
                "name": "FunctionName",
                "value": "memcpy"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc75d48b70"
              }
            ],
            "repeated": 0,
            "id": 18046
          },
          {
            "timestamp": "2026-05-28 22:01:58,850",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc6e346000"
              },
              {
                "name": "ModuleName",
                "value": "AppxDeploymentClient.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 18047
          },
          {
            "timestamp": "2026-05-28 22:01:58,850",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache"
              },
              {
                "name": "Handle",
                "value": "0x00000a44"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache"
              }
            ],
            "repeated": 0,
            "id": 18048
          },
          {
            "timestamp": "2026-05-28 22:01:58,850",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000a44"
              },
              {
                "name": "SubKey",
                "value": "Metadata"
              },
              {
                "name": "Handle",
                "value": "0x00000a3c"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\Metadata"
              }
            ],
            "repeated": 0,
            "id": 18049
          },
          {
            "timestamp": "2026-05-28 22:01:58,850",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000a44"
              },
              {
                "name": "SubKey",
                "value": "Package\\Index\\PackageFullName\\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe"
              },
              {
                "name": "Handle",
                "value": "0x00000a30"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\Package\\Index\\PackageFullName\\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe"
              }
            ],
            "repeated": 0,
            "id": 18050
          },
          {
            "timestamp": "2026-05-28 22:01:58,850",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "registry",
            "api": "RegEnumKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a30"
              },
              {
                "name": "Index",
                "value": "0"
              },
              {
                "name": "Name",
                "value": "90"
              },
              {
                "name": "Class",
                "value": ""
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\Package\\Index\\PackageFullName\\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\\90"
              }
            ],
            "repeated": 0,
            "id": 18051
          },
          {
            "timestamp": "2026-05-28 22:01:58,850",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a30"
              }
            ],
            "repeated": 0,
            "id": 18052
          },
          {
            "timestamp": "2026-05-28 22:01:58,850",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000a44"
              },
              {
                "name": "SubKey",
                "value": "Package\\Data\\90"
              },
              {
                "name": "Handle",
                "value": "0x00000a30"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\Package\\Data\\90"
              }
            ],
            "repeated": 0,
            "id": 18053
          },
          {
            "timestamp": "2026-05-28 22:01:58,850",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a30"
              },
              {
                "name": "ValueName",
                "value": "Flags"
              },
              {
                "name": "Data",
                "value": "16777224"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\Package\\Data\\90\\Flags"
              }
            ],
            "repeated": 0,
            "id": 18054
          },
          {
            "timestamp": "2026-05-28 22:01:58,850",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a30"
              }
            ],
            "repeated": 0,
            "id": 18055
          },
          {
            "timestamp": "2026-05-28 22:01:58,850",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a3c"
              }
            ],
            "repeated": 0,
            "id": 18056
          },
          {
            "timestamp": "2026-05-28 22:01:58,850",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a44"
              }
            ],
            "repeated": 0,
            "id": 18057
          },
          {
            "timestamp": "2026-05-28 22:01:58,850",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a38"
              }
            ],
            "repeated": 0,
            "id": 18058
          },
          {
            "timestamp": "2026-05-28 22:01:58,850",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a90"
              }
            ],
            "repeated": 0,
            "id": 18059
          },
          {
            "timestamp": "2026-05-28 22:01:58,850",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc6e346000"
              },
              {
                "name": "ModuleName",
                "value": "AppxDeploymentClient.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 18060
          },
          {
            "timestamp": "2026-05-28 22:01:58,850",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ucrtbase.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc75d00000"
              },
              {
                "name": "FunctionName",
                "value": "_o__execute_onexit_table"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc75d14120"
              }
            ],
            "repeated": 0,
            "id": 18061
          },
          {
            "timestamp": "2026-05-28 22:01:58,850",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc6e346000"
              },
              {
                "name": "ModuleName",
                "value": "AppxDeploymentClient.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 18062
          },
          {
            "timestamp": "2026-05-28 22:01:58,850",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc77fd0000"
              }
            ],
            "repeated": 0,
            "id": 18063
          },
          {
            "timestamp": "2026-05-28 22:01:58,850",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc77fd0000"
              },
              {
                "name": "FunctionName",
                "value": "RtlDllShutdownInProgress"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc78033410"
              }
            ],
            "repeated": 0,
            "id": 18064
          },
          {
            "timestamp": "2026-05-28 22:01:58,850",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc6e346000"
              },
              {
                "name": "ModuleName",
                "value": "AppxDeploymentClient.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 18065
          },
          {
            "timestamp": "2026-05-28 22:01:58,850",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ucrtbase.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc75d00000"
              },
              {
                "name": "FunctionName",
                "value": "_o___std_type_info_destroy_list"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc75d14140"
              }
            ],
            "repeated": 0,
            "id": 18066
          },
          {
            "timestamp": "2026-05-28 22:01:58,850",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc6e346000"
              },
              {
                "name": "ModuleName",
                "value": "AppxDeploymentClient.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 18067
          },
          {
            "timestamp": "2026-05-28 22:01:58,850",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "unload"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\SYSTEM32\\AppxDeploymentClient"
              },
              {
                "name": "DllBase",
                "value": "0x7ffc6e250000"
              }
            ],
            "repeated": 0,
            "id": 18068
          },
          {
            "timestamp": "2026-05-28 22:01:58,850",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc6e250000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              }
            ],
            "repeated": 0,
            "id": 18069
          },
          {
            "timestamp": "2026-05-28 22:01:58,850",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Program Files\\WindowsApps\\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\\microsoft.system.package.metadata\\S-1-5-21-3968686040-3210279463-847977608-1001-MergedResources-0.pri"
              }
            ],
            "repeated": 0,
            "id": 18070
          },
          {
            "timestamp": "2026-05-28 22:01:58,850",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000007d4"
              }
            ],
            "repeated": 0,
            "id": 18071
          },
          {
            "timestamp": "2026-05-28 22:01:58,850",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 18072
          },
          {
            "timestamp": "2026-05-28 22:01:58,850",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000000d4"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 18073
          },
          {
            "timestamp": "2026-05-28 22:01:58,850",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000000d4"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Mrt\\_Merged"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Mrt\\_Merged"
              }
            ],
            "repeated": 0,
            "id": 18074
          },
          {
            "timestamp": "2026-05-28 22:01:58,850",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "filesystem",
            "api": "NtQueryFullAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Program Files\\WindowsApps\\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\\microsoft.system.package.metadata\\S-1-5-21-3968686040-3210279463-847977608-1001-MergedResources-0.pri"
              }
            ],
            "repeated": 0,
            "id": 18075
          },
          {
            "timestamp": "2026-05-28 22:01:58,850",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000007d4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Program Files\\WindowsApps\\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\\microsoft.system.package.metadata\\S-1-5-21-3968686040-3210279463-847977608-1001-MergedResources-0.pri"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 18076
          },
          {
            "timestamp": "2026-05-28 22:01:58,850",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000007d4"
              },
              {
                "name": "HandleName",
                "value": "C:\\Program Files\\WindowsApps\\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\\microsoft.system.package.metadata\\S-1-5-21-3968686040-3210279463-847977608-1001-MergedResources-0.pri"
              },
              {
                "name": "FileInformationClass",
                "value": "5",
                "pretty_value": "FileStandardInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\x00p\\x01\\x00\\x00\\x00\\x00\\x00Pg\\x01\\x00\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 18077
          },
          {
            "timestamp": "2026-05-28 22:01:58,850",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000a90"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x000007d4"
              },
              {
                "name": "FileName",
                "value": "C:\\Program Files\\WindowsApps\\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\\microsoft.system.package.metadata\\S-1-5-21-3968686040-3210279463-847977608-1001-MergedResources-0.pri"
              }
            ],
            "repeated": 0,
            "id": 18078
          },
          {
            "timestamp": "2026-05-28 22:01:58,850",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000a90"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x292544f0000"
              },
              {
                "name": "SectionOffset",
                "value": "0xf09ddfd6c0"
              },
              {
                "name": "ViewSize",
                "value": "0x00017000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 18079
          },
          {
            "timestamp": "2026-05-28 22:01:58,850",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a90"
              }
            ],
            "repeated": 0,
            "id": 18080
          },
          {
            "timestamp": "2026-05-28 22:01:58,850",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000007d4"
              }
            ],
            "repeated": 0,
            "id": 18081
          },
          {
            "timestamp": "2026-05-28 22:01:58,850",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "filesystem",
            "api": "NtQueryFullAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Program Files\\WindowsApps\\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\\resources.pri"
              }
            ],
            "repeated": 0,
            "id": 18082
          },
          {
            "timestamp": "2026-05-28 22:01:58,850",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "filesystem",
            "api": "NtQueryFullAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Program Files\\WindowsApps\\Microsoft.WindowsStore_11910.1002.5.0_neutral_split.scale-100_8wekyb3d8bbwe\\resources.pri"
              }
            ],
            "repeated": 0,
            "id": 18083
          },
          {
            "timestamp": "2026-05-28 22:01:58,850",
            "thread_id": "5448",
            "caller": "0x7ff6c28c909e",
            "parentcaller": "0x7ff6c28c9847",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000007d4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Program Files\\WindowsApps\\Microsoft.WindowsStore_11910.1002.5.0_neutral_split.scale-100_8wekyb3d8bbwe\\resources.pri"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 18084
          },
          {
            "timestamp": "2026-05-28 22:01:58,850",
            "thread_id": "5448",
            "caller": "0x7ff6c28c909e",
            "parentcaller": "0x7ff6c28c9847",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000007d4"
              },
              {
                "name": "HandleName",
                "value": "C:\\Program Files\\WindowsApps\\Microsoft.WindowsStore_11910.1002.5.0_neutral_split.scale-100_8wekyb3d8bbwe\\resources.pri"
              },
              {
                "name": "FileInformationClass",
                "value": "5",
                "pretty_value": "FileStandardInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\x90\\x0c\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 18085
          },
          {
            "timestamp": "2026-05-28 22:01:58,850",
            "thread_id": "5448",
            "caller": "0x7ff6c28c909e",
            "parentcaller": "0x7ff6c28c9847",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000a90"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x000007d4"
              },
              {
                "name": "FileName",
                "value": "C:\\Program Files\\WindowsApps\\Microsoft.WindowsStore_11910.1002.5.0_neutral_split.scale-100_8wekyb3d8bbwe\\resources.pri"
              }
            ],
            "repeated": 0,
            "id": 18086
          },
          {
            "timestamp": "2026-05-28 22:01:58,850",
            "thread_id": "5448",
            "caller": "0x7ff6c28c909e",
            "parentcaller": "0x7ff6c28c9847",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000a90"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29255720000"
              },
              {
                "name": "SectionOffset",
                "value": "0xf09ddfd540"
              },
              {
                "name": "ViewSize",
                "value": "0x00001000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 18087
          },
          {
            "timestamp": "2026-05-28 22:01:58,850",
            "thread_id": "5448",
            "caller": "0x7ff6c28c909e",
            "parentcaller": "0x7ff6c28c9847",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a90"
              }
            ],
            "repeated": 0,
            "id": 18088
          },
          {
            "timestamp": "2026-05-28 22:01:58,850",
            "thread_id": "5448",
            "caller": "0x7ff6c28c909e",
            "parentcaller": "0x7ff6c28c9847",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000007d4"
              }
            ],
            "repeated": 0,
            "id": 18089
          },
          {
            "timestamp": "2026-05-28 22:01:58,850",
            "thread_id": "5448",
            "caller": "0x7ff6c28dcbb5",
            "parentcaller": "0x7ff6c28c996f",
            "category": "process",
            "api": "NtUnmapViewOfSectionEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x292544f0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00017000"
              },
              {
                "name": "Flags",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 18090
          },
          {
            "timestamp": "2026-05-28 22:01:58,865",
            "thread_id": "5448",
            "caller": "0x7ff6c28dcbb5",
            "parentcaller": "0x7ff6c28c996f",
            "category": "process",
            "api": "NtUnmapViewOfSectionEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29255720000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Flags",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 18091
          },
          {
            "timestamp": "2026-05-28 22:01:58,865",
            "thread_id": "5448",
            "caller": "0x7ff6c28ba417",
            "parentcaller": "0x7ff6c28ba33d",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Program Files\\WindowsApps\\Microsoft.WindowsStore_11910.1002.5.0_neutral_split.scale-100_8wekyb3d8bbwe\\Assets\\AppTiles\\StoreAppList.scale-100.png"
              }
            ],
            "repeated": 0,
            "id": 18092
          },
          {
            "timestamp": "2026-05-28 22:01:58,865",
            "thread_id": "5448",
            "caller": "0x7ff6c28ba417",
            "parentcaller": "0x7ff6c28ba33d",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000007d4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Program Files\\WindowsApps\\Microsoft.WindowsStore_11910.1002.5.0_neutral_split.scale-100_8wekyb3d8bbwe\\Assets\\AppTiles\\StoreAppList.scale-100.png"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "1",
                "pretty_value": "FILE_SHARE_READ"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 18093
          },
          {
            "timestamp": "2026-05-28 22:01:58,865",
            "thread_id": "5448",
            "caller": "0x7ff6c28ba417",
            "parentcaller": "0x7ff6c28ba33d",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000a90"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x000007d4"
              },
              {
                "name": "FileName",
                "value": "C:\\Program Files\\WindowsApps\\Microsoft.WindowsStore_11910.1002.5.0_neutral_split.scale-100_8wekyb3d8bbwe\\Assets\\AppTiles\\StoreAppList.scale-100.png"
              }
            ],
            "repeated": 0,
            "id": 18094
          },
          {
            "timestamp": "2026-05-28 22:01:58,865",
            "thread_id": "5448",
            "caller": "0x7ff6c28ba417",
            "parentcaller": "0x7ff6c28ba33d",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000a90"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x292544f0000"
              },
              {
                "name": "SectionOffset",
                "value": "0xf09ddfd970"
              },
              {
                "name": "ViewSize",
                "value": "0x00001000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 18095
          },
          {
            "timestamp": "2026-05-28 22:01:58,865",
            "thread_id": "5448",
            "caller": "0x7ff6c28ba417",
            "parentcaller": "0x7ff6c28ba33d",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000007d4"
              },
              {
                "name": "HandleName",
                "value": "C:\\Program Files\\WindowsApps\\Microsoft.WindowsStore_11910.1002.5.0_neutral_split.scale-100_8wekyb3d8bbwe\\Assets\\AppTiles\\StoreAppList.scale-100.png"
              },
              {
                "name": "FileInformationClass",
                "value": "5",
                "pretty_value": "FileStandardInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\x10\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x0b\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 18096
          },
          {
            "timestamp": "2026-05-28 22:01:58,865",
            "thread_id": "5448",
            "caller": "0x7ff6c28ba417",
            "parentcaller": "0x7ff6c28ba33d",
            "category": "process",
            "api": "NtUnmapViewOfSectionEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x292544f0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Flags",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 18097
          },
          {
            "timestamp": "2026-05-28 22:01:58,865",
            "thread_id": "5448",
            "caller": "0x7ff6c28ba417",
            "parentcaller": "0x7ff6c28ba33d",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a90"
              }
            ],
            "repeated": 0,
            "id": 18098
          },
          {
            "timestamp": "2026-05-28 22:01:58,865",
            "thread_id": "5448",
            "caller": "0x7ff6c28ba417",
            "parentcaller": "0x7ff6c28ba33d",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000007d4"
              }
            ],
            "repeated": 0,
            "id": 18099
          },
          {
            "timestamp": "2026-05-28 22:01:58,865",
            "thread_id": "5448",
            "caller": "0x7ff6c28ba46d",
            "parentcaller": "0x7ff6c28ba33d",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Program Files\\WindowsApps\\Microsoft.WindowsStore_11910.1002.5.0_neutral_split.scale-100_8wekyb3d8bbwe\\Assets\\AppTiles\\StoreAppList.scale-100.png"
              }
            ],
            "repeated": 0,
            "id": 18100
          },
          {
            "timestamp": "2026-05-28 22:01:58,865",
            "thread_id": "5448",
            "caller": "0x7ff6c28ba46d",
            "parentcaller": "0x7ff6c28ba33d",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000007d4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Program Files\\WindowsApps\\Microsoft.WindowsStore_11910.1002.5.0_neutral_split.scale-100_8wekyb3d8bbwe\\Assets\\AppTiles\\StoreAppList.scale-100.png"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "1",
                "pretty_value": "FILE_SHARE_READ"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 18101
          },
          {
            "timestamp": "2026-05-28 22:01:58,865",
            "thread_id": "5448",
            "caller": "0x7ff6c28ba46d",
            "parentcaller": "0x7ff6c28ba33d",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000a90"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x000007d4"
              },
              {
                "name": "FileName",
                "value": "C:\\Program Files\\WindowsApps\\Microsoft.WindowsStore_11910.1002.5.0_neutral_split.scale-100_8wekyb3d8bbwe\\Assets\\AppTiles\\StoreAppList.scale-100.png"
              }
            ],
            "repeated": 0,
            "id": 18102
          },
          {
            "timestamp": "2026-05-28 22:01:58,865",
            "thread_id": "5448",
            "caller": "0x7ff6c28ba46d",
            "parentcaller": "0x7ff6c28ba33d",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000a90"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x292544f0000"
              },
              {
                "name": "SectionOffset",
                "value": "0xf09ddfd970"
              },
              {
                "name": "ViewSize",
                "value": "0x00001000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 18103
          },
          {
            "timestamp": "2026-05-28 22:01:58,865",
            "thread_id": "5448",
            "caller": "0x7ff6c28ba46d",
            "parentcaller": "0x7ff6c28ba33d",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000007d4"
              },
              {
                "name": "HandleName",
                "value": "C:\\Program Files\\WindowsApps\\Microsoft.WindowsStore_11910.1002.5.0_neutral_split.scale-100_8wekyb3d8bbwe\\Assets\\AppTiles\\StoreAppList.scale-100.png"
              },
              {
                "name": "FileInformationClass",
                "value": "5",
                "pretty_value": "FileStandardInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\x10\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x0b\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 18104
          },
          {
            "timestamp": "2026-05-28 22:01:58,865",
            "thread_id": "5448",
            "caller": "0x7ff6c28ba46d",
            "parentcaller": "0x7ff6c28ba33d",
            "category": "process",
            "api": "NtUnmapViewOfSectionEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x292544f0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Flags",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 18105
          },
          {
            "timestamp": "2026-05-28 22:01:58,865",
            "thread_id": "5448",
            "caller": "0x7ff6c28ba46d",
            "parentcaller": "0x7ff6c28ba33d",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a90"
              }
            ],
            "repeated": 0,
            "id": 18106
          },
          {
            "timestamp": "2026-05-28 22:01:58,865",
            "thread_id": "5448",
            "caller": "0x7ff6c28ba46d",
            "parentcaller": "0x7ff6c28ba33d",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000007d4"
              }
            ],
            "repeated": 0,
            "id": 18107
          },
          {
            "timestamp": "2026-05-28 22:01:58,865",
            "thread_id": "5448",
            "caller": "0x7ff6c28ba589",
            "parentcaller": "0x7ff6c28ba4a3",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "317D06E8-5F24-433D-BDF7-79CE68D8ABC2"
              },
              {
                "name": "ClsContext",
                "value": "0x00000001",
                "pretty_value": "CLSCTX_INPROC_SERVER"
              },
              {
                "name": "riid",
                "value": "EC5EC8A9-C395-4314-9C77-54D7A935FF70"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 18108
          },
          {
            "timestamp": "2026-05-28 22:01:58,865",
            "thread_id": "5448",
            "caller": "0x7ff6c28ba673",
            "parentcaller": "0x7ff6c28ba5a8",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000007d4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Program Files\\WindowsApps\\Microsoft.WindowsStore_11910.1002.5.0_neutral_split.scale-100_8wekyb3d8bbwe\\Assets\\AppTiles\\StoreAppList.scale-100.png"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "1",
                "pretty_value": "FILE_SHARE_READ"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000080",
                "pretty_value": "FILE_ATTRIBUTE_NORMAL"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 18109
          },
          {
            "timestamp": "2026-05-28 22:01:58,865",
            "thread_id": "5448",
            "caller": "0x7ff6c28ba673",
            "parentcaller": "0x7ff6c28ba5a8",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000007d4"
              },
              {
                "name": "HandleName",
                "value": "C:\\Program Files\\WindowsApps\\Microsoft.WindowsStore_11910.1002.5.0_neutral_split.scale-100_8wekyb3d8bbwe\\Assets\\AppTiles\\StoreAppList.scale-100.png"
              },
              {
                "name": "FileInformationClass",
                "value": "18",
                "pretty_value": "FileAllInformation"
              },
              {
                "name": "FileInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 18110
          },
          {
            "timestamp": "2026-05-28 22:01:58,865",
            "thread_id": "5448",
            "caller": "0x7ff6c28ba673",
            "parentcaller": "0x7ff6c28ba5a8",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000007d4"
              },
              {
                "name": "HandleName",
                "value": "C:\\Program Files\\WindowsApps\\Microsoft.WindowsStore_11910.1002.5.0_neutral_split.scale-100_8wekyb3d8bbwe\\Assets\\AppTiles\\StoreAppList.scale-100.png"
              },
              {
                "name": "FileInformationClass",
                "value": "14",
                "pretty_value": "FilePositionInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 3,
            "id": 18111
          },
          {
            "timestamp": "2026-05-28 22:01:58,865",
            "thread_id": "5448",
            "caller": "0x7ff6c28ba673",
            "parentcaller": "0x7ff6c28ba5a8",
            "category": "filesystem",
            "api": "NtReadFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000007d4"
              },
              {
                "name": "HandleName",
                "value": "C:\\Program Files\\WindowsApps\\Microsoft.WindowsStore_11910.1002.5.0_neutral_split.scale-100_8wekyb3d8bbwe\\Assets\\AppTiles\\StoreAppList.scale-100.png"
              },
              {
                "name": "Buffer",
                "value": "\\x89PNG\r\n\\x1a\n\\x00\\x00\\x00\rIHDR"
              },
              {
                "name": "Length",
                "value": "16"
              }
            ],
            "repeated": 0,
            "id": 18112
          },
          {
            "timestamp": "2026-05-28 22:01:58,865",
            "thread_id": "5448",
            "caller": "0x7ff6c28ba673",
            "parentcaller": "0x7ff6c28ba5a8",
            "category": "filesystem",
            "api": "NtSetInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000007d4"
              },
              {
                "name": "HandleName",
                "value": "C:\\Program Files\\WindowsApps\\Microsoft.WindowsStore_11910.1002.5.0_neutral_split.scale-100_8wekyb3d8bbwe\\Assets\\AppTiles\\StoreAppList.scale-100.png"
              },
              {
                "name": "FileInformationClass",
                "value": "14",
                "pretty_value": "FilePositionInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 17,
            "id": 18113
          },
          {
            "timestamp": "2026-05-28 22:01:58,865",
            "thread_id": "5448",
            "caller": "0x7ff6c28ba673",
            "parentcaller": "0x7ff6c28ba5a8",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000007d4"
              },
              {
                "name": "HandleName",
                "value": "C:\\Program Files\\WindowsApps\\Microsoft.WindowsStore_11910.1002.5.0_neutral_split.scale-100_8wekyb3d8bbwe\\Assets\\AppTiles\\StoreAppList.scale-100.png"
              },
              {
                "name": "FileInformationClass",
                "value": "5",
                "pretty_value": "FileStandardInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\x10\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x0b\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 18114
          },
          {
            "timestamp": "2026-05-28 22:01:58,865",
            "thread_id": "5448",
            "caller": "0x7ff6c28ba673",
            "parentcaller": "0x7ff6c28ba5a8",
            "category": "filesystem",
            "api": "NtSetInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000007d4"
              },
              {
                "name": "HandleName",
                "value": "C:\\Program Files\\WindowsApps\\Microsoft.WindowsStore_11910.1002.5.0_neutral_split.scale-100_8wekyb3d8bbwe\\Assets\\AppTiles\\StoreAppList.scale-100.png"
              },
              {
                "name": "FileInformationClass",
                "value": "14",
                "pretty_value": "FilePositionInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 2,
            "id": 18115
          },
          {
            "timestamp": "2026-05-28 22:01:58,865",
            "thread_id": "5448",
            "caller": "0x7ff6c28ba673",
            "parentcaller": "0x7ff6c28ba5a8",
            "category": "filesystem",
            "api": "NtReadFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000007d4"
              },
              {
                "name": "HandleName",
                "value": "C:\\Program Files\\WindowsApps\\Microsoft.WindowsStore_11910.1002.5.0_neutral_split.scale-100_8wekyb3d8bbwe\\Assets\\AppTiles\\StoreAppList.scale-100.png"
              },
              {
                "name": "Buffer",
                "value": "\\x89PNG\r\n\\x1a\n"
              },
              {
                "name": "Length",
                "value": "8"
              }
            ],
            "repeated": 0,
            "id": 18116
          },
          {
            "timestamp": "2026-05-28 22:01:58,865",
            "thread_id": "5448",
            "caller": "0x7ff6c28ba673",
            "parentcaller": "0x7ff6c28ba5a8",
            "category": "filesystem",
            "api": "NtSetInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000007d4"
              },
              {
                "name": "HandleName",
                "value": "C:\\Program Files\\WindowsApps\\Microsoft.WindowsStore_11910.1002.5.0_neutral_split.scale-100_8wekyb3d8bbwe\\Assets\\AppTiles\\StoreAppList.scale-100.png"
              },
              {
                "name": "FileInformationClass",
                "value": "14",
                "pretty_value": "FilePositionInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 2,
            "id": 18117
          },
          {
            "timestamp": "2026-05-28 22:01:58,865",
            "thread_id": "5448",
            "caller": "0x7ff6c28ba673",
            "parentcaller": "0x7ff6c28ba5a8",
            "category": "filesystem",
            "api": "NtReadFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000007d4"
              },
              {
                "name": "HandleName",
                "value": "C:\\Program Files\\WindowsApps\\Microsoft.WindowsStore_11910.1002.5.0_neutral_split.scale-100_8wekyb3d8bbwe\\Assets\\AppTiles\\StoreAppList.scale-100.png"
              },
              {
                "name": "Buffer",
                "value": "\\x00\\x00\\x00\rIHDR"
              },
              {
                "name": "Length",
                "value": "8"
              }
            ],
            "repeated": 0,
            "id": 18118
          },
          {
            "timestamp": "2026-05-28 22:01:58,865",
            "thread_id": "5448",
            "caller": "0x7ff6c28ba673",
            "parentcaller": "0x7ff6c28ba5a8",
            "category": "filesystem",
            "api": "NtSetInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000007d4"
              },
              {
                "name": "HandleName",
                "value": "C:\\Program Files\\WindowsApps\\Microsoft.WindowsStore_11910.1002.5.0_neutral_split.scale-100_8wekyb3d8bbwe\\Assets\\AppTiles\\StoreAppList.scale-100.png"
              },
              {
                "name": "FileInformationClass",
                "value": "14",
                "pretty_value": "FilePositionInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 2,
            "id": 18119
          },
          {
            "timestamp": "2026-05-28 22:01:58,865",
            "thread_id": "5448",
            "caller": "0x7ff6c28ba673",
            "parentcaller": "0x7ff6c28ba5a8",
            "category": "filesystem",
            "api": "NtReadFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000007d4"
              },
              {
                "name": "HandleName",
                "value": "C:\\Program Files\\WindowsApps\\Microsoft.WindowsStore_11910.1002.5.0_neutral_split.scale-100_8wekyb3d8bbwe\\Assets\\AppTiles\\StoreAppList.scale-100.png"
              },
              {
                "name": "Buffer",
                "value": "\\x00\\x00\\x00,\\x00\\x00\\x00,\\x08\\x06\\x00\\x00\\x00\\x1e\\x84Z\\x01"
              },
              {
                "name": "Length",
                "value": "17"
              }
            ],
            "repeated": 0,
            "id": 18120
          },
          {
            "timestamp": "2026-05-28 22:01:58,865",
            "thread_id": "5448",
            "caller": "0x7ff6c28ba673",
            "parentcaller": "0x7ff6c28ba5a8",
            "category": "filesystem",
            "api": "NtSetInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000007d4"
              },
              {
                "name": "HandleName",
                "value": "C:\\Program Files\\WindowsApps\\Microsoft.WindowsStore_11910.1002.5.0_neutral_split.scale-100_8wekyb3d8bbwe\\Assets\\AppTiles\\StoreAppList.scale-100.png"
              },
              {
                "name": "FileInformationClass",
                "value": "14",
                "pretty_value": "FilePositionInformation"
              },
              {
                "name": "FileInformation",
                "value": "!\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 2,
            "id": 18121
          },
          {
            "timestamp": "2026-05-28 22:01:58,865",
            "thread_id": "5448",
            "caller": "0x7ff6c28ba673",
            "parentcaller": "0x7ff6c28ba5a8",
            "category": "filesystem",
            "api": "NtReadFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000007d4"
              },
              {
                "name": "HandleName",
                "value": "C:\\Program Files\\WindowsApps\\Microsoft.WindowsStore_11910.1002.5.0_neutral_split.scale-100_8wekyb3d8bbwe\\Assets\\AppTiles\\StoreAppList.scale-100.png"
              },
              {
                "name": "Buffer",
                "value": "\\x00\\x00\\x00\\xd2IDAT"
              },
              {
                "name": "Length",
                "value": "8"
              }
            ],
            "repeated": 0,
            "id": 18122
          },
          {
            "timestamp": "2026-05-28 22:01:58,865",
            "thread_id": "5448",
            "caller": "0x7ff6c28ba143",
            "parentcaller": "0x7ff6c28ba006",
            "category": "filesystem",
            "api": "NtSetInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000007d4"
              },
              {
                "name": "HandleName",
                "value": "C:\\Program Files\\WindowsApps\\Microsoft.WindowsStore_11910.1002.5.0_neutral_split.scale-100_8wekyb3d8bbwe\\Assets\\AppTiles\\StoreAppList.scale-100.png"
              },
              {
                "name": "FileInformationClass",
                "value": "14",
                "pretty_value": "FilePositionInformation"
              },
              {
                "name": "FileInformation",
                "value": "!\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 2,
            "id": 18123
          },
          {
            "timestamp": "2026-05-28 22:01:58,865",
            "thread_id": "5448",
            "caller": "0x7ff6c28ba143",
            "parentcaller": "0x7ff6c28ba006",
            "category": "filesystem",
            "api": "NtReadFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000007d4"
              },
              {
                "name": "HandleName",
                "value": "C:\\Program Files\\WindowsApps\\Microsoft.WindowsStore_11910.1002.5.0_neutral_split.scale-100_8wekyb3d8bbwe\\Assets\\AppTiles\\StoreAppList.scale-100.png"
              },
              {
                "name": "Buffer",
                "value": "\\x00\\x00\\x00\\xd2IDAT"
              },
              {
                "name": "Length",
                "value": "8"
              }
            ],
            "repeated": 0,
            "id": 18124
          },
          {
            "timestamp": "2026-05-28 22:01:58,865",
            "thread_id": "5448",
            "caller": "0x7ff6c28ba143",
            "parentcaller": "0x7ff6c28ba006",
            "category": "filesystem",
            "api": "NtSetInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000007d4"
              },
              {
                "name": "HandleName",
                "value": "C:\\Program Files\\WindowsApps\\Microsoft.WindowsStore_11910.1002.5.0_neutral_split.scale-100_8wekyb3d8bbwe\\Assets\\AppTiles\\StoreAppList.scale-100.png"
              },
              {
                "name": "FileInformationClass",
                "value": "14",
                "pretty_value": "FilePositionInformation"
              },
              {
                "name": "FileInformation",
                "value": "!\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 2,
            "id": 18125
          },
          {
            "timestamp": "2026-05-28 22:01:58,865",
            "thread_id": "5448",
            "caller": "0x7ff6c28ba143",
            "parentcaller": "0x7ff6c28ba006",
            "category": "filesystem",
            "api": "NtReadFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000007d4"
              },
              {
                "name": "HandleName",
                "value": "C:\\Program Files\\WindowsApps\\Microsoft.WindowsStore_11910.1002.5.0_neutral_split.scale-100_8wekyb3d8bbwe\\Assets\\AppTiles\\StoreAppList.scale-100.png"
              },
              {
                "name": "Buffer",
                "value": "\\x00\\x00\\x00\\xd2IDATX\\xc3\\xed\\xd8\\xc1\t\\xc2@\\x10\\x85\\xe1)!%\\x04+I\t)aK\\xb0\\x03-\\xc1\\x12<X\\x80W=\\xa5\\x04KH\\x07\\x8a\r\\xfc\\x1e|\\x8b9,\\xeam\\x13\\xf2\\x06\\x1eK`\\x0e\\x1f\\xc3\\x10\\x96\r \\x96\\x940\\xd8`\\x83\\x97\\x0bn\\x81#p\\xe3]\\xa3\\xbe\\xdb9\\x82\\x13\\x9f:\\x03{\\x9d\\xb9\\xd2\\x9c\\xc0\\x19;h\\x9aI\\xd8\\x018h\\xd2\\x19\\xdd\\xd5\\x067\\xc0Ck\\x10Z\\x014\\xe1f\\xd23\\xaa\\xafSO5p/`?\\x99\\xf4\\xf6G\\xdfMg\\x15\\xf0^\\x90\\x10d\\xfc\\xd2\\x9b'\\x9f\\xf7\\xbb:8\\x83\\xfe\\x01c0u\\xcb`\\x83\r.\\xd5\\xb3\\xdf\\x14\\x03\\xb0\\xbbF1\\x06\\x1bl\\xf0\\x9a\\xc0\\x8b\\xfb\\xad\\xc5\\xe9^\\x0c\\x00\\x97(\\xc7`\\x83\r^\\x11\\xd8\\xd7K\\x83g\\x0eN\\x95\\xb0\\xc9\\xef\\xc3\\x06\\x1bl\\xf0\\x8a\\xc0/\\xf34\\xb6\\xad\\x9f\\x93\\x13\t\\x00\\x00\\x00\\x00IEND"
              },
              {
                "name": "Length",
                "value": "230"
              }
            ],
            "repeated": 0,
            "id": 18126
          },
          {
            "timestamp": "2026-05-28 22:01:58,865",
            "thread_id": "5448",
            "caller": "0x7ff6c28b3747",
            "parentcaller": "0x7ff6c28ba5eb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000007d4"
              }
            ],
            "repeated": 0,
            "id": 18127
          },
          {
            "timestamp": "2026-05-28 22:01:58,865",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c38f8",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000007d4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001410",
                "pretty_value": "PROCESS_VM_READ|PROCESS_QUERY_INFORMATION|PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "1084"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Program Files\\WindowsApps\\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\\WinStore.App.exe"
              }
            ],
            "repeated": 0,
            "id": 18128
          },
          {
            "timestamp": "2026-05-28 22:01:58,865",
            "thread_id": "5448",
            "caller": "0x7ff6c28c53e5",
            "parentcaller": "0x7ff6c28c3945",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000007d4"
              },
              {
                "name": "BaseAddress",
                "value": "0x5a5e43f000"
              },
              {
                "name": "Size",
                "value": "0x000007c8"
              },
              {
                "name": "Buffer",
                "value": "\\x00\\x00\\x004\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00r\\x9c\\xf6\\x7f\\x00\\x00\\xc0\\xc4\\x13x\\xfc\\x7f\\x00\\x00\\x004\\xe0O\\x1b\\x02\\x00\\x00\\xd0\\xb1\\x0fp\\xfc\\x7f\\x00\\x00\\x00\\x00\\xcaO\\x1b\\x02\\x00\\x00\\xe0\\xc0\\x13x\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00p\\x003v\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xc5O\\x1b\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00@\\xc4\\x13x\\xfc\\x7f\\x00\\x00\\xff\\xff\\xff\\xff\\x0f\\x00\\x00\\x00\\x00\\x00]R\\xf4\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00P\\x07]R\\xf4\\x7f\\x00\\x00\\x00\\x00qT\\xf5\\x7f\\x00\\x00(\\x02rT\\xf5\\x7f\\x00\\x00P\\x06sT\\xf5\\x7f\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x80\\x9b\\x07m\\xe8\\xff\\xff\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x00 \\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x10\\x00\\x00\\x00@\\xad\\x13x\\xfc\\x7f\\x00\\x00\\x00\\x00Yh\\x1b\\x02\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 18129
          },
          {
            "timestamp": "2026-05-28 22:01:58,865",
            "thread_id": "5448",
            "caller": "0x7ff6c28c5414",
            "parentcaller": "0x7ff6c28c3945",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000007d4"
              },
              {
                "name": "BaseAddress",
                "value": "0x21b4fe03400"
              },
              {
                "name": "Size",
                "value": "0x00000440"
              },
              {
                "name": "Buffer",
                "value": "\\x00\\x0c\\x00\\x00\\x00\\x0c\\x00\\x00\\x01@\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xac\\x00\\x08\\x02\\x00\\x00\\x00\\x000D\\xe0O\\x1b\\x02\\x00\\x00@\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xce\\x02\\xd0\\x02\\x00\\x00\\x00\\x00H:\\xe0O\\x1b\\x02\\x00\\x00\\xcc\\x00\\xce\\x00\\x00\\x00\\x00\\x00\\x18=\\xe0O\\x1b\\x02\\x00\\x00B\\x01D\\x01\\x00\\x00\\x00\\x00\\xe6=\\xe0O\\x1b\\x02\\x00\\x00\\xf0'\\xe0O\\x1b\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x80\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xd0\\x00\\xd2\\x00\\x00\\x00\\x00\\x00*?\\xe0O\\x1b\\x02\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\xfc?\\xe0O\\x1b\\x02\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\xfe?\\xe0O\\x1b\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 18130
          },
          {
            "timestamp": "2026-05-28 22:01:58,865",
            "thread_id": "5448",
            "caller": "0x7ff6c28c545d",
            "parentcaller": "0x7ff6c28c3945",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000007d4"
              },
              {
                "name": "BaseAddress",
                "value": "0x21b4fe03de6"
              },
              {
                "name": "Size",
                "value": "0x00000142"
              },
              {
                "name": "Buffer",
                "value": "\"\\x00C\\x00:\\x00\\\\x00P\\x00r\\x00o\\x00g\\x00r\\x00a\\x00m\\x00 \\x00F\\x00i\\x00l\\x00e\\x00s\\x00\\\\x00W\\x00i\\x00n\\x00d\\x00o\\x00w\\x00s\\x00A\\x00p\\x00p\\x00s\\x00\\\\x00M\\x00i\\x00c\\x00r\\x00o\\x00s\\x00o\\x00f\\x00t\\x00.\\x00W\\x00i\\x00n\\x00d\\x00o\\x00w\\x00s\\x00S\\x00t\\x00o\\x00r\\x00e\\x00_\\x001\\x001\\x009\\x001\\x000\\x00.\\x001\\x000\\x000\\x002\\x00.\\x005\\x00.\\x000\\x00_\\x00x\\x006\\x004\\x00_\\x00_\\x008\\x00w\\x00e\\x00k\\x00y\\x00b\\x003\\x00d\\x008\\x00b\\x00b\\x00w\\x00e\\x00\\\\x00W\\x00i\\x00n\\x00S\\x00t\\x00o\\x00r\\x00e\\x00.\\x00A\\x00p\\x00p\\x00.\\x00e\\x00x\\x00e\\x00\"\\x00 \\x00-\\x00S\\x00e\\x00r\\x00v\\x00e\\x00r\\x00N\\x00a\\x00m\\x00e\\x00:\\x00A\\x00p\\x00p\\x00.\\x00A\\x00p\\x00p\\x00X\\x00c\\x007\\x005\\x00"
              }
            ],
            "repeated": 0,
            "id": 18131
          },
          {
            "timestamp": "2026-05-28 22:01:58,865",
            "thread_id": "5448",
            "caller": "0x7ff6c28c39ad",
            "parentcaller": "0x7ff6c28c31bb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000007d4"
              }
            ],
            "repeated": 0,
            "id": 18132
          },
          {
            "timestamp": "2026-05-28 22:01:58,865",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c3746",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000007d4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001000",
                "pretty_value": "PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "1084"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Program Files\\WindowsApps\\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\\WinStore.App.exe"
              }
            ],
            "repeated": 0,
            "id": 18133
          },
          {
            "timestamp": "2026-05-28 22:01:58,865",
            "thread_id": "5448",
            "caller": "0x7ff6c28c472e",
            "parentcaller": "0x7ff6c28c375e",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000007d4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x00000a90"
              }
            ],
            "repeated": 0,
            "id": 18134
          },
          {
            "timestamp": "2026-05-28 22:01:58,865",
            "thread_id": "5448",
            "caller": "0x7ff6c28c4764",
            "parentcaller": "0x7ff6c28c375e",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "39"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 18135
          },
          {
            "timestamp": "2026-05-28 22:01:58,865",
            "thread_id": "5448",
            "caller": "0x7ff6c28c47ed",
            "parentcaller": "0x7ff6c28c375e",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "39"
              },
              {
                "name": "TokenInformation",
                "value": "\\x01\\x00\\x00\\x00\\x04\\x00\\x00\\x00@\\xe8\\x19T\\x92\\x02\\x00\\x00\\x1c\\x00\\x1c\\x00\\x00\\x00\\x00\\x00\\xe0\\xe8\\x19T\\x92\\x02\\x00\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xe9\\x19T\\x92\\x02\\x00\\x00\\x12\\x00\\x12\\x00\\x00\\x00\\x00\\x00\\xee\\xe9\\x19T\\x92\\x02\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xea\\x19T\\x92\\x02\\x00\\x00\\x1e\\x00\\x1e\\x00\\x00\\x00\\x00\\x00\\x08\\xea\\x19T\\x92\\x02\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00(\\xea\\x19T\\x92\\x02\\x00\\x00 \\x00 \\x00\\x00\\x00\\x00\\x000\\xea\\x19T\\x92\\x02\\x00\\x00\\x02\\x00\\x00\\x00A\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00P\\xea\\x19T\\x92\\x02\\x00\\x00W\\x00I\\x00N\\x00:\\x00/\\x00/\\x00S\\x00Y\\x00S\\x00A\\x00P\\x00P\\x00I\\x00D\\x00\\x00\\x00\\x00\\x00p\\x00p\\x00\\x00\\x00\\x00\\x000\\xe9\\x19T\\x92\\x02\\x00\\x00\\x06\\x00\\x06\\x00\\x00\\x00\\x00\\x00\\xa0\\xe9\\x19T\\x92\\x02\\x00\\x00H\\x00H\\x00\\x00\\x00\\x00\\x00\\xa6\\xe9\\x19T\\x92\\x02\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 18136
          },
          {
            "timestamp": "2026-05-28 22:01:58,865",
            "thread_id": "5448",
            "caller": "0x7ff6c28c488d",
            "parentcaller": "0x7ff6c28c375e",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a90"
              }
            ],
            "repeated": 0,
            "id": 18137
          },
          {
            "timestamp": "2026-05-28 22:01:58,865",
            "thread_id": "5448",
            "caller": "0x7ff6c28c3779",
            "parentcaller": "0x7ff6c28c31c6",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000007d4"
              }
            ],
            "repeated": 0,
            "id": 18138
          },
          {
            "timestamp": "2026-05-28 22:01:58,865",
            "thread_id": "5448",
            "caller": "0x7ff6c28c05ac",
            "parentcaller": "0x7ff6c28bdc11",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000007d4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001400",
                "pretty_value": "PROCESS_QUERY_INFORMATION|PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "7444"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\System32\\RuntimeBroker.exe"
              }
            ],
            "repeated": 0,
            "id": 18139
          },
          {
            "timestamp": "2026-05-28 22:01:58,865",
            "thread_id": "5448",
            "caller": "0x7ff6c28c068f",
            "parentcaller": "0x7ff6c28bdc11",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000007d4"
              }
            ],
            "repeated": 0,
            "id": 18140
          },
          {
            "timestamp": "2026-05-28 22:01:58,865",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c837c",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000007d4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001000",
                "pretty_value": "PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "7444"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\System32\\RuntimeBroker.exe"
              }
            ],
            "repeated": 0,
            "id": 18141
          },
          {
            "timestamp": "2026-05-28 22:01:58,865",
            "thread_id": "5448",
            "caller": "0x7ff6c28c472e",
            "parentcaller": "0x7ff6c28c8392",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000007d4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x00000a90"
              }
            ],
            "repeated": 0,
            "id": 18142
          },
          {
            "timestamp": "2026-05-28 22:01:58,865",
            "thread_id": "5448",
            "caller": "0x7ff6c28c4764",
            "parentcaller": "0x7ff6c28c8392",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "39"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 18143
          },
          {
            "timestamp": "2026-05-28 22:01:58,865",
            "thread_id": "5448",
            "caller": "0x7ff6c28c47ed",
            "parentcaller": "0x7ff6c28c8392",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "39"
              },
              {
                "name": "TokenInformation",
                "value": "\\x01\\x00\\x00\\x00\\x03\\x00\\x00\\x00pq\\x9aT\\x92\\x02\\x00\\x00\\x1c\\x00\\x1c\\x00\\x00\\x00\\x00\\x00\\xe8q\\x9aT\\x92\\x02\\x00\\x00\\x03\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x08r\\x9aT\\x92\\x02\\x00\\x00\\x12\\x00\\x12\\x00\\x00\\x00\\x00\\x008s\\x9aT\\x92\\x02\\x00\\x00\\x02\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00Ps\\x9aT\\x92\\x02\\x00\\x00 \\x00 \\x00\\x00\\x00\\x00\\x00Xs\\x9aT\\x92\\x02\\x00\\x00\\x02\\x00\\x00\\x00A\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00xs\\x9aT\\x92\\x02\\x00\\x00W\\x00I\\x00N\\x00:\\x00/\\x00/\\x00S\\x00Y\\x00S\\x00A\\x00P\\x00P\\x00I\\x00D\\x00\\x00\\x00\\x00\\x00p\\x00p\\x00\\x00\\x00\\x00\\x008r\\x9aT\\x92\\x02\\x00\\x00H\\x00H\\x00\\x00\\x00\\x00\\x00\\xa8r\\x9aT\\x92\\x02\\x00\\x00H\\x00H\\x00\\x00\\x00\\x00\\x00\\xf0r\\x9aT\\x92\\x02\\x00\\x00M\\x00i\\x00c\\x00r\\x00o\\x00s\\x00o\\x00f\\x00t\\x00.\\x00W\\x00i\\x00n\\x00d\\x00o\\x00w\\x00s\\x00S\\x00t\\x00o\\x00"
              }
            ],
            "repeated": 0,
            "id": 18144
          },
          {
            "timestamp": "2026-05-28 22:01:58,865",
            "thread_id": "5448",
            "caller": "0x7ff6c28c488d",
            "parentcaller": "0x7ff6c28c8392",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a90"
              }
            ],
            "repeated": 0,
            "id": 18145
          },
          {
            "timestamp": "2026-05-28 22:01:58,865",
            "thread_id": "5448",
            "caller": "0x7ff6c28c83a8",
            "parentcaller": "0x7ff6c28c8427",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000007d4"
              }
            ],
            "repeated": 0,
            "id": 18146
          },
          {
            "timestamp": "2026-05-28 22:01:58,865",
            "thread_id": "5448",
            "caller": "0x7ff6c28c883e",
            "parentcaller": "0x7ff6c28c846b",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0xfffffffc"
              }
            ],
            "repeated": 0,
            "id": 18147
          },
          {
            "timestamp": "2026-05-28 22:01:58,865",
            "thread_id": "5448",
            "caller": "0x7ff6c28c883e",
            "parentcaller": "0x7ff6c28c846b",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 18148
          },
          {
            "timestamp": "2026-05-28 22:01:58,865",
            "thread_id": "5448",
            "caller": "0x7ff6c28c883e",
            "parentcaller": "0x7ff6c28c846b",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0xfffffffc"
              }
            ],
            "repeated": 0,
            "id": 18149
          },
          {
            "timestamp": "2026-05-28 22:01:58,865",
            "thread_id": "5448",
            "caller": "0x7ff6c28c883e",
            "parentcaller": "0x7ff6c28c846b",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "0",
                "pretty_value": "ThreadBasicInformation"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x03\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xf0\\x86\\x9d\\xf0\\x00\\x00\\x00\\xe8\\x1e\\x00\\x00\\x00\\x00\\x00\\x00H\\x15\\x00\\x00\\x00\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x0e\\x00\\x00\\x00\\x02\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "5448"
              }
            ],
            "repeated": 0,
            "id": 18150
          },
          {
            "timestamp": "2026-05-28 22:01:58,865",
            "thread_id": "3700",
            "caller": "0x7ffc7571ebae",
            "parentcaller": "0x7ffc775f84de",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "0",
                "pretty_value": "ThreadBasicInformation"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x03\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xf0\\x87\\x9d\\xf0\\x00\\x00\\x00\\xe8\\x1e\\x00\\x00\\x00\\x00\\x00\\x00t\\x0e\\x00\\x00\\x00\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x0b\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "3700"
              }
            ],
            "repeated": 0,
            "id": 18151
          },
          {
            "timestamp": "2026-05-28 22:01:58,865",
            "thread_id": "3700",
            "caller": "0x7ffc756e54eb",
            "parentcaller": "0x7ffc6126c697",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 18152
          },
          {
            "timestamp": "2026-05-28 22:01:58,865",
            "thread_id": "3700",
            "caller": "0x7ffc756e54eb",
            "parentcaller": "0x7ffc6126c717",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xd0\\xc0\\xacT\\x92\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x92\\x02\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\xe9\\x03\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 18153
          },
          {
            "timestamp": "2026-05-28 22:01:58,865",
            "thread_id": "3700",
            "caller": "0x7ffc77be92b9",
            "parentcaller": "0x7ffc77c2224d",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "00000339-0000-0000-C000-000000000046"
              },
              {
                "name": "ClsContext",
                "value": "0x00000403",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER|CLSCTX_NO_CODE_DOWNLOAD"
              },
              {
                "name": "riid",
                "value": "00000003-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 3,
            "id": 18154
          },
          {
            "timestamp": "2026-05-28 22:01:58,865",
            "thread_id": "3700",
            "caller": "0x7ffc7571ebae",
            "parentcaller": "0x7ffc775c712f",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "0",
                "pretty_value": "ThreadBasicInformation"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x03\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xf0\\x87\\x9d\\xf0\\x00\\x00\\x00\\xe8\\x1e\\x00\\x00\\x00\\x00\\x00\\x00t\\x0e\\x00\\x00\\x00\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "3700"
              }
            ],
            "repeated": 0,
            "id": 18155
          },
          {
            "timestamp": "2026-05-28 22:01:58,865",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c3e56",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000007d4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001000",
                "pretty_value": "PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "7444"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\System32\\RuntimeBroker.exe"
              }
            ],
            "repeated": 0,
            "id": 18156
          },
          {
            "timestamp": "2026-05-28 22:01:58,865",
            "thread_id": "5448",
            "caller": "0x7ff6c28c3ebb",
            "parentcaller": "0x7ff6c28c2d53",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000007d4"
              }
            ],
            "repeated": 0,
            "id": 18157
          },
          {
            "timestamp": "2026-05-28 22:01:58,865",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c3ffc",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000007d4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001000",
                "pretty_value": "PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "7444"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\System32\\RuntimeBroker.exe"
              }
            ],
            "repeated": 0,
            "id": 18158
          },
          {
            "timestamp": "2026-05-28 22:01:58,865",
            "thread_id": "5448",
            "caller": "0x7ff6c28c4224",
            "parentcaller": "0x7ff6c28c2da5",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000007d4"
              }
            ],
            "repeated": 0,
            "id": 18159
          },
          {
            "timestamp": "2026-05-28 22:01:58,865",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x292544f0002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\System32\\RuntimeBroker.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 18160
          },
          {
            "timestamp": "2026-05-28 22:01:58,865",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x292544f0000"
              },
              {
                "name": "RegionSize",
                "value": "0x0001c000"
              }
            ],
            "repeated": 0,
            "id": 18161
          },
          {
            "timestamp": "2026-05-28 22:01:58,865",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x292544f0002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\System32\\RuntimeBroker.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 18162
          },
          {
            "timestamp": "2026-05-28 22:01:58,865",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x292544f0000"
              },
              {
                "name": "RegionSize",
                "value": "0x0001c000"
              }
            ],
            "repeated": 0,
            "id": 18163
          },
          {
            "timestamp": "2026-05-28 22:01:58,865",
            "thread_id": "5448",
            "caller": "0x7ff6c28c3b16",
            "parentcaller": "0x7ff6c28c30e8",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000007d4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000400",
                "pretty_value": "PROCESS_QUERY_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "7444"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\System32\\RuntimeBroker.exe"
              }
            ],
            "repeated": 0,
            "id": 18164
          },
          {
            "timestamp": "2026-05-28 22:01:58,865",
            "thread_id": "5448",
            "caller": "0x7ff6c28c3b8f",
            "parentcaller": "0x7ff6c28c30e8",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000007d4"
              }
            ],
            "repeated": 0,
            "id": 18165
          },
          {
            "timestamp": "2026-05-28 22:01:58,865",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c38f8",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000007d4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001410",
                "pretty_value": "PROCESS_VM_READ|PROCESS_QUERY_INFORMATION|PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "7444"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\System32\\RuntimeBroker.exe"
              }
            ],
            "repeated": 0,
            "id": 18166
          },
          {
            "timestamp": "2026-05-28 22:01:58,865",
            "thread_id": "5448",
            "caller": "0x7ff6c28c53e5",
            "parentcaller": "0x7ff6c28c3945",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000007d4"
              },
              {
                "name": "BaseAddress",
                "value": "0xe040fd0000"
              },
              {
                "name": "Size",
                "value": "0x000007c8"
              },
              {
                "name": "Buffer",
                "value": "\\x00\\x00\\x00\\x14\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00q{\\xf7\\x7f\\x00\\x00\\xc0\\xc4\\x13x\\xfc\\x7f\\x00\\x00\\xd02\\xe0\\xbe\\x9c\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xd5\\xbe\\x9c\\x02\\x00\\x00\\xe0\\xc0\\x13x\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00p\\x003v\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xd0\\xbe\\x9c\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00@\\xc4\\x13x\\xfc\\x7f\\x00\\x00\\xff\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00>\\\\xf4}\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00P\\x07>\\\\xf4}\\x00\\x00\\x00\\x00R^\\xf5}\\x00\\x00(\\x02S^\\xf5}\\x00\\x00P\\x06T^\\xf5}\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x80\\x9b\\x07m\\xe8\\xff\\xff\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x00 \\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x10\\x00\\x00\\x00@\\xad\\x13x\\xfc\\x7f\\x00\\x00\\x00\\x00-\\xbf\\x9c\\x02\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 18167
          },
          {
            "timestamp": "2026-05-28 22:01:58,865",
            "thread_id": "5448",
            "caller": "0x7ff6c28c5414",
            "parentcaller": "0x7ff6c28c3945",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000007d4"
              },
              {
                "name": "BaseAddress",
                "value": "0x29cbee032d0"
              },
              {
                "name": "Size",
                "value": "0x00000440"
              },
              {
                "name": "Buffer",
                "value": "F\\x07\\x00\\x00F\\x07\\x00\\x00\\x01 \\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00(\\x00\\x08\\x02\\x00\\x00\\x00\\x00\\x90>\\xe0\\xbe\\x9c\\x02\\x00\\x00H\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00J\\x00L\\x00\\x00\\x00\\x00\\x00\\x189\\xe0\\xbe\\x9c\\x02\\x00\\x00`\\x00b\\x00\\x00\\x00\\x00\\x00d9\\xe0\\xbe\\x9c\\x02\\x00\\x00\\xf0'\\xe0\\xbe\\x9c\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x80\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00J\\x00L\\x00\\x00\\x00\\x00\\x00\\xc69\\xe0\\xbe\\x9c\\x02\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x12:\\xe0\\xbe\\x9c\\x02\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x14:\\xe0\\xbe\\x9c\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 18168
          },
          {
            "timestamp": "2026-05-28 22:01:58,865",
            "thread_id": "5448",
            "caller": "0x7ff6c28c545d",
            "parentcaller": "0x7ff6c28c3945",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000007d4"
              },
              {
                "name": "BaseAddress",
                "value": "0x29cbee03964"
              },
              {
                "name": "Size",
                "value": "0x00000060"
              },
              {
                "name": "Buffer",
                "value": "C\\x00:\\x00\\\\x00W\\x00i\\x00n\\x00d\\x00o\\x00w\\x00s\\x00\\\\x00S\\x00y\\x00s\\x00t\\x00e\\x00m\\x003\\x002\\x00\\\\x00R\\x00u\\x00n\\x00t\\x00i\\x00m\\x00e\\x00B\\x00r\\x00o\\x00k\\x00e\\x00r\\x00.\\x00e\\x00x\\x00e\\x00 \\x00-\\x00E\\x00m\\x00b\\x00e\\x00d\\x00d\\x00i\\x00n\\x00g\\x00"
              }
            ],
            "repeated": 0,
            "id": 18169
          },
          {
            "timestamp": "2026-05-28 22:01:58,865",
            "thread_id": "5448",
            "caller": "0x7ff6c28c39ad",
            "parentcaller": "0x7ff6c28c31bb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000007d4"
              }
            ],
            "repeated": 0,
            "id": 18170
          },
          {
            "timestamp": "2026-05-28 22:01:58,865",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c3746",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000007d4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001000",
                "pretty_value": "PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "7444"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\System32\\RuntimeBroker.exe"
              }
            ],
            "repeated": 0,
            "id": 18171
          },
          {
            "timestamp": "2026-05-28 22:01:58,865",
            "thread_id": "5448",
            "caller": "0x7ff6c28c472e",
            "parentcaller": "0x7ff6c28c375e",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000007d4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x00000a90"
              }
            ],
            "repeated": 0,
            "id": 18172
          },
          {
            "timestamp": "2026-05-28 22:01:58,865",
            "thread_id": "5448",
            "caller": "0x7ff6c28c4764",
            "parentcaller": "0x7ff6c28c375e",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "39"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 18173
          },
          {
            "timestamp": "2026-05-28 22:01:58,865",
            "thread_id": "5448",
            "caller": "0x7ff6c28c47ed",
            "parentcaller": "0x7ff6c28c375e",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "39"
              },
              {
                "name": "TokenInformation",
                "value": "\\x01\\x00\\x00\\x00\\x03\\x00\\x00\\x00pq\\x9aT\\x92\\x02\\x00\\x00\\x1c\\x00\\x1c\\x00\\x00\\x00\\x00\\x00\\xe8q\\x9aT\\x92\\x02\\x00\\x00\\x03\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x08r\\x9aT\\x92\\x02\\x00\\x00\\x12\\x00\\x12\\x00\\x00\\x00\\x00\\x008s\\x9aT\\x92\\x02\\x00\\x00\\x02\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00Ps\\x9aT\\x92\\x02\\x00\\x00 \\x00 \\x00\\x00\\x00\\x00\\x00Xs\\x9aT\\x92\\x02\\x00\\x00\\x02\\x00\\x00\\x00A\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00xs\\x9aT\\x92\\x02\\x00\\x00W\\x00I\\x00N\\x00:\\x00/\\x00/\\x00S\\x00Y\\x00S\\x00A\\x00P\\x00P\\x00I\\x00D\\x00\\x00\\x00\\x00\\x00p\\x00p\\x00\\x00\\x00\\x00\\x008r\\x9aT\\x92\\x02\\x00\\x00H\\x00H\\x00\\x00\\x00\\x00\\x00\\xa8r\\x9aT\\x92\\x02\\x00\\x00H\\x00H\\x00\\x00\\x00\\x00\\x00\\xf0r\\x9aT\\x92\\x02\\x00\\x00M\\x00i\\x00c\\x00r\\x00o\\x00s\\x00o\\x00f\\x00t\\x00.\\x00W\\x00i\\x00n\\x00d\\x00o\\x00w\\x00s\\x00S\\x00t\\x00o\\x00"
              }
            ],
            "repeated": 0,
            "id": 18174
          },
          {
            "timestamp": "2026-05-28 22:01:58,865",
            "thread_id": "5448",
            "caller": "0x7ff6c28c488d",
            "parentcaller": "0x7ff6c28c375e",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a90"
              }
            ],
            "repeated": 0,
            "id": 18175
          },
          {
            "timestamp": "2026-05-28 22:01:58,865",
            "thread_id": "5448",
            "caller": "0x7ff6c28c3779",
            "parentcaller": "0x7ff6c28c31c6",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000007d4"
              }
            ],
            "repeated": 0,
            "id": 18176
          },
          {
            "timestamp": "2026-05-28 22:01:58,865",
            "thread_id": "5448",
            "caller": "0x7ff6c28c05ac",
            "parentcaller": "0x7ff6c28bdc11",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a7c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001400",
                "pretty_value": "PROCESS_QUERY_INFORMATION|PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "7912"
              }
            ],
            "repeated": 0,
            "id": 18177
          },
          {
            "timestamp": "2026-05-28 22:01:58,865",
            "thread_id": "5448",
            "caller": "0x7ff6c28c068f",
            "parentcaller": "0x7ff6c28bdc11",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a7c"
              }
            ],
            "repeated": 0,
            "id": 18178
          },
          {
            "timestamp": "2026-05-28 22:01:58,865",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c837c",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a7c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001000",
                "pretty_value": "PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "7912"
              }
            ],
            "repeated": 0,
            "id": 18179
          },
          {
            "timestamp": "2026-05-28 22:01:58,865",
            "thread_id": "5448",
            "caller": "0x7ff6c28c472e",
            "parentcaller": "0x7ff6c28c8392",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a7c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x00000a94"
              }
            ],
            "repeated": 0,
            "id": 18180
          },
          {
            "timestamp": "2026-05-28 22:01:58,865",
            "thread_id": "5448",
            "caller": "0x7ff6c28c4764",
            "parentcaller": "0x7ff6c28c8392",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "39"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 18181
          },
          {
            "timestamp": "2026-05-28 22:01:58,865",
            "thread_id": "5448",
            "caller": "0x7ff6c28c47ed",
            "parentcaller": "0x7ff6c28c8392",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "39"
              },
              {
                "name": "TokenInformation",
                "value": "\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00`\\xe1\\x99T\\x92\\x02\\x00\\x00 \\x00 \\x00\\x00\\x00\\x00\\x00\\x88\\xe1\\x99T\\x92\\x02\\x00\\x00\\x02\\x00\\x00\\x00A\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xa8\\xe1\\x99T\\x92\\x02\\x00\\x00T\\x00S\\x00A\\x00:\\x00/\\x00/\\x00P\\x00r\\x00o\\x00c\\x00U\\x00n\\x00i\\x00q\\x00u\\x00e\\x00\\x88\\x00\\x00\\x00\\x00\\x00\\x00\\x00k\\xc4\t\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 18182
          },
          {
            "timestamp": "2026-05-28 22:01:58,865",
            "thread_id": "5448",
            "caller": "0x7ff6c28c488d",
            "parentcaller": "0x7ff6c28c8392",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a94"
              }
            ],
            "repeated": 0,
            "id": 18183
          },
          {
            "timestamp": "2026-05-28 22:01:58,865",
            "thread_id": "5448",
            "caller": "0x7ff6c28c83a8",
            "parentcaller": "0x7ff6c28c8427",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a7c"
              }
            ],
            "repeated": 0,
            "id": 18184
          },
          {
            "timestamp": "2026-05-28 22:01:58,865",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c3e56",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a7c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001000",
                "pretty_value": "PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "7912"
              }
            ],
            "repeated": 0,
            "id": 18185
          },
          {
            "timestamp": "2026-05-28 22:01:58,865",
            "thread_id": "5448",
            "caller": "0x7ff6c28c3ebb",
            "parentcaller": "0x7ff6c28c2d53",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a7c"
              }
            ],
            "repeated": 0,
            "id": 18186
          },
          {
            "timestamp": "2026-05-28 22:01:58,865",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c3ffc",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a7c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001000",
                "pretty_value": "PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "7912"
              }
            ],
            "repeated": 0,
            "id": 18187
          },
          {
            "timestamp": "2026-05-28 22:01:58,865",
            "thread_id": "5448",
            "caller": "0x7ff6c28c4224",
            "parentcaller": "0x7ff6c28c2da5",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a7c"
              }
            ],
            "repeated": 0,
            "id": 18188
          },
          {
            "timestamp": "2026-05-28 22:01:58,865",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a7c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000400",
                "pretty_value": "PROCESS_QUERY_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "7912"
              }
            ],
            "repeated": 0,
            "id": 18189
          },
          {
            "timestamp": "2026-05-28 22:01:58,865",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x00000a94"
              }
            ],
            "repeated": 0,
            "id": 18190
          },
          {
            "timestamp": "2026-05-28 22:01:58,865",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "`\\xd8\\xdf\\x9d\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\xe9\\x03\\x00\\x00\\xfc\\x7f\\x00\\x00`^\\xe8S\\x92\\x02\\x00\\x00\\xe0\\xde\\xdf\\x9d\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x9b\\x00\\x00\\x00\\x00\\x00\\x00\\x00H\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 18191
          },
          {
            "timestamp": "2026-05-28 22:01:58,865",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "synchronization",
            "api": "NtCreateMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a50"
              },
              {
                "name": "MutexName",
                "value": "Global\\C::Users:admin:AppData:Local:Microsoft:Windows:Explorer:iconcache_idx.db!rwReaderRefs"
              },
              {
                "name": "InitialOwner",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 18192
          },
          {
            "timestamp": "2026-05-28 22:01:58,865",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a94"
              }
            ],
            "repeated": 0,
            "id": 18193
          },
          {
            "timestamp": "2026-05-28 22:01:58,865",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a7c"
              }
            ],
            "repeated": 0,
            "id": 18194
          },
          {
            "timestamp": "2026-05-28 22:01:58,865",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000808"
              },
              {
                "name": "HandleName",
                "value": "C:\\Users\\admin\\AppData\\Local\\Microsoft\\Windows\\Explorer\\iconcache_idx.db"
              },
              {
                "name": "FileInformationClass",
                "value": "5",
                "pretty_value": "FileStandardInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\x00\\x80\\x00\\x00\\x00\\x00\\x00\\x000r\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 18195
          },
          {
            "timestamp": "2026-05-28 22:01:58,865",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a7c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000400",
                "pretty_value": "PROCESS_QUERY_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "7912"
              }
            ],
            "repeated": 0,
            "id": 18196
          },
          {
            "timestamp": "2026-05-28 22:01:58,865",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x00000a94"
              }
            ],
            "repeated": 0,
            "id": 18197
          },
          {
            "timestamp": "2026-05-28 22:01:58,865",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": " \\xd9\\xdf\\x9d\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\xe9\\x03\\x00\\x00\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x99\\xdb\\xdf\\x9d\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00T\\x82*_\\xfc\\x7f\\x00\\x004\\x00b\\x009\\x00c\\x008\\x00\\x00\\x00\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x000\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x98\\xda\\xdf\\x9d\\xf0\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 18198
          },
          {
            "timestamp": "2026-05-28 22:01:58,865",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "synchronization",
            "api": "NtCreateMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a98"
              },
              {
                "name": "MutexName",
                "value": "Global\\C::Users:admin:AppData:Local:Microsoft:Windows:Explorer:iconcache_idx.db!04b9c8"
              },
              {
                "name": "InitialOwner",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 18199
          },
          {
            "timestamp": "2026-05-28 22:01:58,865",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a94"
              }
            ],
            "repeated": 0,
            "id": 18200
          },
          {
            "timestamp": "2026-05-28 22:01:58,865",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a7c"
              }
            ],
            "repeated": 0,
            "id": 18201
          },
          {
            "timestamp": "2026-05-28 22:01:58,865",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000a4c"
              },
              {
                "name": "HandleName",
                "value": "C:\\Users\\admin\\AppData\\Local\\Microsoft\\Windows\\Explorer\\iconcache_16.db"
              },
              {
                "name": "FileInformationClass",
                "value": "5",
                "pretty_value": "FileStandardInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 18202
          },
          {
            "timestamp": "2026-05-28 22:01:58,865",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a50"
              }
            ],
            "repeated": 0,
            "id": 18203
          },
          {
            "timestamp": "2026-05-28 22:01:58,865",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a50"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000400",
                "pretty_value": "PROCESS_QUERY_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "7912"
              }
            ],
            "repeated": 0,
            "id": 18204
          },
          {
            "timestamp": "2026-05-28 22:01:58,865",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x00000a7c"
              }
            ],
            "repeated": 0,
            "id": 18205
          },
          {
            "timestamp": "2026-05-28 22:01:58,865",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "0\\xd9\\xdf\\x9d\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\xe9\\x03\\x00\\x00\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xd0\\xd9\\xdf\\x9d\\xf0\\x00\\x00\\x00x\\xdb\\xdf\\x9d\\xf0\\x00\\x00\\x00\\xc8\\xb9\\xb3T\\x92\\x02\\x00\\x00\\xb0\\xd9\\xdf\\x9d\\xf0\\x00\\x00\\x00\\x00\\xda\\xdf\\x9d\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xf0\\x00\\x00\\x00\\x00\\x00\\xafT\\x92\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00u\\xc0\\x00\\x00\\x00\\x00\\xafT\\x92\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 18206
          },
          {
            "timestamp": "2026-05-28 22:01:58,865",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "synchronization",
            "api": "NtCreateMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a94"
              },
              {
                "name": "MutexName",
                "value": "Global\\C::Users:admin:AppData:Local:Microsoft:Windows:Explorer:iconcache_idx.db!rwReaderRefs"
              },
              {
                "name": "InitialOwner",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 18207
          },
          {
            "timestamp": "2026-05-28 22:01:58,865",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a7c"
              }
            ],
            "repeated": 0,
            "id": 18208
          },
          {
            "timestamp": "2026-05-28 22:01:58,865",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a50"
              }
            ],
            "repeated": 0,
            "id": 18209
          },
          {
            "timestamp": "2026-05-28 22:01:58,865",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a94"
              }
            ],
            "repeated": 0,
            "id": 18210
          },
          {
            "timestamp": "2026-05-28 22:01:58,881",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a98"
              }
            ],
            "repeated": 0,
            "id": 18211
          },
          {
            "timestamp": "2026-05-28 22:01:58,881",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x7ff6c28b0000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\System32\\Taskmgr.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 1,
            "id": 18212
          },
          {
            "timestamp": "2026-05-28 22:01:58,881",
            "thread_id": "5448",
            "caller": "0x7ff6c28c3b16",
            "parentcaller": "0x7ff6c28c30e8",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a98"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000400",
                "pretty_value": "PROCESS_QUERY_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "7912"
              }
            ],
            "repeated": 0,
            "id": 18213
          },
          {
            "timestamp": "2026-05-28 22:01:58,881",
            "thread_id": "5448",
            "caller": "0x7ff6c28c3b8f",
            "parentcaller": "0x7ff6c28c30e8",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a98"
              }
            ],
            "repeated": 0,
            "id": 18214
          },
          {
            "timestamp": "2026-05-28 22:01:58,881",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c38f8",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a98"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001410",
                "pretty_value": "PROCESS_VM_READ|PROCESS_QUERY_INFORMATION|PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "7912"
              }
            ],
            "repeated": 0,
            "id": 18215
          },
          {
            "timestamp": "2026-05-28 22:01:58,881",
            "thread_id": "5448",
            "caller": "0x7ff6c28c53e5",
            "parentcaller": "0x7ff6c28c3945",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a98"
              },
              {
                "name": "BaseAddress",
                "value": "0xf09d85c000"
              },
              {
                "name": "Size",
                "value": "0x000007c8"
              },
              {
                "name": "Buffer",
                "value": "\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\x8b\\xc2\\xf6\\x7f\\x00\\x00\\xc0\\xc4\\x13x\\xfc\\x7f\\x00\\x00\\xb0\\x1b\\x1fN\\x92\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x1fN\\x92\\x02\\x00\\x00\\xe0\\xc0\\x13x\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00p\\x003v\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x04N\\x92\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00@\\xc4\\x13x\\xfc\\x7f\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\x7f\\x00\\x00\\x00\\xfdZ\\xf4}\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00P\\x07\\xfdZ\\xf4}\\x00\\x00\\x00\\x00\\x11]\\xf5}\\x00\\x00(\\x02\\x12]\\xf5}\\x00\\x00P\\x06\\x13]\\xf5}\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x80\\x9b\\x07m\\xe8\\xff\\xff\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x00 \\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\x06\\x00\\x00\\x00\\x10\\x00\\x00\\x00@\\xad\\x13x\\xfc\\x7f\\x00\\x00\\x00\\x00ON\\x92\\x02\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 18216
          },
          {
            "timestamp": "2026-05-28 22:01:58,881",
            "thread_id": "5448",
            "caller": "0x7ff6c28c5414",
            "parentcaller": "0x7ff6c28c3945",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a98"
              },
              {
                "name": "BaseAddress",
                "value": "0x2924e1f1bb0"
              },
              {
                "name": "Size",
                "value": "0x00000440"
              },
              {
                "name": "Buffer",
                "value": "4\\x07\\x00\\x004\\x07\\x00\\x00\\x01`\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00(\\x00\\x08\\x02\\x00\\x00\\x00\\x00@'\\x1fN\\x92\\x02\\x00\\x00@\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00>\\x00@\\x00\\x00\\x00\\x00\\x00\\xf8!\\x1fN\\x92\\x02\\x00\\x00H\\x00J\\x00\\x00\\x00\\x00\\x008\"\\x1fN\\x92\\x02\\x00\\x00\\xe0\\x0f\\x1fN\\x92\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00>\\x00@\\x00\\x00\\x00\\x00\\x00\\x82\"\\x1fN\\x92\\x02\\x00\\x00\\x1e\\x00 \\x00\\x00\\x00\\x00\\x00\\xc2\"\\x1fN\\x92\\x02\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\xe2\"\\x1fN\\x92\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 18217
          },
          {
            "timestamp": "2026-05-28 22:01:58,881",
            "thread_id": "5448",
            "caller": "0x7ff6c28c545d",
            "parentcaller": "0x7ff6c28c3945",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a98"
              },
              {
                "name": "BaseAddress",
                "value": "0x2924e1f2238"
              },
              {
                "name": "Size",
                "value": "0x00000048"
              },
              {
                "name": "Buffer",
                "value": "\"\\x00C\\x00:\\x00\\\\x00W\\x00i\\x00n\\x00d\\x00o\\x00w\\x00s\\x00\\\\x00s\\x00y\\x00s\\x00t\\x00e\\x00m\\x003\\x002\\x00\\\\x00t\\x00a\\x00s\\x00k\\x00m\\x00g\\x00r\\x00.\\x00e\\x00x\\x00e\\x00\"\\x00 \\x00/\\x004\\x00"
              }
            ],
            "repeated": 0,
            "id": 18218
          },
          {
            "timestamp": "2026-05-28 22:01:58,881",
            "thread_id": "5448",
            "caller": "0x7ff6c28c39ad",
            "parentcaller": "0x7ff6c28c31bb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a98"
              }
            ],
            "repeated": 0,
            "id": 18219
          },
          {
            "timestamp": "2026-05-28 22:01:58,881",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c3746",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a98"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001000",
                "pretty_value": "PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "7912"
              }
            ],
            "repeated": 0,
            "id": 18220
          },
          {
            "timestamp": "2026-05-28 22:01:58,881",
            "thread_id": "5448",
            "caller": "0x7ff6c28c472e",
            "parentcaller": "0x7ff6c28c375e",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a98"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x00000a94"
              }
            ],
            "repeated": 0,
            "id": 18221
          },
          {
            "timestamp": "2026-05-28 22:01:58,881",
            "thread_id": "5448",
            "caller": "0x7ff6c28c4764",
            "parentcaller": "0x7ff6c28c375e",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "39"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 18222
          },
          {
            "timestamp": "2026-05-28 22:01:58,881",
            "thread_id": "5448",
            "caller": "0x7ff6c28c47ed",
            "parentcaller": "0x7ff6c28c375e",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "39"
              },
              {
                "name": "TokenInformation",
                "value": "\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00`\\xe1\\x99T\\x92\\x02\\x00\\x00 \\x00 \\x00\\x00\\x00\\x00\\x00\\x88\\xe1\\x99T\\x92\\x02\\x00\\x00\\x02\\x00\\x00\\x00A\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xa8\\xe1\\x99T\\x92\\x02\\x00\\x00T\\x00S\\x00A\\x00:\\x00/\\x00/\\x00P\\x00r\\x00o\\x00c\\x00U\\x00n\\x00i\\x00q\\x00u\\x00e\\x00\\x88\\x00\\x00\\x00\\x00\\x00\\x00\\x00k\\xc4\t\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 18223
          },
          {
            "timestamp": "2026-05-28 22:01:58,881",
            "thread_id": "5448",
            "caller": "0x7ff6c28c488d",
            "parentcaller": "0x7ff6c28c375e",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a94"
              }
            ],
            "repeated": 0,
            "id": 18224
          },
          {
            "timestamp": "2026-05-28 22:01:58,881",
            "thread_id": "5448",
            "caller": "0x7ff6c28c3779",
            "parentcaller": "0x7ff6c28c31c6",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a98"
              }
            ],
            "repeated": 0,
            "id": 18225
          },
          {
            "timestamp": "2026-05-28 22:01:58,881",
            "thread_id": "5448",
            "caller": "0x7ff6c28c05ac",
            "parentcaller": "0x7ff6c28bdc11",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a98"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001400",
                "pretty_value": "PROCESS_QUERY_INFORMATION|PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "2904"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\System32\\net.exe"
              }
            ],
            "repeated": 0,
            "id": 18226
          },
          {
            "timestamp": "2026-05-28 22:01:58,881",
            "thread_id": "5448",
            "caller": "0x7ff6c28c068f",
            "parentcaller": "0x7ff6c28bdc11",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a98"
              }
            ],
            "repeated": 0,
            "id": 18227
          },
          {
            "timestamp": "2026-05-28 22:01:58,881",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c3e56",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a98"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001000",
                "pretty_value": "PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "2904"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\System32\\net.exe"
              }
            ],
            "repeated": 0,
            "id": 18228
          },
          {
            "timestamp": "2026-05-28 22:01:58,881",
            "thread_id": "5448",
            "caller": "0x7ff6c28c3ebb",
            "parentcaller": "0x7ff6c28c2d53",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a98"
              }
            ],
            "repeated": 0,
            "id": 18229
          },
          {
            "timestamp": "2026-05-28 22:01:58,881",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c3ffc",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a98"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001000",
                "pretty_value": "PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "2904"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\System32\\net.exe"
              }
            ],
            "repeated": 0,
            "id": 18230
          },
          {
            "timestamp": "2026-05-28 22:01:58,881",
            "thread_id": "5448",
            "caller": "0x7ff6c28c4224",
            "parentcaller": "0x7ff6c28c2da5",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a98"
              }
            ],
            "repeated": 0,
            "id": 18231
          },
          {
            "timestamp": "2026-05-28 22:01:58,881",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a98"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000400",
                "pretty_value": "PROCESS_QUERY_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "7912"
              }
            ],
            "repeated": 0,
            "id": 18232
          },
          {
            "timestamp": "2026-05-28 22:01:58,881",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x00000a94"
              }
            ],
            "repeated": 0,
            "id": 18233
          },
          {
            "timestamp": "2026-05-28 22:01:58,881",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "`\\xd8\\xdf\\x9d\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\xe9\\x03\\x00\\x00\\xfc\\x7f\\x00\\x00`^\\xe8S\\x92\\x02\\x00\\x00\\xe0\\xde\\xdf\\x9d\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x9c\\x00\\x00\\x00\\x00\\x00\\x00\\x00H\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 18234
          },
          {
            "timestamp": "2026-05-28 22:01:58,881",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "synchronization",
            "api": "NtCreateMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a50"
              },
              {
                "name": "MutexName",
                "value": "Global\\C::Users:admin:AppData:Local:Microsoft:Windows:Explorer:iconcache_idx.db!rwReaderRefs"
              },
              {
                "name": "InitialOwner",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 18235
          },
          {
            "timestamp": "2026-05-28 22:01:58,881",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a94"
              }
            ],
            "repeated": 0,
            "id": 18236
          },
          {
            "timestamp": "2026-05-28 22:01:58,881",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a98"
              }
            ],
            "repeated": 0,
            "id": 18237
          },
          {
            "timestamp": "2026-05-28 22:01:58,881",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000808"
              },
              {
                "name": "HandleName",
                "value": "C:\\Users\\admin\\AppData\\Local\\Microsoft\\Windows\\Explorer\\iconcache_idx.db"
              },
              {
                "name": "FileInformationClass",
                "value": "5",
                "pretty_value": "FileStandardInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\x00\\x80\\x00\\x00\\x00\\x00\\x00\\x000r\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 18238
          },
          {
            "timestamp": "2026-05-28 22:01:58,881",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a50"
              }
            ],
            "repeated": 0,
            "id": 18239
          },
          {
            "timestamp": "2026-05-28 22:01:58,881",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a50"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000400",
                "pretty_value": "PROCESS_QUERY_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "7912"
              }
            ],
            "repeated": 0,
            "id": 18240
          },
          {
            "timestamp": "2026-05-28 22:01:58,881",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x00000a98"
              }
            ],
            "repeated": 0,
            "id": 18241
          },
          {
            "timestamp": "2026-05-28 22:01:58,881",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "p\\xd8\\xdf\\x9d\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\xe9\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xbc\\x07\\x00\\x00\\x00\\x00\\x00\\x00 \\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x02\\x00\\x00\\x00\\x00\\x00\\x00]\\xddmu\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xea5\\x07Ou\\xc0\\x00\\x00\\xe8\\xf6\\x8eT\\x92\\x02\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 18242
          },
          {
            "timestamp": "2026-05-28 22:01:58,881",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "synchronization",
            "api": "NtCreateMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a94"
              },
              {
                "name": "MutexName",
                "value": "Global\\C::Users:admin:AppData:Local:Microsoft:Windows:Explorer:iconcache_idx.db!rwReaderRefs"
              },
              {
                "name": "InitialOwner",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 18243
          },
          {
            "timestamp": "2026-05-28 22:01:58,881",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a98"
              }
            ],
            "repeated": 0,
            "id": 18244
          },
          {
            "timestamp": "2026-05-28 22:01:58,881",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a50"
              }
            ],
            "repeated": 0,
            "id": 18245
          },
          {
            "timestamp": "2026-05-28 22:01:58,881",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a94"
              }
            ],
            "repeated": 0,
            "id": 18246
          },
          {
            "timestamp": "2026-05-28 22:01:58,881",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\net.exe"
              }
            ],
            "repeated": 1,
            "id": 18247
          },
          {
            "timestamp": "2026-05-28 22:01:58,881",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x292544f0002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "c:\\windows\\system32\\net.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 18248
          },
          {
            "timestamp": "2026-05-28 22:01:58,881",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100001",
                "pretty_value": "FILE_READ_ACCESS|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\SystemResources\\net.exe.mun"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 18249
          },
          {
            "timestamp": "2026-05-28 22:01:58,881",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x292544f0000"
              },
              {
                "name": "RegionSize",
                "value": "0x0001e000"
              }
            ],
            "repeated": 0,
            "id": 18250
          },
          {
            "timestamp": "2026-05-28 22:01:58,881",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\imageres.dll"
              }
            ],
            "repeated": 1,
            "id": 18251
          },
          {
            "timestamp": "2026-05-28 22:01:58,881",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x292544f0002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\system32\\imageres.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 18252
          },
          {
            "timestamp": "2026-05-28 22:01:58,881",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "registry",
            "api": "NtOpenKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\en-US"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\en-US"
              }
            ],
            "repeated": 0,
            "id": 18253
          },
          {
            "timestamp": "2026-05-28 22:01:58,881",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000a94"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100001",
                "pretty_value": "FILE_READ_ACCESS|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\en-US\\imageres.dll.mui"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 18254
          },
          {
            "timestamp": "2026-05-28 22:01:58,881",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000a50"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000a94"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\en-US\\imageres.dll.mui"
              }
            ],
            "repeated": 0,
            "id": 18255
          },
          {
            "timestamp": "2026-05-28 22:01:58,881",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000a50"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254500000"
              },
              {
                "name": "SectionOffset",
                "value": "0xf09ddfb7f0"
              },
              {
                "name": "ViewSize",
                "value": "0x00001000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 18256
          },
          {
            "timestamp": "2026-05-28 22:01:58,881",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a50"
              }
            ],
            "repeated": 0,
            "id": 18257
          },
          {
            "timestamp": "2026-05-28 22:01:58,881",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000a50"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100001",
                "pretty_value": "FILE_READ_ACCESS|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\SystemResources\\imageres.dll.mun"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 18258
          },
          {
            "timestamp": "2026-05-28 22:01:58,881",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000a98"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000a50"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\SystemResources\\imageres.dll.mun"
              }
            ],
            "repeated": 0,
            "id": 18259
          },
          {
            "timestamp": "2026-05-28 22:01:58,881",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000a98"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29257f80000"
              },
              {
                "name": "SectionOffset",
                "value": "0xf09ddfb7a0"
              },
              {
                "name": "ViewSize",
                "value": "0x013c0000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 18260
          },
          {
            "timestamp": "2026-05-28 22:01:58,881",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a98"
              }
            ],
            "repeated": 0,
            "id": 18261
          },
          {
            "timestamp": "2026-05-28 22:01:58,881",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "misc",
            "api": "FindResourceExW",
            "status": true,
            "return": "0x29257fa2e40",
            "arguments": [
              {
                "name": "Module",
                "value": "0x292544f0002"
              },
              {
                "name": "Type",
                "value": "#14"
              },
              {
                "name": "Name",
                "value": "#15"
              },
              {
                "name": "Language",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 18262
          },
          {
            "timestamp": "2026-05-28 22:01:58,881",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "misc",
            "api": "LoadResource",
            "status": true,
            "return": "0x29258016950",
            "arguments": [
              {
                "name": "Module",
                "value": "0x292544f0002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29257fa2e40"
              }
            ],
            "repeated": 0,
            "id": 18263
          },
          {
            "timestamp": "2026-05-28 22:01:58,881",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "misc",
            "api": "FindResourceExW",
            "status": true,
            "return": "0x29257f98940",
            "arguments": [
              {
                "name": "Module",
                "value": "0x292544f0002"
              },
              {
                "name": "Type",
                "value": "#3"
              },
              {
                "name": "Name",
                "value": "#63"
              },
              {
                "name": "Language",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 18264
          },
          {
            "timestamp": "2026-05-28 22:01:58,881",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "misc",
            "api": "SizeofResource",
            "status": true,
            "return": "0x00000468",
            "arguments": [
              {
                "name": "ModuleHandle",
                "value": "0x292544f0002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29257f98940"
              }
            ],
            "repeated": 0,
            "id": 18265
          },
          {
            "timestamp": "2026-05-28 22:01:58,881",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "misc",
            "api": "LoadResource",
            "status": true,
            "return": "0x292580164e8",
            "arguments": [
              {
                "name": "Module",
                "value": "0x292544f0002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29257f98940"
              }
            ],
            "repeated": 0,
            "id": 18266
          },
          {
            "timestamp": "2026-05-28 22:01:58,881",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29257f80000"
              },
              {
                "name": "RegionSize",
                "value": "0x013c0000"
              }
            ],
            "repeated": 0,
            "id": 18267
          },
          {
            "timestamp": "2026-05-28 22:01:58,881",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a50"
              }
            ],
            "repeated": 0,
            "id": 18268
          },
          {
            "timestamp": "2026-05-28 22:01:58,881",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254500000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              }
            ],
            "repeated": 0,
            "id": 18269
          },
          {
            "timestamp": "2026-05-28 22:01:58,881",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a94"
              }
            ],
            "repeated": 0,
            "id": 18270
          },
          {
            "timestamp": "2026-05-28 22:01:58,881",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x292544f0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00003000"
              }
            ],
            "repeated": 0,
            "id": 18271
          },
          {
            "timestamp": "2026-05-28 22:01:58,881",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x292544f0002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\System32\\net.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 18272
          },
          {
            "timestamp": "2026-05-28 22:01:58,881",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x292544f0000"
              },
              {
                "name": "RegionSize",
                "value": "0x0001e000"
              }
            ],
            "repeated": 0,
            "id": 18273
          },
          {
            "timestamp": "2026-05-28 22:01:58,881",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x292544f0002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\System32\\net.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 18274
          },
          {
            "timestamp": "2026-05-28 22:01:58,881",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x292544f0000"
              },
              {
                "name": "RegionSize",
                "value": "0x0001e000"
              }
            ],
            "repeated": 0,
            "id": 18275
          },
          {
            "timestamp": "2026-05-28 22:01:58,881",
            "thread_id": "5448",
            "caller": "0x7ff6c28c3b16",
            "parentcaller": "0x7ff6c28c30e8",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a94"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000400",
                "pretty_value": "PROCESS_QUERY_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "2904"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\System32\\net.exe"
              }
            ],
            "repeated": 0,
            "id": 18276
          },
          {
            "timestamp": "2026-05-28 22:01:58,881",
            "thread_id": "5448",
            "caller": "0x7ff6c28c3b8f",
            "parentcaller": "0x7ff6c28c30e8",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a94"
              }
            ],
            "repeated": 0,
            "id": 18277
          },
          {
            "timestamp": "2026-05-28 22:01:58,881",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c38f8",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a94"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001410",
                "pretty_value": "PROCESS_VM_READ|PROCESS_QUERY_INFORMATION|PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "2904"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\System32\\net.exe"
              }
            ],
            "repeated": 0,
            "id": 18278
          },
          {
            "timestamp": "2026-05-28 22:01:58,881",
            "thread_id": "5448",
            "caller": "0x7ff6c28c53e5",
            "parentcaller": "0x7ff6c28c3945",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a94"
              },
              {
                "name": "BaseAddress",
                "value": "0x7a1d6ce000"
              },
              {
                "name": "Size",
                "value": "0x000007c8"
              },
              {
                "name": "Buffer",
                "value": "\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00$\\xec\\xf7\\x7f\\x00\\x00\\xc0\\xc4\\x13x\\xfc\\x7f\\x00\\x00p\\x1c\\xf0w\\xfe\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xf0w\\xfe\\x01\\x00\\x00\\xe0\\xc0\\x13x\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xd0w\\xfe\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00@\\xc4\\x13x\\xfc\\x7f\\x00\\x00\\x11\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x1a\\x07\\xf4}\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00P\\x07\\x1a\\x07\\xf4}\\x00\\x00\\x00\\x00.\t\\xf5}\\x00\\x00(\\x02/\t\\xf5}\\x00\\x00P\\x060\t\\xf5}\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x80\\x9b\\x07m\\xe8\\xff\\xff\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x00 \\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x10\\x00\\x00\\x00@\\xad\\x13x\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 18279
          },
          {
            "timestamp": "2026-05-28 22:01:58,881",
            "thread_id": "5448",
            "caller": "0x7ff6c28c5414",
            "parentcaller": "0x7ff6c28c3945",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a94"
              },
              {
                "name": "BaseAddress",
                "value": "0x1fe77f01c70"
              },
              {
                "name": "Size",
                "value": "0x00000440"
              },
              {
                "name": "Buffer",
                "value": "\\xfe\\x06\\x00\\x00\\xfe\\x06\\x00\\x00\\x01`\\x00\\x00\\x00\\x00\\x00\\x00T\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x0c\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x18\\x00\\x08\\x02\\x00\\x00\\x00\\x00\\xd0'\\xf0w\\xfe\\x01\\x00\\x00H\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x006\\x008\\x00\\x00\\x00\\x00\\x00\\xb8\"\\xf0w\\xfe\\x01\\x00\\x00\"\\x00$\\x00\\x00\\x00\\x00\\x00\\xf0\"\\xf0w\\xfe\\x01\\x00\\x00\\xe0\\x0f\\xf0w\\xfe\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x006\\x008\\x00\\x00\\x00\\x00\\x00\\x14#\\xf0w\\xfe\\x01\\x00\\x00\\x1e\\x00 \\x00\\x00\\x00\\x00\\x00L#\\xf0w\\xfe\\x01\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00l#\\xf0w\\xfe\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 18280
          },
          {
            "timestamp": "2026-05-28 22:01:58,881",
            "thread_id": "5448",
            "caller": "0x7ff6c28c545d",
            "parentcaller": "0x7ff6c28c3945",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a94"
              },
              {
                "name": "BaseAddress",
                "value": "0x1fe77f022f0"
              },
              {
                "name": "Size",
                "value": "0x00000022"
              },
              {
                "name": "Buffer",
                "value": "n\\x00e\\x00t\\x00 \\x00s\\x00t\\x00a\\x00r\\x00t\\x00 \\x00w\\x00i\\x00n\\x00m\\x00g\\x00m\\x00t\\x00"
              }
            ],
            "repeated": 0,
            "id": 18281
          },
          {
            "timestamp": "2026-05-28 22:01:58,881",
            "thread_id": "5448",
            "caller": "0x7ff6c28c39ad",
            "parentcaller": "0x7ff6c28c31bb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a94"
              }
            ],
            "repeated": 0,
            "id": 18282
          },
          {
            "timestamp": "2026-05-28 22:01:58,881",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c3746",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a94"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001000",
                "pretty_value": "PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "2904"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\System32\\net.exe"
              }
            ],
            "repeated": 0,
            "id": 18283
          },
          {
            "timestamp": "2026-05-28 22:01:58,881",
            "thread_id": "5448",
            "caller": "0x7ff6c28c472e",
            "parentcaller": "0x7ff6c28c375e",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a94"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x00000a50"
              }
            ],
            "repeated": 0,
            "id": 18284
          },
          {
            "timestamp": "2026-05-28 22:01:58,881",
            "thread_id": "5448",
            "caller": "0x7ff6c28c4764",
            "parentcaller": "0x7ff6c28c375e",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "39"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 18285
          },
          {
            "timestamp": "2026-05-28 22:01:58,881",
            "thread_id": "5448",
            "caller": "0x7ff6c28c47ed",
            "parentcaller": "0x7ff6c28c375e",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "39"
              },
              {
                "name": "TokenInformation",
                "value": "\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00`\\xe1\\x99T\\x92\\x02\\x00\\x00 \\x00 \\x00\\x00\\x00\\x00\\x00\\x88\\xe1\\x99T\\x92\\x02\\x00\\x00\\x02\\x00\\x00\\x00A\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xa8\\xe1\\x99T\\x92\\x02\\x00\\x00T\\x00S\\x00A\\x00:\\x00/\\x00/\\x00P\\x00r\\x00o\\x00c\\x00U\\x00n\\x00i\\x00q\\x00u\\x00e\\x00\\x8d\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xe9\\xed\t\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 18286
          },
          {
            "timestamp": "2026-05-28 22:01:58,881",
            "thread_id": "5448",
            "caller": "0x7ff6c28c488d",
            "parentcaller": "0x7ff6c28c375e",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a50"
              }
            ],
            "repeated": 0,
            "id": 18287
          },
          {
            "timestamp": "2026-05-28 22:01:58,881",
            "thread_id": "5448",
            "caller": "0x7ff6c28c3779",
            "parentcaller": "0x7ff6c28c31c6",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a94"
              }
            ],
            "repeated": 0,
            "id": 18288
          },
          {
            "timestamp": "2026-05-28 22:01:58,881",
            "thread_id": "5448",
            "caller": "0x7ff6c28c05ac",
            "parentcaller": "0x7ff6c28bdc11",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a94"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001400",
                "pretty_value": "PROCESS_QUERY_INFORMATION|PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "1016"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\System32\\net1.exe"
              }
            ],
            "repeated": 0,
            "id": 18289
          },
          {
            "timestamp": "2026-05-28 22:01:58,881",
            "thread_id": "5448",
            "caller": "0x7ff6c28c068f",
            "parentcaller": "0x7ff6c28bdc11",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a94"
              }
            ],
            "repeated": 0,
            "id": 18290
          },
          {
            "timestamp": "2026-05-28 22:01:58,881",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c3e56",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a94"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001000",
                "pretty_value": "PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "1016"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\System32\\net1.exe"
              }
            ],
            "repeated": 0,
            "id": 18291
          },
          {
            "timestamp": "2026-05-28 22:01:58,881",
            "thread_id": "5448",
            "caller": "0x7ff6c28c3ebb",
            "parentcaller": "0x7ff6c28c2d53",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a94"
              }
            ],
            "repeated": 0,
            "id": 18292
          },
          {
            "timestamp": "2026-05-28 22:01:58,881",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c3ffc",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a94"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001000",
                "pretty_value": "PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "1016"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\System32\\net1.exe"
              }
            ],
            "repeated": 0,
            "id": 18293
          },
          {
            "timestamp": "2026-05-28 22:01:58,881",
            "thread_id": "5448",
            "caller": "0x7ff6c28c4224",
            "parentcaller": "0x7ff6c28c2da5",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a94"
              }
            ],
            "repeated": 0,
            "id": 18294
          },
          {
            "timestamp": "2026-05-28 22:01:58,881",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a94"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000400",
                "pretty_value": "PROCESS_QUERY_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "7912"
              }
            ],
            "repeated": 0,
            "id": 18295
          },
          {
            "timestamp": "2026-05-28 22:01:58,881",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x00000a50"
              }
            ],
            "repeated": 0,
            "id": 18296
          },
          {
            "timestamp": "2026-05-28 22:01:58,881",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "`\\xd8\\xdf\\x9d\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\xe9\\x03\\x00\\x00\\xfc\\x7f\\x00\\x00`^\\xe8S\\x92\\x02\\x00\\x00\\xe0\\xde\\xdf\\x9d\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x9d\\x00\\x00\\x00\\x00\\x00\\x00\\x00H\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 18297
          },
          {
            "timestamp": "2026-05-28 22:01:58,881",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "synchronization",
            "api": "NtCreateMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000007d4"
              },
              {
                "name": "MutexName",
                "value": "Global\\C::Users:admin:AppData:Local:Microsoft:Windows:Explorer:iconcache_idx.db!rwReaderRefs"
              },
              {
                "name": "InitialOwner",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 18298
          },
          {
            "timestamp": "2026-05-28 22:01:58,881",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a50"
              }
            ],
            "repeated": 0,
            "id": 18299
          },
          {
            "timestamp": "2026-05-28 22:01:58,881",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a94"
              }
            ],
            "repeated": 0,
            "id": 18300
          },
          {
            "timestamp": "2026-05-28 22:01:58,881",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000808"
              },
              {
                "name": "HandleName",
                "value": "C:\\Users\\admin\\AppData\\Local\\Microsoft\\Windows\\Explorer\\iconcache_idx.db"
              },
              {
                "name": "FileInformationClass",
                "value": "5",
                "pretty_value": "FileStandardInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\x00\\x80\\x00\\x00\\x00\\x00\\x00\\x000r\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 18301
          },
          {
            "timestamp": "2026-05-28 22:01:58,881",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000007d4"
              }
            ],
            "repeated": 0,
            "id": 18302
          },
          {
            "timestamp": "2026-05-28 22:01:58,881",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000007d4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000400",
                "pretty_value": "PROCESS_QUERY_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "7912"
              }
            ],
            "repeated": 0,
            "id": 18303
          },
          {
            "timestamp": "2026-05-28 22:01:58,881",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x00000a94"
              }
            ],
            "repeated": 0,
            "id": 18304
          },
          {
            "timestamp": "2026-05-28 22:01:58,881",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "p\\xd8\\xdf\\x9d\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\xe9\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xbc\\x07\\x00\\x00\\x00\\x00\\x00\\x00 \\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x02\\x00\\x00\\x00\\x00\\x00\\x00]\\xddmu\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xea5\\x07Ou\\xc0\\x00\\x00\\xe8\\xf6\\x8eT\\x92\\x02\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 18305
          },
          {
            "timestamp": "2026-05-28 22:01:58,881",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "synchronization",
            "api": "NtCreateMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a50"
              },
              {
                "name": "MutexName",
                "value": "Global\\C::Users:admin:AppData:Local:Microsoft:Windows:Explorer:iconcache_idx.db!rwReaderRefs"
              },
              {
                "name": "InitialOwner",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 18306
          },
          {
            "timestamp": "2026-05-28 22:01:58,881",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a94"
              }
            ],
            "repeated": 0,
            "id": 18307
          },
          {
            "timestamp": "2026-05-28 22:01:58,881",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000007d4"
              }
            ],
            "repeated": 0,
            "id": 18308
          },
          {
            "timestamp": "2026-05-28 22:01:58,881",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a50"
              }
            ],
            "repeated": 0,
            "id": 18309
          },
          {
            "timestamp": "2026-05-28 22:01:58,881",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\net1.exe"
              }
            ],
            "repeated": 1,
            "id": 18310
          },
          {
            "timestamp": "2026-05-28 22:01:58,881",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29255760002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "c:\\windows\\system32\\net1.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 18311
          },
          {
            "timestamp": "2026-05-28 22:01:58,881",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100001",
                "pretty_value": "FILE_READ_ACCESS|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\SystemResources\\net1.exe.mun"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 18312
          },
          {
            "timestamp": "2026-05-28 22:01:58,881",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29255760000"
              },
              {
                "name": "RegionSize",
                "value": "0x0003e000"
              }
            ],
            "repeated": 0,
            "id": 18313
          },
          {
            "timestamp": "2026-05-28 22:01:58,881",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\imageres.dll"
              }
            ],
            "repeated": 1,
            "id": 18314
          },
          {
            "timestamp": "2026-05-28 22:01:58,881",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x292544f0002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\system32\\imageres.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 18315
          },
          {
            "timestamp": "2026-05-28 22:01:58,881",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "registry",
            "api": "NtOpenKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\en-US"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\en-US"
              }
            ],
            "repeated": 0,
            "id": 18316
          },
          {
            "timestamp": "2026-05-28 22:01:58,881",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000a50"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100001",
                "pretty_value": "FILE_READ_ACCESS|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\en-US\\imageres.dll.mui"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 18317
          },
          {
            "timestamp": "2026-05-28 22:01:58,881",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x000007d4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000a50"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\en-US\\imageres.dll.mui"
              }
            ],
            "repeated": 0,
            "id": 18318
          },
          {
            "timestamp": "2026-05-28 22:01:58,881",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x000007d4"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254500000"
              },
              {
                "name": "SectionOffset",
                "value": "0xf09ddfb7f0"
              },
              {
                "name": "ViewSize",
                "value": "0x00001000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 18319
          },
          {
            "timestamp": "2026-05-28 22:01:58,881",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000007d4"
              }
            ],
            "repeated": 0,
            "id": 18320
          },
          {
            "timestamp": "2026-05-28 22:01:58,881",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000007d4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100001",
                "pretty_value": "FILE_READ_ACCESS|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\SystemResources\\imageres.dll.mun"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 18321
          },
          {
            "timestamp": "2026-05-28 22:01:58,881",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000a94"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x000007d4"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\SystemResources\\imageres.dll.mun"
              }
            ],
            "repeated": 0,
            "id": 18322
          },
          {
            "timestamp": "2026-05-28 22:01:58,881",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000a94"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29257f80000"
              },
              {
                "name": "SectionOffset",
                "value": "0xf09ddfb7a0"
              },
              {
                "name": "ViewSize",
                "value": "0x013c0000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 18323
          },
          {
            "timestamp": "2026-05-28 22:01:58,881",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a94"
              }
            ],
            "repeated": 0,
            "id": 18324
          },
          {
            "timestamp": "2026-05-28 22:01:58,881",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "misc",
            "api": "FindResourceExW",
            "status": true,
            "return": "0x29257fa2e40",
            "arguments": [
              {
                "name": "Module",
                "value": "0x292544f0002"
              },
              {
                "name": "Type",
                "value": "#14"
              },
              {
                "name": "Name",
                "value": "#15"
              },
              {
                "name": "Language",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 18325
          },
          {
            "timestamp": "2026-05-28 22:01:58,881",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "misc",
            "api": "LoadResource",
            "status": true,
            "return": "0x29258016950",
            "arguments": [
              {
                "name": "Module",
                "value": "0x292544f0002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29257fa2e40"
              }
            ],
            "repeated": 0,
            "id": 18326
          },
          {
            "timestamp": "2026-05-28 22:01:58,881",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "misc",
            "api": "FindResourceExW",
            "status": true,
            "return": "0x29257f98940",
            "arguments": [
              {
                "name": "Module",
                "value": "0x292544f0002"
              },
              {
                "name": "Type",
                "value": "#3"
              },
              {
                "name": "Name",
                "value": "#63"
              },
              {
                "name": "Language",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 18327
          },
          {
            "timestamp": "2026-05-28 22:01:58,881",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "misc",
            "api": "SizeofResource",
            "status": true,
            "return": "0x00000468",
            "arguments": [
              {
                "name": "ModuleHandle",
                "value": "0x292544f0002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29257f98940"
              }
            ],
            "repeated": 0,
            "id": 18328
          },
          {
            "timestamp": "2026-05-28 22:01:58,881",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "misc",
            "api": "LoadResource",
            "status": true,
            "return": "0x292580164e8",
            "arguments": [
              {
                "name": "Module",
                "value": "0x292544f0002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29257f98940"
              }
            ],
            "repeated": 0,
            "id": 18329
          },
          {
            "timestamp": "2026-05-28 22:01:58,881",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29257f80000"
              },
              {
                "name": "RegionSize",
                "value": "0x013c0000"
              }
            ],
            "repeated": 0,
            "id": 18330
          },
          {
            "timestamp": "2026-05-28 22:01:58,881",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000007d4"
              }
            ],
            "repeated": 0,
            "id": 18331
          },
          {
            "timestamp": "2026-05-28 22:01:58,881",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254500000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              }
            ],
            "repeated": 0,
            "id": 18332
          },
          {
            "timestamp": "2026-05-28 22:01:58,881",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a50"
              }
            ],
            "repeated": 0,
            "id": 18333
          },
          {
            "timestamp": "2026-05-28 22:01:58,881",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x292544f0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00003000"
              }
            ],
            "repeated": 0,
            "id": 18334
          },
          {
            "timestamp": "2026-05-28 22:01:58,881",
            "thread_id": "1496",
            "caller": "0x7ff6c28da9db",
            "parentcaller": "0x7ff6c28d6fb1",
            "category": "misc",
            "api": "GetCursorPos",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "x",
                "value": "578"
              },
              {
                "name": "y",
                "value": "371"
              }
            ],
            "repeated": 0,
            "id": 18335
          },
          {
            "timestamp": "2026-05-28 22:01:58,881",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6fb1",
            "parentcaller": "0x7ff6c28e0076",
            "category": "system",
            "api": "NtDelayExecution",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 18336
          },
          {
            "timestamp": "2026-05-28 22:01:58,881",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29255760002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\System32\\net1.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 18337
          },
          {
            "timestamp": "2026-05-28 22:01:58,881",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29255760000"
              },
              {
                "name": "RegionSize",
                "value": "0x0003e000"
              }
            ],
            "repeated": 0,
            "id": 18338
          },
          {
            "timestamp": "2026-05-28 22:01:58,881",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29255760002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\System32\\net1.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 18339
          },
          {
            "timestamp": "2026-05-28 22:01:58,881",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29255760000"
              },
              {
                "name": "RegionSize",
                "value": "0x0003e000"
              }
            ],
            "repeated": 0,
            "id": 18340
          },
          {
            "timestamp": "2026-05-28 22:01:58,881",
            "thread_id": "5448",
            "caller": "0x7ff6c28c3b16",
            "parentcaller": "0x7ff6c28c30e8",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a94"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000400",
                "pretty_value": "PROCESS_QUERY_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "1016"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\System32\\net1.exe"
              }
            ],
            "repeated": 0,
            "id": 18341
          },
          {
            "timestamp": "2026-05-28 22:01:58,881",
            "thread_id": "5448",
            "caller": "0x7ff6c28c3b8f",
            "parentcaller": "0x7ff6c28c30e8",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a94"
              }
            ],
            "repeated": 0,
            "id": 18342
          },
          {
            "timestamp": "2026-05-28 22:01:58,881",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c38f8",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a94"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001410",
                "pretty_value": "PROCESS_VM_READ|PROCESS_QUERY_INFORMATION|PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "1016"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\System32\\net1.exe"
              }
            ],
            "repeated": 0,
            "id": 18343
          },
          {
            "timestamp": "2026-05-28 22:01:58,881",
            "thread_id": "5448",
            "caller": "0x7ff6c28c53e5",
            "parentcaller": "0x7ff6c28c3945",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a94"
              },
              {
                "name": "BaseAddress",
                "value": "0xbd6b045000"
              },
              {
                "name": "Size",
                "value": "0x000007c8"
              },
              {
                "name": "Buffer",
                "value": "\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\xb8\\xba\\xf6\\x7f\\x00\\x00\\xc0\\xc4\\x13x\\xfc\\x7f\\x00\\x00p\\x1c#\\xb9t\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00#\\xb9t\\x02\\x00\\x00\\xe0\\xc0\\x13x\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\t\\xb9t\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00@\\xc4\\x13x\\xfc\\x7f\\x00\\x00\\x11\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00lV\\xf4}\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00P\\x07lV\\xf4}\\x00\\x00\\x00\\x00\\x80X\\xf5}\\x00\\x00(\\x02\\x81X\\xf5}\\x00\\x00P\\x06\\x82X\\xf5}\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x80\\x9b\\x07m\\xe8\\xff\\xff\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x00 \\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x10\\x00\\x00\\x00@\\xad\\x13x\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 18344
          },
          {
            "timestamp": "2026-05-28 22:01:58,881",
            "thread_id": "5448",
            "caller": "0x7ff6c28c5414",
            "parentcaller": "0x7ff6c28c3945",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a94"
              },
              {
                "name": "BaseAddress",
                "value": "0x274b9231c70"
              },
              {
                "name": "Size",
                "value": "0x00000440"
              },
              {
                "name": "Buffer",
                "value": ",\\x07\\x00\\x00,\\x07\\x00\\x00\\x01`\\x00\\x00\\x00\\x00\\x00\\x00T\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x0c\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x18\\x00\\x08\\x02\\x00\\x00\\x00\\x00\\x00(#\\xb9t\\x02\\x00\\x00P\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x008\\x00:\\x00\\x00\\x00\\x00\\x00\\xb8\"#\\xb9t\\x02\\x00\\x00L\\x00N\\x00\\x00\\x00\\x00\\x00\\xf2\"#\\xb9t\\x02\\x00\\x00\\xe0\\x0f#\\xb9t\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x008\\x00:\\x00\\x00\\x00\\x00\\x00@##\\xb9t\\x02\\x00\\x00\\x1e\\x00 \\x00\\x00\\x00\\x00\\x00z##\\xb9t\\x02\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x9a##\\xb9t\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 18345
          },
          {
            "timestamp": "2026-05-28 22:01:58,881",
            "thread_id": "5448",
            "caller": "0x7ff6c28c545d",
            "parentcaller": "0x7ff6c28c3945",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a94"
              },
              {
                "name": "BaseAddress",
                "value": "0x274b92322f2"
              },
              {
                "name": "Size",
                "value": "0x0000004c"
              },
              {
                "name": "Buffer",
                "value": "C\\x00:\\x00\\\\x00W\\x00i\\x00n\\x00d\\x00o\\x00w\\x00s\\x00\\\\x00s\\x00y\\x00s\\x00t\\x00e\\x00m\\x003\\x002\\x00\\\\x00n\\x00e\\x00t\\x001\\x00 \\x00s\\x00t\\x00a\\x00r\\x00t\\x00 \\x00w\\x00i\\x00n\\x00m\\x00g\\x00m\\x00t\\x00"
              }
            ],
            "repeated": 0,
            "id": 18346
          },
          {
            "timestamp": "2026-05-28 22:01:58,881",
            "thread_id": "5448",
            "caller": "0x7ff6c28c39ad",
            "parentcaller": "0x7ff6c28c31bb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a94"
              }
            ],
            "repeated": 0,
            "id": 18347
          },
          {
            "timestamp": "2026-05-28 22:01:58,881",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c3746",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a94"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001000",
                "pretty_value": "PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "1016"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\System32\\net1.exe"
              }
            ],
            "repeated": 0,
            "id": 18348
          },
          {
            "timestamp": "2026-05-28 22:01:58,881",
            "thread_id": "5448",
            "caller": "0x7ff6c28c472e",
            "parentcaller": "0x7ff6c28c375e",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a94"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x00000a90"
              }
            ],
            "repeated": 0,
            "id": 18349
          },
          {
            "timestamp": "2026-05-28 22:01:58,881",
            "thread_id": "5448",
            "caller": "0x7ff6c28c4764",
            "parentcaller": "0x7ff6c28c375e",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "39"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 18350
          },
          {
            "timestamp": "2026-05-28 22:01:58,881",
            "thread_id": "5448",
            "caller": "0x7ff6c28c47ed",
            "parentcaller": "0x7ff6c28c375e",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "39"
              },
              {
                "name": "TokenInformation",
                "value": "\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00`\\xe1\\x99T\\x92\\x02\\x00\\x00 \\x00 \\x00\\x00\\x00\\x00\\x00\\x88\\xe1\\x99T\\x92\\x02\\x00\\x00\\x02\\x00\\x00\\x00A\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xa8\\xe1\\x99T\\x92\\x02\\x00\\x00T\\x00S\\x00A\\x00:\\x00/\\x00/\\x00P\\x00r\\x00o\\x00c\\x00U\\x00n\\x00i\\x00q\\x00u\\x00e\\x00\\x8e\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb4\\xee\t\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 18351
          },
          {
            "timestamp": "2026-05-28 22:01:58,881",
            "thread_id": "5448",
            "caller": "0x7ff6c28c488d",
            "parentcaller": "0x7ff6c28c375e",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a90"
              }
            ],
            "repeated": 0,
            "id": 18352
          },
          {
            "timestamp": "2026-05-28 22:01:58,881",
            "thread_id": "5448",
            "caller": "0x7ff6c28c3779",
            "parentcaller": "0x7ff6c28c31c6",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a94"
              }
            ],
            "repeated": 0,
            "id": 18353
          },
          {
            "timestamp": "2026-05-28 22:01:58,881",
            "thread_id": "5448",
            "caller": "0x7ff6c28c05ac",
            "parentcaller": "0x7ff6c28bdc11",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a94"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001400",
                "pretty_value": "PROCESS_QUERY_INFORMATION|PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "8196"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\System32\\svchost.exe"
              }
            ],
            "repeated": 0,
            "id": 18354
          },
          {
            "timestamp": "2026-05-28 22:01:58,881",
            "thread_id": "5448",
            "caller": "0x7ff6c28c068f",
            "parentcaller": "0x7ff6c28bdc11",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a94"
              }
            ],
            "repeated": 0,
            "id": 18355
          },
          {
            "timestamp": "2026-05-28 22:01:58,881",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c3e56",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a94"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001000",
                "pretty_value": "PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "8196"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\System32\\svchost.exe"
              }
            ],
            "repeated": 0,
            "id": 18356
          },
          {
            "timestamp": "2026-05-28 22:01:58,881",
            "thread_id": "5448",
            "caller": "0x7ff6c28c3ebb",
            "parentcaller": "0x7ff6c28c2d53",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a94"
              }
            ],
            "repeated": 0,
            "id": 18357
          },
          {
            "timestamp": "2026-05-28 22:01:58,881",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c3ffc",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a94"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001000",
                "pretty_value": "PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "8196"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\System32\\svchost.exe"
              }
            ],
            "repeated": 0,
            "id": 18358
          },
          {
            "timestamp": "2026-05-28 22:01:58,881",
            "thread_id": "5448",
            "caller": "0x7ff6c28c4224",
            "parentcaller": "0x7ff6c28c2da5",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a94"
              }
            ],
            "repeated": 0,
            "id": 18359
          },
          {
            "timestamp": "2026-05-28 22:01:58,881",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x292544f0002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\System32\\svchost.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 18360
          },
          {
            "timestamp": "2026-05-28 22:01:58,881",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "registry",
            "api": "NtOpenKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\en-US"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\en-US"
              }
            ],
            "repeated": 0,
            "id": 18361
          },
          {
            "timestamp": "2026-05-28 22:01:58,881",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000a94"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100001",
                "pretty_value": "FILE_READ_ACCESS|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\en-US\\svchost.exe.mui"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 18362
          },
          {
            "timestamp": "2026-05-28 22:01:58,881",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000a90"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000a94"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\en-US\\svchost.exe.mui"
              }
            ],
            "repeated": 0,
            "id": 18363
          },
          {
            "timestamp": "2026-05-28 22:01:58,881",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000a90"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254500000"
              },
              {
                "name": "SectionOffset",
                "value": "0xf09ddfcf90"
              },
              {
                "name": "ViewSize",
                "value": "0x00001000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 18364
          },
          {
            "timestamp": "2026-05-28 22:01:58,881",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a90"
              }
            ],
            "repeated": 0,
            "id": 18365
          },
          {
            "timestamp": "2026-05-28 22:01:58,881",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254500000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              }
            ],
            "repeated": 0,
            "id": 18366
          },
          {
            "timestamp": "2026-05-28 22:01:58,881",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a94"
              }
            ],
            "repeated": 0,
            "id": 18367
          },
          {
            "timestamp": "2026-05-28 22:01:58,881",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x292544f0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              }
            ],
            "repeated": 0,
            "id": 18368
          },
          {
            "timestamp": "2026-05-28 22:01:58,881",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x292544f0002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\System32\\svchost.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 18369
          },
          {
            "timestamp": "2026-05-28 22:01:58,881",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "registry",
            "api": "NtOpenKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\en-US"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\en-US"
              }
            ],
            "repeated": 0,
            "id": 18370
          },
          {
            "timestamp": "2026-05-28 22:01:58,881",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000a94"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100001",
                "pretty_value": "FILE_READ_ACCESS|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\en-US\\svchost.exe.mui"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 18371
          },
          {
            "timestamp": "2026-05-28 22:01:58,881",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000a90"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000a94"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\en-US\\svchost.exe.mui"
              }
            ],
            "repeated": 0,
            "id": 18372
          },
          {
            "timestamp": "2026-05-28 22:01:58,881",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000a90"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254500000"
              },
              {
                "name": "SectionOffset",
                "value": "0xf09ddfcf80"
              },
              {
                "name": "ViewSize",
                "value": "0x00001000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 18373
          },
          {
            "timestamp": "2026-05-28 22:01:58,881",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a90"
              }
            ],
            "repeated": 0,
            "id": 18374
          },
          {
            "timestamp": "2026-05-28 22:01:58,881",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254500000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              }
            ],
            "repeated": 0,
            "id": 18375
          },
          {
            "timestamp": "2026-05-28 22:01:58,881",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a94"
              }
            ],
            "repeated": 0,
            "id": 18376
          },
          {
            "timestamp": "2026-05-28 22:01:58,881",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x292544f0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              }
            ],
            "repeated": 0,
            "id": 18377
          },
          {
            "timestamp": "2026-05-28 22:01:58,881",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c38f8",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a94"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001410",
                "pretty_value": "PROCESS_VM_READ|PROCESS_QUERY_INFORMATION|PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "8196"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\System32\\svchost.exe"
              }
            ],
            "repeated": 0,
            "id": 18378
          },
          {
            "timestamp": "2026-05-28 22:01:58,881",
            "thread_id": "5448",
            "caller": "0x7ff6c28c53e5",
            "parentcaller": "0x7ff6c28c3945",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a94"
              },
              {
                "name": "BaseAddress",
                "value": "0x93d53a9000"
              },
              {
                "name": "Size",
                "value": "0x000007c8"
              },
              {
                "name": "Buffer",
                "value": "\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x006\\x80\\xf7\\x7f\\x00\\x00\\xc0\\xc4\\x13x\\xfc\\x7f\\x00\\x00p2 \\xebp\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x0e\\xebp\\x02\\x00\\x00\\xe0\\xc0\\x13x\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00p\\x003v\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\t\\xebp\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00@\\xc4\\x13x\\xfc\\x7f\\x00\\x00\\x17\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xca\"\\xf4}\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00P\\x07\\xca\"\\xf4}\\x00\\x00\\x00\\x00\\xde$\\xf5}\\x00\\x00(\\x02\\xdf$\\xf5}\\x00\\x00P\\x06\\xe0$\\xf5}\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x80\\x9b\\x07m\\xe8\\xff\\xff\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x00 \\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x10\\x00\\x00\\x00@\\xad\\x13x\\xfc\\x7f\\x00\\x00\\x00\\x00`\\xebp\\x02\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 18379
          },
          {
            "timestamp": "2026-05-28 22:01:58,881",
            "thread_id": "5448",
            "caller": "0x7ff6c28c5414",
            "parentcaller": "0x7ff6c28c3945",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a94"
              },
              {
                "name": "BaseAddress",
                "value": "0x270eb203270"
              },
              {
                "name": "Size",
                "value": "0x00000440"
              },
              {
                "name": "Buffer",
                "value": "(\\x07\\x00\\x00(\\x07\\x00\\x00\\x01 \\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00(\\x00\\x08\\x02\\x00\\x00\\x00\\x00\\x10> \\xebp\\x02\\x00\\x00H\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00>\\x00@\\x00\\x00\\x00\\x00\\x00\\xb88 \\xebp\\x02\\x00\\x00Z\\x00\\\\x00\\x00\\x00\\x00\\x00\\xf88 \\xebp\\x02\\x00\\x00\\xf0' \\xebp\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x80\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00>\\x00@\\x00\\x00\\x00\\x00\\x00T9 \\xebp\\x02\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x949 \\xebp\\x02\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x969 \\xebp\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 18380
          },
          {
            "timestamp": "2026-05-28 22:01:58,881",
            "thread_id": "5448",
            "caller": "0x7ff6c28c545d",
            "parentcaller": "0x7ff6c28c3945",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a94"
              },
              {
                "name": "BaseAddress",
                "value": "0x270eb2038f8"
              },
              {
                "name": "Size",
                "value": "0x0000005a"
              },
              {
                "name": "Buffer",
                "value": "C\\x00:\\x00\\\\x00W\\x00i\\x00n\\x00d\\x00o\\x00w\\x00s\\x00\\\\x00s\\x00y\\x00s\\x00t\\x00e\\x00m\\x003\\x002\\x00\\\\x00s\\x00v\\x00c\\x00h\\x00o\\x00s\\x00t\\x00.\\x00e\\x00x\\x00e\\x00 \\x00-\\x00k\\x00 \\x00n\\x00e\\x00t\\x00s\\x00v\\x00c\\x00s\\x00 \\x00-\\x00p\\x00"
              }
            ],
            "repeated": 0,
            "id": 18381
          },
          {
            "timestamp": "2026-05-28 22:01:58,881",
            "thread_id": "5448",
            "caller": "0x7ff6c28c39ad",
            "parentcaller": "0x7ff6c28c31bb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a94"
              }
            ],
            "repeated": 0,
            "id": 18382
          },
          {
            "timestamp": "2026-05-28 22:01:58,881",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c3746",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a94"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001000",
                "pretty_value": "PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "8196"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\System32\\svchost.exe"
              }
            ],
            "repeated": 0,
            "id": 18383
          },
          {
            "timestamp": "2026-05-28 22:01:58,881",
            "thread_id": "5448",
            "caller": "0x7ff6c28c472e",
            "parentcaller": "0x7ff6c28c375e",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a94"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x00000a90"
              }
            ],
            "repeated": 0,
            "id": 18384
          },
          {
            "timestamp": "2026-05-28 22:01:58,881",
            "thread_id": "5448",
            "caller": "0x7ff6c28c4764",
            "parentcaller": "0x7ff6c28c375e",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "39"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 18385
          },
          {
            "timestamp": "2026-05-28 22:01:58,881",
            "thread_id": "5448",
            "caller": "0x7ff6c28c47ed",
            "parentcaller": "0x7ff6c28c375e",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "39"
              },
              {
                "name": "TokenInformation",
                "value": "\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00`\\xe1\\x99T\\x92\\x02\\x00\\x00 \\x00 \\x00\\x00\\x00\\x00\\x00\\x88\\xe1\\x99T\\x92\\x02\\x00\\x00\\x02\\x00\\x00\\x00A\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xa8\\xe1\\x99T\\x92\\x02\\x00\\x00T\\x00S\\x00A\\x00:\\x00/\\x00/\\x00P\\x00r\\x00o\\x00c\\x00U\\x00n\\x00i\\x00q\\x00u\\x00e\\x00\\x8f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xc5\\xef\t\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 18386
          },
          {
            "timestamp": "2026-05-28 22:01:58,881",
            "thread_id": "5448",
            "caller": "0x7ff6c28c488d",
            "parentcaller": "0x7ff6c28c375e",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a90"
              }
            ],
            "repeated": 0,
            "id": 18387
          },
          {
            "timestamp": "2026-05-28 22:01:58,881",
            "thread_id": "5448",
            "caller": "0x7ff6c28c3779",
            "parentcaller": "0x7ff6c28c31c6",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a94"
              }
            ],
            "repeated": 0,
            "id": 18388
          },
          {
            "timestamp": "2026-05-28 22:01:58,881",
            "thread_id": "1276",
            "caller": "0x7ff6c28d9214",
            "parentcaller": "0x00000000",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "0",
                "pretty_value": "ThreadBasicInformation"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x03\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xd0\\x87\\x9d\\xf0\\x00\\x00\\x00\\xe8\\x1e\\x00\\x00\\x00\\x00\\x00\\x00\\xfc\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x0c\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "1276"
              }
            ],
            "repeated": 0,
            "id": 18389
          },
          {
            "timestamp": "2026-05-28 22:01:58,881",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000000",
                "pretty_value": "HKEY_CLASSES_ROOT"
              },
              {
                "name": "SubKey",
                "value": "CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_CLASSES_ROOT\\CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              }
            ],
            "repeated": 0,
            "id": 18390
          },
          {
            "timestamp": "2026-05-28 22:01:58,881",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "shell32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76730000"
              }
            ],
            "repeated": 0,
            "id": 18391
          },
          {
            "timestamp": "2026-05-28 22:01:58,881",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x7ffc76730000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "shell32.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 18392
          },
          {
            "timestamp": "2026-05-28 22:01:58,881",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "SHELL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc76730000"
              },
              {
                "name": "FunctionName",
                "value": "DllGetClassObject"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc767878f0"
              }
            ],
            "repeated": 0,
            "id": 18393
          },
          {
            "timestamp": "2026-05-28 22:01:58,881",
            "thread_id": "1276",
            "caller": "0x7ff6c28c27c9",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "synchronization",
            "api": "NtFindAtom",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "AtomName",
                "value": "{57086C23-86C6-478F-AFB2-236188C8F47F} 3"
              },
              {
                "name": "Atom",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 18394
          },
          {
            "timestamp": "2026-05-28 22:01:58,881",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6fb1",
            "parentcaller": "0x7ff6c28e0076",
            "category": "system",
            "api": "NtDelayExecution",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 18395
          },
          {
            "timestamp": "2026-05-28 22:01:58,881",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000000",
                "pretty_value": "HKEY_CLASSES_ROOT"
              },
              {
                "name": "SubKey",
                "value": "CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_CLASSES_ROOT\\CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              }
            ],
            "repeated": 0,
            "id": 18396
          },
          {
            "timestamp": "2026-05-28 22:01:58,881",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "shell32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76730000"
              }
            ],
            "repeated": 0,
            "id": 18397
          },
          {
            "timestamp": "2026-05-28 22:01:58,881",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x7ffc76730000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "shell32.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 18398
          },
          {
            "timestamp": "2026-05-28 22:01:58,881",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "SHELL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc76730000"
              },
              {
                "name": "FunctionName",
                "value": "DllGetClassObject"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc767878f0"
              }
            ],
            "repeated": 0,
            "id": 18399
          },
          {
            "timestamp": "2026-05-28 22:01:58,881",
            "thread_id": "1276",
            "caller": "0x7ff6c28c27c9",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "synchronization",
            "api": "NtFindAtom",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "AtomName",
                "value": "{57086C23-86C6-478F-AFB2-236188C8F47F} 3"
              },
              {
                "name": "Atom",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 18400
          },
          {
            "timestamp": "2026-05-28 22:01:58,881",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000000",
                "pretty_value": "HKEY_CLASSES_ROOT"
              },
              {
                "name": "SubKey",
                "value": "CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_CLASSES_ROOT\\CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              }
            ],
            "repeated": 0,
            "id": 18401
          },
          {
            "timestamp": "2026-05-28 22:01:58,881",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "shell32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76730000"
              }
            ],
            "repeated": 0,
            "id": 18402
          },
          {
            "timestamp": "2026-05-28 22:01:58,881",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x7ffc76730000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "shell32.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 18403
          },
          {
            "timestamp": "2026-05-28 22:01:58,881",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "SHELL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc76730000"
              },
              {
                "name": "FunctionName",
                "value": "DllGetClassObject"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc767878f0"
              }
            ],
            "repeated": 0,
            "id": 18404
          },
          {
            "timestamp": "2026-05-28 22:01:58,881",
            "thread_id": "1276",
            "caller": "0x7ff6c28c27c9",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "synchronization",
            "api": "NtFindAtom",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "AtomName",
                "value": "{57086C23-86C6-478F-AFB2-236188C8F47F} 3"
              },
              {
                "name": "Atom",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 18405
          },
          {
            "timestamp": "2026-05-28 22:01:58,881",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000000",
                "pretty_value": "HKEY_CLASSES_ROOT"
              },
              {
                "name": "SubKey",
                "value": "CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_CLASSES_ROOT\\CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              }
            ],
            "repeated": 0,
            "id": 18406
          },
          {
            "timestamp": "2026-05-28 22:01:58,881",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "shell32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76730000"
              }
            ],
            "repeated": 0,
            "id": 18407
          },
          {
            "timestamp": "2026-05-28 22:01:58,881",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x7ffc76730000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "shell32.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 18408
          },
          {
            "timestamp": "2026-05-28 22:01:58,881",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "SHELL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc76730000"
              },
              {
                "name": "FunctionName",
                "value": "DllGetClassObject"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc767878f0"
              }
            ],
            "repeated": 0,
            "id": 18409
          },
          {
            "timestamp": "2026-05-28 22:01:58,881",
            "thread_id": "1276",
            "caller": "0x7ff6c28c27c9",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "synchronization",
            "api": "NtFindAtom",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "AtomName",
                "value": "{57086C23-86C6-478F-AFB2-236188C8F47F} 3"
              },
              {
                "name": "Atom",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 18410
          },
          {
            "timestamp": "2026-05-28 22:01:58,881",
            "thread_id": "1276",
            "caller": "0x7ff6c28d9322",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "oleaut32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc77330000"
              }
            ],
            "repeated": 0,
            "id": 18411
          },
          {
            "timestamp": "2026-05-28 22:01:58,881",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c3ffc",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a94"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001000",
                "pretty_value": "PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "7444"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\System32\\svchost.exe"
              }
            ],
            "repeated": 0,
            "id": 18412
          },
          {
            "timestamp": "2026-05-28 22:01:58,881",
            "thread_id": "5448",
            "caller": "0x7ff6c28c4224",
            "parentcaller": "0x7ff6c28c1397",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a94"
              }
            ],
            "repeated": 0,
            "id": 18413
          },
          {
            "timestamp": "2026-05-28 22:01:58,881",
            "thread_id": "5448",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c28c9a14",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x292544f0002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\System32\\RuntimeBroker.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 18414
          },
          {
            "timestamp": "2026-05-28 22:01:58,881",
            "thread_id": "5448",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c28c9a14",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x292544f0000"
              },
              {
                "name": "RegionSize",
                "value": "0x0001c000"
              }
            ],
            "repeated": 0,
            "id": 18415
          },
          {
            "timestamp": "2026-05-28 22:01:58,881",
            "thread_id": "5448",
            "caller": "0x7ff6c28c9b37",
            "parentcaller": "0x7ff6c28c9a14",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x292544f0002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\System32\\RuntimeBroker.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 18416
          },
          {
            "timestamp": "2026-05-28 22:01:58,881",
            "thread_id": "5448",
            "caller": "0x7ff6c28c9b37",
            "parentcaller": "0x7ff6c28c9a14",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x292544f0000"
              },
              {
                "name": "RegionSize",
                "value": "0x0001c000"
              }
            ],
            "repeated": 0,
            "id": 18417
          },
          {
            "timestamp": "2026-05-28 22:01:58,881",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c3ffc",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a94"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001000",
                "pretty_value": "PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "5320"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\System32\\svchost.exe"
              }
            ],
            "repeated": 0,
            "id": 18418
          },
          {
            "timestamp": "2026-05-28 22:01:58,881",
            "thread_id": "5448",
            "caller": "0x7ff6c28c4224",
            "parentcaller": "0x7ff6c28c1397",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a94"
              }
            ],
            "repeated": 0,
            "id": 18419
          },
          {
            "timestamp": "2026-05-28 22:01:58,881",
            "thread_id": "5448",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c28c9a14",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x292544f0002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\System32\\RuntimeBroker.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 18420
          },
          {
            "timestamp": "2026-05-28 22:01:58,881",
            "thread_id": "5448",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c28c9a14",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x292544f0000"
              },
              {
                "name": "RegionSize",
                "value": "0x0001c000"
              }
            ],
            "repeated": 0,
            "id": 18421
          },
          {
            "timestamp": "2026-05-28 22:01:58,881",
            "thread_id": "5448",
            "caller": "0x7ff6c28c9b37",
            "parentcaller": "0x7ff6c28c9a14",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x292544f0002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\System32\\RuntimeBroker.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 18422
          },
          {
            "timestamp": "2026-05-28 22:01:58,881",
            "thread_id": "5448",
            "caller": "0x7ff6c28c9b37",
            "parentcaller": "0x7ff6c28c9a14",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x292544f0000"
              },
              {
                "name": "RegionSize",
                "value": "0x0001c000"
              }
            ],
            "repeated": 0,
            "id": 18423
          },
          {
            "timestamp": "2026-05-28 22:01:58,881",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c837c",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a94"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001000",
                "pretty_value": "PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "7444"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\System32\\svchost.exe"
              }
            ],
            "repeated": 0,
            "id": 18424
          },
          {
            "timestamp": "2026-05-28 22:01:58,881",
            "thread_id": "5448",
            "caller": "0x7ff6c28c472e",
            "parentcaller": "0x7ff6c28c8392",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a94"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x00000a90"
              }
            ],
            "repeated": 0,
            "id": 18425
          },
          {
            "timestamp": "2026-05-28 22:01:58,881",
            "thread_id": "5448",
            "caller": "0x7ff6c28c4764",
            "parentcaller": "0x7ff6c28c8392",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "39"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 18426
          },
          {
            "timestamp": "2026-05-28 22:01:58,881",
            "thread_id": "5448",
            "caller": "0x7ff6c28c47ed",
            "parentcaller": "0x7ff6c28c8392",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "39"
              },
              {
                "name": "TokenInformation",
                "value": "\\x01\\x00\\x00\\x00\\x03\\x00\\x00\\x00pq\\x9aT\\x92\\x02\\x00\\x00\\x1c\\x00\\x1c\\x00\\x00\\x00\\x00\\x00\\xe8q\\x9aT\\x92\\x02\\x00\\x00\\x03\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x08r\\x9aT\\x92\\x02\\x00\\x00\\x12\\x00\\x12\\x00\\x00\\x00\\x00\\x008s\\x9aT\\x92\\x02\\x00\\x00\\x02\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00Ps\\x9aT\\x92\\x02\\x00\\x00 \\x00 \\x00\\x00\\x00\\x00\\x00Xs\\x9aT\\x92\\x02\\x00\\x00\\x02\\x00\\x00\\x00A\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00xs\\x9aT\\x92\\x02\\x00\\x00W\\x00I\\x00N\\x00:\\x00/\\x00/\\x00S\\x00Y\\x00S\\x00A\\x00P\\x00P\\x00I\\x00D\\x00\\x00\\x00\\x00\\x00p\\x00p\\x00\\x00\\x00\\x00\\x008r\\x9aT\\x92\\x02\\x00\\x00H\\x00H\\x00\\x00\\x00\\x00\\x00\\xa8r\\x9aT\\x92\\x02\\x00\\x00H\\x00H\\x00\\x00\\x00\\x00\\x00\\xf0r\\x9aT\\x92\\x02\\x00\\x00M\\x00i\\x00c\\x00r\\x00o\\x00s\\x00o\\x00f\\x00t\\x00.\\x00W\\x00i\\x00n\\x00d\\x00o\\x00w\\x00s\\x00S\\x00t\\x00o\\x00"
              }
            ],
            "repeated": 0,
            "id": 18427
          },
          {
            "timestamp": "2026-05-28 22:01:58,881",
            "thread_id": "5448",
            "caller": "0x7ff6c28c488d",
            "parentcaller": "0x7ff6c28c8392",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a90"
              }
            ],
            "repeated": 0,
            "id": 18428
          },
          {
            "timestamp": "2026-05-28 22:01:58,881",
            "thread_id": "5448",
            "caller": "0x7ff6c28c83a8",
            "parentcaller": "0x7ff6c28c8427",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a94"
              }
            ],
            "repeated": 0,
            "id": 18429
          },
          {
            "timestamp": "2026-05-28 22:01:58,881",
            "thread_id": "5448",
            "caller": "0x7ff6c28c883e",
            "parentcaller": "0x7ff6c28c846b",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0xfffffffc"
              }
            ],
            "repeated": 0,
            "id": 18430
          },
          {
            "timestamp": "2026-05-28 22:01:58,881",
            "thread_id": "5448",
            "caller": "0x7ff6c28c883e",
            "parentcaller": "0x7ff6c28c846b",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 18431
          },
          {
            "timestamp": "2026-05-28 22:01:58,881",
            "thread_id": "5448",
            "caller": "0x7ff6c28c883e",
            "parentcaller": "0x7ff6c28c846b",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0xfffffffc"
              }
            ],
            "repeated": 0,
            "id": 18432
          },
          {
            "timestamp": "2026-05-28 22:01:58,881",
            "thread_id": "5448",
            "caller": "0x7ff6c28c883e",
            "parentcaller": "0x7ff6c28c846b",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "0",
                "pretty_value": "ThreadBasicInformation"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x03\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xf0\\x86\\x9d\\xf0\\x00\\x00\\x00\\xe8\\x1e\\x00\\x00\\x00\\x00\\x00\\x00H\\x15\\x00\\x00\\x00\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x0e\\x00\\x00\\x00\\x02\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "5448"
              }
            ],
            "repeated": 0,
            "id": 18433
          },
          {
            "timestamp": "2026-05-28 22:01:58,881",
            "thread_id": "3700",
            "caller": "0x7ffc7571ebae",
            "parentcaller": "0x7ffc775f84de",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "0",
                "pretty_value": "ThreadBasicInformation"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x03\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xf0\\x87\\x9d\\xf0\\x00\\x00\\x00\\xe8\\x1e\\x00\\x00\\x00\\x00\\x00\\x00t\\x0e\\x00\\x00\\x00\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x0b\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "3700"
              }
            ],
            "repeated": 0,
            "id": 18434
          },
          {
            "timestamp": "2026-05-28 22:01:58,881",
            "thread_id": "3700",
            "caller": "0x7ffc756e54eb",
            "parentcaller": "0x7ffc6126c697",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 18435
          },
          {
            "timestamp": "2026-05-28 22:01:58,881",
            "thread_id": "3700",
            "caller": "0x7ffc756e54eb",
            "parentcaller": "0x7ffc6126c717",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "P\\xbf\\xacT\\x92\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00 \\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\xe9\\x03\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 18436
          },
          {
            "timestamp": "2026-05-28 22:01:58,896",
            "thread_id": "3700",
            "caller": "0x7ffc77be92b9",
            "parentcaller": "0x7ffc77c2224d",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "00000339-0000-0000-C000-000000000046"
              },
              {
                "name": "ClsContext",
                "value": "0x00000403",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER|CLSCTX_NO_CODE_DOWNLOAD"
              },
              {
                "name": "riid",
                "value": "00000003-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 3,
            "id": 18437
          },
          {
            "timestamp": "2026-05-28 22:01:58,896",
            "thread_id": "3700",
            "caller": "0x7ffc7571ebae",
            "parentcaller": "0x7ffc775c712f",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "0",
                "pretty_value": "ThreadBasicInformation"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x03\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xf0\\x87\\x9d\\xf0\\x00\\x00\\x00\\xe8\\x1e\\x00\\x00\\x00\\x00\\x00\\x00t\\x0e\\x00\\x00\\x00\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\t\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "3700"
              }
            ],
            "repeated": 0,
            "id": 18438
          },
          {
            "timestamp": "2026-05-28 22:01:58,896",
            "thread_id": "5448",
            "caller": "0x7ff6c28ba589",
            "parentcaller": "0x7ff6c28ba4a3",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "317D06E8-5F24-433D-BDF7-79CE68D8ABC2"
              },
              {
                "name": "ClsContext",
                "value": "0x00000001",
                "pretty_value": "CLSCTX_INPROC_SERVER"
              },
              {
                "name": "riid",
                "value": "EC5EC8A9-C395-4314-9C77-54D7A935FF70"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 18439
          },
          {
            "timestamp": "2026-05-28 22:01:58,896",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c837c",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a50"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001000",
                "pretty_value": "PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "5320"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\System32\\svchost.exe"
              }
            ],
            "repeated": 0,
            "id": 18440
          },
          {
            "timestamp": "2026-05-28 22:01:58,896",
            "thread_id": "5448",
            "caller": "0x7ff6c28c472e",
            "parentcaller": "0x7ff6c28c8392",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a50"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x000007d4"
              }
            ],
            "repeated": 0,
            "id": 18441
          },
          {
            "timestamp": "2026-05-28 22:01:58,896",
            "thread_id": "5448",
            "caller": "0x7ff6c28c4764",
            "parentcaller": "0x7ff6c28c8392",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "39"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 18442
          },
          {
            "timestamp": "2026-05-28 22:01:58,896",
            "thread_id": "5448",
            "caller": "0x7ff6c28c47ed",
            "parentcaller": "0x7ff6c28c8392",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "39"
              },
              {
                "name": "TokenInformation",
                "value": "\\x01\\x00\\x00\\x00\\x03\\x00\\x00\\x00pq\\x9aT\\x92\\x02\\x00\\x00\\x1c\\x00\\x1c\\x00\\x00\\x00\\x00\\x00\\xe8q\\x9aT\\x92\\x02\\x00\\x00\\x03\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x08r\\x9aT\\x92\\x02\\x00\\x00\\x12\\x00\\x12\\x00\\x00\\x00\\x00\\x00\\x9cs\\x9aT\\x92\\x02\\x00\\x00\\x02\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb0s\\x9aT\\x92\\x02\\x00\\x00 \\x00 \\x00\\x00\\x00\\x00\\x00\\xb8s\\x9aT\\x92\\x02\\x00\\x00\\x02\\x00\\x00\\x00A\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xd8s\\x9aT\\x92\\x02\\x00\\x00W\\x00I\\x00N\\x00:\\x00/\\x00/\\x00S\\x00Y\\x00S\\x00A\\x00P\\x00P\\x00I\\x00D\\x00\\x00\\x00\\x00\\x00\\xae\\x00\\xae\\x00\\x00\\x00\\x00\\x008r\\x9aT\\x92\\x02\\x00\\x00H\\x00H\\x00\\x00\\x00\\x00\\x00\\xe6r\\x9aT\\x92\\x02\\x00\\x00n\\x00n\\x00\\x00\\x00\\x00\\x00.s\\x9aT\\x92\\x02\\x00\\x00M\\x00i\\x00c\\x00r\\x00o\\x00s\\x00o\\x00f\\x00t\\x00.\\x00W\\x00i\\x00n\\x00d\\x00o\\x00w\\x00s\\x00.\\x00S\\x00t\\x00"
              }
            ],
            "repeated": 0,
            "id": 18443
          },
          {
            "timestamp": "2026-05-28 22:01:58,896",
            "thread_id": "5448",
            "caller": "0x7ff6c28c488d",
            "parentcaller": "0x7ff6c28c8392",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000007d4"
              }
            ],
            "repeated": 0,
            "id": 18444
          },
          {
            "timestamp": "2026-05-28 22:01:58,896",
            "thread_id": "5448",
            "caller": "0x7ff6c28c83a8",
            "parentcaller": "0x7ff6c28c8427",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a50"
              }
            ],
            "repeated": 0,
            "id": 18445
          },
          {
            "timestamp": "2026-05-28 22:01:58,896",
            "thread_id": "5448",
            "caller": "0x7ff6c28c883e",
            "parentcaller": "0x7ff6c28c846b",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0xfffffffc"
              }
            ],
            "repeated": 0,
            "id": 18446
          },
          {
            "timestamp": "2026-05-28 22:01:58,896",
            "thread_id": "5448",
            "caller": "0x7ff6c28c883e",
            "parentcaller": "0x7ff6c28c846b",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 18447
          },
          {
            "timestamp": "2026-05-28 22:01:58,896",
            "thread_id": "5448",
            "caller": "0x7ff6c28c883e",
            "parentcaller": "0x7ff6c28c846b",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0xfffffffc"
              }
            ],
            "repeated": 0,
            "id": 18448
          },
          {
            "timestamp": "2026-05-28 22:01:58,896",
            "thread_id": "5448",
            "caller": "0x7ff6c28c883e",
            "parentcaller": "0x7ff6c28c846b",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "0",
                "pretty_value": "ThreadBasicInformation"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x03\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xf0\\x86\\x9d\\xf0\\x00\\x00\\x00\\xe8\\x1e\\x00\\x00\\x00\\x00\\x00\\x00H\\x15\\x00\\x00\\x00\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x0e\\x00\\x00\\x00\\x02\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "5448"
              }
            ],
            "repeated": 0,
            "id": 18449
          },
          {
            "timestamp": "2026-05-28 22:01:58,896",
            "thread_id": "3700",
            "caller": "0x7ffc7571ebae",
            "parentcaller": "0x7ffc775f84de",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "0",
                "pretty_value": "ThreadBasicInformation"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x03\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xf0\\x87\\x9d\\xf0\\x00\\x00\\x00\\xe8\\x1e\\x00\\x00\\x00\\x00\\x00\\x00t\\x0e\\x00\\x00\\x00\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x0b\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "3700"
              }
            ],
            "repeated": 0,
            "id": 18450
          },
          {
            "timestamp": "2026-05-28 22:01:58,896",
            "thread_id": "3700",
            "caller": "0x7ffc756e54eb",
            "parentcaller": "0x7ffc6126c697",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 18451
          },
          {
            "timestamp": "2026-05-28 22:01:58,896",
            "thread_id": "3700",
            "caller": "0x7ffc756e54eb",
            "parentcaller": "0x7ffc6126c717",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\x90\\xbc\\xacT\\x92\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\xfc\\x7f\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\xe9\\x03\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 18452
          },
          {
            "timestamp": "2026-05-28 22:01:58,896",
            "thread_id": "3700",
            "caller": "0x7ffc77be92b9",
            "parentcaller": "0x7ffc77c2224d",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "00000339-0000-0000-C000-000000000046"
              },
              {
                "name": "ClsContext",
                "value": "0x00000403",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER|CLSCTX_NO_CODE_DOWNLOAD"
              },
              {
                "name": "riid",
                "value": "00000003-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 3,
            "id": 18453
          },
          {
            "timestamp": "2026-05-28 22:01:58,896",
            "thread_id": "3700",
            "caller": "0x7ffc7571ebae",
            "parentcaller": "0x7ffc775c712f",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "0",
                "pretty_value": "ThreadBasicInformation"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x03\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xf0\\x87\\x9d\\xf0\\x00\\x00\\x00\\xe8\\x1e\\x00\\x00\\x00\\x00\\x00\\x00t\\x0e\\x00\\x00\\x00\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "3700"
              }
            ],
            "repeated": 0,
            "id": 18454
          },
          {
            "timestamp": "2026-05-28 22:01:58,896",
            "thread_id": "5448",
            "caller": "0x7ff6c28ba589",
            "parentcaller": "0x7ff6c28ba4a3",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "317D06E8-5F24-433D-BDF7-79CE68D8ABC2"
              },
              {
                "name": "ClsContext",
                "value": "0x00000001",
                "pretty_value": "CLSCTX_INPROC_SERVER"
              },
              {
                "name": "riid",
                "value": "EC5EC8A9-C395-4314-9C77-54D7A935FF70"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 18455
          },
          {
            "timestamp": "2026-05-28 22:01:58,896",
            "thread_id": "5448",
            "caller": "0x7ff6c28bb952",
            "parentcaller": "0x7ff6c28be837",
            "category": "windows",
            "api": "PostMessageW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "WindowHandle",
                "value": "0x00010402"
              },
              {
                "name": "Message",
                "value": "0x00000464"
              }
            ],
            "repeated": 0,
            "id": 18456
          },
          {
            "timestamp": "2026-05-28 22:01:58,896",
            "thread_id": "5448",
            "caller": "0x7ff6c28be873",
            "parentcaller": "0x7ff6c28d9f92",
            "category": "windows",
            "api": "PostMessageW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "WindowHandle",
                "value": "0x000203fa"
              },
              {
                "name": "Message",
                "value": "0x000004dd"
              }
            ],
            "repeated": 0,
            "id": 18457
          },
          {
            "timestamp": "2026-05-28 22:01:58,896",
            "thread_id": "608",
            "caller": "0x7ff6c28d9e90",
            "parentcaller": "0x7ff6c28d9a49",
            "category": "windows",
            "api": "FindWindowW",
            "status": true,
            "return": "0x00010092",
            "arguments": [
              {
                "name": "ClassName",
                "value": "Shell_TrayWnd"
              },
              {
                "name": "WindowName",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 18458
          },
          {
            "timestamp": "2026-05-28 22:01:58,896",
            "thread_id": "1496",
            "caller": "0x7ff6c28cd4b8",
            "parentcaller": "0x7ff6c292ec05",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x292549b8000"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000001",
                "pretty_value": "PAGE_NOACCESS"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 18459
          },
          {
            "timestamp": "2026-05-28 22:01:58,896",
            "thread_id": "1276",
            "caller": "0x7ffc77bf0e98",
            "parentcaller": "0x7ffc77c6b785",
            "category": "windows",
            "api": "PostMessageW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "WindowHandle",
                "value": "0x00010438"
              },
              {
                "name": "Message",
                "value": "0x00000400"
              }
            ],
            "repeated": 0,
            "id": 18460
          },
          {
            "timestamp": "2026-05-28 22:01:58,896",
            "thread_id": "1496",
            "caller": "0x7ff6c292fc86",
            "parentcaller": "0x7ff6c292ea1e",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254a33000"
              },
              {
                "name": "RegionSize",
                "value": "0x00029000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 18461
          },
          {
            "timestamp": "2026-05-28 22:01:58,912",
            "thread_id": "1496",
            "caller": "0x7ff6c28da4af",
            "parentcaller": "0x7ff6c28cd4b8",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254a5e000"
              },
              {
                "name": "RegionSize",
                "value": "0x00051000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 18462
          },
          {
            "timestamp": "2026-05-28 22:01:58,912",
            "thread_id": "1496",
            "caller": "0x7ff6c28b50a7",
            "parentcaller": "0x7ff6c28b501f",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "COMCTL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc61e00000"
              },
              {
                "name": "FunctionName",
                "value": "DPA_DeletePtr"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc61e8dbc0"
              }
            ],
            "repeated": 0,
            "id": 18463
          },
          {
            "timestamp": "2026-05-28 22:01:58,912",
            "thread_id": "1496",
            "caller": "0x7ff6c292fc86",
            "parentcaller": "0x7ff6c292ea1e",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254acd000"
              },
              {
                "name": "RegionSize",
                "value": "0x00011000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 18464
          },
          {
            "timestamp": "2026-05-28 22:01:58,912",
            "thread_id": "1496",
            "caller": "0x7ff6c28da4af",
            "parentcaller": "0x7ff6c28cd4b8",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254ade000"
              },
              {
                "name": "RegionSize",
                "value": "0x00011000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 18465
          },
          {
            "timestamp": "2026-05-28 22:01:58,912",
            "thread_id": "1496",
            "caller": "0x7ff6c28da46e",
            "parentcaller": "0x7ff6c28cd4b8",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254bf1000"
              },
              {
                "name": "RegionSize",
                "value": "0x00021000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 18466
          },
          {
            "timestamp": "2026-05-28 22:01:58,928",
            "thread_id": "1496",
            "caller": "0x7ff6c28cd4b8",
            "parentcaller": "0x7ff6c292ec05",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254c12000"
              },
              {
                "name": "RegionSize",
                "value": "0x00013000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 18467
          },
          {
            "timestamp": "2026-05-28 22:01:58,928",
            "thread_id": "1496",
            "caller": "0x7ff6c28cd4b8",
            "parentcaller": "0x7ff6c292ec05",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254c22000"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000001",
                "pretty_value": "PAGE_NOACCESS"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 18468
          },
          {
            "timestamp": "2026-05-28 22:01:58,928",
            "thread_id": "1496",
            "caller": "0x7ff6c28da4af",
            "parentcaller": "0x7ff6c28cd4b8",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254c25000"
              },
              {
                "name": "RegionSize",
                "value": "0x00021000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 18469
          },
          {
            "timestamp": "2026-05-28 22:01:58,928",
            "thread_id": "1496",
            "caller": "0x7ff6c28f2991",
            "parentcaller": "0x7ff6c28f3c7e",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254c46000"
              },
              {
                "name": "RegionSize",
                "value": "0x00011000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 18470
          },
          {
            "timestamp": "2026-05-28 22:01:58,928",
            "thread_id": "1496",
            "caller": "0x7ff6c292fc86",
            "parentcaller": "0x7ff6c292ea1e",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254c57000"
              },
              {
                "name": "RegionSize",
                "value": "0x00021000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 18471
          },
          {
            "timestamp": "2026-05-28 22:01:58,928",
            "thread_id": "1496",
            "caller": "0x7ff6c28cd4b8",
            "parentcaller": "0x7ff6c292ec05",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254c78000"
              },
              {
                "name": "RegionSize",
                "value": "0x00021000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 18472
          },
          {
            "timestamp": "2026-05-28 22:01:58,943",
            "thread_id": "1496",
            "caller": "0x7ff6c28ce367",
            "parentcaller": "0x7ff6c28c5322",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254c99000"
              },
              {
                "name": "RegionSize",
                "value": "0x00011000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 18473
          },
          {
            "timestamp": "2026-05-28 22:01:58,943",
            "thread_id": "1496",
            "caller": "0x7ff6c28da4af",
            "parentcaller": "0x7ff6c28cd4b8",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254caa000"
              },
              {
                "name": "RegionSize",
                "value": "0x00043000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 18474
          },
          {
            "timestamp": "2026-05-28 22:01:58,943",
            "thread_id": "1496",
            "caller": "0x7ff6c28da4af",
            "parentcaller": "0x7ff6c28cd4b8",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254ce7000"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000001",
                "pretty_value": "PAGE_NOACCESS"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 18475
          },
          {
            "timestamp": "2026-05-28 22:01:58,943",
            "thread_id": "1496",
            "caller": "0x7ff6c28da4af",
            "parentcaller": "0x7ff6c28cd4b8",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254ced000"
              },
              {
                "name": "RegionSize",
                "value": "0x00011000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 18476
          },
          {
            "timestamp": "2026-05-28 22:01:58,943",
            "thread_id": "1496",
            "caller": "0x7ff6c28cd4b8",
            "parentcaller": "0x7ff6c292ec05",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254cfe000"
              },
              {
                "name": "RegionSize",
                "value": "0x00021000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 18477
          },
          {
            "timestamp": "2026-05-28 22:01:58,943",
            "thread_id": "1496",
            "caller": "0x7ff6c29306c5",
            "parentcaller": "0x7ff6c292ed2c",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254d1f000"
              },
              {
                "name": "RegionSize",
                "value": "0x00013000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 18478
          },
          {
            "timestamp": "2026-05-28 22:01:58,943",
            "thread_id": "1496",
            "caller": "0x7ff6c29306c5",
            "parentcaller": "0x7ff6c292ed2c",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254d29000"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000001",
                "pretty_value": "PAGE_NOACCESS"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 18479
          },
          {
            "timestamp": "2026-05-28 22:01:58,959",
            "thread_id": "1496",
            "caller": "0x7ff6c29155ca",
            "parentcaller": "0x7ff6c2915b99",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254d32000"
              },
              {
                "name": "RegionSize",
                "value": "0x00009000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 18480
          },
          {
            "timestamp": "2026-05-28 22:01:58,959",
            "thread_id": "1496",
            "caller": "0x7ff6c28cd4b8",
            "parentcaller": "0x7ff6c292ec05",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254d3b000"
              },
              {
                "name": "RegionSize",
                "value": "0x00021000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 18481
          },
          {
            "timestamp": "2026-05-28 22:01:58,959",
            "thread_id": "1496",
            "caller": "0x7ff6c2930759",
            "parentcaller": "0x7ff6c292ed2c",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254d5c000"
              },
              {
                "name": "RegionSize",
                "value": "0x00021000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 18482
          },
          {
            "timestamp": "2026-05-28 22:01:58,959",
            "thread_id": "1496",
            "caller": "0x7ff6c293053a",
            "parentcaller": "0x7ff6c292ed2c",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254d7d000"
              },
              {
                "name": "RegionSize",
                "value": "0x00009000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 18483
          },
          {
            "timestamp": "2026-05-28 22:01:58,975",
            "thread_id": "1496",
            "caller": "0x7ff6c28da46e",
            "parentcaller": "0x7ff6c28cd4b8",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254d86000"
              },
              {
                "name": "RegionSize",
                "value": "0x00021000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 18484
          },
          {
            "timestamp": "2026-05-28 22:01:58,975",
            "thread_id": "1496",
            "caller": "0x7ff6c29306c5",
            "parentcaller": "0x7ff6c292ed2c",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254da7000"
              },
              {
                "name": "RegionSize",
                "value": "0x00013000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 18485
          },
          {
            "timestamp": "2026-05-28 22:01:58,975",
            "thread_id": "1496",
            "caller": "0x7ff6c29306c5",
            "parentcaller": "0x7ff6c292ed2c",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254db5000"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000001",
                "pretty_value": "PAGE_NOACCESS"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 18486
          },
          {
            "timestamp": "2026-05-28 22:01:58,975",
            "thread_id": "1496",
            "caller": "0x7ff6c28da4af",
            "parentcaller": "0x7ff6c28cd4b8",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254dba000"
              },
              {
                "name": "RegionSize",
                "value": "0x00011000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 18487
          },
          {
            "timestamp": "2026-05-28 22:01:58,975",
            "thread_id": "1496",
            "caller": "0x7ff6c28cd4b8",
            "parentcaller": "0x7ff6c292e918",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254dcb000"
              },
              {
                "name": "RegionSize",
                "value": "0x00021000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 18488
          },
          {
            "timestamp": "2026-05-28 22:01:58,975",
            "thread_id": "1496",
            "caller": "0x7ff6c28cd4b8",
            "parentcaller": "0x7ff6c292e918",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254dec000"
              },
              {
                "name": "RegionSize",
                "value": "0x00011000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 18489
          },
          {
            "timestamp": "2026-05-28 22:01:58,990",
            "thread_id": "1496",
            "caller": "0x7ff6c28cd485",
            "parentcaller": "0x7ff6c292e918",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254dfd000"
              },
              {
                "name": "RegionSize",
                "value": "0x00043000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 18490
          },
          {
            "timestamp": "2026-05-28 22:01:58,990",
            "thread_id": "1496",
            "caller": "0x7ff6c28cd485",
            "parentcaller": "0x7ff6c292e918",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254e39000"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000001",
                "pretty_value": "PAGE_NOACCESS"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 18491
          },
          {
            "timestamp": "2026-05-28 22:01:58,990",
            "thread_id": "1496",
            "caller": "0x7ff6c28f2991",
            "parentcaller": "0x7ff6c28cc905",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2924e034000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 18492
          },
          {
            "timestamp": "2026-05-28 22:01:58,990",
            "thread_id": "1496",
            "caller": "0x7ff6c28cd55c",
            "parentcaller": "0x7ff6c292e918",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254e40000"
              },
              {
                "name": "RegionSize",
                "value": "0x00009000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 18493
          },
          {
            "timestamp": "2026-05-28 22:01:58,990",
            "thread_id": "1496",
            "caller": "0x7ff6c28cd4b8",
            "parentcaller": "0x7ff6c292e918",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254e49000"
              },
              {
                "name": "RegionSize",
                "value": "0x00005000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 18494
          },
          {
            "timestamp": "2026-05-28 22:01:58,990",
            "thread_id": "1496",
            "caller": "0x7ff6c2931bb1",
            "parentcaller": "0x7ff6c293307d",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254e4e000"
              },
              {
                "name": "RegionSize",
                "value": "0x00005000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 18495
          },
          {
            "timestamp": "2026-05-28 22:01:58,990",
            "thread_id": "1496",
            "caller": "0x7ff6c28da4af",
            "parentcaller": "0x7ff6c28cd4b8",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254e53000"
              },
              {
                "name": "RegionSize",
                "value": "0x00013000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 18496
          },
          {
            "timestamp": "2026-05-28 22:01:58,990",
            "thread_id": "1496",
            "caller": "0x7ff6c28da4af",
            "parentcaller": "0x7ff6c28cd4b8",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254e60000"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000001",
                "pretty_value": "PAGE_NOACCESS"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 18497
          },
          {
            "timestamp": "2026-05-28 22:01:59,006",
            "thread_id": "1496",
            "caller": "0x7ff6c28d33af",
            "parentcaller": "0x7ff6c28d30dd",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254e66000"
              },
              {
                "name": "RegionSize",
                "value": "0x00011000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 18498
          },
          {
            "timestamp": "2026-05-28 22:01:59,006",
            "thread_id": "1496",
            "caller": "0x7ff6c28d33af",
            "parentcaller": "0x7ff6c28d30dd",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254e77000"
              },
              {
                "name": "RegionSize",
                "value": "0x0000b000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 18499
          },
          {
            "timestamp": "2026-05-28 22:01:59,021",
            "thread_id": "1496",
            "caller": "0x7ff6c28d33af",
            "parentcaller": "0x7ff6c28d30dd",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254e82000"
              },
              {
                "name": "RegionSize",
                "value": "0x00021000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 18500
          },
          {
            "timestamp": "2026-05-28 22:01:59,021",
            "thread_id": "1496",
            "caller": "0x7ff6c28d33af",
            "parentcaller": "0x7ff6c28d30dd",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254ea3000"
              },
              {
                "name": "RegionSize",
                "value": "0x0000b000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 18501
          },
          {
            "timestamp": "2026-05-28 22:01:59,162",
            "thread_id": "1496",
            "caller": "0x7ff6c28da9db",
            "parentcaller": "0x7ff6c28d6fb1",
            "category": "misc",
            "api": "GetCursorPos",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "x",
                "value": "578"
              },
              {
                "name": "y",
                "value": "370"
              }
            ],
            "repeated": 0,
            "id": 18502
          },
          {
            "timestamp": "2026-05-28 22:01:59,162",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6fb1",
            "parentcaller": "0x7ff6c28e0076",
            "category": "system",
            "api": "NtDelayExecution",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 18503
          },
          {
            "timestamp": "2026-05-28 22:01:59,256",
            "thread_id": "1496",
            "caller": "0x7ff6c28d612b",
            "parentcaller": "0x7ff6c28d6022",
            "category": "registry",
            "api": "RegCreateKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000001",
                "pretty_value": "HKEY_CURRENT_USER"
              },
              {
                "name": "SubKey",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\TaskManager"
              },
              {
                "name": "Class",
                "value": ""
              },
              {
                "name": "Access",
                "value": "0x00020006",
                "pretty_value": "KEY_WRITE"
              },
              {
                "name": "Handle",
                "value": "0x00000a50"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\TaskManager"
              },
              {
                "name": "Disposition",
                "value": "2",
                "pretty_value": "REG_OPENED_EXISTING_KEY"
              }
            ],
            "repeated": 0,
            "id": 18504
          },
          {
            "timestamp": "2026-05-28 22:01:59,256",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6056",
            "parentcaller": "0x7ff6c28d4ed6",
            "category": "registry",
            "api": "RegSetValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a50"
              },
              {
                "name": "ValueName",
                "value": "Preferences"
              },
              {
                "name": "Type",
                "value": "3",
                "pretty_value": "REG_BINARY"
              },
              {
                "name": "Buffer",
                "value": "\r\\x00\\x00\\x00`\\x00\\x00\\x00`\\x00\\x00\\x00\\x82\\x00\\x00\\x00\\x82\\x00\\x00\\x00\\xfd\\x01\\x00\\x00\\xf6\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x80\\x00\\x00\\x00\\x80\\xd8\\x01\\x00\\x80\\xdf\\x01\\x00\\x80\\x00\\x01\\x00\\x01\\xc1\\x01\\x00\\x00,\\x01\\x00\\x00i\\x04\\x00\\x00\\x84\\x03\\x00\\x00\\xe8\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x0f\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00X\\xaa\\x98\\xc2\\xf6\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xea\\x00\\x00\\x00\\x1e\\x00\\x00\\x00\\x89\\x90\\x00\\x00\\x00\\x00\\x00\\x00\\xff\\x00\\x00\\x00\\x01\\x01P\\x02\\x00\\x00\\x00\\x00\r\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x98\\xaa\\x98\\xc2\\xf6\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\x96\\x00\\x00\\x00\\x1e\\x00\\x00\\x00\\x8b\\x90\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x10\\x01\\x00\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb0\\xaa\\x98\\xc2\\xf6\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xffx\\x00\\x00\\x00\\x1e\\x00\\x00\\x00\\x8c\\x90\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x02\\x12\\x00\\x00\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xc8\\xaa\\x98\\xc2\\xf6\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\x96\\x00\\x00\\x00\\x1e\\x00\\x00\\x00\\x8d\\x90\\x00\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x10\\x01\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xe8\\xaa\\x98\\xc2\\xf6\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff2\\x00\\x00\\x00\\x1e\\x00\\x00\\x00\\x8a\\x90\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x08 
\\x01\\x00\\x00\\x00\\x00\\x05\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xab\\x98\\xc2\\xf6\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xc8\\x00\\x00\\x00\\x1e\\x00\\x00\\x00\\x8e\\x90\\x00\\x00\\x05\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x10\\x01\\x00\\x00\\x00\\x00\\x06\\x00\\x00\\x00\\x00\\x00\\x00\\x00(\\xab\\x98\\xc2\\xf6\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\x04\\x01\\x00\\x00\\x1e\\x00\\x00\\x00\\x8f\\x90\\x00\\x00\\x06\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x10\\x01\\x00\\x00\\x00\\x00\\x07\\x00\\x00\\x00\\x00\\x00\\x00\\x00P\\xab\\x98\\xc2\\xf6\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xffI\\x00\\x00\\x00"
              },
              {
                "name": "BufferLength",
                "value": "4840"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\TaskManager\\Preferences"
              }
            ],
            "repeated": 0,
            "id": 18505
          },
          {
            "timestamp": "2026-05-28 22:01:59,256",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6076",
            "parentcaller": "0x7ff6c28d4ed6",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a50"
              }
            ],
            "repeated": 0,
            "id": 18506
          },
          {
            "timestamp": "2026-05-28 22:01:59,334",
            "thread_id": "5448",
            "caller": "0x7ff6c28bd9af",
            "parentcaller": "0x7ff6c28d9f92",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "23"
              },
              {
                "name": "ThreadInformation",
                "value": "~\\x88@L\\x00\\x00\\x00\\x00\\xe2,L\\xaa@\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "5448"
              }
            ],
            "repeated": 0,
            "id": 18507
          },
          {
            "timestamp": "2026-05-28 22:01:59,334",
            "thread_id": "8604",
            "caller": "0x7ff6c28c4a58",
            "parentcaller": "0x7ff6c28bab11",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000410"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\PcwDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00224013"
              },
              {
                "name": "InputBuffer",
                "value": "\\x88\\x08\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": "x\\x02\\x00\\x00\\x10\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00h\\x02\\x00\\x00 \\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01<\\x06\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x90\\x00\\x00\\x00\\x00\\x00\\x00\\x00 \\x00\\x00\\x00\\x07\\x00\\x00\\x000\\x00,\\x000\\x00\\x00\\x00a\\x00n\\x00a\\x00g\\x00\\x10\\x00\\x00\\x00\\x10\\x00\\x04\\x00\\x00\\x00\\x00\\x00A\\x00p\\x00\\x10\\x00\\x00\\x00\\x1a\\x00\\x08\\x00\\x83\\xc4\\xd6\\x7f\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x1b\\x00\\x04\\x00\\x87f\\x9a\\x02S\\x00e\\x00\\x10\\x00\\x00\\x00\\x1c\\x00\\x08\\x00\\x8b\\xc2\\xc4\\x08\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x1d\\x00\\x04\\x00\\x87f\\x9a\\x02)\\x00\\x00\\x00\\x10\\x00\\x00\\x00!\\x00\\x08\\x00\\xb0\\xa7$h\\x12\\x00\\x00\\x00\\x10\\x00\\x00\\x00\"\\x00\\x04\\x00\\x86DG\\x01o\\x00f\\x00\\x90\\x00\\x00\\x00\\x01\\x00\\x00\\x00 \\x00\\x00\\x00\\x07\\x00\\x00\\x000\\x00,\\x001\\x00\\x00\\x00n\\x00t\\x00\\x00\\x00A\\x00\\x10\\x00\\x00\\x00\\x10\\x00\\x04\\x00\\x00\\x00\\x00\\x00e\\x00n\\x00\\x10\\x00\\x00\\x00\\x1a\\x00\\x08\\x00\\x02Uy\\x7f\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 18508
          },
          {
            "timestamp": "2026-05-28 22:01:59,334",
            "thread_id": "8604",
            "caller": "0x7ff6c28c7164",
            "parentcaller": "0x7ff6c28c4d2d",
            "category": "misc",
            "api": "NtQuerySystemInformation",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "SystemInformationClass",
                "value": "79"
              }
            ],
            "repeated": 0,
            "id": 18509
          },
          {
            "timestamp": "2026-05-28 22:01:59,334",
            "thread_id": "8604",
            "caller": "0x7ff6c28c71d8",
            "parentcaller": "0x7ff6c28c4d2d",
            "category": "misc",
            "api": "NtQuerySystemInformation",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SystemInformationClass",
                "value": "79"
              }
            ],
            "repeated": 0,
            "id": 18510
          },
          {
            "timestamp": "2026-05-28 22:01:59,334",
            "thread_id": "8604",
            "caller": "0x7ff6c28c4d5f",
            "parentcaller": "0x7ff6c28d9152",
            "category": "misc",
            "api": "NtQuerySystemInformation",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SystemInformationClass",
                "value": "182"
              }
            ],
            "repeated": 0,
            "id": 18511
          },
          {
            "timestamp": "2026-05-28 22:01:59,334",
            "thread_id": "8604",
            "caller": "0x7ff6c28c4d76",
            "parentcaller": "0x7ff6c28d9152",
            "category": "misc",
            "api": "GetPhysicallyInstalledSystemMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TotalMemoryInKilobytes",
                "value": "8388608"
              }
            ],
            "repeated": 0,
            "id": 18512
          },
          {
            "timestamp": "2026-05-28 22:01:59,334",
            "thread_id": "8604",
            "caller": "0x7ff6c28bcc3e",
            "parentcaller": "0x7ff6c28baa3d",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000008a4"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\Nsi"
              },
              {
                "name": "IoControlCode",
                "value": "0x00120007"
              },
              {
                "name": "InputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb1\\xa9t\\xfc\\x7f\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xc0\\xe5O\\x9e\\xf0\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb1\\xa9t\\xfc\\x7f\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xc0\\xe5O\\x9e\\xf0\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 18513
          },
          {
            "timestamp": "2026-05-28 22:01:59,334",
            "thread_id": "8604",
            "caller": "0x7ff6c28bcc3e",
            "parentcaller": "0x7ff6c28baa3d",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a50"
              }
            ],
            "repeated": 0,
            "id": 18514
          },
          {
            "timestamp": "2026-05-28 22:01:59,334",
            "thread_id": "8604",
            "caller": "0x7ff6c28bcc3e",
            "parentcaller": "0x7ff6c28baa3d",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000008a4"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\Nsi"
              },
              {
                "name": "IoControlCode",
                "value": "0x0012000f"
              },
              {
                "name": "InputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb1\\xa9t\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xd0\\xe5O\\x9e\\xf0\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\xeeO\\x9e\\xf0\\x00\\x00\\x00D\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xe6O\\x9e\\xf0\\x00\\x00\\x00\\xd8\\x00\\x00\\x00\\x00\\x00\\x00\\x00 \\xe9O\\x9e\\xf0\\x00\\x00\\x00X\\x02\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb1\\xa9t\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xd0\\xe5O\\x9e\\xf0\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\xeeO\\x9e\\xf0\\x00\\x00\\x00D\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xe6O\\x9e\\xf0\\x00\\x00\\x00\\xd8\\x00\\x00\\x00\\x00\\x00\\x00\\x00 \\xe9O\\x9e\\xf0\\x00\\x00\\x00X\\x02\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 18515
          },
          {
            "timestamp": "2026-05-28 22:01:59,334",
            "thread_id": "8604",
            "caller": "0x7ff6c28bcc3e",
            "parentcaller": "0x7ff6c28baa3d",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a50"
              }
            ],
            "repeated": 0,
            "id": 18516
          },
          {
            "timestamp": "2026-05-28 22:01:59,334",
            "thread_id": "8604",
            "caller": "0x7ff6c28bcd3d",
            "parentcaller": "0x7ff6c28baa3d",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000a50"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0012019f",
                "pretty_value": "FILE_GENERIC_READ|FILE_GENERIC_WRITE"
              },
              {
                "name": "FileName",
                "value": "\\Device\\{4C572733-2FBA-4346-9601-F86DBA666EF2}"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 18517
          },
          {
            "timestamp": "2026-05-28 22:01:59,334",
            "thread_id": "8604",
            "caller": "0x7ff6c28bcd94",
            "parentcaller": "0x7ff6c28baa3d",
            "category": "device",
            "api": "DeviceIoControl",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "DeviceHandle",
                "value": "0x00000a50"
              },
              {
                "name": "IoControlCode",
                "value": "0x0017003e"
              },
              {
                "name": "InBuffer",
                "value": "\\x07\\x01\\x01\\x00\\x04\\x01\\x01\\x80\\x14\\x01\\x01\\x80\\x01\\x01\\x02\\x00\\x02\\x01\\x02\\x00\\x03\\x01\\x02\\x00\\x04\\x01\\x02\\x00\\x08\\x02\\x02\\x80\\x01\\x02\\x02\\x80\\x07\\x02\\x02\\x80\\xff\\xff\\xff\\x80\\x13\\x02\\x02\\x80\\x14\\x02\\x02\\x80\\x15\\x02\\x02\\x80\\x02\\x02\\x01\\x80"
              },
              {
                "name": "OutBuffer",
                "value": "\\x07\\x01\\x01\\x00\\x04\\x00\\x00\\x00\\x80\\x96\\x98\\x00\\x04\\x01\\x01\\x80\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x14\\x01\\x01\\x80\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x01\\x02\\x00\\x08\\x00\\x00\\x005\\x0c\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x01\\x02\\x00\\x08\\x00\\x00\\x00WA\\x00\\x00\\x00\\x00\\x00\\x00\\x03\\x01\\x02\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x04\\x01\\x02\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x08\\x02\\x02\\x80\\x08\\x00\\x00\\x00RA\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x02\\x02\\x80\\x08\\x00\\x00\\x00 \\x9a:\\x00\\x00\\x00\\x00\\x00\\x07\\x02\\x02\\x80\\x08\\x00\\x00\\x00\\x97YD\\x01\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\x80\\x04\\x00\\x00\\x00A\\x00\\x00\\x00\\x13\\x02\\x02\\x80\\x04\\x00\\x00\\x00m\\x00\\x00\\x00\\x14\\x02\\x02\\x80\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x15\\x02\\x02\\x80\\x04\\x00\\x00\\x00\\x00\\x00\\x04\\x00\\x02\\x02\\x01\\x80\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 18518
          },
          {
            "timestamp": "2026-05-28 22:01:59,334",
            "thread_id": "8604",
            "caller": "0x7ff6c28bcdab",
            "parentcaller": "0x7ff6c28baa3d",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a50"
              }
            ],
            "repeated": 0,
            "id": 18519
          },
          {
            "timestamp": "2026-05-28 22:01:59,334",
            "thread_id": "8604",
            "caller": "0x7ff6c28c1a63",
            "parentcaller": "0x7ff6c28d9152",
            "category": "device",
            "api": "DeviceIoControl",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "DeviceHandle",
                "value": "0x0000089c"
              },
              {
                "name": "IoControlCode",
                "value": "0x00070020"
              },
              {
                "name": "InBuffer",
                "value": ""
              },
              {
                "name": "OutBuffer",
                "value": "\\x00\\xe0\\xdf]\\x00\\x00\\x00\\x00\\x00xN\\x08\\x00\\x00\\x00\\x00\\x80\\\\xb9\\x0f\\x00\\x00\\x00\\x00\\x90\\xdcv\\x10\\x00\\x00\\x00\\x00H\\x8e\\xac\\x19\\x00\\x00\\x00\\x00\\xd2d\\x00\\x00\\xd5\\x0c\\x00\\x00\\x00\\x00\\x00\\x00\\x87\\x03\\x00\\x00\\x04\\xf1;\\x9b\\xed\\xee\\xdc\\x01\\x00\\x00\\x00\\x00P\\x00a\\x00r\\x00t\\x00m\\x00g\\x00r\\x00 \\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 18520
          },
          {
            "timestamp": "2026-05-28 22:01:59,334",
            "thread_id": "8604",
            "caller": "0x7ff6c28ca352",
            "parentcaller": "0x7ff6c28ca1d6",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 18521
          },
          {
            "timestamp": "2026-05-28 22:01:59,334",
            "thread_id": "8604",
            "caller": "0x7ff6c28ca352",
            "parentcaller": "0x7ff6c28ca1d6",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "0",
                "pretty_value": "ThreadBasicInformation"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x03\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb0\\x88\\x9d\\xf0\\x00\\x00\\x00\\xe8\\x1e\\x00\\x00\\x00\\x00\\x00\\x00\\x9c!\\x00\\x00\\x00\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x0b\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "8604"
              }
            ],
            "repeated": 0,
            "id": 18522
          },
          {
            "timestamp": "2026-05-28 22:01:59,334",
            "thread_id": "5448",
            "caller": "0x7ff6c28c63dd",
            "parentcaller": "0x7ff6c28bac26",
            "category": "misc",
            "api": "NtQuerySystemInformation",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SystemInformationClass",
                "value": "5",
                "pretty_value": "SystemProcessInformation"
              }
            ],
            "repeated": 0,
            "id": 18523
          },
          {
            "timestamp": "2026-05-28 22:01:59,334",
            "thread_id": "8604",
            "caller": "0x7ff6c28ca352",
            "parentcaller": "0x7ff6c28ca1d6",
            "category": "system",
            "api": "GetSystemTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 1,
            "id": 18524
          },
          {
            "timestamp": "2026-05-28 22:01:59,334",
            "thread_id": "5448",
            "caller": "0x7ff6c28bda50",
            "parentcaller": "0x7ff6c28d9f92",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "23"
              },
              {
                "name": "ThreadInformation",
                "value": "0Z\\xfeL\\x00\\x00\\x00\\x00\\x1a\\xfb&\\xab@\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "5448"
              }
            ],
            "repeated": 0,
            "id": 18525
          },
          {
            "timestamp": "2026-05-28 22:01:59,334",
            "thread_id": "5448",
            "caller": "0x7ff6c28bdaa2",
            "parentcaller": "0x7ff6c28d9f92",
            "category": "misc",
            "api": "NtQuerySystemInformation",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SystemInformationClass",
                "value": "3",
                "pretty_value": "SystemTimeOfDayInformation"
              }
            ],
            "repeated": 0,
            "id": 18526
          },
          {
            "timestamp": "2026-05-28 22:01:59,334",
            "thread_id": "8604",
            "caller": "0x7ff6c28ca352",
            "parentcaller": "0x7ff6c28ca1d6",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000410"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\PcwDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00224013"
              },
              {
                "name": "InputBuffer",
                "value": "\\x00\t\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": "\\xc8A\\x00\\x00\\x10\\x00\\x00\\x00\\x0c\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x80\\x12\\x00\\x00 \\x00\\x00\\x00\\x1e\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\n\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x98\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x88\\x00\\x00\\x00\\x01\\x00\\x00\\x00p\\x00i\\x00d\\x00_\\x004\\x00_\\x00l\\x00u\\x00i\\x00d\\x00_\\x000\\x00x\\x000\\x000\\x000\\x000\\x000\\x000\\x000\\x000\\x00_\\x000\\x00x\\x000\\x000\\x000\\x000\\x006\\x001\\x006\\x00A\\x00_\\x00p\\x00h\\x00y\\x00s\\x00_\\x000\\x00_\\x00e\\x00n\\x00g\\x00_\\x000\\x00_\\x00e\\x00n\\x00g\\x00t\\x00y\\x00p\\x00e\\x00_\\x003\\x00D\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x01\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x98\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x88\\x00\\x00\\x00\\x01\\x00\\x00\\x00p\\x00i\\x00d\\x00_\\x004\\x00_\\x00l\\x00u\\x00i\\x00d\\x00_\\x000\\x00x\\x000\\x000\\x000\\x000\\x000\\x000\\x000\\x00"
              }
            ],
            "repeated": 0,
            "id": 18527
          },
          {
            "timestamp": "2026-05-28 22:01:59,334",
            "thread_id": "8604",
            "caller": "0x7ff6c28ca352",
            "parentcaller": "0x7ff6c28ca1d6",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254eae000"
              },
              {
                "name": "RegionSize",
                "value": "0x00021000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 18528
          },
          {
            "timestamp": "2026-05-28 22:01:59,334",
            "thread_id": "5448",
            "caller": "0x7ff6c28c4a58",
            "parentcaller": "0x7ff6c28c4bdc",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000410"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\PcwDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00224013"
              },
              {
                "name": "InputBuffer",
                "value": "\\x14\\x04\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": "\\xb8\\x01\\x00\\x00\\x10\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xa8\\x01\\x00\\x00 \\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x000\\x00\\x00\\x0c\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00`\\x00\\x00\\x00\\x00\\x00\\x00\\x00 \\x00\\x00\\x00\\x04\\x00\\x00\\x000\\x00,\\x000\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x04\\x00\\x08\\x00j\\xc0a\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x05\\x00\\x08\\x00*\\xa2F\\x01\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x1a\\x00\\x08\\x00\\xef\\xcc\\xda\\x7f\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x1b\\x00\\x04\\x00\\xdap\\x9a\\x02\\x00\\x00\\x00\\x00`\\x00\\x00\\x00\\x01\\x00\\x00\\x00 \\x00\\x00\\x00\\x04\\x00\\x00\\x000\\x00,\\x001\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x04\\x00\\x08\\x00h\\xb6:\\x01\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x05\\x00\\x08\\x00\\xc2\\xeb\\x0b\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x1a\\x00\\x08\\x00\\x86Z}\\x7f\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x1b\\x00\\x04\\x00\\xefp\\x9a\\x02\\x00\\x00\\x00\\x00h\\x00\\x00\\x00\\x02\\x00\\x00\\x00(\\x00\\x00\\x00\\x04\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 18529
          },
          {
            "timestamp": "2026-05-28 22:01:59,334",
            "thread_id": "8604",
            "caller": "0x7ff6c28ca352",
            "parentcaller": "0x7ff6c28ca1d6",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254ecf000"
              },
              {
                "name": "RegionSize",
                "value": "0x00021000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 18530
          },
          {
            "timestamp": "2026-05-28 22:01:59,334",
            "thread_id": "5448",
            "caller": "0x7ff6c28c4a58",
            "parentcaller": "0x7ff6c28c4c19",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000410"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\PcwDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00224013"
              },
              {
                "name": "InputBuffer",
                "value": "\\x18\\x04\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": "x\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00h\\x00\\x00\\x00 \\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00H\\x00\\x00\\x00\\x00\\x00\\x00\\x00(\\x00\\x00\\x00\\x02\\x00\\x00\\x00d\\x00e\\x00f\\x00a\\x00u\\x00l\\x00t\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x08\\x00\\x1b\\xaa\\xc5\\x88\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x01\\x00\\x08\\x00\\x00~,\n\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 18531
          },
          {
            "timestamp": "2026-05-28 22:01:59,334",
            "thread_id": "5448",
            "caller": "0x7ff6c28c6f7b",
            "parentcaller": "0x7ff6c28bdb94",
            "category": "misc",
            "api": "GlobalMemoryStatusEx",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "MemoryLoad",
                "value": "32"
              },
              {
                "name": "TotalPhysicalMB",
                "value": "8191"
              }
            ],
            "repeated": 0,
            "id": 18532
          },
          {
            "timestamp": "2026-05-28 22:01:59,334",
            "thread_id": "5448",
            "caller": "0x7ff6c28c05ac",
            "parentcaller": "0x7ff6c28bdc11",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a94"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001400",
                "pretty_value": "PROCESS_QUERY_INFORMATION|PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "748"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\System32\\svchost.exe"
              }
            ],
            "repeated": 0,
            "id": 18533
          },
          {
            "timestamp": "2026-05-28 22:01:59,334",
            "thread_id": "5448",
            "caller": "0x7ff6c28c068f",
            "parentcaller": "0x7ff6c28bdc11",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a94"
              }
            ],
            "repeated": 1,
            "id": 18534
          },
          {
            "timestamp": "2026-05-28 22:01:59,334",
            "thread_id": "1276",
            "caller": "0x7ff6c28d9214",
            "parentcaller": "0x00000000",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "0",
                "pretty_value": "ThreadBasicInformation"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x03\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xd0\\x87\\x9d\\xf0\\x00\\x00\\x00\\xe8\\x1e\\x00\\x00\\x00\\x00\\x00\\x00\\xfc\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\n\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "1276"
              }
            ],
            "repeated": 0,
            "id": 18535
          },
          {
            "timestamp": "2026-05-28 22:01:59,334",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000000",
                "pretty_value": "HKEY_CLASSES_ROOT"
              },
              {
                "name": "SubKey",
                "value": "CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_CLASSES_ROOT\\CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              }
            ],
            "repeated": 0,
            "id": 18536
          },
          {
            "timestamp": "2026-05-28 22:01:59,334",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "shell32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76730000"
              }
            ],
            "repeated": 0,
            "id": 18537
          },
          {
            "timestamp": "2026-05-28 22:01:59,334",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x7ffc76730000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "shell32.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 18538
          },
          {
            "timestamp": "2026-05-28 22:01:59,334",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "SHELL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc76730000"
              },
              {
                "name": "FunctionName",
                "value": "DllGetClassObject"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc767878f0"
              }
            ],
            "repeated": 0,
            "id": 18539
          },
          {
            "timestamp": "2026-05-28 22:01:59,334",
            "thread_id": "1276",
            "caller": "0x7ff6c28c27c9",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "synchronization",
            "api": "NtFindAtom",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "AtomName",
                "value": "{57086C23-86C6-478F-AFB2-236188C8F47F} 3"
              },
              {
                "name": "Atom",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 18540
          },
          {
            "timestamp": "2026-05-28 22:01:59,334",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6fb1",
            "parentcaller": "0x7ff6c28e0076",
            "category": "system",
            "api": "NtDelayExecution",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 18541
          },
          {
            "timestamp": "2026-05-28 22:01:59,334",
            "thread_id": "1276",
            "caller": "0x7ff6c28ed2ee",
            "parentcaller": "0x7ff6c28c2c51",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76722000"
              },
              {
                "name": "ModuleName",
                "value": "SHLWAPI.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 18542
          },
          {
            "timestamp": "2026-05-28 22:01:59,334",
            "thread_id": "1276",
            "caller": "0x7ff6c28ed2ee",
            "parentcaller": "0x7ff6c28c2c51",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76722000"
              },
              {
                "name": "ModuleName",
                "value": "SHLWAPI.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 18543
          },
          {
            "timestamp": "2026-05-28 22:01:59,334",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000000",
                "pretty_value": "HKEY_CLASSES_ROOT"
              },
              {
                "name": "SubKey",
                "value": "CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_CLASSES_ROOT\\CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              }
            ],
            "repeated": 0,
            "id": 18544
          },
          {
            "timestamp": "2026-05-28 22:01:59,334",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "shell32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76730000"
              }
            ],
            "repeated": 0,
            "id": 18545
          },
          {
            "timestamp": "2026-05-28 22:01:59,334",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x7ffc76730000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "shell32.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 18546
          },
          {
            "timestamp": "2026-05-28 22:01:59,334",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "SHELL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc76730000"
              },
              {
                "name": "FunctionName",
                "value": "DllGetClassObject"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc767878f0"
              }
            ],
            "repeated": 0,
            "id": 18547
          },
          {
            "timestamp": "2026-05-28 22:01:59,334",
            "thread_id": "1276",
            "caller": "0x7ff6c28c27c9",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "synchronization",
            "api": "NtFindAtom",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "AtomName",
                "value": "{57086C23-86C6-478F-AFB2-236188C8F47F} 3"
              },
              {
                "name": "Atom",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 18548
          },
          {
            "timestamp": "2026-05-28 22:01:59,334",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000000",
                "pretty_value": "HKEY_CLASSES_ROOT"
              },
              {
                "name": "SubKey",
                "value": "CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_CLASSES_ROOT\\CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              }
            ],
            "repeated": 0,
            "id": 18549
          },
          {
            "timestamp": "2026-05-28 22:01:59,334",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "shell32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76730000"
              }
            ],
            "repeated": 0,
            "id": 18550
          },
          {
            "timestamp": "2026-05-28 22:01:59,334",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x7ffc76730000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "shell32.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 18551
          },
          {
            "timestamp": "2026-05-28 22:01:59,334",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "SHELL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc76730000"
              },
              {
                "name": "FunctionName",
                "value": "DllGetClassObject"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc767878f0"
              }
            ],
            "repeated": 0,
            "id": 18552
          },
          {
            "timestamp": "2026-05-28 22:01:59,334",
            "thread_id": "1276",
            "caller": "0x7ff6c28c27c9",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "synchronization",
            "api": "NtFindAtom",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "AtomName",
                "value": "{57086C23-86C6-478F-AFB2-236188C8F47F} 3"
              },
              {
                "name": "Atom",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 18553
          },
          {
            "timestamp": "2026-05-28 22:01:59,334",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000000",
                "pretty_value": "HKEY_CLASSES_ROOT"
              },
              {
                "name": "SubKey",
                "value": "CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_CLASSES_ROOT\\CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              }
            ],
            "repeated": 0,
            "id": 18554
          },
          {
            "timestamp": "2026-05-28 22:01:59,334",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "shell32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76730000"
              }
            ],
            "repeated": 0,
            "id": 18555
          },
          {
            "timestamp": "2026-05-28 22:01:59,334",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x7ffc76730000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "shell32.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 18556
          },
          {
            "timestamp": "2026-05-28 22:01:59,334",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "SHELL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc76730000"
              },
              {
                "name": "FunctionName",
                "value": "DllGetClassObject"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc767878f0"
              }
            ],
            "repeated": 0,
            "id": 18557
          },
          {
            "timestamp": "2026-05-28 22:01:59,334",
            "thread_id": "1276",
            "caller": "0x7ff6c28c27c9",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "synchronization",
            "api": "NtFindAtom",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "AtomName",
                "value": "{57086C23-86C6-478F-AFB2-236188C8F47F} 3"
              },
              {
                "name": "Atom",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 18558
          },
          {
            "timestamp": "2026-05-28 22:01:59,334",
            "thread_id": "1276",
            "caller": "0x7ff6c28d9322",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "oleaut32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc77330000"
              }
            ],
            "repeated": 0,
            "id": 18559
          },
          {
            "timestamp": "2026-05-28 22:01:59,334",
            "thread_id": "5448",
            "caller": "0x7ff6c28bb952",
            "parentcaller": "0x7ff6c28be837",
            "category": "windows",
            "api": "PostMessageW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "WindowHandle",
                "value": "0x00010402"
              },
              {
                "name": "Message",
                "value": "0x00000464"
              }
            ],
            "repeated": 0,
            "id": 18560
          },
          {
            "timestamp": "2026-05-28 22:01:59,334",
            "thread_id": "5448",
            "caller": "0x7ff6c28be873",
            "parentcaller": "0x7ff6c28d9f92",
            "category": "windows",
            "api": "PostMessageW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "WindowHandle",
                "value": "0x000203fa"
              },
              {
                "name": "Message",
                "value": "0x000004dd"
              }
            ],
            "repeated": 0,
            "id": 18561
          },
          {
            "timestamp": "2026-05-28 22:01:59,334",
            "thread_id": "608",
            "caller": "0x7ff6c28d9e90",
            "parentcaller": "0x7ff6c28d9a49",
            "category": "windows",
            "api": "FindWindowW",
            "status": true,
            "return": "0x00010092",
            "arguments": [
              {
                "name": "ClassName",
                "value": "Shell_TrayWnd"
              },
              {
                "name": "WindowName",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 18562
          },
          {
            "timestamp": "2026-05-28 22:01:59,350",
            "thread_id": "1496",
            "caller": "0x7ff6c293006e",
            "parentcaller": "0x7ff6c292ea1e",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254ef0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00043000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 18563
          },
          {
            "timestamp": "2026-05-28 22:01:59,350",
            "thread_id": "1496",
            "caller": "0x7ff6c293006e",
            "parentcaller": "0x7ff6c292ea1e",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254f01000"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000001",
                "pretty_value": "PAGE_NOACCESS"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 18564
          },
          {
            "timestamp": "2026-05-28 22:01:59,350",
            "thread_id": "1276",
            "caller": "0x7ffc77bf0e98",
            "parentcaller": "0x7ffc77c6b785",
            "category": "windows",
            "api": "PostMessageW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "WindowHandle",
                "value": "0x00010438"
              },
              {
                "name": "Message",
                "value": "0x00000400"
              }
            ],
            "repeated": 0,
            "id": 18565
          },
          {
            "timestamp": "2026-05-28 22:01:59,350",
            "thread_id": "1496",
            "caller": "0x7ff6c28da4af",
            "parentcaller": "0x7ff6c28cd4b8",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254f33000"
              },
              {
                "name": "RegionSize",
                "value": "0x00021000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 18566
          },
          {
            "timestamp": "2026-05-28 22:01:59,365",
            "thread_id": "1496",
            "caller": "0x7ff6c28da4af",
            "parentcaller": "0x7ff6c28cd4b8",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254f54000"
              },
              {
                "name": "RegionSize",
                "value": "0x00043000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 18567
          },
          {
            "timestamp": "2026-05-28 22:01:59,365",
            "thread_id": "1496",
            "caller": "0x7ff6c28da4af",
            "parentcaller": "0x7ff6c28cd4b8",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254f8b000"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000001",
                "pretty_value": "PAGE_NOACCESS"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 18568
          },
          {
            "timestamp": "2026-05-28 22:01:59,365",
            "thread_id": "1496",
            "caller": "0x7ff6c28da4af",
            "parentcaller": "0x7ff6c28cd4b8",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254f97000"
              },
              {
                "name": "RegionSize",
                "value": "0x00013000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 18569
          },
          {
            "timestamp": "2026-05-28 22:01:59,365",
            "thread_id": "1496",
            "caller": "0x7ff6c28da4af",
            "parentcaller": "0x7ff6c28cd4b8",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254f9d000"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000001",
                "pretty_value": "PAGE_NOACCESS"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 18570
          },
          {
            "timestamp": "2026-05-28 22:01:59,365",
            "thread_id": "1496",
            "caller": "0x7ff6c28f2991",
            "parentcaller": "0x7ff6c28f3c7e",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254faa000"
              },
              {
                "name": "RegionSize",
                "value": "0x00021000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 18571
          },
          {
            "timestamp": "2026-05-28 22:01:59,365",
            "thread_id": "1496",
            "caller": "0x7ff6c28da46e",
            "parentcaller": "0x7ff6c28cd4b8",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254fcb000"
              },
              {
                "name": "RegionSize",
                "value": "0x00043000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 18572
          },
          {
            "timestamp": "2026-05-28 22:01:59,365",
            "thread_id": "1496",
            "caller": "0x7ff6c28da46e",
            "parentcaller": "0x7ff6c28cd4b8",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29255001000"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000001",
                "pretty_value": "PAGE_NOACCESS"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 18573
          },
          {
            "timestamp": "2026-05-28 22:01:59,365",
            "thread_id": "1496",
            "caller": "0x7ff6c28cd4b8",
            "parentcaller": "0x7ff6c292e918",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2925500e000"
              },
              {
                "name": "RegionSize",
                "value": "0x00021000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 18574
          },
          {
            "timestamp": "2026-05-28 22:01:59,475",
            "thread_id": "1276",
            "caller": "0x7ffc77bf0e98",
            "parentcaller": "0x7ffc77c6b785",
            "category": "windows",
            "api": "PostMessageW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "WindowHandle",
                "value": "0x00010424"
              },
              {
                "name": "Message",
                "value": "0x00000400"
              }
            ],
            "repeated": 0,
            "id": 18575
          },
          {
            "timestamp": "2026-05-28 22:01:59,818",
            "thread_id": "1496",
            "caller": "0x7ff6c28da9db",
            "parentcaller": "0x7ff6c28d6fb1",
            "category": "misc",
            "api": "GetCursorPos",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "x",
                "value": "578"
              },
              {
                "name": "y",
                "value": "370"
              }
            ],
            "repeated": 0,
            "id": 18576
          },
          {
            "timestamp": "2026-05-28 22:01:59,818",
            "thread_id": "1496",
            "caller": "0x7ff6c28dbac0",
            "parentcaller": "0x7ff6c28d6f98",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00000042"
              },
              {
                "name": "uiParam",
                "value": "0x00000010"
              }
            ],
            "repeated": 0,
            "id": 18577
          },
          {
            "timestamp": "2026-05-28 22:01:59,818",
            "thread_id": "1496",
            "caller": "0x7ff6c28dbac0",
            "parentcaller": "0x7ff6c28d6f98",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "Software\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes"
              },
              {
                "name": "Handle",
                "value": "0x00000a94"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes"
              }
            ],
            "repeated": 0,
            "id": 18578
          },
          {
            "timestamp": "2026-05-28 22:01:59,834",
            "thread_id": "1496",
            "caller": "0x7ff6c28dbac0",
            "parentcaller": "0x7ff6c28d6f98",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a94"
              },
              {
                "name": "ValueName",
                "value": "Segoe UI"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes\\Segoe UI"
              }
            ],
            "repeated": 0,
            "id": 18579
          },
          {
            "timestamp": "2026-05-28 22:01:59,834",
            "thread_id": "1496",
            "caller": "0x7ff6c28dbac0",
            "parentcaller": "0x7ff6c28d6f98",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a94"
              }
            ],
            "repeated": 0,
            "id": 18580
          },
          {
            "timestamp": "2026-05-28 22:01:59,834",
            "thread_id": "1496",
            "caller": "0x7ff6c290f5a9",
            "parentcaller": "0x7ff6c292e393",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2925502f000"
              },
              {
                "name": "RegionSize",
                "value": "0x00012000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 18581
          },
          {
            "timestamp": "2026-05-28 22:01:59,834",
            "thread_id": "1496",
            "caller": "0x7ff6c290f5a9",
            "parentcaller": "0x7ff6c292e393",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29255041000"
              },
              {
                "name": "RegionSize",
                "value": "0x00024000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 18582
          },
          {
            "timestamp": "2026-05-28 22:01:59,834",
            "thread_id": "1496",
            "caller": "0x7ff6c290f5a9",
            "parentcaller": "0x7ff6c292e393",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29255065000"
              },
              {
                "name": "RegionSize",
                "value": "0x00047000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 18583
          },
          {
            "timestamp": "2026-05-28 22:01:59,834",
            "thread_id": "1496",
            "caller": "0x7ff6c290f5a9",
            "parentcaller": "0x7ff6c292e393",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x292550ac000"
              },
              {
                "name": "RegionSize",
                "value": "0x0008d000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 18584
          },
          {
            "timestamp": "2026-05-28 22:01:59,834",
            "thread_id": "1496",
            "caller": "0x7ff6c290f5a9",
            "parentcaller": "0x7ff6c292e393",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29255760000"
              },
              {
                "name": "RegionSize",
                "value": "0x00122000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 18585
          },
          {
            "timestamp": "2026-05-28 22:01:59,834",
            "thread_id": "1496",
            "caller": "0x7ff6c290f5a9",
            "parentcaller": "0x7ff6c292e393",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29255760000"
              },
              {
                "name": "RegionSize",
                "value": "0x00008000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 18586
          },
          {
            "timestamp": "2026-05-28 22:01:59,834",
            "thread_id": "1496",
            "caller": "0x7ff6c290f5a9",
            "parentcaller": "0x7ff6c292e393",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29255881000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 18587
          },
          {
            "timestamp": "2026-05-28 22:01:59,834",
            "thread_id": "1496",
            "caller": "0x7ff6c290f5a9",
            "parentcaller": "0x7ff6c292e393",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29255025000"
              },
              {
                "name": "RegionSize",
                "value": "0x003ca000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 18588
          },
          {
            "timestamp": "2026-05-28 22:01:59,834",
            "thread_id": "1496",
            "caller": "0x7ff6c290f5a9",
            "parentcaller": "0x7ff6c292e393",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29255890000"
              },
              {
                "name": "RegionSize",
                "value": "0x00240000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 18589
          },
          {
            "timestamp": "2026-05-28 22:01:59,834",
            "thread_id": "1496",
            "caller": "0x7ff6c290f5a9",
            "parentcaller": "0x7ff6c292e393",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29255890000"
              },
              {
                "name": "RegionSize",
                "value": "0x0000e000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 18590
          },
          {
            "timestamp": "2026-05-28 22:01:59,834",
            "thread_id": "1496",
            "caller": "0x7ff6c290f5a9",
            "parentcaller": "0x7ff6c292e393",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29255acf000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 18591
          },
          {
            "timestamp": "2026-05-28 22:01:59,834",
            "thread_id": "1496",
            "caller": "0x7ff6c290f5a9",
            "parentcaller": "0x7ff6c292e393",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29255760000"
              },
              {
                "name": "RegionSize",
                "value": "0x00122000"
              },
              {
                "name": "FreeType",
                "value": "0x00008000"
              }
            ],
            "repeated": 0,
            "id": 18592
          },
          {
            "timestamp": "2026-05-28 22:01:59,850",
            "thread_id": "1496",
            "caller": "0x7ff6c290f5a9",
            "parentcaller": "0x7ff6c292e393",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29255890000"
              },
              {
                "name": "RegionSize",
                "value": "0x00240000"
              },
              {
                "name": "FreeType",
                "value": "0x00008000"
              }
            ],
            "repeated": 0,
            "id": 18593
          },
          {
            "timestamp": "2026-05-28 22:01:59,850",
            "thread_id": "1496",
            "caller": "0x7ff6c2918872",
            "parentcaller": "0x7ff6c2918812",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29255001000"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000001",
                "pretty_value": "PAGE_NOACCESS"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 18594
          },
          {
            "timestamp": "2026-05-28 22:01:59,850",
            "thread_id": "1496",
            "caller": "0x7ff6c2918872",
            "parentcaller": "0x7ff6c2918812",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254fc1000"
              },
              {
                "name": "RegionSize",
                "value": "0x00040000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 18595
          },
          {
            "timestamp": "2026-05-28 22:01:59,850",
            "thread_id": "1496",
            "caller": "0x7ff6c2918872",
            "parentcaller": "0x7ff6c2918812",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254f03000"
              },
              {
                "name": "RegionSize",
                "value": "0x0001e000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 18596
          },
          {
            "timestamp": "2026-05-28 22:01:59,850",
            "thread_id": "1496",
            "caller": "0x7ff6c2918872",
            "parentcaller": "0x7ff6c2918812",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254ea1000"
              },
              {
                "name": "RegionSize",
                "value": "0x0001f000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 18597
          },
          {
            "timestamp": "2026-05-28 22:01:59,850",
            "thread_id": "1496",
            "caller": "0x7ff6c2918872",
            "parentcaller": "0x7ff6c2918812",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2925430c000"
              },
              {
                "name": "RegionSize",
                "value": "0x00007000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 18598
          },
          {
            "timestamp": "2026-05-28 22:01:59,850",
            "thread_id": "1496",
            "caller": "0x7ff6c2918872",
            "parentcaller": "0x7ff6c2918812",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x292546fa000"
              },
              {
                "name": "RegionSize",
                "value": "0x00007000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 18599
          },
          {
            "timestamp": "2026-05-28 22:01:59,850",
            "thread_id": "1496",
            "caller": "0x7ff6c2918872",
            "parentcaller": "0x7ff6c2918812",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x292542b5000"
              },
              {
                "name": "RegionSize",
                "value": "0x00007000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 18600
          },
          {
            "timestamp": "2026-05-28 22:01:59,850",
            "thread_id": "1496",
            "caller": "0x7ff6c2918872",
            "parentcaller": "0x7ff6c2918812",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254739000"
              },
              {
                "name": "RegionSize",
                "value": "0x00007000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 18601
          },
          {
            "timestamp": "2026-05-28 22:01:59,850",
            "thread_id": "1496",
            "caller": "0x7ff6c2918872",
            "parentcaller": "0x7ff6c2918812",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254322000"
              },
              {
                "name": "RegionSize",
                "value": "0x00007000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 18602
          },
          {
            "timestamp": "2026-05-28 22:01:59,850",
            "thread_id": "1496",
            "caller": "0x7ff6c2918872",
            "parentcaller": "0x7ff6c2918812",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2925432b000"
              },
              {
                "name": "RegionSize",
                "value": "0x00003000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 18603
          },
          {
            "timestamp": "2026-05-28 22:01:59,850",
            "thread_id": "1496",
            "caller": "0x7ff6c2918872",
            "parentcaller": "0x7ff6c2918812",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x292542eb000"
              },
              {
                "name": "RegionSize",
                "value": "0x00003000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 18604
          },
          {
            "timestamp": "2026-05-28 22:01:59,850",
            "thread_id": "1496",
            "caller": "0x7ff6c2918872",
            "parentcaller": "0x7ff6c2918812",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x292542f3000"
              },
              {
                "name": "RegionSize",
                "value": "0x00003000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 18605
          },
          {
            "timestamp": "2026-05-28 22:01:59,850",
            "thread_id": "1496",
            "caller": "0x7ff6c2918872",
            "parentcaller": "0x7ff6c2918812",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254349000"
              },
              {
                "name": "RegionSize",
                "value": "0x00003000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 18606
          },
          {
            "timestamp": "2026-05-28 22:01:59,850",
            "thread_id": "1496",
            "caller": "0x7ff6c2918872",
            "parentcaller": "0x7ff6c2918812",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x292542e5000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 18607
          },
          {
            "timestamp": "2026-05-28 22:01:59,850",
            "thread_id": "1496",
            "caller": "0x7ff6c2918872",
            "parentcaller": "0x7ff6c2918812",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254339000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 18608
          },
          {
            "timestamp": "2026-05-28 22:01:59,850",
            "thread_id": "1496",
            "caller": "0x7ff6c2918872",
            "parentcaller": "0x7ff6c2918812",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254e45000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 18609
          },
          {
            "timestamp": "2026-05-28 22:01:59,850",
            "thread_id": "1496",
            "caller": "0x7ff6c2918872",
            "parentcaller": "0x7ff6c2918812",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254aae000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 18610
          },
          {
            "timestamp": "2026-05-28 22:01:59,850",
            "thread_id": "1496",
            "caller": "0x7ff6c2918872",
            "parentcaller": "0x7ff6c2918812",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254e7f000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 18611
          },
          {
            "timestamp": "2026-05-28 22:01:59,850",
            "thread_id": "1496",
            "caller": "0x7ff6c2918872",
            "parentcaller": "0x7ff6c2918812",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254f8b000"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000001",
                "pretty_value": "PAGE_NOACCESS"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 18612
          },
          {
            "timestamp": "2026-05-28 22:01:59,850",
            "thread_id": "1496",
            "caller": "0x7ff6c2918872",
            "parentcaller": "0x7ff6c2918908",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x292542b5000"
              },
              {
                "name": "RegionSize",
                "value": "0x00007000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 18613
          },
          {
            "timestamp": "2026-05-28 22:01:59,850",
            "thread_id": "1496",
            "caller": "0x7ff6c28dd762",
            "parentcaller": "0x7ff6c28e2606",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "93"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x7f7\\x9e}"
              }
            ],
            "repeated": 0,
            "id": 18614
          },
          {
            "timestamp": "2026-05-28 22:01:59,850",
            "thread_id": "1496",
            "caller": "0x7ff6c28dd762",
            "parentcaller": "0x7ff6c28e2606",
            "category": "process",
            "api": "NtOpenSection",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0000000d"
              },
              {
                "name": "ObjectAttributes",
                "value": "CHARTV.dll"
              }
            ],
            "repeated": 0,
            "id": 18615
          },
          {
            "timestamp": "2026-05-28 22:01:59,850",
            "thread_id": "1496",
            "caller": "0x7ff6c28dd762",
            "parentcaller": "0x7ff6c28e2606",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\chartv.dll"
              }
            ],
            "repeated": 0,
            "id": 18616
          },
          {
            "timestamp": "2026-05-28 22:01:59,850",
            "thread_id": "1496",
            "caller": "0x7ff6c28dd762",
            "parentcaller": "0x7ff6c28e2606",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000a90"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100021",
                "pretty_value": "FILE_READ_ACCESS|FILE_EXECUTE|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\chartv.dll"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 18617
          },
          {
            "timestamp": "2026-05-28 22:01:59,850",
            "thread_id": "1496",
            "caller": "0x7ff6c28dd762",
            "parentcaller": "0x7ff6c28e2606",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000a38"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0000000d",
                "pretty_value": "SECTION_QUERY|SECTION_MAP_READ|SECTION_MAP_EXECUTE"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000a90"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\chartv.dll"
              }
            ],
            "repeated": 0,
            "id": 18618
          },
          {
            "timestamp": "2026-05-28 22:01:59,850",
            "thread_id": "1496",
            "caller": "0x7ff6c28dd762",
            "parentcaller": "0x7ff6c28e2606",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000a38"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc63c20000"
              },
              {
                "name": "SectionOffset",
                "value": "0x00000000"
              },
              {
                "name": "ViewSize",
                "value": "0x00025000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000080",
                "pretty_value": "PAGE_EXECUTE_WRITECOPY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 18619
          },
          {
            "timestamp": "2026-05-28 22:01:59,850",
            "thread_id": "1496",
            "caller": "0x7ff6c28dd762",
            "parentcaller": "0x7ff6c28e2606",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc63c41000"
              },
              {
                "name": "ModuleName",
                "value": "CHARTV.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 18620
          },
          {
            "timestamp": "2026-05-28 22:01:59,850",
            "thread_id": "1496",
            "caller": "0x7ff6c28dd762",
            "parentcaller": "0x7ff6c28e2606",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc63c38000"
              },
              {
                "name": "ModuleName",
                "value": "CHARTV.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 18621
          },
          {
            "timestamp": "2026-05-28 22:01:59,850",
            "thread_id": "1496",
            "caller": "0x7ff6c28dd762",
            "parentcaller": "0x7ff6c28e2606",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc63c38000"
              },
              {
                "name": "ModuleName",
                "value": "CHARTV.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 18622
          },
          {
            "timestamp": "2026-05-28 22:01:59,850",
            "thread_id": "1496",
            "caller": "0x7ff6c28dd762",
            "parentcaller": "0x7ff6c28e2606",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc63c38000"
              },
              {
                "name": "ModuleName",
                "value": "CHARTV.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 18623
          },
          {
            "timestamp": "2026-05-28 22:01:59,850",
            "thread_id": "1496",
            "caller": "0x7ff6c28dd762",
            "parentcaller": "0x7ff6c28e2606",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc63c38000"
              },
              {
                "name": "ModuleName",
                "value": "CHARTV.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 18624
          },
          {
            "timestamp": "2026-05-28 22:01:59,850",
            "thread_id": "1496",
            "caller": "0x7ff6c28dd762",
            "parentcaller": "0x7ff6c28e2606",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc63c38000"
              },
              {
                "name": "ModuleName",
                "value": "CHARTV.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 18625
          },
          {
            "timestamp": "2026-05-28 22:01:59,850",
            "thread_id": "1496",
            "caller": "0x7ff6c28dd762",
            "parentcaller": "0x7ff6c28e2606",
            "category": "registry",
            "api": "NtOpenKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008",
                "pretty_value": "KEY_ENUMERATE_SUB_KEYS"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Microsoft\\Windows\\CurrentVersion\\SideBySide\\AssemblyStorageRoots"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\SideBySide\\AssemblyStorageRoots"
              }
            ],
            "repeated": 0,
            "id": 18626
          },
          {
            "timestamp": "2026-05-28 22:01:59,850",
            "thread_id": "1496",
            "caller": "0x7ff6c28dd762",
            "parentcaller": "0x7ff6c28e2606",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000a44"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100020",
                "pretty_value": "FILE_EXECUTE|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\WinSxS\\amd64_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.19041.3636_none_91a19322cc8a92a3"
              },
              {
                "name": "ShareAccess",
                "value": "3",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE"
              }
            ],
            "repeated": 0,
            "id": 18627
          },
          {
            "timestamp": "2026-05-28 22:01:59,850",
            "thread_id": "1496",
            "caller": "0x7ff6c28dd762",
            "parentcaller": "0x7ff6c28e2606",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a38"
              }
            ],
            "repeated": 0,
            "id": 18628
          },
          {
            "timestamp": "2026-05-28 22:01:59,850",
            "thread_id": "1496",
            "caller": "0x7ff6c28dd762",
            "parentcaller": "0x7ff6c28e2606",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a90"
              }
            ],
            "repeated": 0,
            "id": 18629
          },
          {
            "timestamp": "2026-05-28 22:01:59,850",
            "thread_id": "1496",
            "caller": "0x7ff6c28dd762",
            "parentcaller": "0x7ff6c28e2606",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\WinSxS\\amd64_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.19041.3636_none_91a19322cc8a92a3\\GdiPlus.dll"
              }
            ],
            "repeated": 0,
            "id": 18630
          },
          {
            "timestamp": "2026-05-28 22:01:59,850",
            "thread_id": "1496",
            "caller": "0x7ff6c28dd762",
            "parentcaller": "0x7ff6c28e2606",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000a90"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100021",
                "pretty_value": "FILE_READ_ACCESS|FILE_EXECUTE|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\WinSxS\\amd64_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.19041.3636_none_91a19322cc8a92a3\\GdiPlus.dll"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 18631
          },
          {
            "timestamp": "2026-05-28 22:01:59,850",
            "thread_id": "1496",
            "caller": "0x7ff6c28dd762",
            "parentcaller": "0x7ff6c28e2606",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000a38"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0000000d",
                "pretty_value": "SECTION_QUERY|SECTION_MAP_READ|SECTION_MAP_EXECUTE"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000a90"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\WinSxS\\amd64_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.19041.3636_none_91a19322cc8a92a3\\GdiPlus.dll"
              }
            ],
            "repeated": 0,
            "id": 18632
          },
          {
            "timestamp": "2026-05-28 22:01:59,850",
            "thread_id": "1496",
            "caller": "0x7ff6c28dd762",
            "parentcaller": "0x7ff6c28e2606",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000a38"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc50d30000"
              },
              {
                "name": "SectionOffset",
                "value": "0x00000000"
              },
              {
                "name": "ViewSize",
                "value": "0x001a5000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000080",
                "pretty_value": "PAGE_EXECUTE_WRITECOPY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 18633
          },
          {
            "timestamp": "2026-05-28 22:01:59,850",
            "thread_id": "1496",
            "caller": "0x7ff6c28dd762",
            "parentcaller": "0x7ff6c28e2606",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc50ec0000"
              },
              {
                "name": "ModuleName",
                "value": "gdiplus.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 18634
          },
          {
            "timestamp": "2026-05-28 22:01:59,850",
            "thread_id": "1496",
            "caller": "0x7ff6c28dd762",
            "parentcaller": "0x7ff6c28e2606",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc50e80000"
              },
              {
                "name": "ModuleName",
                "value": "gdiplus.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 18635
          },
          {
            "timestamp": "2026-05-28 22:01:59,850",
            "thread_id": "1496",
            "caller": "0x7ff6c28dd762",
            "parentcaller": "0x7ff6c28e2606",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc50e80000"
              },
              {
                "name": "ModuleName",
                "value": "gdiplus.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 18636
          },
          {
            "timestamp": "2026-05-28 22:01:59,850",
            "thread_id": "1496",
            "caller": "0x7ff6c28dd762",
            "parentcaller": "0x7ff6c28e2606",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc50e80000"
              },
              {
                "name": "ModuleName",
                "value": "gdiplus.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 18637
          },
          {
            "timestamp": "2026-05-28 22:01:59,850",
            "thread_id": "1496",
            "caller": "0x7ff6c28dd762",
            "parentcaller": "0x7ff6c28e2606",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc50e80000"
              },
              {
                "name": "ModuleName",
                "value": "gdiplus.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 18638
          },
          {
            "timestamp": "2026-05-28 22:01:59,850",
            "thread_id": "1496",
            "caller": "0x7ff6c28dd762",
            "parentcaller": "0x7ff6c28e2606",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc50e7f000"
              },
              {
                "name": "ModuleName",
                "value": "gdiplus.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00002000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 18639
          },
          {
            "timestamp": "2026-05-28 22:01:59,850",
            "thread_id": "1496",
            "caller": "0x7ff6c28dd762",
            "parentcaller": "0x7ff6c28e2606",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a38"
              }
            ],
            "repeated": 0,
            "id": 18640
          },
          {
            "timestamp": "2026-05-28 22:01:59,850",
            "thread_id": "1496",
            "caller": "0x7ff6c28dd762",
            "parentcaller": "0x7ff6c28e2606",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a90"
              }
            ],
            "repeated": 0,
            "id": 18641
          },
          {
            "timestamp": "2026-05-28 22:01:59,850",
            "thread_id": "1496",
            "caller": "0x7ff6c28dd762",
            "parentcaller": "0x7ff6c28e2606",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc63c38000"
              },
              {
                "name": "ModuleName",
                "value": "CHARTV.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 18642
          },
          {
            "timestamp": "2026-05-28 22:01:59,850",
            "thread_id": "1496",
            "caller": "0x7ff6c28dd762",
            "parentcaller": "0x7ff6c28e2606",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc50e7f000"
              },
              {
                "name": "ModuleName",
                "value": "gdiplus.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00002000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 18643
          },
          {
            "timestamp": "2026-05-28 22:01:59,850",
            "thread_id": "1496",
            "caller": "0x7ff6c28dd762",
            "parentcaller": "0x7ff6c28e2606",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\WinSxS\\amd64_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.19041.3636_none_91a19322cc8a92a3\\gdiplus"
              },
              {
                "name": "DllBase",
                "value": "0x7ffc50d30000"
              }
            ],
            "repeated": 0,
            "id": 18644
          },
          {
            "timestamp": "2026-05-28 22:01:59,850",
            "thread_id": "1496",
            "caller": "0x7ff6c28dd762",
            "parentcaller": "0x7ff6c28e2606",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\system32\\CHARTV"
              },
              {
                "name": "DllBase",
                "value": "0x7ffc63c20000"
              }
            ],
            "repeated": 0,
            "id": 18645
          },
          {
            "timestamp": "2026-05-28 22:01:59,850",
            "thread_id": "1496",
            "caller": "0x7ff6c28dd762",
            "parentcaller": "0x7ff6c28e2606",
            "category": "system",
            "api": "LdrpCallInitRoutine",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "MappedPath",
                "value": "\\Device\\HarddiskVolume2\\Windows\\WinSxS\\amd64_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.19041.3636_none_91a19322cc8a92a3\\GdiPlus"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc50d30000"
              },
              {
                "name": "InitRoutine",
                "value": "0x7ffc50d87c20"
              },
              {
                "name": "Reason",
                "value": "1"
              }
            ],
            "repeated": 0,
            "id": 18646
          },
          {
            "timestamp": "2026-05-28 22:01:59,850",
            "thread_id": "1496",
            "caller": "0x7ff6c28dd762",
            "parentcaller": "0x7ff6c28e2606",
            "category": "system",
            "api": "LdrpCallInitRoutine",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "MappedPath",
                "value": "\\Device\\HarddiskVolume2\\Windows\\System32\\chartv"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc63c20000"
              },
              {
                "name": "InitRoutine",
                "value": "0x7ffc63c353e0"
              },
              {
                "name": "Reason",
                "value": "1"
              }
            ],
            "repeated": 0,
            "id": 18647
          },
          {
            "timestamp": "2026-05-28 22:01:59,850",
            "thread_id": "1496",
            "caller": "0x7ff6c28dd762",
            "parentcaller": "0x7ff6c28e2606",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff6c29dc000"
              },
              {
                "name": "ModuleName",
                "value": "taskmgr.exe"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 18648
          },
          {
            "timestamp": "2026-05-28 22:01:59,850",
            "thread_id": "1496",
            "caller": "0x7ff6c28dd762",
            "parentcaller": "0x7ff6c28e2606",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff6c29dc000"
              },
              {
                "name": "ModuleName",
                "value": "taskmgr.exe"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 18649
          },
          {
            "timestamp": "2026-05-28 22:01:59,850",
            "thread_id": "1496",
            "caller": "0x7ff6c292873e",
            "parentcaller": "0x7ff6c29277c4",
            "category": "misc",
            "api": "HeapCreate",
            "status": true,
            "return": "0x29255920000",
            "arguments": [
              {
                "name": "Options",
                "value": "0"
              },
              {
                "name": "InitialSize",
                "value": "0x00000000"
              },
              {
                "name": "MaximumSize",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 18650
          },
          {
            "timestamp": "2026-05-28 22:01:59,850",
            "thread_id": "1496",
            "caller": "0x7ff6c292873e",
            "parentcaller": "0x7ff6c29277c4",
            "category": "misc",
            "api": "GetSystemInfo",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 18651
          },
          {
            "timestamp": "2026-05-28 22:01:59,850",
            "thread_id": "1496",
            "caller": "0x7ff6c292873e",
            "parentcaller": "0x7ff6c29277c4",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "user32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc762a0000"
              }
            ],
            "repeated": 0,
            "id": 18652
          },
          {
            "timestamp": "2026-05-28 22:01:59,850",
            "thread_id": "1496",
            "caller": "0x7ff6c292873e",
            "parentcaller": "0x7ff6c29277c4",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "USER32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc762a0000"
              },
              {
                "name": "FunctionName",
                "value": "GetWindowInfo"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc762b05c0"
              }
            ],
            "repeated": 0,
            "id": 18653
          },
          {
            "timestamp": "2026-05-28 22:01:59,850",
            "thread_id": "1496",
            "caller": "0x7ff6c292873e",
            "parentcaller": "0x7ff6c29277c4",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "USER32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc762a0000"
              },
              {
                "name": "FunctionName",
                "value": "GetAncestor"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc762d3ef0"
              }
            ],
            "repeated": 0,
            "id": 18654
          },
          {
            "timestamp": "2026-05-28 22:01:59,850",
            "thread_id": "1496",
            "caller": "0x7ff6c292873e",
            "parentcaller": "0x7ff6c29277c4",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "USER32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc762a0000"
              },
              {
                "name": "FunctionName",
                "value": "GetMonitorInfoA"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc762cdca0"
              }
            ],
            "repeated": 0,
            "id": 18655
          },
          {
            "timestamp": "2026-05-28 22:01:59,850",
            "thread_id": "1496",
            "caller": "0x7ff6c292873e",
            "parentcaller": "0x7ff6c29277c4",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "USER32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc762a0000"
              },
              {
                "name": "FunctionName",
                "value": "EnumDisplayMonitors"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc762d3e90"
              }
            ],
            "repeated": 0,
            "id": 18656
          },
          {
            "timestamp": "2026-05-28 22:01:59,850",
            "thread_id": "1496",
            "caller": "0x7ff6c292873e",
            "parentcaller": "0x7ff6c29277c4",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "USER32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc762a0000"
              },
              {
                "name": "FunctionName",
                "value": "EnumDisplayDevicesA"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc762a8c30"
              }
            ],
            "repeated": 0,
            "id": 18657
          },
          {
            "timestamp": "2026-05-28 22:01:59,850",
            "thread_id": "1496",
            "caller": "0x7ff6c292873e",
            "parentcaller": "0x7ff6c29277c4",
            "category": "misc",
            "api": "GetSystemMetrics",
            "status": true,
            "return": "0x00000780",
            "arguments": [
              {
                "name": "SystemMetricIndex",
                "value": "78"
              }
            ],
            "repeated": 0,
            "id": 18658
          },
          {
            "timestamp": "2026-05-28 22:01:59,850",
            "thread_id": "1496",
            "caller": "0x7ff6c292873e",
            "parentcaller": "0x7ff6c29277c4",
            "category": "misc",
            "api": "GetSystemMetrics",
            "status": true,
            "return": "0x00000438",
            "arguments": [
              {
                "name": "SystemMetricIndex",
                "value": "79"
              }
            ],
            "repeated": 0,
            "id": 18659
          },
          {
            "timestamp": "2026-05-28 22:01:59,850",
            "thread_id": "1496",
            "caller": "0x7ff6c292873e",
            "parentcaller": "0x7ff6c29277c4",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "gdi32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc77ed0000"
              }
            ],
            "repeated": 0,
            "id": 18660
          },
          {
            "timestamp": "2026-05-28 22:01:59,850",
            "thread_id": "1496",
            "caller": "0x7ff6c292873e",
            "parentcaller": "0x7ff6c29277c4",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "GDI32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc77ed0000"
              },
              {
                "name": "FunctionName",
                "value": "ExtTextOutW"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc77ed36d0"
              }
            ],
            "repeated": 0,
            "id": 18661
          },
          {
            "timestamp": "2026-05-28 22:01:59,850",
            "thread_id": "1496",
            "caller": "0x7ff6c292873e",
            "parentcaller": "0x7ff6c29277c4",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "GDI32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc77ed0000"
              },
              {
                "name": "FunctionName",
                "value": "GdiIsMetaPrintDC"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc77ed9d60"
              }
            ],
            "repeated": 0,
            "id": 18662
          },
          {
            "timestamp": "2026-05-28 22:01:59,850",
            "thread_id": "1496",
            "caller": "0x7ff6c292873e",
            "parentcaller": "0x7ff6c29277c4",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\WinSxS\\amd64_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.19041.3636_none_91a19322cc8a92a3\\GdiPlus.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc50d30000"
              }
            ],
            "repeated": 0,
            "id": 18663
          },
          {
            "timestamp": "2026-05-28 22:01:59,850",
            "thread_id": "1496",
            "caller": "0x7ff6c292873e",
            "parentcaller": "0x7ff6c29277c4",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x7ffc50d30000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\WinSxS\\amd64_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.19041.3636_none_91a19322cc8a92a3\\gdiplus.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 18664
          },
          {
            "timestamp": "2026-05-28 22:01:59,865",
            "thread_id": "1496",
            "caller": "0x7ff6c292873e",
            "parentcaller": "0x7ff6c29277c4",
            "category": "threading",
            "api": "NtCreateThreadEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0x00000a3c"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "StartAddress",
                "value": "0x7ffc50d39020"
              },
              {
                "name": "Parameter",
                "value": "0x29255921ef0"
              },
              {
                "name": "CreateFlags",
                "value": "0x00000001"
              },
              {
                "name": "ThreadId",
                "value": "9180"
              },
              {
                "name": "ProcessId",
                "value": "7912"
              },
              {
                "name": "Module",
                "value": "gdiplus.dll"
              }
            ],
            "repeated": 0,
            "id": 18665
          },
          {
            "timestamp": "2026-05-28 22:01:59,865",
            "thread_id": "1496",
            "caller": "0x7ff6c292873e",
            "parentcaller": "0x7ff6c29277c4",
            "category": "threading",
            "api": "CreateRemoteThreadEx",
            "status": true,
            "return": "0x00000a3c",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "StartRoutine",
                "value": "0x7ffc50d39020"
              },
              {
                "name": "Parameter",
                "value": "0x29255921ef0"
              },
              {
                "name": "CreationFlags",
                "value": "0x00000000"
              },
              {
                "name": "ThreadId",
                "value": "9180"
              },
              {
                "name": "ProcessId",
                "value": "7912"
              }
            ],
            "repeated": 0,
            "id": 18666
          },
          {
            "timestamp": "2026-05-28 22:01:59,865",
            "thread_id": "1496",
            "caller": "0x7ff6c29600c3",
            "parentcaller": "0x7ff6c295f7e3",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 18667
          },
          {
            "timestamp": "2026-05-28 22:01:59,865",
            "thread_id": "1496",
            "caller": "0x7ff6c29600c3",
            "parentcaller": "0x7ff6c295f7e3",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000000d4"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 18668
          },
          {
            "timestamp": "2026-05-28 22:01:59,865",
            "thread_id": "1496",
            "caller": "0x7ff6c29600c3",
            "parentcaller": "0x7ff6c295f7e3",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000a98"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000000d4"
              },
              {
                "name": "ObjectAttributesName",
                "value": "System\\CurrentControlSet\\Control\\Session Manager\\Memory Management"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Session Manager\\Memory Management"
              }
            ],
            "repeated": 0,
            "id": 18669
          },
          {
            "timestamp": "2026-05-28 22:01:59,865",
            "thread_id": "1496",
            "caller": "0x7ff6c29600c3",
            "parentcaller": "0x7ff6c295f7e3",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a98"
              },
              {
                "name": "ValueName",
                "value": "ExistingPageFiles"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Session Manager\\Memory Management\\ExistingPageFiles"
              }
            ],
            "repeated": 0,
            "id": 18670
          },
          {
            "timestamp": "2026-05-28 22:01:59,865",
            "thread_id": "1496",
            "caller": "0x7ff6c29600c3",
            "parentcaller": "0x7ff6c295f7e3",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a98"
              }
            ],
            "repeated": 0,
            "id": 18671
          },
          {
            "timestamp": "2026-05-28 22:01:59,865",
            "thread_id": "1496",
            "caller": "0x7ff6c29601c5",
            "parentcaller": "0x7ff6c295f7e3",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 18672
          },
          {
            "timestamp": "2026-05-28 22:01:59,865",
            "thread_id": "1496",
            "caller": "0x7ff6c29601c5",
            "parentcaller": "0x7ff6c295f7e3",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000000d4"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 18673
          },
          {
            "timestamp": "2026-05-28 22:01:59,865",
            "thread_id": "1496",
            "caller": "0x7ff6c29601c5",
            "parentcaller": "0x7ff6c295f7e3",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000a98"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000000d4"
              },
              {
                "name": "ObjectAttributesName",
                "value": "System\\CurrentControlSet\\Control\\Session Manager\\Memory Management"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Session Manager\\Memory Management"
              }
            ],
            "repeated": 0,
            "id": 18674
          },
          {
            "timestamp": "2026-05-28 22:01:59,865",
            "thread_id": "1496",
            "caller": "0x7ff6c29601c5",
            "parentcaller": "0x7ff6c295f7e3",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a98"
              },
              {
                "name": "ValueName",
                "value": "ExistingPageFiles"
              },
              {
                "name": "Data",
                "value": "\\x00"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Session Manager\\Memory Management\\ExistingPageFiles"
              }
            ],
            "repeated": 0,
            "id": 18675
          },
          {
            "timestamp": "2026-05-28 22:01:59,865",
            "thread_id": "1496",
            "caller": "0x7ff6c29601c5",
            "parentcaller": "0x7ff6c295f7e3",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a98"
              }
            ],
            "repeated": 0,
            "id": 18676
          },
          {
            "timestamp": "2026-05-28 22:01:59,865",
            "thread_id": "1496",
            "caller": "0x7ff6c29600c3",
            "parentcaller": "0x7ff6c295f874",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 18677
          },
          {
            "timestamp": "2026-05-28 22:01:59,865",
            "thread_id": "1496",
            "caller": "0x7ff6c29601c5",
            "parentcaller": "0x7ff6c295f874",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a98"
              },
              {
                "name": "ValueName",
                "value": "PagingFiles"
              },
              {
                "name": "Data",
                "value": "\\x00"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Session Manager\\Memory Management\\PagingFiles"
              }
            ],
            "repeated": 0,
            "id": 18678
          },
          {
            "timestamp": "2026-05-28 22:01:59,865",
            "thread_id": "1496",
            "caller": "0x7ff6c29601c5",
            "parentcaller": "0x7ff6c295f874",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a98"
              }
            ],
            "repeated": 0,
            "id": 18679
          },
          {
            "timestamp": "2026-05-28 22:01:59,865",
            "thread_id": "9180",
            "caller": "0x7ffc7804507d",
            "parentcaller": "0x7ffc78044c43",
            "category": "threading",
            "api": "NtTestAlert",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 18680
          },
          {
            "timestamp": "2026-05-28 22:01:59,865",
            "thread_id": "9180",
            "caller": "0x00000000",
            "parentcaller": "0x00000000",
            "category": "threading",
            "api": "RtlUserThreadStart",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "StartAddress",
                "value": "0x7ffc50d39020"
              },
              {
                "name": "Parameter",
                "value": "0x29255921ef0"
              }
            ],
            "repeated": 0,
            "id": 18681
          },
          {
            "timestamp": "2026-05-28 22:01:59,865",
            "thread_id": "9180",
            "caller": "0x7ffc77fde715",
            "parentcaller": "0x7ffc77fde37b",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29255922000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 18682
          },
          {
            "timestamp": "2026-05-28 22:01:59,865",
            "thread_id": "1496",
            "caller": "0x7ff6c292683e",
            "parentcaller": "0x7ff6c2926498",
            "category": "misc",
            "api": "FindResourceExW",
            "status": true,
            "return": "0x2924e1b1c58",
            "arguments": [
              {
                "name": "Module",
                "value": "0x7ff6c28b0000"
              },
              {
                "name": "Type",
                "value": "#6"
              },
              {
                "name": "Name",
                "value": "#2116"
              },
              {
                "name": "Language",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 18683
          },
          {
            "timestamp": "2026-05-28 22:01:59,865",
            "thread_id": "1496",
            "caller": "0x7ff6c292683e",
            "parentcaller": "0x7ff6c2926498",
            "category": "misc",
            "api": "LoadResource",
            "status": true,
            "return": "0x2924e1ba628",
            "arguments": [
              {
                "name": "Module",
                "value": "0x7ff6c28b0000"
              },
              {
                "name": "ResourceInfo",
                "value": "0x2924e1b1c58"
              }
            ],
            "repeated": 0,
            "id": 18684
          },
          {
            "timestamp": "2026-05-28 22:01:59,865",
            "thread_id": "1496",
            "caller": "0x7ff6c292683e",
            "parentcaller": "0x7ff6c2926498",
            "category": "misc",
            "api": "FindResourceExW",
            "status": false,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Module",
                "value": "0x7ff6c28b0000"
              },
              {
                "name": "Type",
                "value": "#2"
              },
              {
                "name": "Name",
                "value": "#31213"
              },
              {
                "name": "Language",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 18685
          },
          {
            "timestamp": "2026-05-28 22:01:59,865",
            "thread_id": "1496",
            "caller": "0x7ff6c292683e",
            "parentcaller": "0x7ff6c2926498",
            "category": "misc",
            "api": "FindResourceExW",
            "status": false,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Module",
                "value": "0x7ff6c28b0000"
              },
              {
                "name": "Type",
                "value": "IMAGE"
              },
              {
                "name": "Name",
                "value": "#31213"
              },
              {
                "name": "Language",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 18686
          },
          {
            "timestamp": "2026-05-28 22:01:59,865",
            "thread_id": "9180",
            "caller": "0x7ffc762c1eb0",
            "parentcaller": "0x7ffc762c1e53",
            "category": "misc",
            "api": "FindResourceExW",
            "status": false,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Module",
                "value": "0x7ffc50d30000"
              },
              {
                "name": "Type",
                "value": "#4"
              },
              {
                "name": "Name",
                "value": "GDI+ Hook Window"
              },
              {
                "name": "Language",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 18687
          },
          {
            "timestamp": "2026-05-28 22:01:59,865",
            "thread_id": "1496",
            "caller": "0x7ff6c292683e",
            "parentcaller": "0x7ff6c2926498",
            "category": "misc",
            "api": "FindResourceExW",
            "status": true,
            "return": "0x29252ef1878",
            "arguments": [
              {
                "name": "Module",
                "value": "0x7ff6c28b0000"
              },
              {
                "name": "Type",
                "value": "PNG"
              },
              {
                "name": "Name",
                "value": "#31213"
              },
              {
                "name": "Language",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 18688
          },
          {
            "timestamp": "2026-05-28 22:01:59,865",
            "thread_id": "1496",
            "caller": "0x7ff6c292683e",
            "parentcaller": "0x7ff6c2926498",
            "category": "misc",
            "api": "LoadResource",
            "status": true,
            "return": "0x29252f461e0",
            "arguments": [
              {
                "name": "Module",
                "value": "0x7ff6c28b0000"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29252ef1878"
              }
            ],
            "repeated": 0,
            "id": 18689
          },
          {
            "timestamp": "2026-05-28 22:01:59,865",
            "thread_id": "1496",
            "caller": "0x7ff6c292683e",
            "parentcaller": "0x7ff6c2926498",
            "category": "misc",
            "api": "SizeofResource",
            "status": true,
            "return": "0x000001d2",
            "arguments": [
              {
                "name": "ModuleHandle",
                "value": "0x7ff6c28b0000"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29252ef1878"
              }
            ],
            "repeated": 0,
            "id": 18690
          },
          {
            "timestamp": "2026-05-28 22:01:59,865",
            "thread_id": "1496",
            "caller": "0x7ff6c292683e",
            "parentcaller": "0x7ff6c2926498",
            "category": "misc",
            "api": "FindResourceExW",
            "status": true,
            "return": "0x2924e1b1d48",
            "arguments": [
              {
                "name": "Module",
                "value": "0x7ff6c28b0000"
              },
              {
                "name": "Type",
                "value": "#6"
              },
              {
                "name": "Name",
                "value": "#2156"
              },
              {
                "name": "Language",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 18691
          },
          {
            "timestamp": "2026-05-28 22:01:59,865",
            "thread_id": "1496",
            "caller": "0x7ff6c292683e",
            "parentcaller": "0x7ff6c2926498",
            "category": "misc",
            "api": "LoadResource",
            "status": true,
            "return": "0x2924e1bb234",
            "arguments": [
              {
                "name": "Module",
                "value": "0x7ff6c28b0000"
              },
              {
                "name": "ResourceInfo",
                "value": "0x2924e1b1d48"
              }
            ],
            "repeated": 0,
            "id": 18692
          },
          {
            "timestamp": "2026-05-28 22:01:59,865",
            "thread_id": "9180",
            "caller": "0x7ffc78006798",
            "parentcaller": "0x7ffc7572ad43",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a7c"
              }
            ],
            "repeated": 0,
            "id": 18693
          },
          {
            "timestamp": "2026-05-28 22:01:59,865",
            "thread_id": "9180",
            "caller": "0x7ffc780067b9",
            "parentcaller": "0x7ffc7572ad43",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a84"
              }
            ],
            "repeated": 0,
            "id": 18694
          },
          {
            "timestamp": "2026-05-28 22:01:59,865",
            "thread_id": "1496",
            "caller": "0x7ff6c292683e",
            "parentcaller": "0x7ff6c2926498",
            "category": "misc",
            "api": "FindResourceExW",
            "status": true,
            "return": "0x2924e1b1cb8",
            "arguments": [
              {
                "name": "Module",
                "value": "0x7ff6c28b0000"
              },
              {
                "name": "Type",
                "value": "#6"
              },
              {
                "name": "Name",
                "value": "#2142"
              },
              {
                "name": "Language",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 18695
          },
          {
            "timestamp": "2026-05-28 22:01:59,865",
            "thread_id": "1496",
            "caller": "0x7ff6c292683e",
            "parentcaller": "0x7ff6c2926498",
            "category": "misc",
            "api": "LoadResource",
            "status": true,
            "return": "0x2924e1ba870",
            "arguments": [
              {
                "name": "Module",
                "value": "0x7ff6c28b0000"
              },
              {
                "name": "ResourceInfo",
                "value": "0x2924e1b1cb8"
              }
            ],
            "repeated": 0,
            "id": 18696
          },
          {
            "timestamp": "2026-05-28 22:01:59,865",
            "thread_id": "1496",
            "caller": "0x7ff6c292683e",
            "parentcaller": "0x7ff6c2926498",
            "category": "misc",
            "api": "FindResourceExW",
            "status": true,
            "return": "0x2924e1b1cb8",
            "arguments": [
              {
                "name": "Module",
                "value": "0x7ff6c28b0000"
              },
              {
                "name": "Type",
                "value": "#6"
              },
              {
                "name": "Name",
                "value": "#2142"
              },
              {
                "name": "Language",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 18697
          },
          {
            "timestamp": "2026-05-28 22:01:59,865",
            "thread_id": "1496",
            "caller": "0x7ff6c292683e",
            "parentcaller": "0x7ff6c2926498",
            "category": "misc",
            "api": "LoadResource",
            "status": true,
            "return": "0x2924e1ba870",
            "arguments": [
              {
                "name": "Module",
                "value": "0x7ff6c28b0000"
              },
              {
                "name": "ResourceInfo",
                "value": "0x2924e1b1cb8"
              }
            ],
            "repeated": 0,
            "id": 18698
          },
          {
            "timestamp": "2026-05-28 22:01:59,865",
            "thread_id": "9180",
            "caller": "0x7ffc7572026b",
            "parentcaller": "0x7ffc50d3958e",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x00000a88"
              }
            ],
            "repeated": 0,
            "id": 18699
          },
          {
            "timestamp": "2026-05-28 22:01:59,865",
            "thread_id": "9180",
            "caller": "0x7ffc756e54eb",
            "parentcaller": "0x7ffc50d395ba",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "26"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 18700
          },
          {
            "timestamp": "2026-05-28 22:01:59,865",
            "thread_id": "9180",
            "caller": "0x7ffc756e6785",
            "parentcaller": "0x7ffc50d395d6",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a88"
              }
            ],
            "repeated": 0,
            "id": 18701
          },
          {
            "timestamp": "2026-05-28 22:01:59,865",
            "thread_id": "1496",
            "caller": "0x7ff6c292686e",
            "parentcaller": "0x7ff6c2926498",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00000042"
              },
              {
                "name": "uiParam",
                "value": "0x00000010"
              }
            ],
            "repeated": 0,
            "id": 18702
          },
          {
            "timestamp": "2026-05-28 22:01:59,865",
            "thread_id": "1496",
            "caller": "0x7ff6c2926dba",
            "parentcaller": "0x7ff6c29264ba",
            "category": "misc",
            "api": "FindResourceExW",
            "status": true,
            "return": "0x2924e1b1c58",
            "arguments": [
              {
                "name": "Module",
                "value": "0x7ff6c28b0000"
              },
              {
                "name": "Type",
                "value": "#6"
              },
              {
                "name": "Name",
                "value": "#2116"
              },
              {
                "name": "Language",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 18703
          },
          {
            "timestamp": "2026-05-28 22:01:59,865",
            "thread_id": "1496",
            "caller": "0x7ff6c2926dba",
            "parentcaller": "0x7ff6c29264ba",
            "category": "misc",
            "api": "LoadResource",
            "status": true,
            "return": "0x2924e1ba628",
            "arguments": [
              {
                "name": "Module",
                "value": "0x7ff6c28b0000"
              },
              {
                "name": "ResourceInfo",
                "value": "0x2924e1b1c58"
              }
            ],
            "repeated": 0,
            "id": 18704
          },
          {
            "timestamp": "2026-05-28 22:01:59,865",
            "thread_id": "1496",
            "caller": "0x7ff6c2926dba",
            "parentcaller": "0x7ff6c29264ba",
            "category": "misc",
            "api": "FindResourceExW",
            "status": false,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Module",
                "value": "0x7ff6c28b0000"
              },
              {
                "name": "Type",
                "value": "#2"
              },
              {
                "name": "Name",
                "value": "#31214"
              },
              {
                "name": "Language",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 18705
          },
          {
            "timestamp": "2026-05-28 22:01:59,865",
            "thread_id": "1496",
            "caller": "0x7ff6c2926dba",
            "parentcaller": "0x7ff6c29264ba",
            "category": "misc",
            "api": "FindResourceExW",
            "status": false,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Module",
                "value": "0x7ff6c28b0000"
              },
              {
                "name": "Type",
                "value": "IMAGE"
              },
              {
                "name": "Name",
                "value": "#31214"
              },
              {
                "name": "Language",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 18706
          },
          {
            "timestamp": "2026-05-28 22:01:59,865",
            "thread_id": "1496",
            "caller": "0x7ff6c2926dba",
            "parentcaller": "0x7ff6c29264ba",
            "category": "misc",
            "api": "FindResourceExW",
            "status": false,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Module",
                "value": "0x7ff6c28b0000"
              },
              {
                "name": "Type",
                "value": "PNGFILE"
              },
              {
                "name": "Name",
                "value": "#31214"
              },
              {
                "name": "Language",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 18707
          },
          {
            "timestamp": "2026-05-28 22:01:59,865",
            "thread_id": "1496",
            "caller": "0x7ff6c2926dba",
            "parentcaller": "0x7ff6c29264ba",
            "category": "misc",
            "api": "FindResourceExW",
            "status": true,
            "return": "0x29252ef1888",
            "arguments": [
              {
                "name": "Module",
                "value": "0x7ff6c28b0000"
              },
              {
                "name": "Type",
                "value": "PNG"
              },
              {
                "name": "Name",
                "value": "#31214"
              },
              {
                "name": "Language",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 18708
          },
          {
            "timestamp": "2026-05-28 22:01:59,865",
            "thread_id": "1496",
            "caller": "0x7ff6c2926dba",
            "parentcaller": "0x7ff6c29264ba",
            "category": "misc",
            "api": "LoadResource",
            "status": true,
            "return": "0x29252f463b8",
            "arguments": [
              {
                "name": "Module",
                "value": "0x7ff6c28b0000"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29252ef1888"
              }
            ],
            "repeated": 0,
            "id": 18709
          },
          {
            "timestamp": "2026-05-28 22:01:59,865",
            "thread_id": "1496",
            "caller": "0x7ff6c2926dba",
            "parentcaller": "0x7ff6c29264ba",
            "category": "misc",
            "api": "SizeofResource",
            "status": true,
            "return": "0x000001cb",
            "arguments": [
              {
                "name": "ModuleHandle",
                "value": "0x7ff6c28b0000"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29252ef1888"
              }
            ],
            "repeated": 0,
            "id": 18710
          },
          {
            "timestamp": "2026-05-28 22:01:59,865",
            "thread_id": "1496",
            "caller": "0x7ff6c2926dba",
            "parentcaller": "0x7ff6c29264ba",
            "category": "misc",
            "api": "FindResourceExW",
            "status": true,
            "return": "0x2924e1b1d48",
            "arguments": [
              {
                "name": "Module",
                "value": "0x7ff6c28b0000"
              },
              {
                "name": "Type",
                "value": "#6"
              },
              {
                "name": "Name",
                "value": "#2156"
              },
              {
                "name": "Language",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 18711
          },
          {
            "timestamp": "2026-05-28 22:01:59,865",
            "thread_id": "1496",
            "caller": "0x7ff6c2926dba",
            "parentcaller": "0x7ff6c29264ba",
            "category": "misc",
            "api": "LoadResource",
            "status": true,
            "return": "0x2924e1bb234",
            "arguments": [
              {
                "name": "Module",
                "value": "0x7ff6c28b0000"
              },
              {
                "name": "ResourceInfo",
                "value": "0x2924e1b1d48"
              }
            ],
            "repeated": 0,
            "id": 18712
          },
          {
            "timestamp": "2026-05-28 22:01:59,865",
            "thread_id": "1496",
            "caller": "0x7ff6c2926dea",
            "parentcaller": "0x7ff6c29264ba",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00000042"
              },
              {
                "name": "uiParam",
                "value": "0x00000010"
              }
            ],
            "repeated": 0,
            "id": 18713
          },
          {
            "timestamp": "2026-05-28 22:01:59,865",
            "thread_id": "1496",
            "caller": "0x7ff6c295e7e5",
            "parentcaller": "0x7ff6c2926bd1",
            "category": "misc",
            "api": "FindResourceExW",
            "status": true,
            "return": "0x2924e1b1c58",
            "arguments": [
              {
                "name": "Module",
                "value": "0x7ff6c28b0000"
              },
              {
                "name": "Type",
                "value": "#6"
              },
              {
                "name": "Name",
                "value": "#2116"
              },
              {
                "name": "Language",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 18714
          },
          {
            "timestamp": "2026-05-28 22:01:59,865",
            "thread_id": "1496",
            "caller": "0x7ff6c295e7e5",
            "parentcaller": "0x7ff6c2926bd1",
            "category": "misc",
            "api": "LoadResource",
            "status": true,
            "return": "0x2924e1ba628",
            "arguments": [
              {
                "name": "Module",
                "value": "0x7ff6c28b0000"
              },
              {
                "name": "ResourceInfo",
                "value": "0x2924e1b1c58"
              }
            ],
            "repeated": 0,
            "id": 18715
          },
          {
            "timestamp": "2026-05-28 22:01:59,865",
            "thread_id": "1496",
            "caller": "0x7ff6c295e7e5",
            "parentcaller": "0x7ff6c2926bd1",
            "category": "misc",
            "api": "FindResourceExW",
            "status": false,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Module",
                "value": "0x7ff6c28b0000"
              },
              {
                "name": "Type",
                "value": "#2"
              },
              {
                "name": "Name",
                "value": "#31215"
              },
              {
                "name": "Language",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 18716
          },
          {
            "timestamp": "2026-05-28 22:01:59,865",
            "thread_id": "1496",
            "caller": "0x7ff6c295e7e5",
            "parentcaller": "0x7ff6c2926bd1",
            "category": "misc",
            "api": "FindResourceExW",
            "status": false,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Module",
                "value": "0x7ff6c28b0000"
              },
              {
                "name": "Type",
                "value": "IMAGE"
              },
              {
                "name": "Name",
                "value": "#31215"
              },
              {
                "name": "Language",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 18717
          },
          {
            "timestamp": "2026-05-28 22:01:59,865",
            "thread_id": "1496",
            "caller": "0x7ff6c295e7e5",
            "parentcaller": "0x7ff6c2926bd1",
            "category": "misc",
            "api": "FindResourceExW",
            "status": false,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Module",
                "value": "0x7ff6c28b0000"
              },
              {
                "name": "Type",
                "value": "PNGFILE"
              },
              {
                "name": "Name",
                "value": "#31215"
              },
              {
                "name": "Language",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 18718
          },
          {
            "timestamp": "2026-05-28 22:01:59,865",
            "thread_id": "1496",
            "caller": "0x7ff6c295e7e5",
            "parentcaller": "0x7ff6c2926bd1",
            "category": "misc",
            "api": "FindResourceExW",
            "status": true,
            "return": "0x29252ef1898",
            "arguments": [
              {
                "name": "Module",
                "value": "0x7ff6c28b0000"
              },
              {
                "name": "Type",
                "value": "PNG"
              },
              {
                "name": "Name",
                "value": "#31215"
              },
              {
                "name": "Language",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 18719
          },
          {
            "timestamp": "2026-05-28 22:01:59,865",
            "thread_id": "1496",
            "caller": "0x7ff6c295e7e5",
            "parentcaller": "0x7ff6c2926bd1",
            "category": "misc",
            "api": "LoadResource",
            "status": true,
            "return": "0x29252f46588",
            "arguments": [
              {
                "name": "Module",
                "value": "0x7ff6c28b0000"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29252ef1898"
              }
            ],
            "repeated": 0,
            "id": 18720
          },
          {
            "timestamp": "2026-05-28 22:01:59,865",
            "thread_id": "1496",
            "caller": "0x7ff6c295e7e5",
            "parentcaller": "0x7ff6c2926bd1",
            "category": "misc",
            "api": "SizeofResource",
            "status": true,
            "return": "0x000001d0",
            "arguments": [
              {
                "name": "ModuleHandle",
                "value": "0x7ff6c28b0000"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29252ef1898"
              }
            ],
            "repeated": 0,
            "id": 18721
          },
          {
            "timestamp": "2026-05-28 22:01:59,865",
            "thread_id": "1496",
            "caller": "0x7ff6c295e7e5",
            "parentcaller": "0x7ff6c2926bd1",
            "category": "misc",
            "api": "FindResourceExW",
            "status": true,
            "return": "0x2924e1b1d48",
            "arguments": [
              {
                "name": "Module",
                "value": "0x7ff6c28b0000"
              },
              {
                "name": "Type",
                "value": "#6"
              },
              {
                "name": "Name",
                "value": "#2156"
              },
              {
                "name": "Language",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 18722
          },
          {
            "timestamp": "2026-05-28 22:01:59,865",
            "thread_id": "1496",
            "caller": "0x7ff6c295e7e5",
            "parentcaller": "0x7ff6c2926bd1",
            "category": "misc",
            "api": "LoadResource",
            "status": true,
            "return": "0x2924e1bb234",
            "arguments": [
              {
                "name": "Module",
                "value": "0x7ff6c28b0000"
              },
              {
                "name": "ResourceInfo",
                "value": "0x2924e1b1d48"
              }
            ],
            "repeated": 0,
            "id": 18723
          },
          {
            "timestamp": "2026-05-28 22:01:59,865",
            "thread_id": "1496",
            "caller": "0x7ff6c295e7e5",
            "parentcaller": "0x7ff6c2926bd1",
            "category": "misc",
            "api": "FindResourceExW",
            "status": true,
            "return": "0x2924e1b1d28",
            "arguments": [
              {
                "name": "Module",
                "value": "0x7ff6c28b0000"
              },
              {
                "name": "Type",
                "value": "#6"
              },
              {
                "name": "Name",
                "value": "#2154"
              },
              {
                "name": "Language",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 18724
          },
          {
            "timestamp": "2026-05-28 22:01:59,865",
            "thread_id": "1496",
            "caller": "0x7ff6c295e7e5",
            "parentcaller": "0x7ff6c2926bd1",
            "category": "misc",
            "api": "LoadResource",
            "status": true,
            "return": "0x2924e1bb010",
            "arguments": [
              {
                "name": "Module",
                "value": "0x7ff6c28b0000"
              },
              {
                "name": "ResourceInfo",
                "value": "0x2924e1b1d28"
              }
            ],
            "repeated": 0,
            "id": 18725
          },
          {
            "timestamp": "2026-05-28 22:01:59,865",
            "thread_id": "1496",
            "caller": "0x7ff6c295e7e5",
            "parentcaller": "0x7ff6c2926bd1",
            "category": "misc",
            "api": "FindResourceExW",
            "status": true,
            "return": "0x2924e1b1d28",
            "arguments": [
              {
                "name": "Module",
                "value": "0x7ff6c28b0000"
              },
              {
                "name": "Type",
                "value": "#6"
              },
              {
                "name": "Name",
                "value": "#2154"
              },
              {
                "name": "Language",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 18726
          },
          {
            "timestamp": "2026-05-28 22:01:59,865",
            "thread_id": "1496",
            "caller": "0x7ff6c295e7e5",
            "parentcaller": "0x7ff6c2926bd1",
            "category": "misc",
            "api": "LoadResource",
            "status": true,
            "return": "0x2924e1bb010",
            "arguments": [
              {
                "name": "Module",
                "value": "0x7ff6c28b0000"
              },
              {
                "name": "ResourceInfo",
                "value": "0x2924e1b1d28"
              }
            ],
            "repeated": 0,
            "id": 18727
          },
          {
            "timestamp": "2026-05-28 22:01:59,865",
            "thread_id": "1496",
            "caller": "0x7ff6c295e7e5",
            "parentcaller": "0x7ff6c2926bd1",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254fc1000"
              },
              {
                "name": "RegionSize",
                "value": "0x00040000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 18728
          },
          {
            "timestamp": "2026-05-28 22:01:59,865",
            "thread_id": "1496",
            "caller": "0x7ff6c295e9db",
            "parentcaller": "0x7ff6c2926bd1",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00000042"
              },
              {
                "name": "uiParam",
                "value": "0x00000010"
              }
            ],
            "repeated": 0,
            "id": 18729
          },
          {
            "timestamp": "2026-05-28 22:01:59,865",
            "thread_id": "1496",
            "caller": "0x7ff6c2963413",
            "parentcaller": "0x7ff6c29270c6",
            "category": "misc",
            "api": "FindResourceExW",
            "status": true,
            "return": "0x2924e1b1c68",
            "arguments": [
              {
                "name": "Module",
                "value": "0x7ff6c28b0000"
              },
              {
                "name": "Type",
                "value": "#6"
              },
              {
                "name": "Name",
                "value": "#2117"
              },
              {
                "name": "Language",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 18730
          },
          {
            "timestamp": "2026-05-28 22:01:59,865",
            "thread_id": "1496",
            "caller": "0x7ff6c2963413",
            "parentcaller": "0x7ff6c29270c6",
            "category": "misc",
            "api": "LoadResource",
            "status": true,
            "return": "0x2924e1ba6a8",
            "arguments": [
              {
                "name": "Module",
                "value": "0x7ff6c28b0000"
              },
              {
                "name": "ResourceInfo",
                "value": "0x2924e1b1c68"
              }
            ],
            "repeated": 0,
            "id": 18731
          },
          {
            "timestamp": "2026-05-28 22:01:59,865",
            "thread_id": "1496",
            "caller": "0x7ff6c2963413",
            "parentcaller": "0x7ff6c29270c6",
            "category": "misc",
            "api": "FindResourceExW",
            "status": false,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Module",
                "value": "0x7ff6c28b0000"
              },
              {
                "name": "Type",
                "value": "#2"
              },
              {
                "name": "Name",
                "value": "#31220"
              },
              {
                "name": "Language",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 18732
          },
          {
            "timestamp": "2026-05-28 22:01:59,865",
            "thread_id": "1496",
            "caller": "0x7ff6c2963413",
            "parentcaller": "0x7ff6c29270c6",
            "category": "misc",
            "api": "FindResourceExW",
            "status": false,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Module",
                "value": "0x7ff6c28b0000"
              },
              {
                "name": "Type",
                "value": "IMAGE"
              },
              {
                "name": "Name",
                "value": "#31220"
              },
              {
                "name": "Language",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 18733
          },
          {
            "timestamp": "2026-05-28 22:01:59,865",
            "thread_id": "1496",
            "caller": "0x7ff6c2963413",
            "parentcaller": "0x7ff6c29270c6",
            "category": "misc",
            "api": "FindResourceExW",
            "status": false,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Module",
                "value": "0x7ff6c28b0000"
              },
              {
                "name": "Type",
                "value": "PNGFILE"
              },
              {
                "name": "Name",
                "value": "#31220"
              },
              {
                "name": "Language",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 18734
          },
          {
            "timestamp": "2026-05-28 22:01:59,865",
            "thread_id": "1496",
            "caller": "0x7ff6c2963413",
            "parentcaller": "0x7ff6c29270c6",
            "category": "misc",
            "api": "FindResourceExW",
            "status": true,
            "return": "0x29252ef18c8",
            "arguments": [
              {
                "name": "Module",
                "value": "0x7ff6c28b0000"
              },
              {
                "name": "Type",
                "value": "PNG"
              },
              {
                "name": "Name",
                "value": "#31220"
              },
              {
                "name": "Language",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 18735
          },
          {
            "timestamp": "2026-05-28 22:01:59,865",
            "thread_id": "1496",
            "caller": "0x7ff6c2963413",
            "parentcaller": "0x7ff6c29270c6",
            "category": "misc",
            "api": "LoadResource",
            "status": true,
            "return": "0x29252f46c80",
            "arguments": [
              {
                "name": "Module",
                "value": "0x7ff6c28b0000"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29252ef18c8"
              }
            ],
            "repeated": 0,
            "id": 18736
          },
          {
            "timestamp": "2026-05-28 22:01:59,865",
            "thread_id": "1496",
            "caller": "0x7ff6c2963413",
            "parentcaller": "0x7ff6c29270c6",
            "category": "misc",
            "api": "SizeofResource",
            "status": true,
            "return": "0x000000b3",
            "arguments": [
              {
                "name": "ModuleHandle",
                "value": "0x7ff6c28b0000"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29252ef18c8"
              }
            ],
            "repeated": 0,
            "id": 18737
          },
          {
            "timestamp": "2026-05-28 22:01:59,865",
            "thread_id": "1496",
            "caller": "0x7ff6c2963413",
            "parentcaller": "0x7ff6c29270c6",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29253ba4000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 18738
          },
          {
            "timestamp": "2026-05-28 22:01:59,865",
            "thread_id": "1496",
            "caller": "0x7ff6c2963413",
            "parentcaller": "0x7ff6c29270c6",
            "category": "misc",
            "api": "FindResourceExW",
            "status": true,
            "return": "0x2924e1b1d48",
            "arguments": [
              {
                "name": "Module",
                "value": "0x7ff6c28b0000"
              },
              {
                "name": "Type",
                "value": "#6"
              },
              {
                "name": "Name",
                "value": "#2156"
              },
              {
                "name": "Language",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 18739
          },
          {
            "timestamp": "2026-05-28 22:01:59,865",
            "thread_id": "1496",
            "caller": "0x7ff6c2963413",
            "parentcaller": "0x7ff6c29270c6",
            "category": "misc",
            "api": "LoadResource",
            "status": true,
            "return": "0x2924e1bb234",
            "arguments": [
              {
                "name": "Module",
                "value": "0x7ff6c28b0000"
              },
              {
                "name": "ResourceInfo",
                "value": "0x2924e1b1d48"
              }
            ],
            "repeated": 0,
            "id": 18740
          },
          {
            "timestamp": "2026-05-28 22:01:59,865",
            "thread_id": "1496",
            "caller": "0x7ff6c2963413",
            "parentcaller": "0x7ff6c29270c6",
            "category": "misc",
            "api": "FindResourceExW",
            "status": false,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Module",
                "value": "0x7ff6c28b0000"
              },
              {
                "name": "Type",
                "value": "#2"
              },
              {
                "name": "Name",
                "value": "#31216"
              },
              {
                "name": "Language",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 18741
          },
          {
            "timestamp": "2026-05-28 22:01:59,865",
            "thread_id": "1496",
            "caller": "0x7ff6c2963413",
            "parentcaller": "0x7ff6c29270c6",
            "category": "misc",
            "api": "FindResourceExW",
            "status": false,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Module",
                "value": "0x7ff6c28b0000"
              },
              {
                "name": "Type",
                "value": "IMAGE"
              },
              {
                "name": "Name",
                "value": "#31216"
              },
              {
                "name": "Language",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 18742
          },
          {
            "timestamp": "2026-05-28 22:01:59,865",
            "thread_id": "1496",
            "caller": "0x7ff6c2963413",
            "parentcaller": "0x7ff6c29270c6",
            "category": "misc",
            "api": "FindResourceExW",
            "status": false,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Module",
                "value": "0x7ff6c28b0000"
              },
              {
                "name": "Type",
                "value": "PNGFILE"
              },
              {
                "name": "Name",
                "value": "#31216"
              },
              {
                "name": "Language",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 18743
          },
          {
            "timestamp": "2026-05-28 22:01:59,865",
            "thread_id": "1496",
            "caller": "0x7ff6c2963413",
            "parentcaller": "0x7ff6c29270c6",
            "category": "misc",
            "api": "FindResourceExW",
            "status": true,
            "return": "0x29252ef18a8",
            "arguments": [
              {
                "name": "Module",
                "value": "0x7ff6c28b0000"
              },
              {
                "name": "Type",
                "value": "PNG"
              },
              {
                "name": "Name",
                "value": "#31216"
              },
              {
                "name": "Language",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 18744
          },
          {
            "timestamp": "2026-05-28 22:01:59,865",
            "thread_id": "1496",
            "caller": "0x7ff6c2963413",
            "parentcaller": "0x7ff6c29270c6",
            "category": "misc",
            "api": "LoadResource",
            "status": true,
            "return": "0x29252f46758",
            "arguments": [
              {
                "name": "Module",
                "value": "0x7ff6c28b0000"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29252ef18a8"
              }
            ],
            "repeated": 0,
            "id": 18745
          },
          {
            "timestamp": "2026-05-28 22:01:59,865",
            "thread_id": "1496",
            "caller": "0x7ff6c2963413",
            "parentcaller": "0x7ff6c29270c6",
            "category": "misc",
            "api": "SizeofResource",
            "status": true,
            "return": "0x000001ba",
            "arguments": [
              {
                "name": "ModuleHandle",
                "value": "0x7ff6c28b0000"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29252ef18a8"
              }
            ],
            "repeated": 0,
            "id": 18746
          },
          {
            "timestamp": "2026-05-28 22:01:59,865",
            "thread_id": "1496",
            "caller": "0x7ff6c2963413",
            "parentcaller": "0x7ff6c29270c6",
            "category": "misc",
            "api": "FindResourceExW",
            "status": true,
            "return": "0x2924e1b1d48",
            "arguments": [
              {
                "name": "Module",
                "value": "0x7ff6c28b0000"
              },
              {
                "name": "Type",
                "value": "#6"
              },
              {
                "name": "Name",
                "value": "#2156"
              },
              {
                "name": "Language",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 18747
          },
          {
            "timestamp": "2026-05-28 22:01:59,865",
            "thread_id": "1496",
            "caller": "0x7ff6c2963413",
            "parentcaller": "0x7ff6c29270c6",
            "category": "misc",
            "api": "LoadResource",
            "status": true,
            "return": "0x2924e1bb234",
            "arguments": [
              {
                "name": "Module",
                "value": "0x7ff6c28b0000"
              },
              {
                "name": "ResourceInfo",
                "value": "0x2924e1b1d48"
              }
            ],
            "repeated": 0,
            "id": 18748
          },
          {
            "timestamp": "2026-05-28 22:01:59,865",
            "thread_id": "1496",
            "caller": "0x7ff6c2963413",
            "parentcaller": "0x7ff6c29270c6",
            "category": "misc",
            "api": "FindResourceExW",
            "status": false,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Module",
                "value": "0x7ff6c28b0000"
              },
              {
                "name": "Type",
                "value": "#2"
              },
              {
                "name": "Name",
                "value": "#31221"
              },
              {
                "name": "Language",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 18749
          },
          {
            "timestamp": "2026-05-28 22:01:59,865",
            "thread_id": "1496",
            "caller": "0x7ff6c2963413",
            "parentcaller": "0x7ff6c29270c6",
            "category": "misc",
            "api": "FindResourceExW",
            "status": false,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Module",
                "value": "0x7ff6c28b0000"
              },
              {
                "name": "Type",
                "value": "IMAGE"
              },
              {
                "name": "Name",
                "value": "#31221"
              },
              {
                "name": "Language",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 18750
          },
          {
            "timestamp": "2026-05-28 22:01:59,865",
            "thread_id": "1496",
            "caller": "0x7ff6c2963413",
            "parentcaller": "0x7ff6c29270c6",
            "category": "misc",
            "api": "FindResourceExW",
            "status": false,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Module",
                "value": "0x7ff6c28b0000"
              },
              {
                "name": "Type",
                "value": "PNGFILE"
              },
              {
                "name": "Name",
                "value": "#31221"
              },
              {
                "name": "Language",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 18751
          },
          {
            "timestamp": "2026-05-28 22:01:59,865",
            "thread_id": "1496",
            "caller": "0x7ff6c2963413",
            "parentcaller": "0x7ff6c29270c6",
            "category": "misc",
            "api": "FindResourceExW",
            "status": true,
            "return": "0x29252ef18d8",
            "arguments": [
              {
                "name": "Module",
                "value": "0x7ff6c28b0000"
              },
              {
                "name": "Type",
                "value": "PNG"
              },
              {
                "name": "Name",
                "value": "#31221"
              },
              {
                "name": "Language",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 18752
          },
          {
            "timestamp": "2026-05-28 22:01:59,865",
            "thread_id": "1496",
            "caller": "0x7ff6c2963413",
            "parentcaller": "0x7ff6c29270c6",
            "category": "misc",
            "api": "LoadResource",
            "status": true,
            "return": "0x29252f46af0",
            "arguments": [
              {
                "name": "Module",
                "value": "0x7ff6c28b0000"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29252ef18d8"
              }
            ],
            "repeated": 0,
            "id": 18753
          },
          {
            "timestamp": "2026-05-28 22:01:59,865",
            "thread_id": "1496",
            "caller": "0x7ff6c2963413",
            "parentcaller": "0x7ff6c29270c6",
            "category": "misc",
            "api": "SizeofResource",
            "status": true,
            "return": "0x0000018f",
            "arguments": [
              {
                "name": "ModuleHandle",
                "value": "0x7ff6c28b0000"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29252ef18d8"
              }
            ],
            "repeated": 0,
            "id": 18754
          },
          {
            "timestamp": "2026-05-28 22:01:59,865",
            "thread_id": "1496",
            "caller": "0x7ff6c2963413",
            "parentcaller": "0x7ff6c29270c6",
            "category": "misc",
            "api": "FindResourceExW",
            "status": true,
            "return": "0x2924e1b1d48",
            "arguments": [
              {
                "name": "Module",
                "value": "0x7ff6c28b0000"
              },
              {
                "name": "Type",
                "value": "#6"
              },
              {
                "name": "Name",
                "value": "#2156"
              },
              {
                "name": "Language",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 18755
          },
          {
            "timestamp": "2026-05-28 22:01:59,865",
            "thread_id": "1496",
            "caller": "0x7ff6c2963413",
            "parentcaller": "0x7ff6c29270c6",
            "category": "misc",
            "api": "LoadResource",
            "status": true,
            "return": "0x2924e1bb234",
            "arguments": [
              {
                "name": "Module",
                "value": "0x7ff6c28b0000"
              },
              {
                "name": "ResourceInfo",
                "value": "0x2924e1b1d48"
              }
            ],
            "repeated": 0,
            "id": 18756
          },
          {
            "timestamp": "2026-05-28 22:01:59,865",
            "thread_id": "1496",
            "caller": "0x7ff6c2963413",
            "parentcaller": "0x7ff6c29270c6",
            "category": "misc",
            "api": "FindResourceExW",
            "status": true,
            "return": "0x2924e1b1d78",
            "arguments": [
              {
                "name": "Module",
                "value": "0x7ff6c28b0000"
              },
              {
                "name": "Type",
                "value": "#6"
              },
              {
                "name": "Name",
                "value": "#2161"
              },
              {
                "name": "Language",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 18757
          },
          {
            "timestamp": "2026-05-28 22:01:59,865",
            "thread_id": "1496",
            "caller": "0x7ff6c2963413",
            "parentcaller": "0x7ff6c29270c6",
            "category": "misc",
            "api": "LoadResource",
            "status": true,
            "return": "0x2924e1bb5d8",
            "arguments": [
              {
                "name": "Module",
                "value": "0x7ff6c28b0000"
              },
              {
                "name": "ResourceInfo",
                "value": "0x2924e1b1d78"
              }
            ],
            "repeated": 0,
            "id": 18758
          },
          {
            "timestamp": "2026-05-28 22:01:59,865",
            "thread_id": "1496",
            "caller": "0x7ff6c2963413",
            "parentcaller": "0x7ff6c29270c6",
            "category": "misc",
            "api": "FindResourceExW",
            "status": true,
            "return": "0x2924e1b1d78",
            "arguments": [
              {
                "name": "Module",
                "value": "0x7ff6c28b0000"
              },
              {
                "name": "Type",
                "value": "#6"
              },
              {
                "name": "Name",
                "value": "#2161"
              },
              {
                "name": "Language",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 18759
          },
          {
            "timestamp": "2026-05-28 22:01:59,865",
            "thread_id": "1496",
            "caller": "0x7ff6c2963413",
            "parentcaller": "0x7ff6c29270c6",
            "category": "misc",
            "api": "LoadResource",
            "status": true,
            "return": "0x2924e1bb5d8",
            "arguments": [
              {
                "name": "Module",
                "value": "0x7ff6c28b0000"
              },
              {
                "name": "ResourceInfo",
                "value": "0x2924e1b1d78"
              }
            ],
            "repeated": 0,
            "id": 18760
          },
          {
            "timestamp": "2026-05-28 22:01:59,865",
            "thread_id": "1496",
            "caller": "0x7ff6c2963413",
            "parentcaller": "0x7ff6c29270c6",
            "category": "misc",
            "api": "FindResourceExW",
            "status": true,
            "return": "0x2924e1b1d78",
            "arguments": [
              {
                "name": "Module",
                "value": "0x7ff6c28b0000"
              },
              {
                "name": "Type",
                "value": "#6"
              },
              {
                "name": "Name",
                "value": "#2161"
              },
              {
                "name": "Language",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 18761
          },
          {
            "timestamp": "2026-05-28 22:01:59,865",
            "thread_id": "1496",
            "caller": "0x7ff6c2963413",
            "parentcaller": "0x7ff6c29270c6",
            "category": "misc",
            "api": "LoadResource",
            "status": true,
            "return": "0x2924e1bb5d8",
            "arguments": [
              {
                "name": "Module",
                "value": "0x7ff6c28b0000"
              },
              {
                "name": "ResourceInfo",
                "value": "0x2924e1b1d78"
              }
            ],
            "repeated": 0,
            "id": 18762
          },
          {
            "timestamp": "2026-05-28 22:01:59,865",
            "thread_id": "1496",
            "caller": "0x7ff6c2963720",
            "parentcaller": "0x7ff6c29270c6",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00000042"
              },
              {
                "name": "uiParam",
                "value": "0x00000010"
              }
            ],
            "repeated": 0,
            "id": 18763
          },
          {
            "timestamp": "2026-05-28 22:01:59,865",
            "thread_id": "1496",
            "caller": "0x7ff6c292c3ac",
            "parentcaller": "0x7ff6c292d307",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29253ba5000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 18764
          },
          {
            "timestamp": "2026-05-28 22:01:59,865",
            "thread_id": "1496",
            "caller": "0x7ff6c2927220",
            "parentcaller": "0x7ff6c29283d4",
            "category": "misc",
            "api": "FindResourceExW",
            "status": true,
            "return": "0x2924e1b1ca8",
            "arguments": [
              {
                "name": "Module",
                "value": "0x7ff6c28b0000"
              },
              {
                "name": "Type",
                "value": "#6"
              },
              {
                "name": "Name",
                "value": "#2141"
              },
              {
                "name": "Language",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 18765
          },
          {
            "timestamp": "2026-05-28 22:01:59,865",
            "thread_id": "1496",
            "caller": "0x7ff6c2927220",
            "parentcaller": "0x7ff6c29283d4",
            "category": "misc",
            "api": "LoadResource",
            "status": true,
            "return": "0x2924e1ba7b4",
            "arguments": [
              {
                "name": "Module",
                "value": "0x7ff6c28b0000"
              },
              {
                "name": "ResourceInfo",
                "value": "0x2924e1b1ca8"
              }
            ],
            "repeated": 0,
            "id": 18766
          },
          {
            "timestamp": "2026-05-28 22:01:59,865",
            "thread_id": "1496",
            "caller": "0x7ff6c2927220",
            "parentcaller": "0x7ff6c29283d4",
            "category": "misc",
            "api": "FindResourceExW",
            "status": true,
            "return": "0x2924e1b1ca8",
            "arguments": [
              {
                "name": "Module",
                "value": "0x7ff6c28b0000"
              },
              {
                "name": "Type",
                "value": "#6"
              },
              {
                "name": "Name",
                "value": "#2141"
              },
              {
                "name": "Language",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 18767
          },
          {
            "timestamp": "2026-05-28 22:01:59,865",
            "thread_id": "1496",
            "caller": "0x7ff6c2927220",
            "parentcaller": "0x7ff6c29283d4",
            "category": "misc",
            "api": "LoadResource",
            "status": true,
            "return": "0x2924e1ba7b4",
            "arguments": [
              {
                "name": "Module",
                "value": "0x7ff6c28b0000"
              },
              {
                "name": "ResourceInfo",
                "value": "0x2924e1b1ca8"
              }
            ],
            "repeated": 0,
            "id": 18768
          },
          {
            "timestamp": "2026-05-28 22:01:59,865",
            "thread_id": "1496",
            "caller": "0x7ff6c2927220",
            "parentcaller": "0x7ff6c29283d4",
            "category": "misc",
            "api": "FindResourceExW",
            "status": true,
            "return": "0x2924e1b1cb8",
            "arguments": [
              {
                "name": "Module",
                "value": "0x7ff6c28b0000"
              },
              {
                "name": "Type",
                "value": "#6"
              },
              {
                "name": "Name",
                "value": "#2142"
              },
              {
                "name": "Language",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 18769
          },
          {
            "timestamp": "2026-05-28 22:01:59,865",
            "thread_id": "1496",
            "caller": "0x7ff6c2927220",
            "parentcaller": "0x7ff6c29283d4",
            "category": "misc",
            "api": "LoadResource",
            "status": true,
            "return": "0x2924e1ba870",
            "arguments": [
              {
                "name": "Module",
                "value": "0x7ff6c28b0000"
              },
              {
                "name": "ResourceInfo",
                "value": "0x2924e1b1cb8"
              }
            ],
            "repeated": 0,
            "id": 18770
          },
          {
            "timestamp": "2026-05-28 22:01:59,865",
            "thread_id": "1496",
            "caller": "0x7ff6c2927220",
            "parentcaller": "0x7ff6c29283d4",
            "category": "misc",
            "api": "FindResourceExW",
            "status": true,
            "return": "0x2924e1b1ca8",
            "arguments": [
              {
                "name": "Module",
                "value": "0x7ff6c28b0000"
              },
              {
                "name": "Type",
                "value": "#6"
              },
              {
                "name": "Name",
                "value": "#2141"
              },
              {
                "name": "Language",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 18771
          },
          {
            "timestamp": "2026-05-28 22:01:59,865",
            "thread_id": "1496",
            "caller": "0x7ff6c2927220",
            "parentcaller": "0x7ff6c29283d4",
            "category": "misc",
            "api": "LoadResource",
            "status": true,
            "return": "0x2924e1ba7b4",
            "arguments": [
              {
                "name": "Module",
                "value": "0x7ff6c28b0000"
              },
              {
                "name": "ResourceInfo",
                "value": "0x2924e1b1ca8"
              }
            ],
            "repeated": 0,
            "id": 18772
          },
          {
            "timestamp": "2026-05-28 22:01:59,865",
            "thread_id": "1496",
            "caller": "0x7ff6c2927220",
            "parentcaller": "0x7ff6c29283d4",
            "category": "misc",
            "api": "FindResourceExW",
            "status": true,
            "return": "0x2924e1b1ca8",
            "arguments": [
              {
                "name": "Module",
                "value": "0x7ff6c28b0000"
              },
              {
                "name": "Type",
                "value": "#6"
              },
              {
                "name": "Name",
                "value": "#2141"
              },
              {
                "name": "Language",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 18773
          },
          {
            "timestamp": "2026-05-28 22:01:59,865",
            "thread_id": "1496",
            "caller": "0x7ff6c2927220",
            "parentcaller": "0x7ff6c29283d4",
            "category": "misc",
            "api": "LoadResource",
            "status": true,
            "return": "0x2924e1ba7b4",
            "arguments": [
              {
                "name": "Module",
                "value": "0x7ff6c28b0000"
              },
              {
                "name": "ResourceInfo",
                "value": "0x2924e1b1ca8"
              }
            ],
            "repeated": 0,
            "id": 18774
          },
          {
            "timestamp": "2026-05-28 22:01:59,865",
            "thread_id": "1496",
            "caller": "0x7ff6c2927220",
            "parentcaller": "0x7ff6c29283d4",
            "category": "misc",
            "api": "FindResourceExW",
            "status": true,
            "return": "0x2924e1b1ca8",
            "arguments": [
              {
                "name": "Module",
                "value": "0x7ff6c28b0000"
              },
              {
                "name": "Type",
                "value": "#6"
              },
              {
                "name": "Name",
                "value": "#2141"
              },
              {
                "name": "Language",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 18775
          },
          {
            "timestamp": "2026-05-28 22:01:59,865",
            "thread_id": "1496",
            "caller": "0x7ff6c2927220",
            "parentcaller": "0x7ff6c29283d4",
            "category": "misc",
            "api": "LoadResource",
            "status": true,
            "return": "0x2924e1ba7b4",
            "arguments": [
              {
                "name": "Module",
                "value": "0x7ff6c28b0000"
              },
              {
                "name": "ResourceInfo",
                "value": "0x2924e1b1ca8"
              }
            ],
            "repeated": 0,
            "id": 18776
          },
          {
            "timestamp": "2026-05-28 22:01:59,865",
            "thread_id": "1496",
            "caller": "0x7ff6c2927220",
            "parentcaller": "0x7ff6c29283d4",
            "category": "misc",
            "api": "FindResourceExW",
            "status": true,
            "return": "0x2924e1b1cb8",
            "arguments": [
              {
                "name": "Module",
                "value": "0x7ff6c28b0000"
              },
              {
                "name": "Type",
                "value": "#6"
              },
              {
                "name": "Name",
                "value": "#2142"
              },
              {
                "name": "Language",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 18777
          },
          {
            "timestamp": "2026-05-28 22:01:59,865",
            "thread_id": "1496",
            "caller": "0x7ff6c2927220",
            "parentcaller": "0x7ff6c29283d4",
            "category": "misc",
            "api": "LoadResource",
            "status": true,
            "return": "0x2924e1ba870",
            "arguments": [
              {
                "name": "Module",
                "value": "0x7ff6c28b0000"
              },
              {
                "name": "ResourceInfo",
                "value": "0x2924e1b1cb8"
              }
            ],
            "repeated": 0,
            "id": 18778
          },
          {
            "timestamp": "2026-05-28 22:01:59,865",
            "thread_id": "1496",
            "caller": "0x7ff6c2927220",
            "parentcaller": "0x7ff6c29283d4",
            "category": "misc",
            "api": "FindResourceExW",
            "status": true,
            "return": "0x2924e1b1cb8",
            "arguments": [
              {
                "name": "Module",
                "value": "0x7ff6c28b0000"
              },
              {
                "name": "Type",
                "value": "#6"
              },
              {
                "name": "Name",
                "value": "#2142"
              },
              {
                "name": "Language",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 18779
          },
          {
            "timestamp": "2026-05-28 22:01:59,865",
            "thread_id": "1496",
            "caller": "0x7ff6c2927220",
            "parentcaller": "0x7ff6c29283d4",
            "category": "misc",
            "api": "LoadResource",
            "status": true,
            "return": "0x2924e1ba870",
            "arguments": [
              {
                "name": "Module",
                "value": "0x7ff6c28b0000"
              },
              {
                "name": "ResourceInfo",
                "value": "0x2924e1b1cb8"
              }
            ],
            "repeated": 0,
            "id": 18780
          },
          {
            "timestamp": "2026-05-28 22:01:59,865",
            "thread_id": "1496",
            "caller": "0x7ff6c2927220",
            "parentcaller": "0x7ff6c29283d4",
            "category": "misc",
            "api": "FindResourceExW",
            "status": true,
            "return": "0x2924e1b1cb8",
            "arguments": [
              {
                "name": "Module",
                "value": "0x7ff6c28b0000"
              },
              {
                "name": "Type",
                "value": "#6"
              },
              {
                "name": "Name",
                "value": "#2142"
              },
              {
                "name": "Language",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 18781
          },
          {
            "timestamp": "2026-05-28 22:01:59,865",
            "thread_id": "1496",
            "caller": "0x7ff6c2927220",
            "parentcaller": "0x7ff6c29283d4",
            "category": "misc",
            "api": "LoadResource",
            "status": true,
            "return": "0x2924e1ba870",
            "arguments": [
              {
                "name": "Module",
                "value": "0x7ff6c28b0000"
              },
              {
                "name": "ResourceInfo",
                "value": "0x2924e1b1cb8"
              }
            ],
            "repeated": 0,
            "id": 18782
          },
          {
            "timestamp": "2026-05-28 22:01:59,865",
            "thread_id": "1496",
            "caller": "0x7ff6c2927220",
            "parentcaller": "0x7ff6c29283d4",
            "category": "misc",
            "api": "FindResourceExW",
            "status": true,
            "return": "0x2924e1b1cb8",
            "arguments": [
              {
                "name": "Module",
                "value": "0x7ff6c28b0000"
              },
              {
                "name": "Type",
                "value": "#6"
              },
              {
                "name": "Name",
                "value": "#2142"
              },
              {
                "name": "Language",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 18783
          },
          {
            "timestamp": "2026-05-28 22:01:59,865",
            "thread_id": "1496",
            "caller": "0x7ff6c2927220",
            "parentcaller": "0x7ff6c29283d4",
            "category": "misc",
            "api": "LoadResource",
            "status": true,
            "return": "0x2924e1ba870",
            "arguments": [
              {
                "name": "Module",
                "value": "0x7ff6c28b0000"
              },
              {
                "name": "ResourceInfo",
                "value": "0x2924e1b1cb8"
              }
            ],
            "repeated": 0,
            "id": 18784
          },
          {
            "timestamp": "2026-05-28 22:01:59,865",
            "thread_id": "1496",
            "caller": "0x7ff6c2927220",
            "parentcaller": "0x7ff6c29283d4",
            "category": "misc",
            "api": "FindResourceExW",
            "status": true,
            "return": "0x2924e1b1cb8",
            "arguments": [
              {
                "name": "Module",
                "value": "0x7ff6c28b0000"
              },
              {
                "name": "Type",
                "value": "#6"
              },
              {
                "name": "Name",
                "value": "#2142"
              },
              {
                "name": "Language",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 18785
          },
          {
            "timestamp": "2026-05-28 22:01:59,865",
            "thread_id": "1496",
            "caller": "0x7ff6c2927220",
            "parentcaller": "0x7ff6c29283d4",
            "category": "misc",
            "api": "LoadResource",
            "status": true,
            "return": "0x2924e1ba870",
            "arguments": [
              {
                "name": "Module",
                "value": "0x7ff6c28b0000"
              },
              {
                "name": "ResourceInfo",
                "value": "0x2924e1b1cb8"
              }
            ],
            "repeated": 0,
            "id": 18786
          },
          {
            "timestamp": "2026-05-28 22:01:59,865",
            "thread_id": "1496",
            "caller": "0x7ff6c2927220",
            "parentcaller": "0x7ff6c29283d4",
            "category": "misc",
            "api": "FindResourceExW",
            "status": true,
            "return": "0x2924e1b1cb8",
            "arguments": [
              {
                "name": "Module",
                "value": "0x7ff6c28b0000"
              },
              {
                "name": "Type",
                "value": "#6"
              },
              {
                "name": "Name",
                "value": "#2142"
              },
              {
                "name": "Language",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 18787
          },
          {
            "timestamp": "2026-05-28 22:01:59,865",
            "thread_id": "1496",
            "caller": "0x7ff6c2927220",
            "parentcaller": "0x7ff6c29283d4",
            "category": "misc",
            "api": "LoadResource",
            "status": true,
            "return": "0x2924e1ba870",
            "arguments": [
              {
                "name": "Module",
                "value": "0x7ff6c28b0000"
              },
              {
                "name": "ResourceInfo",
                "value": "0x2924e1b1cb8"
              }
            ],
            "repeated": 0,
            "id": 18788
          },
          {
            "timestamp": "2026-05-28 22:01:59,865",
            "thread_id": "1496",
            "caller": "0x7ff6c2927301",
            "parentcaller": "0x7ff6c29283d4",
            "category": "misc",
            "api": "FindResourceExW",
            "status": true,
            "return": "0x2924e1b1d48",
            "arguments": [
              {
                "name": "Module",
                "value": "0x7ff6c28b0000"
              },
              {
                "name": "Type",
                "value": "#6"
              },
              {
                "name": "Name",
                "value": "#2156"
              },
              {
                "name": "Language",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 18789
          },
          {
            "timestamp": "2026-05-28 22:01:59,865",
            "thread_id": "1496",
            "caller": "0x7ff6c2927301",
            "parentcaller": "0x7ff6c29283d4",
            "category": "misc",
            "api": "LoadResource",
            "status": true,
            "return": "0x2924e1bb234",
            "arguments": [
              {
                "name": "Module",
                "value": "0x7ff6c28b0000"
              },
              {
                "name": "ResourceInfo",
                "value": "0x2924e1b1d48"
              }
            ],
            "repeated": 0,
            "id": 18790
          },
          {
            "timestamp": "2026-05-28 22:01:59,865",
            "thread_id": "1496",
            "caller": "0x7ff6c2927301",
            "parentcaller": "0x7ff6c29283d4",
            "category": "misc",
            "api": "FindResourceExW",
            "status": true,
            "return": "0x2924e1b1cc8",
            "arguments": [
              {
                "name": "Module",
                "value": "0x7ff6c28b0000"
              },
              {
                "name": "Type",
                "value": "#6"
              },
              {
                "name": "Name",
                "value": "#2143"
              },
              {
                "name": "Language",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 18791
          },
          {
            "timestamp": "2026-05-28 22:01:59,865",
            "thread_id": "1496",
            "caller": "0x7ff6c2927301",
            "parentcaller": "0x7ff6c29283d4",
            "category": "misc",
            "api": "LoadResource",
            "status": true,
            "return": "0x2924e1ba98c",
            "arguments": [
              {
                "name": "Module",
                "value": "0x7ff6c28b0000"
              },
              {
                "name": "ResourceInfo",
                "value": "0x2924e1b1cc8"
              }
            ],
            "repeated": 0,
            "id": 18792
          },
          {
            "timestamp": "2026-05-28 22:01:59,865",
            "thread_id": "1496",
            "caller": "0x7ff6c2927301",
            "parentcaller": "0x7ff6c29283d4",
            "category": "misc",
            "api": "FindResourceExW",
            "status": true,
            "return": "0x2924e1b1c48",
            "arguments": [
              {
                "name": "Module",
                "value": "0x7ff6c28b0000"
              },
              {
                "name": "Type",
                "value": "#6"
              },
              {
                "name": "Name",
                "value": "#2115"
              },
              {
                "name": "Language",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 18793
          },
          {
            "timestamp": "2026-05-28 22:01:59,865",
            "thread_id": "1496",
            "caller": "0x7ff6c2927301",
            "parentcaller": "0x7ff6c29283d4",
            "category": "misc",
            "api": "LoadResource",
            "status": true,
            "return": "0x2924e1ba5bc",
            "arguments": [
              {
                "name": "Module",
                "value": "0x7ff6c28b0000"
              },
              {
                "name": "ResourceInfo",
                "value": "0x2924e1b1c48"
              }
            ],
            "repeated": 0,
            "id": 18794
          },
          {
            "timestamp": "2026-05-28 22:01:59,865",
            "thread_id": "1496",
            "caller": "0x7ff6c2927301",
            "parentcaller": "0x7ff6c29283d4",
            "category": "misc",
            "api": "FindResourceExW",
            "status": true,
            "return": "0x2924e1b1d88",
            "arguments": [
              {
                "name": "Module",
                "value": "0x7ff6c28b0000"
              },
              {
                "name": "Type",
                "value": "#6"
              },
              {
                "name": "Name",
                "value": "#2166"
              },
              {
                "name": "Language",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 18795
          },
          {
            "timestamp": "2026-05-28 22:01:59,865",
            "thread_id": "1496",
            "caller": "0x7ff6c2927301",
            "parentcaller": "0x7ff6c29283d4",
            "category": "misc",
            "api": "LoadResource",
            "status": true,
            "return": "0x2924e1bb6a4",
            "arguments": [
              {
                "name": "Module",
                "value": "0x7ff6c28b0000"
              },
              {
                "name": "ResourceInfo",
                "value": "0x2924e1b1d88"
              }
            ],
            "repeated": 0,
            "id": 18796
          },
          {
            "timestamp": "2026-05-28 22:01:59,865",
            "thread_id": "1496",
            "caller": "0x7ff6c2927301",
            "parentcaller": "0x7ff6c29283d4",
            "category": "misc",
            "api": "FindResourceExW",
            "status": true,
            "return": "0x2924e1b1c48",
            "arguments": [
              {
                "name": "Module",
                "value": "0x7ff6c28b0000"
              },
              {
                "name": "Type",
                "value": "#6"
              },
              {
                "name": "Name",
                "value": "#2115"
              },
              {
                "name": "Language",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 18797
          },
          {
            "timestamp": "2026-05-28 22:01:59,865",
            "thread_id": "1496",
            "caller": "0x7ff6c2927301",
            "parentcaller": "0x7ff6c29283d4",
            "category": "misc",
            "api": "LoadResource",
            "status": true,
            "return": "0x2924e1ba5bc",
            "arguments": [
              {
                "name": "Module",
                "value": "0x7ff6c28b0000"
              },
              {
                "name": "ResourceInfo",
                "value": "0x2924e1b1c48"
              }
            ],
            "repeated": 0,
            "id": 18798
          },
          {
            "timestamp": "2026-05-28 22:01:59,865",
            "thread_id": "1496",
            "caller": "0x7ff6c2927301",
            "parentcaller": "0x7ff6c29283d4",
            "category": "misc",
            "api": "FindResourceExW",
            "status": true,
            "return": "0x2924e1b1d48",
            "arguments": [
              {
                "name": "Module",
                "value": "0x7ff6c28b0000"
              },
              {
                "name": "Type",
                "value": "#6"
              },
              {
                "name": "Name",
                "value": "#2156"
              },
              {
                "name": "Language",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 18799
          },
          {
            "timestamp": "2026-05-28 22:01:59,865",
            "thread_id": "1496",
            "caller": "0x7ff6c2927301",
            "parentcaller": "0x7ff6c29283d4",
            "category": "misc",
            "api": "LoadResource",
            "status": true,
            "return": "0x2924e1bb234",
            "arguments": [
              {
                "name": "Module",
                "value": "0x7ff6c28b0000"
              },
              {
                "name": "ResourceInfo",
                "value": "0x2924e1b1d48"
              }
            ],
            "repeated": 0,
            "id": 18800
          },
          {
            "timestamp": "2026-05-28 22:01:59,865",
            "thread_id": "1496",
            "caller": "0x7ff6c2927301",
            "parentcaller": "0x7ff6c29283d4",
            "category": "misc",
            "api": "FindResourceExW",
            "status": true,
            "return": "0x2924e1b1cc8",
            "arguments": [
              {
                "name": "Module",
                "value": "0x7ff6c28b0000"
              },
              {
                "name": "Type",
                "value": "#6"
              },
              {
                "name": "Name",
                "value": "#2143"
              },
              {
                "name": "Language",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 18801
          },
          {
            "timestamp": "2026-05-28 22:01:59,865",
            "thread_id": "1496",
            "caller": "0x7ff6c2927301",
            "parentcaller": "0x7ff6c29283d4",
            "category": "misc",
            "api": "LoadResource",
            "status": true,
            "return": "0x2924e1ba98c",
            "arguments": [
              {
                "name": "Module",
                "value": "0x7ff6c28b0000"
              },
              {
                "name": "ResourceInfo",
                "value": "0x2924e1b1cc8"
              }
            ],
            "repeated": 0,
            "id": 18802
          },
          {
            "timestamp": "2026-05-28 22:01:59,865",
            "thread_id": "1496",
            "caller": "0x7ff6c2927301",
            "parentcaller": "0x7ff6c29283d4",
            "category": "misc",
            "api": "FindResourceExW",
            "status": true,
            "return": "0x2924e1b1d48",
            "arguments": [
              {
                "name": "Module",
                "value": "0x7ff6c28b0000"
              },
              {
                "name": "Type",
                "value": "#6"
              },
              {
                "name": "Name",
                "value": "#2156"
              },
              {
                "name": "Language",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 18803
          },
          {
            "timestamp": "2026-05-28 22:01:59,865",
            "thread_id": "1496",
            "caller": "0x7ff6c2927301",
            "parentcaller": "0x7ff6c29283d4",
            "category": "misc",
            "api": "LoadResource",
            "status": true,
            "return": "0x2924e1bb234",
            "arguments": [
              {
                "name": "Module",
                "value": "0x7ff6c28b0000"
              },
              {
                "name": "ResourceInfo",
                "value": "0x2924e1b1d48"
              }
            ],
            "repeated": 0,
            "id": 18804
          },
          {
            "timestamp": "2026-05-28 22:01:59,865",
            "thread_id": "1496",
            "caller": "0x7ff6c28b4ea1",
            "parentcaller": "0x7ff6c292c5f7",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29255923000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 18805
          },
          {
            "timestamp": "2026-05-28 22:01:59,865",
            "thread_id": "1496",
            "caller": "0x7ff6c28b4ea1",
            "parentcaller": "0x7ff6c292c5f7",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29255924000"
              },
              {
                "name": "RegionSize",
                "value": "0x00002000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 18806
          },
          {
            "timestamp": "2026-05-28 22:01:59,865",
            "thread_id": "1496",
            "caller": "0x7ff6c28b4ea1",
            "parentcaller": "0x7ff6c292c5f7",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000a84"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000009",
                "pretty_value": "KEY_QUERY_VALUE|KEY_ENUMERATE_SUB_KEYS"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\SYSTEM\\CurrentControlSet\\Control\\Session Manager"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Session Manager"
              }
            ],
            "repeated": 0,
            "id": 18807
          },
          {
            "timestamp": "2026-05-28 22:01:59,865",
            "thread_id": "1496",
            "caller": "0x7ff6c28b4ea1",
            "parentcaller": "0x7ff6c292c5f7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a84"
              }
            ],
            "repeated": 0,
            "id": 18808
          },
          {
            "timestamp": "2026-05-28 22:01:59,865",
            "thread_id": "1496",
            "caller": "0x7ff6c28b4ea1",
            "parentcaller": "0x7ff6c292c5f7",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29255760000"
              },
              {
                "name": "RegionSize",
                "value": "0x0000d000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 18809
          },
          {
            "timestamp": "2026-05-28 22:01:59,865",
            "thread_id": "1496",
            "caller": "0x7ff6c28b4ea1",
            "parentcaller": "0x7ff6c292c5f7",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29255760000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 18810
          },
          {
            "timestamp": "2026-05-28 22:01:59,865",
            "thread_id": "1496",
            "caller": "0x7ff6c28b4ea1",
            "parentcaller": "0x7ff6c292c5f7",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29253ba6000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 18811
          },
          {
            "timestamp": "2026-05-28 22:01:59,865",
            "thread_id": "1496",
            "caller": "0x7ff6c2927324",
            "parentcaller": "0x7ff6c29283d4",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00000042"
              },
              {
                "name": "uiParam",
                "value": "0x00000010"
              }
            ],
            "repeated": 0,
            "id": 18812
          },
          {
            "timestamp": "2026-05-28 22:01:59,865",
            "thread_id": "1496",
            "caller": "0x7ff6c2927324",
            "parentcaller": "0x7ff6c29283d4",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254e7f000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 18813
          },
          {
            "timestamp": "2026-05-28 22:01:59,865",
            "thread_id": "1496",
            "caller": "0x7ff6c2927324",
            "parentcaller": "0x7ff6c29283d4",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00000042"
              },
              {
                "name": "uiParam",
                "value": "0x00000010"
              }
            ],
            "repeated": 3,
            "id": 18814
          },
          {
            "timestamp": "2026-05-28 22:01:59,865",
            "thread_id": "1496",
            "caller": "0x7ff6c29273ee",
            "parentcaller": "0x7ff6c29283d4",
            "category": "misc",
            "api": "FindResourceExW",
            "status": true,
            "return": "0x2924e1b1cc8",
            "arguments": [
              {
                "name": "Module",
                "value": "0x7ff6c28b0000"
              },
              {
                "name": "Type",
                "value": "#6"
              },
              {
                "name": "Name",
                "value": "#2143"
              },
              {
                "name": "Language",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 18815
          },
          {
            "timestamp": "2026-05-28 22:01:59,865",
            "thread_id": "1496",
            "caller": "0x7ff6c29273ee",
            "parentcaller": "0x7ff6c29283d4",
            "category": "misc",
            "api": "LoadResource",
            "status": true,
            "return": "0x2924e1ba98c",
            "arguments": [
              {
                "name": "Module",
                "value": "0x7ff6c28b0000"
              },
              {
                "name": "ResourceInfo",
                "value": "0x2924e1b1cc8"
              }
            ],
            "repeated": 0,
            "id": 18816
          },
          {
            "timestamp": "2026-05-28 22:01:59,865",
            "thread_id": "1496",
            "caller": "0x7ff6c29273ee",
            "parentcaller": "0x7ff6c29283d4",
            "category": "misc",
            "api": "FindResourceExW",
            "status": true,
            "return": "0x2924e1b1cc8",
            "arguments": [
              {
                "name": "Module",
                "value": "0x7ff6c28b0000"
              },
              {
                "name": "Type",
                "value": "#6"
              },
              {
                "name": "Name",
                "value": "#2143"
              },
              {
                "name": "Language",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 18817
          },
          {
            "timestamp": "2026-05-28 22:01:59,865",
            "thread_id": "1496",
            "caller": "0x7ff6c29273ee",
            "parentcaller": "0x7ff6c29283d4",
            "category": "misc",
            "api": "LoadResource",
            "status": true,
            "return": "0x2924e1ba98c",
            "arguments": [
              {
                "name": "Module",
                "value": "0x7ff6c28b0000"
              },
              {
                "name": "ResourceInfo",
                "value": "0x2924e1b1cc8"
              }
            ],
            "repeated": 0,
            "id": 18818
          },
          {
            "timestamp": "2026-05-28 22:01:59,865",
            "thread_id": "1496",
            "caller": "0x7ff6c29273ee",
            "parentcaller": "0x7ff6c29283d4",
            "category": "misc",
            "api": "FindResourceExW",
            "status": true,
            "return": "0x2924e1b1cc8",
            "arguments": [
              {
                "name": "Module",
                "value": "0x7ff6c28b0000"
              },
              {
                "name": "Type",
                "value": "#6"
              },
              {
                "name": "Name",
                "value": "#2143"
              },
              {
                "name": "Language",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 18819
          },
          {
            "timestamp": "2026-05-28 22:01:59,865",
            "thread_id": "1496",
            "caller": "0x7ff6c29273ee",
            "parentcaller": "0x7ff6c29283d4",
            "category": "misc",
            "api": "LoadResource",
            "status": true,
            "return": "0x2924e1ba98c",
            "arguments": [
              {
                "name": "Module",
                "value": "0x7ff6c28b0000"
              },
              {
                "name": "ResourceInfo",
                "value": "0x2924e1b1cc8"
              }
            ],
            "repeated": 0,
            "id": 18820
          },
          {
            "timestamp": "2026-05-28 22:01:59,865",
            "thread_id": "1496",
            "caller": "0x7ff6c29273ee",
            "parentcaller": "0x7ff6c29283d4",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254339000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 18821
          },
          {
            "timestamp": "2026-05-28 22:01:59,865",
            "thread_id": "1496",
            "caller": "0x7ff6c29273ee",
            "parentcaller": "0x7ff6c29283d4",
            "category": "misc",
            "api": "FindResourceExW",
            "status": true,
            "return": "0x2924e1b1cc8",
            "arguments": [
              {
                "name": "Module",
                "value": "0x7ff6c28b0000"
              },
              {
                "name": "Type",
                "value": "#6"
              },
              {
                "name": "Name",
                "value": "#2143"
              },
              {
                "name": "Language",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 18822
          },
          {
            "timestamp": "2026-05-28 22:01:59,865",
            "thread_id": "1496",
            "caller": "0x7ff6c29273ee",
            "parentcaller": "0x7ff6c29283d4",
            "category": "misc",
            "api": "LoadResource",
            "status": true,
            "return": "0x2924e1ba98c",
            "arguments": [
              {
                "name": "Module",
                "value": "0x7ff6c28b0000"
              },
              {
                "name": "ResourceInfo",
                "value": "0x2924e1b1cc8"
              }
            ],
            "repeated": 0,
            "id": 18823
          },
          {
            "timestamp": "2026-05-28 22:01:59,865",
            "thread_id": "1496",
            "caller": "0x7ff6c29562a3",
            "parentcaller": "0x7ff6c2955fbd",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 18824
          },
          {
            "timestamp": "2026-05-28 22:01:59,865",
            "thread_id": "1496",
            "caller": "0x7ff6c29562a3",
            "parentcaller": "0x7ff6c2955fbd",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000000d4"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 18825
          },
          {
            "timestamp": "2026-05-28 22:01:59,865",
            "thread_id": "1496",
            "caller": "0x7ff6c29562a3",
            "parentcaller": "0x7ff6c2955fbd",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000a84"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000000d4"
              },
              {
                "name": "ObjectAttributesName",
                "value": "HARDWARE\\DESCRIPTION\\System\\CentralProcessor\\0"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\HARDWARE\\DESCRIPTION\\System\\CentralProcessor\\0"
              }
            ],
            "repeated": 0,
            "id": 18826
          },
          {
            "timestamp": "2026-05-28 22:01:59,865",
            "thread_id": "1496",
            "caller": "0x7ff6c29562a3",
            "parentcaller": "0x7ff6c2955fbd",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a84"
              },
              {
                "name": "ValueName",
                "value": "ProcessorNameString"
              },
              {
                "name": "Data",
                "value": "Intel Core Processor (Skylake, IBRS)"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\HARDWARE\\DESCRIPTION\\System\\CentralProcessor\\0\\ProcessorNameString"
              }
            ],
            "repeated": 0,
            "id": 18827
          },
          {
            "timestamp": "2026-05-28 22:01:59,865",
            "thread_id": "1496",
            "caller": "0x7ff6c29562a3",
            "parentcaller": "0x7ff6c2955fbd",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a84"
              }
            ],
            "repeated": 0,
            "id": 18828
          },
          {
            "timestamp": "2026-05-28 22:01:59,865",
            "thread_id": "1496",
            "caller": "0x7ff6c292d69c",
            "parentcaller": "0x7ff6c2956aa7",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254aae000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 18829
          },
          {
            "timestamp": "2026-05-28 22:01:59,865",
            "thread_id": "1496",
            "caller": "0x7ff6c292c339",
            "parentcaller": "0x7ff6c292d29c",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29253ba7000"
              },
              {
                "name": "RegionSize",
                "value": "0x00002000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 18830
          },
          {
            "timestamp": "2026-05-28 22:01:59,865",
            "thread_id": "1496",
            "caller": "0x7ff6c2928aff",
            "parentcaller": "0x7ff6c29277c4",
            "category": "windows",
            "api": "PostMessageW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "WindowHandle",
                "value": "0x000203fa"
              },
              {
                "name": "Message",
                "value": "0x000004e1"
              }
            ],
            "repeated": 0,
            "id": 18831
          },
          {
            "timestamp": "2026-05-28 22:01:59,865",
            "thread_id": "1496",
            "caller": "0x7ff6c28f5c6a",
            "parentcaller": "0x7ff6c28d341d",
            "category": "synchronization",
            "api": "NtOpenEvent",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "Handle",
                "value": "0xf09d76df50"
              },
              {
                "name": "EventName",
                "value": "Local\\1ImmersiveFocusTrackingActiveEvent"
              }
            ],
            "repeated": 0,
            "id": 18832
          },
          {
            "timestamp": "2026-05-28 22:01:59,865",
            "thread_id": "1496",
            "caller": "0x7ff6c28f5c6a",
            "parentcaller": "0x7ff6c28d341d",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 2,
            "id": 18833
          },
          {
            "timestamp": "2026-05-28 22:01:59,865",
            "thread_id": "1496",
            "caller": "0x7ff6c28f5c6a",
            "parentcaller": "0x7ff6c28d341d",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x0000104e"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 18834
          },
          {
            "timestamp": "2026-05-28 22:01:59,865",
            "thread_id": "1496",
            "caller": "0x7ff6c2958576",
            "parentcaller": "0x7ff6c2957a42",
            "category": "misc",
            "api": "NtQuerySystemInformation",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SystemInformationClass",
                "value": "3",
                "pretty_value": "FILE_OPEN_IF"
              }
            ],
            "repeated": 0,
            "id": 18835
          },
          {
            "timestamp": "2026-05-28 22:01:59,865",
            "thread_id": "1496",
            "caller": "0x7ff6c292dc59",
            "parentcaller": "0x7ff6c292ca58",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc63c41000"
              },
              {
                "name": "ModuleName",
                "value": "CHARTV.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 18836
          },
          {
            "timestamp": "2026-05-28 22:01:59,865",
            "thread_id": "1496",
            "caller": "0x7ff6c292dc59",
            "parentcaller": "0x7ff6c292ca58",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc63c41000"
              },
              {
                "name": "ModuleName",
                "value": "CHARTV.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 18837
          },
          {
            "timestamp": "2026-05-28 22:01:59,881",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6f98",
            "parentcaller": "0x7ff6c28e0076",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00000042"
              },
              {
                "name": "uiParam",
                "value": "0x00000010"
              }
            ],
            "repeated": 7,
            "id": 18838
          },
          {
            "timestamp": "2026-05-28 22:01:59,881",
            "thread_id": "1496",
            "caller": "0x7ff6c2958576",
            "parentcaller": "0x7ff6c2957a42",
            "category": "misc",
            "api": "NtQuerySystemInformation",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SystemInformationClass",
                "value": "3",
                "pretty_value": "FILE_OPEN_IF"
              }
            ],
            "repeated": 0,
            "id": 18839
          },
          {
            "timestamp": "2026-05-28 22:01:59,881",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6fb1",
            "parentcaller": "0x7ff6c28e0076",
            "category": "windows",
            "api": "PostMessageW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "WindowHandle",
                "value": "0x000f03ec"
              },
              {
                "name": "Message",
                "value": "0x00000060"
              }
            ],
            "repeated": 0,
            "id": 18840
          },
          {
            "timestamp": "2026-05-28 22:01:59,881",
            "thread_id": "1496",
            "caller": "0x7ff6c28da9db",
            "parentcaller": "0x7ff6c28d6fb1",
            "category": "misc",
            "api": "GetCursorPos",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "x",
                "value": "578"
              },
              {
                "name": "y",
                "value": "370"
              }
            ],
            "repeated": 0,
            "id": 18841
          },
          {
            "timestamp": "2026-05-28 22:01:59,881",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6f98",
            "parentcaller": "0x7ff6c28e0076",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29255790000"
              },
              {
                "name": "RegionSize",
                "value": "0x00100000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 18842
          },
          {
            "timestamp": "2026-05-28 22:01:59,881",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6f98",
            "parentcaller": "0x7ff6c28e0076",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29255790000"
              },
              {
                "name": "RegionSize",
                "value": "0x00012000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 18843
          },
          {
            "timestamp": "2026-05-28 22:01:59,881",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6f98",
            "parentcaller": "0x7ff6c28e0076",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29255926000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 18844
          },
          {
            "timestamp": "2026-05-28 22:01:59,881",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6f98",
            "parentcaller": "0x7ff6c28e0076",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29255927000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 18845
          },
          {
            "timestamp": "2026-05-28 22:01:59,896",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6f98",
            "parentcaller": "0x7ff6c28e0076",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29255928000"
              },
              {
                "name": "RegionSize",
                "value": "0x00007000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 18846
          },
          {
            "timestamp": "2026-05-28 22:01:59,912",
            "thread_id": "1496",
            "caller": "0x7ff6c28da9db",
            "parentcaller": "0x7ff6c28d6fb1",
            "category": "misc",
            "api": "GetCursorPos",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "x",
                "value": "578"
              },
              {
                "name": "y",
                "value": "370"
              }
            ],
            "repeated": 0,
            "id": 18847
          },
          {
            "timestamp": "2026-05-28 22:01:59,912",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6fb1",
            "parentcaller": "0x7ff6c28e0076",
            "category": "system",
            "api": "NtDelayExecution",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 18848
          },
          {
            "timestamp": "2026-05-28 22:01:59,912",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6fb1",
            "parentcaller": "0x7ff6c28e0076",
            "category": "synchronization",
            "api": "NtOpenEvent",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "Handle",
                "value": "0xf09d76f620"
              },
              {
                "name": "EventName",
                "value": "Local\\1ImmersiveFocusTrackingActiveEvent"
              }
            ],
            "repeated": 0,
            "id": 18849
          },
          {
            "timestamp": "2026-05-28 22:01:59,912",
            "thread_id": "1496",
            "caller": "0x7ff6c28da9db",
            "parentcaller": "0x7ff6c28d6fb1",
            "category": "misc",
            "api": "GetCursorPos",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "x",
                "value": "578"
              },
              {
                "name": "y",
                "value": "370"
              }
            ],
            "repeated": 0,
            "id": 18850
          },
          {
            "timestamp": "2026-05-28 22:01:59,912",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6fb1",
            "parentcaller": "0x7ff6c28e0076",
            "category": "system",
            "api": "NtDelayExecution",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 18851
          },
          {
            "timestamp": "2026-05-28 22:02:00,350",
            "thread_id": "8604",
            "caller": "0x7ff6c28c4a58",
            "parentcaller": "0x7ff6c28bab11",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000410"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\PcwDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00224013"
              },
              {
                "name": "InputBuffer",
                "value": "\\x88\\x08\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": "x\\x02\\x00\\x00\\x10\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00h\\x02\\x00\\x00 \\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01<\\x06\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x90\\x00\\x00\\x00\\x00\\x00\\x00\\x00 \\x00\\x00\\x00\\x07\\x00\\x00\\x000\\x00,\\x000\\x00\\x00\\x00a\\x00n\\x00a\\x00g\\x00\\x10\\x00\\x00\\x00\\x10\\x00\\x04\\x00\\x00\\x00\\x00\\x00A\\x00p\\x00\\x10\\x00\\x00\\x00\\x1a\\x00\\x08\\x00\\x9f\\xbc\\x88\\x80\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x1b\\x00\\x04\\x00d\\x16\\xa4\\x02S\\x00e\\x00\\x10\\x00\\x00\\x00\\x1c\\x00\\x08\\x00\\x8b\\xc2\\xc4\\x08\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x1d\\x00\\x04\\x00d\\x16\\xa4\\x02)\\x00\\x00\\x00\\x10\\x00\\x00\\x00!\\x00\\x08\\x00?\\x99\\xc4\\x81\\x12\\x00\\x00\\x00\\x10\\x00\\x00\\x00\"\\x00\\x04\\x00 \\x0cI\\x01o\\x00f\\x00\\x90\\x00\\x00\\x00\\x01\\x00\\x00\\x00 \\x00\\x00\\x00\\x07\\x00\\x00\\x000\\x00,\\x001\\x00\\x00\\x00n\\x00t\\x00\\x00\\x00A\\x00\\x10\\x00\\x00\\x00\\x10\\x00\\x04\\x00\\x00\\x00\\x00\\x00e\\x00n\\x00\\x10\\x00\\x00\\x00\\x1a\\x00\\x08\\x00l\\xeb\\xdd\\x7f\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 18852
          },
          {
            "timestamp": "2026-05-28 22:02:00,350",
            "thread_id": "8604",
            "caller": "0x7ff6c28c7164",
            "parentcaller": "0x7ff6c28c4d2d",
            "category": "misc",
            "api": "NtQuerySystemInformation",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "SystemInformationClass",
                "value": "79"
              }
            ],
            "repeated": 0,
            "id": 18853
          },
          {
            "timestamp": "2026-05-28 22:02:00,350",
            "thread_id": "8604",
            "caller": "0x7ff6c28c71d8",
            "parentcaller": "0x7ff6c28c4d2d",
            "category": "misc",
            "api": "NtQuerySystemInformation",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SystemInformationClass",
                "value": "79"
              }
            ],
            "repeated": 0,
            "id": 18854
          },
          {
            "timestamp": "2026-05-28 22:02:00,350",
            "thread_id": "8604",
            "caller": "0x7ff6c28c4d5f",
            "parentcaller": "0x7ff6c28d9152",
            "category": "misc",
            "api": "NtQuerySystemInformation",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SystemInformationClass",
                "value": "182"
              }
            ],
            "repeated": 0,
            "id": 18855
          },
          {
            "timestamp": "2026-05-28 22:02:00,350",
            "thread_id": "8604",
            "caller": "0x7ff6c28c4d76",
            "parentcaller": "0x7ff6c28d9152",
            "category": "misc",
            "api": "GetPhysicallyInstalledSystemMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TotalMemoryInKilobytes",
                "value": "8388608"
              }
            ],
            "repeated": 0,
            "id": 18856
          },
          {
            "timestamp": "2026-05-28 22:02:00,350",
            "thread_id": "8604",
            "caller": "0x7ff6c28bcc3e",
            "parentcaller": "0x7ff6c28baa3d",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000008a4"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\Nsi"
              },
              {
                "name": "IoControlCode",
                "value": "0x00120007"
              },
              {
                "name": "InputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb1\\xa9t\\xfc\\x7f\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xc0\\xe5O\\x9e\\xf0\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb1\\xa9t\\xfc\\x7f\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xc0\\xe5O\\x9e\\xf0\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 18857
          },
          {
            "timestamp": "2026-05-28 22:02:00,350",
            "thread_id": "8604",
            "caller": "0x7ff6c28bcc3e",
            "parentcaller": "0x7ff6c28baa3d",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a88"
              }
            ],
            "repeated": 0,
            "id": 18858
          },
          {
            "timestamp": "2026-05-28 22:02:00,350",
            "thread_id": "8604",
            "caller": "0x7ff6c28bcc3e",
            "parentcaller": "0x7ff6c28baa3d",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000008a4"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\Nsi"
              },
              {
                "name": "IoControlCode",
                "value": "0x0012000f"
              },
              {
                "name": "InputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb1\\xa9t\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xd0\\xe5O\\x9e\\xf0\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\xeeO\\x9e\\xf0\\x00\\x00\\x00D\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xe6O\\x9e\\xf0\\x00\\x00\\x00\\xd8\\x00\\x00\\x00\\x00\\x00\\x00\\x00 \\xe9O\\x9e\\xf0\\x00\\x00\\x00X\\x02\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb1\\xa9t\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xd0\\xe5O\\x9e\\xf0\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\xeeO\\x9e\\xf0\\x00\\x00\\x00D\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xe6O\\x9e\\xf0\\x00\\x00\\x00\\xd8\\x00\\x00\\x00\\x00\\x00\\x00\\x00 \\xe9O\\x9e\\xf0\\x00\\x00\\x00X\\x02\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 18859
          },
          {
            "timestamp": "2026-05-28 22:02:00,350",
            "thread_id": "8604",
            "caller": "0x7ff6c28bcc3e",
            "parentcaller": "0x7ff6c28baa3d",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a88"
              }
            ],
            "repeated": 0,
            "id": 18860
          },
          {
            "timestamp": "2026-05-28 22:02:00,350",
            "thread_id": "8604",
            "caller": "0x7ff6c28bcd3d",
            "parentcaller": "0x7ff6c28baa3d",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000a88"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0012019f",
                "pretty_value": "FILE_GENERIC_READ|FILE_GENERIC_WRITE"
              },
              {
                "name": "FileName",
                "value": "\\Device\\{4C572733-2FBA-4346-9601-F86DBA666EF2}"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 18861
          },
          {
            "timestamp": "2026-05-28 22:02:00,350",
            "thread_id": "5448",
            "caller": "0x7ff6c28bda50",
            "parentcaller": "0x7ff6c28d9f92",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "23"
              },
              {
                "name": "ThreadInformation",
                "value": "Hz\\x01N\\x00\\x00\\x00\\x00\\x1eX\\x1f\\x8aA\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "5448"
              }
            ],
            "repeated": 0,
            "id": 18862
          },
          {
            "timestamp": "2026-05-28 22:02:00,350",
            "thread_id": "5448",
            "caller": "0x7ff6c28bdaa2",
            "parentcaller": "0x7ff6c28d9f92",
            "category": "misc",
            "api": "NtQuerySystemInformation",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SystemInformationClass",
                "value": "3",
                "pretty_value": "FILE_OPEN_IF"
              }
            ],
            "repeated": 0,
            "id": 18863
          },
          {
            "timestamp": "2026-05-28 22:02:00,350",
            "thread_id": "8604",
            "caller": "0x7ff6c28bcd94",
            "parentcaller": "0x7ff6c28baa3d",
            "category": "device",
            "api": "DeviceIoControl",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "DeviceHandle",
                "value": "0x00000a88"
              },
              {
                "name": "IoControlCode",
                "value": "0x0017003e"
              },
              {
                "name": "InBuffer",
                "value": "\\x07\\x01\\x01\\x00\\x04\\x01\\x01\\x80\\x14\\x01\\x01\\x80\\x01\\x01\\x02\\x00\\x02\\x01\\x02\\x00\\x03\\x01\\x02\\x00\\x04\\x01\\x02\\x00\\x08\\x02\\x02\\x80\\x01\\x02\\x02\\x80\\x07\\x02\\x02\\x80\\xff\\xff\\xff\\x80\\x13\\x02\\x02\\x80\\x14\\x02\\x02\\x80\\x15\\x02\\x02\\x80\\x02\\x02\\x01\\x80"
              },
              {
                "name": "OutBuffer",
                "value": "\\x07\\x01\\x01\\x00\\x04\\x00\\x00\\x00\\x80\\x96\\x98\\x00\\x04\\x01\\x01\\x80\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x14\\x01\\x01\\x80\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x01\\x02\\x00\\x08\\x00\\x00\\x00N\\x0c\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x01\\x02\\x00\\x08\\x00\\x00\\x00oA\\x00\\x00\\x00\\x00\\x00\\x00\\x03\\x01\\x02\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x04\\x01\\x02\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x08\\x02\\x02\\x80\\x08\\x00\\x00\\x00jA\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x02\\x02\\x80\\x08\\x00\\x00\\x00\\xe8N;\\x00\\x00\\x00\\x00\\x00\\x07\\x02\\x02\\x80\\x08\\x00\\x00\\x00\\x18aD\\x01\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\x80\\x04\\x00\\x00\\x00B\\x00\\x00\\x00\\x13\\x02\\x02\\x80\\x04\\x00\\x00\\x00m\\x00\\x00\\x00\\x14\\x02\\x02\\x80\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x15\\x02\\x02\\x80\\x04\\x00\\x00\\x00\\x00\\x00\\x04\\x00\\x02\\x02\\x01\\x80\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 18864
          },
          {
            "timestamp": "2026-05-28 22:02:00,350",
            "thread_id": "8604",
            "caller": "0x7ff6c28bcdab",
            "parentcaller": "0x7ff6c28baa3d",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a88"
              }
            ],
            "repeated": 0,
            "id": 18865
          },
          {
            "timestamp": "2026-05-28 22:02:00,350",
            "thread_id": "5448",
            "caller": "0x7ff6c28c4a58",
            "parentcaller": "0x7ff6c28c4bdc",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000410"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\PcwDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00224013"
              },
              {
                "name": "InputBuffer",
                "value": "\\x14\\x04\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": "\\xb8\\x01\\x00\\x00\\x10\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xa8\\x01\\x00\\x00 \\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x000\\x00\\x00\\x0c\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00`\\x00\\x00\\x00\\x00\\x00\\x00\\x00 \\x00\\x00\\x00\\x04\\x00\\x00\\x000\\x00,\\x000\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x04\\x00\\x08\\x00j\\xc0a\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x05\\x00\\x08\\x00*\\xa2F\\x01\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x1a\\x00\\x08\\x00\\xaa\\xbc\\x8b\\x80\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x1b\\x00\\x04\\x00\\x12\\x1e\\xa4\\x02\\x00\\x00\\x00\\x00`\\x00\\x00\\x00\\x01\\x00\\x00\\x00 \\x00\\x00\\x00\\x04\\x00\\x00\\x000\\x00,\\x001\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x04\\x00\\x08\\x00h\\xb6:\\x01\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x05\\x00\\x08\\x00\\xc2\\xeb\\x0b\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x1a\\x00\\x08\\x00Y\\xda\\xe0\\x7f\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x1b\\x00\\x04\\x00(\\x1e\\xa4\\x02\\x00\\x00\\x00\\x00h\\x00\\x00\\x00\\x02\\x00\\x00\\x00(\\x00\\x00\\x00\\x04\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 18866
          },
          {
            "timestamp": "2026-05-28 22:02:00,350",
            "thread_id": "8604",
            "caller": "0x7ff6c28c1a63",
            "parentcaller": "0x7ff6c28d9152",
            "category": "device",
            "api": "DeviceIoControl",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "DeviceHandle",
                "value": "0x0000089c"
              },
              {
                "name": "IoControlCode",
                "value": "0x00070020"
              },
              {
                "name": "InBuffer",
                "value": ""
              },
              {
                "name": "OutBuffer",
                "value": "\\x00^\\xe3]\\x00\\x00\\x00\\x00\\x00\\xc8`\\x08\\x00\\x00\\x00\\x00@\\x1b\\xba\\x0f\\x00\\x00\\x00\\x00\\xcb~\\x8e\\x10\\x00\\x00\\x00\\x00\\x19g5\\x1a\\x00\\x00\\x00\\x00\\xe5d\\x00\\x00\\xe3\\x0c\\x00\\x00\\x00\\x00\\x00\\x00\\x87\\x03\\x00\\x00\\xe4\\xf3\\xd6\\x9b\\xed\\xee\\xdc\\x01\\x00\\x00\\x00\\x00P\\x00a\\x00r\\x00t\\x00m\\x00g\\x00r\\x00 \\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 18867
          },
          {
            "timestamp": "2026-05-28 22:02:00,350",
            "thread_id": "8604",
            "caller": "0x7ff6c28ca352",
            "parentcaller": "0x7ff6c28ca1d6",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 18868
          },
          {
            "timestamp": "2026-05-28 22:02:00,350",
            "thread_id": "5448",
            "caller": "0x7ff6c28c6f7b",
            "parentcaller": "0x7ff6c28bdb94",
            "category": "misc",
            "api": "GlobalMemoryStatusEx",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "MemoryLoad",
                "value": "32"
              },
              {
                "name": "TotalPhysicalMB",
                "value": "8191"
              }
            ],
            "repeated": 0,
            "id": 18869
          },
          {
            "timestamp": "2026-05-28 22:02:00,350",
            "thread_id": "8604",
            "caller": "0x7ff6c28ca352",
            "parentcaller": "0x7ff6c28ca1d6",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "0",
                "pretty_value": "ThreadBasicInformation"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x03\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb0\\x88\\x9d\\xf0\\x00\\x00\\x00\\xe8\\x1e\\x00\\x00\\x00\\x00\\x00\\x00\\x9c!\\x00\\x00\\x00\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x0b\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "8604"
              }
            ],
            "repeated": 0,
            "id": 18870
          },
          {
            "timestamp": "2026-05-28 22:02:00,350",
            "thread_id": "5448",
            "caller": "0x7ff6c28c05ac",
            "parentcaller": "0x7ff6c28bdc11",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a84"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001400",
                "pretty_value": "PROCESS_QUERY_INFORMATION|PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "748"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\System32\\svchost.exe"
              }
            ],
            "repeated": 0,
            "id": 18871
          },
          {
            "timestamp": "2026-05-28 22:02:00,350",
            "thread_id": "8604",
            "caller": "0x7ff6c28ca352",
            "parentcaller": "0x7ff6c28ca1d6",
            "category": "system",
            "api": "GetSystemTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 1,
            "id": 18872
          },
          {
            "timestamp": "2026-05-28 22:02:00,350",
            "thread_id": "5448",
            "caller": "0x7ff6c28c068f",
            "parentcaller": "0x7ff6c28bdc11",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a84"
              }
            ],
            "repeated": 0,
            "id": 18873
          },
          {
            "timestamp": "2026-05-28 22:02:00,350",
            "thread_id": "5448",
            "caller": "0x7ffc756e08ee",
            "parentcaller": "0x7ff6c28c45b1",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a84"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001400",
                "pretty_value": "PROCESS_QUERY_INFORMATION|PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "748"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\System32\\svchost.exe"
              }
            ],
            "repeated": 0,
            "id": 18874
          },
          {
            "timestamp": "2026-05-28 22:02:00,350",
            "thread_id": "5448",
            "caller": "0x7ff6c28c6de3",
            "parentcaller": "0x7ff6c28c087c",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a84"
              }
            ],
            "repeated": 0,
            "id": 18875
          },
          {
            "timestamp": "2026-05-28 22:02:00,350",
            "thread_id": "8604",
            "caller": "0x7ff6c28ca352",
            "parentcaller": "0x7ff6c28ca1d6",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000410"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\PcwDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00224013"
              },
              {
                "name": "InputBuffer",
                "value": "\\x00\t\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": "\\xc8A\\x00\\x00\\x10\\x00\\x00\\x00\\x0c\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x80\\x12\\x00\\x00 \\x00\\x00\\x00\\x1e\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\n\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x98\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x88\\x00\\x00\\x00\\x01\\x00\\x00\\x00p\\x00i\\x00d\\x00_\\x004\\x00_\\x00l\\x00u\\x00i\\x00d\\x00_\\x000\\x00x\\x000\\x000\\x000\\x000\\x000\\x000\\x000\\x000\\x00_\\x000\\x00x\\x000\\x000\\x000\\x000\\x006\\x001\\x006\\x00A\\x00_\\x00p\\x00h\\x00y\\x00s\\x00_\\x000\\x00_\\x00e\\x00n\\x00g\\x00_\\x000\\x00_\\x00e\\x00n\\x00g\\x00t\\x00y\\x00p\\x00e\\x00_\\x003\\x00D\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x01\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x98\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x88\\x00\\x00\\x00\\x01\\x00\\x00\\x00p\\x00i\\x00d\\x00_\\x004\\x00_\\x00l\\x00u\\x00i\\x00d\\x00_\\x000\\x00x\\x000\\x000\\x000\\x000\\x000\\x000\\x000\\x00"
              }
            ],
            "repeated": 0,
            "id": 18876
          },
          {
            "timestamp": "2026-05-28 22:02:00,350",
            "thread_id": "5448",
            "caller": "0x7ff6c28c05ac",
            "parentcaller": "0x7ff6c28bdc11",
            "category": "process",
            "api": "NtOpenProcess",
            "status": false,
            "return": "0xffffffffc0000022",
            "pretty_return": "ACCESS_DENIED",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x7ffc00001400",
                "pretty_value": "PROCESS_QUERY_INFORMATION|PROCESS_QUERY_LIMITED_INFORMATION|0x7ffc00000000"
              },
              {
                "name": "ProcessIdentifier",
                "value": "140720308492200"
              }
            ],
            "repeated": 0,
            "id": 18877
          },
          {
            "timestamp": "2026-05-28 22:02:00,350",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c3e56",
            "category": "process",
            "api": "NtOpenProcess",
            "status": false,
            "return": "0xffffffffc0000022",
            "pretty_return": "ACCESS_DENIED",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001000",
                "pretty_value": "PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "6056"
              }
            ],
            "repeated": 0,
            "id": 18878
          },
          {
            "timestamp": "2026-05-28 22:02:00,350",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c3ffc",
            "category": "process",
            "api": "NtOpenProcess",
            "status": false,
            "return": "0xffffffffc0000022",
            "pretty_return": "ACCESS_DENIED",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001000",
                "pretty_value": "PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "140720308492200"
              }
            ],
            "repeated": 0,
            "id": 18879
          },
          {
            "timestamp": "2026-05-28 22:02:00,350",
            "thread_id": "5448",
            "caller": "0x7ff6c291c755",
            "parentcaller": "0x7ff6c28edda1",
            "category": "misc",
            "api": "NtQuerySystemInformation",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SystemInformationClass",
                "value": "88"
              }
            ],
            "repeated": 0,
            "id": 18880
          },
          {
            "timestamp": "2026-05-28 22:02:00,350",
            "thread_id": "5448",
            "caller": "0x7ff6c291c291",
            "parentcaller": "0x7ff6c291c79c",
            "category": "filesystem",
            "api": "NtOpenDirectoryObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "DirectoryHandle",
                "value": "0x00000a84"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "FILE_READ_ACCESS"
              },
              {
                "name": "ObjectAttributes",
                "value": "C:\\??"
              }
            ],
            "repeated": 0,
            "id": 18881
          },
          {
            "timestamp": "2026-05-28 22:02:00,350",
            "thread_id": "5448",
            "caller": "0x7ff6c291c291",
            "parentcaller": "0x7ff6c291c79c",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a7c"
              }
            ],
            "repeated": 0,
            "id": 18882
          },
          {
            "timestamp": "2026-05-28 22:02:00,350",
            "thread_id": "5448",
            "caller": "0x7ff6c291c291",
            "parentcaller": "0x7ff6c291c79c",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a84"
              }
            ],
            "repeated": 0,
            "id": 18883
          },
          {
            "timestamp": "2026-05-28 22:02:00,350",
            "thread_id": "1496",
            "caller": "0x7ff6c2958576",
            "parentcaller": "0x7ff6c2957a42",
            "category": "misc",
            "api": "NtQuerySystemInformation",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SystemInformationClass",
                "value": "3",
                "pretty_value": "SystemTimeOfDayInformation"
              }
            ],
            "repeated": 0,
            "id": 18884
          },
          {
            "timestamp": "2026-05-28 22:02:00,350",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a84"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000400",
                "pretty_value": "PROCESS_QUERY_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "7912"
              }
            ],
            "repeated": 0,
            "id": 18885
          },
          {
            "timestamp": "2026-05-28 22:02:00,350",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x00000a7c"
              }
            ],
            "repeated": 0,
            "id": 18886
          },
          {
            "timestamp": "2026-05-28 22:02:00,350",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "`\\xd8\\xdf\\x9d\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\xe9\\x03\\x00\\x00\\xfc\\x7f\\x00\\x00`^\\xe8S\\x92\\x02\\x00\\x00\\xe0\\xde\\xdf\\x9d\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x9e\\x00\\x00\\x00\\x00\\x00\\x00\\x00H\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 18887
          },
          {
            "timestamp": "2026-05-28 22:02:00,350",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "synchronization",
            "api": "NtCreateMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a88"
              },
              {
                "name": "MutexName",
                "value": "Global\\C::Users:admin:AppData:Local:Microsoft:Windows:Explorer:iconcache_idx.db!rwReaderRefs"
              },
              {
                "name": "InitialOwner",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 18888
          },
          {
            "timestamp": "2026-05-28 22:02:00,350",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a7c"
              }
            ],
            "repeated": 0,
            "id": 18889
          },
          {
            "timestamp": "2026-05-28 22:02:00,350",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a84"
              }
            ],
            "repeated": 0,
            "id": 18890
          },
          {
            "timestamp": "2026-05-28 22:02:00,350",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000808"
              },
              {
                "name": "HandleName",
                "value": "C:\\Users\\admin\\AppData\\Local\\Microsoft\\Windows\\Explorer\\iconcache_idx.db"
              },
              {
                "name": "FileInformationClass",
                "value": "5",
                "pretty_value": "FileStandardInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\x00\\x80\\x00\\x00\\x00\\x00\\x00\\x000r\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 18891
          },
          {
            "timestamp": "2026-05-28 22:02:00,350",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a84"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000400",
                "pretty_value": "PROCESS_QUERY_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "7912"
              }
            ],
            "repeated": 0,
            "id": 18892
          },
          {
            "timestamp": "2026-05-28 22:02:00,350",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x00000a7c"
              }
            ],
            "repeated": 0,
            "id": 18893
          },
          {
            "timestamp": "2026-05-28 22:02:00,350",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": " \\xd9\\xdf\\x9d\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\xe9\\x03\\x00\\x00\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x99\\xdb\\xdf\\x9d\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00T\\x82*_\\xfc\\x7f\\x00\\x004\\x00a\\x006\\x000\\x008\\x00\\x00\\x00\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x000\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x98\\xda\\xdf\\x9d\\xf0\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 18894
          },
          {
            "timestamp": "2026-05-28 22:02:00,350",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "synchronization",
            "api": "NtCreateMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a9c"
              },
              {
                "name": "MutexName",
                "value": "Global\\C::Users:admin:AppData:Local:Microsoft:Windows:Explorer:iconcache_idx.db!04a608"
              },
              {
                "name": "InitialOwner",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 18895
          },
          {
            "timestamp": "2026-05-28 22:02:00,350",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a7c"
              }
            ],
            "repeated": 0,
            "id": 18896
          },
          {
            "timestamp": "2026-05-28 22:02:00,350",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a84"
              }
            ],
            "repeated": 0,
            "id": 18897
          },
          {
            "timestamp": "2026-05-28 22:02:00,350",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000a4c"
              },
              {
                "name": "HandleName",
                "value": "C:\\Users\\admin\\AppData\\Local\\Microsoft\\Windows\\Explorer\\iconcache_16.db"
              },
              {
                "name": "FileInformationClass",
                "value": "5",
                "pretty_value": "FileStandardInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 18898
          },
          {
            "timestamp": "2026-05-28 22:02:00,350",
            "thread_id": "8604",
            "caller": "0x7ff6c28f9829",
            "parentcaller": "0x7ff6c28d8f00",
            "category": "windows",
            "api": "PostMessageW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "WindowHandle",
                "value": "0x000203fa"
              },
              {
                "name": "Message",
                "value": "0x000004e1"
              }
            ],
            "repeated": 0,
            "id": 18899
          },
          {
            "timestamp": "2026-05-28 22:02:00,350",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a88"
              }
            ],
            "repeated": 0,
            "id": 18900
          },
          {
            "timestamp": "2026-05-28 22:02:00,350",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a88"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000400",
                "pretty_value": "PROCESS_QUERY_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "7912"
              }
            ],
            "repeated": 0,
            "id": 18901
          },
          {
            "timestamp": "2026-05-28 22:02:00,350",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x00000a84"
              }
            ],
            "repeated": 0,
            "id": 18902
          },
          {
            "timestamp": "2026-05-28 22:02:00,350",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "0\\xd9\\xdf\\x9d\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\xe9\\x03\\x00\\x00\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xd0\\xd9\\xdf\\x9d\\xf0\\x00\\x00\\x00x\\xdb\\xdf\\x9d\\xf0\\x00\\x00\\x00\\x08\\xa6\\xb3T\\x92\\x02\\x00\\x00\\xb0\\xd9\\xdf\\x9d\\xf0\\x00\\x00\\x00\\x00\\xda\\xdf\\x9d\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xf0\\x00\\x00\\x00\\x00\\x00\\xafT\\x92\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00u\\xc0\\x00\\x00\\x00\\x00\\xafT\\x92\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 18903
          },
          {
            "timestamp": "2026-05-28 22:02:00,350",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "synchronization",
            "api": "NtCreateMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a7c"
              },
              {
                "name": "MutexName",
                "value": "Global\\C::Users:admin:AppData:Local:Microsoft:Windows:Explorer:iconcache_idx.db!rwReaderRefs"
              },
              {
                "name": "InitialOwner",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 18904
          },
          {
            "timestamp": "2026-05-28 22:02:00,350",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a84"
              }
            ],
            "repeated": 0,
            "id": 18905
          },
          {
            "timestamp": "2026-05-28 22:02:00,350",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a88"
              }
            ],
            "repeated": 0,
            "id": 18906
          },
          {
            "timestamp": "2026-05-28 22:02:00,350",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a7c"
              }
            ],
            "repeated": 0,
            "id": 18907
          },
          {
            "timestamp": "2026-05-28 22:02:00,350",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a9c"
              }
            ],
            "repeated": 0,
            "id": 18908
          },
          {
            "timestamp": "2026-05-28 22:02:00,350",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x292558c0002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Program Files\\WindowsApps\\PythonSoftwareFoundation.PythonManager_26.2.240.0_x64__3847v3x7pw1km\\python.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 18909
          },
          {
            "timestamp": "2026-05-28 22:02:00,350",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x292558c0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00050000"
              }
            ],
            "repeated": 0,
            "id": 18910
          },
          {
            "timestamp": "2026-05-28 22:02:00,365",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x292558c0002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Program Files\\WindowsApps\\PythonSoftwareFoundation.PythonManager_26.2.240.0_x64__3847v3x7pw1km\\python.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 18911
          },
          {
            "timestamp": "2026-05-28 22:02:00,365",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x292558c0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00050000"
              }
            ],
            "repeated": 0,
            "id": 18912
          },
          {
            "timestamp": "2026-05-28 22:02:00,365",
            "thread_id": "5448",
            "caller": "0x7ff6c28c3b16",
            "parentcaller": "0x7ff6c28c30e8",
            "category": "process",
            "api": "NtOpenProcess",
            "status": false,
            "return": "0xffffffffc0000022",
            "pretty_return": "ACCESS_DENIED",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0xf000000400",
                "pretty_value": "PROCESS_QUERY_INFORMATION|0xf000000000"
              },
              {
                "name": "ProcessIdentifier",
                "value": "140720308492200"
              }
            ],
            "repeated": 0,
            "id": 18913
          },
          {
            "timestamp": "2026-05-28 22:02:00,365",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c38f8",
            "category": "process",
            "api": "NtOpenProcess",
            "status": false,
            "return": "0xffffffffc0000022",
            "pretty_return": "ACCESS_DENIED",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0xf000001410",
                "pretty_value": "PROCESS_VM_READ|PROCESS_QUERY_INFORMATION|PROCESS_QUERY_LIMITED_INFORMATION|0xf000000000"
              },
              {
                "name": "ProcessIdentifier",
                "value": "6056"
              }
            ],
            "repeated": 0,
            "id": 18914
          },
          {
            "timestamp": "2026-05-28 22:02:00,365",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c3746",
            "category": "process",
            "api": "NtOpenProcess",
            "status": false,
            "return": "0xffffffffc0000022",
            "pretty_return": "ACCESS_DENIED",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x7ffc00001000",
                "pretty_value": "PROCESS_QUERY_LIMITED_INFORMATION|0x7ffc00000000"
              },
              {
                "name": "ProcessIdentifier",
                "value": "140720308492200"
              }
            ],
            "repeated": 0,
            "id": 18915
          },
          {
            "timestamp": "2026-05-28 22:02:00,365",
            "thread_id": "5448",
            "caller": "0x7ff6c28c05ac",
            "parentcaller": "0x7ff6c28bdc11",
            "category": "process",
            "api": "NtOpenProcess",
            "status": false,
            "return": "0xffffffffc0000022",
            "pretty_return": "ACCESS_DENIED",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x7ffc00001400",
                "pretty_value": "PROCESS_QUERY_INFORMATION|PROCESS_QUERY_LIMITED_INFORMATION|0x7ffc00000000"
              },
              {
                "name": "ProcessIdentifier",
                "value": "140720308491116"
              }
            ],
            "repeated": 0,
            "id": 18916
          },
          {
            "timestamp": "2026-05-28 22:02:00,365",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c3e56",
            "category": "process",
            "api": "NtOpenProcess",
            "status": false,
            "return": "0xffffffffc0000022",
            "pretty_return": "ACCESS_DENIED",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x7ffc00001000",
                "pretty_value": "PROCESS_QUERY_LIMITED_INFORMATION|0x7ffc00000000"
              },
              {
                "name": "ProcessIdentifier",
                "value": "1030792156012"
              }
            ],
            "repeated": 0,
            "id": 18917
          },
          {
            "timestamp": "2026-05-28 22:02:00,365",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c3ffc",
            "category": "process",
            "api": "NtOpenProcess",
            "status": false,
            "return": "0xffffffffc0000022",
            "pretty_return": "ACCESS_DENIED",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001000",
                "pretty_value": "PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "140720308491116"
              }
            ],
            "repeated": 0,
            "id": 18918
          },
          {
            "timestamp": "2026-05-28 22:02:00,365",
            "thread_id": "5448",
            "caller": "0x7ff6c291c755",
            "parentcaller": "0x7ff6c28edda1",
            "category": "misc",
            "api": "NtQuerySystemInformation",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SystemInformationClass",
                "value": "88"
              }
            ],
            "repeated": 0,
            "id": 18919
          },
          {
            "timestamp": "2026-05-28 22:02:00,365",
            "thread_id": "5448",
            "caller": "0x7ff6c291c291",
            "parentcaller": "0x7ff6c291c79c",
            "category": "filesystem",
            "api": "NtOpenDirectoryObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "DirectoryHandle",
                "value": "0x00000a9c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "FILE_READ_ACCESS"
              },
              {
                "name": "ObjectAttributes",
                "value": "C:\\??"
              }
            ],
            "repeated": 0,
            "id": 18920
          },
          {
            "timestamp": "2026-05-28 22:02:00,365",
            "thread_id": "5448",
            "caller": "0x7ff6c291c291",
            "parentcaller": "0x7ff6c291c79c",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a7c"
              }
            ],
            "repeated": 0,
            "id": 18921
          },
          {
            "timestamp": "2026-05-28 22:02:00,365",
            "thread_id": "5448",
            "caller": "0x7ff6c291c291",
            "parentcaller": "0x7ff6c291c79c",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a9c"
              }
            ],
            "repeated": 0,
            "id": 18922
          },
          {
            "timestamp": "2026-05-28 22:02:00,365",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x292558a0002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Users\\admin\\AppData\\Local\\Python\\pythoncore-3.14-64\\python.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 18923
          },
          {
            "timestamp": "2026-05-28 22:02:00,365",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x292558a0000"
              },
              {
                "name": "RegionSize",
                "value": "0x0001a000"
              }
            ],
            "repeated": 0,
            "id": 18924
          },
          {
            "timestamp": "2026-05-28 22:02:00,365",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x292558b0002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Users\\admin\\AppData\\Local\\Python\\pythoncore-3.14-64\\python.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 18925
          },
          {
            "timestamp": "2026-05-28 22:02:00,365",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x292558b0000"
              },
              {
                "name": "RegionSize",
                "value": "0x0001a000"
              }
            ],
            "repeated": 0,
            "id": 18926
          },
          {
            "timestamp": "2026-05-28 22:02:00,365",
            "thread_id": "5448",
            "caller": "0x7ff6c28c3b16",
            "parentcaller": "0x7ff6c28c30e8",
            "category": "process",
            "api": "NtOpenProcess",
            "status": false,
            "return": "0xffffffffc0000022",
            "pretty_return": "ACCESS_DENIED",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0xf000000400",
                "pretty_value": "PROCESS_QUERY_INFORMATION|0xf000000000"
              },
              {
                "name": "ProcessIdentifier",
                "value": "140720308491116"
              }
            ],
            "repeated": 0,
            "id": 18927
          },
          {
            "timestamp": "2026-05-28 22:02:00,365",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c38f8",
            "category": "process",
            "api": "NtOpenProcess",
            "status": false,
            "return": "0xffffffffc0000022",
            "pretty_return": "ACCESS_DENIED",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0xf000001410",
                "pretty_value": "PROCESS_VM_READ|PROCESS_QUERY_INFORMATION|PROCESS_QUERY_LIMITED_INFORMATION|0xf000000000"
              },
              {
                "name": "ProcessIdentifier",
                "value": "4972"
              }
            ],
            "repeated": 0,
            "id": 18928
          },
          {
            "timestamp": "2026-05-28 22:02:00,365",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c3746",
            "category": "process",
            "api": "NtOpenProcess",
            "status": false,
            "return": "0xffffffffc0000022",
            "pretty_return": "ACCESS_DENIED",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x7ffc00001000",
                "pretty_value": "PROCESS_QUERY_LIMITED_INFORMATION|0x7ffc00000000"
              },
              {
                "name": "ProcessIdentifier",
                "value": "140720308491116"
              }
            ],
            "repeated": 0,
            "id": 18929
          },
          {
            "timestamp": "2026-05-28 22:02:00,365",
            "thread_id": "5448",
            "caller": "0x7ff6c28c05ac",
            "parentcaller": "0x7ff6c28bdc11",
            "category": "process",
            "api": "NtOpenProcess",
            "status": false,
            "return": "0xffffffffc0000022",
            "pretty_return": "ACCESS_DENIED",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x7ffc00001400",
                "pretty_value": "PROCESS_QUERY_INFORMATION|PROCESS_QUERY_LIMITED_INFORMATION|0x7ffc00000000"
              },
              {
                "name": "ProcessIdentifier",
                "value": "140720308488672"
              }
            ],
            "repeated": 0,
            "id": 18930
          },
          {
            "timestamp": "2026-05-28 22:02:00,365",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c3e56",
            "category": "process",
            "api": "NtOpenProcess",
            "status": false,
            "return": "0xffffffffc0000022",
            "pretty_return": "ACCESS_DENIED",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x7ffc00001000",
                "pretty_value": "PROCESS_QUERY_LIMITED_INFORMATION|0x7ffc00000000"
              },
              {
                "name": "ProcessIdentifier",
                "value": "1030792153568"
              }
            ],
            "repeated": 0,
            "id": 18931
          },
          {
            "timestamp": "2026-05-28 22:02:00,365",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c3ffc",
            "category": "process",
            "api": "NtOpenProcess",
            "status": false,
            "return": "0xffffffffc0000022",
            "pretty_return": "ACCESS_DENIED",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001000",
                "pretty_value": "PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "140720308488672"
              }
            ],
            "repeated": 0,
            "id": 18932
          },
          {
            "timestamp": "2026-05-28 22:02:00,365",
            "thread_id": "5448",
            "caller": "0x7ff6c291c755",
            "parentcaller": "0x7ff6c28edda1",
            "category": "misc",
            "api": "NtQuerySystemInformation",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SystemInformationClass",
                "value": "88"
              }
            ],
            "repeated": 0,
            "id": 18933
          },
          {
            "timestamp": "2026-05-28 22:02:00,365",
            "thread_id": "5448",
            "caller": "0x7ff6c291c291",
            "parentcaller": "0x7ff6c291c79c",
            "category": "filesystem",
            "api": "NtOpenDirectoryObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "DirectoryHandle",
                "value": "0x00000a9c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "FILE_READ_ACCESS"
              },
              {
                "name": "ObjectAttributes",
                "value": "C:\\??"
              }
            ],
            "repeated": 0,
            "id": 18934
          },
          {
            "timestamp": "2026-05-28 22:02:00,365",
            "thread_id": "5448",
            "caller": "0x7ff6c291c291",
            "parentcaller": "0x7ff6c291c79c",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a7c"
              }
            ],
            "repeated": 0,
            "id": 18935
          },
          {
            "timestamp": "2026-05-28 22:02:00,365",
            "thread_id": "5448",
            "caller": "0x7ff6c291c291",
            "parentcaller": "0x7ff6c291c79c",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a9c"
              }
            ],
            "repeated": 0,
            "id": 18936
          },
          {
            "timestamp": "2026-05-28 22:02:00,365",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x292558c0002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Users\\admin\\AppData\\Local\\Python\\pythoncore-3.14-64\\python.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 18937
          },
          {
            "timestamp": "2026-05-28 22:02:00,365",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x292558c0000"
              },
              {
                "name": "RegionSize",
                "value": "0x0001a000"
              }
            ],
            "repeated": 0,
            "id": 18938
          },
          {
            "timestamp": "2026-05-28 22:02:00,365",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x292558b0002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Users\\admin\\AppData\\Local\\Python\\pythoncore-3.14-64\\python.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 18939
          },
          {
            "timestamp": "2026-05-28 22:02:00,365",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x292558b0000"
              },
              {
                "name": "RegionSize",
                "value": "0x0001a000"
              }
            ],
            "repeated": 0,
            "id": 18940
          },
          {
            "timestamp": "2026-05-28 22:02:00,365",
            "thread_id": "5448",
            "caller": "0x7ff6c28c3b16",
            "parentcaller": "0x7ff6c28c30e8",
            "category": "process",
            "api": "NtOpenProcess",
            "status": false,
            "return": "0xffffffffc0000022",
            "pretty_return": "ACCESS_DENIED",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0xf000000400",
                "pretty_value": "PROCESS_QUERY_INFORMATION|0xf000000000"
              },
              {
                "name": "ProcessIdentifier",
                "value": "140720308488672"
              }
            ],
            "repeated": 0,
            "id": 18941
          },
          {
            "timestamp": "2026-05-28 22:02:00,365",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c38f8",
            "category": "process",
            "api": "NtOpenProcess",
            "status": false,
            "return": "0xffffffffc0000022",
            "pretty_return": "ACCESS_DENIED",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0xf000001410",
                "pretty_value": "PROCESS_VM_READ|PROCESS_QUERY_INFORMATION|PROCESS_QUERY_LIMITED_INFORMATION|0xf000000000"
              },
              {
                "name": "ProcessIdentifier",
                "value": "2528"
              }
            ],
            "repeated": 0,
            "id": 18942
          },
          {
            "timestamp": "2026-05-28 22:02:00,365",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c3746",
            "category": "process",
            "api": "NtOpenProcess",
            "status": false,
            "return": "0xffffffffc0000022",
            "pretty_return": "ACCESS_DENIED",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x7ffc00001000",
                "pretty_value": "PROCESS_QUERY_LIMITED_INFORMATION|0x7ffc00000000"
              },
              {
                "name": "ProcessIdentifier",
                "value": "140720308488672"
              }
            ],
            "repeated": 0,
            "id": 18943
          },
          {
            "timestamp": "2026-05-28 22:02:00,365",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6f98",
            "parentcaller": "0x7ff6c28e0076",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29255761000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 18944
          },
          {
            "timestamp": "2026-05-28 22:02:00,365",
            "thread_id": "5448",
            "caller": "0x7ff6c28c05ac",
            "parentcaller": "0x7ff6c28bdc11",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a9c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001400",
                "pretty_value": "PROCESS_QUERY_INFORMATION|PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "9188"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe"
              }
            ],
            "repeated": 0,
            "id": 18945
          },
          {
            "timestamp": "2026-05-28 22:02:00,365",
            "thread_id": "5448",
            "caller": "0x7ff6c28c068f",
            "parentcaller": "0x7ff6c28bdc11",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a9c"
              }
            ],
            "repeated": 0,
            "id": 18946
          },
          {
            "timestamp": "2026-05-28 22:02:00,365",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c3e56",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a9c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001000",
                "pretty_value": "PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "9188"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe"
              }
            ],
            "repeated": 0,
            "id": 18947
          },
          {
            "timestamp": "2026-05-28 22:02:00,365",
            "thread_id": "5448",
            "caller": "0x7ff6c28c3ebb",
            "parentcaller": "0x7ff6c28c2d53",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a9c"
              }
            ],
            "repeated": 0,
            "id": 18948
          },
          {
            "timestamp": "2026-05-28 22:02:00,365",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c3ffc",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a9c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001000",
                "pretty_value": "PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "9188"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe"
              }
            ],
            "repeated": 0,
            "id": 18949
          },
          {
            "timestamp": "2026-05-28 22:02:00,365",
            "thread_id": "5448",
            "caller": "0x7ff6c28c4224",
            "parentcaller": "0x7ff6c28c2da5",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a9c"
              }
            ],
            "repeated": 0,
            "id": 18950
          },
          {
            "timestamp": "2026-05-28 22:02:00,365",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a9c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000400",
                "pretty_value": "PROCESS_QUERY_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "7912"
              }
            ],
            "repeated": 0,
            "id": 18951
          },
          {
            "timestamp": "2026-05-28 22:02:00,365",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x00000a7c"
              }
            ],
            "repeated": 0,
            "id": 18952
          },
          {
            "timestamp": "2026-05-28 22:02:00,365",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "`\\xd8\\xdf\\x9d\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\xe9\\x03\\x00\\x00\\xfc\\x7f\\x00\\x00`^\\xe8S\\x92\\x02\\x00\\x00\\xe0\\xde\\xdf\\x9d\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x9f\\x00\\x00\\x00\\x00\\x00\\x00\\x00H\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 18953
          },
          {
            "timestamp": "2026-05-28 22:02:00,365",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "synchronization",
            "api": "NtCreateMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a88"
              },
              {
                "name": "MutexName",
                "value": "Global\\C::Users:admin:AppData:Local:Microsoft:Windows:Explorer:iconcache_idx.db!rwReaderRefs"
              },
              {
                "name": "InitialOwner",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 18954
          },
          {
            "timestamp": "2026-05-28 22:02:00,365",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a7c"
              }
            ],
            "repeated": 0,
            "id": 18955
          },
          {
            "timestamp": "2026-05-28 22:02:00,365",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a9c"
              }
            ],
            "repeated": 0,
            "id": 18956
          },
          {
            "timestamp": "2026-05-28 22:02:00,365",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000808"
              },
              {
                "name": "HandleName",
                "value": "C:\\Users\\admin\\AppData\\Local\\Microsoft\\Windows\\Explorer\\iconcache_idx.db"
              },
              {
                "name": "FileInformationClass",
                "value": "5",
                "pretty_value": "FileStandardInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\x00\\x80\\x00\\x00\\x00\\x00\\x00\\x000r\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 18957
          },
          {
            "timestamp": "2026-05-28 22:02:00,365",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a9c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000400",
                "pretty_value": "PROCESS_QUERY_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "7912"
              }
            ],
            "repeated": 0,
            "id": 18958
          },
          {
            "timestamp": "2026-05-28 22:02:00,365",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x00000a7c"
              }
            ],
            "repeated": 0,
            "id": 18959
          },
          {
            "timestamp": "2026-05-28 22:02:00,365",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": " \\xd9\\xdf\\x9d\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\xe9\\x03\\x00\\x00\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x99\\xdb\\xdf\\x9d\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00T\\x82*_\\xfc\\x7f\\x00\\x004\\x007\\x00e\\x008\\x008\\x00\\x00\\x00\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x000\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x98\\xda\\xdf\\x9d\\xf0\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 18960
          },
          {
            "timestamp": "2026-05-28 22:02:00,365",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "synchronization",
            "api": "NtCreateMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a84"
              },
              {
                "name": "MutexName",
                "value": "Global\\C::Users:admin:AppData:Local:Microsoft:Windows:Explorer:iconcache_idx.db!047e88"
              },
              {
                "name": "InitialOwner",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 18961
          },
          {
            "timestamp": "2026-05-28 22:02:00,365",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a7c"
              }
            ],
            "repeated": 0,
            "id": 18962
          },
          {
            "timestamp": "2026-05-28 22:02:00,365",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a9c"
              }
            ],
            "repeated": 0,
            "id": 18963
          },
          {
            "timestamp": "2026-05-28 22:02:00,365",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000a4c"
              },
              {
                "name": "HandleName",
                "value": "C:\\Users\\admin\\AppData\\Local\\Microsoft\\Windows\\Explorer\\iconcache_16.db"
              },
              {
                "name": "FileInformationClass",
                "value": "5",
                "pretty_value": "FileStandardInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 18964
          },
          {
            "timestamp": "2026-05-28 22:02:00,365",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a88"
              }
            ],
            "repeated": 0,
            "id": 18965
          },
          {
            "timestamp": "2026-05-28 22:02:00,365",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a88"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000400",
                "pretty_value": "PROCESS_QUERY_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "7912"
              }
            ],
            "repeated": 0,
            "id": 18966
          },
          {
            "timestamp": "2026-05-28 22:02:00,365",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x00000a9c"
              }
            ],
            "repeated": 0,
            "id": 18967
          },
          {
            "timestamp": "2026-05-28 22:02:00,365",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "0\\xd9\\xdf\\x9d\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\xe9\\x03\\x00\\x00\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xd0\\xd9\\xdf\\x9d\\xf0\\x00\\x00\\x00x\\xdb\\xdf\\x9d\\xf0\\x00\\x00\\x00\\x88~\\xb3T\\x92\\x02\\x00\\x00\\xb0\\xd9\\xdf\\x9d\\xf0\\x00\\x00\\x00\\x00\\xda\\xdf\\x9d\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xf0\\x00\\x00\\x00\\x00\\x00\\xafT\\x92\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00u\\xc0\\x00\\x00\\x00\\x00\\xafT\\x92\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 18968
          },
          {
            "timestamp": "2026-05-28 22:02:00,365",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "synchronization",
            "api": "NtCreateMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a7c"
              },
              {
                "name": "MutexName",
                "value": "Global\\C::Users:admin:AppData:Local:Microsoft:Windows:Explorer:iconcache_idx.db!rwReaderRefs"
              },
              {
                "name": "InitialOwner",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 18969
          },
          {
            "timestamp": "2026-05-28 22:02:00,365",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a9c"
              }
            ],
            "repeated": 0,
            "id": 18970
          },
          {
            "timestamp": "2026-05-28 22:02:00,365",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a88"
              }
            ],
            "repeated": 0,
            "id": 18971
          },
          {
            "timestamp": "2026-05-28 22:02:00,365",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a7c"
              }
            ],
            "repeated": 0,
            "id": 18972
          },
          {
            "timestamp": "2026-05-28 22:02:00,365",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a84"
              }
            ],
            "repeated": 0,
            "id": 18973
          },
          {
            "timestamp": "2026-05-28 22:02:00,365",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29255930002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 18974
          },
          {
            "timestamp": "2026-05-28 22:02:00,365",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29255930000"
              },
              {
                "name": "RegionSize",
                "value": "0x00505000"
              }
            ],
            "repeated": 0,
            "id": 18975
          },
          {
            "timestamp": "2026-05-28 22:02:00,365",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29255930002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 18976
          },
          {
            "timestamp": "2026-05-28 22:02:00,365",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29255930000"
              },
              {
                "name": "RegionSize",
                "value": "0x00505000"
              }
            ],
            "repeated": 0,
            "id": 18977
          },
          {
            "timestamp": "2026-05-28 22:02:00,365",
            "thread_id": "5448",
            "caller": "0x7ff6c28c3b16",
            "parentcaller": "0x7ff6c28c30e8",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a84"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000400",
                "pretty_value": "PROCESS_QUERY_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "9188"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe"
              }
            ],
            "repeated": 0,
            "id": 18978
          },
          {
            "timestamp": "2026-05-28 22:02:00,365",
            "thread_id": "5448",
            "caller": "0x7ff6c28c3b8f",
            "parentcaller": "0x7ff6c28c30e8",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a84"
              }
            ],
            "repeated": 0,
            "id": 18979
          },
          {
            "timestamp": "2026-05-28 22:02:00,365",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c38f8",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a84"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001410",
                "pretty_value": "PROCESS_VM_READ|PROCESS_QUERY_INFORMATION|PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "9188"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe"
              }
            ],
            "repeated": 0,
            "id": 18980
          },
          {
            "timestamp": "2026-05-28 22:02:00,365",
            "thread_id": "5448",
            "caller": "0x7ff6c28c53e5",
            "parentcaller": "0x7ff6c28c3945",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a84"
              },
              {
                "name": "BaseAddress",
                "value": "0xc818b26000"
              },
              {
                "name": "Size",
                "value": "0x000007c8"
              },
              {
                "name": "Buffer",
                "value": "\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00u4\\xf7\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00d\\x99\\xfb\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00f\\x99\\xfb\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xcd\\xf0\\xf5}\\x00\\x00(\\x02\\xce\\xf0\\xf5}\\x00\\x00P\\x06\\xcf\\xf0\\xf5}\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x80\\x9b\\x07m\\xe8\\xff\\xff\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x00 \\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 18981
          },
          {
            "timestamp": "2026-05-28 22:02:00,365",
            "thread_id": "5448",
            "caller": "0x7ff6c28c5414",
            "parentcaller": "0x7ff6c28c3945",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a84"
              },
              {
                "name": "BaseAddress",
                "value": "0x1fb99640000"
              },
              {
                "name": "Size",
                "value": "0x00000440"
              },
              {
                "name": "Buffer",
                "value": "\\x10\\x08\\x00\\x00\\x10\\x08\\x00\\x00\\x01`\\x00\\x00\\x00\\x00\\x00\\x00\\xfe\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00D\\x00\\x08\\x02\\x00\\x00\\x00\\x00@\\x04d\\x99\\xfb\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00x\\x00z\\x00\\x00\\x00\\x00\\x00H\\x06d\\x99\\xfb\\x01\\x00\\x00\\xb0\\x00\\xb2\\x00\\x00\\x00\\x00\\x00\\xc2\\x06d\\x99\\xfb\\x01\\x00\\x00\\x10\\x08d\\x99\\xfb\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00x\\x00z\\x00\\x00\\x00\\x00\\x00t\\x07d\\x99\\xfb\\x01\\x00\\x00\\x1e\\x00 \\x00\\x00\\x00\\x00\\x00\\xee\\x07d\\x99\\xfb\\x01\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x0e\\x08d\\x99\\xfb\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 18982
          },
          {
            "timestamp": "2026-05-28 22:02:00,365",
            "thread_id": "5448",
            "caller": "0x7ff6c28c545d",
            "parentcaller": "0x7ff6c28c3945",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a84"
              },
              {
                "name": "BaseAddress",
                "value": "0x1fb996406c2"
              },
              {
                "name": "Size",
                "value": "0x000000b0"
              },
              {
                "name": "Buffer",
                "value": "\"\\x00C\\x00:\\x00\\\\x00P\\x00r\\x00o\\x00g\\x00r\\x00a\\x00m\\x00 \\x00F\\x00i\\x00l\\x00e\\x00s\\x00 \\x00(\\x00x\\x008\\x006\\x00)\\x00\\\\x00M\\x00i\\x00c\\x00r\\x00o\\x00s\\x00o\\x00f\\x00t\\x00\\\\x00E\\x00d\\x00g\\x00e\\x00\\\\x00A\\x00p\\x00p\\x00l\\x00i\\x00c\\x00a\\x00t\\x00i\\x00o\\x00n\\x00\\\\x00m\\x00s\\x00e\\x00d\\x00g\\x00e\\x00.\\x00e\\x00x\\x00e\\x00\"\\x00 \\x00\"\\x00h\\x00t\\x00t\\x00p\\x00s\\x00:\\x00/\\x00/\\x00s\\x00u\\x00g\\x00a\\x00r\\x00c\\x00r\\x00a\\x00f\\x00t\\x00.\\x00n\\x00e\\x00t\\x00/\\x00\"\\x00"
              }
            ],
            "repeated": 0,
            "id": 18983
          },
          {
            "timestamp": "2026-05-28 22:02:00,365",
            "thread_id": "5448",
            "caller": "0x7ff6c28c39ad",
            "parentcaller": "0x7ff6c28c31bb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a84"
              }
            ],
            "repeated": 0,
            "id": 18984
          },
          {
            "timestamp": "2026-05-28 22:02:00,365",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c3746",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a84"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001000",
                "pretty_value": "PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "9188"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe"
              }
            ],
            "repeated": 0,
            "id": 18985
          },
          {
            "timestamp": "2026-05-28 22:02:00,365",
            "thread_id": "5448",
            "caller": "0x7ff6c28c472e",
            "parentcaller": "0x7ff6c28c375e",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a84"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x00000a7c"
              }
            ],
            "repeated": 0,
            "id": 18986
          },
          {
            "timestamp": "2026-05-28 22:02:00,365",
            "thread_id": "5448",
            "caller": "0x7ff6c28c4764",
            "parentcaller": "0x7ff6c28c375e",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "39"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 18987
          },
          {
            "timestamp": "2026-05-28 22:02:00,365",
            "thread_id": "5448",
            "caller": "0x7ff6c28c47ed",
            "parentcaller": "0x7ff6c28c375e",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "39"
              },
              {
                "name": "TokenInformation",
                "value": "\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x90\\xf8\\xe7T\\x92\\x02\\x00\\x00 \\x00 \\x00\\x00\\x00\\x00\\x00\\xb8\\xf8\\xe7T\\x92\\x02\\x00\\x00\\x02\\x00\\x00\\x00A\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xd8\\xf8\\xe7T\\x92\\x02\\x00\\x00T\\x00S\\x00A\\x00:\\x00/\\x00/\\x00P\\x00r\\x00o\\x00c\\x00U\\x00n\\x00i\\x00q\\x00u\\x00e\\x00\\x90\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x9f8\n\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 18988
          },
          {
            "timestamp": "2026-05-28 22:02:00,365",
            "thread_id": "5448",
            "caller": "0x7ff6c28c488d",
            "parentcaller": "0x7ff6c28c375e",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a7c"
              }
            ],
            "repeated": 0,
            "id": 18989
          },
          {
            "timestamp": "2026-05-28 22:02:00,365",
            "thread_id": "5448",
            "caller": "0x7ff6c28c3779",
            "parentcaller": "0x7ff6c28c31c6",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a84"
              }
            ],
            "repeated": 0,
            "id": 18990
          },
          {
            "timestamp": "2026-05-28 22:02:00,365",
            "thread_id": "1276",
            "caller": "0x7ff6c28d9214",
            "parentcaller": "0x00000000",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "0",
                "pretty_value": "ThreadBasicInformation"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x03\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xd0\\x87\\x9d\\xf0\\x00\\x00\\x00\\xe8\\x1e\\x00\\x00\\x00\\x00\\x00\\x00\\xfc\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\n\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "1276"
              }
            ],
            "repeated": 0,
            "id": 18991
          },
          {
            "timestamp": "2026-05-28 22:02:00,365",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000000",
                "pretty_value": "HKEY_CLASSES_ROOT"
              },
              {
                "name": "SubKey",
                "value": "CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_CLASSES_ROOT\\CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              }
            ],
            "repeated": 0,
            "id": 18992
          },
          {
            "timestamp": "2026-05-28 22:02:00,365",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "shell32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76730000"
              }
            ],
            "repeated": 0,
            "id": 18993
          },
          {
            "timestamp": "2026-05-28 22:02:00,365",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x7ffc76730000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "shell32.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 18994
          },
          {
            "timestamp": "2026-05-28 22:02:00,365",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "SHELL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc76730000"
              },
              {
                "name": "FunctionName",
                "value": "DllGetClassObject"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc767878f0"
              }
            ],
            "repeated": 0,
            "id": 18995
          },
          {
            "timestamp": "2026-05-28 22:02:00,365",
            "thread_id": "1276",
            "caller": "0x7ff6c28c27c9",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "synchronization",
            "api": "NtFindAtom",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "AtomName",
                "value": "{57086C23-86C6-478F-AFB2-236188C8F47F} 3"
              },
              {
                "name": "Atom",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 18996
          },
          {
            "timestamp": "2026-05-28 22:02:00,365",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6fb1",
            "parentcaller": "0x7ff6c28e0076",
            "category": "system",
            "api": "NtDelayExecution",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 18997
          },
          {
            "timestamp": "2026-05-28 22:02:00,365",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000000",
                "pretty_value": "HKEY_CLASSES_ROOT"
              },
              {
                "name": "SubKey",
                "value": "CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_CLASSES_ROOT\\CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              }
            ],
            "repeated": 0,
            "id": 18998
          },
          {
            "timestamp": "2026-05-28 22:02:00,365",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "shell32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76730000"
              }
            ],
            "repeated": 0,
            "id": 18999
          },
          {
            "timestamp": "2026-05-28 22:02:00,365",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x7ffc76730000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "shell32.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 19000
          },
          {
            "timestamp": "2026-05-28 22:02:00,365",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "SHELL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc76730000"
              },
              {
                "name": "FunctionName",
                "value": "DllGetClassObject"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc767878f0"
              }
            ],
            "repeated": 0,
            "id": 19001
          },
          {
            "timestamp": "2026-05-28 22:02:00,365",
            "thread_id": "1276",
            "caller": "0x7ff6c28c27c9",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "synchronization",
            "api": "NtFindAtom",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "AtomName",
                "value": "{57086C23-86C6-478F-AFB2-236188C8F47F} 3"
              },
              {
                "name": "Atom",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 19002
          },
          {
            "timestamp": "2026-05-28 22:02:00,365",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000000",
                "pretty_value": "HKEY_CLASSES_ROOT"
              },
              {
                "name": "SubKey",
                "value": "CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_CLASSES_ROOT\\CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              }
            ],
            "repeated": 0,
            "id": 19003
          },
          {
            "timestamp": "2026-05-28 22:02:00,365",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "shell32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76730000"
              }
            ],
            "repeated": 0,
            "id": 19004
          },
          {
            "timestamp": "2026-05-28 22:02:00,365",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x7ffc76730000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "shell32.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 19005
          },
          {
            "timestamp": "2026-05-28 22:02:00,365",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "SHELL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc76730000"
              },
              {
                "name": "FunctionName",
                "value": "DllGetClassObject"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc767878f0"
              }
            ],
            "repeated": 0,
            "id": 19006
          },
          {
            "timestamp": "2026-05-28 22:02:00,365",
            "thread_id": "1276",
            "caller": "0x7ff6c28c27c9",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "synchronization",
            "api": "NtFindAtom",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "AtomName",
                "value": "{57086C23-86C6-478F-AFB2-236188C8F47F} 3"
              },
              {
                "name": "Atom",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 19007
          },
          {
            "timestamp": "2026-05-28 22:02:00,365",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000000",
                "pretty_value": "HKEY_CLASSES_ROOT"
              },
              {
                "name": "SubKey",
                "value": "CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_CLASSES_ROOT\\CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              }
            ],
            "repeated": 0,
            "id": 19008
          },
          {
            "timestamp": "2026-05-28 22:02:00,365",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "shell32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76730000"
              }
            ],
            "repeated": 0,
            "id": 19009
          },
          {
            "timestamp": "2026-05-28 22:02:00,365",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x7ffc76730000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "shell32.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 19010
          },
          {
            "timestamp": "2026-05-28 22:02:00,365",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "SHELL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc76730000"
              },
              {
                "name": "FunctionName",
                "value": "DllGetClassObject"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc767878f0"
              }
            ],
            "repeated": 0,
            "id": 19011
          },
          {
            "timestamp": "2026-05-28 22:02:00,365",
            "thread_id": "1276",
            "caller": "0x7ff6c28c27c9",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "synchronization",
            "api": "NtFindAtom",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "AtomName",
                "value": "{57086C23-86C6-478F-AFB2-236188C8F47F} 3"
              },
              {
                "name": "Atom",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 19012
          },
          {
            "timestamp": "2026-05-28 22:02:00,365",
            "thread_id": "1276",
            "caller": "0x7ff6c28d9322",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "oleaut32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc77330000"
              }
            ],
            "repeated": 0,
            "id": 19013
          },
          {
            "timestamp": "2026-05-28 22:02:00,365",
            "thread_id": "5448",
            "caller": "0x7ff6c28bb952",
            "parentcaller": "0x7ff6c28be837",
            "category": "windows",
            "api": "PostMessageW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "WindowHandle",
                "value": "0x00010402"
              },
              {
                "name": "Message",
                "value": "0x00000464"
              }
            ],
            "repeated": 0,
            "id": 19014
          },
          {
            "timestamp": "2026-05-28 22:02:00,365",
            "thread_id": "608",
            "caller": "0x7ff6c28d9e90",
            "parentcaller": "0x7ff6c28d9a49",
            "category": "windows",
            "api": "FindWindowW",
            "status": true,
            "return": "0x00010092",
            "arguments": [
              {
                "name": "ClassName",
                "value": "Shell_TrayWnd"
              },
              {
                "name": "WindowName",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 19015
          },
          {
            "timestamp": "2026-05-28 22:02:00,365",
            "thread_id": "1276",
            "caller": "0x7ffc77bf0e98",
            "parentcaller": "0x7ffc77c6b785",
            "category": "windows",
            "api": "PostMessageW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "WindowHandle",
                "value": "0x00010438"
              },
              {
                "name": "Message",
                "value": "0x00000400"
              }
            ],
            "repeated": 0,
            "id": 19016
          },
          {
            "timestamp": "2026-05-28 22:02:00,365",
            "thread_id": "1496",
            "caller": "0x7ff6c28da9db",
            "parentcaller": "0x7ff6c28d6fb1",
            "category": "misc",
            "api": "GetCursorPos",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "x",
                "value": "578"
              },
              {
                "name": "y",
                "value": "371"
              }
            ],
            "repeated": 0,
            "id": 19017
          },
          {
            "timestamp": "2026-05-28 22:02:00,365",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6fb1",
            "parentcaller": "0x7ff6c28e0076",
            "category": "system",
            "api": "NtDelayExecution",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 19018
          },
          {
            "timestamp": "2026-05-28 22:02:00,365",
            "thread_id": "1496",
            "caller": "0x7ff6c28da9db",
            "parentcaller": "0x7ff6c28d6fb1",
            "category": "misc",
            "api": "GetCursorPos",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "x",
                "value": "578"
              },
              {
                "name": "y",
                "value": "372"
              }
            ],
            "repeated": 0,
            "id": 19019
          },
          {
            "timestamp": "2026-05-28 22:02:00,365",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6fb1",
            "parentcaller": "0x7ff6c28e0076",
            "category": "system",
            "api": "NtDelayExecution",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 19020
          },
          {
            "timestamp": "2026-05-28 22:02:00,381",
            "thread_id": "1496",
            "caller": "0x7ff6c28da9db",
            "parentcaller": "0x7ff6c28d6fb1",
            "category": "misc",
            "api": "GetCursorPos",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "x",
                "value": "578"
              },
              {
                "name": "y",
                "value": "375"
              }
            ],
            "repeated": 0,
            "id": 19021
          },
          {
            "timestamp": "2026-05-28 22:02:00,381",
            "thread_id": "1496",
            "caller": "0x7ff6c28da9db",
            "parentcaller": "0x7ff6c28d6fb1",
            "category": "misc",
            "api": "GetCursorPos",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "x",
                "value": "578"
              },
              {
                "name": "y",
                "value": "377"
              }
            ],
            "repeated": 0,
            "id": 19022
          },
          {
            "timestamp": "2026-05-28 22:02:00,381",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6fb1",
            "parentcaller": "0x7ff6c28e0076",
            "category": "system",
            "api": "NtDelayExecution",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 19023
          },
          {
            "timestamp": "2026-05-28 22:02:00,412",
            "thread_id": "1496",
            "caller": "0x7ff6c28da9db",
            "parentcaller": "0x7ff6c28d6fb1",
            "category": "misc",
            "api": "GetCursorPos",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "x",
                "value": "575"
              },
              {
                "name": "y",
                "value": "394"
              }
            ],
            "repeated": 0,
            "id": 19024
          },
          {
            "timestamp": "2026-05-28 22:02:00,412",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6fb1",
            "parentcaller": "0x7ff6c28e0076",
            "category": "system",
            "api": "NtDelayExecution",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 19025
          },
          {
            "timestamp": "2026-05-28 22:02:00,459",
            "thread_id": "1496",
            "caller": "0x7ff6c28da9db",
            "parentcaller": "0x7ff6c28d6fb1",
            "category": "misc",
            "api": "GetCursorPos",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "x",
                "value": "572"
              },
              {
                "name": "y",
                "value": "413"
              }
            ],
            "repeated": 1,
            "id": 19026
          },
          {
            "timestamp": "2026-05-28 22:02:00,459",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6fb1",
            "parentcaller": "0x7ff6c28e0076",
            "category": "system",
            "api": "NtDelayExecution",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 19027
          },
          {
            "timestamp": "2026-05-28 22:02:00,459",
            "thread_id": "1496",
            "caller": "0x7ff6c28da9db",
            "parentcaller": "0x7ff6c28d6fb1",
            "category": "misc",
            "api": "GetCursorPos",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "x",
                "value": "572"
              },
              {
                "name": "y",
                "value": "415"
              }
            ],
            "repeated": 0,
            "id": 19028
          },
          {
            "timestamp": "2026-05-28 22:02:00,459",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6fb1",
            "parentcaller": "0x7ff6c28e0076",
            "category": "system",
            "api": "NtDelayExecution",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 19029
          },
          {
            "timestamp": "2026-05-28 22:02:00,459",
            "thread_id": "1496",
            "caller": "0x7ff6c28da9db",
            "parentcaller": "0x7ff6c28d6fb1",
            "category": "misc",
            "api": "GetCursorPos",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "x",
                "value": "572"
              },
              {
                "name": "y",
                "value": "417"
              }
            ],
            "repeated": 0,
            "id": 19030
          },
          {
            "timestamp": "2026-05-28 22:02:00,459",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6fb1",
            "parentcaller": "0x7ff6c28e0076",
            "category": "system",
            "api": "NtDelayExecution",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 19031
          },
          {
            "timestamp": "2026-05-28 22:02:00,475",
            "thread_id": "1276",
            "caller": "0x7ffc77bf0e98",
            "parentcaller": "0x7ffc77c6b785",
            "category": "windows",
            "api": "PostMessageW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "WindowHandle",
                "value": "0x00010424"
              },
              {
                "name": "Message",
                "value": "0x00000400"
              }
            ],
            "repeated": 0,
            "id": 19032
          },
          {
            "timestamp": "2026-05-28 22:02:00,475",
            "thread_id": "1496",
            "caller": "0x7ff6c28da9db",
            "parentcaller": "0x7ff6c28d6fb1",
            "category": "misc",
            "api": "GetCursorPos",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "x",
                "value": "572"
              },
              {
                "name": "y",
                "value": "418"
              }
            ],
            "repeated": 0,
            "id": 19033
          },
          {
            "timestamp": "2026-05-28 22:02:00,475",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6fb1",
            "parentcaller": "0x7ff6c28e0076",
            "category": "system",
            "api": "NtDelayExecution",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 19034
          },
          {
            "timestamp": "2026-05-28 22:02:00,475",
            "thread_id": "1496",
            "caller": "0x7ff6c28da9db",
            "parentcaller": "0x7ff6c28d6fb1",
            "category": "misc",
            "api": "GetCursorPos",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "x",
                "value": "572"
              },
              {
                "name": "y",
                "value": "419"
              }
            ],
            "repeated": 0,
            "id": 19035
          },
          {
            "timestamp": "2026-05-28 22:02:00,475",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6fb1",
            "parentcaller": "0x7ff6c28e0076",
            "category": "system",
            "api": "NtDelayExecution",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 19036
          },
          {
            "timestamp": "2026-05-28 22:02:00,521",
            "thread_id": "1496",
            "caller": "0x7ff6c28da9db",
            "parentcaller": "0x7ff6c28d6fb1",
            "category": "misc",
            "api": "GetCursorPos",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "x",
                "value": "572"
              },
              {
                "name": "y",
                "value": "424"
              }
            ],
            "repeated": 1,
            "id": 19037
          },
          {
            "timestamp": "2026-05-28 22:02:00,521",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6fb1",
            "parentcaller": "0x7ff6c28e0076",
            "category": "system",
            "api": "NtDelayExecution",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 19038
          },
          {
            "timestamp": "2026-05-28 22:02:00,537",
            "thread_id": "1496",
            "caller": "0x7ff6c28da9db",
            "parentcaller": "0x7ff6c28d6fb1",
            "category": "misc",
            "api": "GetCursorPos",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "x",
                "value": "572"
              },
              {
                "name": "y",
                "value": "426"
              }
            ],
            "repeated": 0,
            "id": 19039
          },
          {
            "timestamp": "2026-05-28 22:02:00,537",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6fb1",
            "parentcaller": "0x7ff6c28e0076",
            "category": "system",
            "api": "NtDelayExecution",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 19040
          },
          {
            "timestamp": "2026-05-28 22:02:00,568",
            "thread_id": "1496",
            "caller": "0x7ff6c28da9db",
            "parentcaller": "0x7ff6c28d6fb1",
            "category": "misc",
            "api": "GetCursorPos",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "x",
                "value": "572"
              },
              {
                "name": "y",
                "value": "430"
              }
            ],
            "repeated": 0,
            "id": 19041
          },
          {
            "timestamp": "2026-05-28 22:02:00,568",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6fb1",
            "parentcaller": "0x7ff6c28e0076",
            "category": "system",
            "api": "NtDelayExecution",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 19042
          },
          {
            "timestamp": "2026-05-28 22:02:00,600",
            "thread_id": "1496",
            "caller": "0x7ff6c28da9db",
            "parentcaller": "0x7ff6c28d6fb1",
            "category": "misc",
            "api": "GetCursorPos",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "x",
                "value": "573"
              },
              {
                "name": "y",
                "value": "438"
              }
            ],
            "repeated": 0,
            "id": 19043
          },
          {
            "timestamp": "2026-05-28 22:02:00,600",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6fb1",
            "parentcaller": "0x7ff6c28e0076",
            "category": "system",
            "api": "NtDelayExecution",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 19044
          },
          {
            "timestamp": "2026-05-28 22:02:00,646",
            "thread_id": "1496",
            "caller": "0x7ff6c28da9db",
            "parentcaller": "0x7ff6c28d6fb1",
            "category": "misc",
            "api": "GetCursorPos",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "x",
                "value": "575"
              },
              {
                "name": "y",
                "value": "442"
              }
            ],
            "repeated": 1,
            "id": 19045
          },
          {
            "timestamp": "2026-05-28 22:02:00,646",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6fb1",
            "parentcaller": "0x7ff6c28e0076",
            "category": "system",
            "api": "NtDelayExecution",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 19046
          },
          {
            "timestamp": "2026-05-28 22:02:00,756",
            "thread_id": "1496",
            "caller": "0x7ff6c28da9db",
            "parentcaller": "0x7ff6c28d6fb1",
            "category": "misc",
            "api": "GetCursorPos",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "x",
                "value": "575"
              },
              {
                "name": "y",
                "value": "443"
              }
            ],
            "repeated": 0,
            "id": 19047
          },
          {
            "timestamp": "2026-05-28 22:02:00,756",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6fb1",
            "parentcaller": "0x7ff6c28e0076",
            "category": "system",
            "api": "NtDelayExecution",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 19048
          },
          {
            "timestamp": "2026-05-28 22:02:00,771",
            "thread_id": "1496",
            "caller": "0x7ff6c28da9db",
            "parentcaller": "0x7ff6c28d6fb1",
            "category": "misc",
            "api": "GetCursorPos",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "x",
                "value": "575"
              },
              {
                "name": "y",
                "value": "444"
              }
            ],
            "repeated": 0,
            "id": 19049
          },
          {
            "timestamp": "2026-05-28 22:02:00,771",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6fb1",
            "parentcaller": "0x7ff6c28e0076",
            "category": "system",
            "api": "NtDelayExecution",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 19050
          },
          {
            "timestamp": "2026-05-28 22:02:00,834",
            "thread_id": "1496",
            "caller": "0x7ff6c28da9db",
            "parentcaller": "0x7ff6c28d6fb1",
            "category": "misc",
            "api": "GetCursorPos",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "x",
                "value": "576"
              },
              {
                "name": "y",
                "value": "446"
              }
            ],
            "repeated": 0,
            "id": 19051
          },
          {
            "timestamp": "2026-05-28 22:02:00,834",
            "thread_id": "1496",
            "caller": "0x7ff6c28da9db",
            "parentcaller": "0x7ff6c28d6fb1",
            "category": "misc",
            "api": "GetCursorPos",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "x",
                "value": "577"
              },
              {
                "name": "y",
                "value": "446"
              }
            ],
            "repeated": 0,
            "id": 19052
          },
          {
            "timestamp": "2026-05-28 22:02:00,834",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6fb1",
            "parentcaller": "0x7ff6c28e0076",
            "category": "system",
            "api": "NtDelayExecution",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 19053
          },
          {
            "timestamp": "2026-05-28 22:02:00,834",
            "thread_id": "1496",
            "caller": "0x7ff6c28da9db",
            "parentcaller": "0x7ff6c28d6fb1",
            "category": "misc",
            "api": "GetCursorPos",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "x",
                "value": "577"
              },
              {
                "name": "y",
                "value": "447"
              }
            ],
            "repeated": 0,
            "id": 19054
          },
          {
            "timestamp": "2026-05-28 22:02:00,834",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6fb1",
            "parentcaller": "0x7ff6c28e0076",
            "category": "system",
            "api": "NtDelayExecution",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 19055
          },
          {
            "timestamp": "2026-05-28 22:02:00,834",
            "thread_id": "1496",
            "caller": "0x7ff6c28da9db",
            "parentcaller": "0x7ff6c28d6fb1",
            "category": "misc",
            "api": "GetCursorPos",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "x",
                "value": "577"
              },
              {
                "name": "y",
                "value": "448"
              }
            ],
            "repeated": 0,
            "id": 19056
          },
          {
            "timestamp": "2026-05-28 22:02:00,881",
            "thread_id": "1496",
            "caller": "0x7ff6c28da9db",
            "parentcaller": "0x7ff6c28d6fb1",
            "category": "misc",
            "api": "GetCursorPos",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "x",
                "value": "578"
              },
              {
                "name": "y",
                "value": "451"
              }
            ],
            "repeated": 0,
            "id": 19057
          },
          {
            "timestamp": "2026-05-28 22:02:00,881",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6fb1",
            "parentcaller": "0x7ff6c28e0076",
            "category": "system",
            "api": "NtDelayExecution",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 19058
          },
          {
            "timestamp": "2026-05-28 22:02:00,912",
            "thread_id": "1496",
            "caller": "0x7ff6c28da9db",
            "parentcaller": "0x7ff6c28d6fb1",
            "category": "misc",
            "api": "GetCursorPos",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "x",
                "value": "579"
              },
              {
                "name": "y",
                "value": "451"
              }
            ],
            "repeated": 0,
            "id": 19059
          },
          {
            "timestamp": "2026-05-28 22:02:00,912",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6fb1",
            "parentcaller": "0x7ff6c28e0076",
            "category": "system",
            "api": "NtDelayExecution",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 19060
          },
          {
            "timestamp": "2026-05-28 22:02:01,193",
            "thread_id": "1496",
            "caller": "0x7ff6c28da9db",
            "parentcaller": "0x7ff6c28d6fb1",
            "category": "misc",
            "api": "GetCursorPos",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "x",
                "value": "579"
              },
              {
                "name": "y",
                "value": "450"
              }
            ],
            "repeated": 0,
            "id": 19061
          },
          {
            "timestamp": "2026-05-28 22:02:01,193",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6fb1",
            "parentcaller": "0x7ff6c28e0076",
            "category": "system",
            "api": "NtDelayExecution",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 19062
          },
          {
            "timestamp": "2026-05-28 22:02:01,193",
            "thread_id": "1496",
            "caller": "0x7ff6c28da9db",
            "parentcaller": "0x7ff6c28d6fb1",
            "category": "misc",
            "api": "GetCursorPos",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "x",
                "value": "579"
              },
              {
                "name": "y",
                "value": "449"
              }
            ],
            "repeated": 0,
            "id": 19063
          },
          {
            "timestamp": "2026-05-28 22:02:01,193",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6fb1",
            "parentcaller": "0x7ff6c28e0076",
            "category": "system",
            "api": "NtDelayExecution",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 19064
          },
          {
            "timestamp": "2026-05-28 22:02:01,193",
            "thread_id": "1496",
            "caller": "0x7ff6c28da9db",
            "parentcaller": "0x7ff6c28d6fb1",
            "category": "misc",
            "api": "GetCursorPos",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "x",
                "value": "580"
              },
              {
                "name": "y",
                "value": "449"
              }
            ],
            "repeated": 0,
            "id": 19065
          },
          {
            "timestamp": "2026-05-28 22:02:01,193",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6fb1",
            "parentcaller": "0x7ff6c28e0076",
            "category": "system",
            "api": "NtDelayExecution",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 19066
          },
          {
            "timestamp": "2026-05-28 22:02:01,209",
            "thread_id": "1496",
            "caller": "0x7ff6c28da9db",
            "parentcaller": "0x7ff6c28d6fb1",
            "category": "misc",
            "api": "GetCursorPos",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "x",
                "value": "580"
              },
              {
                "name": "y",
                "value": "448"
              }
            ],
            "repeated": 0,
            "id": 19067
          },
          {
            "timestamp": "2026-05-28 22:02:01,209",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6fb1",
            "parentcaller": "0x7ff6c28e0076",
            "category": "system",
            "api": "NtDelayExecution",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 19068
          },
          {
            "timestamp": "2026-05-28 22:02:01,209",
            "thread_id": "1496",
            "caller": "0x7ff6c28da9db",
            "parentcaller": "0x7ff6c28d6fb1",
            "category": "misc",
            "api": "GetCursorPos",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "x",
                "value": "582"
              },
              {
                "name": "y",
                "value": "448"
              }
            ],
            "repeated": 0,
            "id": 19069
          },
          {
            "timestamp": "2026-05-28 22:02:01,209",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6fb1",
            "parentcaller": "0x7ff6c28e0076",
            "category": "system",
            "api": "NtDelayExecution",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 19070
          },
          {
            "timestamp": "2026-05-28 22:02:01,209",
            "thread_id": "1496",
            "caller": "0x7ff6c28da9db",
            "parentcaller": "0x7ff6c28d6fb1",
            "category": "misc",
            "api": "GetCursorPos",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "x",
                "value": "582"
              },
              {
                "name": "y",
                "value": "447"
              }
            ],
            "repeated": 0,
            "id": 19071
          },
          {
            "timestamp": "2026-05-28 22:02:01,209",
            "thread_id": "1496",
            "caller": "0x7ff6c28da9db",
            "parentcaller": "0x7ff6c28d6fb1",
            "category": "misc",
            "api": "GetCursorPos",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "x",
                "value": "583"
              },
              {
                "name": "y",
                "value": "446"
              }
            ],
            "repeated": 0,
            "id": 19072
          },
          {
            "timestamp": "2026-05-28 22:02:01,209",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6fb1",
            "parentcaller": "0x7ff6c28e0076",
            "category": "system",
            "api": "NtDelayExecution",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 19073
          },
          {
            "timestamp": "2026-05-28 22:02:01,225",
            "thread_id": "1496",
            "caller": "0x7ff6c28da9db",
            "parentcaller": "0x7ff6c28d6fb1",
            "category": "misc",
            "api": "GetCursorPos",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "x",
                "value": "583"
              },
              {
                "name": "y",
                "value": "445"
              }
            ],
            "repeated": 0,
            "id": 19074
          },
          {
            "timestamp": "2026-05-28 22:02:01,225",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6fb1",
            "parentcaller": "0x7ff6c28e0076",
            "category": "system",
            "api": "NtDelayExecution",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 19075
          },
          {
            "timestamp": "2026-05-28 22:02:01,225",
            "thread_id": "1496",
            "caller": "0x7ff6c28da9db",
            "parentcaller": "0x7ff6c28d6fb1",
            "category": "misc",
            "api": "GetCursorPos",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "x",
                "value": "584"
              },
              {
                "name": "y",
                "value": "444"
              }
            ],
            "repeated": 0,
            "id": 19076
          },
          {
            "timestamp": "2026-05-28 22:02:01,225",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6fb1",
            "parentcaller": "0x7ff6c28e0076",
            "category": "system",
            "api": "NtDelayExecution",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 19077
          },
          {
            "timestamp": "2026-05-28 22:02:01,225",
            "thread_id": "1496",
            "caller": "0x7ff6c28da9db",
            "parentcaller": "0x7ff6c28d6fb1",
            "category": "misc",
            "api": "GetCursorPos",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "x",
                "value": "585"
              },
              {
                "name": "y",
                "value": "444"
              }
            ],
            "repeated": 0,
            "id": 19078
          },
          {
            "timestamp": "2026-05-28 22:02:01,225",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6fb1",
            "parentcaller": "0x7ff6c28e0076",
            "category": "system",
            "api": "NtDelayExecution",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 19079
          },
          {
            "timestamp": "2026-05-28 22:02:01,225",
            "thread_id": "1496",
            "caller": "0x7ff6c28da9db",
            "parentcaller": "0x7ff6c28d6fb1",
            "category": "misc",
            "api": "GetCursorPos",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "x",
                "value": "586"
              },
              {
                "name": "y",
                "value": "443"
              }
            ],
            "repeated": 0,
            "id": 19080
          },
          {
            "timestamp": "2026-05-28 22:02:01,225",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6fb1",
            "parentcaller": "0x7ff6c28e0076",
            "category": "system",
            "api": "NtDelayExecution",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 19081
          },
          {
            "timestamp": "2026-05-28 22:02:01,271",
            "thread_id": "1496",
            "caller": "0x7ff6c28da9db",
            "parentcaller": "0x7ff6c28d6fb1",
            "category": "misc",
            "api": "GetCursorPos",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "x",
                "value": "592"
              },
              {
                "name": "y",
                "value": "438"
              }
            ],
            "repeated": 1,
            "id": 19082
          },
          {
            "timestamp": "2026-05-28 22:02:01,271",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6fb1",
            "parentcaller": "0x7ff6c28e0076",
            "category": "system",
            "api": "NtDelayExecution",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 19083
          },
          {
            "timestamp": "2026-05-28 22:02:01,318",
            "thread_id": "1496",
            "caller": "0x7ff6c28da9db",
            "parentcaller": "0x7ff6c28d6fb1",
            "category": "misc",
            "api": "GetCursorPos",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "x",
                "value": "597"
              },
              {
                "name": "y",
                "value": "434"
              }
            ],
            "repeated": 1,
            "id": 19084
          },
          {
            "timestamp": "2026-05-28 22:02:01,318",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6fb1",
            "parentcaller": "0x7ff6c28e0076",
            "category": "system",
            "api": "NtDelayExecution",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 19085
          },
          {
            "timestamp": "2026-05-28 22:02:01,350",
            "thread_id": "1496",
            "caller": "0x7ff6c28da9db",
            "parentcaller": "0x7ff6c28d6fb1",
            "category": "misc",
            "api": "GetCursorPos",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "x",
                "value": "598"
              },
              {
                "name": "y",
                "value": "433"
              }
            ],
            "repeated": 1,
            "id": 19086
          },
          {
            "timestamp": "2026-05-28 22:02:01,350",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6fb1",
            "parentcaller": "0x7ff6c28e0076",
            "category": "system",
            "api": "NtDelayExecution",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 19087
          },
          {
            "timestamp": "2026-05-28 22:02:01,365",
            "thread_id": "5448",
            "caller": "0x7ff6c28bd9af",
            "parentcaller": "0x7ff6c28d9f92",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "23"
              },
              {
                "name": "ThreadInformation",
                "value": "\\xe2\\xcd\\x9dQ\\x00\\x00\\x00\\x00\\x02\\x92\\x98hB\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "5448"
              }
            ],
            "repeated": 0,
            "id": 19088
          },
          {
            "timestamp": "2026-05-28 22:02:01,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28c4a58",
            "parentcaller": "0x7ff6c28bab11",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000410"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\PcwDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00224013"
              },
              {
                "name": "InputBuffer",
                "value": "\\x88\\x08\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": "x\\x02\\x00\\x00\\x10\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00h\\x02\\x00\\x00 \\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01<\\x06\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x90\\x00\\x00\\x00\\x00\\x00\\x00\\x00 \\x00\\x00\\x00\\x07\\x00\\x00\\x000\\x00,\\x000\\x00\\x00\\x00a\\x00n\\x00a\\x00g\\x00\\x10\\x00\\x00\\x00\\x10\\x00\\x04\\x00\\x00\\x00\\x00\\x00A\\x00p\\x00\\x10\\x00\\x00\\x00\\x1a\\x00\\x08\\x00c\\xfb&\\x81\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x1b\\x00\\x04\\x00\\xe7\\xc4\\xad\\x02S\\x00e\\x00\\x10\\x00\\x00\\x00\\x1c\\x00\\x08\\x00\\x8b\\xc2\\xc4\\x08\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x1d\\x00\\x04\\x00\\xe7\\xc4\\xad\\x02)\\x00\\x00\\x00\\x10\\x00\\x00\\x00!\\x00\\x08\\x00\\x1b\\x84\\x8d\\x98\\x12\\x00\\x00\\x00\\x10\\x00\\x00\\x00\"\\x00\\x04\\x00<\\xa1J\\x01o\\x00f\\x00\\x90\\x00\\x00\\x00\\x01\\x00\\x00\\x00 \\x00\\x00\\x00\\x07\\x00\\x00\\x000\\x00,\\x001\\x00\\x00\\x00n\\x00t\\x00\\x00\\x00A\\x00\\x10\\x00\\x00\\x00\\x10\\x00\\x04\\x00\\x00\\x00\\x00\\x00e\\x00n\\x00\\x10\\x00\\x00\\x00\\x1a\\x00\\x08\\x00<]w\\x80\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 19089
          },
          {
            "timestamp": "2026-05-28 22:02:01,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28c7164",
            "parentcaller": "0x7ff6c28c4d2d",
            "category": "misc",
            "api": "NtQuerySystemInformation",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "SystemInformationClass",
                "value": "79"
              }
            ],
            "repeated": 0,
            "id": 19090
          },
          {
            "timestamp": "2026-05-28 22:02:01,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28c71d8",
            "parentcaller": "0x7ff6c28c4d2d",
            "category": "misc",
            "api": "NtQuerySystemInformation",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SystemInformationClass",
                "value": "79"
              }
            ],
            "repeated": 0,
            "id": 19091
          },
          {
            "timestamp": "2026-05-28 22:02:01,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28c4d5f",
            "parentcaller": "0x7ff6c28d9152",
            "category": "misc",
            "api": "NtQuerySystemInformation",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SystemInformationClass",
                "value": "182"
              }
            ],
            "repeated": 0,
            "id": 19092
          },
          {
            "timestamp": "2026-05-28 22:02:01,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28c4d76",
            "parentcaller": "0x7ff6c28d9152",
            "category": "misc",
            "api": "GetPhysicallyInstalledSystemMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TotalMemoryInKilobytes",
                "value": "8388608"
              }
            ],
            "repeated": 0,
            "id": 19093
          },
          {
            "timestamp": "2026-05-28 22:02:01,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28bcc3e",
            "parentcaller": "0x7ff6c28baa3d",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000008a4"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\Nsi"
              },
              {
                "name": "IoControlCode",
                "value": "0x00120007"
              },
              {
                "name": "InputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb1\\xa9t\\xfc\\x7f\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xc0\\xe5O\\x9e\\xf0\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb1\\xa9t\\xfc\\x7f\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xc0\\xe5O\\x9e\\xf0\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 19094
          },
          {
            "timestamp": "2026-05-28 22:02:01,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28bcc3e",
            "parentcaller": "0x7ff6c28baa3d",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a84"
              }
            ],
            "repeated": 0,
            "id": 19095
          },
          {
            "timestamp": "2026-05-28 22:02:01,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28bcc3e",
            "parentcaller": "0x7ff6c28baa3d",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000008a4"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\Nsi"
              },
              {
                "name": "IoControlCode",
                "value": "0x0012000f"
              },
              {
                "name": "InputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb1\\xa9t\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xd0\\xe5O\\x9e\\xf0\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\xeeO\\x9e\\xf0\\x00\\x00\\x00D\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xe6O\\x9e\\xf0\\x00\\x00\\x00\\xd8\\x00\\x00\\x00\\x00\\x00\\x00\\x00 \\xe9O\\x9e\\xf0\\x00\\x00\\x00X\\x02\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb1\\xa9t\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xd0\\xe5O\\x9e\\xf0\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\xeeO\\x9e\\xf0\\x00\\x00\\x00D\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xe6O\\x9e\\xf0\\x00\\x00\\x00\\xd8\\x00\\x00\\x00\\x00\\x00\\x00\\x00 \\xe9O\\x9e\\xf0\\x00\\x00\\x00X\\x02\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 19096
          },
          {
            "timestamp": "2026-05-28 22:02:01,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28bcc3e",
            "parentcaller": "0x7ff6c28baa3d",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a84"
              }
            ],
            "repeated": 0,
            "id": 19097
          },
          {
            "timestamp": "2026-05-28 22:02:01,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28bcd3d",
            "parentcaller": "0x7ff6c28baa3d",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000a84"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0012019f",
                "pretty_value": "FILE_GENERIC_READ|FILE_GENERIC_WRITE"
              },
              {
                "name": "FileName",
                "value": "\\Device\\{4C572733-2FBA-4346-9601-F86DBA666EF2}"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 19098
          },
          {
            "timestamp": "2026-05-28 22:02:01,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28bcd94",
            "parentcaller": "0x7ff6c28baa3d",
            "category": "device",
            "api": "DeviceIoControl",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "DeviceHandle",
                "value": "0x00000a84"
              },
              {
                "name": "IoControlCode",
                "value": "0x0017003e"
              },
              {
                "name": "InBuffer",
                "value": "\\x07\\x01\\x01\\x00\\x04\\x01\\x01\\x80\\x14\\x01\\x01\\x80\\x01\\x01\\x02\\x00\\x02\\x01\\x02\\x00\\x03\\x01\\x02\\x00\\x04\\x01\\x02\\x00\\x08\\x02\\x02\\x80\\x01\\x02\\x02\\x80\\x07\\x02\\x02\\x80\\xff\\xff\\xff\\x80\\x13\\x02\\x02\\x80\\x14\\x02\\x02\\x80\\x15\\x02\\x02\\x80\\x02\\x02\\x01\\x80"
              },
              {
                "name": "OutBuffer",
                "value": "\\x07\\x01\\x01\\x00\\x04\\x00\\x00\\x00\\x80\\x96\\x98\\x00\\x04\\x01\\x01\\x80\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x14\\x01\\x01\\x80\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x01\\x02\\x00\\x08\\x00\\x00\\x00g\\x0c\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x01\\x02\\x00\\x08\\x00\\x00\\x00\\x82A\\x00\\x00\\x00\\x00\\x00\\x00\\x03\\x01\\x02\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x04\\x01\\x02\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x08\\x02\\x02\\x80\\x08\\x00\\x00\\x00}A\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x02\\x02\\x80\\x08\\x00\\x00\\x00\\x8d\\x1b<\\x00\\x00\\x00\\x00\\x00\\x07\\x02\\x02\\x80\\x08\\x00\\x00\\x00/rD\\x01\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\x80\\x04\\x00\\x00\\x00C\\x00\\x00\\x00\\x13\\x02\\x02\\x80\\x04\\x00\\x00\\x00m\\x00\\x00\\x00\\x14\\x02\\x02\\x80\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x15\\x02\\x02\\x80\\x04\\x00\\x00\\x00\\x00\\x00\\x04\\x00\\x02\\x02\\x01\\x80\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 19099
          },
          {
            "timestamp": "2026-05-28 22:02:01,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28bcdab",
            "parentcaller": "0x7ff6c28baa3d",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a84"
              }
            ],
            "repeated": 0,
            "id": 19100
          },
          {
            "timestamp": "2026-05-28 22:02:01,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28c1a63",
            "parentcaller": "0x7ff6c28d9152",
            "category": "device",
            "api": "DeviceIoControl",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "DeviceHandle",
                "value": "0x0000089c"
              },
              {
                "name": "IoControlCode",
                "value": "0x00070020"
              },
              {
                "name": "InBuffer",
                "value": ""
              },
              {
                "name": "OutBuffer",
                "value": "\\x00^\\xe3]\\x00\\x00\\x00\\x00\\x00:v\\x08\\x00\\x00\\x00\\x00@\\x1b\\xba\\x0f\\x00\\x00\\x00\\x00\\xb7@\\xaa\\x10\\x00\\x00\\x00\\x00\\xb7\\xb2\\xb7\\x1a\\x00\\x00\\x00\\x00\\xe5d\\x00\\x00\\xf1\\x0c\\x00\\x00\\x00\\x00\\x00\\x00\\x87\\x03\\x00\\x00\\xb6\\xe4q\\x9c\\xed\\xee\\xdc\\x01\\x00\\x00\\x00\\x00P\\x00a\\x00r\\x00t\\x00m\\x00g\\x00r\\x00 \\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 19101
          },
          {
            "timestamp": "2026-05-28 22:02:01,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28ca352",
            "parentcaller": "0x7ff6c28ca1d6",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 19102
          },
          {
            "timestamp": "2026-05-28 22:02:01,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28ca352",
            "parentcaller": "0x7ff6c28ca1d6",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "0",
                "pretty_value": "ThreadBasicInformation"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x03\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb0\\x88\\x9d\\xf0\\x00\\x00\\x00\\xe8\\x1e\\x00\\x00\\x00\\x00\\x00\\x00\\x9c!\\x00\\x00\\x00\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x0b\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "8604"
              }
            ],
            "repeated": 0,
            "id": 19103
          },
          {
            "timestamp": "2026-05-28 22:02:01,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28ca352",
            "parentcaller": "0x7ff6c28ca1d6",
            "category": "system",
            "api": "GetSystemTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 1,
            "id": 19104
          },
          {
            "timestamp": "2026-05-28 22:02:01,365",
            "thread_id": "5448",
            "caller": "0x7ff6c28c63dd",
            "parentcaller": "0x7ff6c28bac26",
            "category": "misc",
            "api": "NtQuerySystemInformation",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SystemInformationClass",
                "value": "5",
                "pretty_value": "SystemProcessInformation"
              }
            ],
            "repeated": 0,
            "id": 19105
          },
          {
            "timestamp": "2026-05-28 22:02:01,365",
            "thread_id": "5448",
            "caller": "0x7ff6c28bda50",
            "parentcaller": "0x7ff6c28d9f92",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "23"
              },
              {
                "name": "ThreadInformation",
                "value": "x\\x07RR\\x00\\x00\\x00\\x00^/hiB\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "5448"
              }
            ],
            "repeated": 0,
            "id": 19106
          },
          {
            "timestamp": "2026-05-28 22:02:01,365",
            "thread_id": "5448",
            "caller": "0x7ff6c28bdaa2",
            "parentcaller": "0x7ff6c28d9f92",
            "category": "misc",
            "api": "NtQuerySystemInformation",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SystemInformationClass",
                "value": "3",
                "pretty_value": "SystemTimeOfDayInformation"
              }
            ],
            "repeated": 0,
            "id": 19107
          },
          {
            "timestamp": "2026-05-28 22:02:01,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28ca352",
            "parentcaller": "0x7ff6c28ca1d6",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000410"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\PcwDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00224013"
              },
              {
                "name": "InputBuffer",
                "value": "\\x00\t\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": "\\xc8A\\x00\\x00\\x10\\x00\\x00\\x00\\x0c\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x80\\x12\\x00\\x00 \\x00\\x00\\x00\\x1e\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\n\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x98\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x88\\x00\\x00\\x00\\x01\\x00\\x00\\x00p\\x00i\\x00d\\x00_\\x004\\x00_\\x00l\\x00u\\x00i\\x00d\\x00_\\x000\\x00x\\x000\\x000\\x000\\x000\\x000\\x000\\x000\\x000\\x00_\\x000\\x00x\\x000\\x000\\x000\\x000\\x006\\x001\\x006\\x00A\\x00_\\x00p\\x00h\\x00y\\x00s\\x00_\\x000\\x00_\\x00e\\x00n\\x00g\\x00_\\x000\\x00_\\x00e\\x00n\\x00g\\x00t\\x00y\\x00p\\x00e\\x00_\\x003\\x00D\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x01\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x98\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x88\\x00\\x00\\x00\\x01\\x00\\x00\\x00p\\x00i\\x00d\\x00_\\x004\\x00_\\x00l\\x00u\\x00i\\x00d\\x00_\\x000\\x00x\\x000\\x000\\x000\\x000\\x000\\x000\\x000\\x00"
              }
            ],
            "repeated": 0,
            "id": 19108
          },
          {
            "timestamp": "2026-05-28 22:02:01,365",
            "thread_id": "5448",
            "caller": "0x7ff6c28c4a58",
            "parentcaller": "0x7ff6c28c4bdc",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000410"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\PcwDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00224013"
              },
              {
                "name": "InputBuffer",
                "value": "\\x14\\x04\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": "\\xb8\\x01\\x00\\x00\\x10\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xa8\\x01\\x00\\x00 \\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x000\\x00\\x00\\x0c\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00`\\x00\\x00\\x00\\x00\\x00\\x00\\x00 \\x00\\x00\\x00\\x04\\x00\\x00\\x000\\x00,\\x000\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x04\\x00\\x08\\x00\\xc4\"d\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x05\\x00\\x08\\x00*\\xa2F\\x01\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x1a\\x00\\x08\\x00M\\xd6*\\x81\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x1b\\x00\\x04\\x00\\xc5\\xce\\xad\\x02\\x00\\x00\\x00\\x00`\\x00\\x00\\x00\\x01\\x00\\x00\\x00 \\x00\\x00\\x00\\x04\\x00\\x00\\x000\\x00,\\x001\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x04\\x00\\x08\\x00h\\xb6:\\x01\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x05\\x00\\x08\\x00\\xc2\\xeb\\x0b\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x1a\\x00\\x08\\x00\\xcb\\x12{\\x80\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x1b\\x00\\x04\\x00\\xd4\\xce\\xad\\x02\\x00\\x00\\x00\\x00h\\x00\\x00\\x00\\x02\\x00\\x00\\x00(\\x00\\x00\\x00\\x04\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 19109
          },
          {
            "timestamp": "2026-05-28 22:02:01,365",
            "thread_id": "5448",
            "caller": "0x7ff6c28c4a58",
            "parentcaller": "0x7ff6c28c4c19",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000410"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\PcwDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00224013"
              },
              {
                "name": "InputBuffer",
                "value": "\\x18\\x04\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": "x\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00h\\x00\\x00\\x00 \\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00H\\x00\\x00\\x00\\x00\\x00\\x00\\x00(\\x00\\x00\\x00\\x02\\x00\\x00\\x00d\\x00e\\x00f\\x00a\\x00u\\x00l\\x00t\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x08\\x00\\x1b(\\x248\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x01\\x00\\x08\\x00\\x00@T\n\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 19110
          },
          {
            "timestamp": "2026-05-28 22:02:01,365",
            "thread_id": "5448",
            "caller": "0x7ff6c28c6f7b",
            "parentcaller": "0x7ff6c28bdb94",
            "category": "misc",
            "api": "GlobalMemoryStatusEx",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "MemoryLoad",
                "value": "32"
              },
              {
                "name": "TotalPhysicalMB",
                "value": "8191"
              }
            ],
            "repeated": 0,
            "id": 19111
          },
          {
            "timestamp": "2026-05-28 22:02:01,365",
            "thread_id": "5448",
            "caller": "0x7ff6c28c05ac",
            "parentcaller": "0x7ff6c28bdc11",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a88"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001400",
                "pretty_value": "PROCESS_QUERY_INFORMATION|PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "748"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe"
              }
            ],
            "repeated": 0,
            "id": 19112
          },
          {
            "timestamp": "2026-05-28 22:02:01,365",
            "thread_id": "5448",
            "caller": "0x7ff6c28c068f",
            "parentcaller": "0x7ff6c28bdc11",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a88"
              }
            ],
            "repeated": 0,
            "id": 19113
          },
          {
            "timestamp": "2026-05-28 22:02:01,365",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c6d7d",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a88"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001400",
                "pretty_value": "PROCESS_QUERY_INFORMATION|PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "748"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe"
              }
            ],
            "repeated": 0,
            "id": 19114
          },
          {
            "timestamp": "2026-05-28 22:02:01,365",
            "thread_id": "5448",
            "caller": "0x7ff6c28c6de3",
            "parentcaller": "0x7ff6c28c087c",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a88"
              }
            ],
            "repeated": 0,
            "id": 19115
          },
          {
            "timestamp": "2026-05-28 22:02:01,365",
            "thread_id": "1496",
            "caller": "0x7ff6c2958576",
            "parentcaller": "0x7ff6c2957a42",
            "category": "misc",
            "api": "NtQuerySystemInformation",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SystemInformationClass",
                "value": "3",
                "pretty_value": "SystemTimeOfDayInformation"
              }
            ],
            "repeated": 0,
            "id": 19116
          },
          {
            "timestamp": "2026-05-28 22:02:01,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28f9829",
            "parentcaller": "0x7ff6c28d8f00",
            "category": "windows",
            "api": "PostMessageW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "WindowHandle",
                "value": "0x000203fa"
              },
              {
                "name": "Message",
                "value": "0x000004e1"
              }
            ],
            "repeated": 0,
            "id": 19117
          },
          {
            "timestamp": "2026-05-28 22:02:01,365",
            "thread_id": "1276",
            "caller": "0x7ff6c28d9214",
            "parentcaller": "0x00000000",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "0",
                "pretty_value": "ThreadBasicInformation"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x03\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xd0\\x87\\x9d\\xf0\\x00\\x00\\x00\\xe8\\x1e\\x00\\x00\\x00\\x00\\x00\\x00\\xfc\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\n\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "1276"
              }
            ],
            "repeated": 0,
            "id": 19118
          },
          {
            "timestamp": "2026-05-28 22:02:01,365",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000000",
                "pretty_value": "HKEY_CLASSES_ROOT"
              },
              {
                "name": "SubKey",
                "value": "CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_CLASSES_ROOT\\CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              }
            ],
            "repeated": 0,
            "id": 19119
          },
          {
            "timestamp": "2026-05-28 22:02:01,365",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "shell32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76730000"
              }
            ],
            "repeated": 0,
            "id": 19120
          },
          {
            "timestamp": "2026-05-28 22:02:01,365",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x7ffc76730000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "shell32.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 19121
          },
          {
            "timestamp": "2026-05-28 22:02:01,365",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "SHELL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc76730000"
              },
              {
                "name": "FunctionName",
                "value": "DllGetClassObject"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc767878f0"
              }
            ],
            "repeated": 0,
            "id": 19122
          },
          {
            "timestamp": "2026-05-28 22:02:01,365",
            "thread_id": "1276",
            "caller": "0x7ff6c28c27c9",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "synchronization",
            "api": "NtFindAtom",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "AtomName",
                "value": "{57086C23-86C6-478F-AFB2-236188C8F47F} 3"
              },
              {
                "name": "Atom",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 19123
          },
          {
            "timestamp": "2026-05-28 22:02:01,365",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000000",
                "pretty_value": "HKEY_CLASSES_ROOT"
              },
              {
                "name": "SubKey",
                "value": "CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_CLASSES_ROOT\\CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              }
            ],
            "repeated": 0,
            "id": 19124
          },
          {
            "timestamp": "2026-05-28 22:02:01,365",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "shell32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76730000"
              }
            ],
            "repeated": 0,
            "id": 19125
          },
          {
            "timestamp": "2026-05-28 22:02:01,365",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x7ffc76730000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "shell32.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 19126
          },
          {
            "timestamp": "2026-05-28 22:02:01,365",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "SHELL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc76730000"
              },
              {
                "name": "FunctionName",
                "value": "DllGetClassObject"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc767878f0"
              }
            ],
            "repeated": 0,
            "id": 19127
          },
          {
            "timestamp": "2026-05-28 22:02:01,365",
            "thread_id": "1276",
            "caller": "0x7ff6c28c27c9",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "synchronization",
            "api": "NtFindAtom",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "AtomName",
                "value": "{57086C23-86C6-478F-AFB2-236188C8F47F} 3"
              },
              {
                "name": "Atom",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 19128
          },
          {
            "timestamp": "2026-05-28 22:02:01,365",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000000",
                "pretty_value": "HKEY_CLASSES_ROOT"
              },
              {
                "name": "SubKey",
                "value": "CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_CLASSES_ROOT\\CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              }
            ],
            "repeated": 0,
            "id": 19129
          },
          {
            "timestamp": "2026-05-28 22:02:01,365",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "shell32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76730000"
              }
            ],
            "repeated": 0,
            "id": 19130
          },
          {
            "timestamp": "2026-05-28 22:02:01,365",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x7ffc76730000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "shell32.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 19131
          },
          {
            "timestamp": "2026-05-28 22:02:01,365",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "SHELL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc76730000"
              },
              {
                "name": "FunctionName",
                "value": "DllGetClassObject"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc767878f0"
              }
            ],
            "repeated": 0,
            "id": 19132
          },
          {
            "timestamp": "2026-05-28 22:02:01,365",
            "thread_id": "1276",
            "caller": "0x7ff6c28c27c9",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "synchronization",
            "api": "NtFindAtom",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "AtomName",
                "value": "{57086C23-86C6-478F-AFB2-236188C8F47F} 3"
              },
              {
                "name": "Atom",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 19133
          },
          {
            "timestamp": "2026-05-28 22:02:01,365",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000000",
                "pretty_value": "HKEY_CLASSES_ROOT"
              },
              {
                "name": "SubKey",
                "value": "CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_CLASSES_ROOT\\CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              }
            ],
            "repeated": 0,
            "id": 19134
          },
          {
            "timestamp": "2026-05-28 22:02:01,365",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "shell32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76730000"
              }
            ],
            "repeated": 0,
            "id": 19135
          },
          {
            "timestamp": "2026-05-28 22:02:01,365",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x7ffc76730000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "shell32.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 19136
          },
          {
            "timestamp": "2026-05-28 22:02:01,365",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "SHELL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc76730000"
              },
              {
                "name": "FunctionName",
                "value": "DllGetClassObject"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc767878f0"
              }
            ],
            "repeated": 0,
            "id": 19137
          },
          {
            "timestamp": "2026-05-28 22:02:01,365",
            "thread_id": "1276",
            "caller": "0x7ff6c28c27c9",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "synchronization",
            "api": "NtFindAtom",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "AtomName",
                "value": "{57086C23-86C6-478F-AFB2-236188C8F47F} 3"
              },
              {
                "name": "Atom",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 19138
          },
          {
            "timestamp": "2026-05-28 22:02:01,365",
            "thread_id": "1276",
            "caller": "0x7ff6c28d9322",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "oleaut32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc77330000"
              }
            ],
            "repeated": 0,
            "id": 19139
          },
          {
            "timestamp": "2026-05-28 22:02:01,365",
            "thread_id": "5448",
            "caller": "0x7ff6c28bb952",
            "parentcaller": "0x7ff6c28be837",
            "category": "windows",
            "api": "PostMessageW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "WindowHandle",
                "value": "0x00010402"
              },
              {
                "name": "Message",
                "value": "0x00000464"
              }
            ],
            "repeated": 0,
            "id": 19140
          },
          {
            "timestamp": "2026-05-28 22:02:01,365",
            "thread_id": "608",
            "caller": "0x7ff6c28d9e90",
            "parentcaller": "0x7ff6c28d9a49",
            "category": "windows",
            "api": "FindWindowW",
            "status": true,
            "return": "0x00010092",
            "arguments": [
              {
                "name": "ClassName",
                "value": "Shell_TrayWnd"
              },
              {
                "name": "WindowName",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 19141
          },
          {
            "timestamp": "2026-05-28 22:02:01,365",
            "thread_id": "1276",
            "caller": "0x7ffc77bf0e98",
            "parentcaller": "0x7ffc77c6b785",
            "category": "windows",
            "api": "PostMessageW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "WindowHandle",
                "value": "0x00010438"
              },
              {
                "name": "Message",
                "value": "0x00000400"
              }
            ],
            "repeated": 0,
            "id": 19142
          },
          {
            "timestamp": "2026-05-28 22:02:01,428",
            "thread_id": "1496",
            "caller": "0x7ff6c28da9db",
            "parentcaller": "0x7ff6c28d6fb1",
            "category": "misc",
            "api": "GetCursorPos",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "x",
                "value": "599"
              },
              {
                "name": "y",
                "value": "433"
              }
            ],
            "repeated": 0,
            "id": 19143
          },
          {
            "timestamp": "2026-05-28 22:02:01,428",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6fb1",
            "parentcaller": "0x7ff6c28e0076",
            "category": "system",
            "api": "NtDelayExecution",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 19144
          },
          {
            "timestamp": "2026-05-28 22:02:01,475",
            "thread_id": "1276",
            "caller": "0x7ffc77bf0e98",
            "parentcaller": "0x7ffc77c6b785",
            "category": "windows",
            "api": "PostMessageW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "WindowHandle",
                "value": "0x00010424"
              },
              {
                "name": "Message",
                "value": "0x00000400"
              }
            ],
            "repeated": 0,
            "id": 19145
          },
          {
            "timestamp": "2026-05-28 22:02:01,725",
            "thread_id": "1496",
            "caller": "0x7ff6c28da9db",
            "parentcaller": "0x7ff6c28d6f98",
            "category": "synchronization",
            "api": "NtAddAtomEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "AtomName",
                "value": "UxSubclassInfo"
              },
              {
                "name": "Atom",
                "value": "0x0000c018"
              }
            ],
            "repeated": 0,
            "id": 19146
          },
          {
            "timestamp": "2026-05-28 22:02:01,725",
            "thread_id": "1496",
            "caller": "0x7ff6c28da9db",
            "parentcaller": "0x7ff6c28d6f98",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00001016"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 19147
          },
          {
            "timestamp": "2026-05-28 22:02:01,725",
            "thread_id": "1496",
            "caller": "0x7ff6c28da9db",
            "parentcaller": "0x7ff6c28d6f98",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00001018"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 19148
          },
          {
            "timestamp": "2026-05-28 22:02:01,725",
            "thread_id": "1496",
            "caller": "0x7ff6c28da9db",
            "parentcaller": "0x7ff6c28d6f98",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00000042"
              },
              {
                "name": "uiParam",
                "value": "0x00000010"
              }
            ],
            "repeated": 0,
            "id": 19149
          },
          {
            "timestamp": "2026-05-28 22:02:01,740",
            "thread_id": "1496",
            "caller": "0x7ff6c28da9db",
            "parentcaller": "0x7ff6c28d6fb1",
            "category": "misc",
            "api": "GetCursorPos",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "x",
                "value": "599"
              },
              {
                "name": "y",
                "value": "433"
              }
            ],
            "repeated": 0,
            "id": 19150
          },
          {
            "timestamp": "2026-05-28 22:02:01,740",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6fb1",
            "parentcaller": "0x7ff6c28e0076",
            "category": "system",
            "api": "NtDelayExecution",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 19151
          },
          {
            "timestamp": "2026-05-28 22:02:02,287",
            "thread_id": "1496",
            "caller": "0x7ff6c28da9db",
            "parentcaller": "0x7ff6c28d6fb1",
            "category": "misc",
            "api": "GetCursorPos",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "x",
                "value": "599"
              },
              {
                "name": "y",
                "value": "433"
              }
            ],
            "repeated": 0,
            "id": 19152
          },
          {
            "timestamp": "2026-05-28 22:02:02,287",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6fb1",
            "parentcaller": "0x7ff6c28e0076",
            "category": "system",
            "api": "NtDelayExecution",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 19153
          },
          {
            "timestamp": "2026-05-28 22:02:02,365",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6fb1",
            "parentcaller": "0x7ff6c28e0076",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 0,
            "id": 19154
          },
          {
            "timestamp": "2026-05-28 22:02:02,365",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6fb1",
            "parentcaller": "0x7ff6c28e0076",
            "category": "windows",
            "api": "PostMessageW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "WindowHandle",
                "value": "0x000f03ec"
              },
              {
                "name": "Message",
                "value": "0x00000060"
              }
            ],
            "repeated": 0,
            "id": 19155
          },
          {
            "timestamp": "2026-05-28 22:02:02,365",
            "thread_id": "5448",
            "caller": "0x7ff6c28bd9af",
            "parentcaller": "0x7ff6c28d9f92",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "23"
              },
              {
                "name": "ThreadInformation",
                "value": "n\\xe9\\xa3R\\x00\\x00\\x00\\x00tw\\xd6FC\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "5448"
              }
            ],
            "repeated": 0,
            "id": 19156
          },
          {
            "timestamp": "2026-05-28 22:02:02,365",
            "thread_id": "5448",
            "caller": "0x7ff6c28c63dd",
            "parentcaller": "0x7ff6c28bac26",
            "category": "misc",
            "api": "NtQuerySystemInformation",
            "status": false,
            "return": "0xffffffffc0000004",
            "pretty_return": "INFO_LENGTH_MISMATCH",
            "arguments": [
              {
                "name": "SystemInformationClass",
                "value": "5",
                "pretty_value": "FILE_OVERWRITE_IF"
              }
            ],
            "repeated": 0,
            "id": 19157
          },
          {
            "timestamp": "2026-05-28 22:02:02,365",
            "thread_id": "5448",
            "caller": "0x7ff6c28c63dd",
            "parentcaller": "0x7ff6c28bac26",
            "category": "misc",
            "api": "NtQuerySystemInformation",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SystemInformationClass",
                "value": "5",
                "pretty_value": "FILE_OVERWRITE_IF"
              }
            ],
            "repeated": 0,
            "id": 19158
          },
          {
            "timestamp": "2026-05-28 22:02:02,365",
            "thread_id": "5448",
            "caller": "0x7ff6c28bda50",
            "parentcaller": "0x7ff6c28d9f92",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "23"
              },
              {
                "name": "ThreadInformation",
                "value": "\\xbc\\xc9\nS\\x00\\x00\\x00\\x00\\x10KCGC\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "5448"
              }
            ],
            "repeated": 0,
            "id": 19159
          },
          {
            "timestamp": "2026-05-28 22:02:02,365",
            "thread_id": "5448",
            "caller": "0x7ff6c28bdaa2",
            "parentcaller": "0x7ff6c28d9f92",
            "category": "misc",
            "api": "NtQuerySystemInformation",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SystemInformationClass",
                "value": "3",
                "pretty_value": "FILE_OPEN_IF"
              }
            ],
            "repeated": 0,
            "id": 19160
          },
          {
            "timestamp": "2026-05-28 22:02:02,365",
            "thread_id": "5448",
            "caller": "0x7ff6c28c4a58",
            "parentcaller": "0x7ff6c28c4bdc",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000410"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\PcwDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00224013"
              },
              {
                "name": "InputBuffer",
                "value": "\\x14\\x04\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": "\\xb8\\x01\\x00\\x00\\x10\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xa8\\x01\\x00\\x00 \\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x000\\x00\\x00\\x0c\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00`\\x00\\x00\\x00\\x00\\x00\\x00\\x00 \\x00\\x00\\x00\\x04\\x00\\x00\\x000\\x00,\\x000\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x04\\x00\\x08\\x00\\x1e\\x85f\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x05\\x00\\x08\\x00\\xec\\x8dR\\x01\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x1a\\x00\\x08\\x00\\xb4m\\xac\\x82\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x1b\\x00\\x04\\x00eo\\xb7\\x02\\x00\\x00\\x00\\x00`\\x00\\x00\\x00\\x01\\x00\\x00\\x00 \\x00\\x00\\x00\\x04\\x00\\x00\\x000\\x00,\\x001\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x04\\x00\\x08\\x00v\\xddA\\x01\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x05\\x00\\x08\\x00\\xc2\\xeb\\x0b\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x1a\\x00\\x08\\x00\\x8e/\\x07\\x82\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x1b\\x00\\x04\\x00jo\\xb7\\x02\\x00\\x00\\x00\\x00h\\x00\\x00\\x00\\x02\\x00\\x00\\x00(\\x00\\x00\\x00\\x04\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 19161
          },
          {
            "timestamp": "2026-05-28 22:02:02,365",
            "thread_id": "5448",
            "caller": "0x7ff6c28c4a58",
            "parentcaller": "0x7ff6c28c4c19",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000410"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\PcwDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00224013"
              },
              {
                "name": "InputBuffer",
                "value": "\\x18\\x04\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": "x\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00h\\x00\\x00\\x00 \\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00H\\x00\\x00\\x00\\x00\\x00\\x00\\x00(\\x00\\x00\\x00\\x02\\x00\\x00\\x00d\\x00e\\x00f\\x00a\\x00u\\x00l\\x00t\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x08\\x00\\x1b(\\x21c\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x01\\x00\\x08\\x00\\x00(^\n\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 19162
          },
          {
            "timestamp": "2026-05-28 22:02:02,365",
            "thread_id": "5448",
            "caller": "0x7ff6c28c6f7b",
            "parentcaller": "0x7ff6c28bdb94",
            "category": "misc",
            "api": "GlobalMemoryStatusEx",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "MemoryLoad",
                "value": "33"
              },
              {
                "name": "TotalPhysicalMB",
                "value": "8191"
              }
            ],
            "repeated": 0,
            "id": 19163
          },
          {
            "timestamp": "2026-05-28 22:02:02,365",
            "thread_id": "5448",
            "caller": "0x7ff6c28c05ac",
            "parentcaller": "0x7ff6c28bdc11",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a88"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001400",
                "pretty_value": "PROCESS_QUERY_INFORMATION|PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "748"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe"
              }
            ],
            "repeated": 0,
            "id": 19164
          },
          {
            "timestamp": "2026-05-28 22:02:02,365",
            "thread_id": "5448",
            "caller": "0x7ff6c28c068f",
            "parentcaller": "0x7ff6c28bdc11",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a88"
              }
            ],
            "repeated": 0,
            "id": 19165
          },
          {
            "timestamp": "2026-05-28 22:02:02,365",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c6d7d",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a88"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001400",
                "pretty_value": "PROCESS_QUERY_INFORMATION|PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "748"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe"
              }
            ],
            "repeated": 0,
            "id": 19166
          },
          {
            "timestamp": "2026-05-28 22:02:02,365",
            "thread_id": "5448",
            "caller": "0x7ff6c28c6de3",
            "parentcaller": "0x7ff6c28c087c",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a88"
              }
            ],
            "repeated": 0,
            "id": 19167
          },
          {
            "timestamp": "2026-05-28 22:02:02,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28c4a58",
            "parentcaller": "0x7ff6c28bab11",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000410"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\PcwDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00224013"
              },
              {
                "name": "InputBuffer",
                "value": "\\x88\\x08\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": "x\\x02\\x00\\x00\\x10\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00h\\x02\\x00\\x00 \\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01<\\x06\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x90\\x00\\x00\\x00\\x00\\x00\\x00\\x00 \\x00\\x00\\x00\\x07\\x00\\x00\\x000\\x00,\\x000\\x00\\x00\\x00a\\x00n\\x00a\\x00g\\x00\\x10\\x00\\x00\\x00\\x10\\x00\\x04\\x00\\x00\\x00\\x00\\x00A\\x00p\\x00\\x10\\x00\\x00\\x00\\x1a\\x00\\x08\\x00\\xfe\\x8d\\xaa\\x82\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x1b\\x00\\x04\\x00\\x99j\\xb7\\x02S\\x00e\\x00\\x10\\x00\\x00\\x00\\x1c\\x00\\x08\\x00\\x8b\\xc2\\xc4\\x08\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x1d\\x00\\x04\\x00\\x99j\\xb7\\x02)\\x00\\x00\\x00\\x10\\x00\\x00\\x00!\\x00\\x08\\x00\\xd5q[\\xd0\\x12\\x00\\x00\\x00\\x10\\x00\\x00\\x00\"\\x00\\x04\\x00k\\x81N\\x01o\\x00f\\x00\\x90\\x00\\x00\\x00\\x01\\x00\\x00\\x00 \\x00\\x00\\x00\\x07\\x00\\x00\\x000\\x00,\\x001\\x00\\x00\\x00n\\x00t\\x00\\x00\\x00A\\x00\\x10\\x00\\x00\\x00\\x10\\x00\\x04\\x00\\x00\\x00\\x00\\x00e\\x00n\\x00\\x10\\x00\\x00\\x00\\x1a\\x00\\x08\\x00eO\\x08\\x82\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 19168
          },
          {
            "timestamp": "2026-05-28 22:02:02,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28c7164",
            "parentcaller": "0x7ff6c28c4d2d",
            "category": "misc",
            "api": "NtQuerySystemInformation",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "SystemInformationClass",
                "value": "79"
              }
            ],
            "repeated": 0,
            "id": 19169
          },
          {
            "timestamp": "2026-05-28 22:02:02,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28c71d8",
            "parentcaller": "0x7ff6c28c4d2d",
            "category": "misc",
            "api": "NtQuerySystemInformation",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SystemInformationClass",
                "value": "79"
              }
            ],
            "repeated": 0,
            "id": 19170
          },
          {
            "timestamp": "2026-05-28 22:02:02,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28c4d5f",
            "parentcaller": "0x7ff6c28d9152",
            "category": "misc",
            "api": "NtQuerySystemInformation",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SystemInformationClass",
                "value": "182"
              }
            ],
            "repeated": 0,
            "id": 19171
          },
          {
            "timestamp": "2026-05-28 22:02:02,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28c4d76",
            "parentcaller": "0x7ff6c28d9152",
            "category": "misc",
            "api": "GetPhysicallyInstalledSystemMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TotalMemoryInKilobytes",
                "value": "8388608"
              }
            ],
            "repeated": 0,
            "id": 19172
          },
          {
            "timestamp": "2026-05-28 22:02:02,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28bcc3e",
            "parentcaller": "0x7ff6c28baa3d",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000008a4"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\Nsi"
              },
              {
                "name": "IoControlCode",
                "value": "0x00120007"
              },
              {
                "name": "InputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb1\\xa9t\\xfc\\x7f\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xc0\\xe5O\\x9e\\xf0\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb1\\xa9t\\xfc\\x7f\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xc0\\xe5O\\x9e\\xf0\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 19173
          },
          {
            "timestamp": "2026-05-28 22:02:02,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28bcc3e",
            "parentcaller": "0x7ff6c28baa3d",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a84"
              }
            ],
            "repeated": 0,
            "id": 19174
          },
          {
            "timestamp": "2026-05-28 22:02:02,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28bcc3e",
            "parentcaller": "0x7ff6c28baa3d",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000008a4"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\Nsi"
              },
              {
                "name": "IoControlCode",
                "value": "0x0012000f"
              },
              {
                "name": "InputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb1\\xa9t\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xd0\\xe5O\\x9e\\xf0\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\xeeO\\x9e\\xf0\\x00\\x00\\x00D\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xe6O\\x9e\\xf0\\x00\\x00\\x00\\xd8\\x00\\x00\\x00\\x00\\x00\\x00\\x00 \\xe9O\\x9e\\xf0\\x00\\x00\\x00X\\x02\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb1\\xa9t\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xd0\\xe5O\\x9e\\xf0\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\xeeO\\x9e\\xf0\\x00\\x00\\x00D\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xe6O\\x9e\\xf0\\x00\\x00\\x00\\xd8\\x00\\x00\\x00\\x00\\x00\\x00\\x00 \\xe9O\\x9e\\xf0\\x00\\x00\\x00X\\x02\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 19175
          },
          {
            "timestamp": "2026-05-28 22:02:02,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28bcc3e",
            "parentcaller": "0x7ff6c28baa3d",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a84"
              }
            ],
            "repeated": 0,
            "id": 19176
          },
          {
            "timestamp": "2026-05-28 22:02:02,381",
            "thread_id": "1496",
            "caller": "0x7ff6c28da9db",
            "parentcaller": "0x7ff6c28d6fb1",
            "category": "misc",
            "api": "GetCursorPos",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "x",
                "value": "599"
              },
              {
                "name": "y",
                "value": "433"
              }
            ],
            "repeated": 0,
            "id": 19177
          },
          {
            "timestamp": "2026-05-28 22:02:02,381",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6fb1",
            "parentcaller": "0x7ff6c28e0076",
            "category": "system",
            "api": "NtDelayExecution",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 19178
          },
          {
            "timestamp": "2026-05-28 22:02:02,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28bcd3d",
            "parentcaller": "0x7ff6c28baa3d",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000a84"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0012019f",
                "pretty_value": "FILE_GENERIC_READ|FILE_GENERIC_WRITE"
              },
              {
                "name": "FileName",
                "value": "\\Device\\{4C572733-2FBA-4346-9601-F86DBA666EF2}"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 19179
          },
          {
            "timestamp": "2026-05-28 22:02:02,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28bcd94",
            "parentcaller": "0x7ff6c28baa3d",
            "category": "device",
            "api": "DeviceIoControl",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "DeviceHandle",
                "value": "0x00000a84"
              },
              {
                "name": "IoControlCode",
                "value": "0x0017003e"
              },
              {
                "name": "InBuffer",
                "value": "\\x07\\x01\\x01\\x00\\x04\\x01\\x01\\x80\\x14\\x01\\x01\\x80\\x01\\x01\\x02\\x00\\x02\\x01\\x02\\x00\\x03\\x01\\x02\\x00\\x04\\x01\\x02\\x00\\x08\\x02\\x02\\x80\\x01\\x02\\x02\\x80\\x07\\x02\\x02\\x80\\xff\\xff\\xff\\x80\\x13\\x02\\x02\\x80\\x14\\x02\\x02\\x80\\x15\\x02\\x02\\x80\\x02\\x02\\x01\\x80"
              },
              {
                "name": "OutBuffer",
                "value": "\\x07\\x01\\x01\\x00\\x04\\x00\\x00\\x00\\x80\\x96\\x98\\x00\\x04\\x01\\x01\\x80\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x14\\x01\\x01\\x80\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x01\\x02\\x00\\x08\\x00\\x00\\x005\r\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x01\\x02\\x00\\x08\\x00\\x00\\x00cB\\x00\\x00\\x00\\x00\\x00\\x00\\x03\\x01\\x02\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x04\\x01\\x02\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x08\\x02\\x02\\x80\\x08\\x00\\x00\\x00^B\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x02\\x02\\x80\\x08\\x00\\x00\\x00\\xd1>=\\x00\\x00\\x00\\x00\\x00\\x07\\x02\\x02\\x80\\x08\\x00\\x00\\x00\\x1e\\xf4D\\x01\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\x80\\x04\\x00\\x00\\x00D\\x00\\x00\\x00\\x13\\x02\\x02\\x80\\x04\\x00\\x00\\x00m\\x00\\x00\\x00\\x14\\x02\\x02\\x80\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x15\\x02\\x02\\x80\\x04\\x00\\x00\\x00\\x00\\x00\\x04\\x00\\x02\\x02\\x01\\x80\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 19180
          },
          {
            "timestamp": "2026-05-28 22:02:02,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28bcdab",
            "parentcaller": "0x7ff6c28baa3d",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a84"
              }
            ],
            "repeated": 0,
            "id": 19181
          },
          {
            "timestamp": "2026-05-28 22:02:02,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28c1a63",
            "parentcaller": "0x7ff6c28d9152",
            "category": "device",
            "api": "DeviceIoControl",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "DeviceHandle",
                "value": "0x0000089c"
              },
              {
                "name": "IoControlCode",
                "value": "0x00070020"
              },
              {
                "name": "InBuffer",
                "value": ""
              },
              {
                "name": "OutBuffer",
                "value": "\\x00\\xa0\\xe6q\\x00\\x00\\x00\\x00\\x00\"\\x80\\x08\\x00\\x00\\x00\\x00\\xd6\\xd8@\\x1d\\x00\\x00\\x00\\x00\\xe3\\xa3\\xca\\x10\\x00\\x00\\x00\\x00\\xba8 \\x1b\\x00\\x00\\x00\\x00\\xb1g\\x00\\x002\r\\x00\\x00\\x00\\x00\\x00\\x00\\x8d\\x03\\x00\\x001\\xde\\x0c\\x9d\\xed\\xee\\xdc\\x01\\x00\\x00\\x00\\x00P\\x00a\\x00r\\x00t\\x00m\\x00g\\x00r\\x00 \\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 19182
          },
          {
            "timestamp": "2026-05-28 22:02:02,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28ca352",
            "parentcaller": "0x7ff6c28ca1d6",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 19183
          },
          {
            "timestamp": "2026-05-28 22:02:02,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28ca352",
            "parentcaller": "0x7ff6c28ca1d6",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "0",
                "pretty_value": "ThreadBasicInformation"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x03\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb0\\x88\\x9d\\xf0\\x00\\x00\\x00\\xe8\\x1e\\x00\\x00\\x00\\x00\\x00\\x00\\x9c!\\x00\\x00\\x00\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\t\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "8604"
              }
            ],
            "repeated": 0,
            "id": 19184
          },
          {
            "timestamp": "2026-05-28 22:02:02,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28ca352",
            "parentcaller": "0x7ff6c28ca1d6",
            "category": "system",
            "api": "GetSystemTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 1,
            "id": 19185
          },
          {
            "timestamp": "2026-05-28 22:02:02,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28ca352",
            "parentcaller": "0x7ff6c28ca1d6",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000410"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\PcwDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00224013"
              },
              {
                "name": "InputBuffer",
                "value": "\\x00\t\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": "\\xc8A\\x00\\x00\\x10\\x00\\x00\\x00\\x0c\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x80\\x12\\x00\\x00 \\x00\\x00\\x00\\x1e\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\n\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x98\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x88\\x00\\x00\\x00\\x01\\x00\\x00\\x00p\\x00i\\x00d\\x00_\\x004\\x00_\\x00l\\x00u\\x00i\\x00d\\x00_\\x000\\x00x\\x000\\x000\\x000\\x000\\x000\\x000\\x000\\x000\\x00_\\x000\\x00x\\x000\\x000\\x000\\x000\\x006\\x001\\x006\\x00A\\x00_\\x00p\\x00h\\x00y\\x00s\\x00_\\x000\\x00_\\x00e\\x00n\\x00g\\x00_\\x000\\x00_\\x00e\\x00n\\x00g\\x00t\\x00y\\x00p\\x00e\\x00_\\x003\\x00D\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x01\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x98\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x88\\x00\\x00\\x00\\x01\\x00\\x00\\x00p\\x00i\\x00d\\x00_\\x004\\x00_\\x00l\\x00u\\x00i\\x00d\\x00_\\x000\\x00x\\x000\\x000\\x000\\x000\\x000\\x000\\x000\\x00"
              }
            ],
            "repeated": 0,
            "id": 19186
          },
          {
            "timestamp": "2026-05-28 22:02:02,381",
            "thread_id": "1496",
            "caller": "0x7ff6c2958576",
            "parentcaller": "0x7ff6c2957a42",
            "category": "misc",
            "api": "NtQuerySystemInformation",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SystemInformationClass",
                "value": "3",
                "pretty_value": "FILE_OPEN_IF"
              }
            ],
            "repeated": 0,
            "id": 19187
          },
          {
            "timestamp": "2026-05-28 22:02:02,381",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6f98",
            "parentcaller": "0x7ff6c28e0076",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x292557a3000"
              },
              {
                "name": "RegionSize",
                "value": "0x00004000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 19188
          },
          {
            "timestamp": "2026-05-28 22:02:02,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28f9829",
            "parentcaller": "0x7ff6c28d8f00",
            "category": "windows",
            "api": "PostMessageW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "WindowHandle",
                "value": "0x000203fa"
              },
              {
                "name": "Message",
                "value": "0x000004e1"
              }
            ],
            "repeated": 0,
            "id": 19189
          },
          {
            "timestamp": "2026-05-28 22:02:02,428",
            "thread_id": "5448",
            "caller": "0x7ff6c28c05ac",
            "parentcaller": "0x7ff6c28bdc11",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a88"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001400",
                "pretty_value": "PROCESS_QUERY_INFORMATION|PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "9204"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe"
              }
            ],
            "repeated": 0,
            "id": 19190
          },
          {
            "timestamp": "2026-05-28 22:02:02,428",
            "thread_id": "5448",
            "caller": "0x7ff6c28c068f",
            "parentcaller": "0x7ff6c28bdc11",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a88"
              }
            ],
            "repeated": 0,
            "id": 19191
          },
          {
            "timestamp": "2026-05-28 22:02:02,428",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c3e56",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a88"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001000",
                "pretty_value": "PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "9204"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe"
              }
            ],
            "repeated": 0,
            "id": 19192
          },
          {
            "timestamp": "2026-05-28 22:02:02,428",
            "thread_id": "5448",
            "caller": "0x7ff6c28c3ebb",
            "parentcaller": "0x7ff6c28c2d53",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a88"
              }
            ],
            "repeated": 0,
            "id": 19193
          },
          {
            "timestamp": "2026-05-28 22:02:02,428",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c3ffc",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a88"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001000",
                "pretty_value": "PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "9204"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe"
              }
            ],
            "repeated": 0,
            "id": 19194
          },
          {
            "timestamp": "2026-05-28 22:02:02,428",
            "thread_id": "5448",
            "caller": "0x7ff6c28c4224",
            "parentcaller": "0x7ff6c28c2da5",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a88"
              }
            ],
            "repeated": 0,
            "id": 19195
          },
          {
            "timestamp": "2026-05-28 22:02:02,428",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29255930002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 19196
          },
          {
            "timestamp": "2026-05-28 22:02:02,428",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29255930000"
              },
              {
                "name": "RegionSize",
                "value": "0x00505000"
              }
            ],
            "repeated": 0,
            "id": 19197
          },
          {
            "timestamp": "2026-05-28 22:02:02,428",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29255930002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 19198
          },
          {
            "timestamp": "2026-05-28 22:02:02,428",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29255930000"
              },
              {
                "name": "RegionSize",
                "value": "0x00505000"
              }
            ],
            "repeated": 0,
            "id": 19199
          },
          {
            "timestamp": "2026-05-28 22:02:02,428",
            "thread_id": "5448",
            "caller": "0x7ff6c28c3b16",
            "parentcaller": "0x7ff6c28c30e8",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a88"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000400",
                "pretty_value": "PROCESS_QUERY_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "9204"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe"
              }
            ],
            "repeated": 0,
            "id": 19200
          },
          {
            "timestamp": "2026-05-28 22:02:02,428",
            "thread_id": "5448",
            "caller": "0x7ff6c28c3b8f",
            "parentcaller": "0x7ff6c28c30e8",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a88"
              }
            ],
            "repeated": 0,
            "id": 19201
          },
          {
            "timestamp": "2026-05-28 22:02:02,459",
            "thread_id": "1496",
            "caller": "0x7ff6c28da9db",
            "parentcaller": "0x7ff6c28d6fb1",
            "category": "misc",
            "api": "GetCursorPos",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "x",
                "value": "599"
              },
              {
                "name": "y",
                "value": "433"
              }
            ],
            "repeated": 0,
            "id": 19202
          },
          {
            "timestamp": "2026-05-28 22:02:02,459",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6fb1",
            "parentcaller": "0x7ff6c28e0076",
            "category": "system",
            "api": "NtDelayExecution",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 19203
          },
          {
            "timestamp": "2026-05-28 22:02:02,475",
            "thread_id": "1276",
            "caller": "0x7ffc77bf0e98",
            "parentcaller": "0x7ffc77c6b785",
            "category": "windows",
            "api": "PostMessageW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "WindowHandle",
                "value": "0x00010424"
              },
              {
                "name": "Message",
                "value": "0x00000400"
              }
            ],
            "repeated": 0,
            "id": 19204
          },
          {
            "timestamp": "2026-05-28 22:02:02,475",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c38f8",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a88"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001410",
                "pretty_value": "PROCESS_VM_READ|PROCESS_QUERY_INFORMATION|PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "9204"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe"
              }
            ],
            "repeated": 0,
            "id": 19205
          },
          {
            "timestamp": "2026-05-28 22:02:02,475",
            "thread_id": "5448",
            "caller": "0x7ff6c28c53e5",
            "parentcaller": "0x7ff6c28c3945",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a88"
              },
              {
                "name": "BaseAddress",
                "value": "0x85d48de000"
              },
              {
                "name": "Size",
                "value": "0x000007c8"
              },
              {
                "name": "Buffer",
                "value": "\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00u4\\xf7\\x7f\\x00\\x00\\xc0\\xc4\\x13x\\xfc\\x7f\\x00\\x00\\xc05\\xc0AL\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb7AL\\x02\\x00\\x00\\xe0\\xc0\\x13x\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00p\\x003v\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb2AL\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00@\\xc4\\x13x\\xfc\\x7f\\x00\\x00\\xff\\x07\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x12\\xd1\\xf4}\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00P\\x07\\x12\\xd1\\xf4}\\x00\\x00\\x00\\x00&\\xd3\\xf5}\\x00\\x00(\\x02'\\xd3\\xf5}\\x00\\x00P\\x06(\\xd3\\xf5}\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x80\\x9b\\x07m\\xe8\\xff\\xff\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x00 \\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x10\\x00\\x00\\x00@\\xad\\x13x\\xfc\\x7f\\x00\\x00\\x00\\x00ABL\\x02\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 19206
          },
          {
            "timestamp": "2026-05-28 22:02:02,475",
            "thread_id": "5448",
            "caller": "0x7ff6c28c5414",
            "parentcaller": "0x7ff6c28c3945",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a88"
              },
              {
                "name": "BaseAddress",
                "value": "0x24c41c035c0"
              },
              {
                "name": "Size",
                "value": "0x00000440"
              },
              {
                "name": "Buffer",
                "value": "p\\x0c\\x00\\x00p\\x0c\\x00\\x00\\x01`\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x80\\x00\\x08\\x02\\x00\\x00\\x00\\x00\\xa0F\\xc0AL\\x02\\x00\\x00@\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00x\\x00z\\x00\\x00\\x00\\x00\\x00\\x08<\\xc0AL\\x02\\x00\\x00\\x10\\x05\\x12\\x05\\x00\\x00\\x00\\x00\\x82<\\xc0AL\\x02\\x00\\x00\\xf0'\\xc0AL\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x80\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00x\\x00z\\x00\\x00\\x00\\x00\\x00\\x94A\\xc0AL\\x02\\x00\\x00\\x1e\\x00 \\x00\\x00\\x00\\x00\\x00\\x0eB\\xc0AL\\x02\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00.B\\xc0AL\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 19207
          },
          {
            "timestamp": "2026-05-28 22:02:02,475",
            "thread_id": "5448",
            "caller": "0x7ff6c28c545d",
            "parentcaller": "0x7ff6c28c3945",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a88"
              },
              {
                "name": "BaseAddress",
                "value": "0x24c41c03c82"
              },
              {
                "name": "Size",
                "value": "0x00000510"
              },
              {
                "name": "Buffer",
                "value": "\"\\x00C\\x00:\\x00\\\\x00P\\x00r\\x00o\\x00g\\x00r\\x00a\\x00m\\x00 \\x00F\\x00i\\x00l\\x00e\\x00s\\x00 \\x00(\\x00x\\x008\\x006\\x00)\\x00\\\\x00M\\x00i\\x00c\\x00r\\x00o\\x00s\\x00o\\x00f\\x00t\\x00\\\\x00E\\x00d\\x00g\\x00e\\x00\\\\x00A\\x00p\\x00p\\x00l\\x00i\\x00c\\x00a\\x00t\\x00i\\x00o\\x00n\\x00\\\\x00m\\x00s\\x00e\\x00d\\x00g\\x00e\\x00.\\x00e\\x00x\\x00e\\x00\"\\x00 \\x00-\\x00-\\x00t\\x00y\\x00p\\x00e\\x00=\\x00c\\x00r\\x00a\\x00s\\x00h\\x00p\\x00a\\x00d\\x00-\\x00h\\x00a\\x00n\\x00d\\x00l\\x00e\\x00r\\x00 \\x00\"\\x00-\\x00-\\x00u\\x00s\\x00e\\x00r\\x00-\\x00d\\x00a\\x00t\\x00a\\x00-\\x00d\\x00i\\x00r\\x00=\\x00C\\x00:\\x00\\\\x00U\\x00s\\x00e\\x00r\\x00s\\x00\\\\x00a\\x00d\\x00m\\x00i\\x00n\\x00\\\\x00A\\x00p\\x00p\\x00D\\x00a\\x00t\\x00a\\x00\\\\x00L\\x00"
              }
            ],
            "repeated": 0,
            "id": 19208
          },
          {
            "timestamp": "2026-05-28 22:02:02,475",
            "thread_id": "5448",
            "caller": "0x7ff6c28c39ad",
            "parentcaller": "0x7ff6c28c31bb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a88"
              }
            ],
            "repeated": 0,
            "id": 19209
          },
          {
            "timestamp": "2026-05-28 22:02:02,475",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c3746",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a88"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001000",
                "pretty_value": "PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "9204"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe"
              }
            ],
            "repeated": 0,
            "id": 19210
          },
          {
            "timestamp": "2026-05-28 22:02:02,475",
            "thread_id": "5448",
            "caller": "0x7ff6c28c472e",
            "parentcaller": "0x7ff6c28c375e",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a88"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x00000a9c"
              }
            ],
            "repeated": 0,
            "id": 19211
          },
          {
            "timestamp": "2026-05-28 22:02:02,475",
            "thread_id": "5448",
            "caller": "0x7ff6c28c4764",
            "parentcaller": "0x7ff6c28c375e",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "39"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 19212
          },
          {
            "timestamp": "2026-05-28 22:02:02,475",
            "thread_id": "5448",
            "caller": "0x7ff6c28c47ed",
            "parentcaller": "0x7ff6c28c375e",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "39"
              },
              {
                "name": "TokenInformation",
                "value": "\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x000\\xc0\\xe3T\\x92\\x02\\x00\\x00 \\x00 \\x00\\x00\\x00\\x00\\x00X\\xc0\\xe3T\\x92\\x02\\x00\\x00\\x02\\x00\\x00\\x00A\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00x\\xc0\\xe3T\\x92\\x02\\x00\\x00T\\x00S\\x00A\\x00:\\x00/\\x00/\\x00P\\x00r\\x00o\\x00c\\x00U\\x00n\\x00i\\x00q\\x00u\\x00e\\x00\\x92\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xf4@\n\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 19213
          },
          {
            "timestamp": "2026-05-28 22:02:02,475",
            "thread_id": "5448",
            "caller": "0x7ff6c28c488d",
            "parentcaller": "0x7ff6c28c375e",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a9c"
              }
            ],
            "repeated": 0,
            "id": 19214
          },
          {
            "timestamp": "2026-05-28 22:02:02,475",
            "thread_id": "5448",
            "caller": "0x7ff6c28c3779",
            "parentcaller": "0x7ff6c28c31c6",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a88"
              }
            ],
            "repeated": 0,
            "id": 19215
          },
          {
            "timestamp": "2026-05-28 22:02:02,475",
            "thread_id": "5448",
            "caller": "0x7ff6c28c05ac",
            "parentcaller": "0x7ff6c28bdc11",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a88"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001400",
                "pretty_value": "PROCESS_QUERY_INFORMATION|PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "9616"
              },
              {
                "name": "ProcessName",
                "value": "C:\\_a4sjgfa\\bin\\PPLinject64.exe"
              }
            ],
            "repeated": 0,
            "id": 19216
          },
          {
            "timestamp": "2026-05-28 22:02:02,475",
            "thread_id": "5448",
            "caller": "0x7ff6c28c068f",
            "parentcaller": "0x7ff6c28bdc11",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a88"
              }
            ],
            "repeated": 0,
            "id": 19217
          },
          {
            "timestamp": "2026-05-28 22:02:02,475",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c3e56",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a88"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001000",
                "pretty_value": "PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "9616"
              },
              {
                "name": "ProcessName",
                "value": "C:\\_a4sjgfa\\bin\\PPLinject64.exe"
              }
            ],
            "repeated": 0,
            "id": 19218
          },
          {
            "timestamp": "2026-05-28 22:02:02,475",
            "thread_id": "5448",
            "caller": "0x7ff6c28c3ebb",
            "parentcaller": "0x7ff6c28c2d53",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a88"
              }
            ],
            "repeated": 0,
            "id": 19219
          },
          {
            "timestamp": "2026-05-28 22:02:02,475",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c3ffc",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a88"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001000",
                "pretty_value": "PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "9616"
              },
              {
                "name": "ProcessName",
                "value": "C:\\_a4sjgfa\\bin\\PPLinject64.exe"
              }
            ],
            "repeated": 0,
            "id": 19220
          },
          {
            "timestamp": "2026-05-28 22:02:02,475",
            "thread_id": "5448",
            "caller": "0x7ff6c28c4224",
            "parentcaller": "0x7ff6c28c2da5",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a88"
              }
            ],
            "repeated": 0,
            "id": 19221
          },
          {
            "timestamp": "2026-05-28 22:02:02,475",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a88"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000400",
                "pretty_value": "PROCESS_QUERY_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "7912"
              }
            ],
            "repeated": 0,
            "id": 19222
          },
          {
            "timestamp": "2026-05-28 22:02:02,475",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x00000a9c"
              }
            ],
            "repeated": 0,
            "id": 19223
          },
          {
            "timestamp": "2026-05-28 22:02:02,475",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "`\\xd8\\xdf\\x9d\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\xe9\\x03\\x00\\x00\\xfc\\x7f\\x00\\x00`^\\xe8S\\x92\\x02\\x00\\x00\\xe0\\xde\\xdf\\x9d\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xa0\\x00\\x00\\x00\\x00\\x00\\x00\\x00H\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 19224
          },
          {
            "timestamp": "2026-05-28 22:02:02,475",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "synchronization",
            "api": "NtCreateMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a84"
              },
              {
                "name": "MutexName",
                "value": "Global\\C::Users:admin:AppData:Local:Microsoft:Windows:Explorer:iconcache_idx.db!rwReaderRefs"
              },
              {
                "name": "InitialOwner",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 19225
          },
          {
            "timestamp": "2026-05-28 22:02:02,475",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a9c"
              }
            ],
            "repeated": 0,
            "id": 19226
          },
          {
            "timestamp": "2026-05-28 22:02:02,475",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a88"
              }
            ],
            "repeated": 0,
            "id": 19227
          },
          {
            "timestamp": "2026-05-28 22:02:02,475",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000808"
              },
              {
                "name": "HandleName",
                "value": "C:\\Users\\admin\\AppData\\Local\\Microsoft\\Windows\\Explorer\\iconcache_idx.db"
              },
              {
                "name": "FileInformationClass",
                "value": "5",
                "pretty_value": "FileStandardInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\x00\\x80\\x00\\x00\\x00\\x00\\x00\\x000r\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 19228
          },
          {
            "timestamp": "2026-05-28 22:02:02,475",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a84"
              }
            ],
            "repeated": 0,
            "id": 19229
          },
          {
            "timestamp": "2026-05-28 22:02:02,475",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a84"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000400",
                "pretty_value": "PROCESS_QUERY_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "7912"
              }
            ],
            "repeated": 0,
            "id": 19230
          },
          {
            "timestamp": "2026-05-28 22:02:02,475",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x00000a88"
              }
            ],
            "repeated": 0,
            "id": 19231
          },
          {
            "timestamp": "2026-05-28 22:02:02,475",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "p\\xd8\\xdf\\x9d\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\xe9\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xbc\\x07\\x00\\x00\\x00\\x00\\x00\\x00 \\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x02\\x00\\x00\\x00\\x00\\x00\\x00]\\xddmu\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xea5\\x07Ou\\xc0\\x00\\x00\\xe8\\xf6\\x8eT\\x92\\x02\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 19232
          },
          {
            "timestamp": "2026-05-28 22:02:02,475",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "synchronization",
            "api": "NtCreateMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a9c"
              },
              {
                "name": "MutexName",
                "value": "Global\\C::Users:admin:AppData:Local:Microsoft:Windows:Explorer:iconcache_idx.db!rwReaderRefs"
              },
              {
                "name": "InitialOwner",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 19233
          },
          {
            "timestamp": "2026-05-28 22:02:02,475",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a88"
              }
            ],
            "repeated": 0,
            "id": 19234
          },
          {
            "timestamp": "2026-05-28 22:02:02,475",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a84"
              }
            ],
            "repeated": 0,
            "id": 19235
          },
          {
            "timestamp": "2026-05-28 22:02:02,475",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a9c"
              }
            ],
            "repeated": 0,
            "id": 19236
          },
          {
            "timestamp": "2026-05-28 22:02:02,475",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\_a4sjgfa\\bin\\pplinject64.exe"
              }
            ],
            "repeated": 1,
            "id": 19237
          },
          {
            "timestamp": "2026-05-28 22:02:02,475",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x292514a0002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "c:\\_a4sjgfa\\bin\\pplinject64.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 19238
          },
          {
            "timestamp": "2026-05-28 22:02:02,475",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x292514a0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00037000"
              }
            ],
            "repeated": 0,
            "id": 19239
          },
          {
            "timestamp": "2026-05-28 22:02:02,475",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\imageres.dll"
              }
            ],
            "repeated": 1,
            "id": 19240
          },
          {
            "timestamp": "2026-05-28 22:02:02,475",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x292514a0002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\system32\\imageres.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 19241
          },
          {
            "timestamp": "2026-05-28 22:02:02,475",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "registry",
            "api": "NtOpenKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\en-US"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\en-US"
              }
            ],
            "repeated": 0,
            "id": 19242
          },
          {
            "timestamp": "2026-05-28 22:02:02,475",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000a9c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100001",
                "pretty_value": "FILE_READ_ACCESS|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\en-US\\imageres.dll.mui"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 19243
          },
          {
            "timestamp": "2026-05-28 22:02:02,475",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000a84"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000a9c"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\en-US\\imageres.dll.mui"
              }
            ],
            "repeated": 0,
            "id": 19244
          },
          {
            "timestamp": "2026-05-28 22:02:02,475",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000a84"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x292514b0000"
              },
              {
                "name": "SectionOffset",
                "value": "0xf09ddfb7f0"
              },
              {
                "name": "ViewSize",
                "value": "0x00001000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 19245
          },
          {
            "timestamp": "2026-05-28 22:02:02,475",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a84"
              }
            ],
            "repeated": 0,
            "id": 19246
          },
          {
            "timestamp": "2026-05-28 22:02:02,475",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": false,
            "return": "0xffffffffc000003a",
            "pretty_return": "OBJECT_PATH_NOT_FOUND",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100001",
                "pretty_value": "FILE_READ_ACCESS|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\SystemResources\\imageres.dll.mui.mun"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 19247
          },
          {
            "timestamp": "2026-05-28 22:02:02,475",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000a84"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100001",
                "pretty_value": "FILE_READ_ACCESS|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\SystemResources\\imageres.dll.mun"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 19248
          },
          {
            "timestamp": "2026-05-28 22:02:02,475",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000a88"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000a84"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\SystemResources\\imageres.dll.mun"
              }
            ],
            "repeated": 0,
            "id": 19249
          },
          {
            "timestamp": "2026-05-28 22:02:02,475",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000a88"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29255930000"
              },
              {
                "name": "SectionOffset",
                "value": "0xf09ddfb7a0"
              },
              {
                "name": "ViewSize",
                "value": "0x013c0000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 19250
          },
          {
            "timestamp": "2026-05-28 22:02:02,475",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a88"
              }
            ],
            "repeated": 0,
            "id": 19251
          },
          {
            "timestamp": "2026-05-28 22:02:02,475",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "misc",
            "api": "FindResourceExW",
            "status": true,
            "return": "0x29255952e40",
            "arguments": [
              {
                "name": "Module",
                "value": "0x292514a0002"
              },
              {
                "name": "Type",
                "value": "#14"
              },
              {
                "name": "Name",
                "value": "#15"
              },
              {
                "name": "Language",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 19252
          },
          {
            "timestamp": "2026-05-28 22:02:02,475",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "misc",
            "api": "LoadResource",
            "status": true,
            "return": "0x292559c6950",
            "arguments": [
              {
                "name": "Module",
                "value": "0x292514a0002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29255952e40"
              }
            ],
            "repeated": 0,
            "id": 19253
          },
          {
            "timestamp": "2026-05-28 22:02:02,475",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "misc",
            "api": "FindResourceExW",
            "status": true,
            "return": "0x29255948940",
            "arguments": [
              {
                "name": "Module",
                "value": "0x292514a0002"
              },
              {
                "name": "Type",
                "value": "#3"
              },
              {
                "name": "Name",
                "value": "#63"
              },
              {
                "name": "Language",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 19254
          },
          {
            "timestamp": "2026-05-28 22:02:02,475",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "misc",
            "api": "SizeofResource",
            "status": true,
            "return": "0x00000468",
            "arguments": [
              {
                "name": "ModuleHandle",
                "value": "0x292514a0002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29255948940"
              }
            ],
            "repeated": 0,
            "id": 19255
          },
          {
            "timestamp": "2026-05-28 22:02:02,475",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "misc",
            "api": "LoadResource",
            "status": true,
            "return": "0x292559c64e8",
            "arguments": [
              {
                "name": "Module",
                "value": "0x292514a0002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29255948940"
              }
            ],
            "repeated": 0,
            "id": 19256
          },
          {
            "timestamp": "2026-05-28 22:02:02,475",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29255930000"
              },
              {
                "name": "RegionSize",
                "value": "0x013c0000"
              }
            ],
            "repeated": 0,
            "id": 19257
          },
          {
            "timestamp": "2026-05-28 22:02:02,475",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a84"
              }
            ],
            "repeated": 0,
            "id": 19258
          },
          {
            "timestamp": "2026-05-28 22:02:02,475",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x292514b0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              }
            ],
            "repeated": 0,
            "id": 19259
          },
          {
            "timestamp": "2026-05-28 22:02:02,475",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a9c"
              }
            ],
            "repeated": 0,
            "id": 19260
          },
          {
            "timestamp": "2026-05-28 22:02:02,475",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x292514a0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00003000"
              }
            ],
            "repeated": 0,
            "id": 19261
          },
          {
            "timestamp": "2026-05-28 22:02:02,490",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x292514a0002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\_a4sjgfa\\bin\\PPLinject64.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 19262
          },
          {
            "timestamp": "2026-05-28 22:02:02,490",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x292514a0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00037000"
              }
            ],
            "repeated": 0,
            "id": 19263
          },
          {
            "timestamp": "2026-05-28 22:02:02,490",
            "thread_id": "5448",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c28c73b3",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 19264
          },
          {
            "timestamp": "2026-05-28 22:02:02,490",
            "thread_id": "5448",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c28c73b3",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000000d4"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 19265
          },
          {
            "timestamp": "2026-05-28 22:02:02,490",
            "thread_id": "5448",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c28c73b3",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000aa0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000000d4"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MyComputer\\NameSpace"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MyComputer\\NameSpace"
              }
            ],
            "repeated": 0,
            "id": 19266
          },
          {
            "timestamp": "2026-05-28 22:02:02,490",
            "thread_id": "5448",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c28c73b3",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000aa0"
              },
              {
                "name": "ValueName",
                "value": "ValidateRegItems"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MyComputer\\NameSpace\\ValidateRegItems"
              }
            ],
            "repeated": 0,
            "id": 19267
          },
          {
            "timestamp": "2026-05-28 22:02:02,490",
            "thread_id": "5448",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c28c73b3",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000aa0"
              }
            ],
            "repeated": 0,
            "id": 19268
          },
          {
            "timestamp": "2026-05-28 22:02:02,490",
            "thread_id": "5448",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c28c73b3",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 19269
          },
          {
            "timestamp": "2026-05-28 22:02:02,490",
            "thread_id": "5448",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c28c73b3",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000000d4"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 19270
          },
          {
            "timestamp": "2026-05-28 22:02:02,490",
            "thread_id": "5448",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c28c73b3",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000aa0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000000d4"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MyComputer\\NameSpace"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MyComputer\\NameSpace"
              }
            ],
            "repeated": 0,
            "id": 19271
          },
          {
            "timestamp": "2026-05-28 22:02:02,490",
            "thread_id": "5448",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c28c73b3",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000aa0"
              },
              {
                "name": "ValueName",
                "value": "MonitorRegistry"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MyComputer\\NameSpace\\MonitorRegistry"
              }
            ],
            "repeated": 0,
            "id": 19272
          },
          {
            "timestamp": "2026-05-28 22:02:02,490",
            "thread_id": "5448",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c28c73b3",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000aa0"
              }
            ],
            "repeated": 0,
            "id": 19273
          },
          {
            "timestamp": "2026-05-28 22:02:02,490",
            "thread_id": "5448",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c28c73b3",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000001",
                "pretty_value": "HKEY_CURRENT_USER"
              },
              {
                "name": "SubKey",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume"
              },
              {
                "name": "Handle",
                "value": "0x00000aa0"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume"
              }
            ],
            "repeated": 0,
            "id": 19274
          },
          {
            "timestamp": "2026-05-28 22:02:02,490",
            "thread_id": "5448",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c28c73b3",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000aa0"
              },
              {
                "name": "SubKey",
                "value": "{528c102f-0000-0000-0000-300300000000}\\"
              },
              {
                "name": "Handle",
                "value": "0x00000aa4"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{528c102f-0000-0000-0000-300300000000}\\"
              }
            ],
            "repeated": 0,
            "id": 19275
          },
          {
            "timestamp": "2026-05-28 22:02:02,490",
            "thread_id": "5448",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c28c73b3",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000aa0"
              }
            ],
            "repeated": 0,
            "id": 19276
          },
          {
            "timestamp": "2026-05-28 22:02:02,490",
            "thread_id": "5448",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c28c73b3",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000aa4"
              },
              {
                "name": "ValueName",
                "value": "Generation"
              },
              {
                "name": "Data",
                "value": "1"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{528c102f-0000-0000-0000-300300000000}\\Generation"
              }
            ],
            "repeated": 0,
            "id": 19277
          },
          {
            "timestamp": "2026-05-28 22:02:02,490",
            "thread_id": "5448",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c28c73b3",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000aa4"
              }
            ],
            "repeated": 0,
            "id": 19278
          },
          {
            "timestamp": "2026-05-28 22:02:02,490",
            "thread_id": "5448",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c28c73b3",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000aa4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100081",
                "pretty_value": "FILE_READ_ACCESS|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 19279
          },
          {
            "timestamp": "2026-05-28 22:02:02,490",
            "thread_id": "5448",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c28c73b3",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": false,
            "return": "0xffffffffc000000d",
            "pretty_return": "INVALID_PARAMETER",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000aa4"
              },
              {
                "name": "HandleName",
                "value": "C:\\"
              },
              {
                "name": "FileInformationClass",
                "value": "55",
                "pretty_value": "FileReplaceCompletionInformation"
              },
              {
                "name": "FileInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 19280
          },
          {
            "timestamp": "2026-05-28 22:02:02,490",
            "thread_id": "5448",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c28c73b3",
            "category": "filesystem",
            "api": "NtQueryDirectoryFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000aa4"
              },
              {
                "name": "FileInformation",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xc0b\\xd5@\\xec\\xee\\xdc\\x01\\xad\\xc9\\x1fA\\xec\\xee\\xdc\\x01\\xad\\xc9\\x1fA\\xec\\xee\\xdc\\x01\\xad\\xc9\\x1fA\\xec\\xee\\xdc\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xd8\\x07\\x02\\x00\\x00\\x00\\x02\\x00_\\x00a\\x004\\x00s\\x00j\\x00g\\x00f\\x00a\\x00"
              },
              {
                "name": "FileName",
                "value": "C:\\_a4sjgfa"
              },
              {
                "name": "FileInformationClass",
                "value": "37",
                "pretty_value": "FileIdBothDirectoryInformation"
              }
            ],
            "repeated": 0,
            "id": 19281
          },
          {
            "timestamp": "2026-05-28 22:02:02,490",
            "thread_id": "5448",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c28c73b3",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000aa4"
              }
            ],
            "repeated": 0,
            "id": 19282
          },
          {
            "timestamp": "2026-05-28 22:02:02,490",
            "thread_id": "5448",
            "caller": "0x7ff6c28c3b16",
            "parentcaller": "0x7ff6c28c30e8",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000aa4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000400",
                "pretty_value": "PROCESS_QUERY_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "9616"
              },
              {
                "name": "ProcessName",
                "value": "C:\\_a4sjgfa\\bin\\PPLinject64.exe"
              }
            ],
            "repeated": 0,
            "id": 19283
          },
          {
            "timestamp": "2026-05-28 22:02:02,490",
            "thread_id": "5448",
            "caller": "0x7ff6c28c3b8f",
            "parentcaller": "0x7ff6c28c30e8",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000aa4"
              }
            ],
            "repeated": 0,
            "id": 19284
          },
          {
            "timestamp": "2026-05-28 22:02:02,506",
            "thread_id": "1496",
            "caller": "0x7ff6c28da9db",
            "parentcaller": "0x7ff6c28d6fb1",
            "category": "misc",
            "api": "GetCursorPos",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "x",
                "value": "599"
              },
              {
                "name": "y",
                "value": "433"
              }
            ],
            "repeated": 0,
            "id": 19285
          },
          {
            "timestamp": "2026-05-28 22:02:02,506",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6fb1",
            "parentcaller": "0x7ff6c28e0076",
            "category": "system",
            "api": "NtDelayExecution",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 19286
          },
          {
            "timestamp": "2026-05-28 22:02:02,553",
            "thread_id": "1496",
            "caller": "0x7ff6c28f6c41",
            "parentcaller": "0x7ff6c28d6fb1",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 1,
            "id": 19287
          },
          {
            "timestamp": "2026-05-28 22:02:02,553",
            "thread_id": "1496",
            "caller": "0x7ff6c28f6c41",
            "parentcaller": "0x7ff6c28d6fb1",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x0000104e"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 19288
          },
          {
            "timestamp": "2026-05-28 22:02:02,553",
            "thread_id": "1496",
            "caller": "0x7ff6c28da9db",
            "parentcaller": "0x7ff6c28d6fb1",
            "category": "misc",
            "api": "GetCursorPos",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "x",
                "value": "599"
              },
              {
                "name": "y",
                "value": "433"
              }
            ],
            "repeated": 0,
            "id": 19289
          },
          {
            "timestamp": "2026-05-28 22:02:02,553",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6f98",
            "parentcaller": "0x7ff6c28e0076",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 2,
            "id": 19290
          },
          {
            "timestamp": "2026-05-28 22:02:02,553",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6f98",
            "parentcaller": "0x7ff6c28e0076",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x0000104e"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 19291
          },
          {
            "timestamp": "2026-05-28 22:02:02,553",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6f98",
            "parentcaller": "0x7ff6c28e0076",
            "category": "synchronization",
            "api": "NtOpenEvent",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "Handle",
                "value": "0xf09d76ed40"
              },
              {
                "name": "EventName",
                "value": "Local\\1ImmersiveFocusTrackingActiveEvent"
              }
            ],
            "repeated": 0,
            "id": 19292
          },
          {
            "timestamp": "2026-05-28 22:02:02,553",
            "thread_id": "1496",
            "caller": "0x7ff6c28dbac0",
            "parentcaller": "0x7ff6c28d6f98",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00001016"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 19293
          },
          {
            "timestamp": "2026-05-28 22:02:02,553",
            "thread_id": "1496",
            "caller": "0x7ff6c28dbac0",
            "parentcaller": "0x7ff6c28d6f98",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00001018"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 19294
          },
          {
            "timestamp": "2026-05-28 22:02:02,553",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6fb1",
            "parentcaller": "0x7ff6c28e0076",
            "category": "windows",
            "api": "PostMessageW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "WindowHandle",
                "value": "0x000f03ec"
              },
              {
                "name": "Message",
                "value": "0x00000060"
              }
            ],
            "repeated": 0,
            "id": 19295
          },
          {
            "timestamp": "2026-05-28 22:02:02,553",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6f98",
            "parentcaller": "0x7ff6c28e0076",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00001016"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 19296
          },
          {
            "timestamp": "2026-05-28 22:02:02,553",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6f98",
            "parentcaller": "0x7ff6c28e0076",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00001018"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 19297
          },
          {
            "timestamp": "2026-05-28 22:02:02,553",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6fb1",
            "parentcaller": "0x7ff6c28e0076",
            "category": "system",
            "api": "NtDelayExecution",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 19298
          },
          {
            "timestamp": "2026-05-28 22:02:02,600",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c38f8",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000aa4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001410",
                "pretty_value": "PROCESS_VM_READ|PROCESS_QUERY_INFORMATION|PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "9616"
              },
              {
                "name": "ProcessName",
                "value": "C:\\_a4sjgfa\\bin\\PPLinject64.exe"
              }
            ],
            "repeated": 0,
            "id": 19299
          },
          {
            "timestamp": "2026-05-28 22:02:02,600",
            "thread_id": "5448",
            "caller": "0x7ff6c28c53e5",
            "parentcaller": "0x7ff6c28c3945",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000aa4"
              },
              {
                "name": "BaseAddress",
                "value": "0x315ead6000"
              },
              {
                "name": "Size",
                "value": "0x000007c8"
              },
              {
                "name": "Buffer",
                "value": "\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\xfeh\\xf6\\x7f\\x00\\x00\\xc0\\xc4\\x13x\\xfc\\x7f\\x00\\x00p\\x1cy\\xf8Y\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00y\\xf8Y\\x01\\x00\\x00\\xe0\\xc0\\x13x\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00o\\xf8Y\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00@\\xc4\\x13x\\xfc\\x7f\\x00\\x00\\x11\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00'\\xcb\\xf4\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00P\\x07'\\xcb\\xf4\\x7f\\x00\\x00\\x00\\x00;\\xcd\\xf5\\x7f\\x00\\x00(\\x02<\\xcd\\xf5\\x7f\\x00\\x00P\\x06=\\xcd\\xf5\\x7f\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x80\\x9b\\x07m\\xe8\\xff\\xff\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x00 \\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x10\\x00\\x00\\x00@\\xad\\x13x\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 19300
          },
          {
            "timestamp": "2026-05-28 22:02:02,600",
            "thread_id": "5448",
            "caller": "0x7ff6c28c5414",
            "parentcaller": "0x7ff6c28c3945",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000aa4"
              },
              {
                "name": "BaseAddress",
                "value": "0x159f8791c70"
              },
              {
                "name": "Size",
                "value": "0x00000440"
              },
              {
                "name": "Buffer",
                "value": "J\\x07\\x00\\x00J\\x07\\x00\\x00\\x01`\\x00\\x00\\x00\\x00\\x00\\x00D\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00P\\x00\\x00\\x00\\x00\\x00\\x00\\x00T\\x00\\x00\\x00\\x00\\x00\\x00\\x00X\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x18\\x00\\x08\\x02\\x00\\x00\\x00\\x00 (y\\xf8Y\\x01\\x00\\x00@\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00>\\x00@\\x00\\x00\\x00\\x00\\x00\\xb8\"y\\xf8Y\\x01\\x00\\x00^\\x00`\\x00\\x00\\x00\\x00\\x00\\xf8\"y\\xf8Y\\x01\\x00\\x00\\xe0\\x0fy\\xf8Y\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00>\\x00@\\x00\\x00\\x00\\x00\\x00X#y\\xf8Y\\x01\\x00\\x00\\x1e\\x00 \\x00\\x00\\x00\\x00\\x00\\x98#y\\xf8Y\\x01\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\xb8#y\\xf8Y\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 19301
          },
          {
            "timestamp": "2026-05-28 22:02:02,600",
            "thread_id": "5448",
            "caller": "0x7ff6c28c545d",
            "parentcaller": "0x7ff6c28c3945",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000aa4"
              },
              {
                "name": "BaseAddress",
                "value": "0x159f87922f8"
              },
              {
                "name": "Size",
                "value": "0x0000005e"
              },
              {
                "name": "Buffer",
                "value": "P\\x00P\\x00L\\x00i\\x00n\\x00j\\x00e\\x00c\\x00t\\x006\\x004\\x00.\\x00e\\x00x\\x00e\\x00 \\x005\\x009\\x002\\x00 \\x00C\\x00:\\x00\\\\x00_\\x00a\\x004\\x00s\\x00j\\x00g\\x00f\\x00a\\x00\\\\x00d\\x00l\\x00l\\x00\\\\x00t\\x00H\\x00n\\x00P\\x00b\\x00x\\x00s\\x00.\\x00d\\x00l\\x00l\\x00"
              }
            ],
            "repeated": 0,
            "id": 19302
          },
          {
            "timestamp": "2026-05-28 22:02:02,600",
            "thread_id": "5448",
            "caller": "0x7ff6c28c39ad",
            "parentcaller": "0x7ff6c28c31bb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000aa4"
              }
            ],
            "repeated": 0,
            "id": 19303
          },
          {
            "timestamp": "2026-05-28 22:02:02,600",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c3746",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000aa4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001000",
                "pretty_value": "PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "9616"
              },
              {
                "name": "ProcessName",
                "value": "C:\\_a4sjgfa\\bin\\PPLinject64.exe"
              }
            ],
            "repeated": 0,
            "id": 19304
          },
          {
            "timestamp": "2026-05-28 22:02:02,600",
            "thread_id": "5448",
            "caller": "0x7ff6c28c472e",
            "parentcaller": "0x7ff6c28c375e",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000aa4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x00000aa0"
              }
            ],
            "repeated": 0,
            "id": 19305
          },
          {
            "timestamp": "2026-05-28 22:02:02,600",
            "thread_id": "5448",
            "caller": "0x7ff6c28c4764",
            "parentcaller": "0x7ff6c28c375e",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "39"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 19306
          },
          {
            "timestamp": "2026-05-28 22:02:02,600",
            "thread_id": "5448",
            "caller": "0x7ff6c28c47ed",
            "parentcaller": "0x7ff6c28c375e",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "39"
              },
              {
                "name": "TokenInformation",
                "value": "\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x90\\xf8\\xe7T\\x92\\x02\\x00\\x00 \\x00 \\x00\\x00\\x00\\x00\\x00\\xb8\\xf8\\xe7T\\x92\\x02\\x00\\x00\\x02\\x00\\x00\\x00A\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xd8\\xf8\\xe7T\\x92\\x02\\x00\\x00T\\x00S\\x00A\\x00:\\x00/\\x00/\\x00P\\x00r\\x00o\\x00c\\x00U\\x00n\\x00i\\x00q\\x00u\\x00e\\x00\\x95\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x8bR\n\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 19307
          },
          {
            "timestamp": "2026-05-28 22:02:02,600",
            "thread_id": "5448",
            "caller": "0x7ff6c28c488d",
            "parentcaller": "0x7ff6c28c375e",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000aa0"
              }
            ],
            "repeated": 0,
            "id": 19308
          },
          {
            "timestamp": "2026-05-28 22:02:02,600",
            "thread_id": "5448",
            "caller": "0x7ff6c28c3779",
            "parentcaller": "0x7ff6c28c31c6",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000aa4"
              }
            ],
            "repeated": 0,
            "id": 19309
          },
          {
            "timestamp": "2026-05-28 22:02:02,615",
            "thread_id": "5448",
            "caller": "0x7ff6c28c05ac",
            "parentcaller": "0x7ff6c28bdc11",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000aa4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001400",
                "pretty_value": "PROCESS_QUERY_INFORMATION|PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "9632"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\System32\\conhost.exe"
              }
            ],
            "repeated": 0,
            "id": 19310
          },
          {
            "timestamp": "2026-05-28 22:02:02,615",
            "thread_id": "5448",
            "caller": "0x7ff6c28c068f",
            "parentcaller": "0x7ff6c28bdc11",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000aa4"
              }
            ],
            "repeated": 0,
            "id": 19311
          },
          {
            "timestamp": "2026-05-28 22:02:02,615",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c3e56",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000aa4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001000",
                "pretty_value": "PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "9632"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\System32\\conhost.exe"
              }
            ],
            "repeated": 0,
            "id": 19312
          },
          {
            "timestamp": "2026-05-28 22:02:02,615",
            "thread_id": "5448",
            "caller": "0x7ff6c28c3ebb",
            "parentcaller": "0x7ff6c28c2d53",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000aa4"
              }
            ],
            "repeated": 0,
            "id": 19313
          },
          {
            "timestamp": "2026-05-28 22:02:02,615",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c3ffc",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000aa4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001000",
                "pretty_value": "PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "9632"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\System32\\conhost.exe"
              }
            ],
            "repeated": 0,
            "id": 19314
          },
          {
            "timestamp": "2026-05-28 22:02:02,615",
            "thread_id": "5448",
            "caller": "0x7ff6c28c4224",
            "parentcaller": "0x7ff6c28c2da5",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000aa4"
              }
            ],
            "repeated": 0,
            "id": 19315
          },
          {
            "timestamp": "2026-05-28 22:02:02,615",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x292514a0002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\System32\\conhost.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 19316
          },
          {
            "timestamp": "2026-05-28 22:02:02,615",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "registry",
            "api": "NtOpenKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\en-US"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\en-US"
              }
            ],
            "repeated": 0,
            "id": 19317
          },
          {
            "timestamp": "2026-05-28 22:02:02,615",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000aa4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100001",
                "pretty_value": "FILE_READ_ACCESS|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\en-US\\conhost.exe.mui"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 19318
          },
          {
            "timestamp": "2026-05-28 22:02:02,615",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000aa0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000aa4"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\en-US\\Conhost.exe.mui"
              }
            ],
            "repeated": 0,
            "id": 19319
          },
          {
            "timestamp": "2026-05-28 22:02:02,615",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000aa0"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29251580000"
              },
              {
                "name": "SectionOffset",
                "value": "0xf09ddfcf90"
              },
              {
                "name": "ViewSize",
                "value": "0x00001000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 19320
          },
          {
            "timestamp": "2026-05-28 22:02:02,615",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000aa0"
              }
            ],
            "repeated": 0,
            "id": 19321
          },
          {
            "timestamp": "2026-05-28 22:02:02,615",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29251580000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              }
            ],
            "repeated": 0,
            "id": 19322
          },
          {
            "timestamp": "2026-05-28 22:02:02,615",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000aa4"
              }
            ],
            "repeated": 0,
            "id": 19323
          },
          {
            "timestamp": "2026-05-28 22:02:02,615",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x292514a0000"
              },
              {
                "name": "RegionSize",
                "value": "0x000db000"
              }
            ],
            "repeated": 0,
            "id": 19324
          },
          {
            "timestamp": "2026-05-28 22:02:02,615",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x292514a0002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\System32\\conhost.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 19325
          },
          {
            "timestamp": "2026-05-28 22:02:02,615",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "registry",
            "api": "NtOpenKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\en-US"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\en-US"
              }
            ],
            "repeated": 0,
            "id": 19326
          },
          {
            "timestamp": "2026-05-28 22:02:02,615",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000aa4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100001",
                "pretty_value": "FILE_READ_ACCESS|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\en-US\\conhost.exe.mui"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 19327
          },
          {
            "timestamp": "2026-05-28 22:02:02,615",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000aa0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000aa4"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\en-US\\Conhost.exe.mui"
              }
            ],
            "repeated": 0,
            "id": 19328
          },
          {
            "timestamp": "2026-05-28 22:02:02,615",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000aa0"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29251580000"
              },
              {
                "name": "SectionOffset",
                "value": "0xf09ddfcf80"
              },
              {
                "name": "ViewSize",
                "value": "0x00001000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 19329
          },
          {
            "timestamp": "2026-05-28 22:02:02,615",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000aa0"
              }
            ],
            "repeated": 0,
            "id": 19330
          },
          {
            "timestamp": "2026-05-28 22:02:02,615",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29251580000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              }
            ],
            "repeated": 0,
            "id": 19331
          },
          {
            "timestamp": "2026-05-28 22:02:02,615",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000aa4"
              }
            ],
            "repeated": 0,
            "id": 19332
          },
          {
            "timestamp": "2026-05-28 22:02:02,615",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x292514a0000"
              },
              {
                "name": "RegionSize",
                "value": "0x000db000"
              }
            ],
            "repeated": 0,
            "id": 19333
          },
          {
            "timestamp": "2026-05-28 22:02:02,615",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c38f8",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000aa4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001410",
                "pretty_value": "PROCESS_VM_READ|PROCESS_QUERY_INFORMATION|PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "9632"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\System32\\conhost.exe"
              }
            ],
            "repeated": 0,
            "id": 19334
          },
          {
            "timestamp": "2026-05-28 22:02:02,615",
            "thread_id": "5448",
            "caller": "0x7ff6c28c53e5",
            "parentcaller": "0x7ff6c28c3945",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000aa4"
              },
              {
                "name": "BaseAddress",
                "value": "0x100377000"
              },
              {
                "name": "Size",
                "value": "0x000007c8"
              },
              {
                "name": "Buffer",
                "value": "\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\x88\\x99\\xf7\\x7f\\x00\\x00\\xc0\\xc4\\x13x\\xfc\\x7f\\x00\\x00p\\x1c\\xdd\\xbe\\xc3\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xdd\\xbe\\xc3\\x01\\x00\\x00\\xe0\\xc0\\x13x\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00p\\x003v\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xd1\\xbe\\xc3\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00@\\xc4\\x13x\\xfc\\x7f\\x00\\x00\\xff\\xff\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xae\\x0b\\xf4}\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00P\\x07\\xae\\x0b\\xf4}\\x00\\x00\\x00\\x00\\xc2\r\\xf5}\\x00\\x00(\\x02\\xc3\r\\xf5}\\x00\\x00P\\x06\\xc4\r\\xf5}\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x80\\x9b\\x07m\\xe8\\xff\\xff\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x00 \\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x10\\x00\\x00\\x00@\\xad\\x13x\\xfc\\x7f\\x00\\x00\\x00\\x00-\\xbf\\xc3\\x01\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 19335
          },
          {
            "timestamp": "2026-05-28 22:02:02,615",
            "thread_id": "5448",
            "caller": "0x7ff6c28c5414",
            "parentcaller": "0x7ff6c28c3945",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000aa4"
              },
              {
                "name": "BaseAddress",
                "value": "0x1c3bedd1c70"
              },
              {
                "name": "Size",
                "value": "0x00000440"
              },
              {
                "name": "Buffer",
                "value": "$\\x07\\x00\\x00$\\x07\\x00\\x00\\x01@\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x16\\x00\\x08\\x02\\x00\\x00\\x00\\x00\\xf0'\\xdd\\xbe\\xc3\\x01\\x00\\x00D\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00>\\x00@\\x00\\x00\\x00\\x00\\x00\\xc0\"\\xdd\\xbe\\xc3\\x01\\x00\\x00N\\x00P\\x00\\x00\\x00\\x00\\x00\\x00#\\xdd\\xbe\\xc3\\x01\\x00\\x00\\xe0\\x0f\\xdd\\xbe\\xc3\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00p#\\xdd\\xbe\\xc3\\x01\\x00\\x00\\x1e\\x00 \\x00\\x00\\x00\\x00\\x00r#\\xdd\\xbe\\xc3\\x01\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x92#\\xdd\\xbe\\xc3\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 19336
          },
          {
            "timestamp": "2026-05-28 22:02:02,615",
            "thread_id": "5448",
            "caller": "0x7ff6c28c545d",
            "parentcaller": "0x7ff6c28c3945",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000aa4"
              },
              {
                "name": "BaseAddress",
                "value": "0x1c3bedd2300"
              },
              {
                "name": "Size",
                "value": "0x0000004e"
              },
              {
                "name": "Buffer",
                "value": "\\\\x00?\\x00?\\x00\\\\x00C\\x00:\\x00\\\\x00W\\x00i\\x00n\\x00d\\x00o\\x00w\\x00s\\x00\\\\x00s\\x00y\\x00s\\x00t\\x00e\\x00m\\x003\\x002\\x00\\\\x00c\\x00o\\x00n\\x00h\\x00o\\x00s\\x00t\\x00.\\x00e\\x00x\\x00e\\x00 \\x000\\x00x\\x004\\x00"
              }
            ],
            "repeated": 0,
            "id": 19337
          },
          {
            "timestamp": "2026-05-28 22:02:02,615",
            "thread_id": "5448",
            "caller": "0x7ff6c28c39ad",
            "parentcaller": "0x7ff6c28c31bb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000aa4"
              }
            ],
            "repeated": 0,
            "id": 19338
          },
          {
            "timestamp": "2026-05-28 22:02:02,615",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c3746",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000aa4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001000",
                "pretty_value": "PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "9632"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\System32\\conhost.exe"
              }
            ],
            "repeated": 0,
            "id": 19339
          },
          {
            "timestamp": "2026-05-28 22:02:02,615",
            "thread_id": "5448",
            "caller": "0x7ff6c28c472e",
            "parentcaller": "0x7ff6c28c375e",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000aa4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x00000aa0"
              }
            ],
            "repeated": 0,
            "id": 19340
          },
          {
            "timestamp": "2026-05-28 22:02:02,615",
            "thread_id": "5448",
            "caller": "0x7ff6c28c4764",
            "parentcaller": "0x7ff6c28c375e",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "39"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 19341
          },
          {
            "timestamp": "2026-05-28 22:02:02,615",
            "thread_id": "5448",
            "caller": "0x7ff6c28c47ed",
            "parentcaller": "0x7ff6c28c375e",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "39"
              },
              {
                "name": "TokenInformation",
                "value": "\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x90\\xf8\\xe7T\\x92\\x02\\x00\\x00 \\x00 \\x00\\x00\\x00\\x00\\x00\\xb8\\xf8\\xe7T\\x92\\x02\\x00\\x00\\x02\\x00\\x00\\x00A\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xd8\\xf8\\xe7T\\x92\\x02\\x00\\x00T\\x00S\\x00A\\x00:\\x00/\\x00/\\x00P\\x00r\\x00o\\x00c\\x00U\\x00n\\x00i\\x00q\\x00u\\x00e\\x00\\x96\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xe7R\n\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 19342
          },
          {
            "timestamp": "2026-05-28 22:02:02,615",
            "thread_id": "5448",
            "caller": "0x7ff6c28c488d",
            "parentcaller": "0x7ff6c28c375e",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000aa0"
              }
            ],
            "repeated": 0,
            "id": 19343
          },
          {
            "timestamp": "2026-05-28 22:02:02,615",
            "thread_id": "5448",
            "caller": "0x7ff6c28c3779",
            "parentcaller": "0x7ff6c28c31c6",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000aa4"
              }
            ],
            "repeated": 0,
            "id": 19344
          },
          {
            "timestamp": "2026-05-28 22:02:02,631",
            "thread_id": "5448",
            "caller": "0x7ff6c28c05ac",
            "parentcaller": "0x7ff6c28bdc11",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000aa4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001400",
                "pretty_value": "PROCESS_QUERY_INFORMATION|PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "9660"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe"
              }
            ],
            "repeated": 0,
            "id": 19345
          },
          {
            "timestamp": "2026-05-28 22:02:02,631",
            "thread_id": "5448",
            "caller": "0x7ff6c28c068f",
            "parentcaller": "0x7ff6c28bdc11",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000aa4"
              }
            ],
            "repeated": 0,
            "id": 19346
          },
          {
            "timestamp": "2026-05-28 22:02:02,631",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c3e56",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000aa4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001000",
                "pretty_value": "PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "9660"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe"
              }
            ],
            "repeated": 0,
            "id": 19347
          },
          {
            "timestamp": "2026-05-28 22:02:02,631",
            "thread_id": "5448",
            "caller": "0x7ff6c28c3ebb",
            "parentcaller": "0x7ff6c28c2d53",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000aa4"
              }
            ],
            "repeated": 0,
            "id": 19348
          },
          {
            "timestamp": "2026-05-28 22:02:02,631",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c3ffc",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000aa4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001000",
                "pretty_value": "PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "9660"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe"
              }
            ],
            "repeated": 0,
            "id": 19349
          },
          {
            "timestamp": "2026-05-28 22:02:02,631",
            "thread_id": "5448",
            "caller": "0x7ff6c28c4224",
            "parentcaller": "0x7ff6c28c2da5",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000aa4"
              }
            ],
            "repeated": 0,
            "id": 19350
          },
          {
            "timestamp": "2026-05-28 22:02:02,631",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x292514a0002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 19351
          },
          {
            "timestamp": "2026-05-28 22:02:02,631",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x292514a0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00505000"
              }
            ],
            "repeated": 0,
            "id": 19352
          },
          {
            "timestamp": "2026-05-28 22:02:02,631",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x292514a0002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 19353
          },
          {
            "timestamp": "2026-05-28 22:02:02,631",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x292514a0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00505000"
              }
            ],
            "repeated": 0,
            "id": 19354
          },
          {
            "timestamp": "2026-05-28 22:02:02,631",
            "thread_id": "5448",
            "caller": "0x7ff6c28c3b16",
            "parentcaller": "0x7ff6c28c30e8",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000aa4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000400",
                "pretty_value": "PROCESS_QUERY_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "9660"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe"
              }
            ],
            "repeated": 0,
            "id": 19355
          },
          {
            "timestamp": "2026-05-28 22:02:02,631",
            "thread_id": "5448",
            "caller": "0x7ff6c28c3b8f",
            "parentcaller": "0x7ff6c28c30e8",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000aa4"
              }
            ],
            "repeated": 0,
            "id": 19356
          },
          {
            "timestamp": "2026-05-28 22:02:02,631",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c38f8",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000aa4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001410",
                "pretty_value": "PROCESS_VM_READ|PROCESS_QUERY_INFORMATION|PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "9660"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe"
              }
            ],
            "repeated": 0,
            "id": 19357
          },
          {
            "timestamp": "2026-05-28 22:02:02,631",
            "thread_id": "5448",
            "caller": "0x7ff6c28c53e5",
            "parentcaller": "0x7ff6c28c3945",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000aa4"
              },
              {
                "name": "BaseAddress",
                "value": "0x63803a7000"
              },
              {
                "name": "Size",
                "value": "0x000007c8"
              },
              {
                "name": "Buffer",
                "value": "\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00u4\\xf7\\x7f\\x00\\x00\\xc0\\xc4\\x13x\\xfc\\x7f\\x00\\x00\\xf06\\x00\\xf9\\x1e\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xe9\\xf8\\x1e\\x02\\x00\\x00\\xe0\\xc0\\x13x\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x05\\x00\\x00\\x00\\x00\\x00\\x00\\x00p\\x003v\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xe4\\xf8\\x1e\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00@\\xc4\\x13x\\xfc\\x7f\\x00\\x00\\xff\\xff\\xff\\x00\\x00\\x00\\x00\\x00\\x00\\x00x\\xbf\\xf4}\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00P\\x07x\\xbf\\xf4}\\x00\\x00\\x00\\x00\\x8c\\xc1\\xf5}\\x00\\x00(\\x02\\x8d\\xc1\\xf5}\\x00\\x00P\\x06\\x8e\\xc1\\xf5}\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x80\\x9b\\x07m\\xe8\\xff\\xff\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x00 \\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x10\\x00\\x00\\x00@\\xad\\x13x\\xfc\\x7f\\x00\\x00\\x00\\x00L\\x83\\x1e\\x02\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 19358
          },
          {
            "timestamp": "2026-05-28 22:02:02,631",
            "thread_id": "5448",
            "caller": "0x7ff6c28c5414",
            "parentcaller": "0x7ff6c28c3945",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000aa4"
              },
              {
                "name": "BaseAddress",
                "value": "0x21ef90036f0"
              },
              {
                "name": "Size",
                "value": "0x00000440"
              },
              {
                "name": "Buffer",
                "value": "\\xa6\\x0b\\x00\\x00\\xa6\\x0b\\x00\\x00\\x01`\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x80\\x00\\x08\\x02\\x00\\x00\\x00\\x00\\x10G\\x00\\xf9\\x1e\\x02\\x00\\x00D\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00x\\x00z\\x00\\x00\\x00\\x00\\x008=\\x00\\xf9\\x1e\\x02\\x00\\x00F\\x04H\\x04\\x00\\x00\\x00\\x00\\xb2=\\x00\\xf9\\x1e\\x02\\x00\\x00\\xf0'\\x00\\xf9\\x1e\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x81\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00x\\x00z\\x00\\x00\\x00\\x00\\x00\\xfaA\\x00\\xf9\\x1e\\x02\\x00\\x00\\x1e\\x00 \\x00\\x00\\x00\\x00\\x00tB\\x00\\xf9\\x1e\\x02\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x94B\\x00\\xf9\\x1e\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 19359
          },
          {
            "timestamp": "2026-05-28 22:02:02,631",
            "thread_id": "5448",
            "caller": "0x7ff6c28c545d",
            "parentcaller": "0x7ff6c28c3945",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000aa4"
              },
              {
                "name": "BaseAddress",
                "value": "0x21ef9003db2"
              },
              {
                "name": "Size",
                "value": "0x00000446"
              },
              {
                "name": "Buffer",
                "value": "\"\\x00C\\x00:\\x00\\\\x00P\\x00r\\x00o\\x00g\\x00r\\x00a\\x00m\\x00 \\x00F\\x00i\\x00l\\x00e\\x00s\\x00 \\x00(\\x00x\\x008\\x006\\x00)\\x00\\\\x00M\\x00i\\x00c\\x00r\\x00o\\x00s\\x00o\\x00f\\x00t\\x00\\\\x00E\\x00d\\x00g\\x00e\\x00\\\\x00A\\x00p\\x00p\\x00l\\x00i\\x00c\\x00a\\x00t\\x00i\\x00o\\x00n\\x00\\\\x00m\\x00s\\x00e\\x00d\\x00g\\x00e\\x00.\\x00e\\x00x\\x00e\\x00\"\\x00 \\x00-\\x00-\\x00t\\x00y\\x00p\\x00e\\x00=\\x00u\\x00t\\x00i\\x00l\\x00i\\x00t\\x00y\\x00 \\x00-\\x00-\\x00u\\x00t\\x00i\\x00l\\x00i\\x00t\\x00y\\x00-\\x00s\\x00u\\x00b\\x00-\\x00t\\x00y\\x00p\\x00e\\x00=\\x00n\\x00e\\x00t\\x00w\\x00o\\x00r\\x00k\\x00.\\x00m\\x00o\\x00j\\x00o\\x00m\\x00.\\x00N\\x00e\\x00t\\x00w\\x00o\\x00r\\x00k\\x00S\\x00e\\x00r\\x00v\\x00i\\x00c\\x00e\\x00 \\x00-\\x00-\\x00"
              }
            ],
            "repeated": 0,
            "id": 19360
          },
          {
            "timestamp": "2026-05-28 22:02:02,631",
            "thread_id": "5448",
            "caller": "0x7ff6c28c39ad",
            "parentcaller": "0x7ff6c28c31bb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000aa4"
              }
            ],
            "repeated": 0,
            "id": 19361
          },
          {
            "timestamp": "2026-05-28 22:02:02,631",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c3746",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000aa4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001000",
                "pretty_value": "PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "9660"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe"
              }
            ],
            "repeated": 0,
            "id": 19362
          },
          {
            "timestamp": "2026-05-28 22:02:02,631",
            "thread_id": "5448",
            "caller": "0x7ff6c28c472e",
            "parentcaller": "0x7ff6c28c375e",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000aa4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x00000aa0"
              }
            ],
            "repeated": 0,
            "id": 19363
          },
          {
            "timestamp": "2026-05-28 22:02:02,631",
            "thread_id": "5448",
            "caller": "0x7ff6c28c4764",
            "parentcaller": "0x7ff6c28c375e",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "39"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 19364
          },
          {
            "timestamp": "2026-05-28 22:02:02,631",
            "thread_id": "5448",
            "caller": "0x7ff6c28c47ed",
            "parentcaller": "0x7ff6c28c375e",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "39"
              },
              {
                "name": "TokenInformation",
                "value": "\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x000\\xc0\\xe3T\\x92\\x02\\x00\\x00 \\x00 \\x00\\x00\\x00\\x00\\x00X\\xc0\\xe3T\\x92\\x02\\x00\\x00\\x02\\x00\\x00\\x00A\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00x\\xc0\\xe3T\\x92\\x02\\x00\\x00T\\x00S\\x00A\\x00:\\x00/\\x00/\\x00P\\x00r\\x00o\\x00c\\x00U\\x00n\\x00i\\x00q\\x00u\\x00e\\x00\\x97\\x00\\x00\\x00\\x00\\x00\\x00\\x00XT\n\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 19365
          },
          {
            "timestamp": "2026-05-28 22:02:02,631",
            "thread_id": "5448",
            "caller": "0x7ff6c28c488d",
            "parentcaller": "0x7ff6c28c375e",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000aa0"
              }
            ],
            "repeated": 0,
            "id": 19366
          },
          {
            "timestamp": "2026-05-28 22:02:02,631",
            "thread_id": "5448",
            "caller": "0x7ff6c28c3779",
            "parentcaller": "0x7ff6c28c31c6",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000aa4"
              }
            ],
            "repeated": 0,
            "id": 19367
          },
          {
            "timestamp": "2026-05-28 22:02:02,631",
            "thread_id": "1276",
            "caller": "0x7ff6c28d9214",
            "parentcaller": "0x00000000",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "0",
                "pretty_value": "ThreadBasicInformation"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x03\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xd0\\x87\\x9d\\xf0\\x00\\x00\\x00\\xe8\\x1e\\x00\\x00\\x00\\x00\\x00\\x00\\xfc\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\n\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "1276"
              }
            ],
            "repeated": 0,
            "id": 19368
          },
          {
            "timestamp": "2026-05-28 22:02:02,631",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000000",
                "pretty_value": "HKEY_CLASSES_ROOT"
              },
              {
                "name": "SubKey",
                "value": "CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_CLASSES_ROOT\\CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              }
            ],
            "repeated": 0,
            "id": 19369
          },
          {
            "timestamp": "2026-05-28 22:02:02,631",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "shell32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76730000"
              }
            ],
            "repeated": 0,
            "id": 19370
          },
          {
            "timestamp": "2026-05-28 22:02:02,631",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x7ffc76730000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "shell32.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 19371
          },
          {
            "timestamp": "2026-05-28 22:02:02,631",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "SHELL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc76730000"
              },
              {
                "name": "FunctionName",
                "value": "DllGetClassObject"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc767878f0"
              }
            ],
            "repeated": 0,
            "id": 19372
          },
          {
            "timestamp": "2026-05-28 22:02:02,631",
            "thread_id": "1276",
            "caller": "0x7ff6c28c27c9",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "synchronization",
            "api": "NtFindAtom",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "AtomName",
                "value": "{57086C23-86C6-478F-AFB2-236188C8F47F} 3"
              },
              {
                "name": "Atom",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 19373
          },
          {
            "timestamp": "2026-05-28 22:02:02,631",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000000",
                "pretty_value": "HKEY_CLASSES_ROOT"
              },
              {
                "name": "SubKey",
                "value": "CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_CLASSES_ROOT\\CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              }
            ],
            "repeated": 0,
            "id": 19374
          },
          {
            "timestamp": "2026-05-28 22:02:02,631",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "shell32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76730000"
              }
            ],
            "repeated": 0,
            "id": 19375
          },
          {
            "timestamp": "2026-05-28 22:02:02,631",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x7ffc76730000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "shell32.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 19376
          },
          {
            "timestamp": "2026-05-28 22:02:02,631",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "SHELL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc76730000"
              },
              {
                "name": "FunctionName",
                "value": "DllGetClassObject"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc767878f0"
              }
            ],
            "repeated": 0,
            "id": 19377
          },
          {
            "timestamp": "2026-05-28 22:02:02,631",
            "thread_id": "1276",
            "caller": "0x7ff6c28c27c9",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "synchronization",
            "api": "NtFindAtom",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "AtomName",
                "value": "{57086C23-86C6-478F-AFB2-236188C8F47F} 3"
              },
              {
                "name": "Atom",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 19378
          },
          {
            "timestamp": "2026-05-28 22:02:02,631",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6fb1",
            "parentcaller": "0x7ff6c28e0076",
            "category": "system",
            "api": "NtDelayExecution",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 19379
          },
          {
            "timestamp": "2026-05-28 22:02:02,631",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000000",
                "pretty_value": "HKEY_CLASSES_ROOT"
              },
              {
                "name": "SubKey",
                "value": "CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_CLASSES_ROOT\\CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              }
            ],
            "repeated": 0,
            "id": 19380
          },
          {
            "timestamp": "2026-05-28 22:02:02,631",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "shell32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76730000"
              }
            ],
            "repeated": 0,
            "id": 19381
          },
          {
            "timestamp": "2026-05-28 22:02:02,631",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x7ffc76730000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "shell32.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 19382
          },
          {
            "timestamp": "2026-05-28 22:02:02,631",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "SHELL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc76730000"
              },
              {
                "name": "FunctionName",
                "value": "DllGetClassObject"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc767878f0"
              }
            ],
            "repeated": 0,
            "id": 19383
          },
          {
            "timestamp": "2026-05-28 22:02:02,631",
            "thread_id": "1276",
            "caller": "0x7ff6c28c27c9",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "synchronization",
            "api": "NtFindAtom",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "AtomName",
                "value": "{57086C23-86C6-478F-AFB2-236188C8F47F} 3"
              },
              {
                "name": "Atom",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 19384
          },
          {
            "timestamp": "2026-05-28 22:02:02,631",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000000",
                "pretty_value": "HKEY_CLASSES_ROOT"
              },
              {
                "name": "SubKey",
                "value": "CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_CLASSES_ROOT\\CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              }
            ],
            "repeated": 0,
            "id": 19385
          },
          {
            "timestamp": "2026-05-28 22:02:02,631",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "shell32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76730000"
              }
            ],
            "repeated": 0,
            "id": 19386
          },
          {
            "timestamp": "2026-05-28 22:02:02,631",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x7ffc76730000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "shell32.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 19387
          },
          {
            "timestamp": "2026-05-28 22:02:02,631",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "SHELL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc76730000"
              },
              {
                "name": "FunctionName",
                "value": "DllGetClassObject"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc767878f0"
              }
            ],
            "repeated": 0,
            "id": 19388
          },
          {
            "timestamp": "2026-05-28 22:02:02,631",
            "thread_id": "1276",
            "caller": "0x7ff6c28c27c9",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "synchronization",
            "api": "NtFindAtom",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "AtomName",
                "value": "{57086C23-86C6-478F-AFB2-236188C8F47F} 3"
              },
              {
                "name": "Atom",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 19389
          },
          {
            "timestamp": "2026-05-28 22:02:02,631",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000000",
                "pretty_value": "HKEY_CLASSES_ROOT"
              },
              {
                "name": "SubKey",
                "value": "CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_CLASSES_ROOT\\CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              }
            ],
            "repeated": 0,
            "id": 19390
          },
          {
            "timestamp": "2026-05-28 22:02:02,631",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "shell32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76730000"
              }
            ],
            "repeated": 0,
            "id": 19391
          },
          {
            "timestamp": "2026-05-28 22:02:02,631",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x7ffc76730000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "shell32.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 19392
          },
          {
            "timestamp": "2026-05-28 22:02:02,631",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "SHELL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc76730000"
              },
              {
                "name": "FunctionName",
                "value": "DllGetClassObject"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc767878f0"
              }
            ],
            "repeated": 0,
            "id": 19393
          },
          {
            "timestamp": "2026-05-28 22:02:02,631",
            "thread_id": "1276",
            "caller": "0x7ff6c28c27c9",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "synchronization",
            "api": "NtFindAtom",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "AtomName",
                "value": "{57086C23-86C6-478F-AFB2-236188C8F47F} 3"
              },
              {
                "name": "Atom",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 19394
          },
          {
            "timestamp": "2026-05-28 22:02:02,631",
            "thread_id": "1276",
            "caller": "0x7ff6c28d9322",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "oleaut32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc77330000"
              }
            ],
            "repeated": 0,
            "id": 19395
          },
          {
            "timestamp": "2026-05-28 22:02:02,631",
            "thread_id": "5448",
            "caller": "0x7ff6c28bb952",
            "parentcaller": "0x7ff6c28be837",
            "category": "windows",
            "api": "PostMessageW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "WindowHandle",
                "value": "0x00010402"
              },
              {
                "name": "Message",
                "value": "0x00000464"
              }
            ],
            "repeated": 0,
            "id": 19396
          },
          {
            "timestamp": "2026-05-28 22:02:02,631",
            "thread_id": "608",
            "caller": "0x7ff6c28d9e90",
            "parentcaller": "0x7ff6c28d9a49",
            "category": "windows",
            "api": "FindWindowW",
            "status": true,
            "return": "0x00010092",
            "arguments": [
              {
                "name": "ClassName",
                "value": "Shell_TrayWnd"
              },
              {
                "name": "WindowName",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 19397
          },
          {
            "timestamp": "2026-05-28 22:02:02,646",
            "thread_id": "1276",
            "caller": "0x7ffc77bf0e98",
            "parentcaller": "0x7ffc77c6b785",
            "category": "windows",
            "api": "PostMessageW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "WindowHandle",
                "value": "0x00010438"
              },
              {
                "name": "Message",
                "value": "0x00000400"
              }
            ],
            "repeated": 0,
            "id": 19398
          },
          {
            "timestamp": "2026-05-28 22:02:02,709",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6f98",
            "parentcaller": "0x7ff6c28e0076",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00001016"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 19399
          },
          {
            "timestamp": "2026-05-28 22:02:02,709",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6f98",
            "parentcaller": "0x7ff6c28e0076",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00001018"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 19400
          },
          {
            "timestamp": "2026-05-28 22:02:02,709",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6fb1",
            "parentcaller": "0x7ff6c28e0076",
            "category": "system",
            "api": "NtDelayExecution",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 19401
          },
          {
            "timestamp": "2026-05-28 22:02:02,709",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6fb1",
            "parentcaller": "0x7ff6c28e0076",
            "category": "synchronization",
            "api": "NtOpenEvent",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "Handle",
                "value": "0xf09d76f620"
              },
              {
                "name": "EventName",
                "value": "Local\\1ImmersiveFocusTrackingActiveEvent"
              }
            ],
            "repeated": 0,
            "id": 19402
          },
          {
            "timestamp": "2026-05-28 22:02:02,709",
            "thread_id": "1496",
            "caller": "0x7ff6c2958576",
            "parentcaller": "0x7ff6c2957a42",
            "category": "misc",
            "api": "NtQuerySystemInformation",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SystemInformationClass",
                "value": "3",
                "pretty_value": "FILE_OPEN_IF"
              }
            ],
            "repeated": 0,
            "id": 19403
          },
          {
            "timestamp": "2026-05-28 22:02:02,725",
            "thread_id": "1496",
            "caller": "0x7ff6c28da9db",
            "parentcaller": "0x7ff6c28d6fb1",
            "category": "misc",
            "api": "GetCursorPos",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "x",
                "value": "599"
              },
              {
                "name": "y",
                "value": "433"
              }
            ],
            "repeated": 0,
            "id": 19404
          },
          {
            "timestamp": "2026-05-28 22:02:02,725",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6f98",
            "parentcaller": "0x7ff6c28e0076",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00001016"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 19405
          },
          {
            "timestamp": "2026-05-28 22:02:02,725",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6f98",
            "parentcaller": "0x7ff6c28e0076",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00001018"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 19406
          },
          {
            "timestamp": "2026-05-28 22:02:02,725",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6fb1",
            "parentcaller": "0x7ff6c28e0076",
            "category": "system",
            "api": "NtDelayExecution",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 19407
          },
          {
            "timestamp": "2026-05-28 22:02:02,740",
            "thread_id": "1496",
            "caller": "0x7ff6c28da9db",
            "parentcaller": "0x7ff6c28d6fb1",
            "category": "misc",
            "api": "GetCursorPos",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "x",
                "value": "599"
              },
              {
                "name": "y",
                "value": "433"
              }
            ],
            "repeated": 0,
            "id": 19408
          },
          {
            "timestamp": "2026-05-28 22:02:02,740",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6f98",
            "parentcaller": "0x7ff6c28e0076",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00001016"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 19409
          },
          {
            "timestamp": "2026-05-28 22:02:02,740",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6f98",
            "parentcaller": "0x7ff6c28e0076",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00001018"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 19410
          },
          {
            "timestamp": "2026-05-28 22:02:02,740",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6fb1",
            "parentcaller": "0x7ff6c28e0076",
            "category": "system",
            "api": "NtDelayExecution",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 19411
          },
          {
            "timestamp": "2026-05-28 22:02:02,771",
            "thread_id": "1496",
            "caller": "0x7ff6c28da9db",
            "parentcaller": "0x7ff6c28d6fb1",
            "category": "misc",
            "api": "GetCursorPos",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "x",
                "value": "599"
              },
              {
                "name": "y",
                "value": "433"
              }
            ],
            "repeated": 0,
            "id": 19412
          },
          {
            "timestamp": "2026-05-28 22:02:02,771",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6f98",
            "parentcaller": "0x7ff6c28e0076",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00001016"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 19413
          },
          {
            "timestamp": "2026-05-28 22:02:02,771",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6f98",
            "parentcaller": "0x7ff6c28e0076",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00001018"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 19414
          },
          {
            "timestamp": "2026-05-28 22:02:02,771",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6fb1",
            "parentcaller": "0x7ff6c28e0076",
            "category": "system",
            "api": "NtDelayExecution",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 19415
          },
          {
            "timestamp": "2026-05-28 22:02:02,881",
            "thread_id": "1496",
            "caller": "0x7ff6c28da9db",
            "parentcaller": "0x7ff6c28d6fb1",
            "category": "misc",
            "api": "GetCursorPos",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "x",
                "value": "599"
              },
              {
                "name": "y",
                "value": "433"
              }
            ],
            "repeated": 0,
            "id": 19416
          },
          {
            "timestamp": "2026-05-28 22:02:02,881",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6fb1",
            "parentcaller": "0x7ff6c28e0076",
            "category": "system",
            "api": "NtDelayExecution",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 19417
          },
          {
            "timestamp": "2026-05-28 22:02:03,365",
            "thread_id": "5448",
            "caller": "0x7ff6c28bd9af",
            "parentcaller": "0x7ff6c28d9f92",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "23"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x90\\x96\\xf2U\\x00\\x00\\x00\\x00\\x04\\x1f\\xb2!D\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "5448"
              }
            ],
            "repeated": 0,
            "id": 19418
          },
          {
            "timestamp": "2026-05-28 22:02:03,381",
            "thread_id": "5448",
            "caller": "0x7ff6c28c63dd",
            "parentcaller": "0x7ff6c28bac26",
            "category": "misc",
            "api": "NtQuerySystemInformation",
            "status": false,
            "return": "0xffffffffc0000004",
            "pretty_return": "INFO_LENGTH_MISMATCH",
            "arguments": [
              {
                "name": "SystemInformationClass",
                "value": "5",
                "pretty_value": "FILE_OVERWRITE_IF"
              }
            ],
            "repeated": 0,
            "id": 19419
          },
          {
            "timestamp": "2026-05-28 22:02:03,381",
            "thread_id": "5448",
            "caller": "0x7ff6c28c63dd",
            "parentcaller": "0x7ff6c28bac26",
            "category": "misc",
            "api": "NtQuerySystemInformation",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SystemInformationClass",
                "value": "5",
                "pretty_value": "FILE_OVERWRITE_IF"
              }
            ],
            "repeated": 0,
            "id": 19420
          },
          {
            "timestamp": "2026-05-28 22:02:03,381",
            "thread_id": "5448",
            "caller": "0x7ff6c28bda50",
            "parentcaller": "0x7ff6c28d9f92",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "23"
              },
              {
                "name": "ThreadInformation",
                "value": "~\\xd8\\x9cV\\x00\\x00\\x00\\x004\\x8dj\"D\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "5448"
              }
            ],
            "repeated": 0,
            "id": 19421
          },
          {
            "timestamp": "2026-05-28 22:02:03,381",
            "thread_id": "5448",
            "caller": "0x7ff6c28bdaa2",
            "parentcaller": "0x7ff6c28d9f92",
            "category": "misc",
            "api": "NtQuerySystemInformation",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SystemInformationClass",
                "value": "3",
                "pretty_value": "FILE_OPEN_IF"
              }
            ],
            "repeated": 0,
            "id": 19422
          },
          {
            "timestamp": "2026-05-28 22:02:03,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28c4a58",
            "parentcaller": "0x7ff6c28bab11",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000410"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\PcwDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00224013"
              },
              {
                "name": "InputBuffer",
                "value": "\\x88\\x08\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": "x\\x02\\x00\\x00\\x10\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00h\\x02\\x00\\x00 \\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01<\\x06\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x90\\x00\\x00\\x00\\x00\\x00\\x00\\x00 \\x00\\x00\\x00\\x07\\x00\\x00\\x000\\x00,\\x000\\x00\\x00\\x00a\\x00n\\x00a\\x00g\\x00\\x10\\x00\\x00\\x00\\x10\\x00\\x04\\x00\\x00\\x00\\x00\\x00A\\x00p\\x00\\x10\\x00\\x00\\x00\\x1a\\x00\\x08\\x00\\xe4m5\\x85\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x1b\\x00\\x04\\x00\\xc2\\xf1\\xc0\\x02S\\x00e\\x00\\x10\\x00\\x00\\x00\\x1c\\x00\\x08\\x00\\x8b\\xc2\\xc4\\x08\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x1d\\x00\\x04\\x00\\xc2\\xf1\\xc0\\x02)\\x00\\x00\\x00\\x10\\x00\\x00\\x00!\\x00\\x08\\x00\\xd6\\xae\\x12.\\x13\\x00\\x00\\x00\\x10\\x00\\x00\\x00\"\\x00\\x04\\x00\\xa9\\x03U\\x01o\\x00f\\x00\\x90\\x00\\x00\\x00\\x01\\x00\\x00\\x00 \\x00\\x00\\x00\\x07\\x00\\x00\\x000\\x00,\\x001\\x00\\x00\\x00n\\x00t\\x00\\x00\\x00A\\x00\\x10\\x00\\x00\\x00\\x10\\x00\\x04\\x00\\x00\\x00\\x00\\x00e\\x00n\\x00\\x10\\x00\\x00\\x00\\x1a\\x00\\x08\\x00\\x08\\xa0\\x85\\x84\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 19423
          },
          {
            "timestamp": "2026-05-28 22:02:03,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28c7164",
            "parentcaller": "0x7ff6c28c4d2d",
            "category": "misc",
            "api": "NtQuerySystemInformation",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "SystemInformationClass",
                "value": "79"
              }
            ],
            "repeated": 0,
            "id": 19424
          },
          {
            "timestamp": "2026-05-28 22:02:03,381",
            "thread_id": "5448",
            "caller": "0x7ff6c28c4a58",
            "parentcaller": "0x7ff6c28c4bdc",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000410"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\PcwDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00224013"
              },
              {
                "name": "InputBuffer",
                "value": "\\x14\\x04\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": "\\xb8\\x01\\x00\\x00\\x10\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xa8\\x01\\x00\\x00 \\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x000\\x00\\x00\\x0c\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00`\\x00\\x00\\x00\\x00\\x00\\x00\\x00 \\x00\\x00\\x00\\x04\\x00\\x00\\x000\\x00,\\x000\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x04\\x00\\x08\\x00\\xd2Ik\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x05\\x00\\x08\\x00\\xaey^\\x01\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x1a\\x00\\x08\\x000\\xba5\\x85\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x1b\\x00\\x04\\x00\\x85\\xf2\\xc0\\x02\\x00\\x00\\x00\\x00`\\x00\\x00\\x00\\x01\\x00\\x00\\x00 \\x00\\x00\\x00\\x04\\x00\\x00\\x000\\x00,\\x001\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x04\\x00\\x08\\x00v\\xddA\\x01\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x05\\x00\\x08\\x00\\xc2\\xeb\\x0b\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x1a\\x00\\x08\\x00\\xb1\\xeb\\x85\\x84\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x1b\\x00\\x04\\x00\\x8a\\xf2\\xc0\\x02\\x00\\x00\\x00\\x00h\\x00\\x00\\x00\\x02\\x00\\x00\\x00(\\x00\\x00\\x00\\x04\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 19425
          },
          {
            "timestamp": "2026-05-28 22:02:03,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28c71d8",
            "parentcaller": "0x7ff6c28c4d2d",
            "category": "misc",
            "api": "NtQuerySystemInformation",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SystemInformationClass",
                "value": "79"
              }
            ],
            "repeated": 0,
            "id": 19426
          },
          {
            "timestamp": "2026-05-28 22:02:03,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28c4d5f",
            "parentcaller": "0x7ff6c28d9152",
            "category": "misc",
            "api": "NtQuerySystemInformation",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SystemInformationClass",
                "value": "182"
              }
            ],
            "repeated": 0,
            "id": 19427
          },
          {
            "timestamp": "2026-05-28 22:02:03,381",
            "thread_id": "5448",
            "caller": "0x7ff6c28c4a58",
            "parentcaller": "0x7ff6c28c4c19",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000410"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\PcwDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00224013"
              },
              {
                "name": "InputBuffer",
                "value": "\\x18\\x04\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": "x\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00h\\x00\\x00\\x00 \\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00H\\x00\\x00\\x00\\x00\\x00\\x00\\x00(\\x00\\x00\\x00\\x02\\x00\\x00\\x00d\\x00e\\x00f\\x00a\\x00u\\x00l\\x00t\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x08\\x00\\x1b\\xde\\xf8\\x9e\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x01\\x00\\x08\\x00\\x00 \\x7f\n\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 19428
          },
          {
            "timestamp": "2026-05-28 22:02:03,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28c4d76",
            "parentcaller": "0x7ff6c28d9152",
            "category": "misc",
            "api": "GetPhysicallyInstalledSystemMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TotalMemoryInKilobytes",
                "value": "8388608"
              }
            ],
            "repeated": 0,
            "id": 19429
          },
          {
            "timestamp": "2026-05-28 22:02:03,381",
            "thread_id": "5448",
            "caller": "0x7ff6c28c6f7b",
            "parentcaller": "0x7ff6c28bdb94",
            "category": "misc",
            "api": "GlobalMemoryStatusEx",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "MemoryLoad",
                "value": "35"
              },
              {
                "name": "TotalPhysicalMB",
                "value": "8191"
              }
            ],
            "repeated": 0,
            "id": 19430
          },
          {
            "timestamp": "2026-05-28 22:02:03,381",
            "thread_id": "5448",
            "caller": "0x7ff6c28c05ac",
            "parentcaller": "0x7ff6c28bdc11",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000aa8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001400",
                "pretty_value": "PROCESS_QUERY_INFORMATION|PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "748"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe"
              }
            ],
            "repeated": 0,
            "id": 19431
          },
          {
            "timestamp": "2026-05-28 22:02:03,381",
            "thread_id": "5448",
            "caller": "0x7ff6c28c068f",
            "parentcaller": "0x7ff6c28bdc11",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000aa8"
              }
            ],
            "repeated": 0,
            "id": 19432
          },
          {
            "timestamp": "2026-05-28 22:02:03,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28bcc3e",
            "parentcaller": "0x7ff6c28baa3d",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000008a4"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\Nsi"
              },
              {
                "name": "IoControlCode",
                "value": "0x00120007"
              },
              {
                "name": "InputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb1\\xa9t\\xfc\\x7f\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xc0\\xe5O\\x9e\\xf0\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb1\\xa9t\\xfc\\x7f\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xc0\\xe5O\\x9e\\xf0\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 19433
          },
          {
            "timestamp": "2026-05-28 22:02:03,381",
            "thread_id": "5448",
            "caller": "0x7ff6c28c6de3",
            "parentcaller": "0x7ff6c28c087c",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000aa8"
              }
            ],
            "repeated": 0,
            "id": 19434
          },
          {
            "timestamp": "2026-05-28 22:02:03,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28bcc3e",
            "parentcaller": "0x7ff6c28baa3d",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000aa4"
              }
            ],
            "repeated": 0,
            "id": 19435
          },
          {
            "timestamp": "2026-05-28 22:02:03,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28bcc3e",
            "parentcaller": "0x7ff6c28baa3d",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000008a4"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\Nsi"
              },
              {
                "name": "IoControlCode",
                "value": "0x0012000f"
              },
              {
                "name": "InputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb1\\xa9t\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xd0\\xe5O\\x9e\\xf0\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\xeeO\\x9e\\xf0\\x00\\x00\\x00D\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xe6O\\x9e\\xf0\\x00\\x00\\x00\\xd8\\x00\\x00\\x00\\x00\\x00\\x00\\x00 \\xe9O\\x9e\\xf0\\x00\\x00\\x00X\\x02\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb1\\xa9t\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xd0\\xe5O\\x9e\\xf0\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\xeeO\\x9e\\xf0\\x00\\x00\\x00D\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xe6O\\x9e\\xf0\\x00\\x00\\x00\\xd8\\x00\\x00\\x00\\x00\\x00\\x00\\x00 \\xe9O\\x9e\\xf0\\x00\\x00\\x00X\\x02\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 19436
          },
          {
            "timestamp": "2026-05-28 22:02:03,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28bcc3e",
            "parentcaller": "0x7ff6c28baa3d",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000aa4"
              }
            ],
            "repeated": 0,
            "id": 19437
          },
          {
            "timestamp": "2026-05-28 22:02:03,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28bcd3d",
            "parentcaller": "0x7ff6c28baa3d",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000aa4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0012019f",
                "pretty_value": "FILE_GENERIC_READ|FILE_GENERIC_WRITE"
              },
              {
                "name": "FileName",
                "value": "\\Device\\{4C572733-2FBA-4346-9601-F86DBA666EF2}"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 19438
          },
          {
            "timestamp": "2026-05-28 22:02:03,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28bcd94",
            "parentcaller": "0x7ff6c28baa3d",
            "category": "device",
            "api": "DeviceIoControl",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "DeviceHandle",
                "value": "0x00000aa4"
              },
              {
                "name": "IoControlCode",
                "value": "0x0017003e"
              },
              {
                "name": "InBuffer",
                "value": "\\x07\\x01\\x01\\x00\\x04\\x01\\x01\\x80\\x14\\x01\\x01\\x80\\x01\\x01\\x02\\x00\\x02\\x01\\x02\\x00\\x03\\x01\\x02\\x00\\x04\\x01\\x02\\x00\\x08\\x02\\x02\\x80\\x01\\x02\\x02\\x80\\x07\\x02\\x02\\x80\\xff\\xff\\xff\\x80\\x13\\x02\\x02\\x80\\x14\\x02\\x02\\x80\\x15\\x02\\x02\\x80\\x02\\x02\\x01\\x80"
              },
              {
                "name": "OutBuffer",
                "value": "\\x07\\x01\\x01\\x00\\x04\\x00\\x00\\x00\\x80\\x96\\x98\\x00\\x04\\x01\\x01\\x80\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x14\\x01\\x01\\x80\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x01\\x02\\x00\\x08\\x00\\x00\\x00\\xc5\r\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x01\\x02\\x00\\x08\\x00\\x00\\x00\\xfbB\\x00\\x00\\x00\\x00\\x00\\x00\\x03\\x01\\x02\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x04\\x01\\x02\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x08\\x02\\x02\\x80\\x08\\x00\\x00\\x00\\xf6B\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x02\\x02\\x80\\x08\\x00\\x00\\x00\\xf0x>\\x00\\x00\\x00\\x00\\x00\\x07\\x02\\x02\\x80\\x08\\x00\\x00\\x00\\x19\\x8dE\\x01\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\x80\\x04\\x00\\x00\\x00E\\x00\\x00\\x00\\x13\\x02\\x02\\x80\\x04\\x00\\x00\\x00m\\x00\\x00\\x00\\x14\\x02\\x02\\x80\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x15\\x02\\x02\\x80\\x04\\x00\\x00\\x00\\x00\\x00\\x04\\x00\\x02\\x02\\x01\\x80\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 19439
          },
          {
            "timestamp": "2026-05-28 22:02:03,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28bcdab",
            "parentcaller": "0x7ff6c28baa3d",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000aa4"
              }
            ],
            "repeated": 0,
            "id": 19440
          },
          {
            "timestamp": "2026-05-28 22:02:03,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28c1a63",
            "parentcaller": "0x7ff6c28d9152",
            "category": "device",
            "api": "DeviceIoControl",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "DeviceHandle",
                "value": "0x0000089c"
              },
              {
                "name": "IoControlCode",
                "value": "0x00070020"
              },
              {
                "name": "InBuffer",
                "value": ""
              },
              {
                "name": "OutBuffer",
                "value": "\\x00\\x14\\x13t\\x00\\x00\\x00\\x00\\x00\\x1a\\xa1\\x08\\x00\\x00\\x00\\x00kU\\xc4\\x1e\\x00\\x00\\x00\\x00\\x15\\xbd6\\x11\\x00\\x00\\x00\\x00\\x1bXQ\\x1b\\x00\\x00\\x00\\x00Vj\\x00\\x00\\xa5\r\\x00\\x00\\x00\\x00\\x00\\x002\\x04\\x00\\x00\\xe9\\xe2\\xa4\\x9d\\xed\\xee\\xdc\\x01\\x00\\x00\\x00\\x00P\\x00a\\x00r\\x00t\\x00m\\x00g\\x00r\\x00 \\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 19441
          },
          {
            "timestamp": "2026-05-28 22:02:03,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28ca352",
            "parentcaller": "0x7ff6c28ca1d6",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 19442
          },
          {
            "timestamp": "2026-05-28 22:02:03,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28ca352",
            "parentcaller": "0x7ff6c28ca1d6",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "0",
                "pretty_value": "ThreadBasicInformation"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x03\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb0\\x88\\x9d\\xf0\\x00\\x00\\x00\\xe8\\x1e\\x00\\x00\\x00\\x00\\x00\\x00\\x9c!\\x00\\x00\\x00\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x0b\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "8604"
              }
            ],
            "repeated": 0,
            "id": 19443
          },
          {
            "timestamp": "2026-05-28 22:02:03,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28ca352",
            "parentcaller": "0x7ff6c28ca1d6",
            "category": "system",
            "api": "GetSystemTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 1,
            "id": 19444
          },
          {
            "timestamp": "2026-05-28 22:02:03,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28ca352",
            "parentcaller": "0x7ff6c28ca1d6",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000410"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\PcwDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00224013"
              },
              {
                "name": "InputBuffer",
                "value": "\\x00\t\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 19445
          },
          {
            "timestamp": "2026-05-28 22:02:03,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28ca352",
            "parentcaller": "0x7ff6c28ca1d6",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000410"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\PcwDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00224013"
              },
              {
                "name": "InputBuffer",
                "value": "\\x00\t\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": "\\xe0G\\x00\\x00\\x10\\x00\\x00\\x00\\x0c\\x00\\x00\\x00\\x00\\x00\\x00\\x00`\\x14\\x00\\x00 \\x00\\x00\\x00!\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\n\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x98\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x88\\x00\\x00\\x00\\x01\\x00\\x00\\x00p\\x00i\\x00d\\x00_\\x004\\x00_\\x00l\\x00u\\x00i\\x00d\\x00_\\x000\\x00x\\x000\\x000\\x000\\x000\\x000\\x000\\x000\\x000\\x00_\\x000\\x00x\\x000\\x000\\x000\\x000\\x006\\x001\\x006\\x00A\\x00_\\x00p\\x00h\\x00y\\x00s\\x00_\\x000\\x00_\\x00e\\x00n\\x00g\\x00_\\x000\\x00_\\x00e\\x00n\\x00g\\x00t\\x00y\\x00p\\x00e\\x00_\\x003\\x00D\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x01\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x98\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x88\\x00\\x00\\x00\\x01\\x00\\x00\\x00p\\x00i\\x00d\\x00_\\x004\\x00_\\x00l\\x00u\\x00i\\x00d\\x00_\\x000\\x00x\\x000\\x000\\x000\\x000\\x000\\x000\\x000\\x00"
              }
            ],
            "repeated": 0,
            "id": 19446
          },
          {
            "timestamp": "2026-05-28 22:02:03,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28ca352",
            "parentcaller": "0x7ff6c28ca1d6",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2925432b000"
              },
              {
                "name": "RegionSize",
                "value": "0x00003000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 19447
          },
          {
            "timestamp": "2026-05-28 22:02:03,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28ca352",
            "parentcaller": "0x7ff6c28ca1d6",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "0",
                "pretty_value": "ThreadBasicInformation"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x03\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb0\\x88\\x9d\\xf0\\x00\\x00\\x00\\xe8\\x1e\\x00\\x00\\x00\\x00\\x00\\x00\\x9c!\\x00\\x00\\x00\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x0b\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "8604"
              }
            ],
            "repeated": 0,
            "id": 19448
          },
          {
            "timestamp": "2026-05-28 22:02:03,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28ca352",
            "parentcaller": "0x7ff6c28ca1d6",
            "category": "system",
            "api": "GetSystemTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 1,
            "id": 19449
          },
          {
            "timestamp": "2026-05-28 22:02:03,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28ca352",
            "parentcaller": "0x7ff6c28ca1d6",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000410"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\PcwDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00224013"
              },
              {
                "name": "InputBuffer",
                "value": "\\x00\t\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": "\\xe0G\\x00\\x00\\x10\\x00\\x00\\x00\\x0c\\x00\\x00\\x00\\x00\\x00\\x00\\x00`\\x14\\x00\\x00 \\x00\\x00\\x00!\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\n\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x98\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x88\\x00\\x00\\x00\\x01\\x00\\x00\\x00p\\x00i\\x00d\\x00_\\x004\\x00_\\x00l\\x00u\\x00i\\x00d\\x00_\\x000\\x00x\\x000\\x000\\x000\\x000\\x000\\x000\\x000\\x000\\x00_\\x000\\x00x\\x000\\x000\\x000\\x000\\x006\\x001\\x006\\x00A\\x00_\\x00p\\x00h\\x00y\\x00s\\x00_\\x000\\x00_\\x00e\\x00n\\x00g\\x00_\\x000\\x00_\\x00e\\x00n\\x00g\\x00t\\x00y\\x00p\\x00e\\x00_\\x003\\x00D\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x01\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x98\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x88\\x00\\x00\\x00\\x01\\x00\\x00\\x00p\\x00i\\x00d\\x00_\\x004\\x00_\\x00l\\x00u\\x00i\\x00d\\x00_\\x000\\x00x\\x000\\x000\\x000\\x000\\x000\\x000\\x000\\x00"
              }
            ],
            "repeated": 0,
            "id": 19450
          },
          {
            "timestamp": "2026-05-28 22:02:03,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28ca467",
            "parentcaller": "0x7ff6c28ca1d6",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x292542e5000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 19451
          },
          {
            "timestamp": "2026-05-28 22:02:03,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28ca8a4",
            "parentcaller": "0x7ff6c28ca1d6",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254349000"
              },
              {
                "name": "RegionSize",
                "value": "0x00003000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 19452
          },
          {
            "timestamp": "2026-05-28 22:02:03,381",
            "thread_id": "5448",
            "caller": "0x7ff6c28c05ac",
            "parentcaller": "0x7ff6c28bdc11",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000aa8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001400",
                "pretty_value": "PROCESS_QUERY_INFORMATION|PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "9744"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe"
              }
            ],
            "repeated": 0,
            "id": 19453
          },
          {
            "timestamp": "2026-05-28 22:02:03,381",
            "thread_id": "5448",
            "caller": "0x7ff6c28c068f",
            "parentcaller": "0x7ff6c28bdc11",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000aa8"
              }
            ],
            "repeated": 0,
            "id": 19454
          },
          {
            "timestamp": "2026-05-28 22:02:03,381",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c3e56",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000aa8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001000",
                "pretty_value": "PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "9744"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe"
              }
            ],
            "repeated": 0,
            "id": 19455
          },
          {
            "timestamp": "2026-05-28 22:02:03,381",
            "thread_id": "5448",
            "caller": "0x7ff6c28c3ebb",
            "parentcaller": "0x7ff6c28c2d53",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000aa8"
              }
            ],
            "repeated": 0,
            "id": 19456
          },
          {
            "timestamp": "2026-05-28 22:02:03,381",
            "thread_id": "1496",
            "caller": "0x7ff6c2958576",
            "parentcaller": "0x7ff6c2957a42",
            "category": "misc",
            "api": "NtQuerySystemInformation",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SystemInformationClass",
                "value": "3",
                "pretty_value": "FILE_OPEN_IF"
              }
            ],
            "repeated": 0,
            "id": 19457
          },
          {
            "timestamp": "2026-05-28 22:02:03,381",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c3ffc",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000aa8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001000",
                "pretty_value": "PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "9744"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe"
              }
            ],
            "repeated": 0,
            "id": 19458
          },
          {
            "timestamp": "2026-05-28 22:02:03,381",
            "thread_id": "5448",
            "caller": "0x7ff6c28c4224",
            "parentcaller": "0x7ff6c28c2da5",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000aa8"
              }
            ],
            "repeated": 0,
            "id": 19459
          },
          {
            "timestamp": "2026-05-28 22:02:03,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28f9829",
            "parentcaller": "0x7ff6c28d8f00",
            "category": "windows",
            "api": "PostMessageW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "WindowHandle",
                "value": "0x000203fa"
              },
              {
                "name": "Message",
                "value": "0x000004e1"
              }
            ],
            "repeated": 0,
            "id": 19460
          },
          {
            "timestamp": "2026-05-28 22:02:03,381",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x292514a0002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 19461
          },
          {
            "timestamp": "2026-05-28 22:02:03,381",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x292514a0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00505000"
              }
            ],
            "repeated": 0,
            "id": 19462
          },
          {
            "timestamp": "2026-05-28 22:02:03,381",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x292514a0002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 19463
          },
          {
            "timestamp": "2026-05-28 22:02:03,381",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x292514a0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00505000"
              }
            ],
            "repeated": 0,
            "id": 19464
          },
          {
            "timestamp": "2026-05-28 22:02:03,381",
            "thread_id": "5448",
            "caller": "0x7ff6c28c3b16",
            "parentcaller": "0x7ff6c28c30e8",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000aa8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000400",
                "pretty_value": "PROCESS_QUERY_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "9744"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe"
              }
            ],
            "repeated": 0,
            "id": 19465
          },
          {
            "timestamp": "2026-05-28 22:02:03,381",
            "thread_id": "5448",
            "caller": "0x7ff6c28c3b8f",
            "parentcaller": "0x7ff6c28c30e8",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000aa8"
              }
            ],
            "repeated": 0,
            "id": 19466
          },
          {
            "timestamp": "2026-05-28 22:02:03,381",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c38f8",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000aa8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001410",
                "pretty_value": "PROCESS_VM_READ|PROCESS_QUERY_INFORMATION|PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "9744"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe"
              }
            ],
            "repeated": 0,
            "id": 19467
          },
          {
            "timestamp": "2026-05-28 22:02:03,381",
            "thread_id": "5448",
            "caller": "0x7ff6c28c53e5",
            "parentcaller": "0x7ff6c28c3945",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000aa8"
              },
              {
                "name": "BaseAddress",
                "value": "0x3785340000"
              },
              {
                "name": "Size",
                "value": "0x000007c8"
              },
              {
                "name": "Buffer",
                "value": "\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00u4\\xf7\\x7f\\x00\\x00\\xc0\\xc4\\x13x\\xfc\\x7f\\x00\\x00\\xf06\\xa0\\xd0\\xc8\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x8e\\xd0\\xc8\\x01\\x00\\x00\\xe0\\xc0\\x13x\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x05\\x00\\x00\\x00\\x00\\x00\\x00\\x00p\\x003v\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x87\\xd0\\xc8\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00@\\xc4\\x13x\\xfc\\x7f\\x00\\x00\\xff\\x1f\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x9f\\x83\\xf4}\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00P\\x07\\x9f\\x83\\xf4}\\x00\\x00\\x00\\x00\\xb3\\x85\\xf5}\\x00\\x00(\\x02\\xb4\\x85\\xf5}\\x00\\x00P\\x06\\xb5\\x85\\xf5}\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x80\\x9b\\x07m\\xe8\\xff\\xff\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x00 \\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\x05\\x00\\x00\\x00\\x10\\x00\\x00\\x00@\\xad\\x13x\\xfc\\x7f\\x00\\x00\\x00\\x00\\xff\\xd1\\xc8\\x01\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 19468
          },
          {
            "timestamp": "2026-05-28 22:02:03,381",
            "thread_id": "5448",
            "caller": "0x7ff6c28c5414",
            "parentcaller": "0x7ff6c28c3945",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000aa8"
              },
              {
                "name": "BaseAddress",
                "value": "0x1c8d0a036f0"
              },
              {
                "name": "Size",
                "value": "0x00000440"
              },
              {
                "name": "Buffer",
                "value": "\\x14\\x0c\\x00\\x00\\x14\\x0c\\x00\\x00\\x01`\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x80\\x00\\x08\\x02\\x00\\x00\\x00\\x00\\x80G\\xa0\\xd0\\xc8\\x01\\x00\\x00\\x84\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00x\\x00z\\x00\\x00\\x00\\x00\\x008=\\xa0\\xd0\\xc8\\x01\\x00\\x00\\xb4\\x04\\xb6\\x04\\x00\\x00\\x00\\x00\\xb2=\\xa0\\xd0\\xc8\\x01\\x00\\x00\\xf0'\\xa0\\xd0\\xc8\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x80\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00x\\x00z\\x00\\x00\\x00\\x00\\x00hB\\xa0\\xd0\\xc8\\x01\\x00\\x00\\x1e\\x00 \\x00\\x00\\x00\\x00\\x00\\xe2B\\xa0\\xd0\\xc8\\x01\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x02C\\xa0\\xd0\\xc8\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 19469
          },
          {
            "timestamp": "2026-05-28 22:02:03,381",
            "thread_id": "5448",
            "caller": "0x7ff6c28c545d",
            "parentcaller": "0x7ff6c28c3945",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000aa8"
              },
              {
                "name": "BaseAddress",
                "value": "0x1c8d0a03db2"
              },
              {
                "name": "Size",
                "value": "0x000004b4"
              },
              {
                "name": "Buffer",
                "value": "\"\\x00C\\x00:\\x00\\\\x00P\\x00r\\x00o\\x00g\\x00r\\x00a\\x00m\\x00 \\x00F\\x00i\\x00l\\x00e\\x00s\\x00 \\x00(\\x00x\\x008\\x006\\x00)\\x00\\\\x00M\\x00i\\x00c\\x00r\\x00o\\x00s\\x00o\\x00f\\x00t\\x00\\\\x00E\\x00d\\x00g\\x00e\\x00\\\\x00A\\x00p\\x00p\\x00l\\x00i\\x00c\\x00a\\x00t\\x00i\\x00o\\x00n\\x00\\\\x00m\\x00s\\x00e\\x00d\\x00g\\x00e\\x00.\\x00e\\x00x\\x00e\\x00\"\\x00 \\x00-\\x00-\\x00t\\x00y\\x00p\\x00e\\x00=\\x00g\\x00p\\x00u\\x00-\\x00p\\x00r\\x00o\\x00c\\x00e\\x00s\\x00s\\x00 \\x00-\\x00-\\x00g\\x00p\\x00u\\x00-\\x00p\\x00r\\x00e\\x00f\\x00e\\x00r\\x00e\\x00n\\x00c\\x00e\\x00s\\x00=\\x00S\\x00A\\x00A\\x00A\\x00A\\x00A\\x00A\\x00A\\x00A\\x00A\\x00D\\x00g\\x00A\\x00A\\x00A\\x00E\\x00A\\x00A\\x00A\\x00A\\x00A\\x00A\\x00A\\x00A\\x00A\\x00A\\x00A\\x00A\\x00"
              }
            ],
            "repeated": 0,
            "id": 19470
          },
          {
            "timestamp": "2026-05-28 22:02:03,381",
            "thread_id": "5448",
            "caller": "0x7ff6c28c39ad",
            "parentcaller": "0x7ff6c28c31bb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000aa8"
              }
            ],
            "repeated": 0,
            "id": 19471
          },
          {
            "timestamp": "2026-05-28 22:02:03,381",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c3746",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000aa8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001000",
                "pretty_value": "PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "9744"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe"
              }
            ],
            "repeated": 0,
            "id": 19472
          },
          {
            "timestamp": "2026-05-28 22:02:03,381",
            "thread_id": "5448",
            "caller": "0x7ff6c28c472e",
            "parentcaller": "0x7ff6c28c375e",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000aa8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x00000aac"
              }
            ],
            "repeated": 0,
            "id": 19473
          },
          {
            "timestamp": "2026-05-28 22:02:03,381",
            "thread_id": "5448",
            "caller": "0x7ff6c28c4764",
            "parentcaller": "0x7ff6c28c375e",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "39"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 19474
          },
          {
            "timestamp": "2026-05-28 22:02:03,381",
            "thread_id": "5448",
            "caller": "0x7ff6c28c47ed",
            "parentcaller": "0x7ff6c28c375e",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "39"
              },
              {
                "name": "TokenInformation",
                "value": "\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\xd0\\xf0\\xe4T\\x92\\x02\\x00\\x00 \\x00 \\x00\\x00\\x00\\x00\\x00\\xf8\\xf0\\xe4T\\x92\\x02\\x00\\x00\\x02\\x00\\x00\\x00A\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x18\\xf1\\xe4T\\x92\\x02\\x00\\x00T\\x00S\\x00A\\x00:\\x00/\\x00/\\x00P\\x00r\\x00o\\x00c\\x00U\\x00n\\x00i\\x00q\\x00u\\x00e\\x00\\x98\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xe2Z\n\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 19475
          },
          {
            "timestamp": "2026-05-28 22:02:03,381",
            "thread_id": "5448",
            "caller": "0x7ff6c28c488d",
            "parentcaller": "0x7ff6c28c375e",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000aac"
              }
            ],
            "repeated": 0,
            "id": 19476
          },
          {
            "timestamp": "2026-05-28 22:02:03,381",
            "thread_id": "5448",
            "caller": "0x7ff6c28c3779",
            "parentcaller": "0x7ff6c28c31c6",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000aa8"
              }
            ],
            "repeated": 0,
            "id": 19477
          },
          {
            "timestamp": "2026-05-28 22:02:03,381",
            "thread_id": "5448",
            "caller": "0x7ff6c28c05ac",
            "parentcaller": "0x7ff6c28bdc11",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000aa8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001400",
                "pretty_value": "PROCESS_QUERY_INFORMATION|PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "9756"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe"
              }
            ],
            "repeated": 0,
            "id": 19478
          },
          {
            "timestamp": "2026-05-28 22:02:03,381",
            "thread_id": "5448",
            "caller": "0x7ff6c28c068f",
            "parentcaller": "0x7ff6c28bdc11",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000aa8"
              }
            ],
            "repeated": 0,
            "id": 19479
          },
          {
            "timestamp": "2026-05-28 22:02:03,381",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c3e56",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000aa8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001000",
                "pretty_value": "PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "9756"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe"
              }
            ],
            "repeated": 0,
            "id": 19480
          },
          {
            "timestamp": "2026-05-28 22:02:03,381",
            "thread_id": "5448",
            "caller": "0x7ff6c28c3ebb",
            "parentcaller": "0x7ff6c28c2d53",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000aa8"
              }
            ],
            "repeated": 0,
            "id": 19481
          },
          {
            "timestamp": "2026-05-28 22:02:03,381",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c3ffc",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000aa8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001000",
                "pretty_value": "PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "9756"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe"
              }
            ],
            "repeated": 0,
            "id": 19482
          },
          {
            "timestamp": "2026-05-28 22:02:03,381",
            "thread_id": "5448",
            "caller": "0x7ff6c28c4224",
            "parentcaller": "0x7ff6c28c2da5",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000aa8"
              }
            ],
            "repeated": 0,
            "id": 19483
          },
          {
            "timestamp": "2026-05-28 22:02:03,381",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x292514b0002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 19484
          },
          {
            "timestamp": "2026-05-28 22:02:03,381",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x292514b0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00505000"
              }
            ],
            "repeated": 0,
            "id": 19485
          },
          {
            "timestamp": "2026-05-28 22:02:03,381",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29251500002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 19486
          },
          {
            "timestamp": "2026-05-28 22:02:03,381",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29251500000"
              },
              {
                "name": "RegionSize",
                "value": "0x00505000"
              }
            ],
            "repeated": 0,
            "id": 19487
          },
          {
            "timestamp": "2026-05-28 22:02:03,381",
            "thread_id": "5448",
            "caller": "0x7ff6c28c3b16",
            "parentcaller": "0x7ff6c28c30e8",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000aa8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000400",
                "pretty_value": "PROCESS_QUERY_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "9756"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe"
              }
            ],
            "repeated": 0,
            "id": 19488
          },
          {
            "timestamp": "2026-05-28 22:02:03,381",
            "thread_id": "5448",
            "caller": "0x7ff6c28c3b8f",
            "parentcaller": "0x7ff6c28c30e8",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000aa8"
              }
            ],
            "repeated": 0,
            "id": 19489
          },
          {
            "timestamp": "2026-05-28 22:02:03,381",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c38f8",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000aa8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001410",
                "pretty_value": "PROCESS_VM_READ|PROCESS_QUERY_INFORMATION|PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "9756"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe"
              }
            ],
            "repeated": 0,
            "id": 19490
          },
          {
            "timestamp": "2026-05-28 22:02:03,381",
            "thread_id": "5448",
            "caller": "0x7ff6c28c53e5",
            "parentcaller": "0x7ff6c28c3945",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000aa8"
              },
              {
                "name": "BaseAddress",
                "value": "0x9346bf000"
              },
              {
                "name": "Size",
                "value": "0x000007c8"
              },
              {
                "name": "Buffer",
                "value": "\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00u4\\xf7\\x7f\\x00\\x00\\xc0\\xc4\\x13x\\xfc\\x7f\\x00\\x00\\xc0,\\x00\\xcb\\x88\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xe9\\xca\\x88\\x01\\x00\\x00\\xe0\\xc0\\x13x\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x05\\x00\\x00\\x00\\x00\\x00\\x00\\x00p\\x003v\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xe2\\xca\\x88\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00@\\xc4\\x13x\\xfc\\x7f\\x00\\x00\\xff\\xff\\x07\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xdd*\\xf4}\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00P\\x07\\xdd*\\xf4}\\x00\\x00\\x00\\x00\\xf1,\\xf5}\\x00\\x00(\\x02\\xf2,\\xf5}\\x00\\x00P\\x06\\xf3,\\xf5}\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x80\\x9b\\x07m\\xe8\\xff\\xff\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x00 \\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x10\\x00\\x00\\x00@\\xad\\x13x\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 19491
          },
          {
            "timestamp": "2026-05-28 22:02:03,381",
            "thread_id": "5448",
            "caller": "0x7ff6c28c5414",
            "parentcaller": "0x7ff6c28c3945",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000aa8"
              },
              {
                "name": "BaseAddress",
                "value": "0x188cb002cc0"
              },
              {
                "name": "Size",
                "value": "0x00000440"
              },
              {
                "name": "Buffer",
                "value": "\\xee\\x0b\\x00\\x00\\xee\\x0b\\x00\\x00\\x01`\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x80\\x00\\x08\\x02\\x00\\x00\\x00\\x00 =\\x00\\xcb\\x88\\x01\\x00\\x00\\x88\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00x\\x00z\\x00\\x00\\x00\\x00\\x00\\x083\\x00\\xcb\\x88\\x01\\x00\\x00L\\x04N\\x04\\x00\\x00\\x00\\x00\\x823\\x00\\xcb\\x88\\x01\\x00\\x00\\xf0'\\x00\\xcb\\x88\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x80\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00x\\x00z\\x00\\x00\\x00\\x00\\x00\\xd07\\x00\\xcb\\x88\\x01\\x00\\x00`\\x00b\\x00\\x00\\x00\\x00\\x00J8\\x00\\xcb\\x88\\x01\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\xac8\\x00\\xcb\\x88\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 19492
          },
          {
            "timestamp": "2026-05-28 22:02:03,381",
            "thread_id": "5448",
            "caller": "0x7ff6c28c545d",
            "parentcaller": "0x7ff6c28c3945",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000aa8"
              },
              {
                "name": "BaseAddress",
                "value": "0x188cb003382"
              },
              {
                "name": "Size",
                "value": "0x0000044c"
              },
              {
                "name": "Buffer",
                "value": "\"\\x00C\\x00:\\x00\\\\x00P\\x00r\\x00o\\x00g\\x00r\\x00a\\x00m\\x00 \\x00F\\x00i\\x00l\\x00e\\x00s\\x00 \\x00(\\x00x\\x008\\x006\\x00)\\x00\\\\x00M\\x00i\\x00c\\x00r\\x00o\\x00s\\x00o\\x00f\\x00t\\x00\\\\x00E\\x00d\\x00g\\x00e\\x00\\\\x00A\\x00p\\x00p\\x00l\\x00i\\x00c\\x00a\\x00t\\x00i\\x00o\\x00n\\x00\\\\x00m\\x00s\\x00e\\x00d\\x00g\\x00e\\x00.\\x00e\\x00x\\x00e\\x00\"\\x00 \\x00-\\x00-\\x00t\\x00y\\x00p\\x00e\\x00=\\x00u\\x00t\\x00i\\x00l\\x00i\\x00t\\x00y\\x00 \\x00-\\x00-\\x00u\\x00t\\x00i\\x00l\\x00i\\x00t\\x00y\\x00-\\x00s\\x00u\\x00b\\x00-\\x00t\\x00y\\x00p\\x00e\\x00=\\x00s\\x00t\\x00o\\x00r\\x00a\\x00g\\x00e\\x00.\\x00m\\x00o\\x00j\\x00o\\x00m\\x00.\\x00S\\x00t\\x00o\\x00r\\x00a\\x00g\\x00e\\x00S\\x00e\\x00r\\x00v\\x00i\\x00c\\x00e\\x00 \\x00-\\x00-\\x00"
              }
            ],
            "repeated": 0,
            "id": 19493
          },
          {
            "timestamp": "2026-05-28 22:02:03,381",
            "thread_id": "5448",
            "caller": "0x7ff6c28c39ad",
            "parentcaller": "0x7ff6c28c31bb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000aa8"
              }
            ],
            "repeated": 0,
            "id": 19494
          },
          {
            "timestamp": "2026-05-28 22:02:03,381",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c3746",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000aa8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001000",
                "pretty_value": "PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "9756"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe"
              }
            ],
            "repeated": 0,
            "id": 19495
          },
          {
            "timestamp": "2026-05-28 22:02:03,381",
            "thread_id": "5448",
            "caller": "0x7ff6c28c472e",
            "parentcaller": "0x7ff6c28c375e",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000aa8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x00000aac"
              }
            ],
            "repeated": 0,
            "id": 19496
          },
          {
            "timestamp": "2026-05-28 22:02:03,381",
            "thread_id": "5448",
            "caller": "0x7ff6c28c4764",
            "parentcaller": "0x7ff6c28c375e",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "39"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 19497
          },
          {
            "timestamp": "2026-05-28 22:02:03,381",
            "thread_id": "5448",
            "caller": "0x7ff6c28c47ed",
            "parentcaller": "0x7ff6c28c375e",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "39"
              },
              {
                "name": "TokenInformation",
                "value": "\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\xd0\\xf0\\xe4T\\x92\\x02\\x00\\x00 \\x00 \\x00\\x00\\x00\\x00\\x00\\xf8\\xf0\\xe4T\\x92\\x02\\x00\\x00\\x02\\x00\\x00\\x00A\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x18\\xf1\\xe4T\\x92\\x02\\x00\\x00T\\x00S\\x00A\\x00:\\x00/\\x00/\\x00P\\x00r\\x00o\\x00c\\x00U\\x00n\\x00i\\x00q\\x00u\\x00e\\x00\\x99\\x00\\x00\\x00\\x00\\x00\\x00\\x001[\n\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 19498
          },
          {
            "timestamp": "2026-05-28 22:02:03,381",
            "thread_id": "5448",
            "caller": "0x7ff6c28c488d",
            "parentcaller": "0x7ff6c28c375e",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000aac"
              }
            ],
            "repeated": 0,
            "id": 19499
          },
          {
            "timestamp": "2026-05-28 22:02:03,381",
            "thread_id": "5448",
            "caller": "0x7ff6c28c3779",
            "parentcaller": "0x7ff6c28c31c6",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000aa8"
              }
            ],
            "repeated": 0,
            "id": 19500
          },
          {
            "timestamp": "2026-05-28 22:02:03,381",
            "thread_id": "5448",
            "caller": "0x7ff6c28c05ac",
            "parentcaller": "0x7ff6c28bdc11",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000aa8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001400",
                "pretty_value": "PROCESS_QUERY_INFORMATION|PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "9972"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe"
              }
            ],
            "repeated": 0,
            "id": 19501
          },
          {
            "timestamp": "2026-05-28 22:02:03,381",
            "thread_id": "5448",
            "caller": "0x7ff6c28c068f",
            "parentcaller": "0x7ff6c28bdc11",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000aa8"
              }
            ],
            "repeated": 0,
            "id": 19502
          },
          {
            "timestamp": "2026-05-28 22:02:03,381",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c3e56",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000aa8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001000",
                "pretty_value": "PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "9972"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe"
              }
            ],
            "repeated": 0,
            "id": 19503
          },
          {
            "timestamp": "2026-05-28 22:02:03,381",
            "thread_id": "5448",
            "caller": "0x7ff6c28c3ebb",
            "parentcaller": "0x7ff6c28c2d53",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000aa8"
              }
            ],
            "repeated": 0,
            "id": 19504
          },
          {
            "timestamp": "2026-05-28 22:02:03,381",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c3ffc",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000aa8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001000",
                "pretty_value": "PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "9972"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe"
              }
            ],
            "repeated": 0,
            "id": 19505
          },
          {
            "timestamp": "2026-05-28 22:02:03,381",
            "thread_id": "5448",
            "caller": "0x7ff6c28c4224",
            "parentcaller": "0x7ff6c28c2da5",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000aa8"
              }
            ],
            "repeated": 0,
            "id": 19506
          },
          {
            "timestamp": "2026-05-28 22:02:03,381",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x292514c0002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 19507
          },
          {
            "timestamp": "2026-05-28 22:02:03,381",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x292514c0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00505000"
              }
            ],
            "repeated": 0,
            "id": 19508
          },
          {
            "timestamp": "2026-05-28 22:02:03,381",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x292514c0002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 19509
          },
          {
            "timestamp": "2026-05-28 22:02:03,381",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x292514c0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00505000"
              }
            ],
            "repeated": 0,
            "id": 19510
          },
          {
            "timestamp": "2026-05-28 22:02:03,381",
            "thread_id": "5448",
            "caller": "0x7ff6c28c3b16",
            "parentcaller": "0x7ff6c28c30e8",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000ab0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000400",
                "pretty_value": "PROCESS_QUERY_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "9972"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe"
              }
            ],
            "repeated": 0,
            "id": 19511
          },
          {
            "timestamp": "2026-05-28 22:02:03,381",
            "thread_id": "5448",
            "caller": "0x7ff6c28c3b8f",
            "parentcaller": "0x7ff6c28c30e8",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000ab0"
              }
            ],
            "repeated": 0,
            "id": 19512
          },
          {
            "timestamp": "2026-05-28 22:02:03,381",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c38f8",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000ab0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001410",
                "pretty_value": "PROCESS_VM_READ|PROCESS_QUERY_INFORMATION|PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "9972"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe"
              }
            ],
            "repeated": 0,
            "id": 19513
          },
          {
            "timestamp": "2026-05-28 22:02:03,381",
            "thread_id": "5448",
            "caller": "0x7ff6c28c53e5",
            "parentcaller": "0x7ff6c28c3945",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000ab0"
              },
              {
                "name": "BaseAddress",
                "value": "0x33d89a2000"
              },
              {
                "name": "Size",
                "value": "0x000007c8"
              },
              {
                "name": "Buffer",
                "value": "\\x00\\x00\\x00$\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00u4\\xf7\\x7f\\x00\\x00\\xc0\\xc4\\x13x\\xfc\\x7f\\x00\\x00\\xc0,`\\x18\\xb6\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00Y\\x18\\xb6\\x01\\x00\\x00\\xe0\\xc0\\x13x\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x05\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00R\\x18\\xb6\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00@\\xc4\\x13x\\xfc\\x7f\\x00\\x00\\xff\\x03\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xee\\xb7\\xf4}\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00P\\x07\\xee\\xb7\\xf4}\\x00\\x00\\x00\\x00\\x02\\xba\\xf5}\\x00\\x00(\\x02\\x03\\xba\\xf5}\\x00\\x00P\\x06\\x04\\xba\\xf5}\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x80\\x9b\\x07m\\xe8\\xff\\xff\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x00 \\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x10\\x00\\x00\\x00@\\xad\\x13x\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 19514
          },
          {
            "timestamp": "2026-05-28 22:02:03,381",
            "thread_id": "5448",
            "caller": "0x7ff6c28c5414",
            "parentcaller": "0x7ff6c28c3945",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000ab0"
              },
              {
                "name": "BaseAddress",
                "value": "0x1b618602cc0"
              },
              {
                "name": "Size",
                "value": "0x00000440"
              },
              {
                "name": "Buffer",
                "value": ">\r\\x00\\x00>\r\\x00\\x00\\x01`\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x80\\x00\\x08\\x02\\x00\\x00\\x00\\x00p>`\\x18\\xb6\\x01\\x00\\x00\\x88\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00x\\x00z\\x00\\x00\\x00\\x00\\x00\\x083`\\x18\\xb6\\x01\\x00\\x00\\x9c\\x05\\x9e\\x05\\x00\\x00\\x00\\x00\\x823`\\x18\\xb6\\x01\\x00\\x00\\xf0'`\\x18\\xb6\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x80\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00x\\x00z\\x00\\x00\\x00\\x00\\x00 9`\\x18\\xb6\\x01\\x00\\x00`\\x00b\\x00\\x00\\x00\\x00\\x00\\x9a9`\\x18\\xb6\\x01\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\xfc9`\\x18\\xb6\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 19515
          },
          {
            "timestamp": "2026-05-28 22:02:03,381",
            "thread_id": "5448",
            "caller": "0x7ff6c28c545d",
            "parentcaller": "0x7ff6c28c3945",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000ab0"
              },
              {
                "name": "BaseAddress",
                "value": "0x1b618603382"
              },
              {
                "name": "Size",
                "value": "0x0000059c"
              },
              {
                "name": "Buffer",
                "value": "\"\\x00C\\x00:\\x00\\\\x00P\\x00r\\x00o\\x00g\\x00r\\x00a\\x00m\\x00 \\x00F\\x00i\\x00l\\x00e\\x00s\\x00 \\x00(\\x00x\\x008\\x006\\x00)\\x00\\\\x00M\\x00i\\x00c\\x00r\\x00o\\x00s\\x00o\\x00f\\x00t\\x00\\\\x00E\\x00d\\x00g\\x00e\\x00\\\\x00A\\x00p\\x00p\\x00l\\x00i\\x00c\\x00a\\x00t\\x00i\\x00o\\x00n\\x00\\\\x00m\\x00s\\x00e\\x00d\\x00g\\x00e\\x00.\\x00e\\x00x\\x00e\\x00\"\\x00 \\x00-\\x00-\\x00t\\x00y\\x00p\\x00e\\x00=\\x00r\\x00e\\x00n\\x00d\\x00e\\x00r\\x00e\\x00r\\x00 \\x00-\\x00-\\x00p\\x00d\\x00f\\x00-\\x00u\\x00p\\x00s\\x00e\\x00l\\x00l\\x00-\\x00e\\x00n\\x00a\\x00b\\x00l\\x00e\\x00d\\x00 \\x00-\\x00-\\x00v\\x00i\\x00d\\x00e\\x00o\\x00-\\x00c\\x00a\\x00p\\x00t\\x00u\\x00r\\x00e\\x00-\\x00u\\x00s\\x00e\\x00-\\x00g\\x00p\\x00u\\x00-\\x00m\\x00e\\x00m\\x00o\\x00"
              }
            ],
            "repeated": 0,
            "id": 19516
          },
          {
            "timestamp": "2026-05-28 22:02:03,381",
            "thread_id": "5448",
            "caller": "0x7ff6c28c39ad",
            "parentcaller": "0x7ff6c28c31bb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000ab0"
              }
            ],
            "repeated": 0,
            "id": 19517
          },
          {
            "timestamp": "2026-05-28 22:02:03,381",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c3746",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000ab0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001000",
                "pretty_value": "PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "9972"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe"
              }
            ],
            "repeated": 0,
            "id": 19518
          },
          {
            "timestamp": "2026-05-28 22:02:03,381",
            "thread_id": "5448",
            "caller": "0x7ff6c28c472e",
            "parentcaller": "0x7ff6c28c375e",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000ab0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x00000ab4"
              }
            ],
            "repeated": 0,
            "id": 19519
          },
          {
            "timestamp": "2026-05-28 22:02:03,381",
            "thread_id": "5448",
            "caller": "0x7ff6c28c4764",
            "parentcaller": "0x7ff6c28c375e",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "39"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 19520
          },
          {
            "timestamp": "2026-05-28 22:02:03,381",
            "thread_id": "5448",
            "caller": "0x7ff6c28c47ed",
            "parentcaller": "0x7ff6c28c375e",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "39"
              },
              {
                "name": "TokenInformation",
                "value": "\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\xd0\\xf0\\xe4T\\x92\\x02\\x00\\x00 \\x00 \\x00\\x00\\x00\\x00\\x00\\xf8\\xf0\\xe4T\\x92\\x02\\x00\\x00\\x02\\x00\\x00\\x00A\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x18\\xf1\\xe4T\\x92\\x02\\x00\\x00T\\x00S\\x00A\\x00:\\x00/\\x00/\\x00P\\x00r\\x00o\\x00c\\x00U\\x00n\\x00i\\x00q\\x00u\\x00e\\x00\\x9a\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x0ba\n\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 19521
          },
          {
            "timestamp": "2026-05-28 22:02:03,381",
            "thread_id": "5448",
            "caller": "0x7ff6c28c488d",
            "parentcaller": "0x7ff6c28c375e",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000ab4"
              }
            ],
            "repeated": 0,
            "id": 19522
          },
          {
            "timestamp": "2026-05-28 22:02:03,381",
            "thread_id": "5448",
            "caller": "0x7ff6c28c3779",
            "parentcaller": "0x7ff6c28c31c6",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000ab0"
              }
            ],
            "repeated": 0,
            "id": 19523
          },
          {
            "timestamp": "2026-05-28 22:02:03,381",
            "thread_id": "5448",
            "caller": "0x7ff6c28c05ac",
            "parentcaller": "0x7ff6c28bdc11",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000ab0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001400",
                "pretty_value": "PROCESS_QUERY_INFORMATION|PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "10004"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe"
              }
            ],
            "repeated": 0,
            "id": 19524
          },
          {
            "timestamp": "2026-05-28 22:02:03,381",
            "thread_id": "5448",
            "caller": "0x7ff6c28c068f",
            "parentcaller": "0x7ff6c28bdc11",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000ab0"
              }
            ],
            "repeated": 0,
            "id": 19525
          },
          {
            "timestamp": "2026-05-28 22:02:03,381",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c3e56",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000ab0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001000",
                "pretty_value": "PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "10004"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe"
              }
            ],
            "repeated": 0,
            "id": 19526
          },
          {
            "timestamp": "2026-05-28 22:02:03,381",
            "thread_id": "5448",
            "caller": "0x7ff6c28c3ebb",
            "parentcaller": "0x7ff6c28c2d53",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000ab0"
              }
            ],
            "repeated": 0,
            "id": 19527
          },
          {
            "timestamp": "2026-05-28 22:02:03,381",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c3ffc",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000ab0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001000",
                "pretty_value": "PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "10004"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe"
              }
            ],
            "repeated": 0,
            "id": 19528
          },
          {
            "timestamp": "2026-05-28 22:02:03,381",
            "thread_id": "5448",
            "caller": "0x7ff6c28c4224",
            "parentcaller": "0x7ff6c28c2da5",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000ab0"
              }
            ],
            "repeated": 0,
            "id": 19529
          },
          {
            "timestamp": "2026-05-28 22:02:03,396",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x292514c0002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 19530
          },
          {
            "timestamp": "2026-05-28 22:02:03,396",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x292514c0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00505000"
              }
            ],
            "repeated": 0,
            "id": 19531
          },
          {
            "timestamp": "2026-05-28 22:02:03,396",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x292514c0002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 19532
          },
          {
            "timestamp": "2026-05-28 22:02:03,396",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x292514c0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00505000"
              }
            ],
            "repeated": 0,
            "id": 19533
          },
          {
            "timestamp": "2026-05-28 22:02:03,396",
            "thread_id": "5448",
            "caller": "0x7ff6c28c3b16",
            "parentcaller": "0x7ff6c28c30e8",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000ab0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000400",
                "pretty_value": "PROCESS_QUERY_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "10004"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe"
              }
            ],
            "repeated": 0,
            "id": 19534
          },
          {
            "timestamp": "2026-05-28 22:02:03,396",
            "thread_id": "5448",
            "caller": "0x7ff6c28c3b8f",
            "parentcaller": "0x7ff6c28c30e8",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000ab0"
              }
            ],
            "repeated": 0,
            "id": 19535
          },
          {
            "timestamp": "2026-05-28 22:02:03,396",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c38f8",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000ab0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001410",
                "pretty_value": "PROCESS_VM_READ|PROCESS_QUERY_INFORMATION|PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "10004"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe"
              }
            ],
            "repeated": 0,
            "id": 19536
          },
          {
            "timestamp": "2026-05-28 22:02:03,396",
            "thread_id": "5448",
            "caller": "0x7ff6c28c53e5",
            "parentcaller": "0x7ff6c28c3945",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000ab0"
              },
              {
                "name": "BaseAddress",
                "value": "0xb2f847c000"
              },
              {
                "name": "Size",
                "value": "0x000007c8"
              },
              {
                "name": "Buffer",
                "value": "\\x00\\x00\\x00$\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00u4\\xf7\\x7f\\x00\\x00\\xc0\\xc4\\x13x\\xfc\\x7f\\x00\\x00\\xc0,\\xa0\\xaf\\xc1\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x8b\\xaf\\xc1\\x01\\x00\\x00\\xe0\\xc0\\x13x\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x05\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x84\\xaf\\xc1\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00@\\xc4\\x13x\\xfc\\x7f\\x00\\x00\\xff\\x03\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x14\\xf3\\xf4}\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00P\\x07\\x14\\xf3\\xf4}\\x00\\x00\\x00\\x00(\\xf5\\xf5}\\x00\\x00(\\x02)\\xf5\\xf5}\\x00\\x00P\\x06*\\xf5\\xf5}\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x80\\x9b\\x07m\\xe8\\xff\\xff\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x00 \\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x10\\x00\\x00\\x00@\\xad\\x13x\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 19537
          },
          {
            "timestamp": "2026-05-28 22:02:03,396",
            "thread_id": "5448",
            "caller": "0x7ff6c28c5414",
            "parentcaller": "0x7ff6c28c3945",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000ab0"
              },
              {
                "name": "BaseAddress",
                "value": "0x1c1afa02cc0"
              },
              {
                "name": "Size",
                "value": "0x00000440"
              },
              {
                "name": "Buffer",
                "value": "(\r\\x00\\x00(\r\\x00\\x00\\x01`\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x80\\x00\\x08\\x02\\x00\\x00\\x00\\x00`>\\xa0\\xaf\\xc1\\x01\\x00\\x00\\x88\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00x\\x00z\\x00\\x00\\x00\\x00\\x00\\x083\\xa0\\xaf\\xc1\\x01\\x00\\x00\\x86\\x05\\x88\\x05\\x00\\x00\\x00\\x00\\x823\\xa0\\xaf\\xc1\\x01\\x00\\x00\\xf0'\\xa0\\xaf\\xc1\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x80\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00x\\x00z\\x00\\x00\\x00\\x00\\x00\n9\\xa0\\xaf\\xc1\\x01\\x00\\x00`\\x00b\\x00\\x00\\x00\\x00\\x00\\x849\\xa0\\xaf\\xc1\\x01\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\xe69\\xa0\\xaf\\xc1\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 19538
          },
          {
            "timestamp": "2026-05-28 22:02:03,396",
            "thread_id": "5448",
            "caller": "0x7ff6c28c545d",
            "parentcaller": "0x7ff6c28c3945",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000ab0"
              },
              {
                "name": "BaseAddress",
                "value": "0x1c1afa03382"
              },
              {
                "name": "Size",
                "value": "0x00000586"
              },
              {
                "name": "Buffer",
                "value": "\"\\x00C\\x00:\\x00\\\\x00P\\x00r\\x00o\\x00g\\x00r\\x00a\\x00m\\x00 \\x00F\\x00i\\x00l\\x00e\\x00s\\x00 \\x00(\\x00x\\x008\\x006\\x00)\\x00\\\\x00M\\x00i\\x00c\\x00r\\x00o\\x00s\\x00o\\x00f\\x00t\\x00\\\\x00E\\x00d\\x00g\\x00e\\x00\\\\x00A\\x00p\\x00p\\x00l\\x00i\\x00c\\x00a\\x00t\\x00i\\x00o\\x00n\\x00\\\\x00m\\x00s\\x00e\\x00d\\x00g\\x00e\\x00.\\x00e\\x00x\\x00e\\x00\"\\x00 \\x00-\\x00-\\x00t\\x00y\\x00p\\x00e\\x00=\\x00r\\x00e\\x00n\\x00d\\x00e\\x00r\\x00e\\x00r\\x00 \\x00-\\x00-\\x00p\\x00d\\x00f\\x00-\\x00u\\x00p\\x00s\\x00e\\x00l\\x00l\\x00-\\x00e\\x00n\\x00a\\x00b\\x00l\\x00e\\x00d\\x00 \\x00-\\x00-\\x00v\\x00i\\x00d\\x00e\\x00o\\x00-\\x00c\\x00a\\x00p\\x00t\\x00u\\x00r\\x00e\\x00-\\x00u\\x00s\\x00e\\x00-\\x00g\\x00p\\x00u\\x00-\\x00m\\x00e\\x00m\\x00o\\x00"
              }
            ],
            "repeated": 0,
            "id": 19539
          },
          {
            "timestamp": "2026-05-28 22:02:03,396",
            "thread_id": "5448",
            "caller": "0x7ff6c28c39ad",
            "parentcaller": "0x7ff6c28c31bb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000ab0"
              }
            ],
            "repeated": 0,
            "id": 19540
          },
          {
            "timestamp": "2026-05-28 22:02:03,396",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c3746",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000ab0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001000",
                "pretty_value": "PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "10004"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe"
              }
            ],
            "repeated": 0,
            "id": 19541
          },
          {
            "timestamp": "2026-05-28 22:02:03,396",
            "thread_id": "5448",
            "caller": "0x7ff6c28c472e",
            "parentcaller": "0x7ff6c28c375e",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000ab0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x00000ab4"
              }
            ],
            "repeated": 0,
            "id": 19542
          },
          {
            "timestamp": "2026-05-28 22:02:03,396",
            "thread_id": "5448",
            "caller": "0x7ff6c28c4764",
            "parentcaller": "0x7ff6c28c375e",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "39"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 19543
          },
          {
            "timestamp": "2026-05-28 22:02:03,396",
            "thread_id": "5448",
            "caller": "0x7ff6c28c47ed",
            "parentcaller": "0x7ff6c28c375e",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "39"
              },
              {
                "name": "TokenInformation",
                "value": "\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\xd0\\xf0\\xe4T\\x92\\x02\\x00\\x00 \\x00 \\x00\\x00\\x00\\x00\\x00\\xf8\\xf0\\xe4T\\x92\\x02\\x00\\x00\\x02\\x00\\x00\\x00A\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x18\\xf1\\xe4T\\x92\\x02\\x00\\x00T\\x00S\\x00A\\x00:\\x00/\\x00/\\x00P\\x00r\\x00o\\x00c\\x00U\\x00n\\x00i\\x00q\\x00u\\x00e\\x00\\x9b\\x00\\x00\\x00\\x00\\x00\\x00\\x00$a\n\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 19544
          },
          {
            "timestamp": "2026-05-28 22:02:03,396",
            "thread_id": "5448",
            "caller": "0x7ff6c28c488d",
            "parentcaller": "0x7ff6c28c375e",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000ab4"
              }
            ],
            "repeated": 0,
            "id": 19545
          },
          {
            "timestamp": "2026-05-28 22:02:03,396",
            "thread_id": "5448",
            "caller": "0x7ff6c28c3779",
            "parentcaller": "0x7ff6c28c31c6",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000ab0"
              }
            ],
            "repeated": 0,
            "id": 19546
          },
          {
            "timestamp": "2026-05-28 22:02:03,396",
            "thread_id": "1276",
            "caller": "0x7ff6c28d9214",
            "parentcaller": "0x00000000",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "0",
                "pretty_value": "ThreadBasicInformation"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x03\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xd0\\x87\\x9d\\xf0\\x00\\x00\\x00\\xe8\\x1e\\x00\\x00\\x00\\x00\\x00\\x00\\xfc\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\n\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "1276"
              }
            ],
            "repeated": 0,
            "id": 19547
          },
          {
            "timestamp": "2026-05-28 22:02:03,396",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000000",
                "pretty_value": "HKEY_CLASSES_ROOT"
              },
              {
                "name": "SubKey",
                "value": "CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_CLASSES_ROOT\\CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              }
            ],
            "repeated": 0,
            "id": 19548
          },
          {
            "timestamp": "2026-05-28 22:02:03,396",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "shell32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76730000"
              }
            ],
            "repeated": 0,
            "id": 19549
          },
          {
            "timestamp": "2026-05-28 22:02:03,396",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x7ffc76730000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "shell32.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 19550
          },
          {
            "timestamp": "2026-05-28 22:02:03,396",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "SHELL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc76730000"
              },
              {
                "name": "FunctionName",
                "value": "DllGetClassObject"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc767878f0"
              }
            ],
            "repeated": 0,
            "id": 19551
          },
          {
            "timestamp": "2026-05-28 22:02:03,396",
            "thread_id": "1276",
            "caller": "0x7ff6c28c27c9",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "process",
            "api": "NtOpenSection",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000004"
              },
              {
                "name": "ObjectAttributes",
                "value": "Global\\C:*ProgramData*Microsoft*Windows*Caches*cversions.2"
              }
            ],
            "repeated": 0,
            "id": 19552
          },
          {
            "timestamp": "2026-05-28 22:02:03,396",
            "thread_id": "1276",
            "caller": "0x7ff6c28c27c9",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "process",
            "api": "NtOpenSection",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000004"
              },
              {
                "name": "ObjectAttributes",
                "value": "Local\\C:*ProgramData*Microsoft*Windows*Caches*cversions.2"
              }
            ],
            "repeated": 0,
            "id": 19553
          },
          {
            "timestamp": "2026-05-28 22:02:03,396",
            "thread_id": "1276",
            "caller": "0x7ff6c28c27c9",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "process",
            "api": "NtOpenSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000aac"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000004"
              },
              {
                "name": "ObjectAttributes",
                "value": "Global\\C:*ProgramData*Microsoft*Windows*Caches*cversions.2.ro"
              }
            ],
            "repeated": 0,
            "id": 19554
          },
          {
            "timestamp": "2026-05-28 22:02:03,396",
            "thread_id": "1276",
            "caller": "0x7ff6c28c27c9",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000aac"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x292514a0000"
              },
              {
                "name": "SectionOffset",
                "value": "0xf09e17d7e0"
              },
              {
                "name": "ViewSize",
                "value": "0x00004000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 19555
          },
          {
            "timestamp": "2026-05-28 22:02:03,396",
            "thread_id": "1276",
            "caller": "0x7ff6c28c27c9",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "synchronization",
            "api": "NtFindAtom",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "AtomName",
                "value": "{57086C23-86C6-478F-AFB2-236188C8F47F} 3"
              },
              {
                "name": "Atom",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 19556
          },
          {
            "timestamp": "2026-05-28 22:02:03,396",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000000",
                "pretty_value": "HKEY_CLASSES_ROOT"
              },
              {
                "name": "SubKey",
                "value": "CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_CLASSES_ROOT\\CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              }
            ],
            "repeated": 0,
            "id": 19557
          },
          {
            "timestamp": "2026-05-28 22:02:03,396",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "shell32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76730000"
              }
            ],
            "repeated": 0,
            "id": 19558
          },
          {
            "timestamp": "2026-05-28 22:02:03,396",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x7ffc76730000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "shell32.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 19559
          },
          {
            "timestamp": "2026-05-28 22:02:03,396",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "SHELL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc76730000"
              },
              {
                "name": "FunctionName",
                "value": "DllGetClassObject"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc767878f0"
              }
            ],
            "repeated": 0,
            "id": 19560
          },
          {
            "timestamp": "2026-05-28 22:02:03,396",
            "thread_id": "1276",
            "caller": "0x7ff6c28c27c9",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "synchronization",
            "api": "NtFindAtom",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "AtomName",
                "value": "{57086C23-86C6-478F-AFB2-236188C8F47F} 3"
              },
              {
                "name": "Atom",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 19561
          },
          {
            "timestamp": "2026-05-28 22:02:03,396",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6fb1",
            "parentcaller": "0x7ff6c28e0076",
            "category": "system",
            "api": "NtDelayExecution",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 19562
          },
          {
            "timestamp": "2026-05-28 22:02:03,396",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000000",
                "pretty_value": "HKEY_CLASSES_ROOT"
              },
              {
                "name": "SubKey",
                "value": "CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_CLASSES_ROOT\\CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              }
            ],
            "repeated": 0,
            "id": 19563
          },
          {
            "timestamp": "2026-05-28 22:02:03,396",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "shell32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76730000"
              }
            ],
            "repeated": 0,
            "id": 19564
          },
          {
            "timestamp": "2026-05-28 22:02:03,396",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x7ffc76730000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "shell32.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 19565
          },
          {
            "timestamp": "2026-05-28 22:02:03,396",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "SHELL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc76730000"
              },
              {
                "name": "FunctionName",
                "value": "DllGetClassObject"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc767878f0"
              }
            ],
            "repeated": 0,
            "id": 19566
          },
          {
            "timestamp": "2026-05-28 22:02:03,396",
            "thread_id": "1276",
            "caller": "0x7ff6c28c27c9",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "synchronization",
            "api": "NtFindAtom",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "AtomName",
                "value": "{57086C23-86C6-478F-AFB2-236188C8F47F} 3"
              },
              {
                "name": "Atom",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 19567
          },
          {
            "timestamp": "2026-05-28 22:02:03,396",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000000",
                "pretty_value": "HKEY_CLASSES_ROOT"
              },
              {
                "name": "SubKey",
                "value": "CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_CLASSES_ROOT\\CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              }
            ],
            "repeated": 0,
            "id": 19568
          },
          {
            "timestamp": "2026-05-28 22:02:03,396",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "shell32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76730000"
              }
            ],
            "repeated": 0,
            "id": 19569
          },
          {
            "timestamp": "2026-05-28 22:02:03,396",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x7ffc76730000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "shell32.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 19570
          },
          {
            "timestamp": "2026-05-28 22:02:03,396",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "SHELL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc76730000"
              },
              {
                "name": "FunctionName",
                "value": "DllGetClassObject"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc767878f0"
              }
            ],
            "repeated": 0,
            "id": 19571
          },
          {
            "timestamp": "2026-05-28 22:02:03,396",
            "thread_id": "1276",
            "caller": "0x7ff6c28c27c9",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "synchronization",
            "api": "NtFindAtom",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "AtomName",
                "value": "{57086C23-86C6-478F-AFB2-236188C8F47F} 3"
              },
              {
                "name": "Atom",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 19572
          },
          {
            "timestamp": "2026-05-28 22:02:03,396",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000000",
                "pretty_value": "HKEY_CLASSES_ROOT"
              },
              {
                "name": "SubKey",
                "value": "CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_CLASSES_ROOT\\CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              }
            ],
            "repeated": 0,
            "id": 19573
          },
          {
            "timestamp": "2026-05-28 22:02:03,396",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "shell32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76730000"
              }
            ],
            "repeated": 0,
            "id": 19574
          },
          {
            "timestamp": "2026-05-28 22:02:03,396",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x7ffc76730000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "shell32.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 19575
          },
          {
            "timestamp": "2026-05-28 22:02:03,396",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "SHELL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc76730000"
              },
              {
                "name": "FunctionName",
                "value": "DllGetClassObject"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc767878f0"
              }
            ],
            "repeated": 0,
            "id": 19576
          },
          {
            "timestamp": "2026-05-28 22:02:03,396",
            "thread_id": "1276",
            "caller": "0x7ff6c28c27c9",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "synchronization",
            "api": "NtFindAtom",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "AtomName",
                "value": "{57086C23-86C6-478F-AFB2-236188C8F47F} 3"
              },
              {
                "name": "Atom",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 19577
          },
          {
            "timestamp": "2026-05-28 22:02:03,396",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000000",
                "pretty_value": "HKEY_CLASSES_ROOT"
              },
              {
                "name": "SubKey",
                "value": "CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_CLASSES_ROOT\\CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              }
            ],
            "repeated": 0,
            "id": 19578
          },
          {
            "timestamp": "2026-05-28 22:02:03,396",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "shell32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76730000"
              }
            ],
            "repeated": 0,
            "id": 19579
          },
          {
            "timestamp": "2026-05-28 22:02:03,396",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x7ffc76730000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "shell32.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 19580
          },
          {
            "timestamp": "2026-05-28 22:02:03,396",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "SHELL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc76730000"
              },
              {
                "name": "FunctionName",
                "value": "DllGetClassObject"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc767878f0"
              }
            ],
            "repeated": 0,
            "id": 19581
          },
          {
            "timestamp": "2026-05-28 22:02:03,396",
            "thread_id": "1276",
            "caller": "0x7ff6c28c27c9",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "synchronization",
            "api": "NtFindAtom",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "AtomName",
                "value": "{57086C23-86C6-478F-AFB2-236188C8F47F} 3"
              },
              {
                "name": "Atom",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 19582
          },
          {
            "timestamp": "2026-05-28 22:02:03,396",
            "thread_id": "1276",
            "caller": "0x7ff6c28d9322",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "oleaut32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc77330000"
              }
            ],
            "repeated": 0,
            "id": 19583
          },
          {
            "timestamp": "2026-05-28 22:02:03,396",
            "thread_id": "5448",
            "caller": "0x7ff6c28bb952",
            "parentcaller": "0x7ff6c28be837",
            "category": "windows",
            "api": "PostMessageW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "WindowHandle",
                "value": "0x00010402"
              },
              {
                "name": "Message",
                "value": "0x00000464"
              }
            ],
            "repeated": 0,
            "id": 19584
          },
          {
            "timestamp": "2026-05-28 22:02:03,396",
            "thread_id": "608",
            "caller": "0x7ff6c28d9e90",
            "parentcaller": "0x7ff6c28d9a49",
            "category": "windows",
            "api": "FindWindowW",
            "status": true,
            "return": "0x00010092",
            "arguments": [
              {
                "name": "ClassName",
                "value": "Shell_TrayWnd"
              },
              {
                "name": "WindowName",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 19585
          },
          {
            "timestamp": "2026-05-28 22:02:03,396",
            "thread_id": "1276",
            "caller": "0x7ffc77bf0e98",
            "parentcaller": "0x7ffc77c6b785",
            "category": "windows",
            "api": "PostMessageW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "WindowHandle",
                "value": "0x00010438"
              },
              {
                "name": "Message",
                "value": "0x00000400"
              }
            ],
            "repeated": 0,
            "id": 19586
          },
          {
            "timestamp": "2026-05-28 22:02:03,475",
            "thread_id": "1496",
            "caller": "0x7ff6c28da9db",
            "parentcaller": "0x7ff6c28d6fb1",
            "category": "misc",
            "api": "GetCursorPos",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "x",
                "value": "598"
              },
              {
                "name": "y",
                "value": "432"
              }
            ],
            "repeated": 0,
            "id": 19587
          },
          {
            "timestamp": "2026-05-28 22:02:03,475",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6fb1",
            "parentcaller": "0x7ff6c28e0076",
            "category": "system",
            "api": "NtDelayExecution",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 19588
          },
          {
            "timestamp": "2026-05-28 22:02:03,475",
            "thread_id": "1276",
            "caller": "0x7ffc77bf0e98",
            "parentcaller": "0x7ffc77c6b785",
            "category": "windows",
            "api": "PostMessageW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "WindowHandle",
                "value": "0x00010424"
              },
              {
                "name": "Message",
                "value": "0x00000400"
              }
            ],
            "repeated": 0,
            "id": 19589
          },
          {
            "timestamp": "2026-05-28 22:02:03,521",
            "thread_id": "1496",
            "caller": "0x7ff6c28da9db",
            "parentcaller": "0x7ff6c28d6fb1",
            "category": "misc",
            "api": "GetCursorPos",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "x",
                "value": "596"
              },
              {
                "name": "y",
                "value": "432"
              }
            ],
            "repeated": 0,
            "id": 19590
          },
          {
            "timestamp": "2026-05-28 22:02:03,521",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6fb1",
            "parentcaller": "0x7ff6c28e0076",
            "category": "system",
            "api": "NtDelayExecution",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 19591
          },
          {
            "timestamp": "2026-05-28 22:02:03,521",
            "thread_id": "1496",
            "caller": "0x7ff6c28da9db",
            "parentcaller": "0x7ff6c28d6fb1",
            "category": "misc",
            "api": "GetCursorPos",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "x",
                "value": "595"
              },
              {
                "name": "y",
                "value": "432"
              }
            ],
            "repeated": 0,
            "id": 19592
          },
          {
            "timestamp": "2026-05-28 22:02:03,521",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6fb1",
            "parentcaller": "0x7ff6c28e0076",
            "category": "system",
            "api": "NtDelayExecution",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 19593
          },
          {
            "timestamp": "2026-05-28 22:02:03,568",
            "thread_id": "1496",
            "caller": "0x7ff6c28da9db",
            "parentcaller": "0x7ff6c28d6fb1",
            "category": "misc",
            "api": "GetCursorPos",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "x",
                "value": "594"
              },
              {
                "name": "y",
                "value": "432"
              }
            ],
            "repeated": 0,
            "id": 19594
          },
          {
            "timestamp": "2026-05-28 22:02:03,568",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6fb1",
            "parentcaller": "0x7ff6c28e0076",
            "category": "system",
            "api": "NtDelayExecution",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 19595
          },
          {
            "timestamp": "2026-05-28 22:02:03,568",
            "thread_id": "1496",
            "caller": "0x7ff6c28da9db",
            "parentcaller": "0x7ff6c28d6fb1",
            "category": "misc",
            "api": "GetCursorPos",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "x",
                "value": "593"
              },
              {
                "name": "y",
                "value": "434"
              }
            ],
            "repeated": 0,
            "id": 19596
          },
          {
            "timestamp": "2026-05-28 22:02:03,568",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6fb1",
            "parentcaller": "0x7ff6c28e0076",
            "category": "system",
            "api": "NtDelayExecution",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 19597
          },
          {
            "timestamp": "2026-05-28 22:02:03,615",
            "thread_id": "1496",
            "caller": "0x7ff6c28da9db",
            "parentcaller": "0x7ff6c28d6fb1",
            "category": "misc",
            "api": "GetCursorPos",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "x",
                "value": "591"
              },
              {
                "name": "y",
                "value": "443"
              }
            ],
            "repeated": 0,
            "id": 19598
          },
          {
            "timestamp": "2026-05-28 22:02:03,615",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6fb1",
            "parentcaller": "0x7ff6c28e0076",
            "category": "system",
            "api": "NtDelayExecution",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 19599
          },
          {
            "timestamp": "2026-05-28 22:02:03,646",
            "thread_id": "1496",
            "caller": "0x7ff6c28da9db",
            "parentcaller": "0x7ff6c28d6fb1",
            "category": "misc",
            "api": "GetCursorPos",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "x",
                "value": "592"
              },
              {
                "name": "y",
                "value": "468"
              }
            ],
            "repeated": 0,
            "id": 19600
          },
          {
            "timestamp": "2026-05-28 22:02:03,646",
            "thread_id": "1496",
            "caller": "0x7ff6c28da9db",
            "parentcaller": "0x7ff6c28d6fb1",
            "category": "misc",
            "api": "GetCursorPos",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "x",
                "value": "592"
              },
              {
                "name": "y",
                "value": "470"
              }
            ],
            "repeated": 0,
            "id": 19601
          },
          {
            "timestamp": "2026-05-28 22:02:03,646",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6fb1",
            "parentcaller": "0x7ff6c28e0076",
            "category": "system",
            "api": "NtDelayExecution",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 19602
          },
          {
            "timestamp": "2026-05-28 22:02:03,693",
            "thread_id": "1496",
            "caller": "0x7ff6c28da9db",
            "parentcaller": "0x7ff6c28d6fb1",
            "category": "misc",
            "api": "GetCursorPos",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "x",
                "value": "592"
              },
              {
                "name": "y",
                "value": "474"
              }
            ],
            "repeated": 0,
            "id": 19603
          },
          {
            "timestamp": "2026-05-28 22:02:03,693",
            "thread_id": "1496",
            "caller": "0x7ff6c28da9db",
            "parentcaller": "0x7ff6c28d6fb1",
            "category": "misc",
            "api": "GetCursorPos",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "x",
                "value": "600"
              },
              {
                "name": "y",
                "value": "498"
              }
            ],
            "repeated": 0,
            "id": 19604
          },
          {
            "timestamp": "2026-05-28 22:02:03,693",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6fb1",
            "parentcaller": "0x7ff6c28e0076",
            "category": "system",
            "api": "NtDelayExecution",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 19605
          },
          {
            "timestamp": "2026-05-28 22:02:03,693",
            "thread_id": "1496",
            "caller": "0x7ff6c28da9db",
            "parentcaller": "0x7ff6c28d6fb1",
            "category": "misc",
            "api": "GetCursorPos",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "x",
                "value": "601"
              },
              {
                "name": "y",
                "value": "500"
              }
            ],
            "repeated": 0,
            "id": 19606
          },
          {
            "timestamp": "2026-05-28 22:02:03,693",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6fb1",
            "parentcaller": "0x7ff6c28e0076",
            "category": "system",
            "api": "NtDelayExecution",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 19607
          },
          {
            "timestamp": "2026-05-28 22:02:03,693",
            "thread_id": "1496",
            "caller": "0x7ff6c28da9db",
            "parentcaller": "0x7ff6c28d6fb1",
            "category": "misc",
            "api": "GetCursorPos",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "x",
                "value": "603"
              },
              {
                "name": "y",
                "value": "503"
              }
            ],
            "repeated": 0,
            "id": 19608
          },
          {
            "timestamp": "2026-05-28 22:02:03,693",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6fb1",
            "parentcaller": "0x7ff6c28e0076",
            "category": "system",
            "api": "NtDelayExecution",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 19609
          },
          {
            "timestamp": "2026-05-28 22:02:03,740",
            "thread_id": "1496",
            "caller": "0x7ff6c28da9db",
            "parentcaller": "0x7ff6c28d6fb1",
            "category": "misc",
            "api": "GetCursorPos",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "x",
                "value": "622"
              },
              {
                "name": "y",
                "value": "533"
              }
            ],
            "repeated": 0,
            "id": 19610
          },
          {
            "timestamp": "2026-05-28 22:02:03,740",
            "thread_id": "1496",
            "caller": "0x7ff6c28da9db",
            "parentcaller": "0x7ff6c28d6fb1",
            "category": "misc",
            "api": "GetCursorPos",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "x",
                "value": "625"
              },
              {
                "name": "y",
                "value": "536"
              }
            ],
            "repeated": 0,
            "id": 19611
          },
          {
            "timestamp": "2026-05-28 22:02:03,740",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6fb1",
            "parentcaller": "0x7ff6c28e0076",
            "category": "system",
            "api": "NtDelayExecution",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 19612
          },
          {
            "timestamp": "2026-05-28 22:02:03,756",
            "thread_id": "1496",
            "caller": "0x7ff6c28da9db",
            "parentcaller": "0x7ff6c28d6fb1",
            "category": "misc",
            "api": "GetCursorPos",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "x",
                "value": "628"
              },
              {
                "name": "y",
                "value": "540"
              }
            ],
            "repeated": 0,
            "id": 19613
          },
          {
            "timestamp": "2026-05-28 22:02:03,756",
            "thread_id": "1496",
            "caller": "0x7ff6c28da9db",
            "parentcaller": "0x7ff6c28d6fb1",
            "category": "misc",
            "api": "GetCursorPos",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "x",
                "value": "634"
              },
              {
                "name": "y",
                "value": "548"
              }
            ],
            "repeated": 0,
            "id": 19614
          },
          {
            "timestamp": "2026-05-28 22:02:03,756",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6fb1",
            "parentcaller": "0x7ff6c28e0076",
            "category": "system",
            "api": "NtDelayExecution",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 19615
          },
          {
            "timestamp": "2026-05-28 22:02:03,787",
            "thread_id": "1496",
            "caller": "0x7ff6c28da9db",
            "parentcaller": "0x7ff6c28d6fb1",
            "category": "misc",
            "api": "GetCursorPos",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "x",
                "value": "637"
              },
              {
                "name": "y",
                "value": "550"
              }
            ],
            "repeated": 0,
            "id": 19616
          },
          {
            "timestamp": "2026-05-28 22:02:03,787",
            "thread_id": "1496",
            "caller": "0x7ff6c28da9db",
            "parentcaller": "0x7ff6c28d6fb1",
            "category": "misc",
            "api": "GetCursorPos",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "x",
                "value": "674"
              },
              {
                "name": "y",
                "value": "586"
              }
            ],
            "repeated": 0,
            "id": 19617
          },
          {
            "timestamp": "2026-05-28 22:02:03,834",
            "thread_id": "1496",
            "caller": "0x7ff6c28da9db",
            "parentcaller": "0x7ff6c28d6fb1",
            "category": "misc",
            "api": "GetCursorPos",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "x",
                "value": "724"
              },
              {
                "name": "y",
                "value": "624"
              }
            ],
            "repeated": 0,
            "id": 19618
          },
          {
            "timestamp": "2026-05-28 22:02:03,834",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6f98",
            "parentcaller": "0x7ff6c28e0076",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254ea1000"
              },
              {
                "name": "RegionSize",
                "value": "0x0001f000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 19619
          },
          {
            "timestamp": "2026-05-28 22:02:03,834",
            "thread_id": "1496",
            "caller": "0x7ff6c28da9db",
            "parentcaller": "0x7ff6c28d6fb1",
            "category": "misc",
            "api": "GetCursorPos",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "x",
                "value": "724"
              },
              {
                "name": "y",
                "value": "624"
              }
            ],
            "repeated": 0,
            "id": 19620
          },
          {
            "timestamp": "2026-05-28 22:02:03,834",
            "thread_id": "1496",
            "caller": "0x7ff6c28da9db",
            "parentcaller": "0x7ff6c28d6fb1",
            "category": "misc",
            "api": "GetCursorPos",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "x",
                "value": "729"
              },
              {
                "name": "y",
                "value": "627"
              }
            ],
            "repeated": 0,
            "id": 19621
          },
          {
            "timestamp": "2026-05-28 22:02:03,834",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6fb1",
            "parentcaller": "0x7ff6c28e0076",
            "category": "system",
            "api": "NtDelayExecution",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 19622
          },
          {
            "timestamp": "2026-05-28 22:02:03,881",
            "thread_id": "1496",
            "caller": "0x7ff6c28da9db",
            "parentcaller": "0x7ff6c28d6fb1",
            "category": "misc",
            "api": "GetCursorPos",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "x",
                "value": "781"
              },
              {
                "name": "y",
                "value": "660"
              }
            ],
            "repeated": 0,
            "id": 19623
          },
          {
            "timestamp": "2026-05-28 22:02:03,881",
            "thread_id": "1496",
            "caller": "0x7ff6c28da9db",
            "parentcaller": "0x7ff6c28d6fb1",
            "category": "misc",
            "api": "GetCursorPos",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "x",
                "value": "786"
              },
              {
                "name": "y",
                "value": "664"
              }
            ],
            "repeated": 0,
            "id": 19624
          },
          {
            "timestamp": "2026-05-28 22:02:03,881",
            "thread_id": "1496",
            "caller": "0x7ff6c28da9db",
            "parentcaller": "0x7ff6c28d6fb1",
            "category": "misc",
            "api": "GetCursorPos",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "x",
                "value": "798"
              },
              {
                "name": "y",
                "value": "673"
              }
            ],
            "repeated": 0,
            "id": 19625
          },
          {
            "timestamp": "2026-05-28 22:02:03,881",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6fb1",
            "parentcaller": "0x7ff6c28e0076",
            "category": "system",
            "api": "NtDelayExecution",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 19626
          },
          {
            "timestamp": "2026-05-28 22:02:03,881",
            "thread_id": "1496",
            "caller": "0x7ff6c28da9db",
            "parentcaller": "0x7ff6c28d6fb1",
            "category": "misc",
            "api": "GetCursorPos",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "x",
                "value": "804"
              },
              {
                "name": "y",
                "value": "677"
              }
            ],
            "repeated": 0,
            "id": 19627
          },
          {
            "timestamp": "2026-05-28 22:02:03,881",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6fb1",
            "parentcaller": "0x7ff6c28e0076",
            "category": "system",
            "api": "NtDelayExecution",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 19628
          },
          {
            "timestamp": "2026-05-28 22:02:03,928",
            "thread_id": "1496",
            "caller": "0x7ff6c28da9db",
            "parentcaller": "0x7ff6c28d6fb1",
            "category": "misc",
            "api": "GetCursorPos",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "x",
                "value": "875"
              },
              {
                "name": "y",
                "value": "729"
              }
            ],
            "repeated": 1,
            "id": 19629
          },
          {
            "timestamp": "2026-05-28 22:02:03,928",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6fb1",
            "parentcaller": "0x7ff6c28e0076",
            "category": "system",
            "api": "NtDelayExecution",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 19630
          },
          {
            "timestamp": "2026-05-28 22:02:03,928",
            "thread_id": "1496",
            "caller": "0x7ff6c28da9db",
            "parentcaller": "0x7ff6c28d6fb1",
            "category": "misc",
            "api": "GetCursorPos",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "x",
                "value": "884"
              },
              {
                "name": "y",
                "value": "735"
              }
            ],
            "repeated": 0,
            "id": 19631
          },
          {
            "timestamp": "2026-05-28 22:02:03,928",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6fb1",
            "parentcaller": "0x7ff6c28e0076",
            "category": "system",
            "api": "NtDelayExecution",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 19632
          },
          {
            "timestamp": "2026-05-28 22:02:03,975",
            "thread_id": "1496",
            "caller": "0x7ff6c28da9db",
            "parentcaller": "0x7ff6c28d6fb1",
            "category": "misc",
            "api": "GetCursorPos",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "x",
                "value": "912"
              },
              {
                "name": "y",
                "value": "751"
              }
            ],
            "repeated": 0,
            "id": 19633
          },
          {
            "timestamp": "2026-05-28 22:02:03,975",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6fb1",
            "parentcaller": "0x7ff6c28e0076",
            "category": "system",
            "api": "NtDelayExecution",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 19634
          },
          {
            "timestamp": "2026-05-28 22:02:03,990",
            "thread_id": "1496",
            "caller": "0x7ff6c28da9db",
            "parentcaller": "0x7ff6c28d6fb1",
            "category": "misc",
            "api": "GetCursorPos",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "x",
                "value": "914"
              },
              {
                "name": "y",
                "value": "752"
              }
            ],
            "repeated": 0,
            "id": 19635
          },
          {
            "timestamp": "2026-05-28 22:02:03,990",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6fb1",
            "parentcaller": "0x7ff6c28e0076",
            "category": "system",
            "api": "NtDelayExecution",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 19636
          },
          {
            "timestamp": "2026-05-28 22:02:03,990",
            "thread_id": "1496",
            "caller": "0x7ff6c28da9db",
            "parentcaller": "0x7ff6c28d6fb1",
            "category": "misc",
            "api": "GetCursorPos",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "x",
                "value": "916"
              },
              {
                "name": "y",
                "value": "753"
              }
            ],
            "repeated": 0,
            "id": 19637
          },
          {
            "timestamp": "2026-05-28 22:02:03,990",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6fb1",
            "parentcaller": "0x7ff6c28e0076",
            "category": "system",
            "api": "NtDelayExecution",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 19638
          },
          {
            "timestamp": "2026-05-28 22:02:04,006",
            "thread_id": "1496",
            "caller": "0x7ff6c28da9db",
            "parentcaller": "0x7ff6c28d6fb1",
            "category": "misc",
            "api": "GetCursorPos",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "x",
                "value": "918"
              },
              {
                "name": "y",
                "value": "754"
              }
            ],
            "repeated": 0,
            "id": 19639
          },
          {
            "timestamp": "2026-05-28 22:02:04,006",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6fb1",
            "parentcaller": "0x7ff6c28e0076",
            "category": "system",
            "api": "NtDelayExecution",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 19640
          },
          {
            "timestamp": "2026-05-28 22:02:04,006",
            "thread_id": "1496",
            "caller": "0x7ff6c28da9db",
            "parentcaller": "0x7ff6c28d6fb1",
            "category": "misc",
            "api": "GetCursorPos",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "x",
                "value": "924"
              },
              {
                "name": "y",
                "value": "758"
              }
            ],
            "repeated": 0,
            "id": 19641
          },
          {
            "timestamp": "2026-05-28 22:02:04,006",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6fb1",
            "parentcaller": "0x7ff6c28e0076",
            "category": "system",
            "api": "NtDelayExecution",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 19642
          },
          {
            "timestamp": "2026-05-28 22:02:04,053",
            "thread_id": "1496",
            "caller": "0x7ff6c28da9db",
            "parentcaller": "0x7ff6c28d6fb1",
            "category": "misc",
            "api": "GetCursorPos",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "x",
                "value": "933"
              },
              {
                "name": "y",
                "value": "765"
              }
            ],
            "repeated": 0,
            "id": 19643
          },
          {
            "timestamp": "2026-05-28 22:02:04,053",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6fb1",
            "parentcaller": "0x7ff6c28e0076",
            "category": "system",
            "api": "NtDelayExecution",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 19644
          },
          {
            "timestamp": "2026-05-28 22:02:04,068",
            "thread_id": "1496",
            "caller": "0x7ff6c28da9db",
            "parentcaller": "0x7ff6c28d6fb1",
            "category": "misc",
            "api": "GetCursorPos",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "x",
                "value": "934"
              },
              {
                "name": "y",
                "value": "765"
              }
            ],
            "repeated": 0,
            "id": 19645
          },
          {
            "timestamp": "2026-05-28 22:02:04,068",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6fb1",
            "parentcaller": "0x7ff6c28e0076",
            "category": "system",
            "api": "NtDelayExecution",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 19646
          },
          {
            "timestamp": "2026-05-28 22:02:04,068",
            "thread_id": "1496",
            "caller": "0x7ff6c28da9db",
            "parentcaller": "0x7ff6c28d6fb1",
            "category": "misc",
            "api": "GetCursorPos",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "x",
                "value": "934"
              },
              {
                "name": "y",
                "value": "766"
              }
            ],
            "repeated": 0,
            "id": 19647
          },
          {
            "timestamp": "2026-05-28 22:02:04,068",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6fb1",
            "parentcaller": "0x7ff6c28e0076",
            "category": "system",
            "api": "NtDelayExecution",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 19648
          },
          {
            "timestamp": "2026-05-28 22:02:04,115",
            "thread_id": "1496",
            "caller": "0x7ff6c28da9db",
            "parentcaller": "0x7ff6c28d6fb1",
            "category": "misc",
            "api": "GetCursorPos",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "x",
                "value": "935"
              },
              {
                "name": "y",
                "value": "766"
              }
            ],
            "repeated": 0,
            "id": 19649
          },
          {
            "timestamp": "2026-05-28 22:02:04,115",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6fb1",
            "parentcaller": "0x7ff6c28e0076",
            "category": "system",
            "api": "NtDelayExecution",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 19650
          },
          {
            "timestamp": "2026-05-28 22:02:04,131",
            "thread_id": "1496",
            "caller": "0x7ff6c28da9db",
            "parentcaller": "0x7ff6c28d6fb1",
            "category": "misc",
            "api": "GetCursorPos",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "x",
                "value": "936"
              },
              {
                "name": "y",
                "value": "766"
              }
            ],
            "repeated": 0,
            "id": 19651
          },
          {
            "timestamp": "2026-05-28 22:02:04,131",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6fb1",
            "parentcaller": "0x7ff6c28e0076",
            "category": "system",
            "api": "NtDelayExecution",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 19652
          },
          {
            "timestamp": "2026-05-28 22:02:04,271",
            "thread_id": "1496",
            "caller": "0x7ff6c28da9db",
            "parentcaller": "0x7ff6c28d6fb1",
            "category": "misc",
            "api": "GetCursorPos",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "x",
                "value": "937"
              },
              {
                "name": "y",
                "value": "766"
              }
            ],
            "repeated": 0,
            "id": 19653
          },
          {
            "timestamp": "2026-05-28 22:02:04,271",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6fb1",
            "parentcaller": "0x7ff6c28e0076",
            "category": "system",
            "api": "NtDelayExecution",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 19654
          },
          {
            "timestamp": "2026-05-28 22:02:04,318",
            "thread_id": "1496",
            "caller": "0x7ff6c28da9db",
            "parentcaller": "0x7ff6c28d6fb1",
            "category": "misc",
            "api": "GetCursorPos",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "x",
                "value": "947"
              },
              {
                "name": "y",
                "value": "768"
              }
            ],
            "repeated": 1,
            "id": 19655
          },
          {
            "timestamp": "2026-05-28 22:02:04,318",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6fb1",
            "parentcaller": "0x7ff6c28e0076",
            "category": "system",
            "api": "NtDelayExecution",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 19656
          },
          {
            "timestamp": "2026-05-28 22:02:04,318",
            "thread_id": "1496",
            "caller": "0x7ff6c28da9db",
            "parentcaller": "0x7ff6c28d6fb1",
            "category": "misc",
            "api": "GetCursorPos",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "x",
                "value": "948"
              },
              {
                "name": "y",
                "value": "768"
              }
            ],
            "repeated": 0,
            "id": 19657
          },
          {
            "timestamp": "2026-05-28 22:02:04,318",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6fb1",
            "parentcaller": "0x7ff6c28e0076",
            "category": "system",
            "api": "NtDelayExecution",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 19658
          },
          {
            "timestamp": "2026-05-28 22:02:04,318",
            "thread_id": "1496",
            "caller": "0x7ff6c28da9db",
            "parentcaller": "0x7ff6c28d6fb1",
            "category": "misc",
            "api": "GetCursorPos",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "x",
                "value": "949"
              },
              {
                "name": "y",
                "value": "768"
              }
            ],
            "repeated": 0,
            "id": 19659
          },
          {
            "timestamp": "2026-05-28 22:02:04,318",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6fb1",
            "parentcaller": "0x7ff6c28e0076",
            "category": "system",
            "api": "NtDelayExecution",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 19660
          },
          {
            "timestamp": "2026-05-28 22:02:04,318",
            "thread_id": "1496",
            "caller": "0x7ff6c28da9db",
            "parentcaller": "0x7ff6c28d6fb1",
            "category": "misc",
            "api": "GetCursorPos",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "x",
                "value": "951"
              },
              {
                "name": "y",
                "value": "769"
              }
            ],
            "repeated": 0,
            "id": 19661
          },
          {
            "timestamp": "2026-05-28 22:02:04,318",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6fb1",
            "parentcaller": "0x7ff6c28e0076",
            "category": "system",
            "api": "NtDelayExecution",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 19662
          },
          {
            "timestamp": "2026-05-28 22:02:04,365",
            "thread_id": "5448",
            "caller": "0x7ff6c28bd9af",
            "parentcaller": "0x7ff6c28d9f92",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "23"
              },
              {
                "name": "ThreadInformation",
                "value": "\\xfcX\\x0eX\\x00\\x00\\x00\\x00\\xb2:\\x9a\\xfcD\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "5448"
              }
            ],
            "repeated": 0,
            "id": 19663
          },
          {
            "timestamp": "2026-05-28 22:02:04,365",
            "thread_id": "5448",
            "caller": "0x7ff6c28c63dd",
            "parentcaller": "0x7ff6c28bac26",
            "category": "misc",
            "api": "NtQuerySystemInformation",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SystemInformationClass",
                "value": "5",
                "pretty_value": "FILE_OVERWRITE_IF"
              }
            ],
            "repeated": 0,
            "id": 19664
          },
          {
            "timestamp": "2026-05-28 22:02:04,365",
            "thread_id": "5448",
            "caller": "0x7ff6c28bda50",
            "parentcaller": "0x7ff6c28d9f92",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "23"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x1a\t\\xc9X\\x00\\x00\\x00\\x00\\x16Bz\\xfdD\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "5448"
              }
            ],
            "repeated": 0,
            "id": 19665
          },
          {
            "timestamp": "2026-05-28 22:02:04,365",
            "thread_id": "5448",
            "caller": "0x7ff6c28bdaa2",
            "parentcaller": "0x7ff6c28d9f92",
            "category": "misc",
            "api": "NtQuerySystemInformation",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SystemInformationClass",
                "value": "3",
                "pretty_value": "FILE_OPEN_IF"
              }
            ],
            "repeated": 0,
            "id": 19666
          },
          {
            "timestamp": "2026-05-28 22:02:04,365",
            "thread_id": "5448",
            "caller": "0x7ff6c28c4a58",
            "parentcaller": "0x7ff6c28c4bdc",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000410"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\PcwDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00224013"
              },
              {
                "name": "InputBuffer",
                "value": "\\x14\\x04\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": "\\xb8\\x01\\x00\\x00\\x10\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xa8\\x01\\x00\\x00 \\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x000\\x00\\x00\\x0c\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00`\\x00\\x00\\x00\\x00\\x00\\x00\\x00 \\x00\\x00\\x00\\x04\\x00\\x00\\x000\\x00,\\x000\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x04\\x00\\x08\\x00\\xd2Ik\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x05\\x00\\x08\\x00\\x08\\xdc`\\x01\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x1a\\x00\\x08\\x00\\xdd\\x82\\x97\\x86\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x1b\\x00\\x04\\x00\\xc7t\\xca\\x02\\x00\\x00\\x00\\x00`\\x00\\x00\\x00\\x01\\x00\\x00\\x00 \\x00\\x00\\x00\\x04\\x00\\x00\\x000\\x00,\\x001\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x04\\x00\\x08\\x00v\\xddA\\x01\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x05\\x00\\x08\\x00\\x1cN\\x0e\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x1a\\x00\\x08\\x005\\xf0\\x00\\x86\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x1b\\x00\\x04\\x00\\xdat\\xca\\x02\\x00\\x00\\x00\\x00h\\x00\\x00\\x00\\x02\\x00\\x00\\x00(\\x00\\x00\\x00\\x04\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 19667
          },
          {
            "timestamp": "2026-05-28 22:02:04,365",
            "thread_id": "5448",
            "caller": "0x7ff6c28c4a58",
            "parentcaller": "0x7ff6c28c4c19",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000410"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\PcwDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00224013"
              },
              {
                "name": "InputBuffer",
                "value": "\\x18\\x04\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": "x\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00h\\x00\\x00\\x00 \\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00H\\x00\\x00\\x00\\x00\\x00\\x00\\x00(\\x00\\x00\\x00\\x02\\x00\\x00\\x00d\\x00e\\x00f\\x00a\\x00u\\x00l\\x00t\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x08\\x00\\x1b^\\xf9\\x9e\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x01\\x00\\x08\\x00\\x00 \\x88\n\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 19668
          },
          {
            "timestamp": "2026-05-28 22:02:04,365",
            "thread_id": "5448",
            "caller": "0x7ff6c28c6f7b",
            "parentcaller": "0x7ff6c28bdb94",
            "category": "misc",
            "api": "GlobalMemoryStatusEx",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "MemoryLoad",
                "value": "35"
              },
              {
                "name": "TotalPhysicalMB",
                "value": "8191"
              }
            ],
            "repeated": 0,
            "id": 19669
          },
          {
            "timestamp": "2026-05-28 22:02:04,365",
            "thread_id": "5448",
            "caller": "0x7ff6c28c05ac",
            "parentcaller": "0x7ff6c28bdc11",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000aa8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001400",
                "pretty_value": "PROCESS_QUERY_INFORMATION|PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "748"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe"
              }
            ],
            "repeated": 0,
            "id": 19670
          },
          {
            "timestamp": "2026-05-28 22:02:04,365",
            "thread_id": "5448",
            "caller": "0x7ff6c28c068f",
            "parentcaller": "0x7ff6c28bdc11",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000aa8"
              }
            ],
            "repeated": 0,
            "id": 19671
          },
          {
            "timestamp": "2026-05-28 22:02:04,365",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c6d7d",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000aa8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001400",
                "pretty_value": "PROCESS_QUERY_INFORMATION|PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "748"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe"
              }
            ],
            "repeated": 0,
            "id": 19672
          },
          {
            "timestamp": "2026-05-28 22:02:04,365",
            "thread_id": "5448",
            "caller": "0x7ff6c28c6de3",
            "parentcaller": "0x7ff6c28c087c",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000aa8"
              }
            ],
            "repeated": 0,
            "id": 19673
          },
          {
            "timestamp": "2026-05-28 22:02:04,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28c4a58",
            "parentcaller": "0x7ff6c28bab11",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000410"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\PcwDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00224013"
              },
              {
                "name": "InputBuffer",
                "value": "\\x88\\x08\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": "x\\x02\\x00\\x00\\x10\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00h\\x02\\x00\\x00 \\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01<\\x06\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x90\\x00\\x00\\x00\\x00\\x00\\x00\\x00 \\x00\\x00\\x00\\x07\\x00\\x00\\x000\\x00,\\x000\\x00\\x00\\x00a\\x00n\\x00a\\x00g\\x00\\x10\\x00\\x00\\x00\\x10\\x00\\x04\\x00\\x00\\x00\\x00\\x00A\\x00p\\x00\\x10\\x00\\x00\\x00\\x1a\\x00\\x08\\x00\\x81K\\x99\\x86\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x1b\\x00\\x04\\x00Xy\\xca\\x02S\\x00e\\x00\\x10\\x00\\x00\\x00\\x1c\\x00\\x08\\x00\\x8b\\xc2\\xc4\\x08\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x1d\\x00\\x04\\x00Xy\\xca\\x02)\\x00\\x00\\x00\\x10\\x00\\x00\\x00!\\x00\\x08\\x00:\\xe4Oa\\x13\\x00\\x00\\x00\\x10\\x00\\x00\\x00\"\\x00\\x04\\x00\\xad\\x92X\\x01o\\x00f\\x00\\x90\\x00\\x00\\x00\\x01\\x00\\x00\\x00 \\x00\\x00\\x00\\x07\\x00\\x00\\x000\\x00,\\x001\\x00\\x00\\x00n\\x00t\\x00\\x00\\x00A\\x00\\x10\\x00\\x00\\x00\\x10\\x00\\x04\\x00\\x00\\x00\\x00\\x00e\\x00n\\x00\\x10\\x00\\x00\\x00\\x1a\\x00\\x08\\x00\\xdf\\xb5\\x02\\x86\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 19674
          },
          {
            "timestamp": "2026-05-28 22:02:04,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28c7164",
            "parentcaller": "0x7ff6c28c4d2d",
            "category": "misc",
            "api": "NtQuerySystemInformation",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "SystemInformationClass",
                "value": "79"
              }
            ],
            "repeated": 0,
            "id": 19675
          },
          {
            "timestamp": "2026-05-28 22:02:04,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28c71d8",
            "parentcaller": "0x7ff6c28c4d2d",
            "category": "misc",
            "api": "NtQuerySystemInformation",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SystemInformationClass",
                "value": "79"
              }
            ],
            "repeated": 0,
            "id": 19676
          },
          {
            "timestamp": "2026-05-28 22:02:04,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28c4d5f",
            "parentcaller": "0x7ff6c28d9152",
            "category": "misc",
            "api": "NtQuerySystemInformation",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SystemInformationClass",
                "value": "182"
              }
            ],
            "repeated": 0,
            "id": 19677
          },
          {
            "timestamp": "2026-05-28 22:02:04,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28c4d76",
            "parentcaller": "0x7ff6c28d9152",
            "category": "misc",
            "api": "GetPhysicallyInstalledSystemMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TotalMemoryInKilobytes",
                "value": "8388608"
              }
            ],
            "repeated": 0,
            "id": 19678
          },
          {
            "timestamp": "2026-05-28 22:02:04,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28bcc3e",
            "parentcaller": "0x7ff6c28baa3d",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000008a4"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\Nsi"
              },
              {
                "name": "IoControlCode",
                "value": "0x00120007"
              },
              {
                "name": "InputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb1\\xa9t\\xfc\\x7f\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xc0\\xe5O\\x9e\\xf0\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb1\\xa9t\\xfc\\x7f\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xc0\\xe5O\\x9e\\xf0\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 19679
          },
          {
            "timestamp": "2026-05-28 22:02:04,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28bcc3e",
            "parentcaller": "0x7ff6c28baa3d",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000aa8"
              }
            ],
            "repeated": 0,
            "id": 19680
          },
          {
            "timestamp": "2026-05-28 22:02:04,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28bcc3e",
            "parentcaller": "0x7ff6c28baa3d",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000008a4"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\Nsi"
              },
              {
                "name": "IoControlCode",
                "value": "0x0012000f"
              },
              {
                "name": "InputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb1\\xa9t\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xd0\\xe5O\\x9e\\xf0\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\xeeO\\x9e\\xf0\\x00\\x00\\x00D\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xe6O\\x9e\\xf0\\x00\\x00\\x00\\xd8\\x00\\x00\\x00\\x00\\x00\\x00\\x00 \\xe9O\\x9e\\xf0\\x00\\x00\\x00X\\x02\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb1\\xa9t\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xd0\\xe5O\\x9e\\xf0\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\xeeO\\x9e\\xf0\\x00\\x00\\x00D\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xe6O\\x9e\\xf0\\x00\\x00\\x00\\xd8\\x00\\x00\\x00\\x00\\x00\\x00\\x00 \\xe9O\\x9e\\xf0\\x00\\x00\\x00X\\x02\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 19681
          },
          {
            "timestamp": "2026-05-28 22:02:04,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28bcc3e",
            "parentcaller": "0x7ff6c28baa3d",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000aa8"
              }
            ],
            "repeated": 0,
            "id": 19682
          },
          {
            "timestamp": "2026-05-28 22:02:04,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28bcd3d",
            "parentcaller": "0x7ff6c28baa3d",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000aa8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0012019f",
                "pretty_value": "FILE_GENERIC_READ|FILE_GENERIC_WRITE"
              },
              {
                "name": "FileName",
                "value": "\\Device\\{4C572733-2FBA-4346-9601-F86DBA666EF2}"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 19683
          },
          {
            "timestamp": "2026-05-28 22:02:04,381",
            "thread_id": "1496",
            "caller": "0x7ff6c28da9db",
            "parentcaller": "0x7ff6c28d6fb1",
            "category": "misc",
            "api": "GetCursorPos",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "x",
                "value": "968"
              },
              {
                "name": "y",
                "value": "772"
              }
            ],
            "repeated": 0,
            "id": 19684
          },
          {
            "timestamp": "2026-05-28 22:02:04,381",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6fb1",
            "parentcaller": "0x7ff6c28e0076",
            "category": "system",
            "api": "NtDelayExecution",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 19685
          },
          {
            "timestamp": "2026-05-28 22:02:04,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28bcd94",
            "parentcaller": "0x7ff6c28baa3d",
            "category": "device",
            "api": "DeviceIoControl",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "DeviceHandle",
                "value": "0x00000aa8"
              },
              {
                "name": "IoControlCode",
                "value": "0x0017003e"
              },
              {
                "name": "InBuffer",
                "value": "\\x07\\x01\\x01\\x00\\x04\\x01\\x01\\x80\\x14\\x01\\x01\\x80\\x01\\x01\\x02\\x00\\x02\\x01\\x02\\x00\\x03\\x01\\x02\\x00\\x04\\x01\\x02\\x00\\x08\\x02\\x02\\x80\\x01\\x02\\x02\\x80\\x07\\x02\\x02\\x80\\xff\\xff\\xff\\x80\\x13\\x02\\x02\\x80\\x14\\x02\\x02\\x80\\x15\\x02\\x02\\x80\\x02\\x02\\x01\\x80"
              },
              {
                "name": "OutBuffer",
                "value": "\\x07\\x01\\x01\\x00\\x04\\x00\\x00\\x00\\x80\\x96\\x98\\x00\\x04\\x01\\x01\\x80\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x14\\x01\\x01\\x80\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x01\\x02\\x00\\x08\\x00\\x00\\x00\\xfb\r\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x01\\x02\\x00\\x08\\x00\\x00\\x003C\\x00\\x00\\x00\\x00\\x00\\x00\\x03\\x01\\x02\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x04\\x01\\x02\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x08\\x02\\x02\\x80\\x08\\x00\\x00\\x00.C\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x02\\x02\\x80\\x08\\x00\\x00\\x00[\\xf5>\\x00\\x00\\x00\\x00\\x00\\x07\\x02\\x02\\x80\\x08\\x00\\x00\\x00k\\xc3E\\x01\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\x80\\x04\\x00\\x00\\x00F\\x00\\x00\\x00\\x13\\x02\\x02\\x80\\x04\\x00\\x00\\x00m\\x00\\x00\\x00\\x14\\x02\\x02\\x80\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x15\\x02\\x02\\x80\\x04\\x00\\x00\\x00\\x00\\x00\\x04\\x00\\x02\\x02\\x01\\x80\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 19686
          },
          {
            "timestamp": "2026-05-28 22:02:04,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28bcdab",
            "parentcaller": "0x7ff6c28baa3d",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000aa8"
              }
            ],
            "repeated": 0,
            "id": 19687
          },
          {
            "timestamp": "2026-05-28 22:02:04,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28c1a63",
            "parentcaller": "0x7ff6c28d9152",
            "category": "device",
            "api": "DeviceIoControl",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "DeviceHandle",
                "value": "0x0000089c"
              },
              {
                "name": "IoControlCode",
                "value": "0x00070020"
              },
              {
                "name": "InBuffer",
                "value": ""
              },
              {
                "name": "OutBuffer",
                "value": "\\x00\\x94\\x13t\\x00\\x00\\x00\\x00\\x00\\x1a\\xaa\\x08\\x00\\x00\\x00\\x00([\\xc4\\x1e\\x00\\x00\\x00\\x00\\xd7xG\\x11\\x00\\x00\\x00\\x00\\x10F\\xd9\\x1b\\x00\\x00\\x00\\x00Wj\\x00\\x00\\xb2\r\\x00\\x00\\x00\\x00\\x00\\x004\\x04\\x00\\x00\\xa3\\xb5=\\x9e\\xed\\xee\\xdc\\x01\\x00\\x00\\x00\\x00P\\x00a\\x00r\\x00t\\x00m\\x00g\\x00r\\x00 \\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 19688
          },
          {
            "timestamp": "2026-05-28 22:02:04,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28ca352",
            "parentcaller": "0x7ff6c28ca1d6",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 19689
          },
          {
            "timestamp": "2026-05-28 22:02:04,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28ca352",
            "parentcaller": "0x7ff6c28ca1d6",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "0",
                "pretty_value": "ThreadBasicInformation"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x03\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb0\\x88\\x9d\\xf0\\x00\\x00\\x00\\xe8\\x1e\\x00\\x00\\x00\\x00\\x00\\x00\\x9c!\\x00\\x00\\x00\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x0b\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "8604"
              }
            ],
            "repeated": 0,
            "id": 19690
          },
          {
            "timestamp": "2026-05-28 22:02:04,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28ca352",
            "parentcaller": "0x7ff6c28ca1d6",
            "category": "system",
            "api": "GetSystemTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 1,
            "id": 19691
          },
          {
            "timestamp": "2026-05-28 22:02:04,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28ca352",
            "parentcaller": "0x7ff6c28ca1d6",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000410"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\PcwDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00224013"
              },
              {
                "name": "InputBuffer",
                "value": "\\x00\t\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": "\\xe0G\\x00\\x00\\x10\\x00\\x00\\x00\\x0c\\x00\\x00\\x00\\x00\\x00\\x00\\x00`\\x14\\x00\\x00 \\x00\\x00\\x00!\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\n\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x98\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x88\\x00\\x00\\x00\\x01\\x00\\x00\\x00p\\x00i\\x00d\\x00_\\x004\\x00_\\x00l\\x00u\\x00i\\x00d\\x00_\\x000\\x00x\\x000\\x000\\x000\\x000\\x000\\x000\\x000\\x000\\x00_\\x000\\x00x\\x000\\x000\\x000\\x000\\x006\\x001\\x006\\x00A\\x00_\\x00p\\x00h\\x00y\\x00s\\x00_\\x000\\x00_\\x00e\\x00n\\x00g\\x00_\\x000\\x00_\\x00e\\x00n\\x00g\\x00t\\x00y\\x00p\\x00e\\x00_\\x003\\x00D\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x01\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x98\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x88\\x00\\x00\\x00\\x01\\x00\\x00\\x00p\\x00i\\x00d\\x00_\\x004\\x00_\\x00l\\x00u\\x00i\\x00d\\x00_\\x000\\x00x\\x000\\x000\\x000\\x000\\x000\\x000\\x000\\x00"
              }
            ],
            "repeated": 0,
            "id": 19692
          },
          {
            "timestamp": "2026-05-28 22:02:04,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28ca817",
            "parentcaller": "0x7ff6c28ca1d6",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x292542f3000"
              },
              {
                "name": "RegionSize",
                "value": "0x00003000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 19693
          },
          {
            "timestamp": "2026-05-28 22:02:04,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28f9829",
            "parentcaller": "0x7ff6c28d8f00",
            "category": "windows",
            "api": "PostMessageW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "WindowHandle",
                "value": "0x000203fa"
              },
              {
                "name": "Message",
                "value": "0x000004e1"
              }
            ],
            "repeated": 0,
            "id": 19694
          },
          {
            "timestamp": "2026-05-28 22:02:04,381",
            "thread_id": "1496",
            "caller": "0x7ff6c2958576",
            "parentcaller": "0x7ff6c2957a42",
            "category": "misc",
            "api": "NtQuerySystemInformation",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SystemInformationClass",
                "value": "3",
                "pretty_value": "FILE_OPEN_IF"
              }
            ],
            "repeated": 0,
            "id": 19695
          },
          {
            "timestamp": "2026-05-28 22:02:04,381",
            "thread_id": "1496",
            "caller": "0x7ff6c28da9db",
            "parentcaller": "0x7ff6c28d6fb1",
            "category": "misc",
            "api": "GetCursorPos",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "x",
                "value": "970"
              },
              {
                "name": "y",
                "value": "772"
              }
            ],
            "repeated": 0,
            "id": 19696
          },
          {
            "timestamp": "2026-05-28 22:02:04,381",
            "thread_id": "1276",
            "caller": "0x7ff6c28d9214",
            "parentcaller": "0x00000000",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "0",
                "pretty_value": "ThreadBasicInformation"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x03\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xd0\\x87\\x9d\\xf0\\x00\\x00\\x00\\xe8\\x1e\\x00\\x00\\x00\\x00\\x00\\x00\\xfc\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\n\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "1276"
              }
            ],
            "repeated": 0,
            "id": 19697
          },
          {
            "timestamp": "2026-05-28 22:02:04,381",
            "thread_id": "1496",
            "caller": "0x7ff6c28da9db",
            "parentcaller": "0x7ff6c28d6fb1",
            "category": "misc",
            "api": "GetCursorPos",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "x",
                "value": "971"
              },
              {
                "name": "y",
                "value": "772"
              }
            ],
            "repeated": 0,
            "id": 19698
          },
          {
            "timestamp": "2026-05-28 22:02:04,381",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000000",
                "pretty_value": "HKEY_CLASSES_ROOT"
              },
              {
                "name": "SubKey",
                "value": "CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_CLASSES_ROOT\\CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              }
            ],
            "repeated": 0,
            "id": 19699
          },
          {
            "timestamp": "2026-05-28 22:02:04,381",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "shell32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76730000"
              }
            ],
            "repeated": 0,
            "id": 19700
          },
          {
            "timestamp": "2026-05-28 22:02:04,381",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x7ffc76730000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "shell32.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 19701
          },
          {
            "timestamp": "2026-05-28 22:02:04,381",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "SHELL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc76730000"
              },
              {
                "name": "FunctionName",
                "value": "DllGetClassObject"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc767878f0"
              }
            ],
            "repeated": 0,
            "id": 19702
          },
          {
            "timestamp": "2026-05-28 22:02:04,381",
            "thread_id": "1276",
            "caller": "0x7ff6c28c27c9",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "synchronization",
            "api": "NtFindAtom",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "AtomName",
                "value": "{57086C23-86C6-478F-AFB2-236188C8F47F} 3"
              },
              {
                "name": "Atom",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 19703
          },
          {
            "timestamp": "2026-05-28 22:02:04,381",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000000",
                "pretty_value": "HKEY_CLASSES_ROOT"
              },
              {
                "name": "SubKey",
                "value": "CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_CLASSES_ROOT\\CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              }
            ],
            "repeated": 0,
            "id": 19704
          },
          {
            "timestamp": "2026-05-28 22:02:04,381",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "shell32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76730000"
              }
            ],
            "repeated": 0,
            "id": 19705
          },
          {
            "timestamp": "2026-05-28 22:02:04,381",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x7ffc76730000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "shell32.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 19706
          },
          {
            "timestamp": "2026-05-28 22:02:04,381",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "SHELL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc76730000"
              },
              {
                "name": "FunctionName",
                "value": "DllGetClassObject"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc767878f0"
              }
            ],
            "repeated": 0,
            "id": 19707
          },
          {
            "timestamp": "2026-05-28 22:02:04,381",
            "thread_id": "1276",
            "caller": "0x7ff6c28c27c9",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "synchronization",
            "api": "NtFindAtom",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "AtomName",
                "value": "{57086C23-86C6-478F-AFB2-236188C8F47F} 3"
              },
              {
                "name": "Atom",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 19708
          },
          {
            "timestamp": "2026-05-28 22:02:04,381",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000000",
                "pretty_value": "HKEY_CLASSES_ROOT"
              },
              {
                "name": "SubKey",
                "value": "CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_CLASSES_ROOT\\CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              }
            ],
            "repeated": 0,
            "id": 19709
          },
          {
            "timestamp": "2026-05-28 22:02:04,381",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "shell32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76730000"
              }
            ],
            "repeated": 0,
            "id": 19710
          },
          {
            "timestamp": "2026-05-28 22:02:04,381",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x7ffc76730000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "shell32.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 19711
          },
          {
            "timestamp": "2026-05-28 22:02:04,381",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "SHELL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc76730000"
              },
              {
                "name": "FunctionName",
                "value": "DllGetClassObject"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc767878f0"
              }
            ],
            "repeated": 0,
            "id": 19712
          },
          {
            "timestamp": "2026-05-28 22:02:04,381",
            "thread_id": "1276",
            "caller": "0x7ff6c28c27c9",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "synchronization",
            "api": "NtFindAtom",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "AtomName",
                "value": "{57086C23-86C6-478F-AFB2-236188C8F47F} 3"
              },
              {
                "name": "Atom",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 19713
          },
          {
            "timestamp": "2026-05-28 22:02:04,381",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000000",
                "pretty_value": "HKEY_CLASSES_ROOT"
              },
              {
                "name": "SubKey",
                "value": "CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_CLASSES_ROOT\\CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              }
            ],
            "repeated": 0,
            "id": 19714
          },
          {
            "timestamp": "2026-05-28 22:02:04,381",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "shell32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76730000"
              }
            ],
            "repeated": 0,
            "id": 19715
          },
          {
            "timestamp": "2026-05-28 22:02:04,381",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x7ffc76730000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "shell32.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 19716
          },
          {
            "timestamp": "2026-05-28 22:02:04,381",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "SHELL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc76730000"
              },
              {
                "name": "FunctionName",
                "value": "DllGetClassObject"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc767878f0"
              }
            ],
            "repeated": 0,
            "id": 19717
          },
          {
            "timestamp": "2026-05-28 22:02:04,381",
            "thread_id": "1276",
            "caller": "0x7ff6c28c27c9",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "synchronization",
            "api": "NtFindAtom",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "AtomName",
                "value": "{57086C23-86C6-478F-AFB2-236188C8F47F} 3"
              },
              {
                "name": "Atom",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 19718
          },
          {
            "timestamp": "2026-05-28 22:02:04,381",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000000",
                "pretty_value": "HKEY_CLASSES_ROOT"
              },
              {
                "name": "SubKey",
                "value": "CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_CLASSES_ROOT\\CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              }
            ],
            "repeated": 0,
            "id": 19719
          },
          {
            "timestamp": "2026-05-28 22:02:04,381",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "shell32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76730000"
              }
            ],
            "repeated": 0,
            "id": 19720
          },
          {
            "timestamp": "2026-05-28 22:02:04,381",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x7ffc76730000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "shell32.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 19721
          },
          {
            "timestamp": "2026-05-28 22:02:04,381",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "SHELL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc76730000"
              },
              {
                "name": "FunctionName",
                "value": "DllGetClassObject"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc767878f0"
              }
            ],
            "repeated": 0,
            "id": 19722
          },
          {
            "timestamp": "2026-05-28 22:02:04,381",
            "thread_id": "1276",
            "caller": "0x7ff6c28c27c9",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "synchronization",
            "api": "NtFindAtom",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "AtomName",
                "value": "{57086C23-86C6-478F-AFB2-236188C8F47F} 3"
              },
              {
                "name": "Atom",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 19723
          },
          {
            "timestamp": "2026-05-28 22:02:04,381",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000000",
                "pretty_value": "HKEY_CLASSES_ROOT"
              },
              {
                "name": "SubKey",
                "value": "CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_CLASSES_ROOT\\CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              }
            ],
            "repeated": 0,
            "id": 19724
          },
          {
            "timestamp": "2026-05-28 22:02:04,381",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "shell32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76730000"
              }
            ],
            "repeated": 0,
            "id": 19725
          },
          {
            "timestamp": "2026-05-28 22:02:04,381",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x7ffc76730000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "shell32.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 19726
          },
          {
            "timestamp": "2026-05-28 22:02:04,381",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "SHELL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc76730000"
              },
              {
                "name": "FunctionName",
                "value": "DllGetClassObject"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc767878f0"
              }
            ],
            "repeated": 0,
            "id": 19727
          },
          {
            "timestamp": "2026-05-28 22:02:04,381",
            "thread_id": "1276",
            "caller": "0x7ff6c28c27c9",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "synchronization",
            "api": "NtFindAtom",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "AtomName",
                "value": "{57086C23-86C6-478F-AFB2-236188C8F47F} 3"
              },
              {
                "name": "Atom",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 19728
          },
          {
            "timestamp": "2026-05-28 22:02:04,381",
            "thread_id": "1276",
            "caller": "0x7ff6c28d9322",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "oleaut32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc77330000"
              }
            ],
            "repeated": 0,
            "id": 19729
          },
          {
            "timestamp": "2026-05-28 22:02:04,381",
            "thread_id": "5448",
            "caller": "0x7ff6c28bb952",
            "parentcaller": "0x7ff6c28be837",
            "category": "windows",
            "api": "PostMessageW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "WindowHandle",
                "value": "0x00010402"
              },
              {
                "name": "Message",
                "value": "0x00000464"
              }
            ],
            "repeated": 0,
            "id": 19730
          },
          {
            "timestamp": "2026-05-28 22:02:04,381",
            "thread_id": "608",
            "caller": "0x7ff6c28d9e90",
            "parentcaller": "0x7ff6c28d9a49",
            "category": "windows",
            "api": "FindWindowW",
            "status": true,
            "return": "0x00010092",
            "arguments": [
              {
                "name": "ClassName",
                "value": "Shell_TrayWnd"
              },
              {
                "name": "WindowName",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 19731
          },
          {
            "timestamp": "2026-05-28 22:02:04,396",
            "thread_id": "1276",
            "caller": "0x7ffc77bf0e98",
            "parentcaller": "0x7ffc77c6b785",
            "category": "windows",
            "api": "PostMessageW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "WindowHandle",
                "value": "0x00010438"
              },
              {
                "name": "Message",
                "value": "0x00000400"
              }
            ],
            "repeated": 0,
            "id": 19732
          },
          {
            "timestamp": "2026-05-28 22:02:04,428",
            "thread_id": "1496",
            "caller": "0x7ff6c28da9db",
            "parentcaller": "0x7ff6c28d6fb1",
            "category": "misc",
            "api": "GetCursorPos",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "x",
                "value": "990"
              },
              {
                "name": "y",
                "value": "779"
              }
            ],
            "repeated": 1,
            "id": 19733
          },
          {
            "timestamp": "2026-05-28 22:02:04,428",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6fb1",
            "parentcaller": "0x7ff6c28e0076",
            "category": "system",
            "api": "NtDelayExecution",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 19734
          },
          {
            "timestamp": "2026-05-28 22:02:04,428",
            "thread_id": "1496",
            "caller": "0x7ff6c28da9db",
            "parentcaller": "0x7ff6c28d6fb1",
            "category": "misc",
            "api": "GetCursorPos",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "x",
                "value": "992"
              },
              {
                "name": "y",
                "value": "780"
              }
            ],
            "repeated": 0,
            "id": 19735
          },
          {
            "timestamp": "2026-05-28 22:02:04,428",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6fb1",
            "parentcaller": "0x7ff6c28e0076",
            "category": "system",
            "api": "NtDelayExecution",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 19736
          },
          {
            "timestamp": "2026-05-28 22:02:04,428",
            "thread_id": "1496",
            "caller": "0x7ff6c28da9db",
            "parentcaller": "0x7ff6c28d6fb1",
            "category": "misc",
            "api": "GetCursorPos",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "x",
                "value": "995"
              },
              {
                "name": "y",
                "value": "781"
              }
            ],
            "repeated": 0,
            "id": 19737
          },
          {
            "timestamp": "2026-05-28 22:02:04,428",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6fb1",
            "parentcaller": "0x7ff6c28e0076",
            "category": "system",
            "api": "NtDelayExecution",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 19738
          },
          {
            "timestamp": "2026-05-28 22:02:04,428",
            "thread_id": "1496",
            "caller": "0x7ff6c28da9db",
            "parentcaller": "0x7ff6c28d6fb1",
            "category": "misc",
            "api": "GetCursorPos",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "x",
                "value": "998"
              },
              {
                "name": "y",
                "value": "781"
              }
            ],
            "repeated": 0,
            "id": 19739
          },
          {
            "timestamp": "2026-05-28 22:02:04,428",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6fb1",
            "parentcaller": "0x7ff6c28e0076",
            "category": "system",
            "api": "NtDelayExecution",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 19740
          },
          {
            "timestamp": "2026-05-28 22:02:04,475",
            "thread_id": "1276",
            "caller": "0x7ffc77bf0e98",
            "parentcaller": "0x7ffc77c6b785",
            "category": "windows",
            "api": "PostMessageW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "WindowHandle",
                "value": "0x00010424"
              },
              {
                "name": "Message",
                "value": "0x00000400"
              }
            ],
            "repeated": 0,
            "id": 19741
          },
          {
            "timestamp": "2026-05-28 22:02:04,490",
            "thread_id": "1496",
            "caller": "0x7ff6c28da9db",
            "parentcaller": "0x7ff6c28d6fb1",
            "category": "misc",
            "api": "GetCursorPos",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "x",
                "value": "1021"
              },
              {
                "name": "y",
                "value": "786"
              }
            ],
            "repeated": 0,
            "id": 19742
          },
          {
            "timestamp": "2026-05-28 22:02:04,490",
            "thread_id": "1496",
            "caller": "0x7ff6c28da9db",
            "parentcaller": "0x7ff6c28d6fb1",
            "category": "misc",
            "api": "GetCursorPos",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "x",
                "value": "1022"
              },
              {
                "name": "y",
                "value": "786"
              }
            ],
            "repeated": 0,
            "id": 19743
          },
          {
            "timestamp": "2026-05-28 22:02:04,490",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6fb1",
            "parentcaller": "0x7ff6c28e0076",
            "category": "system",
            "api": "NtDelayExecution",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 19744
          },
          {
            "timestamp": "2026-05-28 22:02:04,490",
            "thread_id": "1496",
            "caller": "0x7ff6c28da9db",
            "parentcaller": "0x7ff6c28d6fb1",
            "category": "misc",
            "api": "GetCursorPos",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "x",
                "value": "1024"
              },
              {
                "name": "y",
                "value": "787"
              }
            ],
            "repeated": 0,
            "id": 19745
          },
          {
            "timestamp": "2026-05-28 22:02:04,490",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6fb1",
            "parentcaller": "0x7ff6c28e0076",
            "category": "system",
            "api": "NtDelayExecution",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 19746
          },
          {
            "timestamp": "2026-05-28 22:02:04,490",
            "thread_id": "1496",
            "caller": "0x7ff6c28da9db",
            "parentcaller": "0x7ff6c28d6fb1",
            "category": "misc",
            "api": "GetCursorPos",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "x",
                "value": "1025"
              },
              {
                "name": "y",
                "value": "787"
              }
            ],
            "repeated": 0,
            "id": 19747
          },
          {
            "timestamp": "2026-05-28 22:02:04,490",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6fb1",
            "parentcaller": "0x7ff6c28e0076",
            "category": "system",
            "api": "NtDelayExecution",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 19748
          },
          {
            "timestamp": "2026-05-28 22:02:04,490",
            "thread_id": "1496",
            "caller": "0x7ff6c28da9db",
            "parentcaller": "0x7ff6c28d6fb1",
            "category": "misc",
            "api": "GetCursorPos",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "x",
                "value": "1027"
              },
              {
                "name": "y",
                "value": "787"
              }
            ],
            "repeated": 0,
            "id": 19749
          },
          {
            "timestamp": "2026-05-28 22:02:04,490",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6fb1",
            "parentcaller": "0x7ff6c28e0076",
            "category": "system",
            "api": "NtDelayExecution",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 19750
          },
          {
            "timestamp": "2026-05-28 22:02:04,537",
            "thread_id": "1496",
            "caller": "0x7ff6c28da9db",
            "parentcaller": "0x7ff6c28d6fb1",
            "category": "misc",
            "api": "GetCursorPos",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "x",
                "value": "1034"
              },
              {
                "name": "y",
                "value": "789"
              }
            ],
            "repeated": 0,
            "id": 19751
          },
          {
            "timestamp": "2026-05-28 22:02:04,537",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6fb1",
            "parentcaller": "0x7ff6c28e0076",
            "category": "system",
            "api": "NtDelayExecution",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 19752
          },
          {
            "timestamp": "2026-05-28 22:02:04,553",
            "thread_id": "1496",
            "caller": "0x7ff6c28da9db",
            "parentcaller": "0x7ff6c28d6fb1",
            "category": "misc",
            "api": "GetCursorPos",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "x",
                "value": "1035"
              },
              {
                "name": "y",
                "value": "789"
              }
            ],
            "repeated": 0,
            "id": 19753
          },
          {
            "timestamp": "2026-05-28 22:02:04,553",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6fb1",
            "parentcaller": "0x7ff6c28e0076",
            "category": "system",
            "api": "NtDelayExecution",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 19754
          },
          {
            "timestamp": "2026-05-28 22:02:04,568",
            "thread_id": "1496",
            "caller": "0x7ff6c28da9db",
            "parentcaller": "0x7ff6c28d6fb1",
            "category": "misc",
            "api": "GetCursorPos",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "x",
                "value": "1036"
              },
              {
                "name": "y",
                "value": "789"
              }
            ],
            "repeated": 0,
            "id": 19755
          },
          {
            "timestamp": "2026-05-28 22:02:04,568",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6fb1",
            "parentcaller": "0x7ff6c28e0076",
            "category": "system",
            "api": "NtDelayExecution",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 19756
          },
          {
            "timestamp": "2026-05-28 22:02:04,600",
            "thread_id": "1496",
            "caller": "0x7ff6c28da9db",
            "parentcaller": "0x7ff6c28d6fb1",
            "category": "misc",
            "api": "GetCursorPos",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "x",
                "value": "1042"
              },
              {
                "name": "y",
                "value": "790"
              }
            ],
            "repeated": 0,
            "id": 19757
          },
          {
            "timestamp": "2026-05-28 22:02:04,600",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6fb1",
            "parentcaller": "0x7ff6c28e0076",
            "category": "system",
            "api": "NtDelayExecution",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 19758
          },
          {
            "timestamp": "2026-05-28 22:02:04,646",
            "thread_id": "1496",
            "caller": "0x7ff6c28da9db",
            "parentcaller": "0x7ff6c28d6fb1",
            "category": "misc",
            "api": "GetCursorPos",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "x",
                "value": "1048"
              },
              {
                "name": "y",
                "value": "793"
              }
            ],
            "repeated": 0,
            "id": 19759
          },
          {
            "timestamp": "2026-05-28 22:02:04,646",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6fb1",
            "parentcaller": "0x7ff6c28e0076",
            "category": "system",
            "api": "NtDelayExecution",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 19760
          },
          {
            "timestamp": "2026-05-28 22:02:04,646",
            "thread_id": "1496",
            "caller": "0x7ff6c28da9db",
            "parentcaller": "0x7ff6c28d6fb1",
            "category": "misc",
            "api": "GetCursorPos",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "x",
                "value": "1049"
              },
              {
                "name": "y",
                "value": "793"
              }
            ],
            "repeated": 0,
            "id": 19761
          },
          {
            "timestamp": "2026-05-28 22:02:04,646",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6fb1",
            "parentcaller": "0x7ff6c28e0076",
            "category": "system",
            "api": "NtDelayExecution",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 19762
          },
          {
            "timestamp": "2026-05-28 22:02:04,709",
            "thread_id": "1496",
            "caller": "0x7ff6c28da9db",
            "parentcaller": "0x7ff6c28d6fb1",
            "category": "misc",
            "api": "GetCursorPos",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "x",
                "value": "1050"
              },
              {
                "name": "y",
                "value": "793"
              }
            ],
            "repeated": 0,
            "id": 19763
          },
          {
            "timestamp": "2026-05-28 22:02:04,709",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6fb1",
            "parentcaller": "0x7ff6c28e0076",
            "category": "system",
            "api": "NtDelayExecution",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 19764
          },
          {
            "timestamp": "2026-05-28 22:02:04,725",
            "thread_id": "8568",
            "caller": "0x7ff6c28b50a7",
            "parentcaller": "0x7ff6c28b501f",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "COMCTL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc61e00000"
              },
              {
                "name": "FunctionName",
                "value": "DPA_Destroy"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc61e7d170"
              }
            ],
            "repeated": 0,
            "id": 19765
          },
          {
            "timestamp": "2026-05-28 22:02:05,365",
            "thread_id": "5448",
            "caller": "0x7ff6c28bd9af",
            "parentcaller": "0x7ff6c28d9f92",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "23"
              },
              {
                "name": "ThreadInformation",
                "value": "T\\x9f\\x15Y\\x00\\x00\\x00\\x00\\x8a\\xf8\\x81\\xd7E\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "5448"
              }
            ],
            "repeated": 0,
            "id": 19766
          },
          {
            "timestamp": "2026-05-28 22:02:05,365",
            "thread_id": "5448",
            "caller": "0x7ff6c28c63dd",
            "parentcaller": "0x7ff6c28bac26",
            "category": "misc",
            "api": "NtQuerySystemInformation",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SystemInformationClass",
                "value": "5",
                "pretty_value": "SystemProcessInformation"
              }
            ],
            "repeated": 0,
            "id": 19767
          },
          {
            "timestamp": "2026-05-28 22:02:05,365",
            "thread_id": "5448",
            "caller": "0x7ff6c28bda50",
            "parentcaller": "0x7ff6c28d9f92",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "23"
              },
              {
                "name": "ThreadInformation",
                "value": "\\xea@oY\\x00\\x00\\x00\\x00\\xa8\\x9a\\xdb\\xd7E\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "5448"
              }
            ],
            "repeated": 0,
            "id": 19768
          },
          {
            "timestamp": "2026-05-28 22:02:05,365",
            "thread_id": "5448",
            "caller": "0x7ff6c28bdaa2",
            "parentcaller": "0x7ff6c28d9f92",
            "category": "misc",
            "api": "NtQuerySystemInformation",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SystemInformationClass",
                "value": "3",
                "pretty_value": "SystemTimeOfDayInformation"
              }
            ],
            "repeated": 0,
            "id": 19769
          },
          {
            "timestamp": "2026-05-28 22:02:05,365",
            "thread_id": "5448",
            "caller": "0x7ff6c28c4a58",
            "parentcaller": "0x7ff6c28c4bdc",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000410"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\PcwDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00224013"
              },
              {
                "name": "InputBuffer",
                "value": "\\x14\\x04\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": "\\xb8\\x01\\x00\\x00\\x10\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xa8\\x01\\x00\\x00 \\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x000\\x00\\x00\\x0c\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00`\\x00\\x00\\x00\\x00\\x00\\x00\\x00 \\x00\\x00\\x00\\x04\\x00\\x00\\x000\\x00,\\x000\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x04\\x00\\x08\\x00\\xd2Ik\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x05\\x00\\x08\\x00\\x08\\xdc`\\x01\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x1a\\x00\\x08\\x00\\xc6\\xde\\xe3\\x87\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x1b\\x00\\x04\\x00\\xf7\\xee\\xd3\\x02\\x00\\x00\\x00\\x00`\\x00\\x00\\x00\\x01\\x00\\x00\\x00 \\x00\\x00\\x00\\x04\\x00\\x00\\x000\\x00,\\x001\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x04\\x00\\x08\\x00v\\xddA\\x01\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x05\\x00\\x08\\x00\\x1cN\\x0e\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x1a\\x00\\x08\\x00\\xdb\\xd3L\\x87\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x1b\\x00\\x04\\x00\\xfd\\xee\\xd3\\x02\\x00\\x00\\x00\\x00h\\x00\\x00\\x00\\x02\\x00\\x00\\x00(\\x00\\x00\\x00\\x04\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 19770
          },
          {
            "timestamp": "2026-05-28 22:02:05,365",
            "thread_id": "5448",
            "caller": "0x7ff6c28c4a58",
            "parentcaller": "0x7ff6c28c4c19",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000410"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\PcwDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00224013"
              },
              {
                "name": "InputBuffer",
                "value": "\\x18\\x04\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": "x\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00h\\x00\\x00\\x00 \\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00H\\x00\\x00\\x00\\x00\\x00\\x00\\x00(\\x00\\x00\\x00\\x02\\x00\\x00\\x00d\\x00e\\x00f\\x00a\\x00u\\x00l\\x00t\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x08\\x00\\x1bn\\xfa\\x9e\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x01\\x00\\x08\\x00\\x00\\x98\\x8c\n\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 19771
          },
          {
            "timestamp": "2026-05-28 22:02:05,365",
            "thread_id": "5448",
            "caller": "0x7ff6c28c6f7b",
            "parentcaller": "0x7ff6c28bdb94",
            "category": "misc",
            "api": "GlobalMemoryStatusEx",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "MemoryLoad",
                "value": "35"
              },
              {
                "name": "TotalPhysicalMB",
                "value": "8191"
              }
            ],
            "repeated": 0,
            "id": 19772
          },
          {
            "timestamp": "2026-05-28 22:02:05,365",
            "thread_id": "5448",
            "caller": "0x7ff6c28c05ac",
            "parentcaller": "0x7ff6c28bdc11",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000aa4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001400",
                "pretty_value": "PROCESS_QUERY_INFORMATION|PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "748"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe"
              }
            ],
            "repeated": 0,
            "id": 19773
          },
          {
            "timestamp": "2026-05-28 22:02:05,365",
            "thread_id": "5448",
            "caller": "0x7ff6c28c068f",
            "parentcaller": "0x7ff6c28bdc11",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000aa4"
              }
            ],
            "repeated": 0,
            "id": 19774
          },
          {
            "timestamp": "2026-05-28 22:02:05,365",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c6d7d",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000aa4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001400",
                "pretty_value": "PROCESS_QUERY_INFORMATION|PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "748"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe"
              }
            ],
            "repeated": 0,
            "id": 19775
          },
          {
            "timestamp": "2026-05-28 22:02:05,365",
            "thread_id": "5448",
            "caller": "0x7ff6c28c6de3",
            "parentcaller": "0x7ff6c28c087c",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000aa4"
              }
            ],
            "repeated": 0,
            "id": 19776
          },
          {
            "timestamp": "2026-05-28 22:02:05,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28c4a58",
            "parentcaller": "0x7ff6c28bab11",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000410"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\PcwDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00224013"
              },
              {
                "name": "InputBuffer",
                "value": "\\x88\\x08\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": "x\\x02\\x00\\x00\\x10\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00h\\x02\\x00\\x00 \\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01<\\x06\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x90\\x00\\x00\\x00\\x00\\x00\\x00\\x00 \\x00\\x00\\x00\\x07\\x00\\x00\\x000\\x00,\\x000\\x00\\x00\\x00a\\x00n\\x00a\\x00g\\x00\\x10\\x00\\x00\\x00\\x10\\x00\\x04\\x00\\x00\\x00\\x00\\x00A\\x00p\\x00\\x10\\x00\\x00\\x00\\x1a\\x00\\x08\\x00\\x93V\\xe4\\x87\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x1b\\x00\\x04\\x00)\\xf0\\xd3\\x02S\\x00e\\x00\\x10\\x00\\x00\\x00\\x1c\\x00\\x08\\x00\\x8b\\xc2\\xc4\\x08\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x1d\\x00\\x04\\x00)\\xf0\\xd3\\x02)\\x00\\x00\\x00\\x10\\x00\\x00\\x00!\\x00\\x08\\x00=%\\xfa\\x90\\x13\\x00\\x00\\x00\\x10\\x00\\x00\\x00\"\\x00\\x04\\x00%\\xe2[\\x01o\\x00f\\x00\\x90\\x00\\x00\\x00\\x01\\x00\\x00\\x00 \\x00\\x00\\x00\\x07\\x00\\x00\\x000\\x00,\\x001\\x00\\x00\\x00n\\x00t\\x00\\x00\\x00A\\x00\\x10\\x00\\x00\\x00\\x10\\x00\\x04\\x00\\x00\\x00\\x00\\x00e\\x00n\\x00\\x10\\x00\\x00\\x00\\x1a\\x00\\x08\\x00\\x19QM\\x87\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 19777
          },
          {
            "timestamp": "2026-05-28 22:02:05,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28c7164",
            "parentcaller": "0x7ff6c28c4d2d",
            "category": "misc",
            "api": "NtQuerySystemInformation",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "SystemInformationClass",
                "value": "79"
              }
            ],
            "repeated": 0,
            "id": 19778
          },
          {
            "timestamp": "2026-05-28 22:02:05,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28c71d8",
            "parentcaller": "0x7ff6c28c4d2d",
            "category": "misc",
            "api": "NtQuerySystemInformation",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SystemInformationClass",
                "value": "79"
              }
            ],
            "repeated": 0,
            "id": 19779
          },
          {
            "timestamp": "2026-05-28 22:02:05,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28c4d5f",
            "parentcaller": "0x7ff6c28d9152",
            "category": "misc",
            "api": "NtQuerySystemInformation",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SystemInformationClass",
                "value": "182"
              }
            ],
            "repeated": 0,
            "id": 19780
          },
          {
            "timestamp": "2026-05-28 22:02:05,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28c4d76",
            "parentcaller": "0x7ff6c28d9152",
            "category": "misc",
            "api": "GetPhysicallyInstalledSystemMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TotalMemoryInKilobytes",
                "value": "8388608"
              }
            ],
            "repeated": 0,
            "id": 19781
          },
          {
            "timestamp": "2026-05-28 22:02:05,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28bcc3e",
            "parentcaller": "0x7ff6c28baa3d",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000008a4"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\Nsi"
              },
              {
                "name": "IoControlCode",
                "value": "0x00120007"
              },
              {
                "name": "InputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb1\\xa9t\\xfc\\x7f\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xc0\\xe5O\\x9e\\xf0\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb1\\xa9t\\xfc\\x7f\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xc0\\xe5O\\x9e\\xf0\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 19782
          },
          {
            "timestamp": "2026-05-28 22:02:05,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28bcc3e",
            "parentcaller": "0x7ff6c28baa3d",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000aa4"
              }
            ],
            "repeated": 0,
            "id": 19783
          },
          {
            "timestamp": "2026-05-28 22:02:05,365",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000000",
                "pretty_value": "HKEY_CLASSES_ROOT"
              },
              {
                "name": "SubKey",
                "value": "CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_CLASSES_ROOT\\CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              }
            ],
            "repeated": 0,
            "id": 19784
          },
          {
            "timestamp": "2026-05-28 22:02:05,365",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "shell32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76730000"
              }
            ],
            "repeated": 0,
            "id": 19785
          },
          {
            "timestamp": "2026-05-28 22:02:05,365",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x7ffc76730000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "shell32.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 19786
          },
          {
            "timestamp": "2026-05-28 22:02:05,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28bcc3e",
            "parentcaller": "0x7ff6c28baa3d",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000aa4"
              }
            ],
            "repeated": 0,
            "id": 19787
          },
          {
            "timestamp": "2026-05-28 22:02:05,365",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "SHELL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc76730000"
              },
              {
                "name": "FunctionName",
                "value": "DllGetClassObject"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc767878f0"
              }
            ],
            "repeated": 0,
            "id": 19788
          },
          {
            "timestamp": "2026-05-28 22:02:05,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28bcd3d",
            "parentcaller": "0x7ff6c28baa3d",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000aa4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0012019f",
                "pretty_value": "FILE_GENERIC_READ|FILE_GENERIC_WRITE"
              },
              {
                "name": "FileName",
                "value": "\\Device\\{4C572733-2FBA-4346-9601-F86DBA666EF2}"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 19789
          },
          {
            "timestamp": "2026-05-28 22:02:05,365",
            "thread_id": "1276",
            "caller": "0x7ff6c28c27c9",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "synchronization",
            "api": "NtFindAtom",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "AtomName",
                "value": "{57086C23-86C6-478F-AFB2-236188C8F47F} 3"
              },
              {
                "name": "Atom",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 19790
          },
          {
            "timestamp": "2026-05-28 22:02:05,365",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000000",
                "pretty_value": "HKEY_CLASSES_ROOT"
              },
              {
                "name": "SubKey",
                "value": "CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_CLASSES_ROOT\\CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              }
            ],
            "repeated": 0,
            "id": 19791
          },
          {
            "timestamp": "2026-05-28 22:02:05,365",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "shell32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76730000"
              }
            ],
            "repeated": 0,
            "id": 19792
          },
          {
            "timestamp": "2026-05-28 22:02:05,365",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x7ffc76730000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "shell32.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 19793
          },
          {
            "timestamp": "2026-05-28 22:02:05,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28bcd94",
            "parentcaller": "0x7ff6c28baa3d",
            "category": "device",
            "api": "DeviceIoControl",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "DeviceHandle",
                "value": "0x00000aa4"
              },
              {
                "name": "IoControlCode",
                "value": "0x0017003e"
              },
              {
                "name": "InBuffer",
                "value": "\\x07\\x01\\x01\\x00\\x04\\x01\\x01\\x80\\x14\\x01\\x01\\x80\\x01\\x01\\x02\\x00\\x02\\x01\\x02\\x00\\x03\\x01\\x02\\x00\\x04\\x01\\x02\\x00\\x08\\x02\\x02\\x80\\x01\\x02\\x02\\x80\\x07\\x02\\x02\\x80\\xff\\xff\\xff\\x80\\x13\\x02\\x02\\x80\\x14\\x02\\x02\\x80\\x15\\x02\\x02\\x80\\x02\\x02\\x01\\x80"
              },
              {
                "name": "OutBuffer",
                "value": "\\x07\\x01\\x01\\x00\\x04\\x00\\x00\\x00\\x80\\x96\\x98\\x00\\x04\\x01\\x01\\x80\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x14\\x01\\x01\\x80\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x01\\x02\\x00\\x08\\x00\\x00\\x00\\x02\\x0e\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x01\\x02\\x00\\x08\\x00\\x00\\x00;C\\x00\\x00\\x00\\x00\\x00\\x00\\x03\\x01\\x02\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x04\\x01\\x02\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x08\\x02\\x02\\x80\\x08\\x00\\x00\\x006C\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x02\\x02\\x80\\x08\\x00\\x00\\x00\\xa6\\xf7>\\x00\\x00\\x00\\x00\\x00\\x07\\x02\\x02\\x80\\x08\\x00\\x00\\x00\\xfa\\xc5E\\x01\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\x80\\x04\\x00\\x00\\x00G\\x00\\x00\\x00\\x13\\x02\\x02\\x80\\x04\\x00\\x00\\x00m\\x00\\x00\\x00\\x14\\x02\\x02\\x80\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x15\\x02\\x02\\x80\\x04\\x00\\x00\\x00\\x00\\x00\\x04\\x00\\x02\\x02\\x01\\x80\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 19794
          },
          {
            "timestamp": "2026-05-28 22:02:05,365",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "SHELL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc76730000"
              },
              {
                "name": "FunctionName",
                "value": "DllGetClassObject"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc767878f0"
              }
            ],
            "repeated": 0,
            "id": 19795
          },
          {
            "timestamp": "2026-05-28 22:02:05,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28bcdab",
            "parentcaller": "0x7ff6c28baa3d",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000aa4"
              }
            ],
            "repeated": 0,
            "id": 19796
          },
          {
            "timestamp": "2026-05-28 22:02:05,365",
            "thread_id": "1276",
            "caller": "0x7ff6c28c27c9",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "synchronization",
            "api": "NtFindAtom",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "AtomName",
                "value": "{57086C23-86C6-478F-AFB2-236188C8F47F} 3"
              },
              {
                "name": "Atom",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 19797
          },
          {
            "timestamp": "2026-05-28 22:02:05,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28c1a63",
            "parentcaller": "0x7ff6c28d9152",
            "category": "device",
            "api": "DeviceIoControl",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "DeviceHandle",
                "value": "0x0000089c"
              },
              {
                "name": "IoControlCode",
                "value": "0x00070020"
              },
              {
                "name": "InBuffer",
                "value": ""
              },
              {
                "name": "OutBuffer",
                "value": "\\x00\\xa4\\x14t\\x00\\x00\\x00\\x00\\x00\\x92\\xae\\x08\\x00\\x00\\x00\\x00\\xf9\\xba\\xc4\\x1e\\x00\\x00\\x00\\x00~\\xbeY\\x11\\x00\\x00\\x00\\x00t\\xec\\\\x1c\\x00\\x00\\x00\\x00bj\\x00\\x00\\xe2\r\\x00\\x00\\x00\\x00\\x00\\x006\\x04\\x00\\x00\\xd5\\xb1\\xd4\\x9e\\xed\\xee\\xdc\\x01\\x00\\x00\\x00\\x00P\\x00a\\x00r\\x00t\\x00m\\x00g\\x00r\\x00 \\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 19798
          },
          {
            "timestamp": "2026-05-28 22:02:05,365",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6fb1",
            "parentcaller": "0x7ff6c28e0076",
            "category": "system",
            "api": "NtDelayExecution",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 19799
          },
          {
            "timestamp": "2026-05-28 22:02:05,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28ca352",
            "parentcaller": "0x7ff6c28ca1d6",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 19800
          },
          {
            "timestamp": "2026-05-28 22:02:05,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28ca352",
            "parentcaller": "0x7ff6c28ca1d6",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "0",
                "pretty_value": "ThreadBasicInformation"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x03\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb0\\x88\\x9d\\xf0\\x00\\x00\\x00\\xe8\\x1e\\x00\\x00\\x00\\x00\\x00\\x00\\x9c!\\x00\\x00\\x00\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x0b\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "8604"
              }
            ],
            "repeated": 0,
            "id": 19801
          },
          {
            "timestamp": "2026-05-28 22:02:05,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28ca352",
            "parentcaller": "0x7ff6c28ca1d6",
            "category": "system",
            "api": "GetSystemTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 1,
            "id": 19802
          },
          {
            "timestamp": "2026-05-28 22:02:05,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28ca352",
            "parentcaller": "0x7ff6c28ca1d6",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000410"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\PcwDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00224013"
              },
              {
                "name": "InputBuffer",
                "value": "\\x00\t\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": "\\xe0G\\x00\\x00\\x10\\x00\\x00\\x00\\x0c\\x00\\x00\\x00\\x00\\x00\\x00\\x00`\\x14\\x00\\x00 \\x00\\x00\\x00!\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\n\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x98\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x88\\x00\\x00\\x00\\x01\\x00\\x00\\x00p\\x00i\\x00d\\x00_\\x004\\x00_\\x00l\\x00u\\x00i\\x00d\\x00_\\x000\\x00x\\x000\\x000\\x000\\x000\\x000\\x000\\x000\\x000\\x00_\\x000\\x00x\\x000\\x000\\x000\\x000\\x006\\x001\\x006\\x00A\\x00_\\x00p\\x00h\\x00y\\x00s\\x00_\\x000\\x00_\\x00e\\x00n\\x00g\\x00_\\x000\\x00_\\x00e\\x00n\\x00g\\x00t\\x00y\\x00p\\x00e\\x00_\\x003\\x00D\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x01\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x98\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x88\\x00\\x00\\x00\\x01\\x00\\x00\\x00p\\x00i\\x00d\\x00_\\x004\\x00_\\x00l\\x00u\\x00i\\x00d\\x00_\\x000\\x00x\\x000\\x000\\x000\\x000\\x000\\x000\\x000\\x00"
              }
            ],
            "repeated": 0,
            "id": 19803
          },
          {
            "timestamp": "2026-05-28 22:02:05,365",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000000",
                "pretty_value": "HKEY_CLASSES_ROOT"
              },
              {
                "name": "SubKey",
                "value": "CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_CLASSES_ROOT\\CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              }
            ],
            "repeated": 0,
            "id": 19804
          },
          {
            "timestamp": "2026-05-28 22:02:05,365",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "shell32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76730000"
              }
            ],
            "repeated": 0,
            "id": 19805
          },
          {
            "timestamp": "2026-05-28 22:02:05,365",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x7ffc76730000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "shell32.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 19806
          },
          {
            "timestamp": "2026-05-28 22:02:05,365",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "SHELL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc76730000"
              },
              {
                "name": "FunctionName",
                "value": "DllGetClassObject"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc767878f0"
              }
            ],
            "repeated": 0,
            "id": 19807
          },
          {
            "timestamp": "2026-05-28 22:02:05,365",
            "thread_id": "1276",
            "caller": "0x7ff6c28c27c9",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "synchronization",
            "api": "NtFindAtom",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "AtomName",
                "value": "{57086C23-86C6-478F-AFB2-236188C8F47F} 3"
              },
              {
                "name": "Atom",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 19808
          },
          {
            "timestamp": "2026-05-28 22:02:05,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28f9829",
            "parentcaller": "0x7ff6c28d8f00",
            "category": "windows",
            "api": "PostMessageW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "WindowHandle",
                "value": "0x000203fa"
              },
              {
                "name": "Message",
                "value": "0x000004e1"
              }
            ],
            "repeated": 0,
            "id": 19809
          },
          {
            "timestamp": "2026-05-28 22:02:05,365",
            "thread_id": "1496",
            "caller": "0x7ff6c2958576",
            "parentcaller": "0x7ff6c2957a42",
            "category": "misc",
            "api": "NtQuerySystemInformation",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SystemInformationClass",
                "value": "3",
                "pretty_value": "SystemTimeOfDayInformation"
              }
            ],
            "repeated": 0,
            "id": 19810
          },
          {
            "timestamp": "2026-05-28 22:02:05,365",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000000",
                "pretty_value": "HKEY_CLASSES_ROOT"
              },
              {
                "name": "SubKey",
                "value": "CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_CLASSES_ROOT\\CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              }
            ],
            "repeated": 0,
            "id": 19811
          },
          {
            "timestamp": "2026-05-28 22:02:05,365",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "shell32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76730000"
              }
            ],
            "repeated": 0,
            "id": 19812
          },
          {
            "timestamp": "2026-05-28 22:02:05,365",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x7ffc76730000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "shell32.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 19813
          },
          {
            "timestamp": "2026-05-28 22:02:05,365",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "SHELL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc76730000"
              },
              {
                "name": "FunctionName",
                "value": "DllGetClassObject"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc767878f0"
              }
            ],
            "repeated": 0,
            "id": 19814
          },
          {
            "timestamp": "2026-05-28 22:02:05,365",
            "thread_id": "1276",
            "caller": "0x7ff6c28c27c9",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "synchronization",
            "api": "NtFindAtom",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "AtomName",
                "value": "{57086C23-86C6-478F-AFB2-236188C8F47F} 3"
              },
              {
                "name": "Atom",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 19815
          },
          {
            "timestamp": "2026-05-28 22:02:05,365",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000000",
                "pretty_value": "HKEY_CLASSES_ROOT"
              },
              {
                "name": "SubKey",
                "value": "CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_CLASSES_ROOT\\CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              }
            ],
            "repeated": 0,
            "id": 19816
          },
          {
            "timestamp": "2026-05-28 22:02:05,365",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "shell32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76730000"
              }
            ],
            "repeated": 0,
            "id": 19817
          },
          {
            "timestamp": "2026-05-28 22:02:05,365",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x7ffc76730000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "shell32.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 19818
          },
          {
            "timestamp": "2026-05-28 22:02:05,365",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "SHELL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc76730000"
              },
              {
                "name": "FunctionName",
                "value": "DllGetClassObject"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc767878f0"
              }
            ],
            "repeated": 0,
            "id": 19819
          },
          {
            "timestamp": "2026-05-28 22:02:05,365",
            "thread_id": "1276",
            "caller": "0x7ff6c28c27c9",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "synchronization",
            "api": "NtFindAtom",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "AtomName",
                "value": "{57086C23-86C6-478F-AFB2-236188C8F47F} 3"
              },
              {
                "name": "Atom",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 19820
          },
          {
            "timestamp": "2026-05-28 22:02:05,365",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000000",
                "pretty_value": "HKEY_CLASSES_ROOT"
              },
              {
                "name": "SubKey",
                "value": "CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_CLASSES_ROOT\\CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              }
            ],
            "repeated": 0,
            "id": 19821
          },
          {
            "timestamp": "2026-05-28 22:02:05,365",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "shell32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76730000"
              }
            ],
            "repeated": 0,
            "id": 19822
          },
          {
            "timestamp": "2026-05-28 22:02:05,365",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x7ffc76730000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "shell32.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 19823
          },
          {
            "timestamp": "2026-05-28 22:02:05,365",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "SHELL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc76730000"
              },
              {
                "name": "FunctionName",
                "value": "DllGetClassObject"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc767878f0"
              }
            ],
            "repeated": 0,
            "id": 19824
          },
          {
            "timestamp": "2026-05-28 22:02:05,365",
            "thread_id": "1276",
            "caller": "0x7ff6c28c27c9",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "synchronization",
            "api": "NtFindAtom",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "AtomName",
                "value": "{57086C23-86C6-478F-AFB2-236188C8F47F} 3"
              },
              {
                "name": "Atom",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 19825
          },
          {
            "timestamp": "2026-05-28 22:02:05,365",
            "thread_id": "8568",
            "caller": "0x7ff6c28c7bc0",
            "parentcaller": "0x7ff6c28c61c3",
            "category": "services",
            "api": "OpenSCManagerW",
            "status": true,
            "return": "0x29254ac7ad0",
            "arguments": [
              {
                "name": "MachineName",
                "value": ""
              },
              {
                "name": "DatabaseName",
                "value": ""
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000004",
                "pretty_value": "SC_MANAGER_ENUMERATE_SERVICE"
              }
            ],
            "repeated": 0,
            "id": 19826
          },
          {
            "timestamp": "2026-05-28 22:02:05,365",
            "thread_id": "1276",
            "caller": "0x7ff6c28d9322",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "oleaut32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc77330000"
              }
            ],
            "repeated": 0,
            "id": 19827
          },
          {
            "timestamp": "2026-05-28 22:02:05,365",
            "thread_id": "5448",
            "caller": "0x7ff6c28bb952",
            "parentcaller": "0x7ff6c28be837",
            "category": "windows",
            "api": "PostMessageW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "WindowHandle",
                "value": "0x00010402"
              },
              {
                "name": "Message",
                "value": "0x00000464"
              }
            ],
            "repeated": 0,
            "id": 19828
          },
          {
            "timestamp": "2026-05-28 22:02:05,365",
            "thread_id": "608",
            "caller": "0x7ff6c28d9e90",
            "parentcaller": "0x7ff6c28d9a49",
            "category": "windows",
            "api": "FindWindowW",
            "status": true,
            "return": "0x00010092",
            "arguments": [
              {
                "name": "ClassName",
                "value": "Shell_TrayWnd"
              },
              {
                "name": "WindowName",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 19829
          },
          {
            "timestamp": "2026-05-28 22:02:05,365",
            "thread_id": "8568",
            "caller": "0x7ff6c28c7bf7",
            "parentcaller": "0x7ff6c28c61c3",
            "category": "services",
            "api": "OpenServiceW",
            "status": true,
            "return": "0x29254ac7fe0",
            "arguments": [
              {
                "name": "ServiceControlManager",
                "value": "0x29254ac7ad0"
              },
              {
                "name": "ServiceName",
                "value": "MicrosoftEdgeElevationService"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000004",
                "pretty_value": "SERVICE_QUERY_STATUS"
              }
            ],
            "repeated": 0,
            "id": 19830
          },
          {
            "timestamp": "2026-05-28 22:02:05,381",
            "thread_id": "8568",
            "caller": "0x7ff6c28c7bc0",
            "parentcaller": "0x7ff6c28c61c3",
            "category": "services",
            "api": "OpenSCManagerW",
            "status": true,
            "return": "0x29254ac8070",
            "arguments": [
              {
                "name": "MachineName",
                "value": ""
              },
              {
                "name": "DatabaseName",
                "value": ""
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000004",
                "pretty_value": "SC_MANAGER_ENUMERATE_SERVICE"
              }
            ],
            "repeated": 0,
            "id": 19831
          },
          {
            "timestamp": "2026-05-28 22:02:05,381",
            "thread_id": "8568",
            "caller": "0x7ff6c28c7bf7",
            "parentcaller": "0x7ff6c28c61c3",
            "category": "services",
            "api": "OpenServiceW",
            "status": true,
            "return": "0x29254ac7da0",
            "arguments": [
              {
                "name": "ServiceControlManager",
                "value": "0x29254ac8070"
              },
              {
                "name": "ServiceName",
                "value": "MicrosoftEdgeElevationService"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000004",
                "pretty_value": "SERVICE_QUERY_STATUS"
              }
            ],
            "repeated": 0,
            "id": 19832
          },
          {
            "timestamp": "2026-05-28 22:02:05,475",
            "thread_id": "1276",
            "caller": "0x7ffc77bf0e98",
            "parentcaller": "0x7ffc77c6b785",
            "category": "windows",
            "api": "PostMessageW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "WindowHandle",
                "value": "0x00010424"
              },
              {
                "name": "Message",
                "value": "0x00000400"
              }
            ],
            "repeated": 0,
            "id": 19833
          },
          {
            "timestamp": "2026-05-28 22:02:05,693",
            "thread_id": "1496",
            "caller": "0x7ff6c28da9db",
            "parentcaller": "0x7ff6c28d6fb1",
            "category": "misc",
            "api": "GetCursorPos",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "x",
                "value": "1051"
              },
              {
                "name": "y",
                "value": "793"
              }
            ],
            "repeated": 0,
            "id": 19834
          },
          {
            "timestamp": "2026-05-28 22:02:05,693",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6fb1",
            "parentcaller": "0x7ff6c28e0076",
            "category": "system",
            "api": "NtDelayExecution",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 19835
          },
          {
            "timestamp": "2026-05-28 22:02:05,725",
            "thread_id": "1496",
            "caller": "0x7ff6c28da9db",
            "parentcaller": "0x7ff6c28d6fb1",
            "category": "misc",
            "api": "GetCursorPos",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "x",
                "value": "1051"
              },
              {
                "name": "y",
                "value": "792"
              }
            ],
            "repeated": 0,
            "id": 19836
          },
          {
            "timestamp": "2026-05-28 22:02:05,725",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6fb1",
            "parentcaller": "0x7ff6c28e0076",
            "category": "system",
            "api": "NtDelayExecution",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 19837
          },
          {
            "timestamp": "2026-05-28 22:02:05,881",
            "thread_id": "1496",
            "caller": "0x7ff6c28da9db",
            "parentcaller": "0x7ff6c28d6fb1",
            "category": "misc",
            "api": "GetCursorPos",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "x",
                "value": "1052"
              },
              {
                "name": "y",
                "value": "792"
              }
            ],
            "repeated": 0,
            "id": 19838
          },
          {
            "timestamp": "2026-05-28 22:02:05,881",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6fb1",
            "parentcaller": "0x7ff6c28e0076",
            "category": "system",
            "api": "NtDelayExecution",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 19839
          },
          {
            "timestamp": "2026-05-28 22:02:06,053",
            "thread_id": "1496",
            "caller": "0x7ff6c28da9db",
            "parentcaller": "0x7ff6c28d6fb1",
            "category": "misc",
            "api": "GetCursorPos",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "x",
                "value": "1052"
              },
              {
                "name": "y",
                "value": "791"
              }
            ],
            "repeated": 0,
            "id": 19840
          },
          {
            "timestamp": "2026-05-28 22:02:06,053",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6fb1",
            "parentcaller": "0x7ff6c28e0076",
            "category": "system",
            "api": "NtDelayExecution",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 19841
          },
          {
            "timestamp": "2026-05-28 22:02:06,068",
            "thread_id": "1496",
            "caller": "0x7ff6c28da9db",
            "parentcaller": "0x7ff6c28d6fb1",
            "category": "misc",
            "api": "GetCursorPos",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "x",
                "value": "1053"
              },
              {
                "name": "y",
                "value": "790"
              }
            ],
            "repeated": 0,
            "id": 19842
          },
          {
            "timestamp": "2026-05-28 22:02:06,068",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6fb1",
            "parentcaller": "0x7ff6c28e0076",
            "category": "system",
            "api": "NtDelayExecution",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 19843
          },
          {
            "timestamp": "2026-05-28 22:02:06,100",
            "thread_id": "1496",
            "caller": "0x7ff6c28da9db",
            "parentcaller": "0x7ff6c28d6fb1",
            "category": "misc",
            "api": "GetCursorPos",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "x",
                "value": "1053"
              },
              {
                "name": "y",
                "value": "789"
              }
            ],
            "repeated": 0,
            "id": 19844
          },
          {
            "timestamp": "2026-05-28 22:02:06,100",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6fb1",
            "parentcaller": "0x7ff6c28e0076",
            "category": "system",
            "api": "NtDelayExecution",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 19845
          },
          {
            "timestamp": "2026-05-28 22:02:06,318",
            "thread_id": "1496",
            "caller": "0x7ff6c28da9db",
            "parentcaller": "0x7ff6c28d6fb1",
            "category": "misc",
            "api": "GetCursorPos",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "x",
                "value": "1054"
              },
              {
                "name": "y",
                "value": "788"
              }
            ],
            "repeated": 0,
            "id": 19846
          },
          {
            "timestamp": "2026-05-28 22:02:06,318",
            "thread_id": "1496",
            "caller": "0x7ff6c28da9db",
            "parentcaller": "0x7ff6c28d6fb1",
            "category": "misc",
            "api": "GetCursorPos",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "x",
                "value": "1054"
              },
              {
                "name": "y",
                "value": "787"
              }
            ],
            "repeated": 0,
            "id": 19847
          },
          {
            "timestamp": "2026-05-28 22:02:06,318",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6fb1",
            "parentcaller": "0x7ff6c28e0076",
            "category": "system",
            "api": "NtDelayExecution",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 19848
          },
          {
            "timestamp": "2026-05-28 22:02:06,365",
            "thread_id": "1496",
            "caller": "0x7ff6c28da9db",
            "parentcaller": "0x7ff6c28d6fb1",
            "category": "misc",
            "api": "GetCursorPos",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "x",
                "value": "1054"
              },
              {
                "name": "y",
                "value": "786"
              }
            ],
            "repeated": 0,
            "id": 19849
          },
          {
            "timestamp": "2026-05-28 22:02:06,365",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6fb1",
            "parentcaller": "0x7ff6c28e0076",
            "category": "system",
            "api": "NtDelayExecution",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 19850
          },
          {
            "timestamp": "2026-05-28 22:02:06,365",
            "thread_id": "5448",
            "caller": "0x7ff6c28bd9af",
            "parentcaller": "0x7ff6c28d9f92",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "23"
              },
              {
                "name": "ThreadInformation",
                "value": "\\xd4,\\x95Y\\x00\\x00\\x00\\x00215\\xb3F\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "5448"
              }
            ],
            "repeated": 0,
            "id": 19851
          },
          {
            "timestamp": "2026-05-28 22:02:06,365",
            "thread_id": "5448",
            "caller": "0x7ff6c28c63dd",
            "parentcaller": "0x7ff6c28bac26",
            "category": "misc",
            "api": "NtQuerySystemInformation",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SystemInformationClass",
                "value": "5",
                "pretty_value": "SystemProcessInformation"
              }
            ],
            "repeated": 0,
            "id": 19852
          },
          {
            "timestamp": "2026-05-28 22:02:06,365",
            "thread_id": "5448",
            "caller": "0x7ff6c28bda50",
            "parentcaller": "0x7ff6c28d9f92",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "23"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x08\\xb3\\xd4Y\\x00\\x00\\x00\\x00X\\x08x\\xb3F\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "5448"
              }
            ],
            "repeated": 0,
            "id": 19853
          },
          {
            "timestamp": "2026-05-28 22:02:06,365",
            "thread_id": "5448",
            "caller": "0x7ff6c28bdaa2",
            "parentcaller": "0x7ff6c28d9f92",
            "category": "misc",
            "api": "NtQuerySystemInformation",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SystemInformationClass",
                "value": "3",
                "pretty_value": "SystemTimeOfDayInformation"
              }
            ],
            "repeated": 0,
            "id": 19854
          },
          {
            "timestamp": "2026-05-28 22:02:06,365",
            "thread_id": "5448",
            "caller": "0x7ff6c28c4a58",
            "parentcaller": "0x7ff6c28c4bdc",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000410"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\PcwDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00224013"
              },
              {
                "name": "InputBuffer",
                "value": "\\x14\\x04\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": "\\xb8\\x01\\x00\\x00\\x10\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xa8\\x01\\x00\\x00 \\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x000\\x00\\x00\\x0c\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00`\\x00\\x00\\x00\\x00\\x00\\x00\\x00 \\x00\\x00\\x00\\x04\\x00\\x00\\x000\\x00,\\x000\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x04\\x00\\x08\\x00\\xd2Ik\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x05\\x00\\x08\\x00\\x08\\xdc`\\x01\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x1a\\x00\\x08\\x00f\\xa8+\\x89\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x1b\\x00\\x04\\x00\\x0cw\\xdd\\x02\\x00\\x00\\x00\\x00`\\x00\\x00\\x00\\x01\\x00\\x00\\x00 \\x00\\x00\\x00\\x04\\x00\\x00\\x000\\x00,\\x001\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x04\\x00\\x08\\x00v\\xddA\\x01\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x05\\x00\\x08\\x00\\x1cN\\x0e\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x1a\\x00\\x08\\x00\\xdd\\xfe\\xa4\\x88\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x1b\\x00\\x04\\x00\\x11w\\xdd\\x02\\x00\\x00\\x00\\x00h\\x00\\x00\\x00\\x02\\x00\\x00\\x00(\\x00\\x00\\x00\\x04\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 19855
          },
          {
            "timestamp": "2026-05-28 22:02:06,365",
            "thread_id": "5448",
            "caller": "0x7ff6c28c4a58",
            "parentcaller": "0x7ff6c28c4c19",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000410"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\PcwDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00224013"
              },
              {
                "name": "InputBuffer",
                "value": "\\x18\\x04\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": "x\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00h\\x00\\x00\\x00 \\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00H\\x00\\x00\\x00\\x00\\x00\\x00\\x00(\\x00\\x00\\x00\\x02\\x00\\x00\\x00d\\x00e\\x00f\\x00a\\x00u\\x00l\\x00t\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x08\\x00\\x1b\\x90*\\x9f\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x01\\x00\\x08\\x00\\x006\\x93\n\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 19856
          },
          {
            "timestamp": "2026-05-28 22:02:06,365",
            "thread_id": "5448",
            "caller": "0x7ff6c28c6f7b",
            "parentcaller": "0x7ff6c28bdb94",
            "category": "misc",
            "api": "GlobalMemoryStatusEx",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "MemoryLoad",
                "value": "35"
              },
              {
                "name": "TotalPhysicalMB",
                "value": "8191"
              }
            ],
            "repeated": 0,
            "id": 19857
          },
          {
            "timestamp": "2026-05-28 22:02:06,365",
            "thread_id": "5448",
            "caller": "0x7ff6c28c05ac",
            "parentcaller": "0x7ff6c28bdc11",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a9c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001400",
                "pretty_value": "PROCESS_QUERY_INFORMATION|PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "748"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe"
              }
            ],
            "repeated": 0,
            "id": 19858
          },
          {
            "timestamp": "2026-05-28 22:02:06,365",
            "thread_id": "5448",
            "caller": "0x7ff6c28c068f",
            "parentcaller": "0x7ff6c28bdc11",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a9c"
              }
            ],
            "repeated": 0,
            "id": 19859
          },
          {
            "timestamp": "2026-05-28 22:02:06,365",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c6d7d",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a9c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001400",
                "pretty_value": "PROCESS_QUERY_INFORMATION|PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "748"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe"
              }
            ],
            "repeated": 0,
            "id": 19860
          },
          {
            "timestamp": "2026-05-28 22:02:06,365",
            "thread_id": "5448",
            "caller": "0x7ff6c28c6de3",
            "parentcaller": "0x7ff6c28c087c",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a9c"
              }
            ],
            "repeated": 0,
            "id": 19861
          },
          {
            "timestamp": "2026-05-28 22:02:06,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28c4a58",
            "parentcaller": "0x7ff6c28bab11",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000410"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\PcwDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00224013"
              },
              {
                "name": "InputBuffer",
                "value": "\\x88\\x08\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": "x\\x02\\x00\\x00\\x10\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00h\\x02\\x00\\x00 \\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01<\\x06\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x90\\x00\\x00\\x00\\x00\\x00\\x00\\x00 \\x00\\x00\\x00\\x07\\x00\\x00\\x000\\x00,\\x000\\x00\\x00\\x00a\\x00n\\x00a\\x00g\\x00\\x10\\x00\\x00\\x00\\x10\\x00\\x04\\x00\\x00\\x00\\x00\\x00A\\x00p\\x00\\x10\\x00\\x00\\x00\\x1a\\x00\\x08\\x00 \t,\\x89\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x1b\\x00\\x04\\x00\\x04x\\xdd\\x02S\\x00e\\x00\\x10\\x00\\x00\\x00\\x1c\\x00\\x08\\x00\\x8b\\xc2\\xc4\\x08\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x1d\\x00\\x04\\x00\\x04x\\xdd\\x02)\\x00\\x00\\x00\\x10\\x00\\x00\\x00!\\x00\\x08\\x00\\xfa\\x12)\\xc0\\x13\\x00\\x00\\x00\\x10\\x00\\x00\\x00\"\\x00\\x04\\x00\r)_\\x01o\\x00f\\x00\\x90\\x00\\x00\\x00\\x01\\x00\\x00\\x00 \\x00\\x00\\x00\\x07\\x00\\x00\\x000\\x00,\\x001\\x00\\x00\\x00n\\x00t\\x00\\x00\\x00A\\x00\\x10\\x00\\x00\\x00\\x10\\x00\\x04\\x00\\x00\\x00\\x00\\x00e\\x00n\\x00\\x10\\x00\\x00\\x00\\x1a\\x00\\x08\\x00\\xf5^\\xa5\\x88\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 19862
          },
          {
            "timestamp": "2026-05-28 22:02:06,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28c7164",
            "parentcaller": "0x7ff6c28c4d2d",
            "category": "misc",
            "api": "NtQuerySystemInformation",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "SystemInformationClass",
                "value": "79"
              }
            ],
            "repeated": 0,
            "id": 19863
          },
          {
            "timestamp": "2026-05-28 22:02:06,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28c71d8",
            "parentcaller": "0x7ff6c28c4d2d",
            "category": "misc",
            "api": "NtQuerySystemInformation",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SystemInformationClass",
                "value": "79"
              }
            ],
            "repeated": 0,
            "id": 19864
          },
          {
            "timestamp": "2026-05-28 22:02:06,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28c4d5f",
            "parentcaller": "0x7ff6c28d9152",
            "category": "misc",
            "api": "NtQuerySystemInformation",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SystemInformationClass",
                "value": "182"
              }
            ],
            "repeated": 0,
            "id": 19865
          },
          {
            "timestamp": "2026-05-28 22:02:06,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28c4d76",
            "parentcaller": "0x7ff6c28d9152",
            "category": "misc",
            "api": "GetPhysicallyInstalledSystemMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TotalMemoryInKilobytes",
                "value": "8388608"
              }
            ],
            "repeated": 0,
            "id": 19866
          },
          {
            "timestamp": "2026-05-28 22:02:06,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28bcc3e",
            "parentcaller": "0x7ff6c28baa3d",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000008a4"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\Nsi"
              },
              {
                "name": "IoControlCode",
                "value": "0x00120007"
              },
              {
                "name": "InputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb1\\xa9t\\xfc\\x7f\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xc0\\xe5O\\x9e\\xf0\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb1\\xa9t\\xfc\\x7f\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xc0\\xe5O\\x9e\\xf0\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 19867
          },
          {
            "timestamp": "2026-05-28 22:02:06,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28bcc3e",
            "parentcaller": "0x7ff6c28baa3d",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a9c"
              }
            ],
            "repeated": 0,
            "id": 19868
          },
          {
            "timestamp": "2026-05-28 22:02:06,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28bcc3e",
            "parentcaller": "0x7ff6c28baa3d",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000008a4"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\Nsi"
              },
              {
                "name": "IoControlCode",
                "value": "0x0012000f"
              },
              {
                "name": "InputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb1\\xa9t\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xd0\\xe5O\\x9e\\xf0\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\xeeO\\x9e\\xf0\\x00\\x00\\x00D\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xe6O\\x9e\\xf0\\x00\\x00\\x00\\xd8\\x00\\x00\\x00\\x00\\x00\\x00\\x00 \\xe9O\\x9e\\xf0\\x00\\x00\\x00X\\x02\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb1\\xa9t\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xd0\\xe5O\\x9e\\xf0\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\xeeO\\x9e\\xf0\\x00\\x00\\x00D\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xe6O\\x9e\\xf0\\x00\\x00\\x00\\xd8\\x00\\x00\\x00\\x00\\x00\\x00\\x00 \\xe9O\\x9e\\xf0\\x00\\x00\\x00X\\x02\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 19869
          },
          {
            "timestamp": "2026-05-28 22:02:06,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28bcc3e",
            "parentcaller": "0x7ff6c28baa3d",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a9c"
              }
            ],
            "repeated": 0,
            "id": 19870
          },
          {
            "timestamp": "2026-05-28 22:02:06,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28bcd3d",
            "parentcaller": "0x7ff6c28baa3d",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000a9c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0012019f",
                "pretty_value": "FILE_GENERIC_READ|FILE_GENERIC_WRITE"
              },
              {
                "name": "FileName",
                "value": "\\Device\\{4C572733-2FBA-4346-9601-F86DBA666EF2}"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 19871
          },
          {
            "timestamp": "2026-05-28 22:02:06,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28bcd94",
            "parentcaller": "0x7ff6c28baa3d",
            "category": "device",
            "api": "DeviceIoControl",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "DeviceHandle",
                "value": "0x00000a9c"
              },
              {
                "name": "IoControlCode",
                "value": "0x0017003e"
              },
              {
                "name": "InBuffer",
                "value": "\\x07\\x01\\x01\\x00\\x04\\x01\\x01\\x80\\x14\\x01\\x01\\x80\\x01\\x01\\x02\\x00\\x02\\x01\\x02\\x00\\x03\\x01\\x02\\x00\\x04\\x01\\x02\\x00\\x08\\x02\\x02\\x80\\x01\\x02\\x02\\x80\\x07\\x02\\x02\\x80\\xff\\xff\\xff\\x80\\x13\\x02\\x02\\x80\\x14\\x02\\x02\\x80\\x15\\x02\\x02\\x80\\x02\\x02\\x01\\x80"
              },
              {
                "name": "OutBuffer",
                "value": "\\x07\\x01\\x01\\x00\\x04\\x00\\x00\\x00\\x80\\x96\\x98\\x00\\x04\\x01\\x01\\x80\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x14\\x01\\x01\\x80\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x01\\x02\\x00\\x08\\x00\\x00\\x00#\\x0e\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x01\\x02\\x00\\x08\\x00\\x00\\x00\\C\\x00\\x00\\x00\\x00\\x00\\x00\\x03\\x01\\x02\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x04\\x01\\x02\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x08\\x02\\x02\\x80\\x08\\x00\\x00\\x00WC\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x02\\x02\\x80\\x08\\x00\\x00\\x00\\xa1\\x17?\\x00\\x00\\x00\\x00\\x00\\x07\\x02\\x02\\x80\\x08\\x00\\x00\\x00d\\x1aF\\x01\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\x80\\x04\\x00\\x00\\x00H\\x00\\x00\\x00\\x13\\x02\\x02\\x80\\x04\\x00\\x00\\x00m\\x00\\x00\\x00\\x14\\x02\\x02\\x80\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x15\\x02\\x02\\x80\\x04\\x00\\x00\\x00\\x00\\x00\\x04\\x00\\x02\\x02\\x01\\x80\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 19872
          },
          {
            "timestamp": "2026-05-28 22:02:06,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28bcdab",
            "parentcaller": "0x7ff6c28baa3d",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a9c"
              }
            ],
            "repeated": 0,
            "id": 19873
          },
          {
            "timestamp": "2026-05-28 22:02:06,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28c1a63",
            "parentcaller": "0x7ff6c28d9152",
            "category": "device",
            "api": "DeviceIoControl",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "DeviceHandle",
                "value": "0x0000089c"
              },
              {
                "name": "IoControlCode",
                "value": "0x00070020"
              },
              {
                "name": "InBuffer",
                "value": ""
              },
              {
                "name": "OutBuffer",
                "value": "\\x00\\xc6Dt\\x00\\x00\\x00\\x00\\x000\\xb5\\x08\\x00\\x00\\x00\\x00\\xa9b\\xcb\\x1e\\x00\\x00\\x00\\x00Y\\x19u\\x11\\x00\\x00\\x00\\x00\\xe5\\x01\\xe0\\x1c\\x00\\x00\\x00\\x00\\x88j\\x00\\x00\\x06\\x0e\\x00\\x00\\x00\\x00\\x00\\x00>\\x04\\x00\\x00\\x16Hm\\x9f\\xed\\xee\\xdc\\x01\\x00\\x00\\x00\\x00P\\x00a\\x00r\\x00t\\x00m\\x00g\\x00r\\x00 \\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 19874
          },
          {
            "timestamp": "2026-05-28 22:02:06,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28ca352",
            "parentcaller": "0x7ff6c28ca1d6",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 19875
          },
          {
            "timestamp": "2026-05-28 22:02:06,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28ca352",
            "parentcaller": "0x7ff6c28ca1d6",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "0",
                "pretty_value": "ThreadBasicInformation"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x03\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb0\\x88\\x9d\\xf0\\x00\\x00\\x00\\xe8\\x1e\\x00\\x00\\x00\\x00\\x00\\x00\\x9c!\\x00\\x00\\x00\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x0b\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "8604"
              }
            ],
            "repeated": 0,
            "id": 19876
          },
          {
            "timestamp": "2026-05-28 22:02:06,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28ca352",
            "parentcaller": "0x7ff6c28ca1d6",
            "category": "system",
            "api": "GetSystemTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 1,
            "id": 19877
          },
          {
            "timestamp": "2026-05-28 22:02:06,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28ca352",
            "parentcaller": "0x7ff6c28ca1d6",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000410"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\PcwDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00224013"
              },
              {
                "name": "InputBuffer",
                "value": "\\x00\t\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": "\\xe0G\\x00\\x00\\x10\\x00\\x00\\x00\\x0c\\x00\\x00\\x00\\x00\\x00\\x00\\x00`\\x14\\x00\\x00 \\x00\\x00\\x00!\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\n\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x98\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x88\\x00\\x00\\x00\\x01\\x00\\x00\\x00p\\x00i\\x00d\\x00_\\x004\\x00_\\x00l\\x00u\\x00i\\x00d\\x00_\\x000\\x00x\\x000\\x000\\x000\\x000\\x000\\x000\\x000\\x000\\x00_\\x000\\x00x\\x000\\x000\\x000\\x000\\x006\\x001\\x006\\x00A\\x00_\\x00p\\x00h\\x00y\\x00s\\x00_\\x000\\x00_\\x00e\\x00n\\x00g\\x00_\\x000\\x00_\\x00e\\x00n\\x00g\\x00t\\x00y\\x00p\\x00e\\x00_\\x003\\x00D\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x01\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x98\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x88\\x00\\x00\\x00\\x01\\x00\\x00\\x00p\\x00i\\x00d\\x00_\\x004\\x00_\\x00l\\x00u\\x00i\\x00d\\x00_\\x000\\x00x\\x000\\x000\\x000\\x000\\x000\\x000\\x000\\x00"
              }
            ],
            "repeated": 0,
            "id": 19878
          },
          {
            "timestamp": "2026-05-28 22:02:06,365",
            "thread_id": "1496",
            "caller": "0x7ff6c2958576",
            "parentcaller": "0x7ff6c2957a42",
            "category": "misc",
            "api": "NtQuerySystemInformation",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SystemInformationClass",
                "value": "3",
                "pretty_value": "FILE_OPEN_IF"
              }
            ],
            "repeated": 0,
            "id": 19879
          },
          {
            "timestamp": "2026-05-28 22:02:06,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28f9829",
            "parentcaller": "0x7ff6c28d8f00",
            "category": "windows",
            "api": "PostMessageW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "WindowHandle",
                "value": "0x000203fa"
              },
              {
                "name": "Message",
                "value": "0x000004e1"
              }
            ],
            "repeated": 0,
            "id": 19880
          },
          {
            "timestamp": "2026-05-28 22:02:06,365",
            "thread_id": "1276",
            "caller": "0x7ff6c28d9214",
            "parentcaller": "0x00000000",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "0",
                "pretty_value": "ThreadBasicInformation"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x03\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xd0\\x87\\x9d\\xf0\\x00\\x00\\x00\\xe8\\x1e\\x00\\x00\\x00\\x00\\x00\\x00\\xfc\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\n\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "1276"
              }
            ],
            "repeated": 0,
            "id": 19881
          },
          {
            "timestamp": "2026-05-28 22:02:06,365",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000000",
                "pretty_value": "HKEY_CLASSES_ROOT"
              },
              {
                "name": "SubKey",
                "value": "CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_CLASSES_ROOT\\CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              }
            ],
            "repeated": 0,
            "id": 19882
          },
          {
            "timestamp": "2026-05-28 22:02:06,365",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "shell32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76730000"
              }
            ],
            "repeated": 0,
            "id": 19883
          },
          {
            "timestamp": "2026-05-28 22:02:06,365",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x7ffc76730000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "shell32.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 19884
          },
          {
            "timestamp": "2026-05-28 22:02:06,365",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "SHELL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc76730000"
              },
              {
                "name": "FunctionName",
                "value": "DllGetClassObject"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc767878f0"
              }
            ],
            "repeated": 0,
            "id": 19885
          },
          {
            "timestamp": "2026-05-28 22:02:06,365",
            "thread_id": "1276",
            "caller": "0x7ff6c28c27c9",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "synchronization",
            "api": "NtFindAtom",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "AtomName",
                "value": "{57086C23-86C6-478F-AFB2-236188C8F47F} 3"
              },
              {
                "name": "Atom",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 19886
          },
          {
            "timestamp": "2026-05-28 22:02:06,365",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000000",
                "pretty_value": "HKEY_CLASSES_ROOT"
              },
              {
                "name": "SubKey",
                "value": "CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_CLASSES_ROOT\\CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              }
            ],
            "repeated": 0,
            "id": 19887
          },
          {
            "timestamp": "2026-05-28 22:02:06,365",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "shell32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76730000"
              }
            ],
            "repeated": 0,
            "id": 19888
          },
          {
            "timestamp": "2026-05-28 22:02:06,365",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x7ffc76730000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "shell32.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 19889
          },
          {
            "timestamp": "2026-05-28 22:02:06,365",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "SHELL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc76730000"
              },
              {
                "name": "FunctionName",
                "value": "DllGetClassObject"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc767878f0"
              }
            ],
            "repeated": 0,
            "id": 19890
          },
          {
            "timestamp": "2026-05-28 22:02:06,365",
            "thread_id": "1276",
            "caller": "0x7ff6c28c27c9",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "synchronization",
            "api": "NtFindAtom",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "AtomName",
                "value": "{57086C23-86C6-478F-AFB2-236188C8F47F} 3"
              },
              {
                "name": "Atom",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 19891
          },
          {
            "timestamp": "2026-05-28 22:02:06,365",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000000",
                "pretty_value": "HKEY_CLASSES_ROOT"
              },
              {
                "name": "SubKey",
                "value": "CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_CLASSES_ROOT\\CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              }
            ],
            "repeated": 0,
            "id": 19892
          },
          {
            "timestamp": "2026-05-28 22:02:06,365",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "shell32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76730000"
              }
            ],
            "repeated": 0,
            "id": 19893
          },
          {
            "timestamp": "2026-05-28 22:02:06,365",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x7ffc76730000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "shell32.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 19894
          },
          {
            "timestamp": "2026-05-28 22:02:06,365",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "SHELL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc76730000"
              },
              {
                "name": "FunctionName",
                "value": "DllGetClassObject"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc767878f0"
              }
            ],
            "repeated": 0,
            "id": 19895
          },
          {
            "timestamp": "2026-05-28 22:02:06,365",
            "thread_id": "1276",
            "caller": "0x7ff6c28c27c9",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "synchronization",
            "api": "NtFindAtom",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "AtomName",
                "value": "{57086C23-86C6-478F-AFB2-236188C8F47F} 3"
              },
              {
                "name": "Atom",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 19896
          },
          {
            "timestamp": "2026-05-28 22:02:06,365",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000000",
                "pretty_value": "HKEY_CLASSES_ROOT"
              },
              {
                "name": "SubKey",
                "value": "CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_CLASSES_ROOT\\CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              }
            ],
            "repeated": 0,
            "id": 19897
          },
          {
            "timestamp": "2026-05-28 22:02:06,365",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "shell32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76730000"
              }
            ],
            "repeated": 0,
            "id": 19898
          },
          {
            "timestamp": "2026-05-28 22:02:06,365",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x7ffc76730000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "shell32.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 19899
          },
          {
            "timestamp": "2026-05-28 22:02:06,365",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "SHELL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc76730000"
              },
              {
                "name": "FunctionName",
                "value": "DllGetClassObject"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc767878f0"
              }
            ],
            "repeated": 0,
            "id": 19900
          },
          {
            "timestamp": "2026-05-28 22:02:06,365",
            "thread_id": "1276",
            "caller": "0x7ff6c28c27c9",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "synchronization",
            "api": "NtFindAtom",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "AtomName",
                "value": "{57086C23-86C6-478F-AFB2-236188C8F47F} 3"
              },
              {
                "name": "Atom",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 19901
          },
          {
            "timestamp": "2026-05-28 22:02:06,365",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000000",
                "pretty_value": "HKEY_CLASSES_ROOT"
              },
              {
                "name": "SubKey",
                "value": "CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_CLASSES_ROOT\\CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              }
            ],
            "repeated": 0,
            "id": 19902
          },
          {
            "timestamp": "2026-05-28 22:02:06,365",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "shell32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76730000"
              }
            ],
            "repeated": 0,
            "id": 19903
          },
          {
            "timestamp": "2026-05-28 22:02:06,365",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x7ffc76730000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "shell32.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 19904
          },
          {
            "timestamp": "2026-05-28 22:02:06,365",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "SHELL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc76730000"
              },
              {
                "name": "FunctionName",
                "value": "DllGetClassObject"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc767878f0"
              }
            ],
            "repeated": 0,
            "id": 19905
          },
          {
            "timestamp": "2026-05-28 22:02:06,365",
            "thread_id": "1276",
            "caller": "0x7ff6c28c27c9",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "synchronization",
            "api": "NtFindAtom",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "AtomName",
                "value": "{57086C23-86C6-478F-AFB2-236188C8F47F} 3"
              },
              {
                "name": "Atom",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 19906
          },
          {
            "timestamp": "2026-05-28 22:02:06,365",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000000",
                "pretty_value": "HKEY_CLASSES_ROOT"
              },
              {
                "name": "SubKey",
                "value": "CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_CLASSES_ROOT\\CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              }
            ],
            "repeated": 0,
            "id": 19907
          },
          {
            "timestamp": "2026-05-28 22:02:06,365",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "shell32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76730000"
              }
            ],
            "repeated": 0,
            "id": 19908
          },
          {
            "timestamp": "2026-05-28 22:02:06,365",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x7ffc76730000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "shell32.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 19909
          },
          {
            "timestamp": "2026-05-28 22:02:06,365",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "SHELL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc76730000"
              },
              {
                "name": "FunctionName",
                "value": "DllGetClassObject"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc767878f0"
              }
            ],
            "repeated": 0,
            "id": 19910
          },
          {
            "timestamp": "2026-05-28 22:02:06,365",
            "thread_id": "1276",
            "caller": "0x7ff6c28c27c9",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "synchronization",
            "api": "NtFindAtom",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "AtomName",
                "value": "{57086C23-86C6-478F-AFB2-236188C8F47F} 3"
              },
              {
                "name": "Atom",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 19911
          },
          {
            "timestamp": "2026-05-28 22:02:06,381",
            "thread_id": "1276",
            "caller": "0x7ff6c28d9322",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "oleaut32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc77330000"
              }
            ],
            "repeated": 0,
            "id": 19912
          },
          {
            "timestamp": "2026-05-28 22:02:06,381",
            "thread_id": "5448",
            "caller": "0x7ff6c28bb952",
            "parentcaller": "0x7ff6c28be837",
            "category": "windows",
            "api": "PostMessageW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "WindowHandle",
                "value": "0x00010402"
              },
              {
                "name": "Message",
                "value": "0x00000464"
              }
            ],
            "repeated": 0,
            "id": 19913
          },
          {
            "timestamp": "2026-05-28 22:02:06,381",
            "thread_id": "608",
            "caller": "0x7ff6c28d9e90",
            "parentcaller": "0x7ff6c28d9a49",
            "category": "windows",
            "api": "FindWindowW",
            "status": true,
            "return": "0x00010092",
            "arguments": [
              {
                "name": "ClassName",
                "value": "Shell_TrayWnd"
              },
              {
                "name": "WindowName",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 19914
          },
          {
            "timestamp": "2026-05-28 22:02:06,381",
            "thread_id": "1276",
            "caller": "0x7ffc77bf0e98",
            "parentcaller": "0x7ffc77c6b785",
            "category": "windows",
            "api": "PostMessageW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "WindowHandle",
                "value": "0x00010438"
              },
              {
                "name": "Message",
                "value": "0x00000400"
              }
            ],
            "repeated": 0,
            "id": 19915
          },
          {
            "timestamp": "2026-05-28 22:02:06,396",
            "thread_id": "1496",
            "caller": "0x7ff6c28da9db",
            "parentcaller": "0x7ff6c28d6fb1",
            "category": "misc",
            "api": "GetCursorPos",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "x",
                "value": "1055"
              },
              {
                "name": "y",
                "value": "786"
              }
            ],
            "repeated": 0,
            "id": 19916
          },
          {
            "timestamp": "2026-05-28 22:02:06,396",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6fb1",
            "parentcaller": "0x7ff6c28e0076",
            "category": "system",
            "api": "NtDelayExecution",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 19917
          },
          {
            "timestamp": "2026-05-28 22:02:06,428",
            "thread_id": "1496",
            "caller": "0x7ff6c28da9db",
            "parentcaller": "0x7ff6c28d6fb1",
            "category": "misc",
            "api": "GetCursorPos",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "x",
                "value": "1055"
              },
              {
                "name": "y",
                "value": "785"
              }
            ],
            "repeated": 0,
            "id": 19918
          },
          {
            "timestamp": "2026-05-28 22:02:06,428",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6fb1",
            "parentcaller": "0x7ff6c28e0076",
            "category": "system",
            "api": "NtDelayExecution",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 19919
          },
          {
            "timestamp": "2026-05-28 22:02:06,443",
            "thread_id": "1496",
            "caller": "0x7ff6c28da9db",
            "parentcaller": "0x7ff6c28d6fb1",
            "category": "misc",
            "api": "GetCursorPos",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "x",
                "value": "1055"
              },
              {
                "name": "y",
                "value": "784"
              }
            ],
            "repeated": 0,
            "id": 19920
          },
          {
            "timestamp": "2026-05-28 22:02:06,443",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6fb1",
            "parentcaller": "0x7ff6c28e0076",
            "category": "system",
            "api": "NtDelayExecution",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 19921
          },
          {
            "timestamp": "2026-05-28 22:02:06,475",
            "thread_id": "1276",
            "caller": "0x7ffc77bf0e98",
            "parentcaller": "0x7ffc77c6b785",
            "category": "windows",
            "api": "PostMessageW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "WindowHandle",
                "value": "0x00010424"
              },
              {
                "name": "Message",
                "value": "0x00000400"
              }
            ],
            "repeated": 0,
            "id": 19922
          },
          {
            "timestamp": "2026-05-28 22:02:06,490",
            "thread_id": "1496",
            "caller": "0x7ff6c28da9db",
            "parentcaller": "0x7ff6c28d6fb1",
            "category": "misc",
            "api": "GetCursorPos",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "x",
                "value": "1055"
              },
              {
                "name": "y",
                "value": "783"
              }
            ],
            "repeated": 0,
            "id": 19923
          },
          {
            "timestamp": "2026-05-28 22:02:06,490",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6fb1",
            "parentcaller": "0x7ff6c28e0076",
            "category": "system",
            "api": "NtDelayExecution",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 19924
          },
          {
            "timestamp": "2026-05-28 22:02:06,490",
            "thread_id": "1496",
            "caller": "0x7ff6c28da9db",
            "parentcaller": "0x7ff6c28d6fb1",
            "category": "misc",
            "api": "GetCursorPos",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "x",
                "value": "1055"
              },
              {
                "name": "y",
                "value": "782"
              }
            ],
            "repeated": 0,
            "id": 19925
          },
          {
            "timestamp": "2026-05-28 22:02:06,490",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6fb1",
            "parentcaller": "0x7ff6c28e0076",
            "category": "system",
            "api": "NtDelayExecution",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 19926
          },
          {
            "timestamp": "2026-05-28 22:02:06,537",
            "thread_id": "1496",
            "caller": "0x7ff6c28da9db",
            "parentcaller": "0x7ff6c28d6fb1",
            "category": "misc",
            "api": "GetCursorPos",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "x",
                "value": "1056"
              },
              {
                "name": "y",
                "value": "777"
              }
            ],
            "repeated": 1,
            "id": 19927
          },
          {
            "timestamp": "2026-05-28 22:02:06,537",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6fb1",
            "parentcaller": "0x7ff6c28e0076",
            "category": "system",
            "api": "NtDelayExecution",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 19928
          },
          {
            "timestamp": "2026-05-28 22:02:06,537",
            "thread_id": "1496",
            "caller": "0x7ff6c28da9db",
            "parentcaller": "0x7ff6c28d6fb1",
            "category": "misc",
            "api": "GetCursorPos",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "x",
                "value": "1056"
              },
              {
                "name": "y",
                "value": "776"
              }
            ],
            "repeated": 0,
            "id": 19929
          },
          {
            "timestamp": "2026-05-28 22:02:06,537",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6fb1",
            "parentcaller": "0x7ff6c28e0076",
            "category": "system",
            "api": "NtDelayExecution",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 19930
          },
          {
            "timestamp": "2026-05-28 22:02:06,553",
            "thread_id": "1496",
            "caller": "0x7ff6c28da9db",
            "parentcaller": "0x7ff6c28d6fb1",
            "category": "misc",
            "api": "GetCursorPos",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "x",
                "value": "1056"
              },
              {
                "name": "y",
                "value": "775"
              }
            ],
            "repeated": 0,
            "id": 19931
          },
          {
            "timestamp": "2026-05-28 22:02:06,553",
            "thread_id": "1496",
            "caller": "0x7ff6c28da9db",
            "parentcaller": "0x7ff6c28d6fb1",
            "category": "misc",
            "api": "GetCursorPos",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "x",
                "value": "1056"
              },
              {
                "name": "y",
                "value": "774"
              }
            ],
            "repeated": 0,
            "id": 19932
          },
          {
            "timestamp": "2026-05-28 22:02:06,553",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6fb1",
            "parentcaller": "0x7ff6c28e0076",
            "category": "system",
            "api": "NtDelayExecution",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 19933
          },
          {
            "timestamp": "2026-05-28 22:02:06,568",
            "thread_id": "1496",
            "caller": "0x7ff6c28da9db",
            "parentcaller": "0x7ff6c28d6fb1",
            "category": "misc",
            "api": "GetCursorPos",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "x",
                "value": "1055"
              },
              {
                "name": "y",
                "value": "769"
              }
            ],
            "repeated": 0,
            "id": 19934
          },
          {
            "timestamp": "2026-05-28 22:02:06,568",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6fb1",
            "parentcaller": "0x7ff6c28e0076",
            "category": "system",
            "api": "NtDelayExecution",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 19935
          },
          {
            "timestamp": "2026-05-28 22:02:06,600",
            "thread_id": "1496",
            "caller": "0x7ff6c28da9db",
            "parentcaller": "0x7ff6c28d6fb1",
            "category": "misc",
            "api": "GetCursorPos",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "x",
                "value": "1054"
              },
              {
                "name": "y",
                "value": "768"
              }
            ],
            "repeated": 0,
            "id": 19936
          },
          {
            "timestamp": "2026-05-28 22:02:06,600",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6fb1",
            "parentcaller": "0x7ff6c28e0076",
            "category": "system",
            "api": "NtDelayExecution",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 19937
          },
          {
            "timestamp": "2026-05-28 22:02:06,600",
            "thread_id": "1496",
            "caller": "0x7ff6c28da9db",
            "parentcaller": "0x7ff6c28d6fb1",
            "category": "misc",
            "api": "GetCursorPos",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "x",
                "value": "1051"
              },
              {
                "name": "y",
                "value": "761"
              }
            ],
            "repeated": 0,
            "id": 19938
          },
          {
            "timestamp": "2026-05-28 22:02:06,600",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6fb1",
            "parentcaller": "0x7ff6c28e0076",
            "category": "system",
            "api": "NtDelayExecution",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 19939
          },
          {
            "timestamp": "2026-05-28 22:02:06,631",
            "thread_id": "1496",
            "caller": "0x7ff6c28da9db",
            "parentcaller": "0x7ff6c28d6fb1",
            "category": "misc",
            "api": "GetCursorPos",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "x",
                "value": "1040"
              },
              {
                "name": "y",
                "value": "743"
              }
            ],
            "repeated": 1,
            "id": 19940
          },
          {
            "timestamp": "2026-05-28 22:02:06,631",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6fb1",
            "parentcaller": "0x7ff6c28e0076",
            "category": "system",
            "api": "NtDelayExecution",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 19941
          },
          {
            "timestamp": "2026-05-28 22:02:06,631",
            "thread_id": "1496",
            "caller": "0x7ff6c28da9db",
            "parentcaller": "0x7ff6c28d6fb1",
            "category": "misc",
            "api": "GetCursorPos",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "x",
                "value": "1037"
              },
              {
                "name": "y",
                "value": "742"
              }
            ],
            "repeated": 0,
            "id": 19942
          },
          {
            "timestamp": "2026-05-28 22:02:06,631",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6fb1",
            "parentcaller": "0x7ff6c28e0076",
            "category": "system",
            "api": "NtDelayExecution",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 19943
          },
          {
            "timestamp": "2026-05-28 22:02:06,678",
            "thread_id": "1496",
            "caller": "0x7ff6c28da9db",
            "parentcaller": "0x7ff6c28d6fb1",
            "category": "misc",
            "api": "GetCursorPos",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "x",
                "value": "1024"
              },
              {
                "name": "y",
                "value": "728"
              }
            ],
            "repeated": 0,
            "id": 19944
          },
          {
            "timestamp": "2026-05-28 22:02:06,678",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6fb1",
            "parentcaller": "0x7ff6c28e0076",
            "category": "system",
            "api": "NtDelayExecution",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 19945
          },
          {
            "timestamp": "2026-05-28 22:02:06,678",
            "thread_id": "1496",
            "caller": "0x7ff6c28da9db",
            "parentcaller": "0x7ff6c28d6fb1",
            "category": "misc",
            "api": "GetCursorPos",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "x",
                "value": "1022"
              },
              {
                "name": "y",
                "value": "726"
              }
            ],
            "repeated": 0,
            "id": 19946
          },
          {
            "timestamp": "2026-05-28 22:02:06,678",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6fb1",
            "parentcaller": "0x7ff6c28e0076",
            "category": "system",
            "api": "NtDelayExecution",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 19947
          },
          {
            "timestamp": "2026-05-28 22:02:06,693",
            "thread_id": "1496",
            "caller": "0x7ff6c28da9db",
            "parentcaller": "0x7ff6c28d6fb1",
            "category": "misc",
            "api": "GetCursorPos",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "x",
                "value": "1021"
              },
              {
                "name": "y",
                "value": "725"
              }
            ],
            "repeated": 0,
            "id": 19948
          },
          {
            "timestamp": "2026-05-28 22:02:06,693",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6fb1",
            "parentcaller": "0x7ff6c28e0076",
            "category": "system",
            "api": "NtDelayExecution",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 19949
          },
          {
            "timestamp": "2026-05-28 22:02:06,693",
            "thread_id": "1496",
            "caller": "0x7ff6c28da9db",
            "parentcaller": "0x7ff6c28d6fb1",
            "category": "misc",
            "api": "GetCursorPos",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "x",
                "value": "1020"
              },
              {
                "name": "y",
                "value": "723"
              }
            ],
            "repeated": 0,
            "id": 19950
          },
          {
            "timestamp": "2026-05-28 22:02:06,693",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6fb1",
            "parentcaller": "0x7ff6c28e0076",
            "category": "system",
            "api": "NtDelayExecution",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 19951
          },
          {
            "timestamp": "2026-05-28 22:02:06,725",
            "thread_id": "1496",
            "caller": "0x7ff6c28da9db",
            "parentcaller": "0x7ff6c28d6fb1",
            "category": "misc",
            "api": "GetCursorPos",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "x",
                "value": "1003"
              },
              {
                "name": "y",
                "value": "710"
              }
            ],
            "repeated": 0,
            "id": 19952
          },
          {
            "timestamp": "2026-05-28 22:02:06,725",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6fb1",
            "parentcaller": "0x7ff6c28e0076",
            "category": "system",
            "api": "NtDelayExecution",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 19953
          },
          {
            "timestamp": "2026-05-28 22:02:06,740",
            "thread_id": "1496",
            "caller": "0x7ff6c28da9db",
            "parentcaller": "0x7ff6c28d6fb1",
            "category": "misc",
            "api": "GetCursorPos",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "x",
                "value": "1000"
              },
              {
                "name": "y",
                "value": "709"
              }
            ],
            "repeated": 0,
            "id": 19954
          },
          {
            "timestamp": "2026-05-28 22:02:06,740",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6fb1",
            "parentcaller": "0x7ff6c28e0076",
            "category": "system",
            "api": "NtDelayExecution",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 19955
          },
          {
            "timestamp": "2026-05-28 22:02:06,740",
            "thread_id": "1496",
            "caller": "0x7ff6c28da9db",
            "parentcaller": "0x7ff6c28d6fb1",
            "category": "misc",
            "api": "GetCursorPos",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "x",
                "value": "998"
              },
              {
                "name": "y",
                "value": "708"
              }
            ],
            "repeated": 0,
            "id": 19956
          },
          {
            "timestamp": "2026-05-28 22:02:06,740",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6fb1",
            "parentcaller": "0x7ff6c28e0076",
            "category": "system",
            "api": "NtDelayExecution",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 19957
          },
          {
            "timestamp": "2026-05-28 22:02:06,740",
            "thread_id": "1496",
            "caller": "0x7ff6c28da9db",
            "parentcaller": "0x7ff6c28d6fb1",
            "category": "misc",
            "api": "GetCursorPos",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "x",
                "value": "997"
              },
              {
                "name": "y",
                "value": "707"
              }
            ],
            "repeated": 0,
            "id": 19958
          },
          {
            "timestamp": "2026-05-28 22:02:06,740",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6fb1",
            "parentcaller": "0x7ff6c28e0076",
            "category": "system",
            "api": "NtDelayExecution",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 19959
          },
          {
            "timestamp": "2026-05-28 22:02:06,756",
            "thread_id": "1496",
            "caller": "0x7ff6c28da9db",
            "parentcaller": "0x7ff6c28d6fb1",
            "category": "misc",
            "api": "GetCursorPos",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "x",
                "value": "989"
              },
              {
                "name": "y",
                "value": "702"
              }
            ],
            "repeated": 1,
            "id": 19960
          },
          {
            "timestamp": "2026-05-28 22:02:06,756",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6fb1",
            "parentcaller": "0x7ff6c28e0076",
            "category": "system",
            "api": "NtDelayExecution",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 19961
          },
          {
            "timestamp": "2026-05-28 22:02:06,787",
            "thread_id": "1496",
            "caller": "0x7ff6c28da9db",
            "parentcaller": "0x7ff6c28d6fb1",
            "category": "misc",
            "api": "GetCursorPos",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "x",
                "value": "972"
              },
              {
                "name": "y",
                "value": "688"
              }
            ],
            "repeated": 0,
            "id": 19962
          },
          {
            "timestamp": "2026-05-28 22:02:06,787",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6fb1",
            "parentcaller": "0x7ff6c28e0076",
            "category": "system",
            "api": "NtDelayExecution",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 19963
          },
          {
            "timestamp": "2026-05-28 22:02:06,818",
            "thread_id": "1496",
            "caller": "0x7ff6c28da9db",
            "parentcaller": "0x7ff6c28d6fb1",
            "category": "misc",
            "api": "GetCursorPos",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "x",
                "value": "970"
              },
              {
                "name": "y",
                "value": "687"
              }
            ],
            "repeated": 0,
            "id": 19964
          },
          {
            "timestamp": "2026-05-28 22:02:06,818",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6fb1",
            "parentcaller": "0x7ff6c28e0076",
            "category": "system",
            "api": "NtDelayExecution",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 19965
          },
          {
            "timestamp": "2026-05-28 22:02:06,818",
            "thread_id": "1496",
            "caller": "0x7ff6c28da9db",
            "parentcaller": "0x7ff6c28d6fb1",
            "category": "misc",
            "api": "GetCursorPos",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "x",
                "value": "955"
              },
              {
                "name": "y",
                "value": "677"
              }
            ],
            "repeated": 0,
            "id": 19966
          },
          {
            "timestamp": "2026-05-28 22:02:06,818",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6fb1",
            "parentcaller": "0x7ff6c28e0076",
            "category": "system",
            "api": "NtDelayExecution",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 19967
          },
          {
            "timestamp": "2026-05-28 22:02:06,850",
            "thread_id": "1496",
            "caller": "0x7ff6c28da9db",
            "parentcaller": "0x7ff6c28d6fb1",
            "category": "misc",
            "api": "GetCursorPos",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "x",
                "value": "948"
              },
              {
                "name": "y",
                "value": "673"
              }
            ],
            "repeated": 0,
            "id": 19968
          },
          {
            "timestamp": "2026-05-28 22:02:06,850",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6fb1",
            "parentcaller": "0x7ff6c28e0076",
            "category": "system",
            "api": "NtDelayExecution",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 19969
          },
          {
            "timestamp": "2026-05-28 22:02:06,850",
            "thread_id": "1496",
            "caller": "0x7ff6c28da9db",
            "parentcaller": "0x7ff6c28d6fb1",
            "category": "misc",
            "api": "GetCursorPos",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "x",
                "value": "933"
              },
              {
                "name": "y",
                "value": "661"
              }
            ],
            "repeated": 0,
            "id": 19970
          },
          {
            "timestamp": "2026-05-28 22:02:06,850",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6fb1",
            "parentcaller": "0x7ff6c28e0076",
            "category": "system",
            "api": "NtDelayExecution",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 19971
          },
          {
            "timestamp": "2026-05-28 22:02:06,881",
            "thread_id": "1496",
            "caller": "0x7ff6c28da9db",
            "parentcaller": "0x7ff6c28d6fb1",
            "category": "misc",
            "api": "GetCursorPos",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "x",
                "value": "928"
              },
              {
                "name": "y",
                "value": "660"
              }
            ],
            "repeated": 0,
            "id": 19972
          },
          {
            "timestamp": "2026-05-28 22:02:06,881",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6fb1",
            "parentcaller": "0x7ff6c28e0076",
            "category": "system",
            "api": "NtDelayExecution",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 19973
          },
          {
            "timestamp": "2026-05-28 22:02:06,881",
            "thread_id": "1496",
            "caller": "0x7ff6c28da9db",
            "parentcaller": "0x7ff6c28d6fb1",
            "category": "misc",
            "api": "GetCursorPos",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "x",
                "value": "908"
              },
              {
                "name": "y",
                "value": "648"
              }
            ],
            "repeated": 0,
            "id": 19974
          },
          {
            "timestamp": "2026-05-28 22:02:06,912",
            "thread_id": "1496",
            "caller": "0x7ff6c28da9db",
            "parentcaller": "0x7ff6c28d6fb1",
            "category": "misc",
            "api": "GetCursorPos",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "x",
                "value": "897"
              },
              {
                "name": "y",
                "value": "642"
              }
            ],
            "repeated": 0,
            "id": 19975
          },
          {
            "timestamp": "2026-05-28 22:02:06,912",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6fb1",
            "parentcaller": "0x7ff6c28e0076",
            "category": "system",
            "api": "NtDelayExecution",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 19976
          },
          {
            "timestamp": "2026-05-28 22:02:06,943",
            "thread_id": "1496",
            "caller": "0x7ff6c28da9db",
            "parentcaller": "0x7ff6c28d6fb1",
            "category": "misc",
            "api": "GetCursorPos",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "x",
                "value": "896"
              },
              {
                "name": "y",
                "value": "641"
              }
            ],
            "repeated": 0,
            "id": 19977
          },
          {
            "timestamp": "2026-05-28 22:02:06,943",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6fb1",
            "parentcaller": "0x7ff6c28e0076",
            "category": "system",
            "api": "NtDelayExecution",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 19978
          },
          {
            "timestamp": "2026-05-28 22:02:06,943",
            "thread_id": "1496",
            "caller": "0x7ff6c28da9db",
            "parentcaller": "0x7ff6c28d6fb1",
            "category": "misc",
            "api": "GetCursorPos",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "x",
                "value": "894"
              },
              {
                "name": "y",
                "value": "641"
              }
            ],
            "repeated": 0,
            "id": 19979
          },
          {
            "timestamp": "2026-05-28 22:02:06,943",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6fb1",
            "parentcaller": "0x7ff6c28e0076",
            "category": "system",
            "api": "NtDelayExecution",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 19980
          },
          {
            "timestamp": "2026-05-28 22:02:06,990",
            "thread_id": "1496",
            "caller": "0x7ff6c28da9db",
            "parentcaller": "0x7ff6c28d6fb1",
            "category": "misc",
            "api": "GetCursorPos",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "x",
                "value": "893"
              },
              {
                "name": "y",
                "value": "641"
              }
            ],
            "repeated": 0,
            "id": 19981
          },
          {
            "timestamp": "2026-05-28 22:02:06,990",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6fb1",
            "parentcaller": "0x7ff6c28e0076",
            "category": "system",
            "api": "NtDelayExecution",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 19982
          },
          {
            "timestamp": "2026-05-28 22:02:07,068",
            "thread_id": "1496",
            "caller": "0x7ff6c28da9db",
            "parentcaller": "0x7ff6c28d6fb1",
            "category": "misc",
            "api": "GetCursorPos",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "x",
                "value": "890"
              },
              {
                "name": "y",
                "value": "641"
              }
            ],
            "repeated": 0,
            "id": 19983
          },
          {
            "timestamp": "2026-05-28 22:02:07,068",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6fb1",
            "parentcaller": "0x7ff6c28e0076",
            "category": "system",
            "api": "NtDelayExecution",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 19984
          },
          {
            "timestamp": "2026-05-28 22:02:07,100",
            "thread_id": "1496",
            "caller": "0x7ff6c28da9db",
            "parentcaller": "0x7ff6c28d6fb1",
            "category": "misc",
            "api": "GetCursorPos",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "x",
                "value": "882"
              },
              {
                "name": "y",
                "value": "640"
              }
            ],
            "repeated": 0,
            "id": 19985
          },
          {
            "timestamp": "2026-05-28 22:02:07,100",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6fb1",
            "parentcaller": "0x7ff6c28e0076",
            "category": "system",
            "api": "NtDelayExecution",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 19986
          },
          {
            "timestamp": "2026-05-28 22:02:07,131",
            "thread_id": "1496",
            "caller": "0x7ff6c28da9db",
            "parentcaller": "0x7ff6c28d6fb1",
            "category": "misc",
            "api": "GetCursorPos",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "x",
                "value": "881"
              },
              {
                "name": "y",
                "value": "640"
              }
            ],
            "repeated": 0,
            "id": 19987
          },
          {
            "timestamp": "2026-05-28 22:02:07,131",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6fb1",
            "parentcaller": "0x7ff6c28e0076",
            "category": "system",
            "api": "NtDelayExecution",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 19988
          },
          {
            "timestamp": "2026-05-28 22:02:07,131",
            "thread_id": "1496",
            "caller": "0x7ff6c28da9db",
            "parentcaller": "0x7ff6c28d6fb1",
            "category": "misc",
            "api": "GetCursorPos",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "x",
                "value": "877"
              },
              {
                "name": "y",
                "value": "639"
              }
            ],
            "repeated": 0,
            "id": 19989
          },
          {
            "timestamp": "2026-05-28 22:02:07,131",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6fb1",
            "parentcaller": "0x7ff6c28e0076",
            "category": "system",
            "api": "NtDelayExecution",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 19990
          },
          {
            "timestamp": "2026-05-28 22:02:07,162",
            "thread_id": "1496",
            "caller": "0x7ff6c28da9db",
            "parentcaller": "0x7ff6c28d6fb1",
            "category": "misc",
            "api": "GetCursorPos",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "x",
                "value": "876"
              },
              {
                "name": "y",
                "value": "639"
              }
            ],
            "repeated": 0,
            "id": 19991
          },
          {
            "timestamp": "2026-05-28 22:02:07,162",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6fb1",
            "parentcaller": "0x7ff6c28e0076",
            "category": "system",
            "api": "NtDelayExecution",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 19992
          },
          {
            "timestamp": "2026-05-28 22:02:07,318",
            "thread_id": "1496",
            "caller": "0x7ff6c28da9db",
            "parentcaller": "0x7ff6c28d6fb1",
            "category": "misc",
            "api": "GetCursorPos",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "x",
                "value": "876"
              },
              {
                "name": "y",
                "value": "638"
              }
            ],
            "repeated": 0,
            "id": 19993
          },
          {
            "timestamp": "2026-05-28 22:02:07,318",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6fb1",
            "parentcaller": "0x7ff6c28e0076",
            "category": "system",
            "api": "NtDelayExecution",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 19994
          },
          {
            "timestamp": "2026-05-28 22:02:07,365",
            "thread_id": "5448",
            "caller": "0x7ff6c28bd9af",
            "parentcaller": "0x7ff6c28d9f92",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "23"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x00?\\xf6Y\\x00\\x00\\x00\\x00\\xf0\\xc9T\\x8fG\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "5448"
              }
            ],
            "repeated": 0,
            "id": 19995
          },
          {
            "timestamp": "2026-05-28 22:02:07,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28c4a58",
            "parentcaller": "0x7ff6c28bab11",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000410"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\PcwDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00224013"
              },
              {
                "name": "InputBuffer",
                "value": "\\x88\\x08\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": "x\\x02\\x00\\x00\\x10\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00h\\x02\\x00\\x00 \\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01<\\x06\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x90\\x00\\x00\\x00\\x00\\x00\\x00\\x00 \\x00\\x00\\x00\\x07\\x00\\x00\\x000\\x00,\\x000\\x00\\x00\\x00a\\x00n\\x00a\\x00g\\x00\\x10\\x00\\x00\\x00\\x10\\x00\\x04\\x00\\x00\\x00\\x00\\x00A\\x00p\\x00\\x10\\x00\\x00\\x00\\x1a\\x00\\x08\\x00\\x9cp\\x1f\\x8b\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x1b\\x00\\x04\\x00\\xba\\x02\\xe7\\x02S\\x00e\\x00\\x10\\x00\\x00\\x00\\x1c\\x00\\x08\\x00\\x8b\\xc2\\xc4\\x08\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x1d\\x00\\x04\\x00\\xba\\x02\\xe7\\x02)\\x00\\x00\\x00\\x10\\x00\\x00\\x00!\\x00\\x08\\x00J\\x1d\\x11\\x08\\x14\\x00\\x00\\x00\\x10\\x00\\x00\\x00\"\\x00\\x04\\x00\\x87'd\\x01o\\x00f\\x00\\x90\\x00\\x00\\x00\\x01\\x00\\x00\\x00 \\x00\\x00\\x00\\x07\\x00\\x00\\x000\\x00,\\x001\\x00\\x00\\x00n\\x00t\\x00\\x00\\x00A\\x00\\x10\\x00\\x00\\x00\\x10\\x00\\x04\\x00\\x00\\x00\\x00\\x00e\\x00n\\x00\\x10\\x00\\x00\\x00\\x1a\\x00\\x08\\x00\\xa9\\xd2\\xc4\\x8a\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 19996
          },
          {
            "timestamp": "2026-05-28 22:02:07,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28c7164",
            "parentcaller": "0x7ff6c28c4d2d",
            "category": "misc",
            "api": "NtQuerySystemInformation",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "SystemInformationClass",
                "value": "79"
              }
            ],
            "repeated": 0,
            "id": 19997
          },
          {
            "timestamp": "2026-05-28 22:02:07,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28c71d8",
            "parentcaller": "0x7ff6c28c4d2d",
            "category": "misc",
            "api": "NtQuerySystemInformation",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SystemInformationClass",
                "value": "79"
              }
            ],
            "repeated": 0,
            "id": 19998
          },
          {
            "timestamp": "2026-05-28 22:02:07,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28c4d5f",
            "parentcaller": "0x7ff6c28d9152",
            "category": "misc",
            "api": "NtQuerySystemInformation",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SystemInformationClass",
                "value": "182"
              }
            ],
            "repeated": 0,
            "id": 19999
          },
          {
            "timestamp": "2026-05-28 22:02:07,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28c4d76",
            "parentcaller": "0x7ff6c28d9152",
            "category": "misc",
            "api": "GetPhysicallyInstalledSystemMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TotalMemoryInKilobytes",
                "value": "8388608"
              }
            ],
            "repeated": 0,
            "id": 20000
          },
          {
            "timestamp": "2026-05-28 22:02:07,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28bcc3e",
            "parentcaller": "0x7ff6c28baa3d",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000008a4"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\Nsi"
              },
              {
                "name": "IoControlCode",
                "value": "0x00120007"
              },
              {
                "name": "InputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb1\\xa9t\\xfc\\x7f\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xc0\\xe5O\\x9e\\xf0\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb1\\xa9t\\xfc\\x7f\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xc0\\xe5O\\x9e\\xf0\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 20001
          },
          {
            "timestamp": "2026-05-28 22:02:07,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28bcc3e",
            "parentcaller": "0x7ff6c28baa3d",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a9c"
              }
            ],
            "repeated": 0,
            "id": 20002
          },
          {
            "timestamp": "2026-05-28 22:02:07,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28bcc3e",
            "parentcaller": "0x7ff6c28baa3d",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000008a4"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\Nsi"
              },
              {
                "name": "IoControlCode",
                "value": "0x0012000f"
              },
              {
                "name": "InputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb1\\xa9t\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xd0\\xe5O\\x9e\\xf0\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\xeeO\\x9e\\xf0\\x00\\x00\\x00D\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xe6O\\x9e\\xf0\\x00\\x00\\x00\\xd8\\x00\\x00\\x00\\x00\\x00\\x00\\x00 \\xe9O\\x9e\\xf0\\x00\\x00\\x00X\\x02\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb1\\xa9t\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xd0\\xe5O\\x9e\\xf0\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\xeeO\\x9e\\xf0\\x00\\x00\\x00D\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xe6O\\x9e\\xf0\\x00\\x00\\x00\\xd8\\x00\\x00\\x00\\x00\\x00\\x00\\x00 \\xe9O\\x9e\\xf0\\x00\\x00\\x00X\\x02\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 20003
          },
          {
            "timestamp": "2026-05-28 22:02:07,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28bcc3e",
            "parentcaller": "0x7ff6c28baa3d",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a9c"
              }
            ],
            "repeated": 0,
            "id": 20004
          },
          {
            "timestamp": "2026-05-28 22:02:07,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28bcd3d",
            "parentcaller": "0x7ff6c28baa3d",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000a9c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0012019f",
                "pretty_value": "FILE_GENERIC_READ|FILE_GENERIC_WRITE"
              },
              {
                "name": "FileName",
                "value": "\\Device\\{4C572733-2FBA-4346-9601-F86DBA666EF2}"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 20005
          },
          {
            "timestamp": "2026-05-28 22:02:07,365",
            "thread_id": "5448",
            "caller": "0x7ff6c28c63dd",
            "parentcaller": "0x7ff6c28bac26",
            "category": "misc",
            "api": "NtQuerySystemInformation",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SystemInformationClass",
                "value": "5",
                "pretty_value": "FILE_OVERWRITE_IF"
              }
            ],
            "repeated": 0,
            "id": 20006
          },
          {
            "timestamp": "2026-05-28 22:02:07,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28bcd94",
            "parentcaller": "0x7ff6c28baa3d",
            "category": "device",
            "api": "DeviceIoControl",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "DeviceHandle",
                "value": "0x00000a9c"
              },
              {
                "name": "IoControlCode",
                "value": "0x0017003e"
              },
              {
                "name": "InBuffer",
                "value": "\\x07\\x01\\x01\\x00\\x04\\x01\\x01\\x80\\x14\\x01\\x01\\x80\\x01\\x01\\x02\\x00\\x02\\x01\\x02\\x00\\x03\\x01\\x02\\x00\\x04\\x01\\x02\\x00\\x08\\x02\\x02\\x80\\x01\\x02\\x02\\x80\\x07\\x02\\x02\\x80\\xff\\xff\\xff\\x80\\x13\\x02\\x02\\x80\\x14\\x02\\x02\\x80\\x15\\x02\\x02\\x80\\x02\\x02\\x01\\x80"
              },
              {
                "name": "OutBuffer",
                "value": "\\x07\\x01\\x01\\x00\\x04\\x00\\x00\\x00\\x80\\x96\\x98\\x00\\x04\\x01\\x01\\x80\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x14\\x01\\x01\\x80\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x01\\x02\\x00\\x08\\x00\\x00\\x00\\x00\\x0f\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x01\\x02\\x00\\x08\\x00\\x00\\x00\\xc1D\\x00\\x00\\x00\\x00\\x00\\x00\\x03\\x01\\x02\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x04\\x01\\x02\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x08\\x02\\x02\\x80\\x08\\x00\\x00\\x00\\xbcD\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x02\\x02\\x80\\x08\\x00\\x00\\x00k\\xb0?\\x00\\x00\\x00\\x00\\x00\\x07\\x02\\x02\\x80\\x08\\x00\\x00\\x00W\\xa4K\\x01\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\x80\\x04\\x00\\x00\\x00I\\x00\\x00\\x00\\x13\\x02\\x02\\x80\\x04\\x00\\x00\\x00m\\x00\\x00\\x00\\x14\\x02\\x02\\x80\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x15\\x02\\x02\\x80\\x04\\x00\\x00\\x00\\x00\\x00\\x04\\x00\\x02\\x02\\x01\\x80\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 20007
          },
          {
            "timestamp": "2026-05-28 22:02:07,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28bcdab",
            "parentcaller": "0x7ff6c28baa3d",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a9c"
              }
            ],
            "repeated": 0,
            "id": 20008
          },
          {
            "timestamp": "2026-05-28 22:02:07,365",
            "thread_id": "5448",
            "caller": "0x7ff6c28bdaa2",
            "parentcaller": "0x7ff6c28d9f92",
            "category": "misc",
            "api": "NtQuerySystemInformation",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SystemInformationClass",
                "value": "3",
                "pretty_value": "FILE_OPEN_IF"
              }
            ],
            "repeated": 0,
            "id": 20009
          },
          {
            "timestamp": "2026-05-28 22:02:07,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28c1a63",
            "parentcaller": "0x7ff6c28d9152",
            "category": "device",
            "api": "DeviceIoControl",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "DeviceHandle",
                "value": "0x0000089c"
              },
              {
                "name": "IoControlCode",
                "value": "0x00070020"
              },
              {
                "name": "InBuffer",
                "value": ""
              },
              {
                "name": "OutBuffer",
                "value": "\\x00\\x1cgt\\x00\\x00\\x00\\x00\\x00\\x88\\xce\\x08\\x00\\x00\\x00\\x00?\\x8f\\xd0\\x1e\\x00\\x00\\x00\\x00\\xfeX\\xa4\\x11\\x00\\x00\\x00\\x00r\\x12I\\x1d\\x00\\x00\\x00\\x00\\xeej\\x00\\x00+\\x0e\\x00\\x00\\x00\\x00\\x00\\x00D\\x04\\x00\\x00\\xa4\\xd9\\x05\\xa0\\xed\\xee\\xdc\\x01\\x00\\x00\\x00\\x00P\\x00a\\x00r\\x00t\\x00m\\x00g\\x00r\\x00 \\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 20010
          },
          {
            "timestamp": "2026-05-28 22:02:07,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28ca352",
            "parentcaller": "0x7ff6c28ca1d6",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 20011
          },
          {
            "timestamp": "2026-05-28 22:02:07,365",
            "thread_id": "5448",
            "caller": "0x7ff6c28c4a58",
            "parentcaller": "0x7ff6c28c4bdc",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000410"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\PcwDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00224013"
              },
              {
                "name": "InputBuffer",
                "value": "\\x14\\x04\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": "\\xb8\\x01\\x00\\x00\\x10\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xa8\\x01\\x00\\x00 \\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x000\\x00\\x00\\x0c\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00`\\x00\\x00\\x00\\x00\\x00\\x00\\x00 \\x00\\x00\\x00\\x04\\x00\\x00\\x000\\x00,\\x000\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x04\\x00\\x08\\x00,\\xacm\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x05\\x00\\x08\\x00\\x08\\xdc`\\x01\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x1a\\x00\\x08\\x00>4 \\x8b\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x1b\\x00\\x04\\x00\\xaf\\x04\\xe7\\x02\\x00\\x00\\x00\\x00`\\x00\\x00\\x00\\x01\\x00\\x00\\x00 \\x00\\x00\\x00\\x04\\x00\\x00\\x000\\x00,\\x001\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x04\\x00\\x08\\x00\\xd0?D\\x01\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x05\\x00\\x08\\x00\\x1cN\\x0e\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x1a\\x00\\x08\\x00d\\x96\\xc5\\x8a\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x1b\\x00\\x04\\x00\\xb4\\x04\\xe7\\x02\\x00\\x00\\x00\\x00h\\x00\\x00\\x00\\x02\\x00\\x00\\x00(\\x00\\x00\\x00\\x04\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 20012
          },
          {
            "timestamp": "2026-05-28 22:02:07,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28ca352",
            "parentcaller": "0x7ff6c28ca1d6",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "0",
                "pretty_value": "ThreadBasicInformation"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x03\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb0\\x88\\x9d\\xf0\\x00\\x00\\x00\\xe8\\x1e\\x00\\x00\\x00\\x00\\x00\\x00\\x9c!\\x00\\x00\\x00\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x0b\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "8604"
              }
            ],
            "repeated": 0,
            "id": 20013
          },
          {
            "timestamp": "2026-05-28 22:02:07,365",
            "thread_id": "5448",
            "caller": "0x7ff6c28c4a58",
            "parentcaller": "0x7ff6c28c4c19",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000410"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\PcwDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00224013"
              },
              {
                "name": "InputBuffer",
                "value": "\\x18\\x04\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": "x\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00h\\x00\\x00\\x00 \\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00H\\x00\\x00\\x00\\x00\\x00\\x00\\x00(\\x00\\x00\\x00\\x02\\x00\\x00\\x00d\\x00e\\x00f\\x00a\\x00u\\x00l\\x00t\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x08\\x00\\x1b\\xe6L\\x9f\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x01\\x00\\x08\\x00\\x00\\x8e\\xac\n\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 20014
          },
          {
            "timestamp": "2026-05-28 22:02:07,365",
            "thread_id": "5448",
            "caller": "0x7ff6c28c6f7b",
            "parentcaller": "0x7ff6c28bdb94",
            "category": "misc",
            "api": "GlobalMemoryStatusEx",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "MemoryLoad",
                "value": "36"
              },
              {
                "name": "TotalPhysicalMB",
                "value": "8191"
              }
            ],
            "repeated": 0,
            "id": 20015
          },
          {
            "timestamp": "2026-05-28 22:02:07,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28ca352",
            "parentcaller": "0x7ff6c28ca1d6",
            "category": "system",
            "api": "GetSystemTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 1,
            "id": 20016
          },
          {
            "timestamp": "2026-05-28 22:02:07,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28ca352",
            "parentcaller": "0x7ff6c28ca1d6",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000410"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\PcwDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00224013"
              },
              {
                "name": "InputBuffer",
                "value": "\\x00\t\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": "\\xe0G\\x00\\x00\\x10\\x00\\x00\\x00\\x0c\\x00\\x00\\x00\\x00\\x00\\x00\\x00`\\x14\\x00\\x00 \\x00\\x00\\x00!\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\n\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x98\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x88\\x00\\x00\\x00\\x01\\x00\\x00\\x00p\\x00i\\x00d\\x00_\\x004\\x00_\\x00l\\x00u\\x00i\\x00d\\x00_\\x000\\x00x\\x000\\x000\\x000\\x000\\x000\\x000\\x000\\x000\\x00_\\x000\\x00x\\x000\\x000\\x000\\x000\\x006\\x001\\x006\\x00A\\x00_\\x00p\\x00h\\x00y\\x00s\\x00_\\x000\\x00_\\x00e\\x00n\\x00g\\x00_\\x000\\x00_\\x00e\\x00n\\x00g\\x00t\\x00y\\x00p\\x00e\\x00_\\x003\\x00D\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x01\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x98\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x88\\x00\\x00\\x00\\x01\\x00\\x00\\x00p\\x00i\\x00d\\x00_\\x004\\x00_\\x00l\\x00u\\x00i\\x00d\\x00_\\x000\\x00x\\x000\\x000\\x000\\x000\\x000\\x000\\x000\\x00"
              }
            ],
            "repeated": 0,
            "id": 20017
          },
          {
            "timestamp": "2026-05-28 22:02:07,365",
            "thread_id": "5448",
            "caller": "0x7ff6c28c068f",
            "parentcaller": "0x7ff6c28bdc11",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a9c"
              }
            ],
            "repeated": 0,
            "id": 20018
          },
          {
            "timestamp": "2026-05-28 22:02:07,365",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c6d7d",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a9c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001400",
                "pretty_value": "PROCESS_QUERY_INFORMATION|PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "748"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe"
              }
            ],
            "repeated": 0,
            "id": 20019
          },
          {
            "timestamp": "2026-05-28 22:02:07,365",
            "thread_id": "5448",
            "caller": "0x7ff6c28c6de3",
            "parentcaller": "0x7ff6c28c087c",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a9c"
              }
            ],
            "repeated": 0,
            "id": 20020
          },
          {
            "timestamp": "2026-05-28 22:02:07,365",
            "thread_id": "1276",
            "caller": "0x7ff6c28d9214",
            "parentcaller": "0x00000000",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "0",
                "pretty_value": "ThreadBasicInformation"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x03\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xd0\\x87\\x9d\\xf0\\x00\\x00\\x00\\xe8\\x1e\\x00\\x00\\x00\\x00\\x00\\x00\\xfc\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\n\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "1276"
              }
            ],
            "repeated": 0,
            "id": 20021
          },
          {
            "timestamp": "2026-05-28 22:02:07,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28f9829",
            "parentcaller": "0x7ff6c28d8f00",
            "category": "windows",
            "api": "PostMessageW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "WindowHandle",
                "value": "0x000203fa"
              },
              {
                "name": "Message",
                "value": "0x000004e1"
              }
            ],
            "repeated": 0,
            "id": 20022
          },
          {
            "timestamp": "2026-05-28 22:02:07,365",
            "thread_id": "1496",
            "caller": "0x7ff6c2958576",
            "parentcaller": "0x7ff6c2957a42",
            "category": "misc",
            "api": "NtQuerySystemInformation",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SystemInformationClass",
                "value": "3",
                "pretty_value": "FILE_OPEN_IF"
              }
            ],
            "repeated": 0,
            "id": 20023
          },
          {
            "timestamp": "2026-05-28 22:02:07,365",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000000",
                "pretty_value": "HKEY_CLASSES_ROOT"
              },
              {
                "name": "SubKey",
                "value": "CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_CLASSES_ROOT\\CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              }
            ],
            "repeated": 0,
            "id": 20024
          },
          {
            "timestamp": "2026-05-28 22:02:07,365",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "shell32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76730000"
              }
            ],
            "repeated": 0,
            "id": 20025
          },
          {
            "timestamp": "2026-05-28 22:02:07,365",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x7ffc76730000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "shell32.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 20026
          },
          {
            "timestamp": "2026-05-28 22:02:07,365",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "SHELL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc76730000"
              },
              {
                "name": "FunctionName",
                "value": "DllGetClassObject"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc767878f0"
              }
            ],
            "repeated": 0,
            "id": 20027
          },
          {
            "timestamp": "2026-05-28 22:02:07,365",
            "thread_id": "1276",
            "caller": "0x7ff6c28c27c9",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "synchronization",
            "api": "NtFindAtom",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "AtomName",
                "value": "{57086C23-86C6-478F-AFB2-236188C8F47F} 3"
              },
              {
                "name": "Atom",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 20028
          },
          {
            "timestamp": "2026-05-28 22:02:07,365",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000000",
                "pretty_value": "HKEY_CLASSES_ROOT"
              },
              {
                "name": "SubKey",
                "value": "CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_CLASSES_ROOT\\CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              }
            ],
            "repeated": 0,
            "id": 20029
          },
          {
            "timestamp": "2026-05-28 22:02:07,365",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "shell32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76730000"
              }
            ],
            "repeated": 0,
            "id": 20030
          },
          {
            "timestamp": "2026-05-28 22:02:07,365",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x7ffc76730000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "shell32.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 20031
          },
          {
            "timestamp": "2026-05-28 22:02:07,365",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "SHELL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc76730000"
              },
              {
                "name": "FunctionName",
                "value": "DllGetClassObject"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc767878f0"
              }
            ],
            "repeated": 0,
            "id": 20032
          },
          {
            "timestamp": "2026-05-28 22:02:07,365",
            "thread_id": "1276",
            "caller": "0x7ff6c28c27c9",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "synchronization",
            "api": "NtFindAtom",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "AtomName",
                "value": "{57086C23-86C6-478F-AFB2-236188C8F47F} 3"
              },
              {
                "name": "Atom",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 20033
          },
          {
            "timestamp": "2026-05-28 22:02:07,365",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000000",
                "pretty_value": "HKEY_CLASSES_ROOT"
              },
              {
                "name": "SubKey",
                "value": "CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_CLASSES_ROOT\\CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              }
            ],
            "repeated": 0,
            "id": 20034
          },
          {
            "timestamp": "2026-05-28 22:02:07,365",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "shell32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76730000"
              }
            ],
            "repeated": 0,
            "id": 20035
          },
          {
            "timestamp": "2026-05-28 22:02:07,365",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x7ffc76730000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "shell32.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 20036
          },
          {
            "timestamp": "2026-05-28 22:02:07,365",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "SHELL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc76730000"
              },
              {
                "name": "FunctionName",
                "value": "DllGetClassObject"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc767878f0"
              }
            ],
            "repeated": 0,
            "id": 20037
          },
          {
            "timestamp": "2026-05-28 22:02:07,365",
            "thread_id": "1276",
            "caller": "0x7ff6c28c27c9",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "synchronization",
            "api": "NtFindAtom",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "AtomName",
                "value": "{57086C23-86C6-478F-AFB2-236188C8F47F} 3"
              },
              {
                "name": "Atom",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 20038
          },
          {
            "timestamp": "2026-05-28 22:02:07,365",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000000",
                "pretty_value": "HKEY_CLASSES_ROOT"
              },
              {
                "name": "SubKey",
                "value": "CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_CLASSES_ROOT\\CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              }
            ],
            "repeated": 0,
            "id": 20039
          },
          {
            "timestamp": "2026-05-28 22:02:07,365",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "shell32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76730000"
              }
            ],
            "repeated": 0,
            "id": 20040
          },
          {
            "timestamp": "2026-05-28 22:02:07,365",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x7ffc76730000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "shell32.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 20041
          },
          {
            "timestamp": "2026-05-28 22:02:07,365",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "SHELL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc76730000"
              },
              {
                "name": "FunctionName",
                "value": "DllGetClassObject"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc767878f0"
              }
            ],
            "repeated": 0,
            "id": 20042
          },
          {
            "timestamp": "2026-05-28 22:02:07,365",
            "thread_id": "1276",
            "caller": "0x7ff6c28c27c9",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "synchronization",
            "api": "NtFindAtom",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "AtomName",
                "value": "{57086C23-86C6-478F-AFB2-236188C8F47F} 3"
              },
              {
                "name": "Atom",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 20043
          },
          {
            "timestamp": "2026-05-28 22:02:07,365",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000000",
                "pretty_value": "HKEY_CLASSES_ROOT"
              },
              {
                "name": "SubKey",
                "value": "CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_CLASSES_ROOT\\CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              }
            ],
            "repeated": 0,
            "id": 20044
          },
          {
            "timestamp": "2026-05-28 22:02:07,365",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "shell32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76730000"
              }
            ],
            "repeated": 0,
            "id": 20045
          },
          {
            "timestamp": "2026-05-28 22:02:07,365",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x7ffc76730000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "shell32.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 20046
          },
          {
            "timestamp": "2026-05-28 22:02:07,365",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "SHELL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc76730000"
              },
              {
                "name": "FunctionName",
                "value": "DllGetClassObject"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc767878f0"
              }
            ],
            "repeated": 0,
            "id": 20047
          },
          {
            "timestamp": "2026-05-28 22:02:07,365",
            "thread_id": "1276",
            "caller": "0x7ff6c28c27c9",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "synchronization",
            "api": "NtFindAtom",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "AtomName",
                "value": "{57086C23-86C6-478F-AFB2-236188C8F47F} 3"
              },
              {
                "name": "Atom",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 20048
          },
          {
            "timestamp": "2026-05-28 22:02:07,365",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000000",
                "pretty_value": "HKEY_CLASSES_ROOT"
              },
              {
                "name": "SubKey",
                "value": "CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_CLASSES_ROOT\\CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              }
            ],
            "repeated": 0,
            "id": 20049
          },
          {
            "timestamp": "2026-05-28 22:02:07,365",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "shell32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76730000"
              }
            ],
            "repeated": 0,
            "id": 20050
          },
          {
            "timestamp": "2026-05-28 22:02:07,365",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x7ffc76730000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "shell32.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 20051
          },
          {
            "timestamp": "2026-05-28 22:02:07,365",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "SHELL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc76730000"
              },
              {
                "name": "FunctionName",
                "value": "DllGetClassObject"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc767878f0"
              }
            ],
            "repeated": 0,
            "id": 20052
          },
          {
            "timestamp": "2026-05-28 22:02:07,365",
            "thread_id": "1276",
            "caller": "0x7ff6c28c27c9",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "synchronization",
            "api": "NtFindAtom",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "AtomName",
                "value": "{57086C23-86C6-478F-AFB2-236188C8F47F} 3"
              },
              {
                "name": "Atom",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 20053
          },
          {
            "timestamp": "2026-05-28 22:02:07,365",
            "thread_id": "1276",
            "caller": "0x7ff6c28d9322",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "oleaut32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc77330000"
              }
            ],
            "repeated": 0,
            "id": 20054
          },
          {
            "timestamp": "2026-05-28 22:02:07,365",
            "thread_id": "5448",
            "caller": "0x7ff6c28bb952",
            "parentcaller": "0x7ff6c28be837",
            "category": "windows",
            "api": "PostMessageW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "WindowHandle",
                "value": "0x00010402"
              },
              {
                "name": "Message",
                "value": "0x00000464"
              }
            ],
            "repeated": 0,
            "id": 20055
          },
          {
            "timestamp": "2026-05-28 22:02:07,365",
            "thread_id": "608",
            "caller": "0x7ff6c28d9e90",
            "parentcaller": "0x7ff6c28d9a49",
            "category": "windows",
            "api": "FindWindowW",
            "status": true,
            "return": "0x00010092",
            "arguments": [
              {
                "name": "ClassName",
                "value": "Shell_TrayWnd"
              },
              {
                "name": "WindowName",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 20056
          },
          {
            "timestamp": "2026-05-28 22:02:07,365",
            "thread_id": "2700",
            "caller": "0x7ffc77bf0e98",
            "parentcaller": "0x7ffc77c6b785",
            "category": "windows",
            "api": "PostMessageW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "WindowHandle",
                "value": "0x00010438"
              },
              {
                "name": "Message",
                "value": "0x00000400"
              }
            ],
            "repeated": 0,
            "id": 20057
          },
          {
            "timestamp": "2026-05-28 22:02:07,428",
            "thread_id": "1496",
            "caller": "0x7ff6c28da9db",
            "parentcaller": "0x7ff6c28d6f98",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00001016"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 20058
          },
          {
            "timestamp": "2026-05-28 22:02:07,428",
            "thread_id": "1496",
            "caller": "0x7ff6c28da9db",
            "parentcaller": "0x7ff6c28d6f98",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00001018"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 20059
          },
          {
            "timestamp": "2026-05-28 22:02:07,428",
            "thread_id": "1496",
            "caller": "0x7ff6c28da9db",
            "parentcaller": "0x7ff6c28d6f98",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29253ba9000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 20060
          },
          {
            "timestamp": "2026-05-28 22:02:07,428",
            "thread_id": "1496",
            "caller": "0x7ff6c28da9db",
            "parentcaller": "0x7ff6c28d6f98",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00000042"
              },
              {
                "name": "uiParam",
                "value": "0x00000010"
              }
            ],
            "repeated": 0,
            "id": 20061
          },
          {
            "timestamp": "2026-05-28 22:02:07,428",
            "thread_id": "1496",
            "caller": "0x7ff6c28da9db",
            "parentcaller": "0x7ff6c28d6fb1",
            "category": "misc",
            "api": "GetCursorPos",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "x",
                "value": "876"
              },
              {
                "name": "y",
                "value": "638"
              }
            ],
            "repeated": 0,
            "id": 20062
          },
          {
            "timestamp": "2026-05-28 22:02:07,428",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6fb1",
            "parentcaller": "0x7ff6c28e0076",
            "category": "system",
            "api": "NtDelayExecution",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 20063
          },
          {
            "timestamp": "2026-05-28 22:02:07,475",
            "thread_id": "1276",
            "caller": "0x7ffc77bf0e98",
            "parentcaller": "0x7ffc77c6b785",
            "category": "windows",
            "api": "PostMessageW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "WindowHandle",
                "value": "0x00010424"
              },
              {
                "name": "Message",
                "value": "0x00000400"
              }
            ],
            "repeated": 0,
            "id": 20064
          },
          {
            "timestamp": "2026-05-28 22:02:07,490",
            "thread_id": "1496",
            "caller": "0x7ff6c28da9db",
            "parentcaller": "0x7ff6c28d6fb1",
            "category": "misc",
            "api": "GetCursorPos",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "x",
                "value": "876"
              },
              {
                "name": "y",
                "value": "638"
              }
            ],
            "repeated": 0,
            "id": 20065
          },
          {
            "timestamp": "2026-05-28 22:02:07,490",
            "thread_id": "1496",
            "caller": "0x7ff6c28dbac0",
            "parentcaller": "0x7ff6c28d6f98",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00001016"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 20066
          },
          {
            "timestamp": "2026-05-28 22:02:07,490",
            "thread_id": "1496",
            "caller": "0x7ff6c28dbac0",
            "parentcaller": "0x7ff6c28d6f98",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00001018"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 20067
          },
          {
            "timestamp": "2026-05-28 22:02:07,490",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6fb1",
            "parentcaller": "0x7ff6c28e0076",
            "category": "system",
            "api": "NtDelayExecution",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 20068
          },
          {
            "timestamp": "2026-05-28 22:02:07,568",
            "thread_id": "1496",
            "caller": "0x7ff6c28da9db",
            "parentcaller": "0x7ff6c28d6fb1",
            "category": "misc",
            "api": "GetCursorPos",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "x",
                "value": "876"
              },
              {
                "name": "y",
                "value": "638"
              }
            ],
            "repeated": 0,
            "id": 20069
          },
          {
            "timestamp": "2026-05-28 22:02:07,568",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6fb1",
            "parentcaller": "0x7ff6c28e0076",
            "category": "system",
            "api": "NtDelayExecution",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 20070
          },
          {
            "timestamp": "2026-05-28 22:02:07,584",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6fb1",
            "parentcaller": "0x7ff6c28e0076",
            "category": "synchronization",
            "api": "NtOpenEvent",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "Handle",
                "value": "0xf09d76f620"
              },
              {
                "name": "EventName",
                "value": "Local\\1ImmersiveFocusTrackingActiveEvent"
              }
            ],
            "repeated": 0,
            "id": 20071
          },
          {
            "timestamp": "2026-05-28 22:02:07,584",
            "thread_id": "1496",
            "caller": "0x7ff6c28da9db",
            "parentcaller": "0x7ff6c28d6fb1",
            "category": "misc",
            "api": "GetCursorPos",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "x",
                "value": "876"
              },
              {
                "name": "y",
                "value": "638"
              }
            ],
            "repeated": 1,
            "id": 20072
          },
          {
            "timestamp": "2026-05-28 22:02:07,584",
            "thread_id": "1496",
            "caller": "0x7ff6c28fb0d5",
            "parentcaller": "0x7ff6c28d6f98",
            "category": "windows",
            "api": "PostMessageW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "WindowHandle",
                "value": "0x000203fa"
              },
              {
                "name": "Message",
                "value": "0x000004e3"
              }
            ],
            "repeated": 0,
            "id": 20073
          },
          {
            "timestamp": "2026-05-28 22:02:07,584",
            "thread_id": "1496",
            "caller": "0x7ff6c2923b25",
            "parentcaller": "0x7ff6c290e089",
            "category": "misc",
            "api": "FindResourceExW",
            "status": true,
            "return": "0x2924e1b1778",
            "arguments": [
              {
                "name": "Module",
                "value": "0x7ff6c28b0000"
              },
              {
                "name": "Type",
                "value": "#4"
              },
              {
                "name": "Name",
                "value": "#30206"
              },
              {
                "name": "Language",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 20074
          },
          {
            "timestamp": "2026-05-28 22:02:07,584",
            "thread_id": "1496",
            "caller": "0x7ff6c2923b25",
            "parentcaller": "0x7ff6c290e089",
            "category": "misc",
            "api": "LoadResource",
            "status": true,
            "return": "0x2924e1b2a9c",
            "arguments": [
              {
                "name": "Module",
                "value": "0x7ff6c28b0000"
              },
              {
                "name": "ResourceInfo",
                "value": "0x2924e1b1778"
              }
            ],
            "repeated": 0,
            "id": 20075
          },
          {
            "timestamp": "2026-05-28 22:02:07,584",
            "thread_id": "1496",
            "caller": "0x7ff6c2902662",
            "parentcaller": "0x7ff6c28f72bb",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer"
              },
              {
                "name": "Handle",
                "value": "0x00000a9c"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer"
              }
            ],
            "repeated": 0,
            "id": 20076
          },
          {
            "timestamp": "2026-05-28 22:02:07,584",
            "thread_id": "1496",
            "caller": "0x7ff6c2902662",
            "parentcaller": "0x7ff6c28f72bb",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a9c"
              },
              {
                "name": "ValueName",
                "value": "NoRun"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\NoRun"
              }
            ],
            "repeated": 0,
            "id": 20077
          },
          {
            "timestamp": "2026-05-28 22:02:07,584",
            "thread_id": "1496",
            "caller": "0x7ff6c2902662",
            "parentcaller": "0x7ff6c28f72bb",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a9c"
              }
            ],
            "repeated": 0,
            "id": 20078
          },
          {
            "timestamp": "2026-05-28 22:02:07,584",
            "thread_id": "1496",
            "caller": "0x7ff6c2902662",
            "parentcaller": "0x7ff6c28f72bb",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000001",
                "pretty_value": "HKEY_CURRENT_USER"
              },
              {
                "name": "SubKey",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer"
              }
            ],
            "repeated": 0,
            "id": 20079
          },
          {
            "timestamp": "2026-05-28 22:02:08,365",
            "thread_id": "5448",
            "caller": "0x7ff6c28bd9af",
            "parentcaller": "0x7ff6c28d9f92",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "23"
              },
              {
                "name": "ThreadInformation",
                "value": "\\xc0`UZ\\x00\\x00\\x00\\x00fH\\xaeiH\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "5448"
              }
            ],
            "repeated": 0,
            "id": 20080
          },
          {
            "timestamp": "2026-05-28 22:02:08,365",
            "thread_id": "5448",
            "caller": "0x7ff6c28c63dd",
            "parentcaller": "0x7ff6c28bac26",
            "category": "misc",
            "api": "NtQuerySystemInformation",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SystemInformationClass",
                "value": "5",
                "pretty_value": "SystemProcessInformation"
              }
            ],
            "repeated": 0,
            "id": 20081
          },
          {
            "timestamp": "2026-05-28 22:02:08,365",
            "thread_id": "5448",
            "caller": "0x7ff6c28bda50",
            "parentcaller": "0x7ff6c28d9f92",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "23"
              },
              {
                "name": "ThreadInformation",
                "value": "\\xc4\\xed\\x93Z\\x00\\x00\\x00\\x00\\xb2\\x06\\xefiH\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "5448"
              }
            ],
            "repeated": 0,
            "id": 20082
          },
          {
            "timestamp": "2026-05-28 22:02:08,365",
            "thread_id": "5448",
            "caller": "0x7ff6c28bdaa2",
            "parentcaller": "0x7ff6c28d9f92",
            "category": "misc",
            "api": "NtQuerySystemInformation",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SystemInformationClass",
                "value": "3",
                "pretty_value": "SystemTimeOfDayInformation"
              }
            ],
            "repeated": 0,
            "id": 20083
          },
          {
            "timestamp": "2026-05-28 22:02:08,365",
            "thread_id": "5448",
            "caller": "0x7ff6c28c4a58",
            "parentcaller": "0x7ff6c28c4bdc",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000410"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\PcwDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00224013"
              },
              {
                "name": "InputBuffer",
                "value": "\\x14\\x04\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": "\\xb8\\x01\\x00\\x00\\x10\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xa8\\x01\\x00\\x00 \\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x000\\x00\\x00\\x0c\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00`\\x00\\x00\\x00\\x00\\x00\\x00\\x00 \\x00\\x00\\x00\\x04\\x00\\x00\\x000\\x00,\\x000\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x04\\x00\\x08\\x00\\xe0pr\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x05\\x00\\x08\\x00b>c\\x01\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x1a\\x00\\x08\\x00|\\xfbv\\x8e\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x1b\\x00\\x04\\x00\\x08\\x7f\\xf0\\x02\\x00\\x00\\x00\\x00`\\x00\\x00\\x00\\x01\\x00\\x00\\x00 \\x00\\x00\\x00\\x04\\x00\\x00\\x000\\x00,\\x001\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x04\\x00\\x08\\x00\\xd0?D\\x01\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x05\\x00\\x08\\x00\\x1cN\\x0e\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x1a\\x00\\x08\\x00t\\x1e\\xd2\\x8d\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x1b\\x00\\x04\\x00\\x0e\\x7f\\xf0\\x02\\x00\\x00\\x00\\x00h\\x00\\x00\\x00\\x02\\x00\\x00\\x00(\\x00\\x00\\x00\\x04\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 20084
          },
          {
            "timestamp": "2026-05-28 22:02:08,365",
            "thread_id": "5448",
            "caller": "0x7ff6c28c4a58",
            "parentcaller": "0x7ff6c28c4c19",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000410"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\PcwDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00224013"
              },
              {
                "name": "InputBuffer",
                "value": "\\x18\\x04\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": "x\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00h\\x00\\x00\\x00 \\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00H\\x00\\x00\\x00\\x00\\x00\\x00\\x00(\\x00\\x00\\x00\\x02\\x00\\x00\\x00d\\x00e\\x00f\\x00a\\x00u\\x00l\\x00t\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x08\\x00\\x1b\\xa6W\\x9f\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x01\\x00\\x08\\x00\\x00\\x98\\xce\n\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 20085
          },
          {
            "timestamp": "2026-05-28 22:02:08,365",
            "thread_id": "5448",
            "caller": "0x7ff6c28c6f7b",
            "parentcaller": "0x7ff6c28bdb94",
            "category": "misc",
            "api": "GlobalMemoryStatusEx",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "MemoryLoad",
                "value": "39"
              },
              {
                "name": "TotalPhysicalMB",
                "value": "8191"
              }
            ],
            "repeated": 0,
            "id": 20086
          },
          {
            "timestamp": "2026-05-28 22:02:08,365",
            "thread_id": "5448",
            "caller": "0x7ff6c28c05ac",
            "parentcaller": "0x7ff6c28bdc11",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a84"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001400",
                "pretty_value": "PROCESS_QUERY_INFORMATION|PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "748"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe"
              }
            ],
            "repeated": 0,
            "id": 20087
          },
          {
            "timestamp": "2026-05-28 22:02:08,365",
            "thread_id": "5448",
            "caller": "0x7ff6c28c068f",
            "parentcaller": "0x7ff6c28bdc11",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a84"
              }
            ],
            "repeated": 0,
            "id": 20088
          },
          {
            "timestamp": "2026-05-28 22:02:08,365",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c6d7d",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a84"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001400",
                "pretty_value": "PROCESS_QUERY_INFORMATION|PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "748"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe"
              }
            ],
            "repeated": 0,
            "id": 20089
          },
          {
            "timestamp": "2026-05-28 22:02:08,365",
            "thread_id": "5448",
            "caller": "0x7ff6c28c6de3",
            "parentcaller": "0x7ff6c28c087c",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a84"
              }
            ],
            "repeated": 0,
            "id": 20090
          },
          {
            "timestamp": "2026-05-28 22:02:08,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28c4a58",
            "parentcaller": "0x7ff6c28bab11",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000410"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\PcwDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00224013"
              },
              {
                "name": "InputBuffer",
                "value": "\\x88\\x08\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": "x\\x02\\x00\\x00\\x10\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00h\\x02\\x00\\x00 \\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01<\\x06\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x90\\x00\\x00\\x00\\x00\\x00\\x00\\x00 \\x00\\x00\\x00\\x07\\x00\\x00\\x000\\x00,\\x000\\x00\\x00\\x00a\\x00n\\x00a\\x00g\\x00\\x10\\x00\\x00\\x00\\x10\\x00\\x04\\x00\\x00\\x00\\x00\\x00A\\x00p\\x00\\x10\\x00\\x00\\x00\\x1a\\x00\\x08\\x00\\xab\\xc5u\\x8e\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x1b\\x00\\x04\\x00\\xef{\\xf0\\x02S\\x00e\\x00\\x10\\x00\\x00\\x00\\x1c\\x00\\x08\\x00\\x8b\\xc2\\xc4\\x08\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x1d\\x00\\x04\\x00\\xef{\\xf0\\x02)\\x00\\x00\\x00\\x10\\x00\\x00\\x00!\\x00\\x08\\x00'\\xcd\\x13\\x83\\x14\\x00\\x00\\x00\\x10\\x00\\x00\\x00\"\\x00\\x04\\x00\\x9e\\xb2l\\x01o\\x00f\\x00\\x90\\x00\\x00\\x00\\x01\\x00\\x00\\x00 \\x00\\x00\\x00\\x07\\x00\\x00\\x000\\x00,\\x001\\x00\\x00\\x00n\\x00t\\x00\\x00\\x00A\\x00\\x10\\x00\\x00\\x00\\x10\\x00\\x04\\x00\\x00\\x00\\x00\\x00e\\x00n\\x00\\x10\\x00\\x00\\x00\\x1a\\x00\\x08\\x00\\x14x\\xd2\\x8d\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 20091
          },
          {
            "timestamp": "2026-05-28 22:02:08,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28c7164",
            "parentcaller": "0x7ff6c28c4d2d",
            "category": "misc",
            "api": "NtQuerySystemInformation",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "SystemInformationClass",
                "value": "79"
              }
            ],
            "repeated": 0,
            "id": 20092
          },
          {
            "timestamp": "2026-05-28 22:02:08,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28c71d8",
            "parentcaller": "0x7ff6c28c4d2d",
            "category": "misc",
            "api": "NtQuerySystemInformation",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SystemInformationClass",
                "value": "79"
              }
            ],
            "repeated": 0,
            "id": 20093
          },
          {
            "timestamp": "2026-05-28 22:02:08,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28c4d5f",
            "parentcaller": "0x7ff6c28d9152",
            "category": "misc",
            "api": "NtQuerySystemInformation",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SystemInformationClass",
                "value": "182"
              }
            ],
            "repeated": 0,
            "id": 20094
          },
          {
            "timestamp": "2026-05-28 22:02:08,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28c4d76",
            "parentcaller": "0x7ff6c28d9152",
            "category": "misc",
            "api": "GetPhysicallyInstalledSystemMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TotalMemoryInKilobytes",
                "value": "8388608"
              }
            ],
            "repeated": 0,
            "id": 20095
          },
          {
            "timestamp": "2026-05-28 22:02:08,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28bcc3e",
            "parentcaller": "0x7ff6c28baa3d",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000008a4"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\Nsi"
              },
              {
                "name": "IoControlCode",
                "value": "0x00120007"
              },
              {
                "name": "InputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb1\\xa9t\\xfc\\x7f\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xc0\\xe5O\\x9e\\xf0\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb1\\xa9t\\xfc\\x7f\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xc0\\xe5O\\x9e\\xf0\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 20096
          },
          {
            "timestamp": "2026-05-28 22:02:08,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28bcc3e",
            "parentcaller": "0x7ff6c28baa3d",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a84"
              }
            ],
            "repeated": 0,
            "id": 20097
          },
          {
            "timestamp": "2026-05-28 22:02:08,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28bcc3e",
            "parentcaller": "0x7ff6c28baa3d",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000008a4"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\Nsi"
              },
              {
                "name": "IoControlCode",
                "value": "0x0012000f"
              },
              {
                "name": "InputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb1\\xa9t\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xd0\\xe5O\\x9e\\xf0\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\xeeO\\x9e\\xf0\\x00\\x00\\x00D\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xe6O\\x9e\\xf0\\x00\\x00\\x00\\xd8\\x00\\x00\\x00\\x00\\x00\\x00\\x00 \\xe9O\\x9e\\xf0\\x00\\x00\\x00X\\x02\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb1\\xa9t\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xd0\\xe5O\\x9e\\xf0\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\xeeO\\x9e\\xf0\\x00\\x00\\x00D\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xe6O\\x9e\\xf0\\x00\\x00\\x00\\xd8\\x00\\x00\\x00\\x00\\x00\\x00\\x00 \\xe9O\\x9e\\xf0\\x00\\x00\\x00X\\x02\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 20098
          },
          {
            "timestamp": "2026-05-28 22:02:08,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28bcc3e",
            "parentcaller": "0x7ff6c28baa3d",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a84"
              }
            ],
            "repeated": 0,
            "id": 20099
          },
          {
            "timestamp": "2026-05-28 22:02:08,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28bcd3d",
            "parentcaller": "0x7ff6c28baa3d",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000a84"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0012019f",
                "pretty_value": "FILE_GENERIC_READ|FILE_GENERIC_WRITE"
              },
              {
                "name": "FileName",
                "value": "\\Device\\{4C572733-2FBA-4346-9601-F86DBA666EF2}"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 20100
          },
          {
            "timestamp": "2026-05-28 22:02:08,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28bcd94",
            "parentcaller": "0x7ff6c28baa3d",
            "category": "device",
            "api": "DeviceIoControl",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "DeviceHandle",
                "value": "0x00000a84"
              },
              {
                "name": "IoControlCode",
                "value": "0x0017003e"
              },
              {
                "name": "InBuffer",
                "value": "\\x07\\x01\\x01\\x00\\x04\\x01\\x01\\x80\\x14\\x01\\x01\\x80\\x01\\x01\\x02\\x00\\x02\\x01\\x02\\x00\\x03\\x01\\x02\\x00\\x04\\x01\\x02\\x00\\x08\\x02\\x02\\x80\\x01\\x02\\x02\\x80\\x07\\x02\\x02\\x80\\xff\\xff\\xff\\x80\\x13\\x02\\x02\\x80\\x14\\x02\\x02\\x80\\x15\\x02\\x02\\x80\\x02\\x02\\x01\\x80"
              },
              {
                "name": "OutBuffer",
                "value": "\\x07\\x01\\x01\\x00\\x04\\x00\\x00\\x00\\x80\\x96\\x98\\x00\\x04\\x01\\x01\\x80\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x14\\x01\\x01\\x80\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x01\\x02\\x00\\x08\\x00\\x00\\x00\\xc9\\x0f\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x01\\x02\\x00\\x08\\x00\\x00\\x00\\xb5F\\x00\\x00\\x00\\x00\\x00\\x00\\x03\\x01\\x02\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x04\\x01\\x02\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x08\\x02\\x02\\x80\\x08\\x00\\x00\\x00\\xb0F\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x02\\x02\\x80\\x08\\x00\\x00\\x005a@\\x00\\x00\\x00\\x00\\x00\\x07\\x02\\x02\\x80\\x08\\x00\\x00\\x00\\xc1\\x96T\\x01\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\x80\\x04\\x00\\x00\\x00J\\x00\\x00\\x00\\x13\\x02\\x02\\x80\\x04\\x00\\x00\\x00m\\x00\\x00\\x00\\x14\\x02\\x02\\x80\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x15\\x02\\x02\\x80\\x04\\x00\\x00\\x00\\x00\\x00\\x04\\x00\\x02\\x02\\x01\\x80\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 20101
          },
          {
            "timestamp": "2026-05-28 22:02:08,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28bcdab",
            "parentcaller": "0x7ff6c28baa3d",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a84"
              }
            ],
            "repeated": 0,
            "id": 20102
          },
          {
            "timestamp": "2026-05-28 22:02:08,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28c1a63",
            "parentcaller": "0x7ff6c28d9152",
            "category": "device",
            "api": "DeviceIoControl",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "DeviceHandle",
                "value": "0x0000089c"
              },
              {
                "name": "IoControlCode",
                "value": "0x00070020"
              },
              {
                "name": "InBuffer",
                "value": ""
              },
              {
                "name": "OutBuffer",
                "value": "\\x00\\xdcqt\\x00\\x00\\x00\\x00\\x00\\xf2\\xeb\\x08\\x00\\x00\\x00\\x00\\xf2\\xf9\\xee\\x1e\\x00\\x00\\x00\\x00\\xd9\\x11\\xe0\\x11\\x00\\x00\\x00\\x00Hu\\xb5\\x1d\\x00\\x00\\x00\\x00(k\\x00\\x00Q\\x0e\\x00\\x00\\x01\\x00\\x00\\x00O\\x04\\x00\\x00cQ\\x9d\\xa0\\xed\\xee\\xdc\\x01\\x00\\x00\\x00\\x00P\\x00a\\x00r\\x00t\\x00m\\x00g\\x00r\\x00 \\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 20103
          },
          {
            "timestamp": "2026-05-28 22:02:08,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28ca352",
            "parentcaller": "0x7ff6c28ca1d6",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 20104
          },
          {
            "timestamp": "2026-05-28 22:02:08,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28ca352",
            "parentcaller": "0x7ff6c28ca1d6",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "0",
                "pretty_value": "ThreadBasicInformation"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x03\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb0\\x88\\x9d\\xf0\\x00\\x00\\x00\\xe8\\x1e\\x00\\x00\\x00\\x00\\x00\\x00\\x9c!\\x00\\x00\\x00\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x0b\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "8604"
              }
            ],
            "repeated": 0,
            "id": 20105
          },
          {
            "timestamp": "2026-05-28 22:02:08,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28ca352",
            "parentcaller": "0x7ff6c28ca1d6",
            "category": "system",
            "api": "GetSystemTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 1,
            "id": 20106
          },
          {
            "timestamp": "2026-05-28 22:02:08,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28ca352",
            "parentcaller": "0x7ff6c28ca1d6",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000410"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\PcwDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00224013"
              },
              {
                "name": "InputBuffer",
                "value": "\\x00\t\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": "\\xe0G\\x00\\x00\\x10\\x00\\x00\\x00\\x0c\\x00\\x00\\x00\\x00\\x00\\x00\\x00`\\x14\\x00\\x00 \\x00\\x00\\x00!\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\n\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x98\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x88\\x00\\x00\\x00\\x01\\x00\\x00\\x00p\\x00i\\x00d\\x00_\\x004\\x00_\\x00l\\x00u\\x00i\\x00d\\x00_\\x000\\x00x\\x000\\x000\\x000\\x000\\x000\\x000\\x000\\x000\\x00_\\x000\\x00x\\x000\\x000\\x000\\x000\\x006\\x001\\x006\\x00A\\x00_\\x00p\\x00h\\x00y\\x00s\\x00_\\x000\\x00_\\x00e\\x00n\\x00g\\x00_\\x000\\x00_\\x00e\\x00n\\x00g\\x00t\\x00y\\x00p\\x00e\\x00_\\x003\\x00D\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x01\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x98\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x88\\x00\\x00\\x00\\x01\\x00\\x00\\x00p\\x00i\\x00d\\x00_\\x004\\x00_\\x00l\\x00u\\x00i\\x00d\\x00_\\x000\\x00x\\x000\\x000\\x000\\x000\\x000\\x000\\x000\\x00"
              }
            ],
            "repeated": 0,
            "id": 20107
          },
          {
            "timestamp": "2026-05-28 22:02:08,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28f9829",
            "parentcaller": "0x7ff6c28d8f00",
            "category": "windows",
            "api": "PostMessageW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "WindowHandle",
                "value": "0x000203fa"
              },
              {
                "name": "Message",
                "value": "0x000004e1"
              }
            ],
            "repeated": 0,
            "id": 20108
          },
          {
            "timestamp": "2026-05-28 22:02:08,365",
            "thread_id": "1496",
            "caller": "0x7ff6c2958576",
            "parentcaller": "0x7ff6c2957a42",
            "category": "misc",
            "api": "NtQuerySystemInformation",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SystemInformationClass",
                "value": "3",
                "pretty_value": "FILE_OPEN_IF"
              }
            ],
            "repeated": 0,
            "id": 20109
          },
          {
            "timestamp": "2026-05-28 22:02:08,365",
            "thread_id": "1276",
            "caller": "0x7ff6c28d9214",
            "parentcaller": "0x00000000",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "0",
                "pretty_value": "ThreadBasicInformation"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x03\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xd0\\x87\\x9d\\xf0\\x00\\x00\\x00\\xe8\\x1e\\x00\\x00\\x00\\x00\\x00\\x00\\xfc\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\n\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "1276"
              }
            ],
            "repeated": 0,
            "id": 20110
          },
          {
            "timestamp": "2026-05-28 22:02:08,365",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000000",
                "pretty_value": "HKEY_CLASSES_ROOT"
              },
              {
                "name": "SubKey",
                "value": "CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_CLASSES_ROOT\\CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              }
            ],
            "repeated": 0,
            "id": 20111
          },
          {
            "timestamp": "2026-05-28 22:02:08,365",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "shell32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76730000"
              }
            ],
            "repeated": 0,
            "id": 20112
          },
          {
            "timestamp": "2026-05-28 22:02:08,365",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x7ffc76730000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "shell32.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 20113
          },
          {
            "timestamp": "2026-05-28 22:02:08,365",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "SHELL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc76730000"
              },
              {
                "name": "FunctionName",
                "value": "DllGetClassObject"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc767878f0"
              }
            ],
            "repeated": 0,
            "id": 20114
          },
          {
            "timestamp": "2026-05-28 22:02:08,365",
            "thread_id": "1276",
            "caller": "0x7ff6c28c27c9",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "synchronization",
            "api": "NtFindAtom",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "AtomName",
                "value": "{57086C23-86C6-478F-AFB2-236188C8F47F} 3"
              },
              {
                "name": "Atom",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 20115
          },
          {
            "timestamp": "2026-05-28 22:02:08,365",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000000",
                "pretty_value": "HKEY_CLASSES_ROOT"
              },
              {
                "name": "SubKey",
                "value": "CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_CLASSES_ROOT\\CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              }
            ],
            "repeated": 0,
            "id": 20116
          },
          {
            "timestamp": "2026-05-28 22:02:08,365",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "shell32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76730000"
              }
            ],
            "repeated": 0,
            "id": 20117
          },
          {
            "timestamp": "2026-05-28 22:02:08,365",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x7ffc76730000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "shell32.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 20118
          },
          {
            "timestamp": "2026-05-28 22:02:08,365",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "SHELL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc76730000"
              },
              {
                "name": "FunctionName",
                "value": "DllGetClassObject"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc767878f0"
              }
            ],
            "repeated": 0,
            "id": 20119
          },
          {
            "timestamp": "2026-05-28 22:02:08,365",
            "thread_id": "1276",
            "caller": "0x7ff6c28c27c9",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "synchronization",
            "api": "NtFindAtom",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "AtomName",
                "value": "{57086C23-86C6-478F-AFB2-236188C8F47F} 3"
              },
              {
                "name": "Atom",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 20120
          },
          {
            "timestamp": "2026-05-28 22:02:08,365",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000000",
                "pretty_value": "HKEY_CLASSES_ROOT"
              },
              {
                "name": "SubKey",
                "value": "CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_CLASSES_ROOT\\CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              }
            ],
            "repeated": 0,
            "id": 20121
          },
          {
            "timestamp": "2026-05-28 22:02:08,365",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "shell32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76730000"
              }
            ],
            "repeated": 0,
            "id": 20122
          },
          {
            "timestamp": "2026-05-28 22:02:08,365",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x7ffc76730000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "shell32.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 20123
          },
          {
            "timestamp": "2026-05-28 22:02:08,365",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "SHELL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc76730000"
              },
              {
                "name": "FunctionName",
                "value": "DllGetClassObject"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc767878f0"
              }
            ],
            "repeated": 0,
            "id": 20124
          },
          {
            "timestamp": "2026-05-28 22:02:08,365",
            "thread_id": "1276",
            "caller": "0x7ff6c28c27c9",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "synchronization",
            "api": "NtFindAtom",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "AtomName",
                "value": "{57086C23-86C6-478F-AFB2-236188C8F47F} 3"
              },
              {
                "name": "Atom",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 20125
          },
          {
            "timestamp": "2026-05-28 22:02:08,365",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000000",
                "pretty_value": "HKEY_CLASSES_ROOT"
              },
              {
                "name": "SubKey",
                "value": "CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_CLASSES_ROOT\\CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              }
            ],
            "repeated": 0,
            "id": 20126
          },
          {
            "timestamp": "2026-05-28 22:02:08,365",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "shell32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76730000"
              }
            ],
            "repeated": 0,
            "id": 20127
          },
          {
            "timestamp": "2026-05-28 22:02:08,365",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x7ffc76730000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "shell32.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 20128
          },
          {
            "timestamp": "2026-05-28 22:02:08,365",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "SHELL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc76730000"
              },
              {
                "name": "FunctionName",
                "value": "DllGetClassObject"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc767878f0"
              }
            ],
            "repeated": 0,
            "id": 20129
          },
          {
            "timestamp": "2026-05-28 22:02:08,365",
            "thread_id": "1276",
            "caller": "0x7ff6c28c27c9",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "synchronization",
            "api": "NtFindAtom",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "AtomName",
                "value": "{57086C23-86C6-478F-AFB2-236188C8F47F} 3"
              },
              {
                "name": "Atom",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 20130
          },
          {
            "timestamp": "2026-05-28 22:02:08,365",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000000",
                "pretty_value": "HKEY_CLASSES_ROOT"
              },
              {
                "name": "SubKey",
                "value": "CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_CLASSES_ROOT\\CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              }
            ],
            "repeated": 0,
            "id": 20131
          },
          {
            "timestamp": "2026-05-28 22:02:08,365",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "shell32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76730000"
              }
            ],
            "repeated": 0,
            "id": 20132
          },
          {
            "timestamp": "2026-05-28 22:02:08,365",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x7ffc76730000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "shell32.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 20133
          },
          {
            "timestamp": "2026-05-28 22:02:08,365",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "SHELL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc76730000"
              },
              {
                "name": "FunctionName",
                "value": "DllGetClassObject"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc767878f0"
              }
            ],
            "repeated": 0,
            "id": 20134
          },
          {
            "timestamp": "2026-05-28 22:02:08,365",
            "thread_id": "1276",
            "caller": "0x7ff6c28c27c9",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "synchronization",
            "api": "NtFindAtom",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "AtomName",
                "value": "{57086C23-86C6-478F-AFB2-236188C8F47F} 3"
              },
              {
                "name": "Atom",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 20135
          },
          {
            "timestamp": "2026-05-28 22:02:08,365",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000000",
                "pretty_value": "HKEY_CLASSES_ROOT"
              },
              {
                "name": "SubKey",
                "value": "CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_CLASSES_ROOT\\CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              }
            ],
            "repeated": 0,
            "id": 20136
          },
          {
            "timestamp": "2026-05-28 22:02:08,365",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "shell32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76730000"
              }
            ],
            "repeated": 0,
            "id": 20137
          },
          {
            "timestamp": "2026-05-28 22:02:08,365",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x7ffc76730000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "shell32.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 20138
          },
          {
            "timestamp": "2026-05-28 22:02:08,365",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "SHELL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc76730000"
              },
              {
                "name": "FunctionName",
                "value": "DllGetClassObject"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc767878f0"
              }
            ],
            "repeated": 0,
            "id": 20139
          },
          {
            "timestamp": "2026-05-28 22:02:08,365",
            "thread_id": "1276",
            "caller": "0x7ff6c28c27c9",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "synchronization",
            "api": "NtFindAtom",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "AtomName",
                "value": "{57086C23-86C6-478F-AFB2-236188C8F47F} 3"
              },
              {
                "name": "Atom",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 20140
          },
          {
            "timestamp": "2026-05-28 22:02:08,365",
            "thread_id": "1276",
            "caller": "0x7ff6c28d9322",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "oleaut32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc77330000"
              }
            ],
            "repeated": 0,
            "id": 20141
          },
          {
            "timestamp": "2026-05-28 22:02:08,365",
            "thread_id": "5448",
            "caller": "0x7ff6c28bb952",
            "parentcaller": "0x7ff6c28be837",
            "category": "windows",
            "api": "PostMessageW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "WindowHandle",
                "value": "0x00010402"
              },
              {
                "name": "Message",
                "value": "0x00000464"
              }
            ],
            "repeated": 0,
            "id": 20142
          },
          {
            "timestamp": "2026-05-28 22:02:08,365",
            "thread_id": "608",
            "caller": "0x7ff6c28d9e90",
            "parentcaller": "0x7ff6c28d9a49",
            "category": "windows",
            "api": "FindWindowW",
            "status": true,
            "return": "0x00010092",
            "arguments": [
              {
                "name": "ClassName",
                "value": "Shell_TrayWnd"
              },
              {
                "name": "WindowName",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 20143
          },
          {
            "timestamp": "2026-05-28 22:02:08,365",
            "thread_id": "2700",
            "caller": "0x7ffc77bf0e98",
            "parentcaller": "0x7ffc77c6b785",
            "category": "windows",
            "api": "PostMessageW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "WindowHandle",
                "value": "0x00010438"
              },
              {
                "name": "Message",
                "value": "0x00000400"
              }
            ],
            "repeated": 0,
            "id": 20144
          },
          {
            "timestamp": "2026-05-28 22:02:08,506",
            "thread_id": "1276",
            "caller": "0x7ffc77bf0e98",
            "parentcaller": "0x7ffc77c6b785",
            "category": "windows",
            "api": "PostMessageW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "WindowHandle",
                "value": "0x00010424"
              },
              {
                "name": "Message",
                "value": "0x00000400"
              }
            ],
            "repeated": 0,
            "id": 20145
          },
          {
            "timestamp": "2026-05-28 22:02:09,365",
            "thread_id": "5448",
            "caller": "0x7ff6c28bd9af",
            "parentcaller": "0x7ff6c28d9f92",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "23"
              },
              {
                "name": "ThreadInformation",
                "value": "x+\\xb6Z\\x00\\x00\\x00\\x00p\\xdasFI\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "5448"
              }
            ],
            "repeated": 0,
            "id": 20146
          },
          {
            "timestamp": "2026-05-28 22:02:09,365",
            "thread_id": "5448",
            "caller": "0x7ff6c28c63dd",
            "parentcaller": "0x7ff6c28bac26",
            "category": "misc",
            "api": "NtQuerySystemInformation",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SystemInformationClass",
                "value": "5",
                "pretty_value": "FILE_OVERWRITE_IF"
              }
            ],
            "repeated": 0,
            "id": 20147
          },
          {
            "timestamp": "2026-05-28 22:02:09,365",
            "thread_id": "5448",
            "caller": "0x7ff6c28bda50",
            "parentcaller": "0x7ff6c28d9f92",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "23"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x14k\\xfbZ\\x00\\x00\\x00\\x00\\x84Y\\xb9FI\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "5448"
              }
            ],
            "repeated": 0,
            "id": 20148
          },
          {
            "timestamp": "2026-05-28 22:02:09,365",
            "thread_id": "5448",
            "caller": "0x7ff6c28bdaa2",
            "parentcaller": "0x7ff6c28d9f92",
            "category": "misc",
            "api": "NtQuerySystemInformation",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SystemInformationClass",
                "value": "3",
                "pretty_value": "FILE_OPEN_IF"
              }
            ],
            "repeated": 0,
            "id": 20149
          },
          {
            "timestamp": "2026-05-28 22:02:09,365",
            "thread_id": "5448",
            "caller": "0x7ff6c28c4a58",
            "parentcaller": "0x7ff6c28c4bdc",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000410"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\PcwDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00224013"
              },
              {
                "name": "InputBuffer",
                "value": "\\x14\\x04\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": "\\xb8\\x01\\x00\\x00\\x10\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xa8\\x01\\x00\\x00 \\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x000\\x00\\x00\\x0c\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00`\\x00\\x00\\x00\\x00\\x00\\x00\\x00 \\x00\\x00\\x00\\x04\\x00\\x00\\x000\\x00,\\x000\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x04\\x00\\x08\\x00\\xe0pr\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x05\\x00\\x08\\x00b>c\\x01\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x1a\\x00\\x08\\x00\\x1a85\\x92\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x1b\\x00\\x04\\x00\\x1e\\x14\\xfa\\x02\\x00\\x00\\x00\\x00`\\x00\\x00\\x00\\x01\\x00\\x00\\x00 \\x00\\x00\\x00\\x04\\x00\\x00\\x000\\x00,\\x001\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x04\\x00\\x08\\x00*\\xa2F\\x01\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x05\\x00\\x08\\x00\\x1cN\\x0e\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x1a\\x00\\x08\\x00\\xc7Z\\x90\\x91\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x1b\\x00\\x04\\x00$\\x14\\xfa\\x02\\x00\\x00\\x00\\x00h\\x00\\x00\\x00\\x02\\x00\\x00\\x00(\\x00\\x00\\x00\\x04\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 20150
          },
          {
            "timestamp": "2026-05-28 22:02:09,365",
            "thread_id": "5448",
            "caller": "0x7ff6c28c4a58",
            "parentcaller": "0x7ff6c28c4c19",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000410"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\PcwDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00224013"
              },
              {
                "name": "InputBuffer",
                "value": "\\x18\\x04\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": "x\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00h\\x00\\x00\\x00 \\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00H\\x00\\x00\\x00\\x00\\x00\\x00\\x00(\\x00\\x00\\x00\\x02\\x00\\x00\\x00d\\x00e\\x00f\\x00a\\x00u\\x00l\\x00t\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x08\\x00\\x1b^h\\x9f\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x01\\x00\\x08\\x00\\x000\\xd9\n\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 20151
          },
          {
            "timestamp": "2026-05-28 22:02:09,365",
            "thread_id": "5448",
            "caller": "0x7ff6c28c6f7b",
            "parentcaller": "0x7ff6c28bdb94",
            "category": "misc",
            "api": "GlobalMemoryStatusEx",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "MemoryLoad",
                "value": "39"
              },
              {
                "name": "TotalPhysicalMB",
                "value": "8191"
              }
            ],
            "repeated": 0,
            "id": 20152
          },
          {
            "timestamp": "2026-05-28 22:02:09,365",
            "thread_id": "5448",
            "caller": "0x7ff6c28c05ac",
            "parentcaller": "0x7ff6c28bdc11",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a84"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001400",
                "pretty_value": "PROCESS_QUERY_INFORMATION|PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "748"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe"
              }
            ],
            "repeated": 0,
            "id": 20153
          },
          {
            "timestamp": "2026-05-28 22:02:09,365",
            "thread_id": "5448",
            "caller": "0x7ff6c28c068f",
            "parentcaller": "0x7ff6c28bdc11",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a84"
              }
            ],
            "repeated": 0,
            "id": 20154
          },
          {
            "timestamp": "2026-05-28 22:02:09,365",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c6d7d",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a84"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001400",
                "pretty_value": "PROCESS_QUERY_INFORMATION|PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "748"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe"
              }
            ],
            "repeated": 0,
            "id": 20155
          },
          {
            "timestamp": "2026-05-28 22:02:09,365",
            "thread_id": "5448",
            "caller": "0x7ff6c28c6de3",
            "parentcaller": "0x7ff6c28c087c",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a84"
              }
            ],
            "repeated": 0,
            "id": 20156
          },
          {
            "timestamp": "2026-05-28 22:02:09,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28c4a58",
            "parentcaller": "0x7ff6c28bab11",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000410"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\PcwDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00224013"
              },
              {
                "name": "InputBuffer",
                "value": "\\x88\\x08\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": "x\\x02\\x00\\x00\\x10\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00h\\x02\\x00\\x00 \\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01<\\x06\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x90\\x00\\x00\\x00\\x00\\x00\\x00\\x00 \\x00\\x00\\x00\\x07\\x00\\x00\\x000\\x00,\\x000\\x00\\x00\\x00a\\x00n\\x00a\\x00g\\x00\\x10\\x00\\x00\\x00\\x10\\x00\\x04\\x00\\x00\\x00\\x00\\x00A\\x00p\\x00\\x10\\x00\\x00\\x00\\x1a\\x00\\x08\\x00|\\x1f4\\x92\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x1b\\x00\\x04\\x00P\\x11\\xfa\\x02S\\x00e\\x00\\x10\\x00\\x00\\x00\\x1c\\x00\\x08\\x00\\x8b\\xc2\\xc4\\x08\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x1d\\x00\\x04\\x00P\\x11\\xfa\\x02)\\x00\\x00\\x00\\x10\\x00\\x00\\x00!\\x00\\x08\\x00\\x1a\\x9d\\x10\r\\x15\\x00\\x00\\x00\\x10\\x00\\x00\\x00\"\\x00\\x04\\x00\\xffGv\\x01o\\x00f\\x00\\x90\\x00\\x00\\x00\\x01\\x00\\x00\\x00 \\x00\\x00\\x00\\x07\\x00\\x00\\x000\\x00,\\x001\\x00\\x00\\x00n\\x00t\\x00\\x00\\x00A\\x00\\x10\\x00\\x00\\x00\\x10\\x00\\x04\\x00\\x00\\x00\\x00\\x00e\\x00n\\x00\\x10\\x00\\x00\\x00\\x1a\\x00\\x08\\x00\\xc0A\\x8f\\x91\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 20157
          },
          {
            "timestamp": "2026-05-28 22:02:09,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28c7164",
            "parentcaller": "0x7ff6c28c4d2d",
            "category": "misc",
            "api": "NtQuerySystemInformation",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "SystemInformationClass",
                "value": "79"
              }
            ],
            "repeated": 0,
            "id": 20158
          },
          {
            "timestamp": "2026-05-28 22:02:09,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28c71d8",
            "parentcaller": "0x7ff6c28c4d2d",
            "category": "misc",
            "api": "NtQuerySystemInformation",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SystemInformationClass",
                "value": "79"
              }
            ],
            "repeated": 0,
            "id": 20159
          },
          {
            "timestamp": "2026-05-28 22:02:09,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28c4d5f",
            "parentcaller": "0x7ff6c28d9152",
            "category": "misc",
            "api": "NtQuerySystemInformation",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SystemInformationClass",
                "value": "182"
              }
            ],
            "repeated": 0,
            "id": 20160
          },
          {
            "timestamp": "2026-05-28 22:02:09,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28c4d76",
            "parentcaller": "0x7ff6c28d9152",
            "category": "misc",
            "api": "GetPhysicallyInstalledSystemMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TotalMemoryInKilobytes",
                "value": "8388608"
              }
            ],
            "repeated": 0,
            "id": 20161
          },
          {
            "timestamp": "2026-05-28 22:02:09,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28bcc3e",
            "parentcaller": "0x7ff6c28baa3d",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000008a4"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\Nsi"
              },
              {
                "name": "IoControlCode",
                "value": "0x00120007"
              },
              {
                "name": "InputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb1\\xa9t\\xfc\\x7f\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xc0\\xe5O\\x9e\\xf0\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb1\\xa9t\\xfc\\x7f\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xc0\\xe5O\\x9e\\xf0\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 20162
          },
          {
            "timestamp": "2026-05-28 22:02:09,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28bcc3e",
            "parentcaller": "0x7ff6c28baa3d",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a7c"
              }
            ],
            "repeated": 0,
            "id": 20163
          },
          {
            "timestamp": "2026-05-28 22:02:09,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28bcc3e",
            "parentcaller": "0x7ff6c28baa3d",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000008a4"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\Nsi"
              },
              {
                "name": "IoControlCode",
                "value": "0x0012000f"
              },
              {
                "name": "InputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb1\\xa9t\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xd0\\xe5O\\x9e\\xf0\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\xeeO\\x9e\\xf0\\x00\\x00\\x00D\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xe6O\\x9e\\xf0\\x00\\x00\\x00\\xd8\\x00\\x00\\x00\\x00\\x00\\x00\\x00 \\xe9O\\x9e\\xf0\\x00\\x00\\x00X\\x02\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb1\\xa9t\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xd0\\xe5O\\x9e\\xf0\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\xeeO\\x9e\\xf0\\x00\\x00\\x00D\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xe6O\\x9e\\xf0\\x00\\x00\\x00\\xd8\\x00\\x00\\x00\\x00\\x00\\x00\\x00 \\xe9O\\x9e\\xf0\\x00\\x00\\x00X\\x02\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 20164
          },
          {
            "timestamp": "2026-05-28 22:02:09,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28bcc3e",
            "parentcaller": "0x7ff6c28baa3d",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a7c"
              }
            ],
            "repeated": 0,
            "id": 20165
          },
          {
            "timestamp": "2026-05-28 22:02:09,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28bcd3d",
            "parentcaller": "0x7ff6c28baa3d",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000a7c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0012019f",
                "pretty_value": "FILE_GENERIC_READ|FILE_GENERIC_WRITE"
              },
              {
                "name": "FileName",
                "value": "\\Device\\{4C572733-2FBA-4346-9601-F86DBA666EF2}"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 20166
          },
          {
            "timestamp": "2026-05-28 22:02:09,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28bcd94",
            "parentcaller": "0x7ff6c28baa3d",
            "category": "device",
            "api": "DeviceIoControl",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "DeviceHandle",
                "value": "0x00000a7c"
              },
              {
                "name": "IoControlCode",
                "value": "0x0017003e"
              },
              {
                "name": "InBuffer",
                "value": "\\x07\\x01\\x01\\x00\\x04\\x01\\x01\\x80\\x14\\x01\\x01\\x80\\x01\\x01\\x02\\x00\\x02\\x01\\x02\\x00\\x03\\x01\\x02\\x00\\x04\\x01\\x02\\x00\\x08\\x02\\x02\\x80\\x01\\x02\\x02\\x80\\x07\\x02\\x02\\x80\\xff\\xff\\xff\\x80\\x13\\x02\\x02\\x80\\x14\\x02\\x02\\x80\\x15\\x02\\x02\\x80\\x02\\x02\\x01\\x80"
              },
              {
                "name": "OutBuffer",
                "value": "\\x07\\x01\\x01\\x00\\x04\\x00\\x00\\x00\\x80\\x96\\x98\\x00\\x04\\x01\\x01\\x80\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x14\\x01\\x01\\x80\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x01\\x02\\x00\\x08\\x00\\x00\\x00\\x82\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x01\\x02\\x00\\x08\\x00\\x00\\x00\\x8cK\\x00\\x00\\x00\\x00\\x00\\x00\\x03\\x01\\x02\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x04\\x01\\x02\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x08\\x02\\x02\\x80\\x08\\x00\\x00\\x00\\x87K\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x02\\x02\\x80\\x08\\x00\\x00\\x00\\x98\\xa1@\\x00\\x00\\x00\\x00\\x00\\x07\\x02\\x02\\x80\\x08\\x00\\x00\\x00\\x0ffp\\x01\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\x80\\x04\\x00\\x00\\x00K\\x00\\x00\\x00\\x13\\x02\\x02\\x80\\x04\\x00\\x00\\x00m\\x00\\x00\\x00\\x14\\x02\\x02\\x80\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x15\\x02\\x02\\x80\\x04\\x00\\x00\\x00\\x00\\x00\\x04\\x00\\x02\\x02\\x01\\x80\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 20167
          },
          {
            "timestamp": "2026-05-28 22:02:09,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28bcdab",
            "parentcaller": "0x7ff6c28baa3d",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a7c"
              }
            ],
            "repeated": 0,
            "id": 20168
          },
          {
            "timestamp": "2026-05-28 22:02:09,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28c1a63",
            "parentcaller": "0x7ff6c28d9152",
            "category": "device",
            "api": "DeviceIoControl",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "DeviceHandle",
                "value": "0x0000089c"
              },
              {
                "name": "IoControlCode",
                "value": "0x00070020"
              },
              {
                "name": "InBuffer",
                "value": ""
              },
              {
                "name": "OutBuffer",
                "value": "\\x00\\x94\\x82t\\x00\\x00\\x00\\x00\\x00*\\xfb\\x08\\x00\\x00\\x00\\x00q\\x05\\xf5\\x1e\\x00\\x00\\x00\\x00\\xa6\\xea9\\x12\\x00\\x00\\x00\\x00\\x95\\xf6#\\x1e\\x00\\x00\\x00\\x00Yk\\x00\\x00}\\x0e\\x00\\x00\\x00\\x00\\x00\\x00]\\x04\\x00\\x00x\\x077\\xa1\\xed\\xee\\xdc\\x01\\x00\\x00\\x00\\x00P\\x00a\\x00r\\x00t\\x00m\\x00g\\x00r\\x00 \\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 20169
          },
          {
            "timestamp": "2026-05-28 22:02:09,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28ca352",
            "parentcaller": "0x7ff6c28ca1d6",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 20170
          },
          {
            "timestamp": "2026-05-28 22:02:09,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28ca352",
            "parentcaller": "0x7ff6c28ca1d6",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "0",
                "pretty_value": "ThreadBasicInformation"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x03\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb0\\x88\\x9d\\xf0\\x00\\x00\\x00\\xe8\\x1e\\x00\\x00\\x00\\x00\\x00\\x00\\x9c!\\x00\\x00\\x00\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x0b\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "8604"
              }
            ],
            "repeated": 0,
            "id": 20171
          },
          {
            "timestamp": "2026-05-28 22:02:09,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28ca352",
            "parentcaller": "0x7ff6c28ca1d6",
            "category": "system",
            "api": "GetSystemTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 1,
            "id": 20172
          },
          {
            "timestamp": "2026-05-28 22:02:09,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28ca352",
            "parentcaller": "0x7ff6c28ca1d6",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000410"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\PcwDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00224013"
              },
              {
                "name": "InputBuffer",
                "value": "\\x00\t\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": "\\xe0G\\x00\\x00\\x10\\x00\\x00\\x00\\x0c\\x00\\x00\\x00\\x00\\x00\\x00\\x00`\\x14\\x00\\x00 \\x00\\x00\\x00!\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\n\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x98\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x88\\x00\\x00\\x00\\x01\\x00\\x00\\x00p\\x00i\\x00d\\x00_\\x004\\x00_\\x00l\\x00u\\x00i\\x00d\\x00_\\x000\\x00x\\x000\\x000\\x000\\x000\\x000\\x000\\x000\\x000\\x00_\\x000\\x00x\\x000\\x000\\x000\\x000\\x006\\x001\\x006\\x00A\\x00_\\x00p\\x00h\\x00y\\x00s\\x00_\\x000\\x00_\\x00e\\x00n\\x00g\\x00_\\x000\\x00_\\x00e\\x00n\\x00g\\x00t\\x00y\\x00p\\x00e\\x00_\\x003\\x00D\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x01\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x98\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x88\\x00\\x00\\x00\\x01\\x00\\x00\\x00p\\x00i\\x00d\\x00_\\x004\\x00_\\x00l\\x00u\\x00i\\x00d\\x00_\\x000\\x00x\\x000\\x000\\x000\\x000\\x000\\x000\\x000\\x00"
              }
            ],
            "repeated": 0,
            "id": 20173
          },
          {
            "timestamp": "2026-05-28 22:02:09,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28f9829",
            "parentcaller": "0x7ff6c28d8f00",
            "category": "windows",
            "api": "PostMessageW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "WindowHandle",
                "value": "0x000203fa"
              },
              {
                "name": "Message",
                "value": "0x000004e1"
              }
            ],
            "repeated": 0,
            "id": 20174
          },
          {
            "timestamp": "2026-05-28 22:02:09,365",
            "thread_id": "1496",
            "caller": "0x7ff6c2958576",
            "parentcaller": "0x7ff6c2957a42",
            "category": "misc",
            "api": "NtQuerySystemInformation",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SystemInformationClass",
                "value": "3",
                "pretty_value": "FILE_OPEN_IF"
              }
            ],
            "repeated": 0,
            "id": 20175
          },
          {
            "timestamp": "2026-05-28 22:02:09,396",
            "thread_id": "5448",
            "caller": "0x7ff6c28c05ac",
            "parentcaller": "0x7ff6c28bdc11",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a84"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001400",
                "pretty_value": "PROCESS_QUERY_INFORMATION|PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "10420"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe"
              }
            ],
            "repeated": 0,
            "id": 20176
          },
          {
            "timestamp": "2026-05-28 22:02:09,396",
            "thread_id": "5448",
            "caller": "0x7ff6c28c068f",
            "parentcaller": "0x7ff6c28bdc11",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a84"
              }
            ],
            "repeated": 0,
            "id": 20177
          },
          {
            "timestamp": "2026-05-28 22:02:09,396",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c3e56",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a84"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001000",
                "pretty_value": "PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "10420"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe"
              }
            ],
            "repeated": 0,
            "id": 20178
          },
          {
            "timestamp": "2026-05-28 22:02:09,396",
            "thread_id": "5448",
            "caller": "0x7ff6c28c3ebb",
            "parentcaller": "0x7ff6c28c2d53",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a84"
              }
            ],
            "repeated": 0,
            "id": 20179
          },
          {
            "timestamp": "2026-05-28 22:02:09,396",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c3ffc",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a84"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001000",
                "pretty_value": "PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "10420"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe"
              }
            ],
            "repeated": 0,
            "id": 20180
          },
          {
            "timestamp": "2026-05-28 22:02:09,396",
            "thread_id": "5448",
            "caller": "0x7ff6c28c4224",
            "parentcaller": "0x7ff6c28c2da5",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a84"
              }
            ],
            "repeated": 0,
            "id": 20181
          },
          {
            "timestamp": "2026-05-28 22:02:09,396",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29251500002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 20182
          },
          {
            "timestamp": "2026-05-28 22:02:09,396",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29251500000"
              },
              {
                "name": "RegionSize",
                "value": "0x00505000"
              }
            ],
            "repeated": 0,
            "id": 20183
          },
          {
            "timestamp": "2026-05-28 22:02:09,396",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29251500002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 20184
          },
          {
            "timestamp": "2026-05-28 22:02:09,396",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29251500000"
              },
              {
                "name": "RegionSize",
                "value": "0x00505000"
              }
            ],
            "repeated": 0,
            "id": 20185
          },
          {
            "timestamp": "2026-05-28 22:02:09,396",
            "thread_id": "5448",
            "caller": "0x7ff6c28c3b16",
            "parentcaller": "0x7ff6c28c30e8",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a84"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000400",
                "pretty_value": "PROCESS_QUERY_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "10420"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe"
              }
            ],
            "repeated": 0,
            "id": 20186
          },
          {
            "timestamp": "2026-05-28 22:02:09,396",
            "thread_id": "5448",
            "caller": "0x7ff6c28c3b8f",
            "parentcaller": "0x7ff6c28c30e8",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a84"
              }
            ],
            "repeated": 0,
            "id": 20187
          },
          {
            "timestamp": "2026-05-28 22:02:09,396",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c38f8",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a84"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001410",
                "pretty_value": "PROCESS_VM_READ|PROCESS_QUERY_INFORMATION|PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "10420"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe"
              }
            ],
            "repeated": 0,
            "id": 20188
          },
          {
            "timestamp": "2026-05-28 22:02:09,396",
            "thread_id": "5448",
            "caller": "0x7ff6c28c53e5",
            "parentcaller": "0x7ff6c28c3945",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a84"
              },
              {
                "name": "BaseAddress",
                "value": "0x4585f2d000"
              },
              {
                "name": "Size",
                "value": "0x000007c8"
              },
              {
                "name": "Buffer",
                "value": "\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00u4\\xf7\\x7f\\x00\\x00\\xc0\\xc4\\x13x\\xfc\\x7f\\x00\\x00\\xf06@d\\xc8\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00+d\\xc8\\x01\\x00\\x00\\xe0\\xc0\\x13x\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x05\\x00\\x00\\x00\\x00\\x00\\x00\\x00p\\x003v\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00%d\\xc8\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00@\\xc4\\x13x\\xfc\\x7f\\x00\\x00\\xff\\xff?\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xc1\\xa2\\xf4}\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00P\\x07\\xc1\\xa2\\xf4}\\x00\\x00\\x00\\x00\\xd5\\xa4\\xf5}\\x00\\x00(\\x02\\xd6\\xa4\\xf5}\\x00\\x00P\\x06\\xd7\\xa4\\xf5}\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x80\\x9b\\x07m\\xe8\\xff\\xff\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x00 \\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x10\\x00\\x00\\x00@\\xad\\x13x\\xfc\\x7f\\x00\\x00\\x00\\x00\\xe4g\\xc8\\x01\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 20189
          },
          {
            "timestamp": "2026-05-28 22:02:09,396",
            "thread_id": "5448",
            "caller": "0x7ff6c28c5414",
            "parentcaller": "0x7ff6c28c3945",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a84"
              },
              {
                "name": "BaseAddress",
                "value": "0x1c8644036f0"
              },
              {
                "name": "Size",
                "value": "0x00000440"
              },
              {
                "name": "Buffer",
                "value": "\\xdc\\x0b\\x00\\x00\\xdc\\x0b\\x00\\x00\\x01`\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x80\\x00\\x08\\x02\\x00\\x00\\x00\\x00@G@d\\xc8\\x01\\x00\\x00\\x88\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00x\\x00z\\x00\\x00\\x00\\x00\\x008=@d\\xc8\\x01\\x00\\x00:\\x04<\\x04\\x00\\x00\\x00\\x00\\xb2=@d\\xc8\\x01\\x00\\x00\\xf0'@d\\xc8\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x80\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00x\\x00z\\x00\\x00\\x00\\x00\\x00\\xeeA@d\\xc8\\x01\\x00\\x00`\\x00b\\x00\\x00\\x00\\x00\\x00hB@d\\xc8\\x01\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\xcaB@d\\xc8\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 20190
          },
          {
            "timestamp": "2026-05-28 22:02:09,396",
            "thread_id": "5448",
            "caller": "0x7ff6c28c545d",
            "parentcaller": "0x7ff6c28c3945",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a84"
              },
              {
                "name": "BaseAddress",
                "value": "0x1c864403db2"
              },
              {
                "name": "Size",
                "value": "0x0000043a"
              },
              {
                "name": "Buffer",
                "value": "\"\\x00C\\x00:\\x00\\\\x00P\\x00r\\x00o\\x00g\\x00r\\x00a\\x00m\\x00 \\x00F\\x00i\\x00l\\x00e\\x00s\\x00 \\x00(\\x00x\\x008\\x006\\x00)\\x00\\\\x00M\\x00i\\x00c\\x00r\\x00o\\x00s\\x00o\\x00f\\x00t\\x00\\\\x00E\\x00d\\x00g\\x00e\\x00\\\\x00A\\x00p\\x00p\\x00l\\x00i\\x00c\\x00a\\x00t\\x00i\\x00o\\x00n\\x00\\\\x00m\\x00s\\x00e\\x00d\\x00g\\x00e\\x00.\\x00e\\x00x\\x00e\\x00\"\\x00 \\x00-\\x00-\\x00t\\x00y\\x00p\\x00e\\x00=\\x00u\\x00t\\x00i\\x00l\\x00i\\x00t\\x00y\\x00 \\x00-\\x00-\\x00u\\x00t\\x00i\\x00l\\x00i\\x00t\\x00y\\x00-\\x00s\\x00u\\x00b\\x00-\\x00t\\x00y\\x00p\\x00e\\x00=\\x00a\\x00u\\x00d\\x00i\\x00o\\x00.\\x00m\\x00o\\x00j\\x00o\\x00m\\x00.\\x00A\\x00u\\x00d\\x00i\\x00o\\x00S\\x00e\\x00r\\x00v\\x00i\\x00c\\x00e\\x00 \\x00-\\x00-\\x00l\\x00a\\x00n\\x00g\\x00"
              }
            ],
            "repeated": 0,
            "id": 20191
          },
          {
            "timestamp": "2026-05-28 22:02:09,396",
            "thread_id": "5448",
            "caller": "0x7ff6c28c39ad",
            "parentcaller": "0x7ff6c28c31bb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a84"
              }
            ],
            "repeated": 0,
            "id": 20192
          },
          {
            "timestamp": "2026-05-28 22:02:09,396",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c3746",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a84"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001000",
                "pretty_value": "PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "10420"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe"
              }
            ],
            "repeated": 0,
            "id": 20193
          },
          {
            "timestamp": "2026-05-28 22:02:09,396",
            "thread_id": "5448",
            "caller": "0x7ff6c28c472e",
            "parentcaller": "0x7ff6c28c375e",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a84"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x00000a88"
              }
            ],
            "repeated": 0,
            "id": 20194
          },
          {
            "timestamp": "2026-05-28 22:02:09,396",
            "thread_id": "5448",
            "caller": "0x7ff6c28c4764",
            "parentcaller": "0x7ff6c28c375e",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "39"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 20195
          },
          {
            "timestamp": "2026-05-28 22:02:09,396",
            "thread_id": "5448",
            "caller": "0x7ff6c28c47ed",
            "parentcaller": "0x7ff6c28c375e",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "39"
              },
              {
                "name": "TokenInformation",
                "value": "\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00P\\xea\\xe4T\\x92\\x02\\x00\\x00 \\x00 \\x00\\x00\\x00\\x00\\x00x\\xea\\xe4T\\x92\\x02\\x00\\x00\\x02\\x00\\x00\\x00A\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x98\\xea\\xe4T\\x92\\x02\\x00\\x00T\\x00S\\x00A\\x00:\\x00/\\x00/\\x00P\\x00r\\x00o\\x00c\\x00U\\x00n\\x00i\\x00q\\x00u\\x00e\\x00\\x9d\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xef\\x97\n\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 20196
          },
          {
            "timestamp": "2026-05-28 22:02:09,396",
            "thread_id": "5448",
            "caller": "0x7ff6c28c488d",
            "parentcaller": "0x7ff6c28c375e",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a88"
              }
            ],
            "repeated": 0,
            "id": 20197
          },
          {
            "timestamp": "2026-05-28 22:02:09,396",
            "thread_id": "5448",
            "caller": "0x7ff6c28c3779",
            "parentcaller": "0x7ff6c28c31c6",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a84"
              }
            ],
            "repeated": 0,
            "id": 20198
          },
          {
            "timestamp": "2026-05-28 22:02:09,396",
            "thread_id": "1276",
            "caller": "0x7ff6c28d9214",
            "parentcaller": "0x00000000",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "0",
                "pretty_value": "ThreadBasicInformation"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x03\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xd0\\x87\\x9d\\xf0\\x00\\x00\\x00\\xe8\\x1e\\x00\\x00\\x00\\x00\\x00\\x00\\xfc\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\n\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "1276"
              }
            ],
            "repeated": 0,
            "id": 20199
          },
          {
            "timestamp": "2026-05-28 22:02:09,396",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000000",
                "pretty_value": "HKEY_CLASSES_ROOT"
              },
              {
                "name": "SubKey",
                "value": "CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_CLASSES_ROOT\\CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              }
            ],
            "repeated": 0,
            "id": 20200
          },
          {
            "timestamp": "2026-05-28 22:02:09,396",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "shell32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76730000"
              }
            ],
            "repeated": 0,
            "id": 20201
          },
          {
            "timestamp": "2026-05-28 22:02:09,396",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x7ffc76730000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "shell32.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 20202
          },
          {
            "timestamp": "2026-05-28 22:02:09,396",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "SHELL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc76730000"
              },
              {
                "name": "FunctionName",
                "value": "DllGetClassObject"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc767878f0"
              }
            ],
            "repeated": 0,
            "id": 20203
          },
          {
            "timestamp": "2026-05-28 22:02:09,396",
            "thread_id": "1276",
            "caller": "0x7ff6c28c27c9",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "synchronization",
            "api": "NtFindAtom",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "AtomName",
                "value": "{57086C23-86C6-478F-AFB2-236188C8F47F} 3"
              },
              {
                "name": "Atom",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 20204
          },
          {
            "timestamp": "2026-05-28 22:02:09,396",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000000",
                "pretty_value": "HKEY_CLASSES_ROOT"
              },
              {
                "name": "SubKey",
                "value": "CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_CLASSES_ROOT\\CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              }
            ],
            "repeated": 0,
            "id": 20205
          },
          {
            "timestamp": "2026-05-28 22:02:09,396",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "shell32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76730000"
              }
            ],
            "repeated": 0,
            "id": 20206
          },
          {
            "timestamp": "2026-05-28 22:02:09,396",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x7ffc76730000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "shell32.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 20207
          },
          {
            "timestamp": "2026-05-28 22:02:09,396",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "SHELL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc76730000"
              },
              {
                "name": "FunctionName",
                "value": "DllGetClassObject"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc767878f0"
              }
            ],
            "repeated": 0,
            "id": 20208
          },
          {
            "timestamp": "2026-05-28 22:02:09,396",
            "thread_id": "1276",
            "caller": "0x7ff6c28c27c9",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "synchronization",
            "api": "NtFindAtom",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "AtomName",
                "value": "{57086C23-86C6-478F-AFB2-236188C8F47F} 3"
              },
              {
                "name": "Atom",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 20209
          },
          {
            "timestamp": "2026-05-28 22:02:09,396",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000000",
                "pretty_value": "HKEY_CLASSES_ROOT"
              },
              {
                "name": "SubKey",
                "value": "CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_CLASSES_ROOT\\CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              }
            ],
            "repeated": 0,
            "id": 20210
          },
          {
            "timestamp": "2026-05-28 22:02:09,396",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "shell32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76730000"
              }
            ],
            "repeated": 0,
            "id": 20211
          },
          {
            "timestamp": "2026-05-28 22:02:09,396",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x7ffc76730000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "shell32.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 20212
          },
          {
            "timestamp": "2026-05-28 22:02:09,396",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "SHELL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc76730000"
              },
              {
                "name": "FunctionName",
                "value": "DllGetClassObject"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc767878f0"
              }
            ],
            "repeated": 0,
            "id": 20213
          },
          {
            "timestamp": "2026-05-28 22:02:09,396",
            "thread_id": "1276",
            "caller": "0x7ff6c28c27c9",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "synchronization",
            "api": "NtFindAtom",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "AtomName",
                "value": "{57086C23-86C6-478F-AFB2-236188C8F47F} 3"
              },
              {
                "name": "Atom",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 20214
          },
          {
            "timestamp": "2026-05-28 22:02:09,396",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000000",
                "pretty_value": "HKEY_CLASSES_ROOT"
              },
              {
                "name": "SubKey",
                "value": "CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_CLASSES_ROOT\\CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              }
            ],
            "repeated": 0,
            "id": 20215
          },
          {
            "timestamp": "2026-05-28 22:02:09,396",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "shell32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76730000"
              }
            ],
            "repeated": 0,
            "id": 20216
          },
          {
            "timestamp": "2026-05-28 22:02:09,396",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x7ffc76730000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "shell32.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 20217
          },
          {
            "timestamp": "2026-05-28 22:02:09,396",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "SHELL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc76730000"
              },
              {
                "name": "FunctionName",
                "value": "DllGetClassObject"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc767878f0"
              }
            ],
            "repeated": 0,
            "id": 20218
          },
          {
            "timestamp": "2026-05-28 22:02:09,396",
            "thread_id": "1276",
            "caller": "0x7ff6c28c27c9",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "synchronization",
            "api": "NtFindAtom",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "AtomName",
                "value": "{57086C23-86C6-478F-AFB2-236188C8F47F} 3"
              },
              {
                "name": "Atom",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 20219
          },
          {
            "timestamp": "2026-05-28 22:02:09,396",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000000",
                "pretty_value": "HKEY_CLASSES_ROOT"
              },
              {
                "name": "SubKey",
                "value": "CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_CLASSES_ROOT\\CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              }
            ],
            "repeated": 0,
            "id": 20220
          },
          {
            "timestamp": "2026-05-28 22:02:09,396",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "shell32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76730000"
              }
            ],
            "repeated": 0,
            "id": 20221
          },
          {
            "timestamp": "2026-05-28 22:02:09,396",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x7ffc76730000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "shell32.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 20222
          },
          {
            "timestamp": "2026-05-28 22:02:09,396",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "SHELL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc76730000"
              },
              {
                "name": "FunctionName",
                "value": "DllGetClassObject"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc767878f0"
              }
            ],
            "repeated": 0,
            "id": 20223
          },
          {
            "timestamp": "2026-05-28 22:02:09,396",
            "thread_id": "1276",
            "caller": "0x7ff6c28c27c9",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "synchronization",
            "api": "NtFindAtom",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "AtomName",
                "value": "{57086C23-86C6-478F-AFB2-236188C8F47F} 3"
              },
              {
                "name": "Atom",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 20224
          },
          {
            "timestamp": "2026-05-28 22:02:09,396",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000000",
                "pretty_value": "HKEY_CLASSES_ROOT"
              },
              {
                "name": "SubKey",
                "value": "CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_CLASSES_ROOT\\CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              }
            ],
            "repeated": 0,
            "id": 20225
          },
          {
            "timestamp": "2026-05-28 22:02:09,396",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "shell32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76730000"
              }
            ],
            "repeated": 0,
            "id": 20226
          },
          {
            "timestamp": "2026-05-28 22:02:09,396",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x7ffc76730000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "shell32.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 20227
          },
          {
            "timestamp": "2026-05-28 22:02:09,396",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "SHELL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc76730000"
              },
              {
                "name": "FunctionName",
                "value": "DllGetClassObject"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc767878f0"
              }
            ],
            "repeated": 0,
            "id": 20228
          },
          {
            "timestamp": "2026-05-28 22:02:09,412",
            "thread_id": "1276",
            "caller": "0x7ff6c28c27c9",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "synchronization",
            "api": "NtFindAtom",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "AtomName",
                "value": "{57086C23-86C6-478F-AFB2-236188C8F47F} 3"
              },
              {
                "name": "Atom",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 20229
          },
          {
            "timestamp": "2026-05-28 22:02:09,412",
            "thread_id": "1276",
            "caller": "0x7ff6c28d9322",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "oleaut32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc77330000"
              }
            ],
            "repeated": 0,
            "id": 20230
          },
          {
            "timestamp": "2026-05-28 22:02:09,412",
            "thread_id": "5448",
            "caller": "0x7ff6c28bb952",
            "parentcaller": "0x7ff6c28be837",
            "category": "windows",
            "api": "PostMessageW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "WindowHandle",
                "value": "0x00010402"
              },
              {
                "name": "Message",
                "value": "0x00000464"
              }
            ],
            "repeated": 0,
            "id": 20231
          },
          {
            "timestamp": "2026-05-28 22:02:09,412",
            "thread_id": "608",
            "caller": "0x7ff6c28d9e90",
            "parentcaller": "0x7ff6c28d9a49",
            "category": "windows",
            "api": "FindWindowW",
            "status": true,
            "return": "0x00010092",
            "arguments": [
              {
                "name": "ClassName",
                "value": "Shell_TrayWnd"
              },
              {
                "name": "WindowName",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 20232
          },
          {
            "timestamp": "2026-05-28 22:02:09,412",
            "thread_id": "2700",
            "caller": "0x7ffc77bf0e98",
            "parentcaller": "0x7ffc77c6b785",
            "category": "windows",
            "api": "PostMessageW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "WindowHandle",
                "value": "0x00010438"
              },
              {
                "name": "Message",
                "value": "0x00000400"
              }
            ],
            "repeated": 0,
            "id": 20233
          },
          {
            "timestamp": "2026-05-28 22:02:09,490",
            "thread_id": "1276",
            "caller": "0x7ffc77bf0e98",
            "parentcaller": "0x7ffc77c6b785",
            "category": "windows",
            "api": "PostMessageW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "WindowHandle",
                "value": "0x00010424"
              },
              {
                "name": "Message",
                "value": "0x00000400"
              }
            ],
            "repeated": 0,
            "id": 20234
          },
          {
            "timestamp": "2026-05-28 22:02:10,365",
            "thread_id": "5448",
            "caller": "0x7ff6c28bd9af",
            "parentcaller": "0x7ff6c28d9f92",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "23"
              },
              {
                "name": "ThreadInformation",
                "value": "X\\xf4i[\\x00\\x00\\x00\\x00<z\\xe1\"J\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "5448"
              }
            ],
            "repeated": 0,
            "id": 20235
          },
          {
            "timestamp": "2026-05-28 22:02:10,365",
            "thread_id": "5448",
            "caller": "0x7ff6c28c63dd",
            "parentcaller": "0x7ff6c28bac26",
            "category": "misc",
            "api": "NtQuerySystemInformation",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SystemInformationClass",
                "value": "5",
                "pretty_value": "FILE_OVERWRITE_IF"
              }
            ],
            "repeated": 0,
            "id": 20236
          },
          {
            "timestamp": "2026-05-28 22:02:10,365",
            "thread_id": "5448",
            "caller": "0x7ff6c28bda50",
            "parentcaller": "0x7ff6c28d9f92",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "23"
              },
              {
                "name": "ThreadInformation",
                "value": "pf\\xae[\\x00\\x00\\x00\\x00\\xe2\\xae5#J\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "5448"
              }
            ],
            "repeated": 0,
            "id": 20237
          },
          {
            "timestamp": "2026-05-28 22:02:10,365",
            "thread_id": "5448",
            "caller": "0x7ff6c28bdaa2",
            "parentcaller": "0x7ff6c28d9f92",
            "category": "misc",
            "api": "NtQuerySystemInformation",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SystemInformationClass",
                "value": "3",
                "pretty_value": "SystemTimeOfDayInformation"
              }
            ],
            "repeated": 0,
            "id": 20238
          },
          {
            "timestamp": "2026-05-28 22:02:10,365",
            "thread_id": "5448",
            "caller": "0x7ff6c28c4a58",
            "parentcaller": "0x7ff6c28c4bdc",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000410"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\PcwDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00224013"
              },
              {
                "name": "InputBuffer",
                "value": "\\x14\\x04\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": "\\xb8\\x01\\x00\\x00\\x10\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xa8\\x01\\x00\\x00 \\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x000\\x00\\x00\\x0c\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00`\\x00\\x00\\x00\\x00\\x00\\x00\\x00 \\x00\\x00\\x00\\x04\\x00\\x00\\x000\\x00,\\x000\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x04\\x00\\x08\\x00\\x945w\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x05\\x00\\x08\\x00\\xca\\xc7l\\x01\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x1a\\x00\\x08\\x00\\xfb\\x10\\xdd\\x95\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x1b\\x00\\x04\\x00\\xf0\\xa5\\x03\\x03\\x00\\x00\\x00\\x00`\\x00\\x00\\x00\\x01\\x00\\x00\\x00 \\x00\\x00\\x00\\x04\\x00\\x00\\x000\\x00,\\x001\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x04\\x00\\x08\\x00\\xdefK\\x01\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x05\\x00\\x08\\x00\\x1cN\\x0e\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x1a\\x00\\x08\\x00^\\xc41\\x95\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x1b\\x00\\x04\\x00\\xf6\\xa5\\x03\\x03\\x00\\x00\\x00\\x00h\\x00\\x00\\x00\\x02\\x00\\x00\\x00(\\x00\\x00\\x00\\x04\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 20239
          },
          {
            "timestamp": "2026-05-28 22:02:10,365",
            "thread_id": "5448",
            "caller": "0x7ff6c28c4a58",
            "parentcaller": "0x7ff6c28c4c19",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000410"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\PcwDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00224013"
              },
              {
                "name": "InputBuffer",
                "value": "\\x18\\x04\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": "x\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00h\\x00\\x00\\x00 \\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00H\\x00\\x00\\x00\\x00\\x00\\x00\\x00(\\x00\\x00\\x00\\x02\\x00\\x00\\x00d\\x00e\\x00f\\x00a\\x00u\\x00l\\x00t\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x08\\x00\\x1b\\r\\x9f\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x01\\x00\\x08\\x00\\x00\\xde\\xeb\n\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 20240
          },
          {
            "timestamp": "2026-05-28 22:02:10,365",
            "thread_id": "5448",
            "caller": "0x7ff6c28c6f7b",
            "parentcaller": "0x7ff6c28bdb94",
            "category": "misc",
            "api": "GlobalMemoryStatusEx",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "MemoryLoad",
                "value": "36"
              },
              {
                "name": "TotalPhysicalMB",
                "value": "8191"
              }
            ],
            "repeated": 0,
            "id": 20241
          },
          {
            "timestamp": "2026-05-28 22:02:10,365",
            "thread_id": "5448",
            "caller": "0x7ff6c28c05ac",
            "parentcaller": "0x7ff6c28bdc11",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a84"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001400",
                "pretty_value": "PROCESS_QUERY_INFORMATION|PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "748"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe"
              }
            ],
            "repeated": 0,
            "id": 20242
          },
          {
            "timestamp": "2026-05-28 22:02:10,365",
            "thread_id": "5448",
            "caller": "0x7ff6c28c068f",
            "parentcaller": "0x7ff6c28bdc11",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a84"
              }
            ],
            "repeated": 0,
            "id": 20243
          },
          {
            "timestamp": "2026-05-28 22:02:10,365",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c6d7d",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a84"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001400",
                "pretty_value": "PROCESS_QUERY_INFORMATION|PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "748"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe"
              }
            ],
            "repeated": 0,
            "id": 20244
          },
          {
            "timestamp": "2026-05-28 22:02:10,365",
            "thread_id": "5448",
            "caller": "0x7ff6c28c6de3",
            "parentcaller": "0x7ff6c28c087c",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a84"
              }
            ],
            "repeated": 0,
            "id": 20245
          },
          {
            "timestamp": "2026-05-28 22:02:10,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28c4a58",
            "parentcaller": "0x7ff6c28bab11",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000410"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\PcwDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00224013"
              },
              {
                "name": "InputBuffer",
                "value": "\\x88\\x08\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": "x\\x02\\x00\\x00\\x10\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00h\\x02\\x00\\x00 \\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01<\\x06\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x90\\x00\\x00\\x00\\x00\\x00\\x00\\x00 \\x00\\x00\\x00\\x07\\x00\\x00\\x000\\x00,\\x000\\x00\\x00\\x00a\\x00n\\x00a\\x00g\\x00\\x10\\x00\\x00\\x00\\x10\\x00\\x04\\x00\\x00\\x00\\x00\\x00A\\x00p\\x00\\x10\\x00\\x00\\x00\\x1a\\x00\\x08\\x00Gz\\xdd\\x95\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x1b\\x00\\x04\\x00\\xfe\\xa6\\x03\\x03S\\x00e\\x00\\x10\\x00\\x00\\x00\\x1c\\x00\\x08\\x00\\x8b\\xc2\\xc4\\x08\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x1d\\x00\\x04\\x00\\xfe\\xa6\\x03\\x03)\\x00\\x00\\x00\\x10\\x00\\x00\\x00!\\x00\\x08\\x00\\xa6\\x81\\x07\\x94\\x15\\x00\\x00\\x00\\x10\\x00\\x00\\x00\"\\x00\\x04\\x00\\x9f\\xa7\\x7f\\x01o\\x00f\\x00\\x90\\x00\\x00\\x00\\x01\\x00\\x00\\x00 \\x00\\x00\\x00\\x07\\x00\\x00\\x000\\x00,\\x001\\x00\\x00\\x00n\\x00t\\x00\\x00\\x00A\\x00\\x10\\x00\\x00\\x00\\x10\\x00\\x04\\x00\\x00\\x00\\x00\\x00e\\x00n\\x00\\x10\\x00\\x00\\x00\\x1a\\x00\\x08\\x00\\xdc,2\\x95\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 20246
          },
          {
            "timestamp": "2026-05-28 22:02:10,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28c7164",
            "parentcaller": "0x7ff6c28c4d2d",
            "category": "misc",
            "api": "NtQuerySystemInformation",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "SystemInformationClass",
                "value": "79"
              }
            ],
            "repeated": 0,
            "id": 20247
          },
          {
            "timestamp": "2026-05-28 22:02:10,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28c71d8",
            "parentcaller": "0x7ff6c28c4d2d",
            "category": "misc",
            "api": "NtQuerySystemInformation",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SystemInformationClass",
                "value": "79"
              }
            ],
            "repeated": 0,
            "id": 20248
          },
          {
            "timestamp": "2026-05-28 22:02:10,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28c4d5f",
            "parentcaller": "0x7ff6c28d9152",
            "category": "misc",
            "api": "NtQuerySystemInformation",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SystemInformationClass",
                "value": "182"
              }
            ],
            "repeated": 0,
            "id": 20249
          },
          {
            "timestamp": "2026-05-28 22:02:10,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28c4d76",
            "parentcaller": "0x7ff6c28d9152",
            "category": "misc",
            "api": "GetPhysicallyInstalledSystemMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TotalMemoryInKilobytes",
                "value": "8388608"
              }
            ],
            "repeated": 0,
            "id": 20250
          },
          {
            "timestamp": "2026-05-28 22:02:10,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28bcc3e",
            "parentcaller": "0x7ff6c28baa3d",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000008a4"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\Nsi"
              },
              {
                "name": "IoControlCode",
                "value": "0x00120007"
              },
              {
                "name": "InputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb1\\xa9t\\xfc\\x7f\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xc0\\xe5O\\x9e\\xf0\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb1\\xa9t\\xfc\\x7f\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xc0\\xe5O\\x9e\\xf0\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 20251
          },
          {
            "timestamp": "2026-05-28 22:02:10,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28bcc3e",
            "parentcaller": "0x7ff6c28baa3d",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a84"
              }
            ],
            "repeated": 0,
            "id": 20252
          },
          {
            "timestamp": "2026-05-28 22:02:10,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28bcc3e",
            "parentcaller": "0x7ff6c28baa3d",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000008a4"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\Nsi"
              },
              {
                "name": "IoControlCode",
                "value": "0x0012000f"
              },
              {
                "name": "InputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb1\\xa9t\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xd0\\xe5O\\x9e\\xf0\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\xeeO\\x9e\\xf0\\x00\\x00\\x00D\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xe6O\\x9e\\xf0\\x00\\x00\\x00\\xd8\\x00\\x00\\x00\\x00\\x00\\x00\\x00 \\xe9O\\x9e\\xf0\\x00\\x00\\x00X\\x02\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb1\\xa9t\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xd0\\xe5O\\x9e\\xf0\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\xeeO\\x9e\\xf0\\x00\\x00\\x00D\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xe6O\\x9e\\xf0\\x00\\x00\\x00\\xd8\\x00\\x00\\x00\\x00\\x00\\x00\\x00 \\xe9O\\x9e\\xf0\\x00\\x00\\x00X\\x02\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 20253
          },
          {
            "timestamp": "2026-05-28 22:02:10,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28bcc3e",
            "parentcaller": "0x7ff6c28baa3d",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a84"
              }
            ],
            "repeated": 0,
            "id": 20254
          },
          {
            "timestamp": "2026-05-28 22:02:10,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28bcd3d",
            "parentcaller": "0x7ff6c28baa3d",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000a84"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0012019f",
                "pretty_value": "FILE_GENERIC_READ|FILE_GENERIC_WRITE"
              },
              {
                "name": "FileName",
                "value": "\\Device\\{4C572733-2FBA-4346-9601-F86DBA666EF2}"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 20255
          },
          {
            "timestamp": "2026-05-28 22:02:10,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28bcd94",
            "parentcaller": "0x7ff6c28baa3d",
            "category": "device",
            "api": "DeviceIoControl",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "DeviceHandle",
                "value": "0x00000a84"
              },
              {
                "name": "IoControlCode",
                "value": "0x0017003e"
              },
              {
                "name": "InBuffer",
                "value": "\\x07\\x01\\x01\\x00\\x04\\x01\\x01\\x80\\x14\\x01\\x01\\x80\\x01\\x01\\x02\\x00\\x02\\x01\\x02\\x00\\x03\\x01\\x02\\x00\\x04\\x01\\x02\\x00\\x08\\x02\\x02\\x80\\x01\\x02\\x02\\x80\\x07\\x02\\x02\\x80\\xff\\xff\\xff\\x80\\x13\\x02\\x02\\x80\\x14\\x02\\x02\\x80\\x15\\x02\\x02\\x80\\x02\\x02\\x01\\x80"
              },
              {
                "name": "OutBuffer",
                "value": "\\x07\\x01\\x01\\x00\\x04\\x00\\x00\\x00\\x80\\x96\\x98\\x00\\x04\\x01\\x01\\x80\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x14\\x01\\x01\\x80\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x01\\x02\\x00\\x08\\x00\\x00\\x00\\x1f\\x12\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x01\\x02\\x00\\x08\\x00\\x00\\x00\\xefZ\\x00\\x00\\x00\\x00\\x00\\x00\\x03\\x01\\x02\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x04\\x01\\x02\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x08\\x02\\x02\\x80\\x08\\x00\\x00\\x00\\xeaZ\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x02\\x02\\x80\\x08\\x00\\x00\\x00\\xcf\\xa5B\\x00\\x00\\x00\\x00\\x00\\x07\\x02\\x02\\x80\\x08\\x00\\x00\\x00\\xda\\x10\\xcb\\x01\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\x80\\x04\\x00\\x00\\x00L\\x00\\x00\\x00\\x13\\x02\\x02\\x80\\x04\\x00\\x00\\x00m\\x00\\x00\\x00\\x14\\x02\\x02\\x80\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x15\\x02\\x02\\x80\\x04\\x00\\x00\\x00\\x00\\x00\\x04\\x00\\x02\\x02\\x01\\x80\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 20256
          },
          {
            "timestamp": "2026-05-28 22:02:10,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28bcdab",
            "parentcaller": "0x7ff6c28baa3d",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a84"
              }
            ],
            "repeated": 0,
            "id": 20257
          },
          {
            "timestamp": "2026-05-28 22:02:10,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28c1a63",
            "parentcaller": "0x7ff6c28d9152",
            "category": "device",
            "api": "DeviceIoControl",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "DeviceHandle",
                "value": "0x0000089c"
              },
              {
                "name": "IoControlCode",
                "value": "0x00070020"
              },
              {
                "name": "InBuffer",
                "value": ""
              },
              {
                "name": "OutBuffer",
                "value": "\\x00\\x92\\x8ct\\x00\\x00\\x00\\x00\\x00\\xd8\r\t\\x00\\x00\\x00\\x00\\xad\\xcf\\xf8\\x1e\\x00\\x00\\x00\\x00?\\xa9N\\x12\\x00\\x00\\x00\\x00Gg\\xa6\\x1e\\x00\\x00\\x00\\x00~k\\x00\\x00\\x95\\x0e\\x00\\x00\\x00\\x00\\x00\\x00a\\x04\\x00\\x00\\xf7%\\xd0\\xa1\\xed\\xee\\xdc\\x01\\x00\\x00\\x00\\x00P\\x00a\\x00r\\x00t\\x00m\\x00g\\x00r\\x00 \\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 20258
          },
          {
            "timestamp": "2026-05-28 22:02:10,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28ca352",
            "parentcaller": "0x7ff6c28ca1d6",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 20259
          },
          {
            "timestamp": "2026-05-28 22:02:10,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28ca352",
            "parentcaller": "0x7ff6c28ca1d6",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "0",
                "pretty_value": "ThreadBasicInformation"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x03\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb0\\x88\\x9d\\xf0\\x00\\x00\\x00\\xe8\\x1e\\x00\\x00\\x00\\x00\\x00\\x00\\x9c!\\x00\\x00\\x00\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x0b\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "8604"
              }
            ],
            "repeated": 0,
            "id": 20260
          },
          {
            "timestamp": "2026-05-28 22:02:10,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28ca352",
            "parentcaller": "0x7ff6c28ca1d6",
            "category": "system",
            "api": "GetSystemTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 1,
            "id": 20261
          },
          {
            "timestamp": "2026-05-28 22:02:10,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28ca352",
            "parentcaller": "0x7ff6c28ca1d6",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000410"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\PcwDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00224013"
              },
              {
                "name": "InputBuffer",
                "value": "\\x00\t\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": "\\xe0G\\x00\\x00\\x10\\x00\\x00\\x00\\x0c\\x00\\x00\\x00\\x00\\x00\\x00\\x00`\\x14\\x00\\x00 \\x00\\x00\\x00!\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\n\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x98\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x88\\x00\\x00\\x00\\x01\\x00\\x00\\x00p\\x00i\\x00d\\x00_\\x004\\x00_\\x00l\\x00u\\x00i\\x00d\\x00_\\x000\\x00x\\x000\\x000\\x000\\x000\\x000\\x000\\x000\\x000\\x00_\\x000\\x00x\\x000\\x000\\x000\\x000\\x006\\x001\\x006\\x00A\\x00_\\x00p\\x00h\\x00y\\x00s\\x00_\\x000\\x00_\\x00e\\x00n\\x00g\\x00_\\x000\\x00_\\x00e\\x00n\\x00g\\x00t\\x00y\\x00p\\x00e\\x00_\\x003\\x00D\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x01\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x98\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x88\\x00\\x00\\x00\\x01\\x00\\x00\\x00p\\x00i\\x00d\\x00_\\x004\\x00_\\x00l\\x00u\\x00i\\x00d\\x00_\\x000\\x00x\\x000\\x000\\x000\\x000\\x000\\x000\\x000\\x00"
              }
            ],
            "repeated": 0,
            "id": 20262
          },
          {
            "timestamp": "2026-05-28 22:02:10,365",
            "thread_id": "1276",
            "caller": "0x7ff6c28d9214",
            "parentcaller": "0x00000000",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "0",
                "pretty_value": "ThreadBasicInformation"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x03\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xd0\\x87\\x9d\\xf0\\x00\\x00\\x00\\xe8\\x1e\\x00\\x00\\x00\\x00\\x00\\x00\\xfc\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\n\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "1276"
              }
            ],
            "repeated": 0,
            "id": 20263
          },
          {
            "timestamp": "2026-05-28 22:02:10,365",
            "thread_id": "8604",
            "caller": "0x7ff6c28f9829",
            "parentcaller": "0x7ff6c28d8f00",
            "category": "windows",
            "api": "PostMessageW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "WindowHandle",
                "value": "0x000203fa"
              },
              {
                "name": "Message",
                "value": "0x000004e1"
              }
            ],
            "repeated": 0,
            "id": 20264
          },
          {
            "timestamp": "2026-05-28 22:02:10,365",
            "thread_id": "1496",
            "caller": "0x7ff6c2958576",
            "parentcaller": "0x7ff6c2957a42",
            "category": "misc",
            "api": "NtQuerySystemInformation",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SystemInformationClass",
                "value": "3",
                "pretty_value": "SystemTimeOfDayInformation"
              }
            ],
            "repeated": 0,
            "id": 20265
          },
          {
            "timestamp": "2026-05-28 22:02:10,381",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000000",
                "pretty_value": "HKEY_CLASSES_ROOT"
              },
              {
                "name": "SubKey",
                "value": "CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_CLASSES_ROOT\\CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              }
            ],
            "repeated": 0,
            "id": 20266
          },
          {
            "timestamp": "2026-05-28 22:02:10,381",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "shell32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76730000"
              }
            ],
            "repeated": 0,
            "id": 20267
          },
          {
            "timestamp": "2026-05-28 22:02:10,381",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x7ffc76730000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "shell32.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 20268
          },
          {
            "timestamp": "2026-05-28 22:02:10,381",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "SHELL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc76730000"
              },
              {
                "name": "FunctionName",
                "value": "DllGetClassObject"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc767878f0"
              }
            ],
            "repeated": 0,
            "id": 20269
          },
          {
            "timestamp": "2026-05-28 22:02:10,381",
            "thread_id": "1276",
            "caller": "0x7ff6c28c27c9",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "synchronization",
            "api": "NtFindAtom",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "AtomName",
                "value": "{57086C23-86C6-478F-AFB2-236188C8F47F} 3"
              },
              {
                "name": "Atom",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 20270
          },
          {
            "timestamp": "2026-05-28 22:02:10,381",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000000",
                "pretty_value": "HKEY_CLASSES_ROOT"
              },
              {
                "name": "SubKey",
                "value": "CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_CLASSES_ROOT\\CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              }
            ],
            "repeated": 0,
            "id": 20271
          },
          {
            "timestamp": "2026-05-28 22:02:10,381",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "shell32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76730000"
              }
            ],
            "repeated": 0,
            "id": 20272
          },
          {
            "timestamp": "2026-05-28 22:02:10,381",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x7ffc76730000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "shell32.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 20273
          },
          {
            "timestamp": "2026-05-28 22:02:10,381",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "SHELL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc76730000"
              },
              {
                "name": "FunctionName",
                "value": "DllGetClassObject"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc767878f0"
              }
            ],
            "repeated": 0,
            "id": 20274
          },
          {
            "timestamp": "2026-05-28 22:02:10,381",
            "thread_id": "1276",
            "caller": "0x7ff6c28c27c9",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "synchronization",
            "api": "NtFindAtom",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "AtomName",
                "value": "{57086C23-86C6-478F-AFB2-236188C8F47F} 3"
              },
              {
                "name": "Atom",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 20275
          },
          {
            "timestamp": "2026-05-28 22:02:10,381",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000000",
                "pretty_value": "HKEY_CLASSES_ROOT"
              },
              {
                "name": "SubKey",
                "value": "CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_CLASSES_ROOT\\CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              }
            ],
            "repeated": 0,
            "id": 20276
          },
          {
            "timestamp": "2026-05-28 22:02:10,381",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "shell32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76730000"
              }
            ],
            "repeated": 0,
            "id": 20277
          },
          {
            "timestamp": "2026-05-28 22:02:10,381",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x7ffc76730000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "shell32.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 20278
          },
          {
            "timestamp": "2026-05-28 22:02:10,381",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "SHELL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc76730000"
              },
              {
                "name": "FunctionName",
                "value": "DllGetClassObject"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc767878f0"
              }
            ],
            "repeated": 0,
            "id": 20279
          },
          {
            "timestamp": "2026-05-28 22:02:10,381",
            "thread_id": "1276",
            "caller": "0x7ff6c28c27c9",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "synchronization",
            "api": "NtFindAtom",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "AtomName",
                "value": "{57086C23-86C6-478F-AFB2-236188C8F47F} 3"
              },
              {
                "name": "Atom",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 20280
          },
          {
            "timestamp": "2026-05-28 22:02:10,412",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000000",
                "pretty_value": "HKEY_CLASSES_ROOT"
              },
              {
                "name": "SubKey",
                "value": "CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_CLASSES_ROOT\\CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              }
            ],
            "repeated": 0,
            "id": 20281
          },
          {
            "timestamp": "2026-05-28 22:02:10,412",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "shell32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76730000"
              }
            ],
            "repeated": 0,
            "id": 20282
          },
          {
            "timestamp": "2026-05-28 22:02:10,412",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x7ffc76730000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "shell32.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 20283
          },
          {
            "timestamp": "2026-05-28 22:02:10,412",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "SHELL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc76730000"
              },
              {
                "name": "FunctionName",
                "value": "DllGetClassObject"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc767878f0"
              }
            ],
            "repeated": 0,
            "id": 20284
          },
          {
            "timestamp": "2026-05-28 22:02:10,412",
            "thread_id": "1276",
            "caller": "0x7ff6c28c27c9",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "synchronization",
            "api": "NtFindAtom",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "AtomName",
                "value": "{57086C23-86C6-478F-AFB2-236188C8F47F} 3"
              },
              {
                "name": "Atom",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 20285
          },
          {
            "timestamp": "2026-05-28 22:02:10,412",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000000",
                "pretty_value": "HKEY_CLASSES_ROOT"
              },
              {
                "name": "SubKey",
                "value": "CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_CLASSES_ROOT\\CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              }
            ],
            "repeated": 0,
            "id": 20286
          },
          {
            "timestamp": "2026-05-28 22:02:10,412",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "shell32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76730000"
              }
            ],
            "repeated": 0,
            "id": 20287
          },
          {
            "timestamp": "2026-05-28 22:02:10,412",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x7ffc76730000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "shell32.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 20288
          },
          {
            "timestamp": "2026-05-28 22:02:10,412",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "SHELL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc76730000"
              },
              {
                "name": "FunctionName",
                "value": "DllGetClassObject"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc767878f0"
              }
            ],
            "repeated": 0,
            "id": 20289
          },
          {
            "timestamp": "2026-05-28 22:02:10,412",
            "thread_id": "1276",
            "caller": "0x7ff6c28c27c9",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "synchronization",
            "api": "NtFindAtom",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "AtomName",
                "value": "{57086C23-86C6-478F-AFB2-236188C8F47F} 3"
              },
              {
                "name": "Atom",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 20290
          },
          {
            "timestamp": "2026-05-28 22:02:10,412",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000000",
                "pretty_value": "HKEY_CLASSES_ROOT"
              },
              {
                "name": "SubKey",
                "value": "CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_CLASSES_ROOT\\CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              }
            ],
            "repeated": 0,
            "id": 20291
          },
          {
            "timestamp": "2026-05-28 22:02:10,412",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "shell32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76730000"
              }
            ],
            "repeated": 0,
            "id": 20292
          },
          {
            "timestamp": "2026-05-28 22:02:10,412",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x7ffc76730000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "shell32.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 20293
          },
          {
            "timestamp": "2026-05-28 22:02:10,412",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "SHELL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc76730000"
              },
              {
                "name": "FunctionName",
                "value": "DllGetClassObject"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc767878f0"
              }
            ],
            "repeated": 0,
            "id": 20294
          },
          {
            "timestamp": "2026-05-28 22:02:10,412",
            "thread_id": "1276",
            "caller": "0x7ff6c28c27c9",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "synchronization",
            "api": "NtFindAtom",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "AtomName",
                "value": "{57086C23-86C6-478F-AFB2-236188C8F47F} 3"
              },
              {
                "name": "Atom",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 20295
          },
          {
            "timestamp": "2026-05-28 22:02:10,412",
            "thread_id": "1276",
            "caller": "0x7ff6c28d9322",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "oleaut32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc77330000"
              }
            ],
            "repeated": 0,
            "id": 20296
          },
          {
            "timestamp": "2026-05-28 22:02:10,412",
            "thread_id": "5448",
            "caller": "0x7ff6c28bb952",
            "parentcaller": "0x7ff6c28be837",
            "category": "windows",
            "api": "PostMessageW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "WindowHandle",
                "value": "0x00010402"
              },
              {
                "name": "Message",
                "value": "0x00000464"
              }
            ],
            "repeated": 0,
            "id": 20297
          },
          {
            "timestamp": "2026-05-28 22:02:10,412",
            "thread_id": "608",
            "caller": "0x7ff6c28d9e90",
            "parentcaller": "0x7ff6c28d9a49",
            "category": "windows",
            "api": "FindWindowW",
            "status": true,
            "return": "0x00010092",
            "arguments": [
              {
                "name": "ClassName",
                "value": "Shell_TrayWnd"
              },
              {
                "name": "WindowName",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 20298
          },
          {
            "timestamp": "2026-05-28 22:02:10,412",
            "thread_id": "2700",
            "caller": "0x7ffc77bf0e98",
            "parentcaller": "0x7ffc77c6b785",
            "category": "windows",
            "api": "PostMessageW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "WindowHandle",
                "value": "0x00010438"
              },
              {
                "name": "Message",
                "value": "0x00000400"
              }
            ],
            "repeated": 0,
            "id": 20299
          },
          {
            "timestamp": "2026-05-28 22:02:10,490",
            "thread_id": "1276",
            "caller": "0x7ffc77bf0e98",
            "parentcaller": "0x7ffc77c6b785",
            "category": "windows",
            "api": "PostMessageW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "WindowHandle",
                "value": "0x00010424"
              },
              {
                "name": "Message",
                "value": "0x00000400"
              }
            ],
            "repeated": 0,
            "id": 20300
          },
          {
            "timestamp": "2026-05-28 22:02:10,787",
            "thread_id": "612",
            "caller": "0x7ff6c296b9f3",
            "parentcaller": "0x7ff6c296e5f8",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 20301
          },
          {
            "timestamp": "2026-05-28 22:02:10,787",
            "thread_id": "612",
            "caller": "0x7ff6c296ba63",
            "parentcaller": "0x7ff6c296e5f8",
            "category": "filesystem",
            "api": "FindFirstFileExW",
            "status": true,
            "return": "0x29254aa7360",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Users\\admin\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\*.*"
              },
              {
                "name": "FirstCreateTimeLow",
                "value": "0xaff228df"
              },
              {
                "name": "FirstCreateTimeHigh",
                "value": "0x01dceeb6"
              }
            ],
            "repeated": 0,
            "id": 20302
          },
          {
            "timestamp": "2026-05-28 22:02:10,787",
            "thread_id": "612",
            "caller": "0x7ff6c296b9d4",
            "parentcaller": "0x7ff6c296e5f8",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a84"
              }
            ],
            "repeated": 0,
            "id": 20303
          },
          {
            "timestamp": "2026-05-28 22:02:10,787",
            "thread_id": "612",
            "caller": "0x7ff6c296b9f3",
            "parentcaller": "0x7ff6c296e5f8",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 20304
          },
          {
            "timestamp": "2026-05-28 22:02:10,787",
            "thread_id": "612",
            "caller": "0x7ff6c296ba63",
            "parentcaller": "0x7ff6c296e5f8",
            "category": "filesystem",
            "api": "FindFirstFileExW",
            "status": true,
            "return": "0x29254aa7360",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\StartUp\\*.*"
              },
              {
                "name": "FirstCreateTimeLow",
                "value": "0xc867053b"
              },
              {
                "name": "FirstCreateTimeHigh",
                "value": "0x01d5acde"
              }
            ],
            "repeated": 0,
            "id": 20305
          },
          {
            "timestamp": "2026-05-28 22:02:10,787",
            "thread_id": "612",
            "caller": "0x7ff6c296bd3f",
            "parentcaller": "0x7ff6c296e5f8",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a84"
              }
            ],
            "repeated": 0,
            "id": 20306
          },
          {
            "timestamp": "2026-05-28 22:02:10,787",
            "thread_id": "612",
            "caller": "0x7ff6c296c455",
            "parentcaller": "0x7ff6c296e63c",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Run"
              },
              {
                "name": "Handle",
                "value": "0x00000a84"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Run"
              }
            ],
            "repeated": 0,
            "id": 20307
          },
          {
            "timestamp": "2026-05-28 22:02:10,787",
            "thread_id": "612",
            "caller": "0x7ff6c296c0df",
            "parentcaller": "0x7ff6c296c48a",
            "category": "registry",
            "api": "RegQueryInfoKeyW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000a84"
              },
              {
                "name": "Class",
                "value": ""
              },
              {
                "name": "SubKeyCount",
                "value": "0"
              },
              {
                "name": "MaxSubKeyLength",
                "value": "0"
              },
              {
                "name": "MaxClassLength",
                "value": "0"
              },
              {
                "name": "ValueCount",
                "value": "2"
              },
              {
                "name": "MaxValueNameLength",
                "value": "0"
              },
              {
                "name": "MaxValueLength",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 20308
          },
          {
            "timestamp": "2026-05-28 22:02:10,787",
            "thread_id": "612",
            "caller": "0x7ff6c290d36c",
            "parentcaller": "0x7ff6c296c16e",
            "category": "registry",
            "api": "RegEnumValueW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a84"
              },
              {
                "name": "Index",
                "value": "0"
              },
              {
                "name": "ValueName",
                "value": "SecurityHealth"
              },
              {
                "name": "Type",
                "value": "2",
                "pretty_value": "REG_EXPAND_SZ"
              },
              {
                "name": "DataLength",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\SecurityHealth"
              }
            ],
            "repeated": 0,
            "id": 20309
          },
          {
            "timestamp": "2026-05-28 22:02:10,787",
            "thread_id": "612",
            "caller": "0x7ff6c290d20b",
            "parentcaller": "0x7ff6c296c1bd",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a84"
              },
              {
                "name": "ValueName",
                "value": "SecurityHealth"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\SecurityHealth"
              }
            ],
            "repeated": 0,
            "id": 20310
          },
          {
            "timestamp": "2026-05-28 22:02:10,787",
            "thread_id": "612",
            "caller": "0x7ff6c290d2e0",
            "parentcaller": "0x7ff6c296c1bd",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a84"
              },
              {
                "name": "ValueName",
                "value": "SecurityHealth"
              },
              {
                "name": "Data",
                "value": "%windir%\\system32\\SecurityHealthSystray.exe"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\SecurityHealth"
              }
            ],
            "repeated": 0,
            "id": 20311
          },
          {
            "timestamp": "2026-05-28 22:02:10,787",
            "thread_id": "612",
            "caller": "0x7ff6c296abc5",
            "parentcaller": "0x7ff6c296e244",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004a4"
              },
              {
                "name": "ValueName",
                "value": "SecurityHealth"
              },
              {
                "name": "Data",
                "value": "\\x06\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\StartupApproved\\Run\\SecurityHealth"
              }
            ],
            "repeated": 0,
            "id": 20312
          },
          {
            "timestamp": "2026-05-28 22:02:10,787",
            "thread_id": "612",
            "caller": "0x7ff6c290bbeb",
            "parentcaller": "0x7ff6c296cf53",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 20313
          },
          {
            "timestamp": "2026-05-28 22:02:10,787",
            "thread_id": "612",
            "caller": "0x7ff6c290bbeb",
            "parentcaller": "0x7ff6c296cf53",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\SecurityHealthSystray.exe"
              }
            ],
            "repeated": 0,
            "id": 20314
          },
          {
            "timestamp": "2026-05-28 22:02:10,787",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29251520002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\system32\\SecurityHealthSystray.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 20315
          },
          {
            "timestamp": "2026-05-28 22:02:10,787",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "registry",
            "api": "NtOpenKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\en-US"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\en-US"
              }
            ],
            "repeated": 0,
            "id": 20316
          },
          {
            "timestamp": "2026-05-28 22:02:10,787",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100001",
                "pretty_value": "FILE_READ_ACCESS|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\en-US\\SecurityHealthSystray.exe.mui"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 20317
          },
          {
            "timestamp": "2026-05-28 22:02:10,787",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "registry",
            "api": "NtOpenKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\en"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\en"
              }
            ],
            "repeated": 0,
            "id": 20318
          },
          {
            "timestamp": "2026-05-28 22:02:10,787",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100001",
                "pretty_value": "FILE_READ_ACCESS|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\en\\SecurityHealthSystray.exe.mui"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 20319
          },
          {
            "timestamp": "2026-05-28 22:02:10,787",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\SecurityHealthSystray.exe"
              }
            ],
            "repeated": 0,
            "id": 20320
          },
          {
            "timestamp": "2026-05-28 22:02:10,787",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29251520000"
              },
              {
                "name": "RegionSize",
                "value": "0x00019000"
              }
            ],
            "repeated": 0,
            "id": 20321
          },
          {
            "timestamp": "2026-05-28 22:02:10,787",
            "thread_id": "612",
            "caller": "0x7ff6c28c9b37",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29251520002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\system32\\SecurityHealthSystray.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 20322
          },
          {
            "timestamp": "2026-05-28 22:02:10,787",
            "thread_id": "612",
            "caller": "0x7ff6c28c9b37",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "registry",
            "api": "NtOpenKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\en-US"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\en-US"
              }
            ],
            "repeated": 0,
            "id": 20323
          },
          {
            "timestamp": "2026-05-28 22:02:10,787",
            "thread_id": "612",
            "caller": "0x7ff6c28c9b37",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100001",
                "pretty_value": "FILE_READ_ACCESS|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\en-US\\SecurityHealthSystray.exe.mui"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 20324
          },
          {
            "timestamp": "2026-05-28 22:02:10,787",
            "thread_id": "612",
            "caller": "0x7ff6c28c9b37",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "registry",
            "api": "NtOpenKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\en"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\en"
              }
            ],
            "repeated": 0,
            "id": 20325
          },
          {
            "timestamp": "2026-05-28 22:02:10,787",
            "thread_id": "612",
            "caller": "0x7ff6c28c9b37",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100001",
                "pretty_value": "FILE_READ_ACCESS|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\en\\SecurityHealthSystray.exe.mui"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 20326
          },
          {
            "timestamp": "2026-05-28 22:02:10,787",
            "thread_id": "612",
            "caller": "0x7ff6c28c9b37",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\SecurityHealthSystray.exe"
              }
            ],
            "repeated": 0,
            "id": 20327
          },
          {
            "timestamp": "2026-05-28 22:02:10,787",
            "thread_id": "612",
            "caller": "0x7ff6c28c9b37",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29251520000"
              },
              {
                "name": "RegionSize",
                "value": "0x00019000"
              }
            ],
            "repeated": 0,
            "id": 20328
          },
          {
            "timestamp": "2026-05-28 22:02:10,787",
            "thread_id": "612",
            "caller": "0x7ff6c296e129",
            "parentcaller": "0x7ff6c296d3aa",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\SecurityHealthSystray.exe"
              }
            ],
            "repeated": 1,
            "id": 20329
          },
          {
            "timestamp": "2026-05-28 22:02:10,787",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29251520002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\System32\\SecurityHealthSystray.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 20330
          },
          {
            "timestamp": "2026-05-28 22:02:10,787",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "registry",
            "api": "NtOpenKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\en-US"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\en-US"
              }
            ],
            "repeated": 0,
            "id": 20331
          },
          {
            "timestamp": "2026-05-28 22:02:10,787",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100001",
                "pretty_value": "FILE_READ_ACCESS|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\en-US\\SecurityHealthSystray.exe.mui"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 20332
          },
          {
            "timestamp": "2026-05-28 22:02:10,787",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "registry",
            "api": "NtOpenKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\en"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\en"
              }
            ],
            "repeated": 0,
            "id": 20333
          },
          {
            "timestamp": "2026-05-28 22:02:10,787",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100001",
                "pretty_value": "FILE_READ_ACCESS|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\en\\SecurityHealthSystray.exe.mui"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 20334
          },
          {
            "timestamp": "2026-05-28 22:02:10,787",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\SecurityHealthSystray.exe"
              }
            ],
            "repeated": 0,
            "id": 20335
          },
          {
            "timestamp": "2026-05-28 22:02:10,787",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29251520000"
              },
              {
                "name": "RegionSize",
                "value": "0x00019000"
              }
            ],
            "repeated": 0,
            "id": 20336
          },
          {
            "timestamp": "2026-05-28 22:02:10,787",
            "thread_id": "612",
            "caller": "0x7ff6c28c9b37",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29251520002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\System32\\SecurityHealthSystray.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 20337
          },
          {
            "timestamp": "2026-05-28 22:02:10,787",
            "thread_id": "612",
            "caller": "0x7ff6c28c9b37",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "registry",
            "api": "NtOpenKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\en-US"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\en-US"
              }
            ],
            "repeated": 0,
            "id": 20338
          },
          {
            "timestamp": "2026-05-28 22:02:10,787",
            "thread_id": "612",
            "caller": "0x7ff6c28c9b37",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100001",
                "pretty_value": "FILE_READ_ACCESS|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\en-US\\SecurityHealthSystray.exe.mui"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 20339
          },
          {
            "timestamp": "2026-05-28 22:02:10,787",
            "thread_id": "612",
            "caller": "0x7ff6c28c9b37",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "registry",
            "api": "NtOpenKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\en"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\en"
              }
            ],
            "repeated": 0,
            "id": 20340
          },
          {
            "timestamp": "2026-05-28 22:02:10,787",
            "thread_id": "612",
            "caller": "0x7ff6c28c9b37",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100001",
                "pretty_value": "FILE_READ_ACCESS|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\en\\SecurityHealthSystray.exe.mui"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 20341
          },
          {
            "timestamp": "2026-05-28 22:02:10,787",
            "thread_id": "612",
            "caller": "0x7ff6c28c9b37",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\SecurityHealthSystray.exe"
              }
            ],
            "repeated": 0,
            "id": 20342
          },
          {
            "timestamp": "2026-05-28 22:02:10,787",
            "thread_id": "612",
            "caller": "0x7ff6c28c9b37",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29251520000"
              },
              {
                "name": "RegionSize",
                "value": "0x00019000"
              }
            ],
            "repeated": 0,
            "id": 20343
          },
          {
            "timestamp": "2026-05-28 22:02:10,787",
            "thread_id": "612",
            "caller": "0x7ff6c296e129",
            "parentcaller": "0x7ff6c296c7fa",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\SecurityHealthSystray.exe"
              }
            ],
            "repeated": 0,
            "id": 20344
          },
          {
            "timestamp": "2026-05-28 22:02:10,787",
            "thread_id": "612",
            "caller": "0x7ff6c290d36c",
            "parentcaller": "0x7ff6c296c16e",
            "category": "registry",
            "api": "RegEnumValueW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a84"
              },
              {
                "name": "Index",
                "value": "1"
              },
              {
                "name": "ValueName",
                "value": "CAPEAgent"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "DataLength",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\CAPEAgent"
              }
            ],
            "repeated": 0,
            "id": 20345
          },
          {
            "timestamp": "2026-05-28 22:02:10,787",
            "thread_id": "612",
            "caller": "0x7ff6c290d20b",
            "parentcaller": "0x7ff6c296c1bd",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a84"
              },
              {
                "name": "ValueName",
                "value": "CAPEAgent"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\CAPEAgent"
              }
            ],
            "repeated": 0,
            "id": 20346
          },
          {
            "timestamp": "2026-05-28 22:02:10,787",
            "thread_id": "612",
            "caller": "0x7ff6c290d2e0",
            "parentcaller": "0x7ff6c296c1bd",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a84"
              },
              {
                "name": "ValueName",
                "value": "CAPEAgent"
              },
              {
                "name": "Data",
                "value": "\"C:\\Users\\admin\\AppData\\Local\\Microsoft\\WindowsApps\\python.exe\" \"C:\\agent.py\""
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\CAPEAgent"
              }
            ],
            "repeated": 0,
            "id": 20347
          },
          {
            "timestamp": "2026-05-28 22:02:10,787",
            "thread_id": "612",
            "caller": "0x7ff6c296abc5",
            "parentcaller": "0x7ff6c296e244",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004a4"
              },
              {
                "name": "ValueName",
                "value": "CAPEAgent"
              },
              {
                "name": "Data",
                "value": "\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\StartupApproved\\Run\\CAPEAgent"
              }
            ],
            "repeated": 0,
            "id": 20348
          },
          {
            "timestamp": "2026-05-28 22:02:10,787",
            "thread_id": "612",
            "caller": "0x7ff6c290bbeb",
            "parentcaller": "0x7ff6c296cf53",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Users\\admin\\AppData\\Local\\Microsoft\\WindowsApps\\python.exe"
              }
            ],
            "repeated": 0,
            "id": 20349
          },
          {
            "timestamp": "2026-05-28 22:02:10,787",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": false,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Users\\admin\\AppData\\Local\\Microsoft\\WindowsApps\\python.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 20350
          },
          {
            "timestamp": "2026-05-28 22:02:10,787",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": false,
            "return": "0xffffffffc0000279",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Users\\admin\\AppData\\Local\\Microsoft\\WindowsApps\\python.exe"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "1",
                "pretty_value": "FILE_SHARE_READ"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000080",
                "pretty_value": "FILE_ATTRIBUTE_NORMAL"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 20351
          },
          {
            "timestamp": "2026-05-28 22:02:10,787",
            "thread_id": "612",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000001",
                "pretty_value": "HKEY_CURRENT_USER"
              },
              {
                "name": "SubKey",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume"
              },
              {
                "name": "Handle",
                "value": "0x00000a88"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume"
              }
            ],
            "repeated": 0,
            "id": 20352
          },
          {
            "timestamp": "2026-05-28 22:02:10,787",
            "thread_id": "612",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000a88"
              },
              {
                "name": "SubKey",
                "value": "{528c102f-0000-0000-0000-300300000000}\\"
              },
              {
                "name": "Handle",
                "value": "0x00000a7c"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{528c102f-0000-0000-0000-300300000000}\\"
              }
            ],
            "repeated": 0,
            "id": 20353
          },
          {
            "timestamp": "2026-05-28 22:02:10,787",
            "thread_id": "612",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a88"
              }
            ],
            "repeated": 0,
            "id": 20354
          },
          {
            "timestamp": "2026-05-28 22:02:10,787",
            "thread_id": "612",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a7c"
              },
              {
                "name": "ValueName",
                "value": "Generation"
              },
              {
                "name": "Data",
                "value": "1"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{528c102f-0000-0000-0000-300300000000}\\Generation"
              }
            ],
            "repeated": 0,
            "id": 20355
          },
          {
            "timestamp": "2026-05-28 22:02:10,787",
            "thread_id": "612",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a7c"
              }
            ],
            "repeated": 0,
            "id": 20356
          },
          {
            "timestamp": "2026-05-28 22:02:10,787",
            "thread_id": "612",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000a7c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100081",
                "pretty_value": "FILE_READ_ACCESS|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 20357
          },
          {
            "timestamp": "2026-05-28 22:02:10,787",
            "thread_id": "612",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": false,
            "return": "0xffffffffc000000d",
            "pretty_return": "INVALID_PARAMETER",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000a7c"
              },
              {
                "name": "HandleName",
                "value": "C:\\"
              },
              {
                "name": "FileInformationClass",
                "value": "55",
                "pretty_value": "FileReplaceCompletionInformation"
              },
              {
                "name": "FileInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 20358
          },
          {
            "timestamp": "2026-05-28 22:02:10,787",
            "thread_id": "612",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "filesystem",
            "api": "NtQueryDirectoryFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000a7c"
              },
              {
                "name": "FileInformation",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x006\\xean:\\xdd\\xac\\xd5\\x01\\x97\\xf5\\xb7\\xc2\\xea\\xee\\xdc\\x01\\x9d\\xa9\\xd1\\xc9\\xb8\\xee\\xdc\\x01\\x9d\\xa9\\xd1\\xc9\\xb8\\xee\\xdc\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x11\\x00\\x00\\x00\n\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xee\\x05\\x00\\x00\\x00\\x00\\x01\\x00U\\x00s\\x00e\\x00r\\x00s\\x00"
              },
              {
                "name": "FileName",
                "value": "C:\\Users"
              },
              {
                "name": "FileInformationClass",
                "value": "37",
                "pretty_value": "FileIdBothDirectoryInformation"
              }
            ],
            "repeated": 0,
            "id": 20359
          },
          {
            "timestamp": "2026-05-28 22:02:10,787",
            "thread_id": "612",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a7c"
              }
            ],
            "repeated": 0,
            "id": 20360
          },
          {
            "timestamp": "2026-05-28 22:02:10,787",
            "thread_id": "612",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 20361
          },
          {
            "timestamp": "2026-05-28 22:02:10,787",
            "thread_id": "612",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000a7c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100081",
                "pretty_value": "FILE_READ_ACCESS|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Users"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 20362
          },
          {
            "timestamp": "2026-05-28 22:02:10,787",
            "thread_id": "612",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": false,
            "return": "0xffffffffc000000d",
            "pretty_return": "INVALID_PARAMETER",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000a7c"
              },
              {
                "name": "HandleName",
                "value": "C:\\Users"
              },
              {
                "name": "FileInformationClass",
                "value": "55",
                "pretty_value": "FileReplaceCompletionInformation"
              },
              {
                "name": "FileInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 20363
          },
          {
            "timestamp": "2026-05-28 22:02:10,787",
            "thread_id": "612",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "filesystem",
            "api": "NtQueryDirectoryFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000a7c"
              },
              {
                "name": "FileInformation",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xf4a\\xd0\\x9c\\xb6\\xee\\xdc\\x01\\x13\\x00\\xa9p\\xeb\\xee\\xdc\\x01\\x13\\x00\\xa9p\\xeb\\xee\\xdc\\x01\\x13\\x00\\xa9p\\xeb\\xee\\xdc\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\n\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x004\\x9a\\x01\\x00\\x00\\x00\\x04\\x00a\\x00d\\x00m\\x00i\\x00n\\x00"
              },
              {
                "name": "FileName",
                "value": "C:\\Users\\admin"
              },
              {
                "name": "FileInformationClass",
                "value": "37",
                "pretty_value": "FileIdBothDirectoryInformation"
              }
            ],
            "repeated": 0,
            "id": 20364
          },
          {
            "timestamp": "2026-05-28 22:02:10,787",
            "thread_id": "612",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a7c"
              }
            ],
            "repeated": 0,
            "id": 20365
          },
          {
            "timestamp": "2026-05-28 22:02:10,787",
            "thread_id": "612",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 20366
          },
          {
            "timestamp": "2026-05-28 22:02:10,787",
            "thread_id": "612",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000a7c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100081",
                "pretty_value": "FILE_READ_ACCESS|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Users\\admin"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 20367
          },
          {
            "timestamp": "2026-05-28 22:02:10,787",
            "thread_id": "612",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": false,
            "return": "0xffffffffc000000d",
            "pretty_return": "INVALID_PARAMETER",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000a7c"
              },
              {
                "name": "HandleName",
                "value": "C:\\Users\\admin"
              },
              {
                "name": "FileInformationClass",
                "value": "55",
                "pretty_value": "FileReplaceCompletionInformation"
              },
              {
                "name": "FileInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 20368
          },
          {
            "timestamp": "2026-05-28 22:02:10,787",
            "thread_id": "612",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "filesystem",
            "api": "NtQueryDirectoryFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000a7c"
              },
              {
                "name": "FileInformation",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00R \\xd6\\x9c\\xb6\\xee\\xdc\\x01\\x97\\xf5\\xb7\\xc2\\xea\\xee\\xdc\\x01n\\xbc\\xe2\\x9c\\xb6\\xee\\xdc\\x01n\\xbc\\xe2\\x9c\\xb6\\xee\\xdc\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x12\\x00\\x00\\x00\\x0e\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x1c\\xa5\\x01\\x00\\x00\\x00\\x03\\x00A\\x00p\\x00p\\x00D\\x00a\\x00t\\x00a\\x00"
              },
              {
                "name": "FileName",
                "value": "C:\\Users\\admin\\AppData"
              },
              {
                "name": "FileInformationClass",
                "value": "37",
                "pretty_value": "FileIdBothDirectoryInformation"
              }
            ],
            "repeated": 0,
            "id": 20369
          },
          {
            "timestamp": "2026-05-28 22:02:10,787",
            "thread_id": "612",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a7c"
              }
            ],
            "repeated": 0,
            "id": 20370
          },
          {
            "timestamp": "2026-05-28 22:02:10,787",
            "thread_id": "612",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000a7c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100081",
                "pretty_value": "FILE_READ_ACCESS|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Users\\admin\\AppData"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 20371
          },
          {
            "timestamp": "2026-05-28 22:02:10,787",
            "thread_id": "612",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": false,
            "return": "0xffffffffc000000d",
            "pretty_return": "INVALID_PARAMETER",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000a7c"
              },
              {
                "name": "HandleName",
                "value": "C:\\Users\\admin\\AppData"
              },
              {
                "name": "FileInformationClass",
                "value": "55",
                "pretty_value": "FileReplaceCompletionInformation"
              },
              {
                "name": "FileInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 20372
          },
          {
            "timestamp": "2026-05-28 22:02:10,787",
            "thread_id": "612",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "filesystem",
            "api": "NtQueryDirectoryFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000a7c"
              },
              {
                "name": "FileInformation",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\\\xbd\\xd6\\x9c\\xb6\\xee\\xdc\\x01\\xe8\\x93\\x17\\xc5\\xea\\xee\\xdc\\x01\\xde\\x8d\\x85=\\x02\\xef\\xdc\\x01\\xde\\x8d\\x85=\\x02\\xef\\xdc\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\n\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x001\\xa6\\x01\\x00\\x00\\x00\\x02\\x00L\\x00o\\x00c\\x00a\\x00l\\x00"
              },
              {
                "name": "FileName",
                "value": "C:\\Users\\admin\\AppData\\Local"
              },
              {
                "name": "FileInformationClass",
                "value": "37",
                "pretty_value": "FileIdBothDirectoryInformation"
              }
            ],
            "repeated": 0,
            "id": 20373
          },
          {
            "timestamp": "2026-05-28 22:02:10,787",
            "thread_id": "612",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a7c"
              }
            ],
            "repeated": 0,
            "id": 20374
          },
          {
            "timestamp": "2026-05-28 22:02:10,787",
            "thread_id": "612",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000a7c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100081",
                "pretty_value": "FILE_READ_ACCESS|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Users\\admin\\AppData\\Local"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 20375
          },
          {
            "timestamp": "2026-05-28 22:02:10,787",
            "thread_id": "612",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": false,
            "return": "0xffffffffc000000d",
            "pretty_return": "INVALID_PARAMETER",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000a7c"
              },
              {
                "name": "HandleName",
                "value": "C:\\Users\\admin\\AppData\\Local"
              },
              {
                "name": "FileInformationClass",
                "value": "55",
                "pretty_value": "FileReplaceCompletionInformation"
              },
              {
                "name": "FileInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 20376
          },
          {
            "timestamp": "2026-05-28 22:02:10,787",
            "thread_id": "612",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "filesystem",
            "api": "NtQueryDirectoryFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000a7c"
              },
              {
                "name": "FileInformation",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\\\xbd\\xd6\\x9c\\xb6\\xee\\xdc\\x01E\\xc5\\xeb\\xc5\\xea\\xee\\xdc\\x01\\x8d\\xff[\\xc0\\xb8\\xee\\xdc\\x01\\x8d\\xff[\\xc0\\xb8\\xee\\xdc\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x12\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00M\\x00I\\x00C\\x00R\\x00O\\x00S\\x00~\\x001\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x003\\xa6\\x01\\x00\\x00\\x00\\x02\\x00M\\x00i\\x00c\\x00r\\x00o\\x00s\\x00o\\x00f\\x00t\\x00"
              },
              {
                "name": "FileName",
                "value": "C:\\Users\\admin\\AppData\\Local\\Microsoft"
              },
              {
                "name": "FileInformationClass",
                "value": "37",
                "pretty_value": "FileIdBothDirectoryInformation"
              }
            ],
            "repeated": 0,
            "id": 20377
          },
          {
            "timestamp": "2026-05-28 22:02:10,787",
            "thread_id": "612",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a7c"
              }
            ],
            "repeated": 0,
            "id": 20378
          },
          {
            "timestamp": "2026-05-28 22:02:10,787",
            "thread_id": "612",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000a7c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100081",
                "pretty_value": "FILE_READ_ACCESS|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Users\\admin\\AppData\\Local\\Microsoft"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 20379
          },
          {
            "timestamp": "2026-05-28 22:02:10,787",
            "thread_id": "612",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": false,
            "return": "0xffffffffc000000d",
            "pretty_return": "INVALID_PARAMETER",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000a7c"
              },
              {
                "name": "HandleName",
                "value": "C:\\Users\\admin\\AppData\\Local\\Microsoft"
              },
              {
                "name": "FileInformationClass",
                "value": "55",
                "pretty_value": "FileReplaceCompletionInformation"
              },
              {
                "name": "FileInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 20380
          },
          {
            "timestamp": "2026-05-28 22:02:10,787",
            "thread_id": "612",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "filesystem",
            "api": "NtQueryDirectoryFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000a7c"
              },
              {
                "name": "FileInformation",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\\\xbd\\xd6\\x9c\\xb6\\xee\\xdc\\x01{\\x7f\\x9e$\\xeb\\xee\\xdc\\x01)S:q\\xb7\\xee\\xdc\\x01)S:q\\xb7\\xee\\xdc\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x14\\x00\\x00\\x00\\x16\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00W\\x00I\\x00N\\x00D\\x00O\\x00W\\x00~\\x001\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x004\\xa6\\x01\\x00\\x00\\x00\\x02\\x00W\\x00i\\x00n\\x00d\\x00o\\x00w\\x00s\\x00A\\x00p\\x00p\\x00s\\x00"
              },
              {
                "name": "FileName",
                "value": "C:\\Users\\admin\\AppData\\Local\\Microsoft\\WindowsApps"
              },
              {
                "name": "FileInformationClass",
                "value": "37",
                "pretty_value": "FileIdBothDirectoryInformation"
              }
            ],
            "repeated": 0,
            "id": 20381
          },
          {
            "timestamp": "2026-05-28 22:02:10,787",
            "thread_id": "612",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a7c"
              }
            ],
            "repeated": 0,
            "id": 20382
          },
          {
            "timestamp": "2026-05-28 22:02:10,787",
            "thread_id": "612",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 20383
          },
          {
            "timestamp": "2026-05-28 22:02:10,787",
            "thread_id": "612",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000a7c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100081",
                "pretty_value": "FILE_READ_ACCESS|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Users\\admin\\AppData\\Local\\Microsoft\\WindowsApps"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 20384
          },
          {
            "timestamp": "2026-05-28 22:02:10,787",
            "thread_id": "612",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": false,
            "return": "0xffffffffc000000d",
            "pretty_return": "INVALID_PARAMETER",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000a7c"
              },
              {
                "name": "HandleName",
                "value": "C:\\Users\\admin\\AppData\\Local\\Microsoft\\WindowsApps"
              },
              {
                "name": "FileInformationClass",
                "value": "55",
                "pretty_value": "FileReplaceCompletionInformation"
              },
              {
                "name": "FileInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 20385
          },
          {
            "timestamp": "2026-05-28 22:02:10,787",
            "thread_id": "612",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "filesystem",
            "api": "NtQueryDirectoryFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000a7c"
              },
              {
                "name": "FileInformation",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x9fI\\xbe\\xb1\\xb6\\xee\\xdc\\x01\\x19\\x048q\\xb7\\xee\\xdc\\x01\\x19\\x048q\\xb7\\xee\\xdc\\x01\\x19\\x048q\\xb7\\xee\\xdc\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00 \\x04\\x00\\x00\\x14\\x00\\x00\\x00\\x1b\\x00\\x00\\x80\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00H\\xa9\\x01\\x00\\x00\\x00\\x03\\x00p\\x00y\\x00t\\x00h\\x00o\\x00n\\x00.\\x00e\\x00x\\x00e\\x00"
              },
              {
                "name": "FileName",
                "value": "C:\\Users\\admin\\AppData\\Local\\Microsoft\\WindowsApps\\python.exe"
              },
              {
                "name": "FileInformationClass",
                "value": "37",
                "pretty_value": "FileIdBothDirectoryInformation"
              }
            ],
            "repeated": 0,
            "id": 20386
          },
          {
            "timestamp": "2026-05-28 22:02:10,787",
            "thread_id": "612",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a7c"
              }
            ],
            "repeated": 0,
            "id": 20387
          },
          {
            "timestamp": "2026-05-28 22:02:10,787",
            "thread_id": "612",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 20388
          },
          {
            "timestamp": "2026-05-28 22:02:10,787",
            "thread_id": "612",
            "caller": "0x7ff6c296e129",
            "parentcaller": "0x7ff6c296d3aa",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Users\\admin\\AppData\\Local\\Microsoft\\WindowsApps\\python.exe"
              }
            ],
            "repeated": 1,
            "id": 20389
          },
          {
            "timestamp": "2026-05-28 22:02:10,787",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": false,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Users\\admin\\AppData\\Local\\Microsoft\\WindowsApps\\python.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 20390
          },
          {
            "timestamp": "2026-05-28 22:02:10,787",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": false,
            "return": "0xffffffffc0000279",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Users\\admin\\AppData\\Local\\Microsoft\\WindowsApps\\python.exe"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "1",
                "pretty_value": "FILE_SHARE_READ"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000080",
                "pretty_value": "FILE_ATTRIBUTE_NORMAL"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 20391
          },
          {
            "timestamp": "2026-05-28 22:02:10,803",
            "thread_id": "612",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000001",
                "pretty_value": "HKEY_CURRENT_USER"
              },
              {
                "name": "SubKey",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume"
              },
              {
                "name": "Handle",
                "value": "0x00000a7c"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume"
              }
            ],
            "repeated": 0,
            "id": 20392
          },
          {
            "timestamp": "2026-05-28 22:02:10,803",
            "thread_id": "612",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000a7c"
              },
              {
                "name": "SubKey",
                "value": "{528c102f-0000-0000-0000-300300000000}\\"
              },
              {
                "name": "Handle",
                "value": "0x00000a88"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{528c102f-0000-0000-0000-300300000000}\\"
              }
            ],
            "repeated": 0,
            "id": 20393
          },
          {
            "timestamp": "2026-05-28 22:02:10,803",
            "thread_id": "612",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a7c"
              }
            ],
            "repeated": 0,
            "id": 20394
          },
          {
            "timestamp": "2026-05-28 22:02:10,803",
            "thread_id": "612",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a88"
              },
              {
                "name": "ValueName",
                "value": "Generation"
              },
              {
                "name": "Data",
                "value": "1"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{528c102f-0000-0000-0000-300300000000}\\Generation"
              }
            ],
            "repeated": 0,
            "id": 20395
          },
          {
            "timestamp": "2026-05-28 22:02:10,803",
            "thread_id": "612",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a88"
              }
            ],
            "repeated": 0,
            "id": 20396
          },
          {
            "timestamp": "2026-05-28 22:02:10,803",
            "thread_id": "612",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000a88"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100081",
                "pretty_value": "FILE_READ_ACCESS|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 20397
          },
          {
            "timestamp": "2026-05-28 22:02:10,803",
            "thread_id": "612",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": false,
            "return": "0xffffffffc000000d",
            "pretty_return": "INVALID_PARAMETER",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000a88"
              },
              {
                "name": "HandleName",
                "value": "C:\\"
              },
              {
                "name": "FileInformationClass",
                "value": "55",
                "pretty_value": "FileReplaceCompletionInformation"
              },
              {
                "name": "FileInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 20398
          },
          {
            "timestamp": "2026-05-28 22:02:10,803",
            "thread_id": "612",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "filesystem",
            "api": "NtQueryDirectoryFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000a88"
              },
              {
                "name": "FileInformation",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x006\\xean:\\xdd\\xac\\xd5\\x01\\x97\\xf5\\xb7\\xc2\\xea\\xee\\xdc\\x01\\x9d\\xa9\\xd1\\xc9\\xb8\\xee\\xdc\\x01\\x9d\\xa9\\xd1\\xc9\\xb8\\xee\\xdc\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x11\\x00\\x00\\x00\n\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xee\\x05\\x00\\x00\\x00\\x00\\x01\\x00U\\x00s\\x00e\\x00r\\x00s\\x00"
              },
              {
                "name": "FileName",
                "value": "C:\\Users"
              },
              {
                "name": "FileInformationClass",
                "value": "37",
                "pretty_value": "FileIdBothDirectoryInformation"
              }
            ],
            "repeated": 0,
            "id": 20399
          },
          {
            "timestamp": "2026-05-28 22:02:10,803",
            "thread_id": "612",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a88"
              }
            ],
            "repeated": 0,
            "id": 20400
          },
          {
            "timestamp": "2026-05-28 22:02:10,803",
            "thread_id": "612",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 20401
          },
          {
            "timestamp": "2026-05-28 22:02:10,803",
            "thread_id": "612",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000a88"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100081",
                "pretty_value": "FILE_READ_ACCESS|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Users"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 20402
          },
          {
            "timestamp": "2026-05-28 22:02:10,803",
            "thread_id": "612",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": false,
            "return": "0xffffffffc000000d",
            "pretty_return": "INVALID_PARAMETER",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000a88"
              },
              {
                "name": "HandleName",
                "value": "C:\\Users"
              },
              {
                "name": "FileInformationClass",
                "value": "55",
                "pretty_value": "FileReplaceCompletionInformation"
              },
              {
                "name": "FileInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 20403
          },
          {
            "timestamp": "2026-05-28 22:02:10,803",
            "thread_id": "612",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "filesystem",
            "api": "NtQueryDirectoryFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000a88"
              },
              {
                "name": "FileInformation",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xf4a\\xd0\\x9c\\xb6\\xee\\xdc\\x01\\x13\\x00\\xa9p\\xeb\\xee\\xdc\\x01\\x13\\x00\\xa9p\\xeb\\xee\\xdc\\x01\\x13\\x00\\xa9p\\xeb\\xee\\xdc\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\n\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x004\\x9a\\x01\\x00\\x00\\x00\\x04\\x00a\\x00d\\x00m\\x00i\\x00n\\x00"
              },
              {
                "name": "FileName",
                "value": "C:\\Users\\admin"
              },
              {
                "name": "FileInformationClass",
                "value": "37",
                "pretty_value": "FileIdBothDirectoryInformation"
              }
            ],
            "repeated": 0,
            "id": 20404
          },
          {
            "timestamp": "2026-05-28 22:02:10,803",
            "thread_id": "612",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a88"
              }
            ],
            "repeated": 0,
            "id": 20405
          },
          {
            "timestamp": "2026-05-28 22:02:10,803",
            "thread_id": "612",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 20406
          },
          {
            "timestamp": "2026-05-28 22:02:10,803",
            "thread_id": "612",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000a88"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100081",
                "pretty_value": "FILE_READ_ACCESS|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Users\\admin"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 20407
          },
          {
            "timestamp": "2026-05-28 22:02:10,803",
            "thread_id": "612",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": false,
            "return": "0xffffffffc000000d",
            "pretty_return": "INVALID_PARAMETER",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000a88"
              },
              {
                "name": "HandleName",
                "value": "C:\\Users\\admin"
              },
              {
                "name": "FileInformationClass",
                "value": "55",
                "pretty_value": "FileReplaceCompletionInformation"
              },
              {
                "name": "FileInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 20408
          },
          {
            "timestamp": "2026-05-28 22:02:10,803",
            "thread_id": "612",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "filesystem",
            "api": "NtQueryDirectoryFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000a88"
              },
              {
                "name": "FileInformation",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00R \\xd6\\x9c\\xb6\\xee\\xdc\\x01\\x97\\xf5\\xb7\\xc2\\xea\\xee\\xdc\\x01n\\xbc\\xe2\\x9c\\xb6\\xee\\xdc\\x01n\\xbc\\xe2\\x9c\\xb6\\xee\\xdc\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x12\\x00\\x00\\x00\\x0e\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x1c\\xa5\\x01\\x00\\x00\\x00\\x03\\x00A\\x00p\\x00p\\x00D\\x00a\\x00t\\x00a\\x00"
              },
              {
                "name": "FileName",
                "value": "C:\\Users\\admin\\AppData"
              },
              {
                "name": "FileInformationClass",
                "value": "37",
                "pretty_value": "FileIdBothDirectoryInformation"
              }
            ],
            "repeated": 0,
            "id": 20409
          },
          {
            "timestamp": "2026-05-28 22:02:10,803",
            "thread_id": "612",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a88"
              }
            ],
            "repeated": 0,
            "id": 20410
          },
          {
            "timestamp": "2026-05-28 22:02:10,803",
            "thread_id": "612",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000a88"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100081",
                "pretty_value": "FILE_READ_ACCESS|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Users\\admin\\AppData"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 20411
          },
          {
            "timestamp": "2026-05-28 22:02:10,803",
            "thread_id": "612",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": false,
            "return": "0xffffffffc000000d",
            "pretty_return": "INVALID_PARAMETER",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000a88"
              },
              {
                "name": "HandleName",
                "value": "C:\\Users\\admin\\AppData"
              },
              {
                "name": "FileInformationClass",
                "value": "55",
                "pretty_value": "FileReplaceCompletionInformation"
              },
              {
                "name": "FileInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 20412
          },
          {
            "timestamp": "2026-05-28 22:02:10,803",
            "thread_id": "612",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "filesystem",
            "api": "NtQueryDirectoryFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000a88"
              },
              {
                "name": "FileInformation",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\\\xbd\\xd6\\x9c\\xb6\\xee\\xdc\\x01\\xe8\\x93\\x17\\xc5\\xea\\xee\\xdc\\x01\\xde\\x8d\\x85=\\x02\\xef\\xdc\\x01\\xde\\x8d\\x85=\\x02\\xef\\xdc\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\n\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x001\\xa6\\x01\\x00\\x00\\x00\\x02\\x00L\\x00o\\x00c\\x00a\\x00l\\x00"
              },
              {
                "name": "FileName",
                "value": "C:\\Users\\admin\\AppData\\Local"
              },
              {
                "name": "FileInformationClass",
                "value": "37",
                "pretty_value": "FileIdBothDirectoryInformation"
              }
            ],
            "repeated": 0,
            "id": 20413
          },
          {
            "timestamp": "2026-05-28 22:02:10,803",
            "thread_id": "612",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a88"
              }
            ],
            "repeated": 0,
            "id": 20414
          },
          {
            "timestamp": "2026-05-28 22:02:10,803",
            "thread_id": "612",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000a88"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100081",
                "pretty_value": "FILE_READ_ACCESS|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Users\\admin\\AppData\\Local"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 20415
          },
          {
            "timestamp": "2026-05-28 22:02:10,803",
            "thread_id": "612",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": false,
            "return": "0xffffffffc000000d",
            "pretty_return": "INVALID_PARAMETER",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000a88"
              },
              {
                "name": "HandleName",
                "value": "C:\\Users\\admin\\AppData\\Local"
              },
              {
                "name": "FileInformationClass",
                "value": "55",
                "pretty_value": "FileReplaceCompletionInformation"
              },
              {
                "name": "FileInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 20416
          },
          {
            "timestamp": "2026-05-28 22:02:10,803",
            "thread_id": "612",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "filesystem",
            "api": "NtQueryDirectoryFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000a88"
              },
              {
                "name": "FileInformation",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\\\xbd\\xd6\\x9c\\xb6\\xee\\xdc\\x01E\\xc5\\xeb\\xc5\\xea\\xee\\xdc\\x01\\x8d\\xff[\\xc0\\xb8\\xee\\xdc\\x01\\x8d\\xff[\\xc0\\xb8\\xee\\xdc\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x12\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00M\\x00I\\x00C\\x00R\\x00O\\x00S\\x00~\\x001\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x003\\xa6\\x01\\x00\\x00\\x00\\x02\\x00M\\x00i\\x00c\\x00r\\x00o\\x00s\\x00o\\x00f\\x00t\\x00"
              },
              {
                "name": "FileName",
                "value": "C:\\Users\\admin\\AppData\\Local\\Microsoft"
              },
              {
                "name": "FileInformationClass",
                "value": "37",
                "pretty_value": "FileIdBothDirectoryInformation"
              }
            ],
            "repeated": 0,
            "id": 20417
          },
          {
            "timestamp": "2026-05-28 22:02:10,803",
            "thread_id": "612",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a88"
              }
            ],
            "repeated": 0,
            "id": 20418
          },
          {
            "timestamp": "2026-05-28 22:02:10,803",
            "thread_id": "612",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000a88"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100081",
                "pretty_value": "FILE_READ_ACCESS|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Users\\admin\\AppData\\Local\\Microsoft"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 20419
          },
          {
            "timestamp": "2026-05-28 22:02:10,803",
            "thread_id": "612",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": false,
            "return": "0xffffffffc000000d",
            "pretty_return": "INVALID_PARAMETER",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000a88"
              },
              {
                "name": "HandleName",
                "value": "C:\\Users\\admin\\AppData\\Local\\Microsoft"
              },
              {
                "name": "FileInformationClass",
                "value": "55",
                "pretty_value": "FileReplaceCompletionInformation"
              },
              {
                "name": "FileInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 20420
          },
          {
            "timestamp": "2026-05-28 22:02:10,803",
            "thread_id": "612",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "filesystem",
            "api": "NtQueryDirectoryFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000a88"
              },
              {
                "name": "FileInformation",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\\\xbd\\xd6\\x9c\\xb6\\xee\\xdc\\x01{\\x7f\\x9e$\\xeb\\xee\\xdc\\x01)S:q\\xb7\\xee\\xdc\\x01)S:q\\xb7\\xee\\xdc\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x14\\x00\\x00\\x00\\x16\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00W\\x00I\\x00N\\x00D\\x00O\\x00W\\x00~\\x001\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x004\\xa6\\x01\\x00\\x00\\x00\\x02\\x00W\\x00i\\x00n\\x00d\\x00o\\x00w\\x00s\\x00A\\x00p\\x00p\\x00s\\x00"
              },
              {
                "name": "FileName",
                "value": "C:\\Users\\admin\\AppData\\Local\\Microsoft\\WindowsApps"
              },
              {
                "name": "FileInformationClass",
                "value": "37",
                "pretty_value": "FileIdBothDirectoryInformation"
              }
            ],
            "repeated": 0,
            "id": 20421
          },
          {
            "timestamp": "2026-05-28 22:02:10,803",
            "thread_id": "612",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a88"
              }
            ],
            "repeated": 0,
            "id": 20422
          },
          {
            "timestamp": "2026-05-28 22:02:10,803",
            "thread_id": "612",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 20423
          },
          {
            "timestamp": "2026-05-28 22:02:10,803",
            "thread_id": "612",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000a88"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100081",
                "pretty_value": "FILE_READ_ACCESS|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Users\\admin\\AppData\\Local\\Microsoft\\WindowsApps"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 20424
          },
          {
            "timestamp": "2026-05-28 22:02:10,803",
            "thread_id": "612",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": false,
            "return": "0xffffffffc000000d",
            "pretty_return": "INVALID_PARAMETER",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000a88"
              },
              {
                "name": "HandleName",
                "value": "C:\\Users\\admin\\AppData\\Local\\Microsoft\\WindowsApps"
              },
              {
                "name": "FileInformationClass",
                "value": "55",
                "pretty_value": "FileReplaceCompletionInformation"
              },
              {
                "name": "FileInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 20425
          },
          {
            "timestamp": "2026-05-28 22:02:10,803",
            "thread_id": "612",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "filesystem",
            "api": "NtQueryDirectoryFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000a88"
              },
              {
                "name": "FileInformation",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x9fI\\xbe\\xb1\\xb6\\xee\\xdc\\x01\\x19\\x048q\\xb7\\xee\\xdc\\x01\\x19\\x048q\\xb7\\xee\\xdc\\x01\\x19\\x048q\\xb7\\xee\\xdc\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00 \\x04\\x00\\x00\\x14\\x00\\x00\\x00\\x1b\\x00\\x00\\x80\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00H\\xa9\\x01\\x00\\x00\\x00\\x03\\x00p\\x00y\\x00t\\x00h\\x00o\\x00n\\x00.\\x00e\\x00x\\x00e\\x00"
              },
              {
                "name": "FileName",
                "value": "C:\\Users\\admin\\AppData\\Local\\Microsoft\\WindowsApps\\python.exe"
              },
              {
                "name": "FileInformationClass",
                "value": "37",
                "pretty_value": "FileIdBothDirectoryInformation"
              }
            ],
            "repeated": 0,
            "id": 20426
          },
          {
            "timestamp": "2026-05-28 22:02:10,803",
            "thread_id": "612",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a88"
              }
            ],
            "repeated": 0,
            "id": 20427
          },
          {
            "timestamp": "2026-05-28 22:02:10,803",
            "thread_id": "612",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 20428
          },
          {
            "timestamp": "2026-05-28 22:02:10,803",
            "thread_id": "612",
            "caller": "0x7ff6c296e129",
            "parentcaller": "0x7ff6c296c7fa",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Users\\admin\\AppData\\Local\\Microsoft\\WindowsApps\\python.exe"
              }
            ],
            "repeated": 0,
            "id": 20429
          },
          {
            "timestamp": "2026-05-28 22:02:10,803",
            "thread_id": "612",
            "caller": "0x7ff6c290bbeb",
            "parentcaller": "0x7ff6c296c7b4",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Users\\admin\\AppData\\Local\\Python\\pythoncore-3.14-64\\python.exe"
              }
            ],
            "repeated": 0,
            "id": 20430
          },
          {
            "timestamp": "2026-05-28 22:02:10,803",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29251520002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Users\\admin\\AppData\\Local\\Python\\pythoncore-3.14-64\\python.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 20431
          },
          {
            "timestamp": "2026-05-28 22:02:10,803",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29251520000"
              },
              {
                "name": "RegionSize",
                "value": "0x0001a000"
              }
            ],
            "repeated": 0,
            "id": 20432
          },
          {
            "timestamp": "2026-05-28 22:02:10,803",
            "thread_id": "612",
            "caller": "0x7ff6c28c9b37",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29251520002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Users\\admin\\AppData\\Local\\Python\\pythoncore-3.14-64\\python.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 20433
          },
          {
            "timestamp": "2026-05-28 22:02:10,803",
            "thread_id": "612",
            "caller": "0x7ff6c28c9b37",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29251520000"
              },
              {
                "name": "RegionSize",
                "value": "0x0001a000"
              }
            ],
            "repeated": 0,
            "id": 20434
          },
          {
            "timestamp": "2026-05-28 22:02:10,803",
            "thread_id": "612",
            "caller": "0x7ff6c296e129",
            "parentcaller": "0x7ff6c296c7fa",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Users\\admin\\AppData\\Local\\Python\\pythoncore-3.14-64\\python.exe"
              }
            ],
            "repeated": 0,
            "id": 20435
          },
          {
            "timestamp": "2026-05-28 22:02:10,803",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": false,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "\\??\\C:\\Windows\\system32\\conhost.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 20436
          },
          {
            "timestamp": "2026-05-28 22:02:10,803",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000a88"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\conhost.exe"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "1",
                "pretty_value": "FILE_SHARE_READ"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000080",
                "pretty_value": "FILE_ATTRIBUTE_NORMAL"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 20437
          },
          {
            "timestamp": "2026-05-28 22:02:10,803",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000a88"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\System32\\conhost.exe"
              },
              {
                "name": "FileInformationClass",
                "value": "5",
                "pretty_value": "FileStandardInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\x00@\r\\x00\\x00\\x00\\x00\\x00\\x00<\r\\x00\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 20438
          },
          {
            "timestamp": "2026-05-28 22:02:10,803",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "filesystem",
            "api": "NtSetInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000a88"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\System32\\conhost.exe"
              },
              {
                "name": "FileInformationClass",
                "value": "14",
                "pretty_value": "FilePositionInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 20439
          },
          {
            "timestamp": "2026-05-28 22:02:10,803",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "filesystem",
            "api": "NtReadFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000a88"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\System32\\conhost.exe"
              },
              {
                "name": "Buffer",
                "value": "MZ"
              },
              {
                "name": "Length",
                "value": "2"
              }
            ],
            "repeated": 0,
            "id": 20440
          },
          {
            "timestamp": "2026-05-28 22:02:10,803",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "filesystem",
            "api": "NtSetInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000a88"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\System32\\conhost.exe"
              },
              {
                "name": "FileInformationClass",
                "value": "14",
                "pretty_value": "FilePositionInformation"
              },
              {
                "name": "FileInformation",
                "value": "<\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 20441
          },
          {
            "timestamp": "2026-05-28 22:02:10,803",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "filesystem",
            "api": "NtReadFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000a88"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\System32\\conhost.exe"
              },
              {
                "name": "Buffer",
                "value": "\\xf0\\x00\\x00\\x00"
              },
              {
                "name": "Length",
                "value": "4"
              }
            ],
            "repeated": 0,
            "id": 20442
          },
          {
            "timestamp": "2026-05-28 22:02:10,803",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "filesystem",
            "api": "NtSetInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000a88"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\System32\\conhost.exe"
              },
              {
                "name": "FileInformationClass",
                "value": "14",
                "pretty_value": "FilePositionInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 20443
          },
          {
            "timestamp": "2026-05-28 22:02:10,803",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "filesystem",
            "api": "NtReadFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000a88"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\System32\\conhost.exe"
              },
              {
                "name": "Buffer",
                "value": "PE\\x00\\x00d\\x86\\x07\\x00\\xdc6\\xe4/\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xf0\\x00\"\\x00\\x0b\\x02\\x0e\\x14\\x00\\xa2\t\\x00\\x00\\xcc\\x03\\x00\\x00\\x00\\x00\\x00P\\xf7\\x01\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00@\\x01\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x02\\x00\\x00"
              },
              {
                "name": "Length",
                "value": "64"
              }
            ],
            "repeated": 0,
            "id": 20444
          },
          {
            "timestamp": "2026-05-28 22:02:10,803",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a88"
              }
            ],
            "repeated": 0,
            "id": 20445
          },
          {
            "timestamp": "2026-05-28 22:02:10,803",
            "thread_id": "612",
            "caller": "0x7ff6c296e129",
            "parentcaller": "0x7ff6c296c7fa",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\conhost.exe"
              }
            ],
            "repeated": 0,
            "id": 20446
          },
          {
            "timestamp": "2026-05-28 22:02:10,803",
            "thread_id": "612",
            "caller": "0x7ff6c28f7900",
            "parentcaller": "0x7ff6c296c4b1",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a84"
              }
            ],
            "repeated": 0,
            "id": 20447
          },
          {
            "timestamp": "2026-05-28 22:02:10,803",
            "thread_id": "612",
            "caller": "0x7ff6c296c455",
            "parentcaller": "0x7ff6c296e63c",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000001",
                "pretty_value": "HKEY_CURRENT_USER"
              },
              {
                "name": "SubKey",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Run"
              },
              {
                "name": "Handle",
                "value": "0x00000a84"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run"
              }
            ],
            "repeated": 0,
            "id": 20448
          },
          {
            "timestamp": "2026-05-28 22:02:10,803",
            "thread_id": "612",
            "caller": "0x7ff6c296c0df",
            "parentcaller": "0x7ff6c296c48a",
            "category": "registry",
            "api": "RegQueryInfoKeyW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000a84"
              },
              {
                "name": "Class",
                "value": ""
              },
              {
                "name": "SubKeyCount",
                "value": "0"
              },
              {
                "name": "MaxSubKeyLength",
                "value": "0"
              },
              {
                "name": "MaxClassLength",
                "value": "0"
              },
              {
                "name": "ValueCount",
                "value": "4"
              },
              {
                "name": "MaxValueNameLength",
                "value": "0"
              },
              {
                "name": "MaxValueLength",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 20449
          },
          {
            "timestamp": "2026-05-28 22:02:10,803",
            "thread_id": "612",
            "caller": "0x7ff6c290d36c",
            "parentcaller": "0x7ff6c296c16e",
            "category": "registry",
            "api": "RegEnumValueW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a84"
              },
              {
                "name": "Index",
                "value": "0"
              },
              {
                "name": "ValueName",
                "value": "OneDrive"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "DataLength",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\OneDrive"
              }
            ],
            "repeated": 0,
            "id": 20450
          },
          {
            "timestamp": "2026-05-28 22:02:10,803",
            "thread_id": "612",
            "caller": "0x7ff6c290d20b",
            "parentcaller": "0x7ff6c296c1bd",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a84"
              },
              {
                "name": "ValueName",
                "value": "OneDrive"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\OneDrive"
              }
            ],
            "repeated": 0,
            "id": 20451
          },
          {
            "timestamp": "2026-05-28 22:02:10,803",
            "thread_id": "612",
            "caller": "0x7ff6c290d2e0",
            "parentcaller": "0x7ff6c296c1bd",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a84"
              },
              {
                "name": "ValueName",
                "value": "OneDrive"
              },
              {
                "name": "Data",
                "value": "\"C:\\Users\\admin\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\OneDrive"
              }
            ],
            "repeated": 0,
            "id": 20452
          },
          {
            "timestamp": "2026-05-28 22:02:10,803",
            "thread_id": "612",
            "caller": "0x7ff6c296abc5",
            "parentcaller": "0x7ff6c296e244",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000057c"
              },
              {
                "name": "ValueName",
                "value": "OneDrive"
              },
              {
                "name": "Data",
                "value": "\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\StartupApproved\\Run\\OneDrive"
              }
            ],
            "repeated": 0,
            "id": 20453
          },
          {
            "timestamp": "2026-05-28 22:02:10,803",
            "thread_id": "612",
            "caller": "0x7ff6c290bbeb",
            "parentcaller": "0x7ff6c296cf53",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Users\\admin\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe"
              }
            ],
            "repeated": 0,
            "id": 20454
          },
          {
            "timestamp": "2026-05-28 22:02:10,803",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x0e020002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Users\\admin\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 20455
          },
          {
            "timestamp": "2026-05-28 22:02:10,803",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x0e020000"
              },
              {
                "name": "RegionSize",
                "value": "0x00243000"
              }
            ],
            "repeated": 0,
            "id": 20456
          },
          {
            "timestamp": "2026-05-28 22:02:10,803",
            "thread_id": "612",
            "caller": "0x7ff6c28c9b37",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x0e020002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Users\\admin\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 20457
          },
          {
            "timestamp": "2026-05-28 22:02:10,803",
            "thread_id": "612",
            "caller": "0x7ff6c28c9b37",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x0e020000"
              },
              {
                "name": "RegionSize",
                "value": "0x00243000"
              }
            ],
            "repeated": 0,
            "id": 20458
          },
          {
            "timestamp": "2026-05-28 22:02:10,803",
            "thread_id": "612",
            "caller": "0x7ff6c296e129",
            "parentcaller": "0x7ff6c296d3aa",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Users\\admin\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe"
              }
            ],
            "repeated": 1,
            "id": 20459
          },
          {
            "timestamp": "2026-05-28 22:02:10,803",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x0e020002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Users\\admin\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 20460
          },
          {
            "timestamp": "2026-05-28 22:02:10,803",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x0e020000"
              },
              {
                "name": "RegionSize",
                "value": "0x00243000"
              }
            ],
            "repeated": 0,
            "id": 20461
          },
          {
            "timestamp": "2026-05-28 22:02:10,803",
            "thread_id": "612",
            "caller": "0x7ff6c28c9b37",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x0e020002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Users\\admin\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 20462
          },
          {
            "timestamp": "2026-05-28 22:02:10,803",
            "thread_id": "612",
            "caller": "0x7ff6c28c9b37",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x0e020000"
              },
              {
                "name": "RegionSize",
                "value": "0x00243000"
              }
            ],
            "repeated": 0,
            "id": 20463
          },
          {
            "timestamp": "2026-05-28 22:02:10,803",
            "thread_id": "612",
            "caller": "0x7ff6c296e129",
            "parentcaller": "0x7ff6c296c7fa",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Users\\admin\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe"
              }
            ],
            "repeated": 0,
            "id": 20464
          },
          {
            "timestamp": "2026-05-28 22:02:10,803",
            "thread_id": "612",
            "caller": "0x7ff6c290d36c",
            "parentcaller": "0x7ff6c296c16e",
            "category": "registry",
            "api": "RegEnumValueW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a84"
              },
              {
                "name": "Index",
                "value": "1"
              },
              {
                "name": "ValueName",
                "value": "Discord"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "DataLength",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\Discord"
              }
            ],
            "repeated": 0,
            "id": 20465
          },
          {
            "timestamp": "2026-05-28 22:02:10,803",
            "thread_id": "612",
            "caller": "0x7ff6c290d20b",
            "parentcaller": "0x7ff6c296c1bd",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a84"
              },
              {
                "name": "ValueName",
                "value": "Discord"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\Discord"
              }
            ],
            "repeated": 0,
            "id": 20466
          },
          {
            "timestamp": "2026-05-28 22:02:10,803",
            "thread_id": "612",
            "caller": "0x7ff6c290d2e0",
            "parentcaller": "0x7ff6c296c1bd",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a84"
              },
              {
                "name": "ValueName",
                "value": "Discord"
              },
              {
                "name": "Data",
                "value": "\"C:\\Users\\admin\\AppData\\Local\\Discord\\Update.exe\" --processStart Discord.exe"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\Discord"
              }
            ],
            "repeated": 0,
            "id": 20467
          },
          {
            "timestamp": "2026-05-28 22:02:10,803",
            "thread_id": "612",
            "caller": "0x7ff6c296abc5",
            "parentcaller": "0x7ff6c296e244",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000057c"
              },
              {
                "name": "ValueName",
                "value": "Discord"
              },
              {
                "name": "Data",
                "value": "\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\StartupApproved\\Run\\Discord"
              }
            ],
            "repeated": 0,
            "id": 20468
          },
          {
            "timestamp": "2026-05-28 22:02:10,803",
            "thread_id": "612",
            "caller": "0x7ff6c290bbeb",
            "parentcaller": "0x7ff6c296cf53",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Users\\admin\\AppData\\Local\\Discord\\Update.exe"
              }
            ],
            "repeated": 0,
            "id": 20469
          },
          {
            "timestamp": "2026-05-28 22:02:10,803",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29251520002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Users\\admin\\AppData\\Local\\Discord\\Update.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 20470
          },
          {
            "timestamp": "2026-05-28 22:02:10,803",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29251520000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              }
            ],
            "repeated": 0,
            "id": 20471
          },
          {
            "timestamp": "2026-05-28 22:02:10,803",
            "thread_id": "612",
            "caller": "0x7ff6c28c9b37",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29251520002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Users\\admin\\AppData\\Local\\Discord\\Update.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 20472
          },
          {
            "timestamp": "2026-05-28 22:02:10,803",
            "thread_id": "612",
            "caller": "0x7ff6c28c9b37",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29251520000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              }
            ],
            "repeated": 0,
            "id": 20473
          },
          {
            "timestamp": "2026-05-28 22:02:10,803",
            "thread_id": "612",
            "caller": "0x7ff6c296e129",
            "parentcaller": "0x7ff6c296d3aa",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Users\\admin\\AppData\\Local\\Discord\\Update.exe"
              }
            ],
            "repeated": 1,
            "id": 20474
          },
          {
            "timestamp": "2026-05-28 22:02:10,803",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29251520002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Users\\admin\\AppData\\Local\\Discord\\Update.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 20475
          },
          {
            "timestamp": "2026-05-28 22:02:10,803",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29251520000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              }
            ],
            "repeated": 0,
            "id": 20476
          },
          {
            "timestamp": "2026-05-28 22:02:10,803",
            "thread_id": "612",
            "caller": "0x7ff6c28c9b37",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29251520002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Users\\admin\\AppData\\Local\\Discord\\Update.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 20477
          },
          {
            "timestamp": "2026-05-28 22:02:10,803",
            "thread_id": "612",
            "caller": "0x7ff6c28c9b37",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29251520000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              }
            ],
            "repeated": 0,
            "id": 20478
          },
          {
            "timestamp": "2026-05-28 22:02:10,803",
            "thread_id": "612",
            "caller": "0x7ff6c296e129",
            "parentcaller": "0x7ff6c296c7fa",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Users\\admin\\AppData\\Local\\Discord\\Update.exe"
              }
            ],
            "repeated": 0,
            "id": 20479
          },
          {
            "timestamp": "2026-05-28 22:02:10,803",
            "thread_id": "612",
            "caller": "0x7ff6c290bbeb",
            "parentcaller": "0x7ff6c296c7b4",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Users\\admin\\AppData\\Local\\Discord\\app-1.0.9238\\Discord.exe"
              }
            ],
            "repeated": 0,
            "id": 20480
          },
          {
            "timestamp": "2026-05-28 22:02:10,803",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29257f80002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Users\\admin\\AppData\\Local\\Discord\\app-1.0.9238\\Discord.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 20481
          },
          {
            "timestamp": "2026-05-28 22:02:10,803",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29257f80000"
              },
              {
                "name": "RegionSize",
                "value": "0x0be3b000"
              }
            ],
            "repeated": 0,
            "id": 20482
          },
          {
            "timestamp": "2026-05-28 22:02:10,803",
            "thread_id": "612",
            "caller": "0x7ff6c28c9b37",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29257f80002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Users\\admin\\AppData\\Local\\Discord\\app-1.0.9238\\Discord.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 20483
          },
          {
            "timestamp": "2026-05-28 22:02:10,803",
            "thread_id": "612",
            "caller": "0x7ff6c28c9b37",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29257f80000"
              },
              {
                "name": "RegionSize",
                "value": "0x0be3b000"
              }
            ],
            "repeated": 0,
            "id": 20484
          },
          {
            "timestamp": "2026-05-28 22:02:10,803",
            "thread_id": "612",
            "caller": "0x7ff6c296e129",
            "parentcaller": "0x7ff6c296c7fa",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Users\\admin\\AppData\\Local\\Discord\\app-1.0.9238\\Discord.exe"
              }
            ],
            "repeated": 0,
            "id": 20485
          },
          {
            "timestamp": "2026-05-28 22:02:10,803",
            "thread_id": "612",
            "caller": "0x7ff6c290bbeb",
            "parentcaller": "0x7ff6c296c7b4",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\reg.exe"
              }
            ],
            "repeated": 0,
            "id": 20486
          },
          {
            "timestamp": "2026-05-28 22:02:10,803",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29251520002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\System32\\reg.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 20487
          },
          {
            "timestamp": "2026-05-28 22:02:10,803",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "registry",
            "api": "NtOpenKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\en-US"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\en-US"
              }
            ],
            "repeated": 0,
            "id": 20488
          },
          {
            "timestamp": "2026-05-28 22:02:10,803",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000a88"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100001",
                "pretty_value": "FILE_READ_ACCESS|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\en-US\\reg.exe.mui"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 20489
          },
          {
            "timestamp": "2026-05-28 22:02:10,803",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000a7c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000a88"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\en-US\\reg.exe.mui"
              }
            ],
            "repeated": 0,
            "id": 20490
          },
          {
            "timestamp": "2026-05-28 22:02:10,803",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000a7c"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29251580000"
              },
              {
                "name": "SectionOffset",
                "value": "0xf09dffd9d0"
              },
              {
                "name": "ViewSize",
                "value": "0x0000a000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 20491
          },
          {
            "timestamp": "2026-05-28 22:02:10,803",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a7c"
              }
            ],
            "repeated": 0,
            "id": 20492
          },
          {
            "timestamp": "2026-05-28 22:02:10,803",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29251580000"
              },
              {
                "name": "RegionSize",
                "value": "0x0000a000"
              }
            ],
            "repeated": 0,
            "id": 20493
          },
          {
            "timestamp": "2026-05-28 22:02:10,803",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a88"
              }
            ],
            "repeated": 0,
            "id": 20494
          },
          {
            "timestamp": "2026-05-28 22:02:10,803",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29251520000"
              },
              {
                "name": "RegionSize",
                "value": "0x00057000"
              }
            ],
            "repeated": 0,
            "id": 20495
          },
          {
            "timestamp": "2026-05-28 22:02:10,803",
            "thread_id": "612",
            "caller": "0x7ff6c28c9b37",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29251520002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\System32\\reg.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 20496
          },
          {
            "timestamp": "2026-05-28 22:02:10,803",
            "thread_id": "612",
            "caller": "0x7ff6c28c9b37",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "registry",
            "api": "NtOpenKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\en-US"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\en-US"
              }
            ],
            "repeated": 0,
            "id": 20497
          },
          {
            "timestamp": "2026-05-28 22:02:10,803",
            "thread_id": "612",
            "caller": "0x7ff6c28c9b37",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000a88"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100001",
                "pretty_value": "FILE_READ_ACCESS|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\en-US\\reg.exe.mui"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 20498
          },
          {
            "timestamp": "2026-05-28 22:02:10,818",
            "thread_id": "612",
            "caller": "0x7ff6c28c9b37",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000a7c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000a88"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\en-US\\reg.exe.mui"
              }
            ],
            "repeated": 0,
            "id": 20499
          },
          {
            "timestamp": "2026-05-28 22:02:10,818",
            "thread_id": "612",
            "caller": "0x7ff6c28c9b37",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000a7c"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29251580000"
              },
              {
                "name": "SectionOffset",
                "value": "0xf09dffd9c0"
              },
              {
                "name": "ViewSize",
                "value": "0x0000a000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 20500
          },
          {
            "timestamp": "2026-05-28 22:02:10,818",
            "thread_id": "612",
            "caller": "0x7ff6c28c9b37",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a7c"
              }
            ],
            "repeated": 0,
            "id": 20501
          },
          {
            "timestamp": "2026-05-28 22:02:10,818",
            "thread_id": "612",
            "caller": "0x7ff6c28c9b37",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29251580000"
              },
              {
                "name": "RegionSize",
                "value": "0x0000a000"
              }
            ],
            "repeated": 0,
            "id": 20502
          },
          {
            "timestamp": "2026-05-28 22:02:10,818",
            "thread_id": "612",
            "caller": "0x7ff6c28c9b37",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a88"
              }
            ],
            "repeated": 0,
            "id": 20503
          },
          {
            "timestamp": "2026-05-28 22:02:10,818",
            "thread_id": "612",
            "caller": "0x7ff6c28c9b37",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29251520000"
              },
              {
                "name": "RegionSize",
                "value": "0x00057000"
              }
            ],
            "repeated": 0,
            "id": 20504
          },
          {
            "timestamp": "2026-05-28 22:02:10,818",
            "thread_id": "612",
            "caller": "0x7ff6c296e129",
            "parentcaller": "0x7ff6c296c7fa",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\reg.exe"
              }
            ],
            "repeated": 0,
            "id": 20505
          },
          {
            "timestamp": "2026-05-28 22:02:10,818",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": false,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "\\??\\C:\\Windows\\system32\\conhost.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 20506
          },
          {
            "timestamp": "2026-05-28 22:02:10,818",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000a88"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\conhost.exe"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "1",
                "pretty_value": "FILE_SHARE_READ"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000080",
                "pretty_value": "FILE_ATTRIBUTE_NORMAL"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 20507
          },
          {
            "timestamp": "2026-05-28 22:02:10,818",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000a88"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\System32\\conhost.exe"
              },
              {
                "name": "FileInformationClass",
                "value": "5",
                "pretty_value": "FileStandardInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\x00@\r\\x00\\x00\\x00\\x00\\x00\\x00<\r\\x00\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 20508
          },
          {
            "timestamp": "2026-05-28 22:02:10,818",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "filesystem",
            "api": "NtSetInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000a88"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\System32\\conhost.exe"
              },
              {
                "name": "FileInformationClass",
                "value": "14",
                "pretty_value": "FilePositionInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 20509
          },
          {
            "timestamp": "2026-05-28 22:02:10,818",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "filesystem",
            "api": "NtReadFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000a88"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\System32\\conhost.exe"
              },
              {
                "name": "Buffer",
                "value": "MZ"
              },
              {
                "name": "Length",
                "value": "2"
              }
            ],
            "repeated": 0,
            "id": 20510
          },
          {
            "timestamp": "2026-05-28 22:02:10,818",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "filesystem",
            "api": "NtSetInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000a88"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\System32\\conhost.exe"
              },
              {
                "name": "FileInformationClass",
                "value": "14",
                "pretty_value": "FilePositionInformation"
              },
              {
                "name": "FileInformation",
                "value": "<\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 20511
          },
          {
            "timestamp": "2026-05-28 22:02:10,818",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "filesystem",
            "api": "NtReadFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000a88"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\System32\\conhost.exe"
              },
              {
                "name": "Buffer",
                "value": "\\xf0\\x00\\x00\\x00"
              },
              {
                "name": "Length",
                "value": "4"
              }
            ],
            "repeated": 0,
            "id": 20512
          },
          {
            "timestamp": "2026-05-28 22:02:10,818",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "filesystem",
            "api": "NtSetInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000a88"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\System32\\conhost.exe"
              },
              {
                "name": "FileInformationClass",
                "value": "14",
                "pretty_value": "FilePositionInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 20513
          },
          {
            "timestamp": "2026-05-28 22:02:10,818",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "filesystem",
            "api": "NtReadFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000a88"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\System32\\conhost.exe"
              },
              {
                "name": "Buffer",
                "value": "PE\\x00\\x00d\\x86\\x07\\x00\\xdc6\\xe4/\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xf0\\x00\"\\x00\\x0b\\x02\\x0e\\x14\\x00\\xa2\t\\x00\\x00\\xcc\\x03\\x00\\x00\\x00\\x00\\x00P\\xf7\\x01\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00@\\x01\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x02\\x00\\x00"
              },
              {
                "name": "Length",
                "value": "64"
              }
            ],
            "repeated": 0,
            "id": 20514
          },
          {
            "timestamp": "2026-05-28 22:02:10,818",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a88"
              }
            ],
            "repeated": 0,
            "id": 20515
          },
          {
            "timestamp": "2026-05-28 22:02:10,818",
            "thread_id": "612",
            "caller": "0x7ff6c296e129",
            "parentcaller": "0x7ff6c296c7fa",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\conhost.exe"
              }
            ],
            "repeated": 0,
            "id": 20516
          },
          {
            "timestamp": "2026-05-28 22:02:10,818",
            "thread_id": "612",
            "caller": "0x7ff6c290bbeb",
            "parentcaller": "0x7ff6c296c7b4",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Users\\admin\\AppData\\Local\\Discord\\app-1.0.9238\\Discord.exe"
              }
            ],
            "repeated": 0,
            "id": 20517
          },
          {
            "timestamp": "2026-05-28 22:02:10,818",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29257f80002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Users\\admin\\AppData\\Local\\Discord\\app-1.0.9238\\Discord.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 20518
          },
          {
            "timestamp": "2026-05-28 22:02:10,818",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29257f80000"
              },
              {
                "name": "RegionSize",
                "value": "0x0be3b000"
              }
            ],
            "repeated": 0,
            "id": 20519
          },
          {
            "timestamp": "2026-05-28 22:02:10,818",
            "thread_id": "612",
            "caller": "0x7ff6c28c9b37",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29257f80002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Users\\admin\\AppData\\Local\\Discord\\app-1.0.9238\\Discord.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 20520
          },
          {
            "timestamp": "2026-05-28 22:02:10,818",
            "thread_id": "612",
            "caller": "0x7ff6c28c9b37",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29257f80000"
              },
              {
                "name": "RegionSize",
                "value": "0x0be3b000"
              }
            ],
            "repeated": 0,
            "id": 20521
          },
          {
            "timestamp": "2026-05-28 22:02:10,818",
            "thread_id": "612",
            "caller": "0x7ff6c296e129",
            "parentcaller": "0x7ff6c296c7fa",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Users\\admin\\AppData\\Local\\Discord\\app-1.0.9238\\Discord.exe"
              }
            ],
            "repeated": 0,
            "id": 20522
          },
          {
            "timestamp": "2026-05-28 22:02:10,818",
            "thread_id": "612",
            "caller": "0x7ff6c290bbeb",
            "parentcaller": "0x7ff6c296c7b4",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\reg.exe"
              }
            ],
            "repeated": 0,
            "id": 20523
          },
          {
            "timestamp": "2026-05-28 22:02:10,818",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29251520002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\System32\\reg.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 20524
          },
          {
            "timestamp": "2026-05-28 22:02:10,818",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "registry",
            "api": "NtOpenKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\en-US"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\en-US"
              }
            ],
            "repeated": 0,
            "id": 20525
          },
          {
            "timestamp": "2026-05-28 22:02:10,818",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000a88"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100001",
                "pretty_value": "FILE_READ_ACCESS|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\en-US\\reg.exe.mui"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 20526
          },
          {
            "timestamp": "2026-05-28 22:02:10,818",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000a7c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000a88"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\en-US\\reg.exe.mui"
              }
            ],
            "repeated": 0,
            "id": 20527
          },
          {
            "timestamp": "2026-05-28 22:02:10,818",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000a7c"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29251580000"
              },
              {
                "name": "SectionOffset",
                "value": "0xf09dffd9d0"
              },
              {
                "name": "ViewSize",
                "value": "0x0000a000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 20528
          },
          {
            "timestamp": "2026-05-28 22:02:10,818",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a7c"
              }
            ],
            "repeated": 0,
            "id": 20529
          },
          {
            "timestamp": "2026-05-28 22:02:10,818",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29251580000"
              },
              {
                "name": "RegionSize",
                "value": "0x0000a000"
              }
            ],
            "repeated": 0,
            "id": 20530
          },
          {
            "timestamp": "2026-05-28 22:02:10,818",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a88"
              }
            ],
            "repeated": 0,
            "id": 20531
          },
          {
            "timestamp": "2026-05-28 22:02:10,818",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29251520000"
              },
              {
                "name": "RegionSize",
                "value": "0x00057000"
              }
            ],
            "repeated": 0,
            "id": 20532
          },
          {
            "timestamp": "2026-05-28 22:02:10,818",
            "thread_id": "612",
            "caller": "0x7ff6c28c9b37",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29251520002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\System32\\reg.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 20533
          },
          {
            "timestamp": "2026-05-28 22:02:10,818",
            "thread_id": "612",
            "caller": "0x7ff6c28c9b37",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "registry",
            "api": "NtOpenKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\en-US"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\en-US"
              }
            ],
            "repeated": 0,
            "id": 20534
          },
          {
            "timestamp": "2026-05-28 22:02:10,818",
            "thread_id": "612",
            "caller": "0x7ff6c28c9b37",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000a88"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100001",
                "pretty_value": "FILE_READ_ACCESS|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\en-US\\reg.exe.mui"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 20535
          },
          {
            "timestamp": "2026-05-28 22:02:10,818",
            "thread_id": "612",
            "caller": "0x7ff6c28c9b37",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000a7c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000a88"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\en-US\\reg.exe.mui"
              }
            ],
            "repeated": 0,
            "id": 20536
          },
          {
            "timestamp": "2026-05-28 22:02:10,818",
            "thread_id": "612",
            "caller": "0x7ff6c28c9b37",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000a7c"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29251580000"
              },
              {
                "name": "SectionOffset",
                "value": "0xf09dffd9c0"
              },
              {
                "name": "ViewSize",
                "value": "0x0000a000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 20537
          },
          {
            "timestamp": "2026-05-28 22:02:10,818",
            "thread_id": "612",
            "caller": "0x7ff6c28c9b37",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a7c"
              }
            ],
            "repeated": 0,
            "id": 20538
          },
          {
            "timestamp": "2026-05-28 22:02:10,818",
            "thread_id": "612",
            "caller": "0x7ff6c28c9b37",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29251580000"
              },
              {
                "name": "RegionSize",
                "value": "0x0000a000"
              }
            ],
            "repeated": 0,
            "id": 20539
          },
          {
            "timestamp": "2026-05-28 22:02:10,818",
            "thread_id": "612",
            "caller": "0x7ff6c28c9b37",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a88"
              }
            ],
            "repeated": 0,
            "id": 20540
          },
          {
            "timestamp": "2026-05-28 22:02:10,818",
            "thread_id": "612",
            "caller": "0x7ff6c28c9b37",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29251520000"
              },
              {
                "name": "RegionSize",
                "value": "0x00057000"
              }
            ],
            "repeated": 0,
            "id": 20541
          },
          {
            "timestamp": "2026-05-28 22:02:10,818",
            "thread_id": "612",
            "caller": "0x7ff6c296e129",
            "parentcaller": "0x7ff6c296c7fa",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\reg.exe"
              }
            ],
            "repeated": 0,
            "id": 20542
          },
          {
            "timestamp": "2026-05-28 22:02:10,818",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": false,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "\\??\\C:\\Windows\\system32\\conhost.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 20543
          },
          {
            "timestamp": "2026-05-28 22:02:10,818",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000a88"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\conhost.exe"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "1",
                "pretty_value": "FILE_SHARE_READ"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000080",
                "pretty_value": "FILE_ATTRIBUTE_NORMAL"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 20544
          },
          {
            "timestamp": "2026-05-28 22:02:10,818",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000a88"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\System32\\conhost.exe"
              },
              {
                "name": "FileInformationClass",
                "value": "5",
                "pretty_value": "FileStandardInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\x00@\r\\x00\\x00\\x00\\x00\\x00\\x00<\r\\x00\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 20545
          },
          {
            "timestamp": "2026-05-28 22:02:10,818",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "filesystem",
            "api": "NtSetInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000a88"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\System32\\conhost.exe"
              },
              {
                "name": "FileInformationClass",
                "value": "14",
                "pretty_value": "FilePositionInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 20546
          },
          {
            "timestamp": "2026-05-28 22:02:10,818",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "filesystem",
            "api": "NtReadFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000a88"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\System32\\conhost.exe"
              },
              {
                "name": "Buffer",
                "value": "MZ"
              },
              {
                "name": "Length",
                "value": "2"
              }
            ],
            "repeated": 0,
            "id": 20547
          },
          {
            "timestamp": "2026-05-28 22:02:10,818",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "filesystem",
            "api": "NtSetInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000a88"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\System32\\conhost.exe"
              },
              {
                "name": "FileInformationClass",
                "value": "14",
                "pretty_value": "FilePositionInformation"
              },
              {
                "name": "FileInformation",
                "value": "<\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 20548
          },
          {
            "timestamp": "2026-05-28 22:02:10,818",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "filesystem",
            "api": "NtReadFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000a88"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\System32\\conhost.exe"
              },
              {
                "name": "Buffer",
                "value": "\\xf0\\x00\\x00\\x00"
              },
              {
                "name": "Length",
                "value": "4"
              }
            ],
            "repeated": 0,
            "id": 20549
          },
          {
            "timestamp": "2026-05-28 22:02:10,818",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "filesystem",
            "api": "NtSetInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000a88"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\System32\\conhost.exe"
              },
              {
                "name": "FileInformationClass",
                "value": "14",
                "pretty_value": "FilePositionInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 20550
          },
          {
            "timestamp": "2026-05-28 22:02:10,818",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "filesystem",
            "api": "NtReadFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000a88"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\System32\\conhost.exe"
              },
              {
                "name": "Buffer",
                "value": "PE\\x00\\x00d\\x86\\x07\\x00\\xdc6\\xe4/\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xf0\\x00\"\\x00\\x0b\\x02\\x0e\\x14\\x00\\xa2\t\\x00\\x00\\xcc\\x03\\x00\\x00\\x00\\x00\\x00P\\xf7\\x01\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00@\\x01\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x02\\x00\\x00"
              },
              {
                "name": "Length",
                "value": "64"
              }
            ],
            "repeated": 0,
            "id": 20551
          },
          {
            "timestamp": "2026-05-28 22:02:10,818",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a88"
              }
            ],
            "repeated": 0,
            "id": 20552
          },
          {
            "timestamp": "2026-05-28 22:02:10,818",
            "thread_id": "612",
            "caller": "0x7ff6c296e129",
            "parentcaller": "0x7ff6c296c7fa",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\conhost.exe"
              }
            ],
            "repeated": 0,
            "id": 20553
          },
          {
            "timestamp": "2026-05-28 22:02:10,818",
            "thread_id": "612",
            "caller": "0x7ff6c290bbeb",
            "parentcaller": "0x7ff6c296c7b4",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Users\\admin\\AppData\\Local\\Discord\\app-1.0.9238\\Discord.exe"
              }
            ],
            "repeated": 0,
            "id": 20554
          },
          {
            "timestamp": "2026-05-28 22:02:10,818",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29257f80002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Users\\admin\\AppData\\Local\\Discord\\app-1.0.9238\\Discord.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 20555
          },
          {
            "timestamp": "2026-05-28 22:02:10,818",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29257f80000"
              },
              {
                "name": "RegionSize",
                "value": "0x0be3b000"
              }
            ],
            "repeated": 0,
            "id": 20556
          },
          {
            "timestamp": "2026-05-28 22:02:10,818",
            "thread_id": "612",
            "caller": "0x7ff6c28c9b37",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29257f80002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Users\\admin\\AppData\\Local\\Discord\\app-1.0.9238\\Discord.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 20557
          },
          {
            "timestamp": "2026-05-28 22:02:10,818",
            "thread_id": "612",
            "caller": "0x7ff6c28c9b37",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29257f80000"
              },
              {
                "name": "RegionSize",
                "value": "0x0be3b000"
              }
            ],
            "repeated": 0,
            "id": 20558
          },
          {
            "timestamp": "2026-05-28 22:02:10,818",
            "thread_id": "612",
            "caller": "0x7ff6c296e129",
            "parentcaller": "0x7ff6c296c7fa",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Users\\admin\\AppData\\Local\\Discord\\app-1.0.9238\\Discord.exe"
              }
            ],
            "repeated": 1,
            "id": 20559
          },
          {
            "timestamp": "2026-05-28 22:02:10,818",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29257f80002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Users\\admin\\AppData\\Local\\Discord\\app-1.0.9238\\Discord.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 20560
          },
          {
            "timestamp": "2026-05-28 22:02:10,818",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29257f80000"
              },
              {
                "name": "RegionSize",
                "value": "0x0be3b000"
              }
            ],
            "repeated": 0,
            "id": 20561
          },
          {
            "timestamp": "2026-05-28 22:02:10,818",
            "thread_id": "612",
            "caller": "0x7ff6c28c9b37",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29257f80002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Users\\admin\\AppData\\Local\\Discord\\app-1.0.9238\\Discord.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 20562
          },
          {
            "timestamp": "2026-05-28 22:02:10,818",
            "thread_id": "612",
            "caller": "0x7ff6c28c9b37",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29257f80000"
              },
              {
                "name": "RegionSize",
                "value": "0x0be3b000"
              }
            ],
            "repeated": 0,
            "id": 20563
          },
          {
            "timestamp": "2026-05-28 22:02:10,818",
            "thread_id": "612",
            "caller": "0x7ff6c296e129",
            "parentcaller": "0x7ff6c296c7fa",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Users\\admin\\AppData\\Local\\Discord\\app-1.0.9238\\Discord.exe"
              }
            ],
            "repeated": 1,
            "id": 20564
          },
          {
            "timestamp": "2026-05-28 22:02:10,818",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29257f80002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Users\\admin\\AppData\\Local\\Discord\\app-1.0.9238\\Discord.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 20565
          },
          {
            "timestamp": "2026-05-28 22:02:10,818",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29257f80000"
              },
              {
                "name": "RegionSize",
                "value": "0x0be3b000"
              }
            ],
            "repeated": 0,
            "id": 20566
          },
          {
            "timestamp": "2026-05-28 22:02:10,818",
            "thread_id": "612",
            "caller": "0x7ff6c28c9b37",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29257f80002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Users\\admin\\AppData\\Local\\Discord\\app-1.0.9238\\Discord.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 20567
          },
          {
            "timestamp": "2026-05-28 22:02:10,818",
            "thread_id": "612",
            "caller": "0x7ff6c28c9b37",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29257f80000"
              },
              {
                "name": "RegionSize",
                "value": "0x0be3b000"
              }
            ],
            "repeated": 0,
            "id": 20568
          },
          {
            "timestamp": "2026-05-28 22:02:10,818",
            "thread_id": "612",
            "caller": "0x7ff6c296e129",
            "parentcaller": "0x7ff6c296c7fa",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Users\\admin\\AppData\\Local\\Discord\\app-1.0.9238\\Discord.exe"
              }
            ],
            "repeated": 1,
            "id": 20569
          },
          {
            "timestamp": "2026-05-28 22:02:10,818",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29257f80002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Users\\admin\\AppData\\Local\\Discord\\app-1.0.9238\\Discord.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 20570
          },
          {
            "timestamp": "2026-05-28 22:02:10,818",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29257f80000"
              },
              {
                "name": "RegionSize",
                "value": "0x0be3b000"
              }
            ],
            "repeated": 0,
            "id": 20571
          },
          {
            "timestamp": "2026-05-28 22:02:10,818",
            "thread_id": "612",
            "caller": "0x7ff6c28c9b37",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29257f80002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Users\\admin\\AppData\\Local\\Discord\\app-1.0.9238\\Discord.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 20572
          },
          {
            "timestamp": "2026-05-28 22:02:10,818",
            "thread_id": "612",
            "caller": "0x7ff6c28c9b37",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29257f80000"
              },
              {
                "name": "RegionSize",
                "value": "0x0be3b000"
              }
            ],
            "repeated": 0,
            "id": 20573
          },
          {
            "timestamp": "2026-05-28 22:02:10,818",
            "thread_id": "612",
            "caller": "0x7ff6c296e129",
            "parentcaller": "0x7ff6c296c7fa",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Users\\admin\\AppData\\Local\\Discord\\app-1.0.9238\\Discord.exe"
              }
            ],
            "repeated": 1,
            "id": 20574
          },
          {
            "timestamp": "2026-05-28 22:02:10,818",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29257f80002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Users\\admin\\AppData\\Local\\Discord\\app-1.0.9238\\Discord.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 20575
          },
          {
            "timestamp": "2026-05-28 22:02:10,818",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29257f80000"
              },
              {
                "name": "RegionSize",
                "value": "0x0be3b000"
              }
            ],
            "repeated": 0,
            "id": 20576
          },
          {
            "timestamp": "2026-05-28 22:02:10,818",
            "thread_id": "612",
            "caller": "0x7ff6c28c9b37",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29257f80002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Users\\admin\\AppData\\Local\\Discord\\app-1.0.9238\\Discord.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 20577
          },
          {
            "timestamp": "2026-05-28 22:02:10,818",
            "thread_id": "612",
            "caller": "0x7ff6c28c9b37",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29257f80000"
              },
              {
                "name": "RegionSize",
                "value": "0x0be3b000"
              }
            ],
            "repeated": 0,
            "id": 20578
          },
          {
            "timestamp": "2026-05-28 22:02:10,818",
            "thread_id": "612",
            "caller": "0x7ff6c296e129",
            "parentcaller": "0x7ff6c296c7fa",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Users\\admin\\AppData\\Local\\Discord\\app-1.0.9238\\Discord.exe"
              }
            ],
            "repeated": 1,
            "id": 20579
          },
          {
            "timestamp": "2026-05-28 22:02:10,818",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29257f80002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Users\\admin\\AppData\\Local\\Discord\\app-1.0.9238\\Discord.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 20580
          },
          {
            "timestamp": "2026-05-28 22:02:10,818",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29257f80000"
              },
              {
                "name": "RegionSize",
                "value": "0x0be3b000"
              }
            ],
            "repeated": 0,
            "id": 20581
          },
          {
            "timestamp": "2026-05-28 22:02:10,818",
            "thread_id": "612",
            "caller": "0x7ff6c28c9b37",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29257f80002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Users\\admin\\AppData\\Local\\Discord\\app-1.0.9238\\Discord.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 20582
          },
          {
            "timestamp": "2026-05-28 22:02:10,818",
            "thread_id": "612",
            "caller": "0x7ff6c28c9b37",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29257f80000"
              },
              {
                "name": "RegionSize",
                "value": "0x0be3b000"
              }
            ],
            "repeated": 0,
            "id": 20583
          },
          {
            "timestamp": "2026-05-28 22:02:10,818",
            "thread_id": "612",
            "caller": "0x7ff6c296e129",
            "parentcaller": "0x7ff6c296c7fa",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Users\\admin\\AppData\\Local\\Discord\\app-1.0.9238\\Discord.exe"
              }
            ],
            "repeated": 1,
            "id": 20584
          },
          {
            "timestamp": "2026-05-28 22:02:10,818",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29257f80002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Users\\admin\\AppData\\Local\\Discord\\app-1.0.9238\\Discord.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 20585
          },
          {
            "timestamp": "2026-05-28 22:02:10,818",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29257f80000"
              },
              {
                "name": "RegionSize",
                "value": "0x0be3b000"
              }
            ],
            "repeated": 0,
            "id": 20586
          },
          {
            "timestamp": "2026-05-28 22:02:10,818",
            "thread_id": "612",
            "caller": "0x7ff6c28c9b37",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29257f80002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Users\\admin\\AppData\\Local\\Discord\\app-1.0.9238\\Discord.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 20587
          },
          {
            "timestamp": "2026-05-28 22:02:10,818",
            "thread_id": "612",
            "caller": "0x7ff6c28c9b37",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29257f80000"
              },
              {
                "name": "RegionSize",
                "value": "0x0be3b000"
              }
            ],
            "repeated": 0,
            "id": 20588
          },
          {
            "timestamp": "2026-05-28 22:02:10,818",
            "thread_id": "612",
            "caller": "0x7ff6c296e129",
            "parentcaller": "0x7ff6c296c7fa",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Users\\admin\\AppData\\Local\\Discord\\app-1.0.9238\\Discord.exe"
              }
            ],
            "repeated": 1,
            "id": 20589
          },
          {
            "timestamp": "2026-05-28 22:02:10,818",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29257f80002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Users\\admin\\AppData\\Local\\Discord\\app-1.0.9238\\Discord.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 20590
          },
          {
            "timestamp": "2026-05-28 22:02:10,818",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29257f80000"
              },
              {
                "name": "RegionSize",
                "value": "0x0be3b000"
              }
            ],
            "repeated": 0,
            "id": 20591
          },
          {
            "timestamp": "2026-05-28 22:02:10,818",
            "thread_id": "612",
            "caller": "0x7ff6c28c9b37",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29257f80002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Users\\admin\\AppData\\Local\\Discord\\app-1.0.9238\\Discord.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 20592
          },
          {
            "timestamp": "2026-05-28 22:02:10,818",
            "thread_id": "612",
            "caller": "0x7ff6c28c9b37",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29257f80000"
              },
              {
                "name": "RegionSize",
                "value": "0x0be3b000"
              }
            ],
            "repeated": 0,
            "id": 20593
          },
          {
            "timestamp": "2026-05-28 22:02:10,818",
            "thread_id": "612",
            "caller": "0x7ff6c296e129",
            "parentcaller": "0x7ff6c296c7fa",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Users\\admin\\AppData\\Local\\Discord\\app-1.0.9238\\Discord.exe"
              }
            ],
            "repeated": 0,
            "id": 20594
          },
          {
            "timestamp": "2026-05-28 22:02:10,834",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29251520002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "\\\\?\\C:\\Users\\admin\\AppData\\Local\\Discord\\app-1.0.9238\\modules\\discord_voice-1\\discord_voice\\gpu_encoder_helper.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 20595
          },
          {
            "timestamp": "2026-05-28 22:02:10,834",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29251520000"
              },
              {
                "name": "RegionSize",
                "value": "0x000de000"
              }
            ],
            "repeated": 0,
            "id": 20596
          },
          {
            "timestamp": "2026-05-28 22:02:10,834",
            "thread_id": "612",
            "caller": "0x7ff6c296e129",
            "parentcaller": "0x7ff6c296c7fa",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Users\\admin\\AppData\\Local\\Discord\\app-1.0.9238\\modules\\discord_voice-1\\discord_voice\\gpu_encoder_helper.exe"
              }
            ],
            "repeated": 0,
            "id": 20597
          },
          {
            "timestamp": "2026-05-28 22:02:10,834",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": false,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "\\??\\C:\\Windows\\system32\\conhost.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 20598
          },
          {
            "timestamp": "2026-05-28 22:02:10,834",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000a88"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\conhost.exe"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "1",
                "pretty_value": "FILE_SHARE_READ"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000080",
                "pretty_value": "FILE_ATTRIBUTE_NORMAL"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 20599
          },
          {
            "timestamp": "2026-05-28 22:02:10,834",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000a88"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\System32\\conhost.exe"
              },
              {
                "name": "FileInformationClass",
                "value": "5",
                "pretty_value": "FileStandardInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\x00@\r\\x00\\x00\\x00\\x00\\x00\\x00<\r\\x00\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 20600
          },
          {
            "timestamp": "2026-05-28 22:02:10,834",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "filesystem",
            "api": "NtSetInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000a88"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\System32\\conhost.exe"
              },
              {
                "name": "FileInformationClass",
                "value": "14",
                "pretty_value": "FilePositionInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 20601
          },
          {
            "timestamp": "2026-05-28 22:02:10,834",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "filesystem",
            "api": "NtReadFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000a88"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\System32\\conhost.exe"
              },
              {
                "name": "Buffer",
                "value": "MZ"
              },
              {
                "name": "Length",
                "value": "2"
              }
            ],
            "repeated": 0,
            "id": 20602
          },
          {
            "timestamp": "2026-05-28 22:02:10,834",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "filesystem",
            "api": "NtSetInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000a88"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\System32\\conhost.exe"
              },
              {
                "name": "FileInformationClass",
                "value": "14",
                "pretty_value": "FilePositionInformation"
              },
              {
                "name": "FileInformation",
                "value": "<\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 20603
          },
          {
            "timestamp": "2026-05-28 22:02:10,834",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "filesystem",
            "api": "NtReadFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000a88"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\System32\\conhost.exe"
              },
              {
                "name": "Buffer",
                "value": "\\xf0\\x00\\x00\\x00"
              },
              {
                "name": "Length",
                "value": "4"
              }
            ],
            "repeated": 0,
            "id": 20604
          },
          {
            "timestamp": "2026-05-28 22:02:10,834",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "filesystem",
            "api": "NtSetInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000a88"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\System32\\conhost.exe"
              },
              {
                "name": "FileInformationClass",
                "value": "14",
                "pretty_value": "FilePositionInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 20605
          },
          {
            "timestamp": "2026-05-28 22:02:10,834",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "filesystem",
            "api": "NtReadFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000a88"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\System32\\conhost.exe"
              },
              {
                "name": "Buffer",
                "value": "PE\\x00\\x00d\\x86\\x07\\x00\\xdc6\\xe4/\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xf0\\x00\"\\x00\\x0b\\x02\\x0e\\x14\\x00\\xa2\t\\x00\\x00\\xcc\\x03\\x00\\x00\\x00\\x00\\x00P\\xf7\\x01\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00@\\x01\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x02\\x00\\x00"
              },
              {
                "name": "Length",
                "value": "64"
              }
            ],
            "repeated": 0,
            "id": 20606
          },
          {
            "timestamp": "2026-05-28 22:02:10,834",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a88"
              }
            ],
            "repeated": 0,
            "id": 20607
          },
          {
            "timestamp": "2026-05-28 22:02:10,834",
            "thread_id": "612",
            "caller": "0x7ff6c296e129",
            "parentcaller": "0x7ff6c296c7fa",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\conhost.exe"
              }
            ],
            "repeated": 0,
            "id": 20608
          },
          {
            "timestamp": "2026-05-28 22:02:10,834",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29251520002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "\\\\?\\C:\\Users\\admin\\AppData\\Local\\Discord\\app-1.0.9238\\modules\\discord_voice-1\\discord_voice\\gpu_encoder_helper.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 20609
          },
          {
            "timestamp": "2026-05-28 22:02:10,834",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29251520000"
              },
              {
                "name": "RegionSize",
                "value": "0x000de000"
              }
            ],
            "repeated": 0,
            "id": 20610
          },
          {
            "timestamp": "2026-05-28 22:02:10,834",
            "thread_id": "612",
            "caller": "0x7ff6c296e129",
            "parentcaller": "0x7ff6c296c7fa",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Users\\admin\\AppData\\Local\\Discord\\app-1.0.9238\\modules\\discord_voice-1\\discord_voice\\gpu_encoder_helper.exe"
              }
            ],
            "repeated": 0,
            "id": 20611
          },
          {
            "timestamp": "2026-05-28 22:02:10,834",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": false,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "\\??\\C:\\Windows\\system32\\conhost.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 20612
          },
          {
            "timestamp": "2026-05-28 22:02:10,834",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000a88"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\conhost.exe"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "1",
                "pretty_value": "FILE_SHARE_READ"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000080",
                "pretty_value": "FILE_ATTRIBUTE_NORMAL"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 20613
          },
          {
            "timestamp": "2026-05-28 22:02:10,834",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000a88"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\System32\\conhost.exe"
              },
              {
                "name": "FileInformationClass",
                "value": "5",
                "pretty_value": "FileStandardInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\x00@\r\\x00\\x00\\x00\\x00\\x00\\x00<\r\\x00\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 20614
          },
          {
            "timestamp": "2026-05-28 22:02:10,834",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "filesystem",
            "api": "NtSetInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000a88"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\System32\\conhost.exe"
              },
              {
                "name": "FileInformationClass",
                "value": "14",
                "pretty_value": "FilePositionInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 20615
          },
          {
            "timestamp": "2026-05-28 22:02:10,834",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "filesystem",
            "api": "NtReadFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000a88"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\System32\\conhost.exe"
              },
              {
                "name": "Buffer",
                "value": "MZ"
              },
              {
                "name": "Length",
                "value": "2"
              }
            ],
            "repeated": 0,
            "id": 20616
          },
          {
            "timestamp": "2026-05-28 22:02:10,834",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "filesystem",
            "api": "NtSetInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000a88"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\System32\\conhost.exe"
              },
              {
                "name": "FileInformationClass",
                "value": "14",
                "pretty_value": "FilePositionInformation"
              },
              {
                "name": "FileInformation",
                "value": "<\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 20617
          },
          {
            "timestamp": "2026-05-28 22:02:10,834",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "filesystem",
            "api": "NtReadFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000a88"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\System32\\conhost.exe"
              },
              {
                "name": "Buffer",
                "value": "\\xf0\\x00\\x00\\x00"
              },
              {
                "name": "Length",
                "value": "4"
              }
            ],
            "repeated": 0,
            "id": 20618
          },
          {
            "timestamp": "2026-05-28 22:02:10,834",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "filesystem",
            "api": "NtSetInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000a88"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\System32\\conhost.exe"
              },
              {
                "name": "FileInformationClass",
                "value": "14",
                "pretty_value": "FilePositionInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 20619
          },
          {
            "timestamp": "2026-05-28 22:02:10,834",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "filesystem",
            "api": "NtReadFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000a88"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\System32\\conhost.exe"
              },
              {
                "name": "Buffer",
                "value": "PE\\x00\\x00d\\x86\\x07\\x00\\xdc6\\xe4/\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xf0\\x00\"\\x00\\x0b\\x02\\x0e\\x14\\x00\\xa2\t\\x00\\x00\\xcc\\x03\\x00\\x00\\x00\\x00\\x00P\\xf7\\x01\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00@\\x01\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x02\\x00\\x00"
              },
              {
                "name": "Length",
                "value": "64"
              }
            ],
            "repeated": 0,
            "id": 20620
          },
          {
            "timestamp": "2026-05-28 22:02:10,834",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a88"
              }
            ],
            "repeated": 0,
            "id": 20621
          },
          {
            "timestamp": "2026-05-28 22:02:10,834",
            "thread_id": "612",
            "caller": "0x7ff6c296e129",
            "parentcaller": "0x7ff6c296c7fa",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\conhost.exe"
              }
            ],
            "repeated": 0,
            "id": 20622
          },
          {
            "timestamp": "2026-05-28 22:02:10,834",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29251520002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "\\\\?\\C:\\Users\\admin\\AppData\\Local\\Discord\\app-1.0.9238\\modules\\discord_voice-1\\discord_voice\\gpu_encoder_helper.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 20623
          },
          {
            "timestamp": "2026-05-28 22:02:10,834",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29251520000"
              },
              {
                "name": "RegionSize",
                "value": "0x000de000"
              }
            ],
            "repeated": 0,
            "id": 20624
          },
          {
            "timestamp": "2026-05-28 22:02:10,834",
            "thread_id": "612",
            "caller": "0x7ff6c296e129",
            "parentcaller": "0x7ff6c296c7fa",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Users\\admin\\AppData\\Local\\Discord\\app-1.0.9238\\modules\\discord_voice-1\\discord_voice\\gpu_encoder_helper.exe"
              }
            ],
            "repeated": 0,
            "id": 20625
          },
          {
            "timestamp": "2026-05-28 22:02:10,834",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": false,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "\\??\\C:\\Windows\\system32\\conhost.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 20626
          },
          {
            "timestamp": "2026-05-28 22:02:10,834",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000a88"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\conhost.exe"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "1",
                "pretty_value": "FILE_SHARE_READ"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000080",
                "pretty_value": "FILE_ATTRIBUTE_NORMAL"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 20627
          },
          {
            "timestamp": "2026-05-28 22:02:10,834",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000a88"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\System32\\conhost.exe"
              },
              {
                "name": "FileInformationClass",
                "value": "5",
                "pretty_value": "FileStandardInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\x00@\r\\x00\\x00\\x00\\x00\\x00\\x00<\r\\x00\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 20628
          },
          {
            "timestamp": "2026-05-28 22:02:10,834",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "filesystem",
            "api": "NtSetInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000a88"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\System32\\conhost.exe"
              },
              {
                "name": "FileInformationClass",
                "value": "14",
                "pretty_value": "FilePositionInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 20629
          },
          {
            "timestamp": "2026-05-28 22:02:10,834",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "filesystem",
            "api": "NtReadFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000a88"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\System32\\conhost.exe"
              },
              {
                "name": "Buffer",
                "value": "MZ"
              },
              {
                "name": "Length",
                "value": "2"
              }
            ],
            "repeated": 0,
            "id": 20630
          },
          {
            "timestamp": "2026-05-28 22:02:10,834",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "filesystem",
            "api": "NtSetInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000a88"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\System32\\conhost.exe"
              },
              {
                "name": "FileInformationClass",
                "value": "14",
                "pretty_value": "FilePositionInformation"
              },
              {
                "name": "FileInformation",
                "value": "<\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 20631
          },
          {
            "timestamp": "2026-05-28 22:02:10,834",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "filesystem",
            "api": "NtReadFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000a88"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\System32\\conhost.exe"
              },
              {
                "name": "Buffer",
                "value": "\\xf0\\x00\\x00\\x00"
              },
              {
                "name": "Length",
                "value": "4"
              }
            ],
            "repeated": 0,
            "id": 20632
          },
          {
            "timestamp": "2026-05-28 22:02:10,834",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "filesystem",
            "api": "NtSetInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000a88"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\System32\\conhost.exe"
              },
              {
                "name": "FileInformationClass",
                "value": "14",
                "pretty_value": "FilePositionInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 20633
          },
          {
            "timestamp": "2026-05-28 22:02:10,834",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "filesystem",
            "api": "NtReadFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000a88"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\System32\\conhost.exe"
              },
              {
                "name": "Buffer",
                "value": "PE\\x00\\x00d\\x86\\x07\\x00\\xdc6\\xe4/\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xf0\\x00\"\\x00\\x0b\\x02\\x0e\\x14\\x00\\xa2\t\\x00\\x00\\xcc\\x03\\x00\\x00\\x00\\x00\\x00P\\xf7\\x01\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00@\\x01\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x02\\x00\\x00"
              },
              {
                "name": "Length",
                "value": "64"
              }
            ],
            "repeated": 0,
            "id": 20634
          },
          {
            "timestamp": "2026-05-28 22:02:10,834",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a88"
              }
            ],
            "repeated": 0,
            "id": 20635
          },
          {
            "timestamp": "2026-05-28 22:02:10,834",
            "thread_id": "612",
            "caller": "0x7ff6c296e129",
            "parentcaller": "0x7ff6c296c7fa",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\conhost.exe"
              }
            ],
            "repeated": 0,
            "id": 20636
          },
          {
            "timestamp": "2026-05-28 22:02:10,834",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29251520002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "\\\\?\\C:\\Users\\admin\\AppData\\Local\\Discord\\app-1.0.9238\\modules\\discord_voice-1\\discord_voice\\gpu_encoder_helper.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 20637
          },
          {
            "timestamp": "2026-05-28 22:02:10,834",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29251520000"
              },
              {
                "name": "RegionSize",
                "value": "0x000de000"
              }
            ],
            "repeated": 0,
            "id": 20638
          },
          {
            "timestamp": "2026-05-28 22:02:10,834",
            "thread_id": "612",
            "caller": "0x7ff6c296e129",
            "parentcaller": "0x7ff6c296c7fa",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Users\\admin\\AppData\\Local\\Discord\\app-1.0.9238\\modules\\discord_voice-1\\discord_voice\\gpu_encoder_helper.exe"
              }
            ],
            "repeated": 0,
            "id": 20639
          },
          {
            "timestamp": "2026-05-28 22:02:10,834",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": false,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "\\??\\C:\\Windows\\system32\\conhost.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 20640
          },
          {
            "timestamp": "2026-05-28 22:02:10,834",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000a88"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\conhost.exe"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "1",
                "pretty_value": "FILE_SHARE_READ"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000080",
                "pretty_value": "FILE_ATTRIBUTE_NORMAL"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 20641
          },
          {
            "timestamp": "2026-05-28 22:02:10,834",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000a88"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\System32\\conhost.exe"
              },
              {
                "name": "FileInformationClass",
                "value": "5",
                "pretty_value": "FileStandardInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\x00@\r\\x00\\x00\\x00\\x00\\x00\\x00<\r\\x00\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 20642
          },
          {
            "timestamp": "2026-05-28 22:02:10,834",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "filesystem",
            "api": "NtSetInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000a88"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\System32\\conhost.exe"
              },
              {
                "name": "FileInformationClass",
                "value": "14",
                "pretty_value": "FilePositionInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 20643
          },
          {
            "timestamp": "2026-05-28 22:02:10,834",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "filesystem",
            "api": "NtReadFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000a88"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\System32\\conhost.exe"
              },
              {
                "name": "Buffer",
                "value": "MZ"
              },
              {
                "name": "Length",
                "value": "2"
              }
            ],
            "repeated": 0,
            "id": 20644
          },
          {
            "timestamp": "2026-05-28 22:02:10,834",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "filesystem",
            "api": "NtSetInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000a88"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\System32\\conhost.exe"
              },
              {
                "name": "FileInformationClass",
                "value": "14",
                "pretty_value": "FilePositionInformation"
              },
              {
                "name": "FileInformation",
                "value": "<\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 20645
          },
          {
            "timestamp": "2026-05-28 22:02:10,834",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "filesystem",
            "api": "NtReadFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000a88"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\System32\\conhost.exe"
              },
              {
                "name": "Buffer",
                "value": "\\xf0\\x00\\x00\\x00"
              },
              {
                "name": "Length",
                "value": "4"
              }
            ],
            "repeated": 0,
            "id": 20646
          },
          {
            "timestamp": "2026-05-28 22:02:10,834",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "filesystem",
            "api": "NtSetInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000a88"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\System32\\conhost.exe"
              },
              {
                "name": "FileInformationClass",
                "value": "14",
                "pretty_value": "FilePositionInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 20647
          },
          {
            "timestamp": "2026-05-28 22:02:10,834",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "filesystem",
            "api": "NtReadFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000a88"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\System32\\conhost.exe"
              },
              {
                "name": "Buffer",
                "value": "PE\\x00\\x00d\\x86\\x07\\x00\\xdc6\\xe4/\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xf0\\x00\"\\x00\\x0b\\x02\\x0e\\x14\\x00\\xa2\t\\x00\\x00\\xcc\\x03\\x00\\x00\\x00\\x00\\x00P\\xf7\\x01\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00@\\x01\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x02\\x00\\x00"
              },
              {
                "name": "Length",
                "value": "64"
              }
            ],
            "repeated": 0,
            "id": 20648
          },
          {
            "timestamp": "2026-05-28 22:02:10,834",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a88"
              }
            ],
            "repeated": 0,
            "id": 20649
          },
          {
            "timestamp": "2026-05-28 22:02:10,834",
            "thread_id": "612",
            "caller": "0x7ff6c296e129",
            "parentcaller": "0x7ff6c296c7fa",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\conhost.exe"
              }
            ],
            "repeated": 0,
            "id": 20650
          },
          {
            "timestamp": "2026-05-28 22:02:10,834",
            "thread_id": "612",
            "caller": "0x7ff6c290d36c",
            "parentcaller": "0x7ff6c296c16e",
            "category": "registry",
            "api": "RegEnumValueW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a84"
              },
              {
                "name": "Index",
                "value": "2"
              },
              {
                "name": "ValueName",
                "value": "Steam"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "DataLength",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\Steam"
              }
            ],
            "repeated": 0,
            "id": 20651
          },
          {
            "timestamp": "2026-05-28 22:02:10,834",
            "thread_id": "612",
            "caller": "0x7ff6c290d20b",
            "parentcaller": "0x7ff6c296c1bd",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a84"
              },
              {
                "name": "ValueName",
                "value": "Steam"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\Steam"
              }
            ],
            "repeated": 0,
            "id": 20652
          },
          {
            "timestamp": "2026-05-28 22:02:10,834",
            "thread_id": "612",
            "caller": "0x7ff6c290d2e0",
            "parentcaller": "0x7ff6c296c1bd",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a84"
              },
              {
                "name": "ValueName",
                "value": "Steam"
              },
              {
                "name": "Data",
                "value": "\"C:\\Program Files (x86)\\Steam\\steam.exe\" -silent"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\Steam"
              }
            ],
            "repeated": 0,
            "id": 20653
          },
          {
            "timestamp": "2026-05-28 22:02:10,834",
            "thread_id": "612",
            "caller": "0x7ff6c296abc5",
            "parentcaller": "0x7ff6c296e244",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000057c"
              },
              {
                "name": "ValueName",
                "value": "Steam"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\StartupApproved\\Run\\Steam"
              }
            ],
            "repeated": 0,
            "id": 20654
          },
          {
            "timestamp": "2026-05-28 22:02:10,834",
            "thread_id": "612",
            "caller": "0x7ff6c290bbeb",
            "parentcaller": "0x7ff6c296cf53",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Program Files (x86)\\Steam\\steam.exe"
              }
            ],
            "repeated": 0,
            "id": 20655
          },
          {
            "timestamp": "2026-05-28 22:02:10,834",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29251520002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Program Files (x86)\\Steam\\steam.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 20656
          },
          {
            "timestamp": "2026-05-28 22:02:10,834",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29251520000"
              },
              {
                "name": "RegionSize",
                "value": "0x00708000"
              }
            ],
            "repeated": 0,
            "id": 20657
          },
          {
            "timestamp": "2026-05-28 22:02:10,834",
            "thread_id": "612",
            "caller": "0x7ff6c28c9b37",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29251520002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Program Files (x86)\\Steam\\steam.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 20658
          },
          {
            "timestamp": "2026-05-28 22:02:10,834",
            "thread_id": "612",
            "caller": "0x7ff6c28c9b37",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29251520000"
              },
              {
                "name": "RegionSize",
                "value": "0x00708000"
              }
            ],
            "repeated": 0,
            "id": 20659
          },
          {
            "timestamp": "2026-05-28 22:02:10,834",
            "thread_id": "612",
            "caller": "0x7ff6c296e129",
            "parentcaller": "0x7ff6c296d3aa",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Program Files (x86)\\Steam\\steam.exe"
              }
            ],
            "repeated": 1,
            "id": 20660
          },
          {
            "timestamp": "2026-05-28 22:02:10,834",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29251520002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Program Files (x86)\\Steam\\steam.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 20661
          },
          {
            "timestamp": "2026-05-28 22:02:10,834",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29251520000"
              },
              {
                "name": "RegionSize",
                "value": "0x00708000"
              }
            ],
            "repeated": 0,
            "id": 20662
          },
          {
            "timestamp": "2026-05-28 22:02:10,834",
            "thread_id": "612",
            "caller": "0x7ff6c28c9b37",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29251520002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Program Files (x86)\\Steam\\steam.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 20663
          },
          {
            "timestamp": "2026-05-28 22:02:10,834",
            "thread_id": "612",
            "caller": "0x7ff6c28c9b37",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29251520000"
              },
              {
                "name": "RegionSize",
                "value": "0x00708000"
              }
            ],
            "repeated": 0,
            "id": 20664
          },
          {
            "timestamp": "2026-05-28 22:02:10,834",
            "thread_id": "612",
            "caller": "0x7ff6c296e129",
            "parentcaller": "0x7ff6c296c7fa",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Program Files (x86)\\Steam\\steam.exe"
              }
            ],
            "repeated": 0,
            "id": 20665
          },
          {
            "timestamp": "2026-05-28 22:02:10,834",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": false,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": ".\\bin\\vulkandriverquery64.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 20666
          },
          {
            "timestamp": "2026-05-28 22:02:10,834",
            "thread_id": "612",
            "caller": "0x7ff6c296e129",
            "parentcaller": "0x7ff6c296c7fa",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": false,
            "return": "0xffffffffc000003a",
            "pretty_return": "OBJECT_PATH_NOT_FOUND",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\bin\\vulkandriverquery64.exe"
              }
            ],
            "repeated": 0,
            "id": 20667
          },
          {
            "timestamp": "2026-05-28 22:02:10,834",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": false,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "\\??\\C:\\Windows\\system32\\conhost.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 20668
          },
          {
            "timestamp": "2026-05-28 22:02:10,834",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000aa0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\conhost.exe"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "1",
                "pretty_value": "FILE_SHARE_READ"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000080",
                "pretty_value": "FILE_ATTRIBUTE_NORMAL"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 20669
          },
          {
            "timestamp": "2026-05-28 22:02:10,834",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000aa0"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\System32\\conhost.exe"
              },
              {
                "name": "FileInformationClass",
                "value": "5",
                "pretty_value": "FileStandardInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\x00@\r\\x00\\x00\\x00\\x00\\x00\\x00<\r\\x00\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 20670
          },
          {
            "timestamp": "2026-05-28 22:02:10,834",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "filesystem",
            "api": "NtSetInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000aa0"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\System32\\conhost.exe"
              },
              {
                "name": "FileInformationClass",
                "value": "14",
                "pretty_value": "FilePositionInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 20671
          },
          {
            "timestamp": "2026-05-28 22:02:10,834",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "filesystem",
            "api": "NtReadFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000aa0"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\System32\\conhost.exe"
              },
              {
                "name": "Buffer",
                "value": "MZ"
              },
              {
                "name": "Length",
                "value": "2"
              }
            ],
            "repeated": 0,
            "id": 20672
          },
          {
            "timestamp": "2026-05-28 22:02:10,834",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "filesystem",
            "api": "NtSetInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000aa0"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\System32\\conhost.exe"
              },
              {
                "name": "FileInformationClass",
                "value": "14",
                "pretty_value": "FilePositionInformation"
              },
              {
                "name": "FileInformation",
                "value": "<\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 20673
          },
          {
            "timestamp": "2026-05-28 22:02:10,834",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "filesystem",
            "api": "NtReadFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000aa0"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\System32\\conhost.exe"
              },
              {
                "name": "Buffer",
                "value": "\\xf0\\x00\\x00\\x00"
              },
              {
                "name": "Length",
                "value": "4"
              }
            ],
            "repeated": 0,
            "id": 20674
          },
          {
            "timestamp": "2026-05-28 22:02:10,834",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "filesystem",
            "api": "NtSetInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000aa0"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\System32\\conhost.exe"
              },
              {
                "name": "FileInformationClass",
                "value": "14",
                "pretty_value": "FilePositionInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 20675
          },
          {
            "timestamp": "2026-05-28 22:02:10,834",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "filesystem",
            "api": "NtReadFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000aa0"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\System32\\conhost.exe"
              },
              {
                "name": "Buffer",
                "value": "PE\\x00\\x00d\\x86\\x07\\x00\\xdc6\\xe4/\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xf0\\x00\"\\x00\\x0b\\x02\\x0e\\x14\\x00\\xa2\t\\x00\\x00\\xcc\\x03\\x00\\x00\\x00\\x00\\x00P\\xf7\\x01\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00@\\x01\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x02\\x00\\x00"
              },
              {
                "name": "Length",
                "value": "64"
              }
            ],
            "repeated": 0,
            "id": 20676
          },
          {
            "timestamp": "2026-05-28 22:02:10,834",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000aa0"
              }
            ],
            "repeated": 0,
            "id": 20677
          },
          {
            "timestamp": "2026-05-28 22:02:10,834",
            "thread_id": "612",
            "caller": "0x7ff6c296e129",
            "parentcaller": "0x7ff6c296c7fa",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\conhost.exe"
              }
            ],
            "repeated": 0,
            "id": 20678
          },
          {
            "timestamp": "2026-05-28 22:02:10,834",
            "thread_id": "612",
            "caller": "0x7ff6c290bbeb",
            "parentcaller": "0x7ff6c296c7b4",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Program Files (x86)\\Steam\\bin\\cef\\cef.win64\\steamwebhelper.exe"
              }
            ],
            "repeated": 0,
            "id": 20679
          },
          {
            "timestamp": "2026-05-28 22:02:10,834",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29255930002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Program Files (x86)\\Steam\\bin\\cef\\cef.win64\\steamwebhelper.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 20680
          },
          {
            "timestamp": "2026-05-28 22:02:10,834",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29255930000"
              },
              {
                "name": "RegionSize",
                "value": "0x008f9000"
              }
            ],
            "repeated": 0,
            "id": 20681
          },
          {
            "timestamp": "2026-05-28 22:02:10,834",
            "thread_id": "612",
            "caller": "0x7ff6c28c9b37",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29255930002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Program Files (x86)\\Steam\\bin\\cef\\cef.win64\\steamwebhelper.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 20682
          },
          {
            "timestamp": "2026-05-28 22:02:10,834",
            "thread_id": "612",
            "caller": "0x7ff6c28c9b37",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29255930000"
              },
              {
                "name": "RegionSize",
                "value": "0x008f9000"
              }
            ],
            "repeated": 0,
            "id": 20683
          },
          {
            "timestamp": "2026-05-28 22:02:10,834",
            "thread_id": "612",
            "caller": "0x7ff6c296e129",
            "parentcaller": "0x7ff6c296c7fa",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Program Files (x86)\\Steam\\bin\\cef\\cef.win64\\steamwebhelper.exe"
              }
            ],
            "repeated": 1,
            "id": 20684
          },
          {
            "timestamp": "2026-05-28 22:02:10,834",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29255930002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Program Files (x86)\\Steam\\bin\\cef\\cef.win64\\steamwebhelper.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 20685
          },
          {
            "timestamp": "2026-05-28 22:02:10,834",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29255930000"
              },
              {
                "name": "RegionSize",
                "value": "0x008f9000"
              }
            ],
            "repeated": 0,
            "id": 20686
          },
          {
            "timestamp": "2026-05-28 22:02:10,834",
            "thread_id": "612",
            "caller": "0x7ff6c28c9b37",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29255930002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Program Files (x86)\\Steam\\bin\\cef\\cef.win64\\steamwebhelper.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 20687
          },
          {
            "timestamp": "2026-05-28 22:02:10,834",
            "thread_id": "612",
            "caller": "0x7ff6c28c9b37",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29255930000"
              },
              {
                "name": "RegionSize",
                "value": "0x008f9000"
              }
            ],
            "repeated": 0,
            "id": 20688
          },
          {
            "timestamp": "2026-05-28 22:02:10,834",
            "thread_id": "612",
            "caller": "0x7ff6c296e129",
            "parentcaller": "0x7ff6c296c7fa",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Program Files (x86)\\Steam\\bin\\cef\\cef.win64\\steamwebhelper.exe"
              }
            ],
            "repeated": 1,
            "id": 20689
          },
          {
            "timestamp": "2026-05-28 22:02:10,834",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29255930002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Program Files (x86)\\Steam\\bin\\cef\\cef.win64\\steamwebhelper.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 20690
          },
          {
            "timestamp": "2026-05-28 22:02:10,834",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29255930000"
              },
              {
                "name": "RegionSize",
                "value": "0x008f9000"
              }
            ],
            "repeated": 0,
            "id": 20691
          },
          {
            "timestamp": "2026-05-28 22:02:10,834",
            "thread_id": "612",
            "caller": "0x7ff6c28c9b37",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29255930002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Program Files (x86)\\Steam\\bin\\cef\\cef.win64\\steamwebhelper.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 20692
          },
          {
            "timestamp": "2026-05-28 22:02:10,834",
            "thread_id": "612",
            "caller": "0x7ff6c28c9b37",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29255930000"
              },
              {
                "name": "RegionSize",
                "value": "0x008f9000"
              }
            ],
            "repeated": 0,
            "id": 20693
          },
          {
            "timestamp": "2026-05-28 22:02:10,850",
            "thread_id": "612",
            "caller": "0x7ff6c296e129",
            "parentcaller": "0x7ff6c296c7fa",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Program Files (x86)\\Steam\\bin\\cef\\cef.win64\\steamwebhelper.exe"
              }
            ],
            "repeated": 1,
            "id": 20694
          },
          {
            "timestamp": "2026-05-28 22:02:10,850",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29255930002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Program Files (x86)\\Steam\\bin\\cef\\cef.win64\\steamwebhelper.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 20695
          },
          {
            "timestamp": "2026-05-28 22:02:10,850",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29255930000"
              },
              {
                "name": "RegionSize",
                "value": "0x008f9000"
              }
            ],
            "repeated": 0,
            "id": 20696
          },
          {
            "timestamp": "2026-05-28 22:02:10,850",
            "thread_id": "612",
            "caller": "0x7ff6c28c9b37",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29255930002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Program Files (x86)\\Steam\\bin\\cef\\cef.win64\\steamwebhelper.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 20697
          },
          {
            "timestamp": "2026-05-28 22:02:10,850",
            "thread_id": "612",
            "caller": "0x7ff6c28c9b37",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29255930000"
              },
              {
                "name": "RegionSize",
                "value": "0x008f9000"
              }
            ],
            "repeated": 0,
            "id": 20698
          },
          {
            "timestamp": "2026-05-28 22:02:10,850",
            "thread_id": "612",
            "caller": "0x7ff6c296e129",
            "parentcaller": "0x7ff6c296c7fa",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Program Files (x86)\\Steam\\bin\\cef\\cef.win64\\steamwebhelper.exe"
              }
            ],
            "repeated": 1,
            "id": 20699
          },
          {
            "timestamp": "2026-05-28 22:02:10,850",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29255930002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Program Files (x86)\\Steam\\bin\\cef\\cef.win64\\steamwebhelper.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 20700
          },
          {
            "timestamp": "2026-05-28 22:02:10,850",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29255930000"
              },
              {
                "name": "RegionSize",
                "value": "0x008f9000"
              }
            ],
            "repeated": 0,
            "id": 20701
          },
          {
            "timestamp": "2026-05-28 22:02:10,850",
            "thread_id": "612",
            "caller": "0x7ff6c28c9b37",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29255930002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Program Files (x86)\\Steam\\bin\\cef\\cef.win64\\steamwebhelper.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 20702
          },
          {
            "timestamp": "2026-05-28 22:02:10,850",
            "thread_id": "612",
            "caller": "0x7ff6c28c9b37",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29255930000"
              },
              {
                "name": "RegionSize",
                "value": "0x008f9000"
              }
            ],
            "repeated": 0,
            "id": 20703
          },
          {
            "timestamp": "2026-05-28 22:02:10,850",
            "thread_id": "612",
            "caller": "0x7ff6c296ec3e",
            "parentcaller": "0x7ff6c296c7ef",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254322000"
              },
              {
                "name": "RegionSize",
                "value": "0x00007000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 20704
          },
          {
            "timestamp": "2026-05-28 22:02:10,850",
            "thread_id": "612",
            "caller": "0x7ff6c296e129",
            "parentcaller": "0x7ff6c296c7fa",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Program Files (x86)\\Steam\\bin\\cef\\cef.win64\\steamwebhelper.exe"
              }
            ],
            "repeated": 1,
            "id": 20705
          },
          {
            "timestamp": "2026-05-28 22:02:10,850",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29255930002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Program Files (x86)\\Steam\\bin\\cef\\cef.win64\\steamwebhelper.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 20706
          },
          {
            "timestamp": "2026-05-28 22:02:10,850",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29255930000"
              },
              {
                "name": "RegionSize",
                "value": "0x008f9000"
              }
            ],
            "repeated": 0,
            "id": 20707
          },
          {
            "timestamp": "2026-05-28 22:02:10,850",
            "thread_id": "612",
            "caller": "0x7ff6c28c9b37",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29255930002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Program Files (x86)\\Steam\\bin\\cef\\cef.win64\\steamwebhelper.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 20708
          },
          {
            "timestamp": "2026-05-28 22:02:10,850",
            "thread_id": "612",
            "caller": "0x7ff6c28c9b37",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29255930000"
              },
              {
                "name": "RegionSize",
                "value": "0x008f9000"
              }
            ],
            "repeated": 0,
            "id": 20709
          },
          {
            "timestamp": "2026-05-28 22:02:10,850",
            "thread_id": "612",
            "caller": "0x7ff6c296e129",
            "parentcaller": "0x7ff6c296c7fa",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Program Files (x86)\\Steam\\bin\\cef\\cef.win64\\steamwebhelper.exe"
              }
            ],
            "repeated": 1,
            "id": 20710
          },
          {
            "timestamp": "2026-05-28 22:02:10,850",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29255930002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Program Files (x86)\\Steam\\bin\\cef\\cef.win64\\steamwebhelper.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 20711
          },
          {
            "timestamp": "2026-05-28 22:02:10,850",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29255930000"
              },
              {
                "name": "RegionSize",
                "value": "0x008f9000"
              }
            ],
            "repeated": 0,
            "id": 20712
          },
          {
            "timestamp": "2026-05-28 22:02:10,850",
            "thread_id": "612",
            "caller": "0x7ff6c28c9b37",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29255930002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Program Files (x86)\\Steam\\bin\\cef\\cef.win64\\steamwebhelper.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 20713
          },
          {
            "timestamp": "2026-05-28 22:02:10,850",
            "thread_id": "612",
            "caller": "0x7ff6c28c9b37",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29255930000"
              },
              {
                "name": "RegionSize",
                "value": "0x008f9000"
              }
            ],
            "repeated": 0,
            "id": 20714
          },
          {
            "timestamp": "2026-05-28 22:02:10,850",
            "thread_id": "612",
            "caller": "0x7ff6c296e129",
            "parentcaller": "0x7ff6c296c7fa",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Program Files (x86)\\Steam\\bin\\cef\\cef.win64\\steamwebhelper.exe"
              }
            ],
            "repeated": 1,
            "id": 20715
          },
          {
            "timestamp": "2026-05-28 22:02:10,850",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29255930002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Program Files (x86)\\Steam\\bin\\cef\\cef.win64\\steamwebhelper.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 20716
          },
          {
            "timestamp": "2026-05-28 22:02:10,850",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29255930000"
              },
              {
                "name": "RegionSize",
                "value": "0x008f9000"
              }
            ],
            "repeated": 0,
            "id": 20717
          },
          {
            "timestamp": "2026-05-28 22:02:10,850",
            "thread_id": "612",
            "caller": "0x7ff6c28c9b37",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29255930002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Program Files (x86)\\Steam\\bin\\cef\\cef.win64\\steamwebhelper.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 20718
          },
          {
            "timestamp": "2026-05-28 22:02:10,850",
            "thread_id": "612",
            "caller": "0x7ff6c28c9b37",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29255930000"
              },
              {
                "name": "RegionSize",
                "value": "0x008f9000"
              }
            ],
            "repeated": 0,
            "id": 20719
          },
          {
            "timestamp": "2026-05-28 22:02:10,850",
            "thread_id": "612",
            "caller": "0x7ff6c296e129",
            "parentcaller": "0x7ff6c296c7fa",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Program Files (x86)\\Steam\\bin\\cef\\cef.win64\\steamwebhelper.exe"
              }
            ],
            "repeated": 1,
            "id": 20720
          },
          {
            "timestamp": "2026-05-28 22:02:10,850",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29255930002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Program Files (x86)\\Steam\\bin\\cef\\cef.win64\\steamwebhelper.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 20721
          },
          {
            "timestamp": "2026-05-28 22:02:10,850",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29255930000"
              },
              {
                "name": "RegionSize",
                "value": "0x008f9000"
              }
            ],
            "repeated": 0,
            "id": 20722
          },
          {
            "timestamp": "2026-05-28 22:02:10,850",
            "thread_id": "612",
            "caller": "0x7ff6c28c9b37",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29255930002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Program Files (x86)\\Steam\\bin\\cef\\cef.win64\\steamwebhelper.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 20723
          },
          {
            "timestamp": "2026-05-28 22:02:10,850",
            "thread_id": "612",
            "caller": "0x7ff6c28c9b37",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29255930000"
              },
              {
                "name": "RegionSize",
                "value": "0x008f9000"
              }
            ],
            "repeated": 0,
            "id": 20724
          },
          {
            "timestamp": "2026-05-28 22:02:10,850",
            "thread_id": "612",
            "caller": "0x7ff6c296e129",
            "parentcaller": "0x7ff6c296c7fa",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Program Files (x86)\\Steam\\bin\\cef\\cef.win64\\steamwebhelper.exe"
              }
            ],
            "repeated": 0,
            "id": 20725
          },
          {
            "timestamp": "2026-05-28 22:02:10,850",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": false,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": ".\\bin\\vulkandriverquery.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 20726
          },
          {
            "timestamp": "2026-05-28 22:02:10,850",
            "thread_id": "612",
            "caller": "0x7ff6c296e129",
            "parentcaller": "0x7ff6c296c7fa",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": false,
            "return": "0xffffffffc000003a",
            "pretty_return": "OBJECT_PATH_NOT_FOUND",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\bin\\vulkandriverquery.exe"
              }
            ],
            "repeated": 0,
            "id": 20727
          },
          {
            "timestamp": "2026-05-28 22:02:10,850",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": false,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "\\??\\C:\\Windows\\system32\\conhost.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 20728
          },
          {
            "timestamp": "2026-05-28 22:02:10,850",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000aa0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\conhost.exe"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "1",
                "pretty_value": "FILE_SHARE_READ"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000080",
                "pretty_value": "FILE_ATTRIBUTE_NORMAL"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 20729
          },
          {
            "timestamp": "2026-05-28 22:02:10,850",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000aa0"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\System32\\conhost.exe"
              },
              {
                "name": "FileInformationClass",
                "value": "5",
                "pretty_value": "FileStandardInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\x00@\r\\x00\\x00\\x00\\x00\\x00\\x00<\r\\x00\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 20730
          },
          {
            "timestamp": "2026-05-28 22:02:10,850",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "filesystem",
            "api": "NtSetInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000aa0"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\System32\\conhost.exe"
              },
              {
                "name": "FileInformationClass",
                "value": "14",
                "pretty_value": "FilePositionInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 20731
          },
          {
            "timestamp": "2026-05-28 22:02:10,850",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "filesystem",
            "api": "NtReadFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000aa0"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\System32\\conhost.exe"
              },
              {
                "name": "Buffer",
                "value": "MZ"
              },
              {
                "name": "Length",
                "value": "2"
              }
            ],
            "repeated": 0,
            "id": 20732
          },
          {
            "timestamp": "2026-05-28 22:02:10,850",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "filesystem",
            "api": "NtSetInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000aa0"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\System32\\conhost.exe"
              },
              {
                "name": "FileInformationClass",
                "value": "14",
                "pretty_value": "FilePositionInformation"
              },
              {
                "name": "FileInformation",
                "value": "<\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 20733
          },
          {
            "timestamp": "2026-05-28 22:02:10,850",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "filesystem",
            "api": "NtReadFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000aa0"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\System32\\conhost.exe"
              },
              {
                "name": "Buffer",
                "value": "\\xf0\\x00\\x00\\x00"
              },
              {
                "name": "Length",
                "value": "4"
              }
            ],
            "repeated": 0,
            "id": 20734
          },
          {
            "timestamp": "2026-05-28 22:02:10,850",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "filesystem",
            "api": "NtSetInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000aa0"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\System32\\conhost.exe"
              },
              {
                "name": "FileInformationClass",
                "value": "14",
                "pretty_value": "FilePositionInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 20735
          },
          {
            "timestamp": "2026-05-28 22:02:10,850",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "filesystem",
            "api": "NtReadFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000aa0"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\System32\\conhost.exe"
              },
              {
                "name": "Buffer",
                "value": "PE\\x00\\x00d\\x86\\x07\\x00\\xdc6\\xe4/\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xf0\\x00\"\\x00\\x0b\\x02\\x0e\\x14\\x00\\xa2\t\\x00\\x00\\xcc\\x03\\x00\\x00\\x00\\x00\\x00P\\xf7\\x01\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00@\\x01\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x02\\x00\\x00"
              },
              {
                "name": "Length",
                "value": "64"
              }
            ],
            "repeated": 0,
            "id": 20736
          },
          {
            "timestamp": "2026-05-28 22:02:10,850",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000aa0"
              }
            ],
            "repeated": 0,
            "id": 20737
          },
          {
            "timestamp": "2026-05-28 22:02:10,850",
            "thread_id": "612",
            "caller": "0x7ff6c296e129",
            "parentcaller": "0x7ff6c296c7fa",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\conhost.exe"
              }
            ],
            "repeated": 0,
            "id": 20738
          },
          {
            "timestamp": "2026-05-28 22:02:10,850",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": false,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": ".\\bin\\gldriverquery64.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 20739
          },
          {
            "timestamp": "2026-05-28 22:02:10,850",
            "thread_id": "612",
            "caller": "0x7ff6c296e129",
            "parentcaller": "0x7ff6c296c7fa",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": false,
            "return": "0xffffffffc000003a",
            "pretty_return": "OBJECT_PATH_NOT_FOUND",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\bin\\gldriverquery64.exe"
              }
            ],
            "repeated": 0,
            "id": 20740
          },
          {
            "timestamp": "2026-05-28 22:02:10,850",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": false,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": ".\\bin\\gldriverquery.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 20741
          },
          {
            "timestamp": "2026-05-28 22:02:10,850",
            "thread_id": "612",
            "caller": "0x7ff6c296e129",
            "parentcaller": "0x7ff6c296c7fa",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": false,
            "return": "0xffffffffc000003a",
            "pretty_return": "OBJECT_PATH_NOT_FOUND",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\bin\\gldriverquery.exe"
              }
            ],
            "repeated": 0,
            "id": 20742
          },
          {
            "timestamp": "2026-05-28 22:02:10,850",
            "thread_id": "612",
            "caller": "0x7ff6c290bbeb",
            "parentcaller": "0x7ff6c296c7b4",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Program Files (x86)\\Steam\\steamsysinfo.exe"
              }
            ],
            "repeated": 0,
            "id": 20743
          },
          {
            "timestamp": "2026-05-28 22:02:10,850",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29251520002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Program Files (x86)\\Steam\\steamsysinfo.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 20744
          },
          {
            "timestamp": "2026-05-28 22:02:10,850",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29251520000"
              },
              {
                "name": "RegionSize",
                "value": "0x00149000"
              }
            ],
            "repeated": 0,
            "id": 20745
          },
          {
            "timestamp": "2026-05-28 22:02:10,850",
            "thread_id": "612",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000001",
                "pretty_value": "HKEY_CURRENT_USER"
              },
              {
                "name": "SubKey",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume"
              },
              {
                "name": "Handle",
                "value": "0x00000aa0"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume"
              }
            ],
            "repeated": 0,
            "id": 20746
          },
          {
            "timestamp": "2026-05-28 22:02:10,850",
            "thread_id": "612",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000aa0"
              },
              {
                "name": "SubKey",
                "value": "{528c102f-0000-0000-0000-300300000000}\\"
              },
              {
                "name": "Handle",
                "value": "0x00000ab0"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{528c102f-0000-0000-0000-300300000000}\\"
              }
            ],
            "repeated": 0,
            "id": 20747
          },
          {
            "timestamp": "2026-05-28 22:02:10,850",
            "thread_id": "612",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000aa0"
              }
            ],
            "repeated": 0,
            "id": 20748
          },
          {
            "timestamp": "2026-05-28 22:02:10,850",
            "thread_id": "612",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000ab0"
              },
              {
                "name": "ValueName",
                "value": "Generation"
              },
              {
                "name": "Data",
                "value": "1"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{528c102f-0000-0000-0000-300300000000}\\Generation"
              }
            ],
            "repeated": 0,
            "id": 20749
          },
          {
            "timestamp": "2026-05-28 22:02:10,850",
            "thread_id": "612",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000ab0"
              }
            ],
            "repeated": 0,
            "id": 20750
          },
          {
            "timestamp": "2026-05-28 22:02:10,850",
            "thread_id": "612",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000ab0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100081",
                "pretty_value": "FILE_READ_ACCESS|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 20751
          },
          {
            "timestamp": "2026-05-28 22:02:10,850",
            "thread_id": "612",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": false,
            "return": "0xffffffffc000000d",
            "pretty_return": "INVALID_PARAMETER",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000ab0"
              },
              {
                "name": "HandleName",
                "value": "C:\\"
              },
              {
                "name": "FileInformationClass",
                "value": "55",
                "pretty_value": "FileReplaceCompletionInformation"
              },
              {
                "name": "FileInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 20752
          },
          {
            "timestamp": "2026-05-28 22:02:10,850",
            "thread_id": "612",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "filesystem",
            "api": "NtQueryDirectoryFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000ab0"
              },
              {
                "name": "FileInformation",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xbeAb\\xc8\\xde\\xac\\xd5\\x01\\x9e\\x9a\\x01\\xc8\\xea\\xee\\xdc\\x01\\xb2\\x020C\\x00\\xef\\xdc\\x01\\xb2\\x020C\\x00\\xef\\xdc\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x11\\x00\\x00\\x00&\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00P\\x00R\\x00O\\x00G\\x00R\\x00A\\x00~\\x002\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xc9\\x04\\x00\\x00\\x00\\x00\\x01\\x00P\\x00r\\x00o\\x00g\\x00r\\x00a\\x00m\\x00 \\x00F\\x00i\\x00l\\x00e\\x00s\\x00 \\x00(\\x00x\\x008\\x006\\x00)\\x00"
              },
              {
                "name": "FileName",
                "value": "C:\\Program Files (x86)"
              },
              {
                "name": "FileInformationClass",
                "value": "37",
                "pretty_value": "FileIdBothDirectoryInformation"
              }
            ],
            "repeated": 0,
            "id": 20753
          },
          {
            "timestamp": "2026-05-28 22:02:10,850",
            "thread_id": "612",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000ab0"
              }
            ],
            "repeated": 0,
            "id": 20754
          },
          {
            "timestamp": "2026-05-28 22:02:10,850",
            "thread_id": "612",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 20755
          },
          {
            "timestamp": "2026-05-28 22:02:10,850",
            "thread_id": "612",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000ab0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100081",
                "pretty_value": "FILE_READ_ACCESS|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Program Files (x86)"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 20756
          },
          {
            "timestamp": "2026-05-28 22:02:10,850",
            "thread_id": "612",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": false,
            "return": "0xffffffffc000000d",
            "pretty_return": "INVALID_PARAMETER",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000ab0"
              },
              {
                "name": "HandleName",
                "value": "C:\\Program Files (x86)"
              },
              {
                "name": "FileInformationClass",
                "value": "55",
                "pretty_value": "FileReplaceCompletionInformation"
              },
              {
                "name": "FileInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 20757
          },
          {
            "timestamp": "2026-05-28 22:02:10,850",
            "thread_id": "612",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "filesystem",
            "api": "NtQueryDirectoryFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000ab0"
              },
              {
                "name": "FileInformation",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb2\\x020C\\x00\\xef\\xdc\\x01t \\x17\\xa2\\xed\\xee\\xdc\\x01%\r\\xe5\\xa0\\xed\\xee\\xdc\\x01%\r\\xe5\\xa0\\xed\\xee\\xdc\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\n\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x1d\\xf7\\x01\\x00\\x00\\x00\\x02\\x00S\\x00t\\x00e\\x00a\\x00m\\x00"
              },
              {
                "name": "FileName",
                "value": "C:\\Program Files (x86)\\Steam"
              },
              {
                "name": "FileInformationClass",
                "value": "37",
                "pretty_value": "FileIdBothDirectoryInformation"
              }
            ],
            "repeated": 0,
            "id": 20758
          },
          {
            "timestamp": "2026-05-28 22:02:10,850",
            "thread_id": "612",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000ab0"
              }
            ],
            "repeated": 0,
            "id": 20759
          },
          {
            "timestamp": "2026-05-28 22:02:10,850",
            "thread_id": "612",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 20760
          },
          {
            "timestamp": "2026-05-28 22:02:10,850",
            "thread_id": "612",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000ab0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100081",
                "pretty_value": "FILE_READ_ACCESS|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Program Files (x86)\\Steam"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 20761
          },
          {
            "timestamp": "2026-05-28 22:02:10,850",
            "thread_id": "612",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": false,
            "return": "0xffffffffc000000d",
            "pretty_return": "INVALID_PARAMETER",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000ab0"
              },
              {
                "name": "HandleName",
                "value": "C:\\Program Files (x86)\\Steam"
              },
              {
                "name": "FileInformationClass",
                "value": "55",
                "pretty_value": "FileReplaceCompletionInformation"
              },
              {
                "name": "FileInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 20762
          },
          {
            "timestamp": "2026-05-28 22:02:10,850",
            "thread_id": "612",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "filesystem",
            "api": "NtQueryDirectoryFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000ab0"
              },
              {
                "name": "FileInformation",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xe1T\\xbaK\\x00\\xef\\xdc\\x01&\\xe9\\x1c&\\xeb\\xee\\xdc\\x01\\x00ro\\x15(\\xee\\xdc\\x01\\x06K,d\\x00\\xef\\xdc\\x01\\x98\\xfe\\x13\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x14\\x00\\x00\\x00\\x00\\x00 \\x00\\x00\\x00 \\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x18\\x00S\\x00T\\x00E\\x00A\\x00M\\x00S\\x00~\\x001\\x00.\\x00E\\x00X\\x00E\\x00\\x00\\x00-)\\x02\\x00\\x00\\x00\\x01\\x00s\\x00t\\x00e\\x00a\\x00m\\x00s\\x00y\\x00s\\x00i\\x00n\\x00f\\x00o\\x00.\\x00e\\x00x\\x00e\\x00"
              },
              {
                "name": "FileName",
                "value": "C:\\Program Files (x86)\\Steam\\steamsysinfo.exe"
              },
              {
                "name": "FileInformationClass",
                "value": "37",
                "pretty_value": "FileIdBothDirectoryInformation"
              }
            ],
            "repeated": 0,
            "id": 20763
          },
          {
            "timestamp": "2026-05-28 22:02:10,850",
            "thread_id": "612",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000ab0"
              }
            ],
            "repeated": 0,
            "id": 20764
          },
          {
            "timestamp": "2026-05-28 22:02:10,850",
            "thread_id": "612",
            "caller": "0x7ff6c296e129",
            "parentcaller": "0x7ff6c296c7fa",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Program Files (x86)\\Steam\\steamsysinfo.exe"
              }
            ],
            "repeated": 0,
            "id": 20765
          },
          {
            "timestamp": "2026-05-28 22:02:10,850",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": false,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "\\??\\C:\\Windows\\system32\\conhost.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 20766
          },
          {
            "timestamp": "2026-05-28 22:02:10,850",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000ab0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\conhost.exe"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "1",
                "pretty_value": "FILE_SHARE_READ"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000080",
                "pretty_value": "FILE_ATTRIBUTE_NORMAL"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 20767
          },
          {
            "timestamp": "2026-05-28 22:02:10,850",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000ab0"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\System32\\conhost.exe"
              },
              {
                "name": "FileInformationClass",
                "value": "5",
                "pretty_value": "FileStandardInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\x00@\r\\x00\\x00\\x00\\x00\\x00\\x00<\r\\x00\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 20768
          },
          {
            "timestamp": "2026-05-28 22:02:10,850",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "filesystem",
            "api": "NtSetInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000ab0"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\System32\\conhost.exe"
              },
              {
                "name": "FileInformationClass",
                "value": "14",
                "pretty_value": "FilePositionInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 20769
          },
          {
            "timestamp": "2026-05-28 22:02:10,850",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "filesystem",
            "api": "NtReadFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000ab0"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\System32\\conhost.exe"
              },
              {
                "name": "Buffer",
                "value": "MZ"
              },
              {
                "name": "Length",
                "value": "2"
              }
            ],
            "repeated": 0,
            "id": 20770
          },
          {
            "timestamp": "2026-05-28 22:02:10,850",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "filesystem",
            "api": "NtSetInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000ab0"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\System32\\conhost.exe"
              },
              {
                "name": "FileInformationClass",
                "value": "14",
                "pretty_value": "FilePositionInformation"
              },
              {
                "name": "FileInformation",
                "value": "<\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 20771
          },
          {
            "timestamp": "2026-05-28 22:02:10,850",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "filesystem",
            "api": "NtReadFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000ab0"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\System32\\conhost.exe"
              },
              {
                "name": "Buffer",
                "value": "\\xf0\\x00\\x00\\x00"
              },
              {
                "name": "Length",
                "value": "4"
              }
            ],
            "repeated": 0,
            "id": 20772
          },
          {
            "timestamp": "2026-05-28 22:02:10,850",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "filesystem",
            "api": "NtSetInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000ab0"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\System32\\conhost.exe"
              },
              {
                "name": "FileInformationClass",
                "value": "14",
                "pretty_value": "FilePositionInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 20773
          },
          {
            "timestamp": "2026-05-28 22:02:10,850",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "filesystem",
            "api": "NtReadFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000ab0"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\System32\\conhost.exe"
              },
              {
                "name": "Buffer",
                "value": "PE\\x00\\x00d\\x86\\x07\\x00\\xdc6\\xe4/\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xf0\\x00\"\\x00\\x0b\\x02\\x0e\\x14\\x00\\xa2\t\\x00\\x00\\xcc\\x03\\x00\\x00\\x00\\x00\\x00P\\xf7\\x01\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00@\\x01\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x02\\x00\\x00"
              },
              {
                "name": "Length",
                "value": "64"
              }
            ],
            "repeated": 0,
            "id": 20774
          },
          {
            "timestamp": "2026-05-28 22:02:10,850",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000ab0"
              }
            ],
            "repeated": 0,
            "id": 20775
          },
          {
            "timestamp": "2026-05-28 22:02:10,850",
            "thread_id": "612",
            "caller": "0x7ff6c296e129",
            "parentcaller": "0x7ff6c296c7fa",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\conhost.exe"
              }
            ],
            "repeated": 0,
            "id": 20776
          },
          {
            "timestamp": "2026-05-28 22:02:10,850",
            "thread_id": "612",
            "caller": "0x7ff6c290d36c",
            "parentcaller": "0x7ff6c296c16e",
            "category": "registry",
            "api": "RegEnumValueW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a84"
              },
              {
                "name": "Index",
                "value": "3"
              },
              {
                "name": "ValueName",
                "value": "MicrosoftEdgeAutoLaunch_29EBC4579851B72EE312C449CF839B1A"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "DataLength",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\MicrosoftEdgeAutoLaunch_29EBC4579851B72EE312C449CF839B1A"
              }
            ],
            "repeated": 0,
            "id": 20777
          },
          {
            "timestamp": "2026-05-28 22:02:10,850",
            "thread_id": "612",
            "caller": "0x7ff6c290d20b",
            "parentcaller": "0x7ff6c296c1bd",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a84"
              },
              {
                "name": "ValueName",
                "value": "MicrosoftEdgeAutoLaunch_29EBC4579851B72EE312C449CF839B1A"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\MicrosoftEdgeAutoLaunch_29EBC4579851B72EE312C449CF839B1A"
              }
            ],
            "repeated": 0,
            "id": 20778
          },
          {
            "timestamp": "2026-05-28 22:02:10,850",
            "thread_id": "612",
            "caller": "0x7ff6c290d2e0",
            "parentcaller": "0x7ff6c296c1bd",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a84"
              },
              {
                "name": "ValueName",
                "value": "MicrosoftEdgeAutoLaunch_29EBC4579851B72EE312C449CF839B1A"
              },
              {
                "name": "Data",
                "value": "\"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe\" --no-startup-window --win-session-start"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\MicrosoftEdgeAutoLaunch_29EBC4579851B72EE312C449CF839B1A"
              }
            ],
            "repeated": 0,
            "id": 20779
          },
          {
            "timestamp": "2026-05-28 22:02:10,850",
            "thread_id": "612",
            "caller": "0x7ff6c296abc5",
            "parentcaller": "0x7ff6c296e244",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000057c"
              },
              {
                "name": "ValueName",
                "value": "MicrosoftEdgeAutoLaunch_29EBC4579851B72EE312C449CF839B1A"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\StartupApproved\\Run\\MicrosoftEdgeAutoLaunch_29EBC4579851B72EE312C449CF839B1A"
              }
            ],
            "repeated": 0,
            "id": 20780
          },
          {
            "timestamp": "2026-05-28 22:02:10,850",
            "thread_id": "612",
            "caller": "0x7ff6c290bbeb",
            "parentcaller": "0x7ff6c296cf53",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe"
              }
            ],
            "repeated": 0,
            "id": 20781
          },
          {
            "timestamp": "2026-05-28 22:02:10,850",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29251520002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 20782
          },
          {
            "timestamp": "2026-05-28 22:02:10,850",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29251520000"
              },
              {
                "name": "RegionSize",
                "value": "0x00505000"
              }
            ],
            "repeated": 0,
            "id": 20783
          },
          {
            "timestamp": "2026-05-28 22:02:10,850",
            "thread_id": "612",
            "caller": "0x7ff6c28c9b37",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29251520002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 20784
          },
          {
            "timestamp": "2026-05-28 22:02:10,850",
            "thread_id": "612",
            "caller": "0x7ff6c28c9b37",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29251520000"
              },
              {
                "name": "RegionSize",
                "value": "0x00505000"
              }
            ],
            "repeated": 0,
            "id": 20785
          },
          {
            "timestamp": "2026-05-28 22:02:10,850",
            "thread_id": "612",
            "caller": "0x7ff6c296e129",
            "parentcaller": "0x7ff6c296d3aa",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe"
              }
            ],
            "repeated": 0,
            "id": 20786
          },
          {
            "timestamp": "2026-05-28 22:02:10,850",
            "thread_id": "612",
            "caller": "0x7ff6c28f7900",
            "parentcaller": "0x7ff6c296c4b1",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a84"
              }
            ],
            "repeated": 0,
            "id": 20787
          },
          {
            "timestamp": "2026-05-28 22:02:10,850",
            "thread_id": "612",
            "caller": "0x7ff6c296c455",
            "parentcaller": "0x7ff6c296e63c",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "Software\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Run"
              },
              {
                "name": "Handle",
                "value": "0x00000a84"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Run"
              }
            ],
            "repeated": 0,
            "id": 20788
          },
          {
            "timestamp": "2026-05-28 22:02:10,850",
            "thread_id": "612",
            "caller": "0x7ff6c296c0df",
            "parentcaller": "0x7ff6c296c48a",
            "category": "registry",
            "api": "RegQueryInfoKeyW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000a84"
              },
              {
                "name": "Class",
                "value": ""
              },
              {
                "name": "SubKeyCount",
                "value": "0"
              },
              {
                "name": "MaxSubKeyLength",
                "value": "0"
              },
              {
                "name": "MaxClassLength",
                "value": "0"
              },
              {
                "name": "ValueCount",
                "value": "0"
              },
              {
                "name": "MaxValueNameLength",
                "value": "0"
              },
              {
                "name": "MaxValueLength",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 20789
          },
          {
            "timestamp": "2026-05-28 22:02:10,850",
            "thread_id": "612",
            "caller": "0x7ff6c28f7900",
            "parentcaller": "0x7ff6c296c4b1",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a84"
              }
            ],
            "repeated": 0,
            "id": 20790
          },
          {
            "timestamp": "2026-05-28 22:02:10,850",
            "thread_id": "612",
            "caller": "0x7ff6c2969cb5",
            "parentcaller": "0x7ff6c296bdac",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0000000a"
              },
              {
                "name": "TokenHandle",
                "value": "0x00000a84"
              }
            ],
            "repeated": 0,
            "id": 20791
          },
          {
            "timestamp": "2026-05-28 22:02:10,850",
            "thread_id": "612",
            "caller": "0x7ff6c2969cb5",
            "parentcaller": "0x7ff6c296bdac",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a84"
              }
            ],
            "repeated": 0,
            "id": 20792
          },
          {
            "timestamp": "2026-05-28 22:02:10,850",
            "thread_id": "612",
            "caller": "0x7ff6c2969cb5",
            "parentcaller": "0x7ff6c296bdac",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000a84"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80000000",
                "pretty_value": "0x80000000"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Microsoft\\SecurityManager\\AdminCapabilities"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\SecurityManager\\AdminCapabilities"
              }
            ],
            "repeated": 0,
            "id": 20793
          },
          {
            "timestamp": "2026-05-28 22:02:10,850",
            "thread_id": "612",
            "caller": "0x7ff6c2969cb5",
            "parentcaller": "0x7ff6c296bdac",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "P\\xf2\\xff\\x9d\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xfc\\x7f\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\xe9\\x03\\x00\\x00 \\x02\\x00\\x00\\xcc\\xabE\\x83K\\x87\\x085\\xde\\x03\\x85\\x97Bd\\x958\\x98\\x1cd{b\\xa4\\xe7M\\xfeUia\\x00\\x00\\x18\\x00\\x01\\x00\\x00\\x00\\x01\\x02\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 20794
          },
          {
            "timestamp": "2026-05-28 22:02:10,850",
            "thread_id": "612",
            "caller": "0x7ff6c2969cb5",
            "parentcaller": "0x7ff6c296bdac",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a84"
              }
            ],
            "repeated": 0,
            "id": 20795
          },
          {
            "timestamp": "2026-05-28 22:02:10,850",
            "thread_id": "612",
            "caller": "0x7ff6c2969cb5",
            "parentcaller": "0x7ff6c296bdac",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000ab0"
              }
            ],
            "repeated": 0,
            "id": 20796
          },
          {
            "timestamp": "2026-05-28 22:02:10,850",
            "thread_id": "612",
            "caller": "0x7ff6c2969cb5",
            "parentcaller": "0x7ff6c296bdac",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0000000a"
              },
              {
                "name": "TokenHandle",
                "value": "0x00000ab0"
              }
            ],
            "repeated": 0,
            "id": 20797
          },
          {
            "timestamp": "2026-05-28 22:02:10,850",
            "thread_id": "612",
            "caller": "0x7ff6c2969cb5",
            "parentcaller": "0x7ff6c296bdac",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000ab0"
              }
            ],
            "repeated": 0,
            "id": 20798
          },
          {
            "timestamp": "2026-05-28 22:02:10,850",
            "thread_id": "612",
            "caller": "0x7ff6c2969cb5",
            "parentcaller": "0x7ff6c296bdac",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000ab0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80000000",
                "pretty_value": "0x80000000"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Microsoft\\SecurityManager\\AdminCapabilities"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\SecurityManager\\AdminCapabilities"
              }
            ],
            "repeated": 0,
            "id": 20799
          },
          {
            "timestamp": "2026-05-28 22:02:10,850",
            "thread_id": "612",
            "caller": "0x7ff6c2969cb5",
            "parentcaller": "0x7ff6c296bdac",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\x10\\xf2\\xff\\x9d\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xfc\\x7f\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\xe9\\x03\\x00\\x00 \\x02\\x00\\x00\\xcc\\xabE\\x83K\\x87\\x085\\xde\\x03\\x85\\x97Bd\\x958\\x98\\x1cd{b\\xa4\\xe7M\\xfeUia\\x00\\x00\\x18\\x00\\x01\\x00\\x00\\x00\\x01\\x02\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 20800
          },
          {
            "timestamp": "2026-05-28 22:02:10,850",
            "thread_id": "612",
            "caller": "0x7ff6c2969cb5",
            "parentcaller": "0x7ff6c296bdac",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000ab0"
              }
            ],
            "repeated": 0,
            "id": 20801
          },
          {
            "timestamp": "2026-05-28 22:02:10,850",
            "thread_id": "612",
            "caller": "0x7ff6c2969cb5",
            "parentcaller": "0x7ff6c296bdac",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a84"
              }
            ],
            "repeated": 0,
            "id": 20802
          },
          {
            "timestamp": "2026-05-28 22:02:10,850",
            "thread_id": "612",
            "caller": "0x7ff6c2969cb5",
            "parentcaller": "0x7ff6c296bdac",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "0",
                "pretty_value": "ThreadBasicInformation"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x03\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00p\\x87\\x9d\\xf0\\x00\\x00\\x00\\xe8\\x1e\\x00\\x00\\x00\\x00\\x00\\x00d\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x0b\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "612"
              }
            ],
            "repeated": 0,
            "id": 20803
          },
          {
            "timestamp": "2026-05-28 22:02:10,865",
            "thread_id": "3700",
            "caller": "0x7ffc7571ebae",
            "parentcaller": "0x7ffc775f84de",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "0",
                "pretty_value": "ThreadBasicInformation"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x03\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xf0\\x87\\x9d\\xf0\\x00\\x00\\x00\\xe8\\x1e\\x00\\x00\\x00\\x00\\x00\\x00t\\x0e\\x00\\x00\\x00\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x0b\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "3700"
              }
            ],
            "repeated": 0,
            "id": 20804
          },
          {
            "timestamp": "2026-05-28 22:02:10,975",
            "thread_id": "1496",
            "caller": "0x7ff6c290e50e",
            "parentcaller": "0x7ff6c28f74fc",
            "category": "synchronization",
            "api": "NtOpenEvent",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "Handle",
                "value": "0xf09d76f320"
              },
              {
                "name": "EventName",
                "value": "Local\\1ImmersiveFocusTrackingActiveEvent"
              }
            ],
            "repeated": 0,
            "id": 20805
          },
          {
            "timestamp": "2026-05-28 22:02:11,100",
            "thread_id": "3700",
            "caller": "0x7ffc77be92b9",
            "parentcaller": "0x7ffc77c2224d",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "00000339-0000-0000-C000-000000000046"
              },
              {
                "name": "ClsContext",
                "value": "0x00000403",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER|CLSCTX_NO_CODE_DOWNLOAD"
              },
              {
                "name": "riid",
                "value": "00000003-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 1,
            "id": 20806
          },
          {
            "timestamp": "2026-05-28 22:02:11,100",
            "thread_id": "612",
            "caller": "0x7ff6c29692cf",
            "parentcaller": "0x7ff6c296ccf0",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a84"
              }
            ],
            "repeated": 0,
            "id": 20807
          },
          {
            "timestamp": "2026-05-28 22:02:11,100",
            "thread_id": "612",
            "caller": "0x7ff6c28fed47",
            "parentcaller": "0x7ff6c28de10c",
            "category": "registry",
            "api": "RegNotifyChangeKeyValue",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\"
              },
              {
                "name": "NotifyFilter",
                "value": "0x00000005"
              },
              {
                "name": "WatchSubtree",
                "value": "1"
              },
              {
                "name": "Asynchronous",
                "value": "1"
              }
            ],
            "repeated": 0,
            "id": 20808
          },
          {
            "timestamp": "2026-05-28 22:02:11,100",
            "thread_id": "3700",
            "caller": "0x7ffc7571ebae",
            "parentcaller": "0x7ffc775c712f",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "0",
                "pretty_value": "ThreadBasicInformation"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x03\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xf0\\x87\\x9d\\xf0\\x00\\x00\\x00\\xe8\\x1e\\x00\\x00\\x00\\x00\\x00\\x00t\\x0e\\x00\\x00\\x00\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\t\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "3700"
              }
            ],
            "repeated": 0,
            "id": 20809
          },
          {
            "timestamp": "2026-05-28 22:02:11,381",
            "thread_id": "5448",
            "caller": "0x7ff6c28bd9af",
            "parentcaller": "0x7ff6c28d9f92",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "23"
              },
              {
                "name": "ThreadInformation",
                "value": "<M\\xd1[\\x00\\x00\\x00\\x00\\x0c$\\xe7\\x00K\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "5448"
              }
            ],
            "repeated": 0,
            "id": 20810
          },
          {
            "timestamp": "2026-05-28 22:02:11,381",
            "thread_id": "5448",
            "caller": "0x7ff6c28c63dd",
            "parentcaller": "0x7ff6c28bac26",
            "category": "misc",
            "api": "NtQuerySystemInformation",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SystemInformationClass",
                "value": "5",
                "pretty_value": "SystemProcessInformation"
              }
            ],
            "repeated": 0,
            "id": 20811
          },
          {
            "timestamp": "2026-05-28 22:02:11,381",
            "thread_id": "5448",
            "caller": "0x7ff6c28bda50",
            "parentcaller": "0x7ff6c28d9f92",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "23"
              },
              {
                "name": "ThreadInformation",
                "value": "\\xf4\\xa6\\x12\\\\x00\\x00\\x00\\x00\\x92_*\\x01K\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "5448"
              }
            ],
            "repeated": 0,
            "id": 20812
          },
          {
            "timestamp": "2026-05-28 22:02:11,381",
            "thread_id": "5448",
            "caller": "0x7ff6c28bdaa2",
            "parentcaller": "0x7ff6c28d9f92",
            "category": "misc",
            "api": "NtQuerySystemInformation",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SystemInformationClass",
                "value": "3",
                "pretty_value": "SystemTimeOfDayInformation"
              }
            ],
            "repeated": 0,
            "id": 20813
          },
          {
            "timestamp": "2026-05-28 22:02:11,381",
            "thread_id": "5448",
            "caller": "0x7ff6c28c4a58",
            "parentcaller": "0x7ff6c28c4bdc",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000410"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\PcwDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00224013"
              },
              {
                "name": "InputBuffer",
                "value": "\\x14\\x04\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": "\\xb8\\x01\\x00\\x00\\x10\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xa8\\x01\\x00\\x00 \\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x000\\x00\\x00\\x0c\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00`\\x00\\x00\\x00\\x00\\x00\\x00\\x00 \\x00\\x00\\x00\\x04\\x00\\x00\\x000\\x00,\\x000\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x04\\x00\\x08\\x00H\\xfa{\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x05\\x00\\x08\\x00\\x8c\\xb3x\\x01\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x1a\\x00\\x08\\x00d\\xd5\\x9b\\x99\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x1b\\x00\\x04\\x00\\x1bH\r\\x03\\x00\\x00\\x00\\x00`\\x00\\x00\\x00\\x01\\x00\\x00\\x00 \\x00\\x00\\x00\\x04\\x00\\x00\\x000\\x00,\\x001\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x04\\x00\\x08\\x00\\xdefK\\x01\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x05\\x00\\x08\\x00\\x1cN\\x0e\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x1a\\x00\\x08\\x00\\xa0\\x9e\\xce\\x98\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x1b\\x00\\x04\\x00\"H\r\\x03\\x00\\x00\\x00\\x00h\\x00\\x00\\x00\\x02\\x00\\x00\\x00(\\x00\\x00\\x00\\x04\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 20814
          },
          {
            "timestamp": "2026-05-28 22:02:11,381",
            "thread_id": "5448",
            "caller": "0x7ff6c28c4a58",
            "parentcaller": "0x7ff6c28c4c19",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000410"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\PcwDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00224013"
              },
              {
                "name": "InputBuffer",
                "value": "\\x18\\x04\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": "x\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00h\\x00\\x00\\x00 \\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00H\\x00\\x00\\x00\\x00\\x00\\x00\\x00(\\x00\\x00\\x00\\x02\\x00\\x00\\x00d\\x00e\\x00f\\x00a\\x00u\\x00l\\x00t\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x08\\x00\\x1b\\xd8\\x17\\xa0\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x01\\x00\\x08\\x00\\x00~\\xfa\n\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 20815
          },
          {
            "timestamp": "2026-05-28 22:02:11,381",
            "thread_id": "5448",
            "caller": "0x7ff6c28c6f7b",
            "parentcaller": "0x7ff6c28bdb94",
            "category": "misc",
            "api": "GlobalMemoryStatusEx",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "MemoryLoad",
                "value": "36"
              },
              {
                "name": "TotalPhysicalMB",
                "value": "8191"
              }
            ],
            "repeated": 0,
            "id": 20816
          },
          {
            "timestamp": "2026-05-28 22:02:11,381",
            "thread_id": "5448",
            "caller": "0x7ff6c28c05ac",
            "parentcaller": "0x7ff6c28bdc11",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a84"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001400",
                "pretty_value": "PROCESS_QUERY_INFORMATION|PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "748"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe"
              }
            ],
            "repeated": 0,
            "id": 20817
          },
          {
            "timestamp": "2026-05-28 22:02:11,381",
            "thread_id": "5448",
            "caller": "0x7ff6c28c068f",
            "parentcaller": "0x7ff6c28bdc11",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a84"
              }
            ],
            "repeated": 0,
            "id": 20818
          },
          {
            "timestamp": "2026-05-28 22:02:11,381",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c6d7d",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a84"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001400",
                "pretty_value": "PROCESS_QUERY_INFORMATION|PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "748"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe"
              }
            ],
            "repeated": 0,
            "id": 20819
          },
          {
            "timestamp": "2026-05-28 22:02:11,381",
            "thread_id": "5448",
            "caller": "0x7ff6c28c6de3",
            "parentcaller": "0x7ff6c28c087c",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a84"
              }
            ],
            "repeated": 0,
            "id": 20820
          },
          {
            "timestamp": "2026-05-28 22:02:11,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28c4a58",
            "parentcaller": "0x7ff6c28bab11",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000410"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\PcwDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00224013"
              },
              {
                "name": "InputBuffer",
                "value": "\\x88\\x08\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": "x\\x02\\x00\\x00\\x10\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00h\\x02\\x00\\x00 \\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01<\\x06\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x90\\x00\\x00\\x00\\x00\\x00\\x00\\x00 \\x00\\x00\\x00\\x07\\x00\\x00\\x000\\x00,\\x000\\x00\\x00\\x00a\\x00n\\x00a\\x00g\\x00\\x10\\x00\\x00\\x00\\x10\\x00\\x04\\x00\\x00\\x00\\x00\\x00A\\x00p\\x00\\x10\\x00\\x00\\x00\\x1a\\x00\\x08\\x00I3\\x9c\\x99\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x1b\\x00\\x04\\x00\\x0cI\r\\x03S\\x00e\\x00\\x10\\x00\\x00\\x00\\x1c\\x00\\x08\\x00\\x8b\\xc2\\xc4\\x08\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x1d\\x00\\x04\\x00\\x0cI\r\\x03)\\x00\\x00\\x00\\x10\\x00\\x00\\x00!\\x00\\x08\\x00Q\\x06\\x12\\x1e\\x16\\x00\\x00\\x00\\x10\\x00\\x00\\x00\"\\x00\\x04\\x00\\xf4=\\x89\\x01o\\x00f\\x00\\x90\\x00\\x00\\x00\\x01\\x00\\x00\\x00 \\x00\\x00\\x00\\x07\\x00\\x00\\x000\\x00,\\x001\\x00\\x00\\x00n\\x00t\\x00\\x00\\x00A\\x00\\x10\\x00\\x00\\x00\\x10\\x00\\x04\\x00\\x00\\x00\\x00\\x00e\\x00n\\x00\\x10\\x00\\x00\\x00\\x1a\\x00\\x08\\x00B\\x03\\xcf\\x98\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 20821
          },
          {
            "timestamp": "2026-05-28 22:02:11,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28c7164",
            "parentcaller": "0x7ff6c28c4d2d",
            "category": "misc",
            "api": "NtQuerySystemInformation",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "SystemInformationClass",
                "value": "79"
              }
            ],
            "repeated": 0,
            "id": 20822
          },
          {
            "timestamp": "2026-05-28 22:02:11,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28c71d8",
            "parentcaller": "0x7ff6c28c4d2d",
            "category": "misc",
            "api": "NtQuerySystemInformation",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SystemInformationClass",
                "value": "79"
              }
            ],
            "repeated": 0,
            "id": 20823
          },
          {
            "timestamp": "2026-05-28 22:02:11,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28c4d5f",
            "parentcaller": "0x7ff6c28d9152",
            "category": "misc",
            "api": "NtQuerySystemInformation",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SystemInformationClass",
                "value": "182"
              }
            ],
            "repeated": 0,
            "id": 20824
          },
          {
            "timestamp": "2026-05-28 22:02:11,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28c4d76",
            "parentcaller": "0x7ff6c28d9152",
            "category": "misc",
            "api": "GetPhysicallyInstalledSystemMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TotalMemoryInKilobytes",
                "value": "8388608"
              }
            ],
            "repeated": 0,
            "id": 20825
          },
          {
            "timestamp": "2026-05-28 22:02:11,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28bcc3e",
            "parentcaller": "0x7ff6c28baa3d",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000008a4"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\Nsi"
              },
              {
                "name": "IoControlCode",
                "value": "0x00120007"
              },
              {
                "name": "InputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb1\\xa9t\\xfc\\x7f\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xc0\\xe5O\\x9e\\xf0\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb1\\xa9t\\xfc\\x7f\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xc0\\xe5O\\x9e\\xf0\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 20826
          },
          {
            "timestamp": "2026-05-28 22:02:11,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28bcc3e",
            "parentcaller": "0x7ff6c28baa3d",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000aa0"
              }
            ],
            "repeated": 0,
            "id": 20827
          },
          {
            "timestamp": "2026-05-28 22:02:11,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28bcc3e",
            "parentcaller": "0x7ff6c28baa3d",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000008a4"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\Nsi"
              },
              {
                "name": "IoControlCode",
                "value": "0x0012000f"
              },
              {
                "name": "InputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb1\\xa9t\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xd0\\xe5O\\x9e\\xf0\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\xeeO\\x9e\\xf0\\x00\\x00\\x00D\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xe6O\\x9e\\xf0\\x00\\x00\\x00\\xd8\\x00\\x00\\x00\\x00\\x00\\x00\\x00 \\xe9O\\x9e\\xf0\\x00\\x00\\x00X\\x02\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb1\\xa9t\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xd0\\xe5O\\x9e\\xf0\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\xeeO\\x9e\\xf0\\x00\\x00\\x00D\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xe6O\\x9e\\xf0\\x00\\x00\\x00\\xd8\\x00\\x00\\x00\\x00\\x00\\x00\\x00 \\xe9O\\x9e\\xf0\\x00\\x00\\x00X\\x02\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 20828
          },
          {
            "timestamp": "2026-05-28 22:02:11,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28bcc3e",
            "parentcaller": "0x7ff6c28baa3d",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000aa0"
              }
            ],
            "repeated": 0,
            "id": 20829
          },
          {
            "timestamp": "2026-05-28 22:02:11,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28bcd3d",
            "parentcaller": "0x7ff6c28baa3d",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000aa0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0012019f",
                "pretty_value": "FILE_GENERIC_READ|FILE_GENERIC_WRITE"
              },
              {
                "name": "FileName",
                "value": "\\Device\\{4C572733-2FBA-4346-9601-F86DBA666EF2}"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 20830
          },
          {
            "timestamp": "2026-05-28 22:02:11,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28bcd94",
            "parentcaller": "0x7ff6c28baa3d",
            "category": "device",
            "api": "DeviceIoControl",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "DeviceHandle",
                "value": "0x00000aa0"
              },
              {
                "name": "IoControlCode",
                "value": "0x0017003e"
              },
              {
                "name": "InBuffer",
                "value": "\\x07\\x01\\x01\\x00\\x04\\x01\\x01\\x80\\x14\\x01\\x01\\x80\\x01\\x01\\x02\\x00\\x02\\x01\\x02\\x00\\x03\\x01\\x02\\x00\\x04\\x01\\x02\\x00\\x08\\x02\\x02\\x80\\x01\\x02\\x02\\x80\\x07\\x02\\x02\\x80\\xff\\xff\\xff\\x80\\x13\\x02\\x02\\x80\\x14\\x02\\x02\\x80\\x15\\x02\\x02\\x80\\x02\\x02\\x01\\x80"
              },
              {
                "name": "OutBuffer",
                "value": "\\x07\\x01\\x01\\x00\\x04\\x00\\x00\\x00\\x80\\x96\\x98\\x00\\x04\\x01\\x01\\x80\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x14\\x01\\x01\\x80\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x01\\x02\\x00\\x08\\x00\\x00\\x00\\xc4\\x13\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x01\\x02\\x00\\x08\\x00\\x00\\x00Fh\\x00\\x00\\x00\\x00\\x00\\x00\\x03\\x01\\x02\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x04\\x01\\x02\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x08\\x02\\x02\\x80\\x08\\x00\\x00\\x00Ah\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x02\\x02\\x80\\x08\\x00\\x00\\x00@cC\\x00\\x00\\x00\\x00\\x00\\x07\\x02\\x02\\x80\\x08\\x00\\x00\\x00p\\x0e\\x18\\x02\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\x80\\x04\\x00\\x00\\x00M\\x00\\x00\\x00\\x13\\x02\\x02\\x80\\x04\\x00\\x00\\x00m\\x00\\x00\\x00\\x14\\x02\\x02\\x80\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x15\\x02\\x02\\x80\\x04\\x00\\x00\\x00\\x00\\x00\\x04\\x00\\x02\\x02\\x01\\x80\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 20831
          },
          {
            "timestamp": "2026-05-28 22:02:11,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28bcdab",
            "parentcaller": "0x7ff6c28baa3d",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000aa0"
              }
            ],
            "repeated": 0,
            "id": 20832
          },
          {
            "timestamp": "2026-05-28 22:02:11,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28c1a63",
            "parentcaller": "0x7ff6c28d9152",
            "category": "device",
            "api": "DeviceIoControl",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "DeviceHandle",
                "value": "0x0000089c"
              },
              {
                "name": "IoControlCode",
                "value": "0x00070020"
              },
              {
                "name": "InBuffer",
                "value": ""
              },
              {
                "name": "OutBuffer",
                "value": "\\x00\\x0e2u\\x00\\x00\\x00\\x00\\x00x\\x1c\t\\x00\\x00\\x00\\x00<:\\x8d\\x1f\\x00\\x00\\x00\\x00R\\x90\\x99\\x12\\x00\\x00\\x00\\x00\\x95y\\xf4\\x1e\\x00\\x00\\x00\\x00\\xc9q\\x00\\x00\\xf4\\x0e\\x00\\x00\\x00\\x00\\x00\\x00z\\x04\\x00\\x00g$n\\xa2\\xed\\xee\\xdc\\x01\\x00\\x00\\x00\\x00P\\x00a\\x00r\\x00t\\x00m\\x00g\\x00r\\x00 \\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 20833
          },
          {
            "timestamp": "2026-05-28 22:02:11,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28ca352",
            "parentcaller": "0x7ff6c28ca1d6",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 20834
          },
          {
            "timestamp": "2026-05-28 22:02:11,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28ca352",
            "parentcaller": "0x7ff6c28ca1d6",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "0",
                "pretty_value": "ThreadBasicInformation"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x03\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb0\\x88\\x9d\\xf0\\x00\\x00\\x00\\xe8\\x1e\\x00\\x00\\x00\\x00\\x00\\x00\\x9c!\\x00\\x00\\x00\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x0b\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "8604"
              }
            ],
            "repeated": 0,
            "id": 20835
          },
          {
            "timestamp": "2026-05-28 22:02:11,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28ca352",
            "parentcaller": "0x7ff6c28ca1d6",
            "category": "system",
            "api": "GetSystemTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 1,
            "id": 20836
          },
          {
            "timestamp": "2026-05-28 22:02:11,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28ca352",
            "parentcaller": "0x7ff6c28ca1d6",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000410"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\PcwDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00224013"
              },
              {
                "name": "InputBuffer",
                "value": "\\x00\t\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": "\\xe0G\\x00\\x00\\x10\\x00\\x00\\x00\\x0c\\x00\\x00\\x00\\x00\\x00\\x00\\x00`\\x14\\x00\\x00 \\x00\\x00\\x00!\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\n\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x98\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x88\\x00\\x00\\x00\\x01\\x00\\x00\\x00p\\x00i\\x00d\\x00_\\x004\\x00_\\x00l\\x00u\\x00i\\x00d\\x00_\\x000\\x00x\\x000\\x000\\x000\\x000\\x000\\x000\\x000\\x000\\x00_\\x000\\x00x\\x000\\x000\\x000\\x000\\x006\\x001\\x006\\x00A\\x00_\\x00p\\x00h\\x00y\\x00s\\x00_\\x000\\x00_\\x00e\\x00n\\x00g\\x00_\\x000\\x00_\\x00e\\x00n\\x00g\\x00t\\x00y\\x00p\\x00e\\x00_\\x003\\x00D\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x01\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x98\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x88\\x00\\x00\\x00\\x01\\x00\\x00\\x00p\\x00i\\x00d\\x00_\\x004\\x00_\\x00l\\x00u\\x00i\\x00d\\x00_\\x000\\x00x\\x000\\x000\\x000\\x000\\x000\\x000\\x000\\x00"
              }
            ],
            "repeated": 0,
            "id": 20837
          },
          {
            "timestamp": "2026-05-28 22:02:11,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28f9829",
            "parentcaller": "0x7ff6c28d8f00",
            "category": "windows",
            "api": "PostMessageW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "WindowHandle",
                "value": "0x000203fa"
              },
              {
                "name": "Message",
                "value": "0x000004e1"
              }
            ],
            "repeated": 0,
            "id": 20838
          },
          {
            "timestamp": "2026-05-28 22:02:11,412",
            "thread_id": "1496",
            "caller": "0x7ff6c2958576",
            "parentcaller": "0x7ff6c2957a42",
            "category": "misc",
            "api": "NtQuerySystemInformation",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SystemInformationClass",
                "value": "3",
                "pretty_value": "FILE_OPEN_IF"
              }
            ],
            "repeated": 0,
            "id": 20839
          },
          {
            "timestamp": "2026-05-28 22:02:11,521",
            "thread_id": "1276",
            "caller": "0x7ffc77bf0e98",
            "parentcaller": "0x7ffc77c6b785",
            "category": "windows",
            "api": "PostMessageW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "WindowHandle",
                "value": "0x00010424"
              },
              {
                "name": "Message",
                "value": "0x00000400"
              }
            ],
            "repeated": 0,
            "id": 20840
          },
          {
            "timestamp": "2026-05-28 22:02:11,521",
            "thread_id": "5448",
            "caller": "0x7ff6c28c05ac",
            "parentcaller": "0x7ff6c28bdc11",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a84"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001400",
                "pretty_value": "PROCESS_QUERY_INFORMATION|PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "10532"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe"
              }
            ],
            "repeated": 0,
            "id": 20841
          },
          {
            "timestamp": "2026-05-28 22:02:11,521",
            "thread_id": "5448",
            "caller": "0x7ff6c28c068f",
            "parentcaller": "0x7ff6c28bdc11",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a84"
              }
            ],
            "repeated": 0,
            "id": 20842
          },
          {
            "timestamp": "2026-05-28 22:02:11,521",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c3e56",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a84"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001000",
                "pretty_value": "PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "10532"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe"
              }
            ],
            "repeated": 0,
            "id": 20843
          },
          {
            "timestamp": "2026-05-28 22:02:11,521",
            "thread_id": "5448",
            "caller": "0x7ff6c28c3ebb",
            "parentcaller": "0x7ff6c28c2d53",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a84"
              }
            ],
            "repeated": 0,
            "id": 20844
          },
          {
            "timestamp": "2026-05-28 22:02:11,521",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c3ffc",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a84"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001000",
                "pretty_value": "PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "10532"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe"
              }
            ],
            "repeated": 0,
            "id": 20845
          },
          {
            "timestamp": "2026-05-28 22:02:11,521",
            "thread_id": "5448",
            "caller": "0x7ff6c28c4224",
            "parentcaller": "0x7ff6c28c2da5",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a84"
              }
            ],
            "repeated": 0,
            "id": 20846
          },
          {
            "timestamp": "2026-05-28 22:02:11,521",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29251520002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 20847
          },
          {
            "timestamp": "2026-05-28 22:02:11,521",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29251520000"
              },
              {
                "name": "RegionSize",
                "value": "0x00505000"
              }
            ],
            "repeated": 0,
            "id": 20848
          },
          {
            "timestamp": "2026-05-28 22:02:11,521",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29251520002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 20849
          },
          {
            "timestamp": "2026-05-28 22:02:11,521",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29251520000"
              },
              {
                "name": "RegionSize",
                "value": "0x00505000"
              }
            ],
            "repeated": 0,
            "id": 20850
          },
          {
            "timestamp": "2026-05-28 22:02:11,521",
            "thread_id": "5448",
            "caller": "0x7ff6c28c3b16",
            "parentcaller": "0x7ff6c28c30e8",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a84"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000400",
                "pretty_value": "PROCESS_QUERY_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "10532"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe"
              }
            ],
            "repeated": 0,
            "id": 20851
          },
          {
            "timestamp": "2026-05-28 22:02:11,521",
            "thread_id": "5448",
            "caller": "0x7ff6c28c3b8f",
            "parentcaller": "0x7ff6c28c30e8",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a84"
              }
            ],
            "repeated": 0,
            "id": 20852
          },
          {
            "timestamp": "2026-05-28 22:02:11,537",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c38f8",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a84"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001410",
                "pretty_value": "PROCESS_VM_READ|PROCESS_QUERY_INFORMATION|PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "10532"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe"
              }
            ],
            "repeated": 0,
            "id": 20853
          },
          {
            "timestamp": "2026-05-28 22:02:11,537",
            "thread_id": "5448",
            "caller": "0x7ff6c28c53e5",
            "parentcaller": "0x7ff6c28c3945",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a84"
              },
              {
                "name": "BaseAddress",
                "value": "0xef054c0000"
              },
              {
                "name": "Size",
                "value": "0x000007c8"
              },
              {
                "name": "Buffer",
                "value": "\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00u4\\xf7\\x7f\\x00\\x00\\xc0\\xc4\\x13x\\xfc\\x7f\\x00\\x00\\xc0,\\x80\\xe8\\xd3\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00i\\xe8\\xd3\\x02\\x00\\x00\\xe0\\xc0\\x13x\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x05\\x00\\x00\\x00\\x00\\x00\\x00\\x00p\\x003v\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00b\\xe8\\xd3\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00@\\xc4\\x13x\\xfc\\x7f\\x00\\x00\\xff\\xff\\x0f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\xf5\\xf4}\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00P\\x07\\x02\\xf5\\xf4}\\x00\\x00\\x00\\x00\\x16\\xf7\\xf5}\\x00\\x00(\\x02\\x17\\xf7\\xf5}\\x00\\x00P\\x06\\x18\\xf7\\xf5}\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x80\\x9b\\x07m\\xe8\\xff\\xff\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x00 \\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x10\\x00\\x00\\x00@\\xad\\x13x\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 20854
          },
          {
            "timestamp": "2026-05-28 22:02:11,537",
            "thread_id": "5448",
            "caller": "0x7ff6c28c5414",
            "parentcaller": "0x7ff6c28c3945",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a84"
              },
              {
                "name": "BaseAddress",
                "value": "0x2d3e8802cc0"
              },
              {
                "name": "Size",
                "value": "0x00000440"
              },
              {
                "name": "Buffer",
                "value": "D\\x0c\\x00\\x00D\\x0c\\x00\\x00\\x01`\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x80\\x00\\x08\\x02\\x00\\x00\\x00\\x00\\x80=\\x80\\xe8\\xd3\\x02\\x00\\x00\\x88\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00x\\x00z\\x00\\x00\\x00\\x00\\x00\\x083\\x80\\xe8\\xd3\\x02\\x00\\x00\\xa2\\x04\\xa4\\x04\\x00\\x00\\x00\\x00\\x823\\x80\\xe8\\xd3\\x02\\x00\\x00\\xf0'\\x80\\xe8\\xd3\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x80\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00x\\x00z\\x00\\x00\\x00\\x00\\x00&8\\x80\\xe8\\xd3\\x02\\x00\\x00`\\x00b\\x00\\x00\\x00\\x00\\x00\\xa08\\x80\\xe8\\xd3\\x02\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x029\\x80\\xe8\\xd3\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 20855
          },
          {
            "timestamp": "2026-05-28 22:02:11,537",
            "thread_id": "5448",
            "caller": "0x7ff6c28c545d",
            "parentcaller": "0x7ff6c28c3945",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a84"
              },
              {
                "name": "BaseAddress",
                "value": "0x2d3e8803382"
              },
              {
                "name": "Size",
                "value": "0x000004a2"
              },
              {
                "name": "Buffer",
                "value": "\"\\x00C\\x00:\\x00\\\\x00P\\x00r\\x00o\\x00g\\x00r\\x00a\\x00m\\x00 \\x00F\\x00i\\x00l\\x00e\\x00s\\x00 \\x00(\\x00x\\x008\\x006\\x00)\\x00\\\\x00M\\x00i\\x00c\\x00r\\x00o\\x00s\\x00o\\x00f\\x00t\\x00\\\\x00E\\x00d\\x00g\\x00e\\x00\\\\x00A\\x00p\\x00p\\x00l\\x00i\\x00c\\x00a\\x00t\\x00i\\x00o\\x00n\\x00\\\\x00m\\x00s\\x00e\\x00d\\x00g\\x00e\\x00.\\x00e\\x00x\\x00e\\x00\"\\x00 \\x00-\\x00-\\x00t\\x00y\\x00p\\x00e\\x00=\\x00u\\x00t\\x00i\\x00l\\x00i\\x00t\\x00y\\x00 \\x00-\\x00-\\x00u\\x00t\\x00i\\x00l\\x00i\\x00t\\x00y\\x00-\\x00s\\x00u\\x00b\\x00-\\x00t\\x00y\\x00p\\x00e\\x00=\\x00e\\x00n\\x00t\\x00i\\x00t\\x00y\\x00_\\x00e\\x00x\\x00t\\x00r\\x00a\\x00c\\x00t\\x00i\\x00o\\x00n\\x00_\\x00s\\x00e\\x00r\\x00v\\x00i\\x00c\\x00e\\x00.\\x00m\\x00o\\x00j\\x00o\\x00m\\x00"
              }
            ],
            "repeated": 0,
            "id": 20856
          },
          {
            "timestamp": "2026-05-28 22:02:11,537",
            "thread_id": "5448",
            "caller": "0x7ff6c28c39ad",
            "parentcaller": "0x7ff6c28c31bb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a84"
              }
            ],
            "repeated": 0,
            "id": 20857
          },
          {
            "timestamp": "2026-05-28 22:02:11,537",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c3746",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a84"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001000",
                "pretty_value": "PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "10532"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe"
              }
            ],
            "repeated": 0,
            "id": 20858
          },
          {
            "timestamp": "2026-05-28 22:02:11,537",
            "thread_id": "5448",
            "caller": "0x7ff6c28c472e",
            "parentcaller": "0x7ff6c28c375e",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a84"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x00000ab0"
              }
            ],
            "repeated": 0,
            "id": 20859
          },
          {
            "timestamp": "2026-05-28 22:02:11,537",
            "thread_id": "5448",
            "caller": "0x7ff6c28c4764",
            "parentcaller": "0x7ff6c28c375e",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "39"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 20860
          },
          {
            "timestamp": "2026-05-28 22:02:11,537",
            "thread_id": "5448",
            "caller": "0x7ff6c28c47ed",
            "parentcaller": "0x7ff6c28c375e",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "39"
              },
              {
                "name": "TokenInformation",
                "value": "\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00U\\xacT\\x92\\x02\\x00\\x00 \\x00 \\x00\\x00\\x00\\x00\\x00(U\\xacT\\x92\\x02\\x00\\x00\\x02\\x00\\x00\\x00A\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00HU\\xacT\\x92\\x02\\x00\\x00T\\x00S\\x00A\\x00:\\x00/\\x00/\\x00P\\x00r\\x00o\\x00c\\x00U\\x00n\\x00i\\x00q\\x00u\\x00e\\x00\\x9e\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xaa\\x9c\n\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 20861
          },
          {
            "timestamp": "2026-05-28 22:02:11,537",
            "thread_id": "5448",
            "caller": "0x7ff6c28c488d",
            "parentcaller": "0x7ff6c28c375e",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000ab0"
              }
            ],
            "repeated": 0,
            "id": 20862
          },
          {
            "timestamp": "2026-05-28 22:02:11,537",
            "thread_id": "5448",
            "caller": "0x7ff6c28c3779",
            "parentcaller": "0x7ff6c28c31c6",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a84"
              }
            ],
            "repeated": 0,
            "id": 20863
          },
          {
            "timestamp": "2026-05-28 22:02:11,537",
            "thread_id": "5448",
            "caller": "0x7ff6c28c05ac",
            "parentcaller": "0x7ff6c28bdc11",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a84"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001400",
                "pretty_value": "PROCESS_QUERY_INFORMATION|PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "10636"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\148.0.3967.83\\identity_helper.exe"
              }
            ],
            "repeated": 0,
            "id": 20864
          },
          {
            "timestamp": "2026-05-28 22:02:11,537",
            "thread_id": "5448",
            "caller": "0x7ff6c28c068f",
            "parentcaller": "0x7ff6c28bdc11",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a84"
              }
            ],
            "repeated": 0,
            "id": 20865
          },
          {
            "timestamp": "2026-05-28 22:02:11,537",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c6d7d",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a84"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001400",
                "pretty_value": "PROCESS_QUERY_INFORMATION|PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "10636"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\148.0.3967.83\\identity_helper.exe"
              }
            ],
            "repeated": 0,
            "id": 20866
          },
          {
            "timestamp": "2026-05-28 22:02:11,537",
            "thread_id": "5448",
            "caller": "0x7ff6c28c6de3",
            "parentcaller": "0x7ff6c28c087c",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a84"
              }
            ],
            "repeated": 0,
            "id": 20867
          },
          {
            "timestamp": "2026-05-28 22:02:11,537",
            "thread_id": "1276",
            "caller": "0x7ff6c28d9214",
            "parentcaller": "0x00000000",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "0",
                "pretty_value": "ThreadBasicInformation"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x03\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xd0\\x87\\x9d\\xf0\\x00\\x00\\x00\\xe8\\x1e\\x00\\x00\\x00\\x00\\x00\\x00\\xfc\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\n\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "1276"
              }
            ],
            "repeated": 0,
            "id": 20868
          },
          {
            "timestamp": "2026-05-28 22:02:11,537",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000000",
                "pretty_value": "HKEY_CLASSES_ROOT"
              },
              {
                "name": "SubKey",
                "value": "CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_CLASSES_ROOT\\CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              }
            ],
            "repeated": 0,
            "id": 20869
          },
          {
            "timestamp": "2026-05-28 22:02:11,537",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "shell32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76730000"
              }
            ],
            "repeated": 0,
            "id": 20870
          },
          {
            "timestamp": "2026-05-28 22:02:11,537",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x7ffc76730000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "shell32.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 20871
          },
          {
            "timestamp": "2026-05-28 22:02:11,537",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "SHELL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc76730000"
              },
              {
                "name": "FunctionName",
                "value": "DllGetClassObject"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc767878f0"
              }
            ],
            "repeated": 0,
            "id": 20872
          },
          {
            "timestamp": "2026-05-28 22:02:11,537",
            "thread_id": "1276",
            "caller": "0x7ff6c28c27c9",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "synchronization",
            "api": "NtFindAtom",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "AtomName",
                "value": "{57086C23-86C6-478F-AFB2-236188C8F47F} 3"
              },
              {
                "name": "Atom",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 20873
          },
          {
            "timestamp": "2026-05-28 22:02:11,537",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000000",
                "pretty_value": "HKEY_CLASSES_ROOT"
              },
              {
                "name": "SubKey",
                "value": "CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_CLASSES_ROOT\\CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              }
            ],
            "repeated": 0,
            "id": 20874
          },
          {
            "timestamp": "2026-05-28 22:02:11,537",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "shell32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76730000"
              }
            ],
            "repeated": 0,
            "id": 20875
          },
          {
            "timestamp": "2026-05-28 22:02:11,537",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x7ffc76730000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "shell32.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 20876
          },
          {
            "timestamp": "2026-05-28 22:02:11,537",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "SHELL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc76730000"
              },
              {
                "name": "FunctionName",
                "value": "DllGetClassObject"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc767878f0"
              }
            ],
            "repeated": 0,
            "id": 20877
          },
          {
            "timestamp": "2026-05-28 22:02:11,537",
            "thread_id": "1276",
            "caller": "0x7ff6c28c27c9",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "synchronization",
            "api": "NtFindAtom",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "AtomName",
                "value": "{57086C23-86C6-478F-AFB2-236188C8F47F} 3"
              },
              {
                "name": "Atom",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 20878
          },
          {
            "timestamp": "2026-05-28 22:02:11,537",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000000",
                "pretty_value": "HKEY_CLASSES_ROOT"
              },
              {
                "name": "SubKey",
                "value": "CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_CLASSES_ROOT\\CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              }
            ],
            "repeated": 0,
            "id": 20879
          },
          {
            "timestamp": "2026-05-28 22:02:11,537",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "shell32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76730000"
              }
            ],
            "repeated": 0,
            "id": 20880
          },
          {
            "timestamp": "2026-05-28 22:02:11,537",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x7ffc76730000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "shell32.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 20881
          },
          {
            "timestamp": "2026-05-28 22:02:11,537",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "SHELL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc76730000"
              },
              {
                "name": "FunctionName",
                "value": "DllGetClassObject"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc767878f0"
              }
            ],
            "repeated": 0,
            "id": 20882
          },
          {
            "timestamp": "2026-05-28 22:02:11,537",
            "thread_id": "1276",
            "caller": "0x7ff6c28c27c9",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "synchronization",
            "api": "NtFindAtom",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "AtomName",
                "value": "{57086C23-86C6-478F-AFB2-236188C8F47F} 3"
              },
              {
                "name": "Atom",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 20883
          },
          {
            "timestamp": "2026-05-28 22:02:11,537",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000000",
                "pretty_value": "HKEY_CLASSES_ROOT"
              },
              {
                "name": "SubKey",
                "value": "CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_CLASSES_ROOT\\CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              }
            ],
            "repeated": 0,
            "id": 20884
          },
          {
            "timestamp": "2026-05-28 22:02:11,537",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "shell32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76730000"
              }
            ],
            "repeated": 0,
            "id": 20885
          },
          {
            "timestamp": "2026-05-28 22:02:11,537",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x7ffc76730000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "shell32.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 20886
          },
          {
            "timestamp": "2026-05-28 22:02:11,537",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "SHELL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc76730000"
              },
              {
                "name": "FunctionName",
                "value": "DllGetClassObject"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc767878f0"
              }
            ],
            "repeated": 0,
            "id": 20887
          },
          {
            "timestamp": "2026-05-28 22:02:11,537",
            "thread_id": "1276",
            "caller": "0x7ff6c28c27c9",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "synchronization",
            "api": "NtFindAtom",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "AtomName",
                "value": "{57086C23-86C6-478F-AFB2-236188C8F47F} 3"
              },
              {
                "name": "Atom",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 20888
          },
          {
            "timestamp": "2026-05-28 22:02:11,537",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000000",
                "pretty_value": "HKEY_CLASSES_ROOT"
              },
              {
                "name": "SubKey",
                "value": "CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_CLASSES_ROOT\\CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              }
            ],
            "repeated": 0,
            "id": 20889
          },
          {
            "timestamp": "2026-05-28 22:02:11,537",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "shell32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76730000"
              }
            ],
            "repeated": 0,
            "id": 20890
          },
          {
            "timestamp": "2026-05-28 22:02:11,537",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x7ffc76730000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "shell32.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 20891
          },
          {
            "timestamp": "2026-05-28 22:02:11,537",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "SHELL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc76730000"
              },
              {
                "name": "FunctionName",
                "value": "DllGetClassObject"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc767878f0"
              }
            ],
            "repeated": 0,
            "id": 20892
          },
          {
            "timestamp": "2026-05-28 22:02:11,537",
            "thread_id": "1276",
            "caller": "0x7ff6c28c27c9",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "synchronization",
            "api": "NtFindAtom",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "AtomName",
                "value": "{57086C23-86C6-478F-AFB2-236188C8F47F} 3"
              },
              {
                "name": "Atom",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 20893
          },
          {
            "timestamp": "2026-05-28 22:02:11,537",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000000",
                "pretty_value": "HKEY_CLASSES_ROOT"
              },
              {
                "name": "SubKey",
                "value": "CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_CLASSES_ROOT\\CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              }
            ],
            "repeated": 0,
            "id": 20894
          },
          {
            "timestamp": "2026-05-28 22:02:11,537",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "shell32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76730000"
              }
            ],
            "repeated": 0,
            "id": 20895
          },
          {
            "timestamp": "2026-05-28 22:02:11,537",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x7ffc76730000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "shell32.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 20896
          },
          {
            "timestamp": "2026-05-28 22:02:11,537",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "SHELL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc76730000"
              },
              {
                "name": "FunctionName",
                "value": "DllGetClassObject"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc767878f0"
              }
            ],
            "repeated": 0,
            "id": 20897
          },
          {
            "timestamp": "2026-05-28 22:02:11,537",
            "thread_id": "1276",
            "caller": "0x7ff6c28c27c9",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "synchronization",
            "api": "NtFindAtom",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "AtomName",
                "value": "{57086C23-86C6-478F-AFB2-236188C8F47F} 3"
              },
              {
                "name": "Atom",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 20898
          },
          {
            "timestamp": "2026-05-28 22:02:11,537",
            "thread_id": "1276",
            "caller": "0x7ff6c28d9322",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "oleaut32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc77330000"
              }
            ],
            "repeated": 0,
            "id": 20899
          },
          {
            "timestamp": "2026-05-28 22:02:11,537",
            "thread_id": "5448",
            "caller": "0x7ff6c28bb952",
            "parentcaller": "0x7ff6c28be837",
            "category": "windows",
            "api": "PostMessageW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "WindowHandle",
                "value": "0x00010402"
              },
              {
                "name": "Message",
                "value": "0x00000464"
              }
            ],
            "repeated": 0,
            "id": 20900
          },
          {
            "timestamp": "2026-05-28 22:02:11,537",
            "thread_id": "608",
            "caller": "0x7ff6c28d9e90",
            "parentcaller": "0x7ff6c28d9a49",
            "category": "windows",
            "api": "FindWindowW",
            "status": true,
            "return": "0x00010092",
            "arguments": [
              {
                "name": "ClassName",
                "value": "Shell_TrayWnd"
              },
              {
                "name": "WindowName",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 20901
          },
          {
            "timestamp": "2026-05-28 22:02:11,537",
            "thread_id": "2700",
            "caller": "0x7ffc77bf0e98",
            "parentcaller": "0x7ffc77c6b785",
            "category": "windows",
            "api": "PostMessageW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "WindowHandle",
                "value": "0x00010438"
              },
              {
                "name": "Message",
                "value": "0x00000400"
              }
            ],
            "repeated": 0,
            "id": 20902
          },
          {
            "timestamp": "2026-05-28 22:02:11,990",
            "thread_id": "1496",
            "caller": "0x7ff6c290e50e",
            "parentcaller": "0x7ff6c28f74fc",
            "category": "synchronization",
            "api": "NtOpenEvent",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "Handle",
                "value": "0xf09d76f320"
              },
              {
                "name": "EventName",
                "value": "Local\\1ImmersiveFocusTrackingActiveEvent"
              }
            ],
            "repeated": 0,
            "id": 20903
          },
          {
            "timestamp": "2026-05-28 22:02:12,037",
            "thread_id": "1496",
            "caller": "0x7ff6c2957005",
            "parentcaller": "0x7ff6c2956800",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00000042"
              },
              {
                "name": "uiParam",
                "value": "0x00000010"
              }
            ],
            "repeated": 0,
            "id": 20904
          },
          {
            "timestamp": "2026-05-28 22:02:12,037",
            "thread_id": "1496",
            "caller": "0x7ff6c2957028",
            "parentcaller": "0x7ff6c2956800",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x292542eb000"
              },
              {
                "name": "RegionSize",
                "value": "0x00003000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 20905
          },
          {
            "timestamp": "2026-05-28 22:02:12,037",
            "thread_id": "1496",
            "caller": "0x7ff6c28b4ea1",
            "parentcaller": "0x7ff6c292c5f7",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29253baa000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 20906
          },
          {
            "timestamp": "2026-05-28 22:02:12,037",
            "thread_id": "1496",
            "caller": "0x7ff6c2957005",
            "parentcaller": "0x7ff6c2956800",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00000042"
              },
              {
                "name": "uiParam",
                "value": "0x00000010"
              }
            ],
            "repeated": 0,
            "id": 20907
          },
          {
            "timestamp": "2026-05-28 22:02:12,037",
            "thread_id": "1496",
            "caller": "0x7ff6c292c3ac",
            "parentcaller": "0x7ff6c292d307",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29253bab000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 20908
          },
          {
            "timestamp": "2026-05-28 22:02:12,037",
            "thread_id": "1496",
            "caller": "0x7ff6c29576e5",
            "parentcaller": "0x7ff6c290e69c",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00000042"
              },
              {
                "name": "uiParam",
                "value": "0x00000010"
              }
            ],
            "repeated": 2,
            "id": 20909
          },
          {
            "timestamp": "2026-05-28 22:02:12,037",
            "thread_id": "1496",
            "caller": "0x7ff6c2958576",
            "parentcaller": "0x7ff6c2957a42",
            "category": "misc",
            "api": "NtQuerySystemInformation",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SystemInformationClass",
                "value": "3",
                "pretty_value": "FILE_OPEN_IF"
              }
            ],
            "repeated": 0,
            "id": 20910
          },
          {
            "timestamp": "2026-05-28 22:02:12,053",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6f98",
            "parentcaller": "0x7ff6c28e0076",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254739000"
              },
              {
                "name": "RegionSize",
                "value": "0x00007000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 20911
          },
          {
            "timestamp": "2026-05-28 22:02:12,381",
            "thread_id": "5448",
            "caller": "0x7ff6c28bd9af",
            "parentcaller": "0x7ff6c28d9f92",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "23"
              },
              {
                "name": "ThreadInformation",
                "value": "\\xe2V\\x8b\\\\x00\\x00\\x00\\x00\\xd4E\\x98\\xddK\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "5448"
              }
            ],
            "repeated": 0,
            "id": 20912
          },
          {
            "timestamp": "2026-05-28 22:02:12,381",
            "thread_id": "5448",
            "caller": "0x7ff6c28c63dd",
            "parentcaller": "0x7ff6c28bac26",
            "category": "misc",
            "api": "NtQuerySystemInformation",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SystemInformationClass",
                "value": "5",
                "pretty_value": "FILE_OVERWRITE_IF"
              }
            ],
            "repeated": 0,
            "id": 20913
          },
          {
            "timestamp": "2026-05-28 22:02:12,381",
            "thread_id": "5448",
            "caller": "0x7ff6c28bda50",
            "parentcaller": "0x7ff6c28d9f92",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "23"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x80\\xc6\\xd6\\\\x00\\x00\\x00\\x00\"{\\xe4\\xddK\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "5448"
              }
            ],
            "repeated": 0,
            "id": 20914
          },
          {
            "timestamp": "2026-05-28 22:02:12,381",
            "thread_id": "5448",
            "caller": "0x7ff6c28bdaa2",
            "parentcaller": "0x7ff6c28d9f92",
            "category": "misc",
            "api": "NtQuerySystemInformation",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SystemInformationClass",
                "value": "3",
                "pretty_value": "FILE_OPEN_IF"
              }
            ],
            "repeated": 0,
            "id": 20915
          },
          {
            "timestamp": "2026-05-28 22:02:12,381",
            "thread_id": "5448",
            "caller": "0x7ff6c28c4a58",
            "parentcaller": "0x7ff6c28c4bdc",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000410"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\PcwDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00224013"
              },
              {
                "name": "InputBuffer",
                "value": "\\x14\\x04\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": "\\xb8\\x01\\x00\\x00\\x10\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xa8\\x01\\x00\\x00 \\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x000\\x00\\x00\\x0c\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00`\\x00\\x00\\x00\\x00\\x00\\x00\\x00 \\x00\\x00\\x00\\x04\\x00\\x00\\x000\\x00,\\x000\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x04\\x00\\x08\\x00\\xa2\\~\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x05\\x00\\x08\\x00\\xf4<\\x82\\x01\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x1a\\x00\\x08\\x00\\xe8\\xdaY\\x9d\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x1b\\x00\\x04\\x00\\xa4\\xdc\\x16\\x03\\x00\\x00\\x00\\x00`\\x00\\x00\\x00\\x01\\x00\\x00\\x00 \\x00\\x00\\x00\\x04\\x00\\x00\\x000\\x00,\\x001\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x04\\x00\\x08\\x00\\x92+P\\x01\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x05\\x00\\x08\\x00\\x1cN\\x0e\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x1a\\x00\\x08\\x00unx\\x9c\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x1b\\x00\\x04\\x00\\xad\\xdc\\x16\\x03\\x00\\x00\\x00\\x00h\\x00\\x00\\x00\\x02\\x00\\x00\\x00(\\x00\\x00\\x00\\x04\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 20916
          },
          {
            "timestamp": "2026-05-28 22:02:12,381",
            "thread_id": "5448",
            "caller": "0x7ff6c28c4a58",
            "parentcaller": "0x7ff6c28c4c19",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000410"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\PcwDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00224013"
              },
              {
                "name": "InputBuffer",
                "value": "\\x18\\x04\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": "x\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00h\\x00\\x00\\x00 \\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00H\\x00\\x00\\x00\\x00\\x00\\x00\\x00(\\x00\\x00\\x00\\x02\\x00\\x00\\x00d\\x00e\\x00f\\x00a\\x00u\\x00l\\x00t\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x08\\x00\\x1b\\xa4\\xa3\\xa0\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x01\\x00\\x08\\x00\\x00T\\x0f\\x0b\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 20917
          },
          {
            "timestamp": "2026-05-28 22:02:12,381",
            "thread_id": "5448",
            "caller": "0x7ff6c28c6f7b",
            "parentcaller": "0x7ff6c28bdb94",
            "category": "misc",
            "api": "GlobalMemoryStatusEx",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "MemoryLoad",
                "value": "36"
              },
              {
                "name": "TotalPhysicalMB",
                "value": "8191"
              }
            ],
            "repeated": 0,
            "id": 20918
          },
          {
            "timestamp": "2026-05-28 22:02:12,381",
            "thread_id": "5448",
            "caller": "0x7ff6c28c05ac",
            "parentcaller": "0x7ff6c28bdc11",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a84"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001400",
                "pretty_value": "PROCESS_QUERY_INFORMATION|PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "748"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\148.0.3967.83\\identity_helper.exe"
              }
            ],
            "repeated": 0,
            "id": 20919
          },
          {
            "timestamp": "2026-05-28 22:02:12,381",
            "thread_id": "5448",
            "caller": "0x7ff6c28c068f",
            "parentcaller": "0x7ff6c28bdc11",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a84"
              }
            ],
            "repeated": 0,
            "id": 20920
          },
          {
            "timestamp": "2026-05-28 22:02:12,381",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c6d7d",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a84"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001400",
                "pretty_value": "PROCESS_QUERY_INFORMATION|PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "748"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\148.0.3967.83\\identity_helper.exe"
              }
            ],
            "repeated": 0,
            "id": 20921
          },
          {
            "timestamp": "2026-05-28 22:02:12,381",
            "thread_id": "5448",
            "caller": "0x7ff6c28c6de3",
            "parentcaller": "0x7ff6c28c087c",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a84"
              }
            ],
            "repeated": 0,
            "id": 20922
          },
          {
            "timestamp": "2026-05-28 22:02:12,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28c4a58",
            "parentcaller": "0x7ff6c28bab11",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000410"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\PcwDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00224013"
              },
              {
                "name": "InputBuffer",
                "value": "\\x88\\x08\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": "x\\x02\\x00\\x00\\x10\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00h\\x02\\x00\\x00 \\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01<\\x06\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x90\\x00\\x00\\x00\\x00\\x00\\x00\\x00 \\x00\\x00\\x00\\x07\\x00\\x00\\x000\\x00,\\x000\\x00\\x00\\x00a\\x00n\\x00a\\x00g\\x00\\x10\\x00\\x00\\x00\\x10\\x00\\x04\\x00\\x00\\x00\\x00\\x00A\\x00p\\x00\\x10\\x00\\x00\\x00\\x1a\\x00\\x08\\x009}X\\x9d\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x1b\\x00\\x04\\x00%\\xd9\\x16\\x03S\\x00e\\x00\\x10\\x00\\x00\\x00\\x1c\\x00\\x08\\x00\\x8b\\xc2\\xc4\\x08\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x1d\\x00\\x04\\x00%\\xd9\\x16\\x03)\\x00\\x00\\x00\\x10\\x00\\x00\\x00!\\x00\\x08\\x00\\x94\\xd4\\xc2\\xa7\\x16\\x00\\x00\\x00\\x10\\x00\\x00\\x00\"\\x00\\x04\\x00\r\\xce\\x92\\x01o\\x00f\\x00\\x90\\x00\\x00\\x00\\x01\\x00\\x00\\x00 \\x00\\x00\\x00\\x07\\x00\\x00\\x000\\x00,\\x001\\x00\\x00\\x00n\\x00t\\x00\\x00\\x00A\\x00\\x10\\x00\\x00\\x00\\x10\\x00\\x04\\x00\\x00\\x00\\x00\\x00e\\x00n\\x00\\x10\\x00\\x00\\x00\\x1a\\x00\\x08\\x006\\xcfx\\x9c\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 20923
          },
          {
            "timestamp": "2026-05-28 22:02:12,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28c7164",
            "parentcaller": "0x7ff6c28c4d2d",
            "category": "misc",
            "api": "NtQuerySystemInformation",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "SystemInformationClass",
                "value": "79"
              }
            ],
            "repeated": 0,
            "id": 20924
          },
          {
            "timestamp": "2026-05-28 22:02:12,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28c71d8",
            "parentcaller": "0x7ff6c28c4d2d",
            "category": "misc",
            "api": "NtQuerySystemInformation",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SystemInformationClass",
                "value": "79"
              }
            ],
            "repeated": 0,
            "id": 20925
          },
          {
            "timestamp": "2026-05-28 22:02:12,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28c4d5f",
            "parentcaller": "0x7ff6c28d9152",
            "category": "misc",
            "api": "NtQuerySystemInformation",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SystemInformationClass",
                "value": "182"
              }
            ],
            "repeated": 0,
            "id": 20926
          },
          {
            "timestamp": "2026-05-28 22:02:12,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28c4d76",
            "parentcaller": "0x7ff6c28d9152",
            "category": "misc",
            "api": "GetPhysicallyInstalledSystemMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TotalMemoryInKilobytes",
                "value": "8388608"
              }
            ],
            "repeated": 0,
            "id": 20927
          },
          {
            "timestamp": "2026-05-28 22:02:12,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28bcc3e",
            "parentcaller": "0x7ff6c28baa3d",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000008a4"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\Nsi"
              },
              {
                "name": "IoControlCode",
                "value": "0x00120007"
              },
              {
                "name": "InputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb1\\xa9t\\xfc\\x7f\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xc0\\xe5O\\x9e\\xf0\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb1\\xa9t\\xfc\\x7f\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xc0\\xe5O\\x9e\\xf0\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 20928
          },
          {
            "timestamp": "2026-05-28 22:02:12,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28bcc3e",
            "parentcaller": "0x7ff6c28baa3d",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a7c"
              }
            ],
            "repeated": 0,
            "id": 20929
          },
          {
            "timestamp": "2026-05-28 22:02:12,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28bcc3e",
            "parentcaller": "0x7ff6c28baa3d",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000008a4"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\Nsi"
              },
              {
                "name": "IoControlCode",
                "value": "0x0012000f"
              },
              {
                "name": "InputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb1\\xa9t\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xd0\\xe5O\\x9e\\xf0\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\xeeO\\x9e\\xf0\\x00\\x00\\x00D\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xe6O\\x9e\\xf0\\x00\\x00\\x00\\xd8\\x00\\x00\\x00\\x00\\x00\\x00\\x00 \\xe9O\\x9e\\xf0\\x00\\x00\\x00X\\x02\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb1\\xa9t\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xd0\\xe5O\\x9e\\xf0\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\xeeO\\x9e\\xf0\\x00\\x00\\x00D\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xe6O\\x9e\\xf0\\x00\\x00\\x00\\xd8\\x00\\x00\\x00\\x00\\x00\\x00\\x00 \\xe9O\\x9e\\xf0\\x00\\x00\\x00X\\x02\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 20930
          },
          {
            "timestamp": "2026-05-28 22:02:12,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28bcc3e",
            "parentcaller": "0x7ff6c28baa3d",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a7c"
              }
            ],
            "repeated": 0,
            "id": 20931
          },
          {
            "timestamp": "2026-05-28 22:02:12,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28bcd3d",
            "parentcaller": "0x7ff6c28baa3d",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000a7c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0012019f",
                "pretty_value": "FILE_GENERIC_READ|FILE_GENERIC_WRITE"
              },
              {
                "name": "FileName",
                "value": "\\Device\\{4C572733-2FBA-4346-9601-F86DBA666EF2}"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 20932
          },
          {
            "timestamp": "2026-05-28 22:02:12,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28bcd94",
            "parentcaller": "0x7ff6c28baa3d",
            "category": "device",
            "api": "DeviceIoControl",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "DeviceHandle",
                "value": "0x00000a7c"
              },
              {
                "name": "IoControlCode",
                "value": "0x0017003e"
              },
              {
                "name": "InBuffer",
                "value": "\\x07\\x01\\x01\\x00\\x04\\x01\\x01\\x80\\x14\\x01\\x01\\x80\\x01\\x01\\x02\\x00\\x02\\x01\\x02\\x00\\x03\\x01\\x02\\x00\\x04\\x01\\x02\\x00\\x08\\x02\\x02\\x80\\x01\\x02\\x02\\x80\\x07\\x02\\x02\\x80\\xff\\xff\\xff\\x80\\x13\\x02\\x02\\x80\\x14\\x02\\x02\\x80\\x15\\x02\\x02\\x80\\x02\\x02\\x01\\x80"
              },
              {
                "name": "OutBuffer",
                "value": "\\x07\\x01\\x01\\x00\\x04\\x00\\x00\\x00\\x80\\x96\\x98\\x00\\x04\\x01\\x01\\x80\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x14\\x01\\x01\\x80\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x01\\x02\\x00\\x08\\x00\\x00\\x00\\x14\\x14\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x01\\x02\\x00\\x08\\x00\\x00\\x00\\x93h\\x00\\x00\\x00\\x00\\x00\\x00\\x03\\x01\\x02\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x04\\x01\\x02\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x08\\x02\\x02\\x80\\x08\\x00\\x00\\x00\\x8eh\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x02\\x02\\x80\\x08\\x00\\x00\\x00\\x93^E\\x00\\x00\\x00\\x00\\x00\\x07\\x02\\x02\\x80\\x08\\x00\\x00\\x00X!\\x18\\x02\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\x80\\x04\\x00\\x00\\x00N\\x00\\x00\\x00\\x13\\x02\\x02\\x80\\x04\\x00\\x00\\x00m\\x00\\x00\\x00\\x14\\x02\\x02\\x80\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x15\\x02\\x02\\x80\\x04\\x00\\x00\\x00\\x00\\x00\\x04\\x00\\x02\\x02\\x01\\x80\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 20933
          },
          {
            "timestamp": "2026-05-28 22:02:12,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28bcdab",
            "parentcaller": "0x7ff6c28baa3d",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a7c"
              }
            ],
            "repeated": 0,
            "id": 20934
          },
          {
            "timestamp": "2026-05-28 22:02:12,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28c1a63",
            "parentcaller": "0x7ff6c28d9152",
            "category": "device",
            "api": "DeviceIoControl",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "DeviceHandle",
                "value": "0x0000089c"
              },
              {
                "name": "IoControlCode",
                "value": "0x00070020"
              },
              {
                "name": "InBuffer",
                "value": ""
              },
              {
                "name": "OutBuffer",
                "value": "\\x00\\xda\\xbdu\\x00\\x00\\x00\\x00\\x00N1\t\\x00\\x00\\x00\\x00\\xb8w\\x01 \\x00\\x00\\x00\\x00q\\xec\\xf1\\x12\\x00\\x00\\x00\\x00F\\xc5Q\\x1f\\x00\\x00\\x00\\x00mu\\x00\\x00\\x03\\x0f\\x00\\x00\\x00\\x00\\x00\\x00\\x81\\x04\\x00\\x00\\x18\\xd3\\x03\\xa3\\xed\\xee\\xdc\\x01\\x00\\x00\\x00\\x00P\\x00a\\x00r\\x00t\\x00m\\x00g\\x00r\\x00 \\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 20935
          },
          {
            "timestamp": "2026-05-28 22:02:12,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28ca352",
            "parentcaller": "0x7ff6c28ca1d6",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 20936
          },
          {
            "timestamp": "2026-05-28 22:02:12,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28ca352",
            "parentcaller": "0x7ff6c28ca1d6",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "0",
                "pretty_value": "ThreadBasicInformation"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x03\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb0\\x88\\x9d\\xf0\\x00\\x00\\x00\\xe8\\x1e\\x00\\x00\\x00\\x00\\x00\\x00\\x9c!\\x00\\x00\\x00\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x0b\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "8604"
              }
            ],
            "repeated": 0,
            "id": 20937
          },
          {
            "timestamp": "2026-05-28 22:02:12,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28ca352",
            "parentcaller": "0x7ff6c28ca1d6",
            "category": "system",
            "api": "GetSystemTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 1,
            "id": 20938
          },
          {
            "timestamp": "2026-05-28 22:02:12,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28ca352",
            "parentcaller": "0x7ff6c28ca1d6",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000410"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\PcwDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00224013"
              },
              {
                "name": "InputBuffer",
                "value": "\\x00\t\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": "\\xe0G\\x00\\x00\\x10\\x00\\x00\\x00\\x0c\\x00\\x00\\x00\\x00\\x00\\x00\\x00`\\x14\\x00\\x00 \\x00\\x00\\x00!\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\n\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x98\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x88\\x00\\x00\\x00\\x01\\x00\\x00\\x00p\\x00i\\x00d\\x00_\\x004\\x00_\\x00l\\x00u\\x00i\\x00d\\x00_\\x000\\x00x\\x000\\x000\\x000\\x000\\x000\\x000\\x000\\x000\\x00_\\x000\\x00x\\x000\\x000\\x000\\x000\\x006\\x001\\x006\\x00A\\x00_\\x00p\\x00h\\x00y\\x00s\\x00_\\x000\\x00_\\x00e\\x00n\\x00g\\x00_\\x000\\x00_\\x00e\\x00n\\x00g\\x00t\\x00y\\x00p\\x00e\\x00_\\x003\\x00D\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x01\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x98\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x88\\x00\\x00\\x00\\x01\\x00\\x00\\x00p\\x00i\\x00d\\x00_\\x004\\x00_\\x00l\\x00u\\x00i\\x00d\\x00_\\x000\\x00x\\x000\\x000\\x000\\x000\\x000\\x000\\x000\\x00"
              }
            ],
            "repeated": 0,
            "id": 20939
          },
          {
            "timestamp": "2026-05-28 22:02:12,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28f9829",
            "parentcaller": "0x7ff6c28d8f00",
            "category": "windows",
            "api": "PostMessageW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "WindowHandle",
                "value": "0x000203fa"
              },
              {
                "name": "Message",
                "value": "0x000004e1"
              }
            ],
            "repeated": 0,
            "id": 20940
          },
          {
            "timestamp": "2026-05-28 22:02:12,381",
            "thread_id": "1496",
            "caller": "0x7ff6c2958576",
            "parentcaller": "0x7ff6c2957a42",
            "category": "misc",
            "api": "NtQuerySystemInformation",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SystemInformationClass",
                "value": "3",
                "pretty_value": "SystemTimeOfDayInformation"
              }
            ],
            "repeated": 0,
            "id": 20941
          },
          {
            "timestamp": "2026-05-28 22:02:12,412",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6fb1",
            "parentcaller": "0x7ff6c28e0076",
            "category": "system",
            "api": "NtDelayExecution",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 20942
          },
          {
            "timestamp": "2026-05-28 22:02:12,428",
            "thread_id": "5448",
            "caller": "0x7ff6c28c05ac",
            "parentcaller": "0x7ff6c28bdc11",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a84"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001400",
                "pretty_value": "PROCESS_QUERY_INFORMATION|PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "10720"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\148.0.3967.83\\identity_helper.exe"
              }
            ],
            "repeated": 0,
            "id": 20943
          },
          {
            "timestamp": "2026-05-28 22:02:12,428",
            "thread_id": "5448",
            "caller": "0x7ff6c28c068f",
            "parentcaller": "0x7ff6c28bdc11",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a84"
              }
            ],
            "repeated": 0,
            "id": 20944
          },
          {
            "timestamp": "2026-05-28 22:02:12,428",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c3e56",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a84"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001000",
                "pretty_value": "PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "10720"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\148.0.3967.83\\identity_helper.exe"
              }
            ],
            "repeated": 0,
            "id": 20945
          },
          {
            "timestamp": "2026-05-28 22:02:12,428",
            "thread_id": "5448",
            "caller": "0x7ff6c28c3ebb",
            "parentcaller": "0x7ff6c28c2d53",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a84"
              }
            ],
            "repeated": 0,
            "id": 20946
          },
          {
            "timestamp": "2026-05-28 22:02:12,428",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c3ffc",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a84"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001000",
                "pretty_value": "PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "10720"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\148.0.3967.83\\identity_helper.exe"
              }
            ],
            "repeated": 0,
            "id": 20947
          },
          {
            "timestamp": "2026-05-28 22:02:12,428",
            "thread_id": "5448",
            "caller": "0x7ff6c28c4224",
            "parentcaller": "0x7ff6c28c2da5",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a84"
              }
            ],
            "repeated": 0,
            "id": 20948
          },
          {
            "timestamp": "2026-05-28 22:02:12,428",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a84"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000400",
                "pretty_value": "PROCESS_QUERY_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "7912"
              }
            ],
            "repeated": 0,
            "id": 20949
          },
          {
            "timestamp": "2026-05-28 22:02:12,428",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x00000ab0"
              }
            ],
            "repeated": 0,
            "id": 20950
          },
          {
            "timestamp": "2026-05-28 22:02:12,428",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "`\\xd8\\xdf\\x9d\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\xe9\\x03\\x00\\x00\\xfc\\x7f\\x00\\x00`^\\xe8S\\x92\\x02\\x00\\x00\\xe0\\xde\\xdf\\x9d\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xa1\\x00\\x00\\x00\\x00\\x00\\x00\\x00H\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 20951
          },
          {
            "timestamp": "2026-05-28 22:02:12,428",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "synchronization",
            "api": "NtCreateMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a9c"
              },
              {
                "name": "MutexName",
                "value": "Global\\C::Users:admin:AppData:Local:Microsoft:Windows:Explorer:iconcache_idx.db!rwReaderRefs"
              },
              {
                "name": "InitialOwner",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 20952
          },
          {
            "timestamp": "2026-05-28 22:02:12,428",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000ab0"
              }
            ],
            "repeated": 0,
            "id": 20953
          },
          {
            "timestamp": "2026-05-28 22:02:12,428",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a84"
              }
            ],
            "repeated": 0,
            "id": 20954
          },
          {
            "timestamp": "2026-05-28 22:02:12,428",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000808"
              },
              {
                "name": "HandleName",
                "value": "C:\\Users\\admin\\AppData\\Local\\Microsoft\\Windows\\Explorer\\iconcache_idx.db"
              },
              {
                "name": "FileInformationClass",
                "value": "5",
                "pretty_value": "FileStandardInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\x00\\x80\\x00\\x00\\x00\\x00\\x00\\x000r\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 20955
          },
          {
            "timestamp": "2026-05-28 22:02:12,428",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a9c"
              }
            ],
            "repeated": 0,
            "id": 20956
          },
          {
            "timestamp": "2026-05-28 22:02:12,428",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a9c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000400",
                "pretty_value": "PROCESS_QUERY_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "7912"
              }
            ],
            "repeated": 0,
            "id": 20957
          },
          {
            "timestamp": "2026-05-28 22:02:12,428",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x00000a84"
              }
            ],
            "repeated": 0,
            "id": 20958
          },
          {
            "timestamp": "2026-05-28 22:02:12,428",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "p\\xd8\\xdf\\x9d\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\xe9\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xbc\\x07\\x00\\x00\\x00\\x00\\x00\\x00 \\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x02\\x00\\x00\\x00\\x00\\x00\\x00]\\xddmu\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xea5\\x07Ou\\xc0\\x00\\x00\\xe8\\xf6\\x8eT\\x92\\x02\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 20959
          },
          {
            "timestamp": "2026-05-28 22:02:12,428",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "synchronization",
            "api": "NtCreateMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000ab0"
              },
              {
                "name": "MutexName",
                "value": "Global\\C::Users:admin:AppData:Local:Microsoft:Windows:Explorer:iconcache_idx.db!rwReaderRefs"
              },
              {
                "name": "InitialOwner",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 20960
          },
          {
            "timestamp": "2026-05-28 22:02:12,428",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a84"
              }
            ],
            "repeated": 0,
            "id": 20961
          },
          {
            "timestamp": "2026-05-28 22:02:12,428",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a9c"
              }
            ],
            "repeated": 0,
            "id": 20962
          },
          {
            "timestamp": "2026-05-28 22:02:12,428",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000ab0"
              }
            ],
            "repeated": 0,
            "id": 20963
          },
          {
            "timestamp": "2026-05-28 22:02:12,428",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\program files (x86)\\microsoft\\Edge\\application\\148.0.3967.83\\identity_helper.exe"
              }
            ],
            "repeated": 1,
            "id": 20964
          },
          {
            "timestamp": "2026-05-28 22:02:12,428",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x292514d0002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "c:\\program files (x86)\\microsoft\\edge\\application\\148.0.3967.83\\identity_helper.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 20965
          },
          {
            "timestamp": "2026-05-28 22:02:12,428",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": false,
            "return": "0xffffffffc000003a",
            "pretty_return": "OBJECT_PATH_NOT_FOUND",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100001",
                "pretty_value": "FILE_READ_ACCESS|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\program files (x86)\\microsoft\\Edge\\application\\SystemResources\\identity_helper.exe.mun"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 20966
          },
          {
            "timestamp": "2026-05-28 22:02:12,428",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x292514d0000"
              },
              {
                "name": "RegionSize",
                "value": "0x0028c000"
              }
            ],
            "repeated": 0,
            "id": 20967
          },
          {
            "timestamp": "2026-05-28 22:02:12,428",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\imageres.dll"
              }
            ],
            "repeated": 1,
            "id": 20968
          },
          {
            "timestamp": "2026-05-28 22:02:12,428",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x292514b0002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\system32\\imageres.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 20969
          },
          {
            "timestamp": "2026-05-28 22:02:12,428",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "registry",
            "api": "NtOpenKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\en-US"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\en-US"
              }
            ],
            "repeated": 0,
            "id": 20970
          },
          {
            "timestamp": "2026-05-28 22:02:12,428",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000ab0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100001",
                "pretty_value": "FILE_READ_ACCESS|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\en-US\\imageres.dll.mui"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 20971
          },
          {
            "timestamp": "2026-05-28 22:02:12,428",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000a9c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000ab0"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\en-US\\imageres.dll.mui"
              }
            ],
            "repeated": 0,
            "id": 20972
          },
          {
            "timestamp": "2026-05-28 22:02:12,428",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000a9c"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x292514d0000"
              },
              {
                "name": "SectionOffset",
                "value": "0xf09ddfb7f0"
              },
              {
                "name": "ViewSize",
                "value": "0x00001000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 20973
          },
          {
            "timestamp": "2026-05-28 22:02:12,428",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a9c"
              }
            ],
            "repeated": 0,
            "id": 20974
          },
          {
            "timestamp": "2026-05-28 22:02:12,428",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": false,
            "return": "0xffffffffc000003a",
            "pretty_return": "OBJECT_PATH_NOT_FOUND",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100001",
                "pretty_value": "FILE_READ_ACCESS|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\SystemResources\\imageres.dll.mui.mun"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 20975
          },
          {
            "timestamp": "2026-05-28 22:02:12,428",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000a9c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100001",
                "pretty_value": "FILE_READ_ACCESS|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\SystemResources\\imageres.dll.mun"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 20976
          },
          {
            "timestamp": "2026-05-28 22:02:12,428",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000a84"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000a9c"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\SystemResources\\imageres.dll.mun"
              }
            ],
            "repeated": 0,
            "id": 20977
          },
          {
            "timestamp": "2026-05-28 22:02:12,428",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000a84"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29256120000"
              },
              {
                "name": "SectionOffset",
                "value": "0xf09ddfb7a0"
              },
              {
                "name": "ViewSize",
                "value": "0x013c0000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 20978
          },
          {
            "timestamp": "2026-05-28 22:02:12,428",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a84"
              }
            ],
            "repeated": 0,
            "id": 20979
          },
          {
            "timestamp": "2026-05-28 22:02:12,428",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "misc",
            "api": "FindResourceExW",
            "status": true,
            "return": "0x29256142e40",
            "arguments": [
              {
                "name": "Module",
                "value": "0x292514b0002"
              },
              {
                "name": "Type",
                "value": "#14"
              },
              {
                "name": "Name",
                "value": "#15"
              },
              {
                "name": "Language",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 20980
          },
          {
            "timestamp": "2026-05-28 22:02:12,428",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "misc",
            "api": "LoadResource",
            "status": true,
            "return": "0x292561b6950",
            "arguments": [
              {
                "name": "Module",
                "value": "0x292514b0002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29256142e40"
              }
            ],
            "repeated": 0,
            "id": 20981
          },
          {
            "timestamp": "2026-05-28 22:02:12,428",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "misc",
            "api": "FindResourceExW",
            "status": true,
            "return": "0x29256138940",
            "arguments": [
              {
                "name": "Module",
                "value": "0x292514b0002"
              },
              {
                "name": "Type",
                "value": "#3"
              },
              {
                "name": "Name",
                "value": "#63"
              },
              {
                "name": "Language",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 20982
          },
          {
            "timestamp": "2026-05-28 22:02:12,428",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "misc",
            "api": "SizeofResource",
            "status": true,
            "return": "0x00000468",
            "arguments": [
              {
                "name": "ModuleHandle",
                "value": "0x292514b0002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29256138940"
              }
            ],
            "repeated": 0,
            "id": 20983
          },
          {
            "timestamp": "2026-05-28 22:02:12,428",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "misc",
            "api": "LoadResource",
            "status": true,
            "return": "0x292561b64e8",
            "arguments": [
              {
                "name": "Module",
                "value": "0x292514b0002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29256138940"
              }
            ],
            "repeated": 0,
            "id": 20984
          },
          {
            "timestamp": "2026-05-28 22:02:12,428",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29256120000"
              },
              {
                "name": "RegionSize",
                "value": "0x013c0000"
              }
            ],
            "repeated": 0,
            "id": 20985
          },
          {
            "timestamp": "2026-05-28 22:02:12,428",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a9c"
              }
            ],
            "repeated": 0,
            "id": 20986
          },
          {
            "timestamp": "2026-05-28 22:02:12,428",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x292514d0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              }
            ],
            "repeated": 0,
            "id": 20987
          },
          {
            "timestamp": "2026-05-28 22:02:12,428",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000ab0"
              }
            ],
            "repeated": 0,
            "id": 20988
          },
          {
            "timestamp": "2026-05-28 22:02:12,428",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x292514b0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00003000"
              }
            ],
            "repeated": 0,
            "id": 20989
          },
          {
            "timestamp": "2026-05-28 22:02:12,428",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x292514d0002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\148.0.3967.83\\identity_helper.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 20990
          },
          {
            "timestamp": "2026-05-28 22:02:12,428",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x292514d0000"
              },
              {
                "name": "RegionSize",
                "value": "0x0028c000"
              }
            ],
            "repeated": 0,
            "id": 20991
          },
          {
            "timestamp": "2026-05-28 22:02:12,428",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x292514d0002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\148.0.3967.83\\identity_helper.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 20992
          },
          {
            "timestamp": "2026-05-28 22:02:12,428",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x292514d0000"
              },
              {
                "name": "RegionSize",
                "value": "0x0028c000"
              }
            ],
            "repeated": 0,
            "id": 20993
          },
          {
            "timestamp": "2026-05-28 22:02:12,428",
            "thread_id": "5448",
            "caller": "0x7ff6c28c3b16",
            "parentcaller": "0x7ff6c28c30e8",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000ab0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000400",
                "pretty_value": "PROCESS_QUERY_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "10720"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\148.0.3967.83\\identity_helper.exe"
              }
            ],
            "repeated": 0,
            "id": 20994
          },
          {
            "timestamp": "2026-05-28 22:02:12,428",
            "thread_id": "5448",
            "caller": "0x7ff6c28c3b8f",
            "parentcaller": "0x7ff6c28c30e8",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000ab0"
              }
            ],
            "repeated": 0,
            "id": 20995
          },
          {
            "timestamp": "2026-05-28 22:02:12,443",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6fb1",
            "parentcaller": "0x7ff6c28e0076",
            "category": "system",
            "api": "NtDelayExecution",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 20996
          },
          {
            "timestamp": "2026-05-28 22:02:12,443",
            "thread_id": "1496",
            "caller": "0x7ff6c28da9db",
            "parentcaller": "0x7ff6c28d6fb1",
            "category": "misc",
            "api": "GetCursorPos",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "x",
                "value": "1097"
              },
              {
                "name": "y",
                "value": "658"
              }
            ],
            "repeated": 0,
            "id": 20997
          },
          {
            "timestamp": "2026-05-28 22:02:12,459",
            "thread_id": "1496",
            "caller": "0x7ff6c28da9db",
            "parentcaller": "0x7ff6c28d6fb1",
            "category": "misc",
            "api": "GetCursorPos",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "x",
                "value": "1094"
              },
              {
                "name": "y",
                "value": "658"
              }
            ],
            "repeated": 0,
            "id": 20998
          },
          {
            "timestamp": "2026-05-28 22:02:12,459",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6fb1",
            "parentcaller": "0x7ff6c28e0076",
            "category": "system",
            "api": "NtDelayExecution",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 20999
          },
          {
            "timestamp": "2026-05-28 22:02:12,459",
            "thread_id": "1496",
            "caller": "0x7ff6c28da9db",
            "parentcaller": "0x7ff6c28d6fb1",
            "category": "misc",
            "api": "GetCursorPos",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "x",
                "value": "1092"
              },
              {
                "name": "y",
                "value": "657"
              }
            ],
            "repeated": 0,
            "id": 21000
          },
          {
            "timestamp": "2026-05-28 22:02:12,459",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6fb1",
            "parentcaller": "0x7ff6c28e0076",
            "category": "system",
            "api": "NtDelayExecution",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 21001
          },
          {
            "timestamp": "2026-05-28 22:02:12,459",
            "thread_id": "1496",
            "caller": "0x7ff6c28da9db",
            "parentcaller": "0x7ff6c28d6fb1",
            "category": "misc",
            "api": "GetCursorPos",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "x",
                "value": "1089"
              },
              {
                "name": "y",
                "value": "657"
              }
            ],
            "repeated": 0,
            "id": 21002
          },
          {
            "timestamp": "2026-05-28 22:02:12,459",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6fb1",
            "parentcaller": "0x7ff6c28e0076",
            "category": "system",
            "api": "NtDelayExecution",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 21003
          },
          {
            "timestamp": "2026-05-28 22:02:12,459",
            "thread_id": "1496",
            "caller": "0x7ff6c28da9db",
            "parentcaller": "0x7ff6c28d6fb1",
            "category": "misc",
            "api": "GetCursorPos",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "x",
                "value": "1088"
              },
              {
                "name": "y",
                "value": "656"
              }
            ],
            "repeated": 0,
            "id": 21004
          },
          {
            "timestamp": "2026-05-28 22:02:12,459",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6fb1",
            "parentcaller": "0x7ff6c28e0076",
            "category": "system",
            "api": "NtDelayExecution",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 21005
          },
          {
            "timestamp": "2026-05-28 22:02:12,475",
            "thread_id": "1496",
            "caller": "0x7ff6c28da9db",
            "parentcaller": "0x7ff6c28d6fb1",
            "category": "misc",
            "api": "GetCursorPos",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "x",
                "value": "1086"
              },
              {
                "name": "y",
                "value": "656"
              }
            ],
            "repeated": 0,
            "id": 21006
          },
          {
            "timestamp": "2026-05-28 22:02:12,475",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6fb1",
            "parentcaller": "0x7ff6c28e0076",
            "category": "system",
            "api": "NtDelayExecution",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 21007
          },
          {
            "timestamp": "2026-05-28 22:02:12,475",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c38f8",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000ab0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001410",
                "pretty_value": "PROCESS_VM_READ|PROCESS_QUERY_INFORMATION|PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "10720"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\148.0.3967.83\\identity_helper.exe"
              }
            ],
            "repeated": 0,
            "id": 21008
          },
          {
            "timestamp": "2026-05-28 22:02:12,475",
            "thread_id": "5448",
            "caller": "0x7ff6c28c53e5",
            "parentcaller": "0x7ff6c28c3945",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000ab0"
              },
              {
                "name": "BaseAddress",
                "value": "0xb8f7be5000"
              },
              {
                "name": "Size",
                "value": "0x000007c8"
              },
              {
                "name": "Buffer",
                "value": "\\x00\\x00\\x00\\x14\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\xa9l\\xf6\\x7f\\x00\\x00\\xc0\\xc4\\x13x\\xfc\\x7f\\x00\\x00@7@e\\xa3\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00*e\\xa3\\x02\\x00\\x00\\xe0\\xc0\\x13x\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00p\\x003v\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00$e\\xa3\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00@\\xc4\\x13x\\xfc\\x7f\\x00\\x00\\xff\\xff\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00L\\x80\\xf4}\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00P\\x07L\\x80\\xf4}\\x00\\x00\\x00\\x00`\\x82\\xf5}\\x00\\x00(\\x02a\\x82\\xf5}\\x00\\x00P\\x06b\\x82\\xf5}\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x80\\x9b\\x07m\\xe8\\xff\\xff\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x00 \\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\x05\\x00\\x00\\x00\\x10\\x00\\x00\\x00@\\xad\\x13x\\xfc\\x7f\\x00\\x00\\x00\\x00\\x80e\\xa3\\x02\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 21009
          },
          {
            "timestamp": "2026-05-28 22:02:12,475",
            "thread_id": "5448",
            "caller": "0x7ff6c28c5414",
            "parentcaller": "0x7ff6c28c3945",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000ab0"
              },
              {
                "name": "BaseAddress",
                "value": "0x2a365403740"
              },
              {
                "name": "Size",
                "value": "0x00000440"
              },
              {
                "name": "Buffer",
                "value": "\\xc8\\x0c\\x00\\x00\\xc8\\x0c\\x00\\x00\\x01`\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x80\\x00\\x08\\x02\\x00\\x00\\x00\\x00\\x80H@e\\xa3\\x02\\x00\\x00D\\x00\\x00\\x00\\x00\\x00\\x00\\x00d\\x00f\\x00\\x00\\x00\\x00\\x00\\x88=@e\\xa3\\x02\\x00\\x00\\xa6\\x00\\xa8\\x00\\x00\\x00\\x00\\x00\\xee=@e\\xa3\\x02\\x00\\x00\\xa6\\x04\\xa8\\x04\\x00\\x00\\x00\\x00\\x96>@e\\xa3\\x02\\x00\\x00\\xf0'@e\\xa3\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x81\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xa6\\x00\\xa8\\x00\\x00\\x00\\x00\\x00>C@e\\xa3\\x02\\x00\\x00\\x1e\\x00 \\x00\\x00\\x00\\x00\\x00\\xe6C@e\\xa3\\x02\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x06D@e\\xa3\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 21010
          },
          {
            "timestamp": "2026-05-28 22:02:12,475",
            "thread_id": "5448",
            "caller": "0x7ff6c28c545d",
            "parentcaller": "0x7ff6c28c3945",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000ab0"
              },
              {
                "name": "BaseAddress",
                "value": "0x2a365403e96"
              },
              {
                "name": "Size",
                "value": "0x000004a6"
              },
              {
                "name": "Buffer",
                "value": "\"\\x00C\\x00:\\x00\\\\x00P\\x00r\\x00o\\x00g\\x00r\\x00a\\x00m\\x00 \\x00F\\x00i\\x00l\\x00e\\x00s\\x00 \\x00(\\x00x\\x008\\x006\\x00)\\x00\\\\x00M\\x00i\\x00c\\x00r\\x00o\\x00s\\x00o\\x00f\\x00t\\x00\\\\x00E\\x00d\\x00g\\x00e\\x00\\\\x00A\\x00p\\x00p\\x00l\\x00i\\x00c\\x00a\\x00t\\x00i\\x00o\\x00n\\x00\\\\x001\\x004\\x008\\x00.\\x000\\x00.\\x003\\x009\\x006\\x007\\x00.\\x008\\x003\\x00\\\\x00i\\x00d\\x00e\\x00n\\x00t\\x00i\\x00t\\x00y\\x00_\\x00h\\x00e\\x00l\\x00p\\x00e\\x00r\\x00.\\x00e\\x00x\\x00e\\x00\"\\x00 \\x00-\\x00-\\x00t\\x00y\\x00p\\x00e\\x00=\\x00u\\x00t\\x00i\\x00l\\x00i\\x00t\\x00y\\x00 \\x00-\\x00-\\x00u\\x00t\\x00i\\x00l\\x00i\\x00t\\x00y\\x00-\\x00s\\x00u\\x00b\\x00-\\x00t\\x00y\\x00p\\x00e\\x00=\\x00w\\x00i\\x00n\\x00r\\x00t\\x00_\\x00a\\x00p\\x00"
              }
            ],
            "repeated": 0,
            "id": 21011
          },
          {
            "timestamp": "2026-05-28 22:02:12,475",
            "thread_id": "5448",
            "caller": "0x7ff6c28c39ad",
            "parentcaller": "0x7ff6c28c31bb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000ab0"
              }
            ],
            "repeated": 0,
            "id": 21012
          },
          {
            "timestamp": "2026-05-28 22:02:12,475",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c3746",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000ab0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001000",
                "pretty_value": "PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "10720"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\148.0.3967.83\\identity_helper.exe"
              }
            ],
            "repeated": 0,
            "id": 21013
          },
          {
            "timestamp": "2026-05-28 22:02:12,475",
            "thread_id": "5448",
            "caller": "0x7ff6c28c472e",
            "parentcaller": "0x7ff6c28c375e",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000ab0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x00000a9c"
              }
            ],
            "repeated": 0,
            "id": 21014
          },
          {
            "timestamp": "2026-05-28 22:02:12,475",
            "thread_id": "5448",
            "caller": "0x7ff6c28c4764",
            "parentcaller": "0x7ff6c28c375e",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "39"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 21015
          },
          {
            "timestamp": "2026-05-28 22:02:12,475",
            "thread_id": "5448",
            "caller": "0x7ff6c28c47ed",
            "parentcaller": "0x7ff6c28c375e",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "39"
              },
              {
                "name": "TokenInformation",
                "value": "\\x01\\x00\\x00\\x00\\x04\\x00\\x00\\x00`\\xa4sT\\x92\\x02\\x00\\x00\\x1c\\x00\\x1c\\x00\\x00\\x00\\x00\\x00\\x00\\xa5sT\\x92\\x02\\x00\\x00\\x03\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00 \\xa5sT\\x92\\x02\\x00\\x00\\x12\\x00\\x12\\x00\\x00\\x00\\x00\\x004\\xa6sT\\x92\\x02\\x00\\x00\\x02\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00H\\xa6sT\\x92\\x02\\x00\\x00\\x1e\\x00\\x1e\\x00\\x00\\x00\\x00\\x00P\\xa6sT\\x92\\x02\\x00\\x00\\x02\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00p\\xa6sT\\x92\\x02\\x00\\x00 \\x00 \\x00\\x00\\x00\\x00\\x00x\\xa6sT\\x92\\x02\\x00\\x00\\x02\\x00\\x00\\x00A\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x98\\xa6sT\\x92\\x02\\x00\\x00W\\x00I\\x00N\\x00:\\x00/\\x00/\\x00S\\x00Y\\x00S\\x00A\\x00P\\x00P\\x00I\\x00D\\x00\\x00\\x00\\x00\\x00\\x86\\x00\\x86\\x00\\x00\\x00\\x00\\x00P\\xa5sT\\x92\\x02\\x00\\x00\\x06\\x00\\x06\\x00\\x00\\x00\\x00\\x00\\xd6\\xa5sT\\x92\\x02\\x00\\x00X\\x00X\\x00\\x00\\x00\\x00\\x00\\xdc\\xa5sT\\x92\\x02\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 21016
          },
          {
            "timestamp": "2026-05-28 22:02:12,475",
            "thread_id": "5448",
            "caller": "0x7ff6c28c488d",
            "parentcaller": "0x7ff6c28c375e",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a9c"
              }
            ],
            "repeated": 0,
            "id": 21017
          },
          {
            "timestamp": "2026-05-28 22:02:12,475",
            "thread_id": "5448",
            "caller": "0x7ff6c28c3779",
            "parentcaller": "0x7ff6c28c31c6",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000ab0"
              }
            ],
            "repeated": 0,
            "id": 21018
          },
          {
            "timestamp": "2026-05-28 22:02:12,475",
            "thread_id": "1496",
            "caller": "0x7ff6c28da9db",
            "parentcaller": "0x7ff6c28d6fb1",
            "category": "misc",
            "api": "GetCursorPos",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "x",
                "value": "1083"
              },
              {
                "name": "y",
                "value": "655"
              }
            ],
            "repeated": 0,
            "id": 21019
          },
          {
            "timestamp": "2026-05-28 22:02:12,475",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6fb1",
            "parentcaller": "0x7ff6c28e0076",
            "category": "system",
            "api": "NtDelayExecution",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 21020
          },
          {
            "timestamp": "2026-05-28 22:02:12,475",
            "thread_id": "1496",
            "caller": "0x7ff6c28da9db",
            "parentcaller": "0x7ff6c28d6fb1",
            "category": "misc",
            "api": "GetCursorPos",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "x",
                "value": "1081"
              },
              {
                "name": "y",
                "value": "655"
              }
            ],
            "repeated": 0,
            "id": 21021
          },
          {
            "timestamp": "2026-05-28 22:02:12,475",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6fb1",
            "parentcaller": "0x7ff6c28e0076",
            "category": "system",
            "api": "NtDelayExecution",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 21022
          },
          {
            "timestamp": "2026-05-28 22:02:12,475",
            "thread_id": "1496",
            "caller": "0x7ff6c28da9db",
            "parentcaller": "0x7ff6c28d6fb1",
            "category": "misc",
            "api": "GetCursorPos",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "x",
                "value": "1080"
              },
              {
                "name": "y",
                "value": "654"
              }
            ],
            "repeated": 0,
            "id": 21023
          },
          {
            "timestamp": "2026-05-28 22:02:12,475",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6fb1",
            "parentcaller": "0x7ff6c28e0076",
            "category": "system",
            "api": "NtDelayExecution",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 21024
          },
          {
            "timestamp": "2026-05-28 22:02:12,490",
            "thread_id": "1496",
            "caller": "0x7ff6c28da9db",
            "parentcaller": "0x7ff6c28d6fb1",
            "category": "misc",
            "api": "GetCursorPos",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "x",
                "value": "1078"
              },
              {
                "name": "y",
                "value": "654"
              }
            ],
            "repeated": 0,
            "id": 21025
          },
          {
            "timestamp": "2026-05-28 22:02:12,490",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6fb1",
            "parentcaller": "0x7ff6c28e0076",
            "category": "system",
            "api": "NtDelayExecution",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 21026
          },
          {
            "timestamp": "2026-05-28 22:02:12,490",
            "thread_id": "1496",
            "caller": "0x7ff6c28da9db",
            "parentcaller": "0x7ff6c28d6fb1",
            "category": "misc",
            "api": "GetCursorPos",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "x",
                "value": "1075"
              },
              {
                "name": "y",
                "value": "654"
              }
            ],
            "repeated": 0,
            "id": 21027
          },
          {
            "timestamp": "2026-05-28 22:02:12,490",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6fb1",
            "parentcaller": "0x7ff6c28e0076",
            "category": "system",
            "api": "NtDelayExecution",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 21028
          },
          {
            "timestamp": "2026-05-28 22:02:12,490",
            "thread_id": "1496",
            "caller": "0x7ff6c28da9db",
            "parentcaller": "0x7ff6c28d6fb1",
            "category": "misc",
            "api": "GetCursorPos",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "x",
                "value": "1072"
              },
              {
                "name": "y",
                "value": "653"
              }
            ],
            "repeated": 0,
            "id": 21029
          },
          {
            "timestamp": "2026-05-28 22:02:12,490",
            "thread_id": "1496",
            "caller": "0x7ff6c28da9db",
            "parentcaller": "0x7ff6c28d6fb1",
            "category": "misc",
            "api": "GetCursorPos",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "x",
                "value": "1070"
              },
              {
                "name": "y",
                "value": "652"
              }
            ],
            "repeated": 0,
            "id": 21030
          },
          {
            "timestamp": "2026-05-28 22:02:12,490",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6fb1",
            "parentcaller": "0x7ff6c28e0076",
            "category": "system",
            "api": "NtDelayExecution",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 21031
          },
          {
            "timestamp": "2026-05-28 22:02:12,490",
            "thread_id": "1496",
            "caller": "0x7ff6c28da9db",
            "parentcaller": "0x7ff6c28d6fb1",
            "category": "misc",
            "api": "GetCursorPos",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "x",
                "value": "1068"
              },
              {
                "name": "y",
                "value": "652"
              }
            ],
            "repeated": 0,
            "id": 21032
          },
          {
            "timestamp": "2026-05-28 22:02:12,490",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6fb1",
            "parentcaller": "0x7ff6c28e0076",
            "category": "system",
            "api": "NtDelayExecution",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 21033
          },
          {
            "timestamp": "2026-05-28 22:02:12,521",
            "thread_id": "1276",
            "caller": "0x7ffc77bf0e98",
            "parentcaller": "0x7ffc77c6b785",
            "category": "windows",
            "api": "PostMessageW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "WindowHandle",
                "value": "0x00010424"
              },
              {
                "name": "Message",
                "value": "0x00000400"
              }
            ],
            "repeated": 0,
            "id": 21034
          },
          {
            "timestamp": "2026-05-28 22:02:12,521",
            "thread_id": "7832",
            "caller": "0x7ff6c28b3bb5",
            "parentcaller": "0x00000000",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x292546fa000"
              },
              {
                "name": "RegionSize",
                "value": "0x00007000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 21035
          },
          {
            "timestamp": "2026-05-28 22:02:12,521",
            "thread_id": "1276",
            "caller": "0x7ff6c28d9214",
            "parentcaller": "0x00000000",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "0",
                "pretty_value": "ThreadBasicInformation"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x03\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xd0\\x87\\x9d\\xf0\\x00\\x00\\x00\\xe8\\x1e\\x00\\x00\\x00\\x00\\x00\\x00\\xfc\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\n\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "1276"
              }
            ],
            "repeated": 0,
            "id": 21036
          },
          {
            "timestamp": "2026-05-28 22:02:12,521",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000000",
                "pretty_value": "HKEY_CLASSES_ROOT"
              },
              {
                "name": "SubKey",
                "value": "CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_CLASSES_ROOT\\CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              }
            ],
            "repeated": 0,
            "id": 21037
          },
          {
            "timestamp": "2026-05-28 22:02:12,521",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "shell32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76730000"
              }
            ],
            "repeated": 0,
            "id": 21038
          },
          {
            "timestamp": "2026-05-28 22:02:12,521",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x7ffc76730000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "shell32.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 21039
          },
          {
            "timestamp": "2026-05-28 22:02:12,521",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "SHELL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc76730000"
              },
              {
                "name": "FunctionName",
                "value": "DllGetClassObject"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc767878f0"
              }
            ],
            "repeated": 0,
            "id": 21040
          },
          {
            "timestamp": "2026-05-28 22:02:12,521",
            "thread_id": "1276",
            "caller": "0x7ff6c28c27c9",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "synchronization",
            "api": "NtFindAtom",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "AtomName",
                "value": "{57086C23-86C6-478F-AFB2-236188C8F47F} 3"
              },
              {
                "name": "Atom",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 21041
          },
          {
            "timestamp": "2026-05-28 22:02:12,521",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000000",
                "pretty_value": "HKEY_CLASSES_ROOT"
              },
              {
                "name": "SubKey",
                "value": "CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_CLASSES_ROOT\\CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              }
            ],
            "repeated": 0,
            "id": 21042
          },
          {
            "timestamp": "2026-05-28 22:02:12,521",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "shell32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76730000"
              }
            ],
            "repeated": 0,
            "id": 21043
          },
          {
            "timestamp": "2026-05-28 22:02:12,521",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x7ffc76730000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "shell32.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 21044
          },
          {
            "timestamp": "2026-05-28 22:02:12,521",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "SHELL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc76730000"
              },
              {
                "name": "FunctionName",
                "value": "DllGetClassObject"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc767878f0"
              }
            ],
            "repeated": 0,
            "id": 21045
          },
          {
            "timestamp": "2026-05-28 22:02:12,521",
            "thread_id": "1276",
            "caller": "0x7ff6c28c27c9",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "synchronization",
            "api": "NtFindAtom",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "AtomName",
                "value": "{57086C23-86C6-478F-AFB2-236188C8F47F} 3"
              },
              {
                "name": "Atom",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 21046
          },
          {
            "timestamp": "2026-05-28 22:02:12,521",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6fb1",
            "parentcaller": "0x7ff6c28e0076",
            "category": "system",
            "api": "NtDelayExecution",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 21047
          },
          {
            "timestamp": "2026-05-28 22:02:12,521",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000000",
                "pretty_value": "HKEY_CLASSES_ROOT"
              },
              {
                "name": "SubKey",
                "value": "CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_CLASSES_ROOT\\CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              }
            ],
            "repeated": 0,
            "id": 21048
          },
          {
            "timestamp": "2026-05-28 22:02:12,521",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "shell32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76730000"
              }
            ],
            "repeated": 0,
            "id": 21049
          },
          {
            "timestamp": "2026-05-28 22:02:12,521",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x7ffc76730000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "shell32.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 21050
          },
          {
            "timestamp": "2026-05-28 22:02:12,521",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "SHELL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc76730000"
              },
              {
                "name": "FunctionName",
                "value": "DllGetClassObject"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc767878f0"
              }
            ],
            "repeated": 0,
            "id": 21051
          },
          {
            "timestamp": "2026-05-28 22:02:12,521",
            "thread_id": "1276",
            "caller": "0x7ff6c28c27c9",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "synchronization",
            "api": "NtFindAtom",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "AtomName",
                "value": "{57086C23-86C6-478F-AFB2-236188C8F47F} 3"
              },
              {
                "name": "Atom",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 21052
          },
          {
            "timestamp": "2026-05-28 22:02:12,521",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000000",
                "pretty_value": "HKEY_CLASSES_ROOT"
              },
              {
                "name": "SubKey",
                "value": "CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_CLASSES_ROOT\\CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              }
            ],
            "repeated": 0,
            "id": 21053
          },
          {
            "timestamp": "2026-05-28 22:02:12,521",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "shell32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76730000"
              }
            ],
            "repeated": 0,
            "id": 21054
          },
          {
            "timestamp": "2026-05-28 22:02:12,521",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x7ffc76730000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "shell32.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 21055
          },
          {
            "timestamp": "2026-05-28 22:02:12,521",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "SHELL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc76730000"
              },
              {
                "name": "FunctionName",
                "value": "DllGetClassObject"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc767878f0"
              }
            ],
            "repeated": 0,
            "id": 21056
          },
          {
            "timestamp": "2026-05-28 22:02:12,521",
            "thread_id": "1276",
            "caller": "0x7ff6c28c27c9",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "synchronization",
            "api": "NtFindAtom",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "AtomName",
                "value": "{57086C23-86C6-478F-AFB2-236188C8F47F} 3"
              },
              {
                "name": "Atom",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 21057
          },
          {
            "timestamp": "2026-05-28 22:02:12,521",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000000",
                "pretty_value": "HKEY_CLASSES_ROOT"
              },
              {
                "name": "SubKey",
                "value": "CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_CLASSES_ROOT\\CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              }
            ],
            "repeated": 0,
            "id": 21058
          },
          {
            "timestamp": "2026-05-28 22:02:12,521",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "shell32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76730000"
              }
            ],
            "repeated": 0,
            "id": 21059
          },
          {
            "timestamp": "2026-05-28 22:02:12,521",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x7ffc76730000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "shell32.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 21060
          },
          {
            "timestamp": "2026-05-28 22:02:12,521",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "SHELL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc76730000"
              },
              {
                "name": "FunctionName",
                "value": "DllGetClassObject"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc767878f0"
              }
            ],
            "repeated": 0,
            "id": 21061
          },
          {
            "timestamp": "2026-05-28 22:02:12,521",
            "thread_id": "1276",
            "caller": "0x7ff6c28c27c9",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "synchronization",
            "api": "NtFindAtom",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "AtomName",
                "value": "{57086C23-86C6-478F-AFB2-236188C8F47F} 3"
              },
              {
                "name": "Atom",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 21062
          },
          {
            "timestamp": "2026-05-28 22:02:12,521",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000000",
                "pretty_value": "HKEY_CLASSES_ROOT"
              },
              {
                "name": "SubKey",
                "value": "CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_CLASSES_ROOT\\CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              }
            ],
            "repeated": 0,
            "id": 21063
          },
          {
            "timestamp": "2026-05-28 22:02:12,521",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "shell32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76730000"
              }
            ],
            "repeated": 0,
            "id": 21064
          },
          {
            "timestamp": "2026-05-28 22:02:12,521",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x7ffc76730000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "shell32.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 21065
          },
          {
            "timestamp": "2026-05-28 22:02:12,521",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "SHELL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc76730000"
              },
              {
                "name": "FunctionName",
                "value": "DllGetClassObject"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc767878f0"
              }
            ],
            "repeated": 0,
            "id": 21066
          },
          {
            "timestamp": "2026-05-28 22:02:12,521",
            "thread_id": "1276",
            "caller": "0x7ff6c28c27c9",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "synchronization",
            "api": "NtFindAtom",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "AtomName",
                "value": "{57086C23-86C6-478F-AFB2-236188C8F47F} 3"
              },
              {
                "name": "Atom",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 21067
          },
          {
            "timestamp": "2026-05-28 22:02:12,521",
            "thread_id": "1276",
            "caller": "0x7ff6c28d9322",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "oleaut32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc77330000"
              }
            ],
            "repeated": 0,
            "id": 21068
          },
          {
            "timestamp": "2026-05-28 22:02:12,521",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c837c",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000ab0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001000",
                "pretty_value": "PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "10720"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\148.0.3967.83\\identity_helper.exe"
              }
            ],
            "repeated": 0,
            "id": 21069
          },
          {
            "timestamp": "2026-05-28 22:02:12,521",
            "thread_id": "5448",
            "caller": "0x7ff6c28c472e",
            "parentcaller": "0x7ff6c28c8392",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000ab0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x00000a9c"
              }
            ],
            "repeated": 0,
            "id": 21070
          },
          {
            "timestamp": "2026-05-28 22:02:12,521",
            "thread_id": "5448",
            "caller": "0x7ff6c28c4764",
            "parentcaller": "0x7ff6c28c8392",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "39"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 21071
          },
          {
            "timestamp": "2026-05-28 22:02:12,521",
            "thread_id": "5448",
            "caller": "0x7ff6c28c47ed",
            "parentcaller": "0x7ff6c28c8392",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "39"
              },
              {
                "name": "TokenInformation",
                "value": "\\x01\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\xd0\\xbboT\\x92\\x02\\x00\\x00\\x1c\\x00\\x1c\\x00\\x00\\x00\\x00\\x00p\\xbcoT\\x92\\x02\\x00\\x00\\x03\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x90\\xbcoT\\x92\\x02\\x00\\x00\\x12\\x00\\x12\\x00\\x00\\x00\\x00\\x00\\xa4\\xbdoT\\x92\\x02\\x00\\x00\\x02\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb8\\xbdoT\\x92\\x02\\x00\\x00\\x1e\\x00\\x1e\\x00\\x00\\x00\\x00\\x00\\xc0\\xbdoT\\x92\\x02\\x00\\x00\\x02\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xe0\\xbdoT\\x92\\x02\\x00\\x00 \\x00 \\x00\\x00\\x00\\x00\\x00\\xe8\\xbdoT\\x92\\x02\\x00\\x00\\x02\\x00\\x00\\x00A\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x08\\xbeoT\\x92\\x02\\x00\\x00W\\x00I\\x00N\\x00:\\x00/\\x00/\\x00S\\x00Y\\x00S\\x00A\\x00P\\x00P\\x00I\\x00D\\x00\\x00\\x00\\x00\\x00\\x86\\x00\\x86\\x00\\x00\\x00\\x00\\x00\\xc0\\xbcoT\\x92\\x02\\x00\\x00\\x06\\x00\\x06\\x00\\x00\\x00\\x00\\x00F\\xbdoT\\x92\\x02\\x00\\x00X\\x00X\\x00\\x00\\x00\\x00\\x00L\\xbdoT\\x92\\x02\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 21072
          },
          {
            "timestamp": "2026-05-28 22:02:12,521",
            "thread_id": "5448",
            "caller": "0x7ff6c28c488d",
            "parentcaller": "0x7ff6c28c8392",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a9c"
              }
            ],
            "repeated": 0,
            "id": 21073
          },
          {
            "timestamp": "2026-05-28 22:02:12,521",
            "thread_id": "5448",
            "caller": "0x7ff6c28c83a8",
            "parentcaller": "0x7ff6c28c8427",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000ab0"
              }
            ],
            "repeated": 0,
            "id": 21074
          },
          {
            "timestamp": "2026-05-28 22:02:12,521",
            "thread_id": "5448",
            "caller": "0x7ff6c28c883e",
            "parentcaller": "0x7ff6c28c846b",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0xfffffffc"
              }
            ],
            "repeated": 0,
            "id": 21075
          },
          {
            "timestamp": "2026-05-28 22:02:12,521",
            "thread_id": "5448",
            "caller": "0x7ff6c28c883e",
            "parentcaller": "0x7ff6c28c846b",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 21076
          },
          {
            "timestamp": "2026-05-28 22:02:12,521",
            "thread_id": "5448",
            "caller": "0x7ff6c28c883e",
            "parentcaller": "0x7ff6c28c846b",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0xfffffffc"
              }
            ],
            "repeated": 0,
            "id": 21077
          },
          {
            "timestamp": "2026-05-28 22:02:12,521",
            "thread_id": "5448",
            "caller": "0x7ff6c28c883e",
            "parentcaller": "0x7ff6c28c846b",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "0",
                "pretty_value": "ThreadBasicInformation"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x03\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xf0\\x86\\x9d\\xf0\\x00\\x00\\x00\\xe8\\x1e\\x00\\x00\\x00\\x00\\x00\\x00H\\x15\\x00\\x00\\x00\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x0e\\x00\\x00\\x00\\x02\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "5448"
              }
            ],
            "repeated": 0,
            "id": 21078
          },
          {
            "timestamp": "2026-05-28 22:02:12,521",
            "thread_id": "3700",
            "caller": "0x7ffc7571ebae",
            "parentcaller": "0x7ffc775f84de",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "0",
                "pretty_value": "ThreadBasicInformation"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x03\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xf0\\x87\\x9d\\xf0\\x00\\x00\\x00\\xe8\\x1e\\x00\\x00\\x00\\x00\\x00\\x00t\\x0e\\x00\\x00\\x00\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x0b\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "3700"
              }
            ],
            "repeated": 0,
            "id": 21079
          },
          {
            "timestamp": "2026-05-28 22:02:12,521",
            "thread_id": "3700",
            "caller": "0x7ffc756e54eb",
            "parentcaller": "0x7ffc6126c697",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 21080
          },
          {
            "timestamp": "2026-05-28 22:02:12,521",
            "thread_id": "3700",
            "caller": "0x7ffc756e54eb",
            "parentcaller": "0x7ffc6126c717",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\xf8\\xe3T\\x92\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\xc0\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\xe9\\x03\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 21081
          },
          {
            "timestamp": "2026-05-28 22:02:12,537",
            "thread_id": "1496",
            "caller": "0x7ff6c28da9db",
            "parentcaller": "0x7ff6c28d6fb1",
            "category": "misc",
            "api": "GetCursorPos",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "x",
                "value": "1050"
              },
              {
                "name": "y",
                "value": "651"
              }
            ],
            "repeated": 1,
            "id": 21082
          },
          {
            "timestamp": "2026-05-28 22:02:12,537",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6fb1",
            "parentcaller": "0x7ff6c28e0076",
            "category": "system",
            "api": "NtDelayExecution",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 21083
          },
          {
            "timestamp": "2026-05-28 22:02:12,537",
            "thread_id": "1496",
            "caller": "0x7ff6c28da9db",
            "parentcaller": "0x7ff6c28d6fb1",
            "category": "misc",
            "api": "GetCursorPos",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "x",
                "value": "1048"
              },
              {
                "name": "y",
                "value": "651"
              }
            ],
            "repeated": 0,
            "id": 21084
          },
          {
            "timestamp": "2026-05-28 22:02:12,537",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6fb1",
            "parentcaller": "0x7ff6c28e0076",
            "category": "system",
            "api": "NtDelayExecution",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 21085
          },
          {
            "timestamp": "2026-05-28 22:02:12,553",
            "thread_id": "1496",
            "caller": "0x7ff6c28da9db",
            "parentcaller": "0x7ff6c28d6fb1",
            "category": "misc",
            "api": "GetCursorPos",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "x",
                "value": "1046"
              },
              {
                "name": "y",
                "value": "650"
              }
            ],
            "repeated": 0,
            "id": 21086
          },
          {
            "timestamp": "2026-05-28 22:02:12,553",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6fb1",
            "parentcaller": "0x7ff6c28e0076",
            "category": "system",
            "api": "NtDelayExecution",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 21087
          },
          {
            "timestamp": "2026-05-28 22:02:12,553",
            "thread_id": "1496",
            "caller": "0x7ff6c28da9db",
            "parentcaller": "0x7ff6c28d6fb1",
            "category": "misc",
            "api": "GetCursorPos",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "x",
                "value": "1044"
              },
              {
                "name": "y",
                "value": "650"
              }
            ],
            "repeated": 0,
            "id": 21088
          },
          {
            "timestamp": "2026-05-28 22:02:12,553",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6fb1",
            "parentcaller": "0x7ff6c28e0076",
            "category": "system",
            "api": "NtDelayExecution",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 21089
          },
          {
            "timestamp": "2026-05-28 22:02:12,553",
            "thread_id": "3700",
            "caller": "0x7ffc77be92b9",
            "parentcaller": "0x7ffc77c2224d",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "00000339-0000-0000-C000-000000000046"
              },
              {
                "name": "ClsContext",
                "value": "0x00000403",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER|CLSCTX_NO_CODE_DOWNLOAD"
              },
              {
                "name": "riid",
                "value": "00000003-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 21090
          },
          {
            "timestamp": "2026-05-28 22:02:12,553",
            "thread_id": "1496",
            "caller": "0x7ff6c28da9db",
            "parentcaller": "0x7ff6c28d6fb1",
            "category": "misc",
            "api": "GetCursorPos",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "x",
                "value": "1042"
              },
              {
                "name": "y",
                "value": "650"
              }
            ],
            "repeated": 0,
            "id": 21091
          },
          {
            "timestamp": "2026-05-28 22:02:12,553",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6fb1",
            "parentcaller": "0x7ff6c28e0076",
            "category": "system",
            "api": "NtDelayExecution",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 21092
          },
          {
            "timestamp": "2026-05-28 22:02:12,553",
            "thread_id": "3700",
            "caller": "0x7ffc77be92b9",
            "parentcaller": "0x7ffc77c2224d",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "00000339-0000-0000-C000-000000000046"
              },
              {
                "name": "ClsContext",
                "value": "0x00000403",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER|CLSCTX_NO_CODE_DOWNLOAD"
              },
              {
                "name": "riid",
                "value": "00000003-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 21093
          },
          {
            "timestamp": "2026-05-28 22:02:12,553",
            "thread_id": "1496",
            "caller": "0x7ff6c28da9db",
            "parentcaller": "0x7ff6c28d6fb1",
            "category": "misc",
            "api": "GetCursorPos",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "x",
                "value": "1041"
              },
              {
                "name": "y",
                "value": "650"
              }
            ],
            "repeated": 0,
            "id": 21094
          },
          {
            "timestamp": "2026-05-28 22:02:12,553",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6fb1",
            "parentcaller": "0x7ff6c28e0076",
            "category": "system",
            "api": "NtDelayExecution",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 21095
          },
          {
            "timestamp": "2026-05-28 22:02:12,568",
            "thread_id": "1496",
            "caller": "0x7ff6c28da9db",
            "parentcaller": "0x7ff6c28d6fb1",
            "category": "misc",
            "api": "GetCursorPos",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "x",
                "value": "1038"
              },
              {
                "name": "y",
                "value": "649"
              }
            ],
            "repeated": 0,
            "id": 21096
          },
          {
            "timestamp": "2026-05-28 22:02:12,568",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6fb1",
            "parentcaller": "0x7ff6c28e0076",
            "category": "system",
            "api": "NtDelayExecution",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 21097
          },
          {
            "timestamp": "2026-05-28 22:02:12,568",
            "thread_id": "1496",
            "caller": "0x7ff6c28da9db",
            "parentcaller": "0x7ff6c28d6fb1",
            "category": "misc",
            "api": "GetCursorPos",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "x",
                "value": "1036"
              },
              {
                "name": "y",
                "value": "649"
              }
            ],
            "repeated": 0,
            "id": 21098
          },
          {
            "timestamp": "2026-05-28 22:02:12,568",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6fb1",
            "parentcaller": "0x7ff6c28e0076",
            "category": "system",
            "api": "NtDelayExecution",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 21099
          },
          {
            "timestamp": "2026-05-28 22:02:12,568",
            "thread_id": "3700",
            "caller": "0x7ffc77be92b9",
            "parentcaller": "0x7ffc77c2224d",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "00000339-0000-0000-C000-000000000046"
              },
              {
                "name": "ClsContext",
                "value": "0x00000403",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER|CLSCTX_NO_CODE_DOWNLOAD"
              },
              {
                "name": "riid",
                "value": "00000003-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 1,
            "id": 21100
          },
          {
            "timestamp": "2026-05-28 22:02:12,568",
            "thread_id": "1496",
            "caller": "0x7ff6c28da9db",
            "parentcaller": "0x7ff6c28d6fb1",
            "category": "misc",
            "api": "GetCursorPos",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "x",
                "value": "1035"
              },
              {
                "name": "y",
                "value": "649"
              }
            ],
            "repeated": 0,
            "id": 21101
          },
          {
            "timestamp": "2026-05-28 22:02:12,568",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6fb1",
            "parentcaller": "0x7ff6c28e0076",
            "category": "system",
            "api": "NtDelayExecution",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 21102
          },
          {
            "timestamp": "2026-05-28 22:02:12,568",
            "thread_id": "3700",
            "caller": "0x7ffc6a6a12d2",
            "parentcaller": "0x7ffc756bdf5c",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache"
              },
              {
                "name": "Handle",
                "value": "0x00000aa0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache"
              }
            ],
            "repeated": 0,
            "id": 21103
          },
          {
            "timestamp": "2026-05-28 22:02:12,568",
            "thread_id": "3700",
            "caller": "0x7ffc6a6a1a81",
            "parentcaller": "0x7ffc6a6a138a",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000aa0"
              },
              {
                "name": "SubKey",
                "value": "Metadata"
              },
              {
                "name": "Handle",
                "value": "0x00000ab4"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\Metadata"
              }
            ],
            "repeated": 0,
            "id": 21104
          },
          {
            "timestamp": "2026-05-28 22:02:12,568",
            "thread_id": "3700",
            "caller": "0x7ffc6a6a1166",
            "parentcaller": "0x7ffc756bf579",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000aa0"
              },
              {
                "name": "SubKey",
                "value": "Package\\Index\\PackageFullName\\Microsoft.MicrosoftEdge.Stable_148.0.3967.83_neutral__8wekyb3d8bbwe"
              },
              {
                "name": "Handle",
                "value": "0x00000ab8"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\Package\\Index\\PackageFullName\\Microsoft.MicrosoftEdge.Stable_148.0.3967.83_neutral__8wekyb3d8bbwe"
              }
            ],
            "repeated": 0,
            "id": 21105
          },
          {
            "timestamp": "2026-05-28 22:02:12,568",
            "thread_id": "3700",
            "caller": "0x7ffc6a6a1732",
            "parentcaller": "0x7ffc756bf7dc",
            "category": "registry",
            "api": "RegEnumKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000ab8"
              },
              {
                "name": "Index",
                "value": "0"
              },
              {
                "name": "Name",
                "value": "b1"
              },
              {
                "name": "Class",
                "value": ""
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\Package\\Index\\PackageFullName\\Microsoft.MicrosoftEdge.Stable_148.0.3967.83_neutral__8wekyb3d8bbwe\\b1"
              }
            ],
            "repeated": 0,
            "id": 21106
          },
          {
            "timestamp": "2026-05-28 22:02:12,568",
            "thread_id": "3700",
            "caller": "0x7ffc6a6a1651",
            "parentcaller": "0x7ffc756bf5fd",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000ab8"
              }
            ],
            "repeated": 0,
            "id": 21107
          },
          {
            "timestamp": "2026-05-28 22:02:12,568",
            "thread_id": "3700",
            "caller": "0x7ffc756e54eb",
            "parentcaller": "0x7ffc75725e2d",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 21108
          },
          {
            "timestamp": "2026-05-28 22:02:12,568",
            "thread_id": "3700",
            "caller": "0x7ffc756e54eb",
            "parentcaller": "0x7ffc75725e8b",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "@\\x06\\xe4T\\x92\\x02\\x00\\x00\\x00\\x00\\x00\\x00i\\x00l\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\xe9\\x03\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 21109
          },
          {
            "timestamp": "2026-05-28 22:02:12,568",
            "thread_id": "3700",
            "caller": "0x7ffc6a6a1166",
            "parentcaller": "0x7ffc756bebe9",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000aa0"
              },
              {
                "name": "SubKey",
                "value": "User\\Index\\UserSid\\S-1-5-21-3968686040-3210279463-847977608-1001"
              },
              {
                "name": "Handle",
                "value": "0x00000ab8"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\User\\Index\\UserSid\\S-1-5-21-3968686040-3210279463-847977608-1001"
              }
            ],
            "repeated": 0,
            "id": 21110
          },
          {
            "timestamp": "2026-05-28 22:02:12,568",
            "thread_id": "3700",
            "caller": "0x7ffc6a6a1732",
            "parentcaller": "0x7ffc756bf7dc",
            "category": "registry",
            "api": "RegEnumKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000ab8"
              },
              {
                "name": "Index",
                "value": "0"
              },
              {
                "name": "Name",
                "value": "3"
              },
              {
                "name": "Class",
                "value": ""
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\User\\Index\\UserSid\\S-1-5-21-3968686040-3210279463-847977608-1001\\3"
              }
            ],
            "repeated": 0,
            "id": 21111
          },
          {
            "timestamp": "2026-05-28 22:02:12,568",
            "thread_id": "3700",
            "caller": "0x7ffc6a6a1651",
            "parentcaller": "0x7ffc756bec6d",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000ab8"
              }
            ],
            "repeated": 0,
            "id": 21112
          },
          {
            "timestamp": "2026-05-28 22:02:12,568",
            "thread_id": "3700",
            "caller": "0x7ffc6a6a1166",
            "parentcaller": "0x7ffc756be9b0",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000aa0"
              },
              {
                "name": "SubKey",
                "value": "PackageExternalLocation\\Index\\UserAndPackage\\3^b1"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\PackageExternalLocation\\Index\\UserAndPackage\\3^b1"
              }
            ],
            "repeated": 0,
            "id": 21113
          },
          {
            "timestamp": "2026-05-28 22:02:12,568",
            "thread_id": "3700",
            "caller": "0x7ffc6a6a1166",
            "parentcaller": "0x7ffc756be9b0",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000aa0"
              },
              {
                "name": "SubKey",
                "value": "PackageExternalLocation\\Index\\UserAndPackage\\0^b1"
              },
              {
                "name": "Handle",
                "value": "0x00000ab8"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\PackageExternalLocation\\Index\\UserAndPackage\\0^b1"
              }
            ],
            "repeated": 0,
            "id": 21114
          },
          {
            "timestamp": "2026-05-28 22:02:12,568",
            "thread_id": "3700",
            "caller": "0x7ffc6a6a1732",
            "parentcaller": "0x7ffc756bf7dc",
            "category": "registry",
            "api": "RegEnumKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000ab8"
              },
              {
                "name": "Index",
                "value": "0"
              },
              {
                "name": "Name",
                "value": "2"
              },
              {
                "name": "Class",
                "value": ""
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\PackageExternalLocation\\Index\\UserAndPackage\\0^b1\\2"
              }
            ],
            "repeated": 0,
            "id": 21115
          },
          {
            "timestamp": "2026-05-28 22:02:12,568",
            "thread_id": "3700",
            "caller": "0x7ffc6a6a1651",
            "parentcaller": "0x7ffc7576ed38",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000ab8"
              }
            ],
            "repeated": 0,
            "id": 21116
          },
          {
            "timestamp": "2026-05-28 22:02:12,568",
            "thread_id": "3700",
            "caller": "0x7ffc6a6a1166",
            "parentcaller": "0x7ffc757be300",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000aa0"
              },
              {
                "name": "SubKey",
                "value": "PackageExternalLocation\\Data\\2"
              },
              {
                "name": "Handle",
                "value": "0x00000ab8"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\PackageExternalLocation\\Data\\2"
              }
            ],
            "repeated": 0,
            "id": 21117
          },
          {
            "timestamp": "2026-05-28 22:02:12,568",
            "thread_id": "3700",
            "caller": "0x7ffc6a6a15ac",
            "parentcaller": "0x7ffc6a6a14ff",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000ab8"
              },
              {
                "name": "ValueName",
                "value": "Path"
              },
              {
                "name": "Data",
                "value": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\PackageExternalLocation\\Data\\2\\Path"
              }
            ],
            "repeated": 0,
            "id": 21118
          },
          {
            "timestamp": "2026-05-28 22:02:12,568",
            "thread_id": "3700",
            "caller": "0x7ffc6a6a1651",
            "parentcaller": "0x7ffc757bdfaf",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000ab8"
              }
            ],
            "repeated": 0,
            "id": 21119
          },
          {
            "timestamp": "2026-05-28 22:02:12,568",
            "thread_id": "3700",
            "caller": "0x7ffc6a6a17f2",
            "parentcaller": "0x7ffc756be12f",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000ab4"
              }
            ],
            "repeated": 0,
            "id": 21120
          },
          {
            "timestamp": "2026-05-28 22:02:12,568",
            "thread_id": "3700",
            "caller": "0x7ffc6a6a180b",
            "parentcaller": "0x7ffc756be12f",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000aa0"
              }
            ],
            "repeated": 0,
            "id": 21121
          },
          {
            "timestamp": "2026-05-28 22:02:12,568",
            "thread_id": "3700",
            "caller": "0x7ffc6a6a12d2",
            "parentcaller": "0x7ffc756bdf5c",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache"
              },
              {
                "name": "Handle",
                "value": "0x00000aa0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache"
              }
            ],
            "repeated": 0,
            "id": 21122
          },
          {
            "timestamp": "2026-05-28 22:02:12,568",
            "thread_id": "3700",
            "caller": "0x7ffc6a6a1a81",
            "parentcaller": "0x7ffc6a6a138a",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000aa0"
              },
              {
                "name": "SubKey",
                "value": "Metadata"
              },
              {
                "name": "Handle",
                "value": "0x00000ab4"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\Metadata"
              }
            ],
            "repeated": 0,
            "id": 21123
          },
          {
            "timestamp": "2026-05-28 22:02:12,568",
            "thread_id": "3700",
            "caller": "0x7ffc6a6a1166",
            "parentcaller": "0x7ffc756bf579",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000aa0"
              },
              {
                "name": "SubKey",
                "value": "Package\\Index\\PackageFullName\\Microsoft.MicrosoftEdge.Stable_148.0.3967.83_neutral__8wekyb3d8bbwe"
              },
              {
                "name": "Handle",
                "value": "0x00000ab8"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\Package\\Index\\PackageFullName\\Microsoft.MicrosoftEdge.Stable_148.0.3967.83_neutral__8wekyb3d8bbwe"
              }
            ],
            "repeated": 0,
            "id": 21124
          },
          {
            "timestamp": "2026-05-28 22:02:12,568",
            "thread_id": "3700",
            "caller": "0x7ffc6a6a1732",
            "parentcaller": "0x7ffc756bf7dc",
            "category": "registry",
            "api": "RegEnumKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000ab8"
              },
              {
                "name": "Index",
                "value": "0"
              },
              {
                "name": "Name",
                "value": "b1"
              },
              {
                "name": "Class",
                "value": ""
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\Package\\Index\\PackageFullName\\Microsoft.MicrosoftEdge.Stable_148.0.3967.83_neutral__8wekyb3d8bbwe\\b1"
              }
            ],
            "repeated": 0,
            "id": 21125
          },
          {
            "timestamp": "2026-05-28 22:02:12,568",
            "thread_id": "3700",
            "caller": "0x7ffc6a6a1651",
            "parentcaller": "0x7ffc756bf5fd",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000ab8"
              }
            ],
            "repeated": 0,
            "id": 21126
          },
          {
            "timestamp": "2026-05-28 22:02:12,568",
            "thread_id": "3700",
            "caller": "0x7ffc756e54eb",
            "parentcaller": "0x7ffc75725e2d",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 21127
          },
          {
            "timestamp": "2026-05-28 22:02:12,568",
            "thread_id": "3700",
            "caller": "0x7ffc756e54eb",
            "parentcaller": "0x7ffc75725e8b",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "@\\x00\\xe4T\\x92\\x02\\x00\\x00\\x00\\x00\\x00\\x00s\\x00t\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\xe9\\x03\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 21128
          },
          {
            "timestamp": "2026-05-28 22:02:12,568",
            "thread_id": "3700",
            "caller": "0x7ffc6a6a1166",
            "parentcaller": "0x7ffc756bebe9",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000aa0"
              },
              {
                "name": "SubKey",
                "value": "User\\Index\\UserSid\\S-1-5-21-3968686040-3210279463-847977608-1001"
              },
              {
                "name": "Handle",
                "value": "0x00000ab8"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\User\\Index\\UserSid\\S-1-5-21-3968686040-3210279463-847977608-1001"
              }
            ],
            "repeated": 0,
            "id": 21129
          },
          {
            "timestamp": "2026-05-28 22:02:12,568",
            "thread_id": "3700",
            "caller": "0x7ffc6a6a1732",
            "parentcaller": "0x7ffc756bf7dc",
            "category": "registry",
            "api": "RegEnumKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000ab8"
              },
              {
                "name": "Index",
                "value": "0"
              },
              {
                "name": "Name",
                "value": "3"
              },
              {
                "name": "Class",
                "value": ""
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\User\\Index\\UserSid\\S-1-5-21-3968686040-3210279463-847977608-1001\\3"
              }
            ],
            "repeated": 0,
            "id": 21130
          },
          {
            "timestamp": "2026-05-28 22:02:12,568",
            "thread_id": "3700",
            "caller": "0x7ffc6a6a1651",
            "parentcaller": "0x7ffc756bec6d",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000ab8"
              }
            ],
            "repeated": 0,
            "id": 21131
          },
          {
            "timestamp": "2026-05-28 22:02:12,568",
            "thread_id": "3700",
            "caller": "0x7ffc6a6a1166",
            "parentcaller": "0x7ffc756be9b0",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000aa0"
              },
              {
                "name": "SubKey",
                "value": "PackageExternalLocation\\Index\\UserAndPackage\\3^b1"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\PackageExternalLocation\\Index\\UserAndPackage\\3^b1"
              }
            ],
            "repeated": 0,
            "id": 21132
          },
          {
            "timestamp": "2026-05-28 22:02:12,568",
            "thread_id": "3700",
            "caller": "0x7ffc6a6a1166",
            "parentcaller": "0x7ffc756be9b0",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000aa0"
              },
              {
                "name": "SubKey",
                "value": "PackageExternalLocation\\Index\\UserAndPackage\\0^b1"
              },
              {
                "name": "Handle",
                "value": "0x00000ab8"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\PackageExternalLocation\\Index\\UserAndPackage\\0^b1"
              }
            ],
            "repeated": 0,
            "id": 21133
          },
          {
            "timestamp": "2026-05-28 22:02:12,568",
            "thread_id": "3700",
            "caller": "0x7ffc6a6a1732",
            "parentcaller": "0x7ffc756bf7dc",
            "category": "registry",
            "api": "RegEnumKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000ab8"
              },
              {
                "name": "Index",
                "value": "0"
              },
              {
                "name": "Name",
                "value": "2"
              },
              {
                "name": "Class",
                "value": ""
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\PackageExternalLocation\\Index\\UserAndPackage\\0^b1\\2"
              }
            ],
            "repeated": 0,
            "id": 21134
          },
          {
            "timestamp": "2026-05-28 22:02:12,568",
            "thread_id": "3700",
            "caller": "0x7ffc6a6a1651",
            "parentcaller": "0x7ffc7576ed38",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000ab8"
              }
            ],
            "repeated": 0,
            "id": 21135
          },
          {
            "timestamp": "2026-05-28 22:02:12,568",
            "thread_id": "3700",
            "caller": "0x7ffc6a6a1166",
            "parentcaller": "0x7ffc757be300",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000aa0"
              },
              {
                "name": "SubKey",
                "value": "PackageExternalLocation\\Data\\2"
              },
              {
                "name": "Handle",
                "value": "0x00000ab8"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\PackageExternalLocation\\Data\\2"
              }
            ],
            "repeated": 0,
            "id": 21136
          },
          {
            "timestamp": "2026-05-28 22:02:12,568",
            "thread_id": "3700",
            "caller": "0x7ffc6a6a15ac",
            "parentcaller": "0x7ffc6a6a14ff",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000ab8"
              },
              {
                "name": "ValueName",
                "value": "Path"
              },
              {
                "name": "Data",
                "value": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\PackageExternalLocation\\Data\\2\\Path"
              }
            ],
            "repeated": 0,
            "id": 21137
          },
          {
            "timestamp": "2026-05-28 22:02:12,568",
            "thread_id": "3700",
            "caller": "0x7ffc6a6a1651",
            "parentcaller": "0x7ffc757bdfaf",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000ab8"
              }
            ],
            "repeated": 0,
            "id": 21138
          },
          {
            "timestamp": "2026-05-28 22:02:12,568",
            "thread_id": "3700",
            "caller": "0x7ffc6a6a17f2",
            "parentcaller": "0x7ffc756be12f",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000ab4"
              }
            ],
            "repeated": 0,
            "id": 21139
          },
          {
            "timestamp": "2026-05-28 22:02:12,568",
            "thread_id": "3700",
            "caller": "0x7ffc6a6a180b",
            "parentcaller": "0x7ffc756be12f",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000aa0"
              }
            ],
            "repeated": 0,
            "id": 21140
          },
          {
            "timestamp": "2026-05-28 22:02:12,568",
            "thread_id": "3700",
            "caller": "0x7ffc77be92b9",
            "parentcaller": "0x7ffc77c21dfa",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "41FD88F7-F295-4D39-91AC-A85F3149A05B"
              },
              {
                "name": "ClsContext",
                "value": "0x00000403",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER|CLSCTX_NO_CODE_DOWNLOAD"
              },
              {
                "name": "riid",
                "value": "00000003-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 2,
            "id": 21141
          },
          {
            "timestamp": "2026-05-28 22:02:12,568",
            "thread_id": "3700",
            "caller": "0x7ffc756e3a9c",
            "parentcaller": "0x7ffc756e3529",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 21142
          },
          {
            "timestamp": "2026-05-28 22:02:12,568",
            "thread_id": "3700",
            "caller": "0x7ffc756e40c4",
            "parentcaller": "0x7ffc756e3f4b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000000d4"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 21143
          },
          {
            "timestamp": "2026-05-28 22:02:12,568",
            "thread_id": "3700",
            "caller": "0x7ffc756e3f76",
            "parentcaller": "0x7ffc75764fd4",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020119",
                "pretty_value": "KEY_QUERY_VALUE|KEY_ENUMERATE_SUB_KEYS|KEY_NOTIFY|KEY_WOW64_64KEY|STANDARD_RIGHTS_REQUIRED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000000d4"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateChange\\PackageList\\Microsoft.MicrosoftEdge.Stable_148.0.3967.83_neutral__8wekyb3d8bbwe"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateChange\\PackageList\\Microsoft.MicrosoftEdge.Stable_148.0.3967.83_neutral__8wekyb3d8bbwe"
              }
            ],
            "repeated": 0,
            "id": 21144
          },
          {
            "timestamp": "2026-05-28 22:02:12,568",
            "thread_id": "3700",
            "caller": "0x7ffc756c26e8",
            "parentcaller": "0x7ffc756c279b",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xc0\\xef\\x1f\\x9e\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00c\\x00r\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\xe9\\x03\\x00\\x00t\\x00E\\x00d\\x00g\\x00e\\x00.\\x00S\\x00t\\x00a\\x00b\\x00l\\x00e\\x00_\\x001\\x004\\x008\\x00.\\x000\\x00.\\x003\\x00"
              }
            ],
            "repeated": 0,
            "id": 21145
          },
          {
            "timestamp": "2026-05-28 22:02:12,568",
            "thread_id": "3700",
            "caller": "0x7ffc756e3a9c",
            "parentcaller": "0x7ffc756e3529",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 21146
          },
          {
            "timestamp": "2026-05-28 22:02:12,568",
            "thread_id": "3700",
            "caller": "0x7ffc756e40c4",
            "parentcaller": "0x7ffc756e3f4b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000720"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 21147
          },
          {
            "timestamp": "2026-05-28 22:02:12,568",
            "thread_id": "3700",
            "caller": "0x7ffc756e3f76",
            "parentcaller": "0x7ffc75764fd4",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000aa0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000720"
              },
              {
                "name": "ObjectAttributesName",
                "value": "S-1-5-21-3968686040-3210279463-847977608-1001"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER"
              }
            ],
            "repeated": 0,
            "id": 21148
          },
          {
            "timestamp": "2026-05-28 22:02:12,568",
            "thread_id": "3700",
            "caller": "0x7ffc756e40c4",
            "parentcaller": "0x7ffc756e3f4b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000aa0"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 21149
          },
          {
            "timestamp": "2026-05-28 22:02:12,568",
            "thread_id": "3700",
            "caller": "0x7ffc756e3f76",
            "parentcaller": "0x7ffc75764fd4",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000ab4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020119",
                "pretty_value": "KEY_QUERY_VALUE|KEY_ENUMERATE_SUB_KEYS|KEY_NOTIFY|KEY_WOW64_64KEY|STANDARD_RIGHTS_REQUIRED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000aa0"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\Repository\\Packages\\Microsoft.MicrosoftEdge.Stable_148.0.3967.83_neutral__8wekyb3d8bbwe"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\Repository\\Packages\\Microsoft.MicrosoftEdge.Stable_148.0.3967.83_neutral__8wekyb3d8bbwe"
              }
            ],
            "repeated": 0,
            "id": 21150
          },
          {
            "timestamp": "2026-05-28 22:02:12,568",
            "thread_id": "3700",
            "caller": "0x7ffc756c4086",
            "parentcaller": "0x7ffc756c27b6",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000aa0"
              }
            ],
            "repeated": 0,
            "id": 21151
          },
          {
            "timestamp": "2026-05-28 22:02:12,568",
            "thread_id": "3700",
            "caller": "0x7ffc756c40c3",
            "parentcaller": "0x7ffc756c27b6",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000ab4"
              },
              {
                "name": "ValueName",
                "value": "PackageStatus"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\Repository\\Packages\\Microsoft.MicrosoftEdge.Stable_148.0.3967.83_neutral__8wekyb3d8bbwe\\PackageStatus"
              }
            ],
            "repeated": 0,
            "id": 21152
          },
          {
            "timestamp": "2026-05-28 22:02:12,568",
            "thread_id": "3700",
            "caller": "0x7ffc756c40d4",
            "parentcaller": "0x7ffc756c27b6",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000ab4"
              }
            ],
            "repeated": 0,
            "id": 21153
          },
          {
            "timestamp": "2026-05-28 22:02:12,568",
            "thread_id": "1496",
            "caller": "0x7ff6c28da9db",
            "parentcaller": "0x7ff6c28d6fb1",
            "category": "misc",
            "api": "GetCursorPos",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "x",
                "value": "1032"
              },
              {
                "name": "y",
                "value": "649"
              }
            ],
            "repeated": 0,
            "id": 21154
          },
          {
            "timestamp": "2026-05-28 22:02:12,568",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6fb1",
            "parentcaller": "0x7ff6c28e0076",
            "category": "system",
            "api": "NtDelayExecution",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 21155
          },
          {
            "timestamp": "2026-05-28 22:02:12,568",
            "thread_id": "3700",
            "caller": "0x7ffc77be92b9",
            "parentcaller": "0x7ffc77c21dfa",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "41FD88F7-F295-4D39-91AC-A85F3149A05B"
              },
              {
                "name": "ClsContext",
                "value": "0x00000403",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER|CLSCTX_NO_CODE_DOWNLOAD"
              },
              {
                "name": "riid",
                "value": "00000003-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 4,
            "id": 21156
          },
          {
            "timestamp": "2026-05-28 22:02:12,584",
            "thread_id": "5448",
            "caller": "0x7ff6c28c883e",
            "parentcaller": "0x7ff6c28c846b",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00000042"
              },
              {
                "name": "uiParam",
                "value": "0x00000010"
              }
            ],
            "repeated": 0,
            "id": 21157
          },
          {
            "timestamp": "2026-05-28 22:02:12,584",
            "thread_id": "5448",
            "caller": "0x7ff6c28c978f",
            "parentcaller": "0x7ff6c28c3d99",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "DBCE7E40-7345-439D-B12C-114A11819A09"
              },
              {
                "name": "ClsContext",
                "value": "0x00000003",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER"
              },
              {
                "name": "riid",
                "value": "130A2F65-2BE7-4309-9A58-A9052FF2B61C"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 21158
          },
          {
            "timestamp": "2026-05-28 22:02:12,584",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache"
              },
              {
                "name": "Handle",
                "value": "0x00000ab4"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache"
              }
            ],
            "repeated": 0,
            "id": 21159
          },
          {
            "timestamp": "2026-05-28 22:02:12,584",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000ab4"
              },
              {
                "name": "SubKey",
                "value": "Metadata"
              },
              {
                "name": "Handle",
                "value": "0x00000ab0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\Metadata"
              }
            ],
            "repeated": 0,
            "id": 21160
          },
          {
            "timestamp": "2026-05-28 22:02:12,584",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000ab4"
              },
              {
                "name": "SubKey",
                "value": "Package\\Index\\PackageFullName\\Microsoft.MicrosoftEdge.Stable_148.0.3967.83_neutral__8wekyb3d8bbwe"
              },
              {
                "name": "Handle",
                "value": "0x00000a9c"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\Package\\Index\\PackageFullName\\Microsoft.MicrosoftEdge.Stable_148.0.3967.83_neutral__8wekyb3d8bbwe"
              }
            ],
            "repeated": 0,
            "id": 21161
          },
          {
            "timestamp": "2026-05-28 22:02:12,584",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "registry",
            "api": "RegEnumKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a9c"
              },
              {
                "name": "Index",
                "value": "0"
              },
              {
                "name": "Name",
                "value": "b1"
              },
              {
                "name": "Class",
                "value": ""
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\Package\\Index\\PackageFullName\\Microsoft.MicrosoftEdge.Stable_148.0.3967.83_neutral__8wekyb3d8bbwe\\b1"
              }
            ],
            "repeated": 0,
            "id": 21162
          },
          {
            "timestamp": "2026-05-28 22:02:12,584",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a9c"
              }
            ],
            "repeated": 0,
            "id": 21163
          },
          {
            "timestamp": "2026-05-28 22:02:12,584",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000ab4"
              },
              {
                "name": "SubKey",
                "value": "Package\\Data\\b1"
              },
              {
                "name": "Handle",
                "value": "0x00000a9c"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\Package\\Data\\b1"
              }
            ],
            "repeated": 0,
            "id": 21164
          },
          {
            "timestamp": "2026-05-28 22:02:12,584",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a9c"
              },
              {
                "name": "ValueName",
                "value": "PackageOrigin"
              },
              {
                "name": "Data",
                "value": "5"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\Package\\Data\\b1\\PackageOrigin"
              }
            ],
            "repeated": 0,
            "id": 21165
          },
          {
            "timestamp": "2026-05-28 22:02:12,584",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a9c"
              }
            ],
            "repeated": 0,
            "id": 21166
          },
          {
            "timestamp": "2026-05-28 22:02:12,584",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000ab0"
              }
            ],
            "repeated": 0,
            "id": 21167
          },
          {
            "timestamp": "2026-05-28 22:02:12,584",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000ab4"
              }
            ],
            "repeated": 1,
            "id": 21168
          },
          {
            "timestamp": "2026-05-28 22:02:12,584",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000ab0"
              }
            ],
            "repeated": 0,
            "id": 21169
          },
          {
            "timestamp": "2026-05-28 22:02:12,584",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "p\\xe0\\xdf\\x9d\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\xe9\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x03N\\x92\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xc0\\x07\\x02x\\xfc\\x7f\\x00\\x007\\xe6\\xa8\\xf9"
              }
            ],
            "repeated": 0,
            "id": 21170
          },
          {
            "timestamp": "2026-05-28 22:02:12,584",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 21171
          },
          {
            "timestamp": "2026-05-28 22:02:12,584",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000720"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 21172
          },
          {
            "timestamp": "2026-05-28 22:02:12,584",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000ab0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000720"
              },
              {
                "name": "ObjectAttributesName",
                "value": "S-1-5-21-3968686040-3210279463-847977608-1001"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER"
              }
            ],
            "repeated": 0,
            "id": 21173
          },
          {
            "timestamp": "2026-05-28 22:02:12,584",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000ab0"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 21174
          },
          {
            "timestamp": "2026-05-28 22:02:12,584",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000ab4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020119",
                "pretty_value": "KEY_QUERY_VALUE|KEY_ENUMERATE_SUB_KEYS|KEY_NOTIFY|KEY_WOW64_64KEY|STANDARD_RIGHTS_REQUIRED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000ab0"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\Repository\\Packages\\Microsoft.MicrosoftEdge.Stable_148.0.3967.83_neutral__8wekyb3d8bbwe"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\Repository\\Packages\\Microsoft.MicrosoftEdge.Stable_148.0.3967.83_neutral__8wekyb3d8bbwe"
              }
            ],
            "repeated": 0,
            "id": 21175
          },
          {
            "timestamp": "2026-05-28 22:02:12,584",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000ab0"
              }
            ],
            "repeated": 0,
            "id": 21176
          },
          {
            "timestamp": "2026-05-28 22:02:12,584",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000ab4"
              },
              {
                "name": "ValueName",
                "value": "PackageStatus"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\Repository\\Packages\\Microsoft.MicrosoftEdge.Stable_148.0.3967.83_neutral__8wekyb3d8bbwe\\PackageStatus"
              }
            ],
            "repeated": 0,
            "id": 21177
          },
          {
            "timestamp": "2026-05-28 22:02:12,584",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000ab4"
              }
            ],
            "repeated": 0,
            "id": 21178
          },
          {
            "timestamp": "2026-05-28 22:02:12,584",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache"
              },
              {
                "name": "Handle",
                "value": "0x00000ab4"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache"
              }
            ],
            "repeated": 0,
            "id": 21179
          },
          {
            "timestamp": "2026-05-28 22:02:12,584",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000ab4"
              },
              {
                "name": "SubKey",
                "value": "Metadata"
              },
              {
                "name": "Handle",
                "value": "0x00000ab0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\Metadata"
              }
            ],
            "repeated": 0,
            "id": 21180
          },
          {
            "timestamp": "2026-05-28 22:02:12,584",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000ab4"
              },
              {
                "name": "SubKey",
                "value": "Package\\Index\\PackageFullName\\Microsoft.MicrosoftEdge.Stable_148.0.3967.83_neutral__8wekyb3d8bbwe"
              },
              {
                "name": "Handle",
                "value": "0x00000a9c"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\Package\\Index\\PackageFullName\\Microsoft.MicrosoftEdge.Stable_148.0.3967.83_neutral__8wekyb3d8bbwe"
              }
            ],
            "repeated": 0,
            "id": 21181
          },
          {
            "timestamp": "2026-05-28 22:02:12,584",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "registry",
            "api": "RegEnumKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a9c"
              },
              {
                "name": "Index",
                "value": "0"
              },
              {
                "name": "Name",
                "value": "b1"
              },
              {
                "name": "Class",
                "value": ""
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\Package\\Index\\PackageFullName\\Microsoft.MicrosoftEdge.Stable_148.0.3967.83_neutral__8wekyb3d8bbwe\\b1"
              }
            ],
            "repeated": 0,
            "id": 21182
          },
          {
            "timestamp": "2026-05-28 22:02:12,584",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a9c"
              }
            ],
            "repeated": 0,
            "id": 21183
          },
          {
            "timestamp": "2026-05-28 22:02:12,584",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000ab4"
              },
              {
                "name": "SubKey",
                "value": "Package\\Data\\b1"
              },
              {
                "name": "Handle",
                "value": "0x00000a9c"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\Package\\Data\\b1"
              }
            ],
            "repeated": 0,
            "id": 21184
          },
          {
            "timestamp": "2026-05-28 22:02:12,584",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a9c"
              },
              {
                "name": "ValueName",
                "value": "PackageFullName"
              },
              {
                "name": "Data",
                "value": "Microsoft.MicrosoftEdge.Stable_148.0.3967.83_neutral__8wekyb3d8bbwe"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\Package\\Data\\b1\\PackageFullName"
              }
            ],
            "repeated": 0,
            "id": 21185
          },
          {
            "timestamp": "2026-05-28 22:02:12,584",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a9c"
              },
              {
                "name": "ValueName",
                "value": "PackageFamily"
              },
              {
                "name": "Data",
                "value": "30"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\Package\\Data\\b1\\PackageFamily"
              }
            ],
            "repeated": 0,
            "id": 21186
          },
          {
            "timestamp": "2026-05-28 22:02:12,584",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a9c"
              },
              {
                "name": "ValueName",
                "value": "PackageType"
              },
              {
                "name": "Data",
                "value": "1"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\Package\\Data\\b1\\PackageType"
              }
            ],
            "repeated": 0,
            "id": 21187
          },
          {
            "timestamp": "2026-05-28 22:02:12,584",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a9c"
              },
              {
                "name": "ValueName",
                "value": "Flags"
              },
              {
                "name": "Data",
                "value": "45089868"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\Package\\Data\\b1\\Flags"
              }
            ],
            "repeated": 0,
            "id": 21188
          },
          {
            "timestamp": "2026-05-28 22:02:12,584",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a9c"
              },
              {
                "name": "ValueName",
                "value": "Flags2"
              },
              {
                "name": "Data",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\Package\\Data\\b1\\Flags2"
              }
            ],
            "repeated": 0,
            "id": 21189
          },
          {
            "timestamp": "2026-05-28 22:02:12,584",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a9c"
              },
              {
                "name": "ValueName",
                "value": "PackageOrigin"
              },
              {
                "name": "Data",
                "value": "5"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\Package\\Data\\b1\\PackageOrigin"
              }
            ],
            "repeated": 0,
            "id": 21190
          },
          {
            "timestamp": "2026-05-28 22:02:12,584",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a9c"
              },
              {
                "name": "ValueName",
                "value": "Volume"
              },
              {
                "name": "Data",
                "value": "1"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\Package\\Data\\b1\\Volume"
              }
            ],
            "repeated": 0,
            "id": 21191
          },
          {
            "timestamp": "2026-05-28 22:02:12,584",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a9c"
              },
              {
                "name": "ValueName",
                "value": "OSMaxVersionTested"
              },
              {
                "name": "Data",
                "value": "\\x00\\x00aJ\\x00\\x00\n\\x00"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\Package\\Data\\b1\\OSMaxVersionTested"
              }
            ],
            "repeated": 0,
            "id": 21192
          },
          {
            "timestamp": "2026-05-28 22:02:12,584",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a9c"
              },
              {
                "name": "ValueName",
                "value": "InstalledLocation"
              },
              {
                "name": "Data",
                "value": "C:\\Program Files\\WindowsApps\\Microsoft.MicrosoftEdge.Stable_148.0.3967.83_neutral__8wekyb3d8bbwe"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\Package\\Data\\b1\\InstalledLocation"
              }
            ],
            "repeated": 0,
            "id": 21193
          },
          {
            "timestamp": "2026-05-28 22:02:12,584",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a9c"
              },
              {
                "name": "ValueName",
                "value": "MutableLink"
              },
              {
                "name": "Data",
                "value": ""
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\Package\\Data\\b1\\MutableLink"
              }
            ],
            "repeated": 0,
            "id": 21194
          },
          {
            "timestamp": "2026-05-28 22:02:12,584",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a9c"
              },
              {
                "name": "ValueName",
                "value": "MutableLocation"
              },
              {
                "name": "Data",
                "value": ""
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\Package\\Data\\b1\\MutableLocation"
              }
            ],
            "repeated": 0,
            "id": 21195
          },
          {
            "timestamp": "2026-05-28 22:02:12,584",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a9c"
              },
              {
                "name": "ValueName",
                "value": "TargetDeviceFamilyName"
              },
              {
                "name": "Data",
                "value": "3"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\Package\\Data\\b1\\TargetDeviceFamilyName"
              }
            ],
            "repeated": 0,
            "id": 21196
          },
          {
            "timestamp": "2026-05-28 22:02:12,584",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a9c"
              }
            ],
            "repeated": 0,
            "id": 21197
          },
          {
            "timestamp": "2026-05-28 22:02:12,584",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000ab0"
              }
            ],
            "repeated": 0,
            "id": 21198
          },
          {
            "timestamp": "2026-05-28 22:02:12,584",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000ab4"
              }
            ],
            "repeated": 0,
            "id": 21199
          },
          {
            "timestamp": "2026-05-28 22:02:12,584",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000ab4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020119",
                "pretty_value": "KEY_QUERY_VALUE|KEY_ENUMERATE_SUB_KEYS|KEY_NOTIFY|KEY_WOW64_64KEY|STANDARD_RIGHTS_REQUIRED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Microsoft\\Windows NT\\CurrentVersion"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion"
              }
            ],
            "repeated": 0,
            "id": 21200
          },
          {
            "timestamp": "2026-05-28 22:02:12,584",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000ab4"
              }
            ],
            "repeated": 0,
            "id": 21201
          },
          {
            "timestamp": "2026-05-28 22:02:12,584",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000ab4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020119",
                "pretty_value": "KEY_QUERY_VALUE|KEY_ENUMERATE_SUB_KEYS|KEY_NOTIFY|KEY_WOW64_64KEY|STANDARD_RIGHTS_REQUIRED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Microsoft\\Windows NT\\CurrentVersion\\OEM"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\OEM"
              }
            ],
            "repeated": 0,
            "id": 21202
          },
          {
            "timestamp": "2026-05-28 22:02:12,584",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000ab4"
              }
            ],
            "repeated": 0,
            "id": 21203
          },
          {
            "timestamp": "2026-05-28 22:02:12,584",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache"
              },
              {
                "name": "Handle",
                "value": "0x00000ab4"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache"
              }
            ],
            "repeated": 0,
            "id": 21204
          },
          {
            "timestamp": "2026-05-28 22:02:12,584",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000ab4"
              },
              {
                "name": "SubKey",
                "value": "Metadata"
              },
              {
                "name": "Handle",
                "value": "0x00000ab0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\Metadata"
              }
            ],
            "repeated": 0,
            "id": 21205
          },
          {
            "timestamp": "2026-05-28 22:02:12,584",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000ab4"
              },
              {
                "name": "SubKey",
                "value": "Package\\Index\\PackageFullName\\Microsoft.MicrosoftEdge.Stable_148.0.3967.83_neutral__8wekyb3d8bbwe"
              },
              {
                "name": "Handle",
                "value": "0x00000a9c"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\Package\\Index\\PackageFullName\\Microsoft.MicrosoftEdge.Stable_148.0.3967.83_neutral__8wekyb3d8bbwe"
              }
            ],
            "repeated": 0,
            "id": 21206
          },
          {
            "timestamp": "2026-05-28 22:02:12,584",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "registry",
            "api": "RegEnumKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a9c"
              },
              {
                "name": "Index",
                "value": "0"
              },
              {
                "name": "Name",
                "value": "b1"
              },
              {
                "name": "Class",
                "value": ""
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\Package\\Index\\PackageFullName\\Microsoft.MicrosoftEdge.Stable_148.0.3967.83_neutral__8wekyb3d8bbwe\\b1"
              }
            ],
            "repeated": 0,
            "id": 21207
          },
          {
            "timestamp": "2026-05-28 22:02:12,584",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a9c"
              }
            ],
            "repeated": 0,
            "id": 21208
          },
          {
            "timestamp": "2026-05-28 22:02:12,584",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 21209
          },
          {
            "timestamp": "2026-05-28 22:02:12,584",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xc0\\x07\\xe4T\\x92\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\xe9\\x03\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 21210
          },
          {
            "timestamp": "2026-05-28 22:02:12,584",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000ab4"
              },
              {
                "name": "SubKey",
                "value": "User\\Index\\UserSid\\S-1-5-21-3968686040-3210279463-847977608-1001"
              },
              {
                "name": "Handle",
                "value": "0x00000a9c"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\User\\Index\\UserSid\\S-1-5-21-3968686040-3210279463-847977608-1001"
              }
            ],
            "repeated": 0,
            "id": 21211
          },
          {
            "timestamp": "2026-05-28 22:02:12,584",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "registry",
            "api": "RegEnumKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a9c"
              },
              {
                "name": "Index",
                "value": "0"
              },
              {
                "name": "Name",
                "value": "3"
              },
              {
                "name": "Class",
                "value": ""
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\User\\Index\\UserSid\\S-1-5-21-3968686040-3210279463-847977608-1001\\3"
              }
            ],
            "repeated": 0,
            "id": 21212
          },
          {
            "timestamp": "2026-05-28 22:02:12,584",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a9c"
              }
            ],
            "repeated": 0,
            "id": 21213
          },
          {
            "timestamp": "2026-05-28 22:02:12,584",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000ab4"
              },
              {
                "name": "SubKey",
                "value": "PackageExternalLocation\\Index\\UserAndPackage\\3^b1"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\PackageExternalLocation\\Index\\UserAndPackage\\3^b1"
              }
            ],
            "repeated": 0,
            "id": 21214
          },
          {
            "timestamp": "2026-05-28 22:02:12,584",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000ab4"
              },
              {
                "name": "SubKey",
                "value": "PackageExternalLocation\\Index\\UserAndPackage\\0^b1"
              },
              {
                "name": "Handle",
                "value": "0x00000a9c"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\PackageExternalLocation\\Index\\UserAndPackage\\0^b1"
              }
            ],
            "repeated": 0,
            "id": 21215
          },
          {
            "timestamp": "2026-05-28 22:02:12,584",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "registry",
            "api": "RegEnumKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a9c"
              },
              {
                "name": "Index",
                "value": "0"
              },
              {
                "name": "Name",
                "value": "2"
              },
              {
                "name": "Class",
                "value": ""
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\PackageExternalLocation\\Index\\UserAndPackage\\0^b1\\2"
              }
            ],
            "repeated": 0,
            "id": 21216
          },
          {
            "timestamp": "2026-05-28 22:02:12,584",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a9c"
              }
            ],
            "repeated": 0,
            "id": 21217
          },
          {
            "timestamp": "2026-05-28 22:02:12,584",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000ab4"
              },
              {
                "name": "SubKey",
                "value": "PackageExternalLocation\\Data\\2"
              },
              {
                "name": "Handle",
                "value": "0x00000a9c"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\PackageExternalLocation\\Data\\2"
              }
            ],
            "repeated": 0,
            "id": 21218
          },
          {
            "timestamp": "2026-05-28 22:02:12,584",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a9c"
              },
              {
                "name": "ValueName",
                "value": "Path"
              },
              {
                "name": "Data",
                "value": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\PackageExternalLocation\\Data\\2\\Path"
              }
            ],
            "repeated": 0,
            "id": 21219
          },
          {
            "timestamp": "2026-05-28 22:02:12,584",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a9c"
              }
            ],
            "repeated": 0,
            "id": 21220
          },
          {
            "timestamp": "2026-05-28 22:02:12,584",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000ab0"
              }
            ],
            "repeated": 0,
            "id": 21221
          },
          {
            "timestamp": "2026-05-28 22:02:12,584",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000ab4"
              }
            ],
            "repeated": 0,
            "id": 21222
          },
          {
            "timestamp": "2026-05-28 22:02:12,584",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache"
              },
              {
                "name": "Handle",
                "value": "0x00000ab4"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache"
              }
            ],
            "repeated": 0,
            "id": 21223
          },
          {
            "timestamp": "2026-05-28 22:02:12,584",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000ab4"
              },
              {
                "name": "SubKey",
                "value": "Metadata"
              },
              {
                "name": "Handle",
                "value": "0x00000ab0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\Metadata"
              }
            ],
            "repeated": 0,
            "id": 21224
          },
          {
            "timestamp": "2026-05-28 22:02:12,584",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000ab4"
              },
              {
                "name": "SubKey",
                "value": "Package\\Index\\PackageFullName\\Microsoft.MicrosoftEdge.Stable_148.0.3967.83_neutral__8wekyb3d8bbwe"
              },
              {
                "name": "Handle",
                "value": "0x00000a9c"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\Package\\Index\\PackageFullName\\Microsoft.MicrosoftEdge.Stable_148.0.3967.83_neutral__8wekyb3d8bbwe"
              }
            ],
            "repeated": 0,
            "id": 21225
          },
          {
            "timestamp": "2026-05-28 22:02:12,584",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "registry",
            "api": "RegEnumKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a9c"
              },
              {
                "name": "Index",
                "value": "0"
              },
              {
                "name": "Name",
                "value": "b1"
              },
              {
                "name": "Class",
                "value": ""
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\Package\\Index\\PackageFullName\\Microsoft.MicrosoftEdge.Stable_148.0.3967.83_neutral__8wekyb3d8bbwe\\b1"
              }
            ],
            "repeated": 0,
            "id": 21226
          },
          {
            "timestamp": "2026-05-28 22:02:12,584",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a9c"
              }
            ],
            "repeated": 0,
            "id": 21227
          },
          {
            "timestamp": "2026-05-28 22:02:12,584",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 21228
          },
          {
            "timestamp": "2026-05-28 22:02:12,584",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\x80\\xf9\\xe3T\\x92\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\xe9\\x03\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 21229
          },
          {
            "timestamp": "2026-05-28 22:02:12,584",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000ab4"
              },
              {
                "name": "SubKey",
                "value": "User\\Index\\UserSid\\S-1-5-21-3968686040-3210279463-847977608-1001"
              },
              {
                "name": "Handle",
                "value": "0x00000a9c"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\User\\Index\\UserSid\\S-1-5-21-3968686040-3210279463-847977608-1001"
              }
            ],
            "repeated": 0,
            "id": 21230
          },
          {
            "timestamp": "2026-05-28 22:02:12,584",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "registry",
            "api": "RegEnumKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a9c"
              },
              {
                "name": "Index",
                "value": "0"
              },
              {
                "name": "Name",
                "value": "3"
              },
              {
                "name": "Class",
                "value": ""
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\User\\Index\\UserSid\\S-1-5-21-3968686040-3210279463-847977608-1001\\3"
              }
            ],
            "repeated": 0,
            "id": 21231
          },
          {
            "timestamp": "2026-05-28 22:02:12,584",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a9c"
              }
            ],
            "repeated": 0,
            "id": 21232
          },
          {
            "timestamp": "2026-05-28 22:02:12,584",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000ab4"
              },
              {
                "name": "SubKey",
                "value": "PackageExternalLocation\\Index\\UserAndPackage\\3^b1"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\PackageExternalLocation\\Index\\UserAndPackage\\3^b1"
              }
            ],
            "repeated": 0,
            "id": 21233
          },
          {
            "timestamp": "2026-05-28 22:02:12,584",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000ab4"
              },
              {
                "name": "SubKey",
                "value": "PackageExternalLocation\\Index\\UserAndPackage\\0^b1"
              },
              {
                "name": "Handle",
                "value": "0x00000a9c"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\PackageExternalLocation\\Index\\UserAndPackage\\0^b1"
              }
            ],
            "repeated": 0,
            "id": 21234
          },
          {
            "timestamp": "2026-05-28 22:02:12,584",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "registry",
            "api": "RegEnumKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a9c"
              },
              {
                "name": "Index",
                "value": "0"
              },
              {
                "name": "Name",
                "value": "2"
              },
              {
                "name": "Class",
                "value": ""
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\PackageExternalLocation\\Index\\UserAndPackage\\0^b1\\2"
              }
            ],
            "repeated": 0,
            "id": 21235
          },
          {
            "timestamp": "2026-05-28 22:02:12,584",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a9c"
              }
            ],
            "repeated": 0,
            "id": 21236
          },
          {
            "timestamp": "2026-05-28 22:02:12,584",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000ab4"
              },
              {
                "name": "SubKey",
                "value": "PackageExternalLocation\\Data\\2"
              },
              {
                "name": "Handle",
                "value": "0x00000a9c"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\PackageExternalLocation\\Data\\2"
              }
            ],
            "repeated": 0,
            "id": 21237
          },
          {
            "timestamp": "2026-05-28 22:02:12,584",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a9c"
              },
              {
                "name": "ValueName",
                "value": "Path"
              },
              {
                "name": "Data",
                "value": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\PackageExternalLocation\\Data\\2\\Path"
              }
            ],
            "repeated": 0,
            "id": 21238
          },
          {
            "timestamp": "2026-05-28 22:02:12,584",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a9c"
              }
            ],
            "repeated": 0,
            "id": 21239
          },
          {
            "timestamp": "2026-05-28 22:02:12,584",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000ab0"
              }
            ],
            "repeated": 0,
            "id": 21240
          },
          {
            "timestamp": "2026-05-28 22:02:12,584",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000ab4"
              }
            ],
            "repeated": 0,
            "id": 21241
          },
          {
            "timestamp": "2026-05-28 22:02:12,584",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache"
              },
              {
                "name": "Handle",
                "value": "0x00000ab4"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache"
              }
            ],
            "repeated": 0,
            "id": 21242
          },
          {
            "timestamp": "2026-05-28 22:02:12,584",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000ab4"
              },
              {
                "name": "SubKey",
                "value": "Metadata"
              },
              {
                "name": "Handle",
                "value": "0x00000aa0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\Metadata"
              }
            ],
            "repeated": 0,
            "id": 21243
          },
          {
            "timestamp": "2026-05-28 22:02:12,584",
            "thread_id": "1496",
            "caller": "0x7ff6c28da9db",
            "parentcaller": "0x7ff6c28d6fb1",
            "category": "misc",
            "api": "GetCursorPos",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "x",
                "value": "1030"
              },
              {
                "name": "y",
                "value": "649"
              }
            ],
            "repeated": 0,
            "id": 21244
          },
          {
            "timestamp": "2026-05-28 22:02:12,584",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000ab4"
              },
              {
                "name": "SubKey",
                "value": "Package\\Index\\PackageFullName\\Microsoft.MicrosoftEdge.Stable_148.0.3967.83_neutral__8wekyb3d8bbwe"
              },
              {
                "name": "Handle",
                "value": "0x00000ab8"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\Package\\Index\\PackageFullName\\Microsoft.MicrosoftEdge.Stable_148.0.3967.83_neutral__8wekyb3d8bbwe"
              }
            ],
            "repeated": 0,
            "id": 21245
          },
          {
            "timestamp": "2026-05-28 22:02:12,584",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "registry",
            "api": "RegEnumKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000ab8"
              },
              {
                "name": "Index",
                "value": "0"
              },
              {
                "name": "Name",
                "value": "b1"
              },
              {
                "name": "Class",
                "value": ""
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\Package\\Index\\PackageFullName\\Microsoft.MicrosoftEdge.Stable_148.0.3967.83_neutral__8wekyb3d8bbwe\\b1"
              }
            ],
            "repeated": 0,
            "id": 21246
          },
          {
            "timestamp": "2026-05-28 22:02:12,584",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000ab8"
              }
            ],
            "repeated": 0,
            "id": 21247
          },
          {
            "timestamp": "2026-05-28 22:02:12,584",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6fb1",
            "parentcaller": "0x7ff6c28e0076",
            "category": "system",
            "api": "NtDelayExecution",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 21248
          },
          {
            "timestamp": "2026-05-28 22:02:12,584",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000ab4"
              },
              {
                "name": "SubKey",
                "value": "Package\\Data\\b1"
              },
              {
                "name": "Handle",
                "value": "0x00000ab8"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\Package\\Data\\b1"
              }
            ],
            "repeated": 0,
            "id": 21249
          },
          {
            "timestamp": "2026-05-28 22:02:12,584",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000ab8"
              },
              {
                "name": "ValueName",
                "value": "Flags"
              },
              {
                "name": "Data",
                "value": "45089868"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\Package\\Data\\b1\\Flags"
              }
            ],
            "repeated": 0,
            "id": 21250
          },
          {
            "timestamp": "2026-05-28 22:02:12,584",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000ab8"
              },
              {
                "name": "ValueName",
                "value": "InstalledLocation"
              },
              {
                "name": "Data",
                "value": "C:\\Program Files\\WindowsApps\\Microsoft.MicrosoftEdge.Stable_148.0.3967.83_neutral__8wekyb3d8bbwe"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\Package\\Data\\b1\\InstalledLocation"
              }
            ],
            "repeated": 0,
            "id": 21251
          },
          {
            "timestamp": "2026-05-28 22:02:12,584",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000ab8"
              }
            ],
            "repeated": 0,
            "id": 21252
          },
          {
            "timestamp": "2026-05-28 22:02:12,584",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000aa0"
              }
            ],
            "repeated": 0,
            "id": 21253
          },
          {
            "timestamp": "2026-05-28 22:02:12,584",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000ab4"
              }
            ],
            "repeated": 0,
            "id": 21254
          },
          {
            "timestamp": "2026-05-28 22:02:12,584",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xa0\\xdf\\xdf\\x9d\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\xe9\\x03\\x00\\x00\\xf0\\x00\\x00\\x00\\xf05\\x1ej\\xfc\\x7f\\x00\\x00\\x86\\xdequ\\xfc\\x7f\\x00\\x00\\x0b\\x00\\x00\\x00K\\xb4\\x00\\x00\\x00\\x00\\x00\\x00\\xf0\\x00\\x00\\x00\\xf0\\xdf\\xdf\\x9d\\xf0\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 21255
          },
          {
            "timestamp": "2026-05-28 22:02:12,584",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000ab4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3968686040-3210279463-847977608-1001"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER"
              }
            ],
            "repeated": 0,
            "id": 21256
          },
          {
            "timestamp": "2026-05-28 22:02:12,584",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000ab4"
              },
              {
                "name": "SubKey",
                "value": "Software\\Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppContainer\\Storage\\Microsoft.MicrosoftEdge.Stable_8wekyb3d8bbwe\\ResourcesConfig"
              },
              {
                "name": "Handle",
                "value": "0x00000aa0"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppContainer\\Storage\\Microsoft.MicrosoftEdge.Stable_8wekyb3d8bbwe\\ResourcesConfig"
              }
            ],
            "repeated": 0,
            "id": 21257
          },
          {
            "timestamp": "2026-05-28 22:02:12,584",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000ab4"
              }
            ],
            "repeated": 0,
            "id": 21258
          },
          {
            "timestamp": "2026-05-28 22:02:12,584",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000aa0"
              },
              {
                "name": "ValueName",
                "value": "CachedMergedResourcesPriFileName"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppContainer\\Storage\\microsoft.microsoftedge.stable_8wekyb3d8bbwe\\ResourcesConfig\\CachedMergedResourcesPriFileName"
              }
            ],
            "repeated": 0,
            "id": 21259
          },
          {
            "timestamp": "2026-05-28 22:02:12,584",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x00000ab4"
              }
            ],
            "repeated": 0,
            "id": 21260
          },
          {
            "timestamp": "2026-05-28 22:02:12,584",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "39"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 21261
          },
          {
            "timestamp": "2026-05-28 22:02:12,584",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "39"
              },
              {
                "name": "TokenInformation",
                "value": "\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x87\\xe4T\\x92\\x02\\x00\\x00 \\x00 \\x00\\x00\\x00\\x00\\x00(\\x87\\xe4T\\x92\\x02\\x00\\x00\\x02\\x00\\x00\\x00A\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00H\\x87\\xe4T\\x92\\x02\\x00\\x00T\\x00S\\x00A\\x00:\\x00/\\x00/\\x00P\\x00r\\x00o\\x00c\\x00U\\x00n\\x00i\\x00q\\x00u\\x00e\\x00\\x88\\x00\\x00\\x00\\x00\\x00\\x00\\x00k\\xc4\t\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 21262
          },
          {
            "timestamp": "2026-05-28 22:02:12,584",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000ab4"
              }
            ],
            "repeated": 0,
            "id": 21263
          },
          {
            "timestamp": "2026-05-28 22:02:12,584",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000aa0"
              }
            ],
            "repeated": 0,
            "id": 21264
          },
          {
            "timestamp": "2026-05-28 22:02:12,584",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 21265
          },
          {
            "timestamp": "2026-05-28 22:02:12,584",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000000d4"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 21266
          },
          {
            "timestamp": "2026-05-28 22:02:12,584",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000000d4"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Mrt\\_Merged"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Mrt\\_Merged"
              }
            ],
            "repeated": 0,
            "id": 21267
          },
          {
            "timestamp": "2026-05-28 22:02:12,584",
            "thread_id": "5448",
            "caller": "0x7ff6c28c96bf",
            "parentcaller": "0x7ff6c28c97aa",
            "category": "filesystem",
            "api": "NtQueryFullAttributesFile",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\resources.pri"
              }
            ],
            "repeated": 1,
            "id": 21268
          },
          {
            "timestamp": "2026-05-28 22:02:12,584",
            "thread_id": "5448",
            "caller": "0x7ff6c28ba417",
            "parentcaller": "0x7ff6c28ba33d",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\SmallLogo.png"
              }
            ],
            "repeated": 1,
            "id": 21269
          },
          {
            "timestamp": "2026-05-28 22:02:12,584",
            "thread_id": "5448",
            "caller": "0x7ff6c28ba589",
            "parentcaller": "0x7ff6c28ba4a3",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "317D06E8-5F24-433D-BDF7-79CE68D8ABC2"
              },
              {
                "name": "ClsContext",
                "value": "0x00000001",
                "pretty_value": "CLSCTX_INPROC_SERVER"
              },
              {
                "name": "riid",
                "value": "EC5EC8A9-C395-4314-9C77-54D7A935FF70"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 21270
          },
          {
            "timestamp": "2026-05-28 22:02:12,584",
            "thread_id": "5448",
            "caller": "0x7ff6c28ba673",
            "parentcaller": "0x7ff6c28ba5a8",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000000c0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\SmallLogo.png"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "1",
                "pretty_value": "FILE_SHARE_READ"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000080",
                "pretty_value": "FILE_ATTRIBUTE_NORMAL"
              },
              {
                "name": "ExistedBefore",
                "value": "no"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 21271
          },
          {
            "timestamp": "2026-05-28 22:02:12,584",
            "thread_id": "5448",
            "caller": "0x7ff6c28bb952",
            "parentcaller": "0x7ff6c28be837",
            "category": "windows",
            "api": "PostMessageW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "WindowHandle",
                "value": "0x00010402"
              },
              {
                "name": "Message",
                "value": "0x00000464"
              }
            ],
            "repeated": 0,
            "id": 21272
          },
          {
            "timestamp": "2026-05-28 22:02:12,584",
            "thread_id": "608",
            "caller": "0x7ff6c28d9e90",
            "parentcaller": "0x7ff6c28d9a49",
            "category": "windows",
            "api": "FindWindowW",
            "status": true,
            "return": "0x00010092",
            "arguments": [
              {
                "name": "ClassName",
                "value": "Shell_TrayWnd"
              },
              {
                "name": "WindowName",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 21273
          },
          {
            "timestamp": "2026-05-28 22:02:12,584",
            "thread_id": "1276",
            "caller": "0x7ffc77bf0e98",
            "parentcaller": "0x7ffc77c6b785",
            "category": "windows",
            "api": "PostMessageW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "WindowHandle",
                "value": "0x00010438"
              },
              {
                "name": "Message",
                "value": "0x00000400"
              }
            ],
            "repeated": 0,
            "id": 21274
          },
          {
            "timestamp": "2026-05-28 22:02:12,584",
            "thread_id": "3700",
            "caller": "0x7ffc7571ebae",
            "parentcaller": "0x7ffc775c712f",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "0",
                "pretty_value": "ThreadBasicInformation"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x03\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xf0\\x87\\x9d\\xf0\\x00\\x00\\x00\\xe8\\x1e\\x00\\x00\\x00\\x00\\x00\\x00t\\x0e\\x00\\x00\\x00\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\t\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "3700"
              }
            ],
            "repeated": 0,
            "id": 21275
          },
          {
            "timestamp": "2026-05-28 22:02:12,584",
            "thread_id": "1496",
            "caller": "0x7ff6c28da9db",
            "parentcaller": "0x7ff6c28d6fb1",
            "category": "misc",
            "api": "GetCursorPos",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "x",
                "value": "1028"
              },
              {
                "name": "y",
                "value": "649"
              }
            ],
            "repeated": 0,
            "id": 21276
          },
          {
            "timestamp": "2026-05-28 22:02:12,584",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6fb1",
            "parentcaller": "0x7ff6c28e0076",
            "category": "system",
            "api": "NtDelayExecution",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 21277
          },
          {
            "timestamp": "2026-05-28 22:02:12,584",
            "thread_id": "1496",
            "caller": "0x7ff6c28da9db",
            "parentcaller": "0x7ff6c28d6fb1",
            "category": "misc",
            "api": "GetCursorPos",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "x",
                "value": "1027"
              },
              {
                "name": "y",
                "value": "649"
              }
            ],
            "repeated": 0,
            "id": 21278
          },
          {
            "timestamp": "2026-05-28 22:02:12,584",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6fb1",
            "parentcaller": "0x7ff6c28e0076",
            "category": "system",
            "api": "NtDelayExecution",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 21279
          },
          {
            "timestamp": "2026-05-28 22:02:12,600",
            "thread_id": "1496",
            "caller": "0x7ff6c28da9db",
            "parentcaller": "0x7ff6c28d6fb1",
            "category": "misc",
            "api": "GetCursorPos",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "x",
                "value": "1024"
              },
              {
                "name": "y",
                "value": "649"
              }
            ],
            "repeated": 0,
            "id": 21280
          },
          {
            "timestamp": "2026-05-28 22:02:12,600",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6fb1",
            "parentcaller": "0x7ff6c28e0076",
            "category": "system",
            "api": "NtDelayExecution",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 21281
          },
          {
            "timestamp": "2026-05-28 22:02:12,615",
            "thread_id": "1496",
            "caller": "0x7ff6c28da9db",
            "parentcaller": "0x7ff6c28d6fb1",
            "category": "misc",
            "api": "GetCursorPos",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "x",
                "value": "1013"
              },
              {
                "name": "y",
                "value": "648"
              }
            ],
            "repeated": 0,
            "id": 21282
          },
          {
            "timestamp": "2026-05-28 22:02:12,615",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6fb1",
            "parentcaller": "0x7ff6c28e0076",
            "category": "system",
            "api": "NtDelayExecution",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 21283
          },
          {
            "timestamp": "2026-05-28 22:02:12,615",
            "thread_id": "1496",
            "caller": "0x7ff6c28da9db",
            "parentcaller": "0x7ff6c28d6fb1",
            "category": "misc",
            "api": "GetCursorPos",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "x",
                "value": "1008"
              },
              {
                "name": "y",
                "value": "648"
              }
            ],
            "repeated": 0,
            "id": 21284
          },
          {
            "timestamp": "2026-05-28 22:02:12,615",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6fb1",
            "parentcaller": "0x7ff6c28e0076",
            "category": "system",
            "api": "NtDelayExecution",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 21285
          },
          {
            "timestamp": "2026-05-28 22:02:12,615",
            "thread_id": "1496",
            "caller": "0x7ff6c28da9db",
            "parentcaller": "0x7ff6c28d6fb1",
            "category": "misc",
            "api": "GetCursorPos",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "x",
                "value": "1006"
              },
              {
                "name": "y",
                "value": "648"
              }
            ],
            "repeated": 0,
            "id": 21286
          },
          {
            "timestamp": "2026-05-28 22:02:12,615",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6fb1",
            "parentcaller": "0x7ff6c28e0076",
            "category": "system",
            "api": "NtDelayExecution",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 21287
          },
          {
            "timestamp": "2026-05-28 22:02:12,631",
            "thread_id": "1496",
            "caller": "0x7ff6c28da9db",
            "parentcaller": "0x7ff6c28d6fb1",
            "category": "misc",
            "api": "GetCursorPos",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "x",
                "value": "1004"
              },
              {
                "name": "y",
                "value": "648"
              }
            ],
            "repeated": 0,
            "id": 21288
          },
          {
            "timestamp": "2026-05-28 22:02:12,631",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6fb1",
            "parentcaller": "0x7ff6c28e0076",
            "category": "system",
            "api": "NtDelayExecution",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 21289
          },
          {
            "timestamp": "2026-05-28 22:02:12,662",
            "thread_id": "1496",
            "caller": "0x7ff6c28da9db",
            "parentcaller": "0x7ff6c28d6fb1",
            "category": "misc",
            "api": "GetCursorPos",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "x",
                "value": "977"
              },
              {
                "name": "y",
                "value": "648"
              }
            ],
            "repeated": 0,
            "id": 21290
          },
          {
            "timestamp": "2026-05-28 22:02:12,662",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6fb1",
            "parentcaller": "0x7ff6c28e0076",
            "category": "system",
            "api": "NtDelayExecution",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 21291
          },
          {
            "timestamp": "2026-05-28 22:02:12,662",
            "thread_id": "1496",
            "caller": "0x7ff6c28da9db",
            "parentcaller": "0x7ff6c28d6fb1",
            "category": "misc",
            "api": "GetCursorPos",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "x",
                "value": "974"
              },
              {
                "name": "y",
                "value": "648"
              }
            ],
            "repeated": 0,
            "id": 21292
          },
          {
            "timestamp": "2026-05-28 22:02:12,662",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6fb1",
            "parentcaller": "0x7ff6c28e0076",
            "category": "system",
            "api": "NtDelayExecution",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 21293
          },
          {
            "timestamp": "2026-05-28 22:02:12,678",
            "thread_id": "1496",
            "caller": "0x7ff6c28da9db",
            "parentcaller": "0x7ff6c28d6fb1",
            "category": "misc",
            "api": "GetCursorPos",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "x",
                "value": "971"
              },
              {
                "name": "y",
                "value": "648"
              }
            ],
            "repeated": 0,
            "id": 21294
          },
          {
            "timestamp": "2026-05-28 22:02:12,678",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6fb1",
            "parentcaller": "0x7ff6c28e0076",
            "category": "system",
            "api": "NtDelayExecution",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 21295
          },
          {
            "timestamp": "2026-05-28 22:02:12,678",
            "thread_id": "1496",
            "caller": "0x7ff6c28da9db",
            "parentcaller": "0x7ff6c28d6fb1",
            "category": "misc",
            "api": "GetCursorPos",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "x",
                "value": "968"
              },
              {
                "name": "y",
                "value": "648"
              }
            ],
            "repeated": 0,
            "id": 21296
          },
          {
            "timestamp": "2026-05-28 22:02:12,678",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6fb1",
            "parentcaller": "0x7ff6c28e0076",
            "category": "system",
            "api": "NtDelayExecution",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 21297
          },
          {
            "timestamp": "2026-05-28 22:02:12,678",
            "thread_id": "1496",
            "caller": "0x7ff6c28da9db",
            "parentcaller": "0x7ff6c28d6fb1",
            "category": "misc",
            "api": "GetCursorPos",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "x",
                "value": "965"
              },
              {
                "name": "y",
                "value": "648"
              }
            ],
            "repeated": 0,
            "id": 21298
          },
          {
            "timestamp": "2026-05-28 22:02:12,678",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6fb1",
            "parentcaller": "0x7ff6c28e0076",
            "category": "system",
            "api": "NtDelayExecution",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 21299
          },
          {
            "timestamp": "2026-05-28 22:02:12,678",
            "thread_id": "1496",
            "caller": "0x7ff6c28da9db",
            "parentcaller": "0x7ff6c28d6fb1",
            "category": "misc",
            "api": "GetCursorPos",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "x",
                "value": "963"
              },
              {
                "name": "y",
                "value": "648"
              }
            ],
            "repeated": 0,
            "id": 21300
          },
          {
            "timestamp": "2026-05-28 22:02:12,678",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6fb1",
            "parentcaller": "0x7ff6c28e0076",
            "category": "system",
            "api": "NtDelayExecution",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 21301
          },
          {
            "timestamp": "2026-05-28 22:02:12,693",
            "thread_id": "1496",
            "caller": "0x7ff6c28da9db",
            "parentcaller": "0x7ff6c28d6fb1",
            "category": "misc",
            "api": "GetCursorPos",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "x",
                "value": "960"
              },
              {
                "name": "y",
                "value": "648"
              }
            ],
            "repeated": 0,
            "id": 21302
          },
          {
            "timestamp": "2026-05-28 22:02:12,693",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6fb1",
            "parentcaller": "0x7ff6c28e0076",
            "category": "system",
            "api": "NtDelayExecution",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 21303
          },
          {
            "timestamp": "2026-05-28 22:02:12,693",
            "thread_id": "1496",
            "caller": "0x7ff6c28da9db",
            "parentcaller": "0x7ff6c28d6fb1",
            "category": "misc",
            "api": "GetCursorPos",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "x",
                "value": "956"
              },
              {
                "name": "y",
                "value": "648"
              }
            ],
            "repeated": 0,
            "id": 21304
          },
          {
            "timestamp": "2026-05-28 22:02:12,693",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6fb1",
            "parentcaller": "0x7ff6c28e0076",
            "category": "system",
            "api": "NtDelayExecution",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 21305
          },
          {
            "timestamp": "2026-05-28 22:02:12,693",
            "thread_id": "1496",
            "caller": "0x7ff6c28da9db",
            "parentcaller": "0x7ff6c28d6fb1",
            "category": "misc",
            "api": "GetCursorPos",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "x",
                "value": "954"
              },
              {
                "name": "y",
                "value": "648"
              }
            ],
            "repeated": 0,
            "id": 21306
          },
          {
            "timestamp": "2026-05-28 22:02:12,693",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6fb1",
            "parentcaller": "0x7ff6c28e0076",
            "category": "system",
            "api": "NtDelayExecution",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 21307
          },
          {
            "timestamp": "2026-05-28 22:02:12,709",
            "thread_id": "1496",
            "caller": "0x7ff6c28da9db",
            "parentcaller": "0x7ff6c28d6fb1",
            "category": "misc",
            "api": "GetCursorPos",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "x",
                "value": "949"
              },
              {
                "name": "y",
                "value": "648"
              }
            ],
            "repeated": 0,
            "id": 21308
          },
          {
            "timestamp": "2026-05-28 22:02:12,709",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6fb1",
            "parentcaller": "0x7ff6c28e0076",
            "category": "system",
            "api": "NtDelayExecution",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 21309
          },
          {
            "timestamp": "2026-05-28 22:02:12,709",
            "thread_id": "1496",
            "caller": "0x7ff6c28da9db",
            "parentcaller": "0x7ff6c28d6fb1",
            "category": "misc",
            "api": "GetCursorPos",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "x",
                "value": "947"
              },
              {
                "name": "y",
                "value": "648"
              }
            ],
            "repeated": 0,
            "id": 21310
          },
          {
            "timestamp": "2026-05-28 22:02:12,709",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6fb1",
            "parentcaller": "0x7ff6c28e0076",
            "category": "system",
            "api": "NtDelayExecution",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 21311
          },
          {
            "timestamp": "2026-05-28 22:02:12,709",
            "thread_id": "1496",
            "caller": "0x7ff6c28da9db",
            "parentcaller": "0x7ff6c28d6fb1",
            "category": "misc",
            "api": "GetCursorPos",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "x",
                "value": "945"
              },
              {
                "name": "y",
                "value": "648"
              }
            ],
            "repeated": 0,
            "id": 21312
          },
          {
            "timestamp": "2026-05-28 22:02:12,709",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6fb1",
            "parentcaller": "0x7ff6c28e0076",
            "category": "system",
            "api": "NtDelayExecution",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 21313
          },
          {
            "timestamp": "2026-05-28 22:02:12,725",
            "thread_id": "1496",
            "caller": "0x7ff6c28da9db",
            "parentcaller": "0x7ff6c28d6fb1",
            "category": "misc",
            "api": "GetCursorPos",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "x",
                "value": "943"
              },
              {
                "name": "y",
                "value": "649"
              }
            ],
            "repeated": 0,
            "id": 21314
          },
          {
            "timestamp": "2026-05-28 22:02:12,725",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6fb1",
            "parentcaller": "0x7ff6c28e0076",
            "category": "system",
            "api": "NtDelayExecution",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 21315
          },
          {
            "timestamp": "2026-05-28 22:02:12,725",
            "thread_id": "1496",
            "caller": "0x7ff6c28da9db",
            "parentcaller": "0x7ff6c28d6fb1",
            "category": "misc",
            "api": "GetCursorPos",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "x",
                "value": "941"
              },
              {
                "name": "y",
                "value": "649"
              }
            ],
            "repeated": 0,
            "id": 21316
          },
          {
            "timestamp": "2026-05-28 22:02:12,725",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6fb1",
            "parentcaller": "0x7ff6c28e0076",
            "category": "system",
            "api": "NtDelayExecution",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 21317
          },
          {
            "timestamp": "2026-05-28 22:02:12,725",
            "thread_id": "1496",
            "caller": "0x7ff6c28da9db",
            "parentcaller": "0x7ff6c28d6fb1",
            "category": "misc",
            "api": "GetCursorPos",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "x",
                "value": "939"
              },
              {
                "name": "y",
                "value": "649"
              }
            ],
            "repeated": 0,
            "id": 21318
          },
          {
            "timestamp": "2026-05-28 22:02:12,725",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6fb1",
            "parentcaller": "0x7ff6c28e0076",
            "category": "system",
            "api": "NtDelayExecution",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 21319
          },
          {
            "timestamp": "2026-05-28 22:02:12,725",
            "thread_id": "1496",
            "caller": "0x7ff6c28da9db",
            "parentcaller": "0x7ff6c28d6fb1",
            "category": "misc",
            "api": "GetCursorPos",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "x",
                "value": "938"
              },
              {
                "name": "y",
                "value": "649"
              }
            ],
            "repeated": 0,
            "id": 21320
          },
          {
            "timestamp": "2026-05-28 22:02:12,725",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6fb1",
            "parentcaller": "0x7ff6c28e0076",
            "category": "system",
            "api": "NtDelayExecution",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 21321
          },
          {
            "timestamp": "2026-05-28 22:02:12,740",
            "thread_id": "1496",
            "caller": "0x7ff6c28da9db",
            "parentcaller": "0x7ff6c28d6fb1",
            "category": "misc",
            "api": "GetCursorPos",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "x",
                "value": "936"
              },
              {
                "name": "y",
                "value": "649"
              }
            ],
            "repeated": 0,
            "id": 21322
          },
          {
            "timestamp": "2026-05-28 22:02:12,740",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6fb1",
            "parentcaller": "0x7ff6c28e0076",
            "category": "system",
            "api": "NtDelayExecution",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 21323
          },
          {
            "timestamp": "2026-05-28 22:02:12,740",
            "thread_id": "1496",
            "caller": "0x7ff6c28da9db",
            "parentcaller": "0x7ff6c28d6fb1",
            "category": "misc",
            "api": "GetCursorPos",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "x",
                "value": "934"
              },
              {
                "name": "y",
                "value": "650"
              }
            ],
            "repeated": 0,
            "id": 21324
          },
          {
            "timestamp": "2026-05-28 22:02:12,740",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6fb1",
            "parentcaller": "0x7ff6c28e0076",
            "category": "system",
            "api": "NtDelayExecution",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 21325
          },
          {
            "timestamp": "2026-05-28 22:02:12,740",
            "thread_id": "1496",
            "caller": "0x7ff6c28da9db",
            "parentcaller": "0x7ff6c28d6fb1",
            "category": "misc",
            "api": "GetCursorPos",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "x",
                "value": "933"
              },
              {
                "name": "y",
                "value": "650"
              }
            ],
            "repeated": 0,
            "id": 21326
          },
          {
            "timestamp": "2026-05-28 22:02:12,740",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6fb1",
            "parentcaller": "0x7ff6c28e0076",
            "category": "system",
            "api": "NtDelayExecution",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 21327
          },
          {
            "timestamp": "2026-05-28 22:02:12,740",
            "thread_id": "1496",
            "caller": "0x7ff6c28da9db",
            "parentcaller": "0x7ff6c28d6fb1",
            "category": "misc",
            "api": "GetCursorPos",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "x",
                "value": "931"
              },
              {
                "name": "y",
                "value": "650"
              }
            ],
            "repeated": 0,
            "id": 21328
          },
          {
            "timestamp": "2026-05-28 22:02:12,740",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6fb1",
            "parentcaller": "0x7ff6c28e0076",
            "category": "system",
            "api": "NtDelayExecution",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 21329
          },
          {
            "timestamp": "2026-05-28 22:02:12,756",
            "thread_id": "1496",
            "caller": "0x7ff6c28da9db",
            "parentcaller": "0x7ff6c28d6fb1",
            "category": "misc",
            "api": "GetCursorPos",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "x",
                "value": "929"
              },
              {
                "name": "y",
                "value": "651"
              }
            ],
            "repeated": 0,
            "id": 21330
          },
          {
            "timestamp": "2026-05-28 22:02:12,756",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6fb1",
            "parentcaller": "0x7ff6c28e0076",
            "category": "system",
            "api": "NtDelayExecution",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 21331
          },
          {
            "timestamp": "2026-05-28 22:02:12,787",
            "thread_id": "1496",
            "caller": "0x7ff6c28da9db",
            "parentcaller": "0x7ff6c28d6fb1",
            "category": "misc",
            "api": "GetCursorPos",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "x",
                "value": "919"
              },
              {
                "name": "y",
                "value": "653"
              }
            ],
            "repeated": 0,
            "id": 21332
          },
          {
            "timestamp": "2026-05-28 22:02:12,787",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6fb1",
            "parentcaller": "0x7ff6c28e0076",
            "category": "system",
            "api": "NtDelayExecution",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 21333
          },
          {
            "timestamp": "2026-05-28 22:02:12,787",
            "thread_id": "1496",
            "caller": "0x7ff6c28da9db",
            "parentcaller": "0x7ff6c28d6fb1",
            "category": "misc",
            "api": "GetCursorPos",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "x",
                "value": "918"
              },
              {
                "name": "y",
                "value": "653"
              }
            ],
            "repeated": 0,
            "id": 21334
          },
          {
            "timestamp": "2026-05-28 22:02:12,787",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6fb1",
            "parentcaller": "0x7ff6c28e0076",
            "category": "system",
            "api": "NtDelayExecution",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 21335
          },
          {
            "timestamp": "2026-05-28 22:02:12,803",
            "thread_id": "1496",
            "caller": "0x7ff6c28da9db",
            "parentcaller": "0x7ff6c28d6fb1",
            "category": "misc",
            "api": "GetCursorPos",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "x",
                "value": "917"
              },
              {
                "name": "y",
                "value": "653"
              }
            ],
            "repeated": 0,
            "id": 21336
          },
          {
            "timestamp": "2026-05-28 22:02:12,803",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6fb1",
            "parentcaller": "0x7ff6c28e0076",
            "category": "system",
            "api": "NtDelayExecution",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 21337
          },
          {
            "timestamp": "2026-05-28 22:02:12,803",
            "thread_id": "1496",
            "caller": "0x7ff6c28da9db",
            "parentcaller": "0x7ff6c28d6fb1",
            "category": "misc",
            "api": "GetCursorPos",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "x",
                "value": "916"
              },
              {
                "name": "y",
                "value": "653"
              }
            ],
            "repeated": 0,
            "id": 21338
          },
          {
            "timestamp": "2026-05-28 22:02:12,803",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6fb1",
            "parentcaller": "0x7ff6c28e0076",
            "category": "system",
            "api": "NtDelayExecution",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 21339
          },
          {
            "timestamp": "2026-05-28 22:02:12,818",
            "thread_id": "1496",
            "caller": "0x7ff6c28da9db",
            "parentcaller": "0x7ff6c28d6fb1",
            "category": "misc",
            "api": "GetCursorPos",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "x",
                "value": "915"
              },
              {
                "name": "y",
                "value": "653"
              }
            ],
            "repeated": 0,
            "id": 21340
          },
          {
            "timestamp": "2026-05-28 22:02:12,818",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6fb1",
            "parentcaller": "0x7ff6c28e0076",
            "category": "system",
            "api": "NtDelayExecution",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 21341
          },
          {
            "timestamp": "2026-05-28 22:02:12,818",
            "thread_id": "1496",
            "caller": "0x7ff6c28da9db",
            "parentcaller": "0x7ff6c28d6fb1",
            "category": "misc",
            "api": "GetCursorPos",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "x",
                "value": "915"
              },
              {
                "name": "y",
                "value": "654"
              }
            ],
            "repeated": 0,
            "id": 21342
          },
          {
            "timestamp": "2026-05-28 22:02:12,865",
            "thread_id": "1496",
            "caller": "0x7ff6c28da9db",
            "parentcaller": "0x7ff6c28d6fb1",
            "category": "misc",
            "api": "GetCursorPos",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "x",
                "value": "914"
              },
              {
                "name": "y",
                "value": "654"
              }
            ],
            "repeated": 0,
            "id": 21343
          },
          {
            "timestamp": "2026-05-28 22:02:12,865",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6fb1",
            "parentcaller": "0x7ff6c28e0076",
            "category": "system",
            "api": "NtDelayExecution",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 21344
          },
          {
            "timestamp": "2026-05-28 22:02:13,365",
            "thread_id": "1496",
            "caller": "0x7ff6c28da9db",
            "parentcaller": "0x7ff6c28d6f98",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00001016"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 21345
          },
          {
            "timestamp": "2026-05-28 22:02:13,365",
            "thread_id": "1496",
            "caller": "0x7ff6c28da9db",
            "parentcaller": "0x7ff6c28d6f98",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00001018"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 21346
          },
          {
            "timestamp": "2026-05-28 22:02:13,365",
            "thread_id": "1496",
            "caller": "0x7ff6c28da9db",
            "parentcaller": "0x7ff6c28d6f98",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29253bac000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 21347
          },
          {
            "timestamp": "2026-05-28 22:02:13,365",
            "thread_id": "1496",
            "caller": "0x7ff6c28da9db",
            "parentcaller": "0x7ff6c28d6f98",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00000042"
              },
              {
                "name": "uiParam",
                "value": "0x00000010"
              }
            ],
            "repeated": 0,
            "id": 21348
          },
          {
            "timestamp": "2026-05-28 22:02:13,381",
            "thread_id": "1496",
            "caller": "0x7ff6c28da9db",
            "parentcaller": "0x7ff6c28d6fb1",
            "category": "misc",
            "api": "GetCursorPos",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "x",
                "value": "914"
              },
              {
                "name": "y",
                "value": "654"
              }
            ],
            "repeated": 0,
            "id": 21349
          },
          {
            "timestamp": "2026-05-28 22:02:13,381",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6fb1",
            "parentcaller": "0x7ff6c28e0076",
            "category": "system",
            "api": "NtDelayExecution",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 21350
          },
          {
            "timestamp": "2026-05-28 22:02:13,381",
            "thread_id": "5448",
            "caller": "0x7ff6c28bd9af",
            "parentcaller": "0x7ff6c28d9f92",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "23"
              },
              {
                "name": "ThreadInformation",
                "value": "\\xdaF\\x10_\\x00\\x00\\x00\\x00\\xe2\\xbf\\x03\\xb8L\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "5448"
              }
            ],
            "repeated": 0,
            "id": 21351
          },
          {
            "timestamp": "2026-05-28 22:02:13,381",
            "thread_id": "5448",
            "caller": "0x7ff6c28c63dd",
            "parentcaller": "0x7ff6c28bac26",
            "category": "misc",
            "api": "NtQuerySystemInformation",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SystemInformationClass",
                "value": "5",
                "pretty_value": "FILE_OVERWRITE_IF"
              }
            ],
            "repeated": 0,
            "id": 21352
          },
          {
            "timestamp": "2026-05-28 22:02:13,381",
            "thread_id": "5448",
            "caller": "0x7ff6c28bda50",
            "parentcaller": "0x7ff6c28d9f92",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "23"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x14\rQ_\\x00\\x00\\x00\\x00\\xd2\\x0eG\\xb8L\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "5448"
              }
            ],
            "repeated": 0,
            "id": 21353
          },
          {
            "timestamp": "2026-05-28 22:02:13,381",
            "thread_id": "5448",
            "caller": "0x7ff6c28bdaa2",
            "parentcaller": "0x7ff6c28d9f92",
            "category": "misc",
            "api": "NtQuerySystemInformation",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SystemInformationClass",
                "value": "3",
                "pretty_value": "FILE_OPEN_IF"
              }
            ],
            "repeated": 0,
            "id": 21354
          },
          {
            "timestamp": "2026-05-28 22:02:13,381",
            "thread_id": "5448",
            "caller": "0x7ff6c28c4a58",
            "parentcaller": "0x7ff6c28c4bdc",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000410"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\PcwDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00224013"
              },
              {
                "name": "InputBuffer",
                "value": "\\x14\\x04\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": "\\xb8\\x01\\x00\\x00\\x10\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xa8\\x01\\x00\\x00 \\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x000\\x00\\x00\\x0c\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00`\\x00\\x00\\x00\\x00\\x00\\x00\\x00 \\x00\\x00\\x00\\x04\\x00\\x00\\x000\\x00,\\x000\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x04\\x00\\x08\\x00\\xfc\\xbe\\x80\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x05\\x00\\x08\\x00N\\x9f\\x84\\x01\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x1a\\x00\\x08\\x004\\xe6\\xc7\\xa0\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x1b\\x00\\x04\\x00\\x1fW \\x03\\x00\\x00\\x00\\x00`\\x00\\x00\\x00\\x01\\x00\\x00\\x00 \\x00\\x00\\x00\\x04\\x00\\x00\\x000\\x00,\\x001\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x04\\x00\\x08\\x00\\x92+P\\x01\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x05\\x00\\x08\\x00v\\xb0\\x10\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x1a\\x00\\x08\\x00x\\xee\\xf5\\x9f\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x1b\\x00\\x04\\x00%W \\x03\\x00\\x00\\x00\\x00h\\x00\\x00\\x00\\x02\\x00\\x00\\x00(\\x00\\x00\\x00\\x04\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 21355
          },
          {
            "timestamp": "2026-05-28 22:02:13,381",
            "thread_id": "5448",
            "caller": "0x7ff6c28c4a58",
            "parentcaller": "0x7ff6c28c4c19",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000410"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\PcwDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00224013"
              },
              {
                "name": "InputBuffer",
                "value": "\\x18\\x04\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": "x\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00h\\x00\\x00\\x00 \\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00H\\x00\\x00\\x00\\x00\\x00\\x00\\x00(\\x00\\x00\\x00\\x02\\x00\\x00\\x00d\\x00e\\x00f\\x00a\\x00u\\x00l\\x00t\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x08\\x00\\x1b\\x92\\xcb\\xa0\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x01\\x00\\x08\\x00\\x00d:\\x0b\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 21356
          },
          {
            "timestamp": "2026-05-28 22:02:13,381",
            "thread_id": "5448",
            "caller": "0x7ff6c28c6f7b",
            "parentcaller": "0x7ff6c28bdb94",
            "category": "misc",
            "api": "GlobalMemoryStatusEx",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "MemoryLoad",
                "value": "37"
              },
              {
                "name": "TotalPhysicalMB",
                "value": "8191"
              }
            ],
            "repeated": 0,
            "id": 21357
          },
          {
            "timestamp": "2026-05-28 22:02:13,381",
            "thread_id": "5448",
            "caller": "0x7ff6c28c05ac",
            "parentcaller": "0x7ff6c28bdc11",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000ab0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001400",
                "pretty_value": "PROCESS_QUERY_INFORMATION|PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "748"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\148.0.3967.83\\identity_helper.exe"
              }
            ],
            "repeated": 0,
            "id": 21358
          },
          {
            "timestamp": "2026-05-28 22:02:13,381",
            "thread_id": "5448",
            "caller": "0x7ff6c28c068f",
            "parentcaller": "0x7ff6c28bdc11",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000ab0"
              }
            ],
            "repeated": 0,
            "id": 21359
          },
          {
            "timestamp": "2026-05-28 22:02:13,381",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c6d7d",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000ab0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001400",
                "pretty_value": "PROCESS_QUERY_INFORMATION|PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "748"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\148.0.3967.83\\identity_helper.exe"
              }
            ],
            "repeated": 0,
            "id": 21360
          },
          {
            "timestamp": "2026-05-28 22:02:13,381",
            "thread_id": "5448",
            "caller": "0x7ff6c28c6de3",
            "parentcaller": "0x7ff6c28c087c",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000ab0"
              }
            ],
            "repeated": 0,
            "id": 21361
          },
          {
            "timestamp": "2026-05-28 22:02:13,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28c4a58",
            "parentcaller": "0x7ff6c28bab11",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000410"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\PcwDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00224013"
              },
              {
                "name": "InputBuffer",
                "value": "\\x88\\x08\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": "x\\x02\\x00\\x00\\x10\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00h\\x02\\x00\\x00 \\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01<\\x06\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x90\\x00\\x00\\x00\\x00\\x00\\x00\\x00 \\x00\\x00\\x00\\x07\\x00\\x00\\x000\\x00,\\x000\\x00\\x00\\x00a\\x00n\\x00a\\x00g\\x00\\x10\\x00\\x00\\x00\\x10\\x00\\x04\\x00\\x00\\x00\\x00\\x00A\\x00p\\x00\\x10\\x00\\x00\\x00\\x1a\\x00\\x08\\x00\\xe1D\\xc8\\xa0\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x1b\\x00\\x04\\x00\\x11X \\x03S\\x00e\\x00\\x10\\x00\\x00\\x00\\x1c\\x00\\x08\\x00\\x8b\\xc2\\xc4\\x08\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x1d\\x00\\x04\\x00\\x11X \\x03)\\x00\\x00\\x00\\x10\\x00\\x00\\x00!\\x00\\x08\\x00\\x95\\x84o&\\x17\\x00\\x00\\x00\\x10\\x00\\x00\\x00\"\\x00\\x04\\x00J\\x9a\\x9b\\x01o\\x00f\\x00\\x90\\x00\\x00\\x00\\x01\\x00\\x00\\x00 \\x00\\x00\\x00\\x07\\x00\\x00\\x000\\x00,\\x001\\x00\\x00\\x00n\\x00t\\x00\\x00\\x00A\\x00\\x10\\x00\\x00\\x00\\x10\\x00\\x04\\x00\\x00\\x00\\x00\\x00e\\x00n\\x00\\x10\\x00\\x00\\x00\\x1a\\x00\\x08\\x00\\x9cL\\xf6\\x9f\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 21362
          },
          {
            "timestamp": "2026-05-28 22:02:13,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28c7164",
            "parentcaller": "0x7ff6c28c4d2d",
            "category": "misc",
            "api": "NtQuerySystemInformation",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "SystemInformationClass",
                "value": "79"
              }
            ],
            "repeated": 0,
            "id": 21363
          },
          {
            "timestamp": "2026-05-28 22:02:13,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28c71d8",
            "parentcaller": "0x7ff6c28c4d2d",
            "category": "misc",
            "api": "NtQuerySystemInformation",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SystemInformationClass",
                "value": "79"
              }
            ],
            "repeated": 0,
            "id": 21364
          },
          {
            "timestamp": "2026-05-28 22:02:13,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28c4d5f",
            "parentcaller": "0x7ff6c28d9152",
            "category": "misc",
            "api": "NtQuerySystemInformation",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SystemInformationClass",
                "value": "182"
              }
            ],
            "repeated": 0,
            "id": 21365
          },
          {
            "timestamp": "2026-05-28 22:02:13,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28c4d76",
            "parentcaller": "0x7ff6c28d9152",
            "category": "misc",
            "api": "GetPhysicallyInstalledSystemMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TotalMemoryInKilobytes",
                "value": "8388608"
              }
            ],
            "repeated": 0,
            "id": 21366
          },
          {
            "timestamp": "2026-05-28 22:02:13,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28bcc3e",
            "parentcaller": "0x7ff6c28baa3d",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000008a4"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\Nsi"
              },
              {
                "name": "IoControlCode",
                "value": "0x00120007"
              },
              {
                "name": "InputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb1\\xa9t\\xfc\\x7f\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xc0\\xe5O\\x9e\\xf0\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb1\\xa9t\\xfc\\x7f\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xc0\\xe5O\\x9e\\xf0\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 21367
          },
          {
            "timestamp": "2026-05-28 22:02:13,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28bcc3e",
            "parentcaller": "0x7ff6c28baa3d",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000ab0"
              }
            ],
            "repeated": 0,
            "id": 21368
          },
          {
            "timestamp": "2026-05-28 22:02:13,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28bcc3e",
            "parentcaller": "0x7ff6c28baa3d",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000008a4"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\Nsi"
              },
              {
                "name": "IoControlCode",
                "value": "0x0012000f"
              },
              {
                "name": "InputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb1\\xa9t\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xd0\\xe5O\\x9e\\xf0\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\xeeO\\x9e\\xf0\\x00\\x00\\x00D\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xe6O\\x9e\\xf0\\x00\\x00\\x00\\xd8\\x00\\x00\\x00\\x00\\x00\\x00\\x00 \\xe9O\\x9e\\xf0\\x00\\x00\\x00X\\x02\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb1\\xa9t\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xd0\\xe5O\\x9e\\xf0\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\xeeO\\x9e\\xf0\\x00\\x00\\x00D\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xe6O\\x9e\\xf0\\x00\\x00\\x00\\xd8\\x00\\x00\\x00\\x00\\x00\\x00\\x00 \\xe9O\\x9e\\xf0\\x00\\x00\\x00X\\x02\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 21369
          },
          {
            "timestamp": "2026-05-28 22:02:13,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28bcc3e",
            "parentcaller": "0x7ff6c28baa3d",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000ab0"
              }
            ],
            "repeated": 0,
            "id": 21370
          },
          {
            "timestamp": "2026-05-28 22:02:13,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28bcd3d",
            "parentcaller": "0x7ff6c28baa3d",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000ab0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0012019f",
                "pretty_value": "FILE_GENERIC_READ|FILE_GENERIC_WRITE"
              },
              {
                "name": "FileName",
                "value": "\\Device\\{4C572733-2FBA-4346-9601-F86DBA666EF2}"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 21371
          },
          {
            "timestamp": "2026-05-28 22:02:13,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28bcd94",
            "parentcaller": "0x7ff6c28baa3d",
            "category": "device",
            "api": "DeviceIoControl",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "DeviceHandle",
                "value": "0x00000ab0"
              },
              {
                "name": "IoControlCode",
                "value": "0x0017003e"
              },
              {
                "name": "InBuffer",
                "value": "\\x07\\x01\\x01\\x00\\x04\\x01\\x01\\x80\\x14\\x01\\x01\\x80\\x01\\x01\\x02\\x00\\x02\\x01\\x02\\x00\\x03\\x01\\x02\\x00\\x04\\x01\\x02\\x00\\x08\\x02\\x02\\x80\\x01\\x02\\x02\\x80\\x07\\x02\\x02\\x80\\xff\\xff\\xff\\x80\\x13\\x02\\x02\\x80\\x14\\x02\\x02\\x80\\x15\\x02\\x02\\x80\\x02\\x02\\x01\\x80"
              },
              {
                "name": "OutBuffer",
                "value": "\\x07\\x01\\x01\\x00\\x04\\x00\\x00\\x00\\x80\\x96\\x98\\x00\\x04\\x01\\x01\\x80\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x14\\x01\\x01\\x80\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x01\\x02\\x00\\x08\\x00\\x00\\x00\\xc3\\x14\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x01\\x02\\x00\\x08\\x00\\x00\\x00\\x8fl\\x00\\x00\\x00\\x00\\x00\\x00\\x03\\x01\\x02\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x04\\x01\\x02\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x08\\x02\\x02\\x80\\x08\\x00\\x00\\x00\\x8al\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x02\\x02\\x80\\x08\\x00\\x00\\x00\\xd5]H\\x00\\x00\\x00\\x00\\x00\\x07\\x02\\x02\\x80\\x08\\x00\\x00\\x000\\xc3,\\x02\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\x80\\x04\\x00\\x00\\x00O\\x00\\x00\\x00\\x13\\x02\\x02\\x80\\x04\\x00\\x00\\x00m\\x00\\x00\\x00\\x14\\x02\\x02\\x80\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x15\\x02\\x02\\x80\\x04\\x00\\x00\\x00\\x00\\x00\\x04\\x00\\x02\\x02\\x01\\x80\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 21372
          },
          {
            "timestamp": "2026-05-28 22:02:13,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28bcdab",
            "parentcaller": "0x7ff6c28baa3d",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000ab0"
              }
            ],
            "repeated": 0,
            "id": 21373
          },
          {
            "timestamp": "2026-05-28 22:02:13,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28c1a63",
            "parentcaller": "0x7ff6c28d9152",
            "category": "device",
            "api": "DeviceIoControl",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "DeviceHandle",
                "value": "0x0000089c"
              },
              {
                "name": "IoControlCode",
                "value": "0x00070020"
              },
              {
                "name": "InBuffer",
                "value": ""
              },
              {
                "name": "OutBuffer",
                "value": "\\x00\\xc8\\xe5u\\x00\\x00\\x00\\x00\\x00\\xb6L\t\\x00\\x00\\x00\\x00\\xd0\\xcca \\x00\\x00\\x00\\x00\\xdf/F\\x13\\x00\\x00\\x00\\x00\\xaf\\x99\\xaa\\x1f\\x00\\x00\\x00\\x00\\xcdu\\x00\\x00\\\\x0f\\x00\\x00\\x01\\x00\\x00\\x00\\xa3\\x04\\x00\\x005Z\\x9a\\xa3\\xed\\xee\\xdc\\x01\\x00\\x00\\x00\\x00P\\x00a\\x00r\\x00t\\x00m\\x00g\\x00r\\x00 \\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 21374
          },
          {
            "timestamp": "2026-05-28 22:02:13,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28ca352",
            "parentcaller": "0x7ff6c28ca1d6",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 21375
          },
          {
            "timestamp": "2026-05-28 22:02:13,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28ca352",
            "parentcaller": "0x7ff6c28ca1d6",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "0",
                "pretty_value": "ThreadBasicInformation"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x03\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb0\\x88\\x9d\\xf0\\x00\\x00\\x00\\xe8\\x1e\\x00\\x00\\x00\\x00\\x00\\x00\\x9c!\\x00\\x00\\x00\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x0b\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "8604"
              }
            ],
            "repeated": 0,
            "id": 21376
          },
          {
            "timestamp": "2026-05-28 22:02:13,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28ca352",
            "parentcaller": "0x7ff6c28ca1d6",
            "category": "system",
            "api": "GetSystemTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 1,
            "id": 21377
          },
          {
            "timestamp": "2026-05-28 22:02:13,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28ca352",
            "parentcaller": "0x7ff6c28ca1d6",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000410"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\PcwDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00224013"
              },
              {
                "name": "InputBuffer",
                "value": "\\x00\t\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": "\\xe0G\\x00\\x00\\x10\\x00\\x00\\x00\\x0c\\x00\\x00\\x00\\x00\\x00\\x00\\x00`\\x14\\x00\\x00 \\x00\\x00\\x00!\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\n\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x98\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x88\\x00\\x00\\x00\\x01\\x00\\x00\\x00p\\x00i\\x00d\\x00_\\x004\\x00_\\x00l\\x00u\\x00i\\x00d\\x00_\\x000\\x00x\\x000\\x000\\x000\\x000\\x000\\x000\\x000\\x000\\x00_\\x000\\x00x\\x000\\x000\\x000\\x000\\x006\\x001\\x006\\x00A\\x00_\\x00p\\x00h\\x00y\\x00s\\x00_\\x000\\x00_\\x00e\\x00n\\x00g\\x00_\\x000\\x00_\\x00e\\x00n\\x00g\\x00t\\x00y\\x00p\\x00e\\x00_\\x003\\x00D\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x01\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x98\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x88\\x00\\x00\\x00\\x01\\x00\\x00\\x00p\\x00i\\x00d\\x00_\\x004\\x00_\\x00l\\x00u\\x00i\\x00d\\x00_\\x000\\x00x\\x000\\x000\\x000\\x000\\x000\\x000\\x000\\x00"
              }
            ],
            "repeated": 0,
            "id": 21378
          },
          {
            "timestamp": "2026-05-28 22:02:13,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28f9829",
            "parentcaller": "0x7ff6c28d8f00",
            "category": "windows",
            "api": "PostMessageW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "WindowHandle",
                "value": "0x000203fa"
              },
              {
                "name": "Message",
                "value": "0x000004e1"
              }
            ],
            "repeated": 0,
            "id": 21379
          },
          {
            "timestamp": "2026-05-28 22:02:13,381",
            "thread_id": "1496",
            "caller": "0x7ff6c2958576",
            "parentcaller": "0x7ff6c2957a42",
            "category": "misc",
            "api": "NtQuerySystemInformation",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SystemInformationClass",
                "value": "3",
                "pretty_value": "FILE_OPEN_IF"
              }
            ],
            "repeated": 0,
            "id": 21380
          },
          {
            "timestamp": "2026-05-28 22:02:13,381",
            "thread_id": "1276",
            "caller": "0x7ff6c28d9214",
            "parentcaller": "0x00000000",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "0",
                "pretty_value": "ThreadBasicInformation"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x03\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xd0\\x87\\x9d\\xf0\\x00\\x00\\x00\\xe8\\x1e\\x00\\x00\\x00\\x00\\x00\\x00\\xfc\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\n\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "1276"
              }
            ],
            "repeated": 0,
            "id": 21381
          },
          {
            "timestamp": "2026-05-28 22:02:13,381",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000000",
                "pretty_value": "HKEY_CLASSES_ROOT"
              },
              {
                "name": "SubKey",
                "value": "CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_CLASSES_ROOT\\CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              }
            ],
            "repeated": 0,
            "id": 21382
          },
          {
            "timestamp": "2026-05-28 22:02:13,381",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "shell32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76730000"
              }
            ],
            "repeated": 0,
            "id": 21383
          },
          {
            "timestamp": "2026-05-28 22:02:13,381",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x7ffc76730000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "shell32.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 21384
          },
          {
            "timestamp": "2026-05-28 22:02:13,381",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "SHELL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc76730000"
              },
              {
                "name": "FunctionName",
                "value": "DllGetClassObject"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc767878f0"
              }
            ],
            "repeated": 0,
            "id": 21385
          },
          {
            "timestamp": "2026-05-28 22:02:13,381",
            "thread_id": "1276",
            "caller": "0x7ff6c28c27c9",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "synchronization",
            "api": "NtFindAtom",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "AtomName",
                "value": "{57086C23-86C6-478F-AFB2-236188C8F47F} 3"
              },
              {
                "name": "Atom",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 21386
          },
          {
            "timestamp": "2026-05-28 22:02:13,381",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000000",
                "pretty_value": "HKEY_CLASSES_ROOT"
              },
              {
                "name": "SubKey",
                "value": "CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_CLASSES_ROOT\\CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              }
            ],
            "repeated": 0,
            "id": 21387
          },
          {
            "timestamp": "2026-05-28 22:02:13,381",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "shell32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76730000"
              }
            ],
            "repeated": 0,
            "id": 21388
          },
          {
            "timestamp": "2026-05-28 22:02:13,381",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x7ffc76730000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "shell32.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 21389
          },
          {
            "timestamp": "2026-05-28 22:02:13,381",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "SHELL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc76730000"
              },
              {
                "name": "FunctionName",
                "value": "DllGetClassObject"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc767878f0"
              }
            ],
            "repeated": 0,
            "id": 21390
          },
          {
            "timestamp": "2026-05-28 22:02:13,381",
            "thread_id": "1276",
            "caller": "0x7ff6c28c27c9",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "synchronization",
            "api": "NtFindAtom",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "AtomName",
                "value": "{57086C23-86C6-478F-AFB2-236188C8F47F} 3"
              },
              {
                "name": "Atom",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 21391
          },
          {
            "timestamp": "2026-05-28 22:02:13,381",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6fb1",
            "parentcaller": "0x7ff6c28e0076",
            "category": "system",
            "api": "NtDelayExecution",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 21392
          },
          {
            "timestamp": "2026-05-28 22:02:13,381",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000000",
                "pretty_value": "HKEY_CLASSES_ROOT"
              },
              {
                "name": "SubKey",
                "value": "CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_CLASSES_ROOT\\CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              }
            ],
            "repeated": 0,
            "id": 21393
          },
          {
            "timestamp": "2026-05-28 22:02:13,381",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "shell32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76730000"
              }
            ],
            "repeated": 0,
            "id": 21394
          },
          {
            "timestamp": "2026-05-28 22:02:13,381",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x7ffc76730000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "shell32.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 21395
          },
          {
            "timestamp": "2026-05-28 22:02:13,381",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "SHELL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc76730000"
              },
              {
                "name": "FunctionName",
                "value": "DllGetClassObject"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc767878f0"
              }
            ],
            "repeated": 0,
            "id": 21396
          },
          {
            "timestamp": "2026-05-28 22:02:13,381",
            "thread_id": "1276",
            "caller": "0x7ff6c28c27c9",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "synchronization",
            "api": "NtFindAtom",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "AtomName",
                "value": "{57086C23-86C6-478F-AFB2-236188C8F47F} 3"
              },
              {
                "name": "Atom",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 21397
          },
          {
            "timestamp": "2026-05-28 22:02:13,381",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000000",
                "pretty_value": "HKEY_CLASSES_ROOT"
              },
              {
                "name": "SubKey",
                "value": "CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_CLASSES_ROOT\\CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              }
            ],
            "repeated": 0,
            "id": 21398
          },
          {
            "timestamp": "2026-05-28 22:02:13,381",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "shell32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76730000"
              }
            ],
            "repeated": 0,
            "id": 21399
          },
          {
            "timestamp": "2026-05-28 22:02:13,381",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x7ffc76730000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "shell32.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 21400
          },
          {
            "timestamp": "2026-05-28 22:02:13,381",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "SHELL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc76730000"
              },
              {
                "name": "FunctionName",
                "value": "DllGetClassObject"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc767878f0"
              }
            ],
            "repeated": 0,
            "id": 21401
          },
          {
            "timestamp": "2026-05-28 22:02:13,381",
            "thread_id": "1276",
            "caller": "0x7ff6c28c27c9",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "synchronization",
            "api": "NtFindAtom",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "AtomName",
                "value": "{57086C23-86C6-478F-AFB2-236188C8F47F} 3"
              },
              {
                "name": "Atom",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 21402
          },
          {
            "timestamp": "2026-05-28 22:02:13,381",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000000",
                "pretty_value": "HKEY_CLASSES_ROOT"
              },
              {
                "name": "SubKey",
                "value": "CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_CLASSES_ROOT\\CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              }
            ],
            "repeated": 0,
            "id": 21403
          },
          {
            "timestamp": "2026-05-28 22:02:13,381",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "shell32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76730000"
              }
            ],
            "repeated": 0,
            "id": 21404
          },
          {
            "timestamp": "2026-05-28 22:02:13,381",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x7ffc76730000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "shell32.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 21405
          },
          {
            "timestamp": "2026-05-28 22:02:13,381",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "SHELL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc76730000"
              },
              {
                "name": "FunctionName",
                "value": "DllGetClassObject"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc767878f0"
              }
            ],
            "repeated": 0,
            "id": 21406
          },
          {
            "timestamp": "2026-05-28 22:02:13,381",
            "thread_id": "1276",
            "caller": "0x7ff6c28c27c9",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "synchronization",
            "api": "NtFindAtom",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "AtomName",
                "value": "{57086C23-86C6-478F-AFB2-236188C8F47F} 3"
              },
              {
                "name": "Atom",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 21407
          },
          {
            "timestamp": "2026-05-28 22:02:13,381",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000000",
                "pretty_value": "HKEY_CLASSES_ROOT"
              },
              {
                "name": "SubKey",
                "value": "CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_CLASSES_ROOT\\CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              }
            ],
            "repeated": 0,
            "id": 21408
          },
          {
            "timestamp": "2026-05-28 22:02:13,381",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "shell32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76730000"
              }
            ],
            "repeated": 0,
            "id": 21409
          },
          {
            "timestamp": "2026-05-28 22:02:13,381",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x7ffc76730000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "shell32.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 21410
          },
          {
            "timestamp": "2026-05-28 22:02:13,381",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "SHELL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc76730000"
              },
              {
                "name": "FunctionName",
                "value": "DllGetClassObject"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc767878f0"
              }
            ],
            "repeated": 0,
            "id": 21411
          },
          {
            "timestamp": "2026-05-28 22:02:13,381",
            "thread_id": "1276",
            "caller": "0x7ff6c28c27c9",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "synchronization",
            "api": "NtFindAtom",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "AtomName",
                "value": "{57086C23-86C6-478F-AFB2-236188C8F47F} 3"
              },
              {
                "name": "Atom",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 21412
          },
          {
            "timestamp": "2026-05-28 22:02:13,381",
            "thread_id": "1276",
            "caller": "0x7ff6c28d9322",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "oleaut32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc77330000"
              }
            ],
            "repeated": 0,
            "id": 21413
          },
          {
            "timestamp": "2026-05-28 22:02:13,381",
            "thread_id": "5448",
            "caller": "0x7ff6c28bb952",
            "parentcaller": "0x7ff6c28be837",
            "category": "windows",
            "api": "PostMessageW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "WindowHandle",
                "value": "0x00010402"
              },
              {
                "name": "Message",
                "value": "0x00000464"
              }
            ],
            "repeated": 0,
            "id": 21414
          },
          {
            "timestamp": "2026-05-28 22:02:13,381",
            "thread_id": "608",
            "caller": "0x7ff6c28d9e90",
            "parentcaller": "0x7ff6c28d9a49",
            "category": "windows",
            "api": "FindWindowW",
            "status": true,
            "return": "0x00010092",
            "arguments": [
              {
                "name": "ClassName",
                "value": "Shell_TrayWnd"
              },
              {
                "name": "WindowName",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 21415
          },
          {
            "timestamp": "2026-05-28 22:02:13,396",
            "thread_id": "2700",
            "caller": "0x7ffc77bf0e98",
            "parentcaller": "0x7ffc77c6b785",
            "category": "windows",
            "api": "PostMessageW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "WindowHandle",
                "value": "0x00010438"
              },
              {
                "name": "Message",
                "value": "0x00000400"
              }
            ],
            "repeated": 1,
            "id": 21416
          },
          {
            "timestamp": "2026-05-28 22:02:13,506",
            "thread_id": "1276",
            "caller": "0x7ffc77bf0e98",
            "parentcaller": "0x7ffc77c6b785",
            "category": "windows",
            "api": "PostMessageW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "WindowHandle",
                "value": "0x00010424"
              },
              {
                "name": "Message",
                "value": "0x00000400"
              }
            ],
            "repeated": 0,
            "id": 21417
          },
          {
            "timestamp": "2026-05-28 22:02:13,521",
            "thread_id": "1496",
            "caller": "0x7ff6c28da9db",
            "parentcaller": "0x7ff6c28d6fb1",
            "category": "misc",
            "api": "GetCursorPos",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "x",
                "value": "914"
              },
              {
                "name": "y",
                "value": "655"
              }
            ],
            "repeated": 0,
            "id": 21418
          },
          {
            "timestamp": "2026-05-28 22:02:13,521",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6fb1",
            "parentcaller": "0x7ff6c28e0076",
            "category": "system",
            "api": "NtDelayExecution",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 21419
          },
          {
            "timestamp": "2026-05-28 22:02:13,521",
            "thread_id": "1496",
            "caller": "0x7ff6c28da9db",
            "parentcaller": "0x7ff6c28d6fb1",
            "category": "misc",
            "api": "GetCursorPos",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "x",
                "value": "914"
              },
              {
                "name": "y",
                "value": "656"
              }
            ],
            "repeated": 0,
            "id": 21420
          },
          {
            "timestamp": "2026-05-28 22:02:13,521",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6f98",
            "parentcaller": "0x7ff6c28e0076",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00001016"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 21421
          },
          {
            "timestamp": "2026-05-28 22:02:13,521",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6f98",
            "parentcaller": "0x7ff6c28e0076",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00001018"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 21422
          },
          {
            "timestamp": "2026-05-28 22:02:13,521",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6fb1",
            "parentcaller": "0x7ff6c28e0076",
            "category": "system",
            "api": "NtDelayExecution",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 21423
          },
          {
            "timestamp": "2026-05-28 22:02:13,521",
            "thread_id": "1496",
            "caller": "0x7ff6c28da9db",
            "parentcaller": "0x7ff6c28d6fb1",
            "category": "misc",
            "api": "GetCursorPos",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "x",
                "value": "914"
              },
              {
                "name": "y",
                "value": "657"
              }
            ],
            "repeated": 0,
            "id": 21424
          },
          {
            "timestamp": "2026-05-28 22:02:13,521",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6f98",
            "parentcaller": "0x7ff6c28e0076",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00001016"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 21425
          },
          {
            "timestamp": "2026-05-28 22:02:13,521",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6f98",
            "parentcaller": "0x7ff6c28e0076",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00001018"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 21426
          },
          {
            "timestamp": "2026-05-28 22:02:13,521",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6fb1",
            "parentcaller": "0x7ff6c28e0076",
            "category": "system",
            "api": "NtDelayExecution",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 21427
          },
          {
            "timestamp": "2026-05-28 22:02:13,521",
            "thread_id": "1496",
            "caller": "0x7ff6c28da9db",
            "parentcaller": "0x7ff6c28d6fb1",
            "category": "misc",
            "api": "GetCursorPos",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "x",
                "value": "916"
              },
              {
                "name": "y",
                "value": "660"
              }
            ],
            "repeated": 0,
            "id": 21428
          },
          {
            "timestamp": "2026-05-28 22:02:13,521",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6f98",
            "parentcaller": "0x7ff6c28e0076",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00001016"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 21429
          },
          {
            "timestamp": "2026-05-28 22:02:13,521",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6f98",
            "parentcaller": "0x7ff6c28e0076",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00001018"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 21430
          },
          {
            "timestamp": "2026-05-28 22:02:13,521",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6fb1",
            "parentcaller": "0x7ff6c28e0076",
            "category": "system",
            "api": "NtDelayExecution",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 21431
          },
          {
            "timestamp": "2026-05-28 22:02:13,537",
            "thread_id": "1496",
            "caller": "0x7ff6c28da9db",
            "parentcaller": "0x7ff6c28d6fb1",
            "category": "misc",
            "api": "GetCursorPos",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "x",
                "value": "917"
              },
              {
                "name": "y",
                "value": "663"
              }
            ],
            "repeated": 0,
            "id": 21432
          },
          {
            "timestamp": "2026-05-28 22:02:13,537",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6f98",
            "parentcaller": "0x7ff6c28e0076",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00001016"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 21433
          },
          {
            "timestamp": "2026-05-28 22:02:13,537",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6f98",
            "parentcaller": "0x7ff6c28e0076",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00001018"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 21434
          },
          {
            "timestamp": "2026-05-28 22:02:13,537",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6fb1",
            "parentcaller": "0x7ff6c28e0076",
            "category": "system",
            "api": "NtDelayExecution",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 21435
          },
          {
            "timestamp": "2026-05-28 22:02:13,537",
            "thread_id": "1496",
            "caller": "0x7ff6c28da9db",
            "parentcaller": "0x7ff6c28d6fb1",
            "category": "misc",
            "api": "GetCursorPos",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "x",
                "value": "920"
              },
              {
                "name": "y",
                "value": "666"
              }
            ],
            "repeated": 0,
            "id": 21436
          },
          {
            "timestamp": "2026-05-28 22:02:13,537",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6f98",
            "parentcaller": "0x7ff6c28e0076",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00001016"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 21437
          },
          {
            "timestamp": "2026-05-28 22:02:13,537",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6f98",
            "parentcaller": "0x7ff6c28e0076",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00001018"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 21438
          },
          {
            "timestamp": "2026-05-28 22:02:13,537",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6fb1",
            "parentcaller": "0x7ff6c28e0076",
            "category": "system",
            "api": "NtDelayExecution",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 21439
          },
          {
            "timestamp": "2026-05-28 22:02:13,537",
            "thread_id": "1496",
            "caller": "0x7ff6c28da9db",
            "parentcaller": "0x7ff6c28d6fb1",
            "category": "misc",
            "api": "GetCursorPos",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "x",
                "value": "923"
              },
              {
                "name": "y",
                "value": "669"
              }
            ],
            "repeated": 0,
            "id": 21440
          },
          {
            "timestamp": "2026-05-28 22:02:13,537",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6f98",
            "parentcaller": "0x7ff6c28e0076",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00001016"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 21441
          },
          {
            "timestamp": "2026-05-28 22:02:13,537",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6f98",
            "parentcaller": "0x7ff6c28e0076",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00001018"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 21442
          },
          {
            "timestamp": "2026-05-28 22:02:13,537",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6fb1",
            "parentcaller": "0x7ff6c28e0076",
            "category": "system",
            "api": "NtDelayExecution",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 21443
          },
          {
            "timestamp": "2026-05-28 22:02:13,537",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6f98",
            "parentcaller": "0x7ff6c28e0076",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00001016"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 21444
          },
          {
            "timestamp": "2026-05-28 22:02:13,537",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6f98",
            "parentcaller": "0x7ff6c28e0076",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00001018"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 21445
          },
          {
            "timestamp": "2026-05-28 22:02:13,553",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6fb1",
            "parentcaller": "0x7ff6c28e0076",
            "category": "system",
            "api": "NtDelayExecution",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 2,
            "id": 21446
          },
          {
            "timestamp": "2026-05-28 22:02:13,568",
            "thread_id": "1496",
            "caller": "0x7ff6c28da9db",
            "parentcaller": "0x7ff6c28d6fb1",
            "category": "misc",
            "api": "GetCursorPos",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "x",
                "value": "962"
              },
              {
                "name": "y",
                "value": "704"
              }
            ],
            "repeated": 0,
            "id": 21447
          },
          {
            "timestamp": "2026-05-28 22:02:13,568",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6f98",
            "parentcaller": "0x7ff6c28e0076",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00001016"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 21448
          },
          {
            "timestamp": "2026-05-28 22:02:13,568",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6f98",
            "parentcaller": "0x7ff6c28e0076",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00001018"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 21449
          },
          {
            "timestamp": "2026-05-28 22:02:13,568",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6fb1",
            "parentcaller": "0x7ff6c28e0076",
            "category": "system",
            "api": "NtDelayExecution",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 21450
          },
          {
            "timestamp": "2026-05-28 22:02:13,615",
            "thread_id": "1496",
            "caller": "0x7ff6c28da9db",
            "parentcaller": "0x7ff6c28d6fb1",
            "category": "misc",
            "api": "GetCursorPos",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "x",
                "value": "1004"
              },
              {
                "name": "y",
                "value": "724"
              }
            ],
            "repeated": 0,
            "id": 21451
          },
          {
            "timestamp": "2026-05-28 22:02:13,615",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6f98",
            "parentcaller": "0x7ff6c28e0076",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00001016"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 21452
          },
          {
            "timestamp": "2026-05-28 22:02:13,615",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6f98",
            "parentcaller": "0x7ff6c28e0076",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00001018"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 21453
          },
          {
            "timestamp": "2026-05-28 22:02:13,615",
            "thread_id": "1496",
            "caller": "0x7ff6c28da9db",
            "parentcaller": "0x7ff6c28d6fb1",
            "category": "misc",
            "api": "GetCursorPos",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "x",
                "value": "1004"
              },
              {
                "name": "y",
                "value": "724"
              }
            ],
            "repeated": 0,
            "id": 21454
          },
          {
            "timestamp": "2026-05-28 22:02:13,615",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6f98",
            "parentcaller": "0x7ff6c28e0076",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00001016"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 21455
          },
          {
            "timestamp": "2026-05-28 22:02:13,615",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6f98",
            "parentcaller": "0x7ff6c28e0076",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00001018"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 21456
          },
          {
            "timestamp": "2026-05-28 22:02:13,615",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6fb1",
            "parentcaller": "0x7ff6c28e0076",
            "category": "system",
            "api": "NtDelayExecution",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 21457
          },
          {
            "timestamp": "2026-05-28 22:02:13,615",
            "thread_id": "1496",
            "caller": "0x7ff6c28da9db",
            "parentcaller": "0x7ff6c28d6fb1",
            "category": "misc",
            "api": "GetCursorPos",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "x",
                "value": "1007"
              },
              {
                "name": "y",
                "value": "725"
              }
            ],
            "repeated": 0,
            "id": 21458
          },
          {
            "timestamp": "2026-05-28 22:02:13,615",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6f98",
            "parentcaller": "0x7ff6c28e0076",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00001016"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 21459
          },
          {
            "timestamp": "2026-05-28 22:02:13,615",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6f98",
            "parentcaller": "0x7ff6c28e0076",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00001018"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 21460
          },
          {
            "timestamp": "2026-05-28 22:02:13,615",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6fb1",
            "parentcaller": "0x7ff6c28e0076",
            "category": "system",
            "api": "NtDelayExecution",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 21461
          },
          {
            "timestamp": "2026-05-28 22:02:13,615",
            "thread_id": "1496",
            "caller": "0x7ff6c28da9db",
            "parentcaller": "0x7ff6c28d6fb1",
            "category": "misc",
            "api": "GetCursorPos",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "x",
                "value": "1012"
              },
              {
                "name": "y",
                "value": "726"
              }
            ],
            "repeated": 0,
            "id": 21462
          },
          {
            "timestamp": "2026-05-28 22:02:13,615",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6f98",
            "parentcaller": "0x7ff6c28e0076",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00001016"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 21463
          },
          {
            "timestamp": "2026-05-28 22:02:13,615",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6f98",
            "parentcaller": "0x7ff6c28e0076",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00001018"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 21464
          },
          {
            "timestamp": "2026-05-28 22:02:13,615",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6fb1",
            "parentcaller": "0x7ff6c28e0076",
            "category": "system",
            "api": "NtDelayExecution",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 21465
          },
          {
            "timestamp": "2026-05-28 22:02:13,615",
            "thread_id": "1496",
            "caller": "0x7ff6c28da9db",
            "parentcaller": "0x7ff6c28d6fb1",
            "category": "misc",
            "api": "GetCursorPos",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "x",
                "value": "1013"
              },
              {
                "name": "y",
                "value": "727"
              }
            ],
            "repeated": 0,
            "id": 21466
          },
          {
            "timestamp": "2026-05-28 22:02:13,615",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6f98",
            "parentcaller": "0x7ff6c28e0076",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00001016"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 21467
          },
          {
            "timestamp": "2026-05-28 22:02:13,615",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6f98",
            "parentcaller": "0x7ff6c28e0076",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00001018"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 21468
          },
          {
            "timestamp": "2026-05-28 22:02:13,615",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6fb1",
            "parentcaller": "0x7ff6c28e0076",
            "category": "system",
            "api": "NtDelayExecution",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 21469
          },
          {
            "timestamp": "2026-05-28 22:02:13,631",
            "thread_id": "1496",
            "caller": "0x7ff6c28da9db",
            "parentcaller": "0x7ff6c28d6fb1",
            "category": "misc",
            "api": "GetCursorPos",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "x",
                "value": "1017"
              },
              {
                "name": "y",
                "value": "728"
              }
            ],
            "repeated": 0,
            "id": 21470
          },
          {
            "timestamp": "2026-05-28 22:02:13,631",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6f98",
            "parentcaller": "0x7ff6c28e0076",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00001016"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 21471
          },
          {
            "timestamp": "2026-05-28 22:02:13,631",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6f98",
            "parentcaller": "0x7ff6c28e0076",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00001018"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 21472
          },
          {
            "timestamp": "2026-05-28 22:02:13,631",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6fb1",
            "parentcaller": "0x7ff6c28e0076",
            "category": "system",
            "api": "NtDelayExecution",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 21473
          },
          {
            "timestamp": "2026-05-28 22:02:13,631",
            "thread_id": "1496",
            "caller": "0x7ff6c28da9db",
            "parentcaller": "0x7ff6c28d6fb1",
            "category": "misc",
            "api": "GetCursorPos",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "x",
                "value": "1020"
              },
              {
                "name": "y",
                "value": "729"
              }
            ],
            "repeated": 0,
            "id": 21474
          },
          {
            "timestamp": "2026-05-28 22:02:13,631",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6f98",
            "parentcaller": "0x7ff6c28e0076",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00001016"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 21475
          },
          {
            "timestamp": "2026-05-28 22:02:13,631",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6f98",
            "parentcaller": "0x7ff6c28e0076",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00001018"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 21476
          },
          {
            "timestamp": "2026-05-28 22:02:13,631",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6fb1",
            "parentcaller": "0x7ff6c28e0076",
            "category": "system",
            "api": "NtDelayExecution",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 21477
          },
          {
            "timestamp": "2026-05-28 22:02:13,631",
            "thread_id": "1496",
            "caller": "0x7ff6c28da9db",
            "parentcaller": "0x7ff6c28d6fb1",
            "category": "misc",
            "api": "GetCursorPos",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "x",
                "value": "1024"
              },
              {
                "name": "y",
                "value": "731"
              }
            ],
            "repeated": 0,
            "id": 21478
          },
          {
            "timestamp": "2026-05-28 22:02:13,631",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6f98",
            "parentcaller": "0x7ff6c28e0076",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00001016"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 21479
          },
          {
            "timestamp": "2026-05-28 22:02:13,631",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6f98",
            "parentcaller": "0x7ff6c28e0076",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00001018"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 21480
          },
          {
            "timestamp": "2026-05-28 22:02:13,631",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6fb1",
            "parentcaller": "0x7ff6c28e0076",
            "category": "system",
            "api": "NtDelayExecution",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 21481
          },
          {
            "timestamp": "2026-05-28 22:02:13,631",
            "thread_id": "1496",
            "caller": "0x7ff6c28da9db",
            "parentcaller": "0x7ff6c28d6fb1",
            "category": "misc",
            "api": "GetCursorPos",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "x",
                "value": "1028"
              },
              {
                "name": "y",
                "value": "731"
              }
            ],
            "repeated": 0,
            "id": 21482
          },
          {
            "timestamp": "2026-05-28 22:02:13,631",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6f98",
            "parentcaller": "0x7ff6c28e0076",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00001016"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 21483
          },
          {
            "timestamp": "2026-05-28 22:02:13,631",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6f98",
            "parentcaller": "0x7ff6c28e0076",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00001018"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 21484
          },
          {
            "timestamp": "2026-05-28 22:02:13,631",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6fb1",
            "parentcaller": "0x7ff6c28e0076",
            "category": "system",
            "api": "NtDelayExecution",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 21485
          },
          {
            "timestamp": "2026-05-28 22:02:13,646",
            "thread_id": "1496",
            "caller": "0x7ff6c28da9db",
            "parentcaller": "0x7ff6c28d6fb1",
            "category": "misc",
            "api": "GetCursorPos",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "x",
                "value": "1032"
              },
              {
                "name": "y",
                "value": "733"
              }
            ],
            "repeated": 0,
            "id": 21486
          },
          {
            "timestamp": "2026-05-28 22:02:13,646",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6f98",
            "parentcaller": "0x7ff6c28e0076",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00001016"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 21487
          },
          {
            "timestamp": "2026-05-28 22:02:13,646",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6f98",
            "parentcaller": "0x7ff6c28e0076",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00001018"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 21488
          },
          {
            "timestamp": "2026-05-28 22:02:13,646",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6fb1",
            "parentcaller": "0x7ff6c28e0076",
            "category": "system",
            "api": "NtDelayExecution",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 21489
          },
          {
            "timestamp": "2026-05-28 22:02:13,646",
            "thread_id": "1496",
            "caller": "0x7ff6c28da9db",
            "parentcaller": "0x7ff6c28d6fb1",
            "category": "misc",
            "api": "GetCursorPos",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "x",
                "value": "1035"
              },
              {
                "name": "y",
                "value": "735"
              }
            ],
            "repeated": 0,
            "id": 21490
          },
          {
            "timestamp": "2026-05-28 22:02:13,646",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6f98",
            "parentcaller": "0x7ff6c28e0076",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00001016"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 21491
          },
          {
            "timestamp": "2026-05-28 22:02:13,646",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6f98",
            "parentcaller": "0x7ff6c28e0076",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00001018"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 21492
          },
          {
            "timestamp": "2026-05-28 22:02:13,646",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6fb1",
            "parentcaller": "0x7ff6c28e0076",
            "category": "system",
            "api": "NtDelayExecution",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 21493
          },
          {
            "timestamp": "2026-05-28 22:02:13,646",
            "thread_id": "1496",
            "caller": "0x7ff6c28da9db",
            "parentcaller": "0x7ff6c28d6fb1",
            "category": "misc",
            "api": "GetCursorPos",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "x",
                "value": "1039"
              },
              {
                "name": "y",
                "value": "738"
              }
            ],
            "repeated": 0,
            "id": 21494
          },
          {
            "timestamp": "2026-05-28 22:02:13,646",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6f98",
            "parentcaller": "0x7ff6c28e0076",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00001016"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 21495
          },
          {
            "timestamp": "2026-05-28 22:02:13,646",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6f98",
            "parentcaller": "0x7ff6c28e0076",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00001018"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 21496
          },
          {
            "timestamp": "2026-05-28 22:02:13,646",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6fb1",
            "parentcaller": "0x7ff6c28e0076",
            "category": "system",
            "api": "NtDelayExecution",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 21497
          },
          {
            "timestamp": "2026-05-28 22:02:13,662",
            "thread_id": "1496",
            "caller": "0x7ff6c28da9db",
            "parentcaller": "0x7ff6c28d6fb1",
            "category": "misc",
            "api": "GetCursorPos",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "x",
                "value": "1042"
              },
              {
                "name": "y",
                "value": "738"
              }
            ],
            "repeated": 0,
            "id": 21498
          },
          {
            "timestamp": "2026-05-28 22:02:13,662",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6f98",
            "parentcaller": "0x7ff6c28e0076",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00001016"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 21499
          },
          {
            "timestamp": "2026-05-28 22:02:13,662",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6f98",
            "parentcaller": "0x7ff6c28e0076",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00001018"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 21500
          },
          {
            "timestamp": "2026-05-28 22:02:13,662",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6fb1",
            "parentcaller": "0x7ff6c28e0076",
            "category": "system",
            "api": "NtDelayExecution",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 21501
          },
          {
            "timestamp": "2026-05-28 22:02:13,662",
            "thread_id": "1496",
            "caller": "0x7ff6c28da9db",
            "parentcaller": "0x7ff6c28d6fb1",
            "category": "misc",
            "api": "GetCursorPos",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "x",
                "value": "1050"
              },
              {
                "name": "y",
                "value": "743"
              }
            ],
            "repeated": 0,
            "id": 21502
          },
          {
            "timestamp": "2026-05-28 22:02:13,662",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6f98",
            "parentcaller": "0x7ff6c28e0076",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00001016"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 21503
          },
          {
            "timestamp": "2026-05-28 22:02:13,662",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6f98",
            "parentcaller": "0x7ff6c28e0076",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00001018"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 21504
          },
          {
            "timestamp": "2026-05-28 22:02:13,662",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6fb1",
            "parentcaller": "0x7ff6c28e0076",
            "category": "system",
            "api": "NtDelayExecution",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 21505
          },
          {
            "timestamp": "2026-05-28 22:02:13,662",
            "thread_id": "1496",
            "caller": "0x7ff6c28da9db",
            "parentcaller": "0x7ff6c28d6fb1",
            "category": "misc",
            "api": "GetCursorPos",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "x",
                "value": "1055"
              },
              {
                "name": "y",
                "value": "746"
              }
            ],
            "repeated": 0,
            "id": 21506
          },
          {
            "timestamp": "2026-05-28 22:02:13,662",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6f98",
            "parentcaller": "0x7ff6c28e0076",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00001016"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 21507
          },
          {
            "timestamp": "2026-05-28 22:02:13,662",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6f98",
            "parentcaller": "0x7ff6c28e0076",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00001018"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 21508
          },
          {
            "timestamp": "2026-05-28 22:02:13,662",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6fb1",
            "parentcaller": "0x7ff6c28e0076",
            "category": "system",
            "api": "NtDelayExecution",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 21509
          },
          {
            "timestamp": "2026-05-28 22:02:13,662",
            "thread_id": "1496",
            "caller": "0x7ff6c28da9db",
            "parentcaller": "0x7ff6c28d6fb1",
            "category": "misc",
            "api": "GetCursorPos",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "x",
                "value": "1061"
              },
              {
                "name": "y",
                "value": "750"
              }
            ],
            "repeated": 0,
            "id": 21510
          },
          {
            "timestamp": "2026-05-28 22:02:13,662",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6f98",
            "parentcaller": "0x7ff6c28e0076",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00001016"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 21511
          },
          {
            "timestamp": "2026-05-28 22:02:13,662",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6f98",
            "parentcaller": "0x7ff6c28e0076",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00001018"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 21512
          },
          {
            "timestamp": "2026-05-28 22:02:13,662",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6fb1",
            "parentcaller": "0x7ff6c28e0076",
            "category": "system",
            "api": "NtDelayExecution",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 21513
          },
          {
            "timestamp": "2026-05-28 22:02:13,678",
            "thread_id": "1496",
            "caller": "0x7ff6c28da9db",
            "parentcaller": "0x7ff6c28d6fb1",
            "category": "misc",
            "api": "GetCursorPos",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "x",
                "value": "1068"
              },
              {
                "name": "y",
                "value": "754"
              }
            ],
            "repeated": 0,
            "id": 21514
          },
          {
            "timestamp": "2026-05-28 22:02:13,678",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6f98",
            "parentcaller": "0x7ff6c28e0076",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00001016"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 21515
          },
          {
            "timestamp": "2026-05-28 22:02:13,678",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6f98",
            "parentcaller": "0x7ff6c28e0076",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00001018"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 21516
          },
          {
            "timestamp": "2026-05-28 22:02:13,678",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6fb1",
            "parentcaller": "0x7ff6c28e0076",
            "category": "system",
            "api": "NtDelayExecution",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 2,
            "id": 21517
          },
          {
            "timestamp": "2026-05-28 22:02:13,709",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6f98",
            "parentcaller": "0x7ff6c28e0076",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00001016"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 21518
          },
          {
            "timestamp": "2026-05-28 22:02:13,709",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6f98",
            "parentcaller": "0x7ff6c28e0076",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00001018"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 21519
          },
          {
            "timestamp": "2026-05-28 22:02:14,381",
            "thread_id": "5448",
            "caller": "0x7ff6c28bd9af",
            "parentcaller": "0x7ff6c28d9f92",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "23"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x0e\\x03r_\\x00\\x00\\x00\\x00\\x98|\\xa2\\x96M\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "5448"
              }
            ],
            "repeated": 0,
            "id": 21520
          },
          {
            "timestamp": "2026-05-28 22:02:14,381",
            "thread_id": "5448",
            "caller": "0x7ff6c28c63dd",
            "parentcaller": "0x7ff6c28bac26",
            "category": "misc",
            "api": "NtQuerySystemInformation",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SystemInformationClass",
                "value": "5",
                "pretty_value": "FILE_OVERWRITE_IF"
              }
            ],
            "repeated": 0,
            "id": 21521
          },
          {
            "timestamp": "2026-05-28 22:02:14,381",
            "thread_id": "5448",
            "caller": "0x7ff6c28bda50",
            "parentcaller": "0x7ff6c28d9f92",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "23"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x08)\\xb6_\\x00\\x00\\x00\\x00\\xe0*\\xe8\\x96M\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "5448"
              }
            ],
            "repeated": 0,
            "id": 21522
          },
          {
            "timestamp": "2026-05-28 22:02:14,381",
            "thread_id": "5448",
            "caller": "0x7ff6c28bdaa2",
            "parentcaller": "0x7ff6c28d9f92",
            "category": "misc",
            "api": "NtQuerySystemInformation",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SystemInformationClass",
                "value": "3",
                "pretty_value": "FILE_OPEN_IF"
              }
            ],
            "repeated": 0,
            "id": 21523
          },
          {
            "timestamp": "2026-05-28 22:02:14,381",
            "thread_id": "5448",
            "caller": "0x7ff6c28c4a58",
            "parentcaller": "0x7ff6c28c4bdc",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000410"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\PcwDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00224013"
              },
              {
                "name": "InputBuffer",
                "value": "\\x14\\x04\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": "\\xb8\\x01\\x00\\x00\\x10\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xa8\\x01\\x00\\x00 \\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x000\\x00\\x00\\x0c\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00`\\x00\\x00\\x00\\x00\\x00\\x00\\x00 \\x00\\x00\\x00\\x04\\x00\\x00\\x000\\x00,\\x000\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x04\\x00\\x08\\x00V!\\x83\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x05\\x00\\x08\\x00\\xa8\\x01\\x87\\x01\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x1a\\x00\\x08\\x00\\xdb\\x08\\x13\\xa4\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x1b\\x00\\x04\\x00\\xc8\\x00*\\x03\\x00\\x00\\x00\\x00`\\x00\\x00\\x00\\x01\\x00\\x00\\x00 \\x00\\x00\\x00\\x04\\x00\\x00\\x000\\x00,\\x001\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x04\\x00\\x08\\x00\\x92+P\\x01\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x05\\x00\\x08\\x00v\\xb0\\x10\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x1a\\x00\\x08\\x00.3k\\xa3\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x1b\\x00\\x04\\x00\\xce\\x00*\\x03\\x00\\x00\\x00\\x00h\\x00\\x00\\x00\\x02\\x00\\x00\\x00(\\x00\\x00\\x00\\x04\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 21524
          },
          {
            "timestamp": "2026-05-28 22:02:14,381",
            "thread_id": "5448",
            "caller": "0x7ff6c28c4a58",
            "parentcaller": "0x7ff6c28c4c19",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000410"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\PcwDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00224013"
              },
              {
                "name": "InputBuffer",
                "value": "\\x18\\x04\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": "x\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00h\\x00\\x00\\x00 \\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00H\\x00\\x00\\x00\\x00\\x00\\x00\\x00(\\x00\\x00\\x00\\x02\\x00\\x00\\x00d\\x00e\\x00f\\x00a\\x00u\\x00l\\x00t\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x08\\x00\\x1b\\xfa\\xdb\\xa0\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x01\\x00\\x08\\x00\\x00^d\\x0b\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 21525
          },
          {
            "timestamp": "2026-05-28 22:02:14,381",
            "thread_id": "5448",
            "caller": "0x7ff6c28c6f7b",
            "parentcaller": "0x7ff6c28bdb94",
            "category": "misc",
            "api": "GlobalMemoryStatusEx",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "MemoryLoad",
                "value": "36"
              },
              {
                "name": "TotalPhysicalMB",
                "value": "8191"
              }
            ],
            "repeated": 0,
            "id": 21526
          },
          {
            "timestamp": "2026-05-28 22:02:14,381",
            "thread_id": "5448",
            "caller": "0x7ff6c28c05ac",
            "parentcaller": "0x7ff6c28bdc11",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000aa0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001400",
                "pretty_value": "PROCESS_QUERY_INFORMATION|PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "748"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\148.0.3967.83\\identity_helper.exe"
              }
            ],
            "repeated": 0,
            "id": 21527
          },
          {
            "timestamp": "2026-05-28 22:02:14,381",
            "thread_id": "5448",
            "caller": "0x7ff6c28c068f",
            "parentcaller": "0x7ff6c28bdc11",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000aa0"
              }
            ],
            "repeated": 0,
            "id": 21528
          },
          {
            "timestamp": "2026-05-28 22:02:14,381",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c6d7d",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000aa0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001400",
                "pretty_value": "PROCESS_QUERY_INFORMATION|PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "748"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\148.0.3967.83\\identity_helper.exe"
              }
            ],
            "repeated": 0,
            "id": 21529
          },
          {
            "timestamp": "2026-05-28 22:02:14,381",
            "thread_id": "5448",
            "caller": "0x7ff6c28c6de3",
            "parentcaller": "0x7ff6c28c087c",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000aa0"
              }
            ],
            "repeated": 0,
            "id": 21530
          },
          {
            "timestamp": "2026-05-28 22:02:14,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28c4a58",
            "parentcaller": "0x7ff6c28bab11",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000410"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\PcwDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00224013"
              },
              {
                "name": "InputBuffer",
                "value": "\\x88\\x08\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": "x\\x02\\x00\\x00\\x10\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00h\\x02\\x00\\x00 \\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01<\\x06\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x90\\x00\\x00\\x00\\x00\\x00\\x00\\x00 \\x00\\x00\\x00\\x07\\x00\\x00\\x000\\x00,\\x000\\x00\\x00\\x00a\\x00n\\x00a\\x00g\\x00\\x10\\x00\\x00\\x00\\x10\\x00\\x04\\x00\\x00\\x00\\x00\\x00A\\x00p\\x00\\x10\\x00\\x00\\x00\\x1a\\x00\\x08\\x00\\x1c`\\x13\\xa4\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x1b\\x00\\x04\\x00\\xa7\\x01*\\x03S\\x00e\\x00\\x10\\x00\\x00\\x00\\x1c\\x00\\x08\\x00\\x8b\\xc2\\xc4\\x08\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x1d\\x00\\x04\\x00\\xa7\\x01*\\x03)\\x00\\x00\\x00\\x10\\x00\\x00\\x00!\\x00\\x08\\x00$k\\xd4\\x9f\\x17\\x00\\x00\\x00\\x10\\x00\\x00\\x00\"\\x00\\x04\\x00\\xa4\\x08\\xa4\\x01o\\x00f\\x00\\x90\\x00\\x00\\x00\\x01\\x00\\x00\\x00 \\x00\\x00\\x00\\x07\\x00\\x00\\x000\\x00,\\x001\\x00\\x00\\x00n\\x00t\\x00\\x00\\x00A\\x00\\x10\\x00\\x00\\x00\\x10\\x00\\x04\\x00\\x00\\x00\\x00\\x00e\\x00n\\x00\\x10\\x00\\x00\\x00\\x1a\\x00\\x08\\x00]\\x89k\\xa3\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 21531
          },
          {
            "timestamp": "2026-05-28 22:02:14,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28c7164",
            "parentcaller": "0x7ff6c28c4d2d",
            "category": "misc",
            "api": "NtQuerySystemInformation",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "SystemInformationClass",
                "value": "79"
              }
            ],
            "repeated": 0,
            "id": 21532
          },
          {
            "timestamp": "2026-05-28 22:02:14,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28c71d8",
            "parentcaller": "0x7ff6c28c4d2d",
            "category": "misc",
            "api": "NtQuerySystemInformation",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SystemInformationClass",
                "value": "79"
              }
            ],
            "repeated": 0,
            "id": 21533
          },
          {
            "timestamp": "2026-05-28 22:02:14,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28c4d5f",
            "parentcaller": "0x7ff6c28d9152",
            "category": "misc",
            "api": "NtQuerySystemInformation",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SystemInformationClass",
                "value": "182"
              }
            ],
            "repeated": 0,
            "id": 21534
          },
          {
            "timestamp": "2026-05-28 22:02:14,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28c4d76",
            "parentcaller": "0x7ff6c28d9152",
            "category": "misc",
            "api": "GetPhysicallyInstalledSystemMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TotalMemoryInKilobytes",
                "value": "8388608"
              }
            ],
            "repeated": 0,
            "id": 21535
          },
          {
            "timestamp": "2026-05-28 22:02:14,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28bcc3e",
            "parentcaller": "0x7ff6c28baa3d",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000008a4"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\Nsi"
              },
              {
                "name": "IoControlCode",
                "value": "0x00120007"
              },
              {
                "name": "InputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb1\\xa9t\\xfc\\x7f\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xc0\\xe5O\\x9e\\xf0\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb1\\xa9t\\xfc\\x7f\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xc0\\xe5O\\x9e\\xf0\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 21536
          },
          {
            "timestamp": "2026-05-28 22:02:14,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28bcc3e",
            "parentcaller": "0x7ff6c28baa3d",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000aa0"
              }
            ],
            "repeated": 0,
            "id": 21537
          },
          {
            "timestamp": "2026-05-28 22:02:14,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28bcc3e",
            "parentcaller": "0x7ff6c28baa3d",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000008a4"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\Nsi"
              },
              {
                "name": "IoControlCode",
                "value": "0x0012000f"
              },
              {
                "name": "InputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb1\\xa9t\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xd0\\xe5O\\x9e\\xf0\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\xeeO\\x9e\\xf0\\x00\\x00\\x00D\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xe6O\\x9e\\xf0\\x00\\x00\\x00\\xd8\\x00\\x00\\x00\\x00\\x00\\x00\\x00 \\xe9O\\x9e\\xf0\\x00\\x00\\x00X\\x02\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb1\\xa9t\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xd0\\xe5O\\x9e\\xf0\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\xeeO\\x9e\\xf0\\x00\\x00\\x00D\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xe6O\\x9e\\xf0\\x00\\x00\\x00\\xd8\\x00\\x00\\x00\\x00\\x00\\x00\\x00 \\xe9O\\x9e\\xf0\\x00\\x00\\x00X\\x02\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 21538
          },
          {
            "timestamp": "2026-05-28 22:02:14,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28bcc3e",
            "parentcaller": "0x7ff6c28baa3d",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000aa0"
              }
            ],
            "repeated": 0,
            "id": 21539
          },
          {
            "timestamp": "2026-05-28 22:02:14,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28bcd3d",
            "parentcaller": "0x7ff6c28baa3d",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000aa0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0012019f",
                "pretty_value": "FILE_GENERIC_READ|FILE_GENERIC_WRITE"
              },
              {
                "name": "FileName",
                "value": "\\Device\\{4C572733-2FBA-4346-9601-F86DBA666EF2}"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 21540
          },
          {
            "timestamp": "2026-05-28 22:02:14,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28bcd94",
            "parentcaller": "0x7ff6c28baa3d",
            "category": "device",
            "api": "DeviceIoControl",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "DeviceHandle",
                "value": "0x00000aa0"
              },
              {
                "name": "IoControlCode",
                "value": "0x0017003e"
              },
              {
                "name": "InBuffer",
                "value": "\\x07\\x01\\x01\\x00\\x04\\x01\\x01\\x80\\x14\\x01\\x01\\x80\\x01\\x01\\x02\\x00\\x02\\x01\\x02\\x00\\x03\\x01\\x02\\x00\\x04\\x01\\x02\\x00\\x08\\x02\\x02\\x80\\x01\\x02\\x02\\x80\\x07\\x02\\x02\\x80\\xff\\xff\\xff\\x80\\x13\\x02\\x02\\x80\\x14\\x02\\x02\\x80\\x15\\x02\\x02\\x80\\x02\\x02\\x01\\x80"
              },
              {
                "name": "OutBuffer",
                "value": "\\x07\\x01\\x01\\x00\\x04\\x00\\x00\\x00\\x80\\x96\\x98\\x00\\x04\\x01\\x01\\x80\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x14\\x01\\x01\\x80\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x01\\x02\\x00\\x08\\x00\\x00\\x00%\\x15\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x01\\x02\\x00\\x08\\x00\\x00\\x00\\xf1l\\x00\\x00\\x00\\x00\\x00\\x00\\x03\\x01\\x02\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x04\\x01\\x02\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x08\\x02\\x02\\x80\\x08\\x00\\x00\\x00\\xecl\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x02\\x02\\x80\\x08\\x00\\x00\\x00\\xd3\\xd6S\\x00\\x00\\x00\\x00\\x00\\x07\\x02\\x02\\x80\\x08\\x00\\x00\\x00\\xdd\\xda,\\x02\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\x80\\x04\\x00\\x00\\x00P\\x00\\x00\\x00\\x13\\x02\\x02\\x80\\x04\\x00\\x00\\x00m\\x00\\x00\\x00\\x14\\x02\\x02\\x80\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x15\\x02\\x02\\x80\\x04\\x00\\x00\\x00\\x00\\x00\\x04\\x00\\x02\\x02\\x01\\x80\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 21541
          },
          {
            "timestamp": "2026-05-28 22:02:14,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28bcdab",
            "parentcaller": "0x7ff6c28baa3d",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000aa0"
              }
            ],
            "repeated": 0,
            "id": 21542
          },
          {
            "timestamp": "2026-05-28 22:02:14,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28c1a63",
            "parentcaller": "0x7ff6c28d9152",
            "category": "device",
            "api": "DeviceIoControl",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "DeviceHandle",
                "value": "0x0000089c"
              },
              {
                "name": "IoControlCode",
                "value": "0x00070020"
              },
              {
                "name": "InBuffer",
                "value": ""
              },
              {
                "name": "OutBuffer",
                "value": "\\x000\\xf6u\\x00\\x00\\x00\\x00\\x00X\\x86\t\\x00\\x00\\x00\\x00\\xf2\\xa7w \\x00\\x00\\x00\\x005{\\xb4\\x13\\x00\\x00\\x00\\x00%{\\x05 \\x00\\x00\\x00\\x00\\x13v\\x00\\x00\\xdb\\x0f\\x00\\x00\\x00\\x00\\x00\\x00\\xab\\x04\\x00\\x00*\\xd84\\xa4\\xed\\xee\\xdc\\x01\\x00\\x00\\x00\\x00P\\x00a\\x00r\\x00t\\x00m\\x00g\\x00r\\x00 \\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 21543
          },
          {
            "timestamp": "2026-05-28 22:02:14,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28ca352",
            "parentcaller": "0x7ff6c28ca1d6",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 21544
          },
          {
            "timestamp": "2026-05-28 22:02:14,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28ca352",
            "parentcaller": "0x7ff6c28ca1d6",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "0",
                "pretty_value": "ThreadBasicInformation"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x03\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb0\\x88\\x9d\\xf0\\x00\\x00\\x00\\xe8\\x1e\\x00\\x00\\x00\\x00\\x00\\x00\\x9c!\\x00\\x00\\x00\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x0b\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "8604"
              }
            ],
            "repeated": 0,
            "id": 21545
          },
          {
            "timestamp": "2026-05-28 22:02:14,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28ca352",
            "parentcaller": "0x7ff6c28ca1d6",
            "category": "system",
            "api": "GetSystemTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 1,
            "id": 21546
          },
          {
            "timestamp": "2026-05-28 22:02:14,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28ca352",
            "parentcaller": "0x7ff6c28ca1d6",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000410"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\PcwDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00224013"
              },
              {
                "name": "InputBuffer",
                "value": "\\x00\t\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": "\\xe0G\\x00\\x00\\x10\\x00\\x00\\x00\\x0c\\x00\\x00\\x00\\x00\\x00\\x00\\x00`\\x14\\x00\\x00 \\x00\\x00\\x00!\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\n\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x98\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x88\\x00\\x00\\x00\\x01\\x00\\x00\\x00p\\x00i\\x00d\\x00_\\x004\\x00_\\x00l\\x00u\\x00i\\x00d\\x00_\\x000\\x00x\\x000\\x000\\x000\\x000\\x000\\x000\\x000\\x000\\x00_\\x000\\x00x\\x000\\x000\\x000\\x000\\x006\\x001\\x006\\x00A\\x00_\\x00p\\x00h\\x00y\\x00s\\x00_\\x000\\x00_\\x00e\\x00n\\x00g\\x00_\\x000\\x00_\\x00e\\x00n\\x00g\\x00t\\x00y\\x00p\\x00e\\x00_\\x003\\x00D\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x01\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x98\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x88\\x00\\x00\\x00\\x01\\x00\\x00\\x00p\\x00i\\x00d\\x00_\\x004\\x00_\\x00l\\x00u\\x00i\\x00d\\x00_\\x000\\x00x\\x000\\x000\\x000\\x000\\x000\\x000\\x000\\x00"
              }
            ],
            "repeated": 0,
            "id": 21547
          },
          {
            "timestamp": "2026-05-28 22:02:14,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28f9829",
            "parentcaller": "0x7ff6c28d8f00",
            "category": "windows",
            "api": "PostMessageW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "WindowHandle",
                "value": "0x000203fa"
              },
              {
                "name": "Message",
                "value": "0x000004e1"
              }
            ],
            "repeated": 0,
            "id": 21548
          },
          {
            "timestamp": "2026-05-28 22:02:14,381",
            "thread_id": "1496",
            "caller": "0x7ff6c2958576",
            "parentcaller": "0x7ff6c2957a42",
            "category": "misc",
            "api": "NtQuerySystemInformation",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SystemInformationClass",
                "value": "3",
                "pretty_value": "FILE_OPEN_IF"
              }
            ],
            "repeated": 0,
            "id": 21549
          },
          {
            "timestamp": "2026-05-28 22:02:14,381",
            "thread_id": "1276",
            "caller": "0x7ff6c28d9214",
            "parentcaller": "0x00000000",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "0",
                "pretty_value": "ThreadBasicInformation"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x03\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xd0\\x87\\x9d\\xf0\\x00\\x00\\x00\\xe8\\x1e\\x00\\x00\\x00\\x00\\x00\\x00\\xfc\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\n\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "1276"
              }
            ],
            "repeated": 0,
            "id": 21550
          },
          {
            "timestamp": "2026-05-28 22:02:14,396",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000000",
                "pretty_value": "HKEY_CLASSES_ROOT"
              },
              {
                "name": "SubKey",
                "value": "CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_CLASSES_ROOT\\CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              }
            ],
            "repeated": 0,
            "id": 21551
          },
          {
            "timestamp": "2026-05-28 22:02:14,396",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "shell32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76730000"
              }
            ],
            "repeated": 0,
            "id": 21552
          },
          {
            "timestamp": "2026-05-28 22:02:14,396",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x7ffc76730000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "shell32.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 21553
          },
          {
            "timestamp": "2026-05-28 22:02:14,396",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "SHELL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc76730000"
              },
              {
                "name": "FunctionName",
                "value": "DllGetClassObject"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc767878f0"
              }
            ],
            "repeated": 0,
            "id": 21554
          },
          {
            "timestamp": "2026-05-28 22:02:14,396",
            "thread_id": "1276",
            "caller": "0x7ff6c28c27c9",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "synchronization",
            "api": "NtFindAtom",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "AtomName",
                "value": "{57086C23-86C6-478F-AFB2-236188C8F47F} 3"
              },
              {
                "name": "Atom",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 21555
          },
          {
            "timestamp": "2026-05-28 22:02:14,396",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000000",
                "pretty_value": "HKEY_CLASSES_ROOT"
              },
              {
                "name": "SubKey",
                "value": "CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_CLASSES_ROOT\\CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              }
            ],
            "repeated": 0,
            "id": 21556
          },
          {
            "timestamp": "2026-05-28 22:02:14,396",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "shell32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76730000"
              }
            ],
            "repeated": 0,
            "id": 21557
          },
          {
            "timestamp": "2026-05-28 22:02:14,396",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x7ffc76730000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "shell32.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 21558
          },
          {
            "timestamp": "2026-05-28 22:02:14,396",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "SHELL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc76730000"
              },
              {
                "name": "FunctionName",
                "value": "DllGetClassObject"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc767878f0"
              }
            ],
            "repeated": 0,
            "id": 21559
          },
          {
            "timestamp": "2026-05-28 22:02:14,396",
            "thread_id": "1276",
            "caller": "0x7ff6c28c27c9",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "synchronization",
            "api": "NtFindAtom",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "AtomName",
                "value": "{57086C23-86C6-478F-AFB2-236188C8F47F} 3"
              },
              {
                "name": "Atom",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 21560
          },
          {
            "timestamp": "2026-05-28 22:02:14,396",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6fb1",
            "parentcaller": "0x7ff6c28e0076",
            "category": "system",
            "api": "NtDelayExecution",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 21561
          },
          {
            "timestamp": "2026-05-28 22:02:14,396",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000000",
                "pretty_value": "HKEY_CLASSES_ROOT"
              },
              {
                "name": "SubKey",
                "value": "CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_CLASSES_ROOT\\CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              }
            ],
            "repeated": 0,
            "id": 21562
          },
          {
            "timestamp": "2026-05-28 22:02:14,396",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "shell32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76730000"
              }
            ],
            "repeated": 0,
            "id": 21563
          },
          {
            "timestamp": "2026-05-28 22:02:14,396",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x7ffc76730000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "shell32.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 21564
          },
          {
            "timestamp": "2026-05-28 22:02:14,396",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "SHELL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc76730000"
              },
              {
                "name": "FunctionName",
                "value": "DllGetClassObject"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc767878f0"
              }
            ],
            "repeated": 0,
            "id": 21565
          },
          {
            "timestamp": "2026-05-28 22:02:14,396",
            "thread_id": "1276",
            "caller": "0x7ff6c28c27c9",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "synchronization",
            "api": "NtFindAtom",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "AtomName",
                "value": "{57086C23-86C6-478F-AFB2-236188C8F47F} 3"
              },
              {
                "name": "Atom",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 21566
          },
          {
            "timestamp": "2026-05-28 22:02:14,396",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000000",
                "pretty_value": "HKEY_CLASSES_ROOT"
              },
              {
                "name": "SubKey",
                "value": "CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_CLASSES_ROOT\\CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              }
            ],
            "repeated": 0,
            "id": 21567
          },
          {
            "timestamp": "2026-05-28 22:02:14,396",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "shell32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76730000"
              }
            ],
            "repeated": 0,
            "id": 21568
          },
          {
            "timestamp": "2026-05-28 22:02:14,396",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x7ffc76730000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "shell32.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 21569
          },
          {
            "timestamp": "2026-05-28 22:02:14,396",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "SHELL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc76730000"
              },
              {
                "name": "FunctionName",
                "value": "DllGetClassObject"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc767878f0"
              }
            ],
            "repeated": 0,
            "id": 21570
          },
          {
            "timestamp": "2026-05-28 22:02:14,396",
            "thread_id": "1276",
            "caller": "0x7ff6c28c27c9",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "synchronization",
            "api": "NtFindAtom",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "AtomName",
                "value": "{57086C23-86C6-478F-AFB2-236188C8F47F} 3"
              },
              {
                "name": "Atom",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 21571
          },
          {
            "timestamp": "2026-05-28 22:02:14,396",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000000",
                "pretty_value": "HKEY_CLASSES_ROOT"
              },
              {
                "name": "SubKey",
                "value": "CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_CLASSES_ROOT\\CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              }
            ],
            "repeated": 0,
            "id": 21572
          },
          {
            "timestamp": "2026-05-28 22:02:14,396",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "shell32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76730000"
              }
            ],
            "repeated": 0,
            "id": 21573
          },
          {
            "timestamp": "2026-05-28 22:02:14,396",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x7ffc76730000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "shell32.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 21574
          },
          {
            "timestamp": "2026-05-28 22:02:14,396",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "SHELL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc76730000"
              },
              {
                "name": "FunctionName",
                "value": "DllGetClassObject"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc767878f0"
              }
            ],
            "repeated": 0,
            "id": 21575
          },
          {
            "timestamp": "2026-05-28 22:02:14,396",
            "thread_id": "1276",
            "caller": "0x7ff6c28c27c9",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "synchronization",
            "api": "NtFindAtom",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "AtomName",
                "value": "{57086C23-86C6-478F-AFB2-236188C8F47F} 3"
              },
              {
                "name": "Atom",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 21576
          },
          {
            "timestamp": "2026-05-28 22:02:14,396",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000000",
                "pretty_value": "HKEY_CLASSES_ROOT"
              },
              {
                "name": "SubKey",
                "value": "CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_CLASSES_ROOT\\CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              }
            ],
            "repeated": 0,
            "id": 21577
          },
          {
            "timestamp": "2026-05-28 22:02:14,396",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "shell32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76730000"
              }
            ],
            "repeated": 0,
            "id": 21578
          },
          {
            "timestamp": "2026-05-28 22:02:14,396",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x7ffc76730000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "shell32.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 21579
          },
          {
            "timestamp": "2026-05-28 22:02:14,396",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "SHELL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc76730000"
              },
              {
                "name": "FunctionName",
                "value": "DllGetClassObject"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc767878f0"
              }
            ],
            "repeated": 0,
            "id": 21580
          },
          {
            "timestamp": "2026-05-28 22:02:14,396",
            "thread_id": "1276",
            "caller": "0x7ff6c28c27c9",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "synchronization",
            "api": "NtFindAtom",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "AtomName",
                "value": "{57086C23-86C6-478F-AFB2-236188C8F47F} 3"
              },
              {
                "name": "Atom",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 21581
          },
          {
            "timestamp": "2026-05-28 22:02:14,396",
            "thread_id": "1276",
            "caller": "0x7ff6c28d9322",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "oleaut32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc77330000"
              }
            ],
            "repeated": 0,
            "id": 21582
          },
          {
            "timestamp": "2026-05-28 22:02:14,396",
            "thread_id": "5448",
            "caller": "0x7ff6c28bb952",
            "parentcaller": "0x7ff6c28be837",
            "category": "windows",
            "api": "PostMessageW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "WindowHandle",
                "value": "0x00010402"
              },
              {
                "name": "Message",
                "value": "0x00000464"
              }
            ],
            "repeated": 0,
            "id": 21583
          },
          {
            "timestamp": "2026-05-28 22:02:14,396",
            "thread_id": "608",
            "caller": "0x7ffc767aa933",
            "parentcaller": "0x7ff6c28d9e90",
            "category": "windows",
            "api": "FindWindowW",
            "status": true,
            "return": "0x00010092",
            "arguments": [
              {
                "name": "ClassName",
                "value": "Shell_TrayWnd"
              },
              {
                "name": "WindowName",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 21584
          },
          {
            "timestamp": "2026-05-28 22:02:14,396",
            "thread_id": "2700",
            "caller": "0x7ffc77bf0e98",
            "parentcaller": "0x7ffc77c6b785",
            "category": "windows",
            "api": "PostMessageW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "WindowHandle",
                "value": "0x00010438"
              },
              {
                "name": "Message",
                "value": "0x00000400"
              }
            ],
            "repeated": 0,
            "id": 21585
          },
          {
            "timestamp": "2026-05-28 22:02:14,568",
            "thread_id": "1276",
            "caller": "0x7ffc77bf0e98",
            "parentcaller": "0x7ffc77c6b785",
            "category": "windows",
            "api": "PostMessageW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "WindowHandle",
                "value": "0x00010424"
              },
              {
                "name": "Message",
                "value": "0x00000400"
              }
            ],
            "repeated": 0,
            "id": 21586
          },
          {
            "timestamp": "2026-05-28 22:02:15,381",
            "thread_id": "5448",
            "caller": "0x7ff6c28bd9af",
            "parentcaller": "0x7ff6c28d9f92",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "23"
              },
              {
                "name": "ThreadInformation",
                "value": " k\\xd5_\\x00\\x00\\x00\\x00\\xa6\\x1eppN\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "5448"
              }
            ],
            "repeated": 0,
            "id": 21587
          },
          {
            "timestamp": "2026-05-28 22:02:15,381",
            "thread_id": "5448",
            "caller": "0x7ff6c28c63dd",
            "parentcaller": "0x7ff6c28bac26",
            "category": "misc",
            "api": "NtQuerySystemInformation",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SystemInformationClass",
                "value": "5",
                "pretty_value": "FILE_OVERWRITE_IF"
              }
            ],
            "repeated": 0,
            "id": 21588
          },
          {
            "timestamp": "2026-05-28 22:02:15,381",
            "thread_id": "5448",
            "caller": "0x7ff6c28bda50",
            "parentcaller": "0x7ff6c28d9f92",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "23"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x0c&%`\\x00\\x00\\x00\\x00\\xf8.\\xc5pN\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "5448"
              }
            ],
            "repeated": 0,
            "id": 21589
          },
          {
            "timestamp": "2026-05-28 22:02:15,381",
            "thread_id": "5448",
            "caller": "0x7ff6c28bdaa2",
            "parentcaller": "0x7ff6c28d9f92",
            "category": "misc",
            "api": "NtQuerySystemInformation",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SystemInformationClass",
                "value": "3",
                "pretty_value": "FILE_OPEN_IF"
              }
            ],
            "repeated": 0,
            "id": 21590
          },
          {
            "timestamp": "2026-05-28 22:02:15,381",
            "thread_id": "5448",
            "caller": "0x7ff6c28c4a58",
            "parentcaller": "0x7ff6c28c4bdc",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000410"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\PcwDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00224013"
              },
              {
                "name": "InputBuffer",
                "value": "\\x14\\x04\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": "\\xb8\\x01\\x00\\x00\\x10\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xa8\\x01\\x00\\x00 \\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x000\\x00\\x00\\x0c\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00`\\x00\\x00\\x00\\x00\\x00\\x00\\x00 \\x00\\x00\\x00\\x04\\x00\\x00\\x000\\x00,\\x000\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x04\\x00\\x08\\x00V!\\x83\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x05\\x00\\x08\\x00\\xa8\\x01\\x87\\x01\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x1a\\x00\\x08\\x00LQ\\x13\\xa7\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x1b\\x00\\x04\\x00~u3\\x03\\x00\\x00\\x00\\x00`\\x00\\x00\\x00\\x01\\x00\\x00\\x00 \\x00\\x00\\x00\\x04\\x00\\x00\\x000\\x00,\\x001\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x04\\x00\\x08\\x00\\xec\\x8dR\\x01\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x05\\x00\\x08\\x00v\\xb0\\x10\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x1a\\x00\\x08\\x00\\xb8,\\xcf\\xa6\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x1b\\x00\\x04\\x00\\x83u3\\x03\\x00\\x00\\x00\\x00h\\x00\\x00\\x00\\x02\\x00\\x00\\x00(\\x00\\x00\\x00\\x04\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 21591
          },
          {
            "timestamp": "2026-05-28 22:02:15,381",
            "thread_id": "5448",
            "caller": "0x7ff6c28c4a58",
            "parentcaller": "0x7ff6c28c4c19",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000410"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\PcwDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00224013"
              },
              {
                "name": "InputBuffer",
                "value": "\\x18\\x04\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": "x\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00h\\x00\\x00\\x00 \\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00H\\x00\\x00\\x00\\x00\\x00\\x00\\x00(\\x00\\x00\\x00\\x02\\x00\\x00\\x00d\\x00e\\x00f\\x00a\\x00u\\x00l\\x00t\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x08\\x00\\x1b>\\xe6\\xa0\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x01\\x00\\x08\\x00\\x00\\xe6\\x90\\x0b\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 21592
          },
          {
            "timestamp": "2026-05-28 22:02:15,381",
            "thread_id": "5448",
            "caller": "0x7ff6c28c6f7b",
            "parentcaller": "0x7ff6c28bdb94",
            "category": "misc",
            "api": "GlobalMemoryStatusEx",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "MemoryLoad",
                "value": "36"
              },
              {
                "name": "TotalPhysicalMB",
                "value": "8191"
              }
            ],
            "repeated": 0,
            "id": 21593
          },
          {
            "timestamp": "2026-05-28 22:02:15,381",
            "thread_id": "5448",
            "caller": "0x7ff6c28c05ac",
            "parentcaller": "0x7ff6c28bdc11",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000aa0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001400",
                "pretty_value": "PROCESS_QUERY_INFORMATION|PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "748"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\148.0.3967.83\\identity_helper.exe"
              }
            ],
            "repeated": 0,
            "id": 21594
          },
          {
            "timestamp": "2026-05-28 22:02:15,381",
            "thread_id": "5448",
            "caller": "0x7ff6c28c068f",
            "parentcaller": "0x7ff6c28bdc11",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000aa0"
              }
            ],
            "repeated": 0,
            "id": 21595
          },
          {
            "timestamp": "2026-05-28 22:02:15,381",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c6d7d",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000aa0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001400",
                "pretty_value": "PROCESS_QUERY_INFORMATION|PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "748"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\148.0.3967.83\\identity_helper.exe"
              }
            ],
            "repeated": 0,
            "id": 21596
          },
          {
            "timestamp": "2026-05-28 22:02:15,381",
            "thread_id": "5448",
            "caller": "0x7ff6c28c6de3",
            "parentcaller": "0x7ff6c28c087c",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000aa0"
              }
            ],
            "repeated": 0,
            "id": 21597
          },
          {
            "timestamp": "2026-05-28 22:02:15,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28c4a58",
            "parentcaller": "0x7ff6c28bab11",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000410"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\PcwDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00224013"
              },
              {
                "name": "InputBuffer",
                "value": "\\x88\\x08\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": "x\\x02\\x00\\x00\\x10\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00h\\x02\\x00\\x00 \\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01<\\x06\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x90\\x00\\x00\\x00\\x00\\x00\\x00\\x00 \\x00\\x00\\x00\\x07\\x00\\x00\\x000\\x00,\\x000\\x00\\x00\\x00a\\x00n\\x00a\\x00g\\x00\\x10\\x00\\x00\\x00\\x10\\x00\\x04\\x00\\x00\\x00\\x00\\x00A\\x00p\\x00\\x10\\x00\\x00\\x00\\x1a\\x00\\x08\\x00\\xc0\\xcf\\x11\\xa7\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x1b\\x00\\x04\\x00\\xa3q3\\x03S\\x00e\\x00\\x10\\x00\\x00\\x00\\x1c\\x00\\x08\\x00\\x8b\\xc2\\xc4\\x08\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x1d\\x00\\x04\\x00\\xa3q3\\x03)\\x00\\x00\\x00\\x10\\x00\\x00\\x00!\\x00\\x08\\x00\\xd0@/\\x0e\\x18\\x00\\x00\\x00\\x10\\x00\\x00\\x00\"\\x00\\x04\\x00\\xb8\\xb2\\xab\\x01o\\x00f\\x00\\x90\\x00\\x00\\x00\\x01\\x00\\x00\\x00 \\x00\\x00\\x00\\x07\\x00\\x00\\x000\\x00,\\x001\\x00\\x00\\x00n\\x00t\\x00\\x00\\x00A\\x00\\x10\\x00\\x00\\x00\\x10\\x00\\x04\\x00\\x00\\x00\\x00\\x00e\\x00n\\x00\\x10\\x00\\x00\\x00\\x1a\\x00\\x08\\x00d\\x84\\xcf\\xa6\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 21598
          },
          {
            "timestamp": "2026-05-28 22:02:15,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28c7164",
            "parentcaller": "0x7ff6c28c4d2d",
            "category": "misc",
            "api": "NtQuerySystemInformation",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "SystemInformationClass",
                "value": "79"
              }
            ],
            "repeated": 0,
            "id": 21599
          },
          {
            "timestamp": "2026-05-28 22:02:15,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28c71d8",
            "parentcaller": "0x7ff6c28c4d2d",
            "category": "misc",
            "api": "NtQuerySystemInformation",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SystemInformationClass",
                "value": "79"
              }
            ],
            "repeated": 0,
            "id": 21600
          },
          {
            "timestamp": "2026-05-28 22:02:15,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28c4d5f",
            "parentcaller": "0x7ff6c28d9152",
            "category": "misc",
            "api": "NtQuerySystemInformation",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SystemInformationClass",
                "value": "182"
              }
            ],
            "repeated": 0,
            "id": 21601
          },
          {
            "timestamp": "2026-05-28 22:02:15,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28c4d76",
            "parentcaller": "0x7ff6c28d9152",
            "category": "misc",
            "api": "GetPhysicallyInstalledSystemMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TotalMemoryInKilobytes",
                "value": "8388608"
              }
            ],
            "repeated": 0,
            "id": 21602
          },
          {
            "timestamp": "2026-05-28 22:02:15,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28bcc3e",
            "parentcaller": "0x7ff6c28baa3d",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000008a4"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\Nsi"
              },
              {
                "name": "IoControlCode",
                "value": "0x00120007"
              },
              {
                "name": "InputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb1\\xa9t\\xfc\\x7f\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xc0\\xe5O\\x9e\\xf0\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb1\\xa9t\\xfc\\x7f\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xc0\\xe5O\\x9e\\xf0\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 21603
          },
          {
            "timestamp": "2026-05-28 22:02:15,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28bcc3e",
            "parentcaller": "0x7ff6c28baa3d",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000aa0"
              }
            ],
            "repeated": 0,
            "id": 21604
          },
          {
            "timestamp": "2026-05-28 22:02:15,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28bcc3e",
            "parentcaller": "0x7ff6c28baa3d",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000008a4"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\Nsi"
              },
              {
                "name": "IoControlCode",
                "value": "0x0012000f"
              },
              {
                "name": "InputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb1\\xa9t\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xd0\\xe5O\\x9e\\xf0\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\xeeO\\x9e\\xf0\\x00\\x00\\x00D\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xe6O\\x9e\\xf0\\x00\\x00\\x00\\xd8\\x00\\x00\\x00\\x00\\x00\\x00\\x00 \\xe9O\\x9e\\xf0\\x00\\x00\\x00X\\x02\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb1\\xa9t\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xd0\\xe5O\\x9e\\xf0\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\xeeO\\x9e\\xf0\\x00\\x00\\x00D\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xe6O\\x9e\\xf0\\x00\\x00\\x00\\xd8\\x00\\x00\\x00\\x00\\x00\\x00\\x00 \\xe9O\\x9e\\xf0\\x00\\x00\\x00X\\x02\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 21605
          },
          {
            "timestamp": "2026-05-28 22:02:15,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28bcc3e",
            "parentcaller": "0x7ff6c28baa3d",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000aa0"
              }
            ],
            "repeated": 0,
            "id": 21606
          },
          {
            "timestamp": "2026-05-28 22:02:15,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28bcd3d",
            "parentcaller": "0x7ff6c28baa3d",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000aa0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0012019f",
                "pretty_value": "FILE_GENERIC_READ|FILE_GENERIC_WRITE"
              },
              {
                "name": "FileName",
                "value": "\\Device\\{4C572733-2FBA-4346-9601-F86DBA666EF2}"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 21607
          },
          {
            "timestamp": "2026-05-28 22:02:15,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28bcd94",
            "parentcaller": "0x7ff6c28baa3d",
            "category": "device",
            "api": "DeviceIoControl",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "DeviceHandle",
                "value": "0x00000aa0"
              },
              {
                "name": "IoControlCode",
                "value": "0x0017003e"
              },
              {
                "name": "InBuffer",
                "value": "\\x07\\x01\\x01\\x00\\x04\\x01\\x01\\x80\\x14\\x01\\x01\\x80\\x01\\x01\\x02\\x00\\x02\\x01\\x02\\x00\\x03\\x01\\x02\\x00\\x04\\x01\\x02\\x00\\x08\\x02\\x02\\x80\\x01\\x02\\x02\\x80\\x07\\x02\\x02\\x80\\xff\\xff\\xff\\x80\\x13\\x02\\x02\\x80\\x14\\x02\\x02\\x80\\x15\\x02\\x02\\x80\\x02\\x02\\x01\\x80"
              },
              {
                "name": "OutBuffer",
                "value": "\\x07\\x01\\x01\\x00\\x04\\x00\\x00\\x00\\x80\\x96\\x98\\x00\\x04\\x01\\x01\\x80\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x14\\x01\\x01\\x80\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x01\\x02\\x00\\x08\\x00\\x00\\x00>\\x15\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x01\\x02\\x00\\x08\\x00\\x00\\x00\\x07m\\x00\\x00\\x00\\x00\\x00\\x00\\x03\\x01\\x02\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x04\\x01\\x02\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x08\\x02\\x02\\x80\\x08\\x00\\x00\\x00\\x02m\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x02\\x02\\x80\\x08\\x00\\x00\\x00\\xe6\\xd5T\\x00\\x00\\x00\\x00\\x00\\x07\\x02\\x02\\x80\\x08\\x00\\x00\\x00\\xd5\\xe0,\\x02\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\x80\\x04\\x00\\x00\\x00Q\\x00\\x00\\x00\\x13\\x02\\x02\\x80\\x04\\x00\\x00\\x00m\\x00\\x00\\x00\\x14\\x02\\x02\\x80\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x15\\x02\\x02\\x80\\x04\\x00\\x00\\x00\\x00\\x00\\x04\\x00\\x02\\x02\\x01\\x80\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 21608
          },
          {
            "timestamp": "2026-05-28 22:02:15,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28bcdab",
            "parentcaller": "0x7ff6c28baa3d",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000aa0"
              }
            ],
            "repeated": 0,
            "id": 21609
          },
          {
            "timestamp": "2026-05-28 22:02:15,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28c1a63",
            "parentcaller": "0x7ff6c28d9152",
            "category": "device",
            "api": "DeviceIoControl",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "DeviceHandle",
                "value": "0x0000089c"
              },
              {
                "name": "IoControlCode",
                "value": "0x00070020"
              },
              {
                "name": "InBuffer",
                "value": ""
              },
              {
                "name": "OutBuffer",
                "value": "\\x00t\\x00v\\x00\\x00\\x00\\x00\\x00\\xe0\\xb2\t\\x00\\x00\\x00\\x00k\\xdf\\x80 \\x00\\x00\\x00\\x00\\x16x\\xf8\\x13\\x00\\x00\\x00\\x00\\xc0\\xd3q \\x00\\x00\\x00\\x00?v\\x00\\x001\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\xb2\\x04\\x00\\x00\\xc2'\\xcd\\xa4\\xed\\xee\\xdc\\x01\\x00\\x00\\x00\\x00P\\x00a\\x00r\\x00t\\x00m\\x00g\\x00r\\x00 \\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 21610
          },
          {
            "timestamp": "2026-05-28 22:02:15,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28ca352",
            "parentcaller": "0x7ff6c28ca1d6",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 21611
          },
          {
            "timestamp": "2026-05-28 22:02:15,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28ca352",
            "parentcaller": "0x7ff6c28ca1d6",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "0",
                "pretty_value": "ThreadBasicInformation"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x03\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb0\\x88\\x9d\\xf0\\x00\\x00\\x00\\xe8\\x1e\\x00\\x00\\x00\\x00\\x00\\x00\\x9c!\\x00\\x00\\x00\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x0b\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "8604"
              }
            ],
            "repeated": 0,
            "id": 21612
          },
          {
            "timestamp": "2026-05-28 22:02:15,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28ca352",
            "parentcaller": "0x7ff6c28ca1d6",
            "category": "system",
            "api": "GetSystemTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 1,
            "id": 21613
          },
          {
            "timestamp": "2026-05-28 22:02:15,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28ca352",
            "parentcaller": "0x7ff6c28ca1d6",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000410"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\PcwDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00224013"
              },
              {
                "name": "InputBuffer",
                "value": "\\x00\t\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": "\\xe0G\\x00\\x00\\x10\\x00\\x00\\x00\\x0c\\x00\\x00\\x00\\x00\\x00\\x00\\x00`\\x14\\x00\\x00 \\x00\\x00\\x00!\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\n\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x98\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x88\\x00\\x00\\x00\\x01\\x00\\x00\\x00p\\x00i\\x00d\\x00_\\x004\\x00_\\x00l\\x00u\\x00i\\x00d\\x00_\\x000\\x00x\\x000\\x000\\x000\\x000\\x000\\x000\\x000\\x000\\x00_\\x000\\x00x\\x000\\x000\\x000\\x000\\x006\\x001\\x006\\x00A\\x00_\\x00p\\x00h\\x00y\\x00s\\x00_\\x000\\x00_\\x00e\\x00n\\x00g\\x00_\\x000\\x00_\\x00e\\x00n\\x00g\\x00t\\x00y\\x00p\\x00e\\x00_\\x003\\x00D\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x01\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x98\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x88\\x00\\x00\\x00\\x01\\x00\\x00\\x00p\\x00i\\x00d\\x00_\\x004\\x00_\\x00l\\x00u\\x00i\\x00d\\x00_\\x000\\x00x\\x000\\x000\\x000\\x000\\x000\\x000\\x000\\x00"
              }
            ],
            "repeated": 0,
            "id": 21614
          },
          {
            "timestamp": "2026-05-28 22:02:15,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28f9829",
            "parentcaller": "0x7ff6c28d8f00",
            "category": "windows",
            "api": "PostMessageW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "WindowHandle",
                "value": "0x000203fa"
              },
              {
                "name": "Message",
                "value": "0x000004e1"
              }
            ],
            "repeated": 0,
            "id": 21615
          },
          {
            "timestamp": "2026-05-28 22:02:15,381",
            "thread_id": "1496",
            "caller": "0x7ff6c2958576",
            "parentcaller": "0x7ff6c2957a42",
            "category": "misc",
            "api": "NtQuerySystemInformation",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SystemInformationClass",
                "value": "3",
                "pretty_value": "FILE_OPEN_IF"
              }
            ],
            "repeated": 0,
            "id": 21616
          },
          {
            "timestamp": "2026-05-28 22:02:15,381",
            "thread_id": "1276",
            "caller": "0x7ff6c28d9214",
            "parentcaller": "0x00000000",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "0",
                "pretty_value": "ThreadBasicInformation"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x03\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xd0\\x87\\x9d\\xf0\\x00\\x00\\x00\\xe8\\x1e\\x00\\x00\\x00\\x00\\x00\\x00\\xfc\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\n\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "1276"
              }
            ],
            "repeated": 0,
            "id": 21617
          },
          {
            "timestamp": "2026-05-28 22:02:15,396",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000000",
                "pretty_value": "HKEY_CLASSES_ROOT"
              },
              {
                "name": "SubKey",
                "value": "CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_CLASSES_ROOT\\CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              }
            ],
            "repeated": 0,
            "id": 21618
          },
          {
            "timestamp": "2026-05-28 22:02:15,396",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "shell32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76730000"
              }
            ],
            "repeated": 0,
            "id": 21619
          },
          {
            "timestamp": "2026-05-28 22:02:15,396",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x7ffc76730000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "shell32.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 21620
          },
          {
            "timestamp": "2026-05-28 22:02:15,396",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "SHELL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc76730000"
              },
              {
                "name": "FunctionName",
                "value": "DllGetClassObject"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc767878f0"
              }
            ],
            "repeated": 0,
            "id": 21621
          },
          {
            "timestamp": "2026-05-28 22:02:15,396",
            "thread_id": "1276",
            "caller": "0x7ff6c28c27c9",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "synchronization",
            "api": "NtFindAtom",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "AtomName",
                "value": "{57086C23-86C6-478F-AFB2-236188C8F47F} 3"
              },
              {
                "name": "Atom",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 21622
          },
          {
            "timestamp": "2026-05-28 22:02:15,396",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000000",
                "pretty_value": "HKEY_CLASSES_ROOT"
              },
              {
                "name": "SubKey",
                "value": "CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_CLASSES_ROOT\\CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              }
            ],
            "repeated": 0,
            "id": 21623
          },
          {
            "timestamp": "2026-05-28 22:02:15,396",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "shell32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76730000"
              }
            ],
            "repeated": 0,
            "id": 21624
          },
          {
            "timestamp": "2026-05-28 22:02:15,396",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x7ffc76730000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "shell32.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 21625
          },
          {
            "timestamp": "2026-05-28 22:02:15,396",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "SHELL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc76730000"
              },
              {
                "name": "FunctionName",
                "value": "DllGetClassObject"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc767878f0"
              }
            ],
            "repeated": 0,
            "id": 21626
          },
          {
            "timestamp": "2026-05-28 22:02:15,396",
            "thread_id": "1276",
            "caller": "0x7ff6c28c27c9",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "synchronization",
            "api": "NtFindAtom",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "AtomName",
                "value": "{57086C23-86C6-478F-AFB2-236188C8F47F} 3"
              },
              {
                "name": "Atom",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 21627
          },
          {
            "timestamp": "2026-05-28 22:02:15,396",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6fb1",
            "parentcaller": "0x7ff6c28e0076",
            "category": "system",
            "api": "NtDelayExecution",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 21628
          },
          {
            "timestamp": "2026-05-28 22:02:15,396",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000000",
                "pretty_value": "HKEY_CLASSES_ROOT"
              },
              {
                "name": "SubKey",
                "value": "CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_CLASSES_ROOT\\CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              }
            ],
            "repeated": 0,
            "id": 21629
          },
          {
            "timestamp": "2026-05-28 22:02:15,396",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "shell32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76730000"
              }
            ],
            "repeated": 0,
            "id": 21630
          },
          {
            "timestamp": "2026-05-28 22:02:15,396",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x7ffc76730000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "shell32.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 21631
          },
          {
            "timestamp": "2026-05-28 22:02:15,396",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "SHELL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc76730000"
              },
              {
                "name": "FunctionName",
                "value": "DllGetClassObject"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc767878f0"
              }
            ],
            "repeated": 0,
            "id": 21632
          },
          {
            "timestamp": "2026-05-28 22:02:15,396",
            "thread_id": "1276",
            "caller": "0x7ff6c28c27c9",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "synchronization",
            "api": "NtFindAtom",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "AtomName",
                "value": "{57086C23-86C6-478F-AFB2-236188C8F47F} 3"
              },
              {
                "name": "Atom",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 21633
          },
          {
            "timestamp": "2026-05-28 22:02:15,396",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000000",
                "pretty_value": "HKEY_CLASSES_ROOT"
              },
              {
                "name": "SubKey",
                "value": "CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_CLASSES_ROOT\\CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              }
            ],
            "repeated": 0,
            "id": 21634
          },
          {
            "timestamp": "2026-05-28 22:02:15,396",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "shell32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76730000"
              }
            ],
            "repeated": 0,
            "id": 21635
          },
          {
            "timestamp": "2026-05-28 22:02:15,396",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x7ffc76730000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "shell32.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 21636
          },
          {
            "timestamp": "2026-05-28 22:02:15,396",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "SHELL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc76730000"
              },
              {
                "name": "FunctionName",
                "value": "DllGetClassObject"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc767878f0"
              }
            ],
            "repeated": 0,
            "id": 21637
          },
          {
            "timestamp": "2026-05-28 22:02:15,396",
            "thread_id": "1276",
            "caller": "0x7ff6c28c27c9",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "synchronization",
            "api": "NtFindAtom",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "AtomName",
                "value": "{57086C23-86C6-478F-AFB2-236188C8F47F} 3"
              },
              {
                "name": "Atom",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 21638
          },
          {
            "timestamp": "2026-05-28 22:02:15,396",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000000",
                "pretty_value": "HKEY_CLASSES_ROOT"
              },
              {
                "name": "SubKey",
                "value": "CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_CLASSES_ROOT\\CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              }
            ],
            "repeated": 0,
            "id": 21639
          },
          {
            "timestamp": "2026-05-28 22:02:15,396",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "shell32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76730000"
              }
            ],
            "repeated": 0,
            "id": 21640
          },
          {
            "timestamp": "2026-05-28 22:02:15,396",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x7ffc76730000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "shell32.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 21641
          },
          {
            "timestamp": "2026-05-28 22:02:15,396",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "SHELL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc76730000"
              },
              {
                "name": "FunctionName",
                "value": "DllGetClassObject"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc767878f0"
              }
            ],
            "repeated": 0,
            "id": 21642
          },
          {
            "timestamp": "2026-05-28 22:02:15,396",
            "thread_id": "1276",
            "caller": "0x7ff6c28c27c9",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "synchronization",
            "api": "NtFindAtom",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "AtomName",
                "value": "{57086C23-86C6-478F-AFB2-236188C8F47F} 3"
              },
              {
                "name": "Atom",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 21643
          },
          {
            "timestamp": "2026-05-28 22:02:15,396",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000000",
                "pretty_value": "HKEY_CLASSES_ROOT"
              },
              {
                "name": "SubKey",
                "value": "CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_CLASSES_ROOT\\CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              }
            ],
            "repeated": 0,
            "id": 21644
          },
          {
            "timestamp": "2026-05-28 22:02:15,396",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "shell32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76730000"
              }
            ],
            "repeated": 0,
            "id": 21645
          },
          {
            "timestamp": "2026-05-28 22:02:15,396",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x7ffc76730000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "shell32.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 21646
          },
          {
            "timestamp": "2026-05-28 22:02:15,396",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "SHELL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc76730000"
              },
              {
                "name": "FunctionName",
                "value": "DllGetClassObject"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc767878f0"
              }
            ],
            "repeated": 0,
            "id": 21647
          },
          {
            "timestamp": "2026-05-28 22:02:15,396",
            "thread_id": "1276",
            "caller": "0x7ff6c28c27c9",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "synchronization",
            "api": "NtFindAtom",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "AtomName",
                "value": "{57086C23-86C6-478F-AFB2-236188C8F47F} 3"
              },
              {
                "name": "Atom",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 21648
          },
          {
            "timestamp": "2026-05-28 22:02:15,396",
            "thread_id": "1276",
            "caller": "0x7ff6c28d9322",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "oleaut32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc77330000"
              }
            ],
            "repeated": 0,
            "id": 21649
          },
          {
            "timestamp": "2026-05-28 22:02:15,396",
            "thread_id": "5448",
            "caller": "0x7ff6c28bb952",
            "parentcaller": "0x7ff6c28be837",
            "category": "windows",
            "api": "PostMessageW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "WindowHandle",
                "value": "0x00010402"
              },
              {
                "name": "Message",
                "value": "0x00000464"
              }
            ],
            "repeated": 0,
            "id": 21650
          },
          {
            "timestamp": "2026-05-28 22:02:15,396",
            "thread_id": "608",
            "caller": "0x7ff6c28d9e90",
            "parentcaller": "0x7ff6c28d9a49",
            "category": "windows",
            "api": "FindWindowW",
            "status": true,
            "return": "0x00010092",
            "arguments": [
              {
                "name": "ClassName",
                "value": "Shell_TrayWnd"
              },
              {
                "name": "WindowName",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 21651
          },
          {
            "timestamp": "2026-05-28 22:02:15,396",
            "thread_id": "2700",
            "caller": "0x7ffc77bf0e98",
            "parentcaller": "0x7ffc77c6b785",
            "category": "windows",
            "api": "PostMessageW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "WindowHandle",
                "value": "0x00010438"
              },
              {
                "name": "Message",
                "value": "0x00000400"
              }
            ],
            "repeated": 0,
            "id": 21652
          },
          {
            "timestamp": "2026-05-28 22:02:15,490",
            "thread_id": "1276",
            "caller": "0x7ffc77bf0e98",
            "parentcaller": "0x7ffc77c6b785",
            "category": "windows",
            "api": "PostMessageW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "WindowHandle",
                "value": "0x00010424"
              },
              {
                "name": "Message",
                "value": "0x00000400"
              }
            ],
            "repeated": 0,
            "id": 21653
          },
          {
            "timestamp": "2026-05-28 22:02:16,381",
            "thread_id": "5448",
            "caller": "0x7ff6c28bd9af",
            "parentcaller": "0x7ff6c28d9f92",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "23"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x9e\\x99I`\\x00\\x00\\x00\\x00T\\x82\\x84LO\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "5448"
              }
            ],
            "repeated": 0,
            "id": 21654
          },
          {
            "timestamp": "2026-05-28 22:02:16,381",
            "thread_id": "5448",
            "caller": "0x7ff6c28c63dd",
            "parentcaller": "0x7ff6c28bac26",
            "category": "misc",
            "api": "NtQuerySystemInformation",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SystemInformationClass",
                "value": "5",
                "pretty_value": "FILE_OVERWRITE_IF"
              }
            ],
            "repeated": 0,
            "id": 21655
          },
          {
            "timestamp": "2026-05-28 22:02:16,381",
            "thread_id": "5448",
            "caller": "0x7ff6c28bda50",
            "parentcaller": "0x7ff6c28d9f92",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "23"
              },
              {
                "name": "ThreadInformation",
                "value": "4?\\x87`\\x00\\x00\\x00\\x00\\xc2\\x88\\xc5LO\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "5448"
              }
            ],
            "repeated": 0,
            "id": 21656
          },
          {
            "timestamp": "2026-05-28 22:02:16,381",
            "thread_id": "5448",
            "caller": "0x7ff6c28bdaa2",
            "parentcaller": "0x7ff6c28d9f92",
            "category": "misc",
            "api": "NtQuerySystemInformation",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SystemInformationClass",
                "value": "3",
                "pretty_value": "FILE_OPEN_IF"
              }
            ],
            "repeated": 0,
            "id": 21657
          },
          {
            "timestamp": "2026-05-28 22:02:16,381",
            "thread_id": "5448",
            "caller": "0x7ff6c28c4a58",
            "parentcaller": "0x7ff6c28c4bdc",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000410"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\PcwDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00224013"
              },
              {
                "name": "InputBuffer",
                "value": "\\x14\\x04\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": "\\xb8\\x01\\x00\\x00\\x10\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xa8\\x01\\x00\\x00 \\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x000\\x00\\x00\\x0c\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00`\\x00\\x00\\x00\\x00\\x00\\x00\\x00 \\x00\\x00\\x00\\x04\\x00\\x00\\x000\\x00,\\x000\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x04\\x00\\x08\\x00V!\\x83\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x05\\x00\\x08\\x00\\xa8\\x01\\x87\\x01\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x1a\\x00\\x08\\x00\\x9e\\xf7G\\xa9\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x1b\\x00\\x04\\x00\\xef\\x01=\\x03\\x00\\x00\\x00\\x00`\\x00\\x00\\x00\\x01\\x00\\x00\\x00 \\x00\\x00\\x00\\x04\\x00\\x00\\x000\\x00,\\x001\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x04\\x00\\x08\\x00\\xec\\x8dR\\x01\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x05\\x00\\x08\\x00v\\xb0\\x10\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x1a\\x00\\x08\\x00\\xda\\xef\\x92\\xa9\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x1b\\x00\\x04\\x00\\xf4\\x01=\\x03\\x00\\x00\\x00\\x00h\\x00\\x00\\x00\\x02\\x00\\x00\\x00(\\x00\\x00\\x00\\x04\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 21658
          },
          {
            "timestamp": "2026-05-28 22:02:16,381",
            "thread_id": "5448",
            "caller": "0x7ff6c28c4a58",
            "parentcaller": "0x7ff6c28c4c19",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000410"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\PcwDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00224013"
              },
              {
                "name": "InputBuffer",
                "value": "\\x18\\x04\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": "x\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00h\\x00\\x00\\x00 \\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00H\\x00\\x00\\x00\\x00\\x00\\x00\\x00(\\x00\\x00\\x00\\x02\\x00\\x00\\x00d\\x00e\\x00f\\x00a\\x00u\\x00l\\x00t\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x08\\x00\\x1b>\\xe7\\xa0\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x01\\x00\\x08\\x00\\x00\\x08\\xbf\\x0b\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 21659
          },
          {
            "timestamp": "2026-05-28 22:02:16,381",
            "thread_id": "5448",
            "caller": "0x7ff6c28c6f7b",
            "parentcaller": "0x7ff6c28bdb94",
            "category": "misc",
            "api": "GlobalMemoryStatusEx",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "MemoryLoad",
                "value": "36"
              },
              {
                "name": "TotalPhysicalMB",
                "value": "8191"
              }
            ],
            "repeated": 0,
            "id": 21660
          },
          {
            "timestamp": "2026-05-28 22:02:16,381",
            "thread_id": "5448",
            "caller": "0x7ff6c28c05ac",
            "parentcaller": "0x7ff6c28bdc11",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000ab0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001400",
                "pretty_value": "PROCESS_QUERY_INFORMATION|PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "748"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\148.0.3967.83\\identity_helper.exe"
              }
            ],
            "repeated": 0,
            "id": 21661
          },
          {
            "timestamp": "2026-05-28 22:02:16,381",
            "thread_id": "5448",
            "caller": "0x7ff6c28c068f",
            "parentcaller": "0x7ff6c28bdc11",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000ab0"
              }
            ],
            "repeated": 0,
            "id": 21662
          },
          {
            "timestamp": "2026-05-28 22:02:16,381",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c6d7d",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000ab0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001400",
                "pretty_value": "PROCESS_QUERY_INFORMATION|PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "748"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\148.0.3967.83\\identity_helper.exe"
              }
            ],
            "repeated": 0,
            "id": 21663
          },
          {
            "timestamp": "2026-05-28 22:02:16,381",
            "thread_id": "5448",
            "caller": "0x7ff6c28c6de3",
            "parentcaller": "0x7ff6c28c087c",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000ab0"
              }
            ],
            "repeated": 0,
            "id": 21664
          },
          {
            "timestamp": "2026-05-28 22:02:16,381",
            "thread_id": "1276",
            "caller": "0x7ff6c28d9214",
            "parentcaller": "0x00000000",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "0",
                "pretty_value": "ThreadBasicInformation"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x03\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xd0\\x87\\x9d\\xf0\\x00\\x00\\x00\\xe8\\x1e\\x00\\x00\\x00\\x00\\x00\\x00\\xfc\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x0b\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "1276"
              }
            ],
            "repeated": 0,
            "id": 21665
          },
          {
            "timestamp": "2026-05-28 22:02:16,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28c4a58",
            "parentcaller": "0x7ff6c28bab11",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000410"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\PcwDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00224013"
              },
              {
                "name": "InputBuffer",
                "value": "\\x88\\x08\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": "x\\x02\\x00\\x00\\x10\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00h\\x02\\x00\\x00 \\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01<\\x06\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x90\\x00\\x00\\x00\\x00\\x00\\x00\\x00 \\x00\\x00\\x00\\x07\\x00\\x00\\x000\\x00,\\x000\\x00\\x00\\x00a\\x00n\\x00a\\x00g\\x00\\x10\\x00\\x00\\x00\\x10\\x00\\x04\\x00\\x00\\x00\\x00\\x00A\\x00p\\x00\\x10\\x00\\x00\\x00\\x1a\\x00\\x08\\x00\\x03\\xd3F\\xa9\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x1b\\x00\\x04\\x00\\x02\\xff<\\x03S\\x00e\\x00\\x10\\x00\\x00\\x00\\x1c\\x00\\x08\\x00\\x8b\\xc2\\xc4\\x08\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x1d\\x00\\x04\\x00\\x02\\xff<\\x03)\\x00\\x00\\x00\\x10\\x00\\x00\\x00!\\x00\\x08\\x00p\\x9f\\x89_\\x18\\x00\\x00\\x00\\x10\\x00\\x00\\x00\"\\x00\\x04\\x00&Y\\xb1\\x01o\\x00f\\x00\\x90\\x00\\x00\\x00\\x01\\x00\\x00\\x00 \\x00\\x00\\x00\\x07\\x00\\x00\\x000\\x00,\\x001\\x00\\x00\\x00n\\x00t\\x00\\x00\\x00A\\x00\\x10\\x00\\x00\\x00\\x10\\x00\\x04\\x00\\x00\\x00\\x00\\x00e\\x00n\\x00\\x10\\x00\\x00\\x00\\x1a\\x00\\x08\\x00YD\\x93\\xa9\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 21666
          },
          {
            "timestamp": "2026-05-28 22:02:16,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28c7164",
            "parentcaller": "0x7ff6c28c4d2d",
            "category": "misc",
            "api": "NtQuerySystemInformation",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "SystemInformationClass",
                "value": "79"
              }
            ],
            "repeated": 0,
            "id": 21667
          },
          {
            "timestamp": "2026-05-28 22:02:16,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28c71d8",
            "parentcaller": "0x7ff6c28c4d2d",
            "category": "misc",
            "api": "NtQuerySystemInformation",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SystemInformationClass",
                "value": "79"
              }
            ],
            "repeated": 0,
            "id": 21668
          },
          {
            "timestamp": "2026-05-28 22:02:16,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28c4d5f",
            "parentcaller": "0x7ff6c28d9152",
            "category": "misc",
            "api": "NtQuerySystemInformation",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SystemInformationClass",
                "value": "182"
              }
            ],
            "repeated": 0,
            "id": 21669
          },
          {
            "timestamp": "2026-05-28 22:02:16,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28c4d76",
            "parentcaller": "0x7ff6c28d9152",
            "category": "misc",
            "api": "GetPhysicallyInstalledSystemMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TotalMemoryInKilobytes",
                "value": "8388608"
              }
            ],
            "repeated": 0,
            "id": 21670
          },
          {
            "timestamp": "2026-05-28 22:02:16,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28bcc3e",
            "parentcaller": "0x7ff6c28baa3d",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000008a4"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\Nsi"
              },
              {
                "name": "IoControlCode",
                "value": "0x00120007"
              },
              {
                "name": "InputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb1\\xa9t\\xfc\\x7f\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xc0\\xe5O\\x9e\\xf0\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb1\\xa9t\\xfc\\x7f\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xc0\\xe5O\\x9e\\xf0\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 21671
          },
          {
            "timestamp": "2026-05-28 22:02:16,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28bcc3e",
            "parentcaller": "0x7ff6c28baa3d",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000ab0"
              }
            ],
            "repeated": 0,
            "id": 21672
          },
          {
            "timestamp": "2026-05-28 22:02:16,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28bcc3e",
            "parentcaller": "0x7ff6c28baa3d",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000008a4"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\Nsi"
              },
              {
                "name": "IoControlCode",
                "value": "0x0012000f"
              },
              {
                "name": "InputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb1\\xa9t\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xd0\\xe5O\\x9e\\xf0\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\xeeO\\x9e\\xf0\\x00\\x00\\x00D\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xe6O\\x9e\\xf0\\x00\\x00\\x00\\xd8\\x00\\x00\\x00\\x00\\x00\\x00\\x00 \\xe9O\\x9e\\xf0\\x00\\x00\\x00X\\x02\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb1\\xa9t\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xd0\\xe5O\\x9e\\xf0\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\xeeO\\x9e\\xf0\\x00\\x00\\x00D\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xe6O\\x9e\\xf0\\x00\\x00\\x00\\xd8\\x00\\x00\\x00\\x00\\x00\\x00\\x00 \\xe9O\\x9e\\xf0\\x00\\x00\\x00X\\x02\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 21673
          },
          {
            "timestamp": "2026-05-28 22:02:16,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28bcc3e",
            "parentcaller": "0x7ff6c28baa3d",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000ab0"
              }
            ],
            "repeated": 0,
            "id": 21674
          },
          {
            "timestamp": "2026-05-28 22:02:16,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28bcd3d",
            "parentcaller": "0x7ff6c28baa3d",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000ab0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0012019f",
                "pretty_value": "FILE_GENERIC_READ|FILE_GENERIC_WRITE"
              },
              {
                "name": "FileName",
                "value": "\\Device\\{4C572733-2FBA-4346-9601-F86DBA666EF2}"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 21675
          },
          {
            "timestamp": "2026-05-28 22:02:16,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28bcd94",
            "parentcaller": "0x7ff6c28baa3d",
            "category": "device",
            "api": "DeviceIoControl",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "DeviceHandle",
                "value": "0x00000ab0"
              },
              {
                "name": "IoControlCode",
                "value": "0x0017003e"
              },
              {
                "name": "InBuffer",
                "value": "\\x07\\x01\\x01\\x00\\x04\\x01\\x01\\x80\\x14\\x01\\x01\\x80\\x01\\x01\\x02\\x00\\x02\\x01\\x02\\x00\\x03\\x01\\x02\\x00\\x04\\x01\\x02\\x00\\x08\\x02\\x02\\x80\\x01\\x02\\x02\\x80\\x07\\x02\\x02\\x80\\xff\\xff\\xff\\x80\\x13\\x02\\x02\\x80\\x14\\x02\\x02\\x80\\x15\\x02\\x02\\x80\\x02\\x02\\x01\\x80"
              },
              {
                "name": "OutBuffer",
                "value": "\\x07\\x01\\x01\\x00\\x04\\x00\\x00\\x00\\x80\\x96\\x98\\x00\\x04\\x01\\x01\\x80\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x14\\x01\\x01\\x80\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x01\\x02\\x00\\x08\\x00\\x00\\x00C\\x15\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x01\\x02\\x00\\x08\\x00\\x00\\x00\\x0em\\x00\\x00\\x00\\x00\\x00\\x00\\x03\\x01\\x02\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x04\\x01\\x02\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x08\\x02\\x02\\x80\\x08\\x00\\x00\\x00\tm\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x02\\x02\\x80\\x08\\x00\\x00\\x00\\xb4\\xd7T\\x00\\x00\\x00\\x00\\x00\\x07\\x02\\x02\\x80\\x08\\x00\\x00\\x00%\\xe3,\\x02\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\x80\\x04\\x00\\x00\\x00R\\x00\\x00\\x00\\x13\\x02\\x02\\x80\\x04\\x00\\x00\\x00m\\x00\\x00\\x00\\x14\\x02\\x02\\x80\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x15\\x02\\x02\\x80\\x04\\x00\\x00\\x00\\x00\\x00\\x04\\x00\\x02\\x02\\x01\\x80\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 21676
          },
          {
            "timestamp": "2026-05-28 22:02:16,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28bcdab",
            "parentcaller": "0x7ff6c28baa3d",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000ab0"
              }
            ],
            "repeated": 0,
            "id": 21677
          },
          {
            "timestamp": "2026-05-28 22:02:16,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28c1a63",
            "parentcaller": "0x7ff6c28d9152",
            "category": "device",
            "api": "DeviceIoControl",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "DeviceHandle",
                "value": "0x0000089c"
              },
              {
                "name": "IoControlCode",
                "value": "0x00070020"
              },
              {
                "name": "InBuffer",
                "value": ""
              },
              {
                "name": "OutBuffer",
                "value": "\\x00t\\x01v\\x00\\x00\\x00\\x00\\x00\\x02\\xe1\t\\x00\\x00\\x00\\x00\\x08\\xed\\x80 \\x00\\x00\\x00\\x00m\\xbc\\x18\\x14\\x00\\x00\\x00\\x00\\x9a\\xd8\\xf0 \\x00\\x00\\x00\\x00Bv\\x00\\x00@\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\xb9\\x04\\x00\\x00\\x7f\\xe5e\\xa5\\xed\\xee\\xdc\\x01\\x00\\x00\\x00\\x00P\\x00a\\x00r\\x00t\\x00m\\x00g\\x00r\\x00 \\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 21678
          },
          {
            "timestamp": "2026-05-28 22:02:16,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28ca352",
            "parentcaller": "0x7ff6c28ca1d6",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 21679
          },
          {
            "timestamp": "2026-05-28 22:02:16,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28ca352",
            "parentcaller": "0x7ff6c28ca1d6",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "0",
                "pretty_value": "ThreadBasicInformation"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x03\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb0\\x88\\x9d\\xf0\\x00\\x00\\x00\\xe8\\x1e\\x00\\x00\\x00\\x00\\x00\\x00\\x9c!\\x00\\x00\\x00\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x0b\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "8604"
              }
            ],
            "repeated": 0,
            "id": 21680
          },
          {
            "timestamp": "2026-05-28 22:02:16,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28ca352",
            "parentcaller": "0x7ff6c28ca1d6",
            "category": "system",
            "api": "GetSystemTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 1,
            "id": 21681
          },
          {
            "timestamp": "2026-05-28 22:02:16,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28ca352",
            "parentcaller": "0x7ff6c28ca1d6",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000410"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\PcwDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00224013"
              },
              {
                "name": "InputBuffer",
                "value": "\\x00\t\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": "\\xe0G\\x00\\x00\\x10\\x00\\x00\\x00\\x0c\\x00\\x00\\x00\\x00\\x00\\x00\\x00`\\x14\\x00\\x00 \\x00\\x00\\x00!\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\n\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x98\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x88\\x00\\x00\\x00\\x01\\x00\\x00\\x00p\\x00i\\x00d\\x00_\\x004\\x00_\\x00l\\x00u\\x00i\\x00d\\x00_\\x000\\x00x\\x000\\x000\\x000\\x000\\x000\\x000\\x000\\x000\\x00_\\x000\\x00x\\x000\\x000\\x000\\x000\\x006\\x001\\x006\\x00A\\x00_\\x00p\\x00h\\x00y\\x00s\\x00_\\x000\\x00_\\x00e\\x00n\\x00g\\x00_\\x000\\x00_\\x00e\\x00n\\x00g\\x00t\\x00y\\x00p\\x00e\\x00_\\x003\\x00D\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x01\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x98\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x88\\x00\\x00\\x00\\x01\\x00\\x00\\x00p\\x00i\\x00d\\x00_\\x004\\x00_\\x00l\\x00u\\x00i\\x00d\\x00_\\x000\\x00x\\x000\\x000\\x000\\x000\\x000\\x000\\x000\\x00"
              }
            ],
            "repeated": 0,
            "id": 21682
          },
          {
            "timestamp": "2026-05-28 22:02:16,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28f9829",
            "parentcaller": "0x7ff6c28d8f00",
            "category": "windows",
            "api": "PostMessageW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "WindowHandle",
                "value": "0x000203fa"
              },
              {
                "name": "Message",
                "value": "0x000004e1"
              }
            ],
            "repeated": 0,
            "id": 21683
          },
          {
            "timestamp": "2026-05-28 22:02:16,381",
            "thread_id": "1496",
            "caller": "0x7ff6c2958576",
            "parentcaller": "0x7ff6c2957a42",
            "category": "misc",
            "api": "NtQuerySystemInformation",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SystemInformationClass",
                "value": "3",
                "pretty_value": "FILE_OPEN_IF"
              }
            ],
            "repeated": 0,
            "id": 21684
          },
          {
            "timestamp": "2026-05-28 22:02:16,396",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000000",
                "pretty_value": "HKEY_CLASSES_ROOT"
              },
              {
                "name": "SubKey",
                "value": "CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_CLASSES_ROOT\\CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              }
            ],
            "repeated": 0,
            "id": 21685
          },
          {
            "timestamp": "2026-05-28 22:02:16,396",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "shell32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76730000"
              }
            ],
            "repeated": 0,
            "id": 21686
          },
          {
            "timestamp": "2026-05-28 22:02:16,396",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x7ffc76730000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "shell32.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 21687
          },
          {
            "timestamp": "2026-05-28 22:02:16,396",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "SHELL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc76730000"
              },
              {
                "name": "FunctionName",
                "value": "DllGetClassObject"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc767878f0"
              }
            ],
            "repeated": 0,
            "id": 21688
          },
          {
            "timestamp": "2026-05-28 22:02:16,396",
            "thread_id": "1276",
            "caller": "0x7ff6c28c27c9",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "synchronization",
            "api": "NtFindAtom",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "AtomName",
                "value": "{57086C23-86C6-478F-AFB2-236188C8F47F} 3"
              },
              {
                "name": "Atom",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 21689
          },
          {
            "timestamp": "2026-05-28 22:02:16,396",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000000",
                "pretty_value": "HKEY_CLASSES_ROOT"
              },
              {
                "name": "SubKey",
                "value": "CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_CLASSES_ROOT\\CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              }
            ],
            "repeated": 0,
            "id": 21690
          },
          {
            "timestamp": "2026-05-28 22:02:16,396",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "shell32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76730000"
              }
            ],
            "repeated": 0,
            "id": 21691
          },
          {
            "timestamp": "2026-05-28 22:02:16,396",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x7ffc76730000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "shell32.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 21692
          },
          {
            "timestamp": "2026-05-28 22:02:16,396",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "SHELL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc76730000"
              },
              {
                "name": "FunctionName",
                "value": "DllGetClassObject"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc767878f0"
              }
            ],
            "repeated": 0,
            "id": 21693
          },
          {
            "timestamp": "2026-05-28 22:02:16,396",
            "thread_id": "1276",
            "caller": "0x7ff6c28c27c9",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "synchronization",
            "api": "NtFindAtom",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "AtomName",
                "value": "{57086C23-86C6-478F-AFB2-236188C8F47F} 3"
              },
              {
                "name": "Atom",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 21694
          },
          {
            "timestamp": "2026-05-28 22:02:16,396",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6fb1",
            "parentcaller": "0x7ff6c28e0076",
            "category": "system",
            "api": "NtDelayExecution",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 21695
          },
          {
            "timestamp": "2026-05-28 22:02:16,396",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000000",
                "pretty_value": "HKEY_CLASSES_ROOT"
              },
              {
                "name": "SubKey",
                "value": "CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_CLASSES_ROOT\\CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              }
            ],
            "repeated": 0,
            "id": 21696
          },
          {
            "timestamp": "2026-05-28 22:02:16,396",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "shell32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76730000"
              }
            ],
            "repeated": 0,
            "id": 21697
          },
          {
            "timestamp": "2026-05-28 22:02:16,396",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x7ffc76730000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "shell32.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 21698
          },
          {
            "timestamp": "2026-05-28 22:02:16,396",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "SHELL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc76730000"
              },
              {
                "name": "FunctionName",
                "value": "DllGetClassObject"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc767878f0"
              }
            ],
            "repeated": 0,
            "id": 21699
          },
          {
            "timestamp": "2026-05-28 22:02:16,396",
            "thread_id": "1276",
            "caller": "0x7ff6c28c27c9",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "synchronization",
            "api": "NtFindAtom",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "AtomName",
                "value": "{57086C23-86C6-478F-AFB2-236188C8F47F} 3"
              },
              {
                "name": "Atom",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 21700
          },
          {
            "timestamp": "2026-05-28 22:02:16,396",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000000",
                "pretty_value": "HKEY_CLASSES_ROOT"
              },
              {
                "name": "SubKey",
                "value": "CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_CLASSES_ROOT\\CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              }
            ],
            "repeated": 0,
            "id": 21701
          },
          {
            "timestamp": "2026-05-28 22:02:16,396",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "shell32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76730000"
              }
            ],
            "repeated": 0,
            "id": 21702
          },
          {
            "timestamp": "2026-05-28 22:02:16,396",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x7ffc76730000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "shell32.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 21703
          },
          {
            "timestamp": "2026-05-28 22:02:16,396",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "SHELL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc76730000"
              },
              {
                "name": "FunctionName",
                "value": "DllGetClassObject"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc767878f0"
              }
            ],
            "repeated": 0,
            "id": 21704
          },
          {
            "timestamp": "2026-05-28 22:02:16,396",
            "thread_id": "1276",
            "caller": "0x7ff6c28c27c9",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "synchronization",
            "api": "NtFindAtom",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "AtomName",
                "value": "{57086C23-86C6-478F-AFB2-236188C8F47F} 3"
              },
              {
                "name": "Atom",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 21705
          },
          {
            "timestamp": "2026-05-28 22:02:16,396",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000000",
                "pretty_value": "HKEY_CLASSES_ROOT"
              },
              {
                "name": "SubKey",
                "value": "CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_CLASSES_ROOT\\CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              }
            ],
            "repeated": 0,
            "id": 21706
          },
          {
            "timestamp": "2026-05-28 22:02:16,396",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "shell32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76730000"
              }
            ],
            "repeated": 0,
            "id": 21707
          },
          {
            "timestamp": "2026-05-28 22:02:16,396",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x7ffc76730000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "shell32.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 21708
          },
          {
            "timestamp": "2026-05-28 22:02:16,396",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "SHELL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc76730000"
              },
              {
                "name": "FunctionName",
                "value": "DllGetClassObject"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc767878f0"
              }
            ],
            "repeated": 0,
            "id": 21709
          },
          {
            "timestamp": "2026-05-28 22:02:16,396",
            "thread_id": "1276",
            "caller": "0x7ff6c28c27c9",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "synchronization",
            "api": "NtFindAtom",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "AtomName",
                "value": "{57086C23-86C6-478F-AFB2-236188C8F47F} 3"
              },
              {
                "name": "Atom",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 21710
          },
          {
            "timestamp": "2026-05-28 22:02:16,396",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000000",
                "pretty_value": "HKEY_CLASSES_ROOT"
              },
              {
                "name": "SubKey",
                "value": "CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_CLASSES_ROOT\\CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              }
            ],
            "repeated": 0,
            "id": 21711
          },
          {
            "timestamp": "2026-05-28 22:02:16,396",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "shell32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76730000"
              }
            ],
            "repeated": 0,
            "id": 21712
          },
          {
            "timestamp": "2026-05-28 22:02:16,396",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x7ffc76730000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "shell32.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 21713
          },
          {
            "timestamp": "2026-05-28 22:02:16,396",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "SHELL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc76730000"
              },
              {
                "name": "FunctionName",
                "value": "DllGetClassObject"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc767878f0"
              }
            ],
            "repeated": 0,
            "id": 21714
          },
          {
            "timestamp": "2026-05-28 22:02:16,396",
            "thread_id": "1276",
            "caller": "0x7ff6c28c27c9",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "synchronization",
            "api": "NtFindAtom",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "AtomName",
                "value": "{57086C23-86C6-478F-AFB2-236188C8F47F} 3"
              },
              {
                "name": "Atom",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 21715
          },
          {
            "timestamp": "2026-05-28 22:02:16,396",
            "thread_id": "1276",
            "caller": "0x7ff6c28d9322",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "oleaut32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc77330000"
              }
            ],
            "repeated": 0,
            "id": 21716
          },
          {
            "timestamp": "2026-05-28 22:02:16,396",
            "thread_id": "5448",
            "caller": "0x7ff6c28bb952",
            "parentcaller": "0x7ff6c28be837",
            "category": "windows",
            "api": "PostMessageW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "WindowHandle",
                "value": "0x00010402"
              },
              {
                "name": "Message",
                "value": "0x00000464"
              }
            ],
            "repeated": 0,
            "id": 21717
          },
          {
            "timestamp": "2026-05-28 22:02:16,396",
            "thread_id": "608",
            "caller": "0x7ff6c28d9e90",
            "parentcaller": "0x7ff6c28d9a49",
            "category": "windows",
            "api": "FindWindowW",
            "status": true,
            "return": "0x00010092",
            "arguments": [
              {
                "name": "ClassName",
                "value": "Shell_TrayWnd"
              },
              {
                "name": "WindowName",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 21718
          },
          {
            "timestamp": "2026-05-28 22:02:16,396",
            "thread_id": "2700",
            "caller": "0x7ffc77bf0e98",
            "parentcaller": "0x7ffc77c6b785",
            "category": "windows",
            "api": "PostMessageW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "WindowHandle",
                "value": "0x00010438"
              },
              {
                "name": "Message",
                "value": "0x00000400"
              }
            ],
            "repeated": 0,
            "id": 21719
          },
          {
            "timestamp": "2026-05-28 22:02:16,506",
            "thread_id": "1276",
            "caller": "0x7ffc77bf0e98",
            "parentcaller": "0x7ffc77c6b785",
            "category": "windows",
            "api": "PostMessageW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "WindowHandle",
                "value": "0x00010424"
              },
              {
                "name": "Message",
                "value": "0x00000400"
              }
            ],
            "repeated": 0,
            "id": 21720
          },
          {
            "timestamp": "2026-05-28 22:02:17,381",
            "thread_id": "5448",
            "caller": "0x7ff6c28bd9af",
            "parentcaller": "0x7ff6c28d9f92",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "23"
              },
              {
                "name": "ThreadInformation",
                "value": "T\\x8a\\xa9`\\x00\\x00\\x00\\x00>B\\xb8'P\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "5448"
              }
            ],
            "repeated": 0,
            "id": 21721
          },
          {
            "timestamp": "2026-05-28 22:02:17,381",
            "thread_id": "5448",
            "caller": "0x7ff6c28c63dd",
            "parentcaller": "0x7ff6c28bac26",
            "category": "misc",
            "api": "NtQuerySystemInformation",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SystemInformationClass",
                "value": "5",
                "pretty_value": "SystemProcessInformation"
              }
            ],
            "repeated": 0,
            "id": 21722
          },
          {
            "timestamp": "2026-05-28 22:02:17,381",
            "thread_id": "5448",
            "caller": "0x7ff6c28bda50",
            "parentcaller": "0x7ff6c28d9f92",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "23"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x90O\\xfb`\\x00\\x00\\x00\\x00,\\x08\n(P\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "5448"
              }
            ],
            "repeated": 0,
            "id": 21723
          },
          {
            "timestamp": "2026-05-28 22:02:17,381",
            "thread_id": "5448",
            "caller": "0x7ff6c28bdaa2",
            "parentcaller": "0x7ff6c28d9f92",
            "category": "misc",
            "api": "NtQuerySystemInformation",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SystemInformationClass",
                "value": "3",
                "pretty_value": "SystemTimeOfDayInformation"
              }
            ],
            "repeated": 0,
            "id": 21724
          },
          {
            "timestamp": "2026-05-28 22:02:17,381",
            "thread_id": "5448",
            "caller": "0x7ff6c28c4a58",
            "parentcaller": "0x7ff6c28c4bdc",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000410"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\PcwDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00224013"
              },
              {
                "name": "InputBuffer",
                "value": "\\x14\\x04\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": "\\xb8\\x01\\x00\\x00\\x10\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xa8\\x01\\x00\\x00 \\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x000\\x00\\x00\\x0c\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00`\\x00\\x00\\x00\\x00\\x00\\x00\\x00 \\x00\\x00\\x00\\x04\\x00\\x00\\x000\\x00,\\x000\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x04\\x00\\x08\\x00V!\\x83\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x05\\x00\\x08\\x00\\xa8\\x01\\x87\\x01\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x1a\\x00\\x08\\x00h\\x9fy\\xab\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x1b\\x00\\x04\\x00M\\x86F\\x03\\x00\\x00\\x00\\x00`\\x00\\x00\\x00\\x01\\x00\\x00\\x00 \\x00\\x00\\x00\\x04\\x00\\x00\\x000\\x00,\\x001\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x04\\x00\\x08\\x00\\xec\\x8dR\\x01\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x05\\x00\\x08\\x00v\\xb0\\x10\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x1a\\x00\\x08\\x00\\xcb\\xe4k\\xac\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x1b\\x00\\x04\\x00S\\x86F\\x03\\x00\\x00\\x00\\x00h\\x00\\x00\\x00\\x02\\x00\\x00\\x00(\\x00\\x00\\x00\\x04\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 21725
          },
          {
            "timestamp": "2026-05-28 22:02:17,381",
            "thread_id": "5448",
            "caller": "0x7ff6c28c4a58",
            "parentcaller": "0x7ff6c28c4c19",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000410"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\PcwDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00224013"
              },
              {
                "name": "InputBuffer",
                "value": "\\x18\\x04\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": "x\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00h\\x00\\x00\\x00 \\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00H\\x00\\x00\\x00\\x00\\x00\\x00\\x00(\\x00\\x00\\x00\\x02\\x00\\x00\\x00d\\x00e\\x00f\\x00a\\x00u\\x00l\\x00t\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x08\\x00\\x1bJ\\xe7\\xa0\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x01\\x00\\x08\\x00\\x00\\xf4\\xc0\\x0b\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 21726
          },
          {
            "timestamp": "2026-05-28 22:02:17,381",
            "thread_id": "5448",
            "caller": "0x7ff6c28c6f7b",
            "parentcaller": "0x7ff6c28bdb94",
            "category": "misc",
            "api": "GlobalMemoryStatusEx",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "MemoryLoad",
                "value": "36"
              },
              {
                "name": "TotalPhysicalMB",
                "value": "8191"
              }
            ],
            "repeated": 0,
            "id": 21727
          },
          {
            "timestamp": "2026-05-28 22:02:17,381",
            "thread_id": "5448",
            "caller": "0x7ff6c28c05ac",
            "parentcaller": "0x7ff6c28bdc11",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000ab0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001400",
                "pretty_value": "PROCESS_QUERY_INFORMATION|PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "748"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\148.0.3967.83\\identity_helper.exe"
              }
            ],
            "repeated": 0,
            "id": 21728
          },
          {
            "timestamp": "2026-05-28 22:02:17,381",
            "thread_id": "5448",
            "caller": "0x7ff6c28c068f",
            "parentcaller": "0x7ff6c28bdc11",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000ab0"
              }
            ],
            "repeated": 0,
            "id": 21729
          },
          {
            "timestamp": "2026-05-28 22:02:17,381",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c6d7d",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000ab0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001400",
                "pretty_value": "PROCESS_QUERY_INFORMATION|PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "748"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\148.0.3967.83\\identity_helper.exe"
              }
            ],
            "repeated": 0,
            "id": 21730
          },
          {
            "timestamp": "2026-05-28 22:02:17,381",
            "thread_id": "5448",
            "caller": "0x7ff6c28c6de3",
            "parentcaller": "0x7ff6c28c087c",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000ab0"
              }
            ],
            "repeated": 0,
            "id": 21731
          },
          {
            "timestamp": "2026-05-28 22:02:17,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28c4a58",
            "parentcaller": "0x7ff6c28bab11",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000410"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\PcwDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00224013"
              },
              {
                "name": "InputBuffer",
                "value": "\\x88\\x08\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": "x\\x02\\x00\\x00\\x10\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00h\\x02\\x00\\x00 \\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01<\\x06\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x90\\x00\\x00\\x00\\x00\\x00\\x00\\x00 \\x00\\x00\\x00\\x07\\x00\\x00\\x000\\x00,\\x000\\x00\\x00\\x00a\\x00n\\x00a\\x00g\\x00\\x10\\x00\\x00\\x00\\x10\\x00\\x04\\x00\\x00\\x00\\x00\\x00A\\x00p\\x00\\x10\\x00\\x00\\x00\\x1a\\x00\\x08\\x00\\x02\\x17z\\xab\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x1b\\x00\\x04\\x00\\x7f\\x87F\\x03S\\x00e\\x00\\x10\\x00\\x00\\x00\\x1c\\x00\\x08\\x00\\x8b\\xc2\\xc4\\x08\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x1d\\x00\\x04\\x00\\x7f\\x87F\\x03)\\x00\\x00\\x00\\x10\\x00\\x00\\x00!\\x00\\x08\\x00\\xdb\\x97\\xa3\\xb0\\x18\\x00\\x00\\x00\\x10\\x00\\x00\\x00\"\\x00\\x04\\x00\\x1c\\xfb\\xb6\\x01o\\x00f\\x00\\x90\\x00\\x00\\x00\\x01\\x00\\x00\\x00 \\x00\\x00\\x00\\x07\\x00\\x00\\x000\\x00,\\x001\\x00\\x00\\x00n\\x00t\\x00\\x00\\x00A\\x00\\x10\\x00\\x00\\x00\\x10\\x00\\x04\\x00\\x00\\x00\\x00\\x00e\\x00n\\x00\\x10\\x00\\x00\\x00\\x1a\\x00\\x08\\x00\\x91[l\\xac\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 21732
          },
          {
            "timestamp": "2026-05-28 22:02:17,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28c7164",
            "parentcaller": "0x7ff6c28c4d2d",
            "category": "misc",
            "api": "NtQuerySystemInformation",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "SystemInformationClass",
                "value": "79"
              }
            ],
            "repeated": 0,
            "id": 21733
          },
          {
            "timestamp": "2026-05-28 22:02:17,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28c71d8",
            "parentcaller": "0x7ff6c28c4d2d",
            "category": "misc",
            "api": "NtQuerySystemInformation",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SystemInformationClass",
                "value": "79"
              }
            ],
            "repeated": 0,
            "id": 21734
          },
          {
            "timestamp": "2026-05-28 22:02:17,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28c4d5f",
            "parentcaller": "0x7ff6c28d9152",
            "category": "misc",
            "api": "NtQuerySystemInformation",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SystemInformationClass",
                "value": "182"
              }
            ],
            "repeated": 0,
            "id": 21735
          },
          {
            "timestamp": "2026-05-28 22:02:17,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28c4d76",
            "parentcaller": "0x7ff6c28d9152",
            "category": "misc",
            "api": "GetPhysicallyInstalledSystemMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TotalMemoryInKilobytes",
                "value": "8388608"
              }
            ],
            "repeated": 0,
            "id": 21736
          },
          {
            "timestamp": "2026-05-28 22:02:17,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28bcc3e",
            "parentcaller": "0x7ff6c28baa3d",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000008a4"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\Nsi"
              },
              {
                "name": "IoControlCode",
                "value": "0x00120007"
              },
              {
                "name": "InputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb1\\xa9t\\xfc\\x7f\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xc0\\xe5O\\x9e\\xf0\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb1\\xa9t\\xfc\\x7f\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xc0\\xe5O\\x9e\\xf0\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 21737
          },
          {
            "timestamp": "2026-05-28 22:02:17,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28bcc3e",
            "parentcaller": "0x7ff6c28baa3d",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000ab0"
              }
            ],
            "repeated": 0,
            "id": 21738
          },
          {
            "timestamp": "2026-05-28 22:02:17,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28bcc3e",
            "parentcaller": "0x7ff6c28baa3d",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000008a4"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\Nsi"
              },
              {
                "name": "IoControlCode",
                "value": "0x0012000f"
              },
              {
                "name": "InputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb1\\xa9t\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xd0\\xe5O\\x9e\\xf0\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\xeeO\\x9e\\xf0\\x00\\x00\\x00D\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xe6O\\x9e\\xf0\\x00\\x00\\x00\\xd8\\x00\\x00\\x00\\x00\\x00\\x00\\x00 \\xe9O\\x9e\\xf0\\x00\\x00\\x00X\\x02\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb1\\xa9t\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xd0\\xe5O\\x9e\\xf0\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\xeeO\\x9e\\xf0\\x00\\x00\\x00D\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xe6O\\x9e\\xf0\\x00\\x00\\x00\\xd8\\x00\\x00\\x00\\x00\\x00\\x00\\x00 \\xe9O\\x9e\\xf0\\x00\\x00\\x00X\\x02\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 21739
          },
          {
            "timestamp": "2026-05-28 22:02:17,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28bcc3e",
            "parentcaller": "0x7ff6c28baa3d",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000ab0"
              }
            ],
            "repeated": 0,
            "id": 21740
          },
          {
            "timestamp": "2026-05-28 22:02:17,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28bcd3d",
            "parentcaller": "0x7ff6c28baa3d",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000ab0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0012019f",
                "pretty_value": "FILE_GENERIC_READ|FILE_GENERIC_WRITE"
              },
              {
                "name": "FileName",
                "value": "\\Device\\{4C572733-2FBA-4346-9601-F86DBA666EF2}"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 21741
          },
          {
            "timestamp": "2026-05-28 22:02:17,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28bcd94",
            "parentcaller": "0x7ff6c28baa3d",
            "category": "device",
            "api": "DeviceIoControl",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "DeviceHandle",
                "value": "0x00000ab0"
              },
              {
                "name": "IoControlCode",
                "value": "0x0017003e"
              },
              {
                "name": "InBuffer",
                "value": "\\x07\\x01\\x01\\x00\\x04\\x01\\x01\\x80\\x14\\x01\\x01\\x80\\x01\\x01\\x02\\x00\\x02\\x01\\x02\\x00\\x03\\x01\\x02\\x00\\x04\\x01\\x02\\x00\\x08\\x02\\x02\\x80\\x01\\x02\\x02\\x80\\x07\\x02\\x02\\x80\\xff\\xff\\xff\\x80\\x13\\x02\\x02\\x80\\x14\\x02\\x02\\x80\\x15\\x02\\x02\\x80\\x02\\x02\\x01\\x80"
              },
              {
                "name": "OutBuffer",
                "value": "\\x07\\x01\\x01\\x00\\x04\\x00\\x00\\x00\\x80\\x96\\x98\\x00\\x04\\x01\\x01\\x80\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x14\\x01\\x01\\x80\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x01\\x02\\x00\\x08\\x00\\x00\\x00d\\x15\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x01\\x02\\x00\\x08\\x00\\x00\\x00tn\\x00\\x00\\x00\\x00\\x00\\x00\\x03\\x01\\x02\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x04\\x01\\x02\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x08\\x02\\x02\\x80\\x08\\x00\\x00\\x00on\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x02\\x02\\x80\\x08\\x00\\x00\\x00\\xa8\\xe1T\\x00\\x00\\x00\\x00\\x00\\x07\\x02\\x02\\x80\\x08\\x00\\x00\\x00h\\x8f4\\x02\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\x80\\x04\\x00\\x00\\x00S\\x00\\x00\\x00\\x13\\x02\\x02\\x80\\x04\\x00\\x00\\x00m\\x00\\x00\\x00\\x14\\x02\\x02\\x80\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x15\\x02\\x02\\x80\\x04\\x00\\x00\\x00\\x00\\x00\\x04\\x00\\x02\\x02\\x01\\x80\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 21742
          },
          {
            "timestamp": "2026-05-28 22:02:17,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28bcdab",
            "parentcaller": "0x7ff6c28baa3d",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000ab0"
              }
            ],
            "repeated": 0,
            "id": 21743
          },
          {
            "timestamp": "2026-05-28 22:02:17,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28c1a63",
            "parentcaller": "0x7ff6c28d9152",
            "category": "device",
            "api": "DeviceIoControl",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "DeviceHandle",
                "value": "0x0000089c"
              },
              {
                "name": "IoControlCode",
                "value": "0x00070020"
              },
              {
                "name": "InBuffer",
                "value": ""
              },
              {
                "name": "OutBuffer",
                "value": "\\x00\\x80\\x01v\\x00\\x00\\x00\\x00\\x00\\xee\\xe2\t\\x00\\x00\\x00\\x00\\x1a`\\x81 \\x00\\x00\\x00\\x00\\x1bS\"\\x14\\x00\\x00\\x00\\x00)\\xf9}!\\x00\\x00\\x00\\x00Hv\\x00\\x00S\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\xbd\\x04\\x00\\x00G\\xc8\\xfd\\xa5\\xed\\xee\\xdc\\x01\\x00\\x00\\x00\\x00P\\x00a\\x00r\\x00t\\x00m\\x00g\\x00r\\x00 \\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 21744
          },
          {
            "timestamp": "2026-05-28 22:02:17,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28ca352",
            "parentcaller": "0x7ff6c28ca1d6",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 21745
          },
          {
            "timestamp": "2026-05-28 22:02:17,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28ca352",
            "parentcaller": "0x7ff6c28ca1d6",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "0",
                "pretty_value": "ThreadBasicInformation"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x03\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb0\\x88\\x9d\\xf0\\x00\\x00\\x00\\xe8\\x1e\\x00\\x00\\x00\\x00\\x00\\x00\\x9c!\\x00\\x00\\x00\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x0b\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "8604"
              }
            ],
            "repeated": 0,
            "id": 21746
          },
          {
            "timestamp": "2026-05-28 22:02:17,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28ca352",
            "parentcaller": "0x7ff6c28ca1d6",
            "category": "system",
            "api": "GetSystemTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 1,
            "id": 21747
          },
          {
            "timestamp": "2026-05-28 22:02:17,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28ca352",
            "parentcaller": "0x7ff6c28ca1d6",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000410"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\PcwDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00224013"
              },
              {
                "name": "InputBuffer",
                "value": "\\x00\t\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": "\\xe0G\\x00\\x00\\x10\\x00\\x00\\x00\\x0c\\x00\\x00\\x00\\x00\\x00\\x00\\x00`\\x14\\x00\\x00 \\x00\\x00\\x00!\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\n\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x98\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x88\\x00\\x00\\x00\\x01\\x00\\x00\\x00p\\x00i\\x00d\\x00_\\x004\\x00_\\x00l\\x00u\\x00i\\x00d\\x00_\\x000\\x00x\\x000\\x000\\x000\\x000\\x000\\x000\\x000\\x000\\x00_\\x000\\x00x\\x000\\x000\\x000\\x000\\x006\\x001\\x006\\x00A\\x00_\\x00p\\x00h\\x00y\\x00s\\x00_\\x000\\x00_\\x00e\\x00n\\x00g\\x00_\\x000\\x00_\\x00e\\x00n\\x00g\\x00t\\x00y\\x00p\\x00e\\x00_\\x003\\x00D\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x01\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x98\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x88\\x00\\x00\\x00\\x01\\x00\\x00\\x00p\\x00i\\x00d\\x00_\\x004\\x00_\\x00l\\x00u\\x00i\\x00d\\x00_\\x000\\x00x\\x000\\x000\\x000\\x000\\x000\\x000\\x000\\x00"
              }
            ],
            "repeated": 0,
            "id": 21748
          },
          {
            "timestamp": "2026-05-28 22:02:17,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28f9829",
            "parentcaller": "0x7ff6c28d8f00",
            "category": "windows",
            "api": "PostMessageW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "WindowHandle",
                "value": "0x000203fa"
              },
              {
                "name": "Message",
                "value": "0x000004e1"
              }
            ],
            "repeated": 0,
            "id": 21749
          },
          {
            "timestamp": "2026-05-28 22:02:17,381",
            "thread_id": "1496",
            "caller": "0x7ff6c2958576",
            "parentcaller": "0x7ff6c2957a42",
            "category": "misc",
            "api": "NtQuerySystemInformation",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SystemInformationClass",
                "value": "3",
                "pretty_value": "FILE_OPEN_IF"
              }
            ],
            "repeated": 0,
            "id": 21750
          },
          {
            "timestamp": "2026-05-28 22:02:17,412",
            "thread_id": "1276",
            "caller": "0x7ff6c28d9214",
            "parentcaller": "0x00000000",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "0",
                "pretty_value": "ThreadBasicInformation"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x03\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xd0\\x87\\x9d\\xf0\\x00\\x00\\x00\\xe8\\x1e\\x00\\x00\\x00\\x00\\x00\\x00\\xfc\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\n\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "1276"
              }
            ],
            "repeated": 0,
            "id": 21751
          },
          {
            "timestamp": "2026-05-28 22:02:17,412",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000000",
                "pretty_value": "HKEY_CLASSES_ROOT"
              },
              {
                "name": "SubKey",
                "value": "CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_CLASSES_ROOT\\CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              }
            ],
            "repeated": 0,
            "id": 21752
          },
          {
            "timestamp": "2026-05-28 22:02:17,412",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "shell32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76730000"
              }
            ],
            "repeated": 0,
            "id": 21753
          },
          {
            "timestamp": "2026-05-28 22:02:17,412",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x7ffc76730000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "shell32.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 21754
          },
          {
            "timestamp": "2026-05-28 22:02:17,412",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "SHELL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc76730000"
              },
              {
                "name": "FunctionName",
                "value": "DllGetClassObject"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc767878f0"
              }
            ],
            "repeated": 0,
            "id": 21755
          },
          {
            "timestamp": "2026-05-28 22:02:17,412",
            "thread_id": "1276",
            "caller": "0x7ff6c28c27c9",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "synchronization",
            "api": "NtFindAtom",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "AtomName",
                "value": "{57086C23-86C6-478F-AFB2-236188C8F47F} 3"
              },
              {
                "name": "Atom",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 21756
          },
          {
            "timestamp": "2026-05-28 22:02:17,412",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000000",
                "pretty_value": "HKEY_CLASSES_ROOT"
              },
              {
                "name": "SubKey",
                "value": "CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_CLASSES_ROOT\\CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              }
            ],
            "repeated": 0,
            "id": 21757
          },
          {
            "timestamp": "2026-05-28 22:02:17,412",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "shell32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76730000"
              }
            ],
            "repeated": 0,
            "id": 21758
          },
          {
            "timestamp": "2026-05-28 22:02:17,412",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x7ffc76730000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "shell32.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 21759
          },
          {
            "timestamp": "2026-05-28 22:02:17,412",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "SHELL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc76730000"
              },
              {
                "name": "FunctionName",
                "value": "DllGetClassObject"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc767878f0"
              }
            ],
            "repeated": 0,
            "id": 21760
          },
          {
            "timestamp": "2026-05-28 22:02:17,412",
            "thread_id": "1276",
            "caller": "0x7ff6c28c27c9",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "synchronization",
            "api": "NtFindAtom",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "AtomName",
                "value": "{57086C23-86C6-478F-AFB2-236188C8F47F} 3"
              },
              {
                "name": "Atom",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 21761
          },
          {
            "timestamp": "2026-05-28 22:02:17,412",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6fb1",
            "parentcaller": "0x7ff6c28e0076",
            "category": "system",
            "api": "NtDelayExecution",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 21762
          },
          {
            "timestamp": "2026-05-28 22:02:17,412",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000000",
                "pretty_value": "HKEY_CLASSES_ROOT"
              },
              {
                "name": "SubKey",
                "value": "CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_CLASSES_ROOT\\CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              }
            ],
            "repeated": 0,
            "id": 21763
          },
          {
            "timestamp": "2026-05-28 22:02:17,412",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "shell32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76730000"
              }
            ],
            "repeated": 0,
            "id": 21764
          },
          {
            "timestamp": "2026-05-28 22:02:17,412",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x7ffc76730000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "shell32.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 21765
          },
          {
            "timestamp": "2026-05-28 22:02:17,412",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "SHELL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc76730000"
              },
              {
                "name": "FunctionName",
                "value": "DllGetClassObject"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc767878f0"
              }
            ],
            "repeated": 0,
            "id": 21766
          },
          {
            "timestamp": "2026-05-28 22:02:17,412",
            "thread_id": "1276",
            "caller": "0x7ff6c28c27c9",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "synchronization",
            "api": "NtFindAtom",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "AtomName",
                "value": "{57086C23-86C6-478F-AFB2-236188C8F47F} 3"
              },
              {
                "name": "Atom",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 21767
          },
          {
            "timestamp": "2026-05-28 22:02:17,412",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000000",
                "pretty_value": "HKEY_CLASSES_ROOT"
              },
              {
                "name": "SubKey",
                "value": "CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_CLASSES_ROOT\\CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              }
            ],
            "repeated": 0,
            "id": 21768
          },
          {
            "timestamp": "2026-05-28 22:02:17,412",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "shell32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76730000"
              }
            ],
            "repeated": 0,
            "id": 21769
          },
          {
            "timestamp": "2026-05-28 22:02:17,412",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x7ffc76730000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "shell32.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 21770
          },
          {
            "timestamp": "2026-05-28 22:02:17,412",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "SHELL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc76730000"
              },
              {
                "name": "FunctionName",
                "value": "DllGetClassObject"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc767878f0"
              }
            ],
            "repeated": 0,
            "id": 21771
          },
          {
            "timestamp": "2026-05-28 22:02:17,412",
            "thread_id": "1276",
            "caller": "0x7ff6c28c27c9",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "synchronization",
            "api": "NtFindAtom",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "AtomName",
                "value": "{57086C23-86C6-478F-AFB2-236188C8F47F} 3"
              },
              {
                "name": "Atom",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 21772
          },
          {
            "timestamp": "2026-05-28 22:02:17,412",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000000",
                "pretty_value": "HKEY_CLASSES_ROOT"
              },
              {
                "name": "SubKey",
                "value": "CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_CLASSES_ROOT\\CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              }
            ],
            "repeated": 0,
            "id": 21773
          },
          {
            "timestamp": "2026-05-28 22:02:17,412",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "shell32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76730000"
              }
            ],
            "repeated": 0,
            "id": 21774
          },
          {
            "timestamp": "2026-05-28 22:02:17,412",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x7ffc76730000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "shell32.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 21775
          },
          {
            "timestamp": "2026-05-28 22:02:17,412",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "SHELL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc76730000"
              },
              {
                "name": "FunctionName",
                "value": "DllGetClassObject"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc767878f0"
              }
            ],
            "repeated": 0,
            "id": 21776
          },
          {
            "timestamp": "2026-05-28 22:02:17,412",
            "thread_id": "1276",
            "caller": "0x7ff6c28c27c9",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "synchronization",
            "api": "NtFindAtom",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "AtomName",
                "value": "{57086C23-86C6-478F-AFB2-236188C8F47F} 3"
              },
              {
                "name": "Atom",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 21777
          },
          {
            "timestamp": "2026-05-28 22:02:17,412",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000000",
                "pretty_value": "HKEY_CLASSES_ROOT"
              },
              {
                "name": "SubKey",
                "value": "CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_CLASSES_ROOT\\CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              }
            ],
            "repeated": 0,
            "id": 21778
          },
          {
            "timestamp": "2026-05-28 22:02:17,412",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "shell32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76730000"
              }
            ],
            "repeated": 0,
            "id": 21779
          },
          {
            "timestamp": "2026-05-28 22:02:17,412",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x7ffc76730000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "shell32.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 21780
          },
          {
            "timestamp": "2026-05-28 22:02:17,412",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "SHELL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc76730000"
              },
              {
                "name": "FunctionName",
                "value": "DllGetClassObject"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc767878f0"
              }
            ],
            "repeated": 0,
            "id": 21781
          },
          {
            "timestamp": "2026-05-28 22:02:17,412",
            "thread_id": "1276",
            "caller": "0x7ff6c28c27c9",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "synchronization",
            "api": "NtFindAtom",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "AtomName",
                "value": "{57086C23-86C6-478F-AFB2-236188C8F47F} 3"
              },
              {
                "name": "Atom",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 21782
          },
          {
            "timestamp": "2026-05-28 22:02:17,412",
            "thread_id": "1276",
            "caller": "0x7ff6c28d9322",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "oleaut32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc77330000"
              }
            ],
            "repeated": 0,
            "id": 21783
          },
          {
            "timestamp": "2026-05-28 22:02:17,412",
            "thread_id": "5448",
            "caller": "0x7ff6c28bb952",
            "parentcaller": "0x7ff6c28be837",
            "category": "windows",
            "api": "PostMessageW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "WindowHandle",
                "value": "0x00010402"
              },
              {
                "name": "Message",
                "value": "0x00000464"
              }
            ],
            "repeated": 0,
            "id": 21784
          },
          {
            "timestamp": "2026-05-28 22:02:17,412",
            "thread_id": "608",
            "caller": "0x7ff6c28d9e90",
            "parentcaller": "0x7ff6c28d9a49",
            "category": "windows",
            "api": "FindWindowW",
            "status": true,
            "return": "0x00010092",
            "arguments": [
              {
                "name": "ClassName",
                "value": "Shell_TrayWnd"
              },
              {
                "name": "WindowName",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 21785
          },
          {
            "timestamp": "2026-05-28 22:02:17,412",
            "thread_id": "2700",
            "caller": "0x7ffc77bf0e98",
            "parentcaller": "0x7ffc77c6b785",
            "category": "windows",
            "api": "PostMessageW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "WindowHandle",
                "value": "0x00010438"
              },
              {
                "name": "Message",
                "value": "0x00000400"
              }
            ],
            "repeated": 0,
            "id": 21786
          },
          {
            "timestamp": "2026-05-28 22:02:17,490",
            "thread_id": "1276",
            "caller": "0x7ffc77bf0e98",
            "parentcaller": "0x7ffc77c6b785",
            "category": "windows",
            "api": "PostMessageW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "WindowHandle",
                "value": "0x00010424"
              },
              {
                "name": "Message",
                "value": "0x00000400"
              }
            ],
            "repeated": 0,
            "id": 21787
          },
          {
            "timestamp": "2026-05-28 22:02:18,381",
            "thread_id": "5448",
            "caller": "0x7ff6c28bd9af",
            "parentcaller": "0x7ff6c28d9f92",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "23"
              },
              {
                "name": "ThreadInformation",
                "value": "\\xeea a\\x00\\x00\\x00\\x00\\x92C\\xd2\\x02Q\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "5448"
              }
            ],
            "repeated": 0,
            "id": 21788
          },
          {
            "timestamp": "2026-05-28 22:02:18,381",
            "thread_id": "5448",
            "caller": "0x7ff6c28c63dd",
            "parentcaller": "0x7ff6c28bac26",
            "category": "misc",
            "api": "NtQuerySystemInformation",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SystemInformationClass",
                "value": "5",
                "pretty_value": "SystemProcessInformation"
              }
            ],
            "repeated": 0,
            "id": 21789
          },
          {
            "timestamp": "2026-05-28 22:02:18,381",
            "thread_id": "5448",
            "caller": "0x7ff6c28bda50",
            "parentcaller": "0x7ff6c28d9f92",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "23"
              },
              {
                "name": "ThreadInformation",
                "value": "\\xee\\xb6fa\\x00\\x00\\x00\\x00\\xa6\\xe9\\x1a\\x03Q\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "5448"
              }
            ],
            "repeated": 0,
            "id": 21790
          },
          {
            "timestamp": "2026-05-28 22:02:18,381",
            "thread_id": "5448",
            "caller": "0x7ff6c28bdaa2",
            "parentcaller": "0x7ff6c28d9f92",
            "category": "misc",
            "api": "NtQuerySystemInformation",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SystemInformationClass",
                "value": "3",
                "pretty_value": "SystemTimeOfDayInformation"
              }
            ],
            "repeated": 0,
            "id": 21791
          },
          {
            "timestamp": "2026-05-28 22:02:18,381",
            "thread_id": "5448",
            "caller": "0x7ff6c28c4a58",
            "parentcaller": "0x7ff6c28c4bdc",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000410"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\PcwDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00224013"
              },
              {
                "name": "InputBuffer",
                "value": "\\x14\\x04\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": "\\xb8\\x01\\x00\\x00\\x10\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xa8\\x01\\x00\\x00 \\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x000\\x00\\x00\\x0c\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00`\\x00\\x00\\x00\\x00\\x00\\x00\\x00 \\x00\\x00\\x00\\x04\\x00\\x00\\x000\\x00,\\x000\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x04\\x00\\x08\\x00V!\\x83\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x05\\x00\\x08\\x00\\xa8\\x01\\x87\\x01\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x1a\\x00\\x08\\x00\\xb4\\xf1.\\xad\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x1b\\x00\\x04\\x00V\\x08P\\x03\\x00\\x00\\x00\\x00`\\x00\\x00\\x00\\x01\\x00\\x00\\x00 \\x00\\x00\\x00\\x04\\x00\\x00\\x000\\x00,\\x001\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x04\\x00\\x08\\x00\\xec\\x8dR\\x01\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x05\\x00\\x08\\x00\\xd0\\x12\\x13\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x1a\\x00\\x08\\x00\\xbd\\xea\\x9a\\xaf\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x1b\\x00\\x04\\x00]\\x08P\\x03\\x00\\x00\\x00\\x00h\\x00\\x00\\x00\\x02\\x00\\x00\\x00(\\x00\\x00\\x00\\x04\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 21792
          },
          {
            "timestamp": "2026-05-28 22:02:18,381",
            "thread_id": "5448",
            "caller": "0x7ff6c28c4a58",
            "parentcaller": "0x7ff6c28c4c19",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000410"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\PcwDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00224013"
              },
              {
                "name": "InputBuffer",
                "value": "\\x18\\x04\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": "x\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00h\\x00\\x00\\x00 \\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00H\\x00\\x00\\x00\\x00\\x00\\x00\\x00(\\x00\\x00\\x00\\x02\\x00\\x00\\x00d\\x00e\\x00f\\x00a\\x00u\\x00l\\x00t\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x08\\x00\\x1bJ\\xe7\\xa0\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x01\\x00\\x08\\x00\\x00\\xf4\\xe0\\x0b\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 21793
          },
          {
            "timestamp": "2026-05-28 22:02:18,381",
            "thread_id": "5448",
            "caller": "0x7ff6c28c6f7b",
            "parentcaller": "0x7ff6c28bdb94",
            "category": "misc",
            "api": "GlobalMemoryStatusEx",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "MemoryLoad",
                "value": "36"
              },
              {
                "name": "TotalPhysicalMB",
                "value": "8191"
              }
            ],
            "repeated": 0,
            "id": 21794
          },
          {
            "timestamp": "2026-05-28 22:02:18,381",
            "thread_id": "5448",
            "caller": "0x7ff6c28c05ac",
            "parentcaller": "0x7ff6c28bdc11",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a9c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001400",
                "pretty_value": "PROCESS_QUERY_INFORMATION|PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "748"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\148.0.3967.83\\identity_helper.exe"
              }
            ],
            "repeated": 0,
            "id": 21795
          },
          {
            "timestamp": "2026-05-28 22:02:18,381",
            "thread_id": "5448",
            "caller": "0x7ff6c28c068f",
            "parentcaller": "0x7ff6c28bdc11",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a9c"
              }
            ],
            "repeated": 0,
            "id": 21796
          },
          {
            "timestamp": "2026-05-28 22:02:18,381",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c6d7d",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a9c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001400",
                "pretty_value": "PROCESS_QUERY_INFORMATION|PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "748"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\148.0.3967.83\\identity_helper.exe"
              }
            ],
            "repeated": 0,
            "id": 21797
          },
          {
            "timestamp": "2026-05-28 22:02:18,381",
            "thread_id": "5448",
            "caller": "0x7ff6c28c6de3",
            "parentcaller": "0x7ff6c28c087c",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a9c"
              }
            ],
            "repeated": 0,
            "id": 21798
          },
          {
            "timestamp": "2026-05-28 22:02:18,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28c4a58",
            "parentcaller": "0x7ff6c28bab11",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000410"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\PcwDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00224013"
              },
              {
                "name": "InputBuffer",
                "value": "\\x88\\x08\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": "x\\x02\\x00\\x00\\x10\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00h\\x02\\x00\\x00 \\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01<\\x06\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x90\\x00\\x00\\x00\\x00\\x00\\x00\\x00 \\x00\\x00\\x00\\x07\\x00\\x00\\x000\\x00,\\x000\\x00\\x00\\x00a\\x00n\\x00a\\x00g\\x00\\x10\\x00\\x00\\x00\\x10\\x00\\x04\\x00\\x00\\x00\\x00\\x00A\\x00p\\x00\\x10\\x00\\x00\\x00\\x1a\\x00\\x08\\x00\"e/\\xad\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x1b\\x00\\x04\\x00~\tP\\x03S\\x00e\\x00\\x10\\x00\\x00\\x00\\x1c\\x00\\x08\\x00\\x8b\\xc2\\xc4\\x08\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x1d\\x00\\x04\\x00~\tP\\x03)\\x00\\x00\\x00\\x10\\x00\\x00\\x00!\\x00\\x08\\x00[\\xa9\\x9a\\xef\\x18\\x00\\x00\\x00\\x10\\x00\\x00\\x00\"\\x00\\x04\\x00\\x9cZ\\xbb\\x01o\\x00f\\x00\\x90\\x00\\x00\\x00\\x01\\x00\\x00\\x00 \\x00\\x00\\x00\\x07\\x00\\x00\\x000\\x00,\\x001\\x00\\x00\\x00n\\x00t\\x00\\x00\\x00A\\x00\\x10\\x00\\x00\\x00\\x10\\x00\\x04\\x00\\x00\\x00\\x00\\x00e\\x00n\\x00\\x10\\x00\\x00\\x00\\x1a\\x00\\x08\\x00J]\\x9b\\xaf\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 21799
          },
          {
            "timestamp": "2026-05-28 22:02:18,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28c7164",
            "parentcaller": "0x7ff6c28c4d2d",
            "category": "misc",
            "api": "NtQuerySystemInformation",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "SystemInformationClass",
                "value": "79"
              }
            ],
            "repeated": 0,
            "id": 21800
          },
          {
            "timestamp": "2026-05-28 22:02:18,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28c71d8",
            "parentcaller": "0x7ff6c28c4d2d",
            "category": "misc",
            "api": "NtQuerySystemInformation",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SystemInformationClass",
                "value": "79"
              }
            ],
            "repeated": 0,
            "id": 21801
          },
          {
            "timestamp": "2026-05-28 22:02:18,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28c4d5f",
            "parentcaller": "0x7ff6c28d9152",
            "category": "misc",
            "api": "NtQuerySystemInformation",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SystemInformationClass",
                "value": "182"
              }
            ],
            "repeated": 0,
            "id": 21802
          },
          {
            "timestamp": "2026-05-28 22:02:18,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28c4d76",
            "parentcaller": "0x7ff6c28d9152",
            "category": "misc",
            "api": "GetPhysicallyInstalledSystemMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TotalMemoryInKilobytes",
                "value": "8388608"
              }
            ],
            "repeated": 0,
            "id": 21803
          },
          {
            "timestamp": "2026-05-28 22:02:18,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28bcc3e",
            "parentcaller": "0x7ff6c28baa3d",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000008a4"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\Nsi"
              },
              {
                "name": "IoControlCode",
                "value": "0x00120007"
              },
              {
                "name": "InputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb1\\xa9t\\xfc\\x7f\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xc0\\xe5O\\x9e\\xf0\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb1\\xa9t\\xfc\\x7f\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xc0\\xe5O\\x9e\\xf0\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 21804
          },
          {
            "timestamp": "2026-05-28 22:02:18,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28bcc3e",
            "parentcaller": "0x7ff6c28baa3d",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a9c"
              }
            ],
            "repeated": 0,
            "id": 21805
          },
          {
            "timestamp": "2026-05-28 22:02:18,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28bcc3e",
            "parentcaller": "0x7ff6c28baa3d",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000008a4"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\Nsi"
              },
              {
                "name": "IoControlCode",
                "value": "0x0012000f"
              },
              {
                "name": "InputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb1\\xa9t\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xd0\\xe5O\\x9e\\xf0\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\xeeO\\x9e\\xf0\\x00\\x00\\x00D\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xe6O\\x9e\\xf0\\x00\\x00\\x00\\xd8\\x00\\x00\\x00\\x00\\x00\\x00\\x00 \\xe9O\\x9e\\xf0\\x00\\x00\\x00X\\x02\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb1\\xa9t\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xd0\\xe5O\\x9e\\xf0\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\xeeO\\x9e\\xf0\\x00\\x00\\x00D\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xe6O\\x9e\\xf0\\x00\\x00\\x00\\xd8\\x00\\x00\\x00\\x00\\x00\\x00\\x00 \\xe9O\\x9e\\xf0\\x00\\x00\\x00X\\x02\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 21806
          },
          {
            "timestamp": "2026-05-28 22:02:18,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28bcc3e",
            "parentcaller": "0x7ff6c28baa3d",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a9c"
              }
            ],
            "repeated": 0,
            "id": 21807
          },
          {
            "timestamp": "2026-05-28 22:02:18,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28bcd3d",
            "parentcaller": "0x7ff6c28baa3d",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000a9c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0012019f",
                "pretty_value": "FILE_GENERIC_READ|FILE_GENERIC_WRITE"
              },
              {
                "name": "FileName",
                "value": "\\Device\\{4C572733-2FBA-4346-9601-F86DBA666EF2}"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 21808
          },
          {
            "timestamp": "2026-05-28 22:02:18,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28bcd94",
            "parentcaller": "0x7ff6c28baa3d",
            "category": "device",
            "api": "DeviceIoControl",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "DeviceHandle",
                "value": "0x00000a9c"
              },
              {
                "name": "IoControlCode",
                "value": "0x0017003e"
              },
              {
                "name": "InBuffer",
                "value": "\\x07\\x01\\x01\\x00\\x04\\x01\\x01\\x80\\x14\\x01\\x01\\x80\\x01\\x01\\x02\\x00\\x02\\x01\\x02\\x00\\x03\\x01\\x02\\x00\\x04\\x01\\x02\\x00\\x08\\x02\\x02\\x80\\x01\\x02\\x02\\x80\\x07\\x02\\x02\\x80\\xff\\xff\\xff\\x80\\x13\\x02\\x02\\x80\\x14\\x02\\x02\\x80\\x15\\x02\\x02\\x80\\x02\\x02\\x01\\x80"
              },
              {
                "name": "OutBuffer",
                "value": "\\x07\\x01\\x01\\x00\\x04\\x00\\x00\\x00\\x80\\x96\\x98\\x00\\x04\\x01\\x01\\x80\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x14\\x01\\x01\\x80\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x01\\x02\\x00\\x08\\x00\\x00\\x00n\\x15\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x01\\x02\\x00\\x08\\x00\\x00\\x00\\x7fn\\x00\\x00\\x00\\x00\\x00\\x00\\x03\\x01\\x02\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x04\\x01\\x02\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x08\\x02\\x02\\x80\\x08\\x00\\x00\\x00zn\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x02\\x02\\x80\\x08\\x00\\x00\\x00\\x99\\xe4T\\x00\\x00\\x00\\x00\\x00\\x07\\x02\\x02\\x80\\x08\\x00\\x00\\x00\\xb9\\x924\\x02\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\x80\\x04\\x00\\x00\\x00T\\x00\\x00\\x00\\x13\\x02\\x02\\x80\\x04\\x00\\x00\\x00m\\x00\\x00\\x00\\x14\\x02\\x02\\x80\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x15\\x02\\x02\\x80\\x04\\x00\\x00\\x00\\x00\\x00\\x04\\x00\\x02\\x02\\x01\\x80\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 21809
          },
          {
            "timestamp": "2026-05-28 22:02:18,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28bcdab",
            "parentcaller": "0x7ff6c28baa3d",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a9c"
              }
            ],
            "repeated": 0,
            "id": 21810
          },
          {
            "timestamp": "2026-05-28 22:02:18,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28c1a63",
            "parentcaller": "0x7ff6c28d9152",
            "category": "device",
            "api": "DeviceIoControl",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "DeviceHandle",
                "value": "0x0000089c"
              },
              {
                "name": "IoControlCode",
                "value": "0x00070020"
              },
              {
                "name": "InBuffer",
                "value": ""
              },
              {
                "name": "OutBuffer",
                "value": "\\x00\\x80\\x01v\\x00\\x00\\x00\\x00\\x00\\xee\\x02\n\\x00\\x00\\x00\\x00\\x1a`\\x81 \\x00\\x00\\x00\\x00\\xf9\\x030\\x14\\x00\\x00\\x00\\x00\\xe4d\\x08\"\\x00\\x00\\x00\\x00Hv\\x00\\x00U\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\xbd\\x04\\x00\\x00g\\xfa\\x95\\xa6\\xed\\xee\\xdc\\x01\\x00\\x00\\x00\\x00P\\x00a\\x00r\\x00t\\x00m\\x00g\\x00r\\x00 \\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 21811
          },
          {
            "timestamp": "2026-05-28 22:02:18,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28ca352",
            "parentcaller": "0x7ff6c28ca1d6",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 21812
          },
          {
            "timestamp": "2026-05-28 22:02:18,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28ca352",
            "parentcaller": "0x7ff6c28ca1d6",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "0",
                "pretty_value": "ThreadBasicInformation"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x03\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb0\\x88\\x9d\\xf0\\x00\\x00\\x00\\xe8\\x1e\\x00\\x00\\x00\\x00\\x00\\x00\\x9c!\\x00\\x00\\x00\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x0b\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "8604"
              }
            ],
            "repeated": 0,
            "id": 21813
          },
          {
            "timestamp": "2026-05-28 22:02:18,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28ca352",
            "parentcaller": "0x7ff6c28ca1d6",
            "category": "system",
            "api": "GetSystemTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 1,
            "id": 21814
          },
          {
            "timestamp": "2026-05-28 22:02:18,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28ca352",
            "parentcaller": "0x7ff6c28ca1d6",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000410"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\PcwDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00224013"
              },
              {
                "name": "InputBuffer",
                "value": "\\x00\t\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": "\\xe0G\\x00\\x00\\x10\\x00\\x00\\x00\\x0c\\x00\\x00\\x00\\x00\\x00\\x00\\x00`\\x14\\x00\\x00 \\x00\\x00\\x00!\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\n\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x98\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x88\\x00\\x00\\x00\\x01\\x00\\x00\\x00p\\x00i\\x00d\\x00_\\x004\\x00_\\x00l\\x00u\\x00i\\x00d\\x00_\\x000\\x00x\\x000\\x000\\x000\\x000\\x000\\x000\\x000\\x000\\x00_\\x000\\x00x\\x000\\x000\\x000\\x000\\x006\\x001\\x006\\x00A\\x00_\\x00p\\x00h\\x00y\\x00s\\x00_\\x000\\x00_\\x00e\\x00n\\x00g\\x00_\\x000\\x00_\\x00e\\x00n\\x00g\\x00t\\x00y\\x00p\\x00e\\x00_\\x003\\x00D\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x01\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x98\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x88\\x00\\x00\\x00\\x01\\x00\\x00\\x00p\\x00i\\x00d\\x00_\\x004\\x00_\\x00l\\x00u\\x00i\\x00d\\x00_\\x000\\x00x\\x000\\x000\\x000\\x000\\x000\\x000\\x000\\x00"
              }
            ],
            "repeated": 0,
            "id": 21815
          },
          {
            "timestamp": "2026-05-28 22:02:18,381",
            "thread_id": "8604",
            "caller": "0x7ff6c28f9829",
            "parentcaller": "0x7ff6c28d8f00",
            "category": "windows",
            "api": "PostMessageW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "WindowHandle",
                "value": "0x000203fa"
              },
              {
                "name": "Message",
                "value": "0x000004e1"
              }
            ],
            "repeated": 0,
            "id": 21816
          },
          {
            "timestamp": "2026-05-28 22:02:18,381",
            "thread_id": "1496",
            "caller": "0x7ff6c2958576",
            "parentcaller": "0x7ff6c2957a42",
            "category": "misc",
            "api": "NtQuerySystemInformation",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SystemInformationClass",
                "value": "3",
                "pretty_value": "SystemTimeOfDayInformation"
              }
            ],
            "repeated": 0,
            "id": 21817
          },
          {
            "timestamp": "2026-05-28 22:02:18,381",
            "thread_id": "1276",
            "caller": "0x7ff6c28d9214",
            "parentcaller": "0x00000000",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "0",
                "pretty_value": "ThreadBasicInformation"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x03\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xd0\\x87\\x9d\\xf0\\x00\\x00\\x00\\xe8\\x1e\\x00\\x00\\x00\\x00\\x00\\x00\\xfc\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\n\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "1276"
              }
            ],
            "repeated": 0,
            "id": 21818
          },
          {
            "timestamp": "2026-05-28 22:02:18,381",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000000",
                "pretty_value": "HKEY_CLASSES_ROOT"
              },
              {
                "name": "SubKey",
                "value": "CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_CLASSES_ROOT\\CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              }
            ],
            "repeated": 0,
            "id": 21819
          },
          {
            "timestamp": "2026-05-28 22:02:18,381",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "shell32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76730000"
              }
            ],
            "repeated": 0,
            "id": 21820
          },
          {
            "timestamp": "2026-05-28 22:02:18,381",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x7ffc76730000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "shell32.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 21821
          },
          {
            "timestamp": "2026-05-28 22:02:18,381",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "SHELL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc76730000"
              },
              {
                "name": "FunctionName",
                "value": "DllGetClassObject"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc767878f0"
              }
            ],
            "repeated": 0,
            "id": 21822
          },
          {
            "timestamp": "2026-05-28 22:02:18,381",
            "thread_id": "1276",
            "caller": "0x7ff6c28c27c9",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "synchronization",
            "api": "NtFindAtom",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "AtomName",
                "value": "{57086C23-86C6-478F-AFB2-236188C8F47F} 3"
              },
              {
                "name": "Atom",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 21823
          },
          {
            "timestamp": "2026-05-28 22:02:18,381",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000000",
                "pretty_value": "HKEY_CLASSES_ROOT"
              },
              {
                "name": "SubKey",
                "value": "CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_CLASSES_ROOT\\CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              }
            ],
            "repeated": 0,
            "id": 21824
          },
          {
            "timestamp": "2026-05-28 22:02:18,381",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "shell32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76730000"
              }
            ],
            "repeated": 0,
            "id": 21825
          },
          {
            "timestamp": "2026-05-28 22:02:18,381",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x7ffc76730000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "shell32.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 21826
          },
          {
            "timestamp": "2026-05-28 22:02:18,381",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "SHELL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc76730000"
              },
              {
                "name": "FunctionName",
                "value": "DllGetClassObject"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc767878f0"
              }
            ],
            "repeated": 0,
            "id": 21827
          },
          {
            "timestamp": "2026-05-28 22:02:18,381",
            "thread_id": "1276",
            "caller": "0x7ff6c28c27c9",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "synchronization",
            "api": "NtFindAtom",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "AtomName",
                "value": "{57086C23-86C6-478F-AFB2-236188C8F47F} 3"
              },
              {
                "name": "Atom",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 21828
          },
          {
            "timestamp": "2026-05-28 22:02:18,381",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6fb1",
            "parentcaller": "0x7ff6c28e0076",
            "category": "system",
            "api": "NtDelayExecution",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 21829
          },
          {
            "timestamp": "2026-05-28 22:02:18,381",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000000",
                "pretty_value": "HKEY_CLASSES_ROOT"
              },
              {
                "name": "SubKey",
                "value": "CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_CLASSES_ROOT\\CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              }
            ],
            "repeated": 0,
            "id": 21830
          },
          {
            "timestamp": "2026-05-28 22:02:18,381",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "shell32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76730000"
              }
            ],
            "repeated": 0,
            "id": 21831
          },
          {
            "timestamp": "2026-05-28 22:02:18,381",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x7ffc76730000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "shell32.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 21832
          },
          {
            "timestamp": "2026-05-28 22:02:18,381",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "SHELL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc76730000"
              },
              {
                "name": "FunctionName",
                "value": "DllGetClassObject"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc767878f0"
              }
            ],
            "repeated": 0,
            "id": 21833
          },
          {
            "timestamp": "2026-05-28 22:02:18,381",
            "thread_id": "1276",
            "caller": "0x7ff6c28c27c9",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "synchronization",
            "api": "NtFindAtom",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "AtomName",
                "value": "{57086C23-86C6-478F-AFB2-236188C8F47F} 3"
              },
              {
                "name": "Atom",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 21834
          },
          {
            "timestamp": "2026-05-28 22:02:18,381",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000000",
                "pretty_value": "HKEY_CLASSES_ROOT"
              },
              {
                "name": "SubKey",
                "value": "CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_CLASSES_ROOT\\CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              }
            ],
            "repeated": 0,
            "id": 21835
          },
          {
            "timestamp": "2026-05-28 22:02:18,381",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "shell32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76730000"
              }
            ],
            "repeated": 0,
            "id": 21836
          },
          {
            "timestamp": "2026-05-28 22:02:18,381",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x7ffc76730000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "shell32.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 21837
          },
          {
            "timestamp": "2026-05-28 22:02:18,381",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "SHELL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc76730000"
              },
              {
                "name": "FunctionName",
                "value": "DllGetClassObject"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc767878f0"
              }
            ],
            "repeated": 0,
            "id": 21838
          },
          {
            "timestamp": "2026-05-28 22:02:18,381",
            "thread_id": "1276",
            "caller": "0x7ff6c28c27c9",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "synchronization",
            "api": "NtFindAtom",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "AtomName",
                "value": "{57086C23-86C6-478F-AFB2-236188C8F47F} 3"
              },
              {
                "name": "Atom",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 21839
          },
          {
            "timestamp": "2026-05-28 22:02:18,381",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000000",
                "pretty_value": "HKEY_CLASSES_ROOT"
              },
              {
                "name": "SubKey",
                "value": "CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_CLASSES_ROOT\\CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              }
            ],
            "repeated": 0,
            "id": 21840
          },
          {
            "timestamp": "2026-05-28 22:02:18,381",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "shell32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76730000"
              }
            ],
            "repeated": 0,
            "id": 21841
          },
          {
            "timestamp": "2026-05-28 22:02:18,381",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x7ffc76730000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "shell32.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 21842
          },
          {
            "timestamp": "2026-05-28 22:02:18,381",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "SHELL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc76730000"
              },
              {
                "name": "FunctionName",
                "value": "DllGetClassObject"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc767878f0"
              }
            ],
            "repeated": 0,
            "id": 21843
          },
          {
            "timestamp": "2026-05-28 22:02:18,381",
            "thread_id": "1276",
            "caller": "0x7ff6c28c27c9",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "synchronization",
            "api": "NtFindAtom",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "AtomName",
                "value": "{57086C23-86C6-478F-AFB2-236188C8F47F} 3"
              },
              {
                "name": "Atom",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 21844
          },
          {
            "timestamp": "2026-05-28 22:02:18,381",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000000",
                "pretty_value": "HKEY_CLASSES_ROOT"
              },
              {
                "name": "SubKey",
                "value": "CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_CLASSES_ROOT\\CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              }
            ],
            "repeated": 0,
            "id": 21845
          },
          {
            "timestamp": "2026-05-28 22:02:18,381",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "shell32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76730000"
              }
            ],
            "repeated": 0,
            "id": 21846
          },
          {
            "timestamp": "2026-05-28 22:02:18,381",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x7ffc76730000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "shell32.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 21847
          },
          {
            "timestamp": "2026-05-28 22:02:18,381",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "SHELL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc76730000"
              },
              {
                "name": "FunctionName",
                "value": "DllGetClassObject"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc767878f0"
              }
            ],
            "repeated": 0,
            "id": 21848
          },
          {
            "timestamp": "2026-05-28 22:02:18,381",
            "thread_id": "1276",
            "caller": "0x7ff6c28c27c9",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "synchronization",
            "api": "NtFindAtom",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "AtomName",
                "value": "{57086C23-86C6-478F-AFB2-236188C8F47F} 3"
              },
              {
                "name": "Atom",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 21849
          },
          {
            "timestamp": "2026-05-28 22:02:18,381",
            "thread_id": "1276",
            "caller": "0x7ff6c28d9322",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "oleaut32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc77330000"
              }
            ],
            "repeated": 0,
            "id": 21850
          },
          {
            "timestamp": "2026-05-28 22:02:18,381",
            "thread_id": "5448",
            "caller": "0x7ff6c28bb952",
            "parentcaller": "0x7ff6c28be837",
            "category": "windows",
            "api": "PostMessageW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "WindowHandle",
                "value": "0x00010402"
              },
              {
                "name": "Message",
                "value": "0x00000464"
              }
            ],
            "repeated": 0,
            "id": 21851
          },
          {
            "timestamp": "2026-05-28 22:02:18,381",
            "thread_id": "608",
            "caller": "0x7ff6c28d9e90",
            "parentcaller": "0x7ff6c28d9a49",
            "category": "windows",
            "api": "FindWindowW",
            "status": true,
            "return": "0x00010092",
            "arguments": [
              {
                "name": "ClassName",
                "value": "Shell_TrayWnd"
              },
              {
                "name": "WindowName",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 21852
          },
          {
            "timestamp": "2026-05-28 22:02:18,381",
            "thread_id": "2700",
            "caller": "0x7ffc77bf0e98",
            "parentcaller": "0x7ffc77c6b785",
            "category": "windows",
            "api": "PostMessageW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "WindowHandle",
                "value": "0x00010438"
              },
              {
                "name": "Message",
                "value": "0x00000400"
              }
            ],
            "repeated": 0,
            "id": 21853
          },
          {
            "timestamp": "2026-05-28 22:02:18,490",
            "thread_id": "1276",
            "caller": "0x7ffc77bf0e98",
            "parentcaller": "0x7ffc77c6b785",
            "category": "windows",
            "api": "PostMessageW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "WindowHandle",
                "value": "0x00010424"
              },
              {
                "name": "Message",
                "value": "0x00000400"
              }
            ],
            "repeated": 0,
            "id": 21854
          },
          {
            "timestamp": "2026-05-28 22:02:19,396",
            "thread_id": "5448",
            "caller": "0x7ff6c28bd9af",
            "parentcaller": "0x7ff6c28d9f92",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "23"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x9c\\x0b\\x8da\\x00\\x00\\x00\\x00\\xf0\\xd0\\x92\\xe1Q\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "5448"
              }
            ],
            "repeated": 0,
            "id": 21855
          },
          {
            "timestamp": "2026-05-28 22:02:19,396",
            "thread_id": "5448",
            "caller": "0x7ff6c28c63dd",
            "parentcaller": "0x7ff6c28bac26",
            "category": "misc",
            "api": "NtQuerySystemInformation",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SystemInformationClass",
                "value": "5",
                "pretty_value": "SystemProcessInformation"
              }
            ],
            "repeated": 0,
            "id": 21856
          },
          {
            "timestamp": "2026-05-28 22:02:19,396",
            "thread_id": "5448",
            "caller": "0x7ff6c28bda50",
            "parentcaller": "0x7ff6c28d9f92",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "23"
              },
              {
                "name": "ThreadInformation",
                "value": "R@\\xdba\\x00\\x00\\x00\\x00\\xa8T\\xe3\\xe1Q\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "5448"
              }
            ],
            "repeated": 0,
            "id": 21857
          },
          {
            "timestamp": "2026-05-28 22:02:19,396",
            "thread_id": "5448",
            "caller": "0x7ff6c28bdaa2",
            "parentcaller": "0x7ff6c28d9f92",
            "category": "misc",
            "api": "NtQuerySystemInformation",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SystemInformationClass",
                "value": "3",
                "pretty_value": "SystemTimeOfDayInformation"
              }
            ],
            "repeated": 0,
            "id": 21858
          },
          {
            "timestamp": "2026-05-28 22:02:19,396",
            "thread_id": "5448",
            "caller": "0x7ff6c28c4a58",
            "parentcaller": "0x7ff6c28c4bdc",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000410"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\PcwDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00224013"
              },
              {
                "name": "InputBuffer",
                "value": "\\x14\\x04\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": "\\xb8\\x01\\x00\\x00\\x10\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xa8\\x01\\x00\\x00 \\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x000\\x00\\x00\\x0c\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00`\\x00\\x00\\x00\\x00\\x00\\x00\\x00 \\x00\\x00\\x00\\x04\\x00\\x00\\x000\\x00,\\x000\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x04\\x00\\x08\\x00V!\\x83\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x05\\x00\\x08\\x00\\x02d\\x89\\x01\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x1a\\x00\\x08\\x00\\xd4=\\xcc\\xae\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x1b\\x00\\x04\\x00\\xb2\\xb3Y\\x03\\x00\\x00\\x00\\x00`\\x00\\x00\\x00\\x01\\x00\\x00\\x00 \\x00\\x00\\x00\\x04\\x00\\x00\\x000\\x00,\\x001\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x04\\x00\\x08\\x00\\xec\\x8dR\\x01\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x05\\x00\\x08\\x00\\xd0\\x12\\x13\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x1a\\x00\\x08\\x00bC\\xcb\\xb2\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x1b\\x00\\x04\\x00\\xb9\\xb3Y\\x03\\x00\\x00\\x00\\x00h\\x00\\x00\\x00\\x02\\x00\\x00\\x00(\\x00\\x00\\x00\\x04\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 21859
          },
          {
            "timestamp": "2026-05-28 22:02:19,396",
            "thread_id": "5448",
            "caller": "0x7ff6c28c4a58",
            "parentcaller": "0x7ff6c28c4c19",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000410"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\PcwDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00224013"
              },
              {
                "name": "InputBuffer",
                "value": "\\x18\\x04\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": "x\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00h\\x00\\x00\\x00 \\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00H\\x00\\x00\\x00\\x00\\x00\\x00\\x00(\\x00\\x00\\x00\\x02\\x00\\x00\\x00d\\x00e\\x00f\\x00a\\x00u\\x00l\\x00t\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x08\\x00\\x1bJ\\xe7\\xa0\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x01\\x00\\x08\\x00\\x00\\xe2\\xf8\\x0b\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 21860
          },
          {
            "timestamp": "2026-05-28 22:02:19,396",
            "thread_id": "5448",
            "caller": "0x7ff6c28c6f7b",
            "parentcaller": "0x7ff6c28bdb94",
            "category": "misc",
            "api": "GlobalMemoryStatusEx",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "MemoryLoad",
                "value": "36"
              },
              {
                "name": "TotalPhysicalMB",
                "value": "8191"
              }
            ],
            "repeated": 0,
            "id": 21861
          },
          {
            "timestamp": "2026-05-28 22:02:19,396",
            "thread_id": "5448",
            "caller": "0x7ff6c28c05ac",
            "parentcaller": "0x7ff6c28bdc11",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a9c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001400",
                "pretty_value": "PROCESS_QUERY_INFORMATION|PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "748"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\148.0.3967.83\\identity_helper.exe"
              }
            ],
            "repeated": 0,
            "id": 21862
          },
          {
            "timestamp": "2026-05-28 22:02:19,396",
            "thread_id": "5448",
            "caller": "0x7ff6c28c068f",
            "parentcaller": "0x7ff6c28bdc11",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a9c"
              }
            ],
            "repeated": 0,
            "id": 21863
          },
          {
            "timestamp": "2026-05-28 22:02:19,396",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c6d7d",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a9c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001400",
                "pretty_value": "PROCESS_QUERY_INFORMATION|PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "748"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\148.0.3967.83\\identity_helper.exe"
              }
            ],
            "repeated": 0,
            "id": 21864
          },
          {
            "timestamp": "2026-05-28 22:02:19,396",
            "thread_id": "5448",
            "caller": "0x7ff6c28c6de3",
            "parentcaller": "0x7ff6c28c087c",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a9c"
              }
            ],
            "repeated": 0,
            "id": 21865
          },
          {
            "timestamp": "2026-05-28 22:02:19,396",
            "thread_id": "8604",
            "caller": "0x7ff6c28c4a58",
            "parentcaller": "0x7ff6c28bab11",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000410"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\PcwDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00224013"
              },
              {
                "name": "InputBuffer",
                "value": "\\x88\\x08\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": "x\\x02\\x00\\x00\\x10\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00h\\x02\\x00\\x00 \\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01<\\x06\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x90\\x00\\x00\\x00\\x00\\x00\\x00\\x00 \\x00\\x00\\x00\\x07\\x00\\x00\\x000\\x00,\\x000\\x00\\x00\\x00a\\x00n\\x00a\\x00g\\x00\\x10\\x00\\x00\\x00\\x10\\x00\\x04\\x00\\x00\\x00\\x00\\x00A\\x00p\\x00\\x10\\x00\\x00\\x00\\x1a\\x00\\x08\\x00.\\xd3\\xca\\xae\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x1b\\x00\\x04\\x00\\x11\\xb0Y\\x03S\\x00e\\x00\\x10\\x00\\x00\\x00\\x1c\\x00\\x08\\x00\\x8b\\xc2\\xc4\\x08\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x1d\\x00\\x04\\x00\\x11\\xb0Y\\x03)\\x00\\x00\\x00\\x10\\x00\\x00\\x00!\\x00\\x08\\x00\\x8d\\xf7\\xd7*\\x19\\x00\\x00\\x00\\x10\\x00\\x00\\x00\"\\x00\\x04\\x00\\xdfw\\xbf\\x01o\\x00f\\x00\\x90\\x00\\x00\\x00\\x01\\x00\\x00\\x00 \\x00\\x00\\x00\\x07\\x00\\x00\\x000\\x00,\\x001\\x00\\x00\\x00n\\x00t\\x00\\x00\\x00A\\x00\\x10\\x00\\x00\\x00\\x10\\x00\\x04\\x00\\x00\\x00\\x00\\x00e\\x00n\\x00\\x10\\x00\\x00\\x00\\x1a\\x00\\x08\\x00\\x17\\xc0\\xcb\\xb2\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 21866
          },
          {
            "timestamp": "2026-05-28 22:02:19,396",
            "thread_id": "8604",
            "caller": "0x7ff6c28c7164",
            "parentcaller": "0x7ff6c28c4d2d",
            "category": "misc",
            "api": "NtQuerySystemInformation",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "SystemInformationClass",
                "value": "79"
              }
            ],
            "repeated": 0,
            "id": 21867
          },
          {
            "timestamp": "2026-05-28 22:02:19,396",
            "thread_id": "8604",
            "caller": "0x7ff6c28c71d8",
            "parentcaller": "0x7ff6c28c4d2d",
            "category": "misc",
            "api": "NtQuerySystemInformation",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SystemInformationClass",
                "value": "79"
              }
            ],
            "repeated": 0,
            "id": 21868
          },
          {
            "timestamp": "2026-05-28 22:02:19,396",
            "thread_id": "8604",
            "caller": "0x7ff6c28c4d5f",
            "parentcaller": "0x7ff6c28d9152",
            "category": "misc",
            "api": "NtQuerySystemInformation",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SystemInformationClass",
                "value": "182"
              }
            ],
            "repeated": 0,
            "id": 21869
          },
          {
            "timestamp": "2026-05-28 22:02:19,396",
            "thread_id": "8604",
            "caller": "0x7ff6c28c4d76",
            "parentcaller": "0x7ff6c28d9152",
            "category": "misc",
            "api": "GetPhysicallyInstalledSystemMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TotalMemoryInKilobytes",
                "value": "8388608"
              }
            ],
            "repeated": 0,
            "id": 21870
          },
          {
            "timestamp": "2026-05-28 22:02:19,396",
            "thread_id": "8604",
            "caller": "0x7ff6c28bcc3e",
            "parentcaller": "0x7ff6c28baa3d",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000008a4"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\Nsi"
              },
              {
                "name": "IoControlCode",
                "value": "0x00120007"
              },
              {
                "name": "InputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb1\\xa9t\\xfc\\x7f\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xc0\\xe5O\\x9e\\xf0\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb1\\xa9t\\xfc\\x7f\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xc0\\xe5O\\x9e\\xf0\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 21871
          },
          {
            "timestamp": "2026-05-28 22:02:19,396",
            "thread_id": "8604",
            "caller": "0x7ff6c28bcc3e",
            "parentcaller": "0x7ff6c28baa3d",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a9c"
              }
            ],
            "repeated": 0,
            "id": 21872
          },
          {
            "timestamp": "2026-05-28 22:02:19,396",
            "thread_id": "8604",
            "caller": "0x7ff6c28bcc3e",
            "parentcaller": "0x7ff6c28baa3d",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000008a4"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\Nsi"
              },
              {
                "name": "IoControlCode",
                "value": "0x0012000f"
              },
              {
                "name": "InputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb1\\xa9t\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xd0\\xe5O\\x9e\\xf0\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\xeeO\\x9e\\xf0\\x00\\x00\\x00D\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xe6O\\x9e\\xf0\\x00\\x00\\x00\\xd8\\x00\\x00\\x00\\x00\\x00\\x00\\x00 \\xe9O\\x9e\\xf0\\x00\\x00\\x00X\\x02\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb1\\xa9t\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xd0\\xe5O\\x9e\\xf0\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\xeeO\\x9e\\xf0\\x00\\x00\\x00D\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xe6O\\x9e\\xf0\\x00\\x00\\x00\\xd8\\x00\\x00\\x00\\x00\\x00\\x00\\x00 \\xe9O\\x9e\\xf0\\x00\\x00\\x00X\\x02\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 21873
          },
          {
            "timestamp": "2026-05-28 22:02:19,396",
            "thread_id": "8604",
            "caller": "0x7ff6c28bcc3e",
            "parentcaller": "0x7ff6c28baa3d",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a9c"
              }
            ],
            "repeated": 0,
            "id": 21874
          },
          {
            "timestamp": "2026-05-28 22:02:19,396",
            "thread_id": "8604",
            "caller": "0x7ff6c28bcd3d",
            "parentcaller": "0x7ff6c28baa3d",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000a9c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0012019f",
                "pretty_value": "FILE_GENERIC_READ|FILE_GENERIC_WRITE"
              },
              {
                "name": "FileName",
                "value": "\\Device\\{4C572733-2FBA-4346-9601-F86DBA666EF2}"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 21875
          },
          {
            "timestamp": "2026-05-28 22:02:19,396",
            "thread_id": "8604",
            "caller": "0x7ff6c28bcd94",
            "parentcaller": "0x7ff6c28baa3d",
            "category": "device",
            "api": "DeviceIoControl",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "DeviceHandle",
                "value": "0x00000a9c"
              },
              {
                "name": "IoControlCode",
                "value": "0x0017003e"
              },
              {
                "name": "InBuffer",
                "value": "\\x07\\x01\\x01\\x00\\x04\\x01\\x01\\x80\\x14\\x01\\x01\\x80\\x01\\x01\\x02\\x00\\x02\\x01\\x02\\x00\\x03\\x01\\x02\\x00\\x04\\x01\\x02\\x00\\x08\\x02\\x02\\x80\\x01\\x02\\x02\\x80\\x07\\x02\\x02\\x80\\xff\\xff\\xff\\x80\\x13\\x02\\x02\\x80\\x14\\x02\\x02\\x80\\x15\\x02\\x02\\x80\\x02\\x02\\x01\\x80"
              },
              {
                "name": "OutBuffer",
                "value": "\\x07\\x01\\x01\\x00\\x04\\x00\\x00\\x00\\x80\\x96\\x98\\x00\\x04\\x01\\x01\\x80\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x14\\x01\\x01\\x80\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x01\\x02\\x00\\x08\\x00\\x00\\x00v\\x15\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x01\\x02\\x00\\x08\\x00\\x00\\x00\\x88n\\x00\\x00\\x00\\x00\\x00\\x00\\x03\\x01\\x02\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x04\\x01\\x02\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x08\\x02\\x02\\x80\\x08\\x00\\x00\\x00\\x83n\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x02\\x02\\x80\\x08\\x00\\x00\\x00\\x1c\\xe7T\\x00\\x00\\x00\\x00\\x00\\x07\\x02\\x02\\x80\\x08\\x00\\x00\\x00\\x8d\\x954\\x02\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\x80\\x04\\x00\\x00\\x00U\\x00\\x00\\x00\\x13\\x02\\x02\\x80\\x04\\x00\\x00\\x00m\\x00\\x00\\x00\\x14\\x02\\x02\\x80\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x15\\x02\\x02\\x80\\x04\\x00\\x00\\x00\\x00\\x00\\x04\\x00\\x02\\x02\\x01\\x80\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 21876
          },
          {
            "timestamp": "2026-05-28 22:02:19,396",
            "thread_id": "8604",
            "caller": "0x7ff6c28bcdab",
            "parentcaller": "0x7ff6c28baa3d",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a9c"
              }
            ],
            "repeated": 0,
            "id": 21877
          },
          {
            "timestamp": "2026-05-28 22:02:19,396",
            "thread_id": "8604",
            "caller": "0x7ff6c28c1a63",
            "parentcaller": "0x7ff6c28d9152",
            "category": "device",
            "api": "DeviceIoControl",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "DeviceHandle",
                "value": "0x0000089c"
              },
              {
                "name": "IoControlCode",
                "value": "0x00070020"
              },
              {
                "name": "InBuffer",
                "value": ""
              },
              {
                "name": "OutBuffer",
                "value": "\\x00\\x80\\x01v\\x00\\x00\\x00\\x00\\x00\\xdc\\x1a\n\\x00\\x00\\x00\\x00\\x1a`\\x81 \\x00\\x00\\x00\\x007\\xbda\\x14\\x00\\x00\\x00\\x00\\x9b\\x1a|\"\\x00\\x00\\x00\\x00Hv\\x00\\x00\\x87\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\xcd\\x04\\x00\\x00T\\xa80\\xa7\\xed\\xee\\xdc\\x01\\x00\\x00\\x00\\x00P\\x00a\\x00r\\x00t\\x00m\\x00g\\x00r\\x00 \\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 21878
          },
          {
            "timestamp": "2026-05-28 22:02:19,396",
            "thread_id": "8604",
            "caller": "0x7ff6c28ca352",
            "parentcaller": "0x7ff6c28ca1d6",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 21879
          },
          {
            "timestamp": "2026-05-28 22:02:19,396",
            "thread_id": "8604",
            "caller": "0x7ff6c28ca352",
            "parentcaller": "0x7ff6c28ca1d6",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "0",
                "pretty_value": "ThreadBasicInformation"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x03\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb0\\x88\\x9d\\xf0\\x00\\x00\\x00\\xe8\\x1e\\x00\\x00\\x00\\x00\\x00\\x00\\x9c!\\x00\\x00\\x00\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x0b\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "8604"
              }
            ],
            "repeated": 0,
            "id": 21880
          },
          {
            "timestamp": "2026-05-28 22:02:19,396",
            "thread_id": "8604",
            "caller": "0x7ff6c28ca352",
            "parentcaller": "0x7ff6c28ca1d6",
            "category": "system",
            "api": "GetSystemTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 1,
            "id": 21881
          },
          {
            "timestamp": "2026-05-28 22:02:19,396",
            "thread_id": "8604",
            "caller": "0x7ff6c28ca352",
            "parentcaller": "0x7ff6c28ca1d6",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000410"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\PcwDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00224013"
              },
              {
                "name": "InputBuffer",
                "value": "\\x00\t\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": "\\xe0G\\x00\\x00\\x10\\x00\\x00\\x00\\x0c\\x00\\x00\\x00\\x00\\x00\\x00\\x00`\\x14\\x00\\x00 \\x00\\x00\\x00!\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\n\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x98\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x88\\x00\\x00\\x00\\x01\\x00\\x00\\x00p\\x00i\\x00d\\x00_\\x004\\x00_\\x00l\\x00u\\x00i\\x00d\\x00_\\x000\\x00x\\x000\\x000\\x000\\x000\\x000\\x000\\x000\\x000\\x00_\\x000\\x00x\\x000\\x000\\x000\\x000\\x006\\x001\\x006\\x00A\\x00_\\x00p\\x00h\\x00y\\x00s\\x00_\\x000\\x00_\\x00e\\x00n\\x00g\\x00_\\x000\\x00_\\x00e\\x00n\\x00g\\x00t\\x00y\\x00p\\x00e\\x00_\\x003\\x00D\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x01\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x98\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x88\\x00\\x00\\x00\\x01\\x00\\x00\\x00p\\x00i\\x00d\\x00_\\x004\\x00_\\x00l\\x00u\\x00i\\x00d\\x00_\\x000\\x00x\\x000\\x000\\x000\\x000\\x000\\x000\\x000\\x00"
              }
            ],
            "repeated": 0,
            "id": 21882
          },
          {
            "timestamp": "2026-05-28 22:02:19,396",
            "thread_id": "8604",
            "caller": "0x7ff6c28f9829",
            "parentcaller": "0x7ff6c28d8f00",
            "category": "windows",
            "api": "PostMessageW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "WindowHandle",
                "value": "0x000203fa"
              },
              {
                "name": "Message",
                "value": "0x000004e1"
              }
            ],
            "repeated": 0,
            "id": 21883
          },
          {
            "timestamp": "2026-05-28 22:02:19,396",
            "thread_id": "1276",
            "caller": "0x7ff6c28d9214",
            "parentcaller": "0x00000000",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "0",
                "pretty_value": "ThreadBasicInformation"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x03\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xd0\\x87\\x9d\\xf0\\x00\\x00\\x00\\xe8\\x1e\\x00\\x00\\x00\\x00\\x00\\x00\\xfc\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\n\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "1276"
              }
            ],
            "repeated": 0,
            "id": 21884
          },
          {
            "timestamp": "2026-05-28 22:02:19,396",
            "thread_id": "1496",
            "caller": "0x7ff6c2958576",
            "parentcaller": "0x7ff6c2957a42",
            "category": "misc",
            "api": "NtQuerySystemInformation",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SystemInformationClass",
                "value": "3",
                "pretty_value": "FILE_OPEN_IF"
              }
            ],
            "repeated": 0,
            "id": 21885
          },
          {
            "timestamp": "2026-05-28 22:02:19,396",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6f98",
            "parentcaller": "0x7ff6c28e0076",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x292557a7000"
              },
              {
                "name": "RegionSize",
                "value": "0x00002000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 21886
          },
          {
            "timestamp": "2026-05-28 22:02:19,396",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6f98",
            "parentcaller": "0x7ff6c28e0076",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x292557a9000"
              },
              {
                "name": "RegionSize",
                "value": "0x00002000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 21887
          },
          {
            "timestamp": "2026-05-28 22:02:19,396",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000000",
                "pretty_value": "HKEY_CLASSES_ROOT"
              },
              {
                "name": "SubKey",
                "value": "CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_CLASSES_ROOT\\CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              }
            ],
            "repeated": 0,
            "id": 21888
          },
          {
            "timestamp": "2026-05-28 22:02:19,396",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "shell32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76730000"
              }
            ],
            "repeated": 0,
            "id": 21889
          },
          {
            "timestamp": "2026-05-28 22:02:19,396",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x7ffc76730000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "shell32.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 21890
          },
          {
            "timestamp": "2026-05-28 22:02:19,396",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "SHELL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc76730000"
              },
              {
                "name": "FunctionName",
                "value": "DllGetClassObject"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc767878f0"
              }
            ],
            "repeated": 0,
            "id": 21891
          },
          {
            "timestamp": "2026-05-28 22:02:19,396",
            "thread_id": "1276",
            "caller": "0x7ff6c28c27c9",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "synchronization",
            "api": "NtFindAtom",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "AtomName",
                "value": "{57086C23-86C6-478F-AFB2-236188C8F47F} 3"
              },
              {
                "name": "Atom",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 21892
          },
          {
            "timestamp": "2026-05-28 22:02:19,396",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000000",
                "pretty_value": "HKEY_CLASSES_ROOT"
              },
              {
                "name": "SubKey",
                "value": "CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_CLASSES_ROOT\\CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              }
            ],
            "repeated": 0,
            "id": 21893
          },
          {
            "timestamp": "2026-05-28 22:02:19,396",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "shell32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76730000"
              }
            ],
            "repeated": 0,
            "id": 21894
          },
          {
            "timestamp": "2026-05-28 22:02:19,396",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x7ffc76730000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "shell32.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 21895
          },
          {
            "timestamp": "2026-05-28 22:02:19,396",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "SHELL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc76730000"
              },
              {
                "name": "FunctionName",
                "value": "DllGetClassObject"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc767878f0"
              }
            ],
            "repeated": 0,
            "id": 21896
          },
          {
            "timestamp": "2026-05-28 22:02:19,396",
            "thread_id": "1276",
            "caller": "0x7ff6c28c27c9",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "synchronization",
            "api": "NtFindAtom",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "AtomName",
                "value": "{57086C23-86C6-478F-AFB2-236188C8F47F} 3"
              },
              {
                "name": "Atom",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 21897
          },
          {
            "timestamp": "2026-05-28 22:02:19,396",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6fb1",
            "parentcaller": "0x7ff6c28e0076",
            "category": "system",
            "api": "NtDelayExecution",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 21898
          },
          {
            "timestamp": "2026-05-28 22:02:19,396",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000000",
                "pretty_value": "HKEY_CLASSES_ROOT"
              },
              {
                "name": "SubKey",
                "value": "CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_CLASSES_ROOT\\CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              }
            ],
            "repeated": 0,
            "id": 21899
          },
          {
            "timestamp": "2026-05-28 22:02:19,396",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "shell32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76730000"
              }
            ],
            "repeated": 0,
            "id": 21900
          },
          {
            "timestamp": "2026-05-28 22:02:19,396",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x7ffc76730000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "shell32.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 21901
          },
          {
            "timestamp": "2026-05-28 22:02:19,396",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "SHELL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc76730000"
              },
              {
                "name": "FunctionName",
                "value": "DllGetClassObject"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc767878f0"
              }
            ],
            "repeated": 0,
            "id": 21902
          },
          {
            "timestamp": "2026-05-28 22:02:19,396",
            "thread_id": "1276",
            "caller": "0x7ff6c28c27c9",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "synchronization",
            "api": "NtFindAtom",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "AtomName",
                "value": "{57086C23-86C6-478F-AFB2-236188C8F47F} 3"
              },
              {
                "name": "Atom",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 21903
          },
          {
            "timestamp": "2026-05-28 22:02:19,396",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000000",
                "pretty_value": "HKEY_CLASSES_ROOT"
              },
              {
                "name": "SubKey",
                "value": "CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_CLASSES_ROOT\\CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              }
            ],
            "repeated": 0,
            "id": 21904
          },
          {
            "timestamp": "2026-05-28 22:02:19,396",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "shell32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76730000"
              }
            ],
            "repeated": 0,
            "id": 21905
          },
          {
            "timestamp": "2026-05-28 22:02:19,396",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x7ffc76730000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "shell32.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 21906
          },
          {
            "timestamp": "2026-05-28 22:02:19,396",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "SHELL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc76730000"
              },
              {
                "name": "FunctionName",
                "value": "DllGetClassObject"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc767878f0"
              }
            ],
            "repeated": 0,
            "id": 21907
          },
          {
            "timestamp": "2026-05-28 22:02:19,396",
            "thread_id": "1276",
            "caller": "0x7ff6c28c27c9",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "synchronization",
            "api": "NtFindAtom",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "AtomName",
                "value": "{57086C23-86C6-478F-AFB2-236188C8F47F} 3"
              },
              {
                "name": "Atom",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 21908
          },
          {
            "timestamp": "2026-05-28 22:02:19,396",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000000",
                "pretty_value": "HKEY_CLASSES_ROOT"
              },
              {
                "name": "SubKey",
                "value": "CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_CLASSES_ROOT\\CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              }
            ],
            "repeated": 0,
            "id": 21909
          },
          {
            "timestamp": "2026-05-28 22:02:19,396",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "shell32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76730000"
              }
            ],
            "repeated": 0,
            "id": 21910
          },
          {
            "timestamp": "2026-05-28 22:02:19,396",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x7ffc76730000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "shell32.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 21911
          },
          {
            "timestamp": "2026-05-28 22:02:19,396",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "SHELL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc76730000"
              },
              {
                "name": "FunctionName",
                "value": "DllGetClassObject"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc767878f0"
              }
            ],
            "repeated": 0,
            "id": 21912
          },
          {
            "timestamp": "2026-05-28 22:02:19,396",
            "thread_id": "1276",
            "caller": "0x7ff6c28c27c9",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "synchronization",
            "api": "NtFindAtom",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "AtomName",
                "value": "{57086C23-86C6-478F-AFB2-236188C8F47F} 3"
              },
              {
                "name": "Atom",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 21913
          },
          {
            "timestamp": "2026-05-28 22:02:19,396",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000000",
                "pretty_value": "HKEY_CLASSES_ROOT"
              },
              {
                "name": "SubKey",
                "value": "CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_CLASSES_ROOT\\CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              }
            ],
            "repeated": 0,
            "id": 21914
          },
          {
            "timestamp": "2026-05-28 22:02:19,396",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "shell32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76730000"
              }
            ],
            "repeated": 0,
            "id": 21915
          },
          {
            "timestamp": "2026-05-28 22:02:19,396",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x7ffc76730000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "shell32.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 21916
          },
          {
            "timestamp": "2026-05-28 22:02:19,396",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "SHELL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc76730000"
              },
              {
                "name": "FunctionName",
                "value": "DllGetClassObject"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc767878f0"
              }
            ],
            "repeated": 0,
            "id": 21917
          },
          {
            "timestamp": "2026-05-28 22:02:19,396",
            "thread_id": "1276",
            "caller": "0x7ff6c28c27c9",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "synchronization",
            "api": "NtFindAtom",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "AtomName",
                "value": "{57086C23-86C6-478F-AFB2-236188C8F47F} 3"
              },
              {
                "name": "Atom",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 21918
          },
          {
            "timestamp": "2026-05-28 22:02:19,396",
            "thread_id": "1276",
            "caller": "0x7ff6c28d9322",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "oleaut32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc77330000"
              }
            ],
            "repeated": 0,
            "id": 21919
          },
          {
            "timestamp": "2026-05-28 22:02:19,396",
            "thread_id": "5448",
            "caller": "0x7ff6c28bb952",
            "parentcaller": "0x7ff6c28be837",
            "category": "windows",
            "api": "PostMessageW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "WindowHandle",
                "value": "0x00010402"
              },
              {
                "name": "Message",
                "value": "0x00000464"
              }
            ],
            "repeated": 0,
            "id": 21920
          },
          {
            "timestamp": "2026-05-28 22:02:19,396",
            "thread_id": "608",
            "caller": "0x7ff6c28d9e90",
            "parentcaller": "0x7ff6c28d9a49",
            "category": "windows",
            "api": "FindWindowW",
            "status": true,
            "return": "0x00010092",
            "arguments": [
              {
                "name": "ClassName",
                "value": "Shell_TrayWnd"
              },
              {
                "name": "WindowName",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 21921
          },
          {
            "timestamp": "2026-05-28 22:02:19,396",
            "thread_id": "1276",
            "caller": "0x7ffc77bf0e98",
            "parentcaller": "0x7ffc77c6b785",
            "category": "windows",
            "api": "PostMessageW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "WindowHandle",
                "value": "0x00010438"
              },
              {
                "name": "Message",
                "value": "0x00000400"
              }
            ],
            "repeated": 0,
            "id": 21922
          },
          {
            "timestamp": "2026-05-28 22:02:19,506",
            "thread_id": "1276",
            "caller": "0x7ffc77bf0e98",
            "parentcaller": "0x7ffc77c6b785",
            "category": "windows",
            "api": "PostMessageW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "WindowHandle",
                "value": "0x00010424"
              },
              {
                "name": "Message",
                "value": "0x00000400"
              }
            ],
            "repeated": 0,
            "id": 21923
          },
          {
            "timestamp": "2026-05-28 22:02:20,396",
            "thread_id": "5448",
            "caller": "0x7ff6c28bd9af",
            "parentcaller": "0x7ff6c28d9f92",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "23"
              },
              {
                "name": "ThreadInformation",
                "value": "V\\x1f\\x04b\\x00\\x00\\x00\\x00h\\xec\\xd8\\xbfR\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "5448"
              }
            ],
            "repeated": 0,
            "id": 21924
          },
          {
            "timestamp": "2026-05-28 22:02:20,396",
            "thread_id": "5448",
            "caller": "0x7ff6c28c63dd",
            "parentcaller": "0x7ff6c28bac26",
            "category": "misc",
            "api": "NtQuerySystemInformation",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SystemInformationClass",
                "value": "5",
                "pretty_value": "FILE_OVERWRITE_IF"
              }
            ],
            "repeated": 0,
            "id": 21925
          },
          {
            "timestamp": "2026-05-28 22:02:20,396",
            "thread_id": "5448",
            "caller": "0x7ff6c28bda50",
            "parentcaller": "0x7ff6c28d9f92",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "23"
              },
              {
                "name": "ThreadInformation",
                "value": "6sLb\\x00\\x00\\x00\\x00\\x84\\xdf$\\xc0R\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "5448"
              }
            ],
            "repeated": 0,
            "id": 21926
          },
          {
            "timestamp": "2026-05-28 22:02:20,396",
            "thread_id": "5448",
            "caller": "0x7ff6c28bdaa2",
            "parentcaller": "0x7ff6c28d9f92",
            "category": "misc",
            "api": "NtQuerySystemInformation",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SystemInformationClass",
                "value": "3",
                "pretty_value": "FILE_OPEN_IF"
              }
            ],
            "repeated": 0,
            "id": 21927
          },
          {
            "timestamp": "2026-05-28 22:02:20,396",
            "thread_id": "5448",
            "caller": "0x7ff6c28c4a58",
            "parentcaller": "0x7ff6c28c4bdc",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000410"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\PcwDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00224013"
              },
              {
                "name": "InputBuffer",
                "value": "\\x14\\x04\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": "\\xb8\\x01\\x00\\x00\\x10\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xa8\\x01\\x00\\x00 \\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x000\\x00\\x00\\x0c\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00`\\x00\\x00\\x00\\x00\\x00\\x00\\x00 \\x00\\x00\\x00\\x04\\x00\\x00\\x000\\x00,\\x000\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x04\\x00\\x08\\x00V!\\x83\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x05\\x00\\x08\\x00\\x02d\\x89\\x01\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x1a\\x00\\x08\\x00\\xb0]\\x96\\xb0\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x1b\\x00\\x04\\x004Yc\\x03\\x00\\x00\\x00\\x00`\\x00\\x00\\x00\\x01\\x00\\x00\\x00 \\x00\\x00\\x00\\x04\\x00\\x00\\x000\\x00,\\x001\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x04\\x00\\x08\\x00\\xec\\x8dR\\x01\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x05\\x00\\x08\\x00\\xd0\\x12\\x13\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x1a\\x00\\x08\\x00$\\x85\\x02\\xb6\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x1b\\x00\\x04\\x00:Yc\\x03\\x00\\x00\\x00\\x00h\\x00\\x00\\x00\\x02\\x00\\x00\\x00(\\x00\\x00\\x00\\x04\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 21928
          },
          {
            "timestamp": "2026-05-28 22:02:20,396",
            "thread_id": "5448",
            "caller": "0x7ff6c28c4a58",
            "parentcaller": "0x7ff6c28c4c19",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000410"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\PcwDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00224013"
              },
              {
                "name": "InputBuffer",
                "value": "\\x18\\x04\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": "x\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00h\\x00\\x00\\x00 \\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00H\\x00\\x00\\x00\\x00\\x00\\x00\\x00(\\x00\\x00\\x00\\x02\\x00\\x00\\x00d\\x00e\\x00f\\x00a\\x00u\\x00l\\x00t\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x08\\x00\\x1b\\xca\\xe7\\xa0\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x01\\x00\\x08\\x00\\x00\\xc0\\x17\\x0c\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 21929
          },
          {
            "timestamp": "2026-05-28 22:02:20,396",
            "thread_id": "5448",
            "caller": "0x7ff6c28c6f7b",
            "parentcaller": "0x7ff6c28bdb94",
            "category": "misc",
            "api": "GlobalMemoryStatusEx",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "MemoryLoad",
                "value": "36"
              },
              {
                "name": "TotalPhysicalMB",
                "value": "8191"
              }
            ],
            "repeated": 0,
            "id": 21930
          },
          {
            "timestamp": "2026-05-28 22:02:20,396",
            "thread_id": "5448",
            "caller": "0x7ff6c28c05ac",
            "parentcaller": "0x7ff6c28bdc11",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000ab0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001400",
                "pretty_value": "PROCESS_QUERY_INFORMATION|PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "748"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\148.0.3967.83\\identity_helper.exe"
              }
            ],
            "repeated": 0,
            "id": 21931
          },
          {
            "timestamp": "2026-05-28 22:02:20,396",
            "thread_id": "5448",
            "caller": "0x7ff6c28c068f",
            "parentcaller": "0x7ff6c28bdc11",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000ab0"
              }
            ],
            "repeated": 0,
            "id": 21932
          },
          {
            "timestamp": "2026-05-28 22:02:20,396",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c6d7d",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000ab0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001400",
                "pretty_value": "PROCESS_QUERY_INFORMATION|PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "748"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\148.0.3967.83\\identity_helper.exe"
              }
            ],
            "repeated": 0,
            "id": 21933
          },
          {
            "timestamp": "2026-05-28 22:02:20,396",
            "thread_id": "5448",
            "caller": "0x7ff6c28c6de3",
            "parentcaller": "0x7ff6c28c087c",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000ab0"
              }
            ],
            "repeated": 0,
            "id": 21934
          },
          {
            "timestamp": "2026-05-28 22:02:20,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28c4a58",
            "parentcaller": "0x7ff6c28bab11",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000410"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\PcwDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00224013"
              },
              {
                "name": "InputBuffer",
                "value": "\\x88\\x08\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": "x\\x02\\x00\\x00\\x10\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00h\\x02\\x00\\x00 \\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01<\\x06\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x90\\x00\\x00\\x00\\x00\\x00\\x00\\x00 \\x00\\x00\\x00\\x07\\x00\\x00\\x000\\x00,\\x000\\x00\\x00\\x00a\\x00n\\x00a\\x00g\\x00\\x10\\x00\\x00\\x00\\x10\\x00\\x04\\x00\\x00\\x00\\x00\\x00A\\x00p\\x00\\x10\\x00\\x00\\x00\\x1a\\x00\\x08\\x00\\xdc\\xde\\x96\\xb0\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x1b\\x00\\x04\\x00\\x7fZc\\x03S\\x00e\\x00\\x10\\x00\\x00\\x00\\x1c\\x00\\x08\\x00\\x8b\\xc2\\xc4\\x08\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x1d\\x00\\x04\\x00\\x7fZc\\x03)\\x00\\x00\\x00\\x10\\x00\\x00\\x00!\\x00\\x08\\x00\\xaa?\\x15m\\x19\\x00\\x00\\x00\\x10\\x00\\x00\\x00\"\\x00\\x04\\x00\\x97\\x11\\xc4\\x01o\\x00f\\x00\\x90\\x00\\x00\\x00\\x01\\x00\\x00\\x00 \\x00\\x00\\x00\\x07\\x00\\x00\\x000\\x00,\\x001\\x00\\x00\\x00n\\x00t\\x00\\x00\\x00A\\x00\\x10\\x00\\x00\\x00\\x10\\x00\\x04\\x00\\x00\\x00\\x00\\x00e\\x00n\\x00\\x10\\x00\\x00\\x00\\x1a\\x00\\x08\\x00\\x8f\\x05\\x03\\xb6\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 21935
          },
          {
            "timestamp": "2026-05-28 22:02:20,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28c7164",
            "parentcaller": "0x7ff6c28c4d2d",
            "category": "misc",
            "api": "NtQuerySystemInformation",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "SystemInformationClass",
                "value": "79"
              }
            ],
            "repeated": 0,
            "id": 21936
          },
          {
            "timestamp": "2026-05-28 22:02:20,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28c71d8",
            "parentcaller": "0x7ff6c28c4d2d",
            "category": "misc",
            "api": "NtQuerySystemInformation",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SystemInformationClass",
                "value": "79"
              }
            ],
            "repeated": 0,
            "id": 21937
          },
          {
            "timestamp": "2026-05-28 22:02:20,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28c4d5f",
            "parentcaller": "0x7ff6c28d9152",
            "category": "misc",
            "api": "NtQuerySystemInformation",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SystemInformationClass",
                "value": "182"
              }
            ],
            "repeated": 0,
            "id": 21938
          },
          {
            "timestamp": "2026-05-28 22:02:20,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28c4d76",
            "parentcaller": "0x7ff6c28d9152",
            "category": "misc",
            "api": "GetPhysicallyInstalledSystemMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TotalMemoryInKilobytes",
                "value": "8388608"
              }
            ],
            "repeated": 0,
            "id": 21939
          },
          {
            "timestamp": "2026-05-28 22:02:20,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28bcc3e",
            "parentcaller": "0x7ff6c28baa3d",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000008a4"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\Nsi"
              },
              {
                "name": "IoControlCode",
                "value": "0x00120007"
              },
              {
                "name": "InputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb1\\xa9t\\xfc\\x7f\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xc0\\xe5O\\x9e\\xf0\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb1\\xa9t\\xfc\\x7f\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xc0\\xe5O\\x9e\\xf0\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 21940
          },
          {
            "timestamp": "2026-05-28 22:02:20,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28bcc3e",
            "parentcaller": "0x7ff6c28baa3d",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000ab0"
              }
            ],
            "repeated": 0,
            "id": 21941
          },
          {
            "timestamp": "2026-05-28 22:02:20,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28bcc3e",
            "parentcaller": "0x7ff6c28baa3d",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000008a4"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\Nsi"
              },
              {
                "name": "IoControlCode",
                "value": "0x0012000f"
              },
              {
                "name": "InputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb1\\xa9t\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xd0\\xe5O\\x9e\\xf0\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\xeeO\\x9e\\xf0\\x00\\x00\\x00D\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xe6O\\x9e\\xf0\\x00\\x00\\x00\\xd8\\x00\\x00\\x00\\x00\\x00\\x00\\x00 \\xe9O\\x9e\\xf0\\x00\\x00\\x00X\\x02\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb1\\xa9t\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xd0\\xe5O\\x9e\\xf0\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\xeeO\\x9e\\xf0\\x00\\x00\\x00D\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xe6O\\x9e\\xf0\\x00\\x00\\x00\\xd8\\x00\\x00\\x00\\x00\\x00\\x00\\x00 \\xe9O\\x9e\\xf0\\x00\\x00\\x00X\\x02\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 21942
          },
          {
            "timestamp": "2026-05-28 22:02:20,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28bcc3e",
            "parentcaller": "0x7ff6c28baa3d",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000ab0"
              }
            ],
            "repeated": 0,
            "id": 21943
          },
          {
            "timestamp": "2026-05-28 22:02:20,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28bcd3d",
            "parentcaller": "0x7ff6c28baa3d",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000ab0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0012019f",
                "pretty_value": "FILE_GENERIC_READ|FILE_GENERIC_WRITE"
              },
              {
                "name": "FileName",
                "value": "\\Device\\{4C572733-2FBA-4346-9601-F86DBA666EF2}"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 21944
          },
          {
            "timestamp": "2026-05-28 22:02:20,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28bcd94",
            "parentcaller": "0x7ff6c28baa3d",
            "category": "device",
            "api": "DeviceIoControl",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "DeviceHandle",
                "value": "0x00000ab0"
              },
              {
                "name": "IoControlCode",
                "value": "0x0017003e"
              },
              {
                "name": "InBuffer",
                "value": "\\x07\\x01\\x01\\x00\\x04\\x01\\x01\\x80\\x14\\x01\\x01\\x80\\x01\\x01\\x02\\x00\\x02\\x01\\x02\\x00\\x03\\x01\\x02\\x00\\x04\\x01\\x02\\x00\\x08\\x02\\x02\\x80\\x01\\x02\\x02\\x80\\x07\\x02\\x02\\x80\\xff\\xff\\xff\\x80\\x13\\x02\\x02\\x80\\x14\\x02\\x02\\x80\\x15\\x02\\x02\\x80\\x02\\x02\\x01\\x80"
              },
              {
                "name": "OutBuffer",
                "value": "\\x07\\x01\\x01\\x00\\x04\\x00\\x00\\x00\\x80\\x96\\x98\\x00\\x04\\x01\\x01\\x80\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x14\\x01\\x01\\x80\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x01\\x02\\x00\\x08\\x00\\x00\\x00}\\x15\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x01\\x02\\x00\\x08\\x00\\x00\\x00\\x90n\\x00\\x00\\x00\\x00\\x00\\x00\\x03\\x01\\x02\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x04\\x01\\x02\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x08\\x02\\x02\\x80\\x08\\x00\\x00\\x00\\x8bn\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x02\\x02\\x80\\x08\\x00\\x00\\x00X\\xe9T\\x00\\x00\\x00\\x00\\x00\\x07\\x02\\x02\\x80\\x08\\x00\\x00\\x00\\x1c\\x984\\x02\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\x80\\x04\\x00\\x00\\x00V\\x00\\x00\\x00\\x13\\x02\\x02\\x80\\x04\\x00\\x00\\x00m\\x00\\x00\\x00\\x14\\x02\\x02\\x80\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x15\\x02\\x02\\x80\\x04\\x00\\x00\\x00\\x00\\x00\\x04\\x00\\x02\\x02\\x01\\x80\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 21945
          },
          {
            "timestamp": "2026-05-28 22:02:20,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28bcdab",
            "parentcaller": "0x7ff6c28baa3d",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000ab0"
              }
            ],
            "repeated": 0,
            "id": 21946
          },
          {
            "timestamp": "2026-05-28 22:02:20,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28c1a63",
            "parentcaller": "0x7ff6c28d9152",
            "category": "device",
            "api": "DeviceIoControl",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "DeviceHandle",
                "value": "0x0000089c"
              },
              {
                "name": "IoControlCode",
                "value": "0x00070020"
              },
              {
                "name": "InBuffer",
                "value": ""
              },
              {
                "name": "OutBuffer",
                "value": "\\x00\\x00\\x02v\\x00\\x00\\x00\\x00\\x00\\xba9\n\\x00\\x00\\x00\\x00\\xd2e\\x81 \\x00\\x00\\x00\\x00\\x91}u\\x14\\x00\\x00\\x00\\x00\\xbb\\xaf\\x02#\\x00\\x00\\x00\\x00Iv\\x00\\x00\\x99\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\xcd\\x04\\x00\\x00tR\\xcb\\xa7\\xed\\xee\\xdc\\x01\\x00\\x00\\x00\\x00P\\x00a\\x00r\\x00t\\x00m\\x00g\\x00r\\x00 \\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 21947
          },
          {
            "timestamp": "2026-05-28 22:02:20,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28ca352",
            "parentcaller": "0x7ff6c28ca1d6",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 21948
          },
          {
            "timestamp": "2026-05-28 22:02:20,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28ca352",
            "parentcaller": "0x7ff6c28ca1d6",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "0",
                "pretty_value": "ThreadBasicInformation"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x03\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb0\\x88\\x9d\\xf0\\x00\\x00\\x00\\xe8\\x1e\\x00\\x00\\x00\\x00\\x00\\x00\\x9c!\\x00\\x00\\x00\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x0b\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "8604"
              }
            ],
            "repeated": 0,
            "id": 21949
          },
          {
            "timestamp": "2026-05-28 22:02:20,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28ca352",
            "parentcaller": "0x7ff6c28ca1d6",
            "category": "system",
            "api": "GetSystemTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 1,
            "id": 21950
          },
          {
            "timestamp": "2026-05-28 22:02:20,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28ca352",
            "parentcaller": "0x7ff6c28ca1d6",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000410"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\PcwDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00224013"
              },
              {
                "name": "InputBuffer",
                "value": "\\x00\t\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": "\\xe0G\\x00\\x00\\x10\\x00\\x00\\x00\\x0c\\x00\\x00\\x00\\x00\\x00\\x00\\x00`\\x14\\x00\\x00 \\x00\\x00\\x00!\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\n\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x98\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x88\\x00\\x00\\x00\\x01\\x00\\x00\\x00p\\x00i\\x00d\\x00_\\x004\\x00_\\x00l\\x00u\\x00i\\x00d\\x00_\\x000\\x00x\\x000\\x000\\x000\\x000\\x000\\x000\\x000\\x000\\x00_\\x000\\x00x\\x000\\x000\\x000\\x000\\x006\\x001\\x006\\x00A\\x00_\\x00p\\x00h\\x00y\\x00s\\x00_\\x000\\x00_\\x00e\\x00n\\x00g\\x00_\\x000\\x00_\\x00e\\x00n\\x00g\\x00t\\x00y\\x00p\\x00e\\x00_\\x003\\x00D\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x01\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x98\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x88\\x00\\x00\\x00\\x01\\x00\\x00\\x00p\\x00i\\x00d\\x00_\\x004\\x00_\\x00l\\x00u\\x00i\\x00d\\x00_\\x000\\x00x\\x000\\x000\\x000\\x000\\x000\\x000\\x000\\x00"
              }
            ],
            "repeated": 0,
            "id": 21951
          },
          {
            "timestamp": "2026-05-28 22:02:20,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28f9829",
            "parentcaller": "0x7ff6c28d8f00",
            "category": "windows",
            "api": "PostMessageW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "WindowHandle",
                "value": "0x000203fa"
              },
              {
                "name": "Message",
                "value": "0x000004e1"
              }
            ],
            "repeated": 0,
            "id": 21952
          },
          {
            "timestamp": "2026-05-28 22:02:20,412",
            "thread_id": "1496",
            "caller": "0x7ff6c2958576",
            "parentcaller": "0x7ff6c2957a42",
            "category": "misc",
            "api": "NtQuerySystemInformation",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SystemInformationClass",
                "value": "3",
                "pretty_value": "FILE_OPEN_IF"
              }
            ],
            "repeated": 0,
            "id": 21953
          },
          {
            "timestamp": "2026-05-28 22:02:20,412",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6f98",
            "parentcaller": "0x7ff6c28e0076",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x292557ab000"
              },
              {
                "name": "RegionSize",
                "value": "0x00009000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 21954
          },
          {
            "timestamp": "2026-05-28 22:02:20,412",
            "thread_id": "1276",
            "caller": "0x7ff6c28d9214",
            "parentcaller": "0x00000000",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "0",
                "pretty_value": "ThreadBasicInformation"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x03\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xd0\\x87\\x9d\\xf0\\x00\\x00\\x00\\xe8\\x1e\\x00\\x00\\x00\\x00\\x00\\x00\\xfc\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\n\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "1276"
              }
            ],
            "repeated": 0,
            "id": 21955
          },
          {
            "timestamp": "2026-05-28 22:02:20,412",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000000",
                "pretty_value": "HKEY_CLASSES_ROOT"
              },
              {
                "name": "SubKey",
                "value": "CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_CLASSES_ROOT\\CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              }
            ],
            "repeated": 0,
            "id": 21956
          },
          {
            "timestamp": "2026-05-28 22:02:20,412",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "shell32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76730000"
              }
            ],
            "repeated": 0,
            "id": 21957
          },
          {
            "timestamp": "2026-05-28 22:02:20,412",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x7ffc76730000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "shell32.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 21958
          },
          {
            "timestamp": "2026-05-28 22:02:20,412",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "SHELL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc76730000"
              },
              {
                "name": "FunctionName",
                "value": "DllGetClassObject"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc767878f0"
              }
            ],
            "repeated": 0,
            "id": 21959
          },
          {
            "timestamp": "2026-05-28 22:02:20,412",
            "thread_id": "1276",
            "caller": "0x7ff6c28c27c9",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "synchronization",
            "api": "NtFindAtom",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "AtomName",
                "value": "{57086C23-86C6-478F-AFB2-236188C8F47F} 3"
              },
              {
                "name": "Atom",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 21960
          },
          {
            "timestamp": "2026-05-28 22:02:20,412",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000000",
                "pretty_value": "HKEY_CLASSES_ROOT"
              },
              {
                "name": "SubKey",
                "value": "CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_CLASSES_ROOT\\CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              }
            ],
            "repeated": 0,
            "id": 21961
          },
          {
            "timestamp": "2026-05-28 22:02:20,412",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "shell32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76730000"
              }
            ],
            "repeated": 0,
            "id": 21962
          },
          {
            "timestamp": "2026-05-28 22:02:20,412",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x7ffc76730000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "shell32.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 21963
          },
          {
            "timestamp": "2026-05-28 22:02:20,412",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "SHELL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc76730000"
              },
              {
                "name": "FunctionName",
                "value": "DllGetClassObject"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc767878f0"
              }
            ],
            "repeated": 0,
            "id": 21964
          },
          {
            "timestamp": "2026-05-28 22:02:20,412",
            "thread_id": "1276",
            "caller": "0x7ff6c28c27c9",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "synchronization",
            "api": "NtFindAtom",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "AtomName",
                "value": "{57086C23-86C6-478F-AFB2-236188C8F47F} 3"
              },
              {
                "name": "Atom",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 21965
          },
          {
            "timestamp": "2026-05-28 22:02:20,412",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6fb1",
            "parentcaller": "0x7ff6c28e0076",
            "category": "system",
            "api": "NtDelayExecution",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 21966
          },
          {
            "timestamp": "2026-05-28 22:02:20,412",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000000",
                "pretty_value": "HKEY_CLASSES_ROOT"
              },
              {
                "name": "SubKey",
                "value": "CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_CLASSES_ROOT\\CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              }
            ],
            "repeated": 0,
            "id": 21967
          },
          {
            "timestamp": "2026-05-28 22:02:20,412",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "shell32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76730000"
              }
            ],
            "repeated": 0,
            "id": 21968
          },
          {
            "timestamp": "2026-05-28 22:02:20,412",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x7ffc76730000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "shell32.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 21969
          },
          {
            "timestamp": "2026-05-28 22:02:20,412",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "SHELL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc76730000"
              },
              {
                "name": "FunctionName",
                "value": "DllGetClassObject"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc767878f0"
              }
            ],
            "repeated": 0,
            "id": 21970
          },
          {
            "timestamp": "2026-05-28 22:02:20,412",
            "thread_id": "1276",
            "caller": "0x7ff6c28c27c9",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "synchronization",
            "api": "NtFindAtom",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "AtomName",
                "value": "{57086C23-86C6-478F-AFB2-236188C8F47F} 3"
              },
              {
                "name": "Atom",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 21971
          },
          {
            "timestamp": "2026-05-28 22:02:20,412",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000000",
                "pretty_value": "HKEY_CLASSES_ROOT"
              },
              {
                "name": "SubKey",
                "value": "CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_CLASSES_ROOT\\CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              }
            ],
            "repeated": 0,
            "id": 21972
          },
          {
            "timestamp": "2026-05-28 22:02:20,412",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "shell32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76730000"
              }
            ],
            "repeated": 0,
            "id": 21973
          },
          {
            "timestamp": "2026-05-28 22:02:20,412",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x7ffc76730000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "shell32.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 21974
          },
          {
            "timestamp": "2026-05-28 22:02:20,412",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "SHELL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc76730000"
              },
              {
                "name": "FunctionName",
                "value": "DllGetClassObject"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc767878f0"
              }
            ],
            "repeated": 0,
            "id": 21975
          },
          {
            "timestamp": "2026-05-28 22:02:20,412",
            "thread_id": "1276",
            "caller": "0x7ff6c28c27c9",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "synchronization",
            "api": "NtFindAtom",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "AtomName",
                "value": "{57086C23-86C6-478F-AFB2-236188C8F47F} 3"
              },
              {
                "name": "Atom",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 21976
          },
          {
            "timestamp": "2026-05-28 22:02:20,412",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000000",
                "pretty_value": "HKEY_CLASSES_ROOT"
              },
              {
                "name": "SubKey",
                "value": "CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_CLASSES_ROOT\\CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              }
            ],
            "repeated": 0,
            "id": 21977
          },
          {
            "timestamp": "2026-05-28 22:02:20,412",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "shell32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76730000"
              }
            ],
            "repeated": 0,
            "id": 21978
          },
          {
            "timestamp": "2026-05-28 22:02:20,412",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x7ffc76730000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "shell32.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 21979
          },
          {
            "timestamp": "2026-05-28 22:02:20,412",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "SHELL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc76730000"
              },
              {
                "name": "FunctionName",
                "value": "DllGetClassObject"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc767878f0"
              }
            ],
            "repeated": 0,
            "id": 21980
          },
          {
            "timestamp": "2026-05-28 22:02:20,412",
            "thread_id": "1276",
            "caller": "0x7ff6c28c27c9",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "synchronization",
            "api": "NtFindAtom",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "AtomName",
                "value": "{57086C23-86C6-478F-AFB2-236188C8F47F} 3"
              },
              {
                "name": "Atom",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 21981
          },
          {
            "timestamp": "2026-05-28 22:02:20,412",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000000",
                "pretty_value": "HKEY_CLASSES_ROOT"
              },
              {
                "name": "SubKey",
                "value": "CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_CLASSES_ROOT\\CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              }
            ],
            "repeated": 0,
            "id": 21982
          },
          {
            "timestamp": "2026-05-28 22:02:20,412",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "shell32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76730000"
              }
            ],
            "repeated": 0,
            "id": 21983
          },
          {
            "timestamp": "2026-05-28 22:02:20,412",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x7ffc76730000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "shell32.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 21984
          },
          {
            "timestamp": "2026-05-28 22:02:20,412",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "SHELL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc76730000"
              },
              {
                "name": "FunctionName",
                "value": "DllGetClassObject"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc767878f0"
              }
            ],
            "repeated": 0,
            "id": 21985
          },
          {
            "timestamp": "2026-05-28 22:02:20,412",
            "thread_id": "1276",
            "caller": "0x7ff6c28c27c9",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "synchronization",
            "api": "NtFindAtom",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "AtomName",
                "value": "{57086C23-86C6-478F-AFB2-236188C8F47F} 3"
              },
              {
                "name": "Atom",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 21986
          },
          {
            "timestamp": "2026-05-28 22:02:20,412",
            "thread_id": "1276",
            "caller": "0x7ff6c28d9322",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "oleaut32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc77330000"
              }
            ],
            "repeated": 0,
            "id": 21987
          },
          {
            "timestamp": "2026-05-28 22:02:20,412",
            "thread_id": "5448",
            "caller": "0x7ff6c28bb952",
            "parentcaller": "0x7ff6c28be837",
            "category": "windows",
            "api": "PostMessageW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "WindowHandle",
                "value": "0x00010402"
              },
              {
                "name": "Message",
                "value": "0x00000464"
              }
            ],
            "repeated": 0,
            "id": 21988
          },
          {
            "timestamp": "2026-05-28 22:02:20,412",
            "thread_id": "608",
            "caller": "0x7ff6c28d9e90",
            "parentcaller": "0x7ff6c28d9a49",
            "category": "windows",
            "api": "FindWindowW",
            "status": true,
            "return": "0x00010092",
            "arguments": [
              {
                "name": "ClassName",
                "value": "Shell_TrayWnd"
              },
              {
                "name": "WindowName",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 21989
          },
          {
            "timestamp": "2026-05-28 22:02:20,412",
            "thread_id": "2700",
            "caller": "0x7ffc77bf0e98",
            "parentcaller": "0x7ffc77c6b785",
            "category": "windows",
            "api": "PostMessageW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "WindowHandle",
                "value": "0x00010438"
              },
              {
                "name": "Message",
                "value": "0x00000400"
              }
            ],
            "repeated": 0,
            "id": 21990
          },
          {
            "timestamp": "2026-05-28 22:02:20,725",
            "thread_id": "1276",
            "caller": "0x7ffc77bf0e98",
            "parentcaller": "0x7ffc77c6b785",
            "category": "windows",
            "api": "PostMessageW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "WindowHandle",
                "value": "0x00010424"
              },
              {
                "name": "Message",
                "value": "0x00000400"
              }
            ],
            "repeated": 0,
            "id": 21991
          },
          {
            "timestamp": "2026-05-28 22:02:21,412",
            "thread_id": "5448",
            "caller": "0x7ff6c28bd9af",
            "parentcaller": "0x7ff6c28d9f92",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "23"
              },
              {
                "name": "ThreadInformation",
                "value": "N\\xb0tb\\x00\\x00\\x00\\x00\\xfe\\xf2\\xa1\\x9dS\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "5448"
              }
            ],
            "repeated": 0,
            "id": 21992
          },
          {
            "timestamp": "2026-05-28 22:02:21,412",
            "thread_id": "5448",
            "caller": "0x7ff6c28c63dd",
            "parentcaller": "0x7ff6c28bac26",
            "category": "misc",
            "api": "NtQuerySystemInformation",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SystemInformationClass",
                "value": "5",
                "pretty_value": "FILE_OVERWRITE_IF"
              }
            ],
            "repeated": 0,
            "id": 21993
          },
          {
            "timestamp": "2026-05-28 22:02:21,412",
            "thread_id": "5448",
            "caller": "0x7ff6c28bda50",
            "parentcaller": "0x7ff6c28d9f92",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "23"
              },
              {
                "name": "ThreadInformation",
                "value": "\\xb6l\\xbfb\\x00\\x00\\x00\\x00hx\\xf0\\x9dS\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "5448"
              }
            ],
            "repeated": 0,
            "id": 21994
          },
          {
            "timestamp": "2026-05-28 22:02:21,412",
            "thread_id": "5448",
            "caller": "0x7ff6c28bdaa2",
            "parentcaller": "0x7ff6c28d9f92",
            "category": "misc",
            "api": "NtQuerySystemInformation",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SystemInformationClass",
                "value": "3",
                "pretty_value": "FILE_OPEN_IF"
              }
            ],
            "repeated": 0,
            "id": 21995
          },
          {
            "timestamp": "2026-05-28 22:02:21,412",
            "thread_id": "5448",
            "caller": "0x7ff6c28c4a58",
            "parentcaller": "0x7ff6c28c4bdc",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000410"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\PcwDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00224013"
              },
              {
                "name": "InputBuffer",
                "value": "\\x14\\x04\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": "\\xb8\\x01\\x00\\x00\\x10\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xa8\\x01\\x00\\x00 \\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x000\\x00\\x00\\x0c\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00`\\x00\\x00\\x00\\x00\\x00\\x00\\x00 \\x00\\x00\\x00\\x04\\x00\\x00\\x000\\x00,\\x000\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x04\\x00\\x08\\x00V!\\x83\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x05\\x00\\x08\\x00\\\\xc6\\x8b\\x01\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x1a\\x00\\x08\\x00\\x0c\tY\\xb4\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x1b\\x00\\x04\\x00\\xa3\\xf9l\\x03\\x00\\x00\\x00\\x00`\\x00\\x00\\x00\\x01\\x00\\x00\\x00 \\x00\\x00\\x00\\x04\\x00\\x00\\x000\\x00,\\x001\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x04\\x00\\x08\\x00\\xec\\x8dR\\x01\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x05\\x00\\x08\\x00\\x84\\xd7\\x17\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x1a\\x00\\x08\\x00\\x870\\xc5\\xb9\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x1b\\x00\\x04\\x00\\xa9\\xf9l\\x03\\x00\\x00\\x00\\x00h\\x00\\x00\\x00\\x02\\x00\\x00\\x00(\\x00\\x00\\x00\\x04\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 21996
          },
          {
            "timestamp": "2026-05-28 22:02:21,412",
            "thread_id": "5448",
            "caller": "0x7ff6c28c4a58",
            "parentcaller": "0x7ff6c28c4c19",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000410"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\PcwDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00224013"
              },
              {
                "name": "InputBuffer",
                "value": "\\x18\\x04\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": "x\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00h\\x00\\x00\\x00 \\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00H\\x00\\x00\\x00\\x00\\x00\\x00\\x00(\\x00\\x00\\x00\\x02\\x00\\x00\\x00d\\x00e\\x00f\\x00a\\x00u\\x00l\\x00t\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x08\\x00\\x1b\\xca\\xe7\\xa0\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x01\\x00\\x08\\x00\\x00\\xe0(\\x0c\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 21997
          },
          {
            "timestamp": "2026-05-28 22:02:21,412",
            "thread_id": "5448",
            "caller": "0x7ff6c28c6f7b",
            "parentcaller": "0x7ff6c28bdb94",
            "category": "misc",
            "api": "GlobalMemoryStatusEx",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "MemoryLoad",
                "value": "36"
              },
              {
                "name": "TotalPhysicalMB",
                "value": "8191"
              }
            ],
            "repeated": 0,
            "id": 21998
          },
          {
            "timestamp": "2026-05-28 22:02:21,412",
            "thread_id": "5448",
            "caller": "0x7ff6c28c05ac",
            "parentcaller": "0x7ff6c28bdc11",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000ab0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001400",
                "pretty_value": "PROCESS_QUERY_INFORMATION|PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "748"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\148.0.3967.83\\identity_helper.exe"
              }
            ],
            "repeated": 0,
            "id": 21999
          },
          {
            "timestamp": "2026-05-28 22:02:21,412",
            "thread_id": "5448",
            "caller": "0x7ff6c28c068f",
            "parentcaller": "0x7ff6c28bdc11",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000ab0"
              }
            ],
            "repeated": 0,
            "id": 22000
          },
          {
            "timestamp": "2026-05-28 22:02:21,412",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c6d7d",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000ab0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001400",
                "pretty_value": "PROCESS_QUERY_INFORMATION|PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "748"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\148.0.3967.83\\identity_helper.exe"
              }
            ],
            "repeated": 0,
            "id": 22001
          },
          {
            "timestamp": "2026-05-28 22:02:21,412",
            "thread_id": "5448",
            "caller": "0x7ff6c28c6de3",
            "parentcaller": "0x7ff6c28c087c",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000ab0"
              }
            ],
            "repeated": 0,
            "id": 22002
          },
          {
            "timestamp": "2026-05-28 22:02:21,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28c4a58",
            "parentcaller": "0x7ff6c28bab11",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000410"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\PcwDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00224013"
              },
              {
                "name": "InputBuffer",
                "value": "\\x88\\x08\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": "x\\x02\\x00\\x00\\x10\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00h\\x02\\x00\\x00 \\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01<\\x06\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x90\\x00\\x00\\x00\\x00\\x00\\x00\\x00 \\x00\\x00\\x00\\x07\\x00\\x00\\x000\\x00,\\x000\\x00\\x00\\x00a\\x00n\\x00a\\x00g\\x00\\x10\\x00\\x00\\x00\\x10\\x00\\x04\\x00\\x00\\x00\\x00\\x00A\\x00p\\x00\\x10\\x00\\x00\\x00\\x1a\\x00\\x08\\x00\\x02\\x9fW\\xb4\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x1b\\x00\\x04\\x00\\x04\\xf6l\\x03S\\x00e\\x00\\x10\\x00\\x00\\x00\\x1c\\x00\\x08\\x00\\x8b\\xc2\\xc4\\x08\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x1d\\x00\\x04\\x00\\x04\\xf6l\\x03)\\x00\\x00\\x00\\x10\\x00\\x00\\x00!\\x00\\x08\\x00\\xdb\\x83j\\xf7\\x19\\x00\\x00\\x00\\x10\\x00\\x00\\x00\"\\x00\\x04\\x00\\x1c\\xad\\xcd\\x01o\\x00f\\x00\\x90\\x00\\x00\\x00\\x01\\x00\\x00\\x00 \\x00\\x00\\x00\\x07\\x00\\x00\\x000\\x00,\\x001\\x00\\x00\\x00n\\x00t\\x00\\x00\\x00A\\x00\\x10\\x00\\x00\\x00\\x10\\x00\\x04\\x00\\x00\\x00\\x00\\x00e\\x00n\\x00\\x10\\x00\\x00\\x00\\x1a\\x00\\x08\\x00\\xf8\\x98\\xc5\\xb9\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 22003
          },
          {
            "timestamp": "2026-05-28 22:02:21,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28c7164",
            "parentcaller": "0x7ff6c28c4d2d",
            "category": "misc",
            "api": "NtQuerySystemInformation",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "SystemInformationClass",
                "value": "79"
              }
            ],
            "repeated": 0,
            "id": 22004
          },
          {
            "timestamp": "2026-05-28 22:02:21,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28c71d8",
            "parentcaller": "0x7ff6c28c4d2d",
            "category": "misc",
            "api": "NtQuerySystemInformation",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SystemInformationClass",
                "value": "79"
              }
            ],
            "repeated": 0,
            "id": 22005
          },
          {
            "timestamp": "2026-05-28 22:02:21,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28c4d5f",
            "parentcaller": "0x7ff6c28d9152",
            "category": "misc",
            "api": "NtQuerySystemInformation",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SystemInformationClass",
                "value": "182"
              }
            ],
            "repeated": 0,
            "id": 22006
          },
          {
            "timestamp": "2026-05-28 22:02:21,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28c4d76",
            "parentcaller": "0x7ff6c28d9152",
            "category": "misc",
            "api": "GetPhysicallyInstalledSystemMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TotalMemoryInKilobytes",
                "value": "8388608"
              }
            ],
            "repeated": 0,
            "id": 22007
          },
          {
            "timestamp": "2026-05-28 22:02:21,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28bcc3e",
            "parentcaller": "0x7ff6c28baa3d",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000008a4"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\Nsi"
              },
              {
                "name": "IoControlCode",
                "value": "0x00120007"
              },
              {
                "name": "InputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb1\\xa9t\\xfc\\x7f\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xc0\\xe5O\\x9e\\xf0\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb1\\xa9t\\xfc\\x7f\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xc0\\xe5O\\x9e\\xf0\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 22008
          },
          {
            "timestamp": "2026-05-28 22:02:21,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28bcc3e",
            "parentcaller": "0x7ff6c28baa3d",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000ab0"
              }
            ],
            "repeated": 0,
            "id": 22009
          },
          {
            "timestamp": "2026-05-28 22:02:21,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28bcc3e",
            "parentcaller": "0x7ff6c28baa3d",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000008a4"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\Nsi"
              },
              {
                "name": "IoControlCode",
                "value": "0x0012000f"
              },
              {
                "name": "InputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb1\\xa9t\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xd0\\xe5O\\x9e\\xf0\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\xeeO\\x9e\\xf0\\x00\\x00\\x00D\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xe6O\\x9e\\xf0\\x00\\x00\\x00\\xd8\\x00\\x00\\x00\\x00\\x00\\x00\\x00 \\xe9O\\x9e\\xf0\\x00\\x00\\x00X\\x02\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb1\\xa9t\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xd0\\xe5O\\x9e\\xf0\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\xeeO\\x9e\\xf0\\x00\\x00\\x00D\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xe6O\\x9e\\xf0\\x00\\x00\\x00\\xd8\\x00\\x00\\x00\\x00\\x00\\x00\\x00 \\xe9O\\x9e\\xf0\\x00\\x00\\x00X\\x02\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 22010
          },
          {
            "timestamp": "2026-05-28 22:02:21,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28bcc3e",
            "parentcaller": "0x7ff6c28baa3d",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000ab0"
              }
            ],
            "repeated": 0,
            "id": 22011
          },
          {
            "timestamp": "2026-05-28 22:02:21,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28bcd3d",
            "parentcaller": "0x7ff6c28baa3d",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000ab0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0012019f",
                "pretty_value": "FILE_GENERIC_READ|FILE_GENERIC_WRITE"
              },
              {
                "name": "FileName",
                "value": "\\Device\\{4C572733-2FBA-4346-9601-F86DBA666EF2}"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 22012
          },
          {
            "timestamp": "2026-05-28 22:02:21,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28bcd94",
            "parentcaller": "0x7ff6c28baa3d",
            "category": "device",
            "api": "DeviceIoControl",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "DeviceHandle",
                "value": "0x00000ab0"
              },
              {
                "name": "IoControlCode",
                "value": "0x0017003e"
              },
              {
                "name": "InBuffer",
                "value": "\\x07\\x01\\x01\\x00\\x04\\x01\\x01\\x80\\x14\\x01\\x01\\x80\\x01\\x01\\x02\\x00\\x02\\x01\\x02\\x00\\x03\\x01\\x02\\x00\\x04\\x01\\x02\\x00\\x08\\x02\\x02\\x80\\x01\\x02\\x02\\x80\\x07\\x02\\x02\\x80\\xff\\xff\\xff\\x80\\x13\\x02\\x02\\x80\\x14\\x02\\x02\\x80\\x15\\x02\\x02\\x80\\x02\\x02\\x01\\x80"
              },
              {
                "name": "OutBuffer",
                "value": "\\x07\\x01\\x01\\x00\\x04\\x00\\x00\\x00\\x80\\x96\\x98\\x00\\x04\\x01\\x01\\x80\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x14\\x01\\x01\\x80\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x01\\x02\\x00\\x08\\x00\\x00\\x00\\x7f\\x15\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x01\\x02\\x00\\x08\\x00\\x00\\x00\\x93n\\x00\\x00\\x00\\x00\\x00\\x00\\x03\\x01\\x02\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x04\\x01\\x02\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x08\\x02\\x02\\x80\\x08\\x00\\x00\\x00\\x8en\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x02\\x02\\x80\\x08\\x00\\x00\\x00\\xd0\\xe9T\\x00\\x00\\x00\\x00\\x00\\x07\\x02\\x02\\x80\\x08\\x00\\x00\\x00s\\x994\\x02\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\x80\\x04\\x00\\x00\\x00W\\x00\\x00\\x00\\x13\\x02\\x02\\x80\\x04\\x00\\x00\\x00m\\x00\\x00\\x00\\x14\\x02\\x02\\x80\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x15\\x02\\x02\\x80\\x04\\x00\\x00\\x00\\x00\\x00\\x04\\x00\\x02\\x02\\x01\\x80\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 22013
          },
          {
            "timestamp": "2026-05-28 22:02:21,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28bcdab",
            "parentcaller": "0x7ff6c28baa3d",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000ab0"
              }
            ],
            "repeated": 0,
            "id": 22014
          },
          {
            "timestamp": "2026-05-28 22:02:21,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28c1a63",
            "parentcaller": "0x7ff6c28d9152",
            "category": "device",
            "api": "DeviceIoControl",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "DeviceHandle",
                "value": "0x0000089c"
              },
              {
                "name": "IoControlCode",
                "value": "0x00070020"
              },
              {
                "name": "InBuffer",
                "value": ""
              },
              {
                "name": "OutBuffer",
                "value": "\\x00\\x00\\x02v\\x00\\x00\\x00\\x00\\x00\\xdaJ\n\\x00\\x00\\x00\\x00\\xd2e\\x81 \\x00\\x00\\x00\\x00RK}\\x14\\x00\\x00\\x00\\x00\\xa2-\\x94#\\x00\\x00\\x00\\x00Iv\\x00\\x00\\x9d\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\xcd\\x04\\x00\\x00a{e\\xa8\\xed\\xee\\xdc\\x01\\x00\\x00\\x00\\x00P\\x00a\\x00r\\x00t\\x00m\\x00g\\x00r\\x00 \\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 22015
          },
          {
            "timestamp": "2026-05-28 22:02:21,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28ca352",
            "parentcaller": "0x7ff6c28ca1d6",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 22016
          },
          {
            "timestamp": "2026-05-28 22:02:21,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28ca352",
            "parentcaller": "0x7ff6c28ca1d6",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "0",
                "pretty_value": "ThreadBasicInformation"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x03\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb0\\x88\\x9d\\xf0\\x00\\x00\\x00\\xe8\\x1e\\x00\\x00\\x00\\x00\\x00\\x00\\x9c!\\x00\\x00\\x00\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x0b\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "8604"
              }
            ],
            "repeated": 0,
            "id": 22017
          },
          {
            "timestamp": "2026-05-28 22:02:21,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28ca352",
            "parentcaller": "0x7ff6c28ca1d6",
            "category": "system",
            "api": "GetSystemTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 1,
            "id": 22018
          },
          {
            "timestamp": "2026-05-28 22:02:21,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28ca352",
            "parentcaller": "0x7ff6c28ca1d6",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000410"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\PcwDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00224013"
              },
              {
                "name": "InputBuffer",
                "value": "\\x00\t\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": "\\xe0G\\x00\\x00\\x10\\x00\\x00\\x00\\x0c\\x00\\x00\\x00\\x00\\x00\\x00\\x00`\\x14\\x00\\x00 \\x00\\x00\\x00!\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\n\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x98\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x88\\x00\\x00\\x00\\x01\\x00\\x00\\x00p\\x00i\\x00d\\x00_\\x004\\x00_\\x00l\\x00u\\x00i\\x00d\\x00_\\x000\\x00x\\x000\\x000\\x000\\x000\\x000\\x000\\x000\\x000\\x00_\\x000\\x00x\\x000\\x000\\x000\\x000\\x006\\x001\\x006\\x00A\\x00_\\x00p\\x00h\\x00y\\x00s\\x00_\\x000\\x00_\\x00e\\x00n\\x00g\\x00_\\x000\\x00_\\x00e\\x00n\\x00g\\x00t\\x00y\\x00p\\x00e\\x00_\\x003\\x00D\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x01\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x98\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x88\\x00\\x00\\x00\\x01\\x00\\x00\\x00p\\x00i\\x00d\\x00_\\x004\\x00_\\x00l\\x00u\\x00i\\x00d\\x00_\\x000\\x00x\\x000\\x000\\x000\\x000\\x000\\x000\\x000\\x00"
              }
            ],
            "repeated": 0,
            "id": 22019
          },
          {
            "timestamp": "2026-05-28 22:02:21,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28f9829",
            "parentcaller": "0x7ff6c28d8f00",
            "category": "windows",
            "api": "PostMessageW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "WindowHandle",
                "value": "0x000203fa"
              },
              {
                "name": "Message",
                "value": "0x000004e1"
              }
            ],
            "repeated": 0,
            "id": 22020
          },
          {
            "timestamp": "2026-05-28 22:02:21,412",
            "thread_id": "1496",
            "caller": "0x7ff6c2958576",
            "parentcaller": "0x7ff6c2957a42",
            "category": "misc",
            "api": "NtQuerySystemInformation",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SystemInformationClass",
                "value": "3",
                "pretty_value": "FILE_OPEN_IF"
              }
            ],
            "repeated": 0,
            "id": 22021
          },
          {
            "timestamp": "2026-05-28 22:02:21,428",
            "thread_id": "1276",
            "caller": "0x7ff6c28d9214",
            "parentcaller": "0x00000000",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "0",
                "pretty_value": "ThreadBasicInformation"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x03\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xd0\\x87\\x9d\\xf0\\x00\\x00\\x00\\xe8\\x1e\\x00\\x00\\x00\\x00\\x00\\x00\\xfc\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\n\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "1276"
              }
            ],
            "repeated": 0,
            "id": 22022
          },
          {
            "timestamp": "2026-05-28 22:02:21,428",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000000",
                "pretty_value": "HKEY_CLASSES_ROOT"
              },
              {
                "name": "SubKey",
                "value": "CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_CLASSES_ROOT\\CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              }
            ],
            "repeated": 0,
            "id": 22023
          },
          {
            "timestamp": "2026-05-28 22:02:21,428",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "shell32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76730000"
              }
            ],
            "repeated": 0,
            "id": 22024
          },
          {
            "timestamp": "2026-05-28 22:02:21,428",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x7ffc76730000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "shell32.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 22025
          },
          {
            "timestamp": "2026-05-28 22:02:21,428",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "SHELL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc76730000"
              },
              {
                "name": "FunctionName",
                "value": "DllGetClassObject"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc767878f0"
              }
            ],
            "repeated": 0,
            "id": 22026
          },
          {
            "timestamp": "2026-05-28 22:02:21,428",
            "thread_id": "1276",
            "caller": "0x7ff6c28c27c9",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "synchronization",
            "api": "NtFindAtom",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "AtomName",
                "value": "{57086C23-86C6-478F-AFB2-236188C8F47F} 3"
              },
              {
                "name": "Atom",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 22027
          },
          {
            "timestamp": "2026-05-28 22:02:21,428",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000000",
                "pretty_value": "HKEY_CLASSES_ROOT"
              },
              {
                "name": "SubKey",
                "value": "CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_CLASSES_ROOT\\CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              }
            ],
            "repeated": 0,
            "id": 22028
          },
          {
            "timestamp": "2026-05-28 22:02:21,428",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "shell32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76730000"
              }
            ],
            "repeated": 0,
            "id": 22029
          },
          {
            "timestamp": "2026-05-28 22:02:21,428",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x7ffc76730000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "shell32.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 22030
          },
          {
            "timestamp": "2026-05-28 22:02:21,428",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "SHELL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc76730000"
              },
              {
                "name": "FunctionName",
                "value": "DllGetClassObject"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc767878f0"
              }
            ],
            "repeated": 0,
            "id": 22031
          },
          {
            "timestamp": "2026-05-28 22:02:21,428",
            "thread_id": "1276",
            "caller": "0x7ff6c28c27c9",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "synchronization",
            "api": "NtFindAtom",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "AtomName",
                "value": "{57086C23-86C6-478F-AFB2-236188C8F47F} 3"
              },
              {
                "name": "Atom",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 22032
          },
          {
            "timestamp": "2026-05-28 22:02:21,428",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6fb1",
            "parentcaller": "0x7ff6c28e0076",
            "category": "system",
            "api": "NtDelayExecution",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 22033
          },
          {
            "timestamp": "2026-05-28 22:02:21,428",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000000",
                "pretty_value": "HKEY_CLASSES_ROOT"
              },
              {
                "name": "SubKey",
                "value": "CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_CLASSES_ROOT\\CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              }
            ],
            "repeated": 0,
            "id": 22034
          },
          {
            "timestamp": "2026-05-28 22:02:21,428",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "shell32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76730000"
              }
            ],
            "repeated": 0,
            "id": 22035
          },
          {
            "timestamp": "2026-05-28 22:02:21,428",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x7ffc76730000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "shell32.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 22036
          },
          {
            "timestamp": "2026-05-28 22:02:21,428",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "SHELL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc76730000"
              },
              {
                "name": "FunctionName",
                "value": "DllGetClassObject"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc767878f0"
              }
            ],
            "repeated": 0,
            "id": 22037
          },
          {
            "timestamp": "2026-05-28 22:02:21,428",
            "thread_id": "1276",
            "caller": "0x7ff6c28c27c9",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "synchronization",
            "api": "NtFindAtom",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "AtomName",
                "value": "{57086C23-86C6-478F-AFB2-236188C8F47F} 3"
              },
              {
                "name": "Atom",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 22038
          },
          {
            "timestamp": "2026-05-28 22:02:21,428",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000000",
                "pretty_value": "HKEY_CLASSES_ROOT"
              },
              {
                "name": "SubKey",
                "value": "CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_CLASSES_ROOT\\CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              }
            ],
            "repeated": 0,
            "id": 22039
          },
          {
            "timestamp": "2026-05-28 22:02:21,428",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "shell32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76730000"
              }
            ],
            "repeated": 0,
            "id": 22040
          },
          {
            "timestamp": "2026-05-28 22:02:21,428",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x7ffc76730000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "shell32.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 22041
          },
          {
            "timestamp": "2026-05-28 22:02:21,428",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "SHELL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc76730000"
              },
              {
                "name": "FunctionName",
                "value": "DllGetClassObject"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc767878f0"
              }
            ],
            "repeated": 0,
            "id": 22042
          },
          {
            "timestamp": "2026-05-28 22:02:21,428",
            "thread_id": "1276",
            "caller": "0x7ff6c28c27c9",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "synchronization",
            "api": "NtFindAtom",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "AtomName",
                "value": "{57086C23-86C6-478F-AFB2-236188C8F47F} 3"
              },
              {
                "name": "Atom",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 22043
          },
          {
            "timestamp": "2026-05-28 22:02:21,428",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000000",
                "pretty_value": "HKEY_CLASSES_ROOT"
              },
              {
                "name": "SubKey",
                "value": "CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_CLASSES_ROOT\\CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              }
            ],
            "repeated": 0,
            "id": 22044
          },
          {
            "timestamp": "2026-05-28 22:02:21,428",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "shell32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76730000"
              }
            ],
            "repeated": 0,
            "id": 22045
          },
          {
            "timestamp": "2026-05-28 22:02:21,428",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x7ffc76730000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "shell32.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 22046
          },
          {
            "timestamp": "2026-05-28 22:02:21,428",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "SHELL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc76730000"
              },
              {
                "name": "FunctionName",
                "value": "DllGetClassObject"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc767878f0"
              }
            ],
            "repeated": 0,
            "id": 22047
          },
          {
            "timestamp": "2026-05-28 22:02:21,428",
            "thread_id": "1276",
            "caller": "0x7ff6c28c27c9",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "synchronization",
            "api": "NtFindAtom",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "AtomName",
                "value": "{57086C23-86C6-478F-AFB2-236188C8F47F} 3"
              },
              {
                "name": "Atom",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 22048
          },
          {
            "timestamp": "2026-05-28 22:02:21,428",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000000",
                "pretty_value": "HKEY_CLASSES_ROOT"
              },
              {
                "name": "SubKey",
                "value": "CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_CLASSES_ROOT\\CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              }
            ],
            "repeated": 0,
            "id": 22049
          },
          {
            "timestamp": "2026-05-28 22:02:21,428",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "shell32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76730000"
              }
            ],
            "repeated": 0,
            "id": 22050
          },
          {
            "timestamp": "2026-05-28 22:02:21,428",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x7ffc76730000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "shell32.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 22051
          },
          {
            "timestamp": "2026-05-28 22:02:21,428",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "SHELL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc76730000"
              },
              {
                "name": "FunctionName",
                "value": "DllGetClassObject"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc767878f0"
              }
            ],
            "repeated": 0,
            "id": 22052
          },
          {
            "timestamp": "2026-05-28 22:02:21,428",
            "thread_id": "1276",
            "caller": "0x7ff6c28c27c9",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "synchronization",
            "api": "NtFindAtom",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "AtomName",
                "value": "{57086C23-86C6-478F-AFB2-236188C8F47F} 3"
              },
              {
                "name": "Atom",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 22053
          },
          {
            "timestamp": "2026-05-28 22:02:21,428",
            "thread_id": "1276",
            "caller": "0x7ff6c28d9322",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "oleaut32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc77330000"
              }
            ],
            "repeated": 0,
            "id": 22054
          },
          {
            "timestamp": "2026-05-28 22:02:21,428",
            "thread_id": "5448",
            "caller": "0x7ff6c28bb952",
            "parentcaller": "0x7ff6c28be837",
            "category": "windows",
            "api": "PostMessageW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "WindowHandle",
                "value": "0x00010402"
              },
              {
                "name": "Message",
                "value": "0x00000464"
              }
            ],
            "repeated": 0,
            "id": 22055
          },
          {
            "timestamp": "2026-05-28 22:02:21,428",
            "thread_id": "608",
            "caller": "0x7ff6c28d9e90",
            "parentcaller": "0x7ff6c28d9a49",
            "category": "windows",
            "api": "FindWindowW",
            "status": true,
            "return": "0x00010092",
            "arguments": [
              {
                "name": "ClassName",
                "value": "Shell_TrayWnd"
              },
              {
                "name": "WindowName",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 22056
          },
          {
            "timestamp": "2026-05-28 22:02:21,428",
            "thread_id": "2700",
            "caller": "0x7ffc77bf0e98",
            "parentcaller": "0x7ffc77c6b785",
            "category": "windows",
            "api": "PostMessageW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "WindowHandle",
                "value": "0x00010438"
              },
              {
                "name": "Message",
                "value": "0x00000400"
              }
            ],
            "repeated": 0,
            "id": 22057
          },
          {
            "timestamp": "2026-05-28 22:02:21,600",
            "thread_id": "1276",
            "caller": "0x7ffc77bf0e98",
            "parentcaller": "0x7ffc77c6b785",
            "category": "windows",
            "api": "PostMessageW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "WindowHandle",
                "value": "0x00010424"
              },
              {
                "name": "Message",
                "value": "0x00000400"
              }
            ],
            "repeated": 0,
            "id": 22058
          },
          {
            "timestamp": "2026-05-28 22:02:22,412",
            "thread_id": "5448",
            "caller": "0x7ff6c28bd9af",
            "parentcaller": "0x7ff6c28d9f92",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "23"
              },
              {
                "name": "ThreadInformation",
                "value": "l\\xae\\xe1b\\x00\\x00\\x00\\x00\\xe0\\x10\\x03yT\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "5448"
              }
            ],
            "repeated": 0,
            "id": 22059
          },
          {
            "timestamp": "2026-05-28 22:02:22,412",
            "thread_id": "5448",
            "caller": "0x7ff6c28c63dd",
            "parentcaller": "0x7ff6c28bac26",
            "category": "misc",
            "api": "NtQuerySystemInformation",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SystemInformationClass",
                "value": "5",
                "pretty_value": "FILE_OVERWRITE_IF"
              }
            ],
            "repeated": 0,
            "id": 22060
          },
          {
            "timestamp": "2026-05-28 22:02:22,412",
            "thread_id": "5448",
            "caller": "0x7ff6c28bda50",
            "parentcaller": "0x7ff6c28d9f92",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "23"
              },
              {
                "name": "ThreadInformation",
                "value": "dE'c\\x00\\x00\\x00\\x00JPLyT\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "5448"
              }
            ],
            "repeated": 0,
            "id": 22061
          },
          {
            "timestamp": "2026-05-28 22:02:22,412",
            "thread_id": "5448",
            "caller": "0x7ff6c28bdaa2",
            "parentcaller": "0x7ff6c28d9f92",
            "category": "misc",
            "api": "NtQuerySystemInformation",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SystemInformationClass",
                "value": "3",
                "pretty_value": "FILE_OPEN_IF"
              }
            ],
            "repeated": 0,
            "id": 22062
          },
          {
            "timestamp": "2026-05-28 22:02:22,412",
            "thread_id": "5448",
            "caller": "0x7ff6c28c4a58",
            "parentcaller": "0x7ff6c28c4bdc",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000410"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\PcwDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00224013"
              },
              {
                "name": "InputBuffer",
                "value": "\\x14\\x04\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": "\\xb8\\x01\\x00\\x00\\x10\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xa8\\x01\\x00\\x00 \\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x000\\x00\\x00\\x0c\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00`\\x00\\x00\\x00\\x00\\x00\\x00\\x00 \\x00\\x00\\x00\\x04\\x00\\x00\\x000\\x00,\\x000\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x04\\x00\\x08\\x00V!\\x83\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x05\\x00\\x08\\x00\\xb6(\\x8e\\x01\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x1a\\x00\\x08\\x00r \\x11\\xb8\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x1b\\x00\\x04\\x00\\xfe~v\\x03\\x00\\x00\\x00\\x00`\\x00\\x00\\x00\\x01\\x00\\x00\\x00 \\x00\\x00\\x00\\x04\\x00\\x00\\x000\\x00,\\x001\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x04\\x00\\x08\\x00\\xec\\x8dR\\x01\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x05\\x00\\x08\\x00\\x84\\xd7\\x17\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x1a\\x00\\x08\\x00dH}\\xbd\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x1b\\x00\\x04\\x00\\x04\\x7fv\\x03\\x00\\x00\\x00\\x00h\\x00\\x00\\x00\\x02\\x00\\x00\\x00(\\x00\\x00\\x00\\x04\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 22063
          },
          {
            "timestamp": "2026-05-28 22:02:22,412",
            "thread_id": "5448",
            "caller": "0x7ff6c28c4a58",
            "parentcaller": "0x7ff6c28c4c19",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000410"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\PcwDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00224013"
              },
              {
                "name": "InputBuffer",
                "value": "\\x18\\x04\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": "x\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00h\\x00\\x00\\x00 \\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00H\\x00\\x00\\x00\\x00\\x00\\x00\\x00(\\x00\\x00\\x00\\x02\\x00\\x00\\x00d\\x00e\\x00f\\x00a\\x00u\\x00l\\x00t\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x08\\x00\\x1b\\xca\\xe7\\xa0\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x01\\x00\\x08\\x00\\x00\\xe0H\\x0c\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 22064
          },
          {
            "timestamp": "2026-05-28 22:02:22,412",
            "thread_id": "5448",
            "caller": "0x7ff6c28c6f7b",
            "parentcaller": "0x7ff6c28bdb94",
            "category": "misc",
            "api": "GlobalMemoryStatusEx",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "MemoryLoad",
                "value": "36"
              },
              {
                "name": "TotalPhysicalMB",
                "value": "8191"
              }
            ],
            "repeated": 0,
            "id": 22065
          },
          {
            "timestamp": "2026-05-28 22:02:22,412",
            "thread_id": "5448",
            "caller": "0x7ff6c28c05ac",
            "parentcaller": "0x7ff6c28bdc11",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000ab0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001400",
                "pretty_value": "PROCESS_QUERY_INFORMATION|PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "748"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\148.0.3967.83\\identity_helper.exe"
              }
            ],
            "repeated": 0,
            "id": 22066
          },
          {
            "timestamp": "2026-05-28 22:02:22,412",
            "thread_id": "5448",
            "caller": "0x7ff6c28c068f",
            "parentcaller": "0x7ff6c28bdc11",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000ab0"
              }
            ],
            "repeated": 0,
            "id": 22067
          },
          {
            "timestamp": "2026-05-28 22:02:22,412",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c6d7d",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000ab0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001400",
                "pretty_value": "PROCESS_QUERY_INFORMATION|PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "748"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\148.0.3967.83\\identity_helper.exe"
              }
            ],
            "repeated": 0,
            "id": 22068
          },
          {
            "timestamp": "2026-05-28 22:02:22,412",
            "thread_id": "5448",
            "caller": "0x7ff6c28c6de3",
            "parentcaller": "0x7ff6c28c087c",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000ab0"
              }
            ],
            "repeated": 0,
            "id": 22069
          },
          {
            "timestamp": "2026-05-28 22:02:22,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28c4a58",
            "parentcaller": "0x7ff6c28bab11",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000410"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\PcwDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00224013"
              },
              {
                "name": "InputBuffer",
                "value": "\\x88\\x08\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": "x\\x02\\x00\\x00\\x10\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00h\\x02\\x00\\x00 \\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01<\\x06\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x90\\x00\\x00\\x00\\x00\\x00\\x00\\x00 \\x00\\x00\\x00\\x07\\x00\\x00\\x000\\x00,\\x000\\x00\\x00\\x00a\\x00n\\x00a\\x00g\\x00\\x10\\x00\\x00\\x00\\x10\\x00\\x04\\x00\\x00\\x00\\x00\\x00A\\x00p\\x00\\x10\\x00\\x00\\x00\\x1a\\x00\\x08\\x00e\\x9a\\x11\\xb8\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x1b\\x00\\x04\\x006\\x80v\\x03S\\x00e\\x00\\x10\\x00\\x00\\x00\\x1c\\x00\\x08\\x00\\x8b\\xc2\\xc4\\x08\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x1d\\x00\\x04\\x006\\x80v\\x03)\\x00\\x00\\x00\\x10\\x00\\x00\\x00!\\x00\\x08\\x00`J\\xc6\\x80\\x1a\\x00\\x00\\x00\\x10\\x00\\x00\\x00\"\\x00\\x04\\x00N7\\xd7\\x01o\\x00f\\x00\\x90\\x00\\x00\\x00\\x01\\x00\\x00\\x00 \\x00\\x00\\x00\\x07\\x00\\x00\\x000\\x00,\\x001\\x00\\x00\\x00n\\x00t\\x00\\x00\\x00A\\x00\\x10\\x00\\x00\\x00\\x10\\x00\\x04\\x00\\x00\\x00\\x00\\x00e\\x00n\\x00\\x10\\x00\\x00\\x00\\x1a\\x00\\x08\\x00\\xba\\xc1}\\xbd\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 22070
          },
          {
            "timestamp": "2026-05-28 22:02:22,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28c7164",
            "parentcaller": "0x7ff6c28c4d2d",
            "category": "misc",
            "api": "NtQuerySystemInformation",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "SystemInformationClass",
                "value": "79"
              }
            ],
            "repeated": 0,
            "id": 22071
          },
          {
            "timestamp": "2026-05-28 22:02:22,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28c71d8",
            "parentcaller": "0x7ff6c28c4d2d",
            "category": "misc",
            "api": "NtQuerySystemInformation",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SystemInformationClass",
                "value": "79"
              }
            ],
            "repeated": 0,
            "id": 22072
          },
          {
            "timestamp": "2026-05-28 22:02:22,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28c4d5f",
            "parentcaller": "0x7ff6c28d9152",
            "category": "misc",
            "api": "NtQuerySystemInformation",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SystemInformationClass",
                "value": "182"
              }
            ],
            "repeated": 0,
            "id": 22073
          },
          {
            "timestamp": "2026-05-28 22:02:22,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28c4d76",
            "parentcaller": "0x7ff6c28d9152",
            "category": "misc",
            "api": "GetPhysicallyInstalledSystemMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TotalMemoryInKilobytes",
                "value": "8388608"
              }
            ],
            "repeated": 0,
            "id": 22074
          },
          {
            "timestamp": "2026-05-28 22:02:22,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28bcc3e",
            "parentcaller": "0x7ff6c28baa3d",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000008a4"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\Nsi"
              },
              {
                "name": "IoControlCode",
                "value": "0x00120007"
              },
              {
                "name": "InputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb1\\xa9t\\xfc\\x7f\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xc0\\xe5O\\x9e\\xf0\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb1\\xa9t\\xfc\\x7f\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xc0\\xe5O\\x9e\\xf0\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 22075
          },
          {
            "timestamp": "2026-05-28 22:02:22,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28bcc3e",
            "parentcaller": "0x7ff6c28baa3d",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000ab0"
              }
            ],
            "repeated": 0,
            "id": 22076
          },
          {
            "timestamp": "2026-05-28 22:02:22,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28bcc3e",
            "parentcaller": "0x7ff6c28baa3d",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000008a4"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\Nsi"
              },
              {
                "name": "IoControlCode",
                "value": "0x0012000f"
              },
              {
                "name": "InputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb1\\xa9t\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xd0\\xe5O\\x9e\\xf0\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\xeeO\\x9e\\xf0\\x00\\x00\\x00D\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xe6O\\x9e\\xf0\\x00\\x00\\x00\\xd8\\x00\\x00\\x00\\x00\\x00\\x00\\x00 \\xe9O\\x9e\\xf0\\x00\\x00\\x00X\\x02\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb1\\xa9t\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xd0\\xe5O\\x9e\\xf0\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\xeeO\\x9e\\xf0\\x00\\x00\\x00D\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xe6O\\x9e\\xf0\\x00\\x00\\x00\\xd8\\x00\\x00\\x00\\x00\\x00\\x00\\x00 \\xe9O\\x9e\\xf0\\x00\\x00\\x00X\\x02\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 22077
          },
          {
            "timestamp": "2026-05-28 22:02:22,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28bcc3e",
            "parentcaller": "0x7ff6c28baa3d",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000ab0"
              }
            ],
            "repeated": 0,
            "id": 22078
          },
          {
            "timestamp": "2026-05-28 22:02:22,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28bcd3d",
            "parentcaller": "0x7ff6c28baa3d",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000ab0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0012019f",
                "pretty_value": "FILE_GENERIC_READ|FILE_GENERIC_WRITE"
              },
              {
                "name": "FileName",
                "value": "\\Device\\{4C572733-2FBA-4346-9601-F86DBA666EF2}"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 22079
          },
          {
            "timestamp": "2026-05-28 22:02:22,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28bcd94",
            "parentcaller": "0x7ff6c28baa3d",
            "category": "device",
            "api": "DeviceIoControl",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "DeviceHandle",
                "value": "0x00000ab0"
              },
              {
                "name": "IoControlCode",
                "value": "0x0017003e"
              },
              {
                "name": "InBuffer",
                "value": "\\x07\\x01\\x01\\x00\\x04\\x01\\x01\\x80\\x14\\x01\\x01\\x80\\x01\\x01\\x02\\x00\\x02\\x01\\x02\\x00\\x03\\x01\\x02\\x00\\x04\\x01\\x02\\x00\\x08\\x02\\x02\\x80\\x01\\x02\\x02\\x80\\x07\\x02\\x02\\x80\\xff\\xff\\xff\\x80\\x13\\x02\\x02\\x80\\x14\\x02\\x02\\x80\\x15\\x02\\x02\\x80\\x02\\x02\\x01\\x80"
              },
              {
                "name": "OutBuffer",
                "value": "\\x07\\x01\\x01\\x00\\x04\\x00\\x00\\x00\\x80\\x96\\x98\\x00\\x04\\x01\\x01\\x80\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x14\\x01\\x01\\x80\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x01\\x02\\x00\\x08\\x00\\x00\\x00\\x84\\x15\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x01\\x02\\x00\\x08\\x00\\x00\\x00\\x96n\\x00\\x00\\x00\\x00\\x00\\x00\\x03\\x01\\x02\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x04\\x01\\x02\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x08\\x02\\x02\\x80\\x08\\x00\\x00\\x00\\x91n\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x02\\x02\\x80\\x08\\x00\\x00\\x00\\xa3\\xebT\\x00\\x00\\x00\\x00\\x00\\x07\\x02\\x02\\x80\\x08\\x00\\x00\\x00'\\x9a4\\x02\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\x80\\x04\\x00\\x00\\x00X\\x00\\x00\\x00\\x13\\x02\\x02\\x80\\x04\\x00\\x00\\x00m\\x00\\x00\\x00\\x14\\x02\\x02\\x80\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x15\\x02\\x02\\x80\\x04\\x00\\x00\\x00\\x00\\x00\\x04\\x00\\x02\\x02\\x01\\x80\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 22080
          },
          {
            "timestamp": "2026-05-28 22:02:22,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28bcdab",
            "parentcaller": "0x7ff6c28baa3d",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000ab0"
              }
            ],
            "repeated": 0,
            "id": 22081
          },
          {
            "timestamp": "2026-05-28 22:02:22,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28c1a63",
            "parentcaller": "0x7ff6c28d9152",
            "category": "device",
            "api": "DeviceIoControl",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "DeviceHandle",
                "value": "0x0000089c"
              },
              {
                "name": "IoControlCode",
                "value": "0x00070020"
              },
              {
                "name": "InBuffer",
                "value": ""
              },
              {
                "name": "OutBuffer",
                "value": "\\x00\\x00\\x02v\\x00\\x00\\x00\\x00\\x00\\xdaj\n\\x00\\x00\\x00\\x00\\xd2e\\x81 \\x00\\x00\\x00\\x00Xo\\x8c\\x14\\x00\\x00\\x00\\x00\\xf1j\\x1d$\\x00\\x00\\x00\\x00Iv\\x00\\x00\\x9f\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\xcd\\x04\\x00\\x00\\x97\\xd1\\xfd\\xa8\\xed\\xee\\xdc\\x01\\x00\\x00\\x00\\x00P\\x00a\\x00r\\x00t\\x00m\\x00g\\x00r\\x00 \\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 22082
          },
          {
            "timestamp": "2026-05-28 22:02:22,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28ca352",
            "parentcaller": "0x7ff6c28ca1d6",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 22083
          },
          {
            "timestamp": "2026-05-28 22:02:22,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28ca352",
            "parentcaller": "0x7ff6c28ca1d6",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "0",
                "pretty_value": "ThreadBasicInformation"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x03\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb0\\x88\\x9d\\xf0\\x00\\x00\\x00\\xe8\\x1e\\x00\\x00\\x00\\x00\\x00\\x00\\x9c!\\x00\\x00\\x00\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x0b\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "8604"
              }
            ],
            "repeated": 0,
            "id": 22084
          },
          {
            "timestamp": "2026-05-28 22:02:22,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28ca352",
            "parentcaller": "0x7ff6c28ca1d6",
            "category": "system",
            "api": "GetSystemTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 1,
            "id": 22085
          },
          {
            "timestamp": "2026-05-28 22:02:22,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28ca352",
            "parentcaller": "0x7ff6c28ca1d6",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000410"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\PcwDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00224013"
              },
              {
                "name": "InputBuffer",
                "value": "\\x00\t\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": "\\xe0G\\x00\\x00\\x10\\x00\\x00\\x00\\x0c\\x00\\x00\\x00\\x00\\x00\\x00\\x00`\\x14\\x00\\x00 \\x00\\x00\\x00!\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\n\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x98\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x88\\x00\\x00\\x00\\x01\\x00\\x00\\x00p\\x00i\\x00d\\x00_\\x004\\x00_\\x00l\\x00u\\x00i\\x00d\\x00_\\x000\\x00x\\x000\\x000\\x000\\x000\\x000\\x000\\x000\\x000\\x00_\\x000\\x00x\\x000\\x000\\x000\\x000\\x006\\x001\\x006\\x00A\\x00_\\x00p\\x00h\\x00y\\x00s\\x00_\\x000\\x00_\\x00e\\x00n\\x00g\\x00_\\x000\\x00_\\x00e\\x00n\\x00g\\x00t\\x00y\\x00p\\x00e\\x00_\\x003\\x00D\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x01\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x98\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x88\\x00\\x00\\x00\\x01\\x00\\x00\\x00p\\x00i\\x00d\\x00_\\x004\\x00_\\x00l\\x00u\\x00i\\x00d\\x00_\\x000\\x00x\\x000\\x000\\x000\\x000\\x000\\x000\\x000\\x00"
              }
            ],
            "repeated": 0,
            "id": 22086
          },
          {
            "timestamp": "2026-05-28 22:02:22,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28f9829",
            "parentcaller": "0x7ff6c28d8f00",
            "category": "windows",
            "api": "PostMessageW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "WindowHandle",
                "value": "0x000203fa"
              },
              {
                "name": "Message",
                "value": "0x000004e1"
              }
            ],
            "repeated": 0,
            "id": 22087
          },
          {
            "timestamp": "2026-05-28 22:02:22,412",
            "thread_id": "1496",
            "caller": "0x7ff6c2958576",
            "parentcaller": "0x7ff6c2957a42",
            "category": "misc",
            "api": "NtQuerySystemInformation",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SystemInformationClass",
                "value": "3",
                "pretty_value": "FILE_OPEN_IF"
              }
            ],
            "repeated": 0,
            "id": 22088
          },
          {
            "timestamp": "2026-05-28 22:02:22,412",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6f98",
            "parentcaller": "0x7ff6c28e0076",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x292557b4000"
              },
              {
                "name": "RegionSize",
                "value": "0x00011000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 22089
          },
          {
            "timestamp": "2026-05-28 22:02:22,412",
            "thread_id": "1276",
            "caller": "0x7ff6c28d9214",
            "parentcaller": "0x00000000",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "0",
                "pretty_value": "ThreadBasicInformation"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x03\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xd0\\x87\\x9d\\xf0\\x00\\x00\\x00\\xe8\\x1e\\x00\\x00\\x00\\x00\\x00\\x00\\xfc\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\n\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "1276"
              }
            ],
            "repeated": 0,
            "id": 22090
          },
          {
            "timestamp": "2026-05-28 22:02:22,412",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000000",
                "pretty_value": "HKEY_CLASSES_ROOT"
              },
              {
                "name": "SubKey",
                "value": "CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_CLASSES_ROOT\\CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              }
            ],
            "repeated": 0,
            "id": 22091
          },
          {
            "timestamp": "2026-05-28 22:02:22,412",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "shell32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76730000"
              }
            ],
            "repeated": 0,
            "id": 22092
          },
          {
            "timestamp": "2026-05-28 22:02:22,412",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x7ffc76730000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "shell32.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 22093
          },
          {
            "timestamp": "2026-05-28 22:02:22,412",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "SHELL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc76730000"
              },
              {
                "name": "FunctionName",
                "value": "DllGetClassObject"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc767878f0"
              }
            ],
            "repeated": 0,
            "id": 22094
          },
          {
            "timestamp": "2026-05-28 22:02:22,412",
            "thread_id": "1276",
            "caller": "0x7ff6c28c27c9",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "synchronization",
            "api": "NtFindAtom",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "AtomName",
                "value": "{57086C23-86C6-478F-AFB2-236188C8F47F} 3"
              },
              {
                "name": "Atom",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 22095
          },
          {
            "timestamp": "2026-05-28 22:02:22,412",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000000",
                "pretty_value": "HKEY_CLASSES_ROOT"
              },
              {
                "name": "SubKey",
                "value": "CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_CLASSES_ROOT\\CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              }
            ],
            "repeated": 0,
            "id": 22096
          },
          {
            "timestamp": "2026-05-28 22:02:22,412",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "shell32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76730000"
              }
            ],
            "repeated": 0,
            "id": 22097
          },
          {
            "timestamp": "2026-05-28 22:02:22,412",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x7ffc76730000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "shell32.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 22098
          },
          {
            "timestamp": "2026-05-28 22:02:22,412",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "SHELL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc76730000"
              },
              {
                "name": "FunctionName",
                "value": "DllGetClassObject"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc767878f0"
              }
            ],
            "repeated": 0,
            "id": 22099
          },
          {
            "timestamp": "2026-05-28 22:02:22,412",
            "thread_id": "1276",
            "caller": "0x7ff6c28c27c9",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "synchronization",
            "api": "NtFindAtom",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "AtomName",
                "value": "{57086C23-86C6-478F-AFB2-236188C8F47F} 3"
              },
              {
                "name": "Atom",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 22100
          },
          {
            "timestamp": "2026-05-28 22:02:22,412",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6fb1",
            "parentcaller": "0x7ff6c28e0076",
            "category": "system",
            "api": "NtDelayExecution",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 22101
          },
          {
            "timestamp": "2026-05-28 22:02:22,412",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000000",
                "pretty_value": "HKEY_CLASSES_ROOT"
              },
              {
                "name": "SubKey",
                "value": "CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_CLASSES_ROOT\\CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              }
            ],
            "repeated": 0,
            "id": 22102
          },
          {
            "timestamp": "2026-05-28 22:02:22,428",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "shell32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76730000"
              }
            ],
            "repeated": 0,
            "id": 22103
          },
          {
            "timestamp": "2026-05-28 22:02:22,428",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x7ffc76730000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "shell32.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 22104
          },
          {
            "timestamp": "2026-05-28 22:02:22,428",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "SHELL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc76730000"
              },
              {
                "name": "FunctionName",
                "value": "DllGetClassObject"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc767878f0"
              }
            ],
            "repeated": 0,
            "id": 22105
          },
          {
            "timestamp": "2026-05-28 22:02:22,428",
            "thread_id": "1276",
            "caller": "0x7ff6c28c27c9",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "synchronization",
            "api": "NtFindAtom",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "AtomName",
                "value": "{57086C23-86C6-478F-AFB2-236188C8F47F} 3"
              },
              {
                "name": "Atom",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 22106
          },
          {
            "timestamp": "2026-05-28 22:02:22,428",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000000",
                "pretty_value": "HKEY_CLASSES_ROOT"
              },
              {
                "name": "SubKey",
                "value": "CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_CLASSES_ROOT\\CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              }
            ],
            "repeated": 0,
            "id": 22107
          },
          {
            "timestamp": "2026-05-28 22:02:22,428",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "shell32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76730000"
              }
            ],
            "repeated": 0,
            "id": 22108
          },
          {
            "timestamp": "2026-05-28 22:02:22,428",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x7ffc76730000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "shell32.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 22109
          },
          {
            "timestamp": "2026-05-28 22:02:22,428",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "SHELL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc76730000"
              },
              {
                "name": "FunctionName",
                "value": "DllGetClassObject"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc767878f0"
              }
            ],
            "repeated": 0,
            "id": 22110
          },
          {
            "timestamp": "2026-05-28 22:02:22,428",
            "thread_id": "1276",
            "caller": "0x7ff6c28c27c9",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "synchronization",
            "api": "NtFindAtom",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "AtomName",
                "value": "{57086C23-86C6-478F-AFB2-236188C8F47F} 3"
              },
              {
                "name": "Atom",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 22111
          },
          {
            "timestamp": "2026-05-28 22:02:22,428",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000000",
                "pretty_value": "HKEY_CLASSES_ROOT"
              },
              {
                "name": "SubKey",
                "value": "CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_CLASSES_ROOT\\CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              }
            ],
            "repeated": 0,
            "id": 22112
          },
          {
            "timestamp": "2026-05-28 22:02:22,428",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "shell32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76730000"
              }
            ],
            "repeated": 0,
            "id": 22113
          },
          {
            "timestamp": "2026-05-28 22:02:22,428",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x7ffc76730000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "shell32.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 22114
          },
          {
            "timestamp": "2026-05-28 22:02:22,428",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "SHELL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc76730000"
              },
              {
                "name": "FunctionName",
                "value": "DllGetClassObject"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc767878f0"
              }
            ],
            "repeated": 0,
            "id": 22115
          },
          {
            "timestamp": "2026-05-28 22:02:22,428",
            "thread_id": "1276",
            "caller": "0x7ff6c28c27c9",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "synchronization",
            "api": "NtFindAtom",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "AtomName",
                "value": "{57086C23-86C6-478F-AFB2-236188C8F47F} 3"
              },
              {
                "name": "Atom",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 22116
          },
          {
            "timestamp": "2026-05-28 22:02:22,428",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000000",
                "pretty_value": "HKEY_CLASSES_ROOT"
              },
              {
                "name": "SubKey",
                "value": "CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_CLASSES_ROOT\\CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              }
            ],
            "repeated": 0,
            "id": 22117
          },
          {
            "timestamp": "2026-05-28 22:02:22,428",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "shell32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76730000"
              }
            ],
            "repeated": 0,
            "id": 22118
          },
          {
            "timestamp": "2026-05-28 22:02:22,428",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x7ffc76730000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "shell32.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 22119
          },
          {
            "timestamp": "2026-05-28 22:02:22,428",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "SHELL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc76730000"
              },
              {
                "name": "FunctionName",
                "value": "DllGetClassObject"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc767878f0"
              }
            ],
            "repeated": 0,
            "id": 22120
          },
          {
            "timestamp": "2026-05-28 22:02:22,428",
            "thread_id": "1276",
            "caller": "0x7ff6c28c27c9",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "synchronization",
            "api": "NtFindAtom",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "AtomName",
                "value": "{57086C23-86C6-478F-AFB2-236188C8F47F} 3"
              },
              {
                "name": "Atom",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 22121
          },
          {
            "timestamp": "2026-05-28 22:02:22,428",
            "thread_id": "1276",
            "caller": "0x7ff6c28d9322",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "oleaut32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc77330000"
              }
            ],
            "repeated": 0,
            "id": 22122
          },
          {
            "timestamp": "2026-05-28 22:02:22,428",
            "thread_id": "5448",
            "caller": "0x7ff6c28bb952",
            "parentcaller": "0x7ff6c28be837",
            "category": "windows",
            "api": "PostMessageW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "WindowHandle",
                "value": "0x00010402"
              },
              {
                "name": "Message",
                "value": "0x00000464"
              }
            ],
            "repeated": 0,
            "id": 22123
          },
          {
            "timestamp": "2026-05-28 22:02:22,428",
            "thread_id": "608",
            "caller": "0x7ff6c28d9e90",
            "parentcaller": "0x7ff6c28d9a49",
            "category": "windows",
            "api": "FindWindowW",
            "status": true,
            "return": "0x00010092",
            "arguments": [
              {
                "name": "ClassName",
                "value": "Shell_TrayWnd"
              },
              {
                "name": "WindowName",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 22124
          },
          {
            "timestamp": "2026-05-28 22:02:22,428",
            "thread_id": "2700",
            "caller": "0x7ffc77bf0e98",
            "parentcaller": "0x7ffc77c6b785",
            "category": "windows",
            "api": "PostMessageW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "WindowHandle",
                "value": "0x00010438"
              },
              {
                "name": "Message",
                "value": "0x00000400"
              }
            ],
            "repeated": 0,
            "id": 22125
          },
          {
            "timestamp": "2026-05-28 22:02:22,693",
            "thread_id": "1276",
            "caller": "0x7ffc77bf0e98",
            "parentcaller": "0x7ffc77c6b785",
            "category": "windows",
            "api": "PostMessageW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "WindowHandle",
                "value": "0x00010424"
              },
              {
                "name": "Message",
                "value": "0x00000400"
              }
            ],
            "repeated": 0,
            "id": 22126
          },
          {
            "timestamp": "2026-05-28 22:02:23,412",
            "thread_id": "5448",
            "caller": "0x7ff6c28bd9af",
            "parentcaller": "0x7ff6c28d9f92",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "23"
              },
              {
                "name": "ThreadInformation",
                "value": "L\\xa3Nc\\x00\\x00\\x00\\x00\\xeeV\\x82UU\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "5448"
              }
            ],
            "repeated": 0,
            "id": 22127
          },
          {
            "timestamp": "2026-05-28 22:02:23,412",
            "thread_id": "5448",
            "caller": "0x7ff6c28c63dd",
            "parentcaller": "0x7ff6c28bac26",
            "category": "misc",
            "api": "NtQuerySystemInformation",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SystemInformationClass",
                "value": "5",
                "pretty_value": "FILE_OVERWRITE_IF"
              }
            ],
            "repeated": 0,
            "id": 22128
          },
          {
            "timestamp": "2026-05-28 22:02:23,412",
            "thread_id": "5448",
            "caller": "0x7ff6c28bda50",
            "parentcaller": "0x7ff6c28d9f92",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "23"
              },
              {
                "name": "ThreadInformation",
                "value": "\\xf4\\xf9\\x99c\\x00\\x00\\x00\\x00~\\x81\\xceUU\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "5448"
              }
            ],
            "repeated": 0,
            "id": 22129
          },
          {
            "timestamp": "2026-05-28 22:02:23,412",
            "thread_id": "5448",
            "caller": "0x7ff6c28bdaa2",
            "parentcaller": "0x7ff6c28d9f92",
            "category": "misc",
            "api": "NtQuerySystemInformation",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SystemInformationClass",
                "value": "3",
                "pretty_value": "FILE_OPEN_IF"
              }
            ],
            "repeated": 0,
            "id": 22130
          },
          {
            "timestamp": "2026-05-28 22:02:23,412",
            "thread_id": "5448",
            "caller": "0x7ff6c28c4a58",
            "parentcaller": "0x7ff6c28c4bdc",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000410"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\PcwDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00224013"
              },
              {
                "name": "InputBuffer",
                "value": "\\x14\\x04\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": "\\xb8\\x01\\x00\\x00\\x10\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xa8\\x01\\x00\\x00 \\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x000\\x00\\x00\\x0c\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00`\\x00\\x00\\x00\\x00\\x00\\x00\\x00 \\x00\\x00\\x00\\x04\\x00\\x00\\x000\\x00,\\x000\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x04\\x00\\x08\\x00V!\\x83\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x05\\x00\\x08\\x00j\\xed\\x92\\x01\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x1a\\x00\\x08\\x00m+\\xce\\xbb\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x1b\\x00\\x04\\x00\\x05\\x11\\x80\\x03\\x00\\x00\\x00\\x00`\\x00\\x00\\x00\\x01\\x00\\x00\\x00 \\x00\\x00\\x00\\x04\\x00\\x00\\x000\\x00,\\x001\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x04\\x00\\x08\\x00\\xec\\x8dR\\x01\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x05\\x00\\x08\\x00\\x84\\xd7\\x17\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x1a\\x00\\x08\\x00\\xbcS:\\xc1\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x1b\\x00\\x04\\x00\r\\x11\\x80\\x03\\x00\\x00\\x00\\x00h\\x00\\x00\\x00\\x02\\x00\\x00\\x00(\\x00\\x00\\x00\\x04\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 22131
          },
          {
            "timestamp": "2026-05-28 22:02:23,412",
            "thread_id": "5448",
            "caller": "0x7ff6c28c4a58",
            "parentcaller": "0x7ff6c28c4c19",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000410"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\PcwDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00224013"
              },
              {
                "name": "InputBuffer",
                "value": "\\x18\\x04\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": "x\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00h\\x00\\x00\\x00 \\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00H\\x00\\x00\\x00\\x00\\x00\\x00\\x00(\\x00\\x00\\x00\\x02\\x00\\x00\\x00d\\x00e\\x00f\\x00a\\x00u\\x00l\\x00t\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x08\\x00\\x1b\\xca\\xe7\\xa0\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x01\\x00\\x08\\x00\\x00\\xc0i\\x0c\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 22132
          },
          {
            "timestamp": "2026-05-28 22:02:23,412",
            "thread_id": "5448",
            "caller": "0x7ff6c28c6f7b",
            "parentcaller": "0x7ff6c28bdb94",
            "category": "misc",
            "api": "GlobalMemoryStatusEx",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "MemoryLoad",
                "value": "36"
              },
              {
                "name": "TotalPhysicalMB",
                "value": "8191"
              }
            ],
            "repeated": 0,
            "id": 22133
          },
          {
            "timestamp": "2026-05-28 22:02:23,412",
            "thread_id": "5448",
            "caller": "0x7ff6c28c05ac",
            "parentcaller": "0x7ff6c28bdc11",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000ab0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001400",
                "pretty_value": "PROCESS_QUERY_INFORMATION|PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "748"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\148.0.3967.83\\identity_helper.exe"
              }
            ],
            "repeated": 0,
            "id": 22134
          },
          {
            "timestamp": "2026-05-28 22:02:23,412",
            "thread_id": "5448",
            "caller": "0x7ff6c28c068f",
            "parentcaller": "0x7ff6c28bdc11",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000ab0"
              }
            ],
            "repeated": 0,
            "id": 22135
          },
          {
            "timestamp": "2026-05-28 22:02:23,412",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c6d7d",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000ab0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001400",
                "pretty_value": "PROCESS_QUERY_INFORMATION|PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "748"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\148.0.3967.83\\identity_helper.exe"
              }
            ],
            "repeated": 0,
            "id": 22136
          },
          {
            "timestamp": "2026-05-28 22:02:23,412",
            "thread_id": "5448",
            "caller": "0x7ff6c28c6de3",
            "parentcaller": "0x7ff6c28c087c",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000ab0"
              }
            ],
            "repeated": 0,
            "id": 22137
          },
          {
            "timestamp": "2026-05-28 22:02:23,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28c4a58",
            "parentcaller": "0x7ff6c28bab11",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000410"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\PcwDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00224013"
              },
              {
                "name": "InputBuffer",
                "value": "\\x88\\x08\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": "x\\x02\\x00\\x00\\x10\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00h\\x02\\x00\\x00 \\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01<\\x06\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x90\\x00\\x00\\x00\\x00\\x00\\x00\\x00 \\x00\\x00\\x00\\x07\\x00\\x00\\x000\\x00,\\x000\\x00\\x00\\x00a\\x00n\\x00a\\x00g\\x00\\x10\\x00\\x00\\x00\\x10\\x00\\x04\\x00\\x00\\x00\\x00\\x00A\\x00p\\x00\\x10\\x00\\x00\\x00\\x1a\\x00\\x08\\x00\\xde\\xd0\\xcc\\xbb\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x1b\\x00\\x04\\x00\\x8e\r\\x80\\x03S\\x00e\\x00\\x10\\x00\\x00\\x00\\x1c\\x00\\x08\\x00\\x8b\\xc2\\xc4\\x08\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x1d\\x00\\x04\\x00\\x8e\r\\x80\\x03)\\x00\\x00\\x00\\x10\\x00\\x00\\x00!\\x00\\x08\\x00\noO\n\\x1b\\x00\\x00\\x00\\x10\\x00\\x00\\x00\"\\x00\\x04\\x00\\xa6\\xc4\\xe0\\x01o\\x00f\\x00\\x90\\x00\\x00\\x00\\x01\\x00\\x00\\x00 \\x00\\x00\\x00\\x07\\x00\\x00\\x000\\x00,\\x001\\x00\\x00\\x00n\\x00t\\x00\\x00\\x00A\\x00\\x10\\x00\\x00\\x00\\x10\\x00\\x04\\x00\\x00\\x00\\x00\\x00e\\x00n\\x00\\x10\\x00\\x00\\x00\\x1a\\x00\\x08\\x00\\x10\\xaa:\\xc1\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 22138
          },
          {
            "timestamp": "2026-05-28 22:02:23,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28c7164",
            "parentcaller": "0x7ff6c28c4d2d",
            "category": "misc",
            "api": "NtQuerySystemInformation",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "SystemInformationClass",
                "value": "79"
              }
            ],
            "repeated": 0,
            "id": 22139
          },
          {
            "timestamp": "2026-05-28 22:02:23,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28c71d8",
            "parentcaller": "0x7ff6c28c4d2d",
            "category": "misc",
            "api": "NtQuerySystemInformation",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SystemInformationClass",
                "value": "79"
              }
            ],
            "repeated": 0,
            "id": 22140
          },
          {
            "timestamp": "2026-05-28 22:02:23,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28c4d5f",
            "parentcaller": "0x7ff6c28d9152",
            "category": "misc",
            "api": "NtQuerySystemInformation",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SystemInformationClass",
                "value": "182"
              }
            ],
            "repeated": 0,
            "id": 22141
          },
          {
            "timestamp": "2026-05-28 22:02:23,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28c4d76",
            "parentcaller": "0x7ff6c28d9152",
            "category": "misc",
            "api": "GetPhysicallyInstalledSystemMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TotalMemoryInKilobytes",
                "value": "8388608"
              }
            ],
            "repeated": 0,
            "id": 22142
          },
          {
            "timestamp": "2026-05-28 22:02:23,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28bcc3e",
            "parentcaller": "0x7ff6c28baa3d",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000008a4"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\Nsi"
              },
              {
                "name": "IoControlCode",
                "value": "0x00120007"
              },
              {
                "name": "InputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb1\\xa9t\\xfc\\x7f\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xc0\\xe5O\\x9e\\xf0\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb1\\xa9t\\xfc\\x7f\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xc0\\xe5O\\x9e\\xf0\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 22143
          },
          {
            "timestamp": "2026-05-28 22:02:23,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28bcc3e",
            "parentcaller": "0x7ff6c28baa3d",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000ab0"
              }
            ],
            "repeated": 0,
            "id": 22144
          },
          {
            "timestamp": "2026-05-28 22:02:23,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28bcc3e",
            "parentcaller": "0x7ff6c28baa3d",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000008a4"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\Nsi"
              },
              {
                "name": "IoControlCode",
                "value": "0x0012000f"
              },
              {
                "name": "InputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb1\\xa9t\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xd0\\xe5O\\x9e\\xf0\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\xeeO\\x9e\\xf0\\x00\\x00\\x00D\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xe6O\\x9e\\xf0\\x00\\x00\\x00\\xd8\\x00\\x00\\x00\\x00\\x00\\x00\\x00 \\xe9O\\x9e\\xf0\\x00\\x00\\x00X\\x02\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb1\\xa9t\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xd0\\xe5O\\x9e\\xf0\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\xeeO\\x9e\\xf0\\x00\\x00\\x00D\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xe6O\\x9e\\xf0\\x00\\x00\\x00\\xd8\\x00\\x00\\x00\\x00\\x00\\x00\\x00 \\xe9O\\x9e\\xf0\\x00\\x00\\x00X\\x02\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 22145
          },
          {
            "timestamp": "2026-05-28 22:02:23,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28bcc3e",
            "parentcaller": "0x7ff6c28baa3d",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000ab0"
              }
            ],
            "repeated": 0,
            "id": 22146
          },
          {
            "timestamp": "2026-05-28 22:02:23,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28bcd3d",
            "parentcaller": "0x7ff6c28baa3d",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000ab0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0012019f",
                "pretty_value": "FILE_GENERIC_READ|FILE_GENERIC_WRITE"
              },
              {
                "name": "FileName",
                "value": "\\Device\\{4C572733-2FBA-4346-9601-F86DBA666EF2}"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 22147
          },
          {
            "timestamp": "2026-05-28 22:02:23,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28bcd94",
            "parentcaller": "0x7ff6c28baa3d",
            "category": "device",
            "api": "DeviceIoControl",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "DeviceHandle",
                "value": "0x00000ab0"
              },
              {
                "name": "IoControlCode",
                "value": "0x0017003e"
              },
              {
                "name": "InBuffer",
                "value": "\\x07\\x01\\x01\\x00\\x04\\x01\\x01\\x80\\x14\\x01\\x01\\x80\\x01\\x01\\x02\\x00\\x02\\x01\\x02\\x00\\x03\\x01\\x02\\x00\\x04\\x01\\x02\\x00\\x08\\x02\\x02\\x80\\x01\\x02\\x02\\x80\\x07\\x02\\x02\\x80\\xff\\xff\\xff\\x80\\x13\\x02\\x02\\x80\\x14\\x02\\x02\\x80\\x15\\x02\\x02\\x80\\x02\\x02\\x01\\x80"
              },
              {
                "name": "OutBuffer",
                "value": "\\x07\\x01\\x01\\x00\\x04\\x00\\x00\\x00\\x80\\x96\\x98\\x00\\x04\\x01\\x01\\x80\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x14\\x01\\x01\\x80\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x01\\x02\\x00\\x08\\x00\\x00\\x00\\x8b\\x15\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x01\\x02\\x00\\x08\\x00\\x00\\x00\\x9en\\x00\\x00\\x00\\x00\\x00\\x00\\x03\\x01\\x02\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x04\\x01\\x02\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x08\\x02\\x02\\x80\\x08\\x00\\x00\\x00\\x99n\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x02\\x02\\x80\\x08\\x00\\x00\\x00\\xde\\xedT\\x00\\x00\\x00\\x00\\x00\\x07\\x02\\x02\\x80\\x08\\x00\\x00\\x00\\xb9\\x9c4\\x02\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\x80\\x04\\x00\\x00\\x00Y\\x00\\x00\\x00\\x13\\x02\\x02\\x80\\x04\\x00\\x00\\x00m\\x00\\x00\\x00\\x14\\x02\\x02\\x80\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x15\\x02\\x02\\x80\\x04\\x00\\x00\\x00\\x00\\x00\\x04\\x00\\x02\\x02\\x01\\x80\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 22148
          },
          {
            "timestamp": "2026-05-28 22:02:23,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28bcdab",
            "parentcaller": "0x7ff6c28baa3d",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000ab0"
              }
            ],
            "repeated": 0,
            "id": 22149
          },
          {
            "timestamp": "2026-05-28 22:02:23,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28c1a63",
            "parentcaller": "0x7ff6c28d9152",
            "category": "device",
            "api": "DeviceIoControl",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "DeviceHandle",
                "value": "0x0000089c"
              },
              {
                "name": "IoControlCode",
                "value": "0x00070020"
              },
              {
                "name": "InBuffer",
                "value": ""
              },
              {
                "name": "OutBuffer",
                "value": "\\x00\\x00\\x02v\\x00\\x00\\x00\\x00\\x00\\xba\\x8b\n\\x00\\x00\\x00\\x00\\xd2e\\x81 \\x00\\x00\\x00\\x00L=\\x9c\\x14\\x00\\x00\\x00\\x00\r\\xde\\xa5$\\x00\\x00\\x00\\x00Iv\\x00\\x00\\xa4\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\xcd\\x04\\x00\\x00\\xeb\\x15\\x97\\xa9\\xed\\xee\\xdc\\x01\\x00\\x00\\x00\\x00P\\x00a\\x00r\\x00t\\x00m\\x00g\\x00r\\x00 \\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 22150
          },
          {
            "timestamp": "2026-05-28 22:02:23,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28ca352",
            "parentcaller": "0x7ff6c28ca1d6",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 22151
          },
          {
            "timestamp": "2026-05-28 22:02:23,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28ca352",
            "parentcaller": "0x7ff6c28ca1d6",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "0",
                "pretty_value": "ThreadBasicInformation"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x03\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb0\\x88\\x9d\\xf0\\x00\\x00\\x00\\xe8\\x1e\\x00\\x00\\x00\\x00\\x00\\x00\\x9c!\\x00\\x00\\x00\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x0b\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "8604"
              }
            ],
            "repeated": 0,
            "id": 22152
          },
          {
            "timestamp": "2026-05-28 22:02:23,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28ca352",
            "parentcaller": "0x7ff6c28ca1d6",
            "category": "system",
            "api": "GetSystemTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 1,
            "id": 22153
          },
          {
            "timestamp": "2026-05-28 22:02:23,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28ca352",
            "parentcaller": "0x7ff6c28ca1d6",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000410"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\PcwDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00224013"
              },
              {
                "name": "InputBuffer",
                "value": "\\x00\t\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": "\\xe0G\\x00\\x00\\x10\\x00\\x00\\x00\\x0c\\x00\\x00\\x00\\x00\\x00\\x00\\x00`\\x14\\x00\\x00 \\x00\\x00\\x00!\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\n\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x98\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x88\\x00\\x00\\x00\\x01\\x00\\x00\\x00p\\x00i\\x00d\\x00_\\x004\\x00_\\x00l\\x00u\\x00i\\x00d\\x00_\\x000\\x00x\\x000\\x000\\x000\\x000\\x000\\x000\\x000\\x000\\x00_\\x000\\x00x\\x000\\x000\\x000\\x000\\x006\\x001\\x006\\x00A\\x00_\\x00p\\x00h\\x00y\\x00s\\x00_\\x000\\x00_\\x00e\\x00n\\x00g\\x00_\\x000\\x00_\\x00e\\x00n\\x00g\\x00t\\x00y\\x00p\\x00e\\x00_\\x003\\x00D\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x01\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x98\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x88\\x00\\x00\\x00\\x01\\x00\\x00\\x00p\\x00i\\x00d\\x00_\\x004\\x00_\\x00l\\x00u\\x00i\\x00d\\x00_\\x000\\x00x\\x000\\x000\\x000\\x000\\x000\\x000\\x000\\x00"
              }
            ],
            "repeated": 0,
            "id": 22154
          },
          {
            "timestamp": "2026-05-28 22:02:23,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28f9829",
            "parentcaller": "0x7ff6c28d8f00",
            "category": "windows",
            "api": "PostMessageW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "WindowHandle",
                "value": "0x000203fa"
              },
              {
                "name": "Message",
                "value": "0x000004e1"
              }
            ],
            "repeated": 0,
            "id": 22155
          },
          {
            "timestamp": "2026-05-28 22:02:23,412",
            "thread_id": "1496",
            "caller": "0x7ff6c2958576",
            "parentcaller": "0x7ff6c2957a42",
            "category": "misc",
            "api": "NtQuerySystemInformation",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SystemInformationClass",
                "value": "3",
                "pretty_value": "FILE_OPEN_IF"
              }
            ],
            "repeated": 0,
            "id": 22156
          },
          {
            "timestamp": "2026-05-28 22:02:23,428",
            "thread_id": "1276",
            "caller": "0x7ff6c28d9214",
            "parentcaller": "0x00000000",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "0",
                "pretty_value": "ThreadBasicInformation"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x03\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xd0\\x87\\x9d\\xf0\\x00\\x00\\x00\\xe8\\x1e\\x00\\x00\\x00\\x00\\x00\\x00\\xfc\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\n\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "1276"
              }
            ],
            "repeated": 0,
            "id": 22157
          },
          {
            "timestamp": "2026-05-28 22:02:23,428",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000000",
                "pretty_value": "HKEY_CLASSES_ROOT"
              },
              {
                "name": "SubKey",
                "value": "CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_CLASSES_ROOT\\CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              }
            ],
            "repeated": 0,
            "id": 22158
          },
          {
            "timestamp": "2026-05-28 22:02:23,428",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "shell32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76730000"
              }
            ],
            "repeated": 0,
            "id": 22159
          },
          {
            "timestamp": "2026-05-28 22:02:23,428",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x7ffc76730000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "shell32.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 22160
          },
          {
            "timestamp": "2026-05-28 22:02:23,428",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "SHELL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc76730000"
              },
              {
                "name": "FunctionName",
                "value": "DllGetClassObject"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc767878f0"
              }
            ],
            "repeated": 0,
            "id": 22161
          },
          {
            "timestamp": "2026-05-28 22:02:23,428",
            "thread_id": "1276",
            "caller": "0x7ff6c28c27c9",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "synchronization",
            "api": "NtFindAtom",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "AtomName",
                "value": "{57086C23-86C6-478F-AFB2-236188C8F47F} 3"
              },
              {
                "name": "Atom",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 22162
          },
          {
            "timestamp": "2026-05-28 22:02:23,428",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000000",
                "pretty_value": "HKEY_CLASSES_ROOT"
              },
              {
                "name": "SubKey",
                "value": "CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_CLASSES_ROOT\\CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              }
            ],
            "repeated": 0,
            "id": 22163
          },
          {
            "timestamp": "2026-05-28 22:02:23,428",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "shell32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76730000"
              }
            ],
            "repeated": 0,
            "id": 22164
          },
          {
            "timestamp": "2026-05-28 22:02:23,428",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x7ffc76730000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "shell32.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 22165
          },
          {
            "timestamp": "2026-05-28 22:02:23,428",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "SHELL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc76730000"
              },
              {
                "name": "FunctionName",
                "value": "DllGetClassObject"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc767878f0"
              }
            ],
            "repeated": 0,
            "id": 22166
          },
          {
            "timestamp": "2026-05-28 22:02:23,428",
            "thread_id": "1276",
            "caller": "0x7ff6c28c27c9",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "synchronization",
            "api": "NtFindAtom",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "AtomName",
                "value": "{57086C23-86C6-478F-AFB2-236188C8F47F} 3"
              },
              {
                "name": "Atom",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 22167
          },
          {
            "timestamp": "2026-05-28 22:02:23,428",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6fb1",
            "parentcaller": "0x7ff6c28e0076",
            "category": "system",
            "api": "NtDelayExecution",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 22168
          },
          {
            "timestamp": "2026-05-28 22:02:23,428",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000000",
                "pretty_value": "HKEY_CLASSES_ROOT"
              },
              {
                "name": "SubKey",
                "value": "CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_CLASSES_ROOT\\CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              }
            ],
            "repeated": 0,
            "id": 22169
          },
          {
            "timestamp": "2026-05-28 22:02:23,428",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "shell32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76730000"
              }
            ],
            "repeated": 0,
            "id": 22170
          },
          {
            "timestamp": "2026-05-28 22:02:23,428",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x7ffc76730000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "shell32.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 22171
          },
          {
            "timestamp": "2026-05-28 22:02:23,428",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "SHELL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc76730000"
              },
              {
                "name": "FunctionName",
                "value": "DllGetClassObject"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc767878f0"
              }
            ],
            "repeated": 0,
            "id": 22172
          },
          {
            "timestamp": "2026-05-28 22:02:23,428",
            "thread_id": "1276",
            "caller": "0x7ff6c28c27c9",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "synchronization",
            "api": "NtFindAtom",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "AtomName",
                "value": "{57086C23-86C6-478F-AFB2-236188C8F47F} 3"
              },
              {
                "name": "Atom",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 22173
          },
          {
            "timestamp": "2026-05-28 22:02:23,428",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000000",
                "pretty_value": "HKEY_CLASSES_ROOT"
              },
              {
                "name": "SubKey",
                "value": "CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_CLASSES_ROOT\\CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              }
            ],
            "repeated": 0,
            "id": 22174
          },
          {
            "timestamp": "2026-05-28 22:02:23,428",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "shell32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76730000"
              }
            ],
            "repeated": 0,
            "id": 22175
          },
          {
            "timestamp": "2026-05-28 22:02:23,428",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x7ffc76730000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "shell32.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 22176
          },
          {
            "timestamp": "2026-05-28 22:02:23,428",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "SHELL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc76730000"
              },
              {
                "name": "FunctionName",
                "value": "DllGetClassObject"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc767878f0"
              }
            ],
            "repeated": 0,
            "id": 22177
          },
          {
            "timestamp": "2026-05-28 22:02:23,428",
            "thread_id": "1276",
            "caller": "0x7ff6c28c27c9",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "synchronization",
            "api": "NtFindAtom",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "AtomName",
                "value": "{57086C23-86C6-478F-AFB2-236188C8F47F} 3"
              },
              {
                "name": "Atom",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 22178
          },
          {
            "timestamp": "2026-05-28 22:02:23,428",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000000",
                "pretty_value": "HKEY_CLASSES_ROOT"
              },
              {
                "name": "SubKey",
                "value": "CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_CLASSES_ROOT\\CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              }
            ],
            "repeated": 0,
            "id": 22179
          },
          {
            "timestamp": "2026-05-28 22:02:23,428",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "shell32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76730000"
              }
            ],
            "repeated": 0,
            "id": 22180
          },
          {
            "timestamp": "2026-05-28 22:02:23,428",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x7ffc76730000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "shell32.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 22181
          },
          {
            "timestamp": "2026-05-28 22:02:23,428",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "SHELL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc76730000"
              },
              {
                "name": "FunctionName",
                "value": "DllGetClassObject"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc767878f0"
              }
            ],
            "repeated": 0,
            "id": 22182
          },
          {
            "timestamp": "2026-05-28 22:02:23,428",
            "thread_id": "1276",
            "caller": "0x7ff6c28c27c9",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "synchronization",
            "api": "NtFindAtom",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "AtomName",
                "value": "{57086C23-86C6-478F-AFB2-236188C8F47F} 3"
              },
              {
                "name": "Atom",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 22183
          },
          {
            "timestamp": "2026-05-28 22:02:23,428",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000000",
                "pretty_value": "HKEY_CLASSES_ROOT"
              },
              {
                "name": "SubKey",
                "value": "CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_CLASSES_ROOT\\CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              }
            ],
            "repeated": 0,
            "id": 22184
          },
          {
            "timestamp": "2026-05-28 22:02:23,428",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "shell32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76730000"
              }
            ],
            "repeated": 0,
            "id": 22185
          },
          {
            "timestamp": "2026-05-28 22:02:23,428",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x7ffc76730000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "shell32.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 22186
          },
          {
            "timestamp": "2026-05-28 22:02:23,428",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "SHELL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc76730000"
              },
              {
                "name": "FunctionName",
                "value": "DllGetClassObject"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc767878f0"
              }
            ],
            "repeated": 0,
            "id": 22187
          },
          {
            "timestamp": "2026-05-28 22:02:23,428",
            "thread_id": "1276",
            "caller": "0x7ff6c28c27c9",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "synchronization",
            "api": "NtFindAtom",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "AtomName",
                "value": "{57086C23-86C6-478F-AFB2-236188C8F47F} 3"
              },
              {
                "name": "Atom",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 22188
          },
          {
            "timestamp": "2026-05-28 22:02:23,428",
            "thread_id": "1276",
            "caller": "0x7ff6c28d9322",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "oleaut32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc77330000"
              }
            ],
            "repeated": 0,
            "id": 22189
          },
          {
            "timestamp": "2026-05-28 22:02:23,428",
            "thread_id": "5448",
            "caller": "0x7ff6c28bb952",
            "parentcaller": "0x7ff6c28be837",
            "category": "windows",
            "api": "PostMessageW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "WindowHandle",
                "value": "0x00010402"
              },
              {
                "name": "Message",
                "value": "0x00000464"
              }
            ],
            "repeated": 0,
            "id": 22190
          },
          {
            "timestamp": "2026-05-28 22:02:23,428",
            "thread_id": "608",
            "caller": "0x7ff6c28d9e90",
            "parentcaller": "0x7ff6c28d9a49",
            "category": "windows",
            "api": "FindWindowW",
            "status": true,
            "return": "0x00010092",
            "arguments": [
              {
                "name": "ClassName",
                "value": "Shell_TrayWnd"
              },
              {
                "name": "WindowName",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 22191
          },
          {
            "timestamp": "2026-05-28 22:02:23,428",
            "thread_id": "2700",
            "caller": "0x7ffc77bf0e98",
            "parentcaller": "0x7ffc77c6b785",
            "category": "windows",
            "api": "PostMessageW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "WindowHandle",
                "value": "0x00010438"
              },
              {
                "name": "Message",
                "value": "0x00000400"
              }
            ],
            "repeated": 0,
            "id": 22192
          },
          {
            "timestamp": "2026-05-28 22:02:23,662",
            "thread_id": "1276",
            "caller": "0x7ffc77bf0e98",
            "parentcaller": "0x7ffc77c6b785",
            "category": "windows",
            "api": "PostMessageW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "WindowHandle",
                "value": "0x00010424"
              },
              {
                "name": "Message",
                "value": "0x00000400"
              }
            ],
            "repeated": 0,
            "id": 22193
          },
          {
            "timestamp": "2026-05-28 22:02:24,412",
            "thread_id": "5448",
            "caller": "0x7ff6c28bd9af",
            "parentcaller": "0x7ff6c28d9f92",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "23"
              },
              {
                "name": "ThreadInformation",
                "value": "\\xfe:\\xbcc\\x00\\x00\\x00\\x00N\\xe2W0V\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "5448"
              }
            ],
            "repeated": 0,
            "id": 22194
          },
          {
            "timestamp": "2026-05-28 22:02:24,412",
            "thread_id": "5448",
            "caller": "0x7ff6c28c63dd",
            "parentcaller": "0x7ff6c28bac26",
            "category": "misc",
            "api": "NtQuerySystemInformation",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SystemInformationClass",
                "value": "5",
                "pretty_value": "SystemProcessInformation"
              }
            ],
            "repeated": 0,
            "id": 22195
          },
          {
            "timestamp": "2026-05-28 22:02:24,412",
            "thread_id": "5448",
            "caller": "0x7ff6c28bda50",
            "parentcaller": "0x7ff6c28d9f92",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "23"
              },
              {
                "name": "ThreadInformation",
                "value": "^\\xb6 d\\x00\\x00\\x00\\x00^.\\xc50V\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "5448"
              }
            ],
            "repeated": 0,
            "id": 22196
          },
          {
            "timestamp": "2026-05-28 22:02:24,412",
            "thread_id": "5448",
            "caller": "0x7ff6c28bdaa2",
            "parentcaller": "0x7ff6c28d9f92",
            "category": "misc",
            "api": "NtQuerySystemInformation",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SystemInformationClass",
                "value": "3",
                "pretty_value": "SystemTimeOfDayInformation"
              }
            ],
            "repeated": 0,
            "id": 22197
          },
          {
            "timestamp": "2026-05-28 22:02:24,412",
            "thread_id": "5448",
            "caller": "0x7ff6c28c4a58",
            "parentcaller": "0x7ff6c28c4bdc",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000410"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\PcwDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00224013"
              },
              {
                "name": "InputBuffer",
                "value": "\\x14\\x04\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": "\\xb8\\x01\\x00\\x00\\x10\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xa8\\x01\\x00\\x00 \\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x000\\x00\\x00\\x0c\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00`\\x00\\x00\\x00\\x00\\x00\\x00\\x00 \\x00\\x00\\x00\\x04\\x00\\x00\\x000\\x00,\\x000\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x04\\x00\\x08\\x00V!\\x83\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x05\\x00\\x08\\x00j\\xed\\x92\\x01\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x1a\\x00\\x08\\x00\\xd6\\x8a\\x84\\xbf\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x1b\\x00\\x04\\x00\\xfa\\x91\\x89\\x03\\x00\\x00\\x00\\x00`\\x00\\x00\\x00\\x01\\x00\\x00\\x00 \\x00\\x00\\x00\\x04\\x00\\x00\\x000\\x00,\\x001\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x04\\x00\\x08\\x00\\xec\\x8dR\\x01\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x05\\x00\\x08\\x00\\xde9\\x1a\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x1a\\x00\\x08\\x001\\xb2\\xf0\\xc4\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x1b\\x00\\x04\\x00\\xff\\x91\\x89\\x03\\x00\\x00\\x00\\x00h\\x00\\x00\\x00\\x02\\x00\\x00\\x00(\\x00\\x00\\x00\\x04\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 22198
          },
          {
            "timestamp": "2026-05-28 22:02:24,412",
            "thread_id": "5448",
            "caller": "0x7ff6c28c4a58",
            "parentcaller": "0x7ff6c28c4c19",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000410"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\PcwDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00224013"
              },
              {
                "name": "InputBuffer",
                "value": "\\x18\\x04\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": "x\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00h\\x00\\x00\\x00 \\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00H\\x00\\x00\\x00\\x00\\x00\\x00\\x00(\\x00\\x00\\x00\\x02\\x00\\x00\\x00d\\x00e\\x00f\\x00a\\x00u\\x00l\\x00t\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x08\\x00\\x1b\\xca\\xe7\\xa0\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x01\\x00\\x08\\x00\\x00\\xc0\\x89\\x0c\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 22199
          },
          {
            "timestamp": "2026-05-28 22:02:24,412",
            "thread_id": "5448",
            "caller": "0x7ff6c28c6f7b",
            "parentcaller": "0x7ff6c28bdb94",
            "category": "misc",
            "api": "GlobalMemoryStatusEx",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "MemoryLoad",
                "value": "36"
              },
              {
                "name": "TotalPhysicalMB",
                "value": "8191"
              }
            ],
            "repeated": 0,
            "id": 22200
          },
          {
            "timestamp": "2026-05-28 22:02:24,412",
            "thread_id": "5448",
            "caller": "0x7ff6c28c05ac",
            "parentcaller": "0x7ff6c28bdc11",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000ab0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001400",
                "pretty_value": "PROCESS_QUERY_INFORMATION|PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "748"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\148.0.3967.83\\identity_helper.exe"
              }
            ],
            "repeated": 0,
            "id": 22201
          },
          {
            "timestamp": "2026-05-28 22:02:24,412",
            "thread_id": "5448",
            "caller": "0x7ff6c28c068f",
            "parentcaller": "0x7ff6c28bdc11",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000ab0"
              }
            ],
            "repeated": 0,
            "id": 22202
          },
          {
            "timestamp": "2026-05-28 22:02:24,412",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c6d7d",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000ab0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001400",
                "pretty_value": "PROCESS_QUERY_INFORMATION|PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "748"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\148.0.3967.83\\identity_helper.exe"
              }
            ],
            "repeated": 0,
            "id": 22203
          },
          {
            "timestamp": "2026-05-28 22:02:24,412",
            "thread_id": "5448",
            "caller": "0x7ff6c28c6de3",
            "parentcaller": "0x7ff6c28c087c",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000ab0"
              }
            ],
            "repeated": 0,
            "id": 22204
          },
          {
            "timestamp": "2026-05-28 22:02:24,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28c4a58",
            "parentcaller": "0x7ff6c28bab11",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000410"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\PcwDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00224013"
              },
              {
                "name": "InputBuffer",
                "value": "\\x88\\x08\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": "x\\x02\\x00\\x00\\x10\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00h\\x02\\x00\\x00 \\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01<\\x06\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x90\\x00\\x00\\x00\\x00\\x00\\x00\\x00 \\x00\\x00\\x00\\x07\\x00\\x00\\x000\\x00,\\x000\\x00\\x00\\x00a\\x00n\\x00a\\x00g\\x00\\x10\\x00\\x00\\x00\\x10\\x00\\x04\\x00\\x00\\x00\\x00\\x00A\\x00p\\x00\\x10\\x00\\x00\\x00\\x1a\\x00\\x08\\x00E\\xd7\\x83\\xbf\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x1b\\x00\\x04\\x00.\\x90\\x89\\x03S\\x00e\\x00\\x10\\x00\\x00\\x00\\x1c\\x00\\x08\\x00\\x8b\\xc2\\xc4\\x08\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x1d\\x00\\x04\\x00.\\x90\\x89\\x03)\\x00\\x00\\x00\\x10\\x00\\x00\\x00!\\x00\\x08\\x0007>\\x93\\x1b\\x00\\x00\\x00\\x10\\x00\\x00\\x00\"\\x00\\x04\\x00FG\\xea\\x01o\\x00f\\x00\\x90\\x00\\x00\\x00\\x01\\x00\\x00\\x00 \\x00\\x00\\x00\\x07\\x00\\x00\\x000\\x00,\\x001\\x00\\x00\\x00n\\x00t\\x00\\x00\\x00A\\x00\\x10\\x00\\x00\\x00\\x10\\x00\\x04\\x00\\x00\\x00\\x00\\x00e\\x00n\\x00\\x10\\x00\\x00\\x00\\x1a\\x00\\x08\\x00 3\\xf1\\xc4\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 22205
          },
          {
            "timestamp": "2026-05-28 22:02:24,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28c7164",
            "parentcaller": "0x7ff6c28c4d2d",
            "category": "misc",
            "api": "NtQuerySystemInformation",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "SystemInformationClass",
                "value": "79"
              }
            ],
            "repeated": 0,
            "id": 22206
          },
          {
            "timestamp": "2026-05-28 22:02:24,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28c71d8",
            "parentcaller": "0x7ff6c28c4d2d",
            "category": "misc",
            "api": "NtQuerySystemInformation",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SystemInformationClass",
                "value": "79"
              }
            ],
            "repeated": 0,
            "id": 22207
          },
          {
            "timestamp": "2026-05-28 22:02:24,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28c4d5f",
            "parentcaller": "0x7ff6c28d9152",
            "category": "misc",
            "api": "NtQuerySystemInformation",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SystemInformationClass",
                "value": "182"
              }
            ],
            "repeated": 0,
            "id": 22208
          },
          {
            "timestamp": "2026-05-28 22:02:24,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28c4d76",
            "parentcaller": "0x7ff6c28d9152",
            "category": "misc",
            "api": "GetPhysicallyInstalledSystemMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TotalMemoryInKilobytes",
                "value": "8388608"
              }
            ],
            "repeated": 0,
            "id": 22209
          },
          {
            "timestamp": "2026-05-28 22:02:24,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28bcc3e",
            "parentcaller": "0x7ff6c28baa3d",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000008a4"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\Nsi"
              },
              {
                "name": "IoControlCode",
                "value": "0x00120007"
              },
              {
                "name": "InputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb1\\xa9t\\xfc\\x7f\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xc0\\xe5O\\x9e\\xf0\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb1\\xa9t\\xfc\\x7f\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xc0\\xe5O\\x9e\\xf0\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 22210
          },
          {
            "timestamp": "2026-05-28 22:02:24,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28bcc3e",
            "parentcaller": "0x7ff6c28baa3d",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000ab0"
              }
            ],
            "repeated": 0,
            "id": 22211
          },
          {
            "timestamp": "2026-05-28 22:02:24,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28bcc3e",
            "parentcaller": "0x7ff6c28baa3d",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000008a4"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\Nsi"
              },
              {
                "name": "IoControlCode",
                "value": "0x0012000f"
              },
              {
                "name": "InputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb1\\xa9t\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xd0\\xe5O\\x9e\\xf0\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\xeeO\\x9e\\xf0\\x00\\x00\\x00D\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xe6O\\x9e\\xf0\\x00\\x00\\x00\\xd8\\x00\\x00\\x00\\x00\\x00\\x00\\x00 \\xe9O\\x9e\\xf0\\x00\\x00\\x00X\\x02\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb1\\xa9t\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xd0\\xe5O\\x9e\\xf0\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\xeeO\\x9e\\xf0\\x00\\x00\\x00D\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xe6O\\x9e\\xf0\\x00\\x00\\x00\\xd8\\x00\\x00\\x00\\x00\\x00\\x00\\x00 \\xe9O\\x9e\\xf0\\x00\\x00\\x00X\\x02\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 22212
          },
          {
            "timestamp": "2026-05-28 22:02:24,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28bcc3e",
            "parentcaller": "0x7ff6c28baa3d",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000ab0"
              }
            ],
            "repeated": 0,
            "id": 22213
          },
          {
            "timestamp": "2026-05-28 22:02:24,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28bcd3d",
            "parentcaller": "0x7ff6c28baa3d",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000ab0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0012019f",
                "pretty_value": "FILE_GENERIC_READ|FILE_GENERIC_WRITE"
              },
              {
                "name": "FileName",
                "value": "\\Device\\{4C572733-2FBA-4346-9601-F86DBA666EF2}"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 22214
          },
          {
            "timestamp": "2026-05-28 22:02:24,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28bcd94",
            "parentcaller": "0x7ff6c28baa3d",
            "category": "device",
            "api": "DeviceIoControl",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "DeviceHandle",
                "value": "0x00000ab0"
              },
              {
                "name": "IoControlCode",
                "value": "0x0017003e"
              },
              {
                "name": "InBuffer",
                "value": "\\x07\\x01\\x01\\x00\\x04\\x01\\x01\\x80\\x14\\x01\\x01\\x80\\x01\\x01\\x02\\x00\\x02\\x01\\x02\\x00\\x03\\x01\\x02\\x00\\x04\\x01\\x02\\x00\\x08\\x02\\x02\\x80\\x01\\x02\\x02\\x80\\x07\\x02\\x02\\x80\\xff\\xff\\xff\\x80\\x13\\x02\\x02\\x80\\x14\\x02\\x02\\x80\\x15\\x02\\x02\\x80\\x02\\x02\\x01\\x80"
              },
              {
                "name": "OutBuffer",
                "value": "\\x07\\x01\\x01\\x00\\x04\\x00\\x00\\x00\\x80\\x96\\x98\\x00\\x04\\x01\\x01\\x80\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x14\\x01\\x01\\x80\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x01\\x02\\x00\\x08\\x00\\x00\\x00\\x91\\x15\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x01\\x02\\x00\\x08\\x00\\x00\\x00\\xa4n\\x00\\x00\\x00\\x00\\x00\\x00\\x03\\x01\\x02\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x04\\x01\\x02\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x08\\x02\\x02\\x80\\x08\\x00\\x00\\x00\\x9fn\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x02\\x02\\x80\\x08\\x00\\x00\\x00\\xe2\\xefT\\x00\\x00\\x00\\x00\\x00\\x07\\x02\\x02\\x80\\x08\\x00\\x00\\x00\\xc4\\x9e4\\x02\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\x80\\x04\\x00\\x00\\x00Z\\x00\\x00\\x00\\x13\\x02\\x02\\x80\\x04\\x00\\x00\\x00m\\x00\\x00\\x00\\x14\\x02\\x02\\x80\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x15\\x02\\x02\\x80\\x04\\x00\\x00\\x00\\x00\\x00\\x04\\x00\\x02\\x02\\x01\\x80\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 22215
          },
          {
            "timestamp": "2026-05-28 22:02:24,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28bcdab",
            "parentcaller": "0x7ff6c28baa3d",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000ab0"
              }
            ],
            "repeated": 0,
            "id": 22216
          },
          {
            "timestamp": "2026-05-28 22:02:24,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28c1a63",
            "parentcaller": "0x7ff6c28d9152",
            "category": "device",
            "api": "DeviceIoControl",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "DeviceHandle",
                "value": "0x0000089c"
              },
              {
                "name": "IoControlCode",
                "value": "0x00070020"
              },
              {
                "name": "InBuffer",
                "value": ""
              },
              {
                "name": "OutBuffer",
                "value": "\\x00\\x00\\x02v\\x00\\x00\\x00\\x00\\x00\\xba\\xab\n\\x00\\x00\\x00\\x00\\xd2e\\x81 \\x00\\x00\\x00\\x00\\xabw\\xab\\x14\\x00\\x00\\x00\\x00\\xf0\\x94.%\\x00\\x00\\x00\\x00Iv\\x00\\x00\\xa6\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\xcd\\x04\\x00\\x00\\x82\\xec.\\xaa\\xed\\xee\\xdc\\x01\\x00\\x00\\x00\\x00P\\x00a\\x00r\\x00t\\x00m\\x00g\\x00r\\x00 \\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 22217
          },
          {
            "timestamp": "2026-05-28 22:02:24,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28ca352",
            "parentcaller": "0x7ff6c28ca1d6",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 22218
          },
          {
            "timestamp": "2026-05-28 22:02:24,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28ca352",
            "parentcaller": "0x7ff6c28ca1d6",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "0",
                "pretty_value": "ThreadBasicInformation"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x03\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb0\\x88\\x9d\\xf0\\x00\\x00\\x00\\xe8\\x1e\\x00\\x00\\x00\\x00\\x00\\x00\\x9c!\\x00\\x00\\x00\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x0b\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "8604"
              }
            ],
            "repeated": 0,
            "id": 22219
          },
          {
            "timestamp": "2026-05-28 22:02:24,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28ca352",
            "parentcaller": "0x7ff6c28ca1d6",
            "category": "system",
            "api": "GetSystemTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 1,
            "id": 22220
          },
          {
            "timestamp": "2026-05-28 22:02:24,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28ca352",
            "parentcaller": "0x7ff6c28ca1d6",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000410"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\PcwDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00224013"
              },
              {
                "name": "InputBuffer",
                "value": "\\x00\t\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": "\\xe0G\\x00\\x00\\x10\\x00\\x00\\x00\\x0c\\x00\\x00\\x00\\x00\\x00\\x00\\x00`\\x14\\x00\\x00 \\x00\\x00\\x00!\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\n\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x98\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x88\\x00\\x00\\x00\\x01\\x00\\x00\\x00p\\x00i\\x00d\\x00_\\x004\\x00_\\x00l\\x00u\\x00i\\x00d\\x00_\\x000\\x00x\\x000\\x000\\x000\\x000\\x000\\x000\\x000\\x000\\x00_\\x000\\x00x\\x000\\x000\\x000\\x000\\x006\\x001\\x006\\x00A\\x00_\\x00p\\x00h\\x00y\\x00s\\x00_\\x000\\x00_\\x00e\\x00n\\x00g\\x00_\\x000\\x00_\\x00e\\x00n\\x00g\\x00t\\x00y\\x00p\\x00e\\x00_\\x003\\x00D\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x01\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x98\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x88\\x00\\x00\\x00\\x01\\x00\\x00\\x00p\\x00i\\x00d\\x00_\\x004\\x00_\\x00l\\x00u\\x00i\\x00d\\x00_\\x000\\x00x\\x000\\x000\\x000\\x000\\x000\\x000\\x000\\x00"
              }
            ],
            "repeated": 0,
            "id": 22221
          },
          {
            "timestamp": "2026-05-28 22:02:24,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28f9829",
            "parentcaller": "0x7ff6c28d8f00",
            "category": "windows",
            "api": "PostMessageW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "WindowHandle",
                "value": "0x000203fa"
              },
              {
                "name": "Message",
                "value": "0x000004e1"
              }
            ],
            "repeated": 0,
            "id": 22222
          },
          {
            "timestamp": "2026-05-28 22:02:24,412",
            "thread_id": "1496",
            "caller": "0x7ff6c2958576",
            "parentcaller": "0x7ff6c2957a42",
            "category": "misc",
            "api": "NtQuerySystemInformation",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SystemInformationClass",
                "value": "3",
                "pretty_value": "FILE_OPEN_IF"
              }
            ],
            "repeated": 0,
            "id": 22223
          },
          {
            "timestamp": "2026-05-28 22:02:24,412",
            "thread_id": "1276",
            "caller": "0x7ff6c28d9214",
            "parentcaller": "0x00000000",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "0",
                "pretty_value": "ThreadBasicInformation"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x03\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xd0\\x87\\x9d\\xf0\\x00\\x00\\x00\\xe8\\x1e\\x00\\x00\\x00\\x00\\x00\\x00\\xfc\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\n\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "1276"
              }
            ],
            "repeated": 0,
            "id": 22224
          },
          {
            "timestamp": "2026-05-28 22:02:24,428",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000000",
                "pretty_value": "HKEY_CLASSES_ROOT"
              },
              {
                "name": "SubKey",
                "value": "CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_CLASSES_ROOT\\CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              }
            ],
            "repeated": 0,
            "id": 22225
          },
          {
            "timestamp": "2026-05-28 22:02:24,428",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "shell32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76730000"
              }
            ],
            "repeated": 0,
            "id": 22226
          },
          {
            "timestamp": "2026-05-28 22:02:24,428",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x7ffc76730000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "shell32.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 22227
          },
          {
            "timestamp": "2026-05-28 22:02:24,428",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "SHELL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc76730000"
              },
              {
                "name": "FunctionName",
                "value": "DllGetClassObject"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc767878f0"
              }
            ],
            "repeated": 0,
            "id": 22228
          },
          {
            "timestamp": "2026-05-28 22:02:24,428",
            "thread_id": "1276",
            "caller": "0x7ff6c28c27c9",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "synchronization",
            "api": "NtFindAtom",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "AtomName",
                "value": "{57086C23-86C6-478F-AFB2-236188C8F47F} 3"
              },
              {
                "name": "Atom",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 22229
          },
          {
            "timestamp": "2026-05-28 22:02:24,428",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000000",
                "pretty_value": "HKEY_CLASSES_ROOT"
              },
              {
                "name": "SubKey",
                "value": "CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_CLASSES_ROOT\\CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              }
            ],
            "repeated": 0,
            "id": 22230
          },
          {
            "timestamp": "2026-05-28 22:02:24,428",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "shell32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76730000"
              }
            ],
            "repeated": 0,
            "id": 22231
          },
          {
            "timestamp": "2026-05-28 22:02:24,428",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x7ffc76730000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "shell32.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 22232
          },
          {
            "timestamp": "2026-05-28 22:02:24,428",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "SHELL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc76730000"
              },
              {
                "name": "FunctionName",
                "value": "DllGetClassObject"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc767878f0"
              }
            ],
            "repeated": 0,
            "id": 22233
          },
          {
            "timestamp": "2026-05-28 22:02:24,428",
            "thread_id": "1276",
            "caller": "0x7ff6c28c27c9",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "synchronization",
            "api": "NtFindAtom",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "AtomName",
                "value": "{57086C23-86C6-478F-AFB2-236188C8F47F} 3"
              },
              {
                "name": "Atom",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 22234
          },
          {
            "timestamp": "2026-05-28 22:02:24,428",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6fb1",
            "parentcaller": "0x7ff6c28e0076",
            "category": "system",
            "api": "NtDelayExecution",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 22235
          },
          {
            "timestamp": "2026-05-28 22:02:24,428",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000000",
                "pretty_value": "HKEY_CLASSES_ROOT"
              },
              {
                "name": "SubKey",
                "value": "CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_CLASSES_ROOT\\CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              }
            ],
            "repeated": 0,
            "id": 22236
          },
          {
            "timestamp": "2026-05-28 22:02:24,428",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "shell32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76730000"
              }
            ],
            "repeated": 0,
            "id": 22237
          },
          {
            "timestamp": "2026-05-28 22:02:24,428",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x7ffc76730000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "shell32.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 22238
          },
          {
            "timestamp": "2026-05-28 22:02:24,428",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "SHELL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc76730000"
              },
              {
                "name": "FunctionName",
                "value": "DllGetClassObject"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc767878f0"
              }
            ],
            "repeated": 0,
            "id": 22239
          },
          {
            "timestamp": "2026-05-28 22:02:24,428",
            "thread_id": "1276",
            "caller": "0x7ff6c28c27c9",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "synchronization",
            "api": "NtFindAtom",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "AtomName",
                "value": "{57086C23-86C6-478F-AFB2-236188C8F47F} 3"
              },
              {
                "name": "Atom",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 22240
          },
          {
            "timestamp": "2026-05-28 22:02:24,428",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000000",
                "pretty_value": "HKEY_CLASSES_ROOT"
              },
              {
                "name": "SubKey",
                "value": "CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_CLASSES_ROOT\\CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              }
            ],
            "repeated": 0,
            "id": 22241
          },
          {
            "timestamp": "2026-05-28 22:02:24,428",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "shell32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76730000"
              }
            ],
            "repeated": 0,
            "id": 22242
          },
          {
            "timestamp": "2026-05-28 22:02:24,428",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x7ffc76730000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "shell32.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 22243
          },
          {
            "timestamp": "2026-05-28 22:02:24,428",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "SHELL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc76730000"
              },
              {
                "name": "FunctionName",
                "value": "DllGetClassObject"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc767878f0"
              }
            ],
            "repeated": 0,
            "id": 22244
          },
          {
            "timestamp": "2026-05-28 22:02:24,428",
            "thread_id": "1276",
            "caller": "0x7ff6c28c27c9",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "synchronization",
            "api": "NtFindAtom",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "AtomName",
                "value": "{57086C23-86C6-478F-AFB2-236188C8F47F} 3"
              },
              {
                "name": "Atom",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 22245
          },
          {
            "timestamp": "2026-05-28 22:02:24,428",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000000",
                "pretty_value": "HKEY_CLASSES_ROOT"
              },
              {
                "name": "SubKey",
                "value": "CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_CLASSES_ROOT\\CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              }
            ],
            "repeated": 0,
            "id": 22246
          },
          {
            "timestamp": "2026-05-28 22:02:24,428",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "shell32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76730000"
              }
            ],
            "repeated": 0,
            "id": 22247
          },
          {
            "timestamp": "2026-05-28 22:02:24,428",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x7ffc76730000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "shell32.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 22248
          },
          {
            "timestamp": "2026-05-28 22:02:24,428",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "SHELL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc76730000"
              },
              {
                "name": "FunctionName",
                "value": "DllGetClassObject"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc767878f0"
              }
            ],
            "repeated": 0,
            "id": 22249
          },
          {
            "timestamp": "2026-05-28 22:02:24,428",
            "thread_id": "1276",
            "caller": "0x7ff6c28c27c9",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "synchronization",
            "api": "NtFindAtom",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "AtomName",
                "value": "{57086C23-86C6-478F-AFB2-236188C8F47F} 3"
              },
              {
                "name": "Atom",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 22250
          },
          {
            "timestamp": "2026-05-28 22:02:24,428",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000000",
                "pretty_value": "HKEY_CLASSES_ROOT"
              },
              {
                "name": "SubKey",
                "value": "CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_CLASSES_ROOT\\CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              }
            ],
            "repeated": 0,
            "id": 22251
          },
          {
            "timestamp": "2026-05-28 22:02:24,428",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "shell32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76730000"
              }
            ],
            "repeated": 0,
            "id": 22252
          },
          {
            "timestamp": "2026-05-28 22:02:24,428",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x7ffc76730000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "shell32.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 22253
          },
          {
            "timestamp": "2026-05-28 22:02:24,428",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "SHELL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc76730000"
              },
              {
                "name": "FunctionName",
                "value": "DllGetClassObject"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc767878f0"
              }
            ],
            "repeated": 0,
            "id": 22254
          },
          {
            "timestamp": "2026-05-28 22:02:24,428",
            "thread_id": "1276",
            "caller": "0x7ff6c28c27c9",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "synchronization",
            "api": "NtFindAtom",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "AtomName",
                "value": "{57086C23-86C6-478F-AFB2-236188C8F47F} 3"
              },
              {
                "name": "Atom",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 22255
          },
          {
            "timestamp": "2026-05-28 22:02:24,428",
            "thread_id": "1276",
            "caller": "0x7ff6c28d9322",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "oleaut32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc77330000"
              }
            ],
            "repeated": 0,
            "id": 22256
          },
          {
            "timestamp": "2026-05-28 22:02:24,428",
            "thread_id": "5448",
            "caller": "0x7ff6c28bb952",
            "parentcaller": "0x7ff6c28be837",
            "category": "windows",
            "api": "PostMessageW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "WindowHandle",
                "value": "0x00010402"
              },
              {
                "name": "Message",
                "value": "0x00000464"
              }
            ],
            "repeated": 0,
            "id": 22257
          },
          {
            "timestamp": "2026-05-28 22:02:24,428",
            "thread_id": "608",
            "caller": "0x7ff6c28d9e90",
            "parentcaller": "0x7ff6c28d9a49",
            "category": "windows",
            "api": "FindWindowW",
            "status": true,
            "return": "0x00010092",
            "arguments": [
              {
                "name": "ClassName",
                "value": "Shell_TrayWnd"
              },
              {
                "name": "WindowName",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 22258
          },
          {
            "timestamp": "2026-05-28 22:02:24,428",
            "thread_id": "2700",
            "caller": "0x7ffc77bf0e98",
            "parentcaller": "0x7ffc77c6b785",
            "category": "windows",
            "api": "PostMessageW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "WindowHandle",
                "value": "0x00010438"
              },
              {
                "name": "Message",
                "value": "0x00000400"
              }
            ],
            "repeated": 0,
            "id": 22259
          },
          {
            "timestamp": "2026-05-28 22:02:24,631",
            "thread_id": "1276",
            "caller": "0x7ffc77bf0e98",
            "parentcaller": "0x7ffc77c6b785",
            "category": "windows",
            "api": "PostMessageW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "WindowHandle",
                "value": "0x00010424"
              },
              {
                "name": "Message",
                "value": "0x00000400"
              }
            ],
            "repeated": 0,
            "id": 22260
          },
          {
            "timestamp": "2026-05-28 22:02:25,412",
            "thread_id": "5448",
            "caller": "0x7ff6c28bd9af",
            "parentcaller": "0x7ff6c28d9f92",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "23"
              },
              {
                "name": "ThreadInformation",
                "value": "\\xb2\\x87Md\\x00\\x00\\x00\\x00@ P\\x0cW\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "5448"
              }
            ],
            "repeated": 0,
            "id": 22261
          },
          {
            "timestamp": "2026-05-28 22:02:25,412",
            "thread_id": "5448",
            "caller": "0x7ff6c28c63dd",
            "parentcaller": "0x7ff6c28bac26",
            "category": "misc",
            "api": "NtQuerySystemInformation",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SystemInformationClass",
                "value": "5",
                "pretty_value": "SystemProcessInformation"
              }
            ],
            "repeated": 0,
            "id": 22262
          },
          {
            "timestamp": "2026-05-28 22:02:25,412",
            "thread_id": "5448",
            "caller": "0x7ff6c28bda50",
            "parentcaller": "0x7ff6c28d9f92",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "23"
              },
              {
                "name": "ThreadInformation",
                "value": "Z\\xc1\\x8fd\\x00\\x00\\x00\\x00\\xc8\\xc1\\x95\\x0cW\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "5448"
              }
            ],
            "repeated": 0,
            "id": 22263
          },
          {
            "timestamp": "2026-05-28 22:02:25,412",
            "thread_id": "5448",
            "caller": "0x7ff6c28bdaa2",
            "parentcaller": "0x7ff6c28d9f92",
            "category": "misc",
            "api": "NtQuerySystemInformation",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SystemInformationClass",
                "value": "3",
                "pretty_value": "SystemTimeOfDayInformation"
              }
            ],
            "repeated": 0,
            "id": 22264
          },
          {
            "timestamp": "2026-05-28 22:02:25,412",
            "thread_id": "5448",
            "caller": "0x7ff6c28c4a58",
            "parentcaller": "0x7ff6c28c4bdc",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000410"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\PcwDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00224013"
              },
              {
                "name": "InputBuffer",
                "value": "\\x14\\x04\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": "\\xb8\\x01\\x00\\x00\\x10\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xa8\\x01\\x00\\x00 \\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x000\\x00\\x00\\x0c\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00`\\x00\\x00\\x00\\x00\\x00\\x00\\x00 \\x00\\x00\\x00\\x04\\x00\\x00\\x000\\x00,\\x000\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x04\\x00\\x08\\x00V!\\x83\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x05\\x00\\x08\\x00j\\xed\\x92\\x01\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x1a\\x00\\x08\\x00\\xac\\x95>\\xc3\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x1b\\x00\\x04\\x00S\\x1c\\x93\\x03\\x00\\x00\\x00\\x00`\\x00\\x00\\x00\\x01\\x00\\x00\\x00 \\x00\\x00\\x00\\x04\\x00\\x00\\x000\\x00,\\x001\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x04\\x00\\x08\\x00\\xec\\x8dR\\x01\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x05\\x00\\x08\\x008\\x9c\\x1c\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x1a\\x00\\x08\\x00@\\xbd\\xaa\\xc8\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x1b\\x00\\x04\\x00Y\\x1c\\x93\\x03\\x00\\x00\\x00\\x00h\\x00\\x00\\x00\\x02\\x00\\x00\\x00(\\x00\\x00\\x00\\x04\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 22265
          },
          {
            "timestamp": "2026-05-28 22:02:25,412",
            "thread_id": "5448",
            "caller": "0x7ff6c28c4a58",
            "parentcaller": "0x7ff6c28c4c19",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000410"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\PcwDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00224013"
              },
              {
                "name": "InputBuffer",
                "value": "\\x18\\x04\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": "x\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00h\\x00\\x00\\x00 \\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00H\\x00\\x00\\x00\\x00\\x00\\x00\\x00(\\x00\\x00\\x00\\x02\\x00\\x00\\x00d\\x00e\\x00f\\x00a\\x00u\\x00l\\x00t\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x08\\x00\\x1b\\xca\\xe7\\xa0\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x01\\x00\\x08\\x00\\x000\\xaa\\x0c\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 22266
          },
          {
            "timestamp": "2026-05-28 22:02:25,412",
            "thread_id": "5448",
            "caller": "0x7ff6c28c6f7b",
            "parentcaller": "0x7ff6c28bdb94",
            "category": "misc",
            "api": "GlobalMemoryStatusEx",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "MemoryLoad",
                "value": "36"
              },
              {
                "name": "TotalPhysicalMB",
                "value": "8191"
              }
            ],
            "repeated": 0,
            "id": 22267
          },
          {
            "timestamp": "2026-05-28 22:02:25,412",
            "thread_id": "5448",
            "caller": "0x7ff6c28c05ac",
            "parentcaller": "0x7ff6c28bdc11",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000aa0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001400",
                "pretty_value": "PROCESS_QUERY_INFORMATION|PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "748"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\148.0.3967.83\\identity_helper.exe"
              }
            ],
            "repeated": 0,
            "id": 22268
          },
          {
            "timestamp": "2026-05-28 22:02:25,412",
            "thread_id": "5448",
            "caller": "0x7ff6c28c068f",
            "parentcaller": "0x7ff6c28bdc11",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000aa0"
              }
            ],
            "repeated": 0,
            "id": 22269
          },
          {
            "timestamp": "2026-05-28 22:02:25,412",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c6d7d",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000aa0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001400",
                "pretty_value": "PROCESS_QUERY_INFORMATION|PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "748"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\148.0.3967.83\\identity_helper.exe"
              }
            ],
            "repeated": 0,
            "id": 22270
          },
          {
            "timestamp": "2026-05-28 22:02:25,412",
            "thread_id": "5448",
            "caller": "0x7ff6c28c6de3",
            "parentcaller": "0x7ff6c28c087c",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000aa0"
              }
            ],
            "repeated": 0,
            "id": 22271
          },
          {
            "timestamp": "2026-05-28 22:02:25,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28c4a58",
            "parentcaller": "0x7ff6c28bab11",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000410"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\PcwDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00224013"
              },
              {
                "name": "InputBuffer",
                "value": "\\x88\\x08\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": "x\\x02\\x00\\x00\\x10\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00h\\x02\\x00\\x00 \\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01<\\x06\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x90\\x00\\x00\\x00\\x00\\x00\\x00\\x00 \\x00\\x00\\x00\\x07\\x00\\x00\\x000\\x00,\\x000\\x00\\x00\\x00a\\x00n\\x00a\\x00g\\x00\\x10\\x00\\x00\\x00\\x10\\x00\\x04\\x00\\x00\\x00\\x00\\x00A\\x00p\\x00\\x10\\x00\\x00\\x00\\x1a\\x00\\x08\\x00\\xceZ=\\xc3\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x1b\\x00\\x04\\x00-\\x19\\x93\\x03S\\x00e\\x00\\x10\\x00\\x00\\x00\\x1c\\x00\\x08\\x00\\x8b\\xc2\\xc4\\x08\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x1d\\x00\\x04\\x00-\\x19\\x93\\x03)\\x00\\x00\\x00\\x10\\x00\\x00\\x00!\\x00\\x08\\x00\\x17\\xbc\\x88\\x1c\\x1c\\x00\\x00\\x00\\x10\\x00\\x00\\x00\"\\x00\\x04\\x00E\\xd0\\xf3\\x01o\\x00f\\x00\\x90\\x00\\x00\\x00\\x01\\x00\\x00\\x00 \\x00\\x00\\x00\\x07\\x00\\x00\\x000\\x00,\\x001\\x00\\x00\\x00n\\x00t\\x00\\x00\\x00A\\x00\\x10\\x00\\x00\\x00\\x10\\x00\\x04\\x00\\x00\\x00\\x00\\x00e\\x00n\\x00\\x10\\x00\\x00\\x00\\x1a\\x00\\x08\\x00\\xa3\\x1a\\xab\\xc8\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 22272
          },
          {
            "timestamp": "2026-05-28 22:02:25,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28c7164",
            "parentcaller": "0x7ff6c28c4d2d",
            "category": "misc",
            "api": "NtQuerySystemInformation",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "SystemInformationClass",
                "value": "79"
              }
            ],
            "repeated": 0,
            "id": 22273
          },
          {
            "timestamp": "2026-05-28 22:02:25,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28c71d8",
            "parentcaller": "0x7ff6c28c4d2d",
            "category": "misc",
            "api": "NtQuerySystemInformation",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SystemInformationClass",
                "value": "79"
              }
            ],
            "repeated": 0,
            "id": 22274
          },
          {
            "timestamp": "2026-05-28 22:02:25,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28c4d5f",
            "parentcaller": "0x7ff6c28d9152",
            "category": "misc",
            "api": "NtQuerySystemInformation",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SystemInformationClass",
                "value": "182"
              }
            ],
            "repeated": 0,
            "id": 22275
          },
          {
            "timestamp": "2026-05-28 22:02:25,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28c4d76",
            "parentcaller": "0x7ff6c28d9152",
            "category": "misc",
            "api": "GetPhysicallyInstalledSystemMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TotalMemoryInKilobytes",
                "value": "8388608"
              }
            ],
            "repeated": 0,
            "id": 22276
          },
          {
            "timestamp": "2026-05-28 22:02:25,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28bcc3e",
            "parentcaller": "0x7ff6c28baa3d",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000008a4"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\Nsi"
              },
              {
                "name": "IoControlCode",
                "value": "0x00120007"
              },
              {
                "name": "InputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb1\\xa9t\\xfc\\x7f\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xc0\\xe5O\\x9e\\xf0\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb1\\xa9t\\xfc\\x7f\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xc0\\xe5O\\x9e\\xf0\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 22277
          },
          {
            "timestamp": "2026-05-28 22:02:25,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28bcc3e",
            "parentcaller": "0x7ff6c28baa3d",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000aa0"
              }
            ],
            "repeated": 0,
            "id": 22278
          },
          {
            "timestamp": "2026-05-28 22:02:25,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28bcc3e",
            "parentcaller": "0x7ff6c28baa3d",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000008a4"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\Nsi"
              },
              {
                "name": "IoControlCode",
                "value": "0x0012000f"
              },
              {
                "name": "InputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb1\\xa9t\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xd0\\xe5O\\x9e\\xf0\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\xeeO\\x9e\\xf0\\x00\\x00\\x00D\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xe6O\\x9e\\xf0\\x00\\x00\\x00\\xd8\\x00\\x00\\x00\\x00\\x00\\x00\\x00 \\xe9O\\x9e\\xf0\\x00\\x00\\x00X\\x02\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb1\\xa9t\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xd0\\xe5O\\x9e\\xf0\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\xeeO\\x9e\\xf0\\x00\\x00\\x00D\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xe6O\\x9e\\xf0\\x00\\x00\\x00\\xd8\\x00\\x00\\x00\\x00\\x00\\x00\\x00 \\xe9O\\x9e\\xf0\\x00\\x00\\x00X\\x02\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 22279
          },
          {
            "timestamp": "2026-05-28 22:02:25,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28bcc3e",
            "parentcaller": "0x7ff6c28baa3d",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000aa0"
              }
            ],
            "repeated": 0,
            "id": 22280
          },
          {
            "timestamp": "2026-05-28 22:02:25,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28bcd3d",
            "parentcaller": "0x7ff6c28baa3d",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000aa0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0012019f",
                "pretty_value": "FILE_GENERIC_READ|FILE_GENERIC_WRITE"
              },
              {
                "name": "FileName",
                "value": "\\Device\\{4C572733-2FBA-4346-9601-F86DBA666EF2}"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 22281
          },
          {
            "timestamp": "2026-05-28 22:02:25,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28bcd94",
            "parentcaller": "0x7ff6c28baa3d",
            "category": "device",
            "api": "DeviceIoControl",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "DeviceHandle",
                "value": "0x00000aa0"
              },
              {
                "name": "IoControlCode",
                "value": "0x0017003e"
              },
              {
                "name": "InBuffer",
                "value": "\\x07\\x01\\x01\\x00\\x04\\x01\\x01\\x80\\x14\\x01\\x01\\x80\\x01\\x01\\x02\\x00\\x02\\x01\\x02\\x00\\x03\\x01\\x02\\x00\\x04\\x01\\x02\\x00\\x08\\x02\\x02\\x80\\x01\\x02\\x02\\x80\\x07\\x02\\x02\\x80\\xff\\xff\\xff\\x80\\x13\\x02\\x02\\x80\\x14\\x02\\x02\\x80\\x15\\x02\\x02\\x80\\x02\\x02\\x01\\x80"
              },
              {
                "name": "OutBuffer",
                "value": "\\x07\\x01\\x01\\x00\\x04\\x00\\x00\\x00\\x80\\x96\\x98\\x00\\x04\\x01\\x01\\x80\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x14\\x01\\x01\\x80\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x01\\x02\\x00\\x08\\x00\\x00\\x00\\x93\\x15\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x01\\x02\\x00\\x08\\x00\\x00\\x00\\xa8n\\x00\\x00\\x00\\x00\\x00\\x00\\x03\\x01\\x02\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x04\\x01\\x02\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x08\\x02\\x02\\x80\\x08\\x00\\x00\\x00\\xa3n\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x02\\x02\\x80\\x08\\x00\\x00\\x00k\\xf0T\\x00\\x00\\x00\\x00\\x00\\x07\\x02\\x02\\x80\\x08\\x00\\x00\\x00_\\xa04\\x02\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\x80\\x04\\x00\\x00\\x00[\\x00\\x00\\x00\\x13\\x02\\x02\\x80\\x04\\x00\\x00\\x00m\\x00\\x00\\x00\\x14\\x02\\x02\\x80\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x15\\x02\\x02\\x80\\x04\\x00\\x00\\x00\\x00\\x00\\x04\\x00\\x02\\x02\\x01\\x80\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 22282
          },
          {
            "timestamp": "2026-05-28 22:02:25,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28bcdab",
            "parentcaller": "0x7ff6c28baa3d",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000aa0"
              }
            ],
            "repeated": 0,
            "id": 22283
          },
          {
            "timestamp": "2026-05-28 22:02:25,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28c1a63",
            "parentcaller": "0x7ff6c28d9152",
            "category": "device",
            "api": "DeviceIoControl",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "DeviceHandle",
                "value": "0x0000089c"
              },
              {
                "name": "IoControlCode",
                "value": "0x00070020"
              },
              {
                "name": "InBuffer",
                "value": ""
              },
              {
                "name": "OutBuffer",
                "value": "\\x00\\x00\\x02v\\x00\\x00\\x00\\x00\\x00*\\xcc\n\\x00\\x00\\x00\\x00\\xd2e\\x81 \\x00\\x00\\x00\\x00\\x7fy\\xba\\x14\\x00\\x00\\x00\\x00\\xfd\\x17\\xb7%\\x00\\x00\\x00\\x00Iv\\x00\\x00\\xaa\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\xcd\\x04\\x00\\x00<\\x8e\\xc7\\xaa\\xed\\xee\\xdc\\x01\\x00\\x00\\x00\\x00P\\x00a\\x00r\\x00t\\x00m\\x00g\\x00r\\x00 \\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 22284
          },
          {
            "timestamp": "2026-05-28 22:02:25,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28ca352",
            "parentcaller": "0x7ff6c28ca1d6",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 22285
          },
          {
            "timestamp": "2026-05-28 22:02:25,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28ca352",
            "parentcaller": "0x7ff6c28ca1d6",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "0",
                "pretty_value": "ThreadBasicInformation"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x03\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb0\\x88\\x9d\\xf0\\x00\\x00\\x00\\xe8\\x1e\\x00\\x00\\x00\\x00\\x00\\x00\\x9c!\\x00\\x00\\x00\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x0b\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "8604"
              }
            ],
            "repeated": 0,
            "id": 22286
          },
          {
            "timestamp": "2026-05-28 22:02:25,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28ca352",
            "parentcaller": "0x7ff6c28ca1d6",
            "category": "system",
            "api": "GetSystemTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 1,
            "id": 22287
          },
          {
            "timestamp": "2026-05-28 22:02:25,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28ca352",
            "parentcaller": "0x7ff6c28ca1d6",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000410"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\PcwDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00224013"
              },
              {
                "name": "InputBuffer",
                "value": "\\x00\t\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": "\\xe0G\\x00\\x00\\x10\\x00\\x00\\x00\\x0c\\x00\\x00\\x00\\x00\\x00\\x00\\x00`\\x14\\x00\\x00 \\x00\\x00\\x00!\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\n\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x98\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x88\\x00\\x00\\x00\\x01\\x00\\x00\\x00p\\x00i\\x00d\\x00_\\x004\\x00_\\x00l\\x00u\\x00i\\x00d\\x00_\\x000\\x00x\\x000\\x000\\x000\\x000\\x000\\x000\\x000\\x000\\x00_\\x000\\x00x\\x000\\x000\\x000\\x000\\x006\\x001\\x006\\x00A\\x00_\\x00p\\x00h\\x00y\\x00s\\x00_\\x000\\x00_\\x00e\\x00n\\x00g\\x00_\\x000\\x00_\\x00e\\x00n\\x00g\\x00t\\x00y\\x00p\\x00e\\x00_\\x003\\x00D\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x01\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x98\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x88\\x00\\x00\\x00\\x01\\x00\\x00\\x00p\\x00i\\x00d\\x00_\\x004\\x00_\\x00l\\x00u\\x00i\\x00d\\x00_\\x000\\x00x\\x000\\x000\\x000\\x000\\x000\\x000\\x000\\x00"
              }
            ],
            "repeated": 0,
            "id": 22288
          },
          {
            "timestamp": "2026-05-28 22:02:25,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28f9829",
            "parentcaller": "0x7ff6c28d8f00",
            "category": "windows",
            "api": "PostMessageW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "WindowHandle",
                "value": "0x000203fa"
              },
              {
                "name": "Message",
                "value": "0x000004e1"
              }
            ],
            "repeated": 0,
            "id": 22289
          },
          {
            "timestamp": "2026-05-28 22:02:25,412",
            "thread_id": "1496",
            "caller": "0x7ff6c2958576",
            "parentcaller": "0x7ff6c2957a42",
            "category": "misc",
            "api": "NtQuerySystemInformation",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SystemInformationClass",
                "value": "3",
                "pretty_value": "FILE_OPEN_IF"
              }
            ],
            "repeated": 0,
            "id": 22290
          },
          {
            "timestamp": "2026-05-28 22:02:25,412",
            "thread_id": "1276",
            "caller": "0x7ff6c28d9214",
            "parentcaller": "0x00000000",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "0",
                "pretty_value": "ThreadBasicInformation"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x03\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xd0\\x87\\x9d\\xf0\\x00\\x00\\x00\\xe8\\x1e\\x00\\x00\\x00\\x00\\x00\\x00\\xfc\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\n\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "1276"
              }
            ],
            "repeated": 0,
            "id": 22291
          },
          {
            "timestamp": "2026-05-28 22:02:25,412",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000000",
                "pretty_value": "HKEY_CLASSES_ROOT"
              },
              {
                "name": "SubKey",
                "value": "CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_CLASSES_ROOT\\CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              }
            ],
            "repeated": 0,
            "id": 22292
          },
          {
            "timestamp": "2026-05-28 22:02:25,412",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "shell32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76730000"
              }
            ],
            "repeated": 0,
            "id": 22293
          },
          {
            "timestamp": "2026-05-28 22:02:25,412",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x7ffc76730000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "shell32.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 22294
          },
          {
            "timestamp": "2026-05-28 22:02:25,412",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "SHELL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc76730000"
              },
              {
                "name": "FunctionName",
                "value": "DllGetClassObject"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc767878f0"
              }
            ],
            "repeated": 0,
            "id": 22295
          },
          {
            "timestamp": "2026-05-28 22:02:25,412",
            "thread_id": "1276",
            "caller": "0x7ff6c28c27c9",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "synchronization",
            "api": "NtFindAtom",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "AtomName",
                "value": "{57086C23-86C6-478F-AFB2-236188C8F47F} 3"
              },
              {
                "name": "Atom",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 22296
          },
          {
            "timestamp": "2026-05-28 22:02:25,412",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000000",
                "pretty_value": "HKEY_CLASSES_ROOT"
              },
              {
                "name": "SubKey",
                "value": "CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_CLASSES_ROOT\\CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              }
            ],
            "repeated": 0,
            "id": 22297
          },
          {
            "timestamp": "2026-05-28 22:02:25,412",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "shell32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76730000"
              }
            ],
            "repeated": 0,
            "id": 22298
          },
          {
            "timestamp": "2026-05-28 22:02:25,412",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x7ffc76730000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "shell32.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 22299
          },
          {
            "timestamp": "2026-05-28 22:02:25,412",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "SHELL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc76730000"
              },
              {
                "name": "FunctionName",
                "value": "DllGetClassObject"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc767878f0"
              }
            ],
            "repeated": 0,
            "id": 22300
          },
          {
            "timestamp": "2026-05-28 22:02:25,412",
            "thread_id": "1276",
            "caller": "0x7ff6c28c27c9",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "synchronization",
            "api": "NtFindAtom",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "AtomName",
                "value": "{57086C23-86C6-478F-AFB2-236188C8F47F} 3"
              },
              {
                "name": "Atom",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 22301
          },
          {
            "timestamp": "2026-05-28 22:02:25,412",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6fb1",
            "parentcaller": "0x7ff6c28e0076",
            "category": "system",
            "api": "NtDelayExecution",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 22302
          },
          {
            "timestamp": "2026-05-28 22:02:25,428",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000000",
                "pretty_value": "HKEY_CLASSES_ROOT"
              },
              {
                "name": "SubKey",
                "value": "CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_CLASSES_ROOT\\CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              }
            ],
            "repeated": 0,
            "id": 22303
          },
          {
            "timestamp": "2026-05-28 22:02:25,428",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "shell32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76730000"
              }
            ],
            "repeated": 0,
            "id": 22304
          },
          {
            "timestamp": "2026-05-28 22:02:25,428",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x7ffc76730000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "shell32.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 22305
          },
          {
            "timestamp": "2026-05-28 22:02:25,428",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "SHELL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc76730000"
              },
              {
                "name": "FunctionName",
                "value": "DllGetClassObject"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc767878f0"
              }
            ],
            "repeated": 0,
            "id": 22306
          },
          {
            "timestamp": "2026-05-28 22:02:25,428",
            "thread_id": "1276",
            "caller": "0x7ff6c28c27c9",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "synchronization",
            "api": "NtFindAtom",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "AtomName",
                "value": "{57086C23-86C6-478F-AFB2-236188C8F47F} 3"
              },
              {
                "name": "Atom",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 22307
          },
          {
            "timestamp": "2026-05-28 22:02:25,428",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000000",
                "pretty_value": "HKEY_CLASSES_ROOT"
              },
              {
                "name": "SubKey",
                "value": "CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_CLASSES_ROOT\\CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              }
            ],
            "repeated": 0,
            "id": 22308
          },
          {
            "timestamp": "2026-05-28 22:02:25,428",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "shell32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76730000"
              }
            ],
            "repeated": 0,
            "id": 22309
          },
          {
            "timestamp": "2026-05-28 22:02:25,428",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x7ffc76730000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "shell32.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 22310
          },
          {
            "timestamp": "2026-05-28 22:02:25,428",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "SHELL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc76730000"
              },
              {
                "name": "FunctionName",
                "value": "DllGetClassObject"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc767878f0"
              }
            ],
            "repeated": 0,
            "id": 22311
          },
          {
            "timestamp": "2026-05-28 22:02:25,428",
            "thread_id": "1276",
            "caller": "0x7ff6c28c27c9",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "synchronization",
            "api": "NtFindAtom",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "AtomName",
                "value": "{57086C23-86C6-478F-AFB2-236188C8F47F} 3"
              },
              {
                "name": "Atom",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 22312
          },
          {
            "timestamp": "2026-05-28 22:02:25,428",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000000",
                "pretty_value": "HKEY_CLASSES_ROOT"
              },
              {
                "name": "SubKey",
                "value": "CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_CLASSES_ROOT\\CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              }
            ],
            "repeated": 0,
            "id": 22313
          },
          {
            "timestamp": "2026-05-28 22:02:25,428",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "shell32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76730000"
              }
            ],
            "repeated": 0,
            "id": 22314
          },
          {
            "timestamp": "2026-05-28 22:02:25,428",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x7ffc76730000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "shell32.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 22315
          },
          {
            "timestamp": "2026-05-28 22:02:25,428",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "SHELL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc76730000"
              },
              {
                "name": "FunctionName",
                "value": "DllGetClassObject"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc767878f0"
              }
            ],
            "repeated": 0,
            "id": 22316
          },
          {
            "timestamp": "2026-05-28 22:02:25,428",
            "thread_id": "1276",
            "caller": "0x7ff6c28c27c9",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "synchronization",
            "api": "NtFindAtom",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "AtomName",
                "value": "{57086C23-86C6-478F-AFB2-236188C8F47F} 3"
              },
              {
                "name": "Atom",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 22317
          },
          {
            "timestamp": "2026-05-28 22:02:25,428",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000000",
                "pretty_value": "HKEY_CLASSES_ROOT"
              },
              {
                "name": "SubKey",
                "value": "CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_CLASSES_ROOT\\CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              }
            ],
            "repeated": 0,
            "id": 22318
          },
          {
            "timestamp": "2026-05-28 22:02:25,428",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "shell32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76730000"
              }
            ],
            "repeated": 0,
            "id": 22319
          },
          {
            "timestamp": "2026-05-28 22:02:25,428",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x7ffc76730000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "shell32.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 22320
          },
          {
            "timestamp": "2026-05-28 22:02:25,428",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "SHELL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc76730000"
              },
              {
                "name": "FunctionName",
                "value": "DllGetClassObject"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc767878f0"
              }
            ],
            "repeated": 0,
            "id": 22321
          },
          {
            "timestamp": "2026-05-28 22:02:25,428",
            "thread_id": "1276",
            "caller": "0x7ff6c28c27c9",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "synchronization",
            "api": "NtFindAtom",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "AtomName",
                "value": "{57086C23-86C6-478F-AFB2-236188C8F47F} 3"
              },
              {
                "name": "Atom",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 22322
          },
          {
            "timestamp": "2026-05-28 22:02:25,428",
            "thread_id": "1276",
            "caller": "0x7ff6c28d9322",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "oleaut32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc77330000"
              }
            ],
            "repeated": 0,
            "id": 22323
          },
          {
            "timestamp": "2026-05-28 22:02:25,428",
            "thread_id": "5448",
            "caller": "0x7ff6c28bb952",
            "parentcaller": "0x7ff6c28be837",
            "category": "windows",
            "api": "PostMessageW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "WindowHandle",
                "value": "0x00010402"
              },
              {
                "name": "Message",
                "value": "0x00000464"
              }
            ],
            "repeated": 0,
            "id": 22324
          },
          {
            "timestamp": "2026-05-28 22:02:25,428",
            "thread_id": "608",
            "caller": "0x7ff6c28d9e90",
            "parentcaller": "0x7ff6c28d9a49",
            "category": "windows",
            "api": "FindWindowW",
            "status": true,
            "return": "0x00010092",
            "arguments": [
              {
                "name": "ClassName",
                "value": "Shell_TrayWnd"
              },
              {
                "name": "WindowName",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 22325
          },
          {
            "timestamp": "2026-05-28 22:02:25,428",
            "thread_id": "2700",
            "caller": "0x7ffc77bf0e98",
            "parentcaller": "0x7ffc77c6b785",
            "category": "windows",
            "api": "PostMessageW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "WindowHandle",
                "value": "0x00010438"
              },
              {
                "name": "Message",
                "value": "0x00000400"
              }
            ],
            "repeated": 0,
            "id": 22326
          },
          {
            "timestamp": "2026-05-28 22:02:25,584",
            "thread_id": "1276",
            "caller": "0x7ffc77bf0e98",
            "parentcaller": "0x7ffc77c6b785",
            "category": "windows",
            "api": "PostMessageW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "WindowHandle",
                "value": "0x00010424"
              },
              {
                "name": "Message",
                "value": "0x00000400"
              }
            ],
            "repeated": 0,
            "id": 22327
          },
          {
            "timestamp": "2026-05-28 22:02:26,412",
            "thread_id": "5448",
            "caller": "0x7ff6c28bd9af",
            "parentcaller": "0x7ff6c28d9f92",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "23"
              },
              {
                "name": "ThreadInformation",
                "value": "&\\x8e\\xb0d\\x00\\x00\\x00\\x00D\\xf4\\xe0\\xe6W\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "5448"
              }
            ],
            "repeated": 0,
            "id": 22328
          },
          {
            "timestamp": "2026-05-28 22:02:26,412",
            "thread_id": "5448",
            "caller": "0x7ff6c28c63dd",
            "parentcaller": "0x7ff6c28bac26",
            "category": "misc",
            "api": "NtQuerySystemInformation",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SystemInformationClass",
                "value": "5",
                "pretty_value": "SystemProcessInformation"
              }
            ],
            "repeated": 0,
            "id": 22329
          },
          {
            "timestamp": "2026-05-28 22:02:26,412",
            "thread_id": "5448",
            "caller": "0x7ff6c28bda50",
            "parentcaller": "0x7ff6c28d9f92",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "23"
              },
              {
                "name": "ThreadInformation",
                "value": "x\\xe2\\x1ae\\x00\\x00\\x00\\x00.ZS\\xe7W\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "5448"
              }
            ],
            "repeated": 0,
            "id": 22330
          },
          {
            "timestamp": "2026-05-28 22:02:26,412",
            "thread_id": "5448",
            "caller": "0x7ff6c28bdaa2",
            "parentcaller": "0x7ff6c28d9f92",
            "category": "misc",
            "api": "NtQuerySystemInformation",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SystemInformationClass",
                "value": "3",
                "pretty_value": "SystemTimeOfDayInformation"
              }
            ],
            "repeated": 0,
            "id": 22331
          },
          {
            "timestamp": "2026-05-28 22:02:26,412",
            "thread_id": "5448",
            "caller": "0x7ff6c28c4a58",
            "parentcaller": "0x7ff6c28c4bdc",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000410"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\PcwDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00224013"
              },
              {
                "name": "InputBuffer",
                "value": "\\x14\\x04\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": "\\xb8\\x01\\x00\\x00\\x10\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xa8\\x01\\x00\\x00 \\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x000\\x00\\x00\\x0c\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00`\\x00\\x00\\x00\\x00\\x00\\x00\\x00 \\x00\\x00\\x00\\x04\\x00\\x00\\x000\\x00,\\x000\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x04\\x00\\x08\\x00V!\\x83\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x05\\x00\\x08\\x00j\\xed\\x92\\x01\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x1a\\x00\\x08\\x00\\xcb\\xfb\\xf3\\xc6\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x1b\\x00\\x04\\x00\\xc9\\x9a\\x9c\\x03\\x00\\x00\\x00\\x00`\\x00\\x00\\x00\\x01\\x00\\x00\\x00 \\x00\\x00\\x00\\x04\\x00\\x00\\x000\\x00,\\x001\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x04\\x00\\x08\\x00F\\xf0T\\x01\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x05\\x00\\x08\\x00F\\xc3#\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x1a\\x00\\x08\\x00`*`\\xcc\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x1b\\x00\\x04\\x00\\xe1\\x9a\\x9c\\x03\\x00\\x00\\x00\\x00h\\x00\\x00\\x00\\x02\\x00\\x00\\x00(\\x00\\x00\\x00\\x04\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 22332
          },
          {
            "timestamp": "2026-05-28 22:02:26,412",
            "thread_id": "5448",
            "caller": "0x7ff6c28c4a58",
            "parentcaller": "0x7ff6c28c4c19",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000410"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\PcwDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00224013"
              },
              {
                "name": "InputBuffer",
                "value": "\\x18\\x04\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": "x\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00h\\x00\\x00\\x00 \\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00H\\x00\\x00\\x00\\x00\\x00\\x00\\x00(\\x00\\x00\\x00\\x02\\x00\\x00\\x00d\\x00e\\x00f\\x00a\\x00u\\x00l\\x00t\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x08\\x00\\x1b\\xca\\xe7\\xa0\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x01\\x00\\x08\\x00\\x00@\\xaa\\x0c\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 22333
          },
          {
            "timestamp": "2026-05-28 22:02:26,412",
            "thread_id": "5448",
            "caller": "0x7ff6c28c6f7b",
            "parentcaller": "0x7ff6c28bdb94",
            "category": "misc",
            "api": "GlobalMemoryStatusEx",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "MemoryLoad",
                "value": "36"
              },
              {
                "name": "TotalPhysicalMB",
                "value": "8191"
              }
            ],
            "repeated": 0,
            "id": 22334
          },
          {
            "timestamp": "2026-05-28 22:02:26,412",
            "thread_id": "5448",
            "caller": "0x7ff6c28c05ac",
            "parentcaller": "0x7ff6c28bdc11",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000aa0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001400",
                "pretty_value": "PROCESS_QUERY_INFORMATION|PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "748"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\148.0.3967.83\\identity_helper.exe"
              }
            ],
            "repeated": 0,
            "id": 22335
          },
          {
            "timestamp": "2026-05-28 22:02:26,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28c4a58",
            "parentcaller": "0x7ff6c28bab11",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000410"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\PcwDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00224013"
              },
              {
                "name": "InputBuffer",
                "value": "\\x88\\x08\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": "x\\x02\\x00\\x00\\x10\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00h\\x02\\x00\\x00 \\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01<\\x06\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x90\\x00\\x00\\x00\\x00\\x00\\x00\\x00 \\x00\\x00\\x00\\x07\\x00\\x00\\x000\\x00,\\x000\\x00\\x00\\x00a\\x00n\\x00a\\x00g\\x00\\x10\\x00\\x00\\x00\\x10\\x00\\x04\\x00\\x00\\x00\\x00\\x00A\\x00p\\x00\\x10\\x00\\x00\\x00\\x1a\\x00\\x08\\x00\\x9c\\xfd\\xf1\\xc6\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x1b\\x00\\x04\\x00\\xaf\\x95\\x9c\\x03S\\x00e\\x00\\x10\\x00\\x00\\x00\\x1c\\x00\\x08\\x00\\x8b\\xc2\\xc4\\x08\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x1d\\x00\\x04\\x00\\xaf\\x95\\x9c\\x03)\\x00\\x00\\x00\\x10\\x00\\x00\\x00!\\x00\\x08\\x00\\xcat\\x1f\\xa5\\x1c\\x00\\x00\\x00\\x10\\x00\\x00\\x00\"\\x00\\x04\\x00\\xc7L\\xfd\\x01o\\x00f\\x00\\x90\\x00\\x00\\x00\\x01\\x00\\x00\\x00 \\x00\\x00\\x00\\x07\\x00\\x00\\x000\\x00,\\x001\\x00\\x00\\x00n\\x00t\\x00\\x00\\x00A\\x00\\x10\\x00\\x00\\x00\\x10\\x00\\x04\\x00\\x00\\x00\\x00\\x00e\\x00n\\x00\\x10\\x00\\x00\\x00\\x1a\\x00\\x08\\x00z+`\\xcc\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 22336
          },
          {
            "timestamp": "2026-05-28 22:02:26,412",
            "thread_id": "5448",
            "caller": "0x7ff6c28c068f",
            "parentcaller": "0x7ff6c28bdc11",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000aa0"
              }
            ],
            "repeated": 0,
            "id": 22337
          },
          {
            "timestamp": "2026-05-28 22:02:26,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28c7164",
            "parentcaller": "0x7ff6c28c4d2d",
            "category": "misc",
            "api": "NtQuerySystemInformation",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "SystemInformationClass",
                "value": "79"
              }
            ],
            "repeated": 0,
            "id": 22338
          },
          {
            "timestamp": "2026-05-28 22:02:26,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28c71d8",
            "parentcaller": "0x7ff6c28c4d2d",
            "category": "misc",
            "api": "NtQuerySystemInformation",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SystemInformationClass",
                "value": "79"
              }
            ],
            "repeated": 0,
            "id": 22339
          },
          {
            "timestamp": "2026-05-28 22:02:26,412",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c6d7d",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000aa0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001400",
                "pretty_value": "PROCESS_QUERY_INFORMATION|PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "748"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\148.0.3967.83\\identity_helper.exe"
              }
            ],
            "repeated": 0,
            "id": 22340
          },
          {
            "timestamp": "2026-05-28 22:02:26,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28c4d5f",
            "parentcaller": "0x7ff6c28d9152",
            "category": "misc",
            "api": "NtQuerySystemInformation",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SystemInformationClass",
                "value": "182"
              }
            ],
            "repeated": 0,
            "id": 22341
          },
          {
            "timestamp": "2026-05-28 22:02:26,412",
            "thread_id": "5448",
            "caller": "0x7ff6c28c6de3",
            "parentcaller": "0x7ff6c28c087c",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000aa0"
              }
            ],
            "repeated": 0,
            "id": 22342
          },
          {
            "timestamp": "2026-05-28 22:02:26,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28c4d76",
            "parentcaller": "0x7ff6c28d9152",
            "category": "misc",
            "api": "GetPhysicallyInstalledSystemMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TotalMemoryInKilobytes",
                "value": "8388608"
              }
            ],
            "repeated": 0,
            "id": 22343
          },
          {
            "timestamp": "2026-05-28 22:02:26,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28bcc3e",
            "parentcaller": "0x7ff6c28baa3d",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000008a4"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\Nsi"
              },
              {
                "name": "IoControlCode",
                "value": "0x00120007"
              },
              {
                "name": "InputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb1\\xa9t\\xfc\\x7f\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xc0\\xe5O\\x9e\\xf0\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb1\\xa9t\\xfc\\x7f\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xc0\\xe5O\\x9e\\xf0\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 22344
          },
          {
            "timestamp": "2026-05-28 22:02:26,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28bcc3e",
            "parentcaller": "0x7ff6c28baa3d",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000ab0"
              }
            ],
            "repeated": 0,
            "id": 22345
          },
          {
            "timestamp": "2026-05-28 22:02:26,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28bcc3e",
            "parentcaller": "0x7ff6c28baa3d",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000008a4"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\Nsi"
              },
              {
                "name": "IoControlCode",
                "value": "0x0012000f"
              },
              {
                "name": "InputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb1\\xa9t\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xd0\\xe5O\\x9e\\xf0\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\xeeO\\x9e\\xf0\\x00\\x00\\x00D\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xe6O\\x9e\\xf0\\x00\\x00\\x00\\xd8\\x00\\x00\\x00\\x00\\x00\\x00\\x00 \\xe9O\\x9e\\xf0\\x00\\x00\\x00X\\x02\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb1\\xa9t\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xd0\\xe5O\\x9e\\xf0\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\xeeO\\x9e\\xf0\\x00\\x00\\x00D\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xe6O\\x9e\\xf0\\x00\\x00\\x00\\xd8\\x00\\x00\\x00\\x00\\x00\\x00\\x00 \\xe9O\\x9e\\xf0\\x00\\x00\\x00X\\x02\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 22346
          },
          {
            "timestamp": "2026-05-28 22:02:26,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28bcc3e",
            "parentcaller": "0x7ff6c28baa3d",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000ab0"
              }
            ],
            "repeated": 0,
            "id": 22347
          },
          {
            "timestamp": "2026-05-28 22:02:26,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28bcd3d",
            "parentcaller": "0x7ff6c28baa3d",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000ab0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0012019f",
                "pretty_value": "FILE_GENERIC_READ|FILE_GENERIC_WRITE"
              },
              {
                "name": "FileName",
                "value": "\\Device\\{4C572733-2FBA-4346-9601-F86DBA666EF2}"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 22348
          },
          {
            "timestamp": "2026-05-28 22:02:26,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28bcd94",
            "parentcaller": "0x7ff6c28baa3d",
            "category": "device",
            "api": "DeviceIoControl",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "DeviceHandle",
                "value": "0x00000ab0"
              },
              {
                "name": "IoControlCode",
                "value": "0x0017003e"
              },
              {
                "name": "InBuffer",
                "value": "\\x07\\x01\\x01\\x00\\x04\\x01\\x01\\x80\\x14\\x01\\x01\\x80\\x01\\x01\\x02\\x00\\x02\\x01\\x02\\x00\\x03\\x01\\x02\\x00\\x04\\x01\\x02\\x00\\x08\\x02\\x02\\x80\\x01\\x02\\x02\\x80\\x07\\x02\\x02\\x80\\xff\\xff\\xff\\x80\\x13\\x02\\x02\\x80\\x14\\x02\\x02\\x80\\x15\\x02\\x02\\x80\\x02\\x02\\x01\\x80"
              },
              {
                "name": "OutBuffer",
                "value": "\\x07\\x01\\x01\\x00\\x04\\x00\\x00\\x00\\x80\\x96\\x98\\x00\\x04\\x01\\x01\\x80\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x14\\x01\\x01\\x80\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x01\\x02\\x00\\x08\\x00\\x00\\x00\\x99\\x15\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x01\\x02\\x00\\x08\\x00\\x00\\x00\\xadn\\x00\\x00\\x00\\x00\\x00\\x00\\x03\\x01\\x02\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x04\\x01\\x02\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x08\\x02\\x02\\x80\\x08\\x00\\x00\\x00\\xa8n\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x02\\x02\\x80\\x08\\x00\\x00\\x00`\\x98U\\x00\\x00\\x00\\x00\\x00\\x07\\x02\\x02\\x80\\x08\\x00\\x00\\x00 \\xa24\\x02\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\x80\\x04\\x00\\x00\\x00\\\\x00\\x00\\x00\\x13\\x02\\x02\\x80\\x04\\x00\\x00\\x00m\\x00\\x00\\x00\\x14\\x02\\x02\\x80\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x15\\x02\\x02\\x80\\x04\\x00\\x00\\x00\\x00\\x00\\x04\\x00\\x02\\x02\\x01\\x80\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 22349
          },
          {
            "timestamp": "2026-05-28 22:02:26,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28bcdab",
            "parentcaller": "0x7ff6c28baa3d",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000ab0"
              }
            ],
            "repeated": 0,
            "id": 22350
          },
          {
            "timestamp": "2026-05-28 22:02:26,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28c1a63",
            "parentcaller": "0x7ff6c28d9152",
            "category": "device",
            "api": "DeviceIoControl",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "DeviceHandle",
                "value": "0x0000089c"
              },
              {
                "name": "IoControlCode",
                "value": "0x00070020"
              },
              {
                "name": "InBuffer",
                "value": ""
              },
              {
                "name": "OutBuffer",
                "value": "\\x00\\x00\\x02v\\x00\\x00\\x00\\x00\\x00:\\xcc\n\\x00\\x00\\x00\\x00\\xd2e\\x81 \\x00\\x00\\x00\\x00)\\x04\\xbc\\x14\\x00\\x00\\x00\\x00\\x97xM&\\x00\\x00\\x00\\x00Iv\\x00\\x00\\xab\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\xcd\\x04\\x00\\x00\\xa5z_\\xab\\xed\\xee\\xdc\\x01\\x00\\x00\\x00\\x00P\\x00a\\x00r\\x00t\\x00m\\x00g\\x00r\\x00 \\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 22351
          },
          {
            "timestamp": "2026-05-28 22:02:26,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28ca352",
            "parentcaller": "0x7ff6c28ca1d6",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 22352
          },
          {
            "timestamp": "2026-05-28 22:02:26,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28ca352",
            "parentcaller": "0x7ff6c28ca1d6",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "0",
                "pretty_value": "ThreadBasicInformation"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x03\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb0\\x88\\x9d\\xf0\\x00\\x00\\x00\\xe8\\x1e\\x00\\x00\\x00\\x00\\x00\\x00\\x9c!\\x00\\x00\\x00\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x0b\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "8604"
              }
            ],
            "repeated": 0,
            "id": 22353
          },
          {
            "timestamp": "2026-05-28 22:02:26,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28ca352",
            "parentcaller": "0x7ff6c28ca1d6",
            "category": "system",
            "api": "GetSystemTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 1,
            "id": 22354
          },
          {
            "timestamp": "2026-05-28 22:02:26,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28ca352",
            "parentcaller": "0x7ff6c28ca1d6",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000410"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\PcwDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00224013"
              },
              {
                "name": "InputBuffer",
                "value": "\\x00\t\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": "\\xe0G\\x00\\x00\\x10\\x00\\x00\\x00\\x0c\\x00\\x00\\x00\\x00\\x00\\x00\\x00`\\x14\\x00\\x00 \\x00\\x00\\x00!\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\n\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x98\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x88\\x00\\x00\\x00\\x01\\x00\\x00\\x00p\\x00i\\x00d\\x00_\\x004\\x00_\\x00l\\x00u\\x00i\\x00d\\x00_\\x000\\x00x\\x000\\x000\\x000\\x000\\x000\\x000\\x000\\x000\\x00_\\x000\\x00x\\x000\\x000\\x000\\x000\\x006\\x001\\x006\\x00A\\x00_\\x00p\\x00h\\x00y\\x00s\\x00_\\x000\\x00_\\x00e\\x00n\\x00g\\x00_\\x000\\x00_\\x00e\\x00n\\x00g\\x00t\\x00y\\x00p\\x00e\\x00_\\x003\\x00D\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x01\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x98\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x88\\x00\\x00\\x00\\x01\\x00\\x00\\x00p\\x00i\\x00d\\x00_\\x004\\x00_\\x00l\\x00u\\x00i\\x00d\\x00_\\x000\\x00x\\x000\\x000\\x000\\x000\\x000\\x000\\x000\\x00"
              }
            ],
            "repeated": 0,
            "id": 22355
          },
          {
            "timestamp": "2026-05-28 22:02:26,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28f9829",
            "parentcaller": "0x7ff6c28d8f00",
            "category": "windows",
            "api": "PostMessageW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "WindowHandle",
                "value": "0x000203fa"
              },
              {
                "name": "Message",
                "value": "0x000004e1"
              }
            ],
            "repeated": 0,
            "id": 22356
          },
          {
            "timestamp": "2026-05-28 22:02:26,412",
            "thread_id": "1496",
            "caller": "0x7ff6c2958576",
            "parentcaller": "0x7ff6c2957a42",
            "category": "misc",
            "api": "NtQuerySystemInformation",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SystemInformationClass",
                "value": "3",
                "pretty_value": "SystemTimeOfDayInformation"
              }
            ],
            "repeated": 0,
            "id": 22357
          },
          {
            "timestamp": "2026-05-28 22:02:26,412",
            "thread_id": "1276",
            "caller": "0x7ff6c28d9214",
            "parentcaller": "0x00000000",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "0",
                "pretty_value": "ThreadBasicInformation"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x03\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xd0\\x87\\x9d\\xf0\\x00\\x00\\x00\\xe8\\x1e\\x00\\x00\\x00\\x00\\x00\\x00\\xfc\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\n\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "1276"
              }
            ],
            "repeated": 0,
            "id": 22358
          },
          {
            "timestamp": "2026-05-28 22:02:26,412",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000000",
                "pretty_value": "HKEY_CLASSES_ROOT"
              },
              {
                "name": "SubKey",
                "value": "CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_CLASSES_ROOT\\CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              }
            ],
            "repeated": 0,
            "id": 22359
          },
          {
            "timestamp": "2026-05-28 22:02:26,412",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "shell32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76730000"
              }
            ],
            "repeated": 0,
            "id": 22360
          },
          {
            "timestamp": "2026-05-28 22:02:26,412",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x7ffc76730000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "shell32.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 22361
          },
          {
            "timestamp": "2026-05-28 22:02:26,412",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "SHELL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc76730000"
              },
              {
                "name": "FunctionName",
                "value": "DllGetClassObject"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc767878f0"
              }
            ],
            "repeated": 0,
            "id": 22362
          },
          {
            "timestamp": "2026-05-28 22:02:26,412",
            "thread_id": "1276",
            "caller": "0x7ff6c28c27c9",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "synchronization",
            "api": "NtFindAtom",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "AtomName",
                "value": "{57086C23-86C6-478F-AFB2-236188C8F47F} 3"
              },
              {
                "name": "Atom",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 22363
          },
          {
            "timestamp": "2026-05-28 22:02:26,412",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000000",
                "pretty_value": "HKEY_CLASSES_ROOT"
              },
              {
                "name": "SubKey",
                "value": "CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_CLASSES_ROOT\\CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              }
            ],
            "repeated": 0,
            "id": 22364
          },
          {
            "timestamp": "2026-05-28 22:02:26,412",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "shell32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76730000"
              }
            ],
            "repeated": 0,
            "id": 22365
          },
          {
            "timestamp": "2026-05-28 22:02:26,412",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x7ffc76730000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "shell32.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 22366
          },
          {
            "timestamp": "2026-05-28 22:02:26,412",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "SHELL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc76730000"
              },
              {
                "name": "FunctionName",
                "value": "DllGetClassObject"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc767878f0"
              }
            ],
            "repeated": 0,
            "id": 22367
          },
          {
            "timestamp": "2026-05-28 22:02:26,412",
            "thread_id": "1276",
            "caller": "0x7ff6c28c27c9",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "synchronization",
            "api": "NtFindAtom",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "AtomName",
                "value": "{57086C23-86C6-478F-AFB2-236188C8F47F} 3"
              },
              {
                "name": "Atom",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 22368
          },
          {
            "timestamp": "2026-05-28 22:02:26,412",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6fb1",
            "parentcaller": "0x7ff6c28e0076",
            "category": "system",
            "api": "NtDelayExecution",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 22369
          },
          {
            "timestamp": "2026-05-28 22:02:26,412",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000000",
                "pretty_value": "HKEY_CLASSES_ROOT"
              },
              {
                "name": "SubKey",
                "value": "CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_CLASSES_ROOT\\CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              }
            ],
            "repeated": 0,
            "id": 22370
          },
          {
            "timestamp": "2026-05-28 22:02:26,412",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "shell32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76730000"
              }
            ],
            "repeated": 0,
            "id": 22371
          },
          {
            "timestamp": "2026-05-28 22:02:26,412",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x7ffc76730000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "shell32.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 22372
          },
          {
            "timestamp": "2026-05-28 22:02:26,412",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "SHELL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc76730000"
              },
              {
                "name": "FunctionName",
                "value": "DllGetClassObject"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc767878f0"
              }
            ],
            "repeated": 0,
            "id": 22373
          },
          {
            "timestamp": "2026-05-28 22:02:26,412",
            "thread_id": "1276",
            "caller": "0x7ff6c28c27c9",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "synchronization",
            "api": "NtFindAtom",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "AtomName",
                "value": "{57086C23-86C6-478F-AFB2-236188C8F47F} 3"
              },
              {
                "name": "Atom",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 22374
          },
          {
            "timestamp": "2026-05-28 22:02:26,412",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000000",
                "pretty_value": "HKEY_CLASSES_ROOT"
              },
              {
                "name": "SubKey",
                "value": "CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_CLASSES_ROOT\\CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              }
            ],
            "repeated": 0,
            "id": 22375
          },
          {
            "timestamp": "2026-05-28 22:02:26,412",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "shell32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76730000"
              }
            ],
            "repeated": 0,
            "id": 22376
          },
          {
            "timestamp": "2026-05-28 22:02:26,412",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x7ffc76730000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "shell32.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 22377
          },
          {
            "timestamp": "2026-05-28 22:02:26,412",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "SHELL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc76730000"
              },
              {
                "name": "FunctionName",
                "value": "DllGetClassObject"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc767878f0"
              }
            ],
            "repeated": 0,
            "id": 22378
          },
          {
            "timestamp": "2026-05-28 22:02:26,412",
            "thread_id": "1276",
            "caller": "0x7ff6c28c27c9",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "synchronization",
            "api": "NtFindAtom",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "AtomName",
                "value": "{57086C23-86C6-478F-AFB2-236188C8F47F} 3"
              },
              {
                "name": "Atom",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 22379
          },
          {
            "timestamp": "2026-05-28 22:02:26,412",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000000",
                "pretty_value": "HKEY_CLASSES_ROOT"
              },
              {
                "name": "SubKey",
                "value": "CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_CLASSES_ROOT\\CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              }
            ],
            "repeated": 0,
            "id": 22380
          },
          {
            "timestamp": "2026-05-28 22:02:26,412",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "shell32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76730000"
              }
            ],
            "repeated": 0,
            "id": 22381
          },
          {
            "timestamp": "2026-05-28 22:02:26,412",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x7ffc76730000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "shell32.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 22382
          },
          {
            "timestamp": "2026-05-28 22:02:26,412",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "SHELL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc76730000"
              },
              {
                "name": "FunctionName",
                "value": "DllGetClassObject"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc767878f0"
              }
            ],
            "repeated": 0,
            "id": 22383
          },
          {
            "timestamp": "2026-05-28 22:02:26,412",
            "thread_id": "1276",
            "caller": "0x7ff6c28c27c9",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "synchronization",
            "api": "NtFindAtom",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "AtomName",
                "value": "{57086C23-86C6-478F-AFB2-236188C8F47F} 3"
              },
              {
                "name": "Atom",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 22384
          },
          {
            "timestamp": "2026-05-28 22:02:26,412",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000000",
                "pretty_value": "HKEY_CLASSES_ROOT"
              },
              {
                "name": "SubKey",
                "value": "CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_CLASSES_ROOT\\CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              }
            ],
            "repeated": 0,
            "id": 22385
          },
          {
            "timestamp": "2026-05-28 22:02:26,412",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "shell32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76730000"
              }
            ],
            "repeated": 0,
            "id": 22386
          },
          {
            "timestamp": "2026-05-28 22:02:26,412",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x7ffc76730000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "shell32.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 22387
          },
          {
            "timestamp": "2026-05-28 22:02:26,412",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "SHELL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc76730000"
              },
              {
                "name": "FunctionName",
                "value": "DllGetClassObject"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc767878f0"
              }
            ],
            "repeated": 0,
            "id": 22388
          },
          {
            "timestamp": "2026-05-28 22:02:26,412",
            "thread_id": "1276",
            "caller": "0x7ff6c28c27c9",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "synchronization",
            "api": "NtFindAtom",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "AtomName",
                "value": "{57086C23-86C6-478F-AFB2-236188C8F47F} 3"
              },
              {
                "name": "Atom",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 22389
          },
          {
            "timestamp": "2026-05-28 22:02:26,412",
            "thread_id": "1276",
            "caller": "0x7ff6c28d9322",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "oleaut32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc77330000"
              }
            ],
            "repeated": 0,
            "id": 22390
          },
          {
            "timestamp": "2026-05-28 22:02:26,412",
            "thread_id": "5448",
            "caller": "0x7ff6c28bb952",
            "parentcaller": "0x7ff6c28be837",
            "category": "windows",
            "api": "PostMessageW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "WindowHandle",
                "value": "0x00010402"
              },
              {
                "name": "Message",
                "value": "0x00000464"
              }
            ],
            "repeated": 0,
            "id": 22391
          },
          {
            "timestamp": "2026-05-28 22:02:26,412",
            "thread_id": "608",
            "caller": "0x7ff6c28d9e90",
            "parentcaller": "0x7ff6c28d9a49",
            "category": "windows",
            "api": "FindWindowW",
            "status": true,
            "return": "0x00010092",
            "arguments": [
              {
                "name": "ClassName",
                "value": "Shell_TrayWnd"
              },
              {
                "name": "WindowName",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 22392
          },
          {
            "timestamp": "2026-05-28 22:02:26,412",
            "thread_id": "2700",
            "caller": "0x7ffc77bf0e98",
            "parentcaller": "0x7ffc77c6b785",
            "category": "windows",
            "api": "PostMessageW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "WindowHandle",
                "value": "0x00010438"
              },
              {
                "name": "Message",
                "value": "0x00000400"
              }
            ],
            "repeated": 0,
            "id": 22393
          },
          {
            "timestamp": "2026-05-28 22:02:26,771",
            "thread_id": "1276",
            "caller": "0x7ffc77bf0e98",
            "parentcaller": "0x7ffc77c6b785",
            "category": "windows",
            "api": "PostMessageW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "WindowHandle",
                "value": "0x00010424"
              },
              {
                "name": "Message",
                "value": "0x00000400"
              }
            ],
            "repeated": 0,
            "id": 22394
          },
          {
            "timestamp": "2026-05-28 22:02:27,412",
            "thread_id": "5448",
            "caller": "0x7ff6c28bd9af",
            "parentcaller": "0x7ff6c28d9f92",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "23"
              },
              {
                "name": "ThreadInformation",
                "value": "\\\\xeeGe\\x00\\x00\\x00\\x00\\x8a\\x91\\x1c\\xc3X\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "5448"
              }
            ],
            "repeated": 0,
            "id": 22395
          },
          {
            "timestamp": "2026-05-28 22:02:27,412",
            "thread_id": "5448",
            "caller": "0x7ff6c28c63dd",
            "parentcaller": "0x7ff6c28bac26",
            "category": "misc",
            "api": "NtQuerySystemInformation",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SystemInformationClass",
                "value": "5",
                "pretty_value": "FILE_OVERWRITE_IF"
              }
            ],
            "repeated": 0,
            "id": 22396
          },
          {
            "timestamp": "2026-05-28 22:02:27,412",
            "thread_id": "5448",
            "caller": "0x7ff6c28bda50",
            "parentcaller": "0x7ff6c28d9f92",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "23"
              },
              {
                "name": "ThreadInformation",
                "value": "z\\x88\\x87e\\x00\\x00\\x00\\x00dh_\\xc3X\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "5448"
              }
            ],
            "repeated": 0,
            "id": 22397
          },
          {
            "timestamp": "2026-05-28 22:02:27,412",
            "thread_id": "5448",
            "caller": "0x7ff6c28bdaa2",
            "parentcaller": "0x7ff6c28d9f92",
            "category": "misc",
            "api": "NtQuerySystemInformation",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SystemInformationClass",
                "value": "3",
                "pretty_value": "FILE_OPEN_IF"
              }
            ],
            "repeated": 0,
            "id": 22398
          },
          {
            "timestamp": "2026-05-28 22:02:27,412",
            "thread_id": "5448",
            "caller": "0x7ff6c28c4a58",
            "parentcaller": "0x7ff6c28c4bdc",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000410"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\PcwDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00224013"
              },
              {
                "name": "InputBuffer",
                "value": "\\x14\\x04\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": "\\xb8\\x01\\x00\\x00\\x10\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xa8\\x01\\x00\\x00 \\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x000\\x00\\x00\\x0c\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00`\\x00\\x00\\x00\\x00\\x00\\x00\\x00 \\x00\\x00\\x00\\x04\\x00\\x00\\x000\\x00,\\x000\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x04\\x00\\x08\\x00V!\\x83\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x05\\x00\\x08\\x00\\x1e\\xb2\\x97\\x01\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x1a\\x00\\x08\\x00\\x9e\\x0b\\xaf\\xca\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x1b\\x00\\x04\\x00\\xbe'\\xa6\\x03\\x00\\x00\\x00\\x00`\\x00\\x00\\x00\\x01\\x00\\x00\\x00 \\x00\\x00\\x00\\x04\\x00\\x00\\x000\\x00,\\x001\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x04\\x00\\x08\\x00F\\xf0T\\x01\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x05\\x00\\x08\\x00F\\xc3#\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x1a\\x00\\x08\\x00\\x893\\x1b\\xd0\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x1b\\x00\\x04\\x00\\xc5'\\xa6\\x03\\x00\\x00\\x00\\x00h\\x00\\x00\\x00\\x02\\x00\\x00\\x00(\\x00\\x00\\x00\\x04\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 22399
          },
          {
            "timestamp": "2026-05-28 22:02:27,412",
            "thread_id": "5448",
            "caller": "0x7ff6c28c4a58",
            "parentcaller": "0x7ff6c28c4c19",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000410"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\PcwDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00224013"
              },
              {
                "name": "InputBuffer",
                "value": "\\x18\\x04\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": "x\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00h\\x00\\x00\\x00 \\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00H\\x00\\x00\\x00\\x00\\x00\\x00\\x00(\\x00\\x00\\x00\\x02\\x00\\x00\\x00d\\x00e\\x00f\\x00a\\x00u\\x00l\\x00t\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x08\\x00\\x1b\\xca\\xe7\\xa0\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x01\\x00\\x08\\x00\\x00,\\xcc\\x0c\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 22400
          },
          {
            "timestamp": "2026-05-28 22:02:27,412",
            "thread_id": "5448",
            "caller": "0x7ff6c28c6f7b",
            "parentcaller": "0x7ff6c28bdb94",
            "category": "misc",
            "api": "GlobalMemoryStatusEx",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "MemoryLoad",
                "value": "36"
              },
              {
                "name": "TotalPhysicalMB",
                "value": "8191"
              }
            ],
            "repeated": 0,
            "id": 22401
          },
          {
            "timestamp": "2026-05-28 22:02:27,412",
            "thread_id": "5448",
            "caller": "0x7ff6c28c05ac",
            "parentcaller": "0x7ff6c28bdc11",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000ab0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001400",
                "pretty_value": "PROCESS_QUERY_INFORMATION|PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "748"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\148.0.3967.83\\identity_helper.exe"
              }
            ],
            "repeated": 0,
            "id": 22402
          },
          {
            "timestamp": "2026-05-28 22:02:27,412",
            "thread_id": "5448",
            "caller": "0x7ff6c28c068f",
            "parentcaller": "0x7ff6c28bdc11",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000ab0"
              }
            ],
            "repeated": 0,
            "id": 22403
          },
          {
            "timestamp": "2026-05-28 22:02:27,412",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c6d7d",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000ab0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001400",
                "pretty_value": "PROCESS_QUERY_INFORMATION|PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "748"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\148.0.3967.83\\identity_helper.exe"
              }
            ],
            "repeated": 0,
            "id": 22404
          },
          {
            "timestamp": "2026-05-28 22:02:27,412",
            "thread_id": "5448",
            "caller": "0x7ff6c28c6de3",
            "parentcaller": "0x7ff6c28c087c",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000ab0"
              }
            ],
            "repeated": 0,
            "id": 22405
          },
          {
            "timestamp": "2026-05-28 22:02:27,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28c4a58",
            "parentcaller": "0x7ff6c28bab11",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000410"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\PcwDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00224013"
              },
              {
                "name": "InputBuffer",
                "value": "\\x88\\x08\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": "x\\x02\\x00\\x00\\x10\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00h\\x02\\x00\\x00 \\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01<\\x06\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x90\\x00\\x00\\x00\\x00\\x00\\x00\\x00 \\x00\\x00\\x00\\x07\\x00\\x00\\x000\\x00,\\x000\\x00\\x00\\x00a\\x00n\\x00a\\x00g\\x00\\x10\\x00\\x00\\x00\\x10\\x00\\x04\\x00\\x00\\x00\\x00\\x00A\\x00p\\x00\\x10\\x00\\x00\\x00\\x1a\\x00\\x08\\x00Mq\\xaf\\xca\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x1b\\x00\\x04\\x00\\xc3(\\xa6\\x03S\\x00e\\x00\\x10\\x00\\x00\\x00\\x1c\\x00\\x08\\x00\\x8b\\xc2\\xc4\\x08\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x1d\\x00\\x04\\x00\\xc3(\\xa6\\x03)\\x00\\x00\\x00\\x10\\x00\\x00\\x00!\\x00\\x08\\x00B\"\\xfb.\\x1d\\x00\\x00\\x00\\x10\\x00\\x00\\x00\"\\x00\\x04\\x00\\xda\\xdf\\x06\\x02o\\x00f\\x00\\x90\\x00\\x00\\x00\\x01\\x00\\x00\\x00 \\x00\\x00\\x00\\x07\\x00\\x00\\x000\\x00,\\x001\\x00\\x00\\x00n\\x00t\\x00\\x00\\x00A\\x00\\x10\\x00\\x00\\x00\\x10\\x00\\x04\\x00\\x00\\x00\\x00\\x00e\\x00n\\x00\\x10\\x00\\x00\\x00\\x1a\\x00\\x08\\x00\\x00\\x99\\x1b\\xd0\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 22406
          },
          {
            "timestamp": "2026-05-28 22:02:27,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28c7164",
            "parentcaller": "0x7ff6c28c4d2d",
            "category": "misc",
            "api": "NtQuerySystemInformation",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "SystemInformationClass",
                "value": "79"
              }
            ],
            "repeated": 0,
            "id": 22407
          },
          {
            "timestamp": "2026-05-28 22:02:27,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28c71d8",
            "parentcaller": "0x7ff6c28c4d2d",
            "category": "misc",
            "api": "NtQuerySystemInformation",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SystemInformationClass",
                "value": "79"
              }
            ],
            "repeated": 0,
            "id": 22408
          },
          {
            "timestamp": "2026-05-28 22:02:27,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28c4d5f",
            "parentcaller": "0x7ff6c28d9152",
            "category": "misc",
            "api": "NtQuerySystemInformation",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SystemInformationClass",
                "value": "182"
              }
            ],
            "repeated": 0,
            "id": 22409
          },
          {
            "timestamp": "2026-05-28 22:02:27,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28c4d76",
            "parentcaller": "0x7ff6c28d9152",
            "category": "misc",
            "api": "GetPhysicallyInstalledSystemMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TotalMemoryInKilobytes",
                "value": "8388608"
              }
            ],
            "repeated": 0,
            "id": 22410
          },
          {
            "timestamp": "2026-05-28 22:02:27,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28bcc3e",
            "parentcaller": "0x7ff6c28baa3d",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000008a4"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\Nsi"
              },
              {
                "name": "IoControlCode",
                "value": "0x00120007"
              },
              {
                "name": "InputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb1\\xa9t\\xfc\\x7f\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xc0\\xe5O\\x9e\\xf0\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb1\\xa9t\\xfc\\x7f\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xc0\\xe5O\\x9e\\xf0\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 22411
          },
          {
            "timestamp": "2026-05-28 22:02:27,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28bcc3e",
            "parentcaller": "0x7ff6c28baa3d",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000ab0"
              }
            ],
            "repeated": 0,
            "id": 22412
          },
          {
            "timestamp": "2026-05-28 22:02:27,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28bcc3e",
            "parentcaller": "0x7ff6c28baa3d",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000008a4"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\Nsi"
              },
              {
                "name": "IoControlCode",
                "value": "0x0012000f"
              },
              {
                "name": "InputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb1\\xa9t\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xd0\\xe5O\\x9e\\xf0\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\xeeO\\x9e\\xf0\\x00\\x00\\x00D\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xe6O\\x9e\\xf0\\x00\\x00\\x00\\xd8\\x00\\x00\\x00\\x00\\x00\\x00\\x00 \\xe9O\\x9e\\xf0\\x00\\x00\\x00X\\x02\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb1\\xa9t\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xd0\\xe5O\\x9e\\xf0\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\xeeO\\x9e\\xf0\\x00\\x00\\x00D\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xe6O\\x9e\\xf0\\x00\\x00\\x00\\xd8\\x00\\x00\\x00\\x00\\x00\\x00\\x00 \\xe9O\\x9e\\xf0\\x00\\x00\\x00X\\x02\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 22413
          },
          {
            "timestamp": "2026-05-28 22:02:27,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28bcc3e",
            "parentcaller": "0x7ff6c28baa3d",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000ab0"
              }
            ],
            "repeated": 0,
            "id": 22414
          },
          {
            "timestamp": "2026-05-28 22:02:27,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28bcd3d",
            "parentcaller": "0x7ff6c28baa3d",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000ab0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0012019f",
                "pretty_value": "FILE_GENERIC_READ|FILE_GENERIC_WRITE"
              },
              {
                "name": "FileName",
                "value": "\\Device\\{4C572733-2FBA-4346-9601-F86DBA666EF2}"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 22415
          },
          {
            "timestamp": "2026-05-28 22:02:27,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28bcd94",
            "parentcaller": "0x7ff6c28baa3d",
            "category": "device",
            "api": "DeviceIoControl",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "DeviceHandle",
                "value": "0x00000ab0"
              },
              {
                "name": "IoControlCode",
                "value": "0x0017003e"
              },
              {
                "name": "InBuffer",
                "value": "\\x07\\x01\\x01\\x00\\x04\\x01\\x01\\x80\\x14\\x01\\x01\\x80\\x01\\x01\\x02\\x00\\x02\\x01\\x02\\x00\\x03\\x01\\x02\\x00\\x04\\x01\\x02\\x00\\x08\\x02\\x02\\x80\\x01\\x02\\x02\\x80\\x07\\x02\\x02\\x80\\xff\\xff\\xff\\x80\\x13\\x02\\x02\\x80\\x14\\x02\\x02\\x80\\x15\\x02\\x02\\x80\\x02\\x02\\x01\\x80"
              },
              {
                "name": "OutBuffer",
                "value": "\\x07\\x01\\x01\\x00\\x04\\x00\\x00\\x00\\x80\\x96\\x98\\x00\\x04\\x01\\x01\\x80\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x14\\x01\\x01\\x80\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x01\\x02\\x00\\x08\\x00\\x00\\x00\\xa8\\x15\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x01\\x02\\x00\\x08\\x00\\x00\\x00\\xfdn\\x00\\x00\\x00\\x00\\x00\\x00\\x03\\x01\\x02\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x04\\x01\\x02\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x08\\x02\\x02\\x80\\x08\\x00\\x00\\x00\\xf8n\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x02\\x02\\x80\\x08\\x00\\x00\\x00`\\x9dU\\x00\\x00\\x00\\x00\\x00\\x07\\x02\\x02\\x80\\x08\\x00\\x00\\x00126\\x02\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\x80\\x04\\x00\\x00\\x00]\\x00\\x00\\x00\\x13\\x02\\x02\\x80\\x04\\x00\\x00\\x00m\\x00\\x00\\x00\\x14\\x02\\x02\\x80\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x15\\x02\\x02\\x80\\x04\\x00\\x00\\x00\\x00\\x00\\x04\\x00\\x02\\x02\\x01\\x80\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 22416
          },
          {
            "timestamp": "2026-05-28 22:02:27,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28bcdab",
            "parentcaller": "0x7ff6c28baa3d",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000ab0"
              }
            ],
            "repeated": 0,
            "id": 22417
          },
          {
            "timestamp": "2026-05-28 22:02:27,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28c1a63",
            "parentcaller": "0x7ff6c28d9152",
            "category": "device",
            "api": "DeviceIoControl",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "DeviceHandle",
                "value": "0x0000089c"
              },
              {
                "name": "IoControlCode",
                "value": "0x00070020"
              },
              {
                "name": "InBuffer",
                "value": ""
              },
              {
                "name": "OutBuffer",
                "value": "\\x00\\x00\\x02v\\x00\\x00\\x00\\x00\\x00&\\xee\n\\x00\\x00\\x00\\x00\\xd2e\\x81 \\x00\\x00\\x00\\x00b.\\xcd\\x14\\x00\\x00\\x00\\x00MC\\xc1&\\x00\\x00\\x00\\x00Iv\\x00\\x00\\xb8\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\xcf\\x04\\x00\\x00\\xf7B\\xf8\\xab\\xed\\xee\\xdc\\x01\\x00\\x00\\x00\\x00P\\x00a\\x00r\\x00t\\x00m\\x00g\\x00r\\x00 \\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 22418
          },
          {
            "timestamp": "2026-05-28 22:02:27,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28ca352",
            "parentcaller": "0x7ff6c28ca1d6",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 22419
          },
          {
            "timestamp": "2026-05-28 22:02:27,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28ca352",
            "parentcaller": "0x7ff6c28ca1d6",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "0",
                "pretty_value": "ThreadBasicInformation"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x03\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb0\\x88\\x9d\\xf0\\x00\\x00\\x00\\xe8\\x1e\\x00\\x00\\x00\\x00\\x00\\x00\\x9c!\\x00\\x00\\x00\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x0b\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "8604"
              }
            ],
            "repeated": 0,
            "id": 22420
          },
          {
            "timestamp": "2026-05-28 22:02:27,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28ca352",
            "parentcaller": "0x7ff6c28ca1d6",
            "category": "system",
            "api": "GetSystemTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 1,
            "id": 22421
          },
          {
            "timestamp": "2026-05-28 22:02:27,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28ca352",
            "parentcaller": "0x7ff6c28ca1d6",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000410"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\PcwDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00224013"
              },
              {
                "name": "InputBuffer",
                "value": "\\x00\t\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": "\\xe0G\\x00\\x00\\x10\\x00\\x00\\x00\\x0c\\x00\\x00\\x00\\x00\\x00\\x00\\x00`\\x14\\x00\\x00 \\x00\\x00\\x00!\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\n\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x98\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x88\\x00\\x00\\x00\\x01\\x00\\x00\\x00p\\x00i\\x00d\\x00_\\x004\\x00_\\x00l\\x00u\\x00i\\x00d\\x00_\\x000\\x00x\\x000\\x000\\x000\\x000\\x000\\x000\\x000\\x000\\x00_\\x000\\x00x\\x000\\x000\\x000\\x000\\x006\\x001\\x006\\x00A\\x00_\\x00p\\x00h\\x00y\\x00s\\x00_\\x000\\x00_\\x00e\\x00n\\x00g\\x00_\\x000\\x00_\\x00e\\x00n\\x00g\\x00t\\x00y\\x00p\\x00e\\x00_\\x003\\x00D\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x01\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x98\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x88\\x00\\x00\\x00\\x01\\x00\\x00\\x00p\\x00i\\x00d\\x00_\\x004\\x00_\\x00l\\x00u\\x00i\\x00d\\x00_\\x000\\x00x\\x000\\x000\\x000\\x000\\x000\\x000\\x000\\x00"
              }
            ],
            "repeated": 0,
            "id": 22422
          },
          {
            "timestamp": "2026-05-28 22:02:27,412",
            "thread_id": "8604",
            "caller": "0x7ff6c28f9829",
            "parentcaller": "0x7ff6c28d8f00",
            "category": "windows",
            "api": "PostMessageW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "WindowHandle",
                "value": "0x000203fa"
              },
              {
                "name": "Message",
                "value": "0x000004e1"
              }
            ],
            "repeated": 0,
            "id": 22423
          },
          {
            "timestamp": "2026-05-28 22:02:27,412",
            "thread_id": "1496",
            "caller": "0x7ff6c2958576",
            "parentcaller": "0x7ff6c2957a42",
            "category": "misc",
            "api": "NtQuerySystemInformation",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SystemInformationClass",
                "value": "3",
                "pretty_value": "FILE_OPEN_IF"
              }
            ],
            "repeated": 0,
            "id": 22424
          },
          {
            "timestamp": "2026-05-28 22:02:27,412",
            "thread_id": "1276",
            "caller": "0x7ff6c28d9214",
            "parentcaller": "0x00000000",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "0",
                "pretty_value": "ThreadBasicInformation"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x03\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xd0\\x87\\x9d\\xf0\\x00\\x00\\x00\\xe8\\x1e\\x00\\x00\\x00\\x00\\x00\\x00\\xfc\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\n\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "1276"
              }
            ],
            "repeated": 0,
            "id": 22425
          },
          {
            "timestamp": "2026-05-28 22:02:27,428",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000000",
                "pretty_value": "HKEY_CLASSES_ROOT"
              },
              {
                "name": "SubKey",
                "value": "CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_CLASSES_ROOT\\CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              }
            ],
            "repeated": 0,
            "id": 22426
          },
          {
            "timestamp": "2026-05-28 22:02:27,428",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "shell32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76730000"
              }
            ],
            "repeated": 0,
            "id": 22427
          },
          {
            "timestamp": "2026-05-28 22:02:27,428",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x7ffc76730000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "shell32.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 22428
          },
          {
            "timestamp": "2026-05-28 22:02:27,428",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "SHELL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc76730000"
              },
              {
                "name": "FunctionName",
                "value": "DllGetClassObject"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc767878f0"
              }
            ],
            "repeated": 0,
            "id": 22429
          },
          {
            "timestamp": "2026-05-28 22:02:27,428",
            "thread_id": "1276",
            "caller": "0x7ff6c28c27c9",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "synchronization",
            "api": "NtFindAtom",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "AtomName",
                "value": "{57086C23-86C6-478F-AFB2-236188C8F47F} 3"
              },
              {
                "name": "Atom",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 22430
          },
          {
            "timestamp": "2026-05-28 22:02:27,428",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000000",
                "pretty_value": "HKEY_CLASSES_ROOT"
              },
              {
                "name": "SubKey",
                "value": "CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_CLASSES_ROOT\\CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              }
            ],
            "repeated": 0,
            "id": 22431
          },
          {
            "timestamp": "2026-05-28 22:02:27,428",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "shell32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76730000"
              }
            ],
            "repeated": 0,
            "id": 22432
          },
          {
            "timestamp": "2026-05-28 22:02:27,428",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x7ffc76730000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "shell32.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 22433
          },
          {
            "timestamp": "2026-05-28 22:02:27,428",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "SHELL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc76730000"
              },
              {
                "name": "FunctionName",
                "value": "DllGetClassObject"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc767878f0"
              }
            ],
            "repeated": 0,
            "id": 22434
          },
          {
            "timestamp": "2026-05-28 22:02:27,428",
            "thread_id": "1276",
            "caller": "0x7ff6c28c27c9",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "synchronization",
            "api": "NtFindAtom",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "AtomName",
                "value": "{57086C23-86C6-478F-AFB2-236188C8F47F} 3"
              },
              {
                "name": "Atom",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 22435
          },
          {
            "timestamp": "2026-05-28 22:02:27,428",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6fb1",
            "parentcaller": "0x7ff6c28e0076",
            "category": "system",
            "api": "NtDelayExecution",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 22436
          },
          {
            "timestamp": "2026-05-28 22:02:27,428",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000000",
                "pretty_value": "HKEY_CLASSES_ROOT"
              },
              {
                "name": "SubKey",
                "value": "CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_CLASSES_ROOT\\CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              }
            ],
            "repeated": 0,
            "id": 22437
          },
          {
            "timestamp": "2026-05-28 22:02:27,428",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "shell32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76730000"
              }
            ],
            "repeated": 0,
            "id": 22438
          },
          {
            "timestamp": "2026-05-28 22:02:27,428",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x7ffc76730000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "shell32.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 22439
          },
          {
            "timestamp": "2026-05-28 22:02:27,428",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "SHELL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc76730000"
              },
              {
                "name": "FunctionName",
                "value": "DllGetClassObject"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc767878f0"
              }
            ],
            "repeated": 0,
            "id": 22440
          },
          {
            "timestamp": "2026-05-28 22:02:27,428",
            "thread_id": "1276",
            "caller": "0x7ff6c28c27c9",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "synchronization",
            "api": "NtFindAtom",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "AtomName",
                "value": "{57086C23-86C6-478F-AFB2-236188C8F47F} 3"
              },
              {
                "name": "Atom",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 22441
          },
          {
            "timestamp": "2026-05-28 22:02:27,428",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000000",
                "pretty_value": "HKEY_CLASSES_ROOT"
              },
              {
                "name": "SubKey",
                "value": "CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_CLASSES_ROOT\\CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              }
            ],
            "repeated": 0,
            "id": 22442
          },
          {
            "timestamp": "2026-05-28 22:02:27,428",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "shell32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76730000"
              }
            ],
            "repeated": 0,
            "id": 22443
          },
          {
            "timestamp": "2026-05-28 22:02:27,428",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x7ffc76730000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "shell32.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 22444
          },
          {
            "timestamp": "2026-05-28 22:02:27,428",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "SHELL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc76730000"
              },
              {
                "name": "FunctionName",
                "value": "DllGetClassObject"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc767878f0"
              }
            ],
            "repeated": 0,
            "id": 22445
          },
          {
            "timestamp": "2026-05-28 22:02:27,428",
            "thread_id": "1276",
            "caller": "0x7ff6c28c27c9",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "synchronization",
            "api": "NtFindAtom",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "AtomName",
                "value": "{57086C23-86C6-478F-AFB2-236188C8F47F} 3"
              },
              {
                "name": "Atom",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 22446
          },
          {
            "timestamp": "2026-05-28 22:02:27,428",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000000",
                "pretty_value": "HKEY_CLASSES_ROOT"
              },
              {
                "name": "SubKey",
                "value": "CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_CLASSES_ROOT\\CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              }
            ],
            "repeated": 0,
            "id": 22447
          },
          {
            "timestamp": "2026-05-28 22:02:27,428",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "shell32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76730000"
              }
            ],
            "repeated": 0,
            "id": 22448
          },
          {
            "timestamp": "2026-05-28 22:02:27,428",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x7ffc76730000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "shell32.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 22449
          },
          {
            "timestamp": "2026-05-28 22:02:27,428",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "SHELL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc76730000"
              },
              {
                "name": "FunctionName",
                "value": "DllGetClassObject"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc767878f0"
              }
            ],
            "repeated": 0,
            "id": 22450
          },
          {
            "timestamp": "2026-05-28 22:02:27,428",
            "thread_id": "1276",
            "caller": "0x7ff6c28c27c9",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "synchronization",
            "api": "NtFindAtom",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "AtomName",
                "value": "{57086C23-86C6-478F-AFB2-236188C8F47F} 3"
              },
              {
                "name": "Atom",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 22451
          },
          {
            "timestamp": "2026-05-28 22:02:27,428",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000000",
                "pretty_value": "HKEY_CLASSES_ROOT"
              },
              {
                "name": "SubKey",
                "value": "CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_CLASSES_ROOT\\CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              }
            ],
            "repeated": 0,
            "id": 22452
          },
          {
            "timestamp": "2026-05-28 22:02:27,428",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "shell32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76730000"
              }
            ],
            "repeated": 0,
            "id": 22453
          },
          {
            "timestamp": "2026-05-28 22:02:27,428",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x7ffc76730000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "shell32.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 22454
          },
          {
            "timestamp": "2026-05-28 22:02:27,428",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "SHELL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc76730000"
              },
              {
                "name": "FunctionName",
                "value": "DllGetClassObject"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc767878f0"
              }
            ],
            "repeated": 0,
            "id": 22455
          },
          {
            "timestamp": "2026-05-28 22:02:27,428",
            "thread_id": "1276",
            "caller": "0x7ff6c28c27c9",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "synchronization",
            "api": "NtFindAtom",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "AtomName",
                "value": "{57086C23-86C6-478F-AFB2-236188C8F47F} 3"
              },
              {
                "name": "Atom",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 22456
          },
          {
            "timestamp": "2026-05-28 22:02:27,428",
            "thread_id": "1276",
            "caller": "0x7ff6c28d9322",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "oleaut32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc77330000"
              }
            ],
            "repeated": 0,
            "id": 22457
          },
          {
            "timestamp": "2026-05-28 22:02:27,428",
            "thread_id": "5448",
            "caller": "0x7ff6c28bb952",
            "parentcaller": "0x7ff6c28be837",
            "category": "windows",
            "api": "PostMessageW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "WindowHandle",
                "value": "0x00010402"
              },
              {
                "name": "Message",
                "value": "0x00000464"
              }
            ],
            "repeated": 0,
            "id": 22458
          },
          {
            "timestamp": "2026-05-28 22:02:27,428",
            "thread_id": "608",
            "caller": "0x7ff6c28d9e90",
            "parentcaller": "0x7ff6c28d9a49",
            "category": "windows",
            "api": "FindWindowW",
            "status": true,
            "return": "0x00010092",
            "arguments": [
              {
                "name": "ClassName",
                "value": "Shell_TrayWnd"
              },
              {
                "name": "WindowName",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 22459
          },
          {
            "timestamp": "2026-05-28 22:02:27,428",
            "thread_id": "2700",
            "caller": "0x7ffc77bf0e98",
            "parentcaller": "0x7ffc77c6b785",
            "category": "windows",
            "api": "PostMessageW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "WindowHandle",
                "value": "0x00010438"
              },
              {
                "name": "Message",
                "value": "0x00000400"
              }
            ],
            "repeated": 0,
            "id": 22460
          },
          {
            "timestamp": "2026-05-28 22:02:27,834",
            "thread_id": "1276",
            "caller": "0x7ffc77bf0e98",
            "parentcaller": "0x7ffc77c6b785",
            "category": "windows",
            "api": "PostMessageW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "WindowHandle",
                "value": "0x00010424"
              },
              {
                "name": "Message",
                "value": "0x00000400"
              }
            ],
            "repeated": 0,
            "id": 22461
          },
          {
            "timestamp": "2026-05-28 22:02:28,428",
            "thread_id": "5448",
            "caller": "0x7ff6c28bd9af",
            "parentcaller": "0x7ff6c28d9f92",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "23"
              },
              {
                "name": "ThreadInformation",
                "value": "f\\xf8\\xaae\\x00\\x00\\x00\\x004\\x8a\\x1d\\xa3Y\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "5448"
              }
            ],
            "repeated": 0,
            "id": 22462
          },
          {
            "timestamp": "2026-05-28 22:02:28,428",
            "thread_id": "5448",
            "caller": "0x7ff6c28c63dd",
            "parentcaller": "0x7ff6c28bac26",
            "category": "misc",
            "api": "NtQuerySystemInformation",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SystemInformationClass",
                "value": "5",
                "pretty_value": "SystemProcessInformation"
              }
            ],
            "repeated": 0,
            "id": 22463
          },
          {
            "timestamp": "2026-05-28 22:02:28,428",
            "thread_id": "5448",
            "caller": "0x7ff6c28bda50",
            "parentcaller": "0x7ff6c28d9f92",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "23"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x18\\x9b\\xece\\x00\\x00\\x00\\x00n\\xa6b\\xa3Y\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "5448"
              }
            ],
            "repeated": 0,
            "id": 22464
          },
          {
            "timestamp": "2026-05-28 22:02:28,428",
            "thread_id": "5448",
            "caller": "0x7ff6c28bdaa2",
            "parentcaller": "0x7ff6c28d9f92",
            "category": "misc",
            "api": "NtQuerySystemInformation",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SystemInformationClass",
                "value": "3",
                "pretty_value": "SystemTimeOfDayInformation"
              }
            ],
            "repeated": 0,
            "id": 22465
          },
          {
            "timestamp": "2026-05-28 22:02:28,428",
            "thread_id": "5448",
            "caller": "0x7ff6c28c4a58",
            "parentcaller": "0x7ff6c28c4bdc",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000410"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\PcwDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00224013"
              },
              {
                "name": "InputBuffer",
                "value": "\\x14\\x04\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": "\\xb8\\x01\\x00\\x00\\x10\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xa8\\x01\\x00\\x00 \\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x000\\x00\\x00\\x0c\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00`\\x00\\x00\\x00\\x00\\x00\\x00\\x00 \\x00\\x00\\x00\\x04\\x00\\x00\\x000\\x00,\\x000\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x04\\x00\\x08\\x00V!\\x83\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x05\\x00\\x08\\x00x\\x14\\x9a\\x01\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x1a\\x00\\x08\\x00\\xfcP{\\xce\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x1b\\x00\\x04\\x00\\xc2\\xe0\\xaf\\x03\\x00\\x00\\x00\\x00`\\x00\\x00\\x00\\x01\\x00\\x00\\x00 \\x00\\x00\\x00\\x04\\x00\\x00\\x000\\x00,\\x001\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x04\\x00\\x08\\x00F\\xf0T\\x01\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x05\\x00\\x08\\x00F\\xc3#\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x1a\\x00\\x08\\x00qx\\xe7\\xd3\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x1b\\x00\\x04\\x00\\xc7\\xe0\\xaf\\x03\\x00\\x00\\x00\\x00h\\x00\\x00\\x00\\x02\\x00\\x00\\x00(\\x00\\x00\\x00\\x04\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 22466
          },
          {
            "timestamp": "2026-05-28 22:02:28,428",
            "thread_id": "5448",
            "caller": "0x7ff6c28c4a58",
            "parentcaller": "0x7ff6c28c4c19",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000410"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\PcwDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00224013"
              },
              {
                "name": "InputBuffer",
                "value": "\\x18\\x04\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": "x\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00h\\x00\\x00\\x00 \\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00H\\x00\\x00\\x00\\x00\\x00\\x00\\x00(\\x00\\x00\\x00\\x02\\x00\\x00\\x00d\\x00e\\x00f\\x00a\\x00u\\x00l\\x00t\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x08\\x00\\x1b\\xce\\xe7\\xa0\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x01\\x00\\x08\\x00\\x002\\xee\\x0c\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 22467
          },
          {
            "timestamp": "2026-05-28 22:02:28,428",
            "thread_id": "5448",
            "caller": "0x7ff6c28c6f7b",
            "parentcaller": "0x7ff6c28bdb94",
            "category": "misc",
            "api": "GlobalMemoryStatusEx",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "MemoryLoad",
                "value": "36"
              },
              {
                "name": "TotalPhysicalMB",
                "value": "8191"
              }
            ],
            "repeated": 0,
            "id": 22468
          },
          {
            "timestamp": "2026-05-28 22:02:28,428",
            "thread_id": "5448",
            "caller": "0x7ff6c28c05ac",
            "parentcaller": "0x7ff6c28bdc11",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a9c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001400",
                "pretty_value": "PROCESS_QUERY_INFORMATION|PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "748"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\148.0.3967.83\\identity_helper.exe"
              }
            ],
            "repeated": 0,
            "id": 22469
          },
          {
            "timestamp": "2026-05-28 22:02:28,428",
            "thread_id": "5448",
            "caller": "0x7ff6c28c068f",
            "parentcaller": "0x7ff6c28bdc11",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a9c"
              }
            ],
            "repeated": 0,
            "id": 22470
          },
          {
            "timestamp": "2026-05-28 22:02:28,428",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c6d7d",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a9c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001400",
                "pretty_value": "PROCESS_QUERY_INFORMATION|PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "748"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\148.0.3967.83\\identity_helper.exe"
              }
            ],
            "repeated": 0,
            "id": 22471
          },
          {
            "timestamp": "2026-05-28 22:02:28,428",
            "thread_id": "5448",
            "caller": "0x7ff6c28c6de3",
            "parentcaller": "0x7ff6c28c087c",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a9c"
              }
            ],
            "repeated": 0,
            "id": 22472
          },
          {
            "timestamp": "2026-05-28 22:02:28,428",
            "thread_id": "8604",
            "caller": "0x7ff6c28c4a58",
            "parentcaller": "0x7ff6c28bab11",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000410"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\PcwDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00224013"
              },
              {
                "name": "InputBuffer",
                "value": "\\x88\\x08\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": "x\\x02\\x00\\x00\\x10\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00h\\x02\\x00\\x00 \\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01<\\x06\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x90\\x00\\x00\\x00\\x00\\x00\\x00\\x00 \\x00\\x00\\x00\\x07\\x00\\x00\\x000\\x00,\\x000\\x00\\x00\\x00a\\x00n\\x00a\\x00g\\x00\\x10\\x00\\x00\\x00\\x10\\x00\\x04\\x00\\x00\\x00\\x00\\x00A\\x00p\\x00\\x10\\x00\\x00\\x00\\x1a\\x00\\x08\\x00+\\x19z\\xce\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x1b\\x00\\x04\\x00\\xa4\\xdd\\xaf\\x03S\\x00e\\x00\\x10\\x00\\x00\\x00\\x1c\\x00\\x08\\x00\\x8b\\xc2\\xc4\\x08\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x1d\\x00\\x04\\x00\\xa4\\xdd\\xaf\\x03)\\x00\\x00\\x00\\x10\\x00\\x00\\x00!\\x00\\x08\\x00\\x01\\x81\\xbd\\xba\\x1d\\x00\\x00\\x00\\x10\\x00\\x00\\x00\"\\x00\\x04\\x00\\xbb\\x94\\x10\\x02o\\x00f\\x00\\x90\\x00\\x00\\x00\\x01\\x00\\x00\\x00 \\x00\\x00\\x00\\x07\\x00\\x00\\x000\\x00,\\x001\\x00\\x00\\x00n\\x00t\\x00\\x00\\x00A\\x00\\x10\\x00\\x00\\x00\\x10\\x00\\x04\\x00\\x00\\x00\\x00\\x00e\\x00n\\x00\\x10\\x00\\x00\\x00\\x1a\\x00\\x08\\x00\\x8e\\xec\\xe7\\xd3\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 22473
          },
          {
            "timestamp": "2026-05-28 22:02:28,428",
            "thread_id": "8604",
            "caller": "0x7ff6c28c7164",
            "parentcaller": "0x7ff6c28c4d2d",
            "category": "misc",
            "api": "NtQuerySystemInformation",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "SystemInformationClass",
                "value": "79"
              }
            ],
            "repeated": 0,
            "id": 22474
          },
          {
            "timestamp": "2026-05-28 22:02:28,428",
            "thread_id": "8604",
            "caller": "0x7ff6c28c71d8",
            "parentcaller": "0x7ff6c28c4d2d",
            "category": "misc",
            "api": "NtQuerySystemInformation",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SystemInformationClass",
                "value": "79"
              }
            ],
            "repeated": 0,
            "id": 22475
          },
          {
            "timestamp": "2026-05-28 22:02:28,428",
            "thread_id": "8604",
            "caller": "0x7ff6c28c4d5f",
            "parentcaller": "0x7ff6c28d9152",
            "category": "misc",
            "api": "NtQuerySystemInformation",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SystemInformationClass",
                "value": "182"
              }
            ],
            "repeated": 0,
            "id": 22476
          },
          {
            "timestamp": "2026-05-28 22:02:28,428",
            "thread_id": "8604",
            "caller": "0x7ff6c28c4d76",
            "parentcaller": "0x7ff6c28d9152",
            "category": "misc",
            "api": "GetPhysicallyInstalledSystemMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TotalMemoryInKilobytes",
                "value": "8388608"
              }
            ],
            "repeated": 0,
            "id": 22477
          },
          {
            "timestamp": "2026-05-28 22:02:28,428",
            "thread_id": "8604",
            "caller": "0x7ff6c28bcc3e",
            "parentcaller": "0x7ff6c28baa3d",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000008a4"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\Nsi"
              },
              {
                "name": "IoControlCode",
                "value": "0x00120007"
              },
              {
                "name": "InputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb1\\xa9t\\xfc\\x7f\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xc0\\xe5O\\x9e\\xf0\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb1\\xa9t\\xfc\\x7f\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xc0\\xe5O\\x9e\\xf0\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 22478
          },
          {
            "timestamp": "2026-05-28 22:02:28,428",
            "thread_id": "8604",
            "caller": "0x7ff6c28bcc3e",
            "parentcaller": "0x7ff6c28baa3d",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a9c"
              }
            ],
            "repeated": 0,
            "id": 22479
          },
          {
            "timestamp": "2026-05-28 22:02:28,428",
            "thread_id": "8604",
            "caller": "0x7ff6c28bcc3e",
            "parentcaller": "0x7ff6c28baa3d",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000008a4"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\Nsi"
              },
              {
                "name": "IoControlCode",
                "value": "0x0012000f"
              },
              {
                "name": "InputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb1\\xa9t\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xd0\\xe5O\\x9e\\xf0\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\xeeO\\x9e\\xf0\\x00\\x00\\x00D\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xe6O\\x9e\\xf0\\x00\\x00\\x00\\xd8\\x00\\x00\\x00\\x00\\x00\\x00\\x00 \\xe9O\\x9e\\xf0\\x00\\x00\\x00X\\x02\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb1\\xa9t\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xd0\\xe5O\\x9e\\xf0\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\xeeO\\x9e\\xf0\\x00\\x00\\x00D\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xe6O\\x9e\\xf0\\x00\\x00\\x00\\xd8\\x00\\x00\\x00\\x00\\x00\\x00\\x00 \\xe9O\\x9e\\xf0\\x00\\x00\\x00X\\x02\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 22480
          },
          {
            "timestamp": "2026-05-28 22:02:28,428",
            "thread_id": "8604",
            "caller": "0x7ff6c28bcc3e",
            "parentcaller": "0x7ff6c28baa3d",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a9c"
              }
            ],
            "repeated": 0,
            "id": 22481
          },
          {
            "timestamp": "2026-05-28 22:02:28,428",
            "thread_id": "8604",
            "caller": "0x7ff6c28bcd3d",
            "parentcaller": "0x7ff6c28baa3d",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000a9c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0012019f",
                "pretty_value": "FILE_GENERIC_READ|FILE_GENERIC_WRITE"
              },
              {
                "name": "FileName",
                "value": "\\Device\\{4C572733-2FBA-4346-9601-F86DBA666EF2}"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 22482
          },
          {
            "timestamp": "2026-05-28 22:02:28,428",
            "thread_id": "8604",
            "caller": "0x7ff6c28bcd94",
            "parentcaller": "0x7ff6c28baa3d",
            "category": "device",
            "api": "DeviceIoControl",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "DeviceHandle",
                "value": "0x00000a9c"
              },
              {
                "name": "IoControlCode",
                "value": "0x0017003e"
              },
              {
                "name": "InBuffer",
                "value": "\\x07\\x01\\x01\\x00\\x04\\x01\\x01\\x80\\x14\\x01\\x01\\x80\\x01\\x01\\x02\\x00\\x02\\x01\\x02\\x00\\x03\\x01\\x02\\x00\\x04\\x01\\x02\\x00\\x08\\x02\\x02\\x80\\x01\\x02\\x02\\x80\\x07\\x02\\x02\\x80\\xff\\xff\\xff\\x80\\x13\\x02\\x02\\x80\\x14\\x02\\x02\\x80\\x15\\x02\\x02\\x80\\x02\\x02\\x01\\x80"
              },
              {
                "name": "OutBuffer",
                "value": "\\x07\\x01\\x01\\x00\\x04\\x00\\x00\\x00\\x80\\x96\\x98\\x00\\x04\\x01\\x01\\x80\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x14\\x01\\x01\\x80\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x01\\x02\\x00\\x08\\x00\\x00\\x00\\xb6\\x15\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x01\\x02\\x00\\x08\\x00\\x00\\x00\\xaeo\\x00\\x00\\x00\\x00\\x00\\x00\\x03\\x01\\x02\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x04\\x01\\x02\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x08\\x02\\x02\\x80\\x08\\x00\\x00\\x00\\xa9o\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x02\\x02\\x80\\x08\\x00\\x00\\x00\\xb3\\xa2U\\x00\\x00\\x00\\x00\\x00\\x07\\x02\\x02\\x80\\x08\\x00\\x00\\x00\\xdb\\x01:\\x02\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\x80\\x04\\x00\\x00\\x00^\\x00\\x00\\x00\\x13\\x02\\x02\\x80\\x04\\x00\\x00\\x00m\\x00\\x00\\x00\\x14\\x02\\x02\\x80\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x15\\x02\\x02\\x80\\x04\\x00\\x00\\x00\\x00\\x00\\x04\\x00\\x02\\x02\\x01\\x80\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 22483
          },
          {
            "timestamp": "2026-05-28 22:02:28,428",
            "thread_id": "8604",
            "caller": "0x7ff6c28bcdab",
            "parentcaller": "0x7ff6c28baa3d",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a9c"
              }
            ],
            "repeated": 0,
            "id": 22484
          },
          {
            "timestamp": "2026-05-28 22:02:28,428",
            "thread_id": "8604",
            "caller": "0x7ff6c28c1a63",
            "parentcaller": "0x7ff6c28d9152",
            "category": "device",
            "api": "DeviceIoControl",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "DeviceHandle",
                "value": "0x0000089c"
              },
              {
                "name": "IoControlCode",
                "value": "0x00070020"
              },
              {
                "name": "InBuffer",
                "value": ""
              },
              {
                "name": "OutBuffer",
                "value": "\\x00\\x04\\x02v\\x00\\x00\\x00\\x00\\x00,\\x10\\x0b\\x00\\x00\\x00\\x000m\\x81 \\x00\\x00\\x00\\x00X\\x90\\xdd\\x14\\x00\\x00\\x00\\x00\\x03gL'\\x00\\x00\\x00\\x00Kv\\x00\\x00\\xbc\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\xcf\\x04\\x00\\x00\\x85\\xd1\\x93\\xac\\xed\\xee\\xdc\\x01\\x00\\x00\\x00\\x00P\\x00a\\x00r\\x00t\\x00m\\x00g\\x00r\\x00 \\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 22485
          },
          {
            "timestamp": "2026-05-28 22:02:28,428",
            "thread_id": "8604",
            "caller": "0x7ff6c28ca352",
            "parentcaller": "0x7ff6c28ca1d6",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 22486
          },
          {
            "timestamp": "2026-05-28 22:02:28,428",
            "thread_id": "8604",
            "caller": "0x7ff6c28ca352",
            "parentcaller": "0x7ff6c28ca1d6",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "0",
                "pretty_value": "ThreadBasicInformation"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x03\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb0\\x88\\x9d\\xf0\\x00\\x00\\x00\\xe8\\x1e\\x00\\x00\\x00\\x00\\x00\\x00\\x9c!\\x00\\x00\\x00\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x0b\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "8604"
              }
            ],
            "repeated": 0,
            "id": 22487
          },
          {
            "timestamp": "2026-05-28 22:02:28,428",
            "thread_id": "8604",
            "caller": "0x7ff6c28ca352",
            "parentcaller": "0x7ff6c28ca1d6",
            "category": "system",
            "api": "GetSystemTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 1,
            "id": 22488
          },
          {
            "timestamp": "2026-05-28 22:02:28,428",
            "thread_id": "8604",
            "caller": "0x7ff6c28ca352",
            "parentcaller": "0x7ff6c28ca1d6",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000410"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\PcwDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00224013"
              },
              {
                "name": "InputBuffer",
                "value": "\\x00\t\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": "\\xe0G\\x00\\x00\\x10\\x00\\x00\\x00\\x0c\\x00\\x00\\x00\\x00\\x00\\x00\\x00`\\x14\\x00\\x00 \\x00\\x00\\x00!\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\n\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x98\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x88\\x00\\x00\\x00\\x01\\x00\\x00\\x00p\\x00i\\x00d\\x00_\\x004\\x00_\\x00l\\x00u\\x00i\\x00d\\x00_\\x000\\x00x\\x000\\x000\\x000\\x000\\x000\\x000\\x000\\x000\\x00_\\x000\\x00x\\x000\\x000\\x000\\x000\\x006\\x001\\x006\\x00A\\x00_\\x00p\\x00h\\x00y\\x00s\\x00_\\x000\\x00_\\x00e\\x00n\\x00g\\x00_\\x000\\x00_\\x00e\\x00n\\x00g\\x00t\\x00y\\x00p\\x00e\\x00_\\x003\\x00D\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x01\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x98\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x88\\x00\\x00\\x00\\x01\\x00\\x00\\x00p\\x00i\\x00d\\x00_\\x004\\x00_\\x00l\\x00u\\x00i\\x00d\\x00_\\x000\\x00x\\x000\\x000\\x000\\x000\\x000\\x000\\x000\\x00"
              }
            ],
            "repeated": 0,
            "id": 22489
          },
          {
            "timestamp": "2026-05-28 22:02:28,428",
            "thread_id": "8604",
            "caller": "0x7ff6c28f9829",
            "parentcaller": "0x7ff6c28d8f00",
            "category": "windows",
            "api": "PostMessageW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "WindowHandle",
                "value": "0x000203fa"
              },
              {
                "name": "Message",
                "value": "0x000004e1"
              }
            ],
            "repeated": 0,
            "id": 22490
          },
          {
            "timestamp": "2026-05-28 22:02:28,428",
            "thread_id": "1496",
            "caller": "0x7ff6c2958576",
            "parentcaller": "0x7ff6c2957a42",
            "category": "misc",
            "api": "NtQuerySystemInformation",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SystemInformationClass",
                "value": "3",
                "pretty_value": "FILE_OPEN_IF"
              }
            ],
            "repeated": 0,
            "id": 22491
          },
          {
            "timestamp": "2026-05-28 22:02:28,443",
            "thread_id": "1276",
            "caller": "0x7ff6c28d9214",
            "parentcaller": "0x00000000",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "0",
                "pretty_value": "ThreadBasicInformation"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x03\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xd0\\x87\\x9d\\xf0\\x00\\x00\\x00\\xe8\\x1e\\x00\\x00\\x00\\x00\\x00\\x00\\xfc\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\n\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "1276"
              }
            ],
            "repeated": 0,
            "id": 22492
          },
          {
            "timestamp": "2026-05-28 22:02:28,443",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000000",
                "pretty_value": "HKEY_CLASSES_ROOT"
              },
              {
                "name": "SubKey",
                "value": "CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_CLASSES_ROOT\\CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              }
            ],
            "repeated": 0,
            "id": 22493
          },
          {
            "timestamp": "2026-05-28 22:02:28,443",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "shell32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76730000"
              }
            ],
            "repeated": 0,
            "id": 22494
          },
          {
            "timestamp": "2026-05-28 22:02:28,443",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x7ffc76730000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "shell32.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 22495
          },
          {
            "timestamp": "2026-05-28 22:02:28,443",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "SHELL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc76730000"
              },
              {
                "name": "FunctionName",
                "value": "DllGetClassObject"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc767878f0"
              }
            ],
            "repeated": 0,
            "id": 22496
          },
          {
            "timestamp": "2026-05-28 22:02:28,443",
            "thread_id": "1276",
            "caller": "0x7ff6c28c27c9",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "synchronization",
            "api": "NtFindAtom",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "AtomName",
                "value": "{57086C23-86C6-478F-AFB2-236188C8F47F} 3"
              },
              {
                "name": "Atom",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 22497
          },
          {
            "timestamp": "2026-05-28 22:02:28,443",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000000",
                "pretty_value": "HKEY_CLASSES_ROOT"
              },
              {
                "name": "SubKey",
                "value": "CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_CLASSES_ROOT\\CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              }
            ],
            "repeated": 0,
            "id": 22498
          },
          {
            "timestamp": "2026-05-28 22:02:28,443",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "shell32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76730000"
              }
            ],
            "repeated": 0,
            "id": 22499
          },
          {
            "timestamp": "2026-05-28 22:02:28,443",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x7ffc76730000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "shell32.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 22500
          },
          {
            "timestamp": "2026-05-28 22:02:28,443",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "SHELL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc76730000"
              },
              {
                "name": "FunctionName",
                "value": "DllGetClassObject"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc767878f0"
              }
            ],
            "repeated": 0,
            "id": 22501
          },
          {
            "timestamp": "2026-05-28 22:02:28,443",
            "thread_id": "1276",
            "caller": "0x7ff6c28c27c9",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "synchronization",
            "api": "NtFindAtom",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "AtomName",
                "value": "{57086C23-86C6-478F-AFB2-236188C8F47F} 3"
              },
              {
                "name": "Atom",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 22502
          },
          {
            "timestamp": "2026-05-28 22:02:28,443",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6fb1",
            "parentcaller": "0x7ff6c28e0076",
            "category": "system",
            "api": "NtDelayExecution",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 22503
          },
          {
            "timestamp": "2026-05-28 22:02:28,443",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000000",
                "pretty_value": "HKEY_CLASSES_ROOT"
              },
              {
                "name": "SubKey",
                "value": "CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_CLASSES_ROOT\\CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              }
            ],
            "repeated": 0,
            "id": 22504
          },
          {
            "timestamp": "2026-05-28 22:02:28,443",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "shell32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76730000"
              }
            ],
            "repeated": 0,
            "id": 22505
          },
          {
            "timestamp": "2026-05-28 22:02:28,443",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x7ffc76730000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "shell32.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 22506
          },
          {
            "timestamp": "2026-05-28 22:02:28,443",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "SHELL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc76730000"
              },
              {
                "name": "FunctionName",
                "value": "DllGetClassObject"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc767878f0"
              }
            ],
            "repeated": 0,
            "id": 22507
          },
          {
            "timestamp": "2026-05-28 22:02:28,443",
            "thread_id": "1276",
            "caller": "0x7ff6c28c27c9",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "synchronization",
            "api": "NtFindAtom",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "AtomName",
                "value": "{57086C23-86C6-478F-AFB2-236188C8F47F} 3"
              },
              {
                "name": "Atom",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 22508
          },
          {
            "timestamp": "2026-05-28 22:02:28,443",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000000",
                "pretty_value": "HKEY_CLASSES_ROOT"
              },
              {
                "name": "SubKey",
                "value": "CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_CLASSES_ROOT\\CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              }
            ],
            "repeated": 0,
            "id": 22509
          },
          {
            "timestamp": "2026-05-28 22:02:28,443",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "shell32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76730000"
              }
            ],
            "repeated": 0,
            "id": 22510
          },
          {
            "timestamp": "2026-05-28 22:02:28,443",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x7ffc76730000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "shell32.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 22511
          },
          {
            "timestamp": "2026-05-28 22:02:28,443",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "SHELL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc76730000"
              },
              {
                "name": "FunctionName",
                "value": "DllGetClassObject"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc767878f0"
              }
            ],
            "repeated": 0,
            "id": 22512
          },
          {
            "timestamp": "2026-05-28 22:02:28,443",
            "thread_id": "1276",
            "caller": "0x7ff6c28c27c9",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "synchronization",
            "api": "NtFindAtom",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "AtomName",
                "value": "{57086C23-86C6-478F-AFB2-236188C8F47F} 3"
              },
              {
                "name": "Atom",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 22513
          },
          {
            "timestamp": "2026-05-28 22:02:28,443",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000000",
                "pretty_value": "HKEY_CLASSES_ROOT"
              },
              {
                "name": "SubKey",
                "value": "CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_CLASSES_ROOT\\CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              }
            ],
            "repeated": 0,
            "id": 22514
          },
          {
            "timestamp": "2026-05-28 22:02:28,443",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "shell32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76730000"
              }
            ],
            "repeated": 0,
            "id": 22515
          },
          {
            "timestamp": "2026-05-28 22:02:28,443",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x7ffc76730000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "shell32.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 22516
          },
          {
            "timestamp": "2026-05-28 22:02:28,443",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "SHELL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc76730000"
              },
              {
                "name": "FunctionName",
                "value": "DllGetClassObject"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc767878f0"
              }
            ],
            "repeated": 0,
            "id": 22517
          },
          {
            "timestamp": "2026-05-28 22:02:28,443",
            "thread_id": "1276",
            "caller": "0x7ff6c28c27c9",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "synchronization",
            "api": "NtFindAtom",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "AtomName",
                "value": "{57086C23-86C6-478F-AFB2-236188C8F47F} 3"
              },
              {
                "name": "Atom",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 22518
          },
          {
            "timestamp": "2026-05-28 22:02:28,443",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000000",
                "pretty_value": "HKEY_CLASSES_ROOT"
              },
              {
                "name": "SubKey",
                "value": "CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_CLASSES_ROOT\\CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              }
            ],
            "repeated": 0,
            "id": 22519
          },
          {
            "timestamp": "2026-05-28 22:02:28,443",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "shell32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76730000"
              }
            ],
            "repeated": 0,
            "id": 22520
          },
          {
            "timestamp": "2026-05-28 22:02:28,443",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x7ffc76730000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "shell32.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 22521
          },
          {
            "timestamp": "2026-05-28 22:02:28,443",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "SHELL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc76730000"
              },
              {
                "name": "FunctionName",
                "value": "DllGetClassObject"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc767878f0"
              }
            ],
            "repeated": 0,
            "id": 22522
          },
          {
            "timestamp": "2026-05-28 22:02:28,443",
            "thread_id": "1276",
            "caller": "0x7ff6c28c27c9",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "synchronization",
            "api": "NtFindAtom",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "AtomName",
                "value": "{57086C23-86C6-478F-AFB2-236188C8F47F} 3"
              },
              {
                "name": "Atom",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 22523
          },
          {
            "timestamp": "2026-05-28 22:02:28,443",
            "thread_id": "1276",
            "caller": "0x7ff6c28d9322",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "oleaut32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc77330000"
              }
            ],
            "repeated": 0,
            "id": 22524
          },
          {
            "timestamp": "2026-05-28 22:02:28,443",
            "thread_id": "5448",
            "caller": "0x7ff6c28bb952",
            "parentcaller": "0x7ff6c28be837",
            "category": "windows",
            "api": "PostMessageW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "WindowHandle",
                "value": "0x00010402"
              },
              {
                "name": "Message",
                "value": "0x00000464"
              }
            ],
            "repeated": 0,
            "id": 22525
          },
          {
            "timestamp": "2026-05-28 22:02:28,443",
            "thread_id": "608",
            "caller": "0x7ff6c28d9e90",
            "parentcaller": "0x7ff6c28d9a49",
            "category": "windows",
            "api": "FindWindowW",
            "status": true,
            "return": "0x00010092",
            "arguments": [
              {
                "name": "ClassName",
                "value": "Shell_TrayWnd"
              },
              {
                "name": "WindowName",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 22526
          },
          {
            "timestamp": "2026-05-28 22:02:28,443",
            "thread_id": "2700",
            "caller": "0x7ffc77bf0e98",
            "parentcaller": "0x7ffc77c6b785",
            "category": "windows",
            "api": "PostMessageW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "WindowHandle",
                "value": "0x00010438"
              },
              {
                "name": "Message",
                "value": "0x00000400"
              }
            ],
            "repeated": 0,
            "id": 22527
          },
          {
            "timestamp": "2026-05-28 22:02:28,725",
            "thread_id": "1276",
            "caller": "0x7ffc77bf0e98",
            "parentcaller": "0x7ffc77c6b785",
            "category": "windows",
            "api": "PostMessageW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "WindowHandle",
                "value": "0x00010424"
              },
              {
                "name": "Message",
                "value": "0x00000400"
              }
            ],
            "repeated": 0,
            "id": 22528
          },
          {
            "timestamp": "2026-05-28 22:02:29,443",
            "thread_id": "5448",
            "caller": "0x7ff6c28bd9af",
            "parentcaller": "0x7ff6c28d9f92",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "23"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x92-\\x13f\\x00\\x00\\x00\\x00hd\\x06\\x83Z\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "5448"
              }
            ],
            "repeated": 0,
            "id": 22529
          },
          {
            "timestamp": "2026-05-28 22:02:29,443",
            "thread_id": "5448",
            "caller": "0x7ff6c28c63dd",
            "parentcaller": "0x7ff6c28bac26",
            "category": "misc",
            "api": "NtQuerySystemInformation",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SystemInformationClass",
                "value": "5",
                "pretty_value": "FILE_OVERWRITE_IF"
              }
            ],
            "repeated": 0,
            "id": 22530
          },
          {
            "timestamp": "2026-05-28 22:02:29,443",
            "thread_id": "5448",
            "caller": "0x7ff6c28bda50",
            "parentcaller": "0x7ff6c28d9f92",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "23"
              },
              {
                "name": "ThreadInformation",
                "value": "\n\\xb5Wf\\x00\\x00\\x00\\x00\\x9c/N\\x83Z\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "5448"
              }
            ],
            "repeated": 0,
            "id": 22531
          },
          {
            "timestamp": "2026-05-28 22:02:29,443",
            "thread_id": "5448",
            "caller": "0x7ff6c28bdaa2",
            "parentcaller": "0x7ff6c28d9f92",
            "category": "misc",
            "api": "NtQuerySystemInformation",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SystemInformationClass",
                "value": "3",
                "pretty_value": "FILE_OPEN_IF"
              }
            ],
            "repeated": 0,
            "id": 22532
          },
          {
            "timestamp": "2026-05-28 22:02:29,443",
            "thread_id": "5448",
            "caller": "0x7ff6c28c4a58",
            "parentcaller": "0x7ff6c28c4bdc",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000410"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\PcwDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00224013"
              },
              {
                "name": "InputBuffer",
                "value": "\\x14\\x04\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": "\\xb8\\x01\\x00\\x00\\x10\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xa8\\x01\\x00\\x00 \\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x000\\x00\\x00\\x0c\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00`\\x00\\x00\\x00\\x00\\x00\\x00\\x00 \\x00\\x00\\x00\\x04\\x00\\x00\\x000\\x00,\\x000\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x04\\x00\\x08\\x00V!\\x83\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x05\\x00\\x08\\x00\\xd2v\\x9c\\x01\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x1a\\x00\\x08\\x00B6G\\xd2\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x1b\\x00\\x04\\x00\\xcf\\x98\\xb9\\x03\\x00\\x00\\x00\\x00`\\x00\\x00\\x00\\x01\\x00\\x00\\x00 \\x00\\x00\\x00\\x04\\x00\\x00\\x000\\x00,\\x001\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x04\\x00\\x08\\x00F\\xf0T\\x01\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x05\\x00\\x08\\x00F\\xc3#\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x1a\\x00\\x08\\x00\\xb7]\\xb3\\xd7\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x1b\\x00\\x04\\x00\\xd5\\x98\\xb9\\x03\\x00\\x00\\x00\\x00h\\x00\\x00\\x00\\x02\\x00\\x00\\x00(\\x00\\x00\\x00\\x04\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 22533
          },
          {
            "timestamp": "2026-05-28 22:02:29,443",
            "thread_id": "5448",
            "caller": "0x7ff6c28c4a58",
            "parentcaller": "0x7ff6c28c4c19",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000410"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\PcwDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00224013"
              },
              {
                "name": "InputBuffer",
                "value": "\\x18\\x04\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": "x\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00h\\x00\\x00\\x00 \\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00H\\x00\\x00\\x00\\x00\\x00\\x00\\x00(\\x00\\x00\\x00\\x02\\x00\\x00\\x00d\\x00e\\x00f\\x00a\\x00u\\x00l\\x00t\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x08\\x00\\x1b\\xd2\\xe7\\xa0\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x01\\x00\\x08\\x00\\x00&\\x0f\r\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 22534
          },
          {
            "timestamp": "2026-05-28 22:02:29,443",
            "thread_id": "5448",
            "caller": "0x7ff6c28c6f7b",
            "parentcaller": "0x7ff6c28bdb94",
            "category": "misc",
            "api": "GlobalMemoryStatusEx",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "MemoryLoad",
                "value": "36"
              },
              {
                "name": "TotalPhysicalMB",
                "value": "8191"
              }
            ],
            "repeated": 0,
            "id": 22535
          },
          {
            "timestamp": "2026-05-28 22:02:29,443",
            "thread_id": "5448",
            "caller": "0x7ff6c28c05ac",
            "parentcaller": "0x7ff6c28bdc11",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a9c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001400",
                "pretty_value": "PROCESS_QUERY_INFORMATION|PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "748"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\148.0.3967.83\\identity_helper.exe"
              }
            ],
            "repeated": 0,
            "id": 22536
          },
          {
            "timestamp": "2026-05-28 22:02:29,443",
            "thread_id": "5448",
            "caller": "0x7ff6c28c068f",
            "parentcaller": "0x7ff6c28bdc11",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a9c"
              }
            ],
            "repeated": 0,
            "id": 22537
          },
          {
            "timestamp": "2026-05-28 22:02:29,443",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c6d7d",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a9c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001400",
                "pretty_value": "PROCESS_QUERY_INFORMATION|PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "748"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\148.0.3967.83\\identity_helper.exe"
              }
            ],
            "repeated": 0,
            "id": 22538
          },
          {
            "timestamp": "2026-05-28 22:02:29,443",
            "thread_id": "5448",
            "caller": "0x7ff6c28c6de3",
            "parentcaller": "0x7ff6c28c087c",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a9c"
              }
            ],
            "repeated": 0,
            "id": 22539
          },
          {
            "timestamp": "2026-05-28 22:02:29,443",
            "thread_id": "8604",
            "caller": "0x7ff6c28c4a58",
            "parentcaller": "0x7ff6c28bab11",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000410"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\PcwDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00224013"
              },
              {
                "name": "InputBuffer",
                "value": "\\x88\\x08\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": "x\\x02\\x00\\x00\\x10\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00h\\x02\\x00\\x00 \\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01<\\x06\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x90\\x00\\x00\\x00\\x00\\x00\\x00\\x00 \\x00\\x00\\x00\\x07\\x00\\x00\\x000\\x00,\\x000\\x00\\x00\\x00a\\x00n\\x00a\\x00g\\x00\\x10\\x00\\x00\\x00\\x10\\x00\\x04\\x00\\x00\\x00\\x00\\x00A\\x00p\\x00\\x10\\x00\\x00\\x00\\x1a\\x00\\x08\\x00t\\x99G\\xd2\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x1b\\x00\\x04\\x00\\xcd\\x99\\xb9\\x03S\\x00e\\x00\\x10\\x00\\x00\\x00\\x1c\\x00\\x08\\x00\\x8b\\xc2\\xc4\\x08\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x1d\\x00\\x04\\x00\\xcd\\x99\\xb9\\x03)\\x00\\x00\\x00\\x10\\x00\\x00\\x00!\\x00\\x08\\x00>\\xc1\\xe8F\\x1e\\x00\\x00\\x00\\x10\\x00\\x00\\x00\"\\x00\\x04\\x00\\xe5P\\x1a\\x02o\\x00f\\x00\\x90\\x00\\x00\\x00\\x01\\x00\\x00\\x00 \\x00\\x00\\x00\\x07\\x00\\x00\\x000\\x00,\\x001\\x00\\x00\\x00n\\x00t\\x00\\x00\\x00A\\x00\\x10\\x00\\x00\\x00\\x10\\x00\\x04\\x00\\x00\\x00\\x00\\x00e\\x00n\\x00\\x10\\x00\\x00\\x00\\x1a\\x00\\x08\\x00\\x0e\\xc0\\xb3\\xd7\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 22540
          },
          {
            "timestamp": "2026-05-28 22:02:29,443",
            "thread_id": "8604",
            "caller": "0x7ff6c28c7164",
            "parentcaller": "0x7ff6c28c4d2d",
            "category": "misc",
            "api": "NtQuerySystemInformation",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "SystemInformationClass",
                "value": "79"
              }
            ],
            "repeated": 0,
            "id": 22541
          },
          {
            "timestamp": "2026-05-28 22:02:29,443",
            "thread_id": "8604",
            "caller": "0x7ff6c28c71d8",
            "parentcaller": "0x7ff6c28c4d2d",
            "category": "misc",
            "api": "NtQuerySystemInformation",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SystemInformationClass",
                "value": "79"
              }
            ],
            "repeated": 0,
            "id": 22542
          },
          {
            "timestamp": "2026-05-28 22:02:29,443",
            "thread_id": "8604",
            "caller": "0x7ff6c28c4d5f",
            "parentcaller": "0x7ff6c28d9152",
            "category": "misc",
            "api": "NtQuerySystemInformation",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SystemInformationClass",
                "value": "182"
              }
            ],
            "repeated": 0,
            "id": 22543
          },
          {
            "timestamp": "2026-05-28 22:02:29,443",
            "thread_id": "8604",
            "caller": "0x7ff6c28c4d76",
            "parentcaller": "0x7ff6c28d9152",
            "category": "misc",
            "api": "GetPhysicallyInstalledSystemMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TotalMemoryInKilobytes",
                "value": "8388608"
              }
            ],
            "repeated": 0,
            "id": 22544
          },
          {
            "timestamp": "2026-05-28 22:02:29,443",
            "thread_id": "8604",
            "caller": "0x7ff6c28bcc3e",
            "parentcaller": "0x7ff6c28baa3d",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000008a4"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\Nsi"
              },
              {
                "name": "IoControlCode",
                "value": "0x00120007"
              },
              {
                "name": "InputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb1\\xa9t\\xfc\\x7f\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xc0\\xe5O\\x9e\\xf0\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb1\\xa9t\\xfc\\x7f\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xc0\\xe5O\\x9e\\xf0\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 22545
          },
          {
            "timestamp": "2026-05-28 22:02:29,443",
            "thread_id": "8604",
            "caller": "0x7ff6c28bcc3e",
            "parentcaller": "0x7ff6c28baa3d",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a9c"
              }
            ],
            "repeated": 0,
            "id": 22546
          },
          {
            "timestamp": "2026-05-28 22:02:29,443",
            "thread_id": "8604",
            "caller": "0x7ff6c28bcc3e",
            "parentcaller": "0x7ff6c28baa3d",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000008a4"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\Nsi"
              },
              {
                "name": "IoControlCode",
                "value": "0x0012000f"
              },
              {
                "name": "InputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb1\\xa9t\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xd0\\xe5O\\x9e\\xf0\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\xeeO\\x9e\\xf0\\x00\\x00\\x00D\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xe6O\\x9e\\xf0\\x00\\x00\\x00\\xd8\\x00\\x00\\x00\\x00\\x00\\x00\\x00 \\xe9O\\x9e\\xf0\\x00\\x00\\x00X\\x02\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb1\\xa9t\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xd0\\xe5O\\x9e\\xf0\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\xeeO\\x9e\\xf0\\x00\\x00\\x00D\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xe6O\\x9e\\xf0\\x00\\x00\\x00\\xd8\\x00\\x00\\x00\\x00\\x00\\x00\\x00 \\xe9O\\x9e\\xf0\\x00\\x00\\x00X\\x02\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 22547
          },
          {
            "timestamp": "2026-05-28 22:02:29,443",
            "thread_id": "8604",
            "caller": "0x7ff6c28bcc3e",
            "parentcaller": "0x7ff6c28baa3d",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a9c"
              }
            ],
            "repeated": 0,
            "id": 22548
          },
          {
            "timestamp": "2026-05-28 22:02:29,443",
            "thread_id": "8604",
            "caller": "0x7ff6c28bcd3d",
            "parentcaller": "0x7ff6c28baa3d",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000a9c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0012019f",
                "pretty_value": "FILE_GENERIC_READ|FILE_GENERIC_WRITE"
              },
              {
                "name": "FileName",
                "value": "\\Device\\{4C572733-2FBA-4346-9601-F86DBA666EF2}"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 22549
          },
          {
            "timestamp": "2026-05-28 22:02:29,443",
            "thread_id": "8604",
            "caller": "0x7ff6c28bcd94",
            "parentcaller": "0x7ff6c28baa3d",
            "category": "device",
            "api": "DeviceIoControl",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "DeviceHandle",
                "value": "0x00000a9c"
              },
              {
                "name": "IoControlCode",
                "value": "0x0017003e"
              },
              {
                "name": "InBuffer",
                "value": "\\x07\\x01\\x01\\x00\\x04\\x01\\x01\\x80\\x14\\x01\\x01\\x80\\x01\\x01\\x02\\x00\\x02\\x01\\x02\\x00\\x03\\x01\\x02\\x00\\x04\\x01\\x02\\x00\\x08\\x02\\x02\\x80\\x01\\x02\\x02\\x80\\x07\\x02\\x02\\x80\\xff\\xff\\xff\\x80\\x13\\x02\\x02\\x80\\x14\\x02\\x02\\x80\\x15\\x02\\x02\\x80\\x02\\x02\\x01\\x80"
              },
              {
                "name": "OutBuffer",
                "value": "\\x07\\x01\\x01\\x00\\x04\\x00\\x00\\x00\\x80\\x96\\x98\\x00\\x04\\x01\\x01\\x80\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x14\\x01\\x01\\x80\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x01\\x02\\x00\\x08\\x00\\x00\\x00\\xc1\\x15\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x01\\x02\\x00\\x08\\x00\\x00\\x00\\xeeo\\x00\\x00\\x00\\x00\\x00\\x00\\x03\\x01\\x02\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x04\\x01\\x02\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x08\\x02\\x02\\x80\\x08\\x00\\x00\\x00\\xe9o\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x02\\x02\\x80\\x08\\x00\\x00\\x00-\\xa7U\\x00\\x00\\x00\\x00\\x00\\x07\\x02\\x02\\x80\\x08\\x00\\x00\\x00\\x113;\\x02\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\x80\\x04\\x00\\x00\\x00_\\x00\\x00\\x00\\x13\\x02\\x02\\x80\\x04\\x00\\x00\\x00m\\x00\\x00\\x00\\x14\\x02\\x02\\x80\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x15\\x02\\x02\\x80\\x04\\x00\\x00\\x00\\x00\\x00\\x04\\x00\\x02\\x02\\x01\\x80\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 22550
          },
          {
            "timestamp": "2026-05-28 22:02:29,443",
            "thread_id": "8604",
            "caller": "0x7ff6c28bcdab",
            "parentcaller": "0x7ff6c28baa3d",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a9c"
              }
            ],
            "repeated": 0,
            "id": 22551
          },
          {
            "timestamp": "2026-05-28 22:02:29,443",
            "thread_id": "8604",
            "caller": "0x7ff6c28c1a63",
            "parentcaller": "0x7ff6c28d9152",
            "category": "device",
            "api": "DeviceIoControl",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "DeviceHandle",
                "value": "0x0000089c"
              },
              {
                "name": "IoControlCode",
                "value": "0x00070020"
              },
              {
                "name": "InBuffer",
                "value": ""
              },
              {
                "name": "OutBuffer",
                "value": "\\x00\\x08\\x02v\\x00\\x00\\x00\\x00\\x00 1\\x0b\\x00\\x00\\x00\\x00\rw\\x81 \\x00\\x00\\x00\\x00w}\\xea\\x14\\x00\\x00\\x00\\x00w\\x9e\\xd8'\\x00\\x00\\x00\\x00Mv\\x00\\x00\\xc9\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\xd1\\x04\\x00\\x00_O/\\xad\\xed\\xee\\xdc\\x01\\x00\\x00\\x00\\x00P\\x00a\\x00r\\x00t\\x00m\\x00g\\x00r\\x00 \\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 22552
          },
          {
            "timestamp": "2026-05-28 22:02:29,443",
            "thread_id": "8604",
            "caller": "0x7ff6c28ca352",
            "parentcaller": "0x7ff6c28ca1d6",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 22553
          },
          {
            "timestamp": "2026-05-28 22:02:29,443",
            "thread_id": "8604",
            "caller": "0x7ff6c28ca352",
            "parentcaller": "0x7ff6c28ca1d6",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "0",
                "pretty_value": "ThreadBasicInformation"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x03\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb0\\x88\\x9d\\xf0\\x00\\x00\\x00\\xe8\\x1e\\x00\\x00\\x00\\x00\\x00\\x00\\x9c!\\x00\\x00\\x00\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x0b\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "8604"
              }
            ],
            "repeated": 0,
            "id": 22554
          },
          {
            "timestamp": "2026-05-28 22:02:29,443",
            "thread_id": "8604",
            "caller": "0x7ff6c28ca352",
            "parentcaller": "0x7ff6c28ca1d6",
            "category": "system",
            "api": "GetSystemTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 1,
            "id": 22555
          },
          {
            "timestamp": "2026-05-28 22:02:29,443",
            "thread_id": "8604",
            "caller": "0x7ff6c28ca352",
            "parentcaller": "0x7ff6c28ca1d6",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000410"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\PcwDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00224013"
              },
              {
                "name": "InputBuffer",
                "value": "\\x00\t\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": "\\xe0G\\x00\\x00\\x10\\x00\\x00\\x00\\x0c\\x00\\x00\\x00\\x00\\x00\\x00\\x00`\\x14\\x00\\x00 \\x00\\x00\\x00!\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\n\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x98\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x88\\x00\\x00\\x00\\x01\\x00\\x00\\x00p\\x00i\\x00d\\x00_\\x004\\x00_\\x00l\\x00u\\x00i\\x00d\\x00_\\x000\\x00x\\x000\\x000\\x000\\x000\\x000\\x000\\x000\\x000\\x00_\\x000\\x00x\\x000\\x000\\x000\\x000\\x006\\x001\\x006\\x00A\\x00_\\x00p\\x00h\\x00y\\x00s\\x00_\\x000\\x00_\\x00e\\x00n\\x00g\\x00_\\x000\\x00_\\x00e\\x00n\\x00g\\x00t\\x00y\\x00p\\x00e\\x00_\\x003\\x00D\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x01\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x98\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x88\\x00\\x00\\x00\\x01\\x00\\x00\\x00p\\x00i\\x00d\\x00_\\x004\\x00_\\x00l\\x00u\\x00i\\x00d\\x00_\\x000\\x00x\\x000\\x000\\x000\\x000\\x000\\x000\\x000\\x00"
              }
            ],
            "repeated": 0,
            "id": 22556
          },
          {
            "timestamp": "2026-05-28 22:02:29,443",
            "thread_id": "8604",
            "caller": "0x7ff6c28f9829",
            "parentcaller": "0x7ff6c28d8f00",
            "category": "windows",
            "api": "PostMessageW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "WindowHandle",
                "value": "0x000203fa"
              },
              {
                "name": "Message",
                "value": "0x000004e1"
              }
            ],
            "repeated": 0,
            "id": 22557
          },
          {
            "timestamp": "2026-05-28 22:02:29,443",
            "thread_id": "1496",
            "caller": "0x7ff6c2958576",
            "parentcaller": "0x7ff6c2957a42",
            "category": "misc",
            "api": "NtQuerySystemInformation",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SystemInformationClass",
                "value": "3",
                "pretty_value": "FILE_OPEN_IF"
              }
            ],
            "repeated": 0,
            "id": 22558
          },
          {
            "timestamp": "2026-05-28 22:02:29,459",
            "thread_id": "1276",
            "caller": "0x7ff6c28d9214",
            "parentcaller": "0x00000000",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "0",
                "pretty_value": "ThreadBasicInformation"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x03\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xd0\\x87\\x9d\\xf0\\x00\\x00\\x00\\xe8\\x1e\\x00\\x00\\x00\\x00\\x00\\x00\\xfc\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\n\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "1276"
              }
            ],
            "repeated": 0,
            "id": 22559
          },
          {
            "timestamp": "2026-05-28 22:02:29,459",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000000",
                "pretty_value": "HKEY_CLASSES_ROOT"
              },
              {
                "name": "SubKey",
                "value": "CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_CLASSES_ROOT\\CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              }
            ],
            "repeated": 0,
            "id": 22560
          },
          {
            "timestamp": "2026-05-28 22:02:29,459",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "shell32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76730000"
              }
            ],
            "repeated": 0,
            "id": 22561
          },
          {
            "timestamp": "2026-05-28 22:02:29,459",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x7ffc76730000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "shell32.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 22562
          },
          {
            "timestamp": "2026-05-28 22:02:29,459",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "SHELL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc76730000"
              },
              {
                "name": "FunctionName",
                "value": "DllGetClassObject"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc767878f0"
              }
            ],
            "repeated": 0,
            "id": 22563
          },
          {
            "timestamp": "2026-05-28 22:02:29,459",
            "thread_id": "1276",
            "caller": "0x7ff6c28c27c9",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "synchronization",
            "api": "NtFindAtom",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "AtomName",
                "value": "{57086C23-86C6-478F-AFB2-236188C8F47F} 3"
              },
              {
                "name": "Atom",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 22564
          },
          {
            "timestamp": "2026-05-28 22:02:29,459",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000000",
                "pretty_value": "HKEY_CLASSES_ROOT"
              },
              {
                "name": "SubKey",
                "value": "CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_CLASSES_ROOT\\CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              }
            ],
            "repeated": 0,
            "id": 22565
          },
          {
            "timestamp": "2026-05-28 22:02:29,459",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "shell32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76730000"
              }
            ],
            "repeated": 0,
            "id": 22566
          },
          {
            "timestamp": "2026-05-28 22:02:29,459",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x7ffc76730000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "shell32.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 22567
          },
          {
            "timestamp": "2026-05-28 22:02:29,459",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "SHELL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc76730000"
              },
              {
                "name": "FunctionName",
                "value": "DllGetClassObject"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc767878f0"
              }
            ],
            "repeated": 0,
            "id": 22568
          },
          {
            "timestamp": "2026-05-28 22:02:29,459",
            "thread_id": "1276",
            "caller": "0x7ff6c28c27c9",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "synchronization",
            "api": "NtFindAtom",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "AtomName",
                "value": "{57086C23-86C6-478F-AFB2-236188C8F47F} 3"
              },
              {
                "name": "Atom",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 22569
          },
          {
            "timestamp": "2026-05-28 22:02:29,459",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6fb1",
            "parentcaller": "0x7ff6c28e0076",
            "category": "system",
            "api": "NtDelayExecution",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 22570
          },
          {
            "timestamp": "2026-05-28 22:02:29,459",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000000",
                "pretty_value": "HKEY_CLASSES_ROOT"
              },
              {
                "name": "SubKey",
                "value": "CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_CLASSES_ROOT\\CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              }
            ],
            "repeated": 0,
            "id": 22571
          },
          {
            "timestamp": "2026-05-28 22:02:29,459",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "shell32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76730000"
              }
            ],
            "repeated": 0,
            "id": 22572
          },
          {
            "timestamp": "2026-05-28 22:02:29,459",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x7ffc76730000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "shell32.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 22573
          },
          {
            "timestamp": "2026-05-28 22:02:29,459",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "SHELL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc76730000"
              },
              {
                "name": "FunctionName",
                "value": "DllGetClassObject"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc767878f0"
              }
            ],
            "repeated": 0,
            "id": 22574
          },
          {
            "timestamp": "2026-05-28 22:02:29,459",
            "thread_id": "1276",
            "caller": "0x7ff6c28c27c9",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "synchronization",
            "api": "NtFindAtom",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "AtomName",
                "value": "{57086C23-86C6-478F-AFB2-236188C8F47F} 3"
              },
              {
                "name": "Atom",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 22575
          },
          {
            "timestamp": "2026-05-28 22:02:29,459",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000000",
                "pretty_value": "HKEY_CLASSES_ROOT"
              },
              {
                "name": "SubKey",
                "value": "CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_CLASSES_ROOT\\CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              }
            ],
            "repeated": 0,
            "id": 22576
          },
          {
            "timestamp": "2026-05-28 22:02:29,459",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "shell32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76730000"
              }
            ],
            "repeated": 0,
            "id": 22577
          },
          {
            "timestamp": "2026-05-28 22:02:29,459",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x7ffc76730000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "shell32.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 22578
          },
          {
            "timestamp": "2026-05-28 22:02:29,459",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "SHELL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc76730000"
              },
              {
                "name": "FunctionName",
                "value": "DllGetClassObject"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc767878f0"
              }
            ],
            "repeated": 0,
            "id": 22579
          },
          {
            "timestamp": "2026-05-28 22:02:29,459",
            "thread_id": "1276",
            "caller": "0x7ff6c28c27c9",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "synchronization",
            "api": "NtFindAtom",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "AtomName",
                "value": "{57086C23-86C6-478F-AFB2-236188C8F47F} 3"
              },
              {
                "name": "Atom",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 22580
          },
          {
            "timestamp": "2026-05-28 22:02:29,459",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000000",
                "pretty_value": "HKEY_CLASSES_ROOT"
              },
              {
                "name": "SubKey",
                "value": "CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_CLASSES_ROOT\\CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              }
            ],
            "repeated": 0,
            "id": 22581
          },
          {
            "timestamp": "2026-05-28 22:02:29,459",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "shell32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76730000"
              }
            ],
            "repeated": 0,
            "id": 22582
          },
          {
            "timestamp": "2026-05-28 22:02:29,459",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x7ffc76730000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "shell32.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 22583
          },
          {
            "timestamp": "2026-05-28 22:02:29,459",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "SHELL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc76730000"
              },
              {
                "name": "FunctionName",
                "value": "DllGetClassObject"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc767878f0"
              }
            ],
            "repeated": 0,
            "id": 22584
          },
          {
            "timestamp": "2026-05-28 22:02:29,459",
            "thread_id": "1276",
            "caller": "0x7ff6c28c27c9",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "synchronization",
            "api": "NtFindAtom",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "AtomName",
                "value": "{57086C23-86C6-478F-AFB2-236188C8F47F} 3"
              },
              {
                "name": "Atom",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 22585
          },
          {
            "timestamp": "2026-05-28 22:02:29,459",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000000",
                "pretty_value": "HKEY_CLASSES_ROOT"
              },
              {
                "name": "SubKey",
                "value": "CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_CLASSES_ROOT\\CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              }
            ],
            "repeated": 0,
            "id": 22586
          },
          {
            "timestamp": "2026-05-28 22:02:29,459",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "shell32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76730000"
              }
            ],
            "repeated": 0,
            "id": 22587
          },
          {
            "timestamp": "2026-05-28 22:02:29,459",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x7ffc76730000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "shell32.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 22588
          },
          {
            "timestamp": "2026-05-28 22:02:29,459",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "SHELL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc76730000"
              },
              {
                "name": "FunctionName",
                "value": "DllGetClassObject"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc767878f0"
              }
            ],
            "repeated": 0,
            "id": 22589
          },
          {
            "timestamp": "2026-05-28 22:02:29,459",
            "thread_id": "1276",
            "caller": "0x7ff6c28c27c9",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "synchronization",
            "api": "NtFindAtom",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "AtomName",
                "value": "{57086C23-86C6-478F-AFB2-236188C8F47F} 3"
              },
              {
                "name": "Atom",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 22590
          },
          {
            "timestamp": "2026-05-28 22:02:29,459",
            "thread_id": "1276",
            "caller": "0x7ff6c28d9322",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "oleaut32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc77330000"
              }
            ],
            "repeated": 0,
            "id": 22591
          },
          {
            "timestamp": "2026-05-28 22:02:29,459",
            "thread_id": "5448",
            "caller": "0x7ff6c28bb952",
            "parentcaller": "0x7ff6c28be837",
            "category": "windows",
            "api": "PostMessageW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "WindowHandle",
                "value": "0x00010402"
              },
              {
                "name": "Message",
                "value": "0x00000464"
              }
            ],
            "repeated": 0,
            "id": 22592
          },
          {
            "timestamp": "2026-05-28 22:02:29,459",
            "thread_id": "608",
            "caller": "0x7ff6c28d9e90",
            "parentcaller": "0x7ff6c28d9a49",
            "category": "windows",
            "api": "FindWindowW",
            "status": true,
            "return": "0x00010092",
            "arguments": [
              {
                "name": "ClassName",
                "value": "Shell_TrayWnd"
              },
              {
                "name": "WindowName",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 22593
          },
          {
            "timestamp": "2026-05-28 22:02:29,459",
            "thread_id": "2700",
            "caller": "0x7ffc77bf0e98",
            "parentcaller": "0x7ffc77c6b785",
            "category": "windows",
            "api": "PostMessageW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "WindowHandle",
                "value": "0x00010438"
              },
              {
                "name": "Message",
                "value": "0x00000400"
              }
            ],
            "repeated": 0,
            "id": 22594
          },
          {
            "timestamp": "2026-05-28 22:02:29,771",
            "thread_id": "1276",
            "caller": "0x7ffc77bf0e98",
            "parentcaller": "0x7ffc77c6b785",
            "category": "windows",
            "api": "PostMessageW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "WindowHandle",
                "value": "0x00010424"
              },
              {
                "name": "Message",
                "value": "0x00000400"
              }
            ],
            "repeated": 0,
            "id": 22595
          },
          {
            "timestamp": "2026-05-28 22:02:30,459",
            "thread_id": "5448",
            "caller": "0x7ff6c28bd9af",
            "parentcaller": "0x7ff6c28d9f92",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "23"
              },
              {
                "name": "ThreadInformation",
                "value": "dmzf\\x00\\x00\\x00\\x00&\\x00\\x98a[\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "5448"
              }
            ],
            "repeated": 0,
            "id": 22596
          },
          {
            "timestamp": "2026-05-28 22:02:30,459",
            "thread_id": "5448",
            "caller": "0x7ff6c28c63dd",
            "parentcaller": "0x7ff6c28bac26",
            "category": "misc",
            "api": "NtQuerySystemInformation",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SystemInformationClass",
                "value": "5",
                "pretty_value": "FILE_OVERWRITE_IF"
              }
            ],
            "repeated": 0,
            "id": 22597
          },
          {
            "timestamp": "2026-05-28 22:02:30,459",
            "thread_id": "5448",
            "caller": "0x7ff6c28bda50",
            "parentcaller": "0x7ff6c28d9f92",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "23"
              },
              {
                "name": "ThreadInformation",
                "value": "\"\\xf1\\xcdf\\x00\\x00\\x00\\x00f\\x85\\xeba[\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "5448"
              }
            ],
            "repeated": 0,
            "id": 22598
          },
          {
            "timestamp": "2026-05-28 22:02:30,459",
            "thread_id": "5448",
            "caller": "0x7ff6c28bdaa2",
            "parentcaller": "0x7ff6c28d9f92",
            "category": "misc",
            "api": "NtQuerySystemInformation",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SystemInformationClass",
                "value": "3",
                "pretty_value": "FILE_OPEN_IF"
              }
            ],
            "repeated": 0,
            "id": 22599
          },
          {
            "timestamp": "2026-05-28 22:02:30,459",
            "thread_id": "5448",
            "caller": "0x7ff6c28c4a58",
            "parentcaller": "0x7ff6c28c4bdc",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000410"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\PcwDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00224013"
              },
              {
                "name": "InputBuffer",
                "value": "\\x14\\x04\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": "\\xb8\\x01\\x00\\x00\\x10\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xa8\\x01\\x00\\x00 \\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x000\\x00\\x00\\x0c\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00`\\x00\\x00\\x00\\x00\\x00\\x00\\x00 \\x00\\x00\\x00\\x04\\x00\\x00\\x000\\x00,\\x000\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x04\\x00\\x08\\x00V!\\x83\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x05\\x00\\x08\\x00\\x86;\\xa1\\x01\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x1a\\x00\\x08\\x00\\x14\\x96\r\\xd6\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x1b\\x00\\x04\\x00\\xbaB\\xc3\\x03\\x00\\x00\\x00\\x00`\\x00\\x00\\x00\\x01\\x00\\x00\\x00 \\x00\\x00\\x00\\x04\\x00\\x00\\x000\\x00,\\x001\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x04\\x00\\x08\\x00F\\xf0T\\x01\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x05\\x00\\x08\\x00F\\xc3#\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x1a\\x00\\x08\\x00\\xf9\\xbdy\\xdb\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x1b\\x00\\x04\\x00\\xc1B\\xc3\\x03\\x00\\x00\\x00\\x00h\\x00\\x00\\x00\\x02\\x00\\x00\\x00(\\x00\\x00\\x00\\x04\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 22600
          },
          {
            "timestamp": "2026-05-28 22:02:30,459",
            "thread_id": "5448",
            "caller": "0x7ff6c28c4a58",
            "parentcaller": "0x7ff6c28c4c19",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000410"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\PcwDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00224013"
              },
              {
                "name": "InputBuffer",
                "value": "\\x18\\x04\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": "x\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00h\\x00\\x00\\x00 \\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00H\\x00\\x00\\x00\\x00\\x00\\x00\\x00(\\x00\\x00\\x00\\x02\\x00\\x00\\x00d\\x00e\\x00f\\x00a\\x00u\\x00l\\x00t\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x08\\x00\\x1b\\xe4\\xe7\\xa0\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x01\\x00\\x08\\x00\\x00(\\x1f\r\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 22601
          },
          {
            "timestamp": "2026-05-28 22:02:30,459",
            "thread_id": "5448",
            "caller": "0x7ff6c28c6f7b",
            "parentcaller": "0x7ff6c28bdb94",
            "category": "misc",
            "api": "GlobalMemoryStatusEx",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "MemoryLoad",
                "value": "36"
              },
              {
                "name": "TotalPhysicalMB",
                "value": "8191"
              }
            ],
            "repeated": 0,
            "id": 22602
          },
          {
            "timestamp": "2026-05-28 22:02:30,459",
            "thread_id": "5448",
            "caller": "0x7ff6c28c05ac",
            "parentcaller": "0x7ff6c28bdc11",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000ab0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001400",
                "pretty_value": "PROCESS_QUERY_INFORMATION|PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "748"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\148.0.3967.83\\identity_helper.exe"
              }
            ],
            "repeated": 0,
            "id": 22603
          },
          {
            "timestamp": "2026-05-28 22:02:30,459",
            "thread_id": "5448",
            "caller": "0x7ff6c28c068f",
            "parentcaller": "0x7ff6c28bdc11",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000ab0"
              }
            ],
            "repeated": 0,
            "id": 22604
          },
          {
            "timestamp": "2026-05-28 22:02:30,459",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c6d7d",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000ab0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001400",
                "pretty_value": "PROCESS_QUERY_INFORMATION|PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "748"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\148.0.3967.83\\identity_helper.exe"
              }
            ],
            "repeated": 0,
            "id": 22605
          },
          {
            "timestamp": "2026-05-28 22:02:30,459",
            "thread_id": "5448",
            "caller": "0x7ff6c28c6de3",
            "parentcaller": "0x7ff6c28c087c",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000ab0"
              }
            ],
            "repeated": 0,
            "id": 22606
          },
          {
            "timestamp": "2026-05-28 22:02:30,459",
            "thread_id": "8604",
            "caller": "0x7ff6c28c4a58",
            "parentcaller": "0x7ff6c28bab11",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000410"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\PcwDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00224013"
              },
              {
                "name": "InputBuffer",
                "value": "\\x88\\x08\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": "x\\x02\\x00\\x00\\x10\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00h\\x02\\x00\\x00 \\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01<\\x06\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x90\\x00\\x00\\x00\\x00\\x00\\x00\\x00 \\x00\\x00\\x00\\x07\\x00\\x00\\x000\\x00,\\x000\\x00\\x00\\x00a\\x00n\\x00a\\x00g\\x00\\x10\\x00\\x00\\x00\\x10\\x00\\x04\\x00\\x00\\x00\\x00\\x00A\\x00p\\x00\\x10\\x00\\x00\\x00\\x1a\\x00\\x08\\x00\\xf5\\x96\r\\xd6\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x1b\\x00\\x04\\x00\\xbdB\\xc3\\x03S\\x00e\\x00\\x10\\x00\\x00\\x00\\x1c\\x00\\x08\\x00\\x8b\\xc2\\xc4\\x08\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x1d\\x00\\x04\\x00\\xbdB\\xc3\\x03)\\x00\\x00\\x00\\x10\\x00\\x00\\x00!\\x00\\x08\\x00\\xde'\\xff\\xd1\\x1e\\x00\\x00\\x00\\x10\\x00\\x00\\x00\"\\x00\\x04\\x00\\xd4\\xf9#\\x02o\\x00f\\x00\\x90\\x00\\x00\\x00\\x01\\x00\\x00\\x00 \\x00\\x00\\x00\\x07\\x00\\x00\\x000\\x00,\\x001\\x00\\x00\\x00n\\x00t\\x00\\x00\\x00A\\x00\\x10\\x00\\x00\\x00\\x10\\x00\\x04\\x00\\x00\\x00\\x00\\x00e\\x00n\\x00\\x10\\x00\\x00\\x00\\x1a\\x00\\x08\\x00\\x9e\\x13z\\xdb\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 22607
          },
          {
            "timestamp": "2026-05-28 22:02:30,459",
            "thread_id": "8604",
            "caller": "0x7ff6c28c7164",
            "parentcaller": "0x7ff6c28c4d2d",
            "category": "misc",
            "api": "NtQuerySystemInformation",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "SystemInformationClass",
                "value": "79"
              }
            ],
            "repeated": 0,
            "id": 22608
          },
          {
            "timestamp": "2026-05-28 22:02:30,459",
            "thread_id": "8604",
            "caller": "0x7ff6c28c71d8",
            "parentcaller": "0x7ff6c28c4d2d",
            "category": "misc",
            "api": "NtQuerySystemInformation",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SystemInformationClass",
                "value": "79"
              }
            ],
            "repeated": 0,
            "id": 22609
          },
          {
            "timestamp": "2026-05-28 22:02:30,459",
            "thread_id": "8604",
            "caller": "0x7ff6c28c4d5f",
            "parentcaller": "0x7ff6c28d9152",
            "category": "misc",
            "api": "NtQuerySystemInformation",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SystemInformationClass",
                "value": "182"
              }
            ],
            "repeated": 0,
            "id": 22610
          },
          {
            "timestamp": "2026-05-28 22:02:30,459",
            "thread_id": "8604",
            "caller": "0x7ff6c28c4d76",
            "parentcaller": "0x7ff6c28d9152",
            "category": "misc",
            "api": "GetPhysicallyInstalledSystemMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TotalMemoryInKilobytes",
                "value": "8388608"
              }
            ],
            "repeated": 0,
            "id": 22611
          },
          {
            "timestamp": "2026-05-28 22:02:30,459",
            "thread_id": "8604",
            "caller": "0x7ff6c28bcc3e",
            "parentcaller": "0x7ff6c28baa3d",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000008a4"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\Nsi"
              },
              {
                "name": "IoControlCode",
                "value": "0x00120007"
              },
              {
                "name": "InputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb1\\xa9t\\xfc\\x7f\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xc0\\xe5O\\x9e\\xf0\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb1\\xa9t\\xfc\\x7f\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xc0\\xe5O\\x9e\\xf0\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 22612
          },
          {
            "timestamp": "2026-05-28 22:02:30,459",
            "thread_id": "8604",
            "caller": "0x7ff6c28bcc3e",
            "parentcaller": "0x7ff6c28baa3d",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000ab0"
              }
            ],
            "repeated": 0,
            "id": 22613
          },
          {
            "timestamp": "2026-05-28 22:02:30,459",
            "thread_id": "8604",
            "caller": "0x7ff6c28bcc3e",
            "parentcaller": "0x7ff6c28baa3d",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000008a4"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\Nsi"
              },
              {
                "name": "IoControlCode",
                "value": "0x0012000f"
              },
              {
                "name": "InputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb1\\xa9t\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xd0\\xe5O\\x9e\\xf0\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\xeeO\\x9e\\xf0\\x00\\x00\\x00D\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xe6O\\x9e\\xf0\\x00\\x00\\x00\\xd8\\x00\\x00\\x00\\x00\\x00\\x00\\x00 \\xe9O\\x9e\\xf0\\x00\\x00\\x00X\\x02\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb1\\xa9t\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xd0\\xe5O\\x9e\\xf0\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\xeeO\\x9e\\xf0\\x00\\x00\\x00D\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xe6O\\x9e\\xf0\\x00\\x00\\x00\\xd8\\x00\\x00\\x00\\x00\\x00\\x00\\x00 \\xe9O\\x9e\\xf0\\x00\\x00\\x00X\\x02\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 22614
          },
          {
            "timestamp": "2026-05-28 22:02:30,459",
            "thread_id": "8604",
            "caller": "0x7ff6c28bcc3e",
            "parentcaller": "0x7ff6c28baa3d",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000ab0"
              }
            ],
            "repeated": 0,
            "id": 22615
          },
          {
            "timestamp": "2026-05-28 22:02:30,459",
            "thread_id": "8604",
            "caller": "0x7ff6c28bcd3d",
            "parentcaller": "0x7ff6c28baa3d",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000ab0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0012019f",
                "pretty_value": "FILE_GENERIC_READ|FILE_GENERIC_WRITE"
              },
              {
                "name": "FileName",
                "value": "\\Device\\{4C572733-2FBA-4346-9601-F86DBA666EF2}"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 22616
          },
          {
            "timestamp": "2026-05-28 22:02:30,459",
            "thread_id": "8604",
            "caller": "0x7ff6c28bcd94",
            "parentcaller": "0x7ff6c28baa3d",
            "category": "device",
            "api": "DeviceIoControl",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "DeviceHandle",
                "value": "0x00000ab0"
              },
              {
                "name": "IoControlCode",
                "value": "0x0017003e"
              },
              {
                "name": "InBuffer",
                "value": "\\x07\\x01\\x01\\x00\\x04\\x01\\x01\\x80\\x14\\x01\\x01\\x80\\x01\\x01\\x02\\x00\\x02\\x01\\x02\\x00\\x03\\x01\\x02\\x00\\x04\\x01\\x02\\x00\\x08\\x02\\x02\\x80\\x01\\x02\\x02\\x80\\x07\\x02\\x02\\x80\\xff\\xff\\xff\\x80\\x13\\x02\\x02\\x80\\x14\\x02\\x02\\x80\\x15\\x02\\x02\\x80\\x02\\x02\\x01\\x80"
              },
              {
                "name": "OutBuffer",
                "value": "\\x07\\x01\\x01\\x00\\x04\\x00\\x00\\x00\\x80\\x96\\x98\\x00\\x04\\x01\\x01\\x80\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x14\\x01\\x01\\x80\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x01\\x02\\x00\\x08\\x00\\x00\\x00\\xc9\\x15\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x01\\x02\\x00\\x08\\x00\\x00\\x00\\xf6o\\x00\\x00\\x00\\x00\\x00\\x00\\x03\\x01\\x02\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x04\\x01\\x02\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x08\\x02\\x02\\x80\\x08\\x00\\x00\\x00\\xf1o\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x02\\x02\\x80\\x08\\x00\\x00\\x00\\xc0\\xa9U\\x00\\x00\\x00\\x00\\x00\\x07\\x02\\x02\\x80\\x08\\x00\\x00\\x00\\x9d5;\\x02\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\x80\\x04\\x00\\x00\\x00`\\x00\\x00\\x00\\x13\\x02\\x02\\x80\\x04\\x00\\x00\\x00m\\x00\\x00\\x00\\x14\\x02\\x02\\x80\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x15\\x02\\x02\\x80\\x04\\x00\\x00\\x00\\x00\\x00\\x04\\x00\\x02\\x02\\x01\\x80\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 22617
          },
          {
            "timestamp": "2026-05-28 22:02:30,459",
            "thread_id": "8604",
            "caller": "0x7ff6c28bcdab",
            "parentcaller": "0x7ff6c28baa3d",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000ab0"
              }
            ],
            "repeated": 0,
            "id": 22618
          },
          {
            "timestamp": "2026-05-28 22:02:30,459",
            "thread_id": "8604",
            "caller": "0x7ff6c28c1a63",
            "parentcaller": "0x7ff6c28d9152",
            "category": "device",
            "api": "DeviceIoControl",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "DeviceHandle",
                "value": "0x0000089c"
              },
              {
                "name": "IoControlCode",
                "value": "0x00070020"
              },
              {
                "name": "InBuffer",
                "value": ""
              },
              {
                "name": "OutBuffer",
                "value": "\\x00\\x1a\\x02v\\x00\\x00\\x00\\x00\\x00\"1\\x0b\\x00\\x00\\x00\\x00\\x9d\\x83\\x81 \\x00\\x00\\x00\\x00\\xef\\x81\\xea\\x14\\x00\\x00\\x00\\x00{$l(\\x00\\x00\\x00\\x00Ov\\x00\\x00\\xca\\x10\\x00\\x00\\x01\\x00\\x00\\x00\\xd1\\x04\\x00\\x00\\x1a\\xf2\\xc9\\xad\\xed\\xee\\xdc\\x01\\x00\\x00\\x00\\x00P\\x00a\\x00r\\x00t\\x00m\\x00g\\x00r\\x00 \\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 22619
          },
          {
            "timestamp": "2026-05-28 22:02:30,459",
            "thread_id": "8604",
            "caller": "0x7ff6c28ca352",
            "parentcaller": "0x7ff6c28ca1d6",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 22620
          },
          {
            "timestamp": "2026-05-28 22:02:30,459",
            "thread_id": "8604",
            "caller": "0x7ff6c28ca352",
            "parentcaller": "0x7ff6c28ca1d6",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "0",
                "pretty_value": "ThreadBasicInformation"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x03\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb0\\x88\\x9d\\xf0\\x00\\x00\\x00\\xe8\\x1e\\x00\\x00\\x00\\x00\\x00\\x00\\x9c!\\x00\\x00\\x00\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x0b\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "8604"
              }
            ],
            "repeated": 0,
            "id": 22621
          },
          {
            "timestamp": "2026-05-28 22:02:30,459",
            "thread_id": "8604",
            "caller": "0x7ff6c28ca352",
            "parentcaller": "0x7ff6c28ca1d6",
            "category": "system",
            "api": "GetSystemTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 1,
            "id": 22622
          },
          {
            "timestamp": "2026-05-28 22:02:30,459",
            "thread_id": "8604",
            "caller": "0x7ff6c28ca352",
            "parentcaller": "0x7ff6c28ca1d6",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000410"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\PcwDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00224013"
              },
              {
                "name": "InputBuffer",
                "value": "\\x00\t\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": "\\xe0G\\x00\\x00\\x10\\x00\\x00\\x00\\x0c\\x00\\x00\\x00\\x00\\x00\\x00\\x00`\\x14\\x00\\x00 \\x00\\x00\\x00!\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\n\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x98\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x88\\x00\\x00\\x00\\x01\\x00\\x00\\x00p\\x00i\\x00d\\x00_\\x004\\x00_\\x00l\\x00u\\x00i\\x00d\\x00_\\x000\\x00x\\x000\\x000\\x000\\x000\\x000\\x000\\x000\\x000\\x00_\\x000\\x00x\\x000\\x000\\x000\\x000\\x006\\x001\\x006\\x00A\\x00_\\x00p\\x00h\\x00y\\x00s\\x00_\\x000\\x00_\\x00e\\x00n\\x00g\\x00_\\x000\\x00_\\x00e\\x00n\\x00g\\x00t\\x00y\\x00p\\x00e\\x00_\\x003\\x00D\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x01\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x98\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x88\\x00\\x00\\x00\\x01\\x00\\x00\\x00p\\x00i\\x00d\\x00_\\x004\\x00_\\x00l\\x00u\\x00i\\x00d\\x00_\\x000\\x00x\\x000\\x000\\x000\\x000\\x000\\x000\\x000\\x00"
              }
            ],
            "repeated": 0,
            "id": 22623
          },
          {
            "timestamp": "2026-05-28 22:02:30,459",
            "thread_id": "8604",
            "caller": "0x7ff6c28f9829",
            "parentcaller": "0x7ff6c28d8f00",
            "category": "windows",
            "api": "PostMessageW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "WindowHandle",
                "value": "0x000203fa"
              },
              {
                "name": "Message",
                "value": "0x000004e1"
              }
            ],
            "repeated": 0,
            "id": 22624
          },
          {
            "timestamp": "2026-05-28 22:02:30,459",
            "thread_id": "1496",
            "caller": "0x7ff6c2958576",
            "parentcaller": "0x7ff6c2957a42",
            "category": "misc",
            "api": "NtQuerySystemInformation",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SystemInformationClass",
                "value": "3",
                "pretty_value": "FILE_OPEN_IF"
              }
            ],
            "repeated": 0,
            "id": 22625
          },
          {
            "timestamp": "2026-05-28 22:02:30,475",
            "thread_id": "1276",
            "caller": "0x7ff6c28d9214",
            "parentcaller": "0x00000000",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "0",
                "pretty_value": "ThreadBasicInformation"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x03\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xd0\\x87\\x9d\\xf0\\x00\\x00\\x00\\xe8\\x1e\\x00\\x00\\x00\\x00\\x00\\x00\\xfc\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\n\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "1276"
              }
            ],
            "repeated": 0,
            "id": 22626
          },
          {
            "timestamp": "2026-05-28 22:02:30,475",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000000",
                "pretty_value": "HKEY_CLASSES_ROOT"
              },
              {
                "name": "SubKey",
                "value": "CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_CLASSES_ROOT\\CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              }
            ],
            "repeated": 0,
            "id": 22627
          },
          {
            "timestamp": "2026-05-28 22:02:30,475",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "shell32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76730000"
              }
            ],
            "repeated": 0,
            "id": 22628
          },
          {
            "timestamp": "2026-05-28 22:02:30,475",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x7ffc76730000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "shell32.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 22629
          },
          {
            "timestamp": "2026-05-28 22:02:30,475",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "SHELL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc76730000"
              },
              {
                "name": "FunctionName",
                "value": "DllGetClassObject"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc767878f0"
              }
            ],
            "repeated": 0,
            "id": 22630
          },
          {
            "timestamp": "2026-05-28 22:02:30,475",
            "thread_id": "1276",
            "caller": "0x7ff6c28c27c9",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "synchronization",
            "api": "NtFindAtom",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "AtomName",
                "value": "{57086C23-86C6-478F-AFB2-236188C8F47F} 3"
              },
              {
                "name": "Atom",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 22631
          },
          {
            "timestamp": "2026-05-28 22:02:30,475",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000000",
                "pretty_value": "HKEY_CLASSES_ROOT"
              },
              {
                "name": "SubKey",
                "value": "CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_CLASSES_ROOT\\CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              }
            ],
            "repeated": 0,
            "id": 22632
          },
          {
            "timestamp": "2026-05-28 22:02:30,475",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "shell32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76730000"
              }
            ],
            "repeated": 0,
            "id": 22633
          },
          {
            "timestamp": "2026-05-28 22:02:30,475",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x7ffc76730000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "shell32.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 22634
          },
          {
            "timestamp": "2026-05-28 22:02:30,475",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "SHELL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc76730000"
              },
              {
                "name": "FunctionName",
                "value": "DllGetClassObject"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc767878f0"
              }
            ],
            "repeated": 0,
            "id": 22635
          },
          {
            "timestamp": "2026-05-28 22:02:30,475",
            "thread_id": "1276",
            "caller": "0x7ff6c28c27c9",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "synchronization",
            "api": "NtFindAtom",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "AtomName",
                "value": "{57086C23-86C6-478F-AFB2-236188C8F47F} 3"
              },
              {
                "name": "Atom",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 22636
          },
          {
            "timestamp": "2026-05-28 22:02:30,475",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6fb1",
            "parentcaller": "0x7ff6c28e0076",
            "category": "system",
            "api": "NtDelayExecution",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 22637
          },
          {
            "timestamp": "2026-05-28 22:02:30,475",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000000",
                "pretty_value": "HKEY_CLASSES_ROOT"
              },
              {
                "name": "SubKey",
                "value": "CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_CLASSES_ROOT\\CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              }
            ],
            "repeated": 0,
            "id": 22638
          },
          {
            "timestamp": "2026-05-28 22:02:30,475",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "shell32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76730000"
              }
            ],
            "repeated": 0,
            "id": 22639
          },
          {
            "timestamp": "2026-05-28 22:02:30,475",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x7ffc76730000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "shell32.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 22640
          },
          {
            "timestamp": "2026-05-28 22:02:30,475",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "SHELL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc76730000"
              },
              {
                "name": "FunctionName",
                "value": "DllGetClassObject"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc767878f0"
              }
            ],
            "repeated": 0,
            "id": 22641
          },
          {
            "timestamp": "2026-05-28 22:02:30,475",
            "thread_id": "1276",
            "caller": "0x7ff6c28c27c9",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "synchronization",
            "api": "NtFindAtom",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "AtomName",
                "value": "{57086C23-86C6-478F-AFB2-236188C8F47F} 3"
              },
              {
                "name": "Atom",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 22642
          },
          {
            "timestamp": "2026-05-28 22:02:30,475",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000000",
                "pretty_value": "HKEY_CLASSES_ROOT"
              },
              {
                "name": "SubKey",
                "value": "CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_CLASSES_ROOT\\CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              }
            ],
            "repeated": 0,
            "id": 22643
          },
          {
            "timestamp": "2026-05-28 22:02:30,475",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "shell32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76730000"
              }
            ],
            "repeated": 0,
            "id": 22644
          },
          {
            "timestamp": "2026-05-28 22:02:30,475",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x7ffc76730000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "shell32.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 22645
          },
          {
            "timestamp": "2026-05-28 22:02:30,475",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "SHELL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc76730000"
              },
              {
                "name": "FunctionName",
                "value": "DllGetClassObject"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc767878f0"
              }
            ],
            "repeated": 0,
            "id": 22646
          },
          {
            "timestamp": "2026-05-28 22:02:30,475",
            "thread_id": "1276",
            "caller": "0x7ff6c28c27c9",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "synchronization",
            "api": "NtFindAtom",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "AtomName",
                "value": "{57086C23-86C6-478F-AFB2-236188C8F47F} 3"
              },
              {
                "name": "Atom",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 22647
          },
          {
            "timestamp": "2026-05-28 22:02:30,475",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000000",
                "pretty_value": "HKEY_CLASSES_ROOT"
              },
              {
                "name": "SubKey",
                "value": "CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_CLASSES_ROOT\\CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              }
            ],
            "repeated": 0,
            "id": 22648
          },
          {
            "timestamp": "2026-05-28 22:02:30,475",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "shell32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76730000"
              }
            ],
            "repeated": 0,
            "id": 22649
          },
          {
            "timestamp": "2026-05-28 22:02:30,475",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x7ffc76730000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "shell32.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 22650
          },
          {
            "timestamp": "2026-05-28 22:02:30,475",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "SHELL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc76730000"
              },
              {
                "name": "FunctionName",
                "value": "DllGetClassObject"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc767878f0"
              }
            ],
            "repeated": 0,
            "id": 22651
          },
          {
            "timestamp": "2026-05-28 22:02:30,475",
            "thread_id": "1276",
            "caller": "0x7ff6c28c27c9",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "synchronization",
            "api": "NtFindAtom",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "AtomName",
                "value": "{57086C23-86C6-478F-AFB2-236188C8F47F} 3"
              },
              {
                "name": "Atom",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 22652
          },
          {
            "timestamp": "2026-05-28 22:02:30,475",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000000",
                "pretty_value": "HKEY_CLASSES_ROOT"
              },
              {
                "name": "SubKey",
                "value": "CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_CLASSES_ROOT\\CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              }
            ],
            "repeated": 0,
            "id": 22653
          },
          {
            "timestamp": "2026-05-28 22:02:30,475",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "shell32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76730000"
              }
            ],
            "repeated": 0,
            "id": 22654
          },
          {
            "timestamp": "2026-05-28 22:02:30,475",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x7ffc76730000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "shell32.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 22655
          },
          {
            "timestamp": "2026-05-28 22:02:30,475",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "SHELL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc76730000"
              },
              {
                "name": "FunctionName",
                "value": "DllGetClassObject"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc767878f0"
              }
            ],
            "repeated": 0,
            "id": 22656
          },
          {
            "timestamp": "2026-05-28 22:02:30,475",
            "thread_id": "1276",
            "caller": "0x7ff6c28c27c9",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "synchronization",
            "api": "NtFindAtom",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "AtomName",
                "value": "{57086C23-86C6-478F-AFB2-236188C8F47F} 3"
              },
              {
                "name": "Atom",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 22657
          },
          {
            "timestamp": "2026-05-28 22:02:30,475",
            "thread_id": "1276",
            "caller": "0x7ff6c28d9322",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "oleaut32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc77330000"
              }
            ],
            "repeated": 0,
            "id": 22658
          },
          {
            "timestamp": "2026-05-28 22:02:30,475",
            "thread_id": "5448",
            "caller": "0x7ff6c28bb952",
            "parentcaller": "0x7ff6c28be837",
            "category": "windows",
            "api": "PostMessageW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "WindowHandle",
                "value": "0x00010402"
              },
              {
                "name": "Message",
                "value": "0x00000464"
              }
            ],
            "repeated": 0,
            "id": 22659
          },
          {
            "timestamp": "2026-05-28 22:02:30,475",
            "thread_id": "608",
            "caller": "0x7ff6c28d9e90",
            "parentcaller": "0x7ff6c28d9a49",
            "category": "windows",
            "api": "FindWindowW",
            "status": true,
            "return": "0x00010092",
            "arguments": [
              {
                "name": "ClassName",
                "value": "Shell_TrayWnd"
              },
              {
                "name": "WindowName",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 22660
          },
          {
            "timestamp": "2026-05-28 22:02:30,475",
            "thread_id": "2700",
            "caller": "0x7ffc77bf0e98",
            "parentcaller": "0x7ffc77c6b785",
            "category": "windows",
            "api": "PostMessageW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "WindowHandle",
                "value": "0x00010438"
              },
              {
                "name": "Message",
                "value": "0x00000400"
              }
            ],
            "repeated": 0,
            "id": 22661
          },
          {
            "timestamp": "2026-05-28 22:02:30,678",
            "thread_id": "1276",
            "caller": "0x7ffc77bf0e98",
            "parentcaller": "0x7ffc77c6b785",
            "category": "windows",
            "api": "PostMessageW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "WindowHandle",
                "value": "0x00010424"
              },
              {
                "name": "Message",
                "value": "0x00000400"
              }
            ],
            "repeated": 0,
            "id": 22662
          },
          {
            "timestamp": "2026-05-28 22:02:31,459",
            "thread_id": "5448",
            "caller": "0x7ff6c28bd9af",
            "parentcaller": "0x7ff6c28d9f92",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "23"
              },
              {
                "name": "ThreadInformation",
                "value": "t\\xf9\\xf0f\\x00\\x00\\x00\\x00<%7=\\\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "5448"
              }
            ],
            "repeated": 0,
            "id": 22663
          },
          {
            "timestamp": "2026-05-28 22:02:31,459",
            "thread_id": "5448",
            "caller": "0x7ff6c28c63dd",
            "parentcaller": "0x7ff6c28bac26",
            "category": "misc",
            "api": "NtQuerySystemInformation",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SystemInformationClass",
                "value": "5",
                "pretty_value": "FILE_OVERWRITE_IF"
              }
            ],
            "repeated": 0,
            "id": 22664
          },
          {
            "timestamp": "2026-05-28 22:02:31,459",
            "thread_id": "5448",
            "caller": "0x7ff6c28bda50",
            "parentcaller": "0x7ff6c28d9f92",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "23"
              },
              {
                "name": "ThreadInformation",
                "value": "\\xd0\":g\\x00\\x00\\x00\\x00^;\\x86=\\\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "5448"
              }
            ],
            "repeated": 0,
            "id": 22665
          },
          {
            "timestamp": "2026-05-28 22:02:31,459",
            "thread_id": "5448",
            "caller": "0x7ff6c28bdaa2",
            "parentcaller": "0x7ff6c28d9f92",
            "category": "misc",
            "api": "NtQuerySystemInformation",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SystemInformationClass",
                "value": "3",
                "pretty_value": "FILE_OPEN_IF"
              }
            ],
            "repeated": 0,
            "id": 22666
          },
          {
            "timestamp": "2026-05-28 22:02:31,459",
            "thread_id": "5448",
            "caller": "0x7ff6c28c4a58",
            "parentcaller": "0x7ff6c28c4bdc",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000410"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\PcwDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00224013"
              },
              {
                "name": "InputBuffer",
                "value": "\\x14\\x04\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": "\\xb8\\x01\\x00\\x00\\x10\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xa8\\x01\\x00\\x00 \\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x000\\x00\\x00\\x0c\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00`\\x00\\x00\\x00\\x00\\x00\\x00\\x00 \\x00\\x00\\x00\\x04\\x00\\x00\\x000\\x00,\\x000\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x04\\x00\\x08\\x00V!\\x83\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x05\\x00\\x08\\x00\\xe0\\x9d\\xa3\\x01\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x1a\\x00\\x08\\x00\\x87\\x8c\\xc6\\xd9\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x1b\\x00\\x04\\x00P\\xca\\xcc\\x03\\x00\\x00\\x00\\x00`\\x00\\x00\\x00\\x01\\x00\\x00\\x00 \\x00\\x00\\x00\\x04\\x00\\x00\\x000\\x00,\\x001\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x04\\x00\\x08\\x00F\\xf0T\\x01\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x05\\x00\\x08\\x00T\\xea*\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x1a\\x00\\x08\\x00\\x1b\\xb42\\xdf\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x1b\\x00\\x04\\x00V\\xca\\xcc\\x03\\x00\\x00\\x00\\x00h\\x00\\x00\\x00\\x02\\x00\\x00\\x00(\\x00\\x00\\x00\\x04\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 22667
          },
          {
            "timestamp": "2026-05-28 22:02:31,459",
            "thread_id": "5448",
            "caller": "0x7ff6c28c4a58",
            "parentcaller": "0x7ff6c28c4c19",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000410"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\PcwDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00224013"
              },
              {
                "name": "InputBuffer",
                "value": "\\x18\\x04\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": "x\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00h\\x00\\x00\\x00 \\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00H\\x00\\x00\\x00\\x00\\x00\\x00\\x00(\\x00\\x00\\x00\\x02\\x00\\x00\\x00d\\x00e\\x00f\\x00a\\x00u\\x00l\\x00t\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x08\\x00\\x1b\\xa2\\xe8\\xa0\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x01\\x00\\x08\\x00\\x00\\xfa0\r\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 22668
          },
          {
            "timestamp": "2026-05-28 22:02:31,459",
            "thread_id": "5448",
            "caller": "0x7ff6c28c6f7b",
            "parentcaller": "0x7ff6c28bdb94",
            "category": "misc",
            "api": "GlobalMemoryStatusEx",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "MemoryLoad",
                "value": "36"
              },
              {
                "name": "TotalPhysicalMB",
                "value": "8191"
              }
            ],
            "repeated": 0,
            "id": 22669
          },
          {
            "timestamp": "2026-05-28 22:02:31,459",
            "thread_id": "5448",
            "caller": "0x7ff6c28c05ac",
            "parentcaller": "0x7ff6c28bdc11",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a9c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001400",
                "pretty_value": "PROCESS_QUERY_INFORMATION|PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "748"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\148.0.3967.83\\identity_helper.exe"
              }
            ],
            "repeated": 0,
            "id": 22670
          },
          {
            "timestamp": "2026-05-28 22:02:31,459",
            "thread_id": "5448",
            "caller": "0x7ff6c28c068f",
            "parentcaller": "0x7ff6c28bdc11",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a9c"
              }
            ],
            "repeated": 0,
            "id": 22671
          },
          {
            "timestamp": "2026-05-28 22:02:31,459",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c6d7d",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a9c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001400",
                "pretty_value": "PROCESS_QUERY_INFORMATION|PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "748"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\148.0.3967.83\\identity_helper.exe"
              }
            ],
            "repeated": 0,
            "id": 22672
          },
          {
            "timestamp": "2026-05-28 22:02:31,459",
            "thread_id": "5448",
            "caller": "0x7ff6c28c6de3",
            "parentcaller": "0x7ff6c28c087c",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a9c"
              }
            ],
            "repeated": 0,
            "id": 22673
          },
          {
            "timestamp": "2026-05-28 22:02:31,459",
            "thread_id": "8604",
            "caller": "0x7ff6c28c4a58",
            "parentcaller": "0x7ff6c28bab11",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000410"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\PcwDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00224013"
              },
              {
                "name": "InputBuffer",
                "value": "\\x88\\x08\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": "x\\x02\\x00\\x00\\x10\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00h\\x02\\x00\\x00 \\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01<\\x06\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x90\\x00\\x00\\x00\\x00\\x00\\x00\\x00 \\x00\\x00\\x00\\x07\\x00\\x00\\x000\\x00,\\x000\\x00\\x00\\x00a\\x00n\\x00a\\x00g\\x00\\x10\\x00\\x00\\x00\\x10\\x00\\x04\\x00\\x00\\x00\\x00\\x00A\\x00p\\x00\\x10\\x00\\x00\\x00\\x1a\\x00\\x08\\x00\\xe3\\xeb\\xc6\\xd9\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x1b\\x00\\x04\\x00D\\xcb\\xcc\\x03S\\x00e\\x00\\x10\\x00\\x00\\x00\\x1c\\x00\\x08\\x00\\x8b\\xc2\\xc4\\x08\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x1d\\x00\\x04\\x00D\\xcb\\xcc\\x03)\\x00\\x00\\x00\\x10\\x00\\x00\\x00!\\x00\\x08\\x00\\xdb\\xf6B[\\x1f\\x00\\x00\\x00\\x10\\x00\\x00\\x00\"\\x00\\x04\\x00\\\\x82-\\x02o\\x00f\\x00\\x90\\x00\\x00\\x00\\x01\\x00\\x00\\x00 \\x00\\x00\\x00\\x07\\x00\\x00\\x000\\x00,\\x001\\x00\\x00\\x00n\\x00t\\x00\\x00\\x00A\\x00\\x10\\x00\\x00\\x00\\x10\\x00\\x04\\x00\\x00\\x00\\x00\\x00e\\x00n\\x00\\x10\\x00\\x00\\x00\\x1a\\x00\\x08\\x00\\x8a\\x123\\xdf\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 22674
          },
          {
            "timestamp": "2026-05-28 22:02:31,459",
            "thread_id": "8604",
            "caller": "0x7ff6c28c7164",
            "parentcaller": "0x7ff6c28c4d2d",
            "category": "misc",
            "api": "NtQuerySystemInformation",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "SystemInformationClass",
                "value": "79"
              }
            ],
            "repeated": 0,
            "id": 22675
          },
          {
            "timestamp": "2026-05-28 22:02:31,459",
            "thread_id": "8604",
            "caller": "0x7ff6c28c71d8",
            "parentcaller": "0x7ff6c28c4d2d",
            "category": "misc",
            "api": "NtQuerySystemInformation",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SystemInformationClass",
                "value": "79"
              }
            ],
            "repeated": 0,
            "id": 22676
          },
          {
            "timestamp": "2026-05-28 22:02:31,459",
            "thread_id": "8604",
            "caller": "0x7ff6c28c4d5f",
            "parentcaller": "0x7ff6c28d9152",
            "category": "misc",
            "api": "NtQuerySystemInformation",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SystemInformationClass",
                "value": "182"
              }
            ],
            "repeated": 0,
            "id": 22677
          },
          {
            "timestamp": "2026-05-28 22:02:31,459",
            "thread_id": "8604",
            "caller": "0x7ff6c28c4d76",
            "parentcaller": "0x7ff6c28d9152",
            "category": "misc",
            "api": "GetPhysicallyInstalledSystemMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TotalMemoryInKilobytes",
                "value": "8388608"
              }
            ],
            "repeated": 0,
            "id": 22678
          },
          {
            "timestamp": "2026-05-28 22:02:31,459",
            "thread_id": "8604",
            "caller": "0x7ff6c28bcc3e",
            "parentcaller": "0x7ff6c28baa3d",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000008a4"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\Nsi"
              },
              {
                "name": "IoControlCode",
                "value": "0x00120007"
              },
              {
                "name": "InputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb1\\xa9t\\xfc\\x7f\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xc0\\xe5O\\x9e\\xf0\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb1\\xa9t\\xfc\\x7f\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xc0\\xe5O\\x9e\\xf0\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 22679
          },
          {
            "timestamp": "2026-05-28 22:02:31,459",
            "thread_id": "8604",
            "caller": "0x7ff6c28bcc3e",
            "parentcaller": "0x7ff6c28baa3d",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a9c"
              }
            ],
            "repeated": 0,
            "id": 22680
          },
          {
            "timestamp": "2026-05-28 22:02:31,459",
            "thread_id": "8604",
            "caller": "0x7ff6c28bcc3e",
            "parentcaller": "0x7ff6c28baa3d",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000008a4"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\Nsi"
              },
              {
                "name": "IoControlCode",
                "value": "0x0012000f"
              },
              {
                "name": "InputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb1\\xa9t\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xd0\\xe5O\\x9e\\xf0\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\xeeO\\x9e\\xf0\\x00\\x00\\x00D\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xe6O\\x9e\\xf0\\x00\\x00\\x00\\xd8\\x00\\x00\\x00\\x00\\x00\\x00\\x00 \\xe9O\\x9e\\xf0\\x00\\x00\\x00X\\x02\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb1\\xa9t\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xd0\\xe5O\\x9e\\xf0\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\xeeO\\x9e\\xf0\\x00\\x00\\x00D\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xe6O\\x9e\\xf0\\x00\\x00\\x00\\xd8\\x00\\x00\\x00\\x00\\x00\\x00\\x00 \\xe9O\\x9e\\xf0\\x00\\x00\\x00X\\x02\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 22681
          },
          {
            "timestamp": "2026-05-28 22:02:31,459",
            "thread_id": "8604",
            "caller": "0x7ff6c28bcc3e",
            "parentcaller": "0x7ff6c28baa3d",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a9c"
              }
            ],
            "repeated": 0,
            "id": 22682
          },
          {
            "timestamp": "2026-05-28 22:02:31,459",
            "thread_id": "8604",
            "caller": "0x7ff6c28bcd3d",
            "parentcaller": "0x7ff6c28baa3d",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000a9c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0012019f",
                "pretty_value": "FILE_GENERIC_READ|FILE_GENERIC_WRITE"
              },
              {
                "name": "FileName",
                "value": "\\Device\\{4C572733-2FBA-4346-9601-F86DBA666EF2}"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 22683
          },
          {
            "timestamp": "2026-05-28 22:02:31,459",
            "thread_id": "8604",
            "caller": "0x7ff6c28bcd94",
            "parentcaller": "0x7ff6c28baa3d",
            "category": "device",
            "api": "DeviceIoControl",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "DeviceHandle",
                "value": "0x00000a9c"
              },
              {
                "name": "IoControlCode",
                "value": "0x0017003e"
              },
              {
                "name": "InBuffer",
                "value": "\\x07\\x01\\x01\\x00\\x04\\x01\\x01\\x80\\x14\\x01\\x01\\x80\\x01\\x01\\x02\\x00\\x02\\x01\\x02\\x00\\x03\\x01\\x02\\x00\\x04\\x01\\x02\\x00\\x08\\x02\\x02\\x80\\x01\\x02\\x02\\x80\\x07\\x02\\x02\\x80\\xff\\xff\\xff\\x80\\x13\\x02\\x02\\x80\\x14\\x02\\x02\\x80\\x15\\x02\\x02\\x80\\x02\\x02\\x01\\x80"
              },
              {
                "name": "OutBuffer",
                "value": "\\x07\\x01\\x01\\x00\\x04\\x00\\x00\\x00\\x80\\x96\\x98\\x00\\x04\\x01\\x01\\x80\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x14\\x01\\x01\\x80\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x01\\x02\\x00\\x08\\x00\\x00\\x00\\xcc\\x15\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x01\\x02\\x00\\x08\\x00\\x00\\x00\\xfao\\x00\\x00\\x00\\x00\\x00\\x00\\x03\\x01\\x02\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x04\\x01\\x02\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x08\\x02\\x02\\x80\\x08\\x00\\x00\\x00\\xf5o\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x02\\x02\\x80\\x08\\x00\\x00\\x00\\xef\\xaaU\\x00\\x00\\x00\\x00\\x00\\x07\\x02\\x02\\x80\\x08\\x00\\x00\\x0007;\\x02\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\x80\\x04\\x00\\x00\\x00a\\x00\\x00\\x00\\x13\\x02\\x02\\x80\\x04\\x00\\x00\\x00m\\x00\\x00\\x00\\x14\\x02\\x02\\x80\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x15\\x02\\x02\\x80\\x04\\x00\\x00\\x00\\x00\\x00\\x04\\x00\\x02\\x02\\x01\\x80\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 22684
          },
          {
            "timestamp": "2026-05-28 22:02:31,459",
            "thread_id": "8604",
            "caller": "0x7ff6c28bcdab",
            "parentcaller": "0x7ff6c28baa3d",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a9c"
              }
            ],
            "repeated": 0,
            "id": 22685
          },
          {
            "timestamp": "2026-05-28 22:02:31,459",
            "thread_id": "8604",
            "caller": "0x7ff6c28c1a63",
            "parentcaller": "0x7ff6c28d9152",
            "category": "device",
            "api": "DeviceIoControl",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "DeviceHandle",
                "value": "0x0000089c"
              },
              {
                "name": "IoControlCode",
                "value": "0x00070020"
              },
              {
                "name": "InBuffer",
                "value": ""
              },
              {
                "name": "OutBuffer",
                "value": "\\x00\\xd8\\x02v\\x00\\x00\\x00\\x00\\x00\\xf4R\\x0b\\x00\\x00\\x00\\x00\\xdf\\x9f\\x81 \\x00\\x00\\x00\\x00\\xa7@\\xf9\\x14\\x00\\x00\\x00\\x00\\xa8\\x16\\xfc(\\x00\\x00\\x00\\x00Rv\\x00\\x00\\xd0\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\xd1\\x04\\x00\\x00\\xeb\\x82b\\xae\\xed\\xee\\xdc\\x01\\x00\\x00\\x00\\x00P\\x00a\\x00r\\x00t\\x00m\\x00g\\x00r\\x00 \\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 22686
          },
          {
            "timestamp": "2026-05-28 22:02:31,459",
            "thread_id": "8604",
            "caller": "0x7ff6c28ca352",
            "parentcaller": "0x7ff6c28ca1d6",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 22687
          },
          {
            "timestamp": "2026-05-28 22:02:31,459",
            "thread_id": "8604",
            "caller": "0x7ff6c28ca352",
            "parentcaller": "0x7ff6c28ca1d6",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "0",
                "pretty_value": "ThreadBasicInformation"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x03\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb0\\x88\\x9d\\xf0\\x00\\x00\\x00\\xe8\\x1e\\x00\\x00\\x00\\x00\\x00\\x00\\x9c!\\x00\\x00\\x00\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x0b\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "8604"
              }
            ],
            "repeated": 0,
            "id": 22688
          },
          {
            "timestamp": "2026-05-28 22:02:31,459",
            "thread_id": "8604",
            "caller": "0x7ff6c28ca352",
            "parentcaller": "0x7ff6c28ca1d6",
            "category": "system",
            "api": "GetSystemTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 1,
            "id": 22689
          },
          {
            "timestamp": "2026-05-28 22:02:31,459",
            "thread_id": "8604",
            "caller": "0x7ff6c28ca352",
            "parentcaller": "0x7ff6c28ca1d6",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000410"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\PcwDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00224013"
              },
              {
                "name": "InputBuffer",
                "value": "\\x00\t\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": "\\xe0G\\x00\\x00\\x10\\x00\\x00\\x00\\x0c\\x00\\x00\\x00\\x00\\x00\\x00\\x00`\\x14\\x00\\x00 \\x00\\x00\\x00!\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\n\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x98\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x88\\x00\\x00\\x00\\x01\\x00\\x00\\x00p\\x00i\\x00d\\x00_\\x004\\x00_\\x00l\\x00u\\x00i\\x00d\\x00_\\x000\\x00x\\x000\\x000\\x000\\x000\\x000\\x000\\x000\\x000\\x00_\\x000\\x00x\\x000\\x000\\x000\\x000\\x006\\x001\\x006\\x00A\\x00_\\x00p\\x00h\\x00y\\x00s\\x00_\\x000\\x00_\\x00e\\x00n\\x00g\\x00_\\x000\\x00_\\x00e\\x00n\\x00g\\x00t\\x00y\\x00p\\x00e\\x00_\\x003\\x00D\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x01\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x98\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x88\\x00\\x00\\x00\\x01\\x00\\x00\\x00p\\x00i\\x00d\\x00_\\x004\\x00_\\x00l\\x00u\\x00i\\x00d\\x00_\\x000\\x00x\\x000\\x000\\x000\\x000\\x000\\x000\\x000\\x00"
              }
            ],
            "repeated": 0,
            "id": 22690
          },
          {
            "timestamp": "2026-05-28 22:02:31,459",
            "thread_id": "8604",
            "caller": "0x7ff6c28f9829",
            "parentcaller": "0x7ff6c28d8f00",
            "category": "windows",
            "api": "PostMessageW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "WindowHandle",
                "value": "0x000203fa"
              },
              {
                "name": "Message",
                "value": "0x000004e1"
              }
            ],
            "repeated": 0,
            "id": 22691
          },
          {
            "timestamp": "2026-05-28 22:02:31,459",
            "thread_id": "1496",
            "caller": "0x7ff6c2958576",
            "parentcaller": "0x7ff6c2957a42",
            "category": "misc",
            "api": "NtQuerySystemInformation",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SystemInformationClass",
                "value": "3",
                "pretty_value": "FILE_OPEN_IF"
              }
            ],
            "repeated": 0,
            "id": 22692
          },
          {
            "timestamp": "2026-05-28 22:02:31,475",
            "thread_id": "1276",
            "caller": "0x7ff6c28d9214",
            "parentcaller": "0x00000000",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "0",
                "pretty_value": "ThreadBasicInformation"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x03\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xd0\\x87\\x9d\\xf0\\x00\\x00\\x00\\xe8\\x1e\\x00\\x00\\x00\\x00\\x00\\x00\\xfc\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\n\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "1276"
              }
            ],
            "repeated": 0,
            "id": 22693
          },
          {
            "timestamp": "2026-05-28 22:02:31,475",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000000",
                "pretty_value": "HKEY_CLASSES_ROOT"
              },
              {
                "name": "SubKey",
                "value": "CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_CLASSES_ROOT\\CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              }
            ],
            "repeated": 0,
            "id": 22694
          },
          {
            "timestamp": "2026-05-28 22:02:31,475",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "shell32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76730000"
              }
            ],
            "repeated": 0,
            "id": 22695
          },
          {
            "timestamp": "2026-05-28 22:02:31,475",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x7ffc76730000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "shell32.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 22696
          },
          {
            "timestamp": "2026-05-28 22:02:31,475",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "SHELL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc76730000"
              },
              {
                "name": "FunctionName",
                "value": "DllGetClassObject"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc767878f0"
              }
            ],
            "repeated": 0,
            "id": 22697
          },
          {
            "timestamp": "2026-05-28 22:02:31,475",
            "thread_id": "1276",
            "caller": "0x7ff6c28c27c9",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "synchronization",
            "api": "NtFindAtom",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "AtomName",
                "value": "{57086C23-86C6-478F-AFB2-236188C8F47F} 3"
              },
              {
                "name": "Atom",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 22698
          },
          {
            "timestamp": "2026-05-28 22:02:31,475",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000000",
                "pretty_value": "HKEY_CLASSES_ROOT"
              },
              {
                "name": "SubKey",
                "value": "CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_CLASSES_ROOT\\CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              }
            ],
            "repeated": 0,
            "id": 22699
          },
          {
            "timestamp": "2026-05-28 22:02:31,475",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "shell32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76730000"
              }
            ],
            "repeated": 0,
            "id": 22700
          },
          {
            "timestamp": "2026-05-28 22:02:31,475",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x7ffc76730000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "shell32.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 22701
          },
          {
            "timestamp": "2026-05-28 22:02:31,475",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "SHELL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc76730000"
              },
              {
                "name": "FunctionName",
                "value": "DllGetClassObject"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc767878f0"
              }
            ],
            "repeated": 0,
            "id": 22702
          },
          {
            "timestamp": "2026-05-28 22:02:31,475",
            "thread_id": "1276",
            "caller": "0x7ff6c28c27c9",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "synchronization",
            "api": "NtFindAtom",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "AtomName",
                "value": "{57086C23-86C6-478F-AFB2-236188C8F47F} 3"
              },
              {
                "name": "Atom",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 22703
          },
          {
            "timestamp": "2026-05-28 22:02:31,475",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6fb1",
            "parentcaller": "0x7ff6c28e0076",
            "category": "system",
            "api": "NtDelayExecution",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 22704
          },
          {
            "timestamp": "2026-05-28 22:02:31,475",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000000",
                "pretty_value": "HKEY_CLASSES_ROOT"
              },
              {
                "name": "SubKey",
                "value": "CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_CLASSES_ROOT\\CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              }
            ],
            "repeated": 0,
            "id": 22705
          },
          {
            "timestamp": "2026-05-28 22:02:31,475",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "shell32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76730000"
              }
            ],
            "repeated": 0,
            "id": 22706
          },
          {
            "timestamp": "2026-05-28 22:02:31,475",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x7ffc76730000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "shell32.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 22707
          },
          {
            "timestamp": "2026-05-28 22:02:31,475",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "SHELL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc76730000"
              },
              {
                "name": "FunctionName",
                "value": "DllGetClassObject"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc767878f0"
              }
            ],
            "repeated": 0,
            "id": 22708
          },
          {
            "timestamp": "2026-05-28 22:02:31,475",
            "thread_id": "1276",
            "caller": "0x7ff6c28c27c9",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "synchronization",
            "api": "NtFindAtom",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "AtomName",
                "value": "{57086C23-86C6-478F-AFB2-236188C8F47F} 3"
              },
              {
                "name": "Atom",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 22709
          },
          {
            "timestamp": "2026-05-28 22:02:31,475",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000000",
                "pretty_value": "HKEY_CLASSES_ROOT"
              },
              {
                "name": "SubKey",
                "value": "CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_CLASSES_ROOT\\CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              }
            ],
            "repeated": 0,
            "id": 22710
          },
          {
            "timestamp": "2026-05-28 22:02:31,475",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "shell32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76730000"
              }
            ],
            "repeated": 0,
            "id": 22711
          },
          {
            "timestamp": "2026-05-28 22:02:31,475",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x7ffc76730000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "shell32.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 22712
          },
          {
            "timestamp": "2026-05-28 22:02:31,475",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "SHELL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc76730000"
              },
              {
                "name": "FunctionName",
                "value": "DllGetClassObject"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc767878f0"
              }
            ],
            "repeated": 0,
            "id": 22713
          },
          {
            "timestamp": "2026-05-28 22:02:31,475",
            "thread_id": "1276",
            "caller": "0x7ff6c28c27c9",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "synchronization",
            "api": "NtFindAtom",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "AtomName",
                "value": "{57086C23-86C6-478F-AFB2-236188C8F47F} 3"
              },
              {
                "name": "Atom",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 22714
          },
          {
            "timestamp": "2026-05-28 22:02:31,475",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000000",
                "pretty_value": "HKEY_CLASSES_ROOT"
              },
              {
                "name": "SubKey",
                "value": "CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_CLASSES_ROOT\\CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              }
            ],
            "repeated": 0,
            "id": 22715
          },
          {
            "timestamp": "2026-05-28 22:02:31,475",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "shell32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76730000"
              }
            ],
            "repeated": 0,
            "id": 22716
          },
          {
            "timestamp": "2026-05-28 22:02:31,475",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x7ffc76730000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "shell32.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 22717
          },
          {
            "timestamp": "2026-05-28 22:02:31,475",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "SHELL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc76730000"
              },
              {
                "name": "FunctionName",
                "value": "DllGetClassObject"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc767878f0"
              }
            ],
            "repeated": 0,
            "id": 22718
          },
          {
            "timestamp": "2026-05-28 22:02:31,475",
            "thread_id": "1276",
            "caller": "0x7ff6c28c27c9",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "synchronization",
            "api": "NtFindAtom",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "AtomName",
                "value": "{57086C23-86C6-478F-AFB2-236188C8F47F} 3"
              },
              {
                "name": "Atom",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 22719
          },
          {
            "timestamp": "2026-05-28 22:02:31,475",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000000",
                "pretty_value": "HKEY_CLASSES_ROOT"
              },
              {
                "name": "SubKey",
                "value": "CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_CLASSES_ROOT\\CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              }
            ],
            "repeated": 0,
            "id": 22720
          },
          {
            "timestamp": "2026-05-28 22:02:31,475",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "shell32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76730000"
              }
            ],
            "repeated": 0,
            "id": 22721
          },
          {
            "timestamp": "2026-05-28 22:02:31,475",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x7ffc76730000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "shell32.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 22722
          },
          {
            "timestamp": "2026-05-28 22:02:31,475",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "SHELL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc76730000"
              },
              {
                "name": "FunctionName",
                "value": "DllGetClassObject"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc767878f0"
              }
            ],
            "repeated": 0,
            "id": 22723
          },
          {
            "timestamp": "2026-05-28 22:02:31,475",
            "thread_id": "1276",
            "caller": "0x7ff6c28c27c9",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "synchronization",
            "api": "NtFindAtom",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "AtomName",
                "value": "{57086C23-86C6-478F-AFB2-236188C8F47F} 3"
              },
              {
                "name": "Atom",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 22724
          },
          {
            "timestamp": "2026-05-28 22:02:31,475",
            "thread_id": "1276",
            "caller": "0x7ff6c28d9322",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "oleaut32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc77330000"
              }
            ],
            "repeated": 0,
            "id": 22725
          },
          {
            "timestamp": "2026-05-28 22:02:31,475",
            "thread_id": "5448",
            "caller": "0x7ff6c28bb952",
            "parentcaller": "0x7ff6c28be837",
            "category": "windows",
            "api": "PostMessageW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "WindowHandle",
                "value": "0x00010402"
              },
              {
                "name": "Message",
                "value": "0x00000464"
              }
            ],
            "repeated": 0,
            "id": 22726
          },
          {
            "timestamp": "2026-05-28 22:02:31,475",
            "thread_id": "608",
            "caller": "0x7ff6c28d9e90",
            "parentcaller": "0x7ff6c28d9a49",
            "category": "windows",
            "api": "FindWindowW",
            "status": true,
            "return": "0x00010092",
            "arguments": [
              {
                "name": "ClassName",
                "value": "Shell_TrayWnd"
              },
              {
                "name": "WindowName",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 22727
          },
          {
            "timestamp": "2026-05-28 22:02:31,475",
            "thread_id": "2700",
            "caller": "0x7ffc77bf0e98",
            "parentcaller": "0x7ffc77c6b785",
            "category": "windows",
            "api": "PostMessageW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "WindowHandle",
                "value": "0x00010438"
              },
              {
                "name": "Message",
                "value": "0x00000400"
              }
            ],
            "repeated": 0,
            "id": 22728
          },
          {
            "timestamp": "2026-05-28 22:02:31,928",
            "thread_id": "1276",
            "caller": "0x7ffc77bf0e98",
            "parentcaller": "0x7ffc77c6b785",
            "category": "windows",
            "api": "PostMessageW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "WindowHandle",
                "value": "0x00010424"
              },
              {
                "name": "Message",
                "value": "0x00000400"
              }
            ],
            "repeated": 0,
            "id": 22729
          },
          {
            "timestamp": "2026-05-28 22:02:32,459",
            "thread_id": "5448",
            "caller": "0x7ff6c28bd9af",
            "parentcaller": "0x7ff6c28d9f92",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "23"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x92\\xc6Yg\\x00\\x00\\x00\\x00\\xf0\\xe5m\\x1a]\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "5448"
              }
            ],
            "repeated": 0,
            "id": 22730
          },
          {
            "timestamp": "2026-05-28 22:02:32,475",
            "thread_id": "5448",
            "caller": "0x7ff6c28c63dd",
            "parentcaller": "0x7ff6c28bac26",
            "category": "misc",
            "api": "NtQuerySystemInformation",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SystemInformationClass",
                "value": "5",
                "pretty_value": "FILE_OVERWRITE_IF"
              }
            ],
            "repeated": 0,
            "id": 22731
          },
          {
            "timestamp": "2026-05-28 22:02:32,475",
            "thread_id": "5448",
            "caller": "0x7ff6c28bda50",
            "parentcaller": "0x7ff6c28d9f92",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "23"
              },
              {
                "name": "ThreadInformation",
                "value": "\\xd8\\x03\\x9fg\\x00\\x00\\x00\\x00\"P\\xb6\\x1a]\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "5448"
              }
            ],
            "repeated": 0,
            "id": 22732
          },
          {
            "timestamp": "2026-05-28 22:02:32,475",
            "thread_id": "5448",
            "caller": "0x7ff6c28bdaa2",
            "parentcaller": "0x7ff6c28d9f92",
            "category": "misc",
            "api": "NtQuerySystemInformation",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SystemInformationClass",
                "value": "3",
                "pretty_value": "FILE_OPEN_IF"
              }
            ],
            "repeated": 0,
            "id": 22733
          },
          {
            "timestamp": "2026-05-28 22:02:32,475",
            "thread_id": "5448",
            "caller": "0x7ff6c28c4a58",
            "parentcaller": "0x7ff6c28c4bdc",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000410"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\PcwDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00224013"
              },
              {
                "name": "InputBuffer",
                "value": "\\x14\\x04\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": "\\xb8\\x01\\x00\\x00\\x10\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xa8\\x01\\x00\\x00 \\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x000\\x00\\x00\\x0c\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00`\\x00\\x00\\x00\\x00\\x00\\x00\\x00 \\x00\\x00\\x00\\x04\\x00\\x00\\x000\\x00,\\x000\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x04\\x00\\x08\\x00V!\\x83\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x05\\x00\\x08\\x00:\\x00\\xa6\\x01\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x1a\\x00\\x08\\x00\\x85\\x95\\x86\\xdd\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x1b\\x00\\x04\\x00\\x01d\\xd6\\x03\\x00\\x00\\x00\\x00`\\x00\\x00\\x00\\x01\\x00\\x00\\x00 \\x00\\x00\\x00\\x04\\x00\\x00\\x000\\x00,\\x001\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x04\\x00\\x08\\x00F\\xf0T\\x01\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x05\\x00\\x08\\x00T\\xea*\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x1a\\x00\\x08\\x00\\x1f\\xbd\\xf2\\xe2\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x1b\\x00\\x04\\x00\\x06d\\xd6\\x03\\x00\\x00\\x00\\x00h\\x00\\x00\\x00\\x02\\x00\\x00\\x00(\\x00\\x00\\x00\\x04\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 22734
          },
          {
            "timestamp": "2026-05-28 22:02:32,475",
            "thread_id": "5448",
            "caller": "0x7ff6c28c4a58",
            "parentcaller": "0x7ff6c28c4c19",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000410"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\PcwDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00224013"
              },
              {
                "name": "InputBuffer",
                "value": "\\x18\\x04\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": "x\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00h\\x00\\x00\\x00 \\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00H\\x00\\x00\\x00\\x00\\x00\\x00\\x00(\\x00\\x00\\x00\\x02\\x00\\x00\\x00d\\x00e\\x00f\\x00a\\x00u\\x00l\\x00t\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x08\\x00\\x1b\\xa0\\xe9\\xa0\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x01\\x00\\x08\\x00\\x00bS\r\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 22735
          },
          {
            "timestamp": "2026-05-28 22:02:32,475",
            "thread_id": "5448",
            "caller": "0x7ff6c28c6f7b",
            "parentcaller": "0x7ff6c28bdb94",
            "category": "misc",
            "api": "GlobalMemoryStatusEx",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "MemoryLoad",
                "value": "36"
              },
              {
                "name": "TotalPhysicalMB",
                "value": "8191"
              }
            ],
            "repeated": 0,
            "id": 22736
          },
          {
            "timestamp": "2026-05-28 22:02:32,475",
            "thread_id": "5448",
            "caller": "0x7ff6c28c05ac",
            "parentcaller": "0x7ff6c28bdc11",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000ab0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001400",
                "pretty_value": "PROCESS_QUERY_INFORMATION|PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "748"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\148.0.3967.83\\identity_helper.exe"
              }
            ],
            "repeated": 0,
            "id": 22737
          },
          {
            "timestamp": "2026-05-28 22:02:32,475",
            "thread_id": "5448",
            "caller": "0x7ff6c28c068f",
            "parentcaller": "0x7ff6c28bdc11",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000ab0"
              }
            ],
            "repeated": 0,
            "id": 22738
          },
          {
            "timestamp": "2026-05-28 22:02:32,475",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c6d7d",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000ab0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001400",
                "pretty_value": "PROCESS_QUERY_INFORMATION|PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "748"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\148.0.3967.83\\identity_helper.exe"
              }
            ],
            "repeated": 0,
            "id": 22739
          },
          {
            "timestamp": "2026-05-28 22:02:32,475",
            "thread_id": "5448",
            "caller": "0x7ff6c28c6de3",
            "parentcaller": "0x7ff6c28c087c",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000ab0"
              }
            ],
            "repeated": 0,
            "id": 22740
          },
          {
            "timestamp": "2026-05-28 22:02:32,475",
            "thread_id": "8604",
            "caller": "0x7ff6c28c4a58",
            "parentcaller": "0x7ff6c28bab11",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000410"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\PcwDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00224013"
              },
              {
                "name": "InputBuffer",
                "value": "\\x88\\x08\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": "x\\x02\\x00\\x00\\x10\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00h\\x02\\x00\\x00 \\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01<\\x06\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x90\\x00\\x00\\x00\\x00\\x00\\x00\\x00 \\x00\\x00\\x00\\x07\\x00\\x00\\x000\\x00,\\x000\\x00\\x00\\x00a\\x00n\\x00a\\x00g\\x00\\x10\\x00\\x00\\x00\\x10\\x00\\x04\\x00\\x00\\x00\\x00\\x00A\\x00p\\x00\\x10\\x00\\x00\\x00\\x1a\\x00\\x08\\x00l\\xfa\\x86\\xdd\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x1b\\x00\\x04\\x00\\x03e\\xd6\\x03S\\x00e\\x00\\x10\\x00\\x00\\x00\\x1c\\x00\\x08\\x00\\x8b\\xc2\\xc4\\x08\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x1d\\x00\\x04\\x00\\x03e\\xd6\\x03)\\x00\\x00\\x00\\x10\\x00\\x00\\x00!\\x00\\x08\\x00B\\xa8~\\xe5\\x1f\\x00\\x00\\x00\\x10\\x00\\x00\\x00\"\\x00\\x04\\x00\\x1b\\x1c7\\x02o\\x00f\\x00\\x90\\x00\\x00\\x00\\x01\\x00\\x00\\x00 \\x00\\x00\\x00\\x07\\x00\\x00\\x000\\x00,\\x001\\x00\\x00\\x00n\\x00t\\x00\\x00\\x00A\\x00\\x10\\x00\\x00\\x00\\x10\\x00\\x04\\x00\\x00\\x00\\x00\\x00e\\x00n\\x00\\x10\\x00\\x00\\x00\\x1a\\x00\\x08\\x00\\xa9\"\\xf3\\xe2\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 22741
          },
          {
            "timestamp": "2026-05-28 22:02:32,475",
            "thread_id": "8604",
            "caller": "0x7ff6c28c7164",
            "parentcaller": "0x7ff6c28c4d2d",
            "category": "misc",
            "api": "NtQuerySystemInformation",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "SystemInformationClass",
                "value": "79"
              }
            ],
            "repeated": 0,
            "id": 22742
          },
          {
            "timestamp": "2026-05-28 22:02:32,475",
            "thread_id": "8604",
            "caller": "0x7ff6c28c71d8",
            "parentcaller": "0x7ff6c28c4d2d",
            "category": "misc",
            "api": "NtQuerySystemInformation",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SystemInformationClass",
                "value": "79"
              }
            ],
            "repeated": 0,
            "id": 22743
          },
          {
            "timestamp": "2026-05-28 22:02:32,475",
            "thread_id": "8604",
            "caller": "0x7ff6c28c4d5f",
            "parentcaller": "0x7ff6c28d9152",
            "category": "misc",
            "api": "NtQuerySystemInformation",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SystemInformationClass",
                "value": "182"
              }
            ],
            "repeated": 0,
            "id": 22744
          },
          {
            "timestamp": "2026-05-28 22:02:32,475",
            "thread_id": "8604",
            "caller": "0x7ff6c28c4d76",
            "parentcaller": "0x7ff6c28d9152",
            "category": "misc",
            "api": "GetPhysicallyInstalledSystemMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TotalMemoryInKilobytes",
                "value": "8388608"
              }
            ],
            "repeated": 0,
            "id": 22745
          },
          {
            "timestamp": "2026-05-28 22:02:32,475",
            "thread_id": "8604",
            "caller": "0x7ff6c28bcc3e",
            "parentcaller": "0x7ff6c28baa3d",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000008a4"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\Nsi"
              },
              {
                "name": "IoControlCode",
                "value": "0x00120007"
              },
              {
                "name": "InputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb1\\xa9t\\xfc\\x7f\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xc0\\xe5O\\x9e\\xf0\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb1\\xa9t\\xfc\\x7f\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xc0\\xe5O\\x9e\\xf0\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 22746
          },
          {
            "timestamp": "2026-05-28 22:02:32,475",
            "thread_id": "8604",
            "caller": "0x7ff6c28bcc3e",
            "parentcaller": "0x7ff6c28baa3d",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a84"
              }
            ],
            "repeated": 0,
            "id": 22747
          },
          {
            "timestamp": "2026-05-28 22:02:32,475",
            "thread_id": "8604",
            "caller": "0x7ff6c28bcc3e",
            "parentcaller": "0x7ff6c28baa3d",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000008a4"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\Nsi"
              },
              {
                "name": "IoControlCode",
                "value": "0x0012000f"
              },
              {
                "name": "InputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb1\\xa9t\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xd0\\xe5O\\x9e\\xf0\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\xeeO\\x9e\\xf0\\x00\\x00\\x00D\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xe6O\\x9e\\xf0\\x00\\x00\\x00\\xd8\\x00\\x00\\x00\\x00\\x00\\x00\\x00 \\xe9O\\x9e\\xf0\\x00\\x00\\x00X\\x02\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb1\\xa9t\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xd0\\xe5O\\x9e\\xf0\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\xeeO\\x9e\\xf0\\x00\\x00\\x00D\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xe6O\\x9e\\xf0\\x00\\x00\\x00\\xd8\\x00\\x00\\x00\\x00\\x00\\x00\\x00 \\xe9O\\x9e\\xf0\\x00\\x00\\x00X\\x02\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 22748
          },
          {
            "timestamp": "2026-05-28 22:02:32,475",
            "thread_id": "8604",
            "caller": "0x7ff6c28bcc3e",
            "parentcaller": "0x7ff6c28baa3d",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a84"
              }
            ],
            "repeated": 0,
            "id": 22749
          },
          {
            "timestamp": "2026-05-28 22:02:32,475",
            "thread_id": "8604",
            "caller": "0x7ff6c28bcd3d",
            "parentcaller": "0x7ff6c28baa3d",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000a84"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0012019f",
                "pretty_value": "FILE_GENERIC_READ|FILE_GENERIC_WRITE"
              },
              {
                "name": "FileName",
                "value": "\\Device\\{4C572733-2FBA-4346-9601-F86DBA666EF2}"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 22750
          },
          {
            "timestamp": "2026-05-28 22:02:32,475",
            "thread_id": "8604",
            "caller": "0x7ff6c28bcd94",
            "parentcaller": "0x7ff6c28baa3d",
            "category": "device",
            "api": "DeviceIoControl",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "DeviceHandle",
                "value": "0x00000a84"
              },
              {
                "name": "IoControlCode",
                "value": "0x0017003e"
              },
              {
                "name": "InBuffer",
                "value": "\\x07\\x01\\x01\\x00\\x04\\x01\\x01\\x80\\x14\\x01\\x01\\x80\\x01\\x01\\x02\\x00\\x02\\x01\\x02\\x00\\x03\\x01\\x02\\x00\\x04\\x01\\x02\\x00\\x08\\x02\\x02\\x80\\x01\\x02\\x02\\x80\\x07\\x02\\x02\\x80\\xff\\xff\\xff\\x80\\x13\\x02\\x02\\x80\\x14\\x02\\x02\\x80\\x15\\x02\\x02\\x80\\x02\\x02\\x01\\x80"
              },
              {
                "name": "OutBuffer",
                "value": "\\x07\\x01\\x01\\x00\\x04\\x00\\x00\\x00\\x80\\x96\\x98\\x00\\x04\\x01\\x01\\x80\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x14\\x01\\x01\\x80\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x01\\x02\\x00\\x08\\x00\\x00\\x00\\xe0\\x15\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x01\\x02\\x00\\x08\\x00\\x00\\x00\\xa8p\\x00\\x00\\x00\\x00\\x00\\x00\\x03\\x01\\x02\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x04\\x01\\x02\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x08\\x02\\x02\\x80\\x08\\x00\\x00\\x00\\xa3p\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x02\\x02\\x80\\x08\\x00\\x00\\x00\\x01\\xc5U\\x00\\x00\\x00\\x00\\x00\\x07\\x02\\x02\\x80\\x08\\x00\\x00\\x00W\\xec>\\x02\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\x80\\x04\\x00\\x00\\x00b\\x00\\x00\\x00\\x13\\x02\\x02\\x80\\x04\\x00\\x00\\x00m\\x00\\x00\\x00\\x14\\x02\\x02\\x80\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x15\\x02\\x02\\x80\\x04\\x00\\x00\\x00\\x00\\x00\\x04\\x00\\x02\\x02\\x01\\x80\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 22751
          },
          {
            "timestamp": "2026-05-28 22:02:32,475",
            "thread_id": "8604",
            "caller": "0x7ff6c28bcdab",
            "parentcaller": "0x7ff6c28baa3d",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a84"
              }
            ],
            "repeated": 0,
            "id": 22752
          },
          {
            "timestamp": "2026-05-28 22:02:32,475",
            "thread_id": "8604",
            "caller": "0x7ff6c28c1a63",
            "parentcaller": "0x7ff6c28d9152",
            "category": "device",
            "api": "DeviceIoControl",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "DeviceHandle",
                "value": "0x0000089c"
              },
              {
                "name": "IoControlCode",
                "value": "0x00070020"
              },
              {
                "name": "InBuffer",
                "value": ""
              },
              {
                "name": "OutBuffer",
                "value": "\\x00\\xd6\\x03v\\x00\\x00\\x00\\x00\\x00\\u\\x0b\\x00\\x00\\x00\\x00\\xd1\\xac\\x81 \\x00\\x00\\x00\\x00\\xa0\\xfd\\x0b\\x15\\x00\\x00\\x00\\x00\\xf5\\x02\\x82)\\x00\\x00\\x00\\x00Uv\\x00\\x00\\xd8\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\xd1\\x04\\x00\\x00;*\\xfc\\xae\\xed\\xee\\xdc\\x01\\x00\\x00\\x00\\x00P\\x00a\\x00r\\x00t\\x00m\\x00g\\x00r\\x00 \\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 22753
          },
          {
            "timestamp": "2026-05-28 22:02:32,475",
            "thread_id": "8604",
            "caller": "0x7ff6c28ca352",
            "parentcaller": "0x7ff6c28ca1d6",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 22754
          },
          {
            "timestamp": "2026-05-28 22:02:32,475",
            "thread_id": "8604",
            "caller": "0x7ff6c28ca352",
            "parentcaller": "0x7ff6c28ca1d6",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "0",
                "pretty_value": "ThreadBasicInformation"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x03\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb0\\x88\\x9d\\xf0\\x00\\x00\\x00\\xe8\\x1e\\x00\\x00\\x00\\x00\\x00\\x00\\x9c!\\x00\\x00\\x00\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x0b\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "8604"
              }
            ],
            "repeated": 0,
            "id": 22755
          },
          {
            "timestamp": "2026-05-28 22:02:32,475",
            "thread_id": "8604",
            "caller": "0x7ff6c28ca352",
            "parentcaller": "0x7ff6c28ca1d6",
            "category": "system",
            "api": "GetSystemTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 1,
            "id": 22756
          },
          {
            "timestamp": "2026-05-28 22:02:32,475",
            "thread_id": "8604",
            "caller": "0x7ff6c28ca352",
            "parentcaller": "0x7ff6c28ca1d6",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000410"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\PcwDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00224013"
              },
              {
                "name": "InputBuffer",
                "value": "\\x00\t\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": "\\xe0G\\x00\\x00\\x10\\x00\\x00\\x00\\x0c\\x00\\x00\\x00\\x00\\x00\\x00\\x00`\\x14\\x00\\x00 \\x00\\x00\\x00!\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\n\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x98\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x88\\x00\\x00\\x00\\x01\\x00\\x00\\x00p\\x00i\\x00d\\x00_\\x004\\x00_\\x00l\\x00u\\x00i\\x00d\\x00_\\x000\\x00x\\x000\\x000\\x000\\x000\\x000\\x000\\x000\\x000\\x00_\\x000\\x00x\\x000\\x000\\x000\\x000\\x006\\x001\\x006\\x00A\\x00_\\x00p\\x00h\\x00y\\x00s\\x00_\\x000\\x00_\\x00e\\x00n\\x00g\\x00_\\x000\\x00_\\x00e\\x00n\\x00g\\x00t\\x00y\\x00p\\x00e\\x00_\\x003\\x00D\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x01\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x98\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x88\\x00\\x00\\x00\\x01\\x00\\x00\\x00p\\x00i\\x00d\\x00_\\x004\\x00_\\x00l\\x00u\\x00i\\x00d\\x00_\\x000\\x00x\\x000\\x000\\x000\\x000\\x000\\x000\\x000\\x00"
              }
            ],
            "repeated": 0,
            "id": 22757
          },
          {
            "timestamp": "2026-05-28 22:02:32,475",
            "thread_id": "8604",
            "caller": "0x7ff6c28f9829",
            "parentcaller": "0x7ff6c28d8f00",
            "category": "windows",
            "api": "PostMessageW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "WindowHandle",
                "value": "0x000203fa"
              },
              {
                "name": "Message",
                "value": "0x000004e1"
              }
            ],
            "repeated": 0,
            "id": 22758
          },
          {
            "timestamp": "2026-05-28 22:02:32,475",
            "thread_id": "1496",
            "caller": "0x7ff6c2958576",
            "parentcaller": "0x7ff6c2957a42",
            "category": "misc",
            "api": "NtQuerySystemInformation",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SystemInformationClass",
                "value": "3",
                "pretty_value": "FILE_OPEN_IF"
              }
            ],
            "repeated": 0,
            "id": 22759
          },
          {
            "timestamp": "2026-05-28 22:02:32,803",
            "thread_id": "1276",
            "caller": "0x7ffc77bf0e98",
            "parentcaller": "0x7ffc77c6b785",
            "category": "windows",
            "api": "PostMessageW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "WindowHandle",
                "value": "0x00010424"
              },
              {
                "name": "Message",
                "value": "0x00000400"
              }
            ],
            "repeated": 0,
            "id": 22760
          },
          {
            "timestamp": "2026-05-28 22:02:33,459",
            "thread_id": "8604",
            "caller": "0x7ff6c28c4a58",
            "parentcaller": "0x7ff6c28bab11",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000410"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\PcwDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00224013"
              },
              {
                "name": "InputBuffer",
                "value": "\\x88\\x08\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": "x\\x02\\x00\\x00\\x10\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00h\\x02\\x00\\x00 \\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01<\\x06\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x90\\x00\\x00\\x00\\x00\\x00\\x00\\x00 \\x00\\x00\\x00\\x07\\x00\\x00\\x000\\x00,\\x000\\x00\\x00\\x00a\\x00n\\x00a\\x00g\\x00\\x10\\x00\\x00\\x00\\x10\\x00\\x04\\x00\\x00\\x00\\x00\\x00A\\x00p\\x00\\x10\\x00\\x00\\x00\\x1a\\x00\\x08\\x00DR5\\xe1\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x1b\\x00\\x04\\x00i\\xd1\\xdf\\x03S\\x00e\\x00\\x10\\x00\\x00\\x00\\x1c\\x00\\x08\\x00\\x8b\\xc2\\xc4\\x08\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x1d\\x00\\x04\\x00i\\xd1\\xdf\\x03)\\x00\\x00\\x00\\x10\\x00\\x00\\x00!\\x00\\x08\\x00\\xe6l-m \\x00\\x00\\x00\\x10\\x00\\x00\\x00\"\\x00\\x04\\x00\\x81\\x88@\\x02o\\x00f\\x00\\x90\\x00\\x00\\x00\\x01\\x00\\x00\\x00 \\x00\\x00\\x00\\x07\\x00\\x00\\x000\\x00,\\x001\\x00\\x00\\x00n\\x00t\\x00\\x00\\x00A\\x00\\x10\\x00\\x00\\x00\\x10\\x00\\x04\\x00\\x00\\x00\\x00\\x00e\\x00n\\x00\\x10\\x00\\x00\\x00\\x1a\\x00\\x08\\x00V{\\xa1\\xe6\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 22761
          },
          {
            "timestamp": "2026-05-28 22:02:33,459",
            "thread_id": "8604",
            "caller": "0x7ff6c28c7164",
            "parentcaller": "0x7ff6c28c4d2d",
            "category": "misc",
            "api": "NtQuerySystemInformation",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "SystemInformationClass",
                "value": "79"
              }
            ],
            "repeated": 0,
            "id": 22762
          },
          {
            "timestamp": "2026-05-28 22:02:33,459",
            "thread_id": "8604",
            "caller": "0x7ff6c28c71d8",
            "parentcaller": "0x7ff6c28c4d2d",
            "category": "misc",
            "api": "NtQuerySystemInformation",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SystemInformationClass",
                "value": "79"
              }
            ],
            "repeated": 0,
            "id": 22763
          },
          {
            "timestamp": "2026-05-28 22:02:33,459",
            "thread_id": "8604",
            "caller": "0x7ff6c28c4d5f",
            "parentcaller": "0x7ff6c28d9152",
            "category": "misc",
            "api": "NtQuerySystemInformation",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SystemInformationClass",
                "value": "182"
              }
            ],
            "repeated": 0,
            "id": 22764
          },
          {
            "timestamp": "2026-05-28 22:02:33,459",
            "thread_id": "8604",
            "caller": "0x7ff6c28c4d76",
            "parentcaller": "0x7ff6c28d9152",
            "category": "misc",
            "api": "GetPhysicallyInstalledSystemMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TotalMemoryInKilobytes",
                "value": "8388608"
              }
            ],
            "repeated": 0,
            "id": 22765
          },
          {
            "timestamp": "2026-05-28 22:02:33,459",
            "thread_id": "8604",
            "caller": "0x7ff6c28bcc3e",
            "parentcaller": "0x7ff6c28baa3d",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000008a4"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\Nsi"
              },
              {
                "name": "IoControlCode",
                "value": "0x00120007"
              },
              {
                "name": "InputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb1\\xa9t\\xfc\\x7f\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xc0\\xe5O\\x9e\\xf0\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb1\\xa9t\\xfc\\x7f\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xc0\\xe5O\\x9e\\xf0\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 22766
          },
          {
            "timestamp": "2026-05-28 22:02:33,459",
            "thread_id": "8604",
            "caller": "0x7ff6c28bcc3e",
            "parentcaller": "0x7ff6c28baa3d",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000aa0"
              }
            ],
            "repeated": 0,
            "id": 22767
          },
          {
            "timestamp": "2026-05-28 22:02:33,459",
            "thread_id": "8604",
            "caller": "0x7ff6c28bcc3e",
            "parentcaller": "0x7ff6c28baa3d",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000008a4"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\Nsi"
              },
              {
                "name": "IoControlCode",
                "value": "0x0012000f"
              },
              {
                "name": "InputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb1\\xa9t\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xd0\\xe5O\\x9e\\xf0\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\xeeO\\x9e\\xf0\\x00\\x00\\x00D\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xe6O\\x9e\\xf0\\x00\\x00\\x00\\xd8\\x00\\x00\\x00\\x00\\x00\\x00\\x00 \\xe9O\\x9e\\xf0\\x00\\x00\\x00X\\x02\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb1\\xa9t\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xd0\\xe5O\\x9e\\xf0\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\xeeO\\x9e\\xf0\\x00\\x00\\x00D\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xe6O\\x9e\\xf0\\x00\\x00\\x00\\xd8\\x00\\x00\\x00\\x00\\x00\\x00\\x00 \\xe9O\\x9e\\xf0\\x00\\x00\\x00X\\x02\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 22768
          },
          {
            "timestamp": "2026-05-28 22:02:33,459",
            "thread_id": "8604",
            "caller": "0x7ff6c28bcc3e",
            "parentcaller": "0x7ff6c28baa3d",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000aa0"
              }
            ],
            "repeated": 0,
            "id": 22769
          },
          {
            "timestamp": "2026-05-28 22:02:33,459",
            "thread_id": "8604",
            "caller": "0x7ff6c28bcd3d",
            "parentcaller": "0x7ff6c28baa3d",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000aa0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0012019f",
                "pretty_value": "FILE_GENERIC_READ|FILE_GENERIC_WRITE"
              },
              {
                "name": "FileName",
                "value": "\\Device\\{4C572733-2FBA-4346-9601-F86DBA666EF2}"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 22770
          },
          {
            "timestamp": "2026-05-28 22:02:33,459",
            "thread_id": "8604",
            "caller": "0x7ff6c28bcd94",
            "parentcaller": "0x7ff6c28baa3d",
            "category": "device",
            "api": "DeviceIoControl",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "DeviceHandle",
                "value": "0x00000aa0"
              },
              {
                "name": "IoControlCode",
                "value": "0x0017003e"
              },
              {
                "name": "InBuffer",
                "value": "\\x07\\x01\\x01\\x00\\x04\\x01\\x01\\x80\\x14\\x01\\x01\\x80\\x01\\x01\\x02\\x00\\x02\\x01\\x02\\x00\\x03\\x01\\x02\\x00\\x04\\x01\\x02\\x00\\x08\\x02\\x02\\x80\\x01\\x02\\x02\\x80\\x07\\x02\\x02\\x80\\xff\\xff\\xff\\x80\\x13\\x02\\x02\\x80\\x14\\x02\\x02\\x80\\x15\\x02\\x02\\x80\\x02\\x02\\x01\\x80"
              },
              {
                "name": "OutBuffer",
                "value": "\\x07\\x01\\x01\\x00\\x04\\x00\\x00\\x00\\x80\\x96\\x98\\x00\\x04\\x01\\x01\\x80\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x14\\x01\\x01\\x80\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x01\\x02\\x00\\x08\\x00\\x00\\x00\\x11\\x16\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x01\\x02\\x00\\x08\\x00\\x00\\x00\\xdbp\\x00\\x00\\x00\\x00\\x00\\x00\\x03\\x01\\x02\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x04\\x01\\x02\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x08\\x02\\x02\\x80\\x08\\x00\\x00\\x00\\xd6p\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x02\\x02\\x80\\x08\\x00\\x00\\x00\\xb9dZ\\x00\\x00\\x00\\x00\\x00\\x07\\x02\\x02\\x80\\x08\\x00\\x00\\x00R8?\\x02\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\x80\\x04\\x00\\x00\\x00c\\x00\\x00\\x00\\x13\\x02\\x02\\x80\\x04\\x00\\x00\\x00m\\x00\\x00\\x00\\x14\\x02\\x02\\x80\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x15\\x02\\x02\\x80\\x04\\x00\\x00\\x00\\x00\\x00\\x04\\x00\\x02\\x02\\x01\\x80\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 22771
          },
          {
            "timestamp": "2026-05-28 22:02:33,459",
            "thread_id": "8604",
            "caller": "0x7ff6c28bcdab",
            "parentcaller": "0x7ff6c28baa3d",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000aa0"
              }
            ],
            "repeated": 0,
            "id": 22772
          },
          {
            "timestamp": "2026-05-28 22:02:33,459",
            "thread_id": "8604",
            "caller": "0x7ff6c28c1a63",
            "parentcaller": "0x7ff6c28d9152",
            "category": "device",
            "api": "DeviceIoControl",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "DeviceHandle",
                "value": "0x0000089c"
              },
              {
                "name": "IoControlCode",
                "value": "0x00070020"
              },
              {
                "name": "InBuffer",
                "value": ""
              },
              {
                "name": "OutBuffer",
                "value": "\\x00\\xd6\\x03v\\x00\\x00\\x00\\x00\\x00\\xec\\x85\\x0b\\x00\\x00\\x00\\x00\\xd1\\xac\\x81 \\x00\\x00\\x00\\x00;\\x90\\x12\\x15\\x00\\x00\\x00\\x00?\"\\x12*\\x00\\x00\\x00\\x00Uv\\x00\\x00\\xdb\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\xd1\\x04\\x00\\x00\\x1a\\xbc\\x92\\xaf\\xed\\xee\\xdc\\x01\\x00\\x00\\x00\\x00P\\x00a\\x00r\\x00t\\x00m\\x00g\\x00r\\x00 \\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 22773
          },
          {
            "timestamp": "2026-05-28 22:02:33,459",
            "thread_id": "8604",
            "caller": "0x7ff6c28ca352",
            "parentcaller": "0x7ff6c28ca1d6",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 22774
          },
          {
            "timestamp": "2026-05-28 22:02:33,459",
            "thread_id": "8604",
            "caller": "0x7ff6c28ca352",
            "parentcaller": "0x7ff6c28ca1d6",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "0",
                "pretty_value": "ThreadBasicInformation"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x03\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb0\\x88\\x9d\\xf0\\x00\\x00\\x00\\xe8\\x1e\\x00\\x00\\x00\\x00\\x00\\x00\\x9c!\\x00\\x00\\x00\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x0b\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "8604"
              }
            ],
            "repeated": 0,
            "id": 22775
          },
          {
            "timestamp": "2026-05-28 22:02:33,459",
            "thread_id": "8604",
            "caller": "0x7ff6c28ca352",
            "parentcaller": "0x7ff6c28ca1d6",
            "category": "system",
            "api": "GetSystemTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 1,
            "id": 22776
          },
          {
            "timestamp": "2026-05-28 22:02:33,459",
            "thread_id": "8604",
            "caller": "0x7ff6c28ca352",
            "parentcaller": "0x7ff6c28ca1d6",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000410"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\PcwDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00224013"
              },
              {
                "name": "InputBuffer",
                "value": "\\x00\t\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": "\\xe0G\\x00\\x00\\x10\\x00\\x00\\x00\\x0c\\x00\\x00\\x00\\x00\\x00\\x00\\x00`\\x14\\x00\\x00 \\x00\\x00\\x00!\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\n\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x98\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x88\\x00\\x00\\x00\\x01\\x00\\x00\\x00p\\x00i\\x00d\\x00_\\x004\\x00_\\x00l\\x00u\\x00i\\x00d\\x00_\\x000\\x00x\\x000\\x000\\x000\\x000\\x000\\x000\\x000\\x000\\x00_\\x000\\x00x\\x000\\x000\\x000\\x000\\x006\\x001\\x006\\x00A\\x00_\\x00p\\x00h\\x00y\\x00s\\x00_\\x000\\x00_\\x00e\\x00n\\x00g\\x00_\\x000\\x00_\\x00e\\x00n\\x00g\\x00t\\x00y\\x00p\\x00e\\x00_\\x003\\x00D\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x01\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x98\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x88\\x00\\x00\\x00\\x01\\x00\\x00\\x00p\\x00i\\x00d\\x00_\\x004\\x00_\\x00l\\x00u\\x00i\\x00d\\x00_\\x000\\x00x\\x000\\x000\\x000\\x000\\x000\\x000\\x000\\x00"
              }
            ],
            "repeated": 0,
            "id": 22777
          },
          {
            "timestamp": "2026-05-28 22:02:33,459",
            "thread_id": "8604",
            "caller": "0x7ff6c28f9829",
            "parentcaller": "0x7ff6c28d8f00",
            "category": "windows",
            "api": "PostMessageW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "WindowHandle",
                "value": "0x000203fa"
              },
              {
                "name": "Message",
                "value": "0x000004e1"
              }
            ],
            "repeated": 0,
            "id": 22778
          },
          {
            "timestamp": "2026-05-28 22:02:33,459",
            "thread_id": "1496",
            "caller": "0x7ff6c2958576",
            "parentcaller": "0x7ff6c2957a42",
            "category": "misc",
            "api": "NtQuerySystemInformation",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SystemInformationClass",
                "value": "3",
                "pretty_value": "FILE_OPEN_IF"
              }
            ],
            "repeated": 0,
            "id": 22779
          },
          {
            "timestamp": "2026-05-28 22:02:34,428",
            "thread_id": "1276",
            "caller": "0x7ffc77bf0e98",
            "parentcaller": "0x7ffc77c6b785",
            "category": "windows",
            "api": "PostMessageW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "WindowHandle",
                "value": "0x00010424"
              },
              {
                "name": "Message",
                "value": "0x00000400"
              }
            ],
            "repeated": 0,
            "id": 22780
          },
          {
            "timestamp": "2026-05-28 22:02:34,459",
            "thread_id": "8604",
            "caller": "0x7ff6c28c4a58",
            "parentcaller": "0x7ff6c28bab11",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000410"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\PcwDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00224013"
              },
              {
                "name": "InputBuffer",
                "value": "\\x88\\x08\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": "x\\x02\\x00\\x00\\x10\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00h\\x02\\x00\\x00 \\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01<\\x06\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x90\\x00\\x00\\x00\\x00\\x00\\x00\\x00 \\x00\\x00\\x00\\x07\\x00\\x00\\x000\\x00,\\x000\\x00\\x00\\x00a\\x00n\\x00a\\x00g\\x00\\x10\\x00\\x00\\x00\\x10\\x00\\x04\\x00\\x00\\x00\\x00\\x00A\\x00p\\x00\\x10\\x00\\x00\\x00\\x1a\\x00\\x08\\x00\\xed\\x86\\xef\\xe4\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x1b\\x00\\x04\\x00-\\\\xe9\\x03S\\x00e\\x00\\x10\\x00\\x00\\x00\\x1c\\x00\\x08\\x00\\x8b\\xc2\\xc4\\x08\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x1d\\x00\\x04\\x00-\\\\xe9\\x03)\\x00\\x00\\x00\\x10\\x00\\x00\\x00!\\x00\\x08\\x00\\x97r\\x91\\xf6 \\x00\\x00\\x00\\x10\\x00\\x00\\x00\"\\x00\\x04\\x00E\\x13J\\x02o\\x00f\\x00\\x90\\x00\\x00\\x00\\x01\\x00\\x00\\x00 \\x00\\x00\\x00\\x07\\x00\\x00\\x000\\x00,\\x001\\x00\\x00\\x00n\\x00t\\x00\\x00\\x00A\\x00\\x10\\x00\\x00\\x00\\x10\\x00\\x04\\x00\\x00\\x00\\x00\\x00e\\x00n\\x00\\x10\\x00\\x00\\x00\\x1a\\x00\\x08\\x00\\x0b\\xae[\\xea\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 22781
          },
          {
            "timestamp": "2026-05-28 22:02:34,459",
            "thread_id": "8604",
            "caller": "0x7ff6c28c7164",
            "parentcaller": "0x7ff6c28c4d2d",
            "category": "misc",
            "api": "NtQuerySystemInformation",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "SystemInformationClass",
                "value": "79"
              }
            ],
            "repeated": 0,
            "id": 22782
          },
          {
            "timestamp": "2026-05-28 22:02:34,459",
            "thread_id": "8604",
            "caller": "0x7ff6c28c71d8",
            "parentcaller": "0x7ff6c28c4d2d",
            "category": "misc",
            "api": "NtQuerySystemInformation",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SystemInformationClass",
                "value": "79"
              }
            ],
            "repeated": 0,
            "id": 22783
          },
          {
            "timestamp": "2026-05-28 22:02:34,459",
            "thread_id": "8604",
            "caller": "0x7ff6c28c4d5f",
            "parentcaller": "0x7ff6c28d9152",
            "category": "misc",
            "api": "NtQuerySystemInformation",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SystemInformationClass",
                "value": "182"
              }
            ],
            "repeated": 0,
            "id": 22784
          },
          {
            "timestamp": "2026-05-28 22:02:34,459",
            "thread_id": "8604",
            "caller": "0x7ff6c28c4d76",
            "parentcaller": "0x7ff6c28d9152",
            "category": "misc",
            "api": "GetPhysicallyInstalledSystemMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TotalMemoryInKilobytes",
                "value": "8388608"
              }
            ],
            "repeated": 0,
            "id": 22785
          },
          {
            "timestamp": "2026-05-28 22:02:34,459",
            "thread_id": "8604",
            "caller": "0x7ff6c28bcc3e",
            "parentcaller": "0x7ff6c28baa3d",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000008a4"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\Nsi"
              },
              {
                "name": "IoControlCode",
                "value": "0x00120007"
              },
              {
                "name": "InputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb1\\xa9t\\xfc\\x7f\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xc0\\xe5O\\x9e\\xf0\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb1\\xa9t\\xfc\\x7f\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xc0\\xe5O\\x9e\\xf0\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 22786
          },
          {
            "timestamp": "2026-05-28 22:02:34,459",
            "thread_id": "8604",
            "caller": "0x7ff6c28bcc3e",
            "parentcaller": "0x7ff6c28baa3d",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a84"
              }
            ],
            "repeated": 0,
            "id": 22787
          },
          {
            "timestamp": "2026-05-28 22:02:34,459",
            "thread_id": "8604",
            "caller": "0x7ff6c28bcc3e",
            "parentcaller": "0x7ff6c28baa3d",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000008a4"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\Nsi"
              },
              {
                "name": "IoControlCode",
                "value": "0x0012000f"
              },
              {
                "name": "InputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb1\\xa9t\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xd0\\xe5O\\x9e\\xf0\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\xeeO\\x9e\\xf0\\x00\\x00\\x00D\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xe6O\\x9e\\xf0\\x00\\x00\\x00\\xd8\\x00\\x00\\x00\\x00\\x00\\x00\\x00 \\xe9O\\x9e\\xf0\\x00\\x00\\x00X\\x02\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb1\\xa9t\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xd0\\xe5O\\x9e\\xf0\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\xeeO\\x9e\\xf0\\x00\\x00\\x00D\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xe6O\\x9e\\xf0\\x00\\x00\\x00\\xd8\\x00\\x00\\x00\\x00\\x00\\x00\\x00 \\xe9O\\x9e\\xf0\\x00\\x00\\x00X\\x02\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 22788
          },
          {
            "timestamp": "2026-05-28 22:02:34,459",
            "thread_id": "8604",
            "caller": "0x7ff6c28bcc3e",
            "parentcaller": "0x7ff6c28baa3d",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a84"
              }
            ],
            "repeated": 0,
            "id": 22789
          },
          {
            "timestamp": "2026-05-28 22:02:34,459",
            "thread_id": "8604",
            "caller": "0x7ff6c28bcd3d",
            "parentcaller": "0x7ff6c28baa3d",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000a84"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0012019f",
                "pretty_value": "FILE_GENERIC_READ|FILE_GENERIC_WRITE"
              },
              {
                "name": "FileName",
                "value": "\\Device\\{4C572733-2FBA-4346-9601-F86DBA666EF2}"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 22790
          },
          {
            "timestamp": "2026-05-28 22:02:34,459",
            "thread_id": "8604",
            "caller": "0x7ff6c28bcd94",
            "parentcaller": "0x7ff6c28baa3d",
            "category": "device",
            "api": "DeviceIoControl",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "DeviceHandle",
                "value": "0x00000a84"
              },
              {
                "name": "IoControlCode",
                "value": "0x0017003e"
              },
              {
                "name": "InBuffer",
                "value": "\\x07\\x01\\x01\\x00\\x04\\x01\\x01\\x80\\x14\\x01\\x01\\x80\\x01\\x01\\x02\\x00\\x02\\x01\\x02\\x00\\x03\\x01\\x02\\x00\\x04\\x01\\x02\\x00\\x08\\x02\\x02\\x80\\x01\\x02\\x02\\x80\\x07\\x02\\x02\\x80\\xff\\xff\\xff\\x80\\x13\\x02\\x02\\x80\\x14\\x02\\x02\\x80\\x15\\x02\\x02\\x80\\x02\\x02\\x01\\x80"
              },
              {
                "name": "OutBuffer",
                "value": "\\x07\\x01\\x01\\x00\\x04\\x00\\x00\\x00\\x80\\x96\\x98\\x00\\x04\\x01\\x01\\x80\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x14\\x01\\x01\\x80\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x01\\x02\\x00\\x08\\x00\\x00\\x00\\x1e\\x16\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x01\\x02\\x00\\x08\\x00\\x00\\x00%q\\x00\\x00\\x00\\x00\\x00\\x00\\x03\\x01\\x02\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x04\\x01\\x02\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x08\\x02\\x02\\x80\\x08\\x00\\x00\\x00 q\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x02\\x02\\x80\\x08\\x00\\x00\\x00piZ\\x00\\x00\\x00\\x00\\x00\\x07\\x02\\x02\\x80\\x08\\x00\\x00\\x00\\xd7\\xa7@\\x02\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\x80\\x04\\x00\\x00\\x00d\\x00\\x00\\x00\\x13\\x02\\x02\\x80\\x04\\x00\\x00\\x00m\\x00\\x00\\x00\\x14\\x02\\x02\\x80\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x15\\x02\\x02\\x80\\x04\\x00\\x00\\x00\\x00\\x00\\x04\\x00\\x02\\x02\\x01\\x80\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 22791
          },
          {
            "timestamp": "2026-05-28 22:02:34,459",
            "thread_id": "8604",
            "caller": "0x7ff6c28bcdab",
            "parentcaller": "0x7ff6c28baa3d",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a84"
              }
            ],
            "repeated": 0,
            "id": 22792
          },
          {
            "timestamp": "2026-05-28 22:02:34,459",
            "thread_id": "8604",
            "caller": "0x7ff6c28c1a63",
            "parentcaller": "0x7ff6c28d9152",
            "category": "device",
            "api": "DeviceIoControl",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "DeviceHandle",
                "value": "0x0000089c"
              },
              {
                "name": "IoControlCode",
                "value": "0x00070020"
              },
              {
                "name": "InBuffer",
                "value": ""
              },
              {
                "name": "OutBuffer",
                "value": "\\x00\\xda\\x03v\\x00\\x00\\x00\\x00\\x00\\xf0\\xa5\\x0b\\x00\\x00\\x00\\x00\\x05\\xb5\\x81 \\x00\\x00\\x00\\x00l\\xbd\"\\x15\\x00\\x00\\x00\\x00\\x1b\\x9e\\x9a*\\x00\\x00\\x00\\x00Wv\\x00\\x00\\xdf\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\xd1\\x04\\x00\\x00\\x17\\x90+\\xb0\\xed\\xee\\xdc\\x01\\x00\\x00\\x00\\x00P\\x00a\\x00r\\x00t\\x00m\\x00g\\x00r\\x00 \\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 22793
          },
          {
            "timestamp": "2026-05-28 22:02:34,459",
            "thread_id": "8604",
            "caller": "0x7ff6c28ca352",
            "parentcaller": "0x7ff6c28ca1d6",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 22794
          },
          {
            "timestamp": "2026-05-28 22:02:34,459",
            "thread_id": "8604",
            "caller": "0x7ff6c28ca352",
            "parentcaller": "0x7ff6c28ca1d6",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "0",
                "pretty_value": "ThreadBasicInformation"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x03\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb0\\x88\\x9d\\xf0\\x00\\x00\\x00\\xe8\\x1e\\x00\\x00\\x00\\x00\\x00\\x00\\x9c!\\x00\\x00\\x00\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x0b\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "8604"
              }
            ],
            "repeated": 0,
            "id": 22795
          },
          {
            "timestamp": "2026-05-28 22:02:34,459",
            "thread_id": "8604",
            "caller": "0x7ff6c28ca352",
            "parentcaller": "0x7ff6c28ca1d6",
            "category": "system",
            "api": "GetSystemTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 1,
            "id": 22796
          },
          {
            "timestamp": "2026-05-28 22:02:34,459",
            "thread_id": "8604",
            "caller": "0x7ff6c28ca352",
            "parentcaller": "0x7ff6c28ca1d6",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000410"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\PcwDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00224013"
              },
              {
                "name": "InputBuffer",
                "value": "\\x00\t\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": "\\xe0G\\x00\\x00\\x10\\x00\\x00\\x00\\x0c\\x00\\x00\\x00\\x00\\x00\\x00\\x00`\\x14\\x00\\x00 \\x00\\x00\\x00!\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\n\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x98\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x88\\x00\\x00\\x00\\x01\\x00\\x00\\x00p\\x00i\\x00d\\x00_\\x004\\x00_\\x00l\\x00u\\x00i\\x00d\\x00_\\x000\\x00x\\x000\\x000\\x000\\x000\\x000\\x000\\x000\\x000\\x00_\\x000\\x00x\\x000\\x000\\x000\\x000\\x006\\x001\\x006\\x00A\\x00_\\x00p\\x00h\\x00y\\x00s\\x00_\\x000\\x00_\\x00e\\x00n\\x00g\\x00_\\x000\\x00_\\x00e\\x00n\\x00g\\x00t\\x00y\\x00p\\x00e\\x00_\\x003\\x00D\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x01\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x98\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x88\\x00\\x00\\x00\\x01\\x00\\x00\\x00p\\x00i\\x00d\\x00_\\x004\\x00_\\x00l\\x00u\\x00i\\x00d\\x00_\\x000\\x00x\\x000\\x000\\x000\\x000\\x000\\x000\\x000\\x00"
              }
            ],
            "repeated": 0,
            "id": 22797
          },
          {
            "timestamp": "2026-05-28 22:02:34,459",
            "thread_id": "8604",
            "caller": "0x7ff6c28f9829",
            "parentcaller": "0x7ff6c28d8f00",
            "category": "windows",
            "api": "PostMessageW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "WindowHandle",
                "value": "0x000203fa"
              },
              {
                "name": "Message",
                "value": "0x000004e1"
              }
            ],
            "repeated": 0,
            "id": 22798
          },
          {
            "timestamp": "2026-05-28 22:02:34,459",
            "thread_id": "1496",
            "caller": "0x7ff6c2958576",
            "parentcaller": "0x7ff6c2957a42",
            "category": "misc",
            "api": "NtQuerySystemInformation",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SystemInformationClass",
                "value": "3",
                "pretty_value": "FILE_OPEN_IF"
              }
            ],
            "repeated": 0,
            "id": 22799
          },
          {
            "timestamp": "2026-05-28 22:02:34,725",
            "thread_id": "5448",
            "caller": "0x7ff6c28c05ac",
            "parentcaller": "0x7ff6c28bdc11",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000ab0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001400",
                "pretty_value": "PROCESS_QUERY_INFORMATION|PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "5484"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe"
              }
            ],
            "repeated": 0,
            "id": 22800
          },
          {
            "timestamp": "2026-05-28 22:02:34,725",
            "thread_id": "5448",
            "caller": "0x7ff6c28c068f",
            "parentcaller": "0x7ff6c28bdc11",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000ab0"
              }
            ],
            "repeated": 0,
            "id": 22801
          },
          {
            "timestamp": "2026-05-28 22:02:34,725",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c6d7d",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000ab0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001400",
                "pretty_value": "PROCESS_QUERY_INFORMATION|PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "5484"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe"
              }
            ],
            "repeated": 0,
            "id": 22802
          },
          {
            "timestamp": "2026-05-28 22:02:34,725",
            "thread_id": "5448",
            "caller": "0x7ff6c28c6de3",
            "parentcaller": "0x7ff6c28c087c",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000ab0"
              }
            ],
            "repeated": 0,
            "id": 22803
          },
          {
            "timestamp": "2026-05-28 22:02:34,725",
            "thread_id": "1276",
            "caller": "0x7ff6c28d9214",
            "parentcaller": "0x00000000",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "0",
                "pretty_value": "ThreadBasicInformation"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x03\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xd0\\x87\\x9d\\xf0\\x00\\x00\\x00\\xe8\\x1e\\x00\\x00\\x00\\x00\\x00\\x00\\xfc\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x0b\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "1276"
              }
            ],
            "repeated": 0,
            "id": 22804
          },
          {
            "timestamp": "2026-05-28 22:02:34,725",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000000",
                "pretty_value": "HKEY_CLASSES_ROOT"
              },
              {
                "name": "SubKey",
                "value": "CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_CLASSES_ROOT\\CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              }
            ],
            "repeated": 0,
            "id": 22805
          },
          {
            "timestamp": "2026-05-28 22:02:34,725",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "shell32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76730000"
              }
            ],
            "repeated": 0,
            "id": 22806
          },
          {
            "timestamp": "2026-05-28 22:02:34,725",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x7ffc76730000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "shell32.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 22807
          },
          {
            "timestamp": "2026-05-28 22:02:34,725",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "SHELL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc76730000"
              },
              {
                "name": "FunctionName",
                "value": "DllGetClassObject"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc767878f0"
              }
            ],
            "repeated": 0,
            "id": 22808
          },
          {
            "timestamp": "2026-05-28 22:02:34,725",
            "thread_id": "1276",
            "caller": "0x7ff6c28c27c9",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "synchronization",
            "api": "NtFindAtom",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "AtomName",
                "value": "{57086C23-86C6-478F-AFB2-236188C8F47F} 3"
              },
              {
                "name": "Atom",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 22809
          },
          {
            "timestamp": "2026-05-28 22:02:34,725",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000000",
                "pretty_value": "HKEY_CLASSES_ROOT"
              },
              {
                "name": "SubKey",
                "value": "CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_CLASSES_ROOT\\CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              }
            ],
            "repeated": 0,
            "id": 22810
          },
          {
            "timestamp": "2026-05-28 22:02:34,725",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "shell32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76730000"
              }
            ],
            "repeated": 0,
            "id": 22811
          },
          {
            "timestamp": "2026-05-28 22:02:34,725",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x7ffc76730000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "shell32.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 22812
          },
          {
            "timestamp": "2026-05-28 22:02:34,725",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "SHELL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc76730000"
              },
              {
                "name": "FunctionName",
                "value": "DllGetClassObject"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc767878f0"
              }
            ],
            "repeated": 0,
            "id": 22813
          },
          {
            "timestamp": "2026-05-28 22:02:34,725",
            "thread_id": "1276",
            "caller": "0x7ff6c28c27c9",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "synchronization",
            "api": "NtFindAtom",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "AtomName",
                "value": "{57086C23-86C6-478F-AFB2-236188C8F47F} 3"
              },
              {
                "name": "Atom",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 22814
          },
          {
            "timestamp": "2026-05-28 22:02:34,725",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6fb1",
            "parentcaller": "0x7ff6c28e0076",
            "category": "system",
            "api": "NtDelayExecution",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 22815
          },
          {
            "timestamp": "2026-05-28 22:02:34,725",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000000",
                "pretty_value": "HKEY_CLASSES_ROOT"
              },
              {
                "name": "SubKey",
                "value": "CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_CLASSES_ROOT\\CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              }
            ],
            "repeated": 0,
            "id": 22816
          },
          {
            "timestamp": "2026-05-28 22:02:34,725",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "shell32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76730000"
              }
            ],
            "repeated": 0,
            "id": 22817
          },
          {
            "timestamp": "2026-05-28 22:02:34,725",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x7ffc76730000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "shell32.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 22818
          },
          {
            "timestamp": "2026-05-28 22:02:34,725",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "SHELL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc76730000"
              },
              {
                "name": "FunctionName",
                "value": "DllGetClassObject"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc767878f0"
              }
            ],
            "repeated": 0,
            "id": 22819
          },
          {
            "timestamp": "2026-05-28 22:02:34,725",
            "thread_id": "1276",
            "caller": "0x7ff6c28c27c9",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "synchronization",
            "api": "NtFindAtom",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "AtomName",
                "value": "{57086C23-86C6-478F-AFB2-236188C8F47F} 3"
              },
              {
                "name": "Atom",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 22820
          },
          {
            "timestamp": "2026-05-28 22:02:34,725",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000000",
                "pretty_value": "HKEY_CLASSES_ROOT"
              },
              {
                "name": "SubKey",
                "value": "CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_CLASSES_ROOT\\CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              }
            ],
            "repeated": 0,
            "id": 22821
          },
          {
            "timestamp": "2026-05-28 22:02:34,725",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "shell32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76730000"
              }
            ],
            "repeated": 0,
            "id": 22822
          },
          {
            "timestamp": "2026-05-28 22:02:34,725",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x7ffc76730000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "shell32.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 22823
          },
          {
            "timestamp": "2026-05-28 22:02:34,725",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "SHELL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc76730000"
              },
              {
                "name": "FunctionName",
                "value": "DllGetClassObject"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc767878f0"
              }
            ],
            "repeated": 0,
            "id": 22824
          },
          {
            "timestamp": "2026-05-28 22:02:34,725",
            "thread_id": "1276",
            "caller": "0x7ff6c28c27c9",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "synchronization",
            "api": "NtFindAtom",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "AtomName",
                "value": "{57086C23-86C6-478F-AFB2-236188C8F47F} 3"
              },
              {
                "name": "Atom",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 22825
          },
          {
            "timestamp": "2026-05-28 22:02:34,725",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000000",
                "pretty_value": "HKEY_CLASSES_ROOT"
              },
              {
                "name": "SubKey",
                "value": "CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_CLASSES_ROOT\\CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              }
            ],
            "repeated": 0,
            "id": 22826
          },
          {
            "timestamp": "2026-05-28 22:02:34,725",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "shell32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76730000"
              }
            ],
            "repeated": 0,
            "id": 22827
          },
          {
            "timestamp": "2026-05-28 22:02:34,725",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x7ffc76730000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "shell32.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 22828
          },
          {
            "timestamp": "2026-05-28 22:02:34,725",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "SHELL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc76730000"
              },
              {
                "name": "FunctionName",
                "value": "DllGetClassObject"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc767878f0"
              }
            ],
            "repeated": 0,
            "id": 22829
          },
          {
            "timestamp": "2026-05-28 22:02:34,725",
            "thread_id": "1276",
            "caller": "0x7ff6c28c27c9",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "synchronization",
            "api": "NtFindAtom",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "AtomName",
                "value": "{57086C23-86C6-478F-AFB2-236188C8F47F} 3"
              },
              {
                "name": "Atom",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 22830
          },
          {
            "timestamp": "2026-05-28 22:02:34,725",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000000",
                "pretty_value": "HKEY_CLASSES_ROOT"
              },
              {
                "name": "SubKey",
                "value": "CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_CLASSES_ROOT\\CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              }
            ],
            "repeated": 0,
            "id": 22831
          },
          {
            "timestamp": "2026-05-28 22:02:34,725",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "shell32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76730000"
              }
            ],
            "repeated": 0,
            "id": 22832
          },
          {
            "timestamp": "2026-05-28 22:02:34,725",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x7ffc76730000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "shell32.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 22833
          },
          {
            "timestamp": "2026-05-28 22:02:34,725",
            "thread_id": "1276",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "SHELL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc76730000"
              },
              {
                "name": "FunctionName",
                "value": "DllGetClassObject"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc767878f0"
              }
            ],
            "repeated": 0,
            "id": 22834
          },
          {
            "timestamp": "2026-05-28 22:02:34,725",
            "thread_id": "1276",
            "caller": "0x7ff6c28c27c9",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "synchronization",
            "api": "NtFindAtom",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "AtomName",
                "value": "{57086C23-86C6-478F-AFB2-236188C8F47F} 3"
              },
              {
                "name": "Atom",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 22835
          },
          {
            "timestamp": "2026-05-28 22:02:34,725",
            "thread_id": "1276",
            "caller": "0x7ff6c28d9322",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "oleaut32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc77330000"
              }
            ],
            "repeated": 0,
            "id": 22836
          },
          {
            "timestamp": "2026-05-28 22:02:34,725",
            "thread_id": "5448",
            "caller": "0x7ff6c28bb952",
            "parentcaller": "0x7ff6c28be837",
            "category": "windows",
            "api": "PostMessageW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "WindowHandle",
                "value": "0x00010402"
              },
              {
                "name": "Message",
                "value": "0x00000464"
              }
            ],
            "repeated": 0,
            "id": 22837
          },
          {
            "timestamp": "2026-05-28 22:02:34,725",
            "thread_id": "5448",
            "caller": "0x7ff6c28bd9af",
            "parentcaller": "0x7ff6c28d9f92",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "23"
              },
              {
                "name": "ThreadInformation",
                "value": "\\xd2\\xb8\\xdbg\\x00\\x00\\x00\\x00\\xc4\\xe2z\\x0b_\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "5448"
              }
            ],
            "repeated": 0,
            "id": 22838
          },
          {
            "timestamp": "2026-05-28 22:02:34,725",
            "thread_id": "5448",
            "caller": "0x7ff6c28c63dd",
            "parentcaller": "0x7ff6c28bac26",
            "category": "misc",
            "api": "NtQuerySystemInformation",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SystemInformationClass",
                "value": "5",
                "pretty_value": "FILE_OVERWRITE_IF"
              }
            ],
            "repeated": 0,
            "id": 22839
          },
          {
            "timestamp": "2026-05-28 22:02:34,725",
            "thread_id": "5448",
            "caller": "0x7ff6c28bda50",
            "parentcaller": "0x7ff6c28d9f92",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "23"
              },
              {
                "name": "ThreadInformation",
                "value": "\\xf6M!h\\x00\\x00\\x00\\x00\\xbe\\xac\\xc5\\x0b_\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "5448"
              }
            ],
            "repeated": 0,
            "id": 22840
          },
          {
            "timestamp": "2026-05-28 22:02:34,725",
            "thread_id": "5448",
            "caller": "0x7ff6c28bdaa2",
            "parentcaller": "0x7ff6c28d9f92",
            "category": "misc",
            "api": "NtQuerySystemInformation",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SystemInformationClass",
                "value": "3",
                "pretty_value": "FILE_OPEN_IF"
              }
            ],
            "repeated": 0,
            "id": 22841
          },
          {
            "timestamp": "2026-05-28 22:02:34,725",
            "thread_id": "5448",
            "caller": "0x7ff6c28c4a58",
            "parentcaller": "0x7ff6c28c4bdc",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000410"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\PcwDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00224013"
              },
              {
                "name": "InputBuffer",
                "value": "\\x14\\x04\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": "\\xb8\\x01\\x00\\x00\\x10\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xa8\\x01\\x00\\x00 \\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x000\\x00\\x00\\x0c\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00`\\x00\\x00\\x00\\x00\\x00\\x00\\x00 \\x00\\x00\\x00\\x04\\x00\\x00\\x000\\x00,\\x000\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x04\\x00\\x08\\x00V!\\x83\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x05\\x00\\x08\\x00\\xee\\xc4\\xaa\\x01\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x1a\\x00\\x08\\x00[\\xf0\\xf3\\xe5\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x1b\\x00\\x04\\x00\\xd5\\xf6\\xeb\\x03\\x00\\x00\\x00\\x00`\\x00\\x00\\x00\\x01\\x00\\x00\\x00 \\x00\\x00\\x00\\x04\\x00\\x00\\x000\\x00,\\x001\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x04\\x00\\x08\\x00F\\xf0T\\x01\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x05\\x00\\x08\\x00T\\xea*\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x1a\\x00\\x08\\x00.\\x18`\\xeb\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x1b\\x00\\x04\\x00\\xdb\\xf6\\xeb\\x03\\x00\\x00\\x00\\x00h\\x00\\x00\\x00\\x02\\x00\\x00\\x00(\\x00\\x00\\x00\\x04\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 22842
          },
          {
            "timestamp": "2026-05-28 22:02:34,725",
            "thread_id": "5448",
            "caller": "0x7ff6c28c4a58",
            "parentcaller": "0x7ff6c28c4c19",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000410"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\PcwDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00224013"
              },
              {
                "name": "InputBuffer",
                "value": "\\x18\\x04\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": "x\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00h\\x00\\x00\\x00 \\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00H\\x00\\x00\\x00\\x00\\x00\\x00\\x00(\\x00\\x00\\x00\\x02\\x00\\x00\\x00d\\x00e\\x00f\\x00a\\x00u\\x00l\\x00t\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x08\\x00\\x1b\\xa8\\xe9\\xa0\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x01\\x00\\x08\\x00\\x00\\x8a\\x85\r\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 22843
          },
          {
            "timestamp": "2026-05-28 22:02:34,725",
            "thread_id": "5448",
            "caller": "0x7ff6c28c6f7b",
            "parentcaller": "0x7ff6c28bdb94",
            "category": "misc",
            "api": "GlobalMemoryStatusEx",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "MemoryLoad",
                "value": "36"
              },
              {
                "name": "TotalPhysicalMB",
                "value": "8191"
              }
            ],
            "repeated": 0,
            "id": 22844
          },
          {
            "timestamp": "2026-05-28 22:02:34,725",
            "thread_id": "5448",
            "caller": "0x7ff6c28c05ac",
            "parentcaller": "0x7ff6c28bdc11",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000ab0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001400",
                "pretty_value": "PROCESS_QUERY_INFORMATION|PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "748"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe"
              }
            ],
            "repeated": 0,
            "id": 22845
          },
          {
            "timestamp": "2026-05-28 22:02:34,725",
            "thread_id": "5448",
            "caller": "0x7ff6c28c068f",
            "parentcaller": "0x7ff6c28bdc11",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000ab0"
              }
            ],
            "repeated": 0,
            "id": 22846
          },
          {
            "timestamp": "2026-05-28 22:02:34,725",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c6d7d",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000ab0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001400",
                "pretty_value": "PROCESS_QUERY_INFORMATION|PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "748"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe"
              }
            ],
            "repeated": 0,
            "id": 22847
          },
          {
            "timestamp": "2026-05-28 22:02:34,725",
            "thread_id": "5448",
            "caller": "0x7ff6c28c6de3",
            "parentcaller": "0x7ff6c28c087c",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000ab0"
              }
            ],
            "repeated": 0,
            "id": 22848
          },
          {
            "timestamp": "2026-05-28 22:02:34,725",
            "thread_id": "5448",
            "caller": "0x7ff6c28c05ac",
            "parentcaller": "0x7ff6c28bdc11",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000ab0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001400",
                "pretty_value": "PROCESS_QUERY_INFORMATION|PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "5484"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe"
              }
            ],
            "repeated": 0,
            "id": 22849
          },
          {
            "timestamp": "2026-05-28 22:02:34,725",
            "thread_id": "5448",
            "caller": "0x7ff6c28c068f",
            "parentcaller": "0x7ff6c28bdc11",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000ab0"
              }
            ],
            "repeated": 0,
            "id": 22850
          },
          {
            "timestamp": "2026-05-28 22:02:34,725",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c6d7d",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000ab0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001400",
                "pretty_value": "PROCESS_QUERY_INFORMATION|PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "5484"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe"
              }
            ],
            "repeated": 0,
            "id": 22851
          },
          {
            "timestamp": "2026-05-28 22:02:34,725",
            "thread_id": "5448",
            "caller": "0x7ff6c28c6de3",
            "parentcaller": "0x7ff6c28c087c",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000ab0"
              }
            ],
            "repeated": 0,
            "id": 22852
          },
          {
            "timestamp": "2026-05-28 22:02:34,725",
            "thread_id": "608",
            "caller": "0x7ff6c28d9e90",
            "parentcaller": "0x7ff6c28d9a49",
            "category": "windows",
            "api": "FindWindowW",
            "status": true,
            "return": "0x00010092",
            "arguments": [
              {
                "name": "ClassName",
                "value": "Shell_TrayWnd"
              },
              {
                "name": "WindowName",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 22853
          },
          {
            "timestamp": "2026-05-28 22:02:34,725",
            "thread_id": "2700",
            "caller": "0x7ff6c28d9214",
            "parentcaller": "0x00000000",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "0",
                "pretty_value": "ThreadBasicInformation"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x03\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xd0\\x86\\x9d\\xf0\\x00\\x00\\x00\\xe8\\x1e\\x00\\x00\\x00\\x00\\x00\\x00\\x8c\n\\x00\\x00\\x00\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x0b\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "2700"
              }
            ],
            "repeated": 0,
            "id": 22854
          },
          {
            "timestamp": "2026-05-28 22:02:34,725",
            "thread_id": "2700",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000000",
                "pretty_value": "HKEY_CLASSES_ROOT"
              },
              {
                "name": "SubKey",
                "value": "CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_CLASSES_ROOT\\CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              }
            ],
            "repeated": 0,
            "id": 22855
          },
          {
            "timestamp": "2026-05-28 22:02:34,725",
            "thread_id": "2700",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "shell32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76730000"
              }
            ],
            "repeated": 0,
            "id": 22856
          },
          {
            "timestamp": "2026-05-28 22:02:34,725",
            "thread_id": "2700",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x7ffc76730000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "shell32.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 22857
          },
          {
            "timestamp": "2026-05-28 22:02:34,725",
            "thread_id": "2700",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "SHELL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc76730000"
              },
              {
                "name": "FunctionName",
                "value": "DllGetClassObject"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc767878f0"
              }
            ],
            "repeated": 0,
            "id": 22858
          },
          {
            "timestamp": "2026-05-28 22:02:34,725",
            "thread_id": "2700",
            "caller": "0x7ff6c28c27c9",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "synchronization",
            "api": "NtFindAtom",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "AtomName",
                "value": "{57086C23-86C6-478F-AFB2-236188C8F47F} 3"
              },
              {
                "name": "Atom",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 22859
          },
          {
            "timestamp": "2026-05-28 22:02:34,725",
            "thread_id": "2700",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000000",
                "pretty_value": "HKEY_CLASSES_ROOT"
              },
              {
                "name": "SubKey",
                "value": "CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_CLASSES_ROOT\\CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              }
            ],
            "repeated": 0,
            "id": 22860
          },
          {
            "timestamp": "2026-05-28 22:02:34,725",
            "thread_id": "2700",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "shell32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76730000"
              }
            ],
            "repeated": 0,
            "id": 22861
          },
          {
            "timestamp": "2026-05-28 22:02:34,725",
            "thread_id": "2700",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x7ffc76730000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "shell32.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 22862
          },
          {
            "timestamp": "2026-05-28 22:02:34,725",
            "thread_id": "2700",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "SHELL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc76730000"
              },
              {
                "name": "FunctionName",
                "value": "DllGetClassObject"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc767878f0"
              }
            ],
            "repeated": 0,
            "id": 22863
          },
          {
            "timestamp": "2026-05-28 22:02:34,725",
            "thread_id": "2700",
            "caller": "0x7ff6c28c27c9",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "synchronization",
            "api": "NtFindAtom",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "AtomName",
                "value": "{57086C23-86C6-478F-AFB2-236188C8F47F} 3"
              },
              {
                "name": "Atom",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 22864
          },
          {
            "timestamp": "2026-05-28 22:02:34,725",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6fb1",
            "parentcaller": "0x7ff6c28e0076",
            "category": "system",
            "api": "NtDelayExecution",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 22865
          },
          {
            "timestamp": "2026-05-28 22:02:34,725",
            "thread_id": "1004",
            "caller": "0x00000000",
            "parentcaller": "0x00000000",
            "category": "windows",
            "api": "PostMessageW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "WindowHandle",
                "value": "0x00010438"
              },
              {
                "name": "Message",
                "value": "0x00000400"
              }
            ],
            "repeated": 0,
            "id": 22866
          },
          {
            "timestamp": "2026-05-28 22:02:34,725",
            "thread_id": "2700",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000000",
                "pretty_value": "HKEY_CLASSES_ROOT"
              },
              {
                "name": "SubKey",
                "value": "CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_CLASSES_ROOT\\CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              }
            ],
            "repeated": 0,
            "id": 22867
          },
          {
            "timestamp": "2026-05-28 22:02:34,725",
            "thread_id": "2700",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "shell32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76730000"
              }
            ],
            "repeated": 0,
            "id": 22868
          },
          {
            "timestamp": "2026-05-28 22:02:34,725",
            "thread_id": "2700",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x7ffc76730000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "shell32.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 22869
          },
          {
            "timestamp": "2026-05-28 22:02:34,725",
            "thread_id": "2700",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "SHELL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc76730000"
              },
              {
                "name": "FunctionName",
                "value": "DllGetClassObject"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc767878f0"
              }
            ],
            "repeated": 0,
            "id": 22870
          },
          {
            "timestamp": "2026-05-28 22:02:34,725",
            "thread_id": "2700",
            "caller": "0x7ff6c28c27c9",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "synchronization",
            "api": "NtFindAtom",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "AtomName",
                "value": "{57086C23-86C6-478F-AFB2-236188C8F47F} 3"
              },
              {
                "name": "Atom",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 22871
          },
          {
            "timestamp": "2026-05-28 22:02:34,740",
            "thread_id": "2700",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000000",
                "pretty_value": "HKEY_CLASSES_ROOT"
              },
              {
                "name": "SubKey",
                "value": "CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_CLASSES_ROOT\\CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              }
            ],
            "repeated": 0,
            "id": 22872
          },
          {
            "timestamp": "2026-05-28 22:02:34,740",
            "thread_id": "2700",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "shell32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76730000"
              }
            ],
            "repeated": 0,
            "id": 22873
          },
          {
            "timestamp": "2026-05-28 22:02:34,740",
            "thread_id": "2700",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x7ffc76730000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "shell32.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 22874
          },
          {
            "timestamp": "2026-05-28 22:02:34,740",
            "thread_id": "2700",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "SHELL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc76730000"
              },
              {
                "name": "FunctionName",
                "value": "DllGetClassObject"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc767878f0"
              }
            ],
            "repeated": 0,
            "id": 22875
          },
          {
            "timestamp": "2026-05-28 22:02:34,740",
            "thread_id": "2700",
            "caller": "0x7ff6c28c27c9",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "synchronization",
            "api": "NtFindAtom",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "AtomName",
                "value": "{57086C23-86C6-478F-AFB2-236188C8F47F} 3"
              },
              {
                "name": "Atom",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 22876
          },
          {
            "timestamp": "2026-05-28 22:02:34,740",
            "thread_id": "2700",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000000",
                "pretty_value": "HKEY_CLASSES_ROOT"
              },
              {
                "name": "SubKey",
                "value": "CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_CLASSES_ROOT\\CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              }
            ],
            "repeated": 0,
            "id": 22877
          },
          {
            "timestamp": "2026-05-28 22:02:34,740",
            "thread_id": "2700",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "shell32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76730000"
              }
            ],
            "repeated": 0,
            "id": 22878
          },
          {
            "timestamp": "2026-05-28 22:02:34,740",
            "thread_id": "2700",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x7ffc76730000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "shell32.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 22879
          },
          {
            "timestamp": "2026-05-28 22:02:34,740",
            "thread_id": "2700",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "SHELL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc76730000"
              },
              {
                "name": "FunctionName",
                "value": "DllGetClassObject"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc767878f0"
              }
            ],
            "repeated": 0,
            "id": 22880
          },
          {
            "timestamp": "2026-05-28 22:02:34,740",
            "thread_id": "2700",
            "caller": "0x7ff6c28c27c9",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "synchronization",
            "api": "NtFindAtom",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "AtomName",
                "value": "{57086C23-86C6-478F-AFB2-236188C8F47F} 3"
              },
              {
                "name": "Atom",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 22881
          },
          {
            "timestamp": "2026-05-28 22:02:34,740",
            "thread_id": "2700",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000000",
                "pretty_value": "HKEY_CLASSES_ROOT"
              },
              {
                "name": "SubKey",
                "value": "CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_CLASSES_ROOT\\CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              }
            ],
            "repeated": 0,
            "id": 22882
          },
          {
            "timestamp": "2026-05-28 22:02:34,740",
            "thread_id": "2700",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "shell32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76730000"
              }
            ],
            "repeated": 0,
            "id": 22883
          },
          {
            "timestamp": "2026-05-28 22:02:34,740",
            "thread_id": "2700",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x7ffc76730000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "shell32.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 22884
          },
          {
            "timestamp": "2026-05-28 22:02:34,740",
            "thread_id": "2700",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "SHELL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc76730000"
              },
              {
                "name": "FunctionName",
                "value": "DllGetClassObject"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc767878f0"
              }
            ],
            "repeated": 0,
            "id": 22885
          },
          {
            "timestamp": "2026-05-28 22:02:34,740",
            "thread_id": "2700",
            "caller": "0x7ff6c28c27c9",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "synchronization",
            "api": "NtFindAtom",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "AtomName",
                "value": "{57086C23-86C6-478F-AFB2-236188C8F47F} 3"
              },
              {
                "name": "Atom",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 22886
          },
          {
            "timestamp": "2026-05-28 22:02:34,740",
            "thread_id": "2700",
            "caller": "0x7ff6c28d9322",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "oleaut32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc77330000"
              }
            ],
            "repeated": 0,
            "id": 22887
          },
          {
            "timestamp": "2026-05-28 22:02:34,740",
            "thread_id": "5448",
            "caller": "0x7ff6c28bb952",
            "parentcaller": "0x7ff6c28be837",
            "category": "windows",
            "api": "PostMessageW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "WindowHandle",
                "value": "0x00010402"
              },
              {
                "name": "Message",
                "value": "0x00000464"
              }
            ],
            "repeated": 0,
            "id": 22888
          },
          {
            "timestamp": "2026-05-28 22:02:34,740",
            "thread_id": "608",
            "caller": "0x7ff6c28d9e90",
            "parentcaller": "0x7ff6c28d9a49",
            "category": "windows",
            "api": "FindWindowW",
            "status": true,
            "return": "0x00010092",
            "arguments": [
              {
                "name": "ClassName",
                "value": "Shell_TrayWnd"
              },
              {
                "name": "WindowName",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 22889
          },
          {
            "timestamp": "2026-05-28 22:02:34,740",
            "thread_id": "1004",
            "caller": "0x7ffc77bf0e98",
            "parentcaller": "0x7ffc77c6b785",
            "category": "windows",
            "api": "PostMessageW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "WindowHandle",
                "value": "0x00010438"
              },
              {
                "name": "Message",
                "value": "0x00000400"
              }
            ],
            "repeated": 0,
            "id": 22890
          },
          {
            "timestamp": "2026-05-28 22:02:35,146",
            "thread_id": "1004",
            "caller": "0x7ffc77bf0e98",
            "parentcaller": "0x7ffc77c6b785",
            "category": "windows",
            "api": "PostMessageW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "WindowHandle",
                "value": "0x00010424"
              },
              {
                "name": "Message",
                "value": "0x00000400"
              }
            ],
            "repeated": 0,
            "id": 22891
          },
          {
            "timestamp": "2026-05-28 22:02:35,459",
            "thread_id": "5448",
            "caller": "0x7ff6c28bd9af",
            "parentcaller": "0x7ff6c28d9f92",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "23"
              },
              {
                "name": "ThreadInformation",
                "value": "\"\\x8cEh\\x00\\x00\\x00\\x00Vl\\x15\\xab_\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "5448"
              }
            ],
            "repeated": 0,
            "id": 22892
          },
          {
            "timestamp": "2026-05-28 22:02:35,459",
            "thread_id": "5448",
            "caller": "0x7ff6c28c63dd",
            "parentcaller": "0x7ff6c28bac26",
            "category": "misc",
            "api": "NtQuerySystemInformation",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SystemInformationClass",
                "value": "5",
                "pretty_value": "FILE_OVERWRITE_IF"
              }
            ],
            "repeated": 0,
            "id": 22893
          },
          {
            "timestamp": "2026-05-28 22:02:35,459",
            "thread_id": "5448",
            "caller": "0x7ff6c28bda50",
            "parentcaller": "0x7ff6c28d9f92",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "23"
              },
              {
                "name": "ThreadInformation",
                "value": "\\xe6\t\\x85h\\x00\\x00\\x00\\x00\\xc6\\x9bX\\xab_\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "5448"
              }
            ],
            "repeated": 0,
            "id": 22894
          },
          {
            "timestamp": "2026-05-28 22:02:35,459",
            "thread_id": "5448",
            "caller": "0x7ff6c28bdaa2",
            "parentcaller": "0x7ff6c28d9f92",
            "category": "misc",
            "api": "NtQuerySystemInformation",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SystemInformationClass",
                "value": "3",
                "pretty_value": "FILE_OPEN_IF"
              }
            ],
            "repeated": 0,
            "id": 22895
          },
          {
            "timestamp": "2026-05-28 22:02:35,459",
            "thread_id": "5448",
            "caller": "0x7ff6c28c4a58",
            "parentcaller": "0x7ff6c28c4bdc",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000410"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\PcwDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00224013"
              },
              {
                "name": "InputBuffer",
                "value": "\\x14\\x04\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": "\\xb8\\x01\\x00\\x00\\x10\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xa8\\x01\\x00\\x00 \\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x000\\x00\\x00\\x0c\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00`\\x00\\x00\\x00\\x00\\x00\\x00\\x00 \\x00\\x00\\x00\\x04\\x00\\x00\\x000\\x00,\\x000\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x04\\x00\\x08\\x00V!\\x83\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x05\\x00\\x08\\x00\\xee\\xc4\\xaa\\x01\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x1a\\x00\\x08\\x00\\x05\\x89\\xa8\\xe8\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x1b\\x00\\x04\\x00\\xe1\\xe3\\xf2\\x03\\x00\\x00\\x00\\x00`\\x00\\x00\\x00\\x01\\x00\\x00\\x00 \\x00\\x00\\x00\\x04\\x00\\x00\\x000\\x00,\\x001\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x04\\x00\\x08\\x00F\\xf0T\\x01\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x05\\x00\\x08\\x00T\\xea*\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x1a\\x00\\x08\\x00\\x80\\xb0\\x14\\xee\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x1b\\x00\\x04\\x00\\xe6\\xe3\\xf2\\x03\\x00\\x00\\x00\\x00h\\x00\\x00\\x00\\x02\\x00\\x00\\x00(\\x00\\x00\\x00\\x04\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 22896
          },
          {
            "timestamp": "2026-05-28 22:02:35,459",
            "thread_id": "5448",
            "caller": "0x7ff6c28c4a58",
            "parentcaller": "0x7ff6c28c4c19",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000410"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\PcwDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00224013"
              },
              {
                "name": "InputBuffer",
                "value": "\\x18\\x04\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": "x\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00h\\x00\\x00\\x00 \\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00H\\x00\\x00\\x00\\x00\\x00\\x00\\x00(\\x00\\x00\\x00\\x02\\x00\\x00\\x00d\\x00e\\x00f\\x00a\\x00u\\x00l\\x00t\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x08\\x00\\x1b\\xaa\\xe9\\xa0\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x01\\x00\\x08\\x00\\x00\\x8c\\x95\r\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 22897
          },
          {
            "timestamp": "2026-05-28 22:02:35,459",
            "thread_id": "5448",
            "caller": "0x7ff6c28c6f7b",
            "parentcaller": "0x7ff6c28bdb94",
            "category": "misc",
            "api": "GlobalMemoryStatusEx",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "MemoryLoad",
                "value": "36"
              },
              {
                "name": "TotalPhysicalMB",
                "value": "8191"
              }
            ],
            "repeated": 0,
            "id": 22898
          },
          {
            "timestamp": "2026-05-28 22:02:35,459",
            "thread_id": "5448",
            "caller": "0x7ff6c28c05ac",
            "parentcaller": "0x7ff6c28bdc11",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000ab0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001400",
                "pretty_value": "PROCESS_QUERY_INFORMATION|PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "748"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe"
              }
            ],
            "repeated": 0,
            "id": 22899
          },
          {
            "timestamp": "2026-05-28 22:02:35,459",
            "thread_id": "5448",
            "caller": "0x7ff6c28c068f",
            "parentcaller": "0x7ff6c28bdc11",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000ab0"
              }
            ],
            "repeated": 0,
            "id": 22900
          },
          {
            "timestamp": "2026-05-28 22:02:35,459",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c6d7d",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000ab0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001400",
                "pretty_value": "PROCESS_QUERY_INFORMATION|PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "748"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe"
              }
            ],
            "repeated": 0,
            "id": 22901
          },
          {
            "timestamp": "2026-05-28 22:02:35,459",
            "thread_id": "5448",
            "caller": "0x7ff6c28c6de3",
            "parentcaller": "0x7ff6c28c087c",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000ab0"
              }
            ],
            "repeated": 0,
            "id": 22902
          },
          {
            "timestamp": "2026-05-28 22:02:35,459",
            "thread_id": "5448",
            "caller": "0x7ff6c28c05ac",
            "parentcaller": "0x7ff6c28bdc11",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000ab0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001400",
                "pretty_value": "PROCESS_QUERY_INFORMATION|PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "5484"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe"
              }
            ],
            "repeated": 0,
            "id": 22903
          },
          {
            "timestamp": "2026-05-28 22:02:35,459",
            "thread_id": "5448",
            "caller": "0x7ff6c28c068f",
            "parentcaller": "0x7ff6c28bdc11",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000ab0"
              }
            ],
            "repeated": 0,
            "id": 22904
          },
          {
            "timestamp": "2026-05-28 22:02:35,459",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c3e56",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000ab0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001000",
                "pretty_value": "PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "5484"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe"
              }
            ],
            "repeated": 0,
            "id": 22905
          },
          {
            "timestamp": "2026-05-28 22:02:35,459",
            "thread_id": "5448",
            "caller": "0x7ff6c28c3ebb",
            "parentcaller": "0x7ff6c28c2d53",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000ab0"
              }
            ],
            "repeated": 0,
            "id": 22906
          },
          {
            "timestamp": "2026-05-28 22:02:35,459",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c3ffc",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000ab0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001000",
                "pretty_value": "PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "5484"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe"
              }
            ],
            "repeated": 0,
            "id": 22907
          },
          {
            "timestamp": "2026-05-28 22:02:35,459",
            "thread_id": "5448",
            "caller": "0x7ff6c28c4224",
            "parentcaller": "0x7ff6c28c2da5",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000ab0"
              }
            ],
            "repeated": 0,
            "id": 22908
          },
          {
            "timestamp": "2026-05-28 22:02:35,459",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x292514f0002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 22909
          },
          {
            "timestamp": "2026-05-28 22:02:35,459",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x292514f0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00505000"
              }
            ],
            "repeated": 0,
            "id": 22910
          },
          {
            "timestamp": "2026-05-28 22:02:35,459",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x292514f0002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 22911
          },
          {
            "timestamp": "2026-05-28 22:02:35,459",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x292514f0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00505000"
              }
            ],
            "repeated": 0,
            "id": 22912
          },
          {
            "timestamp": "2026-05-28 22:02:35,459",
            "thread_id": "5448",
            "caller": "0x7ff6c28c3b16",
            "parentcaller": "0x7ff6c28c30e8",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000ab0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000400",
                "pretty_value": "PROCESS_QUERY_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "5484"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe"
              }
            ],
            "repeated": 0,
            "id": 22913
          },
          {
            "timestamp": "2026-05-28 22:02:35,459",
            "thread_id": "5448",
            "caller": "0x7ff6c28c3b8f",
            "parentcaller": "0x7ff6c28c30e8",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000ab0"
              }
            ],
            "repeated": 0,
            "id": 22914
          },
          {
            "timestamp": "2026-05-28 22:02:35,459",
            "thread_id": "8604",
            "caller": "0x7ff6c28c4a58",
            "parentcaller": "0x7ff6c28bab11",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000410"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\PcwDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00224013"
              },
              {
                "name": "InputBuffer",
                "value": "\\x88\\x08\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": "x\\x02\\x00\\x00\\x10\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00h\\x02\\x00\\x00 \\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01<\\x06\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x90\\x00\\x00\\x00\\x00\\x00\\x00\\x00 \\x00\\x00\\x00\\x07\\x00\\x00\\x000\\x00,\\x000\\x00\\x00\\x00a\\x00n\\x00a\\x00g\\x00\\x10\\x00\\x00\\x00\\x10\\x00\\x04\\x00\\x00\\x00\\x00\\x00A\\x00p\\x00\\x10\\x00\\x00\\x00\\x1a\\x00\\x08\\x00)X\\xa7\\xe8\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x1b\\x00\\x04\\x00\\xd4\\xe0\\xf2\\x03S\\x00e\\x00\\x10\\x00\\x00\\x00\\x1c\\x00\\x08\\x00\\x8b\\xc2\\xc4\\x08\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x1d\\x00\\x04\\x00\\xd4\\xe0\\xf2\\x03)\\x00\\x00\\x00\\x10\\x00\\x00\\x00!\\x00\\x08\\x00!o\\x9d\\x7f!\\x00\\x00\\x00\\x10\\x00\\x00\\x00\"\\x00\\x04\\x00\\xec\\x97S\\x02o\\x00f\\x00\\x90\\x00\\x00\\x00\\x01\\x00\\x00\\x00 \\x00\\x00\\x00\\x07\\x00\\x00\\x000\\x00,\\x001\\x00\\x00\\x00n\\x00t\\x00\\x00\\x00A\\x00\\x10\\x00\\x00\\x00\\x10\\x00\\x04\\x00\\x00\\x00\\x00\\x00e\\x00n\\x00\\x10\\x00\\x00\\x00\\x1a\\x00\\x08\\x00\\xbd\\xf0\\x15\\xee\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 22915
          },
          {
            "timestamp": "2026-05-28 22:02:35,459",
            "thread_id": "8604",
            "caller": "0x7ff6c28c7164",
            "parentcaller": "0x7ff6c28c4d2d",
            "category": "misc",
            "api": "NtQuerySystemInformation",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "SystemInformationClass",
                "value": "79"
              }
            ],
            "repeated": 0,
            "id": 22916
          },
          {
            "timestamp": "2026-05-28 22:02:35,459",
            "thread_id": "8604",
            "caller": "0x7ff6c28c71d8",
            "parentcaller": "0x7ff6c28c4d2d",
            "category": "misc",
            "api": "NtQuerySystemInformation",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SystemInformationClass",
                "value": "79"
              }
            ],
            "repeated": 0,
            "id": 22917
          },
          {
            "timestamp": "2026-05-28 22:02:35,459",
            "thread_id": "8604",
            "caller": "0x7ff6c28c4d5f",
            "parentcaller": "0x7ff6c28d9152",
            "category": "misc",
            "api": "NtQuerySystemInformation",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SystemInformationClass",
                "value": "182"
              }
            ],
            "repeated": 0,
            "id": 22918
          },
          {
            "timestamp": "2026-05-28 22:02:35,459",
            "thread_id": "8604",
            "caller": "0x7ff6c28c4d76",
            "parentcaller": "0x7ff6c28d9152",
            "category": "misc",
            "api": "GetPhysicallyInstalledSystemMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TotalMemoryInKilobytes",
                "value": "8388608"
              }
            ],
            "repeated": 0,
            "id": 22919
          },
          {
            "timestamp": "2026-05-28 22:02:35,459",
            "thread_id": "8604",
            "caller": "0x7ff6c28bcc3e",
            "parentcaller": "0x7ff6c28baa3d",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000008a4"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\Nsi"
              },
              {
                "name": "IoControlCode",
                "value": "0x00120007"
              },
              {
                "name": "InputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb1\\xa9t\\xfc\\x7f\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xc0\\xe5O\\x9e\\xf0\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb1\\xa9t\\xfc\\x7f\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xc0\\xe5O\\x9e\\xf0\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 22920
          },
          {
            "timestamp": "2026-05-28 22:02:35,459",
            "thread_id": "8604",
            "caller": "0x7ff6c28bcc3e",
            "parentcaller": "0x7ff6c28baa3d",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a84"
              }
            ],
            "repeated": 0,
            "id": 22921
          },
          {
            "timestamp": "2026-05-28 22:02:35,459",
            "thread_id": "8604",
            "caller": "0x7ff6c28bcc3e",
            "parentcaller": "0x7ff6c28baa3d",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000008a4"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\Nsi"
              },
              {
                "name": "IoControlCode",
                "value": "0x0012000f"
              },
              {
                "name": "InputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb1\\xa9t\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xd0\\xe5O\\x9e\\xf0\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\xeeO\\x9e\\xf0\\x00\\x00\\x00D\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xe6O\\x9e\\xf0\\x00\\x00\\x00\\xd8\\x00\\x00\\x00\\x00\\x00\\x00\\x00 \\xe9O\\x9e\\xf0\\x00\\x00\\x00X\\x02\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb1\\xa9t\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xd0\\xe5O\\x9e\\xf0\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\xeeO\\x9e\\xf0\\x00\\x00\\x00D\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xe6O\\x9e\\xf0\\x00\\x00\\x00\\xd8\\x00\\x00\\x00\\x00\\x00\\x00\\x00 \\xe9O\\x9e\\xf0\\x00\\x00\\x00X\\x02\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 22922
          },
          {
            "timestamp": "2026-05-28 22:02:35,459",
            "thread_id": "8604",
            "caller": "0x7ff6c28bcc3e",
            "parentcaller": "0x7ff6c28baa3d",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a84"
              }
            ],
            "repeated": 0,
            "id": 22923
          },
          {
            "timestamp": "2026-05-28 22:02:35,459",
            "thread_id": "8604",
            "caller": "0x7ff6c28bcd3d",
            "parentcaller": "0x7ff6c28baa3d",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000a84"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0012019f",
                "pretty_value": "FILE_GENERIC_READ|FILE_GENERIC_WRITE"
              },
              {
                "name": "FileName",
                "value": "\\Device\\{4C572733-2FBA-4346-9601-F86DBA666EF2}"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 22924
          },
          {
            "timestamp": "2026-05-28 22:02:35,459",
            "thread_id": "8604",
            "caller": "0x7ff6c28bcd94",
            "parentcaller": "0x7ff6c28baa3d",
            "category": "device",
            "api": "DeviceIoControl",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "DeviceHandle",
                "value": "0x00000a84"
              },
              {
                "name": "IoControlCode",
                "value": "0x0017003e"
              },
              {
                "name": "InBuffer",
                "value": "\\x07\\x01\\x01\\x00\\x04\\x01\\x01\\x80\\x14\\x01\\x01\\x80\\x01\\x01\\x02\\x00\\x02\\x01\\x02\\x00\\x03\\x01\\x02\\x00\\x04\\x01\\x02\\x00\\x08\\x02\\x02\\x80\\x01\\x02\\x02\\x80\\x07\\x02\\x02\\x80\\xff\\xff\\xff\\x80\\x13\\x02\\x02\\x80\\x14\\x02\\x02\\x80\\x15\\x02\\x02\\x80\\x02\\x02\\x01\\x80"
              },
              {
                "name": "OutBuffer",
                "value": "\\x07\\x01\\x01\\x00\\x04\\x00\\x00\\x00\\x80\\x96\\x98\\x00\\x04\\x01\\x01\\x80\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x14\\x01\\x01\\x80\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x01\\x02\\x00\\x08\\x00\\x00\\x00&\\x16\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x01\\x02\\x00\\x08\\x00\\x00\\x00+q\\x00\\x00\\x00\\x00\\x00\\x00\\x03\\x01\\x02\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x04\\x01\\x02\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x08\\x02\\x02\\x80\\x08\\x00\\x00\\x00&q\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x02\\x02\\x80\\x08\\x00\\x00\\x00BmZ\\x00\\x00\\x00\\x00\\x00\\x07\\x02\\x02\\x80\\x08\\x00\\x00\\x00?\\xa9@\\x02\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\x80\\x04\\x00\\x00\\x00e\\x00\\x00\\x00\\x13\\x02\\x02\\x80\\x04\\x00\\x00\\x00m\\x00\\x00\\x00\\x14\\x02\\x02\\x80\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x15\\x02\\x02\\x80\\x04\\x00\\x00\\x00\\x00\\x00\\x04\\x00\\x02\\x02\\x01\\x80\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 22925
          },
          {
            "timestamp": "2026-05-28 22:02:35,459",
            "thread_id": "8604",
            "caller": "0x7ff6c28bcdab",
            "parentcaller": "0x7ff6c28baa3d",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a84"
              }
            ],
            "repeated": 0,
            "id": 22926
          },
          {
            "timestamp": "2026-05-28 22:02:35,459",
            "thread_id": "8604",
            "caller": "0x7ff6c28c1a63",
            "parentcaller": "0x7ff6c28d9152",
            "category": "device",
            "api": "DeviceIoControl",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "DeviceHandle",
                "value": "0x0000089c"
              },
              {
                "name": "IoControlCode",
                "value": "0x00070020"
              },
              {
                "name": "InBuffer",
                "value": ""
              },
              {
                "name": "OutBuffer",
                "value": "\\x00\\xe0\\x03v\\x00\\x00\\x00\\x00\\x00\\x86\\xb7\\x0b\\x00\\x00\\x00\\x00y\\xc2\\x81 \\x00\\x00\\x00\\x00\\xd0\\xac+\\x15\\x00\\x00\\x00\\x00\\xb5\\x95)+\\x00\\x00\\x00\\x00Zv\\x00\\x00\\xe7\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\xd1\\x04\\x00\\x00\\x88\\x17\\xc4\\xb0\\xed\\xee\\xdc\\x01\\x00\\x00\\x00\\x00P\\x00a\\x00r\\x00t\\x00m\\x00g\\x00r\\x00 \\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 22927
          },
          {
            "timestamp": "2026-05-28 22:02:35,459",
            "thread_id": "8604",
            "caller": "0x7ff6c28ca352",
            "parentcaller": "0x7ff6c28ca1d6",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 22928
          },
          {
            "timestamp": "2026-05-28 22:02:35,459",
            "thread_id": "8604",
            "caller": "0x7ff6c28ca352",
            "parentcaller": "0x7ff6c28ca1d6",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "0",
                "pretty_value": "ThreadBasicInformation"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x03\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb0\\x88\\x9d\\xf0\\x00\\x00\\x00\\xe8\\x1e\\x00\\x00\\x00\\x00\\x00\\x00\\x9c!\\x00\\x00\\x00\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x0b\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "8604"
              }
            ],
            "repeated": 0,
            "id": 22929
          },
          {
            "timestamp": "2026-05-28 22:02:35,459",
            "thread_id": "8604",
            "caller": "0x7ff6c28ca352",
            "parentcaller": "0x7ff6c28ca1d6",
            "category": "system",
            "api": "GetSystemTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 1,
            "id": 22930
          },
          {
            "timestamp": "2026-05-28 22:02:35,459",
            "thread_id": "8604",
            "caller": "0x7ff6c28ca352",
            "parentcaller": "0x7ff6c28ca1d6",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000410"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\PcwDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00224013"
              },
              {
                "name": "InputBuffer",
                "value": "\\x00\t\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": "\\xe0G\\x00\\x00\\x10\\x00\\x00\\x00\\x0c\\x00\\x00\\x00\\x00\\x00\\x00\\x00`\\x14\\x00\\x00 \\x00\\x00\\x00!\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\n\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x98\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x88\\x00\\x00\\x00\\x01\\x00\\x00\\x00p\\x00i\\x00d\\x00_\\x004\\x00_\\x00l\\x00u\\x00i\\x00d\\x00_\\x000\\x00x\\x000\\x000\\x000\\x000\\x000\\x000\\x000\\x000\\x00_\\x000\\x00x\\x000\\x000\\x000\\x000\\x006\\x001\\x006\\x00A\\x00_\\x00p\\x00h\\x00y\\x00s\\x00_\\x000\\x00_\\x00e\\x00n\\x00g\\x00_\\x000\\x00_\\x00e\\x00n\\x00g\\x00t\\x00y\\x00p\\x00e\\x00_\\x003\\x00D\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x01\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x98\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x88\\x00\\x00\\x00\\x01\\x00\\x00\\x00p\\x00i\\x00d\\x00_\\x004\\x00_\\x00l\\x00u\\x00i\\x00d\\x00_\\x000\\x00x\\x000\\x000\\x000\\x000\\x000\\x000\\x000\\x00"
              }
            ],
            "repeated": 0,
            "id": 22931
          },
          {
            "timestamp": "2026-05-28 22:02:35,459",
            "thread_id": "8604",
            "caller": "0x7ff6c28f9829",
            "parentcaller": "0x7ff6c28d8f00",
            "category": "windows",
            "api": "PostMessageW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "WindowHandle",
                "value": "0x000203fa"
              },
              {
                "name": "Message",
                "value": "0x000004e1"
              }
            ],
            "repeated": 0,
            "id": 22932
          },
          {
            "timestamp": "2026-05-28 22:02:35,459",
            "thread_id": "1496",
            "caller": "0x7ff6c2958576",
            "parentcaller": "0x7ff6c2957a42",
            "category": "misc",
            "api": "NtQuerySystemInformation",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SystemInformationClass",
                "value": "3",
                "pretty_value": "SystemTimeOfDayInformation"
              }
            ],
            "repeated": 0,
            "id": 22933
          },
          {
            "timestamp": "2026-05-28 22:02:35,459",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6f98",
            "parentcaller": "0x7ff6c28e0076",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x292557c5000"
              },
              {
                "name": "RegionSize",
                "value": "0x00002000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 22934
          },
          {
            "timestamp": "2026-05-28 22:02:35,506",
            "thread_id": "1004",
            "caller": "0x7ffc77bf0e98",
            "parentcaller": "0x7ffc77c6b785",
            "category": "windows",
            "api": "PostMessageW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "WindowHandle",
                "value": "0x00010424"
              },
              {
                "name": "Message",
                "value": "0x00000400"
              }
            ],
            "repeated": 0,
            "id": 22935
          },
          {
            "timestamp": "2026-05-28 22:02:35,725",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c38f8",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000ab0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001410",
                "pretty_value": "PROCESS_VM_READ|PROCESS_QUERY_INFORMATION|PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "5484"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe"
              }
            ],
            "repeated": 0,
            "id": 22936
          },
          {
            "timestamp": "2026-05-28 22:02:35,725",
            "thread_id": "5448",
            "caller": "0x7ff6c28c53e5",
            "parentcaller": "0x7ff6c28c3945",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000ab0"
              },
              {
                "name": "BaseAddress",
                "value": "0xcf94360000"
              },
              {
                "name": "Size",
                "value": "0x000007c8"
              },
              {
                "name": "Buffer",
                "value": "\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00u4\\xf7\\x7f\\x00\\x00\\xc0\\xc4\\x13x\\xfc\\x7f\\x00\\x00\\xf06@\\xee_\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\"\\xee_\\x02\\x00\\x00\\xe0\\xc0\\x13x\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00p\\x003v\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x1d\\xee_\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00@\\xc4\\x13x\\xfc\\x7f\\x00\\x00\\xff\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xf1\\xd9\\xf4}\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00P\\x07\\xf1\\xd9\\xf4}\\x00\\x00\\x00\\x00\\x05\\xdc\\xf5}\\x00\\x00(\\x02\\x06\\xdc\\xf5}\\x00\\x00P\\x06\\x07\\xdc\\xf5}\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x80\\x9b\\x07m\\xe8\\xff\\xff\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x00 \\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x10\\x00\\x00\\x00@\\xad\\x13x\\xfc\\x7f\\x00\\x00\\x00\\x00\\xde\\xf1_\\x02\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 22937
          },
          {
            "timestamp": "2026-05-28 22:02:35,725",
            "thread_id": "5448",
            "caller": "0x7ff6c28c5414",
            "parentcaller": "0x7ff6c28c3945",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000ab0"
              },
              {
                "name": "BaseAddress",
                "value": "0x25fee4036f0"
              },
              {
                "name": "Size",
                "value": "0x00000440"
              },
              {
                "name": "Buffer",
                "value": "\\xbe\\x0b\\x00\\x00\\xbe\\x0b\\x00\\x00\\x01`\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x80\\x00\\x08\\x02\\x00\\x00\\x00\\x00 G@\\xee_\\x02\\x00\\x00D\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00x\\x00z\\x00\\x00\\x00\\x00\\x008=@\\xee_\\x02\\x00\\x00^\\x04`\\x04\\x00\\x00\\x00\\x00\\xb2=@\\xee_\\x02\\x00\\x00\\xf0'@\\xee_\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x81\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00x\\x00z\\x00\\x00\\x00\\x00\\x00\\x12B@\\xee_\\x02\\x00\\x00\\x1e\\x00 \\x00\\x00\\x00\\x00\\x00\\x8cB@\\xee_\\x02\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\xacB@\\xee_\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 22938
          },
          {
            "timestamp": "2026-05-28 22:02:35,725",
            "thread_id": "5448",
            "caller": "0x7ff6c28c545d",
            "parentcaller": "0x7ff6c28c3945",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000ab0"
              },
              {
                "name": "BaseAddress",
                "value": "0x25fee403db2"
              },
              {
                "name": "Size",
                "value": "0x0000045e"
              },
              {
                "name": "Buffer",
                "value": "\"\\x00C\\x00:\\x00\\\\x00P\\x00r\\x00o\\x00g\\x00r\\x00a\\x00m\\x00 \\x00F\\x00i\\x00l\\x00e\\x00s\\x00 \\x00(\\x00x\\x008\\x006\\x00)\\x00\\\\x00M\\x00i\\x00c\\x00r\\x00o\\x00s\\x00o\\x00f\\x00t\\x00\\\\x00E\\x00d\\x00g\\x00e\\x00\\\\x00A\\x00p\\x00p\\x00l\\x00i\\x00c\\x00a\\x00t\\x00i\\x00o\\x00n\\x00\\\\x00m\\x00s\\x00e\\x00d\\x00g\\x00e\\x00.\\x00e\\x00x\\x00e\\x00\"\\x00 \\x00-\\x00-\\x00t\\x00y\\x00p\\x00e\\x00=\\x00u\\x00t\\x00i\\x00l\\x00i\\x00t\\x00y\\x00 \\x00-\\x00-\\x00u\\x00t\\x00i\\x00l\\x00i\\x00t\\x00y\\x00-\\x00s\\x00u\\x00b\\x00-\\x00t\\x00y\\x00p\\x00e\\x00=\\x00c\\x00h\\x00r\\x00o\\x00m\\x00e\\x00.\\x00m\\x00o\\x00j\\x00o\\x00m\\x00.\\x00U\\x00t\\x00i\\x00l\\x00W\\x00i\\x00n\\x00 \\x00-\\x00-\\x00l\\x00a\\x00n\\x00g\\x00=\\x00e\\x00n\\x00-\\x00"
              }
            ],
            "repeated": 0,
            "id": 22939
          },
          {
            "timestamp": "2026-05-28 22:02:35,725",
            "thread_id": "5448",
            "caller": "0x7ff6c28c39ad",
            "parentcaller": "0x7ff6c28c31bb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000ab0"
              }
            ],
            "repeated": 0,
            "id": 22940
          },
          {
            "timestamp": "2026-05-28 22:02:35,725",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c3746",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000ab0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001000",
                "pretty_value": "PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "5484"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe"
              }
            ],
            "repeated": 0,
            "id": 22941
          },
          {
            "timestamp": "2026-05-28 22:02:35,725",
            "thread_id": "5448",
            "caller": "0x7ff6c28c472e",
            "parentcaller": "0x7ff6c28c375e",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000ab0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x00000a9c"
              }
            ],
            "repeated": 0,
            "id": 22942
          },
          {
            "timestamp": "2026-05-28 22:02:35,725",
            "thread_id": "5448",
            "caller": "0x7ff6c28c4764",
            "parentcaller": "0x7ff6c28c375e",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "39"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 22943
          },
          {
            "timestamp": "2026-05-28 22:02:35,725",
            "thread_id": "5448",
            "caller": "0x7ff6c28c47ed",
            "parentcaller": "0x7ff6c28c375e",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "39"
              },
              {
                "name": "TokenInformation",
                "value": "\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\xc0\\xa3+T\\x92\\x02\\x00\\x00 \\x00 \\x00\\x00\\x00\\x00\\x00\\xe8\\xa3+T\\x92\\x02\\x00\\x00\\x02\\x00\\x00\\x00A\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x08\\xa4+T\\x92\\x02\\x00\\x00T\\x00S\\x00A\\x00:\\x00/\\x00/\\x00P\\x00r\\x00o\\x00c\\x00U\\x00n\\x00i\\x00q\\x00u\\x00e\\x00\\xa4\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x80!\\x0b\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 22944
          },
          {
            "timestamp": "2026-05-28 22:02:35,725",
            "thread_id": "5448",
            "caller": "0x7ff6c28c488d",
            "parentcaller": "0x7ff6c28c375e",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a9c"
              }
            ],
            "repeated": 0,
            "id": 22945
          },
          {
            "timestamp": "2026-05-28 22:02:35,725",
            "thread_id": "5448",
            "caller": "0x7ff6c28c3779",
            "parentcaller": "0x7ff6c28c31c6",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000ab0"
              }
            ],
            "repeated": 0,
            "id": 22946
          },
          {
            "timestamp": "2026-05-28 22:02:35,725",
            "thread_id": "1004",
            "caller": "0x7ff6c28d9214",
            "parentcaller": "0x00000000",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "0",
                "pretty_value": "ThreadBasicInformation"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x03\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb0\\x87\\x9d\\xf0\\x00\\x00\\x00\\xe8\\x1e\\x00\\x00\\x00\\x00\\x00\\x00\\xec\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\n\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "1004"
              }
            ],
            "repeated": 0,
            "id": 22947
          },
          {
            "timestamp": "2026-05-28 22:02:35,725",
            "thread_id": "1004",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000000",
                "pretty_value": "HKEY_CLASSES_ROOT"
              },
              {
                "name": "SubKey",
                "value": "CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_CLASSES_ROOT\\CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              }
            ],
            "repeated": 0,
            "id": 22948
          },
          {
            "timestamp": "2026-05-28 22:02:35,725",
            "thread_id": "1004",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "shell32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76730000"
              }
            ],
            "repeated": 0,
            "id": 22949
          },
          {
            "timestamp": "2026-05-28 22:02:35,725",
            "thread_id": "1004",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x7ffc76730000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "shell32.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 22950
          },
          {
            "timestamp": "2026-05-28 22:02:35,725",
            "thread_id": "1004",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "SHELL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc76730000"
              },
              {
                "name": "FunctionName",
                "value": "DllGetClassObject"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc767878f0"
              }
            ],
            "repeated": 0,
            "id": 22951
          },
          {
            "timestamp": "2026-05-28 22:02:35,725",
            "thread_id": "1004",
            "caller": "0x7ff6c28c27c9",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "synchronization",
            "api": "NtFindAtom",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "AtomName",
                "value": "{57086C23-86C6-478F-AFB2-236188C8F47F} 3"
              },
              {
                "name": "Atom",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 22952
          },
          {
            "timestamp": "2026-05-28 22:02:35,725",
            "thread_id": "1004",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000000",
                "pretty_value": "HKEY_CLASSES_ROOT"
              },
              {
                "name": "SubKey",
                "value": "CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_CLASSES_ROOT\\CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              }
            ],
            "repeated": 0,
            "id": 22953
          },
          {
            "timestamp": "2026-05-28 22:02:35,725",
            "thread_id": "1004",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "shell32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76730000"
              }
            ],
            "repeated": 0,
            "id": 22954
          },
          {
            "timestamp": "2026-05-28 22:02:35,725",
            "thread_id": "1004",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x7ffc76730000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "shell32.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 22955
          },
          {
            "timestamp": "2026-05-28 22:02:35,725",
            "thread_id": "1004",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "SHELL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc76730000"
              },
              {
                "name": "FunctionName",
                "value": "DllGetClassObject"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc767878f0"
              }
            ],
            "repeated": 0,
            "id": 22956
          },
          {
            "timestamp": "2026-05-28 22:02:35,725",
            "thread_id": "1004",
            "caller": "0x7ff6c28c27c9",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "synchronization",
            "api": "NtFindAtom",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "AtomName",
                "value": "{57086C23-86C6-478F-AFB2-236188C8F47F} 3"
              },
              {
                "name": "Atom",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 22957
          },
          {
            "timestamp": "2026-05-28 22:02:35,725",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6fb1",
            "parentcaller": "0x7ff6c28e0076",
            "category": "system",
            "api": "NtDelayExecution",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 22958
          },
          {
            "timestamp": "2026-05-28 22:02:35,725",
            "thread_id": "1004",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000000",
                "pretty_value": "HKEY_CLASSES_ROOT"
              },
              {
                "name": "SubKey",
                "value": "CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_CLASSES_ROOT\\CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              }
            ],
            "repeated": 0,
            "id": 22959
          },
          {
            "timestamp": "2026-05-28 22:02:35,725",
            "thread_id": "1004",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "shell32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76730000"
              }
            ],
            "repeated": 0,
            "id": 22960
          },
          {
            "timestamp": "2026-05-28 22:02:35,725",
            "thread_id": "1004",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x7ffc76730000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "shell32.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 22961
          },
          {
            "timestamp": "2026-05-28 22:02:35,725",
            "thread_id": "1004",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "SHELL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc76730000"
              },
              {
                "name": "FunctionName",
                "value": "DllGetClassObject"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc767878f0"
              }
            ],
            "repeated": 0,
            "id": 22962
          },
          {
            "timestamp": "2026-05-28 22:02:35,725",
            "thread_id": "1004",
            "caller": "0x7ff6c28c27c9",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "synchronization",
            "api": "NtFindAtom",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "AtomName",
                "value": "{57086C23-86C6-478F-AFB2-236188C8F47F} 3"
              },
              {
                "name": "Atom",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 22963
          },
          {
            "timestamp": "2026-05-28 22:02:35,725",
            "thread_id": "1004",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000000",
                "pretty_value": "HKEY_CLASSES_ROOT"
              },
              {
                "name": "SubKey",
                "value": "CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_CLASSES_ROOT\\CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              }
            ],
            "repeated": 0,
            "id": 22964
          },
          {
            "timestamp": "2026-05-28 22:02:35,725",
            "thread_id": "1004",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "shell32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76730000"
              }
            ],
            "repeated": 0,
            "id": 22965
          },
          {
            "timestamp": "2026-05-28 22:02:35,725",
            "thread_id": "1004",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x7ffc76730000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "shell32.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 22966
          },
          {
            "timestamp": "2026-05-28 22:02:35,725",
            "thread_id": "1004",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "SHELL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc76730000"
              },
              {
                "name": "FunctionName",
                "value": "DllGetClassObject"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc767878f0"
              }
            ],
            "repeated": 0,
            "id": 22967
          },
          {
            "timestamp": "2026-05-28 22:02:35,725",
            "thread_id": "1004",
            "caller": "0x7ff6c28c27c9",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "synchronization",
            "api": "NtFindAtom",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "AtomName",
                "value": "{57086C23-86C6-478F-AFB2-236188C8F47F} 3"
              },
              {
                "name": "Atom",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 22968
          },
          {
            "timestamp": "2026-05-28 22:02:35,725",
            "thread_id": "1004",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000000",
                "pretty_value": "HKEY_CLASSES_ROOT"
              },
              {
                "name": "SubKey",
                "value": "CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_CLASSES_ROOT\\CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              }
            ],
            "repeated": 0,
            "id": 22969
          },
          {
            "timestamp": "2026-05-28 22:02:35,725",
            "thread_id": "1004",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "shell32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76730000"
              }
            ],
            "repeated": 0,
            "id": 22970
          },
          {
            "timestamp": "2026-05-28 22:02:35,725",
            "thread_id": "1004",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x7ffc76730000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "shell32.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 22971
          },
          {
            "timestamp": "2026-05-28 22:02:35,725",
            "thread_id": "1004",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "SHELL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc76730000"
              },
              {
                "name": "FunctionName",
                "value": "DllGetClassObject"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc767878f0"
              }
            ],
            "repeated": 0,
            "id": 22972
          },
          {
            "timestamp": "2026-05-28 22:02:35,725",
            "thread_id": "1004",
            "caller": "0x7ff6c28c27c9",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "synchronization",
            "api": "NtFindAtom",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "AtomName",
                "value": "{57086C23-86C6-478F-AFB2-236188C8F47F} 3"
              },
              {
                "name": "Atom",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 22973
          },
          {
            "timestamp": "2026-05-28 22:02:35,725",
            "thread_id": "1004",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000000",
                "pretty_value": "HKEY_CLASSES_ROOT"
              },
              {
                "name": "SubKey",
                "value": "CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_CLASSES_ROOT\\CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              }
            ],
            "repeated": 0,
            "id": 22974
          },
          {
            "timestamp": "2026-05-28 22:02:35,725",
            "thread_id": "1004",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "shell32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76730000"
              }
            ],
            "repeated": 0,
            "id": 22975
          },
          {
            "timestamp": "2026-05-28 22:02:35,725",
            "thread_id": "1004",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x7ffc76730000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "shell32.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 22976
          },
          {
            "timestamp": "2026-05-28 22:02:35,725",
            "thread_id": "1004",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "SHELL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc76730000"
              },
              {
                "name": "FunctionName",
                "value": "DllGetClassObject"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc767878f0"
              }
            ],
            "repeated": 0,
            "id": 22977
          },
          {
            "timestamp": "2026-05-28 22:02:35,725",
            "thread_id": "1004",
            "caller": "0x7ff6c28c27c9",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "synchronization",
            "api": "NtFindAtom",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "AtomName",
                "value": "{57086C23-86C6-478F-AFB2-236188C8F47F} 3"
              },
              {
                "name": "Atom",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 22978
          },
          {
            "timestamp": "2026-05-28 22:02:35,725",
            "thread_id": "1004",
            "caller": "0x7ff6c28d9322",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "oleaut32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc77330000"
              }
            ],
            "repeated": 0,
            "id": 22979
          },
          {
            "timestamp": "2026-05-28 22:02:35,725",
            "thread_id": "5448",
            "caller": "0x7ff6c28bb952",
            "parentcaller": "0x7ff6c28be837",
            "category": "windows",
            "api": "PostMessageW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "WindowHandle",
                "value": "0x00010402"
              },
              {
                "name": "Message",
                "value": "0x00000464"
              }
            ],
            "repeated": 0,
            "id": 22980
          },
          {
            "timestamp": "2026-05-28 22:02:35,725",
            "thread_id": "608",
            "caller": "0x7ff6c28d9e90",
            "parentcaller": "0x7ff6c28d9a49",
            "category": "windows",
            "api": "FindWindowW",
            "status": true,
            "return": "0x00010092",
            "arguments": [
              {
                "name": "ClassName",
                "value": "Shell_TrayWnd"
              },
              {
                "name": "WindowName",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 22981
          },
          {
            "timestamp": "2026-05-28 22:02:35,725",
            "thread_id": "2700",
            "caller": "0x7ffc77bf0e98",
            "parentcaller": "0x7ffc77c6b785",
            "category": "windows",
            "api": "PostMessageW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "WindowHandle",
                "value": "0x00010438"
              },
              {
                "name": "Message",
                "value": "0x00000400"
              }
            ],
            "repeated": 0,
            "id": 22982
          },
          {
            "timestamp": "2026-05-28 22:02:36,475",
            "thread_id": "5448",
            "caller": "0x7ff6c28bd9af",
            "parentcaller": "0x7ff6c28d9f92",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "23"
              },
              {
                "name": "ThreadInformation",
                "value": "(\\x91\\xebh\\x00\\x00\\x00\\x00RW\\x99\\x89`\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "5448"
              }
            ],
            "repeated": 0,
            "id": 22983
          },
          {
            "timestamp": "2026-05-28 22:02:36,475",
            "thread_id": "5448",
            "caller": "0x7ff6c28c63dd",
            "parentcaller": "0x7ff6c28bac26",
            "category": "misc",
            "api": "NtQuerySystemInformation",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SystemInformationClass",
                "value": "5",
                "pretty_value": "FILE_OVERWRITE_IF"
              }
            ],
            "repeated": 0,
            "id": 22984
          },
          {
            "timestamp": "2026-05-28 22:02:36,475",
            "thread_id": "5448",
            "caller": "0x7ff6c28bda50",
            "parentcaller": "0x7ff6c28d9f92",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "23"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x8a\\xf1,i\\x00\\x00\\x00\\x00\\xcc\\xc8\\xdd\\x89`\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "5448"
              }
            ],
            "repeated": 0,
            "id": 22985
          },
          {
            "timestamp": "2026-05-28 22:02:36,475",
            "thread_id": "5448",
            "caller": "0x7ff6c28bdaa2",
            "parentcaller": "0x7ff6c28d9f92",
            "category": "misc",
            "api": "NtQuerySystemInformation",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SystemInformationClass",
                "value": "3",
                "pretty_value": "FILE_OPEN_IF"
              }
            ],
            "repeated": 0,
            "id": 22986
          },
          {
            "timestamp": "2026-05-28 22:02:36,475",
            "thread_id": "5448",
            "caller": "0x7ff6c28c4a58",
            "parentcaller": "0x7ff6c28c4bdc",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000410"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\PcwDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00224013"
              },
              {
                "name": "InputBuffer",
                "value": "\\x14\\x04\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": "\\xb8\\x01\\x00\\x00\\x10\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xa8\\x01\\x00\\x00 \\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x000\\x00\\x00\\x0c\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00`\\x00\\x00\\x00\\x00\\x00\\x00\\x00 \\x00\\x00\\x00\\x04\\x00\\x00\\x000\\x00,\\x000\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x04\\x00\\x08\\x00V!\\x83\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x05\\x00\\x08\\x00\\xee\\xc4\\xaa\\x01\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x1a\\x00\\x08\\x00)Vn\\xec\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x1b\\x00\\x04\\x00T\\x8c\\xfc\\x03\\x00\\x00\\x00\\x00`\\x00\\x00\\x00\\x01\\x00\\x00\\x00 \\x00\\x00\\x00\\x04\\x00\\x00\\x000\\x00,\\x001\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x04\\x00\\x08\\x00F\\xf0T\\x01\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x05\\x00\\x08\\x00T\\xea*\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x1a\\x00\\x08\\x00\\xd6}\\xda\\xf1\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x1b\\x00\\x04\\x00Z\\x8c\\xfc\\x03\\x00\\x00\\x00\\x00h\\x00\\x00\\x00\\x02\\x00\\x00\\x00(\\x00\\x00\\x00\\x04\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 22987
          },
          {
            "timestamp": "2026-05-28 22:02:36,475",
            "thread_id": "5448",
            "caller": "0x7ff6c28c4a58",
            "parentcaller": "0x7ff6c28c4c19",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000410"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\PcwDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00224013"
              },
              {
                "name": "InputBuffer",
                "value": "\\x18\\x04\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": "x\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00h\\x00\\x00\\x00 \\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00H\\x00\\x00\\x00\\x00\\x00\\x00\\x00(\\x00\\x00\\x00\\x02\\x00\\x00\\x00d\\x00e\\x00f\\x00a\\x00u\\x00l\\x00t\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x08\\x00\\x1b,\\xeb\\xa0\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x01\\x00\\x08\\x00\\x00N\\x06\\x0e\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 22988
          },
          {
            "timestamp": "2026-05-28 22:02:36,475",
            "thread_id": "5448",
            "caller": "0x7ff6c28c6f7b",
            "parentcaller": "0x7ff6c28bdb94",
            "category": "misc",
            "api": "GlobalMemoryStatusEx",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "MemoryLoad",
                "value": "36"
              },
              {
                "name": "TotalPhysicalMB",
                "value": "8191"
              }
            ],
            "repeated": 0,
            "id": 22989
          },
          {
            "timestamp": "2026-05-28 22:02:36,475",
            "thread_id": "5448",
            "caller": "0x7ff6c28c05ac",
            "parentcaller": "0x7ff6c28bdc11",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000ab0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001400",
                "pretty_value": "PROCESS_QUERY_INFORMATION|PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "748"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe"
              }
            ],
            "repeated": 0,
            "id": 22990
          },
          {
            "timestamp": "2026-05-28 22:02:36,475",
            "thread_id": "5448",
            "caller": "0x7ff6c28c068f",
            "parentcaller": "0x7ff6c28bdc11",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000ab0"
              }
            ],
            "repeated": 0,
            "id": 22991
          },
          {
            "timestamp": "2026-05-28 22:02:36,475",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c6d7d",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000ab0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001400",
                "pretty_value": "PROCESS_QUERY_INFORMATION|PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "748"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe"
              }
            ],
            "repeated": 0,
            "id": 22992
          },
          {
            "timestamp": "2026-05-28 22:02:36,475",
            "thread_id": "5448",
            "caller": "0x7ff6c28c6de3",
            "parentcaller": "0x7ff6c28c087c",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000ab0"
              }
            ],
            "repeated": 0,
            "id": 22993
          },
          {
            "timestamp": "2026-05-28 22:02:36,475",
            "thread_id": "8604",
            "caller": "0x7ff6c28c4a58",
            "parentcaller": "0x7ff6c28bab11",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000410"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\PcwDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00224013"
              },
              {
                "name": "InputBuffer",
                "value": "\\x88\\x08\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": "x\\x02\\x00\\x00\\x10\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00h\\x02\\x00\\x00 \\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01<\\x06\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x90\\x00\\x00\\x00\\x00\\x00\\x00\\x00 \\x00\\x00\\x00\\x07\\x00\\x00\\x000\\x00,\\x000\\x00\\x00\\x00a\\x00n\\x00a\\x00g\\x00\\x10\\x00\\x00\\x00\\x10\\x00\\x04\\x00\\x00\\x00\\x00\\x00A\\x00p\\x00\\x10\\x00\\x00\\x00\\x1a\\x00\\x08\\x00\\xfa\\xacn\\xec\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x1b\\x00\\x04\\x002\\x8d\\xfc\\x03S\\x00e\\x00\\x10\\x00\\x00\\x00\\x1c\\x00\\x08\\x00\\x8b\\xc2\\xc4\\x08\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x1d\\x00\\x04\\x002\\x8d\\xfc\\x03)\\x00\\x00\\x00\\x10\\x00\\x00\\x00!\\x00\\x08\\x00/D\\xe5\n\"\\x00\\x00\\x00\\x10\\x00\\x00\\x00\"\\x00\\x04\\x00JD]\\x02o\\x00f\\x00\\x90\\x00\\x00\\x00\\x01\\x00\\x00\\x00 \\x00\\x00\\x00\\x07\\x00\\x00\\x000\\x00,\\x001\\x00\\x00\\x00n\\x00t\\x00\\x00\\x00A\\x00\\x10\\x00\\x00\\x00\\x10\\x00\\x04\\x00\\x00\\x00\\x00\\x00e\\x00n\\x00\\x10\\x00\\x00\\x00\\x1a\\x00\\x08\\x00\\x8e\\xd3\\xda\\xf1\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 22994
          },
          {
            "timestamp": "2026-05-28 22:02:36,475",
            "thread_id": "8604",
            "caller": "0x7ff6c28c7164",
            "parentcaller": "0x7ff6c28c4d2d",
            "category": "misc",
            "api": "NtQuerySystemInformation",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "SystemInformationClass",
                "value": "79"
              }
            ],
            "repeated": 0,
            "id": 22995
          },
          {
            "timestamp": "2026-05-28 22:02:36,475",
            "thread_id": "8604",
            "caller": "0x7ff6c28c71d8",
            "parentcaller": "0x7ff6c28c4d2d",
            "category": "misc",
            "api": "NtQuerySystemInformation",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SystemInformationClass",
                "value": "79"
              }
            ],
            "repeated": 0,
            "id": 22996
          },
          {
            "timestamp": "2026-05-28 22:02:36,475",
            "thread_id": "8604",
            "caller": "0x7ff6c28c4d5f",
            "parentcaller": "0x7ff6c28d9152",
            "category": "misc",
            "api": "NtQuerySystemInformation",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SystemInformationClass",
                "value": "182"
              }
            ],
            "repeated": 0,
            "id": 22997
          },
          {
            "timestamp": "2026-05-28 22:02:36,475",
            "thread_id": "8604",
            "caller": "0x7ff6c28c4d76",
            "parentcaller": "0x7ff6c28d9152",
            "category": "misc",
            "api": "GetPhysicallyInstalledSystemMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TotalMemoryInKilobytes",
                "value": "8388608"
              }
            ],
            "repeated": 0,
            "id": 22998
          },
          {
            "timestamp": "2026-05-28 22:02:36,475",
            "thread_id": "8604",
            "caller": "0x7ff6c28bcc3e",
            "parentcaller": "0x7ff6c28baa3d",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000008a4"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\Nsi"
              },
              {
                "name": "IoControlCode",
                "value": "0x00120007"
              },
              {
                "name": "InputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb1\\xa9t\\xfc\\x7f\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xc0\\xe5O\\x9e\\xf0\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb1\\xa9t\\xfc\\x7f\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xc0\\xe5O\\x9e\\xf0\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 22999
          },
          {
            "timestamp": "2026-05-28 22:02:36,475",
            "thread_id": "8604",
            "caller": "0x7ff6c28bcc3e",
            "parentcaller": "0x7ff6c28baa3d",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000ab0"
              }
            ],
            "repeated": 0,
            "id": 23000
          },
          {
            "timestamp": "2026-05-28 22:02:36,475",
            "thread_id": "8604",
            "caller": "0x7ff6c28bcc3e",
            "parentcaller": "0x7ff6c28baa3d",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000008a4"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\Nsi"
              },
              {
                "name": "IoControlCode",
                "value": "0x0012000f"
              },
              {
                "name": "InputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb1\\xa9t\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xd0\\xe5O\\x9e\\xf0\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\xeeO\\x9e\\xf0\\x00\\x00\\x00D\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xe6O\\x9e\\xf0\\x00\\x00\\x00\\xd8\\x00\\x00\\x00\\x00\\x00\\x00\\x00 \\xe9O\\x9e\\xf0\\x00\\x00\\x00X\\x02\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb1\\xa9t\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xd0\\xe5O\\x9e\\xf0\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\xeeO\\x9e\\xf0\\x00\\x00\\x00D\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xe6O\\x9e\\xf0\\x00\\x00\\x00\\xd8\\x00\\x00\\x00\\x00\\x00\\x00\\x00 \\xe9O\\x9e\\xf0\\x00\\x00\\x00X\\x02\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 23001
          },
          {
            "timestamp": "2026-05-28 22:02:36,475",
            "thread_id": "8604",
            "caller": "0x7ff6c28bcc3e",
            "parentcaller": "0x7ff6c28baa3d",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000ab0"
              }
            ],
            "repeated": 0,
            "id": 23002
          },
          {
            "timestamp": "2026-05-28 22:02:36,475",
            "thread_id": "8604",
            "caller": "0x7ff6c28bcd3d",
            "parentcaller": "0x7ff6c28baa3d",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000ab0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0012019f",
                "pretty_value": "FILE_GENERIC_READ|FILE_GENERIC_WRITE"
              },
              {
                "name": "FileName",
                "value": "\\Device\\{4C572733-2FBA-4346-9601-F86DBA666EF2}"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 23003
          },
          {
            "timestamp": "2026-05-28 22:02:36,475",
            "thread_id": "8604",
            "caller": "0x7ff6c28bcd94",
            "parentcaller": "0x7ff6c28baa3d",
            "category": "device",
            "api": "DeviceIoControl",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "DeviceHandle",
                "value": "0x00000ab0"
              },
              {
                "name": "IoControlCode",
                "value": "0x0017003e"
              },
              {
                "name": "InBuffer",
                "value": "\\x07\\x01\\x01\\x00\\x04\\x01\\x01\\x80\\x14\\x01\\x01\\x80\\x01\\x01\\x02\\x00\\x02\\x01\\x02\\x00\\x03\\x01\\x02\\x00\\x04\\x01\\x02\\x00\\x08\\x02\\x02\\x80\\x01\\x02\\x02\\x80\\x07\\x02\\x02\\x80\\xff\\xff\\xff\\x80\\x13\\x02\\x02\\x80\\x14\\x02\\x02\\x80\\x15\\x02\\x02\\x80\\x02\\x02\\x01\\x80"
              },
              {
                "name": "OutBuffer",
                "value": "\\x07\\x01\\x01\\x00\\x04\\x00\\x00\\x00\\x80\\x96\\x98\\x00\\x04\\x01\\x01\\x80\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x14\\x01\\x01\\x80\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x01\\x02\\x00\\x08\\x00\\x00\\x00,\\x16\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x01\\x02\\x00\\x08\\x00\\x00\\x002q\\x00\\x00\\x00\\x00\\x00\\x00\\x03\\x01\\x02\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x04\\x01\\x02\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x08\\x02\\x02\\x80\\x08\\x00\\x00\\x00-q\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x02\\x02\\x80\\x08\\x00\\x00\\x00\\x16\\xe2Z\\x00\\x00\\x00\\x00\\x00\\x07\\x02\\x02\\x80\\x08\\x00\\x00\\x00\\x86\\xab@\\x02\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\x80\\x04\\x00\\x00\\x00f\\x00\\x00\\x00\\x13\\x02\\x02\\x80\\x04\\x00\\x00\\x00m\\x00\\x00\\x00\\x14\\x02\\x02\\x80\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x15\\x02\\x02\\x80\\x04\\x00\\x00\\x00\\x00\\x00\\x04\\x00\\x02\\x02\\x01\\x80\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 23004
          },
          {
            "timestamp": "2026-05-28 22:02:36,475",
            "thread_id": "8604",
            "caller": "0x7ff6c28bcdab",
            "parentcaller": "0x7ff6c28baa3d",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000ab0"
              }
            ],
            "repeated": 0,
            "id": 23005
          },
          {
            "timestamp": "2026-05-28 22:02:36,475",
            "thread_id": "8604",
            "caller": "0x7ff6c28c1a63",
            "parentcaller": "0x7ff6c28d9152",
            "category": "device",
            "api": "DeviceIoControl",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "DeviceHandle",
                "value": "0x0000089c"
              },
              {
                "name": "IoControlCode",
                "value": "0x00070020"
              },
              {
                "name": "InBuffer",
                "value": ""
              },
              {
                "name": "OutBuffer",
                "value": "\\x00b\\x05v\\x00\\x00\\x00\\x00\\x00H(\\x0c\\x00\\x00\\x00\\x00o3\\x89 \\x00\\x00\\x00\\x00Bfk\\x15\\x00\\x00\\x00\\x007A\\x8e+\\x00\\x00\\x00\\x00av\\x00\\x00\\xf3\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\xd3\\x04\\x00\\x00\\x15\\x8a^\\xb1\\xed\\xee\\xdc\\x01\\x00\\x00\\x00\\x00P\\x00a\\x00r\\x00t\\x00m\\x00g\\x00r\\x00 \\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 23006
          },
          {
            "timestamp": "2026-05-28 22:02:36,475",
            "thread_id": "8604",
            "caller": "0x7ff6c28ca352",
            "parentcaller": "0x7ff6c28ca1d6",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 23007
          },
          {
            "timestamp": "2026-05-28 22:02:36,475",
            "thread_id": "8604",
            "caller": "0x7ff6c28ca352",
            "parentcaller": "0x7ff6c28ca1d6",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "0",
                "pretty_value": "ThreadBasicInformation"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x03\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb0\\x88\\x9d\\xf0\\x00\\x00\\x00\\xe8\\x1e\\x00\\x00\\x00\\x00\\x00\\x00\\x9c!\\x00\\x00\\x00\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x0b\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "8604"
              }
            ],
            "repeated": 0,
            "id": 23008
          },
          {
            "timestamp": "2026-05-28 22:02:36,475",
            "thread_id": "8604",
            "caller": "0x7ff6c28ca352",
            "parentcaller": "0x7ff6c28ca1d6",
            "category": "system",
            "api": "GetSystemTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 1,
            "id": 23009
          },
          {
            "timestamp": "2026-05-28 22:02:36,475",
            "thread_id": "8604",
            "caller": "0x7ff6c28ca352",
            "parentcaller": "0x7ff6c28ca1d6",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000410"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\PcwDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00224013"
              },
              {
                "name": "InputBuffer",
                "value": "\\x00\t\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": "\\xe0G\\x00\\x00\\x10\\x00\\x00\\x00\\x0c\\x00\\x00\\x00\\x00\\x00\\x00\\x00`\\x14\\x00\\x00 \\x00\\x00\\x00!\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\n\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x98\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x88\\x00\\x00\\x00\\x01\\x00\\x00\\x00p\\x00i\\x00d\\x00_\\x004\\x00_\\x00l\\x00u\\x00i\\x00d\\x00_\\x000\\x00x\\x000\\x000\\x000\\x000\\x000\\x000\\x000\\x000\\x00_\\x000\\x00x\\x000\\x000\\x000\\x000\\x006\\x001\\x006\\x00A\\x00_\\x00p\\x00h\\x00y\\x00s\\x00_\\x000\\x00_\\x00e\\x00n\\x00g\\x00_\\x000\\x00_\\x00e\\x00n\\x00g\\x00t\\x00y\\x00p\\x00e\\x00_\\x003\\x00D\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x01\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x98\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x88\\x00\\x00\\x00\\x01\\x00\\x00\\x00p\\x00i\\x00d\\x00_\\x004\\x00_\\x00l\\x00u\\x00i\\x00d\\x00_\\x000\\x00x\\x000\\x000\\x000\\x000\\x000\\x000\\x000\\x00"
              }
            ],
            "repeated": 0,
            "id": 23010
          },
          {
            "timestamp": "2026-05-28 22:02:36,475",
            "thread_id": "8604",
            "caller": "0x7ff6c28f9829",
            "parentcaller": "0x7ff6c28d8f00",
            "category": "windows",
            "api": "PostMessageW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "WindowHandle",
                "value": "0x000203fa"
              },
              {
                "name": "Message",
                "value": "0x000004e1"
              }
            ],
            "repeated": 0,
            "id": 23011
          },
          {
            "timestamp": "2026-05-28 22:02:36,475",
            "thread_id": "1496",
            "caller": "0x7ff6c2958576",
            "parentcaller": "0x7ff6c2957a42",
            "category": "misc",
            "api": "NtQuerySystemInformation",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SystemInformationClass",
                "value": "3",
                "pretty_value": "FILE_OPEN_IF"
              }
            ],
            "repeated": 0,
            "id": 23012
          },
          {
            "timestamp": "2026-05-28 22:02:36,475",
            "thread_id": "2700",
            "caller": "0x7ff6c28d9214",
            "parentcaller": "0x00000000",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "0",
                "pretty_value": "ThreadBasicInformation"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x03\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xd0\\x86\\x9d\\xf0\\x00\\x00\\x00\\xe8\\x1e\\x00\\x00\\x00\\x00\\x00\\x00\\x8c\n\\x00\\x00\\x00\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\n\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "2700"
              }
            ],
            "repeated": 0,
            "id": 23013
          },
          {
            "timestamp": "2026-05-28 22:02:36,475",
            "thread_id": "2700",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000000",
                "pretty_value": "HKEY_CLASSES_ROOT"
              },
              {
                "name": "SubKey",
                "value": "CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_CLASSES_ROOT\\CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              }
            ],
            "repeated": 0,
            "id": 23014
          },
          {
            "timestamp": "2026-05-28 22:02:36,475",
            "thread_id": "2700",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "shell32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76730000"
              }
            ],
            "repeated": 0,
            "id": 23015
          },
          {
            "timestamp": "2026-05-28 22:02:36,475",
            "thread_id": "2700",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x7ffc76730000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "shell32.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 23016
          },
          {
            "timestamp": "2026-05-28 22:02:36,475",
            "thread_id": "2700",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "SHELL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc76730000"
              },
              {
                "name": "FunctionName",
                "value": "DllGetClassObject"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc767878f0"
              }
            ],
            "repeated": 0,
            "id": 23017
          },
          {
            "timestamp": "2026-05-28 22:02:36,475",
            "thread_id": "2700",
            "caller": "0x7ff6c28c27c9",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "synchronization",
            "api": "NtFindAtom",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "AtomName",
                "value": "{57086C23-86C6-478F-AFB2-236188C8F47F} 3"
              },
              {
                "name": "Atom",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 23018
          },
          {
            "timestamp": "2026-05-28 22:02:36,475",
            "thread_id": "2700",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000000",
                "pretty_value": "HKEY_CLASSES_ROOT"
              },
              {
                "name": "SubKey",
                "value": "CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_CLASSES_ROOT\\CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              }
            ],
            "repeated": 0,
            "id": 23019
          },
          {
            "timestamp": "2026-05-28 22:02:36,475",
            "thread_id": "2700",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "shell32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76730000"
              }
            ],
            "repeated": 0,
            "id": 23020
          },
          {
            "timestamp": "2026-05-28 22:02:36,475",
            "thread_id": "2700",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x7ffc76730000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "shell32.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 23021
          },
          {
            "timestamp": "2026-05-28 22:02:36,475",
            "thread_id": "2700",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "SHELL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc76730000"
              },
              {
                "name": "FunctionName",
                "value": "DllGetClassObject"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc767878f0"
              }
            ],
            "repeated": 0,
            "id": 23022
          },
          {
            "timestamp": "2026-05-28 22:02:36,475",
            "thread_id": "2700",
            "caller": "0x7ff6c28c27c9",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "synchronization",
            "api": "NtFindAtom",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "AtomName",
                "value": "{57086C23-86C6-478F-AFB2-236188C8F47F} 3"
              },
              {
                "name": "Atom",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 23023
          },
          {
            "timestamp": "2026-05-28 22:02:36,475",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6fb1",
            "parentcaller": "0x7ff6c28e0076",
            "category": "system",
            "api": "NtDelayExecution",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 23024
          },
          {
            "timestamp": "2026-05-28 22:02:36,475",
            "thread_id": "2700",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000000",
                "pretty_value": "HKEY_CLASSES_ROOT"
              },
              {
                "name": "SubKey",
                "value": "CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_CLASSES_ROOT\\CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              }
            ],
            "repeated": 0,
            "id": 23025
          },
          {
            "timestamp": "2026-05-28 22:02:36,475",
            "thread_id": "2700",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "shell32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76730000"
              }
            ],
            "repeated": 0,
            "id": 23026
          },
          {
            "timestamp": "2026-05-28 22:02:36,475",
            "thread_id": "2700",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x7ffc76730000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "shell32.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 23027
          },
          {
            "timestamp": "2026-05-28 22:02:36,475",
            "thread_id": "2700",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "SHELL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc76730000"
              },
              {
                "name": "FunctionName",
                "value": "DllGetClassObject"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc767878f0"
              }
            ],
            "repeated": 0,
            "id": 23028
          },
          {
            "timestamp": "2026-05-28 22:02:36,475",
            "thread_id": "2700",
            "caller": "0x7ff6c28c27c9",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "synchronization",
            "api": "NtFindAtom",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "AtomName",
                "value": "{57086C23-86C6-478F-AFB2-236188C8F47F} 3"
              },
              {
                "name": "Atom",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 23029
          },
          {
            "timestamp": "2026-05-28 22:02:36,475",
            "thread_id": "2700",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000000",
                "pretty_value": "HKEY_CLASSES_ROOT"
              },
              {
                "name": "SubKey",
                "value": "CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_CLASSES_ROOT\\CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              }
            ],
            "repeated": 0,
            "id": 23030
          },
          {
            "timestamp": "2026-05-28 22:02:36,475",
            "thread_id": "2700",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "shell32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76730000"
              }
            ],
            "repeated": 0,
            "id": 23031
          },
          {
            "timestamp": "2026-05-28 22:02:36,475",
            "thread_id": "2700",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x7ffc76730000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "shell32.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 23032
          },
          {
            "timestamp": "2026-05-28 22:02:36,475",
            "thread_id": "2700",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "SHELL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc76730000"
              },
              {
                "name": "FunctionName",
                "value": "DllGetClassObject"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc767878f0"
              }
            ],
            "repeated": 0,
            "id": 23033
          },
          {
            "timestamp": "2026-05-28 22:02:36,475",
            "thread_id": "2700",
            "caller": "0x7ff6c28c27c9",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "synchronization",
            "api": "NtFindAtom",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "AtomName",
                "value": "{57086C23-86C6-478F-AFB2-236188C8F47F} 3"
              },
              {
                "name": "Atom",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 23034
          },
          {
            "timestamp": "2026-05-28 22:02:36,475",
            "thread_id": "2700",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000000",
                "pretty_value": "HKEY_CLASSES_ROOT"
              },
              {
                "name": "SubKey",
                "value": "CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_CLASSES_ROOT\\CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              }
            ],
            "repeated": 0,
            "id": 23035
          },
          {
            "timestamp": "2026-05-28 22:02:36,475",
            "thread_id": "2700",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "shell32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76730000"
              }
            ],
            "repeated": 0,
            "id": 23036
          },
          {
            "timestamp": "2026-05-28 22:02:36,475",
            "thread_id": "2700",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x7ffc76730000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "shell32.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 23037
          },
          {
            "timestamp": "2026-05-28 22:02:36,475",
            "thread_id": "2700",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "SHELL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc76730000"
              },
              {
                "name": "FunctionName",
                "value": "DllGetClassObject"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc767878f0"
              }
            ],
            "repeated": 0,
            "id": 23038
          },
          {
            "timestamp": "2026-05-28 22:02:36,475",
            "thread_id": "2700",
            "caller": "0x7ff6c28c27c9",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "synchronization",
            "api": "NtFindAtom",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "AtomName",
                "value": "{57086C23-86C6-478F-AFB2-236188C8F47F} 3"
              },
              {
                "name": "Atom",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 23039
          },
          {
            "timestamp": "2026-05-28 22:02:36,475",
            "thread_id": "2700",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000000",
                "pretty_value": "HKEY_CLASSES_ROOT"
              },
              {
                "name": "SubKey",
                "value": "CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_CLASSES_ROOT\\CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              }
            ],
            "repeated": 0,
            "id": 23040
          },
          {
            "timestamp": "2026-05-28 22:02:36,475",
            "thread_id": "2700",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "shell32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76730000"
              }
            ],
            "repeated": 0,
            "id": 23041
          },
          {
            "timestamp": "2026-05-28 22:02:36,475",
            "thread_id": "2700",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x7ffc76730000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "shell32.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 23042
          },
          {
            "timestamp": "2026-05-28 22:02:36,475",
            "thread_id": "2700",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "SHELL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc76730000"
              },
              {
                "name": "FunctionName",
                "value": "DllGetClassObject"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc767878f0"
              }
            ],
            "repeated": 0,
            "id": 23043
          },
          {
            "timestamp": "2026-05-28 22:02:36,475",
            "thread_id": "2700",
            "caller": "0x7ff6c28c27c9",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "synchronization",
            "api": "NtFindAtom",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "AtomName",
                "value": "{57086C23-86C6-478F-AFB2-236188C8F47F} 3"
              },
              {
                "name": "Atom",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 23044
          },
          {
            "timestamp": "2026-05-28 22:02:36,475",
            "thread_id": "2700",
            "caller": "0x7ff6c28d9322",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "oleaut32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc77330000"
              }
            ],
            "repeated": 0,
            "id": 23045
          },
          {
            "timestamp": "2026-05-28 22:02:36,475",
            "thread_id": "5448",
            "caller": "0x7ff6c28bb952",
            "parentcaller": "0x7ff6c28be837",
            "category": "windows",
            "api": "PostMessageW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "WindowHandle",
                "value": "0x00010402"
              },
              {
                "name": "Message",
                "value": "0x00000464"
              }
            ],
            "repeated": 0,
            "id": 23046
          },
          {
            "timestamp": "2026-05-28 22:02:36,475",
            "thread_id": "608",
            "caller": "0x7ff6c28d9e90",
            "parentcaller": "0x7ff6c28d9a49",
            "category": "windows",
            "api": "FindWindowW",
            "status": true,
            "return": "0x00010092",
            "arguments": [
              {
                "name": "ClassName",
                "value": "Shell_TrayWnd"
              },
              {
                "name": "WindowName",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 23047
          },
          {
            "timestamp": "2026-05-28 22:02:36,475",
            "thread_id": "1004",
            "caller": "0x7ffc77bf0e98",
            "parentcaller": "0x7ffc77c6b785",
            "category": "windows",
            "api": "PostMessageW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "WindowHandle",
                "value": "0x00010438"
              },
              {
                "name": "Message",
                "value": "0x00000400"
              }
            ],
            "repeated": 0,
            "id": 23048
          },
          {
            "timestamp": "2026-05-28 22:02:36,490",
            "thread_id": "1004",
            "caller": "0x7ffc77bf0e98",
            "parentcaller": "0x7ffc77c6b785",
            "category": "windows",
            "api": "PostMessageW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "WindowHandle",
                "value": "0x00010424"
              },
              {
                "name": "Message",
                "value": "0x00000400"
              }
            ],
            "repeated": 0,
            "id": 23049
          },
          {
            "timestamp": "2026-05-28 22:02:37,475",
            "thread_id": "5448",
            "caller": "0x7ff6c28bd9af",
            "parentcaller": "0x7ff6c28d9f92",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "23"
              },
              {
                "name": "ThreadInformation",
                "value": "6\\xd6Ki\\x00\\x00\\x00\\x00`\\xbf\\xd2ea\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "5448"
              }
            ],
            "repeated": 0,
            "id": 23050
          },
          {
            "timestamp": "2026-05-28 22:02:37,475",
            "thread_id": "5448",
            "caller": "0x7ff6c28c63dd",
            "parentcaller": "0x7ff6c28bac26",
            "category": "misc",
            "api": "NtQuerySystemInformation",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SystemInformationClass",
                "value": "5",
                "pretty_value": "SystemProcessInformation"
              }
            ],
            "repeated": 0,
            "id": 23051
          },
          {
            "timestamp": "2026-05-28 22:02:37,475",
            "thread_id": "5448",
            "caller": "0x7ff6c28bda50",
            "parentcaller": "0x7ff6c28d9f92",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "23"
              },
              {
                "name": "ThreadInformation",
                "value": "N\\xbd\\x87i\\x00\\x00\\x00\\x00h\\x99\\x11fa\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "5448"
              }
            ],
            "repeated": 0,
            "id": 23052
          },
          {
            "timestamp": "2026-05-28 22:02:37,475",
            "thread_id": "5448",
            "caller": "0x7ff6c28bdaa2",
            "parentcaller": "0x7ff6c28d9f92",
            "category": "misc",
            "api": "NtQuerySystemInformation",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SystemInformationClass",
                "value": "3",
                "pretty_value": "SystemTimeOfDayInformation"
              }
            ],
            "repeated": 0,
            "id": 23053
          },
          {
            "timestamp": "2026-05-28 22:02:37,475",
            "thread_id": "5448",
            "caller": "0x7ff6c28c4a58",
            "parentcaller": "0x7ff6c28c4bdc",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000410"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\PcwDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00224013"
              },
              {
                "name": "InputBuffer",
                "value": "\\x14\\x04\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": "\\xb8\\x01\\x00\\x00\\x10\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xa8\\x01\\x00\\x00 \\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x000\\x00\\x00\\x0c\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00`\\x00\\x00\\x00\\x00\\x00\\x00\\x00 \\x00\\x00\\x00\\x04\\x00\\x00\\x000\\x00,\\x000\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x04\\x00\\x08\\x00V!\\x83\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x05\\x00\\x08\\x00\\xee\\xc4\\xaa\\x01\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x1a\\x00\\x08\\x00T\\x13*\\xf0\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x1b\\x00\\x04\\x00\\x05\\x1b\\x06\\x04\\x00\\x00\\x00\\x00`\\x00\\x00\\x00\\x01\\x00\\x00\\x00 \\x00\\x00\\x00\\x04\\x00\\x00\\x000\\x00,\\x001\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x04\\x00\\x08\\x00F\\xf0T\\x01\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x05\\x00\\x08\\x00T\\xea*\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x1a\\x00\\x08\\x00\\x96:\\x96\\xf5\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x1b\\x00\\x04\\x00\n\\x1b\\x06\\x04\\x00\\x00\\x00\\x00h\\x00\\x00\\x00\\x02\\x00\\x00\\x00(\\x00\\x00\\x00\\x04\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 23054
          },
          {
            "timestamp": "2026-05-28 22:02:37,475",
            "thread_id": "5448",
            "caller": "0x7ff6c28c4a58",
            "parentcaller": "0x7ff6c28c4c19",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000410"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\PcwDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00224013"
              },
              {
                "name": "InputBuffer",
                "value": "\\x18\\x04\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": "x\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00h\\x00\\x00\\x00 \\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00H\\x00\\x00\\x00\\x00\\x00\\x00\\x00(\\x00\\x00\\x00\\x02\\x00\\x00\\x00d\\x00e\\x00f\\x00a\\x00u\\x00l\\x00t\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x08\\x00\\x1b|\\xf0\\xa0\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x01\\x00\\x08\\x00\\x00v\t\\x0e\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 23055
          },
          {
            "timestamp": "2026-05-28 22:02:37,475",
            "thread_id": "5448",
            "caller": "0x7ff6c28c6f7b",
            "parentcaller": "0x7ff6c28bdb94",
            "category": "misc",
            "api": "GlobalMemoryStatusEx",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "MemoryLoad",
                "value": "36"
              },
              {
                "name": "TotalPhysicalMB",
                "value": "8191"
              }
            ],
            "repeated": 0,
            "id": 23056
          },
          {
            "timestamp": "2026-05-28 22:02:37,475",
            "thread_id": "5448",
            "caller": "0x7ff6c28c05ac",
            "parentcaller": "0x7ff6c28bdc11",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000aa0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001400",
                "pretty_value": "PROCESS_QUERY_INFORMATION|PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "748"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe"
              }
            ],
            "repeated": 0,
            "id": 23057
          },
          {
            "timestamp": "2026-05-28 22:02:37,475",
            "thread_id": "5448",
            "caller": "0x7ff6c28c068f",
            "parentcaller": "0x7ff6c28bdc11",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000aa0"
              }
            ],
            "repeated": 0,
            "id": 23058
          },
          {
            "timestamp": "2026-05-28 22:02:37,475",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c6d7d",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000aa0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001400",
                "pretty_value": "PROCESS_QUERY_INFORMATION|PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "748"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe"
              }
            ],
            "repeated": 0,
            "id": 23059
          },
          {
            "timestamp": "2026-05-28 22:02:37,475",
            "thread_id": "5448",
            "caller": "0x7ff6c28c6de3",
            "parentcaller": "0x7ff6c28c087c",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000aa0"
              }
            ],
            "repeated": 0,
            "id": 23060
          },
          {
            "timestamp": "2026-05-28 22:02:37,475",
            "thread_id": "8604",
            "caller": "0x7ff6c28c4a58",
            "parentcaller": "0x7ff6c28bab11",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000410"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\PcwDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00224013"
              },
              {
                "name": "InputBuffer",
                "value": "\\x88\\x08\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": "x\\x02\\x00\\x00\\x10\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00h\\x02\\x00\\x00 \\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01<\\x06\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x90\\x00\\x00\\x00\\x00\\x00\\x00\\x00 \\x00\\x00\\x00\\x07\\x00\\x00\\x000\\x00,\\x000\\x00\\x00\\x00a\\x00n\\x00a\\x00g\\x00\\x10\\x00\\x00\\x00\\x10\\x00\\x04\\x00\\x00\\x00\\x00\\x00A\\x00p\\x00\\x10\\x00\\x00\\x00\\x1a\\x00\\x08\\x00\\xdaj*\\xf0\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x1b\\x00\\x04\\x00\\xe5\\x1b\\x06\\x04S\\x00e\\x00\\x10\\x00\\x00\\x00\\x1c\\x00\\x08\\x00\\x8b\\xc2\\xc4\\x08\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x1d\\x00\\x04\\x00\\xe5\\x1b\\x06\\x04)\\x00\\x00\\x00\\x10\\x00\\x00\\x00!\\x00\\x08\\x00\\xb4\\xe7\\x81\\x94\"\\x00\\x00\\x00\\x10\\x00\\x00\\x00\"\\x00\\x04\\x00\\xfd\\xd2f\\x02o\\x00f\\x00\\x90\\x00\\x00\\x00\\x01\\x00\\x00\\x00 \\x00\\x00\\x00\\x07\\x00\\x00\\x000\\x00,\\x001\\x00\\x00\\x00n\\x00t\\x00\\x00\\x00A\\x00\\x10\\x00\\x00\\x00\\x10\\x00\\x04\\x00\\x00\\x00\\x00\\x00e\\x00n\\x00\\x10\\x00\\x00\\x00\\x1a\\x00\\x08\\x00t\\x91\\x96\\xf5\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 23061
          },
          {
            "timestamp": "2026-05-28 22:02:37,475",
            "thread_id": "8604",
            "caller": "0x7ff6c28c7164",
            "parentcaller": "0x7ff6c28c4d2d",
            "category": "misc",
            "api": "NtQuerySystemInformation",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "SystemInformationClass",
                "value": "79"
              }
            ],
            "repeated": 0,
            "id": 23062
          },
          {
            "timestamp": "2026-05-28 22:02:37,475",
            "thread_id": "8604",
            "caller": "0x7ff6c28c71d8",
            "parentcaller": "0x7ff6c28c4d2d",
            "category": "misc",
            "api": "NtQuerySystemInformation",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SystemInformationClass",
                "value": "79"
              }
            ],
            "repeated": 0,
            "id": 23063
          },
          {
            "timestamp": "2026-05-28 22:02:37,475",
            "thread_id": "8604",
            "caller": "0x7ff6c28c4d5f",
            "parentcaller": "0x7ff6c28d9152",
            "category": "misc",
            "api": "NtQuerySystemInformation",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SystemInformationClass",
                "value": "182"
              }
            ],
            "repeated": 0,
            "id": 23064
          },
          {
            "timestamp": "2026-05-28 22:02:37,475",
            "thread_id": "8604",
            "caller": "0x7ff6c28c4d76",
            "parentcaller": "0x7ff6c28d9152",
            "category": "misc",
            "api": "GetPhysicallyInstalledSystemMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TotalMemoryInKilobytes",
                "value": "8388608"
              }
            ],
            "repeated": 0,
            "id": 23065
          },
          {
            "timestamp": "2026-05-28 22:02:37,475",
            "thread_id": "8604",
            "caller": "0x7ff6c28bcc3e",
            "parentcaller": "0x7ff6c28baa3d",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000008a4"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\Nsi"
              },
              {
                "name": "IoControlCode",
                "value": "0x00120007"
              },
              {
                "name": "InputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb1\\xa9t\\xfc\\x7f\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xc0\\xe5O\\x9e\\xf0\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb1\\xa9t\\xfc\\x7f\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xc0\\xe5O\\x9e\\xf0\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 23066
          },
          {
            "timestamp": "2026-05-28 22:02:37,475",
            "thread_id": "8604",
            "caller": "0x7ff6c28bcc3e",
            "parentcaller": "0x7ff6c28baa3d",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000aa0"
              }
            ],
            "repeated": 0,
            "id": 23067
          },
          {
            "timestamp": "2026-05-28 22:02:37,475",
            "thread_id": "8604",
            "caller": "0x7ff6c28bcc3e",
            "parentcaller": "0x7ff6c28baa3d",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000008a4"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\Nsi"
              },
              {
                "name": "IoControlCode",
                "value": "0x0012000f"
              },
              {
                "name": "InputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb1\\xa9t\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xd0\\xe5O\\x9e\\xf0\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\xeeO\\x9e\\xf0\\x00\\x00\\x00D\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xe6O\\x9e\\xf0\\x00\\x00\\x00\\xd8\\x00\\x00\\x00\\x00\\x00\\x00\\x00 \\xe9O\\x9e\\xf0\\x00\\x00\\x00X\\x02\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb1\\xa9t\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xd0\\xe5O\\x9e\\xf0\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\xeeO\\x9e\\xf0\\x00\\x00\\x00D\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xe6O\\x9e\\xf0\\x00\\x00\\x00\\xd8\\x00\\x00\\x00\\x00\\x00\\x00\\x00 \\xe9O\\x9e\\xf0\\x00\\x00\\x00X\\x02\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 23068
          },
          {
            "timestamp": "2026-05-28 22:02:37,475",
            "thread_id": "8604",
            "caller": "0x7ff6c28bcc3e",
            "parentcaller": "0x7ff6c28baa3d",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000aa0"
              }
            ],
            "repeated": 0,
            "id": 23069
          },
          {
            "timestamp": "2026-05-28 22:02:37,475",
            "thread_id": "8604",
            "caller": "0x7ff6c28bcd3d",
            "parentcaller": "0x7ff6c28baa3d",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000aa0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0012019f",
                "pretty_value": "FILE_GENERIC_READ|FILE_GENERIC_WRITE"
              },
              {
                "name": "FileName",
                "value": "\\Device\\{4C572733-2FBA-4346-9601-F86DBA666EF2}"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 23070
          },
          {
            "timestamp": "2026-05-28 22:02:37,475",
            "thread_id": "8604",
            "caller": "0x7ff6c28bcd94",
            "parentcaller": "0x7ff6c28baa3d",
            "category": "device",
            "api": "DeviceIoControl",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "DeviceHandle",
                "value": "0x00000aa0"
              },
              {
                "name": "IoControlCode",
                "value": "0x0017003e"
              },
              {
                "name": "InBuffer",
                "value": "\\x07\\x01\\x01\\x00\\x04\\x01\\x01\\x80\\x14\\x01\\x01\\x80\\x01\\x01\\x02\\x00\\x02\\x01\\x02\\x00\\x03\\x01\\x02\\x00\\x04\\x01\\x02\\x00\\x08\\x02\\x02\\x80\\x01\\x02\\x02\\x80\\x07\\x02\\x02\\x80\\xff\\xff\\xff\\x80\\x13\\x02\\x02\\x80\\x14\\x02\\x02\\x80\\x15\\x02\\x02\\x80\\x02\\x02\\x01\\x80"
              },
              {
                "name": "OutBuffer",
                "value": "\\x07\\x01\\x01\\x00\\x04\\x00\\x00\\x00\\x80\\x96\\x98\\x00\\x04\\x01\\x01\\x80\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x14\\x01\\x01\\x80\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x01\\x02\\x00\\x08\\x00\\x00\\x009\\x16\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x01\\x02\\x00\\x08\\x00\\x00\\x00<q\\x00\\x00\\x00\\x00\\x00\\x00\\x03\\x01\\x02\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x04\\x01\\x02\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x08\\x02\\x02\\x80\\x08\\x00\\x00\\x007q\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x02\\x02\\x80\\x08\\x00\\x00\\x00\\x94\\xe5Z\\x00\\x00\\x00\\x00\\x00\\x07\\x02\\x02\\x80\\x08\\x00\\x00\\x00\\x93\\xae@\\x02\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\x80\\x04\\x00\\x00\\x00g\\x00\\x00\\x00\\x13\\x02\\x02\\x80\\x04\\x00\\x00\\x00m\\x00\\x00\\x00\\x14\\x02\\x02\\x80\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x15\\x02\\x02\\x80\\x04\\x00\\x00\\x00\\x00\\x00\\x04\\x00\\x02\\x02\\x01\\x80\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 23071
          },
          {
            "timestamp": "2026-05-28 22:02:37,475",
            "thread_id": "8604",
            "caller": "0x7ff6c28bcdab",
            "parentcaller": "0x7ff6c28baa3d",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000aa0"
              }
            ],
            "repeated": 0,
            "id": 23072
          },
          {
            "timestamp": "2026-05-28 22:02:37,475",
            "thread_id": "8604",
            "caller": "0x7ff6c28c1a63",
            "parentcaller": "0x7ff6c28d9152",
            "category": "device",
            "api": "DeviceIoControl",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "DeviceHandle",
                "value": "0x0000089c"
              },
              {
                "name": "IoControlCode",
                "value": "0x00070020"
              },
              {
                "name": "InBuffer",
                "value": ""
              },
              {
                "name": "OutBuffer",
                "value": "\\x00\\xb2\nv\\x00\\x00\\x00\\x00\\x00p+\\x0c\\x00\\x00\\x00\\x00\\x14w\\x89 \\x00\\x00\\x00\\x00\\xae-s\\x15\\x00\\x00\\x00\\x00\\xbe9 ,\\x00\\x00\\x00\\x00iv\\x00\\x00\\x04\\x11\\x00\\x00\\x00\\x00\\x00\\x00\\xdc\\x04\\x00\\x00\\x1fy\\xf7\\xb1\\xed\\xee\\xdc\\x01\\x00\\x00\\x00\\x00P\\x00a\\x00r\\x00t\\x00m\\x00g\\x00r\\x00 \\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 23073
          },
          {
            "timestamp": "2026-05-28 22:02:37,475",
            "thread_id": "8604",
            "caller": "0x7ff6c28ca352",
            "parentcaller": "0x7ff6c28ca1d6",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 23074
          },
          {
            "timestamp": "2026-05-28 22:02:37,475",
            "thread_id": "8604",
            "caller": "0x7ff6c28ca352",
            "parentcaller": "0x7ff6c28ca1d6",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "0",
                "pretty_value": "ThreadBasicInformation"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x03\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb0\\x88\\x9d\\xf0\\x00\\x00\\x00\\xe8\\x1e\\x00\\x00\\x00\\x00\\x00\\x00\\x9c!\\x00\\x00\\x00\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x0b\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "8604"
              }
            ],
            "repeated": 0,
            "id": 23075
          },
          {
            "timestamp": "2026-05-28 22:02:37,475",
            "thread_id": "8604",
            "caller": "0x7ff6c28ca352",
            "parentcaller": "0x7ff6c28ca1d6",
            "category": "system",
            "api": "GetSystemTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 1,
            "id": 23076
          },
          {
            "timestamp": "2026-05-28 22:02:37,475",
            "thread_id": "8604",
            "caller": "0x7ff6c28ca352",
            "parentcaller": "0x7ff6c28ca1d6",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000410"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\PcwDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00224013"
              },
              {
                "name": "InputBuffer",
                "value": "\\x00\t\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": "\\xe0G\\x00\\x00\\x10\\x00\\x00\\x00\\x0c\\x00\\x00\\x00\\x00\\x00\\x00\\x00`\\x14\\x00\\x00 \\x00\\x00\\x00!\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\n\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x98\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x88\\x00\\x00\\x00\\x01\\x00\\x00\\x00p\\x00i\\x00d\\x00_\\x004\\x00_\\x00l\\x00u\\x00i\\x00d\\x00_\\x000\\x00x\\x000\\x000\\x000\\x000\\x000\\x000\\x000\\x000\\x00_\\x000\\x00x\\x000\\x000\\x000\\x000\\x006\\x001\\x006\\x00A\\x00_\\x00p\\x00h\\x00y\\x00s\\x00_\\x000\\x00_\\x00e\\x00n\\x00g\\x00_\\x000\\x00_\\x00e\\x00n\\x00g\\x00t\\x00y\\x00p\\x00e\\x00_\\x003\\x00D\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x01\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x98\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x88\\x00\\x00\\x00\\x01\\x00\\x00\\x00p\\x00i\\x00d\\x00_\\x004\\x00_\\x00l\\x00u\\x00i\\x00d\\x00_\\x000\\x00x\\x000\\x000\\x000\\x000\\x000\\x000\\x000\\x00"
              }
            ],
            "repeated": 0,
            "id": 23077
          },
          {
            "timestamp": "2026-05-28 22:02:37,475",
            "thread_id": "8604",
            "caller": "0x7ff6c28f9829",
            "parentcaller": "0x7ff6c28d8f00",
            "category": "windows",
            "api": "PostMessageW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "WindowHandle",
                "value": "0x000203fa"
              },
              {
                "name": "Message",
                "value": "0x000004e1"
              }
            ],
            "repeated": 0,
            "id": 23078
          },
          {
            "timestamp": "2026-05-28 22:02:37,475",
            "thread_id": "1496",
            "caller": "0x7ff6c2958576",
            "parentcaller": "0x7ff6c2957a42",
            "category": "misc",
            "api": "NtQuerySystemInformation",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SystemInformationClass",
                "value": "3",
                "pretty_value": "SystemTimeOfDayInformation"
              }
            ],
            "repeated": 0,
            "id": 23079
          },
          {
            "timestamp": "2026-05-28 22:02:37,475",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6f98",
            "parentcaller": "0x7ff6c28e0076",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x292557c7000"
              },
              {
                "name": "RegionSize",
                "value": "0x00002000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 23080
          },
          {
            "timestamp": "2026-05-28 22:02:37,475",
            "thread_id": "1004",
            "caller": "0x7ff6c28d9214",
            "parentcaller": "0x00000000",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "0",
                "pretty_value": "ThreadBasicInformation"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x03\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb0\\x87\\x9d\\xf0\\x00\\x00\\x00\\xe8\\x1e\\x00\\x00\\x00\\x00\\x00\\x00\\xec\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\n\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "1004"
              }
            ],
            "repeated": 0,
            "id": 23081
          },
          {
            "timestamp": "2026-05-28 22:02:37,475",
            "thread_id": "1004",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000000",
                "pretty_value": "HKEY_CLASSES_ROOT"
              },
              {
                "name": "SubKey",
                "value": "CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_CLASSES_ROOT\\CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              }
            ],
            "repeated": 0,
            "id": 23082
          },
          {
            "timestamp": "2026-05-28 22:02:37,475",
            "thread_id": "1004",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "shell32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76730000"
              }
            ],
            "repeated": 0,
            "id": 23083
          },
          {
            "timestamp": "2026-05-28 22:02:37,475",
            "thread_id": "1004",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x7ffc76730000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "shell32.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 23084
          },
          {
            "timestamp": "2026-05-28 22:02:37,475",
            "thread_id": "1004",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "SHELL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc76730000"
              },
              {
                "name": "FunctionName",
                "value": "DllGetClassObject"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc767878f0"
              }
            ],
            "repeated": 0,
            "id": 23085
          },
          {
            "timestamp": "2026-05-28 22:02:37,475",
            "thread_id": "1004",
            "caller": "0x7ff6c28c27c9",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "synchronization",
            "api": "NtFindAtom",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "AtomName",
                "value": "{57086C23-86C6-478F-AFB2-236188C8F47F} 3"
              },
              {
                "name": "Atom",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 23086
          },
          {
            "timestamp": "2026-05-28 22:02:37,475",
            "thread_id": "1004",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000000",
                "pretty_value": "HKEY_CLASSES_ROOT"
              },
              {
                "name": "SubKey",
                "value": "CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_CLASSES_ROOT\\CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              }
            ],
            "repeated": 0,
            "id": 23087
          },
          {
            "timestamp": "2026-05-28 22:02:37,475",
            "thread_id": "1004",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "shell32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76730000"
              }
            ],
            "repeated": 0,
            "id": 23088
          },
          {
            "timestamp": "2026-05-28 22:02:37,475",
            "thread_id": "1004",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x7ffc76730000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "shell32.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 23089
          },
          {
            "timestamp": "2026-05-28 22:02:37,475",
            "thread_id": "1004",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "SHELL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc76730000"
              },
              {
                "name": "FunctionName",
                "value": "DllGetClassObject"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc767878f0"
              }
            ],
            "repeated": 0,
            "id": 23090
          },
          {
            "timestamp": "2026-05-28 22:02:37,475",
            "thread_id": "1004",
            "caller": "0x7ff6c28c27c9",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "synchronization",
            "api": "NtFindAtom",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "AtomName",
                "value": "{57086C23-86C6-478F-AFB2-236188C8F47F} 3"
              },
              {
                "name": "Atom",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 23091
          },
          {
            "timestamp": "2026-05-28 22:02:37,475",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6fb1",
            "parentcaller": "0x7ff6c28e0076",
            "category": "system",
            "api": "NtDelayExecution",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 23092
          },
          {
            "timestamp": "2026-05-28 22:02:37,475",
            "thread_id": "1004",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000000",
                "pretty_value": "HKEY_CLASSES_ROOT"
              },
              {
                "name": "SubKey",
                "value": "CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_CLASSES_ROOT\\CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              }
            ],
            "repeated": 0,
            "id": 23093
          },
          {
            "timestamp": "2026-05-28 22:02:37,475",
            "thread_id": "1004",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "shell32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76730000"
              }
            ],
            "repeated": 0,
            "id": 23094
          },
          {
            "timestamp": "2026-05-28 22:02:37,475",
            "thread_id": "1004",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x7ffc76730000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "shell32.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 23095
          },
          {
            "timestamp": "2026-05-28 22:02:37,475",
            "thread_id": "1004",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "SHELL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc76730000"
              },
              {
                "name": "FunctionName",
                "value": "DllGetClassObject"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc767878f0"
              }
            ],
            "repeated": 0,
            "id": 23096
          },
          {
            "timestamp": "2026-05-28 22:02:37,475",
            "thread_id": "1004",
            "caller": "0x7ff6c28c27c9",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "synchronization",
            "api": "NtFindAtom",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "AtomName",
                "value": "{57086C23-86C6-478F-AFB2-236188C8F47F} 3"
              },
              {
                "name": "Atom",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 23097
          },
          {
            "timestamp": "2026-05-28 22:02:37,475",
            "thread_id": "1004",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000000",
                "pretty_value": "HKEY_CLASSES_ROOT"
              },
              {
                "name": "SubKey",
                "value": "CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_CLASSES_ROOT\\CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              }
            ],
            "repeated": 0,
            "id": 23098
          },
          {
            "timestamp": "2026-05-28 22:02:37,475",
            "thread_id": "1004",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "shell32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76730000"
              }
            ],
            "repeated": 0,
            "id": 23099
          },
          {
            "timestamp": "2026-05-28 22:02:37,475",
            "thread_id": "1004",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x7ffc76730000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "shell32.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 23100
          },
          {
            "timestamp": "2026-05-28 22:02:37,475",
            "thread_id": "1004",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "SHELL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc76730000"
              },
              {
                "name": "FunctionName",
                "value": "DllGetClassObject"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc767878f0"
              }
            ],
            "repeated": 0,
            "id": 23101
          },
          {
            "timestamp": "2026-05-28 22:02:37,475",
            "thread_id": "1004",
            "caller": "0x7ff6c28c27c9",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "synchronization",
            "api": "NtFindAtom",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "AtomName",
                "value": "{57086C23-86C6-478F-AFB2-236188C8F47F} 3"
              },
              {
                "name": "Atom",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 23102
          },
          {
            "timestamp": "2026-05-28 22:02:37,475",
            "thread_id": "1004",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000000",
                "pretty_value": "HKEY_CLASSES_ROOT"
              },
              {
                "name": "SubKey",
                "value": "CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_CLASSES_ROOT\\CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              }
            ],
            "repeated": 0,
            "id": 23103
          },
          {
            "timestamp": "2026-05-28 22:02:37,475",
            "thread_id": "1004",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "shell32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76730000"
              }
            ],
            "repeated": 0,
            "id": 23104
          },
          {
            "timestamp": "2026-05-28 22:02:37,475",
            "thread_id": "1004",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x7ffc76730000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "shell32.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 23105
          },
          {
            "timestamp": "2026-05-28 22:02:37,475",
            "thread_id": "1004",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "SHELL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc76730000"
              },
              {
                "name": "FunctionName",
                "value": "DllGetClassObject"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc767878f0"
              }
            ],
            "repeated": 0,
            "id": 23106
          },
          {
            "timestamp": "2026-05-28 22:02:37,475",
            "thread_id": "1004",
            "caller": "0x7ff6c28c27c9",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "synchronization",
            "api": "NtFindAtom",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "AtomName",
                "value": "{57086C23-86C6-478F-AFB2-236188C8F47F} 3"
              },
              {
                "name": "Atom",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 23107
          },
          {
            "timestamp": "2026-05-28 22:02:37,475",
            "thread_id": "1004",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000000",
                "pretty_value": "HKEY_CLASSES_ROOT"
              },
              {
                "name": "SubKey",
                "value": "CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_CLASSES_ROOT\\CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              }
            ],
            "repeated": 0,
            "id": 23108
          },
          {
            "timestamp": "2026-05-28 22:02:37,475",
            "thread_id": "1004",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "shell32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76730000"
              }
            ],
            "repeated": 0,
            "id": 23109
          },
          {
            "timestamp": "2026-05-28 22:02:37,475",
            "thread_id": "1004",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x7ffc76730000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "shell32.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 23110
          },
          {
            "timestamp": "2026-05-28 22:02:37,475",
            "thread_id": "1004",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "SHELL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc76730000"
              },
              {
                "name": "FunctionName",
                "value": "DllGetClassObject"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc767878f0"
              }
            ],
            "repeated": 0,
            "id": 23111
          },
          {
            "timestamp": "2026-05-28 22:02:37,475",
            "thread_id": "1004",
            "caller": "0x7ff6c28c27c9",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "synchronization",
            "api": "NtFindAtom",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "AtomName",
                "value": "{57086C23-86C6-478F-AFB2-236188C8F47F} 3"
              },
              {
                "name": "Atom",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 23112
          },
          {
            "timestamp": "2026-05-28 22:02:37,475",
            "thread_id": "1004",
            "caller": "0x7ff6c28d9322",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "oleaut32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc77330000"
              }
            ],
            "repeated": 0,
            "id": 23113
          },
          {
            "timestamp": "2026-05-28 22:02:37,475",
            "thread_id": "5448",
            "caller": "0x7ff6c28bb952",
            "parentcaller": "0x7ff6c28be837",
            "category": "windows",
            "api": "PostMessageW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "WindowHandle",
                "value": "0x00010402"
              },
              {
                "name": "Message",
                "value": "0x00000464"
              }
            ],
            "repeated": 0,
            "id": 23114
          },
          {
            "timestamp": "2026-05-28 22:02:37,475",
            "thread_id": "608",
            "caller": "0x7ff6c28d9e90",
            "parentcaller": "0x7ff6c28d9a49",
            "category": "windows",
            "api": "FindWindowW",
            "status": true,
            "return": "0x00010092",
            "arguments": [
              {
                "name": "ClassName",
                "value": "Shell_TrayWnd"
              },
              {
                "name": "WindowName",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 23115
          },
          {
            "timestamp": "2026-05-28 22:02:37,475",
            "thread_id": "2700",
            "caller": "0x7ffc77bf0e98",
            "parentcaller": "0x7ffc77c6b785",
            "category": "windows",
            "api": "PostMessageW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "WindowHandle",
                "value": "0x00010438"
              },
              {
                "name": "Message",
                "value": "0x00000400"
              }
            ],
            "repeated": 0,
            "id": 23116
          },
          {
            "timestamp": "2026-05-28 22:02:37,506",
            "thread_id": "2700",
            "caller": "0x7ffc77bf0e98",
            "parentcaller": "0x7ffc77c6b785",
            "category": "windows",
            "api": "PostMessageW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "WindowHandle",
                "value": "0x00010424"
              },
              {
                "name": "Message",
                "value": "0x00000400"
              }
            ],
            "repeated": 0,
            "id": 23117
          },
          {
            "timestamp": "2026-05-28 22:02:37,975",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6fb1",
            "parentcaller": "0x7ff6c28e0076",
            "category": "synchronization",
            "api": "NtOpenEvent",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "Handle",
                "value": "0xf09d76f4c0"
              },
              {
                "name": "EventName",
                "value": "Local\\1ImmersiveFocusTrackingActiveEvent"
              }
            ],
            "repeated": 0,
            "id": 23118
          },
          {
            "timestamp": "2026-05-28 22:02:37,990",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6fb1",
            "parentcaller": "0x7ff6c28e0076",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 0,
            "id": 23119
          },
          {
            "timestamp": "2026-05-28 22:02:37,990",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6fb1",
            "parentcaller": "0x7ff6c28e0076",
            "category": "windows",
            "api": "PostMessageW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "WindowHandle",
                "value": "0x000f03ec"
              },
              {
                "name": "Message",
                "value": "0x00000060"
              }
            ],
            "repeated": 0,
            "id": 23120
          },
          {
            "timestamp": "2026-05-28 22:02:38,006",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6fb1",
            "parentcaller": "0x7ff6c28e0076",
            "category": "system",
            "api": "NtDelayExecution",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 23121
          },
          {
            "timestamp": "2026-05-28 22:02:38,475",
            "thread_id": "5448",
            "caller": "0x7ff6c28bd9af",
            "parentcaller": "0x7ff6c28d9f92",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "23"
              },
              {
                "name": "ThreadInformation",
                "value": "\\xe6H\\xa6i\\x00\\x00\\x00\\x00\\xa2\\xe9\\x0eBb\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "5448"
              }
            ],
            "repeated": 0,
            "id": 23122
          },
          {
            "timestamp": "2026-05-28 22:02:38,475",
            "thread_id": "5448",
            "caller": "0x7ff6c28c63dd",
            "parentcaller": "0x7ff6c28bac26",
            "category": "misc",
            "api": "NtQuerySystemInformation",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SystemInformationClass",
                "value": "5",
                "pretty_value": "SystemProcessInformation"
              }
            ],
            "repeated": 0,
            "id": 23123
          },
          {
            "timestamp": "2026-05-28 22:02:38,475",
            "thread_id": "5448",
            "caller": "0x7ff6c28bda50",
            "parentcaller": "0x7ff6c28d9f92",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "23"
              },
              {
                "name": "ThreadInformation",
                "value": "Rm\\xebi\\x00\\x00\\x00\\x00\\xe2CZBb\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "5448"
              }
            ],
            "repeated": 0,
            "id": 23124
          },
          {
            "timestamp": "2026-05-28 22:02:38,475",
            "thread_id": "5448",
            "caller": "0x7ff6c28bdaa2",
            "parentcaller": "0x7ff6c28d9f92",
            "category": "misc",
            "api": "NtQuerySystemInformation",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SystemInformationClass",
                "value": "3",
                "pretty_value": "SystemTimeOfDayInformation"
              }
            ],
            "repeated": 0,
            "id": 23125
          },
          {
            "timestamp": "2026-05-28 22:02:38,475",
            "thread_id": "5448",
            "caller": "0x7ff6c28c4a58",
            "parentcaller": "0x7ff6c28c4bdc",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000410"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\PcwDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00224013"
              },
              {
                "name": "InputBuffer",
                "value": "\\x14\\x04\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": "\\xb8\\x01\\x00\\x00\\x10\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xa8\\x01\\x00\\x00 \\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x000\\x00\\x00\\x0c\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00`\\x00\\x00\\x00\\x00\\x00\\x00\\x00 \\x00\\x00\\x00\\x04\\x00\\x00\\x000\\x00,\\x000\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x04\\x00\\x08\\x00V!\\x83\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x05\\x00\\x08\\x00\\xee\\xc4\\xaa\\x01\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x1a\\x00\\x08\\x00\\x12-\\xe6\\xf3\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x1b\\x00\\x04\\x00\\xa3\\xaa\\x0f\\x04\\x00\\x00\\x00\\x00`\\x00\\x00\\x00\\x01\\x00\\x00\\x00 \\x00\\x00\\x00\\x04\\x00\\x00\\x000\\x00,\\x001\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x04\\x00\\x08\\x00\\xfa\\xb4Y\\x01\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x05\\x00\\x08\\x00T\\xea*\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x1a\\x00\\x08\\x00tTR\\xf9\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x1b\\x00\\x04\\x00\\xa8\\xaa\\x0f\\x04\\x00\\x00\\x00\\x00h\\x00\\x00\\x00\\x02\\x00\\x00\\x00(\\x00\\x00\\x00\\x04\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 23126
          },
          {
            "timestamp": "2026-05-28 22:02:38,475",
            "thread_id": "5448",
            "caller": "0x7ff6c28c4a58",
            "parentcaller": "0x7ff6c28c4c19",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000410"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\PcwDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00224013"
              },
              {
                "name": "InputBuffer",
                "value": "\\x18\\x04\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": "x\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00h\\x00\\x00\\x00 \\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00H\\x00\\x00\\x00\\x00\\x00\\x00\\x00(\\x00\\x00\\x00\\x02\\x00\\x00\\x00d\\x00e\\x00f\\x00a\\x00u\\x00l\\x00t\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x08\\x00\\x1b\\x16\\xf3\\xa0\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x01\\x00\\x08\\x00\\x00\\xc6\t\\x0e\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 23127
          },
          {
            "timestamp": "2026-05-28 22:02:38,475",
            "thread_id": "5448",
            "caller": "0x7ff6c28c6f7b",
            "parentcaller": "0x7ff6c28bdb94",
            "category": "misc",
            "api": "GlobalMemoryStatusEx",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "MemoryLoad",
                "value": "36"
              },
              {
                "name": "TotalPhysicalMB",
                "value": "8191"
              }
            ],
            "repeated": 0,
            "id": 23128
          },
          {
            "timestamp": "2026-05-28 22:02:38,475",
            "thread_id": "5448",
            "caller": "0x7ff6c28c05ac",
            "parentcaller": "0x7ff6c28bdc11",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000ab4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001400",
                "pretty_value": "PROCESS_QUERY_INFORMATION|PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "748"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe"
              }
            ],
            "repeated": 0,
            "id": 23129
          },
          {
            "timestamp": "2026-05-28 22:02:38,475",
            "thread_id": "5448",
            "caller": "0x7ff6c28c068f",
            "parentcaller": "0x7ff6c28bdc11",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000ab4"
              }
            ],
            "repeated": 0,
            "id": 23130
          },
          {
            "timestamp": "2026-05-28 22:02:38,475",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c6d7d",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000ab4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001400",
                "pretty_value": "PROCESS_QUERY_INFORMATION|PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "748"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe"
              }
            ],
            "repeated": 0,
            "id": 23131
          },
          {
            "timestamp": "2026-05-28 22:02:38,475",
            "thread_id": "5448",
            "caller": "0x7ff6c28c6de3",
            "parentcaller": "0x7ff6c28c087c",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000ab4"
              }
            ],
            "repeated": 0,
            "id": 23132
          },
          {
            "timestamp": "2026-05-28 22:02:38,475",
            "thread_id": "8604",
            "caller": "0x7ff6c28c4a58",
            "parentcaller": "0x7ff6c28bab11",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000410"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\PcwDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00224013"
              },
              {
                "name": "InputBuffer",
                "value": "\\x88\\x08\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": "x\\x02\\x00\\x00\\x10\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00h\\x02\\x00\\x00 \\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01<\\x06\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x90\\x00\\x00\\x00\\x00\\x00\\x00\\x00 \\x00\\x00\\x00\\x07\\x00\\x00\\x000\\x00,\\x000\\x00\\x00\\x00a\\x00n\\x00a\\x00g\\x00\\x10\\x00\\x00\\x00\\x10\\x00\\x04\\x00\\x00\\x00\\x00\\x00A\\x00p\\x00\\x10\\x00\\x00\\x00\\x1a\\x00\\x08\\x00\\x0f\\x85\\xe6\\xf3\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x1b\\x00\\x04\\x00\\x85\\xab\\x0f\\x04S\\x00e\\x00\\x10\\x00\\x00\\x00\\x1c\\x00\\x08\\x00\\x8b\\xc2\\xc4\\x08\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x1d\\x00\\x04\\x00\\x85\\xab\\x0f\\x04)\\x00\\x00\\x00\\x10\\x00\\x00\\x00!\\x00\\x08\\x00\\xa7\\xd6+\\x1e#\\x00\\x00\\x00\\x10\\x00\\x00\\x00\"\\x00\\x04\\x00\\x9cbp\\x02o\\x00f\\x00\\x90\\x00\\x00\\x00\\x01\\x00\\x00\\x00 \\x00\\x00\\x00\\x07\\x00\\x00\\x000\\x00,\\x001\\x00\\x00\\x00n\\x00t\\x00\\x00\\x00A\\x00\\x10\\x00\\x00\\x00\\x10\\x00\\x04\\x00\\x00\\x00\\x00\\x00e\\x00n\\x00\\x10\\x00\\x00\\x00\\x1a\\x00\\x08\\x00\\x8a\\xabR\\xf9\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 23133
          },
          {
            "timestamp": "2026-05-28 22:02:38,475",
            "thread_id": "8604",
            "caller": "0x7ff6c28c7164",
            "parentcaller": "0x7ff6c28c4d2d",
            "category": "misc",
            "api": "NtQuerySystemInformation",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "SystemInformationClass",
                "value": "79"
              }
            ],
            "repeated": 0,
            "id": 23134
          },
          {
            "timestamp": "2026-05-28 22:02:38,475",
            "thread_id": "8604",
            "caller": "0x7ff6c28c71d8",
            "parentcaller": "0x7ff6c28c4d2d",
            "category": "misc",
            "api": "NtQuerySystemInformation",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SystemInformationClass",
                "value": "79"
              }
            ],
            "repeated": 0,
            "id": 23135
          },
          {
            "timestamp": "2026-05-28 22:02:38,475",
            "thread_id": "8604",
            "caller": "0x7ff6c28c4d5f",
            "parentcaller": "0x7ff6c28d9152",
            "category": "misc",
            "api": "NtQuerySystemInformation",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SystemInformationClass",
                "value": "182"
              }
            ],
            "repeated": 0,
            "id": 23136
          },
          {
            "timestamp": "2026-05-28 22:02:38,475",
            "thread_id": "8604",
            "caller": "0x7ff6c28c4d76",
            "parentcaller": "0x7ff6c28d9152",
            "category": "misc",
            "api": "GetPhysicallyInstalledSystemMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TotalMemoryInKilobytes",
                "value": "8388608"
              }
            ],
            "repeated": 0,
            "id": 23137
          },
          {
            "timestamp": "2026-05-28 22:02:38,475",
            "thread_id": "8604",
            "caller": "0x7ff6c28bcc3e",
            "parentcaller": "0x7ff6c28baa3d",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000008a4"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\Nsi"
              },
              {
                "name": "IoControlCode",
                "value": "0x00120007"
              },
              {
                "name": "InputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb1\\xa9t\\xfc\\x7f\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xc0\\xe5O\\x9e\\xf0\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb1\\xa9t\\xfc\\x7f\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xc0\\xe5O\\x9e\\xf0\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 23138
          },
          {
            "timestamp": "2026-05-28 22:02:38,475",
            "thread_id": "8604",
            "caller": "0x7ff6c28bcc3e",
            "parentcaller": "0x7ff6c28baa3d",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000ab4"
              }
            ],
            "repeated": 0,
            "id": 23139
          },
          {
            "timestamp": "2026-05-28 22:02:38,475",
            "thread_id": "8604",
            "caller": "0x7ff6c28bcc3e",
            "parentcaller": "0x7ff6c28baa3d",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000008a4"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\Nsi"
              },
              {
                "name": "IoControlCode",
                "value": "0x0012000f"
              },
              {
                "name": "InputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb1\\xa9t\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xd0\\xe5O\\x9e\\xf0\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\xeeO\\x9e\\xf0\\x00\\x00\\x00D\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xe6O\\x9e\\xf0\\x00\\x00\\x00\\xd8\\x00\\x00\\x00\\x00\\x00\\x00\\x00 \\xe9O\\x9e\\xf0\\x00\\x00\\x00X\\x02\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb1\\xa9t\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xd0\\xe5O\\x9e\\xf0\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\xeeO\\x9e\\xf0\\x00\\x00\\x00D\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xe6O\\x9e\\xf0\\x00\\x00\\x00\\xd8\\x00\\x00\\x00\\x00\\x00\\x00\\x00 \\xe9O\\x9e\\xf0\\x00\\x00\\x00X\\x02\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 23140
          },
          {
            "timestamp": "2026-05-28 22:02:38,475",
            "thread_id": "8604",
            "caller": "0x7ff6c28bcc3e",
            "parentcaller": "0x7ff6c28baa3d",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000ab4"
              }
            ],
            "repeated": 0,
            "id": 23141
          },
          {
            "timestamp": "2026-05-28 22:02:38,475",
            "thread_id": "8604",
            "caller": "0x7ff6c28bcd3d",
            "parentcaller": "0x7ff6c28baa3d",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000ab4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0012019f",
                "pretty_value": "FILE_GENERIC_READ|FILE_GENERIC_WRITE"
              },
              {
                "name": "FileName",
                "value": "\\Device\\{4C572733-2FBA-4346-9601-F86DBA666EF2}"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 23142
          },
          {
            "timestamp": "2026-05-28 22:02:38,475",
            "thread_id": "8604",
            "caller": "0x7ff6c28bcd94",
            "parentcaller": "0x7ff6c28baa3d",
            "category": "device",
            "api": "DeviceIoControl",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "DeviceHandle",
                "value": "0x00000ab4"
              },
              {
                "name": "IoControlCode",
                "value": "0x0017003e"
              },
              {
                "name": "InBuffer",
                "value": "\\x07\\x01\\x01\\x00\\x04\\x01\\x01\\x80\\x14\\x01\\x01\\x80\\x01\\x01\\x02\\x00\\x02\\x01\\x02\\x00\\x03\\x01\\x02\\x00\\x04\\x01\\x02\\x00\\x08\\x02\\x02\\x80\\x01\\x02\\x02\\x80\\x07\\x02\\x02\\x80\\xff\\xff\\xff\\x80\\x13\\x02\\x02\\x80\\x14\\x02\\x02\\x80\\x15\\x02\\x02\\x80\\x02\\x02\\x01\\x80"
              },
              {
                "name": "OutBuffer",
                "value": "\\x07\\x01\\x01\\x00\\x04\\x00\\x00\\x00\\x80\\x96\\x98\\x00\\x04\\x01\\x01\\x80\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x14\\x01\\x01\\x80\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x01\\x02\\x00\\x08\\x00\\x00\\x00I\\x16\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x01\\x02\\x00\\x08\\x00\\x00\\x00Hq\\x00\\x00\\x00\\x00\\x00\\x00\\x03\\x01\\x02\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x04\\x01\\x02\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x08\\x02\\x02\\x80\\x08\\x00\\x00\\x00Cq\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x02\\x02\\x80\\x08\\x00\\x00\\x00\\x06\\xeeZ\\x00\\x00\\x00\\x00\\x00\\x07\\x02\\x02\\x80\\x08\\x00\\x00\\x00\\x0e\\xb2@\\x02\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\x80\\x04\\x00\\x00\\x00h\\x00\\x00\\x00\\x13\\x02\\x02\\x80\\x04\\x00\\x00\\x00m\\x00\\x00\\x00\\x14\\x02\\x02\\x80\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x15\\x02\\x02\\x80\\x04\\x00\\x00\\x00\\x00\\x00\\x04\\x00\\x02\\x02\\x01\\x80\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 23143
          },
          {
            "timestamp": "2026-05-28 22:02:38,475",
            "thread_id": "8604",
            "caller": "0x7ff6c28bcdab",
            "parentcaller": "0x7ff6c28baa3d",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000ab4"
              }
            ],
            "repeated": 0,
            "id": 23144
          },
          {
            "timestamp": "2026-05-28 22:02:38,475",
            "thread_id": "8604",
            "caller": "0x7ff6c28c1a63",
            "parentcaller": "0x7ff6c28d9152",
            "category": "device",
            "api": "DeviceIoControl",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "DeviceHandle",
                "value": "0x0000089c"
              },
              {
                "name": "IoControlCode",
                "value": "0x00070020"
              },
              {
                "name": "InBuffer",
                "value": ""
              },
              {
                "name": "OutBuffer",
                "value": "\\x00L\rv\\x00\\x00\\x00\\x00\\x00\\xc0+\\x0c\\x00\\x00\\x00\\x00\\xb9\\x0b\\x8a \\x00\\x00\\x00\\x00XIu\\x15\\x00\\x00\\x00\\x00\\xd5\\xc4\\xb4,\\x00\\x00\\x00\\x00qv\\x00\\x00\t\\x11\\x00\\x00\\x00\\x00\\x00\\x00\\xdc\\x04\\x00\\x00Ky\\x90\\xb2\\xed\\xee\\xdc\\x01\\x00\\x00\\x00\\x00P\\x00a\\x00r\\x00t\\x00m\\x00g\\x00r\\x00 \\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 23145
          },
          {
            "timestamp": "2026-05-28 22:02:38,475",
            "thread_id": "8604",
            "caller": "0x7ff6c28ca352",
            "parentcaller": "0x7ff6c28ca1d6",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 23146
          },
          {
            "timestamp": "2026-05-28 22:02:38,475",
            "thread_id": "8604",
            "caller": "0x7ff6c28ca352",
            "parentcaller": "0x7ff6c28ca1d6",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "0",
                "pretty_value": "ThreadBasicInformation"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x03\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb0\\x88\\x9d\\xf0\\x00\\x00\\x00\\xe8\\x1e\\x00\\x00\\x00\\x00\\x00\\x00\\x9c!\\x00\\x00\\x00\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\t\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "8604"
              }
            ],
            "repeated": 0,
            "id": 23147
          },
          {
            "timestamp": "2026-05-28 22:02:38,475",
            "thread_id": "8604",
            "caller": "0x7ff6c28ca352",
            "parentcaller": "0x7ff6c28ca1d6",
            "category": "system",
            "api": "GetSystemTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 1,
            "id": 23148
          },
          {
            "timestamp": "2026-05-28 22:02:38,475",
            "thread_id": "8604",
            "caller": "0x7ff6c28ca352",
            "parentcaller": "0x7ff6c28ca1d6",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000410"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\PcwDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00224013"
              },
              {
                "name": "InputBuffer",
                "value": "\\x00\t\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": "\\xe0G\\x00\\x00\\x10\\x00\\x00\\x00\\x0c\\x00\\x00\\x00\\x00\\x00\\x00\\x00`\\x14\\x00\\x00 \\x00\\x00\\x00!\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\n\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x98\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x88\\x00\\x00\\x00\\x01\\x00\\x00\\x00p\\x00i\\x00d\\x00_\\x004\\x00_\\x00l\\x00u\\x00i\\x00d\\x00_\\x000\\x00x\\x000\\x000\\x000\\x000\\x000\\x000\\x000\\x000\\x00_\\x000\\x00x\\x000\\x000\\x000\\x000\\x006\\x001\\x006\\x00A\\x00_\\x00p\\x00h\\x00y\\x00s\\x00_\\x000\\x00_\\x00e\\x00n\\x00g\\x00_\\x000\\x00_\\x00e\\x00n\\x00g\\x00t\\x00y\\x00p\\x00e\\x00_\\x003\\x00D\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x01\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x98\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x88\\x00\\x00\\x00\\x01\\x00\\x00\\x00p\\x00i\\x00d\\x00_\\x004\\x00_\\x00l\\x00u\\x00i\\x00d\\x00_\\x000\\x00x\\x000\\x000\\x000\\x000\\x000\\x000\\x000\\x00"
              }
            ],
            "repeated": 0,
            "id": 23149
          },
          {
            "timestamp": "2026-05-28 22:02:38,475",
            "thread_id": "8604",
            "caller": "0x7ff6c28f9829",
            "parentcaller": "0x7ff6c28d8f00",
            "category": "windows",
            "api": "PostMessageW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "WindowHandle",
                "value": "0x000203fa"
              },
              {
                "name": "Message",
                "value": "0x000004e1"
              }
            ],
            "repeated": 0,
            "id": 23150
          },
          {
            "timestamp": "2026-05-28 22:02:38,475",
            "thread_id": "1496",
            "caller": "0x7ff6c2958576",
            "parentcaller": "0x7ff6c2957a42",
            "category": "misc",
            "api": "NtQuerySystemInformation",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SystemInformationClass",
                "value": "3",
                "pretty_value": "SystemTimeOfDayInformation"
              }
            ],
            "repeated": 0,
            "id": 23151
          },
          {
            "timestamp": "2026-05-28 22:02:38,490",
            "thread_id": "2700",
            "caller": "0x7ff6c28d9214",
            "parentcaller": "0x00000000",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "0",
                "pretty_value": "ThreadBasicInformation"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x03\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xd0\\x86\\x9d\\xf0\\x00\\x00\\x00\\xe8\\x1e\\x00\\x00\\x00\\x00\\x00\\x00\\x8c\n\\x00\\x00\\x00\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "2700"
              }
            ],
            "repeated": 0,
            "id": 23152
          },
          {
            "timestamp": "2026-05-28 22:02:38,490",
            "thread_id": "2700",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000000",
                "pretty_value": "HKEY_CLASSES_ROOT"
              },
              {
                "name": "SubKey",
                "value": "CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_CLASSES_ROOT\\CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              }
            ],
            "repeated": 0,
            "id": 23153
          },
          {
            "timestamp": "2026-05-28 22:02:38,490",
            "thread_id": "2700",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "shell32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76730000"
              }
            ],
            "repeated": 0,
            "id": 23154
          },
          {
            "timestamp": "2026-05-28 22:02:38,490",
            "thread_id": "2700",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x7ffc76730000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "shell32.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 23155
          },
          {
            "timestamp": "2026-05-28 22:02:38,490",
            "thread_id": "2700",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "SHELL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc76730000"
              },
              {
                "name": "FunctionName",
                "value": "DllGetClassObject"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc767878f0"
              }
            ],
            "repeated": 0,
            "id": 23156
          },
          {
            "timestamp": "2026-05-28 22:02:38,490",
            "thread_id": "2700",
            "caller": "0x7ff6c28c27c9",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "synchronization",
            "api": "NtFindAtom",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "AtomName",
                "value": "{57086C23-86C6-478F-AFB2-236188C8F47F} 3"
              },
              {
                "name": "Atom",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 23157
          },
          {
            "timestamp": "2026-05-28 22:02:38,490",
            "thread_id": "2700",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000000",
                "pretty_value": "HKEY_CLASSES_ROOT"
              },
              {
                "name": "SubKey",
                "value": "CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_CLASSES_ROOT\\CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              }
            ],
            "repeated": 0,
            "id": 23158
          },
          {
            "timestamp": "2026-05-28 22:02:38,490",
            "thread_id": "2700",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "shell32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76730000"
              }
            ],
            "repeated": 0,
            "id": 23159
          },
          {
            "timestamp": "2026-05-28 22:02:38,490",
            "thread_id": "2700",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x7ffc76730000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "shell32.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 23160
          },
          {
            "timestamp": "2026-05-28 22:02:38,490",
            "thread_id": "2700",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "SHELL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc76730000"
              },
              {
                "name": "FunctionName",
                "value": "DllGetClassObject"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc767878f0"
              }
            ],
            "repeated": 0,
            "id": 23161
          },
          {
            "timestamp": "2026-05-28 22:02:38,490",
            "thread_id": "2700",
            "caller": "0x7ff6c28c27c9",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "synchronization",
            "api": "NtFindAtom",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "AtomName",
                "value": "{57086C23-86C6-478F-AFB2-236188C8F47F} 3"
              },
              {
                "name": "Atom",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 23162
          },
          {
            "timestamp": "2026-05-28 22:02:38,490",
            "thread_id": "2700",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000000",
                "pretty_value": "HKEY_CLASSES_ROOT"
              },
              {
                "name": "SubKey",
                "value": "CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_CLASSES_ROOT\\CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              }
            ],
            "repeated": 0,
            "id": 23163
          },
          {
            "timestamp": "2026-05-28 22:02:38,490",
            "thread_id": "2700",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "shell32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76730000"
              }
            ],
            "repeated": 0,
            "id": 23164
          },
          {
            "timestamp": "2026-05-28 22:02:38,490",
            "thread_id": "2700",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x7ffc76730000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "shell32.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 23165
          },
          {
            "timestamp": "2026-05-28 22:02:38,490",
            "thread_id": "2700",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "SHELL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc76730000"
              },
              {
                "name": "FunctionName",
                "value": "DllGetClassObject"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc767878f0"
              }
            ],
            "repeated": 0,
            "id": 23166
          },
          {
            "timestamp": "2026-05-28 22:02:38,490",
            "thread_id": "2700",
            "caller": "0x7ff6c28c27c9",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "synchronization",
            "api": "NtFindAtom",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "AtomName",
                "value": "{57086C23-86C6-478F-AFB2-236188C8F47F} 3"
              },
              {
                "name": "Atom",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 23167
          },
          {
            "timestamp": "2026-05-28 22:02:38,490",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6fb1",
            "parentcaller": "0x7ff6c28e0076",
            "category": "system",
            "api": "NtDelayExecution",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 23168
          },
          {
            "timestamp": "2026-05-28 22:02:38,490",
            "thread_id": "2700",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000000",
                "pretty_value": "HKEY_CLASSES_ROOT"
              },
              {
                "name": "SubKey",
                "value": "CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_CLASSES_ROOT\\CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              }
            ],
            "repeated": 0,
            "id": 23169
          },
          {
            "timestamp": "2026-05-28 22:02:38,490",
            "thread_id": "2700",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "shell32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76730000"
              }
            ],
            "repeated": 0,
            "id": 23170
          },
          {
            "timestamp": "2026-05-28 22:02:38,490",
            "thread_id": "2700",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x7ffc76730000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "shell32.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 23171
          },
          {
            "timestamp": "2026-05-28 22:02:38,490",
            "thread_id": "2700",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "SHELL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc76730000"
              },
              {
                "name": "FunctionName",
                "value": "DllGetClassObject"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc767878f0"
              }
            ],
            "repeated": 0,
            "id": 23172
          },
          {
            "timestamp": "2026-05-28 22:02:38,490",
            "thread_id": "2700",
            "caller": "0x7ff6c28c27c9",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "synchronization",
            "api": "NtFindAtom",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "AtomName",
                "value": "{57086C23-86C6-478F-AFB2-236188C8F47F} 3"
              },
              {
                "name": "Atom",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 23173
          },
          {
            "timestamp": "2026-05-28 22:02:38,490",
            "thread_id": "2700",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000000",
                "pretty_value": "HKEY_CLASSES_ROOT"
              },
              {
                "name": "SubKey",
                "value": "CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_CLASSES_ROOT\\CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              }
            ],
            "repeated": 0,
            "id": 23174
          },
          {
            "timestamp": "2026-05-28 22:02:38,490",
            "thread_id": "2700",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "shell32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76730000"
              }
            ],
            "repeated": 0,
            "id": 23175
          },
          {
            "timestamp": "2026-05-28 22:02:38,490",
            "thread_id": "2700",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x7ffc76730000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "shell32.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 23176
          },
          {
            "timestamp": "2026-05-28 22:02:38,490",
            "thread_id": "2700",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "SHELL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc76730000"
              },
              {
                "name": "FunctionName",
                "value": "DllGetClassObject"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc767878f0"
              }
            ],
            "repeated": 0,
            "id": 23177
          },
          {
            "timestamp": "2026-05-28 22:02:38,490",
            "thread_id": "2700",
            "caller": "0x7ff6c28c27c9",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "synchronization",
            "api": "NtFindAtom",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "AtomName",
                "value": "{57086C23-86C6-478F-AFB2-236188C8F47F} 3"
              },
              {
                "name": "Atom",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 23178
          },
          {
            "timestamp": "2026-05-28 22:02:38,490",
            "thread_id": "2700",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000000",
                "pretty_value": "HKEY_CLASSES_ROOT"
              },
              {
                "name": "SubKey",
                "value": "CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_CLASSES_ROOT\\CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              }
            ],
            "repeated": 0,
            "id": 23179
          },
          {
            "timestamp": "2026-05-28 22:02:38,490",
            "thread_id": "2700",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "shell32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76730000"
              }
            ],
            "repeated": 0,
            "id": 23180
          },
          {
            "timestamp": "2026-05-28 22:02:38,490",
            "thread_id": "2700",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x7ffc76730000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "shell32.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 23181
          },
          {
            "timestamp": "2026-05-28 22:02:38,490",
            "thread_id": "2700",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "SHELL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc76730000"
              },
              {
                "name": "FunctionName",
                "value": "DllGetClassObject"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc767878f0"
              }
            ],
            "repeated": 0,
            "id": 23182
          },
          {
            "timestamp": "2026-05-28 22:02:38,490",
            "thread_id": "2700",
            "caller": "0x7ff6c28c27c9",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "synchronization",
            "api": "NtFindAtom",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "AtomName",
                "value": "{57086C23-86C6-478F-AFB2-236188C8F47F} 3"
              },
              {
                "name": "Atom",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 23183
          },
          {
            "timestamp": "2026-05-28 22:02:38,490",
            "thread_id": "2700",
            "caller": "0x7ff6c28d9322",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "oleaut32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc77330000"
              }
            ],
            "repeated": 0,
            "id": 23184
          },
          {
            "timestamp": "2026-05-28 22:02:38,490",
            "thread_id": "5448",
            "caller": "0x7ff6c28bb952",
            "parentcaller": "0x7ff6c28be837",
            "category": "windows",
            "api": "PostMessageW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "WindowHandle",
                "value": "0x00010402"
              },
              {
                "name": "Message",
                "value": "0x00000464"
              }
            ],
            "repeated": 0,
            "id": 23185
          },
          {
            "timestamp": "2026-05-28 22:02:38,490",
            "thread_id": "608",
            "caller": "0x7ff6c28d9e90",
            "parentcaller": "0x7ff6c28d9a49",
            "category": "windows",
            "api": "FindWindowW",
            "status": true,
            "return": "0x00010092",
            "arguments": [
              {
                "name": "ClassName",
                "value": "Shell_TrayWnd"
              },
              {
                "name": "WindowName",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 23186
          },
          {
            "timestamp": "2026-05-28 22:02:38,490",
            "thread_id": "2700",
            "caller": "0x7ffc77bf0e98",
            "parentcaller": "0x7ffc77c6b785",
            "category": "windows",
            "api": "PostMessageW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "WindowHandle",
                "value": "0x00010438"
              },
              {
                "name": "Message",
                "value": "0x00000400"
              }
            ],
            "repeated": 0,
            "id": 23187
          },
          {
            "timestamp": "2026-05-28 22:02:38,537",
            "thread_id": "2700",
            "caller": "0x7ffc77bf0e98",
            "parentcaller": "0x7ffc77c6b785",
            "category": "windows",
            "api": "PostMessageW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "WindowHandle",
                "value": "0x00010424"
              },
              {
                "name": "Message",
                "value": "0x00000400"
              }
            ],
            "repeated": 0,
            "id": 23188
          },
          {
            "timestamp": "2026-05-28 22:02:39,350",
            "thread_id": "1496",
            "caller": "0x7ff6c28f6c41",
            "parentcaller": "0x7ff6c28d6fb1",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 1,
            "id": 23189
          },
          {
            "timestamp": "2026-05-28 22:02:39,350",
            "thread_id": "1496",
            "caller": "0x7ff6c28f6c41",
            "parentcaller": "0x7ff6c28d6fb1",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x0000104e"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 23190
          },
          {
            "timestamp": "2026-05-28 22:02:39,350",
            "thread_id": "1496",
            "caller": "0x7ff6c28f6c41",
            "parentcaller": "0x7ff6c28d6fb1",
            "category": "synchronization",
            "api": "NtOpenEvent",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "Handle",
                "value": "0xf09d76f140"
              },
              {
                "name": "EventName",
                "value": "Local\\1ImmersiveFocusTrackingActiveEvent"
              }
            ],
            "repeated": 0,
            "id": 23191
          },
          {
            "timestamp": "2026-05-28 22:02:39,350",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6fb1",
            "parentcaller": "0x7ff6c28e0076",
            "category": "windows",
            "api": "PostMessageW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "WindowHandle",
                "value": "0x000f03ec"
              },
              {
                "name": "Message",
                "value": "0x00000060"
              }
            ],
            "repeated": 0,
            "id": 23192
          },
          {
            "timestamp": "2026-05-28 22:02:39,350",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6fb1",
            "parentcaller": "0x7ff6c28e0076",
            "category": "system",
            "api": "NtDelayExecution",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 23193
          },
          {
            "timestamp": "2026-05-28 22:02:39,475",
            "thread_id": "5448",
            "caller": "0x7ff6c28bd9af",
            "parentcaller": "0x7ff6c28d9f92",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "23"
              },
              {
                "name": "ThreadInformation",
                "value": ">\\x82\\x0cj\\x00\\x00\\x00\\x00\\xb4\\xc7A\\x1dc\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "5448"
              }
            ],
            "repeated": 0,
            "id": 23194
          },
          {
            "timestamp": "2026-05-28 22:02:39,475",
            "thread_id": "8604",
            "caller": "0x7ff6c28c4a58",
            "parentcaller": "0x7ff6c28bab11",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000410"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\PcwDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00224013"
              },
              {
                "name": "InputBuffer",
                "value": "\\x88\\x08\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": "x\\x02\\x00\\x00\\x10\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00h\\x02\\x00\\x00 \\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01<\\x06\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x90\\x00\\x00\\x00\\x00\\x00\\x00\\x00 \\x00\\x00\\x00\\x07\\x00\\x00\\x000\\x00,\\x000\\x00\\x00\\x00a\\x00n\\x00a\\x00g\\x00\\x10\\x00\\x00\\x00\\x10\\x00\\x04\\x00\\x00\\x00\\x00\\x00A\\x00p\\x00\\x10\\x00\\x00\\x00\\x1a\\x00\\x08\\x00,1\\x9c\\xf7\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x1b\\x00\\x04\\x00\\xae*\\x19\\x04S\\x00e\\x00\\x10\\x00\\x00\\x00\\x1c\\x00\\x08\\x00\\x8b\\xc2\\xc4\\x08\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x1d\\x00\\x04\\x00\\xae*\\x19\\x04)\\x00\\x00\\x00\\x10\\x00\\x00\\x00!\\x00\\x08\\x00\\x97\\xc2\\xe8\\xa6#\\x00\\x00\\x00\\x10\\x00\\x00\\x00\"\\x00\\x04\\x00\\xc5\\xe1y\\x02o\\x00f\\x00\\x90\\x00\\x00\\x00\\x01\\x00\\x00\\x00 \\x00\\x00\\x00\\x07\\x00\\x00\\x000\\x00,\\x001\\x00\\x00\\x00n\\x00t\\x00\\x00\\x00A\\x00\\x10\\x00\\x00\\x00\\x10\\x00\\x04\\x00\\x00\\x00\\x00\\x00e\\x00n\\x00\\x10\\x00\\x00\\x00\\x1a\\x00\\x08\\x00&A\t\\xfd\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 23195
          },
          {
            "timestamp": "2026-05-28 22:02:39,475",
            "thread_id": "8604",
            "caller": "0x7ff6c28c7164",
            "parentcaller": "0x7ff6c28c4d2d",
            "category": "misc",
            "api": "NtQuerySystemInformation",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "SystemInformationClass",
                "value": "79"
              }
            ],
            "repeated": 0,
            "id": 23196
          },
          {
            "timestamp": "2026-05-28 22:02:39,475",
            "thread_id": "8604",
            "caller": "0x7ff6c28c71d8",
            "parentcaller": "0x7ff6c28c4d2d",
            "category": "misc",
            "api": "NtQuerySystemInformation",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SystemInformationClass",
                "value": "79"
              }
            ],
            "repeated": 0,
            "id": 23197
          },
          {
            "timestamp": "2026-05-28 22:02:39,475",
            "thread_id": "8604",
            "caller": "0x7ff6c28c4d5f",
            "parentcaller": "0x7ff6c28d9152",
            "category": "misc",
            "api": "NtQuerySystemInformation",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SystemInformationClass",
                "value": "182"
              }
            ],
            "repeated": 0,
            "id": 23198
          },
          {
            "timestamp": "2026-05-28 22:02:39,475",
            "thread_id": "8604",
            "caller": "0x7ff6c28c4d76",
            "parentcaller": "0x7ff6c28d9152",
            "category": "misc",
            "api": "GetPhysicallyInstalledSystemMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TotalMemoryInKilobytes",
                "value": "8388608"
              }
            ],
            "repeated": 0,
            "id": 23199
          },
          {
            "timestamp": "2026-05-28 22:02:39,475",
            "thread_id": "8604",
            "caller": "0x7ff6c28bcc3e",
            "parentcaller": "0x7ff6c28baa3d",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000008a4"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\Nsi"
              },
              {
                "name": "IoControlCode",
                "value": "0x00120007"
              },
              {
                "name": "InputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb1\\xa9t\\xfc\\x7f\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xc0\\xe5O\\x9e\\xf0\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb1\\xa9t\\xfc\\x7f\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xc0\\xe5O\\x9e\\xf0\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 23200
          },
          {
            "timestamp": "2026-05-28 22:02:39,475",
            "thread_id": "8604",
            "caller": "0x7ff6c28bcc3e",
            "parentcaller": "0x7ff6c28baa3d",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000ab8"
              }
            ],
            "repeated": 0,
            "id": 23201
          },
          {
            "timestamp": "2026-05-28 22:02:39,475",
            "thread_id": "8604",
            "caller": "0x7ff6c28bcc3e",
            "parentcaller": "0x7ff6c28baa3d",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000008a4"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\Nsi"
              },
              {
                "name": "IoControlCode",
                "value": "0x0012000f"
              },
              {
                "name": "InputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb1\\xa9t\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xd0\\xe5O\\x9e\\xf0\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\xeeO\\x9e\\xf0\\x00\\x00\\x00D\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xe6O\\x9e\\xf0\\x00\\x00\\x00\\xd8\\x00\\x00\\x00\\x00\\x00\\x00\\x00 \\xe9O\\x9e\\xf0\\x00\\x00\\x00X\\x02\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb1\\xa9t\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xd0\\xe5O\\x9e\\xf0\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\xeeO\\x9e\\xf0\\x00\\x00\\x00D\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xe6O\\x9e\\xf0\\x00\\x00\\x00\\xd8\\x00\\x00\\x00\\x00\\x00\\x00\\x00 \\xe9O\\x9e\\xf0\\x00\\x00\\x00X\\x02\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 23202
          },
          {
            "timestamp": "2026-05-28 22:02:39,475",
            "thread_id": "8604",
            "caller": "0x7ff6c28bcc3e",
            "parentcaller": "0x7ff6c28baa3d",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000ab8"
              }
            ],
            "repeated": 0,
            "id": 23203
          },
          {
            "timestamp": "2026-05-28 22:02:39,475",
            "thread_id": "8604",
            "caller": "0x7ff6c28bcd3d",
            "parentcaller": "0x7ff6c28baa3d",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000ab8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0012019f",
                "pretty_value": "FILE_GENERIC_READ|FILE_GENERIC_WRITE"
              },
              {
                "name": "FileName",
                "value": "\\Device\\{4C572733-2FBA-4346-9601-F86DBA666EF2}"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 23204
          },
          {
            "timestamp": "2026-05-28 22:02:39,475",
            "thread_id": "8604",
            "caller": "0x7ff6c28bcd94",
            "parentcaller": "0x7ff6c28baa3d",
            "category": "device",
            "api": "DeviceIoControl",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "DeviceHandle",
                "value": "0x00000ab8"
              },
              {
                "name": "IoControlCode",
                "value": "0x0017003e"
              },
              {
                "name": "InBuffer",
                "value": "\\x07\\x01\\x01\\x00\\x04\\x01\\x01\\x80\\x14\\x01\\x01\\x80\\x01\\x01\\x02\\x00\\x02\\x01\\x02\\x00\\x03\\x01\\x02\\x00\\x04\\x01\\x02\\x00\\x08\\x02\\x02\\x80\\x01\\x02\\x02\\x80\\x07\\x02\\x02\\x80\\xff\\xff\\xff\\x80\\x13\\x02\\x02\\x80\\x14\\x02\\x02\\x80\\x15\\x02\\x02\\x80\\x02\\x02\\x01\\x80"
              },
              {
                "name": "OutBuffer",
                "value": "\\x07\\x01\\x01\\x00\\x04\\x00\\x00\\x00\\x80\\x96\\x98\\x00\\x04\\x01\\x01\\x80\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x14\\x01\\x01\\x80\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x01\\x02\\x00\\x08\\x00\\x00\\x00Y\\x16\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x01\\x02\\x00\\x08\\x00\\x00\\x00Xq\\x00\\x00\\x00\\x00\\x00\\x00\\x03\\x01\\x02\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x04\\x01\\x02\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x08\\x02\\x02\\x80\\x08\\x00\\x00\\x00Sq\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x02\\x02\\x80\\x08\\x00\\x00\\x00*\\xf7Z\\x00\\x00\\x00\\x00\\x00\\x07\\x02\\x02\\x80\\x08\\x00\\x00\\x00\\xc0\\xbc@\\x02\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\x80\\x04\\x00\\x00\\x00i\\x00\\x00\\x00\\x13\\x02\\x02\\x80\\x04\\x00\\x00\\x00m\\x00\\x00\\x00\\x14\\x02\\x02\\x80\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x15\\x02\\x02\\x80\\x04\\x00\\x00\\x00\\x00\\x00\\x04\\x00\\x02\\x02\\x01\\x80\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 23205
          },
          {
            "timestamp": "2026-05-28 22:02:39,475",
            "thread_id": "8604",
            "caller": "0x7ff6c28bcdab",
            "parentcaller": "0x7ff6c28baa3d",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000ab8"
              }
            ],
            "repeated": 0,
            "id": 23206
          },
          {
            "timestamp": "2026-05-28 22:02:39,475",
            "thread_id": "8604",
            "caller": "0x7ff6c28c1a63",
            "parentcaller": "0x7ff6c28d9152",
            "category": "device",
            "api": "DeviceIoControl",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "DeviceHandle",
                "value": "0x0000089c"
              },
              {
                "name": "IoControlCode",
                "value": "0x00070020"
              },
              {
                "name": "InBuffer",
                "value": ""
              },
              {
                "name": "OutBuffer",
                "value": "\\x00h\\x10v\\x00\\x00\\x00\\x00\\x00x,\\x0c\\x00\\x00\\x00\\x00\\xfd\\x07\\x8b \\x00\\x00\\x00\\x00i\tv\\x15\\x00\\x00\\x00\\x00`\\x9fJ-\\x00\\x00\\x00\\x00{v\\x00\\x00\n\\x11\\x00\\x00\\x01\\x00\\x00\\x00\\xdc\\x04\\x00\\x00\\xbbw(\\xb3\\xed\\xee\\xdc\\x01\\x00\\x00\\x00\\x00P\\x00a\\x00r\\x00t\\x00m\\x00g\\x00r\\x00 \\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 23207
          },
          {
            "timestamp": "2026-05-28 22:02:39,475",
            "thread_id": "8604",
            "caller": "0x7ff6c28ca352",
            "parentcaller": "0x7ff6c28ca1d6",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 23208
          },
          {
            "timestamp": "2026-05-28 22:02:39,475",
            "thread_id": "8604",
            "caller": "0x7ff6c28ca352",
            "parentcaller": "0x7ff6c28ca1d6",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "0",
                "pretty_value": "ThreadBasicInformation"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x03\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb0\\x88\\x9d\\xf0\\x00\\x00\\x00\\xe8\\x1e\\x00\\x00\\x00\\x00\\x00\\x00\\x9c!\\x00\\x00\\x00\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x0b\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "8604"
              }
            ],
            "repeated": 0,
            "id": 23209
          },
          {
            "timestamp": "2026-05-28 22:02:39,475",
            "thread_id": "5448",
            "caller": "0x7ff6c28c63dd",
            "parentcaller": "0x7ff6c28bac26",
            "category": "misc",
            "api": "NtQuerySystemInformation",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SystemInformationClass",
                "value": "5",
                "pretty_value": "SystemProcessInformation"
              }
            ],
            "repeated": 0,
            "id": 23210
          },
          {
            "timestamp": "2026-05-28 22:02:39,475",
            "thread_id": "8604",
            "caller": "0x7ff6c28ca352",
            "parentcaller": "0x7ff6c28ca1d6",
            "category": "system",
            "api": "GetSystemTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 1,
            "id": 23211
          },
          {
            "timestamp": "2026-05-28 22:02:39,475",
            "thread_id": "8604",
            "caller": "0x7ff6c28ca352",
            "parentcaller": "0x7ff6c28ca1d6",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000410"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\PcwDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00224013"
              },
              {
                "name": "InputBuffer",
                "value": "\\x00\t\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": "\\xe0G\\x00\\x00\\x10\\x00\\x00\\x00\\x0c\\x00\\x00\\x00\\x00\\x00\\x00\\x00`\\x14\\x00\\x00 \\x00\\x00\\x00!\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\n\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x98\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x88\\x00\\x00\\x00\\x01\\x00\\x00\\x00p\\x00i\\x00d\\x00_\\x004\\x00_\\x00l\\x00u\\x00i\\x00d\\x00_\\x000\\x00x\\x000\\x000\\x000\\x000\\x000\\x000\\x000\\x000\\x00_\\x000\\x00x\\x000\\x000\\x000\\x000\\x006\\x001\\x006\\x00A\\x00_\\x00p\\x00h\\x00y\\x00s\\x00_\\x000\\x00_\\x00e\\x00n\\x00g\\x00_\\x000\\x00_\\x00e\\x00n\\x00g\\x00t\\x00y\\x00p\\x00e\\x00_\\x003\\x00D\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x01\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x98\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x88\\x00\\x00\\x00\\x01\\x00\\x00\\x00p\\x00i\\x00d\\x00_\\x004\\x00_\\x00l\\x00u\\x00i\\x00d\\x00_\\x000\\x00x\\x000\\x000\\x000\\x000\\x000\\x000\\x000\\x00"
              }
            ],
            "repeated": 0,
            "id": 23212
          },
          {
            "timestamp": "2026-05-28 22:02:39,475",
            "thread_id": "5448",
            "caller": "0x7ff6c28bda50",
            "parentcaller": "0x7ff6c28d9f92",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "23"
              },
              {
                "name": "ThreadInformation",
                "value": "\\xf2\\x98gj\\x00\\x00\\x00\\x00h\\xeb\\xa6\\x1dc\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "5448"
              }
            ],
            "repeated": 0,
            "id": 23213
          },
          {
            "timestamp": "2026-05-28 22:02:39,475",
            "thread_id": "5448",
            "caller": "0x7ff6c28bdaa2",
            "parentcaller": "0x7ff6c28d9f92",
            "category": "misc",
            "api": "NtQuerySystemInformation",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SystemInformationClass",
                "value": "3",
                "pretty_value": "SystemTimeOfDayInformation"
              }
            ],
            "repeated": 0,
            "id": 23214
          },
          {
            "timestamp": "2026-05-28 22:02:39,475",
            "thread_id": "5448",
            "caller": "0x7ff6c28c4a58",
            "parentcaller": "0x7ff6c28c4bdc",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000410"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\PcwDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00224013"
              },
              {
                "name": "InputBuffer",
                "value": "\\x14\\x04\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": "\\xb8\\x01\\x00\\x00\\x10\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xa8\\x01\\x00\\x00 \\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x000\\x00\\x00\\x0c\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00`\\x00\\x00\\x00\\x00\\x00\\x00\\x00 \\x00\\x00\\x00\\x04\\x00\\x00\\x000\\x00,\\x000\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x04\\x00\\x08\\x00V!\\x83\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x05\\x00\\x08\\x00\\xee\\xc4\\xaa\\x01\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x1a\\x00\\x08\\x00\\xe5\\x02\\x9e\\xf7\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x1b\\x00\\x04\\x00V/\\x19\\x04\\x00\\x00\\x00\\x00`\\x00\\x00\\x00\\x01\\x00\\x00\\x00 \\x00\\x00\\x00\\x04\\x00\\x00\\x000\\x00,\\x001\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x04\\x00\\x08\\x00T\\x17\\\\x01\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x05\\x00\\x08\\x00T\\xea*\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x1a\\x00\\x08\\x00\\x0f*\n\\xfd\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x1b\\x00\\x04\\x00[/\\x19\\x04\\x00\\x00\\x00\\x00h\\x00\\x00\\x00\\x02\\x00\\x00\\x00(\\x00\\x00\\x00\\x04\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 23215
          },
          {
            "timestamp": "2026-05-28 22:02:39,475",
            "thread_id": "5448",
            "caller": "0x7ff6c28c4a58",
            "parentcaller": "0x7ff6c28c4c19",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000410"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\PcwDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00224013"
              },
              {
                "name": "InputBuffer",
                "value": "\\x18\\x04\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": "x\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00h\\x00\\x00\\x00 \\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00H\\x00\\x00\\x00\\x00\\x00\\x00\\x00(\\x00\\x00\\x00\\x02\\x00\\x00\\x00d\\x00e\\x00f\\x00a\\x00u\\x00l\\x00t\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x08\\x00\\x1b2\\xf6\\xa0\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x01\\x00\\x08\\x00\\x00~\\x0b\\x0e\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 23216
          },
          {
            "timestamp": "2026-05-28 22:02:39,475",
            "thread_id": "8604",
            "caller": "0x7ff6c28f9829",
            "parentcaller": "0x7ff6c28d8f00",
            "category": "windows",
            "api": "PostMessageW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "WindowHandle",
                "value": "0x000203fa"
              },
              {
                "name": "Message",
                "value": "0x000004e1"
              }
            ],
            "repeated": 0,
            "id": 23217
          },
          {
            "timestamp": "2026-05-28 22:02:39,475",
            "thread_id": "5448",
            "caller": "0x7ff6c28c6f7b",
            "parentcaller": "0x7ff6c28bdb94",
            "category": "misc",
            "api": "GlobalMemoryStatusEx",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "MemoryLoad",
                "value": "35"
              },
              {
                "name": "TotalPhysicalMB",
                "value": "8191"
              }
            ],
            "repeated": 0,
            "id": 23218
          },
          {
            "timestamp": "2026-05-28 22:02:39,475",
            "thread_id": "1496",
            "caller": "0x7ff6c2958576",
            "parentcaller": "0x7ff6c2957a42",
            "category": "misc",
            "api": "NtQuerySystemInformation",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SystemInformationClass",
                "value": "3",
                "pretty_value": "SystemTimeOfDayInformation"
              }
            ],
            "repeated": 0,
            "id": 23219
          },
          {
            "timestamp": "2026-05-28 22:02:39,475",
            "thread_id": "5448",
            "caller": "0x7ff6c28c05ac",
            "parentcaller": "0x7ff6c28bdc11",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000ab4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001400",
                "pretty_value": "PROCESS_QUERY_INFORMATION|PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "748"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe"
              }
            ],
            "repeated": 0,
            "id": 23220
          },
          {
            "timestamp": "2026-05-28 22:02:39,475",
            "thread_id": "5448",
            "caller": "0x7ff6c28c068f",
            "parentcaller": "0x7ff6c28bdc11",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000ab4"
              }
            ],
            "repeated": 0,
            "id": 23221
          },
          {
            "timestamp": "2026-05-28 22:02:39,475",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c6d7d",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000ab4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001400",
                "pretty_value": "PROCESS_QUERY_INFORMATION|PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "748"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe"
              }
            ],
            "repeated": 0,
            "id": 23222
          },
          {
            "timestamp": "2026-05-28 22:02:39,475",
            "thread_id": "5448",
            "caller": "0x7ff6c28c6de3",
            "parentcaller": "0x7ff6c28c087c",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000ab4"
              }
            ],
            "repeated": 0,
            "id": 23223
          },
          {
            "timestamp": "2026-05-28 22:02:39,475",
            "thread_id": "2700",
            "caller": "0x7ff6c28d9214",
            "parentcaller": "0x00000000",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "0",
                "pretty_value": "ThreadBasicInformation"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x03\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xd0\\x86\\x9d\\xf0\\x00\\x00\\x00\\xe8\\x1e\\x00\\x00\\x00\\x00\\x00\\x00\\x8c\n\\x00\\x00\\x00\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\n\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "2700"
              }
            ],
            "repeated": 0,
            "id": 23224
          },
          {
            "timestamp": "2026-05-28 22:02:39,475",
            "thread_id": "2700",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000000",
                "pretty_value": "HKEY_CLASSES_ROOT"
              },
              {
                "name": "SubKey",
                "value": "CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_CLASSES_ROOT\\CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              }
            ],
            "repeated": 0,
            "id": 23225
          },
          {
            "timestamp": "2026-05-28 22:02:39,475",
            "thread_id": "2700",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "shell32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76730000"
              }
            ],
            "repeated": 0,
            "id": 23226
          },
          {
            "timestamp": "2026-05-28 22:02:39,475",
            "thread_id": "2700",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x7ffc76730000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "shell32.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 23227
          },
          {
            "timestamp": "2026-05-28 22:02:39,475",
            "thread_id": "2700",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "SHELL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc76730000"
              },
              {
                "name": "FunctionName",
                "value": "DllGetClassObject"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc767878f0"
              }
            ],
            "repeated": 0,
            "id": 23228
          },
          {
            "timestamp": "2026-05-28 22:02:39,475",
            "thread_id": "2700",
            "caller": "0x7ff6c28c27c9",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "synchronization",
            "api": "NtFindAtom",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "AtomName",
                "value": "{57086C23-86C6-478F-AFB2-236188C8F47F} 3"
              },
              {
                "name": "Atom",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 23229
          },
          {
            "timestamp": "2026-05-28 22:02:39,475",
            "thread_id": "2700",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000000",
                "pretty_value": "HKEY_CLASSES_ROOT"
              },
              {
                "name": "SubKey",
                "value": "CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_CLASSES_ROOT\\CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              }
            ],
            "repeated": 0,
            "id": 23230
          },
          {
            "timestamp": "2026-05-28 22:02:39,475",
            "thread_id": "2700",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "shell32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76730000"
              }
            ],
            "repeated": 0,
            "id": 23231
          },
          {
            "timestamp": "2026-05-28 22:02:39,475",
            "thread_id": "2700",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x7ffc76730000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "shell32.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 23232
          },
          {
            "timestamp": "2026-05-28 22:02:39,475",
            "thread_id": "2700",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "SHELL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc76730000"
              },
              {
                "name": "FunctionName",
                "value": "DllGetClassObject"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc767878f0"
              }
            ],
            "repeated": 0,
            "id": 23233
          },
          {
            "timestamp": "2026-05-28 22:02:39,475",
            "thread_id": "2700",
            "caller": "0x7ff6c28c27c9",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "synchronization",
            "api": "NtFindAtom",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "AtomName",
                "value": "{57086C23-86C6-478F-AFB2-236188C8F47F} 3"
              },
              {
                "name": "Atom",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 23234
          },
          {
            "timestamp": "2026-05-28 22:02:39,475",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6fb1",
            "parentcaller": "0x7ff6c28e0076",
            "category": "system",
            "api": "NtDelayExecution",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 23235
          },
          {
            "timestamp": "2026-05-28 22:02:39,475",
            "thread_id": "2700",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000000",
                "pretty_value": "HKEY_CLASSES_ROOT"
              },
              {
                "name": "SubKey",
                "value": "CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_CLASSES_ROOT\\CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              }
            ],
            "repeated": 0,
            "id": 23236
          },
          {
            "timestamp": "2026-05-28 22:02:39,475",
            "thread_id": "2700",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "shell32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76730000"
              }
            ],
            "repeated": 0,
            "id": 23237
          },
          {
            "timestamp": "2026-05-28 22:02:39,475",
            "thread_id": "2700",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x7ffc76730000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "shell32.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 23238
          },
          {
            "timestamp": "2026-05-28 22:02:39,475",
            "thread_id": "2700",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "SHELL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc76730000"
              },
              {
                "name": "FunctionName",
                "value": "DllGetClassObject"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc767878f0"
              }
            ],
            "repeated": 0,
            "id": 23239
          },
          {
            "timestamp": "2026-05-28 22:02:39,475",
            "thread_id": "2700",
            "caller": "0x7ff6c28c27c9",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "synchronization",
            "api": "NtFindAtom",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "AtomName",
                "value": "{57086C23-86C6-478F-AFB2-236188C8F47F} 3"
              },
              {
                "name": "Atom",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 23240
          },
          {
            "timestamp": "2026-05-28 22:02:39,475",
            "thread_id": "2700",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000000",
                "pretty_value": "HKEY_CLASSES_ROOT"
              },
              {
                "name": "SubKey",
                "value": "CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_CLASSES_ROOT\\CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              }
            ],
            "repeated": 0,
            "id": 23241
          },
          {
            "timestamp": "2026-05-28 22:02:39,475",
            "thread_id": "2700",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "shell32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76730000"
              }
            ],
            "repeated": 0,
            "id": 23242
          },
          {
            "timestamp": "2026-05-28 22:02:39,475",
            "thread_id": "2700",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x7ffc76730000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "shell32.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 23243
          },
          {
            "timestamp": "2026-05-28 22:02:39,475",
            "thread_id": "2700",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "SHELL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc76730000"
              },
              {
                "name": "FunctionName",
                "value": "DllGetClassObject"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc767878f0"
              }
            ],
            "repeated": 0,
            "id": 23244
          },
          {
            "timestamp": "2026-05-28 22:02:39,475",
            "thread_id": "2700",
            "caller": "0x7ff6c28c27c9",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "synchronization",
            "api": "NtFindAtom",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "AtomName",
                "value": "{57086C23-86C6-478F-AFB2-236188C8F47F} 3"
              },
              {
                "name": "Atom",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 23245
          },
          {
            "timestamp": "2026-05-28 22:02:39,475",
            "thread_id": "2700",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000000",
                "pretty_value": "HKEY_CLASSES_ROOT"
              },
              {
                "name": "SubKey",
                "value": "CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_CLASSES_ROOT\\CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              }
            ],
            "repeated": 0,
            "id": 23246
          },
          {
            "timestamp": "2026-05-28 22:02:39,475",
            "thread_id": "2700",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "shell32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76730000"
              }
            ],
            "repeated": 0,
            "id": 23247
          },
          {
            "timestamp": "2026-05-28 22:02:39,475",
            "thread_id": "2700",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x7ffc76730000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "shell32.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 23248
          },
          {
            "timestamp": "2026-05-28 22:02:39,475",
            "thread_id": "2700",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "SHELL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc76730000"
              },
              {
                "name": "FunctionName",
                "value": "DllGetClassObject"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc767878f0"
              }
            ],
            "repeated": 0,
            "id": 23249
          },
          {
            "timestamp": "2026-05-28 22:02:39,475",
            "thread_id": "2700",
            "caller": "0x7ff6c28c27c9",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "synchronization",
            "api": "NtFindAtom",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "AtomName",
                "value": "{57086C23-86C6-478F-AFB2-236188C8F47F} 3"
              },
              {
                "name": "Atom",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 23250
          },
          {
            "timestamp": "2026-05-28 22:02:39,475",
            "thread_id": "2700",
            "caller": "0x7ff6c28d9322",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "oleaut32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc77330000"
              }
            ],
            "repeated": 0,
            "id": 23251
          },
          {
            "timestamp": "2026-05-28 22:02:39,475",
            "thread_id": "5448",
            "caller": "0x7ff6c28bb952",
            "parentcaller": "0x7ff6c28be837",
            "category": "windows",
            "api": "PostMessageW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "WindowHandle",
                "value": "0x00010402"
              },
              {
                "name": "Message",
                "value": "0x00000464"
              }
            ],
            "repeated": 0,
            "id": 23252
          },
          {
            "timestamp": "2026-05-28 22:02:39,475",
            "thread_id": "608",
            "caller": "0x7ff6c28d9e90",
            "parentcaller": "0x7ff6c28d9a49",
            "category": "windows",
            "api": "FindWindowW",
            "status": true,
            "return": "0x00010092",
            "arguments": [
              {
                "name": "ClassName",
                "value": "Shell_TrayWnd"
              },
              {
                "name": "WindowName",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 23253
          },
          {
            "timestamp": "2026-05-28 22:02:39,475",
            "thread_id": "2700",
            "caller": "0x7ffc77bf0e98",
            "parentcaller": "0x7ffc77c6b785",
            "category": "windows",
            "api": "PostMessageW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "WindowHandle",
                "value": "0x00010438"
              },
              {
                "name": "Message",
                "value": "0x00000400"
              }
            ],
            "repeated": 0,
            "id": 23254
          },
          {
            "timestamp": "2026-05-28 22:02:39,490",
            "thread_id": "2700",
            "caller": "0x7ffc77bf0e98",
            "parentcaller": "0x7ffc77c6b785",
            "category": "windows",
            "api": "PostMessageW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "WindowHandle",
                "value": "0x00010424"
              },
              {
                "name": "Message",
                "value": "0x00000400"
              }
            ],
            "repeated": 0,
            "id": 23255
          },
          {
            "timestamp": "2026-05-28 22:02:40,178",
            "thread_id": "612",
            "caller": "0x7ff6c296b9f3",
            "parentcaller": "0x7ff6c296e5f8",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 23256
          },
          {
            "timestamp": "2026-05-28 22:02:40,178",
            "thread_id": "612",
            "caller": "0x7ff6c296ba63",
            "parentcaller": "0x7ff6c296e5f8",
            "category": "filesystem",
            "api": "FindFirstFileExW",
            "status": true,
            "return": "0x292549cc8d0",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Users\\admin\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\*.*"
              },
              {
                "name": "FirstCreateTimeLow",
                "value": "0xaff228df"
              },
              {
                "name": "FirstCreateTimeHigh",
                "value": "0x01dceeb6"
              }
            ],
            "repeated": 0,
            "id": 23257
          },
          {
            "timestamp": "2026-05-28 22:02:40,178",
            "thread_id": "612",
            "caller": "0x7ff6c296b9d4",
            "parentcaller": "0x7ff6c296e5f8",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000ab8"
              }
            ],
            "repeated": 0,
            "id": 23258
          },
          {
            "timestamp": "2026-05-28 22:02:40,178",
            "thread_id": "612",
            "caller": "0x7ff6c296b9f3",
            "parentcaller": "0x7ff6c296e5f8",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 23259
          },
          {
            "timestamp": "2026-05-28 22:02:40,178",
            "thread_id": "612",
            "caller": "0x7ff6c296ba63",
            "parentcaller": "0x7ff6c296e5f8",
            "category": "filesystem",
            "api": "FindFirstFileExW",
            "status": true,
            "return": "0x29254737570",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\StartUp\\*.*"
              },
              {
                "name": "FirstCreateTimeLow",
                "value": "0xc867053b"
              },
              {
                "name": "FirstCreateTimeHigh",
                "value": "0x01d5acde"
              }
            ],
            "repeated": 0,
            "id": 23260
          },
          {
            "timestamp": "2026-05-28 22:02:40,178",
            "thread_id": "612",
            "caller": "0x7ff6c296bd3f",
            "parentcaller": "0x7ff6c296e5f8",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000ab8"
              }
            ],
            "repeated": 0,
            "id": 23261
          },
          {
            "timestamp": "2026-05-28 22:02:40,178",
            "thread_id": "612",
            "caller": "0x7ff6c296c455",
            "parentcaller": "0x7ff6c296e63c",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Run"
              },
              {
                "name": "Handle",
                "value": "0x00000ab8"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Run"
              }
            ],
            "repeated": 0,
            "id": 23262
          },
          {
            "timestamp": "2026-05-28 22:02:40,178",
            "thread_id": "612",
            "caller": "0x7ff6c296c0df",
            "parentcaller": "0x7ff6c296c48a",
            "category": "registry",
            "api": "RegQueryInfoKeyW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000ab8"
              },
              {
                "name": "Class",
                "value": ""
              },
              {
                "name": "SubKeyCount",
                "value": "0"
              },
              {
                "name": "MaxSubKeyLength",
                "value": "0"
              },
              {
                "name": "MaxClassLength",
                "value": "0"
              },
              {
                "name": "ValueCount",
                "value": "2"
              },
              {
                "name": "MaxValueNameLength",
                "value": "0"
              },
              {
                "name": "MaxValueLength",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 23263
          },
          {
            "timestamp": "2026-05-28 22:02:40,178",
            "thread_id": "612",
            "caller": "0x7ff6c290d36c",
            "parentcaller": "0x7ff6c296c16e",
            "category": "registry",
            "api": "RegEnumValueW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000ab8"
              },
              {
                "name": "Index",
                "value": "0"
              },
              {
                "name": "ValueName",
                "value": "SecurityHealth"
              },
              {
                "name": "Type",
                "value": "2",
                "pretty_value": "REG_EXPAND_SZ"
              },
              {
                "name": "DataLength",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\SecurityHealth"
              }
            ],
            "repeated": 0,
            "id": 23264
          },
          {
            "timestamp": "2026-05-28 22:02:40,178",
            "thread_id": "612",
            "caller": "0x7ff6c290d20b",
            "parentcaller": "0x7ff6c296c1bd",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000ab8"
              },
              {
                "name": "ValueName",
                "value": "SecurityHealth"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\SecurityHealth"
              }
            ],
            "repeated": 0,
            "id": 23265
          },
          {
            "timestamp": "2026-05-28 22:02:40,178",
            "thread_id": "612",
            "caller": "0x7ff6c290d2e0",
            "parentcaller": "0x7ff6c296c1bd",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000ab8"
              },
              {
                "name": "ValueName",
                "value": "SecurityHealth"
              },
              {
                "name": "Data",
                "value": "%windir%\\system32\\SecurityHealthSystray.exe"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\SecurityHealth"
              }
            ],
            "repeated": 0,
            "id": 23266
          },
          {
            "timestamp": "2026-05-28 22:02:40,178",
            "thread_id": "612",
            "caller": "0x7ff6c296abc5",
            "parentcaller": "0x7ff6c296e244",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004a4"
              },
              {
                "name": "ValueName",
                "value": "SecurityHealth"
              },
              {
                "name": "Data",
                "value": "\\x06\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\StartupApproved\\Run\\SecurityHealth"
              }
            ],
            "repeated": 0,
            "id": 23267
          },
          {
            "timestamp": "2026-05-28 22:02:40,178",
            "thread_id": "612",
            "caller": "0x7ff6c290bbeb",
            "parentcaller": "0x7ff6c296cf53",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 23268
          },
          {
            "timestamp": "2026-05-28 22:02:40,178",
            "thread_id": "612",
            "caller": "0x7ff6c290bbeb",
            "parentcaller": "0x7ff6c296cf53",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\SecurityHealthSystray.exe"
              }
            ],
            "repeated": 0,
            "id": 23269
          },
          {
            "timestamp": "2026-05-28 22:02:40,178",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x292514f0002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\system32\\SecurityHealthSystray.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 23270
          },
          {
            "timestamp": "2026-05-28 22:02:40,178",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "registry",
            "api": "NtOpenKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\en-US"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\en-US"
              }
            ],
            "repeated": 0,
            "id": 23271
          },
          {
            "timestamp": "2026-05-28 22:02:40,178",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100001",
                "pretty_value": "FILE_READ_ACCESS|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\en-US\\SecurityHealthSystray.exe.mui"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 23272
          },
          {
            "timestamp": "2026-05-28 22:02:40,178",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "registry",
            "api": "NtOpenKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\en"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\en"
              }
            ],
            "repeated": 0,
            "id": 23273
          },
          {
            "timestamp": "2026-05-28 22:02:40,178",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100001",
                "pretty_value": "FILE_READ_ACCESS|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\en\\SecurityHealthSystray.exe.mui"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 23274
          },
          {
            "timestamp": "2026-05-28 22:02:40,178",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\SecurityHealthSystray.exe"
              }
            ],
            "repeated": 0,
            "id": 23275
          },
          {
            "timestamp": "2026-05-28 22:02:40,178",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x292514f0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00019000"
              }
            ],
            "repeated": 0,
            "id": 23276
          },
          {
            "timestamp": "2026-05-28 22:02:40,178",
            "thread_id": "612",
            "caller": "0x7ff6c28c9b37",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x292514f0002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\system32\\SecurityHealthSystray.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 23277
          },
          {
            "timestamp": "2026-05-28 22:02:40,178",
            "thread_id": "612",
            "caller": "0x7ff6c28c9b37",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "registry",
            "api": "NtOpenKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\en-US"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\en-US"
              }
            ],
            "repeated": 0,
            "id": 23278
          },
          {
            "timestamp": "2026-05-28 22:02:40,178",
            "thread_id": "612",
            "caller": "0x7ff6c28c9b37",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100001",
                "pretty_value": "FILE_READ_ACCESS|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\en-US\\SecurityHealthSystray.exe.mui"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 23279
          },
          {
            "timestamp": "2026-05-28 22:02:40,178",
            "thread_id": "612",
            "caller": "0x7ff6c28c9b37",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "registry",
            "api": "NtOpenKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\en"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\en"
              }
            ],
            "repeated": 0,
            "id": 23280
          },
          {
            "timestamp": "2026-05-28 22:02:40,178",
            "thread_id": "612",
            "caller": "0x7ff6c28c9b37",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100001",
                "pretty_value": "FILE_READ_ACCESS|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\en\\SecurityHealthSystray.exe.mui"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 23281
          },
          {
            "timestamp": "2026-05-28 22:02:40,178",
            "thread_id": "612",
            "caller": "0x7ff6c28c9b37",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\SecurityHealthSystray.exe"
              }
            ],
            "repeated": 0,
            "id": 23282
          },
          {
            "timestamp": "2026-05-28 22:02:40,178",
            "thread_id": "612",
            "caller": "0x7ff6c28c9b37",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x292514f0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00019000"
              }
            ],
            "repeated": 0,
            "id": 23283
          },
          {
            "timestamp": "2026-05-28 22:02:40,178",
            "thread_id": "612",
            "caller": "0x7ff6c296e129",
            "parentcaller": "0x7ff6c296d3aa",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\SecurityHealthSystray.exe"
              }
            ],
            "repeated": 1,
            "id": 23284
          },
          {
            "timestamp": "2026-05-28 22:02:40,178",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x292514f0002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\System32\\SecurityHealthSystray.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 23285
          },
          {
            "timestamp": "2026-05-28 22:02:40,178",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "registry",
            "api": "NtOpenKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\en-US"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\en-US"
              }
            ],
            "repeated": 0,
            "id": 23286
          },
          {
            "timestamp": "2026-05-28 22:02:40,178",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100001",
                "pretty_value": "FILE_READ_ACCESS|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\en-US\\SecurityHealthSystray.exe.mui"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 23287
          },
          {
            "timestamp": "2026-05-28 22:02:40,178",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "registry",
            "api": "NtOpenKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\en"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\en"
              }
            ],
            "repeated": 0,
            "id": 23288
          },
          {
            "timestamp": "2026-05-28 22:02:40,178",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100001",
                "pretty_value": "FILE_READ_ACCESS|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\en\\SecurityHealthSystray.exe.mui"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 23289
          },
          {
            "timestamp": "2026-05-28 22:02:40,178",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\SecurityHealthSystray.exe"
              }
            ],
            "repeated": 0,
            "id": 23290
          },
          {
            "timestamp": "2026-05-28 22:02:40,178",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x292514f0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00019000"
              }
            ],
            "repeated": 0,
            "id": 23291
          },
          {
            "timestamp": "2026-05-28 22:02:40,178",
            "thread_id": "612",
            "caller": "0x7ff6c28c9b37",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x292514f0002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\System32\\SecurityHealthSystray.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 23292
          },
          {
            "timestamp": "2026-05-28 22:02:40,178",
            "thread_id": "612",
            "caller": "0x7ff6c28c9b37",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "registry",
            "api": "NtOpenKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\en-US"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\en-US"
              }
            ],
            "repeated": 0,
            "id": 23293
          },
          {
            "timestamp": "2026-05-28 22:02:40,178",
            "thread_id": "612",
            "caller": "0x7ff6c28c9b37",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100001",
                "pretty_value": "FILE_READ_ACCESS|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\en-US\\SecurityHealthSystray.exe.mui"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 23294
          },
          {
            "timestamp": "2026-05-28 22:02:40,178",
            "thread_id": "612",
            "caller": "0x7ff6c28c9b37",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "registry",
            "api": "NtOpenKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\en"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\en"
              }
            ],
            "repeated": 0,
            "id": 23295
          },
          {
            "timestamp": "2026-05-28 22:02:40,178",
            "thread_id": "612",
            "caller": "0x7ff6c28c9b37",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100001",
                "pretty_value": "FILE_READ_ACCESS|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\en\\SecurityHealthSystray.exe.mui"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 23296
          },
          {
            "timestamp": "2026-05-28 22:02:40,178",
            "thread_id": "612",
            "caller": "0x7ff6c28c9b37",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\SecurityHealthSystray.exe"
              }
            ],
            "repeated": 0,
            "id": 23297
          },
          {
            "timestamp": "2026-05-28 22:02:40,178",
            "thread_id": "612",
            "caller": "0x7ff6c28c9b37",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x292514f0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00019000"
              }
            ],
            "repeated": 0,
            "id": 23298
          },
          {
            "timestamp": "2026-05-28 22:02:40,178",
            "thread_id": "612",
            "caller": "0x7ff6c296e129",
            "parentcaller": "0x7ff6c296c7fa",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\SecurityHealthSystray.exe"
              }
            ],
            "repeated": 0,
            "id": 23299
          },
          {
            "timestamp": "2026-05-28 22:02:40,178",
            "thread_id": "612",
            "caller": "0x7ff6c290d36c",
            "parentcaller": "0x7ff6c296c16e",
            "category": "registry",
            "api": "RegEnumValueW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000ab8"
              },
              {
                "name": "Index",
                "value": "1"
              },
              {
                "name": "ValueName",
                "value": "CAPEAgent"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "DataLength",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\CAPEAgent"
              }
            ],
            "repeated": 0,
            "id": 23300
          },
          {
            "timestamp": "2026-05-28 22:02:40,178",
            "thread_id": "612",
            "caller": "0x7ff6c290d20b",
            "parentcaller": "0x7ff6c296c1bd",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000ab8"
              },
              {
                "name": "ValueName",
                "value": "CAPEAgent"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\CAPEAgent"
              }
            ],
            "repeated": 0,
            "id": 23301
          },
          {
            "timestamp": "2026-05-28 22:02:40,178",
            "thread_id": "612",
            "caller": "0x7ff6c290d2e0",
            "parentcaller": "0x7ff6c296c1bd",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000ab8"
              },
              {
                "name": "ValueName",
                "value": "CAPEAgent"
              },
              {
                "name": "Data",
                "value": "\"C:\\Users\\admin\\AppData\\Local\\Microsoft\\WindowsApps\\python.exe\" \"C:\\agent.py\""
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\CAPEAgent"
              }
            ],
            "repeated": 0,
            "id": 23302
          },
          {
            "timestamp": "2026-05-28 22:02:40,178",
            "thread_id": "612",
            "caller": "0x7ff6c296abc5",
            "parentcaller": "0x7ff6c296e244",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004a4"
              },
              {
                "name": "ValueName",
                "value": "CAPEAgent"
              },
              {
                "name": "Data",
                "value": "\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\StartupApproved\\Run\\CAPEAgent"
              }
            ],
            "repeated": 0,
            "id": 23303
          },
          {
            "timestamp": "2026-05-28 22:02:40,178",
            "thread_id": "612",
            "caller": "0x7ff6c290bbeb",
            "parentcaller": "0x7ff6c296cf53",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Users\\admin\\AppData\\Local\\Microsoft\\WindowsApps\\python.exe"
              }
            ],
            "repeated": 0,
            "id": 23304
          },
          {
            "timestamp": "2026-05-28 22:02:40,178",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": false,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Users\\admin\\AppData\\Local\\Microsoft\\WindowsApps\\python.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 23305
          },
          {
            "timestamp": "2026-05-28 22:02:40,178",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": false,
            "return": "0xffffffffc0000279",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Users\\admin\\AppData\\Local\\Microsoft\\WindowsApps\\python.exe"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "1",
                "pretty_value": "FILE_SHARE_READ"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000080",
                "pretty_value": "FILE_ATTRIBUTE_NORMAL"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 23306
          },
          {
            "timestamp": "2026-05-28 22:02:40,178",
            "thread_id": "612",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000001",
                "pretty_value": "HKEY_CURRENT_USER"
              },
              {
                "name": "SubKey",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume"
              },
              {
                "name": "Handle",
                "value": "0x00000ab4"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume"
              }
            ],
            "repeated": 0,
            "id": 23307
          },
          {
            "timestamp": "2026-05-28 22:02:40,178",
            "thread_id": "612",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000ab4"
              },
              {
                "name": "SubKey",
                "value": "{528c102f-0000-0000-0000-300300000000}\\"
              },
              {
                "name": "Handle",
                "value": "0x00000aa0"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{528c102f-0000-0000-0000-300300000000}\\"
              }
            ],
            "repeated": 0,
            "id": 23308
          },
          {
            "timestamp": "2026-05-28 22:02:40,178",
            "thread_id": "612",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000ab4"
              }
            ],
            "repeated": 0,
            "id": 23309
          },
          {
            "timestamp": "2026-05-28 22:02:40,178",
            "thread_id": "612",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000aa0"
              },
              {
                "name": "ValueName",
                "value": "Generation"
              },
              {
                "name": "Data",
                "value": "1"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{528c102f-0000-0000-0000-300300000000}\\Generation"
              }
            ],
            "repeated": 0,
            "id": 23310
          },
          {
            "timestamp": "2026-05-28 22:02:40,178",
            "thread_id": "612",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000aa0"
              }
            ],
            "repeated": 0,
            "id": 23311
          },
          {
            "timestamp": "2026-05-28 22:02:40,178",
            "thread_id": "612",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000aa0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100081",
                "pretty_value": "FILE_READ_ACCESS|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 23312
          },
          {
            "timestamp": "2026-05-28 22:02:40,178",
            "thread_id": "612",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": false,
            "return": "0xffffffffc000000d",
            "pretty_return": "INVALID_PARAMETER",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000aa0"
              },
              {
                "name": "HandleName",
                "value": "C:\\"
              },
              {
                "name": "FileInformationClass",
                "value": "55",
                "pretty_value": "FileReplaceCompletionInformation"
              },
              {
                "name": "FileInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 23313
          },
          {
            "timestamp": "2026-05-28 22:02:40,178",
            "thread_id": "612",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "filesystem",
            "api": "NtQueryDirectoryFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000aa0"
              },
              {
                "name": "FileInformation",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x006\\xean:\\xdd\\xac\\xd5\\x01\\x97\\xf5\\xb7\\xc2\\xea\\xee\\xdc\\x01\\x9d\\xa9\\xd1\\xc9\\xb8\\xee\\xdc\\x01\\x9d\\xa9\\xd1\\xc9\\xb8\\xee\\xdc\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x11\\x00\\x00\\x00\n\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xee\\x05\\x00\\x00\\x00\\x00\\x01\\x00U\\x00s\\x00e\\x00r\\x00s\\x00"
              },
              {
                "name": "FileName",
                "value": "C:\\Users"
              },
              {
                "name": "FileInformationClass",
                "value": "37",
                "pretty_value": "FileIdBothDirectoryInformation"
              }
            ],
            "repeated": 0,
            "id": 23314
          },
          {
            "timestamp": "2026-05-28 22:02:40,178",
            "thread_id": "612",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000aa0"
              }
            ],
            "repeated": 0,
            "id": 23315
          },
          {
            "timestamp": "2026-05-28 22:02:40,178",
            "thread_id": "612",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 23316
          },
          {
            "timestamp": "2026-05-28 22:02:40,178",
            "thread_id": "612",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000aa0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100081",
                "pretty_value": "FILE_READ_ACCESS|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Users"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 23317
          },
          {
            "timestamp": "2026-05-28 22:02:40,178",
            "thread_id": "612",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": false,
            "return": "0xffffffffc000000d",
            "pretty_return": "INVALID_PARAMETER",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000aa0"
              },
              {
                "name": "HandleName",
                "value": "C:\\Users"
              },
              {
                "name": "FileInformationClass",
                "value": "55",
                "pretty_value": "FileReplaceCompletionInformation"
              },
              {
                "name": "FileInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 23318
          },
          {
            "timestamp": "2026-05-28 22:02:40,178",
            "thread_id": "612",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "filesystem",
            "api": "NtQueryDirectoryFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000aa0"
              },
              {
                "name": "FileInformation",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xf4a\\xd0\\x9c\\xb6\\xee\\xdc\\x01\\x13\\x00\\xa9p\\xeb\\xee\\xdc\\x01\\x13\\x00\\xa9p\\xeb\\xee\\xdc\\x01\\x13\\x00\\xa9p\\xeb\\xee\\xdc\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\n\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x004\\x9a\\x01\\x00\\x00\\x00\\x04\\x00a\\x00d\\x00m\\x00i\\x00n\\x00"
              },
              {
                "name": "FileName",
                "value": "C:\\Users\\admin"
              },
              {
                "name": "FileInformationClass",
                "value": "37",
                "pretty_value": "FileIdBothDirectoryInformation"
              }
            ],
            "repeated": 0,
            "id": 23319
          },
          {
            "timestamp": "2026-05-28 22:02:40,178",
            "thread_id": "612",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000aa0"
              }
            ],
            "repeated": 0,
            "id": 23320
          },
          {
            "timestamp": "2026-05-28 22:02:40,178",
            "thread_id": "612",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 23321
          },
          {
            "timestamp": "2026-05-28 22:02:40,178",
            "thread_id": "612",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000aa0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100081",
                "pretty_value": "FILE_READ_ACCESS|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Users\\admin"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 23322
          },
          {
            "timestamp": "2026-05-28 22:02:40,178",
            "thread_id": "612",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": false,
            "return": "0xffffffffc000000d",
            "pretty_return": "INVALID_PARAMETER",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000aa0"
              },
              {
                "name": "HandleName",
                "value": "C:\\Users\\admin"
              },
              {
                "name": "FileInformationClass",
                "value": "55",
                "pretty_value": "FileReplaceCompletionInformation"
              },
              {
                "name": "FileInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 23323
          },
          {
            "timestamp": "2026-05-28 22:02:40,178",
            "thread_id": "612",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "filesystem",
            "api": "NtQueryDirectoryFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000aa0"
              },
              {
                "name": "FileInformation",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00R \\xd6\\x9c\\xb6\\xee\\xdc\\x01\\x97\\xf5\\xb7\\xc2\\xea\\xee\\xdc\\x01n\\xbc\\xe2\\x9c\\xb6\\xee\\xdc\\x01n\\xbc\\xe2\\x9c\\xb6\\xee\\xdc\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x12\\x00\\x00\\x00\\x0e\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x1c\\xa5\\x01\\x00\\x00\\x00\\x03\\x00A\\x00p\\x00p\\x00D\\x00a\\x00t\\x00a\\x00"
              },
              {
                "name": "FileName",
                "value": "C:\\Users\\admin\\AppData"
              },
              {
                "name": "FileInformationClass",
                "value": "37",
                "pretty_value": "FileIdBothDirectoryInformation"
              }
            ],
            "repeated": 0,
            "id": 23324
          },
          {
            "timestamp": "2026-05-28 22:02:40,178",
            "thread_id": "612",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000aa0"
              }
            ],
            "repeated": 0,
            "id": 23325
          },
          {
            "timestamp": "2026-05-28 22:02:40,178",
            "thread_id": "612",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000aa0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100081",
                "pretty_value": "FILE_READ_ACCESS|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Users\\admin\\AppData"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 23326
          },
          {
            "timestamp": "2026-05-28 22:02:40,178",
            "thread_id": "612",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": false,
            "return": "0xffffffffc000000d",
            "pretty_return": "INVALID_PARAMETER",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000aa0"
              },
              {
                "name": "HandleName",
                "value": "C:\\Users\\admin\\AppData"
              },
              {
                "name": "FileInformationClass",
                "value": "55",
                "pretty_value": "FileReplaceCompletionInformation"
              },
              {
                "name": "FileInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 23327
          },
          {
            "timestamp": "2026-05-28 22:02:40,178",
            "thread_id": "612",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "filesystem",
            "api": "NtQueryDirectoryFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000aa0"
              },
              {
                "name": "FileInformation",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\\\xbd\\xd6\\x9c\\xb6\\xee\\xdc\\x01\\xe8\\x93\\x17\\xc5\\xea\\xee\\xdc\\x01\\xde\\x8d\\x85=\\x02\\xef\\xdc\\x01\\xde\\x8d\\x85=\\x02\\xef\\xdc\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\n\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x001\\xa6\\x01\\x00\\x00\\x00\\x02\\x00L\\x00o\\x00c\\x00a\\x00l\\x00"
              },
              {
                "name": "FileName",
                "value": "C:\\Users\\admin\\AppData\\Local"
              },
              {
                "name": "FileInformationClass",
                "value": "37",
                "pretty_value": "FileIdBothDirectoryInformation"
              }
            ],
            "repeated": 0,
            "id": 23328
          },
          {
            "timestamp": "2026-05-28 22:02:40,178",
            "thread_id": "612",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000aa0"
              }
            ],
            "repeated": 0,
            "id": 23329
          },
          {
            "timestamp": "2026-05-28 22:02:40,178",
            "thread_id": "612",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000aa0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100081",
                "pretty_value": "FILE_READ_ACCESS|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Users\\admin\\AppData\\Local"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 23330
          },
          {
            "timestamp": "2026-05-28 22:02:40,178",
            "thread_id": "612",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": false,
            "return": "0xffffffffc000000d",
            "pretty_return": "INVALID_PARAMETER",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000aa0"
              },
              {
                "name": "HandleName",
                "value": "C:\\Users\\admin\\AppData\\Local"
              },
              {
                "name": "FileInformationClass",
                "value": "55",
                "pretty_value": "FileReplaceCompletionInformation"
              },
              {
                "name": "FileInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 23331
          },
          {
            "timestamp": "2026-05-28 22:02:40,178",
            "thread_id": "612",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "filesystem",
            "api": "NtQueryDirectoryFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000aa0"
              },
              {
                "name": "FileInformation",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\\\xbd\\xd6\\x9c\\xb6\\xee\\xdc\\x01E\\xc5\\xeb\\xc5\\xea\\xee\\xdc\\x01\\x8d\\xff[\\xc0\\xb8\\xee\\xdc\\x01\\x8d\\xff[\\xc0\\xb8\\xee\\xdc\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x12\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00M\\x00I\\x00C\\x00R\\x00O\\x00S\\x00~\\x001\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x003\\xa6\\x01\\x00\\x00\\x00\\x02\\x00M\\x00i\\x00c\\x00r\\x00o\\x00s\\x00o\\x00f\\x00t\\x00"
              },
              {
                "name": "FileName",
                "value": "C:\\Users\\admin\\AppData\\Local\\Microsoft"
              },
              {
                "name": "FileInformationClass",
                "value": "37",
                "pretty_value": "FileIdBothDirectoryInformation"
              }
            ],
            "repeated": 0,
            "id": 23332
          },
          {
            "timestamp": "2026-05-28 22:02:40,178",
            "thread_id": "612",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000aa0"
              }
            ],
            "repeated": 0,
            "id": 23333
          },
          {
            "timestamp": "2026-05-28 22:02:40,178",
            "thread_id": "612",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000aa0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100081",
                "pretty_value": "FILE_READ_ACCESS|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Users\\admin\\AppData\\Local\\Microsoft"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 23334
          },
          {
            "timestamp": "2026-05-28 22:02:40,178",
            "thread_id": "612",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": false,
            "return": "0xffffffffc000000d",
            "pretty_return": "INVALID_PARAMETER",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000aa0"
              },
              {
                "name": "HandleName",
                "value": "C:\\Users\\admin\\AppData\\Local\\Microsoft"
              },
              {
                "name": "FileInformationClass",
                "value": "55",
                "pretty_value": "FileReplaceCompletionInformation"
              },
              {
                "name": "FileInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 23335
          },
          {
            "timestamp": "2026-05-28 22:02:40,178",
            "thread_id": "612",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "filesystem",
            "api": "NtQueryDirectoryFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000aa0"
              },
              {
                "name": "FileInformation",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\\\xbd\\xd6\\x9c\\xb6\\xee\\xdc\\x01{\\x7f\\x9e$\\xeb\\xee\\xdc\\x01)S:q\\xb7\\xee\\xdc\\x01)S:q\\xb7\\xee\\xdc\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x14\\x00\\x00\\x00\\x16\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00W\\x00I\\x00N\\x00D\\x00O\\x00W\\x00~\\x001\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x004\\xa6\\x01\\x00\\x00\\x00\\x02\\x00W\\x00i\\x00n\\x00d\\x00o\\x00w\\x00s\\x00A\\x00p\\x00p\\x00s\\x00"
              },
              {
                "name": "FileName",
                "value": "C:\\Users\\admin\\AppData\\Local\\Microsoft\\WindowsApps"
              },
              {
                "name": "FileInformationClass",
                "value": "37",
                "pretty_value": "FileIdBothDirectoryInformation"
              }
            ],
            "repeated": 0,
            "id": 23336
          },
          {
            "timestamp": "2026-05-28 22:02:40,178",
            "thread_id": "612",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000aa0"
              }
            ],
            "repeated": 0,
            "id": 23337
          },
          {
            "timestamp": "2026-05-28 22:02:40,178",
            "thread_id": "612",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 23338
          },
          {
            "timestamp": "2026-05-28 22:02:40,178",
            "thread_id": "612",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000aa0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100081",
                "pretty_value": "FILE_READ_ACCESS|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Users\\admin\\AppData\\Local\\Microsoft\\WindowsApps"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 23339
          },
          {
            "timestamp": "2026-05-28 22:02:40,178",
            "thread_id": "612",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": false,
            "return": "0xffffffffc000000d",
            "pretty_return": "INVALID_PARAMETER",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000aa0"
              },
              {
                "name": "HandleName",
                "value": "C:\\Users\\admin\\AppData\\Local\\Microsoft\\WindowsApps"
              },
              {
                "name": "FileInformationClass",
                "value": "55",
                "pretty_value": "FileReplaceCompletionInformation"
              },
              {
                "name": "FileInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 23340
          },
          {
            "timestamp": "2026-05-28 22:02:40,178",
            "thread_id": "612",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "filesystem",
            "api": "NtQueryDirectoryFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000aa0"
              },
              {
                "name": "FileInformation",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x9fI\\xbe\\xb1\\xb6\\xee\\xdc\\x01\\x19\\x048q\\xb7\\xee\\xdc\\x01\\x19\\x048q\\xb7\\xee\\xdc\\x01\\x19\\x048q\\xb7\\xee\\xdc\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00 \\x04\\x00\\x00\\x14\\x00\\x00\\x00\\x1b\\x00\\x00\\x80\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00H\\xa9\\x01\\x00\\x00\\x00\\x03\\x00p\\x00y\\x00t\\x00h\\x00o\\x00n\\x00.\\x00e\\x00x\\x00e\\x00"
              },
              {
                "name": "FileName",
                "value": "C:\\Users\\admin\\AppData\\Local\\Microsoft\\WindowsApps\\python.exe"
              },
              {
                "name": "FileInformationClass",
                "value": "37",
                "pretty_value": "FileIdBothDirectoryInformation"
              }
            ],
            "repeated": 0,
            "id": 23341
          },
          {
            "timestamp": "2026-05-28 22:02:40,178",
            "thread_id": "612",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000aa0"
              }
            ],
            "repeated": 0,
            "id": 23342
          },
          {
            "timestamp": "2026-05-28 22:02:40,178",
            "thread_id": "612",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 23343
          },
          {
            "timestamp": "2026-05-28 22:02:40,178",
            "thread_id": "612",
            "caller": "0x7ff6c296e129",
            "parentcaller": "0x7ff6c296d3aa",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Users\\admin\\AppData\\Local\\Microsoft\\WindowsApps\\python.exe"
              }
            ],
            "repeated": 1,
            "id": 23344
          },
          {
            "timestamp": "2026-05-28 22:02:40,178",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": false,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Users\\admin\\AppData\\Local\\Microsoft\\WindowsApps\\python.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 23345
          },
          {
            "timestamp": "2026-05-28 22:02:40,178",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": false,
            "return": "0xffffffffc0000279",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Users\\admin\\AppData\\Local\\Microsoft\\WindowsApps\\python.exe"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "1",
                "pretty_value": "FILE_SHARE_READ"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000080",
                "pretty_value": "FILE_ATTRIBUTE_NORMAL"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 23346
          },
          {
            "timestamp": "2026-05-28 22:02:40,178",
            "thread_id": "612",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000001",
                "pretty_value": "HKEY_CURRENT_USER"
              },
              {
                "name": "SubKey",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume"
              },
              {
                "name": "Handle",
                "value": "0x00000aa0"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume"
              }
            ],
            "repeated": 0,
            "id": 23347
          },
          {
            "timestamp": "2026-05-28 22:02:40,178",
            "thread_id": "612",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000aa0"
              },
              {
                "name": "SubKey",
                "value": "{528c102f-0000-0000-0000-300300000000}\\"
              },
              {
                "name": "Handle",
                "value": "0x00000ab4"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{528c102f-0000-0000-0000-300300000000}\\"
              }
            ],
            "repeated": 0,
            "id": 23348
          },
          {
            "timestamp": "2026-05-28 22:02:40,178",
            "thread_id": "612",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000aa0"
              }
            ],
            "repeated": 0,
            "id": 23349
          },
          {
            "timestamp": "2026-05-28 22:02:40,178",
            "thread_id": "612",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000ab4"
              },
              {
                "name": "ValueName",
                "value": "Generation"
              },
              {
                "name": "Data",
                "value": "1"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{528c102f-0000-0000-0000-300300000000}\\Generation"
              }
            ],
            "repeated": 0,
            "id": 23350
          },
          {
            "timestamp": "2026-05-28 22:02:40,178",
            "thread_id": "612",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000ab4"
              }
            ],
            "repeated": 0,
            "id": 23351
          },
          {
            "timestamp": "2026-05-28 22:02:40,178",
            "thread_id": "612",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000ab4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100081",
                "pretty_value": "FILE_READ_ACCESS|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 23352
          },
          {
            "timestamp": "2026-05-28 22:02:40,178",
            "thread_id": "612",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": false,
            "return": "0xffffffffc000000d",
            "pretty_return": "INVALID_PARAMETER",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000ab4"
              },
              {
                "name": "HandleName",
                "value": "C:\\"
              },
              {
                "name": "FileInformationClass",
                "value": "55",
                "pretty_value": "FileReplaceCompletionInformation"
              },
              {
                "name": "FileInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 23353
          },
          {
            "timestamp": "2026-05-28 22:02:40,178",
            "thread_id": "612",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "filesystem",
            "api": "NtQueryDirectoryFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000ab4"
              },
              {
                "name": "FileInformation",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x006\\xean:\\xdd\\xac\\xd5\\x01\\x97\\xf5\\xb7\\xc2\\xea\\xee\\xdc\\x01\\x9d\\xa9\\xd1\\xc9\\xb8\\xee\\xdc\\x01\\x9d\\xa9\\xd1\\xc9\\xb8\\xee\\xdc\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x11\\x00\\x00\\x00\n\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xee\\x05\\x00\\x00\\x00\\x00\\x01\\x00U\\x00s\\x00e\\x00r\\x00s\\x00"
              },
              {
                "name": "FileName",
                "value": "C:\\Users"
              },
              {
                "name": "FileInformationClass",
                "value": "37",
                "pretty_value": "FileIdBothDirectoryInformation"
              }
            ],
            "repeated": 0,
            "id": 23354
          },
          {
            "timestamp": "2026-05-28 22:02:40,178",
            "thread_id": "612",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000ab4"
              }
            ],
            "repeated": 0,
            "id": 23355
          },
          {
            "timestamp": "2026-05-28 22:02:40,178",
            "thread_id": "612",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 23356
          },
          {
            "timestamp": "2026-05-28 22:02:40,178",
            "thread_id": "612",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000ab4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100081",
                "pretty_value": "FILE_READ_ACCESS|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Users"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 23357
          },
          {
            "timestamp": "2026-05-28 22:02:40,178",
            "thread_id": "612",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": false,
            "return": "0xffffffffc000000d",
            "pretty_return": "INVALID_PARAMETER",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000ab4"
              },
              {
                "name": "HandleName",
                "value": "C:\\Users"
              },
              {
                "name": "FileInformationClass",
                "value": "55",
                "pretty_value": "FileReplaceCompletionInformation"
              },
              {
                "name": "FileInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 23358
          },
          {
            "timestamp": "2026-05-28 22:02:40,178",
            "thread_id": "612",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "filesystem",
            "api": "NtQueryDirectoryFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000ab4"
              },
              {
                "name": "FileInformation",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xf4a\\xd0\\x9c\\xb6\\xee\\xdc\\x01\\x13\\x00\\xa9p\\xeb\\xee\\xdc\\x01\\x13\\x00\\xa9p\\xeb\\xee\\xdc\\x01\\x13\\x00\\xa9p\\xeb\\xee\\xdc\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\n\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x004\\x9a\\x01\\x00\\x00\\x00\\x04\\x00a\\x00d\\x00m\\x00i\\x00n\\x00"
              },
              {
                "name": "FileName",
                "value": "C:\\Users\\admin"
              },
              {
                "name": "FileInformationClass",
                "value": "37",
                "pretty_value": "FileIdBothDirectoryInformation"
              }
            ],
            "repeated": 0,
            "id": 23359
          },
          {
            "timestamp": "2026-05-28 22:02:40,178",
            "thread_id": "612",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000ab4"
              }
            ],
            "repeated": 0,
            "id": 23360
          },
          {
            "timestamp": "2026-05-28 22:02:40,178",
            "thread_id": "612",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 23361
          },
          {
            "timestamp": "2026-05-28 22:02:40,178",
            "thread_id": "612",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000ab4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100081",
                "pretty_value": "FILE_READ_ACCESS|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Users\\admin"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 23362
          },
          {
            "timestamp": "2026-05-28 22:02:40,178",
            "thread_id": "612",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": false,
            "return": "0xffffffffc000000d",
            "pretty_return": "INVALID_PARAMETER",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000ab4"
              },
              {
                "name": "HandleName",
                "value": "C:\\Users\\admin"
              },
              {
                "name": "FileInformationClass",
                "value": "55",
                "pretty_value": "FileReplaceCompletionInformation"
              },
              {
                "name": "FileInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 23363
          },
          {
            "timestamp": "2026-05-28 22:02:40,178",
            "thread_id": "612",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "filesystem",
            "api": "NtQueryDirectoryFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000ab4"
              },
              {
                "name": "FileInformation",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00R \\xd6\\x9c\\xb6\\xee\\xdc\\x01\\x97\\xf5\\xb7\\xc2\\xea\\xee\\xdc\\x01n\\xbc\\xe2\\x9c\\xb6\\xee\\xdc\\x01n\\xbc\\xe2\\x9c\\xb6\\xee\\xdc\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x12\\x00\\x00\\x00\\x0e\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x1c\\xa5\\x01\\x00\\x00\\x00\\x03\\x00A\\x00p\\x00p\\x00D\\x00a\\x00t\\x00a\\x00"
              },
              {
                "name": "FileName",
                "value": "C:\\Users\\admin\\AppData"
              },
              {
                "name": "FileInformationClass",
                "value": "37",
                "pretty_value": "FileIdBothDirectoryInformation"
              }
            ],
            "repeated": 0,
            "id": 23364
          },
          {
            "timestamp": "2026-05-28 22:02:40,178",
            "thread_id": "612",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000ab4"
              }
            ],
            "repeated": 0,
            "id": 23365
          },
          {
            "timestamp": "2026-05-28 22:02:40,178",
            "thread_id": "612",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000ab4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100081",
                "pretty_value": "FILE_READ_ACCESS|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Users\\admin\\AppData"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 23366
          },
          {
            "timestamp": "2026-05-28 22:02:40,193",
            "thread_id": "612",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": false,
            "return": "0xffffffffc000000d",
            "pretty_return": "INVALID_PARAMETER",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000ab4"
              },
              {
                "name": "HandleName",
                "value": "C:\\Users\\admin\\AppData"
              },
              {
                "name": "FileInformationClass",
                "value": "55",
                "pretty_value": "FileReplaceCompletionInformation"
              },
              {
                "name": "FileInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 23367
          },
          {
            "timestamp": "2026-05-28 22:02:40,193",
            "thread_id": "612",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "filesystem",
            "api": "NtQueryDirectoryFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000ab4"
              },
              {
                "name": "FileInformation",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\\\xbd\\xd6\\x9c\\xb6\\xee\\xdc\\x01\\xe8\\x93\\x17\\xc5\\xea\\xee\\xdc\\x01\\xde\\x8d\\x85=\\x02\\xef\\xdc\\x01\\xde\\x8d\\x85=\\x02\\xef\\xdc\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\n\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x001\\xa6\\x01\\x00\\x00\\x00\\x02\\x00L\\x00o\\x00c\\x00a\\x00l\\x00"
              },
              {
                "name": "FileName",
                "value": "C:\\Users\\admin\\AppData\\Local"
              },
              {
                "name": "FileInformationClass",
                "value": "37",
                "pretty_value": "FileIdBothDirectoryInformation"
              }
            ],
            "repeated": 0,
            "id": 23368
          },
          {
            "timestamp": "2026-05-28 22:02:40,193",
            "thread_id": "612",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000ab4"
              }
            ],
            "repeated": 0,
            "id": 23369
          },
          {
            "timestamp": "2026-05-28 22:02:40,193",
            "thread_id": "612",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000ab4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100081",
                "pretty_value": "FILE_READ_ACCESS|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Users\\admin\\AppData\\Local"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 23370
          },
          {
            "timestamp": "2026-05-28 22:02:40,193",
            "thread_id": "612",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": false,
            "return": "0xffffffffc000000d",
            "pretty_return": "INVALID_PARAMETER",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000ab4"
              },
              {
                "name": "HandleName",
                "value": "C:\\Users\\admin\\AppData\\Local"
              },
              {
                "name": "FileInformationClass",
                "value": "55",
                "pretty_value": "FileReplaceCompletionInformation"
              },
              {
                "name": "FileInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 23371
          },
          {
            "timestamp": "2026-05-28 22:02:40,193",
            "thread_id": "612",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "filesystem",
            "api": "NtQueryDirectoryFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000ab4"
              },
              {
                "name": "FileInformation",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\\\xbd\\xd6\\x9c\\xb6\\xee\\xdc\\x01E\\xc5\\xeb\\xc5\\xea\\xee\\xdc\\x01\\x8d\\xff[\\xc0\\xb8\\xee\\xdc\\x01\\x8d\\xff[\\xc0\\xb8\\xee\\xdc\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x12\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00M\\x00I\\x00C\\x00R\\x00O\\x00S\\x00~\\x001\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x003\\xa6\\x01\\x00\\x00\\x00\\x02\\x00M\\x00i\\x00c\\x00r\\x00o\\x00s\\x00o\\x00f\\x00t\\x00"
              },
              {
                "name": "FileName",
                "value": "C:\\Users\\admin\\AppData\\Local\\Microsoft"
              },
              {
                "name": "FileInformationClass",
                "value": "37",
                "pretty_value": "FileIdBothDirectoryInformation"
              }
            ],
            "repeated": 0,
            "id": 23372
          },
          {
            "timestamp": "2026-05-28 22:02:40,193",
            "thread_id": "612",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000ab4"
              }
            ],
            "repeated": 0,
            "id": 23373
          },
          {
            "timestamp": "2026-05-28 22:02:40,193",
            "thread_id": "612",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000ab4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100081",
                "pretty_value": "FILE_READ_ACCESS|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Users\\admin\\AppData\\Local\\Microsoft"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 23374
          },
          {
            "timestamp": "2026-05-28 22:02:40,193",
            "thread_id": "612",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": false,
            "return": "0xffffffffc000000d",
            "pretty_return": "INVALID_PARAMETER",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000ab4"
              },
              {
                "name": "HandleName",
                "value": "C:\\Users\\admin\\AppData\\Local\\Microsoft"
              },
              {
                "name": "FileInformationClass",
                "value": "55",
                "pretty_value": "FileReplaceCompletionInformation"
              },
              {
                "name": "FileInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 23375
          },
          {
            "timestamp": "2026-05-28 22:02:40,193",
            "thread_id": "612",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "filesystem",
            "api": "NtQueryDirectoryFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000ab4"
              },
              {
                "name": "FileInformation",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\\\xbd\\xd6\\x9c\\xb6\\xee\\xdc\\x01{\\x7f\\x9e$\\xeb\\xee\\xdc\\x01)S:q\\xb7\\xee\\xdc\\x01)S:q\\xb7\\xee\\xdc\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x14\\x00\\x00\\x00\\x16\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00W\\x00I\\x00N\\x00D\\x00O\\x00W\\x00~\\x001\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x004\\xa6\\x01\\x00\\x00\\x00\\x02\\x00W\\x00i\\x00n\\x00d\\x00o\\x00w\\x00s\\x00A\\x00p\\x00p\\x00s\\x00"
              },
              {
                "name": "FileName",
                "value": "C:\\Users\\admin\\AppData\\Local\\Microsoft\\WindowsApps"
              },
              {
                "name": "FileInformationClass",
                "value": "37",
                "pretty_value": "FileIdBothDirectoryInformation"
              }
            ],
            "repeated": 0,
            "id": 23376
          },
          {
            "timestamp": "2026-05-28 22:02:40,193",
            "thread_id": "612",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000ab4"
              }
            ],
            "repeated": 0,
            "id": 23377
          },
          {
            "timestamp": "2026-05-28 22:02:40,193",
            "thread_id": "612",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 23378
          },
          {
            "timestamp": "2026-05-28 22:02:40,193",
            "thread_id": "612",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000ab4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100081",
                "pretty_value": "FILE_READ_ACCESS|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Users\\admin\\AppData\\Local\\Microsoft\\WindowsApps"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 23379
          },
          {
            "timestamp": "2026-05-28 22:02:40,193",
            "thread_id": "612",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": false,
            "return": "0xffffffffc000000d",
            "pretty_return": "INVALID_PARAMETER",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000ab4"
              },
              {
                "name": "HandleName",
                "value": "C:\\Users\\admin\\AppData\\Local\\Microsoft\\WindowsApps"
              },
              {
                "name": "FileInformationClass",
                "value": "55",
                "pretty_value": "FileReplaceCompletionInformation"
              },
              {
                "name": "FileInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 23380
          },
          {
            "timestamp": "2026-05-28 22:02:40,193",
            "thread_id": "612",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "filesystem",
            "api": "NtQueryDirectoryFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000ab4"
              },
              {
                "name": "FileInformation",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x9fI\\xbe\\xb1\\xb6\\xee\\xdc\\x01\\x19\\x048q\\xb7\\xee\\xdc\\x01\\x19\\x048q\\xb7\\xee\\xdc\\x01\\x19\\x048q\\xb7\\xee\\xdc\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00 \\x04\\x00\\x00\\x14\\x00\\x00\\x00\\x1b\\x00\\x00\\x80\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00H\\xa9\\x01\\x00\\x00\\x00\\x03\\x00p\\x00y\\x00t\\x00h\\x00o\\x00n\\x00.\\x00e\\x00x\\x00e\\x00"
              },
              {
                "name": "FileName",
                "value": "C:\\Users\\admin\\AppData\\Local\\Microsoft\\WindowsApps\\python.exe"
              },
              {
                "name": "FileInformationClass",
                "value": "37",
                "pretty_value": "FileIdBothDirectoryInformation"
              }
            ],
            "repeated": 0,
            "id": 23381
          },
          {
            "timestamp": "2026-05-28 22:02:40,193",
            "thread_id": "612",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000ab4"
              }
            ],
            "repeated": 0,
            "id": 23382
          },
          {
            "timestamp": "2026-05-28 22:02:40,193",
            "thread_id": "612",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 23383
          },
          {
            "timestamp": "2026-05-28 22:02:40,193",
            "thread_id": "612",
            "caller": "0x7ff6c296e129",
            "parentcaller": "0x7ff6c296c7fa",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Users\\admin\\AppData\\Local\\Microsoft\\WindowsApps\\python.exe"
              }
            ],
            "repeated": 0,
            "id": 23384
          },
          {
            "timestamp": "2026-05-28 22:02:40,193",
            "thread_id": "612",
            "caller": "0x7ff6c290bbeb",
            "parentcaller": "0x7ff6c296c7b4",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Users\\admin\\AppData\\Local\\Python\\pythoncore-3.14-64\\python.exe"
              }
            ],
            "repeated": 0,
            "id": 23385
          },
          {
            "timestamp": "2026-05-28 22:02:40,193",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x292514f0002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Users\\admin\\AppData\\Local\\Python\\pythoncore-3.14-64\\python.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 23386
          },
          {
            "timestamp": "2026-05-28 22:02:40,193",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x292514f0000"
              },
              {
                "name": "RegionSize",
                "value": "0x0001a000"
              }
            ],
            "repeated": 0,
            "id": 23387
          },
          {
            "timestamp": "2026-05-28 22:02:40,193",
            "thread_id": "612",
            "caller": "0x7ff6c28c9b37",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x292514f0002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Users\\admin\\AppData\\Local\\Python\\pythoncore-3.14-64\\python.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 23388
          },
          {
            "timestamp": "2026-05-28 22:02:40,193",
            "thread_id": "612",
            "caller": "0x7ff6c28c9b37",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x292514f0000"
              },
              {
                "name": "RegionSize",
                "value": "0x0001a000"
              }
            ],
            "repeated": 0,
            "id": 23389
          },
          {
            "timestamp": "2026-05-28 22:02:40,193",
            "thread_id": "612",
            "caller": "0x7ff6c296e129",
            "parentcaller": "0x7ff6c296c7fa",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Users\\admin\\AppData\\Local\\Python\\pythoncore-3.14-64\\python.exe"
              }
            ],
            "repeated": 0,
            "id": 23390
          },
          {
            "timestamp": "2026-05-28 22:02:40,193",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": false,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "\\??\\C:\\Windows\\system32\\conhost.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 23391
          },
          {
            "timestamp": "2026-05-28 22:02:40,193",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000ab4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\conhost.exe"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "1",
                "pretty_value": "FILE_SHARE_READ"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000080",
                "pretty_value": "FILE_ATTRIBUTE_NORMAL"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 23392
          },
          {
            "timestamp": "2026-05-28 22:02:40,193",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000ab4"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\System32\\conhost.exe"
              },
              {
                "name": "FileInformationClass",
                "value": "5",
                "pretty_value": "FileStandardInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\x00@\r\\x00\\x00\\x00\\x00\\x00\\x00<\r\\x00\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 23393
          },
          {
            "timestamp": "2026-05-28 22:02:40,193",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "filesystem",
            "api": "NtSetInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000ab4"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\System32\\conhost.exe"
              },
              {
                "name": "FileInformationClass",
                "value": "14",
                "pretty_value": "FilePositionInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 23394
          },
          {
            "timestamp": "2026-05-28 22:02:40,193",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "filesystem",
            "api": "NtReadFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000ab4"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\System32\\conhost.exe"
              },
              {
                "name": "Buffer",
                "value": "MZ"
              },
              {
                "name": "Length",
                "value": "2"
              }
            ],
            "repeated": 0,
            "id": 23395
          },
          {
            "timestamp": "2026-05-28 22:02:40,193",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "filesystem",
            "api": "NtSetInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000ab4"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\System32\\conhost.exe"
              },
              {
                "name": "FileInformationClass",
                "value": "14",
                "pretty_value": "FilePositionInformation"
              },
              {
                "name": "FileInformation",
                "value": "<\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 23396
          },
          {
            "timestamp": "2026-05-28 22:02:40,193",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "filesystem",
            "api": "NtReadFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000ab4"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\System32\\conhost.exe"
              },
              {
                "name": "Buffer",
                "value": "\\xf0\\x00\\x00\\x00"
              },
              {
                "name": "Length",
                "value": "4"
              }
            ],
            "repeated": 0,
            "id": 23397
          },
          {
            "timestamp": "2026-05-28 22:02:40,193",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "filesystem",
            "api": "NtSetInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000ab4"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\System32\\conhost.exe"
              },
              {
                "name": "FileInformationClass",
                "value": "14",
                "pretty_value": "FilePositionInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 23398
          },
          {
            "timestamp": "2026-05-28 22:02:40,193",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "filesystem",
            "api": "NtReadFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000ab4"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\System32\\conhost.exe"
              },
              {
                "name": "Buffer",
                "value": "PE\\x00\\x00d\\x86\\x07\\x00\\xdc6\\xe4/\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xf0\\x00\"\\x00\\x0b\\x02\\x0e\\x14\\x00\\xa2\t\\x00\\x00\\xcc\\x03\\x00\\x00\\x00\\x00\\x00P\\xf7\\x01\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00@\\x01\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x02\\x00\\x00"
              },
              {
                "name": "Length",
                "value": "64"
              }
            ],
            "repeated": 0,
            "id": 23399
          },
          {
            "timestamp": "2026-05-28 22:02:40,193",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000ab4"
              }
            ],
            "repeated": 0,
            "id": 23400
          },
          {
            "timestamp": "2026-05-28 22:02:40,193",
            "thread_id": "612",
            "caller": "0x7ff6c296e129",
            "parentcaller": "0x7ff6c296c7fa",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\conhost.exe"
              }
            ],
            "repeated": 0,
            "id": 23401
          },
          {
            "timestamp": "2026-05-28 22:02:40,193",
            "thread_id": "612",
            "caller": "0x7ff6c28f7900",
            "parentcaller": "0x7ff6c296c4b1",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000ab8"
              }
            ],
            "repeated": 0,
            "id": 23402
          },
          {
            "timestamp": "2026-05-28 22:02:40,193",
            "thread_id": "612",
            "caller": "0x7ff6c296c455",
            "parentcaller": "0x7ff6c296e63c",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000001",
                "pretty_value": "HKEY_CURRENT_USER"
              },
              {
                "name": "SubKey",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Run"
              },
              {
                "name": "Handle",
                "value": "0x00000ac0"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run"
              }
            ],
            "repeated": 0,
            "id": 23403
          },
          {
            "timestamp": "2026-05-28 22:02:40,193",
            "thread_id": "612",
            "caller": "0x7ff6c296c0df",
            "parentcaller": "0x7ff6c296c48a",
            "category": "registry",
            "api": "RegQueryInfoKeyW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000ac0"
              },
              {
                "name": "Class",
                "value": ""
              },
              {
                "name": "SubKeyCount",
                "value": "0"
              },
              {
                "name": "MaxSubKeyLength",
                "value": "0"
              },
              {
                "name": "MaxClassLength",
                "value": "0"
              },
              {
                "name": "ValueCount",
                "value": "3"
              },
              {
                "name": "MaxValueNameLength",
                "value": "0"
              },
              {
                "name": "MaxValueLength",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 23404
          },
          {
            "timestamp": "2026-05-28 22:02:40,193",
            "thread_id": "612",
            "caller": "0x7ff6c290d36c",
            "parentcaller": "0x7ff6c296c16e",
            "category": "registry",
            "api": "RegEnumValueW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000ac0"
              },
              {
                "name": "Index",
                "value": "0"
              },
              {
                "name": "ValueName",
                "value": "OneDrive"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "DataLength",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\OneDrive"
              }
            ],
            "repeated": 0,
            "id": 23405
          },
          {
            "timestamp": "2026-05-28 22:02:40,193",
            "thread_id": "612",
            "caller": "0x7ff6c290d20b",
            "parentcaller": "0x7ff6c296c1bd",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000ac0"
              },
              {
                "name": "ValueName",
                "value": "OneDrive"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\OneDrive"
              }
            ],
            "repeated": 0,
            "id": 23406
          },
          {
            "timestamp": "2026-05-28 22:02:40,193",
            "thread_id": "612",
            "caller": "0x7ff6c290d2e0",
            "parentcaller": "0x7ff6c296c1bd",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000ac0"
              },
              {
                "name": "ValueName",
                "value": "OneDrive"
              },
              {
                "name": "Data",
                "value": "\"C:\\Users\\admin\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\OneDrive"
              }
            ],
            "repeated": 0,
            "id": 23407
          },
          {
            "timestamp": "2026-05-28 22:02:40,193",
            "thread_id": "612",
            "caller": "0x7ff6c296abc5",
            "parentcaller": "0x7ff6c296e244",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000057c"
              },
              {
                "name": "ValueName",
                "value": "OneDrive"
              },
              {
                "name": "Data",
                "value": "\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\StartupApproved\\Run\\OneDrive"
              }
            ],
            "repeated": 0,
            "id": 23408
          },
          {
            "timestamp": "2026-05-28 22:02:40,193",
            "thread_id": "612",
            "caller": "0x7ff6c290bbeb",
            "parentcaller": "0x7ff6c296cf53",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Users\\admin\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe"
              }
            ],
            "repeated": 0,
            "id": 23409
          },
          {
            "timestamp": "2026-05-28 22:02:40,193",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x0e020002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Users\\admin\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 23410
          },
          {
            "timestamp": "2026-05-28 22:02:40,193",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x0e020000"
              },
              {
                "name": "RegionSize",
                "value": "0x00243000"
              }
            ],
            "repeated": 0,
            "id": 23411
          },
          {
            "timestamp": "2026-05-28 22:02:40,193",
            "thread_id": "612",
            "caller": "0x7ff6c28c9b37",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x0e020002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Users\\admin\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 23412
          },
          {
            "timestamp": "2026-05-28 22:02:40,193",
            "thread_id": "612",
            "caller": "0x7ff6c28c9b37",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x0e020000"
              },
              {
                "name": "RegionSize",
                "value": "0x00243000"
              }
            ],
            "repeated": 0,
            "id": 23413
          },
          {
            "timestamp": "2026-05-28 22:02:40,193",
            "thread_id": "612",
            "caller": "0x7ff6c296e129",
            "parentcaller": "0x7ff6c296d3aa",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Users\\admin\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe"
              }
            ],
            "repeated": 1,
            "id": 23414
          },
          {
            "timestamp": "2026-05-28 22:02:40,193",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x0e020002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Users\\admin\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 23415
          },
          {
            "timestamp": "2026-05-28 22:02:40,193",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x0e020000"
              },
              {
                "name": "RegionSize",
                "value": "0x00243000"
              }
            ],
            "repeated": 0,
            "id": 23416
          },
          {
            "timestamp": "2026-05-28 22:02:40,193",
            "thread_id": "612",
            "caller": "0x7ff6c28c9b37",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x0e020002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Users\\admin\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 23417
          },
          {
            "timestamp": "2026-05-28 22:02:40,193",
            "thread_id": "612",
            "caller": "0x7ff6c28c9b37",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x0e020000"
              },
              {
                "name": "RegionSize",
                "value": "0x00243000"
              }
            ],
            "repeated": 0,
            "id": 23418
          },
          {
            "timestamp": "2026-05-28 22:02:40,193",
            "thread_id": "612",
            "caller": "0x7ff6c296e129",
            "parentcaller": "0x7ff6c296c7fa",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Users\\admin\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe"
              }
            ],
            "repeated": 0,
            "id": 23419
          },
          {
            "timestamp": "2026-05-28 22:02:40,193",
            "thread_id": "612",
            "caller": "0x7ff6c290d36c",
            "parentcaller": "0x7ff6c296c16e",
            "category": "registry",
            "api": "RegEnumValueW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000ac0"
              },
              {
                "name": "Index",
                "value": "1"
              },
              {
                "name": "ValueName",
                "value": "Discord"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "DataLength",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\Discord"
              }
            ],
            "repeated": 0,
            "id": 23420
          },
          {
            "timestamp": "2026-05-28 22:02:40,193",
            "thread_id": "612",
            "caller": "0x7ff6c290d20b",
            "parentcaller": "0x7ff6c296c1bd",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000ac0"
              },
              {
                "name": "ValueName",
                "value": "Discord"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\Discord"
              }
            ],
            "repeated": 0,
            "id": 23421
          },
          {
            "timestamp": "2026-05-28 22:02:40,193",
            "thread_id": "612",
            "caller": "0x7ff6c290d2e0",
            "parentcaller": "0x7ff6c296c1bd",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000ac0"
              },
              {
                "name": "ValueName",
                "value": "Discord"
              },
              {
                "name": "Data",
                "value": "\"C:\\Users\\admin\\AppData\\Local\\Discord\\Update.exe\" --processStart Discord.exe"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\Discord"
              }
            ],
            "repeated": 0,
            "id": 23422
          },
          {
            "timestamp": "2026-05-28 22:02:40,193",
            "thread_id": "612",
            "caller": "0x7ff6c296abc5",
            "parentcaller": "0x7ff6c296e244",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000057c"
              },
              {
                "name": "ValueName",
                "value": "Discord"
              },
              {
                "name": "Data",
                "value": "\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\StartupApproved\\Run\\Discord"
              }
            ],
            "repeated": 0,
            "id": 23423
          },
          {
            "timestamp": "2026-05-28 22:02:40,193",
            "thread_id": "612",
            "caller": "0x7ff6c290bbeb",
            "parentcaller": "0x7ff6c296cf53",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Users\\admin\\AppData\\Local\\Discord\\Update.exe"
              }
            ],
            "repeated": 0,
            "id": 23424
          },
          {
            "timestamp": "2026-05-28 22:02:40,193",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x292514f0002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Users\\admin\\AppData\\Local\\Discord\\Update.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 23425
          },
          {
            "timestamp": "2026-05-28 22:02:40,193",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x292514f0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              }
            ],
            "repeated": 0,
            "id": 23426
          },
          {
            "timestamp": "2026-05-28 22:02:40,193",
            "thread_id": "612",
            "caller": "0x7ff6c28c9b37",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x292514f0002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Users\\admin\\AppData\\Local\\Discord\\Update.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 23427
          },
          {
            "timestamp": "2026-05-28 22:02:40,193",
            "thread_id": "612",
            "caller": "0x7ff6c28c9b37",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x292514f0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              }
            ],
            "repeated": 0,
            "id": 23428
          },
          {
            "timestamp": "2026-05-28 22:02:40,193",
            "thread_id": "612",
            "caller": "0x7ff6c296e129",
            "parentcaller": "0x7ff6c296d3aa",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Users\\admin\\AppData\\Local\\Discord\\Update.exe"
              }
            ],
            "repeated": 1,
            "id": 23429
          },
          {
            "timestamp": "2026-05-28 22:02:40,193",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x292514f0002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Users\\admin\\AppData\\Local\\Discord\\Update.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 23430
          },
          {
            "timestamp": "2026-05-28 22:02:40,193",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x292514f0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              }
            ],
            "repeated": 0,
            "id": 23431
          },
          {
            "timestamp": "2026-05-28 22:02:40,193",
            "thread_id": "612",
            "caller": "0x7ff6c28c9b37",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x292514f0002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Users\\admin\\AppData\\Local\\Discord\\Update.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 23432
          },
          {
            "timestamp": "2026-05-28 22:02:40,193",
            "thread_id": "612",
            "caller": "0x7ff6c28c9b37",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x292514f0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              }
            ],
            "repeated": 0,
            "id": 23433
          },
          {
            "timestamp": "2026-05-28 22:02:40,193",
            "thread_id": "612",
            "caller": "0x7ff6c296e129",
            "parentcaller": "0x7ff6c296c7fa",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Users\\admin\\AppData\\Local\\Discord\\Update.exe"
              }
            ],
            "repeated": 0,
            "id": 23434
          },
          {
            "timestamp": "2026-05-28 22:02:40,193",
            "thread_id": "612",
            "caller": "0x7ff6c290bbeb",
            "parentcaller": "0x7ff6c296c7b4",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Users\\admin\\AppData\\Local\\Discord\\app-1.0.9238\\Discord.exe"
              }
            ],
            "repeated": 0,
            "id": 23435
          },
          {
            "timestamp": "2026-05-28 22:02:40,193",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29257f80002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Users\\admin\\AppData\\Local\\Discord\\app-1.0.9238\\Discord.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 23436
          },
          {
            "timestamp": "2026-05-28 22:02:40,193",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29257f80000"
              },
              {
                "name": "RegionSize",
                "value": "0x0be3b000"
              }
            ],
            "repeated": 0,
            "id": 23437
          },
          {
            "timestamp": "2026-05-28 22:02:40,193",
            "thread_id": "612",
            "caller": "0x7ff6c28c9b37",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29257f80002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Users\\admin\\AppData\\Local\\Discord\\app-1.0.9238\\Discord.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 23438
          },
          {
            "timestamp": "2026-05-28 22:02:40,193",
            "thread_id": "612",
            "caller": "0x7ff6c28c9b37",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29257f80000"
              },
              {
                "name": "RegionSize",
                "value": "0x0be3b000"
              }
            ],
            "repeated": 0,
            "id": 23439
          },
          {
            "timestamp": "2026-05-28 22:02:40,193",
            "thread_id": "612",
            "caller": "0x7ff6c296e129",
            "parentcaller": "0x7ff6c296c7fa",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Users\\admin\\AppData\\Local\\Discord\\app-1.0.9238\\Discord.exe"
              }
            ],
            "repeated": 0,
            "id": 23440
          },
          {
            "timestamp": "2026-05-28 22:02:40,193",
            "thread_id": "612",
            "caller": "0x7ff6c290bbeb",
            "parentcaller": "0x7ff6c296c7b4",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\reg.exe"
              }
            ],
            "repeated": 0,
            "id": 23441
          },
          {
            "timestamp": "2026-05-28 22:02:40,193",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x292514f0002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\System32\\reg.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 23442
          },
          {
            "timestamp": "2026-05-28 22:02:40,193",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "registry",
            "api": "NtOpenKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\en-US"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\en-US"
              }
            ],
            "repeated": 0,
            "id": 23443
          },
          {
            "timestamp": "2026-05-28 22:02:40,193",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000ab8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100001",
                "pretty_value": "FILE_READ_ACCESS|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\en-US\\reg.exe.mui"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 23444
          },
          {
            "timestamp": "2026-05-28 22:02:40,193",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000ab4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000ab8"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\en-US\\reg.exe.mui"
              }
            ],
            "repeated": 0,
            "id": 23445
          },
          {
            "timestamp": "2026-05-28 22:02:40,193",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000ab4"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x292514c0000"
              },
              {
                "name": "SectionOffset",
                "value": "0xf09dffd9d0"
              },
              {
                "name": "ViewSize",
                "value": "0x0000a000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 23446
          },
          {
            "timestamp": "2026-05-28 22:02:40,193",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000ab4"
              }
            ],
            "repeated": 0,
            "id": 23447
          },
          {
            "timestamp": "2026-05-28 22:02:40,193",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x292514c0000"
              },
              {
                "name": "RegionSize",
                "value": "0x0000a000"
              }
            ],
            "repeated": 0,
            "id": 23448
          },
          {
            "timestamp": "2026-05-28 22:02:40,193",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000ab8"
              }
            ],
            "repeated": 0,
            "id": 23449
          },
          {
            "timestamp": "2026-05-28 22:02:40,193",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x292514f0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00057000"
              }
            ],
            "repeated": 0,
            "id": 23450
          },
          {
            "timestamp": "2026-05-28 22:02:40,193",
            "thread_id": "612",
            "caller": "0x7ff6c28c9b37",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x292514f0002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\System32\\reg.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 23451
          },
          {
            "timestamp": "2026-05-28 22:02:40,193",
            "thread_id": "612",
            "caller": "0x7ff6c28c9b37",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "registry",
            "api": "NtOpenKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\en-US"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\en-US"
              }
            ],
            "repeated": 0,
            "id": 23452
          },
          {
            "timestamp": "2026-05-28 22:02:40,193",
            "thread_id": "612",
            "caller": "0x7ff6c28c9b37",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000ab8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100001",
                "pretty_value": "FILE_READ_ACCESS|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\en-US\\reg.exe.mui"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 23453
          },
          {
            "timestamp": "2026-05-28 22:02:40,193",
            "thread_id": "612",
            "caller": "0x7ff6c28c9b37",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000ab4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000ab8"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\en-US\\reg.exe.mui"
              }
            ],
            "repeated": 0,
            "id": 23454
          },
          {
            "timestamp": "2026-05-28 22:02:40,193",
            "thread_id": "612",
            "caller": "0x7ff6c28c9b37",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000ab4"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x292514c0000"
              },
              {
                "name": "SectionOffset",
                "value": "0xf09dffd9c0"
              },
              {
                "name": "ViewSize",
                "value": "0x0000a000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 23455
          },
          {
            "timestamp": "2026-05-28 22:02:40,193",
            "thread_id": "612",
            "caller": "0x7ff6c28c9b37",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000ab4"
              }
            ],
            "repeated": 0,
            "id": 23456
          },
          {
            "timestamp": "2026-05-28 22:02:40,193",
            "thread_id": "612",
            "caller": "0x7ff6c28c9b37",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x292514c0000"
              },
              {
                "name": "RegionSize",
                "value": "0x0000a000"
              }
            ],
            "repeated": 0,
            "id": 23457
          },
          {
            "timestamp": "2026-05-28 22:02:40,193",
            "thread_id": "612",
            "caller": "0x7ff6c28c9b37",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000ab8"
              }
            ],
            "repeated": 0,
            "id": 23458
          },
          {
            "timestamp": "2026-05-28 22:02:40,193",
            "thread_id": "612",
            "caller": "0x7ff6c28c9b37",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x292514f0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00057000"
              }
            ],
            "repeated": 0,
            "id": 23459
          },
          {
            "timestamp": "2026-05-28 22:02:40,193",
            "thread_id": "612",
            "caller": "0x7ff6c296e129",
            "parentcaller": "0x7ff6c296c7fa",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\reg.exe"
              }
            ],
            "repeated": 0,
            "id": 23460
          },
          {
            "timestamp": "2026-05-28 22:02:40,193",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": false,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "\\??\\C:\\Windows\\system32\\conhost.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 23461
          },
          {
            "timestamp": "2026-05-28 22:02:40,193",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000ab8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\conhost.exe"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "1",
                "pretty_value": "FILE_SHARE_READ"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000080",
                "pretty_value": "FILE_ATTRIBUTE_NORMAL"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 23462
          },
          {
            "timestamp": "2026-05-28 22:02:40,193",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000ab8"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\System32\\conhost.exe"
              },
              {
                "name": "FileInformationClass",
                "value": "5",
                "pretty_value": "FileStandardInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\x00@\r\\x00\\x00\\x00\\x00\\x00\\x00<\r\\x00\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 23463
          },
          {
            "timestamp": "2026-05-28 22:02:40,193",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "filesystem",
            "api": "NtSetInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000ab8"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\System32\\conhost.exe"
              },
              {
                "name": "FileInformationClass",
                "value": "14",
                "pretty_value": "FilePositionInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 23464
          },
          {
            "timestamp": "2026-05-28 22:02:40,193",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "filesystem",
            "api": "NtReadFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000ab8"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\System32\\conhost.exe"
              },
              {
                "name": "Buffer",
                "value": "MZ"
              },
              {
                "name": "Length",
                "value": "2"
              }
            ],
            "repeated": 0,
            "id": 23465
          },
          {
            "timestamp": "2026-05-28 22:02:40,193",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "filesystem",
            "api": "NtSetInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000ab8"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\System32\\conhost.exe"
              },
              {
                "name": "FileInformationClass",
                "value": "14",
                "pretty_value": "FilePositionInformation"
              },
              {
                "name": "FileInformation",
                "value": "<\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 23466
          },
          {
            "timestamp": "2026-05-28 22:02:40,193",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "filesystem",
            "api": "NtReadFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000ab8"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\System32\\conhost.exe"
              },
              {
                "name": "Buffer",
                "value": "\\xf0\\x00\\x00\\x00"
              },
              {
                "name": "Length",
                "value": "4"
              }
            ],
            "repeated": 0,
            "id": 23467
          },
          {
            "timestamp": "2026-05-28 22:02:40,193",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "filesystem",
            "api": "NtSetInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000ab8"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\System32\\conhost.exe"
              },
              {
                "name": "FileInformationClass",
                "value": "14",
                "pretty_value": "FilePositionInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 23468
          },
          {
            "timestamp": "2026-05-28 22:02:40,193",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "filesystem",
            "api": "NtReadFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000ab8"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\System32\\conhost.exe"
              },
              {
                "name": "Buffer",
                "value": "PE\\x00\\x00d\\x86\\x07\\x00\\xdc6\\xe4/\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xf0\\x00\"\\x00\\x0b\\x02\\x0e\\x14\\x00\\xa2\t\\x00\\x00\\xcc\\x03\\x00\\x00\\x00\\x00\\x00P\\xf7\\x01\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00@\\x01\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x02\\x00\\x00"
              },
              {
                "name": "Length",
                "value": "64"
              }
            ],
            "repeated": 0,
            "id": 23469
          },
          {
            "timestamp": "2026-05-28 22:02:40,193",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000ab8"
              }
            ],
            "repeated": 0,
            "id": 23470
          },
          {
            "timestamp": "2026-05-28 22:02:40,193",
            "thread_id": "612",
            "caller": "0x7ff6c296e129",
            "parentcaller": "0x7ff6c296c7fa",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\conhost.exe"
              }
            ],
            "repeated": 0,
            "id": 23471
          },
          {
            "timestamp": "2026-05-28 22:02:40,193",
            "thread_id": "612",
            "caller": "0x7ff6c290bbeb",
            "parentcaller": "0x7ff6c296c7b4",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Users\\admin\\AppData\\Local\\Discord\\app-1.0.9238\\Discord.exe"
              }
            ],
            "repeated": 0,
            "id": 23472
          },
          {
            "timestamp": "2026-05-28 22:02:40,193",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29257f80002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Users\\admin\\AppData\\Local\\Discord\\app-1.0.9238\\Discord.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 23473
          },
          {
            "timestamp": "2026-05-28 22:02:40,193",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29257f80000"
              },
              {
                "name": "RegionSize",
                "value": "0x0be3b000"
              }
            ],
            "repeated": 0,
            "id": 23474
          },
          {
            "timestamp": "2026-05-28 22:02:40,193",
            "thread_id": "612",
            "caller": "0x7ff6c28c9b37",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29257f80002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Users\\admin\\AppData\\Local\\Discord\\app-1.0.9238\\Discord.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 23475
          },
          {
            "timestamp": "2026-05-28 22:02:40,193",
            "thread_id": "612",
            "caller": "0x7ff6c28c9b37",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29257f80000"
              },
              {
                "name": "RegionSize",
                "value": "0x0be3b000"
              }
            ],
            "repeated": 0,
            "id": 23476
          },
          {
            "timestamp": "2026-05-28 22:02:40,193",
            "thread_id": "612",
            "caller": "0x7ff6c296e129",
            "parentcaller": "0x7ff6c296c7fa",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Users\\admin\\AppData\\Local\\Discord\\app-1.0.9238\\Discord.exe"
              }
            ],
            "repeated": 0,
            "id": 23477
          },
          {
            "timestamp": "2026-05-28 22:02:40,193",
            "thread_id": "612",
            "caller": "0x7ff6c290bbeb",
            "parentcaller": "0x7ff6c296c7b4",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\reg.exe"
              }
            ],
            "repeated": 0,
            "id": 23478
          },
          {
            "timestamp": "2026-05-28 22:02:40,193",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x292514f0002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\System32\\reg.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 23479
          },
          {
            "timestamp": "2026-05-28 22:02:40,193",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "registry",
            "api": "NtOpenKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\en-US"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\en-US"
              }
            ],
            "repeated": 0,
            "id": 23480
          },
          {
            "timestamp": "2026-05-28 22:02:40,193",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000ab8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100001",
                "pretty_value": "FILE_READ_ACCESS|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\en-US\\reg.exe.mui"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 23481
          },
          {
            "timestamp": "2026-05-28 22:02:40,193",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000ab4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000ab8"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\en-US\\reg.exe.mui"
              }
            ],
            "repeated": 0,
            "id": 23482
          },
          {
            "timestamp": "2026-05-28 22:02:40,193",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000ab4"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x292514c0000"
              },
              {
                "name": "SectionOffset",
                "value": "0xf09dffd9d0"
              },
              {
                "name": "ViewSize",
                "value": "0x0000a000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 23483
          },
          {
            "timestamp": "2026-05-28 22:02:40,193",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000ab4"
              }
            ],
            "repeated": 0,
            "id": 23484
          },
          {
            "timestamp": "2026-05-28 22:02:40,193",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x292514c0000"
              },
              {
                "name": "RegionSize",
                "value": "0x0000a000"
              }
            ],
            "repeated": 0,
            "id": 23485
          },
          {
            "timestamp": "2026-05-28 22:02:40,193",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000ab8"
              }
            ],
            "repeated": 0,
            "id": 23486
          },
          {
            "timestamp": "2026-05-28 22:02:40,193",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x292514f0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00057000"
              }
            ],
            "repeated": 0,
            "id": 23487
          },
          {
            "timestamp": "2026-05-28 22:02:40,193",
            "thread_id": "612",
            "caller": "0x7ff6c28c9b37",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x292514f0002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\System32\\reg.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 23488
          },
          {
            "timestamp": "2026-05-28 22:02:40,193",
            "thread_id": "612",
            "caller": "0x7ff6c28c9b37",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "registry",
            "api": "NtOpenKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\en-US"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\en-US"
              }
            ],
            "repeated": 0,
            "id": 23489
          },
          {
            "timestamp": "2026-05-28 22:02:40,193",
            "thread_id": "612",
            "caller": "0x7ff6c28c9b37",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000ab8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100001",
                "pretty_value": "FILE_READ_ACCESS|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\en-US\\reg.exe.mui"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 23490
          },
          {
            "timestamp": "2026-05-28 22:02:40,193",
            "thread_id": "612",
            "caller": "0x7ff6c28c9b37",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000ab4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000ab8"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\en-US\\reg.exe.mui"
              }
            ],
            "repeated": 0,
            "id": 23491
          },
          {
            "timestamp": "2026-05-28 22:02:40,193",
            "thread_id": "612",
            "caller": "0x7ff6c28c9b37",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000ab4"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x292514c0000"
              },
              {
                "name": "SectionOffset",
                "value": "0xf09dffd9c0"
              },
              {
                "name": "ViewSize",
                "value": "0x0000a000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 23492
          },
          {
            "timestamp": "2026-05-28 22:02:40,193",
            "thread_id": "612",
            "caller": "0x7ff6c28c9b37",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000ab4"
              }
            ],
            "repeated": 0,
            "id": 23493
          },
          {
            "timestamp": "2026-05-28 22:02:40,193",
            "thread_id": "612",
            "caller": "0x7ff6c28c9b37",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x292514c0000"
              },
              {
                "name": "RegionSize",
                "value": "0x0000a000"
              }
            ],
            "repeated": 0,
            "id": 23494
          },
          {
            "timestamp": "2026-05-28 22:02:40,193",
            "thread_id": "612",
            "caller": "0x7ff6c28c9b37",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000ab8"
              }
            ],
            "repeated": 0,
            "id": 23495
          },
          {
            "timestamp": "2026-05-28 22:02:40,193",
            "thread_id": "612",
            "caller": "0x7ff6c28c9b37",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x292514f0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00057000"
              }
            ],
            "repeated": 0,
            "id": 23496
          },
          {
            "timestamp": "2026-05-28 22:02:40,193",
            "thread_id": "612",
            "caller": "0x7ff6c296e129",
            "parentcaller": "0x7ff6c296c7fa",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\reg.exe"
              }
            ],
            "repeated": 0,
            "id": 23497
          },
          {
            "timestamp": "2026-05-28 22:02:40,193",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": false,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "\\??\\C:\\Windows\\system32\\conhost.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 23498
          },
          {
            "timestamp": "2026-05-28 22:02:40,193",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000ab8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\conhost.exe"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "1",
                "pretty_value": "FILE_SHARE_READ"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000080",
                "pretty_value": "FILE_ATTRIBUTE_NORMAL"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 23499
          },
          {
            "timestamp": "2026-05-28 22:02:40,193",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000ab8"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\System32\\conhost.exe"
              },
              {
                "name": "FileInformationClass",
                "value": "5",
                "pretty_value": "FileStandardInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\x00@\r\\x00\\x00\\x00\\x00\\x00\\x00<\r\\x00\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 23500
          },
          {
            "timestamp": "2026-05-28 22:02:40,193",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "filesystem",
            "api": "NtSetInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000ab8"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\System32\\conhost.exe"
              },
              {
                "name": "FileInformationClass",
                "value": "14",
                "pretty_value": "FilePositionInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 23501
          },
          {
            "timestamp": "2026-05-28 22:02:40,193",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "filesystem",
            "api": "NtReadFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000ab8"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\System32\\conhost.exe"
              },
              {
                "name": "Buffer",
                "value": "MZ"
              },
              {
                "name": "Length",
                "value": "2"
              }
            ],
            "repeated": 0,
            "id": 23502
          },
          {
            "timestamp": "2026-05-28 22:02:40,193",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "filesystem",
            "api": "NtSetInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000ab8"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\System32\\conhost.exe"
              },
              {
                "name": "FileInformationClass",
                "value": "14",
                "pretty_value": "FilePositionInformation"
              },
              {
                "name": "FileInformation",
                "value": "<\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 23503
          },
          {
            "timestamp": "2026-05-28 22:02:40,193",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "filesystem",
            "api": "NtReadFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000ab8"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\System32\\conhost.exe"
              },
              {
                "name": "Buffer",
                "value": "\\xf0\\x00\\x00\\x00"
              },
              {
                "name": "Length",
                "value": "4"
              }
            ],
            "repeated": 0,
            "id": 23504
          },
          {
            "timestamp": "2026-05-28 22:02:40,193",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "filesystem",
            "api": "NtSetInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000ab8"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\System32\\conhost.exe"
              },
              {
                "name": "FileInformationClass",
                "value": "14",
                "pretty_value": "FilePositionInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 23505
          },
          {
            "timestamp": "2026-05-28 22:02:40,193",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "filesystem",
            "api": "NtReadFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000ab8"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\System32\\conhost.exe"
              },
              {
                "name": "Buffer",
                "value": "PE\\x00\\x00d\\x86\\x07\\x00\\xdc6\\xe4/\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xf0\\x00\"\\x00\\x0b\\x02\\x0e\\x14\\x00\\xa2\t\\x00\\x00\\xcc\\x03\\x00\\x00\\x00\\x00\\x00P\\xf7\\x01\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00@\\x01\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x02\\x00\\x00"
              },
              {
                "name": "Length",
                "value": "64"
              }
            ],
            "repeated": 0,
            "id": 23506
          },
          {
            "timestamp": "2026-05-28 22:02:40,193",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000ab8"
              }
            ],
            "repeated": 0,
            "id": 23507
          },
          {
            "timestamp": "2026-05-28 22:02:40,193",
            "thread_id": "612",
            "caller": "0x7ff6c296e129",
            "parentcaller": "0x7ff6c296c7fa",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\conhost.exe"
              }
            ],
            "repeated": 0,
            "id": 23508
          },
          {
            "timestamp": "2026-05-28 22:02:40,193",
            "thread_id": "612",
            "caller": "0x7ff6c290bbeb",
            "parentcaller": "0x7ff6c296c7b4",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Users\\admin\\AppData\\Local\\Discord\\app-1.0.9238\\Discord.exe"
              }
            ],
            "repeated": 0,
            "id": 23509
          },
          {
            "timestamp": "2026-05-28 22:02:40,193",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29257f80002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Users\\admin\\AppData\\Local\\Discord\\app-1.0.9238\\Discord.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 23510
          },
          {
            "timestamp": "2026-05-28 22:02:40,193",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29257f80000"
              },
              {
                "name": "RegionSize",
                "value": "0x0be3b000"
              }
            ],
            "repeated": 0,
            "id": 23511
          },
          {
            "timestamp": "2026-05-28 22:02:40,209",
            "thread_id": "612",
            "caller": "0x7ff6c28c9b37",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29257f80002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Users\\admin\\AppData\\Local\\Discord\\app-1.0.9238\\Discord.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 23512
          },
          {
            "timestamp": "2026-05-28 22:02:40,209",
            "thread_id": "612",
            "caller": "0x7ff6c28c9b37",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29257f80000"
              },
              {
                "name": "RegionSize",
                "value": "0x0be3b000"
              }
            ],
            "repeated": 0,
            "id": 23513
          },
          {
            "timestamp": "2026-05-28 22:02:40,209",
            "thread_id": "612",
            "caller": "0x7ff6c296e129",
            "parentcaller": "0x7ff6c296c7fa",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Users\\admin\\AppData\\Local\\Discord\\app-1.0.9238\\Discord.exe"
              }
            ],
            "repeated": 1,
            "id": 23514
          },
          {
            "timestamp": "2026-05-28 22:02:40,209",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29257f80002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Users\\admin\\AppData\\Local\\Discord\\app-1.0.9238\\Discord.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 23515
          },
          {
            "timestamp": "2026-05-28 22:02:40,209",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29257f80000"
              },
              {
                "name": "RegionSize",
                "value": "0x0be3b000"
              }
            ],
            "repeated": 0,
            "id": 23516
          },
          {
            "timestamp": "2026-05-28 22:02:40,209",
            "thread_id": "612",
            "caller": "0x7ff6c28c9b37",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29257f80002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Users\\admin\\AppData\\Local\\Discord\\app-1.0.9238\\Discord.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 23517
          },
          {
            "timestamp": "2026-05-28 22:02:40,209",
            "thread_id": "612",
            "caller": "0x7ff6c28c9b37",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29257f80000"
              },
              {
                "name": "RegionSize",
                "value": "0x0be3b000"
              }
            ],
            "repeated": 0,
            "id": 23518
          },
          {
            "timestamp": "2026-05-28 22:02:40,209",
            "thread_id": "612",
            "caller": "0x7ff6c296e129",
            "parentcaller": "0x7ff6c296c7fa",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Users\\admin\\AppData\\Local\\Discord\\app-1.0.9238\\Discord.exe"
              }
            ],
            "repeated": 1,
            "id": 23519
          },
          {
            "timestamp": "2026-05-28 22:02:40,209",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29257f80002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Users\\admin\\AppData\\Local\\Discord\\app-1.0.9238\\Discord.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 23520
          },
          {
            "timestamp": "2026-05-28 22:02:40,209",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29257f80000"
              },
              {
                "name": "RegionSize",
                "value": "0x0be3b000"
              }
            ],
            "repeated": 0,
            "id": 23521
          },
          {
            "timestamp": "2026-05-28 22:02:40,209",
            "thread_id": "612",
            "caller": "0x7ff6c28c9b37",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29257f80002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Users\\admin\\AppData\\Local\\Discord\\app-1.0.9238\\Discord.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 23522
          },
          {
            "timestamp": "2026-05-28 22:02:40,209",
            "thread_id": "612",
            "caller": "0x7ff6c28c9b37",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29257f80000"
              },
              {
                "name": "RegionSize",
                "value": "0x0be3b000"
              }
            ],
            "repeated": 0,
            "id": 23523
          },
          {
            "timestamp": "2026-05-28 22:02:40,209",
            "thread_id": "612",
            "caller": "0x7ff6c296e129",
            "parentcaller": "0x7ff6c296c7fa",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Users\\admin\\AppData\\Local\\Discord\\app-1.0.9238\\Discord.exe"
              }
            ],
            "repeated": 1,
            "id": 23524
          },
          {
            "timestamp": "2026-05-28 22:02:40,209",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29257f80002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Users\\admin\\AppData\\Local\\Discord\\app-1.0.9238\\Discord.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 23525
          },
          {
            "timestamp": "2026-05-28 22:02:40,209",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29257f80000"
              },
              {
                "name": "RegionSize",
                "value": "0x0be3b000"
              }
            ],
            "repeated": 0,
            "id": 23526
          },
          {
            "timestamp": "2026-05-28 22:02:40,209",
            "thread_id": "612",
            "caller": "0x7ff6c28c9b37",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29257f80002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Users\\admin\\AppData\\Local\\Discord\\app-1.0.9238\\Discord.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 23527
          },
          {
            "timestamp": "2026-05-28 22:02:40,209",
            "thread_id": "612",
            "caller": "0x7ff6c28c9b37",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29257f80000"
              },
              {
                "name": "RegionSize",
                "value": "0x0be3b000"
              }
            ],
            "repeated": 0,
            "id": 23528
          },
          {
            "timestamp": "2026-05-28 22:02:40,209",
            "thread_id": "612",
            "caller": "0x7ff6c296e129",
            "parentcaller": "0x7ff6c296c7fa",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Users\\admin\\AppData\\Local\\Discord\\app-1.0.9238\\Discord.exe"
              }
            ],
            "repeated": 1,
            "id": 23529
          },
          {
            "timestamp": "2026-05-28 22:02:40,209",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29257f80002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Users\\admin\\AppData\\Local\\Discord\\app-1.0.9238\\Discord.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 23530
          },
          {
            "timestamp": "2026-05-28 22:02:40,209",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29257f80000"
              },
              {
                "name": "RegionSize",
                "value": "0x0be3b000"
              }
            ],
            "repeated": 0,
            "id": 23531
          },
          {
            "timestamp": "2026-05-28 22:02:40,209",
            "thread_id": "612",
            "caller": "0x7ff6c28c9b37",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29257f80002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Users\\admin\\AppData\\Local\\Discord\\app-1.0.9238\\Discord.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 23532
          },
          {
            "timestamp": "2026-05-28 22:02:40,209",
            "thread_id": "612",
            "caller": "0x7ff6c28c9b37",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29257f80000"
              },
              {
                "name": "RegionSize",
                "value": "0x0be3b000"
              }
            ],
            "repeated": 0,
            "id": 23533
          },
          {
            "timestamp": "2026-05-28 22:02:40,209",
            "thread_id": "612",
            "caller": "0x7ff6c296e129",
            "parentcaller": "0x7ff6c296c7fa",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Users\\admin\\AppData\\Local\\Discord\\app-1.0.9238\\Discord.exe"
              }
            ],
            "repeated": 1,
            "id": 23534
          },
          {
            "timestamp": "2026-05-28 22:02:40,209",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29257f80002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Users\\admin\\AppData\\Local\\Discord\\app-1.0.9238\\Discord.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 23535
          },
          {
            "timestamp": "2026-05-28 22:02:40,209",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29257f80000"
              },
              {
                "name": "RegionSize",
                "value": "0x0be3b000"
              }
            ],
            "repeated": 0,
            "id": 23536
          },
          {
            "timestamp": "2026-05-28 22:02:40,209",
            "thread_id": "612",
            "caller": "0x7ff6c28c9b37",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29257f80002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Users\\admin\\AppData\\Local\\Discord\\app-1.0.9238\\Discord.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 23537
          },
          {
            "timestamp": "2026-05-28 22:02:40,209",
            "thread_id": "612",
            "caller": "0x7ff6c28c9b37",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29257f80000"
              },
              {
                "name": "RegionSize",
                "value": "0x0be3b000"
              }
            ],
            "repeated": 0,
            "id": 23538
          },
          {
            "timestamp": "2026-05-28 22:02:40,209",
            "thread_id": "612",
            "caller": "0x7ff6c296e129",
            "parentcaller": "0x7ff6c296c7fa",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Users\\admin\\AppData\\Local\\Discord\\app-1.0.9238\\Discord.exe"
              }
            ],
            "repeated": 1,
            "id": 23539
          },
          {
            "timestamp": "2026-05-28 22:02:40,209",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29257f80002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Users\\admin\\AppData\\Local\\Discord\\app-1.0.9238\\Discord.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 23540
          },
          {
            "timestamp": "2026-05-28 22:02:40,209",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29257f80000"
              },
              {
                "name": "RegionSize",
                "value": "0x0be3b000"
              }
            ],
            "repeated": 0,
            "id": 23541
          },
          {
            "timestamp": "2026-05-28 22:02:40,209",
            "thread_id": "612",
            "caller": "0x7ff6c28c9b37",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29257f80002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Users\\admin\\AppData\\Local\\Discord\\app-1.0.9238\\Discord.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 23542
          },
          {
            "timestamp": "2026-05-28 22:02:40,209",
            "thread_id": "612",
            "caller": "0x7ff6c28c9b37",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29257f80000"
              },
              {
                "name": "RegionSize",
                "value": "0x0be3b000"
              }
            ],
            "repeated": 0,
            "id": 23543
          },
          {
            "timestamp": "2026-05-28 22:02:40,209",
            "thread_id": "612",
            "caller": "0x7ff6c296e129",
            "parentcaller": "0x7ff6c296c7fa",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Users\\admin\\AppData\\Local\\Discord\\app-1.0.9238\\Discord.exe"
              }
            ],
            "repeated": 1,
            "id": 23544
          },
          {
            "timestamp": "2026-05-28 22:02:40,209",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29257f80002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Users\\admin\\AppData\\Local\\Discord\\app-1.0.9238\\Discord.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 23545
          },
          {
            "timestamp": "2026-05-28 22:02:40,209",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29257f80000"
              },
              {
                "name": "RegionSize",
                "value": "0x0be3b000"
              }
            ],
            "repeated": 0,
            "id": 23546
          },
          {
            "timestamp": "2026-05-28 22:02:40,209",
            "thread_id": "612",
            "caller": "0x7ff6c28c9b37",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29257f80002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Users\\admin\\AppData\\Local\\Discord\\app-1.0.9238\\Discord.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 23547
          },
          {
            "timestamp": "2026-05-28 22:02:40,209",
            "thread_id": "612",
            "caller": "0x7ff6c28c9b37",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29257f80000"
              },
              {
                "name": "RegionSize",
                "value": "0x0be3b000"
              }
            ],
            "repeated": 0,
            "id": 23548
          },
          {
            "timestamp": "2026-05-28 22:02:40,209",
            "thread_id": "612",
            "caller": "0x7ff6c296e129",
            "parentcaller": "0x7ff6c296c7fa",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Users\\admin\\AppData\\Local\\Discord\\app-1.0.9238\\Discord.exe"
              }
            ],
            "repeated": 0,
            "id": 23549
          },
          {
            "timestamp": "2026-05-28 22:02:40,209",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x292514f0002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "\\\\?\\C:\\Users\\admin\\AppData\\Local\\Discord\\app-1.0.9238\\modules\\discord_voice-1\\discord_voice\\gpu_encoder_helper.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 23550
          },
          {
            "timestamp": "2026-05-28 22:02:40,209",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x292514f0000"
              },
              {
                "name": "RegionSize",
                "value": "0x000de000"
              }
            ],
            "repeated": 0,
            "id": 23551
          },
          {
            "timestamp": "2026-05-28 22:02:40,209",
            "thread_id": "612",
            "caller": "0x7ff6c296e129",
            "parentcaller": "0x7ff6c296c7fa",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Users\\admin\\AppData\\Local\\Discord\\app-1.0.9238\\modules\\discord_voice-1\\discord_voice\\gpu_encoder_helper.exe"
              }
            ],
            "repeated": 0,
            "id": 23552
          },
          {
            "timestamp": "2026-05-28 22:02:40,209",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": false,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "\\??\\C:\\Windows\\system32\\conhost.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 23553
          },
          {
            "timestamp": "2026-05-28 22:02:40,209",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000ac4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\conhost.exe"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "1",
                "pretty_value": "FILE_SHARE_READ"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000080",
                "pretty_value": "FILE_ATTRIBUTE_NORMAL"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 23554
          },
          {
            "timestamp": "2026-05-28 22:02:40,209",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000ac4"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\System32\\conhost.exe"
              },
              {
                "name": "FileInformationClass",
                "value": "5",
                "pretty_value": "FileStandardInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\x00@\r\\x00\\x00\\x00\\x00\\x00\\x00<\r\\x00\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 23555
          },
          {
            "timestamp": "2026-05-28 22:02:40,209",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "filesystem",
            "api": "NtSetInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000ac4"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\System32\\conhost.exe"
              },
              {
                "name": "FileInformationClass",
                "value": "14",
                "pretty_value": "FilePositionInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 23556
          },
          {
            "timestamp": "2026-05-28 22:02:40,209",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "filesystem",
            "api": "NtReadFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000ac4"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\System32\\conhost.exe"
              },
              {
                "name": "Buffer",
                "value": "MZ"
              },
              {
                "name": "Length",
                "value": "2"
              }
            ],
            "repeated": 0,
            "id": 23557
          },
          {
            "timestamp": "2026-05-28 22:02:40,209",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "filesystem",
            "api": "NtSetInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000ac4"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\System32\\conhost.exe"
              },
              {
                "name": "FileInformationClass",
                "value": "14",
                "pretty_value": "FilePositionInformation"
              },
              {
                "name": "FileInformation",
                "value": "<\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 23558
          },
          {
            "timestamp": "2026-05-28 22:02:40,209",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "filesystem",
            "api": "NtReadFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000ac4"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\System32\\conhost.exe"
              },
              {
                "name": "Buffer",
                "value": "\\xf0\\x00\\x00\\x00"
              },
              {
                "name": "Length",
                "value": "4"
              }
            ],
            "repeated": 0,
            "id": 23559
          },
          {
            "timestamp": "2026-05-28 22:02:40,209",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "filesystem",
            "api": "NtSetInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000ac4"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\System32\\conhost.exe"
              },
              {
                "name": "FileInformationClass",
                "value": "14",
                "pretty_value": "FilePositionInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 23560
          },
          {
            "timestamp": "2026-05-28 22:02:40,209",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "filesystem",
            "api": "NtReadFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000ac4"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\System32\\conhost.exe"
              },
              {
                "name": "Buffer",
                "value": "PE\\x00\\x00d\\x86\\x07\\x00\\xdc6\\xe4/\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xf0\\x00\"\\x00\\x0b\\x02\\x0e\\x14\\x00\\xa2\t\\x00\\x00\\xcc\\x03\\x00\\x00\\x00\\x00\\x00P\\xf7\\x01\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00@\\x01\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x02\\x00\\x00"
              },
              {
                "name": "Length",
                "value": "64"
              }
            ],
            "repeated": 0,
            "id": 23561
          },
          {
            "timestamp": "2026-05-28 22:02:40,209",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000ac4"
              }
            ],
            "repeated": 0,
            "id": 23562
          },
          {
            "timestamp": "2026-05-28 22:02:40,209",
            "thread_id": "612",
            "caller": "0x7ff6c296e129",
            "parentcaller": "0x7ff6c296c7fa",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\conhost.exe"
              }
            ],
            "repeated": 0,
            "id": 23563
          },
          {
            "timestamp": "2026-05-28 22:02:40,209",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x292514f0002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "\\\\?\\C:\\Users\\admin\\AppData\\Local\\Discord\\app-1.0.9238\\modules\\discord_voice-1\\discord_voice\\gpu_encoder_helper.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 23564
          },
          {
            "timestamp": "2026-05-28 22:02:40,209",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x292514f0000"
              },
              {
                "name": "RegionSize",
                "value": "0x000de000"
              }
            ],
            "repeated": 0,
            "id": 23565
          },
          {
            "timestamp": "2026-05-28 22:02:40,209",
            "thread_id": "612",
            "caller": "0x7ff6c296e129",
            "parentcaller": "0x7ff6c296c7fa",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Users\\admin\\AppData\\Local\\Discord\\app-1.0.9238\\modules\\discord_voice-1\\discord_voice\\gpu_encoder_helper.exe"
              }
            ],
            "repeated": 0,
            "id": 23566
          },
          {
            "timestamp": "2026-05-28 22:02:40,209",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": false,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "\\??\\C:\\Windows\\system32\\conhost.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 23567
          },
          {
            "timestamp": "2026-05-28 22:02:40,209",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000ac4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\conhost.exe"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "1",
                "pretty_value": "FILE_SHARE_READ"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000080",
                "pretty_value": "FILE_ATTRIBUTE_NORMAL"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 23568
          },
          {
            "timestamp": "2026-05-28 22:02:40,209",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000ac4"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\System32\\conhost.exe"
              },
              {
                "name": "FileInformationClass",
                "value": "5",
                "pretty_value": "FileStandardInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\x00@\r\\x00\\x00\\x00\\x00\\x00\\x00<\r\\x00\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 23569
          },
          {
            "timestamp": "2026-05-28 22:02:40,209",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "filesystem",
            "api": "NtSetInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000ac4"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\System32\\conhost.exe"
              },
              {
                "name": "FileInformationClass",
                "value": "14",
                "pretty_value": "FilePositionInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 23570
          },
          {
            "timestamp": "2026-05-28 22:02:40,209",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "filesystem",
            "api": "NtReadFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000ac4"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\System32\\conhost.exe"
              },
              {
                "name": "Buffer",
                "value": "MZ"
              },
              {
                "name": "Length",
                "value": "2"
              }
            ],
            "repeated": 0,
            "id": 23571
          },
          {
            "timestamp": "2026-05-28 22:02:40,209",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "filesystem",
            "api": "NtSetInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000ac4"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\System32\\conhost.exe"
              },
              {
                "name": "FileInformationClass",
                "value": "14",
                "pretty_value": "FilePositionInformation"
              },
              {
                "name": "FileInformation",
                "value": "<\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 23572
          },
          {
            "timestamp": "2026-05-28 22:02:40,209",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "filesystem",
            "api": "NtReadFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000ac4"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\System32\\conhost.exe"
              },
              {
                "name": "Buffer",
                "value": "\\xf0\\x00\\x00\\x00"
              },
              {
                "name": "Length",
                "value": "4"
              }
            ],
            "repeated": 0,
            "id": 23573
          },
          {
            "timestamp": "2026-05-28 22:02:40,209",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "filesystem",
            "api": "NtSetInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000ac4"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\System32\\conhost.exe"
              },
              {
                "name": "FileInformationClass",
                "value": "14",
                "pretty_value": "FilePositionInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 23574
          },
          {
            "timestamp": "2026-05-28 22:02:40,209",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "filesystem",
            "api": "NtReadFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000ac4"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\System32\\conhost.exe"
              },
              {
                "name": "Buffer",
                "value": "PE\\x00\\x00d\\x86\\x07\\x00\\xdc6\\xe4/\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xf0\\x00\"\\x00\\x0b\\x02\\x0e\\x14\\x00\\xa2\t\\x00\\x00\\xcc\\x03\\x00\\x00\\x00\\x00\\x00P\\xf7\\x01\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00@\\x01\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x02\\x00\\x00"
              },
              {
                "name": "Length",
                "value": "64"
              }
            ],
            "repeated": 0,
            "id": 23575
          },
          {
            "timestamp": "2026-05-28 22:02:40,209",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000ac4"
              }
            ],
            "repeated": 0,
            "id": 23576
          },
          {
            "timestamp": "2026-05-28 22:02:40,209",
            "thread_id": "612",
            "caller": "0x7ff6c296e129",
            "parentcaller": "0x7ff6c296c7fa",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\conhost.exe"
              }
            ],
            "repeated": 0,
            "id": 23577
          },
          {
            "timestamp": "2026-05-28 22:02:40,209",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x292514f0002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "\\\\?\\C:\\Users\\admin\\AppData\\Local\\Discord\\app-1.0.9238\\modules\\discord_voice-1\\discord_voice\\gpu_encoder_helper.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 23578
          },
          {
            "timestamp": "2026-05-28 22:02:40,209",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x292514f0000"
              },
              {
                "name": "RegionSize",
                "value": "0x000de000"
              }
            ],
            "repeated": 0,
            "id": 23579
          },
          {
            "timestamp": "2026-05-28 22:02:40,209",
            "thread_id": "612",
            "caller": "0x7ff6c296e129",
            "parentcaller": "0x7ff6c296c7fa",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Users\\admin\\AppData\\Local\\Discord\\app-1.0.9238\\modules\\discord_voice-1\\discord_voice\\gpu_encoder_helper.exe"
              }
            ],
            "repeated": 0,
            "id": 23580
          },
          {
            "timestamp": "2026-05-28 22:02:40,209",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": false,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "\\??\\C:\\Windows\\system32\\conhost.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 23581
          },
          {
            "timestamp": "2026-05-28 22:02:40,209",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000ac4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\conhost.exe"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "1",
                "pretty_value": "FILE_SHARE_READ"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000080",
                "pretty_value": "FILE_ATTRIBUTE_NORMAL"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 23582
          },
          {
            "timestamp": "2026-05-28 22:02:40,209",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000ac4"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\System32\\conhost.exe"
              },
              {
                "name": "FileInformationClass",
                "value": "5",
                "pretty_value": "FileStandardInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\x00@\r\\x00\\x00\\x00\\x00\\x00\\x00<\r\\x00\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 23583
          },
          {
            "timestamp": "2026-05-28 22:02:40,209",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "filesystem",
            "api": "NtSetInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000ac4"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\System32\\conhost.exe"
              },
              {
                "name": "FileInformationClass",
                "value": "14",
                "pretty_value": "FilePositionInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 23584
          },
          {
            "timestamp": "2026-05-28 22:02:40,209",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "filesystem",
            "api": "NtReadFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000ac4"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\System32\\conhost.exe"
              },
              {
                "name": "Buffer",
                "value": "MZ"
              },
              {
                "name": "Length",
                "value": "2"
              }
            ],
            "repeated": 0,
            "id": 23585
          },
          {
            "timestamp": "2026-05-28 22:02:40,209",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "filesystem",
            "api": "NtSetInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000ac4"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\System32\\conhost.exe"
              },
              {
                "name": "FileInformationClass",
                "value": "14",
                "pretty_value": "FilePositionInformation"
              },
              {
                "name": "FileInformation",
                "value": "<\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 23586
          },
          {
            "timestamp": "2026-05-28 22:02:40,209",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "filesystem",
            "api": "NtReadFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000ac4"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\System32\\conhost.exe"
              },
              {
                "name": "Buffer",
                "value": "\\xf0\\x00\\x00\\x00"
              },
              {
                "name": "Length",
                "value": "4"
              }
            ],
            "repeated": 0,
            "id": 23587
          },
          {
            "timestamp": "2026-05-28 22:02:40,209",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "filesystem",
            "api": "NtSetInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000ac4"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\System32\\conhost.exe"
              },
              {
                "name": "FileInformationClass",
                "value": "14",
                "pretty_value": "FilePositionInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 23588
          },
          {
            "timestamp": "2026-05-28 22:02:40,209",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "filesystem",
            "api": "NtReadFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000ac4"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\System32\\conhost.exe"
              },
              {
                "name": "Buffer",
                "value": "PE\\x00\\x00d\\x86\\x07\\x00\\xdc6\\xe4/\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xf0\\x00\"\\x00\\x0b\\x02\\x0e\\x14\\x00\\xa2\t\\x00\\x00\\xcc\\x03\\x00\\x00\\x00\\x00\\x00P\\xf7\\x01\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00@\\x01\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x02\\x00\\x00"
              },
              {
                "name": "Length",
                "value": "64"
              }
            ],
            "repeated": 0,
            "id": 23589
          },
          {
            "timestamp": "2026-05-28 22:02:40,209",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000ac4"
              }
            ],
            "repeated": 0,
            "id": 23590
          },
          {
            "timestamp": "2026-05-28 22:02:40,209",
            "thread_id": "612",
            "caller": "0x7ff6c296e129",
            "parentcaller": "0x7ff6c296c7fa",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\conhost.exe"
              }
            ],
            "repeated": 0,
            "id": 23591
          },
          {
            "timestamp": "2026-05-28 22:02:40,209",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x292514f0002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "\\\\?\\C:\\Users\\admin\\AppData\\Local\\Discord\\app-1.0.9238\\modules\\discord_voice-1\\discord_voice\\gpu_encoder_helper.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 23592
          },
          {
            "timestamp": "2026-05-28 22:02:40,209",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x292514f0000"
              },
              {
                "name": "RegionSize",
                "value": "0x000de000"
              }
            ],
            "repeated": 0,
            "id": 23593
          },
          {
            "timestamp": "2026-05-28 22:02:40,209",
            "thread_id": "612",
            "caller": "0x7ff6c296e129",
            "parentcaller": "0x7ff6c296c7fa",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Users\\admin\\AppData\\Local\\Discord\\app-1.0.9238\\modules\\discord_voice-1\\discord_voice\\gpu_encoder_helper.exe"
              }
            ],
            "repeated": 0,
            "id": 23594
          },
          {
            "timestamp": "2026-05-28 22:02:40,209",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": false,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "\\??\\C:\\Windows\\system32\\conhost.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 23595
          },
          {
            "timestamp": "2026-05-28 22:02:40,209",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000ac4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\conhost.exe"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "1",
                "pretty_value": "FILE_SHARE_READ"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000080",
                "pretty_value": "FILE_ATTRIBUTE_NORMAL"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 23596
          },
          {
            "timestamp": "2026-05-28 22:02:40,209",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000ac4"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\System32\\conhost.exe"
              },
              {
                "name": "FileInformationClass",
                "value": "5",
                "pretty_value": "FileStandardInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\x00@\r\\x00\\x00\\x00\\x00\\x00\\x00<\r\\x00\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 23597
          },
          {
            "timestamp": "2026-05-28 22:02:40,209",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "filesystem",
            "api": "NtSetInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000ac4"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\System32\\conhost.exe"
              },
              {
                "name": "FileInformationClass",
                "value": "14",
                "pretty_value": "FilePositionInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 23598
          },
          {
            "timestamp": "2026-05-28 22:02:40,209",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "filesystem",
            "api": "NtReadFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000ac4"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\System32\\conhost.exe"
              },
              {
                "name": "Buffer",
                "value": "MZ"
              },
              {
                "name": "Length",
                "value": "2"
              }
            ],
            "repeated": 0,
            "id": 23599
          },
          {
            "timestamp": "2026-05-28 22:02:40,209",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "filesystem",
            "api": "NtSetInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000ac4"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\System32\\conhost.exe"
              },
              {
                "name": "FileInformationClass",
                "value": "14",
                "pretty_value": "FilePositionInformation"
              },
              {
                "name": "FileInformation",
                "value": "<\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 23600
          },
          {
            "timestamp": "2026-05-28 22:02:40,209",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "filesystem",
            "api": "NtReadFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000ac4"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\System32\\conhost.exe"
              },
              {
                "name": "Buffer",
                "value": "\\xf0\\x00\\x00\\x00"
              },
              {
                "name": "Length",
                "value": "4"
              }
            ],
            "repeated": 0,
            "id": 23601
          },
          {
            "timestamp": "2026-05-28 22:02:40,209",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "filesystem",
            "api": "NtSetInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000ac4"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\System32\\conhost.exe"
              },
              {
                "name": "FileInformationClass",
                "value": "14",
                "pretty_value": "FilePositionInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 23602
          },
          {
            "timestamp": "2026-05-28 22:02:40,209",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "filesystem",
            "api": "NtReadFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000ac4"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\System32\\conhost.exe"
              },
              {
                "name": "Buffer",
                "value": "PE\\x00\\x00d\\x86\\x07\\x00\\xdc6\\xe4/\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xf0\\x00\"\\x00\\x0b\\x02\\x0e\\x14\\x00\\xa2\t\\x00\\x00\\xcc\\x03\\x00\\x00\\x00\\x00\\x00P\\xf7\\x01\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00@\\x01\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x02\\x00\\x00"
              },
              {
                "name": "Length",
                "value": "64"
              }
            ],
            "repeated": 0,
            "id": 23603
          },
          {
            "timestamp": "2026-05-28 22:02:40,209",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000ac4"
              }
            ],
            "repeated": 0,
            "id": 23604
          },
          {
            "timestamp": "2026-05-28 22:02:40,209",
            "thread_id": "612",
            "caller": "0x7ff6c296e129",
            "parentcaller": "0x7ff6c296c7fa",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\conhost.exe"
              }
            ],
            "repeated": 0,
            "id": 23605
          },
          {
            "timestamp": "2026-05-28 22:02:40,209",
            "thread_id": "612",
            "caller": "0x7ff6c290d36c",
            "parentcaller": "0x7ff6c296c16e",
            "category": "registry",
            "api": "RegEnumValueW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000ac0"
              },
              {
                "name": "Index",
                "value": "2"
              },
              {
                "name": "ValueName",
                "value": "Steam"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "DataLength",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\Steam"
              }
            ],
            "repeated": 0,
            "id": 23606
          },
          {
            "timestamp": "2026-05-28 22:02:40,209",
            "thread_id": "612",
            "caller": "0x7ff6c290d20b",
            "parentcaller": "0x7ff6c296c1bd",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000ac0"
              },
              {
                "name": "ValueName",
                "value": "Steam"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\Steam"
              }
            ],
            "repeated": 0,
            "id": 23607
          },
          {
            "timestamp": "2026-05-28 22:02:40,209",
            "thread_id": "612",
            "caller": "0x7ff6c290d2e0",
            "parentcaller": "0x7ff6c296c1bd",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000ac0"
              },
              {
                "name": "ValueName",
                "value": "Steam"
              },
              {
                "name": "Data",
                "value": "\"C:\\Program Files (x86)\\Steam\\steam.exe\" -silent"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\Steam"
              }
            ],
            "repeated": 0,
            "id": 23608
          },
          {
            "timestamp": "2026-05-28 22:02:40,209",
            "thread_id": "612",
            "caller": "0x7ff6c296abc5",
            "parentcaller": "0x7ff6c296e244",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000057c"
              },
              {
                "name": "ValueName",
                "value": "Steam"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\StartupApproved\\Run\\Steam"
              }
            ],
            "repeated": 0,
            "id": 23609
          },
          {
            "timestamp": "2026-05-28 22:02:40,209",
            "thread_id": "612",
            "caller": "0x7ff6c290bbeb",
            "parentcaller": "0x7ff6c296cf53",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Program Files (x86)\\Steam\\steam.exe"
              }
            ],
            "repeated": 0,
            "id": 23610
          },
          {
            "timestamp": "2026-05-28 22:02:40,209",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x292514f0002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Program Files (x86)\\Steam\\steam.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 23611
          },
          {
            "timestamp": "2026-05-28 22:02:40,209",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x292514f0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00708000"
              }
            ],
            "repeated": 0,
            "id": 23612
          },
          {
            "timestamp": "2026-05-28 22:02:40,209",
            "thread_id": "612",
            "caller": "0x7ff6c28c9b37",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x292514f0002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Program Files (x86)\\Steam\\steam.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 23613
          },
          {
            "timestamp": "2026-05-28 22:02:40,209",
            "thread_id": "612",
            "caller": "0x7ff6c28c9b37",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x292514f0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00708000"
              }
            ],
            "repeated": 0,
            "id": 23614
          },
          {
            "timestamp": "2026-05-28 22:02:40,209",
            "thread_id": "612",
            "caller": "0x7ff6c296e129",
            "parentcaller": "0x7ff6c296d3aa",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Program Files (x86)\\Steam\\steam.exe"
              }
            ],
            "repeated": 1,
            "id": 23615
          },
          {
            "timestamp": "2026-05-28 22:02:40,209",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x292514f0002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Program Files (x86)\\Steam\\steam.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 23616
          },
          {
            "timestamp": "2026-05-28 22:02:40,209",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x292514f0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00708000"
              }
            ],
            "repeated": 0,
            "id": 23617
          },
          {
            "timestamp": "2026-05-28 22:02:40,209",
            "thread_id": "612",
            "caller": "0x7ff6c28c9b37",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x292514f0002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Program Files (x86)\\Steam\\steam.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 23618
          },
          {
            "timestamp": "2026-05-28 22:02:40,209",
            "thread_id": "612",
            "caller": "0x7ff6c28c9b37",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x292514f0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00708000"
              }
            ],
            "repeated": 0,
            "id": 23619
          },
          {
            "timestamp": "2026-05-28 22:02:40,209",
            "thread_id": "612",
            "caller": "0x7ff6c296e129",
            "parentcaller": "0x7ff6c296c7fa",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Program Files (x86)\\Steam\\steam.exe"
              }
            ],
            "repeated": 0,
            "id": 23620
          },
          {
            "timestamp": "2026-05-28 22:02:40,209",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": false,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": ".\\bin\\vulkandriverquery64.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 23621
          },
          {
            "timestamp": "2026-05-28 22:02:40,209",
            "thread_id": "612",
            "caller": "0x7ff6c296e129",
            "parentcaller": "0x7ff6c296c7fa",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": false,
            "return": "0xffffffffc000003a",
            "pretty_return": "OBJECT_PATH_NOT_FOUND",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\bin\\vulkandriverquery64.exe"
              }
            ],
            "repeated": 0,
            "id": 23622
          },
          {
            "timestamp": "2026-05-28 22:02:40,209",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": false,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "\\??\\C:\\Windows\\system32\\conhost.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 23623
          },
          {
            "timestamp": "2026-05-28 22:02:40,209",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000ac4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\conhost.exe"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "1",
                "pretty_value": "FILE_SHARE_READ"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000080",
                "pretty_value": "FILE_ATTRIBUTE_NORMAL"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 23624
          },
          {
            "timestamp": "2026-05-28 22:02:40,209",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000ac4"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\System32\\conhost.exe"
              },
              {
                "name": "FileInformationClass",
                "value": "5",
                "pretty_value": "FileStandardInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\x00@\r\\x00\\x00\\x00\\x00\\x00\\x00<\r\\x00\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 23625
          },
          {
            "timestamp": "2026-05-28 22:02:40,209",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "filesystem",
            "api": "NtSetInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000ac4"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\System32\\conhost.exe"
              },
              {
                "name": "FileInformationClass",
                "value": "14",
                "pretty_value": "FilePositionInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 23626
          },
          {
            "timestamp": "2026-05-28 22:02:40,209",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "filesystem",
            "api": "NtReadFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000ac4"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\System32\\conhost.exe"
              },
              {
                "name": "Buffer",
                "value": "MZ"
              },
              {
                "name": "Length",
                "value": "2"
              }
            ],
            "repeated": 0,
            "id": 23627
          },
          {
            "timestamp": "2026-05-28 22:02:40,209",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "filesystem",
            "api": "NtSetInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000ac4"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\System32\\conhost.exe"
              },
              {
                "name": "FileInformationClass",
                "value": "14",
                "pretty_value": "FilePositionInformation"
              },
              {
                "name": "FileInformation",
                "value": "<\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 23628
          },
          {
            "timestamp": "2026-05-28 22:02:40,209",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "filesystem",
            "api": "NtReadFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000ac4"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\System32\\conhost.exe"
              },
              {
                "name": "Buffer",
                "value": "\\xf0\\x00\\x00\\x00"
              },
              {
                "name": "Length",
                "value": "4"
              }
            ],
            "repeated": 0,
            "id": 23629
          },
          {
            "timestamp": "2026-05-28 22:02:40,209",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "filesystem",
            "api": "NtSetInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000ac4"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\System32\\conhost.exe"
              },
              {
                "name": "FileInformationClass",
                "value": "14",
                "pretty_value": "FilePositionInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 23630
          },
          {
            "timestamp": "2026-05-28 22:02:40,209",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "filesystem",
            "api": "NtReadFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000ac4"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\System32\\conhost.exe"
              },
              {
                "name": "Buffer",
                "value": "PE\\x00\\x00d\\x86\\x07\\x00\\xdc6\\xe4/\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xf0\\x00\"\\x00\\x0b\\x02\\x0e\\x14\\x00\\xa2\t\\x00\\x00\\xcc\\x03\\x00\\x00\\x00\\x00\\x00P\\xf7\\x01\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00@\\x01\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x02\\x00\\x00"
              },
              {
                "name": "Length",
                "value": "64"
              }
            ],
            "repeated": 0,
            "id": 23631
          },
          {
            "timestamp": "2026-05-28 22:02:40,209",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000ac4"
              }
            ],
            "repeated": 0,
            "id": 23632
          },
          {
            "timestamp": "2026-05-28 22:02:40,209",
            "thread_id": "612",
            "caller": "0x7ff6c296e129",
            "parentcaller": "0x7ff6c296c7fa",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\conhost.exe"
              }
            ],
            "repeated": 0,
            "id": 23633
          },
          {
            "timestamp": "2026-05-28 22:02:40,209",
            "thread_id": "612",
            "caller": "0x7ff6c290bbeb",
            "parentcaller": "0x7ff6c296c7b4",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Program Files (x86)\\Steam\\bin\\cef\\cef.win64\\steamwebhelper.exe"
              }
            ],
            "repeated": 0,
            "id": 23634
          },
          {
            "timestamp": "2026-05-28 22:02:40,209",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29255930002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Program Files (x86)\\Steam\\bin\\cef\\cef.win64\\steamwebhelper.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 23635
          },
          {
            "timestamp": "2026-05-28 22:02:40,209",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29255930000"
              },
              {
                "name": "RegionSize",
                "value": "0x008f9000"
              }
            ],
            "repeated": 0,
            "id": 23636
          },
          {
            "timestamp": "2026-05-28 22:02:40,209",
            "thread_id": "612",
            "caller": "0x7ff6c28c9b37",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29255930002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Program Files (x86)\\Steam\\bin\\cef\\cef.win64\\steamwebhelper.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 23637
          },
          {
            "timestamp": "2026-05-28 22:02:40,209",
            "thread_id": "612",
            "caller": "0x7ff6c28c9b37",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29255930000"
              },
              {
                "name": "RegionSize",
                "value": "0x008f9000"
              }
            ],
            "repeated": 0,
            "id": 23638
          },
          {
            "timestamp": "2026-05-28 22:02:40,209",
            "thread_id": "612",
            "caller": "0x7ff6c296e129",
            "parentcaller": "0x7ff6c296c7fa",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Program Files (x86)\\Steam\\bin\\cef\\cef.win64\\steamwebhelper.exe"
              }
            ],
            "repeated": 1,
            "id": 23639
          },
          {
            "timestamp": "2026-05-28 22:02:40,209",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29255930002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Program Files (x86)\\Steam\\bin\\cef\\cef.win64\\steamwebhelper.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 23640
          },
          {
            "timestamp": "2026-05-28 22:02:40,225",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29255930000"
              },
              {
                "name": "RegionSize",
                "value": "0x008f9000"
              }
            ],
            "repeated": 0,
            "id": 23641
          },
          {
            "timestamp": "2026-05-28 22:02:40,225",
            "thread_id": "612",
            "caller": "0x7ff6c28c9b37",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29255930002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Program Files (x86)\\Steam\\bin\\cef\\cef.win64\\steamwebhelper.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 23642
          },
          {
            "timestamp": "2026-05-28 22:02:40,225",
            "thread_id": "612",
            "caller": "0x7ff6c28c9b37",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29255930000"
              },
              {
                "name": "RegionSize",
                "value": "0x008f9000"
              }
            ],
            "repeated": 0,
            "id": 23643
          },
          {
            "timestamp": "2026-05-28 22:02:40,225",
            "thread_id": "612",
            "caller": "0x7ff6c296e129",
            "parentcaller": "0x7ff6c296c7fa",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Program Files (x86)\\Steam\\bin\\cef\\cef.win64\\steamwebhelper.exe"
              }
            ],
            "repeated": 1,
            "id": 23644
          },
          {
            "timestamp": "2026-05-28 22:02:40,225",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29255930002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Program Files (x86)\\Steam\\bin\\cef\\cef.win64\\steamwebhelper.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 23645
          },
          {
            "timestamp": "2026-05-28 22:02:40,225",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29255930000"
              },
              {
                "name": "RegionSize",
                "value": "0x008f9000"
              }
            ],
            "repeated": 0,
            "id": 23646
          },
          {
            "timestamp": "2026-05-28 22:02:40,225",
            "thread_id": "612",
            "caller": "0x7ff6c28c9b37",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29255930002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Program Files (x86)\\Steam\\bin\\cef\\cef.win64\\steamwebhelper.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 23647
          },
          {
            "timestamp": "2026-05-28 22:02:40,225",
            "thread_id": "612",
            "caller": "0x7ff6c28c9b37",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29255930000"
              },
              {
                "name": "RegionSize",
                "value": "0x008f9000"
              }
            ],
            "repeated": 0,
            "id": 23648
          },
          {
            "timestamp": "2026-05-28 22:02:40,225",
            "thread_id": "612",
            "caller": "0x7ff6c296e129",
            "parentcaller": "0x7ff6c296c7fa",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Program Files (x86)\\Steam\\bin\\cef\\cef.win64\\steamwebhelper.exe"
              }
            ],
            "repeated": 1,
            "id": 23649
          },
          {
            "timestamp": "2026-05-28 22:02:40,225",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29255930002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Program Files (x86)\\Steam\\bin\\cef\\cef.win64\\steamwebhelper.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 23650
          },
          {
            "timestamp": "2026-05-28 22:02:40,225",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29255930000"
              },
              {
                "name": "RegionSize",
                "value": "0x008f9000"
              }
            ],
            "repeated": 0,
            "id": 23651
          },
          {
            "timestamp": "2026-05-28 22:02:40,225",
            "thread_id": "612",
            "caller": "0x7ff6c28c9b37",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29255930002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Program Files (x86)\\Steam\\bin\\cef\\cef.win64\\steamwebhelper.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 23652
          },
          {
            "timestamp": "2026-05-28 22:02:40,225",
            "thread_id": "612",
            "caller": "0x7ff6c28c9b37",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29255930000"
              },
              {
                "name": "RegionSize",
                "value": "0x008f9000"
              }
            ],
            "repeated": 0,
            "id": 23653
          },
          {
            "timestamp": "2026-05-28 22:02:40,225",
            "thread_id": "612",
            "caller": "0x7ff6c296e129",
            "parentcaller": "0x7ff6c296c7fa",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Program Files (x86)\\Steam\\bin\\cef\\cef.win64\\steamwebhelper.exe"
              }
            ],
            "repeated": 1,
            "id": 23654
          },
          {
            "timestamp": "2026-05-28 22:02:40,225",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29255930002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Program Files (x86)\\Steam\\bin\\cef\\cef.win64\\steamwebhelper.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 23655
          },
          {
            "timestamp": "2026-05-28 22:02:40,225",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29255930000"
              },
              {
                "name": "RegionSize",
                "value": "0x008f9000"
              }
            ],
            "repeated": 0,
            "id": 23656
          },
          {
            "timestamp": "2026-05-28 22:02:40,225",
            "thread_id": "612",
            "caller": "0x7ff6c28c9b37",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29255930002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Program Files (x86)\\Steam\\bin\\cef\\cef.win64\\steamwebhelper.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 23657
          },
          {
            "timestamp": "2026-05-28 22:02:40,225",
            "thread_id": "612",
            "caller": "0x7ff6c28c9b37",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29255930000"
              },
              {
                "name": "RegionSize",
                "value": "0x008f9000"
              }
            ],
            "repeated": 0,
            "id": 23658
          },
          {
            "timestamp": "2026-05-28 22:02:40,225",
            "thread_id": "612",
            "caller": "0x7ff6c296e129",
            "parentcaller": "0x7ff6c296c7fa",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Program Files (x86)\\Steam\\bin\\cef\\cef.win64\\steamwebhelper.exe"
              }
            ],
            "repeated": 1,
            "id": 23659
          },
          {
            "timestamp": "2026-05-28 22:02:40,225",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29255930002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Program Files (x86)\\Steam\\bin\\cef\\cef.win64\\steamwebhelper.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 23660
          },
          {
            "timestamp": "2026-05-28 22:02:40,225",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29255930000"
              },
              {
                "name": "RegionSize",
                "value": "0x008f9000"
              }
            ],
            "repeated": 0,
            "id": 23661
          },
          {
            "timestamp": "2026-05-28 22:02:40,225",
            "thread_id": "612",
            "caller": "0x7ff6c28c9b37",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29255930002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Program Files (x86)\\Steam\\bin\\cef\\cef.win64\\steamwebhelper.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 23662
          },
          {
            "timestamp": "2026-05-28 22:02:40,225",
            "thread_id": "612",
            "caller": "0x7ff6c28c9b37",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29255930000"
              },
              {
                "name": "RegionSize",
                "value": "0x008f9000"
              }
            ],
            "repeated": 0,
            "id": 23663
          },
          {
            "timestamp": "2026-05-28 22:02:40,225",
            "thread_id": "612",
            "caller": "0x7ff6c296e129",
            "parentcaller": "0x7ff6c296c7fa",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Program Files (x86)\\Steam\\bin\\cef\\cef.win64\\steamwebhelper.exe"
              }
            ],
            "repeated": 1,
            "id": 23664
          },
          {
            "timestamp": "2026-05-28 22:02:40,225",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29255930002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Program Files (x86)\\Steam\\bin\\cef\\cef.win64\\steamwebhelper.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 23665
          },
          {
            "timestamp": "2026-05-28 22:02:40,225",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29255930000"
              },
              {
                "name": "RegionSize",
                "value": "0x008f9000"
              }
            ],
            "repeated": 0,
            "id": 23666
          },
          {
            "timestamp": "2026-05-28 22:02:40,225",
            "thread_id": "612",
            "caller": "0x7ff6c28c9b37",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29255930002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Program Files (x86)\\Steam\\bin\\cef\\cef.win64\\steamwebhelper.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 23667
          },
          {
            "timestamp": "2026-05-28 22:02:40,225",
            "thread_id": "612",
            "caller": "0x7ff6c28c9b37",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29255930000"
              },
              {
                "name": "RegionSize",
                "value": "0x008f9000"
              }
            ],
            "repeated": 0,
            "id": 23668
          },
          {
            "timestamp": "2026-05-28 22:02:40,225",
            "thread_id": "612",
            "caller": "0x7ff6c296e129",
            "parentcaller": "0x7ff6c296c7fa",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Program Files (x86)\\Steam\\bin\\cef\\cef.win64\\steamwebhelper.exe"
              }
            ],
            "repeated": 1,
            "id": 23669
          },
          {
            "timestamp": "2026-05-28 22:02:40,225",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29255930002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Program Files (x86)\\Steam\\bin\\cef\\cef.win64\\steamwebhelper.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 23670
          },
          {
            "timestamp": "2026-05-28 22:02:40,225",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29255930000"
              },
              {
                "name": "RegionSize",
                "value": "0x008f9000"
              }
            ],
            "repeated": 0,
            "id": 23671
          },
          {
            "timestamp": "2026-05-28 22:02:40,225",
            "thread_id": "612",
            "caller": "0x7ff6c28c9b37",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29255930002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Program Files (x86)\\Steam\\bin\\cef\\cef.win64\\steamwebhelper.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 23672
          },
          {
            "timestamp": "2026-05-28 22:02:40,225",
            "thread_id": "612",
            "caller": "0x7ff6c28c9b37",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29255930000"
              },
              {
                "name": "RegionSize",
                "value": "0x008f9000"
              }
            ],
            "repeated": 0,
            "id": 23673
          },
          {
            "timestamp": "2026-05-28 22:02:40,225",
            "thread_id": "612",
            "caller": "0x7ff6c296e129",
            "parentcaller": "0x7ff6c296c7fa",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Program Files (x86)\\Steam\\bin\\cef\\cef.win64\\steamwebhelper.exe"
              }
            ],
            "repeated": 1,
            "id": 23674
          },
          {
            "timestamp": "2026-05-28 22:02:40,225",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29255930002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Program Files (x86)\\Steam\\bin\\cef\\cef.win64\\steamwebhelper.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 23675
          },
          {
            "timestamp": "2026-05-28 22:02:40,225",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29255930000"
              },
              {
                "name": "RegionSize",
                "value": "0x008f9000"
              }
            ],
            "repeated": 0,
            "id": 23676
          },
          {
            "timestamp": "2026-05-28 22:02:40,225",
            "thread_id": "612",
            "caller": "0x7ff6c28c9b37",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29255930002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Program Files (x86)\\Steam\\bin\\cef\\cef.win64\\steamwebhelper.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 23677
          },
          {
            "timestamp": "2026-05-28 22:02:40,225",
            "thread_id": "612",
            "caller": "0x7ff6c28c9b37",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29255930000"
              },
              {
                "name": "RegionSize",
                "value": "0x008f9000"
              }
            ],
            "repeated": 0,
            "id": 23678
          },
          {
            "timestamp": "2026-05-28 22:02:40,225",
            "thread_id": "612",
            "caller": "0x7ff6c296e129",
            "parentcaller": "0x7ff6c296c7fa",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Program Files (x86)\\Steam\\bin\\cef\\cef.win64\\steamwebhelper.exe"
              }
            ],
            "repeated": 0,
            "id": 23679
          },
          {
            "timestamp": "2026-05-28 22:02:40,225",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": false,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": ".\\bin\\vulkandriverquery.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 23680
          },
          {
            "timestamp": "2026-05-28 22:02:40,225",
            "thread_id": "612",
            "caller": "0x7ff6c296e129",
            "parentcaller": "0x7ff6c296c7fa",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": false,
            "return": "0xffffffffc000003a",
            "pretty_return": "OBJECT_PATH_NOT_FOUND",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\bin\\vulkandriverquery.exe"
              }
            ],
            "repeated": 0,
            "id": 23681
          },
          {
            "timestamp": "2026-05-28 22:02:40,225",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": false,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "\\??\\C:\\Windows\\system32\\conhost.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 23682
          },
          {
            "timestamp": "2026-05-28 22:02:40,225",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000ac4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\conhost.exe"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "1",
                "pretty_value": "FILE_SHARE_READ"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000080",
                "pretty_value": "FILE_ATTRIBUTE_NORMAL"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 23683
          },
          {
            "timestamp": "2026-05-28 22:02:40,225",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000ac4"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\System32\\conhost.exe"
              },
              {
                "name": "FileInformationClass",
                "value": "5",
                "pretty_value": "FileStandardInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\x00@\r\\x00\\x00\\x00\\x00\\x00\\x00<\r\\x00\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 23684
          },
          {
            "timestamp": "2026-05-28 22:02:40,225",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "filesystem",
            "api": "NtSetInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000ac4"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\System32\\conhost.exe"
              },
              {
                "name": "FileInformationClass",
                "value": "14",
                "pretty_value": "FilePositionInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 23685
          },
          {
            "timestamp": "2026-05-28 22:02:40,225",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "filesystem",
            "api": "NtReadFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000ac4"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\System32\\conhost.exe"
              },
              {
                "name": "Buffer",
                "value": "MZ"
              },
              {
                "name": "Length",
                "value": "2"
              }
            ],
            "repeated": 0,
            "id": 23686
          },
          {
            "timestamp": "2026-05-28 22:02:40,225",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "filesystem",
            "api": "NtSetInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000ac4"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\System32\\conhost.exe"
              },
              {
                "name": "FileInformationClass",
                "value": "14",
                "pretty_value": "FilePositionInformation"
              },
              {
                "name": "FileInformation",
                "value": "<\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 23687
          },
          {
            "timestamp": "2026-05-28 22:02:40,225",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "filesystem",
            "api": "NtReadFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000ac4"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\System32\\conhost.exe"
              },
              {
                "name": "Buffer",
                "value": "\\xf0\\x00\\x00\\x00"
              },
              {
                "name": "Length",
                "value": "4"
              }
            ],
            "repeated": 0,
            "id": 23688
          },
          {
            "timestamp": "2026-05-28 22:02:40,225",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "filesystem",
            "api": "NtSetInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000ac4"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\System32\\conhost.exe"
              },
              {
                "name": "FileInformationClass",
                "value": "14",
                "pretty_value": "FilePositionInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 23689
          },
          {
            "timestamp": "2026-05-28 22:02:40,225",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "filesystem",
            "api": "NtReadFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000ac4"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\System32\\conhost.exe"
              },
              {
                "name": "Buffer",
                "value": "PE\\x00\\x00d\\x86\\x07\\x00\\xdc6\\xe4/\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xf0\\x00\"\\x00\\x0b\\x02\\x0e\\x14\\x00\\xa2\t\\x00\\x00\\xcc\\x03\\x00\\x00\\x00\\x00\\x00P\\xf7\\x01\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00@\\x01\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x02\\x00\\x00"
              },
              {
                "name": "Length",
                "value": "64"
              }
            ],
            "repeated": 0,
            "id": 23690
          },
          {
            "timestamp": "2026-05-28 22:02:40,225",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000ac4"
              }
            ],
            "repeated": 0,
            "id": 23691
          },
          {
            "timestamp": "2026-05-28 22:02:40,225",
            "thread_id": "612",
            "caller": "0x7ff6c296e129",
            "parentcaller": "0x7ff6c296c7fa",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\conhost.exe"
              }
            ],
            "repeated": 0,
            "id": 23692
          },
          {
            "timestamp": "2026-05-28 22:02:40,225",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": false,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": ".\\bin\\gldriverquery64.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 23693
          },
          {
            "timestamp": "2026-05-28 22:02:40,225",
            "thread_id": "612",
            "caller": "0x7ff6c296e129",
            "parentcaller": "0x7ff6c296c7fa",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": false,
            "return": "0xffffffffc000003a",
            "pretty_return": "OBJECT_PATH_NOT_FOUND",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\bin\\gldriverquery64.exe"
              }
            ],
            "repeated": 0,
            "id": 23694
          },
          {
            "timestamp": "2026-05-28 22:02:40,225",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": false,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": ".\\bin\\gldriverquery.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 23695
          },
          {
            "timestamp": "2026-05-28 22:02:40,225",
            "thread_id": "612",
            "caller": "0x7ff6c296e129",
            "parentcaller": "0x7ff6c296c7fa",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": false,
            "return": "0xffffffffc000003a",
            "pretty_return": "OBJECT_PATH_NOT_FOUND",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\bin\\gldriverquery.exe"
              }
            ],
            "repeated": 0,
            "id": 23696
          },
          {
            "timestamp": "2026-05-28 22:02:40,225",
            "thread_id": "612",
            "caller": "0x7ff6c290bbeb",
            "parentcaller": "0x7ff6c296c7b4",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Program Files (x86)\\Steam\\steamsysinfo.exe"
              }
            ],
            "repeated": 0,
            "id": 23697
          },
          {
            "timestamp": "2026-05-28 22:02:40,225",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x292514f0002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Program Files (x86)\\Steam\\steamsysinfo.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 23698
          },
          {
            "timestamp": "2026-05-28 22:02:40,225",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x292514f0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00149000"
              }
            ],
            "repeated": 0,
            "id": 23699
          },
          {
            "timestamp": "2026-05-28 22:02:40,225",
            "thread_id": "612",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000001",
                "pretty_value": "HKEY_CURRENT_USER"
              },
              {
                "name": "SubKey",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume"
              },
              {
                "name": "Handle",
                "value": "0x00000ac4"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume"
              }
            ],
            "repeated": 0,
            "id": 23700
          },
          {
            "timestamp": "2026-05-28 22:02:40,225",
            "thread_id": "612",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000ac4"
              },
              {
                "name": "SubKey",
                "value": "{528c102f-0000-0000-0000-300300000000}\\"
              },
              {
                "name": "Handle",
                "value": "0x00000ac8"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{528c102f-0000-0000-0000-300300000000}\\"
              }
            ],
            "repeated": 0,
            "id": 23701
          },
          {
            "timestamp": "2026-05-28 22:02:40,225",
            "thread_id": "612",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000ac4"
              }
            ],
            "repeated": 0,
            "id": 23702
          },
          {
            "timestamp": "2026-05-28 22:02:40,225",
            "thread_id": "612",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000ac8"
              },
              {
                "name": "ValueName",
                "value": "Generation"
              },
              {
                "name": "Data",
                "value": "1"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{528c102f-0000-0000-0000-300300000000}\\Generation"
              }
            ],
            "repeated": 0,
            "id": 23703
          },
          {
            "timestamp": "2026-05-28 22:02:40,225",
            "thread_id": "612",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000ac8"
              }
            ],
            "repeated": 0,
            "id": 23704
          },
          {
            "timestamp": "2026-05-28 22:02:40,225",
            "thread_id": "612",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000ac8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100081",
                "pretty_value": "FILE_READ_ACCESS|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 23705
          },
          {
            "timestamp": "2026-05-28 22:02:40,225",
            "thread_id": "612",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": false,
            "return": "0xffffffffc000000d",
            "pretty_return": "INVALID_PARAMETER",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000ac8"
              },
              {
                "name": "HandleName",
                "value": "C:\\"
              },
              {
                "name": "FileInformationClass",
                "value": "55",
                "pretty_value": "FileReplaceCompletionInformation"
              },
              {
                "name": "FileInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 23706
          },
          {
            "timestamp": "2026-05-28 22:02:40,225",
            "thread_id": "612",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "filesystem",
            "api": "NtQueryDirectoryFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000ac8"
              },
              {
                "name": "FileInformation",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xbeAb\\xc8\\xde\\xac\\xd5\\x01\\x9e\\x9a\\x01\\xc8\\xea\\xee\\xdc\\x01\\xb2\\x020C\\x00\\xef\\xdc\\x01\\xb2\\x020C\\x00\\xef\\xdc\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x11\\x00\\x00\\x00&\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00P\\x00R\\x00O\\x00G\\x00R\\x00A\\x00~\\x002\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xc9\\x04\\x00\\x00\\x00\\x00\\x01\\x00P\\x00r\\x00o\\x00g\\x00r\\x00a\\x00m\\x00 \\x00F\\x00i\\x00l\\x00e\\x00s\\x00 \\x00(\\x00x\\x008\\x006\\x00)\\x00"
              },
              {
                "name": "FileName",
                "value": "C:\\Program Files (x86)"
              },
              {
                "name": "FileInformationClass",
                "value": "37",
                "pretty_value": "FileIdBothDirectoryInformation"
              }
            ],
            "repeated": 0,
            "id": 23707
          },
          {
            "timestamp": "2026-05-28 22:02:40,225",
            "thread_id": "612",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000ac8"
              }
            ],
            "repeated": 0,
            "id": 23708
          },
          {
            "timestamp": "2026-05-28 22:02:40,225",
            "thread_id": "612",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 23709
          },
          {
            "timestamp": "2026-05-28 22:02:40,225",
            "thread_id": "612",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000ac8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100081",
                "pretty_value": "FILE_READ_ACCESS|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Program Files (x86)"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 23710
          },
          {
            "timestamp": "2026-05-28 22:02:40,225",
            "thread_id": "612",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": false,
            "return": "0xffffffffc000000d",
            "pretty_return": "INVALID_PARAMETER",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000ac8"
              },
              {
                "name": "HandleName",
                "value": "C:\\Program Files (x86)"
              },
              {
                "name": "FileInformationClass",
                "value": "55",
                "pretty_value": "FileReplaceCompletionInformation"
              },
              {
                "name": "FileInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 23711
          },
          {
            "timestamp": "2026-05-28 22:02:40,225",
            "thread_id": "612",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "filesystem",
            "api": "NtQueryDirectoryFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000ac8"
              },
              {
                "name": "FileInformation",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb2\\x020C\\x00\\xef\\xdc\\x01t \\x17\\xa2\\xed\\xee\\xdc\\x01%\r\\xe5\\xa0\\xed\\xee\\xdc\\x01%\r\\xe5\\xa0\\xed\\xee\\xdc\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\n\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x1d\\xf7\\x01\\x00\\x00\\x00\\x02\\x00S\\x00t\\x00e\\x00a\\x00m\\x00"
              },
              {
                "name": "FileName",
                "value": "C:\\Program Files (x86)\\Steam"
              },
              {
                "name": "FileInformationClass",
                "value": "37",
                "pretty_value": "FileIdBothDirectoryInformation"
              }
            ],
            "repeated": 0,
            "id": 23712
          },
          {
            "timestamp": "2026-05-28 22:02:40,225",
            "thread_id": "612",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000ac8"
              }
            ],
            "repeated": 0,
            "id": 23713
          },
          {
            "timestamp": "2026-05-28 22:02:40,225",
            "thread_id": "612",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 23714
          },
          {
            "timestamp": "2026-05-28 22:02:40,225",
            "thread_id": "612",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000ac8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100081",
                "pretty_value": "FILE_READ_ACCESS|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Program Files (x86)\\Steam"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 23715
          },
          {
            "timestamp": "2026-05-28 22:02:40,225",
            "thread_id": "612",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": false,
            "return": "0xffffffffc000000d",
            "pretty_return": "INVALID_PARAMETER",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000ac8"
              },
              {
                "name": "HandleName",
                "value": "C:\\Program Files (x86)\\Steam"
              },
              {
                "name": "FileInformationClass",
                "value": "55",
                "pretty_value": "FileReplaceCompletionInformation"
              },
              {
                "name": "FileInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 23716
          },
          {
            "timestamp": "2026-05-28 22:02:40,225",
            "thread_id": "612",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "filesystem",
            "api": "NtQueryDirectoryFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000ac8"
              },
              {
                "name": "FileInformation",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xe1T\\xbaK\\x00\\xef\\xdc\\x01&\\xe9\\x1c&\\xeb\\xee\\xdc\\x01\\x00ro\\x15(\\xee\\xdc\\x01\\x06K,d\\x00\\xef\\xdc\\x01\\x98\\xfe\\x13\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x14\\x00\\x00\\x00\\x00\\x00 \\x00\\x00\\x00 \\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x18\\x00S\\x00T\\x00E\\x00A\\x00M\\x00S\\x00~\\x001\\x00.\\x00E\\x00X\\x00E\\x00\\x00\\x00-)\\x02\\x00\\x00\\x00\\x01\\x00s\\x00t\\x00e\\x00a\\x00m\\x00s\\x00y\\x00s\\x00i\\x00n\\x00f\\x00o\\x00.\\x00e\\x00x\\x00e\\x00"
              },
              {
                "name": "FileName",
                "value": "C:\\Program Files (x86)\\Steam\\steamsysinfo.exe"
              },
              {
                "name": "FileInformationClass",
                "value": "37",
                "pretty_value": "FileIdBothDirectoryInformation"
              }
            ],
            "repeated": 0,
            "id": 23717
          },
          {
            "timestamp": "2026-05-28 22:02:40,225",
            "thread_id": "612",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c291c5c6",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000ac8"
              }
            ],
            "repeated": 0,
            "id": 23718
          },
          {
            "timestamp": "2026-05-28 22:02:40,225",
            "thread_id": "612",
            "caller": "0x7ff6c296e129",
            "parentcaller": "0x7ff6c296c7fa",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Program Files (x86)\\Steam\\steamsysinfo.exe"
              }
            ],
            "repeated": 0,
            "id": 23719
          },
          {
            "timestamp": "2026-05-28 22:02:40,225",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": false,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "\\??\\C:\\Windows\\system32\\conhost.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 23720
          },
          {
            "timestamp": "2026-05-28 22:02:40,225",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000ac8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\conhost.exe"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "1",
                "pretty_value": "FILE_SHARE_READ"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000080",
                "pretty_value": "FILE_ATTRIBUTE_NORMAL"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 23721
          },
          {
            "timestamp": "2026-05-28 22:02:40,225",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000ac8"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\System32\\conhost.exe"
              },
              {
                "name": "FileInformationClass",
                "value": "5",
                "pretty_value": "FileStandardInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\x00@\r\\x00\\x00\\x00\\x00\\x00\\x00<\r\\x00\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 23722
          },
          {
            "timestamp": "2026-05-28 22:02:40,225",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "filesystem",
            "api": "NtSetInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000ac8"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\System32\\conhost.exe"
              },
              {
                "name": "FileInformationClass",
                "value": "14",
                "pretty_value": "FilePositionInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 23723
          },
          {
            "timestamp": "2026-05-28 22:02:40,225",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "filesystem",
            "api": "NtReadFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000ac8"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\System32\\conhost.exe"
              },
              {
                "name": "Buffer",
                "value": "MZ"
              },
              {
                "name": "Length",
                "value": "2"
              }
            ],
            "repeated": 0,
            "id": 23724
          },
          {
            "timestamp": "2026-05-28 22:02:40,225",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "filesystem",
            "api": "NtSetInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000ac8"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\System32\\conhost.exe"
              },
              {
                "name": "FileInformationClass",
                "value": "14",
                "pretty_value": "FilePositionInformation"
              },
              {
                "name": "FileInformation",
                "value": "<\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 23725
          },
          {
            "timestamp": "2026-05-28 22:02:40,225",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "filesystem",
            "api": "NtReadFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000ac8"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\System32\\conhost.exe"
              },
              {
                "name": "Buffer",
                "value": "\\xf0\\x00\\x00\\x00"
              },
              {
                "name": "Length",
                "value": "4"
              }
            ],
            "repeated": 0,
            "id": 23726
          },
          {
            "timestamp": "2026-05-28 22:02:40,225",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "filesystem",
            "api": "NtSetInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000ac8"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\System32\\conhost.exe"
              },
              {
                "name": "FileInformationClass",
                "value": "14",
                "pretty_value": "FilePositionInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 23727
          },
          {
            "timestamp": "2026-05-28 22:02:40,225",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "filesystem",
            "api": "NtReadFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000ac8"
              },
              {
                "name": "HandleName",
                "value": "C:\\Windows\\System32\\conhost.exe"
              },
              {
                "name": "Buffer",
                "value": "PE\\x00\\x00d\\x86\\x07\\x00\\xdc6\\xe4/\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xf0\\x00\"\\x00\\x0b\\x02\\x0e\\x14\\x00\\xa2\t\\x00\\x00\\xcc\\x03\\x00\\x00\\x00\\x00\\x00P\\xf7\\x01\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00@\\x01\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x02\\x00\\x00"
              },
              {
                "name": "Length",
                "value": "64"
              }
            ],
            "repeated": 0,
            "id": 23728
          },
          {
            "timestamp": "2026-05-28 22:02:40,225",
            "thread_id": "612",
            "caller": "0x7ff6c28c9af9",
            "parentcaller": "0x7ff6c296d4e8",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000ac8"
              }
            ],
            "repeated": 0,
            "id": 23729
          },
          {
            "timestamp": "2026-05-28 22:02:40,225",
            "thread_id": "612",
            "caller": "0x7ff6c296e129",
            "parentcaller": "0x7ff6c296c7fa",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\conhost.exe"
              }
            ],
            "repeated": 0,
            "id": 23730
          },
          {
            "timestamp": "2026-05-28 22:02:40,225",
            "thread_id": "612",
            "caller": "0x7ff6c28f7900",
            "parentcaller": "0x7ff6c296c4b1",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000ac0"
              }
            ],
            "repeated": 0,
            "id": 23731
          },
          {
            "timestamp": "2026-05-28 22:02:40,225",
            "thread_id": "612",
            "caller": "0x7ff6c296c455",
            "parentcaller": "0x7ff6c296e63c",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "Software\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Run"
              },
              {
                "name": "Handle",
                "value": "0x00000ac0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Run"
              }
            ],
            "repeated": 0,
            "id": 23732
          },
          {
            "timestamp": "2026-05-28 22:02:40,225",
            "thread_id": "612",
            "caller": "0x7ff6c296c0df",
            "parentcaller": "0x7ff6c296c48a",
            "category": "registry",
            "api": "RegQueryInfoKeyW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000ac0"
              },
              {
                "name": "Class",
                "value": ""
              },
              {
                "name": "SubKeyCount",
                "value": "0"
              },
              {
                "name": "MaxSubKeyLength",
                "value": "0"
              },
              {
                "name": "MaxClassLength",
                "value": "0"
              },
              {
                "name": "ValueCount",
                "value": "0"
              },
              {
                "name": "MaxValueNameLength",
                "value": "0"
              },
              {
                "name": "MaxValueLength",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 23733
          },
          {
            "timestamp": "2026-05-28 22:02:40,225",
            "thread_id": "612",
            "caller": "0x7ff6c28f7900",
            "parentcaller": "0x7ff6c296c4b1",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000ac0"
              }
            ],
            "repeated": 0,
            "id": 23734
          },
          {
            "timestamp": "2026-05-28 22:02:40,225",
            "thread_id": "612",
            "caller": "0x7ff6c2969c51",
            "parentcaller": "0x7ff6c296bdac",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000ac0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020119",
                "pretty_value": "KEY_QUERY_VALUE|KEY_ENUMERATE_SUB_KEYS|KEY_NOTIFY|KEY_WOW64_64KEY|STANDARD_RIGHTS_REQUIRED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000003d8"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Windows.ApplicationModel.Internal.StartupTaskInternal"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.ApplicationModel.Internal.StartupTaskInternal"
              }
            ],
            "repeated": 0,
            "id": 23735
          },
          {
            "timestamp": "2026-05-28 22:02:40,225",
            "thread_id": "612",
            "caller": "0x7ff6c2969c51",
            "parentcaller": "0x7ff6c296bdac",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000ac0"
              },
              {
                "name": "KeyInformation",
                "value": "\\xff97\\xfffc\\xffe7\\xffe6\\xfff8\\xffee\\xffdc\\x01\\x00\\x00\\x00\\x00j\\x00\\x00\\x00W\\x00i\\x00n\\x00d\\x00o\\x00w\\x00s\\x00.\\x00A\\x00p\\x00p\\x00l\\x00i\\x00c\\x00a\\x00t\\x00i\\x00o\\x00n\\x00M\\x00o\\x00d\\x00e\\x00l\\x00.\\x00I\\x00n\\x00t\\x00e\\x00r\\x00n\\x00a\\x00l\\x00.\\x00S\\x00t\\x00a\\x00r\\x00t\\x00u\\x00p\\x00T\\x00a\\x00s\\x00k\\x00I\\x00n\\x00t\\x00e\\x00r\\x00n\\x00a\\x00l\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x1fN\\xff92\\x02\\x00\\x00y\\xffec\\xffff\\xff9d\\xfff0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xffa0\\x14\\x03N\\xff92\\x02\\x00\\x00\\x00\\x00\\x03N\\xff92\\x02\\x00\\x00\\x00\\x00\\x03N\\xff92\\x02\\x00\\x00\\xffc4\\x02\\x03N\\xff92\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\xff92\\x02\\x00\\x00\\xff90\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xffc0\\x0c\\x03N\\xff92\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xffb0E\\xffe7w\\xfffc\\x7f\\x00\\x00\\xffa8\\xffe2\\xff9eT\\xff92\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00P\\xffed\\xffff\\xff9d\\xfff0\\x00\\x00\\x00\\xff87\\xff9d\\xffbbw\\xfffc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\xff92\\x02\\x00\\x00\\xff80B\\xffa0T\\xff92\\x02\\x00\\x00\\xff80\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xff80\\xffe2\\xff9eT\\xff92\\x02\\x00\\x00\\xff80B\\xffa0T\\xff92\\x02\\x00\\x00`\\xffdc\\x1eT\\xff92\\x02\\x00\\x00\\xffc7\\xffb3\\xffffw\\xfffc\\x7f\\x00\\x00\\x00\\x00\\x03N\\xff92\\x02\\x00\\x00\\xfff6s\\xffbbw\\xfffc\\x7f\\x00\\x00\\x10\\x1c\\xff9aT\\xff92\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xffff\\xffff\\xffff\\xffff\\xffff\\xffff\\xffff\\xffff`\\xffdc\\x1eT\\xff92\\x02\\x00\\x00p\\xff98\\xffe4T\\xff92\\x02\\x00\\x00p\\xff98\\xffe4T\\xff92\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xff80B\\xffa0T\\xff92\\x02\\x00\\x
00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xff92\\x02\\x00\\x006\\xff8c\\xffc6w\\xfffc\\x7f\\x00\\x00p\\xffcd\\xffd2T\\xff92\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\xfff0\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00@\\xffee\\xffff\\xff9d\\xfff0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00@\\xffee\\xffff\\xff9d\\xfff0\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 23736
          },
          {
            "timestamp": "2026-05-28 22:02:40,225",
            "thread_id": "612",
            "caller": "0x7ff6c2969c51",
            "parentcaller": "0x7ff6c296bdac",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000ac0"
              },
              {
                "name": "ValueName",
                "value": "ActivationType"
              },
              {
                "name": "Data",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.ApplicationModel.Internal.StartupTaskInternal\\ActivationType"
              }
            ],
            "repeated": 0,
            "id": 23737
          },
          {
            "timestamp": "2026-05-28 22:02:40,225",
            "thread_id": "612",
            "caller": "0x7ff6c2969c51",
            "parentcaller": "0x7ff6c296bdac",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000ac0"
              },
              {
                "name": "ValueName",
                "value": "Server"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.ApplicationModel.Internal.StartupTaskInternal\\Server"
              }
            ],
            "repeated": 0,
            "id": 23738
          },
          {
            "timestamp": "2026-05-28 22:02:40,225",
            "thread_id": "612",
            "caller": "0x7ff6c2969c51",
            "parentcaller": "0x7ff6c296bdac",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000ac0"
              },
              {
                "name": "ValueName",
                "value": "DllPath"
              },
              {
                "name": "Data",
                "value": "C:\\Windows\\System32\\Windows.ApplicationModel.dll"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.ApplicationModel.Internal.StartupTaskInternal\\DllPath"
              }
            ],
            "repeated": 0,
            "id": 23739
          },
          {
            "timestamp": "2026-05-28 22:02:40,225",
            "thread_id": "612",
            "caller": "0x7ff6c2969c51",
            "parentcaller": "0x7ff6c296bdac",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000ac0"
              },
              {
                "name": "ValueName",
                "value": "Threading"
              },
              {
                "name": "Data",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.ApplicationModel.Internal.StartupTaskInternal\\Threading"
              }
            ],
            "repeated": 0,
            "id": 23740
          },
          {
            "timestamp": "2026-05-28 22:02:40,225",
            "thread_id": "612",
            "caller": "0x7ff6c2969c51",
            "parentcaller": "0x7ff6c296bdac",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000ac0"
              },
              {
                "name": "ValueName",
                "value": "TrustLevel"
              },
              {
                "name": "Data",
                "value": "1"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.ApplicationModel.Internal.StartupTaskInternal\\TrustLevel"
              }
            ],
            "repeated": 0,
            "id": 23741
          },
          {
            "timestamp": "2026-05-28 22:02:40,225",
            "thread_id": "612",
            "caller": "0x7ff6c2969c51",
            "parentcaller": "0x7ff6c296bdac",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000ac0"
              },
              {
                "name": "SubKey",
                "value": "CustomAttributes"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.ApplicationModel.Internal.StartupTaskInternal\\CustomAttributes"
              }
            ],
            "repeated": 0,
            "id": 23742
          },
          {
            "timestamp": "2026-05-28 22:02:40,225",
            "thread_id": "612",
            "caller": "0x7ff6c2969c51",
            "parentcaller": "0x7ff6c296bdac",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000ac0"
              },
              {
                "name": "ValueName",
                "value": "RemoteServer"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.ApplicationModel.Internal.StartupTaskInternal\\RemoteServer"
              }
            ],
            "repeated": 0,
            "id": 23743
          },
          {
            "timestamp": "2026-05-28 22:02:40,225",
            "thread_id": "612",
            "caller": "0x7ff6c2969c51",
            "parentcaller": "0x7ff6c296bdac",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000ac0"
              },
              {
                "name": "ValueName",
                "value": "ActivateAsUser"
              },
              {
                "name": "Data",
                "value": "1"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.ApplicationModel.Internal.StartupTaskInternal\\ActivateAsUser"
              }
            ],
            "repeated": 0,
            "id": 23744
          },
          {
            "timestamp": "2026-05-28 22:02:40,225",
            "thread_id": "612",
            "caller": "0x7ff6c2969c51",
            "parentcaller": "0x7ff6c296bdac",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000ac0"
              },
              {
                "name": "ValueName",
                "value": "ActivateInSharedBroker"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.ApplicationModel.Internal.StartupTaskInternal\\ActivateInSharedBroker"
              }
            ],
            "repeated": 0,
            "id": 23745
          },
          {
            "timestamp": "2026-05-28 22:02:40,225",
            "thread_id": "612",
            "caller": "0x7ff6c2969c51",
            "parentcaller": "0x7ff6c296bdac",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000ac0"
              },
              {
                "name": "ValueName",
                "value": "ActivateInBrokerForMediumILContainer"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.ApplicationModel.Internal.StartupTaskInternal\\ActivateInBrokerForMediumILContainer"
              }
            ],
            "repeated": 0,
            "id": 23746
          },
          {
            "timestamp": "2026-05-28 22:02:40,225",
            "thread_id": "612",
            "caller": "0x7ff6c2969c51",
            "parentcaller": "0x7ff6c296bdac",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000ac0"
              },
              {
                "name": "ValueName",
                "value": "Permissions"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.ApplicationModel.Internal.StartupTaskInternal\\Permissions"
              }
            ],
            "repeated": 0,
            "id": 23747
          },
          {
            "timestamp": "2026-05-28 22:02:40,225",
            "thread_id": "612",
            "caller": "0x7ff6c2969c51",
            "parentcaller": "0x7ff6c296bdac",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000ac0"
              },
              {
                "name": "ValueName",
                "value": "ActivateOnHostFlags"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.ApplicationModel.Internal.StartupTaskInternal\\ActivateOnHostFlags"
              }
            ],
            "repeated": 0,
            "id": 23748
          },
          {
            "timestamp": "2026-05-28 22:02:40,225",
            "thread_id": "612",
            "caller": "0x7ff6c2969c51",
            "parentcaller": "0x7ff6c296bdac",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000ac0"
              }
            ],
            "repeated": 0,
            "id": 23749
          },
          {
            "timestamp": "2026-05-28 22:02:40,225",
            "thread_id": "612",
            "caller": "0x7ff6c2969cb5",
            "parentcaller": "0x7ff6c296bdac",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0000000a"
              },
              {
                "name": "TokenHandle",
                "value": "0x00000ac0"
              }
            ],
            "repeated": 0,
            "id": 23750
          },
          {
            "timestamp": "2026-05-28 22:02:40,225",
            "thread_id": "612",
            "caller": "0x7ff6c2969cb5",
            "parentcaller": "0x7ff6c296bdac",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000ac0"
              }
            ],
            "repeated": 0,
            "id": 23751
          },
          {
            "timestamp": "2026-05-28 22:02:40,225",
            "thread_id": "612",
            "caller": "0x7ff6c2969cb5",
            "parentcaller": "0x7ff6c296bdac",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000ac0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80000000",
                "pretty_value": "0x80000000"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Microsoft\\SecurityManager\\AdminCapabilities"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\SecurityManager\\AdminCapabilities"
              }
            ],
            "repeated": 0,
            "id": 23752
          },
          {
            "timestamp": "2026-05-28 22:02:40,225",
            "thread_id": "612",
            "caller": "0x7ff6c2969cb5",
            "parentcaller": "0x7ff6c296bdac",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "P\\xf2\\xff\\x9d\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xfc\\x7f\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\xe9\\x03\\x00\\x00 \\x02\\x00\\x00\\xcc\\xabE\\x83K\\x87\\x085\\xde\\x03\\x85\\x97Bd\\x958\\x98\\x1cd{b\\xa4\\xe7M\\xfeUia\\x00\\x00\\x18\\x00\\x01\\x00\\x00\\x00\\x01\\x02\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 23753
          },
          {
            "timestamp": "2026-05-28 22:02:40,225",
            "thread_id": "612",
            "caller": "0x7ff6c2969cb5",
            "parentcaller": "0x7ff6c296bdac",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000ac0"
              }
            ],
            "repeated": 0,
            "id": 23754
          },
          {
            "timestamp": "2026-05-28 22:02:40,225",
            "thread_id": "612",
            "caller": "0x7ff6c2969cb5",
            "parentcaller": "0x7ff6c296bdac",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000ac8"
              }
            ],
            "repeated": 0,
            "id": 23755
          },
          {
            "timestamp": "2026-05-28 22:02:40,225",
            "thread_id": "612",
            "caller": "0x7ff6c2969cb5",
            "parentcaller": "0x7ff6c296bdac",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0000000a"
              },
              {
                "name": "TokenHandle",
                "value": "0x00000ac8"
              }
            ],
            "repeated": 0,
            "id": 23756
          },
          {
            "timestamp": "2026-05-28 22:02:40,225",
            "thread_id": "612",
            "caller": "0x7ff6c2969cb5",
            "parentcaller": "0x7ff6c296bdac",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000ac8"
              }
            ],
            "repeated": 0,
            "id": 23757
          },
          {
            "timestamp": "2026-05-28 22:02:40,225",
            "thread_id": "612",
            "caller": "0x7ff6c2969cb5",
            "parentcaller": "0x7ff6c296bdac",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000ac8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80000000",
                "pretty_value": "0x80000000"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Microsoft\\SecurityManager\\AdminCapabilities"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\SecurityManager\\AdminCapabilities"
              }
            ],
            "repeated": 0,
            "id": 23758
          },
          {
            "timestamp": "2026-05-28 22:02:40,225",
            "thread_id": "612",
            "caller": "0x7ff6c2969cb5",
            "parentcaller": "0x7ff6c296bdac",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\x10\\xf2\\xff\\x9d\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xfc\\x7f\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\xe9\\x03\\x00\\x00 \\x02\\x00\\x00\\xcc\\xabE\\x83K\\x87\\x085\\xde\\x03\\x85\\x97Bd\\x958\\x98\\x1cd{b\\xa4\\xe7M\\xfeUia\\x00\\x00\\x18\\x00\\x01\\x00\\x00\\x00\\x01\\x02\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 23759
          },
          {
            "timestamp": "2026-05-28 22:02:40,225",
            "thread_id": "612",
            "caller": "0x7ff6c2969cb5",
            "parentcaller": "0x7ff6c296bdac",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000ac8"
              }
            ],
            "repeated": 0,
            "id": 23760
          },
          {
            "timestamp": "2026-05-28 22:02:40,225",
            "thread_id": "612",
            "caller": "0x7ff6c2969cb5",
            "parentcaller": "0x7ff6c296bdac",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000ac0"
              }
            ],
            "repeated": 0,
            "id": 23761
          },
          {
            "timestamp": "2026-05-28 22:02:40,225",
            "thread_id": "612",
            "caller": "0x7ff6c2969cb5",
            "parentcaller": "0x7ff6c296bdac",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "0",
                "pretty_value": "ThreadBasicInformation"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x03\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00p\\x87\\x9d\\xf0\\x00\\x00\\x00\\xe8\\x1e\\x00\\x00\\x00\\x00\\x00\\x00d\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\n\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "612"
              }
            ],
            "repeated": 0,
            "id": 23762
          },
          {
            "timestamp": "2026-05-28 22:02:40,225",
            "thread_id": "3700",
            "caller": "0x7ffc7571ebae",
            "parentcaller": "0x7ffc775f84de",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "0",
                "pretty_value": "ThreadBasicInformation"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x03\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xf0\\x87\\x9d\\xf0\\x00\\x00\\x00\\xe8\\x1e\\x00\\x00\\x00\\x00\\x00\\x00t\\x0e\\x00\\x00\\x00\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x0b\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "3700"
              }
            ],
            "repeated": 0,
            "id": 23763
          },
          {
            "timestamp": "2026-05-28 22:02:40,225",
            "thread_id": "3700",
            "caller": "0x7ffc77c2dd9d",
            "parentcaller": "0x7ffc77bc7428",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000ab8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020119",
                "pretty_value": "KEY_QUERY_VALUE|KEY_ENUMERATE_SUB_KEYS|KEY_NOTIFY|KEY_WOW64_64KEY|STANDARD_RIGHTS_REQUIRED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000003d8"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Windows.Internal.StateRepository.ApplicationExtension"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.ApplicationExtension"
              }
            ],
            "repeated": 0,
            "id": 23764
          },
          {
            "timestamp": "2026-05-28 22:02:40,225",
            "thread_id": "3700",
            "caller": "0x7ffc77c2ddf7",
            "parentcaller": "0x7ffc77bc7428",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000ab8"
              },
              {
                "name": "KeyInformation",
                "value": "y\\x1f\\x10\\xffd4\\xffde\\xffac\\xffd5\\x01\\x00\\x00\\x00\\x00j\\x00\\x00\\x00W\\x00i\\x00n\\x00d\\x00o\\x00w\\x00s\\x00.\\x00I\\x00n\\x00t\\x00e\\x00r\\x00n\\x00a\\x00l\\x00.\\x00S\\x00t\\x00a\\x00t\\x00e\\x00R\\x00e\\x00p\\x00o\\x00s\\x00i\\x00t\\x00o\\x00r\\x00y\\x00.\\x00A\\x00p\\x00p\\x00l\\x00i\\x00c\\x00a\\x00t\\x00i\\x00o\\x00n\\x00E\\x00x\\x00t\\x00e\\x00n\\x00s\\x00i\\x00o\\x00n\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x1fN\\xff92\\x02\\x00\\x00I\\xffe8\\x1f\\xff9e\\xfff0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xffa0\\x14\\x03N\\xff92\\x02\\x00\\x00\\x00\\x00\\x03N\\xff92\\x02\\x00\\x00\\x00\\x00\\x03N\\xff92\\x02\\x00\\x00\\xffc4\\x02\\x03N\\xff92\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\xff92\\x02\\x00\\x00\\xff90\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xffc0\\x0c\\x03N\\xff92\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xffb0E\\xffe7w\\xfffc\\x7f\\x00\\x00h\\xffe0\\xff9eT\\xff92\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00 
\\xffe9\\x1f\\xff9e\\xfff0\\x00\\x00\\x00\\xff87\\xff9d\\xffbbw\\xfffc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\xff92\\x02\\x00\\x00\\x006\\xffa0T\\xff92\\x02\\x00\\x00\\xff80\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00@\\xffe0\\xff9eT\\xff92\\x02\\x00\\x00\\x006\\xffa0T\\xff92\\x02\\x00\\x00\\xffe0\\xffda\\x1eT\\xff92\\x02\\x00\\x00\\xffc7\\xffb3\\xffffw\\xfffc\\x7f\\x00\\x00\\x00\\x00\\x03N\\xff92\\x02\\x00\\x00\\xfff6s\\xffbbw\\xfffc\\x7f\\x00\\x00\\xff90\\x08\\xff9aT\\xff92\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xffff\\xffff\\xffff\\xffff\\xffff\\xffff\\xffff\\xffff\\xffe0\\xffda\\x1eT\\xff92\\x02\\x00\\x00\\xffb0\\xff96\\xffe4T\\xff92\\x02\\x00\\x00\\xffb0\\xff96\\xffe4T\\xff92\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x006\\xffa0T\\xff92\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xff92\\x02\\x00\\x006\\xff8c\\xffc6w\\xfffc\\x7f\\x00\\x00P\\xffd4\\xffd2T\\xff92\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\xfff0\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\xffea\\x1f\\xff9e\\xfff0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\xffea\\x1f\\xff9e\\xfff0\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 23765
          },
          {
            "timestamp": "2026-05-28 22:02:40,225",
            "thread_id": "3700",
            "caller": "0x7ffc756e2e92",
            "parentcaller": "0x7ffc77c29cb2",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000ab8"
              },
              {
                "name": "ValueName",
                "value": "ActivationType"
              },
              {
                "name": "Data",
                "value": "1"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.ApplicationExtension\\ActivationType"
              }
            ],
            "repeated": 0,
            "id": 23766
          },
          {
            "timestamp": "2026-05-28 22:02:40,225",
            "thread_id": "3700",
            "caller": "0x7ffc77b87deb",
            "parentcaller": "0x7ffc77c38ff0",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000ab8"
              },
              {
                "name": "ValueName",
                "value": "Server"
              },
              {
                "name": "Data",
                "value": "StateRepository"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.ApplicationExtension\\Server"
              }
            ],
            "repeated": 0,
            "id": 23767
          },
          {
            "timestamp": "2026-05-28 22:02:40,225",
            "thread_id": "3700",
            "caller": "0x7ffc77b87deb",
            "parentcaller": "0x7ffc77c400bb",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000ab8"
              },
              {
                "name": "ValueName",
                "value": "DllPath"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.ApplicationExtension\\DllPath"
              }
            ],
            "repeated": 0,
            "id": 23768
          },
          {
            "timestamp": "2026-05-28 22:02:40,225",
            "thread_id": "3700",
            "caller": "0x7ffc756e2e92",
            "parentcaller": "0x7ffc77c29cb2",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000ab8"
              },
              {
                "name": "ValueName",
                "value": "Threading"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.ApplicationExtension\\Threading"
              }
            ],
            "repeated": 0,
            "id": 23769
          },
          {
            "timestamp": "2026-05-28 22:02:40,225",
            "thread_id": "3700",
            "caller": "0x7ffc756e2e92",
            "parentcaller": "0x7ffc77c29cb2",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000ab8"
              },
              {
                "name": "ValueName",
                "value": "TrustLevel"
              },
              {
                "name": "Data",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.ApplicationExtension\\TrustLevel"
              }
            ],
            "repeated": 0,
            "id": 23770
          },
          {
            "timestamp": "2026-05-28 22:02:40,225",
            "thread_id": "3700",
            "caller": "0x7ffc77b8c0fc",
            "parentcaller": "0x7ffc77c24170",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000ab8"
              },
              {
                "name": "SubKey",
                "value": "CustomAttributes"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.ApplicationExtension\\CustomAttributes"
              }
            ],
            "repeated": 0,
            "id": 23771
          },
          {
            "timestamp": "2026-05-28 22:02:40,225",
            "thread_id": "3700",
            "caller": "0x7ffc77b87deb",
            "parentcaller": "0x7ffc77c38ff0",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000ab8"
              },
              {
                "name": "ValueName",
                "value": "RemoteServer"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.ApplicationExtension\\RemoteServer"
              }
            ],
            "repeated": 0,
            "id": 23772
          },
          {
            "timestamp": "2026-05-28 22:02:40,225",
            "thread_id": "3700",
            "caller": "0x7ffc756e2e92",
            "parentcaller": "0x7ffc77c29cb2",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000ab8"
              },
              {
                "name": "ValueName",
                "value": "ActivateAsUser"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.ApplicationExtension\\ActivateAsUser"
              }
            ],
            "repeated": 0,
            "id": 23773
          },
          {
            "timestamp": "2026-05-28 22:02:40,225",
            "thread_id": "3700",
            "caller": "0x7ffc756e2e92",
            "parentcaller": "0x7ffc77c29cb2",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000ab8"
              },
              {
                "name": "ValueName",
                "value": "ActivateInSharedBroker"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.ApplicationExtension\\ActivateInSharedBroker"
              }
            ],
            "repeated": 0,
            "id": 23774
          },
          {
            "timestamp": "2026-05-28 22:02:40,225",
            "thread_id": "3700",
            "caller": "0x7ffc756e2e92",
            "parentcaller": "0x7ffc77c29cb2",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000ab8"
              },
              {
                "name": "ValueName",
                "value": "ActivateInBrokerForMediumILContainer"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.ApplicationExtension\\ActivateInBrokerForMediumILContainer"
              }
            ],
            "repeated": 0,
            "id": 23775
          },
          {
            "timestamp": "2026-05-28 22:02:40,225",
            "thread_id": "3700",
            "caller": "0x7ffc756e2e92",
            "parentcaller": "0x7ffc77c32222",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000ab8"
              },
              {
                "name": "ValueName",
                "value": "Permissions"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.ApplicationExtension\\Permissions"
              }
            ],
            "repeated": 0,
            "id": 23776
          },
          {
            "timestamp": "2026-05-28 22:02:40,225",
            "thread_id": "3700",
            "caller": "0x7ffc756e2e92",
            "parentcaller": "0x7ffc77c29cb2",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000ab8"
              },
              {
                "name": "ValueName",
                "value": "ActivateOnHostFlags"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.ApplicationExtension\\ActivateOnHostFlags"
              }
            ],
            "repeated": 0,
            "id": 23777
          },
          {
            "timestamp": "2026-05-28 22:02:40,225",
            "thread_id": "3700",
            "caller": "0x7ffc77c2dd9d",
            "parentcaller": "0x7ffc77bc7428",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000ac4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020119",
                "pretty_value": "KEY_QUERY_VALUE|KEY_ENUMERATE_SUB_KEYS|KEY_NOTIFY|KEY_WOW64_64KEY|STANDARD_RIGHTS_REQUIRED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000006d8"
              },
              {
                "name": "ObjectAttributesName",
                "value": "StateRepository"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\Server\\StateRepository"
              }
            ],
            "repeated": 0,
            "id": 23778
          },
          {
            "timestamp": "2026-05-28 22:02:40,225",
            "thread_id": "3700",
            "caller": "0x7ffc77c2ddf7",
            "parentcaller": "0x7ffc77bc7428",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000ac4"
              },
              {
                "name": "KeyInformation",
                "value": "\\xffcek|\\xffd3\\xffde\\xffac\\xffd5\\x01\\x00\\x00\\x00\\x00\\x1e\\x00\\x00\\x00S\\x00t\\x00a\\x00t\\x00e\\x00R\\x00e\\x00p\\x00o\\x00s\\x00i\\x00t\\x00o\\x00r\\x00y\\x00\\x00\\x00h\\x00\\x00\\x00\\x00\\x00\\x00\\x00k\\xffb8\\xffffw\\xfffc\\x7f\\x00\\x00\\x02\\x00\\x1c\\x00\\x02\\x00\\x00\\x00\\xffb4\\x00\\x00\\x00\\x00\\x00\\x00\\x00@\\xff91\\xff8eT\\xff92\\x02\\x00\\x00\\xffc7\\xffb3\\xffffw\\xfffc\\x7f\\x00\\x00\\x00\\x00\\x03N\\xff92\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xffa0\\x14\\x03N\\xff92\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x03N\\xff92\\x02\\x00\\x00\\xffc4\\x02\\x03N\\xff92\\x02\\x00\\x00\\xffe0\\x13\\x03N\\xff92\\x02\\x00\\x00\\xff90\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xffc0\\x0c\\x03N\\xff92\\x02\\x00\\x00\\xffc0\\x02\\x03N\\xff92\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xff90\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xff80\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xffb0C\\xffe7w\\xfffc\\x7f\\x00\\x00\\xffa8\\xffe2\\xff9eT\\xff92\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00p\\xffe5\\x1f\\xff9e\\xfff0\\x00\\x00\\x00\\xff87\\xff9d\\xffbbw\\xfffc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\xff92\\x02\\x00\\x00\\xff90\\xffd5\\xffd2T\\xff92\\x02\\x00\\x00\\xff90\\x1c\\xff9aT\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xff80\\xffe2\\xff9eT\\xff92\\x02\\x00\\x00\\xff90\\xffd5\\xffd2T\\xff92\\x02\\x00\\x00 \\xffce\\x1eT\\xff92\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xff90\\x1c\\xff9aT\\xff92\\x02\\x00\\x00kj\\xffbbw\\xfffc\\x7f\\x00\\x00`\\xffd4\\x1eT\\xff92\\x02\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\xff86\\xffe4T\\xff92\\x02\\x00\\x00 
\\xffce\\x1eT\\xff92\\x02\\x00\\x00\\x10\\xff86\\xffe4T\\xff92\\x02\\x00\\x00\\x10\\xff86\\xffe4T\\xff92\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xff90\\xffd5\\xffd2T\\xff92\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x004\\x00\\x00\\x00\\x00\\x00\\x00\\x00@\\xff86\\xffe4T\\xff92\\x02\\x00\\x00\\xffe3r\\xffbbw\\xfffc\\x7f\\x00\\x00\\xff80\\xffe2\\xff9eT\\xff92\\x02\\x00\\x00\\xffb8\\xffe6\\x1f\\xff9e\\xfff0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\xff86\\xffe4T\\xff92\\x02\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00E\\xffae\\xffc3w\\xfffc\\x7f\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 23779
          },
          {
            "timestamp": "2026-05-28 22:02:40,225",
            "thread_id": "3700",
            "caller": "0x7ffc77b87deb",
            "parentcaller": "0x7ffc77c400bb",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000ac4"
              },
              {
                "name": "ValueName",
                "value": "ExePath"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\Server\\StateRepository\\ExePath"
              }
            ],
            "repeated": 0,
            "id": 23780
          },
          {
            "timestamp": "2026-05-28 22:02:40,225",
            "thread_id": "3700",
            "caller": "0x7ffc77b87deb",
            "parentcaller": "0x7ffc77c400bb",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000ac4"
              },
              {
                "name": "ValueName",
                "value": "CommandLine"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\Server\\StateRepository\\CommandLine"
              }
            ],
            "repeated": 0,
            "id": 23781
          },
          {
            "timestamp": "2026-05-28 22:02:40,225",
            "thread_id": "3700",
            "caller": "0x7ffc756e2e92",
            "parentcaller": "0x7ffc77c29cb2",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000ac4"
              },
              {
                "name": "ValueName",
                "value": "IdentityType"
              },
              {
                "name": "Data",
                "value": "1"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\Server\\StateRepository\\IdentityType"
              }
            ],
            "repeated": 0,
            "id": 23782
          },
          {
            "timestamp": "2026-05-28 22:02:40,225",
            "thread_id": "3700",
            "caller": "0x7ffc756e2e92",
            "parentcaller": "0x7ffc77c32222",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x000000ea",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000ac4"
              },
              {
                "name": "ValueName",
                "value": "Permissions"
              },
              {
                "name": "Type",
                "value": "0x7ffc00000003"
              },
              {
                "name": "DataLength",
                "value": "184"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\Server\\StateRepository\\Permissions"
              }
            ],
            "repeated": 0,
            "id": 23783
          },
          {
            "timestamp": "2026-05-28 22:02:40,225",
            "thread_id": "3700",
            "caller": "0x7ffc756e2e92",
            "parentcaller": "0x7ffc77c32222",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000ac4"
              },
              {
                "name": "ValueName",
                "value": "Permissions"
              },
              {
                "name": "Data",
                "value": "\\x01\\x00\\x14\\x80\\x9c\\x00\\x00\\x00\\xa8\\x00\\x00\\x00\\x14\\x00\\x00\\x000\\x00\\x00\\x00\\x02\\x00\\x1c\\x00\\x01\\x00\\x00\\x00\\x11\\x00\\x14\\x00\\x04\\x00\\x00\\x00\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x10\\x00\\x00\\x02\\x00l\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x14\\x00\\x1f\\x00\\x00\\x00\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x18\\x00\\x1f\\x00\\x00\\x00\\x01\\x02\\x00\\x00\\x00\\x00\\x00\\x0f\\x02\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x008\\x00\\x1f\\x00\\x00\\x00\\x01\n\\x00\\x00\\x00\\x00\\x00\\x0f\\x03\\x00\\x00\\x00\\x00\\x04\\x00\\x00\\xceJ\\x93Y\\xb9\\xcf\\x0buu\\xc0\\xf2\\x9b\\xb2\\xb4\\xc2\\x98\\xd4F\\xdd\\xf9\\x02z\\x87\\xec\\x14e\\x11w\\xd6\\xe9\\x96U\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x05\n\\x00\\x00\\x00\\x01\\x02\\x00\\x00\\x00\\x00\\x00\\x05 \\x00\\x00\\x00!\\x02\\x00\\x00"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\Server\\StateRepository\\Permissions"
              }
            ],
            "repeated": 0,
            "id": 23784
          },
          {
            "timestamp": "2026-05-28 22:02:40,225",
            "thread_id": "3700",
            "caller": "0x7ffc77b87deb",
            "parentcaller": "0x7ffc77c49d80",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000ac4"
              },
              {
                "name": "ValueName",
                "value": "ActivatableClasses"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\Server\\StateRepository\\ActivatableClasses"
              }
            ],
            "repeated": 0,
            "id": 23785
          },
          {
            "timestamp": "2026-05-28 22:02:40,225",
            "thread_id": "3700",
            "caller": "0x7ffc756e2e92",
            "parentcaller": "0x7ffc77c29cb2",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000ac4"
              },
              {
                "name": "ValueName",
                "value": "ServerType"
              },
              {
                "name": "Data",
                "value": "2"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\Server\\StateRepository\\ServerType"
              }
            ],
            "repeated": 0,
            "id": 23786
          },
          {
            "timestamp": "2026-05-28 22:02:40,225",
            "thread_id": "3700",
            "caller": "0x7ffc77b87deb",
            "parentcaller": "0x7ffc77c38ff0",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000ac4"
              },
              {
                "name": "ValueName",
                "value": "AppId"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\Server\\StateRepository\\AppId"
              }
            ],
            "repeated": 0,
            "id": 23787
          },
          {
            "timestamp": "2026-05-28 22:02:40,225",
            "thread_id": "3700",
            "caller": "0x7ffc77b87deb",
            "parentcaller": "0x7ffc77c38ff0",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000ac4"
              },
              {
                "name": "ValueName",
                "value": "Identity"
              },
              {
                "name": "Data",
                "value": "nt authority\\system"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\Server\\StateRepository\\Identity"
              }
            ],
            "repeated": 0,
            "id": 23788
          },
          {
            "timestamp": "2026-05-28 22:02:40,225",
            "thread_id": "3700",
            "caller": "0x7ffc77b87deb",
            "parentcaller": "0x7ffc77c38ff0",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000ac4"
              },
              {
                "name": "ValueName",
                "value": "ServiceName"
              },
              {
                "name": "Data",
                "value": "StateRepository"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\Server\\StateRepository\\ServiceName"
              }
            ],
            "repeated": 0,
            "id": 23789
          },
          {
            "timestamp": "2026-05-28 22:02:40,225",
            "thread_id": "3700",
            "caller": "0x7ffc756e2e92",
            "parentcaller": "0x7ffc77c29cb2",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000ac4"
              },
              {
                "name": "ValueName",
                "value": "ExplicitPsmActivationType"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\Server\\StateRepository\\ExplicitPsmActivationType"
              }
            ],
            "repeated": 0,
            "id": 23790
          },
          {
            "timestamp": "2026-05-28 22:02:40,225",
            "thread_id": "3700",
            "caller": "0x7ffc77b8c0fc",
            "parentcaller": "0x7ffc77c24170",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000ac4"
              },
              {
                "name": "SubKey",
                "value": "CustomAttributes"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\Server\\StateRepository\\CustomAttributes"
              }
            ],
            "repeated": 0,
            "id": 23791
          },
          {
            "timestamp": "2026-05-28 22:02:40,225",
            "thread_id": "3700",
            "caller": "0x7ffc77c27226",
            "parentcaller": "0x7ffc77c2ca23",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000ac4"
              }
            ],
            "repeated": 0,
            "id": 23792
          },
          {
            "timestamp": "2026-05-28 22:02:40,225",
            "thread_id": "3700",
            "caller": "0x7ffc77c27226",
            "parentcaller": "0x7ffc77c2ca23",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000ab8"
              }
            ],
            "repeated": 0,
            "id": 23793
          },
          {
            "timestamp": "2026-05-28 22:02:40,225",
            "thread_id": "3700",
            "caller": "0x7ffc77be92b9",
            "parentcaller": "0x7ffc77c2224d",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "00000339-0000-0000-C000-000000000046"
              },
              {
                "name": "ClsContext",
                "value": "0x00000403",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER|CLSCTX_NO_CODE_DOWNLOAD"
              },
              {
                "name": "riid",
                "value": "00000003-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 23794
          },
          {
            "timestamp": "2026-05-28 22:02:40,225",
            "thread_id": "3700",
            "caller": "0x7ffc77ba7b74",
            "parentcaller": "0x7ffc77ba53d4",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x000002ca"
              },
              {
                "name": "SubKey",
                "value": "CLSID\\{C53E07EC-25F3-4093-AA39-FC67EA22E99D}"
              },
              {
                "name": "Handle",
                "value": "0x00000aca"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{C53E07EC-25F3-4093-AA39-FC67EA22E99D}"
              }
            ],
            "repeated": 0,
            "id": 23795
          },
          {
            "timestamp": "2026-05-28 22:02:40,225",
            "thread_id": "3700",
            "caller": "0x7ffc756e45a7",
            "parentcaller": "0x7ffc756e0705",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000aca"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\CLSID\\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 23796
          },
          {
            "timestamp": "2026-05-28 22:02:40,225",
            "thread_id": "3700",
            "caller": "0x7ffc756e2314",
            "parentcaller": "0x7ffc756e0732",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000aca"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 23797
          },
          {
            "timestamp": "2026-05-28 22:02:40,225",
            "thread_id": "3700",
            "caller": "0x7ffc78006c8b",
            "parentcaller": "0x7ffc756e23a0",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xe0\\xc0\\x1f\\x9e\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xfc\\x7f\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\xe9\\x03\\x00\\x00\\xfc\\x7f\\x00\\x00\\xb8\\xcf\\xd93\\xfc\\x7f\\x00\\x00\\xca\n\\x00\\x00\\x00\\x00\\x00\\x00\\xe0\\xd2\\xd93\\xfc\\x7f\\x00\\x00\\x04\\x00\\x00\\x00\\xf0\\x00\\x00\\x00\\xe0\\xc1\\x1f\\x9e\\xf0\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 23798
          },
          {
            "timestamp": "2026-05-28 22:02:40,225",
            "thread_id": "3700",
            "caller": "0x7ffc756e24a8",
            "parentcaller": "0x7ffc756e0732",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3968686040-3210279463-847977608-1001_Classes\\CLSID\\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}\\TreatAs"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}\\TreatAs"
              }
            ],
            "repeated": 0,
            "id": 23799
          },
          {
            "timestamp": "2026-05-28 22:02:40,225",
            "thread_id": "3700",
            "caller": "0x7ffc756e40c4",
            "parentcaller": "0x7ffc756e25c4",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000aca"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 23800
          },
          {
            "timestamp": "2026-05-28 22:02:40,225",
            "thread_id": "3700",
            "caller": "0x7ffc756e25e2",
            "parentcaller": "0x7ffc756e0732",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000aca"
              },
              {
                "name": "ObjectAttributesName",
                "value": "TreatAs"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}\\TreatAs"
              }
            ],
            "repeated": 0,
            "id": 23801
          },
          {
            "timestamp": "2026-05-28 22:02:40,225",
            "thread_id": "3700",
            "caller": "0x7ffc77c322e1",
            "parentcaller": "0x7ffc77ba7c1d",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000aca"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\CLSID\\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 23802
          },
          {
            "timestamp": "2026-05-28 22:02:40,225",
            "thread_id": "3700",
            "caller": "0x7ffc756e2e92",
            "parentcaller": "0x7ffc77ba81f5",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000aca"
              },
              {
                "name": "ValueName",
                "value": "ActivateOnHostFlags"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}\\ActivateOnHostFlags"
              }
            ],
            "repeated": 0,
            "id": 23803
          },
          {
            "timestamp": "2026-05-28 22:02:40,225",
            "thread_id": "3700",
            "caller": "0x7ffc756e2e92",
            "parentcaller": "0x7ffc77ba870d",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000aca"
              },
              {
                "name": "ValueName",
                "value": ""
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}\\(Default)"
              }
            ],
            "repeated": 0,
            "id": 23804
          },
          {
            "timestamp": "2026-05-28 22:02:40,225",
            "thread_id": "3700",
            "caller": "0x7ffc756e2e92",
            "parentcaller": "0x7ffc77ba87bc",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000aca"
              },
              {
                "name": "ValueName",
                "value": ""
              },
              {
                "name": "Data",
                "value": "PSFactoryBuffer"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}\\(Default)"
              }
            ],
            "repeated": 0,
            "id": 23805
          },
          {
            "timestamp": "2026-05-28 22:02:40,225",
            "thread_id": "3700",
            "caller": "0x7ffc77ba8485",
            "parentcaller": "0x7ffc77ba829e",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000aca"
              },
              {
                "name": "SubKey",
                "value": "InprocServer32"
              },
              {
                "name": "Handle",
                "value": "0x00000ab6"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}\\InprocServer32"
              }
            ],
            "repeated": 0,
            "id": 23806
          },
          {
            "timestamp": "2026-05-28 22:02:40,225",
            "thread_id": "3700",
            "caller": "0x7ffc756e2e92",
            "parentcaller": "0x7ffc77ba870d",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000ab6"
              },
              {
                "name": "ValueName",
                "value": "InprocServer32"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}\\InProcServer32\\InprocServer32"
              }
            ],
            "repeated": 0,
            "id": 23807
          },
          {
            "timestamp": "2026-05-28 22:02:40,225",
            "thread_id": "3700",
            "caller": "0x7ffc756e2e92",
            "parentcaller": "0x7ffc77ba870d",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000ab6"
              },
              {
                "name": "ValueName",
                "value": ""
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}\\InProcServer32\\(Default)"
              }
            ],
            "repeated": 0,
            "id": 23808
          },
          {
            "timestamp": "2026-05-28 22:02:40,225",
            "thread_id": "3700",
            "caller": "0x7ffc756e2e92",
            "parentcaller": "0x7ffc77ba87bc",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000ab6"
              },
              {
                "name": "ValueName",
                "value": ""
              },
              {
                "name": "Data",
                "value": "C:\\Windows\\System32\\\\Windows.StateRepositoryPS.dll"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}\\InProcServer32\\(Default)"
              }
            ],
            "repeated": 0,
            "id": 23809
          },
          {
            "timestamp": "2026-05-28 22:02:40,225",
            "thread_id": "3700",
            "caller": "0x7ffc756e2e92",
            "parentcaller": "0x7ffc77ba8d32",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000ab6"
              },
              {
                "name": "ValueName",
                "value": "ThreadingModel"
              },
              {
                "name": "Data",
                "value": "Both"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}\\InProcServer32\\ThreadingModel"
              }
            ],
            "repeated": 0,
            "id": 23810
          },
          {
            "timestamp": "2026-05-28 22:02:40,225",
            "thread_id": "3700",
            "caller": "0x7ffc77ba855f",
            "parentcaller": "0x7ffc77ba829e",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000ab6"
              }
            ],
            "repeated": 0,
            "id": 23811
          },
          {
            "timestamp": "2026-05-28 22:02:40,225",
            "thread_id": "3700",
            "caller": "0x7ffc756e45a7",
            "parentcaller": "0x7ffc756e0705",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000aca"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\CLSID\\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 23812
          },
          {
            "timestamp": "2026-05-28 22:02:40,225",
            "thread_id": "3700",
            "caller": "0x7ffc756e2314",
            "parentcaller": "0x7ffc756e0732",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000aca"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 23813
          },
          {
            "timestamp": "2026-05-28 22:02:40,225",
            "thread_id": "3700",
            "caller": "0x7ffc78006c8b",
            "parentcaller": "0x7ffc756e23a0",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "p\\xbf\\x1f\\x9e\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xfc\\x7f\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\xe9\\x03\\x00\\x00\\xfc\\x7f\\x00\\x00\\xb8\\xcf\\xd93\\xfc\\x7f\\x00\\x00\\xca\n\\x00\\x00\\x00\\x00\\x00\\x00\\xe0\\xd2\\xd93\\xfc\\x7f\\x00\\x00\\x04\\x00\\x00\\x00\\xf0\\x00\\x00\\x00p\\xc0\\x1f\\x9e\\xf0\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 23814
          },
          {
            "timestamp": "2026-05-28 22:02:40,225",
            "thread_id": "3700",
            "caller": "0x7ffc756e24a8",
            "parentcaller": "0x7ffc756e0732",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3968686040-3210279463-847977608-1001_Classes\\CLSID\\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}\\InprocHandler32"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}\\InprocHandler32"
              }
            ],
            "repeated": 0,
            "id": 23815
          },
          {
            "timestamp": "2026-05-28 22:02:40,225",
            "thread_id": "3700",
            "caller": "0x7ffc756e40c4",
            "parentcaller": "0x7ffc756e25c4",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000aca"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 23816
          },
          {
            "timestamp": "2026-05-28 22:02:40,225",
            "thread_id": "3700",
            "caller": "0x7ffc756e25e2",
            "parentcaller": "0x7ffc756e0732",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000aca"
              },
              {
                "name": "ObjectAttributesName",
                "value": "InprocHandler32"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}\\InprocHandler32"
              }
            ],
            "repeated": 0,
            "id": 23817
          },
          {
            "timestamp": "2026-05-28 22:02:40,225",
            "thread_id": "3700",
            "caller": "0x7ffc756e45a7",
            "parentcaller": "0x7ffc756e0705",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000aca"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\CLSID\\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 23818
          },
          {
            "timestamp": "2026-05-28 22:02:40,225",
            "thread_id": "3700",
            "caller": "0x7ffc756e2314",
            "parentcaller": "0x7ffc756e0732",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000aca"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 23819
          },
          {
            "timestamp": "2026-05-28 22:02:40,225",
            "thread_id": "3700",
            "caller": "0x7ffc78006c8b",
            "parentcaller": "0x7ffc756e23a0",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "p\\xbf\\x1f\\x9e\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xfc\\x7f\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\xe9\\x03\\x00\\x00\\xfc\\x7f\\x00\\x00\\xb8\\xcf\\xd93\\xfc\\x7f\\x00\\x00\\xca\n\\x00\\x00\\x00\\x00\\x00\\x00\\xe0\\xd2\\xd93\\xfc\\x7f\\x00\\x00\\x04\\x00\\x00\\x00\\xf0\\x00\\x00\\x00p\\xc0\\x1f\\x9e\\xf0\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 23820
          },
          {
            "timestamp": "2026-05-28 22:02:40,225",
            "thread_id": "3700",
            "caller": "0x7ffc756e24a8",
            "parentcaller": "0x7ffc756e0732",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3968686040-3210279463-847977608-1001_Classes\\CLSID\\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}\\InprocHandler"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}\\InprocHandler"
              }
            ],
            "repeated": 0,
            "id": 23821
          },
          {
            "timestamp": "2026-05-28 22:02:40,225",
            "thread_id": "3700",
            "caller": "0x7ffc756e40c4",
            "parentcaller": "0x7ffc756e25c4",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000aca"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 23822
          },
          {
            "timestamp": "2026-05-28 22:02:40,225",
            "thread_id": "3700",
            "caller": "0x7ffc756e25e2",
            "parentcaller": "0x7ffc756e0732",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000aca"
              },
              {
                "name": "ObjectAttributesName",
                "value": "InprocHandler"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}\\InprocHandler"
              }
            ],
            "repeated": 0,
            "id": 23823
          },
          {
            "timestamp": "2026-05-28 22:02:40,225",
            "thread_id": "3700",
            "caller": "0x7ffc77ba8010",
            "parentcaller": "0x7ffc77ba53d4",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000aca"
              }
            ],
            "repeated": 0,
            "id": 23824
          },
          {
            "timestamp": "2026-05-28 22:02:40,240",
            "thread_id": "3700",
            "caller": "0x7ffc77c2dd9d",
            "parentcaller": "0x7ffc77bc7428",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000ac8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020119",
                "pretty_value": "KEY_QUERY_VALUE|KEY_ENUMERATE_SUB_KEYS|KEY_NOTIFY|KEY_WOW64_64KEY|STANDARD_RIGHTS_REQUIRED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000003d8"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Windows.Internal.StateRepository.Package"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.Package"
              }
            ],
            "repeated": 0,
            "id": 23825
          },
          {
            "timestamp": "2026-05-28 22:02:40,240",
            "thread_id": "3700",
            "caller": "0x7ffc77c2ddf7",
            "parentcaller": "0x7ffc77bc7428",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000ac8"
              },
              {
                "name": "KeyInformation",
                "value": "\\xfffci\\x0e\\xffd4\\xffde\\xffac\\xffd5\\x01\\x00\\x00\\x00\\x00P\\x00\\x00\\x00W\\x00i\\x00n\\x00d\\x00o\\x00w\\x00s\\x00.\\x00I\\x00n\\x00t\\x00e\\x00r\\x00n\\x00a\\x00l\\x00.\\x00S\\x00t\\x00a\\x00t\\x00e\\x00R\\x00e\\x00p\\x00o\\x00s\\x00i\\x00t\\x00o\\x00r\\x00y\\x00.\\x00P\\x00a\\x00c\\x00k\\x00a\\x00g\\x00e\\x00\\x03\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00@\\xff91\\xff8eT\\xff92\\x02\\x00\\x00\\xff80\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x1fN\\xff92\\x02\\x00\\x00I\\xffe8\\x1f\\xff9e\\xfff0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xffa0\\x14\\x03N\\xff92\\x02\\x00\\x00\\x00\\x00\\x03N\\xff92\\x02\\x00\\x00\\x00\\x00\\x03N\\xff92\\x02\\x00\\x00\\xffc4\\x02\\x03N\\xff92\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\xff92\\x02\\x00\\x00\\xff90\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xffc0\\x0c\\x03N\\xff92\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xffb0E\\xffe7w\\xfffc\\x7f\\x00\\x00\\xffa8\\xffe2\\xff9eT\\xff92\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00 \\xffe9\\x1f\\xff9e\\xfff0\\x00\\x00\\x00\\xff87\\xff9d\\xffbbw\\xfffc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\xff92\\x02\\x00\\x00\\xff90\\x1a\\xff9aT\\xff92\\x02\\x00\\x00\\xff80\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xff80\\xffe2\\xff9eT\\xff92\\x02\\x00\\x00\\xff90\\x1a\\xff9aT\\xff92\\x02\\x00\\x00 \\xffd9\\x1eT\\xff92\\x02\\x00\\x00\\xffc7\\xffb3\\xffffw\\xfffc\\x7f\\x00\\x00\\x00\\x00\\x03N\\xff92\\x02\\x00\\x00\\xfff6s\\xffbbw\\xfffc\\x7f\\x00\\x00\\xff90\\x1c\\xff9aT\\xff92\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xffff\\xffff\\xffff\\xffff\\xffff\\xffff\\xffff\\xffff 
\\xffd9\\x1eT\\xff92\\x02\\x00\\x00p\\xff8a\\xffe4T\\xff92\\x02\\x00\\x00p\\xff8a\\xffe4T\\xff92\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xff90\\x1a\\xff9aT\\xff92\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x1fN\\xff92\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\xff92\\x02\\x00\\x006\\xff8c\\xffc6w\\xfffc\\x7f\\x00\\x00p\\xffcd\\xffd2T\\xff92\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\xfff0\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\xffea\\x1f\\xff9e\\xfff0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\xffea\\x1f\\xff9e\\xfff0\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 23826
          },
          {
            "timestamp": "2026-05-28 22:02:40,240",
            "thread_id": "3700",
            "caller": "0x7ffc756e2e92",
            "parentcaller": "0x7ffc77c29cb2",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000ac8"
              },
              {
                "name": "ValueName",
                "value": "ActivationType"
              },
              {
                "name": "Data",
                "value": "1"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.Package\\ActivationType"
              }
            ],
            "repeated": 0,
            "id": 23827
          },
          {
            "timestamp": "2026-05-28 22:02:40,240",
            "thread_id": "3700",
            "caller": "0x7ffc77b87deb",
            "parentcaller": "0x7ffc77c38ff0",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000ac8"
              },
              {
                "name": "ValueName",
                "value": "Server"
              },
              {
                "name": "Data",
                "value": "StateRepository"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.Package\\Server"
              }
            ],
            "repeated": 0,
            "id": 23828
          },
          {
            "timestamp": "2026-05-28 22:02:40,240",
            "thread_id": "3700",
            "caller": "0x7ffc77b87deb",
            "parentcaller": "0x7ffc77c400bb",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000ac8"
              },
              {
                "name": "ValueName",
                "value": "DllPath"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.Package\\DllPath"
              }
            ],
            "repeated": 0,
            "id": 23829
          },
          {
            "timestamp": "2026-05-28 22:02:40,240",
            "thread_id": "3700",
            "caller": "0x7ffc756e2e92",
            "parentcaller": "0x7ffc77c29cb2",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000ac8"
              },
              {
                "name": "ValueName",
                "value": "Threading"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.Package\\Threading"
              }
            ],
            "repeated": 0,
            "id": 23830
          },
          {
            "timestamp": "2026-05-28 22:02:40,240",
            "thread_id": "3700",
            "caller": "0x7ffc756e2e92",
            "parentcaller": "0x7ffc77c29cb2",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000ac8"
              },
              {
                "name": "ValueName",
                "value": "TrustLevel"
              },
              {
                "name": "Data",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.Package\\TrustLevel"
              }
            ],
            "repeated": 0,
            "id": 23831
          },
          {
            "timestamp": "2026-05-28 22:02:40,240",
            "thread_id": "3700",
            "caller": "0x7ffc77b8c0fc",
            "parentcaller": "0x7ffc77c24170",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000ac8"
              },
              {
                "name": "SubKey",
                "value": "CustomAttributes"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.Package\\CustomAttributes"
              }
            ],
            "repeated": 0,
            "id": 23832
          },
          {
            "timestamp": "2026-05-28 22:02:40,240",
            "thread_id": "3700",
            "caller": "0x7ffc77b87deb",
            "parentcaller": "0x7ffc77c38ff0",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000ac8"
              },
              {
                "name": "ValueName",
                "value": "RemoteServer"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.Package\\RemoteServer"
              }
            ],
            "repeated": 0,
            "id": 23833
          },
          {
            "timestamp": "2026-05-28 22:02:40,240",
            "thread_id": "3700",
            "caller": "0x7ffc756e2e92",
            "parentcaller": "0x7ffc77c29cb2",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000ac8"
              },
              {
                "name": "ValueName",
                "value": "ActivateAsUser"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.Package\\ActivateAsUser"
              }
            ],
            "repeated": 0,
            "id": 23834
          },
          {
            "timestamp": "2026-05-28 22:02:40,240",
            "thread_id": "3700",
            "caller": "0x7ffc756e2e92",
            "parentcaller": "0x7ffc77c29cb2",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000ac8"
              },
              {
                "name": "ValueName",
                "value": "ActivateInSharedBroker"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.Package\\ActivateInSharedBroker"
              }
            ],
            "repeated": 0,
            "id": 23835
          },
          {
            "timestamp": "2026-05-28 22:02:40,240",
            "thread_id": "3700",
            "caller": "0x7ffc756e2e92",
            "parentcaller": "0x7ffc77c29cb2",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000ac8"
              },
              {
                "name": "ValueName",
                "value": "ActivateInBrokerForMediumILContainer"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.Package\\ActivateInBrokerForMediumILContainer"
              }
            ],
            "repeated": 0,
            "id": 23836
          },
          {
            "timestamp": "2026-05-28 22:02:40,240",
            "thread_id": "3700",
            "caller": "0x7ffc756e2e92",
            "parentcaller": "0x7ffc77c32222",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000ac8"
              },
              {
                "name": "ValueName",
                "value": "Permissions"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.Package\\Permissions"
              }
            ],
            "repeated": 0,
            "id": 23837
          },
          {
            "timestamp": "2026-05-28 22:02:40,240",
            "thread_id": "3700",
            "caller": "0x7ffc756e2e92",
            "parentcaller": "0x7ffc77c29cb2",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000ac8"
              },
              {
                "name": "ValueName",
                "value": "ActivateOnHostFlags"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.Package\\ActivateOnHostFlags"
              }
            ],
            "repeated": 0,
            "id": 23838
          },
          {
            "timestamp": "2026-05-28 22:02:40,240",
            "thread_id": "3700",
            "caller": "0x7ffc77c27226",
            "parentcaller": "0x7ffc77c2ca23",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000ac8"
              }
            ],
            "repeated": 0,
            "id": 23839
          },
          {
            "timestamp": "2026-05-28 22:02:40,240",
            "thread_id": "3700",
            "caller": "0x7ffc77be92b9",
            "parentcaller": "0x7ffc77c2224d",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "00000339-0000-0000-C000-000000000046"
              },
              {
                "name": "ClsContext",
                "value": "0x00000403",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER|CLSCTX_NO_CODE_DOWNLOAD"
              },
              {
                "name": "riid",
                "value": "00000003-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 23840
          },
          {
            "timestamp": "2026-05-28 22:02:40,240",
            "thread_id": "3700",
            "caller": "0x7ffc7571ebae",
            "parentcaller": "0x7ffc775c712f",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "0",
                "pretty_value": "ThreadBasicInformation"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x03\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xf0\\x87\\x9d\\xf0\\x00\\x00\\x00\\xe8\\x1e\\x00\\x00\\x00\\x00\\x00\\x00t\\x0e\\x00\\x00\\x00\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\t\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "3700"
              }
            ],
            "repeated": 0,
            "id": 23841
          },
          {
            "timestamp": "2026-05-28 22:02:40,240",
            "thread_id": "612",
            "caller": "0x7ff6c29692cf",
            "parentcaller": "0x7ff6c296ccf0",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000ac0"
              }
            ],
            "repeated": 0,
            "id": 23842
          },
          {
            "timestamp": "2026-05-28 22:02:40,240",
            "thread_id": "612",
            "caller": "0x7ff6c28fed47",
            "parentcaller": "0x7ff6c28de10c",
            "category": "registry",
            "api": "RegNotifyChangeKeyValue",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\"
              },
              {
                "name": "NotifyFilter",
                "value": "0x00000005"
              },
              {
                "name": "WatchSubtree",
                "value": "1"
              },
              {
                "name": "Asynchronous",
                "value": "1"
              }
            ],
            "repeated": 0,
            "id": 23843
          },
          {
            "timestamp": "2026-05-28 22:02:40,490",
            "thread_id": "2700",
            "caller": "0x7ffc77bf0e98",
            "parentcaller": "0x7ffc77c6b785",
            "category": "windows",
            "api": "PostMessageW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "WindowHandle",
                "value": "0x00010424"
              },
              {
                "name": "Message",
                "value": "0x00000400"
              }
            ],
            "repeated": 0,
            "id": 23844
          },
          {
            "timestamp": "2026-05-28 22:02:40,490",
            "thread_id": "2700",
            "caller": "0x7ffc77bf0e98",
            "parentcaller": "0x7ffc77c6b785",
            "category": "windows",
            "api": "PostMessageW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "WindowHandle",
                "value": "0x00010438"
              },
              {
                "name": "Message",
                "value": "0x00000400"
              }
            ],
            "repeated": 0,
            "id": 23845
          },
          {
            "timestamp": "2026-05-28 22:02:40,490",
            "thread_id": "5448",
            "caller": "0x7ff6c28bd9af",
            "parentcaller": "0x7ff6c28d9f92",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "23"
              },
              {
                "name": "ThreadInformation",
                "value": "\\xc2\\xc0\\x91j\\x00\\x00\\x00\\x00\\xfaq\\xa7\\xfec\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "5448"
              }
            ],
            "repeated": 0,
            "id": 23846
          },
          {
            "timestamp": "2026-05-28 22:02:40,490",
            "thread_id": "8604",
            "caller": "0x7ff6c28c4a58",
            "parentcaller": "0x7ff6c28bab11",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000410"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\PcwDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00224013"
              },
              {
                "name": "InputBuffer",
                "value": "\\x88\\x08\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": "x\\x02\\x00\\x00\\x10\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00h\\x02\\x00\\x00 \\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01<\\x06\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x90\\x00\\x00\\x00\\x00\\x00\\x00\\x00 \\x00\\x00\\x00\\x07\\x00\\x00\\x000\\x00,\\x000\\x00\\x00\\x00a\\x00n\\x00a\\x00g\\x00\\x10\\x00\\x00\\x00\\x10\\x00\\x04\\x00\\x00\\x00\\x00\\x00A\\x00p\\x00\\x10\\x00\\x00\\x00\\x1a\\x00\\x08\\x00\\xd5\\x83n\\xfb\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x1b\\x00\\x04\\x00/\\xf3\"\\x04S\\x00e\\x00\\x10\\x00\\x00\\x00\\x1c\\x00\\x08\\x00\\x8b\\xc2\\xc4\\x08\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x1d\\x00\\x04\\x00/\\xf3\"\\x04)\\x00\\x00\\x00\\x10\\x00\\x00\\x00!\\x00\\x08\\x00\\xe3\\xbd\\xc53$\\x00\\x00\\x00\\x10\\x00\\x00\\x00\"\\x00\\x04\\x00G\\xaa\\x83\\x02o\\x00f\\x00\\x90\\x00\\x00\\x00\\x01\\x00\\x00\\x00 \\x00\\x00\\x00\\x07\\x00\\x00\\x000\\x00,\\x001\\x00\\x00\\x00n\\x00t\\x00\\x00\\x00A\\x00\\x10\\x00\\x00\\x00\\x10\\x00\\x04\\x00\\x00\\x00\\x00\\x00e\\x00n\\x00\\x10\\x00\\x00\\x00\\x1a\\x00\\x08\\x00\\xae\\xac\\xda\\x00\\x01\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 23847
          },
          {
            "timestamp": "2026-05-28 22:02:40,490",
            "thread_id": "8604",
            "caller": "0x7ff6c28c7164",
            "parentcaller": "0x7ff6c28c4d2d",
            "category": "misc",
            "api": "NtQuerySystemInformation",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "SystemInformationClass",
                "value": "79"
              }
            ],
            "repeated": 0,
            "id": 23848
          },
          {
            "timestamp": "2026-05-28 22:02:40,490",
            "thread_id": "8604",
            "caller": "0x7ff6c28c71d8",
            "parentcaller": "0x7ff6c28c4d2d",
            "category": "misc",
            "api": "NtQuerySystemInformation",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SystemInformationClass",
                "value": "79"
              }
            ],
            "repeated": 0,
            "id": 23849
          },
          {
            "timestamp": "2026-05-28 22:02:40,490",
            "thread_id": "8604",
            "caller": "0x7ff6c28c4d5f",
            "parentcaller": "0x7ff6c28d9152",
            "category": "misc",
            "api": "NtQuerySystemInformation",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SystemInformationClass",
                "value": "182"
              }
            ],
            "repeated": 0,
            "id": 23850
          },
          {
            "timestamp": "2026-05-28 22:02:40,490",
            "thread_id": "8604",
            "caller": "0x7ff6c28c4d76",
            "parentcaller": "0x7ff6c28d9152",
            "category": "misc",
            "api": "GetPhysicallyInstalledSystemMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TotalMemoryInKilobytes",
                "value": "8388608"
              }
            ],
            "repeated": 0,
            "id": 23851
          },
          {
            "timestamp": "2026-05-28 22:02:40,490",
            "thread_id": "8604",
            "caller": "0x7ff6c28bcc3e",
            "parentcaller": "0x7ff6c28baa3d",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000008a4"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\Nsi"
              },
              {
                "name": "IoControlCode",
                "value": "0x00120007"
              },
              {
                "name": "InputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb1\\xa9t\\xfc\\x7f\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xc0\\xe5O\\x9e\\xf0\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb1\\xa9t\\xfc\\x7f\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xc0\\xe5O\\x9e\\xf0\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 23852
          },
          {
            "timestamp": "2026-05-28 22:02:40,490",
            "thread_id": "8604",
            "caller": "0x7ff6c28bcc3e",
            "parentcaller": "0x7ff6c28baa3d",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000ac0"
              }
            ],
            "repeated": 0,
            "id": 23853
          },
          {
            "timestamp": "2026-05-28 22:02:40,490",
            "thread_id": "8604",
            "caller": "0x7ff6c28bcc3e",
            "parentcaller": "0x7ff6c28baa3d",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000008a4"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\Nsi"
              },
              {
                "name": "IoControlCode",
                "value": "0x0012000f"
              },
              {
                "name": "InputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb1\\xa9t\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xd0\\xe5O\\x9e\\xf0\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\xeeO\\x9e\\xf0\\x00\\x00\\x00D\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xe6O\\x9e\\xf0\\x00\\x00\\x00\\xd8\\x00\\x00\\x00\\x00\\x00\\x00\\x00 \\xe9O\\x9e\\xf0\\x00\\x00\\x00X\\x02\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb1\\xa9t\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xd0\\xe5O\\x9e\\xf0\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\xeeO\\x9e\\xf0\\x00\\x00\\x00D\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xe6O\\x9e\\xf0\\x00\\x00\\x00\\xd8\\x00\\x00\\x00\\x00\\x00\\x00\\x00 \\xe9O\\x9e\\xf0\\x00\\x00\\x00X\\x02\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 23854
          },
          {
            "timestamp": "2026-05-28 22:02:40,490",
            "thread_id": "8604",
            "caller": "0x7ff6c28bcc3e",
            "parentcaller": "0x7ff6c28baa3d",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000ac0"
              }
            ],
            "repeated": 0,
            "id": 23855
          },
          {
            "timestamp": "2026-05-28 22:02:40,490",
            "thread_id": "8604",
            "caller": "0x7ff6c28bcd3d",
            "parentcaller": "0x7ff6c28baa3d",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000ac0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0012019f",
                "pretty_value": "FILE_GENERIC_READ|FILE_GENERIC_WRITE"
              },
              {
                "name": "FileName",
                "value": "\\Device\\{4C572733-2FBA-4346-9601-F86DBA666EF2}"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 23856
          },
          {
            "timestamp": "2026-05-28 22:02:40,490",
            "thread_id": "8604",
            "caller": "0x7ff6c28bcd94",
            "parentcaller": "0x7ff6c28baa3d",
            "category": "device",
            "api": "DeviceIoControl",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "DeviceHandle",
                "value": "0x00000ac0"
              },
              {
                "name": "IoControlCode",
                "value": "0x0017003e"
              },
              {
                "name": "InBuffer",
                "value": "\\x07\\x01\\x01\\x00\\x04\\x01\\x01\\x80\\x14\\x01\\x01\\x80\\x01\\x01\\x02\\x00\\x02\\x01\\x02\\x00\\x03\\x01\\x02\\x00\\x04\\x01\\x02\\x00\\x08\\x02\\x02\\x80\\x01\\x02\\x02\\x80\\x07\\x02\\x02\\x80\\xff\\xff\\xff\\x80\\x13\\x02\\x02\\x80\\x14\\x02\\x02\\x80\\x15\\x02\\x02\\x80\\x02\\x02\\x01\\x80"
              },
              {
                "name": "OutBuffer",
                "value": "\\x07\\x01\\x01\\x00\\x04\\x00\\x00\\x00\\x80\\x96\\x98\\x00\\x04\\x01\\x01\\x80\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x14\\x01\\x01\\x80\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x01\\x02\\x00\\x08\\x00\\x00\\x00\\xa3\\x16\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x01\\x02\\x00\\x08\\x00\\x00\\x00\\xaeq\\x00\\x00\\x00\\x00\\x00\\x00\\x03\\x01\\x02\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x04\\x01\\x02\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x08\\x02\\x02\\x80\\x08\\x00\\x00\\x00\\xa9q\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x02\\x02\\x80\\x08\\x00\\x00\\x00\\xf9:[\\x00\\x00\\x00\\x00\\x00\\x07\\x02\\x02\\x80\\x08\\x00\\x00\\x00RJA\\x02\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\x80\\x04\\x00\\x00\\x00j\\x00\\x00\\x00\\x13\\x02\\x02\\x80\\x04\\x00\\x00\\x00m\\x00\\x00\\x00\\x14\\x02\\x02\\x80\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x15\\x02\\x02\\x80\\x04\\x00\\x00\\x00\\x00\\x00\\x04\\x00\\x02\\x02\\x01\\x80\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 23857
          },
          {
            "timestamp": "2026-05-28 22:02:40,490",
            "thread_id": "8604",
            "caller": "0x7ff6c28bcdab",
            "parentcaller": "0x7ff6c28baa3d",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000ac0"
              }
            ],
            "repeated": 0,
            "id": 23858
          },
          {
            "timestamp": "2026-05-28 22:02:40,490",
            "thread_id": "8604",
            "caller": "0x7ff6c28c1a63",
            "parentcaller": "0x7ff6c28d9152",
            "category": "device",
            "api": "DeviceIoControl",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "DeviceHandle",
                "value": "0x0000089c"
              },
              {
                "name": "IoControlCode",
                "value": "0x00070020"
              },
              {
                "name": "InBuffer",
                "value": ""
              },
              {
                "name": "OutBuffer",
                "value": "\\x00\\x1a\\xe3w\\x00\\x00\\x00\\x00\\x00\\xa6^\\x0c\\x00\\x00\\x00\\x00;a\\xb8 \\x00\\x00\\x00\\x00u\\xaa\\xd6\\x15\\x00\\x00\\x00\\x00.%\\xab-\\x00\\x00\\x00\\x00\\xdfv\\x00\\x00\\x84\\x11\\x00\\x00\\x00\\x00\\x00\\x00\\xe4\\x04\\x00\\x004\\xde\\xc4\\xb3\\xed\\xee\\xdc\\x01\\x00\\x00\\x00\\x00P\\x00a\\x00r\\x00t\\x00m\\x00g\\x00r\\x00 \\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 23859
          },
          {
            "timestamp": "2026-05-28 22:02:40,490",
            "thread_id": "8604",
            "caller": "0x7ff6c28ca352",
            "parentcaller": "0x7ff6c28ca1d6",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 23860
          },
          {
            "timestamp": "2026-05-28 22:02:40,490",
            "thread_id": "8604",
            "caller": "0x7ff6c28ca352",
            "parentcaller": "0x7ff6c28ca1d6",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "0",
                "pretty_value": "ThreadBasicInformation"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x03\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb0\\x88\\x9d\\xf0\\x00\\x00\\x00\\xe8\\x1e\\x00\\x00\\x00\\x00\\x00\\x00\\x9c!\\x00\\x00\\x00\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x0b\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "8604"
              }
            ],
            "repeated": 0,
            "id": 23861
          },
          {
            "timestamp": "2026-05-28 22:02:40,490",
            "thread_id": "8604",
            "caller": "0x7ff6c28ca352",
            "parentcaller": "0x7ff6c28ca1d6",
            "category": "system",
            "api": "GetSystemTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 1,
            "id": 23862
          },
          {
            "timestamp": "2026-05-28 22:02:40,490",
            "thread_id": "8604",
            "caller": "0x7ff6c28ca352",
            "parentcaller": "0x7ff6c28ca1d6",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000410"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\PcwDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00224013"
              },
              {
                "name": "InputBuffer",
                "value": "\\x00\t\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": "\\xe0G\\x00\\x00\\x10\\x00\\x00\\x00\\x0c\\x00\\x00\\x00\\x00\\x00\\x00\\x00`\\x14\\x00\\x00 \\x00\\x00\\x00!\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\n\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x98\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x88\\x00\\x00\\x00\\x01\\x00\\x00\\x00p\\x00i\\x00d\\x00_\\x004\\x00_\\x00l\\x00u\\x00i\\x00d\\x00_\\x000\\x00x\\x000\\x000\\x000\\x000\\x000\\x000\\x000\\x000\\x00_\\x000\\x00x\\x000\\x000\\x000\\x000\\x006\\x001\\x006\\x00A\\x00_\\x00p\\x00h\\x00y\\x00s\\x00_\\x000\\x00_\\x00e\\x00n\\x00g\\x00_\\x000\\x00_\\x00e\\x00n\\x00g\\x00t\\x00y\\x00p\\x00e\\x00_\\x003\\x00D\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x01\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x98\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x88\\x00\\x00\\x00\\x01\\x00\\x00\\x00p\\x00i\\x00d\\x00_\\x004\\x00_\\x00l\\x00u\\x00i\\x00d\\x00_\\x000\\x00x\\x000\\x000\\x000\\x000\\x000\\x000\\x000\\x00"
              }
            ],
            "repeated": 0,
            "id": 23863
          },
          {
            "timestamp": "2026-05-28 22:02:40,490",
            "thread_id": "8604",
            "caller": "0x7ff6c28f9829",
            "parentcaller": "0x7ff6c28d8f00",
            "category": "windows",
            "api": "PostMessageW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "WindowHandle",
                "value": "0x000203fa"
              },
              {
                "name": "Message",
                "value": "0x000004e1"
              }
            ],
            "repeated": 0,
            "id": 23864
          },
          {
            "timestamp": "2026-05-28 22:02:40,490",
            "thread_id": "1496",
            "caller": "0x7ff6c2958576",
            "parentcaller": "0x7ff6c2957a42",
            "category": "misc",
            "api": "NtQuerySystemInformation",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SystemInformationClass",
                "value": "3",
                "pretty_value": "FILE_OPEN_IF"
              }
            ],
            "repeated": 0,
            "id": 23865
          },
          {
            "timestamp": "2026-05-28 22:02:40,490",
            "thread_id": "5448",
            "caller": "0x7ff6c28c63dd",
            "parentcaller": "0x7ff6c28bac26",
            "category": "misc",
            "api": "NtQuerySystemInformation",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SystemInformationClass",
                "value": "5",
                "pretty_value": "FILE_OVERWRITE_IF"
              }
            ],
            "repeated": 0,
            "id": 23866
          },
          {
            "timestamp": "2026-05-28 22:02:40,490",
            "thread_id": "5448",
            "caller": "0x7ff6c28bda50",
            "parentcaller": "0x7ff6c28d9f92",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "23"
              },
              {
                "name": "ThreadInformation",
                "value": "\\xd8\\x90\\xd4j\\x00\\x00\\x00\\x000\\x0b\\xee\\xfec\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "5448"
              }
            ],
            "repeated": 0,
            "id": 23867
          },
          {
            "timestamp": "2026-05-28 22:02:40,490",
            "thread_id": "5448",
            "caller": "0x7ff6c28bdaa2",
            "parentcaller": "0x7ff6c28d9f92",
            "category": "misc",
            "api": "NtQuerySystemInformation",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SystemInformationClass",
                "value": "3",
                "pretty_value": "FILE_OPEN_IF"
              }
            ],
            "repeated": 0,
            "id": 23868
          },
          {
            "timestamp": "2026-05-28 22:02:40,490",
            "thread_id": "5448",
            "caller": "0x7ff6c28c4a58",
            "parentcaller": "0x7ff6c28c4bdc",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000410"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\PcwDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00224013"
              },
              {
                "name": "InputBuffer",
                "value": "\\x14\\x04\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": "\\xb8\\x01\\x00\\x00\\x10\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xa8\\x01\\x00\\x00 \\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x000\\x00\\x00\\x0c\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00`\\x00\\x00\\x00\\x00\\x00\\x00\\x00 \\x00\\x00\\x00\\x04\\x00\\x00\\x000\\x00,\\x000\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x04\\x00\\x08\\x00V!\\x83\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x05\\x00\\x08\\x00H'\\xad\\x01\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x1a\\x00\\x08\\x00\\x1f\\xc6o\\xfb\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x1b\\x00\\x04\\x00i\\xf6\"\\x04\\x00\\x00\\x00\\x00`\\x00\\x00\\x00\\x01\\x00\\x00\\x00 \\x00\\x00\\x00\\x04\\x00\\x00\\x000\\x00,\\x001\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x04\\x00\\x08\\x00T\\x17\\\\x01\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x05\\x00\\x08\\x00T\\xea*\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x1a\\x00\\x08\\x00\\xd8\\xed\\xdb\\x00\\x01\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x1b\\x00\\x04\\x00o\\xf6\"\\x04\\x00\\x00\\x00\\x00h\\x00\\x00\\x00\\x02\\x00\\x00\\x00(\\x00\\x00\\x00\\x04\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 23869
          },
          {
            "timestamp": "2026-05-28 22:02:40,490",
            "thread_id": "5448",
            "caller": "0x7ff6c28c4a58",
            "parentcaller": "0x7ff6c28c4c19",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000410"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\PcwDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00224013"
              },
              {
                "name": "InputBuffer",
                "value": "\\x18\\x04\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": "x\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00h\\x00\\x00\\x00 \\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00H\\x00\\x00\\x00\\x00\\x00\\x00\\x00(\\x00\\x00\\x00\\x02\\x00\\x00\\x00d\\x00e\\x00f\\x00a\\x00u\\x00l\\x00t\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x08\\x00\\x1b\\xe4\\xc8\\xa2\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x01\\x00\\x08\\x00\\x00\\xac<\\x0e\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 23870
          },
          {
            "timestamp": "2026-05-28 22:02:40,490",
            "thread_id": "5448",
            "caller": "0x7ff6c28c6f7b",
            "parentcaller": "0x7ff6c28bdb94",
            "category": "misc",
            "api": "GlobalMemoryStatusEx",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "MemoryLoad",
                "value": "35"
              },
              {
                "name": "TotalPhysicalMB",
                "value": "8191"
              }
            ],
            "repeated": 0,
            "id": 23871
          },
          {
            "timestamp": "2026-05-28 22:02:40,490",
            "thread_id": "5448",
            "caller": "0x7ff6c28c05ac",
            "parentcaller": "0x7ff6c28bdc11",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000ac8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001400",
                "pretty_value": "PROCESS_QUERY_INFORMATION|PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "748"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe"
              }
            ],
            "repeated": 0,
            "id": 23872
          },
          {
            "timestamp": "2026-05-28 22:02:40,490",
            "thread_id": "5448",
            "caller": "0x7ff6c28c068f",
            "parentcaller": "0x7ff6c28bdc11",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000ac8"
              }
            ],
            "repeated": 0,
            "id": 23873
          },
          {
            "timestamp": "2026-05-28 22:02:40,490",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c6d7d",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000ac8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001400",
                "pretty_value": "PROCESS_QUERY_INFORMATION|PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "748"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe"
              }
            ],
            "repeated": 0,
            "id": 23874
          },
          {
            "timestamp": "2026-05-28 22:02:40,490",
            "thread_id": "5448",
            "caller": "0x7ff6c28c6de3",
            "parentcaller": "0x7ff6c28c087c",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000ac8"
              }
            ],
            "repeated": 0,
            "id": 23875
          },
          {
            "timestamp": "2026-05-28 22:02:40,506",
            "thread_id": "5448",
            "caller": "0x7ff6c28c05ac",
            "parentcaller": "0x7ff6c28bdc11",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000ac8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001400",
                "pretty_value": "PROCESS_QUERY_INFORMATION|PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "3656"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe"
              }
            ],
            "repeated": 0,
            "id": 23876
          },
          {
            "timestamp": "2026-05-28 22:02:40,506",
            "thread_id": "5448",
            "caller": "0x7ff6c28c068f",
            "parentcaller": "0x7ff6c28bdc11",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000ac8"
              }
            ],
            "repeated": 0,
            "id": 23877
          },
          {
            "timestamp": "2026-05-28 22:02:40,506",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c3e56",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000ac8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001000",
                "pretty_value": "PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "3656"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe"
              }
            ],
            "repeated": 0,
            "id": 23878
          },
          {
            "timestamp": "2026-05-28 22:02:40,506",
            "thread_id": "5448",
            "caller": "0x7ff6c28c3ebb",
            "parentcaller": "0x7ff6c28c2d53",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000ac8"
              }
            ],
            "repeated": 0,
            "id": 23879
          },
          {
            "timestamp": "2026-05-28 22:02:40,506",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c3ffc",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000ac8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001000",
                "pretty_value": "PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "3656"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe"
              }
            ],
            "repeated": 0,
            "id": 23880
          },
          {
            "timestamp": "2026-05-28 22:02:40,506",
            "thread_id": "5448",
            "caller": "0x7ff6c28c4224",
            "parentcaller": "0x7ff6c28c2da5",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000ac8"
              }
            ],
            "repeated": 0,
            "id": 23881
          },
          {
            "timestamp": "2026-05-28 22:02:40,506",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29251500002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 23882
          },
          {
            "timestamp": "2026-05-28 22:02:40,506",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29251500000"
              },
              {
                "name": "RegionSize",
                "value": "0x00505000"
              }
            ],
            "repeated": 0,
            "id": 23883
          },
          {
            "timestamp": "2026-05-28 22:02:40,506",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29251500002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 23884
          },
          {
            "timestamp": "2026-05-28 22:02:40,506",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29251500000"
              },
              {
                "name": "RegionSize",
                "value": "0x00505000"
              }
            ],
            "repeated": 0,
            "id": 23885
          },
          {
            "timestamp": "2026-05-28 22:02:40,506",
            "thread_id": "5448",
            "caller": "0x7ff6c28c3b16",
            "parentcaller": "0x7ff6c28c30e8",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000ac8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000400",
                "pretty_value": "PROCESS_QUERY_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "3656"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe"
              }
            ],
            "repeated": 0,
            "id": 23886
          },
          {
            "timestamp": "2026-05-28 22:02:40,506",
            "thread_id": "5448",
            "caller": "0x7ff6c28c3b8f",
            "parentcaller": "0x7ff6c28c30e8",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000ac8"
              }
            ],
            "repeated": 0,
            "id": 23887
          },
          {
            "timestamp": "2026-05-28 22:02:40,506",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c38f8",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000ac8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001410",
                "pretty_value": "PROCESS_VM_READ|PROCESS_QUERY_INFORMATION|PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "3656"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe"
              }
            ],
            "repeated": 0,
            "id": 23888
          },
          {
            "timestamp": "2026-05-28 22:02:40,506",
            "thread_id": "5448",
            "caller": "0x7ff6c28c53e5",
            "parentcaller": "0x7ff6c28c3945",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000ac8"
              },
              {
                "name": "BaseAddress",
                "value": "0x48cfe46000"
              },
              {
                "name": "Size",
                "value": "0x000007c8"
              },
              {
                "name": "Buffer",
                "value": "\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00u4\\xf7\\x7f\\x00\\x00\\xc0\\xc4\\x13x\\xfc\\x7f\\x00\\x00\\xf06\\xe0\\x00\\xbf\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xd5\\x00\\xbf\\x01\\x00\\x00\\xe0\\xc0\\x13x\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00p\\x003v\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xd0\\x00\\xbf\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00@\\xc4\\x13x\\xfc\\x7f\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x1f\\x00\\x00\n\\x8f\\xf4}\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00P\\x07\n\\x8f\\xf4}\\x00\\x00\\x00\\x00\\x1e\\x91\\xf5}\\x00\\x00(\\x02\\x1f\\x91\\xf5}\\x00\\x00P\\x06 \\x91\\xf5}\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x80\\x9b\\x07m\\xe8\\xff\\xff\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x00 \\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x10\\x00\\x00\\x00@\\xad\\x13x\\xfc\\x7f\\x00\\x00\\x00\\x00 \\x02\\xbf\\x01\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 23889
          },
          {
            "timestamp": "2026-05-28 22:02:40,506",
            "thread_id": "5448",
            "caller": "0x7ff6c28c5414",
            "parentcaller": "0x7ff6c28c3945",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000ac8"
              },
              {
                "name": "BaseAddress",
                "value": "0x1bf00e036f0"
              },
              {
                "name": "Size",
                "value": "0x00000440"
              },
              {
                "name": "Buffer",
                "value": "\\x04\\x08\\x00\\x00\\x04\\x08\\x00\\x00\\x01`\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x80\\x00\\x08\\x02\\x00\\x00\\x00\\x0007\\xda\\x03\\xbf\\x01\\x00\\x00<\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00x\\x00z\\x00\\x00\\x00\\x00\\x008=\\xe0\\x00\\xbf\\x01\\x00\\x00\\xa4\\x00\\xa6\\x00\\x00\\x00\\x00\\x00\\xb2=\\xe0\\x00\\xbf\\x01\\x00\\x00\\xf0'\\xe0\\x00\\xbf\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x81\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00x\\x00z\\x00\\x00\\x00\\x00\\x00X>\\xe0\\x00\\xbf\\x01\\x00\\x00\\x1e\\x00 \\x00\\x00\\x00\\x00\\x00\\xd2>\\xe0\\x00\\xbf\\x01\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\xf2>\\xe0\\x00\\xbf\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 23890
          },
          {
            "timestamp": "2026-05-28 22:02:40,506",
            "thread_id": "5448",
            "caller": "0x7ff6c28c545d",
            "parentcaller": "0x7ff6c28c3945",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000ac8"
              },
              {
                "name": "BaseAddress",
                "value": "0x1bf00e03db2"
              },
              {
                "name": "Size",
                "value": "0x000000a4"
              },
              {
                "name": "Buffer",
                "value": "\"\\x00C\\x00:\\x00\\\\x00P\\x00r\\x00o\\x00g\\x00r\\x00a\\x00m\\x00 \\x00F\\x00i\\x00l\\x00e\\x00s\\x00 \\x00(\\x00x\\x008\\x006\\x00)\\x00\\\\x00M\\x00i\\x00c\\x00r\\x00o\\x00s\\x00o\\x00f\\x00t\\x00\\\\x00E\\x00d\\x00g\\x00e\\x00\\\\x00A\\x00p\\x00p\\x00l\\x00i\\x00c\\x00a\\x00t\\x00i\\x00o\\x00n\\x00\\\\x00m\\x00s\\x00e\\x00d\\x00g\\x00e\\x00.\\x00e\\x00x\\x00e\\x00\"\\x00 \\x00-\\x00-\\x00n\\x00o\\x00-\\x00s\\x00t\\x00a\\x00r\\x00t\\x00u\\x00p\\x00-\\x00w\\x00i\\x00n\\x00d\\x00o\\x00w\\x00"
              }
            ],
            "repeated": 0,
            "id": 23891
          },
          {
            "timestamp": "2026-05-28 22:02:40,506",
            "thread_id": "5448",
            "caller": "0x7ff6c28c39ad",
            "parentcaller": "0x7ff6c28c31bb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000ac8"
              }
            ],
            "repeated": 0,
            "id": 23892
          },
          {
            "timestamp": "2026-05-28 22:02:40,506",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c3746",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000ac8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001000",
                "pretty_value": "PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "3656"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe"
              }
            ],
            "repeated": 0,
            "id": 23893
          },
          {
            "timestamp": "2026-05-28 22:02:40,506",
            "thread_id": "5448",
            "caller": "0x7ff6c28c472e",
            "parentcaller": "0x7ff6c28c375e",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000ac8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x00000ab4"
              }
            ],
            "repeated": 0,
            "id": 23894
          },
          {
            "timestamp": "2026-05-28 22:02:40,506",
            "thread_id": "5448",
            "caller": "0x7ff6c28c4764",
            "parentcaller": "0x7ff6c28c375e",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "39"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 23895
          },
          {
            "timestamp": "2026-05-28 22:02:40,506",
            "thread_id": "5448",
            "caller": "0x7ff6c28c47ed",
            "parentcaller": "0x7ff6c28c375e",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "39"
              },
              {
                "name": "TokenInformation",
                "value": "\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00`|+T\\x92\\x02\\x00\\x00 \\x00 \\x00\\x00\\x00\\x00\\x00\\x88|+T\\x92\\x02\\x00\\x00\\x02\\x00\\x00\\x00A\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xa8|+T\\x92\\x02\\x00\\x00T\\x00S\\x00A\\x00:\\x00/\\x00/\\x00P\\x00r\\x00o\\x00c\\x00U\\x00n\\x00i\\x00q\\x00u\\x00e\\x00\\xa5\\x00\\x00\\x00\\x00\\x00\\x00\\x00p5\\x0b\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 23896
          },
          {
            "timestamp": "2026-05-28 22:02:40,506",
            "thread_id": "5448",
            "caller": "0x7ff6c28c488d",
            "parentcaller": "0x7ff6c28c375e",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000ab4"
              }
            ],
            "repeated": 0,
            "id": 23897
          },
          {
            "timestamp": "2026-05-28 22:02:40,506",
            "thread_id": "5448",
            "caller": "0x7ff6c28c3779",
            "parentcaller": "0x7ff6c28c31c6",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000ac8"
              }
            ],
            "repeated": 0,
            "id": 23898
          },
          {
            "timestamp": "2026-05-28 22:02:40,506",
            "thread_id": "5448",
            "caller": "0x7ff6c28c05ac",
            "parentcaller": "0x7ff6c28bdc11",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000ac8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001400",
                "pretty_value": "PROCESS_QUERY_INFORMATION|PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "2196"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe"
              }
            ],
            "repeated": 0,
            "id": 23899
          },
          {
            "timestamp": "2026-05-28 22:02:40,506",
            "thread_id": "5448",
            "caller": "0x7ff6c28c068f",
            "parentcaller": "0x7ff6c28bdc11",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000ac8"
              }
            ],
            "repeated": 0,
            "id": 23900
          },
          {
            "timestamp": "2026-05-28 22:02:40,506",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c3e56",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000ac8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001000",
                "pretty_value": "PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "2196"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe"
              }
            ],
            "repeated": 0,
            "id": 23901
          },
          {
            "timestamp": "2026-05-28 22:02:40,506",
            "thread_id": "5448",
            "caller": "0x7ff6c28c3ebb",
            "parentcaller": "0x7ff6c28c2d53",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000ac8"
              }
            ],
            "repeated": 0,
            "id": 23902
          },
          {
            "timestamp": "2026-05-28 22:02:40,506",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c3ffc",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000ac8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001000",
                "pretty_value": "PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "2196"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe"
              }
            ],
            "repeated": 0,
            "id": 23903
          },
          {
            "timestamp": "2026-05-28 22:02:40,506",
            "thread_id": "5448",
            "caller": "0x7ff6c28c4224",
            "parentcaller": "0x7ff6c28c2da5",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000ac8"
              }
            ],
            "repeated": 0,
            "id": 23904
          },
          {
            "timestamp": "2026-05-28 22:02:40,506",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29251500002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 23905
          },
          {
            "timestamp": "2026-05-28 22:02:40,506",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29251500000"
              },
              {
                "name": "RegionSize",
                "value": "0x00505000"
              }
            ],
            "repeated": 0,
            "id": 23906
          },
          {
            "timestamp": "2026-05-28 22:02:40,506",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29251500002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 23907
          },
          {
            "timestamp": "2026-05-28 22:02:40,506",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29251500000"
              },
              {
                "name": "RegionSize",
                "value": "0x00505000"
              }
            ],
            "repeated": 0,
            "id": 23908
          },
          {
            "timestamp": "2026-05-28 22:02:40,506",
            "thread_id": "5448",
            "caller": "0x7ff6c28c3b16",
            "parentcaller": "0x7ff6c28c30e8",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000ac8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000400",
                "pretty_value": "PROCESS_QUERY_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "2196"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe"
              }
            ],
            "repeated": 0,
            "id": 23909
          },
          {
            "timestamp": "2026-05-28 22:02:40,506",
            "thread_id": "5448",
            "caller": "0x7ff6c28c3b8f",
            "parentcaller": "0x7ff6c28c30e8",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000ac8"
              }
            ],
            "repeated": 0,
            "id": 23910
          },
          {
            "timestamp": "2026-05-28 22:02:40,506",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c38f8",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000ac8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001410",
                "pretty_value": "PROCESS_VM_READ|PROCESS_QUERY_INFORMATION|PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "2196"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe"
              }
            ],
            "repeated": 0,
            "id": 23911
          },
          {
            "timestamp": "2026-05-28 22:02:40,506",
            "thread_id": "5448",
            "caller": "0x7ff6c28c53e5",
            "parentcaller": "0x7ff6c28c3945",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000ac8"
              },
              {
                "name": "BaseAddress",
                "value": "0x3d278dd000"
              },
              {
                "name": "Size",
                "value": "0x000007c8"
              },
              {
                "name": "Buffer",
                "value": "\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00u4\\xf7\\x7f\\x00\\x00\\xc0\\xc4\\x13x\\xfc\\x7f\\x00\\x00\\xf06\\xc0\\xad\\x88\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb7\\xad\\x88\\x01\\x00\\x00\\xe0\\xc0\\x13x\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00p\\x003v\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb2\\xad\\x88\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00@\\xc4\\x13x\\xfc\\x7f\\x00\\x00\\xff\\x07\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xc0g\\xf4}\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00P\\x07\\xc0g\\xf4}\\x00\\x00\\x00\\x00\\xd4i\\xf5}\\x00\\x00(\\x02\\xd5i\\xf5}\\x00\\x00P\\x06\\xd6i\\xf5}\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x80\\x9b\\x07m\\xe8\\xff\\xff\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x00 \\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x10\\x00\\x00\\x00@\\xad\\x13x\\xfc\\x7f\\x00\\x00\\x00\\x00A\\xae\\x88\\x01\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 23912
          },
          {
            "timestamp": "2026-05-28 22:02:40,506",
            "thread_id": "5448",
            "caller": "0x7ff6c28c5414",
            "parentcaller": "0x7ff6c28c3945",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000ac8"
              },
              {
                "name": "BaseAddress",
                "value": "0x188adc036f0"
              },
              {
                "name": "Size",
                "value": "0x00000440"
              },
              {
                "name": "Buffer",
                "value": "p\\x0c\\x00\\x00p\\x0c\\x00\\x00\\x01`\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x80\\x00\\x08\\x02\\x00\\x00\\x00\\x00\\xd0G\\xc0\\xad\\x88\\x01\\x00\\x00@\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00x\\x00z\\x00\\x00\\x00\\x00\\x008=\\xc0\\xad\\x88\\x01\\x00\\x00\\x10\\x05\\x12\\x05\\x00\\x00\\x00\\x00\\xb2=\\xc0\\xad\\x88\\x01\\x00\\x00\\xf0'\\xc0\\xad\\x88\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x80\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00x\\x00z\\x00\\x00\\x00\\x00\\x00\\xc4B\\xc0\\xad\\x88\\x01\\x00\\x00\\x1e\\x00 \\x00\\x00\\x00\\x00\\x00>C\\xc0\\xad\\x88\\x01\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00^C\\xc0\\xad\\x88\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 23913
          },
          {
            "timestamp": "2026-05-28 22:02:40,506",
            "thread_id": "5448",
            "caller": "0x7ff6c28c545d",
            "parentcaller": "0x7ff6c28c3945",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000ac8"
              },
              {
                "name": "BaseAddress",
                "value": "0x188adc03db2"
              },
              {
                "name": "Size",
                "value": "0x00000510"
              },
              {
                "name": "Buffer",
                "value": "\"\\x00C\\x00:\\x00\\\\x00P\\x00r\\x00o\\x00g\\x00r\\x00a\\x00m\\x00 \\x00F\\x00i\\x00l\\x00e\\x00s\\x00 \\x00(\\x00x\\x008\\x006\\x00)\\x00\\\\x00M\\x00i\\x00c\\x00r\\x00o\\x00s\\x00o\\x00f\\x00t\\x00\\\\x00E\\x00d\\x00g\\x00e\\x00\\\\x00A\\x00p\\x00p\\x00l\\x00i\\x00c\\x00a\\x00t\\x00i\\x00o\\x00n\\x00\\\\x00m\\x00s\\x00e\\x00d\\x00g\\x00e\\x00.\\x00e\\x00x\\x00e\\x00\"\\x00 \\x00-\\x00-\\x00t\\x00y\\x00p\\x00e\\x00=\\x00c\\x00r\\x00a\\x00s\\x00h\\x00p\\x00a\\x00d\\x00-\\x00h\\x00a\\x00n\\x00d\\x00l\\x00e\\x00r\\x00 \\x00\"\\x00-\\x00-\\x00u\\x00s\\x00e\\x00r\\x00-\\x00d\\x00a\\x00t\\x00a\\x00-\\x00d\\x00i\\x00r\\x00=\\x00C\\x00:\\x00\\\\x00U\\x00s\\x00e\\x00r\\x00s\\x00\\\\x00a\\x00d\\x00m\\x00i\\x00n\\x00\\\\x00A\\x00p\\x00p\\x00D\\x00a\\x00t\\x00a\\x00\\\\x00L\\x00"
              }
            ],
            "repeated": 0,
            "id": 23914
          },
          {
            "timestamp": "2026-05-28 22:02:40,506",
            "thread_id": "5448",
            "caller": "0x7ff6c28c39ad",
            "parentcaller": "0x7ff6c28c31bb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000ac8"
              }
            ],
            "repeated": 0,
            "id": 23915
          },
          {
            "timestamp": "2026-05-28 22:02:40,506",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c3746",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000ac8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001000",
                "pretty_value": "PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "2196"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe"
              }
            ],
            "repeated": 0,
            "id": 23916
          },
          {
            "timestamp": "2026-05-28 22:02:40,506",
            "thread_id": "5448",
            "caller": "0x7ff6c28c472e",
            "parentcaller": "0x7ff6c28c375e",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000ac8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x00000ab4"
              }
            ],
            "repeated": 0,
            "id": 23917
          },
          {
            "timestamp": "2026-05-28 22:02:40,506",
            "thread_id": "5448",
            "caller": "0x7ff6c28c4764",
            "parentcaller": "0x7ff6c28c375e",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "39"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 23918
          },
          {
            "timestamp": "2026-05-28 22:02:40,506",
            "thread_id": "5448",
            "caller": "0x7ff6c28c47ed",
            "parentcaller": "0x7ff6c28c375e",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "39"
              },
              {
                "name": "TokenInformation",
                "value": "\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x90[+T\\x92\\x02\\x00\\x00 \\x00 \\x00\\x00\\x00\\x00\\x00\\xb8[+T\\x92\\x02\\x00\\x00\\x02\\x00\\x00\\x00A\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xd8[+T\\x92\\x02\\x00\\x00T\\x00S\\x00A\\x00:\\x00/\\x00/\\x00P\\x00r\\x00o\\x00c\\x00U\\x00n\\x00i\\x00q\\x00u\\x00e\\x00\\xa6\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xa17\\x0b\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 23919
          },
          {
            "timestamp": "2026-05-28 22:02:40,506",
            "thread_id": "5448",
            "caller": "0x7ff6c28c488d",
            "parentcaller": "0x7ff6c28c375e",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000ab4"
              }
            ],
            "repeated": 0,
            "id": 23920
          },
          {
            "timestamp": "2026-05-28 22:02:40,506",
            "thread_id": "5448",
            "caller": "0x7ff6c28c3779",
            "parentcaller": "0x7ff6c28c31c6",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000ac8"
              }
            ],
            "repeated": 0,
            "id": 23921
          },
          {
            "timestamp": "2026-05-28 22:02:40,506",
            "thread_id": "5448",
            "caller": "0x7ff6c28c05ac",
            "parentcaller": "0x7ff6c28bdc11",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000ac8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001400",
                "pretty_value": "PROCESS_QUERY_INFORMATION|PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "764"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe"
              }
            ],
            "repeated": 0,
            "id": 23922
          },
          {
            "timestamp": "2026-05-28 22:02:40,506",
            "thread_id": "5448",
            "caller": "0x7ff6c28c068f",
            "parentcaller": "0x7ff6c28bdc11",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000ac8"
              }
            ],
            "repeated": 0,
            "id": 23923
          },
          {
            "timestamp": "2026-05-28 22:02:40,506",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c3e56",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000ac8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001000",
                "pretty_value": "PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "764"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe"
              }
            ],
            "repeated": 0,
            "id": 23924
          },
          {
            "timestamp": "2026-05-28 22:02:40,506",
            "thread_id": "5448",
            "caller": "0x7ff6c28c3ebb",
            "parentcaller": "0x7ff6c28c2d53",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000ac8"
              }
            ],
            "repeated": 0,
            "id": 23925
          },
          {
            "timestamp": "2026-05-28 22:02:40,506",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c3ffc",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000ac8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001000",
                "pretty_value": "PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "764"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe"
              }
            ],
            "repeated": 0,
            "id": 23926
          },
          {
            "timestamp": "2026-05-28 22:02:40,506",
            "thread_id": "5448",
            "caller": "0x7ff6c28c4224",
            "parentcaller": "0x7ff6c28c2da5",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000ac8"
              }
            ],
            "repeated": 0,
            "id": 23927
          },
          {
            "timestamp": "2026-05-28 22:02:40,506",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29251500002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 23928
          },
          {
            "timestamp": "2026-05-28 22:02:40,506",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29251500000"
              },
              {
                "name": "RegionSize",
                "value": "0x00505000"
              }
            ],
            "repeated": 0,
            "id": 23929
          },
          {
            "timestamp": "2026-05-28 22:02:40,506",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29251500002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 23930
          },
          {
            "timestamp": "2026-05-28 22:02:40,506",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29251500000"
              },
              {
                "name": "RegionSize",
                "value": "0x00505000"
              }
            ],
            "repeated": 0,
            "id": 23931
          },
          {
            "timestamp": "2026-05-28 22:02:40,506",
            "thread_id": "5448",
            "caller": "0x7ff6c28c3b16",
            "parentcaller": "0x7ff6c28c30e8",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000ac8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000400",
                "pretty_value": "PROCESS_QUERY_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "764"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe"
              }
            ],
            "repeated": 0,
            "id": 23932
          },
          {
            "timestamp": "2026-05-28 22:02:40,506",
            "thread_id": "5448",
            "caller": "0x7ff6c28c3b8f",
            "parentcaller": "0x7ff6c28c30e8",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000ac8"
              }
            ],
            "repeated": 0,
            "id": 23933
          },
          {
            "timestamp": "2026-05-28 22:02:40,506",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c38f8",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000ac8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001410",
                "pretty_value": "PROCESS_VM_READ|PROCESS_QUERY_INFORMATION|PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "764"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe"
              }
            ],
            "repeated": 0,
            "id": 23934
          },
          {
            "timestamp": "2026-05-28 22:02:40,506",
            "thread_id": "5448",
            "caller": "0x7ff6c28c53e5",
            "parentcaller": "0x7ff6c28c3945",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000ac8"
              },
              {
                "name": "BaseAddress",
                "value": "0x40baed4000"
              },
              {
                "name": "Size",
                "value": "0x000007c8"
              },
              {
                "name": "Buffer",
                "value": "\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00u4\\xf7\\x7f\\x00\\x00\\xc0\\xc4\\x13x\\xfc\\x7f\\x00\\x00\\xf06@\\xa4\\x86\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00*\\xa4\\x86\\x01\\x00\\x00\\xe0\\xc0\\x13x\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x05\\x00\\x00\\x00\\x00\\x00\\x00\\x00p\\x003v\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00%\\xa4\\x86\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00@\\xc4\\x13x\\xfc\\x7f\\x00\\x00\\xff\\xff\\xff\\x01\\x00\\x00\\x00\\x00\\x00\\x00 \\xe6\\xf4}\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00P\\x07 \\xe6\\xf4}\\x00\\x00\\x00\\x004\\xe8\\xf5}\\x00\\x00(\\x025\\xe8\\xf5}\\x00\\x00P\\x066\\xe8\\xf5}\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x80\\x9b\\x07m\\xe8\\xff\\xff\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x00 \\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x10\\x00\\x00\\x00@\\xad\\x13x\\xfc\\x7f\\x00\\x00\\x00\\x00\\xdf\\xa7\\x86\\x01\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 23935
          },
          {
            "timestamp": "2026-05-28 22:02:40,506",
            "thread_id": "5448",
            "caller": "0x7ff6c28c5414",
            "parentcaller": "0x7ff6c28c3945",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000ac8"
              },
              {
                "name": "BaseAddress",
                "value": "0x186a44036f0"
              },
              {
                "name": "Size",
                "value": "0x00000440"
              },
              {
                "name": "Buffer",
                "value": "\\xa0\\x0b\\x00\\x00\\xa0\\x0b\\x00\\x00\\x01`\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x80\\x00\\x08\\x02\\x00\\x00\\x00\\x00\\x00G@\\xa4\\x86\\x01\\x00\\x00D\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00x\\x00z\\x00\\x00\\x00\\x00\\x008=@\\xa4\\x86\\x01\\x00\\x00@\\x04B\\x04\\x00\\x00\\x00\\x00\\xb2=@\\xa4\\x86\\x01\\x00\\x00\\xf0'@\\xa4\\x86\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x81\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00x\\x00z\\x00\\x00\\x00\\x00\\x00\\xf4A@\\xa4\\x86\\x01\\x00\\x00\\x1e\\x00 \\x00\\x00\\x00\\x00\\x00nB@\\xa4\\x86\\x01\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x8eB@\\xa4\\x86\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 23936
          },
          {
            "timestamp": "2026-05-28 22:02:40,506",
            "thread_id": "5448",
            "caller": "0x7ff6c28c545d",
            "parentcaller": "0x7ff6c28c3945",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000ac8"
              },
              {
                "name": "BaseAddress",
                "value": "0x186a4403db2"
              },
              {
                "name": "Size",
                "value": "0x00000440"
              },
              {
                "name": "Buffer",
                "value": "\"\\x00C\\x00:\\x00\\\\x00P\\x00r\\x00o\\x00g\\x00r\\x00a\\x00m\\x00 \\x00F\\x00i\\x00l\\x00e\\x00s\\x00 \\x00(\\x00x\\x008\\x006\\x00)\\x00\\\\x00M\\x00i\\x00c\\x00r\\x00o\\x00s\\x00o\\x00f\\x00t\\x00\\\\x00E\\x00d\\x00g\\x00e\\x00\\\\x00A\\x00p\\x00p\\x00l\\x00i\\x00c\\x00a\\x00t\\x00i\\x00o\\x00n\\x00\\\\x00m\\x00s\\x00e\\x00d\\x00g\\x00e\\x00.\\x00e\\x00x\\x00e\\x00\"\\x00 \\x00-\\x00-\\x00t\\x00y\\x00p\\x00e\\x00=\\x00u\\x00t\\x00i\\x00l\\x00i\\x00t\\x00y\\x00 \\x00-\\x00-\\x00u\\x00t\\x00i\\x00l\\x00i\\x00t\\x00y\\x00-\\x00s\\x00u\\x00b\\x00-\\x00t\\x00y\\x00p\\x00e\\x00=\\x00n\\x00e\\x00t\\x00w\\x00o\\x00r\\x00k\\x00.\\x00m\\x00o\\x00j\\x00o\\x00m\\x00.\\x00N\\x00e\\x00t\\x00w\\x00o\\x00r\\x00k\\x00S\\x00e\\x00r\\x00v\\x00i\\x00c\\x00e\\x00 \\x00-\\x00-\\x00"
              }
            ],
            "repeated": 0,
            "id": 23937
          },
          {
            "timestamp": "2026-05-28 22:02:40,506",
            "thread_id": "5448",
            "caller": "0x7ff6c28c39ad",
            "parentcaller": "0x7ff6c28c31bb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000ac8"
              }
            ],
            "repeated": 0,
            "id": 23938
          },
          {
            "timestamp": "2026-05-28 22:02:40,506",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c3746",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000ac8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001000",
                "pretty_value": "PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "764"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe"
              }
            ],
            "repeated": 0,
            "id": 23939
          },
          {
            "timestamp": "2026-05-28 22:02:40,506",
            "thread_id": "5448",
            "caller": "0x7ff6c28c472e",
            "parentcaller": "0x7ff6c28c375e",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000ac8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x00000ab4"
              }
            ],
            "repeated": 0,
            "id": 23940
          },
          {
            "timestamp": "2026-05-28 22:02:40,506",
            "thread_id": "5448",
            "caller": "0x7ff6c28c4764",
            "parentcaller": "0x7ff6c28c375e",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "39"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 23941
          },
          {
            "timestamp": "2026-05-28 22:02:40,506",
            "thread_id": "5448",
            "caller": "0x7ff6c28c47ed",
            "parentcaller": "0x7ff6c28c375e",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "39"
              },
              {
                "name": "TokenInformation",
                "value": "\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x10\\x90+T\\x92\\x02\\x00\\x00 \\x00 \\x00\\x00\\x00\\x00\\x008\\x90+T\\x92\\x02\\x00\\x00\\x02\\x00\\x00\\x00A\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00X\\x90+T\\x92\\x02\\x00\\x00T\\x00S\\x00A\\x00:\\x00/\\x00/\\x00P\\x00r\\x00o\\x00c\\x00U\\x00n\\x00i\\x00q\\x00u\\x00e\\x00\\xa7\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x8dF\\x0b\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 23942
          },
          {
            "timestamp": "2026-05-28 22:02:40,506",
            "thread_id": "5448",
            "caller": "0x7ff6c28c488d",
            "parentcaller": "0x7ff6c28c375e",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000ab4"
              }
            ],
            "repeated": 0,
            "id": 23943
          },
          {
            "timestamp": "2026-05-28 22:02:40,506",
            "thread_id": "5448",
            "caller": "0x7ff6c28c3779",
            "parentcaller": "0x7ff6c28c31c6",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000ac8"
              }
            ],
            "repeated": 0,
            "id": 23944
          },
          {
            "timestamp": "2026-05-28 22:02:40,506",
            "thread_id": "5448",
            "caller": "0x7ff6c28c05ac",
            "parentcaller": "0x7ff6c28bdc11",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000ac8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001400",
                "pretty_value": "PROCESS_QUERY_INFORMATION|PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "1180"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe"
              }
            ],
            "repeated": 0,
            "id": 23945
          },
          {
            "timestamp": "2026-05-28 22:02:40,506",
            "thread_id": "5448",
            "caller": "0x7ff6c28c068f",
            "parentcaller": "0x7ff6c28bdc11",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000ac8"
              }
            ],
            "repeated": 0,
            "id": 23946
          },
          {
            "timestamp": "2026-05-28 22:02:40,506",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c3e56",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000ac8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001000",
                "pretty_value": "PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "1180"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe"
              }
            ],
            "repeated": 0,
            "id": 23947
          },
          {
            "timestamp": "2026-05-28 22:02:40,506",
            "thread_id": "5448",
            "caller": "0x7ff6c28c3ebb",
            "parentcaller": "0x7ff6c28c2d53",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000ac8"
              }
            ],
            "repeated": 0,
            "id": 23948
          },
          {
            "timestamp": "2026-05-28 22:02:40,506",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c3ffc",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000ac8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001000",
                "pretty_value": "PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "1180"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe"
              }
            ],
            "repeated": 0,
            "id": 23949
          },
          {
            "timestamp": "2026-05-28 22:02:40,506",
            "thread_id": "5448",
            "caller": "0x7ff6c28c4224",
            "parentcaller": "0x7ff6c28c2da5",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000ac8"
              }
            ],
            "repeated": 0,
            "id": 23950
          },
          {
            "timestamp": "2026-05-28 22:02:40,506",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29251500002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 23951
          },
          {
            "timestamp": "2026-05-28 22:02:40,506",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29251500000"
              },
              {
                "name": "RegionSize",
                "value": "0x00505000"
              }
            ],
            "repeated": 0,
            "id": 23952
          },
          {
            "timestamp": "2026-05-28 22:02:40,506",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29251500002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 23953
          },
          {
            "timestamp": "2026-05-28 22:02:40,506",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29251500000"
              },
              {
                "name": "RegionSize",
                "value": "0x00505000"
              }
            ],
            "repeated": 0,
            "id": 23954
          },
          {
            "timestamp": "2026-05-28 22:02:40,506",
            "thread_id": "5448",
            "caller": "0x7ff6c28c3b16",
            "parentcaller": "0x7ff6c28c30e8",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000ac8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000400",
                "pretty_value": "PROCESS_QUERY_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "1180"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe"
              }
            ],
            "repeated": 0,
            "id": 23955
          },
          {
            "timestamp": "2026-05-28 22:02:40,506",
            "thread_id": "5448",
            "caller": "0x7ff6c28c3b8f",
            "parentcaller": "0x7ff6c28c30e8",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000ac8"
              }
            ],
            "repeated": 0,
            "id": 23956
          },
          {
            "timestamp": "2026-05-28 22:02:40,521",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c38f8",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000ac0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001410",
                "pretty_value": "PROCESS_VM_READ|PROCESS_QUERY_INFORMATION|PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "1180"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe"
              }
            ],
            "repeated": 0,
            "id": 23957
          },
          {
            "timestamp": "2026-05-28 22:02:40,521",
            "thread_id": "5448",
            "caller": "0x7ff6c28c53e5",
            "parentcaller": "0x7ff6c28c3945",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000ac0"
              },
              {
                "name": "BaseAddress",
                "value": "0x4adb9bb000"
              },
              {
                "name": "Size",
                "value": "0x000007c8"
              },
              {
                "name": "Buffer",
                "value": "\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00u4\\xf7\\x7f\\x00\\x00\\xc0\\xc4\\x13x\\xfc\\x7f\\x00\\x00\\xf06@\\xb1\\xa8\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x002\\xb1\\xa8\\x01\\x00\\x00\\xe0\\xc0\\x13x\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x05\\x00\\x00\\x00\\x00\\x00\\x00\\x00p\\x003v\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00+\\xb1\\xa8\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00@\\xc4\\x13x\\xfc\\x7f\\x00\\x00\\xff\\x1f\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xce\\xbf\\xf4}\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00P\\x07\\xce\\xbf\\xf4}\\x00\\x00\\x00\\x00\\xe2\\xc1\\xf5}\\x00\\x00(\\x02\\xe3\\xc1\\xf5}\\x00\\x00P\\x06\\xe4\\xc1\\xf5}\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x80\\x9b\\x07m\\xe8\\xff\\xff\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x00 \\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\x05\\x00\\x00\\x00\\x10\\x00\\x00\\x00@\\xad\\x13x\\xfc\\x7f\\x00\\x00\\x00\\x00\\x9f\\xb2\\xa8\\x01\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 23958
          },
          {
            "timestamp": "2026-05-28 22:02:40,521",
            "thread_id": "5448",
            "caller": "0x7ff6c28c5414",
            "parentcaller": "0x7ff6c28c3945",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000ac0"
              },
              {
                "name": "BaseAddress",
                "value": "0x1a8b14036f0"
              },
              {
                "name": "Size",
                "value": "0x00000440"
              },
              {
                "name": "Buffer",
                "value": "\\x0e\\x0c\\x00\\x00\\x0e\\x0c\\x00\\x00\\x01`\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x80\\x00\\x08\\x02\\x00\\x00\\x00\\x00pG@\\xb1\\xa8\\x01\\x00\\x00\\x84\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00x\\x00z\\x00\\x00\\x00\\x00\\x008=@\\xb1\\xa8\\x01\\x00\\x00\\xae\\x04\\xb0\\x04\\x00\\x00\\x00\\x00\\xb2=@\\xb1\\xa8\\x01\\x00\\x00\\xf0'@\\xb1\\xa8\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x80\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00x\\x00z\\x00\\x00\\x00\\x00\\x00bB@\\xb1\\xa8\\x01\\x00\\x00\\x1e\\x00 \\x00\\x00\\x00\\x00\\x00\\xdcB@\\xb1\\xa8\\x01\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\xfcB@\\xb1\\xa8\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 23959
          },
          {
            "timestamp": "2026-05-28 22:02:40,521",
            "thread_id": "5448",
            "caller": "0x7ff6c28c545d",
            "parentcaller": "0x7ff6c28c3945",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000ac0"
              },
              {
                "name": "BaseAddress",
                "value": "0x1a8b1403db2"
              },
              {
                "name": "Size",
                "value": "0x000004ae"
              },
              {
                "name": "Buffer",
                "value": "\"\\x00C\\x00:\\x00\\\\x00P\\x00r\\x00o\\x00g\\x00r\\x00a\\x00m\\x00 \\x00F\\x00i\\x00l\\x00e\\x00s\\x00 \\x00(\\x00x\\x008\\x006\\x00)\\x00\\\\x00M\\x00i\\x00c\\x00r\\x00o\\x00s\\x00o\\x00f\\x00t\\x00\\\\x00E\\x00d\\x00g\\x00e\\x00\\\\x00A\\x00p\\x00p\\x00l\\x00i\\x00c\\x00a\\x00t\\x00i\\x00o\\x00n\\x00\\\\x00m\\x00s\\x00e\\x00d\\x00g\\x00e\\x00.\\x00e\\x00x\\x00e\\x00\"\\x00 \\x00-\\x00-\\x00t\\x00y\\x00p\\x00e\\x00=\\x00g\\x00p\\x00u\\x00-\\x00p\\x00r\\x00o\\x00c\\x00e\\x00s\\x00s\\x00 \\x00-\\x00-\\x00g\\x00p\\x00u\\x00-\\x00p\\x00r\\x00e\\x00f\\x00e\\x00r\\x00e\\x00n\\x00c\\x00e\\x00s\\x00=\\x00S\\x00A\\x00A\\x00A\\x00A\\x00A\\x00A\\x00A\\x00A\\x00A\\x00D\\x00g\\x00A\\x00A\\x00A\\x00E\\x00A\\x00A\\x00A\\x00A\\x00A\\x00A\\x00A\\x00A\\x00A\\x00A\\x00A\\x00A\\x00"
              }
            ],
            "repeated": 0,
            "id": 23960
          },
          {
            "timestamp": "2026-05-28 22:02:40,521",
            "thread_id": "5448",
            "caller": "0x7ff6c28c39ad",
            "parentcaller": "0x7ff6c28c31bb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000ac0"
              }
            ],
            "repeated": 0,
            "id": 23961
          },
          {
            "timestamp": "2026-05-28 22:02:40,521",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c3746",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000ac0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001000",
                "pretty_value": "PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "1180"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe"
              }
            ],
            "repeated": 0,
            "id": 23962
          },
          {
            "timestamp": "2026-05-28 22:02:40,521",
            "thread_id": "5448",
            "caller": "0x7ff6c28c472e",
            "parentcaller": "0x7ff6c28c375e",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000ac0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x00000ab8"
              }
            ],
            "repeated": 0,
            "id": 23963
          },
          {
            "timestamp": "2026-05-28 22:02:40,521",
            "thread_id": "5448",
            "caller": "0x7ff6c28c4764",
            "parentcaller": "0x7ff6c28c375e",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "39"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 23964
          },
          {
            "timestamp": "2026-05-28 22:02:40,521",
            "thread_id": "5448",
            "caller": "0x7ff6c28c47ed",
            "parentcaller": "0x7ff6c28c375e",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "39"
              },
              {
                "name": "TokenInformation",
                "value": "\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x90[+T\\x92\\x02\\x00\\x00 \\x00 \\x00\\x00\\x00\\x00\\x00\\xb8[+T\\x92\\x02\\x00\\x00\\x02\\x00\\x00\\x00A\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xd8[+T\\x92\\x02\\x00\\x00T\\x00S\\x00A\\x00:\\x00/\\x00/\\x00P\\x00r\\x00o\\x00c\\x00U\\x00n\\x00i\\x00q\\x00u\\x00e\\x00\\xa8\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xf0F\\x0b\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 23965
          },
          {
            "timestamp": "2026-05-28 22:02:40,521",
            "thread_id": "5448",
            "caller": "0x7ff6c28c488d",
            "parentcaller": "0x7ff6c28c375e",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000ab8"
              }
            ],
            "repeated": 0,
            "id": 23966
          },
          {
            "timestamp": "2026-05-28 22:02:40,521",
            "thread_id": "5448",
            "caller": "0x7ff6c28c3779",
            "parentcaller": "0x7ff6c28c31c6",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000ac0"
              }
            ],
            "repeated": 0,
            "id": 23967
          },
          {
            "timestamp": "2026-05-28 22:02:40,521",
            "thread_id": "5448",
            "caller": "0x7ff6c28c05ac",
            "parentcaller": "0x7ff6c28bdc11",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000ac0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001400",
                "pretty_value": "PROCESS_QUERY_INFORMATION|PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "2660"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe"
              }
            ],
            "repeated": 0,
            "id": 23968
          },
          {
            "timestamp": "2026-05-28 22:02:40,521",
            "thread_id": "5448",
            "caller": "0x7ff6c28c068f",
            "parentcaller": "0x7ff6c28bdc11",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000ac0"
              }
            ],
            "repeated": 0,
            "id": 23969
          },
          {
            "timestamp": "2026-05-28 22:02:40,521",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c3e56",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000ac0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001000",
                "pretty_value": "PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "2660"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe"
              }
            ],
            "repeated": 0,
            "id": 23970
          },
          {
            "timestamp": "2026-05-28 22:02:40,521",
            "thread_id": "5448",
            "caller": "0x7ff6c28c3ebb",
            "parentcaller": "0x7ff6c28c2d53",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000ac0"
              }
            ],
            "repeated": 0,
            "id": 23971
          },
          {
            "timestamp": "2026-05-28 22:02:40,521",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c3ffc",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000ac0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001000",
                "pretty_value": "PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "2660"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe"
              }
            ],
            "repeated": 0,
            "id": 23972
          },
          {
            "timestamp": "2026-05-28 22:02:40,521",
            "thread_id": "5448",
            "caller": "0x7ff6c28c4224",
            "parentcaller": "0x7ff6c28c2da5",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000ac0"
              }
            ],
            "repeated": 0,
            "id": 23973
          },
          {
            "timestamp": "2026-05-28 22:02:40,521",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29251500002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 23974
          },
          {
            "timestamp": "2026-05-28 22:02:40,521",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29251500000"
              },
              {
                "name": "RegionSize",
                "value": "0x00505000"
              }
            ],
            "repeated": 0,
            "id": 23975
          },
          {
            "timestamp": "2026-05-28 22:02:40,521",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29251500002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 23976
          },
          {
            "timestamp": "2026-05-28 22:02:40,521",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29251500000"
              },
              {
                "name": "RegionSize",
                "value": "0x00505000"
              }
            ],
            "repeated": 0,
            "id": 23977
          },
          {
            "timestamp": "2026-05-28 22:02:40,521",
            "thread_id": "5448",
            "caller": "0x7ff6c28c3b16",
            "parentcaller": "0x7ff6c28c30e8",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000ac0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000400",
                "pretty_value": "PROCESS_QUERY_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "2660"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe"
              }
            ],
            "repeated": 0,
            "id": 23978
          },
          {
            "timestamp": "2026-05-28 22:02:40,521",
            "thread_id": "5448",
            "caller": "0x7ff6c28c3b8f",
            "parentcaller": "0x7ff6c28c30e8",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000ac0"
              }
            ],
            "repeated": 0,
            "id": 23979
          },
          {
            "timestamp": "2026-05-28 22:02:40,521",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c38f8",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000ac0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001410",
                "pretty_value": "PROCESS_VM_READ|PROCESS_QUERY_INFORMATION|PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "2660"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe"
              }
            ],
            "repeated": 0,
            "id": 23980
          },
          {
            "timestamp": "2026-05-28 22:02:40,521",
            "thread_id": "5448",
            "caller": "0x7ff6c28c53e5",
            "parentcaller": "0x7ff6c28c3945",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000ac0"
              },
              {
                "name": "BaseAddress",
                "value": "0x3e22c3c000"
              },
              {
                "name": "Size",
                "value": "0x000007c8"
              },
              {
                "name": "Buffer",
                "value": "\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00u4\\xf7\\x7f\\x00\\x00\\xc0\\xc4\\x13x\\xfc\\x7f\\x00\\x00\\xc0,\\x001\\xc8\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xff0\\xc8\\x01\\x00\\x00\\xe0\\xc0\\x13x\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x05\\x00\\x00\\x00\\x00\\x00\\x00\\x00p\\x003v\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xf80\\xc8\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00@\\xc4\\x13x\\xfc\\x7f\\x00\\x00\\xff\\xff\\x07\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xc4_\\xf4}\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00P\\x07\\xc4_\\xf4}\\x00\\x00\\x00\\x00\\xd8a\\xf5}\\x00\\x00(\\x02\\xd9a\\xf5}\\x00\\x00P\\x06\\xdaa\\xf5}\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x80\\x9b\\x07m\\xe8\\xff\\xff\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x00 \\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x10\\x00\\x00\\x00@\\xad\\x13x\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 23981
          },
          {
            "timestamp": "2026-05-28 22:02:40,521",
            "thread_id": "5448",
            "caller": "0x7ff6c28c5414",
            "parentcaller": "0x7ff6c28c3945",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000ac0"
              },
              {
                "name": "BaseAddress",
                "value": "0x1c831002cc0"
              },
              {
                "name": "Size",
                "value": "0x00000440"
              },
              {
                "name": "Buffer",
                "value": "\\xe8\\x0b\\x00\\x00\\xe8\\x0b\\x00\\x00\\x01`\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x80\\x00\\x08\\x02\\x00\\x00\\x00\\x00 =\\x001\\xc8\\x01\\x00\\x00\\x88\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00x\\x00z\\x00\\x00\\x00\\x00\\x00\\x083\\x001\\xc8\\x01\\x00\\x00H\\x04J\\x04\\x00\\x00\\x00\\x00\\x823\\x001\\xc8\\x01\\x00\\x00\\xf0'\\x001\\xc8\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x80\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00x\\x00z\\x00\\x00\\x00\\x00\\x00\\xcc7\\x001\\xc8\\x01\\x00\\x00^\\x00`\\x00\\x00\\x00\\x00\\x00F8\\x001\\xc8\\x01\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\xa68\\x001\\xc8\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 23982
          },
          {
            "timestamp": "2026-05-28 22:02:40,521",
            "thread_id": "5448",
            "caller": "0x7ff6c28c545d",
            "parentcaller": "0x7ff6c28c3945",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000ac0"
              },
              {
                "name": "BaseAddress",
                "value": "0x1c831003382"
              },
              {
                "name": "Size",
                "value": "0x00000448"
              },
              {
                "name": "Buffer",
                "value": "\"\\x00C\\x00:\\x00\\\\x00P\\x00r\\x00o\\x00g\\x00r\\x00a\\x00m\\x00 \\x00F\\x00i\\x00l\\x00e\\x00s\\x00 \\x00(\\x00x\\x008\\x006\\x00)\\x00\\\\x00M\\x00i\\x00c\\x00r\\x00o\\x00s\\x00o\\x00f\\x00t\\x00\\\\x00E\\x00d\\x00g\\x00e\\x00\\\\x00A\\x00p\\x00p\\x00l\\x00i\\x00c\\x00a\\x00t\\x00i\\x00o\\x00n\\x00\\\\x00m\\x00s\\x00e\\x00d\\x00g\\x00e\\x00.\\x00e\\x00x\\x00e\\x00\"\\x00 \\x00-\\x00-\\x00t\\x00y\\x00p\\x00e\\x00=\\x00u\\x00t\\x00i\\x00l\\x00i\\x00t\\x00y\\x00 \\x00-\\x00-\\x00u\\x00t\\x00i\\x00l\\x00i\\x00t\\x00y\\x00-\\x00s\\x00u\\x00b\\x00-\\x00t\\x00y\\x00p\\x00e\\x00=\\x00s\\x00t\\x00o\\x00r\\x00a\\x00g\\x00e\\x00.\\x00m\\x00o\\x00j\\x00o\\x00m\\x00.\\x00S\\x00t\\x00o\\x00r\\x00a\\x00g\\x00e\\x00S\\x00e\\x00r\\x00v\\x00i\\x00c\\x00e\\x00 \\x00-\\x00-\\x00"
              }
            ],
            "repeated": 0,
            "id": 23983
          },
          {
            "timestamp": "2026-05-28 22:02:40,521",
            "thread_id": "5448",
            "caller": "0x7ff6c28c39ad",
            "parentcaller": "0x7ff6c28c31bb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000ac0"
              }
            ],
            "repeated": 0,
            "id": 23984
          },
          {
            "timestamp": "2026-05-28 22:02:40,521",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c3746",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000ac0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001000",
                "pretty_value": "PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "2660"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe"
              }
            ],
            "repeated": 0,
            "id": 23985
          },
          {
            "timestamp": "2026-05-28 22:02:40,521",
            "thread_id": "5448",
            "caller": "0x7ff6c28c472e",
            "parentcaller": "0x7ff6c28c375e",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000ac0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x00000ab8"
              }
            ],
            "repeated": 0,
            "id": 23986
          },
          {
            "timestamp": "2026-05-28 22:02:40,521",
            "thread_id": "5448",
            "caller": "0x7ff6c28c4764",
            "parentcaller": "0x7ff6c28c375e",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "39"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 23987
          },
          {
            "timestamp": "2026-05-28 22:02:40,521",
            "thread_id": "5448",
            "caller": "0x7ff6c28c47ed",
            "parentcaller": "0x7ff6c28c375e",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "39"
              },
              {
                "name": "TokenInformation",
                "value": "\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x90[+T\\x92\\x02\\x00\\x00 \\x00 \\x00\\x00\\x00\\x00\\x00\\xb8[+T\\x92\\x02\\x00\\x00\\x02\\x00\\x00\\x00A\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xd8[+T\\x92\\x02\\x00\\x00T\\x00S\\x00A\\x00:\\x00/\\x00/\\x00P\\x00r\\x00o\\x00c\\x00U\\x00n\\x00i\\x00q\\x00u\\x00e\\x00\\xa9\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x0eG\\x0b\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 23988
          },
          {
            "timestamp": "2026-05-28 22:02:40,521",
            "thread_id": "5448",
            "caller": "0x7ff6c28c488d",
            "parentcaller": "0x7ff6c28c375e",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000ab8"
              }
            ],
            "repeated": 0,
            "id": 23989
          },
          {
            "timestamp": "2026-05-28 22:02:40,521",
            "thread_id": "5448",
            "caller": "0x7ff6c28c3779",
            "parentcaller": "0x7ff6c28c31c6",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000ac0"
              }
            ],
            "repeated": 0,
            "id": 23990
          },
          {
            "timestamp": "2026-05-28 22:02:40,521",
            "thread_id": "5448",
            "caller": "0x7ff6c28c05ac",
            "parentcaller": "0x7ff6c28bdc11",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000ac0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001400",
                "pretty_value": "PROCESS_QUERY_INFORMATION|PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "11124"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\148.0.3967.83\\identity_helper.exe"
              }
            ],
            "repeated": 0,
            "id": 23991
          },
          {
            "timestamp": "2026-05-28 22:02:40,521",
            "thread_id": "5448",
            "caller": "0x7ff6c28c068f",
            "parentcaller": "0x7ff6c28bdc11",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000ac0"
              }
            ],
            "repeated": 0,
            "id": 23992
          },
          {
            "timestamp": "2026-05-28 22:02:40,521",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c3e56",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000ac0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001000",
                "pretty_value": "PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "11124"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\148.0.3967.83\\identity_helper.exe"
              }
            ],
            "repeated": 0,
            "id": 23993
          },
          {
            "timestamp": "2026-05-28 22:02:40,521",
            "thread_id": "5448",
            "caller": "0x7ff6c28c3ebb",
            "parentcaller": "0x7ff6c28c2d53",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000ac0"
              }
            ],
            "repeated": 0,
            "id": 23994
          },
          {
            "timestamp": "2026-05-28 22:02:40,521",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c3ffc",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000ac0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001000",
                "pretty_value": "PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "11124"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\148.0.3967.83\\identity_helper.exe"
              }
            ],
            "repeated": 0,
            "id": 23995
          },
          {
            "timestamp": "2026-05-28 22:02:40,521",
            "thread_id": "5448",
            "caller": "0x7ff6c28c4224",
            "parentcaller": "0x7ff6c28c2da5",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000ac0"
              }
            ],
            "repeated": 0,
            "id": 23996
          },
          {
            "timestamp": "2026-05-28 22:02:40,521",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29251500002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\148.0.3967.83\\identity_helper.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 23997
          },
          {
            "timestamp": "2026-05-28 22:02:40,521",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29251500000"
              },
              {
                "name": "RegionSize",
                "value": "0x0028c000"
              }
            ],
            "repeated": 0,
            "id": 23998
          },
          {
            "timestamp": "2026-05-28 22:02:40,521",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29251500002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\148.0.3967.83\\identity_helper.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 23999
          },
          {
            "timestamp": "2026-05-28 22:02:40,521",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29251500000"
              },
              {
                "name": "RegionSize",
                "value": "0x0028c000"
              }
            ],
            "repeated": 0,
            "id": 24000
          },
          {
            "timestamp": "2026-05-28 22:02:40,521",
            "thread_id": "5448",
            "caller": "0x7ff6c28c3b16",
            "parentcaller": "0x7ff6c28c30e8",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000ac0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000400",
                "pretty_value": "PROCESS_QUERY_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "11124"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\148.0.3967.83\\identity_helper.exe"
              }
            ],
            "repeated": 0,
            "id": 24001
          },
          {
            "timestamp": "2026-05-28 22:02:40,521",
            "thread_id": "5448",
            "caller": "0x7ff6c28c3b8f",
            "parentcaller": "0x7ff6c28c30e8",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000ac0"
              }
            ],
            "repeated": 0,
            "id": 24002
          },
          {
            "timestamp": "2026-05-28 22:02:40,521",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c38f8",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000ac0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001410",
                "pretty_value": "PROCESS_VM_READ|PROCESS_QUERY_INFORMATION|PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "11124"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\148.0.3967.83\\identity_helper.exe"
              }
            ],
            "repeated": 0,
            "id": 24003
          },
          {
            "timestamp": "2026-05-28 22:02:40,521",
            "thread_id": "5448",
            "caller": "0x7ff6c28c53e5",
            "parentcaller": "0x7ff6c28c3945",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000ac0"
              },
              {
                "name": "BaseAddress",
                "value": "0xcdc4b84000"
              },
              {
                "name": "Size",
                "value": "0x000007c8"
              },
              {
                "name": "Buffer",
                "value": "\\x00\\x00\\x00\\x14\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\xa9l\\xf6\\x7f\\x00\\x00\\xc0\\xc4\\x13x\\xfc\\x7f\\x00\\x00@7 IF\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x1bIF\\x02\\x00\\x00\\xe0\\xc0\\x13x\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x05\\x00\\x00\\x00\\x00\\x00\\x00\\x00p\\x003v\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x15IF\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00@\\xc4\\x13x\\xfc\\x7f\\x00\\x00\\xff\\xff\\xff\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x0c\\xe7\\xf4}\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00P\\x07\\x0c\\xe7\\xf4}\\x00\\x00\\x00\\x00 \\xe9\\xf5}\\x00\\x00(\\x02!\\xe9\\xf5}\\x00\\x00P\\x06\"\\xe9\\xf5}\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x80\\x9b\\x07m\\xe8\\xff\\xff\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x00 \\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x10\\x00\\x00\\x00@\\xad\\x13x\\xfc\\x7f\\x00\\x00\\x00\\x00\\xa2IF\\x02\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 24004
          },
          {
            "timestamp": "2026-05-28 22:02:40,521",
            "thread_id": "5448",
            "caller": "0x7ff6c28c5414",
            "parentcaller": "0x7ff6c28c3945",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000ac0"
              },
              {
                "name": "BaseAddress",
                "value": "0x24649203740"
              },
              {
                "name": "Size",
                "value": "0x00000440"
              },
              {
                "name": "Buffer",
                "value": "&\r\\x00\\x00&\r\\x00\\x00\\x01`\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x80\\x00\\x08\\x02\\x00\\x00\\x00\\x00\\xe0H IF\\x02\\x00\\x00D\\x00\\x00\\x00\\x00\\x00\\x00\\x00d\\x00f\\x00\\x00\\x00\\x00\\x00\\x88= IF\\x02\\x00\\x00\\xa6\\x00\\xa8\\x00\\x00\\x00\\x00\\x00\\xee= IF\\x02\\x00\\x00\\x04\\x05\\x06\\x05\\x00\\x00\\x00\\x00\\x96> IF\\x02\\x00\\x00\\xf0' IF\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x81\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xa6\\x00\\xa8\\x00\\x00\\x00\\x00\\x00\\x9cC IF\\x02\\x00\\x00\\x1e\\x00 \\x00\\x00\\x00\\x00\\x00DD IF\\x02\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00dD IF\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 24005
          },
          {
            "timestamp": "2026-05-28 22:02:40,521",
            "thread_id": "5448",
            "caller": "0x7ff6c28c545d",
            "parentcaller": "0x7ff6c28c3945",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000ac0"
              },
              {
                "name": "BaseAddress",
                "value": "0x24649203e96"
              },
              {
                "name": "Size",
                "value": "0x00000504"
              },
              {
                "name": "Buffer",
                "value": "\"\\x00C\\x00:\\x00\\\\x00P\\x00r\\x00o\\x00g\\x00r\\x00a\\x00m\\x00 \\x00F\\x00i\\x00l\\x00e\\x00s\\x00 \\x00(\\x00x\\x008\\x006\\x00)\\x00\\\\x00M\\x00i\\x00c\\x00r\\x00o\\x00s\\x00o\\x00f\\x00t\\x00\\\\x00E\\x00d\\x00g\\x00e\\x00\\\\x00A\\x00p\\x00p\\x00l\\x00i\\x00c\\x00a\\x00t\\x00i\\x00o\\x00n\\x00\\\\x001\\x004\\x008\\x00.\\x000\\x00.\\x003\\x009\\x006\\x007\\x00.\\x008\\x003\\x00\\\\x00i\\x00d\\x00e\\x00n\\x00t\\x00i\\x00t\\x00y\\x00_\\x00h\\x00e\\x00l\\x00p\\x00e\\x00r\\x00.\\x00e\\x00x\\x00e\\x00\"\\x00 \\x00-\\x00-\\x00t\\x00y\\x00p\\x00e\\x00=\\x00u\\x00t\\x00i\\x00l\\x00i\\x00t\\x00y\\x00 \\x00-\\x00-\\x00u\\x00t\\x00i\\x00l\\x00i\\x00t\\x00y\\x00-\\x00s\\x00u\\x00b\\x00-\\x00t\\x00y\\x00p\\x00e\\x00=\\x00w\\x00i\\x00n\\x00r\\x00t\\x00_\\x00a\\x00p\\x00"
              }
            ],
            "repeated": 0,
            "id": 24006
          },
          {
            "timestamp": "2026-05-28 22:02:40,521",
            "thread_id": "5448",
            "caller": "0x7ff6c28c39ad",
            "parentcaller": "0x7ff6c28c31bb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000ac0"
              }
            ],
            "repeated": 0,
            "id": 24007
          },
          {
            "timestamp": "2026-05-28 22:02:40,521",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c3746",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000ac0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001000",
                "pretty_value": "PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "11124"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\148.0.3967.83\\identity_helper.exe"
              }
            ],
            "repeated": 0,
            "id": 24008
          },
          {
            "timestamp": "2026-05-28 22:02:40,521",
            "thread_id": "5448",
            "caller": "0x7ff6c28c472e",
            "parentcaller": "0x7ff6c28c375e",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000ac0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x00000ab8"
              }
            ],
            "repeated": 0,
            "id": 24009
          },
          {
            "timestamp": "2026-05-28 22:02:40,521",
            "thread_id": "5448",
            "caller": "0x7ff6c28c4764",
            "parentcaller": "0x7ff6c28c375e",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "39"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 24010
          },
          {
            "timestamp": "2026-05-28 22:02:40,521",
            "thread_id": "5448",
            "caller": "0x7ff6c28c47ed",
            "parentcaller": "0x7ff6c28c375e",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "39"
              },
              {
                "name": "TokenInformation",
                "value": "\\x01\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\xe0\\xdboT\\x92\\x02\\x00\\x00\\x1c\\x00\\x1c\\x00\\x00\\x00\\x00\\x00\\x80\\xdcoT\\x92\\x02\\x00\\x00\\x03\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xa0\\xdcoT\\x92\\x02\\x00\\x00\\x12\\x00\\x12\\x00\\x00\\x00\\x00\\x00\\xb4\\xddoT\\x92\\x02\\x00\\x00\\x02\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xc8\\xddoT\\x92\\x02\\x00\\x00\\x1e\\x00\\x1e\\x00\\x00\\x00\\x00\\x00\\xd0\\xddoT\\x92\\x02\\x00\\x00\\x02\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xf0\\xddoT\\x92\\x02\\x00\\x00 \\x00 \\x00\\x00\\x00\\x00\\x00\\xf8\\xddoT\\x92\\x02\\x00\\x00\\x02\\x00\\x00\\x00A\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x18\\xdeoT\\x92\\x02\\x00\\x00W\\x00I\\x00N\\x00:\\x00/\\x00/\\x00S\\x00Y\\x00S\\x00A\\x00P\\x00P\\x00I\\x00D\\x00\\x00\\x00\\x00\\x00\\x86\\x00\\x86\\x00\\x00\\x00\\x00\\x00\\xd0\\xdcoT\\x92\\x02\\x00\\x00\\x06\\x00\\x06\\x00\\x00\\x00\\x00\\x00V\\xddoT\\x92\\x02\\x00\\x00X\\x00X\\x00\\x00\\x00\\x00\\x00\\\\xddoT\\x92\\x02\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 24011
          },
          {
            "timestamp": "2026-05-28 22:02:40,521",
            "thread_id": "5448",
            "caller": "0x7ff6c28c488d",
            "parentcaller": "0x7ff6c28c375e",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000ab8"
              }
            ],
            "repeated": 0,
            "id": 24012
          },
          {
            "timestamp": "2026-05-28 22:02:40,521",
            "thread_id": "5448",
            "caller": "0x7ff6c28c3779",
            "parentcaller": "0x7ff6c28c31c6",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000ac0"
              }
            ],
            "repeated": 0,
            "id": 24013
          },
          {
            "timestamp": "2026-05-28 22:02:40,521",
            "thread_id": "5448",
            "caller": "0x7ff6c28daa8f",
            "parentcaller": "0x7ff6c28c3815",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x000002ca"
              },
              {
                "name": "SubKey",
                "value": "CLSID\\{C53E07EC-25F3-4093-AA39-FC67EA22E99D}"
              },
              {
                "name": "Handle",
                "value": "0x00000ac2"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{C53E07EC-25F3-4093-AA39-FC67EA22E99D}"
              }
            ],
            "repeated": 0,
            "id": 24014
          },
          {
            "timestamp": "2026-05-28 22:02:40,521",
            "thread_id": "5448",
            "caller": "0x7ff6c28daa8f",
            "parentcaller": "0x7ff6c28c3815",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000ac2"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\CLSID\\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 24015
          },
          {
            "timestamp": "2026-05-28 22:02:40,521",
            "thread_id": "5448",
            "caller": "0x7ff6c28daa8f",
            "parentcaller": "0x7ff6c28c3815",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000ac2"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 24016
          },
          {
            "timestamp": "2026-05-28 22:02:40,521",
            "thread_id": "5448",
            "caller": "0x7ff6c28daa8f",
            "parentcaller": "0x7ff6c28c3815",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\x80\\xb6\\xdf\\x9d\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xfc\\x7f\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\xe9\\x03\\x00\\x00\\xfc\\x7f\\x00\\x00\\xb8\\xcf\\xd93\\xfc\\x7f\\x00\\x00\\xc2\n\\x00\\x00\\x00\\x00\\x00\\x00\\xe0\\xd2\\xd93\\xfc\\x7f\\x00\\x00\\x04\\x00\\x00\\x00\\xf0\\x00\\x00\\x00\\x80\\xb7\\xdf\\x9d\\xf0\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 24017
          },
          {
            "timestamp": "2026-05-28 22:02:40,521",
            "thread_id": "5448",
            "caller": "0x7ff6c28daa8f",
            "parentcaller": "0x7ff6c28c3815",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3968686040-3210279463-847977608-1001_Classes\\CLSID\\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}\\TreatAs"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}\\TreatAs"
              }
            ],
            "repeated": 0,
            "id": 24018
          },
          {
            "timestamp": "2026-05-28 22:02:40,521",
            "thread_id": "5448",
            "caller": "0x7ff6c28daa8f",
            "parentcaller": "0x7ff6c28c3815",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000ac2"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 24019
          },
          {
            "timestamp": "2026-05-28 22:02:40,521",
            "thread_id": "5448",
            "caller": "0x7ff6c28daa8f",
            "parentcaller": "0x7ff6c28c3815",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000ac2"
              },
              {
                "name": "ObjectAttributesName",
                "value": "TreatAs"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}\\TreatAs"
              }
            ],
            "repeated": 0,
            "id": 24020
          },
          {
            "timestamp": "2026-05-28 22:02:40,521",
            "thread_id": "5448",
            "caller": "0x7ff6c28daa8f",
            "parentcaller": "0x7ff6c28c3815",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000ac2"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\CLSID\\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 24021
          },
          {
            "timestamp": "2026-05-28 22:02:40,521",
            "thread_id": "5448",
            "caller": "0x7ff6c28daa8f",
            "parentcaller": "0x7ff6c28c3815",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000ac2"
              },
              {
                "name": "ValueName",
                "value": "ActivateOnHostFlags"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}\\ActivateOnHostFlags"
              }
            ],
            "repeated": 0,
            "id": 24022
          },
          {
            "timestamp": "2026-05-28 22:02:40,521",
            "thread_id": "5448",
            "caller": "0x7ff6c28daa8f",
            "parentcaller": "0x7ff6c28c3815",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000ac2"
              },
              {
                "name": "ValueName",
                "value": ""
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}\\(Default)"
              }
            ],
            "repeated": 0,
            "id": 24023
          },
          {
            "timestamp": "2026-05-28 22:02:40,521",
            "thread_id": "5448",
            "caller": "0x7ff6c28daa8f",
            "parentcaller": "0x7ff6c28c3815",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000ac2"
              },
              {
                "name": "ValueName",
                "value": ""
              },
              {
                "name": "Data",
                "value": "PSFactoryBuffer"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}\\(Default)"
              }
            ],
            "repeated": 0,
            "id": 24024
          },
          {
            "timestamp": "2026-05-28 22:02:40,521",
            "thread_id": "5448",
            "caller": "0x7ff6c28daa8f",
            "parentcaller": "0x7ff6c28c3815",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000ac2"
              },
              {
                "name": "SubKey",
                "value": "InprocServer32"
              },
              {
                "name": "Handle",
                "value": "0x00000aba"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}\\InprocServer32"
              }
            ],
            "repeated": 0,
            "id": 24025
          },
          {
            "timestamp": "2026-05-28 22:02:40,521",
            "thread_id": "5448",
            "caller": "0x7ff6c28daa8f",
            "parentcaller": "0x7ff6c28c3815",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000aba"
              },
              {
                "name": "ValueName",
                "value": "InprocServer32"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}\\InProcServer32\\InprocServer32"
              }
            ],
            "repeated": 0,
            "id": 24026
          },
          {
            "timestamp": "2026-05-28 22:02:40,521",
            "thread_id": "5448",
            "caller": "0x7ff6c28daa8f",
            "parentcaller": "0x7ff6c28c3815",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000aba"
              },
              {
                "name": "ValueName",
                "value": ""
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}\\InProcServer32\\(Default)"
              }
            ],
            "repeated": 0,
            "id": 24027
          },
          {
            "timestamp": "2026-05-28 22:02:40,521",
            "thread_id": "5448",
            "caller": "0x7ff6c28daa8f",
            "parentcaller": "0x7ff6c28c3815",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000aba"
              },
              {
                "name": "ValueName",
                "value": ""
              },
              {
                "name": "Data",
                "value": "C:\\Windows\\System32\\\\Windows.StateRepositoryPS.dll"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}\\InProcServer32\\(Default)"
              }
            ],
            "repeated": 0,
            "id": 24028
          },
          {
            "timestamp": "2026-05-28 22:02:40,521",
            "thread_id": "5448",
            "caller": "0x7ff6c28daa8f",
            "parentcaller": "0x7ff6c28c3815",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000aba"
              },
              {
                "name": "ValueName",
                "value": "ThreadingModel"
              },
              {
                "name": "Data",
                "value": "Both"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}\\InProcServer32\\ThreadingModel"
              }
            ],
            "repeated": 0,
            "id": 24029
          },
          {
            "timestamp": "2026-05-28 22:02:40,521",
            "thread_id": "5448",
            "caller": "0x7ff6c28daa8f",
            "parentcaller": "0x7ff6c28c3815",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000aba"
              }
            ],
            "repeated": 0,
            "id": 24030
          },
          {
            "timestamp": "2026-05-28 22:02:40,521",
            "thread_id": "5448",
            "caller": "0x7ff6c28daa8f",
            "parentcaller": "0x7ff6c28c3815",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000ac2"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\CLSID\\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 24031
          },
          {
            "timestamp": "2026-05-28 22:02:40,521",
            "thread_id": "5448",
            "caller": "0x7ff6c28daa8f",
            "parentcaller": "0x7ff6c28c3815",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000ac2"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 24032
          },
          {
            "timestamp": "2026-05-28 22:02:40,521",
            "thread_id": "5448",
            "caller": "0x7ff6c28daa8f",
            "parentcaller": "0x7ff6c28c3815",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\x10\\xb5\\xdf\\x9d\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xfc\\x7f\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\xe9\\x03\\x00\\x00\\xfc\\x7f\\x00\\x00\\xb8\\xcf\\xd93\\xfc\\x7f\\x00\\x00\\xc2\n\\x00\\x00\\x00\\x00\\x00\\x00\\xe0\\xd2\\xd93\\xfc\\x7f\\x00\\x00\\x04\\x00\\x00\\x00\\xf0\\x00\\x00\\x00\\x10\\xb6\\xdf\\x9d\\xf0\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 24033
          },
          {
            "timestamp": "2026-05-28 22:02:40,521",
            "thread_id": "5448",
            "caller": "0x7ff6c28daa8f",
            "parentcaller": "0x7ff6c28c3815",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3968686040-3210279463-847977608-1001_Classes\\CLSID\\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}\\InprocHandler32"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}\\InprocHandler32"
              }
            ],
            "repeated": 0,
            "id": 24034
          },
          {
            "timestamp": "2026-05-28 22:02:40,521",
            "thread_id": "5448",
            "caller": "0x7ff6c28daa8f",
            "parentcaller": "0x7ff6c28c3815",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000ac2"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 24035
          },
          {
            "timestamp": "2026-05-28 22:02:40,521",
            "thread_id": "5448",
            "caller": "0x7ff6c28daa8f",
            "parentcaller": "0x7ff6c28c3815",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000ac2"
              },
              {
                "name": "ObjectAttributesName",
                "value": "InprocHandler32"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}\\InprocHandler32"
              }
            ],
            "repeated": 0,
            "id": 24036
          },
          {
            "timestamp": "2026-05-28 22:02:40,521",
            "thread_id": "5448",
            "caller": "0x7ff6c28daa8f",
            "parentcaller": "0x7ff6c28c3815",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000ac2"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\CLSID\\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 24037
          },
          {
            "timestamp": "2026-05-28 22:02:40,521",
            "thread_id": "5448",
            "caller": "0x7ff6c28daa8f",
            "parentcaller": "0x7ff6c28c3815",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000ac2"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 24038
          },
          {
            "timestamp": "2026-05-28 22:02:40,521",
            "thread_id": "5448",
            "caller": "0x7ff6c28daa8f",
            "parentcaller": "0x7ff6c28c3815",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\x10\\xb5\\xdf\\x9d\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xfc\\x7f\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\xe9\\x03\\x00\\x00\\xfc\\x7f\\x00\\x00\\xb8\\xcf\\xd93\\xfc\\x7f\\x00\\x00\\xc2\n\\x00\\x00\\x00\\x00\\x00\\x00\\xe0\\xd2\\xd93\\xfc\\x7f\\x00\\x00\\x04\\x00\\x00\\x00\\xf0\\x00\\x00\\x00\\x10\\xb6\\xdf\\x9d\\xf0\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 24039
          },
          {
            "timestamp": "2026-05-28 22:02:40,521",
            "thread_id": "5448",
            "caller": "0x7ff6c28daa8f",
            "parentcaller": "0x7ff6c28c3815",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3968686040-3210279463-847977608-1001_Classes\\CLSID\\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}\\InprocHandler"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}\\InprocHandler"
              }
            ],
            "repeated": 0,
            "id": 24040
          },
          {
            "timestamp": "2026-05-28 22:02:40,521",
            "thread_id": "5448",
            "caller": "0x7ff6c28daa8f",
            "parentcaller": "0x7ff6c28c3815",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000ac2"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 24041
          },
          {
            "timestamp": "2026-05-28 22:02:40,521",
            "thread_id": "5448",
            "caller": "0x7ff6c28daa8f",
            "parentcaller": "0x7ff6c28c3815",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000ac2"
              },
              {
                "name": "ObjectAttributesName",
                "value": "InprocHandler"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}\\InprocHandler"
              }
            ],
            "repeated": 0,
            "id": 24042
          },
          {
            "timestamp": "2026-05-28 22:02:40,521",
            "thread_id": "5448",
            "caller": "0x7ff6c28daa8f",
            "parentcaller": "0x7ff6c28c3815",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000ac2"
              }
            ],
            "repeated": 0,
            "id": 24043
          },
          {
            "timestamp": "2026-05-28 22:02:40,521",
            "thread_id": "2700",
            "caller": "0x7ff6c28d9214",
            "parentcaller": "0x00000000",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "0",
                "pretty_value": "ThreadBasicInformation"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x03\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xd0\\x86\\x9d\\xf0\\x00\\x00\\x00\\xe8\\x1e\\x00\\x00\\x00\\x00\\x00\\x00\\x8c\n\\x00\\x00\\x00\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\n\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "2700"
              }
            ],
            "repeated": 0,
            "id": 24044
          },
          {
            "timestamp": "2026-05-28 22:02:40,521",
            "thread_id": "2700",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000000",
                "pretty_value": "HKEY_CLASSES_ROOT"
              },
              {
                "name": "SubKey",
                "value": "CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_CLASSES_ROOT\\CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              }
            ],
            "repeated": 0,
            "id": 24045
          },
          {
            "timestamp": "2026-05-28 22:02:40,521",
            "thread_id": "2700",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "shell32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76730000"
              }
            ],
            "repeated": 0,
            "id": 24046
          },
          {
            "timestamp": "2026-05-28 22:02:40,521",
            "thread_id": "2700",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x7ffc76730000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "shell32.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 24047
          },
          {
            "timestamp": "2026-05-28 22:02:40,521",
            "thread_id": "2700",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "SHELL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc76730000"
              },
              {
                "name": "FunctionName",
                "value": "DllGetClassObject"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc767878f0"
              }
            ],
            "repeated": 0,
            "id": 24048
          },
          {
            "timestamp": "2026-05-28 22:02:40,521",
            "thread_id": "2700",
            "caller": "0x7ff6c28c27c9",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "synchronization",
            "api": "NtFindAtom",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "AtomName",
                "value": "{57086C23-86C6-478F-AFB2-236188C8F47F} 3"
              },
              {
                "name": "Atom",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 24049
          },
          {
            "timestamp": "2026-05-28 22:02:40,521",
            "thread_id": "2700",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000000",
                "pretty_value": "HKEY_CLASSES_ROOT"
              },
              {
                "name": "SubKey",
                "value": "CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_CLASSES_ROOT\\CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              }
            ],
            "repeated": 0,
            "id": 24050
          },
          {
            "timestamp": "2026-05-28 22:02:40,521",
            "thread_id": "2700",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "shell32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76730000"
              }
            ],
            "repeated": 0,
            "id": 24051
          },
          {
            "timestamp": "2026-05-28 22:02:40,521",
            "thread_id": "2700",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x7ffc76730000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "shell32.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 24052
          },
          {
            "timestamp": "2026-05-28 22:02:40,521",
            "thread_id": "2700",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "SHELL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc76730000"
              },
              {
                "name": "FunctionName",
                "value": "DllGetClassObject"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc767878f0"
              }
            ],
            "repeated": 0,
            "id": 24053
          },
          {
            "timestamp": "2026-05-28 22:02:40,521",
            "thread_id": "2700",
            "caller": "0x7ff6c28c27c9",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "synchronization",
            "api": "NtFindAtom",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "AtomName",
                "value": "{57086C23-86C6-478F-AFB2-236188C8F47F} 3"
              },
              {
                "name": "Atom",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 24054
          },
          {
            "timestamp": "2026-05-28 22:02:40,521",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6fb1",
            "parentcaller": "0x7ff6c28e0076",
            "category": "system",
            "api": "NtDelayExecution",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 24055
          },
          {
            "timestamp": "2026-05-28 22:02:40,521",
            "thread_id": "2700",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000000",
                "pretty_value": "HKEY_CLASSES_ROOT"
              },
              {
                "name": "SubKey",
                "value": "CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_CLASSES_ROOT\\CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              }
            ],
            "repeated": 0,
            "id": 24056
          },
          {
            "timestamp": "2026-05-28 22:02:40,521",
            "thread_id": "2700",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "shell32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76730000"
              }
            ],
            "repeated": 0,
            "id": 24057
          },
          {
            "timestamp": "2026-05-28 22:02:40,521",
            "thread_id": "2700",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x7ffc76730000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "shell32.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 24058
          },
          {
            "timestamp": "2026-05-28 22:02:40,521",
            "thread_id": "2700",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "SHELL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc76730000"
              },
              {
                "name": "FunctionName",
                "value": "DllGetClassObject"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc767878f0"
              }
            ],
            "repeated": 0,
            "id": 24059
          },
          {
            "timestamp": "2026-05-28 22:02:40,521",
            "thread_id": "2700",
            "caller": "0x7ff6c28c27c9",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "synchronization",
            "api": "NtFindAtom",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "AtomName",
                "value": "{57086C23-86C6-478F-AFB2-236188C8F47F} 3"
              },
              {
                "name": "Atom",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 24060
          },
          {
            "timestamp": "2026-05-28 22:02:40,521",
            "thread_id": "2700",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000000",
                "pretty_value": "HKEY_CLASSES_ROOT"
              },
              {
                "name": "SubKey",
                "value": "CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_CLASSES_ROOT\\CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              }
            ],
            "repeated": 0,
            "id": 24061
          },
          {
            "timestamp": "2026-05-28 22:02:40,521",
            "thread_id": "2700",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "shell32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76730000"
              }
            ],
            "repeated": 0,
            "id": 24062
          },
          {
            "timestamp": "2026-05-28 22:02:40,521",
            "thread_id": "2700",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x7ffc76730000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "shell32.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 24063
          },
          {
            "timestamp": "2026-05-28 22:02:40,521",
            "thread_id": "2700",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "SHELL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc76730000"
              },
              {
                "name": "FunctionName",
                "value": "DllGetClassObject"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc767878f0"
              }
            ],
            "repeated": 0,
            "id": 24064
          },
          {
            "timestamp": "2026-05-28 22:02:40,521",
            "thread_id": "2700",
            "caller": "0x7ff6c28c27c9",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "synchronization",
            "api": "NtFindAtom",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "AtomName",
                "value": "{57086C23-86C6-478F-AFB2-236188C8F47F} 3"
              },
              {
                "name": "Atom",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 24065
          },
          {
            "timestamp": "2026-05-28 22:02:40,521",
            "thread_id": "2700",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000000",
                "pretty_value": "HKEY_CLASSES_ROOT"
              },
              {
                "name": "SubKey",
                "value": "CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_CLASSES_ROOT\\CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              }
            ],
            "repeated": 0,
            "id": 24066
          },
          {
            "timestamp": "2026-05-28 22:02:40,521",
            "thread_id": "2700",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "shell32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76730000"
              }
            ],
            "repeated": 0,
            "id": 24067
          },
          {
            "timestamp": "2026-05-28 22:02:40,521",
            "thread_id": "2700",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x7ffc76730000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "shell32.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 24068
          },
          {
            "timestamp": "2026-05-28 22:02:40,521",
            "thread_id": "2700",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "SHELL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc76730000"
              },
              {
                "name": "FunctionName",
                "value": "DllGetClassObject"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc767878f0"
              }
            ],
            "repeated": 0,
            "id": 24069
          },
          {
            "timestamp": "2026-05-28 22:02:40,521",
            "thread_id": "2700",
            "caller": "0x7ff6c28c27c9",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "synchronization",
            "api": "NtFindAtom",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "AtomName",
                "value": "{57086C23-86C6-478F-AFB2-236188C8F47F} 3"
              },
              {
                "name": "Atom",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 24070
          },
          {
            "timestamp": "2026-05-28 22:02:40,521",
            "thread_id": "2700",
            "caller": "0x7ff6c28d9322",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "oleaut32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc77330000"
              }
            ],
            "repeated": 0,
            "id": 24071
          },
          {
            "timestamp": "2026-05-28 22:02:40,521",
            "thread_id": "5448",
            "caller": "0x7ff6c28bb952",
            "parentcaller": "0x7ff6c28be837",
            "category": "windows",
            "api": "PostMessageW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "WindowHandle",
                "value": "0x00010402"
              },
              {
                "name": "Message",
                "value": "0x00000464"
              }
            ],
            "repeated": 0,
            "id": 24072
          },
          {
            "timestamp": "2026-05-28 22:02:40,521",
            "thread_id": "608",
            "caller": "0x7ff6c28d9e90",
            "parentcaller": "0x7ff6c28d9a49",
            "category": "windows",
            "api": "FindWindowW",
            "status": true,
            "return": "0x00010092",
            "arguments": [
              {
                "name": "ClassName",
                "value": "Shell_TrayWnd"
              },
              {
                "name": "WindowName",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 24073
          },
          {
            "timestamp": "2026-05-28 22:02:40,521",
            "thread_id": "2700",
            "caller": "0x7ffc77bf0e98",
            "parentcaller": "0x7ffc77c6b785",
            "category": "windows",
            "api": "PostMessageW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "WindowHandle",
                "value": "0x00010438"
              },
              {
                "name": "Message",
                "value": "0x00000400"
              }
            ],
            "repeated": 0,
            "id": 24074
          },
          {
            "timestamp": "2026-05-28 22:02:40,771",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6fb1",
            "parentcaller": "0x7ff6c28e0076",
            "category": "synchronization",
            "api": "NtOpenEvent",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "Handle",
                "value": "0xf09d76f4c0"
              },
              {
                "name": "EventName",
                "value": "Local\\1ImmersiveFocusTrackingActiveEvent"
              }
            ],
            "repeated": 0,
            "id": 24075
          },
          {
            "timestamp": "2026-05-28 22:02:40,771",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6fb1",
            "parentcaller": "0x7ff6c28e0076",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 0,
            "id": 24076
          },
          {
            "timestamp": "2026-05-28 22:02:40,771",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6fb1",
            "parentcaller": "0x7ff6c28e0076",
            "category": "windows",
            "api": "PostMessageW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "WindowHandle",
                "value": "0x000f03ec"
              },
              {
                "name": "Message",
                "value": "0x00000060"
              }
            ],
            "repeated": 0,
            "id": 24077
          },
          {
            "timestamp": "2026-05-28 22:02:40,787",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6fb1",
            "parentcaller": "0x7ff6c28e0076",
            "category": "system",
            "api": "NtDelayExecution",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 24078
          },
          {
            "timestamp": "2026-05-28 22:02:40,818",
            "thread_id": "1496",
            "caller": "0x7ff6c28f6c41",
            "parentcaller": "0x7ff6c28d6fb1",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 1,
            "id": 24079
          },
          {
            "timestamp": "2026-05-28 22:02:40,818",
            "thread_id": "1496",
            "caller": "0x7ff6c28f6c41",
            "parentcaller": "0x7ff6c28d6fb1",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x0000104e"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 24080
          },
          {
            "timestamp": "2026-05-28 22:02:40,834",
            "thread_id": "1496",
            "caller": "0x7ff6c28f6c41",
            "parentcaller": "0x7ff6c28d6fb1",
            "category": "synchronization",
            "api": "NtOpenEvent",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "Handle",
                "value": "0xf09d76f140"
              },
              {
                "name": "EventName",
                "value": "Local\\1ImmersiveFocusTrackingActiveEvent"
              }
            ],
            "repeated": 0,
            "id": 24081
          },
          {
            "timestamp": "2026-05-28 22:02:40,834",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6fb1",
            "parentcaller": "0x7ff6c28e0076",
            "category": "windows",
            "api": "PostMessageW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "WindowHandle",
                "value": "0x000f03ec"
              },
              {
                "name": "Message",
                "value": "0x00000060"
              }
            ],
            "repeated": 0,
            "id": 24082
          },
          {
            "timestamp": "2026-05-28 22:02:40,834",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6fb1",
            "parentcaller": "0x7ff6c28e0076",
            "category": "system",
            "api": "NtDelayExecution",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 24083
          },
          {
            "timestamp": "2026-05-28 22:02:41,084",
            "thread_id": "8568",
            "caller": "0x7ff6c28c7bc0",
            "parentcaller": "0x7ff6c28c61c3",
            "category": "services",
            "api": "OpenSCManagerW",
            "status": true,
            "return": "0x29254244800",
            "arguments": [
              {
                "name": "MachineName",
                "value": ""
              },
              {
                "name": "DatabaseName",
                "value": ""
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000004",
                "pretty_value": "SC_MANAGER_ENUMERATE_SERVICE"
              }
            ],
            "repeated": 0,
            "id": 24084
          },
          {
            "timestamp": "2026-05-28 22:02:41,084",
            "thread_id": "8568",
            "caller": "0x7ff6c28c7bf7",
            "parentcaller": "0x7ff6c28c61c3",
            "category": "services",
            "api": "OpenServiceW",
            "status": true,
            "return": "0x29254243e10",
            "arguments": [
              {
                "name": "ServiceControlManager",
                "value": "0x29254244800"
              },
              {
                "name": "ServiceName",
                "value": "MicrosoftEdgeElevationService"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000004",
                "pretty_value": "SERVICE_QUERY_STATUS"
              }
            ],
            "repeated": 0,
            "id": 24085
          },
          {
            "timestamp": "2026-05-28 22:02:41,115",
            "thread_id": "8568",
            "caller": "0x7ff6c28c7bc0",
            "parentcaller": "0x7ff6c28c61c3",
            "category": "services",
            "api": "OpenSCManagerW",
            "status": true,
            "return": "0x29254244800",
            "arguments": [
              {
                "name": "MachineName",
                "value": ""
              },
              {
                "name": "DatabaseName",
                "value": ""
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000004",
                "pretty_value": "SC_MANAGER_ENUMERATE_SERVICE"
              }
            ],
            "repeated": 0,
            "id": 24086
          },
          {
            "timestamp": "2026-05-28 22:02:41,115",
            "thread_id": "8568",
            "caller": "0x7ff6c28c7bf7",
            "parentcaller": "0x7ff6c28c61c3",
            "category": "services",
            "api": "OpenServiceW",
            "status": true,
            "return": "0x292542440b0",
            "arguments": [
              {
                "name": "ServiceControlManager",
                "value": "0x29254244800"
              },
              {
                "name": "ServiceName",
                "value": "MicrosoftEdgeElevationService"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000004",
                "pretty_value": "SERVICE_QUERY_STATUS"
              }
            ],
            "repeated": 0,
            "id": 24087
          },
          {
            "timestamp": "2026-05-28 22:02:41,287",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6fb1",
            "parentcaller": "0x7ff6c28e0076",
            "category": "system",
            "api": "NtDelayExecution",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 4,
            "id": 24088
          },
          {
            "timestamp": "2026-05-28 22:02:41,365",
            "thread_id": "1496",
            "caller": "0x7ff6c28da9db",
            "parentcaller": "0x7ff6c28d6fb1",
            "category": "misc",
            "api": "GetCursorPos",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "x",
                "value": "1115"
              },
              {
                "name": "y",
                "value": "598"
              }
            ],
            "repeated": 0,
            "id": 24089
          },
          {
            "timestamp": "2026-05-28 22:02:41,396",
            "thread_id": "1496",
            "caller": "0x7ff6c28da9db",
            "parentcaller": "0x7ff6c28d6fb1",
            "category": "misc",
            "api": "GetCursorPos",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "x",
                "value": "1114"
              },
              {
                "name": "y",
                "value": "597"
              }
            ],
            "repeated": 0,
            "id": 24090
          },
          {
            "timestamp": "2026-05-28 22:02:41,396",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6fb1",
            "parentcaller": "0x7ff6c28e0076",
            "category": "system",
            "api": "NtDelayExecution",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 24091
          },
          {
            "timestamp": "2026-05-28 22:02:41,396",
            "thread_id": "1496",
            "caller": "0x7ff6c28da9db",
            "parentcaller": "0x7ff6c28d6fb1",
            "category": "misc",
            "api": "GetCursorPos",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "x",
                "value": "1109"
              },
              {
                "name": "y",
                "value": "596"
              }
            ],
            "repeated": 0,
            "id": 24092
          },
          {
            "timestamp": "2026-05-28 22:02:41,396",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6fb1",
            "parentcaller": "0x7ff6c28e0076",
            "category": "system",
            "api": "NtDelayExecution",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 24093
          },
          {
            "timestamp": "2026-05-28 22:02:41,428",
            "thread_id": "1496",
            "caller": "0x7ff6c28da9db",
            "parentcaller": "0x7ff6c28d6fb1",
            "category": "misc",
            "api": "GetCursorPos",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "x",
                "value": "1109"
              },
              {
                "name": "y",
                "value": "595"
              }
            ],
            "repeated": 0,
            "id": 24094
          },
          {
            "timestamp": "2026-05-28 22:02:41,428",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6fb1",
            "parentcaller": "0x7ff6c28e0076",
            "category": "system",
            "api": "NtDelayExecution",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 24095
          },
          {
            "timestamp": "2026-05-28 22:02:41,428",
            "thread_id": "1496",
            "caller": "0x7ff6c28da9db",
            "parentcaller": "0x7ff6c28d6fb1",
            "category": "misc",
            "api": "GetCursorPos",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "x",
                "value": "1100"
              },
              {
                "name": "y",
                "value": "588"
              }
            ],
            "repeated": 0,
            "id": 24096
          },
          {
            "timestamp": "2026-05-28 22:02:41,459",
            "thread_id": "1496",
            "caller": "0x7ff6c28da9db",
            "parentcaller": "0x7ff6c28d6fb1",
            "category": "misc",
            "api": "GetCursorPos",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "x",
                "value": "1099"
              },
              {
                "name": "y",
                "value": "586"
              }
            ],
            "repeated": 0,
            "id": 24097
          },
          {
            "timestamp": "2026-05-28 22:02:41,459",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6fb1",
            "parentcaller": "0x7ff6c28e0076",
            "category": "system",
            "api": "NtDelayExecution",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 24098
          },
          {
            "timestamp": "2026-05-28 22:02:41,459",
            "thread_id": "1496",
            "caller": "0x7ff6c28da9db",
            "parentcaller": "0x7ff6c28d6fb1",
            "category": "misc",
            "api": "GetCursorPos",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "x",
                "value": "1093"
              },
              {
                "name": "y",
                "value": "578"
              }
            ],
            "repeated": 0,
            "id": 24099
          },
          {
            "timestamp": "2026-05-28 22:02:41,475",
            "thread_id": "1496",
            "caller": "0x7ff6c28da9db",
            "parentcaller": "0x7ff6c28d6fb1",
            "category": "misc",
            "api": "GetCursorPos",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "x",
                "value": "1092"
              },
              {
                "name": "y",
                "value": "577"
              }
            ],
            "repeated": 0,
            "id": 24100
          },
          {
            "timestamp": "2026-05-28 22:02:41,475",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6fb1",
            "parentcaller": "0x7ff6c28e0076",
            "category": "system",
            "api": "NtDelayExecution",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 24101
          },
          {
            "timestamp": "2026-05-28 22:02:41,475",
            "thread_id": "1496",
            "caller": "0x7ff6c28da9db",
            "parentcaller": "0x7ff6c28d6fb1",
            "category": "misc",
            "api": "GetCursorPos",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "x",
                "value": "1088"
              },
              {
                "name": "y",
                "value": "573"
              }
            ],
            "repeated": 0,
            "id": 24102
          },
          {
            "timestamp": "2026-05-28 22:02:41,475",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6fb1",
            "parentcaller": "0x7ff6c28e0076",
            "category": "system",
            "api": "NtDelayExecution",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 24103
          },
          {
            "timestamp": "2026-05-28 22:02:41,490",
            "thread_id": "2700",
            "caller": "0x7ffc77bf0e98",
            "parentcaller": "0x7ffc77c6b785",
            "category": "windows",
            "api": "PostMessageW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "WindowHandle",
                "value": "0x00010424"
              },
              {
                "name": "Message",
                "value": "0x00000400"
              }
            ],
            "repeated": 0,
            "id": 24104
          },
          {
            "timestamp": "2026-05-28 22:02:41,490",
            "thread_id": "5448",
            "caller": "0x7ff6c28bd9af",
            "parentcaller": "0x7ff6c28d9f92",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "23"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x9c\\xc0\\xc1l\\x00\\x00\\x00\\x00\\x0e@[\\xd9d\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "5448"
              }
            ],
            "repeated": 0,
            "id": 24105
          },
          {
            "timestamp": "2026-05-28 22:02:41,490",
            "thread_id": "8604",
            "caller": "0x7ff6c28c4a58",
            "parentcaller": "0x7ff6c28bab11",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000410"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\PcwDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00224013"
              },
              {
                "name": "InputBuffer",
                "value": "\\x88\\x08\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": "x\\x02\\x00\\x00\\x10\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00h\\x02\\x00\\x00 \\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01<\\x06\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x90\\x00\\x00\\x00\\x00\\x00\\x00\\x00 \\x00\\x00\\x00\\x07\\x00\\x00\\x000\\x00,\\x000\\x00\\x00\\x00a\\x00n\\x00a\\x00g\\x00\\x10\\x00\\x00\\x00\\x10\\x00\\x04\\x00\\x00\\x00\\x00\\x00A\\x00p\\x00\\x10\\x00\\x00\\x00\\x1a\\x00\\x08\\x00C\\xcd#\\xff\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x1b\\x00\\x04\\x00\\q,\\x04S\\x00e\\x00\\x10\\x00\\x00\\x00\\x1c\\x00\\x08\\x00\\x8b\\xc2\\xc4\\x08\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x1d\\x00\\x04\\x00\\q,\\x04)\\x00\\x00\\x00\\x10\\x00\\x00\\x00!\\x00\\x08\\x00ktt\\xbc$\\x00\\x00\\x00\\x10\\x00\\x00\\x00\"\\x00\\x04\\x00t(\\x8d\\x02o\\x00f\\x00\\x90\\x00\\x00\\x00\\x01\\x00\\x00\\x00 \\x00\\x00\\x00\\x07\\x00\\x00\\x000\\x00,\\x001\\x00\\x00\\x00n\\x00t\\x00\\x00\\x00A\\x00\\x10\\x00\\x00\\x00\\x10\\x00\\x04\\x00\\x00\\x00\\x00\\x00e\\x00n\\x00\\x10\\x00\\x00\\x00\\x1a\\x00\\x08\\x00A\\xf4\\x8f\\x04\\x01\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 24106
          },
          {
            "timestamp": "2026-05-28 22:02:41,490",
            "thread_id": "8604",
            "caller": "0x7ff6c28c7164",
            "parentcaller": "0x7ff6c28c4d2d",
            "category": "misc",
            "api": "NtQuerySystemInformation",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "SystemInformationClass",
                "value": "79"
              }
            ],
            "repeated": 0,
            "id": 24107
          },
          {
            "timestamp": "2026-05-28 22:02:41,490",
            "thread_id": "8604",
            "caller": "0x7ff6c28c71d8",
            "parentcaller": "0x7ff6c28c4d2d",
            "category": "misc",
            "api": "NtQuerySystemInformation",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SystemInformationClass",
                "value": "79"
              }
            ],
            "repeated": 0,
            "id": 24108
          },
          {
            "timestamp": "2026-05-28 22:02:41,490",
            "thread_id": "8604",
            "caller": "0x7ff6c28c4d5f",
            "parentcaller": "0x7ff6c28d9152",
            "category": "misc",
            "api": "NtQuerySystemInformation",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SystemInformationClass",
                "value": "182"
              }
            ],
            "repeated": 0,
            "id": 24109
          },
          {
            "timestamp": "2026-05-28 22:02:41,490",
            "thread_id": "8604",
            "caller": "0x7ff6c28c4d76",
            "parentcaller": "0x7ff6c28d9152",
            "category": "misc",
            "api": "GetPhysicallyInstalledSystemMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TotalMemoryInKilobytes",
                "value": "8388608"
              }
            ],
            "repeated": 0,
            "id": 24110
          },
          {
            "timestamp": "2026-05-28 22:02:41,490",
            "thread_id": "8604",
            "caller": "0x7ff6c28bcc3e",
            "parentcaller": "0x7ff6c28baa3d",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000008a4"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\Nsi"
              },
              {
                "name": "IoControlCode",
                "value": "0x00120007"
              },
              {
                "name": "InputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb1\\xa9t\\xfc\\x7f\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xc0\\xe5O\\x9e\\xf0\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb1\\xa9t\\xfc\\x7f\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xc0\\xe5O\\x9e\\xf0\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 24111
          },
          {
            "timestamp": "2026-05-28 22:02:41,490",
            "thread_id": "8604",
            "caller": "0x7ff6c28bcc3e",
            "parentcaller": "0x7ff6c28baa3d",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000ab4"
              }
            ],
            "repeated": 0,
            "id": 24112
          },
          {
            "timestamp": "2026-05-28 22:02:41,490",
            "thread_id": "8604",
            "caller": "0x7ff6c28bcc3e",
            "parentcaller": "0x7ff6c28baa3d",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000008a4"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\Nsi"
              },
              {
                "name": "IoControlCode",
                "value": "0x0012000f"
              },
              {
                "name": "InputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb1\\xa9t\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xd0\\xe5O\\x9e\\xf0\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\xeeO\\x9e\\xf0\\x00\\x00\\x00D\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xe6O\\x9e\\xf0\\x00\\x00\\x00\\xd8\\x00\\x00\\x00\\x00\\x00\\x00\\x00 \\xe9O\\x9e\\xf0\\x00\\x00\\x00X\\x02\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb1\\xa9t\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xd0\\xe5O\\x9e\\xf0\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\xeeO\\x9e\\xf0\\x00\\x00\\x00D\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xe6O\\x9e\\xf0\\x00\\x00\\x00\\xd8\\x00\\x00\\x00\\x00\\x00\\x00\\x00 \\xe9O\\x9e\\xf0\\x00\\x00\\x00X\\x02\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 24113
          },
          {
            "timestamp": "2026-05-28 22:02:41,490",
            "thread_id": "8604",
            "caller": "0x7ff6c28bcc3e",
            "parentcaller": "0x7ff6c28baa3d",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000ab4"
              }
            ],
            "repeated": 0,
            "id": 24114
          },
          {
            "timestamp": "2026-05-28 22:02:41,490",
            "thread_id": "8604",
            "caller": "0x7ff6c28bcd3d",
            "parentcaller": "0x7ff6c28baa3d",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000ab4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0012019f",
                "pretty_value": "FILE_GENERIC_READ|FILE_GENERIC_WRITE"
              },
              {
                "name": "FileName",
                "value": "\\Device\\{4C572733-2FBA-4346-9601-F86DBA666EF2}"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 24115
          },
          {
            "timestamp": "2026-05-28 22:02:41,490",
            "thread_id": "8604",
            "caller": "0x7ff6c28bcd94",
            "parentcaller": "0x7ff6c28baa3d",
            "category": "device",
            "api": "DeviceIoControl",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "DeviceHandle",
                "value": "0x00000ab4"
              },
              {
                "name": "IoControlCode",
                "value": "0x0017003e"
              },
              {
                "name": "InBuffer",
                "value": "\\x07\\x01\\x01\\x00\\x04\\x01\\x01\\x80\\x14\\x01\\x01\\x80\\x01\\x01\\x02\\x00\\x02\\x01\\x02\\x00\\x03\\x01\\x02\\x00\\x04\\x01\\x02\\x00\\x08\\x02\\x02\\x80\\x01\\x02\\x02\\x80\\x07\\x02\\x02\\x80\\xff\\xff\\xff\\x80\\x13\\x02\\x02\\x80\\x14\\x02\\x02\\x80\\x15\\x02\\x02\\x80\\x02\\x02\\x01\\x80"
              },
              {
                "name": "OutBuffer",
                "value": "\\x07\\x01\\x01\\x00\\x04\\x00\\x00\\x00\\x80\\x96\\x98\\x00\\x04\\x01\\x01\\x80\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x14\\x01\\x01\\x80\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x01\\x02\\x00\\x08\\x00\\x00\\x00\\xdb\\x16\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x01\\x02\\x00\\x08\\x00\\x00\\x00\\xecq\\x00\\x00\\x00\\x00\\x00\\x00\\x03\\x01\\x02\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x04\\x01\\x02\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x08\\x02\\x02\\x80\\x08\\x00\\x00\\x00\\xe7q\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x02\\x02\\x80\\x08\\x00\\x00\\x00\\xe4!_\\x00\\x00\\x00\\x00\\x00\\x07\\x02\\x02\\x80\\x08\\x00\\x00\\x00Y\\x83A\\x02\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\x80\\x04\\x00\\x00\\x00k\\x00\\x00\\x00\\x13\\x02\\x02\\x80\\x04\\x00\\x00\\x00m\\x00\\x00\\x00\\x14\\x02\\x02\\x80\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x15\\x02\\x02\\x80\\x04\\x00\\x00\\x00\\x00\\x00\\x04\\x00\\x02\\x02\\x01\\x80\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 24116
          },
          {
            "timestamp": "2026-05-28 22:02:41,490",
            "thread_id": "8604",
            "caller": "0x7ff6c28bcdab",
            "parentcaller": "0x7ff6c28baa3d",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000ab4"
              }
            ],
            "repeated": 0,
            "id": 24117
          },
          {
            "timestamp": "2026-05-28 22:02:41,490",
            "thread_id": "8604",
            "caller": "0x7ff6c28c1a63",
            "parentcaller": "0x7ff6c28d9152",
            "category": "device",
            "api": "DeviceIoControl",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "DeviceHandle",
                "value": "0x0000089c"
              },
              {
                "name": "IoControlCode",
                "value": "0x00070020"
              },
              {
                "name": "InBuffer",
                "value": ""
              },
              {
                "name": "OutBuffer",
                "value": "\\x00\\xb6\\xb5x\\x00\\x00\\x00\\x00\\x00\\x88s\\x0c\\x00\\x00\\x00\\x00I\\x07\\xbe \\x00\\x00\\x00\\x00\\x16\\x12\\x03\\x16\\x00\\x00\\x00\\x00\\xa0R\\x19.\\x00\\x00\\x00\\x00\\x03w\\x00\\x00\\xa6\\x11\\x00\\x00\\x03\\x00\\x00\\x00\\xee\\x04\\x00\\x00U\\xbe\\\\xb4\\xed\\xee\\xdc\\x01\\x00\\x00\\x00\\x00P\\x00a\\x00r\\x00t\\x00m\\x00g\\x00r\\x00 \\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 24118
          },
          {
            "timestamp": "2026-05-28 22:02:41,490",
            "thread_id": "8604",
            "caller": "0x7ff6c28ca352",
            "parentcaller": "0x7ff6c28ca1d6",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 24119
          },
          {
            "timestamp": "2026-05-28 22:02:41,490",
            "thread_id": "8604",
            "caller": "0x7ff6c28ca352",
            "parentcaller": "0x7ff6c28ca1d6",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "0",
                "pretty_value": "ThreadBasicInformation"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x03\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb0\\x88\\x9d\\xf0\\x00\\x00\\x00\\xe8\\x1e\\x00\\x00\\x00\\x00\\x00\\x00\\x9c!\\x00\\x00\\x00\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x0b\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "8604"
              }
            ],
            "repeated": 0,
            "id": 24120
          },
          {
            "timestamp": "2026-05-28 22:02:41,490",
            "thread_id": "8604",
            "caller": "0x7ff6c28ca352",
            "parentcaller": "0x7ff6c28ca1d6",
            "category": "system",
            "api": "GetSystemTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 1,
            "id": 24121
          },
          {
            "timestamp": "2026-05-28 22:02:41,490",
            "thread_id": "8604",
            "caller": "0x7ff6c28ca352",
            "parentcaller": "0x7ff6c28ca1d6",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000410"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\PcwDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00224013"
              },
              {
                "name": "InputBuffer",
                "value": "\\x00\t\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": "\\xe0G\\x00\\x00\\x10\\x00\\x00\\x00\\x0c\\x00\\x00\\x00\\x00\\x00\\x00\\x00`\\x14\\x00\\x00 \\x00\\x00\\x00!\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\n\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x98\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x88\\x00\\x00\\x00\\x01\\x00\\x00\\x00p\\x00i\\x00d\\x00_\\x004\\x00_\\x00l\\x00u\\x00i\\x00d\\x00_\\x000\\x00x\\x000\\x000\\x000\\x000\\x000\\x000\\x000\\x000\\x00_\\x000\\x00x\\x000\\x000\\x000\\x000\\x006\\x001\\x006\\x00A\\x00_\\x00p\\x00h\\x00y\\x00s\\x00_\\x000\\x00_\\x00e\\x00n\\x00g\\x00_\\x000\\x00_\\x00e\\x00n\\x00g\\x00t\\x00y\\x00p\\x00e\\x00_\\x003\\x00D\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x01\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x98\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x88\\x00\\x00\\x00\\x01\\x00\\x00\\x00p\\x00i\\x00d\\x00_\\x004\\x00_\\x00l\\x00u\\x00i\\x00d\\x00_\\x000\\x00x\\x000\\x000\\x000\\x000\\x000\\x000\\x000\\x00"
              }
            ],
            "repeated": 0,
            "id": 24122
          },
          {
            "timestamp": "2026-05-28 22:02:41,490",
            "thread_id": "5448",
            "caller": "0x7ff6c28c63dd",
            "parentcaller": "0x7ff6c28bac26",
            "category": "misc",
            "api": "NtQuerySystemInformation",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SystemInformationClass",
                "value": "5",
                "pretty_value": "FILE_OVERWRITE_IF"
              }
            ],
            "repeated": 0,
            "id": 24123
          },
          {
            "timestamp": "2026-05-28 22:02:41,490",
            "thread_id": "5448",
            "caller": "0x7ff6c28bda50",
            "parentcaller": "0x7ff6c28d9f92",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "23"
              },
              {
                "name": "ThreadInformation",
                "value": "\\xf2(\\x01m\\x00\\x00\\x00\\x00\\xa2\\xfd\\x9a\\xd9d\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "5448"
              }
            ],
            "repeated": 0,
            "id": 24124
          },
          {
            "timestamp": "2026-05-28 22:02:41,490",
            "thread_id": "5448",
            "caller": "0x7ff6c28bdaa2",
            "parentcaller": "0x7ff6c28d9f92",
            "category": "misc",
            "api": "NtQuerySystemInformation",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SystemInformationClass",
                "value": "3",
                "pretty_value": "FILE_OPEN_IF"
              }
            ],
            "repeated": 0,
            "id": 24125
          },
          {
            "timestamp": "2026-05-28 22:02:41,490",
            "thread_id": "8604",
            "caller": "0x7ff6c28f9829",
            "parentcaller": "0x7ff6c28d8f00",
            "category": "windows",
            "api": "PostMessageW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "WindowHandle",
                "value": "0x000203fa"
              },
              {
                "name": "Message",
                "value": "0x000004e1"
              }
            ],
            "repeated": 0,
            "id": 24126
          },
          {
            "timestamp": "2026-05-28 22:02:41,490",
            "thread_id": "5448",
            "caller": "0x7ff6c28c4a58",
            "parentcaller": "0x7ff6c28c4bdc",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000410"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\PcwDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00224013"
              },
              {
                "name": "InputBuffer",
                "value": "\\x14\\x04\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": "\\xb8\\x01\\x00\\x00\\x10\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xa8\\x01\\x00\\x00 \\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x000\\x00\\x00\\x0c\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00`\\x00\\x00\\x00\\x00\\x00\\x00\\x00 \\x00\\x00\\x00\\x04\\x00\\x00\\x000\\x00,\\x000\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x04\\x00\\x08\\x00V!\\x83\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x05\\x00\\x08\\x00\\xa2\\x89\\xaf\\x01\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x1a\\x00\\x08\\x00\\x18\\xe2$\\xff\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x1b\\x00\\x04\\x00!t,\\x04\\x00\\x00\\x00\\x00`\\x00\\x00\\x00\\x01\\x00\\x00\\x00 \\x00\\x00\\x00\\x04\\x00\\x00\\x000\\x00,\\x001\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x04\\x00\\x08\\x00\\xaey^\\x01\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x05\\x00\\x08\\x00T\\xea*\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x1a\\x00\\x08\\x00\\xc5\\x08\\x91\\x04\\x01\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x1b\\x00\\x04\\x00$t,\\x04\\x00\\x00\\x00\\x00h\\x00\\x00\\x00\\x02\\x00\\x00\\x00(\\x00\\x00\\x00\\x04\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 24127
          },
          {
            "timestamp": "2026-05-28 22:02:41,490",
            "thread_id": "1496",
            "caller": "0x7ff6c2958576",
            "parentcaller": "0x7ff6c2957a42",
            "category": "misc",
            "api": "NtQuerySystemInformation",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SystemInformationClass",
                "value": "3",
                "pretty_value": "FILE_OPEN_IF"
              }
            ],
            "repeated": 0,
            "id": 24128
          },
          {
            "timestamp": "2026-05-28 22:02:41,490",
            "thread_id": "5448",
            "caller": "0x7ff6c28c4a58",
            "parentcaller": "0x7ff6c28c4c19",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000410"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\PcwDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00224013"
              },
              {
                "name": "InputBuffer",
                "value": "\\x18\\x04\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": "x\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00h\\x00\\x00\\x00 \\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00H\\x00\\x00\\x00\\x00\\x00\\x00\\x00(\\x00\\x00\\x00\\x02\\x00\\x00\\x00d\\x00e\\x00f\\x00a\\x00u\\x00l\\x00t\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x08\\x00\\x1b\\x80\\x9b\\xa3\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x01\\x00\\x08\\x00\\x00\\xbeQ\\x0e\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 24129
          },
          {
            "timestamp": "2026-05-28 22:02:41,490",
            "thread_id": "5448",
            "caller": "0x7ff6c28c6f7b",
            "parentcaller": "0x7ff6c28bdb94",
            "category": "misc",
            "api": "GlobalMemoryStatusEx",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "MemoryLoad",
                "value": "35"
              },
              {
                "name": "TotalPhysicalMB",
                "value": "8191"
              }
            ],
            "repeated": 0,
            "id": 24130
          },
          {
            "timestamp": "2026-05-28 22:02:41,490",
            "thread_id": "5448",
            "caller": "0x7ff6c28c05ac",
            "parentcaller": "0x7ff6c28bdc11",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000ac8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001400",
                "pretty_value": "PROCESS_QUERY_INFORMATION|PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "748"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\148.0.3967.83\\identity_helper.exe"
              }
            ],
            "repeated": 0,
            "id": 24131
          },
          {
            "timestamp": "2026-05-28 22:02:41,490",
            "thread_id": "5448",
            "caller": "0x7ff6c28c068f",
            "parentcaller": "0x7ff6c28bdc11",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000ac8"
              }
            ],
            "repeated": 0,
            "id": 24132
          },
          {
            "timestamp": "2026-05-28 22:02:41,490",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c6d7d",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000ac8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001400",
                "pretty_value": "PROCESS_QUERY_INFORMATION|PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "748"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\148.0.3967.83\\identity_helper.exe"
              }
            ],
            "repeated": 0,
            "id": 24133
          },
          {
            "timestamp": "2026-05-28 22:02:41,490",
            "thread_id": "5448",
            "caller": "0x7ff6c28c6de3",
            "parentcaller": "0x7ff6c28c087c",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000ac8"
              }
            ],
            "repeated": 0,
            "id": 24134
          },
          {
            "timestamp": "2026-05-28 22:02:41,490",
            "thread_id": "2700",
            "caller": "0x7ff6c28d9214",
            "parentcaller": "0x00000000",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "0",
                "pretty_value": "ThreadBasicInformation"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x03\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xd0\\x86\\x9d\\xf0\\x00\\x00\\x00\\xe8\\x1e\\x00\\x00\\x00\\x00\\x00\\x00\\x8c\n\\x00\\x00\\x00\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\n\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "2700"
              }
            ],
            "repeated": 0,
            "id": 24135
          },
          {
            "timestamp": "2026-05-28 22:02:41,490",
            "thread_id": "2700",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000000",
                "pretty_value": "HKEY_CLASSES_ROOT"
              },
              {
                "name": "SubKey",
                "value": "CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_CLASSES_ROOT\\CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              }
            ],
            "repeated": 0,
            "id": 24136
          },
          {
            "timestamp": "2026-05-28 22:02:41,490",
            "thread_id": "2700",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "shell32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76730000"
              }
            ],
            "repeated": 0,
            "id": 24137
          },
          {
            "timestamp": "2026-05-28 22:02:41,490",
            "thread_id": "2700",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x7ffc76730000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "shell32.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 24138
          },
          {
            "timestamp": "2026-05-28 22:02:41,490",
            "thread_id": "2700",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "SHELL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc76730000"
              },
              {
                "name": "FunctionName",
                "value": "DllGetClassObject"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc767878f0"
              }
            ],
            "repeated": 0,
            "id": 24139
          },
          {
            "timestamp": "2026-05-28 22:02:41,490",
            "thread_id": "2700",
            "caller": "0x7ff6c28c27c9",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "synchronization",
            "api": "NtFindAtom",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "AtomName",
                "value": "{57086C23-86C6-478F-AFB2-236188C8F47F} 3"
              },
              {
                "name": "Atom",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 24140
          },
          {
            "timestamp": "2026-05-28 22:02:41,490",
            "thread_id": "2700",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000000",
                "pretty_value": "HKEY_CLASSES_ROOT"
              },
              {
                "name": "SubKey",
                "value": "CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_CLASSES_ROOT\\CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              }
            ],
            "repeated": 0,
            "id": 24141
          },
          {
            "timestamp": "2026-05-28 22:02:41,490",
            "thread_id": "2700",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "shell32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76730000"
              }
            ],
            "repeated": 0,
            "id": 24142
          },
          {
            "timestamp": "2026-05-28 22:02:41,490",
            "thread_id": "2700",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x7ffc76730000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "shell32.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 24143
          },
          {
            "timestamp": "2026-05-28 22:02:41,490",
            "thread_id": "2700",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "SHELL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc76730000"
              },
              {
                "name": "FunctionName",
                "value": "DllGetClassObject"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc767878f0"
              }
            ],
            "repeated": 0,
            "id": 24144
          },
          {
            "timestamp": "2026-05-28 22:02:41,490",
            "thread_id": "2700",
            "caller": "0x7ff6c28c27c9",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "synchronization",
            "api": "NtFindAtom",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "AtomName",
                "value": "{57086C23-86C6-478F-AFB2-236188C8F47F} 3"
              },
              {
                "name": "Atom",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 24145
          },
          {
            "timestamp": "2026-05-28 22:02:41,490",
            "thread_id": "2700",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000000",
                "pretty_value": "HKEY_CLASSES_ROOT"
              },
              {
                "name": "SubKey",
                "value": "CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_CLASSES_ROOT\\CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              }
            ],
            "repeated": 0,
            "id": 24146
          },
          {
            "timestamp": "2026-05-28 22:02:41,490",
            "thread_id": "2700",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "shell32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76730000"
              }
            ],
            "repeated": 0,
            "id": 24147
          },
          {
            "timestamp": "2026-05-28 22:02:41,490",
            "thread_id": "2700",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x7ffc76730000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "shell32.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 24148
          },
          {
            "timestamp": "2026-05-28 22:02:41,490",
            "thread_id": "2700",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "SHELL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc76730000"
              },
              {
                "name": "FunctionName",
                "value": "DllGetClassObject"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc767878f0"
              }
            ],
            "repeated": 0,
            "id": 24149
          },
          {
            "timestamp": "2026-05-28 22:02:41,490",
            "thread_id": "2700",
            "caller": "0x7ff6c28c27c9",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "synchronization",
            "api": "NtFindAtom",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "AtomName",
                "value": "{57086C23-86C6-478F-AFB2-236188C8F47F} 3"
              },
              {
                "name": "Atom",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 24150
          },
          {
            "timestamp": "2026-05-28 22:02:41,490",
            "thread_id": "2700",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000000",
                "pretty_value": "HKEY_CLASSES_ROOT"
              },
              {
                "name": "SubKey",
                "value": "CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_CLASSES_ROOT\\CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              }
            ],
            "repeated": 0,
            "id": 24151
          },
          {
            "timestamp": "2026-05-28 22:02:41,490",
            "thread_id": "2700",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "shell32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76730000"
              }
            ],
            "repeated": 0,
            "id": 24152
          },
          {
            "timestamp": "2026-05-28 22:02:41,490",
            "thread_id": "2700",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x7ffc76730000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "shell32.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 24153
          },
          {
            "timestamp": "2026-05-28 22:02:41,490",
            "thread_id": "2700",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "SHELL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc76730000"
              },
              {
                "name": "FunctionName",
                "value": "DllGetClassObject"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc767878f0"
              }
            ],
            "repeated": 0,
            "id": 24154
          },
          {
            "timestamp": "2026-05-28 22:02:41,490",
            "thread_id": "2700",
            "caller": "0x7ff6c28c27c9",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "synchronization",
            "api": "NtFindAtom",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "AtomName",
                "value": "{57086C23-86C6-478F-AFB2-236188C8F47F} 3"
              },
              {
                "name": "Atom",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 24155
          },
          {
            "timestamp": "2026-05-28 22:02:41,506",
            "thread_id": "2700",
            "caller": "0x7ff6c28d9322",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "oleaut32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc77330000"
              }
            ],
            "repeated": 0,
            "id": 24156
          },
          {
            "timestamp": "2026-05-28 22:02:41,506",
            "thread_id": "5448",
            "caller": "0x7ff6c28bb952",
            "parentcaller": "0x7ff6c28be837",
            "category": "windows",
            "api": "PostMessageW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "WindowHandle",
                "value": "0x00010402"
              },
              {
                "name": "Message",
                "value": "0x00000464"
              }
            ],
            "repeated": 0,
            "id": 24157
          },
          {
            "timestamp": "2026-05-28 22:02:41,506",
            "thread_id": "608",
            "caller": "0x7ff6c28d9e90",
            "parentcaller": "0x7ff6c28d9a49",
            "category": "windows",
            "api": "FindWindowW",
            "status": true,
            "return": "0x00010092",
            "arguments": [
              {
                "name": "ClassName",
                "value": "Shell_TrayWnd"
              },
              {
                "name": "WindowName",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 24158
          },
          {
            "timestamp": "2026-05-28 22:02:41,506",
            "thread_id": "2700",
            "caller": "0x7ffc77bf0e98",
            "parentcaller": "0x7ffc77c6b785",
            "category": "windows",
            "api": "PostMessageW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "WindowHandle",
                "value": "0x00010438"
              },
              {
                "name": "Message",
                "value": "0x00000400"
              }
            ],
            "repeated": 0,
            "id": 24159
          },
          {
            "timestamp": "2026-05-28 22:02:41,506",
            "thread_id": "1496",
            "caller": "0x7ff6c28da9db",
            "parentcaller": "0x7ff6c28d6fb1",
            "category": "misc",
            "api": "GetCursorPos",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "x",
                "value": "1087"
              },
              {
                "name": "y",
                "value": "573"
              }
            ],
            "repeated": 0,
            "id": 24160
          },
          {
            "timestamp": "2026-05-28 22:02:41,506",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6fb1",
            "parentcaller": "0x7ff6c28e0076",
            "category": "system",
            "api": "NtDelayExecution",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 24161
          },
          {
            "timestamp": "2026-05-28 22:02:41,506",
            "thread_id": "1496",
            "caller": "0x7ff6c28da9db",
            "parentcaller": "0x7ff6c28d6fb1",
            "category": "misc",
            "api": "GetCursorPos",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "x",
                "value": "1084"
              },
              {
                "name": "y",
                "value": "570"
              }
            ],
            "repeated": 0,
            "id": 24162
          },
          {
            "timestamp": "2026-05-28 22:02:41,506",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6fb1",
            "parentcaller": "0x7ff6c28e0076",
            "category": "system",
            "api": "NtDelayExecution",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 24163
          },
          {
            "timestamp": "2026-05-28 22:02:41,537",
            "thread_id": "1496",
            "caller": "0x7ff6c28da9db",
            "parentcaller": "0x7ff6c28d6fb1",
            "category": "misc",
            "api": "GetCursorPos",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "x",
                "value": "1079"
              },
              {
                "name": "y",
                "value": "564"
              }
            ],
            "repeated": 1,
            "id": 24164
          },
          {
            "timestamp": "2026-05-28 22:02:41,537",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6fb1",
            "parentcaller": "0x7ff6c28e0076",
            "category": "system",
            "api": "NtDelayExecution",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 24165
          },
          {
            "timestamp": "2026-05-28 22:02:41,568",
            "thread_id": "1496",
            "caller": "0x7ff6c28da9db",
            "parentcaller": "0x7ff6c28d6fb1",
            "category": "misc",
            "api": "GetCursorPos",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "x",
                "value": "1078"
              },
              {
                "name": "y",
                "value": "564"
              }
            ],
            "repeated": 0,
            "id": 24166
          },
          {
            "timestamp": "2026-05-28 22:02:41,568",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6fb1",
            "parentcaller": "0x7ff6c28e0076",
            "category": "system",
            "api": "NtDelayExecution",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 24167
          },
          {
            "timestamp": "2026-05-28 22:02:41,568",
            "thread_id": "1496",
            "caller": "0x7ff6c28da9db",
            "parentcaller": "0x7ff6c28d6fb1",
            "category": "misc",
            "api": "GetCursorPos",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "x",
                "value": "1063"
              },
              {
                "name": "y",
                "value": "555"
              }
            ],
            "repeated": 0,
            "id": 24168
          },
          {
            "timestamp": "2026-05-28 22:02:41,584",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6fb1",
            "parentcaller": "0x7ff6c28e0076",
            "category": "system",
            "api": "NtDelayExecution",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 24169
          },
          {
            "timestamp": "2026-05-28 22:02:41,584",
            "thread_id": "1496",
            "caller": "0x7ff6c28da9db",
            "parentcaller": "0x7ff6c28d6fb1",
            "category": "misc",
            "api": "GetCursorPos",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "x",
                "value": "1060"
              },
              {
                "name": "y",
                "value": "552"
              }
            ],
            "repeated": 0,
            "id": 24170
          },
          {
            "timestamp": "2026-05-28 22:02:41,584",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6fb1",
            "parentcaller": "0x7ff6c28e0076",
            "category": "system",
            "api": "NtDelayExecution",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 24171
          },
          {
            "timestamp": "2026-05-28 22:02:41,615",
            "thread_id": "1496",
            "caller": "0x7ff6c28da9db",
            "parentcaller": "0x7ff6c28d6fb1",
            "category": "misc",
            "api": "GetCursorPos",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "x",
                "value": "1057"
              },
              {
                "name": "y",
                "value": "549"
              }
            ],
            "repeated": 0,
            "id": 24172
          },
          {
            "timestamp": "2026-05-28 22:02:41,615",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6fb1",
            "parentcaller": "0x7ff6c28e0076",
            "category": "system",
            "api": "NtDelayExecution",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 24173
          },
          {
            "timestamp": "2026-05-28 22:02:41,615",
            "thread_id": "1496",
            "caller": "0x7ff6c28da9db",
            "parentcaller": "0x7ff6c28d6fb1",
            "category": "misc",
            "api": "GetCursorPos",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "x",
                "value": "1049"
              },
              {
                "name": "y",
                "value": "539"
              }
            ],
            "repeated": 0,
            "id": 24174
          },
          {
            "timestamp": "2026-05-28 22:02:41,615",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6fb1",
            "parentcaller": "0x7ff6c28e0076",
            "category": "system",
            "api": "NtDelayExecution",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 24175
          },
          {
            "timestamp": "2026-05-28 22:02:41,834",
            "thread_id": "1496",
            "caller": "0x7ff6c28da9db",
            "parentcaller": "0x7ff6c28d6fb1",
            "category": "misc",
            "api": "GetCursorPos",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "x",
                "value": "1047"
              },
              {
                "name": "y",
                "value": "538"
              }
            ],
            "repeated": 0,
            "id": 24176
          },
          {
            "timestamp": "2026-05-28 22:02:41,834",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6fb1",
            "parentcaller": "0x7ff6c28e0076",
            "category": "system",
            "api": "NtDelayExecution",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 24177
          },
          {
            "timestamp": "2026-05-28 22:02:41,850",
            "thread_id": "1496",
            "caller": "0x7ff6c28da9db",
            "parentcaller": "0x7ff6c28d6fb1",
            "category": "misc",
            "api": "GetCursorPos",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "x",
                "value": "1045"
              },
              {
                "name": "y",
                "value": "536"
              }
            ],
            "repeated": 0,
            "id": 24178
          },
          {
            "timestamp": "2026-05-28 22:02:41,850",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6fb1",
            "parentcaller": "0x7ff6c28e0076",
            "category": "system",
            "api": "NtDelayExecution",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 24179
          },
          {
            "timestamp": "2026-05-28 22:02:41,850",
            "thread_id": "1496",
            "caller": "0x7ff6c28da9db",
            "parentcaller": "0x7ff6c28d6fb1",
            "category": "misc",
            "api": "GetCursorPos",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "x",
                "value": "1037"
              },
              {
                "name": "y",
                "value": "533"
              }
            ],
            "repeated": 0,
            "id": 24180
          },
          {
            "timestamp": "2026-05-28 22:02:41,850",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6fb1",
            "parentcaller": "0x7ff6c28e0076",
            "category": "system",
            "api": "NtDelayExecution",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 24181
          },
          {
            "timestamp": "2026-05-28 22:02:41,850",
            "thread_id": "1496",
            "caller": "0x7ff6c28da9db",
            "parentcaller": "0x7ff6c28d6fb1",
            "category": "misc",
            "api": "GetCursorPos",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "x",
                "value": "1034"
              },
              {
                "name": "y",
                "value": "530"
              }
            ],
            "repeated": 0,
            "id": 24182
          },
          {
            "timestamp": "2026-05-28 22:02:41,850",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6fb1",
            "parentcaller": "0x7ff6c28e0076",
            "category": "system",
            "api": "NtDelayExecution",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 24183
          },
          {
            "timestamp": "2026-05-28 22:02:41,850",
            "thread_id": "1496",
            "caller": "0x7ff6c28da9db",
            "parentcaller": "0x7ff6c28d6fb1",
            "category": "misc",
            "api": "GetCursorPos",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "x",
                "value": "1028"
              },
              {
                "name": "y",
                "value": "528"
              }
            ],
            "repeated": 0,
            "id": 24184
          },
          {
            "timestamp": "2026-05-28 22:02:41,850",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6fb1",
            "parentcaller": "0x7ff6c28e0076",
            "category": "system",
            "api": "NtDelayExecution",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 24185
          },
          {
            "timestamp": "2026-05-28 22:02:41,865",
            "thread_id": "1496",
            "caller": "0x7ff6c28da9db",
            "parentcaller": "0x7ff6c28d6fb1",
            "category": "misc",
            "api": "GetCursorPos",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "x",
                "value": "1021"
              },
              {
                "name": "y",
                "value": "525"
              }
            ],
            "repeated": 0,
            "id": 24186
          },
          {
            "timestamp": "2026-05-28 22:02:41,865",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6fb1",
            "parentcaller": "0x7ff6c28e0076",
            "category": "system",
            "api": "NtDelayExecution",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 24187
          },
          {
            "timestamp": "2026-05-28 22:02:41,865",
            "thread_id": "1496",
            "caller": "0x7ff6c28da9db",
            "parentcaller": "0x7ff6c28d6fb1",
            "category": "misc",
            "api": "GetCursorPos",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "x",
                "value": "1018"
              },
              {
                "name": "y",
                "value": "523"
              }
            ],
            "repeated": 0,
            "id": 24188
          },
          {
            "timestamp": "2026-05-28 22:02:41,865",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6fb1",
            "parentcaller": "0x7ff6c28e0076",
            "category": "system",
            "api": "NtDelayExecution",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 24189
          },
          {
            "timestamp": "2026-05-28 22:02:41,865",
            "thread_id": "1496",
            "caller": "0x7ff6c28da9db",
            "parentcaller": "0x7ff6c28d6fb1",
            "category": "misc",
            "api": "GetCursorPos",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "x",
                "value": "1017"
              },
              {
                "name": "y",
                "value": "520"
              }
            ],
            "repeated": 0,
            "id": 24190
          },
          {
            "timestamp": "2026-05-28 22:02:41,865",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6fb1",
            "parentcaller": "0x7ff6c28e0076",
            "category": "system",
            "api": "NtDelayExecution",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 24191
          },
          {
            "timestamp": "2026-05-28 22:02:41,912",
            "thread_id": "1496",
            "caller": "0x7ff6c28da9db",
            "parentcaller": "0x7ff6c28d6fb1",
            "category": "misc",
            "api": "GetCursorPos",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "x",
                "value": "1013"
              },
              {
                "name": "y",
                "value": "507"
              }
            ],
            "repeated": 1,
            "id": 24192
          },
          {
            "timestamp": "2026-05-28 22:02:41,912",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6fb1",
            "parentcaller": "0x7ff6c28e0076",
            "category": "system",
            "api": "NtDelayExecution",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 24193
          },
          {
            "timestamp": "2026-05-28 22:02:41,943",
            "thread_id": "1496",
            "caller": "0x7ff6c28da9db",
            "parentcaller": "0x7ff6c28d6fb1",
            "category": "misc",
            "api": "GetCursorPos",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "x",
                "value": "1006"
              },
              {
                "name": "y",
                "value": "504"
              }
            ],
            "repeated": 0,
            "id": 24194
          },
          {
            "timestamp": "2026-05-28 22:02:41,943",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6fb1",
            "parentcaller": "0x7ff6c28e0076",
            "category": "system",
            "api": "NtDelayExecution",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 24195
          },
          {
            "timestamp": "2026-05-28 22:02:41,943",
            "thread_id": "1496",
            "caller": "0x7ff6c28da9db",
            "parentcaller": "0x7ff6c28d6fb1",
            "category": "misc",
            "api": "GetCursorPos",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "x",
                "value": "1006"
              },
              {
                "name": "y",
                "value": "503"
              }
            ],
            "repeated": 0,
            "id": 24196
          },
          {
            "timestamp": "2026-05-28 22:02:41,959",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6fb1",
            "parentcaller": "0x7ff6c28e0076",
            "category": "system",
            "api": "NtDelayExecution",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 24197
          },
          {
            "timestamp": "2026-05-28 22:02:41,959",
            "thread_id": "1496",
            "caller": "0x7ff6c28da9db",
            "parentcaller": "0x7ff6c28d6fb1",
            "category": "misc",
            "api": "GetCursorPos",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "x",
                "value": "1000"
              },
              {
                "name": "y",
                "value": "502"
              }
            ],
            "repeated": 0,
            "id": 24198
          },
          {
            "timestamp": "2026-05-28 22:02:41,959",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6fb1",
            "parentcaller": "0x7ff6c28e0076",
            "category": "system",
            "api": "NtDelayExecution",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 24199
          },
          {
            "timestamp": "2026-05-28 22:02:41,975",
            "thread_id": "1496",
            "caller": "0x7ff6c28da9db",
            "parentcaller": "0x7ff6c28d6f98",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00001016"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 24200
          },
          {
            "timestamp": "2026-05-28 22:02:41,975",
            "thread_id": "1496",
            "caller": "0x7ff6c28da9db",
            "parentcaller": "0x7ff6c28d6f98",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00001018"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 24201
          },
          {
            "timestamp": "2026-05-28 22:02:41,975",
            "thread_id": "1496",
            "caller": "0x7ff6c28da9db",
            "parentcaller": "0x7ff6c28d6f98",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00000042"
              },
              {
                "name": "uiParam",
                "value": "0x00000010"
              }
            ],
            "repeated": 0,
            "id": 24202
          },
          {
            "timestamp": "2026-05-28 22:02:41,990",
            "thread_id": "1496",
            "caller": "0x7ff6c28da9db",
            "parentcaller": "0x7ff6c28d6fb1",
            "category": "misc",
            "api": "GetCursorPos",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "x",
                "value": "1000"
              },
              {
                "name": "y",
                "value": "502"
              }
            ],
            "repeated": 0,
            "id": 24203
          },
          {
            "timestamp": "2026-05-28 22:02:41,990",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6fb1",
            "parentcaller": "0x7ff6c28e0076",
            "category": "system",
            "api": "NtDelayExecution",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 24204
          },
          {
            "timestamp": "2026-05-28 22:02:41,990",
            "thread_id": "1496",
            "caller": "0x7ff6c28da9db",
            "parentcaller": "0x7ff6c28d6fb1",
            "category": "misc",
            "api": "GetCursorPos",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "x",
                "value": "999"
              },
              {
                "name": "y",
                "value": "501"
              }
            ],
            "repeated": 0,
            "id": 24205
          },
          {
            "timestamp": "2026-05-28 22:02:41,990",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6fb1",
            "parentcaller": "0x7ff6c28e0076",
            "category": "system",
            "api": "NtDelayExecution",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 24206
          },
          {
            "timestamp": "2026-05-28 22:02:41,990",
            "thread_id": "1496",
            "caller": "0x7ff6c28da9db",
            "parentcaller": "0x7ff6c28d6fb1",
            "category": "misc",
            "api": "GetCursorPos",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "x",
                "value": "984"
              },
              {
                "name": "y",
                "value": "499"
              }
            ],
            "repeated": 0,
            "id": 24207
          },
          {
            "timestamp": "2026-05-28 22:02:41,990",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6fb1",
            "parentcaller": "0x7ff6c28e0076",
            "category": "system",
            "api": "NtDelayExecution",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 24208
          },
          {
            "timestamp": "2026-05-28 22:02:42,021",
            "thread_id": "1496",
            "caller": "0x7ff6c28da9db",
            "parentcaller": "0x7ff6c28d6fb1",
            "category": "misc",
            "api": "GetCursorPos",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "x",
                "value": "981"
              },
              {
                "name": "y",
                "value": "499"
              }
            ],
            "repeated": 0,
            "id": 24209
          },
          {
            "timestamp": "2026-05-28 22:02:42,021",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6fb1",
            "parentcaller": "0x7ff6c28e0076",
            "category": "system",
            "api": "NtDelayExecution",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 24210
          },
          {
            "timestamp": "2026-05-28 22:02:42,021",
            "thread_id": "1496",
            "caller": "0x7ff6c28da9db",
            "parentcaller": "0x7ff6c28d6fb1",
            "category": "misc",
            "api": "GetCursorPos",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "x",
                "value": "969"
              },
              {
                "name": "y",
                "value": "499"
              }
            ],
            "repeated": 0,
            "id": 24211
          },
          {
            "timestamp": "2026-05-28 22:02:42,021",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6fb1",
            "parentcaller": "0x7ff6c28e0076",
            "category": "system",
            "api": "NtDelayExecution",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 24212
          },
          {
            "timestamp": "2026-05-28 22:02:42,053",
            "thread_id": "1496",
            "caller": "0x7ff6c28da9db",
            "parentcaller": "0x7ff6c28d6fb1",
            "category": "misc",
            "api": "GetCursorPos",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "x",
                "value": "968"
              },
              {
                "name": "y",
                "value": "499"
              }
            ],
            "repeated": 0,
            "id": 24213
          },
          {
            "timestamp": "2026-05-28 22:02:42,053",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6fb1",
            "parentcaller": "0x7ff6c28e0076",
            "category": "system",
            "api": "NtDelayExecution",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 24214
          },
          {
            "timestamp": "2026-05-28 22:02:42,053",
            "thread_id": "1496",
            "caller": "0x7ff6c28da9db",
            "parentcaller": "0x7ff6c28d6fb1",
            "category": "misc",
            "api": "GetCursorPos",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "x",
                "value": "960"
              },
              {
                "name": "y",
                "value": "501"
              }
            ],
            "repeated": 0,
            "id": 24215
          },
          {
            "timestamp": "2026-05-28 22:02:42,053",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6fb1",
            "parentcaller": "0x7ff6c28e0076",
            "category": "system",
            "api": "NtDelayExecution",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 24216
          },
          {
            "timestamp": "2026-05-28 22:02:42,084",
            "thread_id": "1496",
            "caller": "0x7ff6c28da9db",
            "parentcaller": "0x7ff6c28d6fb1",
            "category": "misc",
            "api": "GetCursorPos",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "x",
                "value": "957"
              },
              {
                "name": "y",
                "value": "501"
              }
            ],
            "repeated": 1,
            "id": 24217
          },
          {
            "timestamp": "2026-05-28 22:02:42,084",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6fb1",
            "parentcaller": "0x7ff6c28e0076",
            "category": "system",
            "api": "NtDelayExecution",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 24218
          },
          {
            "timestamp": "2026-05-28 22:02:42,115",
            "thread_id": "1496",
            "caller": "0x7ff6c28da9db",
            "parentcaller": "0x7ff6c28d6fb1",
            "category": "misc",
            "api": "GetCursorPos",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "x",
                "value": "955"
              },
              {
                "name": "y",
                "value": "501"
              }
            ],
            "repeated": 0,
            "id": 24219
          },
          {
            "timestamp": "2026-05-28 22:02:42,115",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6fb1",
            "parentcaller": "0x7ff6c28e0076",
            "category": "system",
            "api": "NtDelayExecution",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 24220
          },
          {
            "timestamp": "2026-05-28 22:02:42,115",
            "thread_id": "1496",
            "caller": "0x7ff6c28da9db",
            "parentcaller": "0x7ff6c28d6fb1",
            "category": "misc",
            "api": "GetCursorPos",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "x",
                "value": "949"
              },
              {
                "name": "y",
                "value": "501"
              }
            ],
            "repeated": 0,
            "id": 24221
          },
          {
            "timestamp": "2026-05-28 22:02:42,115",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6fb1",
            "parentcaller": "0x7ff6c28e0076",
            "category": "system",
            "api": "NtDelayExecution",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 24222
          },
          {
            "timestamp": "2026-05-28 22:02:42,146",
            "thread_id": "1496",
            "caller": "0x7ff6c28da9db",
            "parentcaller": "0x7ff6c28d6fb1",
            "category": "misc",
            "api": "GetCursorPos",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "x",
                "value": "948"
              },
              {
                "name": "y",
                "value": "501"
              }
            ],
            "repeated": 0,
            "id": 24223
          },
          {
            "timestamp": "2026-05-28 22:02:42,146",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6fb1",
            "parentcaller": "0x7ff6c28e0076",
            "category": "system",
            "api": "NtDelayExecution",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 24224
          },
          {
            "timestamp": "2026-05-28 22:02:42,146",
            "thread_id": "1496",
            "caller": "0x7ff6c28da9db",
            "parentcaller": "0x7ff6c28d6fb1",
            "category": "misc",
            "api": "GetCursorPos",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "x",
                "value": "933"
              },
              {
                "name": "y",
                "value": "499"
              }
            ],
            "repeated": 0,
            "id": 24225
          },
          {
            "timestamp": "2026-05-28 22:02:42,146",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6fb1",
            "parentcaller": "0x7ff6c28e0076",
            "category": "system",
            "api": "NtDelayExecution",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 24226
          },
          {
            "timestamp": "2026-05-28 22:02:42,178",
            "thread_id": "1496",
            "caller": "0x7ff6c28da9db",
            "parentcaller": "0x7ff6c28d6fb1",
            "category": "misc",
            "api": "GetCursorPos",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "x",
                "value": "908"
              },
              {
                "name": "y",
                "value": "492"
              }
            ],
            "repeated": 1,
            "id": 24227
          },
          {
            "timestamp": "2026-05-28 22:02:42,178",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6fb1",
            "parentcaller": "0x7ff6c28e0076",
            "category": "system",
            "api": "NtDelayExecution",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 24228
          },
          {
            "timestamp": "2026-05-28 22:02:42,209",
            "thread_id": "1496",
            "caller": "0x7ff6c28da9db",
            "parentcaller": "0x7ff6c28d6fb1",
            "category": "misc",
            "api": "GetCursorPos",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "x",
                "value": "905"
              },
              {
                "name": "y",
                "value": "492"
              }
            ],
            "repeated": 0,
            "id": 24229
          },
          {
            "timestamp": "2026-05-28 22:02:42,209",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6fb1",
            "parentcaller": "0x7ff6c28e0076",
            "category": "system",
            "api": "NtDelayExecution",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 24230
          },
          {
            "timestamp": "2026-05-28 22:02:42,225",
            "thread_id": "1496",
            "caller": "0x7ff6c28da9db",
            "parentcaller": "0x7ff6c28d6fb1",
            "category": "misc",
            "api": "GetCursorPos",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "x",
                "value": "884"
              },
              {
                "name": "y",
                "value": "486"
              }
            ],
            "repeated": 0,
            "id": 24231
          },
          {
            "timestamp": "2026-05-28 22:02:42,225",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6f98",
            "parentcaller": "0x7ff6c28e0076",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00001016"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 24232
          },
          {
            "timestamp": "2026-05-28 22:02:42,225",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6f98",
            "parentcaller": "0x7ff6c28e0076",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00001018"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 24233
          },
          {
            "timestamp": "2026-05-28 22:02:42,256",
            "thread_id": "1496",
            "caller": "0x7ff6c28da9db",
            "parentcaller": "0x7ff6c28d6fb1",
            "category": "misc",
            "api": "GetCursorPos",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "x",
                "value": "881"
              },
              {
                "name": "y",
                "value": "485"
              }
            ],
            "repeated": 0,
            "id": 24234
          },
          {
            "timestamp": "2026-05-28 22:02:42,256",
            "thread_id": "1496",
            "caller": "0x7ff6c28da9db",
            "parentcaller": "0x7ff6c28d6fb1",
            "category": "misc",
            "api": "GetCursorPos",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "x",
                "value": "856"
              },
              {
                "name": "y",
                "value": "477"
              }
            ],
            "repeated": 0,
            "id": 24235
          },
          {
            "timestamp": "2026-05-28 22:02:42,256",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6fb1",
            "parentcaller": "0x7ff6c28e0076",
            "category": "system",
            "api": "NtDelayExecution",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 24236
          },
          {
            "timestamp": "2026-05-28 22:02:42,287",
            "thread_id": "1496",
            "caller": "0x7ff6c28da9db",
            "parentcaller": "0x7ff6c28d6fb1",
            "category": "misc",
            "api": "GetCursorPos",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "x",
                "value": "818"
              },
              {
                "name": "y",
                "value": "463"
              }
            ],
            "repeated": 0,
            "id": 24237
          },
          {
            "timestamp": "2026-05-28 22:02:42,318",
            "thread_id": "1496",
            "caller": "0x7ff6c28da9db",
            "parentcaller": "0x7ff6c28d6fb1",
            "category": "misc",
            "api": "GetCursorPos",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "x",
                "value": "810"
              },
              {
                "name": "y",
                "value": "461"
              }
            ],
            "repeated": 0,
            "id": 24238
          },
          {
            "timestamp": "2026-05-28 22:02:42,318",
            "thread_id": "1496",
            "caller": "0x7ff6c28da9db",
            "parentcaller": "0x7ff6c28d6fb1",
            "category": "misc",
            "api": "GetCursorPos",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "x",
                "value": "766"
              },
              {
                "name": "y",
                "value": "448"
              }
            ],
            "repeated": 0,
            "id": 24239
          },
          {
            "timestamp": "2026-05-28 22:02:42,318",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6f98",
            "parentcaller": "0x7ff6c28e0076",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00001016"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 24240
          },
          {
            "timestamp": "2026-05-28 22:02:42,318",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6f98",
            "parentcaller": "0x7ff6c28e0076",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00001018"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 24241
          },
          {
            "timestamp": "2026-05-28 22:02:42,350",
            "thread_id": "1496",
            "caller": "0x7ff6c28da9db",
            "parentcaller": "0x7ff6c28d6fb1",
            "category": "misc",
            "api": "GetCursorPos",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "x",
                "value": "760"
              },
              {
                "name": "y",
                "value": "446"
              }
            ],
            "repeated": 0,
            "id": 24242
          },
          {
            "timestamp": "2026-05-28 22:02:42,350",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6f98",
            "parentcaller": "0x7ff6c28e0076",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00001016"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 24243
          },
          {
            "timestamp": "2026-05-28 22:02:42,350",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6f98",
            "parentcaller": "0x7ff6c28e0076",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00001018"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 24244
          },
          {
            "timestamp": "2026-05-28 22:02:42,350",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6fb1",
            "parentcaller": "0x7ff6c28e0076",
            "category": "system",
            "api": "NtDelayExecution",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 24245
          },
          {
            "timestamp": "2026-05-28 22:02:42,350",
            "thread_id": "1496",
            "caller": "0x7ff6c28da9db",
            "parentcaller": "0x7ff6c28d6fb1",
            "category": "misc",
            "api": "GetCursorPos",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "x",
                "value": "708"
              },
              {
                "name": "y",
                "value": "434"
              }
            ],
            "repeated": 0,
            "id": 24246
          },
          {
            "timestamp": "2026-05-28 22:02:42,350",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6f98",
            "parentcaller": "0x7ff6c28e0076",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00001016"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 24247
          },
          {
            "timestamp": "2026-05-28 22:02:42,350",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6f98",
            "parentcaller": "0x7ff6c28e0076",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00001018"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 24248
          },
          {
            "timestamp": "2026-05-28 22:02:42,350",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6fb1",
            "parentcaller": "0x7ff6c28e0076",
            "category": "system",
            "api": "NtDelayExecution",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 24249
          },
          {
            "timestamp": "2026-05-28 22:02:42,381",
            "thread_id": "1496",
            "caller": "0x7ff6c28da9db",
            "parentcaller": "0x7ff6c28d6fb1",
            "category": "misc",
            "api": "GetCursorPos",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "x",
                "value": "675"
              },
              {
                "name": "y",
                "value": "430"
              }
            ],
            "repeated": 0,
            "id": 24250
          },
          {
            "timestamp": "2026-05-28 22:02:42,381",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6f98",
            "parentcaller": "0x7ff6c28e0076",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00001016"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 24251
          },
          {
            "timestamp": "2026-05-28 22:02:42,381",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6f98",
            "parentcaller": "0x7ff6c28e0076",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00001018"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 24252
          },
          {
            "timestamp": "2026-05-28 22:02:42,381",
            "thread_id": "1496",
            "caller": "0x7ff6c28da9db",
            "parentcaller": "0x7ff6c28d6fb1",
            "category": "misc",
            "api": "GetCursorPos",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "x",
                "value": "675"
              },
              {
                "name": "y",
                "value": "430"
              }
            ],
            "repeated": 0,
            "id": 24253
          },
          {
            "timestamp": "2026-05-28 22:02:42,381",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6f98",
            "parentcaller": "0x7ff6c28e0076",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00001016"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 24254
          },
          {
            "timestamp": "2026-05-28 22:02:42,381",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6f98",
            "parentcaller": "0x7ff6c28e0076",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00001018"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 24255
          },
          {
            "timestamp": "2026-05-28 22:02:42,381",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6fb1",
            "parentcaller": "0x7ff6c28e0076",
            "category": "system",
            "api": "NtDelayExecution",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 24256
          },
          {
            "timestamp": "2026-05-28 22:02:42,428",
            "thread_id": "1496",
            "caller": "0x7ff6c28da9db",
            "parentcaller": "0x7ff6c28d6fb1",
            "category": "misc",
            "api": "GetCursorPos",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "x",
                "value": "673"
              },
              {
                "name": "y",
                "value": "429"
              }
            ],
            "repeated": 0,
            "id": 24257
          },
          {
            "timestamp": "2026-05-28 22:02:42,428",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6f98",
            "parentcaller": "0x7ff6c28e0076",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00001016"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 24258
          },
          {
            "timestamp": "2026-05-28 22:02:42,428",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6f98",
            "parentcaller": "0x7ff6c28e0076",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00001018"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 24259
          },
          {
            "timestamp": "2026-05-28 22:02:42,428",
            "thread_id": "1496",
            "caller": "0x7ff6c28da9db",
            "parentcaller": "0x7ff6c28d6fb1",
            "category": "misc",
            "api": "GetCursorPos",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "x",
                "value": "650"
              },
              {
                "name": "y",
                "value": "426"
              }
            ],
            "repeated": 0,
            "id": 24260
          },
          {
            "timestamp": "2026-05-28 22:02:42,428",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6f98",
            "parentcaller": "0x7ff6c28e0076",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00001016"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 24261
          },
          {
            "timestamp": "2026-05-28 22:02:42,428",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6f98",
            "parentcaller": "0x7ff6c28e0076",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00001018"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 24262
          },
          {
            "timestamp": "2026-05-28 22:02:42,428",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6fb1",
            "parentcaller": "0x7ff6c28e0076",
            "category": "system",
            "api": "NtDelayExecution",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 24263
          },
          {
            "timestamp": "2026-05-28 22:02:42,459",
            "thread_id": "1496",
            "caller": "0x7ff6c28da9db",
            "parentcaller": "0x7ff6c28d6fb1",
            "category": "misc",
            "api": "GetCursorPos",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "x",
                "value": "646"
              },
              {
                "name": "y",
                "value": "426"
              }
            ],
            "repeated": 0,
            "id": 24264
          },
          {
            "timestamp": "2026-05-28 22:02:42,459",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6f98",
            "parentcaller": "0x7ff6c28e0076",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00001016"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 24265
          },
          {
            "timestamp": "2026-05-28 22:02:42,459",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6f98",
            "parentcaller": "0x7ff6c28e0076",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00001018"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 24266
          },
          {
            "timestamp": "2026-05-28 22:02:42,459",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6fb1",
            "parentcaller": "0x7ff6c28e0076",
            "category": "system",
            "api": "NtDelayExecution",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 24267
          },
          {
            "timestamp": "2026-05-28 22:02:42,459",
            "thread_id": "1496",
            "caller": "0x7ff6c28da9db",
            "parentcaller": "0x7ff6c28d6fb1",
            "category": "misc",
            "api": "GetCursorPos",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "x",
                "value": "631"
              },
              {
                "name": "y",
                "value": "425"
              }
            ],
            "repeated": 0,
            "id": 24268
          },
          {
            "timestamp": "2026-05-28 22:02:42,459",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6f98",
            "parentcaller": "0x7ff6c28e0076",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00001016"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 24269
          },
          {
            "timestamp": "2026-05-28 22:02:42,459",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6f98",
            "parentcaller": "0x7ff6c28e0076",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00001018"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 24270
          },
          {
            "timestamp": "2026-05-28 22:02:42,459",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6fb1",
            "parentcaller": "0x7ff6c28e0076",
            "category": "system",
            "api": "NtDelayExecution",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 24271
          },
          {
            "timestamp": "2026-05-28 22:02:42,490",
            "thread_id": "2700",
            "caller": "0x7ffc77bf0e98",
            "parentcaller": "0x7ffc77c6b785",
            "category": "windows",
            "api": "PostMessageW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "WindowHandle",
                "value": "0x00010424"
              },
              {
                "name": "Message",
                "value": "0x00000400"
              }
            ],
            "repeated": 0,
            "id": 24272
          },
          {
            "timestamp": "2026-05-28 22:02:42,490",
            "thread_id": "1496",
            "caller": "0x7ff6c28da9db",
            "parentcaller": "0x7ff6c28d6fb1",
            "category": "misc",
            "api": "GetCursorPos",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "x",
                "value": "622"
              },
              {
                "name": "y",
                "value": "424"
              }
            ],
            "repeated": 0,
            "id": 24273
          },
          {
            "timestamp": "2026-05-28 22:02:42,490",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6f98",
            "parentcaller": "0x7ff6c28e0076",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00001016"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 24274
          },
          {
            "timestamp": "2026-05-28 22:02:42,490",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6f98",
            "parentcaller": "0x7ff6c28e0076",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00001018"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 24275
          },
          {
            "timestamp": "2026-05-28 22:02:42,490",
            "thread_id": "5448",
            "caller": "0x7ff6c28bd9af",
            "parentcaller": "0x7ff6c28d9f92",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "23"
              },
              {
                "name": "ThreadInformation",
                "value": "\\xf0\\xd8!m\\x00\\x00\\x00\\x00D\\xf9G\\xb5e\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "5448"
              }
            ],
            "repeated": 0,
            "id": 24276
          },
          {
            "timestamp": "2026-05-28 22:02:42,490",
            "thread_id": "8604",
            "caller": "0x7ff6c28c4a58",
            "parentcaller": "0x7ff6c28bab11",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000410"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\PcwDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00224013"
              },
              {
                "name": "InputBuffer",
                "value": "\\x88\\x08\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": "x\\x02\\x00\\x00\\x10\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00h\\x02\\x00\\x00 \\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01<\\x06\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x90\\x00\\x00\\x00\\x00\\x00\\x00\\x00 \\x00\\x00\\x00\\x07\\x00\\x00\\x000\\x00,\\x000\\x00\\x00\\x00a\\x00n\\x00a\\x00g\\x00\\x10\\x00\\x00\\x00\\x10\\x00\\x04\\x00\\x00\\x00\\x00\\x00A\\x00p\\x00\\x10\\x00\\x00\\x00\\x1a\\x00\\x08\\x00\\x17H\\xde\\x02\\x01\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x1b\\x00\\x04\\x00\\xd4\\xfc5\\x04S\\x00e\\x00\\x10\\x00\\x00\\x00\\x1c\\x00\\x08\\x00\\x8b\\xc2\\xc4\\x08\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x1d\\x00\\x04\\x00\\xd4\\xfc5\\x04)\\x00\\x00\\x00\\x10\\x00\\x00\\x00!\\x00\\x08\\x00n\\x94\\xe2E%\\x00\\x00\\x00\\x10\\x00\\x00\\x00\"\\x00\\x04\\x00\\xec\\xb3\\x96\\x02o\\x00f\\x00\\x90\\x00\\x00\\x00\\x01\\x00\\x00\\x00 \\x00\\x00\\x00\\x07\\x00\\x00\\x000\\x00,\\x001\\x00\\x00\\x00n\\x00t\\x00\\x00\\x00A\\x00\\x10\\x00\\x00\\x00\\x10\\x00\\x04\\x00\\x00\\x00\\x00\\x00e\\x00n\\x00\\x10\\x00\\x00\\x00\\x1a\\x00\\x08\\x00\\x02qJ\\x08\\x01\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 24277
          },
          {
            "timestamp": "2026-05-28 22:02:42,490",
            "thread_id": "8604",
            "caller": "0x7ff6c28c7164",
            "parentcaller": "0x7ff6c28c4d2d",
            "category": "misc",
            "api": "NtQuerySystemInformation",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "SystemInformationClass",
                "value": "79"
              }
            ],
            "repeated": 0,
            "id": 24278
          },
          {
            "timestamp": "2026-05-28 22:02:42,490",
            "thread_id": "8604",
            "caller": "0x7ff6c28c71d8",
            "parentcaller": "0x7ff6c28c4d2d",
            "category": "misc",
            "api": "NtQuerySystemInformation",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SystemInformationClass",
                "value": "79"
              }
            ],
            "repeated": 0,
            "id": 24279
          },
          {
            "timestamp": "2026-05-28 22:02:42,490",
            "thread_id": "8604",
            "caller": "0x7ff6c28c4d5f",
            "parentcaller": "0x7ff6c28d9152",
            "category": "misc",
            "api": "NtQuerySystemInformation",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SystemInformationClass",
                "value": "182"
              }
            ],
            "repeated": 0,
            "id": 24280
          },
          {
            "timestamp": "2026-05-28 22:02:42,490",
            "thread_id": "8604",
            "caller": "0x7ff6c28c4d76",
            "parentcaller": "0x7ff6c28d9152",
            "category": "misc",
            "api": "GetPhysicallyInstalledSystemMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TotalMemoryInKilobytes",
                "value": "8388608"
              }
            ],
            "repeated": 0,
            "id": 24281
          },
          {
            "timestamp": "2026-05-28 22:02:42,490",
            "thread_id": "8604",
            "caller": "0x7ff6c28bcc3e",
            "parentcaller": "0x7ff6c28baa3d",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000008a4"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\Nsi"
              },
              {
                "name": "IoControlCode",
                "value": "0x00120007"
              },
              {
                "name": "InputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb1\\xa9t\\xfc\\x7f\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xc0\\xe5O\\x9e\\xf0\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb1\\xa9t\\xfc\\x7f\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xc0\\xe5O\\x9e\\xf0\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 24282
          },
          {
            "timestamp": "2026-05-28 22:02:42,490",
            "thread_id": "8604",
            "caller": "0x7ff6c28bcc3e",
            "parentcaller": "0x7ff6c28baa3d",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000ac0"
              }
            ],
            "repeated": 0,
            "id": 24283
          },
          {
            "timestamp": "2026-05-28 22:02:42,490",
            "thread_id": "8604",
            "caller": "0x7ff6c28bcc3e",
            "parentcaller": "0x7ff6c28baa3d",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000008a4"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\Nsi"
              },
              {
                "name": "IoControlCode",
                "value": "0x0012000f"
              },
              {
                "name": "InputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb1\\xa9t\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xd0\\xe5O\\x9e\\xf0\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\xeeO\\x9e\\xf0\\x00\\x00\\x00D\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xe6O\\x9e\\xf0\\x00\\x00\\x00\\xd8\\x00\\x00\\x00\\x00\\x00\\x00\\x00 \\xe9O\\x9e\\xf0\\x00\\x00\\x00X\\x02\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb1\\xa9t\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xd0\\xe5O\\x9e\\xf0\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\xeeO\\x9e\\xf0\\x00\\x00\\x00D\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xe6O\\x9e\\xf0\\x00\\x00\\x00\\xd8\\x00\\x00\\x00\\x00\\x00\\x00\\x00 \\xe9O\\x9e\\xf0\\x00\\x00\\x00X\\x02\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 24284
          },
          {
            "timestamp": "2026-05-28 22:02:42,490",
            "thread_id": "8604",
            "caller": "0x7ff6c28bcc3e",
            "parentcaller": "0x7ff6c28baa3d",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000ac0"
              }
            ],
            "repeated": 0,
            "id": 24285
          },
          {
            "timestamp": "2026-05-28 22:02:42,490",
            "thread_id": "8604",
            "caller": "0x7ff6c28bcd3d",
            "parentcaller": "0x7ff6c28baa3d",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000ac0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0012019f",
                "pretty_value": "FILE_GENERIC_READ|FILE_GENERIC_WRITE"
              },
              {
                "name": "FileName",
                "value": "\\Device\\{4C572733-2FBA-4346-9601-F86DBA666EF2}"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 24286
          },
          {
            "timestamp": "2026-05-28 22:02:42,490",
            "thread_id": "8604",
            "caller": "0x7ff6c28bcd94",
            "parentcaller": "0x7ff6c28baa3d",
            "category": "device",
            "api": "DeviceIoControl",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "DeviceHandle",
                "value": "0x00000ac0"
              },
              {
                "name": "IoControlCode",
                "value": "0x0017003e"
              },
              {
                "name": "InBuffer",
                "value": "\\x07\\x01\\x01\\x00\\x04\\x01\\x01\\x80\\x14\\x01\\x01\\x80\\x01\\x01\\x02\\x00\\x02\\x01\\x02\\x00\\x03\\x01\\x02\\x00\\x04\\x01\\x02\\x00\\x08\\x02\\x02\\x80\\x01\\x02\\x02\\x80\\x07\\x02\\x02\\x80\\xff\\xff\\xff\\x80\\x13\\x02\\x02\\x80\\x14\\x02\\x02\\x80\\x15\\x02\\x02\\x80\\x02\\x02\\x01\\x80"
              },
              {
                "name": "OutBuffer",
                "value": "\\x07\\x01\\x01\\x00\\x04\\x00\\x00\\x00\\x80\\x96\\x98\\x00\\x04\\x01\\x01\\x80\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x14\\x01\\x01\\x80\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x01\\x02\\x00\\x08\\x00\\x00\\x00\\xe1\\x16\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x01\\x02\\x00\\x08\\x00\\x00\\x00\\xf3q\\x00\\x00\\x00\\x00\\x00\\x00\\x03\\x01\\x02\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x04\\x01\\x02\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x08\\x02\\x02\\x80\\x08\\x00\\x00\\x00\\xeeq\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x02\\x02\\x80\\x08\\x00\\x00\\x00\\xfb#_\\x00\\x00\\x00\\x00\\x00\\x07\\x02\\x02\\x80\\x08\\x00\\x00\\x00\\xa6\\x85A\\x02\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\x80\\x04\\x00\\x00\\x00l\\x00\\x00\\x00\\x13\\x02\\x02\\x80\\x04\\x00\\x00\\x00m\\x00\\x00\\x00\\x14\\x02\\x02\\x80\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x15\\x02\\x02\\x80\\x04\\x00\\x00\\x00\\x00\\x00\\x04\\x00\\x02\\x02\\x01\\x80\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 24287
          },
          {
            "timestamp": "2026-05-28 22:02:42,490",
            "thread_id": "8604",
            "caller": "0x7ff6c28bcdab",
            "parentcaller": "0x7ff6c28baa3d",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000ac0"
              }
            ],
            "repeated": 0,
            "id": 24288
          },
          {
            "timestamp": "2026-05-28 22:02:42,490",
            "thread_id": "8604",
            "caller": "0x7ff6c28c1a63",
            "parentcaller": "0x7ff6c28d9152",
            "category": "device",
            "api": "DeviceIoControl",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "DeviceHandle",
                "value": "0x0000089c"
              },
              {
                "name": "IoControlCode",
                "value": "0x00070020"
              },
              {
                "name": "InBuffer",
                "value": ""
              },
              {
                "name": "OutBuffer",
                "value": "\\x00\\xb6\\xd5x\\x00\\x00\\x00\\x00\\x00\\xa8\\x86\\x0c\\x00\\x00\\x00\\x00\\x85\\x80\\xbe \\x00\\x00\\x00\\x00\\x0f\\x82)\\x16\\x00\\x00\\x00\\x00\\xa0\\xb5\\x9a.\\x00\\x00\\x00\\x00\\x07w\\x00\\x00\\xd1\\x11\\x00\\x00\\x00\\x00\\x00\\x00\\xf6\\x04\\x00\\x00\\xcfp\\xf5\\xb4\\xed\\xee\\xdc\\x01\\x00\\x00\\x00\\x00P\\x00a\\x00r\\x00t\\x00m\\x00g\\x00r\\x00 \\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 24289
          },
          {
            "timestamp": "2026-05-28 22:02:42,490",
            "thread_id": "8604",
            "caller": "0x7ff6c28ca352",
            "parentcaller": "0x7ff6c28ca1d6",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 24290
          },
          {
            "timestamp": "2026-05-28 22:02:42,490",
            "thread_id": "8604",
            "caller": "0x7ff6c28ca352",
            "parentcaller": "0x7ff6c28ca1d6",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "0",
                "pretty_value": "ThreadBasicInformation"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x03\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb0\\x88\\x9d\\xf0\\x00\\x00\\x00\\xe8\\x1e\\x00\\x00\\x00\\x00\\x00\\x00\\x9c!\\x00\\x00\\x00\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x0b\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "8604"
              }
            ],
            "repeated": 0,
            "id": 24291
          },
          {
            "timestamp": "2026-05-28 22:02:42,490",
            "thread_id": "8604",
            "caller": "0x7ff6c28ca352",
            "parentcaller": "0x7ff6c28ca1d6",
            "category": "system",
            "api": "GetSystemTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 1,
            "id": 24292
          },
          {
            "timestamp": "2026-05-28 22:02:42,490",
            "thread_id": "8604",
            "caller": "0x7ff6c28ca352",
            "parentcaller": "0x7ff6c28ca1d6",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000410"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\PcwDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00224013"
              },
              {
                "name": "InputBuffer",
                "value": "\\x00\t\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": "\\xe0G\\x00\\x00\\x10\\x00\\x00\\x00\\x0c\\x00\\x00\\x00\\x00\\x00\\x00\\x00`\\x14\\x00\\x00 \\x00\\x00\\x00!\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\n\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x98\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x88\\x00\\x00\\x00\\x01\\x00\\x00\\x00p\\x00i\\x00d\\x00_\\x004\\x00_\\x00l\\x00u\\x00i\\x00d\\x00_\\x000\\x00x\\x000\\x000\\x000\\x000\\x000\\x000\\x000\\x000\\x00_\\x000\\x00x\\x000\\x000\\x000\\x000\\x006\\x001\\x006\\x00A\\x00_\\x00p\\x00h\\x00y\\x00s\\x00_\\x000\\x00_\\x00e\\x00n\\x00g\\x00_\\x000\\x00_\\x00e\\x00n\\x00g\\x00t\\x00y\\x00p\\x00e\\x00_\\x003\\x00D\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x01\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x98\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x88\\x00\\x00\\x00\\x01\\x00\\x00\\x00p\\x00i\\x00d\\x00_\\x004\\x00_\\x00l\\x00u\\x00i\\x00d\\x00_\\x000\\x00x\\x000\\x000\\x000\\x000\\x000\\x000\\x000\\x00"
              }
            ],
            "repeated": 0,
            "id": 24293
          },
          {
            "timestamp": "2026-05-28 22:02:42,490",
            "thread_id": "5448",
            "caller": "0x7ff6c28c63dd",
            "parentcaller": "0x7ff6c28bac26",
            "category": "misc",
            "api": "NtQuerySystemInformation",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SystemInformationClass",
                "value": "5",
                "pretty_value": "FILE_OVERWRITE_IF"
              }
            ],
            "repeated": 0,
            "id": 24294
          },
          {
            "timestamp": "2026-05-28 22:02:42,490",
            "thread_id": "8604",
            "caller": "0x7ff6c28f9829",
            "parentcaller": "0x7ff6c28d8f00",
            "category": "windows",
            "api": "PostMessageW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "WindowHandle",
                "value": "0x000203fa"
              },
              {
                "name": "Message",
                "value": "0x000004e1"
              }
            ],
            "repeated": 0,
            "id": 24295
          },
          {
            "timestamp": "2026-05-28 22:02:42,490",
            "thread_id": "5448",
            "caller": "0x7ff6c28bda50",
            "parentcaller": "0x7ff6c28d9f92",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "23"
              },
              {
                "name": "ThreadInformation",
                "value": "Bafm\\x00\\x00\\x00\\x00\\xbe\\xd3\\x92\\xb5e\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "5448"
              }
            ],
            "repeated": 0,
            "id": 24296
          },
          {
            "timestamp": "2026-05-28 22:02:42,490",
            "thread_id": "5448",
            "caller": "0x7ff6c28bdaa2",
            "parentcaller": "0x7ff6c28d9f92",
            "category": "misc",
            "api": "NtQuerySystemInformation",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SystemInformationClass",
                "value": "3",
                "pretty_value": "FILE_OPEN_IF"
              }
            ],
            "repeated": 1,
            "id": 24297
          },
          {
            "timestamp": "2026-05-28 22:02:42,490",
            "thread_id": "5448",
            "caller": "0x7ff6c28c4a58",
            "parentcaller": "0x7ff6c28c4bdc",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000410"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\PcwDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00224013"
              },
              {
                "name": "InputBuffer",
                "value": "\\x14\\x04\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": "\\xb8\\x01\\x00\\x00\\x10\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xa8\\x01\\x00\\x00 \\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x000\\x00\\x00\\x0c\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00`\\x00\\x00\\x00\\x00\\x00\\x00\\x00 \\x00\\x00\\x00\\x04\\x00\\x00\\x000\\x00,\\x000\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x04\\x00\\x08\\x00V!\\x83\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x05\\x00\\x08\\x00\\xa2\\x89\\xaf\\x01\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x1a\\x00\\x08\\x00\\x19\\x97\\xdf\\x02\\x01\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x1b\\x00\\x04\\x00.\\x006\\x04\\x00\\x00\\x00\\x00`\\x00\\x00\\x00\\x01\\x00\\x00\\x00 \\x00\\x00\\x00\\x04\\x00\\x00\\x000\\x00,\\x001\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x04\\x00\\x08\\x00\\xaey^\\x01\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x05\\x00\\x08\\x00T\\xea*\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x1a\\x00\\x08\\x00\\xa7\\xbdK\\x08\\x01\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x1b\\x00\\x04\\x001\\x006\\x04\\x00\\x00\\x00\\x00h\\x00\\x00\\x00\\x02\\x00\\x00\\x00(\\x00\\x00\\x00\\x04\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 24298
          },
          {
            "timestamp": "2026-05-28 22:02:42,490",
            "thread_id": "5448",
            "caller": "0x7ff6c28c4a58",
            "parentcaller": "0x7ff6c28c4c19",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000410"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\PcwDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00224013"
              },
              {
                "name": "InputBuffer",
                "value": "\\x18\\x04\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": "x\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00h\\x00\\x00\\x00 \\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00H\\x00\\x00\\x00\\x00\\x00\\x00\\x00(\\x00\\x00\\x00\\x02\\x00\\x00\\x00d\\x00e\\x00f\\x00a\\x00u\\x00l\\x00t\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x08\\x00\\x1b\\x80\\xbb\\xa3\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x01\\x00\\x08\\x00\\x00\\xa8d\\x0e\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 24299
          },
          {
            "timestamp": "2026-05-28 22:02:42,490",
            "thread_id": "5448",
            "caller": "0x7ff6c28c6f7b",
            "parentcaller": "0x7ff6c28bdb94",
            "category": "misc",
            "api": "GlobalMemoryStatusEx",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "MemoryLoad",
                "value": "35"
              },
              {
                "name": "TotalPhysicalMB",
                "value": "8191"
              }
            ],
            "repeated": 0,
            "id": 24300
          },
          {
            "timestamp": "2026-05-28 22:02:42,490",
            "thread_id": "5448",
            "caller": "0x7ff6c28c05ac",
            "parentcaller": "0x7ff6c28bdc11",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000ac0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001400",
                "pretty_value": "PROCESS_QUERY_INFORMATION|PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "748"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\148.0.3967.83\\identity_helper.exe"
              }
            ],
            "repeated": 0,
            "id": 24301
          },
          {
            "timestamp": "2026-05-28 22:02:42,490",
            "thread_id": "5448",
            "caller": "0x7ff6c28c068f",
            "parentcaller": "0x7ff6c28bdc11",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000ac0"
              }
            ],
            "repeated": 0,
            "id": 24302
          },
          {
            "timestamp": "2026-05-28 22:02:42,490",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c6d7d",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000ac0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001400",
                "pretty_value": "PROCESS_QUERY_INFORMATION|PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "748"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\148.0.3967.83\\identity_helper.exe"
              }
            ],
            "repeated": 0,
            "id": 24303
          },
          {
            "timestamp": "2026-05-28 22:02:42,490",
            "thread_id": "5448",
            "caller": "0x7ff6c28c6de3",
            "parentcaller": "0x7ff6c28c087c",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000ac0"
              }
            ],
            "repeated": 0,
            "id": 24304
          },
          {
            "timestamp": "2026-05-28 22:02:42,490",
            "thread_id": "2700",
            "caller": "0x7ff6c28d9214",
            "parentcaller": "0x00000000",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "0",
                "pretty_value": "ThreadBasicInformation"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x03\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xd0\\x86\\x9d\\xf0\\x00\\x00\\x00\\xe8\\x1e\\x00\\x00\\x00\\x00\\x00\\x00\\x8c\n\\x00\\x00\\x00\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\n\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "2700"
              }
            ],
            "repeated": 0,
            "id": 24305
          },
          {
            "timestamp": "2026-05-28 22:02:42,490",
            "thread_id": "2700",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000000",
                "pretty_value": "HKEY_CLASSES_ROOT"
              },
              {
                "name": "SubKey",
                "value": "CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_CLASSES_ROOT\\CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              }
            ],
            "repeated": 0,
            "id": 24306
          },
          {
            "timestamp": "2026-05-28 22:02:42,490",
            "thread_id": "2700",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "shell32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76730000"
              }
            ],
            "repeated": 0,
            "id": 24307
          },
          {
            "timestamp": "2026-05-28 22:02:42,490",
            "thread_id": "2700",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x7ffc76730000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "shell32.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 24308
          },
          {
            "timestamp": "2026-05-28 22:02:42,490",
            "thread_id": "2700",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "SHELL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc76730000"
              },
              {
                "name": "FunctionName",
                "value": "DllGetClassObject"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc767878f0"
              }
            ],
            "repeated": 0,
            "id": 24309
          },
          {
            "timestamp": "2026-05-28 22:02:42,490",
            "thread_id": "2700",
            "caller": "0x7ff6c28c27c9",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "synchronization",
            "api": "NtFindAtom",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "AtomName",
                "value": "{57086C23-86C6-478F-AFB2-236188C8F47F} 3"
              },
              {
                "name": "Atom",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 24310
          },
          {
            "timestamp": "2026-05-28 22:02:42,490",
            "thread_id": "2700",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000000",
                "pretty_value": "HKEY_CLASSES_ROOT"
              },
              {
                "name": "SubKey",
                "value": "CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_CLASSES_ROOT\\CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              }
            ],
            "repeated": 0,
            "id": 24311
          },
          {
            "timestamp": "2026-05-28 22:02:42,490",
            "thread_id": "2700",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "shell32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76730000"
              }
            ],
            "repeated": 0,
            "id": 24312
          },
          {
            "timestamp": "2026-05-28 22:02:42,490",
            "thread_id": "2700",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x7ffc76730000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "shell32.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 24313
          },
          {
            "timestamp": "2026-05-28 22:02:42,490",
            "thread_id": "2700",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "SHELL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc76730000"
              },
              {
                "name": "FunctionName",
                "value": "DllGetClassObject"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc767878f0"
              }
            ],
            "repeated": 0,
            "id": 24314
          },
          {
            "timestamp": "2026-05-28 22:02:42,490",
            "thread_id": "2700",
            "caller": "0x7ff6c28c27c9",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "synchronization",
            "api": "NtFindAtom",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "AtomName",
                "value": "{57086C23-86C6-478F-AFB2-236188C8F47F} 3"
              },
              {
                "name": "Atom",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 24315
          },
          {
            "timestamp": "2026-05-28 22:02:42,490",
            "thread_id": "2700",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000000",
                "pretty_value": "HKEY_CLASSES_ROOT"
              },
              {
                "name": "SubKey",
                "value": "CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_CLASSES_ROOT\\CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              }
            ],
            "repeated": 0,
            "id": 24316
          },
          {
            "timestamp": "2026-05-28 22:02:42,490",
            "thread_id": "2700",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "shell32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76730000"
              }
            ],
            "repeated": 0,
            "id": 24317
          },
          {
            "timestamp": "2026-05-28 22:02:42,490",
            "thread_id": "2700",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x7ffc76730000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "shell32.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 24318
          },
          {
            "timestamp": "2026-05-28 22:02:42,490",
            "thread_id": "2700",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "SHELL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc76730000"
              },
              {
                "name": "FunctionName",
                "value": "DllGetClassObject"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc767878f0"
              }
            ],
            "repeated": 0,
            "id": 24319
          },
          {
            "timestamp": "2026-05-28 22:02:42,490",
            "thread_id": "2700",
            "caller": "0x7ff6c28c27c9",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "synchronization",
            "api": "NtFindAtom",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "AtomName",
                "value": "{57086C23-86C6-478F-AFB2-236188C8F47F} 3"
              },
              {
                "name": "Atom",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 24320
          },
          {
            "timestamp": "2026-05-28 22:02:42,490",
            "thread_id": "2700",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000000",
                "pretty_value": "HKEY_CLASSES_ROOT"
              },
              {
                "name": "SubKey",
                "value": "CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_CLASSES_ROOT\\CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              }
            ],
            "repeated": 0,
            "id": 24321
          },
          {
            "timestamp": "2026-05-28 22:02:42,490",
            "thread_id": "2700",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "shell32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76730000"
              }
            ],
            "repeated": 0,
            "id": 24322
          },
          {
            "timestamp": "2026-05-28 22:02:42,490",
            "thread_id": "2700",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x7ffc76730000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "shell32.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 24323
          },
          {
            "timestamp": "2026-05-28 22:02:42,490",
            "thread_id": "2700",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "SHELL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc76730000"
              },
              {
                "name": "FunctionName",
                "value": "DllGetClassObject"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc767878f0"
              }
            ],
            "repeated": 0,
            "id": 24324
          },
          {
            "timestamp": "2026-05-28 22:02:42,490",
            "thread_id": "2700",
            "caller": "0x7ff6c28c27c9",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "synchronization",
            "api": "NtFindAtom",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "AtomName",
                "value": "{57086C23-86C6-478F-AFB2-236188C8F47F} 3"
              },
              {
                "name": "Atom",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 24325
          },
          {
            "timestamp": "2026-05-28 22:02:42,490",
            "thread_id": "2700",
            "caller": "0x7ff6c28d9322",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "oleaut32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc77330000"
              }
            ],
            "repeated": 0,
            "id": 24326
          },
          {
            "timestamp": "2026-05-28 22:02:42,490",
            "thread_id": "5448",
            "caller": "0x7ff6c28bb952",
            "parentcaller": "0x7ff6c28be837",
            "category": "windows",
            "api": "PostMessageW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "WindowHandle",
                "value": "0x00010402"
              },
              {
                "name": "Message",
                "value": "0x00000464"
              }
            ],
            "repeated": 0,
            "id": 24327
          },
          {
            "timestamp": "2026-05-28 22:02:42,490",
            "thread_id": "608",
            "caller": "0x7ff6c28d9e90",
            "parentcaller": "0x7ff6c28d9a49",
            "category": "windows",
            "api": "FindWindowW",
            "status": true,
            "return": "0x00010092",
            "arguments": [
              {
                "name": "ClassName",
                "value": "Shell_TrayWnd"
              },
              {
                "name": "WindowName",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 24328
          },
          {
            "timestamp": "2026-05-28 22:02:42,506",
            "thread_id": "2700",
            "caller": "0x7ffc77bf0e98",
            "parentcaller": "0x7ffc77c6b785",
            "category": "windows",
            "api": "PostMessageW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "WindowHandle",
                "value": "0x00010438"
              },
              {
                "name": "Message",
                "value": "0x00000400"
              }
            ],
            "repeated": 0,
            "id": 24329
          },
          {
            "timestamp": "2026-05-28 22:02:42,521",
            "thread_id": "1496",
            "caller": "0x7ff6c28da9db",
            "parentcaller": "0x7ff6c28d6fb1",
            "category": "misc",
            "api": "GetCursorPos",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "x",
                "value": "621"
              },
              {
                "name": "y",
                "value": "423"
              }
            ],
            "repeated": 0,
            "id": 24330
          },
          {
            "timestamp": "2026-05-28 22:02:42,521",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6f98",
            "parentcaller": "0x7ff6c28e0076",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00001016"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 24331
          },
          {
            "timestamp": "2026-05-28 22:02:42,521",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6f98",
            "parentcaller": "0x7ff6c28e0076",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00001018"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 24332
          },
          {
            "timestamp": "2026-05-28 22:02:42,521",
            "thread_id": "1496",
            "caller": "0x7ff6c28da9db",
            "parentcaller": "0x7ff6c28d6fb1",
            "category": "misc",
            "api": "GetCursorPos",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "x",
                "value": "609"
              },
              {
                "name": "y",
                "value": "419"
              }
            ],
            "repeated": 0,
            "id": 24333
          },
          {
            "timestamp": "2026-05-28 22:02:42,521",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6f98",
            "parentcaller": "0x7ff6c28e0076",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00001016"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 24334
          },
          {
            "timestamp": "2026-05-28 22:02:42,521",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6f98",
            "parentcaller": "0x7ff6c28e0076",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00001018"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 24335
          },
          {
            "timestamp": "2026-05-28 22:02:42,521",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6fb1",
            "parentcaller": "0x7ff6c28e0076",
            "category": "system",
            "api": "NtDelayExecution",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 24336
          },
          {
            "timestamp": "2026-05-28 22:02:42,553",
            "thread_id": "1496",
            "caller": "0x7ff6c28da9db",
            "parentcaller": "0x7ff6c28d6fb1",
            "category": "misc",
            "api": "GetCursorPos",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "x",
                "value": "609"
              },
              {
                "name": "y",
                "value": "419"
              }
            ],
            "repeated": 0,
            "id": 24337
          },
          {
            "timestamp": "2026-05-28 22:02:42,553",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6f98",
            "parentcaller": "0x7ff6c28e0076",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00001016"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 24338
          },
          {
            "timestamp": "2026-05-28 22:02:42,553",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6f98",
            "parentcaller": "0x7ff6c28e0076",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00001018"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 24339
          },
          {
            "timestamp": "2026-05-28 22:02:42,553",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6fb1",
            "parentcaller": "0x7ff6c28e0076",
            "category": "system",
            "api": "NtDelayExecution",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 24340
          },
          {
            "timestamp": "2026-05-28 22:02:42,568",
            "thread_id": "1496",
            "caller": "0x7ff6c28da9db",
            "parentcaller": "0x7ff6c28d6fb1",
            "category": "misc",
            "api": "GetCursorPos",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "x",
                "value": "605"
              },
              {
                "name": "y",
                "value": "418"
              }
            ],
            "repeated": 0,
            "id": 24341
          },
          {
            "timestamp": "2026-05-28 22:02:42,568",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6f98",
            "parentcaller": "0x7ff6c28e0076",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00001016"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 24342
          },
          {
            "timestamp": "2026-05-28 22:02:42,568",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6f98",
            "parentcaller": "0x7ff6c28e0076",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00001018"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 24343
          },
          {
            "timestamp": "2026-05-28 22:02:42,568",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6fb1",
            "parentcaller": "0x7ff6c28e0076",
            "category": "system",
            "api": "NtDelayExecution",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 24344
          },
          {
            "timestamp": "2026-05-28 22:02:42,568",
            "thread_id": "1496",
            "caller": "0x7ff6c28da9db",
            "parentcaller": "0x7ff6c28d6fb1",
            "category": "misc",
            "api": "GetCursorPos",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "x",
                "value": "586"
              },
              {
                "name": "y",
                "value": "411"
              }
            ],
            "repeated": 0,
            "id": 24345
          },
          {
            "timestamp": "2026-05-28 22:02:42,568",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6f98",
            "parentcaller": "0x7ff6c28e0076",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00001016"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 24346
          },
          {
            "timestamp": "2026-05-28 22:02:42,568",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6f98",
            "parentcaller": "0x7ff6c28e0076",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00001018"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 24347
          },
          {
            "timestamp": "2026-05-28 22:02:42,568",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6fb1",
            "parentcaller": "0x7ff6c28e0076",
            "category": "system",
            "api": "NtDelayExecution",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 24348
          },
          {
            "timestamp": "2026-05-28 22:02:42,600",
            "thread_id": "1496",
            "caller": "0x7ff6c28da9db",
            "parentcaller": "0x7ff6c28d6fb1",
            "category": "misc",
            "api": "GetCursorPos",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "x",
                "value": "584"
              },
              {
                "name": "y",
                "value": "410"
              }
            ],
            "repeated": 0,
            "id": 24349
          },
          {
            "timestamp": "2026-05-28 22:02:42,600",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6f98",
            "parentcaller": "0x7ff6c28e0076",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00001016"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 24350
          },
          {
            "timestamp": "2026-05-28 22:02:42,600",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6f98",
            "parentcaller": "0x7ff6c28e0076",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00001018"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 24351
          },
          {
            "timestamp": "2026-05-28 22:02:42,600",
            "thread_id": "1496",
            "caller": "0x7ff6c28da9db",
            "parentcaller": "0x7ff6c28d6fb1",
            "category": "misc",
            "api": "GetCursorPos",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "x",
                "value": "557"
              },
              {
                "name": "y",
                "value": "402"
              }
            ],
            "repeated": 0,
            "id": 24352
          },
          {
            "timestamp": "2026-05-28 22:02:42,600",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6f98",
            "parentcaller": "0x7ff6c28e0076",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00001016"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 24353
          },
          {
            "timestamp": "2026-05-28 22:02:42,600",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6f98",
            "parentcaller": "0x7ff6c28e0076",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00001018"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 24354
          },
          {
            "timestamp": "2026-05-28 22:02:42,600",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6fb1",
            "parentcaller": "0x7ff6c28e0076",
            "category": "system",
            "api": "NtDelayExecution",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 24355
          },
          {
            "timestamp": "2026-05-28 22:02:42,600",
            "thread_id": "1496",
            "caller": "0x7ff6c28da9db",
            "parentcaller": "0x7ff6c28d6fb1",
            "category": "misc",
            "api": "GetCursorPos",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "x",
                "value": "554"
              },
              {
                "name": "y",
                "value": "402"
              }
            ],
            "repeated": 0,
            "id": 24356
          },
          {
            "timestamp": "2026-05-28 22:02:42,600",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6f98",
            "parentcaller": "0x7ff6c28e0076",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00001016"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 24357
          },
          {
            "timestamp": "2026-05-28 22:02:42,600",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6f98",
            "parentcaller": "0x7ff6c28e0076",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00001018"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 24358
          },
          {
            "timestamp": "2026-05-28 22:02:42,600",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6fb1",
            "parentcaller": "0x7ff6c28e0076",
            "category": "system",
            "api": "NtDelayExecution",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 24359
          },
          {
            "timestamp": "2026-05-28 22:02:42,646",
            "thread_id": "1496",
            "caller": "0x7ff6c28da9db",
            "parentcaller": "0x7ff6c28d6fb1",
            "category": "misc",
            "api": "GetCursorPos",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "x",
                "value": "541"
              },
              {
                "name": "y",
                "value": "398"
              }
            ],
            "repeated": 0,
            "id": 24360
          },
          {
            "timestamp": "2026-05-28 22:02:42,646",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6f98",
            "parentcaller": "0x7ff6c28e0076",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00001016"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 24361
          },
          {
            "timestamp": "2026-05-28 22:02:42,646",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6f98",
            "parentcaller": "0x7ff6c28e0076",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00001018"
              },
              {
                "name": "uiParam",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 24362
          },
          {
            "timestamp": "2026-05-28 22:02:42,646",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6fb1",
            "parentcaller": "0x7ff6c28e0076",
            "category": "system",
            "api": "NtDelayExecution",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 24363
          },
          {
            "timestamp": "2026-05-28 22:02:42,678",
            "thread_id": "1496",
            "caller": "0x7ff6c28da9db",
            "parentcaller": "0x7ff6c28d6fb1",
            "category": "misc",
            "api": "GetCursorPos",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "x",
                "value": "540"
              },
              {
                "name": "y",
                "value": "397"
              }
            ],
            "repeated": 0,
            "id": 24364
          },
          {
            "timestamp": "2026-05-28 22:02:42,678",
            "thread_id": "1496",
            "caller": "0x7ff6c28da9db",
            "parentcaller": "0x7ff6c28d6fb1",
            "category": "misc",
            "api": "GetCursorPos",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "x",
                "value": "534"
              },
              {
                "name": "y",
                "value": "396"
              }
            ],
            "repeated": 0,
            "id": 24365
          },
          {
            "timestamp": "2026-05-28 22:02:42,678",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6fb1",
            "parentcaller": "0x7ff6c28e0076",
            "category": "system",
            "api": "NtDelayExecution",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 24366
          },
          {
            "timestamp": "2026-05-28 22:02:42,693",
            "thread_id": "1496",
            "caller": "0x7ff6c28da9db",
            "parentcaller": "0x7ff6c28d6fb1",
            "category": "misc",
            "api": "GetCursorPos",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "x",
                "value": "534"
              },
              {
                "name": "y",
                "value": "396"
              }
            ],
            "repeated": 0,
            "id": 24367
          },
          {
            "timestamp": "2026-05-28 22:02:42,693",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6fb1",
            "parentcaller": "0x7ff6c28e0076",
            "category": "system",
            "api": "NtDelayExecution",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 24368
          },
          {
            "timestamp": "2026-05-28 22:02:42,709",
            "thread_id": "1496",
            "caller": "0x7ff6c28da9db",
            "parentcaller": "0x7ff6c28d6fb1",
            "category": "misc",
            "api": "GetCursorPos",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "x",
                "value": "533"
              },
              {
                "name": "y",
                "value": "396"
              }
            ],
            "repeated": 0,
            "id": 24369
          },
          {
            "timestamp": "2026-05-28 22:02:42,709",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6fb1",
            "parentcaller": "0x7ff6c28e0076",
            "category": "system",
            "api": "NtDelayExecution",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 24370
          },
          {
            "timestamp": "2026-05-28 22:02:42,709",
            "thread_id": "1496",
            "caller": "0x7ff6c28da9db",
            "parentcaller": "0x7ff6c28d6fb1",
            "category": "misc",
            "api": "GetCursorPos",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "x",
                "value": "526"
              },
              {
                "name": "y",
                "value": "393"
              }
            ],
            "repeated": 0,
            "id": 24371
          },
          {
            "timestamp": "2026-05-28 22:02:42,709",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6fb1",
            "parentcaller": "0x7ff6c28e0076",
            "category": "system",
            "api": "NtDelayExecution",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 24372
          },
          {
            "timestamp": "2026-05-28 22:02:42,740",
            "thread_id": "1496",
            "caller": "0x7ff6c28da9db",
            "parentcaller": "0x7ff6c28d6fb1",
            "category": "misc",
            "api": "GetCursorPos",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "x",
                "value": "525"
              },
              {
                "name": "y",
                "value": "392"
              }
            ],
            "repeated": 0,
            "id": 24373
          },
          {
            "timestamp": "2026-05-28 22:02:42,740",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6fb1",
            "parentcaller": "0x7ff6c28e0076",
            "category": "system",
            "api": "NtDelayExecution",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 24374
          },
          {
            "timestamp": "2026-05-28 22:02:42,740",
            "thread_id": "1496",
            "caller": "0x7ff6c28da9db",
            "parentcaller": "0x7ff6c28d6fb1",
            "category": "misc",
            "api": "GetCursorPos",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "x",
                "value": "519"
              },
              {
                "name": "y",
                "value": "389"
              }
            ],
            "repeated": 0,
            "id": 24375
          },
          {
            "timestamp": "2026-05-28 22:02:42,740",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6fb1",
            "parentcaller": "0x7ff6c28e0076",
            "category": "system",
            "api": "NtDelayExecution",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 24376
          },
          {
            "timestamp": "2026-05-28 22:02:42,771",
            "thread_id": "1496",
            "caller": "0x7ff6c28da9db",
            "parentcaller": "0x7ff6c28d6fb1",
            "category": "misc",
            "api": "GetCursorPos",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "x",
                "value": "518"
              },
              {
                "name": "y",
                "value": "389"
              }
            ],
            "repeated": 0,
            "id": 24377
          },
          {
            "timestamp": "2026-05-28 22:02:42,771",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6fb1",
            "parentcaller": "0x7ff6c28e0076",
            "category": "system",
            "api": "NtDelayExecution",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 24378
          },
          {
            "timestamp": "2026-05-28 22:02:42,771",
            "thread_id": "1496",
            "caller": "0x7ff6c28da9db",
            "parentcaller": "0x7ff6c28d6fb1",
            "category": "misc",
            "api": "GetCursorPos",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "x",
                "value": "511"
              },
              {
                "name": "y",
                "value": "384"
              }
            ],
            "repeated": 0,
            "id": 24379
          },
          {
            "timestamp": "2026-05-28 22:02:42,771",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6fb1",
            "parentcaller": "0x7ff6c28e0076",
            "category": "system",
            "api": "NtDelayExecution",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 24380
          },
          {
            "timestamp": "2026-05-28 22:02:42,803",
            "thread_id": "1496",
            "caller": "0x7ff6c28da9db",
            "parentcaller": "0x7ff6c28d6fb1",
            "category": "misc",
            "api": "GetCursorPos",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "x",
                "value": "503"
              },
              {
                "name": "y",
                "value": "381"
              }
            ],
            "repeated": 0,
            "id": 24381
          },
          {
            "timestamp": "2026-05-28 22:02:42,803",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6fb1",
            "parentcaller": "0x7ff6c28e0076",
            "category": "system",
            "api": "NtDelayExecution",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 24382
          },
          {
            "timestamp": "2026-05-28 22:02:42,834",
            "thread_id": "1496",
            "caller": "0x7ff6c28da9db",
            "parentcaller": "0x7ff6c28d6fb1",
            "category": "misc",
            "api": "GetCursorPos",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "x",
                "value": "500"
              },
              {
                "name": "y",
                "value": "379"
              }
            ],
            "repeated": 1,
            "id": 24383
          },
          {
            "timestamp": "2026-05-28 22:02:42,834",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6fb1",
            "parentcaller": "0x7ff6c28e0076",
            "category": "system",
            "api": "NtDelayExecution",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 24384
          },
          {
            "timestamp": "2026-05-28 22:02:42,834",
            "thread_id": "1496",
            "caller": "0x7ff6c28da9db",
            "parentcaller": "0x7ff6c28d6fb1",
            "category": "misc",
            "api": "GetCursorPos",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "x",
                "value": "496"
              },
              {
                "name": "y",
                "value": "377"
              }
            ],
            "repeated": 0,
            "id": 24385
          },
          {
            "timestamp": "2026-05-28 22:02:42,834",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6fb1",
            "parentcaller": "0x7ff6c28e0076",
            "category": "system",
            "api": "NtDelayExecution",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 24386
          },
          {
            "timestamp": "2026-05-28 22:02:42,865",
            "thread_id": "1496",
            "caller": "0x7ff6c28da9db",
            "parentcaller": "0x7ff6c28d6fb1",
            "category": "misc",
            "api": "GetCursorPos",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "x",
                "value": "495"
              },
              {
                "name": "y",
                "value": "377"
              }
            ],
            "repeated": 0,
            "id": 24387
          },
          {
            "timestamp": "2026-05-28 22:02:42,865",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6fb1",
            "parentcaller": "0x7ff6c28e0076",
            "category": "system",
            "api": "NtDelayExecution",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 24388
          },
          {
            "timestamp": "2026-05-28 22:02:42,865",
            "thread_id": "1496",
            "caller": "0x7ff6c28da9db",
            "parentcaller": "0x7ff6c28d6fb1",
            "category": "misc",
            "api": "GetCursorPos",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "x",
                "value": "492"
              },
              {
                "name": "y",
                "value": "375"
              }
            ],
            "repeated": 0,
            "id": 24389
          },
          {
            "timestamp": "2026-05-28 22:02:42,865",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6fb1",
            "parentcaller": "0x7ff6c28e0076",
            "category": "system",
            "api": "NtDelayExecution",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 24390
          },
          {
            "timestamp": "2026-05-28 22:02:42,896",
            "thread_id": "1496",
            "caller": "0x7ff6c28da9db",
            "parentcaller": "0x7ff6c28d6fb1",
            "category": "misc",
            "api": "GetCursorPos",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "x",
                "value": "491"
              },
              {
                "name": "y",
                "value": "375"
              }
            ],
            "repeated": 0,
            "id": 24391
          },
          {
            "timestamp": "2026-05-28 22:02:42,896",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6fb1",
            "parentcaller": "0x7ff6c28e0076",
            "category": "system",
            "api": "NtDelayExecution",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 24392
          },
          {
            "timestamp": "2026-05-28 22:02:42,896",
            "thread_id": "1496",
            "caller": "0x7ff6c28da9db",
            "parentcaller": "0x7ff6c28d6fb1",
            "category": "misc",
            "api": "GetCursorPos",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "x",
                "value": "489"
              },
              {
                "name": "y",
                "value": "374"
              }
            ],
            "repeated": 0,
            "id": 24393
          },
          {
            "timestamp": "2026-05-28 22:02:42,928",
            "thread_id": "1496",
            "caller": "0x7ff6c28da9db",
            "parentcaller": "0x7ff6c28d6fb1",
            "category": "misc",
            "api": "GetCursorPos",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "x",
                "value": "486"
              },
              {
                "name": "y",
                "value": "372"
              }
            ],
            "repeated": 1,
            "id": 24394
          },
          {
            "timestamp": "2026-05-28 22:02:42,928",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6fb1",
            "parentcaller": "0x7ff6c28e0076",
            "category": "system",
            "api": "NtDelayExecution",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 24395
          },
          {
            "timestamp": "2026-05-28 22:02:42,959",
            "thread_id": "1496",
            "caller": "0x7ff6c28da9db",
            "parentcaller": "0x7ff6c28d6fb1",
            "category": "misc",
            "api": "GetCursorPos",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "x",
                "value": "486"
              },
              {
                "name": "y",
                "value": "371"
              }
            ],
            "repeated": 0,
            "id": 24396
          },
          {
            "timestamp": "2026-05-28 22:02:42,959",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6fb1",
            "parentcaller": "0x7ff6c28e0076",
            "category": "system",
            "api": "NtDelayExecution",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 24397
          },
          {
            "timestamp": "2026-05-28 22:02:42,959",
            "thread_id": "1496",
            "caller": "0x7ff6c28da9db",
            "parentcaller": "0x7ff6c28d6fb1",
            "category": "misc",
            "api": "GetCursorPos",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "x",
                "value": "485"
              },
              {
                "name": "y",
                "value": "371"
              }
            ],
            "repeated": 0,
            "id": 24398
          },
          {
            "timestamp": "2026-05-28 22:02:42,959",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6fb1",
            "parentcaller": "0x7ff6c28e0076",
            "category": "system",
            "api": "NtDelayExecution",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 24399
          },
          {
            "timestamp": "2026-05-28 22:02:42,990",
            "thread_id": "1496",
            "caller": "0x7ff6c28da9db",
            "parentcaller": "0x7ff6c28d6fb1",
            "category": "misc",
            "api": "GetCursorPos",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "x",
                "value": "485"
              },
              {
                "name": "y",
                "value": "370"
              }
            ],
            "repeated": 0,
            "id": 24400
          },
          {
            "timestamp": "2026-05-28 22:02:42,990",
            "thread_id": "1496",
            "caller": "0x7ff6c28da9db",
            "parentcaller": "0x7ff6c28d6fb1",
            "category": "misc",
            "api": "GetCursorPos",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "x",
                "value": "484"
              },
              {
                "name": "y",
                "value": "370"
              }
            ],
            "repeated": 0,
            "id": 24401
          },
          {
            "timestamp": "2026-05-28 22:02:42,990",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6fb1",
            "parentcaller": "0x7ff6c28e0076",
            "category": "system",
            "api": "NtDelayExecution",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 24402
          },
          {
            "timestamp": "2026-05-28 22:02:43,068",
            "thread_id": "1496",
            "caller": "0x7ff6c28da9db",
            "parentcaller": "0x7ff6c28d6fb1",
            "category": "misc",
            "api": "GetCursorPos",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "x",
                "value": "484"
              },
              {
                "name": "y",
                "value": "370"
              }
            ],
            "repeated": 0,
            "id": 24403
          },
          {
            "timestamp": "2026-05-28 22:02:43,068",
            "thread_id": "1496",
            "caller": "0x7ff6c290f575",
            "parentcaller": "0x7ff6c292e393",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2925430c000"
              },
              {
                "name": "RegionSize",
                "value": "0x00007000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 24404
          },
          {
            "timestamp": "2026-05-28 22:02:43,084",
            "thread_id": "1496",
            "caller": "0x7ff6c28c14f5",
            "parentcaller": "0x7ff6c28eeefd",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00000042"
              },
              {
                "name": "uiParam",
                "value": "0x00000010"
              }
            ],
            "repeated": 0,
            "id": 24405
          },
          {
            "timestamp": "2026-05-28 22:02:43,084",
            "thread_id": "1496",
            "caller": "0x7ff6c28c14f5",
            "parentcaller": "0x7ff6c28eeefd",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29251510000"
              },
              {
                "name": "RegionSize",
                "value": "0x00100000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 24406
          },
          {
            "timestamp": "2026-05-28 22:02:43,084",
            "thread_id": "1496",
            "caller": "0x7ff6c28c14f5",
            "parentcaller": "0x7ff6c28eeefd",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29251510000"
              },
              {
                "name": "RegionSize",
                "value": "0x00002000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 24407
          },
          {
            "timestamp": "2026-05-28 22:02:43,193",
            "thread_id": "1496",
            "caller": "0x7ff6c28cd4b8",
            "parentcaller": "0x7ff6c292e918",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29254f03000"
              },
              {
                "name": "RegionSize",
                "value": "0x0001e000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 24408
          },
          {
            "timestamp": "2026-05-28 22:02:43,225",
            "thread_id": "1496",
            "caller": "0x7ff6c28da4af",
            "parentcaller": "0x7ff6c28cd4b8",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29255001000"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000001",
                "pretty_value": "PAGE_NOACCESS"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 24409
          },
          {
            "timestamp": "2026-05-28 22:02:43,240",
            "thread_id": "1496",
            "caller": "0x7ff6c28cd4b8",
            "parentcaller": "0x7ff6c292ec05",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29255025000"
              },
              {
                "name": "RegionSize",
                "value": "0x00043000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 24410
          },
          {
            "timestamp": "2026-05-28 22:02:43,240",
            "thread_id": "1496",
            "caller": "0x7ff6c28cd4b8",
            "parentcaller": "0x7ff6c292ec05",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29255063000"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000001",
                "pretty_value": "PAGE_NOACCESS"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 24411
          },
          {
            "timestamp": "2026-05-28 22:02:43,240",
            "thread_id": "1496",
            "caller": "0x7ff6c28cd4b8",
            "parentcaller": "0x7ff6c292e918",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29255068000"
              },
              {
                "name": "RegionSize",
                "value": "0x00021000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 24412
          },
          {
            "timestamp": "2026-05-28 22:02:43,256",
            "thread_id": "1496",
            "caller": "0x7ff6c28cd4b8",
            "parentcaller": "0x7ff6c292e918",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29255089000"
              },
              {
                "name": "RegionSize",
                "value": "0x00043000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 24413
          },
          {
            "timestamp": "2026-05-28 22:02:43,256",
            "thread_id": "1496",
            "caller": "0x7ff6c28cd4b8",
            "parentcaller": "0x7ff6c292e918",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x292550c9000"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000001",
                "pretty_value": "PAGE_NOACCESS"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 24414
          },
          {
            "timestamp": "2026-05-28 22:02:43,287",
            "thread_id": "1496",
            "caller": "0x7ff6c28d33af",
            "parentcaller": "0x7ff6c290f627",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x292550cc000"
              },
              {
                "name": "RegionSize",
                "value": "0x0000b000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 24415
          },
          {
            "timestamp": "2026-05-28 22:02:43,287",
            "thread_id": "1496",
            "caller": "0x7ff6c28d33af",
            "parentcaller": "0x7ff6c290f627",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x292550d7000"
              },
              {
                "name": "RegionSize",
                "value": "0x00015000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 24416
          },
          {
            "timestamp": "2026-05-28 22:02:43,303",
            "thread_id": "1496",
            "caller": "0x7ff6c28d33af",
            "parentcaller": "0x7ff6c290f627",
            "category": "misc",
            "api": "SystemParametersInfoW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "Action",
                "value": "0x00000042"
              },
              {
                "name": "uiParam",
                "value": "0x00000010"
              }
            ],
            "repeated": 8,
            "id": 24417
          },
          {
            "timestamp": "2026-05-28 22:02:43,303",
            "thread_id": "1496",
            "caller": "0x7ff6c28da9db",
            "parentcaller": "0x7ff6c28d6fb1",
            "category": "misc",
            "api": "GetCursorPos",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "x",
                "value": "522"
              },
              {
                "name": "y",
                "value": "390"
              }
            ],
            "repeated": 0,
            "id": 24418
          },
          {
            "timestamp": "2026-05-28 22:02:43,303",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6fb1",
            "parentcaller": "0x7ff6c28e0076",
            "category": "synchronization",
            "api": "NtOpenEvent",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "Handle",
                "value": "0xf09d76f620"
              },
              {
                "name": "EventName",
                "value": "Local\\1ImmersiveFocusTrackingActiveEvent"
              }
            ],
            "repeated": 0,
            "id": 24419
          },
          {
            "timestamp": "2026-05-28 22:02:43,303",
            "thread_id": "1496",
            "caller": "0x7ff6c28da9db",
            "parentcaller": "0x7ff6c28d6fb1",
            "category": "misc",
            "api": "GetCursorPos",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "x",
                "value": "522"
              },
              {
                "name": "y",
                "value": "390"
              }
            ],
            "repeated": 1,
            "id": 24420
          },
          {
            "timestamp": "2026-05-28 22:02:43,318",
            "thread_id": "1496",
            "caller": "0x7ff6c28da9db",
            "parentcaller": "0x7ff6c28d6fb1",
            "category": "misc",
            "api": "GetCursorPos",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "x",
                "value": "535"
              },
              {
                "name": "y",
                "value": "397"
              }
            ],
            "repeated": 0,
            "id": 24421
          },
          {
            "timestamp": "2026-05-28 22:02:43,318",
            "thread_id": "1496",
            "caller": "0x7ff6c28da9db",
            "parentcaller": "0x7ff6c28d6fb1",
            "category": "misc",
            "api": "GetCursorPos",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "x",
                "value": "642"
              },
              {
                "name": "y",
                "value": "463"
              }
            ],
            "repeated": 0,
            "id": 24422
          },
          {
            "timestamp": "2026-05-28 22:02:43,318",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6f98",
            "parentcaller": "0x7ff6c28e0076",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x292550ec000"
              },
              {
                "name": "RegionSize",
                "value": "0x00024000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 24423
          },
          {
            "timestamp": "2026-05-28 22:02:43,318",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6f98",
            "parentcaller": "0x7ff6c28e0076",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29255110000"
              },
              {
                "name": "RegionSize",
                "value": "0x00047000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 24424
          },
          {
            "timestamp": "2026-05-28 22:02:43,318",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6f98",
            "parentcaller": "0x7ff6c28e0076",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29255157000"
              },
              {
                "name": "RegionSize",
                "value": "0x0008d000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 24425
          },
          {
            "timestamp": "2026-05-28 22:02:43,318",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6f98",
            "parentcaller": "0x7ff6c28e0076",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x292550cb000"
              },
              {
                "name": "RegionSize",
                "value": "0x00324000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 24426
          },
          {
            "timestamp": "2026-05-28 22:02:43,334",
            "thread_id": "1496",
            "caller": "0x7ff6c28da9db",
            "parentcaller": "0x7ff6c28d6fb1",
            "category": "misc",
            "api": "GetCursorPos",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "x",
                "value": "642"
              },
              {
                "name": "y",
                "value": "463"
              }
            ],
            "repeated": 0,
            "id": 24427
          },
          {
            "timestamp": "2026-05-28 22:02:43,334",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6fb1",
            "parentcaller": "0x7ff6c28e0076",
            "category": "system",
            "api": "NtDelayExecution",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 24428
          },
          {
            "timestamp": "2026-05-28 22:02:43,350",
            "thread_id": "1496",
            "caller": "0x7ff6c28da9db",
            "parentcaller": "0x7ff6c28d6fb1",
            "category": "misc",
            "api": "GetCursorPos",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "x",
                "value": "663"
              },
              {
                "name": "y",
                "value": "477"
              }
            ],
            "repeated": 0,
            "id": 24429
          },
          {
            "timestamp": "2026-05-28 22:02:43,350",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6f98",
            "parentcaller": "0x7ff6c28e0076",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x292550cb000"
              },
              {
                "name": "RegionSize",
                "value": "0x00024000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 24430
          },
          {
            "timestamp": "2026-05-28 22:02:43,350",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6f98",
            "parentcaller": "0x7ff6c28e0076",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x292550ef000"
              },
              {
                "name": "RegionSize",
                "value": "0x00047000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 24431
          },
          {
            "timestamp": "2026-05-28 22:02:43,350",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6f98",
            "parentcaller": "0x7ff6c28e0076",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29255136000"
              },
              {
                "name": "RegionSize",
                "value": "0x0008d000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 24432
          },
          {
            "timestamp": "2026-05-28 22:02:43,350",
            "thread_id": "1496",
            "caller": "0x7ff6c28da9db",
            "parentcaller": "0x7ff6c28d6fb1",
            "category": "misc",
            "api": "GetCursorPos",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "x",
                "value": "856"
              },
              {
                "name": "y",
                "value": "597"
              }
            ],
            "repeated": 0,
            "id": 24433
          },
          {
            "timestamp": "2026-05-28 22:02:43,381",
            "thread_id": "1496",
            "caller": "0x7ff6c28da9db",
            "parentcaller": "0x7ff6c28d6fb1",
            "category": "misc",
            "api": "GetCursorPos",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "x",
                "value": "1120"
              },
              {
                "name": "y",
                "value": "727"
              }
            ],
            "repeated": 0,
            "id": 24434
          },
          {
            "timestamp": "2026-05-28 22:02:43,381",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6fb1",
            "parentcaller": "0x7ff6c28e0076",
            "category": "system",
            "api": "NtDelayExecution",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 24435
          },
          {
            "timestamp": "2026-05-28 22:02:43,490",
            "thread_id": "2700",
            "caller": "0x7ffc77bf0e98",
            "parentcaller": "0x7ffc77c6b785",
            "category": "windows",
            "api": "PostMessageW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "WindowHandle",
                "value": "0x00010424"
              },
              {
                "name": "Message",
                "value": "0x00000400"
              }
            ],
            "repeated": 0,
            "id": 24436
          },
          {
            "timestamp": "2026-05-28 22:02:43,490",
            "thread_id": "5448",
            "caller": "0x7ff6c28bd9af",
            "parentcaller": "0x7ff6c28d9f92",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "23"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x08\\x0f\\x80m\\x00\\x00\\x00\\x00:M\\x17\\x92f\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "5448"
              }
            ],
            "repeated": 0,
            "id": 24437
          },
          {
            "timestamp": "2026-05-28 22:02:43,490",
            "thread_id": "8604",
            "caller": "0x7ff6c28c4a58",
            "parentcaller": "0x7ff6c28bab11",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000410"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\PcwDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00224013"
              },
              {
                "name": "InputBuffer",
                "value": "\\x88\\x08\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": "x\\x02\\x00\\x00\\x10\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00h\\x02\\x00\\x00 \\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01<\\x06\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x90\\x00\\x00\\x00\\x00\\x00\\x00\\x00 \\x00\\x00\\x00\\x07\\x00\\x00\\x000\\x00,\\x000\\x00\\x00\\x00a\\x00n\\x00a\\x00g\\x00\\x10\\x00\\x00\\x00\\x10\\x00\\x04\\x00\\x00\\x00\\x00\\x00A\\x00p\\x00\\x10\\x00\\x00\\x00\\x1a\\x00\\x08\\x00\\xb9,\\x9d\\x06\\x01\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x1b\\x00\\x04\\x00\\x98\\x93?\\x04S\\x00e\\x00\\x10\\x00\\x00\\x00\\x1c\\x00\\x08\\x00\\x8b\\xc2\\xc4\\x08\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x1d\\x00\\x04\\x00\\x98\\x93?\\x04)\\x00\\x00\\x00\\x10\\x00\\x00\\x00!\\x00\\x08\\x009a\\xf3\\xcf%\\x00\\x00\\x00\\x10\\x00\\x00\\x00\"\\x00\\x04\\x00\\xb0J\\xa0\\x02o\\x00f\\x00\\x90\\x00\\x00\\x00\\x01\\x00\\x00\\x00 \\x00\\x00\\x00\\x07\\x00\\x00\\x000\\x00,\\x001\\x00\\x00\\x00n\\x00t\\x00\\x00\\x00A\\x00\\x10\\x00\\x00\\x00\\x10\\x00\\x04\\x00\\x00\\x00\\x00\\x00e\\x00n\\x00\\x10\\x00\\x00\\x00\\x1a\\x00\\x08\\x00yU\t\\x0c\\x01\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 24438
          },
          {
            "timestamp": "2026-05-28 22:02:43,490",
            "thread_id": "8604",
            "caller": "0x7ff6c28c7164",
            "parentcaller": "0x7ff6c28c4d2d",
            "category": "misc",
            "api": "NtQuerySystemInformation",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "SystemInformationClass",
                "value": "79"
              }
            ],
            "repeated": 0,
            "id": 24439
          },
          {
            "timestamp": "2026-05-28 22:02:43,490",
            "thread_id": "8604",
            "caller": "0x7ff6c28c71d8",
            "parentcaller": "0x7ff6c28c4d2d",
            "category": "misc",
            "api": "NtQuerySystemInformation",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SystemInformationClass",
                "value": "79"
              }
            ],
            "repeated": 0,
            "id": 24440
          },
          {
            "timestamp": "2026-05-28 22:02:43,490",
            "thread_id": "8604",
            "caller": "0x7ff6c28c4d5f",
            "parentcaller": "0x7ff6c28d9152",
            "category": "misc",
            "api": "NtQuerySystemInformation",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SystemInformationClass",
                "value": "182"
              }
            ],
            "repeated": 0,
            "id": 24441
          },
          {
            "timestamp": "2026-05-28 22:02:43,490",
            "thread_id": "8604",
            "caller": "0x7ff6c28c4d76",
            "parentcaller": "0x7ff6c28d9152",
            "category": "misc",
            "api": "GetPhysicallyInstalledSystemMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TotalMemoryInKilobytes",
                "value": "8388608"
              }
            ],
            "repeated": 0,
            "id": 24442
          },
          {
            "timestamp": "2026-05-28 22:02:43,490",
            "thread_id": "8604",
            "caller": "0x7ff6c28bcc3e",
            "parentcaller": "0x7ff6c28baa3d",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000008a4"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\Nsi"
              },
              {
                "name": "IoControlCode",
                "value": "0x00120007"
              },
              {
                "name": "InputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb1\\xa9t\\xfc\\x7f\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xc0\\xe5O\\x9e\\xf0\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb1\\xa9t\\xfc\\x7f\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xc0\\xe5O\\x9e\\xf0\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 24443
          },
          {
            "timestamp": "2026-05-28 22:02:43,490",
            "thread_id": "8604",
            "caller": "0x7ff6c28bcc3e",
            "parentcaller": "0x7ff6c28baa3d",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000ab8"
              }
            ],
            "repeated": 0,
            "id": 24444
          },
          {
            "timestamp": "2026-05-28 22:02:43,490",
            "thread_id": "8604",
            "caller": "0x7ff6c28bcc3e",
            "parentcaller": "0x7ff6c28baa3d",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000008a4"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\Nsi"
              },
              {
                "name": "IoControlCode",
                "value": "0x0012000f"
              },
              {
                "name": "InputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb1\\xa9t\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xd0\\xe5O\\x9e\\xf0\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\xeeO\\x9e\\xf0\\x00\\x00\\x00D\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xe6O\\x9e\\xf0\\x00\\x00\\x00\\xd8\\x00\\x00\\x00\\x00\\x00\\x00\\x00 \\xe9O\\x9e\\xf0\\x00\\x00\\x00X\\x02\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb1\\xa9t\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xd0\\xe5O\\x9e\\xf0\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\xeeO\\x9e\\xf0\\x00\\x00\\x00D\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xe6O\\x9e\\xf0\\x00\\x00\\x00\\xd8\\x00\\x00\\x00\\x00\\x00\\x00\\x00 \\xe9O\\x9e\\xf0\\x00\\x00\\x00X\\x02\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 24445
          },
          {
            "timestamp": "2026-05-28 22:02:43,490",
            "thread_id": "8604",
            "caller": "0x7ff6c28bcc3e",
            "parentcaller": "0x7ff6c28baa3d",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000ab8"
              }
            ],
            "repeated": 0,
            "id": 24446
          },
          {
            "timestamp": "2026-05-28 22:02:43,490",
            "thread_id": "8604",
            "caller": "0x7ff6c28bcd3d",
            "parentcaller": "0x7ff6c28baa3d",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000ab8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0012019f",
                "pretty_value": "FILE_GENERIC_READ|FILE_GENERIC_WRITE"
              },
              {
                "name": "FileName",
                "value": "\\Device\\{4C572733-2FBA-4346-9601-F86DBA666EF2}"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 24447
          },
          {
            "timestamp": "2026-05-28 22:02:43,490",
            "thread_id": "5448",
            "caller": "0x7ff6c28c63dd",
            "parentcaller": "0x7ff6c28bac26",
            "category": "misc",
            "api": "NtQuerySystemInformation",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SystemInformationClass",
                "value": "5",
                "pretty_value": "SystemProcessInformation"
              }
            ],
            "repeated": 0,
            "id": 24448
          },
          {
            "timestamp": "2026-05-28 22:02:43,490",
            "thread_id": "8604",
            "caller": "0x7ff6c28bcd94",
            "parentcaller": "0x7ff6c28baa3d",
            "category": "device",
            "api": "DeviceIoControl",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "DeviceHandle",
                "value": "0x00000ab8"
              },
              {
                "name": "IoControlCode",
                "value": "0x0017003e"
              },
              {
                "name": "InBuffer",
                "value": "\\x07\\x01\\x01\\x00\\x04\\x01\\x01\\x80\\x14\\x01\\x01\\x80\\x01\\x01\\x02\\x00\\x02\\x01\\x02\\x00\\x03\\x01\\x02\\x00\\x04\\x01\\x02\\x00\\x08\\x02\\x02\\x80\\x01\\x02\\x02\\x80\\x07\\x02\\x02\\x80\\xff\\xff\\xff\\x80\\x13\\x02\\x02\\x80\\x14\\x02\\x02\\x80\\x15\\x02\\x02\\x80\\x02\\x02\\x01\\x80"
              },
              {
                "name": "OutBuffer",
                "value": "\\x07\\x01\\x01\\x00\\x04\\x00\\x00\\x00\\x80\\x96\\x98\\x00\\x04\\x01\\x01\\x80\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x14\\x01\\x01\\x80\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x01\\x02\\x00\\x08\\x00\\x00\\x00\\xe8\\x16\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x01\\x02\\x00\\x08\\x00\\x00\\x00\\xfbq\\x00\\x00\\x00\\x00\\x00\\x00\\x03\\x01\\x02\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x04\\x01\\x02\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x08\\x02\\x02\\x80\\x08\\x00\\x00\\x00\\xf6q\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x02\\x02\\x80\\x08\\x00\\x00\\x005&_\\x00\\x00\\x00\\x00\\x00\\x07\\x02\\x02\\x80\\x08\\x00\\x00\\x00B\\x88A\\x02\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\x80\\x04\\x00\\x00\\x00m\\x00\\x00\\x00\\x13\\x02\\x02\\x80\\x04\\x00\\x00\\x00m\\x00\\x00\\x00\\x14\\x02\\x02\\x80\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x15\\x02\\x02\\x80\\x04\\x00\\x00\\x00\\x00\\x00\\x04\\x00\\x02\\x02\\x01\\x80\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 24449
          },
          {
            "timestamp": "2026-05-28 22:02:43,490",
            "thread_id": "8604",
            "caller": "0x7ff6c28bcdab",
            "parentcaller": "0x7ff6c28baa3d",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000ab8"
              }
            ],
            "repeated": 0,
            "id": 24450
          },
          {
            "timestamp": "2026-05-28 22:02:43,490",
            "thread_id": "5448",
            "caller": "0x7ff6c28bdaa2",
            "parentcaller": "0x7ff6c28d9f92",
            "category": "misc",
            "api": "NtQuerySystemInformation",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SystemInformationClass",
                "value": "3",
                "pretty_value": "SystemTimeOfDayInformation"
              }
            ],
            "repeated": 0,
            "id": 24451
          },
          {
            "timestamp": "2026-05-28 22:02:43,490",
            "thread_id": "8604",
            "caller": "0x7ff6c28c1a63",
            "parentcaller": "0x7ff6c28d9152",
            "category": "device",
            "api": "DeviceIoControl",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "DeviceHandle",
                "value": "0x0000089c"
              },
              {
                "name": "IoControlCode",
                "value": "0x00070020"
              },
              {
                "name": "InBuffer",
                "value": ""
              },
              {
                "name": "OutBuffer",
                "value": "\\x00\\xb6\\xe5x\\x00\\x00\\x00\\x00\\x00\\xa8\\x8b\\x0c\\x00\\x00\\x00\\x00\\xc9R\\xbf \\x00\\x00\\x00\\x00\\x1cV,\\x16\\x00\\x00\\x00\\x00fW./\\x00\\x00\\x00\\x00\tw\\x00\\x00\\x02\\x12\\x00\\x00\\x00\\x00\\x00\\x00\\xf8\\x04\\x00\\x00\\x8c\\xf6\\x8e\\xb5\\xed\\xee\\xdc\\x01\\x00\\x00\\x00\\x00P\\x00a\\x00r\\x00t\\x00m\\x00g\\x00r\\x00 \\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 24452
          },
          {
            "timestamp": "2026-05-28 22:02:43,490",
            "thread_id": "8604",
            "caller": "0x7ff6c28ca352",
            "parentcaller": "0x7ff6c28ca1d6",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 24453
          },
          {
            "timestamp": "2026-05-28 22:02:43,490",
            "thread_id": "8604",
            "caller": "0x7ff6c28ca352",
            "parentcaller": "0x7ff6c28ca1d6",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "0",
                "pretty_value": "ThreadBasicInformation"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x03\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb0\\x88\\x9d\\xf0\\x00\\x00\\x00\\xe8\\x1e\\x00\\x00\\x00\\x00\\x00\\x00\\x9c!\\x00\\x00\\x00\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x0b\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "8604"
              }
            ],
            "repeated": 0,
            "id": 24454
          },
          {
            "timestamp": "2026-05-28 22:02:43,490",
            "thread_id": "5448",
            "caller": "0x7ff6c28c4a58",
            "parentcaller": "0x7ff6c28c4bdc",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000410"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\PcwDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00224013"
              },
              {
                "name": "InputBuffer",
                "value": "\\x14\\x04\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": "\\xb8\\x01\\x00\\x00\\x10\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xa8\\x01\\x00\\x00 \\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x000\\x00\\x00\\x0c\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00`\\x00\\x00\\x00\\x00\\x00\\x00\\x00 \\x00\\x00\\x00\\x04\\x00\\x00\\x000\\x00,\\x000\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x04\\x00\\x08\\x00V!\\x83\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x05\\x00\\x08\\x00VN\\xb4\\x01\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x1a\\x00\\x08\\x00A\\xd6\\x9d\\x06\\x01\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x1b\\x00\\x04\\x00J\\x95?\\x04\\x00\\x00\\x00\\x00`\\x00\\x00\\x00\\x01\\x00\\x00\\x00 \\x00\\x00\\x00\\x04\\x00\\x00\\x000\\x00,\\x001\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x04\\x00\\x08\\x00\\xaey^\\x01\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x05\\x00\\x08\\x00T\\xea*\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x1a\\x00\\x08\\x003\\xfd\t\\x0c\\x01\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x1b\\x00\\x04\\x00N\\x95?\\x04\\x00\\x00\\x00\\x00h\\x00\\x00\\x00\\x02\\x00\\x00\\x00(\\x00\\x00\\x00\\x04\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 24455
          },
          {
            "timestamp": "2026-05-28 22:02:43,490",
            "thread_id": "8604",
            "caller": "0x7ff6c28ca352",
            "parentcaller": "0x7ff6c28ca1d6",
            "category": "system",
            "api": "GetSystemTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 1,
            "id": 24456
          },
          {
            "timestamp": "2026-05-28 22:02:43,490",
            "thread_id": "5448",
            "caller": "0x7ff6c28c4a58",
            "parentcaller": "0x7ff6c28c4c19",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000410"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\PcwDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00224013"
              },
              {
                "name": "InputBuffer",
                "value": "\\x18\\x04\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": "x\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00h\\x00\\x00\\x00 \\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00H\\x00\\x00\\x00\\x00\\x00\\x00\\x00(\\x00\\x00\\x00\\x02\\x00\\x00\\x00d\\x00e\\x00f\\x00a\\x00u\\x00l\\x00t\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x08\\x00\\x1b\\x80\\xcb\\xa3\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x01\\x00\\x08\\x00\\x00\\xa8i\\x0e\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 24457
          },
          {
            "timestamp": "2026-05-28 22:02:43,490",
            "thread_id": "8604",
            "caller": "0x7ff6c28ca352",
            "parentcaller": "0x7ff6c28ca1d6",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000410"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\PcwDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00224013"
              },
              {
                "name": "InputBuffer",
                "value": "\\x00\t\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": "\\xe0G\\x00\\x00\\x10\\x00\\x00\\x00\\x0c\\x00\\x00\\x00\\x00\\x00\\x00\\x00`\\x14\\x00\\x00 \\x00\\x00\\x00!\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\n\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x98\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x88\\x00\\x00\\x00\\x01\\x00\\x00\\x00p\\x00i\\x00d\\x00_\\x004\\x00_\\x00l\\x00u\\x00i\\x00d\\x00_\\x000\\x00x\\x000\\x000\\x000\\x000\\x000\\x000\\x000\\x000\\x00_\\x000\\x00x\\x000\\x000\\x000\\x000\\x006\\x001\\x006\\x00A\\x00_\\x00p\\x00h\\x00y\\x00s\\x00_\\x000\\x00_\\x00e\\x00n\\x00g\\x00_\\x000\\x00_\\x00e\\x00n\\x00g\\x00t\\x00y\\x00p\\x00e\\x00_\\x003\\x00D\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x01\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x98\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x88\\x00\\x00\\x00\\x01\\x00\\x00\\x00p\\x00i\\x00d\\x00_\\x004\\x00_\\x00l\\x00u\\x00i\\x00d\\x00_\\x000\\x00x\\x000\\x000\\x000\\x000\\x000\\x000\\x000\\x00"
              }
            ],
            "repeated": 0,
            "id": 24458
          },
          {
            "timestamp": "2026-05-28 22:02:43,490",
            "thread_id": "5448",
            "caller": "0x7ff6c28c6f7b",
            "parentcaller": "0x7ff6c28bdb94",
            "category": "misc",
            "api": "GlobalMemoryStatusEx",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "MemoryLoad",
                "value": "35"
              },
              {
                "name": "TotalPhysicalMB",
                "value": "8191"
              }
            ],
            "repeated": 0,
            "id": 24459
          },
          {
            "timestamp": "2026-05-28 22:02:43,490",
            "thread_id": "5448",
            "caller": "0x7ff6c28c05ac",
            "parentcaller": "0x7ff6c28bdc11",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000ac0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001400",
                "pretty_value": "PROCESS_QUERY_INFORMATION|PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "748"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\148.0.3967.83\\identity_helper.exe"
              }
            ],
            "repeated": 0,
            "id": 24460
          },
          {
            "timestamp": "2026-05-28 22:02:43,490",
            "thread_id": "5448",
            "caller": "0x7ff6c28c068f",
            "parentcaller": "0x7ff6c28bdc11",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000ac0"
              }
            ],
            "repeated": 0,
            "id": 24461
          },
          {
            "timestamp": "2026-05-28 22:02:43,490",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c6d7d",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000ac0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001400",
                "pretty_value": "PROCESS_QUERY_INFORMATION|PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "748"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\148.0.3967.83\\identity_helper.exe"
              }
            ],
            "repeated": 0,
            "id": 24462
          },
          {
            "timestamp": "2026-05-28 22:02:43,490",
            "thread_id": "5448",
            "caller": "0x7ff6c28c6de3",
            "parentcaller": "0x7ff6c28c087c",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000ac0"
              }
            ],
            "repeated": 0,
            "id": 24463
          },
          {
            "timestamp": "2026-05-28 22:02:43,490",
            "thread_id": "2700",
            "caller": "0x7ff6c28d9214",
            "parentcaller": "0x00000000",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "0",
                "pretty_value": "ThreadBasicInformation"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x03\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xd0\\x86\\x9d\\xf0\\x00\\x00\\x00\\xe8\\x1e\\x00\\x00\\x00\\x00\\x00\\x00\\x8c\n\\x00\\x00\\x00\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\n\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "2700"
              }
            ],
            "repeated": 0,
            "id": 24464
          },
          {
            "timestamp": "2026-05-28 22:02:43,506",
            "thread_id": "2700",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000000",
                "pretty_value": "HKEY_CLASSES_ROOT"
              },
              {
                "name": "SubKey",
                "value": "CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_CLASSES_ROOT\\CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              }
            ],
            "repeated": 0,
            "id": 24465
          },
          {
            "timestamp": "2026-05-28 22:02:43,506",
            "thread_id": "2700",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "shell32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76730000"
              }
            ],
            "repeated": 0,
            "id": 24466
          },
          {
            "timestamp": "2026-05-28 22:02:43,506",
            "thread_id": "2700",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x7ffc76730000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "shell32.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 24467
          },
          {
            "timestamp": "2026-05-28 22:02:43,506",
            "thread_id": "2700",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "SHELL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc76730000"
              },
              {
                "name": "FunctionName",
                "value": "DllGetClassObject"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc767878f0"
              }
            ],
            "repeated": 0,
            "id": 24468
          },
          {
            "timestamp": "2026-05-28 22:02:43,506",
            "thread_id": "2700",
            "caller": "0x7ff6c28c27c9",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "synchronization",
            "api": "NtFindAtom",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "AtomName",
                "value": "{57086C23-86C6-478F-AFB2-236188C8F47F} 3"
              },
              {
                "name": "Atom",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 24469
          },
          {
            "timestamp": "2026-05-28 22:02:43,506",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6fb1",
            "parentcaller": "0x7ff6c28e0076",
            "category": "system",
            "api": "NtDelayExecution",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 24470
          },
          {
            "timestamp": "2026-05-28 22:02:43,506",
            "thread_id": "2700",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000000",
                "pretty_value": "HKEY_CLASSES_ROOT"
              },
              {
                "name": "SubKey",
                "value": "CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_CLASSES_ROOT\\CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              }
            ],
            "repeated": 0,
            "id": 24471
          },
          {
            "timestamp": "2026-05-28 22:02:43,506",
            "thread_id": "2700",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "shell32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76730000"
              }
            ],
            "repeated": 0,
            "id": 24472
          },
          {
            "timestamp": "2026-05-28 22:02:43,506",
            "thread_id": "2700",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x7ffc76730000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "shell32.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 24473
          },
          {
            "timestamp": "2026-05-28 22:02:43,506",
            "thread_id": "2700",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "SHELL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc76730000"
              },
              {
                "name": "FunctionName",
                "value": "DllGetClassObject"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc767878f0"
              }
            ],
            "repeated": 0,
            "id": 24474
          },
          {
            "timestamp": "2026-05-28 22:02:43,506",
            "thread_id": "2700",
            "caller": "0x7ff6c28c27c9",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "synchronization",
            "api": "NtFindAtom",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "AtomName",
                "value": "{57086C23-86C6-478F-AFB2-236188C8F47F} 3"
              },
              {
                "name": "Atom",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 24475
          },
          {
            "timestamp": "2026-05-28 22:02:43,506",
            "thread_id": "2700",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000000",
                "pretty_value": "HKEY_CLASSES_ROOT"
              },
              {
                "name": "SubKey",
                "value": "CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_CLASSES_ROOT\\CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              }
            ],
            "repeated": 0,
            "id": 24476
          },
          {
            "timestamp": "2026-05-28 22:02:43,506",
            "thread_id": "2700",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "shell32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76730000"
              }
            ],
            "repeated": 0,
            "id": 24477
          },
          {
            "timestamp": "2026-05-28 22:02:43,506",
            "thread_id": "2700",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x7ffc76730000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "shell32.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 24478
          },
          {
            "timestamp": "2026-05-28 22:02:43,506",
            "thread_id": "2700",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "SHELL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc76730000"
              },
              {
                "name": "FunctionName",
                "value": "DllGetClassObject"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc767878f0"
              }
            ],
            "repeated": 0,
            "id": 24479
          },
          {
            "timestamp": "2026-05-28 22:02:43,506",
            "thread_id": "2700",
            "caller": "0x7ff6c28c27c9",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "synchronization",
            "api": "NtFindAtom",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "AtomName",
                "value": "{57086C23-86C6-478F-AFB2-236188C8F47F} 3"
              },
              {
                "name": "Atom",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 24480
          },
          {
            "timestamp": "2026-05-28 22:02:43,506",
            "thread_id": "2700",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000000",
                "pretty_value": "HKEY_CLASSES_ROOT"
              },
              {
                "name": "SubKey",
                "value": "CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_CLASSES_ROOT\\CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              }
            ],
            "repeated": 0,
            "id": 24481
          },
          {
            "timestamp": "2026-05-28 22:02:43,506",
            "thread_id": "2700",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "shell32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76730000"
              }
            ],
            "repeated": 0,
            "id": 24482
          },
          {
            "timestamp": "2026-05-28 22:02:43,506",
            "thread_id": "2700",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x7ffc76730000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "shell32.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 24483
          },
          {
            "timestamp": "2026-05-28 22:02:43,506",
            "thread_id": "2700",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "SHELL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc76730000"
              },
              {
                "name": "FunctionName",
                "value": "DllGetClassObject"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc767878f0"
              }
            ],
            "repeated": 0,
            "id": 24484
          },
          {
            "timestamp": "2026-05-28 22:02:43,506",
            "thread_id": "2700",
            "caller": "0x7ff6c28c27c9",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "synchronization",
            "api": "NtFindAtom",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "AtomName",
                "value": "{57086C23-86C6-478F-AFB2-236188C8F47F} 3"
              },
              {
                "name": "Atom",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 24485
          },
          {
            "timestamp": "2026-05-28 22:02:43,506",
            "thread_id": "2700",
            "caller": "0x7ff6c28d9322",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "oleaut32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc77330000"
              }
            ],
            "repeated": 0,
            "id": 24486
          },
          {
            "timestamp": "2026-05-28 22:02:43,506",
            "thread_id": "5448",
            "caller": "0x7ff6c28bb952",
            "parentcaller": "0x7ff6c28be837",
            "category": "windows",
            "api": "PostMessageW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "WindowHandle",
                "value": "0x00010402"
              },
              {
                "name": "Message",
                "value": "0x00000464"
              }
            ],
            "repeated": 0,
            "id": 24487
          },
          {
            "timestamp": "2026-05-28 22:02:43,506",
            "thread_id": "5448",
            "caller": "0x7ff6c28be873",
            "parentcaller": "0x7ff6c28d9f92",
            "category": "windows",
            "api": "PostMessageW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "WindowHandle",
                "value": "0x000203fa"
              },
              {
                "name": "Message",
                "value": "0x000004dd"
              }
            ],
            "repeated": 0,
            "id": 24488
          },
          {
            "timestamp": "2026-05-28 22:02:43,506",
            "thread_id": "608",
            "caller": "0x7ff6c28d9e90",
            "parentcaller": "0x7ff6c28d9a49",
            "category": "windows",
            "api": "FindWindowW",
            "status": true,
            "return": "0x00010092",
            "arguments": [
              {
                "name": "ClassName",
                "value": "Shell_TrayWnd"
              },
              {
                "name": "WindowName",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 24489
          },
          {
            "timestamp": "2026-05-28 22:02:43,506",
            "thread_id": "2700",
            "caller": "0x7ffc77bf0e98",
            "parentcaller": "0x7ffc77c6b785",
            "category": "windows",
            "api": "PostMessageW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "WindowHandle",
                "value": "0x00010438"
              },
              {
                "name": "Message",
                "value": "0x00000400"
              }
            ],
            "repeated": 0,
            "id": 24490
          },
          {
            "timestamp": "2026-05-28 22:02:44,490",
            "thread_id": "5448",
            "caller": "0x7ff6c28bd9af",
            "parentcaller": "0x7ff6c28d9f92",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "23"
              },
              {
                "name": "ThreadInformation",
                "value": "B\\xf8\\xe3m\\x00\\x00\\x00\\x00\\x14r\\xeejg\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "5448"
              }
            ],
            "repeated": 0,
            "id": 24491
          },
          {
            "timestamp": "2026-05-28 22:02:44,490",
            "thread_id": "8604",
            "caller": "0x7ff6c28c4a58",
            "parentcaller": "0x7ff6c28bab11",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000410"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\PcwDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00224013"
              },
              {
                "name": "InputBuffer",
                "value": "\\x88\\x08\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": "x\\x02\\x00\\x00\\x10\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00h\\x02\\x00\\x00 \\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01<\\x06\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x90\\x00\\x00\\x00\\x00\\x00\\x00\\x00 \\x00\\x00\\x00\\x07\\x00\\x00\\x000\\x00,\\x000\\x00\\x00\\x00a\\x00n\\x00a\\x00g\\x00\\x10\\x00\\x00\\x00\\x10\\x00\\x04\\x00\\x00\\x00\\x00\\x00A\\x00p\\x00\\x10\\x00\\x00\\x00\\x1a\\x00\\x08\\x00\\xe1\\x07J\n\\x01\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x1b\\x00\\x04\\x000\\xfcH\\x04S\\x00e\\x00\\x10\\x00\\x00\\x00\\x1c\\x00\\x08\\x00\\x8b\\xc2\\xc4\\x08\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x1d\\x00\\x04\\x000\\xfcH\\x04)\\x00\\x00\\x00\\x10\\x00\\x00\\x00!\\x00\\x08\\x00\\xb0UkW&\\x00\\x00\\x00\\x10\\x00\\x00\\x00\"\\x00\\x04\\x00G\\xb3\\xa9\\x02o\\x00f\\x00\\x90\\x00\\x00\\x00\\x01\\x00\\x00\\x00 \\x00\\x00\\x00\\x07\\x00\\x00\\x000\\x00,\\x001\\x00\\x00\\x00n\\x00t\\x00\\x00\\x00A\\x00\\x10\\x00\\x00\\x00\\x10\\x00\\x04\\x00\\x00\\x00\\x00\\x00e\\x00n\\x00\\x10\\x00\\x00\\x00\\x1a\\x00\\x08\\x00\\xd30\\xb6\\x0f\\x01\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 24492
          },
          {
            "timestamp": "2026-05-28 22:02:44,490",
            "thread_id": "8604",
            "caller": "0x7ff6c28c7164",
            "parentcaller": "0x7ff6c28c4d2d",
            "category": "misc",
            "api": "NtQuerySystemInformation",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "SystemInformationClass",
                "value": "79"
              }
            ],
            "repeated": 0,
            "id": 24493
          },
          {
            "timestamp": "2026-05-28 22:02:44,490",
            "thread_id": "8604",
            "caller": "0x7ff6c28c71d8",
            "parentcaller": "0x7ff6c28c4d2d",
            "category": "misc",
            "api": "NtQuerySystemInformation",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SystemInformationClass",
                "value": "79"
              }
            ],
            "repeated": 0,
            "id": 24494
          },
          {
            "timestamp": "2026-05-28 22:02:44,490",
            "thread_id": "8604",
            "caller": "0x7ff6c28c4d5f",
            "parentcaller": "0x7ff6c28d9152",
            "category": "misc",
            "api": "NtQuerySystemInformation",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SystemInformationClass",
                "value": "182"
              }
            ],
            "repeated": 0,
            "id": 24495
          },
          {
            "timestamp": "2026-05-28 22:02:44,490",
            "thread_id": "8604",
            "caller": "0x7ff6c28c4d76",
            "parentcaller": "0x7ff6c28d9152",
            "category": "misc",
            "api": "GetPhysicallyInstalledSystemMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TotalMemoryInKilobytes",
                "value": "8388608"
              }
            ],
            "repeated": 0,
            "id": 24496
          },
          {
            "timestamp": "2026-05-28 22:02:44,490",
            "thread_id": "8604",
            "caller": "0x7ff6c28bcc3e",
            "parentcaller": "0x7ff6c28baa3d",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000008a4"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\Nsi"
              },
              {
                "name": "IoControlCode",
                "value": "0x00120007"
              },
              {
                "name": "InputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb1\\xa9t\\xfc\\x7f\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xc0\\xe5O\\x9e\\xf0\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb1\\xa9t\\xfc\\x7f\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xc0\\xe5O\\x9e\\xf0\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 24497
          },
          {
            "timestamp": "2026-05-28 22:02:44,490",
            "thread_id": "8604",
            "caller": "0x7ff6c28bcc3e",
            "parentcaller": "0x7ff6c28baa3d",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000ab8"
              }
            ],
            "repeated": 0,
            "id": 24498
          },
          {
            "timestamp": "2026-05-28 22:02:44,490",
            "thread_id": "8604",
            "caller": "0x7ff6c28bcc3e",
            "parentcaller": "0x7ff6c28baa3d",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000008a4"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\Nsi"
              },
              {
                "name": "IoControlCode",
                "value": "0x0012000f"
              },
              {
                "name": "InputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb1\\xa9t\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xd0\\xe5O\\x9e\\xf0\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\xeeO\\x9e\\xf0\\x00\\x00\\x00D\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xe6O\\x9e\\xf0\\x00\\x00\\x00\\xd8\\x00\\x00\\x00\\x00\\x00\\x00\\x00 \\xe9O\\x9e\\xf0\\x00\\x00\\x00X\\x02\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb1\\xa9t\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xd0\\xe5O\\x9e\\xf0\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\xeeO\\x9e\\xf0\\x00\\x00\\x00D\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xe6O\\x9e\\xf0\\x00\\x00\\x00\\xd8\\x00\\x00\\x00\\x00\\x00\\x00\\x00 \\xe9O\\x9e\\xf0\\x00\\x00\\x00X\\x02\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 24499
          },
          {
            "timestamp": "2026-05-28 22:02:44,490",
            "thread_id": "8604",
            "caller": "0x7ff6c28bcc3e",
            "parentcaller": "0x7ff6c28baa3d",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000ab8"
              }
            ],
            "repeated": 0,
            "id": 24500
          },
          {
            "timestamp": "2026-05-28 22:02:44,490",
            "thread_id": "8604",
            "caller": "0x7ff6c28bcd3d",
            "parentcaller": "0x7ff6c28baa3d",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000ab8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0012019f",
                "pretty_value": "FILE_GENERIC_READ|FILE_GENERIC_WRITE"
              },
              {
                "name": "FileName",
                "value": "\\Device\\{4C572733-2FBA-4346-9601-F86DBA666EF2}"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 24501
          },
          {
            "timestamp": "2026-05-28 22:02:44,490",
            "thread_id": "8604",
            "caller": "0x7ff6c28bcd94",
            "parentcaller": "0x7ff6c28baa3d",
            "category": "device",
            "api": "DeviceIoControl",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "DeviceHandle",
                "value": "0x00000ab8"
              },
              {
                "name": "IoControlCode",
                "value": "0x0017003e"
              },
              {
                "name": "InBuffer",
                "value": "\\x07\\x01\\x01\\x00\\x04\\x01\\x01\\x80\\x14\\x01\\x01\\x80\\x01\\x01\\x02\\x00\\x02\\x01\\x02\\x00\\x03\\x01\\x02\\x00\\x04\\x01\\x02\\x00\\x08\\x02\\x02\\x80\\x01\\x02\\x02\\x80\\x07\\x02\\x02\\x80\\xff\\xff\\xff\\x80\\x13\\x02\\x02\\x80\\x14\\x02\\x02\\x80\\x15\\x02\\x02\\x80\\x02\\x02\\x01\\x80"
              },
              {
                "name": "OutBuffer",
                "value": "\\x07\\x01\\x01\\x00\\x04\\x00\\x00\\x00\\x80\\x96\\x98\\x00\\x04\\x01\\x01\\x80\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x14\\x01\\x01\\x80\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x01\\x02\\x00\\x08\\x00\\x00\\x00\\xf0\\x16\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x01\\x02\\x00\\x08\\x00\\x00\\x00\\x05r\\x00\\x00\\x00\\x00\\x00\\x00\\x03\\x01\\x02\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x04\\x01\\x02\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x08\\x02\\x02\\x80\\x08\\x00\\x00\\x00\\x00r\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x02\\x02\\x80\\x08\\x00\\x00\\x00\\xa6(_\\x00\\x00\\x00\\x00\\x00\\x07\\x02\\x02\\x80\\x08\\x00\\x00\\x00\\x89\\x8fA\\x02\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\x80\\x04\\x00\\x00\\x00n\\x00\\x00\\x00\\x13\\x02\\x02\\x80\\x04\\x00\\x00\\x00m\\x00\\x00\\x00\\x14\\x02\\x02\\x80\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x15\\x02\\x02\\x80\\x04\\x00\\x00\\x00\\x00\\x00\\x04\\x00\\x02\\x02\\x01\\x80\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 24502
          },
          {
            "timestamp": "2026-05-28 22:02:44,490",
            "thread_id": "8604",
            "caller": "0x7ff6c28bcdab",
            "parentcaller": "0x7ff6c28baa3d",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000ab8"
              }
            ],
            "repeated": 0,
            "id": 24503
          },
          {
            "timestamp": "2026-05-28 22:02:44,490",
            "thread_id": "8604",
            "caller": "0x7ff6c28c1a63",
            "parentcaller": "0x7ff6c28d9152",
            "category": "device",
            "api": "DeviceIoControl",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "DeviceHandle",
                "value": "0x0000089c"
              },
              {
                "name": "IoControlCode",
                "value": "0x00070020"
              },
              {
                "name": "InBuffer",
                "value": ""
              },
              {
                "name": "OutBuffer",
                "value": "\\x00\\xb6\\xe5x\\x00\\x00\\x00\\x00\\x00\\xfa\\x9e\\x0c\\x00\\x00\\x00\\x00\\xc9R\\xbf \\x00\\x00\\x00\\x00\\x18j?\\x16\\x00\\x00\\x00\\x00\\xde\\xea\\xb8/\\x00\\x00\\x00\\x00\tw\\x00\\x00\n\\x12\\x00\\x00\\x00\\x00\\x00\\x00\\xfb\\x04\\x00\\x00\\x14c%\\xb6\\xed\\xee\\xdc\\x01\\x00\\x00\\x00\\x00P\\x00a\\x00r\\x00t\\x00m\\x00g\\x00r\\x00 \\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 24504
          },
          {
            "timestamp": "2026-05-28 22:02:44,490",
            "thread_id": "8604",
            "caller": "0x7ff6c28ca352",
            "parentcaller": "0x7ff6c28ca1d6",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 24505
          },
          {
            "timestamp": "2026-05-28 22:02:44,490",
            "thread_id": "8604",
            "caller": "0x7ff6c28ca352",
            "parentcaller": "0x7ff6c28ca1d6",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "0",
                "pretty_value": "ThreadBasicInformation"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x03\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb0\\x88\\x9d\\xf0\\x00\\x00\\x00\\xe8\\x1e\\x00\\x00\\x00\\x00\\x00\\x00\\x9c!\\x00\\x00\\x00\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x0b\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "8604"
              }
            ],
            "repeated": 0,
            "id": 24506
          },
          {
            "timestamp": "2026-05-28 22:02:44,490",
            "thread_id": "8604",
            "caller": "0x7ff6c28ca352",
            "parentcaller": "0x7ff6c28ca1d6",
            "category": "system",
            "api": "GetSystemTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 1,
            "id": 24507
          },
          {
            "timestamp": "2026-05-28 22:02:44,490",
            "thread_id": "8604",
            "caller": "0x7ff6c28ca352",
            "parentcaller": "0x7ff6c28ca1d6",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000410"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\PcwDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00224013"
              },
              {
                "name": "InputBuffer",
                "value": "\\x00\t\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": "\\xe0G\\x00\\x00\\x10\\x00\\x00\\x00\\x0c\\x00\\x00\\x00\\x00\\x00\\x00\\x00`\\x14\\x00\\x00 \\x00\\x00\\x00!\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\n\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x98\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x88\\x00\\x00\\x00\\x01\\x00\\x00\\x00p\\x00i\\x00d\\x00_\\x004\\x00_\\x00l\\x00u\\x00i\\x00d\\x00_\\x000\\x00x\\x000\\x000\\x000\\x000\\x000\\x000\\x000\\x000\\x00_\\x000\\x00x\\x000\\x000\\x000\\x000\\x006\\x001\\x006\\x00A\\x00_\\x00p\\x00h\\x00y\\x00s\\x00_\\x000\\x00_\\x00e\\x00n\\x00g\\x00_\\x000\\x00_\\x00e\\x00n\\x00g\\x00t\\x00y\\x00p\\x00e\\x00_\\x003\\x00D\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x01\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x98\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x88\\x00\\x00\\x00\\x01\\x00\\x00\\x00p\\x00i\\x00d\\x00_\\x004\\x00_\\x00l\\x00u\\x00i\\x00d\\x00_\\x000\\x00x\\x000\\x000\\x000\\x000\\x000\\x000\\x000\\x00"
              }
            ],
            "repeated": 0,
            "id": 24508
          },
          {
            "timestamp": "2026-05-28 22:02:44,490",
            "thread_id": "5448",
            "caller": "0x7ff6c28c63dd",
            "parentcaller": "0x7ff6c28bac26",
            "category": "misc",
            "api": "NtQuerySystemInformation",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SystemInformationClass",
                "value": "5",
                "pretty_value": "SystemProcessInformation"
              }
            ],
            "repeated": 0,
            "id": 24509
          },
          {
            "timestamp": "2026-05-28 22:02:44,490",
            "thread_id": "5448",
            "caller": "0x7ff6c28bda50",
            "parentcaller": "0x7ff6c28d9f92",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "23"
              },
              {
                "name": "ThreadInformation",
                "value": "Z\\xf0&n\\x00\\x00\\x00\\x00\\xb6\\xf85kg\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "5448"
              }
            ],
            "repeated": 0,
            "id": 24510
          },
          {
            "timestamp": "2026-05-28 22:02:44,490",
            "thread_id": "5448",
            "caller": "0x7ff6c28bdaa2",
            "parentcaller": "0x7ff6c28d9f92",
            "category": "misc",
            "api": "NtQuerySystemInformation",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SystemInformationClass",
                "value": "3",
                "pretty_value": "SystemTimeOfDayInformation"
              }
            ],
            "repeated": 0,
            "id": 24511
          },
          {
            "timestamp": "2026-05-28 22:02:44,490",
            "thread_id": "5448",
            "caller": "0x7ff6c28c4a58",
            "parentcaller": "0x7ff6c28c4bdc",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000410"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\PcwDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00224013"
              },
              {
                "name": "InputBuffer",
                "value": "\\x14\\x04\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": "\\xb8\\x01\\x00\\x00\\x10\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xa8\\x01\\x00\\x00 \\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x000\\x00\\x00\\x0c\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00`\\x00\\x00\\x00\\x00\\x00\\x00\\x00 \\x00\\x00\\x00\\x04\\x00\\x00\\x000\\x00,\\x000\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x04\\x00\\x08\\x00V!\\x83\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x05\\x00\\x08\\x00VN\\xb4\\x01\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x1a\\x00\\x08\\x00\\xfe\\x10K\n\\x01\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x1b\\x00\\x04\\x00\\xd6\\xfeH\\x04\\x00\\x00\\x00\\x00`\\x00\\x00\\x00\\x01\\x00\\x00\\x00 \\x00\\x00\\x00\\x04\\x00\\x00\\x000\\x00,\\x001\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x04\\x00\\x08\\x00\\xaey^\\x01\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x05\\x00\\x08\\x00T\\xea*\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x1a\\x00\\x08\\x0048\\xb7\\x0f\\x01\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x1b\\x00\\x04\\x00\\xdb\\xfeH\\x04\\x00\\x00\\x00\\x00h\\x00\\x00\\x00\\x02\\x00\\x00\\x00(\\x00\\x00\\x00\\x04\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 24512
          },
          {
            "timestamp": "2026-05-28 22:02:44,490",
            "thread_id": "5448",
            "caller": "0x7ff6c28c4a58",
            "parentcaller": "0x7ff6c28c4c19",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000410"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\PcwDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00224013"
              },
              {
                "name": "InputBuffer",
                "value": "\\x18\\x04\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": "x\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00h\\x00\\x00\\x00 \\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00H\\x00\\x00\\x00\\x00\\x00\\x00\\x00(\\x00\\x00\\x00\\x02\\x00\\x00\\x00d\\x00e\\x00f\\x00a\\x00u\\x00l\\x00t\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x08\\x00\\x1b\\x80\\xcb\\xa3\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x01\\x00\\x08\\x00\\x00\\xfa|\\x0e\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 24513
          },
          {
            "timestamp": "2026-05-28 22:02:44,490",
            "thread_id": "5448",
            "caller": "0x7ff6c28c6f7b",
            "parentcaller": "0x7ff6c28bdb94",
            "category": "misc",
            "api": "GlobalMemoryStatusEx",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "MemoryLoad",
                "value": "35"
              },
              {
                "name": "TotalPhysicalMB",
                "value": "8191"
              }
            ],
            "repeated": 0,
            "id": 24514
          },
          {
            "timestamp": "2026-05-28 22:02:44,490",
            "thread_id": "5448",
            "caller": "0x7ff6c28c05ac",
            "parentcaller": "0x7ff6c28bdc11",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000ac0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001400",
                "pretty_value": "PROCESS_QUERY_INFORMATION|PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "748"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\148.0.3967.83\\identity_helper.exe"
              }
            ],
            "repeated": 0,
            "id": 24515
          },
          {
            "timestamp": "2026-05-28 22:02:44,490",
            "thread_id": "5448",
            "caller": "0x7ff6c28c068f",
            "parentcaller": "0x7ff6c28bdc11",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000ac0"
              }
            ],
            "repeated": 0,
            "id": 24516
          },
          {
            "timestamp": "2026-05-28 22:02:44,490",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c6d7d",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000ac0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001400",
                "pretty_value": "PROCESS_QUERY_INFORMATION|PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "748"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\148.0.3967.83\\identity_helper.exe"
              }
            ],
            "repeated": 0,
            "id": 24517
          },
          {
            "timestamp": "2026-05-28 22:02:44,490",
            "thread_id": "5448",
            "caller": "0x7ff6c28c6de3",
            "parentcaller": "0x7ff6c28c087c",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000ac0"
              }
            ],
            "repeated": 0,
            "id": 24518
          },
          {
            "timestamp": "2026-05-28 22:02:44,490",
            "thread_id": "2700",
            "caller": "0x7ff6c28d9214",
            "parentcaller": "0x00000000",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "0",
                "pretty_value": "ThreadBasicInformation"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x03\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xd0\\x86\\x9d\\xf0\\x00\\x00\\x00\\xe8\\x1e\\x00\\x00\\x00\\x00\\x00\\x00\\x8c\n\\x00\\x00\\x00\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\n\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "2700"
              }
            ],
            "repeated": 0,
            "id": 24519
          },
          {
            "timestamp": "2026-05-28 22:02:44,490",
            "thread_id": "2700",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000000",
                "pretty_value": "HKEY_CLASSES_ROOT"
              },
              {
                "name": "SubKey",
                "value": "CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_CLASSES_ROOT\\CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              }
            ],
            "repeated": 0,
            "id": 24520
          },
          {
            "timestamp": "2026-05-28 22:02:44,490",
            "thread_id": "2700",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "shell32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76730000"
              }
            ],
            "repeated": 0,
            "id": 24521
          },
          {
            "timestamp": "2026-05-28 22:02:44,490",
            "thread_id": "2700",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x7ffc76730000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "shell32.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 24522
          },
          {
            "timestamp": "2026-05-28 22:02:44,490",
            "thread_id": "2700",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "SHELL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc76730000"
              },
              {
                "name": "FunctionName",
                "value": "DllGetClassObject"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc767878f0"
              }
            ],
            "repeated": 0,
            "id": 24523
          },
          {
            "timestamp": "2026-05-28 22:02:44,490",
            "thread_id": "2700",
            "caller": "0x7ff6c28c27c9",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "synchronization",
            "api": "NtFindAtom",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "AtomName",
                "value": "{57086C23-86C6-478F-AFB2-236188C8F47F} 3"
              },
              {
                "name": "Atom",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 24524
          },
          {
            "timestamp": "2026-05-28 22:02:44,490",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6fb1",
            "parentcaller": "0x7ff6c28e0076",
            "category": "system",
            "api": "NtDelayExecution",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 24525
          },
          {
            "timestamp": "2026-05-28 22:02:44,490",
            "thread_id": "2700",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000000",
                "pretty_value": "HKEY_CLASSES_ROOT"
              },
              {
                "name": "SubKey",
                "value": "CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_CLASSES_ROOT\\CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              }
            ],
            "repeated": 0,
            "id": 24526
          },
          {
            "timestamp": "2026-05-28 22:02:44,490",
            "thread_id": "2700",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "shell32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76730000"
              }
            ],
            "repeated": 0,
            "id": 24527
          },
          {
            "timestamp": "2026-05-28 22:02:44,490",
            "thread_id": "2700",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x7ffc76730000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "shell32.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 24528
          },
          {
            "timestamp": "2026-05-28 22:02:44,490",
            "thread_id": "2700",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "SHELL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc76730000"
              },
              {
                "name": "FunctionName",
                "value": "DllGetClassObject"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc767878f0"
              }
            ],
            "repeated": 0,
            "id": 24529
          },
          {
            "timestamp": "2026-05-28 22:02:44,490",
            "thread_id": "2700",
            "caller": "0x7ff6c28c27c9",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "synchronization",
            "api": "NtFindAtom",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "AtomName",
                "value": "{57086C23-86C6-478F-AFB2-236188C8F47F} 3"
              },
              {
                "name": "Atom",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 24530
          },
          {
            "timestamp": "2026-05-28 22:02:44,490",
            "thread_id": "2700",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000000",
                "pretty_value": "HKEY_CLASSES_ROOT"
              },
              {
                "name": "SubKey",
                "value": "CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_CLASSES_ROOT\\CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              }
            ],
            "repeated": 0,
            "id": 24531
          },
          {
            "timestamp": "2026-05-28 22:02:44,490",
            "thread_id": "2700",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "shell32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76730000"
              }
            ],
            "repeated": 0,
            "id": 24532
          },
          {
            "timestamp": "2026-05-28 22:02:44,490",
            "thread_id": "2700",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x7ffc76730000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "shell32.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 24533
          },
          {
            "timestamp": "2026-05-28 22:02:44,490",
            "thread_id": "2700",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "SHELL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc76730000"
              },
              {
                "name": "FunctionName",
                "value": "DllGetClassObject"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc767878f0"
              }
            ],
            "repeated": 0,
            "id": 24534
          },
          {
            "timestamp": "2026-05-28 22:02:44,490",
            "thread_id": "2700",
            "caller": "0x7ff6c28c27c9",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "synchronization",
            "api": "NtFindAtom",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "AtomName",
                "value": "{57086C23-86C6-478F-AFB2-236188C8F47F} 3"
              },
              {
                "name": "Atom",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 24535
          },
          {
            "timestamp": "2026-05-28 22:02:44,490",
            "thread_id": "2700",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000000",
                "pretty_value": "HKEY_CLASSES_ROOT"
              },
              {
                "name": "SubKey",
                "value": "CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_CLASSES_ROOT\\CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              }
            ],
            "repeated": 0,
            "id": 24536
          },
          {
            "timestamp": "2026-05-28 22:02:44,490",
            "thread_id": "2700",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "shell32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76730000"
              }
            ],
            "repeated": 0,
            "id": 24537
          },
          {
            "timestamp": "2026-05-28 22:02:44,490",
            "thread_id": "2700",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x7ffc76730000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "shell32.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 24538
          },
          {
            "timestamp": "2026-05-28 22:02:44,490",
            "thread_id": "2700",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "SHELL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc76730000"
              },
              {
                "name": "FunctionName",
                "value": "DllGetClassObject"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc767878f0"
              }
            ],
            "repeated": 0,
            "id": 24539
          },
          {
            "timestamp": "2026-05-28 22:02:44,490",
            "thread_id": "2700",
            "caller": "0x7ff6c28c27c9",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "synchronization",
            "api": "NtFindAtom",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "AtomName",
                "value": "{57086C23-86C6-478F-AFB2-236188C8F47F} 3"
              },
              {
                "name": "Atom",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 24540
          },
          {
            "timestamp": "2026-05-28 22:02:44,490",
            "thread_id": "2700",
            "caller": "0x7ff6c28d9322",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "oleaut32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc77330000"
              }
            ],
            "repeated": 0,
            "id": 24541
          },
          {
            "timestamp": "2026-05-28 22:02:44,490",
            "thread_id": "5448",
            "caller": "0x7ff6c28bb952",
            "parentcaller": "0x7ff6c28be837",
            "category": "windows",
            "api": "PostMessageW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "WindowHandle",
                "value": "0x00010402"
              },
              {
                "name": "Message",
                "value": "0x00000464"
              }
            ],
            "repeated": 0,
            "id": 24542
          },
          {
            "timestamp": "2026-05-28 22:02:44,490",
            "thread_id": "5448",
            "caller": "0x7ff6c28be873",
            "parentcaller": "0x7ff6c28d9f92",
            "category": "windows",
            "api": "PostMessageW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "WindowHandle",
                "value": "0x000203fa"
              },
              {
                "name": "Message",
                "value": "0x000004dd"
              }
            ],
            "repeated": 0,
            "id": 24543
          },
          {
            "timestamp": "2026-05-28 22:02:44,490",
            "thread_id": "608",
            "caller": "0x7ff6c28d9e90",
            "parentcaller": "0x7ff6c28d9a49",
            "category": "windows",
            "api": "FindWindowW",
            "status": true,
            "return": "0x00010092",
            "arguments": [
              {
                "name": "ClassName",
                "value": "Shell_TrayWnd"
              },
              {
                "name": "WindowName",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 24544
          },
          {
            "timestamp": "2026-05-28 22:02:44,490",
            "thread_id": "2700",
            "caller": "0x7ffc77bf0e98",
            "parentcaller": "0x7ffc77c6b785",
            "category": "windows",
            "api": "PostMessageW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "WindowHandle",
                "value": "0x00010438"
              },
              {
                "name": "Message",
                "value": "0x00000400"
              }
            ],
            "repeated": 0,
            "id": 24545
          },
          {
            "timestamp": "2026-05-28 22:02:44,506",
            "thread_id": "2700",
            "caller": "0x7ffc77bf0e98",
            "parentcaller": "0x7ffc77c6b785",
            "category": "windows",
            "api": "PostMessageW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "WindowHandle",
                "value": "0x00010424"
              },
              {
                "name": "Message",
                "value": "0x00000400"
              }
            ],
            "repeated": 0,
            "id": 24546
          },
          {
            "timestamp": "2026-05-28 22:02:45,490",
            "thread_id": "5448",
            "caller": "0x7ff6c28bd9af",
            "parentcaller": "0x7ff6c28d9f92",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "23"
              },
              {
                "name": "ThreadInformation",
                "value": "\\xf8\\xe5Jn\\x00\\x00\\x00\\x00d|\\x9cFh\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "5448"
              }
            ],
            "repeated": 0,
            "id": 24547
          },
          {
            "timestamp": "2026-05-28 22:02:45,490",
            "thread_id": "8604",
            "caller": "0x7ff6c28c4a58",
            "parentcaller": "0x7ff6c28bab11",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000410"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\PcwDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00224013"
              },
              {
                "name": "InputBuffer",
                "value": "\\x88\\x08\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": "x\\x02\\x00\\x00\\x10\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00h\\x02\\x00\\x00 \\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01<\\x06\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x90\\x00\\x00\\x00\\x00\\x00\\x00\\x00 \\x00\\x00\\x00\\x07\\x00\\x00\\x000\\x00,\\x000\\x00\\x00\\x00a\\x00n\\x00a\\x00g\\x00\\x10\\x00\\x00\\x00\\x10\\x00\\x04\\x00\\x00\\x00\\x00\\x00A\\x00p\\x00\\x10\\x00\\x00\\x00\\x1a\\x00\\x08\\x00eE\\x03\\x0e\\x01\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x1b\\x00\\x04\\x00{\\x84R\\x04S\\x00e\\x00\\x10\\x00\\x00\\x00\\x1c\\x00\\x08\\x00\\x8b\\xc2\\xc4\\x08\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x1d\\x00\\x04\\x00{\\x84R\\x04)\\x00\\x00\\x00\\x10\\x00\\x00\\x00!\\x00\\x08\\x00\\xab\\xc5\\xab\\xe0&\\x00\\x00\\x00\\x10\\x00\\x00\\x00\"\\x00\\x04\\x00\\x93;\\xb3\\x02o\\x00f\\x00\\x90\\x00\\x00\\x00\\x01\\x00\\x00\\x00 \\x00\\x00\\x00\\x07\\x00\\x00\\x000\\x00,\\x001\\x00\\x00\\x00n\\x00t\\x00\\x00\\x00A\\x00\\x10\\x00\\x00\\x00\\x10\\x00\\x04\\x00\\x00\\x00\\x00\\x00e\\x00n\\x00\\x10\\x00\\x00\\x00\\x1a\\x00\\x08\\x00plo\\x13\\x01\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 24548
          },
          {
            "timestamp": "2026-05-28 22:02:45,490",
            "thread_id": "8604",
            "caller": "0x7ff6c28c7164",
            "parentcaller": "0x7ff6c28c4d2d",
            "category": "misc",
            "api": "NtQuerySystemInformation",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "SystemInformationClass",
                "value": "79"
              }
            ],
            "repeated": 0,
            "id": 24549
          },
          {
            "timestamp": "2026-05-28 22:02:45,490",
            "thread_id": "8604",
            "caller": "0x7ff6c28c71d8",
            "parentcaller": "0x7ff6c28c4d2d",
            "category": "misc",
            "api": "NtQuerySystemInformation",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SystemInformationClass",
                "value": "79"
              }
            ],
            "repeated": 0,
            "id": 24550
          },
          {
            "timestamp": "2026-05-28 22:02:45,490",
            "thread_id": "8604",
            "caller": "0x7ff6c28c4d5f",
            "parentcaller": "0x7ff6c28d9152",
            "category": "misc",
            "api": "NtQuerySystemInformation",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SystemInformationClass",
                "value": "182"
              }
            ],
            "repeated": 0,
            "id": 24551
          },
          {
            "timestamp": "2026-05-28 22:02:45,490",
            "thread_id": "8604",
            "caller": "0x7ff6c28c4d76",
            "parentcaller": "0x7ff6c28d9152",
            "category": "misc",
            "api": "GetPhysicallyInstalledSystemMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TotalMemoryInKilobytes",
                "value": "8388608"
              }
            ],
            "repeated": 0,
            "id": 24552
          },
          {
            "timestamp": "2026-05-28 22:02:45,490",
            "thread_id": "8604",
            "caller": "0x7ff6c28bcc3e",
            "parentcaller": "0x7ff6c28baa3d",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000008a4"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\Nsi"
              },
              {
                "name": "IoControlCode",
                "value": "0x00120007"
              },
              {
                "name": "InputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb1\\xa9t\\xfc\\x7f\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xc0\\xe5O\\x9e\\xf0\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb1\\xa9t\\xfc\\x7f\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xc0\\xe5O\\x9e\\xf0\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 24553
          },
          {
            "timestamp": "2026-05-28 22:02:45,490",
            "thread_id": "8604",
            "caller": "0x7ff6c28bcc3e",
            "parentcaller": "0x7ff6c28baa3d",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000ac0"
              }
            ],
            "repeated": 0,
            "id": 24554
          },
          {
            "timestamp": "2026-05-28 22:02:45,490",
            "thread_id": "8604",
            "caller": "0x7ff6c28bcc3e",
            "parentcaller": "0x7ff6c28baa3d",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000008a4"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\Nsi"
              },
              {
                "name": "IoControlCode",
                "value": "0x0012000f"
              },
              {
                "name": "InputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb1\\xa9t\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xd0\\xe5O\\x9e\\xf0\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\xeeO\\x9e\\xf0\\x00\\x00\\x00D\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xe6O\\x9e\\xf0\\x00\\x00\\x00\\xd8\\x00\\x00\\x00\\x00\\x00\\x00\\x00 \\xe9O\\x9e\\xf0\\x00\\x00\\x00X\\x02\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb1\\xa9t\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xd0\\xe5O\\x9e\\xf0\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\xeeO\\x9e\\xf0\\x00\\x00\\x00D\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xe6O\\x9e\\xf0\\x00\\x00\\x00\\xd8\\x00\\x00\\x00\\x00\\x00\\x00\\x00 \\xe9O\\x9e\\xf0\\x00\\x00\\x00X\\x02\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 24555
          },
          {
            "timestamp": "2026-05-28 22:02:45,490",
            "thread_id": "8604",
            "caller": "0x7ff6c28bcc3e",
            "parentcaller": "0x7ff6c28baa3d",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000ac0"
              }
            ],
            "repeated": 0,
            "id": 24556
          },
          {
            "timestamp": "2026-05-28 22:02:45,490",
            "thread_id": "8604",
            "caller": "0x7ff6c28bcd3d",
            "parentcaller": "0x7ff6c28baa3d",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000ac0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0012019f",
                "pretty_value": "FILE_GENERIC_READ|FILE_GENERIC_WRITE"
              },
              {
                "name": "FileName",
                "value": "\\Device\\{4C572733-2FBA-4346-9601-F86DBA666EF2}"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 24557
          },
          {
            "timestamp": "2026-05-28 22:02:45,490",
            "thread_id": "8604",
            "caller": "0x7ff6c28bcd94",
            "parentcaller": "0x7ff6c28baa3d",
            "category": "device",
            "api": "DeviceIoControl",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "DeviceHandle",
                "value": "0x00000ac0"
              },
              {
                "name": "IoControlCode",
                "value": "0x0017003e"
              },
              {
                "name": "InBuffer",
                "value": "\\x07\\x01\\x01\\x00\\x04\\x01\\x01\\x80\\x14\\x01\\x01\\x80\\x01\\x01\\x02\\x00\\x02\\x01\\x02\\x00\\x03\\x01\\x02\\x00\\x04\\x01\\x02\\x00\\x08\\x02\\x02\\x80\\x01\\x02\\x02\\x80\\x07\\x02\\x02\\x80\\xff\\xff\\xff\\x80\\x13\\x02\\x02\\x80\\x14\\x02\\x02\\x80\\x15\\x02\\x02\\x80\\x02\\x02\\x01\\x80"
              },
              {
                "name": "OutBuffer",
                "value": "\\x07\\x01\\x01\\x00\\x04\\x00\\x00\\x00\\x80\\x96\\x98\\x00\\x04\\x01\\x01\\x80\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x14\\x01\\x01\\x80\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x01\\x02\\x00\\x08\\x00\\x00\\x00z\\x17\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x01\\x02\\x00\\x08\\x00\\x00\\x00\\xb3r\\x00\\x00\\x00\\x00\\x00\\x00\\x03\\x01\\x02\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x04\\x01\\x02\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x08\\x02\\x02\\x80\\x08\\x00\\x00\\x00\\xaer\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x02\\x02\\x80\\x08\\x00\\x00\\x004\\xd3_\\x00\\x00\\x00\\x00\\x00\\x07\\x02\\x02\\x80\\x08\\x00\\x00\\x00J(C\\x02\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\x80\\x04\\x00\\x00\\x00o\\x00\\x00\\x00\\x13\\x02\\x02\\x80\\x04\\x00\\x00\\x00m\\x00\\x00\\x00\\x14\\x02\\x02\\x80\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x15\\x02\\x02\\x80\\x04\\x00\\x00\\x00\\x00\\x00\\x04\\x00\\x02\\x02\\x01\\x80\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 24558
          },
          {
            "timestamp": "2026-05-28 22:02:45,490",
            "thread_id": "8604",
            "caller": "0x7ff6c28bcdab",
            "parentcaller": "0x7ff6c28baa3d",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000ac0"
              }
            ],
            "repeated": 0,
            "id": 24559
          },
          {
            "timestamp": "2026-05-28 22:02:45,490",
            "thread_id": "8604",
            "caller": "0x7ff6c28c1a63",
            "parentcaller": "0x7ff6c28d9152",
            "category": "device",
            "api": "DeviceIoControl",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "DeviceHandle",
                "value": "0x0000089c"
              },
              {
                "name": "IoControlCode",
                "value": "0x00070020"
              },
              {
                "name": "InBuffer",
                "value": ""
              },
              {
                "name": "OutBuffer",
                "value": "\\x00J\\xebx\\x00\\x00\\x00\\x00\\x00N\\xb4\\x0c\\x00\\x00\\x00\\x00\\xb02\\xc0 \\x00\\x00\\x00\\x00\\xe85H\\x16\\x00\\x00\\x00\\x00\\xd4\\xd7G0\\x00\\x00\\x00\\x00\\x14w\\x00\\x00\\x0e\\x12\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\xd8\\xf0\\xbd\\xb6\\xed\\xee\\xdc\\x01\\x00\\x00\\x00\\x00P\\x00a\\x00r\\x00t\\x00m\\x00g\\x00r\\x00 \\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 24560
          },
          {
            "timestamp": "2026-05-28 22:02:45,490",
            "thread_id": "8604",
            "caller": "0x7ff6c28ca352",
            "parentcaller": "0x7ff6c28ca1d6",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 24561
          },
          {
            "timestamp": "2026-05-28 22:02:45,490",
            "thread_id": "8604",
            "caller": "0x7ff6c28ca352",
            "parentcaller": "0x7ff6c28ca1d6",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "0",
                "pretty_value": "ThreadBasicInformation"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x03\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb0\\x88\\x9d\\xf0\\x00\\x00\\x00\\xe8\\x1e\\x00\\x00\\x00\\x00\\x00\\x00\\x9c!\\x00\\x00\\x00\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x0b\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "8604"
              }
            ],
            "repeated": 0,
            "id": 24562
          },
          {
            "timestamp": "2026-05-28 22:02:45,490",
            "thread_id": "8604",
            "caller": "0x7ff6c28ca352",
            "parentcaller": "0x7ff6c28ca1d6",
            "category": "system",
            "api": "GetSystemTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 1,
            "id": 24563
          },
          {
            "timestamp": "2026-05-28 22:02:45,490",
            "thread_id": "8604",
            "caller": "0x7ff6c28ca352",
            "parentcaller": "0x7ff6c28ca1d6",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000410"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\PcwDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00224013"
              },
              {
                "name": "InputBuffer",
                "value": "\\x00\t\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": "\\xe0G\\x00\\x00\\x10\\x00\\x00\\x00\\x0c\\x00\\x00\\x00\\x00\\x00\\x00\\x00`\\x14\\x00\\x00 \\x00\\x00\\x00!\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\n\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x98\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x88\\x00\\x00\\x00\\x01\\x00\\x00\\x00p\\x00i\\x00d\\x00_\\x004\\x00_\\x00l\\x00u\\x00i\\x00d\\x00_\\x000\\x00x\\x000\\x000\\x000\\x000\\x000\\x000\\x000\\x000\\x00_\\x000\\x00x\\x000\\x000\\x000\\x000\\x006\\x001\\x006\\x00A\\x00_\\x00p\\x00h\\x00y\\x00s\\x00_\\x000\\x00_\\x00e\\x00n\\x00g\\x00_\\x000\\x00_\\x00e\\x00n\\x00g\\x00t\\x00y\\x00p\\x00e\\x00_\\x003\\x00D\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x01\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x98\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x88\\x00\\x00\\x00\\x01\\x00\\x00\\x00p\\x00i\\x00d\\x00_\\x004\\x00_\\x00l\\x00u\\x00i\\x00d\\x00_\\x000\\x00x\\x000\\x000\\x000\\x000\\x000\\x000\\x000\\x00"
              }
            ],
            "repeated": 0,
            "id": 24564
          },
          {
            "timestamp": "2026-05-28 22:02:45,490",
            "thread_id": "5448",
            "caller": "0x7ff6c28c63dd",
            "parentcaller": "0x7ff6c28bac26",
            "category": "misc",
            "api": "NtQuerySystemInformation",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SystemInformationClass",
                "value": "5",
                "pretty_value": "SystemProcessInformation"
              }
            ],
            "repeated": 0,
            "id": 24565
          },
          {
            "timestamp": "2026-05-28 22:02:45,490",
            "thread_id": "5448",
            "caller": "0x7ff6c28bda50",
            "parentcaller": "0x7ff6c28d9f92",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "23"
              },
              {
                "name": "ThreadInformation",
                "value": "\\xc0\\xc8\\x8bn\\x00\\x00\\x00\\x00D\r\\xdeFh\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "5448"
              }
            ],
            "repeated": 0,
            "id": 24566
          },
          {
            "timestamp": "2026-05-28 22:02:45,490",
            "thread_id": "5448",
            "caller": "0x7ff6c28bdaa2",
            "parentcaller": "0x7ff6c28d9f92",
            "category": "misc",
            "api": "NtQuerySystemInformation",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SystemInformationClass",
                "value": "3",
                "pretty_value": "SystemTimeOfDayInformation"
              }
            ],
            "repeated": 0,
            "id": 24567
          },
          {
            "timestamp": "2026-05-28 22:02:45,490",
            "thread_id": "5448",
            "caller": "0x7ff6c28c4a58",
            "parentcaller": "0x7ff6c28c4bdc",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000410"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\PcwDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00224013"
              },
              {
                "name": "InputBuffer",
                "value": "\\x14\\x04\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": "\\xb8\\x01\\x00\\x00\\x10\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xa8\\x01\\x00\\x00 \\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x000\\x00\\x00\\x0c\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00`\\x00\\x00\\x00\\x00\\x00\\x00\\x00 \\x00\\x00\\x00\\x04\\x00\\x00\\x000\\x00,\\x000\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x04\\x00\\x08\\x00V!\\x83\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x05\\x00\\x08\\x00VN\\xb4\\x01\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x1a\\x00\\x08\\x00\\xfam\\x04\\x0e\\x01\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x1b\\x00\\x04\\x00r\\x87R\\x04\\x00\\x00\\x00\\x00`\\x00\\x00\\x00\\x01\\x00\\x00\\x00 \\x00\\x00\\x00\\x04\\x00\\x00\\x000\\x00,\\x001\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x04\\x00\\x08\\x00\\xaey^\\x01\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x05\\x00\\x08\\x00T\\xea*\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x1a\\x00\\x08\\x00\\xdf\\x94p\\x13\\x01\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x1b\\x00\\x04\\x00v\\x87R\\x04\\x00\\x00\\x00\\x00h\\x00\\x00\\x00\\x02\\x00\\x00\\x00(\\x00\\x00\\x00\\x04\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 24568
          },
          {
            "timestamp": "2026-05-28 22:02:45,490",
            "thread_id": "5448",
            "caller": "0x7ff6c28c4a58",
            "parentcaller": "0x7ff6c28c4c19",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000410"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\PcwDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00224013"
              },
              {
                "name": "InputBuffer",
                "value": "\\x18\\x04\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": "x\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00h\\x00\\x00\\x00 \\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00H\\x00\\x00\\x00\\x00\\x00\\x00\\x00(\\x00\\x00\\x00\\x02\\x00\\x00\\x00d\\x00e\\x00f\\x00a\\x00u\\x00l\\x00t\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x08\\x00\\x1b\\x14\\xd1\\xa3\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x01\\x00\\x08\\x00\\x00N\\x92\\x0e\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 24569
          },
          {
            "timestamp": "2026-05-28 22:02:45,490",
            "thread_id": "5448",
            "caller": "0x7ff6c28c6f7b",
            "parentcaller": "0x7ff6c28bdb94",
            "category": "misc",
            "api": "GlobalMemoryStatusEx",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "MemoryLoad",
                "value": "35"
              },
              {
                "name": "TotalPhysicalMB",
                "value": "8191"
              }
            ],
            "repeated": 0,
            "id": 24570
          },
          {
            "timestamp": "2026-05-28 22:02:45,490",
            "thread_id": "5448",
            "caller": "0x7ff6c28c05ac",
            "parentcaller": "0x7ff6c28bdc11",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000ac0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001400",
                "pretty_value": "PROCESS_QUERY_INFORMATION|PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "748"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\148.0.3967.83\\identity_helper.exe"
              }
            ],
            "repeated": 0,
            "id": 24571
          },
          {
            "timestamp": "2026-05-28 22:02:45,490",
            "thread_id": "5448",
            "caller": "0x7ff6c28c068f",
            "parentcaller": "0x7ff6c28bdc11",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000ac0"
              }
            ],
            "repeated": 0,
            "id": 24572
          },
          {
            "timestamp": "2026-05-28 22:02:45,490",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c6d7d",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000ac0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001400",
                "pretty_value": "PROCESS_QUERY_INFORMATION|PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "748"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\148.0.3967.83\\identity_helper.exe"
              }
            ],
            "repeated": 0,
            "id": 24573
          },
          {
            "timestamp": "2026-05-28 22:02:45,490",
            "thread_id": "5448",
            "caller": "0x7ff6c28c6de3",
            "parentcaller": "0x7ff6c28c087c",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000ac0"
              }
            ],
            "repeated": 0,
            "id": 24574
          },
          {
            "timestamp": "2026-05-28 22:02:45,506",
            "thread_id": "2700",
            "caller": "0x7ffc77bf0e98",
            "parentcaller": "0x7ffc77c6b785",
            "category": "windows",
            "api": "PostMessageW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "WindowHandle",
                "value": "0x00010424"
              },
              {
                "name": "Message",
                "value": "0x00000400"
              }
            ],
            "repeated": 0,
            "id": 24575
          },
          {
            "timestamp": "2026-05-28 22:02:45,521",
            "thread_id": "5448",
            "caller": "0x7ff6c28c05ac",
            "parentcaller": "0x7ff6c28bdc11",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000ac0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001400",
                "pretty_value": "PROCESS_QUERY_INFORMATION|PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "9856"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe"
              }
            ],
            "repeated": 0,
            "id": 24576
          },
          {
            "timestamp": "2026-05-28 22:02:45,521",
            "thread_id": "5448",
            "caller": "0x7ff6c28c068f",
            "parentcaller": "0x7ff6c28bdc11",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000ac0"
              }
            ],
            "repeated": 0,
            "id": 24577
          },
          {
            "timestamp": "2026-05-28 22:02:45,521",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c3e56",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000ac0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001000",
                "pretty_value": "PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "9856"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe"
              }
            ],
            "repeated": 0,
            "id": 24578
          },
          {
            "timestamp": "2026-05-28 22:02:45,521",
            "thread_id": "5448",
            "caller": "0x7ff6c28c3ebb",
            "parentcaller": "0x7ff6c28c2d53",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000ac0"
              }
            ],
            "repeated": 0,
            "id": 24579
          },
          {
            "timestamp": "2026-05-28 22:02:45,521",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c3ffc",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000ac0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001000",
                "pretty_value": "PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "9856"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe"
              }
            ],
            "repeated": 0,
            "id": 24580
          },
          {
            "timestamp": "2026-05-28 22:02:45,521",
            "thread_id": "5448",
            "caller": "0x7ff6c28c4224",
            "parentcaller": "0x7ff6c28c2da5",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000ac0"
              }
            ],
            "repeated": 0,
            "id": 24581
          },
          {
            "timestamp": "2026-05-28 22:02:45,521",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29251610002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 24582
          },
          {
            "timestamp": "2026-05-28 22:02:45,521",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29251610000"
              },
              {
                "name": "RegionSize",
                "value": "0x00505000"
              }
            ],
            "repeated": 0,
            "id": 24583
          },
          {
            "timestamp": "2026-05-28 22:02:45,521",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29251610002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 24584
          },
          {
            "timestamp": "2026-05-28 22:02:45,521",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29251610000"
              },
              {
                "name": "RegionSize",
                "value": "0x00505000"
              }
            ],
            "repeated": 0,
            "id": 24585
          },
          {
            "timestamp": "2026-05-28 22:02:45,521",
            "thread_id": "5448",
            "caller": "0x7ff6c28c3b16",
            "parentcaller": "0x7ff6c28c30e8",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000ac0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000400",
                "pretty_value": "PROCESS_QUERY_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "9856"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe"
              }
            ],
            "repeated": 0,
            "id": 24586
          },
          {
            "timestamp": "2026-05-28 22:02:45,521",
            "thread_id": "5448",
            "caller": "0x7ff6c28c3b8f",
            "parentcaller": "0x7ff6c28c30e8",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000ac0"
              }
            ],
            "repeated": 0,
            "id": 24587
          },
          {
            "timestamp": "2026-05-28 22:02:45,537",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c38f8",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000ac0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001410",
                "pretty_value": "PROCESS_VM_READ|PROCESS_QUERY_INFORMATION|PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "9856"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe"
              }
            ],
            "repeated": 0,
            "id": 24588
          },
          {
            "timestamp": "2026-05-28 22:02:45,537",
            "thread_id": "5448",
            "caller": "0x7ff6c28c53e5",
            "parentcaller": "0x7ff6c28c3945",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000ac0"
              },
              {
                "name": "BaseAddress",
                "value": "0xc488559000"
              },
              {
                "name": "Size",
                "value": "0x000007c8"
              },
              {
                "name": "Buffer",
                "value": "\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00u4\\xf7\\x7f\\x00\\x00\\xc0\\xc4\\x13x\\xfc\\x7f\\x00\\x00\\xc0,\\x00\\xef\\x08\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xff\\xee\\x08\\x02\\x00\\x00\\xe0\\xc0\\x13x\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x05\\x00\\x00\\x00\\x00\\x00\\x00\\x00p\\x003v\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xf8\\xee\\x08\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00@\\xc4\\x13x\\xfc\\x7f\\x00\\x00\\xff\\xff\\x0f\\x00\\x00\\x00\\x00\\x00\\x00\\x00k\\\\xf4}\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00P\\x07k\\\\xf4}\\x00\\x00\\x00\\x00\\x7f^\\xf5}\\x00\\x00(\\x02\\x80^\\xf5}\\x00\\x00P\\x06\\x81^\\xf5}\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x80\\x9b\\x07m\\xe8\\xff\\xff\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x00 \\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x10\\x00\\x00\\x00@\\xad\\x13x\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 24589
          },
          {
            "timestamp": "2026-05-28 22:02:45,537",
            "thread_id": "5448",
            "caller": "0x7ff6c28c5414",
            "parentcaller": "0x7ff6c28c3945",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000ac0"
              },
              {
                "name": "BaseAddress",
                "value": "0x208ef002cc0"
              },
              {
                "name": "Size",
                "value": "0x00000440"
              },
              {
                "name": "Buffer",
                "value": "\\x8c\\x0c\\x00\\x00\\x8c\\x0c\\x00\\x00\\x01`\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x80\\x00\\x08\\x02\\x00\\x00\\x00\\x00\\xc0=\\x00\\xef\\x08\\x02\\x00\\x00\\x88\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00x\\x00z\\x00\\x00\\x00\\x00\\x00\\x083\\x00\\xef\\x08\\x02\\x00\\x00\\xec\\x04\\xee\\x04\\x00\\x00\\x00\\x00\\x823\\x00\\xef\\x08\\x02\\x00\\x00\\xf0'\\x00\\xef\\x08\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x80\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00x\\x00z\\x00\\x00\\x00\\x00\\x00p8\\x00\\xef\\x08\\x02\\x00\\x00^\\x00`\\x00\\x00\\x00\\x00\\x00\\xea8\\x00\\xef\\x08\\x02\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00J9\\x00\\xef\\x08\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 24590
          },
          {
            "timestamp": "2026-05-28 22:02:45,537",
            "thread_id": "5448",
            "caller": "0x7ff6c28c545d",
            "parentcaller": "0x7ff6c28c3945",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000ac0"
              },
              {
                "name": "BaseAddress",
                "value": "0x208ef003382"
              },
              {
                "name": "Size",
                "value": "0x000004ec"
              },
              {
                "name": "Buffer",
                "value": "\"\\x00C\\x00:\\x00\\\\x00P\\x00r\\x00o\\x00g\\x00r\\x00a\\x00m\\x00 \\x00F\\x00i\\x00l\\x00e\\x00s\\x00 \\x00(\\x00x\\x008\\x006\\x00)\\x00\\\\x00M\\x00i\\x00c\\x00r\\x00o\\x00s\\x00o\\x00f\\x00t\\x00\\\\x00E\\x00d\\x00g\\x00e\\x00\\\\x00A\\x00p\\x00p\\x00l\\x00i\\x00c\\x00a\\x00t\\x00i\\x00o\\x00n\\x00\\\\x00m\\x00s\\x00e\\x00d\\x00g\\x00e\\x00.\\x00e\\x00x\\x00e\\x00\"\\x00 \\x00-\\x00-\\x00t\\x00y\\x00p\\x00e\\x00=\\x00u\\x00t\\x00i\\x00l\\x00i\\x00t\\x00y\\x00 \\x00-\\x00-\\x00u\\x00t\\x00i\\x00l\\x00i\\x00t\\x00y\\x00-\\x00s\\x00u\\x00b\\x00-\\x00t\\x00y\\x00p\\x00e\\x00=\\x00e\\x00n\\x00t\\x00i\\x00t\\x00y\\x00_\\x00e\\x00x\\x00t\\x00r\\x00a\\x00c\\x00t\\x00i\\x00o\\x00n\\x00_\\x00s\\x00e\\x00r\\x00v\\x00i\\x00c\\x00e\\x00.\\x00m\\x00o\\x00j\\x00o\\x00m\\x00"
              }
            ],
            "repeated": 0,
            "id": 24591
          },
          {
            "timestamp": "2026-05-28 22:02:45,537",
            "thread_id": "5448",
            "caller": "0x7ff6c28c39ad",
            "parentcaller": "0x7ff6c28c31bb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000ac0"
              }
            ],
            "repeated": 0,
            "id": 24592
          },
          {
            "timestamp": "2026-05-28 22:02:45,537",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c3746",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000ac0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001000",
                "pretty_value": "PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "9856"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe"
              }
            ],
            "repeated": 0,
            "id": 24593
          },
          {
            "timestamp": "2026-05-28 22:02:45,537",
            "thread_id": "5448",
            "caller": "0x7ff6c28c472e",
            "parentcaller": "0x7ff6c28c375e",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000ac0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x00000ac8"
              }
            ],
            "repeated": 0,
            "id": 24594
          },
          {
            "timestamp": "2026-05-28 22:02:45,537",
            "thread_id": "5448",
            "caller": "0x7ff6c28c4764",
            "parentcaller": "0x7ff6c28c375e",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "39"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 24595
          },
          {
            "timestamp": "2026-05-28 22:02:45,537",
            "thread_id": "5448",
            "caller": "0x7ff6c28c47ed",
            "parentcaller": "0x7ff6c28c375e",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "39"
              },
              {
                "name": "TokenInformation",
                "value": "\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00p\\xb7+T\\x92\\x02\\x00\\x00 \\x00 \\x00\\x00\\x00\\x00\\x00\\x98\\xb7+T\\x92\\x02\\x00\\x00\\x02\\x00\\x00\\x00A\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb8\\xb7+T\\x92\\x02\\x00\\x00T\\x00S\\x00A\\x00:\\x00/\\x00/\\x00P\\x00r\\x00o\\x00c\\x00U\\x00n\\x00i\\x00q\\x00u\\x00e\\x00\\xaf\\x00\\x00\\x00\\x00\\x00\\x00\\x00b\\x8d\\x0b\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 24596
          },
          {
            "timestamp": "2026-05-28 22:02:45,537",
            "thread_id": "5448",
            "caller": "0x7ff6c28c488d",
            "parentcaller": "0x7ff6c28c375e",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000ac8"
              }
            ],
            "repeated": 0,
            "id": 24597
          },
          {
            "timestamp": "2026-05-28 22:02:45,537",
            "thread_id": "5448",
            "caller": "0x7ff6c28c3779",
            "parentcaller": "0x7ff6c28c31c6",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000ac0"
              }
            ],
            "repeated": 0,
            "id": 24598
          },
          {
            "timestamp": "2026-05-28 22:02:45,553",
            "thread_id": "5448",
            "caller": "0x7ff6c28c05ac",
            "parentcaller": "0x7ff6c28bdc11",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000ac0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001400",
                "pretty_value": "PROCESS_QUERY_INFORMATION|PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "10572"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe"
              }
            ],
            "repeated": 0,
            "id": 24599
          },
          {
            "timestamp": "2026-05-28 22:02:45,553",
            "thread_id": "5448",
            "caller": "0x7ff6c28c068f",
            "parentcaller": "0x7ff6c28bdc11",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000ac0"
              }
            ],
            "repeated": 0,
            "id": 24600
          },
          {
            "timestamp": "2026-05-28 22:02:45,553",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c3e56",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000ac0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001000",
                "pretty_value": "PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "10572"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe"
              }
            ],
            "repeated": 0,
            "id": 24601
          },
          {
            "timestamp": "2026-05-28 22:02:45,553",
            "thread_id": "5448",
            "caller": "0x7ff6c28c3ebb",
            "parentcaller": "0x7ff6c28c2d53",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000ac0"
              }
            ],
            "repeated": 0,
            "id": 24602
          },
          {
            "timestamp": "2026-05-28 22:02:45,553",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c3ffc",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000ac0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001000",
                "pretty_value": "PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "10572"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe"
              }
            ],
            "repeated": 0,
            "id": 24603
          },
          {
            "timestamp": "2026-05-28 22:02:45,553",
            "thread_id": "5448",
            "caller": "0x7ff6c28c4224",
            "parentcaller": "0x7ff6c28c2da5",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000ac0"
              }
            ],
            "repeated": 0,
            "id": 24604
          },
          {
            "timestamp": "2026-05-28 22:02:45,553",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29251610002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 24605
          },
          {
            "timestamp": "2026-05-28 22:02:45,553",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29251610000"
              },
              {
                "name": "RegionSize",
                "value": "0x00505000"
              }
            ],
            "repeated": 0,
            "id": 24606
          },
          {
            "timestamp": "2026-05-28 22:02:45,553",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29251610002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 24607
          },
          {
            "timestamp": "2026-05-28 22:02:45,553",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29251610000"
              },
              {
                "name": "RegionSize",
                "value": "0x00505000"
              }
            ],
            "repeated": 0,
            "id": 24608
          },
          {
            "timestamp": "2026-05-28 22:02:45,553",
            "thread_id": "5448",
            "caller": "0x7ff6c28c3b16",
            "parentcaller": "0x7ff6c28c30e8",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000ac0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000400",
                "pretty_value": "PROCESS_QUERY_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "10572"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe"
              }
            ],
            "repeated": 0,
            "id": 24609
          },
          {
            "timestamp": "2026-05-28 22:02:45,553",
            "thread_id": "5448",
            "caller": "0x7ff6c28c3b8f",
            "parentcaller": "0x7ff6c28c30e8",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000ac0"
              }
            ],
            "repeated": 0,
            "id": 24610
          },
          {
            "timestamp": "2026-05-28 22:02:45,600",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c38f8",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000ac0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001410",
                "pretty_value": "PROCESS_VM_READ|PROCESS_QUERY_INFORMATION|PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "10572"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe"
              }
            ],
            "repeated": 0,
            "id": 24611
          },
          {
            "timestamp": "2026-05-28 22:02:45,600",
            "thread_id": "5448",
            "caller": "0x7ff6c28c53e5",
            "parentcaller": "0x7ff6c28c3945",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000ac0"
              },
              {
                "name": "BaseAddress",
                "value": "0xe45a184000"
              },
              {
                "name": "Size",
                "value": "0x000007c8"
              },
              {
                "name": "Buffer",
                "value": "\\x00\\x00\\x00$\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00u4\\xf7\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb4\\x85\\xf6\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb6\\x85\\xf6\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00/J\\xf5}\\x00\\x00(\\x020J\\xf5}\\x00\\x00P\\x061J\\xf5}\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x80\\x9b\\x07m\\xe8\\xff\\xff\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x00 \\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 24612
          },
          {
            "timestamp": "2026-05-28 22:02:45,600",
            "thread_id": "5448",
            "caller": "0x7ff6c28c5414",
            "parentcaller": "0x7ff6c28c3945",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000ac0"
              },
              {
                "name": "BaseAddress",
                "value": "0x1f685b40000"
              },
              {
                "name": "Size",
                "value": "0x00000440"
              },
              {
                "name": "Buffer",
                "value": "L\r\\x00\\x00L\r\\x00\\x00\\x01`\\x00\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x80\\x00\\x08\\x02\\x00\\x00\\x00\\x00@\\x04\\xb4\\x85\\xf6\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00x\\x00z\\x00\\x00\\x00\\x00\\x00H\\x06\\xb4\\x85\\xf6\\x01\\x00\\x00\\xac\\x05\\xae\\x05\\x00\\x00\\x00\\x00\\xc2\\x06\\xb4\\x85\\xf6\\x01\\x00\\x00L\r\\xb4\\x85\\xf6\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x80\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00x\\x00z\\x00\\x00\\x00\\x00\\x00p\\x0c\\xb4\\x85\\xf6\\x01\\x00\\x00^\\x00`\\x00\\x00\\x00\\x00\\x00\\xea\\x0c\\xb4\\x85\\xf6\\x01\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00J\r\\xb4\\x85\\xf6\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 24613
          },
          {
            "timestamp": "2026-05-28 22:02:45,600",
            "thread_id": "5448",
            "caller": "0x7ff6c28c545d",
            "parentcaller": "0x7ff6c28c3945",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000ac0"
              },
              {
                "name": "BaseAddress",
                "value": "0x1f685b406c2"
              },
              {
                "name": "Size",
                "value": "0x000005ac"
              },
              {
                "name": "Buffer",
                "value": "\"\\x00C\\x00:\\x00\\\\x00P\\x00r\\x00o\\x00g\\x00r\\x00a\\x00m\\x00 \\x00F\\x00i\\x00l\\x00e\\x00s\\x00 \\x00(\\x00x\\x008\\x006\\x00)\\x00\\\\x00M\\x00i\\x00c\\x00r\\x00o\\x00s\\x00o\\x00f\\x00t\\x00\\\\x00E\\x00d\\x00g\\x00e\\x00\\\\x00A\\x00p\\x00p\\x00l\\x00i\\x00c\\x00a\\x00t\\x00i\\x00o\\x00n\\x00\\\\x00m\\x00s\\x00e\\x00d\\x00g\\x00e\\x00.\\x00e\\x00x\\x00e\\x00\"\\x00 \\x00-\\x00-\\x00t\\x00y\\x00p\\x00e\\x00=\\x00r\\x00e\\x00n\\x00d\\x00e\\x00r\\x00e\\x00r\\x00 \\x00-\\x00-\\x00i\\x00n\\x00s\\x00t\\x00a\\x00n\\x00t\\x00-\\x00p\\x00r\\x00o\\x00c\\x00e\\x00s\\x00s\\x00 \\x00-\\x00-\\x00p\\x00d\\x00f\\x00-\\x00u\\x00p\\x00s\\x00e\\x00l\\x00l\\x00-\\x00e\\x00n\\x00a\\x00b\\x00l\\x00e\\x00d\\x00 \\x00-\\x00-\\x00v\\x00i\\x00d\\x00e\\x00o\\x00-\\x00c\\x00a\\x00"
              }
            ],
            "repeated": 0,
            "id": 24614
          },
          {
            "timestamp": "2026-05-28 22:02:45,600",
            "thread_id": "5448",
            "caller": "0x7ff6c28c39ad",
            "parentcaller": "0x7ff6c28c31bb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000ac0"
              }
            ],
            "repeated": 0,
            "id": 24615
          },
          {
            "timestamp": "2026-05-28 22:02:45,600",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c3746",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000ac0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001000",
                "pretty_value": "PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "10572"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe"
              }
            ],
            "repeated": 0,
            "id": 24616
          },
          {
            "timestamp": "2026-05-28 22:02:45,600",
            "thread_id": "5448",
            "caller": "0x7ff6c28c472e",
            "parentcaller": "0x7ff6c28c375e",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000ac0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x00000ac8"
              }
            ],
            "repeated": 0,
            "id": 24617
          },
          {
            "timestamp": "2026-05-28 22:02:45,600",
            "thread_id": "5448",
            "caller": "0x7ff6c28c4764",
            "parentcaller": "0x7ff6c28c375e",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "39"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 24618
          },
          {
            "timestamp": "2026-05-28 22:02:45,600",
            "thread_id": "5448",
            "caller": "0x7ff6c28c47ed",
            "parentcaller": "0x7ff6c28c375e",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "39"
              },
              {
                "name": "TokenInformation",
                "value": "\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\xc0\\xa3+T\\x92\\x02\\x00\\x00 \\x00 \\x00\\x00\\x00\\x00\\x00\\xe8\\xa3+T\\x92\\x02\\x00\\x00\\x02\\x00\\x00\\x00A\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x08\\xa4+T\\x92\\x02\\x00\\x00T\\x00S\\x00A\\x00:\\x00/\\x00/\\x00P\\x00r\\x00o\\x00c\\x00U\\x00n\\x00i\\x00q\\x00u\\x00e\\x00\\xae\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xf9\\x8c\\x0b\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 24619
          },
          {
            "timestamp": "2026-05-28 22:02:45,600",
            "thread_id": "5448",
            "caller": "0x7ff6c28c488d",
            "parentcaller": "0x7ff6c28c375e",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000ac8"
              }
            ],
            "repeated": 0,
            "id": 24620
          },
          {
            "timestamp": "2026-05-28 22:02:45,600",
            "thread_id": "5448",
            "caller": "0x7ff6c28c3779",
            "parentcaller": "0x7ff6c28c31c6",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000ac0"
              }
            ],
            "repeated": 0,
            "id": 24621
          },
          {
            "timestamp": "2026-05-28 22:02:45,600",
            "thread_id": "2700",
            "caller": "0x7ff6c28d9214",
            "parentcaller": "0x00000000",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "0",
                "pretty_value": "ThreadBasicInformation"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x03\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xd0\\x86\\x9d\\xf0\\x00\\x00\\x00\\xe8\\x1e\\x00\\x00\\x00\\x00\\x00\\x00\\x8c\n\\x00\\x00\\x00\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\n\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "2700"
              }
            ],
            "repeated": 0,
            "id": 24622
          },
          {
            "timestamp": "2026-05-28 22:02:45,600",
            "thread_id": "2700",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000000",
                "pretty_value": "HKEY_CLASSES_ROOT"
              },
              {
                "name": "SubKey",
                "value": "CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_CLASSES_ROOT\\CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              }
            ],
            "repeated": 0,
            "id": 24623
          },
          {
            "timestamp": "2026-05-28 22:02:45,600",
            "thread_id": "2700",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "shell32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76730000"
              }
            ],
            "repeated": 0,
            "id": 24624
          },
          {
            "timestamp": "2026-05-28 22:02:45,600",
            "thread_id": "2700",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x7ffc76730000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "shell32.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 24625
          },
          {
            "timestamp": "2026-05-28 22:02:45,600",
            "thread_id": "2700",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "SHELL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc76730000"
              },
              {
                "name": "FunctionName",
                "value": "DllGetClassObject"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc767878f0"
              }
            ],
            "repeated": 0,
            "id": 24626
          },
          {
            "timestamp": "2026-05-28 22:02:45,600",
            "thread_id": "2700",
            "caller": "0x7ff6c28c27c9",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "synchronization",
            "api": "NtFindAtom",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "AtomName",
                "value": "{57086C23-86C6-478F-AFB2-236188C8F47F} 3"
              },
              {
                "name": "Atom",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 24627
          },
          {
            "timestamp": "2026-05-28 22:02:45,600",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6fb1",
            "parentcaller": "0x7ff6c28e0076",
            "category": "system",
            "api": "NtDelayExecution",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 24628
          },
          {
            "timestamp": "2026-05-28 22:02:45,600",
            "thread_id": "2700",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000000",
                "pretty_value": "HKEY_CLASSES_ROOT"
              },
              {
                "name": "SubKey",
                "value": "CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_CLASSES_ROOT\\CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              }
            ],
            "repeated": 0,
            "id": 24629
          },
          {
            "timestamp": "2026-05-28 22:02:45,600",
            "thread_id": "2700",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "shell32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76730000"
              }
            ],
            "repeated": 0,
            "id": 24630
          },
          {
            "timestamp": "2026-05-28 22:02:45,600",
            "thread_id": "2700",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x7ffc76730000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "shell32.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 24631
          },
          {
            "timestamp": "2026-05-28 22:02:45,600",
            "thread_id": "2700",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "SHELL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc76730000"
              },
              {
                "name": "FunctionName",
                "value": "DllGetClassObject"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc767878f0"
              }
            ],
            "repeated": 0,
            "id": 24632
          },
          {
            "timestamp": "2026-05-28 22:02:45,600",
            "thread_id": "2700",
            "caller": "0x7ff6c28c27c9",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "synchronization",
            "api": "NtFindAtom",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "AtomName",
                "value": "{57086C23-86C6-478F-AFB2-236188C8F47F} 3"
              },
              {
                "name": "Atom",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 24633
          },
          {
            "timestamp": "2026-05-28 22:02:45,600",
            "thread_id": "2700",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000000",
                "pretty_value": "HKEY_CLASSES_ROOT"
              },
              {
                "name": "SubKey",
                "value": "CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_CLASSES_ROOT\\CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              }
            ],
            "repeated": 0,
            "id": 24634
          },
          {
            "timestamp": "2026-05-28 22:02:45,600",
            "thread_id": "2700",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "shell32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76730000"
              }
            ],
            "repeated": 0,
            "id": 24635
          },
          {
            "timestamp": "2026-05-28 22:02:45,600",
            "thread_id": "2700",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x7ffc76730000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "shell32.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 24636
          },
          {
            "timestamp": "2026-05-28 22:02:45,600",
            "thread_id": "2700",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "SHELL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc76730000"
              },
              {
                "name": "FunctionName",
                "value": "DllGetClassObject"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc767878f0"
              }
            ],
            "repeated": 0,
            "id": 24637
          },
          {
            "timestamp": "2026-05-28 22:02:45,600",
            "thread_id": "2700",
            "caller": "0x7ff6c28c27c9",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "synchronization",
            "api": "NtFindAtom",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "AtomName",
                "value": "{57086C23-86C6-478F-AFB2-236188C8F47F} 3"
              },
              {
                "name": "Atom",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 24638
          },
          {
            "timestamp": "2026-05-28 22:02:45,600",
            "thread_id": "2700",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000000",
                "pretty_value": "HKEY_CLASSES_ROOT"
              },
              {
                "name": "SubKey",
                "value": "CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_CLASSES_ROOT\\CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              }
            ],
            "repeated": 0,
            "id": 24639
          },
          {
            "timestamp": "2026-05-28 22:02:45,600",
            "thread_id": "2700",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "shell32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76730000"
              }
            ],
            "repeated": 0,
            "id": 24640
          },
          {
            "timestamp": "2026-05-28 22:02:45,600",
            "thread_id": "2700",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x7ffc76730000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "shell32.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 24641
          },
          {
            "timestamp": "2026-05-28 22:02:45,600",
            "thread_id": "2700",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "SHELL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc76730000"
              },
              {
                "name": "FunctionName",
                "value": "DllGetClassObject"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc767878f0"
              }
            ],
            "repeated": 0,
            "id": 24642
          },
          {
            "timestamp": "2026-05-28 22:02:45,600",
            "thread_id": "2700",
            "caller": "0x7ff6c28c27c9",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "synchronization",
            "api": "NtFindAtom",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "AtomName",
                "value": "{57086C23-86C6-478F-AFB2-236188C8F47F} 3"
              },
              {
                "name": "Atom",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 24643
          },
          {
            "timestamp": "2026-05-28 22:02:45,600",
            "thread_id": "2700",
            "caller": "0x7ff6c28d9322",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "oleaut32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc77330000"
              }
            ],
            "repeated": 0,
            "id": 24644
          },
          {
            "timestamp": "2026-05-28 22:02:45,600",
            "thread_id": "5448",
            "caller": "0x7ff6c28bb952",
            "parentcaller": "0x7ff6c28be837",
            "category": "windows",
            "api": "PostMessageW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "WindowHandle",
                "value": "0x00010402"
              },
              {
                "name": "Message",
                "value": "0x00000464"
              }
            ],
            "repeated": 0,
            "id": 24645
          },
          {
            "timestamp": "2026-05-28 22:02:45,600",
            "thread_id": "5448",
            "caller": "0x7ff6c28be873",
            "parentcaller": "0x7ff6c28d9f92",
            "category": "windows",
            "api": "PostMessageW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "WindowHandle",
                "value": "0x000203fa"
              },
              {
                "name": "Message",
                "value": "0x000004dd"
              }
            ],
            "repeated": 0,
            "id": 24646
          },
          {
            "timestamp": "2026-05-28 22:02:45,600",
            "thread_id": "608",
            "caller": "0x7ff6c28d9e90",
            "parentcaller": "0x7ff6c28d9a49",
            "category": "windows",
            "api": "FindWindowW",
            "status": true,
            "return": "0x00010092",
            "arguments": [
              {
                "name": "ClassName",
                "value": "Shell_TrayWnd"
              },
              {
                "name": "WindowName",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 24647
          },
          {
            "timestamp": "2026-05-28 22:02:45,600",
            "thread_id": "2700",
            "caller": "0x7ffc77bf0e98",
            "parentcaller": "0x7ffc77c6b785",
            "category": "windows",
            "api": "PostMessageW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "WindowHandle",
                "value": "0x00010438"
              },
              {
                "name": "Message",
                "value": "0x00000400"
              }
            ],
            "repeated": 0,
            "id": 24648
          },
          {
            "timestamp": "2026-05-28 22:02:46,490",
            "thread_id": "5448",
            "caller": "0x7ff6c28bd9af",
            "parentcaller": "0x7ff6c28d9f92",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "23"
              },
              {
                "name": "ThreadInformation",
                "value": "$\\xab6o\\x00\\x00\\x00\\x00\\xc0m[\"i\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "5448"
              }
            ],
            "repeated": 0,
            "id": 24649
          },
          {
            "timestamp": "2026-05-28 22:02:46,490",
            "thread_id": "8604",
            "caller": "0x7ff6c28c4a58",
            "parentcaller": "0x7ff6c28bab11",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000410"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\PcwDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00224013"
              },
              {
                "name": "InputBuffer",
                "value": "\\x88\\x08\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": "x\\x02\\x00\\x00\\x10\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00h\\x02\\x00\\x00 \\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01<\\x06\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x90\\x00\\x00\\x00\\x00\\x00\\x00\\x00 \\x00\\x00\\x00\\x07\\x00\\x00\\x000\\x00,\\x000\\x00\\x00\\x00a\\x00n\\x00a\\x00g\\x00\\x10\\x00\\x00\\x00\\x10\\x00\\x04\\x00\\x00\\x00\\x00\\x00A\\x00p\\x00\\x10\\x00\\x00\\x00\\x1a\\x00\\x08\\x00\\xaf\r\\xbd\\x11\\x01\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x1b\\x00\\x04\\x00*\\x0e\\\\x04S\\x00e\\x00\\x10\\x00\\x00\\x00\\x1c\\x00\\x08\\x00\\x8b\\xc2\\xc4\\x08\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x1d\\x00\\x04\\x00*\\x0e\\\\x04)\\x00\\x00\\x00\\x10\\x00\\x00\\x00!\\x00\\x08\\x00\\xb20\\x00j'\\x00\\x00\\x00\\x10\\x00\\x00\\x00\"\\x00\\x04\\x00B\\xc5\\xbc\\x02o\\x00f\\x00\\x90\\x00\\x00\\x00\\x01\\x00\\x00\\x00 \\x00\\x00\\x00\\x07\\x00\\x00\\x000\\x00,\\x001\\x00\\x00\\x00n\\x00t\\x00\\x00\\x00A\\x00\\x10\\x00\\x00\\x00\\x10\\x00\\x04\\x00\\x00\\x00\\x00\\x00e\\x00n\\x00\\x10\\x00\\x00\\x00\\x1a\\x00\\x08\\x00V6)\\x17\\x01\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 24650
          },
          {
            "timestamp": "2026-05-28 22:02:46,490",
            "thread_id": "8604",
            "caller": "0x7ff6c28c7164",
            "parentcaller": "0x7ff6c28c4d2d",
            "category": "misc",
            "api": "NtQuerySystemInformation",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "SystemInformationClass",
                "value": "79"
              }
            ],
            "repeated": 0,
            "id": 24651
          },
          {
            "timestamp": "2026-05-28 22:02:46,490",
            "thread_id": "8604",
            "caller": "0x7ff6c28c71d8",
            "parentcaller": "0x7ff6c28c4d2d",
            "category": "misc",
            "api": "NtQuerySystemInformation",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SystemInformationClass",
                "value": "79"
              }
            ],
            "repeated": 0,
            "id": 24652
          },
          {
            "timestamp": "2026-05-28 22:02:46,490",
            "thread_id": "8604",
            "caller": "0x7ff6c28c4d5f",
            "parentcaller": "0x7ff6c28d9152",
            "category": "misc",
            "api": "NtQuerySystemInformation",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SystemInformationClass",
                "value": "182"
              }
            ],
            "repeated": 0,
            "id": 24653
          },
          {
            "timestamp": "2026-05-28 22:02:46,490",
            "thread_id": "8604",
            "caller": "0x7ff6c28c4d76",
            "parentcaller": "0x7ff6c28d9152",
            "category": "misc",
            "api": "GetPhysicallyInstalledSystemMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TotalMemoryInKilobytes",
                "value": "8388608"
              }
            ],
            "repeated": 0,
            "id": 24654
          },
          {
            "timestamp": "2026-05-28 22:02:46,490",
            "thread_id": "8604",
            "caller": "0x7ff6c28bcc3e",
            "parentcaller": "0x7ff6c28baa3d",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000008a4"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\Nsi"
              },
              {
                "name": "IoControlCode",
                "value": "0x00120007"
              },
              {
                "name": "InputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb1\\xa9t\\xfc\\x7f\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xc0\\xe5O\\x9e\\xf0\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb1\\xa9t\\xfc\\x7f\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xc0\\xe5O\\x9e\\xf0\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 24655
          },
          {
            "timestamp": "2026-05-28 22:02:46,490",
            "thread_id": "8604",
            "caller": "0x7ff6c28bcc3e",
            "parentcaller": "0x7ff6c28baa3d",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000ab8"
              }
            ],
            "repeated": 0,
            "id": 24656
          },
          {
            "timestamp": "2026-05-28 22:02:46,490",
            "thread_id": "8604",
            "caller": "0x7ff6c28bcc3e",
            "parentcaller": "0x7ff6c28baa3d",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000008a4"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\Nsi"
              },
              {
                "name": "IoControlCode",
                "value": "0x0012000f"
              },
              {
                "name": "InputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb1\\xa9t\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xd0\\xe5O\\x9e\\xf0\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\xeeO\\x9e\\xf0\\x00\\x00\\x00D\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xe6O\\x9e\\xf0\\x00\\x00\\x00\\xd8\\x00\\x00\\x00\\x00\\x00\\x00\\x00 \\xe9O\\x9e\\xf0\\x00\\x00\\x00X\\x02\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb1\\xa9t\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xd0\\xe5O\\x9e\\xf0\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\xeeO\\x9e\\xf0\\x00\\x00\\x00D\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xe6O\\x9e\\xf0\\x00\\x00\\x00\\xd8\\x00\\x00\\x00\\x00\\x00\\x00\\x00 \\xe9O\\x9e\\xf0\\x00\\x00\\x00X\\x02\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 24657
          },
          {
            "timestamp": "2026-05-28 22:02:46,490",
            "thread_id": "8604",
            "caller": "0x7ff6c28bcc3e",
            "parentcaller": "0x7ff6c28baa3d",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000ab8"
              }
            ],
            "repeated": 0,
            "id": 24658
          },
          {
            "timestamp": "2026-05-28 22:02:46,490",
            "thread_id": "8604",
            "caller": "0x7ff6c28bcd3d",
            "parentcaller": "0x7ff6c28baa3d",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000ab8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0012019f",
                "pretty_value": "FILE_GENERIC_READ|FILE_GENERIC_WRITE"
              },
              {
                "name": "FileName",
                "value": "\\Device\\{4C572733-2FBA-4346-9601-F86DBA666EF2}"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 24659
          },
          {
            "timestamp": "2026-05-28 22:02:46,490",
            "thread_id": "8604",
            "caller": "0x7ff6c28bcd94",
            "parentcaller": "0x7ff6c28baa3d",
            "category": "device",
            "api": "DeviceIoControl",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "DeviceHandle",
                "value": "0x00000ab8"
              },
              {
                "name": "IoControlCode",
                "value": "0x0017003e"
              },
              {
                "name": "InBuffer",
                "value": "\\x07\\x01\\x01\\x00\\x04\\x01\\x01\\x80\\x14\\x01\\x01\\x80\\x01\\x01\\x02\\x00\\x02\\x01\\x02\\x00\\x03\\x01\\x02\\x00\\x04\\x01\\x02\\x00\\x08\\x02\\x02\\x80\\x01\\x02\\x02\\x80\\x07\\x02\\x02\\x80\\xff\\xff\\xff\\x80\\x13\\x02\\x02\\x80\\x14\\x02\\x02\\x80\\x15\\x02\\x02\\x80\\x02\\x02\\x01\\x80"
              },
              {
                "name": "OutBuffer",
                "value": "\\x07\\x01\\x01\\x00\\x04\\x00\\x00\\x00\\x80\\x96\\x98\\x00\\x04\\x01\\x01\\x80\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x14\\x01\\x01\\x80\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x01\\x02\\x00\\x08\\x00\\x00\\x00\\x90\\x17\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x01\\x02\\x00\\x08\\x00\\x00\\x00\\xcar\\x00\\x00\\x00\\x00\\x00\\x00\\x03\\x01\\x02\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x04\\x01\\x02\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x08\\x02\\x02\\x80\\x08\\x00\\x00\\x00\\xc5r\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x02\\x02\\x80\\x08\\x00\\x00\\x00u>a\\x00\\x00\\x00\\x00\\x00\\x07\\x02\\x02\\x80\\x08\\x00\\x00\\x00\\x9b.C\\x02\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\x80\\x04\\x00\\x00\\x00p\\x00\\x00\\x00\\x13\\x02\\x02\\x80\\x04\\x00\\x00\\x00m\\x00\\x00\\x00\\x14\\x02\\x02\\x80\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x15\\x02\\x02\\x80\\x04\\x00\\x00\\x00\\x00\\x00\\x04\\x00\\x02\\x02\\x01\\x80\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 24660
          },
          {
            "timestamp": "2026-05-28 22:02:46,490",
            "thread_id": "8604",
            "caller": "0x7ff6c28bcdab",
            "parentcaller": "0x7ff6c28baa3d",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000ab8"
              }
            ],
            "repeated": 0,
            "id": 24661
          },
          {
            "timestamp": "2026-05-28 22:02:46,490",
            "thread_id": "8604",
            "caller": "0x7ff6c28c1a63",
            "parentcaller": "0x7ff6c28d9152",
            "category": "device",
            "api": "DeviceIoControl",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "DeviceHandle",
                "value": "0x0000089c"
              },
              {
                "name": "IoControlCode",
                "value": "0x00070020"
              },
              {
                "name": "InBuffer",
                "value": ""
              },
              {
                "name": "OutBuffer",
                "value": "\\x00J\\xebx\\x00\\x00\\x00\\x00\\x00n\\xc4\\x0c\\x00\\x00\\x00\\x00\\xb02\\xc0 \\x00\\x00\\x00\\x00\\xf9\\x14Q\\x16\\x00\\x00\\x00\\x00\\x16\\x92\\xd70\\x00\\x00\\x00\\x00\\x14w\\x00\\x00\\x12\\x12\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00,\\x8cV\\xb7\\xed\\xee\\xdc\\x01\\x00\\x00\\x00\\x00P\\x00a\\x00r\\x00t\\x00m\\x00g\\x00r\\x00 \\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 24662
          },
          {
            "timestamp": "2026-05-28 22:02:46,490",
            "thread_id": "8604",
            "caller": "0x7ff6c28ca352",
            "parentcaller": "0x7ff6c28ca1d6",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 24663
          },
          {
            "timestamp": "2026-05-28 22:02:46,490",
            "thread_id": "8604",
            "caller": "0x7ff6c28ca352",
            "parentcaller": "0x7ff6c28ca1d6",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "0",
                "pretty_value": "ThreadBasicInformation"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x03\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb0\\x88\\x9d\\xf0\\x00\\x00\\x00\\xe8\\x1e\\x00\\x00\\x00\\x00\\x00\\x00\\x9c!\\x00\\x00\\x00\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x0b\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "8604"
              }
            ],
            "repeated": 0,
            "id": 24664
          },
          {
            "timestamp": "2026-05-28 22:02:46,490",
            "thread_id": "8604",
            "caller": "0x7ff6c28ca352",
            "parentcaller": "0x7ff6c28ca1d6",
            "category": "system",
            "api": "GetSystemTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 1,
            "id": 24665
          },
          {
            "timestamp": "2026-05-28 22:02:46,490",
            "thread_id": "8604",
            "caller": "0x7ff6c28ca352",
            "parentcaller": "0x7ff6c28ca1d6",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000410"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\PcwDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00224013"
              },
              {
                "name": "InputBuffer",
                "value": "\\x00\t\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": "\\xe0G\\x00\\x00\\x10\\x00\\x00\\x00\\x0c\\x00\\x00\\x00\\x00\\x00\\x00\\x00`\\x14\\x00\\x00 \\x00\\x00\\x00!\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\n\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x98\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x88\\x00\\x00\\x00\\x01\\x00\\x00\\x00p\\x00i\\x00d\\x00_\\x004\\x00_\\x00l\\x00u\\x00i\\x00d\\x00_\\x000\\x00x\\x000\\x000\\x000\\x000\\x000\\x000\\x000\\x000\\x00_\\x000\\x00x\\x000\\x000\\x000\\x000\\x006\\x001\\x006\\x00A\\x00_\\x00p\\x00h\\x00y\\x00s\\x00_\\x000\\x00_\\x00e\\x00n\\x00g\\x00_\\x000\\x00_\\x00e\\x00n\\x00g\\x00t\\x00y\\x00p\\x00e\\x00_\\x003\\x00D\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x01\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x98\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x88\\x00\\x00\\x00\\x01\\x00\\x00\\x00p\\x00i\\x00d\\x00_\\x004\\x00_\\x00l\\x00u\\x00i\\x00d\\x00_\\x000\\x00x\\x000\\x000\\x000\\x000\\x000\\x000\\x000\\x00"
              }
            ],
            "repeated": 0,
            "id": 24666
          },
          {
            "timestamp": "2026-05-28 22:02:46,490",
            "thread_id": "5448",
            "caller": "0x7ff6c28c63dd",
            "parentcaller": "0x7ff6c28bac26",
            "category": "misc",
            "api": "NtQuerySystemInformation",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SystemInformationClass",
                "value": "5",
                "pretty_value": "SystemProcessInformation"
              }
            ],
            "repeated": 0,
            "id": 24667
          },
          {
            "timestamp": "2026-05-28 22:02:46,490",
            "thread_id": "5448",
            "caller": "0x7ff6c28bda50",
            "parentcaller": "0x7ff6c28d9f92",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "23"
              },
              {
                "name": "ThreadInformation",
                "value": "\\xb6\\x8fvo\\x00\\x00\\x00\\x00\\xfa\\xf7\\x9c\"i\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "5448"
              }
            ],
            "repeated": 0,
            "id": 24668
          },
          {
            "timestamp": "2026-05-28 22:02:46,490",
            "thread_id": "5448",
            "caller": "0x7ff6c28bdaa2",
            "parentcaller": "0x7ff6c28d9f92",
            "category": "misc",
            "api": "NtQuerySystemInformation",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SystemInformationClass",
                "value": "3",
                "pretty_value": "SystemTimeOfDayInformation"
              }
            ],
            "repeated": 0,
            "id": 24669
          },
          {
            "timestamp": "2026-05-28 22:02:46,490",
            "thread_id": "5448",
            "caller": "0x7ff6c28c4a58",
            "parentcaller": "0x7ff6c28c4bdc",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000410"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\PcwDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00224013"
              },
              {
                "name": "InputBuffer",
                "value": "\\x14\\x04\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": "\\xb8\\x01\\x00\\x00\\x10\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xa8\\x01\\x00\\x00 \\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x000\\x00\\x00\\x0c\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00`\\x00\\x00\\x00\\x00\\x00\\x00\\x00 \\x00\\x00\\x00\\x04\\x00\\x00\\x000\\x00,\\x000\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x04\\x00\\x08\\x00V!\\x83\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x05\\x00\\x08\\x00VN\\xb4\\x01\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x1a\\x00\\x08\\x00\\xac0\\xbe\\x11\\x01\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x1b\\x00\\x04\\x00\\x13\\x11\\\\x04\\x00\\x00\\x00\\x00`\\x00\\x00\\x00\\x01\\x00\\x00\\x00 \\x00\\x00\\x00\\x04\\x00\\x00\\x000\\x00,\\x001\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x04\\x00\\x08\\x00\\xaey^\\x01\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x05\\x00\\x08\\x00T\\xea*\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x1a\\x00\\x08\\x00\\xd6W*\\x17\\x01\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x1b\\x00\\x04\\x00\\x18\\x11\\\\x04\\x00\\x00\\x00\\x00h\\x00\\x00\\x00\\x02\\x00\\x00\\x00(\\x00\\x00\\x00\\x04\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 24670
          },
          {
            "timestamp": "2026-05-28 22:02:46,490",
            "thread_id": "5448",
            "caller": "0x7ff6c28c4a58",
            "parentcaller": "0x7ff6c28c4c19",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000410"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\PcwDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00224013"
              },
              {
                "name": "InputBuffer",
                "value": "\\x18\\x04\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": "x\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00h\\x00\\x00\\x00 \\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00H\\x00\\x00\\x00\\x00\\x00\\x00\\x00(\\x00\\x00\\x00\\x02\\x00\\x00\\x00d\\x00e\\x00f\\x00a\\x00u\\x00l\\x00t\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x08\\x00\\x1b\\x14\\xd1\\xa3\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x01\\x00\\x08\\x00\\x00n\\xa2\\x0e\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 24671
          },
          {
            "timestamp": "2026-05-28 22:02:46,490",
            "thread_id": "5448",
            "caller": "0x7ff6c28c6f7b",
            "parentcaller": "0x7ff6c28bdb94",
            "category": "misc",
            "api": "GlobalMemoryStatusEx",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "MemoryLoad",
                "value": "35"
              },
              {
                "name": "TotalPhysicalMB",
                "value": "8191"
              }
            ],
            "repeated": 0,
            "id": 24672
          },
          {
            "timestamp": "2026-05-28 22:02:46,490",
            "thread_id": "5448",
            "caller": "0x7ff6c28c05ac",
            "parentcaller": "0x7ff6c28bdc11",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000ac0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001400",
                "pretty_value": "PROCESS_QUERY_INFORMATION|PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "748"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe"
              }
            ],
            "repeated": 0,
            "id": 24673
          },
          {
            "timestamp": "2026-05-28 22:02:46,490",
            "thread_id": "5448",
            "caller": "0x7ff6c28c068f",
            "parentcaller": "0x7ff6c28bdc11",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000ac0"
              }
            ],
            "repeated": 0,
            "id": 24674
          },
          {
            "timestamp": "2026-05-28 22:02:46,490",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c6d7d",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000ac0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001400",
                "pretty_value": "PROCESS_QUERY_INFORMATION|PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "748"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe"
              }
            ],
            "repeated": 0,
            "id": 24675
          },
          {
            "timestamp": "2026-05-28 22:02:46,490",
            "thread_id": "5448",
            "caller": "0x7ff6c28c6de3",
            "parentcaller": "0x7ff6c28c087c",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000ac0"
              }
            ],
            "repeated": 0,
            "id": 24676
          },
          {
            "timestamp": "2026-05-28 22:02:46,490",
            "thread_id": "2700",
            "caller": "0x7ff6c28d9214",
            "parentcaller": "0x00000000",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "0",
                "pretty_value": "ThreadBasicInformation"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x03\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xd0\\x86\\x9d\\xf0\\x00\\x00\\x00\\xe8\\x1e\\x00\\x00\\x00\\x00\\x00\\x00\\x8c\n\\x00\\x00\\x00\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x0b\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "2700"
              }
            ],
            "repeated": 0,
            "id": 24677
          },
          {
            "timestamp": "2026-05-28 22:02:46,490",
            "thread_id": "2700",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000000",
                "pretty_value": "HKEY_CLASSES_ROOT"
              },
              {
                "name": "SubKey",
                "value": "CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_CLASSES_ROOT\\CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              }
            ],
            "repeated": 0,
            "id": 24678
          },
          {
            "timestamp": "2026-05-28 22:02:46,490",
            "thread_id": "2700",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "shell32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76730000"
              }
            ],
            "repeated": 0,
            "id": 24679
          },
          {
            "timestamp": "2026-05-28 22:02:46,490",
            "thread_id": "2700",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x7ffc76730000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "shell32.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 24680
          },
          {
            "timestamp": "2026-05-28 22:02:46,490",
            "thread_id": "2700",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "SHELL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc76730000"
              },
              {
                "name": "FunctionName",
                "value": "DllGetClassObject"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc767878f0"
              }
            ],
            "repeated": 0,
            "id": 24681
          },
          {
            "timestamp": "2026-05-28 22:02:46,490",
            "thread_id": "2700",
            "caller": "0x7ff6c28c27c9",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "synchronization",
            "api": "NtFindAtom",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "AtomName",
                "value": "{57086C23-86C6-478F-AFB2-236188C8F47F} 3"
              },
              {
                "name": "Atom",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 24682
          },
          {
            "timestamp": "2026-05-28 22:02:46,490",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6fb1",
            "parentcaller": "0x7ff6c28e0076",
            "category": "system",
            "api": "NtDelayExecution",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 24683
          },
          {
            "timestamp": "2026-05-28 22:02:46,490",
            "thread_id": "2700",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000000",
                "pretty_value": "HKEY_CLASSES_ROOT"
              },
              {
                "name": "SubKey",
                "value": "CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_CLASSES_ROOT\\CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              }
            ],
            "repeated": 0,
            "id": 24684
          },
          {
            "timestamp": "2026-05-28 22:02:46,490",
            "thread_id": "2700",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "shell32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76730000"
              }
            ],
            "repeated": 0,
            "id": 24685
          },
          {
            "timestamp": "2026-05-28 22:02:46,490",
            "thread_id": "2700",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x7ffc76730000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "shell32.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 24686
          },
          {
            "timestamp": "2026-05-28 22:02:46,490",
            "thread_id": "2700",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "SHELL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc76730000"
              },
              {
                "name": "FunctionName",
                "value": "DllGetClassObject"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc767878f0"
              }
            ],
            "repeated": 0,
            "id": 24687
          },
          {
            "timestamp": "2026-05-28 22:02:46,490",
            "thread_id": "2700",
            "caller": "0x7ff6c28c27c9",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "synchronization",
            "api": "NtFindAtom",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "AtomName",
                "value": "{57086C23-86C6-478F-AFB2-236188C8F47F} 3"
              },
              {
                "name": "Atom",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 24688
          },
          {
            "timestamp": "2026-05-28 22:02:46,490",
            "thread_id": "2700",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000000",
                "pretty_value": "HKEY_CLASSES_ROOT"
              },
              {
                "name": "SubKey",
                "value": "CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_CLASSES_ROOT\\CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              }
            ],
            "repeated": 0,
            "id": 24689
          },
          {
            "timestamp": "2026-05-28 22:02:46,490",
            "thread_id": "2700",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "shell32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76730000"
              }
            ],
            "repeated": 0,
            "id": 24690
          },
          {
            "timestamp": "2026-05-28 22:02:46,490",
            "thread_id": "2700",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x7ffc76730000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "shell32.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 24691
          },
          {
            "timestamp": "2026-05-28 22:02:46,490",
            "thread_id": "2700",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "SHELL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc76730000"
              },
              {
                "name": "FunctionName",
                "value": "DllGetClassObject"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc767878f0"
              }
            ],
            "repeated": 0,
            "id": 24692
          },
          {
            "timestamp": "2026-05-28 22:02:46,490",
            "thread_id": "2700",
            "caller": "0x7ff6c28c27c9",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "synchronization",
            "api": "NtFindAtom",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "AtomName",
                "value": "{57086C23-86C6-478F-AFB2-236188C8F47F} 3"
              },
              {
                "name": "Atom",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 24693
          },
          {
            "timestamp": "2026-05-28 22:02:46,490",
            "thread_id": "2700",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000000",
                "pretty_value": "HKEY_CLASSES_ROOT"
              },
              {
                "name": "SubKey",
                "value": "CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_CLASSES_ROOT\\CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              }
            ],
            "repeated": 0,
            "id": 24694
          },
          {
            "timestamp": "2026-05-28 22:02:46,490",
            "thread_id": "2700",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "shell32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76730000"
              }
            ],
            "repeated": 0,
            "id": 24695
          },
          {
            "timestamp": "2026-05-28 22:02:46,490",
            "thread_id": "2700",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x7ffc76730000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "shell32.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 24696
          },
          {
            "timestamp": "2026-05-28 22:02:46,490",
            "thread_id": "2700",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "SHELL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc76730000"
              },
              {
                "name": "FunctionName",
                "value": "DllGetClassObject"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc767878f0"
              }
            ],
            "repeated": 0,
            "id": 24697
          },
          {
            "timestamp": "2026-05-28 22:02:46,490",
            "thread_id": "2700",
            "caller": "0x7ff6c28c27c9",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "synchronization",
            "api": "NtFindAtom",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "AtomName",
                "value": "{57086C23-86C6-478F-AFB2-236188C8F47F} 3"
              },
              {
                "name": "Atom",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 24698
          },
          {
            "timestamp": "2026-05-28 22:02:46,490",
            "thread_id": "2700",
            "caller": "0x7ff6c28d9322",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "oleaut32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc77330000"
              }
            ],
            "repeated": 0,
            "id": 24699
          },
          {
            "timestamp": "2026-05-28 22:02:46,490",
            "thread_id": "5448",
            "caller": "0x7ff6c28bb952",
            "parentcaller": "0x7ff6c28be837",
            "category": "windows",
            "api": "PostMessageW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "WindowHandle",
                "value": "0x00010402"
              },
              {
                "name": "Message",
                "value": "0x00000464"
              }
            ],
            "repeated": 0,
            "id": 24700
          },
          {
            "timestamp": "2026-05-28 22:02:46,490",
            "thread_id": "5448",
            "caller": "0x7ff6c28be873",
            "parentcaller": "0x7ff6c28d9f92",
            "category": "windows",
            "api": "PostMessageW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "WindowHandle",
                "value": "0x000203fa"
              },
              {
                "name": "Message",
                "value": "0x000004dd"
              }
            ],
            "repeated": 0,
            "id": 24701
          },
          {
            "timestamp": "2026-05-28 22:02:46,490",
            "thread_id": "608",
            "caller": "0x7ff6c28d9e90",
            "parentcaller": "0x7ff6c28d9a49",
            "category": "windows",
            "api": "FindWindowW",
            "status": true,
            "return": "0x00010092",
            "arguments": [
              {
                "name": "ClassName",
                "value": "Shell_TrayWnd"
              },
              {
                "name": "WindowName",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 24702
          },
          {
            "timestamp": "2026-05-28 22:02:46,490",
            "thread_id": "2700",
            "caller": "0x7ffc77bf0e98",
            "parentcaller": "0x7ffc77c6b785",
            "category": "windows",
            "api": "PostMessageW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "WindowHandle",
                "value": "0x00010438"
              },
              {
                "name": "Message",
                "value": "0x00000400"
              }
            ],
            "repeated": 0,
            "id": 24703
          },
          {
            "timestamp": "2026-05-28 22:02:46,521",
            "thread_id": "2700",
            "caller": "0x7ffc77bf0e98",
            "parentcaller": "0x7ffc77c6b785",
            "category": "windows",
            "api": "PostMessageW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "WindowHandle",
                "value": "0x00010424"
              },
              {
                "name": "Message",
                "value": "0x00000400"
              }
            ],
            "repeated": 0,
            "id": 24704
          },
          {
            "timestamp": "2026-05-28 22:02:47,506",
            "thread_id": "5448",
            "caller": "0x7ff6c28bd9af",
            "parentcaller": "0x7ff6c28d9f92",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "23"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x90\\xda\\x99o\\x00\\x00\\x00\\x00\\x04%\\x7f\\x01j\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "5448"
              }
            ],
            "repeated": 0,
            "id": 24705
          },
          {
            "timestamp": "2026-05-28 22:02:47,506",
            "thread_id": "8604",
            "caller": "0x7ff6c28c4a58",
            "parentcaller": "0x7ff6c28bab11",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000410"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\PcwDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00224013"
              },
              {
                "name": "InputBuffer",
                "value": "\\x88\\x08\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": "x\\x02\\x00\\x00\\x10\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00h\\x02\\x00\\x00 \\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01<\\x06\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x90\\x00\\x00\\x00\\x00\\x00\\x00\\x00 \\x00\\x00\\x00\\x07\\x00\\x00\\x000\\x00,\\x000\\x00\\x00\\x00a\\x00n\\x00a\\x00g\\x00\\x10\\x00\\x00\\x00\\x10\\x00\\x04\\x00\\x00\\x00\\x00\\x00A\\x00p\\x00\\x10\\x00\\x00\\x00\\x1a\\x00\\x08\\x00\\x18\\x81\\x85\\x15\\x01\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x1b\\x00\\x04\\x00f\\xbde\\x04S\\x00e\\x00\\x10\\x00\\x00\\x00\\x1c\\x00\\x08\\x00\\x8b\\xc2\\xc4\\x08\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x1d\\x00\\x04\\x00f\\xbde\\x04)\\x00\\x00\\x00\\x10\\x00\\x00\\x00!\\x00\\x08\\x00\\xb4Iq\\xf5'\\x00\\x00\\x00\\x10\\x00\\x00\\x00\"\\x00\\x04\\x00~t\\xc6\\x02o\\x00f\\x00\\x90\\x00\\x00\\x00\\x01\\x00\\x00\\x00 \\x00\\x00\\x00\\x07\\x00\\x00\\x000\\x00,\\x001\\x00\\x00\\x00n\\x00t\\x00\\x00\\x00A\\x00\\x10\\x00\\x00\\x00\\x10\\x00\\x04\\x00\\x00\\x00\\x00\\x00e\\x00n\\x00\\x10\\x00\\x00\\x00\\x1a\\x00\\x08\\x00\\xeb\\xa9\\xf1\\x1a\\x01\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 24706
          },
          {
            "timestamp": "2026-05-28 22:02:47,506",
            "thread_id": "8604",
            "caller": "0x7ff6c28c7164",
            "parentcaller": "0x7ff6c28c4d2d",
            "category": "misc",
            "api": "NtQuerySystemInformation",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "SystemInformationClass",
                "value": "79"
              }
            ],
            "repeated": 0,
            "id": 24707
          },
          {
            "timestamp": "2026-05-28 22:02:47,506",
            "thread_id": "8604",
            "caller": "0x7ff6c28c71d8",
            "parentcaller": "0x7ff6c28c4d2d",
            "category": "misc",
            "api": "NtQuerySystemInformation",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SystemInformationClass",
                "value": "79"
              }
            ],
            "repeated": 0,
            "id": 24708
          },
          {
            "timestamp": "2026-05-28 22:02:47,506",
            "thread_id": "8604",
            "caller": "0x7ff6c28c4d5f",
            "parentcaller": "0x7ff6c28d9152",
            "category": "misc",
            "api": "NtQuerySystemInformation",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SystemInformationClass",
                "value": "182"
              }
            ],
            "repeated": 0,
            "id": 24709
          },
          {
            "timestamp": "2026-05-28 22:02:47,506",
            "thread_id": "8604",
            "caller": "0x7ff6c28c4d76",
            "parentcaller": "0x7ff6c28d9152",
            "category": "misc",
            "api": "GetPhysicallyInstalledSystemMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TotalMemoryInKilobytes",
                "value": "8388608"
              }
            ],
            "repeated": 0,
            "id": 24710
          },
          {
            "timestamp": "2026-05-28 22:02:47,506",
            "thread_id": "8604",
            "caller": "0x7ff6c28bcc3e",
            "parentcaller": "0x7ff6c28baa3d",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000008a4"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\Nsi"
              },
              {
                "name": "IoControlCode",
                "value": "0x00120007"
              },
              {
                "name": "InputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb1\\xa9t\\xfc\\x7f\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xc0\\xe5O\\x9e\\xf0\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb1\\xa9t\\xfc\\x7f\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xc0\\xe5O\\x9e\\xf0\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 24711
          },
          {
            "timestamp": "2026-05-28 22:02:47,506",
            "thread_id": "8604",
            "caller": "0x7ff6c28bcc3e",
            "parentcaller": "0x7ff6c28baa3d",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000ac4"
              }
            ],
            "repeated": 0,
            "id": 24712
          },
          {
            "timestamp": "2026-05-28 22:02:47,506",
            "thread_id": "8604",
            "caller": "0x7ff6c28bcc3e",
            "parentcaller": "0x7ff6c28baa3d",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000008a4"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\Nsi"
              },
              {
                "name": "IoControlCode",
                "value": "0x0012000f"
              },
              {
                "name": "InputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb1\\xa9t\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xd0\\xe5O\\x9e\\xf0\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\xeeO\\x9e\\xf0\\x00\\x00\\x00D\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xe6O\\x9e\\xf0\\x00\\x00\\x00\\xd8\\x00\\x00\\x00\\x00\\x00\\x00\\x00 \\xe9O\\x9e\\xf0\\x00\\x00\\x00X\\x02\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb1\\xa9t\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xd0\\xe5O\\x9e\\xf0\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\xeeO\\x9e\\xf0\\x00\\x00\\x00D\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xe6O\\x9e\\xf0\\x00\\x00\\x00\\xd8\\x00\\x00\\x00\\x00\\x00\\x00\\x00 \\xe9O\\x9e\\xf0\\x00\\x00\\x00X\\x02\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 24713
          },
          {
            "timestamp": "2026-05-28 22:02:47,506",
            "thread_id": "8604",
            "caller": "0x7ff6c28bcc3e",
            "parentcaller": "0x7ff6c28baa3d",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000ac4"
              }
            ],
            "repeated": 0,
            "id": 24714
          },
          {
            "timestamp": "2026-05-28 22:02:47,506",
            "thread_id": "8604",
            "caller": "0x7ff6c28bcd3d",
            "parentcaller": "0x7ff6c28baa3d",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000ac4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0012019f",
                "pretty_value": "FILE_GENERIC_READ|FILE_GENERIC_WRITE"
              },
              {
                "name": "FileName",
                "value": "\\Device\\{4C572733-2FBA-4346-9601-F86DBA666EF2}"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 24715
          },
          {
            "timestamp": "2026-05-28 22:02:47,506",
            "thread_id": "8604",
            "caller": "0x7ff6c28bcd94",
            "parentcaller": "0x7ff6c28baa3d",
            "category": "device",
            "api": "DeviceIoControl",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "DeviceHandle",
                "value": "0x00000ac4"
              },
              {
                "name": "IoControlCode",
                "value": "0x0017003e"
              },
              {
                "name": "InBuffer",
                "value": "\\x07\\x01\\x01\\x00\\x04\\x01\\x01\\x80\\x14\\x01\\x01\\x80\\x01\\x01\\x02\\x00\\x02\\x01\\x02\\x00\\x03\\x01\\x02\\x00\\x04\\x01\\x02\\x00\\x08\\x02\\x02\\x80\\x01\\x02\\x02\\x80\\x07\\x02\\x02\\x80\\xff\\xff\\xff\\x80\\x13\\x02\\x02\\x80\\x14\\x02\\x02\\x80\\x15\\x02\\x02\\x80\\x02\\x02\\x01\\x80"
              },
              {
                "name": "OutBuffer",
                "value": "\\x07\\x01\\x01\\x00\\x04\\x00\\x00\\x00\\x80\\x96\\x98\\x00\\x04\\x01\\x01\\x80\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x14\\x01\\x01\\x80\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x01\\x02\\x00\\x08\\x00\\x00\\x00\\x97\\x17\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x01\\x02\\x00\\x08\\x00\\x00\\x00\\xd2r\\x00\\x00\\x00\\x00\\x00\\x00\\x03\\x01\\x02\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x04\\x01\\x02\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x08\\x02\\x02\\x80\\x08\\x00\\x00\\x00\\xcdr\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x02\\x02\\x80\\x08\\x00\\x00\\x00\\xd4@a\\x00\\x00\\x00\\x00\\x00\\x07\\x02\\x02\\x80\\x08\\x00\\x00\\x00\\xbe6C\\x02\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\x80\\x04\\x00\\x00\\x00q\\x00\\x00\\x00\\x13\\x02\\x02\\x80\\x04\\x00\\x00\\x00m\\x00\\x00\\x00\\x14\\x02\\x02\\x80\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x15\\x02\\x02\\x80\\x04\\x00\\x00\\x00\\x00\\x00\\x04\\x00\\x02\\x02\\x01\\x80\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 24716
          },
          {
            "timestamp": "2026-05-28 22:02:47,506",
            "thread_id": "8604",
            "caller": "0x7ff6c28bcdab",
            "parentcaller": "0x7ff6c28baa3d",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000ac4"
              }
            ],
            "repeated": 0,
            "id": 24717
          },
          {
            "timestamp": "2026-05-28 22:02:47,506",
            "thread_id": "8604",
            "caller": "0x7ff6c28c1a63",
            "parentcaller": "0x7ff6c28d9152",
            "category": "device",
            "api": "DeviceIoControl",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "DeviceHandle",
                "value": "0x0000089c"
              },
              {
                "name": "IoControlCode",
                "value": "0x00070020"
              },
              {
                "name": "InBuffer",
                "value": ""
              },
              {
                "name": "OutBuffer",
                "value": "\\x00J\\xfbx\\x00\\x00\\x00\\x00\\x00n\\xc4\\x0c\\x00\\x00\\x00\\x00$l\\xc0 \\x00\\x00\\x00\\x00\\xf9\\x14Q\\x16\\x00\\x00\\x00\\x00aNr1\\x00\\x00\\x00\\x00\\x17w\\x00\\x00\\x12\\x12\\x00\\x00\\x00\\x00\\x00\\x00\\x03\\x05\\x00\\x009\\x80\\xf1\\xb7\\xed\\xee\\xdc\\x01\\x00\\x00\\x00\\x00P\\x00a\\x00r\\x00t\\x00m\\x00g\\x00r\\x00 \\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 24718
          },
          {
            "timestamp": "2026-05-28 22:02:47,506",
            "thread_id": "8604",
            "caller": "0x7ff6c28ca352",
            "parentcaller": "0x7ff6c28ca1d6",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 24719
          },
          {
            "timestamp": "2026-05-28 22:02:47,506",
            "thread_id": "8604",
            "caller": "0x7ff6c28ca352",
            "parentcaller": "0x7ff6c28ca1d6",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "0",
                "pretty_value": "ThreadBasicInformation"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x03\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb0\\x88\\x9d\\xf0\\x00\\x00\\x00\\xe8\\x1e\\x00\\x00\\x00\\x00\\x00\\x00\\x9c!\\x00\\x00\\x00\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x0b\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "8604"
              }
            ],
            "repeated": 0,
            "id": 24720
          },
          {
            "timestamp": "2026-05-28 22:02:47,506",
            "thread_id": "8604",
            "caller": "0x7ff6c28ca352",
            "parentcaller": "0x7ff6c28ca1d6",
            "category": "system",
            "api": "GetSystemTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 1,
            "id": 24721
          },
          {
            "timestamp": "2026-05-28 22:02:47,506",
            "thread_id": "8604",
            "caller": "0x7ff6c28ca352",
            "parentcaller": "0x7ff6c28ca1d6",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000410"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\PcwDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00224013"
              },
              {
                "name": "InputBuffer",
                "value": "\\x00\t\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": "\\xe0G\\x00\\x00\\x10\\x00\\x00\\x00\\x0c\\x00\\x00\\x00\\x00\\x00\\x00\\x00`\\x14\\x00\\x00 \\x00\\x00\\x00!\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\n\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x98\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x88\\x00\\x00\\x00\\x01\\x00\\x00\\x00p\\x00i\\x00d\\x00_\\x004\\x00_\\x00l\\x00u\\x00i\\x00d\\x00_\\x000\\x00x\\x000\\x000\\x000\\x000\\x000\\x000\\x000\\x000\\x00_\\x000\\x00x\\x000\\x000\\x000\\x000\\x006\\x001\\x006\\x00A\\x00_\\x00p\\x00h\\x00y\\x00s\\x00_\\x000\\x00_\\x00e\\x00n\\x00g\\x00_\\x000\\x00_\\x00e\\x00n\\x00g\\x00t\\x00y\\x00p\\x00e\\x00_\\x003\\x00D\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x01\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x98\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x88\\x00\\x00\\x00\\x01\\x00\\x00\\x00p\\x00i\\x00d\\x00_\\x004\\x00_\\x00l\\x00u\\x00i\\x00d\\x00_\\x000\\x00x\\x000\\x000\\x000\\x000\\x000\\x000\\x000\\x00"
              }
            ],
            "repeated": 0,
            "id": 24722
          },
          {
            "timestamp": "2026-05-28 22:02:47,506",
            "thread_id": "5448",
            "caller": "0x7ff6c28c63dd",
            "parentcaller": "0x7ff6c28bac26",
            "category": "misc",
            "api": "NtQuerySystemInformation",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SystemInformationClass",
                "value": "5",
                "pretty_value": "FILE_OVERWRITE_IF"
              }
            ],
            "repeated": 0,
            "id": 24723
          },
          {
            "timestamp": "2026-05-28 22:02:47,506",
            "thread_id": "5448",
            "caller": "0x7ff6c28bda50",
            "parentcaller": "0x7ff6c28d9f92",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "23"
              },
              {
                "name": "ThreadInformation",
                "value": "\\xf0\\x10\\xd9o\\x00\\x00\\x00\\x00\n\\xd9\\xbf\\x01j\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "5448"
              }
            ],
            "repeated": 0,
            "id": 24724
          },
          {
            "timestamp": "2026-05-28 22:02:47,506",
            "thread_id": "5448",
            "caller": "0x7ff6c28bdaa2",
            "parentcaller": "0x7ff6c28d9f92",
            "category": "misc",
            "api": "NtQuerySystemInformation",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SystemInformationClass",
                "value": "3",
                "pretty_value": "FILE_OPEN_IF"
              }
            ],
            "repeated": 0,
            "id": 24725
          },
          {
            "timestamp": "2026-05-28 22:02:47,506",
            "thread_id": "5448",
            "caller": "0x7ff6c28c4a58",
            "parentcaller": "0x7ff6c28c4bdc",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000410"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\PcwDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00224013"
              },
              {
                "name": "InputBuffer",
                "value": "\\x14\\x04\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": "\\xb8\\x01\\x00\\x00\\x10\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xa8\\x01\\x00\\x00 \\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x000\\x00\\x00\\x0c\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00`\\x00\\x00\\x00\\x00\\x00\\x00\\x00 \\x00\\x00\\x00\\x04\\x00\\x00\\x000\\x00,\\x000\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x04\\x00\\x08\\x00V!\\x83\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x05\\x00\\x08\\x00VN\\xb4\\x01\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x1a\\x00\\x08\\x00\\xfe\\xa7\\x86\\x15\\x01\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x1b\\x00\\x04\\x00Y\\xc0e\\x04\\x00\\x00\\x00\\x00`\\x00\\x00\\x00\\x01\\x00\\x00\\x00 \\x00\\x00\\x00\\x04\\x00\\x00\\x000\\x00,\\x001\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x04\\x00\\x08\\x00\\xaey^\\x01\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x05\\x00\\x08\\x00T\\xea*\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x1a\\x00\\x08\\x00Z\\xcf\\xf2\\x1a\\x01\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x1b\\x00\\x04\\x00^\\xc0e\\x04\\x00\\x00\\x00\\x00h\\x00\\x00\\x00\\x02\\x00\\x00\\x00(\\x00\\x00\\x00\\x04\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 24726
          },
          {
            "timestamp": "2026-05-28 22:02:47,506",
            "thread_id": "5448",
            "caller": "0x7ff6c28c4a58",
            "parentcaller": "0x7ff6c28c4c19",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000410"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\PcwDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00224013"
              },
              {
                "name": "InputBuffer",
                "value": "\\x18\\x04\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": "x\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00h\\x00\\x00\\x00 \\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00H\\x00\\x00\\x00\\x00\\x00\\x00\\x00(\\x00\\x00\\x00\\x02\\x00\\x00\\x00d\\x00e\\x00f\\x00a\\x00u\\x00l\\x00t\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x08\\x00\\x1b\\x14\\xe1\\xa3\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x01\\x00\\x08\\x00\\x00n\\xa2\\x0e\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 24727
          },
          {
            "timestamp": "2026-05-28 22:02:47,506",
            "thread_id": "5448",
            "caller": "0x7ff6c28c6f7b",
            "parentcaller": "0x7ff6c28bdb94",
            "category": "misc",
            "api": "GlobalMemoryStatusEx",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "MemoryLoad",
                "value": "35"
              },
              {
                "name": "TotalPhysicalMB",
                "value": "8191"
              }
            ],
            "repeated": 0,
            "id": 24728
          },
          {
            "timestamp": "2026-05-28 22:02:47,506",
            "thread_id": "5448",
            "caller": "0x7ff6c28c05ac",
            "parentcaller": "0x7ff6c28bdc11",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000ab8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001400",
                "pretty_value": "PROCESS_QUERY_INFORMATION|PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "748"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe"
              }
            ],
            "repeated": 0,
            "id": 24729
          },
          {
            "timestamp": "2026-05-28 22:02:47,506",
            "thread_id": "5448",
            "caller": "0x7ff6c28c068f",
            "parentcaller": "0x7ff6c28bdc11",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000ab8"
              }
            ],
            "repeated": 0,
            "id": 24730
          },
          {
            "timestamp": "2026-05-28 22:02:47,506",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c6d7d",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000ab8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001400",
                "pretty_value": "PROCESS_QUERY_INFORMATION|PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "748"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe"
              }
            ],
            "repeated": 0,
            "id": 24731
          },
          {
            "timestamp": "2026-05-28 22:02:47,506",
            "thread_id": "5448",
            "caller": "0x7ff6c28c6de3",
            "parentcaller": "0x7ff6c28c087c",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000ab8"
              }
            ],
            "repeated": 0,
            "id": 24732
          },
          {
            "timestamp": "2026-05-28 22:02:47,506",
            "thread_id": "2700",
            "caller": "0x7ffc77bf0e98",
            "parentcaller": "0x7ffc77c6b785",
            "category": "windows",
            "api": "PostMessageW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "WindowHandle",
                "value": "0x00010424"
              },
              {
                "name": "Message",
                "value": "0x00000400"
              }
            ],
            "repeated": 0,
            "id": 24733
          },
          {
            "timestamp": "2026-05-28 22:02:47,506",
            "thread_id": "2700",
            "caller": "0x7ff6c28d9214",
            "parentcaller": "0x00000000",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "0",
                "pretty_value": "ThreadBasicInformation"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x03\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xd0\\x86\\x9d\\xf0\\x00\\x00\\x00\\xe8\\x1e\\x00\\x00\\x00\\x00\\x00\\x00\\x8c\n\\x00\\x00\\x00\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\n\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "2700"
              }
            ],
            "repeated": 0,
            "id": 24734
          },
          {
            "timestamp": "2026-05-28 22:02:47,506",
            "thread_id": "2700",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000000",
                "pretty_value": "HKEY_CLASSES_ROOT"
              },
              {
                "name": "SubKey",
                "value": "CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_CLASSES_ROOT\\CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              }
            ],
            "repeated": 0,
            "id": 24735
          },
          {
            "timestamp": "2026-05-28 22:02:47,506",
            "thread_id": "2700",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "shell32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76730000"
              }
            ],
            "repeated": 0,
            "id": 24736
          },
          {
            "timestamp": "2026-05-28 22:02:47,506",
            "thread_id": "2700",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x7ffc76730000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "shell32.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 24737
          },
          {
            "timestamp": "2026-05-28 22:02:47,506",
            "thread_id": "2700",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "SHELL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc76730000"
              },
              {
                "name": "FunctionName",
                "value": "DllGetClassObject"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc767878f0"
              }
            ],
            "repeated": 0,
            "id": 24738
          },
          {
            "timestamp": "2026-05-28 22:02:47,506",
            "thread_id": "2700",
            "caller": "0x7ff6c28c27c9",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "synchronization",
            "api": "NtFindAtom",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "AtomName",
                "value": "{57086C23-86C6-478F-AFB2-236188C8F47F} 3"
              },
              {
                "name": "Atom",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 24739
          },
          {
            "timestamp": "2026-05-28 22:02:47,506",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6fb1",
            "parentcaller": "0x7ff6c28e0076",
            "category": "system",
            "api": "NtDelayExecution",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 24740
          },
          {
            "timestamp": "2026-05-28 22:02:47,506",
            "thread_id": "2700",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000000",
                "pretty_value": "HKEY_CLASSES_ROOT"
              },
              {
                "name": "SubKey",
                "value": "CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_CLASSES_ROOT\\CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              }
            ],
            "repeated": 0,
            "id": 24741
          },
          {
            "timestamp": "2026-05-28 22:02:47,506",
            "thread_id": "2700",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "shell32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76730000"
              }
            ],
            "repeated": 0,
            "id": 24742
          },
          {
            "timestamp": "2026-05-28 22:02:47,506",
            "thread_id": "2700",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x7ffc76730000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "shell32.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 24743
          },
          {
            "timestamp": "2026-05-28 22:02:47,506",
            "thread_id": "2700",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "SHELL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc76730000"
              },
              {
                "name": "FunctionName",
                "value": "DllGetClassObject"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc767878f0"
              }
            ],
            "repeated": 0,
            "id": 24744
          },
          {
            "timestamp": "2026-05-28 22:02:47,506",
            "thread_id": "2700",
            "caller": "0x7ff6c28c27c9",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "synchronization",
            "api": "NtFindAtom",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "AtomName",
                "value": "{57086C23-86C6-478F-AFB2-236188C8F47F} 3"
              },
              {
                "name": "Atom",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 24745
          },
          {
            "timestamp": "2026-05-28 22:02:47,506",
            "thread_id": "2700",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000000",
                "pretty_value": "HKEY_CLASSES_ROOT"
              },
              {
                "name": "SubKey",
                "value": "CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_CLASSES_ROOT\\CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              }
            ],
            "repeated": 0,
            "id": 24746
          },
          {
            "timestamp": "2026-05-28 22:02:47,506",
            "thread_id": "2700",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "shell32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76730000"
              }
            ],
            "repeated": 0,
            "id": 24747
          },
          {
            "timestamp": "2026-05-28 22:02:47,506",
            "thread_id": "2700",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x7ffc76730000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "shell32.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 24748
          },
          {
            "timestamp": "2026-05-28 22:02:47,506",
            "thread_id": "2700",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "SHELL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc76730000"
              },
              {
                "name": "FunctionName",
                "value": "DllGetClassObject"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc767878f0"
              }
            ],
            "repeated": 0,
            "id": 24749
          },
          {
            "timestamp": "2026-05-28 22:02:47,506",
            "thread_id": "2700",
            "caller": "0x7ff6c28c27c9",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "synchronization",
            "api": "NtFindAtom",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "AtomName",
                "value": "{57086C23-86C6-478F-AFB2-236188C8F47F} 3"
              },
              {
                "name": "Atom",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 24750
          },
          {
            "timestamp": "2026-05-28 22:02:47,506",
            "thread_id": "2700",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000000",
                "pretty_value": "HKEY_CLASSES_ROOT"
              },
              {
                "name": "SubKey",
                "value": "CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_CLASSES_ROOT\\CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              }
            ],
            "repeated": 0,
            "id": 24751
          },
          {
            "timestamp": "2026-05-28 22:02:47,506",
            "thread_id": "2700",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "shell32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76730000"
              }
            ],
            "repeated": 0,
            "id": 24752
          },
          {
            "timestamp": "2026-05-28 22:02:47,506",
            "thread_id": "2700",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x7ffc76730000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "shell32.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 24753
          },
          {
            "timestamp": "2026-05-28 22:02:47,506",
            "thread_id": "2700",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "SHELL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc76730000"
              },
              {
                "name": "FunctionName",
                "value": "DllGetClassObject"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc767878f0"
              }
            ],
            "repeated": 0,
            "id": 24754
          },
          {
            "timestamp": "2026-05-28 22:02:47,506",
            "thread_id": "2700",
            "caller": "0x7ff6c28c27c9",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "synchronization",
            "api": "NtFindAtom",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "AtomName",
                "value": "{57086C23-86C6-478F-AFB2-236188C8F47F} 3"
              },
              {
                "name": "Atom",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 24755
          },
          {
            "timestamp": "2026-05-28 22:02:47,506",
            "thread_id": "2700",
            "caller": "0x7ff6c28d9322",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "oleaut32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc77330000"
              }
            ],
            "repeated": 0,
            "id": 24756
          },
          {
            "timestamp": "2026-05-28 22:02:47,506",
            "thread_id": "5448",
            "caller": "0x7ff6c28bb952",
            "parentcaller": "0x7ff6c28be837",
            "category": "windows",
            "api": "PostMessageW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "WindowHandle",
                "value": "0x00010402"
              },
              {
                "name": "Message",
                "value": "0x00000464"
              }
            ],
            "repeated": 0,
            "id": 24757
          },
          {
            "timestamp": "2026-05-28 22:02:47,506",
            "thread_id": "608",
            "caller": "0x7ff6c28d9e90",
            "parentcaller": "0x7ff6c28d9a49",
            "category": "windows",
            "api": "FindWindowW",
            "status": true,
            "return": "0x00010092",
            "arguments": [
              {
                "name": "ClassName",
                "value": "Shell_TrayWnd"
              },
              {
                "name": "WindowName",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 24758
          },
          {
            "timestamp": "2026-05-28 22:02:47,506",
            "thread_id": "5448",
            "caller": "0x7ff6c28be873",
            "parentcaller": "0x7ff6c28d9f92",
            "category": "windows",
            "api": "PostMessageW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "WindowHandle",
                "value": "0x000203fa"
              },
              {
                "name": "Message",
                "value": "0x000004dd"
              }
            ],
            "repeated": 0,
            "id": 24759
          },
          {
            "timestamp": "2026-05-28 22:02:47,506",
            "thread_id": "2700",
            "caller": "0x7ffc77bf0e98",
            "parentcaller": "0x7ffc77c6b785",
            "category": "windows",
            "api": "PostMessageW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "WindowHandle",
                "value": "0x00010438"
              },
              {
                "name": "Message",
                "value": "0x00000400"
              }
            ],
            "repeated": 0,
            "id": 24760
          },
          {
            "timestamp": "2026-05-28 22:02:48,506",
            "thread_id": "2700",
            "caller": "0x7ffc77bf0e98",
            "parentcaller": "0x7ffc77c6b785",
            "category": "windows",
            "api": "PostMessageW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "WindowHandle",
                "value": "0x00010424"
              },
              {
                "name": "Message",
                "value": "0x00000400"
              }
            ],
            "repeated": 0,
            "id": 24761
          },
          {
            "timestamp": "2026-05-28 22:02:48,521",
            "thread_id": "5448",
            "caller": "0x7ff6c28bd9af",
            "parentcaller": "0x7ff6c28d9f92",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "23"
              },
              {
                "name": "ThreadInformation",
                "value": "J\\xce\\xf4o\\x00\\x00\\x00\\x00\\\\x85\\xaa\\xe0j\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "5448"
              }
            ],
            "repeated": 0,
            "id": 24762
          },
          {
            "timestamp": "2026-05-28 22:02:48,521",
            "thread_id": "8604",
            "caller": "0x7ff6c28c4a58",
            "parentcaller": "0x7ff6c28bab11",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000410"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\PcwDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00224013"
              },
              {
                "name": "InputBuffer",
                "value": "\\x88\\x08\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": "x\\x02\\x00\\x00\\x10\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00h\\x02\\x00\\x00 \\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01<\\x06\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x90\\x00\\x00\\x00\\x00\\x00\\x00\\x00 \\x00\\x00\\x00\\x07\\x00\\x00\\x000\\x00,\\x000\\x00\\x00\\x00a\\x00n\\x00a\\x00g\\x00\\x10\\x00\\x00\\x00\\x10\\x00\\x04\\x00\\x00\\x00\\x00\\x00A\\x00p\\x00\\x10\\x00\\x00\\x00\\x1a\\x00\\x08\\x00\\x81#N\\x19\\x01\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x1b\\x00\\x04\\x00\\x1amo\\x04S\\x00e\\x00\\x10\\x00\\x00\\x00\\x1c\\x00\\x08\\x00\\x8b\\xc2\\xc4\\x08\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x1d\\x00\\x04\\x00\\x1amo\\x04)\\x00\\x00\\x00\\x10\\x00\\x00\\x00!\\x00\\x08\\x00\\x05'\\xe9\\x80(\\x00\\x00\\x00\\x10\\x00\\x00\\x00\"\\x00\\x04\\x002$\\xd0\\x02o\\x00f\\x00\\x90\\x00\\x00\\x00\\x01\\x00\\x00\\x00 \\x00\\x00\\x00\\x07\\x00\\x00\\x000\\x00,\\x001\\x00\\x00\\x00n\\x00t\\x00\\x00\\x00A\\x00\\x10\\x00\\x00\\x00\\x10\\x00\\x04\\x00\\x00\\x00\\x00\\x00e\\x00n\\x00\\x10\\x00\\x00\\x00\\x1a\\x00\\x08\\x00sJ\\xba\\x1e\\x01\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 24763
          },
          {
            "timestamp": "2026-05-28 22:02:48,521",
            "thread_id": "8604",
            "caller": "0x7ff6c28c7164",
            "parentcaller": "0x7ff6c28c4d2d",
            "category": "misc",
            "api": "NtQuerySystemInformation",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "SystemInformationClass",
                "value": "79"
              }
            ],
            "repeated": 0,
            "id": 24764
          },
          {
            "timestamp": "2026-05-28 22:02:48,521",
            "thread_id": "8604",
            "caller": "0x7ff6c28c71d8",
            "parentcaller": "0x7ff6c28c4d2d",
            "category": "misc",
            "api": "NtQuerySystemInformation",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SystemInformationClass",
                "value": "79"
              }
            ],
            "repeated": 0,
            "id": 24765
          },
          {
            "timestamp": "2026-05-28 22:02:48,521",
            "thread_id": "8604",
            "caller": "0x7ff6c28c4d5f",
            "parentcaller": "0x7ff6c28d9152",
            "category": "misc",
            "api": "NtQuerySystemInformation",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SystemInformationClass",
                "value": "182"
              }
            ],
            "repeated": 0,
            "id": 24766
          },
          {
            "timestamp": "2026-05-28 22:02:48,521",
            "thread_id": "8604",
            "caller": "0x7ff6c28c4d76",
            "parentcaller": "0x7ff6c28d9152",
            "category": "misc",
            "api": "GetPhysicallyInstalledSystemMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TotalMemoryInKilobytes",
                "value": "8388608"
              }
            ],
            "repeated": 0,
            "id": 24767
          },
          {
            "timestamp": "2026-05-28 22:02:48,521",
            "thread_id": "8604",
            "caller": "0x7ff6c28bcc3e",
            "parentcaller": "0x7ff6c28baa3d",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000008a4"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\Nsi"
              },
              {
                "name": "IoControlCode",
                "value": "0x00120007"
              },
              {
                "name": "InputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb1\\xa9t\\xfc\\x7f\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xc0\\xe5O\\x9e\\xf0\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb1\\xa9t\\xfc\\x7f\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xc0\\xe5O\\x9e\\xf0\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 24768
          },
          {
            "timestamp": "2026-05-28 22:02:48,521",
            "thread_id": "8604",
            "caller": "0x7ff6c28bcc3e",
            "parentcaller": "0x7ff6c28baa3d",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000ac0"
              }
            ],
            "repeated": 0,
            "id": 24769
          },
          {
            "timestamp": "2026-05-28 22:02:48,521",
            "thread_id": "8604",
            "caller": "0x7ff6c28bcc3e",
            "parentcaller": "0x7ff6c28baa3d",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000008a4"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\Nsi"
              },
              {
                "name": "IoControlCode",
                "value": "0x0012000f"
              },
              {
                "name": "InputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb1\\xa9t\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xd0\\xe5O\\x9e\\xf0\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\xeeO\\x9e\\xf0\\x00\\x00\\x00D\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xe6O\\x9e\\xf0\\x00\\x00\\x00\\xd8\\x00\\x00\\x00\\x00\\x00\\x00\\x00 \\xe9O\\x9e\\xf0\\x00\\x00\\x00X\\x02\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb1\\xa9t\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xd0\\xe5O\\x9e\\xf0\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\xeeO\\x9e\\xf0\\x00\\x00\\x00D\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xe6O\\x9e\\xf0\\x00\\x00\\x00\\xd8\\x00\\x00\\x00\\x00\\x00\\x00\\x00 \\xe9O\\x9e\\xf0\\x00\\x00\\x00X\\x02\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 24770
          },
          {
            "timestamp": "2026-05-28 22:02:48,521",
            "thread_id": "8604",
            "caller": "0x7ff6c28bcc3e",
            "parentcaller": "0x7ff6c28baa3d",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000ac0"
              }
            ],
            "repeated": 0,
            "id": 24771
          },
          {
            "timestamp": "2026-05-28 22:02:48,521",
            "thread_id": "8604",
            "caller": "0x7ff6c28bcd3d",
            "parentcaller": "0x7ff6c28baa3d",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000ac0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0012019f",
                "pretty_value": "FILE_GENERIC_READ|FILE_GENERIC_WRITE"
              },
              {
                "name": "FileName",
                "value": "\\Device\\{4C572733-2FBA-4346-9601-F86DBA666EF2}"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 24772
          },
          {
            "timestamp": "2026-05-28 22:02:48,521",
            "thread_id": "8604",
            "caller": "0x7ff6c28bcd94",
            "parentcaller": "0x7ff6c28baa3d",
            "category": "device",
            "api": "DeviceIoControl",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "DeviceHandle",
                "value": "0x00000ac0"
              },
              {
                "name": "IoControlCode",
                "value": "0x0017003e"
              },
              {
                "name": "InBuffer",
                "value": "\\x07\\x01\\x01\\x00\\x04\\x01\\x01\\x80\\x14\\x01\\x01\\x80\\x01\\x01\\x02\\x00\\x02\\x01\\x02\\x00\\x03\\x01\\x02\\x00\\x04\\x01\\x02\\x00\\x08\\x02\\x02\\x80\\x01\\x02\\x02\\x80\\x07\\x02\\x02\\x80\\xff\\xff\\xff\\x80\\x13\\x02\\x02\\x80\\x14\\x02\\x02\\x80\\x15\\x02\\x02\\x80\\x02\\x02\\x01\\x80"
              },
              {
                "name": "OutBuffer",
                "value": "\\x07\\x01\\x01\\x00\\x04\\x00\\x00\\x00\\x80\\x96\\x98\\x00\\x04\\x01\\x01\\x80\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x14\\x01\\x01\\x80\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x01\\x02\\x00\\x08\\x00\\x00\\x00\\x9e\\x17\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x01\\x02\\x00\\x08\\x00\\x00\\x00\\xdar\\x00\\x00\\x00\\x00\\x00\\x00\\x03\\x01\\x02\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x04\\x01\\x02\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x08\\x02\\x02\\x80\\x08\\x00\\x00\\x00\\xd5r\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x02\\x02\\x80\\x08\\x00\\x00\\x00 Ca\\x00\\x00\\x00\\x00\\x00\\x07\\x02\\x02\\x80\\x08\\x00\\x00\\x00M9C\\x02\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\x80\\x04\\x00\\x00\\x00r\\x00\\x00\\x00\\x13\\x02\\x02\\x80\\x04\\x00\\x00\\x00m\\x00\\x00\\x00\\x14\\x02\\x02\\x80\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x15\\x02\\x02\\x80\\x04\\x00\\x00\\x00\\x00\\x00\\x04\\x00\\x02\\x02\\x01\\x80\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 24773
          },
          {
            "timestamp": "2026-05-28 22:02:48,521",
            "thread_id": "8604",
            "caller": "0x7ff6c28bcdab",
            "parentcaller": "0x7ff6c28baa3d",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000ac0"
              }
            ],
            "repeated": 0,
            "id": 24774
          },
          {
            "timestamp": "2026-05-28 22:02:48,521",
            "thread_id": "8604",
            "caller": "0x7ff6c28c1a63",
            "parentcaller": "0x7ff6c28d9152",
            "category": "device",
            "api": "DeviceIoControl",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "DeviceHandle",
                "value": "0x0000089c"
              },
              {
                "name": "IoControlCode",
                "value": "0x00070020"
              },
              {
                "name": "InBuffer",
                "value": ""
              },
              {
                "name": "OutBuffer",
                "value": "\\x00J\\xfbx\\x00\\x00\\x00\\x00\\x00H\\xdd\\x0c\\x00\\x00\\x00\\x00$l\\xc0 \\x00\\x00\\x00\\x00\\xbb\\x90}\\x16\\x00\\x00\\x00\\x00\\x7f\\xb7\\xe31\\x00\\x00\\x00\\x00\\x17w\\x00\\x00U\\x12\\x00\\x00\\x00\\x00\\x00\\x00\\x05\\x05\\x00\\x00\\xb8z\\x8c\\xb8\\xed\\xee\\xdc\\x01\\x00\\x00\\x00\\x00P\\x00a\\x00r\\x00t\\x00m\\x00g\\x00r\\x00 \\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 24775
          },
          {
            "timestamp": "2026-05-28 22:02:48,521",
            "thread_id": "8604",
            "caller": "0x7ff6c28ca352",
            "parentcaller": "0x7ff6c28ca1d6",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 24776
          },
          {
            "timestamp": "2026-05-28 22:02:48,521",
            "thread_id": "8604",
            "caller": "0x7ff6c28ca352",
            "parentcaller": "0x7ff6c28ca1d6",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "0",
                "pretty_value": "ThreadBasicInformation"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x03\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb0\\x88\\x9d\\xf0\\x00\\x00\\x00\\xe8\\x1e\\x00\\x00\\x00\\x00\\x00\\x00\\x9c!\\x00\\x00\\x00\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x0b\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "8604"
              }
            ],
            "repeated": 0,
            "id": 24777
          },
          {
            "timestamp": "2026-05-28 22:02:48,521",
            "thread_id": "8604",
            "caller": "0x7ff6c28ca352",
            "parentcaller": "0x7ff6c28ca1d6",
            "category": "system",
            "api": "GetSystemTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 1,
            "id": 24778
          },
          {
            "timestamp": "2026-05-28 22:02:48,521",
            "thread_id": "8604",
            "caller": "0x7ff6c28ca352",
            "parentcaller": "0x7ff6c28ca1d6",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000410"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\PcwDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00224013"
              },
              {
                "name": "InputBuffer",
                "value": "\\x00\t\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": "\\xe0G\\x00\\x00\\x10\\x00\\x00\\x00\\x0c\\x00\\x00\\x00\\x00\\x00\\x00\\x00`\\x14\\x00\\x00 \\x00\\x00\\x00!\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\n\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x98\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x88\\x00\\x00\\x00\\x01\\x00\\x00\\x00p\\x00i\\x00d\\x00_\\x004\\x00_\\x00l\\x00u\\x00i\\x00d\\x00_\\x000\\x00x\\x000\\x000\\x000\\x000\\x000\\x000\\x000\\x000\\x00_\\x000\\x00x\\x000\\x000\\x000\\x000\\x006\\x001\\x006\\x00A\\x00_\\x00p\\x00h\\x00y\\x00s\\x00_\\x000\\x00_\\x00e\\x00n\\x00g\\x00_\\x000\\x00_\\x00e\\x00n\\x00g\\x00t\\x00y\\x00p\\x00e\\x00_\\x003\\x00D\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x01\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x98\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x88\\x00\\x00\\x00\\x01\\x00\\x00\\x00p\\x00i\\x00d\\x00_\\x004\\x00_\\x00l\\x00u\\x00i\\x00d\\x00_\\x000\\x00x\\x000\\x000\\x000\\x000\\x000\\x000\\x000\\x00"
              }
            ],
            "repeated": 0,
            "id": 24779
          },
          {
            "timestamp": "2026-05-28 22:02:48,521",
            "thread_id": "5448",
            "caller": "0x7ff6c28c63dd",
            "parentcaller": "0x7ff6c28bac26",
            "category": "misc",
            "api": "NtQuerySystemInformation",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SystemInformationClass",
                "value": "5",
                "pretty_value": "FILE_OVERWRITE_IF"
              }
            ],
            "repeated": 0,
            "id": 24780
          },
          {
            "timestamp": "2026-05-28 22:02:48,521",
            "thread_id": "5448",
            "caller": "0x7ff6c28bda50",
            "parentcaller": "0x7ff6c28d9f92",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "23"
              },
              {
                "name": "ThreadInformation",
                "value": "p\\x113p\\x00\\x00\\x00\\x00\\x0e\\xdf\\xe8\\xe0j\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "5448"
              }
            ],
            "repeated": 0,
            "id": 24781
          },
          {
            "timestamp": "2026-05-28 22:02:48,521",
            "thread_id": "5448",
            "caller": "0x7ff6c28bdaa2",
            "parentcaller": "0x7ff6c28d9f92",
            "category": "misc",
            "api": "NtQuerySystemInformation",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SystemInformationClass",
                "value": "3",
                "pretty_value": "FILE_OPEN_IF"
              }
            ],
            "repeated": 0,
            "id": 24782
          },
          {
            "timestamp": "2026-05-28 22:02:48,521",
            "thread_id": "5448",
            "caller": "0x7ff6c28c4a58",
            "parentcaller": "0x7ff6c28c4bdc",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000410"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\PcwDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00224013"
              },
              {
                "name": "InputBuffer",
                "value": "\\x14\\x04\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": "\\xb8\\x01\\x00\\x00\\x10\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xa8\\x01\\x00\\x00 \\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x000\\x00\\x00\\x0c\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00`\\x00\\x00\\x00\\x00\\x00\\x00\\x00 \\x00\\x00\\x00\\x04\\x00\\x00\\x000\\x00,\\x000\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x04\\x00\\x08\\x00V!\\x83\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x05\\x00\\x08\\x00VN\\xb4\\x01\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x1a\\x00\\x08\\x00\r>O\\x19\\x01\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x1b\\x00\\x04\\x00\\xedoo\\x04\\x00\\x00\\x00\\x00`\\x00\\x00\\x00\\x01\\x00\\x00\\x00 \\x00\\x00\\x00\\x04\\x00\\x00\\x000\\x00,\\x001\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x04\\x00\\x08\\x00\\xaey^\\x01\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x05\\x00\\x08\\x00T\\xea*\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x1a\\x00\\x08\\x00Ve\\xbb\\x1e\\x01\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x1b\\x00\\x04\\x00\\xf2oo\\x04\\x00\\x00\\x00\\x00h\\x00\\x00\\x00\\x02\\x00\\x00\\x00(\\x00\\x00\\x00\\x04\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 24783
          },
          {
            "timestamp": "2026-05-28 22:02:48,521",
            "thread_id": "5448",
            "caller": "0x7ff6c28c4a58",
            "parentcaller": "0x7ff6c28c4c19",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000410"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\PcwDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00224013"
              },
              {
                "name": "InputBuffer",
                "value": "\\x18\\x04\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": "x\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00h\\x00\\x00\\x00 \\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00H\\x00\\x00\\x00\\x00\\x00\\x00\\x00(\\x00\\x00\\x00\\x02\\x00\\x00\\x00d\\x00e\\x00f\\x00a\\x00u\\x00l\\x00t\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x08\\x00\\x1b\\x14\\xe1\\xa3\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x01\\x00\\x08\\x00\\x00H\\xbb\\x0e\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 24784
          },
          {
            "timestamp": "2026-05-28 22:02:48,521",
            "thread_id": "5448",
            "caller": "0x7ff6c28c6f7b",
            "parentcaller": "0x7ff6c28bdb94",
            "category": "misc",
            "api": "GlobalMemoryStatusEx",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "MemoryLoad",
                "value": "35"
              },
              {
                "name": "TotalPhysicalMB",
                "value": "8191"
              }
            ],
            "repeated": 0,
            "id": 24785
          },
          {
            "timestamp": "2026-05-28 22:02:48,521",
            "thread_id": "5448",
            "caller": "0x7ff6c28c05ac",
            "parentcaller": "0x7ff6c28bdc11",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000ac0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001400",
                "pretty_value": "PROCESS_QUERY_INFORMATION|PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "748"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe"
              }
            ],
            "repeated": 0,
            "id": 24786
          },
          {
            "timestamp": "2026-05-28 22:02:48,521",
            "thread_id": "5448",
            "caller": "0x7ff6c28c068f",
            "parentcaller": "0x7ff6c28bdc11",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000ac0"
              }
            ],
            "repeated": 0,
            "id": 24787
          },
          {
            "timestamp": "2026-05-28 22:02:48,521",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c6d7d",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000ac0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001400",
                "pretty_value": "PROCESS_QUERY_INFORMATION|PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "748"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe"
              }
            ],
            "repeated": 0,
            "id": 24788
          },
          {
            "timestamp": "2026-05-28 22:02:48,521",
            "thread_id": "5448",
            "caller": "0x7ff6c28c6de3",
            "parentcaller": "0x7ff6c28c087c",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000ac0"
              }
            ],
            "repeated": 0,
            "id": 24789
          },
          {
            "timestamp": "2026-05-28 22:02:48,521",
            "thread_id": "2700",
            "caller": "0x7ff6c28d9214",
            "parentcaller": "0x00000000",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "0",
                "pretty_value": "ThreadBasicInformation"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x03\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xd0\\x86\\x9d\\xf0\\x00\\x00\\x00\\xe8\\x1e\\x00\\x00\\x00\\x00\\x00\\x00\\x8c\n\\x00\\x00\\x00\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\n\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "2700"
              }
            ],
            "repeated": 0,
            "id": 24790
          },
          {
            "timestamp": "2026-05-28 22:02:48,521",
            "thread_id": "2700",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000000",
                "pretty_value": "HKEY_CLASSES_ROOT"
              },
              {
                "name": "SubKey",
                "value": "CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_CLASSES_ROOT\\CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              }
            ],
            "repeated": 0,
            "id": 24791
          },
          {
            "timestamp": "2026-05-28 22:02:48,521",
            "thread_id": "2700",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "shell32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76730000"
              }
            ],
            "repeated": 0,
            "id": 24792
          },
          {
            "timestamp": "2026-05-28 22:02:48,521",
            "thread_id": "2700",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x7ffc76730000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "shell32.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 24793
          },
          {
            "timestamp": "2026-05-28 22:02:48,521",
            "thread_id": "2700",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "SHELL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc76730000"
              },
              {
                "name": "FunctionName",
                "value": "DllGetClassObject"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc767878f0"
              }
            ],
            "repeated": 0,
            "id": 24794
          },
          {
            "timestamp": "2026-05-28 22:02:48,521",
            "thread_id": "2700",
            "caller": "0x7ff6c28c27c9",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "synchronization",
            "api": "NtFindAtom",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "AtomName",
                "value": "{57086C23-86C6-478F-AFB2-236188C8F47F} 3"
              },
              {
                "name": "Atom",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 24795
          },
          {
            "timestamp": "2026-05-28 22:02:48,521",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6fb1",
            "parentcaller": "0x7ff6c28e0076",
            "category": "system",
            "api": "NtDelayExecution",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 24796
          },
          {
            "timestamp": "2026-05-28 22:02:48,521",
            "thread_id": "2700",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000000",
                "pretty_value": "HKEY_CLASSES_ROOT"
              },
              {
                "name": "SubKey",
                "value": "CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_CLASSES_ROOT\\CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              }
            ],
            "repeated": 0,
            "id": 24797
          },
          {
            "timestamp": "2026-05-28 22:02:48,521",
            "thread_id": "2700",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "shell32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76730000"
              }
            ],
            "repeated": 0,
            "id": 24798
          },
          {
            "timestamp": "2026-05-28 22:02:48,521",
            "thread_id": "2700",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x7ffc76730000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "shell32.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 24799
          },
          {
            "timestamp": "2026-05-28 22:02:48,521",
            "thread_id": "2700",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "SHELL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc76730000"
              },
              {
                "name": "FunctionName",
                "value": "DllGetClassObject"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc767878f0"
              }
            ],
            "repeated": 0,
            "id": 24800
          },
          {
            "timestamp": "2026-05-28 22:02:48,521",
            "thread_id": "2700",
            "caller": "0x7ff6c28c27c9",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "synchronization",
            "api": "NtFindAtom",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "AtomName",
                "value": "{57086C23-86C6-478F-AFB2-236188C8F47F} 3"
              },
              {
                "name": "Atom",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 24801
          },
          {
            "timestamp": "2026-05-28 22:02:48,521",
            "thread_id": "2700",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000000",
                "pretty_value": "HKEY_CLASSES_ROOT"
              },
              {
                "name": "SubKey",
                "value": "CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_CLASSES_ROOT\\CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              }
            ],
            "repeated": 0,
            "id": 24802
          },
          {
            "timestamp": "2026-05-28 22:02:48,521",
            "thread_id": "2700",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "shell32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76730000"
              }
            ],
            "repeated": 0,
            "id": 24803
          },
          {
            "timestamp": "2026-05-28 22:02:48,521",
            "thread_id": "2700",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x7ffc76730000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "shell32.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 24804
          },
          {
            "timestamp": "2026-05-28 22:02:48,521",
            "thread_id": "2700",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "SHELL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc76730000"
              },
              {
                "name": "FunctionName",
                "value": "DllGetClassObject"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc767878f0"
              }
            ],
            "repeated": 0,
            "id": 24805
          },
          {
            "timestamp": "2026-05-28 22:02:48,521",
            "thread_id": "2700",
            "caller": "0x7ff6c28c27c9",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "synchronization",
            "api": "NtFindAtom",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "AtomName",
                "value": "{57086C23-86C6-478F-AFB2-236188C8F47F} 3"
              },
              {
                "name": "Atom",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 24806
          },
          {
            "timestamp": "2026-05-28 22:02:48,521",
            "thread_id": "2700",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000000",
                "pretty_value": "HKEY_CLASSES_ROOT"
              },
              {
                "name": "SubKey",
                "value": "CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_CLASSES_ROOT\\CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              }
            ],
            "repeated": 0,
            "id": 24807
          },
          {
            "timestamp": "2026-05-28 22:02:48,521",
            "thread_id": "2700",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "shell32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76730000"
              }
            ],
            "repeated": 0,
            "id": 24808
          },
          {
            "timestamp": "2026-05-28 22:02:48,521",
            "thread_id": "2700",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x7ffc76730000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "shell32.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 24809
          },
          {
            "timestamp": "2026-05-28 22:02:48,521",
            "thread_id": "2700",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "SHELL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc76730000"
              },
              {
                "name": "FunctionName",
                "value": "DllGetClassObject"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc767878f0"
              }
            ],
            "repeated": 0,
            "id": 24810
          },
          {
            "timestamp": "2026-05-28 22:02:48,521",
            "thread_id": "2700",
            "caller": "0x7ff6c28c27c9",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "synchronization",
            "api": "NtFindAtom",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "AtomName",
                "value": "{57086C23-86C6-478F-AFB2-236188C8F47F} 3"
              },
              {
                "name": "Atom",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 24811
          },
          {
            "timestamp": "2026-05-28 22:02:48,521",
            "thread_id": "2700",
            "caller": "0x7ff6c28d9322",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "oleaut32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc77330000"
              }
            ],
            "repeated": 0,
            "id": 24812
          },
          {
            "timestamp": "2026-05-28 22:02:48,521",
            "thread_id": "5448",
            "caller": "0x7ff6c28bb952",
            "parentcaller": "0x7ff6c28be837",
            "category": "windows",
            "api": "PostMessageW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "WindowHandle",
                "value": "0x00010402"
              },
              {
                "name": "Message",
                "value": "0x00000464"
              }
            ],
            "repeated": 0,
            "id": 24813
          },
          {
            "timestamp": "2026-05-28 22:02:48,521",
            "thread_id": "5448",
            "caller": "0x7ff6c28be873",
            "parentcaller": "0x7ff6c28d9f92",
            "category": "windows",
            "api": "PostMessageW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "WindowHandle",
                "value": "0x000203fa"
              },
              {
                "name": "Message",
                "value": "0x000004dd"
              }
            ],
            "repeated": 0,
            "id": 24814
          },
          {
            "timestamp": "2026-05-28 22:02:48,521",
            "thread_id": "608",
            "caller": "0x7ff6c28d9e90",
            "parentcaller": "0x7ff6c28d9a49",
            "category": "windows",
            "api": "FindWindowW",
            "status": true,
            "return": "0x00010092",
            "arguments": [
              {
                "name": "ClassName",
                "value": "Shell_TrayWnd"
              },
              {
                "name": "WindowName",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 24815
          },
          {
            "timestamp": "2026-05-28 22:02:48,521",
            "thread_id": "2700",
            "caller": "0x7ffc77bf0e98",
            "parentcaller": "0x7ffc77c6b785",
            "category": "windows",
            "api": "PostMessageW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "WindowHandle",
                "value": "0x00010438"
              },
              {
                "name": "Message",
                "value": "0x00000400"
              }
            ],
            "repeated": 0,
            "id": 24816
          },
          {
            "timestamp": "2026-05-28 22:02:49,506",
            "thread_id": "2700",
            "caller": "0x7ffc77bf0e98",
            "parentcaller": "0x7ffc77c6b785",
            "category": "windows",
            "api": "PostMessageW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "WindowHandle",
                "value": "0x00010424"
              },
              {
                "name": "Message",
                "value": "0x00000400"
              }
            ],
            "repeated": 0,
            "id": 24817
          },
          {
            "timestamp": "2026-05-28 22:02:49,521",
            "thread_id": "5448",
            "caller": "0x7ff6c28bd9af",
            "parentcaller": "0x7ff6c28d9f92",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "23"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x10\\x13Np\\x00\\x00\\x00\\x00\\xd4:m\\xbck\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "5448"
              }
            ],
            "repeated": 0,
            "id": 24818
          },
          {
            "timestamp": "2026-05-28 22:02:49,521",
            "thread_id": "8604",
            "caller": "0x7ff6c28c4a58",
            "parentcaller": "0x7ff6c28bab11",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000410"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\PcwDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00224013"
              },
              {
                "name": "InputBuffer",
                "value": "\\x88\\x08\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": "x\\x02\\x00\\x00\\x10\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00h\\x02\\x00\\x00 \\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01<\\x06\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x90\\x00\\x00\\x00\\x00\\x00\\x00\\x00 \\x00\\x00\\x00\\x07\\x00\\x00\\x000\\x00,\\x000\\x00\\x00\\x00a\\x00n\\x00a\\x00g\\x00\\x10\\x00\\x00\\x00\\x10\\x00\\x04\\x00\\x00\\x00\\x00\\x00A\\x00p\\x00\\x10\\x00\\x00\\x00\\x1a\\x00\\x08\\x00P\\xf4\\x07\\x1d\\x01\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x1b\\x00\\x04\\x00\\xdf\\xf6x\\x04S\\x00e\\x00\\x10\\x00\\x00\\x00\\x1c\\x00\\x08\\x00\\x8b\\xc2\\xc4\\x08\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x1d\\x00\\x04\\x00\\xdf\\xf6x\\x04)\\x00\\x00\\x00\\x10\\x00\\x00\\x00!\\x00\\x08\\x00\\x1d\\xcc>\n)\\x00\\x00\\x00\\x10\\x00\\x00\\x00\"\\x00\\x04\\x00\\xf6\\xad\\xd9\\x02o\\x00f\\x00\\x90\\x00\\x00\\x00\\x01\\x00\\x00\\x00 \\x00\\x00\\x00\\x07\\x00\\x00\\x000\\x00,\\x001\\x00\\x00\\x00n\\x00t\\x00\\x00\\x00A\\x00\\x10\\x00\\x00\\x00\\x10\\x00\\x04\\x00\\x00\\x00\\x00\\x00e\\x00n\\x00\\x10\\x00\\x00\\x00\\x1a\\x00\\x08\\x00m\\x1bt\"\\x01\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 24819
          },
          {
            "timestamp": "2026-05-28 22:02:49,521",
            "thread_id": "8604",
            "caller": "0x7ff6c28c7164",
            "parentcaller": "0x7ff6c28c4d2d",
            "category": "misc",
            "api": "NtQuerySystemInformation",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "SystemInformationClass",
                "value": "79"
              }
            ],
            "repeated": 0,
            "id": 24820
          },
          {
            "timestamp": "2026-05-28 22:02:49,521",
            "thread_id": "8604",
            "caller": "0x7ff6c28c71d8",
            "parentcaller": "0x7ff6c28c4d2d",
            "category": "misc",
            "api": "NtQuerySystemInformation",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SystemInformationClass",
                "value": "79"
              }
            ],
            "repeated": 0,
            "id": 24821
          },
          {
            "timestamp": "2026-05-28 22:02:49,521",
            "thread_id": "8604",
            "caller": "0x7ff6c28c4d5f",
            "parentcaller": "0x7ff6c28d9152",
            "category": "misc",
            "api": "NtQuerySystemInformation",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SystemInformationClass",
                "value": "182"
              }
            ],
            "repeated": 0,
            "id": 24822
          },
          {
            "timestamp": "2026-05-28 22:02:49,521",
            "thread_id": "8604",
            "caller": "0x7ff6c28c4d76",
            "parentcaller": "0x7ff6c28d9152",
            "category": "misc",
            "api": "GetPhysicallyInstalledSystemMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TotalMemoryInKilobytes",
                "value": "8388608"
              }
            ],
            "repeated": 0,
            "id": 24823
          },
          {
            "timestamp": "2026-05-28 22:02:49,521",
            "thread_id": "8604",
            "caller": "0x7ff6c28bcc3e",
            "parentcaller": "0x7ff6c28baa3d",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000008a4"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\Nsi"
              },
              {
                "name": "IoControlCode",
                "value": "0x00120007"
              },
              {
                "name": "InputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb1\\xa9t\\xfc\\x7f\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xc0\\xe5O\\x9e\\xf0\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb1\\xa9t\\xfc\\x7f\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xc0\\xe5O\\x9e\\xf0\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 24824
          },
          {
            "timestamp": "2026-05-28 22:02:49,521",
            "thread_id": "8604",
            "caller": "0x7ff6c28bcc3e",
            "parentcaller": "0x7ff6c28baa3d",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000ac0"
              }
            ],
            "repeated": 0,
            "id": 24825
          },
          {
            "timestamp": "2026-05-28 22:02:49,521",
            "thread_id": "8604",
            "caller": "0x7ff6c28bcc3e",
            "parentcaller": "0x7ff6c28baa3d",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000008a4"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\Nsi"
              },
              {
                "name": "IoControlCode",
                "value": "0x0012000f"
              },
              {
                "name": "InputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb1\\xa9t\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xd0\\xe5O\\x9e\\xf0\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\xeeO\\x9e\\xf0\\x00\\x00\\x00D\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xe6O\\x9e\\xf0\\x00\\x00\\x00\\xd8\\x00\\x00\\x00\\x00\\x00\\x00\\x00 \\xe9O\\x9e\\xf0\\x00\\x00\\x00X\\x02\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb1\\xa9t\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xd0\\xe5O\\x9e\\xf0\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\xeeO\\x9e\\xf0\\x00\\x00\\x00D\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xe6O\\x9e\\xf0\\x00\\x00\\x00\\xd8\\x00\\x00\\x00\\x00\\x00\\x00\\x00 \\xe9O\\x9e\\xf0\\x00\\x00\\x00X\\x02\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 24826
          },
          {
            "timestamp": "2026-05-28 22:02:49,521",
            "thread_id": "8604",
            "caller": "0x7ff6c28bcc3e",
            "parentcaller": "0x7ff6c28baa3d",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000ac0"
              }
            ],
            "repeated": 0,
            "id": 24827
          },
          {
            "timestamp": "2026-05-28 22:02:49,521",
            "thread_id": "8604",
            "caller": "0x7ff6c28bcd3d",
            "parentcaller": "0x7ff6c28baa3d",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000ac0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0012019f",
                "pretty_value": "FILE_GENERIC_READ|FILE_GENERIC_WRITE"
              },
              {
                "name": "FileName",
                "value": "\\Device\\{4C572733-2FBA-4346-9601-F86DBA666EF2}"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 24828
          },
          {
            "timestamp": "2026-05-28 22:02:49,521",
            "thread_id": "8604",
            "caller": "0x7ff6c28bcd94",
            "parentcaller": "0x7ff6c28baa3d",
            "category": "device",
            "api": "DeviceIoControl",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "DeviceHandle",
                "value": "0x00000ac0"
              },
              {
                "name": "IoControlCode",
                "value": "0x0017003e"
              },
              {
                "name": "InBuffer",
                "value": "\\x07\\x01\\x01\\x00\\x04\\x01\\x01\\x80\\x14\\x01\\x01\\x80\\x01\\x01\\x02\\x00\\x02\\x01\\x02\\x00\\x03\\x01\\x02\\x00\\x04\\x01\\x02\\x00\\x08\\x02\\x02\\x80\\x01\\x02\\x02\\x80\\x07\\x02\\x02\\x80\\xff\\xff\\xff\\x80\\x13\\x02\\x02\\x80\\x14\\x02\\x02\\x80\\x15\\x02\\x02\\x80\\x02\\x02\\x01\\x80"
              },
              {
                "name": "OutBuffer",
                "value": "\\x07\\x01\\x01\\x00\\x04\\x00\\x00\\x00\\x80\\x96\\x98\\x00\\x04\\x01\\x01\\x80\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x14\\x01\\x01\\x80\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x01\\x02\\x00\\x08\\x00\\x00\\x00\\xa5\\x17\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x01\\x02\\x00\\x08\\x00\\x00\\x00\\xe2r\\x00\\x00\\x00\\x00\\x00\\x00\\x03\\x01\\x02\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x04\\x01\\x02\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x08\\x02\\x02\\x80\\x08\\x00\\x00\\x00\\xddr\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x02\\x02\\x80\\x08\\x00\\x00\\x00\\xb4ja\\x00\\x00\\x00\\x00\\x00\\x07\\x02\\x02\\x80\\x08\\x00\\x00\\x00\\xd6;C\\x02\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\x80\\x04\\x00\\x00\\x00s\\x00\\x00\\x00\\x13\\x02\\x02\\x80\\x04\\x00\\x00\\x00m\\x00\\x00\\x00\\x14\\x02\\x02\\x80\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x15\\x02\\x02\\x80\\x04\\x00\\x00\\x00\\x00\\x00\\x04\\x00\\x02\\x02\\x01\\x80\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 24829
          },
          {
            "timestamp": "2026-05-28 22:02:49,521",
            "thread_id": "8604",
            "caller": "0x7ff6c28bcdab",
            "parentcaller": "0x7ff6c28baa3d",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000ac0"
              }
            ],
            "repeated": 0,
            "id": 24830
          },
          {
            "timestamp": "2026-05-28 22:02:49,521",
            "thread_id": "8604",
            "caller": "0x7ff6c28c1a63",
            "parentcaller": "0x7ff6c28d9152",
            "category": "device",
            "api": "DeviceIoControl",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "DeviceHandle",
                "value": "0x0000089c"
              },
              {
                "name": "IoControlCode",
                "value": "0x00070020"
              },
              {
                "name": "InBuffer",
                "value": ""
              },
              {
                "name": "OutBuffer",
                "value": "\\x00\\xa2\\xfcx\\x00\\x00\\x00\\x00\\x00H\\xdd\\x0c\\x00\\x00\\x00\\x00\\xfc\\xeb\\xc0 \\x00\\x00\\x00\\x00\\xbb\\x90}\\x16\\x00\\x00\\x00\\x00\\x9e\\xd7{2\\x00\\x00\\x00\\x00\\x1dw\\x00\\x00U\\x12\\x00\\x00\\x00\\x00\\x00\\x00\\x05\\x05\\x00\\x00#\\x17%\\xb9\\xed\\xee\\xdc\\x01\\x00\\x00\\x00\\x00P\\x00a\\x00r\\x00t\\x00m\\x00g\\x00r\\x00 \\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 24831
          },
          {
            "timestamp": "2026-05-28 22:02:49,521",
            "thread_id": "8604",
            "caller": "0x7ff6c28ca352",
            "parentcaller": "0x7ff6c28ca1d6",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 24832
          },
          {
            "timestamp": "2026-05-28 22:02:49,521",
            "thread_id": "8604",
            "caller": "0x7ff6c28ca352",
            "parentcaller": "0x7ff6c28ca1d6",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "0",
                "pretty_value": "ThreadBasicInformation"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x03\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb0\\x88\\x9d\\xf0\\x00\\x00\\x00\\xe8\\x1e\\x00\\x00\\x00\\x00\\x00\\x00\\x9c!\\x00\\x00\\x00\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x0b\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "8604"
              }
            ],
            "repeated": 0,
            "id": 24833
          },
          {
            "timestamp": "2026-05-28 22:02:49,521",
            "thread_id": "8604",
            "caller": "0x7ff6c28ca352",
            "parentcaller": "0x7ff6c28ca1d6",
            "category": "system",
            "api": "GetSystemTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 1,
            "id": 24834
          },
          {
            "timestamp": "2026-05-28 22:02:49,521",
            "thread_id": "8604",
            "caller": "0x7ff6c28ca352",
            "parentcaller": "0x7ff6c28ca1d6",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000410"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\PcwDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00224013"
              },
              {
                "name": "InputBuffer",
                "value": "\\x00\t\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": "\\xe0G\\x00\\x00\\x10\\x00\\x00\\x00\\x0c\\x00\\x00\\x00\\x00\\x00\\x00\\x00`\\x14\\x00\\x00 \\x00\\x00\\x00!\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\n\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x98\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x88\\x00\\x00\\x00\\x01\\x00\\x00\\x00p\\x00i\\x00d\\x00_\\x004\\x00_\\x00l\\x00u\\x00i\\x00d\\x00_\\x000\\x00x\\x000\\x000\\x000\\x000\\x000\\x000\\x000\\x000\\x00_\\x000\\x00x\\x000\\x000\\x000\\x000\\x006\\x001\\x006\\x00A\\x00_\\x00p\\x00h\\x00y\\x00s\\x00_\\x000\\x00_\\x00e\\x00n\\x00g\\x00_\\x000\\x00_\\x00e\\x00n\\x00g\\x00t\\x00y\\x00p\\x00e\\x00_\\x003\\x00D\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x01\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x98\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x88\\x00\\x00\\x00\\x01\\x00\\x00\\x00p\\x00i\\x00d\\x00_\\x004\\x00_\\x00l\\x00u\\x00i\\x00d\\x00_\\x000\\x00x\\x000\\x000\\x000\\x000\\x000\\x000\\x000\\x00"
              }
            ],
            "repeated": 0,
            "id": 24835
          },
          {
            "timestamp": "2026-05-28 22:02:49,521",
            "thread_id": "5448",
            "caller": "0x7ff6c28c63dd",
            "parentcaller": "0x7ff6c28bac26",
            "category": "misc",
            "api": "NtQuerySystemInformation",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SystemInformationClass",
                "value": "5",
                "pretty_value": "SystemProcessInformation"
              }
            ],
            "repeated": 0,
            "id": 24836
          },
          {
            "timestamp": "2026-05-28 22:02:49,521",
            "thread_id": "5448",
            "caller": "0x7ff6c28bda50",
            "parentcaller": "0x7ff6c28d9f92",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "23"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x9e\\xc5\\x88p\\x00\\x00\\x00\\x00\\xa8u\\xa8\\xbck\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "5448"
              }
            ],
            "repeated": 0,
            "id": 24837
          },
          {
            "timestamp": "2026-05-28 22:02:49,521",
            "thread_id": "5448",
            "caller": "0x7ff6c28bdaa2",
            "parentcaller": "0x7ff6c28d9f92",
            "category": "misc",
            "api": "NtQuerySystemInformation",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SystemInformationClass",
                "value": "3",
                "pretty_value": "SystemTimeOfDayInformation"
              }
            ],
            "repeated": 0,
            "id": 24838
          },
          {
            "timestamp": "2026-05-28 22:02:49,521",
            "thread_id": "5448",
            "caller": "0x7ff6c28c4a58",
            "parentcaller": "0x7ff6c28c4bdc",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000410"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\PcwDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00224013"
              },
              {
                "name": "InputBuffer",
                "value": "\\x14\\x04\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": "\\xb8\\x01\\x00\\x00\\x10\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xa8\\x01\\x00\\x00 \\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x000\\x00\\x00\\x0c\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00`\\x00\\x00\\x00\\x00\\x00\\x00\\x00 \\x00\\x00\\x00\\x04\\x00\\x00\\x000\\x00,\\x000\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x04\\x00\\x08\\x00V!\\x83\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x05\\x00\\x08\\x00VN\\xb4\\x01\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x1a\\x00\\x08\\x00\\xd8\\x01\t\\x1d\\x01\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x1b\\x00\\x04\\x00\\x91\\xf9x\\x04\\x00\\x00\\x00\\x00`\\x00\\x00\\x00\\x01\\x00\\x00\\x00 \\x00\\x00\\x00\\x04\\x00\\x00\\x000\\x00,\\x001\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x04\\x00\\x08\\x00\\xaey^\\x01\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x05\\x00\\x08\\x00T\\xea*\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x1a\\x00\\x08\\x00\\xd0(u\"\\x01\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x1b\\x00\\x04\\x00\\x95\\xf9x\\x04\\x00\\x00\\x00\\x00h\\x00\\x00\\x00\\x02\\x00\\x00\\x00(\\x00\\x00\\x00\\x04\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 24839
          },
          {
            "timestamp": "2026-05-28 22:02:49,521",
            "thread_id": "5448",
            "caller": "0x7ff6c28c4a58",
            "parentcaller": "0x7ff6c28c4c19",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000410"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\PcwDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00224013"
              },
              {
                "name": "InputBuffer",
                "value": "\\x18\\x04\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": "x\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00h\\x00\\x00\\x00 \\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00H\\x00\\x00\\x00\\x00\\x00\\x00\\x00(\\x00\\x00\\x00\\x02\\x00\\x00\\x00d\\x00e\\x00f\\x00a\\x00u\\x00l\\x00t\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x08\\x00\\x1bl\\xe2\\xa3\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x01\\x00\\x08\\x00\\x00H\\xbb\\x0e\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 24840
          },
          {
            "timestamp": "2026-05-28 22:02:49,521",
            "thread_id": "5448",
            "caller": "0x7ff6c28c6f7b",
            "parentcaller": "0x7ff6c28bdb94",
            "category": "misc",
            "api": "GlobalMemoryStatusEx",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "MemoryLoad",
                "value": "32"
              },
              {
                "name": "TotalPhysicalMB",
                "value": "8191"
              }
            ],
            "repeated": 0,
            "id": 24841
          },
          {
            "timestamp": "2026-05-28 22:02:49,521",
            "thread_id": "5448",
            "caller": "0x7ff6c28c05ac",
            "parentcaller": "0x7ff6c28bdc11",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000ab8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001400",
                "pretty_value": "PROCESS_QUERY_INFORMATION|PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "748"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe"
              }
            ],
            "repeated": 0,
            "id": 24842
          },
          {
            "timestamp": "2026-05-28 22:02:49,521",
            "thread_id": "5448",
            "caller": "0x7ff6c28c068f",
            "parentcaller": "0x7ff6c28bdc11",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000ab8"
              }
            ],
            "repeated": 0,
            "id": 24843
          },
          {
            "timestamp": "2026-05-28 22:02:49,521",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c6d7d",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000ab8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001400",
                "pretty_value": "PROCESS_QUERY_INFORMATION|PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "748"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe"
              }
            ],
            "repeated": 0,
            "id": 24844
          },
          {
            "timestamp": "2026-05-28 22:02:49,521",
            "thread_id": "5448",
            "caller": "0x7ff6c28c6de3",
            "parentcaller": "0x7ff6c28c087c",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000ab8"
              }
            ],
            "repeated": 0,
            "id": 24845
          },
          {
            "timestamp": "2026-05-28 22:02:49,521",
            "thread_id": "2700",
            "caller": "0x7ff6c28d9214",
            "parentcaller": "0x00000000",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "0",
                "pretty_value": "ThreadBasicInformation"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x03\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xd0\\x86\\x9d\\xf0\\x00\\x00\\x00\\xe8\\x1e\\x00\\x00\\x00\\x00\\x00\\x00\\x8c\n\\x00\\x00\\x00\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\n\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "2700"
              }
            ],
            "repeated": 0,
            "id": 24846
          },
          {
            "timestamp": "2026-05-28 22:02:49,521",
            "thread_id": "2700",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000000",
                "pretty_value": "HKEY_CLASSES_ROOT"
              },
              {
                "name": "SubKey",
                "value": "CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_CLASSES_ROOT\\CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              }
            ],
            "repeated": 0,
            "id": 24847
          },
          {
            "timestamp": "2026-05-28 22:02:49,521",
            "thread_id": "2700",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "shell32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76730000"
              }
            ],
            "repeated": 0,
            "id": 24848
          },
          {
            "timestamp": "2026-05-28 22:02:49,521",
            "thread_id": "2700",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x7ffc76730000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "shell32.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 24849
          },
          {
            "timestamp": "2026-05-28 22:02:49,521",
            "thread_id": "2700",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "SHELL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc76730000"
              },
              {
                "name": "FunctionName",
                "value": "DllGetClassObject"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc767878f0"
              }
            ],
            "repeated": 0,
            "id": 24850
          },
          {
            "timestamp": "2026-05-28 22:02:49,521",
            "thread_id": "2700",
            "caller": "0x7ff6c28c27c9",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "synchronization",
            "api": "NtFindAtom",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "AtomName",
                "value": "{57086C23-86C6-478F-AFB2-236188C8F47F} 3"
              },
              {
                "name": "Atom",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 24851
          },
          {
            "timestamp": "2026-05-28 22:02:49,521",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6fb1",
            "parentcaller": "0x7ff6c28e0076",
            "category": "system",
            "api": "NtDelayExecution",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 24852
          },
          {
            "timestamp": "2026-05-28 22:02:49,521",
            "thread_id": "2700",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000000",
                "pretty_value": "HKEY_CLASSES_ROOT"
              },
              {
                "name": "SubKey",
                "value": "CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_CLASSES_ROOT\\CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              }
            ],
            "repeated": 0,
            "id": 24853
          },
          {
            "timestamp": "2026-05-28 22:02:49,521",
            "thread_id": "2700",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "shell32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76730000"
              }
            ],
            "repeated": 0,
            "id": 24854
          },
          {
            "timestamp": "2026-05-28 22:02:49,521",
            "thread_id": "2700",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x7ffc76730000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "shell32.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 24855
          },
          {
            "timestamp": "2026-05-28 22:02:49,521",
            "thread_id": "2700",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "SHELL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc76730000"
              },
              {
                "name": "FunctionName",
                "value": "DllGetClassObject"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc767878f0"
              }
            ],
            "repeated": 0,
            "id": 24856
          },
          {
            "timestamp": "2026-05-28 22:02:49,521",
            "thread_id": "2700",
            "caller": "0x7ff6c28c27c9",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "synchronization",
            "api": "NtFindAtom",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "AtomName",
                "value": "{57086C23-86C6-478F-AFB2-236188C8F47F} 3"
              },
              {
                "name": "Atom",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 24857
          },
          {
            "timestamp": "2026-05-28 22:02:49,521",
            "thread_id": "2700",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000000",
                "pretty_value": "HKEY_CLASSES_ROOT"
              },
              {
                "name": "SubKey",
                "value": "CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_CLASSES_ROOT\\CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              }
            ],
            "repeated": 0,
            "id": 24858
          },
          {
            "timestamp": "2026-05-28 22:02:49,521",
            "thread_id": "2700",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "shell32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76730000"
              }
            ],
            "repeated": 0,
            "id": 24859
          },
          {
            "timestamp": "2026-05-28 22:02:49,521",
            "thread_id": "2700",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x7ffc76730000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "shell32.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 24860
          },
          {
            "timestamp": "2026-05-28 22:02:49,521",
            "thread_id": "2700",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "SHELL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc76730000"
              },
              {
                "name": "FunctionName",
                "value": "DllGetClassObject"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc767878f0"
              }
            ],
            "repeated": 0,
            "id": 24861
          },
          {
            "timestamp": "2026-05-28 22:02:49,521",
            "thread_id": "2700",
            "caller": "0x7ff6c28c27c9",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "synchronization",
            "api": "NtFindAtom",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "AtomName",
                "value": "{57086C23-86C6-478F-AFB2-236188C8F47F} 3"
              },
              {
                "name": "Atom",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 24862
          },
          {
            "timestamp": "2026-05-28 22:02:49,521",
            "thread_id": "2700",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000000",
                "pretty_value": "HKEY_CLASSES_ROOT"
              },
              {
                "name": "SubKey",
                "value": "CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_CLASSES_ROOT\\CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              }
            ],
            "repeated": 0,
            "id": 24863
          },
          {
            "timestamp": "2026-05-28 22:02:49,521",
            "thread_id": "2700",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "shell32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76730000"
              }
            ],
            "repeated": 0,
            "id": 24864
          },
          {
            "timestamp": "2026-05-28 22:02:49,521",
            "thread_id": "2700",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x7ffc76730000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "shell32.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 24865
          },
          {
            "timestamp": "2026-05-28 22:02:49,521",
            "thread_id": "2700",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "SHELL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc76730000"
              },
              {
                "name": "FunctionName",
                "value": "DllGetClassObject"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc767878f0"
              }
            ],
            "repeated": 0,
            "id": 24866
          },
          {
            "timestamp": "2026-05-28 22:02:49,521",
            "thread_id": "2700",
            "caller": "0x7ff6c28c27c9",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "synchronization",
            "api": "NtFindAtom",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "AtomName",
                "value": "{57086C23-86C6-478F-AFB2-236188C8F47F} 3"
              },
              {
                "name": "Atom",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 24867
          },
          {
            "timestamp": "2026-05-28 22:02:49,521",
            "thread_id": "2700",
            "caller": "0x7ff6c28d9322",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "oleaut32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc77330000"
              }
            ],
            "repeated": 0,
            "id": 24868
          },
          {
            "timestamp": "2026-05-28 22:02:49,521",
            "thread_id": "5448",
            "caller": "0x7ff6c28bb952",
            "parentcaller": "0x7ff6c28be837",
            "category": "windows",
            "api": "PostMessageW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "WindowHandle",
                "value": "0x00010402"
              },
              {
                "name": "Message",
                "value": "0x00000464"
              }
            ],
            "repeated": 0,
            "id": 24869
          },
          {
            "timestamp": "2026-05-28 22:02:49,521",
            "thread_id": "5448",
            "caller": "0x7ff6c28be873",
            "parentcaller": "0x7ff6c28d9f92",
            "category": "windows",
            "api": "PostMessageW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "WindowHandle",
                "value": "0x000203fa"
              },
              {
                "name": "Message",
                "value": "0x000004dd"
              }
            ],
            "repeated": 0,
            "id": 24870
          },
          {
            "timestamp": "2026-05-28 22:02:49,521",
            "thread_id": "608",
            "caller": "0x7ff6c28d9e90",
            "parentcaller": "0x7ff6c28d9a49",
            "category": "windows",
            "api": "FindWindowW",
            "status": true,
            "return": "0x00010092",
            "arguments": [
              {
                "name": "ClassName",
                "value": "Shell_TrayWnd"
              },
              {
                "name": "WindowName",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 24871
          },
          {
            "timestamp": "2026-05-28 22:02:49,521",
            "thread_id": "2700",
            "caller": "0x7ffc77bf0e98",
            "parentcaller": "0x7ffc77c6b785",
            "category": "windows",
            "api": "PostMessageW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "WindowHandle",
                "value": "0x00010438"
              },
              {
                "name": "Message",
                "value": "0x00000400"
              }
            ],
            "repeated": 0,
            "id": 24872
          },
          {
            "timestamp": "2026-05-28 22:02:50,490",
            "thread_id": "2700",
            "caller": "0x7ffc77bf0e98",
            "parentcaller": "0x7ffc77c6b785",
            "category": "windows",
            "api": "PostMessageW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "WindowHandle",
                "value": "0x00010424"
              },
              {
                "name": "Message",
                "value": "0x00000400"
              }
            ],
            "repeated": 0,
            "id": 24873
          },
          {
            "timestamp": "2026-05-28 22:02:50,521",
            "thread_id": "5448",
            "caller": "0x7ff6c28bd9af",
            "parentcaller": "0x7ff6c28d9f92",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "23"
              },
              {
                "name": "ThreadInformation",
                "value": "\\xe0\\xfb\\xabp\\x00\\x00\\x00\\x00\\xb2\\x89-\\x98l\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "5448"
              }
            ],
            "repeated": 0,
            "id": 24874
          },
          {
            "timestamp": "2026-05-28 22:02:50,521",
            "thread_id": "8604",
            "caller": "0x7ff6c28c4a58",
            "parentcaller": "0x7ff6c28bab11",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000410"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\PcwDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00224013"
              },
              {
                "name": "InputBuffer",
                "value": "\\x88\\x08\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": "x\\x02\\x00\\x00\\x10\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00h\\x02\\x00\\x00 \\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01<\\x06\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x90\\x00\\x00\\x00\\x00\\x00\\x00\\x00 \\x00\\x00\\x00\\x07\\x00\\x00\\x000\\x00,\\x000\\x00\\x00\\x00a\\x00n\\x00a\\x00g\\x00\\x10\\x00\\x00\\x00\\x10\\x00\\x04\\x00\\x00\\x00\\x00\\x00A\\x00p\\x00\\x10\\x00\\x00\\x00\\x1a\\x00\\x08\\x00s\\xbb\\xc1 \\x01\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x1b\\x00\\x04\\x00\\x8b\\x80\\x82\\x04S\\x00e\\x00\\x10\\x00\\x00\\x00\\x1c\\x00\\x08\\x00\\x8b\\xc2\\xc4\\x08\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x1d\\x00\\x04\\x00\\x8b\\x80\\x82\\x04)\\x00\\x00\\x00\\x10\\x00\\x00\\x00!\\x00\\x08\\x00\\xd8\\x0c\\x93\\x93)\\x00\\x00\\x00\\x10\\x00\\x00\\x00\"\\x00\\x04\\x00\\xa27\\xe3\\x02o\\x00f\\x00\\x90\\x00\\x00\\x00\\x01\\x00\\x00\\x00 \\x00\\x00\\x00\\x07\\x00\\x00\\x000\\x00,\\x001\\x00\\x00\\x00n\\x00t\\x00\\x00\\x00A\\x00\\x10\\x00\\x00\\x00\\x10\\x00\\x04\\x00\\x00\\x00\\x00\\x00e\\x00n\\x00\\x10\\x00\\x00\\x00\\x1a\\x00\\x08\\x00k\\xe2-&\\x01\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 24875
          },
          {
            "timestamp": "2026-05-28 22:02:50,521",
            "thread_id": "8604",
            "caller": "0x7ff6c28c7164",
            "parentcaller": "0x7ff6c28c4d2d",
            "category": "misc",
            "api": "NtQuerySystemInformation",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "SystemInformationClass",
                "value": "79"
              }
            ],
            "repeated": 0,
            "id": 24876
          },
          {
            "timestamp": "2026-05-28 22:02:50,521",
            "thread_id": "8604",
            "caller": "0x7ff6c28c71d8",
            "parentcaller": "0x7ff6c28c4d2d",
            "category": "misc",
            "api": "NtQuerySystemInformation",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SystemInformationClass",
                "value": "79"
              }
            ],
            "repeated": 0,
            "id": 24877
          },
          {
            "timestamp": "2026-05-28 22:02:50,521",
            "thread_id": "8604",
            "caller": "0x7ff6c28c4d5f",
            "parentcaller": "0x7ff6c28d9152",
            "category": "misc",
            "api": "NtQuerySystemInformation",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SystemInformationClass",
                "value": "182"
              }
            ],
            "repeated": 0,
            "id": 24878
          },
          {
            "timestamp": "2026-05-28 22:02:50,521",
            "thread_id": "8604",
            "caller": "0x7ff6c28c4d76",
            "parentcaller": "0x7ff6c28d9152",
            "category": "misc",
            "api": "GetPhysicallyInstalledSystemMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TotalMemoryInKilobytes",
                "value": "8388608"
              }
            ],
            "repeated": 0,
            "id": 24879
          },
          {
            "timestamp": "2026-05-28 22:02:50,521",
            "thread_id": "8604",
            "caller": "0x7ff6c28bcc3e",
            "parentcaller": "0x7ff6c28baa3d",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000008a4"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\Nsi"
              },
              {
                "name": "IoControlCode",
                "value": "0x00120007"
              },
              {
                "name": "InputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb1\\xa9t\\xfc\\x7f\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xc0\\xe5O\\x9e\\xf0\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb1\\xa9t\\xfc\\x7f\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xc0\\xe5O\\x9e\\xf0\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 24880
          },
          {
            "timestamp": "2026-05-28 22:02:50,521",
            "thread_id": "8604",
            "caller": "0x7ff6c28bcc3e",
            "parentcaller": "0x7ff6c28baa3d",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000ac8"
              }
            ],
            "repeated": 0,
            "id": 24881
          },
          {
            "timestamp": "2026-05-28 22:02:50,521",
            "thread_id": "8604",
            "caller": "0x7ff6c28bcc3e",
            "parentcaller": "0x7ff6c28baa3d",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000008a4"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\Nsi"
              },
              {
                "name": "IoControlCode",
                "value": "0x0012000f"
              },
              {
                "name": "InputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb1\\xa9t\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xd0\\xe5O\\x9e\\xf0\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\xeeO\\x9e\\xf0\\x00\\x00\\x00D\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xe6O\\x9e\\xf0\\x00\\x00\\x00\\xd8\\x00\\x00\\x00\\x00\\x00\\x00\\x00 \\xe9O\\x9e\\xf0\\x00\\x00\\x00X\\x02\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb1\\xa9t\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xd0\\xe5O\\x9e\\xf0\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\xeeO\\x9e\\xf0\\x00\\x00\\x00D\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xe6O\\x9e\\xf0\\x00\\x00\\x00\\xd8\\x00\\x00\\x00\\x00\\x00\\x00\\x00 \\xe9O\\x9e\\xf0\\x00\\x00\\x00X\\x02\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 24882
          },
          {
            "timestamp": "2026-05-28 22:02:50,521",
            "thread_id": "8604",
            "caller": "0x7ff6c28bcc3e",
            "parentcaller": "0x7ff6c28baa3d",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000ac8"
              }
            ],
            "repeated": 0,
            "id": 24883
          },
          {
            "timestamp": "2026-05-28 22:02:50,521",
            "thread_id": "8604",
            "caller": "0x7ff6c28bcd3d",
            "parentcaller": "0x7ff6c28baa3d",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000ac8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0012019f",
                "pretty_value": "FILE_GENERIC_READ|FILE_GENERIC_WRITE"
              },
              {
                "name": "FileName",
                "value": "\\Device\\{4C572733-2FBA-4346-9601-F86DBA666EF2}"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 24884
          },
          {
            "timestamp": "2026-05-28 22:02:50,521",
            "thread_id": "8604",
            "caller": "0x7ff6c28bcd94",
            "parentcaller": "0x7ff6c28baa3d",
            "category": "device",
            "api": "DeviceIoControl",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "DeviceHandle",
                "value": "0x00000ac8"
              },
              {
                "name": "IoControlCode",
                "value": "0x0017003e"
              },
              {
                "name": "InBuffer",
                "value": "\\x07\\x01\\x01\\x00\\x04\\x01\\x01\\x80\\x14\\x01\\x01\\x80\\x01\\x01\\x02\\x00\\x02\\x01\\x02\\x00\\x03\\x01\\x02\\x00\\x04\\x01\\x02\\x00\\x08\\x02\\x02\\x80\\x01\\x02\\x02\\x80\\x07\\x02\\x02\\x80\\xff\\xff\\xff\\x80\\x13\\x02\\x02\\x80\\x14\\x02\\x02\\x80\\x15\\x02\\x02\\x80\\x02\\x02\\x01\\x80"
              },
              {
                "name": "OutBuffer",
                "value": "\\x07\\x01\\x01\\x00\\x04\\x00\\x00\\x00\\x80\\x96\\x98\\x00\\x04\\x01\\x01\\x80\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x14\\x01\\x01\\x80\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x01\\x02\\x00\\x08\\x00\\x00\\x00\\xac\\x17\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x01\\x02\\x00\\x08\\x00\\x00\\x00\\xe8r\\x00\\x00\\x00\\x00\\x00\\x00\\x03\\x01\\x02\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x04\\x01\\x02\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x08\\x02\\x02\\x80\\x08\\x00\\x00\\x00\\xe3r\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x02\\x02\\x80\\x08\\x00\\x00\\x00\\xb4ma\\x00\\x00\\x00\\x00\\x00\\x07\\x02\\x02\\x80\\x08\\x00\\x00\\x00\\xe1=C\\x02\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\x80\\x04\\x00\\x00\\x00t\\x00\\x00\\x00\\x13\\x02\\x02\\x80\\x04\\x00\\x00\\x00m\\x00\\x00\\x00\\x14\\x02\\x02\\x80\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x15\\x02\\x02\\x80\\x04\\x00\\x00\\x00\\x00\\x00\\x04\\x00\\x02\\x02\\x01\\x80\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 24885
          },
          {
            "timestamp": "2026-05-28 22:02:50,521",
            "thread_id": "8604",
            "caller": "0x7ff6c28bcdab",
            "parentcaller": "0x7ff6c28baa3d",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000ac8"
              }
            ],
            "repeated": 0,
            "id": 24886
          },
          {
            "timestamp": "2026-05-28 22:02:50,521",
            "thread_id": "8604",
            "caller": "0x7ff6c28c1a63",
            "parentcaller": "0x7ff6c28d9152",
            "category": "device",
            "api": "DeviceIoControl",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "DeviceHandle",
                "value": "0x0000089c"
              },
              {
                "name": "IoControlCode",
                "value": "0x00070020"
              },
              {
                "name": "InBuffer",
                "value": ""
              },
              {
                "name": "OutBuffer",
                "value": "\\x00\\xa2\\xfcx\\x00\\x00\\x00\\x00\\x00\\xf8\\xe0\\x0c\\x00\\x00\\x00\\x00\\xfc\\xeb\\xc0 \\x00\\x00\\x00\\x00\\xc7\\x99\\x80\\x16\\x00\\x00\\x00\\x00\\xe0\\x9b\\x103\\x00\\x00\\x00\\x00\\x1dw\\x00\\x00_\\x12\\x00\\x00\\x00\\x00\\x00\\x00\\x05\\x05\\x00\\x00r\\xb4\\xbd\\xb9\\xed\\xee\\xdc\\x01\\x00\\x00\\x00\\x00P\\x00a\\x00r\\x00t\\x00m\\x00g\\x00r\\x00 \\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 24887
          },
          {
            "timestamp": "2026-05-28 22:02:50,521",
            "thread_id": "8604",
            "caller": "0x7ff6c28ca352",
            "parentcaller": "0x7ff6c28ca1d6",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 24888
          },
          {
            "timestamp": "2026-05-28 22:02:50,521",
            "thread_id": "8604",
            "caller": "0x7ff6c28ca352",
            "parentcaller": "0x7ff6c28ca1d6",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "0",
                "pretty_value": "ThreadBasicInformation"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x03\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb0\\x88\\x9d\\xf0\\x00\\x00\\x00\\xe8\\x1e\\x00\\x00\\x00\\x00\\x00\\x00\\x9c!\\x00\\x00\\x00\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x0b\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "8604"
              }
            ],
            "repeated": 0,
            "id": 24889
          },
          {
            "timestamp": "2026-05-28 22:02:50,521",
            "thread_id": "8604",
            "caller": "0x7ff6c28ca352",
            "parentcaller": "0x7ff6c28ca1d6",
            "category": "system",
            "api": "GetSystemTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 1,
            "id": 24890
          },
          {
            "timestamp": "2026-05-28 22:02:50,521",
            "thread_id": "8604",
            "caller": "0x7ff6c28ca352",
            "parentcaller": "0x7ff6c28ca1d6",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000410"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\PcwDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00224013"
              },
              {
                "name": "InputBuffer",
                "value": "\\x00\t\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": "\\xe0G\\x00\\x00\\x10\\x00\\x00\\x00\\x0c\\x00\\x00\\x00\\x00\\x00\\x00\\x00`\\x14\\x00\\x00 \\x00\\x00\\x00!\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\n\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x98\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x88\\x00\\x00\\x00\\x01\\x00\\x00\\x00p\\x00i\\x00d\\x00_\\x004\\x00_\\x00l\\x00u\\x00i\\x00d\\x00_\\x000\\x00x\\x000\\x000\\x000\\x000\\x000\\x000\\x000\\x000\\x00_\\x000\\x00x\\x000\\x000\\x000\\x000\\x006\\x001\\x006\\x00A\\x00_\\x00p\\x00h\\x00y\\x00s\\x00_\\x000\\x00_\\x00e\\x00n\\x00g\\x00_\\x000\\x00_\\x00e\\x00n\\x00g\\x00t\\x00y\\x00p\\x00e\\x00_\\x003\\x00D\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x01\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x98\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x88\\x00\\x00\\x00\\x01\\x00\\x00\\x00p\\x00i\\x00d\\x00_\\x004\\x00_\\x00l\\x00u\\x00i\\x00d\\x00_\\x000\\x00x\\x000\\x000\\x000\\x000\\x000\\x000\\x000\\x00"
              }
            ],
            "repeated": 0,
            "id": 24891
          },
          {
            "timestamp": "2026-05-28 22:02:50,521",
            "thread_id": "5448",
            "caller": "0x7ff6c28c63dd",
            "parentcaller": "0x7ff6c28bac26",
            "category": "misc",
            "api": "NtQuerySystemInformation",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SystemInformationClass",
                "value": "5",
                "pretty_value": "FILE_OVERWRITE_IF"
              }
            ],
            "repeated": 0,
            "id": 24892
          },
          {
            "timestamp": "2026-05-28 22:02:50,521",
            "thread_id": "5448",
            "caller": "0x7ff6c28bda50",
            "parentcaller": "0x7ff6c28d9f92",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "23"
              },
              {
                "name": "ThreadInformation",
                "value": "p\\x9a\\xe9p\\x00\\x00\\x00\\x00\\xdc@k\\x98l\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "5448"
              }
            ],
            "repeated": 0,
            "id": 24893
          },
          {
            "timestamp": "2026-05-28 22:02:50,521",
            "thread_id": "5448",
            "caller": "0x7ff6c28bdaa2",
            "parentcaller": "0x7ff6c28d9f92",
            "category": "misc",
            "api": "NtQuerySystemInformation",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SystemInformationClass",
                "value": "3",
                "pretty_value": "FILE_OPEN_IF"
              }
            ],
            "repeated": 0,
            "id": 24894
          },
          {
            "timestamp": "2026-05-28 22:02:50,521",
            "thread_id": "5448",
            "caller": "0x7ff6c28c4a58",
            "parentcaller": "0x7ff6c28c4bdc",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000410"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\PcwDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00224013"
              },
              {
                "name": "InputBuffer",
                "value": "\\x14\\x04\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": "\\xb8\\x01\\x00\\x00\\x10\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xa8\\x01\\x00\\x00 \\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x000\\x00\\x00\\x0c\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00`\\x00\\x00\\x00\\x00\\x00\\x00\\x00 \\x00\\x00\\x00\\x04\\x00\\x00\\x000\\x00,\\x000\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x04\\x00\\x08\\x00V!\\x83\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x05\\x00\\x08\\x00VN\\xb4\\x01\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x1a\\x00\\x08\\x00%\\xdb\\xc2 \\x01\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x1b\\x00\\x04\\x00k\\x83\\x82\\x04\\x00\\x00\\x00\\x00`\\x00\\x00\\x00\\x01\\x00\\x00\\x00 \\x00\\x00\\x00\\x04\\x00\\x00\\x000\\x00,\\x001\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x04\\x00\\x08\\x00\\xaey^\\x01\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x05\\x00\\x08\\x00T\\xea*\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x1a\\x00\\x08\\x00\\x04\\x02/&\\x01\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x1b\\x00\\x04\\x00o\\x83\\x82\\x04\\x00\\x00\\x00\\x00h\\x00\\x00\\x00\\x02\\x00\\x00\\x00(\\x00\\x00\\x00\\x04\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 24895
          },
          {
            "timestamp": "2026-05-28 22:02:50,521",
            "thread_id": "5448",
            "caller": "0x7ff6c28c4a58",
            "parentcaller": "0x7ff6c28c4c19",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000410"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\PcwDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00224013"
              },
              {
                "name": "InputBuffer",
                "value": "\\x18\\x04\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": "x\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00h\\x00\\x00\\x00 \\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00H\\x00\\x00\\x00\\x00\\x00\\x00\\x00(\\x00\\x00\\x00\\x02\\x00\\x00\\x00d\\x00e\\x00f\\x00a\\x00u\\x00l\\x00t\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x08\\x00\\x1bl\\xe2\\xa3\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x01\\x00\\x08\\x00\\x00\\xf8\\xbe\\x0e\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 24896
          },
          {
            "timestamp": "2026-05-28 22:02:50,521",
            "thread_id": "5448",
            "caller": "0x7ff6c28c6f7b",
            "parentcaller": "0x7ff6c28bdb94",
            "category": "misc",
            "api": "GlobalMemoryStatusEx",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "MemoryLoad",
                "value": "32"
              },
              {
                "name": "TotalPhysicalMB",
                "value": "8191"
              }
            ],
            "repeated": 0,
            "id": 24897
          },
          {
            "timestamp": "2026-05-28 22:02:50,521",
            "thread_id": "5448",
            "caller": "0x7ff6c28c05ac",
            "parentcaller": "0x7ff6c28bdc11",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000ac8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001400",
                "pretty_value": "PROCESS_QUERY_INFORMATION|PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "748"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe"
              }
            ],
            "repeated": 0,
            "id": 24898
          },
          {
            "timestamp": "2026-05-28 22:02:50,521",
            "thread_id": "5448",
            "caller": "0x7ff6c28c068f",
            "parentcaller": "0x7ff6c28bdc11",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000ac8"
              }
            ],
            "repeated": 0,
            "id": 24899
          },
          {
            "timestamp": "2026-05-28 22:02:50,521",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c6d7d",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000ac8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001400",
                "pretty_value": "PROCESS_QUERY_INFORMATION|PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "748"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe"
              }
            ],
            "repeated": 0,
            "id": 24900
          },
          {
            "timestamp": "2026-05-28 22:02:50,521",
            "thread_id": "5448",
            "caller": "0x7ff6c28c6de3",
            "parentcaller": "0x7ff6c28c087c",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000ac8"
              }
            ],
            "repeated": 0,
            "id": 24901
          },
          {
            "timestamp": "2026-05-28 22:02:50,521",
            "thread_id": "2700",
            "caller": "0x7ff6c28d9214",
            "parentcaller": "0x00000000",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "0",
                "pretty_value": "ThreadBasicInformation"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x03\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xd0\\x86\\x9d\\xf0\\x00\\x00\\x00\\xe8\\x1e\\x00\\x00\\x00\\x00\\x00\\x00\\x8c\n\\x00\\x00\\x00\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\n\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "2700"
              }
            ],
            "repeated": 0,
            "id": 24902
          },
          {
            "timestamp": "2026-05-28 22:02:50,521",
            "thread_id": "2700",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000000",
                "pretty_value": "HKEY_CLASSES_ROOT"
              },
              {
                "name": "SubKey",
                "value": "CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_CLASSES_ROOT\\CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              }
            ],
            "repeated": 0,
            "id": 24903
          },
          {
            "timestamp": "2026-05-28 22:02:50,521",
            "thread_id": "2700",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "shell32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76730000"
              }
            ],
            "repeated": 0,
            "id": 24904
          },
          {
            "timestamp": "2026-05-28 22:02:50,521",
            "thread_id": "2700",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x7ffc76730000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "shell32.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 24905
          },
          {
            "timestamp": "2026-05-28 22:02:50,521",
            "thread_id": "2700",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "SHELL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc76730000"
              },
              {
                "name": "FunctionName",
                "value": "DllGetClassObject"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc767878f0"
              }
            ],
            "repeated": 0,
            "id": 24906
          },
          {
            "timestamp": "2026-05-28 22:02:50,521",
            "thread_id": "2700",
            "caller": "0x7ff6c28c27c9",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "synchronization",
            "api": "NtFindAtom",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "AtomName",
                "value": "{57086C23-86C6-478F-AFB2-236188C8F47F} 3"
              },
              {
                "name": "Atom",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 24907
          },
          {
            "timestamp": "2026-05-28 22:02:50,521",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6fb1",
            "parentcaller": "0x7ff6c28e0076",
            "category": "system",
            "api": "NtDelayExecution",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 24908
          },
          {
            "timestamp": "2026-05-28 22:02:50,521",
            "thread_id": "2700",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000000",
                "pretty_value": "HKEY_CLASSES_ROOT"
              },
              {
                "name": "SubKey",
                "value": "CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_CLASSES_ROOT\\CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              }
            ],
            "repeated": 0,
            "id": 24909
          },
          {
            "timestamp": "2026-05-28 22:02:50,521",
            "thread_id": "2700",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "shell32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76730000"
              }
            ],
            "repeated": 0,
            "id": 24910
          },
          {
            "timestamp": "2026-05-28 22:02:50,521",
            "thread_id": "2700",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x7ffc76730000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "shell32.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 24911
          },
          {
            "timestamp": "2026-05-28 22:02:50,521",
            "thread_id": "2700",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "SHELL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc76730000"
              },
              {
                "name": "FunctionName",
                "value": "DllGetClassObject"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc767878f0"
              }
            ],
            "repeated": 0,
            "id": 24912
          },
          {
            "timestamp": "2026-05-28 22:02:50,521",
            "thread_id": "2700",
            "caller": "0x7ff6c28c27c9",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "synchronization",
            "api": "NtFindAtom",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "AtomName",
                "value": "{57086C23-86C6-478F-AFB2-236188C8F47F} 3"
              },
              {
                "name": "Atom",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 24913
          },
          {
            "timestamp": "2026-05-28 22:02:50,521",
            "thread_id": "2700",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000000",
                "pretty_value": "HKEY_CLASSES_ROOT"
              },
              {
                "name": "SubKey",
                "value": "CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_CLASSES_ROOT\\CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              }
            ],
            "repeated": 0,
            "id": 24914
          },
          {
            "timestamp": "2026-05-28 22:02:50,521",
            "thread_id": "2700",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "shell32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76730000"
              }
            ],
            "repeated": 0,
            "id": 24915
          },
          {
            "timestamp": "2026-05-28 22:02:50,521",
            "thread_id": "2700",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x7ffc76730000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "shell32.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 24916
          },
          {
            "timestamp": "2026-05-28 22:02:50,521",
            "thread_id": "2700",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "SHELL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc76730000"
              },
              {
                "name": "FunctionName",
                "value": "DllGetClassObject"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc767878f0"
              }
            ],
            "repeated": 0,
            "id": 24917
          },
          {
            "timestamp": "2026-05-28 22:02:50,521",
            "thread_id": "2700",
            "caller": "0x7ff6c28c27c9",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "synchronization",
            "api": "NtFindAtom",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "AtomName",
                "value": "{57086C23-86C6-478F-AFB2-236188C8F47F} 3"
              },
              {
                "name": "Atom",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 24918
          },
          {
            "timestamp": "2026-05-28 22:02:50,521",
            "thread_id": "2700",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000000",
                "pretty_value": "HKEY_CLASSES_ROOT"
              },
              {
                "name": "SubKey",
                "value": "CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_CLASSES_ROOT\\CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              }
            ],
            "repeated": 0,
            "id": 24919
          },
          {
            "timestamp": "2026-05-28 22:02:50,521",
            "thread_id": "2700",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "shell32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76730000"
              }
            ],
            "repeated": 0,
            "id": 24920
          },
          {
            "timestamp": "2026-05-28 22:02:50,521",
            "thread_id": "2700",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x7ffc76730000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "shell32.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 24921
          },
          {
            "timestamp": "2026-05-28 22:02:50,521",
            "thread_id": "2700",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "SHELL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc76730000"
              },
              {
                "name": "FunctionName",
                "value": "DllGetClassObject"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc767878f0"
              }
            ],
            "repeated": 0,
            "id": 24922
          },
          {
            "timestamp": "2026-05-28 22:02:50,521",
            "thread_id": "2700",
            "caller": "0x7ff6c28c27c9",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "synchronization",
            "api": "NtFindAtom",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "AtomName",
                "value": "{57086C23-86C6-478F-AFB2-236188C8F47F} 3"
              },
              {
                "name": "Atom",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 24923
          },
          {
            "timestamp": "2026-05-28 22:02:50,521",
            "thread_id": "2700",
            "caller": "0x7ff6c28d9322",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "oleaut32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc77330000"
              }
            ],
            "repeated": 0,
            "id": 24924
          },
          {
            "timestamp": "2026-05-28 22:02:50,521",
            "thread_id": "5448",
            "caller": "0x7ff6c28bb952",
            "parentcaller": "0x7ff6c28be837",
            "category": "windows",
            "api": "PostMessageW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "WindowHandle",
                "value": "0x00010402"
              },
              {
                "name": "Message",
                "value": "0x00000464"
              }
            ],
            "repeated": 0,
            "id": 24925
          },
          {
            "timestamp": "2026-05-28 22:02:50,521",
            "thread_id": "5448",
            "caller": "0x7ff6c28be873",
            "parentcaller": "0x7ff6c28d9f92",
            "category": "windows",
            "api": "PostMessageW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "WindowHandle",
                "value": "0x000203fa"
              },
              {
                "name": "Message",
                "value": "0x000004dd"
              }
            ],
            "repeated": 0,
            "id": 24926
          },
          {
            "timestamp": "2026-05-28 22:02:50,521",
            "thread_id": "608",
            "caller": "0x7ff6c28d9e90",
            "parentcaller": "0x7ff6c28d9a49",
            "category": "windows",
            "api": "FindWindowW",
            "status": true,
            "return": "0x00010092",
            "arguments": [
              {
                "name": "ClassName",
                "value": "Shell_TrayWnd"
              },
              {
                "name": "WindowName",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 24927
          },
          {
            "timestamp": "2026-05-28 22:02:50,521",
            "thread_id": "2700",
            "caller": "0x7ffc77bf0e98",
            "parentcaller": "0x7ffc77c6b785",
            "category": "windows",
            "api": "PostMessageW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "WindowHandle",
                "value": "0x00010438"
              },
              {
                "name": "Message",
                "value": "0x00000400"
              }
            ],
            "repeated": 1,
            "id": 24928
          },
          {
            "timestamp": "2026-05-28 22:02:51,490",
            "thread_id": "2700",
            "caller": "0x7ffc77bf0e98",
            "parentcaller": "0x7ffc77c6b785",
            "category": "windows",
            "api": "PostMessageW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "WindowHandle",
                "value": "0x00010424"
              },
              {
                "name": "Message",
                "value": "0x00000400"
              }
            ],
            "repeated": 0,
            "id": 24929
          },
          {
            "timestamp": "2026-05-28 22:02:51,521",
            "thread_id": "5448",
            "caller": "0x7ff6c28bd9af",
            "parentcaller": "0x7ff6c28d9f92",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "23"
              },
              {
                "name": "ThreadInformation",
                "value": "\\xee#\\x0fq\\x00\\x00\\x00\\x00\\xee\\xeb\\xe2sm\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "5448"
              }
            ],
            "repeated": 0,
            "id": 24930
          },
          {
            "timestamp": "2026-05-28 22:02:51,521",
            "thread_id": "8604",
            "caller": "0x7ff6c28c4a58",
            "parentcaller": "0x7ff6c28bab11",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000410"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\PcwDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00224013"
              },
              {
                "name": "InputBuffer",
                "value": "\\x88\\x08\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": "x\\x02\\x00\\x00\\x10\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00h\\x02\\x00\\x00 \\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01<\\x06\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x90\\x00\\x00\\x00\\x00\\x00\\x00\\x00 \\x00\\x00\\x00\\x07\\x00\\x00\\x000\\x00,\\x000\\x00\\x00\\x00a\\x00n\\x00a\\x00g\\x00\\x10\\x00\\x00\\x00\\x10\\x00\\x04\\x00\\x00\\x00\\x00\\x00A\\x00p\\x00\\x10\\x00\\x00\\x00\\x1a\\x00\\x08\\x00\\xd0S{$\\x01\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x1b\\x00\\x04\\x00\\xbf\t\\x8c\\x04S\\x00e\\x00\\x10\\x00\\x00\\x00\\x1c\\x00\\x08\\x00\\x8b\\xc2\\xc4\\x08\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x1d\\x00\\x04\\x00\\xbf\t\\x8c\\x04)\\x00\\x00\\x00\\x10\\x00\\x00\\x00!\\x00\\x08\\x00]\\x91\\xe0\\x1c*\\x00\\x00\\x00\\x10\\x00\\x00\\x00\"\\x00\\x04\\x00\\xd6\\xc0\\xec\\x02o\\x00f\\x00\\x90\\x00\\x00\\x00\\x01\\x00\\x00\\x00 \\x00\\x00\\x00\\x07\\x00\\x00\\x000\\x00,\\x001\\x00\\x00\\x00n\\x00t\\x00\\x00\\x00A\\x00\\x10\\x00\\x00\\x00\\x10\\x00\\x04\\x00\\x00\\x00\\x00\\x00e\\x00n\\x00\\x10\\x00\\x00\\x00\\x1a\\x00\\x08\\x00\\xe1z\\xe7)\\x01\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 24931
          },
          {
            "timestamp": "2026-05-28 22:02:51,521",
            "thread_id": "8604",
            "caller": "0x7ff6c28c7164",
            "parentcaller": "0x7ff6c28c4d2d",
            "category": "misc",
            "api": "NtQuerySystemInformation",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "SystemInformationClass",
                "value": "79"
              }
            ],
            "repeated": 0,
            "id": 24932
          },
          {
            "timestamp": "2026-05-28 22:02:51,521",
            "thread_id": "8604",
            "caller": "0x7ff6c28c71d8",
            "parentcaller": "0x7ff6c28c4d2d",
            "category": "misc",
            "api": "NtQuerySystemInformation",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SystemInformationClass",
                "value": "79"
              }
            ],
            "repeated": 0,
            "id": 24933
          },
          {
            "timestamp": "2026-05-28 22:02:51,521",
            "thread_id": "8604",
            "caller": "0x7ff6c28c4d5f",
            "parentcaller": "0x7ff6c28d9152",
            "category": "misc",
            "api": "NtQuerySystemInformation",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SystemInformationClass",
                "value": "182"
              }
            ],
            "repeated": 0,
            "id": 24934
          },
          {
            "timestamp": "2026-05-28 22:02:51,521",
            "thread_id": "8604",
            "caller": "0x7ff6c28c4d76",
            "parentcaller": "0x7ff6c28d9152",
            "category": "misc",
            "api": "GetPhysicallyInstalledSystemMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TotalMemoryInKilobytes",
                "value": "8388608"
              }
            ],
            "repeated": 0,
            "id": 24935
          },
          {
            "timestamp": "2026-05-28 22:02:51,521",
            "thread_id": "8604",
            "caller": "0x7ff6c28bcc3e",
            "parentcaller": "0x7ff6c28baa3d",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000008a4"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\Nsi"
              },
              {
                "name": "IoControlCode",
                "value": "0x00120007"
              },
              {
                "name": "InputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb1\\xa9t\\xfc\\x7f\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xc0\\xe5O\\x9e\\xf0\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb1\\xa9t\\xfc\\x7f\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xc0\\xe5O\\x9e\\xf0\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 24936
          },
          {
            "timestamp": "2026-05-28 22:02:51,521",
            "thread_id": "8604",
            "caller": "0x7ff6c28bcc3e",
            "parentcaller": "0x7ff6c28baa3d",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000ac0"
              }
            ],
            "repeated": 0,
            "id": 24937
          },
          {
            "timestamp": "2026-05-28 22:02:51,521",
            "thread_id": "8604",
            "caller": "0x7ff6c28bcc3e",
            "parentcaller": "0x7ff6c28baa3d",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000008a4"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\Nsi"
              },
              {
                "name": "IoControlCode",
                "value": "0x0012000f"
              },
              {
                "name": "InputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb1\\xa9t\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xd0\\xe5O\\x9e\\xf0\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\xeeO\\x9e\\xf0\\x00\\x00\\x00D\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xe6O\\x9e\\xf0\\x00\\x00\\x00\\xd8\\x00\\x00\\x00\\x00\\x00\\x00\\x00 \\xe9O\\x9e\\xf0\\x00\\x00\\x00X\\x02\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb1\\xa9t\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xd0\\xe5O\\x9e\\xf0\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\xeeO\\x9e\\xf0\\x00\\x00\\x00D\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xe6O\\x9e\\xf0\\x00\\x00\\x00\\xd8\\x00\\x00\\x00\\x00\\x00\\x00\\x00 \\xe9O\\x9e\\xf0\\x00\\x00\\x00X\\x02\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 24938
          },
          {
            "timestamp": "2026-05-28 22:02:51,521",
            "thread_id": "8604",
            "caller": "0x7ff6c28bcc3e",
            "parentcaller": "0x7ff6c28baa3d",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000ac0"
              }
            ],
            "repeated": 0,
            "id": 24939
          },
          {
            "timestamp": "2026-05-28 22:02:51,521",
            "thread_id": "8604",
            "caller": "0x7ff6c28bcd3d",
            "parentcaller": "0x7ff6c28baa3d",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000ac0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0012019f",
                "pretty_value": "FILE_GENERIC_READ|FILE_GENERIC_WRITE"
              },
              {
                "name": "FileName",
                "value": "\\Device\\{4C572733-2FBA-4346-9601-F86DBA666EF2}"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 24940
          },
          {
            "timestamp": "2026-05-28 22:02:51,521",
            "thread_id": "8604",
            "caller": "0x7ff6c28bcd94",
            "parentcaller": "0x7ff6c28baa3d",
            "category": "device",
            "api": "DeviceIoControl",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "DeviceHandle",
                "value": "0x00000ac0"
              },
              {
                "name": "IoControlCode",
                "value": "0x0017003e"
              },
              {
                "name": "InBuffer",
                "value": "\\x07\\x01\\x01\\x00\\x04\\x01\\x01\\x80\\x14\\x01\\x01\\x80\\x01\\x01\\x02\\x00\\x02\\x01\\x02\\x00\\x03\\x01\\x02\\x00\\x04\\x01\\x02\\x00\\x08\\x02\\x02\\x80\\x01\\x02\\x02\\x80\\x07\\x02\\x02\\x80\\xff\\xff\\xff\\x80\\x13\\x02\\x02\\x80\\x14\\x02\\x02\\x80\\x15\\x02\\x02\\x80\\x02\\x02\\x01\\x80"
              },
              {
                "name": "OutBuffer",
                "value": "\\x07\\x01\\x01\\x00\\x04\\x00\\x00\\x00\\x80\\x96\\x98\\x00\\x04\\x01\\x01\\x80\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x14\\x01\\x01\\x80\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x01\\x02\\x00\\x08\\x00\\x00\\x00\\xb0\\x17\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x01\\x02\\x00\\x08\\x00\\x00\\x00\\xebr\\x00\\x00\\x00\\x00\\x00\\x00\\x03\\x01\\x02\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x04\\x01\\x02\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x08\\x02\\x02\\x80\\x08\\x00\\x00\\x00\\xe6r\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x02\\x02\\x80\\x08\\x00\\x00\\x00\\xfbna\\x00\\x00\\x00\\x00\\x00\\x07\\x02\\x02\\x80\\x08\\x00\\x00\\x008?C\\x02\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\x80\\x04\\x00\\x00\\x00u\\x00\\x00\\x00\\x13\\x02\\x02\\x80\\x04\\x00\\x00\\x00m\\x00\\x00\\x00\\x14\\x02\\x02\\x80\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x15\\x02\\x02\\x80\\x04\\x00\\x00\\x00\\x00\\x00\\x04\\x00\\x02\\x02\\x01\\x80\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 24941
          },
          {
            "timestamp": "2026-05-28 22:02:51,521",
            "thread_id": "8604",
            "caller": "0x7ff6c28bcdab",
            "parentcaller": "0x7ff6c28baa3d",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000ac0"
              }
            ],
            "repeated": 0,
            "id": 24942
          },
          {
            "timestamp": "2026-05-28 22:02:51,521",
            "thread_id": "8604",
            "caller": "0x7ff6c28c1a63",
            "parentcaller": "0x7ff6c28d9152",
            "category": "device",
            "api": "DeviceIoControl",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "DeviceHandle",
                "value": "0x0000089c"
              },
              {
                "name": "IoControlCode",
                "value": "0x00070020"
              },
              {
                "name": "InBuffer",
                "value": ""
              },
              {
                "name": "OutBuffer",
                "value": "\\x00\\xe2\\xfcx\\x00\\x00\\x00\\x00\\x00h\\xe2\\x0c\\x00\\x00\\x00\\x00\\xcaW\\xc1 \\x00\\x00\\x00\\x00\\x95{\\x81\\x16\\x00\\x00\\x00\\x00\\xd86\\xa73\\x00\\x00\\x00\\x00\\x1ew\\x00\\x00b\\x12\\x00\\x00\\x00\\x00\\x00\\x00\\x05\\x05\\x00\\x00/GV\\xba\\xed\\xee\\xdc\\x01\\x00\\x00\\x00\\x00P\\x00a\\x00r\\x00t\\x00m\\x00g\\x00r\\x00 \\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 24943
          },
          {
            "timestamp": "2026-05-28 22:02:51,521",
            "thread_id": "8604",
            "caller": "0x7ff6c28ca352",
            "parentcaller": "0x7ff6c28ca1d6",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 24944
          },
          {
            "timestamp": "2026-05-28 22:02:51,521",
            "thread_id": "8604",
            "caller": "0x7ff6c28ca352",
            "parentcaller": "0x7ff6c28ca1d6",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "0",
                "pretty_value": "ThreadBasicInformation"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x03\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb0\\x88\\x9d\\xf0\\x00\\x00\\x00\\xe8\\x1e\\x00\\x00\\x00\\x00\\x00\\x00\\x9c!\\x00\\x00\\x00\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x0b\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "8604"
              }
            ],
            "repeated": 0,
            "id": 24945
          },
          {
            "timestamp": "2026-05-28 22:02:51,521",
            "thread_id": "8604",
            "caller": "0x7ff6c28ca352",
            "parentcaller": "0x7ff6c28ca1d6",
            "category": "system",
            "api": "GetSystemTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 1,
            "id": 24946
          },
          {
            "timestamp": "2026-05-28 22:02:51,521",
            "thread_id": "8604",
            "caller": "0x7ff6c28ca352",
            "parentcaller": "0x7ff6c28ca1d6",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000410"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\PcwDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00224013"
              },
              {
                "name": "InputBuffer",
                "value": "\\x00\t\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": "\\xe0G\\x00\\x00\\x10\\x00\\x00\\x00\\x0c\\x00\\x00\\x00\\x00\\x00\\x00\\x00`\\x14\\x00\\x00 \\x00\\x00\\x00!\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\n\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x98\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x88\\x00\\x00\\x00\\x01\\x00\\x00\\x00p\\x00i\\x00d\\x00_\\x004\\x00_\\x00l\\x00u\\x00i\\x00d\\x00_\\x000\\x00x\\x000\\x000\\x000\\x000\\x000\\x000\\x000\\x000\\x00_\\x000\\x00x\\x000\\x000\\x000\\x000\\x006\\x001\\x006\\x00A\\x00_\\x00p\\x00h\\x00y\\x00s\\x00_\\x000\\x00_\\x00e\\x00n\\x00g\\x00_\\x000\\x00_\\x00e\\x00n\\x00g\\x00t\\x00y\\x00p\\x00e\\x00_\\x003\\x00D\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x01\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x98\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x88\\x00\\x00\\x00\\x01\\x00\\x00\\x00p\\x00i\\x00d\\x00_\\x004\\x00_\\x00l\\x00u\\x00i\\x00d\\x00_\\x000\\x00x\\x000\\x000\\x000\\x000\\x000\\x000\\x000\\x00"
              }
            ],
            "repeated": 0,
            "id": 24947
          },
          {
            "timestamp": "2026-05-28 22:02:51,521",
            "thread_id": "5448",
            "caller": "0x7ff6c28c63dd",
            "parentcaller": "0x7ff6c28bac26",
            "category": "misc",
            "api": "NtQuerySystemInformation",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SystemInformationClass",
                "value": "5",
                "pretty_value": "SystemProcessInformation"
              }
            ],
            "repeated": 0,
            "id": 24948
          },
          {
            "timestamp": "2026-05-28 22:02:51,521",
            "thread_id": "5448",
            "caller": "0x7ff6c28bda50",
            "parentcaller": "0x7ff6c28d9f92",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "23"
              },
              {
                "name": "ThreadInformation",
                "value": "\\xee+Lq\\x00\\x00\\x00\\x00\\xfc\\x99 tm\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "5448"
              }
            ],
            "repeated": 0,
            "id": 24949
          },
          {
            "timestamp": "2026-05-28 22:02:51,521",
            "thread_id": "5448",
            "caller": "0x7ff6c28bdaa2",
            "parentcaller": "0x7ff6c28d9f92",
            "category": "misc",
            "api": "NtQuerySystemInformation",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SystemInformationClass",
                "value": "3",
                "pretty_value": "SystemTimeOfDayInformation"
              }
            ],
            "repeated": 0,
            "id": 24950
          },
          {
            "timestamp": "2026-05-28 22:02:51,521",
            "thread_id": "5448",
            "caller": "0x7ff6c28c4a58",
            "parentcaller": "0x7ff6c28c4bdc",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000410"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\PcwDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00224013"
              },
              {
                "name": "InputBuffer",
                "value": "\\x14\\x04\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": "\\xb8\\x01\\x00\\x00\\x10\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xa8\\x01\\x00\\x00 \\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x000\\x00\\x00\\x0c\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00`\\x00\\x00\\x00\\x00\\x00\\x00\\x00 \\x00\\x00\\x00\\x04\\x00\\x00\\x000\\x00,\\x000\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x04\\x00\\x08\\x00V!\\x83\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x05\\x00\\x08\\x00VN\\xb4\\x01\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x1a\\x00\\x08\\x00\\xe4l|$\\x01\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x1b\\x00\\x04\\x00\\x8e\\x0c\\x8c\\x04\\x00\\x00\\x00\\x00`\\x00\\x00\\x00\\x01\\x00\\x00\\x00 \\x00\\x00\\x00\\x04\\x00\\x00\\x000\\x00,\\x001\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x04\\x00\\x08\\x00\\xaey^\\x01\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x05\\x00\\x08\\x00T\\xea*\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x1a\\x00\\x08\\x00\\x14\\x94\\xe8)\\x01\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x1b\\x00\\x04\\x00\\x93\\x0c\\x8c\\x04\\x00\\x00\\x00\\x00h\\x00\\x00\\x00\\x02\\x00\\x00\\x00(\\x00\\x00\\x00\\x04\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 24951
          },
          {
            "timestamp": "2026-05-28 22:02:51,521",
            "thread_id": "5448",
            "caller": "0x7ff6c28c4a58",
            "parentcaller": "0x7ff6c28c4c19",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000410"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\PcwDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00224013"
              },
              {
                "name": "InputBuffer",
                "value": "\\x18\\x04\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": "x\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00h\\x00\\x00\\x00 \\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00H\\x00\\x00\\x00\\x00\\x00\\x00\\x00(\\x00\\x00\\x00\\x02\\x00\\x00\\x00d\\x00e\\x00f\\x00a\\x00u\\x00l\\x00t\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x08\\x00\\x1b\\xac\\xe2\\xa3\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x01\\x00\\x08\\x00\\x00h\\xc0\\x0e\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 24952
          },
          {
            "timestamp": "2026-05-28 22:02:51,521",
            "thread_id": "5448",
            "caller": "0x7ff6c28c6f7b",
            "parentcaller": "0x7ff6c28bdb94",
            "category": "misc",
            "api": "GlobalMemoryStatusEx",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "MemoryLoad",
                "value": "31"
              },
              {
                "name": "TotalPhysicalMB",
                "value": "8191"
              }
            ],
            "repeated": 0,
            "id": 24953
          },
          {
            "timestamp": "2026-05-28 22:02:51,521",
            "thread_id": "5448",
            "caller": "0x7ff6c28c05ac",
            "parentcaller": "0x7ff6c28bdc11",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000ac0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001400",
                "pretty_value": "PROCESS_QUERY_INFORMATION|PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "748"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe"
              }
            ],
            "repeated": 0,
            "id": 24954
          },
          {
            "timestamp": "2026-05-28 22:02:51,521",
            "thread_id": "5448",
            "caller": "0x7ff6c28c068f",
            "parentcaller": "0x7ff6c28bdc11",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000ac0"
              }
            ],
            "repeated": 0,
            "id": 24955
          },
          {
            "timestamp": "2026-05-28 22:02:51,521",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c6d7d",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000ac0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001400",
                "pretty_value": "PROCESS_QUERY_INFORMATION|PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "748"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe"
              }
            ],
            "repeated": 0,
            "id": 24956
          },
          {
            "timestamp": "2026-05-28 22:02:51,521",
            "thread_id": "5448",
            "caller": "0x7ff6c28c6de3",
            "parentcaller": "0x7ff6c28c087c",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000ac0"
              }
            ],
            "repeated": 0,
            "id": 24957
          },
          {
            "timestamp": "2026-05-28 22:02:51,521",
            "thread_id": "2700",
            "caller": "0x7ff6c28d9214",
            "parentcaller": "0x00000000",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "0",
                "pretty_value": "ThreadBasicInformation"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x03\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xd0\\x86\\x9d\\xf0\\x00\\x00\\x00\\xe8\\x1e\\x00\\x00\\x00\\x00\\x00\\x00\\x8c\n\\x00\\x00\\x00\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\n\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "2700"
              }
            ],
            "repeated": 0,
            "id": 24958
          },
          {
            "timestamp": "2026-05-28 22:02:51,521",
            "thread_id": "2700",
            "caller": "0x7ff6c28d927b",
            "parentcaller": "0x00000000",
            "category": "device",
            "api": "DeviceIoControl",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "DeviceHandle",
                "value": "0x000002c4"
              },
              {
                "name": "IoControlCode",
                "value": "0x00390008",
                "pretty_value": "IOCTL_KSEC_RANDOM_FILL_BUFFER"
              },
              {
                "name": "InBuffer",
                "value": ""
              },
              {
                "name": "OutBuffer",
                "value": "\\xb6\\xef\\xaao\\xb4z\\x84\\xc5\\x91\\v\\x8c(\\xe7\\xbe!\\xdd\\xc7\\xf9^D\\xa7\\xffG\\xed \\xd4\\xa4(YF:"
              }
            ],
            "repeated": 0,
            "id": 24959
          },
          {
            "timestamp": "2026-05-28 22:02:51,521",
            "thread_id": "2700",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000000",
                "pretty_value": "HKEY_CLASSES_ROOT"
              },
              {
                "name": "SubKey",
                "value": "CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_CLASSES_ROOT\\CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              }
            ],
            "repeated": 0,
            "id": 24960
          },
          {
            "timestamp": "2026-05-28 22:02:51,521",
            "thread_id": "2700",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "shell32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76730000"
              }
            ],
            "repeated": 0,
            "id": 24961
          },
          {
            "timestamp": "2026-05-28 22:02:51,521",
            "thread_id": "2700",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x7ffc76730000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "shell32.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 24962
          },
          {
            "timestamp": "2026-05-28 22:02:51,521",
            "thread_id": "2700",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "SHELL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc76730000"
              },
              {
                "name": "FunctionName",
                "value": "DllGetClassObject"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc767878f0"
              }
            ],
            "repeated": 0,
            "id": 24963
          },
          {
            "timestamp": "2026-05-28 22:02:51,521",
            "thread_id": "2700",
            "caller": "0x7ff6c28c27c9",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "synchronization",
            "api": "NtFindAtom",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "AtomName",
                "value": "{57086C23-86C6-478F-AFB2-236188C8F47F} 3"
              },
              {
                "name": "Atom",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 24964
          },
          {
            "timestamp": "2026-05-28 22:02:51,521",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6fb1",
            "parentcaller": "0x7ff6c28e0076",
            "category": "system",
            "api": "NtDelayExecution",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 24965
          },
          {
            "timestamp": "2026-05-28 22:02:51,521",
            "thread_id": "2700",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000000",
                "pretty_value": "HKEY_CLASSES_ROOT"
              },
              {
                "name": "SubKey",
                "value": "CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_CLASSES_ROOT\\CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              }
            ],
            "repeated": 0,
            "id": 24966
          },
          {
            "timestamp": "2026-05-28 22:02:51,521",
            "thread_id": "2700",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "shell32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76730000"
              }
            ],
            "repeated": 0,
            "id": 24967
          },
          {
            "timestamp": "2026-05-28 22:02:51,521",
            "thread_id": "2700",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x7ffc76730000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "shell32.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 24968
          },
          {
            "timestamp": "2026-05-28 22:02:51,521",
            "thread_id": "2700",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "SHELL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc76730000"
              },
              {
                "name": "FunctionName",
                "value": "DllGetClassObject"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc767878f0"
              }
            ],
            "repeated": 0,
            "id": 24969
          },
          {
            "timestamp": "2026-05-28 22:02:51,521",
            "thread_id": "2700",
            "caller": "0x7ff6c28c27c9",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "synchronization",
            "api": "NtFindAtom",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "AtomName",
                "value": "{57086C23-86C6-478F-AFB2-236188C8F47F} 3"
              },
              {
                "name": "Atom",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 24970
          },
          {
            "timestamp": "2026-05-28 22:02:51,521",
            "thread_id": "2700",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000000",
                "pretty_value": "HKEY_CLASSES_ROOT"
              },
              {
                "name": "SubKey",
                "value": "CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_CLASSES_ROOT\\CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              }
            ],
            "repeated": 0,
            "id": 24971
          },
          {
            "timestamp": "2026-05-28 22:02:51,521",
            "thread_id": "2700",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "shell32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76730000"
              }
            ],
            "repeated": 0,
            "id": 24972
          },
          {
            "timestamp": "2026-05-28 22:02:51,521",
            "thread_id": "2700",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x7ffc76730000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "shell32.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 24973
          },
          {
            "timestamp": "2026-05-28 22:02:51,521",
            "thread_id": "2700",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "SHELL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc76730000"
              },
              {
                "name": "FunctionName",
                "value": "DllGetClassObject"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc767878f0"
              }
            ],
            "repeated": 0,
            "id": 24974
          },
          {
            "timestamp": "2026-05-28 22:02:51,521",
            "thread_id": "2700",
            "caller": "0x7ff6c28c27c9",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "synchronization",
            "api": "NtFindAtom",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "AtomName",
                "value": "{57086C23-86C6-478F-AFB2-236188C8F47F} 3"
              },
              {
                "name": "Atom",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 24975
          },
          {
            "timestamp": "2026-05-28 22:02:51,521",
            "thread_id": "2700",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000000",
                "pretty_value": "HKEY_CLASSES_ROOT"
              },
              {
                "name": "SubKey",
                "value": "CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_CLASSES_ROOT\\CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              }
            ],
            "repeated": 0,
            "id": 24976
          },
          {
            "timestamp": "2026-05-28 22:02:51,521",
            "thread_id": "2700",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "shell32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76730000"
              }
            ],
            "repeated": 0,
            "id": 24977
          },
          {
            "timestamp": "2026-05-28 22:02:51,521",
            "thread_id": "2700",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x7ffc76730000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "shell32.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 24978
          },
          {
            "timestamp": "2026-05-28 22:02:51,521",
            "thread_id": "2700",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "SHELL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc76730000"
              },
              {
                "name": "FunctionName",
                "value": "DllGetClassObject"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc767878f0"
              }
            ],
            "repeated": 0,
            "id": 24979
          },
          {
            "timestamp": "2026-05-28 22:02:51,521",
            "thread_id": "2700",
            "caller": "0x7ff6c28c27c9",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "synchronization",
            "api": "NtFindAtom",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "AtomName",
                "value": "{57086C23-86C6-478F-AFB2-236188C8F47F} 3"
              },
              {
                "name": "Atom",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 24980
          },
          {
            "timestamp": "2026-05-28 22:02:51,521",
            "thread_id": "2700",
            "caller": "0x7ff6c28d9322",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "oleaut32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc77330000"
              }
            ],
            "repeated": 0,
            "id": 24981
          },
          {
            "timestamp": "2026-05-28 22:02:51,521",
            "thread_id": "5448",
            "caller": "0x7ff6c28bb952",
            "parentcaller": "0x7ff6c28be837",
            "category": "windows",
            "api": "PostMessageW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "WindowHandle",
                "value": "0x00010402"
              },
              {
                "name": "Message",
                "value": "0x00000464"
              }
            ],
            "repeated": 0,
            "id": 24982
          },
          {
            "timestamp": "2026-05-28 22:02:51,521",
            "thread_id": "5448",
            "caller": "0x7ff6c28be873",
            "parentcaller": "0x7ff6c28d9f92",
            "category": "windows",
            "api": "PostMessageW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "WindowHandle",
                "value": "0x000203fa"
              },
              {
                "name": "Message",
                "value": "0x000004dd"
              }
            ],
            "repeated": 0,
            "id": 24983
          },
          {
            "timestamp": "2026-05-28 22:02:51,521",
            "thread_id": "608",
            "caller": "0x7ff6c28d9e90",
            "parentcaller": "0x7ff6c28d9a49",
            "category": "windows",
            "api": "FindWindowW",
            "status": true,
            "return": "0x00010092",
            "arguments": [
              {
                "name": "ClassName",
                "value": "Shell_TrayWnd"
              },
              {
                "name": "WindowName",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 24984
          },
          {
            "timestamp": "2026-05-28 22:02:51,521",
            "thread_id": "2700",
            "caller": "0x7ffc77bf0e98",
            "parentcaller": "0x7ffc77c6b785",
            "category": "windows",
            "api": "PostMessageW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "WindowHandle",
                "value": "0x00010438"
              },
              {
                "name": "Message",
                "value": "0x00000400"
              }
            ],
            "repeated": 0,
            "id": 24985
          },
          {
            "timestamp": "2026-05-28 22:02:52,506",
            "thread_id": "2700",
            "caller": "0x7ffc77bf0e98",
            "parentcaller": "0x7ffc77c6b785",
            "category": "windows",
            "api": "PostMessageW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "WindowHandle",
                "value": "0x00010424"
              },
              {
                "name": "Message",
                "value": "0x00000400"
              }
            ],
            "repeated": 0,
            "id": 24986
          },
          {
            "timestamp": "2026-05-28 22:02:52,521",
            "thread_id": "5448",
            "caller": "0x7ff6c28bd9af",
            "parentcaller": "0x7ff6c28d9f92",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "23"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x08Ipq\\x00\\x00\\x00\\x00\\xbcJ\\x98On\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "5448"
              }
            ],
            "repeated": 0,
            "id": 24987
          },
          {
            "timestamp": "2026-05-28 22:02:52,521",
            "thread_id": "8604",
            "caller": "0x7ff6c28c4a58",
            "parentcaller": "0x7ff6c28bab11",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000410"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\PcwDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00224013"
              },
              {
                "name": "InputBuffer",
                "value": "\\x88\\x08\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": "x\\x02\\x00\\x00\\x10\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00h\\x02\\x00\\x00 \\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01<\\x06\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x90\\x00\\x00\\x00\\x00\\x00\\x00\\x00 \\x00\\x00\\x00\\x07\\x00\\x00\\x000\\x00,\\x000\\x00\\x00\\x00a\\x00n\\x00a\\x00g\\x00\\x10\\x00\\x00\\x00\\x10\\x00\\x04\\x00\\x00\\x00\\x00\\x00A\\x00p\\x00\\x10\\x00\\x00\\x00\\x1a\\x00\\x08\\x00\\x01\\xee4(\\x01\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x1b\\x00\\x04\\x00\\xf8\\x92\\x95\\x04S\\x00e\\x00\\x10\\x00\\x00\\x00\\x1c\\x00\\x08\\x00\\x8b\\xc2\\xc4\\x08\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x1d\\x00\\x04\\x00\\xf8\\x92\\x95\\x04)\\x00\\x00\\x00\\x10\\x00\\x00\\x00!\\x00\\x08\\x00`Y.\\xa6*\\x00\\x00\\x00\\x10\\x00\\x00\\x00\"\\x00\\x04\\x00\\x0fJ\\xf6\\x02o\\x00f\\x00\\x90\\x00\\x00\\x00\\x01\\x00\\x00\\x00 \\x00\\x00\\x00\\x07\\x00\\x00\\x000\\x00,\\x001\\x00\\x00\\x00n\\x00t\\x00\\x00\\x00A\\x00\\x10\\x00\\x00\\x00\\x10\\x00\\x04\\x00\\x00\\x00\\x00\\x00e\\x00n\\x00\\x10\\x00\\x00\\x00\\x1a\\x00\\x08\\x00j\\x16\\xa1-\\x01\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 24988
          },
          {
            "timestamp": "2026-05-28 22:02:52,521",
            "thread_id": "8604",
            "caller": "0x7ff6c28c7164",
            "parentcaller": "0x7ff6c28c4d2d",
            "category": "misc",
            "api": "NtQuerySystemInformation",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "SystemInformationClass",
                "value": "79"
              }
            ],
            "repeated": 0,
            "id": 24989
          },
          {
            "timestamp": "2026-05-28 22:02:52,521",
            "thread_id": "8604",
            "caller": "0x7ff6c28c71d8",
            "parentcaller": "0x7ff6c28c4d2d",
            "category": "misc",
            "api": "NtQuerySystemInformation",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SystemInformationClass",
                "value": "79"
              }
            ],
            "repeated": 0,
            "id": 24990
          },
          {
            "timestamp": "2026-05-28 22:02:52,521",
            "thread_id": "8604",
            "caller": "0x7ff6c28c4d5f",
            "parentcaller": "0x7ff6c28d9152",
            "category": "misc",
            "api": "NtQuerySystemInformation",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SystemInformationClass",
                "value": "182"
              }
            ],
            "repeated": 0,
            "id": 24991
          },
          {
            "timestamp": "2026-05-28 22:02:52,521",
            "thread_id": "8604",
            "caller": "0x7ff6c28c4d76",
            "parentcaller": "0x7ff6c28d9152",
            "category": "misc",
            "api": "GetPhysicallyInstalledSystemMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TotalMemoryInKilobytes",
                "value": "8388608"
              }
            ],
            "repeated": 0,
            "id": 24992
          },
          {
            "timestamp": "2026-05-28 22:02:52,521",
            "thread_id": "8604",
            "caller": "0x7ff6c28bcc3e",
            "parentcaller": "0x7ff6c28baa3d",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000008a4"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\Nsi"
              },
              {
                "name": "IoControlCode",
                "value": "0x00120007"
              },
              {
                "name": "InputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb1\\xa9t\\xfc\\x7f\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xc0\\xe5O\\x9e\\xf0\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb1\\xa9t\\xfc\\x7f\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xc0\\xe5O\\x9e\\xf0\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 24993
          },
          {
            "timestamp": "2026-05-28 22:02:52,521",
            "thread_id": "8604",
            "caller": "0x7ff6c28bcc3e",
            "parentcaller": "0x7ff6c28baa3d",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000ab8"
              }
            ],
            "repeated": 0,
            "id": 24994
          },
          {
            "timestamp": "2026-05-28 22:02:52,521",
            "thread_id": "8604",
            "caller": "0x7ff6c28bcc3e",
            "parentcaller": "0x7ff6c28baa3d",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000008a4"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\Nsi"
              },
              {
                "name": "IoControlCode",
                "value": "0x0012000f"
              },
              {
                "name": "InputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb1\\xa9t\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xd0\\xe5O\\x9e\\xf0\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\xeeO\\x9e\\xf0\\x00\\x00\\x00D\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xe6O\\x9e\\xf0\\x00\\x00\\x00\\xd8\\x00\\x00\\x00\\x00\\x00\\x00\\x00 \\xe9O\\x9e\\xf0\\x00\\x00\\x00X\\x02\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb1\\xa9t\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xd0\\xe5O\\x9e\\xf0\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\xeeO\\x9e\\xf0\\x00\\x00\\x00D\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xe6O\\x9e\\xf0\\x00\\x00\\x00\\xd8\\x00\\x00\\x00\\x00\\x00\\x00\\x00 \\xe9O\\x9e\\xf0\\x00\\x00\\x00X\\x02\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 24995
          },
          {
            "timestamp": "2026-05-28 22:02:52,521",
            "thread_id": "8604",
            "caller": "0x7ff6c28bcc3e",
            "parentcaller": "0x7ff6c28baa3d",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000ab8"
              }
            ],
            "repeated": 0,
            "id": 24996
          },
          {
            "timestamp": "2026-05-28 22:02:52,521",
            "thread_id": "8604",
            "caller": "0x7ff6c28bcd3d",
            "parentcaller": "0x7ff6c28baa3d",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000ab8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0012019f",
                "pretty_value": "FILE_GENERIC_READ|FILE_GENERIC_WRITE"
              },
              {
                "name": "FileName",
                "value": "\\Device\\{4C572733-2FBA-4346-9601-F86DBA666EF2}"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 24997
          },
          {
            "timestamp": "2026-05-28 22:02:52,521",
            "thread_id": "8604",
            "caller": "0x7ff6c28bcd94",
            "parentcaller": "0x7ff6c28baa3d",
            "category": "device",
            "api": "DeviceIoControl",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "DeviceHandle",
                "value": "0x00000ab8"
              },
              {
                "name": "IoControlCode",
                "value": "0x0017003e"
              },
              {
                "name": "InBuffer",
                "value": "\\x07\\x01\\x01\\x00\\x04\\x01\\x01\\x80\\x14\\x01\\x01\\x80\\x01\\x01\\x02\\x00\\x02\\x01\\x02\\x00\\x03\\x01\\x02\\x00\\x04\\x01\\x02\\x00\\x08\\x02\\x02\\x80\\x01\\x02\\x02\\x80\\x07\\x02\\x02\\x80\\xff\\xff\\xff\\x80\\x13\\x02\\x02\\x80\\x14\\x02\\x02\\x80\\x15\\x02\\x02\\x80\\x02\\x02\\x01\\x80"
              },
              {
                "name": "OutBuffer",
                "value": "\\x07\\x01\\x01\\x00\\x04\\x00\\x00\\x00\\x80\\x96\\x98\\x00\\x04\\x01\\x01\\x80\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x14\\x01\\x01\\x80\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x01\\x02\\x00\\x08\\x00\\x00\\x00\\xb8\\x17\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x01\\x02\\x00\\x08\\x00\\x00\\x00\\xeer\\x00\\x00\\x00\\x00\\x00\\x00\\x03\\x01\\x02\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x04\\x01\\x02\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x08\\x02\\x02\\x80\\x08\\x00\\x00\\x00\\xe9r\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x02\\x02\\x80\\x08\\x00\\x00\\x00\\xc2qa\\x00\\x00\\x00\\x00\\x00\\x07\\x02\\x02\\x80\\x08\\x00\\x00\\x00\\xec?C\\x02\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\x80\\x04\\x00\\x00\\x00v\\x00\\x00\\x00\\x13\\x02\\x02\\x80\\x04\\x00\\x00\\x00m\\x00\\x00\\x00\\x14\\x02\\x02\\x80\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x15\\x02\\x02\\x80\\x04\\x00\\x00\\x00\\x00\\x00\\x04\\x00\\x02\\x02\\x01\\x80\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 24998
          },
          {
            "timestamp": "2026-05-28 22:02:52,521",
            "thread_id": "8604",
            "caller": "0x7ff6c28bcdab",
            "parentcaller": "0x7ff6c28baa3d",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000ab8"
              }
            ],
            "repeated": 0,
            "id": 24999
          },
          {
            "timestamp": "2026-05-28 22:02:52,521",
            "thread_id": "8604",
            "caller": "0x7ff6c28c1a63",
            "parentcaller": "0x7ff6c28d9152",
            "category": "device",
            "api": "DeviceIoControl",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "DeviceHandle",
                "value": "0x0000089c"
              },
              {
                "name": "IoControlCode",
                "value": "0x00070020"
              },
              {
                "name": "InBuffer",
                "value": ""
              },
              {
                "name": "OutBuffer",
                "value": "\\x00\\xe2\\xfcx\\x00\\x00\\x00\\x00\\x00h\\xe2\\x0c\\x00\\x00\\x00\\x00\\xcaW\\xc1 \\x00\\x00\\x00\\x00\\x95{\\x81\\x16\\x00\\x00\\x00\\x00,\\xc9?4\\x00\\x00\\x00\\x00\\x1ew\\x00\\x00b\\x12\\x00\\x00\\x00\\x00\\x00\\x00\\x05\\x05\\x00\\x00\\x1d\\xdb\\xee\\xba\\xed\\xee\\xdc\\x01\\x00\\x00\\x00\\x00P\\x00a\\x00r\\x00t\\x00m\\x00g\\x00r\\x00 \\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 25000
          },
          {
            "timestamp": "2026-05-28 22:02:52,521",
            "thread_id": "8604",
            "caller": "0x7ff6c28ca352",
            "parentcaller": "0x7ff6c28ca1d6",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 25001
          },
          {
            "timestamp": "2026-05-28 22:02:52,521",
            "thread_id": "8604",
            "caller": "0x7ff6c28ca352",
            "parentcaller": "0x7ff6c28ca1d6",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "0",
                "pretty_value": "ThreadBasicInformation"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x03\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb0\\x88\\x9d\\xf0\\x00\\x00\\x00\\xe8\\x1e\\x00\\x00\\x00\\x00\\x00\\x00\\x9c!\\x00\\x00\\x00\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x0b\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "8604"
              }
            ],
            "repeated": 0,
            "id": 25002
          },
          {
            "timestamp": "2026-05-28 22:02:52,521",
            "thread_id": "8604",
            "caller": "0x7ff6c28ca352",
            "parentcaller": "0x7ff6c28ca1d6",
            "category": "system",
            "api": "GetSystemTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 1,
            "id": 25003
          },
          {
            "timestamp": "2026-05-28 22:02:52,521",
            "thread_id": "8604",
            "caller": "0x7ff6c28ca352",
            "parentcaller": "0x7ff6c28ca1d6",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000410"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\PcwDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00224013"
              },
              {
                "name": "InputBuffer",
                "value": "\\x00\t\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": "\\xe0G\\x00\\x00\\x10\\x00\\x00\\x00\\x0c\\x00\\x00\\x00\\x00\\x00\\x00\\x00`\\x14\\x00\\x00 \\x00\\x00\\x00!\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\n\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x98\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x88\\x00\\x00\\x00\\x01\\x00\\x00\\x00p\\x00i\\x00d\\x00_\\x004\\x00_\\x00l\\x00u\\x00i\\x00d\\x00_\\x000\\x00x\\x000\\x000\\x000\\x000\\x000\\x000\\x000\\x000\\x00_\\x000\\x00x\\x000\\x000\\x000\\x000\\x006\\x001\\x006\\x00A\\x00_\\x00p\\x00h\\x00y\\x00s\\x00_\\x000\\x00_\\x00e\\x00n\\x00g\\x00_\\x000\\x00_\\x00e\\x00n\\x00g\\x00t\\x00y\\x00p\\x00e\\x00_\\x003\\x00D\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x01\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x98\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x88\\x00\\x00\\x00\\x01\\x00\\x00\\x00p\\x00i\\x00d\\x00_\\x004\\x00_\\x00l\\x00u\\x00i\\x00d\\x00_\\x000\\x00x\\x000\\x000\\x000\\x000\\x000\\x000\\x000\\x00"
              }
            ],
            "repeated": 0,
            "id": 25004
          },
          {
            "timestamp": "2026-05-28 22:02:52,521",
            "thread_id": "5448",
            "caller": "0x7ff6c28c63dd",
            "parentcaller": "0x7ff6c28bac26",
            "category": "misc",
            "api": "NtQuerySystemInformation",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SystemInformationClass",
                "value": "5",
                "pretty_value": "SystemProcessInformation"
              }
            ],
            "repeated": 0,
            "id": 25005
          },
          {
            "timestamp": "2026-05-28 22:02:52,521",
            "thread_id": "5448",
            "caller": "0x7ff6c28bda50",
            "parentcaller": "0x7ff6c28d9f92",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "23"
              },
              {
                "name": "ThreadInformation",
                "value": "\\xcc\\xc9\\xabq\\x00\\x00\\x00\\x00Vf\\xd5On\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "5448"
              }
            ],
            "repeated": 0,
            "id": 25006
          },
          {
            "timestamp": "2026-05-28 22:02:52,521",
            "thread_id": "5448",
            "caller": "0x7ff6c28bdaa2",
            "parentcaller": "0x7ff6c28d9f92",
            "category": "misc",
            "api": "NtQuerySystemInformation",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SystemInformationClass",
                "value": "3",
                "pretty_value": "SystemTimeOfDayInformation"
              }
            ],
            "repeated": 0,
            "id": 25007
          },
          {
            "timestamp": "2026-05-28 22:02:52,521",
            "thread_id": "5448",
            "caller": "0x7ff6c28c4a58",
            "parentcaller": "0x7ff6c28c4bdc",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000410"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\PcwDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00224013"
              },
              {
                "name": "InputBuffer",
                "value": "\\x14\\x04\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": "\\xb8\\x01\\x00\\x00\\x10\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xa8\\x01\\x00\\x00 \\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x000\\x00\\x00\\x0c\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00`\\x00\\x00\\x00\\x00\\x00\\x00\\x00 \\x00\\x00\\x00\\x04\\x00\\x00\\x000\\x00,\\x000\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x04\\x00\\x08\\x00V!\\x83\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x05\\x00\\x08\\x00VN\\xb4\\x01\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x1a\\x00\\x08\\x00\\x9a\r6(\\x01\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x1b\\x00\\x04\\x00\\xd8\\x95\\x95\\x04\\x00\\x00\\x00\\x00`\\x00\\x00\\x00\\x01\\x00\\x00\\x00 \\x00\\x00\\x00\\x04\\x00\\x00\\x000\\x00,\\x001\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x04\\x00\\x08\\x00\\xaey^\\x01\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x05\\x00\\x08\\x00T\\xea*\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x1a\\x00\\x08\\x00A4\\xa2-\\x01\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x1b\\x00\\x04\\x00\\xdb\\x95\\x95\\x04\\x00\\x00\\x00\\x00h\\x00\\x00\\x00\\x02\\x00\\x00\\x00(\\x00\\x00\\x00\\x04\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 25008
          },
          {
            "timestamp": "2026-05-28 22:02:52,521",
            "thread_id": "5448",
            "caller": "0x7ff6c28c4a58",
            "parentcaller": "0x7ff6c28c4c19",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000410"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\PcwDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00224013"
              },
              {
                "name": "InputBuffer",
                "value": "\\x18\\x04\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": "x\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00h\\x00\\x00\\x00 \\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00H\\x00\\x00\\x00\\x00\\x00\\x00\\x00(\\x00\\x00\\x00\\x02\\x00\\x00\\x00d\\x00e\\x00f\\x00a\\x00u\\x00l\\x00t\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x08\\x00\\x1b\\xac\\xe2\\xa3\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x01\\x00\\x08\\x00\\x00h\\xc0\\x0e\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 25009
          },
          {
            "timestamp": "2026-05-28 22:02:52,521",
            "thread_id": "5448",
            "caller": "0x7ff6c28c6f7b",
            "parentcaller": "0x7ff6c28bdb94",
            "category": "misc",
            "api": "GlobalMemoryStatusEx",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "MemoryLoad",
                "value": "31"
              },
              {
                "name": "TotalPhysicalMB",
                "value": "8191"
              }
            ],
            "repeated": 0,
            "id": 25010
          },
          {
            "timestamp": "2026-05-28 22:02:52,521",
            "thread_id": "5448",
            "caller": "0x7ff6c28c05ac",
            "parentcaller": "0x7ff6c28bdc11",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000ac0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001400",
                "pretty_value": "PROCESS_QUERY_INFORMATION|PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "748"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe"
              }
            ],
            "repeated": 0,
            "id": 25011
          },
          {
            "timestamp": "2026-05-28 22:02:52,521",
            "thread_id": "5448",
            "caller": "0x7ff6c28c068f",
            "parentcaller": "0x7ff6c28bdc11",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000ac0"
              }
            ],
            "repeated": 0,
            "id": 25012
          },
          {
            "timestamp": "2026-05-28 22:02:52,521",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c6d7d",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000ac0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001400",
                "pretty_value": "PROCESS_QUERY_INFORMATION|PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "748"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe"
              }
            ],
            "repeated": 0,
            "id": 25013
          },
          {
            "timestamp": "2026-05-28 22:02:52,521",
            "thread_id": "5448",
            "caller": "0x7ff6c28c6de3",
            "parentcaller": "0x7ff6c28c087c",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000ac0"
              }
            ],
            "repeated": 0,
            "id": 25014
          },
          {
            "timestamp": "2026-05-28 22:02:52,521",
            "thread_id": "2700",
            "caller": "0x7ff6c28d9214",
            "parentcaller": "0x00000000",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "0",
                "pretty_value": "ThreadBasicInformation"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x03\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xd0\\x86\\x9d\\xf0\\x00\\x00\\x00\\xe8\\x1e\\x00\\x00\\x00\\x00\\x00\\x00\\x8c\n\\x00\\x00\\x00\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\n\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "2700"
              }
            ],
            "repeated": 0,
            "id": 25015
          },
          {
            "timestamp": "2026-05-28 22:02:52,521",
            "thread_id": "2700",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000000",
                "pretty_value": "HKEY_CLASSES_ROOT"
              },
              {
                "name": "SubKey",
                "value": "CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_CLASSES_ROOT\\CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              }
            ],
            "repeated": 0,
            "id": 25016
          },
          {
            "timestamp": "2026-05-28 22:02:52,521",
            "thread_id": "2700",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "shell32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76730000"
              }
            ],
            "repeated": 0,
            "id": 25017
          },
          {
            "timestamp": "2026-05-28 22:02:52,521",
            "thread_id": "2700",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x7ffc76730000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "shell32.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 25018
          },
          {
            "timestamp": "2026-05-28 22:02:52,521",
            "thread_id": "2700",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "SHELL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc76730000"
              },
              {
                "name": "FunctionName",
                "value": "DllGetClassObject"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc767878f0"
              }
            ],
            "repeated": 0,
            "id": 25019
          },
          {
            "timestamp": "2026-05-28 22:02:52,521",
            "thread_id": "2700",
            "caller": "0x7ff6c28c27c9",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "synchronization",
            "api": "NtFindAtom",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "AtomName",
                "value": "{57086C23-86C6-478F-AFB2-236188C8F47F} 3"
              },
              {
                "name": "Atom",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 25020
          },
          {
            "timestamp": "2026-05-28 22:02:52,521",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6fb1",
            "parentcaller": "0x7ff6c28e0076",
            "category": "system",
            "api": "NtDelayExecution",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 25021
          },
          {
            "timestamp": "2026-05-28 22:02:52,521",
            "thread_id": "2700",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000000",
                "pretty_value": "HKEY_CLASSES_ROOT"
              },
              {
                "name": "SubKey",
                "value": "CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_CLASSES_ROOT\\CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              }
            ],
            "repeated": 0,
            "id": 25022
          },
          {
            "timestamp": "2026-05-28 22:02:52,521",
            "thread_id": "2700",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "shell32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76730000"
              }
            ],
            "repeated": 0,
            "id": 25023
          },
          {
            "timestamp": "2026-05-28 22:02:52,521",
            "thread_id": "2700",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x7ffc76730000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "shell32.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 25024
          },
          {
            "timestamp": "2026-05-28 22:02:52,521",
            "thread_id": "2700",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "SHELL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc76730000"
              },
              {
                "name": "FunctionName",
                "value": "DllGetClassObject"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc767878f0"
              }
            ],
            "repeated": 0,
            "id": 25025
          },
          {
            "timestamp": "2026-05-28 22:02:52,521",
            "thread_id": "2700",
            "caller": "0x7ff6c28c27c9",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "synchronization",
            "api": "NtFindAtom",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "AtomName",
                "value": "{57086C23-86C6-478F-AFB2-236188C8F47F} 3"
              },
              {
                "name": "Atom",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 25026
          },
          {
            "timestamp": "2026-05-28 22:02:52,521",
            "thread_id": "2700",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000000",
                "pretty_value": "HKEY_CLASSES_ROOT"
              },
              {
                "name": "SubKey",
                "value": "CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_CLASSES_ROOT\\CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              }
            ],
            "repeated": 0,
            "id": 25027
          },
          {
            "timestamp": "2026-05-28 22:02:52,521",
            "thread_id": "2700",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "shell32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76730000"
              }
            ],
            "repeated": 0,
            "id": 25028
          },
          {
            "timestamp": "2026-05-28 22:02:52,521",
            "thread_id": "2700",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x7ffc76730000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "shell32.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 25029
          },
          {
            "timestamp": "2026-05-28 22:02:52,521",
            "thread_id": "2700",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "SHELL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc76730000"
              },
              {
                "name": "FunctionName",
                "value": "DllGetClassObject"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc767878f0"
              }
            ],
            "repeated": 0,
            "id": 25030
          },
          {
            "timestamp": "2026-05-28 22:02:52,521",
            "thread_id": "2700",
            "caller": "0x7ff6c28c27c9",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "synchronization",
            "api": "NtFindAtom",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "AtomName",
                "value": "{57086C23-86C6-478F-AFB2-236188C8F47F} 3"
              },
              {
                "name": "Atom",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 25031
          },
          {
            "timestamp": "2026-05-28 22:02:52,521",
            "thread_id": "2700",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000000",
                "pretty_value": "HKEY_CLASSES_ROOT"
              },
              {
                "name": "SubKey",
                "value": "CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_CLASSES_ROOT\\CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              }
            ],
            "repeated": 0,
            "id": 25032
          },
          {
            "timestamp": "2026-05-28 22:02:52,521",
            "thread_id": "2700",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "shell32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76730000"
              }
            ],
            "repeated": 0,
            "id": 25033
          },
          {
            "timestamp": "2026-05-28 22:02:52,521",
            "thread_id": "2700",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x7ffc76730000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "shell32.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 25034
          },
          {
            "timestamp": "2026-05-28 22:02:52,521",
            "thread_id": "2700",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "SHELL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc76730000"
              },
              {
                "name": "FunctionName",
                "value": "DllGetClassObject"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc767878f0"
              }
            ],
            "repeated": 0,
            "id": 25035
          },
          {
            "timestamp": "2026-05-28 22:02:52,521",
            "thread_id": "2700",
            "caller": "0x7ff6c28c27c9",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "synchronization",
            "api": "NtFindAtom",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "AtomName",
                "value": "{57086C23-86C6-478F-AFB2-236188C8F47F} 3"
              },
              {
                "name": "Atom",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 25036
          },
          {
            "timestamp": "2026-05-28 22:02:52,521",
            "thread_id": "2700",
            "caller": "0x7ff6c28d9322",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "oleaut32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc77330000"
              }
            ],
            "repeated": 0,
            "id": 25037
          },
          {
            "timestamp": "2026-05-28 22:02:52,521",
            "thread_id": "5448",
            "caller": "0x7ff6c28bb952",
            "parentcaller": "0x7ff6c28be837",
            "category": "windows",
            "api": "PostMessageW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "WindowHandle",
                "value": "0x00010402"
              },
              {
                "name": "Message",
                "value": "0x00000464"
              }
            ],
            "repeated": 0,
            "id": 25038
          },
          {
            "timestamp": "2026-05-28 22:02:52,521",
            "thread_id": "5448",
            "caller": "0x7ff6c28be873",
            "parentcaller": "0x7ff6c28d9f92",
            "category": "windows",
            "api": "PostMessageW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "WindowHandle",
                "value": "0x000203fa"
              },
              {
                "name": "Message",
                "value": "0x000004dd"
              }
            ],
            "repeated": 0,
            "id": 25039
          },
          {
            "timestamp": "2026-05-28 22:02:52,521",
            "thread_id": "608",
            "caller": "0x7ff6c28d9e90",
            "parentcaller": "0x7ff6c28d9a49",
            "category": "windows",
            "api": "FindWindowW",
            "status": true,
            "return": "0x00010092",
            "arguments": [
              {
                "name": "ClassName",
                "value": "Shell_TrayWnd"
              },
              {
                "name": "WindowName",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 25040
          },
          {
            "timestamp": "2026-05-28 22:02:52,521",
            "thread_id": "2700",
            "caller": "0x7ffc77bf0e98",
            "parentcaller": "0x7ffc77c6b785",
            "category": "windows",
            "api": "PostMessageW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "WindowHandle",
                "value": "0x00010438"
              },
              {
                "name": "Message",
                "value": "0x00000400"
              }
            ],
            "repeated": 0,
            "id": 25041
          },
          {
            "timestamp": "2026-05-28 22:02:53,490",
            "thread_id": "2700",
            "caller": "0x7ffc77bf0e98",
            "parentcaller": "0x7ffc77c6b785",
            "category": "windows",
            "api": "PostMessageW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "WindowHandle",
                "value": "0x00010424"
              },
              {
                "name": "Message",
                "value": "0x00000400"
              }
            ],
            "repeated": 0,
            "id": 25042
          },
          {
            "timestamp": "2026-05-28 22:02:53,521",
            "thread_id": "5448",
            "caller": "0x7ff6c28bd9af",
            "parentcaller": "0x7ff6c28d9f92",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "23"
              },
              {
                "name": "ThreadInformation",
                "value": "\\xb0\\xb2\\xcbq\\x00\\x00\\x00\\x00\\xac\\x9cd+o\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "5448"
              }
            ],
            "repeated": 0,
            "id": 25043
          },
          {
            "timestamp": "2026-05-28 22:02:53,521",
            "thread_id": "8604",
            "caller": "0x7ff6c28c7164",
            "parentcaller": "0x7ff6c28c4d2d",
            "category": "misc",
            "api": "NtQuerySystemInformation",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "SystemInformationClass",
                "value": "79"
              }
            ],
            "repeated": 0,
            "id": 25044
          },
          {
            "timestamp": "2026-05-28 22:02:53,521",
            "thread_id": "8604",
            "caller": "0x7ff6c28c71d8",
            "parentcaller": "0x7ff6c28c4d2d",
            "category": "misc",
            "api": "NtQuerySystemInformation",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SystemInformationClass",
                "value": "79"
              }
            ],
            "repeated": 0,
            "id": 25045
          },
          {
            "timestamp": "2026-05-28 22:02:53,521",
            "thread_id": "8604",
            "caller": "0x7ff6c28c4d5f",
            "parentcaller": "0x7ff6c28d9152",
            "category": "misc",
            "api": "NtQuerySystemInformation",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SystemInformationClass",
                "value": "182"
              }
            ],
            "repeated": 0,
            "id": 25046
          },
          {
            "timestamp": "2026-05-28 22:02:53,521",
            "thread_id": "8604",
            "caller": "0x7ff6c28c4d76",
            "parentcaller": "0x7ff6c28d9152",
            "category": "misc",
            "api": "GetPhysicallyInstalledSystemMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TotalMemoryInKilobytes",
                "value": "8388608"
              }
            ],
            "repeated": 0,
            "id": 25047
          },
          {
            "timestamp": "2026-05-28 22:02:53,521",
            "thread_id": "8604",
            "caller": "0x7ff6c28bcc3e",
            "parentcaller": "0x7ff6c28baa3d",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000008a4"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\Nsi"
              },
              {
                "name": "IoControlCode",
                "value": "0x00120007"
              },
              {
                "name": "InputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb1\\xa9t\\xfc\\x7f\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xc0\\xe5O\\x9e\\xf0\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb1\\xa9t\\xfc\\x7f\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xc0\\xe5O\\x9e\\xf0\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 25048
          },
          {
            "timestamp": "2026-05-28 22:02:53,521",
            "thread_id": "8604",
            "caller": "0x7ff6c28bcc3e",
            "parentcaller": "0x7ff6c28baa3d",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000ab8"
              }
            ],
            "repeated": 0,
            "id": 25049
          },
          {
            "timestamp": "2026-05-28 22:02:53,521",
            "thread_id": "8604",
            "caller": "0x7ff6c28bcc3e",
            "parentcaller": "0x7ff6c28baa3d",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000008a4"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\Nsi"
              },
              {
                "name": "IoControlCode",
                "value": "0x0012000f"
              },
              {
                "name": "InputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb1\\xa9t\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xd0\\xe5O\\x9e\\xf0\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\xeeO\\x9e\\xf0\\x00\\x00\\x00D\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xe6O\\x9e\\xf0\\x00\\x00\\x00\\xd8\\x00\\x00\\x00\\x00\\x00\\x00\\x00 \\xe9O\\x9e\\xf0\\x00\\x00\\x00X\\x02\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb1\\xa9t\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xd0\\xe5O\\x9e\\xf0\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\xeeO\\x9e\\xf0\\x00\\x00\\x00D\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xe6O\\x9e\\xf0\\x00\\x00\\x00\\xd8\\x00\\x00\\x00\\x00\\x00\\x00\\x00 \\xe9O\\x9e\\xf0\\x00\\x00\\x00X\\x02\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 25050
          },
          {
            "timestamp": "2026-05-28 22:02:53,521",
            "thread_id": "8604",
            "caller": "0x7ff6c28bcc3e",
            "parentcaller": "0x7ff6c28baa3d",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000ab8"
              }
            ],
            "repeated": 0,
            "id": 25051
          },
          {
            "timestamp": "2026-05-28 22:02:53,521",
            "thread_id": "8604",
            "caller": "0x7ff6c28bcd3d",
            "parentcaller": "0x7ff6c28baa3d",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000ab8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0012019f",
                "pretty_value": "FILE_GENERIC_READ|FILE_GENERIC_WRITE"
              },
              {
                "name": "FileName",
                "value": "\\Device\\{4C572733-2FBA-4346-9601-F86DBA666EF2}"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 25052
          },
          {
            "timestamp": "2026-05-28 22:02:53,521",
            "thread_id": "8604",
            "caller": "0x7ff6c28bcd94",
            "parentcaller": "0x7ff6c28baa3d",
            "category": "device",
            "api": "DeviceIoControl",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "DeviceHandle",
                "value": "0x00000ab8"
              },
              {
                "name": "IoControlCode",
                "value": "0x0017003e"
              },
              {
                "name": "InBuffer",
                "value": "\\x07\\x01\\x01\\x00\\x04\\x01\\x01\\x80\\x14\\x01\\x01\\x80\\x01\\x01\\x02\\x00\\x02\\x01\\x02\\x00\\x03\\x01\\x02\\x00\\x04\\x01\\x02\\x00\\x08\\x02\\x02\\x80\\x01\\x02\\x02\\x80\\x07\\x02\\x02\\x80\\xff\\xff\\xff\\x80\\x13\\x02\\x02\\x80\\x14\\x02\\x02\\x80\\x15\\x02\\x02\\x80\\x02\\x02\\x01\\x80"
              },
              {
                "name": "OutBuffer",
                "value": "\\x07\\x01\\x01\\x00\\x04\\x00\\x00\\x00\\x80\\x96\\x98\\x00\\x04\\x01\\x01\\x80\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x14\\x01\\x01\\x80\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x01\\x02\\x00\\x08\\x00\\x00\\x00\\xc4\\x17\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x01\\x02\\x00\\x08\\x00\\x00\\x00\\xf9r\\x00\\x00\\x00\\x00\\x00\\x00\\x03\\x01\\x02\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x04\\x01\\x02\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x08\\x02\\x02\\x80\\x08\\x00\\x00\\x00\\xf4r\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x02\\x02\\x80\\x08\\x00\\x00\\x00\\x7fua\\x00\\x00\\x00\\x00\\x00\\x07\\x02\\x02\\x80\\x08\\x00\\x00\\x00ACC\\x02\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\x80\\x04\\x00\\x00\\x00w\\x00\\x00\\x00\\x13\\x02\\x02\\x80\\x04\\x00\\x00\\x00m\\x00\\x00\\x00\\x14\\x02\\x02\\x80\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x15\\x02\\x02\\x80\\x04\\x00\\x00\\x00\\x00\\x00\\x04\\x00\\x02\\x02\\x01\\x80\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 25053
          },
          {
            "timestamp": "2026-05-28 22:02:53,521",
            "thread_id": "8604",
            "caller": "0x7ff6c28bcdab",
            "parentcaller": "0x7ff6c28baa3d",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000ab8"
              }
            ],
            "repeated": 0,
            "id": 25054
          },
          {
            "timestamp": "2026-05-28 22:02:53,521",
            "thread_id": "8604",
            "caller": "0x7ff6c28c1a63",
            "parentcaller": "0x7ff6c28d9152",
            "category": "device",
            "api": "DeviceIoControl",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "DeviceHandle",
                "value": "0x0000089c"
              },
              {
                "name": "IoControlCode",
                "value": "0x00070020"
              },
              {
                "name": "InBuffer",
                "value": ""
              },
              {
                "name": "OutBuffer",
                "value": "\\x00\\xe2\\xfcx\\x00\\x00\\x00\\x00\\x00h\\xe2\\x0c\\x00\\x00\\x00\\x00\\xcaW\\xc1 \\x00\\x00\\x00\\x00\\x95{\\x81\\x16\\x00\\x00\\x00\\x00\\xffm\\xd84\\x00\\x00\\x00\\x00\\x1ew\\x00\\x00b\\x12\\x00\\x00\\x00\\x00\\x00\\x00\\x05\\x05\\x00\\x00\\|\\x87\\xbb\\xed\\xee\\xdc\\x01\\x00\\x00\\x00\\x00P\\x00a\\x00r\\x00t\\x00m\\x00g\\x00r\\x00 \\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 25055
          },
          {
            "timestamp": "2026-05-28 22:02:53,521",
            "thread_id": "8604",
            "caller": "0x7ff6c28ca352",
            "parentcaller": "0x7ff6c28ca1d6",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 25056
          },
          {
            "timestamp": "2026-05-28 22:02:53,521",
            "thread_id": "8604",
            "caller": "0x7ff6c28ca352",
            "parentcaller": "0x7ff6c28ca1d6",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "0",
                "pretty_value": "ThreadBasicInformation"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x03\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb0\\x88\\x9d\\xf0\\x00\\x00\\x00\\xe8\\x1e\\x00\\x00\\x00\\x00\\x00\\x00\\x9c!\\x00\\x00\\x00\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x0b\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "8604"
              }
            ],
            "repeated": 0,
            "id": 25057
          },
          {
            "timestamp": "2026-05-28 22:02:53,521",
            "thread_id": "8604",
            "caller": "0x7ff6c28ca352",
            "parentcaller": "0x7ff6c28ca1d6",
            "category": "system",
            "api": "GetSystemTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 1,
            "id": 25058
          },
          {
            "timestamp": "2026-05-28 22:02:53,521",
            "thread_id": "8604",
            "caller": "0x7ff6c28ca352",
            "parentcaller": "0x7ff6c28ca1d6",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000410"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\PcwDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00224013"
              },
              {
                "name": "InputBuffer",
                "value": "\\x00\t\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": "\\xe0G\\x00\\x00\\x10\\x00\\x00\\x00\\x0c\\x00\\x00\\x00\\x00\\x00\\x00\\x00`\\x14\\x00\\x00 \\x00\\x00\\x00!\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\n\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x98\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x88\\x00\\x00\\x00\\x01\\x00\\x00\\x00p\\x00i\\x00d\\x00_\\x004\\x00_\\x00l\\x00u\\x00i\\x00d\\x00_\\x000\\x00x\\x000\\x000\\x000\\x000\\x000\\x000\\x000\\x000\\x00_\\x000\\x00x\\x000\\x000\\x000\\x000\\x006\\x001\\x006\\x00A\\x00_\\x00p\\x00h\\x00y\\x00s\\x00_\\x000\\x00_\\x00e\\x00n\\x00g\\x00_\\x000\\x00_\\x00e\\x00n\\x00g\\x00t\\x00y\\x00p\\x00e\\x00_\\x003\\x00D\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x01\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x98\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x88\\x00\\x00\\x00\\x01\\x00\\x00\\x00p\\x00i\\x00d\\x00_\\x004\\x00_\\x00l\\x00u\\x00i\\x00d\\x00_\\x000\\x00x\\x000\\x000\\x000\\x000\\x000\\x000\\x000\\x00"
              }
            ],
            "repeated": 0,
            "id": 25059
          },
          {
            "timestamp": "2026-05-28 22:02:53,521",
            "thread_id": "5448",
            "caller": "0x7ff6c28c63dd",
            "parentcaller": "0x7ff6c28bac26",
            "category": "misc",
            "api": "NtQuerySystemInformation",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SystemInformationClass",
                "value": "5",
                "pretty_value": "FILE_OVERWRITE_IF"
              }
            ],
            "repeated": 0,
            "id": 25060
          },
          {
            "timestamp": "2026-05-28 22:02:53,521",
            "thread_id": "5448",
            "caller": "0x7ff6c28bda50",
            "parentcaller": "0x7ff6c28d9f92",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "23"
              },
              {
                "name": "ThreadInformation",
                "value": "\nq\\x0br\\x00\\x00\\x00\\x00\"\\x0e\\xa6+o\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "5448"
              }
            ],
            "repeated": 0,
            "id": 25061
          },
          {
            "timestamp": "2026-05-28 22:02:53,521",
            "thread_id": "5448",
            "caller": "0x7ff6c28bdaa2",
            "parentcaller": "0x7ff6c28d9f92",
            "category": "misc",
            "api": "NtQuerySystemInformation",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SystemInformationClass",
                "value": "3",
                "pretty_value": "FILE_OPEN_IF"
              }
            ],
            "repeated": 0,
            "id": 25062
          },
          {
            "timestamp": "2026-05-28 22:02:53,521",
            "thread_id": "5448",
            "caller": "0x7ff6c28c4a58",
            "parentcaller": "0x7ff6c28c4bdc",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000410"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\PcwDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00224013"
              },
              {
                "name": "InputBuffer",
                "value": "\\x14\\x04\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": "\\xb8\\x01\\x00\\x00\\x10\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xa8\\x01\\x00\\x00 \\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x000\\x00\\x00\\x0c\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00`\\x00\\x00\\x00\\x00\\x00\\x00\\x00 \\x00\\x00\\x00\\x04\\x00\\x00\\x000\\x00,\\x000\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x04\\x00\\x08\\x00V!\\x83\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x05\\x00\\x08\\x00VN\\xb4\\x01\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x1a\\x00\\x08\\x00J\\x11\\xf0+\\x01\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x1b\\x00\\x04\\x00\\x1f \\x9f\\x04\\x00\\x00\\x00\\x00`\\x00\\x00\\x00\\x01\\x00\\x00\\x00 \\x00\\x00\\x00\\x04\\x00\\x00\\x000\\x00,\\x001\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x04\\x00\\x08\\x00\\xaey^\\x01\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x05\\x00\\x08\\x00T\\xea*\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x1a\\x00\\x08\\x00Z8\\1\\x01\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x1b\\x00\\x04\\x00# \\x9f\\x04\\x00\\x00\\x00\\x00h\\x00\\x00\\x00\\x02\\x00\\x00\\x00(\\x00\\x00\\x00\\x04\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 25063
          },
          {
            "timestamp": "2026-05-28 22:02:53,521",
            "thread_id": "5448",
            "caller": "0x7ff6c28c4a58",
            "parentcaller": "0x7ff6c28c4c19",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000410"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\PcwDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00224013"
              },
              {
                "name": "InputBuffer",
                "value": "\\x18\\x04\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": "x\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00h\\x00\\x00\\x00 \\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00H\\x00\\x00\\x00\\x00\\x00\\x00\\x00(\\x00\\x00\\x00\\x02\\x00\\x00\\x00d\\x00e\\x00f\\x00a\\x00u\\x00l\\x00t\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x08\\x00\\x1b\\xac\\xe2\\xa3\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x01\\x00\\x08\\x00\\x00h\\xc0\\x0e\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 25064
          },
          {
            "timestamp": "2026-05-28 22:02:53,521",
            "thread_id": "5448",
            "caller": "0x7ff6c28c6f7b",
            "parentcaller": "0x7ff6c28bdb94",
            "category": "misc",
            "api": "GlobalMemoryStatusEx",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "MemoryLoad",
                "value": "31"
              },
              {
                "name": "TotalPhysicalMB",
                "value": "8191"
              }
            ],
            "repeated": 0,
            "id": 25065
          },
          {
            "timestamp": "2026-05-28 22:02:53,521",
            "thread_id": "5448",
            "caller": "0x7ff6c28c05ac",
            "parentcaller": "0x7ff6c28bdc11",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000ac0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001400",
                "pretty_value": "PROCESS_QUERY_INFORMATION|PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "748"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe"
              }
            ],
            "repeated": 0,
            "id": 25066
          },
          {
            "timestamp": "2026-05-28 22:02:53,521",
            "thread_id": "5448",
            "caller": "0x7ff6c28c068f",
            "parentcaller": "0x7ff6c28bdc11",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000ac0"
              }
            ],
            "repeated": 0,
            "id": 25067
          },
          {
            "timestamp": "2026-05-28 22:02:53,521",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c6d7d",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000ac0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001400",
                "pretty_value": "PROCESS_QUERY_INFORMATION|PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "748"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe"
              }
            ],
            "repeated": 0,
            "id": 25068
          },
          {
            "timestamp": "2026-05-28 22:02:53,521",
            "thread_id": "5448",
            "caller": "0x7ff6c28c6de3",
            "parentcaller": "0x7ff6c28c087c",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000ac0"
              }
            ],
            "repeated": 0,
            "id": 25069
          },
          {
            "timestamp": "2026-05-28 22:02:53,521",
            "thread_id": "2700",
            "caller": "0x7ff6c28d9214",
            "parentcaller": "0x00000000",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "0",
                "pretty_value": "ThreadBasicInformation"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x03\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xd0\\x86\\x9d\\xf0\\x00\\x00\\x00\\xe8\\x1e\\x00\\x00\\x00\\x00\\x00\\x00\\x8c\n\\x00\\x00\\x00\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\n\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "2700"
              }
            ],
            "repeated": 0,
            "id": 25070
          },
          {
            "timestamp": "2026-05-28 22:02:53,521",
            "thread_id": "2700",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000000",
                "pretty_value": "HKEY_CLASSES_ROOT"
              },
              {
                "name": "SubKey",
                "value": "CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_CLASSES_ROOT\\CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              }
            ],
            "repeated": 0,
            "id": 25071
          },
          {
            "timestamp": "2026-05-28 22:02:53,521",
            "thread_id": "2700",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "shell32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76730000"
              }
            ],
            "repeated": 0,
            "id": 25072
          },
          {
            "timestamp": "2026-05-28 22:02:53,521",
            "thread_id": "2700",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x7ffc76730000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "shell32.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 25073
          },
          {
            "timestamp": "2026-05-28 22:02:53,521",
            "thread_id": "2700",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "SHELL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc76730000"
              },
              {
                "name": "FunctionName",
                "value": "DllGetClassObject"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc767878f0"
              }
            ],
            "repeated": 0,
            "id": 25074
          },
          {
            "timestamp": "2026-05-28 22:02:53,521",
            "thread_id": "2700",
            "caller": "0x7ff6c28c27c9",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "synchronization",
            "api": "NtFindAtom",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "AtomName",
                "value": "{57086C23-86C6-478F-AFB2-236188C8F47F} 3"
              },
              {
                "name": "Atom",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 25075
          },
          {
            "timestamp": "2026-05-28 22:02:53,521",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6fb1",
            "parentcaller": "0x7ff6c28e0076",
            "category": "system",
            "api": "NtDelayExecution",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 25076
          },
          {
            "timestamp": "2026-05-28 22:02:53,521",
            "thread_id": "2700",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000000",
                "pretty_value": "HKEY_CLASSES_ROOT"
              },
              {
                "name": "SubKey",
                "value": "CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_CLASSES_ROOT\\CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              }
            ],
            "repeated": 0,
            "id": 25077
          },
          {
            "timestamp": "2026-05-28 22:02:53,521",
            "thread_id": "2700",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "shell32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76730000"
              }
            ],
            "repeated": 0,
            "id": 25078
          },
          {
            "timestamp": "2026-05-28 22:02:53,521",
            "thread_id": "2700",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x7ffc76730000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "shell32.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 25079
          },
          {
            "timestamp": "2026-05-28 22:02:53,521",
            "thread_id": "2700",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "SHELL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc76730000"
              },
              {
                "name": "FunctionName",
                "value": "DllGetClassObject"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc767878f0"
              }
            ],
            "repeated": 0,
            "id": 25080
          },
          {
            "timestamp": "2026-05-28 22:02:53,521",
            "thread_id": "2700",
            "caller": "0x7ff6c28c27c9",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "synchronization",
            "api": "NtFindAtom",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "AtomName",
                "value": "{57086C23-86C6-478F-AFB2-236188C8F47F} 3"
              },
              {
                "name": "Atom",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 25081
          },
          {
            "timestamp": "2026-05-28 22:02:53,521",
            "thread_id": "2700",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000000",
                "pretty_value": "HKEY_CLASSES_ROOT"
              },
              {
                "name": "SubKey",
                "value": "CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_CLASSES_ROOT\\CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              }
            ],
            "repeated": 0,
            "id": 25082
          },
          {
            "timestamp": "2026-05-28 22:02:53,521",
            "thread_id": "2700",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "shell32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76730000"
              }
            ],
            "repeated": 0,
            "id": 25083
          },
          {
            "timestamp": "2026-05-28 22:02:53,521",
            "thread_id": "2700",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x7ffc76730000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "shell32.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 25084
          },
          {
            "timestamp": "2026-05-28 22:02:53,521",
            "thread_id": "2700",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "SHELL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc76730000"
              },
              {
                "name": "FunctionName",
                "value": "DllGetClassObject"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc767878f0"
              }
            ],
            "repeated": 0,
            "id": 25085
          },
          {
            "timestamp": "2026-05-28 22:02:53,521",
            "thread_id": "2700",
            "caller": "0x7ff6c28c27c9",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "synchronization",
            "api": "NtFindAtom",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "AtomName",
                "value": "{57086C23-86C6-478F-AFB2-236188C8F47F} 3"
              },
              {
                "name": "Atom",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 25086
          },
          {
            "timestamp": "2026-05-28 22:02:53,521",
            "thread_id": "2700",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000000",
                "pretty_value": "HKEY_CLASSES_ROOT"
              },
              {
                "name": "SubKey",
                "value": "CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_CLASSES_ROOT\\CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              }
            ],
            "repeated": 0,
            "id": 25087
          },
          {
            "timestamp": "2026-05-28 22:02:53,521",
            "thread_id": "2700",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "shell32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76730000"
              }
            ],
            "repeated": 0,
            "id": 25088
          },
          {
            "timestamp": "2026-05-28 22:02:53,521",
            "thread_id": "2700",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x7ffc76730000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "shell32.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 25089
          },
          {
            "timestamp": "2026-05-28 22:02:53,521",
            "thread_id": "2700",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "SHELL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc76730000"
              },
              {
                "name": "FunctionName",
                "value": "DllGetClassObject"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc767878f0"
              }
            ],
            "repeated": 0,
            "id": 25090
          },
          {
            "timestamp": "2026-05-28 22:02:53,521",
            "thread_id": "2700",
            "caller": "0x7ff6c28c27c9",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "synchronization",
            "api": "NtFindAtom",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "AtomName",
                "value": "{57086C23-86C6-478F-AFB2-236188C8F47F} 3"
              },
              {
                "name": "Atom",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 25091
          },
          {
            "timestamp": "2026-05-28 22:02:53,521",
            "thread_id": "2700",
            "caller": "0x7ff6c28d9322",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "oleaut32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc77330000"
              }
            ],
            "repeated": 0,
            "id": 25092
          },
          {
            "timestamp": "2026-05-28 22:02:53,521",
            "thread_id": "5448",
            "caller": "0x7ff6c28bb952",
            "parentcaller": "0x7ff6c28be837",
            "category": "windows",
            "api": "PostMessageW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "WindowHandle",
                "value": "0x00010402"
              },
              {
                "name": "Message",
                "value": "0x00000464"
              }
            ],
            "repeated": 0,
            "id": 25093
          },
          {
            "timestamp": "2026-05-28 22:02:53,521",
            "thread_id": "5448",
            "caller": "0x7ff6c28be873",
            "parentcaller": "0x7ff6c28d9f92",
            "category": "windows",
            "api": "PostMessageW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "WindowHandle",
                "value": "0x000203fa"
              },
              {
                "name": "Message",
                "value": "0x000004dd"
              }
            ],
            "repeated": 0,
            "id": 25094
          },
          {
            "timestamp": "2026-05-28 22:02:53,521",
            "thread_id": "608",
            "caller": "0x7ff6c28d9e90",
            "parentcaller": "0x7ff6c28d9a49",
            "category": "windows",
            "api": "FindWindowW",
            "status": true,
            "return": "0x00010092",
            "arguments": [
              {
                "name": "ClassName",
                "value": "Shell_TrayWnd"
              },
              {
                "name": "WindowName",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 25095
          },
          {
            "timestamp": "2026-05-28 22:02:53,521",
            "thread_id": "2700",
            "caller": "0x7ffc77bf0e98",
            "parentcaller": "0x7ffc77c6b785",
            "category": "windows",
            "api": "PostMessageW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "WindowHandle",
                "value": "0x00010438"
              },
              {
                "name": "Message",
                "value": "0x00000400"
              }
            ],
            "repeated": 0,
            "id": 25096
          },
          {
            "timestamp": "2026-05-28 22:02:54,521",
            "thread_id": "5448",
            "caller": "0x7ff6c28bd9af",
            "parentcaller": "0x7ff6c28d9f92",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "23"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x8ep'r\\x00\\x00\\x00\\x00&\\x89\\x04\\x07p\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "5448"
              }
            ],
            "repeated": 0,
            "id": 25097
          },
          {
            "timestamp": "2026-05-28 22:02:54,521",
            "thread_id": "5448",
            "caller": "0x7ff6c28c63dd",
            "parentcaller": "0x7ff6c28bac26",
            "category": "misc",
            "api": "NtQuerySystemInformation",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SystemInformationClass",
                "value": "5",
                "pretty_value": "FILE_OVERWRITE_IF"
              }
            ],
            "repeated": 0,
            "id": 25098
          },
          {
            "timestamp": "2026-05-28 22:02:54,521",
            "thread_id": "5448",
            "caller": "0x7ff6c28bda50",
            "parentcaller": "0x7ff6c28d9f92",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "23"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x98\\xf8]r\\x00\\x00\\x00\\x00j\\xa4<\\x07p\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "5448"
              }
            ],
            "repeated": 0,
            "id": 25099
          },
          {
            "timestamp": "2026-05-28 22:02:54,521",
            "thread_id": "5448",
            "caller": "0x7ff6c28bdaa2",
            "parentcaller": "0x7ff6c28d9f92",
            "category": "misc",
            "api": "NtQuerySystemInformation",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SystemInformationClass",
                "value": "3",
                "pretty_value": "FILE_OPEN_IF"
              }
            ],
            "repeated": 0,
            "id": 25100
          },
          {
            "timestamp": "2026-05-28 22:02:54,521",
            "thread_id": "5448",
            "caller": "0x7ff6c28c4a58",
            "parentcaller": "0x7ff6c28c4bdc",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000410"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\PcwDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00224013"
              },
              {
                "name": "InputBuffer",
                "value": "\\x14\\x04\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": "\\xb8\\x01\\x00\\x00\\x10\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xa8\\x01\\x00\\x00 \\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x000\\x00\\x00\\x0c\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00`\\x00\\x00\\x00\\x00\\x00\\x00\\x00 \\x00\\x00\\x00\\x04\\x00\\x00\\x000\\x00,\\x000\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x04\\x00\\x08\\x00V!\\x83\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x05\\x00\\x08\\x00VN\\xb4\\x01\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x1a\\x00\\x08\\x00_$\\xa9/\\x01\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x1b\\x00\\x04\\x00\\xfe\\xa7\\xa8\\x04\\x00\\x00\\x00\\x00`\\x00\\x00\\x00\\x01\\x00\\x00\\x00 \\x00\\x00\\x00\\x04\\x00\\x00\\x000\\x00,\\x001\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x04\\x00\\x08\\x00\\xaey^\\x01\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x05\\x00\\x08\\x00T\\xea*\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x1a\\x00\\x08\\x00\\x96K\\x155\\x01\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x1b\\x00\\x04\\x00\\x02\\xa8\\xa8\\x04\\x00\\x00\\x00\\x00h\\x00\\x00\\x00\\x02\\x00\\x00\\x00(\\x00\\x00\\x00\\x04\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 25101
          },
          {
            "timestamp": "2026-05-28 22:02:54,521",
            "thread_id": "8604",
            "caller": "0x7ff6c28c4a58",
            "parentcaller": "0x7ff6c28bab11",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000410"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\PcwDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00224013"
              },
              {
                "name": "InputBuffer",
                "value": "\\x88\\x08\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": "x\\x02\\x00\\x00\\x10\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00h\\x02\\x00\\x00 \\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01<\\x06\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x90\\x00\\x00\\x00\\x00\\x00\\x00\\x00 \\x00\\x00\\x00\\x07\\x00\\x00\\x000\\x00,\\x000\\x00\\x00\\x00a\\x00n\\x00a\\x00g\\x00\\x10\\x00\\x00\\x00\\x10\\x00\\x04\\x00\\x00\\x00\\x00\\x00A\\x00p\\x00\\x10\\x00\\x00\\x00\\x1a\\x00\\x08\\x00t,\\xa9/\\x01\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x1b\\x00\\x04\\x00\\x12\\xa8\\xa8\\x04S\\x00e\\x00\\x10\\x00\\x00\\x00\\x1c\\x00\\x08\\x00\\x8b\\xc2\\xc4\\x08\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x1d\\x00\\x04\\x00\\x12\\xa8\\xa8\\x04)\\x00\\x00\\x00\\x10\\x00\\x00\\x00!\\x00\\x08\\x00\\x888\\xf0\\xb8+\\x00\\x00\\x00\\x10\\x00\\x00\\x00\"\\x00\\x04\\x00*_\t\\x03o\\x00f\\x00\\x90\\x00\\x00\\x00\\x01\\x00\\x00\\x00 \\x00\\x00\\x00\\x07\\x00\\x00\\x000\\x00,\\x001\\x00\\x00\\x00n\\x00t\\x00\\x00\\x00A\\x00\\x10\\x00\\x00\\x00\\x10\\x00\\x04\\x00\\x00\\x00\\x00\\x00e\\x00n\\x00\\x10\\x00\\x00\\x00\\x1a\\x00\\x08\\x00\\xdcR\\x155\\x01\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 25102
          },
          {
            "timestamp": "2026-05-28 22:02:54,521",
            "thread_id": "5448",
            "caller": "0x7ffc75738f98",
            "parentcaller": "0x7ffc75738f0a",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000410"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\PcwDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00224013"
              },
              {
                "name": "InputBuffer",
                "value": "\\x18\\x04\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": "x\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00h\\x00\\x00\\x00 \\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00H\\x00\\x00\\x00\\x00\\x00\\x00\\x00(\\x00\\x00\\x00\\x02\\x00\\x00\\x00d\\x00e\\x00f\\x00a\\x00u\\x00l\\x00t\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x08\\x00\\x1b\\xbc\\x12\\xa4\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x01\\x00\\x08\\x00\\x00\\xd8\\xc2\\x0e\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 25103
          },
          {
            "timestamp": "2026-05-28 22:02:54,521",
            "thread_id": "8604",
            "caller": "0x7ff6c28c7164",
            "parentcaller": "0x7ff6c28c4d2d",
            "category": "misc",
            "api": "NtQuerySystemInformation",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "SystemInformationClass",
                "value": "79"
              }
            ],
            "repeated": 0,
            "id": 25104
          },
          {
            "timestamp": "2026-05-28 22:02:54,521",
            "thread_id": "8604",
            "caller": "0x7ff6c28c71d8",
            "parentcaller": "0x7ff6c28c4d2d",
            "category": "misc",
            "api": "NtQuerySystemInformation",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SystemInformationClass",
                "value": "79"
              }
            ],
            "repeated": 0,
            "id": 25105
          },
          {
            "timestamp": "2026-05-28 22:02:54,521",
            "thread_id": "5448",
            "caller": "0x7ff6c28c6f7b",
            "parentcaller": "0x7ff6c28bdb94",
            "category": "misc",
            "api": "GlobalMemoryStatusEx",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "MemoryLoad",
                "value": "31"
              },
              {
                "name": "TotalPhysicalMB",
                "value": "8191"
              }
            ],
            "repeated": 0,
            "id": 25106
          },
          {
            "timestamp": "2026-05-28 22:02:54,521",
            "thread_id": "8604",
            "caller": "0x7ff6c28c4d5f",
            "parentcaller": "0x7ff6c28d9152",
            "category": "misc",
            "api": "NtQuerySystemInformation",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SystemInformationClass",
                "value": "182"
              }
            ],
            "repeated": 0,
            "id": 25107
          },
          {
            "timestamp": "2026-05-28 22:02:54,521",
            "thread_id": "8604",
            "caller": "0x7ff6c28c4d76",
            "parentcaller": "0x7ff6c28d9152",
            "category": "misc",
            "api": "GetPhysicallyInstalledSystemMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TotalMemoryInKilobytes",
                "value": "8388608"
              }
            ],
            "repeated": 0,
            "id": 25108
          },
          {
            "timestamp": "2026-05-28 22:02:54,521",
            "thread_id": "5448",
            "caller": "0x7ff6c28c05ac",
            "parentcaller": "0x7ff6c28bdc11",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000ac4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001400",
                "pretty_value": "PROCESS_QUERY_INFORMATION|PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "748"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe"
              }
            ],
            "repeated": 0,
            "id": 25109
          },
          {
            "timestamp": "2026-05-28 22:02:54,521",
            "thread_id": "5448",
            "caller": "0x7ff6c28c068f",
            "parentcaller": "0x7ff6c28bdc11",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000ac4"
              }
            ],
            "repeated": 0,
            "id": 25110
          },
          {
            "timestamp": "2026-05-28 22:02:54,521",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c6d7d",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000ac4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001400",
                "pretty_value": "PROCESS_QUERY_INFORMATION|PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "748"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe"
              }
            ],
            "repeated": 0,
            "id": 25111
          },
          {
            "timestamp": "2026-05-28 22:02:54,521",
            "thread_id": "5448",
            "caller": "0x7ff6c28c6de3",
            "parentcaller": "0x7ff6c28c087c",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000ac4"
              }
            ],
            "repeated": 0,
            "id": 25112
          },
          {
            "timestamp": "2026-05-28 22:02:54,521",
            "thread_id": "8604",
            "caller": "0x7ff6c28bcc3e",
            "parentcaller": "0x7ff6c28baa3d",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000008a4"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\Nsi"
              },
              {
                "name": "IoControlCode",
                "value": "0x00120007"
              },
              {
                "name": "InputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb1\\xa9t\\xfc\\x7f\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xc0\\xe5O\\x9e\\xf0\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb1\\xa9t\\xfc\\x7f\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xc0\\xe5O\\x9e\\xf0\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 25113
          },
          {
            "timestamp": "2026-05-28 22:02:54,521",
            "thread_id": "8604",
            "caller": "0x7ff6c28bcc3e",
            "parentcaller": "0x7ff6c28baa3d",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000ab8"
              }
            ],
            "repeated": 0,
            "id": 25114
          },
          {
            "timestamp": "2026-05-28 22:02:54,521",
            "thread_id": "2700",
            "caller": "0x7ff6c28d9214",
            "parentcaller": "0x00000000",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "0",
                "pretty_value": "ThreadBasicInformation"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x03\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xd0\\x86\\x9d\\xf0\\x00\\x00\\x00\\xe8\\x1e\\x00\\x00\\x00\\x00\\x00\\x00\\x8c\n\\x00\\x00\\x00\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\n\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "2700"
              }
            ],
            "repeated": 0,
            "id": 25115
          },
          {
            "timestamp": "2026-05-28 22:02:54,521",
            "thread_id": "8604",
            "caller": "0x7ff6c28bcc3e",
            "parentcaller": "0x7ff6c28baa3d",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000008a4"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\Nsi"
              },
              {
                "name": "IoControlCode",
                "value": "0x0012000f"
              },
              {
                "name": "InputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb1\\xa9t\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xd0\\xe5O\\x9e\\xf0\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\xeeO\\x9e\\xf0\\x00\\x00\\x00D\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xe6O\\x9e\\xf0\\x00\\x00\\x00\\xd8\\x00\\x00\\x00\\x00\\x00\\x00\\x00 \\xe9O\\x9e\\xf0\\x00\\x00\\x00X\\x02\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb1\\xa9t\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xd0\\xe5O\\x9e\\xf0\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\xeeO\\x9e\\xf0\\x00\\x00\\x00D\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xe6O\\x9e\\xf0\\x00\\x00\\x00\\xd8\\x00\\x00\\x00\\x00\\x00\\x00\\x00 \\xe9O\\x9e\\xf0\\x00\\x00\\x00X\\x02\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 25116
          },
          {
            "timestamp": "2026-05-28 22:02:54,521",
            "thread_id": "8604",
            "caller": "0x7ff6c28bcc3e",
            "parentcaller": "0x7ff6c28baa3d",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000ab8"
              }
            ],
            "repeated": 0,
            "id": 25117
          },
          {
            "timestamp": "2026-05-28 22:02:54,521",
            "thread_id": "8604",
            "caller": "0x7ff6c28bcd3d",
            "parentcaller": "0x7ff6c28baa3d",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000ab8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0012019f",
                "pretty_value": "FILE_GENERIC_READ|FILE_GENERIC_WRITE"
              },
              {
                "name": "FileName",
                "value": "\\Device\\{4C572733-2FBA-4346-9601-F86DBA666EF2}"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 25118
          },
          {
            "timestamp": "2026-05-28 22:02:54,521",
            "thread_id": "2700",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000000",
                "pretty_value": "HKEY_CLASSES_ROOT"
              },
              {
                "name": "SubKey",
                "value": "CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_CLASSES_ROOT\\CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              }
            ],
            "repeated": 0,
            "id": 25119
          },
          {
            "timestamp": "2026-05-28 22:02:54,521",
            "thread_id": "2700",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "shell32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76730000"
              }
            ],
            "repeated": 0,
            "id": 25120
          },
          {
            "timestamp": "2026-05-28 22:02:54,521",
            "thread_id": "2700",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x7ffc76730000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "shell32.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 25121
          },
          {
            "timestamp": "2026-05-28 22:02:54,521",
            "thread_id": "8604",
            "caller": "0x7ff6c28bcd94",
            "parentcaller": "0x7ff6c28baa3d",
            "category": "device",
            "api": "DeviceIoControl",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "DeviceHandle",
                "value": "0x00000ab8"
              },
              {
                "name": "IoControlCode",
                "value": "0x0017003e"
              },
              {
                "name": "InBuffer",
                "value": "\\x07\\x01\\x01\\x00\\x04\\x01\\x01\\x80\\x14\\x01\\x01\\x80\\x01\\x01\\x02\\x00\\x02\\x01\\x02\\x00\\x03\\x01\\x02\\x00\\x04\\x01\\x02\\x00\\x08\\x02\\x02\\x80\\x01\\x02\\x02\\x80\\x07\\x02\\x02\\x80\\xff\\xff\\xff\\x80\\x13\\x02\\x02\\x80\\x14\\x02\\x02\\x80\\x15\\x02\\x02\\x80\\x02\\x02\\x01\\x80"
              },
              {
                "name": "OutBuffer",
                "value": "\\x07\\x01\\x01\\x00\\x04\\x00\\x00\\x00\\x80\\x96\\x98\\x00\\x04\\x01\\x01\\x80\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x14\\x01\\x01\\x80\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x01\\x02\\x00\\x08\\x00\\x00\\x00\\xca\\x17\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x01\\x02\\x00\\x08\\x00\\x00\\x00\\xffr\\x00\\x00\\x00\\x00\\x00\\x00\\x03\\x01\\x02\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x04\\x01\\x02\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x08\\x02\\x02\\x80\\x08\\x00\\x00\\x00\\xfar\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x02\\x02\\x80\\x08\\x00\\x00\\x00\\x83wa\\x00\\x00\\x00\\x00\\x00\\x07\\x02\\x02\\x80\\x08\\x00\\x00\\x00LEC\\x02\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\x80\\x04\\x00\\x00\\x00x\\x00\\x00\\x00\\x13\\x02\\x02\\x80\\x04\\x00\\x00\\x00m\\x00\\x00\\x00\\x14\\x02\\x02\\x80\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x15\\x02\\x02\\x80\\x04\\x00\\x00\\x00\\x00\\x00\\x04\\x00\\x02\\x02\\x01\\x80\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 25122
          },
          {
            "timestamp": "2026-05-28 22:02:54,521",
            "thread_id": "2700",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "SHELL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc76730000"
              },
              {
                "name": "FunctionName",
                "value": "DllGetClassObject"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc767878f0"
              }
            ],
            "repeated": 0,
            "id": 25123
          },
          {
            "timestamp": "2026-05-28 22:02:54,521",
            "thread_id": "8604",
            "caller": "0x7ff6c28bcdab",
            "parentcaller": "0x7ff6c28baa3d",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000ab8"
              }
            ],
            "repeated": 0,
            "id": 25124
          },
          {
            "timestamp": "2026-05-28 22:02:54,521",
            "thread_id": "8604",
            "caller": "0x7ff6c28c1a63",
            "parentcaller": "0x7ff6c28d9152",
            "category": "device",
            "api": "DeviceIoControl",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "DeviceHandle",
                "value": "0x0000089c"
              },
              {
                "name": "IoControlCode",
                "value": "0x00070020"
              },
              {
                "name": "InBuffer",
                "value": ""
              },
              {
                "name": "OutBuffer",
                "value": "\\x00\\xf2,y\\x00\\x00\\x00\\x00\\x00\\xd8\\xe4\\x0c\\x00\\x00\\x00\\x00\\xe0\\x8e\\xc1 \\x00\\x00\\x00\\x00\\x82\\x80\\x82\\x16\\x00\\x00\\x00\\x00e:o5\\x00\\x00\\x00\\x00%w\\x00\\x00d\\x12\\x00\\x00\\x00\\x00\\x00\\x00\\x05\\x05\\x00\\x00\\xde\\x01 \\xbc\\xed\\xee\\xdc\\x01\\x00\\x00\\x00\\x00P\\x00a\\x00r\\x00t\\x00m\\x00g\\x00r\\x00 \\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 25125
          },
          {
            "timestamp": "2026-05-28 22:02:54,521",
            "thread_id": "8604",
            "caller": "0x7ff6c28ca352",
            "parentcaller": "0x7ff6c28ca1d6",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 25126
          },
          {
            "timestamp": "2026-05-28 22:02:54,521",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6fb1",
            "parentcaller": "0x7ff6c28e0076",
            "category": "system",
            "api": "NtDelayExecution",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 25127
          },
          {
            "timestamp": "2026-05-28 22:02:54,521",
            "thread_id": "8604",
            "caller": "0x7ff6c28ca352",
            "parentcaller": "0x7ff6c28ca1d6",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "0",
                "pretty_value": "ThreadBasicInformation"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x03\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb0\\x88\\x9d\\xf0\\x00\\x00\\x00\\xe8\\x1e\\x00\\x00\\x00\\x00\\x00\\x00\\x9c!\\x00\\x00\\x00\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x0b\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "8604"
              }
            ],
            "repeated": 0,
            "id": 25128
          },
          {
            "timestamp": "2026-05-28 22:02:54,521",
            "thread_id": "8604",
            "caller": "0x7ff6c28ca352",
            "parentcaller": "0x7ff6c28ca1d6",
            "category": "system",
            "api": "GetSystemTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 1,
            "id": 25129
          },
          {
            "timestamp": "2026-05-28 22:02:54,521",
            "thread_id": "8604",
            "caller": "0x7ff6c28ca352",
            "parentcaller": "0x7ff6c28ca1d6",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000410"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\PcwDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00224013"
              },
              {
                "name": "InputBuffer",
                "value": "\\x00\t\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": "\\xe0G\\x00\\x00\\x10\\x00\\x00\\x00\\x0c\\x00\\x00\\x00\\x00\\x00\\x00\\x00`\\x14\\x00\\x00 \\x00\\x00\\x00!\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\n\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x98\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x88\\x00\\x00\\x00\\x01\\x00\\x00\\x00p\\x00i\\x00d\\x00_\\x004\\x00_\\x00l\\x00u\\x00i\\x00d\\x00_\\x000\\x00x\\x000\\x000\\x000\\x000\\x000\\x000\\x000\\x000\\x00_\\x000\\x00x\\x000\\x000\\x000\\x000\\x006\\x001\\x006\\x00A\\x00_\\x00p\\x00h\\x00y\\x00s\\x00_\\x000\\x00_\\x00e\\x00n\\x00g\\x00_\\x000\\x00_\\x00e\\x00n\\x00g\\x00t\\x00y\\x00p\\x00e\\x00_\\x003\\x00D\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x01\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x98\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x88\\x00\\x00\\x00\\x01\\x00\\x00\\x00p\\x00i\\x00d\\x00_\\x004\\x00_\\x00l\\x00u\\x00i\\x00d\\x00_\\x000\\x00x\\x000\\x000\\x000\\x000\\x000\\x000\\x000\\x00"
              }
            ],
            "repeated": 0,
            "id": 25130
          },
          {
            "timestamp": "2026-05-28 22:02:54,521",
            "thread_id": "2700",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000000",
                "pretty_value": "HKEY_CLASSES_ROOT"
              },
              {
                "name": "SubKey",
                "value": "CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_CLASSES_ROOT\\CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              }
            ],
            "repeated": 0,
            "id": 25131
          },
          {
            "timestamp": "2026-05-28 22:02:54,521",
            "thread_id": "2700",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "shell32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76730000"
              }
            ],
            "repeated": 0,
            "id": 25132
          },
          {
            "timestamp": "2026-05-28 22:02:54,521",
            "thread_id": "2700",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x7ffc76730000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "shell32.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 25133
          },
          {
            "timestamp": "2026-05-28 22:02:54,521",
            "thread_id": "2700",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "SHELL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc76730000"
              },
              {
                "name": "FunctionName",
                "value": "DllGetClassObject"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc767878f0"
              }
            ],
            "repeated": 0,
            "id": 25134
          },
          {
            "timestamp": "2026-05-28 22:02:54,521",
            "thread_id": "2700",
            "caller": "0x7ff6c28c27c9",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "synchronization",
            "api": "NtFindAtom",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "AtomName",
                "value": "{57086C23-86C6-478F-AFB2-236188C8F47F} 3"
              },
              {
                "name": "Atom",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 25135
          },
          {
            "timestamp": "2026-05-28 22:02:54,521",
            "thread_id": "1004",
            "caller": "0x7ffc77bf0e98",
            "parentcaller": "0x7ffc77c6b785",
            "category": "windows",
            "api": "PostMessageW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "WindowHandle",
                "value": "0x00010424"
              },
              {
                "name": "Message",
                "value": "0x00000400"
              }
            ],
            "repeated": 0,
            "id": 25136
          },
          {
            "timestamp": "2026-05-28 22:02:54,521",
            "thread_id": "2700",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000000",
                "pretty_value": "HKEY_CLASSES_ROOT"
              },
              {
                "name": "SubKey",
                "value": "CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_CLASSES_ROOT\\CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              }
            ],
            "repeated": 0,
            "id": 25137
          },
          {
            "timestamp": "2026-05-28 22:02:54,521",
            "thread_id": "2700",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "shell32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76730000"
              }
            ],
            "repeated": 0,
            "id": 25138
          },
          {
            "timestamp": "2026-05-28 22:02:54,521",
            "thread_id": "2700",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x7ffc76730000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "shell32.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 25139
          },
          {
            "timestamp": "2026-05-28 22:02:54,521",
            "thread_id": "2700",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "SHELL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc76730000"
              },
              {
                "name": "FunctionName",
                "value": "DllGetClassObject"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc767878f0"
              }
            ],
            "repeated": 0,
            "id": 25140
          },
          {
            "timestamp": "2026-05-28 22:02:54,521",
            "thread_id": "2700",
            "caller": "0x7ff6c28c27c9",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "synchronization",
            "api": "NtFindAtom",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "AtomName",
                "value": "{57086C23-86C6-478F-AFB2-236188C8F47F} 3"
              },
              {
                "name": "Atom",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 25141
          },
          {
            "timestamp": "2026-05-28 22:02:54,521",
            "thread_id": "2700",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000000",
                "pretty_value": "HKEY_CLASSES_ROOT"
              },
              {
                "name": "SubKey",
                "value": "CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_CLASSES_ROOT\\CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              }
            ],
            "repeated": 0,
            "id": 25142
          },
          {
            "timestamp": "2026-05-28 22:02:54,521",
            "thread_id": "2700",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "shell32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76730000"
              }
            ],
            "repeated": 0,
            "id": 25143
          },
          {
            "timestamp": "2026-05-28 22:02:54,521",
            "thread_id": "2700",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x7ffc76730000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "shell32.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 25144
          },
          {
            "timestamp": "2026-05-28 22:02:54,521",
            "thread_id": "2700",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "SHELL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc76730000"
              },
              {
                "name": "FunctionName",
                "value": "DllGetClassObject"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc767878f0"
              }
            ],
            "repeated": 0,
            "id": 25145
          },
          {
            "timestamp": "2026-05-28 22:02:54,521",
            "thread_id": "2700",
            "caller": "0x7ff6c28c27c9",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "synchronization",
            "api": "NtFindAtom",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "AtomName",
                "value": "{57086C23-86C6-478F-AFB2-236188C8F47F} 3"
              },
              {
                "name": "Atom",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 25146
          },
          {
            "timestamp": "2026-05-28 22:02:54,521",
            "thread_id": "2700",
            "caller": "0x7ff6c28d9322",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "oleaut32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc77330000"
              }
            ],
            "repeated": 0,
            "id": 25147
          },
          {
            "timestamp": "2026-05-28 22:02:54,521",
            "thread_id": "5448",
            "caller": "0x7ff6c28bb952",
            "parentcaller": "0x7ff6c28be837",
            "category": "windows",
            "api": "PostMessageW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "WindowHandle",
                "value": "0x00010402"
              },
              {
                "name": "Message",
                "value": "0x00000464"
              }
            ],
            "repeated": 0,
            "id": 25148
          },
          {
            "timestamp": "2026-05-28 22:02:54,521",
            "thread_id": "5448",
            "caller": "0x7ff6c28be873",
            "parentcaller": "0x7ff6c28d9f92",
            "category": "windows",
            "api": "PostMessageW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "WindowHandle",
                "value": "0x000203fa"
              },
              {
                "name": "Message",
                "value": "0x000004dd"
              }
            ],
            "repeated": 0,
            "id": 25149
          },
          {
            "timestamp": "2026-05-28 22:02:54,521",
            "thread_id": "608",
            "caller": "0x7ff6c28d9e90",
            "parentcaller": "0x7ff6c28d9a49",
            "category": "windows",
            "api": "FindWindowW",
            "status": true,
            "return": "0x00010092",
            "arguments": [
              {
                "name": "ClassName",
                "value": "Shell_TrayWnd"
              },
              {
                "name": "WindowName",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 25150
          },
          {
            "timestamp": "2026-05-28 22:02:54,521",
            "thread_id": "2700",
            "caller": "0x7ffc77bf0e98",
            "parentcaller": "0x7ffc77c6b785",
            "category": "windows",
            "api": "PostMessageW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "WindowHandle",
                "value": "0x00010438"
              },
              {
                "name": "Message",
                "value": "0x00000400"
              }
            ],
            "repeated": 0,
            "id": 25151
          },
          {
            "timestamp": "2026-05-28 22:02:55,521",
            "thread_id": "5448",
            "caller": "0x7ff6c28bd9af",
            "parentcaller": "0x7ff6c28d9f92",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "23"
              },
              {
                "name": "ThreadInformation",
                "value": "Ru\\x89r\\x00\\x00\\x00\\x00h\\x1d\\xd7\\xe2p\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "5448"
              }
            ],
            "repeated": 0,
            "id": 25152
          },
          {
            "timestamp": "2026-05-28 22:02:55,521",
            "thread_id": "8604",
            "caller": "0x7ff6c28c4a58",
            "parentcaller": "0x7ff6c28bab11",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000410"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\PcwDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00224013"
              },
              {
                "name": "InputBuffer",
                "value": "\\x88\\x08\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": "x\\x02\\x00\\x00\\x10\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00h\\x02\\x00\\x00 \\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01<\\x06\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x90\\x00\\x00\\x00\\x00\\x00\\x00\\x00 \\x00\\x00\\x00\\x07\\x00\\x00\\x000\\x00,\\x000\\x00\\x00\\x00a\\x00n\\x00a\\x00g\\x00\\x10\\x00\\x00\\x00\\x10\\x00\\x04\\x00\\x00\\x00\\x00\\x00A\\x00p\\x00\\x10\\x00\\x00\\x00\\x1a\\x00\\x08\\x00E=b3\\x01\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x1b\\x00\\x04\\x00\\xeb/\\xb2\\x04S\\x00e\\x00\\x10\\x00\\x00\\x00\\x1c\\x00\\x08\\x00\\x8b\\xc2\\xc4\\x08\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x1d\\x00\\x04\\x00\\xeb/\\xb2\\x04)\\x00\\x00\\x00\\x10\\x00\\x00\\x00!\\x00\\x08\\x00\\xcb8*B,\\x00\\x00\\x00\\x10\\x00\\x00\\x00\"\\x00\\x04\\x00\\x03\\xe7\\x12\\x03o\\x00f\\x00\\x90\\x00\\x00\\x00\\x01\\x00\\x00\\x00 \\x00\\x00\\x00\\x07\\x00\\x00\\x000\\x00,\\x001\\x00\\x00\\x00n\\x00t\\x00\\x00\\x00A\\x00\\x10\\x00\\x00\\x00\\x10\\x00\\x04\\x00\\x00\\x00\\x00\\x00e\\x00n\\x00\\x10\\x00\\x00\\x00\\x1a\\x00\\x08\\x00\\xdfe\\xce8\\x01\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 25153
          },
          {
            "timestamp": "2026-05-28 22:02:55,521",
            "thread_id": "8604",
            "caller": "0x7ff6c28c7164",
            "parentcaller": "0x7ff6c28c4d2d",
            "category": "misc",
            "api": "NtQuerySystemInformation",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "SystemInformationClass",
                "value": "79"
              }
            ],
            "repeated": 0,
            "id": 25154
          },
          {
            "timestamp": "2026-05-28 22:02:55,521",
            "thread_id": "8604",
            "caller": "0x7ff6c28c71d8",
            "parentcaller": "0x7ff6c28c4d2d",
            "category": "misc",
            "api": "NtQuerySystemInformation",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SystemInformationClass",
                "value": "79"
              }
            ],
            "repeated": 0,
            "id": 25155
          },
          {
            "timestamp": "2026-05-28 22:02:55,521",
            "thread_id": "8604",
            "caller": "0x7ff6c28c4d5f",
            "parentcaller": "0x7ff6c28d9152",
            "category": "misc",
            "api": "NtQuerySystemInformation",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SystemInformationClass",
                "value": "182"
              }
            ],
            "repeated": 0,
            "id": 25156
          },
          {
            "timestamp": "2026-05-28 22:02:55,521",
            "thread_id": "8604",
            "caller": "0x7ff6c28c4d76",
            "parentcaller": "0x7ff6c28d9152",
            "category": "misc",
            "api": "GetPhysicallyInstalledSystemMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TotalMemoryInKilobytes",
                "value": "8388608"
              }
            ],
            "repeated": 0,
            "id": 25157
          },
          {
            "timestamp": "2026-05-28 22:02:55,521",
            "thread_id": "8604",
            "caller": "0x7ff6c28bcc3e",
            "parentcaller": "0x7ff6c28baa3d",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000008a4"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\Nsi"
              },
              {
                "name": "IoControlCode",
                "value": "0x00120007"
              },
              {
                "name": "InputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb1\\xa9t\\xfc\\x7f\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xc0\\xe5O\\x9e\\xf0\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb1\\xa9t\\xfc\\x7f\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xc0\\xe5O\\x9e\\xf0\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 25158
          },
          {
            "timestamp": "2026-05-28 22:02:55,521",
            "thread_id": "8604",
            "caller": "0x7ff6c28bcc3e",
            "parentcaller": "0x7ff6c28baa3d",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000acc"
              }
            ],
            "repeated": 0,
            "id": 25159
          },
          {
            "timestamp": "2026-05-28 22:02:55,521",
            "thread_id": "8604",
            "caller": "0x7ff6c28bcc3e",
            "parentcaller": "0x7ff6c28baa3d",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000008a4"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\Nsi"
              },
              {
                "name": "IoControlCode",
                "value": "0x0012000f"
              },
              {
                "name": "InputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb1\\xa9t\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xd0\\xe5O\\x9e\\xf0\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\xeeO\\x9e\\xf0\\x00\\x00\\x00D\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xe6O\\x9e\\xf0\\x00\\x00\\x00\\xd8\\x00\\x00\\x00\\x00\\x00\\x00\\x00 \\xe9O\\x9e\\xf0\\x00\\x00\\x00X\\x02\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb1\\xa9t\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xd0\\xe5O\\x9e\\xf0\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\xeeO\\x9e\\xf0\\x00\\x00\\x00D\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xe6O\\x9e\\xf0\\x00\\x00\\x00\\xd8\\x00\\x00\\x00\\x00\\x00\\x00\\x00 \\xe9O\\x9e\\xf0\\x00\\x00\\x00X\\x02\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 25160
          },
          {
            "timestamp": "2026-05-28 22:02:55,521",
            "thread_id": "8604",
            "caller": "0x7ff6c28bcc3e",
            "parentcaller": "0x7ff6c28baa3d",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000acc"
              }
            ],
            "repeated": 0,
            "id": 25161
          },
          {
            "timestamp": "2026-05-28 22:02:55,521",
            "thread_id": "8604",
            "caller": "0x7ff6c28bcd3d",
            "parentcaller": "0x7ff6c28baa3d",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000acc"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0012019f",
                "pretty_value": "FILE_GENERIC_READ|FILE_GENERIC_WRITE"
              },
              {
                "name": "FileName",
                "value": "\\Device\\{4C572733-2FBA-4346-9601-F86DBA666EF2}"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 25162
          },
          {
            "timestamp": "2026-05-28 22:02:55,521",
            "thread_id": "8604",
            "caller": "0x7ff6c28bcd94",
            "parentcaller": "0x7ff6c28baa3d",
            "category": "device",
            "api": "DeviceIoControl",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "DeviceHandle",
                "value": "0x00000acc"
              },
              {
                "name": "IoControlCode",
                "value": "0x0017003e"
              },
              {
                "name": "InBuffer",
                "value": "\\x07\\x01\\x01\\x00\\x04\\x01\\x01\\x80\\x14\\x01\\x01\\x80\\x01\\x01\\x02\\x00\\x02\\x01\\x02\\x00\\x03\\x01\\x02\\x00\\x04\\x01\\x02\\x00\\x08\\x02\\x02\\x80\\x01\\x02\\x02\\x80\\x07\\x02\\x02\\x80\\xff\\xff\\xff\\x80\\x13\\x02\\x02\\x80\\x14\\x02\\x02\\x80\\x15\\x02\\x02\\x80\\x02\\x02\\x01\\x80"
              },
              {
                "name": "OutBuffer",
                "value": "\\x07\\x01\\x01\\x00\\x04\\x00\\x00\\x00\\x80\\x96\\x98\\x00\\x04\\x01\\x01\\x80\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x14\\x01\\x01\\x80\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x01\\x02\\x00\\x08\\x00\\x00\\x00\\xd0\\x17\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x01\\x02\\x00\\x08\\x00\\x00\\x00\\x05s\\x00\\x00\\x00\\x00\\x00\\x00\\x03\\x01\\x02\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x04\\x01\\x02\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x08\\x02\\x02\\x80\\x08\\x00\\x00\\x00\\x00s\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x02\\x02\\x80\\x08\\x00\\x00\\x00\\xeaya\\x00\\x00\\x00\\x00\\x00\\x07\\x02\\x02\\x80\\x08\\x00\\x00\\x00WGC\\x02\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\x80\\x04\\x00\\x00\\x00y\\x00\\x00\\x00\\x13\\x02\\x02\\x80\\x04\\x00\\x00\\x00m\\x00\\x00\\x00\\x14\\x02\\x02\\x80\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x15\\x02\\x02\\x80\\x04\\x00\\x00\\x00\\x00\\x00\\x04\\x00\\x02\\x02\\x01\\x80\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 25163
          },
          {
            "timestamp": "2026-05-28 22:02:55,521",
            "thread_id": "8604",
            "caller": "0x7ff6c28bcdab",
            "parentcaller": "0x7ff6c28baa3d",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000acc"
              }
            ],
            "repeated": 0,
            "id": 25164
          },
          {
            "timestamp": "2026-05-28 22:02:55,521",
            "thread_id": "8604",
            "caller": "0x7ff6c28c1a63",
            "parentcaller": "0x7ff6c28d9152",
            "category": "device",
            "api": "DeviceIoControl",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "DeviceHandle",
                "value": "0x0000089c"
              },
              {
                "name": "IoControlCode",
                "value": "0x00070020"
              },
              {
                "name": "InBuffer",
                "value": ""
              },
              {
                "name": "OutBuffer",
                "value": "\\x00\\xd21y\\x00\\x00\\x00\\x00\\x00\\xd8\\xf4\\x0c\\x00\\x00\\x00\\x00a\\x92\\xc9 \\x00\\x00\\x00\\x00\\x0c!\\x8e\\x16\\x00\\x00\\x00\\x00\\x86\\x80\\xff5\\x00\\x00\\x00\\x007w\\x00\\x00f\\x12\\x00\\x00\\x00\\x00\\x00\\x00\\x0b\\x05\\x00\\x00\\xc6\\xa8\\xb8\\xbc\\xed\\xee\\xdc\\x01\\x00\\x00\\x00\\x00P\\x00a\\x00r\\x00t\\x00m\\x00g\\x00r\\x00 \\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 25165
          },
          {
            "timestamp": "2026-05-28 22:02:55,521",
            "thread_id": "8604",
            "caller": "0x7ff6c28ca352",
            "parentcaller": "0x7ff6c28ca1d6",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 25166
          },
          {
            "timestamp": "2026-05-28 22:02:55,521",
            "thread_id": "8604",
            "caller": "0x7ff6c28ca352",
            "parentcaller": "0x7ff6c28ca1d6",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "0",
                "pretty_value": "ThreadBasicInformation"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x03\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb0\\x88\\x9d\\xf0\\x00\\x00\\x00\\xe8\\x1e\\x00\\x00\\x00\\x00\\x00\\x00\\x9c!\\x00\\x00\\x00\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x0b\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "8604"
              }
            ],
            "repeated": 0,
            "id": 25167
          },
          {
            "timestamp": "2026-05-28 22:02:55,521",
            "thread_id": "8604",
            "caller": "0x7ff6c28ca352",
            "parentcaller": "0x7ff6c28ca1d6",
            "category": "system",
            "api": "GetSystemTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 1,
            "id": 25168
          },
          {
            "timestamp": "2026-05-28 22:02:55,521",
            "thread_id": "8604",
            "caller": "0x7ff6c28ca352",
            "parentcaller": "0x7ff6c28ca1d6",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000410"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\PcwDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00224013"
              },
              {
                "name": "InputBuffer",
                "value": "\\x00\t\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": "\\xe0G\\x00\\x00\\x10\\x00\\x00\\x00\\x0c\\x00\\x00\\x00\\x00\\x00\\x00\\x00`\\x14\\x00\\x00 \\x00\\x00\\x00!\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\n\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x98\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x88\\x00\\x00\\x00\\x01\\x00\\x00\\x00p\\x00i\\x00d\\x00_\\x004\\x00_\\x00l\\x00u\\x00i\\x00d\\x00_\\x000\\x00x\\x000\\x000\\x000\\x000\\x000\\x000\\x000\\x000\\x00_\\x000\\x00x\\x000\\x000\\x000\\x000\\x006\\x001\\x006\\x00A\\x00_\\x00p\\x00h\\x00y\\x00s\\x00_\\x000\\x00_\\x00e\\x00n\\x00g\\x00_\\x000\\x00_\\x00e\\x00n\\x00g\\x00t\\x00y\\x00p\\x00e\\x00_\\x003\\x00D\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x01\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x98\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x88\\x00\\x00\\x00\\x01\\x00\\x00\\x00p\\x00i\\x00d\\x00_\\x004\\x00_\\x00l\\x00u\\x00i\\x00d\\x00_\\x000\\x00x\\x000\\x000\\x000\\x000\\x000\\x000\\x000\\x00"
              }
            ],
            "repeated": 0,
            "id": 25169
          },
          {
            "timestamp": "2026-05-28 22:02:55,521",
            "thread_id": "5448",
            "caller": "0x7ff6c28c63dd",
            "parentcaller": "0x7ff6c28bac26",
            "category": "misc",
            "api": "NtQuerySystemInformation",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SystemInformationClass",
                "value": "5",
                "pretty_value": "SystemProcessInformation"
              }
            ],
            "repeated": 0,
            "id": 25170
          },
          {
            "timestamp": "2026-05-28 22:02:55,521",
            "thread_id": "5448",
            "caller": "0x7ff6c28bda50",
            "parentcaller": "0x7ff6c28d9f92",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "23"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x98$\\xc8r\\x00\\x00\\x00\\x00\\xba@\\x18\\xe3p\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "5448"
              }
            ],
            "repeated": 0,
            "id": 25171
          },
          {
            "timestamp": "2026-05-28 22:02:55,521",
            "thread_id": "5448",
            "caller": "0x7ff6c28bdaa2",
            "parentcaller": "0x7ff6c28d9f92",
            "category": "misc",
            "api": "NtQuerySystemInformation",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SystemInformationClass",
                "value": "3",
                "pretty_value": "SystemTimeOfDayInformation"
              }
            ],
            "repeated": 0,
            "id": 25172
          },
          {
            "timestamp": "2026-05-28 22:02:55,521",
            "thread_id": "5448",
            "caller": "0x7ff6c28c4a58",
            "parentcaller": "0x7ff6c28c4bdc",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000410"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\PcwDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00224013"
              },
              {
                "name": "InputBuffer",
                "value": "\\x14\\x04\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": "\\xb8\\x01\\x00\\x00\\x10\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xa8\\x01\\x00\\x00 \\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x000\\x00\\x00\\x0c\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00`\\x00\\x00\\x00\\x00\\x00\\x00\\x00 \\x00\\x00\\x00\\x04\\x00\\x00\\x000\\x00,\\x000\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x04\\x00\\x08\\x00V!\\x83\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x05\\x00\\x08\\x00VN\\xb4\\x01\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x1a\\x00\\x08\\x00\\xa1bc3\\x01\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x1b\\x00\\x04\\x00\\xda2\\xb2\\x04\\x00\\x00\\x00\\x00`\\x00\\x00\\x00\\x01\\x00\\x00\\x00 \\x00\\x00\\x00\\x04\\x00\\x00\\x000\\x00,\\x001\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x04\\x00\\x08\\x00\\xaey^\\x01\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x05\\x00\\x08\\x00T\\xea*\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x1a\\x00\\x08\\x00\\xb8\\x89\\xcf8\\x01\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x1b\\x00\\x04\\x00\\xdf2\\xb2\\x04\\x00\\x00\\x00\\x00h\\x00\\x00\\x00\\x02\\x00\\x00\\x00(\\x00\\x00\\x00\\x04\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 25173
          },
          {
            "timestamp": "2026-05-28 22:02:55,521",
            "thread_id": "5448",
            "caller": "0x7ff6c28c4a58",
            "parentcaller": "0x7ff6c28c4c19",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000410"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\PcwDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00224013"
              },
              {
                "name": "InputBuffer",
                "value": "\\x18\\x04\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": "x\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00h\\x00\\x00\\x00 \\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00H\\x00\\x00\\x00\\x00\\x00\\x00\\x00(\\x00\\x00\\x00\\x02\\x00\\x00\\x00d\\x00e\\x00f\\x00a\\x00u\\x00l\\x00t\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x08\\x00\\x1b\\x9c\\x17\\xa4\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x01\\x00\\x08\\x00\\x00\\xd8\\xd2\\x0e\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 25174
          },
          {
            "timestamp": "2026-05-28 22:02:55,521",
            "thread_id": "5448",
            "caller": "0x7ff6c28c6f7b",
            "parentcaller": "0x7ff6c28bdb94",
            "category": "misc",
            "api": "GlobalMemoryStatusEx",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "MemoryLoad",
                "value": "31"
              },
              {
                "name": "TotalPhysicalMB",
                "value": "8191"
              }
            ],
            "repeated": 0,
            "id": 25175
          },
          {
            "timestamp": "2026-05-28 22:02:55,521",
            "thread_id": "5448",
            "caller": "0x7ff6c28c05ac",
            "parentcaller": "0x7ff6c28bdc11",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000ac4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001400",
                "pretty_value": "PROCESS_QUERY_INFORMATION|PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "748"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe"
              }
            ],
            "repeated": 0,
            "id": 25176
          },
          {
            "timestamp": "2026-05-28 22:02:55,521",
            "thread_id": "5448",
            "caller": "0x7ff6c28c068f",
            "parentcaller": "0x7ff6c28bdc11",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000ac4"
              }
            ],
            "repeated": 0,
            "id": 25177
          },
          {
            "timestamp": "2026-05-28 22:02:55,521",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c6d7d",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000ac4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001400",
                "pretty_value": "PROCESS_QUERY_INFORMATION|PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "748"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe"
              }
            ],
            "repeated": 0,
            "id": 25178
          },
          {
            "timestamp": "2026-05-28 22:02:55,521",
            "thread_id": "5448",
            "caller": "0x7ff6c28c6de3",
            "parentcaller": "0x7ff6c28c087c",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000ac4"
              }
            ],
            "repeated": 0,
            "id": 25179
          },
          {
            "timestamp": "2026-05-28 22:02:55,521",
            "thread_id": "2700",
            "caller": "0x7ff6c28d9214",
            "parentcaller": "0x00000000",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "0",
                "pretty_value": "ThreadBasicInformation"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x03\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xd0\\x86\\x9d\\xf0\\x00\\x00\\x00\\xe8\\x1e\\x00\\x00\\x00\\x00\\x00\\x00\\x8c\n\\x00\\x00\\x00\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\n\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "2700"
              }
            ],
            "repeated": 0,
            "id": 25180
          },
          {
            "timestamp": "2026-05-28 22:02:55,521",
            "thread_id": "2700",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000000",
                "pretty_value": "HKEY_CLASSES_ROOT"
              },
              {
                "name": "SubKey",
                "value": "CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_CLASSES_ROOT\\CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              }
            ],
            "repeated": 0,
            "id": 25181
          },
          {
            "timestamp": "2026-05-28 22:02:55,521",
            "thread_id": "2700",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "shell32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76730000"
              }
            ],
            "repeated": 0,
            "id": 25182
          },
          {
            "timestamp": "2026-05-28 22:02:55,521",
            "thread_id": "2700",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x7ffc76730000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "shell32.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 25183
          },
          {
            "timestamp": "2026-05-28 22:02:55,521",
            "thread_id": "2700",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "SHELL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc76730000"
              },
              {
                "name": "FunctionName",
                "value": "DllGetClassObject"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc767878f0"
              }
            ],
            "repeated": 0,
            "id": 25184
          },
          {
            "timestamp": "2026-05-28 22:02:55,521",
            "thread_id": "2700",
            "caller": "0x7ff6c28c27c9",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "synchronization",
            "api": "NtFindAtom",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "AtomName",
                "value": "{57086C23-86C6-478F-AFB2-236188C8F47F} 3"
              },
              {
                "name": "Atom",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 25185
          },
          {
            "timestamp": "2026-05-28 22:02:55,521",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6fb1",
            "parentcaller": "0x7ff6c28e0076",
            "category": "system",
            "api": "NtDelayExecution",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 25186
          },
          {
            "timestamp": "2026-05-28 22:02:55,521",
            "thread_id": "2700",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000000",
                "pretty_value": "HKEY_CLASSES_ROOT"
              },
              {
                "name": "SubKey",
                "value": "CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_CLASSES_ROOT\\CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              }
            ],
            "repeated": 0,
            "id": 25187
          },
          {
            "timestamp": "2026-05-28 22:02:55,521",
            "thread_id": "2700",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "shell32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76730000"
              }
            ],
            "repeated": 0,
            "id": 25188
          },
          {
            "timestamp": "2026-05-28 22:02:55,521",
            "thread_id": "2700",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x7ffc76730000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "shell32.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 25189
          },
          {
            "timestamp": "2026-05-28 22:02:55,521",
            "thread_id": "2700",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "SHELL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc76730000"
              },
              {
                "name": "FunctionName",
                "value": "DllGetClassObject"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc767878f0"
              }
            ],
            "repeated": 0,
            "id": 25190
          },
          {
            "timestamp": "2026-05-28 22:02:55,521",
            "thread_id": "2700",
            "caller": "0x7ff6c28c27c9",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "synchronization",
            "api": "NtFindAtom",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "AtomName",
                "value": "{57086C23-86C6-478F-AFB2-236188C8F47F} 3"
              },
              {
                "name": "Atom",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 25191
          },
          {
            "timestamp": "2026-05-28 22:02:55,521",
            "thread_id": "2700",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000000",
                "pretty_value": "HKEY_CLASSES_ROOT"
              },
              {
                "name": "SubKey",
                "value": "CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_CLASSES_ROOT\\CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              }
            ],
            "repeated": 0,
            "id": 25192
          },
          {
            "timestamp": "2026-05-28 22:02:55,521",
            "thread_id": "2700",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "shell32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76730000"
              }
            ],
            "repeated": 0,
            "id": 25193
          },
          {
            "timestamp": "2026-05-28 22:02:55,521",
            "thread_id": "2700",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x7ffc76730000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "shell32.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 25194
          },
          {
            "timestamp": "2026-05-28 22:02:55,521",
            "thread_id": "2700",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "SHELL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc76730000"
              },
              {
                "name": "FunctionName",
                "value": "DllGetClassObject"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc767878f0"
              }
            ],
            "repeated": 0,
            "id": 25195
          },
          {
            "timestamp": "2026-05-28 22:02:55,521",
            "thread_id": "2700",
            "caller": "0x7ff6c28c27c9",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "synchronization",
            "api": "NtFindAtom",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "AtomName",
                "value": "{57086C23-86C6-478F-AFB2-236188C8F47F} 3"
              },
              {
                "name": "Atom",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 25196
          },
          {
            "timestamp": "2026-05-28 22:02:55,521",
            "thread_id": "2700",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000000",
                "pretty_value": "HKEY_CLASSES_ROOT"
              },
              {
                "name": "SubKey",
                "value": "CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_CLASSES_ROOT\\CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              }
            ],
            "repeated": 0,
            "id": 25197
          },
          {
            "timestamp": "2026-05-28 22:02:55,521",
            "thread_id": "2700",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "shell32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76730000"
              }
            ],
            "repeated": 0,
            "id": 25198
          },
          {
            "timestamp": "2026-05-28 22:02:55,521",
            "thread_id": "2700",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x7ffc76730000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "shell32.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 25199
          },
          {
            "timestamp": "2026-05-28 22:02:55,521",
            "thread_id": "2700",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "SHELL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc76730000"
              },
              {
                "name": "FunctionName",
                "value": "DllGetClassObject"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc767878f0"
              }
            ],
            "repeated": 0,
            "id": 25200
          },
          {
            "timestamp": "2026-05-28 22:02:55,521",
            "thread_id": "2700",
            "caller": "0x7ff6c28c27c9",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "synchronization",
            "api": "NtFindAtom",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "AtomName",
                "value": "{57086C23-86C6-478F-AFB2-236188C8F47F} 3"
              },
              {
                "name": "Atom",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 25201
          },
          {
            "timestamp": "2026-05-28 22:02:55,521",
            "thread_id": "1004",
            "caller": "0x7ffc77bf0e98",
            "parentcaller": "0x7ffc77c6b785",
            "category": "windows",
            "api": "PostMessageW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "WindowHandle",
                "value": "0x00010424"
              },
              {
                "name": "Message",
                "value": "0x00000400"
              }
            ],
            "repeated": 0,
            "id": 25202
          },
          {
            "timestamp": "2026-05-28 22:02:55,521",
            "thread_id": "2700",
            "caller": "0x7ff6c28d9322",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "oleaut32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc77330000"
              }
            ],
            "repeated": 0,
            "id": 25203
          },
          {
            "timestamp": "2026-05-28 22:02:55,521",
            "thread_id": "5448",
            "caller": "0x7ff6c28bb952",
            "parentcaller": "0x7ff6c28be837",
            "category": "windows",
            "api": "PostMessageW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "WindowHandle",
                "value": "0x00010402"
              },
              {
                "name": "Message",
                "value": "0x00000464"
              }
            ],
            "repeated": 0,
            "id": 25204
          },
          {
            "timestamp": "2026-05-28 22:02:55,521",
            "thread_id": "5448",
            "caller": "0x7ff6c28be873",
            "parentcaller": "0x7ff6c28d9f92",
            "category": "windows",
            "api": "PostMessageW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "WindowHandle",
                "value": "0x000203fa"
              },
              {
                "name": "Message",
                "value": "0x000004dd"
              }
            ],
            "repeated": 0,
            "id": 25205
          },
          {
            "timestamp": "2026-05-28 22:02:55,521",
            "thread_id": "608",
            "caller": "0x7ff6c28d9e90",
            "parentcaller": "0x7ff6c28d9a49",
            "category": "windows",
            "api": "FindWindowW",
            "status": true,
            "return": "0x00010092",
            "arguments": [
              {
                "name": "ClassName",
                "value": "Shell_TrayWnd"
              },
              {
                "name": "WindowName",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 25206
          },
          {
            "timestamp": "2026-05-28 22:02:55,521",
            "thread_id": "2700",
            "caller": "0x7ffc77bf0e98",
            "parentcaller": "0x7ffc77c6b785",
            "category": "windows",
            "api": "PostMessageW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "WindowHandle",
                "value": "0x00010438"
              },
              {
                "name": "Message",
                "value": "0x00000400"
              }
            ],
            "repeated": 0,
            "id": 25207
          },
          {
            "timestamp": "2026-05-28 22:02:56,506",
            "thread_id": "2700",
            "caller": "0x7ffc77bf0e98",
            "parentcaller": "0x7ffc77c6b785",
            "category": "windows",
            "api": "PostMessageW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "WindowHandle",
                "value": "0x00010424"
              },
              {
                "name": "Message",
                "value": "0x00000400"
              }
            ],
            "repeated": 0,
            "id": 25208
          },
          {
            "timestamp": "2026-05-28 22:02:56,521",
            "thread_id": "5448",
            "caller": "0x7ff6c28bd9af",
            "parentcaller": "0x7ff6c28d9f92",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "23"
              },
              {
                "name": "ThreadInformation",
                "value": "L2\\xebr\\x00\\x00\\x00\\x00\\x9e\\xedv\\xbeq\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "5448"
              }
            ],
            "repeated": 0,
            "id": 25209
          },
          {
            "timestamp": "2026-05-28 22:02:56,521",
            "thread_id": "8604",
            "caller": "0x7ff6c28c4a58",
            "parentcaller": "0x7ff6c28bab11",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000410"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\PcwDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00224013"
              },
              {
                "name": "InputBuffer",
                "value": "\\x88\\x08\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": "x\\x02\\x00\\x00\\x10\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00h\\x02\\x00\\x00 \\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01<\\x06\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x90\\x00\\x00\\x00\\x00\\x00\\x00\\x00 \\x00\\x00\\x00\\x07\\x00\\x00\\x000\\x00,\\x000\\x00\\x00\\x00a\\x00n\\x00a\\x00g\\x00\\x10\\x00\\x00\\x00\\x10\\x00\\x04\\x00\\x00\\x00\\x00\\x00A\\x00p\\x00\\x10\\x00\\x00\\x00\\x1a\\x00\\x08\\x00^x\\x1b7\\x01\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x1b\\x00\\x04\\x001\\xb8\\xbb\\x04S\\x00e\\x00\\x10\\x00\\x00\\x00\\x1c\\x00\\x08\\x00\\x8b\\xc2\\xc4\\x08\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x1d\\x00\\x04\\x001\\xb8\\xbb\\x04)\\x00\\x00\\x00\\x10\\x00\\x00\\x00!\\x00\\x08\\x00\\xafOj\\xcb,\\x00\\x00\\x00\\x10\\x00\\x00\\x00\"\\x00\\x04\\x00Io\\x1c\\x03o\\x00f\\x00\\x90\\x00\\x00\\x00\\x01\\x00\\x00\\x00 \\x00\\x00\\x00\\x07\\x00\\x00\\x000\\x00,\\x001\\x00\\x00\\x00n\\x00t\\x00\\x00\\x00A\\x00\\x10\\x00\\x00\\x00\\x10\\x00\\x04\\x00\\x00\\x00\\x00\\x00e\\x00n\\x00\\x10\\x00\\x00\\x00\\x1a\\x00\\x08\\x00\\xba\\xa0\\x87<\\x01\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 25210
          },
          {
            "timestamp": "2026-05-28 22:02:56,521",
            "thread_id": "8604",
            "caller": "0x7ff6c28c7164",
            "parentcaller": "0x7ff6c28c4d2d",
            "category": "misc",
            "api": "NtQuerySystemInformation",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "SystemInformationClass",
                "value": "79"
              }
            ],
            "repeated": 0,
            "id": 25211
          },
          {
            "timestamp": "2026-05-28 22:02:56,521",
            "thread_id": "8604",
            "caller": "0x7ff6c28c71d8",
            "parentcaller": "0x7ff6c28c4d2d",
            "category": "misc",
            "api": "NtQuerySystemInformation",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SystemInformationClass",
                "value": "79"
              }
            ],
            "repeated": 0,
            "id": 25212
          },
          {
            "timestamp": "2026-05-28 22:02:56,521",
            "thread_id": "8604",
            "caller": "0x7ff6c28c4d5f",
            "parentcaller": "0x7ff6c28d9152",
            "category": "misc",
            "api": "NtQuerySystemInformation",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SystemInformationClass",
                "value": "182"
              }
            ],
            "repeated": 0,
            "id": 25213
          },
          {
            "timestamp": "2026-05-28 22:02:56,521",
            "thread_id": "8604",
            "caller": "0x7ff6c28c4d76",
            "parentcaller": "0x7ff6c28d9152",
            "category": "misc",
            "api": "GetPhysicallyInstalledSystemMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TotalMemoryInKilobytes",
                "value": "8388608"
              }
            ],
            "repeated": 0,
            "id": 25214
          },
          {
            "timestamp": "2026-05-28 22:02:56,521",
            "thread_id": "8604",
            "caller": "0x7ff6c28bcc3e",
            "parentcaller": "0x7ff6c28baa3d",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000008a4"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\Nsi"
              },
              {
                "name": "IoControlCode",
                "value": "0x00120007"
              },
              {
                "name": "InputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb1\\xa9t\\xfc\\x7f\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xc0\\xe5O\\x9e\\xf0\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb1\\xa9t\\xfc\\x7f\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xc0\\xe5O\\x9e\\xf0\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 25215
          },
          {
            "timestamp": "2026-05-28 22:02:56,521",
            "thread_id": "8604",
            "caller": "0x7ff6c28bcc3e",
            "parentcaller": "0x7ff6c28baa3d",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000acc"
              }
            ],
            "repeated": 0,
            "id": 25216
          },
          {
            "timestamp": "2026-05-28 22:02:56,521",
            "thread_id": "8604",
            "caller": "0x7ff6c28bcc3e",
            "parentcaller": "0x7ff6c28baa3d",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000008a4"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\Nsi"
              },
              {
                "name": "IoControlCode",
                "value": "0x0012000f"
              },
              {
                "name": "InputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb1\\xa9t\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xd0\\xe5O\\x9e\\xf0\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\xeeO\\x9e\\xf0\\x00\\x00\\x00D\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xe6O\\x9e\\xf0\\x00\\x00\\x00\\xd8\\x00\\x00\\x00\\x00\\x00\\x00\\x00 \\xe9O\\x9e\\xf0\\x00\\x00\\x00X\\x02\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb1\\xa9t\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xd0\\xe5O\\x9e\\xf0\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\xeeO\\x9e\\xf0\\x00\\x00\\x00D\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xe6O\\x9e\\xf0\\x00\\x00\\x00\\xd8\\x00\\x00\\x00\\x00\\x00\\x00\\x00 \\xe9O\\x9e\\xf0\\x00\\x00\\x00X\\x02\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 25217
          },
          {
            "timestamp": "2026-05-28 22:02:56,521",
            "thread_id": "8604",
            "caller": "0x7ff6c28bcc3e",
            "parentcaller": "0x7ff6c28baa3d",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000acc"
              }
            ],
            "repeated": 0,
            "id": 25218
          },
          {
            "timestamp": "2026-05-28 22:02:56,521",
            "thread_id": "8604",
            "caller": "0x7ff6c28bcd3d",
            "parentcaller": "0x7ff6c28baa3d",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000acc"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0012019f",
                "pretty_value": "FILE_GENERIC_READ|FILE_GENERIC_WRITE"
              },
              {
                "name": "FileName",
                "value": "\\Device\\{4C572733-2FBA-4346-9601-F86DBA666EF2}"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 25219
          },
          {
            "timestamp": "2026-05-28 22:02:56,521",
            "thread_id": "8604",
            "caller": "0x7ff6c28bcd94",
            "parentcaller": "0x7ff6c28baa3d",
            "category": "device",
            "api": "DeviceIoControl",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "DeviceHandle",
                "value": "0x00000acc"
              },
              {
                "name": "IoControlCode",
                "value": "0x0017003e"
              },
              {
                "name": "InBuffer",
                "value": "\\x07\\x01\\x01\\x00\\x04\\x01\\x01\\x80\\x14\\x01\\x01\\x80\\x01\\x01\\x02\\x00\\x02\\x01\\x02\\x00\\x03\\x01\\x02\\x00\\x04\\x01\\x02\\x00\\x08\\x02\\x02\\x80\\x01\\x02\\x02\\x80\\x07\\x02\\x02\\x80\\xff\\xff\\xff\\x80\\x13\\x02\\x02\\x80\\x14\\x02\\x02\\x80\\x15\\x02\\x02\\x80\\x02\\x02\\x01\\x80"
              },
              {
                "name": "OutBuffer",
                "value": "\\x07\\x01\\x01\\x00\\x04\\x00\\x00\\x00\\x80\\x96\\x98\\x00\\x04\\x01\\x01\\x80\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x14\\x01\\x01\\x80\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x01\\x02\\x00\\x08\\x00\\x00\\x00\\xd9\\x17\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x01\\x02\\x00\\x08\\x00\\x00\\x00\rs\\x00\\x00\\x00\\x00\\x00\\x00\\x03\\x01\\x02\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x04\\x01\\x02\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x08\\x02\\x02\\x80\\x08\\x00\\x00\\x00\\x08s\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x02\\x02\\x80\\x08\\x00\\x00\\x00i}a\\x00\\x00\\x00\\x00\\x00\\x07\\x02\\x02\\x80\\x08\\x00\\x00\\x00\\xf6IC\\x02\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\x80\\x04\\x00\\x00\\x00z\\x00\\x00\\x00\\x13\\x02\\x02\\x80\\x04\\x00\\x00\\x00m\\x00\\x00\\x00\\x14\\x02\\x02\\x80\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x15\\x02\\x02\\x80\\x04\\x00\\x00\\x00\\x00\\x00\\x04\\x00\\x02\\x02\\x01\\x80\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 25220
          },
          {
            "timestamp": "2026-05-28 22:02:56,521",
            "thread_id": "8604",
            "caller": "0x7ff6c28bcdab",
            "parentcaller": "0x7ff6c28baa3d",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000acc"
              }
            ],
            "repeated": 0,
            "id": 25221
          },
          {
            "timestamp": "2026-05-28 22:02:56,521",
            "thread_id": "8604",
            "caller": "0x7ff6c28c1a63",
            "parentcaller": "0x7ff6c28d9152",
            "category": "device",
            "api": "DeviceIoControl",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "DeviceHandle",
                "value": "0x0000089c"
              },
              {
                "name": "IoControlCode",
                "value": "0x00070020"
              },
              {
                "name": "InBuffer",
                "value": ""
              },
              {
                "name": "OutBuffer",
                "value": "\\x00\\xd21y\\x00\\x00\\x00\\x00\\x00\\xb8\\xf5\\x0c\\x00\\x00\\x00\\x00a\\x92\\xc9 \\x00\\x00\\x00\\x00\\x90\\xcd\\x90\\x16\\x00\\x00\\x00\\x00\\x04\\xb8\\x926\\x00\\x00\\x00\\x007w\\x00\\x00n\\x12\\x00\\x00\\x00\\x00\\x00\\x00\\x0b\\x05\\x00\\x00\\x13-Q\\xbd\\xed\\xee\\xdc\\x01\\x00\\x00\\x00\\x00P\\x00a\\x00r\\x00t\\x00m\\x00g\\x00r\\x00 \\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 25222
          },
          {
            "timestamp": "2026-05-28 22:02:56,521",
            "thread_id": "8604",
            "caller": "0x7ff6c28ca352",
            "parentcaller": "0x7ff6c28ca1d6",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 25223
          },
          {
            "timestamp": "2026-05-28 22:02:56,521",
            "thread_id": "8604",
            "caller": "0x7ff6c28ca352",
            "parentcaller": "0x7ff6c28ca1d6",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "0",
                "pretty_value": "ThreadBasicInformation"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x03\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb0\\x88\\x9d\\xf0\\x00\\x00\\x00\\xe8\\x1e\\x00\\x00\\x00\\x00\\x00\\x00\\x9c!\\x00\\x00\\x00\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x0b\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "8604"
              }
            ],
            "repeated": 0,
            "id": 25224
          },
          {
            "timestamp": "2026-05-28 22:02:56,521",
            "thread_id": "8604",
            "caller": "0x7ff6c28ca352",
            "parentcaller": "0x7ff6c28ca1d6",
            "category": "system",
            "api": "GetSystemTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 1,
            "id": 25225
          },
          {
            "timestamp": "2026-05-28 22:02:56,521",
            "thread_id": "8604",
            "caller": "0x7ff6c28ca352",
            "parentcaller": "0x7ff6c28ca1d6",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000410"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\PcwDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00224013"
              },
              {
                "name": "InputBuffer",
                "value": "\\x00\t\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": "\\xe0G\\x00\\x00\\x10\\x00\\x00\\x00\\x0c\\x00\\x00\\x00\\x00\\x00\\x00\\x00`\\x14\\x00\\x00 \\x00\\x00\\x00!\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\n\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x98\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x88\\x00\\x00\\x00\\x01\\x00\\x00\\x00p\\x00i\\x00d\\x00_\\x004\\x00_\\x00l\\x00u\\x00i\\x00d\\x00_\\x000\\x00x\\x000\\x000\\x000\\x000\\x000\\x000\\x000\\x000\\x00_\\x000\\x00x\\x000\\x000\\x000\\x000\\x006\\x001\\x006\\x00A\\x00_\\x00p\\x00h\\x00y\\x00s\\x00_\\x000\\x00_\\x00e\\x00n\\x00g\\x00_\\x000\\x00_\\x00e\\x00n\\x00g\\x00t\\x00y\\x00p\\x00e\\x00_\\x003\\x00D\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x01\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x98\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x88\\x00\\x00\\x00\\x01\\x00\\x00\\x00p\\x00i\\x00d\\x00_\\x004\\x00_\\x00l\\x00u\\x00i\\x00d\\x00_\\x000\\x00x\\x000\\x000\\x000\\x000\\x000\\x000\\x000\\x00"
              }
            ],
            "repeated": 0,
            "id": 25226
          },
          {
            "timestamp": "2026-05-28 22:02:56,521",
            "thread_id": "5448",
            "caller": "0x7ff6c28c63dd",
            "parentcaller": "0x7ff6c28bac26",
            "category": "misc",
            "api": "NtQuerySystemInformation",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SystemInformationClass",
                "value": "5",
                "pretty_value": "SystemProcessInformation"
              }
            ],
            "repeated": 0,
            "id": 25227
          },
          {
            "timestamp": "2026-05-28 22:02:56,521",
            "thread_id": "5448",
            "caller": "0x7ff6c28bda50",
            "parentcaller": "0x7ff6c28d9f92",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "23"
              },
              {
                "name": "ThreadInformation",
                "value": "T\\x03's\\x00\\x00\\x00\\x00\\xfc\\xcd\\xb4\\xbeq\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "5448"
              }
            ],
            "repeated": 0,
            "id": 25228
          },
          {
            "timestamp": "2026-05-28 22:02:56,521",
            "thread_id": "5448",
            "caller": "0x7ff6c28bdaa2",
            "parentcaller": "0x7ff6c28d9f92",
            "category": "misc",
            "api": "NtQuerySystemInformation",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SystemInformationClass",
                "value": "3",
                "pretty_value": "SystemTimeOfDayInformation"
              }
            ],
            "repeated": 0,
            "id": 25229
          },
          {
            "timestamp": "2026-05-28 22:02:56,521",
            "thread_id": "5448",
            "caller": "0x7ff6c28c4a58",
            "parentcaller": "0x7ff6c28c4bdc",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000410"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\PcwDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00224013"
              },
              {
                "name": "InputBuffer",
                "value": "\\x14\\x04\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": "\\xb8\\x01\\x00\\x00\\x10\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xa8\\x01\\x00\\x00 \\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x000\\x00\\x00\\x0c\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00`\\x00\\x00\\x00\\x00\\x00\\x00\\x00 \\x00\\x00\\x00\\x04\\x00\\x00\\x000\\x00,\\x000\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x04\\x00\\x08\\x00V!\\x83\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x05\\x00\\x08\\x00VN\\xb4\\x01\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x1a\\x00\\x08\\x00\\xd6\\x8f\\x1c7\\x01\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x1b\\x00\\x04\\x00\\xfc\\xba\\xbb\\x04\\x00\\x00\\x00\\x00`\\x00\\x00\\x00\\x01\\x00\\x00\\x00 \\x00\\x00\\x00\\x04\\x00\\x00\\x000\\x00,\\x001\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x04\\x00\\x08\\x00\\xaey^\\x01\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x05\\x00\\x08\\x00T\\xea*\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x1a\\x00\\x08\\x00\\xda\\xb6\\x88<\\x01\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x1b\\x00\\x04\\x00\\x01\\xbb\\xbb\\x04\\x00\\x00\\x00\\x00h\\x00\\x00\\x00\\x02\\x00\\x00\\x00(\\x00\\x00\\x00\\x04\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 25230
          },
          {
            "timestamp": "2026-05-28 22:02:56,521",
            "thread_id": "5448",
            "caller": "0x7ff6c28c4a58",
            "parentcaller": "0x7ff6c28c4c19",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000410"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\PcwDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00224013"
              },
              {
                "name": "InputBuffer",
                "value": "\\x18\\x04\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": "x\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00h\\x00\\x00\\x00 \\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00H\\x00\\x00\\x00\\x00\\x00\\x00\\x00(\\x00\\x00\\x00\\x02\\x00\\x00\\x00d\\x00e\\x00f\\x00a\\x00u\\x00l\\x00t\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x08\\x00\\x1b\\x9c\\x17\\xa4\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x01\\x00\\x08\\x00\\x00\\xb8\\xd3\\x0e\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 25231
          },
          {
            "timestamp": "2026-05-28 22:02:56,521",
            "thread_id": "5448",
            "caller": "0x7ff6c28c6f7b",
            "parentcaller": "0x7ff6c28bdb94",
            "category": "misc",
            "api": "GlobalMemoryStatusEx",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "MemoryLoad",
                "value": "31"
              },
              {
                "name": "TotalPhysicalMB",
                "value": "8191"
              }
            ],
            "repeated": 0,
            "id": 25232
          },
          {
            "timestamp": "2026-05-28 22:02:56,521",
            "thread_id": "5448",
            "caller": "0x7ff6c28c05ac",
            "parentcaller": "0x7ff6c28bdc11",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000ac4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001400",
                "pretty_value": "PROCESS_QUERY_INFORMATION|PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "748"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe"
              }
            ],
            "repeated": 0,
            "id": 25233
          },
          {
            "timestamp": "2026-05-28 22:02:56,521",
            "thread_id": "5448",
            "caller": "0x7ff6c28c068f",
            "parentcaller": "0x7ff6c28bdc11",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000ac4"
              }
            ],
            "repeated": 0,
            "id": 25234
          },
          {
            "timestamp": "2026-05-28 22:02:56,521",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c6d7d",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000ac4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001400",
                "pretty_value": "PROCESS_QUERY_INFORMATION|PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "748"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe"
              }
            ],
            "repeated": 0,
            "id": 25235
          },
          {
            "timestamp": "2026-05-28 22:02:56,521",
            "thread_id": "5448",
            "caller": "0x7ff6c28c6de3",
            "parentcaller": "0x7ff6c28c087c",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000ac4"
              }
            ],
            "repeated": 0,
            "id": 25236
          },
          {
            "timestamp": "2026-05-28 22:02:56,521",
            "thread_id": "2700",
            "caller": "0x7ff6c28d9214",
            "parentcaller": "0x00000000",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "0",
                "pretty_value": "ThreadBasicInformation"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x03\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xd0\\x86\\x9d\\xf0\\x00\\x00\\x00\\xe8\\x1e\\x00\\x00\\x00\\x00\\x00\\x00\\x8c\n\\x00\\x00\\x00\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\n\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "2700"
              }
            ],
            "repeated": 0,
            "id": 25237
          },
          {
            "timestamp": "2026-05-28 22:02:56,521",
            "thread_id": "2700",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000000",
                "pretty_value": "HKEY_CLASSES_ROOT"
              },
              {
                "name": "SubKey",
                "value": "CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_CLASSES_ROOT\\CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              }
            ],
            "repeated": 0,
            "id": 25238
          },
          {
            "timestamp": "2026-05-28 22:02:56,521",
            "thread_id": "2700",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "shell32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76730000"
              }
            ],
            "repeated": 0,
            "id": 25239
          },
          {
            "timestamp": "2026-05-28 22:02:56,521",
            "thread_id": "2700",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x7ffc76730000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "shell32.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 25240
          },
          {
            "timestamp": "2026-05-28 22:02:56,521",
            "thread_id": "2700",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "SHELL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc76730000"
              },
              {
                "name": "FunctionName",
                "value": "DllGetClassObject"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc767878f0"
              }
            ],
            "repeated": 0,
            "id": 25241
          },
          {
            "timestamp": "2026-05-28 22:02:56,521",
            "thread_id": "2700",
            "caller": "0x7ff6c28c27c9",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "synchronization",
            "api": "NtFindAtom",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "AtomName",
                "value": "{57086C23-86C6-478F-AFB2-236188C8F47F} 3"
              },
              {
                "name": "Atom",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 25242
          },
          {
            "timestamp": "2026-05-28 22:02:56,521",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6fb1",
            "parentcaller": "0x7ff6c28e0076",
            "category": "system",
            "api": "NtDelayExecution",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 25243
          },
          {
            "timestamp": "2026-05-28 22:02:56,521",
            "thread_id": "2700",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000000",
                "pretty_value": "HKEY_CLASSES_ROOT"
              },
              {
                "name": "SubKey",
                "value": "CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_CLASSES_ROOT\\CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              }
            ],
            "repeated": 0,
            "id": 25244
          },
          {
            "timestamp": "2026-05-28 22:02:56,521",
            "thread_id": "2700",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "shell32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76730000"
              }
            ],
            "repeated": 0,
            "id": 25245
          },
          {
            "timestamp": "2026-05-28 22:02:56,521",
            "thread_id": "2700",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x7ffc76730000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "shell32.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 25246
          },
          {
            "timestamp": "2026-05-28 22:02:56,521",
            "thread_id": "2700",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "SHELL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc76730000"
              },
              {
                "name": "FunctionName",
                "value": "DllGetClassObject"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc767878f0"
              }
            ],
            "repeated": 0,
            "id": 25247
          },
          {
            "timestamp": "2026-05-28 22:02:56,521",
            "thread_id": "2700",
            "caller": "0x7ff6c28c27c9",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "synchronization",
            "api": "NtFindAtom",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "AtomName",
                "value": "{57086C23-86C6-478F-AFB2-236188C8F47F} 3"
              },
              {
                "name": "Atom",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 25248
          },
          {
            "timestamp": "2026-05-28 22:02:56,521",
            "thread_id": "2700",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000000",
                "pretty_value": "HKEY_CLASSES_ROOT"
              },
              {
                "name": "SubKey",
                "value": "CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_CLASSES_ROOT\\CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              }
            ],
            "repeated": 0,
            "id": 25249
          },
          {
            "timestamp": "2026-05-28 22:02:56,521",
            "thread_id": "2700",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "shell32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76730000"
              }
            ],
            "repeated": 0,
            "id": 25250
          },
          {
            "timestamp": "2026-05-28 22:02:56,521",
            "thread_id": "2700",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x7ffc76730000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "shell32.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 25251
          },
          {
            "timestamp": "2026-05-28 22:02:56,521",
            "thread_id": "2700",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "SHELL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc76730000"
              },
              {
                "name": "FunctionName",
                "value": "DllGetClassObject"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc767878f0"
              }
            ],
            "repeated": 0,
            "id": 25252
          },
          {
            "timestamp": "2026-05-28 22:02:56,521",
            "thread_id": "2700",
            "caller": "0x7ff6c28c27c9",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "synchronization",
            "api": "NtFindAtom",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "AtomName",
                "value": "{57086C23-86C6-478F-AFB2-236188C8F47F} 3"
              },
              {
                "name": "Atom",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 25253
          },
          {
            "timestamp": "2026-05-28 22:02:56,521",
            "thread_id": "2700",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000000",
                "pretty_value": "HKEY_CLASSES_ROOT"
              },
              {
                "name": "SubKey",
                "value": "CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_CLASSES_ROOT\\CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              }
            ],
            "repeated": 0,
            "id": 25254
          },
          {
            "timestamp": "2026-05-28 22:02:56,521",
            "thread_id": "2700",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "shell32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76730000"
              }
            ],
            "repeated": 0,
            "id": 25255
          },
          {
            "timestamp": "2026-05-28 22:02:56,521",
            "thread_id": "2700",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x7ffc76730000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "shell32.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 25256
          },
          {
            "timestamp": "2026-05-28 22:02:56,521",
            "thread_id": "2700",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "SHELL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc76730000"
              },
              {
                "name": "FunctionName",
                "value": "DllGetClassObject"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc767878f0"
              }
            ],
            "repeated": 0,
            "id": 25257
          },
          {
            "timestamp": "2026-05-28 22:02:56,521",
            "thread_id": "2700",
            "caller": "0x7ff6c28c27c9",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "synchronization",
            "api": "NtFindAtom",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "AtomName",
                "value": "{57086C23-86C6-478F-AFB2-236188C8F47F} 3"
              },
              {
                "name": "Atom",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 25258
          },
          {
            "timestamp": "2026-05-28 22:02:56,521",
            "thread_id": "2700",
            "caller": "0x7ff6c28d9322",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "oleaut32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc77330000"
              }
            ],
            "repeated": 0,
            "id": 25259
          },
          {
            "timestamp": "2026-05-28 22:02:56,521",
            "thread_id": "5448",
            "caller": "0x7ff6c28bb952",
            "parentcaller": "0x7ff6c28be837",
            "category": "windows",
            "api": "PostMessageW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "WindowHandle",
                "value": "0x00010402"
              },
              {
                "name": "Message",
                "value": "0x00000464"
              }
            ],
            "repeated": 0,
            "id": 25260
          },
          {
            "timestamp": "2026-05-28 22:02:56,521",
            "thread_id": "5448",
            "caller": "0x7ff6c28be873",
            "parentcaller": "0x7ff6c28d9f92",
            "category": "windows",
            "api": "PostMessageW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "WindowHandle",
                "value": "0x000203fa"
              },
              {
                "name": "Message",
                "value": "0x000004dd"
              }
            ],
            "repeated": 0,
            "id": 25261
          },
          {
            "timestamp": "2026-05-28 22:02:56,521",
            "thread_id": "2700",
            "caller": "0x7ffc77bf0e98",
            "parentcaller": "0x7ffc77c6b785",
            "category": "windows",
            "api": "PostMessageW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "WindowHandle",
                "value": "0x00010438"
              },
              {
                "name": "Message",
                "value": "0x00000400"
              }
            ],
            "repeated": 0,
            "id": 25262
          },
          {
            "timestamp": "2026-05-28 22:02:56,865",
            "thread_id": "2988",
            "caller": "0x7ffc7802467e",
            "parentcaller": "0x7ffc78023748",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "12"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "2988"
              }
            ],
            "repeated": 0,
            "id": 25263
          },
          {
            "timestamp": "2026-05-28 22:02:56,865",
            "thread_id": "2988",
            "caller": "0x7ffc7802469e",
            "parentcaller": "0x7ffc78023748",
            "category": "threading",
            "api": "NtTerminateThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0x00000000"
              },
              {
                "name": "ExitStatus",
                "value": "0x00000000"
              },
              {
                "name": "ThreadId",
                "value": "0"
              },
              {
                "name": "ProcessId",
                "value": "0"
              }
            ],
            "repeated": 1,
            "id": 25264
          },
          {
            "timestamp": "2026-05-28 22:02:57,287",
            "thread_id": "2700",
            "caller": "0x7ffc756e6785",
            "parentcaller": "0x7ffc770d4159",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a60"
              }
            ],
            "repeated": 0,
            "id": 25265
          },
          {
            "timestamp": "2026-05-28 22:02:57,287",
            "thread_id": "2700",
            "caller": "0x7ffc756e6785",
            "parentcaller": "0x7ffc770d8127",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a54"
              }
            ],
            "repeated": 0,
            "id": 25266
          },
          {
            "timestamp": "2026-05-28 22:02:57,287",
            "thread_id": "2700",
            "caller": "0x7ffc770a7042",
            "parentcaller": "0x7ffc770a6fa4",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a74"
              }
            ],
            "repeated": 0,
            "id": 25267
          },
          {
            "timestamp": "2026-05-28 22:02:57,287",
            "thread_id": "2700",
            "caller": "0x7ffc770a7042",
            "parentcaller": "0x7ffc770a6fa4",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000008dc"
              }
            ],
            "repeated": 0,
            "id": 25268
          },
          {
            "timestamp": "2026-05-28 22:02:57,287",
            "thread_id": "2700",
            "caller": "0x7ffc770a7042",
            "parentcaller": "0x7ffc770a6fa4",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005a4"
              }
            ],
            "repeated": 0,
            "id": 25269
          },
          {
            "timestamp": "2026-05-28 22:02:57,287",
            "thread_id": "2700",
            "caller": "0x7ffc770a7042",
            "parentcaller": "0x7ffc770a6fa4",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000320"
              }
            ],
            "repeated": 0,
            "id": 25270
          },
          {
            "timestamp": "2026-05-28 22:02:57,396",
            "thread_id": "8568",
            "caller": "0x7ff6c28c7bc0",
            "parentcaller": "0x7ff6c28c61c3",
            "category": "services",
            "api": "OpenSCManagerW",
            "status": true,
            "return": "0x29254e7f730",
            "arguments": [
              {
                "name": "MachineName",
                "value": ""
              },
              {
                "name": "DatabaseName",
                "value": ""
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000004",
                "pretty_value": "SC_MANAGER_ENUMERATE_SERVICE"
              }
            ],
            "repeated": 0,
            "id": 25271
          },
          {
            "timestamp": "2026-05-28 22:02:57,396",
            "thread_id": "8568",
            "caller": "0x7ff6c28c7bf7",
            "parentcaller": "0x7ff6c28c61c3",
            "category": "services",
            "api": "OpenServiceW",
            "status": true,
            "return": "0x29254e7f4f0",
            "arguments": [
              {
                "name": "ServiceControlManager",
                "value": "0x29254e7f730"
              },
              {
                "name": "ServiceName",
                "value": "DoSvc"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000004",
                "pretty_value": "SERVICE_QUERY_STATUS"
              }
            ],
            "repeated": 0,
            "id": 25272
          },
          {
            "timestamp": "2026-05-28 22:02:57,490",
            "thread_id": "2700",
            "caller": "0x7ffc77bf0e98",
            "parentcaller": "0x7ffc77c6b785",
            "category": "windows",
            "api": "PostMessageW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "WindowHandle",
                "value": "0x00010424"
              },
              {
                "name": "Message",
                "value": "0x00000400"
              }
            ],
            "repeated": 0,
            "id": 25273
          },
          {
            "timestamp": "2026-05-28 22:02:57,521",
            "thread_id": "5448",
            "caller": "0x7ff6c28bd9af",
            "parentcaller": "0x7ff6c28d9f92",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "23"
              },
              {
                "name": "ThreadInformation",
                "value": "\"\\xc6Js\\x00\\x00\\x00\\x00\\x82\\xa5G\\x9ar\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "5448"
              }
            ],
            "repeated": 0,
            "id": 25274
          },
          {
            "timestamp": "2026-05-28 22:02:57,521",
            "thread_id": "8604",
            "caller": "0x7ff6c28c4a58",
            "parentcaller": "0x7ff6c28bab11",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000410"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\PcwDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00224013"
              },
              {
                "name": "InputBuffer",
                "value": "\\x88\\x08\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": "x\\x02\\x00\\x00\\x10\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00h\\x02\\x00\\x00 \\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01<\\x06\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x90\\x00\\x00\\x00\\x00\\x00\\x00\\x00 \\x00\\x00\\x00\\x07\\x00\\x00\\x000\\x00,\\x000\\x00\\x00\\x00a\\x00n\\x00a\\x00g\\x00\\x10\\x00\\x00\\x00\\x10\\x00\\x04\\x00\\x00\\x00\\x00\\x00A\\x00p\\x00\\x10\\x00\\x00\\x00\\x1a\\x00\\x08\\x00n\\x86\\xd5:\\x01\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x1b\\x00\\x04\\x00\\x92B\\xc5\\x04S\\x00e\\x00\\x10\\x00\\x00\\x00\\x1c\\x00\\x08\\x00\\x8b\\xc2\\xc4\\x08\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x1d\\x00\\x04\\x00\\x92B\\xc5\\x04)\\x00\\x00\\x00\\x10\\x00\\x00\\x00!\\x00\\x08\\x00\\xa2\\xc6\\xc8T-\\x00\\x00\\x00\\x10\\x00\\x00\\x00\"\\x00\\x04\\x00\\xaa\\xf9%\\x03o\\x00f\\x00\\x90\\x00\\x00\\x00\\x01\\x00\\x00\\x00 \\x00\\x00\\x00\\x07\\x00\\x00\\x000\\x00,\\x001\\x00\\x00\\x00n\\x00t\\x00\\x00\\x00A\\x00\\x10\\x00\\x00\\x00\\x10\\x00\\x04\\x00\\x00\\x00\\x00\\x00e\\x00n\\x00\\x10\\x00\\x00\\x00\\x1a\\x00\\x08\\x00F\\xadA@\\x01\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 25275
          },
          {
            "timestamp": "2026-05-28 22:02:57,521",
            "thread_id": "8604",
            "caller": "0x7ff6c28c7164",
            "parentcaller": "0x7ff6c28c4d2d",
            "category": "misc",
            "api": "NtQuerySystemInformation",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "SystemInformationClass",
                "value": "79"
              }
            ],
            "repeated": 0,
            "id": 25276
          },
          {
            "timestamp": "2026-05-28 22:02:57,521",
            "thread_id": "8604",
            "caller": "0x7ff6c28c71d8",
            "parentcaller": "0x7ff6c28c4d2d",
            "category": "misc",
            "api": "NtQuerySystemInformation",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SystemInformationClass",
                "value": "79"
              }
            ],
            "repeated": 0,
            "id": 25277
          },
          {
            "timestamp": "2026-05-28 22:02:57,521",
            "thread_id": "8604",
            "caller": "0x7ff6c28c4d5f",
            "parentcaller": "0x7ff6c28d9152",
            "category": "misc",
            "api": "NtQuerySystemInformation",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SystemInformationClass",
                "value": "182"
              }
            ],
            "repeated": 0,
            "id": 25278
          },
          {
            "timestamp": "2026-05-28 22:02:57,521",
            "thread_id": "8604",
            "caller": "0x7ff6c28c4d76",
            "parentcaller": "0x7ff6c28d9152",
            "category": "misc",
            "api": "GetPhysicallyInstalledSystemMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TotalMemoryInKilobytes",
                "value": "8388608"
              }
            ],
            "repeated": 0,
            "id": 25279
          },
          {
            "timestamp": "2026-05-28 22:02:57,521",
            "thread_id": "8604",
            "caller": "0x7ff6c28bcc3e",
            "parentcaller": "0x7ff6c28baa3d",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000008a4"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\Nsi"
              },
              {
                "name": "IoControlCode",
                "value": "0x00120007"
              },
              {
                "name": "InputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb1\\xa9t\\xfc\\x7f\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xc0\\xe5O\\x9e\\xf0\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb1\\xa9t\\xfc\\x7f\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xc0\\xe5O\\x9e\\xf0\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 25280
          },
          {
            "timestamp": "2026-05-28 22:02:57,521",
            "thread_id": "8604",
            "caller": "0x7ff6c28bcc3e",
            "parentcaller": "0x7ff6c28baa3d",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000ac4"
              }
            ],
            "repeated": 0,
            "id": 25281
          },
          {
            "timestamp": "2026-05-28 22:02:57,521",
            "thread_id": "8604",
            "caller": "0x7ff6c28bcc3e",
            "parentcaller": "0x7ff6c28baa3d",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000008a4"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\Nsi"
              },
              {
                "name": "IoControlCode",
                "value": "0x0012000f"
              },
              {
                "name": "InputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb1\\xa9t\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xd0\\xe5O\\x9e\\xf0\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\xeeO\\x9e\\xf0\\x00\\x00\\x00D\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xe6O\\x9e\\xf0\\x00\\x00\\x00\\xd8\\x00\\x00\\x00\\x00\\x00\\x00\\x00 \\xe9O\\x9e\\xf0\\x00\\x00\\x00X\\x02\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb1\\xa9t\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xd0\\xe5O\\x9e\\xf0\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\xeeO\\x9e\\xf0\\x00\\x00\\x00D\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xe6O\\x9e\\xf0\\x00\\x00\\x00\\xd8\\x00\\x00\\x00\\x00\\x00\\x00\\x00 \\xe9O\\x9e\\xf0\\x00\\x00\\x00X\\x02\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 25282
          },
          {
            "timestamp": "2026-05-28 22:02:57,521",
            "thread_id": "8604",
            "caller": "0x7ff6c28bcc3e",
            "parentcaller": "0x7ff6c28baa3d",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000ac4"
              }
            ],
            "repeated": 0,
            "id": 25283
          },
          {
            "timestamp": "2026-05-28 22:02:57,521",
            "thread_id": "8604",
            "caller": "0x7ff6c28bcd3d",
            "parentcaller": "0x7ff6c28baa3d",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000ac4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0012019f",
                "pretty_value": "FILE_GENERIC_READ|FILE_GENERIC_WRITE"
              },
              {
                "name": "FileName",
                "value": "\\Device\\{4C572733-2FBA-4346-9601-F86DBA666EF2}"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 25284
          },
          {
            "timestamp": "2026-05-28 22:02:57,521",
            "thread_id": "8604",
            "caller": "0x7ff6c28bcd94",
            "parentcaller": "0x7ff6c28baa3d",
            "category": "device",
            "api": "DeviceIoControl",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "DeviceHandle",
                "value": "0x00000ac4"
              },
              {
                "name": "IoControlCode",
                "value": "0x0017003e"
              },
              {
                "name": "InBuffer",
                "value": "\\x07\\x01\\x01\\x00\\x04\\x01\\x01\\x80\\x14\\x01\\x01\\x80\\x01\\x01\\x02\\x00\\x02\\x01\\x02\\x00\\x03\\x01\\x02\\x00\\x04\\x01\\x02\\x00\\x08\\x02\\x02\\x80\\x01\\x02\\x02\\x80\\x07\\x02\\x02\\x80\\xff\\xff\\xff\\x80\\x13\\x02\\x02\\x80\\x14\\x02\\x02\\x80\\x15\\x02\\x02\\x80\\x02\\x02\\x01\\x80"
              },
              {
                "name": "OutBuffer",
                "value": "\\x07\\x01\\x01\\x00\\x04\\x00\\x00\\x00\\x80\\x96\\x98\\x00\\x04\\x01\\x01\\x80\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x14\\x01\\x01\\x80\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x01\\x02\\x00\\x08\\x00\\x00\\x00\\xe2\\x17\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x01\\x02\\x00\\x08\\x00\\x00\\x00\\x16s\\x00\\x00\\x00\\x00\\x00\\x00\\x03\\x01\\x02\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x04\\x01\\x02\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x08\\x02\\x02\\x80\\x08\\x00\\x00\\x00\\x11s\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x02\\x02\\x80\\x08\\x00\\x00\\x00\\x12\\x80a\\x00\\x00\\x00\\x00\\x00\\x07\\x02\\x02\\x80\\x08\\x00\\x00\\x00\\xc7LC\\x02\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\x80\\x04\\x00\\x00\\x00{\\x00\\x00\\x00\\x13\\x02\\x02\\x80\\x04\\x00\\x00\\x00m\\x00\\x00\\x00\\x14\\x02\\x02\\x80\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x15\\x02\\x02\\x80\\x04\\x00\\x00\\x00\\x00\\x00\\x04\\x00\\x02\\x02\\x01\\x80\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 25285
          },
          {
            "timestamp": "2026-05-28 22:02:57,521",
            "thread_id": "8604",
            "caller": "0x7ff6c28bcdab",
            "parentcaller": "0x7ff6c28baa3d",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000ac4"
              }
            ],
            "repeated": 0,
            "id": 25286
          },
          {
            "timestamp": "2026-05-28 22:02:57,521",
            "thread_id": "8604",
            "caller": "0x7ff6c28c1a63",
            "parentcaller": "0x7ff6c28d9152",
            "category": "device",
            "api": "DeviceIoControl",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "DeviceHandle",
                "value": "0x0000089c"
              },
              {
                "name": "IoControlCode",
                "value": "0x00070020"
              },
              {
                "name": "InBuffer",
                "value": ""
              },
              {
                "name": "OutBuffer",
                "value": "\\x00BIy\\x00\\x00\\x00\\x00\\x00\\x88\\xf6\\x0c\\x00\\x00\\x00\\x00\\xff\\xf9\\xc9 \\x00\\x00\\x00\\x00\\xbc\\xef\\x90\\x16\\x00\\x00\\x00\\x00\\xf1\\x05)7\\x00\\x00\\x00\\x00Lw\\x00\\x00w\\x12\\x00\\x00\\x00\\x00\\x00\\x00\\x0b\\x05\\x00\\x006\\xd5\\xe9\\xbd\\xed\\xee\\xdc\\x01\\x00\\x00\\x00\\x00P\\x00a\\x00r\\x00t\\x00m\\x00g\\x00r\\x00 \\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 25287
          },
          {
            "timestamp": "2026-05-28 22:02:57,521",
            "thread_id": "8604",
            "caller": "0x7ff6c28ca352",
            "parentcaller": "0x7ff6c28ca1d6",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 25288
          },
          {
            "timestamp": "2026-05-28 22:02:57,521",
            "thread_id": "8604",
            "caller": "0x7ff6c28ca352",
            "parentcaller": "0x7ff6c28ca1d6",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "0",
                "pretty_value": "ThreadBasicInformation"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x03\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb0\\x88\\x9d\\xf0\\x00\\x00\\x00\\xe8\\x1e\\x00\\x00\\x00\\x00\\x00\\x00\\x9c!\\x00\\x00\\x00\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x0b\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "8604"
              }
            ],
            "repeated": 0,
            "id": 25289
          },
          {
            "timestamp": "2026-05-28 22:02:57,521",
            "thread_id": "8604",
            "caller": "0x7ff6c28ca352",
            "parentcaller": "0x7ff6c28ca1d6",
            "category": "system",
            "api": "GetSystemTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 1,
            "id": 25290
          },
          {
            "timestamp": "2026-05-28 22:02:57,521",
            "thread_id": "8604",
            "caller": "0x7ff6c28ca352",
            "parentcaller": "0x7ff6c28ca1d6",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000410"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\PcwDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00224013"
              },
              {
                "name": "InputBuffer",
                "value": "\\x00\t\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": "\\xe0G\\x00\\x00\\x10\\x00\\x00\\x00\\x0c\\x00\\x00\\x00\\x00\\x00\\x00\\x00`\\x14\\x00\\x00 \\x00\\x00\\x00!\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\n\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x98\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x88\\x00\\x00\\x00\\x01\\x00\\x00\\x00p\\x00i\\x00d\\x00_\\x004\\x00_\\x00l\\x00u\\x00i\\x00d\\x00_\\x000\\x00x\\x000\\x000\\x000\\x000\\x000\\x000\\x000\\x000\\x00_\\x000\\x00x\\x000\\x000\\x000\\x000\\x006\\x001\\x006\\x00A\\x00_\\x00p\\x00h\\x00y\\x00s\\x00_\\x000\\x00_\\x00e\\x00n\\x00g\\x00_\\x000\\x00_\\x00e\\x00n\\x00g\\x00t\\x00y\\x00p\\x00e\\x00_\\x003\\x00D\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x01\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x98\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x88\\x00\\x00\\x00\\x01\\x00\\x00\\x00p\\x00i\\x00d\\x00_\\x004\\x00_\\x00l\\x00u\\x00i\\x00d\\x00_\\x000\\x00x\\x000\\x000\\x000\\x000\\x000\\x000\\x000\\x00"
              }
            ],
            "repeated": 0,
            "id": 25291
          },
          {
            "timestamp": "2026-05-28 22:02:57,521",
            "thread_id": "5448",
            "caller": "0x7ff6c28c63dd",
            "parentcaller": "0x7ff6c28bac26",
            "category": "misc",
            "api": "NtQuerySystemInformation",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SystemInformationClass",
                "value": "5",
                "pretty_value": "FILE_OVERWRITE_IF"
              }
            ],
            "repeated": 0,
            "id": 25292
          },
          {
            "timestamp": "2026-05-28 22:02:57,521",
            "thread_id": "5448",
            "caller": "0x7ff6c28bda50",
            "parentcaller": "0x7ff6c28d9f92",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "23"
              },
              {
                "name": "ThreadInformation",
                "value": "\\xa6~\\x86s\\x00\\x00\\x00\\x00Dt\\x83\\x9ar\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "5448"
              }
            ],
            "repeated": 0,
            "id": 25293
          },
          {
            "timestamp": "2026-05-28 22:02:57,521",
            "thread_id": "5448",
            "caller": "0x7ff6c28bdaa2",
            "parentcaller": "0x7ff6c28d9f92",
            "category": "misc",
            "api": "NtQuerySystemInformation",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SystemInformationClass",
                "value": "3",
                "pretty_value": "FILE_OPEN_IF"
              }
            ],
            "repeated": 0,
            "id": 25294
          },
          {
            "timestamp": "2026-05-28 22:02:57,521",
            "thread_id": "5448",
            "caller": "0x7ff6c28c4a58",
            "parentcaller": "0x7ff6c28c4bdc",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000410"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\PcwDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00224013"
              },
              {
                "name": "InputBuffer",
                "value": "\\x14\\x04\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": "\\xb8\\x01\\x00\\x00\\x10\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xa8\\x01\\x00\\x00 \\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x000\\x00\\x00\\x0c\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00`\\x00\\x00\\x00\\x00\\x00\\x00\\x00 \\x00\\x00\\x00\\x04\\x00\\x00\\x000\\x00,\\x000\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x04\\x00\\x08\\x00V!\\x83\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x05\\x00\\x08\\x00VN\\xb4\\x01\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x1a\\x00\\x08\\x00\\xbe\\x95\\xd6:\\x01\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x1b\\x00\\x04\\x00IE\\xc5\\x04\\x00\\x00\\x00\\x00`\\x00\\x00\\x00\\x01\\x00\\x00\\x00 \\x00\\x00\\x00\\x04\\x00\\x00\\x000\\x00,\\x001\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x04\\x00\\x08\\x00\\xaey^\\x01\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x05\\x00\\x08\\x00T\\xea*\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x1a\\x00\\x08\\x00k\\xbcB@\\x01\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x1b\\x00\\x04\\x00LE\\xc5\\x04\\x00\\x00\\x00\\x00h\\x00\\x00\\x00\\x02\\x00\\x00\\x00(\\x00\\x00\\x00\\x04\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 25295
          },
          {
            "timestamp": "2026-05-28 22:02:57,521",
            "thread_id": "5448",
            "caller": "0x7ff6c28c4a58",
            "parentcaller": "0x7ff6c28c4c19",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000410"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\PcwDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00224013"
              },
              {
                "name": "InputBuffer",
                "value": "\\x18\\x04\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": "x\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00h\\x00\\x00\\x00 \\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00H\\x00\\x00\\x00\\x00\\x00\\x00\\x00(\\x00\\x00\\x00\\x02\\x00\\x00\\x00d\\x00e\\x00f\\x00a\\x00u\\x00l\\x00t\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x08\\x00\\x1b\\x0c/\\xa4\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x01\\x00\\x08\\x00\\x00\\x88\\xd4\\x0e\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 25296
          },
          {
            "timestamp": "2026-05-28 22:02:57,521",
            "thread_id": "5448",
            "caller": "0x7ff6c28c6f7b",
            "parentcaller": "0x7ff6c28bdb94",
            "category": "misc",
            "api": "GlobalMemoryStatusEx",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "MemoryLoad",
                "value": "31"
              },
              {
                "name": "TotalPhysicalMB",
                "value": "8191"
              }
            ],
            "repeated": 0,
            "id": 25297
          },
          {
            "timestamp": "2026-05-28 22:02:57,521",
            "thread_id": "5448",
            "caller": "0x7ff6c28c05ac",
            "parentcaller": "0x7ff6c28bdc11",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000320"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001400",
                "pretty_value": "PROCESS_QUERY_INFORMATION|PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "748"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe"
              }
            ],
            "repeated": 0,
            "id": 25298
          },
          {
            "timestamp": "2026-05-28 22:02:57,521",
            "thread_id": "5448",
            "caller": "0x7ff6c28c068f",
            "parentcaller": "0x7ff6c28bdc11",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000320"
              }
            ],
            "repeated": 0,
            "id": 25299
          },
          {
            "timestamp": "2026-05-28 22:02:57,521",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c6d7d",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000320"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001400",
                "pretty_value": "PROCESS_QUERY_INFORMATION|PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "748"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe"
              }
            ],
            "repeated": 0,
            "id": 25300
          },
          {
            "timestamp": "2026-05-28 22:02:57,521",
            "thread_id": "5448",
            "caller": "0x7ff6c28c6de3",
            "parentcaller": "0x7ff6c28c087c",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000320"
              }
            ],
            "repeated": 0,
            "id": 25301
          },
          {
            "timestamp": "2026-05-28 22:02:57,521",
            "thread_id": "5448",
            "caller": "0x7ff6c28c05ac",
            "parentcaller": "0x7ff6c28bdc11",
            "category": "process",
            "api": "NtOpenProcess",
            "status": false,
            "return": "0xffffffffc0000022",
            "pretty_return": "ACCESS_DENIED",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x2924e26cd50"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001400",
                "pretty_value": "PROCESS_QUERY_INFORMATION|PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "3640"
              }
            ],
            "repeated": 0,
            "id": 25302
          },
          {
            "timestamp": "2026-05-28 22:02:57,553",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c3e56",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000320"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001000",
                "pretty_value": "PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "3640"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\System32\\svchost.exe"
              }
            ],
            "repeated": 0,
            "id": 25303
          },
          {
            "timestamp": "2026-05-28 22:02:57,553",
            "thread_id": "5448",
            "caller": "0x7ff6c28c3ebb",
            "parentcaller": "0x7ff6c28c2d53",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000320"
              }
            ],
            "repeated": 0,
            "id": 25304
          },
          {
            "timestamp": "2026-05-28 22:02:57,553",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c3ffc",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000320"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001000",
                "pretty_value": "PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "3640"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\System32\\svchost.exe"
              }
            ],
            "repeated": 0,
            "id": 25305
          },
          {
            "timestamp": "2026-05-28 22:02:57,553",
            "thread_id": "5448",
            "caller": "0x7ff6c28c4224",
            "parentcaller": "0x7ff6c28c2da5",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000320"
              }
            ],
            "repeated": 0,
            "id": 25306
          },
          {
            "timestamp": "2026-05-28 22:02:57,553",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x292514c0002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\System32\\svchost.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 25307
          },
          {
            "timestamp": "2026-05-28 22:02:57,553",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "registry",
            "api": "NtOpenKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\en-US"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\en-US"
              }
            ],
            "repeated": 0,
            "id": 25308
          },
          {
            "timestamp": "2026-05-28 22:02:57,553",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000320"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100001",
                "pretty_value": "FILE_READ_ACCESS|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\en-US\\svchost.exe.mui"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 25309
          },
          {
            "timestamp": "2026-05-28 22:02:57,553",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x000005a4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000320"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\en-US\\svchost.exe.mui"
              }
            ],
            "repeated": 0,
            "id": 25310
          },
          {
            "timestamp": "2026-05-28 22:02:57,553",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x000005a4"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x292514d0000"
              },
              {
                "name": "SectionOffset",
                "value": "0xf09ddfcf90"
              },
              {
                "name": "ViewSize",
                "value": "0x00001000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 25311
          },
          {
            "timestamp": "2026-05-28 22:02:57,553",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005a4"
              }
            ],
            "repeated": 0,
            "id": 25312
          },
          {
            "timestamp": "2026-05-28 22:02:57,553",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x292514d0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              }
            ],
            "repeated": 0,
            "id": 25313
          },
          {
            "timestamp": "2026-05-28 22:02:57,553",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000320"
              }
            ],
            "repeated": 0,
            "id": 25314
          },
          {
            "timestamp": "2026-05-28 22:02:57,553",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x292514c0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              }
            ],
            "repeated": 0,
            "id": 25315
          },
          {
            "timestamp": "2026-05-28 22:02:57,553",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x292514c0002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\System32\\svchost.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 25316
          },
          {
            "timestamp": "2026-05-28 22:02:57,553",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "registry",
            "api": "NtOpenKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\en-US"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\en-US"
              }
            ],
            "repeated": 0,
            "id": 25317
          },
          {
            "timestamp": "2026-05-28 22:02:57,553",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000320"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100001",
                "pretty_value": "FILE_READ_ACCESS|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\en-US\\svchost.exe.mui"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 25318
          },
          {
            "timestamp": "2026-05-28 22:02:57,553",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x000005a4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000320"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\en-US\\svchost.exe.mui"
              }
            ],
            "repeated": 0,
            "id": 25319
          },
          {
            "timestamp": "2026-05-28 22:02:57,553",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x000005a4"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x292514d0000"
              },
              {
                "name": "SectionOffset",
                "value": "0xf09ddfcf80"
              },
              {
                "name": "ViewSize",
                "value": "0x00001000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 25320
          },
          {
            "timestamp": "2026-05-28 22:02:57,553",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005a4"
              }
            ],
            "repeated": 0,
            "id": 25321
          },
          {
            "timestamp": "2026-05-28 22:02:57,553",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x292514d0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              }
            ],
            "repeated": 0,
            "id": 25322
          },
          {
            "timestamp": "2026-05-28 22:02:57,553",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000320"
              }
            ],
            "repeated": 0,
            "id": 25323
          },
          {
            "timestamp": "2026-05-28 22:02:57,553",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x292514c0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              }
            ],
            "repeated": 0,
            "id": 25324
          },
          {
            "timestamp": "2026-05-28 22:02:57,553",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c38f8",
            "category": "process",
            "api": "NtOpenProcess",
            "status": false,
            "return": "0xffffffffc0000022",
            "pretty_return": "ACCESS_DENIED",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x7ffc756dad9e"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001410",
                "pretty_value": "PROCESS_VM_READ|PROCESS_QUERY_INFORMATION|PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "3640"
              }
            ],
            "repeated": 0,
            "id": 25325
          },
          {
            "timestamp": "2026-05-28 22:02:57,553",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c3746",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000320"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001000",
                "pretty_value": "PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "3640"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\System32\\svchost.exe"
              }
            ],
            "repeated": 0,
            "id": 25326
          },
          {
            "timestamp": "2026-05-28 22:02:57,553",
            "thread_id": "5448",
            "caller": "0x7ff6c28c472e",
            "parentcaller": "0x7ff6c28c375e",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000320"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x000005a4"
              }
            ],
            "repeated": 0,
            "id": 25327
          },
          {
            "timestamp": "2026-05-28 22:02:57,553",
            "thread_id": "5448",
            "caller": "0x7ff6c28c4764",
            "parentcaller": "0x7ff6c28c375e",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "39"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 25328
          },
          {
            "timestamp": "2026-05-28 22:02:57,553",
            "thread_id": "5448",
            "caller": "0x7ff6c28c47ed",
            "parentcaller": "0x7ff6c28c375e",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "39"
              },
              {
                "name": "TokenInformation",
                "value": "\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\xe0\\xb0+T\\x92\\x02\\x00\\x00 \\x00 \\x00\\x00\\x00\\x00\\x00\\x08\\xb1+T\\x92\\x02\\x00\\x00\\x02\\x00\\x00\\x00A\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00(\\xb1+T\\x92\\x02\\x00\\x00T\\x00S\\x00A\\x00:\\x00/\\x00/\\x00P\\x00r\\x00o\\x00c\\x00U\\x00n\\x00i\\x00q\\x00u\\x00e\\x00\\xb0\\x00\\x00\\x00\\x00\\x00\\x00\\x00=\\x9b\\x0b\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 25329
          },
          {
            "timestamp": "2026-05-28 22:02:57,553",
            "thread_id": "5448",
            "caller": "0x7ff6c28c488d",
            "parentcaller": "0x7ff6c28c375e",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005a4"
              }
            ],
            "repeated": 0,
            "id": 25330
          },
          {
            "timestamp": "2026-05-28 22:02:57,553",
            "thread_id": "5448",
            "caller": "0x7ff6c28c3779",
            "parentcaller": "0x7ff6c28c31c6",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000320"
              }
            ],
            "repeated": 0,
            "id": 25331
          },
          {
            "timestamp": "2026-05-28 22:02:57,553",
            "thread_id": "2700",
            "caller": "0x7ff6c28d9214",
            "parentcaller": "0x00000000",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "0",
                "pretty_value": "ThreadBasicInformation"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x03\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xd0\\x86\\x9d\\xf0\\x00\\x00\\x00\\xe8\\x1e\\x00\\x00\\x00\\x00\\x00\\x00\\x8c\n\\x00\\x00\\x00\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\n\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "2700"
              }
            ],
            "repeated": 0,
            "id": 25332
          },
          {
            "timestamp": "2026-05-28 22:02:57,553",
            "thread_id": "2700",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000000",
                "pretty_value": "HKEY_CLASSES_ROOT"
              },
              {
                "name": "SubKey",
                "value": "CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_CLASSES_ROOT\\CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              }
            ],
            "repeated": 0,
            "id": 25333
          },
          {
            "timestamp": "2026-05-28 22:02:57,553",
            "thread_id": "2700",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "shell32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76730000"
              }
            ],
            "repeated": 0,
            "id": 25334
          },
          {
            "timestamp": "2026-05-28 22:02:57,553",
            "thread_id": "2700",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x7ffc76730000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "shell32.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 25335
          },
          {
            "timestamp": "2026-05-28 22:02:57,553",
            "thread_id": "2700",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "SHELL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc76730000"
              },
              {
                "name": "FunctionName",
                "value": "DllGetClassObject"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc767878f0"
              }
            ],
            "repeated": 0,
            "id": 25336
          },
          {
            "timestamp": "2026-05-28 22:02:57,553",
            "thread_id": "2700",
            "caller": "0x7ff6c28c27c9",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "synchronization",
            "api": "NtFindAtom",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "AtomName",
                "value": "{57086C23-86C6-478F-AFB2-236188C8F47F} 3"
              },
              {
                "name": "Atom",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 25337
          },
          {
            "timestamp": "2026-05-28 22:02:57,553",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6fb1",
            "parentcaller": "0x7ff6c28e0076",
            "category": "system",
            "api": "NtDelayExecution",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 25338
          },
          {
            "timestamp": "2026-05-28 22:02:57,553",
            "thread_id": "2700",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000000",
                "pretty_value": "HKEY_CLASSES_ROOT"
              },
              {
                "name": "SubKey",
                "value": "CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_CLASSES_ROOT\\CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              }
            ],
            "repeated": 0,
            "id": 25339
          },
          {
            "timestamp": "2026-05-28 22:02:57,553",
            "thread_id": "2700",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "shell32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76730000"
              }
            ],
            "repeated": 0,
            "id": 25340
          },
          {
            "timestamp": "2026-05-28 22:02:57,553",
            "thread_id": "2700",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x7ffc76730000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "shell32.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 25341
          },
          {
            "timestamp": "2026-05-28 22:02:57,553",
            "thread_id": "2700",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "SHELL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc76730000"
              },
              {
                "name": "FunctionName",
                "value": "DllGetClassObject"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc767878f0"
              }
            ],
            "repeated": 0,
            "id": 25342
          },
          {
            "timestamp": "2026-05-28 22:02:57,553",
            "thread_id": "2700",
            "caller": "0x7ff6c28c27c9",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "synchronization",
            "api": "NtFindAtom",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "AtomName",
                "value": "{57086C23-86C6-478F-AFB2-236188C8F47F} 3"
              },
              {
                "name": "Atom",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 25343
          },
          {
            "timestamp": "2026-05-28 22:02:57,553",
            "thread_id": "2700",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000000",
                "pretty_value": "HKEY_CLASSES_ROOT"
              },
              {
                "name": "SubKey",
                "value": "CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_CLASSES_ROOT\\CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              }
            ],
            "repeated": 0,
            "id": 25344
          },
          {
            "timestamp": "2026-05-28 22:02:57,553",
            "thread_id": "2700",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "shell32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76730000"
              }
            ],
            "repeated": 0,
            "id": 25345
          },
          {
            "timestamp": "2026-05-28 22:02:57,553",
            "thread_id": "2700",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x7ffc76730000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "shell32.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 25346
          },
          {
            "timestamp": "2026-05-28 22:02:57,553",
            "thread_id": "2700",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "SHELL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc76730000"
              },
              {
                "name": "FunctionName",
                "value": "DllGetClassObject"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc767878f0"
              }
            ],
            "repeated": 0,
            "id": 25347
          },
          {
            "timestamp": "2026-05-28 22:02:57,553",
            "thread_id": "2700",
            "caller": "0x7ff6c28c27c9",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "synchronization",
            "api": "NtFindAtom",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "AtomName",
                "value": "{57086C23-86C6-478F-AFB2-236188C8F47F} 3"
              },
              {
                "name": "Atom",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 25348
          },
          {
            "timestamp": "2026-05-28 22:02:57,553",
            "thread_id": "2700",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000000",
                "pretty_value": "HKEY_CLASSES_ROOT"
              },
              {
                "name": "SubKey",
                "value": "CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_CLASSES_ROOT\\CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              }
            ],
            "repeated": 0,
            "id": 25349
          },
          {
            "timestamp": "2026-05-28 22:02:57,553",
            "thread_id": "2700",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "shell32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76730000"
              }
            ],
            "repeated": 0,
            "id": 25350
          },
          {
            "timestamp": "2026-05-28 22:02:57,553",
            "thread_id": "2700",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x7ffc76730000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "shell32.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 25351
          },
          {
            "timestamp": "2026-05-28 22:02:57,553",
            "thread_id": "2700",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "SHELL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc76730000"
              },
              {
                "name": "FunctionName",
                "value": "DllGetClassObject"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc767878f0"
              }
            ],
            "repeated": 0,
            "id": 25352
          },
          {
            "timestamp": "2026-05-28 22:02:57,553",
            "thread_id": "2700",
            "caller": "0x7ff6c28c27c9",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "synchronization",
            "api": "NtFindAtom",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "AtomName",
                "value": "{57086C23-86C6-478F-AFB2-236188C8F47F} 3"
              },
              {
                "name": "Atom",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 25353
          },
          {
            "timestamp": "2026-05-28 22:02:57,553",
            "thread_id": "2700",
            "caller": "0x7ff6c28d9322",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "oleaut32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc77330000"
              }
            ],
            "repeated": 0,
            "id": 25354
          },
          {
            "timestamp": "2026-05-28 22:02:57,553",
            "thread_id": "5448",
            "caller": "0x7ff6c28bb952",
            "parentcaller": "0x7ff6c28be837",
            "category": "windows",
            "api": "PostMessageW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "WindowHandle",
                "value": "0x00010402"
              },
              {
                "name": "Message",
                "value": "0x00000464"
              }
            ],
            "repeated": 0,
            "id": 25355
          },
          {
            "timestamp": "2026-05-28 22:02:57,553",
            "thread_id": "5448",
            "caller": "0x7ff6c28be873",
            "parentcaller": "0x7ff6c28d9f92",
            "category": "windows",
            "api": "PostMessageW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "WindowHandle",
                "value": "0x000203fa"
              },
              {
                "name": "Message",
                "value": "0x000004dd"
              }
            ],
            "repeated": 0,
            "id": 25356
          },
          {
            "timestamp": "2026-05-28 22:02:57,553",
            "thread_id": "608",
            "caller": "0x7ff6c28d9e90",
            "parentcaller": "0x7ff6c28d9a49",
            "category": "windows",
            "api": "FindWindowW",
            "status": true,
            "return": "0x00010092",
            "arguments": [
              {
                "name": "ClassName",
                "value": "Shell_TrayWnd"
              },
              {
                "name": "WindowName",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 25357
          },
          {
            "timestamp": "2026-05-28 22:02:57,553",
            "thread_id": "2700",
            "caller": "0x7ffc77bf0e98",
            "parentcaller": "0x7ffc77c6b785",
            "category": "windows",
            "api": "PostMessageW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "WindowHandle",
                "value": "0x00010438"
              },
              {
                "name": "Message",
                "value": "0x00000400"
              }
            ],
            "repeated": 0,
            "id": 25358
          },
          {
            "timestamp": "2026-05-28 22:02:58,521",
            "thread_id": "5448",
            "caller": "0x7ff6c28bd9af",
            "parentcaller": "0x7ff6c28d9f92",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "23"
              },
              {
                "name": "ThreadInformation",
                "value": "\\xb0\\xf2\\x02t\\x00\\x00\\x00\\x00\\xe0\\xb2\\x03vs\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "5448"
              }
            ],
            "repeated": 0,
            "id": 25359
          },
          {
            "timestamp": "2026-05-28 22:02:58,521",
            "thread_id": "8604",
            "caller": "0x7ffc75738f98",
            "parentcaller": "0x7ffc75738f0a",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000410"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\PcwDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00224013"
              },
              {
                "name": "InputBuffer",
                "value": "\\x88\\x08\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": "x\\x02\\x00\\x00\\x10\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00h\\x02\\x00\\x00 \\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01<\\x06\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x90\\x00\\x00\\x00\\x00\\x00\\x00\\x00 \\x00\\x00\\x00\\x07\\x00\\x00\\x000\\x00,\\x000\\x00\\x00\\x00a\\x00n\\x00a\\x00g\\x00\\x10\\x00\\x00\\x00\\x10\\x00\\x04\\x00\\x00\\x00\\x00\\x00A\\x00p\\x00\\x10\\x00\\x00\\x00\\x1a\\x00\\x08\\x00M4\\x8f>\\x01\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x1b\\x00\\x04\\x00\\xfd\\xcb\\xce\\x04S\\x00e\\x00\\x10\\x00\\x00\\x00\\x1c\\x00\\x08\\x00\\x8b\\xc2\\xc4\\x08\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x1d\\x00\\x04\\x00\\xfd\\xcb\\xce\\x04)\\x00\\x00\\x00\\x10\\x00\\x00\\x00!\\x00\\x08\\x00\\xf7c\\x19\\xde-\\x00\\x00\\x00\\x10\\x00\\x00\\x00\"\\x00\\x04\\x00\\x15\\x83/\\x03o\\x00f\\x00\\x90\\x00\\x00\\x00\\x01\\x00\\x00\\x00 \\x00\\x00\\x00\\x07\\x00\\x00\\x000\\x00,\\x001\\x00\\x00\\x00n\\x00t\\x00\\x00\\x00A\\x00\\x10\\x00\\x00\\x00\\x10\\x00\\x04\\x00\\x00\\x00\\x00\\x00e\\x00n\\x00\\x10\\x00\\x00\\x00\\x1a\\x00\\x08\\x00>[\\xfbC\\x01\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 25360
          },
          {
            "timestamp": "2026-05-28 22:02:58,521",
            "thread_id": "8604",
            "caller": "0x7ff6c28c7164",
            "parentcaller": "0x7ff6c28c4d2d",
            "category": "misc",
            "api": "NtQuerySystemInformation",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "SystemInformationClass",
                "value": "79"
              }
            ],
            "repeated": 0,
            "id": 25361
          },
          {
            "timestamp": "2026-05-28 22:02:58,521",
            "thread_id": "8604",
            "caller": "0x7ff6c28c71d8",
            "parentcaller": "0x7ff6c28c4d2d",
            "category": "misc",
            "api": "NtQuerySystemInformation",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SystemInformationClass",
                "value": "79"
              }
            ],
            "repeated": 0,
            "id": 25362
          },
          {
            "timestamp": "2026-05-28 22:02:58,521",
            "thread_id": "8604",
            "caller": "0x7ff6c28c4d5f",
            "parentcaller": "0x7ff6c28d9152",
            "category": "misc",
            "api": "NtQuerySystemInformation",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SystemInformationClass",
                "value": "182"
              }
            ],
            "repeated": 0,
            "id": 25363
          },
          {
            "timestamp": "2026-05-28 22:02:58,521",
            "thread_id": "8604",
            "caller": "0x7ff6c28c4d76",
            "parentcaller": "0x7ff6c28d9152",
            "category": "misc",
            "api": "GetPhysicallyInstalledSystemMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TotalMemoryInKilobytes",
                "value": "8388608"
              }
            ],
            "repeated": 0,
            "id": 25364
          },
          {
            "timestamp": "2026-05-28 22:02:58,521",
            "thread_id": "8604",
            "caller": "0x7ff6c28bcc3e",
            "parentcaller": "0x7ff6c28baa3d",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000008a4"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\Nsi"
              },
              {
                "name": "IoControlCode",
                "value": "0x00120007"
              },
              {
                "name": "InputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb1\\xa9t\\xfc\\x7f\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xc0\\xe5O\\x9e\\xf0\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb1\\xa9t\\xfc\\x7f\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xc0\\xe5O\\x9e\\xf0\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 25365
          },
          {
            "timestamp": "2026-05-28 22:02:58,521",
            "thread_id": "8604",
            "caller": "0x7ff6c28bcc3e",
            "parentcaller": "0x7ff6c28baa3d",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000320"
              }
            ],
            "repeated": 0,
            "id": 25366
          },
          {
            "timestamp": "2026-05-28 22:02:58,521",
            "thread_id": "8604",
            "caller": "0x7ff6c28bcc3e",
            "parentcaller": "0x7ff6c28baa3d",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000008a4"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\Nsi"
              },
              {
                "name": "IoControlCode",
                "value": "0x0012000f"
              },
              {
                "name": "InputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb1\\xa9t\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xd0\\xe5O\\x9e\\xf0\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\xeeO\\x9e\\xf0\\x00\\x00\\x00D\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xe6O\\x9e\\xf0\\x00\\x00\\x00\\xd8\\x00\\x00\\x00\\x00\\x00\\x00\\x00 \\xe9O\\x9e\\xf0\\x00\\x00\\x00X\\x02\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb1\\xa9t\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xd0\\xe5O\\x9e\\xf0\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\xeeO\\x9e\\xf0\\x00\\x00\\x00D\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xe6O\\x9e\\xf0\\x00\\x00\\x00\\xd8\\x00\\x00\\x00\\x00\\x00\\x00\\x00 \\xe9O\\x9e\\xf0\\x00\\x00\\x00X\\x02\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 25367
          },
          {
            "timestamp": "2026-05-28 22:02:58,521",
            "thread_id": "8604",
            "caller": "0x7ff6c28bcc3e",
            "parentcaller": "0x7ff6c28baa3d",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000320"
              }
            ],
            "repeated": 0,
            "id": 25368
          },
          {
            "timestamp": "2026-05-28 22:02:58,521",
            "thread_id": "8604",
            "caller": "0x7ff6c28bcd3d",
            "parentcaller": "0x7ff6c28baa3d",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000320"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0012019f",
                "pretty_value": "FILE_GENERIC_READ|FILE_GENERIC_WRITE"
              },
              {
                "name": "FileName",
                "value": "\\Device\\{4C572733-2FBA-4346-9601-F86DBA666EF2}"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 25369
          },
          {
            "timestamp": "2026-05-28 22:02:58,521",
            "thread_id": "8604",
            "caller": "0x7ff6c28bcd94",
            "parentcaller": "0x7ff6c28baa3d",
            "category": "device",
            "api": "DeviceIoControl",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "DeviceHandle",
                "value": "0x00000320"
              },
              {
                "name": "IoControlCode",
                "value": "0x0017003e"
              },
              {
                "name": "InBuffer",
                "value": "\\x07\\x01\\x01\\x00\\x04\\x01\\x01\\x80\\x14\\x01\\x01\\x80\\x01\\x01\\x02\\x00\\x02\\x01\\x02\\x00\\x03\\x01\\x02\\x00\\x04\\x01\\x02\\x00\\x08\\x02\\x02\\x80\\x01\\x02\\x02\\x80\\x07\\x02\\x02\\x80\\xff\\xff\\xff\\x80\\x13\\x02\\x02\\x80\\x14\\x02\\x02\\x80\\x15\\x02\\x02\\x80\\x02\\x02\\x01\\x80"
              },
              {
                "name": "OutBuffer",
                "value": "\\x07\\x01\\x01\\x00\\x04\\x00\\x00\\x00\\x80\\x96\\x98\\x00\\x04\\x01\\x01\\x80\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x14\\x01\\x01\\x80\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x01\\x02\\x00\\x08\\x00\\x00\\x00\\xec\\x17\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x01\\x02\\x00\\x08\\x00\\x00\\x00!s\\x00\\x00\\x00\\x00\\x00\\x00\\x03\\x01\\x02\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x04\\x01\\x02\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x08\\x02\\x02\\x80\\x08\\x00\\x00\\x00\\x1cs\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x02\\x02\\x80\\x08\\x00\\x00\\x00\\x00Oc\\x00\\x00\\x00\\x00\\x00\\x07\\x02\\x02\\x80\\x08\\x00\\x00\\x00\nPC\\x02\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\x80\\x04\\x00\\x00\\x00|\\x00\\x00\\x00\\x13\\x02\\x02\\x80\\x04\\x00\\x00\\x00m\\x00\\x00\\x00\\x14\\x02\\x02\\x80\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x15\\x02\\x02\\x80\\x04\\x00\\x00\\x00\\x00\\x00\\x04\\x00\\x02\\x02\\x01\\x80\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 25370
          },
          {
            "timestamp": "2026-05-28 22:02:58,521",
            "thread_id": "8604",
            "caller": "0x7ff6c28bcdab",
            "parentcaller": "0x7ff6c28baa3d",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000320"
              }
            ],
            "repeated": 0,
            "id": 25371
          },
          {
            "timestamp": "2026-05-28 22:02:58,521",
            "thread_id": "8604",
            "caller": "0x7ff6c28c1a63",
            "parentcaller": "0x7ff6c28d9152",
            "category": "device",
            "api": "DeviceIoControl",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "DeviceHandle",
                "value": "0x0000089c"
              },
              {
                "name": "IoControlCode",
                "value": "0x00070020"
              },
              {
                "name": "InBuffer",
                "value": ""
              },
              {
                "name": "OutBuffer",
                "value": "\\x00\\xa8\\xfbz\\x00\\x00\\x00\\x00\\x00\\xa8\\xf8\\x0c\\x00\\x00\\x00\\x00c<\\xcf \\x00\\x00\\x00\\x00\\xf9p\\x95\\x16\\x00\\x00\\x00\\x00\\x91\\xfa\\xba7\\x00\\x00\\x00\\x00\\x8fw\\x00\\x00\\x89\\x12\\x00\\x00\\x00\\x00\\x00\\x00\\x0b\\x05\\x00\\x00\\x89j\\x82\\xbe\\xed\\xee\\xdc\\x01\\x00\\x00\\x00\\x00P\\x00a\\x00r\\x00t\\x00m\\x00g\\x00r\\x00 \\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 25372
          },
          {
            "timestamp": "2026-05-28 22:02:58,521",
            "thread_id": "8604",
            "caller": "0x7ff6c28ca352",
            "parentcaller": "0x7ff6c28ca1d6",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 25373
          },
          {
            "timestamp": "2026-05-28 22:02:58,521",
            "thread_id": "8604",
            "caller": "0x7ff6c28ca352",
            "parentcaller": "0x7ff6c28ca1d6",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "0",
                "pretty_value": "ThreadBasicInformation"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x03\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb0\\x88\\x9d\\xf0\\x00\\x00\\x00\\xe8\\x1e\\x00\\x00\\x00\\x00\\x00\\x00\\x9c!\\x00\\x00\\x00\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x0b\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "8604"
              }
            ],
            "repeated": 0,
            "id": 25374
          },
          {
            "timestamp": "2026-05-28 22:02:58,521",
            "thread_id": "8604",
            "caller": "0x7ff6c28ca352",
            "parentcaller": "0x7ff6c28ca1d6",
            "category": "system",
            "api": "GetSystemTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 1,
            "id": 25375
          },
          {
            "timestamp": "2026-05-28 22:02:58,521",
            "thread_id": "8604",
            "caller": "0x7ff6c28ca352",
            "parentcaller": "0x7ff6c28ca1d6",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000410"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\PcwDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00224013"
              },
              {
                "name": "InputBuffer",
                "value": "\\x00\t\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": "\\xe0G\\x00\\x00\\x10\\x00\\x00\\x00\\x0c\\x00\\x00\\x00\\x00\\x00\\x00\\x00`\\x14\\x00\\x00 \\x00\\x00\\x00!\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\n\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x98\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x88\\x00\\x00\\x00\\x01\\x00\\x00\\x00p\\x00i\\x00d\\x00_\\x004\\x00_\\x00l\\x00u\\x00i\\x00d\\x00_\\x000\\x00x\\x000\\x000\\x000\\x000\\x000\\x000\\x000\\x000\\x00_\\x000\\x00x\\x000\\x000\\x000\\x000\\x006\\x001\\x006\\x00A\\x00_\\x00p\\x00h\\x00y\\x00s\\x00_\\x000\\x00_\\x00e\\x00n\\x00g\\x00_\\x000\\x00_\\x00e\\x00n\\x00g\\x00t\\x00y\\x00p\\x00e\\x00_\\x003\\x00D\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x01\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x98\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x88\\x00\\x00\\x00\\x01\\x00\\x00\\x00p\\x00i\\x00d\\x00_\\x004\\x00_\\x00l\\x00u\\x00i\\x00d\\x00_\\x000\\x00x\\x000\\x000\\x000\\x000\\x000\\x000\\x000\\x00"
              }
            ],
            "repeated": 0,
            "id": 25376
          },
          {
            "timestamp": "2026-05-28 22:02:58,521",
            "thread_id": "5448",
            "caller": "0x7ff6c28c63dd",
            "parentcaller": "0x7ff6c28bac26",
            "category": "misc",
            "api": "NtQuerySystemInformation",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SystemInformationClass",
                "value": "5",
                "pretty_value": "SystemProcessInformation"
              }
            ],
            "repeated": 0,
            "id": 25377
          },
          {
            "timestamp": "2026-05-28 22:02:58,521",
            "thread_id": "5448",
            "caller": "0x7ff6c28bda50",
            "parentcaller": "0x7ff6c28d9f92",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "23"
              },
              {
                "name": "ThreadInformation",
                "value": "\\xb2S?t\\x00\\x00\\x00\\x00\\x8e\\x9c@vs\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "5448"
              }
            ],
            "repeated": 0,
            "id": 25378
          },
          {
            "timestamp": "2026-05-28 22:02:58,521",
            "thread_id": "5448",
            "caller": "0x7ff6c28bdaa2",
            "parentcaller": "0x7ff6c28d9f92",
            "category": "misc",
            "api": "NtQuerySystemInformation",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SystemInformationClass",
                "value": "3",
                "pretty_value": "SystemTimeOfDayInformation"
              }
            ],
            "repeated": 0,
            "id": 25379
          },
          {
            "timestamp": "2026-05-28 22:02:58,521",
            "thread_id": "5448",
            "caller": "0x7ff6c28c4a58",
            "parentcaller": "0x7ff6c28c4bdc",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000410"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\PcwDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00224013"
              },
              {
                "name": "InputBuffer",
                "value": "\\x14\\x04\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": "\\xb8\\x01\\x00\\x00\\x10\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xa8\\x01\\x00\\x00 \\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x000\\x00\\x00\\x0c\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00`\\x00\\x00\\x00\\x00\\x00\\x00\\x00 \\x00\\x00\\x00\\x04\\x00\\x00\\x000\\x00,\\x000\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x04\\x00\\x08\\x00V!\\x83\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x05\\x00\\x08\\x00\\xb0\\xb0\\xb6\\x01\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x1a\\x00\\x08\\x00\\xf7O\\x90>\\x01\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x1b\\x00\\x04\\x00\\xd4\\xce\\xce\\x04\\x00\\x00\\x00\\x00`\\x00\\x00\\x00\\x01\\x00\\x00\\x00 \\x00\\x00\\x00\\x04\\x00\\x00\\x000\\x00,\\x001\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x04\\x00\\x08\\x00\\xaey^\\x01\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x05\\x00\\x08\\x00T\\xea*\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x1a\\x00\\x08\\x00!w\\xfcC\\x01\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x1b\\x00\\x04\\x00\\xd8\\xce\\xce\\x04\\x00\\x00\\x00\\x00h\\x00\\x00\\x00\\x02\\x00\\x00\\x00(\\x00\\x00\\x00\\x04\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 25380
          },
          {
            "timestamp": "2026-05-28 22:02:58,521",
            "thread_id": "5448",
            "caller": "0x7ff6c28c4a58",
            "parentcaller": "0x7ff6c28c4c19",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000410"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\PcwDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00224013"
              },
              {
                "name": "InputBuffer",
                "value": "\\x18\\x04\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": "x\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00h\\x00\\x00\\x00 \\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00H\\x00\\x00\\x00\\x00\\x00\\x00\\x00(\\x00\\x00\\x00\\x02\\x00\\x00\\x00d\\x00e\\x00f\\x00a\\x00u\\x00l\\x00t\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x08\\x00\\x1br\\xe1\\xa5\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x01\\x00\\x08\\x00\\x00\\xa8\\xd6\\x0e\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 25381
          },
          {
            "timestamp": "2026-05-28 22:02:58,521",
            "thread_id": "5448",
            "caller": "0x7ff6c28c6f7b",
            "parentcaller": "0x7ff6c28bdb94",
            "category": "misc",
            "api": "GlobalMemoryStatusEx",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "MemoryLoad",
                "value": "31"
              },
              {
                "name": "TotalPhysicalMB",
                "value": "8191"
              }
            ],
            "repeated": 0,
            "id": 25382
          },
          {
            "timestamp": "2026-05-28 22:02:58,521",
            "thread_id": "5448",
            "caller": "0x7ff6c28c05ac",
            "parentcaller": "0x7ff6c28bdc11",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000320"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001400",
                "pretty_value": "PROCESS_QUERY_INFORMATION|PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "748"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\System32\\svchost.exe"
              }
            ],
            "repeated": 0,
            "id": 25383
          },
          {
            "timestamp": "2026-05-28 22:02:58,521",
            "thread_id": "5448",
            "caller": "0x7ff6c28c068f",
            "parentcaller": "0x7ff6c28bdc11",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000320"
              }
            ],
            "repeated": 0,
            "id": 25384
          },
          {
            "timestamp": "2026-05-28 22:02:58,521",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c6d7d",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000320"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001400",
                "pretty_value": "PROCESS_QUERY_INFORMATION|PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "748"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\System32\\svchost.exe"
              }
            ],
            "repeated": 0,
            "id": 25385
          },
          {
            "timestamp": "2026-05-28 22:02:58,521",
            "thread_id": "5448",
            "caller": "0x7ff6c28c6de3",
            "parentcaller": "0x7ff6c28c087c",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000320"
              }
            ],
            "repeated": 0,
            "id": 25386
          },
          {
            "timestamp": "2026-05-28 22:02:58,521",
            "thread_id": "2700",
            "caller": "0x7ff6c28d9214",
            "parentcaller": "0x00000000",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "0",
                "pretty_value": "ThreadBasicInformation"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x03\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xd0\\x86\\x9d\\xf0\\x00\\x00\\x00\\xe8\\x1e\\x00\\x00\\x00\\x00\\x00\\x00\\x8c\n\\x00\\x00\\x00\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\n\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "2700"
              }
            ],
            "repeated": 0,
            "id": 25387
          },
          {
            "timestamp": "2026-05-28 22:02:58,521",
            "thread_id": "2700",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000000",
                "pretty_value": "HKEY_CLASSES_ROOT"
              },
              {
                "name": "SubKey",
                "value": "CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_CLASSES_ROOT\\CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              }
            ],
            "repeated": 0,
            "id": 25388
          },
          {
            "timestamp": "2026-05-28 22:02:58,521",
            "thread_id": "2700",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "shell32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76730000"
              }
            ],
            "repeated": 0,
            "id": 25389
          },
          {
            "timestamp": "2026-05-28 22:02:58,521",
            "thread_id": "2700",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x7ffc76730000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "shell32.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 25390
          },
          {
            "timestamp": "2026-05-28 22:02:58,521",
            "thread_id": "2700",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "SHELL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc76730000"
              },
              {
                "name": "FunctionName",
                "value": "DllGetClassObject"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc767878f0"
              }
            ],
            "repeated": 0,
            "id": 25391
          },
          {
            "timestamp": "2026-05-28 22:02:58,521",
            "thread_id": "2700",
            "caller": "0x7ff6c28c27c9",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "synchronization",
            "api": "NtFindAtom",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "AtomName",
                "value": "{57086C23-86C6-478F-AFB2-236188C8F47F} 3"
              },
              {
                "name": "Atom",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 25392
          },
          {
            "timestamp": "2026-05-28 22:02:58,521",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6fb1",
            "parentcaller": "0x7ff6c28e0076",
            "category": "system",
            "api": "NtDelayExecution",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 25393
          },
          {
            "timestamp": "2026-05-28 22:02:58,521",
            "thread_id": "2700",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000000",
                "pretty_value": "HKEY_CLASSES_ROOT"
              },
              {
                "name": "SubKey",
                "value": "CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_CLASSES_ROOT\\CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              }
            ],
            "repeated": 0,
            "id": 25394
          },
          {
            "timestamp": "2026-05-28 22:02:58,521",
            "thread_id": "2700",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "shell32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76730000"
              }
            ],
            "repeated": 0,
            "id": 25395
          },
          {
            "timestamp": "2026-05-28 22:02:58,521",
            "thread_id": "2700",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x7ffc76730000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "shell32.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 25396
          },
          {
            "timestamp": "2026-05-28 22:02:58,521",
            "thread_id": "2700",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "SHELL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc76730000"
              },
              {
                "name": "FunctionName",
                "value": "DllGetClassObject"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc767878f0"
              }
            ],
            "repeated": 0,
            "id": 25397
          },
          {
            "timestamp": "2026-05-28 22:02:58,521",
            "thread_id": "2700",
            "caller": "0x7ff6c28c27c9",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "synchronization",
            "api": "NtFindAtom",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "AtomName",
                "value": "{57086C23-86C6-478F-AFB2-236188C8F47F} 3"
              },
              {
                "name": "Atom",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 25398
          },
          {
            "timestamp": "2026-05-28 22:02:58,521",
            "thread_id": "2700",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000000",
                "pretty_value": "HKEY_CLASSES_ROOT"
              },
              {
                "name": "SubKey",
                "value": "CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_CLASSES_ROOT\\CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              }
            ],
            "repeated": 0,
            "id": 25399
          },
          {
            "timestamp": "2026-05-28 22:02:58,521",
            "thread_id": "2700",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "shell32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76730000"
              }
            ],
            "repeated": 0,
            "id": 25400
          },
          {
            "timestamp": "2026-05-28 22:02:58,521",
            "thread_id": "2700",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x7ffc76730000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "shell32.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 25401
          },
          {
            "timestamp": "2026-05-28 22:02:58,521",
            "thread_id": "2700",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "SHELL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc76730000"
              },
              {
                "name": "FunctionName",
                "value": "DllGetClassObject"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc767878f0"
              }
            ],
            "repeated": 0,
            "id": 25402
          },
          {
            "timestamp": "2026-05-28 22:02:58,521",
            "thread_id": "2700",
            "caller": "0x7ff6c28c27c9",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "synchronization",
            "api": "NtFindAtom",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "AtomName",
                "value": "{57086C23-86C6-478F-AFB2-236188C8F47F} 3"
              },
              {
                "name": "Atom",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 25403
          },
          {
            "timestamp": "2026-05-28 22:02:58,521",
            "thread_id": "2700",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000000",
                "pretty_value": "HKEY_CLASSES_ROOT"
              },
              {
                "name": "SubKey",
                "value": "CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_CLASSES_ROOT\\CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              }
            ],
            "repeated": 0,
            "id": 25404
          },
          {
            "timestamp": "2026-05-28 22:02:58,521",
            "thread_id": "2700",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "shell32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76730000"
              }
            ],
            "repeated": 0,
            "id": 25405
          },
          {
            "timestamp": "2026-05-28 22:02:58,521",
            "thread_id": "2700",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x7ffc76730000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "shell32.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 25406
          },
          {
            "timestamp": "2026-05-28 22:02:58,521",
            "thread_id": "2700",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "SHELL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc76730000"
              },
              {
                "name": "FunctionName",
                "value": "DllGetClassObject"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc767878f0"
              }
            ],
            "repeated": 0,
            "id": 25407
          },
          {
            "timestamp": "2026-05-28 22:02:58,521",
            "thread_id": "2700",
            "caller": "0x7ff6c28c27c9",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "synchronization",
            "api": "NtFindAtom",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "AtomName",
                "value": "{57086C23-86C6-478F-AFB2-236188C8F47F} 3"
              },
              {
                "name": "Atom",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 25408
          },
          {
            "timestamp": "2026-05-28 22:02:58,521",
            "thread_id": "2700",
            "caller": "0x7ff6c28d9322",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "oleaut32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc77330000"
              }
            ],
            "repeated": 0,
            "id": 25409
          },
          {
            "timestamp": "2026-05-28 22:02:58,521",
            "thread_id": "5448",
            "caller": "0x7ff6c28bb952",
            "parentcaller": "0x7ff6c28be837",
            "category": "windows",
            "api": "PostMessageW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "WindowHandle",
                "value": "0x00010402"
              },
              {
                "name": "Message",
                "value": "0x00000464"
              }
            ],
            "repeated": 0,
            "id": 25410
          },
          {
            "timestamp": "2026-05-28 22:02:58,521",
            "thread_id": "5448",
            "caller": "0x7ff6c28be873",
            "parentcaller": "0x7ff6c28d9f92",
            "category": "windows",
            "api": "PostMessageW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "WindowHandle",
                "value": "0x000203fa"
              },
              {
                "name": "Message",
                "value": "0x000004dd"
              }
            ],
            "repeated": 0,
            "id": 25411
          },
          {
            "timestamp": "2026-05-28 22:02:58,521",
            "thread_id": "608",
            "caller": "0x7ff6c28d9e90",
            "parentcaller": "0x7ff6c28d9a49",
            "category": "windows",
            "api": "FindWindowW",
            "status": true,
            "return": "0x00010092",
            "arguments": [
              {
                "name": "ClassName",
                "value": "Shell_TrayWnd"
              },
              {
                "name": "WindowName",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 25412
          },
          {
            "timestamp": "2026-05-28 22:02:58,521",
            "thread_id": "2700",
            "caller": "0x7ffc77bf0e98",
            "parentcaller": "0x7ffc77c6b785",
            "category": "windows",
            "api": "PostMessageW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "WindowHandle",
                "value": "0x00010438"
              },
              {
                "name": "Message",
                "value": "0x00000400"
              }
            ],
            "repeated": 0,
            "id": 25413
          },
          {
            "timestamp": "2026-05-28 22:02:58,537",
            "thread_id": "2700",
            "caller": "0x7ffc77bf0e98",
            "parentcaller": "0x7ffc77c6b785",
            "category": "windows",
            "api": "PostMessageW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "WindowHandle",
                "value": "0x00010424"
              },
              {
                "name": "Message",
                "value": "0x00000400"
              }
            ],
            "repeated": 0,
            "id": 25414
          },
          {
            "timestamp": "2026-05-28 22:02:59,506",
            "thread_id": "8568",
            "caller": "0x7ff6c28c7bc0",
            "parentcaller": "0x7ff6c28c61c3",
            "category": "services",
            "api": "OpenSCManagerW",
            "status": true,
            "return": "0x292549c0dc0",
            "arguments": [
              {
                "name": "MachineName",
                "value": ""
              },
              {
                "name": "DatabaseName",
                "value": ""
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000004",
                "pretty_value": "SC_MANAGER_ENUMERATE_SERVICE"
              }
            ],
            "repeated": 0,
            "id": 25415
          },
          {
            "timestamp": "2026-05-28 22:02:59,506",
            "thread_id": "8568",
            "caller": "0x7ff6c28c7bf7",
            "parentcaller": "0x7ff6c28c61c3",
            "category": "services",
            "api": "OpenServiceW",
            "status": true,
            "return": "0x292549c0b50",
            "arguments": [
              {
                "name": "ServiceControlManager",
                "value": "0x292549c0dc0"
              },
              {
                "name": "ServiceName",
                "value": "OneSyncSvc_2cd62"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000004",
                "pretty_value": "SERVICE_QUERY_STATUS"
              }
            ],
            "repeated": 0,
            "id": 25416
          },
          {
            "timestamp": "2026-05-28 22:02:59,521",
            "thread_id": "5448",
            "caller": "0x7ff6c28bd9af",
            "parentcaller": "0x7ff6c28d9f92",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "23"
              },
              {
                "name": "ThreadInformation",
                "value": "0\\xc1at\\x00\\x00\\x00\\x00P\\xc2\\xaaQt\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "5448"
              }
            ],
            "repeated": 0,
            "id": 25417
          },
          {
            "timestamp": "2026-05-28 22:02:59,521",
            "thread_id": "2700",
            "caller": "0x7ffc77bf0e98",
            "parentcaller": "0x7ffc77c6b785",
            "category": "windows",
            "api": "PostMessageW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "WindowHandle",
                "value": "0x00010424"
              },
              {
                "name": "Message",
                "value": "0x00000400"
              }
            ],
            "repeated": 0,
            "id": 25418
          },
          {
            "timestamp": "2026-05-28 22:02:59,521",
            "thread_id": "8604",
            "caller": "0x7ff6c28c4a58",
            "parentcaller": "0x7ff6c28bab11",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000410"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\PcwDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00224013"
              },
              {
                "name": "InputBuffer",
                "value": "\\x88\\x08\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": "x\\x02\\x00\\x00\\x10\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00h\\x02\\x00\\x00 \\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01<\\x06\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x90\\x00\\x00\\x00\\x00\\x00\\x00\\x00 \\x00\\x00\\x00\\x07\\x00\\x00\\x000\\x00,\\x000\\x00\\x00\\x00a\\x00n\\x00a\\x00g\\x00\\x10\\x00\\x00\\x00\\x10\\x00\\x04\\x00\\x00\\x00\\x00\\x00A\\x00p\\x00\\x10\\x00\\x00\\x00\\x1a\\x00\\x08\\x00\\xf3\\x96HB\\x01\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x1b\\x00\\x04\\x00\\xa8T\\xd8\\x04S\\x00e\\x00\\x10\\x00\\x00\\x00\\x1c\\x00\\x08\\x00\\x8b\\xc2\\xc4\\x08\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x1d\\x00\\x04\\x00\\xa8T\\xd8\\x04)\\x00\\x00\\x00\\x10\\x00\\x00\\x00!\\x00\\x08\\x00\\xb3,_g.\\x00\\x00\\x00\\x10\\x00\\x00\\x00\"\\x00\\x04\\x00\\xc0\\x0b9\\x03o\\x00f\\x00\\x90\\x00\\x00\\x00\\x01\\x00\\x00\\x00 \\x00\\x00\\x00\\x07\\x00\\x00\\x000\\x00,\\x001\\x00\\x00\\x00n\\x00t\\x00\\x00\\x00A\\x00\\x10\\x00\\x00\\x00\\x10\\x00\\x04\\x00\\x00\\x00\\x00\\x00e\\x00n\\x00\\x10\\x00\\x00\\x00\\x1a\\x00\\x08\\x00*\\xd8\\xb4G\\x01\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 25419
          },
          {
            "timestamp": "2026-05-28 22:02:59,521",
            "thread_id": "8604",
            "caller": "0x7ff6c28c7164",
            "parentcaller": "0x7ff6c28c4d2d",
            "category": "misc",
            "api": "NtQuerySystemInformation",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "SystemInformationClass",
                "value": "79"
              }
            ],
            "repeated": 0,
            "id": 25420
          },
          {
            "timestamp": "2026-05-28 22:02:59,521",
            "thread_id": "8604",
            "caller": "0x7ff6c28c71d8",
            "parentcaller": "0x7ff6c28c4d2d",
            "category": "misc",
            "api": "NtQuerySystemInformation",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SystemInformationClass",
                "value": "79"
              }
            ],
            "repeated": 0,
            "id": 25421
          },
          {
            "timestamp": "2026-05-28 22:02:59,521",
            "thread_id": "8604",
            "caller": "0x7ff6c28c4d5f",
            "parentcaller": "0x7ff6c28d9152",
            "category": "misc",
            "api": "NtQuerySystemInformation",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SystemInformationClass",
                "value": "182"
              }
            ],
            "repeated": 0,
            "id": 25422
          },
          {
            "timestamp": "2026-05-28 22:02:59,521",
            "thread_id": "8604",
            "caller": "0x7ff6c28c4d76",
            "parentcaller": "0x7ff6c28d9152",
            "category": "misc",
            "api": "GetPhysicallyInstalledSystemMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TotalMemoryInKilobytes",
                "value": "8388608"
              }
            ],
            "repeated": 0,
            "id": 25423
          },
          {
            "timestamp": "2026-05-28 22:02:59,521",
            "thread_id": "8604",
            "caller": "0x7ff6c28bcc3e",
            "parentcaller": "0x7ff6c28baa3d",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000008a4"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\Nsi"
              },
              {
                "name": "IoControlCode",
                "value": "0x00120007"
              },
              {
                "name": "InputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb1\\xa9t\\xfc\\x7f\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xc0\\xe5O\\x9e\\xf0\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb1\\xa9t\\xfc\\x7f\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xc0\\xe5O\\x9e\\xf0\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 25424
          },
          {
            "timestamp": "2026-05-28 22:02:59,521",
            "thread_id": "8604",
            "caller": "0x7ff6c28bcc3e",
            "parentcaller": "0x7ff6c28baa3d",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000008dc"
              }
            ],
            "repeated": 0,
            "id": 25425
          },
          {
            "timestamp": "2026-05-28 22:02:59,521",
            "thread_id": "8604",
            "caller": "0x7ff6c28bcc3e",
            "parentcaller": "0x7ff6c28baa3d",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000008a4"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\Nsi"
              },
              {
                "name": "IoControlCode",
                "value": "0x0012000f"
              },
              {
                "name": "InputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb1\\xa9t\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xd0\\xe5O\\x9e\\xf0\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\xeeO\\x9e\\xf0\\x00\\x00\\x00D\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xe6O\\x9e\\xf0\\x00\\x00\\x00\\xd8\\x00\\x00\\x00\\x00\\x00\\x00\\x00 \\xe9O\\x9e\\xf0\\x00\\x00\\x00X\\x02\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb1\\xa9t\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xd0\\xe5O\\x9e\\xf0\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\xeeO\\x9e\\xf0\\x00\\x00\\x00D\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xe6O\\x9e\\xf0\\x00\\x00\\x00\\xd8\\x00\\x00\\x00\\x00\\x00\\x00\\x00 \\xe9O\\x9e\\xf0\\x00\\x00\\x00X\\x02\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 25426
          },
          {
            "timestamp": "2026-05-28 22:02:59,521",
            "thread_id": "8604",
            "caller": "0x7ff6c28bcc3e",
            "parentcaller": "0x7ff6c28baa3d",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000008dc"
              }
            ],
            "repeated": 0,
            "id": 25427
          },
          {
            "timestamp": "2026-05-28 22:02:59,521",
            "thread_id": "8604",
            "caller": "0x7ff6c28bcd3d",
            "parentcaller": "0x7ff6c28baa3d",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000008dc"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0012019f",
                "pretty_value": "FILE_GENERIC_READ|FILE_GENERIC_WRITE"
              },
              {
                "name": "FileName",
                "value": "\\Device\\{4C572733-2FBA-4346-9601-F86DBA666EF2}"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 25428
          },
          {
            "timestamp": "2026-05-28 22:02:59,521",
            "thread_id": "8604",
            "caller": "0x7ff6c28bcd94",
            "parentcaller": "0x7ff6c28baa3d",
            "category": "device",
            "api": "DeviceIoControl",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "DeviceHandle",
                "value": "0x000008dc"
              },
              {
                "name": "IoControlCode",
                "value": "0x0017003e"
              },
              {
                "name": "InBuffer",
                "value": "\\x07\\x01\\x01\\x00\\x04\\x01\\x01\\x80\\x14\\x01\\x01\\x80\\x01\\x01\\x02\\x00\\x02\\x01\\x02\\x00\\x03\\x01\\x02\\x00\\x04\\x01\\x02\\x00\\x08\\x02\\x02\\x80\\x01\\x02\\x02\\x80\\x07\\x02\\x02\\x80\\xff\\xff\\xff\\x80\\x13\\x02\\x02\\x80\\x14\\x02\\x02\\x80\\x15\\x02\\x02\\x80\\x02\\x02\\x01\\x80"
              },
              {
                "name": "OutBuffer",
                "value": "\\x07\\x01\\x01\\x00\\x04\\x00\\x00\\x00\\x80\\x96\\x98\\x00\\x04\\x01\\x01\\x80\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x14\\x01\\x01\\x80\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x01\\x02\\x00\\x08\\x00\\x00\\x00\\xf3\\x17\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x01\\x02\\x00\\x08\\x00\\x00\\x00(s\\x00\\x00\\x00\\x00\\x00\\x00\\x03\\x01\\x02\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x04\\x01\\x02\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x08\\x02\\x02\\x80\\x08\\x00\\x00\\x00#s\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x02\\x02\\x80\\x08\\x00\\x00\\x00\\xaeQc\\x00\\x00\\x00\\x00\\x00\\x07\\x02\\x02\\x80\\x08\\x00\\x00\\x00WRC\\x02\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\x80\\x04\\x00\\x00\\x00}\\x00\\x00\\x00\\x13\\x02\\x02\\x80\\x04\\x00\\x00\\x00m\\x00\\x00\\x00\\x14\\x02\\x02\\x80\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x15\\x02\\x02\\x80\\x04\\x00\\x00\\x00\\x00\\x00\\x04\\x00\\x02\\x02\\x01\\x80\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 25429
          },
          {
            "timestamp": "2026-05-28 22:02:59,521",
            "thread_id": "8604",
            "caller": "0x7ff6c28bcdab",
            "parentcaller": "0x7ff6c28baa3d",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000008dc"
              }
            ],
            "repeated": 0,
            "id": 25430
          },
          {
            "timestamp": "2026-05-28 22:02:59,521",
            "thread_id": "8604",
            "caller": "0x7ff6c28c1a63",
            "parentcaller": "0x7ff6c28d9152",
            "category": "device",
            "api": "DeviceIoControl",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "DeviceHandle",
                "value": "0x0000089c"
              },
              {
                "name": "IoControlCode",
                "value": "0x00070020"
              },
              {
                "name": "InBuffer",
                "value": ""
              },
              {
                "name": "OutBuffer",
                "value": "\\x00v\\xffz\\x00\\x00\\x00\\x00\\x00$+\r\\x00\\x00\\x00\\x00zd\\xd3 \\x00\\x00\\x00\\x00\\x95\\x1b\\xc1\\x16\\x00\\x00\\x00\\x00Cn'8\\x00\\x00\\x00\\x00\\x9ew\\x00\\x00\\xf3\\x12\\x00\\x00\\x00\\x00\\x00\\x00\r\\x05\\x00\\x00)\\xf1\\x1a\\xbf\\xed\\xee\\xdc\\x01\\x00\\x00\\x00\\x00P\\x00a\\x00r\\x00t\\x00m\\x00g\\x00r\\x00 \\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 25431
          },
          {
            "timestamp": "2026-05-28 22:02:59,521",
            "thread_id": "8604",
            "caller": "0x7ff6c28ca352",
            "parentcaller": "0x7ff6c28ca1d6",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 25432
          },
          {
            "timestamp": "2026-05-28 22:02:59,521",
            "thread_id": "8604",
            "caller": "0x7ff6c28ca352",
            "parentcaller": "0x7ff6c28ca1d6",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "0",
                "pretty_value": "ThreadBasicInformation"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x03\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb0\\x88\\x9d\\xf0\\x00\\x00\\x00\\xe8\\x1e\\x00\\x00\\x00\\x00\\x00\\x00\\x9c!\\x00\\x00\\x00\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x0b\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "8604"
              }
            ],
            "repeated": 0,
            "id": 25433
          },
          {
            "timestamp": "2026-05-28 22:02:59,521",
            "thread_id": "8604",
            "caller": "0x7ff6c28ca352",
            "parentcaller": "0x7ff6c28ca1d6",
            "category": "system",
            "api": "GetSystemTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 1,
            "id": 25434
          },
          {
            "timestamp": "2026-05-28 22:02:59,521",
            "thread_id": "8604",
            "caller": "0x7ff6c28ca352",
            "parentcaller": "0x7ff6c28ca1d6",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000410"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\PcwDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00224013"
              },
              {
                "name": "InputBuffer",
                "value": "\\x00\t\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": "\\xe0G\\x00\\x00\\x10\\x00\\x00\\x00\\x0c\\x00\\x00\\x00\\x00\\x00\\x00\\x00`\\x14\\x00\\x00 \\x00\\x00\\x00!\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\n\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x98\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x88\\x00\\x00\\x00\\x01\\x00\\x00\\x00p\\x00i\\x00d\\x00_\\x004\\x00_\\x00l\\x00u\\x00i\\x00d\\x00_\\x000\\x00x\\x000\\x000\\x000\\x000\\x000\\x000\\x000\\x000\\x00_\\x000\\x00x\\x000\\x000\\x000\\x000\\x006\\x001\\x006\\x00A\\x00_\\x00p\\x00h\\x00y\\x00s\\x00_\\x000\\x00_\\x00e\\x00n\\x00g\\x00_\\x000\\x00_\\x00e\\x00n\\x00g\\x00t\\x00y\\x00p\\x00e\\x00_\\x003\\x00D\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x01\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x98\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x88\\x00\\x00\\x00\\x01\\x00\\x00\\x00p\\x00i\\x00d\\x00_\\x004\\x00_\\x00l\\x00u\\x00i\\x00d\\x00_\\x000\\x00x\\x000\\x000\\x000\\x000\\x000\\x000\\x000\\x00"
              }
            ],
            "repeated": 0,
            "id": 25435
          },
          {
            "timestamp": "2026-05-28 22:02:59,521",
            "thread_id": "5448",
            "caller": "0x7ff6c28c63dd",
            "parentcaller": "0x7ff6c28bac26",
            "category": "misc",
            "api": "NtQuerySystemInformation",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SystemInformationClass",
                "value": "5",
                "pretty_value": "SystemProcessInformation"
              }
            ],
            "repeated": 0,
            "id": 25436
          },
          {
            "timestamp": "2026-05-28 22:02:59,521",
            "thread_id": "5448",
            "caller": "0x7ff6c28bda50",
            "parentcaller": "0x7ff6c28d9f92",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "23"
              },
              {
                "name": "ThreadInformation",
                "value": "\\xa0\\xf4\\x9ct\\x00\\x00\\x00\\x00\\xd6\\xf9\\xe7Qt\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "5448"
              }
            ],
            "repeated": 0,
            "id": 25437
          },
          {
            "timestamp": "2026-05-28 22:02:59,521",
            "thread_id": "5448",
            "caller": "0x7ff6c28bdaa2",
            "parentcaller": "0x7ff6c28d9f92",
            "category": "misc",
            "api": "NtQuerySystemInformation",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SystemInformationClass",
                "value": "3",
                "pretty_value": "SystemTimeOfDayInformation"
              }
            ],
            "repeated": 0,
            "id": 25438
          },
          {
            "timestamp": "2026-05-28 22:02:59,521",
            "thread_id": "5448",
            "caller": "0x7ff6c28c4a58",
            "parentcaller": "0x7ff6c28c4bdc",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000410"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\PcwDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00224013"
              },
              {
                "name": "InputBuffer",
                "value": "\\x14\\x04\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": "\\xb8\\x01\\x00\\x00\\x10\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xa8\\x01\\x00\\x00 \\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x000\\x00\\x00\\x0c\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00`\\x00\\x00\\x00\\x00\\x00\\x00\\x00 \\x00\\x00\\x00\\x04\\x00\\x00\\x000\\x00,\\x000\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x04\\x00\\x08\\x00V!\\x83\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x05\\x00\\x08\\x00\\xb0\\xb0\\xb6\\x01\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x1a\\x00\\x08\\x00\\x8a\\xacIB\\x01\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x1b\\x00\\x04\\x00oW\\xd8\\x04\\x00\\x00\\x00\\x00`\\x00\\x00\\x00\\x01\\x00\\x00\\x00 \\x00\\x00\\x00\\x04\\x00\\x00\\x000\\x00,\\x001\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x04\\x00\\x08\\x00\\xaey^\\x01\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x05\\x00\\x08\\x00T\\xea*\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x1a\\x00\\x08\\x00V\\xd3\\xb5G\\x01\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x1b\\x00\\x04\\x00rW\\xd8\\x04\\x00\\x00\\x00\\x00h\\x00\\x00\\x00\\x02\\x00\\x00\\x00(\\x00\\x00\\x00\\x04\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 25439
          },
          {
            "timestamp": "2026-05-28 22:02:59,521",
            "thread_id": "5448",
            "caller": "0x7ff6c28c4a58",
            "parentcaller": "0x7ff6c28c4c19",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000410"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\PcwDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00224013"
              },
              {
                "name": "InputBuffer",
                "value": "\\x18\\x04\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": "x\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00h\\x00\\x00\\x00 \\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00H\\x00\\x00\\x00\\x00\\x00\\x00\\x00(\\x00\\x00\\x00\\x02\\x00\\x00\\x00d\\x00e\\x00f\\x00a\\x00u\\x00l\\x00t\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x08\\x00\\x1b@\\xe5\\xa5\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x01\\x00\\x08\\x00\\x00$\t\\x0f\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 25440
          },
          {
            "timestamp": "2026-05-28 22:02:59,521",
            "thread_id": "5448",
            "caller": "0x7ff6c28c6f7b",
            "parentcaller": "0x7ff6c28bdb94",
            "category": "misc",
            "api": "GlobalMemoryStatusEx",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "MemoryLoad",
                "value": "31"
              },
              {
                "name": "TotalPhysicalMB",
                "value": "8191"
              }
            ],
            "repeated": 0,
            "id": 25441
          },
          {
            "timestamp": "2026-05-28 22:02:59,521",
            "thread_id": "5448",
            "caller": "0x7ff6c28c05ac",
            "parentcaller": "0x7ff6c28bdc11",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000320"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001400",
                "pretty_value": "PROCESS_QUERY_INFORMATION|PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "748"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\System32\\svchost.exe"
              }
            ],
            "repeated": 0,
            "id": 25442
          },
          {
            "timestamp": "2026-05-28 22:02:59,521",
            "thread_id": "5448",
            "caller": "0x7ff6c28c068f",
            "parentcaller": "0x7ff6c28bdc11",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000320"
              }
            ],
            "repeated": 0,
            "id": 25443
          },
          {
            "timestamp": "2026-05-28 22:02:59,521",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c6d7d",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000320"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001400",
                "pretty_value": "PROCESS_QUERY_INFORMATION|PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "748"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\System32\\svchost.exe"
              }
            ],
            "repeated": 0,
            "id": 25444
          },
          {
            "timestamp": "2026-05-28 22:02:59,521",
            "thread_id": "5448",
            "caller": "0x7ff6c28c6de3",
            "parentcaller": "0x7ff6c28c087c",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000320"
              }
            ],
            "repeated": 0,
            "id": 25445
          },
          {
            "timestamp": "2026-05-28 22:02:59,521",
            "thread_id": "2700",
            "caller": "0x7ff6c28d9214",
            "parentcaller": "0x00000000",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "0",
                "pretty_value": "ThreadBasicInformation"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x03\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xd0\\x86\\x9d\\xf0\\x00\\x00\\x00\\xe8\\x1e\\x00\\x00\\x00\\x00\\x00\\x00\\x8c\n\\x00\\x00\\x00\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\n\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "2700"
              }
            ],
            "repeated": 0,
            "id": 25446
          },
          {
            "timestamp": "2026-05-28 22:02:59,521",
            "thread_id": "2700",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000000",
                "pretty_value": "HKEY_CLASSES_ROOT"
              },
              {
                "name": "SubKey",
                "value": "CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_CLASSES_ROOT\\CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              }
            ],
            "repeated": 0,
            "id": 25447
          },
          {
            "timestamp": "2026-05-28 22:02:59,521",
            "thread_id": "2700",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "shell32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76730000"
              }
            ],
            "repeated": 0,
            "id": 25448
          },
          {
            "timestamp": "2026-05-28 22:02:59,521",
            "thread_id": "2700",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x7ffc76730000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "shell32.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 25449
          },
          {
            "timestamp": "2026-05-28 22:02:59,521",
            "thread_id": "2700",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "SHELL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc76730000"
              },
              {
                "name": "FunctionName",
                "value": "DllGetClassObject"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc767878f0"
              }
            ],
            "repeated": 0,
            "id": 25450
          },
          {
            "timestamp": "2026-05-28 22:02:59,521",
            "thread_id": "2700",
            "caller": "0x7ff6c28c27c9",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "synchronization",
            "api": "NtFindAtom",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "AtomName",
                "value": "{57086C23-86C6-478F-AFB2-236188C8F47F} 3"
              },
              {
                "name": "Atom",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 25451
          },
          {
            "timestamp": "2026-05-28 22:02:59,521",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6fb1",
            "parentcaller": "0x7ff6c28e0076",
            "category": "system",
            "api": "NtDelayExecution",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 25452
          },
          {
            "timestamp": "2026-05-28 22:02:59,521",
            "thread_id": "2700",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000000",
                "pretty_value": "HKEY_CLASSES_ROOT"
              },
              {
                "name": "SubKey",
                "value": "CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_CLASSES_ROOT\\CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              }
            ],
            "repeated": 0,
            "id": 25453
          },
          {
            "timestamp": "2026-05-28 22:02:59,521",
            "thread_id": "2700",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "shell32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76730000"
              }
            ],
            "repeated": 0,
            "id": 25454
          },
          {
            "timestamp": "2026-05-28 22:02:59,521",
            "thread_id": "2700",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x7ffc76730000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "shell32.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 25455
          },
          {
            "timestamp": "2026-05-28 22:02:59,521",
            "thread_id": "2700",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "SHELL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc76730000"
              },
              {
                "name": "FunctionName",
                "value": "DllGetClassObject"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc767878f0"
              }
            ],
            "repeated": 0,
            "id": 25456
          },
          {
            "timestamp": "2026-05-28 22:02:59,521",
            "thread_id": "2700",
            "caller": "0x7ff6c28c27c9",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "synchronization",
            "api": "NtFindAtom",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "AtomName",
                "value": "{57086C23-86C6-478F-AFB2-236188C8F47F} 3"
              },
              {
                "name": "Atom",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 25457
          },
          {
            "timestamp": "2026-05-28 22:02:59,521",
            "thread_id": "2700",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000000",
                "pretty_value": "HKEY_CLASSES_ROOT"
              },
              {
                "name": "SubKey",
                "value": "CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_CLASSES_ROOT\\CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              }
            ],
            "repeated": 0,
            "id": 25458
          },
          {
            "timestamp": "2026-05-28 22:02:59,521",
            "thread_id": "2700",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "shell32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76730000"
              }
            ],
            "repeated": 0,
            "id": 25459
          },
          {
            "timestamp": "2026-05-28 22:02:59,521",
            "thread_id": "2700",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x7ffc76730000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "shell32.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 25460
          },
          {
            "timestamp": "2026-05-28 22:02:59,521",
            "thread_id": "2700",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "SHELL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc76730000"
              },
              {
                "name": "FunctionName",
                "value": "DllGetClassObject"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc767878f0"
              }
            ],
            "repeated": 0,
            "id": 25461
          },
          {
            "timestamp": "2026-05-28 22:02:59,521",
            "thread_id": "2700",
            "caller": "0x7ff6c28c27c9",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "synchronization",
            "api": "NtFindAtom",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "AtomName",
                "value": "{57086C23-86C6-478F-AFB2-236188C8F47F} 3"
              },
              {
                "name": "Atom",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 25462
          },
          {
            "timestamp": "2026-05-28 22:02:59,521",
            "thread_id": "2700",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000000",
                "pretty_value": "HKEY_CLASSES_ROOT"
              },
              {
                "name": "SubKey",
                "value": "CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_CLASSES_ROOT\\CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              }
            ],
            "repeated": 0,
            "id": 25463
          },
          {
            "timestamp": "2026-05-28 22:02:59,521",
            "thread_id": "2700",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "shell32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76730000"
              }
            ],
            "repeated": 0,
            "id": 25464
          },
          {
            "timestamp": "2026-05-28 22:02:59,521",
            "thread_id": "2700",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x7ffc76730000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "shell32.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 25465
          },
          {
            "timestamp": "2026-05-28 22:02:59,521",
            "thread_id": "2700",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "SHELL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc76730000"
              },
              {
                "name": "FunctionName",
                "value": "DllGetClassObject"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc767878f0"
              }
            ],
            "repeated": 0,
            "id": 25466
          },
          {
            "timestamp": "2026-05-28 22:02:59,521",
            "thread_id": "2700",
            "caller": "0x7ff6c28c27c9",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "synchronization",
            "api": "NtFindAtom",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "AtomName",
                "value": "{57086C23-86C6-478F-AFB2-236188C8F47F} 3"
              },
              {
                "name": "Atom",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 25467
          },
          {
            "timestamp": "2026-05-28 22:02:59,521",
            "thread_id": "2700",
            "caller": "0x7ff6c28d9322",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "oleaut32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc77330000"
              }
            ],
            "repeated": 0,
            "id": 25468
          },
          {
            "timestamp": "2026-05-28 22:02:59,521",
            "thread_id": "5448",
            "caller": "0x7ff6c28bb952",
            "parentcaller": "0x7ff6c28be837",
            "category": "windows",
            "api": "PostMessageW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "WindowHandle",
                "value": "0x00010402"
              },
              {
                "name": "Message",
                "value": "0x00000464"
              }
            ],
            "repeated": 0,
            "id": 25469
          },
          {
            "timestamp": "2026-05-28 22:02:59,521",
            "thread_id": "5448",
            "caller": "0x7ff6c28be873",
            "parentcaller": "0x7ff6c28d9f92",
            "category": "windows",
            "api": "PostMessageW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "WindowHandle",
                "value": "0x000203fa"
              },
              {
                "name": "Message",
                "value": "0x000004dd"
              }
            ],
            "repeated": 0,
            "id": 25470
          },
          {
            "timestamp": "2026-05-28 22:02:59,521",
            "thread_id": "608",
            "caller": "0x7ffc767aa933",
            "parentcaller": "0x7ff6c28d9e90",
            "category": "windows",
            "api": "FindWindowW",
            "status": true,
            "return": "0x00010092",
            "arguments": [
              {
                "name": "ClassName",
                "value": "Shell_TrayWnd"
              },
              {
                "name": "WindowName",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 25471
          },
          {
            "timestamp": "2026-05-28 22:02:59,521",
            "thread_id": "2700",
            "caller": "0x7ffc77bf0e98",
            "parentcaller": "0x7ffc77c6b785",
            "category": "windows",
            "api": "PostMessageW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "WindowHandle",
                "value": "0x00010438"
              },
              {
                "name": "Message",
                "value": "0x00000400"
              }
            ],
            "repeated": 0,
            "id": 25472
          },
          {
            "timestamp": "2026-05-28 22:02:59,662",
            "thread_id": "8568",
            "caller": "0x7ff6c28c7bc0",
            "parentcaller": "0x7ff6c28c61c3",
            "category": "services",
            "api": "OpenSCManagerW",
            "status": true,
            "return": "0x292549c0190",
            "arguments": [
              {
                "name": "MachineName",
                "value": ""
              },
              {
                "name": "DatabaseName",
                "value": ""
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000004",
                "pretty_value": "SC_MANAGER_ENUMERATE_SERVICE"
              }
            ],
            "repeated": 0,
            "id": 25473
          },
          {
            "timestamp": "2026-05-28 22:02:59,662",
            "thread_id": "8568",
            "caller": "0x7ff6c28c7bf7",
            "parentcaller": "0x7ff6c28c61c3",
            "category": "services",
            "api": "OpenServiceW",
            "status": true,
            "return": "0x292549c0430",
            "arguments": [
              {
                "name": "ServiceControlManager",
                "value": "0x292549c0190"
              },
              {
                "name": "ServiceName",
                "value": "DoSvc"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000004",
                "pretty_value": "SERVICE_QUERY_STATUS"
              }
            ],
            "repeated": 0,
            "id": 25474
          },
          {
            "timestamp": "2026-05-28 22:02:59,693",
            "thread_id": "8568",
            "caller": "0x7ff6c28c7bc0",
            "parentcaller": "0x7ff6c28c61c3",
            "category": "services",
            "api": "OpenSCManagerW",
            "status": true,
            "return": "0x292549c0190",
            "arguments": [
              {
                "name": "MachineName",
                "value": ""
              },
              {
                "name": "DatabaseName",
                "value": ""
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000004",
                "pretty_value": "SC_MANAGER_ENUMERATE_SERVICE"
              }
            ],
            "repeated": 0,
            "id": 25475
          },
          {
            "timestamp": "2026-05-28 22:02:59,693",
            "thread_id": "8568",
            "caller": "0x7ff6c28c7bf7",
            "parentcaller": "0x7ff6c28c61c3",
            "category": "services",
            "api": "OpenServiceW",
            "status": true,
            "return": "0x292549bfdd0",
            "arguments": [
              {
                "name": "ServiceControlManager",
                "value": "0x292549c0190"
              },
              {
                "name": "ServiceName",
                "value": "edgeupdate"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000004",
                "pretty_value": "SERVICE_QUERY_STATUS"
              }
            ],
            "repeated": 0,
            "id": 25476
          },
          {
            "timestamp": "2026-05-28 22:03:00,506",
            "thread_id": "2700",
            "caller": "0x7ffc77bf0e98",
            "parentcaller": "0x7ffc77c6b785",
            "category": "windows",
            "api": "PostMessageW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "WindowHandle",
                "value": "0x00010424"
              },
              {
                "name": "Message",
                "value": "0x00000400"
              }
            ],
            "repeated": 0,
            "id": 25477
          },
          {
            "timestamp": "2026-05-28 22:03:00,521",
            "thread_id": "5448",
            "caller": "0x7ff6c28bd9af",
            "parentcaller": "0x7ff6c28d9f92",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "23"
              },
              {
                "name": "ThreadInformation",
                "value": "\\xe0\\xe1\\xbet\\x00\\x00\\x00\\x00\\xbcyv-u\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "5448"
              }
            ],
            "repeated": 0,
            "id": 25478
          },
          {
            "timestamp": "2026-05-28 22:03:00,521",
            "thread_id": "8604",
            "caller": "0x7ff6c28c4a58",
            "parentcaller": "0x7ff6c28bab11",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000410"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\PcwDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00224013"
              },
              {
                "name": "InputBuffer",
                "value": "\\x88\\x08\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": "x\\x02\\x00\\x00\\x10\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00h\\x02\\x00\\x00 \\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01<\\x06\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x90\\x00\\x00\\x00\\x00\\x00\\x00\\x00 \\x00\\x00\\x00\\x07\\x00\\x00\\x000\\x00,\\x000\\x00\\x00\\x00a\\x00n\\x00a\\x00g\\x00\\x10\\x00\\x00\\x00\\x10\\x00\\x04\\x00\\x00\\x00\\x00\\x00A\\x00p\\x00\\x10\\x00\\x00\\x00\\x1a\\x00\\x08\\x00\\xdfr\\x03F\\x01\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x1b\\x00\\x04\\x00\\x19\\xe1\\xe1\\x04S\\x00e\\x00\\x10\\x00\\x00\\x00\\x1c\\x00\\x08\\x00\\x8b\\xc2\\xc4\\x08\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x1d\\x00\\x04\\x00\\x19\\xe1\\xe1\\x04)\\x00\\x00\\x00\\x10\\x00\\x00\\x00!\\x00\\x08\\x00\\x9fG\\xdb\\xf0.\\x00\\x00\\x00\\x10\\x00\\x00\\x00\"\\x00\\x04\\x000\\x98B\\x03o\\x00f\\x00\\x90\\x00\\x00\\x00\\x01\\x00\\x00\\x00 \\x00\\x00\\x00\\x07\\x00\\x00\\x000\\x00,\\x001\\x00\\x00\\x00n\\x00t\\x00\\x00\\x00A\\x00\\x10\\x00\\x00\\x00\\x10\\x00\\x04\\x00\\x00\\x00\\x00\\x00e\\x00n\\x00\\x10\\x00\\x00\\x00\\x1a\\x00\\x08\\x00(\\x9aoK\\x01\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 25479
          },
          {
            "timestamp": "2026-05-28 22:03:00,521",
            "thread_id": "8604",
            "caller": "0x7ff6c28c7164",
            "parentcaller": "0x7ff6c28c4d2d",
            "category": "misc",
            "api": "NtQuerySystemInformation",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "SystemInformationClass",
                "value": "79"
              }
            ],
            "repeated": 0,
            "id": 25480
          },
          {
            "timestamp": "2026-05-28 22:03:00,521",
            "thread_id": "8604",
            "caller": "0x7ff6c28c71d8",
            "parentcaller": "0x7ff6c28c4d2d",
            "category": "misc",
            "api": "NtQuerySystemInformation",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SystemInformationClass",
                "value": "79"
              }
            ],
            "repeated": 0,
            "id": 25481
          },
          {
            "timestamp": "2026-05-28 22:03:00,521",
            "thread_id": "8604",
            "caller": "0x7ff6c28c4d5f",
            "parentcaller": "0x7ff6c28d9152",
            "category": "misc",
            "api": "NtQuerySystemInformation",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SystemInformationClass",
                "value": "182"
              }
            ],
            "repeated": 0,
            "id": 25482
          },
          {
            "timestamp": "2026-05-28 22:03:00,521",
            "thread_id": "8604",
            "caller": "0x7ff6c28c4d76",
            "parentcaller": "0x7ff6c28d9152",
            "category": "misc",
            "api": "GetPhysicallyInstalledSystemMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TotalMemoryInKilobytes",
                "value": "8388608"
              }
            ],
            "repeated": 0,
            "id": 25483
          },
          {
            "timestamp": "2026-05-28 22:03:00,521",
            "thread_id": "8604",
            "caller": "0x7ff6c28bcc3e",
            "parentcaller": "0x7ff6c28baa3d",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000008a4"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\Nsi"
              },
              {
                "name": "IoControlCode",
                "value": "0x00120007"
              },
              {
                "name": "InputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb1\\xa9t\\xfc\\x7f\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xc0\\xe5O\\x9e\\xf0\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb1\\xa9t\\xfc\\x7f\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xc0\\xe5O\\x9e\\xf0\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 25484
          },
          {
            "timestamp": "2026-05-28 22:03:00,521",
            "thread_id": "8604",
            "caller": "0x7ff6c28bcc3e",
            "parentcaller": "0x7ff6c28baa3d",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000320"
              }
            ],
            "repeated": 0,
            "id": 25485
          },
          {
            "timestamp": "2026-05-28 22:03:00,521",
            "thread_id": "5448",
            "caller": "0x7ff6c28c63dd",
            "parentcaller": "0x7ff6c28bac26",
            "category": "misc",
            "api": "NtQuerySystemInformation",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SystemInformationClass",
                "value": "5",
                "pretty_value": "FILE_OVERWRITE_IF"
              }
            ],
            "repeated": 0,
            "id": 25486
          },
          {
            "timestamp": "2026-05-28 22:03:00,521",
            "thread_id": "5448",
            "caller": "0x7ff6c28bda50",
            "parentcaller": "0x7ff6c28d9f92",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "23"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x8a\\xa5\\x02u\\x00\\x00\\x00\\x004\\xaa\\xbd-u\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "5448"
              }
            ],
            "repeated": 0,
            "id": 25487
          },
          {
            "timestamp": "2026-05-28 22:03:00,521",
            "thread_id": "5448",
            "caller": "0x7ff6c28bdaa2",
            "parentcaller": "0x7ff6c28d9f92",
            "category": "misc",
            "api": "NtQuerySystemInformation",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SystemInformationClass",
                "value": "3",
                "pretty_value": "FILE_OPEN_IF"
              }
            ],
            "repeated": 0,
            "id": 25488
          },
          {
            "timestamp": "2026-05-28 22:03:00,521",
            "thread_id": "8604",
            "caller": "0x7ff6c28bcc3e",
            "parentcaller": "0x7ff6c28baa3d",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000008a4"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\Nsi"
              },
              {
                "name": "IoControlCode",
                "value": "0x0012000f"
              },
              {
                "name": "InputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb1\\xa9t\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xd0\\xe5O\\x9e\\xf0\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\xeeO\\x9e\\xf0\\x00\\x00\\x00D\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xe6O\\x9e\\xf0\\x00\\x00\\x00\\xd8\\x00\\x00\\x00\\x00\\x00\\x00\\x00 \\xe9O\\x9e\\xf0\\x00\\x00\\x00X\\x02\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb1\\xa9t\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xd0\\xe5O\\x9e\\xf0\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\xeeO\\x9e\\xf0\\x00\\x00\\x00D\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xe6O\\x9e\\xf0\\x00\\x00\\x00\\xd8\\x00\\x00\\x00\\x00\\x00\\x00\\x00 \\xe9O\\x9e\\xf0\\x00\\x00\\x00X\\x02\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 25489
          },
          {
            "timestamp": "2026-05-28 22:03:00,521",
            "thread_id": "8604",
            "caller": "0x7ff6c28bcc3e",
            "parentcaller": "0x7ff6c28baa3d",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000320"
              }
            ],
            "repeated": 0,
            "id": 25490
          },
          {
            "timestamp": "2026-05-28 22:03:00,521",
            "thread_id": "8604",
            "caller": "0x7ff6c28bcd3d",
            "parentcaller": "0x7ff6c28baa3d",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000320"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0012019f",
                "pretty_value": "FILE_GENERIC_READ|FILE_GENERIC_WRITE"
              },
              {
                "name": "FileName",
                "value": "\\Device\\{4C572733-2FBA-4346-9601-F86DBA666EF2}"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 25491
          },
          {
            "timestamp": "2026-05-28 22:03:00,521",
            "thread_id": "5448",
            "caller": "0x7ff6c28c4a58",
            "parentcaller": "0x7ff6c28c4bdc",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000410"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\PcwDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00224013"
              },
              {
                "name": "InputBuffer",
                "value": "\\x14\\x04\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": "\\xb8\\x01\\x00\\x00\\x10\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xa8\\x01\\x00\\x00 \\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x000\\x00\\x00\\x0c\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00`\\x00\\x00\\x00\\x00\\x00\\x00\\x00 \\x00\\x00\\x00\\x04\\x00\\x00\\x000\\x00,\\x000\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x04\\x00\\x08\\x00V!\\x83\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x05\\x00\\x08\\x00\\xb0\\xb0\\xb6\\x01\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x1a\\x00\\x08\\x00V\\xd9\\x03F\\x01\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x1b\\x00\\x04\\x00\\x1f\\xe2\\xe1\\x04\\x00\\x00\\x00\\x00`\\x00\\x00\\x00\\x01\\x00\\x00\\x00 \\x00\\x00\\x00\\x04\\x00\\x00\\x000\\x00,\\x001\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x04\\x00\\x08\\x00\\xaey^\\x01\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x05\\x00\\x08\\x00\\xaeL-\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x1a\\x00\\x08\\x00\\x1c\\x00pK\\x01\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x1b\\x00\\x04\\x00\"\\xe2\\xe1\\x04\\x00\\x00\\x00\\x00h\\x00\\x00\\x00\\x02\\x00\\x00\\x00(\\x00\\x00\\x00\\x04\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 25492
          },
          {
            "timestamp": "2026-05-28 22:03:00,521",
            "thread_id": "5448",
            "caller": "0x7ff6c28c4a58",
            "parentcaller": "0x7ff6c28c4c19",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000410"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\PcwDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00224013"
              },
              {
                "name": "InputBuffer",
                "value": "\\x18\\x04\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": "x\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00h\\x00\\x00\\x00 \\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00H\\x00\\x00\\x00\\x00\\x00\\x00\\x00(\\x00\\x00\\x00\\x02\\x00\\x00\\x00d\\x00e\\x00f\\x00a\\x00u\\x00l\\x00t\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x08\\x00\\x1b\\xa2\\x19\\xa6\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x01\\x00\\x08\\x00\\x00$\n\\x0f\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 25493
          },
          {
            "timestamp": "2026-05-28 22:03:00,521",
            "thread_id": "5448",
            "caller": "0x7ff6c28c6f7b",
            "parentcaller": "0x7ff6c28bdb94",
            "category": "misc",
            "api": "GlobalMemoryStatusEx",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "MemoryLoad",
                "value": "31"
              },
              {
                "name": "TotalPhysicalMB",
                "value": "8191"
              }
            ],
            "repeated": 0,
            "id": 25494
          },
          {
            "timestamp": "2026-05-28 22:03:00,521",
            "thread_id": "5448",
            "caller": "0x7ff6c28c05ac",
            "parentcaller": "0x7ff6c28bdc11",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000008dc"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001400",
                "pretty_value": "PROCESS_QUERY_INFORMATION|PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "748"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\System32\\svchost.exe"
              }
            ],
            "repeated": 0,
            "id": 25495
          },
          {
            "timestamp": "2026-05-28 22:03:00,521",
            "thread_id": "5448",
            "caller": "0x7ff6c28c068f",
            "parentcaller": "0x7ff6c28bdc11",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000008dc"
              }
            ],
            "repeated": 0,
            "id": 25496
          },
          {
            "timestamp": "2026-05-28 22:03:00,521",
            "thread_id": "8604",
            "caller": "0x7ff6c28bcd94",
            "parentcaller": "0x7ff6c28baa3d",
            "category": "device",
            "api": "DeviceIoControl",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "DeviceHandle",
                "value": "0x00000320"
              },
              {
                "name": "IoControlCode",
                "value": "0x0017003e"
              },
              {
                "name": "InBuffer",
                "value": "\\x07\\x01\\x01\\x00\\x04\\x01\\x01\\x80\\x14\\x01\\x01\\x80\\x01\\x01\\x02\\x00\\x02\\x01\\x02\\x00\\x03\\x01\\x02\\x00\\x04\\x01\\x02\\x00\\x08\\x02\\x02\\x80\\x01\\x02\\x02\\x80\\x07\\x02\\x02\\x80\\xff\\xff\\xff\\x80\\x13\\x02\\x02\\x80\\x14\\x02\\x02\\x80\\x15\\x02\\x02\\x80\\x02\\x02\\x01\\x80"
              },
              {
                "name": "OutBuffer",
                "value": "\\x07\\x01\\x01\\x00\\x04\\x00\\x00\\x00\\x80\\x96\\x98\\x00\\x04\\x01\\x01\\x80\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x14\\x01\\x01\\x80\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x01\\x02\\x00\\x08\\x00\\x00\\x00\\x0e\\x18\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x01\\x02\\x00\\x08\\x00\\x00\\x00Bs\\x00\\x00\\x00\\x00\\x00\\x00\\x03\\x01\\x02\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x04\\x01\\x02\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x08\\x02\\x02\\x80\\x08\\x00\\x00\\x00=s\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x02\\x02\\x80\\x08\\x00\\x00\\x00\\xe7kc\\x00\\x00\\x00\\x00\\x00\\x07\\x02\\x02\\x80\\x08\\x00\\x00\\x00\\x1eYC\\x02\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\x80\\x04\\x00\\x00\\x00~\\x00\\x00\\x00\\x13\\x02\\x02\\x80\\x04\\x00\\x00\\x00m\\x00\\x00\\x00\\x14\\x02\\x02\\x80\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x15\\x02\\x02\\x80\\x04\\x00\\x00\\x00\\x00\\x00\\x04\\x00\\x02\\x02\\x01\\x80\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 25497
          },
          {
            "timestamp": "2026-05-28 22:03:00,521",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c6d7d",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000008dc"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001400",
                "pretty_value": "PROCESS_QUERY_INFORMATION|PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "748"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\System32\\svchost.exe"
              }
            ],
            "repeated": 0,
            "id": 25498
          },
          {
            "timestamp": "2026-05-28 22:03:00,521",
            "thread_id": "8604",
            "caller": "0x7ff6c28bcdab",
            "parentcaller": "0x7ff6c28baa3d",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000320"
              }
            ],
            "repeated": 0,
            "id": 25499
          },
          {
            "timestamp": "2026-05-28 22:03:00,521",
            "thread_id": "5448",
            "caller": "0x7ff6c28c6de3",
            "parentcaller": "0x7ff6c28c087c",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000008dc"
              }
            ],
            "repeated": 0,
            "id": 25500
          },
          {
            "timestamp": "2026-05-28 22:03:00,521",
            "thread_id": "8604",
            "caller": "0x7ff6c28c1a63",
            "parentcaller": "0x7ff6c28d9152",
            "category": "device",
            "api": "DeviceIoControl",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "DeviceHandle",
                "value": "0x0000089c"
              },
              {
                "name": "IoControlCode",
                "value": "0x00070020"
              },
              {
                "name": "InBuffer",
                "value": ""
              },
              {
                "name": "OutBuffer",
                "value": "\\x00\\xd83{\\x00\\x00\\x00\\x00\\x00$,\r\\x00\\x00\\x00\\x00\\xb4\\x1e\\xd8 \\x00\\x00\\x00\\x00\\x0e+\\xc1\\x16\\x00\\x00\\x00\\x00\\xeb\\x85\\xbb8\\x00\\x00\\x00\\x001x\\x00\\x00\\xf7\\x12\\x00\\x00\\x00\\x00\\x00\\x00\\x18\\x05\\x00\\x00\\xfd\\x96\\xb3\\xbf\\xed\\xee\\xdc\\x01\\x00\\x00\\x00\\x00P\\x00a\\x00r\\x00t\\x00m\\x00g\\x00r\\x00 \\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 25501
          },
          {
            "timestamp": "2026-05-28 22:03:00,521",
            "thread_id": "8604",
            "caller": "0x7ff6c28ca352",
            "parentcaller": "0x7ff6c28ca1d6",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 25502
          },
          {
            "timestamp": "2026-05-28 22:03:00,521",
            "thread_id": "8604",
            "caller": "0x7ff6c28ca352",
            "parentcaller": "0x7ff6c28ca1d6",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "0",
                "pretty_value": "ThreadBasicInformation"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x03\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb0\\x88\\x9d\\xf0\\x00\\x00\\x00\\xe8\\x1e\\x00\\x00\\x00\\x00\\x00\\x00\\x9c!\\x00\\x00\\x00\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x0b\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "8604"
              }
            ],
            "repeated": 0,
            "id": 25503
          },
          {
            "timestamp": "2026-05-28 22:03:00,521",
            "thread_id": "8604",
            "caller": "0x7ff6c28ca352",
            "parentcaller": "0x7ff6c28ca1d6",
            "category": "system",
            "api": "GetSystemTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 1,
            "id": 25504
          },
          {
            "timestamp": "2026-05-28 22:03:00,521",
            "thread_id": "8604",
            "caller": "0x7ff6c28ca352",
            "parentcaller": "0x7ff6c28ca1d6",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000410"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\PcwDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00224013"
              },
              {
                "name": "InputBuffer",
                "value": "\\x00\t\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": "\\xe0G\\x00\\x00\\x10\\x00\\x00\\x00\\x0c\\x00\\x00\\x00\\x00\\x00\\x00\\x00`\\x14\\x00\\x00 \\x00\\x00\\x00!\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\n\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x98\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x88\\x00\\x00\\x00\\x01\\x00\\x00\\x00p\\x00i\\x00d\\x00_\\x004\\x00_\\x00l\\x00u\\x00i\\x00d\\x00_\\x000\\x00x\\x000\\x000\\x000\\x000\\x000\\x000\\x000\\x000\\x00_\\x000\\x00x\\x000\\x000\\x000\\x000\\x006\\x001\\x006\\x00A\\x00_\\x00p\\x00h\\x00y\\x00s\\x00_\\x000\\x00_\\x00e\\x00n\\x00g\\x00_\\x000\\x00_\\x00e\\x00n\\x00g\\x00t\\x00y\\x00p\\x00e\\x00_\\x003\\x00D\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x01\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x98\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x88\\x00\\x00\\x00\\x01\\x00\\x00\\x00p\\x00i\\x00d\\x00_\\x004\\x00_\\x00l\\x00u\\x00i\\x00d\\x00_\\x000\\x00x\\x000\\x000\\x000\\x000\\x000\\x000\\x000\\x00"
              }
            ],
            "repeated": 0,
            "id": 25505
          },
          {
            "timestamp": "2026-05-28 22:03:00,537",
            "thread_id": "5448",
            "caller": "0x7ff6c28c05ac",
            "parentcaller": "0x7ff6c28bdc11",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000008dc"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001400",
                "pretty_value": "PROCESS_QUERY_INFORMATION|PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "9192"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\System32\\svchost.exe"
              }
            ],
            "repeated": 0,
            "id": 25506
          },
          {
            "timestamp": "2026-05-28 22:03:00,537",
            "thread_id": "5448",
            "caller": "0x7ff6c28c068f",
            "parentcaller": "0x7ff6c28bdc11",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000008dc"
              }
            ],
            "repeated": 0,
            "id": 25507
          },
          {
            "timestamp": "2026-05-28 22:03:00,537",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c3e56",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000008dc"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001000",
                "pretty_value": "PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "9192"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\System32\\svchost.exe"
              }
            ],
            "repeated": 0,
            "id": 25508
          },
          {
            "timestamp": "2026-05-28 22:03:00,537",
            "thread_id": "5448",
            "caller": "0x7ff6c28c3ebb",
            "parentcaller": "0x7ff6c28c2d53",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000008dc"
              }
            ],
            "repeated": 0,
            "id": 25509
          },
          {
            "timestamp": "2026-05-28 22:03:00,537",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c3ffc",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000008dc"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001000",
                "pretty_value": "PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "9192"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\System32\\svchost.exe"
              }
            ],
            "repeated": 0,
            "id": 25510
          },
          {
            "timestamp": "2026-05-28 22:03:00,537",
            "thread_id": "5448",
            "caller": "0x7ff6c28c4224",
            "parentcaller": "0x7ff6c28c2da5",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000008dc"
              }
            ],
            "repeated": 0,
            "id": 25511
          },
          {
            "timestamp": "2026-05-28 22:03:00,537",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x292514c0002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\System32\\svchost.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 25512
          },
          {
            "timestamp": "2026-05-28 22:03:00,537",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "registry",
            "api": "NtOpenKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\en-US"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\en-US"
              }
            ],
            "repeated": 0,
            "id": 25513
          },
          {
            "timestamp": "2026-05-28 22:03:00,537",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000008dc"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100001",
                "pretty_value": "FILE_READ_ACCESS|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\en-US\\svchost.exe.mui"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 25514
          },
          {
            "timestamp": "2026-05-28 22:03:00,537",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000a74"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x000008dc"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\en-US\\svchost.exe.mui"
              }
            ],
            "repeated": 0,
            "id": 25515
          },
          {
            "timestamp": "2026-05-28 22:03:00,537",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000a74"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x292514d0000"
              },
              {
                "name": "SectionOffset",
                "value": "0xf09ddfcf90"
              },
              {
                "name": "ViewSize",
                "value": "0x00001000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 25516
          },
          {
            "timestamp": "2026-05-28 22:03:00,537",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a74"
              }
            ],
            "repeated": 0,
            "id": 25517
          },
          {
            "timestamp": "2026-05-28 22:03:00,537",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x292514d0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              }
            ],
            "repeated": 0,
            "id": 25518
          },
          {
            "timestamp": "2026-05-28 22:03:00,537",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000008dc"
              }
            ],
            "repeated": 0,
            "id": 25519
          },
          {
            "timestamp": "2026-05-28 22:03:00,537",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x292514c0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              }
            ],
            "repeated": 0,
            "id": 25520
          },
          {
            "timestamp": "2026-05-28 22:03:00,537",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x292514c0002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\System32\\svchost.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 25521
          },
          {
            "timestamp": "2026-05-28 22:03:00,537",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "registry",
            "api": "NtOpenKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\en-US"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\en-US"
              }
            ],
            "repeated": 0,
            "id": 25522
          },
          {
            "timestamp": "2026-05-28 22:03:00,537",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000008dc"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100001",
                "pretty_value": "FILE_READ_ACCESS|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\en-US\\svchost.exe.mui"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 25523
          },
          {
            "timestamp": "2026-05-28 22:03:00,537",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000a74"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x000008dc"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\en-US\\svchost.exe.mui"
              }
            ],
            "repeated": 0,
            "id": 25524
          },
          {
            "timestamp": "2026-05-28 22:03:00,537",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000a74"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x292514d0000"
              },
              {
                "name": "SectionOffset",
                "value": "0xf09ddfcf80"
              },
              {
                "name": "ViewSize",
                "value": "0x00001000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 25525
          },
          {
            "timestamp": "2026-05-28 22:03:00,537",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a74"
              }
            ],
            "repeated": 0,
            "id": 25526
          },
          {
            "timestamp": "2026-05-28 22:03:00,537",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x292514d0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              }
            ],
            "repeated": 0,
            "id": 25527
          },
          {
            "timestamp": "2026-05-28 22:03:00,537",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000008dc"
              }
            ],
            "repeated": 0,
            "id": 25528
          },
          {
            "timestamp": "2026-05-28 22:03:00,537",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x292514c0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              }
            ],
            "repeated": 0,
            "id": 25529
          },
          {
            "timestamp": "2026-05-28 22:03:00,584",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c38f8",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000008dc"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001410",
                "pretty_value": "PROCESS_VM_READ|PROCESS_QUERY_INFORMATION|PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "9192"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\System32\\svchost.exe"
              }
            ],
            "repeated": 0,
            "id": 25530
          },
          {
            "timestamp": "2026-05-28 22:03:00,584",
            "thread_id": "5448",
            "caller": "0x7ff6c28c53e5",
            "parentcaller": "0x7ff6c28c3945",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000008dc"
              },
              {
                "name": "BaseAddress",
                "value": "0xa4df98f000"
              },
              {
                "name": "Size",
                "value": "0x000007c8"
              },
              {
                "name": "Buffer",
                "value": "\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x006\\x80\\xf7\\x7f\\x00\\x00\\xc0\\xc4\\x13x\\xfc\\x7f\\x00\\x00\\xd02\\xe0jG\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xd9jG\\x02\\x00\\x00\\xe0\\xc0\\x13x\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00p\\x003v\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xd4jG\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00@\\xc4\\x13x\\xfc\\x7f\\x00\\x00\\x17\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00$\\xd2\\xf4}\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00P\\x07$\\xd2\\xf4}\\x00\\x00\\x00\\x008\\xd4\\xf5}\\x00\\x00(\\x029\\xd4\\xf5}\\x00\\x00P\\x06:\\xd4\\xf5}\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x80\\x9b\\x07m\\xe8\\xff\\xff\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x00 \\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x10\\x00\\x00\\x00@\\xad\\x13x\\xfc\\x7f\\x00\\x00\\x00\\x00-kG\\x02\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 25531
          },
          {
            "timestamp": "2026-05-28 22:03:00,584",
            "thread_id": "5448",
            "caller": "0x7ff6c28c5414",
            "parentcaller": "0x7ff6c28c3945",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000008dc"
              },
              {
                "name": "BaseAddress",
                "value": "0x2476ae032d0"
              },
              {
                "name": "Size",
                "value": "0x00000440"
              },
              {
                "name": "Buffer",
                "value": "4\\x07\\x00\\x004\\x07\\x00\\x00\\x01 \\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00(\\x00\\x08\\x02\\x00\\x00\\x00\\x00\\x80>\\xe0jG\\x02\\x00\\x00H\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00>\\x00@\\x00\\x00\\x00\\x00\\x00\\x189\\xe0jG\\x02\\x00\\x00f\\x00h\\x00\\x00\\x00\\x00\\x00X9\\xe0jG\\x02\\x00\\x00\\xf0'\\xe0jG\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x80\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00>\\x00@\\x00\\x00\\x00\\x00\\x00\\xc09\\xe0jG\\x02\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00:\\xe0jG\\x02\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x02:\\xe0jG\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 25532
          },
          {
            "timestamp": "2026-05-28 22:03:00,584",
            "thread_id": "5448",
            "caller": "0x7ff6c28c545d",
            "parentcaller": "0x7ff6c28c3945",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000008dc"
              },
              {
                "name": "BaseAddress",
                "value": "0x2476ae03958"
              },
              {
                "name": "Size",
                "value": "0x00000066"
              },
              {
                "name": "Buffer",
                "value": "C\\x00:\\x00\\\\x00W\\x00i\\x00n\\x00d\\x00o\\x00w\\x00s\\x00\\\\x00s\\x00y\\x00s\\x00t\\x00e\\x00m\\x003\\x002\\x00\\\\x00s\\x00v\\x00c\\x00h\\x00o\\x00s\\x00t\\x00.\\x00e\\x00x\\x00e\\x00 \\x00-\\x00k\\x00 \\x00U\\x00n\\x00i\\x00s\\x00t\\x00a\\x00c\\x00k\\x00S\\x00v\\x00c\\x00G\\x00r\\x00o\\x00u\\x00p\\x00"
              }
            ],
            "repeated": 0,
            "id": 25533
          },
          {
            "timestamp": "2026-05-28 22:03:00,584",
            "thread_id": "5448",
            "caller": "0x7ff6c28c39ad",
            "parentcaller": "0x7ff6c28c31bb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000008dc"
              }
            ],
            "repeated": 0,
            "id": 25534
          },
          {
            "timestamp": "2026-05-28 22:03:00,584",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c3746",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000008dc"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001000",
                "pretty_value": "PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "9192"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\System32\\svchost.exe"
              }
            ],
            "repeated": 0,
            "id": 25535
          },
          {
            "timestamp": "2026-05-28 22:03:00,584",
            "thread_id": "5448",
            "caller": "0x7ff6c28c472e",
            "parentcaller": "0x7ff6c28c375e",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000008dc"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x00000a74"
              }
            ],
            "repeated": 0,
            "id": 25536
          },
          {
            "timestamp": "2026-05-28 22:03:00,584",
            "thread_id": "5448",
            "caller": "0x7ff6c28c4764",
            "parentcaller": "0x7ff6c28c375e",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "39"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 25537
          },
          {
            "timestamp": "2026-05-28 22:03:00,584",
            "thread_id": "5448",
            "caller": "0x7ff6c28c47ed",
            "parentcaller": "0x7ff6c28c375e",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "39"
              },
              {
                "name": "TokenInformation",
                "value": "\\x01\\x00\\x00\\x00\\x02\\x00\\x00\\x000\\xdd$T\\x92\\x02\\x00\\x00(\\x00(\\x00\\x00\\x00\\x00\\x00\\x80\\xdd$T\\x92\\x02\\x00\\x00\\x02\\x00\\x00\\x00@\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xa8\\xdd$T\\x92\\x02\\x00\\x00 \\x00 \\x00\\x00\\x00\\x00\\x00\\xb0\\xdd$T\\x92\\x02\\x00\\x00\\x02\\x00\\x00\\x00A\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xd0\\xdd$T\\x92\\x02\\x00\\x00W\\x00I\\x00N\\x00:\\x00/\\x00/\\x00S\\x00C\\x00M\\x00U\\x00s\\x00e\\x00r\\x00S\\x00e\\x00r\\x00v\\x00i\\x00c\\x00e\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00T\\x00S\\x00A\\x00:\\x00/\\x00/\\x00P\\x00r\\x00o\\x00c\\x00U\\x00n\\x00i\\x00q\\x00u\\x00e\\x00\\xb1\\x00\\x00\\x00\\x00\\x00\\x00\\x00&\\xa5\\x0b\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 25538
          },
          {
            "timestamp": "2026-05-28 22:03:00,584",
            "thread_id": "5448",
            "caller": "0x7ff6c28c488d",
            "parentcaller": "0x7ff6c28c375e",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a74"
              }
            ],
            "repeated": 0,
            "id": 25539
          },
          {
            "timestamp": "2026-05-28 22:03:00,584",
            "thread_id": "5448",
            "caller": "0x7ff6c28c3779",
            "parentcaller": "0x7ff6c28c31c6",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000008dc"
              }
            ],
            "repeated": 0,
            "id": 25540
          },
          {
            "timestamp": "2026-05-28 22:03:00,600",
            "thread_id": "5448",
            "caller": "0x7ff6c28c05ac",
            "parentcaller": "0x7ff6c28bdc11",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000008dc"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001400",
                "pretty_value": "PROCESS_QUERY_INFORMATION|PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "9492"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\MicrosoftEdgeUpdate.exe"
              }
            ],
            "repeated": 0,
            "id": 25541
          },
          {
            "timestamp": "2026-05-28 22:03:00,600",
            "thread_id": "5448",
            "caller": "0x7ff6c28c068f",
            "parentcaller": "0x7ff6c28bdc11",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000008dc"
              }
            ],
            "repeated": 0,
            "id": 25542
          },
          {
            "timestamp": "2026-05-28 22:03:00,600",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c3e56",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000008dc"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001000",
                "pretty_value": "PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "9492"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\MicrosoftEdgeUpdate.exe"
              }
            ],
            "repeated": 0,
            "id": 25543
          },
          {
            "timestamp": "2026-05-28 22:03:00,600",
            "thread_id": "5448",
            "caller": "0x7ff6c28c3ebb",
            "parentcaller": "0x7ff6c28c2d53",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000008dc"
              }
            ],
            "repeated": 0,
            "id": 25544
          },
          {
            "timestamp": "2026-05-28 22:03:00,600",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c3ffc",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000008dc"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001000",
                "pretty_value": "PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "9492"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\MicrosoftEdgeUpdate.exe"
              }
            ],
            "repeated": 0,
            "id": 25545
          },
          {
            "timestamp": "2026-05-28 22:03:00,600",
            "thread_id": "5448",
            "caller": "0x7ff6c28c4224",
            "parentcaller": "0x7ff6c28c2da5",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000008dc"
              }
            ],
            "repeated": 0,
            "id": 25546
          },
          {
            "timestamp": "2026-05-28 22:03:00,600",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000008dc"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000400",
                "pretty_value": "PROCESS_QUERY_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "7912"
              }
            ],
            "repeated": 0,
            "id": 25547
          },
          {
            "timestamp": "2026-05-28 22:03:00,600",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x00000a74"
              }
            ],
            "repeated": 0,
            "id": 25548
          },
          {
            "timestamp": "2026-05-28 22:03:00,600",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "`\\xd8\\xdf\\x9d\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\xe9\\x03\\x00\\x00\\xfc\\x7f\\x00\\x00`^\\xe8S\\x92\\x02\\x00\\x00\\xe0\\xde\\xdf\\x9d\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xa2\\x00\\x00\\x00\\x00\\x00\\x00\\x00H\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 25549
          },
          {
            "timestamp": "2026-05-28 22:03:00,600",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "synchronization",
            "api": "NtCreateMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000320"
              },
              {
                "name": "MutexName",
                "value": "Global\\C::Users:admin:AppData:Local:Microsoft:Windows:Explorer:iconcache_idx.db!rwReaderRefs"
              },
              {
                "name": "InitialOwner",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 25550
          },
          {
            "timestamp": "2026-05-28 22:03:00,600",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a74"
              }
            ],
            "repeated": 0,
            "id": 25551
          },
          {
            "timestamp": "2026-05-28 22:03:00,600",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000008dc"
              }
            ],
            "repeated": 0,
            "id": 25552
          },
          {
            "timestamp": "2026-05-28 22:03:00,600",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000808"
              },
              {
                "name": "HandleName",
                "value": "C:\\Users\\admin\\AppData\\Local\\Microsoft\\Windows\\Explorer\\iconcache_idx.db"
              },
              {
                "name": "FileInformationClass",
                "value": "5",
                "pretty_value": "FileStandardInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\x00\\x80\\x00\\x00\\x00\\x00\\x00\\x000r\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 25553
          },
          {
            "timestamp": "2026-05-28 22:03:00,600",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000320"
              }
            ],
            "repeated": 0,
            "id": 25554
          },
          {
            "timestamp": "2026-05-28 22:03:00,600",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000320"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000400",
                "pretty_value": "PROCESS_QUERY_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "7912"
              }
            ],
            "repeated": 0,
            "id": 25555
          },
          {
            "timestamp": "2026-05-28 22:03:00,600",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x000008dc"
              }
            ],
            "repeated": 0,
            "id": 25556
          },
          {
            "timestamp": "2026-05-28 22:03:00,600",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "p\\xd8\\xdf\\x9d\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\xe9\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xbc\\x07\\x00\\x00\\x00\\x00\\x00\\x00 \\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x02\\x00\\x00\\x00\\x00\\x00\\x00]\\xddmu\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xea5\\x07Ou\\xc0\\x00\\x00\\xe8\\xf6\\x8eT\\x92\\x02\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 25557
          },
          {
            "timestamp": "2026-05-28 22:03:00,600",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "synchronization",
            "api": "NtCreateMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a74"
              },
              {
                "name": "MutexName",
                "value": "Global\\C::Users:admin:AppData:Local:Microsoft:Windows:Explorer:iconcache_idx.db!rwReaderRefs"
              },
              {
                "name": "InitialOwner",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 25558
          },
          {
            "timestamp": "2026-05-28 22:03:00,600",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000008dc"
              }
            ],
            "repeated": 0,
            "id": 25559
          },
          {
            "timestamp": "2026-05-28 22:03:00,600",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000320"
              }
            ],
            "repeated": 0,
            "id": 25560
          },
          {
            "timestamp": "2026-05-28 22:03:00,600",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a74"
              }
            ],
            "repeated": 0,
            "id": 25561
          },
          {
            "timestamp": "2026-05-28 22:03:00,600",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\program files (x86)\\microsoft\\edgeupdate\\microsoftedgeupdate.exe"
              }
            ],
            "repeated": 1,
            "id": 25562
          },
          {
            "timestamp": "2026-05-28 22:03:00,600",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x0e020002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "c:\\program files (x86)\\microsoft\\edgeupdate\\microsoftedgeupdate.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 25563
          },
          {
            "timestamp": "2026-05-28 22:03:00,600",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": false,
            "return": "0xffffffffc000003a",
            "pretty_return": "OBJECT_PATH_NOT_FOUND",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100001",
                "pretty_value": "FILE_READ_ACCESS|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\program files (x86)\\microsoft\\SystemResources\\microsoftedgeupdate.exe.mun"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 25564
          },
          {
            "timestamp": "2026-05-28 22:03:00,600",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "misc",
            "api": "FindResourceExW",
            "status": true,
            "return": "0x0e03b4a0",
            "arguments": [
              {
                "name": "Module",
                "value": "0x0e020002"
              },
              {
                "name": "Type",
                "value": "#14"
              },
              {
                "name": "Name",
                "value": "#101"
              },
              {
                "name": "Language",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 25565
          },
          {
            "timestamp": "2026-05-28 22:03:00,600",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "misc",
            "api": "LoadResource",
            "status": true,
            "return": "0x0e03e770",
            "arguments": [
              {
                "name": "Module",
                "value": "0x0e020002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x0e03b4a0"
              }
            ],
            "repeated": 0,
            "id": 25566
          },
          {
            "timestamp": "2026-05-28 22:03:00,600",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "misc",
            "api": "FindResourceExW",
            "status": true,
            "return": "0x0e03b450",
            "arguments": [
              {
                "name": "Module",
                "value": "0x0e020002"
              },
              {
                "name": "Type",
                "value": "#3"
              },
              {
                "name": "Name",
                "value": "#2"
              },
              {
                "name": "Language",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 25567
          },
          {
            "timestamp": "2026-05-28 22:03:00,600",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "misc",
            "api": "SizeofResource",
            "status": true,
            "return": "0x00000568",
            "arguments": [
              {
                "name": "ModuleHandle",
                "value": "0x0e020002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x0e03b450"
              }
            ],
            "repeated": 0,
            "id": 25568
          },
          {
            "timestamp": "2026-05-28 22:03:00,600",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "misc",
            "api": "LoadResource",
            "status": true,
            "return": "0x0e03c168",
            "arguments": [
              {
                "name": "Module",
                "value": "0x0e020002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x0e03b450"
              }
            ],
            "repeated": 0,
            "id": 25569
          },
          {
            "timestamp": "2026-05-28 22:03:00,600",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x0e020000"
              },
              {
                "name": "RegionSize",
                "value": "0x00035000"
              }
            ],
            "repeated": 0,
            "id": 25570
          },
          {
            "timestamp": "2026-05-28 22:03:00,600",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76e57000"
              },
              {
                "name": "ModuleName",
                "value": "SHELL32.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 25571
          },
          {
            "timestamp": "2026-05-28 22:03:00,600",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76e57000"
              },
              {
                "name": "ModuleName",
                "value": "SHELL32.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 25572
          },
          {
            "timestamp": "2026-05-28 22:03:00,600",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "Software\\Microsoft\\PolicyManager\\default\\DataProtection\\EDPShowIcons"
              },
              {
                "name": "Handle",
                "value": "0x00000a74"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\PolicyManager\\default\\DataProtection\\EDPShowIcons"
              }
            ],
            "repeated": 0,
            "id": 25573
          },
          {
            "timestamp": "2026-05-28 22:03:00,600",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a74"
              },
              {
                "name": "ValueName",
                "value": "PolicyType"
              },
              {
                "name": "Data",
                "value": "4"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\DataProtection\\EDPShowIcons\\PolicyType"
              }
            ],
            "repeated": 0,
            "id": 25574
          },
          {
            "timestamp": "2026-05-28 22:03:00,600",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a74"
              },
              {
                "name": "ValueName",
                "value": "Behavior"
              },
              {
                "name": "Data",
                "value": "298"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\DataProtection\\EDPShowIcons\\Behavior"
              }
            ],
            "repeated": 0,
            "id": 25575
          },
          {
            "timestamp": "2026-05-28 22:03:00,600",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a74"
              },
              {
                "name": "ValueName",
                "value": "MergeAlgorithm"
              },
              {
                "name": "Data",
                "value": "1"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\DataProtection\\EDPShowIcons\\MergeAlgorithm"
              }
            ],
            "repeated": 0,
            "id": 25576
          },
          {
            "timestamp": "2026-05-28 22:03:00,600",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a74"
              },
              {
                "name": "ValueName",
                "value": "RegKeyPathRedirectMapped"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\DataProtection\\EDPShowIcons\\RegKeyPathRedirectMapped"
              }
            ],
            "repeated": 0,
            "id": 25577
          },
          {
            "timestamp": "2026-05-28 22:03:00,600",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a74"
              },
              {
                "name": "ValueName",
                "value": "RegKeyPathRedirect"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\DataProtection\\EDPShowIcons\\RegKeyPathRedirect"
              }
            ],
            "repeated": 0,
            "id": 25578
          },
          {
            "timestamp": "2026-05-28 22:03:00,600",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a74"
              },
              {
                "name": "ValueName",
                "value": "grouppolicyname"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\DataProtection\\EDPShowIcons\\grouppolicyname"
              }
            ],
            "repeated": 0,
            "id": 25579
          },
          {
            "timestamp": "2026-05-28 22:03:00,600",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a74"
              },
              {
                "name": "ValueName",
                "value": "ADMXMetadataUser"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\DataProtection\\EDPShowIcons\\ADMXMetadataUser"
              }
            ],
            "repeated": 0,
            "id": 25580
          },
          {
            "timestamp": "2026-05-28 22:03:00,600",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a74"
              },
              {
                "name": "ValueName",
                "value": "ADMXMetadataDevice"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\DataProtection\\EDPShowIcons\\ADMXMetadataDevice"
              }
            ],
            "repeated": 0,
            "id": 25581
          },
          {
            "timestamp": "2026-05-28 22:03:00,600",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a74"
              },
              {
                "name": "ValueName",
                "value": "ADMXMetadataBoth"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\DataProtection\\EDPShowIcons\\ADMXMetadataBoth"
              }
            ],
            "repeated": 0,
            "id": 25582
          },
          {
            "timestamp": "2026-05-28 22:03:00,600",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a74"
              },
              {
                "name": "ValueName",
                "value": "30Value"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\DataProtection\\EDPShowIcons\\30Value"
              }
            ],
            "repeated": 0,
            "id": 25583
          },
          {
            "timestamp": "2026-05-28 22:03:00,600",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a74"
              },
              {
                "name": "ValueName",
                "value": "Value"
              },
              {
                "name": "Data",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\DataProtection\\EDPShowIcons\\Value"
              }
            ],
            "repeated": 0,
            "id": 25584
          },
          {
            "timestamp": "2026-05-28 22:03:00,600",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a74"
              }
            ],
            "repeated": 0,
            "id": 25585
          },
          {
            "timestamp": "2026-05-28 22:03:00,600",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "Software\\Microsoft\\PolicyManager\\current\\Device\\DataProtection"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\PolicyManager\\current\\Device\\DataProtection"
              }
            ],
            "repeated": 0,
            "id": 25586
          },
          {
            "timestamp": "2026-05-28 22:03:00,600",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "COMCTL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc61e00000"
              },
              {
                "name": "FunctionName",
                "value": "ImageList_Create"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc61e7c560"
              }
            ],
            "repeated": 0,
            "id": 25587
          },
          {
            "timestamp": "2026-05-28 22:03:00,600",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "COMCTL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc61e00000"
              },
              {
                "name": "FunctionName",
                "value": "ImageList_ReplaceIcon"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc61e7ddf0"
              }
            ],
            "repeated": 0,
            "id": 25588
          },
          {
            "timestamp": "2026-05-28 22:03:00,600",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "COMCTL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc61e00000"
              },
              {
                "name": "FunctionName",
                "value": "HIMAGELIST_QueryInterface"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc61e7fa20"
              }
            ],
            "repeated": 0,
            "id": 25589
          },
          {
            "timestamp": "2026-05-28 22:03:00,600",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "COMCTL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc61e00000"
              },
              {
                "name": "FunctionName",
                "value": "ImageList_Destroy"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc61e7ba60"
              }
            ],
            "repeated": 0,
            "id": 25590
          },
          {
            "timestamp": "2026-05-28 22:03:00,600",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a74"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000400",
                "pretty_value": "PROCESS_QUERY_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "7912"
              }
            ],
            "repeated": 0,
            "id": 25591
          },
          {
            "timestamp": "2026-05-28 22:03:00,600",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x00000320"
              }
            ],
            "repeated": 0,
            "id": 25592
          },
          {
            "timestamp": "2026-05-28 22:03:00,600",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "@\\xd2\\xdf\\x9d\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\xe9\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00`\\xda\\xd9\\xff\\xff\\xff\\xff\\xffH\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 25593
          },
          {
            "timestamp": "2026-05-28 22:03:00,600",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "synchronization",
            "api": "NtCreateMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000008dc"
              },
              {
                "name": "MutexName",
                "value": "Global\\C::Users:admin:AppData:Local:Microsoft:Windows:Explorer:iconcache_idx.db!rwReaderRefs"
              },
              {
                "name": "InitialOwner",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 25594
          },
          {
            "timestamp": "2026-05-28 22:03:00,600",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000320"
              }
            ],
            "repeated": 0,
            "id": 25595
          },
          {
            "timestamp": "2026-05-28 22:03:00,600",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a74"
              }
            ],
            "repeated": 0,
            "id": 25596
          },
          {
            "timestamp": "2026-05-28 22:03:00,600",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000008dc"
              }
            ],
            "repeated": 0,
            "id": 25597
          },
          {
            "timestamp": "2026-05-28 22:03:00,600",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000008dc"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000400",
                "pretty_value": "PROCESS_QUERY_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "7912"
              }
            ],
            "repeated": 0,
            "id": 25598
          },
          {
            "timestamp": "2026-05-28 22:03:00,600",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x00000a74"
              }
            ],
            "repeated": 0,
            "id": 25599
          },
          {
            "timestamp": "2026-05-28 22:03:00,600",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": " \\xd2\\xdf\\x9d\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\xe9\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb9\\x00X8\\xfc\\x7f\\x00\\x00\\xe0\\xf6\\x8eT\\x92\\x02\\x00\\x00\\xf0\\xd3\\xdf\\x9d\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x9a\\x00X8\\xfc\\x7f\\x00\\x00\\xe0\\xd2\\xdf\\x9d\\xf0\\x00\\x00\\x00\\xbc\\x07\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xe0\r\\xecP\\x92\\x02\\x00\\x00\\xe0\\xf6\\x8eT\\x92\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xbc\\x07\\x00\\x00\\x00\\x00\\x00\\x00 \\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 25600
          },
          {
            "timestamp": "2026-05-28 22:03:00,600",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "synchronization",
            "api": "NtCreateMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000320"
              },
              {
                "name": "MutexName",
                "value": "Global\\C::Users:admin:AppData:Local:Microsoft:Windows:Explorer:iconcache_idx.db!rwReaderRefs"
              },
              {
                "name": "InitialOwner",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 25601
          },
          {
            "timestamp": "2026-05-28 22:03:00,600",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a74"
              }
            ],
            "repeated": 0,
            "id": 25602
          },
          {
            "timestamp": "2026-05-28 22:03:00,600",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000008dc"
              }
            ],
            "repeated": 0,
            "id": 25603
          },
          {
            "timestamp": "2026-05-28 22:03:00,600",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000320"
              }
            ],
            "repeated": 0,
            "id": 25604
          },
          {
            "timestamp": "2026-05-28 22:03:00,600",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "filesystem",
            "api": "GetDiskFreeSpaceExW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "DirectoryName",
                "value": "C:\\Users\\admin\\AppData\\Local\\Microsoft\\Windows\\Explorer"
              }
            ],
            "repeated": 0,
            "id": 25605
          },
          {
            "timestamp": "2026-05-28 22:03:00,600",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000320"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000400",
                "pretty_value": "PROCESS_QUERY_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "7912"
              }
            ],
            "repeated": 0,
            "id": 25606
          },
          {
            "timestamp": "2026-05-28 22:03:00,600",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x000008dc"
              }
            ],
            "repeated": 0,
            "id": 25607
          },
          {
            "timestamp": "2026-05-28 22:03:00,600",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xc0\\xd4\\xdf\\x9d\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\xe9\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x1fN\\x92\\x02\\x00\\x00\\xa9\\xd5\\xdf\\x9d\\xf0\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xc7\\xb3\\xffw\\xfc\\x7f\\x00\\x00\\xfa6\\x07Ou\\xc0\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x18\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xc8\\xd7\\xdf\\x9d\\xf0\\x00\\x00\\x00`^\\xe8S\\x92\\x02\\x00\\x00\\x80\\x0c\\xbfT\\x92\\x02\\x00\\x00\\xc3\\xb8\\xbfu\\xfc\\x7f\\x00\\x00\\xeb\\x11\\x050\\x00\\x00\\x00\\x00 \\xd6\\xdf\\x9d\\xf0\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 25608
          },
          {
            "timestamp": "2026-05-28 22:03:00,600",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "synchronization",
            "api": "NtCreateMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a74"
              },
              {
                "name": "MutexName",
                "value": "Global\\C::Users:admin:AppData:Local:Microsoft:Windows:Explorer:iconcache_idx.db!rwReaderRefs"
              },
              {
                "name": "InitialOwner",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 25609
          },
          {
            "timestamp": "2026-05-28 22:03:00,600",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000008dc"
              }
            ],
            "repeated": 0,
            "id": 25610
          },
          {
            "timestamp": "2026-05-28 22:03:00,600",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000320"
              }
            ],
            "repeated": 0,
            "id": 25611
          },
          {
            "timestamp": "2026-05-28 22:03:00,600",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a74"
              }
            ],
            "repeated": 0,
            "id": 25612
          },
          {
            "timestamp": "2026-05-28 22:03:00,600",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a74"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000400",
                "pretty_value": "PROCESS_QUERY_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "7912"
              }
            ],
            "repeated": 0,
            "id": 25613
          },
          {
            "timestamp": "2026-05-28 22:03:00,600",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x00000320"
              }
            ],
            "repeated": 0,
            "id": 25614
          },
          {
            "timestamp": "2026-05-28 22:03:00,600",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "`\\xd5\\xdf\\x9d\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xf0\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\xe9\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\xe0\\xd5\\xdf\\x9d\\xf0\\x00\\x00\\x00\\xc3\\xb8\\xbfu\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x83!+_\\xfc\\x7f\\x00\\x00 \\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb0\\x9e\\xf1S\\x92\\x02\\x00\\x00\\x10\\xd6\\xdf\\x9d\\xf0\\x00\\x00\\x00f@\\xedw\\xfc\\x7f\\x00\\x00\\xeb\\x11\\x050\\x00\\x00\\x00\\x00 \\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xeb\\x11\\x050\\x00\\x00\\x00\\x00\\xc9\\x1f+_\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\xfc\\x7f\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 25615
          },
          {
            "timestamp": "2026-05-28 22:03:00,600",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "synchronization",
            "api": "NtCreateMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000008dc"
              },
              {
                "name": "MutexName",
                "value": "Global\\C::Users:admin:AppData:Local:Microsoft:Windows:Explorer:iconcache_idx.db!rwReaderRefs"
              },
              {
                "name": "InitialOwner",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 25616
          },
          {
            "timestamp": "2026-05-28 22:03:00,600",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000320"
              }
            ],
            "repeated": 0,
            "id": 25617
          },
          {
            "timestamp": "2026-05-28 22:03:00,600",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a74"
              }
            ],
            "repeated": 0,
            "id": 25618
          },
          {
            "timestamp": "2026-05-28 22:03:00,600",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000008dc"
              }
            ],
            "repeated": 0,
            "id": 25619
          },
          {
            "timestamp": "2026-05-28 22:03:00,600",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000008dc"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000400",
                "pretty_value": "PROCESS_QUERY_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "7912"
              }
            ],
            "repeated": 0,
            "id": 25620
          },
          {
            "timestamp": "2026-05-28 22:03:00,600",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x00000a74"
              }
            ],
            "repeated": 0,
            "id": 25621
          },
          {
            "timestamp": "2026-05-28 22:03:00,600",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xc0\\xd4\\xdf\\x9d\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\xe9\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x1fN\\x92\\x02\\x00\\x00\\xa9\\xd5\\xdf\\x9d\\xf0\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xc7\\xb3\\xffw\\xfc\\x7f\\x00\\x00\\xfa6\\x07Ou\\xc0\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x18\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xc8\\xd7\\xdf\\x9d\\xf0\\x00\\x00\\x00`^\\xe8S\\x92\\x02\\x00\\x00\\x80\\x0c\\xbfT\\x92\\x02\\x00\\x00\\xc3\\xb8\\xbfu\\xfc\\x7f\\x00\\x00\\xeb\\x11\\x050\\x00\\x00\\x00\\x00 \\xd6\\xdf\\x9d\\xf0\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 25622
          },
          {
            "timestamp": "2026-05-28 22:03:00,600",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "synchronization",
            "api": "NtCreateMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000320"
              },
              {
                "name": "MutexName",
                "value": "Global\\C::Users:admin:AppData:Local:Microsoft:Windows:Explorer:iconcache_idx.db!rwReaderRefs"
              },
              {
                "name": "InitialOwner",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 25623
          },
          {
            "timestamp": "2026-05-28 22:03:00,600",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a74"
              }
            ],
            "repeated": 0,
            "id": 25624
          },
          {
            "timestamp": "2026-05-28 22:03:00,600",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000008dc"
              }
            ],
            "repeated": 0,
            "id": 25625
          },
          {
            "timestamp": "2026-05-28 22:03:00,600",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000320"
              }
            ],
            "repeated": 0,
            "id": 25626
          },
          {
            "timestamp": "2026-05-28 22:03:00,600",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000320"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000400",
                "pretty_value": "PROCESS_QUERY_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "7912"
              }
            ],
            "repeated": 0,
            "id": 25627
          },
          {
            "timestamp": "2026-05-28 22:03:00,600",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x000008dc"
              }
            ],
            "repeated": 0,
            "id": 25628
          },
          {
            "timestamp": "2026-05-28 22:03:00,600",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "`\\xd5\\xdf\\x9d\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xf0\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\xe9\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\xe0\\xd5\\xdf\\x9d\\xf0\\x00\\x00\\x00\\xc3\\xb8\\xbfu\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x83!+_\\xfc\\x7f\\x00\\x00 \\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb0\\x9e\\xf1S\\x92\\x02\\x00\\x00\\x10\\xd6\\xdf\\x9d\\xf0\\x00\\x00\\x00f@\\xedw\\xfc\\x7f\\x00\\x00\\xeb\\x11\\x050\\x00\\x00\\x00\\x00 \\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xeb\\x11\\x050\\x00\\x00\\x00\\x00\\xc9\\x1f+_\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\xfc\\x7f\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 25629
          },
          {
            "timestamp": "2026-05-28 22:03:00,600",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "synchronization",
            "api": "NtCreateMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a74"
              },
              {
                "name": "MutexName",
                "value": "Global\\C::Users:admin:AppData:Local:Microsoft:Windows:Explorer:iconcache_idx.db!rwReaderRefs"
              },
              {
                "name": "InitialOwner",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 25630
          },
          {
            "timestamp": "2026-05-28 22:03:00,600",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000008dc"
              }
            ],
            "repeated": 0,
            "id": 25631
          },
          {
            "timestamp": "2026-05-28 22:03:00,600",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000320"
              }
            ],
            "repeated": 0,
            "id": 25632
          },
          {
            "timestamp": "2026-05-28 22:03:00,600",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a74"
              }
            ],
            "repeated": 0,
            "id": 25633
          },
          {
            "timestamp": "2026-05-28 22:03:00,600",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a74"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000400",
                "pretty_value": "PROCESS_QUERY_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "7912"
              }
            ],
            "repeated": 0,
            "id": 25634
          },
          {
            "timestamp": "2026-05-28 22:03:00,600",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x00000320"
              }
            ],
            "repeated": 0,
            "id": 25635
          },
          {
            "timestamp": "2026-05-28 22:03:00,600",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xc0\\xd4\\xdf\\x9d\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\xe9\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x1fN\\x92\\x02\\x00\\x00\\xa9\\xd5\\xdf\\x9d\\xf0\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xc7\\xb3\\xffw\\xfc\\x7f\\x00\\x00\\xfa6\\x07Ou\\xc0\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x18\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xc8\\xd7\\xdf\\x9d\\xf0\\x00\\x00\\x00`^\\xe8S\\x92\\x02\\x00\\x00\\x80\\x0c\\xbfT\\x92\\x02\\x00\\x00\\xc3\\xb8\\xbfu\\xfc\\x7f\\x00\\x00\\xeb\\x11\\x050\\x00\\x00\\x00\\x00 \\xd6\\xdf\\x9d\\xf0\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 25636
          },
          {
            "timestamp": "2026-05-28 22:03:00,600",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "synchronization",
            "api": "NtCreateMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000008dc"
              },
              {
                "name": "MutexName",
                "value": "Global\\C::Users:admin:AppData:Local:Microsoft:Windows:Explorer:iconcache_idx.db!rwReaderRefs"
              },
              {
                "name": "InitialOwner",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 25637
          },
          {
            "timestamp": "2026-05-28 22:03:00,600",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000320"
              }
            ],
            "repeated": 0,
            "id": 25638
          },
          {
            "timestamp": "2026-05-28 22:03:00,600",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a74"
              }
            ],
            "repeated": 0,
            "id": 25639
          },
          {
            "timestamp": "2026-05-28 22:03:00,600",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000008dc"
              }
            ],
            "repeated": 0,
            "id": 25640
          },
          {
            "timestamp": "2026-05-28 22:03:00,600",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000008dc"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000400",
                "pretty_value": "PROCESS_QUERY_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "7912"
              }
            ],
            "repeated": 0,
            "id": 25641
          },
          {
            "timestamp": "2026-05-28 22:03:00,600",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x00000a74"
              }
            ],
            "repeated": 0,
            "id": 25642
          },
          {
            "timestamp": "2026-05-28 22:03:00,600",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "`\\xd5\\xdf\\x9d\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xf0\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\xe9\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\xe0\\xd5\\xdf\\x9d\\xf0\\x00\\x00\\x00\\xc3\\xb8\\xbfu\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x83!+_\\xfc\\x7f\\x00\\x00 \\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb0\\x9e\\xf1S\\x92\\x02\\x00\\x00\\x10\\xd6\\xdf\\x9d\\xf0\\x00\\x00\\x00f@\\xedw\\xfc\\x7f\\x00\\x00\\xeb\\x11\\x050\\x00\\x00\\x00\\x00 \\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xeb\\x11\\x050\\x00\\x00\\x00\\x00\\xc9\\x1f+_\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\xfc\\x7f\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 25643
          },
          {
            "timestamp": "2026-05-28 22:03:00,600",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "synchronization",
            "api": "NtCreateMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000320"
              },
              {
                "name": "MutexName",
                "value": "Global\\C::Users:admin:AppData:Local:Microsoft:Windows:Explorer:iconcache_idx.db!rwReaderRefs"
              },
              {
                "name": "InitialOwner",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 25644
          },
          {
            "timestamp": "2026-05-28 22:03:00,600",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a74"
              }
            ],
            "repeated": 0,
            "id": 25645
          },
          {
            "timestamp": "2026-05-28 22:03:00,600",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000008dc"
              }
            ],
            "repeated": 0,
            "id": 25646
          },
          {
            "timestamp": "2026-05-28 22:03:00,600",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000320"
              }
            ],
            "repeated": 0,
            "id": 25647
          },
          {
            "timestamp": "2026-05-28 22:03:00,600",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000320"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000400",
                "pretty_value": "PROCESS_QUERY_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "7912"
              }
            ],
            "repeated": 0,
            "id": 25648
          },
          {
            "timestamp": "2026-05-28 22:03:00,600",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x000008dc"
              }
            ],
            "repeated": 0,
            "id": 25649
          },
          {
            "timestamp": "2026-05-28 22:03:00,600",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xc0\\xd4\\xdf\\x9d\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\xe9\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x1fN\\x92\\x02\\x00\\x00\\xa9\\xd5\\xdf\\x9d\\xf0\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xc7\\xb3\\xffw\\xfc\\x7f\\x00\\x00\\xfa6\\x07Ou\\xc0\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x18\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xc8\\xd7\\xdf\\x9d\\xf0\\x00\\x00\\x00`^\\xe8S\\x92\\x02\\x00\\x00\\x80\\x0c\\xbfT\\x92\\x02\\x00\\x00\\xc3\\xb8\\xbfu\\xfc\\x7f\\x00\\x00\\xeb\\x11\\x050\\x00\\x00\\x00\\x00 \\xd6\\xdf\\x9d\\xf0\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 25650
          },
          {
            "timestamp": "2026-05-28 22:03:00,600",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "synchronization",
            "api": "NtCreateMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a74"
              },
              {
                "name": "MutexName",
                "value": "Global\\C::Users:admin:AppData:Local:Microsoft:Windows:Explorer:iconcache_idx.db!rwReaderRefs"
              },
              {
                "name": "InitialOwner",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 25651
          },
          {
            "timestamp": "2026-05-28 22:03:00,600",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000008dc"
              }
            ],
            "repeated": 0,
            "id": 25652
          },
          {
            "timestamp": "2026-05-28 22:03:00,600",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000320"
              }
            ],
            "repeated": 0,
            "id": 25653
          },
          {
            "timestamp": "2026-05-28 22:03:00,600",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a74"
              }
            ],
            "repeated": 0,
            "id": 25654
          },
          {
            "timestamp": "2026-05-28 22:03:00,600",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a74"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000400",
                "pretty_value": "PROCESS_QUERY_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "7912"
              }
            ],
            "repeated": 0,
            "id": 25655
          },
          {
            "timestamp": "2026-05-28 22:03:00,600",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x00000320"
              }
            ],
            "repeated": 0,
            "id": 25656
          },
          {
            "timestamp": "2026-05-28 22:03:00,600",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "`\\xd5\\xdf\\x9d\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xf0\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\xe9\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\xe0\\xd5\\xdf\\x9d\\xf0\\x00\\x00\\x00\\xc3\\xb8\\xbfu\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x83!+_\\xfc\\x7f\\x00\\x00 \\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb0\\x9e\\xf1S\\x92\\x02\\x00\\x00\\x10\\xd6\\xdf\\x9d\\xf0\\x00\\x00\\x00f@\\xedw\\xfc\\x7f\\x00\\x00\\xeb\\x11\\x050\\x00\\x00\\x00\\x00 \\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xeb\\x11\\x050\\x00\\x00\\x00\\x00\\xc9\\x1f+_\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\xfc\\x7f\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 25657
          },
          {
            "timestamp": "2026-05-28 22:03:00,600",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "synchronization",
            "api": "NtCreateMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000008dc"
              },
              {
                "name": "MutexName",
                "value": "Global\\C::Users:admin:AppData:Local:Microsoft:Windows:Explorer:iconcache_idx.db!rwReaderRefs"
              },
              {
                "name": "InitialOwner",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 25658
          },
          {
            "timestamp": "2026-05-28 22:03:00,600",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000320"
              }
            ],
            "repeated": 0,
            "id": 25659
          },
          {
            "timestamp": "2026-05-28 22:03:00,600",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a74"
              }
            ],
            "repeated": 0,
            "id": 25660
          },
          {
            "timestamp": "2026-05-28 22:03:00,600",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000008dc"
              }
            ],
            "repeated": 0,
            "id": 25661
          },
          {
            "timestamp": "2026-05-28 22:03:00,600",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000008dc"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000400",
                "pretty_value": "PROCESS_QUERY_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "7912"
              }
            ],
            "repeated": 0,
            "id": 25662
          },
          {
            "timestamp": "2026-05-28 22:03:00,600",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x00000a74"
              }
            ],
            "repeated": 0,
            "id": 25663
          },
          {
            "timestamp": "2026-05-28 22:03:00,600",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xc0\\xd4\\xdf\\x9d\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\xe9\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x1fN\\x92\\x02\\x00\\x00\\xa9\\xd5\\xdf\\x9d\\xf0\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xc7\\xb3\\xffw\\xfc\\x7f\\x00\\x00\\xfa6\\x07Ou\\xc0\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x18\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xc8\\xd7\\xdf\\x9d\\xf0\\x00\\x00\\x00`^\\xe8S\\x92\\x02\\x00\\x00\\x80\\x0c\\xbfT\\x92\\x02\\x00\\x00\\xc3\\xb8\\xbfu\\xfc\\x7f\\x00\\x00\\xeb\\x11\\x050\\x00\\x00\\x00\\x00 \\xd6\\xdf\\x9d\\xf0\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 25664
          },
          {
            "timestamp": "2026-05-28 22:03:00,600",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "synchronization",
            "api": "NtCreateMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000320"
              },
              {
                "name": "MutexName",
                "value": "Global\\C::Users:admin:AppData:Local:Microsoft:Windows:Explorer:iconcache_idx.db!rwReaderRefs"
              },
              {
                "name": "InitialOwner",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 25665
          },
          {
            "timestamp": "2026-05-28 22:03:00,600",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a74"
              }
            ],
            "repeated": 0,
            "id": 25666
          },
          {
            "timestamp": "2026-05-28 22:03:00,600",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000008dc"
              }
            ],
            "repeated": 0,
            "id": 25667
          },
          {
            "timestamp": "2026-05-28 22:03:00,600",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000320"
              }
            ],
            "repeated": 0,
            "id": 25668
          },
          {
            "timestamp": "2026-05-28 22:03:00,600",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000320"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000400",
                "pretty_value": "PROCESS_QUERY_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "7912"
              }
            ],
            "repeated": 0,
            "id": 25669
          },
          {
            "timestamp": "2026-05-28 22:03:00,600",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x000008dc"
              }
            ],
            "repeated": 0,
            "id": 25670
          },
          {
            "timestamp": "2026-05-28 22:03:00,600",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "`\\xd5\\xdf\\x9d\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xf0\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\xe9\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\xe0\\xd5\\xdf\\x9d\\xf0\\x00\\x00\\x00\\xc3\\xb8\\xbfu\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x83!+_\\xfc\\x7f\\x00\\x00 \\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb0\\x9e\\xf1S\\x92\\x02\\x00\\x00\\x10\\xd6\\xdf\\x9d\\xf0\\x00\\x00\\x00f@\\xedw\\xfc\\x7f\\x00\\x00\\xeb\\x11\\x050\\x00\\x00\\x00\\x00 \\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xeb\\x11\\x050\\x00\\x00\\x00\\x00\\xc9\\x1f+_\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\xfc\\x7f\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 25671
          },
          {
            "timestamp": "2026-05-28 22:03:00,600",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "synchronization",
            "api": "NtCreateMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a74"
              },
              {
                "name": "MutexName",
                "value": "Global\\C::Users:admin:AppData:Local:Microsoft:Windows:Explorer:iconcache_idx.db!rwReaderRefs"
              },
              {
                "name": "InitialOwner",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 25672
          },
          {
            "timestamp": "2026-05-28 22:03:00,600",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000008dc"
              }
            ],
            "repeated": 0,
            "id": 25673
          },
          {
            "timestamp": "2026-05-28 22:03:00,600",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000320"
              }
            ],
            "repeated": 0,
            "id": 25674
          },
          {
            "timestamp": "2026-05-28 22:03:00,600",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a74"
              }
            ],
            "repeated": 0,
            "id": 25675
          },
          {
            "timestamp": "2026-05-28 22:03:00,600",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a74"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000400",
                "pretty_value": "PROCESS_QUERY_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "7912"
              }
            ],
            "repeated": 0,
            "id": 25676
          },
          {
            "timestamp": "2026-05-28 22:03:00,600",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x00000320"
              }
            ],
            "repeated": 0,
            "id": 25677
          },
          {
            "timestamp": "2026-05-28 22:03:00,600",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xc0\\xd4\\xdf\\x9d\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\xe9\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x1fN\\x92\\x02\\x00\\x00\\xa9\\xd5\\xdf\\x9d\\xf0\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xc7\\xb3\\xffw\\xfc\\x7f\\x00\\x00\\xfa6\\x07Ou\\xc0\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x18\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xc8\\xd7\\xdf\\x9d\\xf0\\x00\\x00\\x00`^\\xe8S\\x92\\x02\\x00\\x00\\x80\\x0c\\xbfT\\x92\\x02\\x00\\x00\\xc3\\xb8\\xbfu\\xfc\\x7f\\x00\\x00\\xeb\\x11\\x050\\x00\\x00\\x00\\x00 \\xd6\\xdf\\x9d\\xf0\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 25678
          },
          {
            "timestamp": "2026-05-28 22:03:00,600",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "synchronization",
            "api": "NtCreateMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000008dc"
              },
              {
                "name": "MutexName",
                "value": "Global\\C::Users:admin:AppData:Local:Microsoft:Windows:Explorer:iconcache_idx.db!rwReaderRefs"
              },
              {
                "name": "InitialOwner",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 25679
          },
          {
            "timestamp": "2026-05-28 22:03:00,600",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000320"
              }
            ],
            "repeated": 0,
            "id": 25680
          },
          {
            "timestamp": "2026-05-28 22:03:00,600",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a74"
              }
            ],
            "repeated": 0,
            "id": 25681
          },
          {
            "timestamp": "2026-05-28 22:03:00,600",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000008dc"
              }
            ],
            "repeated": 0,
            "id": 25682
          },
          {
            "timestamp": "2026-05-28 22:03:00,600",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000008dc"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000400",
                "pretty_value": "PROCESS_QUERY_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "7912"
              }
            ],
            "repeated": 0,
            "id": 25683
          },
          {
            "timestamp": "2026-05-28 22:03:00,600",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x00000a74"
              }
            ],
            "repeated": 0,
            "id": 25684
          },
          {
            "timestamp": "2026-05-28 22:03:00,600",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "`\\xd5\\xdf\\x9d\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xf0\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\xe9\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\xe0\\xd5\\xdf\\x9d\\xf0\\x00\\x00\\x00\\xc3\\xb8\\xbfu\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x83!+_\\xfc\\x7f\\x00\\x00 \\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb0\\x9e\\xf1S\\x92\\x02\\x00\\x00\\x10\\xd6\\xdf\\x9d\\xf0\\x00\\x00\\x00f@\\xedw\\xfc\\x7f\\x00\\x00\\xeb\\x11\\x050\\x00\\x00\\x00\\x00 \\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xeb\\x11\\x050\\x00\\x00\\x00\\x00\\xc9\\x1f+_\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\xfc\\x7f\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 25685
          },
          {
            "timestamp": "2026-05-28 22:03:00,600",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "synchronization",
            "api": "NtCreateMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000320"
              },
              {
                "name": "MutexName",
                "value": "Global\\C::Users:admin:AppData:Local:Microsoft:Windows:Explorer:iconcache_idx.db!rwReaderRefs"
              },
              {
                "name": "InitialOwner",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 25686
          },
          {
            "timestamp": "2026-05-28 22:03:00,600",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a74"
              }
            ],
            "repeated": 0,
            "id": 25687
          },
          {
            "timestamp": "2026-05-28 22:03:00,600",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000008dc"
              }
            ],
            "repeated": 0,
            "id": 25688
          },
          {
            "timestamp": "2026-05-28 22:03:00,600",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000320"
              }
            ],
            "repeated": 0,
            "id": 25689
          },
          {
            "timestamp": "2026-05-28 22:03:00,600",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000320"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000400",
                "pretty_value": "PROCESS_QUERY_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "7912"
              }
            ],
            "repeated": 0,
            "id": 25690
          },
          {
            "timestamp": "2026-05-28 22:03:00,600",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x000008dc"
              }
            ],
            "repeated": 0,
            "id": 25691
          },
          {
            "timestamp": "2026-05-28 22:03:00,600",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xc0\\xd4\\xdf\\x9d\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\xe9\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x1fN\\x92\\x02\\x00\\x00\\xa9\\xd5\\xdf\\x9d\\xf0\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xc7\\xb3\\xffw\\xfc\\x7f\\x00\\x00\\xfa6\\x07Ou\\xc0\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x18\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xc8\\xd7\\xdf\\x9d\\xf0\\x00\\x00\\x00`^\\xe8S\\x92\\x02\\x00\\x00\\x80\\x0c\\xbfT\\x92\\x02\\x00\\x00\\xc3\\xb8\\xbfu\\xfc\\x7f\\x00\\x00\\xeb\\x11\\x050\\x00\\x00\\x00\\x00 \\xd6\\xdf\\x9d\\xf0\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 25692
          },
          {
            "timestamp": "2026-05-28 22:03:00,600",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "synchronization",
            "api": "NtCreateMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a74"
              },
              {
                "name": "MutexName",
                "value": "Global\\C::Users:admin:AppData:Local:Microsoft:Windows:Explorer:iconcache_idx.db!rwReaderRefs"
              },
              {
                "name": "InitialOwner",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 25693
          },
          {
            "timestamp": "2026-05-28 22:03:00,600",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000008dc"
              }
            ],
            "repeated": 0,
            "id": 25694
          },
          {
            "timestamp": "2026-05-28 22:03:00,600",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000320"
              }
            ],
            "repeated": 0,
            "id": 25695
          },
          {
            "timestamp": "2026-05-28 22:03:00,615",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a74"
              }
            ],
            "repeated": 0,
            "id": 25696
          },
          {
            "timestamp": "2026-05-28 22:03:00,615",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a74"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000400",
                "pretty_value": "PROCESS_QUERY_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "7912"
              }
            ],
            "repeated": 0,
            "id": 25697
          },
          {
            "timestamp": "2026-05-28 22:03:00,615",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x00000a54"
              }
            ],
            "repeated": 0,
            "id": 25698
          },
          {
            "timestamp": "2026-05-28 22:03:00,615",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "`\\xd5\\xdf\\x9d\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xf0\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\xe9\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\xe0\\xd5\\xdf\\x9d\\xf0\\x00\\x00\\x00\\xc3\\xb8\\xbfu\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x83!+_\\xfc\\x7f\\x00\\x00 \\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb0\\x9e\\xf1S\\x92\\x02\\x00\\x00\\x10\\xd6\\xdf\\x9d\\xf0\\x00\\x00\\x00f@\\xedw\\xfc\\x7f\\x00\\x00\\xeb\\x11\\x050\\x00\\x00\\x00\\x00 \\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xeb\\x11\\x050\\x00\\x00\\x00\\x00\\xc9\\x1f+_\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\xfc\\x7f\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 25699
          },
          {
            "timestamp": "2026-05-28 22:03:00,615",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "synchronization",
            "api": "NtCreateMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a60"
              },
              {
                "name": "MutexName",
                "value": "Global\\C::Users:admin:AppData:Local:Microsoft:Windows:Explorer:iconcache_idx.db!rwReaderRefs"
              },
              {
                "name": "InitialOwner",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 25700
          },
          {
            "timestamp": "2026-05-28 22:03:00,615",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a54"
              }
            ],
            "repeated": 0,
            "id": 25701
          },
          {
            "timestamp": "2026-05-28 22:03:00,615",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a74"
              }
            ],
            "repeated": 0,
            "id": 25702
          },
          {
            "timestamp": "2026-05-28 22:03:00,615",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a60"
              }
            ],
            "repeated": 0,
            "id": 25703
          },
          {
            "timestamp": "2026-05-28 22:03:00,615",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a60"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000400",
                "pretty_value": "PROCESS_QUERY_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "7912"
              }
            ],
            "repeated": 0,
            "id": 25704
          },
          {
            "timestamp": "2026-05-28 22:03:00,615",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x00000a74"
              }
            ],
            "repeated": 0,
            "id": 25705
          },
          {
            "timestamp": "2026-05-28 22:03:00,615",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xc0\\xd4\\xdf\\x9d\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\xe9\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x1fN\\x92\\x02\\x00\\x00\\xa9\\xd5\\xdf\\x9d\\xf0\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xc7\\xb3\\xffw\\xfc\\x7f\\x00\\x00\\xfa6\\x07Ou\\xc0\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x18\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xc8\\xd7\\xdf\\x9d\\xf0\\x00\\x00\\x00`^\\xe8S\\x92\\x02\\x00\\x00\\x80\\x0c\\xbfT\\x92\\x02\\x00\\x00\\xc3\\xb8\\xbfu\\xfc\\x7f\\x00\\x00\\xeb\\x11\\x050\\x00\\x00\\x00\\x00 \\xd6\\xdf\\x9d\\xf0\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 25706
          },
          {
            "timestamp": "2026-05-28 22:03:00,615",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "synchronization",
            "api": "NtCreateMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a54"
              },
              {
                "name": "MutexName",
                "value": "Global\\C::Users:admin:AppData:Local:Microsoft:Windows:Explorer:iconcache_idx.db!rwReaderRefs"
              },
              {
                "name": "InitialOwner",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 25707
          },
          {
            "timestamp": "2026-05-28 22:03:00,615",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a74"
              }
            ],
            "repeated": 0,
            "id": 25708
          },
          {
            "timestamp": "2026-05-28 22:03:00,615",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a60"
              }
            ],
            "repeated": 0,
            "id": 25709
          },
          {
            "timestamp": "2026-05-28 22:03:00,615",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a54"
              }
            ],
            "repeated": 0,
            "id": 25710
          },
          {
            "timestamp": "2026-05-28 22:03:00,615",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a54"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000400",
                "pretty_value": "PROCESS_QUERY_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "7912"
              }
            ],
            "repeated": 0,
            "id": 25711
          },
          {
            "timestamp": "2026-05-28 22:03:00,615",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x00000a60"
              }
            ],
            "repeated": 0,
            "id": 25712
          },
          {
            "timestamp": "2026-05-28 22:03:00,615",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "`\\xd5\\xdf\\x9d\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xf0\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\xe9\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\xe0\\xd5\\xdf\\x9d\\xf0\\x00\\x00\\x00\\xc3\\xb8\\xbfu\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x83!+_\\xfc\\x7f\\x00\\x00 \\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb0\\x9e\\xf1S\\x92\\x02\\x00\\x00\\x10\\xd6\\xdf\\x9d\\xf0\\x00\\x00\\x00f@\\xedw\\xfc\\x7f\\x00\\x00\\xeb\\x11\\x050\\x00\\x00\\x00\\x00 \\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xeb\\x11\\x050\\x00\\x00\\x00\\x00\\xc9\\x1f+_\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\xfc\\x7f\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 25713
          },
          {
            "timestamp": "2026-05-28 22:03:00,615",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "synchronization",
            "api": "NtCreateMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a74"
              },
              {
                "name": "MutexName",
                "value": "Global\\C::Users:admin:AppData:Local:Microsoft:Windows:Explorer:iconcache_idx.db!rwReaderRefs"
              },
              {
                "name": "InitialOwner",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 25714
          },
          {
            "timestamp": "2026-05-28 22:03:00,615",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a60"
              }
            ],
            "repeated": 0,
            "id": 25715
          },
          {
            "timestamp": "2026-05-28 22:03:00,615",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a54"
              }
            ],
            "repeated": 0,
            "id": 25716
          },
          {
            "timestamp": "2026-05-28 22:03:00,615",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a74"
              }
            ],
            "repeated": 0,
            "id": 25717
          },
          {
            "timestamp": "2026-05-28 22:03:00,615",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a74"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000400",
                "pretty_value": "PROCESS_QUERY_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "7912"
              }
            ],
            "repeated": 0,
            "id": 25718
          },
          {
            "timestamp": "2026-05-28 22:03:00,615",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x00000a54"
              }
            ],
            "repeated": 0,
            "id": 25719
          },
          {
            "timestamp": "2026-05-28 22:03:00,615",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xc0\\xd4\\xdf\\x9d\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\xe9\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x1fN\\x92\\x02\\x00\\x00\\xa9\\xd5\\xdf\\x9d\\xf0\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xc7\\xb3\\xffw\\xfc\\x7f\\x00\\x00\\xfa6\\x07Ou\\xc0\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x18\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xc8\\xd7\\xdf\\x9d\\xf0\\x00\\x00\\x00`^\\xe8S\\x92\\x02\\x00\\x00\\x80\\x0c\\xbfT\\x92\\x02\\x00\\x00\\xc3\\xb8\\xbfu\\xfc\\x7f\\x00\\x00\\xeb\\x11\\x050\\x00\\x00\\x00\\x00 \\xd6\\xdf\\x9d\\xf0\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 25720
          },
          {
            "timestamp": "2026-05-28 22:03:00,615",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "synchronization",
            "api": "NtCreateMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a60"
              },
              {
                "name": "MutexName",
                "value": "Global\\C::Users:admin:AppData:Local:Microsoft:Windows:Explorer:iconcache_idx.db!rwReaderRefs"
              },
              {
                "name": "InitialOwner",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 25721
          },
          {
            "timestamp": "2026-05-28 22:03:00,615",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a54"
              }
            ],
            "repeated": 0,
            "id": 25722
          },
          {
            "timestamp": "2026-05-28 22:03:00,615",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a74"
              }
            ],
            "repeated": 0,
            "id": 25723
          },
          {
            "timestamp": "2026-05-28 22:03:00,615",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a60"
              }
            ],
            "repeated": 0,
            "id": 25724
          },
          {
            "timestamp": "2026-05-28 22:03:00,615",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a60"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000400",
                "pretty_value": "PROCESS_QUERY_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "7912"
              }
            ],
            "repeated": 0,
            "id": 25725
          },
          {
            "timestamp": "2026-05-28 22:03:00,615",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x00000a74"
              }
            ],
            "repeated": 0,
            "id": 25726
          },
          {
            "timestamp": "2026-05-28 22:03:00,615",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "`\\xd5\\xdf\\x9d\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xf0\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\xe9\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\xe0\\xd5\\xdf\\x9d\\xf0\\x00\\x00\\x00\\xc3\\xb8\\xbfu\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x83!+_\\xfc\\x7f\\x00\\x00 \\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb0\\x9e\\xf1S\\x92\\x02\\x00\\x00\\x10\\xd6\\xdf\\x9d\\xf0\\x00\\x00\\x00f@\\xedw\\xfc\\x7f\\x00\\x00\\xeb\\x11\\x050\\x00\\x00\\x00\\x00 \\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xeb\\x11\\x050\\x00\\x00\\x00\\x00\\xc9\\x1f+_\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\xfc\\x7f\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 25727
          },
          {
            "timestamp": "2026-05-28 22:03:00,615",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "synchronization",
            "api": "NtCreateMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a54"
              },
              {
                "name": "MutexName",
                "value": "Global\\C::Users:admin:AppData:Local:Microsoft:Windows:Explorer:iconcache_idx.db!rwReaderRefs"
              },
              {
                "name": "InitialOwner",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 25728
          },
          {
            "timestamp": "2026-05-28 22:03:00,615",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a74"
              }
            ],
            "repeated": 0,
            "id": 25729
          },
          {
            "timestamp": "2026-05-28 22:03:00,615",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a60"
              }
            ],
            "repeated": 0,
            "id": 25730
          },
          {
            "timestamp": "2026-05-28 22:03:00,615",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a54"
              }
            ],
            "repeated": 0,
            "id": 25731
          },
          {
            "timestamp": "2026-05-28 22:03:00,615",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a54"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000400",
                "pretty_value": "PROCESS_QUERY_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "7912"
              }
            ],
            "repeated": 0,
            "id": 25732
          },
          {
            "timestamp": "2026-05-28 22:03:00,615",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x00000a60"
              }
            ],
            "repeated": 0,
            "id": 25733
          },
          {
            "timestamp": "2026-05-28 22:03:00,615",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xc0\\xd4\\xdf\\x9d\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\xe9\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x1fN\\x92\\x02\\x00\\x00\\xa9\\xd5\\xdf\\x9d\\xf0\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xc7\\xb3\\xffw\\xfc\\x7f\\x00\\x00\\xfa6\\x07Ou\\xc0\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x18\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xc8\\xd7\\xdf\\x9d\\xf0\\x00\\x00\\x00`^\\xe8S\\x92\\x02\\x00\\x00\\x80\\x0c\\xbfT\\x92\\x02\\x00\\x00\\xc3\\xb8\\xbfu\\xfc\\x7f\\x00\\x00\\xeb\\x11\\x050\\x00\\x00\\x00\\x00 \\xd6\\xdf\\x9d\\xf0\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 25734
          },
          {
            "timestamp": "2026-05-28 22:03:00,615",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "synchronization",
            "api": "NtCreateMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a74"
              },
              {
                "name": "MutexName",
                "value": "Global\\C::Users:admin:AppData:Local:Microsoft:Windows:Explorer:iconcache_idx.db!rwReaderRefs"
              },
              {
                "name": "InitialOwner",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 25735
          },
          {
            "timestamp": "2026-05-28 22:03:00,615",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a60"
              }
            ],
            "repeated": 0,
            "id": 25736
          },
          {
            "timestamp": "2026-05-28 22:03:00,615",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a54"
              }
            ],
            "repeated": 0,
            "id": 25737
          },
          {
            "timestamp": "2026-05-28 22:03:00,615",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a74"
              }
            ],
            "repeated": 0,
            "id": 25738
          },
          {
            "timestamp": "2026-05-28 22:03:00,615",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a74"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000400",
                "pretty_value": "PROCESS_QUERY_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "7912"
              }
            ],
            "repeated": 0,
            "id": 25739
          },
          {
            "timestamp": "2026-05-28 22:03:00,615",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x00000a54"
              }
            ],
            "repeated": 0,
            "id": 25740
          },
          {
            "timestamp": "2026-05-28 22:03:00,615",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "`\\xd5\\xdf\\x9d\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xf0\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\xe9\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\xe0\\xd5\\xdf\\x9d\\xf0\\x00\\x00\\x00\\xc3\\xb8\\xbfu\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x83!+_\\xfc\\x7f\\x00\\x00 \\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb0\\x9e\\xf1S\\x92\\x02\\x00\\x00\\x10\\xd6\\xdf\\x9d\\xf0\\x00\\x00\\x00f@\\xedw\\xfc\\x7f\\x00\\x00\\xeb\\x11\\x050\\x00\\x00\\x00\\x00 \\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xeb\\x11\\x050\\x00\\x00\\x00\\x00\\xc9\\x1f+_\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\xfc\\x7f\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 25741
          },
          {
            "timestamp": "2026-05-28 22:03:00,615",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "synchronization",
            "api": "NtCreateMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a60"
              },
              {
                "name": "MutexName",
                "value": "Global\\C::Users:admin:AppData:Local:Microsoft:Windows:Explorer:iconcache_idx.db!rwReaderRefs"
              },
              {
                "name": "InitialOwner",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 25742
          },
          {
            "timestamp": "2026-05-28 22:03:00,615",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a54"
              }
            ],
            "repeated": 0,
            "id": 25743
          },
          {
            "timestamp": "2026-05-28 22:03:00,615",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a74"
              }
            ],
            "repeated": 0,
            "id": 25744
          },
          {
            "timestamp": "2026-05-28 22:03:00,615",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a60"
              }
            ],
            "repeated": 0,
            "id": 25745
          },
          {
            "timestamp": "2026-05-28 22:03:00,615",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a60"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000400",
                "pretty_value": "PROCESS_QUERY_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "7912"
              }
            ],
            "repeated": 0,
            "id": 25746
          },
          {
            "timestamp": "2026-05-28 22:03:00,615",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x00000a74"
              }
            ],
            "repeated": 0,
            "id": 25747
          },
          {
            "timestamp": "2026-05-28 22:03:00,615",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xc0\\xd4\\xdf\\x9d\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\xe9\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x1fN\\x92\\x02\\x00\\x00\\xa9\\xd5\\xdf\\x9d\\xf0\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xc7\\xb3\\xffw\\xfc\\x7f\\x00\\x00\\xfa6\\x07Ou\\xc0\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x18\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xc8\\xd7\\xdf\\x9d\\xf0\\x00\\x00\\x00`^\\xe8S\\x92\\x02\\x00\\x00\\x80\\x0c\\xbfT\\x92\\x02\\x00\\x00\\xc3\\xb8\\xbfu\\xfc\\x7f\\x00\\x00\\xeb\\x11\\x050\\x00\\x00\\x00\\x00 \\xd6\\xdf\\x9d\\xf0\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 25748
          },
          {
            "timestamp": "2026-05-28 22:03:00,615",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "synchronization",
            "api": "NtCreateMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a54"
              },
              {
                "name": "MutexName",
                "value": "Global\\C::Users:admin:AppData:Local:Microsoft:Windows:Explorer:iconcache_idx.db!rwReaderRefs"
              },
              {
                "name": "InitialOwner",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 25749
          },
          {
            "timestamp": "2026-05-28 22:03:00,615",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a74"
              }
            ],
            "repeated": 0,
            "id": 25750
          },
          {
            "timestamp": "2026-05-28 22:03:00,615",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a60"
              }
            ],
            "repeated": 0,
            "id": 25751
          },
          {
            "timestamp": "2026-05-28 22:03:00,615",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a54"
              }
            ],
            "repeated": 0,
            "id": 25752
          },
          {
            "timestamp": "2026-05-28 22:03:00,615",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a54"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000400",
                "pretty_value": "PROCESS_QUERY_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "7912"
              }
            ],
            "repeated": 0,
            "id": 25753
          },
          {
            "timestamp": "2026-05-28 22:03:00,615",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x00000a60"
              }
            ],
            "repeated": 0,
            "id": 25754
          },
          {
            "timestamp": "2026-05-28 22:03:00,615",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "`\\xd5\\xdf\\x9d\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xf0\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\xe9\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\xe0\\xd5\\xdf\\x9d\\xf0\\x00\\x00\\x00\\xc3\\xb8\\xbfu\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x83!+_\\xfc\\x7f\\x00\\x00 \\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb0\\x9e\\xf1S\\x92\\x02\\x00\\x00\\x10\\xd6\\xdf\\x9d\\xf0\\x00\\x00\\x00f@\\xedw\\xfc\\x7f\\x00\\x00\\xeb\\x11\\x050\\x00\\x00\\x00\\x00 \\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xeb\\x11\\x050\\x00\\x00\\x00\\x00\\xc9\\x1f+_\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\xfc\\x7f\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 25755
          },
          {
            "timestamp": "2026-05-28 22:03:00,615",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "synchronization",
            "api": "NtCreateMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a74"
              },
              {
                "name": "MutexName",
                "value": "Global\\C::Users:admin:AppData:Local:Microsoft:Windows:Explorer:iconcache_idx.db!rwReaderRefs"
              },
              {
                "name": "InitialOwner",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 25756
          },
          {
            "timestamp": "2026-05-28 22:03:00,615",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a60"
              }
            ],
            "repeated": 0,
            "id": 25757
          },
          {
            "timestamp": "2026-05-28 22:03:00,615",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a54"
              }
            ],
            "repeated": 0,
            "id": 25758
          },
          {
            "timestamp": "2026-05-28 22:03:00,615",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a74"
              }
            ],
            "repeated": 0,
            "id": 25759
          },
          {
            "timestamp": "2026-05-28 22:03:00,615",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a74"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000400",
                "pretty_value": "PROCESS_QUERY_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "7912"
              }
            ],
            "repeated": 0,
            "id": 25760
          },
          {
            "timestamp": "2026-05-28 22:03:00,615",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x00000a54"
              }
            ],
            "repeated": 0,
            "id": 25761
          },
          {
            "timestamp": "2026-05-28 22:03:00,615",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xc0\\xd4\\xdf\\x9d\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\xe9\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x1fN\\x92\\x02\\x00\\x00\\xa9\\xd5\\xdf\\x9d\\xf0\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xc7\\xb3\\xffw\\xfc\\x7f\\x00\\x00\\xfa6\\x07Ou\\xc0\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x18\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xc8\\xd7\\xdf\\x9d\\xf0\\x00\\x00\\x00`^\\xe8S\\x92\\x02\\x00\\x00\\x80\\x0c\\xbfT\\x92\\x02\\x00\\x00\\xc3\\xb8\\xbfu\\xfc\\x7f\\x00\\x00\\xeb\\x11\\x050\\x00\\x00\\x00\\x00 \\xd6\\xdf\\x9d\\xf0\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 25762
          },
          {
            "timestamp": "2026-05-28 22:03:00,615",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "synchronization",
            "api": "NtCreateMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000320"
              },
              {
                "name": "MutexName",
                "value": "Global\\C::Users:admin:AppData:Local:Microsoft:Windows:Explorer:iconcache_idx.db!rwReaderRefs"
              },
              {
                "name": "InitialOwner",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 25763
          },
          {
            "timestamp": "2026-05-28 22:03:00,615",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a54"
              }
            ],
            "repeated": 0,
            "id": 25764
          },
          {
            "timestamp": "2026-05-28 22:03:00,615",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a74"
              }
            ],
            "repeated": 0,
            "id": 25765
          },
          {
            "timestamp": "2026-05-28 22:03:00,615",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000320"
              }
            ],
            "repeated": 0,
            "id": 25766
          },
          {
            "timestamp": "2026-05-28 22:03:00,615",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000320"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000400",
                "pretty_value": "PROCESS_QUERY_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "7912"
              }
            ],
            "repeated": 0,
            "id": 25767
          },
          {
            "timestamp": "2026-05-28 22:03:00,615",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x00000a74"
              }
            ],
            "repeated": 0,
            "id": 25768
          },
          {
            "timestamp": "2026-05-28 22:03:00,615",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "`\\xd5\\xdf\\x9d\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xf0\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\xe9\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\xe0\\xd5\\xdf\\x9d\\xf0\\x00\\x00\\x00\\xc3\\xb8\\xbfu\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x83!+_\\xfc\\x7f\\x00\\x00 \\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb0\\x9e\\xf1S\\x92\\x02\\x00\\x00\\x10\\xd6\\xdf\\x9d\\xf0\\x00\\x00\\x00f@\\xedw\\xfc\\x7f\\x00\\x00\\xeb\\x11\\x050\\x00\\x00\\x00\\x00 \\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xeb\\x11\\x050\\x00\\x00\\x00\\x00\\xc9\\x1f+_\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\xfc\\x7f\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 25769
          },
          {
            "timestamp": "2026-05-28 22:03:00,615",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "synchronization",
            "api": "NtCreateMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a54"
              },
              {
                "name": "MutexName",
                "value": "Global\\C::Users:admin:AppData:Local:Microsoft:Windows:Explorer:iconcache_idx.db!rwReaderRefs"
              },
              {
                "name": "InitialOwner",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 25770
          },
          {
            "timestamp": "2026-05-28 22:03:00,615",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a74"
              }
            ],
            "repeated": 0,
            "id": 25771
          },
          {
            "timestamp": "2026-05-28 22:03:00,615",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000320"
              }
            ],
            "repeated": 0,
            "id": 25772
          },
          {
            "timestamp": "2026-05-28 22:03:00,615",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a54"
              }
            ],
            "repeated": 0,
            "id": 25773
          },
          {
            "timestamp": "2026-05-28 22:03:00,615",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a54"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000400",
                "pretty_value": "PROCESS_QUERY_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "7912"
              }
            ],
            "repeated": 0,
            "id": 25774
          },
          {
            "timestamp": "2026-05-28 22:03:00,615",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x00000320"
              }
            ],
            "repeated": 0,
            "id": 25775
          },
          {
            "timestamp": "2026-05-28 22:03:00,615",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xc0\\xd4\\xdf\\x9d\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\xe9\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x1fN\\x92\\x02\\x00\\x00\\xa9\\xd5\\xdf\\x9d\\xf0\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xc7\\xb3\\xffw\\xfc\\x7f\\x00\\x00\\xfa6\\x07Ou\\xc0\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x18\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xc8\\xd7\\xdf\\x9d\\xf0\\x00\\x00\\x00`^\\xe8S\\x92\\x02\\x00\\x00\\x80\\x0c\\xbfT\\x92\\x02\\x00\\x00\\xc3\\xb8\\xbfu\\xfc\\x7f\\x00\\x00\\xeb\\x11\\x050\\x00\\x00\\x00\\x00 \\xd6\\xdf\\x9d\\xf0\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 25776
          },
          {
            "timestamp": "2026-05-28 22:03:00,615",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "synchronization",
            "api": "NtCreateMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a74"
              },
              {
                "name": "MutexName",
                "value": "Global\\C::Users:admin:AppData:Local:Microsoft:Windows:Explorer:iconcache_idx.db!rwReaderRefs"
              },
              {
                "name": "InitialOwner",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 25777
          },
          {
            "timestamp": "2026-05-28 22:03:00,615",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000320"
              }
            ],
            "repeated": 0,
            "id": 25778
          },
          {
            "timestamp": "2026-05-28 22:03:00,615",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a54"
              }
            ],
            "repeated": 0,
            "id": 25779
          },
          {
            "timestamp": "2026-05-28 22:03:00,615",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a74"
              }
            ],
            "repeated": 0,
            "id": 25780
          },
          {
            "timestamp": "2026-05-28 22:03:00,615",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a74"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000400",
                "pretty_value": "PROCESS_QUERY_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "7912"
              }
            ],
            "repeated": 0,
            "id": 25781
          },
          {
            "timestamp": "2026-05-28 22:03:00,615",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x00000a54"
              }
            ],
            "repeated": 0,
            "id": 25782
          },
          {
            "timestamp": "2026-05-28 22:03:00,615",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "`\\xd5\\xdf\\x9d\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xf0\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\xe9\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\xe0\\xd5\\xdf\\x9d\\xf0\\x00\\x00\\x00\\xc3\\xb8\\xbfu\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x83!+_\\xfc\\x7f\\x00\\x00 \\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb0\\x9e\\xf1S\\x92\\x02\\x00\\x00\\x10\\xd6\\xdf\\x9d\\xf0\\x00\\x00\\x00f@\\xedw\\xfc\\x7f\\x00\\x00\\xeb\\x11\\x050\\x00\\x00\\x00\\x00 \\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xeb\\x11\\x050\\x00\\x00\\x00\\x00\\xc9\\x1f+_\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\xfc\\x7f\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 25783
          },
          {
            "timestamp": "2026-05-28 22:03:00,615",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "synchronization",
            "api": "NtCreateMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000320"
              },
              {
                "name": "MutexName",
                "value": "Global\\C::Users:admin:AppData:Local:Microsoft:Windows:Explorer:iconcache_idx.db!rwReaderRefs"
              },
              {
                "name": "InitialOwner",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 25784
          },
          {
            "timestamp": "2026-05-28 22:03:00,615",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a54"
              }
            ],
            "repeated": 0,
            "id": 25785
          },
          {
            "timestamp": "2026-05-28 22:03:00,615",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a74"
              }
            ],
            "repeated": 0,
            "id": 25786
          },
          {
            "timestamp": "2026-05-28 22:03:00,615",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000320"
              }
            ],
            "repeated": 0,
            "id": 25787
          },
          {
            "timestamp": "2026-05-28 22:03:00,615",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000808"
              },
              {
                "name": "HandleName",
                "value": "C:\\Users\\admin\\AppData\\Local\\Microsoft\\Windows\\Explorer\\iconcache_idx.db"
              },
              {
                "name": "FileInformationClass",
                "value": "5",
                "pretty_value": "FileStandardInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\x00\\x80\\x00\\x00\\x00\\x00\\x00\\x000r\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 25788
          },
          {
            "timestamp": "2026-05-28 22:03:00,615",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000320"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000400",
                "pretty_value": "PROCESS_QUERY_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "7912"
              }
            ],
            "repeated": 0,
            "id": 25789
          },
          {
            "timestamp": "2026-05-28 22:03:00,615",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x00000a74"
              }
            ],
            "repeated": 0,
            "id": 25790
          },
          {
            "timestamp": "2026-05-28 22:03:00,615",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xf0\\xd1\\xdf\\x9d\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\xe9\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\xd0\\x84\\xd93\\xfc\\x7f\\x00\\x00\\x18\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xf0\\x00\\x00\\x00`\\xda\\xd9\\xff\\xff\\xff\\xff\\xffH\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x92\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xbc\\x07\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 25791
          },
          {
            "timestamp": "2026-05-28 22:03:00,615",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "synchronization",
            "api": "NtCreateMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a54"
              },
              {
                "name": "MutexName",
                "value": "Global\\C::Users:admin:AppData:Local:Microsoft:Windows:Explorer:iconcache_idx.db!rwReaderRefs"
              },
              {
                "name": "InitialOwner",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 25792
          },
          {
            "timestamp": "2026-05-28 22:03:00,615",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a74"
              }
            ],
            "repeated": 0,
            "id": 25793
          },
          {
            "timestamp": "2026-05-28 22:03:00,615",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000320"
              }
            ],
            "repeated": 0,
            "id": 25794
          },
          {
            "timestamp": "2026-05-28 22:03:00,615",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a54"
              }
            ],
            "repeated": 0,
            "id": 25795
          },
          {
            "timestamp": "2026-05-28 22:03:00,615",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a54"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000400",
                "pretty_value": "PROCESS_QUERY_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "7912"
              }
            ],
            "repeated": 0,
            "id": 25796
          },
          {
            "timestamp": "2026-05-28 22:03:00,615",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x00000320"
              }
            ],
            "repeated": 0,
            "id": 25797
          },
          {
            "timestamp": "2026-05-28 22:03:00,615",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xf0\\xd1\\xdf\\x9d\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\xe9\\x03\\x00\\x00\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x9a\\x00h8\\xfc\\x7f\\x00\\x00T\n\\x00\\x00\\x00\\x00\\x00\\x00T\n\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x81|\\xd93\\xfc\\x7f\\x00\\x00(\\x8b\\xd93\\xfc\\x7f\\x00\\x00T\n\\x00\\x00\\x00\\x00\\x00\\x00T\n\\x00\\x00\\x00\\x00\\x00\\x00\\x0f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x85gnu\\xfc\\x7f\\x00\\x00T\n\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 25798
          },
          {
            "timestamp": "2026-05-28 22:03:00,615",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "synchronization",
            "api": "NtCreateMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a74"
              },
              {
                "name": "MutexName",
                "value": "Global\\C::Users:admin:AppData:Local:Microsoft:Windows:Explorer:iconcache_idx.db!rwReaderRefs"
              },
              {
                "name": "InitialOwner",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 25799
          },
          {
            "timestamp": "2026-05-28 22:03:00,615",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000320"
              }
            ],
            "repeated": 0,
            "id": 25800
          },
          {
            "timestamp": "2026-05-28 22:03:00,615",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a54"
              }
            ],
            "repeated": 0,
            "id": 25801
          },
          {
            "timestamp": "2026-05-28 22:03:00,615",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a74"
              }
            ],
            "repeated": 0,
            "id": 25802
          },
          {
            "timestamp": "2026-05-28 22:03:00,615",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "317D06E8-5F24-433D-BDF7-79CE68D8ABC2"
              },
              {
                "name": "ClsContext",
                "value": "0x00000001",
                "pretty_value": "CLSCTX_INPROC_SERVER"
              },
              {
                "name": "riid",
                "value": "EC5EC8A9-C395-4314-9C77-54D7A935FF70"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 25803
          },
          {
            "timestamp": "2026-05-28 22:03:00,615",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc7038c000"
              },
              {
                "name": "ModuleName",
                "value": "WindowsCodecs.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 25804
          },
          {
            "timestamp": "2026-05-28 22:03:00,615",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc7038c000"
              },
              {
                "name": "ModuleName",
                "value": "WindowsCodecs.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 25805
          },
          {
            "timestamp": "2026-05-28 22:03:00,615",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc7038c000"
              },
              {
                "name": "ModuleName",
                "value": "WindowsCodecs.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 25806
          },
          {
            "timestamp": "2026-05-28 22:03:00,615",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc7038c000"
              },
              {
                "name": "ModuleName",
                "value": "WindowsCodecs.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 25807
          },
          {
            "timestamp": "2026-05-28 22:03:00,615",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0xfffffffc"
              }
            ],
            "repeated": 0,
            "id": 25808
          },
          {
            "timestamp": "2026-05-28 22:03:00,615",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000000",
                "pretty_value": "HKEY_CLASSES_ROOT"
              },
              {
                "name": "SubKey",
                "value": "CLSID\\{AC757296-3522-4E11-9862-C17BE5A1767E}\\Instance"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_CLASSES_ROOT\\CLSID\\{AC757296-3522-4E11-9862-C17BE5A1767E}\\Instance"
              }
            ],
            "repeated": 0,
            "id": 25809
          },
          {
            "timestamp": "2026-05-28 22:03:00,615",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29253bad000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 25810
          },
          {
            "timestamp": "2026-05-28 22:03:00,615",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29253bae000"
              },
              {
                "name": "RegionSize",
                "value": "0x00002000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 25811
          },
          {
            "timestamp": "2026-05-28 22:03:00,615",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29253bb0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00003000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 25812
          },
          {
            "timestamp": "2026-05-28 22:03:00,615",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29253bb3000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 25813
          },
          {
            "timestamp": "2026-05-28 22:03:00,615",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0xfffffffc"
              }
            ],
            "repeated": 0,
            "id": 25814
          },
          {
            "timestamp": "2026-05-28 22:03:00,615",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000000",
                "pretty_value": "HKEY_CLASSES_ROOT"
              },
              {
                "name": "SubKey",
                "value": "CLSID\\{2B46E70F-CDA7-473E-89F6-DC9630A2390B}\\Instance"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_CLASSES_ROOT\\CLSID\\{2B46E70F-CDA7-473E-89F6-DC9630A2390B}\\Instance"
              }
            ],
            "repeated": 0,
            "id": 25815
          },
          {
            "timestamp": "2026-05-28 22:03:00,615",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000a4c"
              },
              {
                "name": "HandleName",
                "value": "C:\\Users\\admin\\AppData\\Local\\Microsoft\\Windows\\Explorer\\iconcache_16.db"
              },
              {
                "name": "FileInformationClass",
                "value": "5",
                "pretty_value": "FileStandardInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 25816
          },
          {
            "timestamp": "2026-05-28 22:03:00,615",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a74"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000400",
                "pretty_value": "PROCESS_QUERY_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "7912"
              }
            ],
            "repeated": 0,
            "id": 25817
          },
          {
            "timestamp": "2026-05-28 22:03:00,615",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x00000a54"
              }
            ],
            "repeated": 0,
            "id": 25818
          },
          {
            "timestamp": "2026-05-28 22:03:00,615",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "0\\xd3\\xdf\\x9d\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\xe9\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x06\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x06\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xf0\\x00\\x00\\x00\\xe0\\x1f\\xdfO\\x92\\x02\\x00\\x00H\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00L\n\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 25819
          },
          {
            "timestamp": "2026-05-28 22:03:00,615",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "synchronization",
            "api": "NtCreateMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000320"
              },
              {
                "name": "MutexName",
                "value": "Global\\C::Users:admin:AppData:Local:Microsoft:Windows:Explorer:iconcache_idx.db!rwReaderRefs"
              },
              {
                "name": "InitialOwner",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 25820
          },
          {
            "timestamp": "2026-05-28 22:03:00,615",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a54"
              }
            ],
            "repeated": 0,
            "id": 25821
          },
          {
            "timestamp": "2026-05-28 22:03:00,615",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a74"
              }
            ],
            "repeated": 0,
            "id": 25822
          },
          {
            "timestamp": "2026-05-28 22:03:00,615",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000320"
              }
            ],
            "repeated": 0,
            "id": 25823
          },
          {
            "timestamp": "2026-05-28 22:03:00,615",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000808"
              },
              {
                "name": "HandleName",
                "value": "C:\\Users\\admin\\AppData\\Local\\Microsoft\\Windows\\Explorer\\iconcache_idx.db"
              },
              {
                "name": "FileInformationClass",
                "value": "5",
                "pretty_value": "FileStandardInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\x00\\x80\\x00\\x00\\x00\\x00\\x00\\x000r\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 25824
          },
          {
            "timestamp": "2026-05-28 22:03:00,615",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000a4c"
              },
              {
                "name": "HandleName",
                "value": "C:\\Users\\admin\\AppData\\Local\\Microsoft\\Windows\\Explorer\\iconcache_16.db"
              },
              {
                "name": "FileInformationClass",
                "value": "5",
                "pretty_value": "FileStandardInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 1,
            "id": 25825
          },
          {
            "timestamp": "2026-05-28 22:03:00,615",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a60"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000400",
                "pretty_value": "PROCESS_QUERY_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "7912"
              }
            ],
            "repeated": 0,
            "id": 25826
          },
          {
            "timestamp": "2026-05-28 22:03:00,615",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x00000acc"
              }
            ],
            "repeated": 0,
            "id": 25827
          },
          {
            "timestamp": "2026-05-28 22:03:00,615",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xd0\\xd3\\xdf\\x9d\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\xe9\\x03\\x00\\x00\\x92\\x02\\x00\\x00\\xc0)\\xb9S\\x92\\x02\\x00\\x00\\xd7;+_\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x92\\x02\\x00\\x00`\\xda\\xd9\\xff\\xff\\xff\\xff\\xffH\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xc8\\xd7\\xdf\\x9d\\xf0\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 25828
          },
          {
            "timestamp": "2026-05-28 22:03:00,615",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "synchronization",
            "api": "NtCreateMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000ad0"
              },
              {
                "name": "MutexName",
                "value": "Global\\C::Users:admin:AppData:Local:Microsoft:Windows:Explorer:iconcache_idx.db!rwReaderRefs"
              },
              {
                "name": "InitialOwner",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 25829
          },
          {
            "timestamp": "2026-05-28 22:03:00,615",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000acc"
              }
            ],
            "repeated": 0,
            "id": 25830
          },
          {
            "timestamp": "2026-05-28 22:03:00,615",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a60"
              }
            ],
            "repeated": 0,
            "id": 25831
          },
          {
            "timestamp": "2026-05-28 22:03:00,615",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000ad0"
              }
            ],
            "repeated": 0,
            "id": 25832
          },
          {
            "timestamp": "2026-05-28 22:03:00,615",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000ad0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000400",
                "pretty_value": "PROCESS_QUERY_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "7912"
              }
            ],
            "repeated": 0,
            "id": 25833
          },
          {
            "timestamp": "2026-05-28 22:03:00,615",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x00000a60"
              }
            ],
            "repeated": 0,
            "id": 25834
          },
          {
            "timestamp": "2026-05-28 22:03:00,615",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\x10\\xd4\\xdf\\x9d\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\xe9\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\xbc\\x07\\x00\\x00\\x00\\x00\\x00\\x00 \\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x02\\x00\\x00\\x00\\x00\\x00\\x00]\\xddmu\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xc8\\xd7\\xdf\\x9d\\xf0\\x00\\x00\\x00\\x9a0\\x07Ou\\xc0\\x00\\x00\\xe8\\xf6\\x8eT\\x92\\x02\\x00\\x00p\\xd5\\xdf\\x9d\\xf0\\x00\\x00\\x00\\x99\\xbd*_\\xfc\\x7f\\x00\\x00 \\xd5\\xdf\\x9d\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xe8\\xf6\\x8eT\\x92\\x02\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 25835
          },
          {
            "timestamp": "2026-05-28 22:03:00,615",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "synchronization",
            "api": "NtCreateMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000acc"
              },
              {
                "name": "MutexName",
                "value": "Global\\C::Users:admin:AppData:Local:Microsoft:Windows:Explorer:iconcache_idx.db!rwReaderRefs"
              },
              {
                "name": "InitialOwner",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 25836
          },
          {
            "timestamp": "2026-05-28 22:03:00,615",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a60"
              }
            ],
            "repeated": 0,
            "id": 25837
          },
          {
            "timestamp": "2026-05-28 22:03:00,615",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000ad0"
              }
            ],
            "repeated": 0,
            "id": 25838
          },
          {
            "timestamp": "2026-05-28 22:03:00,615",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000acc"
              }
            ],
            "repeated": 0,
            "id": 25839
          },
          {
            "timestamp": "2026-05-28 22:03:00,615",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000acc"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000400",
                "pretty_value": "PROCESS_QUERY_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "7912"
              }
            ],
            "repeated": 0,
            "id": 25840
          },
          {
            "timestamp": "2026-05-28 22:03:00,615",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x00000ad0"
              }
            ],
            "repeated": 0,
            "id": 25841
          },
          {
            "timestamp": "2026-05-28 22:03:00,615",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": " \\xd2\\xdf\\x9d\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\xe9\\x03\\x00\\x00\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x000\\xd4\\xdf\\x9d\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x06\\x02\\x00\\x00\\x00\\x00\\x00\\x00H\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x9a\\x00X8\\xfc\\x7f\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 25842
          },
          {
            "timestamp": "2026-05-28 22:03:00,615",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "synchronization",
            "api": "NtCreateMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a60"
              },
              {
                "name": "MutexName",
                "value": "Global\\C::Users:admin:AppData:Local:Microsoft:Windows:Explorer:iconcache_idx.db!rwReaderRefs"
              },
              {
                "name": "InitialOwner",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 25843
          },
          {
            "timestamp": "2026-05-28 22:03:00,615",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000ad0"
              }
            ],
            "repeated": 0,
            "id": 25844
          },
          {
            "timestamp": "2026-05-28 22:03:00,615",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000acc"
              }
            ],
            "repeated": 0,
            "id": 25845
          },
          {
            "timestamp": "2026-05-28 22:03:00,615",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a60"
              }
            ],
            "repeated": 0,
            "id": 25846
          },
          {
            "timestamp": "2026-05-28 22:03:00,615",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000808"
              },
              {
                "name": "HandleName",
                "value": "C:\\Users\\admin\\AppData\\Local\\Microsoft\\Windows\\Explorer\\iconcache_idx.db"
              },
              {
                "name": "FileInformationClass",
                "value": "5",
                "pretty_value": "FileStandardInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\x00\\x80\\x00\\x00\\x00\\x00\\x00\\x000r\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 25847
          },
          {
            "timestamp": "2026-05-28 22:03:00,615",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a60"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000400",
                "pretty_value": "PROCESS_QUERY_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "7912"
              }
            ],
            "repeated": 0,
            "id": 25848
          },
          {
            "timestamp": "2026-05-28 22:03:00,615",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x00000acc"
              }
            ],
            "repeated": 0,
            "id": 25849
          },
          {
            "timestamp": "2026-05-28 22:03:00,615",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\xd6\\xdf\\x9d\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\xe9\\x03\\x00\\x00\\x92\\x02\\x00\\x008\\xd7\\xdf\\x9d\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00C\\x10+_\\xfc\\x7f\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb8\\xac+_\\xfc\\x7f\\x00\\x00\\xb0\\x9e\\xf1S\\x92\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xc8\\xd7\\xdf\\x9d\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xfc\\x7f\\x00\\x00\\xb0\\x9e\\xf1S\\x92\\x02\\x00\\x00\\xe7\\xab+_\\xfc\\x7f\\x00\\x00\\xb0\\x9e\\xf1S\\x92\\x02\\x00\\x00\n4\\x07Ou\\xc0\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 25850
          },
          {
            "timestamp": "2026-05-28 22:03:00,615",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "synchronization",
            "api": "NtCreateMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000ad0"
              },
              {
                "name": "MutexName",
                "value": ""
              },
              {
                "name": "InitialOwner",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 25851
          },
          {
            "timestamp": "2026-05-28 22:03:00,615",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000acc"
              }
            ],
            "repeated": 0,
            "id": 25852
          },
          {
            "timestamp": "2026-05-28 22:03:00,615",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a60"
              }
            ],
            "repeated": 0,
            "id": 25853
          },
          {
            "timestamp": "2026-05-28 22:03:00,615",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000ad0"
              }
            ],
            "repeated": 0,
            "id": 25854
          },
          {
            "timestamp": "2026-05-28 22:03:00,615",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x0e020002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\MicrosoftEdgeUpdate.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 25855
          },
          {
            "timestamp": "2026-05-28 22:03:00,615",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x0e020000"
              },
              {
                "name": "RegionSize",
                "value": "0x00035000"
              }
            ],
            "repeated": 0,
            "id": 25856
          },
          {
            "timestamp": "2026-05-28 22:03:00,615",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x0e020002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\MicrosoftEdgeUpdate.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 25857
          },
          {
            "timestamp": "2026-05-28 22:03:00,615",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x0e020000"
              },
              {
                "name": "RegionSize",
                "value": "0x00035000"
              }
            ],
            "repeated": 0,
            "id": 25858
          },
          {
            "timestamp": "2026-05-28 22:03:00,615",
            "thread_id": "5448",
            "caller": "0x7ff6c28c3b16",
            "parentcaller": "0x7ff6c28c30e8",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000ad0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000400",
                "pretty_value": "PROCESS_QUERY_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "9492"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\MicrosoftEdgeUpdate.exe"
              }
            ],
            "repeated": 0,
            "id": 25859
          },
          {
            "timestamp": "2026-05-28 22:03:00,615",
            "thread_id": "5448",
            "caller": "0x7ff6c28c3b8f",
            "parentcaller": "0x7ff6c28c30e8",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000ad0"
              }
            ],
            "repeated": 0,
            "id": 25860
          },
          {
            "timestamp": "2026-05-28 22:03:00,631",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c38f8",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000ad0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001410",
                "pretty_value": "PROCESS_VM_READ|PROCESS_QUERY_INFORMATION|PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "9492"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\MicrosoftEdgeUpdate.exe"
              }
            ],
            "repeated": 0,
            "id": 25861
          },
          {
            "timestamp": "2026-05-28 22:03:00,631",
            "thread_id": "5448",
            "caller": "0x7ff6c28c53e5",
            "parentcaller": "0x7ff6c28c3945",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000ad0"
              },
              {
                "name": "BaseAddress",
                "value": "0x0270f000"
              },
              {
                "name": "Size",
                "value": "0x000007c8"
              },
              {
                "name": "Buffer",
                "value": "\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\xc0\\xc4\\x13x\\xfc\\x7f\\x00\\x00P\\x1a\\xae\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xae\\x02\\x00\\x00\\x00\\x00\\xe0\\xc0\\x13x\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00P\\xe1Vw\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x80\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00@\\xc4\\x13x\\xfc\\x7f\\x00\\x00\\xff\\xff\\x07\\x00\\x00\\x00\\x00\\x00\\x00\\x00`\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00P\\x07`\\x7f\\x00\\x00\\x00\\x00\\x00\\x00v\\x7f\\x00\\x00\\x00\\x00(\\x02w\\x7f\\x00\\x00\\x00\\x00P\\x06x\\x7f\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x80\\x9b\\x07m\\xe8\\xff\\xff\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x00 \\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x10\\x00\\x00\\x00@\\xad\\x13x\\xfc\\x7f\\x00\\x00\\x00\\x00\\xfe\\x02\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 25862
          },
          {
            "timestamp": "2026-05-28 22:03:00,631",
            "thread_id": "5448",
            "caller": "0x7ff6c28c5414",
            "parentcaller": "0x7ff6c28c3945",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000ad0"
              },
              {
                "name": "BaseAddress",
                "value": "0x02ae1a50"
              },
              {
                "name": "Size",
                "value": "0x00000440"
              },
              {
                "name": "Buffer",
                "value": "\\xf2\\x07\\x00\\x00\\xf2\\x07\\x00\\x00\\x01 \\x00\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x16\\x00\\x08\\x02\\x00\\x00\\x00\\x00\\xa0&\\xae\\x02\\x00\\x00\\x00\\x00H\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x86\\x00\\x88\\x00\\x00\\x00\\x00\\x00\\x98 \\xae\\x02\\x00\\x00\\x00\\x00\\x94\\x00\\x96\\x00\\x00\\x00\\x00\\x00 !\\xae\\x02\\x00\\x00\\x00\\x00\\xe0\\x0f\\xae\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x80\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x86\\x00\\x88\\x00\\x00\\x00\\x00\\x00\\xb6!\\xae\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00>\"\\xae\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00@\"\\xae\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 25863
          },
          {
            "timestamp": "2026-05-28 22:03:00,631",
            "thread_id": "5448",
            "caller": "0x7ff6c28c545d",
            "parentcaller": "0x7ff6c28c3945",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000ad0"
              },
              {
                "name": "BaseAddress",
                "value": "0x02ae2120"
              },
              {
                "name": "Size",
                "value": "0x00000094"
              },
              {
                "name": "Buffer",
                "value": "\"\\x00C\\x00:\\x00\\\\x00P\\x00r\\x00o\\x00g\\x00r\\x00a\\x00m\\x00 \\x00F\\x00i\\x00l\\x00e\\x00s\\x00 \\x00(\\x00x\\x008\\x006\\x00)\\x00\\\\x00M\\x00i\\x00c\\x00r\\x00o\\x00s\\x00o\\x00f\\x00t\\x00\\\\x00E\\x00d\\x00g\\x00e\\x00U\\x00p\\x00d\\x00a\\x00t\\x00e\\x00\\\\x00M\\x00i\\x00c\\x00r\\x00o\\x00s\\x00o\\x00f\\x00t\\x00E\\x00d\\x00g\\x00e\\x00U\\x00p\\x00d\\x00a\\x00t\\x00e\\x00.\\x00e\\x00x\\x00e\\x00\"\\x00 \\x00/\\x00s\\x00v\\x00c\\x00"
              }
            ],
            "repeated": 0,
            "id": 25864
          },
          {
            "timestamp": "2026-05-28 22:03:00,631",
            "thread_id": "5448",
            "caller": "0x7ff6c28c39ad",
            "parentcaller": "0x7ff6c28c31bb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000ad0"
              }
            ],
            "repeated": 0,
            "id": 25865
          },
          {
            "timestamp": "2026-05-28 22:03:00,631",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c3746",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000ad0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001000",
                "pretty_value": "PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "9492"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\MicrosoftEdgeUpdate.exe"
              }
            ],
            "repeated": 0,
            "id": 25866
          },
          {
            "timestamp": "2026-05-28 22:03:00,631",
            "thread_id": "5448",
            "caller": "0x7ff6c28c472e",
            "parentcaller": "0x7ff6c28c375e",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000ad0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x00000a60"
              }
            ],
            "repeated": 0,
            "id": 25867
          },
          {
            "timestamp": "2026-05-28 22:03:00,631",
            "thread_id": "5448",
            "caller": "0x7ff6c28c4764",
            "parentcaller": "0x7ff6c28c375e",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "39"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 25868
          },
          {
            "timestamp": "2026-05-28 22:03:00,631",
            "thread_id": "5448",
            "caller": "0x7ff6c28c47ed",
            "parentcaller": "0x7ff6c28c375e",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "39"
              },
              {
                "name": "TokenInformation",
                "value": "\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\xf0\\x82+T\\x92\\x02\\x00\\x00 \\x00 \\x00\\x00\\x00\\x00\\x00\\x18\\x83+T\\x92\\x02\\x00\\x00\\x02\\x00\\x00\\x00A\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x008\\x83+T\\x92\\x02\\x00\\x00T\\x00S\\x00A\\x00:\\x00/\\x00/\\x00P\\x00r\\x00o\\x00c\\x00U\\x00n\\x00i\\x00q\\x00u\\x00e\\x00\\xb2\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x05\\xa7\\x0b\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 25869
          },
          {
            "timestamp": "2026-05-28 22:03:00,631",
            "thread_id": "5448",
            "caller": "0x7ff6c28c488d",
            "parentcaller": "0x7ff6c28c375e",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a60"
              }
            ],
            "repeated": 0,
            "id": 25870
          },
          {
            "timestamp": "2026-05-28 22:03:00,631",
            "thread_id": "5448",
            "caller": "0x7ff6c28c3779",
            "parentcaller": "0x7ff6c28c31c6",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000ad0"
              }
            ],
            "repeated": 0,
            "id": 25871
          },
          {
            "timestamp": "2026-05-28 22:03:00,771",
            "thread_id": "5448",
            "caller": "0x7ff6c28c05ac",
            "parentcaller": "0x7ff6c28bdc11",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000ad0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001400",
                "pretty_value": "PROCESS_QUERY_INFORMATION|PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "9716"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\System32\\dllhost.exe"
              }
            ],
            "repeated": 0,
            "id": 25872
          },
          {
            "timestamp": "2026-05-28 22:03:00,771",
            "thread_id": "5448",
            "caller": "0x7ff6c28c068f",
            "parentcaller": "0x7ff6c28bdc11",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000ad0"
              }
            ],
            "repeated": 0,
            "id": 25873
          },
          {
            "timestamp": "2026-05-28 22:03:00,771",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c6d7d",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000ad0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001400",
                "pretty_value": "PROCESS_QUERY_INFORMATION|PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "9716"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\System32\\dllhost.exe"
              }
            ],
            "repeated": 0,
            "id": 25874
          },
          {
            "timestamp": "2026-05-28 22:03:00,771",
            "thread_id": "5448",
            "caller": "0x7ff6c28c6de3",
            "parentcaller": "0x7ff6c28c087c",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000ad0"
              }
            ],
            "repeated": 0,
            "id": 25875
          },
          {
            "timestamp": "2026-05-28 22:03:00,787",
            "thread_id": "1496",
            "caller": "0x7ff6c28da9db",
            "parentcaller": "0x7ff6c28d6fb1",
            "category": "misc",
            "api": "GetCursorPos",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "x",
                "value": "774"
              },
              {
                "name": "y",
                "value": "627"
              }
            ],
            "repeated": 0,
            "id": 25876
          },
          {
            "timestamp": "2026-05-28 22:03:00,787",
            "thread_id": "1496",
            "caller": "0x7ff6c28da9db",
            "parentcaller": "0x7ff6c28d6fb1",
            "category": "misc",
            "api": "GetCursorPos",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "x",
                "value": "749"
              },
              {
                "name": "y",
                "value": "629"
              }
            ],
            "repeated": 0,
            "id": 25877
          },
          {
            "timestamp": "2026-05-28 22:03:00,787",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6fb1",
            "parentcaller": "0x7ff6c28e0076",
            "category": "system",
            "api": "NtDelayExecution",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 25878
          },
          {
            "timestamp": "2026-05-28 22:03:00,787",
            "thread_id": "1496",
            "caller": "0x7ff6c28da9db",
            "parentcaller": "0x7ff6c28d6fb1",
            "category": "misc",
            "api": "GetCursorPos",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "x",
                "value": "712"
              },
              {
                "name": "y",
                "value": "632"
              }
            ],
            "repeated": 0,
            "id": 25879
          },
          {
            "timestamp": "2026-05-28 22:03:00,787",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6fb1",
            "parentcaller": "0x7ff6c28e0076",
            "category": "system",
            "api": "NtDelayExecution",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 25880
          },
          {
            "timestamp": "2026-05-28 22:03:00,787",
            "thread_id": "1496",
            "caller": "0x7ff6c28da9db",
            "parentcaller": "0x7ff6c28d6fb1",
            "category": "misc",
            "api": "GetCursorPos",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "x",
                "value": "687"
              },
              {
                "name": "y",
                "value": "634"
              }
            ],
            "repeated": 0,
            "id": 25881
          },
          {
            "timestamp": "2026-05-28 22:03:00,787",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6fb1",
            "parentcaller": "0x7ff6c28e0076",
            "category": "system",
            "api": "NtDelayExecution",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 25882
          },
          {
            "timestamp": "2026-05-28 22:03:00,803",
            "thread_id": "1496",
            "caller": "0x7ff6c28da9db",
            "parentcaller": "0x7ff6c28d6fb1",
            "category": "misc",
            "api": "GetCursorPos",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "x",
                "value": "660"
              },
              {
                "name": "y",
                "value": "636"
              }
            ],
            "repeated": 0,
            "id": 25883
          },
          {
            "timestamp": "2026-05-28 22:03:00,803",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6fb1",
            "parentcaller": "0x7ff6c28e0076",
            "category": "system",
            "api": "NtDelayExecution",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 25884
          },
          {
            "timestamp": "2026-05-28 22:03:00,803",
            "thread_id": "1496",
            "caller": "0x7ff6c28da9db",
            "parentcaller": "0x7ff6c28d6fb1",
            "category": "misc",
            "api": "GetCursorPos",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "x",
                "value": "636"
              },
              {
                "name": "y",
                "value": "637"
              }
            ],
            "repeated": 0,
            "id": 25885
          },
          {
            "timestamp": "2026-05-28 22:03:00,803",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6fb1",
            "parentcaller": "0x7ff6c28e0076",
            "category": "system",
            "api": "NtDelayExecution",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 25886
          },
          {
            "timestamp": "2026-05-28 22:03:00,803",
            "thread_id": "1496",
            "caller": "0x7ff6c28da9db",
            "parentcaller": "0x7ff6c28d6fb1",
            "category": "misc",
            "api": "GetCursorPos",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "x",
                "value": "613"
              },
              {
                "name": "y",
                "value": "638"
              }
            ],
            "repeated": 0,
            "id": 25887
          },
          {
            "timestamp": "2026-05-28 22:03:00,803",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6fb1",
            "parentcaller": "0x7ff6c28e0076",
            "category": "system",
            "api": "NtDelayExecution",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 25888
          },
          {
            "timestamp": "2026-05-28 22:03:00,850",
            "thread_id": "1496",
            "caller": "0x7ff6c28da9db",
            "parentcaller": "0x7ff6c28d6fb1",
            "category": "misc",
            "api": "GetCursorPos",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "x",
                "value": "578"
              },
              {
                "name": "y",
                "value": "641"
              }
            ],
            "repeated": 0,
            "id": 25889
          },
          {
            "timestamp": "2026-05-28 22:03:00,850",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6fb1",
            "parentcaller": "0x7ff6c28e0076",
            "category": "system",
            "api": "NtDelayExecution",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 1,
            "id": 25890
          },
          {
            "timestamp": "2026-05-28 22:03:00,850",
            "thread_id": "5448",
            "caller": "0x7ff6c28c05ac",
            "parentcaller": "0x7ff6c28bdc11",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000ad0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001400",
                "pretty_value": "PROCESS_QUERY_INFORMATION|PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "9816"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe"
              }
            ],
            "repeated": 0,
            "id": 25891
          },
          {
            "timestamp": "2026-05-28 22:03:00,850",
            "thread_id": "5448",
            "caller": "0x7ff6c28c068f",
            "parentcaller": "0x7ff6c28bdc11",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000ad0"
              }
            ],
            "repeated": 0,
            "id": 25892
          },
          {
            "timestamp": "2026-05-28 22:03:00,850",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c3e56",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000ad0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001000",
                "pretty_value": "PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "9816"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe"
              }
            ],
            "repeated": 0,
            "id": 25893
          },
          {
            "timestamp": "2026-05-28 22:03:00,850",
            "thread_id": "5448",
            "caller": "0x7ff6c28c3ebb",
            "parentcaller": "0x7ff6c28c2d53",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000ad0"
              }
            ],
            "repeated": 0,
            "id": 25894
          },
          {
            "timestamp": "2026-05-28 22:03:00,850",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c3ffc",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000ad0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001000",
                "pretty_value": "PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "9816"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe"
              }
            ],
            "repeated": 0,
            "id": 25895
          },
          {
            "timestamp": "2026-05-28 22:03:00,850",
            "thread_id": "5448",
            "caller": "0x7ff6c28c4224",
            "parentcaller": "0x7ff6c28c2da5",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000ad0"
              }
            ],
            "repeated": 0,
            "id": 25896
          },
          {
            "timestamp": "2026-05-28 22:03:00,850",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000ad0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000400",
                "pretty_value": "PROCESS_QUERY_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "7912"
              }
            ],
            "repeated": 0,
            "id": 25897
          },
          {
            "timestamp": "2026-05-28 22:03:00,850",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x00000a60"
              }
            ],
            "repeated": 0,
            "id": 25898
          },
          {
            "timestamp": "2026-05-28 22:03:00,850",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "`\\xd8\\xdf\\x9d\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\xe9\\x03\\x00\\x00\\xfc\\x7f\\x00\\x00`^\\xe8S\\x92\\x02\\x00\\x00\\xe0\\xde\\xdf\\x9d\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xa3\\x00\\x00\\x00\\x00\\x00\\x00\\x00H\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 25899
          },
          {
            "timestamp": "2026-05-28 22:03:00,850",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "synchronization",
            "api": "NtCreateMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000320"
              },
              {
                "name": "MutexName",
                "value": "Global\\C::Users:admin:AppData:Local:Microsoft:Windows:Explorer:iconcache_idx.db!rwReaderRefs"
              },
              {
                "name": "InitialOwner",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 25900
          },
          {
            "timestamp": "2026-05-28 22:03:00,850",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a60"
              }
            ],
            "repeated": 0,
            "id": 25901
          },
          {
            "timestamp": "2026-05-28 22:03:00,850",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000ad0"
              }
            ],
            "repeated": 0,
            "id": 25902
          },
          {
            "timestamp": "2026-05-28 22:03:00,850",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000808"
              },
              {
                "name": "HandleName",
                "value": "C:\\Users\\admin\\AppData\\Local\\Microsoft\\Windows\\Explorer\\iconcache_idx.db"
              },
              {
                "name": "FileInformationClass",
                "value": "5",
                "pretty_value": "FileStandardInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\x00\\x80\\x00\\x00\\x00\\x00\\x00\\x000r\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 25903
          },
          {
            "timestamp": "2026-05-28 22:03:00,850",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000ad0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000400",
                "pretty_value": "PROCESS_QUERY_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "7912"
              }
            ],
            "repeated": 0,
            "id": 25904
          },
          {
            "timestamp": "2026-05-28 22:03:00,850",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x00000a60"
              }
            ],
            "repeated": 0,
            "id": 25905
          },
          {
            "timestamp": "2026-05-28 22:03:00,850",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": " \\xd9\\xdf\\x9d\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\xe9\\x03\\x00\\x00\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x99\\xdb\\xdf\\x9d\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00T\\x82*_\\xfc\\x7f\\x00\\x004\\x00a\\x00f\\x00e\\x008\\x00\\x00\\x00\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x000\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x98\\xda\\xdf\\x9d\\xf0\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 25906
          },
          {
            "timestamp": "2026-05-28 22:03:00,850",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "synchronization",
            "api": "NtCreateMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a74"
              },
              {
                "name": "MutexName",
                "value": "Global\\C::Users:admin:AppData:Local:Microsoft:Windows:Explorer:iconcache_idx.db!04afe8"
              },
              {
                "name": "InitialOwner",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 25907
          },
          {
            "timestamp": "2026-05-28 22:03:00,850",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a60"
              }
            ],
            "repeated": 0,
            "id": 25908
          },
          {
            "timestamp": "2026-05-28 22:03:00,850",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000ad0"
              }
            ],
            "repeated": 0,
            "id": 25909
          },
          {
            "timestamp": "2026-05-28 22:03:00,850",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000a4c"
              },
              {
                "name": "HandleName",
                "value": "C:\\Users\\admin\\AppData\\Local\\Microsoft\\Windows\\Explorer\\iconcache_16.db"
              },
              {
                "name": "FileInformationClass",
                "value": "5",
                "pretty_value": "FileStandardInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 25910
          },
          {
            "timestamp": "2026-05-28 22:03:00,850",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000320"
              }
            ],
            "repeated": 0,
            "id": 25911
          },
          {
            "timestamp": "2026-05-28 22:03:00,850",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000320"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000400",
                "pretty_value": "PROCESS_QUERY_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "7912"
              }
            ],
            "repeated": 0,
            "id": 25912
          },
          {
            "timestamp": "2026-05-28 22:03:00,850",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x00000ad0"
              }
            ],
            "repeated": 0,
            "id": 25913
          },
          {
            "timestamp": "2026-05-28 22:03:00,850",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "0\\xd9\\xdf\\x9d\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\xe9\\x03\\x00\\x00\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xd0\\xd9\\xdf\\x9d\\xf0\\x00\\x00\\x00x\\xdb\\xdf\\x9d\\xf0\\x00\\x00\\x00\\xe8\\xaf\\xb3T\\x92\\x02\\x00\\x00\\xb0\\xd9\\xdf\\x9d\\xf0\\x00\\x00\\x00\\x00\\xda\\xdf\\x9d\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xf0\\x00\\x00\\x00\\x00\\x00\\xafT\\x92\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00u\\xc0\\x00\\x00\\x00\\x00\\xafT\\x92\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 25914
          },
          {
            "timestamp": "2026-05-28 22:03:00,850",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "synchronization",
            "api": "NtCreateMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a60"
              },
              {
                "name": "MutexName",
                "value": "Global\\C::Users:admin:AppData:Local:Microsoft:Windows:Explorer:iconcache_idx.db!rwReaderRefs"
              },
              {
                "name": "InitialOwner",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 25915
          },
          {
            "timestamp": "2026-05-28 22:03:00,850",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000ad0"
              }
            ],
            "repeated": 0,
            "id": 25916
          },
          {
            "timestamp": "2026-05-28 22:03:00,850",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000320"
              }
            ],
            "repeated": 0,
            "id": 25917
          },
          {
            "timestamp": "2026-05-28 22:03:00,850",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a60"
              }
            ],
            "repeated": 0,
            "id": 25918
          },
          {
            "timestamp": "2026-05-28 22:03:00,850",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a74"
              }
            ],
            "repeated": 0,
            "id": 25919
          },
          {
            "timestamp": "2026-05-28 22:03:00,865",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29251610002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 25920
          },
          {
            "timestamp": "2026-05-28 22:03:00,865",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29251610000"
              },
              {
                "name": "RegionSize",
                "value": "0x0007e000"
              }
            ],
            "repeated": 0,
            "id": 25921
          },
          {
            "timestamp": "2026-05-28 22:03:00,865",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x29251610002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 25922
          },
          {
            "timestamp": "2026-05-28 22:03:00,865",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29251610000"
              },
              {
                "name": "RegionSize",
                "value": "0x0007e000"
              }
            ],
            "repeated": 0,
            "id": 25923
          },
          {
            "timestamp": "2026-05-28 22:03:00,865",
            "thread_id": "5448",
            "caller": "0x7ff6c28c3b16",
            "parentcaller": "0x7ff6c28c30e8",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a74"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000400",
                "pretty_value": "PROCESS_QUERY_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "9816"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe"
              }
            ],
            "repeated": 0,
            "id": 25924
          },
          {
            "timestamp": "2026-05-28 22:03:00,865",
            "thread_id": "5448",
            "caller": "0x7ff6c28c3b8f",
            "parentcaller": "0x7ff6c28c30e8",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a74"
              }
            ],
            "repeated": 0,
            "id": 25925
          },
          {
            "timestamp": "2026-05-28 22:03:00,865",
            "thread_id": "60",
            "caller": "0x7ffc75716f4c",
            "parentcaller": "0x7ffc770cef53",
            "category": "system",
            "api": "NtDuplicateObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SourceProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "SourceHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "TargetProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "TargetHandle",
                "value": "0x00000ad0"
              },
              {
                "name": "Options",
                "value": "0x00000002"
              }
            ],
            "repeated": 0,
            "id": 25926
          },
          {
            "timestamp": "2026-05-28 22:03:00,881",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c38f8",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a74"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001410",
                "pretty_value": "PROCESS_VM_READ|PROCESS_QUERY_INFORMATION|PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "9816"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe"
              }
            ],
            "repeated": 0,
            "id": 25927
          },
          {
            "timestamp": "2026-05-28 22:03:00,881",
            "thread_id": "5448",
            "caller": "0x7ff6c28c53e5",
            "parentcaller": "0x7ff6c28c3945",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a74"
              },
              {
                "name": "BaseAddress",
                "value": "0xda5735e000"
              },
              {
                "name": "Size",
                "value": "0x000007c8"
              },
              {
                "name": "Buffer",
                "value": "\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\x9b \\xf6\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x8e\\xed\\xc2\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x90\\xed\\xc2\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00l\\xde\\xf5}\\x00\\x00(\\x02m\\xde\\xf5}\\x00\\x00P\\x06n\\xde\\xf5}\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x80\\x9b\\x07m\\xe8\\xff\\xff\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x00 \\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 25928
          },
          {
            "timestamp": "2026-05-28 22:03:00,881",
            "thread_id": "5448",
            "caller": "0x7ff6c28c5414",
            "parentcaller": "0x7ff6c28c3945",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a74"
              },
              {
                "name": "BaseAddress",
                "value": "0x2c2ed8e0000"
              },
              {
                "name": "Size",
                "value": "0x00000440"
              },
              {
                "name": "Buffer",
                "value": "j\\x07\\x00\\x00j\\x07\\x00\\x00\\x01`\\x00\\x00\\x00\\x00\\x00\\x00\\xfe\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00(\\x00\\x08\\x02\\x00\\x00\\x00\\x00@\\x04\\x8e\\xed\\xc2\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00J\\x00L\\x00\\x00\\x00\\x00\\x00H\\x06\\x8e\\xed\\xc2\\x02\\x00\\x00r\\x00t\\x00\\x00\\x00\\x00\\x00\\x94\\x06\\x8e\\xed\\xc2\\x02\\x00\\x00j\\x07\\x8e\\xed\\xc2\\x02\\x00\\x00(\\x00\\x00\\x00(\\x00\\x00\\x00P\\x00\\x00\\x00(\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x80\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\\\x00^\\x00\\x00\\x00\\x00\\x00\\x08\\x07\\x8e\\xed\\xc2\\x02\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00f\\x07\\x8e\\xed\\xc2\\x02\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00h\\x07\\x8e\\xed\\xc2\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 25929
          },
          {
            "timestamp": "2026-05-28 22:03:00,881",
            "thread_id": "5448",
            "caller": "0x7ff6c28c545d",
            "parentcaller": "0x7ff6c28c3945",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a74"
              },
              {
                "name": "BaseAddress",
                "value": "0x2c2ed8e0694"
              },
              {
                "name": "Size",
                "value": "0x00000072"
              },
              {
                "name": "Buffer",
                "value": "C\\x00:\\x00\\\\x00W\\x00i\\x00n\\x00d\\x00o\\x00w\\x00s\\x00\\\\x00s\\x00y\\x00s\\x00t\\x00e\\x00m\\x003\\x002\\x00\\\\x00w\\x00b\\x00e\\x00m\\x00\\\\x00w\\x00m\\x00i\\x00p\\x00r\\x00v\\x00s\\x00e\\x00.\\x00e\\x00x\\x00e\\x00 \\x00-\\x00s\\x00e\\x00c\\x00u\\x00r\\x00e\\x00d\\x00 \\x00-\\x00E\\x00m\\x00b\\x00e\\x00d\\x00d\\x00i\\x00n\\x00g\\x00"
              }
            ],
            "repeated": 0,
            "id": 25930
          },
          {
            "timestamp": "2026-05-28 22:03:00,881",
            "thread_id": "5448",
            "caller": "0x7ff6c28c39ad",
            "parentcaller": "0x7ff6c28c31bb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a74"
              }
            ],
            "repeated": 0,
            "id": 25931
          },
          {
            "timestamp": "2026-05-28 22:03:00,881",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c3746",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a74"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001000",
                "pretty_value": "PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "9816"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe"
              }
            ],
            "repeated": 0,
            "id": 25932
          },
          {
            "timestamp": "2026-05-28 22:03:00,881",
            "thread_id": "5448",
            "caller": "0x7ff6c28c472e",
            "parentcaller": "0x7ff6c28c375e",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a74"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x00000a60"
              }
            ],
            "repeated": 0,
            "id": 25933
          },
          {
            "timestamp": "2026-05-28 22:03:00,881",
            "thread_id": "5448",
            "caller": "0x7ff6c28c4764",
            "parentcaller": "0x7ff6c28c375e",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "39"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 25934
          },
          {
            "timestamp": "2026-05-28 22:03:00,881",
            "thread_id": "5448",
            "caller": "0x7ff6c28c47ed",
            "parentcaller": "0x7ff6c28c375e",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "39"
              },
              {
                "name": "TokenInformation",
                "value": "\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\xe0\\xb0+T\\x92\\x02\\x00\\x00 \\x00 \\x00\\x00\\x00\\x00\\x00\\x08\\xb1+T\\x92\\x02\\x00\\x00\\x02\\x00\\x00\\x00A\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00(\\xb1+T\\x92\\x02\\x00\\x00T\\x00S\\x00A\\x00:\\x00/\\x00/\\x00P\\x00r\\x00o\\x00c\\x00U\\x00n\\x00i\\x00q\\x00u\\x00e\\x00\\xb4\\x00\\x00\\x00\\x00\\x00\\x00\\x00s\\xaf\\x0b\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 25935
          },
          {
            "timestamp": "2026-05-28 22:03:00,881",
            "thread_id": "5448",
            "caller": "0x7ff6c28c488d",
            "parentcaller": "0x7ff6c28c375e",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a60"
              }
            ],
            "repeated": 0,
            "id": 25936
          },
          {
            "timestamp": "2026-05-28 22:03:00,881",
            "thread_id": "5448",
            "caller": "0x7ff6c28c3779",
            "parentcaller": "0x7ff6c28c31c6",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a74"
              }
            ],
            "repeated": 0,
            "id": 25937
          },
          {
            "timestamp": "2026-05-28 22:03:00,881",
            "thread_id": "5448",
            "caller": "0x7ff6c28c05ac",
            "parentcaller": "0x7ff6c28bdc11",
            "category": "process",
            "api": "NtOpenProcess",
            "status": false,
            "return": "0xffffffffc000000b",
            "pretty_return": "INVALID_CID",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x2924e26cd50"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001400",
                "pretty_value": "PROCESS_QUERY_INFORMATION|PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "10172"
              }
            ],
            "repeated": 0,
            "id": 25938
          },
          {
            "timestamp": "2026-05-28 22:03:00,881",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c3e56",
            "category": "process",
            "api": "NtOpenProcess",
            "status": false,
            "return": "0xffffffffc000000b",
            "pretty_return": "INVALID_CID",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001000",
                "pretty_value": "PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "10172"
              }
            ],
            "repeated": 0,
            "id": 25939
          },
          {
            "timestamp": "2026-05-28 22:03:00,881",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c3ffc",
            "category": "process",
            "api": "NtOpenProcess",
            "status": false,
            "return": "0xffffffffc000000b",
            "pretty_return": "INVALID_CID",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001000",
                "pretty_value": "PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "10172"
              }
            ],
            "repeated": 0,
            "id": 25940
          },
          {
            "timestamp": "2026-05-28 22:03:00,881",
            "thread_id": "5448",
            "caller": "0x7ff6c291c755",
            "parentcaller": "0x7ff6c28edda1",
            "category": "misc",
            "api": "NtQuerySystemInformation",
            "status": false,
            "return": "0xffffffffc000000b",
            "pretty_return": "INVALID_CID",
            "arguments": [
              {
                "name": "SystemInformationClass",
                "value": "88"
              }
            ],
            "repeated": 0,
            "id": 25941
          },
          {
            "timestamp": "2026-05-28 22:03:00,881",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a74"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000400",
                "pretty_value": "PROCESS_QUERY_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "7912"
              }
            ],
            "repeated": 0,
            "id": 25942
          },
          {
            "timestamp": "2026-05-28 22:03:00,881",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x00000a60"
              }
            ],
            "repeated": 0,
            "id": 25943
          },
          {
            "timestamp": "2026-05-28 22:03:00,881",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "`\\xd8\\xdf\\x9d\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\xe9\\x03\\x00\\x00\\xfc\\x7f\\x00\\x00`^\\xe8S\\x92\\x02\\x00\\x00\\xe0\\xde\\xdf\\x9d\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xa4\\x00\\x00\\x00\\x00\\x00\\x00\\x00H\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 25944
          },
          {
            "timestamp": "2026-05-28 22:03:00,881",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "synchronization",
            "api": "NtCreateMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a54"
              },
              {
                "name": "MutexName",
                "value": "Global\\C::Users:admin:AppData:Local:Microsoft:Windows:Explorer:iconcache_idx.db!rwReaderRefs"
              },
              {
                "name": "InitialOwner",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 25945
          },
          {
            "timestamp": "2026-05-28 22:03:00,881",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a60"
              }
            ],
            "repeated": 0,
            "id": 25946
          },
          {
            "timestamp": "2026-05-28 22:03:00,881",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a74"
              }
            ],
            "repeated": 0,
            "id": 25947
          },
          {
            "timestamp": "2026-05-28 22:03:00,881",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000808"
              },
              {
                "name": "HandleName",
                "value": "C:\\Users\\admin\\AppData\\Local\\Microsoft\\Windows\\Explorer\\iconcache_idx.db"
              },
              {
                "name": "FileInformationClass",
                "value": "5",
                "pretty_value": "FileStandardInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\x00\\x80\\x00\\x00\\x00\\x00\\x00\\x000r\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 25948
          },
          {
            "timestamp": "2026-05-28 22:03:00,881",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a54"
              }
            ],
            "repeated": 0,
            "id": 25949
          },
          {
            "timestamp": "2026-05-28 22:03:00,881",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a54"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000400",
                "pretty_value": "PROCESS_QUERY_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "7912"
              }
            ],
            "repeated": 0,
            "id": 25950
          },
          {
            "timestamp": "2026-05-28 22:03:00,881",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x00000a74"
              }
            ],
            "repeated": 0,
            "id": 25951
          },
          {
            "timestamp": "2026-05-28 22:03:00,881",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "p\\xd8\\xdf\\x9d\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\xe9\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xbc\\x07\\x00\\x00\\x00\\x00\\x00\\x00 \\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x02\\x00\\x00\\x00\\x00\\x00\\x00]\\xddmu\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xea5\\x07Ou\\xc0\\x00\\x00\\xe8\\xf6\\x8eT\\x92\\x02\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 25952
          },
          {
            "timestamp": "2026-05-28 22:03:00,881",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "synchronization",
            "api": "NtCreateMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a60"
              },
              {
                "name": "MutexName",
                "value": "Global\\C::Users:admin:AppData:Local:Microsoft:Windows:Explorer:iconcache_idx.db!rwReaderRefs"
              },
              {
                "name": "InitialOwner",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 25953
          },
          {
            "timestamp": "2026-05-28 22:03:00,881",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a74"
              }
            ],
            "repeated": 0,
            "id": 25954
          },
          {
            "timestamp": "2026-05-28 22:03:00,881",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a54"
              }
            ],
            "repeated": 0,
            "id": 25955
          },
          {
            "timestamp": "2026-05-28 22:03:00,881",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a60"
              }
            ],
            "repeated": 0,
            "id": 25956
          },
          {
            "timestamp": "2026-05-28 22:03:00,881",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\ggsgulid.exe"
              }
            ],
            "repeated": 2,
            "id": 25957
          },
          {
            "timestamp": "2026-05-28 22:03:00,881",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\System\\ggsgulid.exe"
              }
            ],
            "repeated": 0,
            "id": 25958
          },
          {
            "timestamp": "2026-05-28 22:03:00,881",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\ggsgulid.exe"
              }
            ],
            "repeated": 0,
            "id": 25959
          },
          {
            "timestamp": "2026-05-28 22:03:00,896",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\ggsgulid.exe"
              }
            ],
            "repeated": 0,
            "id": 25960
          },
          {
            "timestamp": "2026-05-28 22:03:00,896",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\ggsgulid.exe"
              }
            ],
            "repeated": 0,
            "id": 25961
          },
          {
            "timestamp": "2026-05-28 22:03:00,896",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\wbem\\ggsgulid.exe"
              }
            ],
            "repeated": 0,
            "id": 25962
          },
          {
            "timestamp": "2026-05-28 22:03:00,896",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\ggsgulid.exe"
              }
            ],
            "repeated": 0,
            "id": 25963
          },
          {
            "timestamp": "2026-05-28 22:03:00,896",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\OpenSSH\\ggsgulid.exe"
              }
            ],
            "repeated": 0,
            "id": 25964
          },
          {
            "timestamp": "2026-05-28 22:03:00,896",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Users\\admin\\AppData\\Local\\Microsoft\\WindowsApps\\ggsgulid.exe"
              }
            ],
            "repeated": 0,
            "id": 25965
          },
          {
            "timestamp": "2026-05-28 22:03:00,896",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\imageres.dll"
              }
            ],
            "repeated": 1,
            "id": 25966
          },
          {
            "timestamp": "2026-05-28 22:03:00,896",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x292514c0002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\system32\\imageres.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 25967
          },
          {
            "timestamp": "2026-05-28 22:03:00,896",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "registry",
            "api": "NtOpenKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\en-US"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\en-US"
              }
            ],
            "repeated": 0,
            "id": 25968
          },
          {
            "timestamp": "2026-05-28 22:03:00,896",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000acc"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100001",
                "pretty_value": "FILE_READ_ACCESS|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\en-US\\imageres.dll.mui"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 25969
          },
          {
            "timestamp": "2026-05-28 22:03:00,896",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000ad4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000acc"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\en-US\\imageres.dll.mui"
              }
            ],
            "repeated": 0,
            "id": 25970
          },
          {
            "timestamp": "2026-05-28 22:03:00,896",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000ad4"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x292514d0000"
              },
              {
                "name": "SectionOffset",
                "value": "0xf09ddfb7f0"
              },
              {
                "name": "ViewSize",
                "value": "0x00001000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 25971
          },
          {
            "timestamp": "2026-05-28 22:03:00,896",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000ad4"
              }
            ],
            "repeated": 0,
            "id": 25972
          },
          {
            "timestamp": "2026-05-28 22:03:00,896",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000ad4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100001",
                "pretty_value": "FILE_READ_ACCESS|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\SystemResources\\imageres.dll.mun"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 25973
          },
          {
            "timestamp": "2026-05-28 22:03:00,896",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000ad8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000ad4"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\SystemResources\\imageres.dll.mun"
              }
            ],
            "repeated": 0,
            "id": 25974
          },
          {
            "timestamp": "2026-05-28 22:03:00,896",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000ad8"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29256120000"
              },
              {
                "name": "SectionOffset",
                "value": "0xf09ddfb7a0"
              },
              {
                "name": "ViewSize",
                "value": "0x013c0000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 25975
          },
          {
            "timestamp": "2026-05-28 22:03:00,896",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000ad8"
              }
            ],
            "repeated": 0,
            "id": 25976
          },
          {
            "timestamp": "2026-05-28 22:03:00,896",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "misc",
            "api": "FindResourceExW",
            "status": true,
            "return": "0x29256142e40",
            "arguments": [
              {
                "name": "Module",
                "value": "0x292514c0002"
              },
              {
                "name": "Type",
                "value": "#14"
              },
              {
                "name": "Name",
                "value": "#15"
              },
              {
                "name": "Language",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 25977
          },
          {
            "timestamp": "2026-05-28 22:03:00,896",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "misc",
            "api": "LoadResource",
            "status": true,
            "return": "0x292561b6950",
            "arguments": [
              {
                "name": "Module",
                "value": "0x292514c0002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29256142e40"
              }
            ],
            "repeated": 0,
            "id": 25978
          },
          {
            "timestamp": "2026-05-28 22:03:00,896",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "misc",
            "api": "FindResourceExW",
            "status": true,
            "return": "0x29256138940",
            "arguments": [
              {
                "name": "Module",
                "value": "0x292514c0002"
              },
              {
                "name": "Type",
                "value": "#3"
              },
              {
                "name": "Name",
                "value": "#63"
              },
              {
                "name": "Language",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 25979
          },
          {
            "timestamp": "2026-05-28 22:03:00,896",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "misc",
            "api": "SizeofResource",
            "status": true,
            "return": "0x00000468",
            "arguments": [
              {
                "name": "ModuleHandle",
                "value": "0x292514c0002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29256138940"
              }
            ],
            "repeated": 0,
            "id": 25980
          },
          {
            "timestamp": "2026-05-28 22:03:00,896",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "misc",
            "api": "LoadResource",
            "status": true,
            "return": "0x292561b64e8",
            "arguments": [
              {
                "name": "Module",
                "value": "0x292514c0002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29256138940"
              }
            ],
            "repeated": 0,
            "id": 25981
          },
          {
            "timestamp": "2026-05-28 22:03:00,896",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29256120000"
              },
              {
                "name": "RegionSize",
                "value": "0x013c0000"
              }
            ],
            "repeated": 0,
            "id": 25982
          },
          {
            "timestamp": "2026-05-28 22:03:00,896",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000ad4"
              }
            ],
            "repeated": 0,
            "id": 25983
          },
          {
            "timestamp": "2026-05-28 22:03:00,896",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x292514d0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              }
            ],
            "repeated": 0,
            "id": 25984
          },
          {
            "timestamp": "2026-05-28 22:03:00,896",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000acc"
              }
            ],
            "repeated": 0,
            "id": 25985
          },
          {
            "timestamp": "2026-05-28 22:03:00,896",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x292514c0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00003000"
              }
            ],
            "repeated": 0,
            "id": 25986
          },
          {
            "timestamp": "2026-05-28 22:03:00,896",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": false,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "GGsGuLID.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 25987
          },
          {
            "timestamp": "2026-05-28 22:03:00,896",
            "thread_id": "5448",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c28c73b3",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x00000acc"
              }
            ],
            "repeated": 0,
            "id": 25988
          },
          {
            "timestamp": "2026-05-28 22:03:00,896",
            "thread_id": "5448",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c28c73b3",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "29"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 25989
          },
          {
            "timestamp": "2026-05-28 22:03:00,896",
            "thread_id": "5448",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c28c73b3",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "25"
              },
              {
                "name": "TokenInformation",
                "value": "\\xa0\\xa4\\xdf\\x9d\\xf0\\x00\\x00\\x00`\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x10\\x000\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 25990
          },
          {
            "timestamp": "2026-05-28 22:03:00,896",
            "thread_id": "5448",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c28c73b3",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions"
              },
              {
                "name": "Handle",
                "value": "0x00000ad4"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions"
              }
            ],
            "repeated": 0,
            "id": 25991
          },
          {
            "timestamp": "2026-05-28 22:03:00,896",
            "thread_id": "5448",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c28c73b3",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000ad4"
              },
              {
                "name": "SubKey",
                "value": "{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}"
              },
              {
                "name": "Handle",
                "value": "0x00000ad8"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}"
              }
            ],
            "repeated": 0,
            "id": 25992
          },
          {
            "timestamp": "2026-05-28 22:03:00,896",
            "thread_id": "5448",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c28c73b3",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000ad4"
              }
            ],
            "repeated": 0,
            "id": 25993
          },
          {
            "timestamp": "2026-05-28 22:03:00,896",
            "thread_id": "5448",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c28c73b3",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000ad8"
              },
              {
                "name": "ValueName",
                "value": "Category"
              },
              {
                "name": "Data",
                "value": "4"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\\Category"
              }
            ],
            "repeated": 0,
            "id": 25994
          },
          {
            "timestamp": "2026-05-28 22:03:00,896",
            "thread_id": "5448",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c28c73b3",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000ad8"
              },
              {
                "name": "ValueName",
                "value": "Name"
              },
              {
                "name": "Data",
                "value": "Desktop"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\\Name"
              }
            ],
            "repeated": 0,
            "id": 25995
          },
          {
            "timestamp": "2026-05-28 22:03:00,896",
            "thread_id": "5448",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c28c73b3",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000ad8"
              },
              {
                "name": "ValueName",
                "value": "ParentFolder"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\\ParentFolder"
              }
            ],
            "repeated": 0,
            "id": 25996
          },
          {
            "timestamp": "2026-05-28 22:03:00,896",
            "thread_id": "5448",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c28c73b3",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000ad8"
              },
              {
                "name": "ValueName",
                "value": "Description"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\\Description"
              }
            ],
            "repeated": 0,
            "id": 25997
          },
          {
            "timestamp": "2026-05-28 22:03:00,896",
            "thread_id": "5448",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c28c73b3",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000ad8"
              },
              {
                "name": "ValueName",
                "value": "RelativePath"
              },
              {
                "name": "Data",
                "value": "Desktop"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\\RelativePath"
              }
            ],
            "repeated": 0,
            "id": 25998
          },
          {
            "timestamp": "2026-05-28 22:03:00,896",
            "thread_id": "5448",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c28c73b3",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000ad8"
              },
              {
                "name": "ValueName",
                "value": "ParsingName"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\\ParsingName"
              }
            ],
            "repeated": 0,
            "id": 25999
          },
          {
            "timestamp": "2026-05-28 22:03:00,896",
            "thread_id": "5448",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c28c73b3",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000ad8"
              },
              {
                "name": "ValueName",
                "value": "InfoTip"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\\InfoTip"
              }
            ],
            "repeated": 0,
            "id": 26000
          },
          {
            "timestamp": "2026-05-28 22:03:00,896",
            "thread_id": "5448",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c28c73b3",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000ad8"
              },
              {
                "name": "ValueName",
                "value": "LocalizedName"
              },
              {
                "name": "Data",
                "value": "@%SystemRoot%\\system32\\shell32.dll,-21769"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\\LocalizedName"
              }
            ],
            "repeated": 0,
            "id": 26001
          },
          {
            "timestamp": "2026-05-28 22:03:00,896",
            "thread_id": "5448",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c28c73b3",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000ad8"
              },
              {
                "name": "ValueName",
                "value": "Icon"
              },
              {
                "name": "Data",
                "value": "%SystemRoot%\\system32\\imageres.dll,-183"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\\Icon"
              }
            ],
            "repeated": 0,
            "id": 26002
          },
          {
            "timestamp": "2026-05-28 22:03:00,896",
            "thread_id": "5448",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c28c73b3",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000ad8"
              },
              {
                "name": "ValueName",
                "value": "Security"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\\Security"
              }
            ],
            "repeated": 0,
            "id": 26003
          },
          {
            "timestamp": "2026-05-28 22:03:00,896",
            "thread_id": "5448",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c28c73b3",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000ad8"
              },
              {
                "name": "ValueName",
                "value": "StreamResource"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\\StreamResource"
              }
            ],
            "repeated": 0,
            "id": 26004
          },
          {
            "timestamp": "2026-05-28 22:03:00,896",
            "thread_id": "5448",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c28c73b3",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000ad8"
              },
              {
                "name": "ValueName",
                "value": "StreamResourceType"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\\StreamResourceType"
              }
            ],
            "repeated": 0,
            "id": 26005
          },
          {
            "timestamp": "2026-05-28 22:03:00,896",
            "thread_id": "5448",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c28c73b3",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000ad8"
              },
              {
                "name": "ValueName",
                "value": "LocalRedirectOnly"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\\LocalRedirectOnly"
              }
            ],
            "repeated": 0,
            "id": 26006
          },
          {
            "timestamp": "2026-05-28 22:03:00,896",
            "thread_id": "5448",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c28c73b3",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000ad8"
              },
              {
                "name": "ValueName",
                "value": "Roamable"
              },
              {
                "name": "Data",
                "value": "1"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\\Roamable"
              }
            ],
            "repeated": 0,
            "id": 26007
          },
          {
            "timestamp": "2026-05-28 22:03:00,896",
            "thread_id": "5448",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c28c73b3",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000ad8"
              },
              {
                "name": "ValueName",
                "value": "PreCreate"
              },
              {
                "name": "Data",
                "value": "1"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\\PreCreate"
              }
            ],
            "repeated": 0,
            "id": 26008
          },
          {
            "timestamp": "2026-05-28 22:03:00,896",
            "thread_id": "5448",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c28c73b3",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000ad8"
              },
              {
                "name": "ValueName",
                "value": "Stream"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\\Stream"
              }
            ],
            "repeated": 0,
            "id": 26009
          },
          {
            "timestamp": "2026-05-28 22:03:00,896",
            "thread_id": "5448",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c28c73b3",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000ad8"
              },
              {
                "name": "ValueName",
                "value": "PublishExpandedPath"
              },
              {
                "name": "Data",
                "value": "1"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\\PublishExpandedPath"
              }
            ],
            "repeated": 0,
            "id": 26010
          },
          {
            "timestamp": "2026-05-28 22:03:00,896",
            "thread_id": "5448",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c28c73b3",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000ad8"
              },
              {
                "name": "ValueName",
                "value": "DefinitionFlags"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\\DefinitionFlags"
              }
            ],
            "repeated": 0,
            "id": 26011
          },
          {
            "timestamp": "2026-05-28 22:03:00,896",
            "thread_id": "5448",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c28c73b3",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000ad8"
              },
              {
                "name": "ValueName",
                "value": "Attributes"
              },
              {
                "name": "Data",
                "value": "1"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\\Attributes"
              }
            ],
            "repeated": 0,
            "id": 26012
          },
          {
            "timestamp": "2026-05-28 22:03:00,896",
            "thread_id": "5448",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c28c73b3",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000ad8"
              },
              {
                "name": "ValueName",
                "value": "FolderTypeID"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\\FolderTypeID"
              }
            ],
            "repeated": 0,
            "id": 26013
          },
          {
            "timestamp": "2026-05-28 22:03:00,896",
            "thread_id": "5448",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c28c73b3",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000ad8"
              },
              {
                "name": "ValueName",
                "value": "InitFolderHandler"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\\InitFolderHandler"
              }
            ],
            "repeated": 0,
            "id": 26014
          },
          {
            "timestamp": "2026-05-28 22:03:00,896",
            "thread_id": "5448",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c28c73b3",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000ad8"
              },
              {
                "name": "SubKey",
                "value": "PropertyBag"
              },
              {
                "name": "Handle",
                "value": "0x00000ad4"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\\PropertyBag"
              }
            ],
            "repeated": 0,
            "id": 26015
          },
          {
            "timestamp": "2026-05-28 22:03:00,896",
            "thread_id": "5448",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c28c73b3",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000ad8"
              }
            ],
            "repeated": 0,
            "id": 26016
          },
          {
            "timestamp": "2026-05-28 22:03:00,896",
            "thread_id": "5448",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c28c73b3",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x0000058c"
              },
              {
                "name": "SubKey",
                "value": "SessionInfo\\1"
              },
              {
                "name": "Handle",
                "value": "0x00000ad8"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\SessionInfo\\1"
              }
            ],
            "repeated": 0,
            "id": 26017
          },
          {
            "timestamp": "2026-05-28 22:03:00,896",
            "thread_id": "5448",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c28c73b3",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000ad8"
              },
              {
                "name": "SubKey",
                "value": "KnownFolders"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\SessionInfo\\1\\KnownFolders"
              }
            ],
            "repeated": 0,
            "id": 26018
          },
          {
            "timestamp": "2026-05-28 22:03:00,896",
            "thread_id": "5448",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c28c73b3",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000ad8"
              }
            ],
            "repeated": 0,
            "id": 26019
          },
          {
            "timestamp": "2026-05-28 22:03:00,896",
            "thread_id": "5448",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c28c73b3",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "`\\xa0\\xdf\\x9d\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xfc\\x7f\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\xe9\\x03\\x00\\x00\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x80\\xd8\n\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 26020
          },
          {
            "timestamp": "2026-05-28 22:03:00,896",
            "thread_id": "5448",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c28c73b3",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000ad8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3968686040-3210279463-847977608-1001"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER"
              }
            ],
            "repeated": 0,
            "id": 26021
          },
          {
            "timestamp": "2026-05-28 22:03:00,896",
            "thread_id": "5448",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c28c73b3",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000ad8"
              },
              {
                "name": "SubKey",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders"
              },
              {
                "name": "Handle",
                "value": "0x00000adc"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders"
              }
            ],
            "repeated": 0,
            "id": 26022
          },
          {
            "timestamp": "2026-05-28 22:03:00,896",
            "thread_id": "5448",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c28c73b3",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000ad8"
              }
            ],
            "repeated": 0,
            "id": 26023
          },
          {
            "timestamp": "2026-05-28 22:03:00,896",
            "thread_id": "5448",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c28c73b3",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000adc"
              },
              {
                "name": "ValueName",
                "value": "Desktop"
              },
              {
                "name": "Data",
                "value": "%USERPROFILE%\\Desktop"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders\\Desktop"
              }
            ],
            "repeated": 0,
            "id": 26024
          },
          {
            "timestamp": "2026-05-28 22:03:00,896",
            "thread_id": "5448",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c28c73b3",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000acc"
              }
            ],
            "repeated": 0,
            "id": 26025
          },
          {
            "timestamp": "2026-05-28 22:03:00,896",
            "thread_id": "5448",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c28c73b3",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000adc"
              }
            ],
            "repeated": 0,
            "id": 26026
          },
          {
            "timestamp": "2026-05-28 22:03:00,896",
            "thread_id": "5448",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c28c73b3",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000adc"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100081",
                "pretty_value": "FILE_READ_ACCESS|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Users\\admin\\Desktop"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 26027
          },
          {
            "timestamp": "2026-05-28 22:03:00,896",
            "thread_id": "5448",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c28c73b3",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": false,
            "return": "0xffffffffc000000d",
            "pretty_return": "INVALID_PARAMETER",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000adc"
              },
              {
                "name": "HandleName",
                "value": "C:\\Users\\admin\\Desktop"
              },
              {
                "name": "FileInformationClass",
                "value": "55",
                "pretty_value": "FileReplaceCompletionInformation"
              },
              {
                "name": "FileInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 26028
          },
          {
            "timestamp": "2026-05-28 22:03:00,896",
            "thread_id": "5448",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c28c73b3",
            "category": "filesystem",
            "api": "NtQueryDirectoryFile",
            "status": false,
            "return": "0xffffffffc000000f",
            "pretty_return": "NO_SUCH_FILE",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000adc"
              },
              {
                "name": "FileInformation",
                "value": ""
              },
              {
                "name": "FileName",
                "value": "C:\\Users\\admin\\Desktop\\GGsGuLID.exe"
              },
              {
                "name": "FileInformationClass",
                "value": "37",
                "pretty_value": "FileIdBothDirectoryInformation"
              }
            ],
            "repeated": 0,
            "id": 26029
          },
          {
            "timestamp": "2026-05-28 22:03:00,896",
            "thread_id": "5448",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c28c73b3",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000adc"
              }
            ],
            "repeated": 0,
            "id": 26030
          },
          {
            "timestamp": "2026-05-28 22:03:00,896",
            "thread_id": "5448",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c28c73b3",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000005"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100080",
                "pretty_value": "FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Users\\admin\\Desktop\\GGsGuLID.exe"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000080",
                "pretty_value": "FILE_ATTRIBUTE_NORMAL"
              },
              {
                "name": "ExistedBefore",
                "value": "no"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 26031
          },
          {
            "timestamp": "2026-05-28 22:03:00,896",
            "thread_id": "5448",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c28c73b3",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x00000adc"
              }
            ],
            "repeated": 0,
            "id": 26032
          },
          {
            "timestamp": "2026-05-28 22:03:00,896",
            "thread_id": "5448",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c28c73b3",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "29"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 26033
          },
          {
            "timestamp": "2026-05-28 22:03:00,896",
            "thread_id": "5448",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c28c73b3",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "25"
              },
              {
                "name": "TokenInformation",
                "value": "\\xa0\\xa4\\xdf\\x9d\\xf0\\x00\\x00\\x00`\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x10\\x000\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 26034
          },
          {
            "timestamp": "2026-05-28 22:03:00,896",
            "thread_id": "5448",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c28c73b3",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions"
              },
              {
                "name": "Handle",
                "value": "0x00000acc"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions"
              }
            ],
            "repeated": 0,
            "id": 26035
          },
          {
            "timestamp": "2026-05-28 22:03:00,896",
            "thread_id": "5448",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c28c73b3",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000acc"
              },
              {
                "name": "SubKey",
                "value": "{C4AA340D-F20F-4863-AFEF-F87EF2E6BA25}"
              },
              {
                "name": "Handle",
                "value": "0x00000ad8"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{C4AA340D-F20F-4863-AFEF-F87EF2E6BA25}"
              }
            ],
            "repeated": 0,
            "id": 26036
          },
          {
            "timestamp": "2026-05-28 22:03:00,896",
            "thread_id": "5448",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c28c73b3",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000acc"
              }
            ],
            "repeated": 0,
            "id": 26037
          },
          {
            "timestamp": "2026-05-28 22:03:00,896",
            "thread_id": "5448",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c28c73b3",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000ad8"
              },
              {
                "name": "ValueName",
                "value": "Category"
              },
              {
                "name": "Data",
                "value": "3"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{C4AA340D-F20F-4863-AFEF-F87EF2E6BA25}\\Category"
              }
            ],
            "repeated": 0,
            "id": 26038
          },
          {
            "timestamp": "2026-05-28 22:03:00,896",
            "thread_id": "5448",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c28c73b3",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000ad8"
              },
              {
                "name": "ValueName",
                "value": "Name"
              },
              {
                "name": "Data",
                "value": "Common Desktop"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{C4AA340D-F20F-4863-AFEF-F87EF2E6BA25}\\Name"
              }
            ],
            "repeated": 0,
            "id": 26039
          },
          {
            "timestamp": "2026-05-28 22:03:00,896",
            "thread_id": "5448",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c28c73b3",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000ad8"
              },
              {
                "name": "ValueName",
                "value": "ParentFolder"
              },
              {
                "name": "Data",
                "value": "{DFDF76A2-C82A-4D63-906A-5644AC457385}"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{C4AA340D-F20F-4863-AFEF-F87EF2E6BA25}\\ParentFolder"
              }
            ],
            "repeated": 0,
            "id": 26040
          },
          {
            "timestamp": "2026-05-28 22:03:00,896",
            "thread_id": "5448",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c28c73b3",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000ad8"
              },
              {
                "name": "ValueName",
                "value": "Description"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{C4AA340D-F20F-4863-AFEF-F87EF2E6BA25}\\Description"
              }
            ],
            "repeated": 0,
            "id": 26041
          },
          {
            "timestamp": "2026-05-28 22:03:00,896",
            "thread_id": "5448",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c28c73b3",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000ad8"
              },
              {
                "name": "ValueName",
                "value": "RelativePath"
              },
              {
                "name": "Data",
                "value": "Desktop"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{C4AA340D-F20F-4863-AFEF-F87EF2E6BA25}\\RelativePath"
              }
            ],
            "repeated": 0,
            "id": 26042
          },
          {
            "timestamp": "2026-05-28 22:03:00,896",
            "thread_id": "5448",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c28c73b3",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000ad8"
              },
              {
                "name": "ValueName",
                "value": "ParsingName"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{C4AA340D-F20F-4863-AFEF-F87EF2E6BA25}\\ParsingName"
              }
            ],
            "repeated": 0,
            "id": 26043
          },
          {
            "timestamp": "2026-05-28 22:03:00,896",
            "thread_id": "5448",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c28c73b3",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000ad8"
              },
              {
                "name": "ValueName",
                "value": "InfoTip"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{C4AA340D-F20F-4863-AFEF-F87EF2E6BA25}\\InfoTip"
              }
            ],
            "repeated": 0,
            "id": 26044
          },
          {
            "timestamp": "2026-05-28 22:03:00,896",
            "thread_id": "5448",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c28c73b3",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000ad8"
              },
              {
                "name": "ValueName",
                "value": "LocalizedName"
              },
              {
                "name": "Data",
                "value": "@%SystemRoot%\\system32\\shell32.dll,-21799"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{C4AA340D-F20F-4863-AFEF-F87EF2E6BA25}\\LocalizedName"
              }
            ],
            "repeated": 0,
            "id": 26045
          },
          {
            "timestamp": "2026-05-28 22:03:00,896",
            "thread_id": "5448",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c28c73b3",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000ad8"
              },
              {
                "name": "ValueName",
                "value": "Icon"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{C4AA340D-F20F-4863-AFEF-F87EF2E6BA25}\\Icon"
              }
            ],
            "repeated": 0,
            "id": 26046
          },
          {
            "timestamp": "2026-05-28 22:03:00,896",
            "thread_id": "5448",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c28c73b3",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000ad8"
              },
              {
                "name": "ValueName",
                "value": "Security"
              },
              {
                "name": "Data",
                "value": "D:P(A;OICI;FA;;;BA)(A;OICI;0x1200a9;;;IU)(A;OICI;FA;;;SY)"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{C4AA340D-F20F-4863-AFEF-F87EF2E6BA25}\\Security"
              }
            ],
            "repeated": 0,
            "id": 26047
          },
          {
            "timestamp": "2026-05-28 22:03:00,896",
            "thread_id": "5448",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c28c73b3",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000ad8"
              },
              {
                "name": "ValueName",
                "value": "StreamResource"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{C4AA340D-F20F-4863-AFEF-F87EF2E6BA25}\\StreamResource"
              }
            ],
            "repeated": 0,
            "id": 26048
          },
          {
            "timestamp": "2026-05-28 22:03:00,896",
            "thread_id": "5448",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c28c73b3",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000ad8"
              },
              {
                "name": "ValueName",
                "value": "StreamResourceType"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{C4AA340D-F20F-4863-AFEF-F87EF2E6BA25}\\StreamResourceType"
              }
            ],
            "repeated": 0,
            "id": 26049
          },
          {
            "timestamp": "2026-05-28 22:03:00,896",
            "thread_id": "5448",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c28c73b3",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000ad8"
              },
              {
                "name": "ValueName",
                "value": "LocalRedirectOnly"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{C4AA340D-F20F-4863-AFEF-F87EF2E6BA25}\\LocalRedirectOnly"
              }
            ],
            "repeated": 0,
            "id": 26050
          },
          {
            "timestamp": "2026-05-28 22:03:00,896",
            "thread_id": "5448",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c28c73b3",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000ad8"
              },
              {
                "name": "ValueName",
                "value": "Roamable"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{C4AA340D-F20F-4863-AFEF-F87EF2E6BA25}\\Roamable"
              }
            ],
            "repeated": 0,
            "id": 26051
          },
          {
            "timestamp": "2026-05-28 22:03:00,896",
            "thread_id": "5448",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c28c73b3",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000ad8"
              },
              {
                "name": "ValueName",
                "value": "PreCreate"
              },
              {
                "name": "Data",
                "value": "1"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{C4AA340D-F20F-4863-AFEF-F87EF2E6BA25}\\PreCreate"
              }
            ],
            "repeated": 0,
            "id": 26052
          },
          {
            "timestamp": "2026-05-28 22:03:00,896",
            "thread_id": "5448",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c28c73b3",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000ad8"
              },
              {
                "name": "ValueName",
                "value": "Stream"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{C4AA340D-F20F-4863-AFEF-F87EF2E6BA25}\\Stream"
              }
            ],
            "repeated": 0,
            "id": 26053
          },
          {
            "timestamp": "2026-05-28 22:03:00,896",
            "thread_id": "5448",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c28c73b3",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000ad8"
              },
              {
                "name": "ValueName",
                "value": "PublishExpandedPath"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{C4AA340D-F20F-4863-AFEF-F87EF2E6BA25}\\PublishExpandedPath"
              }
            ],
            "repeated": 0,
            "id": 26054
          },
          {
            "timestamp": "2026-05-28 22:03:00,896",
            "thread_id": "5448",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c28c73b3",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000ad8"
              },
              {
                "name": "ValueName",
                "value": "DefinitionFlags"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{C4AA340D-F20F-4863-AFEF-F87EF2E6BA25}\\DefinitionFlags"
              }
            ],
            "repeated": 0,
            "id": 26055
          },
          {
            "timestamp": "2026-05-28 22:03:00,896",
            "thread_id": "5448",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c28c73b3",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000ad8"
              },
              {
                "name": "ValueName",
                "value": "Attributes"
              },
              {
                "name": "Data",
                "value": "3"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{C4AA340D-F20F-4863-AFEF-F87EF2E6BA25}\\Attributes"
              }
            ],
            "repeated": 0,
            "id": 26056
          },
          {
            "timestamp": "2026-05-28 22:03:00,896",
            "thread_id": "5448",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c28c73b3",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000ad8"
              },
              {
                "name": "ValueName",
                "value": "FolderTypeID"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{C4AA340D-F20F-4863-AFEF-F87EF2E6BA25}\\FolderTypeID"
              }
            ],
            "repeated": 0,
            "id": 26057
          },
          {
            "timestamp": "2026-05-28 22:03:00,896",
            "thread_id": "5448",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c28c73b3",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000ad8"
              },
              {
                "name": "ValueName",
                "value": "InitFolderHandler"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{C4AA340D-F20F-4863-AFEF-F87EF2E6BA25}\\InitFolderHandler"
              }
            ],
            "repeated": 0,
            "id": 26058
          },
          {
            "timestamp": "2026-05-28 22:03:00,896",
            "thread_id": "5448",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c28c73b3",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000ad8"
              },
              {
                "name": "SubKey",
                "value": "PropertyBag"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{C4AA340D-F20F-4863-AFEF-F87EF2E6BA25}\\PropertyBag"
              }
            ],
            "repeated": 0,
            "id": 26059
          },
          {
            "timestamp": "2026-05-28 22:03:00,896",
            "thread_id": "5448",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c28c73b3",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000ad8"
              }
            ],
            "repeated": 0,
            "id": 26060
          },
          {
            "timestamp": "2026-05-28 22:03:00,896",
            "thread_id": "5448",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c28c73b3",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x0000058c"
              },
              {
                "name": "SubKey",
                "value": "SessionInfo\\1"
              },
              {
                "name": "Handle",
                "value": "0x00000ad8"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\SessionInfo\\1"
              }
            ],
            "repeated": 0,
            "id": 26061
          },
          {
            "timestamp": "2026-05-28 22:03:00,896",
            "thread_id": "5448",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c28c73b3",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000ad8"
              },
              {
                "name": "SubKey",
                "value": "KnownFolders"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\SessionInfo\\1\\KnownFolders"
              }
            ],
            "repeated": 0,
            "id": 26062
          },
          {
            "timestamp": "2026-05-28 22:03:00,896",
            "thread_id": "5448",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c28c73b3",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000ad8"
              }
            ],
            "repeated": 0,
            "id": 26063
          },
          {
            "timestamp": "2026-05-28 22:03:00,896",
            "thread_id": "5448",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c28c73b3",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders"
              },
              {
                "name": "Handle",
                "value": "0x00000ad8"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders"
              }
            ],
            "repeated": 0,
            "id": 26064
          },
          {
            "timestamp": "2026-05-28 22:03:00,896",
            "thread_id": "5448",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c28c73b3",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000ad8"
              },
              {
                "name": "ValueName",
                "value": "Common Desktop"
              },
              {
                "name": "Data",
                "value": "%PUBLIC%\\Desktop"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders\\Common Desktop"
              }
            ],
            "repeated": 0,
            "id": 26065
          },
          {
            "timestamp": "2026-05-28 22:03:00,896",
            "thread_id": "5448",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c28c73b3",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000adc"
              }
            ],
            "repeated": 0,
            "id": 26066
          },
          {
            "timestamp": "2026-05-28 22:03:00,896",
            "thread_id": "5448",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c28c73b3",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000ad8"
              }
            ],
            "repeated": 0,
            "id": 26067
          },
          {
            "timestamp": "2026-05-28 22:03:00,896",
            "thread_id": "5448",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c28c73b3",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000ad8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100081",
                "pretty_value": "FILE_READ_ACCESS|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Users\\Public\\Desktop"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 26068
          },
          {
            "timestamp": "2026-05-28 22:03:00,896",
            "thread_id": "5448",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c28c73b3",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": false,
            "return": "0xffffffffc000000d",
            "pretty_return": "INVALID_PARAMETER",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000ad8"
              },
              {
                "name": "HandleName",
                "value": "C:\\Users\\Public\\Desktop"
              },
              {
                "name": "FileInformationClass",
                "value": "55",
                "pretty_value": "FileReplaceCompletionInformation"
              },
              {
                "name": "FileInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 26069
          },
          {
            "timestamp": "2026-05-28 22:03:00,896",
            "thread_id": "5448",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c28c73b3",
            "category": "filesystem",
            "api": "NtQueryDirectoryFile",
            "status": false,
            "return": "0xffffffffc000000f",
            "pretty_return": "NO_SUCH_FILE",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000ad8"
              },
              {
                "name": "FileInformation",
                "value": ""
              },
              {
                "name": "FileName",
                "value": "C:\\Users\\Public\\Desktop\\GGsGuLID.exe"
              },
              {
                "name": "FileInformationClass",
                "value": "37",
                "pretty_value": "FileIdBothDirectoryInformation"
              }
            ],
            "repeated": 0,
            "id": 26070
          },
          {
            "timestamp": "2026-05-28 22:03:00,896",
            "thread_id": "5448",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c28c73b3",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000ad8"
              }
            ],
            "repeated": 0,
            "id": 26071
          },
          {
            "timestamp": "2026-05-28 22:03:00,896",
            "thread_id": "5448",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c28c73b3",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000006"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100080",
                "pretty_value": "FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Users\\Public\\Desktop\\GGsGuLID.exe"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000080",
                "pretty_value": "FILE_ATTRIBUTE_NORMAL"
              },
              {
                "name": "ExistedBefore",
                "value": "no"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 26072
          },
          {
            "timestamp": "2026-05-28 22:03:00,896",
            "thread_id": "5448",
            "caller": "0x7ff6c28c3b16",
            "parentcaller": "0x7ff6c28c30e8",
            "category": "process",
            "api": "NtOpenProcess",
            "status": false,
            "return": "0xffffffffc000000b",
            "pretty_return": "INVALID_CID",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000400",
                "pretty_value": "PROCESS_QUERY_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "10172"
              }
            ],
            "repeated": 0,
            "id": 26073
          },
          {
            "timestamp": "2026-05-28 22:03:00,896",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c38f8",
            "category": "process",
            "api": "NtOpenProcess",
            "status": false,
            "return": "0xffffffffc000000b",
            "pretty_return": "INVALID_CID",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00008000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001410",
                "pretty_value": "PROCESS_VM_READ|PROCESS_QUERY_INFORMATION|PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "10172"
              }
            ],
            "repeated": 0,
            "id": 26074
          },
          {
            "timestamp": "2026-05-28 22:03:00,896",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c3746",
            "category": "process",
            "api": "NtOpenProcess",
            "status": false,
            "return": "0xffffffffc000000b",
            "pretty_return": "INVALID_CID",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xf09ddfe128"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001000",
                "pretty_value": "PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "10172"
              }
            ],
            "repeated": 0,
            "id": 26075
          },
          {
            "timestamp": "2026-05-28 22:03:00,896",
            "thread_id": "2700",
            "caller": "0x7ff6c28d9214",
            "parentcaller": "0x00000000",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "0",
                "pretty_value": "ThreadBasicInformation"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x03\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xd0\\x86\\x9d\\xf0\\x00\\x00\\x00\\xe8\\x1e\\x00\\x00\\x00\\x00\\x00\\x00\\x8c\n\\x00\\x00\\x00\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\n\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "2700"
              }
            ],
            "repeated": 0,
            "id": 26076
          },
          {
            "timestamp": "2026-05-28 22:03:00,896",
            "thread_id": "2700",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000000",
                "pretty_value": "HKEY_CLASSES_ROOT"
              },
              {
                "name": "SubKey",
                "value": "CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_CLASSES_ROOT\\CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              }
            ],
            "repeated": 0,
            "id": 26077
          },
          {
            "timestamp": "2026-05-28 22:03:00,896",
            "thread_id": "2700",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "shell32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76730000"
              }
            ],
            "repeated": 0,
            "id": 26078
          },
          {
            "timestamp": "2026-05-28 22:03:00,896",
            "thread_id": "2700",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x7ffc76730000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "shell32.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 26079
          },
          {
            "timestamp": "2026-05-28 22:03:00,896",
            "thread_id": "2700",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "SHELL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc76730000"
              },
              {
                "name": "FunctionName",
                "value": "DllGetClassObject"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc767878f0"
              }
            ],
            "repeated": 0,
            "id": 26080
          },
          {
            "timestamp": "2026-05-28 22:03:00,896",
            "thread_id": "2700",
            "caller": "0x7ff6c28c27c9",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "synchronization",
            "api": "NtFindAtom",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "AtomName",
                "value": "{57086C23-86C6-478F-AFB2-236188C8F47F} 3"
              },
              {
                "name": "Atom",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 26081
          },
          {
            "timestamp": "2026-05-28 22:03:00,896",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6fb1",
            "parentcaller": "0x7ff6c28e0076",
            "category": "system",
            "api": "NtDelayExecution",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 26082
          },
          {
            "timestamp": "2026-05-28 22:03:00,896",
            "thread_id": "2700",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000000",
                "pretty_value": "HKEY_CLASSES_ROOT"
              },
              {
                "name": "SubKey",
                "value": "CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_CLASSES_ROOT\\CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              }
            ],
            "repeated": 0,
            "id": 26083
          },
          {
            "timestamp": "2026-05-28 22:03:00,896",
            "thread_id": "2700",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "shell32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76730000"
              }
            ],
            "repeated": 0,
            "id": 26084
          },
          {
            "timestamp": "2026-05-28 22:03:00,896",
            "thread_id": "2700",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x7ffc76730000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "shell32.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 26085
          },
          {
            "timestamp": "2026-05-28 22:03:00,896",
            "thread_id": "2700",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "SHELL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc76730000"
              },
              {
                "name": "FunctionName",
                "value": "DllGetClassObject"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc767878f0"
              }
            ],
            "repeated": 0,
            "id": 26086
          },
          {
            "timestamp": "2026-05-28 22:03:00,896",
            "thread_id": "2700",
            "caller": "0x7ff6c28c27c9",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "synchronization",
            "api": "NtFindAtom",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "AtomName",
                "value": "{57086C23-86C6-478F-AFB2-236188C8F47F} 3"
              },
              {
                "name": "Atom",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 26087
          },
          {
            "timestamp": "2026-05-28 22:03:00,896",
            "thread_id": "2700",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000000",
                "pretty_value": "HKEY_CLASSES_ROOT"
              },
              {
                "name": "SubKey",
                "value": "CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_CLASSES_ROOT\\CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              }
            ],
            "repeated": 0,
            "id": 26088
          },
          {
            "timestamp": "2026-05-28 22:03:00,896",
            "thread_id": "2700",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "shell32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76730000"
              }
            ],
            "repeated": 0,
            "id": 26089
          },
          {
            "timestamp": "2026-05-28 22:03:00,896",
            "thread_id": "2700",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x7ffc76730000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "shell32.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 26090
          },
          {
            "timestamp": "2026-05-28 22:03:00,896",
            "thread_id": "2700",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "SHELL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc76730000"
              },
              {
                "name": "FunctionName",
                "value": "DllGetClassObject"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc767878f0"
              }
            ],
            "repeated": 0,
            "id": 26091
          },
          {
            "timestamp": "2026-05-28 22:03:00,896",
            "thread_id": "2700",
            "caller": "0x7ff6c28c27c9",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "synchronization",
            "api": "NtFindAtom",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "AtomName",
                "value": "{57086C23-86C6-478F-AFB2-236188C8F47F} 3"
              },
              {
                "name": "Atom",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 26092
          },
          {
            "timestamp": "2026-05-28 22:03:00,896",
            "thread_id": "2700",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000000",
                "pretty_value": "HKEY_CLASSES_ROOT"
              },
              {
                "name": "SubKey",
                "value": "CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_CLASSES_ROOT\\CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              }
            ],
            "repeated": 0,
            "id": 26093
          },
          {
            "timestamp": "2026-05-28 22:03:00,896",
            "thread_id": "2700",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "shell32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76730000"
              }
            ],
            "repeated": 0,
            "id": 26094
          },
          {
            "timestamp": "2026-05-28 22:03:00,896",
            "thread_id": "2700",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x7ffc76730000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "shell32.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 26095
          },
          {
            "timestamp": "2026-05-28 22:03:00,896",
            "thread_id": "2700",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "SHELL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc76730000"
              },
              {
                "name": "FunctionName",
                "value": "DllGetClassObject"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc767878f0"
              }
            ],
            "repeated": 0,
            "id": 26096
          },
          {
            "timestamp": "2026-05-28 22:03:00,896",
            "thread_id": "2700",
            "caller": "0x7ff6c28c27c9",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "synchronization",
            "api": "NtFindAtom",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "AtomName",
                "value": "{57086C23-86C6-478F-AFB2-236188C8F47F} 3"
              },
              {
                "name": "Atom",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 26097
          },
          {
            "timestamp": "2026-05-28 22:03:00,896",
            "thread_id": "2700",
            "caller": "0x7ff6c28d9322",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "oleaut32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc77330000"
              }
            ],
            "repeated": 0,
            "id": 26098
          },
          {
            "timestamp": "2026-05-28 22:03:00,896",
            "thread_id": "5448",
            "caller": "0x7ff6c28bb952",
            "parentcaller": "0x7ff6c28be837",
            "category": "windows",
            "api": "PostMessageW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "WindowHandle",
                "value": "0x00010402"
              },
              {
                "name": "Message",
                "value": "0x00000464"
              }
            ],
            "repeated": 0,
            "id": 26099
          },
          {
            "timestamp": "2026-05-28 22:03:00,896",
            "thread_id": "5448",
            "caller": "0x7ff6c28be873",
            "parentcaller": "0x7ff6c28d9f92",
            "category": "windows",
            "api": "PostMessageW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "WindowHandle",
                "value": "0x000203fa"
              },
              {
                "name": "Message",
                "value": "0x000004dd"
              }
            ],
            "repeated": 0,
            "id": 26100
          },
          {
            "timestamp": "2026-05-28 22:03:00,896",
            "thread_id": "608",
            "caller": "0x7ff6c28d9e90",
            "parentcaller": "0x7ff6c28d9a49",
            "category": "windows",
            "api": "FindWindowW",
            "status": true,
            "return": "0x00010092",
            "arguments": [
              {
                "name": "ClassName",
                "value": "Shell_TrayWnd"
              },
              {
                "name": "WindowName",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 26101
          },
          {
            "timestamp": "2026-05-28 22:03:00,896",
            "thread_id": "2700",
            "caller": "0x7ffc77bf0e98",
            "parentcaller": "0x7ffc77c6b785",
            "category": "windows",
            "api": "PostMessageW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "WindowHandle",
                "value": "0x00010438"
              },
              {
                "name": "Message",
                "value": "0x00000400"
              }
            ],
            "repeated": 0,
            "id": 26102
          },
          {
            "timestamp": "2026-05-28 22:03:01,506",
            "thread_id": "2700",
            "caller": "0x7ffc77bf0e98",
            "parentcaller": "0x7ffc77c6b785",
            "category": "windows",
            "api": "PostMessageW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "WindowHandle",
                "value": "0x00010424"
              },
              {
                "name": "Message",
                "value": "0x00000400"
              }
            ],
            "repeated": 0,
            "id": 26103
          },
          {
            "timestamp": "2026-05-28 22:03:01,521",
            "thread_id": "5448",
            "caller": "0x7ff6c28bd9af",
            "parentcaller": "0x7ff6c28d9f92",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "23"
              },
              {
                "name": "ThreadInformation",
                "value": " \\xa9\\xf0z\\x00\\x00\\x00\\x00hp8\nv\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "5448"
              }
            ],
            "repeated": 0,
            "id": 26104
          },
          {
            "timestamp": "2026-05-28 22:03:01,521",
            "thread_id": "5448",
            "caller": "0x7ff6c28c63dd",
            "parentcaller": "0x7ff6c28bac26",
            "category": "misc",
            "api": "NtQuerySystemInformation",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SystemInformationClass",
                "value": "5",
                "pretty_value": "FILE_OVERWRITE_IF"
              }
            ],
            "repeated": 0,
            "id": 26105
          },
          {
            "timestamp": "2026-05-28 22:03:01,521",
            "thread_id": "5448",
            "caller": "0x7ff6c28bda50",
            "parentcaller": "0x7ff6c28d9f92",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "23"
              },
              {
                "name": "ThreadInformation",
                "value": "\\xe8w.{\\x00\\x00\\x00\\x00|\\xca{\nv\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "5448"
              }
            ],
            "repeated": 0,
            "id": 26106
          },
          {
            "timestamp": "2026-05-28 22:03:01,521",
            "thread_id": "5448",
            "caller": "0x7ff6c28bdaa2",
            "parentcaller": "0x7ff6c28d9f92",
            "category": "misc",
            "api": "NtQuerySystemInformation",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SystemInformationClass",
                "value": "3",
                "pretty_value": "FILE_OPEN_IF"
              }
            ],
            "repeated": 0,
            "id": 26107
          },
          {
            "timestamp": "2026-05-28 22:03:01,521",
            "thread_id": "5448",
            "caller": "0x7ff6c28c4a58",
            "parentcaller": "0x7ff6c28c4bdc",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000410"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\PcwDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00224013"
              },
              {
                "name": "InputBuffer",
                "value": "\\x14\\x04\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": "\\xb8\\x01\\x00\\x00\\x10\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xa8\\x01\\x00\\x00 \\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x000\\x00\\x00\\x0c\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00`\\x00\\x00\\x00\\x00\\x00\\x00\\x00 \\x00\\x00\\x00\\x04\\x00\\x00\\x000\\x00,\\x000\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x04\\x00\\x08\\x00V!\\x83\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x05\\x00\\x08\\x00\\xb0\\xb0\\xb6\\x01\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x1a\\x00\\x08\\x00\\x08\\xe9\\xc1I\\x01\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x1b\\x00\\x04\\x00\\xc2v\\xeb\\x04\\x00\\x00\\x00\\x00`\\x00\\x00\\x00\\x01\\x00\\x00\\x00 \\x00\\x00\\x00\\x04\\x00\\x00\\x000\\x00,\\x001\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x04\\x00\\x08\\x00\\xaey^\\x01\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x05\\x00\\x08\\x00\\xaeL-\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x1a\\x00\\x08\\x00-\\x14.O\\x01\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x1b\\x00\\x04\\x00\\xd1v\\xeb\\x04\\x00\\x00\\x00\\x00h\\x00\\x00\\x00\\x02\\x00\\x00\\x00(\\x00\\x00\\x00\\x04\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 26108
          },
          {
            "timestamp": "2026-05-28 22:03:01,521",
            "thread_id": "5448",
            "caller": "0x7ff6c28c4a58",
            "parentcaller": "0x7ff6c28c4c19",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000410"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\PcwDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00224013"
              },
              {
                "name": "InputBuffer",
                "value": "\\x18\\x04\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": "x\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00h\\x00\\x00\\x00 \\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00H\\x00\\x00\\x00\\x00\\x00\\x00\\x00(\\x00\\x00\\x00\\x02\\x00\\x00\\x00d\\x00e\\x00f\\x00a\\x00u\\x00l\\x00t\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x08\\x00\\x1bZ*\\xa6\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x01\\x00\\x08\\x00\\x00\\xf4\\x0b\\x0f\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 26109
          },
          {
            "timestamp": "2026-05-28 22:03:01,521",
            "thread_id": "5448",
            "caller": "0x7ff6c28c6f7b",
            "parentcaller": "0x7ff6c28bdb94",
            "category": "misc",
            "api": "GlobalMemoryStatusEx",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "MemoryLoad",
                "value": "31"
              },
              {
                "name": "TotalPhysicalMB",
                "value": "8191"
              }
            ],
            "repeated": 0,
            "id": 26110
          },
          {
            "timestamp": "2026-05-28 22:03:01,521",
            "thread_id": "5448",
            "caller": "0x7ff6c28c05ac",
            "parentcaller": "0x7ff6c28bdc11",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a54"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001400",
                "pretty_value": "PROCESS_QUERY_INFORMATION|PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "748"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe"
              }
            ],
            "repeated": 0,
            "id": 26111
          },
          {
            "timestamp": "2026-05-28 22:03:01,521",
            "thread_id": "5448",
            "caller": "0x7ff6c28c068f",
            "parentcaller": "0x7ff6c28bdc11",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a54"
              }
            ],
            "repeated": 0,
            "id": 26112
          },
          {
            "timestamp": "2026-05-28 22:03:01,521",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c6d7d",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a54"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001400",
                "pretty_value": "PROCESS_QUERY_INFORMATION|PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "748"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe"
              }
            ],
            "repeated": 0,
            "id": 26113
          },
          {
            "timestamp": "2026-05-28 22:03:01,521",
            "thread_id": "5448",
            "caller": "0x7ff6c28c6de3",
            "parentcaller": "0x7ff6c28c087c",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a54"
              }
            ],
            "repeated": 0,
            "id": 26114
          },
          {
            "timestamp": "2026-05-28 22:03:01,521",
            "thread_id": "5448",
            "caller": "0x7ff6c28c05ac",
            "parentcaller": "0x7ff6c28bdc11",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a54"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001400",
                "pretty_value": "PROCESS_QUERY_INFORMATION|PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "9716"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe"
              }
            ],
            "repeated": 0,
            "id": 26115
          },
          {
            "timestamp": "2026-05-28 22:03:01,521",
            "thread_id": "5448",
            "caller": "0x7ff6c28c068f",
            "parentcaller": "0x7ff6c28bdc11",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a54"
              }
            ],
            "repeated": 0,
            "id": 26116
          },
          {
            "timestamp": "2026-05-28 22:03:01,521",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c3e56",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a54"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001000",
                "pretty_value": "PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "9716"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe"
              }
            ],
            "repeated": 0,
            "id": 26117
          },
          {
            "timestamp": "2026-05-28 22:03:01,521",
            "thread_id": "5448",
            "caller": "0x7ff6c28c3ebb",
            "parentcaller": "0x7ff6c28c2d53",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a54"
              }
            ],
            "repeated": 0,
            "id": 26118
          },
          {
            "timestamp": "2026-05-28 22:03:01,521",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c3ffc",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a60"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001000",
                "pretty_value": "PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "9716"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe"
              }
            ],
            "repeated": 0,
            "id": 26119
          },
          {
            "timestamp": "2026-05-28 22:03:01,521",
            "thread_id": "8604",
            "caller": "0x7ff6c28c4a58",
            "parentcaller": "0x7ff6c28bab11",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000410"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\PcwDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00224013"
              },
              {
                "name": "InputBuffer",
                "value": "\\x88\\x08\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": "x\\x02\\x00\\x00\\x10\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00h\\x02\\x00\\x00 \\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01<\\x06\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x90\\x00\\x00\\x00\\x00\\x00\\x00\\x00 \\x00\\x00\\x00\\x07\\x00\\x00\\x000\\x00,\\x000\\x00\\x00\\x00a\\x00n\\x00a\\x00g\\x00\\x10\\x00\\x00\\x00\\x10\\x00\\x04\\x00\\x00\\x00\\x00\\x00A\\x00p\\x00\\x10\\x00\\x00\\x00\\x1a\\x00\\x08\\x00\\x85J\\xc2I\\x01\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x1b\\x00\\x04\\x00\\xbbw\\xeb\\x04S\\x00e\\x00\\x10\\x00\\x00\\x00\\x1c\\x00\\x08\\x00\\x8b\\xc2\\xc4\\x08\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x1d\\x00\\x04\\x00\\xbbw\\xeb\\x04)\\x00\\x00\\x00\\x10\\x00\\x00\\x00!\\x00\\x08\\x00\\xab5\\xeaz/\\x00\\x00\\x00\\x10\\x00\\x00\\x00\"\\x00\\x04\\x00\\xd3.L\\x03o\\x00f\\x00\\x90\\x00\\x00\\x00\\x01\\x00\\x00\\x00 \\x00\\x00\\x00\\x07\\x00\\x00\\x000\\x00,\\x001\\x00\\x00\\x00n\\x00t\\x00\\x00\\x00A\\x00\\x10\\x00\\x00\\x00\\x10\\x00\\x04\\x00\\x00\\x00\\x00\\x00e\\x00n\\x00\\x10\\x00\\x00\\x00\\x1a\\x00\\x08\\x00\\x1fq.O\\x01\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 26120
          },
          {
            "timestamp": "2026-05-28 22:03:01,521",
            "thread_id": "8604",
            "caller": "0x7ff6c28c7164",
            "parentcaller": "0x7ff6c28c4d2d",
            "category": "misc",
            "api": "NtQuerySystemInformation",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "SystemInformationClass",
                "value": "79"
              }
            ],
            "repeated": 0,
            "id": 26121
          },
          {
            "timestamp": "2026-05-28 22:03:01,521",
            "thread_id": "5448",
            "caller": "0x7ff6c28c4224",
            "parentcaller": "0x7ff6c28c2da5",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a60"
              }
            ],
            "repeated": 0,
            "id": 26122
          },
          {
            "timestamp": "2026-05-28 22:03:01,521",
            "thread_id": "8604",
            "caller": "0x7ff6c28c71d8",
            "parentcaller": "0x7ff6c28c4d2d",
            "category": "misc",
            "api": "NtQuerySystemInformation",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SystemInformationClass",
                "value": "79"
              }
            ],
            "repeated": 0,
            "id": 26123
          },
          {
            "timestamp": "2026-05-28 22:03:01,521",
            "thread_id": "8604",
            "caller": "0x7ff6c28c4d5f",
            "parentcaller": "0x7ff6c28d9152",
            "category": "misc",
            "api": "NtQuerySystemInformation",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SystemInformationClass",
                "value": "182"
              }
            ],
            "repeated": 0,
            "id": 26124
          },
          {
            "timestamp": "2026-05-28 22:03:01,521",
            "thread_id": "8604",
            "caller": "0x7ff6c28c4d76",
            "parentcaller": "0x7ff6c28d9152",
            "category": "misc",
            "api": "GetPhysicallyInstalledSystemMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TotalMemoryInKilobytes",
                "value": "8388608"
              }
            ],
            "repeated": 0,
            "id": 26125
          },
          {
            "timestamp": "2026-05-28 22:03:01,521",
            "thread_id": "8604",
            "caller": "0x7ff6c28bcc3e",
            "parentcaller": "0x7ff6c28baa3d",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000008a4"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\Nsi"
              },
              {
                "name": "IoControlCode",
                "value": "0x00120007"
              },
              {
                "name": "InputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb1\\xa9t\\xfc\\x7f\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xc0\\xe5O\\x9e\\xf0\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb1\\xa9t\\xfc\\x7f\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xc0\\xe5O\\x9e\\xf0\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 26126
          },
          {
            "timestamp": "2026-05-28 22:03:01,521",
            "thread_id": "8604",
            "caller": "0x7ff6c28bcc3e",
            "parentcaller": "0x7ff6c28baa3d",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a54"
              }
            ],
            "repeated": 0,
            "id": 26127
          },
          {
            "timestamp": "2026-05-28 22:03:01,521",
            "thread_id": "8604",
            "caller": "0x7ff6c28bcc3e",
            "parentcaller": "0x7ff6c28baa3d",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000008a4"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\Nsi"
              },
              {
                "name": "IoControlCode",
                "value": "0x0012000f"
              },
              {
                "name": "InputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb1\\xa9t\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xd0\\xe5O\\x9e\\xf0\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\xeeO\\x9e\\xf0\\x00\\x00\\x00D\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xe6O\\x9e\\xf0\\x00\\x00\\x00\\xd8\\x00\\x00\\x00\\x00\\x00\\x00\\x00 \\xe9O\\x9e\\xf0\\x00\\x00\\x00X\\x02\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb1\\xa9t\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xd0\\xe5O\\x9e\\xf0\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\xeeO\\x9e\\xf0\\x00\\x00\\x00D\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xe6O\\x9e\\xf0\\x00\\x00\\x00\\xd8\\x00\\x00\\x00\\x00\\x00\\x00\\x00 \\xe9O\\x9e\\xf0\\x00\\x00\\x00X\\x02\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 26128
          },
          {
            "timestamp": "2026-05-28 22:03:01,521",
            "thread_id": "8604",
            "caller": "0x7ff6c28bcc3e",
            "parentcaller": "0x7ff6c28baa3d",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a54"
              }
            ],
            "repeated": 0,
            "id": 26129
          },
          {
            "timestamp": "2026-05-28 22:03:01,521",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x292514c0002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\System32\\dllhost.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 26130
          },
          {
            "timestamp": "2026-05-28 22:03:01,521",
            "thread_id": "8604",
            "caller": "0x7ff6c28bcd3d",
            "parentcaller": "0x7ff6c28baa3d",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000a54"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0012019f",
                "pretty_value": "FILE_GENERIC_READ|FILE_GENERIC_WRITE"
              },
              {
                "name": "FileName",
                "value": "\\Device\\{4C572733-2FBA-4346-9601-F86DBA666EF2}"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 26131
          },
          {
            "timestamp": "2026-05-28 22:03:01,521",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x292514c0002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\System32\\dllhost.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 26132
          },
          {
            "timestamp": "2026-05-28 22:03:01,521",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x292514c0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00009000"
              }
            ],
            "repeated": 0,
            "id": 26133
          },
          {
            "timestamp": "2026-05-28 22:03:01,521",
            "thread_id": "5448",
            "caller": "0x7ff6c28c3b16",
            "parentcaller": "0x7ff6c28c30e8",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a60"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000400",
                "pretty_value": "PROCESS_QUERY_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "9716"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe"
              }
            ],
            "repeated": 0,
            "id": 26134
          },
          {
            "timestamp": "2026-05-28 22:03:01,521",
            "thread_id": "5448",
            "caller": "0x7ff6c28c3b8f",
            "parentcaller": "0x7ff6c28c30e8",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a60"
              }
            ],
            "repeated": 0,
            "id": 26135
          },
          {
            "timestamp": "2026-05-28 22:03:01,521",
            "thread_id": "8604",
            "caller": "0x7ff6c28bcd94",
            "parentcaller": "0x7ff6c28baa3d",
            "category": "device",
            "api": "DeviceIoControl",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "DeviceHandle",
                "value": "0x00000a54"
              },
              {
                "name": "IoControlCode",
                "value": "0x0017003e"
              },
              {
                "name": "InBuffer",
                "value": "\\x07\\x01\\x01\\x00\\x04\\x01\\x01\\x80\\x14\\x01\\x01\\x80\\x01\\x01\\x02\\x00\\x02\\x01\\x02\\x00\\x03\\x01\\x02\\x00\\x04\\x01\\x02\\x00\\x08\\x02\\x02\\x80\\x01\\x02\\x02\\x80\\x07\\x02\\x02\\x80\\xff\\xff\\xff\\x80\\x13\\x02\\x02\\x80\\x14\\x02\\x02\\x80\\x15\\x02\\x02\\x80\\x02\\x02\\x01\\x80"
              },
              {
                "name": "OutBuffer",
                "value": "\\x07\\x01\\x01\\x00\\x04\\x00\\x00\\x00\\x80\\x96\\x98\\x00\\x04\\x01\\x01\\x80\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x14\\x01\\x01\\x80\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x01\\x02\\x00\\x08\\x00\\x00\\x00M\\x18\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x01\\x02\\x00\\x08\\x00\\x00\\x00\\x81s\\x00\\x00\\x00\\x00\\x00\\x00\\x03\\x01\\x02\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x04\\x01\\x02\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x08\\x02\\x02\\x80\\x08\\x00\\x00\\x00|s\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x02\\x02\\x80\\x08\\x00\\x00\\x00\\xeb\\x1ce\\x00\\x00\\x00\\x00\\x00\\x07\\x02\\x02\\x80\\x08\\x00\\x00\\x00\\x85hC\\x02\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\x80\\x04\\x00\\x00\\x00\\x7f\\x00\\x00\\x00\\x13\\x02\\x02\\x80\\x04\\x00\\x00\\x00m\\x00\\x00\\x00\\x14\\x02\\x02\\x80\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x15\\x02\\x02\\x80\\x04\\x00\\x00\\x00\\x00\\x00\\x04\\x00\\x02\\x02\\x01\\x80\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 26136
          },
          {
            "timestamp": "2026-05-28 22:03:01,521",
            "thread_id": "8604",
            "caller": "0x7ff6c28bcdab",
            "parentcaller": "0x7ff6c28baa3d",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a54"
              }
            ],
            "repeated": 0,
            "id": 26137
          },
          {
            "timestamp": "2026-05-28 22:03:01,521",
            "thread_id": "8604",
            "caller": "0x7ff6c28c1a63",
            "parentcaller": "0x7ff6c28d9152",
            "category": "device",
            "api": "DeviceIoControl",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "DeviceHandle",
                "value": "0x0000089c"
              },
              {
                "name": "IoControlCode",
                "value": "0x00070020"
              },
              {
                "name": "InBuffer",
                "value": ""
              },
              {
                "name": "OutBuffer",
                "value": "\\x00\\x90D{\\x00\\x00\\x00\\x00\\x00\\xf4-\r\\x00\\x00\\x00\\x00\\x01r\\xd9 \\x00\\x00\\x00\\x00\\x98\\xbb\\xc1\\x16\\x00\\x00\\x00\\x00\\x98|R9\\x00\\x00\\x00\\x00Fx\\x00\\x00\\xfa\\x12\\x00\\x00\\x00\\x00\\x00\\x00\\x18\\x05\\x00\\x00\\xd4\\xe3L\\xc0\\xed\\xee\\xdc\\x01\\x00\\x00\\x00\\x00P\\x00a\\x00r\\x00t\\x00m\\x00g\\x00r\\x00 \\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 26138
          },
          {
            "timestamp": "2026-05-28 22:03:01,521",
            "thread_id": "8604",
            "caller": "0x7ff6c28ca352",
            "parentcaller": "0x7ff6c28ca1d6",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 26139
          },
          {
            "timestamp": "2026-05-28 22:03:01,521",
            "thread_id": "8604",
            "caller": "0x7ff6c28ca352",
            "parentcaller": "0x7ff6c28ca1d6",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "0",
                "pretty_value": "ThreadBasicInformation"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x03\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb0\\x88\\x9d\\xf0\\x00\\x00\\x00\\xe8\\x1e\\x00\\x00\\x00\\x00\\x00\\x00\\x9c!\\x00\\x00\\x00\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x0b\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "8604"
              }
            ],
            "repeated": 0,
            "id": 26140
          },
          {
            "timestamp": "2026-05-28 22:03:01,521",
            "thread_id": "8604",
            "caller": "0x7ff6c28ca352",
            "parentcaller": "0x7ff6c28ca1d6",
            "category": "system",
            "api": "GetSystemTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 1,
            "id": 26141
          },
          {
            "timestamp": "2026-05-28 22:03:01,521",
            "thread_id": "8604",
            "caller": "0x7ff6c28ca352",
            "parentcaller": "0x7ff6c28ca1d6",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000410"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\PcwDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00224013"
              },
              {
                "name": "InputBuffer",
                "value": "\\x00\t\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": "\\xe0G\\x00\\x00\\x10\\x00\\x00\\x00\\x0c\\x00\\x00\\x00\\x00\\x00\\x00\\x00`\\x14\\x00\\x00 \\x00\\x00\\x00!\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\n\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x98\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x88\\x00\\x00\\x00\\x01\\x00\\x00\\x00p\\x00i\\x00d\\x00_\\x004\\x00_\\x00l\\x00u\\x00i\\x00d\\x00_\\x000\\x00x\\x000\\x000\\x000\\x000\\x000\\x000\\x000\\x000\\x00_\\x000\\x00x\\x000\\x000\\x000\\x000\\x006\\x001\\x006\\x00A\\x00_\\x00p\\x00h\\x00y\\x00s\\x00_\\x000\\x00_\\x00e\\x00n\\x00g\\x00_\\x000\\x00_\\x00e\\x00n\\x00g\\x00t\\x00y\\x00p\\x00e\\x00_\\x003\\x00D\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x01\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x98\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x88\\x00\\x00\\x00\\x01\\x00\\x00\\x00p\\x00i\\x00d\\x00_\\x004\\x00_\\x00l\\x00u\\x00i\\x00d\\x00_\\x000\\x00x\\x000\\x000\\x000\\x000\\x000\\x000\\x000\\x00"
              }
            ],
            "repeated": 0,
            "id": 26142
          },
          {
            "timestamp": "2026-05-28 22:03:01,568",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c38f8",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a60"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001410",
                "pretty_value": "PROCESS_VM_READ|PROCESS_QUERY_INFORMATION|PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "9716"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe"
              }
            ],
            "repeated": 0,
            "id": 26143
          },
          {
            "timestamp": "2026-05-28 22:03:01,568",
            "thread_id": "5448",
            "caller": "0x7ff6c28c53e5",
            "parentcaller": "0x7ff6c28c3945",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a60"
              },
              {
                "name": "BaseAddress",
                "value": "0x9b1b155000"
              },
              {
                "name": "Size",
                "value": "0x000007c8"
              },
              {
                "name": "Buffer",
                "value": "\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\xdf\\x99\\xf6\\x7f\\x00\\x00\\xc0\\xc4\\x13x\\xfc\\x7f\\x00\\x00\\xc0\\x1a\\xe4$\\xf3\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xe4$\\xf3\\x01\\x00\\x00\\xe0\\xc0\\x13x\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00p\\x003v\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xe0$\\xf3\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00@\\xc4\\x13x\\xfc\\x7f\\x00\\x00\\xff\\xff?\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xeb\\xb6\\xf4}\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00P\\x07\\xeb\\xb6\\xf4}\\x00\\x00\\x00\\x00\\xff\\xb8\\xf5}\\x00\\x00(\\x02\\x00\\xb9\\xf5}\\x00\\x00P\\x06\\x01\\xb9\\xf5}\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x80\\x9b\\x07m\\xe8\\xff\\xff\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x00 \\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\x05\\x00\\x00\\x00\\x10\\x00\\x00\\x00@\\xad\\x13x\\xfc\\x7f\\x00\\x00\\x00\\x00%%\\xf3\\x01\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 26144
          },
          {
            "timestamp": "2026-05-28 22:03:01,568",
            "thread_id": "5448",
            "caller": "0x7ff6c28c5414",
            "parentcaller": "0x7ff6c28c3945",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a60"
              },
              {
                "name": "BaseAddress",
                "value": "0x1f324e41ac0"
              },
              {
                "name": "Size",
                "value": "0x00000440"
              },
              {
                "name": "Buffer",
                "value": "p\\x07\\x00\\x00p\\x07\\x00\\x00\\x01@\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00(\\x00\\x08\\x02\\x00\\x00\\x00\\x00\\x90&\\xe4$\\xf3\\x01\\x00\\x00@\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00>\\x00@\\x00\\x00\\x00\\x00\\x00\\x08!\\xe4$\\xf3\\x01\\x00\\x00\\xa2\\x00\\xa4\\x00\\x00\\x00\\x00\\x00H!\\xe4$\\xf3\\x01\\x00\\x00\\xe0\\x0f\\xe4$\\xf3\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x80\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00>\\x00@\\x00\\x00\\x00\\x00\\x00\\xec!\\xe4$\\xf3\\x01\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00,\"\\xe4$\\xf3\\x01\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00.\"\\xe4$\\xf3\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 26145
          },
          {
            "timestamp": "2026-05-28 22:03:01,568",
            "thread_id": "5448",
            "caller": "0x7ff6c28c545d",
            "parentcaller": "0x7ff6c28c3945",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a60"
              },
              {
                "name": "BaseAddress",
                "value": "0x1f324e42148"
              },
              {
                "name": "Size",
                "value": "0x000000a2"
              },
              {
                "name": "Buffer",
                "value": "C\\x00:\\x00\\\\x00W\\x00i\\x00n\\x00d\\x00o\\x00w\\x00s\\x00\\\\x00s\\x00y\\x00s\\x00t\\x00e\\x00m\\x003\\x002\\x00\\\\x00D\\x00l\\x00l\\x00H\\x00o\\x00s\\x00t\\x00.\\x00e\\x00x\\x00e\\x00 \\x00/\\x00P\\x00r\\x00o\\x00c\\x00e\\x00s\\x00s\\x00i\\x00d\\x00:\\x00{\\x003\\x003\\x008\\x00B\\x004\\x000\\x00F\\x009\\x00-\\x009\\x00D\\x006\\x008\\x00-\\x004\\x00B\\x005\\x003\\x00-\\x00A\\x007\\x009\\x003\\x00-\\x006\\x00B\\x009\\x00A\\x00A\\x000\\x00C\\x005\\x00F\\x006\\x003\\x00B\\x00}\\x00"
              }
            ],
            "repeated": 0,
            "id": 26146
          },
          {
            "timestamp": "2026-05-28 22:03:01,568",
            "thread_id": "5448",
            "caller": "0x7ff6c28c39ad",
            "parentcaller": "0x7ff6c28c31bb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a60"
              }
            ],
            "repeated": 0,
            "id": 26147
          },
          {
            "timestamp": "2026-05-28 22:03:01,568",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c3746",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a60"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001000",
                "pretty_value": "PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "9716"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe"
              }
            ],
            "repeated": 0,
            "id": 26148
          },
          {
            "timestamp": "2026-05-28 22:03:01,568",
            "thread_id": "5448",
            "caller": "0x7ff6c28c472e",
            "parentcaller": "0x7ff6c28c375e",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a60"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x00000a54"
              }
            ],
            "repeated": 0,
            "id": 26149
          },
          {
            "timestamp": "2026-05-28 22:03:01,568",
            "thread_id": "5448",
            "caller": "0x7ff6c28c4764",
            "parentcaller": "0x7ff6c28c375e",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "39"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 26150
          },
          {
            "timestamp": "2026-05-28 22:03:01,568",
            "thread_id": "5448",
            "caller": "0x7ff6c28c47ed",
            "parentcaller": "0x7ff6c28c375e",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "39"
              },
              {
                "name": "TokenInformation",
                "value": "\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\xd0u+T\\x92\\x02\\x00\\x00 \\x00 \\x00\\x00\\x00\\x00\\x00\\xf8u+T\\x92\\x02\\x00\\x00\\x02\\x00\\x00\\x00A\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x18v+T\\x92\\x02\\x00\\x00T\\x00S\\x00A\\x00:\\x00/\\x00/\\x00P\\x00r\\x00o\\x00c\\x00U\\x00n\\x00i\\x00q\\x00u\\x00e\\x00\\xb3\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xdd\\xad\\x0b\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 26151
          },
          {
            "timestamp": "2026-05-28 22:03:01,568",
            "thread_id": "5448",
            "caller": "0x7ff6c28c488d",
            "parentcaller": "0x7ff6c28c375e",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a54"
              }
            ],
            "repeated": 0,
            "id": 26152
          },
          {
            "timestamp": "2026-05-28 22:03:01,568",
            "thread_id": "5448",
            "caller": "0x7ff6c28c3779",
            "parentcaller": "0x7ff6c28c31c6",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a60"
              }
            ],
            "repeated": 0,
            "id": 26153
          },
          {
            "timestamp": "2026-05-28 22:03:01,568",
            "thread_id": "2700",
            "caller": "0x7ff6c28d9214",
            "parentcaller": "0x00000000",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "0",
                "pretty_value": "ThreadBasicInformation"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x03\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xd0\\x86\\x9d\\xf0\\x00\\x00\\x00\\xe8\\x1e\\x00\\x00\\x00\\x00\\x00\\x00\\x8c\n\\x00\\x00\\x00\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\n\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "2700"
              }
            ],
            "repeated": 0,
            "id": 26154
          },
          {
            "timestamp": "2026-05-28 22:03:01,568",
            "thread_id": "2700",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000000",
                "pretty_value": "HKEY_CLASSES_ROOT"
              },
              {
                "name": "SubKey",
                "value": "CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_CLASSES_ROOT\\CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              }
            ],
            "repeated": 0,
            "id": 26155
          },
          {
            "timestamp": "2026-05-28 22:03:01,568",
            "thread_id": "2700",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "shell32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76730000"
              }
            ],
            "repeated": 0,
            "id": 26156
          },
          {
            "timestamp": "2026-05-28 22:03:01,568",
            "thread_id": "2700",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x7ffc76730000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "shell32.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 26157
          },
          {
            "timestamp": "2026-05-28 22:03:01,568",
            "thread_id": "2700",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "SHELL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc76730000"
              },
              {
                "name": "FunctionName",
                "value": "DllGetClassObject"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc767878f0"
              }
            ],
            "repeated": 0,
            "id": 26158
          },
          {
            "timestamp": "2026-05-28 22:03:01,568",
            "thread_id": "2700",
            "caller": "0x7ff6c28c27c9",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "synchronization",
            "api": "NtFindAtom",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "AtomName",
                "value": "{57086C23-86C6-478F-AFB2-236188C8F47F} 3"
              },
              {
                "name": "Atom",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 26159
          },
          {
            "timestamp": "2026-05-28 22:03:01,568",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6fb1",
            "parentcaller": "0x7ff6c28e0076",
            "category": "system",
            "api": "NtDelayExecution",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 26160
          },
          {
            "timestamp": "2026-05-28 22:03:01,568",
            "thread_id": "2700",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000000",
                "pretty_value": "HKEY_CLASSES_ROOT"
              },
              {
                "name": "SubKey",
                "value": "CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_CLASSES_ROOT\\CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              }
            ],
            "repeated": 0,
            "id": 26161
          },
          {
            "timestamp": "2026-05-28 22:03:01,568",
            "thread_id": "2700",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "shell32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76730000"
              }
            ],
            "repeated": 0,
            "id": 26162
          },
          {
            "timestamp": "2026-05-28 22:03:01,568",
            "thread_id": "2700",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x7ffc76730000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "shell32.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 26163
          },
          {
            "timestamp": "2026-05-28 22:03:01,568",
            "thread_id": "2700",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "SHELL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc76730000"
              },
              {
                "name": "FunctionName",
                "value": "DllGetClassObject"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc767878f0"
              }
            ],
            "repeated": 0,
            "id": 26164
          },
          {
            "timestamp": "2026-05-28 22:03:01,568",
            "thread_id": "2700",
            "caller": "0x7ff6c28c27c9",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "synchronization",
            "api": "NtFindAtom",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "AtomName",
                "value": "{57086C23-86C6-478F-AFB2-236188C8F47F} 3"
              },
              {
                "name": "Atom",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 26165
          },
          {
            "timestamp": "2026-05-28 22:03:01,568",
            "thread_id": "2700",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000000",
                "pretty_value": "HKEY_CLASSES_ROOT"
              },
              {
                "name": "SubKey",
                "value": "CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_CLASSES_ROOT\\CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              }
            ],
            "repeated": 0,
            "id": 26166
          },
          {
            "timestamp": "2026-05-28 22:03:01,568",
            "thread_id": "2700",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "shell32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76730000"
              }
            ],
            "repeated": 0,
            "id": 26167
          },
          {
            "timestamp": "2026-05-28 22:03:01,568",
            "thread_id": "2700",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x7ffc76730000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "shell32.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 26168
          },
          {
            "timestamp": "2026-05-28 22:03:01,568",
            "thread_id": "2700",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "SHELL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc76730000"
              },
              {
                "name": "FunctionName",
                "value": "DllGetClassObject"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc767878f0"
              }
            ],
            "repeated": 0,
            "id": 26169
          },
          {
            "timestamp": "2026-05-28 22:03:01,568",
            "thread_id": "2700",
            "caller": "0x7ff6c28c27c9",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "synchronization",
            "api": "NtFindAtom",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "AtomName",
                "value": "{57086C23-86C6-478F-AFB2-236188C8F47F} 3"
              },
              {
                "name": "Atom",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 26170
          },
          {
            "timestamp": "2026-05-28 22:03:01,568",
            "thread_id": "2700",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000000",
                "pretty_value": "HKEY_CLASSES_ROOT"
              },
              {
                "name": "SubKey",
                "value": "CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_CLASSES_ROOT\\CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              }
            ],
            "repeated": 0,
            "id": 26171
          },
          {
            "timestamp": "2026-05-28 22:03:01,568",
            "thread_id": "2700",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "shell32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76730000"
              }
            ],
            "repeated": 0,
            "id": 26172
          },
          {
            "timestamp": "2026-05-28 22:03:01,568",
            "thread_id": "2700",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x7ffc76730000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "shell32.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 26173
          },
          {
            "timestamp": "2026-05-28 22:03:01,568",
            "thread_id": "2700",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "SHELL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc76730000"
              },
              {
                "name": "FunctionName",
                "value": "DllGetClassObject"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc767878f0"
              }
            ],
            "repeated": 0,
            "id": 26174
          },
          {
            "timestamp": "2026-05-28 22:03:01,568",
            "thread_id": "2700",
            "caller": "0x7ff6c28c27c9",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "synchronization",
            "api": "NtFindAtom",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "AtomName",
                "value": "{57086C23-86C6-478F-AFB2-236188C8F47F} 3"
              },
              {
                "name": "Atom",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 26175
          },
          {
            "timestamp": "2026-05-28 22:03:01,568",
            "thread_id": "2700",
            "caller": "0x7ff6c28d9322",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "oleaut32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc77330000"
              }
            ],
            "repeated": 0,
            "id": 26176
          },
          {
            "timestamp": "2026-05-28 22:03:01,568",
            "thread_id": "5448",
            "caller": "0x7ff6c28bb952",
            "parentcaller": "0x7ff6c28be837",
            "category": "windows",
            "api": "PostMessageW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "WindowHandle",
                "value": "0x00010402"
              },
              {
                "name": "Message",
                "value": "0x00000464"
              }
            ],
            "repeated": 0,
            "id": 26177
          },
          {
            "timestamp": "2026-05-28 22:03:01,568",
            "thread_id": "5448",
            "caller": "0x7ff6c28be873",
            "parentcaller": "0x7ff6c28d9f92",
            "category": "windows",
            "api": "PostMessageW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "WindowHandle",
                "value": "0x000203fa"
              },
              {
                "name": "Message",
                "value": "0x000004dd"
              }
            ],
            "repeated": 0,
            "id": 26178
          },
          {
            "timestamp": "2026-05-28 22:03:01,568",
            "thread_id": "608",
            "caller": "0x7ff6c28d9e90",
            "parentcaller": "0x7ff6c28d9a49",
            "category": "windows",
            "api": "FindWindowW",
            "status": true,
            "return": "0x00010092",
            "arguments": [
              {
                "name": "ClassName",
                "value": "Shell_TrayWnd"
              },
              {
                "name": "WindowName",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 26179
          },
          {
            "timestamp": "2026-05-28 22:03:01,568",
            "thread_id": "2700",
            "caller": "0x7ffc77bf0e98",
            "parentcaller": "0x7ffc77c6b785",
            "category": "windows",
            "api": "PostMessageW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "WindowHandle",
                "value": "0x00010438"
              },
              {
                "name": "Message",
                "value": "0x00000400"
              }
            ],
            "repeated": 0,
            "id": 26180
          },
          {
            "timestamp": "2026-05-28 22:03:02,521",
            "thread_id": "5448",
            "caller": "0x7ff6c28bd9af",
            "parentcaller": "0x7ff6c28d9f92",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "23"
              },
              {
                "name": "ThreadInformation",
                "value": "\\xfeG\\x97{\\x00\\x00\\x00\\x00\\x8a\\x83\\xf9\\xe5v\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "5448"
              }
            ],
            "repeated": 0,
            "id": 26181
          },
          {
            "timestamp": "2026-05-28 22:03:02,521",
            "thread_id": "8604",
            "caller": "0x7ff6c28c4a58",
            "parentcaller": "0x7ff6c28bab11",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000410"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\PcwDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00224013"
              },
              {
                "name": "InputBuffer",
                "value": "\\x88\\x08\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": "x\\x02\\x00\\x00\\x10\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00h\\x02\\x00\\x00 \\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01<\\x06\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x90\\x00\\x00\\x00\\x00\\x00\\x00\\x00 \\x00\\x00\\x00\\x07\\x00\\x00\\x000\\x00,\\x000\\x00\\x00\\x00a\\x00n\\x00a\\x00g\\x00\\x10\\x00\\x00\\x00\\x10\\x00\\x04\\x00\\x00\\x00\\x00\\x00A\\x00p\\x00\\x10\\x00\\x00\\x00\\x1a\\x00\\x08\\x00\\x80\\x91zM\\x01\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x1b\\x00\\x04\\x00\\x90\\xfd\\xf4\\x04S\\x00e\\x00\\x10\\x00\\x00\\x00\\x1c\\x00\\x08\\x00\\x8b\\xc2\\xc4\\x08\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x1d\\x00\\x04\\x00\\x90\\xfd\\xf4\\x04)\\x00\\x00\\x00\\x10\\x00\\x00\\x00!\\x00\\x08\\x00p&\\x07\\x040\\x00\\x00\\x00\\x10\\x00\\x00\\x00\"\\x00\\x04\\x00\\xa8\\xb4U\\x03o\\x00f\\x00\\x90\\x00\\x00\\x00\\x01\\x00\\x00\\x00 \\x00\\x00\\x00\\x07\\x00\\x00\\x000\\x00,\\x001\\x00\\x00\\x00n\\x00t\\x00\\x00\\x00A\\x00\\x10\\x00\\x00\\x00\\x10\\x00\\x04\\x00\\x00\\x00\\x00\\x00e\\x00n\\x00\\x10\\x00\\x00\\x00\\x1a\\x00\\x08\\x00\\xa4\\xb9\\xe6R\\x01\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 26182
          },
          {
            "timestamp": "2026-05-28 22:03:02,521",
            "thread_id": "8604",
            "caller": "0x7ff6c28c7164",
            "parentcaller": "0x7ff6c28c4d2d",
            "category": "misc",
            "api": "NtQuerySystemInformation",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "SystemInformationClass",
                "value": "79"
              }
            ],
            "repeated": 0,
            "id": 26183
          },
          {
            "timestamp": "2026-05-28 22:03:02,521",
            "thread_id": "8604",
            "caller": "0x7ff6c28c71d8",
            "parentcaller": "0x7ff6c28c4d2d",
            "category": "misc",
            "api": "NtQuerySystemInformation",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SystemInformationClass",
                "value": "79"
              }
            ],
            "repeated": 0,
            "id": 26184
          },
          {
            "timestamp": "2026-05-28 22:03:02,521",
            "thread_id": "8604",
            "caller": "0x7ff6c28c4d5f",
            "parentcaller": "0x7ff6c28d9152",
            "category": "misc",
            "api": "NtQuerySystemInformation",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SystemInformationClass",
                "value": "182"
              }
            ],
            "repeated": 0,
            "id": 26185
          },
          {
            "timestamp": "2026-05-28 22:03:02,521",
            "thread_id": "8604",
            "caller": "0x7ff6c28c4d76",
            "parentcaller": "0x7ff6c28d9152",
            "category": "misc",
            "api": "GetPhysicallyInstalledSystemMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TotalMemoryInKilobytes",
                "value": "8388608"
              }
            ],
            "repeated": 0,
            "id": 26186
          },
          {
            "timestamp": "2026-05-28 22:03:02,521",
            "thread_id": "8604",
            "caller": "0x7ff6c28bcc3e",
            "parentcaller": "0x7ff6c28baa3d",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000008a4"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\Nsi"
              },
              {
                "name": "IoControlCode",
                "value": "0x00120007"
              },
              {
                "name": "InputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb1\\xa9t\\xfc\\x7f\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xc0\\xe5O\\x9e\\xf0\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb1\\xa9t\\xfc\\x7f\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xc0\\xe5O\\x9e\\xf0\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 26187
          },
          {
            "timestamp": "2026-05-28 22:03:02,521",
            "thread_id": "8604",
            "caller": "0x7ff6c28bcc3e",
            "parentcaller": "0x7ff6c28baa3d",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000ad8"
              }
            ],
            "repeated": 0,
            "id": 26188
          },
          {
            "timestamp": "2026-05-28 22:03:02,521",
            "thread_id": "8604",
            "caller": "0x7ff6c28bcc3e",
            "parentcaller": "0x7ff6c28baa3d",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000008a4"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\Nsi"
              },
              {
                "name": "IoControlCode",
                "value": "0x0012000f"
              },
              {
                "name": "InputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb1\\xa9t\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xd0\\xe5O\\x9e\\xf0\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\xeeO\\x9e\\xf0\\x00\\x00\\x00D\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xe6O\\x9e\\xf0\\x00\\x00\\x00\\xd8\\x00\\x00\\x00\\x00\\x00\\x00\\x00 \\xe9O\\x9e\\xf0\\x00\\x00\\x00X\\x02\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb1\\xa9t\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xd0\\xe5O\\x9e\\xf0\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\xeeO\\x9e\\xf0\\x00\\x00\\x00D\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xe6O\\x9e\\xf0\\x00\\x00\\x00\\xd8\\x00\\x00\\x00\\x00\\x00\\x00\\x00 \\xe9O\\x9e\\xf0\\x00\\x00\\x00X\\x02\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 26189
          },
          {
            "timestamp": "2026-05-28 22:03:02,521",
            "thread_id": "8604",
            "caller": "0x7ff6c28bcc3e",
            "parentcaller": "0x7ff6c28baa3d",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000ad8"
              }
            ],
            "repeated": 0,
            "id": 26190
          },
          {
            "timestamp": "2026-05-28 22:03:02,521",
            "thread_id": "8604",
            "caller": "0x7ff6c28bcd3d",
            "parentcaller": "0x7ff6c28baa3d",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000ad8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0012019f",
                "pretty_value": "FILE_GENERIC_READ|FILE_GENERIC_WRITE"
              },
              {
                "name": "FileName",
                "value": "\\Device\\{4C572733-2FBA-4346-9601-F86DBA666EF2}"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 26191
          },
          {
            "timestamp": "2026-05-28 22:03:02,521",
            "thread_id": "8604",
            "caller": "0x7ff6c28bcd94",
            "parentcaller": "0x7ff6c28baa3d",
            "category": "device",
            "api": "DeviceIoControl",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "DeviceHandle",
                "value": "0x00000ad8"
              },
              {
                "name": "IoControlCode",
                "value": "0x0017003e"
              },
              {
                "name": "InBuffer",
                "value": "\\x07\\x01\\x01\\x00\\x04\\x01\\x01\\x80\\x14\\x01\\x01\\x80\\x01\\x01\\x02\\x00\\x02\\x01\\x02\\x00\\x03\\x01\\x02\\x00\\x04\\x01\\x02\\x00\\x08\\x02\\x02\\x80\\x01\\x02\\x02\\x80\\x07\\x02\\x02\\x80\\xff\\xff\\xff\\x80\\x13\\x02\\x02\\x80\\x14\\x02\\x02\\x80\\x15\\x02\\x02\\x80\\x02\\x02\\x01\\x80"
              },
              {
                "name": "OutBuffer",
                "value": "\\x07\\x01\\x01\\x00\\x04\\x00\\x00\\x00\\x80\\x96\\x98\\x00\\x04\\x01\\x01\\x80\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x14\\x01\\x01\\x80\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x01\\x02\\x00\\x08\\x00\\x00\\x00\\x92\\x18\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x01\\x02\\x00\\x08\\x00\\x00\\x00\\xc5s\\x00\\x00\\x00\\x00\\x00\\x00\\x03\\x01\\x02\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x04\\x01\\x02\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x08\\x02\\x02\\x80\\x08\\x00\\x00\\x00\\xc0s\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x02\\x02\\x80\\x08\\x00\\x00\\x00\\xf4\\x98g\\x00\\x00\\x00\\x00\\x00\\x07\\x02\\x02\\x80\\x08\\x00\\x00\\x00\\x1eyC\\x02\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\x80\\x04\\x00\\x00\\x00\\x80\\x00\\x00\\x00\\x13\\x02\\x02\\x80\\x04\\x00\\x00\\x00m\\x00\\x00\\x00\\x14\\x02\\x02\\x80\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x15\\x02\\x02\\x80\\x04\\x00\\x00\\x00\\x00\\x00\\x04\\x00\\x02\\x02\\x01\\x80\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 26192
          },
          {
            "timestamp": "2026-05-28 22:03:02,521",
            "thread_id": "8604",
            "caller": "0x7ff6c28bcdab",
            "parentcaller": "0x7ff6c28baa3d",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000ad8"
              }
            ],
            "repeated": 0,
            "id": 26193
          },
          {
            "timestamp": "2026-05-28 22:03:02,521",
            "thread_id": "8604",
            "caller": "0x7ff6c28c1a63",
            "parentcaller": "0x7ff6c28d9152",
            "category": "device",
            "api": "DeviceIoControl",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "DeviceHandle",
                "value": "0x0000089c"
              },
              {
                "name": "IoControlCode",
                "value": "0x00070020"
              },
              {
                "name": "InBuffer",
                "value": ""
              },
              {
                "name": "OutBuffer",
                "value": "\\x00\\xacD{\\x00\\x00\\x00\\x00\\x00\\xf4-\r\\x00\\x00\\x00\\x00q}\\xd9 \\x00\\x00\\x00\\x00\\x98\\xbb\\xc1\\x16\\x00\\x00\\x00\\x00V\\xc8\\xea9\\x00\\x00\\x00\\x00Hx\\x00\\x00\\xfa\\x12\\x00\\x00\\x00\\x00\\x00\\x00\\x18\\x05\\x00\\x00\\x01\\x80\\xe5\\xc0\\xed\\xee\\xdc\\x01\\x00\\x00\\x00\\x00P\\x00a\\x00r\\x00t\\x00m\\x00g\\x00r\\x00 \\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 26194
          },
          {
            "timestamp": "2026-05-28 22:03:02,521",
            "thread_id": "8604",
            "caller": "0x7ff6c28ca352",
            "parentcaller": "0x7ff6c28ca1d6",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 26195
          },
          {
            "timestamp": "2026-05-28 22:03:02,521",
            "thread_id": "8604",
            "caller": "0x7ff6c28ca352",
            "parentcaller": "0x7ff6c28ca1d6",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "0",
                "pretty_value": "ThreadBasicInformation"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x03\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb0\\x88\\x9d\\xf0\\x00\\x00\\x00\\xe8\\x1e\\x00\\x00\\x00\\x00\\x00\\x00\\x9c!\\x00\\x00\\x00\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x0b\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "8604"
              }
            ],
            "repeated": 0,
            "id": 26196
          },
          {
            "timestamp": "2026-05-28 22:03:02,521",
            "thread_id": "8604",
            "caller": "0x7ff6c28ca352",
            "parentcaller": "0x7ff6c28ca1d6",
            "category": "system",
            "api": "GetSystemTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 1,
            "id": 26197
          },
          {
            "timestamp": "2026-05-28 22:03:02,521",
            "thread_id": "8604",
            "caller": "0x7ff6c28ca352",
            "parentcaller": "0x7ff6c28ca1d6",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000410"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\PcwDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00224013"
              },
              {
                "name": "InputBuffer",
                "value": "\\x00\t\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": "\\xe0G\\x00\\x00\\x10\\x00\\x00\\x00\\x0c\\x00\\x00\\x00\\x00\\x00\\x00\\x00`\\x14\\x00\\x00 \\x00\\x00\\x00!\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\n\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x98\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x88\\x00\\x00\\x00\\x01\\x00\\x00\\x00p\\x00i\\x00d\\x00_\\x004\\x00_\\x00l\\x00u\\x00i\\x00d\\x00_\\x000\\x00x\\x000\\x000\\x000\\x000\\x000\\x000\\x000\\x000\\x00_\\x000\\x00x\\x000\\x000\\x000\\x000\\x006\\x001\\x006\\x00A\\x00_\\x00p\\x00h\\x00y\\x00s\\x00_\\x000\\x00_\\x00e\\x00n\\x00g\\x00_\\x000\\x00_\\x00e\\x00n\\x00g\\x00t\\x00y\\x00p\\x00e\\x00_\\x003\\x00D\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x01\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x98\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x88\\x00\\x00\\x00\\x01\\x00\\x00\\x00p\\x00i\\x00d\\x00_\\x004\\x00_\\x00l\\x00u\\x00i\\x00d\\x00_\\x000\\x00x\\x000\\x000\\x000\\x000\\x000\\x000\\x000\\x00"
              }
            ],
            "repeated": 0,
            "id": 26198
          },
          {
            "timestamp": "2026-05-28 22:03:02,521",
            "thread_id": "2700",
            "caller": "0x7ffc77bf0e98",
            "parentcaller": "0x7ffc77c6b785",
            "category": "windows",
            "api": "PostMessageW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "WindowHandle",
                "value": "0x00010424"
              },
              {
                "name": "Message",
                "value": "0x00000400"
              }
            ],
            "repeated": 0,
            "id": 26199
          },
          {
            "timestamp": "2026-05-28 22:03:02,521",
            "thread_id": "5448",
            "caller": "0x7ff6c28c63dd",
            "parentcaller": "0x7ff6c28bac26",
            "category": "misc",
            "api": "NtQuerySystemInformation",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SystemInformationClass",
                "value": "5",
                "pretty_value": "SystemProcessInformation"
              }
            ],
            "repeated": 0,
            "id": 26200
          },
          {
            "timestamp": "2026-05-28 22:03:02,521",
            "thread_id": "5448",
            "caller": "0x7ff6c28bda50",
            "parentcaller": "0x7ff6c28d9f92",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "23"
              },
              {
                "name": "ThreadInformation",
                "value": "F\\xf5\\xdb{\\x00\\x00\\x00\\x00j\\xdd?\\xe6v\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "5448"
              }
            ],
            "repeated": 0,
            "id": 26201
          },
          {
            "timestamp": "2026-05-28 22:03:02,521",
            "thread_id": "5448",
            "caller": "0x7ff6c28bdaa2",
            "parentcaller": "0x7ff6c28d9f92",
            "category": "misc",
            "api": "NtQuerySystemInformation",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SystemInformationClass",
                "value": "3",
                "pretty_value": "SystemTimeOfDayInformation"
              }
            ],
            "repeated": 0,
            "id": 26202
          },
          {
            "timestamp": "2026-05-28 22:03:02,521",
            "thread_id": "5448",
            "caller": "0x7ff6c28c4a58",
            "parentcaller": "0x7ff6c28c4bdc",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000410"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\PcwDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00224013"
              },
              {
                "name": "InputBuffer",
                "value": "\\x14\\x04\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": "\\xb8\\x01\\x00\\x00\\x10\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xa8\\x01\\x00\\x00 \\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x000\\x00\\x00\\x0c\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00`\\x00\\x00\\x00\\x00\\x00\\x00\\x00 \\x00\\x00\\x00\\x04\\x00\\x00\\x000\\x00,\\x000\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x04\\x00\\x08\\x00V!\\x83\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x05\\x00\\x08\\x00\\xb0\\xb0\\xb6\\x01\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x1a\\x00\\x08\\x00\\x9d\\xca{M\\x01\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x1b\\x00\\x04\\x00\\xb1\\x00\\xf5\\x04\\x00\\x00\\x00\\x00`\\x00\\x00\\x00\\x01\\x00\\x00\\x00 \\x00\\x00\\x00\\x04\\x00\\x00\\x000\\x00,\\x001\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x04\\x00\\x08\\x00\\xaey^\\x01\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x05\\x00\\x08\\x00\\xaeL-\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x1a\\x00\\x08\\x00\\xd3\\xf1\\xe7R\\x01\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x1b\\x00\\x04\\x00\\xb6\\x00\\xf5\\x04\\x00\\x00\\x00\\x00h\\x00\\x00\\x00\\x02\\x00\\x00\\x00(\\x00\\x00\\x00\\x04\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 26203
          },
          {
            "timestamp": "2026-05-28 22:03:02,521",
            "thread_id": "5448",
            "caller": "0x7ff6c28c4a58",
            "parentcaller": "0x7ff6c28c4c19",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000410"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\PcwDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00224013"
              },
              {
                "name": "InputBuffer",
                "value": "\\x18\\x04\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": "x\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00h\\x00\\x00\\x00 \\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00H\\x00\\x00\\x00\\x00\\x00\\x00\\x00(\\x00\\x00\\x00\\x02\\x00\\x00\\x00d\\x00e\\x00f\\x00a\\x00u\\x00l\\x00t\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x08\\x00\\x1bv*\\xa6\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x01\\x00\\x08\\x00\\x00\\xf4\\x0b\\x0f\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 26204
          },
          {
            "timestamp": "2026-05-28 22:03:02,521",
            "thread_id": "5448",
            "caller": "0x7ff6c28c6f7b",
            "parentcaller": "0x7ff6c28bdb94",
            "category": "misc",
            "api": "GlobalMemoryStatusEx",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "MemoryLoad",
                "value": "31"
              },
              {
                "name": "TotalPhysicalMB",
                "value": "8191"
              }
            ],
            "repeated": 0,
            "id": 26205
          },
          {
            "timestamp": "2026-05-28 22:03:02,521",
            "thread_id": "5448",
            "caller": "0x7ff6c28c05ac",
            "parentcaller": "0x7ff6c28bdc11",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a60"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001400",
                "pretty_value": "PROCESS_QUERY_INFORMATION|PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "748"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe"
              }
            ],
            "repeated": 0,
            "id": 26206
          },
          {
            "timestamp": "2026-05-28 22:03:02,521",
            "thread_id": "5448",
            "caller": "0x7ff6c28c068f",
            "parentcaller": "0x7ff6c28bdc11",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a60"
              }
            ],
            "repeated": 0,
            "id": 26207
          },
          {
            "timestamp": "2026-05-28 22:03:02,521",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c6d7d",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a60"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001400",
                "pretty_value": "PROCESS_QUERY_INFORMATION|PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "748"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe"
              }
            ],
            "repeated": 0,
            "id": 26208
          },
          {
            "timestamp": "2026-05-28 22:03:02,521",
            "thread_id": "5448",
            "caller": "0x7ff6c28c6de3",
            "parentcaller": "0x7ff6c28c087c",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a60"
              }
            ],
            "repeated": 0,
            "id": 26209
          },
          {
            "timestamp": "2026-05-28 22:03:02,553",
            "thread_id": "5448",
            "caller": "0x7ff6c28c05ac",
            "parentcaller": "0x7ff6c28bdc11",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a60"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001400",
                "pretty_value": "PROCESS_QUERY_INFORMATION|PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "4608"
              },
              {
                "name": "ProcessName",
                "value": "C:\\_a4sjgfa\\bin\\GGsGuLID.exe"
              }
            ],
            "repeated": 0,
            "id": 26210
          },
          {
            "timestamp": "2026-05-28 22:03:02,553",
            "thread_id": "5448",
            "caller": "0x7ff6c28c068f",
            "parentcaller": "0x7ff6c28bdc11",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a60"
              }
            ],
            "repeated": 0,
            "id": 26211
          },
          {
            "timestamp": "2026-05-28 22:03:02,553",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c3e56",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a60"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001000",
                "pretty_value": "PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "4608"
              },
              {
                "name": "ProcessName",
                "value": "C:\\_a4sjgfa\\bin\\GGsGuLID.exe"
              }
            ],
            "repeated": 0,
            "id": 26212
          },
          {
            "timestamp": "2026-05-28 22:03:02,553",
            "thread_id": "5448",
            "caller": "0x7ff6c28c3ebb",
            "parentcaller": "0x7ff6c28c2d53",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a60"
              }
            ],
            "repeated": 0,
            "id": 26213
          },
          {
            "timestamp": "2026-05-28 22:03:02,553",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c3ffc",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a60"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001000",
                "pretty_value": "PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "4608"
              },
              {
                "name": "ProcessName",
                "value": "C:\\_a4sjgfa\\bin\\GGsGuLID.exe"
              }
            ],
            "repeated": 0,
            "id": 26214
          },
          {
            "timestamp": "2026-05-28 22:03:02,553",
            "thread_id": "5448",
            "caller": "0x7ff6c28c4224",
            "parentcaller": "0x7ff6c28c2da5",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a60"
              }
            ],
            "repeated": 0,
            "id": 26215
          },
          {
            "timestamp": "2026-05-28 22:03:02,553",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a60"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000400",
                "pretty_value": "PROCESS_QUERY_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "7912"
              }
            ],
            "repeated": 0,
            "id": 26216
          },
          {
            "timestamp": "2026-05-28 22:03:02,553",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x00000a54"
              }
            ],
            "repeated": 0,
            "id": 26217
          },
          {
            "timestamp": "2026-05-28 22:03:02,553",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "`\\xd8\\xdf\\x9d\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\xe9\\x03\\x00\\x00\\xfc\\x7f\\x00\\x00`^\\xe8S\\x92\\x02\\x00\\x00\\xe0\\xde\\xdf\\x9d\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xa5\\x00\\x00\\x00\\x00\\x00\\x00\\x00H\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 26218
          },
          {
            "timestamp": "2026-05-28 22:03:02,553",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "synchronization",
            "api": "NtCreateMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a74"
              },
              {
                "name": "MutexName",
                "value": "Global\\C::Users:admin:AppData:Local:Microsoft:Windows:Explorer:iconcache_idx.db!rwReaderRefs"
              },
              {
                "name": "InitialOwner",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 26219
          },
          {
            "timestamp": "2026-05-28 22:03:02,553",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a54"
              }
            ],
            "repeated": 0,
            "id": 26220
          },
          {
            "timestamp": "2026-05-28 22:03:02,553",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a60"
              }
            ],
            "repeated": 0,
            "id": 26221
          },
          {
            "timestamp": "2026-05-28 22:03:02,553",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000808"
              },
              {
                "name": "HandleName",
                "value": "C:\\Users\\admin\\AppData\\Local\\Microsoft\\Windows\\Explorer\\iconcache_idx.db"
              },
              {
                "name": "FileInformationClass",
                "value": "5",
                "pretty_value": "FileStandardInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\x00\\x80\\x00\\x00\\x00\\x00\\x00\\x000r\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 26222
          },
          {
            "timestamp": "2026-05-28 22:03:02,553",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a74"
              }
            ],
            "repeated": 0,
            "id": 26223
          },
          {
            "timestamp": "2026-05-28 22:03:02,553",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a74"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000400",
                "pretty_value": "PROCESS_QUERY_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "7912"
              }
            ],
            "repeated": 0,
            "id": 26224
          },
          {
            "timestamp": "2026-05-28 22:03:02,553",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x00000a60"
              }
            ],
            "repeated": 0,
            "id": 26225
          },
          {
            "timestamp": "2026-05-28 22:03:02,553",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "p\\xd8\\xdf\\x9d\\xf0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\xe9\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xbc\\x07\\x00\\x00\\x00\\x00\\x00\\x00 \\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x02\\x00\\x00\\x00\\x00\\x00\\x00]\\xddmu\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xea5\\x07Ou\\xc0\\x00\\x00\\xe8\\xf6\\x8eT\\x92\\x02\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 26226
          },
          {
            "timestamp": "2026-05-28 22:03:02,553",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "synchronization",
            "api": "NtCreateMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a54"
              },
              {
                "name": "MutexName",
                "value": "Global\\C::Users:admin:AppData:Local:Microsoft:Windows:Explorer:iconcache_idx.db!rwReaderRefs"
              },
              {
                "name": "InitialOwner",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 26227
          },
          {
            "timestamp": "2026-05-28 22:03:02,553",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a60"
              }
            ],
            "repeated": 0,
            "id": 26228
          },
          {
            "timestamp": "2026-05-28 22:03:02,553",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a74"
              }
            ],
            "repeated": 0,
            "id": 26229
          },
          {
            "timestamp": "2026-05-28 22:03:02,553",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a54"
              }
            ],
            "repeated": 0,
            "id": 26230
          },
          {
            "timestamp": "2026-05-28 22:03:02,553",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\_a4sjgfa\\bin\\GGsGuLID.exe"
              }
            ],
            "repeated": 1,
            "id": 26231
          },
          {
            "timestamp": "2026-05-28 22:03:02,553",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x292514c0002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "c:\\_a4sjgfa\\bin\\ggsgulid.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 26232
          },
          {
            "timestamp": "2026-05-28 22:03:02,553",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x292514c0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00030000"
              }
            ],
            "repeated": 0,
            "id": 26233
          },
          {
            "timestamp": "2026-05-28 22:03:02,553",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\imageres.dll"
              }
            ],
            "repeated": 1,
            "id": 26234
          },
          {
            "timestamp": "2026-05-28 22:03:02,553",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x292514c0002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\system32\\imageres.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 26235
          },
          {
            "timestamp": "2026-05-28 22:03:02,553",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "registry",
            "api": "NtOpenKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\en-US"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\en-US"
              }
            ],
            "repeated": 0,
            "id": 26236
          },
          {
            "timestamp": "2026-05-28 22:03:02,553",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000a54"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100001",
                "pretty_value": "FILE_READ_ACCESS|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\en-US\\imageres.dll.mui"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 26237
          },
          {
            "timestamp": "2026-05-28 22:03:02,553",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000a74"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000a54"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\en-US\\imageres.dll.mui"
              }
            ],
            "repeated": 0,
            "id": 26238
          },
          {
            "timestamp": "2026-05-28 22:03:02,553",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000a74"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x292514d0000"
              },
              {
                "name": "SectionOffset",
                "value": "0xf09ddfb7f0"
              },
              {
                "name": "ViewSize",
                "value": "0x00001000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 26239
          },
          {
            "timestamp": "2026-05-28 22:03:02,553",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a74"
              }
            ],
            "repeated": 0,
            "id": 26240
          },
          {
            "timestamp": "2026-05-28 22:03:02,553",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000a74"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100001",
                "pretty_value": "FILE_READ_ACCESS|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\SystemResources\\imageres.dll.mun"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 26241
          },
          {
            "timestamp": "2026-05-28 22:03:02,553",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000a60"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000a74"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\SystemResources\\imageres.dll.mun"
              }
            ],
            "repeated": 0,
            "id": 26242
          },
          {
            "timestamp": "2026-05-28 22:03:02,553",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000a60"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29256120000"
              },
              {
                "name": "SectionOffset",
                "value": "0xf09ddfb7a0"
              },
              {
                "name": "ViewSize",
                "value": "0x013c0000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 26243
          },
          {
            "timestamp": "2026-05-28 22:03:02,553",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a60"
              }
            ],
            "repeated": 0,
            "id": 26244
          },
          {
            "timestamp": "2026-05-28 22:03:02,553",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "misc",
            "api": "FindResourceExW",
            "status": true,
            "return": "0x29256142e40",
            "arguments": [
              {
                "name": "Module",
                "value": "0x292514c0002"
              },
              {
                "name": "Type",
                "value": "#14"
              },
              {
                "name": "Name",
                "value": "#15"
              },
              {
                "name": "Language",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 26245
          },
          {
            "timestamp": "2026-05-28 22:03:02,553",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "misc",
            "api": "LoadResource",
            "status": true,
            "return": "0x292561b6950",
            "arguments": [
              {
                "name": "Module",
                "value": "0x292514c0002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29256142e40"
              }
            ],
            "repeated": 0,
            "id": 26246
          },
          {
            "timestamp": "2026-05-28 22:03:02,553",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "misc",
            "api": "FindResourceExW",
            "status": true,
            "return": "0x29256138940",
            "arguments": [
              {
                "name": "Module",
                "value": "0x292514c0002"
              },
              {
                "name": "Type",
                "value": "#3"
              },
              {
                "name": "Name",
                "value": "#63"
              },
              {
                "name": "Language",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 26247
          },
          {
            "timestamp": "2026-05-28 22:03:02,553",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "misc",
            "api": "SizeofResource",
            "status": true,
            "return": "0x00000468",
            "arguments": [
              {
                "name": "ModuleHandle",
                "value": "0x292514c0002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29256138940"
              }
            ],
            "repeated": 0,
            "id": 26248
          },
          {
            "timestamp": "2026-05-28 22:03:02,553",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "misc",
            "api": "LoadResource",
            "status": true,
            "return": "0x292561b64e8",
            "arguments": [
              {
                "name": "Module",
                "value": "0x292514c0002"
              },
              {
                "name": "ResourceInfo",
                "value": "0x29256138940"
              }
            ],
            "repeated": 0,
            "id": 26249
          },
          {
            "timestamp": "2026-05-28 22:03:02,553",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x29256120000"
              },
              {
                "name": "RegionSize",
                "value": "0x013c0000"
              }
            ],
            "repeated": 0,
            "id": 26250
          },
          {
            "timestamp": "2026-05-28 22:03:02,553",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a74"
              }
            ],
            "repeated": 0,
            "id": 26251
          },
          {
            "timestamp": "2026-05-28 22:03:02,553",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x292514d0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              }
            ],
            "repeated": 0,
            "id": 26252
          },
          {
            "timestamp": "2026-05-28 22:03:02,553",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a54"
              }
            ],
            "repeated": 0,
            "id": 26253
          },
          {
            "timestamp": "2026-05-28 22:03:02,553",
            "thread_id": "5448",
            "caller": "0x7ff6c28c7655",
            "parentcaller": "0x7ff6c28c3cb1",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x292514c0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00003000"
              }
            ],
            "repeated": 0,
            "id": 26254
          },
          {
            "timestamp": "2026-05-28 22:03:02,553",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x292514c0002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\_a4sjgfa\\bin\\GGsGuLID.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 26255
          },
          {
            "timestamp": "2026-05-28 22:03:02,553",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x292514c0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00030000"
              }
            ],
            "repeated": 0,
            "id": 26256
          },
          {
            "timestamp": "2026-05-28 22:03:02,553",
            "thread_id": "5448",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c28c73b3",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000001",
                "pretty_value": "HKEY_CURRENT_USER"
              },
              {
                "name": "SubKey",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume"
              },
              {
                "name": "Handle",
                "value": "0x00000a54"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume"
              }
            ],
            "repeated": 0,
            "id": 26257
          },
          {
            "timestamp": "2026-05-28 22:03:02,553",
            "thread_id": "5448",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c28c73b3",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000a54"
              },
              {
                "name": "SubKey",
                "value": "{528c102f-0000-0000-0000-300300000000}\\"
              },
              {
                "name": "Handle",
                "value": "0x00000a74"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{528c102f-0000-0000-0000-300300000000}\\"
              }
            ],
            "repeated": 0,
            "id": 26258
          },
          {
            "timestamp": "2026-05-28 22:03:02,553",
            "thread_id": "5448",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c28c73b3",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a54"
              }
            ],
            "repeated": 0,
            "id": 26259
          },
          {
            "timestamp": "2026-05-28 22:03:02,553",
            "thread_id": "5448",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c28c73b3",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a74"
              },
              {
                "name": "ValueName",
                "value": "Generation"
              },
              {
                "name": "Data",
                "value": "1"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{528c102f-0000-0000-0000-300300000000}\\Generation"
              }
            ],
            "repeated": 0,
            "id": 26260
          },
          {
            "timestamp": "2026-05-28 22:03:02,553",
            "thread_id": "5448",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c28c73b3",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a74"
              }
            ],
            "repeated": 0,
            "id": 26261
          },
          {
            "timestamp": "2026-05-28 22:03:02,553",
            "thread_id": "5448",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c28c73b3",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000a74"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100081",
                "pretty_value": "FILE_READ_ACCESS|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 26262
          },
          {
            "timestamp": "2026-05-28 22:03:02,553",
            "thread_id": "5448",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c28c73b3",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": false,
            "return": "0xffffffffc000000d",
            "pretty_return": "INVALID_PARAMETER",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000a74"
              },
              {
                "name": "HandleName",
                "value": "C:\\"
              },
              {
                "name": "FileInformationClass",
                "value": "55",
                "pretty_value": "FileReplaceCompletionInformation"
              },
              {
                "name": "FileInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 26263
          },
          {
            "timestamp": "2026-05-28 22:03:02,553",
            "thread_id": "5448",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c28c73b3",
            "category": "filesystem",
            "api": "NtQueryDirectoryFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000a74"
              },
              {
                "name": "FileInformation",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xc0b\\xd5@\\xec\\xee\\xdc\\x01\\xad\\xc9\\x1fA\\xec\\xee\\xdc\\x01\\xad\\xc9\\x1fA\\xec\\xee\\xdc\\x01\\xad\\xc9\\x1fA\\xec\\xee\\xdc\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xd8\\x07\\x02\\x00\\x00\\x00\\x02\\x00_\\x00a\\x004\\x00s\\x00j\\x00g\\x00f\\x00a\\x00"
              },
              {
                "name": "FileName",
                "value": "C:\\_a4sjgfa"
              },
              {
                "name": "FileInformationClass",
                "value": "37",
                "pretty_value": "FileIdBothDirectoryInformation"
              }
            ],
            "repeated": 0,
            "id": 26264
          },
          {
            "timestamp": "2026-05-28 22:03:02,553",
            "thread_id": "5448",
            "caller": "0x7ff6c28de589",
            "parentcaller": "0x7ff6c28c73b3",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a74"
              }
            ],
            "repeated": 0,
            "id": 26265
          },
          {
            "timestamp": "2026-05-28 22:03:02,553",
            "thread_id": "5448",
            "caller": "0x7ff6c28c3b16",
            "parentcaller": "0x7ff6c28c30e8",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a74"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000400",
                "pretty_value": "PROCESS_QUERY_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "4608"
              },
              {
                "name": "ProcessName",
                "value": "C:\\_a4sjgfa\\bin\\GGsGuLID.exe"
              }
            ],
            "repeated": 0,
            "id": 26266
          },
          {
            "timestamp": "2026-05-28 22:03:02,553",
            "thread_id": "5448",
            "caller": "0x7ff6c28c3b8f",
            "parentcaller": "0x7ff6c28c30e8",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a74"
              }
            ],
            "repeated": 0,
            "id": 26267
          },
          {
            "timestamp": "2026-05-28 22:03:02,584",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c38f8",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a74"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001410",
                "pretty_value": "PROCESS_VM_READ|PROCESS_QUERY_INFORMATION|PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "4608"
              },
              {
                "name": "ProcessName",
                "value": "C:\\_a4sjgfa\\bin\\GGsGuLID.exe"
              }
            ],
            "repeated": 0,
            "id": 26268
          },
          {
            "timestamp": "2026-05-28 22:03:02,584",
            "thread_id": "5448",
            "caller": "0x7ff6c28c53e5",
            "parentcaller": "0x7ff6c28c3945",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a74"
              },
              {
                "name": "BaseAddress",
                "value": "0xada5bab000"
              },
              {
                "name": "Size",
                "value": "0x000007c8"
              },
              {
                "name": "Buffer",
                "value": "\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\xbd\\x9b\\xf7\\x7f\\x00\\x00\\xc0\\xc4\\x13x\\xfc\\x7f\\x00\\x00p\\x1c3\\xc6I\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x003\\xc6I\\x02\\x00\\x00\\xe0\\xc0\\x13x\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00p\\x003v\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00-\\xc6I\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00@\\xc4\\x13x\\xfc\\x7f\\x00\\x00\\x17\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00E\\x07\\xf4\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00P\\x07E\\x07\\xf4\\x7f\\x00\\x00\\x00\\x00Y\t\\xf5\\x7f\\x00\\x00(\\x02Z\t\\xf5\\x7f\\x00\\x00P\\x06[\t\\xf5\\x7f\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x80\\x9b\\x07m\\xe8\\xff\\xff\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x00 \\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x10\\x00\\x00\\x00@\\xad\\x13x\\xfc\\x7f\\x00\\x00\\x00\\x00s\\xc6I\\x02\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 26269
          },
          {
            "timestamp": "2026-05-28 22:03:02,584",
            "thread_id": "5448",
            "caller": "0x7ff6c28c5414",
            "parentcaller": "0x7ff6c28c3945",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a74"
              },
              {
                "name": "BaseAddress",
                "value": "0x249c6331c70"
              },
              {
                "name": "Size",
                "value": "0x00000440"
              },
              {
                "name": "Buffer",
                "value": "l\\x07\\x00\\x00l\\x07\\x00\\x00\\x01`\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x18\\x00\\x08\\x02\\x00\\x00\\x00\\x00@(3\\xc6I\\x02\\x00\\x00@\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x008\\x00:\\x00\\x00\\x00\\x00\\x00\\xb8\"3\\xc6I\\x02\\x00\\x00\\x8c\\x00\\x8e\\x00\\x00\\x00\\x00\\x00\\xf2\"3\\xc6I\\x02\\x00\\x00\\xe0\\x0f3\\xc6I\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x008\\x00:\\x00\\x00\\x00\\x00\\x00\\x80#3\\xc6I\\x02\\x00\\x00\\x1e\\x00 \\x00\\x00\\x00\\x00\\x00\\xba#3\\xc6I\\x02\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\xda#3\\xc6I\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 26270
          },
          {
            "timestamp": "2026-05-28 22:03:02,584",
            "thread_id": "5448",
            "caller": "0x7ff6c28c545d",
            "parentcaller": "0x7ff6c28c3945",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a74"
              },
              {
                "name": "BaseAddress",
                "value": "0x249c63322f2"
              },
              {
                "name": "Size",
                "value": "0x0000008c"
              },
              {
                "name": "Buffer",
                "value": "C\\x00:\\x00\\\\x00_\\x00a\\x004\\x00s\\x00j\\x00g\\x00f\\x00a\\x00\\\\x00b\\x00i\\x00n\\x00\\\\x00G\\x00G\\x00s\\x00G\\x00u\\x00L\\x00I\\x00D\\x00.\\x00e\\x00x\\x00e\\x00 \\x00i\\x00n\\x00j\\x00e\\x00c\\x00t\\x00 \\x008\\x001\\x009\\x006\\x00 \\x000\\x00 \\x00C\\x00:\\x00\\\\x00_\\x00a\\x004\\x00s\\x00j\\x00g\\x00f\\x00a\\x00\\\\x00d\\x00l\\x00l\\x00\\\\x00t\\x00H\\x00n\\x00P\\x00b\\x00x\\x00s\\x00.\\x00d\\x00l\\x00l\\x00"
              }
            ],
            "repeated": 0,
            "id": 26271
          },
          {
            "timestamp": "2026-05-28 22:03:02,584",
            "thread_id": "5448",
            "caller": "0x7ff6c28c39ad",
            "parentcaller": "0x7ff6c28c31bb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a74"
              }
            ],
            "repeated": 0,
            "id": 26272
          },
          {
            "timestamp": "2026-05-28 22:03:02,584",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c3746",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a74"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001000",
                "pretty_value": "PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "4608"
              },
              {
                "name": "ProcessName",
                "value": "C:\\_a4sjgfa\\bin\\GGsGuLID.exe"
              }
            ],
            "repeated": 0,
            "id": 26273
          },
          {
            "timestamp": "2026-05-28 22:03:02,584",
            "thread_id": "5448",
            "caller": "0x7ff6c28c472e",
            "parentcaller": "0x7ff6c28c375e",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a74"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x00000a54"
              }
            ],
            "repeated": 0,
            "id": 26274
          },
          {
            "timestamp": "2026-05-28 22:03:02,584",
            "thread_id": "5448",
            "caller": "0x7ff6c28c4764",
            "parentcaller": "0x7ff6c28c375e",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "39"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 26275
          },
          {
            "timestamp": "2026-05-28 22:03:02,584",
            "thread_id": "5448",
            "caller": "0x7ff6c28c47ed",
            "parentcaller": "0x7ff6c28c375e",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "39"
              },
              {
                "name": "TokenInformation",
                "value": "\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x000\\x9d+T\\x92\\x02\\x00\\x00 \\x00 \\x00\\x00\\x00\\x00\\x00X\\x9d+T\\x92\\x02\\x00\\x00\\x02\\x00\\x00\\x00A\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00x\\x9d+T\\x92\\x02\\x00\\x00T\\x00S\\x00A\\x00:\\x00/\\x00/\\x00P\\x00r\\x00o\\x00c\\x00U\\x00n\\x00i\\x00q\\x00u\\x00e\\x00\\xb9\\x00\\x00\\x00\\x00\\x00\\x00\\x00+\\xe8\\x0b\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 26276
          },
          {
            "timestamp": "2026-05-28 22:03:02,584",
            "thread_id": "5448",
            "caller": "0x7ff6c28c488d",
            "parentcaller": "0x7ff6c28c375e",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a54"
              }
            ],
            "repeated": 0,
            "id": 26277
          },
          {
            "timestamp": "2026-05-28 22:03:02,584",
            "thread_id": "5448",
            "caller": "0x7ff6c28c3779",
            "parentcaller": "0x7ff6c28c31c6",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a74"
              }
            ],
            "repeated": 0,
            "id": 26278
          },
          {
            "timestamp": "2026-05-28 22:03:02,584",
            "thread_id": "2700",
            "caller": "0x7ff6c28d9214",
            "parentcaller": "0x00000000",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "0",
                "pretty_value": "ThreadBasicInformation"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x03\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xd0\\x86\\x9d\\xf0\\x00\\x00\\x00\\xe8\\x1e\\x00\\x00\\x00\\x00\\x00\\x00\\x8c\n\\x00\\x00\\x00\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\n\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "2700"
              }
            ],
            "repeated": 0,
            "id": 26279
          },
          {
            "timestamp": "2026-05-28 22:03:02,584",
            "thread_id": "2700",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000000",
                "pretty_value": "HKEY_CLASSES_ROOT"
              },
              {
                "name": "SubKey",
                "value": "CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_CLASSES_ROOT\\CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              }
            ],
            "repeated": 0,
            "id": 26280
          },
          {
            "timestamp": "2026-05-28 22:03:02,584",
            "thread_id": "2700",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "shell32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76730000"
              }
            ],
            "repeated": 0,
            "id": 26281
          },
          {
            "timestamp": "2026-05-28 22:03:02,584",
            "thread_id": "2700",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x7ffc76730000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "shell32.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 26282
          },
          {
            "timestamp": "2026-05-28 22:03:02,584",
            "thread_id": "2700",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "SHELL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc76730000"
              },
              {
                "name": "FunctionName",
                "value": "DllGetClassObject"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc767878f0"
              }
            ],
            "repeated": 0,
            "id": 26283
          },
          {
            "timestamp": "2026-05-28 22:03:02,584",
            "thread_id": "2700",
            "caller": "0x7ff6c28c27c9",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "synchronization",
            "api": "NtFindAtom",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "AtomName",
                "value": "{57086C23-86C6-478F-AFB2-236188C8F47F} 3"
              },
              {
                "name": "Atom",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 26284
          },
          {
            "timestamp": "2026-05-28 22:03:02,584",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6fb1",
            "parentcaller": "0x7ff6c28e0076",
            "category": "system",
            "api": "NtDelayExecution",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 26285
          },
          {
            "timestamp": "2026-05-28 22:03:02,600",
            "thread_id": "2700",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000000",
                "pretty_value": "HKEY_CLASSES_ROOT"
              },
              {
                "name": "SubKey",
                "value": "CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_CLASSES_ROOT\\CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              }
            ],
            "repeated": 0,
            "id": 26286
          },
          {
            "timestamp": "2026-05-28 22:03:02,600",
            "thread_id": "2700",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "shell32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76730000"
              }
            ],
            "repeated": 0,
            "id": 26287
          },
          {
            "timestamp": "2026-05-28 22:03:02,600",
            "thread_id": "2700",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x7ffc76730000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "shell32.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 26288
          },
          {
            "timestamp": "2026-05-28 22:03:02,600",
            "thread_id": "2700",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "SHELL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc76730000"
              },
              {
                "name": "FunctionName",
                "value": "DllGetClassObject"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc767878f0"
              }
            ],
            "repeated": 0,
            "id": 26289
          },
          {
            "timestamp": "2026-05-28 22:03:02,600",
            "thread_id": "2700",
            "caller": "0x7ff6c28c27c9",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "synchronization",
            "api": "NtFindAtom",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "AtomName",
                "value": "{57086C23-86C6-478F-AFB2-236188C8F47F} 3"
              },
              {
                "name": "Atom",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 26290
          },
          {
            "timestamp": "2026-05-28 22:03:02,600",
            "thread_id": "2700",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000000",
                "pretty_value": "HKEY_CLASSES_ROOT"
              },
              {
                "name": "SubKey",
                "value": "CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_CLASSES_ROOT\\CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              }
            ],
            "repeated": 0,
            "id": 26291
          },
          {
            "timestamp": "2026-05-28 22:03:02,600",
            "thread_id": "2700",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "shell32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76730000"
              }
            ],
            "repeated": 0,
            "id": 26292
          },
          {
            "timestamp": "2026-05-28 22:03:02,600",
            "thread_id": "2700",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x7ffc76730000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "shell32.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 26293
          },
          {
            "timestamp": "2026-05-28 22:03:02,600",
            "thread_id": "2700",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "SHELL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc76730000"
              },
              {
                "name": "FunctionName",
                "value": "DllGetClassObject"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc767878f0"
              }
            ],
            "repeated": 0,
            "id": 26294
          },
          {
            "timestamp": "2026-05-28 22:03:02,600",
            "thread_id": "2700",
            "caller": "0x7ff6c28c27c9",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "synchronization",
            "api": "NtFindAtom",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "AtomName",
                "value": "{57086C23-86C6-478F-AFB2-236188C8F47F} 3"
              },
              {
                "name": "Atom",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 26295
          },
          {
            "timestamp": "2026-05-28 22:03:02,600",
            "thread_id": "2700",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000000",
                "pretty_value": "HKEY_CLASSES_ROOT"
              },
              {
                "name": "SubKey",
                "value": "CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_CLASSES_ROOT\\CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              }
            ],
            "repeated": 0,
            "id": 26296
          },
          {
            "timestamp": "2026-05-28 22:03:02,600",
            "thread_id": "2700",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "shell32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76730000"
              }
            ],
            "repeated": 0,
            "id": 26297
          },
          {
            "timestamp": "2026-05-28 22:03:02,600",
            "thread_id": "2700",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x7ffc76730000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "shell32.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 26298
          },
          {
            "timestamp": "2026-05-28 22:03:02,600",
            "thread_id": "2700",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "SHELL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc76730000"
              },
              {
                "name": "FunctionName",
                "value": "DllGetClassObject"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc767878f0"
              }
            ],
            "repeated": 0,
            "id": 26299
          },
          {
            "timestamp": "2026-05-28 22:03:02,600",
            "thread_id": "2700",
            "caller": "0x7ff6c28c27c9",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "synchronization",
            "api": "NtFindAtom",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "AtomName",
                "value": "{57086C23-86C6-478F-AFB2-236188C8F47F} 3"
              },
              {
                "name": "Atom",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 26300
          },
          {
            "timestamp": "2026-05-28 22:03:02,600",
            "thread_id": "2700",
            "caller": "0x7ff6c28d9322",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "oleaut32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc77330000"
              }
            ],
            "repeated": 0,
            "id": 26301
          },
          {
            "timestamp": "2026-05-28 22:03:02,600",
            "thread_id": "5448",
            "caller": "0x7ff6c28bb952",
            "parentcaller": "0x7ff6c28be837",
            "category": "windows",
            "api": "PostMessageW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "WindowHandle",
                "value": "0x00010402"
              },
              {
                "name": "Message",
                "value": "0x00000464"
              }
            ],
            "repeated": 0,
            "id": 26302
          },
          {
            "timestamp": "2026-05-28 22:03:02,600",
            "thread_id": "5448",
            "caller": "0x7ff6c28be873",
            "parentcaller": "0x7ff6c28d9f92",
            "category": "windows",
            "api": "PostMessageW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "WindowHandle",
                "value": "0x000203fa"
              },
              {
                "name": "Message",
                "value": "0x000004dd"
              }
            ],
            "repeated": 0,
            "id": 26303
          },
          {
            "timestamp": "2026-05-28 22:03:02,600",
            "thread_id": "608",
            "caller": "0x7ff6c28d9e90",
            "parentcaller": "0x7ff6c28d9a49",
            "category": "windows",
            "api": "FindWindowW",
            "status": true,
            "return": "0x00010092",
            "arguments": [
              {
                "name": "ClassName",
                "value": "Shell_TrayWnd"
              },
              {
                "name": "WindowName",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 26304
          },
          {
            "timestamp": "2026-05-28 22:03:02,600",
            "thread_id": "2700",
            "caller": "0x7ffc77bf0e98",
            "parentcaller": "0x7ffc77c6b785",
            "category": "windows",
            "api": "PostMessageW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "WindowHandle",
                "value": "0x00010438"
              },
              {
                "name": "Message",
                "value": "0x00000400"
              }
            ],
            "repeated": 0,
            "id": 26305
          },
          {
            "timestamp": "2026-05-28 22:03:03,506",
            "thread_id": "2700",
            "caller": "0x7ffc77bf0e98",
            "parentcaller": "0x7ffc77c6b785",
            "category": "windows",
            "api": "PostMessageW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "WindowHandle",
                "value": "0x00010424"
              },
              {
                "name": "Message",
                "value": "0x00000400"
              }
            ],
            "repeated": 0,
            "id": 26306
          },
          {
            "timestamp": "2026-05-28 22:03:03,521",
            "thread_id": "5448",
            "caller": "0x7ff6c28bd9af",
            "parentcaller": "0x7ff6c28d9f92",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "23"
              },
              {
                "name": "ThreadInformation",
                "value": "\\xfc\\\\x02}\\x00\\x00\\x00\\x00\\x90]\\xb3\\xc1w\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "5448"
              }
            ],
            "repeated": 0,
            "id": 26307
          },
          {
            "timestamp": "2026-05-28 22:03:03,521",
            "thread_id": "8604",
            "caller": "0x7ff6c28c4a58",
            "parentcaller": "0x7ff6c28bab11",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000410"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\PcwDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00224013"
              },
              {
                "name": "InputBuffer",
                "value": "\\x88\\x08\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": "x\\x02\\x00\\x00\\x10\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00h\\x02\\x00\\x00 \\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01<\\x06\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x90\\x00\\x00\\x00\\x00\\x00\\x00\\x00 \\x00\\x00\\x00\\x07\\x00\\x00\\x000\\x00,\\x000\\x00\\x00\\x00a\\x00n\\x00a\\x00g\\x00\\x10\\x00\\x00\\x00\\x10\\x00\\x04\\x00\\x00\\x00\\x00\\x00A\\x00p\\x00\\x10\\x00\\x00\\x00\\x1a\\x00\\x08\\x00\\x86-4Q\\x01\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x1b\\x00\\x04\\x00\\xcd\\x86\\xfe\\x04S\\x00e\\x00\\x10\\x00\\x00\\x00\\x1c\\x00\\x08\\x00\\x8b\\xc2\\xc4\\x08\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x1d\\x00\\x04\\x00\\xcd\\x86\\xfe\\x04)\\x00\\x00\\x00\\x10\\x00\\x00\\x00!\\x00\\x08\\x00\\xf11U\\x8d0\\x00\\x00\\x00\\x10\\x00\\x00\\x00\"\\x00\\x04\\x00\\xe5=_\\x03o\\x00f\\x00\\x90\\x00\\x00\\x00\\x01\\x00\\x00\\x00 \\x00\\x00\\x00\\x07\\x00\\x00\\x000\\x00,\\x001\\x00\\x00\\x00n\\x00t\\x00\\x00\\x00A\\x00\\x10\\x00\\x00\\x00\\x10\\x00\\x04\\x00\\x00\\x00\\x00\\x00e\\x00n\\x00\\x10\\x00\\x00\\x00\\x1a\\x00\\x08\\x00\\xc3T\\xa0V\\x01\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 26308
          },
          {
            "timestamp": "2026-05-28 22:03:03,521",
            "thread_id": "8604",
            "caller": "0x7ff6c28c7164",
            "parentcaller": "0x7ff6c28c4d2d",
            "category": "misc",
            "api": "NtQuerySystemInformation",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "SystemInformationClass",
                "value": "79"
              }
            ],
            "repeated": 0,
            "id": 26309
          },
          {
            "timestamp": "2026-05-28 22:03:03,521",
            "thread_id": "8604",
            "caller": "0x7ff6c28c71d8",
            "parentcaller": "0x7ff6c28c4d2d",
            "category": "misc",
            "api": "NtQuerySystemInformation",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SystemInformationClass",
                "value": "79"
              }
            ],
            "repeated": 0,
            "id": 26310
          },
          {
            "timestamp": "2026-05-28 22:03:03,521",
            "thread_id": "8604",
            "caller": "0x7ff6c28c4d5f",
            "parentcaller": "0x7ff6c28d9152",
            "category": "misc",
            "api": "NtQuerySystemInformation",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SystemInformationClass",
                "value": "182"
              }
            ],
            "repeated": 0,
            "id": 26311
          },
          {
            "timestamp": "2026-05-28 22:03:03,521",
            "thread_id": "8604",
            "caller": "0x7ff6c28c4d76",
            "parentcaller": "0x7ff6c28d9152",
            "category": "misc",
            "api": "GetPhysicallyInstalledSystemMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TotalMemoryInKilobytes",
                "value": "8388608"
              }
            ],
            "repeated": 0,
            "id": 26312
          },
          {
            "timestamp": "2026-05-28 22:03:03,521",
            "thread_id": "8604",
            "caller": "0x7ff6c28bcc3e",
            "parentcaller": "0x7ff6c28baa3d",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000008a4"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\Nsi"
              },
              {
                "name": "IoControlCode",
                "value": "0x00120007"
              },
              {
                "name": "InputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb1\\xa9t\\xfc\\x7f\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xc0\\xe5O\\x9e\\xf0\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb1\\xa9t\\xfc\\x7f\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xc0\\xe5O\\x9e\\xf0\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 26313
          },
          {
            "timestamp": "2026-05-28 22:03:03,521",
            "thread_id": "8604",
            "caller": "0x7ff6c28bcc3e",
            "parentcaller": "0x7ff6c28baa3d",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a74"
              }
            ],
            "repeated": 0,
            "id": 26314
          },
          {
            "timestamp": "2026-05-28 22:03:03,521",
            "thread_id": "8604",
            "caller": "0x7ff6c28bcc3e",
            "parentcaller": "0x7ff6c28baa3d",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000008a4"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\Nsi"
              },
              {
                "name": "IoControlCode",
                "value": "0x0012000f"
              },
              {
                "name": "InputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb1\\xa9t\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xd0\\xe5O\\x9e\\xf0\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\xeeO\\x9e\\xf0\\x00\\x00\\x00D\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xe6O\\x9e\\xf0\\x00\\x00\\x00\\xd8\\x00\\x00\\x00\\x00\\x00\\x00\\x00 \\xe9O\\x9e\\xf0\\x00\\x00\\x00X\\x02\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb1\\xa9t\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xd0\\xe5O\\x9e\\xf0\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\xeeO\\x9e\\xf0\\x00\\x00\\x00D\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xe6O\\x9e\\xf0\\x00\\x00\\x00\\xd8\\x00\\x00\\x00\\x00\\x00\\x00\\x00 \\xe9O\\x9e\\xf0\\x00\\x00\\x00X\\x02\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 26315
          },
          {
            "timestamp": "2026-05-28 22:03:03,521",
            "thread_id": "8604",
            "caller": "0x7ff6c28bcc3e",
            "parentcaller": "0x7ff6c28baa3d",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a74"
              }
            ],
            "repeated": 0,
            "id": 26316
          },
          {
            "timestamp": "2026-05-28 22:03:03,521",
            "thread_id": "8604",
            "caller": "0x7ff6c28bcd3d",
            "parentcaller": "0x7ff6c28baa3d",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000a74"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0012019f",
                "pretty_value": "FILE_GENERIC_READ|FILE_GENERIC_WRITE"
              },
              {
                "name": "FileName",
                "value": "\\Device\\{4C572733-2FBA-4346-9601-F86DBA666EF2}"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 26317
          },
          {
            "timestamp": "2026-05-28 22:03:03,521",
            "thread_id": "8604",
            "caller": "0x7ff6c28bcd94",
            "parentcaller": "0x7ff6c28baa3d",
            "category": "device",
            "api": "DeviceIoControl",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "DeviceHandle",
                "value": "0x00000a74"
              },
              {
                "name": "IoControlCode",
                "value": "0x0017003e"
              },
              {
                "name": "InBuffer",
                "value": "\\x07\\x01\\x01\\x00\\x04\\x01\\x01\\x80\\x14\\x01\\x01\\x80\\x01\\x01\\x02\\x00\\x02\\x01\\x02\\x00\\x03\\x01\\x02\\x00\\x04\\x01\\x02\\x00\\x08\\x02\\x02\\x80\\x01\\x02\\x02\\x80\\x07\\x02\\x02\\x80\\xff\\xff\\xff\\x80\\x13\\x02\\x02\\x80\\x14\\x02\\x02\\x80\\x15\\x02\\x02\\x80\\x02\\x02\\x01\\x80"
              },
              {
                "name": "OutBuffer",
                "value": "\\x07\\x01\\x01\\x00\\x04\\x00\\x00\\x00\\x80\\x96\\x98\\x00\\x04\\x01\\x01\\x80\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x14\\x01\\x01\\x80\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x01\\x02\\x00\\x08\\x00\\x00\\x00\\xac\\x18\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x01\\x02\\x00\\x08\\x00\\x00\\x00\\xe0s\\x00\\x00\\x00\\x00\\x00\\x00\\x03\\x01\\x02\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x04\\x01\\x02\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x08\\x02\\x02\\x80\\x08\\x00\\x00\\x00\\xdbs\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x02\\x02\\x80\\x08\\x00\\x00\\x00\\xbdDh\\x00\\x00\\x00\\x00\\x00\\x07\\x02\\x02\\x80\\x08\\x00\\x00\\x00'\\x80C\\x02\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\x80\\x04\\x00\\x00\\x00\\x81\\x00\\x00\\x00\\x13\\x02\\x02\\x80\\x04\\x00\\x00\\x00m\\x00\\x00\\x00\\x14\\x02\\x02\\x80\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x15\\x02\\x02\\x80\\x04\\x00\\x00\\x00\\x00\\x00\\x04\\x00\\x02\\x02\\x01\\x80\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 26318
          },
          {
            "timestamp": "2026-05-28 22:03:03,521",
            "thread_id": "8604",
            "caller": "0x7ff6c28bcdab",
            "parentcaller": "0x7ff6c28baa3d",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a74"
              }
            ],
            "repeated": 0,
            "id": 26319
          },
          {
            "timestamp": "2026-05-28 22:03:03,521",
            "thread_id": "8604",
            "caller": "0x7ff6c28c1a63",
            "parentcaller": "0x7ff6c28d9152",
            "category": "device",
            "api": "DeviceIoControl",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "DeviceHandle",
                "value": "0x0000089c"
              },
              {
                "name": "IoControlCode",
                "value": "0x00070020"
              },
              {
                "name": "InBuffer",
                "value": ""
              },
              {
                "name": "OutBuffer",
                "value": "\\x00ve{\\x00\\x00\\x00\\x00\\x00\\xf4-\r\\x00\\x00\\x00\\x00\\xc7\\x14\\xda \\x00\\x00\\x00\\x00\\x98\\xbb\\xc1\\x16\\x00\\x00\\x00\\x00\\xbc\\xcc\\x82:\\x00\\x00\\x00\\x00Ox\\x00\\x00\\xfa\\x12\\x00\\x00\\x00\\x00\\x00\\x00\\x18\\x05\\x00\\x00\\xf5\\x13~\\xc1\\xed\\xee\\xdc\\x01\\x00\\x00\\x00\\x00P\\x00a\\x00r\\x00t\\x00m\\x00g\\x00r\\x00 \\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 26320
          },
          {
            "timestamp": "2026-05-28 22:03:03,521",
            "thread_id": "8604",
            "caller": "0x7ff6c28ca352",
            "parentcaller": "0x7ff6c28ca1d6",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 26321
          },
          {
            "timestamp": "2026-05-28 22:03:03,521",
            "thread_id": "8604",
            "caller": "0x7ff6c28ca352",
            "parentcaller": "0x7ff6c28ca1d6",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "0",
                "pretty_value": "ThreadBasicInformation"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x03\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb0\\x88\\x9d\\xf0\\x00\\x00\\x00\\xe8\\x1e\\x00\\x00\\x00\\x00\\x00\\x00\\x9c!\\x00\\x00\\x00\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x0b\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "8604"
              }
            ],
            "repeated": 0,
            "id": 26322
          },
          {
            "timestamp": "2026-05-28 22:03:03,521",
            "thread_id": "8604",
            "caller": "0x7ff6c28ca352",
            "parentcaller": "0x7ff6c28ca1d6",
            "category": "system",
            "api": "GetSystemTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 1,
            "id": 26323
          },
          {
            "timestamp": "2026-05-28 22:03:03,521",
            "thread_id": "8604",
            "caller": "0x7ff6c28ca352",
            "parentcaller": "0x7ff6c28ca1d6",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000410"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\PcwDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00224013"
              },
              {
                "name": "InputBuffer",
                "value": "\\x00\t\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": "\\xe0G\\x00\\x00\\x10\\x00\\x00\\x00\\x0c\\x00\\x00\\x00\\x00\\x00\\x00\\x00`\\x14\\x00\\x00 \\x00\\x00\\x00!\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\n\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x98\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x88\\x00\\x00\\x00\\x01\\x00\\x00\\x00p\\x00i\\x00d\\x00_\\x004\\x00_\\x00l\\x00u\\x00i\\x00d\\x00_\\x000\\x00x\\x000\\x000\\x000\\x000\\x000\\x000\\x000\\x000\\x00_\\x000\\x00x\\x000\\x000\\x000\\x000\\x006\\x001\\x006\\x00A\\x00_\\x00p\\x00h\\x00y\\x00s\\x00_\\x000\\x00_\\x00e\\x00n\\x00g\\x00_\\x000\\x00_\\x00e\\x00n\\x00g\\x00t\\x00y\\x00p\\x00e\\x00_\\x003\\x00D\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x01\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x98\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x88\\x00\\x00\\x00\\x01\\x00\\x00\\x00p\\x00i\\x00d\\x00_\\x004\\x00_\\x00l\\x00u\\x00i\\x00d\\x00_\\x000\\x00x\\x000\\x000\\x000\\x000\\x000\\x000\\x000\\x00"
              }
            ],
            "repeated": 0,
            "id": 26324
          },
          {
            "timestamp": "2026-05-28 22:03:03,521",
            "thread_id": "5448",
            "caller": "0x7ff6c28c63dd",
            "parentcaller": "0x7ff6c28bac26",
            "category": "misc",
            "api": "NtQuerySystemInformation",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SystemInformationClass",
                "value": "5",
                "pretty_value": "FILE_OVERWRITE_IF"
              }
            ],
            "repeated": 0,
            "id": 26325
          },
          {
            "timestamp": "2026-05-28 22:03:03,521",
            "thread_id": "5448",
            "caller": "0x7ff6c28bda50",
            "parentcaller": "0x7ff6c28d9f92",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "23"
              },
              {
                "name": "ThreadInformation",
                "value": ".mC}\\x00\\x00\\x00\\x00\\x863\\xf5\\xc1w\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "5448"
              }
            ],
            "repeated": 0,
            "id": 26326
          },
          {
            "timestamp": "2026-05-28 22:03:03,521",
            "thread_id": "5448",
            "caller": "0x7ff6c28bdaa2",
            "parentcaller": "0x7ff6c28d9f92",
            "category": "misc",
            "api": "NtQuerySystemInformation",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SystemInformationClass",
                "value": "3",
                "pretty_value": "SystemTimeOfDayInformation"
              }
            ],
            "repeated": 0,
            "id": 26327
          },
          {
            "timestamp": "2026-05-28 22:03:03,521",
            "thread_id": "5448",
            "caller": "0x7ff6c28c4a58",
            "parentcaller": "0x7ff6c28c4bdc",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000410"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\PcwDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00224013"
              },
              {
                "name": "InputBuffer",
                "value": "\\x14\\x04\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": "\\xb8\\x01\\x00\\x00\\x10\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xa8\\x01\\x00\\x00 \\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x000\\x00\\x00\\x0c\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00`\\x00\\x00\\x00\\x00\\x00\\x00\\x00 \\x00\\x00\\x00\\x04\\x00\\x00\\x000\\x00,\\x000\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x04\\x00\\x08\\x00V!\\x83\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x05\\x00\\x08\\x00\\xb0\\xb0\\xb6\\x01\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x1a\\x00\\x08\\x00\\xd2\\5Q\\x01\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x1b\\x00\\x04\\x00\\xd6\\x89\\xfe\\x04\\x00\\x00\\x00\\x00`\\x00\\x00\\x00\\x01\\x00\\x00\\x00 \\x00\\x00\\x00\\x04\\x00\\x00\\x000\\x00,\\x001\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x04\\x00\\x08\\x00\\xaey^\\x01\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x05\\x00\\x08\\x00\\xaeL-\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x1a\\x00\\x08\\x00\\x9e\\x83\\xa1V\\x01\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x1b\\x00\\x04\\x00\\xda\\x89\\xfe\\x04\\x00\\x00\\x00\\x00h\\x00\\x00\\x00\\x02\\x00\\x00\\x00(\\x00\\x00\\x00\\x04\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 26328
          },
          {
            "timestamp": "2026-05-28 22:03:03,521",
            "thread_id": "5448",
            "caller": "0x7ff6c28c4a58",
            "parentcaller": "0x7ff6c28c4c19",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000410"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\PcwDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00224013"
              },
              {
                "name": "InputBuffer",
                "value": "\\x18\\x04\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": "x\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00h\\x00\\x00\\x00 \\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00H\\x00\\x00\\x00\\x00\\x00\\x00\\x00(\\x00\\x00\\x00\\x02\\x00\\x00\\x00d\\x00e\\x00f\\x00a\\x00u\\x00l\\x00t\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x08\\x00\\x1b@K\\xa6\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x01\\x00\\x08\\x00\\x00\\xf4\\x0b\\x0f\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 26329
          },
          {
            "timestamp": "2026-05-28 22:03:03,521",
            "thread_id": "5448",
            "caller": "0x7ff6c28c6f7b",
            "parentcaller": "0x7ff6c28bdb94",
            "category": "misc",
            "api": "GlobalMemoryStatusEx",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "MemoryLoad",
                "value": "31"
              },
              {
                "name": "TotalPhysicalMB",
                "value": "8191"
              }
            ],
            "repeated": 0,
            "id": 26330
          },
          {
            "timestamp": "2026-05-28 22:03:03,521",
            "thread_id": "5448",
            "caller": "0x7ff6c28c05ac",
            "parentcaller": "0x7ff6c28bdc11",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000ad8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001400",
                "pretty_value": "PROCESS_QUERY_INFORMATION|PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "748"
              },
              {
                "name": "ProcessName",
                "value": "C:\\_a4sjgfa\\bin\\GGsGuLID.exe"
              }
            ],
            "repeated": 0,
            "id": 26331
          },
          {
            "timestamp": "2026-05-28 22:03:03,521",
            "thread_id": "5448",
            "caller": "0x7ff6c28c068f",
            "parentcaller": "0x7ff6c28bdc11",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000ad8"
              }
            ],
            "repeated": 0,
            "id": 26332
          },
          {
            "timestamp": "2026-05-28 22:03:03,521",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c6d7d",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000ad8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001400",
                "pretty_value": "PROCESS_QUERY_INFORMATION|PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "748"
              },
              {
                "name": "ProcessName",
                "value": "C:\\_a4sjgfa\\bin\\GGsGuLID.exe"
              }
            ],
            "repeated": 0,
            "id": 26333
          },
          {
            "timestamp": "2026-05-28 22:03:03,521",
            "thread_id": "5448",
            "caller": "0x7ff6c28c6de3",
            "parentcaller": "0x7ff6c28c087c",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000ad8"
              }
            ],
            "repeated": 0,
            "id": 26334
          },
          {
            "timestamp": "2026-05-28 22:03:03,521",
            "thread_id": "2700",
            "caller": "0x7ff6c28d9214",
            "parentcaller": "0x00000000",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "0",
                "pretty_value": "ThreadBasicInformation"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x03\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xd0\\x86\\x9d\\xf0\\x00\\x00\\x00\\xe8\\x1e\\x00\\x00\\x00\\x00\\x00\\x00\\x8c\n\\x00\\x00\\x00\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\n\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "2700"
              }
            ],
            "repeated": 0,
            "id": 26335
          },
          {
            "timestamp": "2026-05-28 22:03:03,521",
            "thread_id": "2700",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000000",
                "pretty_value": "HKEY_CLASSES_ROOT"
              },
              {
                "name": "SubKey",
                "value": "CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_CLASSES_ROOT\\CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              }
            ],
            "repeated": 0,
            "id": 26336
          },
          {
            "timestamp": "2026-05-28 22:03:03,521",
            "thread_id": "2700",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "shell32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76730000"
              }
            ],
            "repeated": 0,
            "id": 26337
          },
          {
            "timestamp": "2026-05-28 22:03:03,521",
            "thread_id": "2700",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x7ffc76730000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "shell32.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 26338
          },
          {
            "timestamp": "2026-05-28 22:03:03,521",
            "thread_id": "2700",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "SHELL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc76730000"
              },
              {
                "name": "FunctionName",
                "value": "DllGetClassObject"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc767878f0"
              }
            ],
            "repeated": 0,
            "id": 26339
          },
          {
            "timestamp": "2026-05-28 22:03:03,521",
            "thread_id": "2700",
            "caller": "0x7ff6c28c27c9",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "synchronization",
            "api": "NtFindAtom",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "AtomName",
                "value": "{57086C23-86C6-478F-AFB2-236188C8F47F} 3"
              },
              {
                "name": "Atom",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 26340
          },
          {
            "timestamp": "2026-05-28 22:03:03,521",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6fb1",
            "parentcaller": "0x7ff6c28e0076",
            "category": "system",
            "api": "NtDelayExecution",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 26341
          },
          {
            "timestamp": "2026-05-28 22:03:03,521",
            "thread_id": "2700",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000000",
                "pretty_value": "HKEY_CLASSES_ROOT"
              },
              {
                "name": "SubKey",
                "value": "CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_CLASSES_ROOT\\CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              }
            ],
            "repeated": 0,
            "id": 26342
          },
          {
            "timestamp": "2026-05-28 22:03:03,521",
            "thread_id": "2700",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "shell32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76730000"
              }
            ],
            "repeated": 0,
            "id": 26343
          },
          {
            "timestamp": "2026-05-28 22:03:03,521",
            "thread_id": "2700",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x7ffc76730000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "shell32.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 26344
          },
          {
            "timestamp": "2026-05-28 22:03:03,521",
            "thread_id": "2700",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "SHELL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc76730000"
              },
              {
                "name": "FunctionName",
                "value": "DllGetClassObject"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc767878f0"
              }
            ],
            "repeated": 0,
            "id": 26345
          },
          {
            "timestamp": "2026-05-28 22:03:03,521",
            "thread_id": "2700",
            "caller": "0x7ff6c28c27c9",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "synchronization",
            "api": "NtFindAtom",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "AtomName",
                "value": "{57086C23-86C6-478F-AFB2-236188C8F47F} 3"
              },
              {
                "name": "Atom",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 26346
          },
          {
            "timestamp": "2026-05-28 22:03:03,521",
            "thread_id": "2700",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000000",
                "pretty_value": "HKEY_CLASSES_ROOT"
              },
              {
                "name": "SubKey",
                "value": "CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_CLASSES_ROOT\\CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              }
            ],
            "repeated": 0,
            "id": 26347
          },
          {
            "timestamp": "2026-05-28 22:03:03,521",
            "thread_id": "2700",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "shell32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76730000"
              }
            ],
            "repeated": 0,
            "id": 26348
          },
          {
            "timestamp": "2026-05-28 22:03:03,521",
            "thread_id": "2700",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x7ffc76730000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "shell32.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 26349
          },
          {
            "timestamp": "2026-05-28 22:03:03,521",
            "thread_id": "2700",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "SHELL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc76730000"
              },
              {
                "name": "FunctionName",
                "value": "DllGetClassObject"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc767878f0"
              }
            ],
            "repeated": 0,
            "id": 26350
          },
          {
            "timestamp": "2026-05-28 22:03:03,521",
            "thread_id": "2700",
            "caller": "0x7ff6c28c27c9",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "synchronization",
            "api": "NtFindAtom",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "AtomName",
                "value": "{57086C23-86C6-478F-AFB2-236188C8F47F} 3"
              },
              {
                "name": "Atom",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 26351
          },
          {
            "timestamp": "2026-05-28 22:03:03,521",
            "thread_id": "2700",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000000",
                "pretty_value": "HKEY_CLASSES_ROOT"
              },
              {
                "name": "SubKey",
                "value": "CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_CLASSES_ROOT\\CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              }
            ],
            "repeated": 0,
            "id": 26352
          },
          {
            "timestamp": "2026-05-28 22:03:03,521",
            "thread_id": "2700",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "shell32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76730000"
              }
            ],
            "repeated": 0,
            "id": 26353
          },
          {
            "timestamp": "2026-05-28 22:03:03,521",
            "thread_id": "2700",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x7ffc76730000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "shell32.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 26354
          },
          {
            "timestamp": "2026-05-28 22:03:03,521",
            "thread_id": "2700",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "SHELL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc76730000"
              },
              {
                "name": "FunctionName",
                "value": "DllGetClassObject"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc767878f0"
              }
            ],
            "repeated": 0,
            "id": 26355
          },
          {
            "timestamp": "2026-05-28 22:03:03,521",
            "thread_id": "2700",
            "caller": "0x7ff6c28c27c9",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "synchronization",
            "api": "NtFindAtom",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "AtomName",
                "value": "{57086C23-86C6-478F-AFB2-236188C8F47F} 3"
              },
              {
                "name": "Atom",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 26356
          },
          {
            "timestamp": "2026-05-28 22:03:03,521",
            "thread_id": "2700",
            "caller": "0x7ff6c28d9322",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "oleaut32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc77330000"
              }
            ],
            "repeated": 0,
            "id": 26357
          },
          {
            "timestamp": "2026-05-28 22:03:03,521",
            "thread_id": "5448",
            "caller": "0x7ff6c28bb952",
            "parentcaller": "0x7ff6c28be837",
            "category": "windows",
            "api": "PostMessageW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "WindowHandle",
                "value": "0x00010402"
              },
              {
                "name": "Message",
                "value": "0x00000464"
              }
            ],
            "repeated": 0,
            "id": 26358
          },
          {
            "timestamp": "2026-05-28 22:03:03,521",
            "thread_id": "5448",
            "caller": "0x7ff6c28be873",
            "parentcaller": "0x7ff6c28d9f92",
            "category": "windows",
            "api": "PostMessageW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "WindowHandle",
                "value": "0x000203fa"
              },
              {
                "name": "Message",
                "value": "0x000004dd"
              }
            ],
            "repeated": 0,
            "id": 26359
          },
          {
            "timestamp": "2026-05-28 22:03:03,521",
            "thread_id": "608",
            "caller": "0x7ff6c28d9e90",
            "parentcaller": "0x7ff6c28d9a49",
            "category": "windows",
            "api": "FindWindowW",
            "status": true,
            "return": "0x00010092",
            "arguments": [
              {
                "name": "ClassName",
                "value": "Shell_TrayWnd"
              },
              {
                "name": "WindowName",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 26360
          },
          {
            "timestamp": "2026-05-28 22:03:03,521",
            "thread_id": "2700",
            "caller": "0x7ffc77bf0e98",
            "parentcaller": "0x7ffc77c6b785",
            "category": "windows",
            "api": "PostMessageW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "WindowHandle",
                "value": "0x00010438"
              },
              {
                "name": "Message",
                "value": "0x00000400"
              }
            ],
            "repeated": 0,
            "id": 26361
          },
          {
            "timestamp": "2026-05-28 22:03:04,490",
            "thread_id": "2700",
            "caller": "0x7ffc77bf0e98",
            "parentcaller": "0x7ffc77c6b785",
            "category": "windows",
            "api": "PostMessageW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "WindowHandle",
                "value": "0x00010424"
              },
              {
                "name": "Message",
                "value": "0x00000400"
              }
            ],
            "repeated": 0,
            "id": 26362
          },
          {
            "timestamp": "2026-05-28 22:03:04,521",
            "thread_id": "5448",
            "caller": "0x7ff6c28bd9af",
            "parentcaller": "0x7ff6c28d9f92",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "23"
              },
              {
                "name": "ThreadInformation",
                "value": "\nch}\\x00\\x00\\x00\\x00\\xfa\\x8cw\\x9dx\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "5448"
              }
            ],
            "repeated": 0,
            "id": 26363
          },
          {
            "timestamp": "2026-05-28 22:03:04,521",
            "thread_id": "8604",
            "caller": "0x7ff6c28c4a58",
            "parentcaller": "0x7ff6c28bab11",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000410"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\PcwDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00224013"
              },
              {
                "name": "InputBuffer",
                "value": "\\x88\\x08\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": "x\\x02\\x00\\x00\\x10\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00h\\x02\\x00\\x00 \\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01<\\x06\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x90\\x00\\x00\\x00\\x00\\x00\\x00\\x00 \\x00\\x00\\x00\\x07\\x00\\x00\\x000\\x00,\\x000\\x00\\x00\\x00a\\x00n\\x00a\\x00g\\x00\\x10\\x00\\x00\\x00\\x10\\x00\\x04\\x00\\x00\\x00\\x00\\x00A\\x00p\\x00\\x10\\x00\\x00\\x00\\x1a\\x00\\x08\\x00\\x89\\x06\\xeeT\\x01\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x1b\\x00\\x04\\x00\\xa7\\x10\\x08\\x05S\\x00e\\x00\\x10\\x00\\x00\\x00\\x1c\\x00\\x08\\x00\\x8b\\xc2\\xc4\\x08\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x1d\\x00\\x04\\x00\\xa7\\x10\\x08\\x05)\\x00\\x00\\x00\\x10\\x00\\x00\\x00!\\x00\\x08\\x00f\\x05\\xac\\x161\\x00\\x00\\x00\\x10\\x00\\x00\\x00\"\\x00\\x04\\x00\\xbf\\xc7h\\x03o\\x00f\\x00\\x90\\x00\\x00\\x00\\x01\\x00\\x00\\x00 \\x00\\x00\\x00\\x07\\x00\\x00\\x000\\x00,\\x001\\x00\\x00\\x00n\\x00t\\x00\\x00\\x00A\\x00\\x10\\x00\\x00\\x00\\x10\\x00\\x04\\x00\\x00\\x00\\x00\\x00e\\x00n\\x00\\x10\\x00\\x00\\x00\\x1a\\x00\\x08\\x00\\xeb.ZZ\\x01\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 26364
          },
          {
            "timestamp": "2026-05-28 22:03:04,521",
            "thread_id": "8604",
            "caller": "0x7ff6c28c7164",
            "parentcaller": "0x7ff6c28c4d2d",
            "category": "misc",
            "api": "NtQuerySystemInformation",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "SystemInformationClass",
                "value": "79"
              }
            ],
            "repeated": 0,
            "id": 26365
          },
          {
            "timestamp": "2026-05-28 22:03:04,521",
            "thread_id": "8604",
            "caller": "0x7ff6c28c71d8",
            "parentcaller": "0x7ff6c28c4d2d",
            "category": "misc",
            "api": "NtQuerySystemInformation",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SystemInformationClass",
                "value": "79"
              }
            ],
            "repeated": 0,
            "id": 26366
          },
          {
            "timestamp": "2026-05-28 22:03:04,521",
            "thread_id": "8604",
            "caller": "0x7ff6c28c4d5f",
            "parentcaller": "0x7ff6c28d9152",
            "category": "misc",
            "api": "NtQuerySystemInformation",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SystemInformationClass",
                "value": "182"
              }
            ],
            "repeated": 0,
            "id": 26367
          },
          {
            "timestamp": "2026-05-28 22:03:04,521",
            "thread_id": "8604",
            "caller": "0x7ff6c28c4d76",
            "parentcaller": "0x7ff6c28d9152",
            "category": "misc",
            "api": "GetPhysicallyInstalledSystemMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TotalMemoryInKilobytes",
                "value": "8388608"
              }
            ],
            "repeated": 0,
            "id": 26368
          },
          {
            "timestamp": "2026-05-28 22:03:04,521",
            "thread_id": "8604",
            "caller": "0x7ff6c28bcc3e",
            "parentcaller": "0x7ff6c28baa3d",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000008a4"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\Nsi"
              },
              {
                "name": "IoControlCode",
                "value": "0x00120007"
              },
              {
                "name": "InputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb1\\xa9t\\xfc\\x7f\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xc0\\xe5O\\x9e\\xf0\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb1\\xa9t\\xfc\\x7f\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xc0\\xe5O\\x9e\\xf0\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 26369
          },
          {
            "timestamp": "2026-05-28 22:03:04,521",
            "thread_id": "8604",
            "caller": "0x7ff6c28bcc3e",
            "parentcaller": "0x7ff6c28baa3d",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a74"
              }
            ],
            "repeated": 0,
            "id": 26370
          },
          {
            "timestamp": "2026-05-28 22:03:04,521",
            "thread_id": "8604",
            "caller": "0x7ff6c28bcc3e",
            "parentcaller": "0x7ff6c28baa3d",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000008a4"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\Nsi"
              },
              {
                "name": "IoControlCode",
                "value": "0x0012000f"
              },
              {
                "name": "InputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb1\\xa9t\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xd0\\xe5O\\x9e\\xf0\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\xeeO\\x9e\\xf0\\x00\\x00\\x00D\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xe6O\\x9e\\xf0\\x00\\x00\\x00\\xd8\\x00\\x00\\x00\\x00\\x00\\x00\\x00 \\xe9O\\x9e\\xf0\\x00\\x00\\x00X\\x02\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb1\\xa9t\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xd0\\xe5O\\x9e\\xf0\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\xeeO\\x9e\\xf0\\x00\\x00\\x00D\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xe6O\\x9e\\xf0\\x00\\x00\\x00\\xd8\\x00\\x00\\x00\\x00\\x00\\x00\\x00 \\xe9O\\x9e\\xf0\\x00\\x00\\x00X\\x02\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 26371
          },
          {
            "timestamp": "2026-05-28 22:03:04,521",
            "thread_id": "8604",
            "caller": "0x7ff6c28bcc3e",
            "parentcaller": "0x7ff6c28baa3d",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a74"
              }
            ],
            "repeated": 0,
            "id": 26372
          },
          {
            "timestamp": "2026-05-28 22:03:04,521",
            "thread_id": "8604",
            "caller": "0x7ff6c28bcd3d",
            "parentcaller": "0x7ff6c28baa3d",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000a74"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0012019f",
                "pretty_value": "FILE_GENERIC_READ|FILE_GENERIC_WRITE"
              },
              {
                "name": "FileName",
                "value": "\\Device\\{4C572733-2FBA-4346-9601-F86DBA666EF2}"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 26373
          },
          {
            "timestamp": "2026-05-28 22:03:04,521",
            "thread_id": "8604",
            "caller": "0x7ff6c28bcd94",
            "parentcaller": "0x7ff6c28baa3d",
            "category": "device",
            "api": "DeviceIoControl",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "DeviceHandle",
                "value": "0x00000a74"
              },
              {
                "name": "IoControlCode",
                "value": "0x0017003e"
              },
              {
                "name": "InBuffer",
                "value": "\\x07\\x01\\x01\\x00\\x04\\x01\\x01\\x80\\x14\\x01\\x01\\x80\\x01\\x01\\x02\\x00\\x02\\x01\\x02\\x00\\x03\\x01\\x02\\x00\\x04\\x01\\x02\\x00\\x08\\x02\\x02\\x80\\x01\\x02\\x02\\x80\\x07\\x02\\x02\\x80\\xff\\xff\\xff\\x80\\x13\\x02\\x02\\x80\\x14\\x02\\x02\\x80\\x15\\x02\\x02\\x80\\x02\\x02\\x01\\x80"
              },
              {
                "name": "OutBuffer",
                "value": "\\x07\\x01\\x01\\x00\\x04\\x00\\x00\\x00\\x80\\x96\\x98\\x00\\x04\\x01\\x01\\x80\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x14\\x01\\x01\\x80\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x01\\x02\\x00\\x08\\x00\\x00\\x00\\xb3\\x18\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x01\\x02\\x00\\x08\\x00\\x00\\x00\\xe8s\\x00\\x00\\x00\\x00\\x00\\x00\\x03\\x01\\x02\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x04\\x01\\x02\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x08\\x02\\x02\\x80\\x08\\x00\\x00\\x00\\xe3s\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x02\\x02\\x80\\x08\\x00\\x00\\x00BKh\\x00\\x00\\x00\\x00\\x00\\x07\\x02\\x02\\x80\\x08\\x00\\x00\\x00\\xb0\\x82C\\x02\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\x80\\x04\\x00\\x00\\x00\\x82\\x00\\x00\\x00\\x13\\x02\\x02\\x80\\x04\\x00\\x00\\x00m\\x00\\x00\\x00\\x14\\x02\\x02\\x80\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x15\\x02\\x02\\x80\\x04\\x00\\x00\\x00\\x00\\x00\\x04\\x00\\x02\\x02\\x01\\x80\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 26374
          },
          {
            "timestamp": "2026-05-28 22:03:04,521",
            "thread_id": "8604",
            "caller": "0x7ff6c28bcdab",
            "parentcaller": "0x7ff6c28baa3d",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a74"
              }
            ],
            "repeated": 0,
            "id": 26375
          },
          {
            "timestamp": "2026-05-28 22:03:04,521",
            "thread_id": "8604",
            "caller": "0x7ff6c28c1a63",
            "parentcaller": "0x7ff6c28d9152",
            "category": "device",
            "api": "DeviceIoControl",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "DeviceHandle",
                "value": "0x0000089c"
              },
              {
                "name": "IoControlCode",
                "value": "0x00070020"
              },
              {
                "name": "InBuffer",
                "value": ""
              },
              {
                "name": "OutBuffer",
                "value": "\\x00\\xa0m{\\x00\\x00\\x00\\x00\\x00\\x941\r\\x00\\x00\\x00\\x00h]\\xda \\x00\\x00\\x00\\x00\\xb2X\\xca\\x16\\x00\\x00\\x00\\x00\\x9c\\xe9\\x16;\\x00\\x00\\x00\\x00ix\\x00\\x00\\x00\\x13\\x00\\x00\\x00\\x00\\x00\\x00\\x1b\\x05\\x00\\x00/\\xb1\\x16\\xc2\\xed\\xee\\xdc\\x01\\x00\\x00\\x00\\x00P\\x00a\\x00r\\x00t\\x00m\\x00g\\x00r\\x00 \\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 26376
          },
          {
            "timestamp": "2026-05-28 22:03:04,521",
            "thread_id": "8604",
            "caller": "0x7ff6c28ca352",
            "parentcaller": "0x7ff6c28ca1d6",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 26377
          },
          {
            "timestamp": "2026-05-28 22:03:04,521",
            "thread_id": "8604",
            "caller": "0x7ff6c28ca352",
            "parentcaller": "0x7ff6c28ca1d6",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "0",
                "pretty_value": "ThreadBasicInformation"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x03\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb0\\x88\\x9d\\xf0\\x00\\x00\\x00\\xe8\\x1e\\x00\\x00\\x00\\x00\\x00\\x00\\x9c!\\x00\\x00\\x00\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x0b\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "8604"
              }
            ],
            "repeated": 0,
            "id": 26378
          },
          {
            "timestamp": "2026-05-28 22:03:04,521",
            "thread_id": "8604",
            "caller": "0x7ff6c28ca352",
            "parentcaller": "0x7ff6c28ca1d6",
            "category": "system",
            "api": "GetSystemTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 1,
            "id": 26379
          },
          {
            "timestamp": "2026-05-28 22:03:04,521",
            "thread_id": "8604",
            "caller": "0x7ff6c28ca352",
            "parentcaller": "0x7ff6c28ca1d6",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000410"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\PcwDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00224013"
              },
              {
                "name": "InputBuffer",
                "value": "\\x00\t\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": "\\xe0G\\x00\\x00\\x10\\x00\\x00\\x00\\x0c\\x00\\x00\\x00\\x00\\x00\\x00\\x00`\\x14\\x00\\x00 \\x00\\x00\\x00!\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\n\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x98\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x88\\x00\\x00\\x00\\x01\\x00\\x00\\x00p\\x00i\\x00d\\x00_\\x004\\x00_\\x00l\\x00u\\x00i\\x00d\\x00_\\x000\\x00x\\x000\\x000\\x000\\x000\\x000\\x000\\x000\\x000\\x00_\\x000\\x00x\\x000\\x000\\x000\\x000\\x006\\x001\\x006\\x00A\\x00_\\x00p\\x00h\\x00y\\x00s\\x00_\\x000\\x00_\\x00e\\x00n\\x00g\\x00_\\x000\\x00_\\x00e\\x00n\\x00g\\x00t\\x00y\\x00p\\x00e\\x00_\\x003\\x00D\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x01\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x98\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x88\\x00\\x00\\x00\\x01\\x00\\x00\\x00p\\x00i\\x00d\\x00_\\x004\\x00_\\x00l\\x00u\\x00i\\x00d\\x00_\\x000\\x00x\\x000\\x000\\x000\\x000\\x000\\x000\\x000\\x00"
              }
            ],
            "repeated": 0,
            "id": 26380
          },
          {
            "timestamp": "2026-05-28 22:03:04,521",
            "thread_id": "5448",
            "caller": "0x7ff6c28c63dd",
            "parentcaller": "0x7ff6c28bac26",
            "category": "misc",
            "api": "NtQuerySystemInformation",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SystemInformationClass",
                "value": "5",
                "pretty_value": "SystemProcessInformation"
              }
            ],
            "repeated": 0,
            "id": 26381
          },
          {
            "timestamp": "2026-05-28 22:03:04,521",
            "thread_id": "5448",
            "caller": "0x7ff6c28bda50",
            "parentcaller": "0x7ff6c28d9f92",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "23"
              },
              {
                "name": "ThreadInformation",
                "value": "\\xd0\\xa4\\xa8}\\x00\\x00\\x00\\x00^\\xe5\\xb9\\x9dx\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "5448"
              }
            ],
            "repeated": 0,
            "id": 26382
          },
          {
            "timestamp": "2026-05-28 22:03:04,521",
            "thread_id": "5448",
            "caller": "0x7ff6c28bdaa2",
            "parentcaller": "0x7ff6c28d9f92",
            "category": "misc",
            "api": "NtQuerySystemInformation",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SystemInformationClass",
                "value": "3",
                "pretty_value": "SystemTimeOfDayInformation"
              }
            ],
            "repeated": 0,
            "id": 26383
          },
          {
            "timestamp": "2026-05-28 22:03:04,521",
            "thread_id": "5448",
            "caller": "0x7ff6c28c4a58",
            "parentcaller": "0x7ff6c28c4bdc",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000410"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\PcwDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00224013"
              },
              {
                "name": "InputBuffer",
                "value": "\\x14\\x04\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": "\\xb8\\x01\\x00\\x00\\x10\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xa8\\x01\\x00\\x00 \\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x000\\x00\\x00\\x0c\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00`\\x00\\x00\\x00\\x00\\x00\\x00\\x00 \\x00\\x00\\x00\\x04\\x00\\x00\\x000\\x00,\\x000\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x04\\x00\\x08\\x00V!\\x83\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x05\\x00\\x08\\x00\\xb0\\xb0\\xb6\\x01\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x1a\\x00\\x08\\x00\\xaa9\\xefT\\x01\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x1b\\x00\\x04\\x00\\xb9\\x13\\x08\\x05\\x00\\x00\\x00\\x00`\\x00\\x00\\x00\\x01\\x00\\x00\\x00 \\x00\\x00\\x00\\x04\\x00\\x00\\x000\\x00,\\x001\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x04\\x00\\x08\\x00\\xaey^\\x01\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x05\\x00\\x08\\x00\\xaeL-\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x1a\\x00\\x08\\x00\\xa8`[Z\\x01\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x1b\\x00\\x04\\x00\\xbd\\x13\\x08\\x05\\x00\\x00\\x00\\x00h\\x00\\x00\\x00\\x02\\x00\\x00\\x00(\\x00\\x00\\x00\\x04\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 26384
          },
          {
            "timestamp": "2026-05-28 22:03:04,521",
            "thread_id": "5448",
            "caller": "0x7ff6c28c4a58",
            "parentcaller": "0x7ff6c28c4c19",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000410"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\PcwDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00224013"
              },
              {
                "name": "InputBuffer",
                "value": "\\x18\\x04\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": "x\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00h\\x00\\x00\\x00 \\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00H\\x00\\x00\\x00\\x00\\x00\\x00\\x00(\\x00\\x00\\x00\\x02\\x00\\x00\\x00d\\x00e\\x00f\\x00a\\x00u\\x00l\\x00t\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x08\\x00\\x1bjS\\xa6\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x01\\x00\\x08\\x00\\x00\\x94\\x0f\\x0f\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 26385
          },
          {
            "timestamp": "2026-05-28 22:03:04,521",
            "thread_id": "5448",
            "caller": "0x7ff6c28c6f7b",
            "parentcaller": "0x7ff6c28bdb94",
            "category": "misc",
            "api": "GlobalMemoryStatusEx",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "MemoryLoad",
                "value": "31"
              },
              {
                "name": "TotalPhysicalMB",
                "value": "8191"
              }
            ],
            "repeated": 0,
            "id": 26386
          },
          {
            "timestamp": "2026-05-28 22:03:04,521",
            "thread_id": "5448",
            "caller": "0x7ff6c28c05ac",
            "parentcaller": "0x7ff6c28bdc11",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a54"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001400",
                "pretty_value": "PROCESS_QUERY_INFORMATION|PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "748"
              },
              {
                "name": "ProcessName",
                "value": "C:\\_a4sjgfa\\bin\\GGsGuLID.exe"
              }
            ],
            "repeated": 0,
            "id": 26387
          },
          {
            "timestamp": "2026-05-28 22:03:04,521",
            "thread_id": "5448",
            "caller": "0x7ff6c28c068f",
            "parentcaller": "0x7ff6c28bdc11",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a54"
              }
            ],
            "repeated": 0,
            "id": 26388
          },
          {
            "timestamp": "2026-05-28 22:03:04,521",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c6d7d",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a54"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001400",
                "pretty_value": "PROCESS_QUERY_INFORMATION|PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "748"
              },
              {
                "name": "ProcessName",
                "value": "C:\\_a4sjgfa\\bin\\GGsGuLID.exe"
              }
            ],
            "repeated": 0,
            "id": 26389
          },
          {
            "timestamp": "2026-05-28 22:03:04,521",
            "thread_id": "5448",
            "caller": "0x7ff6c28c6de3",
            "parentcaller": "0x7ff6c28c087c",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a54"
              }
            ],
            "repeated": 0,
            "id": 26390
          },
          {
            "timestamp": "2026-05-28 22:03:04,521",
            "thread_id": "2700",
            "caller": "0x7ff6c28d9214",
            "parentcaller": "0x00000000",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "0",
                "pretty_value": "ThreadBasicInformation"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x03\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xd0\\x86\\x9d\\xf0\\x00\\x00\\x00\\xe8\\x1e\\x00\\x00\\x00\\x00\\x00\\x00\\x8c\n\\x00\\x00\\x00\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\n\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "2700"
              }
            ],
            "repeated": 0,
            "id": 26391
          },
          {
            "timestamp": "2026-05-28 22:03:04,521",
            "thread_id": "2700",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000000",
                "pretty_value": "HKEY_CLASSES_ROOT"
              },
              {
                "name": "SubKey",
                "value": "CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_CLASSES_ROOT\\CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              }
            ],
            "repeated": 0,
            "id": 26392
          },
          {
            "timestamp": "2026-05-28 22:03:04,521",
            "thread_id": "2700",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "shell32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76730000"
              }
            ],
            "repeated": 0,
            "id": 26393
          },
          {
            "timestamp": "2026-05-28 22:03:04,521",
            "thread_id": "2700",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x7ffc76730000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "shell32.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 26394
          },
          {
            "timestamp": "2026-05-28 22:03:04,521",
            "thread_id": "2700",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "SHELL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc76730000"
              },
              {
                "name": "FunctionName",
                "value": "DllGetClassObject"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc767878f0"
              }
            ],
            "repeated": 0,
            "id": 26395
          },
          {
            "timestamp": "2026-05-28 22:03:04,521",
            "thread_id": "2700",
            "caller": "0x7ff6c28c27c9",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "synchronization",
            "api": "NtFindAtom",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "AtomName",
                "value": "{57086C23-86C6-478F-AFB2-236188C8F47F} 3"
              },
              {
                "name": "Atom",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 26396
          },
          {
            "timestamp": "2026-05-28 22:03:04,521",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6fb1",
            "parentcaller": "0x7ff6c28e0076",
            "category": "system",
            "api": "NtDelayExecution",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 26397
          },
          {
            "timestamp": "2026-05-28 22:03:04,521",
            "thread_id": "2700",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000000",
                "pretty_value": "HKEY_CLASSES_ROOT"
              },
              {
                "name": "SubKey",
                "value": "CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_CLASSES_ROOT\\CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              }
            ],
            "repeated": 0,
            "id": 26398
          },
          {
            "timestamp": "2026-05-28 22:03:04,521",
            "thread_id": "2700",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "shell32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76730000"
              }
            ],
            "repeated": 0,
            "id": 26399
          },
          {
            "timestamp": "2026-05-28 22:03:04,521",
            "thread_id": "2700",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x7ffc76730000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "shell32.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 26400
          },
          {
            "timestamp": "2026-05-28 22:03:04,521",
            "thread_id": "2700",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "SHELL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc76730000"
              },
              {
                "name": "FunctionName",
                "value": "DllGetClassObject"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc767878f0"
              }
            ],
            "repeated": 0,
            "id": 26401
          },
          {
            "timestamp": "2026-05-28 22:03:04,521",
            "thread_id": "2700",
            "caller": "0x7ff6c28c27c9",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "synchronization",
            "api": "NtFindAtom",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "AtomName",
                "value": "{57086C23-86C6-478F-AFB2-236188C8F47F} 3"
              },
              {
                "name": "Atom",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 26402
          },
          {
            "timestamp": "2026-05-28 22:03:04,521",
            "thread_id": "2700",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000000",
                "pretty_value": "HKEY_CLASSES_ROOT"
              },
              {
                "name": "SubKey",
                "value": "CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_CLASSES_ROOT\\CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              }
            ],
            "repeated": 0,
            "id": 26403
          },
          {
            "timestamp": "2026-05-28 22:03:04,521",
            "thread_id": "2700",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "shell32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76730000"
              }
            ],
            "repeated": 0,
            "id": 26404
          },
          {
            "timestamp": "2026-05-28 22:03:04,521",
            "thread_id": "2700",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x7ffc76730000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "shell32.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 26405
          },
          {
            "timestamp": "2026-05-28 22:03:04,521",
            "thread_id": "2700",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "SHELL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc76730000"
              },
              {
                "name": "FunctionName",
                "value": "DllGetClassObject"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc767878f0"
              }
            ],
            "repeated": 0,
            "id": 26406
          },
          {
            "timestamp": "2026-05-28 22:03:04,521",
            "thread_id": "2700",
            "caller": "0x7ff6c28c27c9",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "synchronization",
            "api": "NtFindAtom",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "AtomName",
                "value": "{57086C23-86C6-478F-AFB2-236188C8F47F} 3"
              },
              {
                "name": "Atom",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 26407
          },
          {
            "timestamp": "2026-05-28 22:03:04,521",
            "thread_id": "2700",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000000",
                "pretty_value": "HKEY_CLASSES_ROOT"
              },
              {
                "name": "SubKey",
                "value": "CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_CLASSES_ROOT\\CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              }
            ],
            "repeated": 0,
            "id": 26408
          },
          {
            "timestamp": "2026-05-28 22:03:04,521",
            "thread_id": "2700",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "shell32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76730000"
              }
            ],
            "repeated": 0,
            "id": 26409
          },
          {
            "timestamp": "2026-05-28 22:03:04,521",
            "thread_id": "2700",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x7ffc76730000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "shell32.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 26410
          },
          {
            "timestamp": "2026-05-28 22:03:04,521",
            "thread_id": "2700",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "SHELL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc76730000"
              },
              {
                "name": "FunctionName",
                "value": "DllGetClassObject"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc767878f0"
              }
            ],
            "repeated": 0,
            "id": 26411
          },
          {
            "timestamp": "2026-05-28 22:03:04,521",
            "thread_id": "2700",
            "caller": "0x7ff6c28c27c9",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "synchronization",
            "api": "NtFindAtom",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "AtomName",
                "value": "{57086C23-86C6-478F-AFB2-236188C8F47F} 3"
              },
              {
                "name": "Atom",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 26412
          },
          {
            "timestamp": "2026-05-28 22:03:04,521",
            "thread_id": "2700",
            "caller": "0x7ff6c28d9322",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "oleaut32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc77330000"
              }
            ],
            "repeated": 0,
            "id": 26413
          },
          {
            "timestamp": "2026-05-28 22:03:04,521",
            "thread_id": "5448",
            "caller": "0x7ff6c28bb952",
            "parentcaller": "0x7ff6c28be837",
            "category": "windows",
            "api": "PostMessageW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "WindowHandle",
                "value": "0x00010402"
              },
              {
                "name": "Message",
                "value": "0x00000464"
              }
            ],
            "repeated": 0,
            "id": 26414
          },
          {
            "timestamp": "2026-05-28 22:03:04,521",
            "thread_id": "5448",
            "caller": "0x7ff6c28be873",
            "parentcaller": "0x7ff6c28d9f92",
            "category": "windows",
            "api": "PostMessageW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "WindowHandle",
                "value": "0x000203fa"
              },
              {
                "name": "Message",
                "value": "0x000004dd"
              }
            ],
            "repeated": 0,
            "id": 26415
          },
          {
            "timestamp": "2026-05-28 22:03:04,521",
            "thread_id": "608",
            "caller": "0x7ff6c28d9e90",
            "parentcaller": "0x7ff6c28d9a49",
            "category": "windows",
            "api": "FindWindowW",
            "status": true,
            "return": "0x00010092",
            "arguments": [
              {
                "name": "ClassName",
                "value": "Shell_TrayWnd"
              },
              {
                "name": "WindowName",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 26416
          },
          {
            "timestamp": "2026-05-28 22:03:04,521",
            "thread_id": "2700",
            "caller": "0x7ffc77bf0e98",
            "parentcaller": "0x7ffc77c6b785",
            "category": "windows",
            "api": "PostMessageW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "WindowHandle",
                "value": "0x00010438"
              },
              {
                "name": "Message",
                "value": "0x00000400"
              }
            ],
            "repeated": 0,
            "id": 26417
          },
          {
            "timestamp": "2026-05-28 22:03:05,506",
            "thread_id": "2700",
            "caller": "0x7ffc77bf0e98",
            "parentcaller": "0x7ffc77c6b785",
            "category": "windows",
            "api": "PostMessageW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "WindowHandle",
                "value": "0x00010424"
              },
              {
                "name": "Message",
                "value": "0x00000400"
              }
            ],
            "repeated": 0,
            "id": 26418
          },
          {
            "timestamp": "2026-05-28 22:03:05,521",
            "thread_id": "5448",
            "caller": "0x7ff6c28bd9af",
            "parentcaller": "0x7ff6c28d9f92",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "23"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x9c\\xbd\\xcd}\\x00\\x00\\x00\\x00D\\xc2(yy\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "5448"
              }
            ],
            "repeated": 0,
            "id": 26419
          },
          {
            "timestamp": "2026-05-28 22:03:05,521",
            "thread_id": "8604",
            "caller": "0x7ff6c28c4a58",
            "parentcaller": "0x7ff6c28bab11",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000410"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\PcwDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00224013"
              },
              {
                "name": "InputBuffer",
                "value": "\\x88\\x08\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": "x\\x02\\x00\\x00\\x10\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00h\\x02\\x00\\x00 \\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01<\\x06\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x90\\x00\\x00\\x00\\x00\\x00\\x00\\x00 \\x00\\x00\\x00\\x07\\x00\\x00\\x000\\x00,\\x000\\x00\\x00\\x00a\\x00n\\x00a\\x00g\\x00\\x10\\x00\\x00\\x00\\x10\\x00\\x04\\x00\\x00\\x00\\x00\\x00A\\x00p\\x00\\x10\\x00\\x00\\x00\\x1a\\x00\\x08\\x00\\xa2\\x8b\\xa7X\\x01\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x1b\\x00\\x04\\x00\\xaa\\x99\\x11\\x05S\\x00e\\x00\\x10\\x00\\x00\\x00\\x1c\\x00\\x08\\x00\\x8b\\xc2\\xc4\\x08\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x1d\\x00\\x04\\x00\\xaa\\x99\\x11\\x05)\\x00\\x00\\x00\\x10\\x00\\x00\\x00!\\x00\\x08\\x00\\xe5\\xc3\\xf6\\x9f1\\x00\\x00\\x00\\x10\\x00\\x00\\x00\"\\x00\\x04\\x00\\xc2Pr\\x03o\\x00f\\x00\\x90\\x00\\x00\\x00\\x01\\x00\\x00\\x00 \\x00\\x00\\x00\\x07\\x00\\x00\\x000\\x00,\\x001\\x00\\x00\\x00n\\x00t\\x00\\x00\\x00A\\x00\\x10\\x00\\x00\\x00\\x10\\x00\\x04\\x00\\x00\\x00\\x00\\x00e\\x00n\\x00\\x10\\x00\\x00\\x00\\x1a\\x00\\x08\\x00\\xc6\\xb2\\x13^\\x01\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 26420
          },
          {
            "timestamp": "2026-05-28 22:03:05,521",
            "thread_id": "8604",
            "caller": "0x7ff6c28c7164",
            "parentcaller": "0x7ff6c28c4d2d",
            "category": "misc",
            "api": "NtQuerySystemInformation",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "SystemInformationClass",
                "value": "79"
              }
            ],
            "repeated": 0,
            "id": 26421
          },
          {
            "timestamp": "2026-05-28 22:03:05,521",
            "thread_id": "8604",
            "caller": "0x7ff6c28c71d8",
            "parentcaller": "0x7ff6c28c4d2d",
            "category": "misc",
            "api": "NtQuerySystemInformation",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SystemInformationClass",
                "value": "79"
              }
            ],
            "repeated": 0,
            "id": 26422
          },
          {
            "timestamp": "2026-05-28 22:03:05,521",
            "thread_id": "8604",
            "caller": "0x7ff6c28c4d5f",
            "parentcaller": "0x7ff6c28d9152",
            "category": "misc",
            "api": "NtQuerySystemInformation",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SystemInformationClass",
                "value": "182"
              }
            ],
            "repeated": 0,
            "id": 26423
          },
          {
            "timestamp": "2026-05-28 22:03:05,521",
            "thread_id": "8604",
            "caller": "0x7ff6c28c4d76",
            "parentcaller": "0x7ff6c28d9152",
            "category": "misc",
            "api": "GetPhysicallyInstalledSystemMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TotalMemoryInKilobytes",
                "value": "8388608"
              }
            ],
            "repeated": 0,
            "id": 26424
          },
          {
            "timestamp": "2026-05-28 22:03:05,521",
            "thread_id": "8604",
            "caller": "0x7ff6c28bcc3e",
            "parentcaller": "0x7ff6c28baa3d",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000008a4"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\Nsi"
              },
              {
                "name": "IoControlCode",
                "value": "0x00120007"
              },
              {
                "name": "InputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb1\\xa9t\\xfc\\x7f\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xc0\\xe5O\\x9e\\xf0\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb1\\xa9t\\xfc\\x7f\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xc0\\xe5O\\x9e\\xf0\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 26425
          },
          {
            "timestamp": "2026-05-28 22:03:05,521",
            "thread_id": "8604",
            "caller": "0x7ff6c28bcc3e",
            "parentcaller": "0x7ff6c28baa3d",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a60"
              }
            ],
            "repeated": 0,
            "id": 26426
          },
          {
            "timestamp": "2026-05-28 22:03:05,521",
            "thread_id": "8604",
            "caller": "0x7ff6c28bcc3e",
            "parentcaller": "0x7ff6c28baa3d",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000008a4"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\Nsi"
              },
              {
                "name": "IoControlCode",
                "value": "0x0012000f"
              },
              {
                "name": "InputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb1\\xa9t\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xd0\\xe5O\\x9e\\xf0\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\xeeO\\x9e\\xf0\\x00\\x00\\x00D\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xe6O\\x9e\\xf0\\x00\\x00\\x00\\xd8\\x00\\x00\\x00\\x00\\x00\\x00\\x00 \\xe9O\\x9e\\xf0\\x00\\x00\\x00X\\x02\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb1\\xa9t\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xd0\\xe5O\\x9e\\xf0\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\xeeO\\x9e\\xf0\\x00\\x00\\x00D\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xe6O\\x9e\\xf0\\x00\\x00\\x00\\xd8\\x00\\x00\\x00\\x00\\x00\\x00\\x00 \\xe9O\\x9e\\xf0\\x00\\x00\\x00X\\x02\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 26427
          },
          {
            "timestamp": "2026-05-28 22:03:05,521",
            "thread_id": "8604",
            "caller": "0x7ff6c28bcc3e",
            "parentcaller": "0x7ff6c28baa3d",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a60"
              }
            ],
            "repeated": 0,
            "id": 26428
          },
          {
            "timestamp": "2026-05-28 22:03:05,521",
            "thread_id": "8604",
            "caller": "0x7ff6c28bcd3d",
            "parentcaller": "0x7ff6c28baa3d",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000a60"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0012019f",
                "pretty_value": "FILE_GENERIC_READ|FILE_GENERIC_WRITE"
              },
              {
                "name": "FileName",
                "value": "\\Device\\{4C572733-2FBA-4346-9601-F86DBA666EF2}"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 26429
          },
          {
            "timestamp": "2026-05-28 22:03:05,521",
            "thread_id": "8604",
            "caller": "0x7ff6c28bcd94",
            "parentcaller": "0x7ff6c28baa3d",
            "category": "device",
            "api": "DeviceIoControl",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "DeviceHandle",
                "value": "0x00000a60"
              },
              {
                "name": "IoControlCode",
                "value": "0x0017003e"
              },
              {
                "name": "InBuffer",
                "value": "\\x07\\x01\\x01\\x00\\x04\\x01\\x01\\x80\\x14\\x01\\x01\\x80\\x01\\x01\\x02\\x00\\x02\\x01\\x02\\x00\\x03\\x01\\x02\\x00\\x04\\x01\\x02\\x00\\x08\\x02\\x02\\x80\\x01\\x02\\x02\\x80\\x07\\x02\\x02\\x80\\xff\\xff\\xff\\x80\\x13\\x02\\x02\\x80\\x14\\x02\\x02\\x80\\x15\\x02\\x02\\x80\\x02\\x02\\x01\\x80"
              },
              {
                "name": "OutBuffer",
                "value": "\\x07\\x01\\x01\\x00\\x04\\x00\\x00\\x00\\x80\\x96\\x98\\x00\\x04\\x01\\x01\\x80\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x14\\x01\\x01\\x80\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x01\\x02\\x00\\x08\\x00\\x00\\x00\\xf3\\x18\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x01\\x02\\x00\\x08\\x00\\x00\\x00(t\\x00\\x00\\x00\\x00\\x00\\x00\\x03\\x01\\x02\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x04\\x01\\x02\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x08\\x02\\x02\\x80\\x08\\x00\\x00\\x00#t\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x02\\x02\\x80\\x08\\x00\\x00\\x00\\x99\\xb5h\\x00\\x00\\x00\\x00\\x00\\x07\\x02\\x02\\x80\\x08\\x00\\x00\\x00\\x8b\\x92C\\x02\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\x80\\x04\\x00\\x00\\x00\\x83\\x00\\x00\\x00\\x13\\x02\\x02\\x80\\x04\\x00\\x00\\x00m\\x00\\x00\\x00\\x14\\x02\\x02\\x80\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x15\\x02\\x02\\x80\\x04\\x00\\x00\\x00\\x00\\x00\\x04\\x00\\x02\\x02\\x01\\x80\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 26430
          },
          {
            "timestamp": "2026-05-28 22:03:05,521",
            "thread_id": "8604",
            "caller": "0x7ff6c28bcdab",
            "parentcaller": "0x7ff6c28baa3d",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a60"
              }
            ],
            "repeated": 0,
            "id": 26431
          },
          {
            "timestamp": "2026-05-28 22:03:05,521",
            "thread_id": "8604",
            "caller": "0x7ff6c28c1a63",
            "parentcaller": "0x7ff6c28d9152",
            "category": "device",
            "api": "DeviceIoControl",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "DeviceHandle",
                "value": "0x0000089c"
              },
              {
                "name": "IoControlCode",
                "value": "0x00070020"
              },
              {
                "name": "InBuffer",
                "value": ""
              },
              {
                "name": "OutBuffer",
                "value": "\\x00l\\x82{\\x00\\x00\\x00\\x00\\x00\\x941\r\\x00\\x00\\x00\\x003\\xf0\\xdd \\x00\\x00\\x00\\x00\\xb2X\\xca\\x16\\x00\\x00\\x00\\x00\\xbc\\xe5\\xab;\\x00\\x00\\x00\\x00\\xbax\\x00\\x00\\x00\\x13\\x00\\x00\\x00\\x00\\x00\\x00\\x1b\\x05\\x00\\x003D\\xaf\\xc2\\xed\\xee\\xdc\\x01\\x00\\x00\\x00\\x00P\\x00a\\x00r\\x00t\\x00m\\x00g\\x00r\\x00 \\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 26432
          },
          {
            "timestamp": "2026-05-28 22:03:05,521",
            "thread_id": "8604",
            "caller": "0x7ff6c28ca352",
            "parentcaller": "0x7ff6c28ca1d6",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 26433
          },
          {
            "timestamp": "2026-05-28 22:03:05,521",
            "thread_id": "8604",
            "caller": "0x7ff6c28ca352",
            "parentcaller": "0x7ff6c28ca1d6",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "0",
                "pretty_value": "ThreadBasicInformation"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x03\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb0\\x88\\x9d\\xf0\\x00\\x00\\x00\\xe8\\x1e\\x00\\x00\\x00\\x00\\x00\\x00\\x9c!\\x00\\x00\\x00\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x0b\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "8604"
              }
            ],
            "repeated": 0,
            "id": 26434
          },
          {
            "timestamp": "2026-05-28 22:03:05,521",
            "thread_id": "8604",
            "caller": "0x7ff6c28ca352",
            "parentcaller": "0x7ff6c28ca1d6",
            "category": "system",
            "api": "GetSystemTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 1,
            "id": 26435
          },
          {
            "timestamp": "2026-05-28 22:03:05,521",
            "thread_id": "8604",
            "caller": "0x7ff6c28ca352",
            "parentcaller": "0x7ff6c28ca1d6",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000410"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\PcwDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00224013"
              },
              {
                "name": "InputBuffer",
                "value": "\\x00\t\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": "\\xe0G\\x00\\x00\\x10\\x00\\x00\\x00\\x0c\\x00\\x00\\x00\\x00\\x00\\x00\\x00`\\x14\\x00\\x00 \\x00\\x00\\x00!\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\n\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x98\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x88\\x00\\x00\\x00\\x01\\x00\\x00\\x00p\\x00i\\x00d\\x00_\\x004\\x00_\\x00l\\x00u\\x00i\\x00d\\x00_\\x000\\x00x\\x000\\x000\\x000\\x000\\x000\\x000\\x000\\x000\\x00_\\x000\\x00x\\x000\\x000\\x000\\x000\\x006\\x001\\x006\\x00A\\x00_\\x00p\\x00h\\x00y\\x00s\\x00_\\x000\\x00_\\x00e\\x00n\\x00g\\x00_\\x000\\x00_\\x00e\\x00n\\x00g\\x00t\\x00y\\x00p\\x00e\\x00_\\x003\\x00D\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x01\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x98\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x88\\x00\\x00\\x00\\x01\\x00\\x00\\x00p\\x00i\\x00d\\x00_\\x004\\x00_\\x00l\\x00u\\x00i\\x00d\\x00_\\x000\\x00x\\x000\\x000\\x000\\x000\\x000\\x000\\x000\\x00"
              }
            ],
            "repeated": 0,
            "id": 26436
          },
          {
            "timestamp": "2026-05-28 22:03:05,521",
            "thread_id": "5448",
            "caller": "0x7ff6c28c63dd",
            "parentcaller": "0x7ff6c28bac26",
            "category": "misc",
            "api": "NtQuerySystemInformation",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SystemInformationClass",
                "value": "5",
                "pretty_value": "FILE_OVERWRITE_IF"
              }
            ],
            "repeated": 0,
            "id": 26437
          },
          {
            "timestamp": "2026-05-28 22:03:05,521",
            "thread_id": "5448",
            "caller": "0x7ff6c28bda50",
            "parentcaller": "0x7ff6c28d9f92",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "23"
              },
              {
                "name": "ThreadInformation",
                "value": "T\\x83\r~\\x00\\x00\\x00\\x00v\\xa1hyy\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "5448"
              }
            ],
            "repeated": 0,
            "id": 26438
          },
          {
            "timestamp": "2026-05-28 22:03:05,521",
            "thread_id": "5448",
            "caller": "0x7ff6c28bdaa2",
            "parentcaller": "0x7ff6c28d9f92",
            "category": "misc",
            "api": "NtQuerySystemInformation",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SystemInformationClass",
                "value": "3",
                "pretty_value": "SystemTimeOfDayInformation"
              }
            ],
            "repeated": 0,
            "id": 26439
          },
          {
            "timestamp": "2026-05-28 22:03:05,521",
            "thread_id": "5448",
            "caller": "0x7ff6c28c4a58",
            "parentcaller": "0x7ff6c28c4bdc",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000410"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\PcwDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00224013"
              },
              {
                "name": "InputBuffer",
                "value": "\\x14\\x04\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": "\\xb8\\x01\\x00\\x00\\x10\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xa8\\x01\\x00\\x00 \\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x000\\x00\\x00\\x0c\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00`\\x00\\x00\\x00\\x00\\x00\\x00\\x00 \\x00\\x00\\x00\\x04\\x00\\x00\\x000\\x00,\\x000\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x04\\x00\\x08\\x00V!\\x83\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x05\\x00\\x08\\x00\n\\x13\\xb9\\x01\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x1a\\x00\\x08\\x00\\xb9\\xae\\xa8X\\x01\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x1b\\x00\\x04\\x00\\x93\\x9c\\x11\\x05\\x00\\x00\\x00\\x00`\\x00\\x00\\x00\\x01\\x00\\x00\\x00 \\x00\\x00\\x00\\x04\\x00\\x00\\x000\\x00,\\x001\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x04\\x00\\x08\\x00\\xaey^\\x01\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x05\\x00\\x08\\x00\\xaeL-\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x1a\\x00\\x08\\x00\\xe3\\xd5\\x14^\\x01\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x1b\\x00\\x04\\x00\\x98\\x9c\\x11\\x05\\x00\\x00\\x00\\x00h\\x00\\x00\\x00\\x02\\x00\\x00\\x00(\\x00\\x00\\x00\\x04\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 26440
          },
          {
            "timestamp": "2026-05-28 22:03:05,521",
            "thread_id": "5448",
            "caller": "0x7ff6c28c4a58",
            "parentcaller": "0x7ff6c28c4c19",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000410"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\PcwDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00224013"
              },
              {
                "name": "InputBuffer",
                "value": "\\x18\\x04\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": "x\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00h\\x00\\x00\\x00 \\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00H\\x00\\x00\\x00\\x00\\x00\\x00\\x00(\\x00\\x00\\x00\\x02\\x00\\x00\\x00d\\x00e\\x00f\\x00a\\x00u\\x00l\\x00t\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x08\\x00\\x1b6h\\xa6\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x01\\x00\\x08\\x00\\x00\\x94\\x0f\\x0f\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 26441
          },
          {
            "timestamp": "2026-05-28 22:03:05,521",
            "thread_id": "5448",
            "caller": "0x7ff6c28c6f7b",
            "parentcaller": "0x7ff6c28bdb94",
            "category": "misc",
            "api": "GlobalMemoryStatusEx",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "MemoryLoad",
                "value": "31"
              },
              {
                "name": "TotalPhysicalMB",
                "value": "8191"
              }
            ],
            "repeated": 0,
            "id": 26442
          },
          {
            "timestamp": "2026-05-28 22:03:05,521",
            "thread_id": "5448",
            "caller": "0x7ff6c28c05ac",
            "parentcaller": "0x7ff6c28bdc11",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a60"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001400",
                "pretty_value": "PROCESS_QUERY_INFORMATION|PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "748"
              },
              {
                "name": "ProcessName",
                "value": "C:\\_a4sjgfa\\bin\\GGsGuLID.exe"
              }
            ],
            "repeated": 0,
            "id": 26443
          },
          {
            "timestamp": "2026-05-28 22:03:05,521",
            "thread_id": "5448",
            "caller": "0x7ff6c28c068f",
            "parentcaller": "0x7ff6c28bdc11",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a60"
              }
            ],
            "repeated": 0,
            "id": 26444
          },
          {
            "timestamp": "2026-05-28 22:03:05,521",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c6d7d",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a60"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001400",
                "pretty_value": "PROCESS_QUERY_INFORMATION|PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "748"
              },
              {
                "name": "ProcessName",
                "value": "C:\\_a4sjgfa\\bin\\GGsGuLID.exe"
              }
            ],
            "repeated": 0,
            "id": 26445
          },
          {
            "timestamp": "2026-05-28 22:03:05,521",
            "thread_id": "5448",
            "caller": "0x7ff6c28c6de3",
            "parentcaller": "0x7ff6c28c087c",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a60"
              }
            ],
            "repeated": 0,
            "id": 26446
          },
          {
            "timestamp": "2026-05-28 22:03:05,521",
            "thread_id": "2700",
            "caller": "0x7ff6c28d9214",
            "parentcaller": "0x00000000",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "0",
                "pretty_value": "ThreadBasicInformation"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x03\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xd0\\x86\\x9d\\xf0\\x00\\x00\\x00\\xe8\\x1e\\x00\\x00\\x00\\x00\\x00\\x00\\x8c\n\\x00\\x00\\x00\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\n\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "2700"
              }
            ],
            "repeated": 0,
            "id": 26447
          },
          {
            "timestamp": "2026-05-28 22:03:05,521",
            "thread_id": "2700",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000000",
                "pretty_value": "HKEY_CLASSES_ROOT"
              },
              {
                "name": "SubKey",
                "value": "CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_CLASSES_ROOT\\CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              }
            ],
            "repeated": 0,
            "id": 26448
          },
          {
            "timestamp": "2026-05-28 22:03:05,521",
            "thread_id": "2700",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "shell32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76730000"
              }
            ],
            "repeated": 0,
            "id": 26449
          },
          {
            "timestamp": "2026-05-28 22:03:05,521",
            "thread_id": "2700",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x7ffc76730000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "shell32.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 26450
          },
          {
            "timestamp": "2026-05-28 22:03:05,521",
            "thread_id": "2700",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "SHELL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc76730000"
              },
              {
                "name": "FunctionName",
                "value": "DllGetClassObject"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc767878f0"
              }
            ],
            "repeated": 0,
            "id": 26451
          },
          {
            "timestamp": "2026-05-28 22:03:05,521",
            "thread_id": "2700",
            "caller": "0x7ff6c28c27c9",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "synchronization",
            "api": "NtFindAtom",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "AtomName",
                "value": "{57086C23-86C6-478F-AFB2-236188C8F47F} 3"
              },
              {
                "name": "Atom",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 26452
          },
          {
            "timestamp": "2026-05-28 22:03:05,521",
            "thread_id": "1496",
            "caller": "0x7ff6c28d6fb1",
            "parentcaller": "0x7ff6c28e0076",
            "category": "system",
            "api": "NtDelayExecution",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 26453
          },
          {
            "timestamp": "2026-05-28 22:03:05,521",
            "thread_id": "2700",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000000",
                "pretty_value": "HKEY_CLASSES_ROOT"
              },
              {
                "name": "SubKey",
                "value": "CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_CLASSES_ROOT\\CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              }
            ],
            "repeated": 0,
            "id": 26454
          },
          {
            "timestamp": "2026-05-28 22:03:05,521",
            "thread_id": "2700",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "shell32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76730000"
              }
            ],
            "repeated": 0,
            "id": 26455
          },
          {
            "timestamp": "2026-05-28 22:03:05,521",
            "thread_id": "2700",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x7ffc76730000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "shell32.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 26456
          },
          {
            "timestamp": "2026-05-28 22:03:05,521",
            "thread_id": "2700",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "SHELL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc76730000"
              },
              {
                "name": "FunctionName",
                "value": "DllGetClassObject"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc767878f0"
              }
            ],
            "repeated": 0,
            "id": 26457
          },
          {
            "timestamp": "2026-05-28 22:03:05,521",
            "thread_id": "2700",
            "caller": "0x7ff6c28c27c9",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "synchronization",
            "api": "NtFindAtom",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "AtomName",
                "value": "{57086C23-86C6-478F-AFB2-236188C8F47F} 3"
              },
              {
                "name": "Atom",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 26458
          },
          {
            "timestamp": "2026-05-28 22:03:05,521",
            "thread_id": "2700",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000000",
                "pretty_value": "HKEY_CLASSES_ROOT"
              },
              {
                "name": "SubKey",
                "value": "CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_CLASSES_ROOT\\CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              }
            ],
            "repeated": 0,
            "id": 26459
          },
          {
            "timestamp": "2026-05-28 22:03:05,521",
            "thread_id": "2700",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "shell32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76730000"
              }
            ],
            "repeated": 0,
            "id": 26460
          },
          {
            "timestamp": "2026-05-28 22:03:05,521",
            "thread_id": "2700",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x7ffc76730000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "shell32.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 26461
          },
          {
            "timestamp": "2026-05-28 22:03:05,521",
            "thread_id": "2700",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "SHELL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc76730000"
              },
              {
                "name": "FunctionName",
                "value": "DllGetClassObject"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc767878f0"
              }
            ],
            "repeated": 0,
            "id": 26462
          },
          {
            "timestamp": "2026-05-28 22:03:05,521",
            "thread_id": "2700",
            "caller": "0x7ff6c28c27c9",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "synchronization",
            "api": "NtFindAtom",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "AtomName",
                "value": "{57086C23-86C6-478F-AFB2-236188C8F47F} 3"
              },
              {
                "name": "Atom",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 26463
          },
          {
            "timestamp": "2026-05-28 22:03:05,521",
            "thread_id": "2700",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000000",
                "pretty_value": "HKEY_CLASSES_ROOT"
              },
              {
                "name": "SubKey",
                "value": "CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_CLASSES_ROOT\\CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance"
              }
            ],
            "repeated": 0,
            "id": 26464
          },
          {
            "timestamp": "2026-05-28 22:03:05,521",
            "thread_id": "2700",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "shell32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76730000"
              }
            ],
            "repeated": 0,
            "id": 26465
          },
          {
            "timestamp": "2026-05-28 22:03:05,521",
            "thread_id": "2700",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x7ffc76730000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "shell32.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 26466
          },
          {
            "timestamp": "2026-05-28 22:03:05,521",
            "thread_id": "2700",
            "caller": "0x7ff6c28c279b",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "SHELL32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc76730000"
              },
              {
                "name": "FunctionName",
                "value": "DllGetClassObject"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc767878f0"
              }
            ],
            "repeated": 0,
            "id": 26467
          },
          {
            "timestamp": "2026-05-28 22:03:05,521",
            "thread_id": "2700",
            "caller": "0x7ff6c28c27c9",
            "parentcaller": "0x7ff6c28c22d2",
            "category": "synchronization",
            "api": "NtFindAtom",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "AtomName",
                "value": "{57086C23-86C6-478F-AFB2-236188C8F47F} 3"
              },
              {
                "name": "Atom",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 26468
          },
          {
            "timestamp": "2026-05-28 22:03:05,521",
            "thread_id": "2700",
            "caller": "0x7ff6c28d9322",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "oleaut32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc77330000"
              }
            ],
            "repeated": 0,
            "id": 26469
          },
          {
            "timestamp": "2026-05-28 22:03:05,521",
            "thread_id": "5448",
            "caller": "0x7ff6c28bb952",
            "parentcaller": "0x7ff6c28be837",
            "category": "windows",
            "api": "PostMessageW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "WindowHandle",
                "value": "0x00010402"
              },
              {
                "name": "Message",
                "value": "0x00000464"
              }
            ],
            "repeated": 0,
            "id": 26470
          },
          {
            "timestamp": "2026-05-28 22:03:05,521",
            "thread_id": "5448",
            "caller": "0x7ff6c28be873",
            "parentcaller": "0x7ff6c28d9f92",
            "category": "windows",
            "api": "PostMessageW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "WindowHandle",
                "value": "0x000203fa"
              },
              {
                "name": "Message",
                "value": "0x000004dd"
              }
            ],
            "repeated": 0,
            "id": 26471
          },
          {
            "timestamp": "2026-05-28 22:03:05,521",
            "thread_id": "608",
            "caller": "0x7ff6c28d9e90",
            "parentcaller": "0x7ff6c28d9a49",
            "category": "windows",
            "api": "FindWindowW",
            "status": true,
            "return": "0x00010092",
            "arguments": [
              {
                "name": "ClassName",
                "value": "Shell_TrayWnd"
              },
              {
                "name": "WindowName",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 26472
          },
          {
            "timestamp": "2026-05-28 22:03:05,521",
            "thread_id": "2700",
            "caller": "0x7ffc77bf0e98",
            "parentcaller": "0x7ffc77c6b785",
            "category": "windows",
            "api": "PostMessageW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "WindowHandle",
                "value": "0x00010438"
              },
              {
                "name": "Message",
                "value": "0x00000400"
              }
            ],
            "repeated": 0,
            "id": 26473
          },
          {
            "timestamp": "2026-05-28 22:03:05,568",
            "thread_id": "8568",
            "caller": "0x7ff6c28c7bc0",
            "parentcaller": "0x7ff6c28c61c3",
            "category": "services",
            "api": "OpenSCManagerW",
            "status": true,
            "return": "0x29254e7f6d0",
            "arguments": [
              {
                "name": "MachineName",
                "value": ""
              },
              {
                "name": "DatabaseName",
                "value": ""
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000004",
                "pretty_value": "SC_MANAGER_ENUMERATE_SERVICE"
              }
            ],
            "repeated": 0,
            "id": 26474
          },
          {
            "timestamp": "2026-05-28 22:03:05,568",
            "thread_id": "8568",
            "caller": "0x7ff6c28c7bf7",
            "parentcaller": "0x7ff6c28c61c3",
            "category": "services",
            "api": "OpenServiceW",
            "status": true,
            "return": "0x29254e7f760",
            "arguments": [
              {
                "name": "ServiceControlManager",
                "value": "0x29254e7f6d0"
              },
              {
                "name": "ServiceName",
                "value": "edgeupdate"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000004",
                "pretty_value": "SERVICE_QUERY_STATUS"
              }
            ],
            "repeated": 0,
            "id": 26475
          },
          {
            "timestamp": "2026-05-28 22:03:05,662",
            "thread_id": "8568",
            "caller": "0x7ff6c28c7bc0",
            "parentcaller": "0x7ff6c28c61c3",
            "category": "services",
            "api": "OpenSCManagerW",
            "status": true,
            "return": "0x29254e7f820",
            "arguments": [
              {
                "name": "MachineName",
                "value": ""
              },
              {
                "name": "DatabaseName",
                "value": ""
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000004",
                "pretty_value": "SC_MANAGER_ENUMERATE_SERVICE"
              }
            ],
            "repeated": 0,
            "id": 26476
          },
          {
            "timestamp": "2026-05-28 22:03:05,662",
            "thread_id": "8568",
            "caller": "0x7ff6c28c7bf7",
            "parentcaller": "0x7ff6c28c61c3",
            "category": "services",
            "api": "OpenServiceW",
            "status": true,
            "return": "0x29254e7f520",
            "arguments": [
              {
                "name": "ServiceControlManager",
                "value": "0x29254e7f820"
              },
              {
                "name": "ServiceName",
                "value": "MapsBroker"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000004",
                "pretty_value": "SERVICE_QUERY_STATUS"
              }
            ],
            "repeated": 0,
            "id": 26477
          },
          {
            "timestamp": "2026-05-28 22:03:05,787",
            "thread_id": "8568",
            "caller": "0x7ff6c28c7bc0",
            "parentcaller": "0x7ff6c28c61c3",
            "category": "services",
            "api": "OpenSCManagerW",
            "status": true,
            "return": "0x29254e7f520",
            "arguments": [
              {
                "name": "MachineName",
                "value": ""
              },
              {
                "name": "DatabaseName",
                "value": ""
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000004",
                "pretty_value": "SC_MANAGER_ENUMERATE_SERVICE"
              }
            ],
            "repeated": 0,
            "id": 26478
          },
          {
            "timestamp": "2026-05-28 22:03:05,787",
            "thread_id": "8568",
            "caller": "0x7ff6c28c7bf7",
            "parentcaller": "0x7ff6c28c61c3",
            "category": "services",
            "api": "OpenServiceW",
            "status": true,
            "return": "0x29254e7f4c0",
            "arguments": [
              {
                "name": "ServiceControlManager",
                "value": "0x29254e7f520"
              },
              {
                "name": "ServiceName",
                "value": "StorSvc"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000004",
                "pretty_value": "SERVICE_QUERY_STATUS"
              }
            ],
            "repeated": 0,
            "id": 26479
          },
          {
            "timestamp": "2026-05-28 22:03:05,850",
            "thread_id": "8568",
            "caller": "0x7ff6c28c7bc0",
            "parentcaller": "0x7ff6c28c61c3",
            "category": "services",
            "api": "OpenSCManagerW",
            "status": true,
            "return": "0x29254e7f760",
            "arguments": [
              {
                "name": "MachineName",
                "value": ""
              },
              {
                "name": "DatabaseName",
                "value": ""
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000004",
                "pretty_value": "SC_MANAGER_ENUMERATE_SERVICE"
              }
            ],
            "repeated": 0,
            "id": 26480
          },
          {
            "timestamp": "2026-05-28 22:03:05,850",
            "thread_id": "8568",
            "caller": "0x7ff6c28c7bf7",
            "parentcaller": "0x7ff6c28c61c3",
            "category": "services",
            "api": "OpenServiceW",
            "status": true,
            "return": "0x29254e7f820",
            "arguments": [
              {
                "name": "ServiceControlManager",
                "value": "0x29254e7f760"
              },
              {
                "name": "ServiceName",
                "value": "StorSvc"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000004",
                "pretty_value": "SERVICE_QUERY_STATUS"
              }
            ],
            "repeated": 0,
            "id": 26481
          },
          {
            "timestamp": "2026-05-28 22:03:06,506",
            "thread_id": "2700",
            "caller": "0x7ffc77bf0e98",
            "parentcaller": "0x7ffc77c6b785",
            "category": "windows",
            "api": "PostMessageW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "WindowHandle",
                "value": "0x00010424"
              },
              {
                "name": "Message",
                "value": "0x00000400"
              }
            ],
            "repeated": 0,
            "id": 26482
          },
          {
            "timestamp": "2026-05-28 22:03:06,521",
            "thread_id": "5448",
            "caller": "0x7ff6c28bd9af",
            "parentcaller": "0x7ff6c28d9f92",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "23"
              },
              {
                "name": "ThreadInformation",
                "value": "\\xacU1~\\x00\\x00\\x00\\x00v_\\xd5Tz\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "5448"
              }
            ],
            "repeated": 0,
            "id": 26483
          },
          {
            "timestamp": "2026-05-28 22:03:06,521",
            "thread_id": "8604",
            "caller": "0x7ff6c28c4a58",
            "parentcaller": "0x7ff6c28bab11",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000410"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\PcwDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00224013"
              },
              {
                "name": "InputBuffer",
                "value": "\\x88\\x08\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": "x\\x02\\x00\\x00\\x10\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00h\\x02\\x00\\x00 \\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01<\\x06\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x90\\x00\\x00\\x00\\x00\\x00\\x00\\x00 \\x00\\x00\\x00\\x07\\x00\\x00\\x000\\x00,\\x000\\x00\\x00\\x00a\\x00n\\x00a\\x00g\\x00\\x10\\x00\\x00\\x00\\x10\\x00\\x04\\x00\\x00\\x00\\x00\\x00A\\x00p\\x00\\x10\\x00\\x00\\x00\\x1a\\x00\\x08\\x00!\\x00a\\\\x01\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x1b\\x00\\x04\\x00\\x82\"\\x1b\\x05S\\x00e\\x00\\x10\\x00\\x00\\x00\\x1c\\x00\\x08\\x00\\x8b\\xc2\\xc4\\x08\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x1d\\x00\\x04\\x00\\x82\"\\x1b\\x05)\\x00\\x00\\x00\\x10\\x00\\x00\\x00!\\x00\\x08\\x00u\\x1e?)2\\x00\\x00\\x00\\x10\\x00\\x00\\x00\"\\x00\\x04\\x00\\x9a\\xd9{\\x03o\\x00f\\x00\\x90\\x00\\x00\\x00\\x01\\x00\\x00\\x00 \\x00\\x00\\x00\\x07\\x00\\x00\\x000\\x00,\\x001\\x00\\x00\\x00n\\x00t\\x00\\x00\\x00A\\x00\\x10\\x00\\x00\\x00\\x10\\x00\\x04\\x00\\x00\\x00\\x00\\x00e\\x00n\\x00\\x10\\x00\\x00\\x00\\x1a\\x00\\x08\\x00d(\\xcda\\x01\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 26484
          },
          {
            "timestamp": "2026-05-28 22:03:06,521",
            "thread_id": "8604",
            "caller": "0x7ff6c28c7164",
            "parentcaller": "0x7ff6c28c4d2d",
            "category": "misc",
            "api": "NtQuerySystemInformation",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "SystemInformationClass",
                "value": "79"
              }
            ],
            "repeated": 0,
            "id": 26485
          },
          {
            "timestamp": "2026-05-28 22:03:06,521",
            "thread_id": "8604",
            "caller": "0x7ff6c28c71d8",
            "parentcaller": "0x7ff6c28c4d2d",
            "category": "misc",
            "api": "NtQuerySystemInformation",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SystemInformationClass",
                "value": "79"
              }
            ],
            "repeated": 0,
            "id": 26486
          },
          {
            "timestamp": "2026-05-28 22:03:06,521",
            "thread_id": "8604",
            "caller": "0x7ff6c28c4d5f",
            "parentcaller": "0x7ff6c28d9152",
            "category": "misc",
            "api": "NtQuerySystemInformation",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SystemInformationClass",
                "value": "182"
              }
            ],
            "repeated": 0,
            "id": 26487
          },
          {
            "timestamp": "2026-05-28 22:03:06,521",
            "thread_id": "8604",
            "caller": "0x7ff6c28c4d76",
            "parentcaller": "0x7ff6c28d9152",
            "category": "misc",
            "api": "GetPhysicallyInstalledSystemMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TotalMemoryInKilobytes",
                "value": "8388608"
              }
            ],
            "repeated": 0,
            "id": 26488
          },
          {
            "timestamp": "2026-05-28 22:03:06,521",
            "thread_id": "8604",
            "caller": "0x7ff6c28bcc3e",
            "parentcaller": "0x7ff6c28baa3d",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000008a4"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\Nsi"
              },
              {
                "name": "IoControlCode",
                "value": "0x00120007"
              },
              {
                "name": "InputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb1\\xa9t\\xfc\\x7f\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xc0\\xe5O\\x9e\\xf0\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb1\\xa9t\\xfc\\x7f\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xc0\\xe5O\\x9e\\xf0\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 26489
          },
          {
            "timestamp": "2026-05-28 22:03:06,521",
            "thread_id": "8604",
            "caller": "0x7ff6c28bcc3e",
            "parentcaller": "0x7ff6c28baa3d",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a54"
              }
            ],
            "repeated": 0,
            "id": 26490
          },
          {
            "timestamp": "2026-05-28 22:03:06,521",
            "thread_id": "8604",
            "caller": "0x7ff6c28bcc3e",
            "parentcaller": "0x7ff6c28baa3d",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000008a4"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\Nsi"
              },
              {
                "name": "IoControlCode",
                "value": "0x0012000f"
              },
              {
                "name": "InputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb1\\xa9t\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xd0\\xe5O\\x9e\\xf0\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\xeeO\\x9e\\xf0\\x00\\x00\\x00D\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xe6O\\x9e\\xf0\\x00\\x00\\x00\\xd8\\x00\\x00\\x00\\x00\\x00\\x00\\x00 \\xe9O\\x9e\\xf0\\x00\\x00\\x00X\\x02\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb1\\xa9t\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xd0\\xe5O\\x9e\\xf0\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\xeeO\\x9e\\xf0\\x00\\x00\\x00D\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xe6O\\x9e\\xf0\\x00\\x00\\x00\\xd8\\x00\\x00\\x00\\x00\\x00\\x00\\x00 \\xe9O\\x9e\\xf0\\x00\\x00\\x00X\\x02\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 26491
          },
          {
            "timestamp": "2026-05-28 22:03:06,521",
            "thread_id": "8604",
            "caller": "0x7ff6c28bcc3e",
            "parentcaller": "0x7ff6c28baa3d",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a54"
              }
            ],
            "repeated": 0,
            "id": 26492
          },
          {
            "timestamp": "2026-05-28 22:03:06,521",
            "thread_id": "8604",
            "caller": "0x7ff6c28bcd3d",
            "parentcaller": "0x7ff6c28baa3d",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000a54"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0012019f",
                "pretty_value": "FILE_GENERIC_READ|FILE_GENERIC_WRITE"
              },
              {
                "name": "FileName",
                "value": "\\Device\\{4C572733-2FBA-4346-9601-F86DBA666EF2}"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 26493
          },
          {
            "timestamp": "2026-05-28 22:03:06,521",
            "thread_id": "8604",
            "caller": "0x7ff6c28bcd94",
            "parentcaller": "0x7ff6c28baa3d",
            "category": "device",
            "api": "DeviceIoControl",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "DeviceHandle",
                "value": "0x00000a54"
              },
              {
                "name": "IoControlCode",
                "value": "0x0017003e"
              },
              {
                "name": "InBuffer",
                "value": "\\x07\\x01\\x01\\x00\\x04\\x01\\x01\\x80\\x14\\x01\\x01\\x80\\x01\\x01\\x02\\x00\\x02\\x01\\x02\\x00\\x03\\x01\\x02\\x00\\x04\\x01\\x02\\x00\\x08\\x02\\x02\\x80\\x01\\x02\\x02\\x80\\x07\\x02\\x02\\x80\\xff\\xff\\xff\\x80\\x13\\x02\\x02\\x80\\x14\\x02\\x02\\x80\\x15\\x02\\x02\\x80\\x02\\x02\\x01\\x80"
              },
              {
                "name": "OutBuffer",
                "value": "\\x07\\x01\\x01\\x00\\x04\\x00\\x00\\x00\\x80\\x96\\x98\\x00\\x04\\x01\\x01\\x80\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x14\\x01\\x01\\x80\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x01\\x02\\x00\\x08\\x00\\x00\\x00\\x08\\x19\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x01\\x02\\x00\\x08\\x00\\x00\\x00:t\\x00\\x00\\x00\\x00\\x00\\x00\\x03\\x01\\x02\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x04\\x01\\x02\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x08\\x02\\x02\\x80\\x08\\x00\\x00\\x005t\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x02\\x02\\x80\\x08\\x00\\x00\\x00\\x04\\xc3h\\x00\\x00\\x00\\x00\\x00\\x07\\x02\\x02\\x80\\x08\\x00\\x00\\x00\\xfb\\x97C\\x02\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\x80\\x04\\x00\\x00\\x00\\x84\\x00\\x00\\x00\\x13\\x02\\x02\\x80\\x04\\x00\\x00\\x00m\\x00\\x00\\x00\\x14\\x02\\x02\\x80\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x15\\x02\\x02\\x80\\x04\\x00\\x00\\x00\\x00\\x00\\x04\\x00\\x02\\x02\\x01\\x80\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 26494
          },
          {
            "timestamp": "2026-05-28 22:03:06,521",
            "thread_id": "8604",
            "caller": "0x7ff6c28bcdab",
            "parentcaller": "0x7ff6c28baa3d",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a54"
              }
            ],
            "repeated": 0,
            "id": 26495
          },
          {
            "timestamp": "2026-05-28 22:03:06,521",
            "thread_id": "8604",
            "caller": "0x7ff6c28c1a63",
            "parentcaller": "0x7ff6c28d9152",
            "category": "device",
            "api": "DeviceIoControl",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "DeviceHandle",
                "value": "0x0000089c"
              },
              {
                "name": "IoControlCode",
                "value": "0x00070020"
              },
              {
                "name": "InBuffer",
                "value": ""
              },
              {
                "name": "OutBuffer",
                "value": "\\x00\\x0c\\xa0{\\x00\\x00\\x00\\x00\\x00\n5\r\\x00\\x00\\x00\\x00\\x08U\\xe3 \\x00\\x00\\x00\\x00\\xea^\\xce\\x16\\x00\\x00\\x00\\x00\\xeeO;<\\x00\\x00\\x00\\x00\\xebx\\x00\\x00\\x03\\x13\\x00\\x00\\x00\\x00\\x00\\x00\\x1b\\x05\\x00\\x00\\xe7\\xd1G\\xc3\\xed\\xee\\xdc\\x01\\x00\\x00\\x00\\x00P\\x00a\\x00r\\x00t\\x00m\\x00g\\x00r\\x00 \\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 26496
          },
          {
            "timestamp": "2026-05-28 22:03:06,521",
            "thread_id": "8604",
            "caller": "0x7ff6c28ca352",
            "parentcaller": "0x7ff6c28ca1d6",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 26497
          },
          {
            "timestamp": "2026-05-28 22:03:06,521",
            "thread_id": "8604",
            "caller": "0x7ff6c28ca352",
            "parentcaller": "0x7ff6c28ca1d6",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "0",
                "pretty_value": "ThreadBasicInformation"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x03\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb0\\x88\\x9d\\xf0\\x00\\x00\\x00\\xe8\\x1e\\x00\\x00\\x00\\x00\\x00\\x00\\x9c!\\x00\\x00\\x00\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x0b\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "8604"
              }
            ],
            "repeated": 0,
            "id": 26498
          },
          {
            "timestamp": "2026-05-28 22:03:06,521",
            "thread_id": "8604",
            "caller": "0x7ff6c28ca352",
            "parentcaller": "0x7ff6c28ca1d6",
            "category": "system",
            "api": "GetSystemTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 1,
            "id": 26499
          },
          {
            "timestamp": "2026-05-28 22:03:06,521",
            "thread_id": "8604",
            "caller": "0x7ff6c28ca352",
            "parentcaller": "0x7ff6c28ca1d6",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000410"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\PcwDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00224013"
              },
              {
                "name": "InputBuffer",
                "value": "\\x00\t\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": "\\xe0G\\x00\\x00\\x10\\x00\\x00\\x00\\x0c\\x00\\x00\\x00\\x00\\x00\\x00\\x00`\\x14\\x00\\x00 \\x00\\x00\\x00!\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\n\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x98\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x88\\x00\\x00\\x00\\x01\\x00\\x00\\x00p\\x00i\\x00d\\x00_\\x004\\x00_\\x00l\\x00u\\x00i\\x00d\\x00_\\x000\\x00x\\x000\\x000\\x000\\x000\\x000\\x000\\x000\\x000\\x00_\\x000\\x00x\\x000\\x000\\x000\\x000\\x006\\x001\\x006\\x00A\\x00_\\x00p\\x00h\\x00y\\x00s\\x00_\\x000\\x00_\\x00e\\x00n\\x00g\\x00_\\x000\\x00_\\x00e\\x00n\\x00g\\x00t\\x00y\\x00p\\x00e\\x00_\\x003\\x00D\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x01\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x98\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x88\\x00\\x00\\x00\\x01\\x00\\x00\\x00p\\x00i\\x00d\\x00_\\x004\\x00_\\x00l\\x00u\\x00i\\x00d\\x00_\\x000\\x00x\\x000\\x000\\x000\\x000\\x000\\x000\\x000\\x00"
              }
            ],
            "repeated": 0,
            "id": 26500
          },
          {
            "timestamp": "2026-05-28 22:03:06,521",
            "thread_id": "5448",
            "caller": "0x7ff6c28c63dd",
            "parentcaller": "0x7ff6c28bac26",
            "category": "misc",
            "api": "NtQuerySystemInformation",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SystemInformationClass",
                "value": "5",
                "pretty_value": "SystemProcessInformation"
              }
            ],
            "repeated": 0,
            "id": 26501
          },
          {
            "timestamp": "2026-05-28 22:03:06,521",
            "thread_id": "5448",
            "caller": "0x7ff6c28bda50",
            "parentcaller": "0x7ff6c28d9f92",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "23"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x1a\\x1ap~\\x00\\x00\\x00\\x00P\\xad\\x15Uz\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "5448"
              }
            ],
            "repeated": 0,
            "id": 26502
          },
          {
            "timestamp": "2026-05-28 22:03:06,521",
            "thread_id": "5448",
            "caller": "0x7ff6c28bdaa2",
            "parentcaller": "0x7ff6c28d9f92",
            "category": "misc",
            "api": "NtQuerySystemInformation",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SystemInformationClass",
                "value": "3",
                "pretty_value": "SystemTimeOfDayInformation"
              }
            ],
            "repeated": 0,
            "id": 26503
          },
          {
            "timestamp": "2026-05-28 22:03:06,521",
            "thread_id": "5448",
            "caller": "0x7ff6c28c4a58",
            "parentcaller": "0x7ff6c28c4bdc",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000410"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\PcwDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00224013"
              },
              {
                "name": "InputBuffer",
                "value": "\\x14\\x04\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": "\\xb8\\x01\\x00\\x00\\x10\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xa8\\x01\\x00\\x00 \\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x000\\x00\\x00\\x0c\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00`\\x00\\x00\\x00\\x00\\x00\\x00\\x00 \\x00\\x00\\x00\\x04\\x00\\x00\\x000\\x00,\\x000\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x04\\x00\\x08\\x00V!\\x83\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x05\\x00\\x08\\x00\n\\x13\\xb9\\x01\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x1a\\x00\\x08\\x008!b\\\\x01\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x1b\\x00\\x04\\x00f%\\x1b\\x05\\x00\\x00\\x00\\x00`\\x00\\x00\\x00\\x01\\x00\\x00\\x00 \\x00\\x00\\x00\\x04\\x00\\x00\\x000\\x00,\\x001\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x04\\x00\\x08\\x00\\xaey^\\x01\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x05\\x00\\x08\\x00\\x08\\xaf/\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x1a\\x00\\x08\\x00\\x05N\\xcea\\x01\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x1b\\x00\\x04\\x00y%\\x1b\\x05\\x00\\x00\\x00\\x00h\\x00\\x00\\x00\\x02\\x00\\x00\\x00(\\x00\\x00\\x00\\x04\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 26504
          },
          {
            "timestamp": "2026-05-28 22:03:06,521",
            "thread_id": "5448",
            "caller": "0x7ff6c28c4a58",
            "parentcaller": "0x7ff6c28c4c19",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000410"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\PcwDrv"
              },
              {
                "name": "IoControlCode",
                "value": "0x00224013"
              },
              {
                "name": "InputBuffer",
                "value": "\\x18\\x04\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": "x\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00h\\x00\\x00\\x00 \\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00H\\x00\\x00\\x00\\x00\\x00\\x00\\x00(\\x00\\x00\\x00\\x02\\x00\\x00\\x00d\\x00e\\x00f\\x00a\\x00u\\x00l\\x00t\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x08\\x00\\x1b\\xd6\\x85\\xa6\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x01\\x00\\x08\\x00\\x00\n\\x13\\x0f\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 26505
          },
          {
            "timestamp": "2026-05-28 22:03:06,521",
            "thread_id": "5448",
            "caller": "0x7ff6c28c6f7b",
            "parentcaller": "0x7ff6c28bdb94",
            "category": "misc",
            "api": "GlobalMemoryStatusEx",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "MemoryLoad",
                "value": "31"
              },
              {
                "name": "TotalPhysicalMB",
                "value": "8191"
              }
            ],
            "repeated": 0,
            "id": 26506
          },
          {
            "timestamp": "2026-05-28 22:03:06,521",
            "thread_id": "5448",
            "caller": "0x7ff6c28c05ac",
            "parentcaller": "0x7ff6c28bdc11",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a60"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001400",
                "pretty_value": "PROCESS_QUERY_INFORMATION|PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "748"
              },
              {
                "name": "ProcessName",
                "value": "C:\\_a4sjgfa\\bin\\GGsGuLID.exe"
              }
            ],
            "repeated": 0,
            "id": 26507
          },
          {
            "timestamp": "2026-05-28 22:03:06,521",
            "thread_id": "5448",
            "caller": "0x7ff6c28c068f",
            "parentcaller": "0x7ff6c28bdc11",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a60"
              }
            ],
            "repeated": 0,
            "id": 26508
          },
          {
            "timestamp": "2026-05-28 22:03:06,521",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c6d7d",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a60"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001400",
                "pretty_value": "PROCESS_QUERY_INFORMATION|PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "748"
              },
              {
                "name": "ProcessName",
                "value": "C:\\_a4sjgfa\\bin\\GGsGuLID.exe"
              }
            ],
            "repeated": 0,
            "id": 26509
          },
          {
            "timestamp": "2026-05-28 22:03:06,521",
            "thread_id": "5448",
            "caller": "0x7ff6c28c6de3",
            "parentcaller": "0x7ff6c28c087c",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a60"
              }
            ],
            "repeated": 0,
            "id": 26510
          },
          {
            "timestamp": "2026-05-28 22:03:06,553",
            "thread_id": "5448",
            "caller": "0x7ff6c28c05ac",
            "parentcaller": "0x7ff6c28bdc11",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a60"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001400",
                "pretty_value": "PROCESS_QUERY_INFORMATION|PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "11284"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\System32\\svchost.exe"
              }
            ],
            "repeated": 0,
            "id": 26511
          },
          {
            "timestamp": "2026-05-28 22:03:06,553",
            "thread_id": "5448",
            "caller": "0x7ff6c28c068f",
            "parentcaller": "0x7ff6c28bdc11",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a60"
              }
            ],
            "repeated": 0,
            "id": 26512
          },
          {
            "timestamp": "2026-05-28 22:03:06,553",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c3e56",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a60"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001000",
                "pretty_value": "PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "11284"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\System32\\svchost.exe"
              }
            ],
            "repeated": 0,
            "id": 26513
          },
          {
            "timestamp": "2026-05-28 22:03:06,553",
            "thread_id": "5448",
            "caller": "0x7ff6c28c3ebb",
            "parentcaller": "0x7ff6c28c2d53",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a60"
              }
            ],
            "repeated": 0,
            "id": 26514
          },
          {
            "timestamp": "2026-05-28 22:03:06,553",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c3ffc",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a60"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001000",
                "pretty_value": "PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "11284"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\System32\\svchost.exe"
              }
            ],
            "repeated": 0,
            "id": 26515
          },
          {
            "timestamp": "2026-05-28 22:03:06,553",
            "thread_id": "5448",
            "caller": "0x7ff6c28c4224",
            "parentcaller": "0x7ff6c28c2da5",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a60"
              }
            ],
            "repeated": 0,
            "id": 26516
          },
          {
            "timestamp": "2026-05-28 22:03:06,553",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x292514c0002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\System32\\svchost.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 26517
          },
          {
            "timestamp": "2026-05-28 22:03:06,553",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "registry",
            "api": "NtOpenKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\en-US"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\en-US"
              }
            ],
            "repeated": 0,
            "id": 26518
          },
          {
            "timestamp": "2026-05-28 22:03:06,553",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000a60"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100001",
                "pretty_value": "FILE_READ_ACCESS|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\en-US\\svchost.exe.mui"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 26519
          },
          {
            "timestamp": "2026-05-28 22:03:06,553",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000a54"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000a60"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\en-US\\svchost.exe.mui"
              }
            ],
            "repeated": 0,
            "id": 26520
          },
          {
            "timestamp": "2026-05-28 22:03:06,553",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000a54"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x292514d0000"
              },
              {
                "name": "SectionOffset",
                "value": "0xf09ddfcf90"
              },
              {
                "name": "ViewSize",
                "value": "0x00001000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 26521
          },
          {
            "timestamp": "2026-05-28 22:03:06,553",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a54"
              }
            ],
            "repeated": 0,
            "id": 26522
          },
          {
            "timestamp": "2026-05-28 22:03:06,553",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x292514d0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              }
            ],
            "repeated": 0,
            "id": 26523
          },
          {
            "timestamp": "2026-05-28 22:03:06,553",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a60"
              }
            ],
            "repeated": 0,
            "id": 26524
          },
          {
            "timestamp": "2026-05-28 22:03:06,553",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x292514c0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              }
            ],
            "repeated": 0,
            "id": 26525
          },
          {
            "timestamp": "2026-05-28 22:03:06,553",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x292514c0002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\System32\\svchost.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 26526
          },
          {
            "timestamp": "2026-05-28 22:03:06,553",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "registry",
            "api": "NtOpenKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\en-US"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\en-US"
              }
            ],
            "repeated": 0,
            "id": 26527
          },
          {
            "timestamp": "2026-05-28 22:03:06,553",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000a60"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100001",
                "pretty_value": "FILE_READ_ACCESS|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\en-US\\svchost.exe.mui"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 26528
          },
          {
            "timestamp": "2026-05-28 22:03:06,553",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000a54"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000a60"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\en-US\\svchost.exe.mui"
              }
            ],
            "repeated": 0,
            "id": 26529
          },
          {
            "timestamp": "2026-05-28 22:03:06,553",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000a54"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x292514d0000"
              },
              {
                "name": "SectionOffset",
                "value": "0xf09ddfcf80"
              },
              {
                "name": "ViewSize",
                "value": "0x00001000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 26530
          },
          {
            "timestamp": "2026-05-28 22:03:06,553",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a54"
              }
            ],
            "repeated": 0,
            "id": 26531
          },
          {
            "timestamp": "2026-05-28 22:03:06,553",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x292514d0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              }
            ],
            "repeated": 0,
            "id": 26532
          },
          {
            "timestamp": "2026-05-28 22:03:06,553",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a60"
              }
            ],
            "repeated": 0,
            "id": 26533
          },
          {
            "timestamp": "2026-05-28 22:03:06,553",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x292514c0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              }
            ],
            "repeated": 0,
            "id": 26534
          },
          {
            "timestamp": "2026-05-28 22:03:06,600",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c38f8",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a60"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001410",
                "pretty_value": "PROCESS_VM_READ|PROCESS_QUERY_INFORMATION|PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "11284"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\System32\\svchost.exe"
              }
            ],
            "repeated": 0,
            "id": 26535
          },
          {
            "timestamp": "2026-05-28 22:03:06,600",
            "thread_id": "5448",
            "caller": "0x7ff6c28c53e5",
            "parentcaller": "0x7ff6c28c3945",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a60"
              },
              {
                "name": "BaseAddress",
                "value": "0x3698f67000"
              },
              {
                "name": "Size",
                "value": "0x000007c8"
              },
              {
                "name": "Buffer",
                "value": "\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x006\\x80\\xf7\\x7f\\x00\\x00\\xc0\\xc4\\x13x\\xfc\\x7f\\x00\\x00\\xf02\\xe0\\xff\\x8f\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xcc\\xff\\x8f\\x01\\x00\\x00\\xe0\\xc0\\x13x\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00p\\x003v\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xc7\\xff\\x8f\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00@\\xc4\\x13x\\xfc\\x7f\\x00\\x00\\x17\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00W\\xb3\\xf4}\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00P\\x07W\\xb3\\xf4}\\x00\\x00\\x00\\x00k\\xb5\\xf5}\\x00\\x00(\\x02l\\xb5\\xf5}\\x00\\x00P\\x06m\\xb5\\xf5}\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x80\\x9b\\x07m\\xe8\\xff\\xff\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x00 \\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x10\\x00\\x00\\x00@\\xad\\x13x\\xfc\\x7f\\x00\\x00\\x00\\x00\"\\x80\\x8f\\x01\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 26536
          },
          {
            "timestamp": "2026-05-28 22:03:06,600",
            "thread_id": "5448",
            "caller": "0x7ff6c28c5414",
            "parentcaller": "0x7ff6c28c3945",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a60"
              },
              {
                "name": "BaseAddress",
                "value": "0x18fffe032f0"
              },
              {
                "name": "Size",
                "value": "0x00000440"
              },
              {
                "name": "Buffer",
                "value": "6\\x07\\x00\\x006\\x07\\x00\\x00\\x01 \\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00(\\x00\\x08\\x02\\x00\\x00\\x00\\x00\\xa0>\\xe0\\xff\\x8f\\x01\\x00\\x00H\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00>\\x00@\\x00\\x00\\x00\\x00\\x0089\\xe0\\xff\\x8f\\x01\\x00\\x00h\\x00j\\x00\\x00\\x00\\x00\\x00x9\\xe0\\xff\\x8f\\x01\\x00\\x00\\xf0'\\xe0\\xff\\x8f\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x80\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00>\\x00@\\x00\\x00\\x00\\x00\\x00\\xe29\\xe0\\xff\\x8f\\x01\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\":\\xe0\\xff\\x8f\\x01\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00$:\\xe0\\xff\\x8f\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 26537
          },
          {
            "timestamp": "2026-05-28 22:03:06,600",
            "thread_id": "5448",
            "caller": "0x7ff6c28c545d",
            "parentcaller": "0x7ff6c28c3945",
            "category": "process",
            "api": "ReadProcessMemory",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a60"
              },
              {
                "name": "BaseAddress",
                "value": "0x18fffe03978"
              },
              {
                "name": "Size",
                "value": "0x00000068"
              },
              {
                "name": "Buffer",
                "value": "C\\x00:\\x00\\\\x00W\\x00i\\x00n\\x00d\\x00o\\x00w\\x00s\\x00\\\\x00S\\x00y\\x00s\\x00t\\x00e\\x00m\\x003\\x002\\x00\\\\x00s\\x00v\\x00c\\x00h\\x00o\\x00s\\x00t\\x00.\\x00e\\x00x\\x00e\\x00 \\x00-\\x00k\\x00 \\x00N\\x00e\\x00t\\x00w\\x00o\\x00r\\x00k\\x00S\\x00e\\x00r\\x00v\\x00i\\x00c\\x00e\\x00 \\x00-\\x00p\\x00"
              }
            ],
            "repeated": 0,
            "id": 26538
          },
          {
            "timestamp": "2026-05-28 22:03:06,600",
            "thread_id": "5448",
            "caller": "0x7ff6c28c39ad",
            "parentcaller": "0x7ff6c28c31bb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a60"
              }
            ],
            "repeated": 0,
            "id": 26539
          },
          {
            "timestamp": "2026-05-28 22:03:06,600",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c3746",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a60"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001000",
                "pretty_value": "PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "11284"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\System32\\svchost.exe"
              }
            ],
            "repeated": 0,
            "id": 26540
          },
          {
            "timestamp": "2026-05-28 22:03:06,600",
            "thread_id": "5448",
            "caller": "0x7ff6c28c472e",
            "parentcaller": "0x7ff6c28c375e",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a60"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x00000a54"
              }
            ],
            "repeated": 0,
            "id": 26541
          },
          {
            "timestamp": "2026-05-28 22:03:06,600",
            "thread_id": "5448",
            "caller": "0x7ff6c28c4764",
            "parentcaller": "0x7ff6c28c375e",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "39"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 26542
          },
          {
            "timestamp": "2026-05-28 22:03:06,600",
            "thread_id": "5448",
            "caller": "0x7ff6c28c47ed",
            "parentcaller": "0x7ff6c28c375e",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "39"
              },
              {
                "name": "TokenInformation",
                "value": "\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00U+T\\x92\\x02\\x00\\x00 \\x00 \\x00\\x00\\x00\\x00\\x00(U+T\\x92\\x02\\x00\\x00\\x02\\x00\\x00\\x00A\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00HU+T\\x92\\x02\\x00\\x00T\\x00S\\x00A\\x00:\\x00/\\x00/\\x00P\\x00r\\x00o\\x00c\\x00U\\x00n\\x00i\\x00q\\x00u\\x00e\\x00\\xbb\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xe2\\x03\\x0c\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 26543
          },
          {
            "timestamp": "2026-05-28 22:03:06,600",
            "thread_id": "5448",
            "caller": "0x7ff6c28c488d",
            "parentcaller": "0x7ff6c28c375e",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a54"
              }
            ],
            "repeated": 0,
            "id": 26544
          },
          {
            "timestamp": "2026-05-28 22:03:06,600",
            "thread_id": "5448",
            "caller": "0x7ff6c28c3779",
            "parentcaller": "0x7ff6c28c31c6",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a60"
              }
            ],
            "repeated": 0,
            "id": 26545
          },
          {
            "timestamp": "2026-05-28 22:03:06,631",
            "thread_id": "5448",
            "caller": "0x7ff6c28c05ac",
            "parentcaller": "0x7ff6c28bdc11",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a60"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001400",
                "pretty_value": "PROCESS_QUERY_INFORMATION|PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "11304"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\System32\\svchost.exe"
              }
            ],
            "repeated": 0,
            "id": 26546
          },
          {
            "timestamp": "2026-05-28 22:03:06,631",
            "thread_id": "5448",
            "caller": "0x7ff6c28c068f",
            "parentcaller": "0x7ff6c28bdc11",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a60"
              }
            ],
            "repeated": 0,
            "id": 26547
          },
          {
            "timestamp": "2026-05-28 22:03:06,631",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c3e56",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a60"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001000",
                "pretty_value": "PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "11304"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\System32\\svchost.exe"
              }
            ],
            "repeated": 0,
            "id": 26548
          },
          {
            "timestamp": "2026-05-28 22:03:06,631",
            "thread_id": "5448",
            "caller": "0x7ff6c28c3ebb",
            "parentcaller": "0x7ff6c28c2d53",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a60"
              }
            ],
            "repeated": 0,
            "id": 26549
          },
          {
            "timestamp": "2026-05-28 22:03:06,631",
            "thread_id": "5448",
            "caller": "0x7ff6c28c45b1",
            "parentcaller": "0x7ff6c28c3ffc",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000a60"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001000",
                "pretty_value": "PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "11304"
              },
              {
                "name": "ProcessName",
                "value": "C:\\Windows\\System32\\svchost.exe"
              }
            ],
            "repeated": 0,
            "id": 26550
          },
          {
            "timestamp": "2026-05-28 22:03:06,631",
            "thread_id": "5448",
            "caller": "0x7ff6c28c4224",
            "parentcaller": "0x7ff6c28c2da5",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a60"
              }
            ],
            "repeated": 0,
            "id": 26551
          },
          {
            "timestamp": "2026-05-28 22:03:06,631",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x292514c0002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\System32\\svchost.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 26552
          },
          {
            "timestamp": "2026-05-28 22:03:06,631",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "registry",
            "api": "NtOpenKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\en-US"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\en-US"
              }
            ],
            "repeated": 0,
            "id": 26553
          },
          {
            "timestamp": "2026-05-28 22:03:06,631",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000a60"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100001",
                "pretty_value": "FILE_READ_ACCESS|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\en-US\\svchost.exe.mui"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 26554
          },
          {
            "timestamp": "2026-05-28 22:03:06,631",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000a54"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000a60"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\en-US\\svchost.exe.mui"
              }
            ],
            "repeated": 0,
            "id": 26555
          },
          {
            "timestamp": "2026-05-28 22:03:06,631",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000a54"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x292514d0000"
              },
              {
                "name": "SectionOffset",
                "value": "0xf09ddfcf90"
              },
              {
                "name": "ViewSize",
                "value": "0x00001000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 26556
          },
          {
            "timestamp": "2026-05-28 22:03:06,631",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a54"
              }
            ],
            "repeated": 0,
            "id": 26557
          },
          {
            "timestamp": "2026-05-28 22:03:06,631",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x292514d0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              }
            ],
            "repeated": 0,
            "id": 26558
          },
          {
            "timestamp": "2026-05-28 22:03:06,631",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a60"
              }
            ],
            "repeated": 0,
            "id": 26559
          },
          {
            "timestamp": "2026-05-28 22:03:06,631",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e25",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x292514c0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              }
            ],
            "repeated": 0,
            "id": 26560
          },
          {
            "timestamp": "2026-05-28 22:03:06,631",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x292514c0002",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\System32\\svchost.exe"
              },
              {
                "name": "dwFlags",
                "value": "0x00000022"
              }
            ],
            "repeated": 0,
            "id": 26561
          },
          {
            "timestamp": "2026-05-28 22:03:06,631",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "registry",
            "api": "NtOpenKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\en-US"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\en-US"
              }
            ],
            "repeated": 0,
            "id": 26562
          },
          {
            "timestamp": "2026-05-28 22:03:06,631",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000a60"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100001",
                "pretty_value": "FILE_READ_ACCESS|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\en-US\\svchost.exe.mui"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 26563
          },
          {
            "timestamp": "2026-05-28 22:03:06,631",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000a54"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000a60"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\en-US\\svchost.exe.mui"
              }
            ],
            "repeated": 0,
            "id": 26564
          },
          {
            "timestamp": "2026-05-28 22:03:06,631",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000a54"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x292514d0000"
              },
              {
                "name": "SectionOffset",
                "value": "0xf09ddfcf80"
              },
              {
                "name": "ViewSize",
                "value": "0x00001000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 26565
          },
          {
            "timestamp": "2026-05-28 22:03:06,631",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a54"
              }
            ],
            "repeated": 0,
            "id": 26566
          },
          {
            "timestamp": "2026-05-28 22:03:06,631",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x292514d0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              }
            ],
            "repeated": 0,
            "id": 26567
          },
          {
            "timestamp": "2026-05-28 22:03:06,631",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000a60"
              }
            ],
            "repeated": 0,
            "id": 26568
          },
          {
            "timestamp": "2026-05-28 22:03:06,631",
            "thread_id": "5448",
            "caller": "0x7ff6c28c2e75",
            "parentcaller": "0x7ff6c28c07fb",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x292514c0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              }
            ],
            "repeated": 0,
            "id": 26569
          }
        ],
        "threads": [
          "1496",
          "4708",
          "3956",
          "3940",
          "4592",
          "4692",
          "2700",
          "5448",
          "7832",
          "520",
          "608",
          "612",
          "60",
          "1004",
          "1276",
          "3700",
          "8568",
          "8588",
          "8592",
          "8596",
          "8600",
          "8604",
          "9180",
          "2988"
        ],
        "environ": {
          "UserName": "admin",
          "ComputerName": "JOHNS-PC",
          "WindowsPath": "C:\\Windows",
          "TempPath": "C:\\Users\\admin\\AppData\\Local\\Temp\\",
          "CommandLine": "\"C:\\Windows\\system32\\taskmgr.exe\" /4",
          "RegisteredOwner": "",
          "RegisteredOrganization": "",
          "ProductName": "",
          "SystemVolumeSerialNumber": "12bc-0026",
          "SystemVolumeGUID": "528c102f-0000-0000-0000-300300000000",
          "MachineGUID": "",
          "MainExeBase": "0x7ff6c28b0000",
          "MainExeSize": "0x00130000",
          "Bitness": "64-bit"
        },
        "file_activities": {
          "read_files": [],
          "write_files": [],
          "delete_files": []
        }
      },
      {
        "process_id": 9188,
        "process_name": "msedge.exe",
        "parent_id": 4584,
        "module_path": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe",
        "first_seen": "2026-05-28 22:02:01,988",
        "calls": [
          {
            "timestamp": "2026-05-28 22:02:02,051",
            "thread_id": "9192",
            "caller": "0x00000000",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\System32\\bcryptprimitives"
              },
              {
                "name": "DllBase",
                "value": "0x7ffc75fa0000"
              }
            ],
            "repeated": 0,
            "id": 0
          },
          {
            "timestamp": "2026-05-28 22:02:02,051",
            "thread_id": "9192",
            "caller": "0x00000000",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\SYSTEM32\\version"
              },
              {
                "name": "DllBase",
                "value": "0x7ffc63ba0000"
              }
            ],
            "repeated": 0,
            "id": 1
          },
          {
            "timestamp": "2026-05-28 22:02:02,066",
            "thread_id": "9192",
            "caller": "0x00000000",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\System32\\shcore"
              },
              {
                "name": "DllBase",
                "value": "0x7ffc775b0000"
              }
            ],
            "repeated": 0,
            "id": 2
          },
          {
            "timestamp": "2026-05-28 22:02:02,066",
            "thread_id": "9192",
            "caller": "0x00000000",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "unload"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\System32\\shcore"
              },
              {
                "name": "DllBase",
                "value": "0x7ffc775b0000"
              }
            ],
            "repeated": 0,
            "id": 3
          },
          {
            "timestamp": "2026-05-28 22:02:02,066",
            "thread_id": "9192",
            "caller": "0x00000000",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\SYSTEM32\\Wldp"
              },
              {
                "name": "DllBase",
                "value": "0x7ffc75020000"
              }
            ],
            "repeated": 0,
            "id": 4
          },
          {
            "timestamp": "2026-05-28 22:02:02,066",
            "thread_id": "9192",
            "caller": "0x00000000",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\SYSTEM32\\windows.storage"
              },
              {
                "name": "DllBase",
                "value": "0x7ffc73790000"
              }
            ],
            "repeated": 0,
            "id": 5
          },
          {
            "timestamp": "2026-05-28 22:02:02,066",
            "thread_id": "9192",
            "caller": "0x00000000",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\System32\\SHCORE"
              },
              {
                "name": "DllBase",
                "value": "0x7ffc775b0000"
              }
            ],
            "repeated": 0,
            "id": 6
          },
          {
            "timestamp": "2026-05-28 22:02:02,066",
            "thread_id": "9192",
            "caller": "0x00000000",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\SYSTEM32\\ntmarta"
              },
              {
                "name": "DllBase",
                "value": "0x7ffc747f0000"
              }
            ],
            "repeated": 0,
            "id": 7
          },
          {
            "timestamp": "2026-05-28 22:02:02,207",
            "thread_id": "9192",
            "caller": "0x00000000",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\SYSTEM32\\WINMM"
              },
              {
                "name": "DllBase",
                "value": "0x7ffc5ca40000"
              }
            ],
            "repeated": 0,
            "id": 8
          },
          {
            "timestamp": "2026-05-28 22:02:02,207",
            "thread_id": "9192",
            "caller": "0x00000000",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\148.0.3967.83\\msedge"
              },
              {
                "name": "DllBase",
                "value": "0x7ffc1e940000"
              }
            ],
            "repeated": 0,
            "id": 9
          },
          {
            "timestamp": "2026-05-28 22:02:02,207",
            "thread_id": "9192",
            "caller": "0x00000000",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\SYSTEM32\\KBDUS"
              },
              {
                "name": "DllBase",
                "value": "0x7ffc620a0000"
              }
            ],
            "repeated": 0,
            "id": 10
          },
          {
            "timestamp": "2026-05-28 22:02:02,207",
            "thread_id": "9192",
            "caller": "0x00000000",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "unload"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\SYSTEM32\\KBDUS"
              },
              {
                "name": "DllBase",
                "value": "0x7ffc620a0000"
              }
            ],
            "repeated": 0,
            "id": 11
          },
          {
            "timestamp": "2026-05-28 22:02:02,207",
            "thread_id": "9192",
            "caller": "0x00000000",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\system32\\uxtheme"
              },
              {
                "name": "DllBase",
                "value": "0x7ffc730a0000"
              }
            ],
            "repeated": 0,
            "id": 12
          },
          {
            "timestamp": "2026-05-28 22:02:02,223",
            "thread_id": "9212",
            "caller": "0x7ffc7570c5f2",
            "parentcaller": "0x7ffc757089f3",
            "category": "process",
            "api": "NtCreateUserProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000370"
              },
              {
                "name": "ThreadHandle",
                "value": "0x0000036c"
              },
              {
                "name": "ProcessDesiredAccess",
                "value": "0x02000000"
              },
              {
                "name": "ThreadDesiredAccess",
                "value": "0x02000000"
              },
              {
                "name": "ProcessFileName",
                "value": ""
              },
              {
                "name": "ThreadName",
                "value": ""
              },
              {
                "name": "ImagePathName",
                "value": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe"
              },
              {
                "name": "CommandLine",
                "value": "\"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe\" --type=crashpad-handler \"--user-data-dir=C:\\Users\\admin\\AppData\\Local\\Microsoft\\Edge\\User Data\" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler \"--database=C:\\Users\\admin\\AppData\\Local\\Microsoft\\Edge\\User Data\\Crashpad\" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=148.0.7778.180 \"--annotation=exe=C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe\" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=148.0.3967.83 --initial-client-data=0x348,0x34c,0x350,0x344,0x358,0x7ffc32485d58,0x7ffc32485d64,0x7ffc32485d70"
              },
              {
                "name": "DllPath",
                "value": ""
              },
              {
                "name": "ProcessId",
                "value": "9204"
              }
            ],
            "repeated": 0,
            "id": 13
          },
          {
            "timestamp": "2026-05-28 22:02:02,223",
            "thread_id": "9192",
            "caller": "0x00000000",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\SYSTEM32\\kernel.appcore"
              },
              {
                "name": "DllBase",
                "value": "0x7ffc734b0000"
              }
            ],
            "repeated": 0,
            "id": 14
          },
          {
            "timestamp": "2026-05-28 22:02:02,223",
            "thread_id": "9192",
            "caller": "0x00000000",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\System32\\clbcatq"
              },
              {
                "name": "DllBase",
                "value": "0x7ffc765f0000"
              }
            ],
            "repeated": 0,
            "id": 15
          },
          {
            "timestamp": "2026-05-28 22:02:02,223",
            "thread_id": "9212",
            "caller": "0x7ffc757089f3",
            "parentcaller": "0x7ffc771f7d70",
            "category": "process",
            "api": "CreateProcessInternalW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ApplicationName",
                "value": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe"
              },
              {
                "name": "CommandLine",
                "value": "\"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe\" --type=crashpad-handler \"--user-data-dir=C:\\Users\\admin\\AppData\\Local\\Microsoft\\Edge\\User Data\" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler \"--database=C:\\Users\\admin\\AppData\\Local\\Microsoft\\Edge\\User Data\\Crashpad\" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=148.0.7778.180 \"--annotation=exe=C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe\" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=148.0.3967.83 --initial-client-data=0x348,0x34c,0x350,0x344,0x358,0x7ffc32485d58,0x7ffc32485d64,0x7ffc32485d70"
              },
              {
                "name": "CreationFlags",
                "value": "0x00080000",
                "pretty_value": "EXTENDED_STARTUPINFO_PRESENT"
              },
              {
                "name": "ProcessId",
                "value": "9204"
              },
              {
                "name": "ThreadId",
                "value": "9208"
              },
              {
                "name": "ParentHandle",
                "value": "0xffffffff"
              },
              {
                "name": "ProcessHandle",
                "value": "0x00000370"
              },
              {
                "name": "ThreadHandle",
                "value": "0x0000036c"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 16
          },
          {
            "timestamp": "2026-05-28 22:02:02,223",
            "thread_id": "9192",
            "caller": "0x00000000",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\System32\\Windows.System.Profile.PlatformDiagnosticsAndUsageDataSettings"
              },
              {
                "name": "DllBase",
                "value": "0x7ffc6aa20000"
              }
            ],
            "repeated": 0,
            "id": 17
          },
          {
            "timestamp": "2026-05-28 22:02:02,223",
            "thread_id": "9192",
            "caller": "0x00000000",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\SYSTEM32\\msvcp110_win"
              },
              {
                "name": "DllBase",
                "value": "0x7ffc74740000"
              }
            ],
            "repeated": 0,
            "id": 18
          },
          {
            "timestamp": "2026-05-28 22:02:02,223",
            "thread_id": "9192",
            "caller": "0x00000000",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\SYSTEM32\\policymanager"
              },
              {
                "name": "DllBase",
                "value": "0x7ffc6fce0000"
              }
            ],
            "repeated": 0,
            "id": 19
          },
          {
            "timestamp": "2026-05-28 22:02:02,223",
            "thread_id": "9192",
            "caller": "0x00000000",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "unload"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\SYSTEM32\\policymanager"
              },
              {
                "name": "DllBase",
                "value": "0x7ffc6fce0000"
              }
            ],
            "repeated": 0,
            "id": 20
          },
          {
            "timestamp": "2026-05-28 22:02:02,223",
            "thread_id": "9192",
            "caller": "0x00000000",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "unload"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\SYSTEM32\\msvcp110_win"
              },
              {
                "name": "DllBase",
                "value": "0x7ffc74740000"
              }
            ],
            "repeated": 0,
            "id": 21
          },
          {
            "timestamp": "2026-05-28 22:02:02,223",
            "thread_id": "9192",
            "caller": "0x00000000",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\SYSTEM32\\USERENV"
              },
              {
                "name": "DllBase",
                "value": "0x7ffc75560000"
              }
            ],
            "repeated": 0,
            "id": 22
          },
          {
            "timestamp": "2026-05-28 22:02:02,223",
            "thread_id": "9192",
            "caller": "0x00000000",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\SYSTEM32\\gpapi"
              },
              {
                "name": "DllBase",
                "value": "0x7ffc73f40000"
              }
            ],
            "repeated": 0,
            "id": 23
          },
          {
            "timestamp": "2026-05-28 22:02:02,223",
            "thread_id": "9192",
            "caller": "0x00000000",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\SYSTEM32\\wkscli"
              },
              {
                "name": "DllBase",
                "value": "0x7ffc747d0000"
              }
            ],
            "repeated": 0,
            "id": 24
          },
          {
            "timestamp": "2026-05-28 22:02:02,223",
            "thread_id": "9192",
            "caller": "0x00000000",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\SYSTEM32\\netutils"
              },
              {
                "name": "DllBase",
                "value": "0x7ffc74b80000"
              }
            ],
            "repeated": 0,
            "id": 25
          },
          {
            "timestamp": "2026-05-28 22:02:02,238",
            "thread_id": "9192",
            "caller": "0x00000000",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\SYSTEM32\\msvcp110_win"
              },
              {
                "name": "DllBase",
                "value": "0x7ffc74740000"
              }
            ],
            "repeated": 0,
            "id": 26
          },
          {
            "timestamp": "2026-05-28 22:02:02,238",
            "thread_id": "9192",
            "caller": "0x00000000",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\SYSTEM32\\MDMRegistration"
              },
              {
                "name": "DllBase",
                "value": "0x7ffc5fa20000"
              }
            ],
            "repeated": 0,
            "id": 27
          },
          {
            "timestamp": "2026-05-28 22:02:02,238",
            "thread_id": "9192",
            "caller": "0x00000000",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\SYSTEM32\\powrprof"
              },
              {
                "name": "DllBase",
                "value": "0x7ffc75460000"
              }
            ],
            "repeated": 0,
            "id": 28
          },
          {
            "timestamp": "2026-05-28 22:02:02,238",
            "thread_id": "9192",
            "caller": "0x00000000",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\SYSTEM32\\CRYPTSP"
              },
              {
                "name": "DllBase",
                "value": "0x7ffc74f70000"
              }
            ],
            "repeated": 0,
            "id": 29
          },
          {
            "timestamp": "2026-05-28 22:02:02,238",
            "thread_id": "9192",
            "caller": "0x00000000",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\SYSTEM32\\ncrypt"
              },
              {
                "name": "DllBase",
                "value": "0x7ffc75090000"
              }
            ],
            "repeated": 0,
            "id": 30
          },
          {
            "timestamp": "2026-05-28 22:02:02,238",
            "thread_id": "9192",
            "caller": "0x00000000",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\System32\\imagehlp"
              },
              {
                "name": "DllBase",
                "value": "0x7ffc77f00000"
              }
            ],
            "repeated": 0,
            "id": 31
          },
          {
            "timestamp": "2026-05-28 22:02:02,238",
            "thread_id": "9192",
            "caller": "0x00000000",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\SYSTEM32\\tbs"
              },
              {
                "name": "DllBase",
                "value": "0x7ffc6da10000"
              }
            ],
            "repeated": 0,
            "id": 32
          },
          {
            "timestamp": "2026-05-28 22:02:02,238",
            "thread_id": "9192",
            "caller": "0x00000000",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\SYSTEM32\\DMCmnUtils"
              },
              {
                "name": "DllBase",
                "value": "0x7ffc5b690000"
              }
            ],
            "repeated": 0,
            "id": 33
          },
          {
            "timestamp": "2026-05-28 22:02:02,238",
            "thread_id": "9192",
            "caller": "0x00000000",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\SYSTEM32\\omadmapi"
              },
              {
                "name": "DllBase",
                "value": "0x7ffc63be0000"
              }
            ],
            "repeated": 0,
            "id": 34
          },
          {
            "timestamp": "2026-05-28 22:02:02,238",
            "thread_id": "9192",
            "caller": "0x00000000",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\SYSTEM32\\UMPDC"
              },
              {
                "name": "DllBase",
                "value": "0x7ffc75440000"
              }
            ],
            "repeated": 0,
            "id": 35
          },
          {
            "timestamp": "2026-05-28 22:02:02,238",
            "thread_id": "9192",
            "caller": "0x00000000",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\SYSTEM32\\NTASN1"
              },
              {
                "name": "DllBase",
                "value": "0x7ffc75050000"
              }
            ],
            "repeated": 0,
            "id": 36
          },
          {
            "timestamp": "2026-05-28 22:02:02,238",
            "thread_id": "9192",
            "caller": "0x00000000",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "unload"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\SYSTEM32\\MDMRegistration"
              },
              {
                "name": "DllBase",
                "value": "0x7ffc5fa20000"
              }
            ],
            "repeated": 0,
            "id": 37
          },
          {
            "timestamp": "2026-05-28 22:02:02,238",
            "thread_id": "9192",
            "caller": "0x00000000",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "unload"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\SYSTEM32\\omadmapi"
              },
              {
                "name": "DllBase",
                "value": "0x7ffc63be0000"
              }
            ],
            "repeated": 0,
            "id": 38
          },
          {
            "timestamp": "2026-05-28 22:02:02,238",
            "thread_id": "9192",
            "caller": "0x00000000",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "unload"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\SYSTEM32\\msvcp110_win"
              },
              {
                "name": "DllBase",
                "value": "0x7ffc74740000"
              }
            ],
            "repeated": 0,
            "id": 39
          },
          {
            "timestamp": "2026-05-28 22:02:02,238",
            "thread_id": "9192",
            "caller": "0x00000000",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "unload"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\SYSTEM32\\powrprof"
              },
              {
                "name": "DllBase",
                "value": "0x7ffc75460000"
              }
            ],
            "repeated": 0,
            "id": 40
          },
          {
            "timestamp": "2026-05-28 22:02:02,238",
            "thread_id": "9192",
            "caller": "0x00000000",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "unload"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\SYSTEM32\\UMPDC"
              },
              {
                "name": "DllBase",
                "value": "0x7ffc75440000"
              }
            ],
            "repeated": 0,
            "id": 41
          },
          {
            "timestamp": "2026-05-28 22:02:02,238",
            "thread_id": "9192",
            "caller": "0x00000000",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "unload"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\SYSTEM32\\DMCmnUtils"
              },
              {
                "name": "DllBase",
                "value": "0x7ffc5b690000"
              }
            ],
            "repeated": 0,
            "id": 42
          },
          {
            "timestamp": "2026-05-28 22:02:02,238",
            "thread_id": "9192",
            "caller": "0x00000000",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "unload"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\SYSTEM32\\CRYPTSP"
              },
              {
                "name": "DllBase",
                "value": "0x7ffc74f70000"
              }
            ],
            "repeated": 0,
            "id": 43
          },
          {
            "timestamp": "2026-05-28 22:02:02,238",
            "thread_id": "9192",
            "caller": "0x00000000",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "unload"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\SYSTEM32\\ncrypt"
              },
              {
                "name": "DllBase",
                "value": "0x7ffc75090000"
              }
            ],
            "repeated": 0,
            "id": 44
          },
          {
            "timestamp": "2026-05-28 22:02:02,238",
            "thread_id": "9192",
            "caller": "0x00000000",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "unload"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\SYSTEM32\\NTASN1"
              },
              {
                "name": "DllBase",
                "value": "0x7ffc75050000"
              }
            ],
            "repeated": 0,
            "id": 45
          },
          {
            "timestamp": "2026-05-28 22:02:02,238",
            "thread_id": "9192",
            "caller": "0x00000000",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "unload"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\SYSTEM32\\tbs"
              },
              {
                "name": "DllBase",
                "value": "0x7ffc6da10000"
              }
            ],
            "repeated": 0,
            "id": 46
          },
          {
            "timestamp": "2026-05-28 22:02:02,238",
            "thread_id": "9192",
            "caller": "0x00000000",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "unload"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\System32\\imagehlp"
              },
              {
                "name": "DllBase",
                "value": "0x7ffc77f00000"
              }
            ],
            "repeated": 0,
            "id": 47
          },
          {
            "timestamp": "2026-05-28 22:02:02,238",
            "thread_id": "9192",
            "caller": "0x00000000",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\SYSTEM32\\netapi32"
              },
              {
                "name": "DllBase",
                "value": "0x7ffc6c4d0000"
              }
            ],
            "repeated": 0,
            "id": 48
          },
          {
            "timestamp": "2026-05-28 22:02:02,238",
            "thread_id": "9192",
            "caller": "0x00000000",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\SYSTEM32\\msvcp110_win"
              },
              {
                "name": "DllBase",
                "value": "0x7ffc74740000"
              }
            ],
            "repeated": 0,
            "id": 49
          },
          {
            "timestamp": "2026-05-28 22:02:02,238",
            "thread_id": "9192",
            "caller": "0x00000000",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\SYSTEM32\\cryptsp"
              },
              {
                "name": "DllBase",
                "value": "0x7ffc74f70000"
              }
            ],
            "repeated": 0,
            "id": 50
          },
          {
            "timestamp": "2026-05-28 22:02:02,238",
            "thread_id": "9192",
            "caller": "0x00000000",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\SYSTEM32\\DSREG"
              },
              {
                "name": "DllBase",
                "value": "0x7ffc72b70000"
              }
            ],
            "repeated": 0,
            "id": 51
          },
          {
            "timestamp": "2026-05-28 22:02:02,238",
            "thread_id": "9192",
            "caller": "0x00000000",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\SYSTEM32\\profapi"
              },
              {
                "name": "DllBase",
                "value": "0x7ffc755e0000"
              }
            ],
            "repeated": 0,
            "id": 52
          },
          {
            "timestamp": "2026-05-28 22:02:02,238",
            "thread_id": "9192",
            "caller": "0x00000000",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "unload"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\SYSTEM32\\netapi32"
              },
              {
                "name": "DllBase",
                "value": "0x7ffc6c4d0000"
              }
            ],
            "repeated": 0,
            "id": 53
          },
          {
            "timestamp": "2026-05-28 22:02:02,238",
            "thread_id": "9192",
            "caller": "0x00000000",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "unload"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\SYSTEM32\\DSREG"
              },
              {
                "name": "DllBase",
                "value": "0x7ffc72b70000"
              }
            ],
            "repeated": 0,
            "id": 54
          },
          {
            "timestamp": "2026-05-28 22:02:02,238",
            "thread_id": "9192",
            "caller": "0x00000000",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "unload"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\SYSTEM32\\msvcp110_win"
              },
              {
                "name": "DllBase",
                "value": "0x7ffc74740000"
              }
            ],
            "repeated": 0,
            "id": 55
          },
          {
            "timestamp": "2026-05-28 22:02:02,238",
            "thread_id": "9192",
            "caller": "0x00000000",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "unload"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\SYSTEM32\\cryptsp"
              },
              {
                "name": "DllBase",
                "value": "0x7ffc74f70000"
              }
            ],
            "repeated": 0,
            "id": 56
          },
          {
            "timestamp": "2026-05-28 22:02:02,254",
            "thread_id": "9192",
            "caller": "0x00000000",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\System32\\MSCTF"
              },
              {
                "name": "DllBase",
                "value": "0x7ffc77400000"
              }
            ],
            "repeated": 0,
            "id": 57
          },
          {
            "timestamp": "2026-05-28 22:02:02,254",
            "thread_id": "9276",
            "caller": "0x00000000",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\System32\\AssignedAccessRuntime"
              },
              {
                "name": "DllBase",
                "value": "0x7ffc6a9c0000"
              }
            ],
            "repeated": 0,
            "id": 58
          },
          {
            "timestamp": "2026-05-28 22:02:02,254",
            "thread_id": "9192",
            "caller": "0x00000000",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\SYSTEM32\\powrprof"
              },
              {
                "name": "DllBase",
                "value": "0x7ffc75460000"
              }
            ],
            "repeated": 0,
            "id": 59
          },
          {
            "timestamp": "2026-05-28 22:02:02,254",
            "thread_id": "9192",
            "caller": "0x00000000",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\SYSTEM32\\UMPDC"
              },
              {
                "name": "DllBase",
                "value": "0x7ffc75440000"
              }
            ],
            "repeated": 0,
            "id": 60
          },
          {
            "timestamp": "2026-05-28 22:02:02,254",
            "thread_id": "9276",
            "caller": "0x00000000",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\System32\\SystemSettings.DataModel"
              },
              {
                "name": "DllBase",
                "value": "0x7ffc6bce0000"
              }
            ],
            "repeated": 0,
            "id": 61
          },
          {
            "timestamp": "2026-05-28 22:02:02,254",
            "thread_id": "9192",
            "caller": "0x00000000",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\SYSTEM32\\DWrite"
              },
              {
                "name": "DllBase",
                "value": "0x7ffc69960000"
              }
            ],
            "repeated": 0,
            "id": 62
          },
          {
            "timestamp": "2026-05-28 22:02:02,254",
            "thread_id": "9192",
            "caller": "0x00000000",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\WinSxS\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.19041.3636_none_60b6a03d71f818d5\\COMCTL32"
              },
              {
                "name": "DllBase",
                "value": "0x7ffc61e00000"
              }
            ],
            "repeated": 0,
            "id": 63
          },
          {
            "timestamp": "2026-05-28 22:02:02,254",
            "thread_id": "9192",
            "caller": "0x00000000",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\SYSTEM32\\DPAPI"
              },
              {
                "name": "DllBase",
                "value": "0x7ffc75430000"
              }
            ],
            "repeated": 0,
            "id": 64
          },
          {
            "timestamp": "2026-05-28 22:02:02,254",
            "thread_id": "9336",
            "caller": "0x00000000",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\System32\\OneCoreUAPCommonProxyStub"
              },
              {
                "name": "DllBase",
                "value": "0x7ffc6f400000"
              }
            ],
            "repeated": 0,
            "id": 65
          },
          {
            "timestamp": "2026-05-28 22:02:02,254",
            "thread_id": "9192",
            "caller": "0x00000000",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\SYSTEM32\\IPHLPAPI"
              },
              {
                "name": "DllBase",
                "value": "0x7ffc74a70000"
              }
            ],
            "repeated": 0,
            "id": 66
          },
          {
            "timestamp": "2026-05-28 22:02:02,269",
            "thread_id": "9192",
            "caller": "0x00000000",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\system32\\NLAapi"
              },
              {
                "name": "DllBase",
                "value": "0x7ffc70b80000"
              }
            ],
            "repeated": 0,
            "id": 67
          },
          {
            "timestamp": "2026-05-28 22:02:02,269",
            "thread_id": "9192",
            "caller": "0x00000000",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\System32\\NSI"
              },
              {
                "name": "DllBase",
                "value": "0x7ffc771d0000"
              }
            ],
            "repeated": 0,
            "id": 68
          },
          {
            "timestamp": "2026-05-28 22:02:02,269",
            "thread_id": "9192",
            "caller": "0x00000000",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\SYSTEM32\\dhcpcsvc6"
              },
              {
                "name": "DllBase",
                "value": "0x7ffc6e0c0000"
              }
            ],
            "repeated": 0,
            "id": 69
          },
          {
            "timestamp": "2026-05-28 22:02:02,269",
            "thread_id": "9332",
            "caller": "0x00000000",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\System32\\CFGMGR32"
              },
              {
                "name": "DllBase",
                "value": "0x7ffc75f50000"
              }
            ],
            "repeated": 0,
            "id": 70
          },
          {
            "timestamp": "2026-05-28 22:02:02,269",
            "thread_id": "9364",
            "caller": "0x00000000",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\System32\\StructuredQuery"
              },
              {
                "name": "DllBase",
                "value": "0x7ffc6ba50000"
              }
            ],
            "repeated": 0,
            "id": 71
          },
          {
            "timestamp": "2026-05-28 22:02:02,269",
            "thread_id": "9192",
            "caller": "0x00000000",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\SYSTEM32\\dhcpcsvc"
              },
              {
                "name": "DllBase",
                "value": "0x7ffc6e0a0000"
              }
            ],
            "repeated": 0,
            "id": 72
          },
          {
            "timestamp": "2026-05-28 22:02:02,269",
            "thread_id": "9364",
            "caller": "0x00000000",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\SYSTEM32\\PROPSYS"
              },
              {
                "name": "DllBase",
                "value": "0x7ffc728f0000"
              }
            ],
            "repeated": 0,
            "id": 73
          },
          {
            "timestamp": "2026-05-28 22:02:02,269",
            "thread_id": "9192",
            "caller": "0x00000000",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\SYSTEM32\\DNSAPI"
              },
              {
                "name": "DllBase",
                "value": "0x7ffc74ab0000"
              }
            ],
            "repeated": 0,
            "id": 74
          },
          {
            "timestamp": "2026-05-28 22:02:02,269",
            "thread_id": "9400",
            "caller": "0x00000000",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\System32\\Windows.StateRepositoryPS"
              },
              {
                "name": "DllBase",
                "value": "0x7ffc665a0000"
              }
            ],
            "repeated": 0,
            "id": 75
          },
          {
            "timestamp": "2026-05-28 22:02:02,269",
            "thread_id": "9192",
            "caller": "0x00000000",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\System32\\CoreMessaging"
              },
              {
                "name": "DllBase",
                "value": "0x7ffc729f0000"
              }
            ],
            "repeated": 0,
            "id": 76
          },
          {
            "timestamp": "2026-05-28 22:02:02,269",
            "thread_id": "9192",
            "caller": "0x00000000",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\SYSTEM32\\wintypes"
              },
              {
                "name": "DllBase",
                "value": "0x7ffc71ec0000"
              }
            ],
            "repeated": 0,
            "id": 77
          },
          {
            "timestamp": "2026-05-28 22:02:02,269",
            "thread_id": "9192",
            "caller": "0x00000000",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\System32\\CoreUIComponents"
              },
              {
                "name": "DllBase",
                "value": "0x7ffc72590000"
              }
            ],
            "repeated": 0,
            "id": 78
          },
          {
            "timestamp": "2026-05-28 22:02:02,269",
            "thread_id": "9192",
            "caller": "0x00000000",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\SYSTEM32\\textinputframework"
              },
              {
                "name": "DllBase",
                "value": "0x7ffc69d70000"
              }
            ],
            "repeated": 0,
            "id": 79
          },
          {
            "timestamp": "2026-05-28 22:02:02,269",
            "thread_id": "9364",
            "caller": "0x00000000",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\system32\\Windows.Storage.Search"
              },
              {
                "name": "DllBase",
                "value": "0x7ffc664d0000"
              }
            ],
            "repeated": 0,
            "id": 80
          },
          {
            "timestamp": "2026-05-28 22:02:02,285",
            "thread_id": "9192",
            "caller": "0x00000000",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\System32\\twinapi.appcore"
              },
              {
                "name": "DllBase",
                "value": "0x7ffc6ff20000"
              }
            ],
            "repeated": 0,
            "id": 81
          },
          {
            "timestamp": "2026-05-28 22:02:02,285",
            "thread_id": "9192",
            "caller": "0x00000000",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\system32\\twinapi"
              },
              {
                "name": "DllBase",
                "value": "0x7ffc60c70000"
              }
            ],
            "repeated": 0,
            "id": 82
          },
          {
            "timestamp": "2026-05-28 22:02:02,285",
            "thread_id": "9400",
            "caller": "0x00000000",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\system32\\mssprxy"
              },
              {
                "name": "DllBase",
                "value": "0x7ffc65b50000"
              }
            ],
            "repeated": 0,
            "id": 83
          },
          {
            "timestamp": "2026-05-28 22:02:02,285",
            "thread_id": "9192",
            "caller": "0x00000000",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\SYSTEM32\\wevtapi"
              },
              {
                "name": "DllBase",
                "value": "0x7ffc6ed50000"
              }
            ],
            "repeated": 0,
            "id": 84
          },
          {
            "timestamp": "2026-05-28 22:02:02,285",
            "thread_id": "9192",
            "caller": "0x00000000",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\System32\\WindowManagementAPI"
              },
              {
                "name": "DllBase",
                "value": "0x7ffc70130000"
              }
            ],
            "repeated": 0,
            "id": 85
          },
          {
            "timestamp": "2026-05-28 22:02:02,285",
            "thread_id": "9192",
            "caller": "0x00000000",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\System32\\InputHost"
              },
              {
                "name": "DllBase",
                "value": "0x7ffc69e70000"
              }
            ],
            "repeated": 0,
            "id": 86
          },
          {
            "timestamp": "2026-05-28 22:02:02,285",
            "thread_id": "9192",
            "caller": "0x00000000",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\System32\\Windows.UI"
              },
              {
                "name": "DllBase",
                "value": "0x7ffc69fd0000"
              }
            ],
            "repeated": 0,
            "id": 87
          },
          {
            "timestamp": "2026-05-28 22:02:02,285",
            "thread_id": "9336",
            "caller": "0x00000000",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\SYSTEM32\\edputil"
              },
              {
                "name": "DllBase",
                "value": "0x7ffc650f0000"
              }
            ],
            "repeated": 0,
            "id": 88
          },
          {
            "timestamp": "2026-05-28 22:02:02,301",
            "thread_id": "9412",
            "caller": "0x00000000",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\SYSTEM32\\WTSAPI32"
              },
              {
                "name": "DllBase",
                "value": "0x7ffc72b20000"
              }
            ],
            "repeated": 0,
            "id": 89
          },
          {
            "timestamp": "2026-05-28 22:02:02,301",
            "thread_id": "9412",
            "caller": "0x00000000",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\SYSTEM32\\WINSTA"
              },
              {
                "name": "DllBase",
                "value": "0x7ffc75370000"
              }
            ],
            "repeated": 0,
            "id": 90
          },
          {
            "timestamp": "2026-05-28 22:02:02,316",
            "thread_id": "9480",
            "caller": "0x00000000",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\SYSTEM32\\ColorAdapterClient"
              },
              {
                "name": "DllBase",
                "value": "0x7ffc6fd90000"
              }
            ],
            "repeated": 0,
            "id": 91
          },
          {
            "timestamp": "2026-05-28 22:02:02,316",
            "thread_id": "9480",
            "caller": "0x00000000",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\SYSTEM32\\mscms"
              },
              {
                "name": "DllBase",
                "value": "0x7ffc6fdb0000"
              }
            ],
            "repeated": 0,
            "id": 92
          },
          {
            "timestamp": "2026-05-28 22:02:02,316",
            "thread_id": "9288",
            "caller": "0x00000000",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\SYSTEM32\\WINHTTP"
              },
              {
                "name": "DllBase",
                "value": "0x7ffc707b0000"
              }
            ],
            "repeated": 0,
            "id": 93
          },
          {
            "timestamp": "2026-05-28 22:02:02,316",
            "thread_id": "9316",
            "caller": "0x00000000",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\148.0.3967.83\\oneauth"
              },
              {
                "name": "DllBase",
                "value": "0x7ffc1e370000"
              }
            ],
            "repeated": 0,
            "id": 94
          },
          {
            "timestamp": "2026-05-28 22:02:02,332",
            "thread_id": "9316",
            "caller": "0x00000000",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\SYSTEM32\\Secur32"
              },
              {
                "name": "DllBase",
                "value": "0x7ffc68dc0000"
              }
            ],
            "repeated": 0,
            "id": 95
          },
          {
            "timestamp": "2026-05-28 22:02:02,332",
            "thread_id": "9276",
            "caller": "0x00000000",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\System32\\iertutil"
              },
              {
                "name": "DllBase",
                "value": "0x7ffc6b370000"
              }
            ],
            "repeated": 0,
            "id": 96
          },
          {
            "timestamp": "2026-05-28 22:02:02,348",
            "thread_id": "9504",
            "caller": "0x7ffc7570c5f2",
            "parentcaller": "0x7ffc75709666",
            "category": "process",
            "api": "NtCreateUserProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000009fc"
              },
              {
                "name": "ThreadHandle",
                "value": "0x000009f8"
              },
              {
                "name": "ProcessDesiredAccess",
                "value": "0x02000000"
              },
              {
                "name": "ThreadDesiredAccess",
                "value": "0x02000000"
              },
              {
                "name": "ProcessFileName",
                "value": ""
              },
              {
                "name": "ThreadName",
                "value": ""
              },
              {
                "name": "ImagePathName",
                "value": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe"
              },
              {
                "name": "CommandLine",
                "value": "\"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe\" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --startup-read-main-dll --metrics-shmem-handle=2252,i,1852722750093770922,12337795973288601513,524288 --field-trial-handle=2464,i,11618049249894349634,12934656804764563957,262144 --variations-seed-version --pseudonymization-salt-handle=2472,i,15884246703223372676,9125995165493510780,4 --trace-process-track-uuid=3190708989122997041 --mojo-platform-channel-handle=2544 /prefetch:3"
              },
              {
                "name": "DllPath",
                "value": ""
              },
              {
                "name": "ProcessId",
                "value": "9660"
              }
            ],
            "repeated": 0,
            "id": 97
          },
          {
            "timestamp": "2026-05-28 22:02:02,348",
            "thread_id": "9276",
            "caller": "0x00000000",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\System32\\Windows.Web"
              },
              {
                "name": "DllBase",
                "value": "0x7ffc65020000"
              }
            ],
            "repeated": 0,
            "id": 98
          },
          {
            "timestamp": "2026-05-28 22:02:02,348",
            "thread_id": "9192",
            "caller": "0x00000000",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\System32\\Windows.UI.Immersive"
              },
              {
                "name": "DllBase",
                "value": "0x7ffc69be0000"
              }
            ],
            "repeated": 0,
            "id": 99
          },
          {
            "timestamp": "2026-05-28 22:02:02,379",
            "thread_id": "9476",
            "caller": "0x00000000",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\SYSTEM32\\LINKINFO"
              },
              {
                "name": "DllBase",
                "value": "0x7ffc5e640000"
              }
            ],
            "repeated": 0,
            "id": 100
          },
          {
            "timestamp": "2026-05-28 22:02:02,426",
            "thread_id": "9504",
            "caller": "0x7ffc75709666",
            "parentcaller": "0x7ffc7604cec4",
            "category": "process",
            "api": "CreateProcessInternalW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ApplicationName",
                "value": ""
              },
              {
                "name": "CommandLine",
                "value": "\"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe\" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --startup-read-main-dll --metrics-shmem-handle=2252,i,1852722750093770922,12337795973288601513,524288 --field-trial-handle=2464,i,11618049249894349634,12934656804764563957,262144 --variations-seed-version --pseudonymization-salt-handle=2472,i,15884246703223372676,9125995165493510780,4 --trace-process-track-uuid=3190708989122997041 --mojo-platform-channel-handle=2544 /prefetch:3"
              },
              {
                "name": "CreationFlags",
                "value": "0x00080000",
                "pretty_value": "EXTENDED_STARTUPINFO_PRESENT"
              },
              {
                "name": "ProcessId",
                "value": "9660"
              },
              {
                "name": "ThreadId",
                "value": "9664"
              },
              {
                "name": "ParentHandle",
                "value": "0xffffffff"
              },
              {
                "name": "ProcessHandle",
                "value": "0x000009fc"
              },
              {
                "name": "ThreadHandle",
                "value": "0x000009f8"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 101
          },
          {
            "timestamp": "2026-05-28 22:02:02,426",
            "thread_id": "9472",
            "caller": "0x7ff734847d66",
            "parentcaller": "0x7ff7348481c2",
            "category": "process",
            "api": "NtCreateUserProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000c04"
              },
              {
                "name": "ThreadHandle",
                "value": "0x00000a58"
              },
              {
                "name": "ProcessDesiredAccess",
                "value": "0x02000000"
              },
              {
                "name": "ThreadDesiredAccess",
                "value": "0x02000000"
              },
              {
                "name": "ProcessFileName",
                "value": ""
              },
              {
                "name": "ThreadName",
                "value": ""
              },
              {
                "name": "ImagePathName",
                "value": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe"
              },
              {
                "name": "CommandLine",
                "value": "\"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe\" --type=gpu-process --gpu-preferences=SAAAAAAAAADgAAAEAAAAAAAAAAAAAGAAAQAAAAAAAAAAAAAAAAAAAAIAAAAAAAAAAAAAAAAAAAAQAAAAAAAAABAAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --startup-read-main-dll --metrics-shmem-handle=2148,i,10847598894621438095,12789521635842580643,262144 --field-trial-handle=2464,i,11618049249894349634,12934656804764563957,262144 --variations-seed-version --pseudonymization-salt-handle=2472,i,15884246703223372676,9125995165493510780,4 --trace-process-track-uuid=3190708988185955192 --mojo-platform-channel-handle=2460 /prefetch:2"
              },
              {
                "name": "DllPath",
                "value": ""
              },
              {
                "name": "ProcessId",
                "value": "9744"
              }
            ],
            "repeated": 0,
            "id": 102
          },
          {
            "timestamp": "2026-05-28 22:02:02,426",
            "thread_id": "9724",
            "caller": "0x7ff734847d66",
            "parentcaller": "0x7ff7348481c2",
            "category": "process",
            "api": "NtCreateUserProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000c34"
              },
              {
                "name": "ThreadHandle",
                "value": "0x00000c30"
              },
              {
                "name": "ProcessDesiredAccess",
                "value": "0x02000000"
              },
              {
                "name": "ThreadDesiredAccess",
                "value": "0x02000000"
              },
              {
                "name": "ProcessFileName",
                "value": ""
              },
              {
                "name": "ThreadName",
                "value": ""
              },
              {
                "name": "ImagePathName",
                "value": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe"
              },
              {
                "name": "CommandLine",
                "value": "\"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe\" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --startup-read-main-dll --metrics-shmem-handle=2712,i,12124658266742785438,6673008252034019867,524288 --field-trial-handle=2464,i,11618049249894349634,12934656804764563957,262144 --variations-seed-version --pseudonymization-salt-handle=2472,i,15884246703223372676,9125995165493510780,4 --trace-process-track-uuid=3190708990060038890 --mojo-platform-channel-handle=2552 /prefetch:8"
              },
              {
                "name": "DllPath",
                "value": ""
              },
              {
                "name": "ProcessId",
                "value": "9756"
              }
            ],
            "repeated": 0,
            "id": 103
          },
          {
            "timestamp": "2026-05-28 22:02:02,457",
            "thread_id": "9192",
            "caller": "0x00000000",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\system32\\dxgi"
              },
              {
                "name": "DllBase",
                "value": "0x7ffc73f70000"
              }
            ],
            "repeated": 0,
            "id": 104
          },
          {
            "timestamp": "2026-05-28 22:02:02,473",
            "thread_id": "9192",
            "caller": "0x00000000",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\system32\\d3d11"
              },
              {
                "name": "DllBase",
                "value": "0x7ffc71690000"
              }
            ],
            "repeated": 0,
            "id": 105
          },
          {
            "timestamp": "2026-05-28 22:02:02,473",
            "thread_id": "9192",
            "caller": "0x00000000",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\system32\\dcomp"
              },
              {
                "name": "DllBase",
                "value": "0x7ffc72020000"
              }
            ],
            "repeated": 0,
            "id": 106
          },
          {
            "timestamp": "2026-05-28 22:02:02,473",
            "thread_id": "9472",
            "caller": "0x7ff734847d66",
            "parentcaller": "0x7ff7348481c2",
            "category": "process",
            "api": "CreateProcessInternalW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ApplicationName",
                "value": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe"
              },
              {
                "name": "CommandLine",
                "value": "\"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe\" --type=gpu-process --gpu-preferences=SAAAAAAAAADgAAAEAAAAAAAAAAAAAGAAAQAAAAAAAAAAAAAAAAAAAAIAAAAAAAAAAAAAAAAAAAAQAAAAAAAAABAAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --startup-read-main-dll --metrics-shmem-handle=2148,i,10847598894621438095,12789521635842580643,262144 --field-trial-handle=2464,i,11618049249894349634,12934656804764563957,262144 --variations-seed-version --pseudonymization-salt-handle=2472,i,15884246703223372676,9125995165493510780,4 --trace-process-track-uuid=3190708988185955192 --mojo-platform-channel-handle=2460 /prefetch:2"
              },
              {
                "name": "CreationFlags",
                "value": "0x0008040c",
                "pretty_value": "CREATE_SUSPENDED|DETACHED_PROCESS|CREATE_UNICODE_ENVIRONMENT|EXTENDED_STARTUPINFO_PRESENT"
              },
              {
                "name": "ProcessId",
                "value": "9744"
              },
              {
                "name": "ThreadId",
                "value": "9748"
              },
              {
                "name": "ParentHandle",
                "value": "0xffffffff"
              },
              {
                "name": "ProcessHandle",
                "value": "0x00000c04"
              },
              {
                "name": "ThreadHandle",
                "value": "0x00000a58"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 107
          },
          {
            "timestamp": "2026-05-28 22:02:02,473",
            "thread_id": "9724",
            "caller": "0x7ff734847d66",
            "parentcaller": "0x7ff7348481c2",
            "category": "process",
            "api": "CreateProcessInternalW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ApplicationName",
                "value": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe"
              },
              {
                "name": "CommandLine",
                "value": "\"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe\" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --startup-read-main-dll --metrics-shmem-handle=2712,i,12124658266742785438,6673008252034019867,524288 --field-trial-handle=2464,i,11618049249894349634,12934656804764563957,262144 --variations-seed-version --pseudonymization-salt-handle=2472,i,15884246703223372676,9125995165493510780,4 --trace-process-track-uuid=3190708990060038890 --mojo-platform-channel-handle=2552 /prefetch:8"
              },
              {
                "name": "CreationFlags",
                "value": "0x0008040c",
                "pretty_value": "CREATE_SUSPENDED|DETACHED_PROCESS|CREATE_UNICODE_ENVIRONMENT|EXTENDED_STARTUPINFO_PRESENT"
              },
              {
                "name": "ProcessId",
                "value": "9756"
              },
              {
                "name": "ThreadId",
                "value": "9760"
              },
              {
                "name": "ParentHandle",
                "value": "0xffffffff"
              },
              {
                "name": "ProcessHandle",
                "value": "0x00000c34"
              },
              {
                "name": "ThreadHandle",
                "value": "0x00000c30"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 108
          },
          {
            "timestamp": "2026-05-28 22:02:02,473",
            "thread_id": "9192",
            "caller": "0x00000000",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\system32\\dataexchange"
              },
              {
                "name": "DllBase",
                "value": "0x7ffc5f830000"
              }
            ],
            "repeated": 0,
            "id": 109
          },
          {
            "timestamp": "2026-05-28 22:02:02,535",
            "thread_id": "9316",
            "caller": "0x00000000",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\System32\\Windows.System.Profile.RetailInfo"
              },
              {
                "name": "DllBase",
                "value": "0x7ffc63bf0000"
              }
            ],
            "repeated": 0,
            "id": 110
          },
          {
            "timestamp": "2026-05-28 22:02:02,598",
            "thread_id": "9472",
            "caller": "0x7ff734847d66",
            "parentcaller": "0x7ff7348481c2",
            "category": "process",
            "api": "NtCreateUserProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000ef4"
              },
              {
                "name": "ThreadHandle",
                "value": "0x00000ef0"
              },
              {
                "name": "ProcessDesiredAccess",
                "value": "0x02000000"
              },
              {
                "name": "ThreadDesiredAccess",
                "value": "0x02000000"
              },
              {
                "name": "ProcessFileName",
                "value": ""
              },
              {
                "name": "ThreadName",
                "value": ""
              },
              {
                "name": "ImagePathName",
                "value": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe"
              },
              {
                "name": "CommandLine",
                "value": "\"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe\" --type=renderer --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale=en_AU --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --time-ticks-at-unix-epoch=-1780005649456729 --launch-time-ticks=73085097 --ssd-no-pressure-read-main-dll --metrics-shmem-handle=3520,i,12993274521700679940,8746294588575262201,2097152 --field-trial-handle=2464,i,11618049249894349634,12934656804764563957,262144 --variations-seed-version --pseudonymization-salt-handle=2472,i,15884246703223372676,9125995165493510780,4 --trace-process-track-uuid=3190708991934122588 --mojo-platform-channel-handle=3556 /prefetch:1"
              },
              {
                "name": "DllPath",
                "value": ""
              },
              {
                "name": "ProcessId",
                "value": "9972"
              }
            ],
            "repeated": 0,
            "id": 111
          },
          {
            "timestamp": "2026-05-28 22:02:02,613",
            "thread_id": "9476",
            "caller": "0x7ff734847d66",
            "parentcaller": "0x7ff7348481c2",
            "category": "process",
            "api": "NtCreateUserProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000d28"
              },
              {
                "name": "ThreadHandle",
                "value": "0x0000086c"
              },
              {
                "name": "ProcessDesiredAccess",
                "value": "0x02000000"
              },
              {
                "name": "ThreadDesiredAccess",
                "value": "0x02000000"
              },
              {
                "name": "ProcessFileName",
                "value": ""
              },
              {
                "name": "ThreadName",
                "value": ""
              },
              {
                "name": "ImagePathName",
                "value": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe"
              },
              {
                "name": "CommandLine",
                "value": "\"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe\" --type=renderer --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale=en_AU --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --time-ticks-at-unix-epoch=-1780005649456729 --launch-time-ticks=73086337 --skip-read-main-dll --metrics-shmem-handle=3364,i,8287753549644527570,15394987965169516576,2097152 --field-trial-handle=2464,i,11618049249894349634,12934656804764563957,262144 --variations-seed-version --pseudonymization-salt-handle=2472,i,15884246703223372676,9125995165493510780,4 --trace-process-track-uuid=3190708990997080739 --mojo-platform-channel-handle=3564 /prefetch:1"
              },
              {
                "name": "DllPath",
                "value": ""
              },
              {
                "name": "ProcessId",
                "value": "10004"
              }
            ],
            "repeated": 0,
            "id": 112
          },
          {
            "timestamp": "2026-05-28 22:02:02,613",
            "thread_id": "9476",
            "caller": "0x7ff734847d66",
            "parentcaller": "0x7ff7348481c2",
            "category": "process",
            "api": "CreateProcessInternalW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ApplicationName",
                "value": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe"
              },
              {
                "name": "CommandLine",
                "value": "\"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe\" --type=renderer --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale=en_AU --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --time-ticks-at-unix-epoch=-1780005649456729 --launch-time-ticks=73086337 --skip-read-main-dll --metrics-shmem-handle=3364,i,8287753549644527570,15394987965169516576,2097152 --field-trial-handle=2464,i,11618049249894349634,12934656804764563957,262144 --variations-seed-version --pseudonymization-salt-handle=2472,i,15884246703223372676,9125995165493510780,4 --trace-process-track-uuid=3190708990997080739 --mojo-platform-channel-handle=3564 /prefetch:1"
              },
              {
                "name": "CreationFlags",
                "value": "0x0008040c",
                "pretty_value": "CREATE_SUSPENDED|DETACHED_PROCESS|CREATE_UNICODE_ENVIRONMENT|EXTENDED_STARTUPINFO_PRESENT"
              },
              {
                "name": "ProcessId",
                "value": "10004"
              },
              {
                "name": "ThreadId",
                "value": "10008"
              },
              {
                "name": "ParentHandle",
                "value": "0xffffffff"
              },
              {
                "name": "ProcessHandle",
                "value": "0x00000d28"
              },
              {
                "name": "ThreadHandle",
                "value": "0x0000086c"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 113
          },
          {
            "timestamp": "2026-05-28 22:02:02,613",
            "thread_id": "9472",
            "caller": "0x7ff734847d66",
            "parentcaller": "0x7ff7348481c2",
            "category": "process",
            "api": "CreateProcessInternalW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ApplicationName",
                "value": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe"
              },
              {
                "name": "CommandLine",
                "value": "\"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe\" --type=renderer --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale=en_AU --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --time-ticks-at-unix-epoch=-1780005649456729 --launch-time-ticks=73085097 --ssd-no-pressure-read-main-dll --metrics-shmem-handle=3520,i,12993274521700679940,8746294588575262201,2097152 --field-trial-handle=2464,i,11618049249894349634,12934656804764563957,262144 --variations-seed-version --pseudonymization-salt-handle=2472,i,15884246703223372676,9125995165493510780,4 --trace-process-track-uuid=3190708991934122588 --mojo-platform-channel-handle=3556 /prefetch:1"
              },
              {
                "name": "CreationFlags",
                "value": "0x0008040c",
                "pretty_value": "CREATE_SUSPENDED|DETACHED_PROCESS|CREATE_UNICODE_ENVIRONMENT|EXTENDED_STARTUPINFO_PRESENT"
              },
              {
                "name": "ProcessId",
                "value": "9972"
              },
              {
                "name": "ThreadId",
                "value": "9976"
              },
              {
                "name": "ParentHandle",
                "value": "0xffffffff"
              },
              {
                "name": "ProcessHandle",
                "value": "0x00000ef4"
              },
              {
                "name": "ThreadHandle",
                "value": "0x00000ef0"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 114
          },
          {
            "timestamp": "2026-05-28 22:02:02,629",
            "thread_id": "9192",
            "caller": "0x00000000",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\SYSTEM32\\OLEACC"
              },
              {
                "name": "DllBase",
                "value": "0x7ffc5f9a0000"
              }
            ],
            "repeated": 0,
            "id": 115
          },
          {
            "timestamp": "2026-05-28 22:02:02,660",
            "thread_id": "9192",
            "caller": "0x00000000",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\system32\\directmanipulation"
              },
              {
                "name": "DllBase",
                "value": "0x7ffc67700000"
              }
            ],
            "repeated": 0,
            "id": 116
          },
          {
            "timestamp": "2026-05-28 22:02:02,738",
            "thread_id": "9192",
            "caller": "0x00000000",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\SYSTEM32\\dwmapi"
              },
              {
                "name": "DllBase",
                "value": "0x7ffc73480000"
              }
            ],
            "repeated": 0,
            "id": 117
          },
          {
            "timestamp": "2026-05-28 22:02:02,785",
            "thread_id": "9528",
            "caller": "0x00000000",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\SYSTEM32\\MSASN1"
              },
              {
                "name": "DllBase",
                "value": "0x7ffc751b0000"
              }
            ],
            "repeated": 0,
            "id": 118
          },
          {
            "timestamp": "2026-05-28 22:02:02,848",
            "thread_id": "9496",
            "caller": "0x00000000",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Users\\admin\\AppData\\Local\\Microsoft\\Edge\\User Data\\Well Known Domains\\1.2.0.0\\well_known_domains"
              },
              {
                "name": "DllBase",
                "value": "0x7ffc1a480000"
              }
            ],
            "repeated": 0,
            "id": 119
          },
          {
            "timestamp": "2026-05-28 22:02:02,863",
            "thread_id": "9528",
            "caller": "0x00000000",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\SYSTEM32\\CRYPTSP"
              },
              {
                "name": "DllBase",
                "value": "0x7ffc74f70000"
              }
            ],
            "repeated": 0,
            "id": 120
          },
          {
            "timestamp": "2026-05-28 22:02:02,863",
            "thread_id": "9528",
            "caller": "0x00000000",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\system32\\rsaenh"
              },
              {
                "name": "DllBase",
                "value": "0x7ffc746b0000"
              }
            ],
            "repeated": 0,
            "id": 121
          },
          {
            "timestamp": "2026-05-28 22:02:02,879",
            "thread_id": "10236",
            "caller": "0x00000000",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\System32\\Windows.Security.Authentication.Web.Core"
              },
              {
                "name": "DllBase",
                "value": "0x7ffc63280000"
              }
            ],
            "repeated": 0,
            "id": 122
          },
          {
            "timestamp": "2026-05-28 22:02:02,879",
            "thread_id": "9400",
            "caller": "0x00000000",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\System32\\OneCoreCommonProxyStub"
              },
              {
                "name": "DllBase",
                "value": "0x7ffc66790000"
              }
            ],
            "repeated": 0,
            "id": 123
          },
          {
            "timestamp": "2026-05-28 22:02:02,879",
            "thread_id": "9400",
            "caller": "0x00000000",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\System32\\vaultcli"
              },
              {
                "name": "DllBase",
                "value": "0x7ffc5e650000"
              }
            ],
            "repeated": 0,
            "id": 124
          },
          {
            "timestamp": "2026-05-28 22:02:02,910",
            "thread_id": "9400",
            "caller": "0x00000000",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\System32\\MicrosoftAccountWAMExtension"
              },
              {
                "name": "DllBase",
                "value": "0x7ffc1a3f0000"
              }
            ],
            "repeated": 0,
            "id": 125
          },
          {
            "timestamp": "2026-05-28 22:02:04,223",
            "thread_id": "9276",
            "caller": "0x00000000",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\SYSTEM32\\msvcp110_win"
              },
              {
                "name": "DllBase",
                "value": "0x7ffc74740000"
              }
            ],
            "repeated": 0,
            "id": 126
          },
          {
            "timestamp": "2026-05-28 22:02:04,223",
            "thread_id": "9276",
            "caller": "0x00000000",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\SYSTEM32\\policymanager"
              },
              {
                "name": "DllBase",
                "value": "0x7ffc6fce0000"
              }
            ],
            "repeated": 0,
            "id": 127
          },
          {
            "timestamp": "2026-05-28 22:02:04,238",
            "thread_id": "9276",
            "caller": "0x00000000",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "unload"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\SYSTEM32\\policymanager"
              },
              {
                "name": "DllBase",
                "value": "0x7ffc6fce0000"
              }
            ],
            "repeated": 0,
            "id": 128
          },
          {
            "timestamp": "2026-05-28 22:02:04,238",
            "thread_id": "9276",
            "caller": "0x00000000",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "unload"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\SYSTEM32\\msvcp110_win"
              },
              {
                "name": "DllBase",
                "value": "0x7ffc74740000"
              }
            ],
            "repeated": 0,
            "id": 129
          },
          {
            "timestamp": "2026-05-28 22:02:05,394",
            "thread_id": "9268",
            "caller": "0x00000000",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\SYSTEM32\\sxs"
              },
              {
                "name": "DllBase",
                "value": "0x7ffc754b0000"
              }
            ],
            "repeated": 0,
            "id": 130
          },
          {
            "timestamp": "2026-05-28 22:02:05,394",
            "thread_id": "9268",
            "caller": "0x00000000",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\SYSTEM32\\usermgrcli"
              },
              {
                "name": "DllBase",
                "value": "0x7ffc70650000"
              }
            ],
            "repeated": 0,
            "id": 131
          },
          {
            "timestamp": "2026-05-28 22:02:05,394",
            "thread_id": "9268",
            "caller": "0x00000000",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\System32\\Windows.Internal.UI.Shell.WindowTabManager"
              },
              {
                "name": "DllBase",
                "value": "0x7ffc5d4d0000"
              }
            ],
            "repeated": 0,
            "id": 132
          },
          {
            "timestamp": "2026-05-28 22:02:06,629",
            "thread_id": "9588",
            "caller": "0x00000000",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\System32\\ShellCommonCommonProxyStub"
              },
              {
                "name": "DllBase",
                "value": "0x7ffc5cae0000"
              }
            ],
            "repeated": 0,
            "id": 133
          },
          {
            "timestamp": "2026-05-28 22:02:09,160",
            "thread_id": "9276",
            "caller": "0x7ff734847d66",
            "parentcaller": "0x7ff7348481c2",
            "category": "process",
            "api": "NtCreateUserProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000014d0"
              },
              {
                "name": "ThreadHandle",
                "value": "0x000014a8"
              },
              {
                "name": "ProcessDesiredAccess",
                "value": "0x02000000"
              },
              {
                "name": "ThreadDesiredAccess",
                "value": "0x02000000"
              },
              {
                "name": "ProcessFileName",
                "value": ""
              },
              {
                "name": "ThreadName",
                "value": ""
              },
              {
                "name": "ImagePathName",
                "value": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe"
              },
              {
                "name": "CommandLine",
                "value": "\"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe\" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --skip-read-main-dll --metrics-shmem-handle=5272,i,14100473808991986883,1552638804429653106,524288 --field-trial-handle=2464,i,11618049249894349634,12934656804764563957,262144 --variations-seed-version --pseudonymization-salt-handle=2472,i,15884246703223372676,9125995165493510780,4 --trace-process-track-uuid=3190708992871164437 --mojo-platform-channel-handle=5284 /prefetch:8"
              },
              {
                "name": "DllPath",
                "value": ""
              },
              {
                "name": "ProcessId",
                "value": "10420"
              }
            ],
            "repeated": 0,
            "id": 134
          },
          {
            "timestamp": "2026-05-28 22:02:09,176",
            "thread_id": "9276",
            "caller": "0x7ff734847d66",
            "parentcaller": "0x7ff7348481c2",
            "category": "process",
            "api": "CreateProcessInternalW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ApplicationName",
                "value": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe"
              },
              {
                "name": "CommandLine",
                "value": "\"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe\" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --skip-read-main-dll --metrics-shmem-handle=5272,i,14100473808991986883,1552638804429653106,524288 --field-trial-handle=2464,i,11618049249894349634,12934656804764563957,262144 --variations-seed-version --pseudonymization-salt-handle=2472,i,15884246703223372676,9125995165493510780,4 --trace-process-track-uuid=3190708992871164437 --mojo-platform-channel-handle=5284 /prefetch:8"
              },
              {
                "name": "CreationFlags",
                "value": "0x0008040c",
                "pretty_value": "CREATE_SUSPENDED|DETACHED_PROCESS|CREATE_UNICODE_ENVIRONMENT|EXTENDED_STARTUPINFO_PRESENT"
              },
              {
                "name": "ProcessId",
                "value": "10420"
              },
              {
                "name": "ThreadId",
                "value": "10424"
              },
              {
                "name": "ParentHandle",
                "value": "0xffffffff"
              },
              {
                "name": "ProcessHandle",
                "value": "0x000014d0"
              },
              {
                "name": "ThreadHandle",
                "value": "0x000014a8"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 135
          },
          {
            "timestamp": "2026-05-28 22:02:10,394",
            "thread_id": "9280",
            "caller": "0x00000000",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\System32\\SETUPAPI"
              },
              {
                "name": "DllBase",
                "value": "0x7ffc77700000"
              }
            ],
            "repeated": 0,
            "id": 136
          },
          {
            "timestamp": "2026-05-28 22:02:10,394",
            "thread_id": "9408",
            "caller": "0x00000000",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\System32\\netprofm"
              },
              {
                "name": "DllBase",
                "value": "0x7ffc70770000"
              }
            ],
            "repeated": 0,
            "id": 137
          },
          {
            "timestamp": "2026-05-28 22:02:10,394",
            "thread_id": "9280",
            "caller": "0x00000000",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\SYSTEM32\\DEVOBJ"
              },
              {
                "name": "DllBase",
                "value": "0x7ffc753d0000"
              }
            ],
            "repeated": 0,
            "id": 138
          },
          {
            "timestamp": "2026-05-28 22:02:10,394",
            "thread_id": "9280",
            "caller": "0x00000000",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\System32\\WINTRUST"
              },
              {
                "name": "DllBase",
                "value": "0x7ffc75ee0000"
              }
            ],
            "repeated": 0,
            "id": 139
          },
          {
            "timestamp": "2026-05-28 22:02:10,394",
            "thread_id": "9408",
            "caller": "0x00000000",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\System32\\npmproxy"
              },
              {
                "name": "DllBase",
                "value": "0x7ffc6cee0000"
              }
            ],
            "repeated": 0,
            "id": 140
          },
          {
            "timestamp": "2026-05-28 22:02:10,426",
            "thread_id": "9472",
            "caller": "0x7ff734847d66",
            "parentcaller": "0x7ff7348481c2",
            "category": "process",
            "api": "NtCreateUserProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00001640"
              },
              {
                "name": "ThreadHandle",
                "value": "0x00001618"
              },
              {
                "name": "ProcessDesiredAccess",
                "value": "0x02000000"
              },
              {
                "name": "ThreadDesiredAccess",
                "value": "0x02000000"
              },
              {
                "name": "ProcessFileName",
                "value": ""
              },
              {
                "name": "ThreadName",
                "value": ""
              },
              {
                "name": "ImagePathName",
                "value": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe"
              },
              {
                "name": "CommandLine",
                "value": "\"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe\" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-US --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --skip-read-main-dll --metrics-shmem-handle=5624,i,11759773399020994037,14274051796553512958,524288 --field-trial-handle=2464,i,11618049249894349634,12934656804764563957,262144 --variations-seed-version --pseudonymization-salt-handle=2472,i,15884246703223372676,9125995165493510780,4 --trace-process-track-uuid=3190708993808206286 --mojo-platform-channel-handle=5652 /prefetch:8"
              },
              {
                "name": "DllPath",
                "value": ""
              },
              {
                "name": "ProcessId",
                "value": "10532"
              }
            ],
            "repeated": 0,
            "id": 141
          },
          {
            "timestamp": "2026-05-28 22:02:10,457",
            "thread_id": "9472",
            "caller": "0x7ff734847d66",
            "parentcaller": "0x7ff7348481c2",
            "category": "process",
            "api": "CreateProcessInternalW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ApplicationName",
                "value": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe"
              },
              {
                "name": "CommandLine",
                "value": "\"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe\" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-US --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --skip-read-main-dll --metrics-shmem-handle=5624,i,11759773399020994037,14274051796553512958,524288 --field-trial-handle=2464,i,11618049249894349634,12934656804764563957,262144 --variations-seed-version --pseudonymization-salt-handle=2472,i,15884246703223372676,9125995165493510780,4 --trace-process-track-uuid=3190708993808206286 --mojo-platform-channel-handle=5652 /prefetch:8"
              },
              {
                "name": "CreationFlags",
                "value": "0x0008040c",
                "pretty_value": "CREATE_SUSPENDED|DETACHED_PROCESS|CREATE_UNICODE_ENVIRONMENT|EXTENDED_STARTUPINFO_PRESENT"
              },
              {
                "name": "ProcessId",
                "value": "10532"
              },
              {
                "name": "ThreadId",
                "value": "10536"
              },
              {
                "name": "ParentHandle",
                "value": "0xffffffff"
              },
              {
                "name": "ProcessHandle",
                "value": "0x00001640"
              },
              {
                "name": "ThreadHandle",
                "value": "0x00001618"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 142
          },
          {
            "timestamp": "2026-05-28 22:02:10,473",
            "thread_id": "9820",
            "caller": "0x00000000",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\148.0.3967.83\\telclient"
              },
              {
                "name": "DllBase",
                "value": "0x7ffc1a000000"
              }
            ],
            "repeated": 0,
            "id": 143
          },
          {
            "timestamp": "2026-05-28 22:02:10,519",
            "thread_id": "9820",
            "caller": "0x00000000",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\148.0.3967.83\\oneds"
              },
              {
                "name": "DllBase",
                "value": "0x7ffc199a0000"
              }
            ],
            "repeated": 0,
            "id": 144
          },
          {
            "timestamp": "2026-05-28 22:02:10,535",
            "thread_id": "9280",
            "caller": "0x00000000",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\148.0.3967.83\\ffmpeg"
              },
              {
                "name": "DllBase",
                "value": "0x7ffc1cb70000"
              }
            ],
            "repeated": 0,
            "id": 145
          },
          {
            "timestamp": "2026-05-28 22:02:10,566",
            "thread_id": "9408",
            "caller": "0x00000000",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\System32\\FirewallAPI"
              },
              {
                "name": "DllBase",
                "value": "0x7ffc742d0000"
              }
            ],
            "repeated": 0,
            "id": 146
          },
          {
            "timestamp": "2026-05-28 22:02:10,566",
            "thread_id": "9408",
            "caller": "0x00000000",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\System32\\fwbase"
              },
              {
                "name": "DllBase",
                "value": "0x7ffc74290000"
              }
            ],
            "repeated": 0,
            "id": 147
          },
          {
            "timestamp": "2026-05-28 22:02:10,582",
            "thread_id": "9280",
            "caller": "0x00000000",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\system32\\TenantRestrictionsPlugin"
              },
              {
                "name": "DllBase",
                "value": "0x7ffc67500000"
              }
            ],
            "repeated": 0,
            "id": 148
          },
          {
            "timestamp": "2026-05-28 22:02:10,582",
            "thread_id": "9408",
            "caller": "0x00000000",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\148.0.3967.83\\microsoft_shell_integration"
              },
              {
                "name": "DllBase",
                "value": "0x7ffc5fa10000"
              }
            ],
            "repeated": 0,
            "id": 149
          },
          {
            "timestamp": "2026-05-28 22:02:10,613",
            "thread_id": "9408",
            "caller": "0x00000000",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\System32\\RMCLIENT"
              },
              {
                "name": "DllBase",
                "value": "0x7ffc73380000"
              }
            ],
            "repeated": 0,
            "id": 150
          },
          {
            "timestamp": "2026-05-28 22:02:10,613",
            "thread_id": "9408",
            "caller": "0x00000000",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\System32\\XmlLite"
              },
              {
                "name": "DllBase",
                "value": "0x7ffc711f0000"
              }
            ],
            "repeated": 0,
            "id": 151
          },
          {
            "timestamp": "2026-05-28 22:02:10,613",
            "thread_id": "9408",
            "caller": "0x00000000",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\System32\\wpnapps"
              },
              {
                "name": "DllBase",
                "value": "0x7ffc60e20000"
              }
            ],
            "repeated": 0,
            "id": 152
          },
          {
            "timestamp": "2026-05-28 22:02:10,676",
            "thread_id": "10632",
            "caller": "0x7ffc7570c5f2",
            "parentcaller": "0x7ffc75709666",
            "category": "process",
            "api": "NtCreateUserProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x0000177c"
              },
              {
                "name": "ThreadHandle",
                "value": "0x00001778"
              },
              {
                "name": "ProcessDesiredAccess",
                "value": "0x02000000"
              },
              {
                "name": "ThreadDesiredAccess",
                "value": "0x02000000"
              },
              {
                "name": "ProcessFileName",
                "value": ""
              },
              {
                "name": "ThreadName",
                "value": ""
              },
              {
                "name": "ImagePathName",
                "value": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\148.0.3967.83\\identity_helper.exe"
              },
              {
                "name": "CommandLine",
                "value": "\"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\148.0.3967.83\\identity_helper.exe\" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=windows_package_identity --skip-read-main-dll --metrics-shmem-handle=5988,i,16463646965434194640,9756354988950792942,524288 --field-trial-handle=2464,i,11618049249894349634,12934656804764563957,262144 --variations-seed-version --pseudonymization-salt-handle=2472,i,15884246703223372676,9125995165493510780,4 --trace-process-track-uuid=3190708994745248135 --mojo-platform-channel-handle=6004 /prefetch:8"
              },
              {
                "name": "DllPath",
                "value": ""
              },
              {
                "name": "ProcessId",
                "value": "10636"
              }
            ],
            "repeated": 0,
            "id": 153
          },
          {
            "timestamp": "2026-05-28 22:02:11,801",
            "thread_id": "10632",
            "caller": "0x7ffc7570c5f2",
            "parentcaller": "0x7ffc75709666",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\SYSTEM32\\capauthz"
              },
              {
                "name": "DllBase",
                "value": "0x7ffc6db50000"
              }
            ],
            "repeated": 0,
            "id": 154
          },
          {
            "timestamp": "2026-05-28 22:02:11,816",
            "thread_id": "10632",
            "caller": "0x7ffc7570c5f2",
            "parentcaller": "0x7ffc75709666",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\SYSTEM32\\windows.staterepositorycore"
              },
              {
                "name": "DllBase",
                "value": "0x7ffc6a6a0000"
              }
            ],
            "repeated": 0,
            "id": 155
          },
          {
            "timestamp": "2026-05-28 22:02:11,816",
            "thread_id": "10632",
            "caller": "0x7ffc7570c5f2",
            "parentcaller": "0x7ffc75709666",
            "category": "process",
            "api": "NtCreateUserProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00001780"
              },
              {
                "name": "ThreadHandle",
                "value": "0x000000d4"
              },
              {
                "name": "ProcessDesiredAccess",
                "value": "0x02000000"
              },
              {
                "name": "ThreadDesiredAccess",
                "value": "0x02000000"
              },
              {
                "name": "ProcessFileName",
                "value": ""
              },
              {
                "name": "ThreadName",
                "value": ""
              },
              {
                "name": "ImagePathName",
                "value": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\148.0.3967.83\\identity_helper.exe"
              },
              {
                "name": "CommandLine",
                "value": "\"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\148.0.3967.83\\identity_helper.exe\" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=windows_package_identity --skip-read-main-dll --metrics-shmem-handle=5988,i,16463646965434194640,9756354988950792942,524288 --field-trial-handle=2464,i,11618049249894349634,12934656804764563957,262144 --variations-seed-version --pseudonymization-salt-handle=2472,i,15884246703223372676,9125995165493510780,4 --trace-process-track-uuid=3190708994745248135 --mojo-platform-channel-handle=6004 /prefetch:8"
              },
              {
                "name": "DllPath",
                "value": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application;"
              },
              {
                "name": "ProcessId",
                "value": "10720"
              }
            ],
            "repeated": 0,
            "id": 156
          },
          {
            "timestamp": "2026-05-28 22:02:12,082",
            "thread_id": "10632",
            "caller": "0x7ffc75709666",
            "parentcaller": "0x7ffc7604cec4",
            "category": "process",
            "api": "CreateProcessInternalW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ApplicationName",
                "value": ""
              },
              {
                "name": "CommandLine",
                "value": "\"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\148.0.3967.83\\identity_helper.exe\" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=windows_package_identity --skip-read-main-dll --metrics-shmem-handle=5988,i,16463646965434194640,9756354988950792942,524288 --field-trial-handle=2464,i,11618049249894349634,12934656804764563957,262144 --variations-seed-version --pseudonymization-salt-handle=2472,i,15884246703223372676,9125995165493510780,4 --trace-process-track-uuid=3190708994745248135 --mojo-platform-channel-handle=6004 /prefetch:8"
              },
              {
                "name": "CreationFlags",
                "value": "0x00080400",
                "pretty_value": "CREATE_UNICODE_ENVIRONMENT|EXTENDED_STARTUPINFO_PRESENT"
              },
              {
                "name": "ProcessId",
                "value": "10720"
              },
              {
                "name": "ThreadId",
                "value": "10724"
              },
              {
                "name": "ParentHandle",
                "value": "0xffffffff"
              },
              {
                "name": "ProcessHandle",
                "value": "0x00001780"
              },
              {
                "name": "ThreadHandle",
                "value": "0x000000d4"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 157
          },
          {
            "timestamp": "2026-05-28 22:02:13,238",
            "thread_id": "9292",
            "caller": "0x00000000",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\system32\\wlanapi"
              },
              {
                "name": "DllBase",
                "value": "0x7ffc6d710000"
              }
            ],
            "repeated": 0,
            "id": 158
          },
          {
            "timestamp": "2026-05-28 22:02:13,254",
            "thread_id": "9292",
            "caller": "0x00000000",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "unload"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\system32\\wlanapi"
              },
              {
                "name": "DllBase",
                "value": "0x7ffc6d710000"
              }
            ],
            "repeated": 0,
            "id": 159
          },
          {
            "timestamp": "2026-05-28 22:02:13,254",
            "thread_id": "9292",
            "caller": "0x00000000",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\System32\\Windows.ApplicationModel"
              },
              {
                "name": "DllBase",
                "value": "0x7ffc63700000"
              }
            ],
            "repeated": 0,
            "id": 160
          },
          {
            "timestamp": "2026-05-28 22:02:13,254",
            "thread_id": "9292",
            "caller": "0x00000000",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\System32\\AppXDeploymentClient"
              },
              {
                "name": "DllBase",
                "value": "0x7ffc6e250000"
              }
            ],
            "repeated": 0,
            "id": 161
          },
          {
            "timestamp": "2026-05-28 22:02:13,598",
            "thread_id": "9280",
            "caller": "0x00000000",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\SYSTEM32\\NETAPI32"
              },
              {
                "name": "DllBase",
                "value": "0x7ffc6c4d0000"
              }
            ],
            "repeated": 0,
            "id": 162
          },
          {
            "timestamp": "2026-05-28 22:02:13,598",
            "thread_id": "9280",
            "caller": "0x00000000",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\SYSTEM32\\ncrypt"
              },
              {
                "name": "DllBase",
                "value": "0x7ffc75090000"
              }
            ],
            "repeated": 0,
            "id": 163
          },
          {
            "timestamp": "2026-05-28 22:02:13,598",
            "thread_id": "9280",
            "caller": "0x00000000",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\SYSTEM32\\NTASN1"
              },
              {
                "name": "DllBase",
                "value": "0x7ffc75050000"
              }
            ],
            "repeated": 0,
            "id": 164
          },
          {
            "timestamp": "2026-05-28 22:02:13,598",
            "thread_id": "9280",
            "caller": "0x00000000",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\system32\\PCPKsp"
              },
              {
                "name": "DllBase",
                "value": "0x7ffc6da30000"
              }
            ],
            "repeated": 0,
            "id": 165
          },
          {
            "timestamp": "2026-05-28 22:02:13,598",
            "thread_id": "9280",
            "caller": "0x00000000",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\System32\\imagehlp"
              },
              {
                "name": "DllBase",
                "value": "0x7ffc77f00000"
              }
            ],
            "repeated": 0,
            "id": 166
          },
          {
            "timestamp": "2026-05-28 22:02:13,598",
            "thread_id": "9280",
            "caller": "0x00000000",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\SYSTEM32\\tbs"
              },
              {
                "name": "DllBase",
                "value": "0x7ffc6da10000"
              }
            ],
            "repeated": 0,
            "id": 167
          },
          {
            "timestamp": "2026-05-28 22:02:13,613",
            "thread_id": "9280",
            "caller": "0x00000000",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\system32\\ncryptprov"
              },
              {
                "name": "DllBase",
                "value": "0x7ffc61590000"
              }
            ],
            "repeated": 0,
            "id": 168
          },
          {
            "timestamp": "2026-05-28 22:02:13,801",
            "thread_id": "9312",
            "caller": "0x00000000",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\system32\\mswsock"
              },
              {
                "name": "DllBase",
                "value": "0x7ffc74d80000"
              }
            ],
            "repeated": 0,
            "id": 169
          },
          {
            "timestamp": "2026-05-28 22:02:32,316",
            "thread_id": "9504",
            "caller": "0x7ffc7570c5f2",
            "parentcaller": "0x7ffc75709666",
            "category": "process",
            "api": "NtCreateUserProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000013ec"
              },
              {
                "name": "ThreadHandle",
                "value": "0x000013e8"
              },
              {
                "name": "ProcessDesiredAccess",
                "value": "0x02000000"
              },
              {
                "name": "ThreadDesiredAccess",
                "value": "0x02000000"
              },
              {
                "name": "ProcessFileName",
                "value": ""
              },
              {
                "name": "ThreadName",
                "value": ""
              },
              {
                "name": "ImagePathName",
                "value": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe"
              },
              {
                "name": "CommandLine",
                "value": "\"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe\" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --skip-read-main-dll --metrics-shmem-handle=5016,i,10489045321286890553,3537000843862549641,524288 --field-trial-handle=2464,i,11618049249894349634,12934656804764563957,262144 --variations-seed-version --pseudonymization-salt-handle=2472,i,15884246703223372676,9125995165493510780,4 --trace-process-track-uuid=3190708995682289984 --mojo-platform-channel-handle=5084 /prefetch:8"
              },
              {
                "name": "DllPath",
                "value": ""
              },
              {
                "name": "ProcessId",
                "value": "5484"
              }
            ],
            "repeated": 0,
            "id": 170
          },
          {
            "timestamp": "2026-05-28 22:02:35,441",
            "thread_id": "9504",
            "caller": "0x7ffc75709666",
            "parentcaller": "0x7ffc7604cec4",
            "category": "process",
            "api": "CreateProcessInternalW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ApplicationName",
                "value": ""
              },
              {
                "name": "CommandLine",
                "value": "\"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe\" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --skip-read-main-dll --metrics-shmem-handle=5016,i,10489045321286890553,3537000843862549641,524288 --field-trial-handle=2464,i,11618049249894349634,12934656804764563957,262144 --variations-seed-version --pseudonymization-salt-handle=2472,i,15884246703223372676,9125995165493510780,4 --trace-process-track-uuid=3190708995682289984 --mojo-platform-channel-handle=5084 /prefetch:8"
              },
              {
                "name": "CreationFlags",
                "value": "0x00080000",
                "pretty_value": "EXTENDED_STARTUPINFO_PRESENT"
              },
              {
                "name": "ProcessId",
                "value": "5484"
              },
              {
                "name": "ThreadId",
                "value": "5468"
              },
              {
                "name": "ParentHandle",
                "value": "0xffffffff"
              },
              {
                "name": "ProcessHandle",
                "value": "0x000013ec"
              },
              {
                "name": "ThreadHandle",
                "value": "0x000013e8"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 171
          },
          {
            "timestamp": "2026-05-28 22:02:37,988",
            "thread_id": "9264",
            "caller": "0x00000000",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\System32\\Windows.System.UserProfile.DiagnosticsSettings"
              },
              {
                "name": "DllBase",
                "value": "0x7ffc708f0000"
              }
            ],
            "repeated": 0,
            "id": 172
          },
          {
            "timestamp": "2026-05-28 22:02:39,426",
            "thread_id": "9192",
            "caller": "0x00000000",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\System32\\Windows.System.Diagnostics.Telemetry.PlatformTelemetryClient"
              },
              {
                "name": "DllBase",
                "value": "0x7ffc708d0000"
              }
            ],
            "repeated": 0,
            "id": 173
          },
          {
            "timestamp": "2026-05-28 22:02:39,769",
            "thread_id": "9192",
            "caller": "0x7ff7347f0661",
            "parentcaller": "0x7ff7347ef1a0",
            "category": "process",
            "api": "NtCreateUserProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000015e8"
              },
              {
                "name": "ThreadHandle",
                "value": "0x000015e4"
              },
              {
                "name": "ProcessDesiredAccess",
                "value": "0x02000000"
              },
              {
                "name": "ThreadDesiredAccess",
                "value": "0x02000000"
              },
              {
                "name": "ProcessFileName",
                "value": ""
              },
              {
                "name": "ThreadName",
                "value": ""
              },
              {
                "name": "ImagePathName",
                "value": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe"
              },
              {
                "name": "CommandLine",
                "value": "\"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe\" --no-startup-window"
              },
              {
                "name": "DllPath",
                "value": ""
              },
              {
                "name": "ProcessId",
                "value": "3656"
              }
            ],
            "repeated": 0,
            "id": 174
          }
        ],
        "threads": [
          "9192",
          "9212",
          "9276",
          "9336",
          "9332",
          "9364",
          "9400",
          "9412",
          "9480",
          "9288",
          "9316",
          "9504",
          "9476",
          "9472",
          "9724",
          "9528",
          "9496",
          "10236",
          "9268",
          "9588",
          "9280",
          "9408",
          "9820",
          "10632",
          "9292",
          "9312",
          "9264"
        ],
        "environ": {
          "UserName": "admin",
          "ComputerName": "JOHNS-PC",
          "WindowsPath": "C:\\Windows",
          "TempPath": "C:\\Users\\admin\\AppData\\Local\\Temp\\",
          "CommandLine": "\"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe\" \"https://sugarcraft.net/\"",
          "RegisteredOwner": "",
          "RegisteredOrganization": "",
          "ProductName": "",
          "SystemVolumeSerialNumber": "12bc-0026",
          "SystemVolumeGUID": "528c102f-0000-0000-0000-300300000000",
          "MachineGUID": "",
          "MainExeBase": "0x7ff734750000",
          "MainExeSize": "0x00505000",
          "Bitness": "64-bit"
        },
        "file_activities": {
          "read_files": [],
          "write_files": [],
          "delete_files": []
        }
      },
      {
        "process_id": 10720,
        "process_name": "identity_helper.exe",
        "parent_id": 9188,
        "module_path": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\148.0.3967.83\\identity_helper.exe",
        "first_seen": "2026-05-28 22:02:12,119",
        "calls": [
          {
            "timestamp": "2026-05-28 22:02:12,338",
            "thread_id": "10724",
            "caller": "0x7ffc77fe9aff",
            "parentcaller": "0x7ffc7803c295",
            "category": "system",
            "api": "LdrpCallInitRoutine",
            "status": true,
            "return": "0x00000060",
            "arguments": [
              {
                "name": "MappedPath",
                "value": "\\Device\\HarddiskVolume2\\Program Files (x86)\\Microsoft\\Edge\\Application\\148.0.3967.83\\msedge_elf"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc32000000"
              },
              {
                "name": "InitRoutine",
                "value": "0x7ffc32182a60"
              },
              {
                "name": "Reason",
                "value": "1"
              }
            ],
            "repeated": 0,
            "id": 0
          },
          {
            "timestamp": "2026-05-28 22:02:12,369",
            "thread_id": "10724",
            "caller": "0x7ffc77fe9aff",
            "parentcaller": "0x7ffc7803c295",
            "category": "system",
            "api": "LdrpCallInitRoutine",
            "status": true,
            "return": "0x00000010",
            "arguments": [
              {
                "name": "MappedPath",
                "value": "\\Device\\HarddiskVolume2\\Program Files (x86)\\Microsoft\\Edge\\Application\\148.0.3967.83\\msedge_elf"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc32000000"
              },
              {
                "name": "InitRoutine",
                "value": "0x7ffc321dc510"
              },
              {
                "name": "Reason",
                "value": "1"
              }
            ],
            "repeated": 0,
            "id": 1
          },
          {
            "timestamp": "2026-05-28 22:02:12,416",
            "thread_id": "10724",
            "caller": "0x7ffc77fe9aff",
            "parentcaller": "0x7ffc7803c295",
            "category": "system",
            "api": "LdrpCallInitRoutine",
            "status": true,
            "return": "0x00000074",
            "arguments": [
              {
                "name": "MappedPath",
                "value": "\\Device\\HarddiskVolume2\\Program Files (x86)\\Microsoft\\Edge\\Application\\148.0.3967.83\\msedge_elf"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc32000000"
              },
              {
                "name": "InitRoutine",
                "value": "0x7ffc321b5c30"
              },
              {
                "name": "Reason",
                "value": "1"
              }
            ],
            "repeated": 0,
            "id": 2
          },
          {
            "timestamp": "2026-05-28 22:02:12,463",
            "thread_id": "10724",
            "caller": "0x7ffc77fe9aff",
            "parentcaller": "0x7ffc7803c295",
            "category": "system",
            "api": "LdrpCallInitRoutine",
            "status": true,
            "return": "0x00000090",
            "arguments": [
              {
                "name": "MappedPath",
                "value": "\\Device\\HarddiskVolume2\\Program Files (x86)\\Microsoft\\Edge\\Application\\148.0.3967.83\\msedge_elf"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc32000000"
              },
              {
                "name": "InitRoutine",
                "value": "0x7ffc321dc590"
              },
              {
                "name": "Reason",
                "value": "1"
              }
            ],
            "repeated": 0,
            "id": 3
          },
          {
            "timestamp": "2026-05-28 22:02:12,510",
            "thread_id": "10724",
            "caller": "0x7ffc77fe9aff",
            "parentcaller": "0x7ffc7803c295",
            "category": "system",
            "api": "LdrpCallInitRoutine",
            "status": false,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "MappedPath",
                "value": "\\Device\\HarddiskVolume2\\Program Files (x86)\\Microsoft\\Edge\\Application\\148.0.3967.83\\msedge_elf"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc32000000"
              },
              {
                "name": "InitRoutine",
                "value": "0x7ffc3214efd0"
              },
              {
                "name": "Reason",
                "value": "1"
              }
            ],
            "repeated": 0,
            "id": 4
          },
          {
            "timestamp": "2026-05-28 22:02:12,557",
            "thread_id": "10724",
            "caller": "0x7ffc77fe9aff",
            "parentcaller": "0x7ffc7803c295",
            "category": "system",
            "api": "LdrpCallInitRoutine",
            "status": true,
            "return": "0x00000050",
            "arguments": [
              {
                "name": "MappedPath",
                "value": "\\Device\\HarddiskVolume2\\Program Files (x86)\\Microsoft\\Edge\\Application\\148.0.3967.83\\msedge_elf"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc32000000"
              },
              {
                "name": "InitRoutine",
                "value": "0x7ffc321b1950"
              },
              {
                "name": "Reason",
                "value": "1"
              }
            ],
            "repeated": 0,
            "id": 5
          },
          {
            "timestamp": "2026-05-28 22:02:12,635",
            "thread_id": "10724",
            "caller": "0x7ffc321ff156",
            "parentcaller": "0x7ffc32200c0a",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc324af000"
              },
              {
                "name": "ModuleName",
                "value": "msedge_elf.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000008",
                "pretty_value": "PAGE_WRITECOPY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 6
          },
          {
            "timestamp": "2026-05-28 22:02:12,635",
            "thread_id": "10724",
            "caller": "0x7ffc321ffb27",
            "parentcaller": "0x7ffc321ffaa7",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "api-ms-win-core-fibers-l1-1-2"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc756b0000"
              }
            ],
            "repeated": 0,
            "id": 7
          },
          {
            "timestamp": "2026-05-28 22:02:12,635",
            "thread_id": "10724",
            "caller": "0x7ffc321ffb27",
            "parentcaller": "0x7ffc321ffaa7",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x7ffc756b0000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "api-ms-win-core-fibers-l1-1-2"
              },
              {
                "name": "dwFlags",
                "value": "0x00000800"
              }
            ],
            "repeated": 0,
            "id": 8
          },
          {
            "timestamp": "2026-05-28 22:02:12,635",
            "thread_id": "10724",
            "caller": "0x7ffc321ffc58",
            "parentcaller": "0x7ffc321ffaa7",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": false,
            "return": "0xffffffffc0000139",
            "pretty_return": "ENTRYPOINT_NOT_FOUND",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "KERNELBASE.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc756b0000"
              },
              {
                "name": "FunctionName",
                "value": "FlsGetValue2"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 9
          },
          {
            "timestamp": "2026-05-28 22:02:12,635",
            "thread_id": "10724",
            "caller": "0x7ffc321ffbd7",
            "parentcaller": "0x7ffc321ffaa7",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc324af000"
              },
              {
                "name": "ModuleName",
                "value": "msedge_elf.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 10
          },
          {
            "timestamp": "2026-05-28 22:02:12,635",
            "thread_id": "10724",
            "caller": "0x7ffc321ffc08",
            "parentcaller": "0x7ffc321ffaa7",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc324af000"
              },
              {
                "name": "ModuleName",
                "value": "msedge_elf.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 11
          },
          {
            "timestamp": "2026-05-28 22:02:12,635",
            "thread_id": "10724",
            "caller": "0x7ffc32129070",
            "parentcaller": "0x7ffc321b2c96",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\System32\\bcryptprimitives"
              },
              {
                "name": "DllBase",
                "value": "0x7ffc75fa0000"
              }
            ],
            "repeated": 0,
            "id": 12
          },
          {
            "timestamp": "2026-05-28 22:02:12,635",
            "thread_id": "10724",
            "caller": "0x7ffc32129070",
            "parentcaller": "0x7ffc321b2c96",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "bcryptprimitives.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc75fa0000"
              }
            ],
            "repeated": 0,
            "id": 13
          },
          {
            "timestamp": "2026-05-28 22:02:12,635",
            "thread_id": "10724",
            "caller": "0x7ffc32129070",
            "parentcaller": "0x7ffc321b2c96",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x7ffc75fa0000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "bcryptprimitives.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 14
          },
          {
            "timestamp": "2026-05-28 22:02:12,635",
            "thread_id": "10724",
            "caller": "0x7ffc32129089",
            "parentcaller": "0x7ffc321b2c96",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "bcryptprimitives.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc75fa0000"
              },
              {
                "name": "FunctionName",
                "value": "ProcessPrng"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc75fb5010"
              }
            ],
            "repeated": 0,
            "id": 15
          },
          {
            "timestamp": "2026-05-28 22:02:12,635",
            "thread_id": "10724",
            "caller": "0x7ffc321b3b9c",
            "parentcaller": "0x7ffc321b3d77",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x56f000000000"
              },
              {
                "name": "RegionSize",
                "value": "0x800000000"
              },
              {
                "name": "Protection",
                "value": "0x00000001",
                "pretty_value": "PAGE_NOACCESS"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 16
          },
          {
            "timestamp": "2026-05-28 22:02:12,635",
            "thread_id": "10724",
            "caller": "0x7ffc321b3b9c",
            "parentcaller": "0x7ffc321b3d77",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x6dbd3c7e0000"
              },
              {
                "name": "RegionSize",
                "value": "0x400000000"
              },
              {
                "name": "Protection",
                "value": "0x00000001",
                "pretty_value": "PAGE_NOACCESS"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 17
          },
          {
            "timestamp": "2026-05-28 22:02:12,635",
            "thread_id": "10724",
            "caller": "0x7ffc321b3c18",
            "parentcaller": "0x7ffc3212b8df",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x6dbd3c7e1000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 18
          },
          {
            "timestamp": "2026-05-28 22:02:12,635",
            "thread_id": "10724",
            "caller": "0x7ffc3212bafb",
            "parentcaller": "0x7ffc3212b4af",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x56f000004000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 19
          },
          {
            "timestamp": "2026-05-28 22:02:12,635",
            "thread_id": "10724",
            "caller": "0x7ffc3212bafb",
            "parentcaller": "0x7ffc3212b4af",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x56f000008000"
              },
              {
                "name": "RegionSize",
                "value": "0x00002000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 20
          },
          {
            "timestamp": "2026-05-28 22:02:12,635",
            "thread_id": "10724",
            "caller": "0x7ffc3220006a",
            "parentcaller": "0x7ffc32200c0a",
            "category": "misc",
            "api": "GetCommandLineA",
            "status": true,
            "return": "0x2a365405850",
            "arguments": [
              {
                "name": "CommandLine",
                "value": "\"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\148.0.3967.83\\identity_helper.exe\" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=windows_package_identity --skip-read-main-dll --metrics-shmem-handle=5988,i,16463646965434194640,9756354988950792942,524288 --field-trial-handle=2464,i,11618049249894349634,12934656804764563957,262144 --variations-seed-version --pseudonymization-salt-handle=2472,i,15884246703223372676,9125995165493510780,4 --trace-process-track-uuid=3190708994745248135 --mojo-platform-channel-handle=6004 /prefetch:8"
              }
            ],
            "repeated": 0,
            "id": 21
          },
          {
            "timestamp": "2026-05-28 22:02:12,635",
            "thread_id": "10724",
            "caller": "0x7ffc32200077",
            "parentcaller": "0x7ffc32200c0a",
            "category": "misc",
            "api": "GetCommandLineW",
            "status": true,
            "return": "0x2a365403e96",
            "arguments": [
              {
                "name": "CommandLine",
                "value": "\"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\148.0.3967.83\\identity_helper.exe\" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=windows_package_identity --skip-read-main-dll --metrics-shmem-handle=5988,i,16463646965434194640,9756354988950792942,524288 --field-trial-handle=2464,i,11618049249894349634,12934656804764563957,262144 --variations-seed-version --pseudonymization-salt-handle=2472,i,15884246703223372676,9125995165493510780,4 --trace-process-track-uuid=3190708994745248135 --mojo-platform-channel-handle=6004 /prefetch:8"
              }
            ],
            "repeated": 0,
            "id": 22
          },
          {
            "timestamp": "2026-05-28 22:02:12,635",
            "thread_id": "10724",
            "caller": "0x7ffc3212bafb",
            "parentcaller": "0x7ffc3212b4af",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x56f000018000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 23
          },
          {
            "timestamp": "2026-05-28 22:02:12,635",
            "thread_id": "10724",
            "caller": "0x7ffc321ffb27",
            "parentcaller": "0x7ffc321ff6c7",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "api-ms-win-core-localization-l1-2-1"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc756b0000"
              }
            ],
            "repeated": 0,
            "id": 24
          },
          {
            "timestamp": "2026-05-28 22:02:12,635",
            "thread_id": "10724",
            "caller": "0x7ffc321ffb27",
            "parentcaller": "0x7ffc321ff6c7",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x7ffc756b0000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "api-ms-win-core-localization-l1-2-1"
              },
              {
                "name": "dwFlags",
                "value": "0x00000800"
              }
            ],
            "repeated": 0,
            "id": 25
          },
          {
            "timestamp": "2026-05-28 22:02:12,635",
            "thread_id": "10724",
            "caller": "0x7ffc321ffc58",
            "parentcaller": "0x7ffc321ff6c7",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "KERNELBASE.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc756b0000"
              },
              {
                "name": "FunctionName",
                "value": "LCMapStringEx"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc756cd3c0"
              }
            ],
            "repeated": 0,
            "id": 26
          },
          {
            "timestamp": "2026-05-28 22:02:12,635",
            "thread_id": "10724",
            "caller": "0x7ffc321ffbd7",
            "parentcaller": "0x7ffc321ff6c7",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc324af000"
              },
              {
                "name": "ModuleName",
                "value": "msedge_elf.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 27
          },
          {
            "timestamp": "2026-05-28 22:02:12,635",
            "thread_id": "10724",
            "caller": "0x7ffc321ffc08",
            "parentcaller": "0x7ffc321ff6c7",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc324af000"
              },
              {
                "name": "ModuleName",
                "value": "msedge_elf.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 28
          },
          {
            "timestamp": "2026-05-28 22:02:12,635",
            "thread_id": "10724",
            "caller": "0x7ffc3212bafb",
            "parentcaller": "0x7ffc3212b4af",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x56f000028000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 29
          },
          {
            "timestamp": "2026-05-28 22:02:12,635",
            "thread_id": "10724",
            "caller": "0x7ffc321ffb27",
            "parentcaller": "0x7ffc321ff1d6",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "kernel32"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76030000"
              }
            ],
            "repeated": 0,
            "id": 30
          },
          {
            "timestamp": "2026-05-28 22:02:12,635",
            "thread_id": "10724",
            "caller": "0x7ffc321ffb27",
            "parentcaller": "0x7ffc321ff1d6",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x7ffc76030000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "kernel32"
              },
              {
                "name": "dwFlags",
                "value": "0x00000800"
              }
            ],
            "repeated": 0,
            "id": 31
          },
          {
            "timestamp": "2026-05-28 22:02:12,635",
            "thread_id": "10724",
            "caller": "0x7ffc321ffc58",
            "parentcaller": "0x7ffc321ff1d6",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "KERNEL32.DLL"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc76030000"
              },
              {
                "name": "FunctionName",
                "value": "AreFileApisANSI"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc76050f00"
              }
            ],
            "repeated": 0,
            "id": 32
          },
          {
            "timestamp": "2026-05-28 22:02:12,635",
            "thread_id": "10724",
            "caller": "0x7ffc321ffbd7",
            "parentcaller": "0x7ffc321ff1d6",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc324af000"
              },
              {
                "name": "ModuleName",
                "value": "msedge_elf.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 33
          },
          {
            "timestamp": "2026-05-28 22:02:12,635",
            "thread_id": "10724",
            "caller": "0x7ffc321ffc08",
            "parentcaller": "0x7ffc321ff1d6",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc324af000"
              },
              {
                "name": "ModuleName",
                "value": "msedge_elf.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 34
          },
          {
            "timestamp": "2026-05-28 22:02:12,635",
            "thread_id": "10724",
            "caller": "0x7ffc3212bafb",
            "parentcaller": "0x7ffc3212b4af",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x56f00002c000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 35
          },
          {
            "timestamp": "2026-05-28 22:02:12,635",
            "thread_id": "10724",
            "caller": "0x7ffc3212bafb",
            "parentcaller": "0x7ffc3212b4af",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x56f000038000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 36
          },
          {
            "timestamp": "2026-05-28 22:02:12,635",
            "thread_id": "10724",
            "caller": "0x7ffc3212bafb",
            "parentcaller": "0x7ffc3212b4af",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x56f00003c000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 37
          },
          {
            "timestamp": "2026-05-28 22:02:12,635",
            "thread_id": "10724",
            "caller": "0x7ffc3212bafb",
            "parentcaller": "0x7ffc3212b4af",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x56f000048000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 38
          },
          {
            "timestamp": "2026-05-28 22:02:12,635",
            "thread_id": "10724",
            "caller": "0x7ffc3212bafb",
            "parentcaller": "0x7ffc3212b4af",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x56f00004c000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 39
          },
          {
            "timestamp": "2026-05-28 22:02:12,635",
            "thread_id": "10724",
            "caller": "0x7ffc3212bafb",
            "parentcaller": "0x7ffc3212b4af",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x56f000058000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 40
          },
          {
            "timestamp": "2026-05-28 22:02:12,635",
            "thread_id": "10724",
            "caller": "0x7ffc3212bafb",
            "parentcaller": "0x7ffc3212b4af",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x56f00005c000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 41
          },
          {
            "timestamp": "2026-05-28 22:02:12,635",
            "thread_id": "10724",
            "caller": "0x7ffc3212bafb",
            "parentcaller": "0x7ffc3212b4af",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x56f00006c000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 42
          },
          {
            "timestamp": "2026-05-28 22:02:12,635",
            "thread_id": "10724",
            "caller": "0x7ffc3212bafb",
            "parentcaller": "0x7ffc3212b4af",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x56f000070000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 43
          },
          {
            "timestamp": "2026-05-28 22:02:12,635",
            "thread_id": "10724",
            "caller": "0x7ffc3212bafb",
            "parentcaller": "0x7ffc3212b4af",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x56f000080000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 44
          },
          {
            "timestamp": "2026-05-28 22:02:12,635",
            "thread_id": "10724",
            "caller": "0x7ffc3216c301",
            "parentcaller": "0x7ffc321efa72",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "kernel32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc76030000"
              }
            ],
            "repeated": 0,
            "id": 45
          },
          {
            "timestamp": "2026-05-28 22:02:12,635",
            "thread_id": "10724",
            "caller": "0x7ffc3216c311",
            "parentcaller": "0x7ffc321efa72",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "KERNEL32.DLL"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc76030000"
              },
              {
                "name": "FunctionName",
                "value": "GetSystemTimePreciseAsFileTime"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc76055350"
              }
            ],
            "repeated": 0,
            "id": 46
          },
          {
            "timestamp": "2026-05-28 22:02:12,635",
            "thread_id": "10724",
            "caller": "0x7ffc3212bafb",
            "parentcaller": "0x7ffc3212b4af",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x56f000090000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 47
          },
          {
            "timestamp": "2026-05-28 22:02:12,635",
            "thread_id": "10724",
            "caller": "0x7ffc321ffb27",
            "parentcaller": "0x7ffc321ff8f9",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "api-ms-win-core-string-l1-1-0"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc756b0000"
              }
            ],
            "repeated": 0,
            "id": 48
          },
          {
            "timestamp": "2026-05-28 22:02:12,635",
            "thread_id": "10724",
            "caller": "0x7ffc321ffb27",
            "parentcaller": "0x7ffc321ff8f9",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x7ffc756b0000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "api-ms-win-core-string-l1-1-0"
              },
              {
                "name": "dwFlags",
                "value": "0x00000800"
              }
            ],
            "repeated": 0,
            "id": 49
          },
          {
            "timestamp": "2026-05-28 22:02:12,635",
            "thread_id": "10724",
            "caller": "0x7ffc321ffc58",
            "parentcaller": "0x7ffc321ff8f9",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "KERNELBASE.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc756b0000"
              },
              {
                "name": "FunctionName",
                "value": "CompareStringEx"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc756d7130"
              }
            ],
            "repeated": 0,
            "id": 50
          },
          {
            "timestamp": "2026-05-28 22:02:12,635",
            "thread_id": "10724",
            "caller": "0x7ffc321ffbd7",
            "parentcaller": "0x7ffc321ff8f9",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc324af000"
              },
              {
                "name": "ModuleName",
                "value": "msedge_elf.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 51
          },
          {
            "timestamp": "2026-05-28 22:02:12,635",
            "thread_id": "10724",
            "caller": "0x7ffc321ffc08",
            "parentcaller": "0x7ffc321ff8f9",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc324af000"
              },
              {
                "name": "ModuleName",
                "value": "msedge_elf.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 52
          },
          {
            "timestamp": "2026-05-28 22:02:12,635",
            "thread_id": "10724",
            "caller": "0x7ffc321ffc58",
            "parentcaller": "0x7ffc321ff922",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "KERNELBASE.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc756b0000"
              },
              {
                "name": "FunctionName",
                "value": "EnumSystemLocalesEx"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc75737f40"
              }
            ],
            "repeated": 0,
            "id": 53
          },
          {
            "timestamp": "2026-05-28 22:02:12,635",
            "thread_id": "10724",
            "caller": "0x7ffc321ffbd7",
            "parentcaller": "0x7ffc321ff922",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc324af000"
              },
              {
                "name": "ModuleName",
                "value": "msedge_elf.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 54
          },
          {
            "timestamp": "2026-05-28 22:02:12,635",
            "thread_id": "10724",
            "caller": "0x7ffc321ffc08",
            "parentcaller": "0x7ffc321ff922",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc324af000"
              },
              {
                "name": "ModuleName",
                "value": "msedge_elf.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 55
          },
          {
            "timestamp": "2026-05-28 22:02:12,635",
            "thread_id": "10724",
            "caller": "0x7ffc321ffb27",
            "parentcaller": "0x7ffc321ff94b",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "api-ms-win-core-datetime-l1-1-1"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc756b0000"
              }
            ],
            "repeated": 0,
            "id": 56
          },
          {
            "timestamp": "2026-05-28 22:02:12,635",
            "thread_id": "10724",
            "caller": "0x7ffc321ffb27",
            "parentcaller": "0x7ffc321ff94b",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x7ffc756b0000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "api-ms-win-core-datetime-l1-1-1"
              },
              {
                "name": "dwFlags",
                "value": "0x00000800"
              }
            ],
            "repeated": 0,
            "id": 57
          },
          {
            "timestamp": "2026-05-28 22:02:12,635",
            "thread_id": "10724",
            "caller": "0x7ffc321ffc58",
            "parentcaller": "0x7ffc321ff94b",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "KERNELBASE.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc756b0000"
              },
              {
                "name": "FunctionName",
                "value": "GetDateFormatEx"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc757255b0"
              }
            ],
            "repeated": 0,
            "id": 58
          },
          {
            "timestamp": "2026-05-28 22:02:12,635",
            "thread_id": "10724",
            "caller": "0x7ffc321ffbd7",
            "parentcaller": "0x7ffc321ff94b",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc324af000"
              },
              {
                "name": "ModuleName",
                "value": "msedge_elf.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 59
          },
          {
            "timestamp": "2026-05-28 22:02:12,635",
            "thread_id": "10724",
            "caller": "0x7ffc321ffc08",
            "parentcaller": "0x7ffc321ff94b",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc324af000"
              },
              {
                "name": "ModuleName",
                "value": "msedge_elf.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 60
          },
          {
            "timestamp": "2026-05-28 22:02:12,635",
            "thread_id": "10724",
            "caller": "0x7ffc321ffc58",
            "parentcaller": "0x7ffc321ff974",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "KERNELBASE.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc756b0000"
              },
              {
                "name": "FunctionName",
                "value": "GetLocaleInfoEx"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc756d0210"
              }
            ],
            "repeated": 0,
            "id": 61
          },
          {
            "timestamp": "2026-05-28 22:02:12,635",
            "thread_id": "10724",
            "caller": "0x7ffc321ffbd7",
            "parentcaller": "0x7ffc321ff974",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc324af000"
              },
              {
                "name": "ModuleName",
                "value": "msedge_elf.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 62
          },
          {
            "timestamp": "2026-05-28 22:02:12,635",
            "thread_id": "10724",
            "caller": "0x7ffc321ffc08",
            "parentcaller": "0x7ffc321ff974",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc324af000"
              },
              {
                "name": "ModuleName",
                "value": "msedge_elf.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 63
          },
          {
            "timestamp": "2026-05-28 22:02:12,635",
            "thread_id": "10724",
            "caller": "0x7ffc321ffc58",
            "parentcaller": "0x7ffc321ff99d",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "KERNELBASE.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc756b0000"
              },
              {
                "name": "FunctionName",
                "value": "GetTimeFormatEx"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc7572d1a0"
              }
            ],
            "repeated": 0,
            "id": 64
          },
          {
            "timestamp": "2026-05-28 22:02:12,635",
            "thread_id": "10724",
            "caller": "0x7ffc321ffbd7",
            "parentcaller": "0x7ffc321ff99d",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc324af000"
              },
              {
                "name": "ModuleName",
                "value": "msedge_elf.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 65
          },
          {
            "timestamp": "2026-05-28 22:02:12,635",
            "thread_id": "10724",
            "caller": "0x7ffc321ffc08",
            "parentcaller": "0x7ffc321ff99d",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc324af000"
              },
              {
                "name": "ModuleName",
                "value": "msedge_elf.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 66
          },
          {
            "timestamp": "2026-05-28 22:02:12,635",
            "thread_id": "10724",
            "caller": "0x7ffc321ffc58",
            "parentcaller": "0x7ffc321ff9c6",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "KERNELBASE.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc756b0000"
              },
              {
                "name": "FunctionName",
                "value": "GetUserDefaultLocaleName"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc756eae80"
              }
            ],
            "repeated": 0,
            "id": 67
          },
          {
            "timestamp": "2026-05-28 22:02:12,635",
            "thread_id": "10724",
            "caller": "0x7ffc321ffbd7",
            "parentcaller": "0x7ffc321ff9c6",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc324af000"
              },
              {
                "name": "ModuleName",
                "value": "msedge_elf.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 68
          },
          {
            "timestamp": "2026-05-28 22:02:12,635",
            "thread_id": "10724",
            "caller": "0x7ffc321ffc08",
            "parentcaller": "0x7ffc321ff9c6",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc324af000"
              },
              {
                "name": "ModuleName",
                "value": "msedge_elf.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 69
          },
          {
            "timestamp": "2026-05-28 22:02:12,635",
            "thread_id": "10724",
            "caller": "0x7ffc321ffc58",
            "parentcaller": "0x7ffc321ff9ef",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "KERNELBASE.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc756b0000"
              },
              {
                "name": "FunctionName",
                "value": "IsValidLocaleName"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc756cad90"
              }
            ],
            "repeated": 0,
            "id": 70
          },
          {
            "timestamp": "2026-05-28 22:02:12,635",
            "thread_id": "10724",
            "caller": "0x7ffc321ffbd7",
            "parentcaller": "0x7ffc321ff9ef",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc324af000"
              },
              {
                "name": "ModuleName",
                "value": "msedge_elf.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 71
          },
          {
            "timestamp": "2026-05-28 22:02:12,635",
            "thread_id": "10724",
            "caller": "0x7ffc321ffc08",
            "parentcaller": "0x7ffc321ff9ef",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc324af000"
              },
              {
                "name": "ModuleName",
                "value": "msedge_elf.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 72
          },
          {
            "timestamp": "2026-05-28 22:02:12,635",
            "thread_id": "10724",
            "caller": "0x7ffc321ffb27",
            "parentcaller": "0x7ffc321ffa41",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "api-ms-win-core-localization-obsolete-l1-2-0"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc756b0000"
              }
            ],
            "repeated": 0,
            "id": 73
          },
          {
            "timestamp": "2026-05-28 22:02:12,635",
            "thread_id": "10724",
            "caller": "0x7ffc321ffb27",
            "parentcaller": "0x7ffc321ffa41",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x7ffc756b0000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "api-ms-win-core-localization-obsolete-l1-2-0"
              },
              {
                "name": "dwFlags",
                "value": "0x00000800"
              }
            ],
            "repeated": 0,
            "id": 74
          },
          {
            "timestamp": "2026-05-28 22:02:12,635",
            "thread_id": "10724",
            "caller": "0x7ffc321ffc58",
            "parentcaller": "0x7ffc321ffa41",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "KERNELBASE.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc756b0000"
              },
              {
                "name": "FunctionName",
                "value": "LCIDToLocaleName"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc756cae60"
              }
            ],
            "repeated": 0,
            "id": 75
          },
          {
            "timestamp": "2026-05-28 22:02:12,635",
            "thread_id": "10724",
            "caller": "0x7ffc321ffbd7",
            "parentcaller": "0x7ffc321ffa41",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc324af000"
              },
              {
                "name": "ModuleName",
                "value": "msedge_elf.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 76
          },
          {
            "timestamp": "2026-05-28 22:02:12,635",
            "thread_id": "10724",
            "caller": "0x7ffc321ffc08",
            "parentcaller": "0x7ffc321ffa41",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc324af000"
              },
              {
                "name": "ModuleName",
                "value": "msedge_elf.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 77
          },
          {
            "timestamp": "2026-05-28 22:02:12,635",
            "thread_id": "10724",
            "caller": "0x7ffc321ffc58",
            "parentcaller": "0x7ffc321ffa6a",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "KERNELBASE.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc756b0000"
              },
              {
                "name": "FunctionName",
                "value": "LocaleNameToLCID"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc75720070"
              }
            ],
            "repeated": 0,
            "id": 78
          },
          {
            "timestamp": "2026-05-28 22:02:12,635",
            "thread_id": "10724",
            "caller": "0x7ffc321ffbd7",
            "parentcaller": "0x7ffc321ffa6a",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc324af000"
              },
              {
                "name": "ModuleName",
                "value": "msedge_elf.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 79
          },
          {
            "timestamp": "2026-05-28 22:02:12,635",
            "thread_id": "10724",
            "caller": "0x7ffc321ffc08",
            "parentcaller": "0x7ffc321ffa6a",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc324af000"
              },
              {
                "name": "ModuleName",
                "value": "msedge_elf.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 80
          },
          {
            "timestamp": "2026-05-28 22:02:12,635",
            "thread_id": "10724",
            "caller": "0x7ffc3212bafb",
            "parentcaller": "0x7ffc3212b4af",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x56f000098000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 81
          },
          {
            "timestamp": "2026-05-28 22:02:12,635",
            "thread_id": "10724",
            "caller": "0x7ffc32177e31",
            "parentcaller": "0x7ffc320fb049",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "bcryptprimitives.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc75fa0000"
              }
            ],
            "repeated": 0,
            "id": 82
          },
          {
            "timestamp": "2026-05-28 22:02:12,635",
            "thread_id": "10724",
            "caller": "0x7ffc32177e31",
            "parentcaller": "0x7ffc320fb049",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x7ffc75fa0000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "bcryptprimitives.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 83
          },
          {
            "timestamp": "2026-05-28 22:02:12,635",
            "thread_id": "10724",
            "caller": "0x7ffc32177e4a",
            "parentcaller": "0x7ffc320fb049",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "bcryptprimitives.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc75fa0000"
              },
              {
                "name": "FunctionName",
                "value": "ProcessPrng"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc75fb5010"
              }
            ],
            "repeated": 0,
            "id": 84
          },
          {
            "timestamp": "2026-05-28 22:02:12,635",
            "thread_id": "10724",
            "caller": "0x7ffc32170e68",
            "parentcaller": "0x7ffc32170dc8",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\usp10.dll"
              }
            ],
            "repeated": 0,
            "id": 85
          },
          {
            "timestamp": "2026-05-28 22:02:12,635",
            "thread_id": "10724",
            "caller": "0x7ffc3212bafb",
            "parentcaller": "0x7ffc3212b4af",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x56f00009c000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 86
          },
          {
            "timestamp": "2026-05-28 22:02:12,635",
            "thread_id": "10724",
            "caller": "0x7ffc3212bafb",
            "parentcaller": "0x7ffc3212b4af",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x56f0000ac000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 87
          },
          {
            "timestamp": "2026-05-28 22:02:12,635",
            "thread_id": "10724",
            "caller": "0x7ffc3216fbd4",
            "parentcaller": "0x7ffc32170076",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\xe7\\x92\\xf7\\xb8\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xfc\\x7f\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\xe9\\x03\\x00\\x00\\xfc\\x7f\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xa0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 88
          },
          {
            "timestamp": "2026-05-28 22:02:12,635",
            "thread_id": "10724",
            "caller": "0x7ffc3216fc42",
            "parentcaller": "0x7ffc32170076",
            "category": "misc",
            "api": "GetCommandLineW",
            "status": true,
            "return": "0x2a365403e96",
            "arguments": [
              {
                "name": "CommandLine",
                "value": "\"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\148.0.3967.83\\identity_helper.exe\" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=windows_package_identity --skip-read-main-dll --metrics-shmem-handle=5988,i,16463646965434194640,9756354988950792942,524288 --field-trial-handle=2464,i,11618049249894349634,12934656804764563957,262144 --variations-seed-version --pseudonymization-salt-handle=2472,i,15884246703223372676,9125995165493510780,4 --trace-process-track-uuid=3190708994745248135 --mojo-platform-channel-handle=6004 /prefetch:8"
              }
            ],
            "repeated": 0,
            "id": 89
          },
          {
            "timestamp": "2026-05-28 22:02:12,635",
            "thread_id": "10724",
            "caller": "0x7ffc3216fcd6",
            "parentcaller": "0x7ffc32170076",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "kernel32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc76030000"
              }
            ],
            "repeated": 0,
            "id": 90
          },
          {
            "timestamp": "2026-05-28 22:02:12,635",
            "thread_id": "10724",
            "caller": "0x7ffc3216fce6",
            "parentcaller": "0x7ffc32170076",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "KERNEL32.DLL"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc76030000"
              },
              {
                "name": "FunctionName",
                "value": "IsWow64Process"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc7604f980"
              }
            ],
            "repeated": 0,
            "id": 91
          },
          {
            "timestamp": "2026-05-28 22:02:12,635",
            "thread_id": "10724",
            "caller": "0x7ffc3216feef",
            "parentcaller": "0x7ffc321700f0",
            "category": "misc",
            "api": "NtQuerySystemInformation",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SystemInformationClass",
                "value": "0",
                "pretty_value": "FILE_SUPERSEDE"
              }
            ],
            "repeated": 0,
            "id": 92
          },
          {
            "timestamp": "2026-05-28 22:02:12,635",
            "thread_id": "10724",
            "caller": "0x7ffc3216feef",
            "parentcaller": "0x7ffc321700f0",
            "category": "misc",
            "api": "NtQuerySystemInformation",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SystemInformationClass",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              }
            ],
            "repeated": 0,
            "id": 93
          },
          {
            "timestamp": "2026-05-28 22:02:12,635",
            "thread_id": "10724",
            "caller": "0x7ffc3217019b",
            "parentcaller": "0x7ffc321703bc",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000214"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000201",
                "pretty_value": "KEY_QUERY_VALUE|0x00000200"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\WOW6432Node\\Microsoft\\EdgeUpdate\\Clients\\{56EB18F8-B008-4CBD-B6D2-8C97FE7E9062}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\WOW6432Node\\Microsoft\\EdgeUpdate\\Clients\\{56EB18F8-B008-4CBD-B6D2-8C97FE7E9062}"
              }
            ],
            "repeated": 0,
            "id": 94
          },
          {
            "timestamp": "2026-05-28 22:02:12,635",
            "thread_id": "10724",
            "caller": "0x7ffc321702c2",
            "parentcaller": "0x7ffc32170346",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000214"
              },
              {
                "name": "ValueName",
                "value": "channel"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\EdgeUpdate\\Clients\\{56EB18F8-B008-4CBD-B6D2-8C97FE7E9062}\\channel"
              }
            ],
            "repeated": 0,
            "id": 95
          },
          {
            "timestamp": "2026-05-28 22:02:12,635",
            "thread_id": "10724",
            "caller": "0x7ffc321702c2",
            "parentcaller": "0x7ffc32170346",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000214"
              },
              {
                "name": "ValueName",
                "value": "channel"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "Information",
                "value": "stable"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\EdgeUpdate\\Clients\\{56EB18F8-B008-4CBD-B6D2-8C97FE7E9062}\\channel"
              }
            ],
            "repeated": 0,
            "id": 96
          },
          {
            "timestamp": "2026-05-28 22:02:12,635",
            "thread_id": "10724",
            "caller": "0x7ffc321703ea",
            "parentcaller": "0x7ffc321708ef",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000214"
              }
            ],
            "repeated": 0,
            "id": 97
          },
          {
            "timestamp": "2026-05-28 22:02:12,635",
            "thread_id": "10724",
            "caller": "0x7ffc3212bafb",
            "parentcaller": "0x7ffc3212b4af",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x56f0000bc000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 98
          },
          {
            "timestamp": "2026-05-28 22:02:12,650",
            "thread_id": "10724",
            "caller": "0x7ffc3212bafb",
            "parentcaller": "0x7ffc3212b4af",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x56f0000c8000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 99
          },
          {
            "timestamp": "2026-05-28 22:02:12,650",
            "thread_id": "10724",
            "caller": "0x7ffc3212ba80",
            "parentcaller": "0x7ffc3212ab16",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x56f000038000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 100
          },
          {
            "timestamp": "2026-05-28 22:02:12,650",
            "thread_id": "10724",
            "caller": "0x7ffc3212ba80",
            "parentcaller": "0x7ffc3212ab16",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x56f000090000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 101
          },
          {
            "timestamp": "2026-05-28 22:02:12,650",
            "thread_id": "10724",
            "caller": "0x7ffc3216feef",
            "parentcaller": "0x7ffc321700f0",
            "category": "misc",
            "api": "NtQuerySystemInformation",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SystemInformationClass",
                "value": "0",
                "pretty_value": "FILE_SUPERSEDE"
              }
            ],
            "repeated": 0,
            "id": 102
          },
          {
            "timestamp": "2026-05-28 22:02:12,650",
            "thread_id": "10724",
            "caller": "0x7ffc3216feef",
            "parentcaller": "0x7ffc321700f0",
            "category": "misc",
            "api": "NtQuerySystemInformation",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SystemInformationClass",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              }
            ],
            "repeated": 0,
            "id": 103
          },
          {
            "timestamp": "2026-05-28 22:02:12,650",
            "thread_id": "10724",
            "caller": "0x7ffc3217019b",
            "parentcaller": "0x7ffc321703bc",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000204"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000201",
                "pretty_value": "KEY_QUERY_VALUE|0x00000200"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\WOW6432Node\\Microsoft\\EdgeUpdate\\ClientState\\{56EB18F8-B008-4CBD-B6D2-8C97FE7E9062}"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\WOW6432Node\\Microsoft\\EdgeUpdate\\ClientState\\{56EB18F8-B008-4CBD-B6D2-8C97FE7E9062}"
              }
            ],
            "repeated": 0,
            "id": 104
          },
          {
            "timestamp": "2026-05-28 22:02:12,650",
            "thread_id": "10724",
            "caller": "0x7ffc321702c2",
            "parentcaller": "0x7ffc32170346",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000204"
              },
              {
                "name": "ValueName",
                "value": "ap"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\EdgeUpdate\\ClientState\\{56EB18F8-B008-4CBD-B6D2-8C97FE7E9062}\\ap"
              }
            ],
            "repeated": 0,
            "id": 105
          },
          {
            "timestamp": "2026-05-28 22:02:12,650",
            "thread_id": "10724",
            "caller": "0x7ffc321703ea",
            "parentcaller": "0x7ffc3217195d",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000204"
              }
            ],
            "repeated": 0,
            "id": 106
          },
          {
            "timestamp": "2026-05-28 22:02:12,650",
            "thread_id": "10724",
            "caller": "0x7ffc3216feef",
            "parentcaller": "0x7ffc321700f0",
            "category": "misc",
            "api": "NtQuerySystemInformation",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SystemInformationClass",
                "value": "0",
                "pretty_value": "FILE_SUPERSEDE"
              }
            ],
            "repeated": 0,
            "id": 107
          },
          {
            "timestamp": "2026-05-28 22:02:12,650",
            "thread_id": "10724",
            "caller": "0x7ffc3216feef",
            "parentcaller": "0x7ffc321700f0",
            "category": "misc",
            "api": "NtQuerySystemInformation",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SystemInformationClass",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              }
            ],
            "repeated": 0,
            "id": 108
          },
          {
            "timestamp": "2026-05-28 22:02:12,650",
            "thread_id": "10724",
            "caller": "0x7ffc3217019b",
            "parentcaller": "0x7ffc321703bc",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000204"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000201",
                "pretty_value": "KEY_QUERY_VALUE|0x00000200"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\WOW6432Node\\Microsoft\\EdgeUpdate\\ClientState\\{56EB18F8-B008-4CBD-B6D2-8C97FE7E9062}\\cohort"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\WOW6432Node\\Microsoft\\EdgeUpdate\\ClientState\\{56EB18F8-B008-4CBD-B6D2-8C97FE7E9062}\\cohort"
              }
            ],
            "repeated": 0,
            "id": 109
          },
          {
            "timestamp": "2026-05-28 22:02:12,650",
            "thread_id": "10724",
            "caller": "0x7ffc321702c2",
            "parentcaller": "0x7ffc32170346",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffff80000005",
            "pretty_return": "BUFFER_OVERFLOW",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000204"
              },
              {
                "name": "ValueName",
                "value": "name"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\EdgeUpdate\\ClientState\\{56EB18F8-B008-4CBD-B6D2-8C97FE7E9062}\\cohort\\name"
              }
            ],
            "repeated": 0,
            "id": 110
          },
          {
            "timestamp": "2026-05-28 22:02:12,650",
            "thread_id": "10724",
            "caller": "0x7ffc321702c2",
            "parentcaller": "0x7ffc32170346",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000204"
              },
              {
                "name": "ValueName",
                "value": "name"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "Information",
                "value": ""
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\EdgeUpdate\\ClientState\\{56EB18F8-B008-4CBD-B6D2-8C97FE7E9062}\\cohort\\name"
              }
            ],
            "repeated": 0,
            "id": 111
          },
          {
            "timestamp": "2026-05-28 22:02:12,650",
            "thread_id": "10724",
            "caller": "0x7ffc321703ea",
            "parentcaller": "0x7ffc321719ed",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000204"
              }
            ],
            "repeated": 0,
            "id": 112
          },
          {
            "timestamp": "2026-05-28 22:02:12,650",
            "thread_id": "10724",
            "caller": "0x7ffc322332c9",
            "parentcaller": "0x7ffc3217094e",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "10"
              },
              {
                "name": "TokenInformation",
                "value": "H\\xc5\n\\x00\\x00\\x00\\x00\\x00]Y\\x02\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x7f\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x94\\x0f\\x00\\x00\\x0e\\x00\\x00\\x00\\x18\\x00\\x00\\x00\t\\xc5\n\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 113
          },
          {
            "timestamp": "2026-05-28 22:02:12,650",
            "thread_id": "10724",
            "caller": "0x7ffc322332c9",
            "parentcaller": "0x7ffc3217094e",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000204"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\System\\CurrentControlSet\\Control\\Nls\\CustomLocale"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Nls\\CustomLocale"
              }
            ],
            "repeated": 0,
            "id": 114
          },
          {
            "timestamp": "2026-05-28 22:02:12,650",
            "thread_id": "10724",
            "caller": "0x7ffc322332c9",
            "parentcaller": "0x7ffc3217094e",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000204"
              },
              {
                "name": "ValueName",
                "value": "en-AU"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\en-AU"
              }
            ],
            "repeated": 0,
            "id": 115
          },
          {
            "timestamp": "2026-05-28 22:02:12,650",
            "thread_id": "10724",
            "caller": "0x7ffc322332c9",
            "parentcaller": "0x7ffc3217094e",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000204"
              }
            ],
            "repeated": 0,
            "id": 116
          },
          {
            "timestamp": "2026-05-28 22:02:12,650",
            "thread_id": "10724",
            "caller": "0x7ffc322332c9",
            "parentcaller": "0x7ffc3217094e",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000204"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\System\\CurrentControlSet\\Control\\Nls\\ExtendedLocale"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Nls\\ExtendedLocale"
              }
            ],
            "repeated": 0,
            "id": 117
          },
          {
            "timestamp": "2026-05-28 22:02:12,650",
            "thread_id": "10724",
            "caller": "0x7ffc322332c9",
            "parentcaller": "0x7ffc3217094e",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000204"
              },
              {
                "name": "ValueName",
                "value": "en-AU"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\ExtendedLocale\\en-AU"
              }
            ],
            "repeated": 0,
            "id": 118
          },
          {
            "timestamp": "2026-05-28 22:02:12,650",
            "thread_id": "10724",
            "caller": "0x7ffc322332c9",
            "parentcaller": "0x7ffc3217094e",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000204"
              }
            ],
            "repeated": 0,
            "id": 119
          },
          {
            "timestamp": "2026-05-28 22:02:12,650",
            "thread_id": "10724",
            "caller": "0x7ffc322332c9",
            "parentcaller": "0x7ffc3217094e",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000088"
              },
              {
                "name": "ValueName",
                "value": "000603xx"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "Information",
                "value": "kernel32.dll"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\Sorting\\Versions\\000603xx"
              }
            ],
            "repeated": 0,
            "id": 120
          },
          {
            "timestamp": "2026-05-28 22:02:12,650",
            "thread_id": "10724",
            "caller": "0x7ffc322332c9",
            "parentcaller": "0x7ffc3217094e",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "kernel32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76030000"
              }
            ],
            "repeated": 0,
            "id": 121
          },
          {
            "timestamp": "2026-05-28 22:02:12,650",
            "thread_id": "10724",
            "caller": "0x7ffc322332c9",
            "parentcaller": "0x7ffc3217094e",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x7ffc76030000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "kernel32.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 122
          },
          {
            "timestamp": "2026-05-28 22:02:12,650",
            "thread_id": "10724",
            "caller": "0x7ffc322332c9",
            "parentcaller": "0x7ffc3217094e",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "KERNEL32.DLL"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc76030000"
              },
              {
                "name": "FunctionName",
                "value": "SortGetHandle"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc7603a190"
              }
            ],
            "repeated": 0,
            "id": 123
          },
          {
            "timestamp": "2026-05-28 22:02:12,650",
            "thread_id": "10724",
            "caller": "0x7ffc322332c9",
            "parentcaller": "0x7ffc3217094e",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "KERNEL32.DLL"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc76030000"
              },
              {
                "name": "FunctionName",
                "value": "SortCloseHandle"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc76050170"
              }
            ],
            "repeated": 0,
            "id": 124
          },
          {
            "timestamp": "2026-05-28 22:02:12,650",
            "thread_id": "10724",
            "caller": "0x7ffc322332c9",
            "parentcaller": "0x7ffc3217094e",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000204"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Globalization\\Sorting\\sortdefault.nls"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "1",
                "pretty_value": "FILE_SHARE_READ"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000080",
                "pretty_value": "FILE_ATTRIBUTE_NORMAL"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 125
          },
          {
            "timestamp": "2026-05-28 22:02:12,650",
            "thread_id": "10724",
            "caller": "0x7ffc322332c9",
            "parentcaller": "0x7ffc3217094e",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000200"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000204"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Globalization\\Sorting\\SortDefault.nls"
              }
            ],
            "repeated": 0,
            "id": 126
          },
          {
            "timestamp": "2026-05-28 22:02:12,650",
            "thread_id": "10724",
            "caller": "0x7ffc322332c9",
            "parentcaller": "0x7ffc3217094e",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000200"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2a367500000"
              },
              {
                "name": "SectionOffset",
                "value": "0xb8f792e5a0"
              },
              {
                "name": "ViewSize",
                "value": "0x00338000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 127
          },
          {
            "timestamp": "2026-05-28 22:02:12,650",
            "thread_id": "10724",
            "caller": "0x7ffc322332c9",
            "parentcaller": "0x7ffc3217094e",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000200"
              }
            ],
            "repeated": 0,
            "id": 128
          },
          {
            "timestamp": "2026-05-28 22:02:12,650",
            "thread_id": "10724",
            "caller": "0x7ffc322332c9",
            "parentcaller": "0x7ffc3217094e",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000204"
              }
            ],
            "repeated": 0,
            "id": 129
          },
          {
            "timestamp": "2026-05-28 22:02:12,650",
            "thread_id": "10724",
            "caller": "0x7ffc322332c9",
            "parentcaller": "0x7ffc3217094e",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000204"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\System\\CurrentControlSet\\Control\\Nls\\Sorting\\Ids"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Nls\\Sorting\\Ids"
              }
            ],
            "repeated": 0,
            "id": 130
          },
          {
            "timestamp": "2026-05-28 22:02:12,650",
            "thread_id": "10724",
            "caller": "0x7ffc322332c9",
            "parentcaller": "0x7ffc3217094e",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000204"
              },
              {
                "name": "ValueName",
                "value": "en-AU"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\Sorting\\Ids\\en-AU"
              }
            ],
            "repeated": 0,
            "id": 131
          },
          {
            "timestamp": "2026-05-28 22:02:12,650",
            "thread_id": "10724",
            "caller": "0x7ffc322332c9",
            "parentcaller": "0x7ffc3217094e",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000204"
              },
              {
                "name": "ValueName",
                "value": "en"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\Sorting\\Ids\\en"
              }
            ],
            "repeated": 0,
            "id": 132
          },
          {
            "timestamp": "2026-05-28 22:02:12,650",
            "thread_id": "10724",
            "caller": "0x7ffc3212ba80",
            "parentcaller": "0x7ffc3212ab16",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x56f0000bc000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 133
          },
          {
            "timestamp": "2026-05-28 22:02:12,650",
            "thread_id": "10724",
            "caller": "0x7ffc3212ba80",
            "parentcaller": "0x7ffc3212ab16",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x56f0000c8000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 134
          },
          {
            "timestamp": "2026-05-28 22:02:12,650",
            "thread_id": "10724",
            "caller": "0x7ffc32170fba",
            "parentcaller": "0x7ffc32145699",
            "category": "misc",
            "api": "GetCommandLineW",
            "status": true,
            "return": "0x2a365403e96",
            "arguments": [
              {
                "name": "CommandLine",
                "value": "\"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\148.0.3967.83\\identity_helper.exe\" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=windows_package_identity --skip-read-main-dll --metrics-shmem-handle=5988,i,16463646965434194640,9756354988950792942,524288 --field-trial-handle=2464,i,11618049249894349634,12934656804764563957,262144 --variations-seed-version --pseudonymization-salt-handle=2472,i,15884246703223372676,9125995165493510780,4 --trace-process-track-uuid=3190708994745248135 --mojo-platform-channel-handle=6004 /prefetch:8"
              }
            ],
            "repeated": 0,
            "id": 135
          },
          {
            "timestamp": "2026-05-28 22:02:12,650",
            "thread_id": "10724",
            "caller": "0x7ffc3212bafb",
            "parentcaller": "0x7ffc3212b4af",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x56f0000d4000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 136
          },
          {
            "timestamp": "2026-05-28 22:02:12,650",
            "thread_id": "10724",
            "caller": "0x7ffc3212bafb",
            "parentcaller": "0x7ffc3212b4af",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x56f0000c8000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 137
          },
          {
            "timestamp": "2026-05-28 22:02:12,650",
            "thread_id": "10724",
            "caller": "0x7ffc3212bafb",
            "parentcaller": "0x7ffc3212b4af",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x56f0000bc000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 138
          },
          {
            "timestamp": "2026-05-28 22:02:12,650",
            "thread_id": "10724",
            "caller": "0x7ffc3212bafb",
            "parentcaller": "0x7ffc3212b4af",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x56f0000e4000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 139
          },
          {
            "timestamp": "2026-05-28 22:02:12,650",
            "thread_id": "10724",
            "caller": "0x7ffc3212ba80",
            "parentcaller": "0x7ffc3212ab16",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x56f0000ac000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 140
          },
          {
            "timestamp": "2026-05-28 22:02:12,650",
            "thread_id": "10724",
            "caller": "0x7ffc3212ba80",
            "parentcaller": "0x7ffc3212ab16",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x56f0000bc000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 141
          },
          {
            "timestamp": "2026-05-28 22:02:12,650",
            "thread_id": "10724",
            "caller": "0x7ffc3212ba80",
            "parentcaller": "0x7ffc3212ab16",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x56f0000e4000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 142
          },
          {
            "timestamp": "2026-05-28 22:02:12,650",
            "thread_id": "10724",
            "caller": "0x7ffc3212ba80",
            "parentcaller": "0x7ffc3212ab16",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x56f0000c8000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 143
          },
          {
            "timestamp": "2026-05-28 22:02:12,650",
            "thread_id": "10724",
            "caller": "0x7ffc321455e1",
            "parentcaller": "0x7ffc321456aa",
            "category": "misc",
            "api": "GetCommandLineW",
            "status": true,
            "return": "0x2a365403e96",
            "arguments": [
              {
                "name": "CommandLine",
                "value": "\"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\148.0.3967.83\\identity_helper.exe\" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=windows_package_identity --skip-read-main-dll --metrics-shmem-handle=5988,i,16463646965434194640,9756354988950792942,524288 --field-trial-handle=2464,i,11618049249894349634,12934656804764563957,262144 --variations-seed-version --pseudonymization-salt-handle=2472,i,15884246703223372676,9125995165493510780,4 --trace-process-track-uuid=3190708994745248135 --mojo-platform-channel-handle=6004 /prefetch:8"
              }
            ],
            "repeated": 1,
            "id": 144
          },
          {
            "timestamp": "2026-05-28 22:02:12,650",
            "thread_id": "10724",
            "caller": "0x7ffc3212bafb",
            "parentcaller": "0x7ffc3212b4af",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x56f0000c8000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 145
          },
          {
            "timestamp": "2026-05-28 22:02:12,650",
            "thread_id": "10724",
            "caller": "0x7ffc3212bafb",
            "parentcaller": "0x7ffc3212b4af",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x56f0000bc000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 146
          },
          {
            "timestamp": "2026-05-28 22:02:12,650",
            "thread_id": "10724",
            "caller": "0x7ffc3212bafb",
            "parentcaller": "0x7ffc3212b4af",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x56f0000e4000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 147
          },
          {
            "timestamp": "2026-05-28 22:02:12,650",
            "thread_id": "10724",
            "caller": "0x7ffc3212bafb",
            "parentcaller": "0x7ffc3212b4af",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x56f0000ac000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 148
          },
          {
            "timestamp": "2026-05-28 22:02:12,650",
            "thread_id": "10724",
            "caller": "0x7ffc3212ba80",
            "parentcaller": "0x7ffc3212ab16",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x56f0000bc000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 149
          },
          {
            "timestamp": "2026-05-28 22:02:12,650",
            "thread_id": "10724",
            "caller": "0x7ffc3212ba80",
            "parentcaller": "0x7ffc3212ab16",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x56f0000e4000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 150
          },
          {
            "timestamp": "2026-05-28 22:02:12,650",
            "thread_id": "10724",
            "caller": "0x7ffc3212bafb",
            "parentcaller": "0x7ffc3212b4af",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x56f0000bc000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 151
          },
          {
            "timestamp": "2026-05-28 22:02:12,650",
            "thread_id": "10724",
            "caller": "0x7ffc3212bafb",
            "parentcaller": "0x7ffc3212b4af",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x56f0000e4000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 152
          },
          {
            "timestamp": "2026-05-28 22:02:12,650",
            "thread_id": "10724",
            "caller": "0x7ffc3212bafb",
            "parentcaller": "0x7ffc3212b4af",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x56f0000f0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 153
          },
          {
            "timestamp": "2026-05-28 22:02:12,666",
            "thread_id": "10724",
            "caller": "0x7ffc3212ba80",
            "parentcaller": "0x7ffc3212ab16",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x56f0000ac000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 154
          },
          {
            "timestamp": "2026-05-28 22:02:12,666",
            "thread_id": "10724",
            "caller": "0x7ffc3212ba80",
            "parentcaller": "0x7ffc3212ab16",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x56f0000c8000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 155
          },
          {
            "timestamp": "2026-05-28 22:02:12,666",
            "thread_id": "10724",
            "caller": "0x7ffc3212ba80",
            "parentcaller": "0x7ffc3212ab16",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x56f0000bc000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 156
          },
          {
            "timestamp": "2026-05-28 22:02:12,666",
            "thread_id": "10724",
            "caller": "0x7ffc3212ba80",
            "parentcaller": "0x7ffc3212ab16",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x56f0000e4000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 157
          },
          {
            "timestamp": "2026-05-28 22:02:12,666",
            "thread_id": "10724",
            "caller": "0x7ffc3212ba80",
            "parentcaller": "0x7ffc3212ab16",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x56f0000f0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 158
          },
          {
            "timestamp": "2026-05-28 22:02:12,666",
            "thread_id": "10724",
            "caller": "0x7ffc321bf562",
            "parentcaller": "0x7ffc323775e5",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "kernel32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76030000"
              }
            ],
            "repeated": 0,
            "id": 159
          },
          {
            "timestamp": "2026-05-28 22:02:12,666",
            "thread_id": "10724",
            "caller": "0x7ffc321bf562",
            "parentcaller": "0x7ffc323775e5",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x7ffc76030000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "kernel32.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 160
          },
          {
            "timestamp": "2026-05-28 22:02:12,666",
            "thread_id": "10724",
            "caller": "0x7ffc323775e5",
            "parentcaller": "0x7ffc323720c4",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "KERNEL32.DLL"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc76030000"
              },
              {
                "name": "FunctionName",
                "value": "InitializeCriticalSectionEx"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc76054d00"
              }
            ],
            "repeated": 0,
            "id": 161
          },
          {
            "timestamp": "2026-05-28 22:02:12,666",
            "thread_id": "10724",
            "caller": "0x7ffc321bf3fe",
            "parentcaller": "0x7ffc32372105",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000214"
              },
              {
                "name": "DesiredAccess",
                "value": "0xc0100080",
                "pretty_value": "GENERIC_READ|GENERIC_WRITE|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "\\??\\pipe\\crashpad_9188_ZJBFJUVMSIRHHEHU"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "0"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "no"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 162
          },
          {
            "timestamp": "2026-05-28 22:02:12,666",
            "thread_id": "10724",
            "caller": "0x7ffc321bf425",
            "parentcaller": "0x7ffc32372105",
            "category": "filesystem",
            "api": "NtSetInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000214"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\NamedPipe\\crashpad_9188_ZJBFJUVMSIRHHEHU"
              },
              {
                "name": "FileInformationClass",
                "value": "23",
                "pretty_value": "FilePipeInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 163
          },
          {
            "timestamp": "2026-05-28 22:02:12,666",
            "thread_id": "10724",
            "caller": "0x7ffc321bf9bb",
            "parentcaller": "0x7ffc321bff6d",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000214"
              }
            ],
            "repeated": 0,
            "id": 164
          },
          {
            "timestamp": "2026-05-28 22:02:12,666",
            "thread_id": "10724",
            "caller": "0x7ffc32370ad2",
            "parentcaller": "0x7ffc3237213f",
            "category": "hooking",
            "api": "SetUnhandledExceptionFilter",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ExceptionFilter",
                "value": "0x7ffc32371e30"
              }
            ],
            "repeated": 0,
            "id": 165
          },
          {
            "timestamp": "2026-05-28 22:02:12,666",
            "thread_id": "10724",
            "caller": "0x7ffc32370ae4",
            "parentcaller": "0x7ffc3237213f",
            "category": "hooking",
            "api": "RtlAddVectoredExceptionHandler",
            "status": true,
            "return": "0x2a3653e07e0",
            "arguments": [
              {
                "name": "First",
                "value": "1"
              },
              {
                "name": "Handler",
                "value": "0x7ffc32371f50"
              }
            ],
            "repeated": 0,
            "id": 166
          },
          {
            "timestamp": "2026-05-28 22:02:12,666",
            "thread_id": "10724",
            "caller": "0x7ffc32172947",
            "parentcaller": "0x7ffc321728b9",
            "category": "misc",
            "api": "NtQuerySystemInformation",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SystemInformationClass",
                "value": "0",
                "pretty_value": "SystemBasicInformation"
              }
            ],
            "repeated": 0,
            "id": 167
          },
          {
            "timestamp": "2026-05-28 22:02:12,666",
            "thread_id": "10724",
            "caller": "0x7ffc32172947",
            "parentcaller": "0x7ffc321728b9",
            "category": "misc",
            "api": "NtQuerySystemInformation",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SystemInformationClass",
                "value": "1",
                "pretty_value": "SystemProcessorInformation"
              }
            ],
            "repeated": 0,
            "id": 168
          },
          {
            "timestamp": "2026-05-28 22:02:12,666",
            "thread_id": "10724",
            "caller": "0x7ffc32272986",
            "parentcaller": "0x7ffc322728f3",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff66ccb2000"
              },
              {
                "name": "ModuleName",
                "value": "identity_helper.exe"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 169
          },
          {
            "timestamp": "2026-05-28 22:02:12,666",
            "thread_id": "10724",
            "caller": "0x7ffc322729aa",
            "parentcaller": "0x7ffc322728f3",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff66ccb2000"
              },
              {
                "name": "ModuleName",
                "value": "identity_helper.exe"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 170
          },
          {
            "timestamp": "2026-05-28 22:02:12,666",
            "thread_id": "10724",
            "caller": "0x7ffc322729aa",
            "parentcaller": "0x7ffc322728f3",
            "category": "system",
            "api": "LdrpCallInitRoutine",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "MappedPath",
                "value": "\\Device\\HarddiskVolume2\\Program Files (x86)\\Microsoft\\Edge\\Application\\148.0.3967.83\\msedge_elf"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc32000000"
              },
              {
                "name": "InitRoutine",
                "value": "0x7ffc321dd2f0"
              },
              {
                "name": "Reason",
                "value": "1"
              }
            ],
            "repeated": 0,
            "id": 171
          },
          {
            "timestamp": "2026-05-28 22:02:12,666",
            "thread_id": "10724",
            "caller": "0x7ffc64cc125f",
            "parentcaller": "0x7ffc75d1e473",
            "category": "misc",
            "api": "GetSystemInfo",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 172
          },
          {
            "timestamp": "2026-05-28 22:02:12,682",
            "thread_id": "10724",
            "caller": "0x7ffc77ff2caa",
            "parentcaller": "0x7ffc77ff2fbd",
            "category": "process",
            "api": "NtAllocateVirtualMemoryEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2a365435000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 173
          },
          {
            "timestamp": "2026-05-28 22:02:12,682",
            "thread_id": "10724",
            "caller": "0x7ffc7571c976",
            "parentcaller": "0x7ffc64cd81dc",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc64e9b000"
              },
              {
                "name": "ModuleName",
                "value": "dbghelp.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00003000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 174
          },
          {
            "timestamp": "2026-05-28 22:02:12,682",
            "thread_id": "10724",
            "caller": "0x7ffc756e56b2",
            "parentcaller": "0x7ffc756de6a1",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "api-ms-win-core-file-l1-2-1.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc756b0000"
              }
            ],
            "repeated": 0,
            "id": 175
          },
          {
            "timestamp": "2026-05-28 22:02:12,682",
            "thread_id": "10724",
            "caller": "0x7ffc756e56b2",
            "parentcaller": "0x7ffc756de6a1",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x7ffc756b0000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "api-ms-win-core-file-l1-2-1.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 176
          },
          {
            "timestamp": "2026-05-28 22:02:12,682",
            "thread_id": "10724",
            "caller": "0x7ffc756eac31",
            "parentcaller": "0x7ffc64cd8089",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "KERNELBASE.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc756b0000"
              },
              {
                "name": "FunctionName",
                "value": "GetTempPathW"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc75724af0"
              }
            ],
            "repeated": 0,
            "id": 177
          },
          {
            "timestamp": "2026-05-28 22:02:12,682",
            "thread_id": "10724",
            "caller": "0x7ffc7571c976",
            "parentcaller": "0x7ffc64cd826c",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc64e9b000"
              },
              {
                "name": "ModuleName",
                "value": "dbghelp.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00003000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 178
          },
          {
            "timestamp": "2026-05-28 22:02:12,682",
            "thread_id": "10724",
            "caller": "0x7ffc7571c976",
            "parentcaller": "0x7ffc64cd826c",
            "category": "system",
            "api": "LdrpCallInitRoutine",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "MappedPath",
                "value": "\\Device\\HarddiskVolume2\\Windows\\System32\\dbghelp"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc64cc0000"
              },
              {
                "name": "InitRoutine",
                "value": "0x7ffc64cdb1a0"
              },
              {
                "name": "Reason",
                "value": "1"
              }
            ],
            "repeated": 0,
            "id": 179
          },
          {
            "timestamp": "2026-05-28 22:02:12,697",
            "thread_id": "10724",
            "caller": "0x7ffc77fe9aff",
            "parentcaller": "0x7ffc780a3d4d",
            "category": "system",
            "api": "LdrpCallInitRoutine",
            "status": true,
            "return": "0x000000a0",
            "arguments": [
              {
                "name": "MappedPath",
                "value": "\\Device\\HarddiskVolume2\\Program Files (x86)\\Microsoft\\Edge\\Application\\148.0.3967.83\\identity_helper.exe"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff66ca90000"
              },
              {
                "name": "InitRoutine",
                "value": "0x7ff66cb1fba0"
              },
              {
                "name": "Reason",
                "value": "1"
              }
            ],
            "repeated": 0,
            "id": 180
          },
          {
            "timestamp": "2026-05-28 22:02:12,713",
            "thread_id": "10724",
            "caller": "0x7ffc77fe9aff",
            "parentcaller": "0x7ffc780a3d4d",
            "category": "system",
            "api": "LdrpCallInitRoutine",
            "status": true,
            "return": "0x00000080",
            "arguments": [
              {
                "name": "MappedPath",
                "value": "\\Device\\HarddiskVolume2\\Program Files (x86)\\Microsoft\\Edge\\Application\\148.0.3967.83\\identity_helper.exe"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff66ca90000"
              },
              {
                "name": "InitRoutine",
                "value": "0x7ff66cb64280"
              },
              {
                "name": "Reason",
                "value": "1"
              }
            ],
            "repeated": 0,
            "id": 181
          },
          {
            "timestamp": "2026-05-28 22:02:12,729",
            "thread_id": "10724",
            "caller": "0x7ffc77fe9aff",
            "parentcaller": "0x7ffc780a3d4d",
            "category": "system",
            "api": "LdrpCallInitRoutine",
            "status": true,
            "return": "0x00000061",
            "arguments": [
              {
                "name": "MappedPath",
                "value": "\\Device\\HarddiskVolume2\\Program Files (x86)\\Microsoft\\Edge\\Application\\148.0.3967.83\\identity_helper.exe"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff66ca90000"
              },
              {
                "name": "InitRoutine",
                "value": "0x7ff66cb4a0e0"
              },
              {
                "name": "Reason",
                "value": "1"
              }
            ],
            "repeated": 0,
            "id": 182
          },
          {
            "timestamp": "2026-05-28 22:02:12,775",
            "thread_id": "10724",
            "caller": "0x7ffc77fe9aff",
            "parentcaller": "0x7ffc780a3d4d",
            "category": "system",
            "api": "LdrpCallInitRoutine",
            "status": false,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "MappedPath",
                "value": "\\Device\\HarddiskVolume2\\Program Files (x86)\\Microsoft\\Edge\\Application\\148.0.3967.83\\identity_helper.exe"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff66ca90000"
              },
              {
                "name": "InitRoutine",
                "value": "0x7ff66cb64300"
              },
              {
                "name": "Reason",
                "value": "1"
              }
            ],
            "repeated": 0,
            "id": 183
          },
          {
            "timestamp": "2026-05-28 22:02:12,791",
            "thread_id": "10724",
            "caller": "0x7ffc77fe9aff",
            "parentcaller": "0x7ffc780a3d4d",
            "category": "system",
            "api": "LdrpCallInitRoutine",
            "status": false,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "MappedPath",
                "value": "\\Device\\HarddiskVolume2\\Program Files (x86)\\Microsoft\\Edge\\Application\\148.0.3967.83\\identity_helper.exe"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff66ca90000"
              },
              {
                "name": "InitRoutine",
                "value": "0x7ff66cb05840"
              },
              {
                "name": "Reason",
                "value": "1"
              }
            ],
            "repeated": 0,
            "id": 184
          },
          {
            "timestamp": "2026-05-28 22:02:12,807",
            "thread_id": "10724",
            "caller": "0x7ffc77fe9aff",
            "parentcaller": "0x7ffc780a3d4d",
            "category": "system",
            "api": "LdrpCallInitRoutine",
            "status": true,
            "return": "0x00000080",
            "arguments": [
              {
                "name": "MappedPath",
                "value": "\\Device\\HarddiskVolume2\\Program Files (x86)\\Microsoft\\Edge\\Application\\148.0.3967.83\\identity_helper.exe"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff66ca90000"
              },
              {
                "name": "InitRoutine",
                "value": "0x7ff66cb45f80"
              },
              {
                "name": "Reason",
                "value": "1"
              }
            ],
            "repeated": 0,
            "id": 185
          },
          {
            "timestamp": "2026-05-28 22:02:12,807",
            "thread_id": "10724",
            "caller": "0x7ffc7804507d",
            "parentcaller": "0x7ffc78044c43",
            "category": "threading",
            "api": "NtTestAlert",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 186
          },
          {
            "timestamp": "2026-05-28 22:02:12,807",
            "thread_id": "10724",
            "caller": "0x00000000",
            "parentcaller": "0x00000000",
            "category": "threading",
            "api": "RtlUserThreadStart",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "StartAddress",
                "value": "0x7ff66cb64f90"
              },
              {
                "name": "Parameter",
                "value": "0xb8f7be5000"
              }
            ],
            "repeated": 0,
            "id": 187
          },
          {
            "timestamp": "2026-05-28 22:02:12,822",
            "thread_id": "10844",
            "caller": "0x7ffc3212bafb",
            "parentcaller": "0x7ffc3212b4af",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x56f000100000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 188
          },
          {
            "timestamp": "2026-05-28 22:02:12,822",
            "thread_id": "10844",
            "caller": "0x7ffc7804507d",
            "parentcaller": "0x7ffc78044c43",
            "category": "threading",
            "api": "NtTestAlert",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 189
          },
          {
            "timestamp": "2026-05-28 22:02:12,822",
            "thread_id": "10844",
            "caller": "0x00000000",
            "parentcaller": "0x00000000",
            "category": "threading",
            "api": "RtlUserThreadStart",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "StartAddress",
                "value": "0x7ffc33bb1ed0"
              },
              {
                "name": "Parameter",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 190
          },
          {
            "timestamp": "2026-05-28 22:02:12,822",
            "thread_id": "10840",
            "caller": "0x7ffc77ff2caa",
            "parentcaller": "0x7ffc77ff2fbd",
            "category": "process",
            "api": "NtAllocateVirtualMemoryEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2a365505000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 191
          },
          {
            "timestamp": "2026-05-28 22:02:12,822",
            "thread_id": "10840",
            "caller": "0x7ffc7804507d",
            "parentcaller": "0x7ffc78044c43",
            "category": "threading",
            "api": "NtTestAlert",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 192
          },
          {
            "timestamp": "2026-05-28 22:02:12,822",
            "thread_id": "10840",
            "caller": "0x00000000",
            "parentcaller": "0x00000000",
            "category": "threading",
            "api": "RtlUserThreadStart",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "StartAddress",
                "value": "0x7ffc33bb2030"
              },
              {
                "name": "Parameter",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 193
          },
          {
            "timestamp": "2026-05-28 22:02:12,822",
            "thread_id": "10836",
            "caller": "0x7ffc77ff2caa",
            "parentcaller": "0x7ffc77ff2fbd",
            "category": "process",
            "api": "NtAllocateVirtualMemoryEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2a365424000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 194
          },
          {
            "timestamp": "2026-05-28 22:02:12,822",
            "thread_id": "10836",
            "caller": "0x7ffc7804507d",
            "parentcaller": "0x7ffc78044c43",
            "category": "threading",
            "api": "NtTestAlert",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 195
          },
          {
            "timestamp": "2026-05-28 22:02:12,822",
            "thread_id": "10836",
            "caller": "0x00000000",
            "parentcaller": "0x00000000",
            "category": "threading",
            "api": "RtlUserThreadStart",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "StartAddress",
                "value": "0x7ffc33bb1e10"
              },
              {
                "name": "Parameter",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 196
          },
          {
            "timestamp": "2026-05-28 22:02:12,822",
            "thread_id": "10832",
            "caller": "0x7ffc3212bafb",
            "parentcaller": "0x7ffc3212b4af",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x56f000005000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 197
          },
          {
            "timestamp": "2026-05-28 22:02:12,822",
            "thread_id": "10832",
            "caller": "0x7ffc7804507d",
            "parentcaller": "0x7ffc78044c43",
            "category": "threading",
            "api": "NtTestAlert",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 198
          },
          {
            "timestamp": "2026-05-28 22:02:12,822",
            "thread_id": "10832",
            "caller": "0x00000000",
            "parentcaller": "0x00000000",
            "category": "threading",
            "api": "RtlUserThreadStart",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "StartAddress",
                "value": "0x7ffc33bb1a00"
              },
              {
                "name": "Parameter",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 199
          },
          {
            "timestamp": "2026-05-28 22:02:12,854",
            "thread_id": "10724",
            "caller": "0x7ff66cb84096",
            "parentcaller": "0x7ff66cb85b4a",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff66cd14000"
              },
              {
                "name": "ModuleName",
                "value": "identity_helper.exe"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000008",
                "pretty_value": "PAGE_WRITECOPY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 200
          },
          {
            "timestamp": "2026-05-28 22:02:12,854",
            "thread_id": "10724",
            "caller": "0x7ff66cb84a67",
            "parentcaller": "0x7ff66cb849e7",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "api-ms-win-core-fibers-l1-1-2"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc756b0000"
              }
            ],
            "repeated": 0,
            "id": 201
          },
          {
            "timestamp": "2026-05-28 22:02:12,854",
            "thread_id": "10724",
            "caller": "0x7ff66cb84a67",
            "parentcaller": "0x7ff66cb849e7",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x7ffc756b0000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "api-ms-win-core-fibers-l1-1-2"
              },
              {
                "name": "dwFlags",
                "value": "0x00000800"
              }
            ],
            "repeated": 0,
            "id": 202
          },
          {
            "timestamp": "2026-05-28 22:02:12,854",
            "thread_id": "10724",
            "caller": "0x7ff66cb84b98",
            "parentcaller": "0x7ff66cb849e7",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": false,
            "return": "0xffffffffc0000139",
            "pretty_return": "ENTRYPOINT_NOT_FOUND",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "KERNELBASE.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc756b0000"
              },
              {
                "name": "FunctionName",
                "value": "FlsGetValue2"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 203
          },
          {
            "timestamp": "2026-05-28 22:02:12,854",
            "thread_id": "10724",
            "caller": "0x7ff66cb84b17",
            "parentcaller": "0x7ff66cb849e7",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff66cd14000"
              },
              {
                "name": "ModuleName",
                "value": "identity_helper.exe"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 204
          },
          {
            "timestamp": "2026-05-28 22:02:12,854",
            "thread_id": "10724",
            "caller": "0x7ff66cb84b48",
            "parentcaller": "0x7ff66cb849e7",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff66cd14000"
              },
              {
                "name": "ModuleName",
                "value": "identity_helper.exe"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 205
          },
          {
            "timestamp": "2026-05-28 22:02:12,854",
            "thread_id": "10724",
            "caller": "0x7ff66caf1500",
            "parentcaller": "0x7ff66cb47156",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "bcryptprimitives.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc75fa0000"
              }
            ],
            "repeated": 0,
            "id": 206
          },
          {
            "timestamp": "2026-05-28 22:02:12,854",
            "thread_id": "10724",
            "caller": "0x7ff66caf1500",
            "parentcaller": "0x7ff66cb47156",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x7ffc75fa0000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "bcryptprimitives.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 207
          },
          {
            "timestamp": "2026-05-28 22:02:12,854",
            "thread_id": "10724",
            "caller": "0x7ff66caf1519",
            "parentcaller": "0x7ff66cb47156",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "bcryptprimitives.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc75fa0000"
              },
              {
                "name": "FunctionName",
                "value": "ProcessPrng"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc75fb5010"
              }
            ],
            "repeated": 0,
            "id": 208
          },
          {
            "timestamp": "2026-05-28 22:02:12,854",
            "thread_id": "10724",
            "caller": "0x7ff66cb4805c",
            "parentcaller": "0x7ff66cb48237",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x44f000000000"
              },
              {
                "name": "RegionSize",
                "value": "0x800000000"
              },
              {
                "name": "Protection",
                "value": "0x00000001",
                "pretty_value": "PAGE_NOACCESS"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 209
          },
          {
            "timestamp": "2026-05-28 22:02:12,854",
            "thread_id": "10724",
            "caller": "0x7ff66cb4805c",
            "parentcaller": "0x7ff66cb48237",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x10d7d6d30000"
              },
              {
                "name": "RegionSize",
                "value": "0x400000000"
              },
              {
                "name": "Protection",
                "value": "0x00000001",
                "pretty_value": "PAGE_NOACCESS"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 210
          },
          {
            "timestamp": "2026-05-28 22:02:12,854",
            "thread_id": "10724",
            "caller": "0x7ff66cb480d8",
            "parentcaller": "0x7ff66caf297f",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x10d7d6d31000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 211
          },
          {
            "timestamp": "2026-05-28 22:02:12,854",
            "thread_id": "10724",
            "caller": "0x7ff66caf2b9b",
            "parentcaller": "0x7ff66caf254f",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x44f000004000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 212
          },
          {
            "timestamp": "2026-05-28 22:02:12,854",
            "thread_id": "10724",
            "caller": "0x7ff66caf2b9b",
            "parentcaller": "0x7ff66caf254f",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x44f000008000"
              },
              {
                "name": "RegionSize",
                "value": "0x00002000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 213
          },
          {
            "timestamp": "2026-05-28 22:02:12,854",
            "thread_id": "10724",
            "caller": "0x7ff66cb84faa",
            "parentcaller": "0x7ff66cb85b4a",
            "category": "misc",
            "api": "GetCommandLineA",
            "status": true,
            "return": "0x2a365405850",
            "arguments": [
              {
                "name": "CommandLine",
                "value": "\"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\148.0.3967.83\\identity_helper.exe\" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=windows_package_identity --skip-read-main-dll --metrics-shmem-handle=5988,i,16463646965434194640,9756354988950792942,524288 --field-trial-handle=2464,i,11618049249894349634,12934656804764563957,262144 --variations-seed-version --pseudonymization-salt-handle=2472,i,15884246703223372676,9125995165493510780,4 --trace-process-track-uuid=3190708994745248135 --mojo-platform-channel-handle=6004 /prefetch:8"
              }
            ],
            "repeated": 0,
            "id": 214
          },
          {
            "timestamp": "2026-05-28 22:02:12,854",
            "thread_id": "10724",
            "caller": "0x7ff66cb84fb7",
            "parentcaller": "0x7ff66cb85b4a",
            "category": "misc",
            "api": "GetCommandLineW",
            "status": true,
            "return": "0x2a365403e96",
            "arguments": [
              {
                "name": "CommandLine",
                "value": "\"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\148.0.3967.83\\identity_helper.exe\" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=windows_package_identity --skip-read-main-dll --metrics-shmem-handle=5988,i,16463646965434194640,9756354988950792942,524288 --field-trial-handle=2464,i,11618049249894349634,12934656804764563957,262144 --variations-seed-version --pseudonymization-salt-handle=2472,i,15884246703223372676,9125995165493510780,4 --trace-process-track-uuid=3190708994745248135 --mojo-platform-channel-handle=6004 /prefetch:8"
              }
            ],
            "repeated": 0,
            "id": 215
          },
          {
            "timestamp": "2026-05-28 22:02:12,854",
            "thread_id": "10724",
            "caller": "0x7ff66caf2b9b",
            "parentcaller": "0x7ff66caf254f",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x44f000018000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 216
          },
          {
            "timestamp": "2026-05-28 22:02:12,854",
            "thread_id": "10724",
            "caller": "0x7ff66cb84a67",
            "parentcaller": "0x7ff66cb84607",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "api-ms-win-core-localization-l1-2-1"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc756b0000"
              }
            ],
            "repeated": 0,
            "id": 217
          },
          {
            "timestamp": "2026-05-28 22:02:12,854",
            "thread_id": "10724",
            "caller": "0x7ff66cb84a67",
            "parentcaller": "0x7ff66cb84607",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x7ffc756b0000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "api-ms-win-core-localization-l1-2-1"
              },
              {
                "name": "dwFlags",
                "value": "0x00000800"
              }
            ],
            "repeated": 0,
            "id": 218
          },
          {
            "timestamp": "2026-05-28 22:02:12,854",
            "thread_id": "10724",
            "caller": "0x7ff66cb84b98",
            "parentcaller": "0x7ff66cb84607",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "KERNELBASE.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc756b0000"
              },
              {
                "name": "FunctionName",
                "value": "LCMapStringEx"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc756cd3c0"
              }
            ],
            "repeated": 0,
            "id": 219
          },
          {
            "timestamp": "2026-05-28 22:02:12,854",
            "thread_id": "10724",
            "caller": "0x7ff66cb84b17",
            "parentcaller": "0x7ff66cb84607",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff66cd14000"
              },
              {
                "name": "ModuleName",
                "value": "identity_helper.exe"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 220
          },
          {
            "timestamp": "2026-05-28 22:02:12,854",
            "thread_id": "10724",
            "caller": "0x7ff66cb84b48",
            "parentcaller": "0x7ff66cb84607",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff66cd14000"
              },
              {
                "name": "ModuleName",
                "value": "identity_helper.exe"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 221
          },
          {
            "timestamp": "2026-05-28 22:02:12,854",
            "thread_id": "10724",
            "caller": "0x7ff66caf2b9b",
            "parentcaller": "0x7ff66caf254f",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x44f000028000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 222
          },
          {
            "timestamp": "2026-05-28 22:02:12,854",
            "thread_id": "10724",
            "caller": "0x7ff66caf2b9b",
            "parentcaller": "0x7ff66caf254f",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x44f00002c000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 223
          },
          {
            "timestamp": "2026-05-28 22:02:12,854",
            "thread_id": "10724",
            "caller": "0x7ff66cb8b002",
            "parentcaller": "0x7ff66cb75732",
            "category": "process",
            "api": "NtAllocateVirtualMemoryEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2a365425000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 224
          },
          {
            "timestamp": "2026-05-28 22:02:12,854",
            "thread_id": "10724",
            "caller": "0x7ff66caf2b9b",
            "parentcaller": "0x7ff66caf254f",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x44f000038000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 225
          },
          {
            "timestamp": "2026-05-28 22:02:12,854",
            "thread_id": "10724",
            "caller": "0x7ff66caf2b9b",
            "parentcaller": "0x7ff66caf254f",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x44f00003c000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 226
          },
          {
            "timestamp": "2026-05-28 22:02:12,854",
            "thread_id": "10724",
            "caller": "0x7ff66caf2b9b",
            "parentcaller": "0x7ff66caf254f",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x44f000048000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 227
          },
          {
            "timestamp": "2026-05-28 22:02:12,854",
            "thread_id": "10724",
            "caller": "0x7ff66caf2b9b",
            "parentcaller": "0x7ff66caf254f",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x44f00004c000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 228
          },
          {
            "timestamp": "2026-05-28 22:02:12,854",
            "thread_id": "10724",
            "caller": "0x7ff66caf2b9b",
            "parentcaller": "0x7ff66caf254f",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x44f00005c000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 229
          },
          {
            "timestamp": "2026-05-28 22:02:12,854",
            "thread_id": "10724",
            "caller": "0x7ff66caf2b9b",
            "parentcaller": "0x7ff66caf254f",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x44f00006c000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 230
          },
          {
            "timestamp": "2026-05-28 22:02:12,854",
            "thread_id": "10724",
            "caller": "0x7ff66caf2b9b",
            "parentcaller": "0x7ff66caf254f",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x44f000070000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 231
          },
          {
            "timestamp": "2026-05-28 22:02:12,854",
            "thread_id": "10724",
            "caller": "0x7ff66caf2b9b",
            "parentcaller": "0x7ff66caf254f",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x44f000080000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 232
          },
          {
            "timestamp": "2026-05-28 22:02:12,854",
            "thread_id": "10724",
            "caller": "0x7ff66caf2b9b",
            "parentcaller": "0x7ff66caf254f",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x44f00008c000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 233
          },
          {
            "timestamp": "2026-05-28 22:02:12,854",
            "thread_id": "10724",
            "caller": "0x7ff66caf2b9b",
            "parentcaller": "0x7ff66caf254f",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x44f000098000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 234
          },
          {
            "timestamp": "2026-05-28 22:02:12,854",
            "thread_id": "10724",
            "caller": "0x7ff66caf2b9b",
            "parentcaller": "0x7ff66caf254f",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x44f00009c000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 235
          },
          {
            "timestamp": "2026-05-28 22:02:12,854",
            "thread_id": "10724",
            "caller": "0x7ff66caf2b9b",
            "parentcaller": "0x7ff66caf254f",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x44f0000ac000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 236
          },
          {
            "timestamp": "2026-05-28 22:02:12,854",
            "thread_id": "10724",
            "caller": "0x7ff66cb12d71",
            "parentcaller": "0x7ff66cb75bf2",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "kernel32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc76030000"
              }
            ],
            "repeated": 0,
            "id": 237
          },
          {
            "timestamp": "2026-05-28 22:02:12,854",
            "thread_id": "10724",
            "caller": "0x7ff66cb12d81",
            "parentcaller": "0x7ff66cb75bf2",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "KERNEL32.DLL"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc76030000"
              },
              {
                "name": "FunctionName",
                "value": "GetSystemTimePreciseAsFileTime"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc76055350"
              }
            ],
            "repeated": 0,
            "id": 238
          },
          {
            "timestamp": "2026-05-28 22:02:12,854",
            "thread_id": "10724",
            "caller": "0x7ff66caf2b9b",
            "parentcaller": "0x7ff66caf254f",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x44f0000b4000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 239
          },
          {
            "timestamp": "2026-05-28 22:02:12,854",
            "thread_id": "10724",
            "caller": "0x7ff66caf2b9b",
            "parentcaller": "0x7ff66caf254f",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x44f0000b8000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 240
          },
          {
            "timestamp": "2026-05-28 22:02:12,854",
            "thread_id": "10724",
            "caller": "0x7ff66cb84a67",
            "parentcaller": "0x7ff66cb84834",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "kernel32"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76030000"
              }
            ],
            "repeated": 0,
            "id": 241
          },
          {
            "timestamp": "2026-05-28 22:02:12,854",
            "thread_id": "10724",
            "caller": "0x7ff66cb84a67",
            "parentcaller": "0x7ff66cb84834",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x7ffc76030000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "kernel32"
              },
              {
                "name": "dwFlags",
                "value": "0x00000800"
              }
            ],
            "repeated": 0,
            "id": 242
          },
          {
            "timestamp": "2026-05-28 22:02:12,854",
            "thread_id": "10724",
            "caller": "0x7ff66cb84b98",
            "parentcaller": "0x7ff66cb84834",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "KERNEL32.DLL"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc76030000"
              },
              {
                "name": "FunctionName",
                "value": "AreFileApisANSI"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc76050f00"
              }
            ],
            "repeated": 0,
            "id": 243
          },
          {
            "timestamp": "2026-05-28 22:02:12,854",
            "thread_id": "10724",
            "caller": "0x7ff66cb84b17",
            "parentcaller": "0x7ff66cb84834",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff66cd14000"
              },
              {
                "name": "ModuleName",
                "value": "identity_helper.exe"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 244
          },
          {
            "timestamp": "2026-05-28 22:02:12,854",
            "thread_id": "10724",
            "caller": "0x7ff66cb84b48",
            "parentcaller": "0x7ff66cb84834",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff66cd14000"
              },
              {
                "name": "ModuleName",
                "value": "identity_helper.exe"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 245
          },
          {
            "timestamp": "2026-05-28 22:02:12,854",
            "thread_id": "10724",
            "caller": "0x7ff66cb84a67",
            "parentcaller": "0x7ff66cb84839",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "api-ms-win-core-string-l1-1-0"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc756b0000"
              }
            ],
            "repeated": 0,
            "id": 246
          },
          {
            "timestamp": "2026-05-28 22:02:12,854",
            "thread_id": "10724",
            "caller": "0x7ff66cb84a67",
            "parentcaller": "0x7ff66cb84839",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x7ffc756b0000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "api-ms-win-core-string-l1-1-0"
              },
              {
                "name": "dwFlags",
                "value": "0x00000800"
              }
            ],
            "repeated": 0,
            "id": 247
          },
          {
            "timestamp": "2026-05-28 22:02:12,854",
            "thread_id": "10724",
            "caller": "0x7ff66cb84b98",
            "parentcaller": "0x7ff66cb84839",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "KERNELBASE.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc756b0000"
              },
              {
                "name": "FunctionName",
                "value": "CompareStringEx"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc756d7130"
              }
            ],
            "repeated": 0,
            "id": 248
          },
          {
            "timestamp": "2026-05-28 22:02:12,854",
            "thread_id": "10724",
            "caller": "0x7ff66cb84b17",
            "parentcaller": "0x7ff66cb84839",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff66cd14000"
              },
              {
                "name": "ModuleName",
                "value": "identity_helper.exe"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 249
          },
          {
            "timestamp": "2026-05-28 22:02:12,854",
            "thread_id": "10724",
            "caller": "0x7ff66cb84b48",
            "parentcaller": "0x7ff66cb84839",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff66cd14000"
              },
              {
                "name": "ModuleName",
                "value": "identity_helper.exe"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 250
          },
          {
            "timestamp": "2026-05-28 22:02:12,854",
            "thread_id": "10724",
            "caller": "0x7ff66cb84b98",
            "parentcaller": "0x7ff66cb84862",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "KERNELBASE.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc756b0000"
              },
              {
                "name": "FunctionName",
                "value": "EnumSystemLocalesEx"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc75737f40"
              }
            ],
            "repeated": 0,
            "id": 251
          },
          {
            "timestamp": "2026-05-28 22:02:12,854",
            "thread_id": "10724",
            "caller": "0x7ff66cb84b17",
            "parentcaller": "0x7ff66cb84862",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff66cd14000"
              },
              {
                "name": "ModuleName",
                "value": "identity_helper.exe"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 252
          },
          {
            "timestamp": "2026-05-28 22:02:12,854",
            "thread_id": "10724",
            "caller": "0x7ff66cb84b48",
            "parentcaller": "0x7ff66cb84862",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff66cd14000"
              },
              {
                "name": "ModuleName",
                "value": "identity_helper.exe"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 253
          },
          {
            "timestamp": "2026-05-28 22:02:12,854",
            "thread_id": "10724",
            "caller": "0x7ff66cb84a67",
            "parentcaller": "0x7ff66cb8488b",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "api-ms-win-core-datetime-l1-1-1"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc756b0000"
              }
            ],
            "repeated": 0,
            "id": 254
          },
          {
            "timestamp": "2026-05-28 22:02:12,854",
            "thread_id": "10724",
            "caller": "0x7ff66cb84a67",
            "parentcaller": "0x7ff66cb8488b",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x7ffc756b0000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "api-ms-win-core-datetime-l1-1-1"
              },
              {
                "name": "dwFlags",
                "value": "0x00000800"
              }
            ],
            "repeated": 0,
            "id": 255
          },
          {
            "timestamp": "2026-05-28 22:02:12,854",
            "thread_id": "10724",
            "caller": "0x7ff66cb84b98",
            "parentcaller": "0x7ff66cb8488b",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "KERNELBASE.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc756b0000"
              },
              {
                "name": "FunctionName",
                "value": "GetDateFormatEx"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc757255b0"
              }
            ],
            "repeated": 0,
            "id": 256
          },
          {
            "timestamp": "2026-05-28 22:02:12,854",
            "thread_id": "10724",
            "caller": "0x7ff66cb84b17",
            "parentcaller": "0x7ff66cb8488b",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff66cd14000"
              },
              {
                "name": "ModuleName",
                "value": "identity_helper.exe"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 257
          },
          {
            "timestamp": "2026-05-28 22:02:12,854",
            "thread_id": "10724",
            "caller": "0x7ff66cb84b48",
            "parentcaller": "0x7ff66cb8488b",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff66cd14000"
              },
              {
                "name": "ModuleName",
                "value": "identity_helper.exe"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 258
          },
          {
            "timestamp": "2026-05-28 22:02:12,854",
            "thread_id": "10724",
            "caller": "0x7ff66cb84b98",
            "parentcaller": "0x7ff66cb848b4",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "KERNELBASE.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc756b0000"
              },
              {
                "name": "FunctionName",
                "value": "GetLocaleInfoEx"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc756d0210"
              }
            ],
            "repeated": 0,
            "id": 259
          },
          {
            "timestamp": "2026-05-28 22:02:12,854",
            "thread_id": "10724",
            "caller": "0x7ff66cb84b17",
            "parentcaller": "0x7ff66cb848b4",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff66cd14000"
              },
              {
                "name": "ModuleName",
                "value": "identity_helper.exe"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 260
          },
          {
            "timestamp": "2026-05-28 22:02:12,854",
            "thread_id": "10724",
            "caller": "0x7ff66cb84b48",
            "parentcaller": "0x7ff66cb848b4",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff66cd14000"
              },
              {
                "name": "ModuleName",
                "value": "identity_helper.exe"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 261
          },
          {
            "timestamp": "2026-05-28 22:02:12,854",
            "thread_id": "10724",
            "caller": "0x7ff66cb84b98",
            "parentcaller": "0x7ff66cb848dd",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "KERNELBASE.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc756b0000"
              },
              {
                "name": "FunctionName",
                "value": "GetTimeFormatEx"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc7572d1a0"
              }
            ],
            "repeated": 0,
            "id": 262
          },
          {
            "timestamp": "2026-05-28 22:02:12,854",
            "thread_id": "10724",
            "caller": "0x7ff66cb84b17",
            "parentcaller": "0x7ff66cb848dd",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff66cd14000"
              },
              {
                "name": "ModuleName",
                "value": "identity_helper.exe"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 263
          },
          {
            "timestamp": "2026-05-28 22:02:12,854",
            "thread_id": "10724",
            "caller": "0x7ff66cb84b48",
            "parentcaller": "0x7ff66cb848dd",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff66cd14000"
              },
              {
                "name": "ModuleName",
                "value": "identity_helper.exe"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 264
          },
          {
            "timestamp": "2026-05-28 22:02:12,854",
            "thread_id": "10724",
            "caller": "0x7ff66cb84b98",
            "parentcaller": "0x7ff66cb84906",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "KERNELBASE.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc756b0000"
              },
              {
                "name": "FunctionName",
                "value": "GetUserDefaultLocaleName"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc756eae80"
              }
            ],
            "repeated": 0,
            "id": 265
          },
          {
            "timestamp": "2026-05-28 22:02:12,854",
            "thread_id": "10724",
            "caller": "0x7ff66cb84b17",
            "parentcaller": "0x7ff66cb84906",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff66cd14000"
              },
              {
                "name": "ModuleName",
                "value": "identity_helper.exe"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 266
          },
          {
            "timestamp": "2026-05-28 22:02:12,854",
            "thread_id": "10724",
            "caller": "0x7ff66cb84b48",
            "parentcaller": "0x7ff66cb84906",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff66cd14000"
              },
              {
                "name": "ModuleName",
                "value": "identity_helper.exe"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 267
          },
          {
            "timestamp": "2026-05-28 22:02:12,854",
            "thread_id": "10724",
            "caller": "0x7ff66cb84b98",
            "parentcaller": "0x7ff66cb8492f",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "KERNELBASE.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc756b0000"
              },
              {
                "name": "FunctionName",
                "value": "IsValidLocaleName"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc756cad90"
              }
            ],
            "repeated": 0,
            "id": 268
          },
          {
            "timestamp": "2026-05-28 22:02:12,854",
            "thread_id": "10724",
            "caller": "0x7ff66cb84b17",
            "parentcaller": "0x7ff66cb8492f",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff66cd14000"
              },
              {
                "name": "ModuleName",
                "value": "identity_helper.exe"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 269
          },
          {
            "timestamp": "2026-05-28 22:02:12,854",
            "thread_id": "10724",
            "caller": "0x7ff66cb84b48",
            "parentcaller": "0x7ff66cb8492f",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff66cd14000"
              },
              {
                "name": "ModuleName",
                "value": "identity_helper.exe"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 270
          },
          {
            "timestamp": "2026-05-28 22:02:12,854",
            "thread_id": "10724",
            "caller": "0x7ff66cb84a67",
            "parentcaller": "0x7ff66cb84981",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "api-ms-win-core-localization-obsolete-l1-2-0"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc756b0000"
              }
            ],
            "repeated": 0,
            "id": 271
          },
          {
            "timestamp": "2026-05-28 22:02:12,854",
            "thread_id": "10724",
            "caller": "0x7ff66cb84a67",
            "parentcaller": "0x7ff66cb84981",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x7ffc756b0000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "api-ms-win-core-localization-obsolete-l1-2-0"
              },
              {
                "name": "dwFlags",
                "value": "0x00000800"
              }
            ],
            "repeated": 0,
            "id": 272
          },
          {
            "timestamp": "2026-05-28 22:02:12,854",
            "thread_id": "10724",
            "caller": "0x7ff66cb84b98",
            "parentcaller": "0x7ff66cb84981",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "KERNELBASE.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc756b0000"
              },
              {
                "name": "FunctionName",
                "value": "LCIDToLocaleName"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc756cae60"
              }
            ],
            "repeated": 0,
            "id": 273
          },
          {
            "timestamp": "2026-05-28 22:02:12,854",
            "thread_id": "10724",
            "caller": "0x7ff66cb84b17",
            "parentcaller": "0x7ff66cb84981",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff66cd14000"
              },
              {
                "name": "ModuleName",
                "value": "identity_helper.exe"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 274
          },
          {
            "timestamp": "2026-05-28 22:02:12,854",
            "thread_id": "10724",
            "caller": "0x7ff66cb84b48",
            "parentcaller": "0x7ff66cb84981",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff66cd14000"
              },
              {
                "name": "ModuleName",
                "value": "identity_helper.exe"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 275
          },
          {
            "timestamp": "2026-05-28 22:02:12,854",
            "thread_id": "10724",
            "caller": "0x7ff66cb84b98",
            "parentcaller": "0x7ff66cb849aa",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "KERNELBASE.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc756b0000"
              },
              {
                "name": "FunctionName",
                "value": "LocaleNameToLCID"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc75720070"
              }
            ],
            "repeated": 0,
            "id": 276
          },
          {
            "timestamp": "2026-05-28 22:02:12,854",
            "thread_id": "10724",
            "caller": "0x7ff66cb84b17",
            "parentcaller": "0x7ff66cb849aa",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff66cd14000"
              },
              {
                "name": "ModuleName",
                "value": "identity_helper.exe"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 277
          },
          {
            "timestamp": "2026-05-28 22:02:12,854",
            "thread_id": "10724",
            "caller": "0x7ff66cb84b48",
            "parentcaller": "0x7ff66cb849aa",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ff66cd14000"
              },
              {
                "name": "ModuleName",
                "value": "identity_helper.exe"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 278
          },
          {
            "timestamp": "2026-05-28 22:02:12,854",
            "thread_id": "10724",
            "caller": "0x7ff66cb16e14",
            "parentcaller": "0x7ff66cb16b29",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc77fd0000"
              }
            ],
            "repeated": 0,
            "id": 279
          },
          {
            "timestamp": "2026-05-28 22:02:12,854",
            "thread_id": "10724",
            "caller": "0x7ff66cb16e24",
            "parentcaller": "0x7ff66cb16b29",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc77fd0000"
              },
              {
                "name": "FunctionName",
                "value": "RtlGetDeviceFamilyInfoEnum"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc7800f850"
              }
            ],
            "repeated": 0,
            "id": 280
          },
          {
            "timestamp": "2026-05-28 22:02:12,854",
            "thread_id": "10724",
            "caller": "0x7ff66cb16e44",
            "parentcaller": "0x7ff66cb16b29",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000001fc"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020119",
                "pretty_value": "KEY_QUERY_VALUE|KEY_ENUMERATE_SUB_KEYS|KEY_NOTIFY|KEY_WOW64_64KEY|STANDARD_RIGHTS_REQUIRED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Microsoft\\Windows NT\\CurrentVersion\\OEM"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\OEM"
              }
            ],
            "repeated": 0,
            "id": 281
          },
          {
            "timestamp": "2026-05-28 22:02:12,854",
            "thread_id": "10724",
            "caller": "0x7ff66cb16e44",
            "parentcaller": "0x7ff66cb16b29",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000001fc"
              },
              {
                "name": "ValueName",
                "value": "DeviceForm"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\OEM\\DeviceForm"
              }
            ],
            "repeated": 0,
            "id": 282
          },
          {
            "timestamp": "2026-05-28 22:02:12,854",
            "thread_id": "10724",
            "caller": "0x7ff66cb16e44",
            "parentcaller": "0x7ff66cb16b29",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000001fc"
              }
            ],
            "repeated": 0,
            "id": 283
          },
          {
            "timestamp": "2026-05-28 22:02:12,854",
            "thread_id": "10724",
            "caller": "0x7ff66cbc68ce",
            "parentcaller": "0x7ff66caaad91",
            "category": "misc",
            "api": "GetCommandLineW",
            "status": true,
            "return": "0x2a365403e96",
            "arguments": [
              {
                "name": "CommandLine",
                "value": "\"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\148.0.3967.83\\identity_helper.exe\" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=windows_package_identity --skip-read-main-dll --metrics-shmem-handle=5988,i,16463646965434194640,9756354988950792942,524288 --field-trial-handle=2464,i,11618049249894349634,12934656804764563957,262144 --variations-seed-version --pseudonymization-salt-handle=2472,i,15884246703223372676,9125995165493510780,4 --trace-process-track-uuid=3190708994745248135 --mojo-platform-channel-handle=6004 /prefetch:8"
              }
            ],
            "repeated": 0,
            "id": 284
          },
          {
            "timestamp": "2026-05-28 22:02:12,854",
            "thread_id": "10724",
            "caller": "0x7ff66cb44315",
            "parentcaller": "0x7ff66cbc692b",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\System32\\shcore"
              },
              {
                "name": "DllBase",
                "value": "0x7ffc775b0000"
              }
            ],
            "repeated": 0,
            "id": 285
          },
          {
            "timestamp": "2026-05-28 22:02:12,854",
            "thread_id": "10724",
            "caller": "0x7ff66cb44315",
            "parentcaller": "0x7ff66cbc692b",
            "category": "system",
            "api": "NtQuerySystemTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 286
          },
          {
            "timestamp": "2026-05-28 22:02:12,854",
            "thread_id": "10724",
            "caller": "0x7ff66cb44315",
            "parentcaller": "0x7ff66cbc692b",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "api-ms-win-downlevel-shell32-l1-1-0.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc775b0000"
              }
            ],
            "repeated": 0,
            "id": 287
          },
          {
            "timestamp": "2026-05-28 22:02:12,854",
            "thread_id": "10724",
            "caller": "0x7ff66cb44315",
            "parentcaller": "0x7ff66cbc692b",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x7ffc775b0000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "api-ms-win-downlevel-shell32-l1-1-0.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00000800"
              }
            ],
            "repeated": 0,
            "id": 288
          },
          {
            "timestamp": "2026-05-28 22:02:12,854",
            "thread_id": "10724",
            "caller": "0x7ff66cb44331",
            "parentcaller": "0x7ff66cbc692b",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "shcore.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc775b0000"
              },
              {
                "name": "FunctionName",
                "value": "CommandLineToArgvW"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc775ceb30"
              }
            ],
            "repeated": 0,
            "id": 289
          },
          {
            "timestamp": "2026-05-28 22:02:12,854",
            "thread_id": "10724",
            "caller": "0x7ff66cb44348",
            "parentcaller": "0x7ff66cbc692b",
            "category": "misc",
            "api": "CommandLineToArgvW",
            "status": true,
            "return": "0x2a365424e40",
            "arguments": [
              {
                "name": "CommandLine",
                "value": "\"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\148.0.3967.83\\identity_helper.exe\" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=windows_package_identity --skip-read-main-dll --metrics-shmem-handle=5988,i,16463646965434194640,9756354988950792942,524288 --field-trial-handle=2464,i,11618049249894349634,12934656804764563957,262144 --variations-seed-version --pseudonymization-salt-handle=2472,i,15884246703223372676,9125995165493510780,4 --trace-process-track-uuid=3190708994745248135 --mojo-platform-channel-handle=6004 /prefetch:8"
              },
              {
                "name": "NumArgs",
                "value": "13"
              }
            ],
            "repeated": 0,
            "id": 290
          },
          {
            "timestamp": "2026-05-28 22:02:12,854",
            "thread_id": "10724",
            "caller": "0x7ff66caf2b9b",
            "parentcaller": "0x7ff66caf254f",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x44f0000c0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 291
          },
          {
            "timestamp": "2026-05-28 22:02:12,854",
            "thread_id": "10724",
            "caller": "0x7ff66caf2b9b",
            "parentcaller": "0x7ff66caf254f",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x44f0000d0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 292
          },
          {
            "timestamp": "2026-05-28 22:02:12,854",
            "thread_id": "10724",
            "caller": "0x7ff66caf2b9b",
            "parentcaller": "0x7ff66caf254f",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x44f0000dc000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 293
          },
          {
            "timestamp": "2026-05-28 22:02:12,854",
            "thread_id": "10724",
            "caller": "0x7ff66cb44398",
            "parentcaller": "0x7ff66cbc692b",
            "category": "process",
            "api": "NtAllocateVirtualMemoryEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2a365426000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 294
          },
          {
            "timestamp": "2026-05-28 22:02:12,854",
            "thread_id": "10724",
            "caller": "0x7ff66cb44398",
            "parentcaller": "0x7ff66cbc692b",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000001fc"
              }
            ],
            "repeated": 0,
            "id": 295
          },
          {
            "timestamp": "2026-05-28 22:02:12,854",
            "thread_id": "10724",
            "caller": "0x7ff66cb44398",
            "parentcaller": "0x7ff66cbc692b",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc77fd0000"
              }
            ],
            "repeated": 0,
            "id": 296
          },
          {
            "timestamp": "2026-05-28 22:02:12,854",
            "thread_id": "10724",
            "caller": "0x7ff66cb44398",
            "parentcaller": "0x7ff66cbc692b",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc77fd0000"
              },
              {
                "name": "FunctionName",
                "value": "RtlDllShutdownInProgress"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc78033410"
              }
            ],
            "repeated": 0,
            "id": 297
          },
          {
            "timestamp": "2026-05-28 22:02:12,854",
            "thread_id": "10724",
            "caller": "0x7ff66cb44398",
            "parentcaller": "0x7ff66cbc692b",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "unload"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\System32\\shcore"
              },
              {
                "name": "DllBase",
                "value": "0x7ffc775b0000"
              }
            ],
            "repeated": 0,
            "id": 298
          },
          {
            "timestamp": "2026-05-28 22:02:12,854",
            "thread_id": "10724",
            "caller": "0x7ff66cb44398",
            "parentcaller": "0x7ff66cbc692b",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc775b0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              }
            ],
            "repeated": 0,
            "id": 299
          },
          {
            "timestamp": "2026-05-28 22:02:12,854",
            "thread_id": "10724",
            "caller": "0x7ff66caf2b20",
            "parentcaller": "0x7ff66caf1bb6",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x44f0000b8000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 300
          },
          {
            "timestamp": "2026-05-28 22:02:12,854",
            "thread_id": "10724",
            "caller": "0x7ff66caf2b20",
            "parentcaller": "0x7ff66caf1bb6",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x44f0000dc000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 301
          },
          {
            "timestamp": "2026-05-28 22:02:12,854",
            "thread_id": "10724",
            "caller": "0x7ff66caaade6",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "kernel32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc76030000"
              }
            ],
            "repeated": 0,
            "id": 302
          },
          {
            "timestamp": "2026-05-28 22:02:12,854",
            "thread_id": "10724",
            "caller": "0x7ff66caaadf6",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "KERNEL32.DLL"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc76030000"
              },
              {
                "name": "FunctionName",
                "value": "WerRegisterCustomMetadata"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc7606bbf0"
              }
            ],
            "repeated": 0,
            "id": 303
          },
          {
            "timestamp": "2026-05-28 22:02:12,854",
            "thread_id": "10724",
            "caller": "0x7ff66caaae16",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2a366da0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 304
          },
          {
            "timestamp": "2026-05-28 22:02:12,854",
            "thread_id": "10724",
            "caller": "0x7ff66caaae16",
            "parentcaller": "0x7ff66cb64f22",
            "category": "synchronization",
            "api": "NtCreateMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000001fc"
              },
              {
                "name": "MutexName",
                "value": ""
              },
              {
                "name": "InitialOwner",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 305
          },
          {
            "timestamp": "2026-05-28 22:02:12,854",
            "thread_id": "10724",
            "caller": "0x7ff66caaae16",
            "parentcaller": "0x7ff66cb64f22",
            "category": "misc",
            "api": "GetSystemInfo",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 1,
            "id": 306
          },
          {
            "timestamp": "2026-05-28 22:02:12,854",
            "thread_id": "10724",
            "caller": "0x7ff66caaae16",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000001fc"
              },
              {
                "name": "Milliseconds",
                "value": "4000"
              }
            ],
            "repeated": 0,
            "id": 307
          },
          {
            "timestamp": "2026-05-28 22:02:12,854",
            "thread_id": "10724",
            "caller": "0x7ff66caaae16",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2a366db0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 308
          },
          {
            "timestamp": "2026-05-28 22:02:12,854",
            "thread_id": "10724",
            "caller": "0x7ff66caaae16",
            "parentcaller": "0x7ff66cb64f22",
            "category": "synchronization",
            "api": "NtReleaseMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000001fc"
              }
            ],
            "repeated": 0,
            "id": 309
          },
          {
            "timestamp": "2026-05-28 22:02:12,854",
            "thread_id": "10724",
            "caller": "0x7ff66caaae81",
            "parentcaller": "0x7ff66cb64f22",
            "category": "misc",
            "api": "GetSystemInfo",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 1,
            "id": 310
          },
          {
            "timestamp": "2026-05-28 22:02:12,854",
            "thread_id": "10724",
            "caller": "0x7ff66caaae81",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000001fc"
              },
              {
                "name": "Milliseconds",
                "value": "4000"
              }
            ],
            "repeated": 0,
            "id": 311
          },
          {
            "timestamp": "2026-05-28 22:02:12,854",
            "thread_id": "10724",
            "caller": "0x7ff66caaae81",
            "parentcaller": "0x7ff66cb64f22",
            "category": "synchronization",
            "api": "NtReleaseMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000001fc"
              }
            ],
            "repeated": 0,
            "id": 312
          },
          {
            "timestamp": "2026-05-28 22:02:12,854",
            "thread_id": "10724",
            "caller": "0x7ff66caaaf7f",
            "parentcaller": "0x7ff66cb64f22",
            "category": "misc",
            "api": "GetSystemInfo",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 1,
            "id": 313
          },
          {
            "timestamp": "2026-05-28 22:02:12,854",
            "thread_id": "10724",
            "caller": "0x7ff66caaaf7f",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000001fc"
              },
              {
                "name": "Milliseconds",
                "value": "4000"
              }
            ],
            "repeated": 0,
            "id": 314
          },
          {
            "timestamp": "2026-05-28 22:02:12,854",
            "thread_id": "10724",
            "caller": "0x7ff66caaaf7f",
            "parentcaller": "0x7ff66cb64f22",
            "category": "synchronization",
            "api": "NtReleaseMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000001fc"
              }
            ],
            "repeated": 0,
            "id": 315
          },
          {
            "timestamp": "2026-05-28 22:02:12,854",
            "thread_id": "10724",
            "caller": "0x7ff66caf2b9b",
            "parentcaller": "0x7ff66caf254f",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x44f0000e8000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 316
          },
          {
            "timestamp": "2026-05-28 22:02:12,854",
            "thread_id": "10724",
            "caller": "0x7ff66caf2b20",
            "parentcaller": "0x7ff66caf1bb6",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x44f0000c0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 317
          },
          {
            "timestamp": "2026-05-28 22:02:12,854",
            "thread_id": "10724",
            "caller": "0x7ff66caf2b20",
            "parentcaller": "0x7ff66caf1bb6",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x44f0000e8000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 318
          },
          {
            "timestamp": "2026-05-28 22:02:12,854",
            "thread_id": "10724",
            "caller": "0x7ff66cb45da1",
            "parentcaller": "0x7ff66cc59e0b",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000200"
              }
            ],
            "repeated": 0,
            "id": 319
          },
          {
            "timestamp": "2026-05-28 22:02:12,854",
            "thread_id": "10724",
            "caller": "0x7ff66cb1ab91",
            "parentcaller": "0x7ff66cac6aa9",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "bcryptprimitives.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc75fa0000"
              }
            ],
            "repeated": 0,
            "id": 320
          },
          {
            "timestamp": "2026-05-28 22:02:12,854",
            "thread_id": "10724",
            "caller": "0x7ff66cb1ab91",
            "parentcaller": "0x7ff66cac6aa9",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x7ffc75fa0000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "bcryptprimitives.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 321
          },
          {
            "timestamp": "2026-05-28 22:02:12,854",
            "thread_id": "10724",
            "caller": "0x7ff66cb1abaa",
            "parentcaller": "0x7ff66cac6aa9",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "bcryptprimitives.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc75fa0000"
              },
              {
                "name": "FunctionName",
                "value": "ProcessPrng"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc75fb5010"
              }
            ],
            "repeated": 0,
            "id": 322
          },
          {
            "timestamp": "2026-05-28 22:02:12,854",
            "thread_id": "10724",
            "caller": "0x7ff66caf2b9b",
            "parentcaller": "0x7ff66caf254f",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x44f0000c0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 323
          },
          {
            "timestamp": "2026-05-28 22:02:12,854",
            "thread_id": "10724",
            "caller": "0x7ff66cb1b5e6",
            "parentcaller": "0x7ff66cb4308f",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": false,
            "return": "0xffffffffc000003a",
            "pretty_return": "OBJECT_PATH_NOT_FOUND",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\148.0.3967.83\\148.0.3967.83\\msedge.dll"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "3",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "no"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 324
          },
          {
            "timestamp": "2026-05-28 22:02:12,854",
            "thread_id": "10724",
            "caller": "0x7ff66cb1b5e6",
            "parentcaller": "0x7ff66cb4308f",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000200"
              },
              {
                "name": "DesiredAccess",
                "value": "0xa0100080",
                "pretty_value": "GENERIC_READ|GENERIC_EXECUTE|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\148.0.3967.83\\msedge.dll"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "1",
                "pretty_value": "FILE_SHARE_READ"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 325
          },
          {
            "timestamp": "2026-05-28 22:02:12,854",
            "thread_id": "10724",
            "caller": "0x7ff66cb1ba1c",
            "parentcaller": "0x7ff66cb1bc6d",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000214"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000200"
              },
              {
                "name": "FileName",
                "value": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\148.0.3967.83\\msedge.dll"
              }
            ],
            "repeated": 0,
            "id": 326
          },
          {
            "timestamp": "2026-05-28 22:02:12,854",
            "thread_id": "10724",
            "caller": "0x7ff66cb1ba51",
            "parentcaller": "0x7ff66cb1bc6d",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x40000003",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000214"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2a36c000000"
              },
              {
                "name": "SectionOffset",
                "value": "0xb8f792f650"
              },
              {
                "name": "ViewSize",
                "value": "0x136be000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 327
          },
          {
            "timestamp": "2026-05-28 22:02:12,854",
            "thread_id": "10724",
            "caller": "0x7ff66cb1be04",
            "parentcaller": "0x7ff66cb1c9a4",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "kernel32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc76030000"
              }
            ],
            "repeated": 0,
            "id": 328
          },
          {
            "timestamp": "2026-05-28 22:02:12,854",
            "thread_id": "10724",
            "caller": "0x7ff66cb1be14",
            "parentcaller": "0x7ff66cb1c9a4",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "KERNEL32.DLL"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc76030000"
              },
              {
                "name": "FunctionName",
                "value": "PrefetchVirtualMemory"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc75736590"
              }
            ],
            "repeated": 0,
            "id": 329
          },
          {
            "timestamp": "2026-05-28 22:02:12,885",
            "thread_id": "10724",
            "caller": "0x7ff66cb1bd36",
            "parentcaller": "0x7ff66cb41e1d",
            "category": "process",
            "api": "NtUnmapViewOfSectionEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2a36c000000"
              },
              {
                "name": "RegionSize",
                "value": "0x136be000"
              },
              {
                "name": "Flags",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 330
          },
          {
            "timestamp": "2026-05-28 22:02:12,885",
            "thread_id": "10724",
            "caller": "0x7ff66cb1698c",
            "parentcaller": "0x7ff66cac4c5a",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "identity_helper.exe"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ff66ca90000"
              },
              {
                "name": "FunctionName",
                "value": "GetHandleVerifier"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ff66cb16850"
              }
            ],
            "repeated": 0,
            "id": 331
          },
          {
            "timestamp": "2026-05-28 22:02:12,885",
            "thread_id": "10724",
            "caller": "0x7ff66caf2b9b",
            "parentcaller": "0x7ff66caf254f",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x44f0000f8000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 332
          },
          {
            "timestamp": "2026-05-28 22:02:12,885",
            "thread_id": "10724",
            "caller": "0x7ff66cac4cc2",
            "parentcaller": "0x7ff66cb1bd52",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "71"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 333
          },
          {
            "timestamp": "2026-05-28 22:02:12,885",
            "thread_id": "10724",
            "caller": "0x7ff66cac4cc2",
            "parentcaller": "0x7ff66cb1bd52",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000214"
              }
            ],
            "repeated": 0,
            "id": 334
          },
          {
            "timestamp": "2026-05-28 22:02:12,885",
            "thread_id": "10724",
            "caller": "0x7ff66cac4cc2",
            "parentcaller": "0x7ff66cac6db8",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000200"
              }
            ],
            "repeated": 0,
            "id": 335
          },
          {
            "timestamp": "2026-05-28 22:02:12,885",
            "thread_id": "10724",
            "caller": "0x7ff66caab3c0",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\148.0.3967.83\\msedge"
              },
              {
                "name": "DllBase",
                "value": "0x7ffc1e940000"
              }
            ],
            "repeated": 0,
            "id": 336
          },
          {
            "timestamp": "2026-05-28 22:02:12,885",
            "thread_id": "10724",
            "caller": "0x7ff66caab3c0",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "api-ms-win-core-fibers-l1-1-2"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc756b0000"
              }
            ],
            "repeated": 0,
            "id": 337
          },
          {
            "timestamp": "2026-05-28 22:02:12,885",
            "thread_id": "10724",
            "caller": "0x7ff66caab3c0",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "bcryptprimitives.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc75fa0000"
              }
            ],
            "repeated": 0,
            "id": 338
          },
          {
            "timestamp": "2026-05-28 22:02:12,885",
            "thread_id": "10724",
            "caller": "0x7ff66caab3c0",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "api-ms-win-core-localization-l1-2-1"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc756b0000"
              }
            ],
            "repeated": 0,
            "id": 339
          },
          {
            "timestamp": "2026-05-28 22:02:12,885",
            "thread_id": "10724",
            "caller": "0x7ff66caab3c0",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "kernel32"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76030000"
              }
            ],
            "repeated": 0,
            "id": 340
          },
          {
            "timestamp": "2026-05-28 22:02:12,885",
            "thread_id": "10724",
            "caller": "0x7ff66caab3c0",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "api-ms-win-core-string-l1-1-0"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc756b0000"
              }
            ],
            "repeated": 0,
            "id": 341
          },
          {
            "timestamp": "2026-05-28 22:02:12,885",
            "thread_id": "10724",
            "caller": "0x7ff66caab3c0",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "api-ms-win-core-datetime-l1-1-1"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc756b0000"
              }
            ],
            "repeated": 0,
            "id": 342
          },
          {
            "timestamp": "2026-05-28 22:02:12,885",
            "thread_id": "10724",
            "caller": "0x7ff66caab3c0",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "api-ms-win-core-localization-obsolete-l1-2-0"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc756b0000"
              }
            ],
            "repeated": 0,
            "id": 343
          },
          {
            "timestamp": "2026-05-28 22:02:12,885",
            "thread_id": "10724",
            "caller": "0x7ff66caab3c0",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "bcryptprimitives.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc75fa0000"
              }
            ],
            "repeated": 0,
            "id": 344
          },
          {
            "timestamp": "2026-05-28 22:02:12,885",
            "thread_id": "10724",
            "caller": "0x7ff66caab3c0",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\148.0.3967.83\\msedge.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc1e940000"
              }
            ],
            "repeated": 0,
            "id": 345
          },
          {
            "timestamp": "2026-05-28 22:02:12,885",
            "thread_id": "10724",
            "caller": "0x7ff66caab3c0",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x7ffc1e940000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\148.0.3967.83\\msedge.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00000008"
              }
            ],
            "repeated": 0,
            "id": 346
          },
          {
            "timestamp": "2026-05-28 22:02:12,885",
            "thread_id": "10724",
            "caller": "0x7ff66caab5f1",
            "parentcaller": "0x7ff66cb64f22",
            "category": "threading",
            "api": "NtCreateThreadEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0x00000200"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "StartAddress",
                "value": "0x7ff66caab680"
              },
              {
                "name": "Parameter",
                "value": "0x00000000"
              },
              {
                "name": "CreateFlags",
                "value": "0x00000001"
              },
              {
                "name": "ThreadId",
                "value": "11000"
              },
              {
                "name": "ProcessId",
                "value": "10720"
              },
              {
                "name": "Module",
                "value": "identity_helper.exe"
              }
            ],
            "repeated": 0,
            "id": 347
          },
          {
            "timestamp": "2026-05-28 22:02:12,885",
            "thread_id": "10724",
            "caller": "0x7ff66caab5f1",
            "parentcaller": "0x7ff66cb64f22",
            "category": "threading",
            "api": "CreateRemoteThreadEx",
            "status": true,
            "return": "0x00000200",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "StartRoutine",
                "value": "0x7ff66caab680"
              },
              {
                "name": "Parameter",
                "value": "0x00000000"
              },
              {
                "name": "CreationFlags",
                "value": "0x00000000"
              },
              {
                "name": "ThreadId",
                "value": "11000"
              },
              {
                "name": "ProcessId",
                "value": "10720"
              }
            ],
            "repeated": 0,
            "id": 348
          },
          {
            "timestamp": "2026-05-28 22:02:12,885",
            "thread_id": "10724",
            "caller": "0x7ff66caab620",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "msedge.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc1e940000"
              },
              {
                "name": "FunctionName",
                "value": "ChromeMain"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc1fc4a5c0"
              }
            ],
            "repeated": 0,
            "id": 349
          },
          {
            "timestamp": "2026-05-28 22:02:12,885",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x3ed80009c000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 350
          },
          {
            "timestamp": "2026-05-28 22:02:12,885",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x3ed8000ac000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 351
          },
          {
            "timestamp": "2026-05-28 22:02:12,885",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x3ed8000b8000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 352
          },
          {
            "timestamp": "2026-05-28 22:02:12,885",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x3ed8000c4000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 353
          },
          {
            "timestamp": "2026-05-28 22:02:12,885",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "ucrtbase.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc75d00000"
              }
            ],
            "repeated": 0,
            "id": 354
          },
          {
            "timestamp": "2026-05-28 22:02:12,885",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ucrtbase.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc75d00000"
              },
              {
                "name": "FunctionName",
                "value": "signal"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc75d718e0"
              }
            ],
            "repeated": 0,
            "id": 355
          },
          {
            "timestamp": "2026-05-28 22:02:12,885",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x3ed8000d4000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 356
          },
          {
            "timestamp": "2026-05-28 22:02:12,885",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x3ed8000e0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 357
          },
          {
            "timestamp": "2026-05-28 22:02:12,885",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x3ed800038000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 358
          },
          {
            "timestamp": "2026-05-28 22:02:12,885",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x3ed800090000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 359
          },
          {
            "timestamp": "2026-05-28 22:02:12,885",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x3ed8000e4000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 360
          },
          {
            "timestamp": "2026-05-28 22:02:12,885",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x3ed8000f0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 361
          },
          {
            "timestamp": "2026-05-28 22:02:12,885",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x3ed8000e0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 362
          },
          {
            "timestamp": "2026-05-28 22:02:12,885",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x3ed8000d4000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 363
          },
          {
            "timestamp": "2026-05-28 22:02:12,885",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "ADVAPI32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc771e0000"
              }
            ],
            "repeated": 0,
            "id": 364
          },
          {
            "timestamp": "2026-05-28 22:02:12,885",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x7ffc771e0000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "ADVAPI32.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00000800"
              }
            ],
            "repeated": 0,
            "id": 365
          },
          {
            "timestamp": "2026-05-28 22:02:12,885",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ADVAPI32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc771e0000"
              },
              {
                "name": "FunctionName",
                "value": "EventRegister"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc78012e80"
              }
            ],
            "repeated": 0,
            "id": 366
          },
          {
            "timestamp": "2026-05-28 22:02:12,885",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ADVAPI32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc771e0000"
              },
              {
                "name": "FunctionName",
                "value": "EventSetInformation"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc78012af0"
              }
            ],
            "repeated": 0,
            "id": 367
          },
          {
            "timestamp": "2026-05-28 22:02:12,885",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x3ed800100000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 368
          },
          {
            "timestamp": "2026-05-28 22:02:12,885",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x3ed800108000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 369
          },
          {
            "timestamp": "2026-05-28 22:02:12,885",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x3ed8000e0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 370
          },
          {
            "timestamp": "2026-05-28 22:02:12,885",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "threading",
            "api": "NtCreateThreadEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0x00000254"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "StartAddress",
                "value": "0x7ffc1fc09bd0"
              },
              {
                "name": "Parameter",
                "value": "0x3ed80006c100"
              },
              {
                "name": "CreateFlags",
                "value": "0x00000001"
              },
              {
                "name": "ThreadId",
                "value": "11004"
              },
              {
                "name": "ProcessId",
                "value": "10720"
              },
              {
                "name": "Module",
                "value": "msedge.dll"
              }
            ],
            "repeated": 0,
            "id": 371
          },
          {
            "timestamp": "2026-05-28 22:02:12,885",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "threading",
            "api": "CreateRemoteThreadEx",
            "status": true,
            "return": "0x00000254",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "StartRoutine",
                "value": "0x7ffc1fc09bd0"
              },
              {
                "name": "Parameter",
                "value": "0x3ed80006c100"
              },
              {
                "name": "CreationFlags",
                "value": "0x00000000"
              },
              {
                "name": "ThreadId",
                "value": "11004"
              },
              {
                "name": "ProcessId",
                "value": "10720"
              }
            ],
            "repeated": 0,
            "id": 372
          },
          {
            "timestamp": "2026-05-28 22:02:12,885",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x3ed800029000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 373
          },
          {
            "timestamp": "2026-05-28 22:02:12,885",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x3ed8000d4000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 374
          },
          {
            "timestamp": "2026-05-28 22:02:12,885",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x3ed80002d000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 375
          },
          {
            "timestamp": "2026-05-28 22:02:12,885",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "identity_helper.exe"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ff66ca90000"
              },
              {
                "name": "FunctionName",
                "value": "GetHandleVerifier"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ff66cb16850"
              }
            ],
            "repeated": 0,
            "id": 376
          },
          {
            "timestamp": "2026-05-28 22:02:12,885",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x3ed80010c000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 377
          },
          {
            "timestamp": "2026-05-28 22:02:12,885",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x3ed80011c000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 378
          },
          {
            "timestamp": "2026-05-28 22:02:12,885",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x3ed800124000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 379
          },
          {
            "timestamp": "2026-05-28 22:02:12,885",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x0000025c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\148.0.3967.83\\icudtl.dat"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 380
          },
          {
            "timestamp": "2026-05-28 22:02:12,885",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000260"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x0000025c"
              },
              {
                "name": "FileName",
                "value": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\148.0.3967.83\\icudtl.dat"
              }
            ],
            "repeated": 0,
            "id": 381
          },
          {
            "timestamp": "2026-05-28 22:02:12,885",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x0000025c"
              },
              {
                "name": "HandleName",
                "value": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\148.0.3967.83\\icudtl.dat"
              },
              {
                "name": "FileInformationClass",
                "value": "5",
                "pretty_value": "FileStandardInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\x000\\xbe\\x00\\x00\\x00\\x00\\x00\\x00%\\xbe\\x00\\x00\\x00\\x00\\x00\\x06\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 382
          },
          {
            "timestamp": "2026-05-28 22:02:12,885",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000260"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2a36a100000"
              },
              {
                "name": "SectionOffset",
                "value": "0xb8f792e820"
              },
              {
                "name": "ViewSize",
                "value": "0x00be3000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 383
          },
          {
            "timestamp": "2026-05-28 22:02:12,885",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000264"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\148.0.3967.83\\v8_context_snapshot.bin"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 384
          },
          {
            "timestamp": "2026-05-28 22:02:12,885",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000268"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000264"
              },
              {
                "name": "FileName",
                "value": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\148.0.3967.83\\v8_context_snapshot.bin"
              }
            ],
            "repeated": 0,
            "id": 385
          },
          {
            "timestamp": "2026-05-28 22:02:12,885",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000264"
              },
              {
                "name": "HandleName",
                "value": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\148.0.3967.83\\v8_context_snapshot.bin"
              },
              {
                "name": "FileInformationClass",
                "value": "5",
                "pretty_value": "FileStandardInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\x00@\\x0b\\x00\\x00\\x00\\x00\\x00\\x88=\\x0b\\x00\\x00\\x00\\x00\\x00\\x06\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 386
          },
          {
            "timestamp": "2026-05-28 22:02:12,885",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000268"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2a367840000"
              },
              {
                "name": "SectionOffset",
                "value": "0xb8f792ee70"
              },
              {
                "name": "ViewSize",
                "value": "0x000b4000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 387
          },
          {
            "timestamp": "2026-05-28 22:02:12,885",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x0000026c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\148.0.3967.83\\msedge_100_percent.pak"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 388
          },
          {
            "timestamp": "2026-05-28 22:02:12,885",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000270"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x0000026c"
              },
              {
                "name": "FileName",
                "value": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\148.0.3967.83\\msedge_100_percent.pak"
              }
            ],
            "repeated": 0,
            "id": 389
          },
          {
            "timestamp": "2026-05-28 22:02:12,885",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x0000026c"
              },
              {
                "name": "HandleName",
                "value": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\148.0.3967.83\\msedge_100_percent.pak"
              },
              {
                "name": "FileInformationClass",
                "value": "5",
                "pretty_value": "FileStandardInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\x00\\xb0\\x13\\x00\\x00\\x00\\x00\\x00\\xf7\\xa4\\x13\\x00\\x00\\x00\\x00\\x00\\x06\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 390
          },
          {
            "timestamp": "2026-05-28 22:02:12,885",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000270"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2a367900000"
              },
              {
                "name": "SectionOffset",
                "value": "0xb8f792e5d0"
              },
              {
                "name": "ViewSize",
                "value": "0x0013b000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 391
          },
          {
            "timestamp": "2026-05-28 22:02:12,885",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000274"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\148.0.3967.83\\msedge_200_percent.pak"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 392
          },
          {
            "timestamp": "2026-05-28 22:02:12,885",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000278"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000274"
              },
              {
                "name": "FileName",
                "value": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\148.0.3967.83\\msedge_200_percent.pak"
              }
            ],
            "repeated": 0,
            "id": 393
          },
          {
            "timestamp": "2026-05-28 22:02:12,885",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000274"
              },
              {
                "name": "HandleName",
                "value": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\148.0.3967.83\\msedge_200_percent.pak"
              },
              {
                "name": "FileInformationClass",
                "value": "5",
                "pretty_value": "FileStandardInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\x00`\\x1e\\x00\\x00\\x00\\x00\\x00cY\\x1e\\x00\\x00\\x00\\x00\\x00\\x06\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 394
          },
          {
            "timestamp": "2026-05-28 22:02:12,885",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000278"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2a367a40000"
              },
              {
                "name": "SectionOffset",
                "value": "0xb8f792e5d0"
              },
              {
                "name": "ViewSize",
                "value": "0x001e6000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 395
          },
          {
            "timestamp": "2026-05-28 22:02:12,885",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x3ed80012c000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 396
          },
          {
            "timestamp": "2026-05-28 22:02:12,885",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x3ed80012d000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 397
          },
          {
            "timestamp": "2026-05-28 22:02:12,885",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x3ed800138000"
              },
              {
                "name": "RegionSize",
                "value": "0x00004000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 398
          },
          {
            "timestamp": "2026-05-28 22:02:12,885",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x3ed800140000"
              },
              {
                "name": "RegionSize",
                "value": "0x00007000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 399
          },
          {
            "timestamp": "2026-05-28 22:02:12,885",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x3ed8000e4000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 400
          },
          {
            "timestamp": "2026-05-28 22:02:12,885",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x3ed80011c000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 401
          },
          {
            "timestamp": "2026-05-28 22:02:12,885",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x3ed800138000"
              },
              {
                "name": "RegionSize",
                "value": "0x00004000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 402
          },
          {
            "timestamp": "2026-05-28 22:02:12,885",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x3ed800148000"
              },
              {
                "name": "RegionSize",
                "value": "0x00004000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 403
          },
          {
            "timestamp": "2026-05-28 22:02:12,885",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x3ed800140000"
              },
              {
                "name": "RegionSize",
                "value": "0x00007000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 404
          },
          {
            "timestamp": "2026-05-28 22:02:12,885",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x3ed8000e4000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 405
          },
          {
            "timestamp": "2026-05-28 22:02:12,885",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x3ed80011c000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 406
          },
          {
            "timestamp": "2026-05-28 22:02:12,885",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x3ed800138000"
              },
              {
                "name": "RegionSize",
                "value": "0x00004000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 407
          },
          {
            "timestamp": "2026-05-28 22:02:12,885",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x3ed800140000"
              },
              {
                "name": "RegionSize",
                "value": "0x00007000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 408
          },
          {
            "timestamp": "2026-05-28 22:02:12,885",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x3ed80014c000"
              },
              {
                "name": "RegionSize",
                "value": "0x0000e000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 409
          },
          {
            "timestamp": "2026-05-28 22:02:12,885",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x3ed8000e4000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 410
          },
          {
            "timestamp": "2026-05-28 22:02:12,885",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x3ed800138000"
              },
              {
                "name": "RegionSize",
                "value": "0x00004000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 411
          },
          {
            "timestamp": "2026-05-28 22:02:12,885",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x3ed800140000"
              },
              {
                "name": "RegionSize",
                "value": "0x00007000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 412
          },
          {
            "timestamp": "2026-05-28 22:02:12,885",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x3ed80015c000"
              },
              {
                "name": "RegionSize",
                "value": "0x0000a000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 413
          },
          {
            "timestamp": "2026-05-28 22:02:12,885",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x3ed80014c000"
              },
              {
                "name": "RegionSize",
                "value": "0x0000e000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 414
          },
          {
            "timestamp": "2026-05-28 22:02:12,885",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x3ed800125000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 415
          },
          {
            "timestamp": "2026-05-28 22:02:12,885",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\148.0.3967.83\\Locales"
              }
            ],
            "repeated": 0,
            "id": 416
          },
          {
            "timestamp": "2026-05-28 22:02:12,885",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\148.0.3967.83\\Locales\\en-US.pak"
              }
            ],
            "repeated": 0,
            "id": 417
          },
          {
            "timestamp": "2026-05-28 22:02:12,885",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x0000027c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\148.0.3967.83\\Locales\\en-US.pak"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 418
          },
          {
            "timestamp": "2026-05-28 22:02:12,885",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000280"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x0000027c"
              },
              {
                "name": "FileName",
                "value": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\148.0.3967.83\\Locales\\en-US.pak"
              }
            ],
            "repeated": 0,
            "id": 419
          },
          {
            "timestamp": "2026-05-28 22:02:12,885",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x0000027c"
              },
              {
                "name": "HandleName",
                "value": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\148.0.3967.83\\Locales\\en-US.pak"
              },
              {
                "name": "FileInformationClass",
                "value": "5",
                "pretty_value": "FileStandardInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\x00`\r\\x00\\x00\\x00\\x00\\x00 U\r\\x00\\x00\\x00\\x00\\x00\\x06\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 420
          },
          {
            "timestamp": "2026-05-28 22:02:12,885",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000280"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2a367c30000"
              },
              {
                "name": "SectionOffset",
                "value": "0xb8f792e5e0"
              },
              {
                "name": "ViewSize",
                "value": "0x000d6000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 421
          },
          {
            "timestamp": "2026-05-28 22:02:12,885",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000284"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\148.0.3967.83\\resources.pak"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 422
          },
          {
            "timestamp": "2026-05-28 22:02:12,885",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000288"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000284"
              },
              {
                "name": "FileName",
                "value": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\148.0.3967.83\\resources.pak"
              }
            ],
            "repeated": 0,
            "id": 423
          },
          {
            "timestamp": "2026-05-28 22:02:12,885",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "filesystem",
            "api": "NtQueryInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000284"
              },
              {
                "name": "HandleName",
                "value": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\148.0.3967.83\\resources.pak"
              },
              {
                "name": "FileInformationClass",
                "value": "5",
                "pretty_value": "FileStandardInformation"
              },
              {
                "name": "FileInformation",
                "value": "\\x00P\\x1d\\x02\\x00\\x00\\x00\\x00LA\\x1d\\x02\\x00\\x00\\x00\\x00\\x06\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 424
          },
          {
            "timestamp": "2026-05-28 22:02:12,885",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000288"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2a36c000000"
              },
              {
                "name": "SectionOffset",
                "value": "0xb8f792e6e0"
              },
              {
                "name": "ViewSize",
                "value": "0x021d5000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 425
          },
          {
            "timestamp": "2026-05-28 22:02:12,885",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x3ed80002a000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 426
          },
          {
            "timestamp": "2026-05-28 22:02:12,885",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x3ed80000a000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 427
          },
          {
            "timestamp": "2026-05-28 22:02:12,885",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ADVAPI32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc771e0000"
              },
              {
                "name": "FunctionName",
                "value": "RegisterTraceGuidsW"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc78012a10"
              }
            ],
            "repeated": 0,
            "id": 428
          },
          {
            "timestamp": "2026-05-28 22:02:12,885",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ADVAPI32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc771e0000"
              },
              {
                "name": "FunctionName",
                "value": "OpenProcessToken"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc771f6ac0"
              }
            ],
            "repeated": 0,
            "id": 429
          },
          {
            "timestamp": "2026-05-28 22:02:12,900",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x00000290"
              }
            ],
            "repeated": 0,
            "id": 430
          },
          {
            "timestamp": "2026-05-28 22:02:12,900",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ADVAPI32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc771e0000"
              },
              {
                "name": "FunctionName",
                "value": "GetTokenInformation"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc771f61d0"
              }
            ],
            "repeated": 0,
            "id": 431
          },
          {
            "timestamp": "2026-05-28 22:02:12,900",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 432
          },
          {
            "timestamp": "2026-05-28 22:02:12,900",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\x90\\xc7\\x04\\x00\\xd8>\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\xe9\\x03\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 433
          },
          {
            "timestamp": "2026-05-28 22:02:12,900",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ADVAPI32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc771e0000"
              },
              {
                "name": "FunctionName",
                "value": "IsValidSid"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc771f6d80"
              }
            ],
            "repeated": 0,
            "id": 434
          },
          {
            "timestamp": "2026-05-28 22:02:12,900",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ADVAPI32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc771e0000"
              },
              {
                "name": "FunctionName",
                "value": "GetLengthSid"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc771f68c0"
              }
            ],
            "repeated": 0,
            "id": 435
          },
          {
            "timestamp": "2026-05-28 22:02:12,900",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ADVAPI32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc771e0000"
              },
              {
                "name": "FunctionName",
                "value": "ConvertSidToStringSidW"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc771f5a70"
              }
            ],
            "repeated": 0,
            "id": 436
          },
          {
            "timestamp": "2026-05-28 22:02:12,900",
            "thread_id": "10724",
            "caller": "0x7ff66cac4c88",
            "parentcaller": "0x7ff66caab649",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000290"
              }
            ],
            "repeated": 0,
            "id": 437
          },
          {
            "timestamp": "2026-05-28 22:02:12,900",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x3ed800168000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 438
          },
          {
            "timestamp": "2026-05-28 22:02:12,900",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x3ed800168000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 439
          },
          {
            "timestamp": "2026-05-28 22:02:12,900",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x3ed800168000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 440
          },
          {
            "timestamp": "2026-05-28 22:02:12,900",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x3ed800168000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 441
          },
          {
            "timestamp": "2026-05-28 22:02:12,900",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc77fd0000"
              }
            ],
            "repeated": 0,
            "id": 442
          },
          {
            "timestamp": "2026-05-28 22:02:12,900",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc77fd0000"
              },
              {
                "name": "FunctionName",
                "value": "RtlGetDeviceFamilyInfoEnum"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc7800f850"
              }
            ],
            "repeated": 0,
            "id": 443
          },
          {
            "timestamp": "2026-05-28 22:02:12,900",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000290"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020119",
                "pretty_value": "KEY_QUERY_VALUE|KEY_ENUMERATE_SUB_KEYS|KEY_NOTIFY|KEY_WOW64_64KEY|STANDARD_RIGHTS_REQUIRED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Microsoft\\Windows NT\\CurrentVersion\\OEM"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\OEM"
              }
            ],
            "repeated": 0,
            "id": 444
          },
          {
            "timestamp": "2026-05-28 22:02:12,900",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000290"
              },
              {
                "name": "ValueName",
                "value": "DeviceForm"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\OEM\\DeviceForm"
              }
            ],
            "repeated": 0,
            "id": 445
          },
          {
            "timestamp": "2026-05-28 22:02:12,900",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000290"
              }
            ],
            "repeated": 0,
            "id": 446
          },
          {
            "timestamp": "2026-05-28 22:02:12,900",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "USER32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc762a0000"
              }
            ],
            "repeated": 0,
            "id": 447
          },
          {
            "timestamp": "2026-05-28 22:02:12,900",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x7ffc762a0000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "USER32.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00000800"
              }
            ],
            "repeated": 0,
            "id": 448
          },
          {
            "timestamp": "2026-05-28 22:02:12,900",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "USER32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc762a0000"
              },
              {
                "name": "FunctionName",
                "value": "PostThreadMessageW"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc762c7ee0"
              }
            ],
            "repeated": 0,
            "id": 449
          },
          {
            "timestamp": "2026-05-28 22:02:12,900",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "windows",
            "api": "PostThreadMessageW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessId",
                "value": "10720"
              },
              {
                "name": "ThreadId",
                "value": "10724"
              },
              {
                "name": "Message",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 450
          },
          {
            "timestamp": "2026-05-28 22:02:12,900",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "USER32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc762a0000"
              },
              {
                "name": "FunctionName",
                "value": "PeekMessageW"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc762aa3e0"
              }
            ],
            "repeated": 0,
            "id": 451
          },
          {
            "timestamp": "2026-05-28 22:02:12,900",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc77fd0000"
              }
            ],
            "repeated": 0,
            "id": 452
          },
          {
            "timestamp": "2026-05-28 22:02:12,900",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc77fd0000"
              },
              {
                "name": "FunctionName",
                "value": "NtQuerySection"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc7806d9f0"
              }
            ],
            "repeated": 0,
            "id": 453
          },
          {
            "timestamp": "2026-05-28 22:02:12,900",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "NtDuplicateObject",
            "status": false,
            "return": "0xffffffffc0000022",
            "pretty_return": "ACCESS_DENIED",
            "arguments": [
              {
                "name": "SourceProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "SourceHandle",
                "value": "0x000009a8"
              },
              {
                "name": "TargetProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "TargetHandle",
                "value": "0x00000000"
              },
              {
                "name": "Options",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 454
          },
          {
            "timestamp": "2026-05-28 22:02:12,900",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "misc",
            "api": "NtQuerySystemInformation",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SystemInformationClass",
                "value": "0",
                "pretty_value": "FILE_SUPERSEDE"
              }
            ],
            "repeated": 0,
            "id": 455
          },
          {
            "timestamp": "2026-05-28 22:02:12,900",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "misc",
            "api": "NtQuerySystemInformation",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SystemInformationClass",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              }
            ],
            "repeated": 0,
            "id": 456
          },
          {
            "timestamp": "2026-05-28 22:02:12,900",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "api-ms-win-core-wow64-l1-1-1.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc756b0000"
              }
            ],
            "repeated": 0,
            "id": 457
          },
          {
            "timestamp": "2026-05-28 22:02:12,900",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "KERNELBASE.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc756b0000"
              },
              {
                "name": "FunctionName",
                "value": "IsWow64Process2"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc757270e0"
              }
            ],
            "repeated": 0,
            "id": 458
          },
          {
            "timestamp": "2026-05-28 22:02:12,900",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ADVAPI32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc771e0000"
              },
              {
                "name": "FunctionName",
                "value": "RegOpenKeyExW"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc771f6180"
              }
            ],
            "repeated": 0,
            "id": 459
          },
          {
            "timestamp": "2026-05-28 22:02:12,900",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion"
              },
              {
                "name": "Handle",
                "value": "0x00000290"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion"
              }
            ],
            "repeated": 0,
            "id": 460
          },
          {
            "timestamp": "2026-05-28 22:02:12,900",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ADVAPI32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc771e0000"
              },
              {
                "name": "FunctionName",
                "value": "RegQueryValueExW"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc771f6160"
              }
            ],
            "repeated": 0,
            "id": 461
          },
          {
            "timestamp": "2026-05-28 22:02:12,900",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000290"
              },
              {
                "name": "ValueName",
                "value": "UBR"
              },
              {
                "name": "Data",
                "value": "3803"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\UBR"
              }
            ],
            "repeated": 0,
            "id": 462
          },
          {
            "timestamp": "2026-05-28 22:02:12,900",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000290"
              },
              {
                "name": "ValueName",
                "value": "DisplayVersion"
              },
              {
                "name": "Data",
                "value": "22H2"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\DisplayVersion"
              }
            ],
            "repeated": 0,
            "id": 463
          },
          {
            "timestamp": "2026-05-28 22:02:12,900",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ADVAPI32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc771e0000"
              },
              {
                "name": "FunctionName",
                "value": "RegCloseKey"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc771f6930"
              }
            ],
            "repeated": 0,
            "id": 464
          },
          {
            "timestamp": "2026-05-28 22:02:12,900",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000290"
              }
            ],
            "repeated": 0,
            "id": 465
          },
          {
            "timestamp": "2026-05-28 22:02:12,900",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "kernel32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc76030000"
              }
            ],
            "repeated": 0,
            "id": 466
          },
          {
            "timestamp": "2026-05-28 22:02:12,900",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "KERNEL32.DLL"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc76030000"
              },
              {
                "name": "FunctionName",
                "value": "IsWow64Process2"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc757270e0"
              }
            ],
            "repeated": 0,
            "id": 467
          },
          {
            "timestamp": "2026-05-28 22:02:12,900",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x000009a8"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2a366dd0000"
              },
              {
                "name": "SectionOffset",
                "value": "0xb8f792eec0"
              },
              {
                "name": "ViewSize",
                "value": "0x00001000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 468
          },
          {
            "timestamp": "2026-05-28 22:02:12,900",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtUnmapViewOfSectionEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2a366dd0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Flags",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 469
          },
          {
            "timestamp": "2026-05-28 22:02:12,900",
            "thread_id": "10724",
            "caller": "0x7ff66cac4c88",
            "parentcaller": "0x7ff66caab649",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000009a8"
              }
            ],
            "repeated": 0,
            "id": 470
          },
          {
            "timestamp": "2026-05-28 22:02:12,900",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "NtDuplicateObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SourceProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "SourceHandle",
                "value": "0x00001764"
              },
              {
                "name": "TargetProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "TargetHandle",
                "value": "0x000009a8"
              },
              {
                "name": "Options",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 471
          },
          {
            "timestamp": "2026-05-28 22:02:12,900",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000009a8"
              }
            ],
            "repeated": 0,
            "id": 472
          },
          {
            "timestamp": "2026-05-28 22:02:12,900",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00001764"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2a367d10000"
              },
              {
                "name": "SectionOffset",
                "value": "0xb8f792edb0"
              },
              {
                "name": "ViewSize",
                "value": "0x00080000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 473
          },
          {
            "timestamp": "2026-05-28 22:02:12,900",
            "thread_id": "10724",
            "caller": "0x7ff66cac4c88",
            "parentcaller": "0x7ff66caab649",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00001764"
              }
            ],
            "repeated": 0,
            "id": 474
          },
          {
            "timestamp": "2026-05-28 22:02:12,900",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "NtDuplicateObject",
            "status": false,
            "return": "0xffffffffc0000022",
            "pretty_return": "ACCESS_DENIED",
            "arguments": [
              {
                "name": "SourceProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "SourceHandle",
                "value": "0x000009a0"
              },
              {
                "name": "TargetProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "TargetHandle",
                "value": "0x00000000"
              },
              {
                "name": "Options",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 475
          },
          {
            "timestamp": "2026-05-28 22:02:12,900",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x000009a0"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2a367d90000"
              },
              {
                "name": "SectionOffset",
                "value": "0xb8f792ebb0"
              },
              {
                "name": "ViewSize",
                "value": "0x00040000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 476
          },
          {
            "timestamp": "2026-05-28 22:02:12,900",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x3ed8000e1000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 477
          },
          {
            "timestamp": "2026-05-28 22:02:12,900",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x3ed800059000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 478
          },
          {
            "timestamp": "2026-05-28 22:02:12,900",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x3ed8000e2000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 479
          },
          {
            "timestamp": "2026-05-28 22:02:12,900",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x3ed800049000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 480
          },
          {
            "timestamp": "2026-05-28 22:02:12,900",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x3ed8000e3000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 481
          },
          {
            "timestamp": "2026-05-28 22:02:12,900",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x3ed80004d000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 482
          },
          {
            "timestamp": "2026-05-28 22:02:12,900",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x3ed80005a000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 483
          },
          {
            "timestamp": "2026-05-28 22:02:12,900",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x3ed800178000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 484
          },
          {
            "timestamp": "2026-05-28 22:02:12,900",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x3ed800179000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 485
          },
          {
            "timestamp": "2026-05-28 22:02:12,900",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x3ed80005b000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 486
          },
          {
            "timestamp": "2026-05-28 22:02:12,900",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x3ed80017a000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 487
          },
          {
            "timestamp": "2026-05-28 22:02:12,900",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x3ed80004e000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 488
          },
          {
            "timestamp": "2026-05-28 22:02:12,900",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x3ed80017b000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 489
          },
          {
            "timestamp": "2026-05-28 22:02:12,900",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x3ed80017c000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 490
          },
          {
            "timestamp": "2026-05-28 22:02:12,900",
            "thread_id": "10724",
            "caller": "0x7ff66cac4c88",
            "parentcaller": "0x7ff66caab649",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000009a0"
              }
            ],
            "repeated": 0,
            "id": 491
          },
          {
            "timestamp": "2026-05-28 22:02:12,900",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x3ed800180000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 492
          },
          {
            "timestamp": "2026-05-28 22:02:12,900",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x3ed8000e4000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 493
          },
          {
            "timestamp": "2026-05-28 22:02:12,900",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x3ed80004a000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 494
          },
          {
            "timestamp": "2026-05-28 22:02:12,900",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x3ed800190000"
              },
              {
                "name": "RegionSize",
                "value": "0x00002000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 495
          },
          {
            "timestamp": "2026-05-28 22:02:12,900",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "threading",
            "api": "NtCreateThreadEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0x00001764"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "StartAddress",
                "value": "0x7ffc1fc09bd0"
              },
              {
                "name": "Parameter",
                "value": "0x3ed80006c290"
              },
              {
                "name": "CreateFlags",
                "value": "0x00000001"
              },
              {
                "name": "ThreadId",
                "value": "11008"
              },
              {
                "name": "ProcessId",
                "value": "10720"
              },
              {
                "name": "Module",
                "value": "msedge.dll"
              }
            ],
            "repeated": 0,
            "id": 496
          },
          {
            "timestamp": "2026-05-28 22:02:12,900",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "threading",
            "api": "CreateRemoteThreadEx",
            "status": true,
            "return": "0x00001764",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "StartRoutine",
                "value": "0x7ffc1fc09bd0"
              },
              {
                "name": "Parameter",
                "value": "0x3ed80006c290"
              },
              {
                "name": "CreationFlags",
                "value": "0x00000000"
              },
              {
                "name": "ThreadId",
                "value": "11008"
              },
              {
                "name": "ProcessId",
                "value": "10720"
              }
            ],
            "repeated": 0,
            "id": 497
          },
          {
            "timestamp": "2026-05-28 22:02:12,900",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x3ed80002b000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 498
          },
          {
            "timestamp": "2026-05-28 22:02:12,900",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "0",
                "pretty_value": "ThreadBasicInformation"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x03\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00`\\xbe\\xf7\\xb8\\x00\\x00\\x00\\xe0)\\x00\\x00\\x00\\x00\\x00\\x00\\xe4)\\x00\\x00\\x00\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\n\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "10724"
              }
            ],
            "repeated": 0,
            "id": 499
          },
          {
            "timestamp": "2026-05-28 22:02:12,900",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x3ed800140000"
              },
              {
                "name": "RegionSize",
                "value": "0x00007000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 500
          },
          {
            "timestamp": "2026-05-28 22:02:12,900",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x3ed80019c000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 501
          },
          {
            "timestamp": "2026-05-28 22:02:12,900",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x3ed80019d000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 502
          },
          {
            "timestamp": "2026-05-28 22:02:12,900",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x3ed80019e000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 503
          },
          {
            "timestamp": "2026-05-28 22:02:12,900",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x3ed80019f000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 504
          },
          {
            "timestamp": "2026-05-28 22:02:12,900",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x3ed8001a0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00003000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 505
          },
          {
            "timestamp": "2026-05-28 22:02:12,900",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x3ed8001a3000"
              },
              {
                "name": "RegionSize",
                "value": "0x00003000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 506
          },
          {
            "timestamp": "2026-05-28 22:02:12,900",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x3ed80005d000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 507
          },
          {
            "timestamp": "2026-05-28 22:02:12,900",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x3ed8001a6000"
              },
              {
                "name": "RegionSize",
                "value": "0x00003000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 508
          },
          {
            "timestamp": "2026-05-28 22:02:12,900",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x3ed8001a9000"
              },
              {
                "name": "RegionSize",
                "value": "0x00003000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 509
          },
          {
            "timestamp": "2026-05-28 22:02:12,900",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "Kernel32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc76030000"
              }
            ],
            "repeated": 0,
            "id": 510
          },
          {
            "timestamp": "2026-05-28 22:02:12,900",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "KERNEL32.DLL"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc76030000"
              },
              {
                "name": "FunctionName",
                "value": "GetThreadDescription"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc757d8e60"
              }
            ],
            "repeated": 0,
            "id": 511
          },
          {
            "timestamp": "2026-05-28 22:02:12,900",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "38"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xa0\\x9d@e\\xa3\\x02\\x00\\x00-\\x003\\x009\\x006\\x008\\x006\\x008\\x006\\x000\\x004\\x000\\x00-\\x003\\x002\\x001\\x000\\x002\\x007\\x009\\x004\\x006\\x003\\x00-\\x008\\x004\\x007\\x009\\x007\\x007\\x006\\x000\\x008\\x00-\\x001\\x000\\x000\\x001\\x00\\x00\\x00i\\x00\\x04\\x00\\x069\\xc0\\x1fG\\x17\\xd5\\xb5\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xa9N@e\\xa3\\x02\\x00\\x00.\\x008\\x003\\x00\\\\x00r\\x00e\\x00s\\x00o\\x00"
              },
              {
                "name": "ThreadId",
                "value": "10724"
              }
            ],
            "repeated": 0,
            "id": 512
          },
          {
            "timestamp": "2026-05-28 22:02:12,900",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "kernel32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc76030000"
              }
            ],
            "repeated": 0,
            "id": 513
          },
          {
            "timestamp": "2026-05-28 22:02:12,900",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "KERNEL32.DLL"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc76030000"
              },
              {
                "name": "FunctionName",
                "value": "WerRegisterCustomMetadata"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc7606bbf0"
              }
            ],
            "repeated": 0,
            "id": 514
          },
          {
            "timestamp": "2026-05-28 22:02:12,900",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x3ed800168000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 515
          },
          {
            "timestamp": "2026-05-28 22:02:12,900",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x3ed8000e4000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 516
          },
          {
            "timestamp": "2026-05-28 22:02:12,900",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x3ed800168000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 517
          },
          {
            "timestamp": "2026-05-28 22:02:12,900",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x3ed800168000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 518
          },
          {
            "timestamp": "2026-05-28 22:02:12,900",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x3ed800168000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 519
          },
          {
            "timestamp": "2026-05-28 22:02:12,900",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x3ed800168000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 520
          },
          {
            "timestamp": "2026-05-28 22:02:12,900",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x3ed800168000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 521
          },
          {
            "timestamp": "2026-05-28 22:02:12,900",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x3ed800168000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 522
          },
          {
            "timestamp": "2026-05-28 22:02:12,900",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x3ed800168000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 523
          },
          {
            "timestamp": "2026-05-28 22:02:12,900",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x3ed800168000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 524
          },
          {
            "timestamp": "2026-05-28 22:02:12,900",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x3ed800168000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 525
          },
          {
            "timestamp": "2026-05-28 22:02:12,900",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x3ed800168000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 526
          },
          {
            "timestamp": "2026-05-28 22:02:12,900",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x3ed800168000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 527
          },
          {
            "timestamp": "2026-05-28 22:02:12,900",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "misc",
            "api": "GetSystemInfo",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 1,
            "id": 528
          },
          {
            "timestamp": "2026-05-28 22:02:12,900",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000001fc"
              },
              {
                "name": "Milliseconds",
                "value": "4000"
              }
            ],
            "repeated": 0,
            "id": 529
          },
          {
            "timestamp": "2026-05-28 22:02:12,900",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "synchronization",
            "api": "NtReleaseMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000001fc"
              }
            ],
            "repeated": 0,
            "id": 530
          },
          {
            "timestamp": "2026-05-28 22:02:12,900",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x3ed800168000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 531
          },
          {
            "timestamp": "2026-05-28 22:02:12,900",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x3ed800168000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 532
          },
          {
            "timestamp": "2026-05-28 22:02:12,900",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "misc",
            "api": "GetSystemInfo",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 1,
            "id": 533
          },
          {
            "timestamp": "2026-05-28 22:02:12,900",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000001fc"
              },
              {
                "name": "Milliseconds",
                "value": "4000"
              }
            ],
            "repeated": 0,
            "id": 534
          },
          {
            "timestamp": "2026-05-28 22:02:12,900",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "synchronization",
            "api": "NtReleaseMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000001fc"
              }
            ],
            "repeated": 0,
            "id": 535
          },
          {
            "timestamp": "2026-05-28 22:02:12,900",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x3ed800168000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 536
          },
          {
            "timestamp": "2026-05-28 22:02:12,900",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x3ed800168000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 537
          },
          {
            "timestamp": "2026-05-28 22:02:12,900",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x3ed800168000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 538
          },
          {
            "timestamp": "2026-05-28 22:02:12,900",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x3ed800168000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 539
          },
          {
            "timestamp": "2026-05-28 22:02:12,900",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x3ed800168000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 540
          },
          {
            "timestamp": "2026-05-28 22:02:12,900",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x3ed800168000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 541
          },
          {
            "timestamp": "2026-05-28 22:02:12,900",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x3ed800168000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 542
          },
          {
            "timestamp": "2026-05-28 22:02:12,900",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x3ed800168000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 543
          },
          {
            "timestamp": "2026-05-28 22:02:12,900",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x3ed800168000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 544
          },
          {
            "timestamp": "2026-05-28 22:02:12,900",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x3ed800168000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 545
          },
          {
            "timestamp": "2026-05-28 22:02:12,900",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x3ed800168000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 546
          },
          {
            "timestamp": "2026-05-28 22:02:12,900",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x3ed800168000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 547
          },
          {
            "timestamp": "2026-05-28 22:02:12,900",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x3ed80004f000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 548
          },
          {
            "timestamp": "2026-05-28 22:02:12,900",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x3ed80012d000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 549
          },
          {
            "timestamp": "2026-05-28 22:02:12,900",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x3ed80019d000"
              },
              {
                "name": "RegionSize",
                "value": "0x00003000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 550
          },
          {
            "timestamp": "2026-05-28 22:02:12,900",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x3ed8001a1000"
              },
              {
                "name": "RegionSize",
                "value": "0x00002000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 551
          },
          {
            "timestamp": "2026-05-28 22:02:12,900",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x3ed8001a4000"
              },
              {
                "name": "RegionSize",
                "value": "0x00002000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 552
          },
          {
            "timestamp": "2026-05-28 22:02:12,900",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x3ed8001a7000"
              },
              {
                "name": "RegionSize",
                "value": "0x00002000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 553
          },
          {
            "timestamp": "2026-05-28 22:02:12,900",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x3ed800165000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 554
          },
          {
            "timestamp": "2026-05-28 22:02:12,900",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x48df11cd3000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 555
          },
          {
            "timestamp": "2026-05-28 22:02:12,900",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x3edc00002000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 556
          },
          {
            "timestamp": "2026-05-28 22:02:12,900",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x3edc00004000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 557
          },
          {
            "timestamp": "2026-05-28 22:02:12,900",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x3edc00004000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 558
          },
          {
            "timestamp": "2026-05-28 22:02:12,900",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x3edc00008000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 559
          },
          {
            "timestamp": "2026-05-28 22:02:12,900",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x3edc00014000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 560
          },
          {
            "timestamp": "2026-05-28 22:02:12,900",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x3edc00014000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 561
          },
          {
            "timestamp": "2026-05-28 22:02:12,900",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x3edc00008000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 562
          },
          {
            "timestamp": "2026-05-28 22:02:12,900",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x3edc00008000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 563
          },
          {
            "timestamp": "2026-05-28 22:02:12,900",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x3edc00014000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 564
          },
          {
            "timestamp": "2026-05-28 22:02:12,900",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x3edc00014000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 565
          },
          {
            "timestamp": "2026-05-28 22:02:12,900",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x3edc00008000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 566
          },
          {
            "timestamp": "2026-05-28 22:02:12,900",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x3edc00008000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 567
          },
          {
            "timestamp": "2026-05-28 22:02:12,900",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x3edc00024000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 568
          },
          {
            "timestamp": "2026-05-28 22:02:12,900",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x3edc00030000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 569
          },
          {
            "timestamp": "2026-05-28 22:02:12,900",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x48df11ed1000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 570
          },
          {
            "timestamp": "2026-05-28 22:02:12,900",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x3ed800204000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 571
          },
          {
            "timestamp": "2026-05-28 22:02:12,900",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x3ed800208000"
              },
              {
                "name": "RegionSize",
                "value": "0x00002000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 572
          },
          {
            "timestamp": "2026-05-28 22:02:12,900",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x3edc0003c000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 573
          },
          {
            "timestamp": "2026-05-28 22:02:12,900",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x3edc00004000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 574
          },
          {
            "timestamp": "2026-05-28 22:02:12,900",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x3edc00040000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 575
          },
          {
            "timestamp": "2026-05-28 22:02:12,900",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x3edc00050000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 576
          },
          {
            "timestamp": "2026-05-28 22:02:12,900",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x3edc00054000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 577
          },
          {
            "timestamp": "2026-05-28 22:02:12,900",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "threading",
            "api": "NtCreateThreadEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0x0000029c"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "StartAddress",
                "value": "0x7ffc1fc09bd0"
              },
              {
                "name": "Parameter",
                "value": "0x3edc00050200"
              },
              {
                "name": "CreateFlags",
                "value": "0x00000001"
              },
              {
                "name": "ThreadId",
                "value": "11012"
              },
              {
                "name": "ProcessId",
                "value": "10720"
              },
              {
                "name": "Module",
                "value": "msedge.dll"
              }
            ],
            "repeated": 0,
            "id": 578
          },
          {
            "timestamp": "2026-05-28 22:02:12,900",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "threading",
            "api": "CreateRemoteThreadEx",
            "status": true,
            "return": "0x0000029c",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "StartRoutine",
                "value": "0x7ffc1fc09bd0"
              },
              {
                "name": "Parameter",
                "value": "0x3edc00050200"
              },
              {
                "name": "CreationFlags",
                "value": "0x00000000"
              },
              {
                "name": "ThreadId",
                "value": "11012"
              },
              {
                "name": "ProcessId",
                "value": "10720"
              }
            ],
            "repeated": 0,
            "id": 579
          },
          {
            "timestamp": "2026-05-28 22:02:12,900",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 580
          },
          {
            "timestamp": "2026-05-28 22:02:12,900",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000298"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 581
          },
          {
            "timestamp": "2026-05-28 22:02:12,900",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000298"
              },
              {
                "name": "Milliseconds",
                "value": "18446744073709551615"
              },
              {
                "name": "Status",
                "value": "Infinite"
              }
            ],
            "repeated": 0,
            "id": 582
          },
          {
            "timestamp": "2026-05-28 22:02:12,900",
            "thread_id": "11000",
            "caller": "0x7ffc75704448",
            "parentcaller": "0x7ffc1ec3f766",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x3ed80020a000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 583
          },
          {
            "timestamp": "2026-05-28 22:02:12,900",
            "thread_id": "11000",
            "caller": "0x7ffc75704448",
            "parentcaller": "0x7ffc1ec3f766",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x3edc00058000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 584
          },
          {
            "timestamp": "2026-05-28 22:02:12,900",
            "thread_id": "11000",
            "caller": "0x7ffc75704448",
            "parentcaller": "0x7ffc1ec3f766",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x3edc00068000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 585
          },
          {
            "timestamp": "2026-05-28 22:02:12,900",
            "thread_id": "11000",
            "caller": "0x7ffc7804507d",
            "parentcaller": "0x7ffc78044c43",
            "category": "threading",
            "api": "NtTestAlert",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 586
          },
          {
            "timestamp": "2026-05-28 22:02:12,900",
            "thread_id": "11000",
            "caller": "0x00000000",
            "parentcaller": "0x00000000",
            "category": "threading",
            "api": "RtlUserThreadStart",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "StartAddress",
                "value": "0x7ff66caab680"
              },
              {
                "name": "Parameter",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 587
          },
          {
            "timestamp": "2026-05-28 22:02:12,900",
            "thread_id": "11000",
            "caller": "0x7ff66caab737",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\system32\\uxtheme"
              },
              {
                "name": "DllBase",
                "value": "0x7ffc730a0000"
              }
            ],
            "repeated": 0,
            "id": 588
          },
          {
            "timestamp": "2026-05-28 22:02:12,900",
            "thread_id": "11004",
            "caller": "0x7ffc77ff2caa",
            "parentcaller": "0x7ffc77ff2fbd",
            "category": "process",
            "api": "NtAllocateVirtualMemoryEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2a365436000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 589
          },
          {
            "timestamp": "2026-05-28 22:02:12,900",
            "thread_id": "11004",
            "caller": "0x7ffc7802eb32",
            "parentcaller": "0x7ffc77fe77c3",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000003c"
              },
              {
                "name": "Milliseconds",
                "value": "18446744073709551615"
              },
              {
                "name": "Status",
                "value": "Infinite"
              }
            ],
            "repeated": 1,
            "id": 590
          },
          {
            "timestamp": "2026-05-28 22:02:12,916",
            "thread_id": "11008",
            "caller": "0x7ffc77ff2caa",
            "parentcaller": "0x7ffc77ff2fbd",
            "category": "process",
            "api": "NtAllocateVirtualMemoryEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2a365437000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 591
          },
          {
            "timestamp": "2026-05-28 22:02:12,916",
            "thread_id": "11008",
            "caller": "0x7ffc7802eb32",
            "parentcaller": "0x7ffc77fe77c3",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000003c"
              },
              {
                "name": "Milliseconds",
                "value": "18446744073709551615"
              },
              {
                "name": "Status",
                "value": "Infinite"
              }
            ],
            "repeated": 0,
            "id": 592
          },
          {
            "timestamp": "2026-05-28 22:02:12,916",
            "thread_id": "11012",
            "caller": "0x7ffc77ff2caa",
            "parentcaller": "0x7ffc77ff2fbd",
            "category": "process",
            "api": "NtAllocateVirtualMemoryEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2a365438000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 593
          },
          {
            "timestamp": "2026-05-28 22:02:12,916",
            "thread_id": "11012",
            "caller": "0x7ffc7802eb32",
            "parentcaller": "0x7ffc77fe77c3",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000003c"
              },
              {
                "name": "Milliseconds",
                "value": "18446744073709551615"
              },
              {
                "name": "Status",
                "value": "Infinite"
              }
            ],
            "repeated": 0,
            "id": 594
          },
          {
            "timestamp": "2026-05-28 22:02:12,916",
            "thread_id": "11000",
            "caller": "0x7ff66caab737",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\uxtheme.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc730a0000"
              }
            ],
            "repeated": 0,
            "id": 595
          },
          {
            "timestamp": "2026-05-28 22:02:12,916",
            "thread_id": "11000",
            "caller": "0x7ff66caab737",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x7ffc730a0000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\system32\\uxtheme.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00000008"
              }
            ],
            "repeated": 0,
            "id": 596
          },
          {
            "timestamp": "2026-05-28 22:02:12,916",
            "thread_id": "11000",
            "caller": "0x7ff66caab737",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "uxtheme.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc730a0000"
              },
              {
                "name": "FunctionName",
                "value": "ThemeInitApiHook"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc730acde0"
              }
            ],
            "repeated": 0,
            "id": 597
          },
          {
            "timestamp": "2026-05-28 22:02:12,916",
            "thread_id": "11000",
            "caller": "0x7ff66caab737",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "IsDebuggerPresent",
            "status": false,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 598
          },
          {
            "timestamp": "2026-05-28 22:02:12,916",
            "thread_id": "11004",
            "caller": "0x7ffc75704448",
            "parentcaller": "0x7ffc1ec3f766",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x3ed80020b000"
              },
              {
                "name": "RegionSize",
                "value": "0x00002000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 599
          },
          {
            "timestamp": "2026-05-28 22:02:12,916",
            "thread_id": "11004",
            "caller": "0x7ffc7804507d",
            "parentcaller": "0x7ffc78044c43",
            "category": "threading",
            "api": "NtTestAlert",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 600
          },
          {
            "timestamp": "2026-05-28 22:02:12,916",
            "thread_id": "11004",
            "caller": "0x00000000",
            "parentcaller": "0x00000000",
            "category": "threading",
            "api": "RtlUserThreadStart",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "StartAddress",
                "value": "0x7ffc1fc09bd0"
              },
              {
                "name": "Parameter",
                "value": "0x3ed80006c100"
              }
            ],
            "repeated": 0,
            "id": 601
          },
          {
            "timestamp": "2026-05-28 22:02:12,916",
            "thread_id": "11004",
            "caller": "0x7ffc75716f4c",
            "parentcaller": "0x7ffc1fc09c51",
            "category": "system",
            "api": "NtDuplicateObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SourceProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "SourceHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "TargetProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "TargetHandle",
                "value": "0x000002b8"
              },
              {
                "name": "Options",
                "value": "0x00000002"
              }
            ],
            "repeated": 0,
            "id": 602
          },
          {
            "timestamp": "2026-05-28 22:02:12,916",
            "thread_id": "11004",
            "caller": "0x7ffc75704448",
            "parentcaller": "0x7ffc1ec3f766",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x3ed800214000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 603
          },
          {
            "timestamp": "2026-05-28 22:02:12,916",
            "thread_id": "11004",
            "caller": "0x7ffc75711762",
            "parentcaller": "0x7ffc1ebfd9a5",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x3ed800204000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 604
          },
          {
            "timestamp": "2026-05-28 22:02:12,916",
            "thread_id": "11004",
            "caller": "0x7ffc75704448",
            "parentcaller": "0x7ffc1ec3f766",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x3edc0006c000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 605
          },
          {
            "timestamp": "2026-05-28 22:02:12,916",
            "thread_id": "11004",
            "caller": "0x7ffc75704448",
            "parentcaller": "0x7ffc1ec3f766",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x3edc0007c000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 606
          },
          {
            "timestamp": "2026-05-28 22:02:12,916",
            "thread_id": "11004",
            "caller": "0x7ffc75704448",
            "parentcaller": "0x7ffc1ec3f766",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x3edc0008c000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 607
          },
          {
            "timestamp": "2026-05-28 22:02:12,916",
            "thread_id": "11004",
            "caller": "0x7ffc757d8ec6",
            "parentcaller": "0x7ffc1fbf0158",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "38"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x00\\x00\\x00\\x00\\xa3\\x02\\x00\\x00P\\x81@e\\xa3\\x02\\x00\\x00\\x90\\xf6\\x92\\xf7\\xb8\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x82\\x00\\x00\\x00\\x00\\x00\\x00\\x80\\xf3\\x92\\xf7\\xb8\\x00\\x00\\x000~@e\\xa3\\x02\\x00\\x00`\\x82@e\\xa3\\x02\\x00\\x00\\x80}@e\\xa3\\x02\\x00\\x00\\xf0\\xc3\\x13x\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x90\\x83@e\\xa3\\x02\\x00\\x00\\x19\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x90\\xdbu\\xfc\\x7f\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\x19\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb0\\xcc\\xdeu\\xfc\\x7f\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "11004"
              }
            ],
            "repeated": 0,
            "id": 608
          },
          {
            "timestamp": "2026-05-28 22:02:12,916",
            "thread_id": "11004",
            "caller": "0x7ffc75704448",
            "parentcaller": "0x7ffc1ec3f766",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x3edc00090000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 609
          },
          {
            "timestamp": "2026-05-28 22:02:12,916",
            "thread_id": "11004",
            "caller": "0x7ffc75704448",
            "parentcaller": "0x7ffc1ec3f766",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x3edc0009c000"
              },
              {
                "name": "RegionSize",
                "value": "0x00002000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 610
          },
          {
            "timestamp": "2026-05-28 22:02:12,916",
            "thread_id": "11004",
            "caller": "0x7ffc75711762",
            "parentcaller": "0x7ffc1ebfd9a5",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x3edc00090000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 611
          },
          {
            "timestamp": "2026-05-28 22:02:12,916",
            "thread_id": "11004",
            "caller": "0x7ffc75711762",
            "parentcaller": "0x7ffc1ebfd9a5",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x3edc0009c000"
              },
              {
                "name": "RegionSize",
                "value": "0x00002000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 612
          },
          {
            "timestamp": "2026-05-28 22:02:12,916",
            "thread_id": "11004",
            "caller": "0x7ffc756de76a",
            "parentcaller": "0x7ffc1fc0ef1b",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "Kernel32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc76030000"
              }
            ],
            "repeated": 0,
            "id": 613
          },
          {
            "timestamp": "2026-05-28 22:02:12,916",
            "thread_id": "11004",
            "caller": "0x7ffc7571156c",
            "parentcaller": "0x7ffc1fc0ef2b",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "KERNEL32.DLL"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc76030000"
              },
              {
                "name": "FunctionName",
                "value": "SetThreadDescription"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc757239c0"
              }
            ],
            "repeated": 0,
            "id": 614
          },
          {
            "timestamp": "2026-05-28 22:02:12,916",
            "thread_id": "11004",
            "caller": "0x7ffc1fc0eecc",
            "parentcaller": "0x7ffc1fc4a10d",
            "category": "threading",
            "api": "SetThreadDescription",
            "status": true,
            "return": "0x10000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadDescription",
                "value": "LoaderLockSampler"
              }
            ],
            "repeated": 0,
            "id": 615
          },
          {
            "timestamp": "2026-05-28 22:02:12,916",
            "thread_id": "11004",
            "caller": "0x7ffc1fc0eee8",
            "parentcaller": "0x7ffc1fc4a10d",
            "category": "system",
            "api": "IsDebuggerPresent",
            "status": false,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 616
          },
          {
            "timestamp": "2026-05-28 22:02:12,916",
            "thread_id": "11004",
            "caller": "0x7ffc75704448",
            "parentcaller": "0x7ffc1ec3f766",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x3edc0009c000"
              },
              {
                "name": "RegionSize",
                "value": "0x00002000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 617
          },
          {
            "timestamp": "2026-05-28 22:02:12,916",
            "thread_id": "11004",
            "caller": "0x7ffc75704448",
            "parentcaller": "0x7ffc1ec3f766",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x3edc000ac000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 618
          },
          {
            "timestamp": "2026-05-28 22:02:12,916",
            "thread_id": "11004",
            "caller": "0x7ffc75704448",
            "parentcaller": "0x7ffc1ec3f766",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x3edc000bc000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 619
          },
          {
            "timestamp": "2026-05-28 22:02:12,916",
            "thread_id": "11004",
            "caller": "0x7ffc756d30ce",
            "parentcaller": "0x7ffc1fb4eec1",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002bc"
              },
              {
                "name": "Milliseconds",
                "value": "18446744073709551615"
              },
              {
                "name": "Status",
                "value": "Infinite"
              }
            ],
            "repeated": 1,
            "id": 620
          },
          {
            "timestamp": "2026-05-28 22:02:12,916",
            "thread_id": "11008",
            "caller": "0x7ffc77ff2caa",
            "parentcaller": "0x7ffc77ff2fbd",
            "category": "process",
            "api": "NtAllocateVirtualMemoryEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2a365439000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 621
          },
          {
            "timestamp": "2026-05-28 22:02:12,916",
            "thread_id": "11008",
            "caller": "0x7ffc77ff2caa",
            "parentcaller": "0x7ffc77ff2fbd",
            "category": "process",
            "api": "NtAllocateVirtualMemoryEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2a365506000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 622
          },
          {
            "timestamp": "2026-05-28 22:02:12,916",
            "thread_id": "11008",
            "caller": "0x7ffc75704448",
            "parentcaller": "0x7ffc1ec3f766",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x3ed80020d000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 623
          },
          {
            "timestamp": "2026-05-28 22:02:12,916",
            "thread_id": "11008",
            "caller": "0x7ffc7804507d",
            "parentcaller": "0x7ffc78044c43",
            "category": "threading",
            "api": "NtTestAlert",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 624
          },
          {
            "timestamp": "2026-05-28 22:02:12,916",
            "thread_id": "11008",
            "caller": "0x00000000",
            "parentcaller": "0x00000000",
            "category": "threading",
            "api": "RtlUserThreadStart",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "StartAddress",
                "value": "0x7ffc1fc09bd0"
              },
              {
                "name": "Parameter",
                "value": "0x3ed80006c290"
              }
            ],
            "repeated": 0,
            "id": 625
          },
          {
            "timestamp": "2026-05-28 22:02:12,916",
            "thread_id": "11008",
            "caller": "0x7ffc75716f4c",
            "parentcaller": "0x7ffc1fc09c51",
            "category": "system",
            "api": "NtDuplicateObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SourceProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "SourceHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "TargetProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "TargetHandle",
                "value": "0x000002c0"
              },
              {
                "name": "Options",
                "value": "0x00000002"
              }
            ],
            "repeated": 0,
            "id": 626
          },
          {
            "timestamp": "2026-05-28 22:02:12,916",
            "thread_id": "11008",
            "caller": "0x7ffc75704448",
            "parentcaller": "0x7ffc1ec3f766",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x3ed800218000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 627
          },
          {
            "timestamp": "2026-05-28 22:02:12,916",
            "thread_id": "11008",
            "caller": "0x7ffc75704448",
            "parentcaller": "0x7ffc1ec3f766",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x3edc00025000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 628
          },
          {
            "timestamp": "2026-05-28 22:02:12,916",
            "thread_id": "11008",
            "caller": "0x7ffc757d8ec6",
            "parentcaller": "0x7ffc1fbf0158",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "38"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x00\\x00\\x00\\x00\\xa3\\x02\\x00\\x00P\\x81@e\\xa3\\x02\\x00\\x00\\x90\\xf6\\x92\\xf7\\xb8\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x82\\x00\\x00\\x00\\x00\\x00\\x00\\x80\\xf3\\x92\\xf7\\xb8\\x00\\x00\\x000~@e\\xa3\\x02\\x00\\x00`\\x82@e\\xa3\\x02\\x00\\x00\\x80}@e\\xa3\\x02\\x00\\x00\\xf0\\xc3\\x13x\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x90\\x83@e\\xa3\\x02\\x00\\x00\\x19\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x90\\xdbu\\xfc\\x7f\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\x19\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb0\\xcc\\xdeu\\xfc\\x7f\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "11008"
              }
            ],
            "repeated": 0,
            "id": 629
          },
          {
            "timestamp": "2026-05-28 22:02:12,916",
            "thread_id": "11008",
            "caller": "0x7ffc75704448",
            "parentcaller": "0x7ffc1ec3f766",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x3edc00090000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 630
          },
          {
            "timestamp": "2026-05-28 22:02:12,916",
            "thread_id": "11008",
            "caller": "0x7ffc75704448",
            "parentcaller": "0x7ffc1ec3f766",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x3edc0009e000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 631
          },
          {
            "timestamp": "2026-05-28 22:02:12,916",
            "thread_id": "11008",
            "caller": "0x7ffc1fc0eecc",
            "parentcaller": "0x7ffc1fc4a10d",
            "category": "threading",
            "api": "SetThreadDescription",
            "status": true,
            "return": "0x10000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadDescription",
                "value": "PerfettoTrace"
              }
            ],
            "repeated": 0,
            "id": 632
          },
          {
            "timestamp": "2026-05-28 22:02:12,916",
            "thread_id": "11008",
            "caller": "0x7ffc1fc0eee8",
            "parentcaller": "0x7ffc1fc4a10d",
            "category": "system",
            "api": "IsDebuggerPresent",
            "status": false,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 633
          },
          {
            "timestamp": "2026-05-28 22:02:12,916",
            "thread_id": "11008",
            "caller": "0x7ffc75704448",
            "parentcaller": "0x7ffc1ec3f766",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x3edc000bd000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 634
          },
          {
            "timestamp": "2026-05-28 22:02:12,916",
            "thread_id": "11008",
            "caller": "0x7ffc75704448",
            "parentcaller": "0x7ffc1ec3f766",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x3edc000c0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00007000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 635
          },
          {
            "timestamp": "2026-05-28 22:02:12,916",
            "thread_id": "11008",
            "caller": "0x7ffc75704448",
            "parentcaller": "0x7ffc1ec3f766",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x3edc000be000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 636
          },
          {
            "timestamp": "2026-05-28 22:02:12,916",
            "thread_id": "11008",
            "caller": "0x7ffc75704448",
            "parentcaller": "0x7ffc1ec3f766",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x3edc00014000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 637
          },
          {
            "timestamp": "2026-05-28 22:02:12,916",
            "thread_id": "11008",
            "caller": "0x7ffc75704448",
            "parentcaller": "0x7ffc1ec3f766",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x3edc000c8000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 638
          },
          {
            "timestamp": "2026-05-28 22:02:12,916",
            "thread_id": "11008",
            "caller": "0x7ffc75704448",
            "parentcaller": "0x7ffc1ec3f766",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x3edc000d8000"
              },
              {
                "name": "RegionSize",
                "value": "0x00003000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 639
          },
          {
            "timestamp": "2026-05-28 22:02:12,916",
            "thread_id": "11008",
            "caller": "0x7ffc75711762",
            "parentcaller": "0x7ffc1ebfd9a5",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x3ed8001a0000"
              },
              {
                "name": "RegionSize",
                "value": "0x0000c000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 640
          },
          {
            "timestamp": "2026-05-28 22:02:12,916",
            "thread_id": "11008",
            "caller": "0x7ffc75704448",
            "parentcaller": "0x7ffc1ec3f766",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x3edc000e4000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 641
          },
          {
            "timestamp": "2026-05-28 22:02:12,916",
            "thread_id": "11012",
            "caller": "0x7ffc3212bafb",
            "parentcaller": "0x7ffc3212b4af",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x56f000006000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 642
          },
          {
            "timestamp": "2026-05-28 22:02:12,916",
            "thread_id": "11012",
            "caller": "0x7ffc75704448",
            "parentcaller": "0x7ffc1ec3f766",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x3ed80020e000"
              },
              {
                "name": "RegionSize",
                "value": "0x00002000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 643
          },
          {
            "timestamp": "2026-05-28 22:02:12,916",
            "thread_id": "11012",
            "caller": "0x7ffc75704448",
            "parentcaller": "0x7ffc1ec3f766",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x3edc00069000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 644
          },
          {
            "timestamp": "2026-05-28 22:02:12,916",
            "thread_id": "11012",
            "caller": "0x7ffc7804507d",
            "parentcaller": "0x7ffc78044c43",
            "category": "threading",
            "api": "NtTestAlert",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 645
          },
          {
            "timestamp": "2026-05-28 22:02:12,916",
            "thread_id": "11012",
            "caller": "0x00000000",
            "parentcaller": "0x00000000",
            "category": "threading",
            "api": "RtlUserThreadStart",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "StartAddress",
                "value": "0x7ffc1fc09bd0"
              },
              {
                "name": "Parameter",
                "value": "0x3edc00050200"
              }
            ],
            "repeated": 0,
            "id": 646
          },
          {
            "timestamp": "2026-05-28 22:02:12,916",
            "thread_id": "11012",
            "caller": "0x7ffc75716f4c",
            "parentcaller": "0x7ffc1fc09c51",
            "category": "system",
            "api": "NtDuplicateObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SourceProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "SourceHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "TargetProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "TargetHandle",
                "value": "0x000002c8"
              },
              {
                "name": "Options",
                "value": "0x00000002"
              }
            ],
            "repeated": 0,
            "id": 647
          },
          {
            "timestamp": "2026-05-28 22:02:12,916",
            "thread_id": "11012",
            "caller": "0x7ffc75704448",
            "parentcaller": "0x7ffc1ec3f766",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x3edc00005000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 648
          },
          {
            "timestamp": "2026-05-28 22:02:12,916",
            "thread_id": "11012",
            "caller": "0x7ffc75704448",
            "parentcaller": "0x7ffc1ec3f766",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x3edc0008d000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 649
          },
          {
            "timestamp": "2026-05-28 22:02:12,916",
            "thread_id": "11012",
            "caller": "0x7ffc757d8ec6",
            "parentcaller": "0x7ffc1fbf0158",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "38"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x00\\x00\\x00\\x00\\xa3\\x02\\x00\\x00\\xc0\\x7f@e\\xa3\\x02\\x00\\x00@U@e\\xa3\\x02\\x00\\x00@U@e\\xa3\\x02\\x00\\x00@U@e\\xa3\\x02\\x00\\x00 O@e\\xa3\\x02\\x00\\x00@U@e\\xa3\\x02\\x00\\x00@U@e\\xa3\\x02\\x00\\x00@U@e\\xa3\\x02\\x00\\x00@U@e\\xa3\\x02\\x00\\x00@U@e\\xa3\\x02\\x00\\x00@U@e\\xa3\\x02\\x00\\x00@U@e\\xa3\\x02\\x00\\x00 O@e\\xa3\\x02\\x00\\x00`QAe\\xa3\\x02\\x00\\x00@U@e\\xa3\\x02\\x00\\x00@U@e\\xa3\\x02\\x00\\x00@U@e\\xa3\\x02\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "11012"
              }
            ],
            "repeated": 0,
            "id": 650
          },
          {
            "timestamp": "2026-05-28 22:02:12,916",
            "thread_id": "11012",
            "caller": "0x7ffc75704448",
            "parentcaller": "0x7ffc1ec3f766",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x3edc0009f000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 651
          },
          {
            "timestamp": "2026-05-28 22:02:12,916",
            "thread_id": "11012",
            "caller": "0x7ffc1fc0eecc",
            "parentcaller": "0x7ffc1fe31293",
            "category": "threading",
            "api": "SetThreadDescription",
            "status": true,
            "return": "0x10000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadDescription",
                "value": "HangWatcher"
              }
            ],
            "repeated": 0,
            "id": 652
          },
          {
            "timestamp": "2026-05-28 22:02:12,916",
            "thread_id": "11012",
            "caller": "0x7ffc1fc0eee8",
            "parentcaller": "0x7ffc1fe31293",
            "category": "system",
            "api": "IsDebuggerPresent",
            "status": false,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 653
          },
          {
            "timestamp": "2026-05-28 22:02:12,916",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x3edc0006d000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 654
          },
          {
            "timestamp": "2026-05-28 22:02:12,916",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x3edc00059000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 655
          },
          {
            "timestamp": "2026-05-28 22:02:12,916",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x3edc0007d000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 656
          },
          {
            "timestamp": "2026-05-28 22:02:12,916",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "38"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xc0\\x7f@e\\xa3\\x02\\x00\\x00@U@e\\xa3\\x02\\x00\\x00@U@e\\xa3\\x02\\x00\\x00@U@e\\xa3\\x02\\x00\\x00 O@e\\xa3\\x02\\x00\\x00@U@e\\xa3\\x02\\x00\\x00@U@e\\xa3\\x02\\x00\\x00@U@e\\xa3\\x02\\x00\\x00@U@e\\xa3\\x02\\x00\\x00@U@e\\xa3\\x02\\x00\\x00@U@e\\xa3\\x02\\x00\\x00@U@e\\xa3\\x02\\x00\\x00 O@e\\xa3\\x02\\x00\\x00`QAe\\xa3\\x02\\x00\\x00@U@e\\xa3\\x02\\x00\\x00@U@e\\xa3\\x02\\x00\\x00@U@e\\xa3\\x02\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "10724"
              }
            ],
            "repeated": 0,
            "id": 657
          },
          {
            "timestamp": "2026-05-28 22:02:12,916",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "threading",
            "api": "SetThreadDescription",
            "status": true,
            "return": "0x10000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadDescription",
                "value": "winrt_app_id.CrUtilityMain"
              }
            ],
            "repeated": 0,
            "id": 658
          },
          {
            "timestamp": "2026-05-28 22:02:12,916",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "IsDebuggerPresent",
            "status": false,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 659
          },
          {
            "timestamp": "2026-05-28 22:02:12,916",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "shell32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76730000"
              }
            ],
            "repeated": 0,
            "id": 660
          },
          {
            "timestamp": "2026-05-28 22:02:12,916",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x7ffc76730000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "shell32.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 661
          },
          {
            "timestamp": "2026-05-28 22:02:12,916",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "threading",
            "api": "NtCreateThreadEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0x000002e4"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "StartAddress",
                "value": "0x7ffc1fc09bd0"
              },
              {
                "name": "Parameter",
                "value": "0x3edc00050180"
              },
              {
                "name": "CreateFlags",
                "value": "0x00000001"
              },
              {
                "name": "ThreadId",
                "value": "11020"
              },
              {
                "name": "ProcessId",
                "value": "10720"
              },
              {
                "name": "Module",
                "value": "msedge.dll"
              }
            ],
            "repeated": 0,
            "id": 662
          },
          {
            "timestamp": "2026-05-28 22:02:12,916",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "threading",
            "api": "CreateRemoteThreadEx",
            "status": true,
            "return": "0x000002e4",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "StartRoutine",
                "value": "0x7ffc1fc09bd0"
              },
              {
                "name": "Parameter",
                "value": "0x3edc00050180"
              },
              {
                "name": "CreationFlags",
                "value": "0x00000000"
              },
              {
                "name": "ThreadId",
                "value": "11020"
              },
              {
                "name": "ProcessId",
                "value": "10720"
              }
            ],
            "repeated": 0,
            "id": 663
          },
          {
            "timestamp": "2026-05-28 22:02:12,916",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "threading",
            "api": "NtCreateThreadEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0x000002f0"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "StartAddress",
                "value": "0x7ffc1fc09bd0"
              },
              {
                "name": "Parameter",
                "value": "0x3edc00050160"
              },
              {
                "name": "CreateFlags",
                "value": "0x00000001"
              },
              {
                "name": "ThreadId",
                "value": "11024"
              },
              {
                "name": "ProcessId",
                "value": "10720"
              },
              {
                "name": "Module",
                "value": "msedge.dll"
              }
            ],
            "repeated": 0,
            "id": 664
          },
          {
            "timestamp": "2026-05-28 22:02:12,916",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "threading",
            "api": "CreateRemoteThreadEx",
            "status": true,
            "return": "0x000002f0",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "StartRoutine",
                "value": "0x7ffc1fc09bd0"
              },
              {
                "name": "Parameter",
                "value": "0x3edc00050160"
              },
              {
                "name": "CreationFlags",
                "value": "0x00000000"
              },
              {
                "name": "ThreadId",
                "value": "11024"
              },
              {
                "name": "ProcessId",
                "value": "10720"
              }
            ],
            "repeated": 0,
            "id": 665
          },
          {
            "timestamp": "2026-05-28 22:02:12,932",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "threading",
            "api": "NtCreateThreadEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0x000002fc"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "StartAddress",
                "value": "0x7ffc1fc09bd0"
              },
              {
                "name": "Parameter",
                "value": "0x3edc00050120"
              },
              {
                "name": "CreateFlags",
                "value": "0x00000001"
              },
              {
                "name": "ThreadId",
                "value": "11028"
              },
              {
                "name": "ProcessId",
                "value": "10720"
              },
              {
                "name": "Module",
                "value": "msedge.dll"
              }
            ],
            "repeated": 0,
            "id": 666
          },
          {
            "timestamp": "2026-05-28 22:02:12,932",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "threading",
            "api": "CreateRemoteThreadEx",
            "status": true,
            "return": "0x000002fc",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "StartRoutine",
                "value": "0x7ffc1fc09bd0"
              },
              {
                "name": "Parameter",
                "value": "0x3edc00050120"
              },
              {
                "name": "CreationFlags",
                "value": "0x00000000"
              },
              {
                "name": "ThreadId",
                "value": "11028"
              },
              {
                "name": "ProcessId",
                "value": "10720"
              }
            ],
            "repeated": 0,
            "id": 667
          },
          {
            "timestamp": "2026-05-28 22:02:12,932",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "threading",
            "api": "NtCreateThreadEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0x00000308"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "StartAddress",
                "value": "0x7ffc1fc09bd0"
              },
              {
                "name": "Parameter",
                "value": "0x3edc000500e0"
              },
              {
                "name": "CreateFlags",
                "value": "0x00000001"
              },
              {
                "name": "ThreadId",
                "value": "11032"
              },
              {
                "name": "ProcessId",
                "value": "10720"
              },
              {
                "name": "Module",
                "value": "msedge.dll"
              }
            ],
            "repeated": 0,
            "id": 668
          },
          {
            "timestamp": "2026-05-28 22:02:12,932",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "threading",
            "api": "CreateRemoteThreadEx",
            "status": true,
            "return": "0x00000308",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "StartRoutine",
                "value": "0x7ffc1fc09bd0"
              },
              {
                "name": "Parameter",
                "value": "0x3edc000500e0"
              },
              {
                "name": "CreationFlags",
                "value": "0x00000000"
              },
              {
                "name": "ThreadId",
                "value": "11032"
              },
              {
                "name": "ProcessId",
                "value": "10720"
              }
            ],
            "repeated": 0,
            "id": 669
          },
          {
            "timestamp": "2026-05-28 22:02:12,932",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x3edc000bf000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 670
          },
          {
            "timestamp": "2026-05-28 22:02:12,932",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x3edc000e8000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 671
          },
          {
            "timestamp": "2026-05-28 22:02:12,932",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x3edc000f4000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 672
          },
          {
            "timestamp": "2026-05-28 22:02:12,932",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x3edc00009000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 673
          },
          {
            "timestamp": "2026-05-28 22:02:12,932",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x3edc00015000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 674
          },
          {
            "timestamp": "2026-05-28 22:02:12,932",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x3edc000ad000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 675
          },
          {
            "timestamp": "2026-05-28 22:02:12,932",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x3edc00104000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 676
          },
          {
            "timestamp": "2026-05-28 22:02:12,932",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x3edc000e5000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 677
          },
          {
            "timestamp": "2026-05-28 22:02:12,932",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x3edc0010c000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 678
          },
          {
            "timestamp": "2026-05-28 22:02:12,932",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x3edc00105000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 679
          },
          {
            "timestamp": "2026-05-28 22:02:12,932",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x3edc00006000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 680
          },
          {
            "timestamp": "2026-05-28 22:02:12,932",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x3edc00007000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 681
          },
          {
            "timestamp": "2026-05-28 22:02:12,932",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x3edc0000a000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 682
          },
          {
            "timestamp": "2026-05-28 22:02:12,932",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x3edc00110000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 683
          },
          {
            "timestamp": "2026-05-28 22:02:12,932",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x3edc00111000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 684
          },
          {
            "timestamp": "2026-05-28 22:02:12,932",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x3edc0006a000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 685
          },
          {
            "timestamp": "2026-05-28 22:02:12,932",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x3edc00114000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 686
          },
          {
            "timestamp": "2026-05-28 22:02:12,932",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x3edc0000b000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 687
          },
          {
            "timestamp": "2026-05-28 22:02:12,932",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x3edc0010d000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 688
          },
          {
            "timestamp": "2026-05-28 22:02:12,932",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x3edc00118000"
              },
              {
                "name": "RegionSize",
                "value": "0x00002000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 689
          },
          {
            "timestamp": "2026-05-28 22:02:12,932",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x3edc0011c000"
              },
              {
                "name": "RegionSize",
                "value": "0x00004000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 690
          },
          {
            "timestamp": "2026-05-28 22:02:12,932",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x3edc0000c000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 691
          },
          {
            "timestamp": "2026-05-28 22:02:12,932",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x3edc00112000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 692
          },
          {
            "timestamp": "2026-05-28 22:02:12,932",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x3edc00120000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 693
          },
          {
            "timestamp": "2026-05-28 22:02:12,932",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x3edc00128000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 694
          },
          {
            "timestamp": "2026-05-28 22:02:12,932",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 695
          },
          {
            "timestamp": "2026-05-28 22:02:12,932",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002cc"
              },
              {
                "name": "Milliseconds",
                "value": "8000"
              }
            ],
            "repeated": 0,
            "id": 696
          },
          {
            "timestamp": "2026-05-28 22:02:12,932",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 697
          },
          {
            "timestamp": "2026-05-28 22:02:12,932",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002cc"
              },
              {
                "name": "Milliseconds",
                "value": "8000"
              }
            ],
            "repeated": 0,
            "id": 698
          },
          {
            "timestamp": "2026-05-28 22:02:12,932",
            "thread_id": "11012",
            "caller": "0x7ffc756d30ce",
            "parentcaller": "0x7ffc1fb4ee58",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 699
          },
          {
            "timestamp": "2026-05-28 22:02:12,932",
            "thread_id": "11012",
            "caller": "0x7ffc756d30ce",
            "parentcaller": "0x7ffc1fb4ee58",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000294"
              },
              {
                "name": "Milliseconds",
                "value": "10000"
              }
            ],
            "repeated": 0,
            "id": 700
          },
          {
            "timestamp": "2026-05-28 22:02:12,932",
            "thread_id": "11020",
            "caller": "0x7ffc77ff2caa",
            "parentcaller": "0x7ffc77ff2fbd",
            "category": "process",
            "api": "NtAllocateVirtualMemoryEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2a36543a000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 701
          },
          {
            "timestamp": "2026-05-28 22:02:12,932",
            "thread_id": "11020",
            "caller": "0x7ffc77ff2caa",
            "parentcaller": "0x7ffc77ff2fbd",
            "category": "process",
            "api": "NtAllocateVirtualMemoryEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2a36543b000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 702
          },
          {
            "timestamp": "2026-05-28 22:02:12,932",
            "thread_id": "11020",
            "caller": "0x7ffc75704448",
            "parentcaller": "0x7ffc1ec3f766",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x3ed800210000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 703
          },
          {
            "timestamp": "2026-05-28 22:02:12,932",
            "thread_id": "11020",
            "caller": "0x7ffc7804507d",
            "parentcaller": "0x7ffc78044c43",
            "category": "threading",
            "api": "NtTestAlert",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 704
          },
          {
            "timestamp": "2026-05-28 22:02:12,932",
            "thread_id": "11020",
            "caller": "0x00000000",
            "parentcaller": "0x00000000",
            "category": "threading",
            "api": "RtlUserThreadStart",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "StartAddress",
                "value": "0x7ffc1fc09bd0"
              },
              {
                "name": "Parameter",
                "value": "0x3edc00050180"
              }
            ],
            "repeated": 0,
            "id": 705
          },
          {
            "timestamp": "2026-05-28 22:02:12,932",
            "thread_id": "11020",
            "caller": "0x7ffc75716f4c",
            "parentcaller": "0x7ffc1fc09c51",
            "category": "system",
            "api": "NtDuplicateObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SourceProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "SourceHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "TargetProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "TargetHandle",
                "value": "0x00000318"
              },
              {
                "name": "Options",
                "value": "0x00000002"
              }
            ],
            "repeated": 0,
            "id": 706
          },
          {
            "timestamp": "2026-05-28 22:02:12,932",
            "thread_id": "11020",
            "caller": "0x7ffc75704448",
            "parentcaller": "0x7ffc1ec3f766",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x3ed80021c000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 707
          },
          {
            "timestamp": "2026-05-28 22:02:12,932",
            "thread_id": "11020",
            "caller": "0x7ffc75711762",
            "parentcaller": "0x7ffc1ebfd9a5",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x3ed800214000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 708
          },
          {
            "timestamp": "2026-05-28 22:02:12,932",
            "thread_id": "11020",
            "caller": "0x7ffc75704448",
            "parentcaller": "0x7ffc1ec3f766",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x3edc00051000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 709
          },
          {
            "timestamp": "2026-05-28 22:02:12,932",
            "thread_id": "11020",
            "caller": "0x7ffc75704448",
            "parentcaller": "0x7ffc1ec3f766",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x3edc00026000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 710
          },
          {
            "timestamp": "2026-05-28 22:02:12,932",
            "thread_id": "11020",
            "caller": "0x7ffc75704448",
            "parentcaller": "0x7ffc1ec3f766",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x3edc0008e000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 711
          },
          {
            "timestamp": "2026-05-28 22:02:12,932",
            "thread_id": "11020",
            "caller": "0x7ffc77ff2caa",
            "parentcaller": "0x7ffc77fd30fd",
            "category": "process",
            "api": "NtAllocateVirtualMemoryEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2a3652a1000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 712
          },
          {
            "timestamp": "2026-05-28 22:02:12,932",
            "thread_id": "11020",
            "caller": "0x7ffc77ff2caa",
            "parentcaller": "0x7ffc77ff2fbd",
            "category": "process",
            "api": "NtAllocateVirtualMemoryEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2a365447000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 713
          },
          {
            "timestamp": "2026-05-28 22:02:12,932",
            "thread_id": "11020",
            "caller": "0x7ffc757d8ec6",
            "parentcaller": "0x7ffc1fbf0158",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "38"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x90vDe\\xa3\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "11020"
              }
            ],
            "repeated": 0,
            "id": 714
          },
          {
            "timestamp": "2026-05-28 22:02:12,932",
            "thread_id": "11020",
            "caller": "0x7ffc75704448",
            "parentcaller": "0x7ffc1ec3f766",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x3edc000a0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 715
          },
          {
            "timestamp": "2026-05-28 22:02:12,932",
            "thread_id": "11020",
            "caller": "0x7ffc1fc0eecc",
            "parentcaller": "0x7ffc1fc4a10d",
            "category": "threading",
            "api": "SetThreadDescription",
            "status": true,
            "return": "0x10000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadDescription",
                "value": "ThreadPoolServiceThread"
              }
            ],
            "repeated": 0,
            "id": 716
          },
          {
            "timestamp": "2026-05-28 22:02:12,932",
            "thread_id": "11020",
            "caller": "0x7ffc1fc0eee8",
            "parentcaller": "0x7ffc1fc4a10d",
            "category": "system",
            "api": "IsDebuggerPresent",
            "status": false,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 717
          },
          {
            "timestamp": "2026-05-28 22:02:12,932",
            "thread_id": "11020",
            "caller": "0x7ffc756d30ce",
            "parentcaller": "0x7ffc1fb4eec1",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000031c"
              },
              {
                "name": "Milliseconds",
                "value": "18446744073709551615"
              },
              {
                "name": "Status",
                "value": "Infinite"
              }
            ],
            "repeated": 0,
            "id": 718
          },
          {
            "timestamp": "2026-05-28 22:02:12,932",
            "thread_id": "11024",
            "caller": "0x7ffc77ff2caa",
            "parentcaller": "0x7ffc77ff2fbd",
            "category": "process",
            "api": "NtAllocateVirtualMemoryEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2a365448000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 719
          },
          {
            "timestamp": "2026-05-28 22:02:12,932",
            "thread_id": "11024",
            "caller": "0x7ffc77ff2caa",
            "parentcaller": "0x7ffc77ff2fbd",
            "category": "process",
            "api": "NtAllocateVirtualMemoryEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2a36543c000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 720
          },
          {
            "timestamp": "2026-05-28 22:02:12,932",
            "thread_id": "11024",
            "caller": "0x7ffc75704448",
            "parentcaller": "0x7ffc1ec3f766",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x3ed800211000"
              },
              {
                "name": "RegionSize",
                "value": "0x00002000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 721
          },
          {
            "timestamp": "2026-05-28 22:02:12,932",
            "thread_id": "11024",
            "caller": "0x7ffc75704448",
            "parentcaller": "0x7ffc1ec3f766",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x3edc0005a000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 722
          },
          {
            "timestamp": "2026-05-28 22:02:12,932",
            "thread_id": "11024",
            "caller": "0x7ffc7804507d",
            "parentcaller": "0x7ffc78044c43",
            "category": "threading",
            "api": "NtTestAlert",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 723
          },
          {
            "timestamp": "2026-05-28 22:02:12,932",
            "thread_id": "11024",
            "caller": "0x00000000",
            "parentcaller": "0x00000000",
            "category": "threading",
            "api": "RtlUserThreadStart",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "StartAddress",
                "value": "0x7ffc1fc09bd0"
              },
              {
                "name": "Parameter",
                "value": "0x3edc00050160"
              }
            ],
            "repeated": 0,
            "id": 724
          },
          {
            "timestamp": "2026-05-28 22:02:12,932",
            "thread_id": "11024",
            "caller": "0x7ffc75716f4c",
            "parentcaller": "0x7ffc1fc09c51",
            "category": "system",
            "api": "NtDuplicateObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SourceProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "SourceHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "TargetProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "TargetHandle",
                "value": "0x00000320"
              },
              {
                "name": "Options",
                "value": "0x00000002"
              }
            ],
            "repeated": 0,
            "id": 725
          },
          {
            "timestamp": "2026-05-28 22:02:12,932",
            "thread_id": "11024",
            "caller": "0x7ffc75704448",
            "parentcaller": "0x7ffc1ec3f766",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x3edc0006e000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 726
          },
          {
            "timestamp": "2026-05-28 22:02:12,932",
            "thread_id": "11024",
            "caller": "0x7ffc757d8ec6",
            "parentcaller": "0x7ffc1fbf0158",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "38"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00PzDe\\xa3\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "11024"
              }
            ],
            "repeated": 0,
            "id": 727
          },
          {
            "timestamp": "2026-05-28 22:02:12,932",
            "thread_id": "11024",
            "caller": "0x7ffc75704448",
            "parentcaller": "0x7ffc1ec3f766",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x3edc000a1000"
              },
              {
                "name": "RegionSize",
                "value": "0x00002000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 728
          },
          {
            "timestamp": "2026-05-28 22:02:12,932",
            "thread_id": "11024",
            "caller": "0x7ffc1fc0eecc",
            "parentcaller": "0x7ffc1fc0ed3f",
            "category": "threading",
            "api": "SetThreadDescription",
            "status": true,
            "return": "0x10000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadDescription",
                "value": "ThreadPoolForegroundWorker"
              }
            ],
            "repeated": 0,
            "id": 729
          },
          {
            "timestamp": "2026-05-28 22:02:12,932",
            "thread_id": "11024",
            "caller": "0x7ffc1fc0eee8",
            "parentcaller": "0x7ffc1fc0ed3f",
            "category": "system",
            "api": "IsDebuggerPresent",
            "status": false,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 730
          },
          {
            "timestamp": "2026-05-28 22:02:12,932",
            "thread_id": "11024",
            "caller": "0x7ffc756d30ce",
            "parentcaller": "0x7ffc1fb94b81",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 731
          },
          {
            "timestamp": "2026-05-28 22:02:12,932",
            "thread_id": "11024",
            "caller": "0x7ffc756d30ce",
            "parentcaller": "0x7ffc1fb94b81",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002ec"
              },
              {
                "name": "Milliseconds",
                "value": "60532"
              }
            ],
            "repeated": 0,
            "id": 732
          },
          {
            "timestamp": "2026-05-28 22:02:12,932",
            "thread_id": "11028",
            "caller": "0x7ffc77ff2caa",
            "parentcaller": "0x7ffc77ff2fbd",
            "category": "process",
            "api": "NtAllocateVirtualMemoryEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2a36543d000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 733
          },
          {
            "timestamp": "2026-05-28 22:02:12,932",
            "thread_id": "11028",
            "caller": "0x7ffc75704448",
            "parentcaller": "0x7ffc1ec3f766",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x3ed800213000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 734
          },
          {
            "timestamp": "2026-05-28 22:02:12,932",
            "thread_id": "11028",
            "caller": "0x7ffc7804507d",
            "parentcaller": "0x7ffc78044c43",
            "category": "threading",
            "api": "NtTestAlert",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 735
          },
          {
            "timestamp": "2026-05-28 22:02:12,932",
            "thread_id": "11028",
            "caller": "0x00000000",
            "parentcaller": "0x00000000",
            "category": "threading",
            "api": "RtlUserThreadStart",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "StartAddress",
                "value": "0x7ffc1fc09bd0"
              },
              {
                "name": "Parameter",
                "value": "0x3edc00050120"
              }
            ],
            "repeated": 0,
            "id": 736
          },
          {
            "timestamp": "2026-05-28 22:02:12,932",
            "thread_id": "11028",
            "caller": "0x7ffc7571c6f3",
            "parentcaller": "0x7ffc7571c5aa",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "0",
                "pretty_value": "ThreadBasicInformation"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x03\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xa0\\xf7\\xb8\\x00\\x00\\x00\\xe0)\\x00\\x00\\x00\\x00\\x00\\x00\\x14+\\x00\\x00\\x00\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "11028"
              }
            ],
            "repeated": 0,
            "id": 737
          },
          {
            "timestamp": "2026-05-28 22:02:12,932",
            "thread_id": "11028",
            "caller": "0x7ffc7571c728",
            "parentcaller": "0x7ffc7571c5aa",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "24"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x05\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "11028"
              }
            ],
            "repeated": 0,
            "id": 738
          },
          {
            "timestamp": "2026-05-28 22:02:12,932",
            "thread_id": "11028",
            "caller": "0x7ffc7571c752",
            "parentcaller": "0x7ffc7571c5aa",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "22"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x02\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "11028"
              }
            ],
            "repeated": 0,
            "id": 739
          },
          {
            "timestamp": "2026-05-28 22:02:12,932",
            "thread_id": "11032",
            "caller": "0x7ffc77ff2caa",
            "parentcaller": "0x7ffc77ff2fbd",
            "category": "process",
            "api": "NtAllocateVirtualMemoryEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2a36543e000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 740
          },
          {
            "timestamp": "2026-05-28 22:02:12,932",
            "thread_id": "11032",
            "caller": "0x7ffc3212bafb",
            "parentcaller": "0x7ffc3212b4af",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x56f000007000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 741
          },
          {
            "timestamp": "2026-05-28 22:02:12,932",
            "thread_id": "11032",
            "caller": "0x7ffc75704448",
            "parentcaller": "0x7ffc1ec3f766",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x3ed800220000"
              },
              {
                "name": "RegionSize",
                "value": "0x00002000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 742
          },
          {
            "timestamp": "2026-05-28 22:02:12,932",
            "thread_id": "11032",
            "caller": "0x7ffc7804507d",
            "parentcaller": "0x7ffc78044c43",
            "category": "threading",
            "api": "NtTestAlert",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 743
          },
          {
            "timestamp": "2026-05-28 22:02:12,932",
            "thread_id": "11032",
            "caller": "0x00000000",
            "parentcaller": "0x00000000",
            "category": "threading",
            "api": "RtlUserThreadStart",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "StartAddress",
                "value": "0x7ffc1fc09bd0"
              },
              {
                "name": "Parameter",
                "value": "0x3edc000500e0"
              }
            ],
            "repeated": 0,
            "id": 744
          },
          {
            "timestamp": "2026-05-28 22:02:12,932",
            "thread_id": "11032",
            "caller": "0x7ffc75716f4c",
            "parentcaller": "0x7ffc1fc09c51",
            "category": "system",
            "api": "NtDuplicateObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SourceProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "SourceHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "TargetProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "TargetHandle",
                "value": "0x00000324"
              },
              {
                "name": "Options",
                "value": "0x00000002"
              }
            ],
            "repeated": 0,
            "id": 745
          },
          {
            "timestamp": "2026-05-28 22:02:12,932",
            "thread_id": "11032",
            "caller": "0x7ffc75704448",
            "parentcaller": "0x7ffc1ec3f766",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x3edc0007e000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 746
          },
          {
            "timestamp": "2026-05-28 22:02:12,932",
            "thread_id": "11032",
            "caller": "0x7ffc75704448",
            "parentcaller": "0x7ffc1ec3f766",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x3edc00027000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 747
          },
          {
            "timestamp": "2026-05-28 22:02:12,932",
            "thread_id": "11032",
            "caller": "0x7ffc75704448",
            "parentcaller": "0x7ffc1ec3f766",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x3edc0008f000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 748
          },
          {
            "timestamp": "2026-05-28 22:02:12,932",
            "thread_id": "11032",
            "caller": "0x7ffc757d8ec6",
            "parentcaller": "0x7ffc1fbf0158",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "38"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb0yDe\\xa3\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "11032"
              }
            ],
            "repeated": 0,
            "id": 749
          },
          {
            "timestamp": "2026-05-28 22:02:12,932",
            "thread_id": "11032",
            "caller": "0x7ffc1fc0eecc",
            "parentcaller": "0x7ffc1fc4a10d",
            "category": "threading",
            "api": "SetThreadDescription",
            "status": true,
            "return": "0x10000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadDescription",
                "value": "Chrome_ChildIOThread"
              }
            ],
            "repeated": 0,
            "id": 750
          },
          {
            "timestamp": "2026-05-28 22:02:12,932",
            "thread_id": "11032",
            "caller": "0x7ffc1fc0eee8",
            "parentcaller": "0x7ffc1fc4a10d",
            "category": "system",
            "api": "IsDebuggerPresent",
            "status": false,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 751
          },
          {
            "timestamp": "2026-05-28 22:02:12,932",
            "thread_id": "11032",
            "caller": "0x7ffc75704448",
            "parentcaller": "0x7ffc1ec3f766",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x3edc000ae000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 752
          },
          {
            "timestamp": "2026-05-28 22:02:12,932",
            "thread_id": "11032",
            "caller": "0x7ffc75730e99",
            "parentcaller": "0x7ffc20419c7a",
            "category": "filesystem",
            "api": "NtSetInformationFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00001774"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\NamedPipe\\LOCAL\\mojo.9188.10632.18297276111718467407"
              },
              {
                "name": "FileInformationClass",
                "value": "30",
                "pretty_value": "FileCompletionInformation"
              },
              {
                "name": "FileInformation",
                "value": "(\\x03\\x00\\x00\\x00\\x00\\x00\\x00h@\\x0f\\x00\\xdc>\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 753
          },
          {
            "timestamp": "2026-05-28 22:02:12,932",
            "thread_id": "11032",
            "caller": "0x7ffc756e53aa",
            "parentcaller": "0x7ffc20419b5f",
            "category": "filesystem",
            "api": "NtWriteFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00001774"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\NamedPipe\\LOCAL\\mojo.9188.10632.18297276111718467407"
              },
              {
                "name": "Buffer",
                "value": "\\x10\\x00\\x00\\x00P\\x00\\x00\\x00\\x8a\\x96\\xf9\\x04\\x00\\x00\\x00\\x00\\x18\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x18\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x08\\x00\\x00\\x000\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "Length",
                "value": "80"
              }
            ],
            "repeated": 0,
            "id": 754
          },
          {
            "timestamp": "2026-05-28 22:02:12,932",
            "thread_id": "11032",
            "caller": "0x7ffc756e5810",
            "parentcaller": "0x7ffc20419d2e",
            "category": "filesystem",
            "api": "NtReadFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00001774"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\NamedPipe\\LOCAL\\mojo.9188.10632.18297276111718467407"
              },
              {
                "name": "Buffer",
                "value": "\\x10\\x00\\x00\\x00\\xc8\\x00\\x00\\x00\\xad\\xde\\xec\\x04\\x00\\x00\\x00\\x00\\x18\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00h\\x00\\x00\\x00\\x00\\x00\\x00\\x00@\\x00\\x00\\x00\\x00\\x00\\x00\\x00`u\\xbfFz&\\x8c \\xd9\\xac\\x9aK\\x1c\\xef\\xb5\\xd3\\x98\\xd96\\xd6\\x04\\xc5\\xe0!g($\\xb6\\xb5j\\xfe\\x18\\x00\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00X\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x01\\x00\\x00\\x00x\\x00\\x00\\x00\\x00\\x00\\x00\\x00@\\x00\\x00\\x008\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00 \\x00\\x00\\x00\\x00\\x00\\x02\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xe0\\xd1\\x84\\xd9\\x16\\x00T\\x89#\\x1b<\\xe2\\xa3\\x94<%\\x10\\x00\\x00\\x00\\x88\\x01\\x00\\x00\\xe5\\xa3\\xf9\\x04\\x00\\x00\\x00\\x00\\x18\\x00\\x14\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00H\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "Length",
                "value": "4096"
              }
            ],
            "repeated": 0,
            "id": 755
          },
          {
            "timestamp": "2026-05-28 22:02:12,932",
            "thread_id": "11032",
            "caller": "0x7ffc75704448",
            "parentcaller": "0x7ffc1ec3f766",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x3edc000f5000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 756
          },
          {
            "timestamp": "2026-05-28 22:02:12,932",
            "thread_id": "11032",
            "caller": "0x7ffc75716f4c",
            "parentcaller": "0x7ffc1ed84292",
            "category": "system",
            "api": "NtDuplicateObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SourceProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "SourceHandle",
                "value": "0x00000004"
              },
              {
                "name": "TargetProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "TargetHandle",
                "value": "0x0000032c"
              },
              {
                "name": "Options",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 757
          },
          {
            "timestamp": "2026-05-28 22:02:12,932",
            "thread_id": "11032",
            "caller": "0x7ffc756e6785",
            "parentcaller": "0x7ffc1ed842a3",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000032c"
              }
            ],
            "repeated": 0,
            "id": 758
          },
          {
            "timestamp": "2026-05-28 22:02:12,932",
            "thread_id": "11032",
            "caller": "0x7ffc7571c386",
            "parentcaller": "0x7ffc7571c25e",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000004"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2a366dd0000"
              },
              {
                "name": "SectionOffset",
                "value": "0xb8f89fe920"
              },
              {
                "name": "ViewSize",
                "value": "0x00020000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 759
          },
          {
            "timestamp": "2026-05-28 22:02:12,932",
            "thread_id": "11032",
            "caller": "0x7ff66cac4c88",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000004"
              }
            ],
            "repeated": 0,
            "id": 760
          },
          {
            "timestamp": "2026-05-28 22:02:12,932",
            "thread_id": "11032",
            "caller": "0x7ffc756e53aa",
            "parentcaller": "0x7ffc1f5e0093",
            "category": "filesystem",
            "api": "NtWriteFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00001774"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\NamedPipe\\LOCAL\\mojo.9188.10632.18297276111718467407"
              },
              {
                "name": "Buffer",
                "value": "\\x10\\x00\\x00\\x00@\\x00\\x00\\x00T\\xaa\\xf9\\x04\\x00\\x00\\x00\\x00\\x18\\x00\\x16\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x18\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "Length",
                "value": "64"
              }
            ],
            "repeated": 0,
            "id": 761
          },
          {
            "timestamp": "2026-05-28 22:02:12,932",
            "thread_id": "11032",
            "caller": "0x7ffc75704448",
            "parentcaller": "0x7ffc1ec3f766",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x3edc00055000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 762
          },
          {
            "timestamp": "2026-05-28 22:02:12,932",
            "thread_id": "11032",
            "caller": "0x7ffc75704448",
            "parentcaller": "0x7ffc1ec3f766",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x3edc00016000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 763
          },
          {
            "timestamp": "2026-05-28 22:02:12,932",
            "thread_id": "11032",
            "caller": "0x7ffc75704448",
            "parentcaller": "0x7ffc1ec3f766",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x3edc00134000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 764
          },
          {
            "timestamp": "2026-05-28 22:02:12,932",
            "thread_id": "11032",
            "caller": "0x7ffc75704448",
            "parentcaller": "0x7ffc1ec3f766",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x3edc00140000"
              },
              {
                "name": "RegionSize",
                "value": "0x00003000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 765
          },
          {
            "timestamp": "2026-05-28 22:02:12,932",
            "thread_id": "11032",
            "caller": "0x7ffc756e5810",
            "parentcaller": "0x7ffc1fa0f3bb",
            "category": "filesystem",
            "api": "NtReadFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00001774"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\NamedPipe\\LOCAL\\mojo.9188.10632.18297276111718467407"
              },
              {
                "name": "Buffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "Length",
                "value": "48"
              }
            ],
            "repeated": 0,
            "id": 766
          },
          {
            "timestamp": "2026-05-28 22:02:12,932",
            "thread_id": "11032",
            "caller": "0x7ffc756e53aa",
            "parentcaller": "0x7ffc1fa0f4b5",
            "category": "filesystem",
            "api": "NtWriteFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00001774"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\NamedPipe\\LOCAL\\mojo.9188.10632.18297276111718467407"
              },
              {
                "name": "Buffer",
                "value": "\\x10\\x00\\x00\\x00X\\x00\\x00\\x00\\\\xab\\xf9\\x04\\x00\\x00\\x00\\x00\\x18\\x00\"\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x000\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x17\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x80\\x05\\x00\\x00@\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "Length",
                "value": "88"
              }
            ],
            "repeated": 0,
            "id": 767
          },
          {
            "timestamp": "2026-05-28 22:02:12,932",
            "thread_id": "11032",
            "caller": "0x7ffc756e5810",
            "parentcaller": "0x7ffc1fa0f3bb",
            "category": "filesystem",
            "api": "NtReadFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00001774"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\NamedPipe\\LOCAL\\mojo.9188.10632.18297276111718467407"
              },
              {
                "name": "Buffer",
                "value": "\\x10\\x00\\x00\\x008\\x01\\x00\\x00\\xff\\xa3\\xf9\\x04\\x00\\x00\\x00\\x00\\x18\\x00\\x14\\x00\\x00\\x00\\x00\\x00\t\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00H\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00`\\x00\\x00\\x00\\xb0\\x00\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00P\\x00\\x00\\x00H\\x00\\x00\\x008\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xd7U\\x8dN\\x00\\x00\\x00\\x00\\x17\\x16\\xcbF\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x18\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00h\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x15\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00@\\x05\\x00\\x00@\\x00\\x00\\x00\\x16\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "Length",
                "value": "376"
              }
            ],
            "repeated": 0,
            "id": 768
          },
          {
            "timestamp": "2026-05-28 22:02:12,932",
            "thread_id": "11032",
            "caller": "0x7ffc75704448",
            "parentcaller": "0x7ffc1ec3f766",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x3edc000e6000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 769
          },
          {
            "timestamp": "2026-05-28 22:02:12,932",
            "thread_id": "11032",
            "caller": "0x7ffc75704448",
            "parentcaller": "0x7ffc1ec3f766",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x3edc0010e000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 770
          },
          {
            "timestamp": "2026-05-28 22:02:12,932",
            "thread_id": "11032",
            "caller": "0x7ffc756e53aa",
            "parentcaller": "0x7ffc1fa0f4b5",
            "category": "filesystem",
            "api": "NtWriteFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00001774"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\NamedPipe\\LOCAL\\mojo.9188.10632.18297276111718467407"
              },
              {
                "name": "Buffer",
                "value": "\\x10\\x00\\x00\\x00X\\x00\\x00\\x00s\\xab\\xf9\\x04\\x00\\x00\\x00\\x00\\x18\\x00\"\\x00\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x000\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x18\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xc0\\x05\\x00\\x00@\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "Length",
                "value": "88"
              }
            ],
            "repeated": 0,
            "id": 771
          },
          {
            "timestamp": "2026-05-28 22:02:12,932",
            "thread_id": "11032",
            "caller": "0x7ffc756e5810",
            "parentcaller": "0x7ffc1fa0f3bb",
            "category": "filesystem",
            "api": "NtReadFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00001774"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\NamedPipe\\LOCAL\\mojo.9188.10632.18297276111718467407"
              },
              {
                "name": "Buffer",
                "value": "\\x10\\x00\\x00\\x00@\\x00\\x00\\x00\\xfa\\xad\\xf9\\x04\\x00\\x00\\x00\\x00\\x18\\x00#\\x00\\x00\\x00\\x00\\x00\\x0b\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x18\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "Length",
                "value": "64"
              }
            ],
            "repeated": 0,
            "id": 772
          },
          {
            "timestamp": "2026-05-28 22:02:12,932",
            "thread_id": "11032",
            "caller": "0x7ffc756e53aa",
            "parentcaller": "0x7ffc1fa0f4b5",
            "category": "filesystem",
            "api": "NtWriteFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00001774"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\NamedPipe\\LOCAL\\mojo.9188.10632.18297276111718467407"
              },
              {
                "name": "Buffer",
                "value": "\\x10\\x00\\x00\\x00\\xe8\\x00\\x00\\x00Q\\xac\\xf9\\x04\\x00\\x00\\x00\\x00\\x18\\x00\\x14\\x00\\x00\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00H\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x18\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00x\\x01\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00`\\x00\\x00\\x00p\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00h\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x19\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "Length",
                "value": "232"
              }
            ],
            "repeated": 0,
            "id": 773
          },
          {
            "timestamp": "2026-05-28 22:02:12,932",
            "thread_id": "11032",
            "caller": "0x7ffc75704448",
            "parentcaller": "0x7ffc1ec3f766",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x3edc00106000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 774
          },
          {
            "timestamp": "2026-05-28 22:02:12,932",
            "thread_id": "11032",
            "caller": "0x7ffc756e5810",
            "parentcaller": "0x7ffc1fa0f3bb",
            "category": "filesystem",
            "api": "NtReadFile",
            "status": true,
            "return": "0x00000103",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00001774"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\NamedPipe\\LOCAL\\mojo.9188.10632.18297276111718467407"
              },
              {
                "name": "Buffer",
                "value": "\\x10\\x00\\x00\\x00@\\x00\\x00\\x00\\xfa\\xad\\xf9\\x04\\x00\\x00\\x00\\x00\\x18\\x00#\\x00\\x00\\x00\\x00\\x00\\x0b\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x18\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "Length",
                "value": "64"
              }
            ],
            "repeated": 0,
            "id": 775
          },
          {
            "timestamp": "2026-05-28 22:02:12,932",
            "thread_id": "11032",
            "caller": "0x7ffc756e53aa",
            "parentcaller": "0x7ffc1fa0f4b5",
            "category": "filesystem",
            "api": "NtWriteFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00001774"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\NamedPipe\\LOCAL\\mojo.9188.10632.18297276111718467407"
              },
              {
                "name": "Buffer",
                "value": "\\x10\\x00\\x00\\x00\\xa0\\x01\\x00\\x00S\\xac\\xf9\\x04\\x00\\x00\\x00\\x00\\x18\\x00\\x14\\x00\\x00\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00H\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x19\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00`\\x00\\x00\\x00\\xb8\\x00\\x00\\x00\\xc8\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00X\\x00\\x00\\x00P\\x00\\x00\\x008\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00b\\x87\\x1bV\\x00\\x00\\x00\\x00\\x89\\x0c\\xe5h\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x18\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x18\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xc8\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x1a\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "Length",
                "value": "416"
              }
            ],
            "repeated": 0,
            "id": 776
          },
          {
            "timestamp": "2026-05-28 22:02:12,932",
            "thread_id": "11032",
            "caller": "0x7ffc756e53aa",
            "parentcaller": "0x7ffc1fa0f4b5",
            "category": "filesystem",
            "api": "NtWriteFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00001774"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\NamedPipe\\LOCAL\\mojo.9188.10632.18297276111718467407"
              },
              {
                "name": "Buffer",
                "value": "\\x10\\x00\\x00\\x00\\xe8\\x00\\x00\\x00\\x11\\xad\\xf9\\x04\\x00\\x00\\x00\\x00\\x18\\x00\\x14\\x00\\x00\\x00\\x00\\x00\\x05\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00H\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x18\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00y\\x01\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00`\\x00\\x00\\x00p\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00h\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x1d\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00@\\x06\\x00\\x00@\\x00\\x00\\x00\\x1e\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "Length",
                "value": "232"
              }
            ],
            "repeated": 0,
            "id": 777
          },
          {
            "timestamp": "2026-05-28 22:02:12,932",
            "thread_id": "11032",
            "caller": "0x7ffc756e5810",
            "parentcaller": "0x7ffc1fa0f3bb",
            "category": "filesystem",
            "api": "NtReadFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00001774"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\NamedPipe\\LOCAL\\mojo.9188.10632.18297276111718467407"
              },
              {
                "name": "Buffer",
                "value": "\\x10\\x00\\x00\\x00X\\x00\\x00\\x00\\xb4\\xb1\\xf9\\x04\\x00\\x00\\x00\\x00\\x18\\x00\"\\x00\\x00\\x00\\x00\\x00\r\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x000\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x18\\x00\\x00\\x00\\x00\\x00\\x00\\x00)\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xc0\\x07\\x00\\x00@\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "Length",
                "value": "88"
              }
            ],
            "repeated": 0,
            "id": 778
          },
          {
            "timestamp": "2026-05-28 22:02:12,932",
            "thread_id": "11032",
            "caller": "0x7ffc756e53aa",
            "parentcaller": "0x7ffc1fa0f4b5",
            "category": "filesystem",
            "api": "NtWriteFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00001774"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\NamedPipe\\LOCAL\\mojo.9188.10632.18297276111718467407"
              },
              {
                "name": "Buffer",
                "value": "\\x10\\x00\\x00\\x00\\xe8\\x00\\x00\\x00\\xcf\\xad\\xf9\\x04\\x00\\x00\\x00\\x00\\x18\\x00\\x14\\x00\\x00\\x00\\x00\\x00\\x06\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00H\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x1d\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00z\\x01\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00`\\x00\\x00\\x00p\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00h\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x1f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x80\\x06\\x00\\x00@\\x00\\x00\\x00 \\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "Length",
                "value": "232"
              }
            ],
            "repeated": 0,
            "id": 779
          },
          {
            "timestamp": "2026-05-28 22:02:12,932",
            "thread_id": "11032",
            "caller": "0x7ffc756e5810",
            "parentcaller": "0x7ffc1fa0f3bb",
            "category": "filesystem",
            "api": "NtReadFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00001774"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\NamedPipe\\LOCAL\\mojo.9188.10632.18297276111718467407"
              },
              {
                "name": "Buffer",
                "value": "\\x10\\x00\\x00\\x00p\\x00\\x00\\x00F\\xb3\\xf9\\x04\\x00\\x00\\x00\\x00\\x18\\x00\\x14\\x00\\x00\\x00\\x00\\x00\\x0e\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00H\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x1f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00y\\x01\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "Length",
                "value": "112"
              }
            ],
            "repeated": 0,
            "id": 780
          },
          {
            "timestamp": "2026-05-28 22:02:12,932",
            "thread_id": "11032",
            "caller": "0x7ffc75704448",
            "parentcaller": "0x7ffc1ec3f766",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x3edc000a3000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 781
          },
          {
            "timestamp": "2026-05-28 22:02:12,932",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x3edc0010f000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 782
          },
          {
            "timestamp": "2026-05-28 22:02:12,932",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x3edc0006f000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 783
          },
          {
            "timestamp": "2026-05-28 22:02:12,932",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x3edc00070000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 784
          },
          {
            "timestamp": "2026-05-28 22:02:12,932",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "api-ms-win-core-winrt-l1-1-0.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc77b70000"
              }
            ],
            "repeated": 0,
            "id": 785
          },
          {
            "timestamp": "2026-05-28 22:02:12,932",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x7ffc77b70000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "api-ms-win-core-winrt-l1-1-0.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00000800"
              }
            ],
            "repeated": 0,
            "id": 786
          },
          {
            "timestamp": "2026-05-28 22:02:12,932",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "combase.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc77b70000"
              },
              {
                "name": "FunctionName",
                "value": "RoInitialize"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc77c1dd80"
              }
            ],
            "repeated": 0,
            "id": 787
          },
          {
            "timestamp": "2026-05-28 22:02:12,932",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": false,
            "return": "0xffffffffc0000135",
            "pretty_return": "DLL_NOT_FOUND",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\system32\\rpcss.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 788
          },
          {
            "timestamp": "2026-05-28 22:02:12,932",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtAllocateVirtualMemoryEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2a36543f000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 789
          },
          {
            "timestamp": "2026-05-28 22:02:12,932",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "misc",
            "api": "NtQuerySystemInformation",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SystemInformationClass",
                "value": "0",
                "pretty_value": "FILE_SUPERSEDE"
              }
            ],
            "repeated": 0,
            "id": 790
          },
          {
            "timestamp": "2026-05-28 22:02:12,932",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "93"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x7f7\\x9e}"
              }
            ],
            "repeated": 0,
            "id": 791
          },
          {
            "timestamp": "2026-05-28 22:02:12,932",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtOpenSection",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0000000d"
              },
              {
                "name": "ObjectAttributes",
                "value": "kernel.appcore.dll"
              }
            ],
            "repeated": 0,
            "id": 792
          },
          {
            "timestamp": "2026-05-28 22:02:12,932",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\kernel.appcore.dll"
              }
            ],
            "repeated": 0,
            "id": 793
          },
          {
            "timestamp": "2026-05-28 22:02:12,932",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x0000032c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100021",
                "pretty_value": "FILE_READ_ACCESS|FILE_EXECUTE|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\kernel.appcore.dll"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 794
          },
          {
            "timestamp": "2026-05-28 22:02:12,932",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000330"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0000000d",
                "pretty_value": "SECTION_QUERY|SECTION_MAP_READ|SECTION_MAP_EXECUTE"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x0000032c"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\kernel.appcore.dll"
              }
            ],
            "repeated": 0,
            "id": 795
          },
          {
            "timestamp": "2026-05-28 22:02:12,932",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000330"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc734b0000"
              },
              {
                "name": "SectionOffset",
                "value": "0x00000000"
              },
              {
                "name": "ViewSize",
                "value": "0x00012000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000080",
                "pretty_value": "PAGE_EXECUTE_WRITECOPY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 796
          },
          {
            "timestamp": "2026-05-28 22:02:12,932",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc734bf000"
              },
              {
                "name": "ModuleName",
                "value": "kernel.appcore.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 797
          },
          {
            "timestamp": "2026-05-28 22:02:12,932",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc734b5000"
              },
              {
                "name": "ModuleName",
                "value": "kernel.appcore.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 798
          },
          {
            "timestamp": "2026-05-28 22:02:12,932",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc734b5000"
              },
              {
                "name": "ModuleName",
                "value": "kernel.appcore.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 799
          },
          {
            "timestamp": "2026-05-28 22:02:12,932",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc734b5000"
              },
              {
                "name": "ModuleName",
                "value": "kernel.appcore.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 800
          },
          {
            "timestamp": "2026-05-28 22:02:12,932",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc734b5000"
              },
              {
                "name": "ModuleName",
                "value": "kernel.appcore.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 801
          },
          {
            "timestamp": "2026-05-28 22:02:12,932",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc734b5000"
              },
              {
                "name": "ModuleName",
                "value": "kernel.appcore.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 802
          },
          {
            "timestamp": "2026-05-28 22:02:12,932",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000330"
              }
            ],
            "repeated": 0,
            "id": 803
          },
          {
            "timestamp": "2026-05-28 22:02:12,932",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000032c"
              }
            ],
            "repeated": 0,
            "id": 804
          },
          {
            "timestamp": "2026-05-28 22:02:12,932",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc734b5000"
              },
              {
                "name": "ModuleName",
                "value": "kernel.appcore.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 805
          },
          {
            "timestamp": "2026-05-28 22:02:12,932",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\SYSTEM32\\kernel.appcore"
              },
              {
                "name": "DllBase",
                "value": "0x7ffc734b0000"
              }
            ],
            "repeated": 0,
            "id": 806
          },
          {
            "timestamp": "2026-05-28 22:02:12,932",
            "thread_id": "11032",
            "caller": "0x7ffc756e53aa",
            "parentcaller": "0x7ffc1fa0f4b5",
            "category": "filesystem",
            "api": "NtWriteFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00001774"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\NamedPipe\\LOCAL\\mojo.9188.10632.18297276111718467407"
              },
              {
                "name": "Buffer",
                "value": "\\x10\\x00\\x00\\x00\\xe8\\x00\\x00\\x00\\x92\\xae\\xf9\\x04\\x00\\x00\\x00\\x00\\x18\\x00\\x14\\x00\\x00\\x00\\x00\\x00\\x07\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00H\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x18\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00{\\x01\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00`\\x00\\x00\\x00p\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00h\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00!\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xc0\\x06\\x00\\x00@\\x00\\x00\\x00\"\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "Length",
                "value": "232"
              }
            ],
            "repeated": 0,
            "id": 807
          },
          {
            "timestamp": "2026-05-28 22:02:12,932",
            "thread_id": "11032",
            "caller": "0x7ffc756e5810",
            "parentcaller": "0x7ffc1fa0f3bb",
            "category": "filesystem",
            "api": "NtReadFile",
            "status": true,
            "return": "0x00000103",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00001774"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\NamedPipe\\LOCAL\\mojo.9188.10632.18297276111718467407"
              },
              {
                "name": "Buffer",
                "value": "\\x10\\x00\\x00\\x00p\\x00\\x00\\x00F\\xb3\\xf9\\x04\\x00\\x00\\x00\\x00\\x18\\x00\\x14\\x00\\x00\\x00\\x00\\x00\\x0e\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00H\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x1f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00y\\x01\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "Length",
                "value": "112"
              }
            ],
            "repeated": 0,
            "id": 808
          },
          {
            "timestamp": "2026-05-28 22:02:12,932",
            "thread_id": "11032",
            "caller": "0x7ffc756e53aa",
            "parentcaller": "0x7ffc1fa0f4b5",
            "category": "filesystem",
            "api": "NtWriteFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00001774"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\NamedPipe\\LOCAL\\mojo.9188.10632.18297276111718467407"
              },
              {
                "name": "Buffer",
                "value": "\\x10\\x00\\x00\\x00\\xb8\\x00\\x00\\x00\\x93\\xae\\xf9\\x04\\x00\\x00\\x00\\x00\\x18\\x00\\x14\\x00\\x00\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00H\\x00\\x00\\x00\\x00\\x00\\x00\\x00\"\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00`\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00H\\x00\\x00\\x00@\\x00\\x00\\x008\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00B\\x1aQ\\x13\\x01\\x00\\x00\\x00\\x8b\\x0c\\xe5h\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x18\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "Length",
                "value": "184"
              }
            ],
            "repeated": 0,
            "id": 809
          },
          {
            "timestamp": "2026-05-28 22:02:12,932",
            "thread_id": "11032",
            "caller": "0x7ffc75716f4c",
            "parentcaller": "0x7ffc1ed84292",
            "category": "system",
            "api": "NtDuplicateObject",
            "status": false,
            "return": "0xffffffffc0000022",
            "pretty_return": "ACCESS_DENIED",
            "arguments": [
              {
                "name": "SourceProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "SourceHandle",
                "value": "0x00000330"
              },
              {
                "name": "TargetProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "TargetHandle",
                "value": "0x00000000"
              },
              {
                "name": "Options",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 810
          },
          {
            "timestamp": "2026-05-28 22:02:12,932",
            "thread_id": "11032",
            "caller": "0x7ffc75716f4c",
            "parentcaller": "0x7ffc1ed84292",
            "category": "system",
            "api": "NtDuplicateObject",
            "status": false,
            "return": "0xffffffffc0000022",
            "pretty_return": "ACCESS_DENIED",
            "arguments": [
              {
                "name": "SourceProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "SourceHandle",
                "value": "0x00000334"
              },
              {
                "name": "TargetProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "TargetHandle",
                "value": "0x00000000"
              },
              {
                "name": "Options",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 811
          },
          {
            "timestamp": "2026-05-28 22:02:12,932",
            "thread_id": "11032",
            "caller": "0x7ffc756e5810",
            "parentcaller": "0x7ffc1fa0f3bb",
            "category": "filesystem",
            "api": "NtReadFile",
            "status": true,
            "return": "0x00000103",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00001774"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\NamedPipe\\LOCAL\\mojo.9188.10632.18297276111718467407"
              },
              {
                "name": "Buffer",
                "value": "\\x10\\x00\\x00\\x00\\x18\\x01\\x00\\x00\\xad\\xc0\\xf9\\x04\\x00\\x00\\x00\\x00\\x18\\x00\\x14\\x00\\x00\\x00\\x00\\x00\\x0f\\x00\\x00\\x00\\x00\\x00\\x00\\x00p\\x00\\x00\\x00\\x00\\x00\\x00\\x00H\\x00\\x00\\x00\\x00\\x00\\x00\\x00!\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00y\\x01\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00`\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x18\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x88\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xc8\\x00\\x00\\x00\\x00\\x00\\x00\\x00@\\x00\\x00\\x008\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x000\\x03\\x00\\x00\\x00\\x00\\x00\\x00 \\x00\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x8d4\\xe2\r\\xb2\\xb1\\xbc\\xecQ\\xd01\\x1d:M#J@\\x00\\x00\\x008\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x004\\x03\\x00\\x00\\x00\\x00\\x00\\x00 \\x00\\x00\\x00\\x08\\x00\\x00\\x00"
              },
              {
                "name": "Length",
                "value": "280"
              }
            ],
            "repeated": 0,
            "id": 812
          },
          {
            "timestamp": "2026-05-28 22:02:12,932",
            "thread_id": "11032",
            "caller": "0x7ffc756e53aa",
            "parentcaller": "0x7ffc1fa0f4b5",
            "category": "filesystem",
            "api": "NtWriteFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00001774"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\NamedPipe\\LOCAL\\mojo.9188.10632.18297276111718467407"
              },
              {
                "name": "Buffer",
                "value": "\\x10\\x00\\x00\\x008\\x00\\x00\\x00\\x9f\\xae\\xf9\\x04\\x00\\x00\\x00\\x00\\x18\\x00$\\x00\\x00\\x00\\x00\\x00\t\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x17\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "Length",
                "value": "56"
              }
            ],
            "repeated": 0,
            "id": 813
          },
          {
            "timestamp": "2026-05-28 22:02:12,932",
            "thread_id": "11032",
            "caller": "0x7ffc756e5810",
            "parentcaller": "0x7ffc1fa0f3bb",
            "category": "filesystem",
            "api": "NtReadFile",
            "status": true,
            "return": "0x00000103",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00001774"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\NamedPipe\\LOCAL\\mojo.9188.10632.18297276111718467407"
              },
              {
                "name": "Buffer",
                "value": "\\x10\\x00\\x00\\x00X\\x00\\x00\\x00K\\xc2\\xf9\\x04\\x00\\x00\\x00\\x00\\x18\\x00\"\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x000\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x17\\x00\\x00\\x00\\x00\\x00\\x00\\x00*\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x08\\x00\\x00@\\x00\\x00\\x00\\x05\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "Length",
                "value": "88"
              }
            ],
            "repeated": 0,
            "id": 814
          },
          {
            "timestamp": "2026-05-28 22:02:12,932",
            "thread_id": "11032",
            "caller": "0x7ffc756e53aa",
            "parentcaller": "0x7ffc1fa0f4b5",
            "category": "filesystem",
            "api": "NtWriteFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00001774"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\NamedPipe\\LOCAL\\mojo.9188.10632.18297276111718467407"
              },
              {
                "name": "Buffer",
                "value": "\\x10\\x00\\x00\\x00\\xe8\\x00\\x00\\x005\\xaf\\xf9\\x04\\x00\\x00\\x00\\x00\\x18\\x00\\x14\\x00\\x00\\x00\\x00\\x00\n\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00H\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x18\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00|\\x01\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00`\\x00\\x00\\x00p\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00h\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00#\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x07\\x00\\x00@\\x00\\x00\\x00$\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "Length",
                "value": "232"
              }
            ],
            "repeated": 0,
            "id": 815
          },
          {
            "timestamp": "2026-05-28 22:02:12,932",
            "thread_id": "11032",
            "caller": "0x7ffc756e53aa",
            "parentcaller": "0x7ffc1fa0f4b5",
            "category": "filesystem",
            "api": "NtWriteFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00001774"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\NamedPipe\\LOCAL\\mojo.9188.10632.18297276111718467407"
              },
              {
                "name": "Buffer",
                "value": "\\x10\\x00\\x00\\x008\\x01\\x00\\x007\\xaf\\xf9\\x04\\x00\\x00\\x00\\x00\\x18\\x00\\x14\\x00\\x00\\x00\\x00\\x00\\x0b\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00H\\x00\\x00\\x00\\x00\\x00\\x00\\x00$\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00`\\x00\\x00\\x00\\xb0\\x00\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00P\\x00\\x00\\x00H\\x00\\x00\\x008\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xaa\\xb1\\xd4T\\x00\\x00\\x00\\x00\\x8d\\x0c\\xe5h\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x18\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00h\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00%\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00@\\x07\\x00\\x00@\\x00\\x00\\x00&\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "Length",
                "value": "312"
              }
            ],
            "repeated": 0,
            "id": 816
          },
          {
            "timestamp": "2026-05-28 22:02:12,932",
            "thread_id": "11032",
            "caller": "0x7ffc756e5810",
            "parentcaller": "0x7ffc1fa0f3bb",
            "category": "filesystem",
            "api": "NtReadFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00001774"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\NamedPipe\\LOCAL\\mojo.9188.10632.18297276111718467407"
              },
              {
                "name": "Buffer",
                "value": "\\x10\\x00\\x00\\x00@\\x00\\x00\\x00\\xbd\\xc4\\xf9\\x04\\x00\\x00\\x00\\x00\\x18\\x00\\x16\\x00\\x00\\x00\\x00\\x00\\x12\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x18\\x00\\x00\\x00\\x00\\x00\\x00\\x00%\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "Length",
                "value": "64"
              }
            ],
            "repeated": 0,
            "id": 817
          },
          {
            "timestamp": "2026-05-28 22:02:12,932",
            "thread_id": "11032",
            "caller": "0x7ffc756e53aa",
            "parentcaller": "0x7ffc1fa0f4b5",
            "category": "filesystem",
            "api": "NtWriteFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00001774"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\NamedPipe\\LOCAL\\mojo.9188.10632.18297276111718467407"
              },
              {
                "name": "Buffer",
                "value": "\\x10\\x00\\x00\\x008\\x00\\x00\\x00(\\xb0\\xf9\\x04\\x00\\x00\\x00\\x00\\x18\\x00$\\x00\\x00\\x00\\x00\\x00\\x0c\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x18\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "Length",
                "value": "56"
              }
            ],
            "repeated": 0,
            "id": 818
          },
          {
            "timestamp": "2026-05-28 22:02:12,932",
            "thread_id": "11032",
            "caller": "0x7ffc756e5810",
            "parentcaller": "0x7ffc1fa0f3bb",
            "category": "filesystem",
            "api": "NtReadFile",
            "status": true,
            "return": "0x00000103",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00001774"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\NamedPipe\\LOCAL\\mojo.9188.10632.18297276111718467407"
              },
              {
                "name": "Buffer",
                "value": "\\x10\\x00\\x00\\x00@\\x00\\x00\\x00\\xbd\\xc4\\xf9\\x04\\x00\\x00\\x00\\x00\\x18\\x00\\x16\\x00\\x00\\x00\\x00\\x00\\x12\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x18\\x00\\x00\\x00\\x00\\x00\\x00\\x00%\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "Length",
                "value": "64"
              }
            ],
            "repeated": 0,
            "id": 819
          },
          {
            "timestamp": "2026-05-28 22:02:12,932",
            "thread_id": "11032",
            "caller": "0x7ffc756e53aa",
            "parentcaller": "0x7ffc1fa0f4b5",
            "category": "filesystem",
            "api": "NtWriteFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00001774"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\NamedPipe\\LOCAL\\mojo.9188.10632.18297276111718467407"
              },
              {
                "name": "Buffer",
                "value": "\\x10\\x00\\x00\\x00p\\x00\\x00\\x00\\xbe\\xb0\\xf9\\x04\\x00\\x00\\x00\\x00\\x18\\x00\\x14\\x00\\x00\\x00\\x00\\x00\r\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00H\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x18\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00x\\x01\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "Length",
                "value": "112"
              }
            ],
            "repeated": 0,
            "id": 820
          },
          {
            "timestamp": "2026-05-28 22:02:12,932",
            "thread_id": "11032",
            "caller": "0x7ffc756e5810",
            "parentcaller": "0x7ffc1fa0f3bb",
            "category": "filesystem",
            "api": "NtReadFile",
            "status": true,
            "return": "0x00000103",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00001774"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\NamedPipe\\LOCAL\\mojo.9188.10632.18297276111718467407"
              },
              {
                "name": "Buffer",
                "value": "\\x10\\x00\\x00\\x00p\\x00\\x00\\x00P\\xc7\\xf9\\x04\\x00\\x00\\x00\\x00\\x18\\x00\\x14\\x00\\x00\\x00\\x00\\x00\\x13\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00H\\x00\\x00\\x00\\x00\\x00\\x00\\x00)\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00|\\x01\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "Length",
                "value": "112"
              }
            ],
            "repeated": 0,
            "id": 821
          },
          {
            "timestamp": "2026-05-28 22:02:12,932",
            "thread_id": "11032",
            "caller": "0x7ffc756e53aa",
            "parentcaller": "0x7ffc1fa0f4b5",
            "category": "filesystem",
            "api": "NtWriteFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00001774"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\NamedPipe\\LOCAL\\mojo.9188.10632.18297276111718467407"
              },
              {
                "name": "Buffer",
                "value": "\\x10\\x00\\x00\\x00\\xe8\\x00\\x00\\x00\\x9a\\xb1\\xf9\\x04\\x00\\x00\\x00\\x00\\x18\\x00\\x14\\x00\\x00\\x00\\x00\\x00\\x0e\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00H\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x18\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x05\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00}\\x01\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00`\\x00\\x00\\x00p\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00h\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00'\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x80\\x07\\x00\\x00@\\x00\\x00\\x00(\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "Length",
                "value": "232"
              }
            ],
            "repeated": 0,
            "id": 822
          },
          {
            "timestamp": "2026-05-28 22:02:12,932",
            "thread_id": "11032",
            "caller": "0x7ffc756e53aa",
            "parentcaller": "0x7ffc1fa0f4b5",
            "category": "filesystem",
            "api": "NtWriteFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00001774"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\NamedPipe\\LOCAL\\mojo.9188.10632.18297276111718467407"
              },
              {
                "name": "Buffer",
                "value": "\\x10\\x00\\x00\\x00@\\x00\\x00\\x00q\\xb2\\xf9\\x04\\x00\\x00\\x00\\x00\\x18\\x00\\x16\\x00\\x00\\x00\\x00\\x00\\x0f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x18\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x1d\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "Length",
                "value": "64"
              }
            ],
            "repeated": 0,
            "id": 823
          },
          {
            "timestamp": "2026-05-28 22:02:12,932",
            "thread_id": "11032",
            "caller": "0x7ffc756e53aa",
            "parentcaller": "0x7ffc1fa0f4b5",
            "category": "filesystem",
            "api": "NtWriteFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00001774"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\NamedPipe\\LOCAL\\mojo.9188.10632.18297276111718467407"
              },
              {
                "name": "Buffer",
                "value": "\\x10\\x00\\x00\\x00@\\x00\\x00\\x00\\x00\\xb4\\xf9\\x04\\x00\\x00\\x00\\x00\\x18\\x00#\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x18\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x18\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x06\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "Length",
                "value": "64"
              }
            ],
            "repeated": 0,
            "id": 824
          },
          {
            "timestamp": "2026-05-28 22:02:12,932",
            "thread_id": "11032",
            "caller": "0x7ffc756e53aa",
            "parentcaller": "0x7ffc1fa0f4b5",
            "category": "filesystem",
            "api": "NtWriteFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00001774"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\NamedPipe\\LOCAL\\mojo.9188.10632.18297276111718467407"
              },
              {
                "name": "Buffer",
                "value": "\\x10\\x00\\x00\\x00p\\x00\\x00\\x00\\x08\\xc3\\xf9\\x04\\x00\\x00\\x00\\x00\\x18\\x00\\x14\\x00\\x00\\x00\\x00\\x00\\x11\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00H\\x00\\x00\\x00\\x00\\x00\\x00\\x00\r\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00{\\x01\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "Length",
                "value": "112"
              }
            ],
            "repeated": 0,
            "id": 825
          },
          {
            "timestamp": "2026-05-28 22:02:12,932",
            "thread_id": "11032",
            "caller": "0x7ffc756e53aa",
            "parentcaller": "0x7ffc1fa0f4b5",
            "category": "filesystem",
            "api": "NtWriteFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00001774"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\NamedPipe\\LOCAL\\mojo.9188.10632.18297276111718467407"
              },
              {
                "name": "Buffer",
                "value": "\\x10\\x00\\x00\\x00@\\x00\\x00\\x00\\x0e\\xc3\\xf9\\x04\\x00\\x00\\x00\\x00\\x18\\x00#\\x00\\x00\\x00\\x00\\x00\\x12\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x18\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x17\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "Length",
                "value": "64"
              }
            ],
            "repeated": 0,
            "id": 826
          },
          {
            "timestamp": "2026-05-28 22:02:12,947",
            "thread_id": "11000",
            "caller": "0x7ff66caab737",
            "parentcaller": "0x00000000",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": " \\xee/\\xf8\\xb8\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\xe9\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 827
          },
          {
            "timestamp": "2026-05-28 22:02:12,947",
            "thread_id": "11000",
            "caller": "0x7ff66caab737",
            "parentcaller": "0x00000000",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000338"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3968686040-3210279463-847977608-1001"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER"
              }
            ],
            "repeated": 0,
            "id": 828
          },
          {
            "timestamp": "2026-05-28 22:02:12,947",
            "thread_id": "11000",
            "caller": "0x7ff66caab737",
            "parentcaller": "0x00000000",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000338"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 829
          },
          {
            "timestamp": "2026-05-28 22:02:12,947",
            "thread_id": "11000",
            "caller": "0x7ff66caab737",
            "parentcaller": "0x00000000",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000033c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000338"
              },
              {
                "name": "ObjectAttributesName",
                "value": "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Themes\\Personalize"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Themes\\Personalize"
              }
            ],
            "repeated": 0,
            "id": 830
          },
          {
            "timestamp": "2026-05-28 22:02:12,947",
            "thread_id": "11000",
            "caller": "0x7ff66caab737",
            "parentcaller": "0x00000000",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000033c"
              },
              {
                "name": "ValueName",
                "value": "AppsUseLightTheme"
              },
              {
                "name": "Data",
                "value": "1"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Themes\\Personalize\\AppsUseLightTheme"
              }
            ],
            "repeated": 0,
            "id": 831
          },
          {
            "timestamp": "2026-05-28 22:02:12,947",
            "thread_id": "11000",
            "caller": "0x7ff66caab737",
            "parentcaller": "0x00000000",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000033c"
              }
            ],
            "repeated": 0,
            "id": 832
          },
          {
            "timestamp": "2026-05-28 22:02:12,947",
            "thread_id": "11000",
            "caller": "0x7ff66caab737",
            "parentcaller": "0x00000000",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000338"
              }
            ],
            "repeated": 0,
            "id": 833
          },
          {
            "timestamp": "2026-05-28 22:02:12,947",
            "thread_id": "11000",
            "caller": "0x7ff66caab737",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000003c"
              },
              {
                "name": "Milliseconds",
                "value": "18446744073709551615"
              },
              {
                "name": "Status",
                "value": "Infinite"
              }
            ],
            "repeated": 1,
            "id": 834
          },
          {
            "timestamp": "2026-05-28 22:02:12,947",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "LdrpCallInitRoutine",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "MappedPath",
                "value": "\\Device\\HarddiskVolume2\\Windows\\System32\\kernel.appcore"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc734b0000"
              },
              {
                "name": "InitRoutine",
                "value": "0x7ffc734b3f10"
              },
              {
                "name": "Reason",
                "value": "1"
              }
            ],
            "repeated": 0,
            "id": 835
          },
          {
            "timestamp": "2026-05-28 22:02:12,947",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc77ea1000"
              },
              {
                "name": "ModuleName",
                "value": "combase.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 836
          },
          {
            "timestamp": "2026-05-28 22:02:12,947",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc77ea1000"
              },
              {
                "name": "ModuleName",
                "value": "combase.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 837
          },
          {
            "timestamp": "2026-05-28 22:02:12,947",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc771be000"
              },
              {
                "name": "ModuleName",
                "value": "RPCRT4.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 838
          },
          {
            "timestamp": "2026-05-28 22:02:12,947",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc771be000"
              },
              {
                "name": "ModuleName",
                "value": "RPCRT4.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 839
          },
          {
            "timestamp": "2026-05-28 22:02:12,947",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtAllocateVirtualMemoryEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2a365440000"
              },
              {
                "name": "RegionSize",
                "value": "0x00006000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 840
          },
          {
            "timestamp": "2026-05-28 22:02:12,947",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc77ea1000"
              },
              {
                "name": "ModuleName",
                "value": "combase.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 841
          },
          {
            "timestamp": "2026-05-28 22:02:12,947",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc77ea1000"
              },
              {
                "name": "ModuleName",
                "value": "combase.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 842
          },
          {
            "timestamp": "2026-05-28 22:02:12,947",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x3edc00150000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 843
          },
          {
            "timestamp": "2026-05-28 22:02:12,947",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x3edc00107000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 844
          },
          {
            "timestamp": "2026-05-28 22:02:12,947",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "NtDuplicateObject",
            "status": false,
            "return": "0xffffffffc0000022",
            "pretty_return": "ACCESS_DENIED",
            "arguments": [
              {
                "name": "SourceProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "SourceHandle",
                "value": "0x00000330"
              },
              {
                "name": "TargetProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "TargetHandle",
                "value": "0x00000000"
              },
              {
                "name": "Options",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 845
          },
          {
            "timestamp": "2026-05-28 22:02:12,947",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "NtDuplicateObject",
            "status": false,
            "return": "0xffffffffc0000022",
            "pretty_return": "ACCESS_DENIED",
            "arguments": [
              {
                "name": "SourceProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "SourceHandle",
                "value": "0x00000334"
              },
              {
                "name": "TargetProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "TargetHandle",
                "value": "0x00000000"
              },
              {
                "name": "Options",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 846
          },
          {
            "timestamp": "2026-05-28 22:02:12,947",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000330"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2a366df0000"
              },
              {
                "name": "SectionOffset",
                "value": "0xb8f792d160"
              },
              {
                "name": "ViewSize",
                "value": "0x00001000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 847
          },
          {
            "timestamp": "2026-05-28 22:02:12,947",
            "thread_id": "10724",
            "caller": "0x7ff66cac4c88",
            "parentcaller": "0x7ff66caab649",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000330"
              }
            ],
            "repeated": 0,
            "id": 848
          },
          {
            "timestamp": "2026-05-28 22:02:12,947",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000334"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2a367dd0000"
              },
              {
                "name": "SectionOffset",
                "value": "0xb8f792d160"
              },
              {
                "name": "ViewSize",
                "value": "0x00001000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 849
          },
          {
            "timestamp": "2026-05-28 22:02:12,947",
            "thread_id": "10724",
            "caller": "0x7ff66cac4c88",
            "parentcaller": "0x7ff66caab649",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000334"
              }
            ],
            "repeated": 0,
            "id": 850
          },
          {
            "timestamp": "2026-05-28 22:02:12,947",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x3edc00135000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 851
          },
          {
            "timestamp": "2026-05-28 22:02:12,947",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "filesystem",
            "api": "NtWriteFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00001774"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\NamedPipe\\LOCAL\\mojo.9188.10632.18297276111718467407"
              },
              {
                "name": "Buffer",
                "value": "\\x10\\x00\\x00\\x00p\\x00\\x00\\x00\\x0f\\xda\\xf9\\x04\\x00\\x00\\x00\\x00\\x18\\x00\\x14\\x00\\x00\\x00\\x00\\x00\\x13\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00H\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x0f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00|\\x01\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "Length",
                "value": "112"
              }
            ],
            "repeated": 0,
            "id": 852
          },
          {
            "timestamp": "2026-05-28 22:02:12,947",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 853
          },
          {
            "timestamp": "2026-05-28 22:02:12,947",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002cc"
              },
              {
                "name": "Milliseconds",
                "value": "7984"
              }
            ],
            "repeated": 0,
            "id": 854
          },
          {
            "timestamp": "2026-05-28 22:02:12,947",
            "thread_id": "11000",
            "caller": "0x7ff66caab737",
            "parentcaller": "0x00000000",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "93"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x7f7\\x9e}"
              }
            ],
            "repeated": 0,
            "id": 855
          },
          {
            "timestamp": "2026-05-28 22:02:12,947",
            "thread_id": "11000",
            "caller": "0x7ff66caab737",
            "parentcaller": "0x00000000",
            "category": "process",
            "api": "NtOpenSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000334"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0000000d"
              },
              {
                "name": "ObjectAttributes",
                "value": "MSCTF.dll"
              }
            ],
            "repeated": 0,
            "id": 856
          },
          {
            "timestamp": "2026-05-28 22:02:12,947",
            "thread_id": "11000",
            "caller": "0x7ff66caab737",
            "parentcaller": "0x00000000",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000334"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc77400000"
              },
              {
                "name": "SectionOffset",
                "value": "0x00000000"
              },
              {
                "name": "ViewSize",
                "value": "0x00114000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000080",
                "pretty_value": "PAGE_EXECUTE_WRITECOPY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 857
          },
          {
            "timestamp": "2026-05-28 22:02:12,947",
            "thread_id": "11000",
            "caller": "0x7ff66caab737",
            "parentcaller": "0x00000000",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc77510000"
              },
              {
                "name": "ModuleName",
                "value": "MSCTF.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 858
          },
          {
            "timestamp": "2026-05-28 22:02:12,947",
            "thread_id": "11000",
            "caller": "0x7ff66caab737",
            "parentcaller": "0x00000000",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc774dc000"
              },
              {
                "name": "ModuleName",
                "value": "MSCTF.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 859
          },
          {
            "timestamp": "2026-05-28 22:02:12,947",
            "thread_id": "11000",
            "caller": "0x7ff66caab737",
            "parentcaller": "0x00000000",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc774dc000"
              },
              {
                "name": "ModuleName",
                "value": "MSCTF.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 860
          },
          {
            "timestamp": "2026-05-28 22:02:12,947",
            "thread_id": "11000",
            "caller": "0x7ff66caab737",
            "parentcaller": "0x00000000",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc774dc000"
              },
              {
                "name": "ModuleName",
                "value": "MSCTF.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 861
          },
          {
            "timestamp": "2026-05-28 22:02:12,947",
            "thread_id": "11000",
            "caller": "0x7ff66caab737",
            "parentcaller": "0x00000000",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc774dc000"
              },
              {
                "name": "ModuleName",
                "value": "MSCTF.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 862
          },
          {
            "timestamp": "2026-05-28 22:02:12,947",
            "thread_id": "11000",
            "caller": "0x7ff66caab737",
            "parentcaller": "0x00000000",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc774db000"
              },
              {
                "name": "ModuleName",
                "value": "MSCTF.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00002000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 863
          },
          {
            "timestamp": "2026-05-28 22:02:12,947",
            "thread_id": "11000",
            "caller": "0x7ff66caab737",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000334"
              }
            ],
            "repeated": 0,
            "id": 864
          },
          {
            "timestamp": "2026-05-28 22:02:12,947",
            "thread_id": "11000",
            "caller": "0x7ff66caab737",
            "parentcaller": "0x00000000",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc774db000"
              },
              {
                "name": "ModuleName",
                "value": "MSCTF.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00002000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 865
          },
          {
            "timestamp": "2026-05-28 22:02:12,947",
            "thread_id": "11000",
            "caller": "0x7ff66caab737",
            "parentcaller": "0x00000000",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "35"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\r\\x00\\x00\\x00\\x0b\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 866
          },
          {
            "timestamp": "2026-05-28 22:02:12,947",
            "thread_id": "11000",
            "caller": "0x7ff66caab737",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\System32\\MSCTF"
              },
              {
                "name": "DllBase",
                "value": "0x7ffc77400000"
              }
            ],
            "repeated": 0,
            "id": 867
          },
          {
            "timestamp": "2026-05-28 22:02:12,947",
            "thread_id": "11032",
            "caller": "0x7ffc756e53aa",
            "parentcaller": "0x7ffc1fa0f4b5",
            "category": "filesystem",
            "api": "NtWriteFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00001774"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\NamedPipe\\LOCAL\\mojo.9188.10632.18297276111718467407"
              },
              {
                "name": "Buffer",
                "value": "\\x10\\x00\\x00\\x00p\\x00\\x00\\x00\\x1c\\xdb\\xf9\\x04\\x00\\x00\\x00\\x00\\x18\\x00\\x14\\x00\\x00\\x00\\x00\\x00\\x14\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00H\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x0f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00y\\x01\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "Length",
                "value": "112"
              }
            ],
            "repeated": 0,
            "id": 868
          },
          {
            "timestamp": "2026-05-28 22:02:12,947",
            "thread_id": "11000",
            "caller": "0x7ff66caab737",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "LdrpCallInitRoutine",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "MappedPath",
                "value": "\\Device\\HarddiskVolume2\\Windows\\System32\\msctf"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc77400000"
              },
              {
                "name": "InitRoutine",
                "value": "0x7ffc77440760"
              },
              {
                "name": "Reason",
                "value": "1"
              }
            ],
            "repeated": 0,
            "id": 869
          },
          {
            "timestamp": "2026-05-28 22:02:12,947",
            "thread_id": "11000",
            "caller": "0x7ff66caab737",
            "parentcaller": "0x00000000",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc766c9000"
              },
              {
                "name": "ModuleName",
                "value": "IMM32.DLL"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 870
          },
          {
            "timestamp": "2026-05-28 22:02:12,947",
            "thread_id": "11000",
            "caller": "0x7ff66caab737",
            "parentcaller": "0x00000000",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc766c9000"
              },
              {
                "name": "ModuleName",
                "value": "IMM32.DLL"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 871
          },
          {
            "timestamp": "2026-05-28 22:02:12,947",
            "thread_id": "11000",
            "caller": "0x7ff66caab737",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000033c"
              }
            ],
            "repeated": 0,
            "id": 872
          },
          {
            "timestamp": "2026-05-28 22:02:12,947",
            "thread_id": "11000",
            "caller": "0x7ff66caab737",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000340"
              }
            ],
            "repeated": 0,
            "id": 873
          },
          {
            "timestamp": "2026-05-28 22:02:12,947",
            "thread_id": "11000",
            "caller": "0x7ff66caab737",
            "parentcaller": "0x00000000",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc766c9000"
              },
              {
                "name": "ModuleName",
                "value": "IMM32.DLL"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 874
          },
          {
            "timestamp": "2026-05-28 22:02:12,947",
            "thread_id": "11000",
            "caller": "0x7ff66caab737",
            "parentcaller": "0x00000000",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc766c9000"
              },
              {
                "name": "ModuleName",
                "value": "IMM32.DLL"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 875
          },
          {
            "timestamp": "2026-05-28 22:02:12,947",
            "thread_id": "11000",
            "caller": "0x7ff66caab737",
            "parentcaller": "0x00000000",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc77ef8000"
              },
              {
                "name": "ModuleName",
                "value": "GDI32.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 876
          },
          {
            "timestamp": "2026-05-28 22:02:12,947",
            "thread_id": "11000",
            "caller": "0x7ff66caab737",
            "parentcaller": "0x00000000",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc77ef8000"
              },
              {
                "name": "ModuleName",
                "value": "GDI32.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 877
          },
          {
            "timestamp": "2026-05-28 22:02:12,947",
            "thread_id": "11000",
            "caller": "0x7ff66caab737",
            "parentcaller": "0x00000000",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000340"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\System\\CurrentControlSet\\Control\\Nls\\CustomLocale"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Nls\\CustomLocale"
              }
            ],
            "repeated": 0,
            "id": 878
          },
          {
            "timestamp": "2026-05-28 22:02:12,947",
            "thread_id": "11000",
            "caller": "0x7ff66caab737",
            "parentcaller": "0x00000000",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000340"
              },
              {
                "name": "ValueName",
                "value": "en-US"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\en-US"
              }
            ],
            "repeated": 0,
            "id": 879
          },
          {
            "timestamp": "2026-05-28 22:02:12,947",
            "thread_id": "11000",
            "caller": "0x7ff66caab737",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000340"
              }
            ],
            "repeated": 0,
            "id": 880
          },
          {
            "timestamp": "2026-05-28 22:02:12,947",
            "thread_id": "11000",
            "caller": "0x7ff66caab737",
            "parentcaller": "0x00000000",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000340"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\System\\CurrentControlSet\\Control\\Nls\\ExtendedLocale"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Nls\\ExtendedLocale"
              }
            ],
            "repeated": 0,
            "id": 881
          },
          {
            "timestamp": "2026-05-28 22:02:12,947",
            "thread_id": "11000",
            "caller": "0x7ff66caab737",
            "parentcaller": "0x00000000",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000340"
              },
              {
                "name": "ValueName",
                "value": "en-US"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\ExtendedLocale\\en-US"
              }
            ],
            "repeated": 0,
            "id": 882
          },
          {
            "timestamp": "2026-05-28 22:02:12,947",
            "thread_id": "11000",
            "caller": "0x7ff66caab737",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000340"
              }
            ],
            "repeated": 0,
            "id": 883
          },
          {
            "timestamp": "2026-05-28 22:02:12,947",
            "thread_id": "11000",
            "caller": "0x7ff66caab737",
            "parentcaller": "0x00000000",
            "category": "process",
            "api": "NtOpenSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000340"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000004"
              },
              {
                "name": "ObjectAttributes",
                "value": "\\Sessions\\1\\Windows\\ThemeSection"
              }
            ],
            "repeated": 0,
            "id": 884
          },
          {
            "timestamp": "2026-05-28 22:02:12,947",
            "thread_id": "11000",
            "caller": "0x7ff66caab737",
            "parentcaller": "0x00000000",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000340"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2a367de0000"
              },
              {
                "name": "SectionOffset",
                "value": "0xb8f82fe450"
              },
              {
                "name": "ViewSize",
                "value": "0x00001000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 885
          },
          {
            "timestamp": "2026-05-28 22:02:12,947",
            "thread_id": "11000",
            "caller": "0x7ff66caab737",
            "parentcaller": "0x00000000",
            "category": "process",
            "api": "NtOpenSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x0000033c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000004"
              },
              {
                "name": "ObjectAttributes",
                "value": "\\Windows\\Theme3891648643"
              }
            ],
            "repeated": 0,
            "id": 886
          },
          {
            "timestamp": "2026-05-28 22:02:12,947",
            "thread_id": "11000",
            "caller": "0x7ff66caab737",
            "parentcaller": "0x00000000",
            "category": "process",
            "api": "NtOpenSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000344"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000004"
              },
              {
                "name": "ObjectAttributes",
                "value": "\\Sessions\\1\\Windows\\Theme276644042"
              }
            ],
            "repeated": 0,
            "id": 887
          },
          {
            "timestamp": "2026-05-28 22:02:12,947",
            "thread_id": "11000",
            "caller": "0x7ff66caab737",
            "parentcaller": "0x00000000",
            "category": "process",
            "api": "NtUnmapViewOfSectionEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2a367de0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Flags",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 888
          },
          {
            "timestamp": "2026-05-28 22:02:12,947",
            "thread_id": "11000",
            "caller": "0x7ff66caab737",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000340"
              }
            ],
            "repeated": 0,
            "id": 889
          },
          {
            "timestamp": "2026-05-28 22:02:12,947",
            "thread_id": "11000",
            "caller": "0x7ff66caab737",
            "parentcaller": "0x00000000",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x0000033c"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2a36acf0000"
              },
              {
                "name": "SectionOffset",
                "value": "0xb8f82feb70"
              },
              {
                "name": "ViewSize",
                "value": "0x000e2000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 890
          },
          {
            "timestamp": "2026-05-28 22:02:12,947",
            "thread_id": "11000",
            "caller": "0x7ff66caab737",
            "parentcaller": "0x00000000",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000344"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2a367de0000"
              },
              {
                "name": "SectionOffset",
                "value": "0xb8f82feb70"
              },
              {
                "name": "ViewSize",
                "value": "0x00004000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 891
          },
          {
            "timestamp": "2026-05-28 22:02:12,947",
            "thread_id": "11000",
            "caller": "0x7ff66caab737",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc77fd0000"
              }
            ],
            "repeated": 0,
            "id": 892
          },
          {
            "timestamp": "2026-05-28 22:02:12,947",
            "thread_id": "11000",
            "caller": "0x7ff66caab737",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc77fd0000"
              },
              {
                "name": "FunctionName",
                "value": "RtlRegisterFeatureConfigurationChangeNotification"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc77fd93b0"
              }
            ],
            "repeated": 0,
            "id": 893
          },
          {
            "timestamp": "2026-05-28 22:02:12,947",
            "thread_id": "11000",
            "caller": "0x7ff66caab737",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc77fd0000"
              },
              {
                "name": "FunctionName",
                "value": "NtQueryWnfStateData"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc7806fc40"
              }
            ],
            "repeated": 0,
            "id": 894
          },
          {
            "timestamp": "2026-05-28 22:02:12,947",
            "thread_id": "11000",
            "caller": "0x7ff66caab737",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc77fd0000"
              },
              {
                "name": "FunctionName",
                "value": "RtlSubscribeWnfStateChangeNotification"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc78012460"
              }
            ],
            "repeated": 0,
            "id": 895
          },
          {
            "timestamp": "2026-05-28 22:02:12,947",
            "thread_id": "11000",
            "caller": "0x7ff66caab737",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc77fd0000"
              },
              {
                "name": "FunctionName",
                "value": "RtlDisownModuleHeapAllocation"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc7804fa30"
              }
            ],
            "repeated": 0,
            "id": 896
          },
          {
            "timestamp": "2026-05-28 22:02:12,947",
            "thread_id": "11000",
            "caller": "0x7ff66caab737",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc77fd0000"
              },
              {
                "name": "FunctionName",
                "value": "RtlQueryFeatureConfiguration"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc7802cbd0"
              }
            ],
            "repeated": 0,
            "id": 897
          },
          {
            "timestamp": "2026-05-28 22:02:12,947",
            "thread_id": "11000",
            "caller": "0x7ff66caab737",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc77fd0000"
              },
              {
                "name": "FunctionName",
                "value": "RtlDllShutdownInProgress"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc78033410"
              }
            ],
            "repeated": 0,
            "id": 898
          },
          {
            "timestamp": "2026-05-28 22:02:12,947",
            "thread_id": "11000",
            "caller": "0x7ff66caab737",
            "parentcaller": "0x00000000",
            "category": "synchronization",
            "api": "NtCreateMutant",
            "status": true,
            "return": "0x40000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000340"
              },
              {
                "name": "MutexName",
                "value": "Local\\SM0:10720:304:WilStaging_02"
              },
              {
                "name": "InitialOwner",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 899
          },
          {
            "timestamp": "2026-05-28 22:02:12,947",
            "thread_id": "11000",
            "caller": "0x7ff66caab737",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000340"
              },
              {
                "name": "Milliseconds",
                "value": "18446744073709551615"
              },
              {
                "name": "Status",
                "value": "Infinite"
              }
            ],
            "repeated": 0,
            "id": 900
          },
          {
            "timestamp": "2026-05-28 22:02:12,947",
            "thread_id": "11000",
            "caller": "0x7ff66caab737",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 901
          },
          {
            "timestamp": "2026-05-28 22:02:12,947",
            "thread_id": "11000",
            "caller": "0x7ff66caab737",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000348"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 902
          },
          {
            "timestamp": "2026-05-28 22:02:12,947",
            "thread_id": "11000",
            "caller": "0x7ff66caab737",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 903
          },
          {
            "timestamp": "2026-05-28 22:02:12,947",
            "thread_id": "11000",
            "caller": "0x7ff66caab737",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000034c"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 904
          },
          {
            "timestamp": "2026-05-28 22:02:12,947",
            "thread_id": "11000",
            "caller": "0x7ff66caab737",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000034c"
              }
            ],
            "repeated": 0,
            "id": 905
          },
          {
            "timestamp": "2026-05-28 22:02:12,947",
            "thread_id": "11000",
            "caller": "0x7ff66caab737",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000348"
              }
            ],
            "repeated": 0,
            "id": 906
          },
          {
            "timestamp": "2026-05-28 22:02:12,947",
            "thread_id": "11000",
            "caller": "0x7ff66caab737",
            "parentcaller": "0x00000000",
            "category": "synchronization",
            "api": "NtReleaseMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000340"
              }
            ],
            "repeated": 0,
            "id": 907
          },
          {
            "timestamp": "2026-05-28 22:02:12,947",
            "thread_id": "11000",
            "caller": "0x7ff66caab737",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000340"
              }
            ],
            "repeated": 0,
            "id": 908
          },
          {
            "timestamp": "2026-05-28 22:02:12,963",
            "thread_id": "11028",
            "caller": "0x7ffc7571ebae",
            "parentcaller": "0x7ffc1f58c4eb",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "0",
                "pretty_value": "ThreadBasicInformation"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x03\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xa0\\xf7\\xb8\\x00\\x00\\x00\\xe0)\\x00\\x00\\x00\\x00\\x00\\x00\\x14+\\x00\\x00\\x00\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\xfc\\xff\\xff\\xff"
              },
              {
                "name": "ThreadId",
                "value": "11028"
              }
            ],
            "repeated": 0,
            "id": 909
          },
          {
            "timestamp": "2026-05-28 22:02:12,963",
            "thread_id": "11028",
            "caller": "0x7ffc75716f4c",
            "parentcaller": "0x7ffc1fc09c51",
            "category": "system",
            "api": "NtDuplicateObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SourceProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "SourceHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "TargetProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "TargetHandle",
                "value": "0x00000348"
              },
              {
                "name": "Options",
                "value": "0x00000002"
              }
            ],
            "repeated": 0,
            "id": 910
          },
          {
            "timestamp": "2026-05-28 22:02:12,963",
            "thread_id": "11028",
            "caller": "0x7ffc75704448",
            "parentcaller": "0x7ffc1ec3f766",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x3edc00071000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 911
          },
          {
            "timestamp": "2026-05-28 22:02:12,963",
            "thread_id": "11028",
            "caller": "0x7ffc75704448",
            "parentcaller": "0x7ffc1ec3f766",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x3edc00028000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 912
          },
          {
            "timestamp": "2026-05-28 22:02:12,963",
            "thread_id": "11028",
            "caller": "0x7ffc757d8ec6",
            "parentcaller": "0x7ffc1fbf0158",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "38"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xf0zDe\\xa3\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "11028"
              }
            ],
            "repeated": 0,
            "id": 913
          },
          {
            "timestamp": "2026-05-28 22:02:12,963",
            "thread_id": "11028",
            "caller": "0x7ffc1fc0eecc",
            "parentcaller": "0x7ffc1fc0ed3f",
            "category": "threading",
            "api": "SetThreadDescription",
            "status": true,
            "return": "0x10000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadDescription",
                "value": "ThreadPoolBackgroundWorker"
              }
            ],
            "repeated": 0,
            "id": 914
          },
          {
            "timestamp": "2026-05-28 22:02:12,963",
            "thread_id": "11028",
            "caller": "0x7ffc1fc0eee8",
            "parentcaller": "0x7ffc1fc0ed3f",
            "category": "system",
            "api": "IsDebuggerPresent",
            "status": false,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 915
          },
          {
            "timestamp": "2026-05-28 22:02:12,963",
            "thread_id": "11028",
            "caller": "0x7ffc756d30ce",
            "parentcaller": "0x7ffc1fb94b81",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 916
          },
          {
            "timestamp": "2026-05-28 22:02:12,963",
            "thread_id": "11028",
            "caller": "0x7ffc756d30ce",
            "parentcaller": "0x7ffc1fb94b81",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002f8"
              },
              {
                "name": "Milliseconds",
                "value": "60500"
              }
            ],
            "repeated": 0,
            "id": 917
          },
          {
            "timestamp": "2026-05-28 22:02:13,822",
            "thread_id": "10808",
            "caller": "0x7ffc77ff0880",
            "parentcaller": "0x7ffc77ff3008",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2a366e64000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 918
          },
          {
            "timestamp": "2026-05-28 22:02:13,822",
            "thread_id": "10808",
            "caller": "0x7ffc77ff0880",
            "parentcaller": "0x7ffc77ff3008",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2a366f02000"
              },
              {
                "name": "RegionSize",
                "value": "0x000fe000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 919
          },
          {
            "timestamp": "2026-05-28 22:02:13,822",
            "thread_id": "10808",
            "caller": "0x7ffc77ff0880",
            "parentcaller": "0x7ffc77ff3008",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2a367002000"
              },
              {
                "name": "RegionSize",
                "value": "0x000fe000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 920
          },
          {
            "timestamp": "2026-05-28 22:02:13,822",
            "thread_id": "10808",
            "caller": "0x7ffc77ff0880",
            "parentcaller": "0x7ffc77ff3008",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2a367102000"
              },
              {
                "name": "RegionSize",
                "value": "0x000fe000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 921
          },
          {
            "timestamp": "2026-05-28 22:02:13,854",
            "thread_id": "11032",
            "caller": "0x7ffc756e5810",
            "parentcaller": "0x7ffc1fa0f3bb",
            "category": "filesystem",
            "api": "NtReadFile",
            "status": true,
            "return": "0x00000103",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00001774"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\NamedPipe\\LOCAL\\mojo.9188.10632.18297276111718467407"
              },
              {
                "name": "Buffer",
                "value": "\\x10\\x00\\x00\\x00p\\x00\\x00\\x00\\x5ad\\x07\\x05\\x00\\x00\\x00\\x00\\x18\\x00\\x14\\x00\\x00\\x00\\x00\\x00\\x14\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00H\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x0f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00{\\x01\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "Length",
                "value": "112"
              }
            ],
            "repeated": 0,
            "id": 922
          },
          {
            "timestamp": "2026-05-28 22:02:13,854",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 923
          },
          {
            "timestamp": "2026-05-28 22:02:13,854",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002cc"
              },
              {
                "name": "Milliseconds",
                "value": "7078"
              }
            ],
            "repeated": 0,
            "id": 924
          },
          {
            "timestamp": "2026-05-28 22:02:13,854",
            "thread_id": "11032",
            "caller": "0x7ffc75704448",
            "parentcaller": "0x7ffc1ec3f766",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x3edc00154000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 925
          },
          {
            "timestamp": "2026-05-28 22:02:13,854",
            "thread_id": "11032",
            "caller": "0x7ffc756e5810",
            "parentcaller": "0x7ffc1fa0f3bb",
            "category": "filesystem",
            "api": "NtReadFile",
            "status": true,
            "return": "0x00000103",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00001774"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\NamedPipe\\LOCAL\\mojo.9188.10632.18297276111718467407"
              },
              {
                "name": "Buffer",
                "value": "\\x10\\x00\\x00\\x00\\xe8\\x00\\x00\\x00C\\xaf\\x07\\x05\\x00\\x00\\x00\\x00\\x18\\x00\\x14\\x00\\x00\\x00\\x00\\x00\\x15\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00H\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x0f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00{\\x01\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00`\\x00\\x00\\x00p\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00h\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00+\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x80\\x05\\x00\\x00@\\x00\\x00\\x00,\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "Length",
                "value": "232"
              }
            ],
            "repeated": 0,
            "id": 926
          },
          {
            "timestamp": "2026-05-28 22:02:13,854",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "filesystem",
            "api": "NtWriteFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00001774"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\NamedPipe\\LOCAL\\mojo.9188.10632.18297276111718467407"
              },
              {
                "name": "Buffer",
                "value": "\\x10\\x00\\x00\\x00p\\x00\\x00\\x00:\\xb0\\x07\\x05\\x00\\x00\\x00\\x00\\x18\\x00\\x14\\x00\\x00\\x00\\x00\\x00\\x15\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00H\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x0f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00}\\x01\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "Length",
                "value": "112"
              }
            ],
            "repeated": 0,
            "id": 927
          },
          {
            "timestamp": "2026-05-28 22:02:13,854",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 928
          },
          {
            "timestamp": "2026-05-28 22:02:13,854",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002cc"
              },
              {
                "name": "Milliseconds",
                "value": "7077"
              }
            ],
            "repeated": 0,
            "id": 929
          },
          {
            "timestamp": "2026-05-28 22:02:13,854",
            "thread_id": "11032",
            "caller": "0x7ffc756e5810",
            "parentcaller": "0x7ffc1fa0f3bb",
            "category": "filesystem",
            "api": "NtReadFile",
            "status": true,
            "return": "0x00000103",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00001774"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\NamedPipe\\LOCAL\\mojo.9188.10632.18297276111718467407"
              },
              {
                "name": "Buffer",
                "value": "\\x10\\x00\\x00\\x00\\xd8\\x00\\x00\\x00\\xc0\\xb1\\x07\\x05\\x00\\x00\\x00\\x00\\x18\\x00\\x14\\x00\\x00\\x00\\x00\\x00\\x16\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00H\\x00\\x00\\x00\\x00\\x00\\x00\\x00,\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00`\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00h\\x00\\x00\\x00`\\x00\\x00\\x008\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xfe\\xff\\xff\\xff\\x00\\x00\\x00\\x00\\x81\\x1b\\xcbF\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x18\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x18\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\x00@KL\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "Length",
                "value": "216"
              }
            ],
            "repeated": 0,
            "id": 930
          },
          {
            "timestamp": "2026-05-28 22:02:13,854",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 931
          },
          {
            "timestamp": "2026-05-28 22:02:13,854",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002cc"
              },
              {
                "name": "Milliseconds",
                "value": "7077"
              }
            ],
            "repeated": 0,
            "id": 932
          },
          {
            "timestamp": "2026-05-28 22:02:13,854",
            "thread_id": "11032",
            "caller": "0x7ffc756e5810",
            "parentcaller": "0x7ffc1fa0f3bb",
            "category": "filesystem",
            "api": "NtReadFile",
            "status": true,
            "return": "0x00000103",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00001774"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\NamedPipe\\LOCAL\\mojo.9188.10632.18297276111718467407"
              },
              {
                "name": "Buffer",
                "value": "\\x10\\x00\\x00\\x00@\\x01\\x00\\x00\\xba\\xb2\\x07\\x05\\x00\\x00\\x00\\x00\\x18\\x00\\x14\\x00\\x00\\x00\\x00\\x00\\x17\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00H\\x00\\x00\\x00\\x00\\x00\\x00\\x00,\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00`\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xd0\\x00\\x00\\x00\\xc8\\x00\\x00\\x008\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xdd\\xc5\\x13'\\x01\\x00\\x00\\x00\\x80\\x1b\\xcbF\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x18\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x18\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00h\\x00\\x00\\x000\\x00\\x00\\x00M\\x00i\\x00c\\x00r\\x00o\\x00s\\x00o\\x00f\\x00t\\x00.\\x00M\\x00i\\x00c\\x00r\\x00o\\x00s\\x00"
              },
              {
                "name": "Length",
                "value": "320"
              }
            ],
            "repeated": 0,
            "id": 933
          },
          {
            "timestamp": "2026-05-28 22:02:13,854",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "filesystem",
            "api": "NtWriteFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00001774"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\NamedPipe\\LOCAL\\mojo.9188.10632.18297276111718467407"
              },
              {
                "name": "Buffer",
                "value": "\\x10\\x00\\x00\\x00p\\x00\\x00\\x00\\x85\\xb3\\x07\\x05\\x00\\x00\\x00\\x00\\x18\\x00\\x14\\x00\\x00\\x00\\x00\\x00\\x16\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00H\\x00\\x00\\x00\\x00\\x00\\x00\\x00+\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00{\\x01\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "Length",
                "value": "112"
              }
            ],
            "repeated": 0,
            "id": 934
          },
          {
            "timestamp": "2026-05-28 22:02:13,854",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "api-ms-win-core-winrt-string-l1-1-0.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc77b70000"
              }
            ],
            "repeated": 0,
            "id": 935
          },
          {
            "timestamp": "2026-05-28 22:02:13,854",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x7ffc77b70000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "api-ms-win-core-winrt-string-l1-1-0.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00000800"
              }
            ],
            "repeated": 0,
            "id": 936
          },
          {
            "timestamp": "2026-05-28 22:02:13,854",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "combase.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc77b70000"
              },
              {
                "name": "FunctionName",
                "value": "WindowsCreateStringReference"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc77bb7ac0"
              }
            ],
            "repeated": 0,
            "id": 937
          },
          {
            "timestamp": "2026-05-28 22:02:13,854",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "combase.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc77b70000"
              },
              {
                "name": "FunctionName",
                "value": "RoGetActivationFactory"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc77b9c1a0"
              }
            ],
            "repeated": 0,
            "id": 938
          },
          {
            "timestamp": "2026-05-28 22:02:13,854",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "combase.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc77b70000"
              }
            ],
            "repeated": 0,
            "id": 939
          },
          {
            "timestamp": "2026-05-28 22:02:13,854",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "combase.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc77b70000"
              },
              {
                "name": "FunctionName",
                "value": "CLSIDFromOle1Class"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc77c1f760"
              }
            ],
            "repeated": 0,
            "id": 940
          },
          {
            "timestamp": "2026-05-28 22:02:13,854",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x00000364"
              }
            ],
            "repeated": 0,
            "id": 941
          },
          {
            "timestamp": "2026-05-28 22:02:13,854",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "20"
              },
              {
                "name": "TokenInformation",
                "value": "\\x01\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 942
          },
          {
            "timestamp": "2026-05-28 22:02:13,854",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "18"
              },
              {
                "name": "TokenInformation",
                "value": "\\x01\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 943
          },
          {
            "timestamp": "2026-05-28 22:02:13,854",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xf0\\xd6\\x92\\xf7\\xb8\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xfc\\x7f\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\xe9\\x03\\x00\\x00\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00'\\xc0\\xd93\\xfc\\x7f\\x00\\x00\\xa0\\xbd\\xd93\\xfc\\x7f\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xa0\\xd7\\x92\\xf7\\xb8\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x18\\xc0\\xd93"
              }
            ],
            "repeated": 0,
            "id": 944
          },
          {
            "timestamp": "2026-05-28 22:02:13,854",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000368"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\User\\S-1-5-21-3968686040-3210279463-847977608-1001_Classes"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes"
              }
            ],
            "repeated": 0,
            "id": 945
          },
          {
            "timestamp": "2026-05-28 22:02:13,854",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000364"
              }
            ],
            "repeated": 0,
            "id": 946
          },
          {
            "timestamp": "2026-05-28 22:02:13,854",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc77fd0000"
              },
              {
                "name": "FunctionName",
                "value": "RtlDllShutdownInProgress"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc78033410"
              }
            ],
            "repeated": 0,
            "id": 947
          },
          {
            "timestamp": "2026-05-28 22:02:13,854",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "synchronization",
            "api": "NtCreateMutant",
            "status": true,
            "return": "0x40000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000364"
              },
              {
                "name": "MutexName",
                "value": "Local\\SM0:10720:304:WilStaging_02"
              },
              {
                "name": "InitialOwner",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 948
          },
          {
            "timestamp": "2026-05-28 22:02:13,854",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000364"
              },
              {
                "name": "Milliseconds",
                "value": "18446744073709551615"
              },
              {
                "name": "Status",
                "value": "Infinite"
              }
            ],
            "repeated": 0,
            "id": 949
          },
          {
            "timestamp": "2026-05-28 22:02:13,854",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 950
          },
          {
            "timestamp": "2026-05-28 22:02:13,854",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000036c"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 951
          },
          {
            "timestamp": "2026-05-28 22:02:13,854",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 952
          },
          {
            "timestamp": "2026-05-28 22:02:13,854",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000370"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 953
          },
          {
            "timestamp": "2026-05-28 22:02:13,854",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000370"
              }
            ],
            "repeated": 0,
            "id": 954
          },
          {
            "timestamp": "2026-05-28 22:02:13,854",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000036c"
              }
            ],
            "repeated": 0,
            "id": 955
          },
          {
            "timestamp": "2026-05-28 22:02:13,854",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "synchronization",
            "api": "NtReleaseMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000364"
              }
            ],
            "repeated": 0,
            "id": 956
          },
          {
            "timestamp": "2026-05-28 22:02:13,854",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000364"
              }
            ],
            "repeated": 0,
            "id": 957
          },
          {
            "timestamp": "2026-05-28 22:02:13,854",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtOpenSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000364"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000004"
              },
              {
                "name": "ObjectAttributes",
                "value": "Global\\__ComCatalogCache__"
              }
            ],
            "repeated": 0,
            "id": 958
          },
          {
            "timestamp": "2026-05-28 22:02:13,854",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000364"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2a36ade0000"
              },
              {
                "name": "SectionOffset",
                "value": "0xb8f792d7c0"
              },
              {
                "name": "ViewSize",
                "value": "0x00001000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 959
          },
          {
            "timestamp": "2026-05-28 22:02:13,854",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtAllocateVirtualMemoryEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2a36544a000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 960
          },
          {
            "timestamp": "2026-05-28 22:02:13,854",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "Software\\Microsoft\\COM3"
              },
              {
                "name": "Handle",
                "value": "0x0000036c"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\COM3"
              }
            ],
            "repeated": 0,
            "id": 961
          },
          {
            "timestamp": "2026-05-28 22:02:13,854",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000036c"
              },
              {
                "name": "ValueName",
                "value": "Com+Enabled"
              },
              {
                "name": "Data",
                "value": "1"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\COM3\\Com+Enabled"
              }
            ],
            "repeated": 0,
            "id": 962
          },
          {
            "timestamp": "2026-05-28 22:02:13,854",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000036c"
              }
            ],
            "repeated": 0,
            "id": 963
          },
          {
            "timestamp": "2026-05-28 22:02:13,854",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "93"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x7f7\\x9e}"
              }
            ],
            "repeated": 0,
            "id": 964
          },
          {
            "timestamp": "2026-05-28 22:02:13,854",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtOpenSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x0000036c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0000000d"
              },
              {
                "name": "ObjectAttributes",
                "value": "clbcatq.dll"
              }
            ],
            "repeated": 0,
            "id": 965
          },
          {
            "timestamp": "2026-05-28 22:02:13,854",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x0000036c"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc765f0000"
              },
              {
                "name": "SectionOffset",
                "value": "0x00000000"
              },
              {
                "name": "ViewSize",
                "value": "0x000a9000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000080",
                "pretty_value": "PAGE_EXECUTE_WRITECOPY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 966
          },
          {
            "timestamp": "2026-05-28 22:02:13,854",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76694000"
              },
              {
                "name": "ModuleName",
                "value": "clbcatq.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 967
          },
          {
            "timestamp": "2026-05-28 22:02:13,854",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76669000"
              },
              {
                "name": "ModuleName",
                "value": "clbcatq.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 968
          },
          {
            "timestamp": "2026-05-28 22:02:13,854",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76669000"
              },
              {
                "name": "ModuleName",
                "value": "clbcatq.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 969
          },
          {
            "timestamp": "2026-05-28 22:02:13,854",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76669000"
              },
              {
                "name": "ModuleName",
                "value": "clbcatq.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 970
          },
          {
            "timestamp": "2026-05-28 22:02:13,854",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76669000"
              },
              {
                "name": "ModuleName",
                "value": "clbcatq.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 971
          },
          {
            "timestamp": "2026-05-28 22:02:13,854",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76668000"
              },
              {
                "name": "ModuleName",
                "value": "clbcatq.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00002000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 972
          },
          {
            "timestamp": "2026-05-28 22:02:13,854",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000036c"
              }
            ],
            "repeated": 0,
            "id": 973
          },
          {
            "timestamp": "2026-05-28 22:02:13,854",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76668000"
              },
              {
                "name": "ModuleName",
                "value": "clbcatq.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00002000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 974
          },
          {
            "timestamp": "2026-05-28 22:02:13,854",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\System32\\clbcatq"
              },
              {
                "name": "DllBase",
                "value": "0x7ffc765f0000"
              }
            ],
            "repeated": 0,
            "id": 975
          },
          {
            "timestamp": "2026-05-28 22:02:13,854",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtAllocateVirtualMemoryEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2a365507000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 976
          },
          {
            "timestamp": "2026-05-28 22:02:13,854",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "synchronization",
            "api": "NtOpenEvent",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000370"
              },
              {
                "name": "EventName",
                "value": "\\KernelObjects\\MaximumCommitCondition"
              }
            ],
            "repeated": 0,
            "id": 977
          },
          {
            "timestamp": "2026-05-28 22:02:13,854",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "LdrpCallInitRoutine",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "MappedPath",
                "value": "\\Device\\HarddiskVolume2\\Windows\\System32\\clbcatq"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc765f0000"
              },
              {
                "name": "InitRoutine",
                "value": "0x7ffc7660d990"
              },
              {
                "name": "Reason",
                "value": "1"
              }
            ],
            "repeated": 0,
            "id": 978
          },
          {
            "timestamp": "2026-05-28 22:02:13,854",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc77ea1000"
              },
              {
                "name": "ModuleName",
                "value": "combase.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 979
          },
          {
            "timestamp": "2026-05-28 22:02:13,854",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc77ea1000"
              },
              {
                "name": "ModuleName",
                "value": "combase.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 980
          },
          {
            "timestamp": "2026-05-28 22:02:13,854",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000374"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020119",
                "pretty_value": "KEY_QUERY_VALUE|KEY_ENUMERATE_SUB_KEYS|KEY_NOTIFY|KEY_WOW64_64KEY|STANDARD_RIGHTS_REQUIRED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\MACHINE\\Software\\Microsoft\\WindowsRuntime"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\WindowsRuntime"
              }
            ],
            "repeated": 0,
            "id": 981
          },
          {
            "timestamp": "2026-05-28 22:02:13,854",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000378"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020119",
                "pretty_value": "KEY_QUERY_VALUE|KEY_ENUMERATE_SUB_KEYS|KEY_NOTIFY|KEY_WOW64_64KEY|STANDARD_RIGHTS_REQUIRED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000374"
              },
              {
                "name": "ObjectAttributesName",
                "value": "ActivatableClassId"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId"
              }
            ],
            "repeated": 0,
            "id": 982
          },
          {
            "timestamp": "2026-05-28 22:02:13,854",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000037c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020119",
                "pretty_value": "KEY_QUERY_VALUE|KEY_ENUMERATE_SUB_KEYS|KEY_NOTIFY|KEY_WOW64_64KEY|STANDARD_RIGHTS_REQUIRED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000378"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Windows.UI.Notifications.ToastNotificationManager"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.UI.Notifications.ToastNotificationManager"
              }
            ],
            "repeated": 0,
            "id": 983
          },
          {
            "timestamp": "2026-05-28 22:02:13,854",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000037c"
              },
              {
                "name": "KeyInformation",
                "value": "N\\xffc1\\xffec\\xffe6\\xfff8\\xffee\\xffdc\\x01\\x00\\x00\\x00\\x00b\\x00\\x00\\x00W\\x00i\\x00n\\x00d\\x00o\\x00w\\x00s\\x00.\\x00U\\x00I\\x00.\\x00N\\x00o\\x00t\\x00i\\x00f\\x00i\\x00c\\x00a\\x00t\\x00i\\x00o\\x00n\\x00s\\x00.\\x00T\\x00o\\x00a\\x00s\\x00t\\x00N\\x00o\\x00t\\x00i\\x00f\\x00i\\x00c\\x00a\\x00t\\x00i\\x00o\\x00n\\x00M\\x00a\\x00n\\x00a\\x00g\\x00e\\x00r\\x00\\xffd93\\xfffc\\x7f\\x00\\x00\\x19\\x01\\x02\\x00\\xffa3\\x02\\x00\\x00X\\xff8e\\xffb4\\xfff4\\x02;\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xff87\\x00C8\\xfffc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xff87\\x00C8\\xfffc\\x7f\\x00\\x00H\\xffd4\\xff92\\xfff7\\xffb8\\x00\\x00\\x00\\xffe8\\xff90\\xffb4\\xfff4\\x02;\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xffc0\\xff8dDe\\xffa3\\x02\\x00\\x00\\xfff8\\xffe2\\xffda.\\xfffc\\x7f\\x00\\x00\\xffff\\xffff\\xffff\\xffff\\xffff\\xffff\\xffff\\xffff\\x19\\x01\\x02\\x00\\x00\\x00\\x00\\x00\\xffe0\\xff92De\\xffa3\\x02\\x00\\x00\\xff90\\xffd4\\xff92\\xfff7\\xffb8\\x00\\x00\\x00\\xffe4I\\xffb73\\xfffc\\x7f\\x00\\x00\\xfff8\\xffe2\\xffda.\\xfffc\\x7f\\x00\\x00\\xffff\\xffff\\xffff\\xffff\\xffff\\xffff\\xffff\\xfffft\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\xffb9\\x00C8\\xfffc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xff9d\\xffd0\\xffd93\\xfffc\\x7f\\x00\\x00\\xffb8\\xffcf\\xffd93\\xfffc\\x7f\\x00\\x00\\xffe0\\xff92De\\xffa3\\x02\\x00\\x00\\xfff8\\xff81\\xffd93\\xfffc\\x7f\\x00\\x00\\x19\\x01\\x02\\x00\\xffa3\\x02\\x00\\x00h\\xffd0\\xffd93\\xfffc\\x7f\\x00\\x00t\\x03\\x00\\x00\\x00\\x00\\x00\\x00P\\xffd0\\xffd93\\xfffc\\x7f\\x00\\x00\\xff80\\xffd4\\xff92\\xfff7\\xffb8\\x00\\x00\\x00\\xff98\\xff85\\xffd93\\xfffc\\x7f\\x00\\x00\\xff90\\xffd4\\xff92\\xfff7\\xffb8\\x00\\x00\\x00`\\x14Ce\\xffa3\\x02\\x00\\x00\\xffb0t\\xffbcw\\xfffc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\xffa3\\x02\\x00\\x00\\x10\\xffd6\\xff92\\xfff7\\xffb8\\x00\\x00\\x00\\xffe0\\xff92De\\xffa3\
\x02\\x00\\x00\\xffc0\\xff8dDe\\xffa3\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00$\\x00&\\x00\\x00\\x00\\x00\\x00|\\x14Ce\\xffa3\\x02\\x00\\x000\\x00\\x00\\x00\\xffa3\\x02\\x00\\x00t\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\xff80\\xffd4\\xff92\\xfff7\\xffb8\\x00\\x00\\x00@\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xffd0\\xff92De\\xffa3\\x02\\x00\\x00\\x19h\\xffbcw\\xfffc\\x7f\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 984
          },
          {
            "timestamp": "2026-05-28 22:02:13,854",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000037c"
              },
              {
                "name": "ValueName",
                "value": "ActivationType"
              },
              {
                "name": "Data",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.UI.Notifications.ToastNotificationManager\\ActivationType"
              }
            ],
            "repeated": 0,
            "id": 985
          },
          {
            "timestamp": "2026-05-28 22:02:13,854",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000037c"
              },
              {
                "name": "ValueName",
                "value": "Server"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.UI.Notifications.ToastNotificationManager\\Server"
              }
            ],
            "repeated": 0,
            "id": 986
          },
          {
            "timestamp": "2026-05-28 22:02:13,854",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000037c"
              },
              {
                "name": "ValueName",
                "value": "DllPath"
              },
              {
                "name": "Data",
                "value": "C:\\Windows\\System32\\wpnapps.dll"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.UI.Notifications.ToastNotificationManager\\DllPath"
              }
            ],
            "repeated": 0,
            "id": 987
          },
          {
            "timestamp": "2026-05-28 22:02:13,854",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000037c"
              },
              {
                "name": "ValueName",
                "value": "Threading"
              },
              {
                "name": "Data",
                "value": "2"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.UI.Notifications.ToastNotificationManager\\Threading"
              }
            ],
            "repeated": 0,
            "id": 988
          },
          {
            "timestamp": "2026-05-28 22:02:13,854",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000037c"
              },
              {
                "name": "ValueName",
                "value": "TrustLevel"
              },
              {
                "name": "Data",
                "value": "1"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.UI.Notifications.ToastNotificationManager\\TrustLevel"
              }
            ],
            "repeated": 0,
            "id": 989
          },
          {
            "timestamp": "2026-05-28 22:02:13,854",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x0000037c"
              },
              {
                "name": "SubKey",
                "value": "CustomAttributes"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.UI.Notifications.ToastNotificationManager\\CustomAttributes"
              }
            ],
            "repeated": 0,
            "id": 990
          },
          {
            "timestamp": "2026-05-28 22:02:13,854",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000037c"
              },
              {
                "name": "ValueName",
                "value": "RemoteServer"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.UI.Notifications.ToastNotificationManager\\RemoteServer"
              }
            ],
            "repeated": 0,
            "id": 991
          },
          {
            "timestamp": "2026-05-28 22:02:13,854",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000037c"
              },
              {
                "name": "ValueName",
                "value": "ActivateAsUser"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.UI.Notifications.ToastNotificationManager\\ActivateAsUser"
              }
            ],
            "repeated": 0,
            "id": 992
          },
          {
            "timestamp": "2026-05-28 22:02:13,854",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000037c"
              },
              {
                "name": "ValueName",
                "value": "ActivateInSharedBroker"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.UI.Notifications.ToastNotificationManager\\ActivateInSharedBroker"
              }
            ],
            "repeated": 0,
            "id": 993
          },
          {
            "timestamp": "2026-05-28 22:02:13,854",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000037c"
              },
              {
                "name": "ValueName",
                "value": "ActivateInBrokerForMediumILContainer"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.UI.Notifications.ToastNotificationManager\\ActivateInBrokerForMediumILContainer"
              }
            ],
            "repeated": 0,
            "id": 994
          },
          {
            "timestamp": "2026-05-28 22:02:13,854",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x000000ea",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000037c"
              },
              {
                "name": "ValueName",
                "value": "Permissions"
              },
              {
                "name": "Type",
                "value": "0xb800000003"
              },
              {
                "name": "DataLength",
                "value": "316"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.UI.Notifications.ToastNotificationManager\\Permissions"
              }
            ],
            "repeated": 0,
            "id": 995
          },
          {
            "timestamp": "2026-05-28 22:02:13,854",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000037c"
              },
              {
                "name": "ValueName",
                "value": "Permissions"
              },
              {
                "name": "Data",
                "value": "\\x01\\x00\\x14\\x80$\\x01\\x00\\x000\\x01\\x00\\x00\\x14\\x00\\x00\\x000\\x00\\x00\\x00\\x02\\x00\\x1c\\x00\\x01\\x00\\x00\\x00\\x11\\x00\\x14\\x00\\x04\\x00\\x00\\x00\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x10\\x00\\x00\\x02\\x00\\xf4\\x00\\x07\\x00\\x00\\x00\\x00\\x00\\x14\\x00\\x0b\\x00\\x00\\x00\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x05\n\\x00\\x00\\x00\\x00\\x00\\x14\\x00\\x0b\\x00\\x00\\x00\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x05\\x12\\x00\\x00\\x00\\x00\\x00\\x14\\x00\\x0b\\x00\\x00\\x00\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x05\\x13\\x00\\x00\\x00\\x00\\x00\\x14\\x00\\x0b\\x00\\x00\\x00\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x05\\x14\\x00\\x00\\x00\\x00\\x00\\x18\\x00\\x0b\\x00\\x00\\x00\\x01\\x02\\x00\\x00\\x00\\x00\\x00\\x0f\\x02\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x008\\x00\\x0b\\x00\\x00\\x00\\x01\n\\x00\\x00\\x00\\x00\\x00\\x0f\\x03\\x00\\x00\\x00\\x00\\x04\\x00\\x00\\xceJ\\x93Y\\xb9\\xcf\\x0buu\\xc0\\xf2\\x9b\\xb2\\xb4\\xc2\\x98\\xd4F\\xdd\\xf9\\x02z\\x87\\xec\\x14e\\x11w\\xd6\\xe9\\x96U\t\\x00L\\x00\\x0b\\x00\\x00\\x00\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x05\\x04\\x00\\x00\\x00artx\\xf8.\\x00\\x00\\x00W\\x00I\\x00N\\x00:\\x00/\\x00/\\x00I\\x00S\\x00M\\x00U\\x00L\\x00T\\x00I\\x00S\\x00E\\x00S\\x00S\\x00I\\x00O\\x00N\\x00S\\x00K\\x00U\\x00\\xa2\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x05\\x12\\x00\\x00\\x00\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x05\\x12\\x00\\x00\\x00"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.UI.Notifications.ToastNotificationManager\\Permissions"
              }
            ],
            "repeated": 0,
            "id": 996
          },
          {
            "timestamp": "2026-05-28 22:02:13,854",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000037c"
              },
              {
                "name": "ValueName",
                "value": "ActivateOnHostFlags"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.UI.Notifications.ToastNotificationManager\\ActivateOnHostFlags"
              }
            ],
            "repeated": 0,
            "id": 997
          },
          {
            "timestamp": "2026-05-28 22:02:13,854",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "SOFTWARE\\Microsoft\\OLE\\Diagnosis"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\OLE\\Diagnosis"
              }
            ],
            "repeated": 0,
            "id": 998
          },
          {
            "timestamp": "2026-05-28 22:02:13,854",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000037c"
              }
            ],
            "repeated": 0,
            "id": 999
          },
          {
            "timestamp": "2026-05-28 22:02:13,854",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": " \\xd5\\x92\\xf7\\xb8\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\xe9\\x03\\x00\\x00\\xa3\\x02\\x00\\x001\\xd7\\x92\\xf7\\xb8\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x1f\\x06\\x17\\xbf\\x06\\x1a\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xc1jq\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1000
          },
          {
            "timestamp": "2026-05-28 22:02:13,854",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000037c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3968686040-3210279463-847977608-1001"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER"
              }
            ],
            "repeated": 0,
            "id": 1001
          },
          {
            "timestamp": "2026-05-28 22:02:13,854",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x0000037c"
              },
              {
                "name": "SubKey",
                "value": "Software\\Classes"
              },
              {
                "name": "Handle",
                "value": "0x00000380"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\Software\\Classes"
              }
            ],
            "repeated": 0,
            "id": 1002
          },
          {
            "timestamp": "2026-05-28 22:02:13,854",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000037c"
              }
            ],
            "repeated": 0,
            "id": 1003
          },
          {
            "timestamp": "2026-05-28 22:02:13,854",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegNotifyChangeKeyValue",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\"
              },
              {
                "name": "NotifyFilter",
                "value": "0x10000005"
              },
              {
                "name": "WatchSubtree",
                "value": "1"
              },
              {
                "name": "Asynchronous",
                "value": "1"
              }
            ],
            "repeated": 0,
            "id": 1004
          },
          {
            "timestamp": "2026-05-28 22:02:13,854",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x00000384"
              }
            ],
            "repeated": 0,
            "id": 1005
          },
          {
            "timestamp": "2026-05-28 22:02:13,854",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "25"
              },
              {
                "name": "TokenInformation",
                "value": " \\xd8\\x92\\xf7\\xb8\\x00\\x00\\x00`\\x00\\x00\\x00\\xfc\\x7f\\x00\\x00\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x10\\x000\\x00\\x00\\xff\\xff\\xff\\xff\\xf8\\x81\\xd93\\xfc\\x7f\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x18\\xc0\\xd93\\xfc\\x7f\\x00\\x00\\xf8\\xd8\\x92\\xf7\\xb8\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00k\\x02ru\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1006
          },
          {
            "timestamp": "2026-05-28 22:02:13,854",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000384"
              }
            ],
            "repeated": 0,
            "id": 1007
          },
          {
            "timestamp": "2026-05-28 22:02:13,854",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xc0\\xd8\\x92\\xf7\\xb8\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\xe9\\x03\\x00\\x00\\xb8\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00B\\xcc\\xb9w\\xfc\\x7f\\x00\\x00\\xe0\\xd9\\x92\\xf7\\xb8\\x00\\x00\\x00\\x84\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\xe8\\xde\\x92\\xf7"
              }
            ],
            "repeated": 0,
            "id": 1008
          },
          {
            "timestamp": "2026-05-28 22:02:13,854",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "Software\\Microsoft\\OLE"
              },
              {
                "name": "Handle",
                "value": "0x00000384"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\OLE"
              }
            ],
            "repeated": 0,
            "id": 1009
          },
          {
            "timestamp": "2026-05-28 22:02:13,854",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000384"
              },
              {
                "name": "ValueName",
                "value": "MaxSxSHashCount"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Ole\\MaxSxSHashCount"
              }
            ],
            "repeated": 0,
            "id": 1010
          },
          {
            "timestamp": "2026-05-28 22:02:13,854",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000384"
              }
            ],
            "repeated": 0,
            "id": 1011
          },
          {
            "timestamp": "2026-05-28 22:02:13,854",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\System32\\shcore"
              },
              {
                "name": "DllBase",
                "value": "0x7ffc775b0000"
              }
            ],
            "repeated": 0,
            "id": 1012
          },
          {
            "timestamp": "2026-05-28 22:02:13,854",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\SYSTEM32\\wintypes"
              },
              {
                "name": "DllBase",
                "value": "0x7ffc71ec0000"
              }
            ],
            "repeated": 0,
            "id": 1013
          },
          {
            "timestamp": "2026-05-28 22:02:13,854",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\System32\\RMCLIENT"
              },
              {
                "name": "DllBase",
                "value": "0x7ffc73380000"
              }
            ],
            "repeated": 0,
            "id": 1014
          },
          {
            "timestamp": "2026-05-28 22:02:13,885",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\System32\\XmlLite"
              },
              {
                "name": "DllBase",
                "value": "0x7ffc711f0000"
              }
            ],
            "repeated": 0,
            "id": 1015
          },
          {
            "timestamp": "2026-05-28 22:02:13,885",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\System32\\twinapi.appcore"
              },
              {
                "name": "DllBase",
                "value": "0x7ffc6ff20000"
              }
            ],
            "repeated": 0,
            "id": 1016
          },
          {
            "timestamp": "2026-05-28 22:02:13,885",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\System32\\wpnapps"
              },
              {
                "name": "DllBase",
                "value": "0x7ffc60e20000"
              }
            ],
            "repeated": 0,
            "id": 1017
          },
          {
            "timestamp": "2026-05-28 22:02:13,885",
            "thread_id": "11032",
            "caller": "0x7ffc756e5810",
            "parentcaller": "0x7ffc1fa0f3bb",
            "category": "filesystem",
            "api": "NtReadFile",
            "status": true,
            "return": "0x00000103",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00001774"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\NamedPipe\\LOCAL\\mojo.9188.10632.18297276111718467407"
              },
              {
                "name": "Buffer",
                "value": "\\x10\\x00\\x00\\x00\\xe8\\x00\\x00\\x00\\xe4-\\x08\\x05\\x00\\x00\\x00\\x00\\x18\\x00\\x14\\x00\\x00\\x00\\x00\\x00\\x18\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00H\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x0f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00{\\x01\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00`\\x00\\x00\\x00p\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00h\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00-\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xc0\\x05\\x00\\x00@\\x00\\x00\\x00.\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "Length",
                "value": "688"
              }
            ],
            "repeated": 0,
            "id": 1018
          },
          {
            "timestamp": "2026-05-28 22:02:13,885",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\wpnapps.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc60e20000"
              }
            ],
            "repeated": 0,
            "id": 1019
          },
          {
            "timestamp": "2026-05-28 22:02:13,885",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x7ffc60e20000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\System32\\wpnapps.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00002008"
              }
            ],
            "repeated": 0,
            "id": 1020
          },
          {
            "timestamp": "2026-05-28 22:02:13,885",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "wpnapps.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc60e20000"
              },
              {
                "name": "FunctionName",
                "value": "DllGetClassObject"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc60e37a60"
              }
            ],
            "repeated": 0,
            "id": 1021
          },
          {
            "timestamp": "2026-05-28 22:02:13,885",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "wpnapps.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc60e20000"
              },
              {
                "name": "FunctionName",
                "value": "DllGetActivationFactory"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc60e37d00"
              }
            ],
            "repeated": 0,
            "id": 1022
          },
          {
            "timestamp": "2026-05-28 22:02:13,885",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "wpnapps.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc60e20000"
              },
              {
                "name": "FunctionName",
                "value": "DllCanUnloadNow"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc60e3b840"
              }
            ],
            "repeated": 0,
            "id": 1023
          },
          {
            "timestamp": "2026-05-28 22:02:13,885",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc77ea1000"
              },
              {
                "name": "ModuleName",
                "value": "combase.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1024
          },
          {
            "timestamp": "2026-05-28 22:02:13,885",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc77ea1000"
              },
              {
                "name": "ModuleName",
                "value": "combase.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1025
          },
          {
            "timestamp": "2026-05-28 22:02:13,885",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "29"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1026
          },
          {
            "timestamp": "2026-05-28 22:02:13,885",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtAllocateVirtualMemoryEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2a36544e000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1027
          },
          {
            "timestamp": "2026-05-28 22:02:13,885",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc77fd0000"
              },
              {
                "name": "FunctionName",
                "value": "RtlRegisterFeatureConfigurationChangeNotification"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc77fd93b0"
              }
            ],
            "repeated": 0,
            "id": 1028
          },
          {
            "timestamp": "2026-05-28 22:02:13,885",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc77fd0000"
              },
              {
                "name": "FunctionName",
                "value": "NtQueryWnfStateData"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc7806fc40"
              }
            ],
            "repeated": 0,
            "id": 1029
          },
          {
            "timestamp": "2026-05-28 22:02:13,885",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc77fd0000"
              },
              {
                "name": "FunctionName",
                "value": "RtlSubscribeWnfStateChangeNotification"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc78012460"
              }
            ],
            "repeated": 0,
            "id": 1030
          },
          {
            "timestamp": "2026-05-28 22:02:13,885",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc77fd0000"
              },
              {
                "name": "FunctionName",
                "value": "RtlQueryFeatureConfiguration"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc7802cbd0"
              }
            ],
            "repeated": 0,
            "id": 1031
          },
          {
            "timestamp": "2026-05-28 22:02:13,885",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtAllocateVirtualMemoryEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2a365461000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1032
          },
          {
            "timestamp": "2026-05-28 22:02:13,885",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "misc",
            "api": "NtQuerySystemInformation",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SystemInformationClass",
                "value": "164"
              }
            ],
            "repeated": 0,
            "id": 1033
          },
          {
            "timestamp": "2026-05-28 22:02:13,885",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020119",
                "pretty_value": "KEY_QUERY_VALUE|KEY_ENUMERATE_SUB_KEYS|KEY_NOTIFY|KEY_WOW64_64KEY|STANDARD_RIGHTS_REQUIRED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\SOFTWARE\\Policies\\Microsoft\\Windows\\Appx"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Appx"
              }
            ],
            "repeated": 0,
            "id": 1034
          },
          {
            "timestamp": "2026-05-28 22:02:13,885",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c0"
              },
              {
                "name": "ValueName",
                "value": "AllowDevelopmentWithoutDevLicense"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Appx\\AllowDevelopmentWithoutDevLicense"
              }
            ],
            "repeated": 0,
            "id": 1035
          },
          {
            "timestamp": "2026-05-28 22:02:13,885",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003c0"
              }
            ],
            "repeated": 0,
            "id": 1036
          },
          {
            "timestamp": "2026-05-28 22:02:13,885",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020119",
                "pretty_value": "KEY_QUERY_VALUE|KEY_ENUMERATE_SUB_KEYS|KEY_NOTIFY|KEY_WOW64_64KEY|STANDARD_RIGHTS_REQUIRED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModelUnlock"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModelUnlock"
              }
            ],
            "repeated": 0,
            "id": 1037
          },
          {
            "timestamp": "2026-05-28 22:02:13,885",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c0"
              },
              {
                "name": "ValueName",
                "value": "AllowDevelopmentWithoutDevLicense"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModelUnlock\\AllowDevelopmentWithoutDevLicense"
              }
            ],
            "repeated": 0,
            "id": 1038
          },
          {
            "timestamp": "2026-05-28 22:02:13,885",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003c0"
              }
            ],
            "repeated": 0,
            "id": 1039
          },
          {
            "timestamp": "2026-05-28 22:02:13,885",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc77fd0000"
              }
            ],
            "repeated": 0,
            "id": 1040
          },
          {
            "timestamp": "2026-05-28 22:02:13,885",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc77fd0000"
              },
              {
                "name": "FunctionName",
                "value": "RtlRegisterFeatureConfigurationChangeNotification"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc77fd93b0"
              }
            ],
            "repeated": 0,
            "id": 1041
          },
          {
            "timestamp": "2026-05-28 22:02:13,885",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc77fd0000"
              },
              {
                "name": "FunctionName",
                "value": "NtQueryWnfStateData"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc7806fc40"
              }
            ],
            "repeated": 0,
            "id": 1042
          },
          {
            "timestamp": "2026-05-28 22:02:13,885",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc77fd0000"
              },
              {
                "name": "FunctionName",
                "value": "RtlSubscribeWnfStateChangeNotification"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc78012460"
              }
            ],
            "repeated": 0,
            "id": 1043
          },
          {
            "timestamp": "2026-05-28 22:02:13,885",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc77fd0000"
              },
              {
                "name": "FunctionName",
                "value": "RtlDisownModuleHeapAllocation"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc7804fa30"
              }
            ],
            "repeated": 0,
            "id": 1044
          },
          {
            "timestamp": "2026-05-28 22:02:13,885",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc77fd0000"
              },
              {
                "name": "FunctionName",
                "value": "RtlQueryFeatureConfiguration"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc7802cbd0"
              }
            ],
            "repeated": 0,
            "id": 1045
          },
          {
            "timestamp": "2026-05-28 22:02:13,885",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtAllocateVirtualMemoryEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2a36544f000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1046
          },
          {
            "timestamp": "2026-05-28 22:02:13,885",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtAllocateVirtualMemoryEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2a365450000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1047
          },
          {
            "timestamp": "2026-05-28 22:02:13,885",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "Software\\Microsoft\\OLE\\AppCompat"
              },
              {
                "name": "Handle",
                "value": "0x000003c0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\OLE\\AppCompat"
              }
            ],
            "repeated": 0,
            "id": 1048
          },
          {
            "timestamp": "2026-05-28 22:02:13,885",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003c0"
              },
              {
                "name": "ValueName",
                "value": "RaiseActivationAuthenticationLevel"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Ole\\AppCompat\\RaiseActivationAuthenticationLevel"
              }
            ],
            "repeated": 0,
            "id": 1049
          },
          {
            "timestamp": "2026-05-28 22:02:13,885",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003c0"
              }
            ],
            "repeated": 0,
            "id": 1050
          },
          {
            "timestamp": "2026-05-28 22:02:13,885",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x000003c0"
              }
            ],
            "repeated": 0,
            "id": 1051
          },
          {
            "timestamp": "2026-05-28 22:02:13,885",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "20"
              },
              {
                "name": "TokenInformation",
                "value": "\\x01\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1052
          },
          {
            "timestamp": "2026-05-28 22:02:13,885",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "18"
              },
              {
                "name": "TokenInformation",
                "value": "\\x01\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1053
          },
          {
            "timestamp": "2026-05-28 22:02:13,885",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "0\\xc9\\x92\\xf7\\xb8\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xfc\\x7f\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\xe9\\x03\\x00\\x00\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00'\\xc0\\xd93\\xfc\\x7f\\x00\\x00\\xa0\\xbd\\xd93\\xfc\\x7f\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xe0\\xc9\\x92\\xf7\\xb8\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x18\\xc0\\xd93"
              }
            ],
            "repeated": 0,
            "id": 1054
          },
          {
            "timestamp": "2026-05-28 22:02:13,885",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003c4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\User\\S-1-5-21-3968686040-3210279463-847977608-1001_Classes"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes"
              }
            ],
            "repeated": 0,
            "id": 1055
          },
          {
            "timestamp": "2026-05-28 22:02:13,885",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003c0"
              }
            ],
            "repeated": 0,
            "id": 1056
          },
          {
            "timestamp": "2026-05-28 22:02:13,885",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x000003c6"
              },
              {
                "name": "SubKey",
                "value": "AppID\\identity_helper.exe"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\AppID\\identity_helper.exe"
              }
            ],
            "repeated": 0,
            "id": 1057
          },
          {
            "timestamp": "2026-05-28 22:02:13,885",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc77fd0000"
              }
            ],
            "repeated": 0,
            "id": 1058
          },
          {
            "timestamp": "2026-05-28 22:02:13,885",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "LdrGetProcedureAddress",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc77fd0000"
              },
              {
                "name": "FunctionName",
                "value": "RtlWow64GetCurrentMachine"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc78020d90"
              }
            ],
            "repeated": 0,
            "id": 1059
          },
          {
            "timestamp": "2026-05-28 22:02:13,885",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "LdrGetProcedureAddress",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc77fd0000"
              },
              {
                "name": "FunctionName",
                "value": "RtlWow64IsWowGuestMachineSupported"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc7804c670"
              }
            ],
            "repeated": 0,
            "id": 1060
          },
          {
            "timestamp": "2026-05-28 22:02:13,885",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x000003c6"
              },
              {
                "name": "SubKey",
                "value": "AppID\\identity_helper.exe"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\AppID\\identity_helper.exe"
              }
            ],
            "repeated": 0,
            "id": 1061
          },
          {
            "timestamp": "2026-05-28 22:02:13,885",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "Software\\Microsoft\\OLE\\AppCompat"
              },
              {
                "name": "Handle",
                "value": "0x000003c0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\OLE\\AppCompat"
              }
            ],
            "repeated": 0,
            "id": 1062
          },
          {
            "timestamp": "2026-05-28 22:02:13,885",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003c0"
              },
              {
                "name": "ValueName",
                "value": "RaiseDefaultAuthnLevel"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Ole\\AppCompat\\RaiseDefaultAuthnLevel"
              }
            ],
            "repeated": 0,
            "id": 1063
          },
          {
            "timestamp": "2026-05-28 22:02:13,885",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003c0"
              }
            ],
            "repeated": 0,
            "id": 1064
          },
          {
            "timestamp": "2026-05-28 22:02:13,885",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "SOFTWARE\\Microsoft\\OLE"
              },
              {
                "name": "Handle",
                "value": "0x000003c0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\OLE"
              }
            ],
            "repeated": 0,
            "id": 1065
          },
          {
            "timestamp": "2026-05-28 22:02:13,885",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003c0"
              },
              {
                "name": "ValueName",
                "value": "DefaultAccessPermission"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Ole\\DefaultAccessPermission"
              }
            ],
            "repeated": 0,
            "id": 1066
          },
          {
            "timestamp": "2026-05-28 22:02:13,885",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x000003c8"
              }
            ],
            "repeated": 0,
            "id": 1067
          },
          {
            "timestamp": "2026-05-28 22:02:13,885",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "25"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 1068
          },
          {
            "timestamp": "2026-05-28 22:02:13,885",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "25"
              },
              {
                "name": "TokenInformation",
                "value": "\\xd0\\xa8De\\xa3\\x02\\x00\\x00`\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x10\\x000\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1069
          },
          {
            "timestamp": "2026-05-28 22:02:13,885",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003c8"
              }
            ],
            "repeated": 0,
            "id": 1070
          },
          {
            "timestamp": "2026-05-28 22:02:13,885",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": false,
            "return": "0xffffffffc0000135",
            "pretty_return": "DLL_NOT_FOUND",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\system32\\rpcss.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 1071
          },
          {
            "timestamp": "2026-05-28 22:02:13,885",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003c0"
              }
            ],
            "repeated": 0,
            "id": 1072
          },
          {
            "timestamp": "2026-05-28 22:02:13,885",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc77ea1000"
              },
              {
                "name": "ModuleName",
                "value": "combase.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1073
          },
          {
            "timestamp": "2026-05-28 22:02:13,885",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc77ea1000"
              },
              {
                "name": "ModuleName",
                "value": "combase.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1074
          },
          {
            "timestamp": "2026-05-28 22:02:13,885",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "29"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1075
          },
          {
            "timestamp": "2026-05-28 22:02:13,885",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003c8"
              }
            ],
            "repeated": 0,
            "id": 1076
          },
          {
            "timestamp": "2026-05-28 22:02:13,885",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc77ea1000"
              },
              {
                "name": "ModuleName",
                "value": "combase.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1077
          },
          {
            "timestamp": "2026-05-28 22:02:13,885",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc77ea1000"
              },
              {
                "name": "ModuleName",
                "value": "combase.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1078
          },
          {
            "timestamp": "2026-05-28 22:02:13,885",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "29"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1079
          },
          {
            "timestamp": "2026-05-28 22:02:13,885",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "synchronization",
            "api": "NtOpenEvent",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000029e0"
              },
              {
                "name": "EventName",
                "value": "MSFT.VSA.COM.DISABLE.10720"
              }
            ],
            "repeated": 0,
            "id": 1080
          },
          {
            "timestamp": "2026-05-28 22:02:13,885",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "synchronization",
            "api": "NtOpenEvent",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "EventName",
                "value": "MSFT.VSA.IEC.STATUS.6c736db0"
              }
            ],
            "repeated": 0,
            "id": 1081
          },
          {
            "timestamp": "2026-05-28 22:02:13,885",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtAllocateVirtualMemoryEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2a365452000"
              },
              {
                "name": "RegionSize",
                "value": "0x00002000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1082
          },
          {
            "timestamp": "2026-05-28 22:02:13,885",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x000003c6"
              },
              {
                "name": "SubKey",
                "value": "Interface\\{00000134-0000-0000-C000-000000000046}"
              },
              {
                "name": "Handle",
                "value": "0x000003d2"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\Interface\\{00000134-0000-0000-C000-000000000046}"
              }
            ],
            "repeated": 0,
            "id": 1083
          },
          {
            "timestamp": "2026-05-28 22:02:13,885",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x000003d2"
              },
              {
                "name": "SubKey",
                "value": "ProxyStubClsid32"
              },
              {
                "name": "Handle",
                "value": "0x000003d6"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{00000134-0000-0000-C000-000000000046}\\ProxyStubClsid32"
              }
            ],
            "repeated": 0,
            "id": 1084
          },
          {
            "timestamp": "2026-05-28 22:02:13,885",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003d6"
              },
              {
                "name": "ValueName",
                "value": ""
              },
              {
                "name": "Data",
                "value": "{00000320-0000-0000-C000-000000000046}"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{00000134-0000-0000-C000-000000000046}\\ProxyStubClsid32\\(Default)"
              }
            ],
            "repeated": 0,
            "id": 1085
          },
          {
            "timestamp": "2026-05-28 22:02:13,885",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003d6"
              }
            ],
            "repeated": 0,
            "id": 1086
          },
          {
            "timestamp": "2026-05-28 22:02:13,885",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003d2"
              }
            ],
            "repeated": 0,
            "id": 1087
          },
          {
            "timestamp": "2026-05-28 22:02:13,885",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003d0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\MACHINE\\Software\\Microsoft\\Rpc\\Extensions"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Rpc\\Extensions"
              }
            ],
            "repeated": 0,
            "id": 1088
          },
          {
            "timestamp": "2026-05-28 22:02:13,885",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000003d0"
              },
              {
                "name": "ValueName",
                "value": "NdrOleExtDLL"
              },
              {
                "name": "Type",
                "value": "2",
                "pretty_value": "REG_EXPAND_SZ"
              },
              {
                "name": "Information",
                "value": "combase.dll"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Rpc\\Extensions\\NdrOleExtDLL"
              }
            ],
            "repeated": 0,
            "id": 1089
          },
          {
            "timestamp": "2026-05-28 22:02:13,885",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003d0"
              }
            ],
            "repeated": 0,
            "id": 1090
          },
          {
            "timestamp": "2026-05-28 22:02:13,885",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "combase.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc77b70000"
              }
            ],
            "repeated": 0,
            "id": 1091
          },
          {
            "timestamp": "2026-05-28 22:02:13,885",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "combase.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc77b70000"
              },
              {
                "name": "FunctionName",
                "value": "NdrOleInitializeExtension"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc77c44240"
              }
            ],
            "repeated": 0,
            "id": 1092
          },
          {
            "timestamp": "2026-05-28 22:02:13,885",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "combase.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc77b70000"
              },
              {
                "name": "FunctionName",
                "value": "CoMarshalInterface"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc77beb0b0"
              }
            ],
            "repeated": 0,
            "id": 1093
          },
          {
            "timestamp": "2026-05-28 22:02:13,885",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "combase.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc77b70000"
              },
              {
                "name": "FunctionName",
                "value": "CoUnmarshalInterface"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc77be8b50"
              }
            ],
            "repeated": 0,
            "id": 1094
          },
          {
            "timestamp": "2026-05-28 22:02:13,885",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "combase.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc77b70000"
              },
              {
                "name": "FunctionName",
                "value": "StringFromIID"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc77c19780"
              }
            ],
            "repeated": 0,
            "id": 1095
          },
          {
            "timestamp": "2026-05-28 22:02:13,885",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "combase.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc77b70000"
              },
              {
                "name": "FunctionName",
                "value": "CoTaskMemAlloc"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc77c22e80"
              }
            ],
            "repeated": 0,
            "id": 1096
          },
          {
            "timestamp": "2026-05-28 22:02:13,885",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "combase.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc77b70000"
              },
              {
                "name": "FunctionName",
                "value": "CoTaskMemFree"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc77c21b70"
              }
            ],
            "repeated": 0,
            "id": 1097
          },
          {
            "timestamp": "2026-05-28 22:02:13,885",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "combase.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc77b70000"
              },
              {
                "name": "FunctionName",
                "value": "CoCreateInstance"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc77b9a420"
              }
            ],
            "repeated": 0,
            "id": 1098
          },
          {
            "timestamp": "2026-05-28 22:02:13,885",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "combase.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc77b70000"
              },
              {
                "name": "FunctionName",
                "value": "CoReleaseMarshalData"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc77b9e790"
              }
            ],
            "repeated": 0,
            "id": 1099
          },
          {
            "timestamp": "2026-05-28 22:02:13,885",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "29"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1100
          },
          {
            "timestamp": "2026-05-28 22:02:13,885",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "filesystem",
            "api": "NtOpenDirectoryObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "DirectoryHandle",
                "value": "0x000003d0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020001",
                "pretty_value": "FILE_READ_ACCESS|READ_CONTROL"
              },
              {
                "name": "ObjectAttributes",
                "value": "C:\\RPC Control"
              }
            ],
            "repeated": 0,
            "id": 1101
          },
          {
            "timestamp": "2026-05-28 22:02:13,885",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x000003d4"
              }
            ],
            "repeated": 0,
            "id": 1102
          },
          {
            "timestamp": "2026-05-28 22:02:13,885",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "10"
              },
              {
                "name": "TokenInformation",
                "value": "H\\xc5\n\\x00\\x00\\x00\\x00\\x00]Y\\x02\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x7f\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x94\\x0f\\x00\\x00\\x0e\\x00\\x00\\x00\\x18\\x00\\x00\\x00\t\\xc5\n\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1103
          },
          {
            "timestamp": "2026-05-28 22:02:13,885",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "4"
              },
              {
                "name": "TokenInformation",
                "value": "\\x08\\x1fCe\\xa3\\x02\\x00\\x00\\x01\\x02\\x00\\x00\\x00\\x00\\x00\\x05 \\x00\\x00\\x00 \\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1104
          },
          {
            "timestamp": "2026-05-28 22:02:13,885",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "25"
              },
              {
                "name": "TokenInformation",
                "value": "\\xe0\\x04Fe\\xa3\\x02\\x00\\x00`\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x10\\x000\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1105
          },
          {
            "timestamp": "2026-05-28 22:02:13,885",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "5"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 1106
          },
          {
            "timestamp": "2026-05-28 22:02:13,885",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "5"
              },
              {
                "name": "TokenInformation",
                "value": "\\xf8\\xbeBe\\xa3\\x02\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\x01\\x02\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1107
          },
          {
            "timestamp": "2026-05-28 22:02:13,885",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "6"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 1108
          },
          {
            "timestamp": "2026-05-28 22:02:13,885",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "6"
              },
              {
                "name": "TokenInformation",
                "value": "\\x18\\x04Fe\\xa3\\x02\\x00\\x00\\x02\\x00P\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x18\\x00\\x00\\x00\\x00\\x10\\x01\\x02\\x00\\x00\\x00\\x00\\x00\\x05 \\x00\\x00\\x00 \\x02\\x00\\x00\\x00\\x00\\x14\\x00\\x00\\x00\\x00\\x10\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x05\\x12\\x00\\x00\\x00\\x00\\x00\\x1c\\x00\\x00\\x00\\x00\\xa0\\x01\\x03\\x00\\x00\\x00\\x00\\x00\\x05\\x05\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xc7X\\x02\\x00"
              }
            ],
            "repeated": 0,
            "id": 1109
          },
          {
            "timestamp": "2026-05-28 22:02:13,885",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "41"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00X@\\xdd3\\xfc\\x7f\\x00\\x00\\xebP\\xb53\\xfc\\x7f\\x00\\x00\\xa8\\xe3\\xb4\\xf4\\x02;\\x00\\x00(N\\xd93\\xfc\\x7f\\x00\\x00\\xd0\\xc5\\x92\\xf7\\xb8\\x00\\x00\\x00\\xc8\\xc5\\x92\\xf7\\xb8\\x00\\x00\\x00\\x98\\xc5\\x92\\xf7\\xb8\\x00\\x00\\x00\\xb8\\xc5\\x92\\xf7"
              }
            ],
            "repeated": 0,
            "id": 1110
          },
          {
            "timestamp": "2026-05-28 22:02:13,885",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "41"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x04Fe\\xa3\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xd9\\xd8\\xb63\\xfc\\x7f\\x00\\x00#\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\xb8\\xc3\\x92\\xf7\\xb8\\x00\\x00\\x00\\xd4\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x9a\\x00\\x1f8\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x86\\xa2\\xd93"
              }
            ],
            "repeated": 0,
            "id": 1111
          },
          {
            "timestamp": "2026-05-28 22:02:13,885",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "10"
              },
              {
                "name": "TokenInformation",
                "value": "H\\xc5\n\\x00\\x00\\x00\\x00\\x00]Y\\x02\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x7f\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x94\\x0f\\x00\\x00\\x0e\\x00\\x00\\x00\\x18\\x00\\x00\\x00\t\\xc5\n\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1112
          },
          {
            "timestamp": "2026-05-28 22:02:13,885",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "4"
              },
              {
                "name": "TokenInformation",
                "value": "X\\x1fCe\\xa3\\x02\\x00\\x00\\x01\\x02\\x00\\x00\\x00\\x00\\x00\\x05 \\x00\\x00\\x00 \\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1113
          },
          {
            "timestamp": "2026-05-28 22:02:13,885",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "25"
              },
              {
                "name": "TokenInformation",
                "value": "@\\x05Fe\\xa3\\x02\\x00\\x00`\\x00\\x00\\x002\\x001\\x00\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x10\\x000\\x00\\x008\\x006\\x000\\x004\\x000\\x00-\\x003\\x002\\x001\\x000\\x002\\x007\\x009\\x004\\x006\\x003\\x00-\\x008\\x004\\x007\\x009\\x007\\x007\\x006\\x000\\x008\\x00-\\x001\\x00"
              }
            ],
            "repeated": 0,
            "id": 1114
          },
          {
            "timestamp": "2026-05-28 22:02:13,885",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "5"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 1115
          },
          {
            "timestamp": "2026-05-28 22:02:13,885",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "5"
              },
              {
                "name": "TokenInformation",
                "value": "(\\xbfBe\\xa3\\x02\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\x01\\x02\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1116
          },
          {
            "timestamp": "2026-05-28 22:02:13,885",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "6"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 1117
          },
          {
            "timestamp": "2026-05-28 22:02:13,885",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "6"
              },
              {
                "name": "TokenInformation",
                "value": "\\x98\\x02Fe\\xa3\\x02\\x00\\x00\\x02\\x00P\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x18\\x00\\x00\\x00\\x00\\x10\\x01\\x02\\x00\\x00\\x00\\x00\\x00\\x05 \\x00\\x00\\x00 \\x02\\x00\\x00\\x00\\x00\\x14\\x00\\x00\\x00\\x00\\x10\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x05\\x12\\x00\\x00\\x00\\x00\\x00\\x1c\\x00\\x00\\x00\\x00\\xa0\\x01\\x03\\x00\\x00\\x00\\x00\\x00\\x05\\x05\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xc7X\\x02\\x00"
              }
            ],
            "repeated": 0,
            "id": 1118
          },
          {
            "timestamp": "2026-05-28 22:02:13,885",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "41"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00X@\\xdd3\\xfc\\x7f\\x00\\x00\\xebP\\xb53\\xfc\\x7f\\x00\\x00H\\xe7\\xb4\\xf4\\x02;\\x00\\x00(N\\xd93\\xfc\\x7f\\x00\\x000\\xc2\\x92\\xf7\\xb8\\x00\\x00\\x00(\\xc2\\x92\\xf7\\xb8\\x00\\x00\\x00\\xf8\\xc1\\x92\\xf7\\xb8\\x00\\x00\\x00\\x18\\xc2\\x92\\xf7"
              }
            ],
            "repeated": 0,
            "id": 1119
          },
          {
            "timestamp": "2026-05-28 22:02:13,885",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "41"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x90\\x02Fe\\xa3\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xd9\\xd8\\xb63\\xfc\\x7f\\x00\\x00#\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x18\\xc0\\x92\\xf7\\xb8\\x00\\x00\\x00\\xd4\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x9a\\x00\\x1f8\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x86\\xa2\\xd93"
              }
            ],
            "repeated": 0,
            "id": 1120
          },
          {
            "timestamp": "2026-05-28 22:02:13,885",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003d0"
              }
            ],
            "repeated": 0,
            "id": 1121
          },
          {
            "timestamp": "2026-05-28 22:02:13,885",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003d4"
              }
            ],
            "repeated": 0,
            "id": 1122
          },
          {
            "timestamp": "2026-05-28 22:02:13,885",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "misc",
            "api": "GetSystemInfo",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 1123
          },
          {
            "timestamp": "2026-05-28 22:02:13,885",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "combase.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc77b70000"
              }
            ],
            "repeated": 0,
            "id": 1124
          },
          {
            "timestamp": "2026-05-28 22:02:13,885",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "threading",
            "api": "NtCreateThreadEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0x000003d8"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "StartAddress",
                "value": "0x7ffc77c12d30"
              },
              {
                "name": "Parameter",
                "value": "0x2a3654615d0"
              },
              {
                "name": "CreateFlags",
                "value": "0x00000001"
              },
              {
                "name": "ThreadId",
                "value": "11120"
              },
              {
                "name": "ProcessId",
                "value": "10720"
              },
              {
                "name": "Module",
                "value": "combase.dll"
              }
            ],
            "repeated": 0,
            "id": 1125
          },
          {
            "timestamp": "2026-05-28 22:02:13,885",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "threading",
            "api": "CreateRemoteThreadEx",
            "status": true,
            "return": "0x000003d8",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "StartRoutine",
                "value": "0x7ffc77c12d30"
              },
              {
                "name": "Parameter",
                "value": "0x2a3654615d0"
              },
              {
                "name": "CreationFlags",
                "value": "0x00000000"
              },
              {
                "name": "ThreadId",
                "value": "11120"
              },
              {
                "name": "ProcessId",
                "value": "10720"
              }
            ],
            "repeated": 0,
            "id": 1126
          },
          {
            "timestamp": "2026-05-28 22:02:13,885",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003d8"
              }
            ],
            "repeated": 0,
            "id": 1127
          },
          {
            "timestamp": "2026-05-28 22:02:13,885",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "29"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1128
          },
          {
            "timestamp": "2026-05-28 22:02:13,885",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "filesystem",
            "api": "NtOpenDirectoryObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "DirectoryHandle",
                "value": "0x000003d8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020001",
                "pretty_value": "FILE_READ_ACCESS|READ_CONTROL"
              },
              {
                "name": "ObjectAttributes",
                "value": "C:\\RPC Control"
              }
            ],
            "repeated": 0,
            "id": 1129
          },
          {
            "timestamp": "2026-05-28 22:02:13,885",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x000003e0"
              }
            ],
            "repeated": 0,
            "id": 1130
          },
          {
            "timestamp": "2026-05-28 22:02:13,885",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "10"
              },
              {
                "name": "TokenInformation",
                "value": "H\\xc5\n\\x00\\x00\\x00\\x00\\x00]Y\\x02\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x7f\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x94\\x0f\\x00\\x00\\x0e\\x00\\x00\\x00\\x18\\x00\\x00\\x00\t\\xc5\n\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1131
          },
          {
            "timestamp": "2026-05-28 22:02:13,885",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "4"
              },
              {
                "name": "TokenInformation",
                "value": "\\x88\\x1cCe\\xa3\\x02\\x00\\x00\\x01\\x02\\x00\\x00\\x00\\x00\\x00\\x05 \\x00\\x00\\x00 \\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1132
          },
          {
            "timestamp": "2026-05-28 22:02:13,885",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "25"
              },
              {
                "name": "TokenInformation",
                "value": " \\x01Fe\\xa3\\x02\\x00\\x00`\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x10\\x000\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1133
          },
          {
            "timestamp": "2026-05-28 22:02:13,885",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "5"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 1134
          },
          {
            "timestamp": "2026-05-28 22:02:13,885",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "5"
              },
              {
                "name": "TokenInformation",
                "value": "h\\xbeBe\\xa3\\x02\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\x01\\x02\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1135
          },
          {
            "timestamp": "2026-05-28 22:02:13,885",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "6"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 1136
          },
          {
            "timestamp": "2026-05-28 22:02:13,885",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "6"
              },
              {
                "name": "TokenInformation",
                "value": "\\xb8\\x06Fe\\xa3\\x02\\x00\\x00\\x02\\x00P\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x18\\x00\\x00\\x00\\x00\\x10\\x01\\x02\\x00\\x00\\x00\\x00\\x00\\x05 \\x00\\x00\\x00 \\x02\\x00\\x00\\x00\\x00\\x14\\x00\\x00\\x00\\x00\\x10\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x05\\x12\\x00\\x00\\x00\\x00\\x00\\x1c\\x00\\x00\\x00\\x00\\xa0\\x01\\x03\\x00\\x00\\x00\\x00\\x00\\x05\\x05\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xc7X\\x02\\x00"
              }
            ],
            "repeated": 0,
            "id": 1137
          },
          {
            "timestamp": "2026-05-28 22:02:13,885",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "41"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00X@\\xdd3\\xfc\\x7f\\x00\\x00\\xebP\\xb53\\xfc\\x7f\\x00\\x00\\xd8\\x9f\\xb4\\xf4\\x02;\\x00\\x00(N\\xd93\\xfc\\x7f\\x00\\x00\\xa0\\xc9\\x92\\xf7\\xb8\\x00\\x00\\x00\\x98\\xc9\\x92\\xf7\\xb8\\x00\\x00\\x00h\\xc9\\x92\\xf7\\xb8\\x00\\x00\\x00\\x88\\xc9\\x92\\xf7"
              }
            ],
            "repeated": 0,
            "id": 1138
          },
          {
            "timestamp": "2026-05-28 22:02:13,885",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "41"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb0\\x06Fe\\xa3\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xd9\\xd8\\xb63\\xfc\\x7f\\x00\\x00#\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x88\\xc7\\x92\\xf7\\xb8\\x00\\x00\\x00\\xe0\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x9a\\x00\\x1f8\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x86\\xa2\\xd93"
              }
            ],
            "repeated": 0,
            "id": 1139
          },
          {
            "timestamp": "2026-05-28 22:02:13,885",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "10"
              },
              {
                "name": "TokenInformation",
                "value": "H\\xc5\n\\x00\\x00\\x00\\x00\\x00]Y\\x02\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x7f\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x94\\x0f\\x00\\x00\\x0e\\x00\\x00\\x00\\x18\\x00\\x00\\x00\t\\xc5\n\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1140
          },
          {
            "timestamp": "2026-05-28 22:02:13,885",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "4"
              },
              {
                "name": "TokenInformation",
                "value": "\\xc8\\x1dCe\\xa3\\x02\\x00\\x00\\x01\\x02\\x00\\x00\\x00\\x00\\x00\\x05 \\x00\\x00\\x00 \\x02\\x00\\x00e\\x00r\\x00s\\x00o\\x00n\\x00a\\x00t\\x00i\\x00o\\x00n\\x00 \\x00D\\x00y\\x00n\\x00a\\x00m\\x00i\\x00c\\x00 \\x00F\\x00a\\x00l\\x00s\\x00e\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1141
          },
          {
            "timestamp": "2026-05-28 22:02:13,885",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "25"
              },
              {
                "name": "TokenInformation",
                "value": "@\\x05Fe\\xa3\\x02\\x00\\x00`\\x00\\x00\\x002\\x001\\x00\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x10\\x000\\x00\\x008\\x006\\x000\\x004\\x000\\x00-\\x003\\x002\\x001\\x000\\x002\\x007\\x009\\x004\\x006\\x003\\x00-\\x008\\x004\\x007\\x009\\x007\\x007\\x006\\x000\\x008\\x00-\\x001\\x00"
              }
            ],
            "repeated": 0,
            "id": 1142
          },
          {
            "timestamp": "2026-05-28 22:02:13,885",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "5"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 1143
          },
          {
            "timestamp": "2026-05-28 22:02:13,900",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "5"
              },
              {
                "name": "TokenInformation",
                "value": "\\xb8\\xbfBe\\xa3\\x02\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\x01\\x02\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1144
          },
          {
            "timestamp": "2026-05-28 22:02:13,900",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "6"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 1145
          },
          {
            "timestamp": "2026-05-28 22:02:13,900",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "6"
              },
              {
                "name": "TokenInformation",
                "value": "x\\x01Fe\\xa3\\x02\\x00\\x00\\x02\\x00P\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x18\\x00\\x00\\x00\\x00\\x10\\x01\\x02\\x00\\x00\\x00\\x00\\x00\\x05 \\x00\\x00\\x00 \\x02\\x00\\x00\\x00\\x00\\x14\\x00\\x00\\x00\\x00\\x10\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x05\\x12\\x00\\x00\\x00\\x00\\x00\\x1c\\x00\\x00\\x00\\x00\\xa0\\x01\\x03\\x00\\x00\\x00\\x00\\x00\\x05\\x05\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xc7X\\x02\\x00"
              }
            ],
            "repeated": 0,
            "id": 1146
          },
          {
            "timestamp": "2026-05-28 22:02:13,900",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "41"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00X@\\xdd3\\xfc\\x7f\\x00\\x00\\xebP\\xb53\\xfc\\x7f\\x00\\x00x\\xe3\\xb4\\xf4\\x02;\\x00\\x00(N\\xd93\\xfc\\x7f\\x00\\x00\\x00\\xc6\\x92\\xf7\\xb8\\x00\\x00\\x00\\xf8\\xc5\\x92\\xf7\\xb8\\x00\\x00\\x00\\xc8\\xc5\\x92\\xf7\\xb8\\x00\\x00\\x00\\xe8\\xc5\\x92\\xf7"
              }
            ],
            "repeated": 0,
            "id": 1147
          },
          {
            "timestamp": "2026-05-28 22:02:13,900",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "41"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00p\\x01Fe\\xa3\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xd9\\xd8\\xb63\\xfc\\x7f\\x00\\x00#\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\xe8\\xc3\\x92\\xf7\\xb8\\x00\\x00\\x00\\xe0\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x9a\\x00\\x1f8\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x86\\xa2\\xd93"
              }
            ],
            "repeated": 0,
            "id": 1148
          },
          {
            "timestamp": "2026-05-28 22:02:13,900",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtAllocateVirtualMemoryEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2a365454000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1149
          },
          {
            "timestamp": "2026-05-28 22:02:13,900",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003d8"
              }
            ],
            "repeated": 0,
            "id": 1150
          },
          {
            "timestamp": "2026-05-28 22:02:13,900",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003e0"
              }
            ],
            "repeated": 0,
            "id": 1151
          },
          {
            "timestamp": "2026-05-28 22:02:13,900",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "29"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1152
          },
          {
            "timestamp": "2026-05-28 22:02:13,900",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "filesystem",
            "api": "NtOpenDirectoryObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "DirectoryHandle",
                "value": "0x000003e0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020001",
                "pretty_value": "FILE_READ_ACCESS|READ_CONTROL"
              },
              {
                "name": "ObjectAttributes",
                "value": "C:\\RPC Control"
              }
            ],
            "repeated": 0,
            "id": 1153
          },
          {
            "timestamp": "2026-05-28 22:02:13,900",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x000003d8"
              }
            ],
            "repeated": 0,
            "id": 1154
          },
          {
            "timestamp": "2026-05-28 22:02:13,900",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "10"
              },
              {
                "name": "TokenInformation",
                "value": "H\\xc5\n\\x00\\x00\\x00\\x00\\x00]Y\\x02\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x7f\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x94\\x0f\\x00\\x00\\x0e\\x00\\x00\\x00\\x18\\x00\\x00\\x00\t\\xc5\n\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1155
          },
          {
            "timestamp": "2026-05-28 22:02:13,900",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "4"
              },
              {
                "name": "TokenInformation",
                "value": "\\x88\\x1cCe\\xa3\\x02\\x00\\x00\\x01\\x02\\x00\\x00\\x00\\x00\\x00\\x05 \\x00\\x00\\x00 \\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1156
          },
          {
            "timestamp": "2026-05-28 22:02:13,900",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "25"
              },
              {
                "name": "TokenInformation",
                "value": "\\xa0\\x02Fe\\xa3\\x02\\x00\\x00`\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x10\\x000\\x00\\x00\\x00\\x00\\x00\\x05 \\x00\\x00\\x00 \\x02\\x00\\x00\\x00\\x00\\x14\\x00\\x00\\x00\\x00\\x10\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x05\\x12\\x00\\x00\\x00\\x00\\x00\\x1c\\x00\\x00\\x00\\x00\\xa0\\x01\\x03\\x00\\x00\\x00\\x00\\x00\\x05\\x05\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1157
          },
          {
            "timestamp": "2026-05-28 22:02:13,900",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "5"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 1158
          },
          {
            "timestamp": "2026-05-28 22:02:13,900",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "5"
              },
              {
                "name": "TokenInformation",
                "value": "\\xd8\\xbdBe\\xa3\\x02\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\x01\\x02\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1159
          },
          {
            "timestamp": "2026-05-28 22:02:13,900",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "6"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 1160
          },
          {
            "timestamp": "2026-05-28 22:02:13,900",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "6"
              },
              {
                "name": "TokenInformation",
                "value": "8\\x0bFe\\xa3\\x02\\x00\\x00\\x02\\x00P\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x18\\x00\\x00\\x00\\x00\\x10\\x01\\x02\\x00\\x00\\x00\\x00\\x00\\x05 \\x00\\x00\\x00 \\x02\\x00\\x00\\x00\\x00\\x14\\x00\\x00\\x00\\x00\\x10\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x05\\x12\\x00\\x00\\x00\\x00\\x00\\x1c\\x00\\x00\\x00\\x00\\xa0\\x01\\x03\\x00\\x00\\x00\\x00\\x00\\x05\\x05\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xc7X\\x02\\x00"
              }
            ],
            "repeated": 0,
            "id": 1161
          },
          {
            "timestamp": "2026-05-28 22:02:13,900",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "41"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00X@\\xdd3\\xfc\\x7f\\x00\\x00\\xebP\\xb53\\xfc\\x7f\\x00\\x00\\xd8\\x9f\\xb4\\xf4\\x02;\\x00\\x00(N\\xd93\\xfc\\x7f\\x00\\x00\\xa0\\xc9\\x92\\xf7\\xb8\\x00\\x00\\x00\\x98\\xc9\\x92\\xf7\\xb8\\x00\\x00\\x00h\\xc9\\x92\\xf7\\xb8\\x00\\x00\\x00\\x88\\xc9\\x92\\xf7"
              }
            ],
            "repeated": 0,
            "id": 1162
          },
          {
            "timestamp": "2026-05-28 22:02:13,900",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "41"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x000\\x0bFe\\xa3\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xd9\\xd8\\xb63\\xfc\\x7f\\x00\\x00#\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x88\\xc7\\x92\\xf7\\xb8\\x00\\x00\\x00\\xd8\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x9a\\x00\\x1f8\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x86\\xa2\\xd93"
              }
            ],
            "repeated": 0,
            "id": 1163
          },
          {
            "timestamp": "2026-05-28 22:02:13,900",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "10"
              },
              {
                "name": "TokenInformation",
                "value": "H\\xc5\n\\x00\\x00\\x00\\x00\\x00]Y\\x02\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x7f\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x94\\x0f\\x00\\x00\\x0e\\x00\\x00\\x00\\x18\\x00\\x00\\x00\t\\xc5\n\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1164
          },
          {
            "timestamp": "2026-05-28 22:02:13,900",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "4"
              },
              {
                "name": "TokenInformation",
                "value": "X\\x1fCe\\xa3\\x02\\x00\\x00\\x01\\x02\\x00\\x00\\x00\\x00\\x00\\x05 \\x00\\x00\\x00 \\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1165
          },
          {
            "timestamp": "2026-05-28 22:02:13,900",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "25"
              },
              {
                "name": "TokenInformation",
                "value": "\\xc0\tFe\\xa3\\x02\\x00\\x00`\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x10\\x000\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1166
          },
          {
            "timestamp": "2026-05-28 22:02:13,900",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "5"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 1167
          },
          {
            "timestamp": "2026-05-28 22:02:13,900",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "5"
              },
              {
                "name": "TokenInformation",
                "value": "(\\xbfBe\\xa3\\x02\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\x01\\x02\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1168
          },
          {
            "timestamp": "2026-05-28 22:02:13,900",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "6"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 1169
          },
          {
            "timestamp": "2026-05-28 22:02:13,900",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "6"
              },
              {
                "name": "TokenInformation",
                "value": "\\xd8\\x01Fe\\xa3\\x02\\x00\\x00\\x02\\x00P\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x18\\x00\\x00\\x00\\x00\\x10\\x01\\x02\\x00\\x00\\x00\\x00\\x00\\x05 \\x00\\x00\\x00 \\x02\\x00\\x00\\x00\\x00\\x14\\x00\\x00\\x00\\x00\\x10\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x05\\x12\\x00\\x00\\x00\\x00\\x00\\x1c\\x00\\x00\\x00\\x00\\xa0\\x01\\x03\\x00\\x00\\x00\\x00\\x00\\x05\\x05\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xc7X\\x02\\x00"
              }
            ],
            "repeated": 0,
            "id": 1170
          },
          {
            "timestamp": "2026-05-28 22:02:13,900",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "41"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00X@\\xdd3\\xfc\\x7f\\x00\\x00\\xebP\\xb53\\xfc\\x7f\\x00\\x00x\\xe3\\xb4\\xf4\\x02;\\x00\\x00(N\\xd93\\xfc\\x7f\\x00\\x00\\x00\\xc6\\x92\\xf7\\xb8\\x00\\x00\\x00\\xf8\\xc5\\x92\\xf7\\xb8\\x00\\x00\\x00\\xc8\\xc5\\x92\\xf7\\xb8\\x00\\x00\\x00\\xe8\\xc5\\x92\\xf7"
              }
            ],
            "repeated": 0,
            "id": 1171
          },
          {
            "timestamp": "2026-05-28 22:02:13,900",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "41"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xd0\\x01Fe\\xa3\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xd9\\xd8\\xb63\\xfc\\x7f\\x00\\x00#\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\xe8\\xc3\\x92\\xf7\\xb8\\x00\\x00\\x00\\xd8\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x9a\\x00\\x1f8\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x86\\xa2\\xd93"
              }
            ],
            "repeated": 0,
            "id": 1172
          },
          {
            "timestamp": "2026-05-28 22:02:13,900",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003e0"
              }
            ],
            "repeated": 0,
            "id": 1173
          },
          {
            "timestamp": "2026-05-28 22:02:13,900",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003d8"
              }
            ],
            "repeated": 0,
            "id": 1174
          },
          {
            "timestamp": "2026-05-28 22:02:13,900",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "29"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1175
          },
          {
            "timestamp": "2026-05-28 22:02:13,900",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "filesystem",
            "api": "NtOpenDirectoryObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "DirectoryHandle",
                "value": "0x0000034c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020001",
                "pretty_value": "FILE_READ_ACCESS|READ_CONTROL"
              },
              {
                "name": "ObjectAttributes",
                "value": "C:\\RPC Control"
              }
            ],
            "repeated": 0,
            "id": 1176
          },
          {
            "timestamp": "2026-05-28 22:02:13,900",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x000003d8"
              }
            ],
            "repeated": 0,
            "id": 1177
          },
          {
            "timestamp": "2026-05-28 22:02:13,900",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "10"
              },
              {
                "name": "TokenInformation",
                "value": "H\\xc5\n\\x00\\x00\\x00\\x00\\x00]Y\\x02\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x7f\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x94\\x0f\\x00\\x00\\x0e\\x00\\x00\\x00\\x18\\x00\\x00\\x00\t\\xc5\n\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1178
          },
          {
            "timestamp": "2026-05-28 22:02:13,900",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "4"
              },
              {
                "name": "TokenInformation",
                "value": "\\x88\\x1cCe\\xa3\\x02\\x00\\x00\\x01\\x02\\x00\\x00\\x00\\x00\\x00\\x05 \\x00\\x00\\x00 \\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1179
          },
          {
            "timestamp": "2026-05-28 22:02:13,900",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "25"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x0cFe\\xa3\\x02\\x00\\x00`\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x10\\x000\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1180
          },
          {
            "timestamp": "2026-05-28 22:02:13,900",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "5"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 1181
          },
          {
            "timestamp": "2026-05-28 22:02:13,900",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "5"
              },
              {
                "name": "TokenInformation",
                "value": "\\x08\\xbeBe\\xa3\\x02\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\x01\\x02\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1182
          },
          {
            "timestamp": "2026-05-28 22:02:13,900",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "6"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 1183
          },
          {
            "timestamp": "2026-05-28 22:02:13,900",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "6"
              },
              {
                "name": "TokenInformation",
                "value": "\\xb8\\x06Fe\\xa3\\x02\\x00\\x00\\x02\\x00P\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x18\\x00\\x00\\x00\\x00\\x10\\x01\\x02\\x00\\x00\\x00\\x00\\x00\\x05 \\x00\\x00\\x00 \\x02\\x00\\x00\\x00\\x00\\x14\\x00\\x00\\x00\\x00\\x10\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x05\\x12\\x00\\x00\\x00\\x00\\x00\\x1c\\x00\\x00\\x00\\x00\\xa0\\x01\\x03\\x00\\x00\\x00\\x00\\x00\\x05\\x05\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xc7X\\x02\\x00"
              }
            ],
            "repeated": 0,
            "id": 1184
          },
          {
            "timestamp": "2026-05-28 22:02:13,900",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "41"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00X@\\xdd3\\xfc\\x7f\\x00\\x00\\xebP\\xb53\\xfc\\x7f\\x00\\x00\\xd8\\x9f\\xb4\\xf4\\x02;\\x00\\x00(N\\xd93\\xfc\\x7f\\x00\\x00\\xa0\\xc9\\x92\\xf7\\xb8\\x00\\x00\\x00\\x98\\xc9\\x92\\xf7\\xb8\\x00\\x00\\x00h\\xc9\\x92\\xf7\\xb8\\x00\\x00\\x00\\x88\\xc9\\x92\\xf7"
              }
            ],
            "repeated": 0,
            "id": 1185
          },
          {
            "timestamp": "2026-05-28 22:02:13,900",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "41"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb0\\x06Fe\\xa3\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xd9\\xd8\\xb63\\xfc\\x7f\\x00\\x00#\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x88\\xc7\\x92\\xf7\\xb8\\x00\\x00\\x00\\xd8\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x9a\\x00\\x1f8\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x86\\xa2\\xd93"
              }
            ],
            "repeated": 0,
            "id": 1186
          },
          {
            "timestamp": "2026-05-28 22:02:13,900",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "10"
              },
              {
                "name": "TokenInformation",
                "value": "H\\xc5\n\\x00\\x00\\x00\\x00\\x00]Y\\x02\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x7f\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x94\\x0f\\x00\\x00\\x0e\\x00\\x00\\x00\\x18\\x00\\x00\\x00\t\\xc5\n\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1187
          },
          {
            "timestamp": "2026-05-28 22:02:13,900",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "4"
              },
              {
                "name": "TokenInformation",
                "value": "\\x08\\x1fCe\\xa3\\x02\\x00\\x00\\x01\\x02\\x00\\x00\\x00\\x00\\x00\\x05 \\x00\\x00\\x00 \\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1188
          },
          {
            "timestamp": "2026-05-28 22:02:13,900",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "25"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x06Fe\\xa3\\x02\\x00\\x00`\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x10\\x000\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1189
          },
          {
            "timestamp": "2026-05-28 22:02:13,900",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "5"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 1190
          },
          {
            "timestamp": "2026-05-28 22:02:13,900",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "5"
              },
              {
                "name": "TokenInformation",
                "value": "\\xb8\\xbcBe\\xa3\\x02\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\x01\\x02\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1191
          },
          {
            "timestamp": "2026-05-28 22:02:13,900",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "6"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 1192
          },
          {
            "timestamp": "2026-05-28 22:02:13,900",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "6"
              },
              {
                "name": "TokenInformation",
                "value": "\\x18\\x01Fe\\xa3\\x02\\x00\\x00\\x02\\x00P\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x18\\x00\\x00\\x00\\x00\\x10\\x01\\x02\\x00\\x00\\x00\\x00\\x00\\x05 \\x00\\x00\\x00 \\x02\\x00\\x00\\x00\\x00\\x14\\x00\\x00\\x00\\x00\\x10\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x05\\x12\\x00\\x00\\x00\\x00\\x00\\x1c\\x00\\x00\\x00\\x00\\xa0\\x01\\x03\\x00\\x00\\x00\\x00\\x00\\x05\\x05\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xc7X\\x02\\x00"
              }
            ],
            "repeated": 0,
            "id": 1193
          },
          {
            "timestamp": "2026-05-28 22:02:13,900",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "41"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00X@\\xdd3\\xfc\\x7f\\x00\\x00\\xebP\\xb53\\xfc\\x7f\\x00\\x00x\\xe3\\xb4\\xf4\\x02;\\x00\\x00(N\\xd93\\xfc\\x7f\\x00\\x00\\x00\\xc6\\x92\\xf7\\xb8\\x00\\x00\\x00\\xf8\\xc5\\x92\\xf7\\xb8\\x00\\x00\\x00\\xc8\\xc5\\x92\\xf7\\xb8\\x00\\x00\\x00\\xe8\\xc5\\x92\\xf7"
              }
            ],
            "repeated": 0,
            "id": 1194
          },
          {
            "timestamp": "2026-05-28 22:02:13,900",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "41"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x01Fe\\xa3\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xd9\\xd8\\xb63\\xfc\\x7f\\x00\\x00#\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\xe8\\xc3\\x92\\xf7\\xb8\\x00\\x00\\x00\\xd8\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x9a\\x00\\x1f8\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x86\\xa2\\xd93"
              }
            ],
            "repeated": 0,
            "id": 1195
          },
          {
            "timestamp": "2026-05-28 22:02:13,900",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtAllocateVirtualMemoryEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2a365462000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1196
          },
          {
            "timestamp": "2026-05-28 22:02:13,900",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000034c"
              }
            ],
            "repeated": 0,
            "id": 1197
          },
          {
            "timestamp": "2026-05-28 22:02:13,900",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003d8"
              }
            ],
            "repeated": 0,
            "id": 1198
          },
          {
            "timestamp": "2026-05-28 22:02:13,900",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "29"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1199
          },
          {
            "timestamp": "2026-05-28 22:02:13,900",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "filesystem",
            "api": "NtOpenDirectoryObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "DirectoryHandle",
                "value": "0x000003d8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020001",
                "pretty_value": "FILE_READ_ACCESS|READ_CONTROL"
              },
              {
                "name": "ObjectAttributes",
                "value": "C:\\RPC Control"
              }
            ],
            "repeated": 0,
            "id": 1200
          },
          {
            "timestamp": "2026-05-28 22:02:13,900",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x0000034c"
              }
            ],
            "repeated": 0,
            "id": 1201
          },
          {
            "timestamp": "2026-05-28 22:02:13,900",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "10"
              },
              {
                "name": "TokenInformation",
                "value": "H\\xc5\n\\x00\\x00\\x00\\x00\\x00]Y\\x02\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x7f\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x94\\x0f\\x00\\x00\\x0e\\x00\\x00\\x00\\x18\\x00\\x00\\x00\t\\xc5\n\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1202
          },
          {
            "timestamp": "2026-05-28 22:02:13,900",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "4"
              },
              {
                "name": "TokenInformation",
                "value": "\\x08\\x1fCe\\xa3\\x02\\x00\\x00\\x01\\x02\\x00\\x00\\x00\\x00\\x00\\x05 \\x00\\x00\\x00 \\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1203
          },
          {
            "timestamp": "2026-05-28 22:02:13,900",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "25"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x06Fe\\xa3\\x02\\x00\\x00`\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x10\\x000\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1204
          },
          {
            "timestamp": "2026-05-28 22:02:13,900",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "5"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 1205
          },
          {
            "timestamp": "2026-05-28 22:02:13,900",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "5"
              },
              {
                "name": "TokenInformation",
                "value": "\\xb8\\xbfBe\\xa3\\x02\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\x01\\x02\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1206
          },
          {
            "timestamp": "2026-05-28 22:02:13,900",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "6"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 1207
          },
          {
            "timestamp": "2026-05-28 22:02:13,900",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "6"
              },
              {
                "name": "TokenInformation",
                "value": "\\xf8\\x0bFe\\xa3\\x02\\x00\\x00\\x02\\x00P\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x18\\x00\\x00\\x00\\x00\\x10\\x01\\x02\\x00\\x00\\x00\\x00\\x00\\x05 \\x00\\x00\\x00 \\x02\\x00\\x00\\x00\\x00\\x14\\x00\\x00\\x00\\x00\\x10\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x05\\x12\\x00\\x00\\x00\\x00\\x00\\x1c\\x00\\x00\\x00\\x00\\xa0\\x01\\x03\\x00\\x00\\x00\\x00\\x00\\x05\\x05\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xc7X\\x02\\x00"
              }
            ],
            "repeated": 0,
            "id": 1208
          },
          {
            "timestamp": "2026-05-28 22:02:13,900",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "41"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00X@\\xdd3\\xfc\\x7f\\x00\\x00\\xebP\\xb53\\xfc\\x7f\\x00\\x00\\xd8\\x9f\\xb4\\xf4\\x02;\\x00\\x00(N\\xd93\\xfc\\x7f\\x00\\x00\\xa0\\xc9\\x92\\xf7\\xb8\\x00\\x00\\x00\\x98\\xc9\\x92\\xf7\\xb8\\x00\\x00\\x00h\\xc9\\x92\\xf7\\xb8\\x00\\x00\\x00\\x88\\xc9\\x92\\xf7"
              }
            ],
            "repeated": 0,
            "id": 1209
          },
          {
            "timestamp": "2026-05-28 22:02:13,900",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "41"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xf0\\x0bFe\\xa3\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xd9\\xd8\\xb63\\xfc\\x7f\\x00\\x00#\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x88\\xc7\\x92\\xf7\\xb8\\x00\\x00\\x00L\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x9a\\x00\\x1f8\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x86\\xa2\\xd93"
              }
            ],
            "repeated": 0,
            "id": 1210
          },
          {
            "timestamp": "2026-05-28 22:02:13,900",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "10"
              },
              {
                "name": "TokenInformation",
                "value": "H\\xc5\n\\x00\\x00\\x00\\x00\\x00]Y\\x02\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x7f\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x94\\x0f\\x00\\x00\\x0e\\x00\\x00\\x00\\x18\\x00\\x00\\x00\t\\xc5\n\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1211
          },
          {
            "timestamp": "2026-05-28 22:02:13,900",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "4"
              },
              {
                "name": "TokenInformation",
                "value": "\\x88\\x1cCe\\xa3\\x02\\x00\\x00\\x01\\x02\\x00\\x00\\x00\\x00\\x00\\x05 \\x00\\x00\\x00 \\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1212
          },
          {
            "timestamp": "2026-05-28 22:02:13,900",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "25"
              },
              {
                "name": "TokenInformation",
                "value": "@\\x0bFe\\xa3\\x02\\x00\\x00`\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x10\\x000\\x00\\x00\\x00\\x00\\x00\\x05 \\x00\\x00\\x00 \\x02\\x00\\x00\\x00\\x00\\x14\\x00\\x00\\x00\\x00\\x10\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x05\\x12\\x00\\x00\\x00\\x00\\x00\\x1c\\x00\\x00\\x00\\x00\\xa0\\x01\\x03\\x00\\x00\\x00\\x00\\x00\\x05\\x05\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1213
          },
          {
            "timestamp": "2026-05-28 22:02:13,900",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "5"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 1214
          },
          {
            "timestamp": "2026-05-28 22:02:13,900",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "5"
              },
              {
                "name": "TokenInformation",
                "value": "(\\xbfBe\\xa3\\x02\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\x01\\x02\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1215
          },
          {
            "timestamp": "2026-05-28 22:02:13,900",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "6"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 1216
          },
          {
            "timestamp": "2026-05-28 22:02:13,900",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "6"
              },
              {
                "name": "TokenInformation",
                "value": "\\xd8\\x01Fe\\xa3\\x02\\x00\\x00\\x02\\x00P\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x18\\x00\\x00\\x00\\x00\\x10\\x01\\x02\\x00\\x00\\x00\\x00\\x00\\x05 \\x00\\x00\\x00 \\x02\\x00\\x00\\x00\\x00\\x14\\x00\\x00\\x00\\x00\\x10\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x05\\x12\\x00\\x00\\x00\\x00\\x00\\x1c\\x00\\x00\\x00\\x00\\xa0\\x01\\x03\\x00\\x00\\x00\\x00\\x00\\x05\\x05\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xc7X\\x02\\x00"
              }
            ],
            "repeated": 0,
            "id": 1217
          },
          {
            "timestamp": "2026-05-28 22:02:13,900",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "41"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00X@\\xdd3\\xfc\\x7f\\x00\\x00\\xebP\\xb53\\xfc\\x7f\\x00\\x00x\\xe3\\xb4\\xf4\\x02;\\x00\\x00(N\\xd93\\xfc\\x7f\\x00\\x00\\x00\\xc6\\x92\\xf7\\xb8\\x00\\x00\\x00\\xf8\\xc5\\x92\\xf7\\xb8\\x00\\x00\\x00\\xc8\\xc5\\x92\\xf7\\xb8\\x00\\x00\\x00\\xe8\\xc5\\x92\\xf7"
              }
            ],
            "repeated": 0,
            "id": 1218
          },
          {
            "timestamp": "2026-05-28 22:02:13,900",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "41"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xd0\\x01Fe\\xa3\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xd9\\xd8\\xb63\\xfc\\x7f\\x00\\x00#\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\xe8\\xc3\\x92\\xf7\\xb8\\x00\\x00\\x00L\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x9a\\x00\\x1f8\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x86\\xa2\\xd93"
              }
            ],
            "repeated": 0,
            "id": 1219
          },
          {
            "timestamp": "2026-05-28 22:02:13,900",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003d8"
              }
            ],
            "repeated": 0,
            "id": 1220
          },
          {
            "timestamp": "2026-05-28 22:02:13,900",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000034c"
              }
            ],
            "repeated": 0,
            "id": 1221
          },
          {
            "timestamp": "2026-05-28 22:02:13,900",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "29"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1222
          },
          {
            "timestamp": "2026-05-28 22:02:13,900",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtAllocateVirtualMemoryEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2a365455000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1223
          },
          {
            "timestamp": "2026-05-28 22:02:13,900",
            "thread_id": "11120",
            "caller": "0x7ffc77ff2caa",
            "parentcaller": "0x7ffc77ff2fbd",
            "category": "process",
            "api": "NtAllocateVirtualMemoryEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2a365456000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1224
          },
          {
            "timestamp": "2026-05-28 22:02:13,900",
            "thread_id": "11120",
            "caller": "0x7ffc75704448",
            "parentcaller": "0x7ffc1ec3f766",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x3ed800222000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1225
          },
          {
            "timestamp": "2026-05-28 22:02:13,900",
            "thread_id": "11120",
            "caller": "0x7ffc75704448",
            "parentcaller": "0x7ffc1ec3f766",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x3edc0005b000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1226
          },
          {
            "timestamp": "2026-05-28 22:02:13,900",
            "thread_id": "11120",
            "caller": "0x7ffc7804507d",
            "parentcaller": "0x7ffc78044c43",
            "category": "threading",
            "api": "NtTestAlert",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 1227
          },
          {
            "timestamp": "2026-05-28 22:02:13,900",
            "thread_id": "11120",
            "caller": "0x00000000",
            "parentcaller": "0x00000000",
            "category": "threading",
            "api": "RtlUserThreadStart",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "StartAddress",
                "value": "0x7ffc77c12d30"
              },
              {
                "name": "Parameter",
                "value": "0x2a3654615d0"
              }
            ],
            "repeated": 0,
            "id": 1228
          },
          {
            "timestamp": "2026-05-28 22:02:13,900",
            "thread_id": "11120",
            "caller": "0x7ffc77ff2caa",
            "parentcaller": "0x7ffc77ff2fbd",
            "category": "process",
            "api": "NtAllocateVirtualMemoryEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2a365457000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1229
          },
          {
            "timestamp": "2026-05-28 22:02:13,900",
            "thread_id": "11124",
            "caller": "0x7ffc77ff2caa",
            "parentcaller": "0x7ffc77ff2fbd",
            "category": "process",
            "api": "NtAllocateVirtualMemoryEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2a365458000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1230
          },
          {
            "timestamp": "2026-05-28 22:02:13,900",
            "thread_id": "11124",
            "caller": "0x7ffc75704448",
            "parentcaller": "0x7ffc1ec3f766",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x3ed800223000"
              },
              {
                "name": "RegionSize",
                "value": "0x00002000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1231
          },
          {
            "timestamp": "2026-05-28 22:02:13,900",
            "thread_id": "11124",
            "caller": "0x7ffc75704448",
            "parentcaller": "0x7ffc1ec3f766",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x3edc0006b000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1232
          },
          {
            "timestamp": "2026-05-28 22:02:13,900",
            "thread_id": "11124",
            "caller": "0x7ffc7804507d",
            "parentcaller": "0x7ffc78044c43",
            "category": "threading",
            "api": "NtTestAlert",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 1233
          },
          {
            "timestamp": "2026-05-28 22:02:13,900",
            "thread_id": "11124",
            "caller": "0x00000000",
            "parentcaller": "0x00000000",
            "category": "threading",
            "api": "RtlUserThreadStart",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "StartAddress",
                "value": "0x7ffc78022b30"
              },
              {
                "name": "Parameter",
                "value": "0x2a365402340"
              }
            ],
            "repeated": 0,
            "id": 1234
          },
          {
            "timestamp": "2026-05-28 22:02:13,900",
            "thread_id": "11124",
            "caller": "0x7ffc75716f4c",
            "parentcaller": "0x7ffc770cef53",
            "category": "system",
            "api": "NtDuplicateObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SourceProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "SourceHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "TargetProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "TargetHandle",
                "value": "0x000003e8"
              },
              {
                "name": "Options",
                "value": "0x00000002"
              }
            ],
            "repeated": 0,
            "id": 1235
          },
          {
            "timestamp": "2026-05-28 22:02:13,900",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003f0"
              },
              {
                "name": "Milliseconds",
                "value": "18446744073709551615"
              },
              {
                "name": "Status",
                "value": "Infinite"
              }
            ],
            "repeated": 0,
            "id": 1236
          },
          {
            "timestamp": "2026-05-28 22:02:13,900",
            "thread_id": "11124",
            "caller": "0x7ffc77ff2caa",
            "parentcaller": "0x7ffc77ff2fbd",
            "category": "process",
            "api": "NtAllocateVirtualMemoryEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2a365459000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1237
          },
          {
            "timestamp": "2026-05-28 22:02:13,900",
            "thread_id": "11124",
            "caller": "0x7ffc78013f7a",
            "parentcaller": "0x7ffc770b0ed7",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "29"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1238
          },
          {
            "timestamp": "2026-05-28 22:02:13,900",
            "thread_id": "11124",
            "caller": "0x7ffc770b0cd1",
            "parentcaller": "0x7ffc770af28f",
            "category": "filesystem",
            "api": "NtOpenDirectoryObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "DirectoryHandle",
                "value": "0x000003f8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020001",
                "pretty_value": "FILE_READ_ACCESS|READ_CONTROL"
              },
              {
                "name": "ObjectAttributes",
                "value": "C:\\RPC Control"
              }
            ],
            "repeated": 0,
            "id": 1239
          },
          {
            "timestamp": "2026-05-28 22:02:13,900",
            "thread_id": "11124",
            "caller": "0x7ffc7572026b",
            "parentcaller": "0x7ffc770b0daf",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x000003fc"
              }
            ],
            "repeated": 0,
            "id": 1240
          },
          {
            "timestamp": "2026-05-28 22:02:13,900",
            "thread_id": "11124",
            "caller": "0x7ffc78008cde",
            "parentcaller": "0x7ffc78049c4e",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "10"
              },
              {
                "name": "TokenInformation",
                "value": "H\\xc5\n\\x00\\x00\\x00\\x00\\x00]Y\\x02\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x7f\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x94\\x0f\\x00\\x00\\x0e\\x00\\x00\\x00\\x18\\x00\\x00\\x00\t\\xc5\n\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1241
          },
          {
            "timestamp": "2026-05-28 22:02:13,900",
            "thread_id": "11124",
            "caller": "0x7ffc78036e46",
            "parentcaller": "0x7ffc78008d8f",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "4"
              },
              {
                "name": "TokenInformation",
                "value": "\\xc8\\x1dCe\\xa3\\x02\\x00\\x00\\x01\\x02\\x00\\x00\\x00\\x00\\x00\\x05 \\x00\\x00\\x00 \\x02\\x00\\x00e\\x00r\\x00s\\x00o\\x00n\\x00a\\x00t\\x00i\\x00o\\x00n\\x00 \\x00D\\x00y\\x00n\\x00a\\x00m\\x00i\\x00c\\x00 \\x00F\\x00a\\x00l\\x00s\\x00e\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1242
          },
          {
            "timestamp": "2026-05-28 22:02:13,900",
            "thread_id": "11124",
            "caller": "0x7ffc78036e9b",
            "parentcaller": "0x7ffc78008d8f",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "25"
              },
              {
                "name": "TokenInformation",
                "value": "\\xa0\\x0bFe\\xa3\\x02\\x00\\x00`\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x10\\x000\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1243
          },
          {
            "timestamp": "2026-05-28 22:02:13,900",
            "thread_id": "11124",
            "caller": "0x7ffc78036ec0",
            "parentcaller": "0x7ffc78008d8f",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "5"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 1244
          },
          {
            "timestamp": "2026-05-28 22:02:13,900",
            "thread_id": "11124",
            "caller": "0x7ffc78036f0e",
            "parentcaller": "0x7ffc78008d8f",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "5"
              },
              {
                "name": "TokenInformation",
                "value": "(\\xbfBe\\xa3\\x02\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\x01\\x02\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1245
          },
          {
            "timestamp": "2026-05-28 22:02:13,900",
            "thread_id": "11124",
            "caller": "0x7ffc78036f37",
            "parentcaller": "0x7ffc78008d8f",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "6"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 1246
          },
          {
            "timestamp": "2026-05-28 22:02:13,900",
            "thread_id": "11124",
            "caller": "0x7ffc78036f8f",
            "parentcaller": "0x7ffc78008d8f",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "6"
              },
              {
                "name": "TokenInformation",
                "value": "x\\x01Fe\\xa3\\x02\\x00\\x00\\x02\\x00P\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x18\\x00\\x00\\x00\\x00\\x10\\x01\\x02\\x00\\x00\\x00\\x00\\x00\\x05 \\x00\\x00\\x00 \\x02\\x00\\x00\\x00\\x00\\x14\\x00\\x00\\x00\\x00\\x10\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x05\\x12\\x00\\x00\\x00\\x00\\x00\\x1c\\x00\\x00\\x00\\x00\\xa0\\x01\\x03\\x00\\x00\\x00\\x00\\x00\\x05\\x05\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xc7X\\x02\\x00"
              }
            ],
            "repeated": 0,
            "id": 1247
          },
          {
            "timestamp": "2026-05-28 22:02:13,900",
            "thread_id": "11124",
            "caller": "0x7ffc78037048",
            "parentcaller": "0x7ffc78036fa8",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "41"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00X@\\xdd3\\xfc\\x7f\\x00\\x00\\xebP\\xb53\\xfc\\x7f\\x00\\x00\\x18\\xbf\\x99\\xfb\\x02;\\x00\\x00(N\\xd93\\xfc\\x7f\\x00\\x00`\\xea\\xbf\\xf8\\xb8\\x00\\x00\\x00X\\xea\\xbf\\xf8\\xb8\\x00\\x00\\x00(\\xea\\xbf\\xf8\\xb8\\x00\\x00\\x00H\\xea\\xbf\\xf8"
              }
            ],
            "repeated": 0,
            "id": 1248
          },
          {
            "timestamp": "2026-05-28 22:02:13,900",
            "thread_id": "11124",
            "caller": "0x7ffc7803707b",
            "parentcaller": "0x7ffc78036fa8",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "41"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00p\\x01Fe\\xa3\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xd9\\xd8\\xb63\\xfc\\x7f\\x00\\x00#\\x00\\x00\\xc0\\x00\\x00\\x00\\x00H\\xe8\\xbf\\xf8\\xb8\\x00\\x00\\x00\\xfc\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x9a\\x00\\x1f8\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x86\\xa2\\xd93"
              }
            ],
            "repeated": 0,
            "id": 1249
          },
          {
            "timestamp": "2026-05-28 22:02:13,900",
            "thread_id": "11124",
            "caller": "0x7ffc78008cde",
            "parentcaller": "0x7ffc7800953a",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "10"
              },
              {
                "name": "TokenInformation",
                "value": "H\\xc5\n\\x00\\x00\\x00\\x00\\x00]Y\\x02\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x7f\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x94\\x0f\\x00\\x00\\x0e\\x00\\x00\\x00\\x18\\x00\\x00\\x00\t\\xc5\n\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1250
          },
          {
            "timestamp": "2026-05-28 22:02:13,900",
            "thread_id": "11124",
            "caller": "0x7ffc78036e46",
            "parentcaller": "0x7ffc78008d8f",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "4"
              },
              {
                "name": "TokenInformation",
                "value": "\\xa8\\x1fCe\\xa3\\x02\\x00\\x00\\x01\\x02\\x00\\x00\\x00\\x00\\x00\\x05 \\x00\\x00\\x00 \\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1251
          },
          {
            "timestamp": "2026-05-28 22:02:13,900",
            "thread_id": "11124",
            "caller": "0x7ffc78036e9b",
            "parentcaller": "0x7ffc78008d8f",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "25"
              },
              {
                "name": "TokenInformation",
                "value": " \\x04Fe\\xa3\\x02\\x00\\x00`\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x10\\x000\\x00\\x00\\x00\\x00\\x00\\x05 \\x00\\x00\\x00 \\x02\\x00\\x00\\x00\\x00\\x14\\x00\\x00\\x00\\x00\\x10\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x05\\x12\\x00\\x00\\x00\\x00\\x00\\x1c\\x00\\x00\\x00\\x00\\xa0\\x01\\x03\\x00\\x00\\x00\\x00\\x00\\x05\\x05\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1252
          },
          {
            "timestamp": "2026-05-28 22:02:13,900",
            "thread_id": "11124",
            "caller": "0x7ffc78036ec0",
            "parentcaller": "0x7ffc78008d8f",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "5"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 1253
          },
          {
            "timestamp": "2026-05-28 22:02:13,900",
            "thread_id": "11124",
            "caller": "0x7ffc78036f0e",
            "parentcaller": "0x7ffc78008d8f",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "5"
              },
              {
                "name": "TokenInformation",
                "value": "X\\xbfBe\\xa3\\x02\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\x01\\x02\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1254
          },
          {
            "timestamp": "2026-05-28 22:02:13,900",
            "thread_id": "11124",
            "caller": "0x7ffc78036f37",
            "parentcaller": "0x7ffc78008d8f",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "6"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 1255
          },
          {
            "timestamp": "2026-05-28 22:02:13,900",
            "thread_id": "11124",
            "caller": "0x7ffc78036f8f",
            "parentcaller": "0x7ffc78008d8f",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "6"
              },
              {
                "name": "TokenInformation",
                "value": "\\xd8\\x01Fe\\xa3\\x02\\x00\\x00\\x02\\x00P\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x18\\x00\\x00\\x00\\x00\\x10\\x01\\x02\\x00\\x00\\x00\\x00\\x00\\x05 \\x00\\x00\\x00 \\x02\\x00\\x00\\x00\\x00\\x14\\x00\\x00\\x00\\x00\\x10\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x05\\x12\\x00\\x00\\x00\\x00\\x00\\x1c\\x00\\x00\\x00\\x00\\xa0\\x01\\x03\\x00\\x00\\x00\\x00\\x00\\x05\\x05\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xc7X\\x02\\x00"
              }
            ],
            "repeated": 0,
            "id": 1256
          },
          {
            "timestamp": "2026-05-28 22:02:13,900",
            "thread_id": "11124",
            "caller": "0x7ffc78037048",
            "parentcaller": "0x7ffc78036fa8",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "41"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00X@\\xdd3\\xfc\\x7f\\x00\\x00\\xebP\\xb53\\xfc\\x7f\\x00\\x00\\xb8\\x80\\x99\\xfb\\x02;\\x00\\x00(N\\xd93\\xfc\\x7f\\x00\\x00\\xc0\\xe6\\xbf\\xf8\\xb8\\x00\\x00\\x00\\xb8\\xe6\\xbf\\xf8\\xb8\\x00\\x00\\x00\\x88\\xe6\\xbf\\xf8\\xb8\\x00\\x00\\x00\\xa8\\xe6\\xbf\\xf8"
              }
            ],
            "repeated": 0,
            "id": 1257
          },
          {
            "timestamp": "2026-05-28 22:02:13,900",
            "thread_id": "11124",
            "caller": "0x7ffc7803707b",
            "parentcaller": "0x7ffc78036fa8",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "41"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xd0\\x01Fe\\xa3\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xd9\\xd8\\xb63\\xfc\\x7f\\x00\\x00#\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\xa8\\xe4\\xbf\\xf8\\xb8\\x00\\x00\\x00\\xfc\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x9a\\x00\\x1f8\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x86\\xa2\\xd93"
              }
            ],
            "repeated": 0,
            "id": 1258
          },
          {
            "timestamp": "2026-05-28 22:02:13,900",
            "thread_id": "11124",
            "caller": "0x7ffc756e6785",
            "parentcaller": "0x7ffc770b0e27",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003f8"
              }
            ],
            "repeated": 0,
            "id": 1259
          },
          {
            "timestamp": "2026-05-28 22:02:13,900",
            "thread_id": "11124",
            "caller": "0x7ffc756e6785",
            "parentcaller": "0x7ffc770b0e49",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003fc"
              }
            ],
            "repeated": 0,
            "id": 1260
          },
          {
            "timestamp": "2026-05-28 22:02:13,900",
            "thread_id": "11124",
            "caller": "0x7ffc77ff2caa",
            "parentcaller": "0x7ffc77ff2fbd",
            "category": "process",
            "api": "NtAllocateVirtualMemoryEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2a36545a000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1261
          },
          {
            "timestamp": "2026-05-28 22:02:13,900",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003f0"
              }
            ],
            "repeated": 0,
            "id": 1262
          },
          {
            "timestamp": "2026-05-28 22:02:13,900",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtAllocateVirtualMemoryEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2a365463000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1263
          },
          {
            "timestamp": "2026-05-28 22:02:13,900",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc77ea1000"
              },
              {
                "name": "ModuleName",
                "value": "combase.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1264
          },
          {
            "timestamp": "2026-05-28 22:02:13,900",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc77ea1000"
              },
              {
                "name": "ModuleName",
                "value": "combase.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1265
          },
          {
            "timestamp": "2026-05-28 22:02:13,900",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "combase.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc77b70000"
              }
            ],
            "repeated": 0,
            "id": 1266
          },
          {
            "timestamp": "2026-05-28 22:02:13,900",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "threading",
            "api": "NtCreateThreadEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0x000003f8"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "StartAddress",
                "value": "0x7ffc77c12d30"
              },
              {
                "name": "Parameter",
                "value": "0x2a365461750"
              },
              {
                "name": "CreateFlags",
                "value": "0x00000001"
              },
              {
                "name": "ThreadId",
                "value": "11132"
              },
              {
                "name": "ProcessId",
                "value": "10720"
              },
              {
                "name": "Module",
                "value": "combase.dll"
              }
            ],
            "repeated": 0,
            "id": 1267
          },
          {
            "timestamp": "2026-05-28 22:02:13,900",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "threading",
            "api": "CreateRemoteThreadEx",
            "status": true,
            "return": "0x000003f8",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "StartRoutine",
                "value": "0x7ffc77c12d30"
              },
              {
                "name": "Parameter",
                "value": "0x2a365461750"
              },
              {
                "name": "CreationFlags",
                "value": "0x00000000"
              },
              {
                "name": "ThreadId",
                "value": "11132"
              },
              {
                "name": "ProcessId",
                "value": "10720"
              }
            ],
            "repeated": 0,
            "id": 1268
          },
          {
            "timestamp": "2026-05-28 22:02:13,900",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003f8"
              }
            ],
            "repeated": 0,
            "id": 1269
          },
          {
            "timestamp": "2026-05-28 22:02:13,900",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc77ea1000"
              },
              {
                "name": "ModuleName",
                "value": "combase.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1270
          },
          {
            "timestamp": "2026-05-28 22:02:13,900",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc77ea1000"
              },
              {
                "name": "ModuleName",
                "value": "combase.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1271
          },
          {
            "timestamp": "2026-05-28 22:02:13,900",
            "thread_id": "11128",
            "caller": "0x7ffc77ff2caa",
            "parentcaller": "0x7ffc77ff2fbd",
            "category": "process",
            "api": "NtAllocateVirtualMemoryEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2a365464000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1272
          },
          {
            "timestamp": "2026-05-28 22:02:13,900",
            "thread_id": "11128",
            "caller": "0x7ffc75704448",
            "parentcaller": "0x7ffc1ec3f766",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x3ed800225000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1273
          },
          {
            "timestamp": "2026-05-28 22:02:13,900",
            "thread_id": "11128",
            "caller": "0x7ffc7804507d",
            "parentcaller": "0x7ffc78044c43",
            "category": "threading",
            "api": "NtTestAlert",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 1274
          },
          {
            "timestamp": "2026-05-28 22:02:13,900",
            "thread_id": "11128",
            "caller": "0x00000000",
            "parentcaller": "0x00000000",
            "category": "threading",
            "api": "RtlUserThreadStart",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "StartAddress",
                "value": "0x7ffc78022b30"
              },
              {
                "name": "Parameter",
                "value": "0x2a365402340"
              }
            ],
            "repeated": 0,
            "id": 1275
          },
          {
            "timestamp": "2026-05-28 22:02:13,900",
            "thread_id": "11132",
            "caller": "0x7ffc77ff2caa",
            "parentcaller": "0x7ffc77ff2fbd",
            "category": "process",
            "api": "NtAllocateVirtualMemoryEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2a365474000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1276
          },
          {
            "timestamp": "2026-05-28 22:02:13,900",
            "thread_id": "11132",
            "caller": "0x7ffc77ff2caa",
            "parentcaller": "0x7ffc77ff2fbd",
            "category": "process",
            "api": "NtAllocateVirtualMemoryEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2a365475000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1277
          },
          {
            "timestamp": "2026-05-28 22:02:13,900",
            "thread_id": "11132",
            "caller": "0x7ffc77ff2caa",
            "parentcaller": "0x7ffc77ff2fbd",
            "category": "process",
            "api": "NtAllocateVirtualMemoryEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2a365476000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1278
          },
          {
            "timestamp": "2026-05-28 22:02:13,900",
            "thread_id": "11132",
            "caller": "0x7ffc77ff2caa",
            "parentcaller": "0x7ffc77ff2fbd",
            "category": "process",
            "api": "NtAllocateVirtualMemoryEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2a365477000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1279
          },
          {
            "timestamp": "2026-05-28 22:02:13,900",
            "thread_id": "11132",
            "caller": "0x7ffc77ff2caa",
            "parentcaller": "0x7ffc77ff2fbd",
            "category": "process",
            "api": "NtAllocateVirtualMemoryEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2a365478000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1280
          },
          {
            "timestamp": "2026-05-28 22:02:13,900",
            "thread_id": "11132",
            "caller": "0x7ffc77ff2caa",
            "parentcaller": "0x7ffc77ff2fbd",
            "category": "process",
            "api": "NtAllocateVirtualMemoryEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2a36547c000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1281
          },
          {
            "timestamp": "2026-05-28 22:02:13,900",
            "thread_id": "11132",
            "caller": "0x7ffc77ff2caa",
            "parentcaller": "0x7ffc77ff2fbd",
            "category": "process",
            "api": "NtAllocateVirtualMemoryEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2a36547d000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1282
          },
          {
            "timestamp": "2026-05-28 22:02:13,900",
            "thread_id": "11132",
            "caller": "0x7ffc77ff2caa",
            "parentcaller": "0x7ffc77ff2fbd",
            "category": "process",
            "api": "NtAllocateVirtualMemoryEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2a365513000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1283
          },
          {
            "timestamp": "2026-05-28 22:02:13,900",
            "thread_id": "11132",
            "caller": "0x7ffc77ff2caa",
            "parentcaller": "0x7ffc77ff2fbd",
            "category": "process",
            "api": "NtAllocateVirtualMemoryEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2a365514000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1284
          },
          {
            "timestamp": "2026-05-28 22:02:13,900",
            "thread_id": "11132",
            "caller": "0x7ffc3212bafb",
            "parentcaller": "0x7ffc3212b4af",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x56f000104000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1285
          },
          {
            "timestamp": "2026-05-28 22:02:13,900",
            "thread_id": "11132",
            "caller": "0x7ffc75704448",
            "parentcaller": "0x7ffc1ec3f766",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x3ed800226000"
              },
              {
                "name": "RegionSize",
                "value": "0x00002000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1286
          },
          {
            "timestamp": "2026-05-28 22:02:13,900",
            "thread_id": "11132",
            "caller": "0x7ffc7804507d",
            "parentcaller": "0x7ffc78044c43",
            "category": "threading",
            "api": "NtTestAlert",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 1287
          },
          {
            "timestamp": "2026-05-28 22:02:13,900",
            "thread_id": "11132",
            "caller": "0x00000000",
            "parentcaller": "0x00000000",
            "category": "threading",
            "api": "RtlUserThreadStart",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "StartAddress",
                "value": "0x7ffc77c12d30"
              },
              {
                "name": "Parameter",
                "value": "0x2a365461750"
              }
            ],
            "repeated": 0,
            "id": 1288
          },
          {
            "timestamp": "2026-05-28 22:02:13,900",
            "thread_id": "11132",
            "caller": "0x7ffc77ff2caa",
            "parentcaller": "0x7ffc77ff2fbd",
            "category": "process",
            "api": "NtAllocateVirtualMemoryEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2a365465000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1289
          },
          {
            "timestamp": "2026-05-28 22:02:13,900",
            "thread_id": "11132",
            "caller": "0x7ffc77ff2caa",
            "parentcaller": "0x7ffc77ff2fbd",
            "category": "process",
            "api": "NtAllocateVirtualMemoryEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2a365466000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1290
          },
          {
            "timestamp": "2026-05-28 22:02:13,900",
            "thread_id": "11132",
            "caller": "0x7ffc75716f4c",
            "parentcaller": "0x7ffc770cef53",
            "category": "system",
            "api": "NtDuplicateObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SourceProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "SourceHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "TargetProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "TargetHandle",
                "value": "0x00000408"
              },
              {
                "name": "Options",
                "value": "0x00000002"
              }
            ],
            "repeated": 0,
            "id": 1291
          },
          {
            "timestamp": "2026-05-28 22:02:13,900",
            "thread_id": "11132",
            "caller": "0x7ffc77ba22bf",
            "parentcaller": "0x7ffc77c1fbe4",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x000003c6"
              },
              {
                "name": "SubKey",
                "value": "Interface\\{E1CDD77A-65D3-4DB0-B339-21F6A48CC2FF}"
              },
              {
                "name": "Handle",
                "value": "0x0000040e"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\Interface\\{E1CDD77A-65D3-4DB0-B339-21F6A48CC2FF}"
              }
            ],
            "repeated": 0,
            "id": 1292
          },
          {
            "timestamp": "2026-05-28 22:02:13,900",
            "thread_id": "11132",
            "caller": "0x7ffc77c1fa51",
            "parentcaller": "0x7ffc77be42ab",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x0000040e"
              },
              {
                "name": "SubKey",
                "value": "ProxyStubClsid32"
              },
              {
                "name": "Handle",
                "value": "0x00000412"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{E1CDD77A-65D3-4db0-B339-21F6A48CC2FF}\\ProxyStubClsid32"
              }
            ],
            "repeated": 0,
            "id": 1293
          },
          {
            "timestamp": "2026-05-28 22:02:13,900",
            "thread_id": "11132",
            "caller": "0x7ffc77c1fa8c",
            "parentcaller": "0x7ffc77be42ab",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000412"
              },
              {
                "name": "ValueName",
                "value": ""
              },
              {
                "name": "Data",
                "value": "{00000320-0000-0000-C000-000000000046}"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{E1CDD77A-65D3-4db0-B339-21F6A48CC2FF}\\ProxyStubClsid32\\(Default)"
              }
            ],
            "repeated": 0,
            "id": 1294
          },
          {
            "timestamp": "2026-05-28 22:02:13,900",
            "thread_id": "11132",
            "caller": "0x7ffc77c1fad3",
            "parentcaller": "0x7ffc77be42ab",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000412"
              }
            ],
            "repeated": 0,
            "id": 1295
          },
          {
            "timestamp": "2026-05-28 22:02:13,900",
            "thread_id": "11132",
            "caller": "0x7ffc77c1fae4",
            "parentcaller": "0x7ffc77be42ab",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000040e"
              }
            ],
            "repeated": 0,
            "id": 1296
          },
          {
            "timestamp": "2026-05-28 22:02:13,900",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "misc",
            "api": "GetSystemInfo",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 1,
            "id": 1297
          },
          {
            "timestamp": "2026-05-28 22:02:13,900",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000001fc"
              },
              {
                "name": "Milliseconds",
                "value": "4000"
              }
            ],
            "repeated": 0,
            "id": 1298
          },
          {
            "timestamp": "2026-05-28 22:02:13,900",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "synchronization",
            "api": "NtReleaseMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000001fc"
              }
            ],
            "repeated": 0,
            "id": 1299
          },
          {
            "timestamp": "2026-05-28 22:02:13,900",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "combase.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc77b70000"
              }
            ],
            "repeated": 0,
            "id": 1300
          },
          {
            "timestamp": "2026-05-28 22:02:13,916",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "threading",
            "api": "NtCreateThreadEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0x00000414"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "StartAddress",
                "value": "0x7ffc77c12d30"
              },
              {
                "name": "Parameter",
                "value": "0x2a3654612d0"
              },
              {
                "name": "CreateFlags",
                "value": "0x00000001"
              },
              {
                "name": "ThreadId",
                "value": "11136"
              },
              {
                "name": "ProcessId",
                "value": "10720"
              },
              {
                "name": "Module",
                "value": "combase.dll"
              }
            ],
            "repeated": 0,
            "id": 1301
          },
          {
            "timestamp": "2026-05-28 22:02:13,916",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "threading",
            "api": "CreateRemoteThreadEx",
            "status": true,
            "return": "0x00000414",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "StartRoutine",
                "value": "0x7ffc77c12d30"
              },
              {
                "name": "Parameter",
                "value": "0x2a3654612d0"
              },
              {
                "name": "CreationFlags",
                "value": "0x00000000"
              },
              {
                "name": "ThreadId",
                "value": "11136"
              },
              {
                "name": "ProcessId",
                "value": "10720"
              }
            ],
            "repeated": 0,
            "id": 1302
          },
          {
            "timestamp": "2026-05-28 22:02:13,916",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000414"
              }
            ],
            "repeated": 0,
            "id": 1303
          },
          {
            "timestamp": "2026-05-28 22:02:13,916",
            "thread_id": "11136",
            "caller": "0x7ffc77ff2caa",
            "parentcaller": "0x7ffc77ff2fbd",
            "category": "process",
            "api": "NtAllocateVirtualMemoryEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2a365479000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1304
          },
          {
            "timestamp": "2026-05-28 22:02:13,916",
            "thread_id": "11136",
            "caller": "0x7ffc77ff2caa",
            "parentcaller": "0x7ffc77ff2fbd",
            "category": "process",
            "api": "NtAllocateVirtualMemoryEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2a365481000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1305
          },
          {
            "timestamp": "2026-05-28 22:02:13,916",
            "thread_id": "11136",
            "caller": "0x7ffc77ff2caa",
            "parentcaller": "0x7ffc77ff2fbd",
            "category": "process",
            "api": "NtAllocateVirtualMemoryEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2a36547e000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1306
          },
          {
            "timestamp": "2026-05-28 22:02:13,916",
            "thread_id": "11136",
            "caller": "0x7ffc75704448",
            "parentcaller": "0x7ffc1ec3f766",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x3ed800228000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1307
          },
          {
            "timestamp": "2026-05-28 22:02:13,916",
            "thread_id": "11136",
            "caller": "0x7ffc75704448",
            "parentcaller": "0x7ffc1ec3f766",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x3edc0005c000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1308
          },
          {
            "timestamp": "2026-05-28 22:02:13,916",
            "thread_id": "11136",
            "caller": "0x7ffc7804507d",
            "parentcaller": "0x7ffc78044c43",
            "category": "threading",
            "api": "NtTestAlert",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 1309
          },
          {
            "timestamp": "2026-05-28 22:02:13,916",
            "thread_id": "11136",
            "caller": "0x00000000",
            "parentcaller": "0x00000000",
            "category": "threading",
            "api": "RtlUserThreadStart",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "StartAddress",
                "value": "0x7ffc77c12d30"
              },
              {
                "name": "Parameter",
                "value": "0x2a3654612d0"
              }
            ],
            "repeated": 0,
            "id": 1310
          },
          {
            "timestamp": "2026-05-28 22:02:13,916",
            "thread_id": "11136",
            "caller": "0x7ffc77ff2caa",
            "parentcaller": "0x7ffc77ff2fbd",
            "category": "process",
            "api": "NtAllocateVirtualMemoryEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2a365467000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1311
          },
          {
            "timestamp": "2026-05-28 22:02:13,916",
            "thread_id": "11136",
            "caller": "0x7ffc75716f4c",
            "parentcaller": "0x7ffc770cef53",
            "category": "system",
            "api": "NtDuplicateObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SourceProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "SourceHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "TargetProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "TargetHandle",
                "value": "0x00000420"
              },
              {
                "name": "Options",
                "value": "0x00000002"
              }
            ],
            "repeated": 0,
            "id": 1312
          },
          {
            "timestamp": "2026-05-28 22:02:13,916",
            "thread_id": "11136",
            "caller": "0x7ffc77ff2caa",
            "parentcaller": "0x7ffc77ff2fbd",
            "category": "process",
            "api": "NtAllocateVirtualMemoryEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2a365468000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1313
          },
          {
            "timestamp": "2026-05-28 22:02:13,916",
            "thread_id": "11136",
            "caller": "0x7ffc78017830",
            "parentcaller": "0x7ffc780020f9",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc60f5a000"
              },
              {
                "name": "ModuleName",
                "value": "wpnapps.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1314
          },
          {
            "timestamp": "2026-05-28 22:02:13,916",
            "thread_id": "11136",
            "caller": "0x7ffc78017881",
            "parentcaller": "0x7ffc780020f9",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc60f5a000"
              },
              {
                "name": "ModuleName",
                "value": "wpnapps.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1315
          },
          {
            "timestamp": "2026-05-28 22:02:13,916",
            "thread_id": "11136",
            "caller": "0x7ffc77ba22bf",
            "parentcaller": "0x7ffc77c1fbe4",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x000003c6"
              },
              {
                "name": "SubKey",
                "value": "Interface\\{00000035-0000-0000-C000-000000000046}"
              },
              {
                "name": "Handle",
                "value": "0x00000426"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\Interface\\{00000035-0000-0000-C000-000000000046}"
              }
            ],
            "repeated": 0,
            "id": 1316
          },
          {
            "timestamp": "2026-05-28 22:02:13,916",
            "thread_id": "11136",
            "caller": "0x7ffc77c1fa51",
            "parentcaller": "0x7ffc77be42ab",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000426"
              },
              {
                "name": "SubKey",
                "value": "ProxyStubClsid32"
              },
              {
                "name": "Handle",
                "value": "0x0000042a"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{00000035-0000-0000-C000-000000000046}\\ProxyStubClsid32"
              }
            ],
            "repeated": 0,
            "id": 1317
          },
          {
            "timestamp": "2026-05-28 22:02:13,916",
            "thread_id": "11136",
            "caller": "0x7ffc77c1fa8c",
            "parentcaller": "0x7ffc77be42ab",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000042a"
              },
              {
                "name": "ValueName",
                "value": ""
              },
              {
                "name": "Data",
                "value": "{00000320-0000-0000-C000-000000000046}"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{00000035-0000-0000-C000-000000000046}\\ProxyStubClsid32\\(Default)"
              }
            ],
            "repeated": 0,
            "id": 1318
          },
          {
            "timestamp": "2026-05-28 22:02:13,916",
            "thread_id": "11136",
            "caller": "0x7ffc77c1fad3",
            "parentcaller": "0x7ffc77be42ab",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000042a"
              }
            ],
            "repeated": 0,
            "id": 1319
          },
          {
            "timestamp": "2026-05-28 22:02:13,916",
            "thread_id": "11136",
            "caller": "0x7ffc77c1fae4",
            "parentcaller": "0x7ffc77be42ab",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000426"
              }
            ],
            "repeated": 0,
            "id": 1320
          },
          {
            "timestamp": "2026-05-28 22:02:13,916",
            "thread_id": "11136",
            "caller": "0x7ffc77ff2caa",
            "parentcaller": "0x7ffc77ff2fbd",
            "category": "process",
            "api": "NtAllocateVirtualMemoryEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2a365482000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1321
          },
          {
            "timestamp": "2026-05-28 22:02:13,916",
            "thread_id": "11136",
            "caller": "0x7ffc77ba22bf",
            "parentcaller": "0x7ffc77c1fbe4",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x000003c6"
              },
              {
                "name": "SubKey",
                "value": "Interface\\{AF86E2E0-B12D-4C6A-9C5A-D7AA65101E90}"
              },
              {
                "name": "Handle",
                "value": "0x00000426"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\Interface\\{AF86E2E0-B12D-4C6A-9C5A-D7AA65101E90}"
              }
            ],
            "repeated": 0,
            "id": 1322
          },
          {
            "timestamp": "2026-05-28 22:02:13,916",
            "thread_id": "11136",
            "caller": "0x7ffc77c1fa51",
            "parentcaller": "0x7ffc77be42ab",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000426"
              },
              {
                "name": "SubKey",
                "value": "ProxyStubClsid32"
              },
              {
                "name": "Handle",
                "value": "0x0000042a"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{AF86E2E0-B12D-4c6a-9C5A-D7AA65101E90}\\ProxyStubClsid32"
              }
            ],
            "repeated": 0,
            "id": 1323
          },
          {
            "timestamp": "2026-05-28 22:02:13,916",
            "thread_id": "11136",
            "caller": "0x7ffc77c1fa8c",
            "parentcaller": "0x7ffc77be42ab",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000042a"
              },
              {
                "name": "ValueName",
                "value": ""
              },
              {
                "name": "Data",
                "value": "{00000320-0000-0000-C000-000000000046}"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{AF86E2E0-B12D-4c6a-9C5A-D7AA65101E90}\\ProxyStubClsid32\\(Default)"
              }
            ],
            "repeated": 0,
            "id": 1324
          },
          {
            "timestamp": "2026-05-28 22:02:13,916",
            "thread_id": "11136",
            "caller": "0x7ffc77c1fad3",
            "parentcaller": "0x7ffc77be42ab",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000042a"
              }
            ],
            "repeated": 0,
            "id": 1325
          },
          {
            "timestamp": "2026-05-28 22:02:13,916",
            "thread_id": "11136",
            "caller": "0x7ffc77c1fae4",
            "parentcaller": "0x7ffc77be42ab",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000426"
              }
            ],
            "repeated": 0,
            "id": 1326
          },
          {
            "timestamp": "2026-05-28 22:02:13,916",
            "thread_id": "11136",
            "caller": "0x7ffc78013f7a",
            "parentcaller": "0x7ffc770b0ed7",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "29"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1327
          },
          {
            "timestamp": "2026-05-28 22:02:13,916",
            "thread_id": "11136",
            "caller": "0x7ffc770b0cd1",
            "parentcaller": "0x7ffc770af28f",
            "category": "filesystem",
            "api": "NtOpenDirectoryObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "DirectoryHandle",
                "value": "0x00000424"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020001",
                "pretty_value": "FILE_READ_ACCESS|READ_CONTROL"
              },
              {
                "name": "ObjectAttributes",
                "value": "C:\\RPC Control"
              }
            ],
            "repeated": 0,
            "id": 1328
          },
          {
            "timestamp": "2026-05-28 22:02:13,916",
            "thread_id": "11136",
            "caller": "0x7ffc7572026b",
            "parentcaller": "0x7ffc770b0daf",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x00000428"
              }
            ],
            "repeated": 0,
            "id": 1329
          },
          {
            "timestamp": "2026-05-28 22:02:13,916",
            "thread_id": "11136",
            "caller": "0x7ffc78008cde",
            "parentcaller": "0x7ffc78049c4e",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "10"
              },
              {
                "name": "TokenInformation",
                "value": "H\\xc5\n\\x00\\x00\\x00\\x00\\x00]Y\\x02\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x7f\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x94\\x0f\\x00\\x00\\x0e\\x00\\x00\\x00\\x18\\x00\\x00\\x00\t\\xc5\n\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1330
          },
          {
            "timestamp": "2026-05-28 22:02:13,916",
            "thread_id": "11136",
            "caller": "0x7ffc78036e46",
            "parentcaller": "0x7ffc78008d8f",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "4"
              },
              {
                "name": "TokenInformation",
                "value": "\\xc8#He\\xa3\\x02\\x00\\x00\\x01\\x02\\x00\\x00\\x00\\x00\\x00\\x05 \\x00\\x00\\x00 \\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1331
          },
          {
            "timestamp": "2026-05-28 22:02:13,916",
            "thread_id": "11136",
            "caller": "0x7ffc78036e9b",
            "parentcaller": "0x7ffc78008d8f",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "25"
              },
              {
                "name": "TokenInformation",
                "value": "\\xa0\\x05Fe\\xa3\\x02\\x00\\x00`\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x10\\x000\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1332
          },
          {
            "timestamp": "2026-05-28 22:02:13,916",
            "thread_id": "11136",
            "caller": "0x7ffc78036ec0",
            "parentcaller": "0x7ffc78008d8f",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "5"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 1333
          },
          {
            "timestamp": "2026-05-28 22:02:13,916",
            "thread_id": "11136",
            "caller": "0x7ffc78036f0e",
            "parentcaller": "0x7ffc78008d8f",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "5"
              },
              {
                "name": "TokenInformation",
                "value": "X\\xbcBe\\xa3\\x02\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\x01\\x02\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1334
          },
          {
            "timestamp": "2026-05-28 22:02:13,916",
            "thread_id": "11136",
            "caller": "0x7ffc78036f37",
            "parentcaller": "0x7ffc78008d8f",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "6"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 1335
          },
          {
            "timestamp": "2026-05-28 22:02:13,916",
            "thread_id": "11136",
            "caller": "0x7ffc78036f8f",
            "parentcaller": "0x7ffc78008d8f",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "6"
              },
              {
                "name": "TokenInformation",
                "value": "\\x18\\x04Fe\\xa3\\x02\\x00\\x00\\x02\\x00P\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x18\\x00\\x00\\x00\\x00\\x10\\x01\\x02\\x00\\x00\\x00\\x00\\x00\\x05 \\x00\\x00\\x00 \\x02\\x00\\x00\\x00\\x00\\x14\\x00\\x00\\x00\\x00\\x10\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x05\\x12\\x00\\x00\\x00\\x00\\x00\\x1c\\x00\\x00\\x00\\x00\\xa0\\x01\\x03\\x00\\x00\\x00\\x00\\x00\\x05\\x05\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xc7X\\x02\\x00"
              }
            ],
            "repeated": 0,
            "id": 1336
          },
          {
            "timestamp": "2026-05-28 22:02:13,916",
            "thread_id": "11136",
            "caller": "0x7ffc78037048",
            "parentcaller": "0x7ffc78036fa8",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "41"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00X@\\xdd3\\xfc\\x7f\\x00\\x00\\xebP\\xb53\\xfc\\x7f\\x00\\x00H\\x95\\xc9\\xfb\\x02;\\x00\\x00(N\\xd93\\xfc\\x7f\\x00\\x000\\xd4\\xef\\xf8\\xb8\\x00\\x00\\x00(\\xd4\\xef\\xf8\\xb8\\x00\\x00\\x00\\xf8\\xd3\\xef\\xf8\\xb8\\x00\\x00\\x00\\x18\\xd4\\xef\\xf8"
              }
            ],
            "repeated": 0,
            "id": 1337
          },
          {
            "timestamp": "2026-05-28 22:02:13,916",
            "thread_id": "11136",
            "caller": "0x7ffc7803707b",
            "parentcaller": "0x7ffc78036fa8",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "41"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x04Fe\\xa3\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xd9\\xd8\\xb63\\xfc\\x7f\\x00\\x00#\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x18\\xd2\\xef\\xf8\\xb8\\x00\\x00\\x00(\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x9a\\x00\\x1f8\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x86\\xa2\\xd93"
              }
            ],
            "repeated": 0,
            "id": 1338
          },
          {
            "timestamp": "2026-05-28 22:02:13,916",
            "thread_id": "11136",
            "caller": "0x7ffc78008cde",
            "parentcaller": "0x7ffc7800953a",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "10"
              },
              {
                "name": "TokenInformation",
                "value": "H\\xc5\n\\x00\\x00\\x00\\x00\\x00]Y\\x02\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x7f\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x94\\x0f\\x00\\x00\\x0e\\x00\\x00\\x00\\x18\\x00\\x00\\x00\t\\xc5\n\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1339
          },
          {
            "timestamp": "2026-05-28 22:02:13,916",
            "thread_id": "11136",
            "caller": "0x7ffc78036e46",
            "parentcaller": "0x7ffc78008d8f",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "4"
              },
              {
                "name": "TokenInformation",
                "value": "\\x98!He\\xa3\\x02\\x00\\x00\\x01\\x02\\x00\\x00\\x00\\x00\\x00\\x05 \\x00\\x00\\x00 \\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1340
          },
          {
            "timestamp": "2026-05-28 22:02:13,916",
            "thread_id": "11136",
            "caller": "0x7ffc78036e9b",
            "parentcaller": "0x7ffc78008d8f",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "25"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x06Fe\\xa3\\x02\\x00\\x00`\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x10\\x000\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1341
          },
          {
            "timestamp": "2026-05-28 22:02:13,916",
            "thread_id": "11136",
            "caller": "0x7ffc78036ec0",
            "parentcaller": "0x7ffc78008d8f",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "5"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 1342
          },
          {
            "timestamp": "2026-05-28 22:02:13,916",
            "thread_id": "11136",
            "caller": "0x7ffc78036f0e",
            "parentcaller": "0x7ffc78008d8f",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "5"
              },
              {
                "name": "TokenInformation",
                "value": "\\xd8\\xbdBe\\xa3\\x02\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\x01\\x02\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1343
          },
          {
            "timestamp": "2026-05-28 22:02:13,916",
            "thread_id": "11136",
            "caller": "0x7ffc78036f37",
            "parentcaller": "0x7ffc78008d8f",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "6"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 1344
          },
          {
            "timestamp": "2026-05-28 22:02:13,916",
            "thread_id": "11136",
            "caller": "0x7ffc78036f8f",
            "parentcaller": "0x7ffc78008d8f",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "6"
              },
              {
                "name": "TokenInformation",
                "value": "\\xf8\\x08Fe\\xa3\\x02\\x00\\x00\\x02\\x00P\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x18\\x00\\x00\\x00\\x00\\x10\\x01\\x02\\x00\\x00\\x00\\x00\\x00\\x05 \\x00\\x00\\x00 \\x02\\x00\\x00\\x00\\x00\\x14\\x00\\x00\\x00\\x00\\x10\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x05\\x12\\x00\\x00\\x00\\x00\\x00\\x1c\\x00\\x00\\x00\\x00\\xa0\\x01\\x03\\x00\\x00\\x00\\x00\\x00\\x05\\x05\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xc7X\\x02\\x00"
              }
            ],
            "repeated": 0,
            "id": 1345
          },
          {
            "timestamp": "2026-05-28 22:02:13,916",
            "thread_id": "11136",
            "caller": "0x7ffc78037048",
            "parentcaller": "0x7ffc78036fa8",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "41"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00X@\\xdd3\\xfc\\x7f\\x00\\x00\\xebP\\xb53\\xfc\\x7f\\x00\\x00\\xe8\\x96\\xc9\\xfb\\x02;\\x00\\x00(N\\xd93\\xfc\\x7f\\x00\\x00\\x90\\xd0\\xef\\xf8\\xb8\\x00\\x00\\x00\\x88\\xd0\\xef\\xf8\\xb8\\x00\\x00\\x00X\\xd0\\xef\\xf8\\xb8\\x00\\x00\\x00x\\xd0\\xef\\xf8"
              }
            ],
            "repeated": 0,
            "id": 1346
          },
          {
            "timestamp": "2026-05-28 22:02:13,916",
            "thread_id": "11136",
            "caller": "0x7ffc7803707b",
            "parentcaller": "0x7ffc78036fa8",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "41"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xf0\\x08Fe\\xa3\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xd9\\xd8\\xb63\\xfc\\x7f\\x00\\x00#\\x00\\x00\\xc0\\x00\\x00\\x00\\x00x\\xce\\xef\\xf8\\xb8\\x00\\x00\\x00(\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x9a\\x00\\x1f8\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x86\\xa2\\xd93"
              }
            ],
            "repeated": 0,
            "id": 1347
          },
          {
            "timestamp": "2026-05-28 22:02:13,916",
            "thread_id": "11136",
            "caller": "0x7ffc756e6785",
            "parentcaller": "0x7ffc770b0e27",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000424"
              }
            ],
            "repeated": 0,
            "id": 1348
          },
          {
            "timestamp": "2026-05-28 22:02:13,916",
            "thread_id": "11136",
            "caller": "0x7ffc756e6785",
            "parentcaller": "0x7ffc770b0e49",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000428"
              }
            ],
            "repeated": 0,
            "id": 1349
          },
          {
            "timestamp": "2026-05-28 22:02:13,916",
            "thread_id": "11136",
            "caller": "0x7ffc78013f7a",
            "parentcaller": "0x7ffc770b0ed7",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "29"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1350
          },
          {
            "timestamp": "2026-05-28 22:02:13,916",
            "thread_id": "11136",
            "caller": "0x7ffc770b0cd1",
            "parentcaller": "0x7ffc770af28f",
            "category": "filesystem",
            "api": "NtOpenDirectoryObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "DirectoryHandle",
                "value": "0x00000428"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020001",
                "pretty_value": "FILE_READ_ACCESS|READ_CONTROL"
              },
              {
                "name": "ObjectAttributes",
                "value": "C:\\RPC Control"
              }
            ],
            "repeated": 0,
            "id": 1351
          },
          {
            "timestamp": "2026-05-28 22:02:13,916",
            "thread_id": "11136",
            "caller": "0x7ffc7572026b",
            "parentcaller": "0x7ffc770b0daf",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x00000424"
              }
            ],
            "repeated": 0,
            "id": 1352
          },
          {
            "timestamp": "2026-05-28 22:02:13,916",
            "thread_id": "11136",
            "caller": "0x7ffc78008cde",
            "parentcaller": "0x7ffc78049c4e",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "10"
              },
              {
                "name": "TokenInformation",
                "value": "H\\xc5\n\\x00\\x00\\x00\\x00\\x00]Y\\x02\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x7f\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x94\\x0f\\x00\\x00\\x0e\\x00\\x00\\x00\\x18\\x00\\x00\\x00\t\\xc5\n\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1353
          },
          {
            "timestamp": "2026-05-28 22:02:13,916",
            "thread_id": "11136",
            "caller": "0x7ffc78036e46",
            "parentcaller": "0x7ffc78008d8f",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "4"
              },
              {
                "name": "TokenInformation",
                "value": "\\xb8)He\\xa3\\x02\\x00\\x00\\x01\\x02\\x00\\x00\\x00\\x00\\x00\\x05 \\x00\\x00\\x00 \\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1354
          },
          {
            "timestamp": "2026-05-28 22:02:13,916",
            "thread_id": "11136",
            "caller": "0x7ffc78036e9b",
            "parentcaller": "0x7ffc78008d8f",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "25"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\tFe\\xa3\\x02\\x00\\x00`\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x10\\x000\\x00\\x00\\x00\\x00\\x00\\x05 \\x00\\x00\\x00 \\x02\\x00\\x00\\x00\\x00\\x14\\x00\\x00\\x00\\x00\\x10\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x05\\x12\\x00\\x00\\x00\\x00\\x00\\x1c\\x00\\x00\\x00\\x00\\xa0\\x01\\x03\\x00\\x00\\x00\\x00\\x00\\x05\\x05\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1355
          },
          {
            "timestamp": "2026-05-28 22:02:13,916",
            "thread_id": "11136",
            "caller": "0x7ffc78036ec0",
            "parentcaller": "0x7ffc78008d8f",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "5"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 1356
          },
          {
            "timestamp": "2026-05-28 22:02:13,916",
            "thread_id": "11136",
            "caller": "0x7ffc78036f0e",
            "parentcaller": "0x7ffc78008d8f",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "5"
              },
              {
                "name": "TokenInformation",
                "value": "\\xb8\\xbcBe\\xa3\\x02\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\x01\\x02\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1357
          },
          {
            "timestamp": "2026-05-28 22:02:13,916",
            "thread_id": "11136",
            "caller": "0x7ffc78036f37",
            "parentcaller": "0x7ffc78008d8f",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "6"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 1358
          },
          {
            "timestamp": "2026-05-28 22:02:13,916",
            "thread_id": "11136",
            "caller": "0x7ffc78036f8f",
            "parentcaller": "0x7ffc78008d8f",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "6"
              },
              {
                "name": "TokenInformation",
                "value": "\\x98\\x05Fe\\xa3\\x02\\x00\\x00\\x02\\x00P\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x18\\x00\\x00\\x00\\x00\\x10\\x01\\x02\\x00\\x00\\x00\\x00\\x00\\x05 \\x00\\x00\\x00 \\x02\\x00\\x00\\x00\\x00\\x14\\x00\\x00\\x00\\x00\\x10\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x05\\x12\\x00\\x00\\x00\\x00\\x00\\x1c\\x00\\x00\\x00\\x00\\xa0\\x01\\x03\\x00\\x00\\x00\\x00\\x00\\x05\\x05\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xc7X\\x02\\x00"
              }
            ],
            "repeated": 0,
            "id": 1359
          },
          {
            "timestamp": "2026-05-28 22:02:13,916",
            "thread_id": "11136",
            "caller": "0x7ffc78037048",
            "parentcaller": "0x7ffc78036fa8",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "41"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00X@\\xdd3\\xfc\\x7f\\x00\\x00\\xebP\\xb53\\xfc\\x7f\\x00\\x00H\\x95\\xc9\\xfb\\x02;\\x00\\x00(N\\xd93\\xfc\\x7f\\x00\\x000\\xd4\\xef\\xf8\\xb8\\x00\\x00\\x00(\\xd4\\xef\\xf8\\xb8\\x00\\x00\\x00\\xf8\\xd3\\xef\\xf8\\xb8\\x00\\x00\\x00\\x18\\xd4\\xef\\xf8"
              }
            ],
            "repeated": 0,
            "id": 1360
          },
          {
            "timestamp": "2026-05-28 22:02:13,916",
            "thread_id": "11136",
            "caller": "0x7ffc7803707b",
            "parentcaller": "0x7ffc78036fa8",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "41"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x90\\x05Fe\\xa3\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xd9\\xd8\\xb63\\xfc\\x7f\\x00\\x00#\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x18\\xd2\\xef\\xf8\\xb8\\x00\\x00\\x00$\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x9a\\x00\\x1f8\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x86\\xa2\\xd93"
              }
            ],
            "repeated": 0,
            "id": 1361
          },
          {
            "timestamp": "2026-05-28 22:02:13,916",
            "thread_id": "11136",
            "caller": "0x7ffc78008cde",
            "parentcaller": "0x7ffc7800953a",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "10"
              },
              {
                "name": "TokenInformation",
                "value": "H\\xc5\n\\x00\\x00\\x00\\x00\\x00]Y\\x02\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x7f\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x94\\x0f\\x00\\x00\\x0e\\x00\\x00\\x00\\x18\\x00\\x00\\x00\t\\xc5\n\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1362
          },
          {
            "timestamp": "2026-05-28 22:02:13,916",
            "thread_id": "11136",
            "caller": "0x7ffc78036e46",
            "parentcaller": "0x7ffc78008d8f",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "4"
              },
              {
                "name": "TokenInformation",
                "value": "x#He\\xa3\\x02\\x00\\x00\\x01\\x02\\x00\\x00\\x00\\x00\\x00\\x05 \\x00\\x00\\x00 \\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1363
          },
          {
            "timestamp": "2026-05-28 22:02:13,916",
            "thread_id": "11136",
            "caller": "0x7ffc78036e9b",
            "parentcaller": "0x7ffc78008d8f",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "25"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x06Fe\\xa3\\x02\\x00\\x00`\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x10\\x000\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1364
          },
          {
            "timestamp": "2026-05-28 22:02:13,916",
            "thread_id": "11136",
            "caller": "0x7ffc78036ec0",
            "parentcaller": "0x7ffc78008d8f",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "5"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 1365
          },
          {
            "timestamp": "2026-05-28 22:02:13,916",
            "thread_id": "11136",
            "caller": "0x7ffc78036f0e",
            "parentcaller": "0x7ffc78008d8f",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "5"
              },
              {
                "name": "TokenInformation",
                "value": "\\x18\\xbdBe\\xa3\\x02\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\x01\\x02\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1366
          },
          {
            "timestamp": "2026-05-28 22:02:13,916",
            "thread_id": "11136",
            "caller": "0x7ffc78036f37",
            "parentcaller": "0x7ffc78008d8f",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "6"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 1367
          },
          {
            "timestamp": "2026-05-28 22:02:13,916",
            "thread_id": "11136",
            "caller": "0x7ffc78036f8f",
            "parentcaller": "0x7ffc78008d8f",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "6"
              },
              {
                "name": "TokenInformation",
                "value": "\\xf8\\x02Fe\\xa3\\x02\\x00\\x00\\x02\\x00P\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x18\\x00\\x00\\x00\\x00\\x10\\x01\\x02\\x00\\x00\\x00\\x00\\x00\\x05 \\x00\\x00\\x00 \\x02\\x00\\x00\\x00\\x00\\x14\\x00\\x00\\x00\\x00\\x10\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x05\\x12\\x00\\x00\\x00\\x00\\x00\\x1c\\x00\\x00\\x00\\x00\\xa0\\x01\\x03\\x00\\x00\\x00\\x00\\x00\\x05\\x05\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xc7X\\x02\\x00"
              }
            ],
            "repeated": 0,
            "id": 1368
          },
          {
            "timestamp": "2026-05-28 22:02:13,916",
            "thread_id": "11136",
            "caller": "0x7ffc78037048",
            "parentcaller": "0x7ffc78036fa8",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "41"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00X@\\xdd3\\xfc\\x7f\\x00\\x00\\xebP\\xb53\\xfc\\x7f\\x00\\x00\\xe8\\x96\\xc9\\xfb\\x02;\\x00\\x00(N\\xd93\\xfc\\x7f\\x00\\x00\\x90\\xd0\\xef\\xf8\\xb8\\x00\\x00\\x00\\x88\\xd0\\xef\\xf8\\xb8\\x00\\x00\\x00X\\xd0\\xef\\xf8\\xb8\\x00\\x00\\x00x\\xd0\\xef\\xf8"
              }
            ],
            "repeated": 0,
            "id": 1369
          },
          {
            "timestamp": "2026-05-28 22:02:13,916",
            "thread_id": "11136",
            "caller": "0x7ffc7803707b",
            "parentcaller": "0x7ffc78036fa8",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "41"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xf0\\x02Fe\\xa3\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xd9\\xd8\\xb63\\xfc\\x7f\\x00\\x00#\\x00\\x00\\xc0\\x00\\x00\\x00\\x00x\\xce\\xef\\xf8\\xb8\\x00\\x00\\x00$\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x9a\\x00\\x1f8\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x86\\xa2\\xd93"
              }
            ],
            "repeated": 0,
            "id": 1370
          },
          {
            "timestamp": "2026-05-28 22:02:13,916",
            "thread_id": "11136",
            "caller": "0x7ffc756e6785",
            "parentcaller": "0x7ffc770b0e27",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000428"
              }
            ],
            "repeated": 0,
            "id": 1371
          },
          {
            "timestamp": "2026-05-28 22:02:13,916",
            "thread_id": "11136",
            "caller": "0x7ffc756e6785",
            "parentcaller": "0x7ffc770b0e49",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000424"
              }
            ],
            "repeated": 0,
            "id": 1372
          },
          {
            "timestamp": "2026-05-28 22:02:13,916",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtAllocateVirtualMemoryEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2a365483000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1373
          },
          {
            "timestamp": "2026-05-28 22:02:13,916",
            "thread_id": "11132",
            "caller": "0x7ffc756e6785",
            "parentcaller": "0x7ffc77c12ec5",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000414"
              }
            ],
            "repeated": 0,
            "id": 1374
          },
          {
            "timestamp": "2026-05-28 22:02:13,916",
            "thread_id": "11132",
            "caller": "0x7ffc77b9cd6e",
            "parentcaller": "0x7ffc77c12ed4",
            "category": "system",
            "api": "IsDebuggerPresent",
            "status": false,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 1375
          },
          {
            "timestamp": "2026-05-28 22:02:13,916",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "combase.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc77b70000"
              }
            ],
            "repeated": 0,
            "id": 1376
          },
          {
            "timestamp": "2026-05-28 22:02:13,916",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "threading",
            "api": "NtCreateThreadEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0x0000042c"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "StartAddress",
                "value": "0x7ffc77c12d30"
              },
              {
                "name": "Parameter",
                "value": "0x2a365461150"
              },
              {
                "name": "CreateFlags",
                "value": "0x00000001"
              },
              {
                "name": "ThreadId",
                "value": "11140"
              },
              {
                "name": "ProcessId",
                "value": "10720"
              },
              {
                "name": "Module",
                "value": "combase.dll"
              }
            ],
            "repeated": 0,
            "id": 1377
          },
          {
            "timestamp": "2026-05-28 22:02:13,916",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "threading",
            "api": "CreateRemoteThreadEx",
            "status": true,
            "return": "0x0000042c",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "StartRoutine",
                "value": "0x7ffc77c12d30"
              },
              {
                "name": "Parameter",
                "value": "0x2a365461150"
              },
              {
                "name": "CreationFlags",
                "value": "0x00000000"
              },
              {
                "name": "ThreadId",
                "value": "11140"
              },
              {
                "name": "ProcessId",
                "value": "10720"
              }
            ],
            "repeated": 0,
            "id": 1378
          },
          {
            "timestamp": "2026-05-28 22:02:13,916",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000042c"
              }
            ],
            "repeated": 0,
            "id": 1379
          },
          {
            "timestamp": "2026-05-28 22:02:13,916",
            "thread_id": "11140",
            "caller": "0x7ffc77ff2caa",
            "parentcaller": "0x7ffc77ff2fbd",
            "category": "process",
            "api": "NtAllocateVirtualMemoryEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2a36547a000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1380
          },
          {
            "timestamp": "2026-05-28 22:02:13,916",
            "thread_id": "11140",
            "caller": "0x7ffc77ff2caa",
            "parentcaller": "0x7ffc77ff2fbd",
            "category": "process",
            "api": "NtAllocateVirtualMemoryEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2a365484000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1381
          },
          {
            "timestamp": "2026-05-28 22:02:13,916",
            "thread_id": "11140",
            "caller": "0x7ffc75704448",
            "parentcaller": "0x7ffc1ec3f766",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x3ed800229000"
              },
              {
                "name": "RegionSize",
                "value": "0x00002000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1382
          },
          {
            "timestamp": "2026-05-28 22:02:13,916",
            "thread_id": "11140",
            "caller": "0x7ffc75704448",
            "parentcaller": "0x7ffc1ec3f766",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x3edc0015c000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1383
          },
          {
            "timestamp": "2026-05-28 22:02:13,916",
            "thread_id": "11140",
            "caller": "0x7ffc7804507d",
            "parentcaller": "0x7ffc78044c43",
            "category": "threading",
            "api": "NtTestAlert",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 1384
          },
          {
            "timestamp": "2026-05-28 22:02:13,916",
            "thread_id": "11140",
            "caller": "0x00000000",
            "parentcaller": "0x00000000",
            "category": "threading",
            "api": "RtlUserThreadStart",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "StartAddress",
                "value": "0x7ffc77c12d30"
              },
              {
                "name": "Parameter",
                "value": "0x2a365461150"
              }
            ],
            "repeated": 0,
            "id": 1385
          },
          {
            "timestamp": "2026-05-28 22:02:13,916",
            "thread_id": "11140",
            "caller": "0x7ffc77ff2caa",
            "parentcaller": "0x7ffc77ff2fbd",
            "category": "process",
            "api": "NtAllocateVirtualMemoryEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2a365469000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1386
          },
          {
            "timestamp": "2026-05-28 22:02:13,916",
            "thread_id": "11140",
            "caller": "0x7ffc77ff2caa",
            "parentcaller": "0x7ffc77ff2fbd",
            "category": "process",
            "api": "NtAllocateVirtualMemoryEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2a36546a000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1387
          },
          {
            "timestamp": "2026-05-28 22:02:13,916",
            "thread_id": "11140",
            "caller": "0x7ffc75716f4c",
            "parentcaller": "0x7ffc770cef53",
            "category": "system",
            "api": "NtDuplicateObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SourceProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "SourceHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "TargetProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "TargetHandle",
                "value": "0x0000043c"
              },
              {
                "name": "Options",
                "value": "0x00000002"
              }
            ],
            "repeated": 0,
            "id": 1388
          },
          {
            "timestamp": "2026-05-28 22:02:13,916",
            "thread_id": "11140",
            "caller": "0x7ffc77ba22bf",
            "parentcaller": "0x7ffc77c1fbe4",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x000003c6"
              },
              {
                "name": "SubKey",
                "value": "Interface\\{50AC103F-D235-4598-BBEF-98FE4D1A3AD4}"
              },
              {
                "name": "Handle",
                "value": "0x00000442"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\Interface\\{50AC103F-D235-4598-BBEF-98FE4D1A3AD4}"
              }
            ],
            "repeated": 0,
            "id": 1389
          },
          {
            "timestamp": "2026-05-28 22:02:13,916",
            "thread_id": "11140",
            "caller": "0x7ffc77c1fa51",
            "parentcaller": "0x7ffc77be42ab",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000442"
              },
              {
                "name": "SubKey",
                "value": "ProxyStubClsid32"
              },
              {
                "name": "Handle",
                "value": "0x00000446"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{50ac103f-d235-4598-bbef-98fe4d1a3ad4}\\ProxyStubClsid32"
              }
            ],
            "repeated": 0,
            "id": 1390
          },
          {
            "timestamp": "2026-05-28 22:02:13,916",
            "thread_id": "11140",
            "caller": "0x7ffc77c1fa8c",
            "parentcaller": "0x7ffc77be42ab",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000446"
              },
              {
                "name": "ValueName",
                "value": ""
              },
              {
                "name": "Data",
                "value": "{6db7cd52-e3b7-4ecc-bb1f-388aeef6bb50}"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{50ac103f-d235-4598-bbef-98fe4d1a3ad4}\\ProxyStubClsid32\\(Default)"
              }
            ],
            "repeated": 0,
            "id": 1391
          },
          {
            "timestamp": "2026-05-28 22:02:13,916",
            "thread_id": "11140",
            "caller": "0x7ffc77c1fad3",
            "parentcaller": "0x7ffc77be42ab",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000446"
              }
            ],
            "repeated": 0,
            "id": 1392
          },
          {
            "timestamp": "2026-05-28 22:02:13,916",
            "thread_id": "11140",
            "caller": "0x7ffc77c1fae4",
            "parentcaller": "0x7ffc77be42ab",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000442"
              }
            ],
            "repeated": 0,
            "id": 1393
          },
          {
            "timestamp": "2026-05-28 22:02:13,916",
            "thread_id": "11140",
            "caller": "0x7ffc77ba7b74",
            "parentcaller": "0x7ffc77ba53d4",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x0000036a"
              },
              {
                "name": "SubKey",
                "value": "CLSID\\{6DB7CD52-E3B7-4ECC-BB1F-388AEEF6BB50}"
              },
              {
                "name": "Handle",
                "value": "0x00000442"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{6DB7CD52-E3B7-4ECC-BB1F-388AEEF6BB50}"
              }
            ],
            "repeated": 0,
            "id": 1394
          },
          {
            "timestamp": "2026-05-28 22:02:13,916",
            "thread_id": "11140",
            "caller": "0x7ffc756e45a7",
            "parentcaller": "0x7ffc756e0705",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000442"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\CLSID\\{6db7cd52-e3b7-4ecc-bb1f-388aeef6bb50}"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 1395
          },
          {
            "timestamp": "2026-05-28 22:02:13,916",
            "thread_id": "11140",
            "caller": "0x7ffc756e2314",
            "parentcaller": "0x7ffc756e0732",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000442"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 1396
          },
          {
            "timestamp": "2026-05-28 22:02:13,916",
            "thread_id": "11140",
            "caller": "0x7ffc78006c8b",
            "parentcaller": "0x7ffc756e23a0",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": " \\xd1\\xff\\xf8\\xb8\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xfc\\x7f\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\xe9\\x03\\x00\\x00\\xfc\\x7f\\x00\\x00\\xb8\\xcf\\xd93\\xfc\\x7f\\x00\\x00B\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\xe0\\xd2\\xd93\\xfc\\x7f\\x00\\x00\\x04\\x00\\x00\\x00\\xb8\\x00\\x00\\x00 \\xd2\\xff\\xf8\\xb8\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1397
          },
          {
            "timestamp": "2026-05-28 22:02:13,916",
            "thread_id": "11140",
            "caller": "0x7ffc756e24a8",
            "parentcaller": "0x7ffc756e0732",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3968686040-3210279463-847977608-1001_Classes\\CLSID\\{6db7cd52-e3b7-4ecc-bb1f-388aeef6bb50}\\TreatAs"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{6db7cd52-e3b7-4ecc-bb1f-388aeef6bb50}\\TreatAs"
              }
            ],
            "repeated": 0,
            "id": 1398
          },
          {
            "timestamp": "2026-05-28 22:02:13,916",
            "thread_id": "11140",
            "caller": "0x7ffc756e40c4",
            "parentcaller": "0x7ffc756e25c4",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000442"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 1399
          },
          {
            "timestamp": "2026-05-28 22:02:13,916",
            "thread_id": "11140",
            "caller": "0x7ffc756e25e2",
            "parentcaller": "0x7ffc756e0732",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000442"
              },
              {
                "name": "ObjectAttributesName",
                "value": "TreatAs"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{6db7cd52-e3b7-4ecc-bb1f-388aeef6bb50}\\TreatAs"
              }
            ],
            "repeated": 0,
            "id": 1400
          },
          {
            "timestamp": "2026-05-28 22:02:13,916",
            "thread_id": "11140",
            "caller": "0x7ffc77c322e1",
            "parentcaller": "0x7ffc77ba7c1d",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000442"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\CLSID\\{6db7cd52-e3b7-4ecc-bb1f-388aeef6bb50}"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 1401
          },
          {
            "timestamp": "2026-05-28 22:02:13,916",
            "thread_id": "11140",
            "caller": "0x7ffc756e2e92",
            "parentcaller": "0x7ffc77ba81f5",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000442"
              },
              {
                "name": "ValueName",
                "value": "ActivateOnHostFlags"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{6db7cd52-e3b7-4ecc-bb1f-388aeef6bb50}\\ActivateOnHostFlags"
              }
            ],
            "repeated": 0,
            "id": 1402
          },
          {
            "timestamp": "2026-05-28 22:02:13,916",
            "thread_id": "11140",
            "caller": "0x7ffc756e2e92",
            "parentcaller": "0x7ffc77ba870d",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000442"
              },
              {
                "name": "ValueName",
                "value": ""
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{6db7cd52-e3b7-4ecc-bb1f-388aeef6bb50}\\(Default)"
              }
            ],
            "repeated": 0,
            "id": 1403
          },
          {
            "timestamp": "2026-05-28 22:02:13,916",
            "thread_id": "11140",
            "caller": "0x7ffc756e2e92",
            "parentcaller": "0x7ffc77ba87bc",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000442"
              },
              {
                "name": "ValueName",
                "value": ""
              },
              {
                "name": "Data",
                "value": "Windows Push Notification Developer Proxy Stub"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{6db7cd52-e3b7-4ecc-bb1f-388aeef6bb50}\\(Default)"
              }
            ],
            "repeated": 0,
            "id": 1404
          },
          {
            "timestamp": "2026-05-28 22:02:13,916",
            "thread_id": "11140",
            "caller": "0x7ffc77ba8485",
            "parentcaller": "0x7ffc77ba829e",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000442"
              },
              {
                "name": "SubKey",
                "value": "InprocServer32"
              },
              {
                "name": "Handle",
                "value": "0x00000446"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{6db7cd52-e3b7-4ecc-bb1f-388aeef6bb50}\\InprocServer32"
              }
            ],
            "repeated": 0,
            "id": 1405
          },
          {
            "timestamp": "2026-05-28 22:02:13,916",
            "thread_id": "11140",
            "caller": "0x7ffc756e2e92",
            "parentcaller": "0x7ffc77ba870d",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000446"
              },
              {
                "name": "ValueName",
                "value": "InprocServer32"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{6db7cd52-e3b7-4ecc-bb1f-388aeef6bb50}\\InProcServer32\\InprocServer32"
              }
            ],
            "repeated": 0,
            "id": 1406
          },
          {
            "timestamp": "2026-05-28 22:02:13,916",
            "thread_id": "11140",
            "caller": "0x7ffc756e2e92",
            "parentcaller": "0x7ffc77ba870d",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000446"
              },
              {
                "name": "ValueName",
                "value": ""
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{6db7cd52-e3b7-4ecc-bb1f-388aeef6bb50}\\InProcServer32\\(Default)"
              }
            ],
            "repeated": 0,
            "id": 1407
          },
          {
            "timestamp": "2026-05-28 22:02:13,916",
            "thread_id": "11140",
            "caller": "0x7ffc75704aa9",
            "parentcaller": "0x7ffc756e31c6",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000446"
              },
              {
                "name": "ValueName",
                "value": ""
              },
              {
                "name": "Data",
                "value": "%SystemRoot%\\System32\\wpnapps.dll"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{6db7cd52-e3b7-4ecc-bb1f-388aeef6bb50}\\InProcServer32\\(Default)"
              }
            ],
            "repeated": 1,
            "id": 1408
          },
          {
            "timestamp": "2026-05-28 22:02:13,916",
            "thread_id": "11140",
            "caller": "0x7ffc756e2e92",
            "parentcaller": "0x7ffc77ba8d32",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000446"
              },
              {
                "name": "ValueName",
                "value": "ThreadingModel"
              },
              {
                "name": "Data",
                "value": "Both"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{6db7cd52-e3b7-4ecc-bb1f-388aeef6bb50}\\InProcServer32\\ThreadingModel"
              }
            ],
            "repeated": 0,
            "id": 1409
          },
          {
            "timestamp": "2026-05-28 22:02:13,916",
            "thread_id": "11140",
            "caller": "0x7ffc77ba855f",
            "parentcaller": "0x7ffc77ba829e",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000446"
              }
            ],
            "repeated": 0,
            "id": 1410
          },
          {
            "timestamp": "2026-05-28 22:02:13,916",
            "thread_id": "11140",
            "caller": "0x7ffc756e45a7",
            "parentcaller": "0x7ffc756e0705",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000442"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\CLSID\\{6db7cd52-e3b7-4ecc-bb1f-388aeef6bb50}"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 1411
          },
          {
            "timestamp": "2026-05-28 22:02:13,916",
            "thread_id": "11140",
            "caller": "0x7ffc756e2314",
            "parentcaller": "0x7ffc756e0732",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000442"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 1412
          },
          {
            "timestamp": "2026-05-28 22:02:13,916",
            "thread_id": "11140",
            "caller": "0x7ffc78006c8b",
            "parentcaller": "0x7ffc756e23a0",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xb0\\xcf\\xff\\xf8\\xb8\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xfc\\x7f\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\xe9\\x03\\x00\\x00\\xfc\\x7f\\x00\\x00\\xb8\\xcf\\xd93\\xfc\\x7f\\x00\\x00B\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\xe0\\xd2\\xd93\\xfc\\x7f\\x00\\x00\\x04\\x00\\x00\\x00\\xb8\\x00\\x00\\x00\\xb0\\xd0\\xff\\xf8\\xb8\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1413
          },
          {
            "timestamp": "2026-05-28 22:02:13,916",
            "thread_id": "11140",
            "caller": "0x7ffc756e24a8",
            "parentcaller": "0x7ffc756e0732",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3968686040-3210279463-847977608-1001_Classes\\CLSID\\{6db7cd52-e3b7-4ecc-bb1f-388aeef6bb50}\\InprocHandler32"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{6db7cd52-e3b7-4ecc-bb1f-388aeef6bb50}\\InprocHandler32"
              }
            ],
            "repeated": 0,
            "id": 1414
          },
          {
            "timestamp": "2026-05-28 22:02:13,916",
            "thread_id": "11140",
            "caller": "0x7ffc756e40c4",
            "parentcaller": "0x7ffc756e25c4",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000442"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 1415
          },
          {
            "timestamp": "2026-05-28 22:02:13,916",
            "thread_id": "11140",
            "caller": "0x7ffc756e25e2",
            "parentcaller": "0x7ffc756e0732",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000442"
              },
              {
                "name": "ObjectAttributesName",
                "value": "InprocHandler32"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{6db7cd52-e3b7-4ecc-bb1f-388aeef6bb50}\\InprocHandler32"
              }
            ],
            "repeated": 0,
            "id": 1416
          },
          {
            "timestamp": "2026-05-28 22:02:13,916",
            "thread_id": "11140",
            "caller": "0x7ffc756e45a7",
            "parentcaller": "0x7ffc756e0705",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000442"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\CLSID\\{6db7cd52-e3b7-4ecc-bb1f-388aeef6bb50}"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 1417
          },
          {
            "timestamp": "2026-05-28 22:02:13,916",
            "thread_id": "11140",
            "caller": "0x7ffc756e2314",
            "parentcaller": "0x7ffc756e0732",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000442"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 1418
          },
          {
            "timestamp": "2026-05-28 22:02:13,916",
            "thread_id": "11140",
            "caller": "0x7ffc78006c8b",
            "parentcaller": "0x7ffc756e23a0",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xb0\\xcf\\xff\\xf8\\xb8\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xfc\\x7f\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\xe9\\x03\\x00\\x00\\xfc\\x7f\\x00\\x00\\xb8\\xcf\\xd93\\xfc\\x7f\\x00\\x00B\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\xe0\\xd2\\xd93\\xfc\\x7f\\x00\\x00\\x04\\x00\\x00\\x00\\xb8\\x00\\x00\\x00\\xb0\\xd0\\xff\\xf8\\xb8\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1419
          },
          {
            "timestamp": "2026-05-28 22:02:13,916",
            "thread_id": "11140",
            "caller": "0x7ffc756e24a8",
            "parentcaller": "0x7ffc756e0732",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3968686040-3210279463-847977608-1001_Classes\\CLSID\\{6db7cd52-e3b7-4ecc-bb1f-388aeef6bb50}\\InprocHandler"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{6db7cd52-e3b7-4ecc-bb1f-388aeef6bb50}\\InprocHandler"
              }
            ],
            "repeated": 0,
            "id": 1420
          },
          {
            "timestamp": "2026-05-28 22:02:13,916",
            "thread_id": "11140",
            "caller": "0x7ffc756e40c4",
            "parentcaller": "0x7ffc756e25c4",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000442"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 1421
          },
          {
            "timestamp": "2026-05-28 22:02:13,916",
            "thread_id": "11140",
            "caller": "0x7ffc756e25e2",
            "parentcaller": "0x7ffc756e0732",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000442"
              },
              {
                "name": "ObjectAttributesName",
                "value": "InprocHandler"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{6db7cd52-e3b7-4ecc-bb1f-388aeef6bb50}\\InprocHandler"
              }
            ],
            "repeated": 0,
            "id": 1422
          },
          {
            "timestamp": "2026-05-28 22:02:13,916",
            "thread_id": "11140",
            "caller": "0x7ffc77ba8010",
            "parentcaller": "0x7ffc77ba53d4",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000442"
              }
            ],
            "repeated": 0,
            "id": 1423
          },
          {
            "timestamp": "2026-05-28 22:02:13,916",
            "thread_id": "11140",
            "caller": "0x7ffc756d30ce",
            "parentcaller": "0x7ffc77c22cd1",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 1424
          },
          {
            "timestamp": "2026-05-28 22:02:13,916",
            "thread_id": "11140",
            "caller": "0x7ffc756d30ce",
            "parentcaller": "0x7ffc77c22cd1",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000037c"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 1425
          },
          {
            "timestamp": "2026-05-28 22:02:13,916",
            "thread_id": "11140",
            "caller": "0x7ffc756df588",
            "parentcaller": "0x7ffc765f2712",
            "category": "process",
            "api": "NtOpenSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000440"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000004"
              },
              {
                "name": "ObjectAttributes",
                "value": "Global\\__ComCatalogCache__"
              }
            ],
            "repeated": 0,
            "id": 1426
          },
          {
            "timestamp": "2026-05-28 22:02:13,916",
            "thread_id": "11140",
            "caller": "0x7ffc7571c386",
            "parentcaller": "0x7ffc7571c25e",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000440"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2a36adf0000"
              },
              {
                "name": "SectionOffset",
                "value": "0xb8f8ffd8e0"
              },
              {
                "name": "ViewSize",
                "value": "0x00001000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1427
          },
          {
            "timestamp": "2026-05-28 22:02:13,916",
            "thread_id": "11140",
            "caller": "0x7ffc77ba7b74",
            "parentcaller": "0x7ffc77ba53d4",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x0000036a"
              },
              {
                "name": "SubKey",
                "value": "CLSID\\{6DB7CD52-E3B7-4ECC-BB1F-388AEEF6BB50}"
              },
              {
                "name": "Handle",
                "value": "0x00000446"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{6DB7CD52-E3B7-4ECC-BB1F-388AEEF6BB50}"
              }
            ],
            "repeated": 0,
            "id": 1428
          },
          {
            "timestamp": "2026-05-28 22:02:13,916",
            "thread_id": "11140",
            "caller": "0x7ffc756e45a7",
            "parentcaller": "0x7ffc756e0705",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000446"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\CLSID\\{6db7cd52-e3b7-4ecc-bb1f-388aeef6bb50}"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 1429
          },
          {
            "timestamp": "2026-05-28 22:02:13,916",
            "thread_id": "11140",
            "caller": "0x7ffc756e2314",
            "parentcaller": "0x7ffc756e0732",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000446"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 1430
          },
          {
            "timestamp": "2026-05-28 22:02:13,916",
            "thread_id": "11140",
            "caller": "0x7ffc78006c8b",
            "parentcaller": "0x7ffc756e23a0",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xe0\\xcd\\xff\\xf8\\xb8\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xfc\\x7f\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\xe9\\x03\\x00\\x00\\xfc\\x7f\\x00\\x00\\xb8\\xcf\\xd93\\xfc\\x7f\\x00\\x00F\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\xe0\\xd2\\xd93\\xfc\\x7f\\x00\\x00\\x04\\x00\\x00\\x00\\xb8\\x00\\x00\\x00\\xe0\\xce\\xff\\xf8\\xb8\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1431
          },
          {
            "timestamp": "2026-05-28 22:02:13,916",
            "thread_id": "11140",
            "caller": "0x7ffc756e24a8",
            "parentcaller": "0x7ffc756e0732",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3968686040-3210279463-847977608-1001_Classes\\CLSID\\{6db7cd52-e3b7-4ecc-bb1f-388aeef6bb50}\\TreatAs"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{6db7cd52-e3b7-4ecc-bb1f-388aeef6bb50}\\TreatAs"
              }
            ],
            "repeated": 0,
            "id": 1432
          },
          {
            "timestamp": "2026-05-28 22:02:13,916",
            "thread_id": "11140",
            "caller": "0x7ffc756e40c4",
            "parentcaller": "0x7ffc756e25c4",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000446"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 1433
          },
          {
            "timestamp": "2026-05-28 22:02:13,916",
            "thread_id": "11140",
            "caller": "0x7ffc756e25e2",
            "parentcaller": "0x7ffc756e0732",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000446"
              },
              {
                "name": "ObjectAttributesName",
                "value": "TreatAs"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{6db7cd52-e3b7-4ecc-bb1f-388aeef6bb50}\\TreatAs"
              }
            ],
            "repeated": 0,
            "id": 1434
          },
          {
            "timestamp": "2026-05-28 22:02:13,916",
            "thread_id": "11140",
            "caller": "0x7ffc77c322e1",
            "parentcaller": "0x7ffc77ba7c1d",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000446"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\CLSID\\{6db7cd52-e3b7-4ecc-bb1f-388aeef6bb50}"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 1435
          },
          {
            "timestamp": "2026-05-28 22:02:13,916",
            "thread_id": "11140",
            "caller": "0x7ffc756e2e92",
            "parentcaller": "0x7ffc77ba81f5",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000446"
              },
              {
                "name": "ValueName",
                "value": "ActivateOnHostFlags"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{6db7cd52-e3b7-4ecc-bb1f-388aeef6bb50}\\ActivateOnHostFlags"
              }
            ],
            "repeated": 0,
            "id": 1436
          },
          {
            "timestamp": "2026-05-28 22:02:13,916",
            "thread_id": "11140",
            "caller": "0x7ffc756e2e92",
            "parentcaller": "0x7ffc77ba870d",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000446"
              },
              {
                "name": "ValueName",
                "value": ""
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{6db7cd52-e3b7-4ecc-bb1f-388aeef6bb50}\\(Default)"
              }
            ],
            "repeated": 0,
            "id": 1437
          },
          {
            "timestamp": "2026-05-28 22:02:13,916",
            "thread_id": "11140",
            "caller": "0x7ffc756e2e92",
            "parentcaller": "0x7ffc77ba87bc",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000446"
              },
              {
                "name": "ValueName",
                "value": ""
              },
              {
                "name": "Data",
                "value": "Windows Push Notification Developer Proxy Stub"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{6db7cd52-e3b7-4ecc-bb1f-388aeef6bb50}\\(Default)"
              }
            ],
            "repeated": 0,
            "id": 1438
          },
          {
            "timestamp": "2026-05-28 22:02:13,916",
            "thread_id": "11140",
            "caller": "0x7ffc77ba8485",
            "parentcaller": "0x7ffc77ba829e",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000446"
              },
              {
                "name": "SubKey",
                "value": "InprocServer32"
              },
              {
                "name": "Handle",
                "value": "0x0000044a"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{6db7cd52-e3b7-4ecc-bb1f-388aeef6bb50}\\InprocServer32"
              }
            ],
            "repeated": 0,
            "id": 1439
          },
          {
            "timestamp": "2026-05-28 22:02:13,916",
            "thread_id": "11140",
            "caller": "0x7ffc756e2e92",
            "parentcaller": "0x7ffc77ba870d",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000044a"
              },
              {
                "name": "ValueName",
                "value": "InprocServer32"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{6db7cd52-e3b7-4ecc-bb1f-388aeef6bb50}\\InProcServer32\\InprocServer32"
              }
            ],
            "repeated": 0,
            "id": 1440
          },
          {
            "timestamp": "2026-05-28 22:02:13,916",
            "thread_id": "11140",
            "caller": "0x7ffc756e2e92",
            "parentcaller": "0x7ffc77ba870d",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000044a"
              },
              {
                "name": "ValueName",
                "value": ""
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{6db7cd52-e3b7-4ecc-bb1f-388aeef6bb50}\\InProcServer32\\(Default)"
              }
            ],
            "repeated": 0,
            "id": 1441
          },
          {
            "timestamp": "2026-05-28 22:02:13,916",
            "thread_id": "11140",
            "caller": "0x7ffc75704aa9",
            "parentcaller": "0x7ffc756e31c6",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000044a"
              },
              {
                "name": "ValueName",
                "value": ""
              },
              {
                "name": "Data",
                "value": "%SystemRoot%\\System32\\wpnapps.dll"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{6db7cd52-e3b7-4ecc-bb1f-388aeef6bb50}\\InProcServer32\\(Default)"
              }
            ],
            "repeated": 1,
            "id": 1442
          },
          {
            "timestamp": "2026-05-28 22:02:13,916",
            "thread_id": "11140",
            "caller": "0x7ffc756e2e92",
            "parentcaller": "0x7ffc77ba8d32",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000044a"
              },
              {
                "name": "ValueName",
                "value": "ThreadingModel"
              },
              {
                "name": "Data",
                "value": "Both"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{6db7cd52-e3b7-4ecc-bb1f-388aeef6bb50}\\InProcServer32\\ThreadingModel"
              }
            ],
            "repeated": 0,
            "id": 1443
          },
          {
            "timestamp": "2026-05-28 22:02:13,916",
            "thread_id": "11140",
            "caller": "0x7ffc77ba855f",
            "parentcaller": "0x7ffc77ba829e",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000044a"
              }
            ],
            "repeated": 0,
            "id": 1444
          },
          {
            "timestamp": "2026-05-28 22:02:13,916",
            "thread_id": "11140",
            "caller": "0x7ffc756e45a7",
            "parentcaller": "0x7ffc756e0705",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000446"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\CLSID\\{6db7cd52-e3b7-4ecc-bb1f-388aeef6bb50}"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 1445
          },
          {
            "timestamp": "2026-05-28 22:02:13,916",
            "thread_id": "11140",
            "caller": "0x7ffc756e2314",
            "parentcaller": "0x7ffc756e0732",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000446"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 1446
          },
          {
            "timestamp": "2026-05-28 22:02:13,916",
            "thread_id": "11140",
            "caller": "0x7ffc78006c8b",
            "parentcaller": "0x7ffc756e23a0",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "p\\xcc\\xff\\xf8\\xb8\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xfc\\x7f\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\xe9\\x03\\x00\\x00\\xfc\\x7f\\x00\\x00\\xb8\\xcf\\xd93\\xfc\\x7f\\x00\\x00F\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\xe0\\xd2\\xd93\\xfc\\x7f\\x00\\x00\\x04\\x00\\x00\\x00\\xb8\\x00\\x00\\x00p\\xcd\\xff\\xf8\\xb8\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1447
          },
          {
            "timestamp": "2026-05-28 22:02:13,916",
            "thread_id": "11140",
            "caller": "0x7ffc756e24a8",
            "parentcaller": "0x7ffc756e0732",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3968686040-3210279463-847977608-1001_Classes\\CLSID\\{6db7cd52-e3b7-4ecc-bb1f-388aeef6bb50}\\InprocHandler32"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{6db7cd52-e3b7-4ecc-bb1f-388aeef6bb50}\\InprocHandler32"
              }
            ],
            "repeated": 0,
            "id": 1448
          },
          {
            "timestamp": "2026-05-28 22:02:13,916",
            "thread_id": "11140",
            "caller": "0x7ffc756e40c4",
            "parentcaller": "0x7ffc756e25c4",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000446"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 1449
          },
          {
            "timestamp": "2026-05-28 22:02:13,916",
            "thread_id": "11140",
            "caller": "0x7ffc756e25e2",
            "parentcaller": "0x7ffc756e0732",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000446"
              },
              {
                "name": "ObjectAttributesName",
                "value": "InprocHandler32"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{6db7cd52-e3b7-4ecc-bb1f-388aeef6bb50}\\InprocHandler32"
              }
            ],
            "repeated": 0,
            "id": 1450
          },
          {
            "timestamp": "2026-05-28 22:02:13,916",
            "thread_id": "11140",
            "caller": "0x7ffc756e45a7",
            "parentcaller": "0x7ffc756e0705",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000446"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\CLSID\\{6db7cd52-e3b7-4ecc-bb1f-388aeef6bb50}"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 1451
          },
          {
            "timestamp": "2026-05-28 22:02:13,916",
            "thread_id": "11140",
            "caller": "0x7ffc756e2314",
            "parentcaller": "0x7ffc756e0732",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000446"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 1452
          },
          {
            "timestamp": "2026-05-28 22:02:13,916",
            "thread_id": "11140",
            "caller": "0x7ffc78006c8b",
            "parentcaller": "0x7ffc756e23a0",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "p\\xcc\\xff\\xf8\\xb8\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xfc\\x7f\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\xe9\\x03\\x00\\x00\\xfc\\x7f\\x00\\x00\\xb8\\xcf\\xd93\\xfc\\x7f\\x00\\x00F\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\xe0\\xd2\\xd93\\xfc\\x7f\\x00\\x00\\x04\\x00\\x00\\x00\\xb8\\x00\\x00\\x00p\\xcd\\xff\\xf8\\xb8\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1453
          },
          {
            "timestamp": "2026-05-28 22:02:13,916",
            "thread_id": "11140",
            "caller": "0x7ffc756e24a8",
            "parentcaller": "0x7ffc756e0732",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3968686040-3210279463-847977608-1001_Classes\\CLSID\\{6db7cd52-e3b7-4ecc-bb1f-388aeef6bb50}\\InprocHandler"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{6db7cd52-e3b7-4ecc-bb1f-388aeef6bb50}\\InprocHandler"
              }
            ],
            "repeated": 0,
            "id": 1454
          },
          {
            "timestamp": "2026-05-28 22:02:13,916",
            "thread_id": "11140",
            "caller": "0x7ffc756e40c4",
            "parentcaller": "0x7ffc756e25c4",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000446"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 1455
          },
          {
            "timestamp": "2026-05-28 22:02:13,916",
            "thread_id": "11140",
            "caller": "0x7ffc756e25e2",
            "parentcaller": "0x7ffc756e0732",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000446"
              },
              {
                "name": "ObjectAttributesName",
                "value": "InprocHandler"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{6db7cd52-e3b7-4ecc-bb1f-388aeef6bb50}\\InprocHandler"
              }
            ],
            "repeated": 0,
            "id": 1456
          },
          {
            "timestamp": "2026-05-28 22:02:13,916",
            "thread_id": "11140",
            "caller": "0x7ffc77baab08",
            "parentcaller": "0x7ffc77baa7d9",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000446"
              },
              {
                "name": "SubKey",
                "value": "LocalServer32"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{6db7cd52-e3b7-4ecc-bb1f-388aeef6bb50}\\LocalServer32"
              }
            ],
            "repeated": 0,
            "id": 1457
          },
          {
            "timestamp": "2026-05-28 22:02:13,916",
            "thread_id": "11140",
            "caller": "0x7ffc756e2e92",
            "parentcaller": "0x7ffc77baa825",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000446"
              },
              {
                "name": "ValueName",
                "value": "AppID"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{6db7cd52-e3b7-4ecc-bb1f-388aeef6bb50}\\AppID"
              }
            ],
            "repeated": 0,
            "id": 1458
          },
          {
            "timestamp": "2026-05-28 22:02:13,916",
            "thread_id": "11140",
            "caller": "0x7ffc756e45a7",
            "parentcaller": "0x7ffc756e0705",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000446"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\CLSID\\{6db7cd52-e3b7-4ecc-bb1f-388aeef6bb50}"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 1459
          },
          {
            "timestamp": "2026-05-28 22:02:13,916",
            "thread_id": "11140",
            "caller": "0x7ffc756e2314",
            "parentcaller": "0x7ffc756e0732",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000446"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 1460
          },
          {
            "timestamp": "2026-05-28 22:02:13,916",
            "thread_id": "11140",
            "caller": "0x7ffc78006c8b",
            "parentcaller": "0x7ffc756e23a0",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xb0\\xcb\\xff\\xf8\\xb8\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xfc\\x7f\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\xe9\\x03\\x00\\x00\\xfc\\x7f\\x00\\x00\\xb8\\xcf\\xd93\\xfc\\x7f\\x00\\x00F\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\xe0\\xd2\\xd93\\xfc\\x7f\\x00\\x00\\x04\\x00\\x00\\x00\\xb8\\x00\\x00\\x00\\xb0\\xcc\\xff\\xf8\\xb8\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1461
          },
          {
            "timestamp": "2026-05-28 22:02:13,916",
            "thread_id": "11140",
            "caller": "0x7ffc756e24a8",
            "parentcaller": "0x7ffc756e0732",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3968686040-3210279463-847977608-1001_Classes\\CLSID\\{6db7cd52-e3b7-4ecc-bb1f-388aeef6bb50}\\LocalServer"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{6db7cd52-e3b7-4ecc-bb1f-388aeef6bb50}\\LocalServer"
              }
            ],
            "repeated": 0,
            "id": 1462
          },
          {
            "timestamp": "2026-05-28 22:02:13,916",
            "thread_id": "11140",
            "caller": "0x7ffc756e40c4",
            "parentcaller": "0x7ffc756e25c4",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000446"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 1463
          },
          {
            "timestamp": "2026-05-28 22:02:13,916",
            "thread_id": "11140",
            "caller": "0x7ffc756e25e2",
            "parentcaller": "0x7ffc756e0732",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000446"
              },
              {
                "name": "ObjectAttributesName",
                "value": "LocalServer"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{6db7cd52-e3b7-4ecc-bb1f-388aeef6bb50}\\LocalServer"
              }
            ],
            "repeated": 0,
            "id": 1464
          },
          {
            "timestamp": "2026-05-28 22:02:13,916",
            "thread_id": "11140",
            "caller": "0x7ffc77baad16",
            "parentcaller": "0x7ffc77ba83b8",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x0000036a"
              },
              {
                "name": "SubKey",
                "value": "CLSID\\{6DB7CD52-E3B7-4ECC-BB1F-388AEEF6BB50}"
              },
              {
                "name": "Handle",
                "value": "0x0000034e"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{6DB7CD52-E3B7-4ECC-BB1F-388AEEF6BB50}"
              }
            ],
            "repeated": 0,
            "id": 1465
          },
          {
            "timestamp": "2026-05-28 22:02:13,916",
            "thread_id": "11140",
            "caller": "0x7ffc77baad4d",
            "parentcaller": "0x7ffc77ba83b8",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x0000034e"
              },
              {
                "name": "SubKey",
                "value": "Elevation"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{6db7cd52-e3b7-4ecc-bb1f-388aeef6bb50}\\Elevation"
              }
            ],
            "repeated": 0,
            "id": 1466
          },
          {
            "timestamp": "2026-05-28 22:02:13,916",
            "thread_id": "11140",
            "caller": "0x7ffc77baadb1",
            "parentcaller": "0x7ffc77ba83b8",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000034e"
              }
            ],
            "repeated": 0,
            "id": 1467
          },
          {
            "timestamp": "2026-05-28 22:02:13,916",
            "thread_id": "11140",
            "caller": "0x7ffc77ba8010",
            "parentcaller": "0x7ffc77ba53d4",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000446"
              }
            ],
            "repeated": 0,
            "id": 1468
          },
          {
            "timestamp": "2026-05-28 22:02:13,916",
            "thread_id": "11140",
            "caller": "0x7ffc77ba22bf",
            "parentcaller": "0x7ffc77ba25e9",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x000003c6"
              },
              {
                "name": "SubKey",
                "value": "CLSID\\{6DB7CD52-E3B7-4ECC-BB1F-388AEEF6BB50}"
              },
              {
                "name": "Handle",
                "value": "0x00000446"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{6DB7CD52-E3B7-4ECC-BB1F-388AEEF6BB50}"
              }
            ],
            "repeated": 0,
            "id": 1469
          },
          {
            "timestamp": "2026-05-28 22:02:13,916",
            "thread_id": "11140",
            "caller": "0x7ffc77c1f8f8",
            "parentcaller": "0x7ffc77ba213b",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000446"
              },
              {
                "name": "SubKey",
                "value": "TreatAs"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{6db7cd52-e3b7-4ecc-bb1f-388aeef6bb50}\\TreatAs"
              }
            ],
            "repeated": 0,
            "id": 1470
          },
          {
            "timestamp": "2026-05-28 22:02:13,916",
            "thread_id": "11140",
            "caller": "0x7ffc77ba2160",
            "parentcaller": "0x7ffc77b99277",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000446"
              }
            ],
            "repeated": 0,
            "id": 1471
          },
          {
            "timestamp": "2026-05-28 22:02:13,916",
            "thread_id": "11140",
            "caller": "0x7ffc756d30ce",
            "parentcaller": "0x7ffc77c22cd1",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 1472
          },
          {
            "timestamp": "2026-05-28 22:02:13,916",
            "thread_id": "11140",
            "caller": "0x7ffc756d30ce",
            "parentcaller": "0x7ffc77c22cd1",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000037c"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 1473
          },
          {
            "timestamp": "2026-05-28 22:02:13,916",
            "thread_id": "11140",
            "caller": "0x7ffc78013f7a",
            "parentcaller": "0x7ffc770b0ed7",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "29"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1474
          },
          {
            "timestamp": "2026-05-28 22:02:13,916",
            "thread_id": "11140",
            "caller": "0x7ffc770b0cd1",
            "parentcaller": "0x7ffc770af28f",
            "category": "filesystem",
            "api": "NtOpenDirectoryObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "DirectoryHandle",
                "value": "0x00000444"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020001",
                "pretty_value": "FILE_READ_ACCESS|READ_CONTROL"
              },
              {
                "name": "ObjectAttributes",
                "value": "C:\\RPC Control"
              }
            ],
            "repeated": 0,
            "id": 1475
          },
          {
            "timestamp": "2026-05-28 22:02:13,916",
            "thread_id": "11140",
            "caller": "0x7ffc77ff2caa",
            "parentcaller": "0x7ffc77ff2fbd",
            "category": "process",
            "api": "NtAllocateVirtualMemoryEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2a365485000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1476
          },
          {
            "timestamp": "2026-05-28 22:02:13,916",
            "thread_id": "11140",
            "caller": "0x7ffc7572026b",
            "parentcaller": "0x7ffc770b0daf",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x0000034c"
              }
            ],
            "repeated": 0,
            "id": 1477
          },
          {
            "timestamp": "2026-05-28 22:02:13,916",
            "thread_id": "11140",
            "caller": "0x7ffc78008cde",
            "parentcaller": "0x7ffc78049c4e",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "10"
              },
              {
                "name": "TokenInformation",
                "value": "H\\xc5\n\\x00\\x00\\x00\\x00\\x00]Y\\x02\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x7f\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x94\\x0f\\x00\\x00\\x0e\\x00\\x00\\x00\\x18\\x00\\x00\\x00\t\\xc5\n\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1478
          },
          {
            "timestamp": "2026-05-28 22:02:13,916",
            "thread_id": "11140",
            "caller": "0x7ffc78036e46",
            "parentcaller": "0x7ffc78008d8f",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "4"
              },
              {
                "name": "TokenInformation",
                "value": "x#He\\xa3\\x02\\x00\\x00\\x01\\x02\\x00\\x00\\x00\\x00\\x00\\x05 \\x00\\x00\\x00 \\x02\\x00\\x00y\\x00s\\x00t\\x00e\\x00m\\x003\\x002\\x00\\\\x00w\\x00p\\x00n\\x00a\\x00p\\x00p\\x00s\\x00.\\x00d\\x00l\\x00l\\x00\\x00\\x00l\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1479
          },
          {
            "timestamp": "2026-05-28 22:02:13,916",
            "thread_id": "11140",
            "caller": "0x7ffc78036e9b",
            "parentcaller": "0x7ffc78008d8f",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "25"
              },
              {
                "name": "TokenInformation",
                "value": "\\xc0\tFe\\xa3\\x02\\x00\\x00`\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x10\\x000\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1480
          },
          {
            "timestamp": "2026-05-28 22:02:13,916",
            "thread_id": "11140",
            "caller": "0x7ffc78036ec0",
            "parentcaller": "0x7ffc78008d8f",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "5"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 1481
          },
          {
            "timestamp": "2026-05-28 22:02:13,916",
            "thread_id": "11140",
            "caller": "0x7ffc78036f0e",
            "parentcaller": "0x7ffc78008d8f",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "5"
              },
              {
                "name": "TokenInformation",
                "value": "\\xb8\\xbcBe\\xa3\\x02\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\x01\\x02\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1482
          },
          {
            "timestamp": "2026-05-28 22:02:13,916",
            "thread_id": "11140",
            "caller": "0x7ffc78036f37",
            "parentcaller": "0x7ffc78008d8f",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "6"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 1483
          },
          {
            "timestamp": "2026-05-28 22:02:13,916",
            "thread_id": "11140",
            "caller": "0x7ffc78036f8f",
            "parentcaller": "0x7ffc78008d8f",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "6"
              },
              {
                "name": "TokenInformation",
                "value": "\\x98\\x0bFe\\xa3\\x02\\x00\\x00\\x02\\x00P\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x18\\x00\\x00\\x00\\x00\\x10\\x01\\x02\\x00\\x00\\x00\\x00\\x00\\x05 \\x00\\x00\\x00 \\x02\\x00\\x00\\x00\\x00\\x14\\x00\\x00\\x00\\x00\\x10\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x05\\x12\\x00\\x00\\x00\\x00\\x00\\x1c\\x00\\x00\\x00\\x00\\xa0\\x01\\x03\\x00\\x00\\x00\\x00\\x00\\x05\\x05\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xc7X\\x02\\x00"
              }
            ],
            "repeated": 0,
            "id": 1484
          },
          {
            "timestamp": "2026-05-28 22:02:13,916",
            "thread_id": "11140",
            "caller": "0x7ffc78037048",
            "parentcaller": "0x7ffc78036fa8",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "41"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00X@\\xdd3\\xfc\\x7f\\x00\\x00\\xebP\\xb53\\xfc\\x7f\\x00\\x00\\x08\\x88\\xd9\\xfb\\x02;\\x00\\x00(N\\xd93\\xfc\\x7f\\x00\\x00p\\xdf\\xff\\xf8\\xb8\\x00\\x00\\x00h\\xdf\\xff\\xf8\\xb8\\x00\\x00\\x008\\xdf\\xff\\xf8\\xb8\\x00\\x00\\x00X\\xdf\\xff\\xf8"
              }
            ],
            "repeated": 0,
            "id": 1485
          },
          {
            "timestamp": "2026-05-28 22:02:13,916",
            "thread_id": "11140",
            "caller": "0x7ffc7803707b",
            "parentcaller": "0x7ffc78036fa8",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "41"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x90\\x0bFe\\xa3\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xd9\\xd8\\xb63\\xfc\\x7f\\x00\\x00#\\x00\\x00\\xc0\\x00\\x00\\x00\\x00X\\xdd\\xff\\xf8\\xb8\\x00\\x00\\x00L\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x9a\\x00\\x1f8\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x86\\xa2\\xd93"
              }
            ],
            "repeated": 0,
            "id": 1486
          },
          {
            "timestamp": "2026-05-28 22:02:13,916",
            "thread_id": "11140",
            "caller": "0x7ffc78008cde",
            "parentcaller": "0x7ffc7800953a",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "10"
              },
              {
                "name": "TokenInformation",
                "value": "H\\xc5\n\\x00\\x00\\x00\\x00\\x00]Y\\x02\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x7f\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x94\\x0f\\x00\\x00\\x0e\\x00\\x00\\x00\\x18\\x00\\x00\\x00\t\\xc5\n\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1487
          },
          {
            "timestamp": "2026-05-28 22:02:13,916",
            "thread_id": "11140",
            "caller": "0x7ffc78036e46",
            "parentcaller": "0x7ffc78008d8f",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "4"
              },
              {
                "name": "TokenInformation",
                "value": "X He\\xa3\\x02\\x00\\x00\\x01\\x02\\x00\\x00\\x00\\x00\\x00\\x05 \\x00\\x00\\x00 \\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1488
          },
          {
            "timestamp": "2026-05-28 22:02:13,916",
            "thread_id": "11140",
            "caller": "0x7ffc78036e9b",
            "parentcaller": "0x7ffc78008d8f",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "25"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x06Fe\\xa3\\x02\\x00\\x00`\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x10\\x000\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1489
          },
          {
            "timestamp": "2026-05-28 22:02:13,916",
            "thread_id": "11140",
            "caller": "0x7ffc78036ec0",
            "parentcaller": "0x7ffc78008d8f",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "5"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 1490
          },
          {
            "timestamp": "2026-05-28 22:02:13,916",
            "thread_id": "11140",
            "caller": "0x7ffc78036f0e",
            "parentcaller": "0x7ffc78008d8f",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "5"
              },
              {
                "name": "TokenInformation",
                "value": "8\\xbeBe\\xa3\\x02\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\x01\\x02\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1491
          },
          {
            "timestamp": "2026-05-28 22:02:13,916",
            "thread_id": "11140",
            "caller": "0x7ffc78036f37",
            "parentcaller": "0x7ffc78008d8f",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "6"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 1492
          },
          {
            "timestamp": "2026-05-28 22:02:13,916",
            "thread_id": "11140",
            "caller": "0x7ffc78036f8f",
            "parentcaller": "0x7ffc78008d8f",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "6"
              },
              {
                "name": "TokenInformation",
                "value": "X\\x06Fe\\xa3\\x02\\x00\\x00\\x02\\x00P\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x18\\x00\\x00\\x00\\x00\\x10\\x01\\x02\\x00\\x00\\x00\\x00\\x00\\x05 \\x00\\x00\\x00 \\x02\\x00\\x00\\x00\\x00\\x14\\x00\\x00\\x00\\x00\\x10\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x05\\x12\\x00\\x00\\x00\\x00\\x00\\x1c\\x00\\x00\\x00\\x00\\xa0\\x01\\x03\\x00\\x00\\x00\\x00\\x00\\x05\\x05\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xc7X\\x02\\x00"
              }
            ],
            "repeated": 0,
            "id": 1493
          },
          {
            "timestamp": "2026-05-28 22:02:13,916",
            "thread_id": "11140",
            "caller": "0x7ffc78037048",
            "parentcaller": "0x7ffc78036fa8",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "41"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00X@\\xdd3\\xfc\\x7f\\x00\\x00\\xebP\\xb53\\xfc\\x7f\\x00\\x00\\xa8\\x8d\\xd9\\xfb\\x02;\\x00\\x00(N\\xd93\\xfc\\x7f\\x00\\x00\\xd0\\xdb\\xff\\xf8\\xb8\\x00\\x00\\x00\\xc8\\xdb\\xff\\xf8\\xb8\\x00\\x00\\x00\\x98\\xdb\\xff\\xf8\\xb8\\x00\\x00\\x00\\xb8\\xdb\\xff\\xf8"
              }
            ],
            "repeated": 0,
            "id": 1494
          },
          {
            "timestamp": "2026-05-28 22:02:13,916",
            "thread_id": "11140",
            "caller": "0x7ffc7803707b",
            "parentcaller": "0x7ffc78036fa8",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "41"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00P\\x06Fe\\xa3\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xd9\\xd8\\xb63\\xfc\\x7f\\x00\\x00#\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\xb8\\xd9\\xff\\xf8\\xb8\\x00\\x00\\x00L\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x9a\\x00\\x1f8\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x86\\xa2\\xd93"
              }
            ],
            "repeated": 0,
            "id": 1495
          },
          {
            "timestamp": "2026-05-28 22:02:13,916",
            "thread_id": "11140",
            "caller": "0x7ffc756e6785",
            "parentcaller": "0x7ffc770b0e27",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000444"
              }
            ],
            "repeated": 0,
            "id": 1496
          },
          {
            "timestamp": "2026-05-28 22:02:13,916",
            "thread_id": "11140",
            "caller": "0x7ffc756e6785",
            "parentcaller": "0x7ffc770b0e49",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000034c"
              }
            ],
            "repeated": 0,
            "id": 1497
          },
          {
            "timestamp": "2026-05-28 22:02:13,916",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "IsDebuggerPresent",
            "status": false,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 1498
          },
          {
            "timestamp": "2026-05-28 22:02:13,916",
            "thread_id": "11136",
            "caller": "0x7ffc756e6785",
            "parentcaller": "0x7ffc77c12ec5",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000434"
              }
            ],
            "repeated": 0,
            "id": 1499
          },
          {
            "timestamp": "2026-05-28 22:02:13,916",
            "thread_id": "11136",
            "caller": "0x7ffc77b9cd6e",
            "parentcaller": "0x7ffc77c12ed4",
            "category": "system",
            "api": "IsDebuggerPresent",
            "status": false,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 1500
          },
          {
            "timestamp": "2026-05-28 22:02:13,916",
            "thread_id": "11136",
            "caller": "0x7ffc77ba22bf",
            "parentcaller": "0x7ffc77c1fbe4",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x000003c6"
              },
              {
                "name": "SubKey",
                "value": "Interface\\{7AB93C52-0E48-4750-BA9D-1A4113981847}"
              },
              {
                "name": "Handle",
                "value": "0x00000436"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\Interface\\{7AB93C52-0E48-4750-BA9D-1A4113981847}"
              }
            ],
            "repeated": 0,
            "id": 1501
          },
          {
            "timestamp": "2026-05-28 22:02:13,916",
            "thread_id": "11136",
            "caller": "0x7ffc77c1fa51",
            "parentcaller": "0x7ffc77be42ab",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000436"
              },
              {
                "name": "SubKey",
                "value": "ProxyStubClsid32"
              },
              {
                "name": "Handle",
                "value": "0x00000446"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{7ab93c52-0e48-4750-ba9d-1a4113981847}\\ProxyStubClsid32"
              }
            ],
            "repeated": 0,
            "id": 1502
          },
          {
            "timestamp": "2026-05-28 22:02:13,916",
            "thread_id": "11136",
            "caller": "0x7ffc77c1fa8c",
            "parentcaller": "0x7ffc77be42ab",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000446"
              },
              {
                "name": "ValueName",
                "value": ""
              },
              {
                "name": "Data",
                "value": "{6db7cd52-e3b7-4ecc-bb1f-388aeef6bb50}"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{7ab93c52-0e48-4750-ba9d-1a4113981847}\\ProxyStubClsid32\\(Default)"
              }
            ],
            "repeated": 0,
            "id": 1503
          },
          {
            "timestamp": "2026-05-28 22:02:13,916",
            "thread_id": "11136",
            "caller": "0x7ffc77c1fad3",
            "parentcaller": "0x7ffc77be42ab",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000446"
              }
            ],
            "repeated": 0,
            "id": 1504
          },
          {
            "timestamp": "2026-05-28 22:02:13,916",
            "thread_id": "11136",
            "caller": "0x7ffc77c1fae4",
            "parentcaller": "0x7ffc77be42ab",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000436"
              }
            ],
            "repeated": 0,
            "id": 1505
          },
          {
            "timestamp": "2026-05-28 22:02:13,916",
            "thread_id": "11136",
            "caller": "0x7ffc756d30ce",
            "parentcaller": "0x7ffc77c22cd1",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 1506
          },
          {
            "timestamp": "2026-05-28 22:02:13,916",
            "thread_id": "11136",
            "caller": "0x7ffc756d30ce",
            "parentcaller": "0x7ffc77c22cd1",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000037c"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 1507
          },
          {
            "timestamp": "2026-05-28 22:02:13,916",
            "thread_id": "11136",
            "caller": "0x7ffc78013f7a",
            "parentcaller": "0x7ffc770b0ed7",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "29"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1508
          },
          {
            "timestamp": "2026-05-28 22:02:13,916",
            "thread_id": "11136",
            "caller": "0x7ffc770b0cd1",
            "parentcaller": "0x7ffc770af28f",
            "category": "filesystem",
            "api": "NtOpenDirectoryObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "DirectoryHandle",
                "value": "0x00000434"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020001",
                "pretty_value": "FILE_READ_ACCESS|READ_CONTROL"
              },
              {
                "name": "ObjectAttributes",
                "value": "C:\\RPC Control"
              }
            ],
            "repeated": 0,
            "id": 1509
          },
          {
            "timestamp": "2026-05-28 22:02:13,916",
            "thread_id": "11136",
            "caller": "0x7ffc7572026b",
            "parentcaller": "0x7ffc770b0daf",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x00000444"
              }
            ],
            "repeated": 0,
            "id": 1510
          },
          {
            "timestamp": "2026-05-28 22:02:13,916",
            "thread_id": "11136",
            "caller": "0x7ffc78008cde",
            "parentcaller": "0x7ffc78049c4e",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "10"
              },
              {
                "name": "TokenInformation",
                "value": "H\\xc5\n\\x00\\x00\\x00\\x00\\x00]Y\\x02\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x7f\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x94\\x0f\\x00\\x00\\x0e\\x00\\x00\\x00\\x18\\x00\\x00\\x00\t\\xc5\n\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1511
          },
          {
            "timestamp": "2026-05-28 22:02:13,916",
            "thread_id": "11136",
            "caller": "0x7ffc78036e46",
            "parentcaller": "0x7ffc78008d8f",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "4"
              },
              {
                "name": "TokenInformation",
                "value": "8\"He\\xa3\\x02\\x00\\x00\\x01\\x02\\x00\\x00\\x00\\x00\\x00\\x05 \\x00\\x00\\x00 \\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1512
          },
          {
            "timestamp": "2026-05-28 22:02:13,916",
            "thread_id": "11136",
            "caller": "0x7ffc78036e9b",
            "parentcaller": "0x7ffc78008d8f",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "25"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\tFe\\xa3\\x02\\x00\\x00`\\x00\\x00\\x00s\\x00 \\x00\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x10\\x000\\x00\\x00o\\x00t\\x00i\\x00f\\x00i\\x00c\\x00a\\x00t\\x00i\\x00o\\x00n\\x00 \\x00D\\x00e\\x00v\\x00e\\x00l\\x00o\\x00p\\x00e\\x00r\\x00 \\x00P\\x00r\\x00o\\x00x\\x00y\\x00 \\x00"
              }
            ],
            "repeated": 0,
            "id": 1513
          },
          {
            "timestamp": "2026-05-28 22:02:13,916",
            "thread_id": "11136",
            "caller": "0x7ffc78036ec0",
            "parentcaller": "0x7ffc78008d8f",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "5"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 1514
          },
          {
            "timestamp": "2026-05-28 22:02:13,916",
            "thread_id": "11136",
            "caller": "0x7ffc78036f0e",
            "parentcaller": "0x7ffc78008d8f",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "5"
              },
              {
                "name": "TokenInformation",
                "value": "X\\xbcBe\\xa3\\x02\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\x01\\x02\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1515
          },
          {
            "timestamp": "2026-05-28 22:02:13,916",
            "thread_id": "11136",
            "caller": "0x7ffc78036f37",
            "parentcaller": "0x7ffc78008d8f",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "6"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 1516
          },
          {
            "timestamp": "2026-05-28 22:02:13,916",
            "thread_id": "11136",
            "caller": "0x7ffc78036f8f",
            "parentcaller": "0x7ffc78008d8f",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "6"
              },
              {
                "name": "TokenInformation",
                "value": "\\xb8\tFe\\xa3\\x02\\x00\\x00\\x02\\x00P\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x18\\x00\\x00\\x00\\x00\\x10\\x01\\x02\\x00\\x00\\x00\\x00\\x00\\x05 \\x00\\x00\\x00 \\x02\\x00\\x00\\x00\\x00\\x14\\x00\\x00\\x00\\x00\\x10\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x05\\x12\\x00\\x00\\x00\\x00\\x00\\x1c\\x00\\x00\\x00\\x00\\xa0\\x01\\x03\\x00\\x00\\x00\\x00\\x00\\x05\\x05\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xc7X\\x02\\x00"
              }
            ],
            "repeated": 0,
            "id": 1517
          },
          {
            "timestamp": "2026-05-28 22:02:13,916",
            "thread_id": "11136",
            "caller": "0x7ffc78037048",
            "parentcaller": "0x7ffc78036fa8",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "41"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00X@\\xdd3\\xfc\\x7f\\x00\\x00\\xebP\\xb53\\xfc\\x7f\\x00\\x00X\\x8b\\xc9\\xfb\\x02;\\x00\\x00(N\\xd93\\xfc\\x7f\\x00\\x00 \\xde\\xef\\xf8\\xb8\\x00\\x00\\x00\\x18\\xde\\xef\\xf8\\xb8\\x00\\x00\\x00\\xe8\\xdd\\xef\\xf8\\xb8\\x00\\x00\\x00\\x08\\xde\\xef\\xf8"
              }
            ],
            "repeated": 0,
            "id": 1518
          },
          {
            "timestamp": "2026-05-28 22:02:13,916",
            "thread_id": "11136",
            "caller": "0x7ffc7803707b",
            "parentcaller": "0x7ffc78036fa8",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "41"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb0\tFe\\xa3\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xd9\\xd8\\xb63\\xfc\\x7f\\x00\\x00#\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x08\\xdc\\xef\\xf8\\xb8\\x00\\x00\\x00D\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x9a\\x00\\x1f8\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x86\\xa2\\xd93"
              }
            ],
            "repeated": 0,
            "id": 1519
          },
          {
            "timestamp": "2026-05-28 22:02:13,916",
            "thread_id": "11136",
            "caller": "0x7ffc78008cde",
            "parentcaller": "0x7ffc7800953a",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "10"
              },
              {
                "name": "TokenInformation",
                "value": "H\\xc5\n\\x00\\x00\\x00\\x00\\x00]Y\\x02\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x7f\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x94\\x0f\\x00\\x00\\x0e\\x00\\x00\\x00\\x18\\x00\\x00\\x00\t\\xc5\n\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1520
          },
          {
            "timestamp": "2026-05-28 22:02:13,916",
            "thread_id": "11136",
            "caller": "0x7ffc78036e46",
            "parentcaller": "0x7ffc78008d8f",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "4"
              },
              {
                "name": "TokenInformation",
                "value": "\\xe8&He\\xa3\\x02\\x00\\x00\\x01\\x02\\x00\\x00\\x00\\x00\\x00\\x05 \\x00\\x00\\x00 \\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1521
          },
          {
            "timestamp": "2026-05-28 22:02:13,916",
            "thread_id": "11136",
            "caller": "0x7ffc78036e9b",
            "parentcaller": "0x7ffc78008d8f",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "25"
              },
              {
                "name": "TokenInformation",
                "value": "\\xa0\\x0bFe\\xa3\\x02\\x00\\x00`\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x10\\x000\\x00\\x00\\x00\\x00\\x00\\x05 \\x00\\x00\\x00 \\x02\\x00\\x00\\x00\\x00\\x14\\x00\\x00\\x00\\x00\\x10\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x05\\x12\\x00\\x00\\x00\\x00\\x00\\x1c\\x00\\x00\\x00\\x00\\xa0\\x01\\x03\\x00\\x00\\x00\\x00\\x00\\x05\\x05\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1522
          },
          {
            "timestamp": "2026-05-28 22:02:13,916",
            "thread_id": "11136",
            "caller": "0x7ffc78036ec0",
            "parentcaller": "0x7ffc78008d8f",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "5"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 1523
          },
          {
            "timestamp": "2026-05-28 22:02:13,916",
            "thread_id": "11136",
            "caller": "0x7ffc78036f0e",
            "parentcaller": "0x7ffc78008d8f",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "5"
              },
              {
                "name": "TokenInformation",
                "value": "\\x98\\xbeBe\\xa3\\x02\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\x01\\x02\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1524
          },
          {
            "timestamp": "2026-05-28 22:02:13,916",
            "thread_id": "11136",
            "caller": "0x7ffc78036f37",
            "parentcaller": "0x7ffc78008d8f",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "6"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 1525
          },
          {
            "timestamp": "2026-05-28 22:02:13,916",
            "thread_id": "11136",
            "caller": "0x7ffc78036f8f",
            "parentcaller": "0x7ffc78008d8f",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "6"
              },
              {
                "name": "TokenInformation",
                "value": "X\\x06Fe\\xa3\\x02\\x00\\x00\\x02\\x00P\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x18\\x00\\x00\\x00\\x00\\x10\\x01\\x02\\x00\\x00\\x00\\x00\\x00\\x05 \\x00\\x00\\x00 \\x02\\x00\\x00\\x00\\x00\\x14\\x00\\x00\\x00\\x00\\x10\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x05\\x12\\x00\\x00\\x00\\x00\\x00\\x1c\\x00\\x00\\x00\\x00\\xa0\\x01\\x03\\x00\\x00\\x00\\x00\\x00\\x05\\x05\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xc7X\\x02\\x00"
              }
            ],
            "repeated": 0,
            "id": 1526
          },
          {
            "timestamp": "2026-05-28 22:02:13,916",
            "thread_id": "11136",
            "caller": "0x7ffc78037048",
            "parentcaller": "0x7ffc78036fa8",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "41"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00X@\\xdd3\\xfc\\x7f\\x00\\x00\\xebP\\xb53\\xfc\\x7f\\x00\\x00\\xf8\\x8c\\xc9\\xfb\\x02;\\x00\\x00(N\\xd93\\xfc\\x7f\\x00\\x00\\x80\\xda\\xef\\xf8\\xb8\\x00\\x00\\x00x\\xda\\xef\\xf8\\xb8\\x00\\x00\\x00H\\xda\\xef\\xf8\\xb8\\x00\\x00\\x00h\\xda\\xef\\xf8"
              }
            ],
            "repeated": 0,
            "id": 1527
          },
          {
            "timestamp": "2026-05-28 22:02:13,916",
            "thread_id": "11136",
            "caller": "0x7ffc7803707b",
            "parentcaller": "0x7ffc78036fa8",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "41"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00P\\x06Fe\\xa3\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xd9\\xd8\\xb63\\xfc\\x7f\\x00\\x00#\\x00\\x00\\xc0\\x00\\x00\\x00\\x00h\\xd8\\xef\\xf8\\xb8\\x00\\x00\\x00D\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x9a\\x00\\x1f8\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x86\\xa2\\xd93"
              }
            ],
            "repeated": 0,
            "id": 1528
          },
          {
            "timestamp": "2026-05-28 22:02:13,916",
            "thread_id": "11136",
            "caller": "0x7ffc756e6785",
            "parentcaller": "0x7ffc770b0e27",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000434"
              }
            ],
            "repeated": 0,
            "id": 1529
          },
          {
            "timestamp": "2026-05-28 22:02:13,916",
            "thread_id": "11136",
            "caller": "0x7ffc756e6785",
            "parentcaller": "0x7ffc770b0e49",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000444"
              }
            ],
            "repeated": 0,
            "id": 1530
          },
          {
            "timestamp": "2026-05-28 22:02:13,916",
            "thread_id": "11132",
            "caller": "0x7ffc756e6785",
            "parentcaller": "0x7ffc77c12ec5",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000042c"
              }
            ],
            "repeated": 0,
            "id": 1531
          },
          {
            "timestamp": "2026-05-28 22:02:13,916",
            "thread_id": "11132",
            "caller": "0x7ffc77b9cd6e",
            "parentcaller": "0x7ffc77c12ed4",
            "category": "system",
            "api": "IsDebuggerPresent",
            "status": false,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 1532
          },
          {
            "timestamp": "2026-05-28 22:02:13,916",
            "thread_id": "11132",
            "caller": "0x7ffc77ba22bf",
            "parentcaller": "0x7ffc77c1fbe4",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x000003c6"
              },
              {
                "name": "SubKey",
                "value": "Interface\\{5CADDC63-01D3-4C97-986F-0533483FEE14}"
              },
              {
                "name": "Handle",
                "value": "0x0000042e"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\Interface\\{5CADDC63-01D3-4C97-986F-0533483FEE14}"
              }
            ],
            "repeated": 0,
            "id": 1533
          },
          {
            "timestamp": "2026-05-28 22:02:13,916",
            "thread_id": "11132",
            "caller": "0x7ffc77c1fa51",
            "parentcaller": "0x7ffc77be42ab",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x0000042e"
              },
              {
                "name": "SubKey",
                "value": "ProxyStubClsid32"
              },
              {
                "name": "Handle",
                "value": "0x000003da"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{5caddc63-01d3-4c97-986f-0533483fee14}\\ProxyStubClsid32"
              }
            ],
            "repeated": 0,
            "id": 1534
          },
          {
            "timestamp": "2026-05-28 22:02:13,916",
            "thread_id": "11132",
            "caller": "0x7ffc77c1fa8c",
            "parentcaller": "0x7ffc77be42ab",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003da"
              },
              {
                "name": "ValueName",
                "value": ""
              },
              {
                "name": "Data",
                "value": "{6db7cd52-e3b7-4ecc-bb1f-388aeef6bb50}"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{5caddc63-01d3-4c97-986f-0533483fee14}\\ProxyStubClsid32\\(Default)"
              }
            ],
            "repeated": 0,
            "id": 1535
          },
          {
            "timestamp": "2026-05-28 22:02:13,916",
            "thread_id": "11132",
            "caller": "0x7ffc77c1fad3",
            "parentcaller": "0x7ffc77be42ab",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003da"
              }
            ],
            "repeated": 0,
            "id": 1536
          },
          {
            "timestamp": "2026-05-28 22:02:13,916",
            "thread_id": "11132",
            "caller": "0x7ffc77c1fae4",
            "parentcaller": "0x7ffc77be42ab",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000042e"
              }
            ],
            "repeated": 0,
            "id": 1537
          },
          {
            "timestamp": "2026-05-28 22:02:13,916",
            "thread_id": "11132",
            "caller": "0x7ffc756d30ce",
            "parentcaller": "0x7ffc77c22cd1",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 1538
          },
          {
            "timestamp": "2026-05-28 22:02:13,916",
            "thread_id": "11132",
            "caller": "0x7ffc756d30ce",
            "parentcaller": "0x7ffc77c22cd1",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000037c"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 1539
          },
          {
            "timestamp": "2026-05-28 22:02:13,916",
            "thread_id": "11132",
            "caller": "0x7ffc78013f7a",
            "parentcaller": "0x7ffc770b0ed7",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "29"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1540
          },
          {
            "timestamp": "2026-05-28 22:02:13,916",
            "thread_id": "11132",
            "caller": "0x7ffc770b0cd1",
            "parentcaller": "0x7ffc770af28f",
            "category": "filesystem",
            "api": "NtOpenDirectoryObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "DirectoryHandle",
                "value": "0x0000042c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020001",
                "pretty_value": "FILE_READ_ACCESS|READ_CONTROL"
              },
              {
                "name": "ObjectAttributes",
                "value": "C:\\RPC Control"
              }
            ],
            "repeated": 0,
            "id": 1541
          },
          {
            "timestamp": "2026-05-28 22:02:13,916",
            "thread_id": "11132",
            "caller": "0x7ffc7572026b",
            "parentcaller": "0x7ffc770b0daf",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x000003d8"
              }
            ],
            "repeated": 0,
            "id": 1542
          },
          {
            "timestamp": "2026-05-28 22:02:13,916",
            "thread_id": "11132",
            "caller": "0x7ffc78008cde",
            "parentcaller": "0x7ffc78049c4e",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "10"
              },
              {
                "name": "TokenInformation",
                "value": "H\\xc5\n\\x00\\x00\\x00\\x00\\x00]Y\\x02\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x7f\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x94\\x0f\\x00\\x00\\x0e\\x00\\x00\\x00\\x18\\x00\\x00\\x00\t\\xc5\n\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1543
          },
          {
            "timestamp": "2026-05-28 22:02:13,916",
            "thread_id": "11132",
            "caller": "0x7ffc78036e46",
            "parentcaller": "0x7ffc78008d8f",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "4"
              },
              {
                "name": "TokenInformation",
                "value": "\\xc8#He\\xa3\\x02\\x00\\x00\\x01\\x02\\x00\\x00\\x00\\x00\\x00\\x05 \\x00\\x00\\x00 \\x02\\x00\\x00y\\x00s\\x00t\\x00e\\x00m\\x003\\x002\\x00\\\\x00w\\x00p\\x00n\\x00a\\x00p\\x00p\\x00s\\x00.\\x00d\\x00l\\x00l\\x00\\x00\\x00l\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1544
          },
          {
            "timestamp": "2026-05-28 22:02:13,916",
            "thread_id": "11132",
            "caller": "0x7ffc78036e9b",
            "parentcaller": "0x7ffc78008d8f",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "25"
              },
              {
                "name": "TokenInformation",
                "value": "\\xa0\\x0bFe\\xa3\\x02\\x00\\x00`\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x10\\x000\\x00\\x00\\x00\\x00\\x00\\x05 \\x00\\x00\\x00 \\x02\\x00\\x00\\x00\\x00\\x14\\x00\\x00\\x00\\x00\\x10\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x05\\x12\\x00\\x00\\x00\\x00\\x00\\x1c\\x00\\x00\\x00\\x00\\xa0\\x01\\x03\\x00\\x00\\x00\\x00\\x00\\x05\\x05\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1545
          },
          {
            "timestamp": "2026-05-28 22:02:13,916",
            "thread_id": "11132",
            "caller": "0x7ffc78036ec0",
            "parentcaller": "0x7ffc78008d8f",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "5"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 1546
          },
          {
            "timestamp": "2026-05-28 22:02:13,916",
            "thread_id": "11132",
            "caller": "0x7ffc78036f0e",
            "parentcaller": "0x7ffc78008d8f",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "5"
              },
              {
                "name": "TokenInformation",
                "value": "\\x98\\xbeBe\\xa3\\x02\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\x01\\x02\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1547
          },
          {
            "timestamp": "2026-05-28 22:02:13,916",
            "thread_id": "11132",
            "caller": "0x7ffc78036f37",
            "parentcaller": "0x7ffc78008d8f",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "6"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 1548
          },
          {
            "timestamp": "2026-05-28 22:02:13,916",
            "thread_id": "11132",
            "caller": "0x7ffc78036f8f",
            "parentcaller": "0x7ffc78008d8f",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "6"
              },
              {
                "name": "TokenInformation",
                "value": "X\\x0fFe\\xa3\\x02\\x00\\x00\\x02\\x00P\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x18\\x00\\x00\\x00\\x00\\x10\\x01\\x02\\x00\\x00\\x00\\x00\\x00\\x05 \\x00\\x00\\x00 \\x02\\x00\\x00\\x00\\x00\\x14\\x00\\x00\\x00\\x00\\x10\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x05\\x12\\x00\\x00\\x00\\x00\\x00\\x1c\\x00\\x00\\x00\\x00\\xa0\\x01\\x03\\x00\\x00\\x00\\x00\\x00\\x05\\x05\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xc7X\\x02\\x00"
              }
            ],
            "repeated": 0,
            "id": 1549
          },
          {
            "timestamp": "2026-05-28 22:02:13,916",
            "thread_id": "11132",
            "caller": "0x7ffc78037048",
            "parentcaller": "0x7ffc78036fa8",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "41"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00X@\\xdd3\\xfc\\x7f\\x00\\x00\\xebP\\xb53\\xfc\\x7f\\x00\\x00\\xd8\\x97\\xf9\\xfb\\x02;\\x00\\x00(N\\xd93\\xfc\\x7f\\x00\\x00\\xa0\\xd1\\xdf\\xf8\\xb8\\x00\\x00\\x00\\x98\\xd1\\xdf\\xf8\\xb8\\x00\\x00\\x00h\\xd1\\xdf\\xf8\\xb8\\x00\\x00\\x00\\x88\\xd1\\xdf\\xf8"
              }
            ],
            "repeated": 0,
            "id": 1550
          },
          {
            "timestamp": "2026-05-28 22:02:13,916",
            "thread_id": "11132",
            "caller": "0x7ffc7803707b",
            "parentcaller": "0x7ffc78036fa8",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "41"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00P\\x0fFe\\xa3\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xd9\\xd8\\xb63\\xfc\\x7f\\x00\\x00#\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x88\\xcf\\xdf\\xf8\\xb8\\x00\\x00\\x00\\xd8\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x9a\\x00\\x1f8\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x86\\xa2\\xd93"
              }
            ],
            "repeated": 0,
            "id": 1551
          },
          {
            "timestamp": "2026-05-28 22:02:13,916",
            "thread_id": "11132",
            "caller": "0x7ffc78008cde",
            "parentcaller": "0x7ffc7800953a",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "10"
              },
              {
                "name": "TokenInformation",
                "value": "H\\xc5\n\\x00\\x00\\x00\\x00\\x00]Y\\x02\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x7f\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x94\\x0f\\x00\\x00\\x0e\\x00\\x00\\x00\\x18\\x00\\x00\\x00\t\\xc5\n\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1552
          },
          {
            "timestamp": "2026-05-28 22:02:13,916",
            "thread_id": "11132",
            "caller": "0x7ffc78036e46",
            "parentcaller": "0x7ffc78008d8f",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "4"
              },
              {
                "name": "TokenInformation",
                "value": "\\xb8$He\\xa3\\x02\\x00\\x00\\x01\\x02\\x00\\x00\\x00\\x00\\x00\\x05 \\x00\\x00\\x00 \\x02\\x00\\x00\\\\x00S\\x00y\\x00s\\x00t\\x00e\\x00m\\x003\\x002\\x00\\\\x00w\\x00p\\x00n\\x00a\\x00p\\x00p\\x00s\\x00.\\x00d\\x00l\\x00l\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1553
          },
          {
            "timestamp": "2026-05-28 22:02:13,916",
            "thread_id": "11132",
            "caller": "0x7ffc78036e9b",
            "parentcaller": "0x7ffc78008d8f",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "25"
              },
              {
                "name": "TokenInformation",
                "value": "@\\x0eFe\\xa3\\x02\\x00\\x00`\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x10\\x000\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1554
          },
          {
            "timestamp": "2026-05-28 22:02:13,916",
            "thread_id": "11132",
            "caller": "0x7ffc78036ec0",
            "parentcaller": "0x7ffc78008d8f",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "5"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 1555
          },
          {
            "timestamp": "2026-05-28 22:02:13,916",
            "thread_id": "11132",
            "caller": "0x7ffc78036f0e",
            "parentcaller": "0x7ffc78008d8f",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "5"
              },
              {
                "name": "TokenInformation",
                "value": "\\xb8\\xbcBe\\xa3\\x02\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\x01\\x02\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1556
          },
          {
            "timestamp": "2026-05-28 22:02:13,916",
            "thread_id": "11132",
            "caller": "0x7ffc78036f37",
            "parentcaller": "0x7ffc78008d8f",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "6"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 1557
          },
          {
            "timestamp": "2026-05-28 22:02:13,916",
            "thread_id": "11132",
            "caller": "0x7ffc78036f8f",
            "parentcaller": "0x7ffc78008d8f",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "6"
              },
              {
                "name": "TokenInformation",
                "value": "\\x18\rFe\\xa3\\x02\\x00\\x00\\x02\\x00P\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x18\\x00\\x00\\x00\\x00\\x10\\x01\\x02\\x00\\x00\\x00\\x00\\x00\\x05 \\x00\\x00\\x00 \\x02\\x00\\x00\\x00\\x00\\x14\\x00\\x00\\x00\\x00\\x10\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x05\\x12\\x00\\x00\\x00\\x00\\x00\\x1c\\x00\\x00\\x00\\x00\\xa0\\x01\\x03\\x00\\x00\\x00\\x00\\x00\\x05\\x05\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xc7X\\x02\\x00"
              }
            ],
            "repeated": 0,
            "id": 1558
          },
          {
            "timestamp": "2026-05-28 22:02:13,916",
            "thread_id": "11132",
            "caller": "0x7ffc78037048",
            "parentcaller": "0x7ffc78036fa8",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "41"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00X@\\xdd3\\xfc\\x7f\\x00\\x00\\xebP\\xb53\\xfc\\x7f\\x00\\x00x\\x9b\\xf9\\xfb\\x02;\\x00\\x00(N\\xd93\\xfc\\x7f\\x00\\x00\\x00\\xce\\xdf\\xf8\\xb8\\x00\\x00\\x00\\xf8\\xcd\\xdf\\xf8\\xb8\\x00\\x00\\x00\\xc8\\xcd\\xdf\\xf8\\xb8\\x00\\x00\\x00\\xe8\\xcd\\xdf\\xf8"
              }
            ],
            "repeated": 0,
            "id": 1559
          },
          {
            "timestamp": "2026-05-28 22:02:13,916",
            "thread_id": "11132",
            "caller": "0x7ffc7803707b",
            "parentcaller": "0x7ffc78036fa8",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "41"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\rFe\\xa3\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xd9\\xd8\\xb63\\xfc\\x7f\\x00\\x00#\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\xe8\\xcb\\xdf\\xf8\\xb8\\x00\\x00\\x00\\xd8\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x9a\\x00\\x1f8\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x86\\xa2\\xd93"
              }
            ],
            "repeated": 0,
            "id": 1560
          },
          {
            "timestamp": "2026-05-28 22:02:13,916",
            "thread_id": "11132",
            "caller": "0x7ffc756e6785",
            "parentcaller": "0x7ffc770b0e27",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000042c"
              }
            ],
            "repeated": 0,
            "id": 1561
          },
          {
            "timestamp": "2026-05-28 22:02:13,916",
            "thread_id": "11132",
            "caller": "0x7ffc756e6785",
            "parentcaller": "0x7ffc770b0e49",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000003d8"
              }
            ],
            "repeated": 0,
            "id": 1562
          },
          {
            "timestamp": "2026-05-28 22:02:13,916",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "combase.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc77b70000"
              },
              {
                "name": "FunctionName",
                "value": "CoMarshalInterface"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc77beb0b0"
              }
            ],
            "repeated": 0,
            "id": 1563
          },
          {
            "timestamp": "2026-05-28 22:02:13,916",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "combase.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc77b70000"
              },
              {
                "name": "FunctionName",
                "value": "CoUnmarshalInterface"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc77be8b50"
              }
            ],
            "repeated": 0,
            "id": 1564
          },
          {
            "timestamp": "2026-05-28 22:02:13,916",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "combase.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc77b70000"
              },
              {
                "name": "FunctionName",
                "value": "StringFromIID"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc77c19780"
              }
            ],
            "repeated": 0,
            "id": 1565
          },
          {
            "timestamp": "2026-05-28 22:02:13,916",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "combase.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc77b70000"
              },
              {
                "name": "FunctionName",
                "value": "CoTaskMemAlloc"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc77c22e80"
              }
            ],
            "repeated": 0,
            "id": 1566
          },
          {
            "timestamp": "2026-05-28 22:02:13,916",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "combase.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc77b70000"
              },
              {
                "name": "FunctionName",
                "value": "CoTaskMemFree"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc77c21b70"
              }
            ],
            "repeated": 0,
            "id": 1567
          },
          {
            "timestamp": "2026-05-28 22:02:13,916",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "combase.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc77b70000"
              },
              {
                "name": "FunctionName",
                "value": "CoCreateInstance"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc77b9a420"
              }
            ],
            "repeated": 0,
            "id": 1568
          },
          {
            "timestamp": "2026-05-28 22:02:13,916",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "combase.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc77b70000"
              },
              {
                "name": "FunctionName",
                "value": "CoReleaseMarshalData"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc77b9e790"
              }
            ],
            "repeated": 0,
            "id": 1569
          },
          {
            "timestamp": "2026-05-28 22:02:13,916",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "0000032A-0000-0000-C000-000000000046"
              },
              {
                "name": "ClsContext",
                "value": "0x00000001",
                "pretty_value": "CLSCTX_INPROC_SERVER"
              },
              {
                "name": "riid",
                "value": "00000149-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 1570
          },
          {
            "timestamp": "2026-05-28 22:02:13,916",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtAllocateVirtualMemoryEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2a365486000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1571
          },
          {
            "timestamp": "2026-05-28 22:02:13,916",
            "thread_id": "11136",
            "caller": "0x7ffc756e6785",
            "parentcaller": "0x7ffc77c12ec5",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000434"
              }
            ],
            "repeated": 0,
            "id": 1572
          },
          {
            "timestamp": "2026-05-28 22:02:13,916",
            "thread_id": "11136",
            "caller": "0x7ffc77b9cd6e",
            "parentcaller": "0x7ffc77c12ed4",
            "category": "system",
            "api": "IsDebuggerPresent",
            "status": false,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 1573
          },
          {
            "timestamp": "2026-05-28 22:02:13,916",
            "thread_id": "11132",
            "caller": "0x7ffc756e6785",
            "parentcaller": "0x7ffc77c12ec5",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000454"
              }
            ],
            "repeated": 0,
            "id": 1574
          },
          {
            "timestamp": "2026-05-28 22:02:13,916",
            "thread_id": "11132",
            "caller": "0x7ffc77b9cd6e",
            "parentcaller": "0x7ffc77c12ed4",
            "category": "system",
            "api": "IsDebuggerPresent",
            "status": false,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 1575
          },
          {
            "timestamp": "2026-05-28 22:02:13,916",
            "thread_id": "11132",
            "caller": "0x7ffc77ba22bf",
            "parentcaller": "0x7ffc77c1fbe4",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x000003c6"
              },
              {
                "name": "SubKey",
                "value": "Interface\\{3BC3D253-2F31-4092-9129-8AD5ABF067DA}"
              },
              {
                "name": "Handle",
                "value": "0x00000456"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\Interface\\{3BC3D253-2F31-4092-9129-8AD5ABF067DA}"
              }
            ],
            "repeated": 0,
            "id": 1576
          },
          {
            "timestamp": "2026-05-28 22:02:13,916",
            "thread_id": "11132",
            "caller": "0x7ffc77c1fa51",
            "parentcaller": "0x7ffc77be42ab",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000456"
              },
              {
                "name": "SubKey",
                "value": "ProxyStubClsid32"
              },
              {
                "name": "Handle",
                "value": "0x0000045e"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{3bc3d253-2f31-4092-9129-8ad5abf067da}\\ProxyStubClsid32"
              }
            ],
            "repeated": 0,
            "id": 1577
          },
          {
            "timestamp": "2026-05-28 22:02:13,916",
            "thread_id": "11132",
            "caller": "0x7ffc77c1fa8c",
            "parentcaller": "0x7ffc77be42ab",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000045e"
              },
              {
                "name": "ValueName",
                "value": ""
              },
              {
                "name": "Data",
                "value": "{6db7cd52-e3b7-4ecc-bb1f-388aeef6bb50}"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{3bc3d253-2f31-4092-9129-8ad5abf067da}\\ProxyStubClsid32\\(Default)"
              }
            ],
            "repeated": 0,
            "id": 1578
          },
          {
            "timestamp": "2026-05-28 22:02:13,916",
            "thread_id": "11132",
            "caller": "0x7ffc77c1fad3",
            "parentcaller": "0x7ffc77be42ab",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000045e"
              }
            ],
            "repeated": 0,
            "id": 1579
          },
          {
            "timestamp": "2026-05-28 22:02:13,916",
            "thread_id": "11132",
            "caller": "0x7ffc77c1fae4",
            "parentcaller": "0x7ffc77be42ab",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000456"
              }
            ],
            "repeated": 0,
            "id": 1580
          },
          {
            "timestamp": "2026-05-28 22:02:13,916",
            "thread_id": "11132",
            "caller": "0x7ffc756d30ce",
            "parentcaller": "0x7ffc77c22cd1",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 1581
          },
          {
            "timestamp": "2026-05-28 22:02:13,916",
            "thread_id": "11132",
            "caller": "0x7ffc756d30ce",
            "parentcaller": "0x7ffc77c22cd1",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000037c"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 1582
          },
          {
            "timestamp": "2026-05-28 22:02:13,916",
            "thread_id": "11132",
            "caller": "0x7ffc78013f7a",
            "parentcaller": "0x7ffc770b0ed7",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "29"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1583
          },
          {
            "timestamp": "2026-05-28 22:02:13,916",
            "thread_id": "11132",
            "caller": "0x7ffc770b0cd1",
            "parentcaller": "0x7ffc770af28f",
            "category": "filesystem",
            "api": "NtOpenDirectoryObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "DirectoryHandle",
                "value": "0x00000454"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020001",
                "pretty_value": "FILE_READ_ACCESS|READ_CONTROL"
              },
              {
                "name": "ObjectAttributes",
                "value": "C:\\RPC Control"
              }
            ],
            "repeated": 0,
            "id": 1584
          },
          {
            "timestamp": "2026-05-28 22:02:13,916",
            "thread_id": "11132",
            "caller": "0x7ffc7572026b",
            "parentcaller": "0x7ffc770b0daf",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x0000045c"
              }
            ],
            "repeated": 0,
            "id": 1585
          },
          {
            "timestamp": "2026-05-28 22:02:13,916",
            "thread_id": "11132",
            "caller": "0x7ffc78008cde",
            "parentcaller": "0x7ffc78049c4e",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "10"
              },
              {
                "name": "TokenInformation",
                "value": "H\\xc5\n\\x00\\x00\\x00\\x00\\x00]Y\\x02\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x7f\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x94\\x0f\\x00\\x00\\x0e\\x00\\x00\\x00\\x18\\x00\\x00\\x00\t\\xc5\n\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1586
          },
          {
            "timestamp": "2026-05-28 22:02:13,916",
            "thread_id": "11132",
            "caller": "0x7ffc78036e46",
            "parentcaller": "0x7ffc78008d8f",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "4"
              },
              {
                "name": "TokenInformation",
                "value": "X He\\xa3\\x02\\x00\\x00\\x01\\x02\\x00\\x00\\x00\\x00\\x00\\x05 \\x00\\x00\\x00 \\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1587
          },
          {
            "timestamp": "2026-05-28 22:02:13,916",
            "thread_id": "11132",
            "caller": "0x7ffc78036e9b",
            "parentcaller": "0x7ffc78008d8f",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "25"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x06Fe\\xa3\\x02\\x00\\x00`\\x00\\x00\\x00\\xbb\\xef\\x98\\xfe\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x10\\x000\\x00\\x00\\xeb\\x1c\\xc9\\x11\\x9f\\xe8\\x08\\x00+\\x10H`\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1588
          },
          {
            "timestamp": "2026-05-28 22:02:13,916",
            "thread_id": "11132",
            "caller": "0x7ffc78036ec0",
            "parentcaller": "0x7ffc78008d8f",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "5"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 1589
          },
          {
            "timestamp": "2026-05-28 22:02:13,916",
            "thread_id": "11132",
            "caller": "0x7ffc78036f0e",
            "parentcaller": "0x7ffc78008d8f",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "5"
              },
              {
                "name": "TokenInformation",
                "value": "(fHe\\xa3\\x02\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\x01\\x02\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1590
          },
          {
            "timestamp": "2026-05-28 22:02:13,916",
            "thread_id": "11132",
            "caller": "0x7ffc78036f37",
            "parentcaller": "0x7ffc78008d8f",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "6"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 1591
          },
          {
            "timestamp": "2026-05-28 22:02:13,916",
            "thread_id": "11132",
            "caller": "0x7ffc78036f8f",
            "parentcaller": "0x7ffc78008d8f",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "6"
              },
              {
                "name": "TokenInformation",
                "value": "X\\x06Fe\\xa3\\x02\\x00\\x00\\x02\\x00P\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x18\\x00\\x00\\x00\\x00\\x10\\x01\\x02\\x00\\x00\\x00\\x00\\x00\\x05 \\x00\\x00\\x00 \\x02\\x00\\x00\\x00\\x00\\x14\\x00\\x00\\x00\\x00\\x10\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x05\\x12\\x00\\x00\\x00\\x00\\x00\\x1c\\x00\\x00\\x00\\x00\\xa0\\x01\\x03\\x00\\x00\\x00\\x00\\x00\\x05\\x05\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xc7X\\x02\\x00"
              }
            ],
            "repeated": 0,
            "id": 1592
          },
          {
            "timestamp": "2026-05-28 22:02:13,916",
            "thread_id": "11132",
            "caller": "0x7ffc78037048",
            "parentcaller": "0x7ffc78036fa8",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "41"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00X@\\xdd3\\xfc\\x7f\\x00\\x00\\xebP\\xb53\\xfc\\x7f\\x00\\x00\\x18\\x8c\\xf9\\xfb\\x02;\\x00\\x00(N\\xd93\\xfc\\x7f\\x00\\x00`\\xdb\\xdf\\xf8\\xb8\\x00\\x00\\x00X\\xdb\\xdf\\xf8\\xb8\\x00\\x00\\x00(\\xdb\\xdf\\xf8\\xb8\\x00\\x00\\x00H\\xdb\\xdf\\xf8"
              }
            ],
            "repeated": 0,
            "id": 1593
          },
          {
            "timestamp": "2026-05-28 22:02:13,916",
            "thread_id": "11132",
            "caller": "0x7ffc7803707b",
            "parentcaller": "0x7ffc78036fa8",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "41"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00P\\x06Fe\\xa3\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xd9\\xd8\\xb63\\xfc\\x7f\\x00\\x00#\\x00\\x00\\xc0\\x00\\x00\\x00\\x00H\\xd9\\xdf\\xf8\\xb8\\x00\\x00\\x00\\\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x9a\\x00\\x1f8\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x86\\xa2\\xd93"
              }
            ],
            "repeated": 0,
            "id": 1594
          },
          {
            "timestamp": "2026-05-28 22:02:13,916",
            "thread_id": "11132",
            "caller": "0x7ffc78008cde",
            "parentcaller": "0x7ffc7800953a",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "10"
              },
              {
                "name": "TokenInformation",
                "value": "H\\xc5\n\\x00\\x00\\x00\\x00\\x00]Y\\x02\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x7f\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x94\\x0f\\x00\\x00\\x0e\\x00\\x00\\x00\\x18\\x00\\x00\\x00\t\\xc5\n\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1595
          },
          {
            "timestamp": "2026-05-28 22:02:13,916",
            "thread_id": "11132",
            "caller": "0x7ffc78036e46",
            "parentcaller": "0x7ffc78008d8f",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "4"
              },
              {
                "name": "TokenInformation",
                "value": "x#He\\xa3\\x02\\x00\\x00\\x01\\x02\\x00\\x00\\x00\\x00\\x00\\x05 \\x00\\x00\\x00 \\x02\\x00\\x00y\\x00s\\x00t\\x00e\\x00m\\x003\\x002\\x00\\\\x00w\\x00p\\x00n\\x00a\\x00p\\x00p\\x00s\\x00.\\x00d\\x00l\\x00l\\x00\\x00\\x00l\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1596
          },
          {
            "timestamp": "2026-05-28 22:02:13,916",
            "thread_id": "11132",
            "caller": "0x7ffc78036e9b",
            "parentcaller": "0x7ffc78008d8f",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "25"
              },
              {
                "name": "TokenInformation",
                "value": " \nFe\\xa3\\x02\\x00\\x00`\\x00\\x00\\x00\\xc0\\x00\\x00\\x00\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x10\\x000\\x00\\x00\\xeb\\x1c\\xc9\\x11\\x9f\\xe8\\x08\\x00+\\x10H`\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1597
          },
          {
            "timestamp": "2026-05-28 22:02:13,916",
            "thread_id": "11132",
            "caller": "0x7ffc78036ec0",
            "parentcaller": "0x7ffc78008d8f",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "5"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 1598
          },
          {
            "timestamp": "2026-05-28 22:02:13,916",
            "thread_id": "11132",
            "caller": "0x7ffc78036f0e",
            "parentcaller": "0x7ffc78008d8f",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "5"
              },
              {
                "name": "TokenInformation",
                "value": "HdHe\\xa3\\x02\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\x01\\x02\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1599
          },
          {
            "timestamp": "2026-05-28 22:02:13,916",
            "thread_id": "11132",
            "caller": "0x7ffc78036f37",
            "parentcaller": "0x7ffc78008d8f",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "6"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 1600
          },
          {
            "timestamp": "2026-05-28 22:02:13,916",
            "thread_id": "11132",
            "caller": "0x7ffc78036f8f",
            "parentcaller": "0x7ffc78008d8f",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "6"
              },
              {
                "name": "TokenInformation",
                "value": "\\x98\\x0eFe\\xa3\\x02\\x00\\x00\\x02\\x00P\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x18\\x00\\x00\\x00\\x00\\x10\\x01\\x02\\x00\\x00\\x00\\x00\\x00\\x05 \\x00\\x00\\x00 \\x02\\x00\\x00\\x00\\x00\\x14\\x00\\x00\\x00\\x00\\x10\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x05\\x12\\x00\\x00\\x00\\x00\\x00\\x1c\\x00\\x00\\x00\\x00\\xa0\\x01\\x03\\x00\\x00\\x00\\x00\\x00\\x05\\x05\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xc7X\\x02\\x00"
              }
            ],
            "repeated": 0,
            "id": 1601
          },
          {
            "timestamp": "2026-05-28 22:02:13,916",
            "thread_id": "11132",
            "caller": "0x7ffc78037048",
            "parentcaller": "0x7ffc78036fa8",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "41"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00X@\\xdd3\\xfc\\x7f\\x00\\x00\\xebP\\xb53\\xfc\\x7f\\x00\\x00\\xb8\\x91\\xf9\\xfb\\x02;\\x00\\x00(N\\xd93\\xfc\\x7f\\x00\\x00\\xc0\\xd7\\xdf\\xf8\\xb8\\x00\\x00\\x00\\xb8\\xd7\\xdf\\xf8\\xb8\\x00\\x00\\x00\\x88\\xd7\\xdf\\xf8\\xb8\\x00\\x00\\x00\\xa8\\xd7\\xdf\\xf8"
              }
            ],
            "repeated": 0,
            "id": 1602
          },
          {
            "timestamp": "2026-05-28 22:02:13,916",
            "thread_id": "11132",
            "caller": "0x7ffc7803707b",
            "parentcaller": "0x7ffc78036fa8",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "41"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x90\\x0eFe\\xa3\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xd9\\xd8\\xb63\\xfc\\x7f\\x00\\x00#\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\xa8\\xd5\\xdf\\xf8\\xb8\\x00\\x00\\x00\\\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x9a\\x00\\x1f8\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x86\\xa2\\xd93"
              }
            ],
            "repeated": 0,
            "id": 1603
          },
          {
            "timestamp": "2026-05-28 22:02:13,916",
            "thread_id": "11132",
            "caller": "0x7ffc756e6785",
            "parentcaller": "0x7ffc770b0e27",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000454"
              }
            ],
            "repeated": 0,
            "id": 1604
          },
          {
            "timestamp": "2026-05-28 22:02:13,916",
            "thread_id": "11132",
            "caller": "0x7ffc756e6785",
            "parentcaller": "0x7ffc770b0e49",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000045c"
              }
            ],
            "repeated": 0,
            "id": 1605
          },
          {
            "timestamp": "2026-05-28 22:02:13,916",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "combase.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc77b70000"
              },
              {
                "name": "FunctionName",
                "value": "WindowsCreateString"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc77bb81a0"
              }
            ],
            "repeated": 0,
            "id": 1606
          },
          {
            "timestamp": "2026-05-28 22:02:13,916",
            "thread_id": "11136",
            "caller": "0x7ffc756e6785",
            "parentcaller": "0x7ffc77c12ec5",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000458"
              }
            ],
            "repeated": 0,
            "id": 1607
          },
          {
            "timestamp": "2026-05-28 22:02:13,916",
            "thread_id": "11136",
            "caller": "0x7ffc77b9cd6e",
            "parentcaller": "0x7ffc77c12ed4",
            "category": "system",
            "api": "IsDebuggerPresent",
            "status": false,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 1608
          },
          {
            "timestamp": "2026-05-28 22:02:13,916",
            "thread_id": "11136",
            "caller": "0x7ffc78017830",
            "parentcaller": "0x7ffc780020f9",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc60f5a000"
              },
              {
                "name": "ModuleName",
                "value": "wpnapps.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1609
          },
          {
            "timestamp": "2026-05-28 22:02:13,916",
            "thread_id": "11136",
            "caller": "0x7ffc78017881",
            "parentcaller": "0x7ffc780020f9",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc60f5a000"
              },
              {
                "name": "ModuleName",
                "value": "wpnapps.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1610
          },
          {
            "timestamp": "2026-05-28 22:02:13,916",
            "thread_id": "11136",
            "caller": "0x7ffc756e08ee",
            "parentcaller": "0x7ffc77c38bd7",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000458"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001000",
                "pretty_value": "PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "10720"
              }
            ],
            "repeated": 0,
            "id": 1611
          },
          {
            "timestamp": "2026-05-28 22:02:13,916",
            "thread_id": "11136",
            "caller": "0x7ffc78017830",
            "parentcaller": "0x7ffc780020f9",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc60f5a000"
              },
              {
                "name": "ModuleName",
                "value": "wpnapps.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1612
          },
          {
            "timestamp": "2026-05-28 22:02:13,916",
            "thread_id": "11136",
            "caller": "0x7ffc78017881",
            "parentcaller": "0x7ffc780020f9",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc60f5a000"
              },
              {
                "name": "ModuleName",
                "value": "wpnapps.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1613
          },
          {
            "timestamp": "2026-05-28 22:02:13,916",
            "thread_id": "11136",
            "caller": "0x7ffc7572026b",
            "parentcaller": "0x7ffc756ecbb0",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000458"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x00000460"
              }
            ],
            "repeated": 0,
            "id": 1614
          },
          {
            "timestamp": "2026-05-28 22:02:13,916",
            "thread_id": "11136",
            "caller": "0x7ffc756eaa1f",
            "parentcaller": "0x7ffc756ecb7c",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "39"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 1615
          },
          {
            "timestamp": "2026-05-28 22:02:13,916",
            "thread_id": "11136",
            "caller": "0x7ffc77ff2caa",
            "parentcaller": "0x7ffc77ff2fbd",
            "category": "process",
            "api": "NtAllocateVirtualMemoryEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2a36546d000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1616
          },
          {
            "timestamp": "2026-05-28 22:02:13,916",
            "thread_id": "11136",
            "caller": "0x7ffc756eaaa8",
            "parentcaller": "0x7ffc756ecb7c",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "39"
              },
              {
                "name": "TokenInformation",
                "value": "\\x01\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\xa0\\xb6Fe\\xa3\\x02\\x00\\x00\\x1c\\x00\\x1c\\x00\\x00\\x00\\x00\\x00@\\xb7Fe\\xa3\\x02\\x00\\x00\\x03\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00`\\xb7Fe\\xa3\\x02\\x00\\x00\\x12\\x00\\x12\\x00\\x00\\x00\\x00\\x00t\\xb8Fe\\xa3\\x02\\x00\\x00\\x02\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x88\\xb8Fe\\xa3\\x02\\x00\\x00\\x1e\\x00\\x1e\\x00\\x00\\x00\\x00\\x00\\x90\\xb8Fe\\xa3\\x02\\x00\\x00\\x02\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb0\\xb8Fe\\xa3\\x02\\x00\\x00 \\x00 \\x00\\x00\\x00\\x00\\x00\\xb8\\xb8Fe\\xa3\\x02\\x00\\x00\\x02\\x00\\x00\\x00A\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xd8\\xb8Fe\\xa3\\x02\\x00\\x00W\\x00I\\x00N\\x00:\\x00/\\x00/\\x00S\\x00Y\\x00S\\x00A\\x00P\\x00P\\x00I\\x00D\\x00\\x00\\x00\\x00\\x00\\x86\\x00\\x86\\x00\\x00\\x00\\x00\\x00\\x90\\xb7Fe\\xa3\\x02\\x00\\x00\\x06\\x00\\x06\\x00\\x00\\x00\\x00\\x00\\x16\\xb8Fe\\xa3\\x02\\x00\\x00X\\x00X\\x00\\x00\\x00\\x00\\x00\\x1c\\xb8Fe\\xa3\\x02\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1617
          },
          {
            "timestamp": "2026-05-28 22:02:13,916",
            "thread_id": "11136",
            "caller": "0x7ffc756e6785",
            "parentcaller": "0x7ffc756ecbbe",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000460"
              }
            ],
            "repeated": 0,
            "id": 1618
          },
          {
            "timestamp": "2026-05-28 22:02:13,916",
            "thread_id": "11136",
            "caller": "0x7ffc7572026b",
            "parentcaller": "0x7ffc756ecbb0",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000458"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x00000460"
              }
            ],
            "repeated": 0,
            "id": 1619
          },
          {
            "timestamp": "2026-05-28 22:02:13,916",
            "thread_id": "11136",
            "caller": "0x7ffc756eaa1f",
            "parentcaller": "0x7ffc756ecb7c",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "39"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 1620
          },
          {
            "timestamp": "2026-05-28 22:02:13,916",
            "thread_id": "11136",
            "caller": "0x7ffc756eaaa8",
            "parentcaller": "0x7ffc756ecb7c",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "39"
              },
              {
                "name": "TokenInformation",
                "value": "\\x01\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\xa0\\xb6Fe\\xa3\\x02\\x00\\x00\\x1c\\x00\\x1c\\x00\\x00\\x00\\x00\\x00@\\xb7Fe\\xa3\\x02\\x00\\x00\\x03\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00`\\xb7Fe\\xa3\\x02\\x00\\x00\\x12\\x00\\x12\\x00\\x00\\x00\\x00\\x00t\\xb8Fe\\xa3\\x02\\x00\\x00\\x02\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x88\\xb8Fe\\xa3\\x02\\x00\\x00\\x1e\\x00\\x1e\\x00\\x00\\x00\\x00\\x00\\x90\\xb8Fe\\xa3\\x02\\x00\\x00\\x02\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb0\\xb8Fe\\xa3\\x02\\x00\\x00 \\x00 \\x00\\x00\\x00\\x00\\x00\\xb8\\xb8Fe\\xa3\\x02\\x00\\x00\\x02\\x00\\x00\\x00A\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xd8\\xb8Fe\\xa3\\x02\\x00\\x00W\\x00I\\x00N\\x00:\\x00/\\x00/\\x00S\\x00Y\\x00S\\x00A\\x00P\\x00P\\x00I\\x00D\\x00\\x00\\x00\\x00\\x00\\x86\\x00\\x86\\x00\\x00\\x00\\x00\\x00\\x90\\xb7Fe\\xa3\\x02\\x00\\x00\\x06\\x00\\x06\\x00\\x00\\x00\\x00\\x00\\x16\\xb8Fe\\xa3\\x02\\x00\\x00X\\x00X\\x00\\x00\\x00\\x00\\x00\\x1c\\xb8Fe\\xa3\\x02\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1621
          },
          {
            "timestamp": "2026-05-28 22:02:13,916",
            "thread_id": "11136",
            "caller": "0x7ffc756e6785",
            "parentcaller": "0x7ffc756ecbbe",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000460"
              }
            ],
            "repeated": 0,
            "id": 1622
          },
          {
            "timestamp": "2026-05-28 22:02:13,916",
            "thread_id": "11136",
            "caller": "0x7ffc756e6785",
            "parentcaller": "0x7ffc60e69183",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000458"
              }
            ],
            "repeated": 0,
            "id": 1623
          },
          {
            "timestamp": "2026-05-28 22:02:13,916",
            "thread_id": "11136",
            "caller": "0x7ffc78017830",
            "parentcaller": "0x7ffc780020f9",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc60f5a000"
              },
              {
                "name": "ModuleName",
                "value": "wpnapps.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1624
          },
          {
            "timestamp": "2026-05-28 22:02:13,916",
            "thread_id": "11136",
            "caller": "0x7ffc78017881",
            "parentcaller": "0x7ffc780020f9",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc60f5a000"
              },
              {
                "name": "ModuleName",
                "value": "wpnapps.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1625
          },
          {
            "timestamp": "2026-05-28 22:02:13,916",
            "thread_id": "11136",
            "caller": "0x7ffc78017830",
            "parentcaller": "0x7ffc780020f9",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc773f8000"
              },
              {
                "name": "ModuleName",
                "value": "OLEAUT32.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1626
          },
          {
            "timestamp": "2026-05-28 22:02:13,916",
            "thread_id": "11136",
            "caller": "0x7ffc78017881",
            "parentcaller": "0x7ffc780020f9",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc773f8000"
              },
              {
                "name": "ModuleName",
                "value": "OLEAUT32.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1627
          },
          {
            "timestamp": "2026-05-28 22:02:13,916",
            "thread_id": "11136",
            "caller": "0x7ffc7808e53f",
            "parentcaller": "0x7ffc77fefaf7",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "93"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x7f7\\x9e}"
              }
            ],
            "repeated": 0,
            "id": 1628
          },
          {
            "timestamp": "2026-05-28 22:02:13,916",
            "thread_id": "11136",
            "caller": "0x7ffc77fe5157",
            "parentcaller": "0x7ffc77fe43ea",
            "category": "process",
            "api": "NtOpenSection",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0000000d"
              },
              {
                "name": "ObjectAttributes",
                "value": "usermgrcli.dll"
              }
            ],
            "repeated": 0,
            "id": 1629
          },
          {
            "timestamp": "2026-05-28 22:02:13,916",
            "thread_id": "11136",
            "caller": "0x7ffc7802f37b",
            "parentcaller": "0x7ffc7802f207",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\usermgrcli.dll"
              }
            ],
            "repeated": 0,
            "id": 1630
          },
          {
            "timestamp": "2026-05-28 22:02:13,916",
            "thread_id": "11136",
            "caller": "0x7ffc7802fc9c",
            "parentcaller": "0x7ffc7802fa80",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000458"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100021",
                "pretty_value": "FILE_READ_ACCESS|FILE_EXECUTE|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\usermgrcli.dll"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 1631
          },
          {
            "timestamp": "2026-05-28 22:02:13,916",
            "thread_id": "11136",
            "caller": "0x7ffc7802fcfe",
            "parentcaller": "0x7ffc7802fa80",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000460"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0000000d",
                "pretty_value": "SECTION_QUERY|SECTION_MAP_READ|SECTION_MAP_EXECUTE"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000458"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\usermgrcli.dll"
              }
            ],
            "repeated": 0,
            "id": 1632
          },
          {
            "timestamp": "2026-05-28 22:02:13,916",
            "thread_id": "11136",
            "caller": "0x7ffc77fe4d42",
            "parentcaller": "0x7ffc77fe4aaa",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000460"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc70650000"
              },
              {
                "name": "SectionOffset",
                "value": "0x00000000"
              },
              {
                "name": "ViewSize",
                "value": "0x00016000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000080",
                "pretty_value": "PAGE_EXECUTE_WRITECOPY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1633
          },
          {
            "timestamp": "2026-05-28 22:02:13,916",
            "thread_id": "11136",
            "caller": "0x7ffc77fdfee4",
            "parentcaller": "0x7ffc77fdfad8",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc70663000"
              },
              {
                "name": "ModuleName",
                "value": "usermgrcli.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1634
          },
          {
            "timestamp": "2026-05-28 22:02:13,916",
            "thread_id": "11136",
            "caller": "0x7ffc77fdffb5",
            "parentcaller": "0x7ffc77fdfad8",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc7065c000"
              },
              {
                "name": "ModuleName",
                "value": "usermgrcli.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1635
          },
          {
            "timestamp": "2026-05-28 22:02:13,916",
            "thread_id": "11136",
            "caller": "0x7ffc77fdffed",
            "parentcaller": "0x7ffc77fdfad8",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc7065c000"
              },
              {
                "name": "ModuleName",
                "value": "usermgrcli.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1636
          },
          {
            "timestamp": "2026-05-28 22:02:13,916",
            "thread_id": "11136",
            "caller": "0x7ffc77fe0068",
            "parentcaller": "0x7ffc77fdfad8",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc7065c000"
              },
              {
                "name": "ModuleName",
                "value": "usermgrcli.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1637
          },
          {
            "timestamp": "2026-05-28 22:02:13,916",
            "thread_id": "11136",
            "caller": "0x7ffc77fe009c",
            "parentcaller": "0x7ffc77fdfad8",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc7065c000"
              },
              {
                "name": "ModuleName",
                "value": "usermgrcli.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1638
          },
          {
            "timestamp": "2026-05-28 22:02:13,916",
            "thread_id": "11136",
            "caller": "0x7ffc77fe5082",
            "parentcaller": "0x7ffc77fe79d2",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc7065b000"
              },
              {
                "name": "ModuleName",
                "value": "usermgrcli.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00002000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1639
          },
          {
            "timestamp": "2026-05-28 22:02:13,916",
            "thread_id": "11136",
            "caller": "0x7ffc7802fd68",
            "parentcaller": "0x7ffc7802fa80",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000460"
              }
            ],
            "repeated": 0,
            "id": 1640
          },
          {
            "timestamp": "2026-05-28 22:02:13,916",
            "thread_id": "11136",
            "caller": "0x7ffc7802fd71",
            "parentcaller": "0x7ffc7802fa80",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000458"
              }
            ],
            "repeated": 0,
            "id": 1641
          },
          {
            "timestamp": "2026-05-28 22:02:13,916",
            "thread_id": "11136",
            "caller": "0x7ffc78017bac",
            "parentcaller": "0x7ffc7800288a",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc7065b000"
              },
              {
                "name": "ModuleName",
                "value": "usermgrcli.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00002000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1642
          },
          {
            "timestamp": "2026-05-28 22:02:13,916",
            "thread_id": "11136",
            "caller": "0x7ffc78017bac",
            "parentcaller": "0x7ffc7800288a",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\SYSTEM32\\usermgrcli"
              },
              {
                "name": "DllBase",
                "value": "0x7ffc70650000"
              }
            ],
            "repeated": 0,
            "id": 1643
          },
          {
            "timestamp": "2026-05-28 22:02:13,932",
            "thread_id": "11136",
            "caller": "0x7ffc7803c2c7",
            "parentcaller": "0x7ffc7803c05a",
            "category": "system",
            "api": "LdrpCallInitRoutine",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "MappedPath",
                "value": "\\Device\\HarddiskVolume2\\Windows\\System32\\usermgrcli"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc70650000"
              },
              {
                "name": "InitRoutine",
                "value": "0x7ffc70654250"
              },
              {
                "name": "Reason",
                "value": "1"
              }
            ],
            "repeated": 0,
            "id": 1644
          },
          {
            "timestamp": "2026-05-28 22:02:13,932",
            "thread_id": "11136",
            "caller": "0x7ffc78017830",
            "parentcaller": "0x7ffc780020f9",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc60f5a000"
              },
              {
                "name": "ModuleName",
                "value": "wpnapps.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1645
          },
          {
            "timestamp": "2026-05-28 22:02:13,932",
            "thread_id": "11136",
            "caller": "0x7ffc78017881",
            "parentcaller": "0x7ffc780020f9",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc60f5a000"
              },
              {
                "name": "ModuleName",
                "value": "wpnapps.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1646
          },
          {
            "timestamp": "2026-05-28 22:02:13,932",
            "thread_id": "11136",
            "caller": "0x7ffc77ff2caa",
            "parentcaller": "0x7ffc77ff2fbd",
            "category": "process",
            "api": "NtAllocateVirtualMemoryEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2a365488000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1647
          },
          {
            "timestamp": "2026-05-28 22:02:13,932",
            "thread_id": "11136",
            "caller": "0x7ffc77ff2caa",
            "parentcaller": "0x7ffc77ff2fbd",
            "category": "process",
            "api": "NtAllocateVirtualMemoryEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2a365489000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1648
          },
          {
            "timestamp": "2026-05-28 22:02:13,932",
            "thread_id": "11136",
            "caller": "0x7ffc78013f7a",
            "parentcaller": "0x7ffc770b0ed7",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "29"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1649
          },
          {
            "timestamp": "2026-05-28 22:02:13,932",
            "thread_id": "11136",
            "caller": "0x7ffc77ba7b74",
            "parentcaller": "0x7ffc77ba53d4",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x0000036a"
              },
              {
                "name": "SubKey",
                "value": "CLSID\\{0C9281F9-6DA1-4006-8729-DE6E6B61581C}"
              },
              {
                "name": "Handle",
                "value": "0x00000466"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{0C9281F9-6DA1-4006-8729-DE6E6B61581C}"
              }
            ],
            "repeated": 0,
            "id": 1650
          },
          {
            "timestamp": "2026-05-28 22:02:13,932",
            "thread_id": "11136",
            "caller": "0x7ffc756e45a7",
            "parentcaller": "0x7ffc756e0705",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000466"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\CLSID\\{0c9281f9-6da1-4006-8729-de6e6b61581c}"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 1651
          },
          {
            "timestamp": "2026-05-28 22:02:13,932",
            "thread_id": "11136",
            "caller": "0x7ffc756e2314",
            "parentcaller": "0x7ffc756e0732",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000466"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 1652
          },
          {
            "timestamp": "2026-05-28 22:02:13,932",
            "thread_id": "11136",
            "caller": "0x7ffc78006c8b",
            "parentcaller": "0x7ffc756e23a0",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "0\\xc7\\xef\\xf8\\xb8\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xfc\\x7f\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\xe9\\x03\\x00\\x00\\xfc\\x7f\\x00\\x00\\xb8\\xcf\\xd93\\xfc\\x7f\\x00\\x00f\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\xe0\\xd2\\xd93\\xfc\\x7f\\x00\\x00\\x04\\x00\\x00\\x00\\xb8\\x00\\x00\\x000\\xc8\\xef\\xf8\\xb8\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1653
          },
          {
            "timestamp": "2026-05-28 22:02:13,932",
            "thread_id": "11136",
            "caller": "0x7ffc756e24a8",
            "parentcaller": "0x7ffc756e0732",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3968686040-3210279463-847977608-1001_Classes\\CLSID\\{0c9281f9-6da1-4006-8729-de6e6b61581c}\\TreatAs"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{0c9281f9-6da1-4006-8729-de6e6b61581c}\\TreatAs"
              }
            ],
            "repeated": 0,
            "id": 1654
          },
          {
            "timestamp": "2026-05-28 22:02:13,932",
            "thread_id": "11136",
            "caller": "0x7ffc756e40c4",
            "parentcaller": "0x7ffc756e25c4",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000466"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 1655
          },
          {
            "timestamp": "2026-05-28 22:02:13,932",
            "thread_id": "11136",
            "caller": "0x7ffc756e25e2",
            "parentcaller": "0x7ffc756e0732",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000466"
              },
              {
                "name": "ObjectAttributesName",
                "value": "TreatAs"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{0c9281f9-6da1-4006-8729-de6e6b61581c}\\TreatAs"
              }
            ],
            "repeated": 0,
            "id": 1656
          },
          {
            "timestamp": "2026-05-28 22:02:13,932",
            "thread_id": "11136",
            "caller": "0x7ffc77c322e1",
            "parentcaller": "0x7ffc77ba7c1d",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000466"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\CLSID\\{0c9281f9-6da1-4006-8729-de6e6b61581c}"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 1657
          },
          {
            "timestamp": "2026-05-28 22:02:13,932",
            "thread_id": "11136",
            "caller": "0x7ffc756e2e92",
            "parentcaller": "0x7ffc77ba81f5",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000466"
              },
              {
                "name": "ValueName",
                "value": "ActivateOnHostFlags"
              },
              {
                "name": "Data",
                "value": "1"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{0c9281f9-6da1-4006-8729-de6e6b61581c}\\ActivateOnHostFlags"
              }
            ],
            "repeated": 0,
            "id": 1658
          },
          {
            "timestamp": "2026-05-28 22:02:13,932",
            "thread_id": "11136",
            "caller": "0x7ffc756e2e92",
            "parentcaller": "0x7ffc77ba870d",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000466"
              },
              {
                "name": "ValueName",
                "value": ""
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{0c9281f9-6da1-4006-8729-de6e6b61581c}\\(Default)"
              }
            ],
            "repeated": 0,
            "id": 1659
          },
          {
            "timestamp": "2026-05-28 22:02:13,932",
            "thread_id": "11136",
            "caller": "0x7ffc756e2e92",
            "parentcaller": "0x7ffc77ba87bc",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000466"
              },
              {
                "name": "ValueName",
                "value": ""
              },
              {
                "name": "Data",
                "value": "Windows Push Notification Platform"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{0c9281f9-6da1-4006-8729-de6e6b61581c}\\(Default)"
              }
            ],
            "repeated": 0,
            "id": 1660
          },
          {
            "timestamp": "2026-05-28 22:02:13,932",
            "thread_id": "11136",
            "caller": "0x7ffc77ba8485",
            "parentcaller": "0x7ffc77ba829e",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000466"
              },
              {
                "name": "SubKey",
                "value": "InprocServer32"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{0c9281f9-6da1-4006-8729-de6e6b61581c}\\InprocServer32"
              }
            ],
            "repeated": 0,
            "id": 1661
          },
          {
            "timestamp": "2026-05-28 22:02:13,932",
            "thread_id": "11136",
            "caller": "0x7ffc756e45a7",
            "parentcaller": "0x7ffc756e0705",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000466"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\CLSID\\{0c9281f9-6da1-4006-8729-de6e6b61581c}"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 1662
          },
          {
            "timestamp": "2026-05-28 22:02:13,932",
            "thread_id": "11136",
            "caller": "0x7ffc756e2314",
            "parentcaller": "0x7ffc756e0732",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000466"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 1663
          },
          {
            "timestamp": "2026-05-28 22:02:13,932",
            "thread_id": "11136",
            "caller": "0x7ffc78006c8b",
            "parentcaller": "0x7ffc756e23a0",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xc0\\xc5\\xef\\xf8\\xb8\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xfc\\x7f\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\xe9\\x03\\x00\\x00\\xfc\\x7f\\x00\\x00\\xb8\\xcf\\xd93\\xfc\\x7f\\x00\\x00f\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\xe0\\xd2\\xd93\\xfc\\x7f\\x00\\x00\\x04\\x00\\x00\\x00\\xb8\\x00\\x00\\x00\\xc0\\xc6\\xef\\xf8\\xb8\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1664
          },
          {
            "timestamp": "2026-05-28 22:02:13,932",
            "thread_id": "11136",
            "caller": "0x7ffc756e24a8",
            "parentcaller": "0x7ffc756e0732",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3968686040-3210279463-847977608-1001_Classes\\CLSID\\{0c9281f9-6da1-4006-8729-de6e6b61581c}\\InprocHandler32"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{0c9281f9-6da1-4006-8729-de6e6b61581c}\\InprocHandler32"
              }
            ],
            "repeated": 0,
            "id": 1665
          },
          {
            "timestamp": "2026-05-28 22:02:13,932",
            "thread_id": "11136",
            "caller": "0x7ffc756e40c4",
            "parentcaller": "0x7ffc756e25c4",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000466"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 1666
          },
          {
            "timestamp": "2026-05-28 22:02:13,932",
            "thread_id": "11136",
            "caller": "0x7ffc756e25e2",
            "parentcaller": "0x7ffc756e0732",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000466"
              },
              {
                "name": "ObjectAttributesName",
                "value": "InprocHandler32"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{0c9281f9-6da1-4006-8729-de6e6b61581c}\\InprocHandler32"
              }
            ],
            "repeated": 0,
            "id": 1667
          },
          {
            "timestamp": "2026-05-28 22:02:13,932",
            "thread_id": "11136",
            "caller": "0x7ffc756e45a7",
            "parentcaller": "0x7ffc756e0705",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000466"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\CLSID\\{0c9281f9-6da1-4006-8729-de6e6b61581c}"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 1668
          },
          {
            "timestamp": "2026-05-28 22:02:13,932",
            "thread_id": "11136",
            "caller": "0x7ffc756e2314",
            "parentcaller": "0x7ffc756e0732",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000466"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 1669
          },
          {
            "timestamp": "2026-05-28 22:02:13,932",
            "thread_id": "11136",
            "caller": "0x7ffc78006c8b",
            "parentcaller": "0x7ffc756e23a0",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xc0\\xc5\\xef\\xf8\\xb8\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xfc\\x7f\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\xe9\\x03\\x00\\x00\\xfc\\x7f\\x00\\x00\\xb8\\xcf\\xd93\\xfc\\x7f\\x00\\x00f\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\xe0\\xd2\\xd93\\xfc\\x7f\\x00\\x00\\x04\\x00\\x00\\x00\\xb8\\x00\\x00\\x00\\xc0\\xc6\\xef\\xf8\\xb8\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1670
          },
          {
            "timestamp": "2026-05-28 22:02:13,932",
            "thread_id": "11136",
            "caller": "0x7ffc756e24a8",
            "parentcaller": "0x7ffc756e0732",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3968686040-3210279463-847977608-1001_Classes\\CLSID\\{0c9281f9-6da1-4006-8729-de6e6b61581c}\\InprocHandler"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{0c9281f9-6da1-4006-8729-de6e6b61581c}\\InprocHandler"
              }
            ],
            "repeated": 0,
            "id": 1671
          },
          {
            "timestamp": "2026-05-28 22:02:13,932",
            "thread_id": "11136",
            "caller": "0x7ffc756e40c4",
            "parentcaller": "0x7ffc756e25c4",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000466"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 1672
          },
          {
            "timestamp": "2026-05-28 22:02:13,932",
            "thread_id": "11136",
            "caller": "0x7ffc756e25e2",
            "parentcaller": "0x7ffc756e0732",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000466"
              },
              {
                "name": "ObjectAttributesName",
                "value": "InprocHandler"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{0c9281f9-6da1-4006-8729-de6e6b61581c}\\InprocHandler"
              }
            ],
            "repeated": 0,
            "id": 1673
          },
          {
            "timestamp": "2026-05-28 22:02:13,932",
            "thread_id": "11136",
            "caller": "0x7ffc77ba8010",
            "parentcaller": "0x7ffc77ba53d4",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000466"
              }
            ],
            "repeated": 0,
            "id": 1674
          },
          {
            "timestamp": "2026-05-28 22:02:13,932",
            "thread_id": "11136",
            "caller": "0x7ffc756d30ce",
            "parentcaller": "0x7ffc77c22cd1",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 1675
          },
          {
            "timestamp": "2026-05-28 22:02:13,932",
            "thread_id": "11136",
            "caller": "0x7ffc756d30ce",
            "parentcaller": "0x7ffc77c22cd1",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000037c"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 1676
          },
          {
            "timestamp": "2026-05-28 22:02:13,932",
            "thread_id": "11136",
            "caller": "0x7ffc756e3a9c",
            "parentcaller": "0x7ffc756e3529",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 1677
          },
          {
            "timestamp": "2026-05-28 22:02:13,932",
            "thread_id": "11136",
            "caller": "0x7ffc756e40c4",
            "parentcaller": "0x7ffc756e3f4b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000114"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 1678
          },
          {
            "timestamp": "2026-05-28 22:02:13,932",
            "thread_id": "11136",
            "caller": "0x7ffc756e3f76",
            "parentcaller": "0x7ffc75764fd4",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000464"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000114"
              },
              {
                "name": "ObjectAttributesName",
                "value": "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Containers"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Containers"
              }
            ],
            "repeated": 0,
            "id": 1679
          },
          {
            "timestamp": "2026-05-28 22:02:13,932",
            "thread_id": "11136",
            "caller": "0x7ffc756e2fe4",
            "parentcaller": "0x7ffc77c1f195",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000464"
              },
              {
                "name": "ValueName",
                "value": "WaitForRestore"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Containers\\WaitForRestore"
              }
            ],
            "repeated": 0,
            "id": 1680
          },
          {
            "timestamp": "2026-05-28 22:02:13,932",
            "thread_id": "11136",
            "caller": "0x7ffc756e3018",
            "parentcaller": "0x7ffc77c1f195",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000464"
              }
            ],
            "repeated": 0,
            "id": 1681
          },
          {
            "timestamp": "2026-05-28 22:02:13,932",
            "thread_id": "11136",
            "caller": "0x7ffc756e3a9c",
            "parentcaller": "0x7ffc756e3529",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 1682
          },
          {
            "timestamp": "2026-05-28 22:02:13,932",
            "thread_id": "11136",
            "caller": "0x7ffc756e40c4",
            "parentcaller": "0x7ffc756e3f4b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000114"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 1683
          },
          {
            "timestamp": "2026-05-28 22:02:13,932",
            "thread_id": "11136",
            "caller": "0x7ffc756e3f76",
            "parentcaller": "0x7ffc75764fd4",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000464"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000114"
              },
              {
                "name": "ObjectAttributesName",
                "value": "SOFTWARE\\Microsoft\\OLE"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\OLE"
              }
            ],
            "repeated": 0,
            "id": 1684
          },
          {
            "timestamp": "2026-05-28 22:02:13,932",
            "thread_id": "11136",
            "caller": "0x7ffc756e2fe4",
            "parentcaller": "0x7ffc77c1ca47",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000464"
              },
              {
                "name": "ValueName",
                "value": "ActivateOnHostFlags"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Ole\\ActivateOnHostFlags"
              }
            ],
            "repeated": 0,
            "id": 1685
          },
          {
            "timestamp": "2026-05-28 22:02:13,932",
            "thread_id": "11136",
            "caller": "0x7ffc756e3018",
            "parentcaller": "0x7ffc77c1ca47",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000464"
              }
            ],
            "repeated": 0,
            "id": 1686
          },
          {
            "timestamp": "2026-05-28 22:02:13,932",
            "thread_id": "11136",
            "caller": "0x7ffc770e1630",
            "parentcaller": "0x7ffc770e12cd",
            "category": "system",
            "api": "NtQuerySystemTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 1,
            "id": 1687
          },
          {
            "timestamp": "2026-05-28 22:02:13,932",
            "thread_id": "11136",
            "caller": "0x7ffc77ff2caa",
            "parentcaller": "0x7ffc77ff2fbd",
            "category": "process",
            "api": "NtAllocateVirtualMemoryEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2a36546e000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1688
          },
          {
            "timestamp": "2026-05-28 22:02:13,932",
            "thread_id": "11136",
            "caller": "0x7ffc756de76a",
            "parentcaller": "0x7ffc77bb0e64",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "combase.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc77b70000"
              }
            ],
            "repeated": 0,
            "id": 1689
          },
          {
            "timestamp": "2026-05-28 22:02:13,932",
            "thread_id": "11136",
            "caller": "0x7ffc756eac31",
            "parentcaller": "0x7ffc77bb0e82",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "combase.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc77b70000"
              },
              {
                "name": "FunctionName",
                "value": "CoGetMarshalSizeMax"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc77bdc590"
              }
            ],
            "repeated": 0,
            "id": 1690
          },
          {
            "timestamp": "2026-05-28 22:02:13,932",
            "thread_id": "11136",
            "caller": "0x7ffc756eac31",
            "parentcaller": "0x7ffc77bb0e9f",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "combase.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc77b70000"
              },
              {
                "name": "FunctionName",
                "value": "CoMarshalInterface"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc77beb0b0"
              }
            ],
            "repeated": 0,
            "id": 1691
          },
          {
            "timestamp": "2026-05-28 22:02:13,932",
            "thread_id": "11136",
            "caller": "0x7ffc756eac31",
            "parentcaller": "0x7ffc77bb0ebc",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "combase.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc77b70000"
              },
              {
                "name": "FunctionName",
                "value": "CoUnmarshalInterface"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc77be8b50"
              }
            ],
            "repeated": 0,
            "id": 1692
          },
          {
            "timestamp": "2026-05-28 22:02:13,932",
            "thread_id": "11136",
            "caller": "0x7ffc756eac31",
            "parentcaller": "0x7ffc77bb0ed9",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "combase.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc77b70000"
              },
              {
                "name": "FunctionName",
                "value": "CoReleaseMarshalData"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc77b9e790"
              }
            ],
            "repeated": 0,
            "id": 1693
          },
          {
            "timestamp": "2026-05-28 22:02:13,932",
            "thread_id": "11136",
            "caller": "0x7ffc77ff2caa",
            "parentcaller": "0x7ffc77ff2fbd",
            "category": "process",
            "api": "NtAllocateVirtualMemoryEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2a36546f000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1694
          },
          {
            "timestamp": "2026-05-28 22:02:13,932",
            "thread_id": "11136",
            "caller": "0x7ffc77ff2caa",
            "parentcaller": "0x7ffc77ff2fbd",
            "category": "process",
            "api": "NtAllocateVirtualMemoryEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2a365470000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1695
          },
          {
            "timestamp": "2026-05-28 22:02:13,932",
            "thread_id": "11136",
            "caller": "0x7ffc77ff2caa",
            "parentcaller": "0x7ffc77ff2fbd",
            "category": "process",
            "api": "NtAllocateVirtualMemoryEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2a365471000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1696
          },
          {
            "timestamp": "2026-05-28 22:02:13,932",
            "thread_id": "11136",
            "caller": "0x7ffc77ff2caa",
            "parentcaller": "0x7ffc77ff2fbd",
            "category": "process",
            "api": "NtAllocateVirtualMemoryEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2a365472000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1697
          },
          {
            "timestamp": "2026-05-28 22:02:13,932",
            "thread_id": "11136",
            "caller": "0x7ffc75716f4c",
            "parentcaller": "0x7ffc77b96d2f",
            "category": "system",
            "api": "NtDuplicateObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SourceProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "SourceHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "TargetProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "TargetHandle",
                "value": "0x00000464"
              },
              {
                "name": "Options",
                "value": "0x00000002"
              }
            ],
            "repeated": 0,
            "id": 1698
          },
          {
            "timestamp": "2026-05-28 22:02:13,932",
            "thread_id": "11136",
            "caller": "0x7ffc77be92b9",
            "parentcaller": "0x7ffc77c2224d",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "00000339-0000-0000-C000-000000000046"
              },
              {
                "name": "ClsContext",
                "value": "0x00000403",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER|CLSCTX_NO_CODE_DOWNLOAD"
              },
              {
                "name": "riid",
                "value": "00000003-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 1699
          },
          {
            "timestamp": "2026-05-28 22:02:13,932",
            "thread_id": "11136",
            "caller": "0x7ffc77c493cc",
            "parentcaller": "0x7ffc77bec382",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "Software\\Microsoft\\Ole"
              },
              {
                "name": "Handle",
                "value": "0x00000468"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Ole"
              }
            ],
            "repeated": 0,
            "id": 1700
          },
          {
            "timestamp": "2026-05-28 22:02:13,932",
            "thread_id": "11136",
            "caller": "0x7ffc77c4940c",
            "parentcaller": "0x7ffc77bec382",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000468"
              },
              {
                "name": "ValueName",
                "value": "MaximumAllowedAllocationSize"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Ole\\MaximumAllowedAllocationSize"
              }
            ],
            "repeated": 0,
            "id": 1701
          },
          {
            "timestamp": "2026-05-28 22:02:13,932",
            "thread_id": "11136",
            "caller": "0x7ffc77c49425",
            "parentcaller": "0x7ffc77bec382",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000468"
              }
            ],
            "repeated": 0,
            "id": 1702
          },
          {
            "timestamp": "2026-05-28 22:02:13,932",
            "thread_id": "11136",
            "caller": "0x7ffc77ba22bf",
            "parentcaller": "0x7ffc77c1fbe4",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x000003c6"
              },
              {
                "name": "SubKey",
                "value": "Interface\\{DF8E9480-CA73-448E-B8F0-DA000F581428}"
              },
              {
                "name": "Handle",
                "value": "0x0000046a"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\Interface\\{DF8E9480-CA73-448E-B8F0-DA000F581428}"
              }
            ],
            "repeated": 0,
            "id": 1703
          },
          {
            "timestamp": "2026-05-28 22:02:13,932",
            "thread_id": "11136",
            "caller": "0x7ffc77c1fa51",
            "parentcaller": "0x7ffc77be42ab",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x0000046a"
              },
              {
                "name": "SubKey",
                "value": "ProxyStubClsid32"
              },
              {
                "name": "Handle",
                "value": "0x0000046e"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{DF8E9480-CA73-448E-B8F0-DA000F581428}\\ProxyStubClsid32"
              }
            ],
            "repeated": 0,
            "id": 1704
          },
          {
            "timestamp": "2026-05-28 22:02:13,932",
            "thread_id": "11136",
            "caller": "0x7ffc77c1fa8c",
            "parentcaller": "0x7ffc77be42ab",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000046e"
              },
              {
                "name": "ValueName",
                "value": ""
              },
              {
                "name": "Data",
                "value": "{95E15D0A-66E6-93D9-C53C-76E6219D3341}"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{DF8E9480-CA73-448E-B8F0-DA000F581428}\\ProxyStubClsid32\\(Default)"
              }
            ],
            "repeated": 0,
            "id": 1705
          },
          {
            "timestamp": "2026-05-28 22:02:13,932",
            "thread_id": "11136",
            "caller": "0x7ffc77c1fad3",
            "parentcaller": "0x7ffc77be42ab",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000046e"
              }
            ],
            "repeated": 0,
            "id": 1706
          },
          {
            "timestamp": "2026-05-28 22:02:13,932",
            "thread_id": "11136",
            "caller": "0x7ffc77c1fae4",
            "parentcaller": "0x7ffc77be42ab",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000046a"
              }
            ],
            "repeated": 0,
            "id": 1707
          },
          {
            "timestamp": "2026-05-28 22:02:13,932",
            "thread_id": "11136",
            "caller": "0x7ffc77ba7b74",
            "parentcaller": "0x7ffc77ba53d4",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x0000036a"
              },
              {
                "name": "SubKey",
                "value": "CLSID\\{95E15D0A-66E6-93D9-C53C-76E6219D3341}"
              },
              {
                "name": "Handle",
                "value": "0x0000046a"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{95E15D0A-66E6-93D9-C53C-76E6219D3341}"
              }
            ],
            "repeated": 0,
            "id": 1708
          },
          {
            "timestamp": "2026-05-28 22:02:13,932",
            "thread_id": "11136",
            "caller": "0x7ffc756e45a7",
            "parentcaller": "0x7ffc756e0705",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000046a"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\CLSID\\{95E15D0A-66E6-93D9-C53C-76E6219D3341}"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 1709
          },
          {
            "timestamp": "2026-05-28 22:02:13,932",
            "thread_id": "11136",
            "caller": "0x7ffc756e2314",
            "parentcaller": "0x7ffc756e0732",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000046a"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 1710
          },
          {
            "timestamp": "2026-05-28 22:02:13,932",
            "thread_id": "11136",
            "caller": "0x7ffc78006c8b",
            "parentcaller": "0x7ffc756e23a0",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\x10\\xb7\\xef\\xf8\\xb8\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xfc\\x7f\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\xe9\\x03\\x00\\x00\\xfc\\x7f\\x00\\x00\\xb8\\xcf\\xd93\\xfc\\x7f\\x00\\x00j\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\xe0\\xd2\\xd93\\xfc\\x7f\\x00\\x00\\x04\\x00\\x00\\x00\\xb8\\x00\\x00\\x00\\x10\\xb8\\xef\\xf8\\xb8\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1711
          },
          {
            "timestamp": "2026-05-28 22:02:13,932",
            "thread_id": "11136",
            "caller": "0x7ffc756e24a8",
            "parentcaller": "0x7ffc756e0732",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3968686040-3210279463-847977608-1001_Classes\\CLSID\\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\\TreatAs"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\\TreatAs"
              }
            ],
            "repeated": 0,
            "id": 1712
          },
          {
            "timestamp": "2026-05-28 22:02:13,932",
            "thread_id": "11136",
            "caller": "0x7ffc756e40c4",
            "parentcaller": "0x7ffc756e25c4",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000046a"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 1713
          },
          {
            "timestamp": "2026-05-28 22:02:13,932",
            "thread_id": "11136",
            "caller": "0x7ffc756e25e2",
            "parentcaller": "0x7ffc756e0732",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x0000046a"
              },
              {
                "name": "ObjectAttributesName",
                "value": "TreatAs"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\\TreatAs"
              }
            ],
            "repeated": 0,
            "id": 1714
          },
          {
            "timestamp": "2026-05-28 22:02:13,932",
            "thread_id": "11136",
            "caller": "0x7ffc77c322e1",
            "parentcaller": "0x7ffc77ba7c1d",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000046a"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\CLSID\\{95E15D0A-66E6-93D9-C53C-76E6219D3341}"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 1715
          },
          {
            "timestamp": "2026-05-28 22:02:13,932",
            "thread_id": "11136",
            "caller": "0x7ffc756e2e92",
            "parentcaller": "0x7ffc77ba81f5",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000046a"
              },
              {
                "name": "ValueName",
                "value": "ActivateOnHostFlags"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\\ActivateOnHostFlags"
              }
            ],
            "repeated": 0,
            "id": 1716
          },
          {
            "timestamp": "2026-05-28 22:02:13,932",
            "thread_id": "11136",
            "caller": "0x7ffc756e2e92",
            "parentcaller": "0x7ffc77ba870d",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000046a"
              },
              {
                "name": "ValueName",
                "value": ""
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\\(Default)"
              }
            ],
            "repeated": 0,
            "id": 1717
          },
          {
            "timestamp": "2026-05-28 22:02:13,932",
            "thread_id": "11136",
            "caller": "0x7ffc756e2e92",
            "parentcaller": "0x7ffc77ba87bc",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000046a"
              },
              {
                "name": "ValueName",
                "value": ""
              },
              {
                "name": "Data",
                "value": "PSFactoryBuffer"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\\(Default)"
              }
            ],
            "repeated": 0,
            "id": 1718
          },
          {
            "timestamp": "2026-05-28 22:02:13,932",
            "thread_id": "11136",
            "caller": "0x7ffc77ba8485",
            "parentcaller": "0x7ffc77ba829e",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x0000046a"
              },
              {
                "name": "SubKey",
                "value": "InprocServer32"
              },
              {
                "name": "Handle",
                "value": "0x0000046e"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\\InprocServer32"
              }
            ],
            "repeated": 0,
            "id": 1719
          },
          {
            "timestamp": "2026-05-28 22:02:13,932",
            "thread_id": "11136",
            "caller": "0x7ffc756e2e92",
            "parentcaller": "0x7ffc77ba870d",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000046e"
              },
              {
                "name": "ValueName",
                "value": "InprocServer32"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\\InProcServer32\\InprocServer32"
              }
            ],
            "repeated": 0,
            "id": 1720
          },
          {
            "timestamp": "2026-05-28 22:02:13,932",
            "thread_id": "11136",
            "caller": "0x7ffc756e2e92",
            "parentcaller": "0x7ffc77ba870d",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000046e"
              },
              {
                "name": "ValueName",
                "value": ""
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\\InProcServer32\\(Default)"
              }
            ],
            "repeated": 0,
            "id": 1721
          },
          {
            "timestamp": "2026-05-28 22:02:13,932",
            "thread_id": "11136",
            "caller": "0x7ffc756e2e92",
            "parentcaller": "0x7ffc77ba87bc",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000046e"
              },
              {
                "name": "ValueName",
                "value": ""
              },
              {
                "name": "Data",
                "value": "C:\\Windows\\System32\\OneCoreUAPCommonProxyStub.dll"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\\InProcServer32\\(Default)"
              }
            ],
            "repeated": 0,
            "id": 1722
          },
          {
            "timestamp": "2026-05-28 22:02:13,932",
            "thread_id": "11136",
            "caller": "0x7ffc756e2e92",
            "parentcaller": "0x7ffc77ba8d32",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000046e"
              },
              {
                "name": "ValueName",
                "value": "ThreadingModel"
              },
              {
                "name": "Data",
                "value": "Both"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\\InProcServer32\\ThreadingModel"
              }
            ],
            "repeated": 0,
            "id": 1723
          },
          {
            "timestamp": "2026-05-28 22:02:13,932",
            "thread_id": "11136",
            "caller": "0x7ffc77ba855f",
            "parentcaller": "0x7ffc77ba829e",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000046e"
              }
            ],
            "repeated": 0,
            "id": 1724
          },
          {
            "timestamp": "2026-05-28 22:02:13,932",
            "thread_id": "11136",
            "caller": "0x7ffc756e45a7",
            "parentcaller": "0x7ffc756e0705",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000046a"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\CLSID\\{95E15D0A-66E6-93D9-C53C-76E6219D3341}"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 1725
          },
          {
            "timestamp": "2026-05-28 22:02:13,932",
            "thread_id": "11136",
            "caller": "0x7ffc756e2314",
            "parentcaller": "0x7ffc756e0732",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000046a"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 1726
          },
          {
            "timestamp": "2026-05-28 22:02:13,932",
            "thread_id": "11136",
            "caller": "0x7ffc78006c8b",
            "parentcaller": "0x7ffc756e23a0",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xa0\\xb5\\xef\\xf8\\xb8\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xfc\\x7f\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\xe9\\x03\\x00\\x00\\xfc\\x7f\\x00\\x00\\xb8\\xcf\\xd93\\xfc\\x7f\\x00\\x00j\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\xe0\\xd2\\xd93\\xfc\\x7f\\x00\\x00\\x04\\x00\\x00\\x00\\xb8\\x00\\x00\\x00\\xa0\\xb6\\xef\\xf8\\xb8\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1727
          },
          {
            "timestamp": "2026-05-28 22:02:13,932",
            "thread_id": "11136",
            "caller": "0x7ffc756e24a8",
            "parentcaller": "0x7ffc756e0732",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3968686040-3210279463-847977608-1001_Classes\\CLSID\\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\\InprocHandler32"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\\InprocHandler32"
              }
            ],
            "repeated": 0,
            "id": 1728
          },
          {
            "timestamp": "2026-05-28 22:02:13,932",
            "thread_id": "11136",
            "caller": "0x7ffc756e40c4",
            "parentcaller": "0x7ffc756e25c4",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000046a"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 1729
          },
          {
            "timestamp": "2026-05-28 22:02:13,932",
            "thread_id": "11136",
            "caller": "0x7ffc756e25e2",
            "parentcaller": "0x7ffc756e0732",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x0000046a"
              },
              {
                "name": "ObjectAttributesName",
                "value": "InprocHandler32"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\\InprocHandler32"
              }
            ],
            "repeated": 0,
            "id": 1730
          },
          {
            "timestamp": "2026-05-28 22:02:13,932",
            "thread_id": "11136",
            "caller": "0x7ffc756e45a7",
            "parentcaller": "0x7ffc756e0705",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000046a"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\CLSID\\{95E15D0A-66E6-93D9-C53C-76E6219D3341}"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 1731
          },
          {
            "timestamp": "2026-05-28 22:02:13,932",
            "thread_id": "11136",
            "caller": "0x7ffc756e2314",
            "parentcaller": "0x7ffc756e0732",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000046a"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 1732
          },
          {
            "timestamp": "2026-05-28 22:02:13,932",
            "thread_id": "11136",
            "caller": "0x7ffc78006c8b",
            "parentcaller": "0x7ffc756e23a0",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xa0\\xb5\\xef\\xf8\\xb8\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xfc\\x7f\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\xe9\\x03\\x00\\x00\\xfc\\x7f\\x00\\x00\\xb8\\xcf\\xd93\\xfc\\x7f\\x00\\x00j\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\xe0\\xd2\\xd93\\xfc\\x7f\\x00\\x00\\x04\\x00\\x00\\x00\\xb8\\x00\\x00\\x00\\xa0\\xb6\\xef\\xf8\\xb8\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1733
          },
          {
            "timestamp": "2026-05-28 22:02:13,932",
            "thread_id": "11136",
            "caller": "0x7ffc756e24a8",
            "parentcaller": "0x7ffc756e0732",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3968686040-3210279463-847977608-1001_Classes\\CLSID\\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\\InprocHandler"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\\InprocHandler"
              }
            ],
            "repeated": 0,
            "id": 1734
          },
          {
            "timestamp": "2026-05-28 22:02:13,932",
            "thread_id": "11136",
            "caller": "0x7ffc756e40c4",
            "parentcaller": "0x7ffc756e25c4",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000046a"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 1735
          },
          {
            "timestamp": "2026-05-28 22:02:13,932",
            "thread_id": "11136",
            "caller": "0x7ffc756e25e2",
            "parentcaller": "0x7ffc756e0732",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x0000046a"
              },
              {
                "name": "ObjectAttributesName",
                "value": "InprocHandler"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\\InprocHandler"
              }
            ],
            "repeated": 0,
            "id": 1736
          },
          {
            "timestamp": "2026-05-28 22:02:13,932",
            "thread_id": "11136",
            "caller": "0x7ffc77ba8010",
            "parentcaller": "0x7ffc77ba53d4",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000046a"
              }
            ],
            "repeated": 0,
            "id": 1737
          },
          {
            "timestamp": "2026-05-28 22:02:13,932",
            "thread_id": "11136",
            "caller": "0x7ffc756d30ce",
            "parentcaller": "0x7ffc77c22cd1",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 1738
          },
          {
            "timestamp": "2026-05-28 22:02:13,932",
            "thread_id": "11136",
            "caller": "0x7ffc756d30ce",
            "parentcaller": "0x7ffc77c22cd1",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000037c"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 1739
          },
          {
            "timestamp": "2026-05-28 22:02:13,932",
            "thread_id": "11136",
            "caller": "0x7ffc77ba7b74",
            "parentcaller": "0x7ffc77ba53d4",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x0000036a"
              },
              {
                "name": "SubKey",
                "value": "CLSID\\{95E15D0A-66E6-93D9-C53C-76E6219D3341}"
              },
              {
                "name": "Handle",
                "value": "0x0000046a"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{95E15D0A-66E6-93D9-C53C-76E6219D3341}"
              }
            ],
            "repeated": 0,
            "id": 1740
          },
          {
            "timestamp": "2026-05-28 22:02:13,932",
            "thread_id": "11136",
            "caller": "0x7ffc756e45a7",
            "parentcaller": "0x7ffc756e0705",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000046a"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\CLSID\\{95E15D0A-66E6-93D9-C53C-76E6219D3341}"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 1741
          },
          {
            "timestamp": "2026-05-28 22:02:13,932",
            "thread_id": "11136",
            "caller": "0x7ffc756e2314",
            "parentcaller": "0x7ffc756e0732",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000046a"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 1742
          },
          {
            "timestamp": "2026-05-28 22:02:13,932",
            "thread_id": "11136",
            "caller": "0x7ffc78006c8b",
            "parentcaller": "0x7ffc756e23a0",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xd0\\xb3\\xef\\xf8\\xb8\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xfc\\x7f\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\xe9\\x03\\x00\\x00\\xfc\\x7f\\x00\\x00\\xb8\\xcf\\xd93\\xfc\\x7f\\x00\\x00j\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\xe0\\xd2\\xd93\\xfc\\x7f\\x00\\x00\\x04\\x00\\x00\\x00\\xb8\\x00\\x00\\x00\\xd0\\xb4\\xef\\xf8\\xb8\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1743
          },
          {
            "timestamp": "2026-05-28 22:02:13,932",
            "thread_id": "11136",
            "caller": "0x7ffc756e24a8",
            "parentcaller": "0x7ffc756e0732",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3968686040-3210279463-847977608-1001_Classes\\CLSID\\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\\TreatAs"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\\TreatAs"
              }
            ],
            "repeated": 0,
            "id": 1744
          },
          {
            "timestamp": "2026-05-28 22:02:13,932",
            "thread_id": "11136",
            "caller": "0x7ffc756e40c4",
            "parentcaller": "0x7ffc756e25c4",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000046a"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 1745
          },
          {
            "timestamp": "2026-05-28 22:02:13,932",
            "thread_id": "11136",
            "caller": "0x7ffc756e25e2",
            "parentcaller": "0x7ffc756e0732",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x0000046a"
              },
              {
                "name": "ObjectAttributesName",
                "value": "TreatAs"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\\TreatAs"
              }
            ],
            "repeated": 0,
            "id": 1746
          },
          {
            "timestamp": "2026-05-28 22:02:13,932",
            "thread_id": "11136",
            "caller": "0x7ffc77c322e1",
            "parentcaller": "0x7ffc77ba7c1d",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000046a"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\CLSID\\{95E15D0A-66E6-93D9-C53C-76E6219D3341}"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 1747
          },
          {
            "timestamp": "2026-05-28 22:02:13,932",
            "thread_id": "11136",
            "caller": "0x7ffc756e2e92",
            "parentcaller": "0x7ffc77ba81f5",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000046a"
              },
              {
                "name": "ValueName",
                "value": "ActivateOnHostFlags"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\\ActivateOnHostFlags"
              }
            ],
            "repeated": 0,
            "id": 1748
          },
          {
            "timestamp": "2026-05-28 22:02:13,932",
            "thread_id": "11136",
            "caller": "0x7ffc756e2e92",
            "parentcaller": "0x7ffc77ba870d",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000046a"
              },
              {
                "name": "ValueName",
                "value": ""
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\\(Default)"
              }
            ],
            "repeated": 0,
            "id": 1749
          },
          {
            "timestamp": "2026-05-28 22:02:13,932",
            "thread_id": "11136",
            "caller": "0x7ffc756e2e92",
            "parentcaller": "0x7ffc77ba87bc",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000046a"
              },
              {
                "name": "ValueName",
                "value": ""
              },
              {
                "name": "Data",
                "value": "PSFactoryBuffer"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\\(Default)"
              }
            ],
            "repeated": 0,
            "id": 1750
          },
          {
            "timestamp": "2026-05-28 22:02:13,932",
            "thread_id": "11136",
            "caller": "0x7ffc77ba8485",
            "parentcaller": "0x7ffc77ba829e",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x0000046a"
              },
              {
                "name": "SubKey",
                "value": "InprocServer32"
              },
              {
                "name": "Handle",
                "value": "0x0000046e"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\\InprocServer32"
              }
            ],
            "repeated": 0,
            "id": 1751
          },
          {
            "timestamp": "2026-05-28 22:02:13,932",
            "thread_id": "11136",
            "caller": "0x7ffc756e2e92",
            "parentcaller": "0x7ffc77ba870d",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000046e"
              },
              {
                "name": "ValueName",
                "value": "InprocServer32"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\\InProcServer32\\InprocServer32"
              }
            ],
            "repeated": 0,
            "id": 1752
          },
          {
            "timestamp": "2026-05-28 22:02:13,932",
            "thread_id": "11136",
            "caller": "0x7ffc756e2e92",
            "parentcaller": "0x7ffc77ba870d",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000046e"
              },
              {
                "name": "ValueName",
                "value": ""
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\\InProcServer32\\(Default)"
              }
            ],
            "repeated": 0,
            "id": 1753
          },
          {
            "timestamp": "2026-05-28 22:02:13,932",
            "thread_id": "11136",
            "caller": "0x7ffc756e2e92",
            "parentcaller": "0x7ffc77ba87bc",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000046e"
              },
              {
                "name": "ValueName",
                "value": ""
              },
              {
                "name": "Data",
                "value": "C:\\Windows\\System32\\OneCoreUAPCommonProxyStub.dll"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\\InProcServer32\\(Default)"
              }
            ],
            "repeated": 0,
            "id": 1754
          },
          {
            "timestamp": "2026-05-28 22:02:13,932",
            "thread_id": "11136",
            "caller": "0x7ffc756e2e92",
            "parentcaller": "0x7ffc77ba8d32",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000046e"
              },
              {
                "name": "ValueName",
                "value": "ThreadingModel"
              },
              {
                "name": "Data",
                "value": "Both"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\\InProcServer32\\ThreadingModel"
              }
            ],
            "repeated": 0,
            "id": 1755
          },
          {
            "timestamp": "2026-05-28 22:02:13,932",
            "thread_id": "11136",
            "caller": "0x7ffc77ba855f",
            "parentcaller": "0x7ffc77ba829e",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000046e"
              }
            ],
            "repeated": 0,
            "id": 1756
          },
          {
            "timestamp": "2026-05-28 22:02:13,932",
            "thread_id": "11136",
            "caller": "0x7ffc756e45a7",
            "parentcaller": "0x7ffc756e0705",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000046a"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\CLSID\\{95E15D0A-66E6-93D9-C53C-76E6219D3341}"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 1757
          },
          {
            "timestamp": "2026-05-28 22:02:13,932",
            "thread_id": "11136",
            "caller": "0x7ffc756e2314",
            "parentcaller": "0x7ffc756e0732",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000046a"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 1758
          },
          {
            "timestamp": "2026-05-28 22:02:13,932",
            "thread_id": "11136",
            "caller": "0x7ffc78006c8b",
            "parentcaller": "0x7ffc756e23a0",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "`\\xb2\\xef\\xf8\\xb8\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xfc\\x7f\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\xe9\\x03\\x00\\x00\\xfc\\x7f\\x00\\x00\\xb8\\xcf\\xd93\\xfc\\x7f\\x00\\x00j\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\xe0\\xd2\\xd93\\xfc\\x7f\\x00\\x00\\x04\\x00\\x00\\x00\\xb8\\x00\\x00\\x00`\\xb3\\xef\\xf8\\xb8\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1759
          },
          {
            "timestamp": "2026-05-28 22:02:13,932",
            "thread_id": "11136",
            "caller": "0x7ffc756e24a8",
            "parentcaller": "0x7ffc756e0732",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3968686040-3210279463-847977608-1001_Classes\\CLSID\\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\\InprocHandler32"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\\InprocHandler32"
              }
            ],
            "repeated": 0,
            "id": 1760
          },
          {
            "timestamp": "2026-05-28 22:02:13,932",
            "thread_id": "11136",
            "caller": "0x7ffc756e40c4",
            "parentcaller": "0x7ffc756e25c4",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000046a"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 1761
          },
          {
            "timestamp": "2026-05-28 22:02:13,932",
            "thread_id": "11136",
            "caller": "0x7ffc756e25e2",
            "parentcaller": "0x7ffc756e0732",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x0000046a"
              },
              {
                "name": "ObjectAttributesName",
                "value": "InprocHandler32"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\\InprocHandler32"
              }
            ],
            "repeated": 0,
            "id": 1762
          },
          {
            "timestamp": "2026-05-28 22:02:13,932",
            "thread_id": "11136",
            "caller": "0x7ffc756e45a7",
            "parentcaller": "0x7ffc756e0705",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000046a"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\CLSID\\{95E15D0A-66E6-93D9-C53C-76E6219D3341}"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 1763
          },
          {
            "timestamp": "2026-05-28 22:02:13,932",
            "thread_id": "11136",
            "caller": "0x7ffc756e2314",
            "parentcaller": "0x7ffc756e0732",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000046a"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 1764
          },
          {
            "timestamp": "2026-05-28 22:02:13,932",
            "thread_id": "11136",
            "caller": "0x7ffc78006c8b",
            "parentcaller": "0x7ffc756e23a0",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "`\\xb2\\xef\\xf8\\xb8\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xfc\\x7f\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\xe9\\x03\\x00\\x00\\xfc\\x7f\\x00\\x00\\xb8\\xcf\\xd93\\xfc\\x7f\\x00\\x00j\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\xe0\\xd2\\xd93\\xfc\\x7f\\x00\\x00\\x04\\x00\\x00\\x00\\xb8\\x00\\x00\\x00`\\xb3\\xef\\xf8\\xb8\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1765
          },
          {
            "timestamp": "2026-05-28 22:02:13,932",
            "thread_id": "11136",
            "caller": "0x7ffc756e24a8",
            "parentcaller": "0x7ffc756e0732",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3968686040-3210279463-847977608-1001_Classes\\CLSID\\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\\InprocHandler"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\\InprocHandler"
              }
            ],
            "repeated": 0,
            "id": 1766
          },
          {
            "timestamp": "2026-05-28 22:02:13,932",
            "thread_id": "11136",
            "caller": "0x7ffc756e40c4",
            "parentcaller": "0x7ffc756e25c4",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000046a"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 1767
          },
          {
            "timestamp": "2026-05-28 22:02:13,932",
            "thread_id": "11136",
            "caller": "0x7ffc756e25e2",
            "parentcaller": "0x7ffc756e0732",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x0000046a"
              },
              {
                "name": "ObjectAttributesName",
                "value": "InprocHandler"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\\InprocHandler"
              }
            ],
            "repeated": 0,
            "id": 1768
          },
          {
            "timestamp": "2026-05-28 22:02:13,932",
            "thread_id": "11136",
            "caller": "0x7ffc77baab08",
            "parentcaller": "0x7ffc77baa7d9",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x0000046a"
              },
              {
                "name": "SubKey",
                "value": "LocalServer32"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\\LocalServer32"
              }
            ],
            "repeated": 0,
            "id": 1769
          },
          {
            "timestamp": "2026-05-28 22:02:13,932",
            "thread_id": "11136",
            "caller": "0x7ffc756e2e92",
            "parentcaller": "0x7ffc77baa825",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000046a"
              },
              {
                "name": "ValueName",
                "value": "AppID"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\\AppID"
              }
            ],
            "repeated": 0,
            "id": 1770
          },
          {
            "timestamp": "2026-05-28 22:02:13,932",
            "thread_id": "11136",
            "caller": "0x7ffc756e45a7",
            "parentcaller": "0x7ffc756e0705",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000046a"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\CLSID\\{95E15D0A-66E6-93D9-C53C-76E6219D3341}"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 1771
          },
          {
            "timestamp": "2026-05-28 22:02:13,932",
            "thread_id": "11136",
            "caller": "0x7ffc756e2314",
            "parentcaller": "0x7ffc756e0732",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000046a"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 1772
          },
          {
            "timestamp": "2026-05-28 22:02:13,932",
            "thread_id": "11136",
            "caller": "0x7ffc78006c8b",
            "parentcaller": "0x7ffc756e23a0",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xa0\\xb1\\xef\\xf8\\xb8\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xfc\\x7f\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\xe9\\x03\\x00\\x00\\xfc\\x7f\\x00\\x00\\xb8\\xcf\\xd93\\xfc\\x7f\\x00\\x00j\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\xe0\\xd2\\xd93\\xfc\\x7f\\x00\\x00\\x04\\x00\\x00\\x00\\xb8\\x00\\x00\\x00\\xa0\\xb2\\xef\\xf8\\xb8\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1773
          },
          {
            "timestamp": "2026-05-28 22:02:13,932",
            "thread_id": "11136",
            "caller": "0x7ffc756e24a8",
            "parentcaller": "0x7ffc756e0732",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3968686040-3210279463-847977608-1001_Classes\\CLSID\\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\\LocalServer"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\\LocalServer"
              }
            ],
            "repeated": 0,
            "id": 1774
          },
          {
            "timestamp": "2026-05-28 22:02:13,932",
            "thread_id": "11136",
            "caller": "0x7ffc756e40c4",
            "parentcaller": "0x7ffc756e25c4",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000046a"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 1775
          },
          {
            "timestamp": "2026-05-28 22:02:13,932",
            "thread_id": "11136",
            "caller": "0x7ffc756e25e2",
            "parentcaller": "0x7ffc756e0732",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x0000046a"
              },
              {
                "name": "ObjectAttributesName",
                "value": "LocalServer"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\\LocalServer"
              }
            ],
            "repeated": 0,
            "id": 1776
          },
          {
            "timestamp": "2026-05-28 22:02:13,932",
            "thread_id": "11136",
            "caller": "0x7ffc77baad16",
            "parentcaller": "0x7ffc77ba83b8",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x0000036a"
              },
              {
                "name": "SubKey",
                "value": "CLSID\\{95E15D0A-66E6-93D9-C53C-76E6219D3341}"
              },
              {
                "name": "Handle",
                "value": "0x0000046e"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{95E15D0A-66E6-93D9-C53C-76E6219D3341}"
              }
            ],
            "repeated": 0,
            "id": 1777
          },
          {
            "timestamp": "2026-05-28 22:02:13,932",
            "thread_id": "11136",
            "caller": "0x7ffc77baad4d",
            "parentcaller": "0x7ffc77ba83b8",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x0000046e"
              },
              {
                "name": "SubKey",
                "value": "Elevation"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\\Elevation"
              }
            ],
            "repeated": 0,
            "id": 1778
          },
          {
            "timestamp": "2026-05-28 22:02:13,932",
            "thread_id": "11136",
            "caller": "0x7ffc77baadb1",
            "parentcaller": "0x7ffc77ba83b8",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000046e"
              }
            ],
            "repeated": 0,
            "id": 1779
          },
          {
            "timestamp": "2026-05-28 22:02:13,932",
            "thread_id": "11136",
            "caller": "0x7ffc77ba8010",
            "parentcaller": "0x7ffc77ba53d4",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000046a"
              }
            ],
            "repeated": 0,
            "id": 1780
          },
          {
            "timestamp": "2026-05-28 22:02:13,932",
            "thread_id": "11136",
            "caller": "0x7ffc77ba22bf",
            "parentcaller": "0x7ffc77ba25e9",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x000003c6"
              },
              {
                "name": "SubKey",
                "value": "CLSID\\{95E15D0A-66E6-93D9-C53C-76E6219D3341}"
              },
              {
                "name": "Handle",
                "value": "0x0000046a"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{95E15D0A-66E6-93D9-C53C-76E6219D3341}"
              }
            ],
            "repeated": 0,
            "id": 1781
          },
          {
            "timestamp": "2026-05-28 22:02:13,932",
            "thread_id": "11136",
            "caller": "0x7ffc77c1f8f8",
            "parentcaller": "0x7ffc77ba213b",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x0000046a"
              },
              {
                "name": "SubKey",
                "value": "TreatAs"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\\TreatAs"
              }
            ],
            "repeated": 0,
            "id": 1782
          },
          {
            "timestamp": "2026-05-28 22:02:13,932",
            "thread_id": "11136",
            "caller": "0x7ffc77ba2160",
            "parentcaller": "0x7ffc77b99277",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000046a"
              }
            ],
            "repeated": 0,
            "id": 1783
          },
          {
            "timestamp": "2026-05-28 22:02:13,932",
            "thread_id": "11136",
            "caller": "0x7ffc756d30ce",
            "parentcaller": "0x7ffc77c22cd1",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 1784
          },
          {
            "timestamp": "2026-05-28 22:02:13,932",
            "thread_id": "11136",
            "caller": "0x7ffc756d30ce",
            "parentcaller": "0x7ffc77c22cd1",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000037c"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 1785
          },
          {
            "timestamp": "2026-05-28 22:02:13,932",
            "thread_id": "11136",
            "caller": "0x7ffc756e56b2",
            "parentcaller": "0x7ffc77bc6b6d",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\System32\\OneCoreUAPCommonProxyStub"
              },
              {
                "name": "DllBase",
                "value": "0x7ffc6f400000"
              }
            ],
            "repeated": 0,
            "id": 1786
          },
          {
            "timestamp": "2026-05-28 22:02:13,932",
            "thread_id": "11136",
            "caller": "0x7ffc756e56b2",
            "parentcaller": "0x7ffc77bc6b6d",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\OneCoreUAPCommonProxyStub.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc6f400000"
              }
            ],
            "repeated": 0,
            "id": 1787
          },
          {
            "timestamp": "2026-05-28 22:02:13,932",
            "thread_id": "11136",
            "caller": "0x7ffc756e56b2",
            "parentcaller": "0x7ffc77bc6b6d",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x7ffc6f400000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\System32\\OneCoreUAPCommonProxyStub.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00002008"
              }
            ],
            "repeated": 0,
            "id": 1788
          },
          {
            "timestamp": "2026-05-28 22:02:13,932",
            "thread_id": "11136",
            "caller": "0x7ffc756eac31",
            "parentcaller": "0x7ffc77bc6acf",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "OneCoreUAPCommonProxyStub.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc6f400000"
              },
              {
                "name": "FunctionName",
                "value": "DllGetClassObject"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc6f416540"
              }
            ],
            "repeated": 0,
            "id": 1789
          },
          {
            "timestamp": "2026-05-28 22:02:13,932",
            "thread_id": "11136",
            "caller": "0x7ffc756eac31",
            "parentcaller": "0x7ffc77bc6ae8",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": false,
            "return": "0xffffffffc0000139",
            "pretty_return": "ENTRYPOINT_NOT_FOUND",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "OneCoreUAPCommonProxyStub.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc6f400000"
              },
              {
                "name": "FunctionName",
                "value": "DllGetActivationFactory"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 1790
          },
          {
            "timestamp": "2026-05-28 22:02:13,932",
            "thread_id": "11136",
            "caller": "0x7ffc756eac31",
            "parentcaller": "0x7ffc77bc6b08",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "OneCoreUAPCommonProxyStub.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc6f400000"
              },
              {
                "name": "FunctionName",
                "value": "DllCanUnloadNow"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc6f4165f0"
              }
            ],
            "repeated": 0,
            "id": 1791
          },
          {
            "timestamp": "2026-05-28 22:02:13,932",
            "thread_id": "11136",
            "caller": "0x7ffc77ff2caa",
            "parentcaller": "0x7ffc77ff2fbd",
            "category": "process",
            "api": "NtAllocateVirtualMemoryEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2a36548a000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1792
          },
          {
            "timestamp": "2026-05-28 22:02:13,932",
            "thread_id": "11136",
            "caller": "0x7ffc770e1630",
            "parentcaller": "0x7ffc770e12cd",
            "category": "system",
            "api": "NtQuerySystemTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 1793
          },
          {
            "timestamp": "2026-05-28 22:02:13,932",
            "thread_id": "11136",
            "caller": "0x7ffc78017830",
            "parentcaller": "0x7ffc780020f9",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc771be000"
              },
              {
                "name": "ModuleName",
                "value": "RPCRT4.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1794
          },
          {
            "timestamp": "2026-05-28 22:02:13,932",
            "thread_id": "11136",
            "caller": "0x7ffc78017881",
            "parentcaller": "0x7ffc780020f9",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc771be000"
              },
              {
                "name": "ModuleName",
                "value": "RPCRT4.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1795
          },
          {
            "timestamp": "2026-05-28 22:02:13,932",
            "thread_id": "11136",
            "caller": "0x7ffc770a7be3",
            "parentcaller": "0x7ffc770e15ab",
            "category": "system",
            "api": "NtQuerySystemTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 1796
          },
          {
            "timestamp": "2026-05-28 22:02:13,932",
            "thread_id": "11136",
            "caller": "0x7ffc78013f7a",
            "parentcaller": "0x7ffc770b0ed7",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "29"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1797
          },
          {
            "timestamp": "2026-05-28 22:02:13,932",
            "thread_id": "11136",
            "caller": "0x7ffc77ba22bf",
            "parentcaller": "0x7ffc77c1fbe4",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x000003c6"
              },
              {
                "name": "SubKey",
                "value": "Interface\\{DCAEE35A-508D-4419-9E56-50D658C2C812}"
              },
              {
                "name": "Handle",
                "value": "0x00000472"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\Interface\\{DCAEE35A-508D-4419-9E56-50D658C2C812}"
              }
            ],
            "repeated": 0,
            "id": 1798
          },
          {
            "timestamp": "2026-05-28 22:02:13,932",
            "thread_id": "11136",
            "caller": "0x7ffc77c1fa51",
            "parentcaller": "0x7ffc77be42ab",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000472"
              },
              {
                "name": "SubKey",
                "value": "ProxyStubClsid32"
              },
              {
                "name": "Handle",
                "value": "0x00000476"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{DCAEE35A-508D-4419-9E56-50D658C2C812}\\ProxyStubClsid32"
              }
            ],
            "repeated": 0,
            "id": 1799
          },
          {
            "timestamp": "2026-05-28 22:02:13,932",
            "thread_id": "11136",
            "caller": "0x7ffc77c1fa8c",
            "parentcaller": "0x7ffc77be42ab",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000476"
              },
              {
                "name": "ValueName",
                "value": ""
              },
              {
                "name": "Data",
                "value": "{95E15D0A-66E6-93D9-C53C-76E6219D3341}"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{DCAEE35A-508D-4419-9E56-50D658C2C812}\\ProxyStubClsid32\\(Default)"
              }
            ],
            "repeated": 0,
            "id": 1800
          },
          {
            "timestamp": "2026-05-28 22:02:13,932",
            "thread_id": "11136",
            "caller": "0x7ffc77c1fad3",
            "parentcaller": "0x7ffc77be42ab",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000476"
              }
            ],
            "repeated": 0,
            "id": 1801
          },
          {
            "timestamp": "2026-05-28 22:02:13,932",
            "thread_id": "11136",
            "caller": "0x7ffc77c1fae4",
            "parentcaller": "0x7ffc77be42ab",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000472"
              }
            ],
            "repeated": 0,
            "id": 1802
          },
          {
            "timestamp": "2026-05-28 22:02:13,932",
            "thread_id": "11136",
            "caller": "0x7ffc756d30ce",
            "parentcaller": "0x7ffc77c22cd1",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 1803
          },
          {
            "timestamp": "2026-05-28 22:02:13,932",
            "thread_id": "11136",
            "caller": "0x7ffc756d30ce",
            "parentcaller": "0x7ffc77c22cd1",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000037c"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 1804
          },
          {
            "timestamp": "2026-05-28 22:02:13,932",
            "thread_id": "11136",
            "caller": "0x7ffc756d30ce",
            "parentcaller": "0x7ffc77c22cd1",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 1805
          },
          {
            "timestamp": "2026-05-28 22:02:13,932",
            "thread_id": "11136",
            "caller": "0x7ffc756d30ce",
            "parentcaller": "0x7ffc77c22cd1",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000037c"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 1806
          },
          {
            "timestamp": "2026-05-28 22:02:13,932",
            "thread_id": "11136",
            "caller": "0x7ffc756d30ce",
            "parentcaller": "0x7ffc77c22cd1",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 1807
          },
          {
            "timestamp": "2026-05-28 22:02:13,932",
            "thread_id": "11136",
            "caller": "0x7ffc756d30ce",
            "parentcaller": "0x7ffc77c22cd1",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000037c"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 1808
          },
          {
            "timestamp": "2026-05-28 22:02:13,932",
            "thread_id": "11136",
            "caller": "0x7ffc77be92b9",
            "parentcaller": "0x7ffc77c2224d",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "00000339-0000-0000-C000-000000000046"
              },
              {
                "name": "ClsContext",
                "value": "0x00000403",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER|CLSCTX_NO_CODE_DOWNLOAD"
              },
              {
                "name": "riid",
                "value": "00000003-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 1809
          },
          {
            "timestamp": "2026-05-28 22:02:13,932",
            "thread_id": "11136",
            "caller": "0x7ffc77ff2caa",
            "parentcaller": "0x7ffc77ff2fbd",
            "category": "process",
            "api": "NtAllocateVirtualMemoryEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2a36548b000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1810
          },
          {
            "timestamp": "2026-05-28 22:02:13,932",
            "thread_id": "11136",
            "caller": "0x7ffc77ff2caa",
            "parentcaller": "0x7ffc77ff2fbd",
            "category": "process",
            "api": "NtAllocateVirtualMemoryEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2a36548c000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1811
          },
          {
            "timestamp": "2026-05-28 22:02:13,932",
            "thread_id": "11136",
            "caller": "0x7ffc77ba22bf",
            "parentcaller": "0x7ffc77c1fbe4",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x000003c6"
              },
              {
                "name": "SubKey",
                "value": "Interface\\{926516E8-D891-45BC-9DE5-6959FB8ECAC5}"
              },
              {
                "name": "Handle",
                "value": "0x00000472"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\Interface\\{926516E8-D891-45BC-9DE5-6959FB8ECAC5}"
              }
            ],
            "repeated": 0,
            "id": 1812
          },
          {
            "timestamp": "2026-05-28 22:02:13,932",
            "thread_id": "11136",
            "caller": "0x7ffc77c1fa51",
            "parentcaller": "0x7ffc77be42ab",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000472"
              },
              {
                "name": "SubKey",
                "value": "ProxyStubClsid32"
              },
              {
                "name": "Handle",
                "value": "0x00000476"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{926516E8-D891-45BC-9DE5-6959FB8ECAC5}\\ProxyStubClsid32"
              }
            ],
            "repeated": 0,
            "id": 1813
          },
          {
            "timestamp": "2026-05-28 22:02:13,932",
            "thread_id": "11136",
            "caller": "0x7ffc77c1fa8c",
            "parentcaller": "0x7ffc77be42ab",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000476"
              },
              {
                "name": "ValueName",
                "value": ""
              },
              {
                "name": "Data",
                "value": "{95E15D0A-66E6-93D9-C53C-76E6219D3341}"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{926516E8-D891-45BC-9DE5-6959FB8ECAC5}\\ProxyStubClsid32\\(Default)"
              }
            ],
            "repeated": 0,
            "id": 1814
          },
          {
            "timestamp": "2026-05-28 22:02:13,932",
            "thread_id": "11136",
            "caller": "0x7ffc77c1fad3",
            "parentcaller": "0x7ffc77be42ab",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000476"
              }
            ],
            "repeated": 0,
            "id": 1815
          },
          {
            "timestamp": "2026-05-28 22:02:13,932",
            "thread_id": "11136",
            "caller": "0x7ffc77c1fae4",
            "parentcaller": "0x7ffc77be42ab",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000472"
              }
            ],
            "repeated": 0,
            "id": 1816
          },
          {
            "timestamp": "2026-05-28 22:02:13,932",
            "thread_id": "11136",
            "caller": "0x7ffc756d30ce",
            "parentcaller": "0x7ffc77c22cd1",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 1817
          },
          {
            "timestamp": "2026-05-28 22:02:13,932",
            "thread_id": "11136",
            "caller": "0x7ffc756d30ce",
            "parentcaller": "0x7ffc77c22cd1",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000037c"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 1818
          },
          {
            "timestamp": "2026-05-28 22:02:13,932",
            "thread_id": "11136",
            "caller": "0x7ffc77ba22bf",
            "parentcaller": "0x7ffc77c1fbe4",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x000003c6"
              },
              {
                "name": "SubKey",
                "value": "Interface\\{A819F3DE-60AA-5159-8407-F0A7FB1F6832}"
              },
              {
                "name": "Handle",
                "value": "0x00000472"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\Interface\\{A819F3DE-60AA-5159-8407-F0A7FB1F6832}"
              }
            ],
            "repeated": 0,
            "id": 1819
          },
          {
            "timestamp": "2026-05-28 22:02:13,932",
            "thread_id": "11136",
            "caller": "0x7ffc77c1fa51",
            "parentcaller": "0x7ffc77be42ab",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000472"
              },
              {
                "name": "SubKey",
                "value": "ProxyStubClsid32"
              },
              {
                "name": "Handle",
                "value": "0x00000476"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{a819f3de-60aa-5159-8407-f0a7fb1f6832}\\ProxyStubClsid32"
              }
            ],
            "repeated": 0,
            "id": 1820
          },
          {
            "timestamp": "2026-05-28 22:02:13,932",
            "thread_id": "11136",
            "caller": "0x7ffc77c1fa8c",
            "parentcaller": "0x7ffc77be42ab",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000476"
              },
              {
                "name": "ValueName",
                "value": ""
              },
              {
                "name": "Data",
                "value": "{6db7cd52-e3b7-4ecc-bb1f-388aeef6bb50}"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{a819f3de-60aa-5159-8407-f0a7fb1f6832}\\ProxyStubClsid32\\(Default)"
              }
            ],
            "repeated": 0,
            "id": 1821
          },
          {
            "timestamp": "2026-05-28 22:02:13,932",
            "thread_id": "11136",
            "caller": "0x7ffc77c1fad3",
            "parentcaller": "0x7ffc77be42ab",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000476"
              }
            ],
            "repeated": 0,
            "id": 1822
          },
          {
            "timestamp": "2026-05-28 22:02:13,932",
            "thread_id": "11136",
            "caller": "0x7ffc77c1fae4",
            "parentcaller": "0x7ffc77be42ab",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000472"
              }
            ],
            "repeated": 0,
            "id": 1823
          },
          {
            "timestamp": "2026-05-28 22:02:13,932",
            "thread_id": "11136",
            "caller": "0x7ffc756d30ce",
            "parentcaller": "0x7ffc77c22cd1",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 1824
          },
          {
            "timestamp": "2026-05-28 22:02:13,932",
            "thread_id": "11136",
            "caller": "0x7ffc756d30ce",
            "parentcaller": "0x7ffc77c22cd1",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000037c"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 1825
          },
          {
            "timestamp": "2026-05-28 22:02:13,932",
            "thread_id": "11136",
            "caller": "0x7ffc78013f7a",
            "parentcaller": "0x7ffc770b0ed7",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "29"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1826
          },
          {
            "timestamp": "2026-05-28 22:02:13,932",
            "thread_id": "11136",
            "caller": "0x7ffc770b0cd1",
            "parentcaller": "0x7ffc770af28f",
            "category": "filesystem",
            "api": "NtOpenDirectoryObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "DirectoryHandle",
                "value": "0x00000470"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020001",
                "pretty_value": "FILE_READ_ACCESS|READ_CONTROL"
              },
              {
                "name": "ObjectAttributes",
                "value": "C:\\RPC Control"
              }
            ],
            "repeated": 0,
            "id": 1827
          },
          {
            "timestamp": "2026-05-28 22:02:13,932",
            "thread_id": "11136",
            "caller": "0x7ffc7572026b",
            "parentcaller": "0x7ffc770b0daf",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x00000474"
              }
            ],
            "repeated": 0,
            "id": 1828
          },
          {
            "timestamp": "2026-05-28 22:02:13,932",
            "thread_id": "11136",
            "caller": "0x7ffc78008cde",
            "parentcaller": "0x7ffc78049c4e",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "10"
              },
              {
                "name": "TokenInformation",
                "value": "H\\xc5\n\\x00\\x00\\x00\\x00\\x00]Y\\x02\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x7f\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x94\\x0f\\x00\\x00\\x0e\\x00\\x00\\x00\\x18\\x00\\x00\\x00\t\\xc5\n\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1829
          },
          {
            "timestamp": "2026-05-28 22:02:13,932",
            "thread_id": "11136",
            "caller": "0x7ffc78036e46",
            "parentcaller": "0x7ffc78008d8f",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "4"
              },
              {
                "name": "TokenInformation",
                "value": "\\xb8)He\\xa3\\x02\\x00\\x00\\x01\\x02\\x00\\x00\\x00\\x00\\x00\\x05 \\x00\\x00\\x00 \\x02\\x00\\x00w\\x00s\\x00\\\\x00S\\x00Y\\x00S\\x00T\\x00E\\x00M\\x003\\x002\\x00\\\\x00u\\x00s\\x00e\\x00r\\x00m\\x00g\\x00r\\x00c\\x00l\\x00i\\x00.\\x00d\\x00l\\x00l\\x00"
              }
            ],
            "repeated": 0,
            "id": 1830
          },
          {
            "timestamp": "2026-05-28 22:02:13,932",
            "thread_id": "11136",
            "caller": "0x7ffc78036e9b",
            "parentcaller": "0x7ffc78008d8f",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "25"
              },
              {
                "name": "TokenInformation",
                "value": "`\\x0fFe\\xa3\\x02\\x00\\x00`\\x00\\x00\\x00\\x9eVP\\xd6\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x10\\x000\\x00\\x00\\xeb\\x1c\\xc9\\x11\\x9f\\xe8\\x08\\x00+\\x10H`\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1831
          },
          {
            "timestamp": "2026-05-28 22:02:13,932",
            "thread_id": "11136",
            "caller": "0x7ffc78036ec0",
            "parentcaller": "0x7ffc78008d8f",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "5"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 1832
          },
          {
            "timestamp": "2026-05-28 22:02:13,932",
            "thread_id": "11136",
            "caller": "0x7ffc78036f0e",
            "parentcaller": "0x7ffc78008d8f",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "5"
              },
              {
                "name": "TokenInformation",
                "value": "\\x18dHe\\xa3\\x02\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\x01\\x02\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1833
          },
          {
            "timestamp": "2026-05-28 22:02:13,932",
            "thread_id": "11136",
            "caller": "0x7ffc78036f37",
            "parentcaller": "0x7ffc78008d8f",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "6"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 1834
          },
          {
            "timestamp": "2026-05-28 22:02:13,932",
            "thread_id": "11136",
            "caller": "0x7ffc78036f8f",
            "parentcaller": "0x7ffc78008d8f",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "6"
              },
              {
                "name": "TokenInformation",
                "value": "8rHe\\xa3\\x02\\x00\\x00\\x02\\x00P\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x18\\x00\\x00\\x00\\x00\\x10\\x01\\x02\\x00\\x00\\x00\\x00\\x00\\x05 \\x00\\x00\\x00 \\x02\\x00\\x00\\x00\\x00\\x14\\x00\\x00\\x00\\x00\\x10\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x05\\x12\\x00\\x00\\x00\\x00\\x00\\x1c\\x00\\x00\\x00\\x00\\xa0\\x01\\x03\\x00\\x00\\x00\\x00\\x00\\x05\\x05\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xc7X\\x02\\x00"
              }
            ],
            "repeated": 0,
            "id": 1835
          },
          {
            "timestamp": "2026-05-28 22:02:13,932",
            "thread_id": "11136",
            "caller": "0x7ffc78037048",
            "parentcaller": "0x7ffc78036fa8",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "41"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00X@\\xdd3\\xfc\\x7f\\x00\\x00\\xebP\\xb53\\xfc\\x7f\\x00\\x00\\x18\\x95\\xc9\\xfb\\x02;\\x00\\x00(N\\xd93\\xfc\\x7f\\x00\\x00`\\xd4\\xef\\xf8\\xb8\\x00\\x00\\x00X\\xd4\\xef\\xf8\\xb8\\x00\\x00\\x00(\\xd4\\xef\\xf8\\xb8\\x00\\x00\\x00H\\xd4\\xef\\xf8"
              }
            ],
            "repeated": 0,
            "id": 1836
          },
          {
            "timestamp": "2026-05-28 22:02:13,932",
            "thread_id": "11136",
            "caller": "0x7ffc7803707b",
            "parentcaller": "0x7ffc78036fa8",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "41"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x000rHe\\xa3\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xd9\\xd8\\xb63\\xfc\\x7f\\x00\\x00#\\x00\\x00\\xc0\\x00\\x00\\x00\\x00H\\xd2\\xef\\xf8\\xb8\\x00\\x00\\x00t\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x9a\\x00\\x1f8\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x86\\xa2\\xd93"
              }
            ],
            "repeated": 0,
            "id": 1837
          },
          {
            "timestamp": "2026-05-28 22:02:13,932",
            "thread_id": "11136",
            "caller": "0x7ffc78008cde",
            "parentcaller": "0x7ffc7800953a",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "10"
              },
              {
                "name": "TokenInformation",
                "value": "H\\xc5\n\\x00\\x00\\x00\\x00\\x00]Y\\x02\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x7f\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x94\\x0f\\x00\\x00\\x0e\\x00\\x00\\x00\\x18\\x00\\x00\\x00\t\\xc5\n\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1838
          },
          {
            "timestamp": "2026-05-28 22:02:13,932",
            "thread_id": "11136",
            "caller": "0x7ffc78036e46",
            "parentcaller": "0x7ffc78008d8f",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "4"
              },
              {
                "name": "TokenInformation",
                "value": "\\x08%He\\xa3\\x02\\x00\\x00\\x01\\x02\\x00\\x00\\x00\\x00\\x00\\x05 \\x00\\x00\\x00 \\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1839
          },
          {
            "timestamp": "2026-05-28 22:02:13,932",
            "thread_id": "11136",
            "caller": "0x7ffc78036e9b",
            "parentcaller": "0x7ffc78008d8f",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "25"
              },
              {
                "name": "TokenInformation",
                "value": "\\xa0rHe\\xa3\\x02\\x00\\x00`\\x00\\x00\\x000\\x002\\x00\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x10\\x000\\x00\\x008\\x004\\x007\\x009\\x007\\x007\\x006\\x000\\x008\\x00-\\x001\\x000\\x000\\x001\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1840
          },
          {
            "timestamp": "2026-05-28 22:02:13,932",
            "thread_id": "11136",
            "caller": "0x7ffc78036ec0",
            "parentcaller": "0x7ffc78008d8f",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "5"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 1841
          },
          {
            "timestamp": "2026-05-28 22:02:13,932",
            "thread_id": "11136",
            "caller": "0x7ffc78036f0e",
            "parentcaller": "0x7ffc78008d8f",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "5"
              },
              {
                "name": "TokenInformation",
                "value": "\\x88`He\\xa3\\x02\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\x01\\x02\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1842
          },
          {
            "timestamp": "2026-05-28 22:02:13,932",
            "thread_id": "11136",
            "caller": "0x7ffc78036f37",
            "parentcaller": "0x7ffc78008d8f",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "6"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 1843
          },
          {
            "timestamp": "2026-05-28 22:02:13,932",
            "thread_id": "11136",
            "caller": "0x7ffc78036f8f",
            "parentcaller": "0x7ffc78008d8f",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "6"
              },
              {
                "name": "TokenInformation",
                "value": "xwHe\\xa3\\x02\\x00\\x00\\x02\\x00P\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x18\\x00\\x00\\x00\\x00\\x10\\x01\\x02\\x00\\x00\\x00\\x00\\x00\\x05 \\x00\\x00\\x00 \\x02\\x00\\x00\\x00\\x00\\x14\\x00\\x00\\x00\\x00\\x10\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x05\\x12\\x00\\x00\\x00\\x00\\x00\\x1c\\x00\\x00\\x00\\x00\\xa0\\x01\\x03\\x00\\x00\\x00\\x00\\x00\\x05\\x05\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xc7X\\x02\\x00"
              }
            ],
            "repeated": 0,
            "id": 1844
          },
          {
            "timestamp": "2026-05-28 22:02:13,932",
            "thread_id": "11136",
            "caller": "0x7ffc78037048",
            "parentcaller": "0x7ffc78036fa8",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "41"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00X@\\xdd3\\xfc\\x7f\\x00\\x00\\xebP\\xb53\\xfc\\x7f\\x00\\x00\\xb8\\x96\\xc9\\xfb\\x02;\\x00\\x00(N\\xd93\\xfc\\x7f\\x00\\x00\\xc0\\xd0\\xef\\xf8\\xb8\\x00\\x00\\x00\\xb8\\xd0\\xef\\xf8\\xb8\\x00\\x00\\x00\\x88\\xd0\\xef\\xf8\\xb8\\x00\\x00\\x00\\xa8\\xd0\\xef\\xf8"
              }
            ],
            "repeated": 0,
            "id": 1845
          },
          {
            "timestamp": "2026-05-28 22:02:13,932",
            "thread_id": "11136",
            "caller": "0x7ffc7803707b",
            "parentcaller": "0x7ffc78036fa8",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "41"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00pwHe\\xa3\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xd9\\xd8\\xb63\\xfc\\x7f\\x00\\x00#\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\xa8\\xce\\xef\\xf8\\xb8\\x00\\x00\\x00t\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x9a\\x00\\x1f8\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x86\\xa2\\xd93"
              }
            ],
            "repeated": 0,
            "id": 1846
          },
          {
            "timestamp": "2026-05-28 22:02:13,932",
            "thread_id": "11136",
            "caller": "0x7ffc756e6785",
            "parentcaller": "0x7ffc770b0e27",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000470"
              }
            ],
            "repeated": 0,
            "id": 1847
          },
          {
            "timestamp": "2026-05-28 22:02:13,932",
            "thread_id": "11136",
            "caller": "0x7ffc756e6785",
            "parentcaller": "0x7ffc770b0e49",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000474"
              }
            ],
            "repeated": 0,
            "id": 1848
          },
          {
            "timestamp": "2026-05-28 22:02:13,947",
            "thread_id": "11140",
            "caller": "0x7ffc756e6785",
            "parentcaller": "0x7ffc77c12ec5",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000460"
              }
            ],
            "repeated": 0,
            "id": 1849
          },
          {
            "timestamp": "2026-05-28 22:02:13,947",
            "thread_id": "11140",
            "caller": "0x7ffc77b9cd6e",
            "parentcaller": "0x7ffc77c12ed4",
            "category": "system",
            "api": "IsDebuggerPresent",
            "status": false,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 1850
          },
          {
            "timestamp": "2026-05-28 22:02:13,947",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtAllocateVirtualMemoryEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2a36548d000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1851
          },
          {
            "timestamp": "2026-05-28 22:02:13,947",
            "thread_id": "11132",
            "caller": "0x7ffc756e6785",
            "parentcaller": "0x7ffc77c12ec5",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000454"
              }
            ],
            "repeated": 0,
            "id": 1852
          },
          {
            "timestamp": "2026-05-28 22:02:13,947",
            "thread_id": "11132",
            "caller": "0x7ffc77b9cd6e",
            "parentcaller": "0x7ffc77c12ed4",
            "category": "system",
            "api": "IsDebuggerPresent",
            "status": false,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 1853
          },
          {
            "timestamp": "2026-05-28 22:02:13,947",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "combase.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc77b70000"
              },
              {
                "name": "FunctionName",
                "value": "WindowsDeleteString"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc77bb7690"
              }
            ],
            "repeated": 0,
            "id": 1854
          },
          {
            "timestamp": "2026-05-28 22:02:13,947",
            "thread_id": "11140",
            "caller": "0x7ffc756e6785",
            "parentcaller": "0x7ffc77c12ec5",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000474"
              }
            ],
            "repeated": 0,
            "id": 1855
          },
          {
            "timestamp": "2026-05-28 22:02:13,947",
            "thread_id": "11140",
            "caller": "0x7ffc77b9cd6e",
            "parentcaller": "0x7ffc77c12ed4",
            "category": "system",
            "api": "IsDebuggerPresent",
            "status": false,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 1856
          },
          {
            "timestamp": "2026-05-28 22:02:13,947",
            "thread_id": "11132",
            "caller": "0x7ffc756e6785",
            "parentcaller": "0x7ffc77c12ec5",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000470"
              }
            ],
            "repeated": 0,
            "id": 1857
          },
          {
            "timestamp": "2026-05-28 22:02:13,947",
            "thread_id": "11132",
            "caller": "0x7ffc77b9cd6e",
            "parentcaller": "0x7ffc77c12ed4",
            "category": "system",
            "api": "IsDebuggerPresent",
            "status": false,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Status",
                "value": "Log limit reached"
              }
            ],
            "repeated": 0,
            "id": 1858
          },
          {
            "timestamp": "2026-05-28 22:02:13,947",
            "thread_id": "11140",
            "caller": "0x7ffc756e6785",
            "parentcaller": "0x7ffc77c12ec5",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000474"
              }
            ],
            "repeated": 0,
            "id": 1859
          },
          {
            "timestamp": "2026-05-28 22:02:13,947",
            "thread_id": "11132",
            "caller": "0x7ffc756e6785",
            "parentcaller": "0x7ffc77c12ec5",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000478"
              }
            ],
            "repeated": 0,
            "id": 1860
          },
          {
            "timestamp": "2026-05-28 22:02:13,947",
            "thread_id": "11140",
            "caller": "0x7ffc756e6785",
            "parentcaller": "0x7ffc77c12ec5",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000474"
              }
            ],
            "repeated": 0,
            "id": 1861
          },
          {
            "timestamp": "2026-05-28 22:02:13,947",
            "thread_id": "11140",
            "caller": "0x7ffc77ba22bf",
            "parentcaller": "0x7ffc77c1fbe4",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x000003c6"
              },
              {
                "name": "SubKey",
                "value": "Interface\\{D6F5F569-D40D-407C-8989-88CAB42CFD14}"
              },
              {
                "name": "Handle",
                "value": "0x00000476"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\Interface\\{D6F5F569-D40D-407C-8989-88CAB42CFD14}"
              }
            ],
            "repeated": 0,
            "id": 1862
          },
          {
            "timestamp": "2026-05-28 22:02:13,947",
            "thread_id": "11140",
            "caller": "0x7ffc77c1fa51",
            "parentcaller": "0x7ffc77be42ab",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000476"
              },
              {
                "name": "SubKey",
                "value": "ProxyStubClsid32"
              },
              {
                "name": "Handle",
                "value": "0x0000046e"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{D6F5F569-D40D-407C-8989-88CAB42CFD14}\\ProxyStubClsid32"
              }
            ],
            "repeated": 0,
            "id": 1863
          },
          {
            "timestamp": "2026-05-28 22:02:13,947",
            "thread_id": "11140",
            "caller": "0x7ffc77c1fa8c",
            "parentcaller": "0x7ffc77be42ab",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000046e"
              },
              {
                "name": "ValueName",
                "value": ""
              },
              {
                "name": "Data",
                "value": "{6db7cd52-e3b7-4ecc-bb1f-388aeef6bb50}"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{D6F5F569-D40D-407C-8989-88CAB42CFD14}\\ProxyStubClsid32\\(Default)"
              }
            ],
            "repeated": 0,
            "id": 1864
          },
          {
            "timestamp": "2026-05-28 22:02:13,947",
            "thread_id": "11140",
            "caller": "0x7ffc77c1fad3",
            "parentcaller": "0x7ffc77be42ab",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000046e"
              }
            ],
            "repeated": 0,
            "id": 1865
          },
          {
            "timestamp": "2026-05-28 22:02:13,947",
            "thread_id": "11140",
            "caller": "0x7ffc77c1fae4",
            "parentcaller": "0x7ffc77be42ab",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000476"
              }
            ],
            "repeated": 0,
            "id": 1866
          },
          {
            "timestamp": "2026-05-28 22:02:13,947",
            "thread_id": "11140",
            "caller": "0x7ffc756d30ce",
            "parentcaller": "0x7ffc77c22cd1",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 1867
          },
          {
            "timestamp": "2026-05-28 22:02:13,947",
            "thread_id": "11140",
            "caller": "0x7ffc756d30ce",
            "parentcaller": "0x7ffc77c22cd1",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000037c"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 1868
          },
          {
            "timestamp": "2026-05-28 22:02:13,947",
            "thread_id": "11140",
            "caller": "0x7ffc78013f7a",
            "parentcaller": "0x7ffc770b0ed7",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "29"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1869
          },
          {
            "timestamp": "2026-05-28 22:02:13,947",
            "thread_id": "11140",
            "caller": "0x7ffc770b0cd1",
            "parentcaller": "0x7ffc770af28f",
            "category": "filesystem",
            "api": "NtOpenDirectoryObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "DirectoryHandle",
                "value": "0x00000474"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020001",
                "pretty_value": "FILE_READ_ACCESS|READ_CONTROL"
              },
              {
                "name": "ObjectAttributes",
                "value": "C:\\RPC Control"
              }
            ],
            "repeated": 0,
            "id": 1870
          },
          {
            "timestamp": "2026-05-28 22:02:13,947",
            "thread_id": "11140",
            "caller": "0x7ffc7572026b",
            "parentcaller": "0x7ffc770b0daf",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x0000046c"
              }
            ],
            "repeated": 0,
            "id": 1871
          },
          {
            "timestamp": "2026-05-28 22:02:13,947",
            "thread_id": "11140",
            "caller": "0x7ffc78008cde",
            "parentcaller": "0x7ffc78049c4e",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "10"
              },
              {
                "name": "TokenInformation",
                "value": "H\\xc5\n\\x00\\x00\\x00\\x00\\x00]Y\\x02\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x7f\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x94\\x0f\\x00\\x00\\x0e\\x00\\x00\\x00\\x18\\x00\\x00\\x00\t\\xc5\n\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1872
          },
          {
            "timestamp": "2026-05-28 22:02:13,947",
            "thread_id": "11140",
            "caller": "0x7ffc78036e46",
            "parentcaller": "0x7ffc78008d8f",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "4"
              },
              {
                "name": "TokenInformation",
                "value": "\\xe8!He\\xa3\\x02\\x00\\x00\\x01\\x02\\x00\\x00\\x00\\x00\\x00\\x05 \\x00\\x00\\x00 \\x02\\x00\\x00k\\xc6\\x16\\xe3\n\\xd6\\xc6J\\x0c\\x04\\x00\\x00\\xa0\t\\xff\\xff\\xf8_\\xc8K\\x92\\x91\\x9d\\xa8LMEM0\\x00\\x00\\x00\\xd8\\xe6\\xef\\xf8\\xb8\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1873
          },
          {
            "timestamp": "2026-05-28 22:02:13,947",
            "thread_id": "11140",
            "caller": "0x7ffc78036e9b",
            "parentcaller": "0x7ffc78008d8f",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "25"
              },
              {
                "name": "TokenInformation",
                "value": "\\xa0rHe\\xa3\\x02\\x00\\x00`\\x00\\x00\\x00\\x84\\x07\\xf0\\xa7\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x10\\x000\\x00\\x00\\xeb\\x1c\\xc9\\x11\\x9f\\xe8\\x08\\x00+\\x10H`\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1874
          },
          {
            "timestamp": "2026-05-28 22:02:13,947",
            "thread_id": "11140",
            "caller": "0x7ffc78036ec0",
            "parentcaller": "0x7ffc78008d8f",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "5"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 1875
          },
          {
            "timestamp": "2026-05-28 22:02:13,947",
            "thread_id": "11140",
            "caller": "0x7ffc78036f0e",
            "parentcaller": "0x7ffc78008d8f",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "5"
              },
              {
                "name": "TokenInformation",
                "value": "8bHe\\xa3\\x02\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\x01\\x02\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1876
          },
          {
            "timestamp": "2026-05-28 22:02:13,947",
            "thread_id": "11140",
            "caller": "0x7ffc78036f37",
            "parentcaller": "0x7ffc78008d8f",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "6"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 1877
          },
          {
            "timestamp": "2026-05-28 22:02:13,947",
            "thread_id": "11140",
            "caller": "0x7ffc78036f8f",
            "parentcaller": "0x7ffc78008d8f",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "6"
              },
              {
                "name": "TokenInformation",
                "value": "XsHe\\xa3\\x02\\x00\\x00\\x02\\x00P\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x18\\x00\\x00\\x00\\x00\\x10\\x01\\x02\\x00\\x00\\x00\\x00\\x00\\x05 \\x00\\x00\\x00 \\x02\\x00\\x00\\x00\\x00\\x14\\x00\\x00\\x00\\x00\\x10\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x05\\x12\\x00\\x00\\x00\\x00\\x00\\x1c\\x00\\x00\\x00\\x00\\xa0\\x01\\x03\\x00\\x00\\x00\\x00\\x00\\x05\\x05\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xc7X\\x02\\x00"
              }
            ],
            "repeated": 0,
            "id": 1878
          },
          {
            "timestamp": "2026-05-28 22:02:13,947",
            "thread_id": "11140",
            "caller": "0x7ffc78037048",
            "parentcaller": "0x7ffc78036fa8",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "41"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00X@\\xdd3\\xfc\\x7f\\x00\\x00\\xebP\\xb53\\xfc\\x7f\\x00\\x00\\x08\\x88\\xd9\\xfb\\x02;\\x00\\x00(N\\xd93\\xfc\\x7f\\x00\\x00p\\xdf\\xff\\xf8\\xb8\\x00\\x00\\x00h\\xdf\\xff\\xf8\\xb8\\x00\\x00\\x008\\xdf\\xff\\xf8\\xb8\\x00\\x00\\x00X\\xdf\\xff\\xf8"
              }
            ],
            "repeated": 0,
            "id": 1879
          },
          {
            "timestamp": "2026-05-28 22:02:13,947",
            "thread_id": "11140",
            "caller": "0x7ffc7803707b",
            "parentcaller": "0x7ffc78036fa8",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "41"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00PsHe\\xa3\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xd9\\xd8\\xb63\\xfc\\x7f\\x00\\x00#\\x00\\x00\\xc0\\x00\\x00\\x00\\x00X\\xdd\\xff\\xf8\\xb8\\x00\\x00\\x00l\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x9a\\x00\\x1f8\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x86\\xa2\\xd93"
              }
            ],
            "repeated": 0,
            "id": 1880
          },
          {
            "timestamp": "2026-05-28 22:02:13,947",
            "thread_id": "11140",
            "caller": "0x7ffc78008cde",
            "parentcaller": "0x7ffc7800953a",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "10"
              },
              {
                "name": "TokenInformation",
                "value": "H\\xc5\n\\x00\\x00\\x00\\x00\\x00]Y\\x02\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x7f\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x94\\x0f\\x00\\x00\\x0e\\x00\\x00\\x00\\x18\\x00\\x00\\x00\t\\xc5\n\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1881
          },
          {
            "timestamp": "2026-05-28 22:02:13,947",
            "thread_id": "11140",
            "caller": "0x7ffc78036e46",
            "parentcaller": "0x7ffc78008d8f",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "4"
              },
              {
                "name": "TokenInformation",
                "value": "\\xf8 He\\xa3\\x02\\x00\\x00\\x01\\x02\\x00\\x00\\x00\\x00\\x00\\x05 \\x00\\x00\\x00 \\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x80\\xc3\\xf4`\\xfc\\x7f\\x00\\x00\\xf0\\xec\\xdbw\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1882
          },
          {
            "timestamp": "2026-05-28 22:02:13,947",
            "thread_id": "11140",
            "caller": "0x7ffc78036e9b",
            "parentcaller": "0x7ffc78008d8f",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "25"
              },
              {
                "name": "TokenInformation",
                "value": "\\x80qHe\\xa3\\x02\\x00\\x00`\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x10\\x000\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\\\x00R\\x00E\\x00G\\x00I\\x00S\\x00T\\x00R\\x00Y\\x00\\\\x00U\\x00S\\x00E\\x00R\\x00\\\\x00S\\x00-\\x001\\x00"
              }
            ],
            "repeated": 0,
            "id": 1883
          },
          {
            "timestamp": "2026-05-28 22:02:13,947",
            "thread_id": "11140",
            "caller": "0x7ffc78036ec0",
            "parentcaller": "0x7ffc78008d8f",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "5"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 1884
          },
          {
            "timestamp": "2026-05-28 22:02:13,947",
            "thread_id": "11140",
            "caller": "0x7ffc78036f0e",
            "parentcaller": "0x7ffc78008d8f",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "5"
              },
              {
                "name": "TokenInformation",
                "value": "\\xe8`He\\xa3\\x02\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\x01\\x02\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1885
          },
          {
            "timestamp": "2026-05-28 22:02:13,947",
            "thread_id": "11140",
            "caller": "0x7ffc78036f37",
            "parentcaller": "0x7ffc78008d8f",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "6"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 1886
          },
          {
            "timestamp": "2026-05-28 22:02:13,947",
            "thread_id": "11140",
            "caller": "0x7ffc78036f8f",
            "parentcaller": "0x7ffc78008d8f",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "6"
              },
              {
                "name": "TokenInformation",
                "value": "\\xf8uHe\\xa3\\x02\\x00\\x00\\x02\\x00P\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x18\\x00\\x00\\x00\\x00\\x10\\x01\\x02\\x00\\x00\\x00\\x00\\x00\\x05 \\x00\\x00\\x00 \\x02\\x00\\x00\\x00\\x00\\x14\\x00\\x00\\x00\\x00\\x10\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x05\\x12\\x00\\x00\\x00\\x00\\x00\\x1c\\x00\\x00\\x00\\x00\\xa0\\x01\\x03\\x00\\x00\\x00\\x00\\x00\\x05\\x05\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xc7X\\x02\\x00"
              }
            ],
            "repeated": 0,
            "id": 1887
          },
          {
            "timestamp": "2026-05-28 22:02:13,947",
            "thread_id": "11140",
            "caller": "0x7ffc78037048",
            "parentcaller": "0x7ffc78036fa8",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "41"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00X@\\xdd3\\xfc\\x7f\\x00\\x00\\xebP\\xb53\\xfc\\x7f\\x00\\x00\\xa8\\x8d\\xd9\\xfb\\x02;\\x00\\x00(N\\xd93\\xfc\\x7f\\x00\\x00\\xd0\\xdb\\xff\\xf8\\xb8\\x00\\x00\\x00\\xc8\\xdb\\xff\\xf8\\xb8\\x00\\x00\\x00\\x98\\xdb\\xff\\xf8\\xb8\\x00\\x00\\x00\\xb8\\xdb\\xff\\xf8"
              }
            ],
            "repeated": 0,
            "id": 1888
          },
          {
            "timestamp": "2026-05-28 22:02:13,947",
            "thread_id": "11140",
            "caller": "0x7ffc7803707b",
            "parentcaller": "0x7ffc78036fa8",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "41"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xf0uHe\\xa3\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xd9\\xd8\\xb63\\xfc\\x7f\\x00\\x00#\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\xb8\\xd9\\xff\\xf8\\xb8\\x00\\x00\\x00l\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x9a\\x00\\x1f8\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x86\\xa2\\xd93"
              }
            ],
            "repeated": 0,
            "id": 1889
          },
          {
            "timestamp": "2026-05-28 22:02:13,947",
            "thread_id": "11140",
            "caller": "0x7ffc756e6785",
            "parentcaller": "0x7ffc770b0e27",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000474"
              }
            ],
            "repeated": 0,
            "id": 1890
          },
          {
            "timestamp": "2026-05-28 22:02:13,947",
            "thread_id": "11140",
            "caller": "0x7ffc756e6785",
            "parentcaller": "0x7ffc770b0e49",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000046c"
              }
            ],
            "repeated": 0,
            "id": 1891
          },
          {
            "timestamp": "2026-05-28 22:02:13,947",
            "thread_id": "11132",
            "caller": "0x7ffc756e6785",
            "parentcaller": "0x7ffc77c12ec5",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000478"
              }
            ],
            "repeated": 0,
            "id": 1892
          },
          {
            "timestamp": "2026-05-28 22:02:13,947",
            "thread_id": "11132",
            "caller": "0x7ffc77ba22bf",
            "parentcaller": "0x7ffc77c1fbe4",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x000003c6"
              },
              {
                "name": "SubKey",
                "value": "Interface\\{79AB57F6-43FE-487B-8A7F-99567200AE94}"
              },
              {
                "name": "Handle",
                "value": "0x0000047a"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\Interface\\{79AB57F6-43FE-487B-8A7F-99567200AE94}"
              }
            ],
            "repeated": 0,
            "id": 1893
          },
          {
            "timestamp": "2026-05-28 22:02:13,947",
            "thread_id": "11132",
            "caller": "0x7ffc77c1fa51",
            "parentcaller": "0x7ffc77be42ab",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x0000047a"
              },
              {
                "name": "SubKey",
                "value": "ProxyStubClsid32"
              },
              {
                "name": "Handle",
                "value": "0x00000476"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{79ab57f6-43fe-487b-8a7f-99567200ae94}\\ProxyStubClsid32"
              }
            ],
            "repeated": 0,
            "id": 1894
          },
          {
            "timestamp": "2026-05-28 22:02:13,947",
            "thread_id": "11132",
            "caller": "0x7ffc77c1fa8c",
            "parentcaller": "0x7ffc77be42ab",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000476"
              },
              {
                "name": "ValueName",
                "value": ""
              },
              {
                "name": "Data",
                "value": "{6db7cd52-e3b7-4ecc-bb1f-388aeef6bb50}"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{79ab57f6-43fe-487b-8a7f-99567200ae94}\\ProxyStubClsid32\\(Default)"
              }
            ],
            "repeated": 0,
            "id": 1895
          },
          {
            "timestamp": "2026-05-28 22:02:13,947",
            "thread_id": "11132",
            "caller": "0x7ffc77c1fad3",
            "parentcaller": "0x7ffc77be42ab",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000476"
              }
            ],
            "repeated": 0,
            "id": 1896
          },
          {
            "timestamp": "2026-05-28 22:02:13,947",
            "thread_id": "11132",
            "caller": "0x7ffc77c1fae4",
            "parentcaller": "0x7ffc77be42ab",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000047a"
              }
            ],
            "repeated": 0,
            "id": 1897
          },
          {
            "timestamp": "2026-05-28 22:02:13,947",
            "thread_id": "11132",
            "caller": "0x7ffc756d30ce",
            "parentcaller": "0x7ffc77c22cd1",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 1898
          },
          {
            "timestamp": "2026-05-28 22:02:13,947",
            "thread_id": "11132",
            "caller": "0x7ffc756d30ce",
            "parentcaller": "0x7ffc77c22cd1",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000037c"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 1899
          },
          {
            "timestamp": "2026-05-28 22:02:13,947",
            "thread_id": "11132",
            "caller": "0x7ffc78013f7a",
            "parentcaller": "0x7ffc770b0ed7",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "29"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1900
          },
          {
            "timestamp": "2026-05-28 22:02:13,947",
            "thread_id": "11132",
            "caller": "0x7ffc770b0cd1",
            "parentcaller": "0x7ffc770af28f",
            "category": "filesystem",
            "api": "NtOpenDirectoryObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "DirectoryHandle",
                "value": "0x00000478"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020001",
                "pretty_value": "FILE_READ_ACCESS|READ_CONTROL"
              },
              {
                "name": "ObjectAttributes",
                "value": "C:\\RPC Control"
              }
            ],
            "repeated": 0,
            "id": 1901
          },
          {
            "timestamp": "2026-05-28 22:02:13,947",
            "thread_id": "11132",
            "caller": "0x7ffc7572026b",
            "parentcaller": "0x7ffc770b0daf",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x00000474"
              }
            ],
            "repeated": 0,
            "id": 1902
          },
          {
            "timestamp": "2026-05-28 22:02:13,947",
            "thread_id": "11132",
            "caller": "0x7ffc78008cde",
            "parentcaller": "0x7ffc78049c4e",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "10"
              },
              {
                "name": "TokenInformation",
                "value": "H\\xc5\n\\x00\\x00\\x00\\x00\\x00]Y\\x02\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x7f\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x94\\x0f\\x00\\x00\\x0e\\x00\\x00\\x00\\x18\\x00\\x00\\x00\t\\xc5\n\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1903
          },
          {
            "timestamp": "2026-05-28 22:02:13,947",
            "thread_id": "11132",
            "caller": "0x7ffc78036e46",
            "parentcaller": "0x7ffc78008d8f",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "4"
              },
              {
                "name": "TokenInformation",
                "value": "\\xc8(He\\xa3\\x02\\x00\\x00\\x01\\x02\\x00\\x00\\x00\\x00\\x00\\x05 \\x00\\x00\\x00 \\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x80\\xc3\\xf4`\\xfc\\x7f\\x00\\x00\\xf0\\xec\\xdbw\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1904
          },
          {
            "timestamp": "2026-05-28 22:02:13,947",
            "thread_id": "11132",
            "caller": "0x7ffc78036e9b",
            "parentcaller": "0x7ffc78008d8f",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "25"
              },
              {
                "name": "TokenInformation",
                "value": "\\x80tHe\\xa3\\x02\\x00\\x00`\\x00\\x00\\x00\\\\x00S\\x00\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x10\\x000\\x00\\x001\\x00-\\x003\\x009\\x006\\x008\\x006\\x008\\x006\\x000\\x004\\x000\\x00-\\x003\\x002\\x001\\x000\\x002\\x007\\x009\\x004\\x006\\x003\\x00-\\x008\\x004\\x007\\x009\\x00"
              }
            ],
            "repeated": 0,
            "id": 1905
          },
          {
            "timestamp": "2026-05-28 22:02:13,947",
            "thread_id": "11132",
            "caller": "0x7ffc78036ec0",
            "parentcaller": "0x7ffc78008d8f",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "5"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 1906
          },
          {
            "timestamp": "2026-05-28 22:02:13,947",
            "thread_id": "11132",
            "caller": "0x7ffc78036f0e",
            "parentcaller": "0x7ffc78008d8f",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "5"
              },
              {
                "name": "TokenInformation",
                "value": "\\xd8dHe\\xa3\\x02\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\x01\\x02\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1907
          },
          {
            "timestamp": "2026-05-28 22:02:13,947",
            "thread_id": "11132",
            "caller": "0x7ffc78036f37",
            "parentcaller": "0x7ffc78008d8f",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "6"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 1908
          },
          {
            "timestamp": "2026-05-28 22:02:13,947",
            "thread_id": "11132",
            "caller": "0x7ffc78036f8f",
            "parentcaller": "0x7ffc78008d8f",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "6"
              },
              {
                "name": "TokenInformation",
                "value": "\\x18wHe\\xa3\\x02\\x00\\x00\\x02\\x00P\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x18\\x00\\x00\\x00\\x00\\x10\\x01\\x02\\x00\\x00\\x00\\x00\\x00\\x05 \\x00\\x00\\x00 \\x02\\x00\\x00\\x00\\x00\\x14\\x00\\x00\\x00\\x00\\x10\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x05\\x12\\x00\\x00\\x00\\x00\\x00\\x1c\\x00\\x00\\x00\\x00\\xa0\\x01\\x03\\x00\\x00\\x00\\x00\\x00\\x05\\x05\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xc7X\\x02\\x00"
              }
            ],
            "repeated": 0,
            "id": 1909
          },
          {
            "timestamp": "2026-05-28 22:02:13,947",
            "thread_id": "11132",
            "caller": "0x7ffc78037048",
            "parentcaller": "0x7ffc78036fa8",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "41"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00X@\\xdd3\\xfc\\x7f\\x00\\x00\\xebP\\xb53\\xfc\\x7f\\x00\\x00\\xd8\\x97\\xf9\\xfb\\x02;\\x00\\x00(N\\xd93\\xfc\\x7f\\x00\\x00\\xa0\\xd1\\xdf\\xf8\\xb8\\x00\\x00\\x00\\x98\\xd1\\xdf\\xf8\\xb8\\x00\\x00\\x00h\\xd1\\xdf\\xf8\\xb8\\x00\\x00\\x00\\x88\\xd1\\xdf\\xf8"
              }
            ],
            "repeated": 0,
            "id": 1910
          },
          {
            "timestamp": "2026-05-28 22:02:13,947",
            "thread_id": "11132",
            "caller": "0x7ffc7803707b",
            "parentcaller": "0x7ffc78036fa8",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "41"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10wHe\\xa3\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xd9\\xd8\\xb63\\xfc\\x7f\\x00\\x00#\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x88\\xcf\\xdf\\xf8\\xb8\\x00\\x00\\x00t\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x9a\\x00\\x1f8\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x86\\xa2\\xd93"
              }
            ],
            "repeated": 0,
            "id": 1911
          },
          {
            "timestamp": "2026-05-28 22:02:13,947",
            "thread_id": "11132",
            "caller": "0x7ffc78008cde",
            "parentcaller": "0x7ffc7800953a",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "10"
              },
              {
                "name": "TokenInformation",
                "value": "H\\xc5\n\\x00\\x00\\x00\\x00\\x00]Y\\x02\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x7f\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x94\\x0f\\x00\\x00\\x0e\\x00\\x00\\x00\\x18\\x00\\x00\\x00\t\\xc5\n\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1912
          },
          {
            "timestamp": "2026-05-28 22:02:13,947",
            "thread_id": "11132",
            "caller": "0x7ffc78036e46",
            "parentcaller": "0x7ffc78008d8f",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "4"
              },
              {
                "name": "TokenInformation",
                "value": "\\xb8)He\\xa3\\x02\\x00\\x00\\x01\\x02\\x00\\x00\\x00\\x00\\x00\\x05 \\x00\\x00\\x00 \\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00l\\x00l\\x00"
              }
            ],
            "repeated": 0,
            "id": 1913
          },
          {
            "timestamp": "2026-05-28 22:02:13,947",
            "thread_id": "11132",
            "caller": "0x7ffc78036e9b",
            "parentcaller": "0x7ffc78008d8f",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "25"
              },
              {
                "name": "TokenInformation",
                "value": "\\xe0wHe\\xa3\\x02\\x00\\x00`\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x10\\x000\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1914
          },
          {
            "timestamp": "2026-05-28 22:02:13,947",
            "thread_id": "11132",
            "caller": "0x7ffc78036ec0",
            "parentcaller": "0x7ffc78008d8f",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "5"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 1915
          },
          {
            "timestamp": "2026-05-28 22:02:13,947",
            "thread_id": "11132",
            "caller": "0x7ffc78036f0e",
            "parentcaller": "0x7ffc78008d8f",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "5"
              },
              {
                "name": "TokenInformation",
                "value": "\\x08eHe\\xa3\\x02\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\x01\\x02\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1916
          },
          {
            "timestamp": "2026-05-28 22:02:13,947",
            "thread_id": "11132",
            "caller": "0x7ffc78036f37",
            "parentcaller": "0x7ffc78008d8f",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "6"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 1917
          },
          {
            "timestamp": "2026-05-28 22:02:13,947",
            "thread_id": "11132",
            "caller": "0x7ffc78036f8f",
            "parentcaller": "0x7ffc78008d8f",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "6"
              },
              {
                "name": "TokenInformation",
                "value": "\\xf8{He\\xa3\\x02\\x00\\x00\\x02\\x00P\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x18\\x00\\x00\\x00\\x00\\x10\\x01\\x02\\x00\\x00\\x00\\x00\\x00\\x05 \\x00\\x00\\x00 \\x02\\x00\\x00\\x00\\x00\\x14\\x00\\x00\\x00\\x00\\x10\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x05\\x12\\x00\\x00\\x00\\x00\\x00\\x1c\\x00\\x00\\x00\\x00\\xa0\\x01\\x03\\x00\\x00\\x00\\x00\\x00\\x05\\x05\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xc7X\\x02\\x00"
              }
            ],
            "repeated": 0,
            "id": 1918
          },
          {
            "timestamp": "2026-05-28 22:02:13,947",
            "thread_id": "11132",
            "caller": "0x7ffc78037048",
            "parentcaller": "0x7ffc78036fa8",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "41"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00X@\\xdd3\\xfc\\x7f\\x00\\x00\\xebP\\xb53\\xfc\\x7f\\x00\\x00x\\x9b\\xf9\\xfb\\x02;\\x00\\x00(N\\xd93\\xfc\\x7f\\x00\\x00\\x00\\xce\\xdf\\xf8\\xb8\\x00\\x00\\x00\\xf8\\xcd\\xdf\\xf8\\xb8\\x00\\x00\\x00\\xc8\\xcd\\xdf\\xf8\\xb8\\x00\\x00\\x00\\xe8\\xcd\\xdf\\xf8"
              }
            ],
            "repeated": 0,
            "id": 1919
          },
          {
            "timestamp": "2026-05-28 22:02:13,947",
            "thread_id": "11132",
            "caller": "0x7ffc7803707b",
            "parentcaller": "0x7ffc78036fa8",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "41"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xf0{He\\xa3\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xd9\\xd8\\xb63\\xfc\\x7f\\x00\\x00#\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\xe8\\xcb\\xdf\\xf8\\xb8\\x00\\x00\\x00t\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x9a\\x00\\x1f8\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x86\\xa2\\xd93"
              }
            ],
            "repeated": 0,
            "id": 1920
          },
          {
            "timestamp": "2026-05-28 22:02:13,947",
            "thread_id": "11132",
            "caller": "0x7ffc756e6785",
            "parentcaller": "0x7ffc770b0e27",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000478"
              }
            ],
            "repeated": 0,
            "id": 1921
          },
          {
            "timestamp": "2026-05-28 22:02:13,947",
            "thread_id": "11132",
            "caller": "0x7ffc756e6785",
            "parentcaller": "0x7ffc770b0e49",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000474"
              }
            ],
            "repeated": 0,
            "id": 1922
          },
          {
            "timestamp": "2026-05-28 22:02:13,963",
            "thread_id": "11140",
            "caller": "0x7ffc756e6785",
            "parentcaller": "0x7ffc77c12ec5",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000046c"
              }
            ],
            "repeated": 0,
            "id": 1923
          },
          {
            "timestamp": "2026-05-28 22:02:13,963",
            "thread_id": "11140",
            "caller": "0x7ffc77ba22bf",
            "parentcaller": "0x7ffc77c1fbe4",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x000003c6"
              },
              {
                "name": "SubKey",
                "value": "Interface\\{679C64B7-81AB-42C2-8819-C958767753F4}"
              },
              {
                "name": "Handle",
                "value": "0x0000046e"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\Interface\\{679C64B7-81AB-42C2-8819-C958767753F4}"
              }
            ],
            "repeated": 0,
            "id": 1924
          },
          {
            "timestamp": "2026-05-28 22:02:13,963",
            "thread_id": "11140",
            "caller": "0x7ffc77c1fa51",
            "parentcaller": "0x7ffc77be42ab",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x0000046e"
              },
              {
                "name": "SubKey",
                "value": "ProxyStubClsid32"
              },
              {
                "name": "Handle",
                "value": "0x0000047a"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{679C64B7-81AB-42C2-8819-C958767753F4}\\ProxyStubClsid32"
              }
            ],
            "repeated": 0,
            "id": 1925
          },
          {
            "timestamp": "2026-05-28 22:02:13,963",
            "thread_id": "11140",
            "caller": "0x7ffc77c1fa8c",
            "parentcaller": "0x7ffc77be42ab",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000047a"
              },
              {
                "name": "ValueName",
                "value": ""
              },
              {
                "name": "Data",
                "value": "{6db7cd52-e3b7-4ecc-bb1f-388aeef6bb50}"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{679C64B7-81AB-42C2-8819-C958767753F4}\\ProxyStubClsid32\\(Default)"
              }
            ],
            "repeated": 0,
            "id": 1926
          },
          {
            "timestamp": "2026-05-28 22:02:13,963",
            "thread_id": "11140",
            "caller": "0x7ffc77c1fad3",
            "parentcaller": "0x7ffc77be42ab",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000047a"
              }
            ],
            "repeated": 0,
            "id": 1927
          },
          {
            "timestamp": "2026-05-28 22:02:13,963",
            "thread_id": "11140",
            "caller": "0x7ffc77c1fae4",
            "parentcaller": "0x7ffc77be42ab",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000046e"
              }
            ],
            "repeated": 0,
            "id": 1928
          },
          {
            "timestamp": "2026-05-28 22:02:13,963",
            "thread_id": "11140",
            "caller": "0x7ffc756d30ce",
            "parentcaller": "0x7ffc77c22cd1",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 1929
          },
          {
            "timestamp": "2026-05-28 22:02:13,963",
            "thread_id": "11140",
            "caller": "0x7ffc756d30ce",
            "parentcaller": "0x7ffc77c22cd1",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000037c"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 1930
          },
          {
            "timestamp": "2026-05-28 22:02:13,963",
            "thread_id": "11140",
            "caller": "0x7ffc77ff2caa",
            "parentcaller": "0x7ffc77ff2fbd",
            "category": "process",
            "api": "NtAllocateVirtualMemoryEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2a36548f000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1931
          },
          {
            "timestamp": "2026-05-28 22:02:13,963",
            "thread_id": "11140",
            "caller": "0x7ffc78013f7a",
            "parentcaller": "0x7ffc770b0ed7",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "29"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1932
          },
          {
            "timestamp": "2026-05-28 22:02:13,963",
            "thread_id": "11140",
            "caller": "0x7ffc770b0cd1",
            "parentcaller": "0x7ffc770af28f",
            "category": "filesystem",
            "api": "NtOpenDirectoryObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "DirectoryHandle",
                "value": "0x0000046c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020001",
                "pretty_value": "FILE_READ_ACCESS|READ_CONTROL"
              },
              {
                "name": "ObjectAttributes",
                "value": "C:\\RPC Control"
              }
            ],
            "repeated": 0,
            "id": 1933
          },
          {
            "timestamp": "2026-05-28 22:02:13,963",
            "thread_id": "11140",
            "caller": "0x7ffc7572026b",
            "parentcaller": "0x7ffc770b0daf",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x00000478"
              }
            ],
            "repeated": 0,
            "id": 1934
          },
          {
            "timestamp": "2026-05-28 22:02:13,963",
            "thread_id": "11140",
            "caller": "0x7ffc78008cde",
            "parentcaller": "0x7ffc78049c4e",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "10"
              },
              {
                "name": "TokenInformation",
                "value": "H\\xc5\n\\x00\\x00\\x00\\x00\\x00]Y\\x02\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x7f\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x94\\x0f\\x00\\x00\\x0e\\x00\\x00\\x00\\x18\\x00\\x00\\x00\t\\xc5\n\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1935
          },
          {
            "timestamp": "2026-05-28 22:02:13,963",
            "thread_id": "11140",
            "caller": "0x7ffc78036e46",
            "parentcaller": "0x7ffc78008d8f",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "4"
              },
              {
                "name": "TokenInformation",
                "value": "\\xb8$He\\xa3\\x02\\x00\\x00\\x01\\x02\\x00\\x00\\x00\\x00\\x00\\x05 \\x00\\x00\\x00 \\x02\\x00\\x00\\\\x00L\\x00R\\x00P\\x00C\\x00-\\x00a\\x00d\\x00a\\x00c\\x005\\x006\\x00a\\x00b\\x000\\x007\\x009\\x00d\\x003\\x002\\x003\\x00c\\x009\\x009\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1936
          },
          {
            "timestamp": "2026-05-28 22:02:13,963",
            "thread_id": "11140",
            "caller": "0x7ffc78036e9b",
            "parentcaller": "0x7ffc78008d8f",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "25"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00vHe\\xa3\\x02\\x00\\x00`\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x10\\x000\\x00\\x00\\x00\\x00\\x00\\x05 \\x00\\x00\\x00 \\x02\\x00\\x00\\x00\\x00\\x14\\x00\\x00\\x00\\x00\\x10\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x05\\x12\\x00\\x00\\x00\\x00\\x00\\x1c\\x00\\x00\\x00\\x00\\xa0\\x01\\x03\\x00\\x00\\x00\\x00\\x00\\x05\\x05\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1937
          },
          {
            "timestamp": "2026-05-28 22:02:13,963",
            "thread_id": "11140",
            "caller": "0x7ffc78036ec0",
            "parentcaller": "0x7ffc78008d8f",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "5"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 1938
          },
          {
            "timestamp": "2026-05-28 22:02:13,963",
            "thread_id": "11140",
            "caller": "0x7ffc78036f0e",
            "parentcaller": "0x7ffc78008d8f",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "5"
              },
              {
                "name": "TokenInformation",
                "value": "\\xf8eHe\\xa3\\x02\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\x01\\x02\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1939
          },
          {
            "timestamp": "2026-05-28 22:02:13,963",
            "thread_id": "11140",
            "caller": "0x7ffc78036f37",
            "parentcaller": "0x7ffc78008d8f",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "6"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 1940
          },
          {
            "timestamp": "2026-05-28 22:02:13,963",
            "thread_id": "11140",
            "caller": "0x7ffc78036f8f",
            "parentcaller": "0x7ffc78008d8f",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "6"
              },
              {
                "name": "TokenInformation",
                "value": "XsHe\\xa3\\x02\\x00\\x00\\x02\\x00P\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x18\\x00\\x00\\x00\\x00\\x10\\x01\\x02\\x00\\x00\\x00\\x00\\x00\\x05 \\x00\\x00\\x00 \\x02\\x00\\x00\\x00\\x00\\x14\\x00\\x00\\x00\\x00\\x10\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x05\\x12\\x00\\x00\\x00\\x00\\x00\\x1c\\x00\\x00\\x00\\x00\\xa0\\x01\\x03\\x00\\x00\\x00\\x00\\x00\\x05\\x05\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xc7X\\x02\\x00"
              }
            ],
            "repeated": 0,
            "id": 1941
          },
          {
            "timestamp": "2026-05-28 22:02:13,963",
            "thread_id": "11140",
            "caller": "0x7ffc78037048",
            "parentcaller": "0x7ffc78036fa8",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "41"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00X@\\xdd3\\xfc\\x7f\\x00\\x00\\xebP\\xb53\\xfc\\x7f\\x00\\x00\\x08\\x88\\xd9\\xfb\\x02;\\x00\\x00(N\\xd93\\xfc\\x7f\\x00\\x00p\\xdf\\xff\\xf8\\xb8\\x00\\x00\\x00h\\xdf\\xff\\xf8\\xb8\\x00\\x00\\x008\\xdf\\xff\\xf8\\xb8\\x00\\x00\\x00X\\xdf\\xff\\xf8"
              }
            ],
            "repeated": 0,
            "id": 1942
          },
          {
            "timestamp": "2026-05-28 22:02:13,963",
            "thread_id": "11140",
            "caller": "0x7ffc7803707b",
            "parentcaller": "0x7ffc78036fa8",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "41"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00PsHe\\xa3\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xd9\\xd8\\xb63\\xfc\\x7f\\x00\\x00#\\x00\\x00\\xc0\\x00\\x00\\x00\\x00X\\xdd\\xff\\xf8\\xb8\\x00\\x00\\x00x\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x9a\\x00\\x1f8\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x86\\xa2\\xd93"
              }
            ],
            "repeated": 0,
            "id": 1943
          },
          {
            "timestamp": "2026-05-28 22:02:13,963",
            "thread_id": "11140",
            "caller": "0x7ffc78008cde",
            "parentcaller": "0x7ffc7800953a",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "10"
              },
              {
                "name": "TokenInformation",
                "value": "H\\xc5\n\\x00\\x00\\x00\\x00\\x00]Y\\x02\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x7f\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x94\\x0f\\x00\\x00\\x0e\\x00\\x00\\x00\\x18\\x00\\x00\\x00\t\\xc5\n\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1944
          },
          {
            "timestamp": "2026-05-28 22:02:13,963",
            "thread_id": "11140",
            "caller": "0x7ffc78036e46",
            "parentcaller": "0x7ffc78008d8f",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "4"
              },
              {
                "name": "TokenInformation",
                "value": "\\xf8 He\\xa3\\x02\\x00\\x00\\x01\\x02\\x00\\x00\\x00\\x00\\x00\\x05 \\x00\\x00\\x00 \\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x80\\xc3\\xf4`\\xfc\\x7f\\x00\\x00\\xf0\\xec\\xdbw\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1945
          },
          {
            "timestamp": "2026-05-28 22:02:13,963",
            "thread_id": "11140",
            "caller": "0x7ffc78036e9b",
            "parentcaller": "0x7ffc78008d8f",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "25"
              },
              {
                "name": "TokenInformation",
                "value": "\\xc0yHe\\xa3\\x02\\x00\\x00`\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x10\\x000\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x04\\x00\\\\x00R\\x00E\\x00G\\x00I\\x00S\\x00T\\x00R\\x00Y\\x00\\\\x00U\\x00S\\x00E\\x00R\\x00\\\\x00S\\x00-\\x001\\x00"
              }
            ],
            "repeated": 0,
            "id": 1946
          },
          {
            "timestamp": "2026-05-28 22:02:13,963",
            "thread_id": "11140",
            "caller": "0x7ffc78036ec0",
            "parentcaller": "0x7ffc78008d8f",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "5"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 1947
          },
          {
            "timestamp": "2026-05-28 22:02:13,963",
            "thread_id": "11140",
            "caller": "0x7ffc78036f0e",
            "parentcaller": "0x7ffc78008d8f",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "5"
              },
              {
                "name": "TokenInformation",
                "value": "HaHe\\xa3\\x02\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\x01\\x02\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1948
          },
          {
            "timestamp": "2026-05-28 22:02:13,963",
            "thread_id": "11140",
            "caller": "0x7ffc78036f37",
            "parentcaller": "0x7ffc78008d8f",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "6"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 1949
          },
          {
            "timestamp": "2026-05-28 22:02:13,963",
            "thread_id": "11140",
            "caller": "0x7ffc78036f8f",
            "parentcaller": "0x7ffc78008d8f",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "6"
              },
              {
                "name": "TokenInformation",
                "value": "\\xd8qHe\\xa3\\x02\\x00\\x00\\x02\\x00P\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x18\\x00\\x00\\x00\\x00\\x10\\x01\\x02\\x00\\x00\\x00\\x00\\x00\\x05 \\x00\\x00\\x00 \\x02\\x00\\x00\\x00\\x00\\x14\\x00\\x00\\x00\\x00\\x10\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x05\\x12\\x00\\x00\\x00\\x00\\x00\\x1c\\x00\\x00\\x00\\x00\\xa0\\x01\\x03\\x00\\x00\\x00\\x00\\x00\\x05\\x05\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xc7X\\x02\\x00"
              }
            ],
            "repeated": 0,
            "id": 1950
          },
          {
            "timestamp": "2026-05-28 22:02:13,963",
            "thread_id": "11140",
            "caller": "0x7ffc78037048",
            "parentcaller": "0x7ffc78036fa8",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "41"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00X@\\xdd3\\xfc\\x7f\\x00\\x00\\xebP\\xb53\\xfc\\x7f\\x00\\x00\\xa8\\x8d\\xd9\\xfb\\x02;\\x00\\x00(N\\xd93\\xfc\\x7f\\x00\\x00\\xd0\\xdb\\xff\\xf8\\xb8\\x00\\x00\\x00\\xc8\\xdb\\xff\\xf8\\xb8\\x00\\x00\\x00\\x98\\xdb\\xff\\xf8\\xb8\\x00\\x00\\x00\\xb8\\xdb\\xff\\xf8"
              }
            ],
            "repeated": 0,
            "id": 1951
          },
          {
            "timestamp": "2026-05-28 22:02:13,963",
            "thread_id": "11140",
            "caller": "0x7ffc7803707b",
            "parentcaller": "0x7ffc78036fa8",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "41"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xd0qHe\\xa3\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xd9\\xd8\\xb63\\xfc\\x7f\\x00\\x00#\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\xb8\\xd9\\xff\\xf8\\xb8\\x00\\x00\\x00x\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x9a\\x00\\x1f8\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x86\\xa2\\xd93"
              }
            ],
            "repeated": 0,
            "id": 1952
          },
          {
            "timestamp": "2026-05-28 22:02:13,963",
            "thread_id": "11140",
            "caller": "0x7ffc756e6785",
            "parentcaller": "0x7ffc770b0e27",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000046c"
              }
            ],
            "repeated": 0,
            "id": 1953
          },
          {
            "timestamp": "2026-05-28 22:02:13,963",
            "thread_id": "11140",
            "caller": "0x7ffc756e6785",
            "parentcaller": "0x7ffc770b0e49",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000478"
              }
            ],
            "repeated": 0,
            "id": 1954
          },
          {
            "timestamp": "2026-05-28 22:02:13,963",
            "thread_id": "11132",
            "caller": "0x7ffc756e6785",
            "parentcaller": "0x7ffc77c12ec5",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000474"
              }
            ],
            "repeated": 0,
            "id": 1955
          },
          {
            "timestamp": "2026-05-28 22:02:13,963",
            "thread_id": "11140",
            "caller": "0x7ffc756e6785",
            "parentcaller": "0x7ffc77c12ec5",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000478"
              }
            ],
            "repeated": 0,
            "id": 1956
          },
          {
            "timestamp": "2026-05-28 22:02:13,963",
            "thread_id": "11140",
            "caller": "0x7ffc756e08ee",
            "parentcaller": "0x7ffc77c38bd7",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000478"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001000",
                "pretty_value": "PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "10720"
              }
            ],
            "repeated": 0,
            "id": 1957
          },
          {
            "timestamp": "2026-05-28 22:02:13,963",
            "thread_id": "11140",
            "caller": "0x7ffc7572026b",
            "parentcaller": "0x7ffc756ecbb0",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000478"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x00000480"
              }
            ],
            "repeated": 0,
            "id": 1958
          },
          {
            "timestamp": "2026-05-28 22:02:13,963",
            "thread_id": "11140",
            "caller": "0x7ffc756eaa1f",
            "parentcaller": "0x7ffc756ecb7c",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "39"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 1959
          },
          {
            "timestamp": "2026-05-28 22:02:13,963",
            "thread_id": "11140",
            "caller": "0x7ffc77ff2caa",
            "parentcaller": "0x7ffc77ff2fbd",
            "category": "process",
            "api": "NtAllocateVirtualMemoryEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2a365490000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1960
          },
          {
            "timestamp": "2026-05-28 22:02:13,963",
            "thread_id": "11140",
            "caller": "0x7ffc77ff2caa",
            "parentcaller": "0x7ffc77ff2fbd",
            "category": "process",
            "api": "NtAllocateVirtualMemoryEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2a365491000"
              },
              {
                "name": "RegionSize",
                "value": "0x00002000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1961
          },
          {
            "timestamp": "2026-05-28 22:02:13,963",
            "thread_id": "11140",
            "caller": "0x7ffc756eaaa8",
            "parentcaller": "0x7ffc756ecb7c",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "39"
              },
              {
                "name": "TokenInformation",
                "value": "\\x01\\x00\\x00\\x00\\x04\\x00\\x00\\x00P\\x00Ie\\xa3\\x02\\x00\\x00\\x1c\\x00\\x1c\\x00\\x00\\x00\\x00\\x00\\xf0\\x00Ie\\xa3\\x02\\x00\\x00\\x03\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x01Ie\\xa3\\x02\\x00\\x00\\x12\\x00\\x12\\x00\\x00\\x00\\x00\\x00$\\x02Ie\\xa3\\x02\\x00\\x00\\x02\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x008\\x02Ie\\xa3\\x02\\x00\\x00\\x1e\\x00\\x1e\\x00\\x00\\x00\\x00\\x00@\\x02Ie\\xa3\\x02\\x00\\x00\\x02\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00`\\x02Ie\\xa3\\x02\\x00\\x00 \\x00 \\x00\\x00\\x00\\x00\\x00h\\x02Ie\\xa3\\x02\\x00\\x00\\x02\\x00\\x00\\x00A\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x88\\x02Ie\\xa3\\x02\\x00\\x00W\\x00I\\x00N\\x00:\\x00/\\x00/\\x00S\\x00Y\\x00S\\x00A\\x00P\\x00P\\x00I\\x00D\\x00\\x00\\x00\\x00\\x00\\x86\\x00\\x86\\x00\\x00\\x00\\x00\\x00@\\x01Ie\\xa3\\x02\\x00\\x00\\x06\\x00\\x06\\x00\\x00\\x00\\x00\\x00\\xc6\\x01Ie\\xa3\\x02\\x00\\x00X\\x00X\\x00\\x00\\x00\\x00\\x00\\xcc\\x01Ie\\xa3\\x02\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1962
          },
          {
            "timestamp": "2026-05-28 22:02:13,963",
            "thread_id": "11140",
            "caller": "0x7ffc756e6785",
            "parentcaller": "0x7ffc756ecbbe",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000480"
              }
            ],
            "repeated": 0,
            "id": 1963
          },
          {
            "timestamp": "2026-05-28 22:02:13,963",
            "thread_id": "11140",
            "caller": "0x7ffc7572026b",
            "parentcaller": "0x7ffc756ecbb0",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000478"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x00000480"
              }
            ],
            "repeated": 0,
            "id": 1964
          },
          {
            "timestamp": "2026-05-28 22:02:13,963",
            "thread_id": "11140",
            "caller": "0x7ffc756eaa1f",
            "parentcaller": "0x7ffc756ecb7c",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "39"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 1965
          },
          {
            "timestamp": "2026-05-28 22:02:13,963",
            "thread_id": "11140",
            "caller": "0x7ffc756eaaa8",
            "parentcaller": "0x7ffc756ecb7c",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "39"
              },
              {
                "name": "TokenInformation",
                "value": "\\x01\\x00\\x00\\x00\\x04\\x00\\x00\\x00P\\x00Ie\\xa3\\x02\\x00\\x00\\x1c\\x00\\x1c\\x00\\x00\\x00\\x00\\x00\\xf0\\x00Ie\\xa3\\x02\\x00\\x00\\x03\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x01Ie\\xa3\\x02\\x00\\x00\\x12\\x00\\x12\\x00\\x00\\x00\\x00\\x00$\\x02Ie\\xa3\\x02\\x00\\x00\\x02\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x008\\x02Ie\\xa3\\x02\\x00\\x00\\x1e\\x00\\x1e\\x00\\x00\\x00\\x00\\x00@\\x02Ie\\xa3\\x02\\x00\\x00\\x02\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00`\\x02Ie\\xa3\\x02\\x00\\x00 \\x00 \\x00\\x00\\x00\\x00\\x00h\\x02Ie\\xa3\\x02\\x00\\x00\\x02\\x00\\x00\\x00A\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x88\\x02Ie\\xa3\\x02\\x00\\x00W\\x00I\\x00N\\x00:\\x00/\\x00/\\x00S\\x00Y\\x00S\\x00A\\x00P\\x00P\\x00I\\x00D\\x00\\x00\\x00\\x00\\x00\\x86\\x00\\x86\\x00\\x00\\x00\\x00\\x00@\\x01Ie\\xa3\\x02\\x00\\x00\\x06\\x00\\x06\\x00\\x00\\x00\\x00\\x00\\xc6\\x01Ie\\xa3\\x02\\x00\\x00X\\x00X\\x00\\x00\\x00\\x00\\x00\\xcc\\x01Ie\\xa3\\x02\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 1966
          },
          {
            "timestamp": "2026-05-28 22:02:13,963",
            "thread_id": "11140",
            "caller": "0x7ffc756e6785",
            "parentcaller": "0x7ffc756ecbbe",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000480"
              }
            ],
            "repeated": 0,
            "id": 1967
          },
          {
            "timestamp": "2026-05-28 22:02:13,963",
            "thread_id": "11140",
            "caller": "0x7ffc756e6785",
            "parentcaller": "0x7ffc60e69183",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000478"
              }
            ],
            "repeated": 0,
            "id": 1968
          },
          {
            "timestamp": "2026-05-28 22:02:13,963",
            "thread_id": "11140",
            "caller": "0x7ffc756d30ce",
            "parentcaller": "0x7ffc77c22cd1",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 1969
          },
          {
            "timestamp": "2026-05-28 22:02:13,963",
            "thread_id": "11140",
            "caller": "0x7ffc756d30ce",
            "parentcaller": "0x7ffc77c22cd1",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000037c"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 1970
          },
          {
            "timestamp": "2026-05-28 22:02:13,963",
            "thread_id": "11140",
            "caller": "0x7ffc756d30ce",
            "parentcaller": "0x7ffc77c22cd1",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 1971
          },
          {
            "timestamp": "2026-05-28 22:02:13,963",
            "thread_id": "11140",
            "caller": "0x7ffc756d30ce",
            "parentcaller": "0x7ffc77c22cd1",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000037c"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 1972
          },
          {
            "timestamp": "2026-05-28 22:02:13,963",
            "thread_id": "11140",
            "caller": "0x7ffc75716f4c",
            "parentcaller": "0x7ffc77b96d2f",
            "category": "system",
            "api": "NtDuplicateObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SourceProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "SourceHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "TargetProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "TargetHandle",
                "value": "0x00000480"
              },
              {
                "name": "Options",
                "value": "0x00000002"
              }
            ],
            "repeated": 0,
            "id": 1973
          },
          {
            "timestamp": "2026-05-28 22:02:13,963",
            "thread_id": "11140",
            "caller": "0x7ffc77be92b9",
            "parentcaller": "0x7ffc77c2224d",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "00000339-0000-0000-C000-000000000046"
              },
              {
                "name": "ClsContext",
                "value": "0x00000403",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER|CLSCTX_NO_CODE_DOWNLOAD"
              },
              {
                "name": "riid",
                "value": "00000003-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 1974
          },
          {
            "timestamp": "2026-05-28 22:02:13,963",
            "thread_id": "11140",
            "caller": "0x7ffc770e1630",
            "parentcaller": "0x7ffc770e12cd",
            "category": "system",
            "api": "NtQuerySystemTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 1975
          },
          {
            "timestamp": "2026-05-28 22:02:13,963",
            "thread_id": "11140",
            "caller": "0x7ffc77ba22bf",
            "parentcaller": "0x7ffc77c1fbe4",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x000003c6"
              },
              {
                "name": "SubKey",
                "value": "Interface\\{F655B052-348B-4AB0-947B-A7DAFA44D404}"
              },
              {
                "name": "Handle",
                "value": "0x00000486"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\Interface\\{F655B052-348B-4AB0-947B-A7DAFA44D404}"
              }
            ],
            "repeated": 0,
            "id": 1976
          },
          {
            "timestamp": "2026-05-28 22:02:13,963",
            "thread_id": "11140",
            "caller": "0x7ffc77c1fa51",
            "parentcaller": "0x7ffc77be42ab",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000486"
              },
              {
                "name": "SubKey",
                "value": "ProxyStubClsid32"
              },
              {
                "name": "Handle",
                "value": "0x0000048a"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{F655B052-348B-4AB0-947B-A7DAFA44D404}\\ProxyStubClsid32"
              }
            ],
            "repeated": 0,
            "id": 1977
          },
          {
            "timestamp": "2026-05-28 22:02:13,963",
            "thread_id": "11140",
            "caller": "0x7ffc77c1fa8c",
            "parentcaller": "0x7ffc77be42ab",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000048a"
              },
              {
                "name": "ValueName",
                "value": ""
              },
              {
                "name": "Data",
                "value": "{95E15D0A-66E6-93D9-C53C-76E6219D3341}"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{F655B052-348B-4AB0-947B-A7DAFA44D404}\\ProxyStubClsid32\\(Default)"
              }
            ],
            "repeated": 0,
            "id": 1978
          },
          {
            "timestamp": "2026-05-28 22:02:13,963",
            "thread_id": "11140",
            "caller": "0x7ffc77c1fad3",
            "parentcaller": "0x7ffc77be42ab",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000048a"
              }
            ],
            "repeated": 0,
            "id": 1979
          },
          {
            "timestamp": "2026-05-28 22:02:13,963",
            "thread_id": "11140",
            "caller": "0x7ffc77c1fae4",
            "parentcaller": "0x7ffc77be42ab",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000486"
              }
            ],
            "repeated": 0,
            "id": 1980
          },
          {
            "timestamp": "2026-05-28 22:02:13,963",
            "thread_id": "11140",
            "caller": "0x7ffc756d30ce",
            "parentcaller": "0x7ffc77c22cd1",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 1981
          },
          {
            "timestamp": "2026-05-28 22:02:13,963",
            "thread_id": "11140",
            "caller": "0x7ffc756d30ce",
            "parentcaller": "0x7ffc77c22cd1",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000037c"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 1982
          },
          {
            "timestamp": "2026-05-28 22:02:13,963",
            "thread_id": "11140",
            "caller": "0x7ffc77ba22bf",
            "parentcaller": "0x7ffc77c1fbe4",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x000003c6"
              },
              {
                "name": "SubKey",
                "value": "Interface\\{58058629-16A1-438A-90C8-7E954B3734B1}"
              },
              {
                "name": "Handle",
                "value": "0x00000486"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\Interface\\{58058629-16A1-438A-90C8-7E954B3734B1}"
              }
            ],
            "repeated": 0,
            "id": 1983
          },
          {
            "timestamp": "2026-05-28 22:02:13,963",
            "thread_id": "11140",
            "caller": "0x7ffc77c1fa51",
            "parentcaller": "0x7ffc77be42ab",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000486"
              },
              {
                "name": "SubKey",
                "value": "ProxyStubClsid32"
              },
              {
                "name": "Handle",
                "value": "0x0000048a"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{58058629-16A1-438A-90C8-7E954B3734B1}\\ProxyStubClsid32"
              }
            ],
            "repeated": 0,
            "id": 1984
          },
          {
            "timestamp": "2026-05-28 22:02:13,963",
            "thread_id": "11140",
            "caller": "0x7ffc77c1fa8c",
            "parentcaller": "0x7ffc77be42ab",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000048a"
              },
              {
                "name": "ValueName",
                "value": ""
              },
              {
                "name": "Data",
                "value": "{95E15D0A-66E6-93D9-C53C-76E6219D3341}"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{58058629-16A1-438A-90C8-7E954B3734B1}\\ProxyStubClsid32\\(Default)"
              }
            ],
            "repeated": 0,
            "id": 1985
          },
          {
            "timestamp": "2026-05-28 22:02:13,963",
            "thread_id": "11140",
            "caller": "0x7ffc77c1fad3",
            "parentcaller": "0x7ffc77be42ab",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000048a"
              }
            ],
            "repeated": 0,
            "id": 1986
          },
          {
            "timestamp": "2026-05-28 22:02:13,963",
            "thread_id": "11140",
            "caller": "0x7ffc77c1fae4",
            "parentcaller": "0x7ffc77be42ab",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000486"
              }
            ],
            "repeated": 0,
            "id": 1987
          },
          {
            "timestamp": "2026-05-28 22:02:13,963",
            "thread_id": "11140",
            "caller": "0x7ffc756d30ce",
            "parentcaller": "0x7ffc77c22cd1",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 1988
          },
          {
            "timestamp": "2026-05-28 22:02:13,963",
            "thread_id": "11140",
            "caller": "0x7ffc756d30ce",
            "parentcaller": "0x7ffc77c22cd1",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000037c"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 1989
          },
          {
            "timestamp": "2026-05-28 22:02:13,963",
            "thread_id": "11140",
            "caller": "0x7ffc77ba22bf",
            "parentcaller": "0x7ffc77c1fbe4",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x000003c6"
              },
              {
                "name": "SubKey",
                "value": "Interface\\{23EB7394-4610-4807-BAEC-9A72F86FFA0B}"
              },
              {
                "name": "Handle",
                "value": "0x00000486"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\Interface\\{23EB7394-4610-4807-BAEC-9A72F86FFA0B}"
              }
            ],
            "repeated": 0,
            "id": 1990
          },
          {
            "timestamp": "2026-05-28 22:02:13,963",
            "thread_id": "11140",
            "caller": "0x7ffc77c1fa51",
            "parentcaller": "0x7ffc77be42ab",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000486"
              },
              {
                "name": "SubKey",
                "value": "ProxyStubClsid32"
              },
              {
                "name": "Handle",
                "value": "0x0000048a"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{23EB7394-4610-4807-BAEC-9A72F86FFA0B}\\ProxyStubClsid32"
              }
            ],
            "repeated": 0,
            "id": 1991
          },
          {
            "timestamp": "2026-05-28 22:02:13,963",
            "thread_id": "11140",
            "caller": "0x7ffc77c1fa8c",
            "parentcaller": "0x7ffc77be42ab",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000048a"
              },
              {
                "name": "ValueName",
                "value": ""
              },
              {
                "name": "Data",
                "value": "{95E15D0A-66E6-93D9-C53C-76E6219D3341}"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{23EB7394-4610-4807-BAEC-9A72F86FFA0B}\\ProxyStubClsid32\\(Default)"
              }
            ],
            "repeated": 0,
            "id": 1992
          },
          {
            "timestamp": "2026-05-28 22:02:13,963",
            "thread_id": "11140",
            "caller": "0x7ffc77c1fad3",
            "parentcaller": "0x7ffc77be42ab",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000048a"
              }
            ],
            "repeated": 0,
            "id": 1993
          },
          {
            "timestamp": "2026-05-28 22:02:13,963",
            "thread_id": "11140",
            "caller": "0x7ffc77c1fae4",
            "parentcaller": "0x7ffc77be42ab",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000486"
              }
            ],
            "repeated": 0,
            "id": 1994
          },
          {
            "timestamp": "2026-05-28 22:02:13,963",
            "thread_id": "11140",
            "caller": "0x7ffc756d30ce",
            "parentcaller": "0x7ffc77c22cd1",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 1995
          },
          {
            "timestamp": "2026-05-28 22:02:13,963",
            "thread_id": "11140",
            "caller": "0x7ffc756d30ce",
            "parentcaller": "0x7ffc77c22cd1",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000037c"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 1996
          },
          {
            "timestamp": "2026-05-28 22:02:13,963",
            "thread_id": "11140",
            "caller": "0x7ffc77ba22bf",
            "parentcaller": "0x7ffc77c1fbe4",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x000003c6"
              },
              {
                "name": "SubKey",
                "value": "Interface\\{2A1821FE-179D-49BC-B79D-A527920D3665}"
              },
              {
                "name": "Handle",
                "value": "0x00000486"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\Interface\\{2A1821FE-179D-49BC-B79D-A527920D3665}"
              }
            ],
            "repeated": 0,
            "id": 1997
          },
          {
            "timestamp": "2026-05-28 22:02:13,963",
            "thread_id": "11140",
            "caller": "0x7ffc77c1fa51",
            "parentcaller": "0x7ffc77be42ab",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000486"
              },
              {
                "name": "SubKey",
                "value": "ProxyStubClsid32"
              },
              {
                "name": "Handle",
                "value": "0x0000048a"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{2A1821FE-179D-49BC-B79D-A527920D3665}\\ProxyStubClsid32"
              }
            ],
            "repeated": 0,
            "id": 1998
          },
          {
            "timestamp": "2026-05-28 22:02:13,963",
            "thread_id": "11140",
            "caller": "0x7ffc77c1fa8c",
            "parentcaller": "0x7ffc77be42ab",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000048a"
              },
              {
                "name": "ValueName",
                "value": ""
              },
              {
                "name": "Data",
                "value": "{6db7cd52-e3b7-4ecc-bb1f-388aeef6bb50}"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{2A1821FE-179D-49BC-B79D-A527920D3665}\\ProxyStubClsid32\\(Default)"
              }
            ],
            "repeated": 0,
            "id": 1999
          },
          {
            "timestamp": "2026-05-28 22:02:13,963",
            "thread_id": "11140",
            "caller": "0x7ffc77c1fad3",
            "parentcaller": "0x7ffc77be42ab",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000048a"
              }
            ],
            "repeated": 0,
            "id": 2000
          },
          {
            "timestamp": "2026-05-28 22:02:13,963",
            "thread_id": "11140",
            "caller": "0x7ffc77c1fae4",
            "parentcaller": "0x7ffc77be42ab",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000486"
              }
            ],
            "repeated": 0,
            "id": 2001
          },
          {
            "timestamp": "2026-05-28 22:02:13,963",
            "thread_id": "11140",
            "caller": "0x7ffc756d30ce",
            "parentcaller": "0x7ffc77c22cd1",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 2002
          },
          {
            "timestamp": "2026-05-28 22:02:13,963",
            "thread_id": "11140",
            "caller": "0x7ffc756d30ce",
            "parentcaller": "0x7ffc77c22cd1",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000037c"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 2003
          },
          {
            "timestamp": "2026-05-28 22:02:13,963",
            "thread_id": "11140",
            "caller": "0x7ffc78013f7a",
            "parentcaller": "0x7ffc770b0ed7",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "29"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 2004
          },
          {
            "timestamp": "2026-05-28 22:02:13,963",
            "thread_id": "11140",
            "caller": "0x7ffc770b0cd1",
            "parentcaller": "0x7ffc770af28f",
            "category": "filesystem",
            "api": "NtOpenDirectoryObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "DirectoryHandle",
                "value": "0x00000484"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020001",
                "pretty_value": "FILE_READ_ACCESS|READ_CONTROL"
              },
              {
                "name": "ObjectAttributes",
                "value": "C:\\RPC Control"
              }
            ],
            "repeated": 0,
            "id": 2005
          },
          {
            "timestamp": "2026-05-28 22:02:13,963",
            "thread_id": "11140",
            "caller": "0x7ffc7572026b",
            "parentcaller": "0x7ffc770b0daf",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x00000488"
              }
            ],
            "repeated": 0,
            "id": 2006
          },
          {
            "timestamp": "2026-05-28 22:02:13,963",
            "thread_id": "11140",
            "caller": "0x7ffc78008cde",
            "parentcaller": "0x7ffc78049c4e",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "10"
              },
              {
                "name": "TokenInformation",
                "value": "H\\xc5\n\\x00\\x00\\x00\\x00\\x00]Y\\x02\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x7f\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x94\\x0f\\x00\\x00\\x0e\\x00\\x00\\x00\\x18\\x00\\x00\\x00\t\\xc5\n\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 2007
          },
          {
            "timestamp": "2026-05-28 22:02:13,963",
            "thread_id": "11140",
            "caller": "0x7ffc78036e46",
            "parentcaller": "0x7ffc78008d8f",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "4"
              },
              {
                "name": "TokenInformation",
                "value": "H!He\\xa3\\x02\\x00\\x00\\x01\\x02\\x00\\x00\\x00\\x00\\x00\\x05 \\x00\\x00\\x00 \\x02\\x00\\x00E\\xb6\\xb7\\xc5\\xe6\\xb3\\x089\\x07l\\x00\\x00\\xe0)\\x00\\x003l\\x8cZ7V\\xaf\\xf4LMEM0\\x00\\x00\\x00X\\xdd\\x92\\xf7\\xb8\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 2008
          },
          {
            "timestamp": "2026-05-28 22:02:13,963",
            "thread_id": "11140",
            "caller": "0x7ffc78036e9b",
            "parentcaller": "0x7ffc78008d8f",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "25"
              },
              {
                "name": "TokenInformation",
                "value": " wHe\\xa3\\x02\\x00\\x00`\\x00\\x00\\x00\\x00\\x00\\x00F\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x10\\x000\\x00\\x00\\xeb\\x1c\\xc9\\x11\\x9f\\xe8\\x08\\x00+\\x10H`\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x1c\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 2009
          },
          {
            "timestamp": "2026-05-28 22:02:13,963",
            "thread_id": "11140",
            "caller": "0x7ffc78036ec0",
            "parentcaller": "0x7ffc78008d8f",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "5"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 2010
          },
          {
            "timestamp": "2026-05-28 22:02:13,963",
            "thread_id": "11140",
            "caller": "0x7ffc78036f0e",
            "parentcaller": "0x7ffc78008d8f",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "5"
              },
              {
                "name": "TokenInformation",
                "value": "\\x88`He\\xa3\\x02\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\x01\\x02\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 2011
          },
          {
            "timestamp": "2026-05-28 22:02:13,963",
            "thread_id": "11140",
            "caller": "0x7ffc78036f37",
            "parentcaller": "0x7ffc78008d8f",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "6"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 2012
          },
          {
            "timestamp": "2026-05-28 22:02:13,963",
            "thread_id": "11140",
            "caller": "0x7ffc78036f8f",
            "parentcaller": "0x7ffc78008d8f",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "6"
              },
              {
                "name": "TokenInformation",
                "value": "8{He\\xa3\\x02\\x00\\x00\\x02\\x00P\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x18\\x00\\x00\\x00\\x00\\x10\\x01\\x02\\x00\\x00\\x00\\x00\\x00\\x05 \\x00\\x00\\x00 \\x02\\x00\\x00\\x00\\x00\\x14\\x00\\x00\\x00\\x00\\x10\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x05\\x12\\x00\\x00\\x00\\x00\\x00\\x1c\\x00\\x00\\x00\\x00\\xa0\\x01\\x03\\x00\\x00\\x00\\x00\\x00\\x05\\x05\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xc7X\\x02\\x00"
              }
            ],
            "repeated": 0,
            "id": 2013
          },
          {
            "timestamp": "2026-05-28 22:02:13,963",
            "thread_id": "11140",
            "caller": "0x7ffc78037048",
            "parentcaller": "0x7ffc78036fa8",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "41"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00X@\\xdd3\\xfc\\x7f\\x00\\x00\\xebP\\xb53\\xfc\\x7f\\x00\\x00\\xc8\\x93\\xd9\\xfb\\x02;\\x00\\x00(N\\xd93\\xfc\\x7f\\x00\\x00\\xb0\\xd5\\xff\\xf8\\xb8\\x00\\x00\\x00\\xa8\\xd5\\xff\\xf8\\xb8\\x00\\x00\\x00x\\xd5\\xff\\xf8\\xb8\\x00\\x00\\x00\\x98\\xd5\\xff\\xf8"
              }
            ],
            "repeated": 0,
            "id": 2014
          },
          {
            "timestamp": "2026-05-28 22:02:13,963",
            "thread_id": "11140",
            "caller": "0x7ffc7803707b",
            "parentcaller": "0x7ffc78036fa8",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "41"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x000{He\\xa3\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xd9\\xd8\\xb63\\xfc\\x7f\\x00\\x00#\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x98\\xd3\\xff\\xf8\\xb8\\x00\\x00\\x00\\x88\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x9a\\x00\\x1f8\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x86\\xa2\\xd93"
              }
            ],
            "repeated": 0,
            "id": 2015
          },
          {
            "timestamp": "2026-05-28 22:02:13,963",
            "thread_id": "11140",
            "caller": "0x7ffc78008cde",
            "parentcaller": "0x7ffc7800953a",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "10"
              },
              {
                "name": "TokenInformation",
                "value": "H\\xc5\n\\x00\\x00\\x00\\x00\\x00]Y\\x02\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x7f\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x94\\x0f\\x00\\x00\\x0e\\x00\\x00\\x00\\x18\\x00\\x00\\x00\t\\xc5\n\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 2016
          },
          {
            "timestamp": "2026-05-28 22:02:13,963",
            "thread_id": "11140",
            "caller": "0x7ffc78036e46",
            "parentcaller": "0x7ffc78008d8f",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "4"
              },
              {
                "name": "TokenInformation",
                "value": "\\xf8 He\\xa3\\x02\\x00\\x00\\x01\\x02\\x00\\x00\\x00\\x00\\x00\\x05 \\x00\\x00\\x00 \\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x80\\xc3\\xf4`\\xfc\\x7f\\x00\\x00\\xf0\\xec\\xdbw\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 2017
          },
          {
            "timestamp": "2026-05-28 22:02:13,963",
            "thread_id": "11140",
            "caller": "0x7ffc78036e9b",
            "parentcaller": "0x7ffc78008d8f",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "25"
              },
              {
                "name": "TokenInformation",
                "value": "\\x80tHe\\xa3\\x02\\x00\\x00`\\x00\\x00\\x00K74\\xb1\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x10\\x000\\x00\\x00\\xeb\\x1c\\xc9\\x11\\x9f\\xe8\\x08\\x00+\\x10H`\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00_\\x008\\x00pqHe\\xa3\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 2018
          },
          {
            "timestamp": "2026-05-28 22:02:13,963",
            "thread_id": "11140",
            "caller": "0x7ffc78036ec0",
            "parentcaller": "0x7ffc78008d8f",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "5"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 2019
          },
          {
            "timestamp": "2026-05-28 22:02:13,963",
            "thread_id": "11140",
            "caller": "0x7ffc78036f0e",
            "parentcaller": "0x7ffc78008d8f",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "5"
              },
              {
                "name": "TokenInformation",
                "value": "\\xb8cHe\\xa3\\x02\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\x01\\x02\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 2020
          },
          {
            "timestamp": "2026-05-28 22:02:13,963",
            "thread_id": "11140",
            "caller": "0x7ffc78036f37",
            "parentcaller": "0x7ffc78008d8f",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "6"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 2021
          },
          {
            "timestamp": "2026-05-28 22:02:13,963",
            "thread_id": "11140",
            "caller": "0x7ffc78036f8f",
            "parentcaller": "0x7ffc78008d8f",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "6"
              },
              {
                "name": "TokenInformation",
                "value": "\\x98{He\\xa3\\x02\\x00\\x00\\x02\\x00P\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x18\\x00\\x00\\x00\\x00\\x10\\x01\\x02\\x00\\x00\\x00\\x00\\x00\\x05 \\x00\\x00\\x00 \\x02\\x00\\x00\\x00\\x00\\x14\\x00\\x00\\x00\\x00\\x10\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x05\\x12\\x00\\x00\\x00\\x00\\x00\\x1c\\x00\\x00\\x00\\x00\\xa0\\x01\\x03\\x00\\x00\\x00\\x00\\x00\\x05\\x05\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xc7X\\x02\\x00"
              }
            ],
            "repeated": 0,
            "id": 2022
          },
          {
            "timestamp": "2026-05-28 22:02:13,963",
            "thread_id": "11140",
            "caller": "0x7ffc78037048",
            "parentcaller": "0x7ffc78036fa8",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "41"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00X@\\xdd3\\xfc\\x7f\\x00\\x00\\xebP\\xb53\\xfc\\x7f\\x00\\x00h\\x97\\xd9\\xfb\\x02;\\x00\\x00(N\\xd93\\xfc\\x7f\\x00\\x00\\x10\\xd2\\xff\\xf8\\xb8\\x00\\x00\\x00\\x08\\xd2\\xff\\xf8\\xb8\\x00\\x00\\x00\\xd8\\xd1\\xff\\xf8\\xb8\\x00\\x00\\x00\\xf8\\xd1\\xff\\xf8"
              }
            ],
            "repeated": 0,
            "id": 2023
          },
          {
            "timestamp": "2026-05-28 22:02:13,963",
            "thread_id": "11140",
            "caller": "0x7ffc7803707b",
            "parentcaller": "0x7ffc78036fa8",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "41"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x90{He\\xa3\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xd9\\xd8\\xb63\\xfc\\x7f\\x00\\x00#\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\xf8\\xcf\\xff\\xf8\\xb8\\x00\\x00\\x00\\x88\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x9a\\x00\\x1f8\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x86\\xa2\\xd93"
              }
            ],
            "repeated": 0,
            "id": 2024
          },
          {
            "timestamp": "2026-05-28 22:02:13,963",
            "thread_id": "11140",
            "caller": "0x7ffc756e6785",
            "parentcaller": "0x7ffc770b0e27",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000484"
              }
            ],
            "repeated": 0,
            "id": 2025
          },
          {
            "timestamp": "2026-05-28 22:02:13,963",
            "thread_id": "11140",
            "caller": "0x7ffc756e6785",
            "parentcaller": "0x7ffc770b0e49",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000488"
              }
            ],
            "repeated": 0,
            "id": 2026
          },
          {
            "timestamp": "2026-05-28 22:02:13,963",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000484"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020119",
                "pretty_value": "KEY_QUERY_VALUE|KEY_ENUMERATE_SUB_KEYS|KEY_NOTIFY|KEY_WOW64_64KEY|STANDARD_RIGHTS_REQUIRED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000378"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Windows.Foundation.Diagnostics.AsyncCausalityTracer"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Foundation.Diagnostics.AsyncCausalityTracer"
              }
            ],
            "repeated": 0,
            "id": 2027
          },
          {
            "timestamp": "2026-05-28 22:02:13,963",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000484"
              },
              {
                "name": "KeyInformation",
                "value": "\\xff97\\xfffc\\xffe7\\xffe6\\xfff8\\xffee\\xffdc\\x01\\x00\\x00\\x00\\x00f\\x00\\x00\\x00W\\x00i\\x00n\\x00d\\x00o\\x00w\\x00s\\x00.\\x00F\\x00o\\x00u\\x00n\\x00d\\x00a\\x00t\\x00i\\x00o\\x00n\\x00.\\x00D\\x00i\\x00a\\x00g\\x00n\\x00o\\x00s\\x00t\\x00i\\x00c\\x00s\\x00.\\x00A\\x00s\\x00y\\x00n\\x00c\\x00C\\x00a\\x00u\\x00s\\x00a\\x00l\\x00i\\x00t\\x00y\\x00T\\x00r\\x00a\\x00c\\x00e\\x00r\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xffb0E\\xffe7w\\xfffc\\x7f\\x00\\x00\\xfff8\\xffb0He\\xffa3\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00 \\xffc4\\xff92\\xfff7\\xffb8\\x00\\x00\\x00\\xff8c\\xffc2\\xffffw\\xfffc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\xffa3\\x02\\x00\\x00\\xffe09He\\xffa3\\x02\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xffa3\\x02\\x00\\x00\\xffde\\xffb9>$\\xffbd\\xffaa\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x1bFe\\xffa3\\x02\\x00\\x00\\xfff8\\xffb0He\\xffa3\\x02\\x00\\x00\\xffd0\\xffb0He\\xffa3\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xff87\\xff9d\\xffbbw\\xfffc\\x7f\\x00\\x00\\xffe09He\\xffa3\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xffd0\\xffb0He\\xffa3\\x02\\x00\\x00\\xffe09He\\xffa3\\x02\\x00\\x00\\x10\\x1bFe\\xffa3\\x02\\x00\\x00\\xffb0)He\\xffa3\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xfff6s\\xffbbw\\xfffc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x07\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xff80\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x1bFe\\xffa3\\x02\\x00\\x00P.Fe\\xffa3\\x02\\x00\\x00P.Fe\\xffa3\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xffe09He\\xffa3\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00P.Fe\\xf
fa3\\x02\\x00\\x00\\xff8c\\xffc2\\xffffw\\xfffc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\xffa3\\x02\\x00\\x00\\xffe09He\\xffa3\\x02\\x00\\x00\\xffb0)He\\xffa3\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00 \\xffc5\\xff92\\xfff7\\xffb8\\x00\\x00\\x003\\x00\\x00\\x00\\x00\\x00\\x00\\x000/Fe\\xffa3\\x02\\x00\\x00\\xffd0\\xffb0He\\xffa3\\x02\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 2028
          },
          {
            "timestamp": "2026-05-28 22:02:13,963",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000484"
              },
              {
                "name": "ValueName",
                "value": "ActivationType"
              },
              {
                "name": "Data",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Foundation.Diagnostics.AsyncCausalityTracer\\ActivationType"
              }
            ],
            "repeated": 0,
            "id": 2029
          },
          {
            "timestamp": "2026-05-28 22:02:13,963",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000484"
              },
              {
                "name": "ValueName",
                "value": "Server"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Foundation.Diagnostics.AsyncCausalityTracer\\Server"
              }
            ],
            "repeated": 0,
            "id": 2030
          },
          {
            "timestamp": "2026-05-28 22:02:13,963",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000484"
              },
              {
                "name": "ValueName",
                "value": "DllPath"
              },
              {
                "name": "Data",
                "value": "C:\\Windows\\System32\\combase.dll"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Foundation.Diagnostics.AsyncCausalityTracer\\DllPath"
              }
            ],
            "repeated": 0,
            "id": 2031
          },
          {
            "timestamp": "2026-05-28 22:02:13,963",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000484"
              },
              {
                "name": "ValueName",
                "value": "Threading"
              },
              {
                "name": "Data",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Foundation.Diagnostics.AsyncCausalityTracer\\Threading"
              }
            ],
            "repeated": 0,
            "id": 2032
          },
          {
            "timestamp": "2026-05-28 22:02:13,963",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000484"
              },
              {
                "name": "ValueName",
                "value": "TrustLevel"
              },
              {
                "name": "Data",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Foundation.Diagnostics.AsyncCausalityTracer\\TrustLevel"
              }
            ],
            "repeated": 0,
            "id": 2033
          },
          {
            "timestamp": "2026-05-28 22:02:13,963",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000484"
              },
              {
                "name": "SubKey",
                "value": "CustomAttributes"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Foundation.Diagnostics.AsyncCausalityTracer\\CustomAttributes"
              }
            ],
            "repeated": 0,
            "id": 2034
          },
          {
            "timestamp": "2026-05-28 22:02:13,963",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000484"
              },
              {
                "name": "ValueName",
                "value": "RemoteServer"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Foundation.Diagnostics.AsyncCausalityTracer\\RemoteServer"
              }
            ],
            "repeated": 0,
            "id": 2035
          },
          {
            "timestamp": "2026-05-28 22:02:13,963",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000484"
              },
              {
                "name": "ValueName",
                "value": "ActivateAsUser"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Foundation.Diagnostics.AsyncCausalityTracer\\ActivateAsUser"
              }
            ],
            "repeated": 0,
            "id": 2036
          },
          {
            "timestamp": "2026-05-28 22:02:13,963",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000484"
              },
              {
                "name": "ValueName",
                "value": "ActivateInSharedBroker"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Foundation.Diagnostics.AsyncCausalityTracer\\ActivateInSharedBroker"
              }
            ],
            "repeated": 0,
            "id": 2037
          },
          {
            "timestamp": "2026-05-28 22:02:13,963",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000484"
              },
              {
                "name": "ValueName",
                "value": "ActivateInBrokerForMediumILContainer"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Foundation.Diagnostics.AsyncCausalityTracer\\ActivateInBrokerForMediumILContainer"
              }
            ],
            "repeated": 0,
            "id": 2038
          },
          {
            "timestamp": "2026-05-28 22:02:13,963",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000484"
              },
              {
                "name": "ValueName",
                "value": "Permissions"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Foundation.Diagnostics.AsyncCausalityTracer\\Permissions"
              }
            ],
            "repeated": 0,
            "id": 2039
          },
          {
            "timestamp": "2026-05-28 22:02:13,963",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000484"
              },
              {
                "name": "ValueName",
                "value": "ActivateOnHostFlags"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Foundation.Diagnostics.AsyncCausalityTracer\\ActivateOnHostFlags"
              }
            ],
            "repeated": 0,
            "id": 2040
          },
          {
            "timestamp": "2026-05-28 22:02:13,963",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000484"
              }
            ],
            "repeated": 0,
            "id": 2041
          },
          {
            "timestamp": "2026-05-28 22:02:13,963",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\combase.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc77b70000"
              }
            ],
            "repeated": 0,
            "id": 2042
          },
          {
            "timestamp": "2026-05-28 22:02:13,963",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x7ffc77b70000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\System32\\combase.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00002008"
              }
            ],
            "repeated": 0,
            "id": 2043
          },
          {
            "timestamp": "2026-05-28 22:02:13,963",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "combase.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc77b70000"
              },
              {
                "name": "FunctionName",
                "value": "DllGetClassObject"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc77c258a0"
              }
            ],
            "repeated": 0,
            "id": 2044
          },
          {
            "timestamp": "2026-05-28 22:02:13,963",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "combase.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc77b70000"
              },
              {
                "name": "FunctionName",
                "value": "DllGetActivationFactory"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc77c4f090"
              }
            ],
            "repeated": 0,
            "id": 2045
          },
          {
            "timestamp": "2026-05-28 22:02:13,963",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": false,
            "return": "0xffffffffc0000139",
            "pretty_return": "ENTRYPOINT_NOT_FOUND",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "combase.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc77b70000"
              },
              {
                "name": "FunctionName",
                "value": "DllCanUnloadNow"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 2046
          },
          {
            "timestamp": "2026-05-28 22:02:13,963",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "ole32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76f60000"
              }
            ],
            "repeated": 0,
            "id": 2047
          },
          {
            "timestamp": "2026-05-28 22:02:13,963",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x7ffc76f60000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "ole32.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00000800"
              }
            ],
            "repeated": 0,
            "id": 2048
          },
          {
            "timestamp": "2026-05-28 22:02:13,963",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ole32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc76f60000"
              },
              {
                "name": "FunctionName",
                "value": "CoCreateFreeThreadedMarshaler"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc77be87a0"
              }
            ],
            "repeated": 0,
            "id": 2049
          },
          {
            "timestamp": "2026-05-28 22:02:13,963",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "filesystem",
            "api": "NtWriteFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00001774"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\NamedPipe\\LOCAL\\mojo.9188.10632.18297276111718467407"
              },
              {
                "name": "Buffer",
                "value": "\\x10\\x00\\x00\\x00p\\x00\\x00\\x00\\x00u\t\\x05\\x00\\x00\\x00\\x00\\x18\\x00\\x14\\x00\\x00\\x00\\x00\\x00\\x17\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00H\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x0f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00z\\x01\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "Length",
                "value": "112"
              }
            ],
            "repeated": 0,
            "id": 2050
          },
          {
            "timestamp": "2026-05-28 22:02:13,963",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "Software\\Classes\\CLSID\\{628ACE20-B77A-456F-A88D-547DB6CEEDD5}\\LocalServer32"
              },
              {
                "name": "Handle",
                "value": "0x00000484"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Classes\\CLSID\\{628ACE20-B77A-456F-A88D-547DB6CEEDD5}\\LocalServer32"
              }
            ],
            "repeated": 0,
            "id": 2051
          },
          {
            "timestamp": "2026-05-28 22:02:13,963",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000484"
              }
            ],
            "repeated": 0,
            "id": 2052
          },
          {
            "timestamp": "2026-05-28 22:02:13,963",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000484"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020119",
                "pretty_value": "KEY_QUERY_VALUE|KEY_ENUMERATE_SUB_KEYS|KEY_NOTIFY|KEY_WOW64_64KEY|STANDARD_RIGHTS_REQUIRED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000378"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Windows.ApplicationModel.Background.BackgroundExecutionManager"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.ApplicationModel.Background.BackgroundExecutionManager"
              }
            ],
            "repeated": 0,
            "id": 2053
          },
          {
            "timestamp": "2026-05-28 22:02:13,963",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000484"
              },
              {
                "name": "KeyInformation",
                "value": "[\\xff9a\\xffe5\\xffe6\\xfff8\\xffee\\xffdc\\x01\\x00\\x00\\x00\\x00|\\x00\\x00\\x00W\\x00i\\x00n\\x00d\\x00o\\x00w\\x00s\\x00.\\x00A\\x00p\\x00p\\x00l\\x00i\\x00c\\x00a\\x00t\\x00i\\x00o\\x00n\\x00M\\x00o\\x00d\\x00e\\x00l\\x00.\\x00B\\x00a\\x00c\\x00k\\x00g\\x00r\\x00o\\x00u\\x00n\\x00d\\x00.\\x00B\\x00a\\x00c\\x00k\\x00g\\x00r\\x00o\\x00u\\x00n\\x00d\\x00E\\x00x\\x00e\\x00c\\x00u\\x00t\\x00i\\x00o\\x00n\\x00M\\x00a\\x00n\\x00a\\x00g\\x00e\\x00r\\x00\\xffa3\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xffd0\\xffcd\\xff92\\xfff7\\xffb8\\x00\\x00\\x00\\xff8c\\xffc2\\xffffw\\xfffc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\xffa3\\x02\\x00\\x00\\xffa0~De\\xffa3\\x02\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xffa3\\x02\\x00\\x00\\x0e\\xffb3>$\\xffbd\\xffaa\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00P\\x1cFe\\xffa3\\x02\\x00\\x00x\\xffb9He\\xffa3\\x02\\x00\\x00P\\xffb9He\\xffa3\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xff87\\xff9d\\xffbbw\\xfffc\\x7f\\x00\\x00\\xffa0~De\\xffa3\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00P\\xffb9He\\xffa3\\x02\\x00\\x00\\xffa0~De\\xffa3\\x02\\x00\\x00P\\x1cFe\\xffa3\\x02\\x00\\x00\\x00*He\\xffa3\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xfff6s\\xffbbw\\xfffc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x07\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xff80\\x00\\x00\\x00\\x00\\x00\\x00\\x00P\\x1cFe\\xffa3\\x02\\x00\\x00\\xffc0\\x07Ie\\xffa3\\x02\\x00\\x00\\xffc0\\x07Ie\\xffa3\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xffa0~De\\xffa3\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xffc0\\x07Ie\\xffa3\\x02\\x00\\x00\\xff8c\\xffc2\\xffffw\\
xfffc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\xffa3\\x02\\x00\\x00\\xffa0~De\\xffa3\\x02\\x00\\x00\\x00*He\\xffa3\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xffd0\\xffce\\xff92\\xfff7\\xffb8\\x00\\x00\\x003\\x00\\x00\\x00\\x00\\x00\\x00\\x00P.Fe\\xffa3\\x02\\x00\\x00P\\xffb9He\\xffa3\\x02\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 2054
          },
          {
            "timestamp": "2026-05-28 22:02:13,963",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000484"
              },
              {
                "name": "ValueName",
                "value": "ActivationType"
              },
              {
                "name": "Data",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.ApplicationModel.Background.BackgroundExecutionManager\\ActivationType"
              }
            ],
            "repeated": 0,
            "id": 2055
          },
          {
            "timestamp": "2026-05-28 22:02:13,963",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000484"
              },
              {
                "name": "ValueName",
                "value": "Server"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.ApplicationModel.Background.BackgroundExecutionManager\\Server"
              }
            ],
            "repeated": 0,
            "id": 2056
          },
          {
            "timestamp": "2026-05-28 22:02:13,963",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000484"
              },
              {
                "name": "ValueName",
                "value": "DllPath"
              },
              {
                "name": "Data",
                "value": "C:\\Windows\\System32\\execmodelclient.dll"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.ApplicationModel.Background.BackgroundExecutionManager\\DllPath"
              }
            ],
            "repeated": 0,
            "id": 2057
          },
          {
            "timestamp": "2026-05-28 22:02:13,963",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000484"
              },
              {
                "name": "ValueName",
                "value": "Threading"
              },
              {
                "name": "Data",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.ApplicationModel.Background.BackgroundExecutionManager\\Threading"
              }
            ],
            "repeated": 0,
            "id": 2058
          },
          {
            "timestamp": "2026-05-28 22:02:13,963",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000484"
              },
              {
                "name": "ValueName",
                "value": "TrustLevel"
              },
              {
                "name": "Data",
                "value": "1"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.ApplicationModel.Background.BackgroundExecutionManager\\TrustLevel"
              }
            ],
            "repeated": 0,
            "id": 2059
          },
          {
            "timestamp": "2026-05-28 22:02:13,963",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000484"
              },
              {
                "name": "SubKey",
                "value": "CustomAttributes"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.ApplicationModel.Background.BackgroundExecutionManager\\CustomAttributes"
              }
            ],
            "repeated": 0,
            "id": 2060
          },
          {
            "timestamp": "2026-05-28 22:02:13,963",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000484"
              },
              {
                "name": "ValueName",
                "value": "RemoteServer"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.ApplicationModel.Background.BackgroundExecutionManager\\RemoteServer"
              }
            ],
            "repeated": 0,
            "id": 2061
          },
          {
            "timestamp": "2026-05-28 22:02:13,963",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000484"
              },
              {
                "name": "ValueName",
                "value": "ActivateAsUser"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.ApplicationModel.Background.BackgroundExecutionManager\\ActivateAsUser"
              }
            ],
            "repeated": 0,
            "id": 2062
          },
          {
            "timestamp": "2026-05-28 22:02:13,963",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000484"
              },
              {
                "name": "ValueName",
                "value": "ActivateInSharedBroker"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.ApplicationModel.Background.BackgroundExecutionManager\\ActivateInSharedBroker"
              }
            ],
            "repeated": 0,
            "id": 2063
          },
          {
            "timestamp": "2026-05-28 22:02:13,963",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000484"
              },
              {
                "name": "ValueName",
                "value": "ActivateInBrokerForMediumILContainer"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.ApplicationModel.Background.BackgroundExecutionManager\\ActivateInBrokerForMediumILContainer"
              }
            ],
            "repeated": 0,
            "id": 2064
          },
          {
            "timestamp": "2026-05-28 22:02:13,963",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000484"
              },
              {
                "name": "ValueName",
                "value": "Permissions"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.ApplicationModel.Background.BackgroundExecutionManager\\Permissions"
              }
            ],
            "repeated": 0,
            "id": 2065
          },
          {
            "timestamp": "2026-05-28 22:02:13,963",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000484"
              },
              {
                "name": "ValueName",
                "value": "ActivateOnHostFlags"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.ApplicationModel.Background.BackgroundExecutionManager\\ActivateOnHostFlags"
              }
            ],
            "repeated": 0,
            "id": 2066
          },
          {
            "timestamp": "2026-05-28 22:02:13,963",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000484"
              }
            ],
            "repeated": 0,
            "id": 2067
          },
          {
            "timestamp": "2026-05-28 22:02:13,963",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\System32\\PROPSYS"
              },
              {
                "name": "DllBase",
                "value": "0x7ffc728f0000"
              }
            ],
            "repeated": 0,
            "id": 2068
          },
          {
            "timestamp": "2026-05-28 22:02:13,963",
            "thread_id": "11136",
            "caller": "0x7ffc756e6785",
            "parentcaller": "0x7ffc77c12ec5",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000478"
              }
            ],
            "repeated": 0,
            "id": 2069
          },
          {
            "timestamp": "2026-05-28 22:02:13,979",
            "thread_id": "11136",
            "caller": "0x7ffc60e7b596",
            "parentcaller": "0x7ffc780138c0",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "0000034B-0000-0000-C000-000000000046"
              },
              {
                "name": "ClsContext",
                "value": "0x00000001",
                "pretty_value": "CLSCTX_INPROC_SERVER"
              },
              {
                "name": "riid",
                "value": "0000015B-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 2070
          },
          {
            "timestamp": "2026-05-28 22:02:13,979",
            "thread_id": "11136",
            "caller": "0x7ffc756e08ee",
            "parentcaller": "0x7ffc60e7b5d6",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000474"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001000",
                "pretty_value": "PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "10720"
              }
            ],
            "repeated": 0,
            "id": 2071
          },
          {
            "timestamp": "2026-05-28 22:02:13,979",
            "thread_id": "11136",
            "caller": "0x7ffc7572026b",
            "parentcaller": "0x7ffc60e7b5f6",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000474"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x0000046c"
              }
            ],
            "repeated": 0,
            "id": 2072
          },
          {
            "timestamp": "2026-05-28 22:02:13,979",
            "thread_id": "11136",
            "caller": "0x7ffc756e54eb",
            "parentcaller": "0x7ffc60e7b625",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "29"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 2073
          },
          {
            "timestamp": "2026-05-28 22:02:13,979",
            "thread_id": "11136",
            "caller": "0x7ffc756e6785",
            "parentcaller": "0x7ffc60e7b635",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000046c"
              }
            ],
            "repeated": 0,
            "id": 2074
          },
          {
            "timestamp": "2026-05-28 22:02:13,979",
            "thread_id": "11136",
            "caller": "0x7ffc756e6785",
            "parentcaller": "0x7ffc60e7b644",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000474"
              }
            ],
            "repeated": 0,
            "id": 2075
          },
          {
            "timestamp": "2026-05-28 22:02:13,979",
            "thread_id": "11136",
            "caller": "0x7ffc7571ebae",
            "parentcaller": "0x7ffc775c5b05",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "0",
                "pretty_value": "ThreadBasicInformation"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x03\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xc0\\xa0\\xf7\\xb8\\x00\\x00\\x00\\xe0)\\x00\\x00\\x00\\x00\\x00\\x00\\x80+\\x00\\x00\\x00\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\t\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "11136"
              }
            ],
            "repeated": 0,
            "id": 2076
          },
          {
            "timestamp": "2026-05-28 22:02:13,979",
            "thread_id": "11136",
            "caller": "0x7ffc756dcc1f",
            "parentcaller": "0x7ffc7604b8ed",
            "category": "threading",
            "api": "NtCreateThreadEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0x0000048c"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "StartAddress",
                "value": "0x7ffc775c53d0"
              },
              {
                "name": "Parameter",
                "value": "0x2a365507ef0"
              },
              {
                "name": "CreateFlags",
                "value": "0x00000001"
              },
              {
                "name": "ThreadId",
                "value": "11156"
              },
              {
                "name": "ProcessId",
                "value": "10720"
              },
              {
                "name": "Module",
                "value": "shcore.dll"
              }
            ],
            "repeated": 0,
            "id": 2077
          },
          {
            "timestamp": "2026-05-28 22:02:13,979",
            "thread_id": "11136",
            "caller": "0x7ffc756dcc1f",
            "parentcaller": "0x7ffc7604b8ed",
            "category": "threading",
            "api": "CreateRemoteThreadEx",
            "status": true,
            "return": "0x0000048c",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "StartRoutine",
                "value": "0x7ffc775c53d0"
              },
              {
                "name": "Parameter",
                "value": "0x2a365507ef0"
              },
              {
                "name": "CreationFlags",
                "value": "0x00000004"
              },
              {
                "name": "ThreadId",
                "value": "11156"
              },
              {
                "name": "ProcessId",
                "value": "10720"
              }
            ],
            "repeated": 0,
            "id": 2078
          },
          {
            "timestamp": "2026-05-28 22:02:13,979",
            "thread_id": "11136",
            "caller": "0x7ffc7572f430",
            "parentcaller": "0x7ffc775c5379",
            "category": "threading",
            "api": "NtResumeThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0x0000048c"
              },
              {
                "name": "SuspendCount",
                "value": "1"
              },
              {
                "name": "ThreadId",
                "value": "11156"
              },
              {
                "name": "ProcessId",
                "value": "10720"
              }
            ],
            "repeated": 0,
            "id": 2079
          },
          {
            "timestamp": "2026-05-28 22:02:13,979",
            "thread_id": "11136",
            "caller": "0x7ffc756e6785",
            "parentcaller": "0x7ffc775c5394",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000048c"
              }
            ],
            "repeated": 0,
            "id": 2080
          },
          {
            "timestamp": "2026-05-28 22:02:13,979",
            "thread_id": "11136",
            "caller": "0x7ffc756d30ce",
            "parentcaller": "0x7ffc775c5f99",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000478"
              },
              {
                "name": "Milliseconds",
                "value": "18446744073709551615"
              },
              {
                "name": "Status",
                "value": "Infinite"
              }
            ],
            "repeated": 0,
            "id": 2081
          },
          {
            "timestamp": "2026-05-28 22:02:13,979",
            "thread_id": "11156",
            "caller": "0x7ffc7802eb32",
            "parentcaller": "0x7ffc77fe77c3",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000003c"
              },
              {
                "name": "Milliseconds",
                "value": "18446744073709551615"
              },
              {
                "name": "Status",
                "value": "Infinite"
              }
            ],
            "repeated": 1,
            "id": 2082
          },
          {
            "timestamp": "2026-05-28 22:02:13,979",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\System32\\CoreMessaging"
              },
              {
                "name": "DllBase",
                "value": "0x7ffc729f0000"
              }
            ],
            "repeated": 0,
            "id": 2083
          },
          {
            "timestamp": "2026-05-28 22:02:13,979",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\System32\\execmodelclient"
              },
              {
                "name": "DllBase",
                "value": "0x7ffc63990000"
              }
            ],
            "repeated": 0,
            "id": 2084
          },
          {
            "timestamp": "2026-05-28 22:02:13,979",
            "thread_id": "11032",
            "caller": "0x7ffc756e5810",
            "parentcaller": "0x7ffc1fa0f3bb",
            "category": "filesystem",
            "api": "NtReadFile",
            "status": true,
            "return": "0x00000103",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00001774"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\NamedPipe\\LOCAL\\mojo.9188.10632.18297276111718467407"
              },
              {
                "name": "Buffer",
                "value": "\\x10\\x00\\x00\\x00\\xd8\\x00\\x00\\x00q\\xa5\t\\x05\\x00\\x00\\x00\\x00\\x18\\x00\\x14\\x00\\x00\\x00\\x00\\x00\\x1b\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00H\\x00\\x00\\x00\\x00\\x00\\x00\\x000\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00`\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00h\\x00\\x00\\x00`\\x00\\x00\\x008\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xfe\\xff\\xff\\xff\\x00\\x00\\x00\\x00\\xdc\\x19\\xcbF\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x18\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x18\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\x00@KL\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "Length",
                "value": "408"
              }
            ],
            "repeated": 0,
            "id": 2085
          },
          {
            "timestamp": "2026-05-28 22:02:13,979",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\execmodelclient.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc63990000"
              }
            ],
            "repeated": 0,
            "id": 2086
          },
          {
            "timestamp": "2026-05-28 22:02:13,979",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x7ffc63990000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\System32\\execmodelclient.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00002008"
              }
            ],
            "repeated": 0,
            "id": 2087
          },
          {
            "timestamp": "2026-05-28 22:02:13,979",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "execmodelclient.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc63990000"
              },
              {
                "name": "FunctionName",
                "value": "DllGetClassObject"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc6399ac80"
              }
            ],
            "repeated": 0,
            "id": 2088
          },
          {
            "timestamp": "2026-05-28 22:02:13,979",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "execmodelclient.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc63990000"
              },
              {
                "name": "FunctionName",
                "value": "DllGetActivationFactory"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc6399b9b0"
              }
            ],
            "repeated": 0,
            "id": 2089
          },
          {
            "timestamp": "2026-05-28 22:02:13,979",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "execmodelclient.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc63990000"
              },
              {
                "name": "FunctionName",
                "value": "DllCanUnloadNow"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc6399bb00"
              }
            ],
            "repeated": 0,
            "id": 2090
          },
          {
            "timestamp": "2026-05-28 22:02:13,979",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc639ef000"
              },
              {
                "name": "ModuleName",
                "value": "execmodelclient.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 2091
          },
          {
            "timestamp": "2026-05-28 22:02:13,979",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc639ef000"
              },
              {
                "name": "ModuleName",
                "value": "execmodelclient.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 2092
          },
          {
            "timestamp": "2026-05-28 22:02:13,979",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "39"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 2093
          },
          {
            "timestamp": "2026-05-28 22:02:13,979",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtAllocateVirtualMemoryEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2a365493000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 2094
          },
          {
            "timestamp": "2026-05-28 22:02:13,979",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtAllocateVirtualMemoryEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2a365494000"
              },
              {
                "name": "RegionSize",
                "value": "0x00002000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 2095
          },
          {
            "timestamp": "2026-05-28 22:02:13,979",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "39"
              },
              {
                "name": "TokenInformation",
                "value": "\\x01\\x00\\x00\\x00\\x04\\x00\\x00\\x00P0Ie\\xa3\\x02\\x00\\x00\\x1c\\x00\\x1c\\x00\\x00\\x00\\x00\\x00\\xf00Ie\\xa3\\x02\\x00\\x00\\x03\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x101Ie\\xa3\\x02\\x00\\x00\\x12\\x00\\x12\\x00\\x00\\x00\\x00\\x00$2Ie\\xa3\\x02\\x00\\x00\\x02\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x0082Ie\\xa3\\x02\\x00\\x00\\x1e\\x00\\x1e\\x00\\x00\\x00\\x00\\x00@2Ie\\xa3\\x02\\x00\\x00\\x02\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00`2Ie\\xa3\\x02\\x00\\x00 \\x00 \\x00\\x00\\x00\\x00\\x00h2Ie\\xa3\\x02\\x00\\x00\\x02\\x00\\x00\\x00A\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x882Ie\\xa3\\x02\\x00\\x00W\\x00I\\x00N\\x00:\\x00/\\x00/\\x00S\\x00Y\\x00S\\x00A\\x00P\\x00P\\x00I\\x00D\\x00\\x00\\x00\\x00\\x00\\x86\\x00\\x86\\x00\\x00\\x00\\x00\\x00@1Ie\\xa3\\x02\\x00\\x00\\x06\\x00\\x06\\x00\\x00\\x00\\x00\\x00\\xc61Ie\\xa3\\x02\\x00\\x00X\\x00X\\x00\\x00\\x00\\x00\\x00\\xcc1Ie\\xa3\\x02\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 2096
          },
          {
            "timestamp": "2026-05-28 22:02:13,979",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "39"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 2097
          },
          {
            "timestamp": "2026-05-28 22:02:13,979",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "39"
              },
              {
                "name": "TokenInformation",
                "value": "\\x01\\x00\\x00\\x00\\x04\\x00\\x00\\x00P0Ie\\xa3\\x02\\x00\\x00\\x1c\\x00\\x1c\\x00\\x00\\x00\\x00\\x00\\xf00Ie\\xa3\\x02\\x00\\x00\\x03\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x101Ie\\xa3\\x02\\x00\\x00\\x12\\x00\\x12\\x00\\x00\\x00\\x00\\x00$2Ie\\xa3\\x02\\x00\\x00\\x02\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x0082Ie\\xa3\\x02\\x00\\x00\\x1e\\x00\\x1e\\x00\\x00\\x00\\x00\\x00@2Ie\\xa3\\x02\\x00\\x00\\x02\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00`2Ie\\xa3\\x02\\x00\\x00 \\x00 \\x00\\x00\\x00\\x00\\x00h2Ie\\xa3\\x02\\x00\\x00\\x02\\x00\\x00\\x00A\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x882Ie\\xa3\\x02\\x00\\x00W\\x00I\\x00N\\x00:\\x00/\\x00/\\x00S\\x00Y\\x00S\\x00A\\x00P\\x00P\\x00I\\x00D\\x00\\x00\\x00\\x00\\x00\\x86\\x00\\x86\\x00\\x00\\x00\\x00\\x00@1Ie\\xa3\\x02\\x00\\x00\\x06\\x00\\x06\\x00\\x00\\x00\\x00\\x00\\xc61Ie\\xa3\\x02\\x00\\x00X\\x00X\\x00\\x00\\x00\\x00\\x00\\xcc1Ie\\xa3\\x02\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 2098
          },
          {
            "timestamp": "2026-05-28 22:02:13,979",
            "thread_id": "11156",
            "caller": "0x7ffc77ff2caa",
            "parentcaller": "0x7ffc77ff2fbd",
            "category": "process",
            "api": "NtAllocateVirtualMemoryEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2a36547f000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 2099
          },
          {
            "timestamp": "2026-05-28 22:02:13,979",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "0000034B-0000-0000-C000-000000000046"
              },
              {
                "name": "ClsContext",
                "value": "0x00000001",
                "pretty_value": "CLSCTX_INPROC_SERVER"
              },
              {
                "name": "riid",
                "value": "0000015B-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 2100
          },
          {
            "timestamp": "2026-05-28 22:02:13,979",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000004a4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001000",
                "pretty_value": "PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "10720"
              }
            ],
            "repeated": 0,
            "id": 2101
          },
          {
            "timestamp": "2026-05-28 22:02:13,979",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000004a4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x000004a8"
              }
            ],
            "repeated": 0,
            "id": 2102
          },
          {
            "timestamp": "2026-05-28 22:02:13,979",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "29"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 2103
          },
          {
            "timestamp": "2026-05-28 22:02:13,979",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004a8"
              }
            ],
            "repeated": 0,
            "id": 2104
          },
          {
            "timestamp": "2026-05-28 22:02:13,979",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004a4"
              }
            ],
            "repeated": 0,
            "id": 2105
          },
          {
            "timestamp": "2026-05-28 22:02:13,979",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "0",
                "pretty_value": "ThreadBasicInformation"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x03\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00`\\xbe\\xf7\\xb8\\x00\\x00\\x00\\xe0)\\x00\\x00\\x00\\x00\\x00\\x00\\xe4)\\x00\\x00\\x00\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\n\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "10724"
              }
            ],
            "repeated": 0,
            "id": 2106
          },
          {
            "timestamp": "2026-05-28 22:02:13,979",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "threading",
            "api": "NtCreateThreadEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0x000004ac"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "StartAddress",
                "value": "0x7ffc775c53d0"
              },
              {
                "name": "Parameter",
                "value": "0x2a3655083d0"
              },
              {
                "name": "CreateFlags",
                "value": "0x00000001"
              },
              {
                "name": "ThreadId",
                "value": "11168"
              },
              {
                "name": "ProcessId",
                "value": "10720"
              },
              {
                "name": "Module",
                "value": "shcore.dll"
              }
            ],
            "repeated": 0,
            "id": 2107
          },
          {
            "timestamp": "2026-05-28 22:02:13,979",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "threading",
            "api": "CreateRemoteThreadEx",
            "status": true,
            "return": "0x000004ac",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "StartRoutine",
                "value": "0x7ffc775c53d0"
              },
              {
                "name": "Parameter",
                "value": "0x2a3655083d0"
              },
              {
                "name": "CreationFlags",
                "value": "0x00000004"
              },
              {
                "name": "ThreadId",
                "value": "11168"
              },
              {
                "name": "ProcessId",
                "value": "10720"
              }
            ],
            "repeated": 0,
            "id": 2108
          },
          {
            "timestamp": "2026-05-28 22:02:13,979",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "threading",
            "api": "NtResumeThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0x000004ac"
              },
              {
                "name": "SuspendCount",
                "value": "1"
              },
              {
                "name": "ThreadId",
                "value": "11168"
              },
              {
                "name": "ProcessId",
                "value": "10720"
              }
            ],
            "repeated": 0,
            "id": 2109
          },
          {
            "timestamp": "2026-05-28 22:02:13,979",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004ac"
              }
            ],
            "repeated": 0,
            "id": 2110
          },
          {
            "timestamp": "2026-05-28 22:02:13,979",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004a8"
              },
              {
                "name": "Milliseconds",
                "value": "18446744073709551615"
              },
              {
                "name": "Status",
                "value": "Infinite"
              }
            ],
            "repeated": 0,
            "id": 2111
          },
          {
            "timestamp": "2026-05-28 22:02:13,979",
            "thread_id": "11156",
            "caller": "0x7ffc75704448",
            "parentcaller": "0x7ffc1ec3f766",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x3ed80022b000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 2112
          },
          {
            "timestamp": "2026-05-28 22:02:13,979",
            "thread_id": "11156",
            "caller": "0x7ffc7804507d",
            "parentcaller": "0x7ffc78044c43",
            "category": "threading",
            "api": "NtTestAlert",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 2113
          },
          {
            "timestamp": "2026-05-28 22:02:13,979",
            "thread_id": "11156",
            "caller": "0x00000000",
            "parentcaller": "0x00000000",
            "category": "threading",
            "api": "RtlUserThreadStart",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "StartAddress",
                "value": "0x7ffc775c53d0"
              },
              {
                "name": "Parameter",
                "value": "0x2a365507ef0"
              }
            ],
            "repeated": 0,
            "id": 2114
          },
          {
            "timestamp": "2026-05-28 22:02:13,979",
            "thread_id": "11156",
            "caller": "0x7ffc78017830",
            "parentcaller": "0x7ffc780020f9",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc77657000"
              },
              {
                "name": "ModuleName",
                "value": "shcore.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 2115
          },
          {
            "timestamp": "2026-05-28 22:02:13,979",
            "thread_id": "11156",
            "caller": "0x7ffc78017881",
            "parentcaller": "0x7ffc780020f9",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc77657000"
              },
              {
                "name": "ModuleName",
                "value": "shcore.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 2116
          },
          {
            "timestamp": "2026-05-28 22:02:13,979",
            "thread_id": "11156",
            "caller": "0x7ffc7571ebae",
            "parentcaller": "0x7ffc775f84de",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "0",
                "pretty_value": "ThreadBasicInformation"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x03\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xa1\\xf7\\xb8\\x00\\x00\\x00\\xe0)\\x00\\x00\\x00\\x00\\x00\\x00\\x94+\\x00\\x00\\x00\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\t\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "11156"
              }
            ],
            "repeated": 0,
            "id": 2117
          },
          {
            "timestamp": "2026-05-28 22:02:13,979",
            "thread_id": "11136",
            "caller": "0x7ffc756e6785",
            "parentcaller": "0x7ffc775dda8f",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000478"
              }
            ],
            "repeated": 0,
            "id": 2118
          },
          {
            "timestamp": "2026-05-28 22:02:13,979",
            "thread_id": "11136",
            "caller": "0x7ffc78017830",
            "parentcaller": "0x7ffc780020f9",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc60f5a000"
              },
              {
                "name": "ModuleName",
                "value": "wpnapps.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 2119
          },
          {
            "timestamp": "2026-05-28 22:02:13,979",
            "thread_id": "11136",
            "caller": "0x7ffc78017881",
            "parentcaller": "0x7ffc780020f9",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc60f5a000"
              },
              {
                "name": "ModuleName",
                "value": "wpnapps.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 2120
          },
          {
            "timestamp": "2026-05-28 22:02:13,979",
            "thread_id": "11136",
            "caller": "0x7ffc78017830",
            "parentcaller": "0x7ffc780020f9",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc60f5a000"
              },
              {
                "name": "ModuleName",
                "value": "wpnapps.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 2121
          },
          {
            "timestamp": "2026-05-28 22:02:13,979",
            "thread_id": "11136",
            "caller": "0x7ffc78017881",
            "parentcaller": "0x7ffc780020f9",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc60f5a000"
              },
              {
                "name": "ModuleName",
                "value": "wpnapps.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 2122
          },
          {
            "timestamp": "2026-05-28 22:02:13,979",
            "thread_id": "11168",
            "caller": "0x7ffc77ff2caa",
            "parentcaller": "0x7ffc77ff2fbd",
            "category": "process",
            "api": "NtAllocateVirtualMemoryEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2a36547b000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 2123
          },
          {
            "timestamp": "2026-05-28 22:02:13,979",
            "thread_id": "11156",
            "caller": "0x7ffc75716f4c",
            "parentcaller": "0x7ffc770cef53",
            "category": "system",
            "api": "NtDuplicateObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SourceProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "SourceHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "TargetProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "TargetHandle",
                "value": "0x000004b4"
              },
              {
                "name": "Options",
                "value": "0x00000002"
              }
            ],
            "repeated": 0,
            "id": 2124
          },
          {
            "timestamp": "2026-05-28 22:02:13,979",
            "thread_id": "11156",
            "caller": "0x7ffc756d30ce",
            "parentcaller": "0x7ffc77c22cd1",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 2125
          },
          {
            "timestamp": "2026-05-28 22:02:13,979",
            "thread_id": "11156",
            "caller": "0x7ffc756d30ce",
            "parentcaller": "0x7ffc77c22cd1",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000037c"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 2126
          },
          {
            "timestamp": "2026-05-28 22:02:13,979",
            "thread_id": "11156",
            "caller": "0x7ffc756d30ce",
            "parentcaller": "0x7ffc77c22cd1",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 2127
          },
          {
            "timestamp": "2026-05-28 22:02:13,979",
            "thread_id": "11156",
            "caller": "0x7ffc756d30ce",
            "parentcaller": "0x7ffc77c22cd1",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000037c"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 2128
          },
          {
            "timestamp": "2026-05-28 22:02:13,979",
            "thread_id": "11156",
            "caller": "0x7ffc75716f4c",
            "parentcaller": "0x7ffc77b96d2f",
            "category": "system",
            "api": "NtDuplicateObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SourceProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "SourceHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "TargetProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "TargetHandle",
                "value": "0x000004b8"
              },
              {
                "name": "Options",
                "value": "0x00000002"
              }
            ],
            "repeated": 0,
            "id": 2129
          },
          {
            "timestamp": "2026-05-28 22:02:13,979",
            "thread_id": "11156",
            "caller": "0x7ffc77be92b9",
            "parentcaller": "0x7ffc77c2224d",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "00000339-0000-0000-C000-000000000046"
              },
              {
                "name": "ClsContext",
                "value": "0x00000403",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER|CLSCTX_NO_CODE_DOWNLOAD"
              },
              {
                "name": "riid",
                "value": "00000003-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 2130
          },
          {
            "timestamp": "2026-05-28 22:02:13,979",
            "thread_id": "11156",
            "caller": "0x7ffc770e1630",
            "parentcaller": "0x7ffc770e12cd",
            "category": "system",
            "api": "NtQuerySystemTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 2131
          },
          {
            "timestamp": "2026-05-28 22:02:13,979",
            "thread_id": "11168",
            "caller": "0x7ffc3212bafb",
            "parentcaller": "0x7ffc3212b4af",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x56f000105000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 2132
          },
          {
            "timestamp": "2026-05-28 22:02:13,994",
            "thread_id": "11168",
            "caller": "0x7ffc75704448",
            "parentcaller": "0x7ffc1ec3f766",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x3ed80022c000"
              },
              {
                "name": "RegionSize",
                "value": "0x00002000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 2133
          },
          {
            "timestamp": "2026-05-28 22:02:13,994",
            "thread_id": "11156",
            "caller": "0x7ffc77ba22bf",
            "parentcaller": "0x7ffc77c1fbe4",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x000003c6"
              },
              {
                "name": "SubKey",
                "value": "Interface\\{C5543B33-5C73-4DC5-9211-24077D3B06C5}"
              },
              {
                "name": "Handle",
                "value": "0x000004be"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\Interface\\{C5543B33-5C73-4DC5-9211-24077D3B06C5}"
              }
            ],
            "repeated": 0,
            "id": 2134
          },
          {
            "timestamp": "2026-05-28 22:02:13,994",
            "thread_id": "11156",
            "caller": "0x7ffc77c1fa51",
            "parentcaller": "0x7ffc77be42ab",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x000004be"
              },
              {
                "name": "SubKey",
                "value": "ProxyStubClsid32"
              },
              {
                "name": "Handle",
                "value": "0x000004c2"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{C5543B33-5C73-4DC5-9211-24077D3B06C5}\\ProxyStubClsid32"
              }
            ],
            "repeated": 0,
            "id": 2135
          },
          {
            "timestamp": "2026-05-28 22:02:13,994",
            "thread_id": "11156",
            "caller": "0x7ffc77c1fa8c",
            "parentcaller": "0x7ffc77be42ab",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004c2"
              },
              {
                "name": "ValueName",
                "value": ""
              },
              {
                "name": "Data",
                "value": "{95E15D0A-66E6-93D9-C53C-76E6219D3341}"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{C5543B33-5C73-4DC5-9211-24077D3B06C5}\\ProxyStubClsid32\\(Default)"
              }
            ],
            "repeated": 0,
            "id": 2136
          },
          {
            "timestamp": "2026-05-28 22:02:13,994",
            "thread_id": "11156",
            "caller": "0x7ffc77c1fad3",
            "parentcaller": "0x7ffc77be42ab",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004c2"
              }
            ],
            "repeated": 0,
            "id": 2137
          },
          {
            "timestamp": "2026-05-28 22:02:13,994",
            "thread_id": "11156",
            "caller": "0x7ffc77c1fae4",
            "parentcaller": "0x7ffc77be42ab",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004be"
              }
            ],
            "repeated": 0,
            "id": 2138
          },
          {
            "timestamp": "2026-05-28 22:02:13,994",
            "thread_id": "11156",
            "caller": "0x7ffc756d30ce",
            "parentcaller": "0x7ffc77c22cd1",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 2139
          },
          {
            "timestamp": "2026-05-28 22:02:13,994",
            "thread_id": "11156",
            "caller": "0x7ffc756d30ce",
            "parentcaller": "0x7ffc77c22cd1",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000037c"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 2140
          },
          {
            "timestamp": "2026-05-28 22:02:13,994",
            "thread_id": "11168",
            "caller": "0x7ffc75704448",
            "parentcaller": "0x7ffc1ec3f766",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x3edc0005d000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 2141
          },
          {
            "timestamp": "2026-05-28 22:02:13,994",
            "thread_id": "11168",
            "caller": "0x7ffc7804507d",
            "parentcaller": "0x7ffc78044c43",
            "category": "threading",
            "api": "NtTestAlert",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 2142
          },
          {
            "timestamp": "2026-05-28 22:02:13,994",
            "thread_id": "11168",
            "caller": "0x00000000",
            "parentcaller": "0x00000000",
            "category": "threading",
            "api": "RtlUserThreadStart",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "StartAddress",
                "value": "0x7ffc775c53d0"
              },
              {
                "name": "Parameter",
                "value": "0x2a3655083d0"
              }
            ],
            "repeated": 0,
            "id": 2143
          },
          {
            "timestamp": "2026-05-28 22:02:13,994",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004a8"
              }
            ],
            "repeated": 0,
            "id": 2144
          },
          {
            "timestamp": "2026-05-28 22:02:13,994",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "filesystem",
            "api": "NtWriteFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00001774"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\NamedPipe\\LOCAL\\mojo.9188.10632.18297276111718467407"
              },
              {
                "name": "Buffer",
                "value": "\\x10\\x00\\x00\\x00p\\x00\\x00\\x00\\xb3\\xce\t\\x05\\x00\\x00\\x00\\x00\\x18\\x00\\x14\\x00\\x00\\x00\\x00\\x00\\x18\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00H\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x0f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00{\\x01\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "Length",
                "value": "112"
              }
            ],
            "repeated": 0,
            "id": 2145
          },
          {
            "timestamp": "2026-05-28 22:02:13,994",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "filesystem",
            "api": "NtWriteFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00001774"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\NamedPipe\\LOCAL\\mojo.9188.10632.18297276111718467407"
              },
              {
                "name": "Buffer",
                "value": "\\x10\\x00\\x00\\x00p\\x00\\x00\\x00\\xc5\\xcf\t\\x05\\x00\\x00\\x00\\x00\\x18\\x00\\x14\\x00\\x00\\x00\\x00\\x00\\x19\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00H\\x00\\x00\\x00\\x00\\x00\\x00\\x00/\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00x\\x01\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "Length",
                "value": "112"
              }
            ],
            "repeated": 0,
            "id": 2146
          },
          {
            "timestamp": "2026-05-28 22:02:13,994",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 2147
          },
          {
            "timestamp": "2026-05-28 22:02:13,994",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002cc"
              },
              {
                "name": "Milliseconds",
                "value": "5000"
              }
            ],
            "repeated": 0,
            "id": 2148
          },
          {
            "timestamp": "2026-05-28 22:02:13,994",
            "thread_id": "11168",
            "caller": "0x7ffc7571ebae",
            "parentcaller": "0x7ffc775f84de",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "0",
                "pretty_value": "ThreadBasicInformation"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x03\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00 \\xa1\\xf7\\xb8\\x00\\x00\\x00\\xe0)\\x00\\x00\\x00\\x00\\x00\\x00\\xa0+\\x00\\x00\\x00\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "11168"
              }
            ],
            "repeated": 0,
            "id": 2149
          },
          {
            "timestamp": "2026-05-28 22:02:13,994",
            "thread_id": "11168",
            "caller": "0x7ffc7572026b",
            "parentcaller": "0x7ffc639c9613",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x000004a8"
              }
            ],
            "repeated": 0,
            "id": 2150
          },
          {
            "timestamp": "2026-05-28 22:02:13,994",
            "thread_id": "11168",
            "caller": "0x7ffc639c96fd",
            "parentcaller": "0x7ffc639c962b",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xd0\\xf8\\x1f\\xf9\\xb8\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\xe9\\x03\\x00\\x00\\xb8\\x00\\x00\\x00\\xa0\\x0cIe\\xa3\\x02\\x00\\x00k\\x02ru\\xfc\\x7f\\x00\\x00C\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 2151
          },
          {
            "timestamp": "2026-05-28 22:02:13,994",
            "thread_id": "11168",
            "caller": "0x7ffc756e6785",
            "parentcaller": "0x7ffc639c9675",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004a8"
              }
            ],
            "repeated": 0,
            "id": 2152
          },
          {
            "timestamp": "2026-05-28 22:02:13,994",
            "thread_id": "11168",
            "caller": "0x7ffc639bd259",
            "parentcaller": "0x7ffc639b8bdd",
            "category": "com",
            "api": "CoGetClassObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "38142214-ED63-4965-9214-1BBC06E130E9"
              },
              {
                "name": "ClsContext",
                "value": "0x00000001",
                "pretty_value": "CLSCTX_INPROC_SERVER"
              },
              {
                "name": "riid",
                "value": "8E1BBBB9-B3D5-430D-B276-D0E7454CAAB2"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 2153
          },
          {
            "timestamp": "2026-05-28 22:02:13,994",
            "thread_id": "11168",
            "caller": "0x7ffc756e56b2",
            "parentcaller": "0x7ffc77bc6b6d",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\twinapi.appcore.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc6ff20000"
              }
            ],
            "repeated": 0,
            "id": 2154
          },
          {
            "timestamp": "2026-05-28 22:02:13,994",
            "thread_id": "11168",
            "caller": "0x7ffc6399907d",
            "parentcaller": "0x7ffc639bd2af",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "D648FEA1-EA00-4FF4-B8BD-034BD2B25A23"
              },
              {
                "name": "ClsContext",
                "value": "0x00000001",
                "pretty_value": "CLSCTX_INPROC_SERVER"
              },
              {
                "name": "riid",
                "value": "1D868537-EEA2-4C03-BB99-8A58862F7A59"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 2155
          },
          {
            "timestamp": "2026-05-28 22:02:13,994",
            "thread_id": "11168",
            "caller": "0x7ffc77be92b9",
            "parentcaller": "0x7ffc77c2224d",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "00000339-0000-0000-C000-000000000046"
              },
              {
                "name": "ClsContext",
                "value": "0x00000403",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER|CLSCTX_NO_CODE_DOWNLOAD"
              },
              {
                "name": "riid",
                "value": "00000003-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 2156
          },
          {
            "timestamp": "2026-05-28 22:02:13,994",
            "thread_id": "11168",
            "caller": "0x7ffc756e56b2",
            "parentcaller": "0x7ffc77bc6b6d",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\System32\\OneCoreCommonProxyStub"
              },
              {
                "name": "DllBase",
                "value": "0x7ffc66790000"
              }
            ],
            "repeated": 0,
            "id": 2157
          },
          {
            "timestamp": "2026-05-28 22:02:13,994",
            "thread_id": "11156",
            "caller": "0x7ffc78017830",
            "parentcaller": "0x7ffc780020f9",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc60f5a000"
              },
              {
                "name": "ModuleName",
                "value": "wpnapps.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 2158
          },
          {
            "timestamp": "2026-05-28 22:02:13,994",
            "thread_id": "11156",
            "caller": "0x7ffc78017881",
            "parentcaller": "0x7ffc780020f9",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc60f5a000"
              },
              {
                "name": "ModuleName",
                "value": "wpnapps.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 2159
          },
          {
            "timestamp": "2026-05-28 22:02:13,994",
            "thread_id": "11156",
            "caller": "0x7ffc7571ebae",
            "parentcaller": "0x7ffc775c712f",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "0",
                "pretty_value": "ThreadBasicInformation"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x03\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xa1\\xf7\\xb8\\x00\\x00\\x00\\xe0)\\x00\\x00\\x00\\x00\\x00\\x00\\x94+\\x00\\x00\\x00\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\t\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "11156"
              }
            ],
            "repeated": 0,
            "id": 2160
          },
          {
            "timestamp": "2026-05-28 22:02:13,994",
            "thread_id": "11156",
            "caller": "0x7ffc78017830",
            "parentcaller": "0x7ffc780020f9",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc77657000"
              },
              {
                "name": "ModuleName",
                "value": "shcore.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 2161
          },
          {
            "timestamp": "2026-05-28 22:02:13,994",
            "thread_id": "11156",
            "caller": "0x7ffc78017881",
            "parentcaller": "0x7ffc780020f9",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc77657000"
              },
              {
                "name": "ModuleName",
                "value": "shcore.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 2162
          },
          {
            "timestamp": "2026-05-28 22:02:13,994",
            "thread_id": "11136",
            "caller": "0x7ffc756e6785",
            "parentcaller": "0x7ffc77c12ec5",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000478"
              }
            ],
            "repeated": 1,
            "id": 2163
          },
          {
            "timestamp": "2026-05-28 22:02:13,994",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x3edc00056000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 2164
          },
          {
            "timestamp": "2026-05-28 22:02:13,994",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "filesystem",
            "api": "NtWriteFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00001774"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\NamedPipe\\LOCAL\\mojo.9188.10632.18297276111718467407"
              },
              {
                "name": "Buffer",
                "value": "\\x10\\x00\\x00\\x00p\\x00\\x00\\x00I\\xea\t\\x05\\x00\\x00\\x00\\x00\\x18\\x00\\x14\\x00\\x00\\x00\\x00\\x00\\x1a\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00H\\x00\\x00\\x00\\x00\\x00\\x00\\x00+\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00x\\x01\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "Length",
                "value": "112"
              }
            ],
            "repeated": 0,
            "id": 2165
          },
          {
            "timestamp": "2026-05-28 22:02:13,994",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 2166
          },
          {
            "timestamp": "2026-05-28 22:02:13,994",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002cc"
              },
              {
                "name": "Milliseconds",
                "value": "4994"
              }
            ],
            "repeated": 0,
            "id": 2167
          },
          {
            "timestamp": "2026-05-28 22:02:13,994",
            "thread_id": "11168",
            "caller": "0x7ffc756e56b2",
            "parentcaller": "0x7ffc77bc6b6d",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\OneCoreCommonProxyStub.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc66790000"
              }
            ],
            "repeated": 0,
            "id": 2168
          },
          {
            "timestamp": "2026-05-28 22:02:13,994",
            "thread_id": "11168",
            "caller": "0x7ffc6ff7c45c",
            "parentcaller": "0x7ffc639990c9",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "6B3B8D23-FA8D-40B9-8DBD-B950333E2C52"
              },
              {
                "name": "ClsContext",
                "value": "0x00000004",
                "pretty_value": "CLSCTX_LOCAL_SERVER"
              },
              {
                "name": "riid",
                "value": "6D5140C1-7436-11CE-8034-00AA006009FA"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 2169
          },
          {
            "timestamp": "2026-05-28 22:02:13,994",
            "thread_id": "11168",
            "caller": "0x7ffc770e1630",
            "parentcaller": "0x7ffc770e12cd",
            "category": "system",
            "api": "NtQuerySystemTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 2170
          },
          {
            "timestamp": "2026-05-28 22:02:13,994",
            "thread_id": "11168",
            "caller": "0x7ffc78013f7a",
            "parentcaller": "0x7ffc770b0ed7",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "29"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 2171
          },
          {
            "timestamp": "2026-05-28 22:02:13,994",
            "thread_id": "11168",
            "caller": "0x7ffc77ba22bf",
            "parentcaller": "0x7ffc77c1fbe4",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x000003c6"
              },
              {
                "name": "SubKey",
                "value": "Interface\\{428D4DDD-3462-43DF-9395-1EFF13AE7A4B}"
              },
              {
                "name": "Handle",
                "value": "0x000004d2"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\Interface\\{428D4DDD-3462-43DF-9395-1EFF13AE7A4B}"
              }
            ],
            "repeated": 0,
            "id": 2172
          },
          {
            "timestamp": "2026-05-28 22:02:13,994",
            "thread_id": "11168",
            "caller": "0x7ffc77c1fa51",
            "parentcaller": "0x7ffc77be42ab",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x000004d2"
              },
              {
                "name": "SubKey",
                "value": "ProxyStubClsid32"
              },
              {
                "name": "Handle",
                "value": "0x000004d6"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{428D4DDD-3462-43DF-9395-1EFF13AE7A4B}\\ProxyStubClsid32"
              }
            ],
            "repeated": 0,
            "id": 2173
          },
          {
            "timestamp": "2026-05-28 22:02:13,994",
            "thread_id": "11168",
            "caller": "0x7ffc77c1fa8c",
            "parentcaller": "0x7ffc77be42ab",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004d6"
              },
              {
                "name": "ValueName",
                "value": ""
              },
              {
                "name": "Data",
                "value": "{b03c2205-f02e-4d77-80df-e1747afdd39c}"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{428D4DDD-3462-43DF-9395-1EFF13AE7A4B}\\ProxyStubClsid32\\(Default)"
              }
            ],
            "repeated": 0,
            "id": 2174
          },
          {
            "timestamp": "2026-05-28 22:02:13,994",
            "thread_id": "11168",
            "caller": "0x7ffc77c1fad3",
            "parentcaller": "0x7ffc77be42ab",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004d6"
              }
            ],
            "repeated": 0,
            "id": 2175
          },
          {
            "timestamp": "2026-05-28 22:02:13,994",
            "thread_id": "11168",
            "caller": "0x7ffc77c1fae4",
            "parentcaller": "0x7ffc77be42ab",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004d2"
              }
            ],
            "repeated": 0,
            "id": 2176
          },
          {
            "timestamp": "2026-05-28 22:02:13,994",
            "thread_id": "11168",
            "caller": "0x7ffc77ba7b74",
            "parentcaller": "0x7ffc77ba53d4",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x0000036a"
              },
              {
                "name": "SubKey",
                "value": "CLSID\\{B03C2205-F02E-4D77-80DF-E1747AFDD39C}"
              },
              {
                "name": "Handle",
                "value": "0x000004d2"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{B03C2205-F02E-4D77-80DF-E1747AFDD39C}"
              }
            ],
            "repeated": 0,
            "id": 2177
          },
          {
            "timestamp": "2026-05-28 22:02:13,994",
            "thread_id": "11168",
            "caller": "0x7ffc756e45a7",
            "parentcaller": "0x7ffc756e0705",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000004d2"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\CLSID\\{b03c2205-f02e-4d77-80df-e1747afdd39c}"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 2178
          },
          {
            "timestamp": "2026-05-28 22:02:13,994",
            "thread_id": "11168",
            "caller": "0x7ffc756e2314",
            "parentcaller": "0x7ffc756e0732",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000004d2"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 2179
          },
          {
            "timestamp": "2026-05-28 22:02:13,994",
            "thread_id": "11168",
            "caller": "0x7ffc78006c8b",
            "parentcaller": "0x7ffc756e23a0",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "P\\xcf\\x1f\\xf9\\xb8\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xfc\\x7f\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\xe9\\x03\\x00\\x00\\xfc\\x7f\\x00\\x00\\xb8\\xcf\\xd93\\xfc\\x7f\\x00\\x00\\xd2\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\xe0\\xd2\\xd93\\xfc\\x7f\\x00\\x00\\x04\\x00\\x00\\x00\\xb8\\x00\\x00\\x00P\\xd0\\x1f\\xf9\\xb8\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 2180
          },
          {
            "timestamp": "2026-05-28 22:02:13,994",
            "thread_id": "11168",
            "caller": "0x7ffc756e24a8",
            "parentcaller": "0x7ffc756e0732",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3968686040-3210279463-847977608-1001_Classes\\CLSID\\{b03c2205-f02e-4d77-80df-e1747afdd39c}\\TreatAs"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{b03c2205-f02e-4d77-80df-e1747afdd39c}\\TreatAs"
              }
            ],
            "repeated": 0,
            "id": 2181
          },
          {
            "timestamp": "2026-05-28 22:02:13,994",
            "thread_id": "11168",
            "caller": "0x7ffc756e40c4",
            "parentcaller": "0x7ffc756e25c4",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000004d2"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 2182
          },
          {
            "timestamp": "2026-05-28 22:02:13,994",
            "thread_id": "11168",
            "caller": "0x7ffc756e25e2",
            "parentcaller": "0x7ffc756e0732",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000004d2"
              },
              {
                "name": "ObjectAttributesName",
                "value": "TreatAs"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{b03c2205-f02e-4d77-80df-e1747afdd39c}\\TreatAs"
              }
            ],
            "repeated": 0,
            "id": 2183
          },
          {
            "timestamp": "2026-05-28 22:02:13,994",
            "thread_id": "11168",
            "caller": "0x7ffc77c322e1",
            "parentcaller": "0x7ffc77ba7c1d",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000004d2"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\CLSID\\{b03c2205-f02e-4d77-80df-e1747afdd39c}"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 2184
          },
          {
            "timestamp": "2026-05-28 22:02:13,994",
            "thread_id": "11168",
            "caller": "0x7ffc756e2e92",
            "parentcaller": "0x7ffc77ba81f5",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004d2"
              },
              {
                "name": "ValueName",
                "value": "ActivateOnHostFlags"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{b03c2205-f02e-4d77-80df-e1747afdd39c}\\ActivateOnHostFlags"
              }
            ],
            "repeated": 0,
            "id": 2185
          },
          {
            "timestamp": "2026-05-28 22:02:13,994",
            "thread_id": "11168",
            "caller": "0x7ffc756e2e92",
            "parentcaller": "0x7ffc77ba870d",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004d2"
              },
              {
                "name": "ValueName",
                "value": ""
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{b03c2205-f02e-4d77-80df-e1747afdd39c}\\(Default)"
              }
            ],
            "repeated": 0,
            "id": 2186
          },
          {
            "timestamp": "2026-05-28 22:02:13,994",
            "thread_id": "11168",
            "caller": "0x7ffc756e2e92",
            "parentcaller": "0x7ffc77ba87bc",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004d2"
              },
              {
                "name": "ValueName",
                "value": ""
              },
              {
                "name": "Data",
                "value": "ExecModelProxy"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{b03c2205-f02e-4d77-80df-e1747afdd39c}\\(Default)"
              }
            ],
            "repeated": 0,
            "id": 2187
          },
          {
            "timestamp": "2026-05-28 22:02:13,994",
            "thread_id": "11168",
            "caller": "0x7ffc77ba8485",
            "parentcaller": "0x7ffc77ba829e",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x000004d2"
              },
              {
                "name": "SubKey",
                "value": "InprocServer32"
              },
              {
                "name": "Handle",
                "value": "0x000004d6"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{b03c2205-f02e-4d77-80df-e1747afdd39c}\\InprocServer32"
              }
            ],
            "repeated": 0,
            "id": 2188
          },
          {
            "timestamp": "2026-05-28 22:02:13,994",
            "thread_id": "11168",
            "caller": "0x7ffc756e2e92",
            "parentcaller": "0x7ffc77ba870d",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004d6"
              },
              {
                "name": "ValueName",
                "value": "InprocServer32"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{b03c2205-f02e-4d77-80df-e1747afdd39c}\\InprocServer32\\InprocServer32"
              }
            ],
            "repeated": 0,
            "id": 2189
          },
          {
            "timestamp": "2026-05-28 22:02:13,994",
            "thread_id": "11168",
            "caller": "0x7ffc756e2e92",
            "parentcaller": "0x7ffc77ba870d",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004d6"
              },
              {
                "name": "ValueName",
                "value": ""
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{b03c2205-f02e-4d77-80df-e1747afdd39c}\\InprocServer32\\(Default)"
              }
            ],
            "repeated": 0,
            "id": 2190
          },
          {
            "timestamp": "2026-05-28 22:02:13,994",
            "thread_id": "11168",
            "caller": "0x7ffc75704aa9",
            "parentcaller": "0x7ffc756e31c6",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004d6"
              },
              {
                "name": "ValueName",
                "value": ""
              },
              {
                "name": "Data",
                "value": "%systemroot%\\system32\\execmodelproxy.dll"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{b03c2205-f02e-4d77-80df-e1747afdd39c}\\InprocServer32\\(Default)"
              }
            ],
            "repeated": 1,
            "id": 2191
          },
          {
            "timestamp": "2026-05-28 22:02:13,994",
            "thread_id": "11168",
            "caller": "0x7ffc756e2e92",
            "parentcaller": "0x7ffc77ba8d32",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004d6"
              },
              {
                "name": "ValueName",
                "value": "ThreadingModel"
              },
              {
                "name": "Data",
                "value": "Both"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{b03c2205-f02e-4d77-80df-e1747afdd39c}\\InprocServer32\\ThreadingModel"
              }
            ],
            "repeated": 0,
            "id": 2192
          },
          {
            "timestamp": "2026-05-28 22:02:13,994",
            "thread_id": "11168",
            "caller": "0x7ffc77ba855f",
            "parentcaller": "0x7ffc77ba829e",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004d6"
              }
            ],
            "repeated": 0,
            "id": 2193
          },
          {
            "timestamp": "2026-05-28 22:02:13,994",
            "thread_id": "11168",
            "caller": "0x7ffc756e45a7",
            "parentcaller": "0x7ffc756e0705",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000004d2"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\CLSID\\{b03c2205-f02e-4d77-80df-e1747afdd39c}"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 2194
          },
          {
            "timestamp": "2026-05-28 22:02:13,994",
            "thread_id": "11168",
            "caller": "0x7ffc756e2314",
            "parentcaller": "0x7ffc756e0732",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000004d2"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 2195
          },
          {
            "timestamp": "2026-05-28 22:02:13,994",
            "thread_id": "11168",
            "caller": "0x7ffc78006c8b",
            "parentcaller": "0x7ffc756e23a0",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xe0\\xcd\\x1f\\xf9\\xb8\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xfc\\x7f\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\xe9\\x03\\x00\\x00\\xfc\\x7f\\x00\\x00\\xb8\\xcf\\xd93\\xfc\\x7f\\x00\\x00\\xd2\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\xe0\\xd2\\xd93\\xfc\\x7f\\x00\\x00\\x04\\x00\\x00\\x00\\xb8\\x00\\x00\\x00\\xe0\\xce\\x1f\\xf9\\xb8\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 2196
          },
          {
            "timestamp": "2026-05-28 22:02:13,994",
            "thread_id": "11168",
            "caller": "0x7ffc756e24a8",
            "parentcaller": "0x7ffc756e0732",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3968686040-3210279463-847977608-1001_Classes\\CLSID\\{b03c2205-f02e-4d77-80df-e1747afdd39c}\\InprocHandler32"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{b03c2205-f02e-4d77-80df-e1747afdd39c}\\InprocHandler32"
              }
            ],
            "repeated": 0,
            "id": 2197
          },
          {
            "timestamp": "2026-05-28 22:02:13,994",
            "thread_id": "11168",
            "caller": "0x7ffc756e40c4",
            "parentcaller": "0x7ffc756e25c4",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000004d2"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 2198
          },
          {
            "timestamp": "2026-05-28 22:02:13,994",
            "thread_id": "11168",
            "caller": "0x7ffc756e25e2",
            "parentcaller": "0x7ffc756e0732",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000004d2"
              },
              {
                "name": "ObjectAttributesName",
                "value": "InprocHandler32"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{b03c2205-f02e-4d77-80df-e1747afdd39c}\\InprocHandler32"
              }
            ],
            "repeated": 0,
            "id": 2199
          },
          {
            "timestamp": "2026-05-28 22:02:13,994",
            "thread_id": "11168",
            "caller": "0x7ffc756e45a7",
            "parentcaller": "0x7ffc756e0705",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000004d2"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\CLSID\\{b03c2205-f02e-4d77-80df-e1747afdd39c}"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 2200
          },
          {
            "timestamp": "2026-05-28 22:02:13,994",
            "thread_id": "11168",
            "caller": "0x7ffc756e2314",
            "parentcaller": "0x7ffc756e0732",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000004d2"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 2201
          },
          {
            "timestamp": "2026-05-28 22:02:13,994",
            "thread_id": "11168",
            "caller": "0x7ffc78006c8b",
            "parentcaller": "0x7ffc756e23a0",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xe0\\xcd\\x1f\\xf9\\xb8\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xfc\\x7f\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\xe9\\x03\\x00\\x00\\xfc\\x7f\\x00\\x00\\xb8\\xcf\\xd93\\xfc\\x7f\\x00\\x00\\xd2\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\xe0\\xd2\\xd93\\xfc\\x7f\\x00\\x00\\x04\\x00\\x00\\x00\\xb8\\x00\\x00\\x00\\xe0\\xce\\x1f\\xf9\\xb8\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 2202
          },
          {
            "timestamp": "2026-05-28 22:02:13,994",
            "thread_id": "11168",
            "caller": "0x7ffc756e24a8",
            "parentcaller": "0x7ffc756e0732",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3968686040-3210279463-847977608-1001_Classes\\CLSID\\{b03c2205-f02e-4d77-80df-e1747afdd39c}\\InprocHandler"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{b03c2205-f02e-4d77-80df-e1747afdd39c}\\InprocHandler"
              }
            ],
            "repeated": 0,
            "id": 2203
          },
          {
            "timestamp": "2026-05-28 22:02:13,994",
            "thread_id": "11168",
            "caller": "0x7ffc756e40c4",
            "parentcaller": "0x7ffc756e25c4",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000004d2"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 2204
          },
          {
            "timestamp": "2026-05-28 22:02:13,994",
            "thread_id": "11168",
            "caller": "0x7ffc756e25e2",
            "parentcaller": "0x7ffc756e0732",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000004d2"
              },
              {
                "name": "ObjectAttributesName",
                "value": "InprocHandler"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{b03c2205-f02e-4d77-80df-e1747afdd39c}\\InprocHandler"
              }
            ],
            "repeated": 0,
            "id": 2205
          },
          {
            "timestamp": "2026-05-28 22:02:13,994",
            "thread_id": "11168",
            "caller": "0x7ffc77ba8010",
            "parentcaller": "0x7ffc77ba53d4",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004d2"
              }
            ],
            "repeated": 0,
            "id": 2206
          },
          {
            "timestamp": "2026-05-28 22:02:13,994",
            "thread_id": "11168",
            "caller": "0x7ffc756d30ce",
            "parentcaller": "0x7ffc77c22cd1",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 2207
          },
          {
            "timestamp": "2026-05-28 22:02:13,994",
            "thread_id": "11168",
            "caller": "0x7ffc756d30ce",
            "parentcaller": "0x7ffc77c22cd1",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000037c"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 2208
          },
          {
            "timestamp": "2026-05-28 22:02:13,994",
            "thread_id": "11168",
            "caller": "0x7ffc77ba7b74",
            "parentcaller": "0x7ffc77ba53d4",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x0000036a"
              },
              {
                "name": "SubKey",
                "value": "CLSID\\{B03C2205-F02E-4D77-80DF-E1747AFDD39C}"
              },
              {
                "name": "Handle",
                "value": "0x000004d2"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{B03C2205-F02E-4D77-80DF-E1747AFDD39C}"
              }
            ],
            "repeated": 0,
            "id": 2209
          },
          {
            "timestamp": "2026-05-28 22:02:13,994",
            "thread_id": "11168",
            "caller": "0x7ffc756e45a7",
            "parentcaller": "0x7ffc756e0705",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000004d2"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\CLSID\\{b03c2205-f02e-4d77-80df-e1747afdd39c}"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 2210
          },
          {
            "timestamp": "2026-05-28 22:02:13,994",
            "thread_id": "11168",
            "caller": "0x7ffc756e2314",
            "parentcaller": "0x7ffc756e0732",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000004d2"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 2211
          },
          {
            "timestamp": "2026-05-28 22:02:13,994",
            "thread_id": "11168",
            "caller": "0x7ffc78006c8b",
            "parentcaller": "0x7ffc756e23a0",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\x10\\xcc\\x1f\\xf9\\xb8\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xfc\\x7f\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\xe9\\x03\\x00\\x00\\xfc\\x7f\\x00\\x00\\xb8\\xcf\\xd93\\xfc\\x7f\\x00\\x00\\xd2\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\xe0\\xd2\\xd93\\xfc\\x7f\\x00\\x00\\x04\\x00\\x00\\x00\\xb8\\x00\\x00\\x00\\x10\\xcd\\x1f\\xf9\\xb8\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 2212
          },
          {
            "timestamp": "2026-05-28 22:02:13,994",
            "thread_id": "11168",
            "caller": "0x7ffc756e24a8",
            "parentcaller": "0x7ffc756e0732",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3968686040-3210279463-847977608-1001_Classes\\CLSID\\{b03c2205-f02e-4d77-80df-e1747afdd39c}\\TreatAs"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{b03c2205-f02e-4d77-80df-e1747afdd39c}\\TreatAs"
              }
            ],
            "repeated": 0,
            "id": 2213
          },
          {
            "timestamp": "2026-05-28 22:02:13,994",
            "thread_id": "11168",
            "caller": "0x7ffc756e40c4",
            "parentcaller": "0x7ffc756e25c4",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000004d2"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 2214
          },
          {
            "timestamp": "2026-05-28 22:02:13,994",
            "thread_id": "11168",
            "caller": "0x7ffc756e25e2",
            "parentcaller": "0x7ffc756e0732",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000004d2"
              },
              {
                "name": "ObjectAttributesName",
                "value": "TreatAs"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{b03c2205-f02e-4d77-80df-e1747afdd39c}\\TreatAs"
              }
            ],
            "repeated": 0,
            "id": 2215
          },
          {
            "timestamp": "2026-05-28 22:02:13,994",
            "thread_id": "11168",
            "caller": "0x7ffc77c322e1",
            "parentcaller": "0x7ffc77ba7c1d",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000004d2"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\CLSID\\{b03c2205-f02e-4d77-80df-e1747afdd39c}"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 2216
          },
          {
            "timestamp": "2026-05-28 22:02:13,994",
            "thread_id": "11168",
            "caller": "0x7ffc756e2e92",
            "parentcaller": "0x7ffc77ba81f5",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004d2"
              },
              {
                "name": "ValueName",
                "value": "ActivateOnHostFlags"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{b03c2205-f02e-4d77-80df-e1747afdd39c}\\ActivateOnHostFlags"
              }
            ],
            "repeated": 0,
            "id": 2217
          },
          {
            "timestamp": "2026-05-28 22:02:13,994",
            "thread_id": "11168",
            "caller": "0x7ffc756e2e92",
            "parentcaller": "0x7ffc77ba870d",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004d2"
              },
              {
                "name": "ValueName",
                "value": ""
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{b03c2205-f02e-4d77-80df-e1747afdd39c}\\(Default)"
              }
            ],
            "repeated": 0,
            "id": 2218
          },
          {
            "timestamp": "2026-05-28 22:02:13,994",
            "thread_id": "11168",
            "caller": "0x7ffc756e2e92",
            "parentcaller": "0x7ffc77ba87bc",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004d2"
              },
              {
                "name": "ValueName",
                "value": ""
              },
              {
                "name": "Data",
                "value": "ExecModelProxy"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{b03c2205-f02e-4d77-80df-e1747afdd39c}\\(Default)"
              }
            ],
            "repeated": 0,
            "id": 2219
          },
          {
            "timestamp": "2026-05-28 22:02:13,994",
            "thread_id": "11168",
            "caller": "0x7ffc77ba8485",
            "parentcaller": "0x7ffc77ba829e",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x000004d2"
              },
              {
                "name": "SubKey",
                "value": "InprocServer32"
              },
              {
                "name": "Handle",
                "value": "0x000004da"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{b03c2205-f02e-4d77-80df-e1747afdd39c}\\InprocServer32"
              }
            ],
            "repeated": 0,
            "id": 2220
          },
          {
            "timestamp": "2026-05-28 22:02:13,994",
            "thread_id": "11168",
            "caller": "0x7ffc756e2e92",
            "parentcaller": "0x7ffc77ba870d",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004da"
              },
              {
                "name": "ValueName",
                "value": "InprocServer32"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{b03c2205-f02e-4d77-80df-e1747afdd39c}\\InprocServer32\\InprocServer32"
              }
            ],
            "repeated": 0,
            "id": 2221
          },
          {
            "timestamp": "2026-05-28 22:02:13,994",
            "thread_id": "11168",
            "caller": "0x7ffc756e2e92",
            "parentcaller": "0x7ffc77ba870d",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004da"
              },
              {
                "name": "ValueName",
                "value": ""
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{b03c2205-f02e-4d77-80df-e1747afdd39c}\\InprocServer32\\(Default)"
              }
            ],
            "repeated": 0,
            "id": 2222
          },
          {
            "timestamp": "2026-05-28 22:02:13,994",
            "thread_id": "11168",
            "caller": "0x7ffc75704aa9",
            "parentcaller": "0x7ffc756e31c6",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004da"
              },
              {
                "name": "ValueName",
                "value": ""
              },
              {
                "name": "Data",
                "value": "%systemroot%\\system32\\execmodelproxy.dll"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{b03c2205-f02e-4d77-80df-e1747afdd39c}\\InprocServer32\\(Default)"
              }
            ],
            "repeated": 1,
            "id": 2223
          },
          {
            "timestamp": "2026-05-28 22:02:13,994",
            "thread_id": "11168",
            "caller": "0x7ffc756e2e92",
            "parentcaller": "0x7ffc77ba8d32",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004da"
              },
              {
                "name": "ValueName",
                "value": "ThreadingModel"
              },
              {
                "name": "Data",
                "value": "Both"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{b03c2205-f02e-4d77-80df-e1747afdd39c}\\InprocServer32\\ThreadingModel"
              }
            ],
            "repeated": 0,
            "id": 2224
          },
          {
            "timestamp": "2026-05-28 22:02:13,994",
            "thread_id": "11168",
            "caller": "0x7ffc77ba855f",
            "parentcaller": "0x7ffc77ba829e",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004da"
              }
            ],
            "repeated": 0,
            "id": 2225
          },
          {
            "timestamp": "2026-05-28 22:02:13,994",
            "thread_id": "11168",
            "caller": "0x7ffc756e45a7",
            "parentcaller": "0x7ffc756e0705",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000004d2"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\CLSID\\{b03c2205-f02e-4d77-80df-e1747afdd39c}"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 2226
          },
          {
            "timestamp": "2026-05-28 22:02:13,994",
            "thread_id": "11168",
            "caller": "0x7ffc756e2314",
            "parentcaller": "0x7ffc756e0732",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000004d2"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 2227
          },
          {
            "timestamp": "2026-05-28 22:02:13,994",
            "thread_id": "11168",
            "caller": "0x7ffc78006c8b",
            "parentcaller": "0x7ffc756e23a0",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xa0\\xca\\x1f\\xf9\\xb8\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xfc\\x7f\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\xe9\\x03\\x00\\x00\\xfc\\x7f\\x00\\x00\\xb8\\xcf\\xd93\\xfc\\x7f\\x00\\x00\\xd2\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\xe0\\xd2\\xd93\\xfc\\x7f\\x00\\x00\\x04\\x00\\x00\\x00\\xb8\\x00\\x00\\x00\\xa0\\xcb\\x1f\\xf9\\xb8\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 2228
          },
          {
            "timestamp": "2026-05-28 22:02:13,994",
            "thread_id": "11168",
            "caller": "0x7ffc756e24a8",
            "parentcaller": "0x7ffc756e0732",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3968686040-3210279463-847977608-1001_Classes\\CLSID\\{b03c2205-f02e-4d77-80df-e1747afdd39c}\\InprocHandler32"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{b03c2205-f02e-4d77-80df-e1747afdd39c}\\InprocHandler32"
              }
            ],
            "repeated": 0,
            "id": 2229
          },
          {
            "timestamp": "2026-05-28 22:02:13,994",
            "thread_id": "11168",
            "caller": "0x7ffc756e40c4",
            "parentcaller": "0x7ffc756e25c4",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000004d2"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 2230
          },
          {
            "timestamp": "2026-05-28 22:02:13,994",
            "thread_id": "11168",
            "caller": "0x7ffc756e25e2",
            "parentcaller": "0x7ffc756e0732",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000004d2"
              },
              {
                "name": "ObjectAttributesName",
                "value": "InprocHandler32"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{b03c2205-f02e-4d77-80df-e1747afdd39c}\\InprocHandler32"
              }
            ],
            "repeated": 0,
            "id": 2231
          },
          {
            "timestamp": "2026-05-28 22:02:13,994",
            "thread_id": "11168",
            "caller": "0x7ffc756e45a7",
            "parentcaller": "0x7ffc756e0705",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000004d2"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\CLSID\\{b03c2205-f02e-4d77-80df-e1747afdd39c}"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 2232
          },
          {
            "timestamp": "2026-05-28 22:02:13,994",
            "thread_id": "11168",
            "caller": "0x7ffc756e2314",
            "parentcaller": "0x7ffc756e0732",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000004d2"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 2233
          },
          {
            "timestamp": "2026-05-28 22:02:13,994",
            "thread_id": "11168",
            "caller": "0x7ffc78006c8b",
            "parentcaller": "0x7ffc756e23a0",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xa0\\xca\\x1f\\xf9\\xb8\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xfc\\x7f\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\xe9\\x03\\x00\\x00\\xfc\\x7f\\x00\\x00\\xb8\\xcf\\xd93\\xfc\\x7f\\x00\\x00\\xd2\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\xe0\\xd2\\xd93\\xfc\\x7f\\x00\\x00\\x04\\x00\\x00\\x00\\xb8\\x00\\x00\\x00\\xa0\\xcb\\x1f\\xf9\\xb8\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 2234
          },
          {
            "timestamp": "2026-05-28 22:02:13,994",
            "thread_id": "11168",
            "caller": "0x7ffc756e24a8",
            "parentcaller": "0x7ffc756e0732",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3968686040-3210279463-847977608-1001_Classes\\CLSID\\{b03c2205-f02e-4d77-80df-e1747afdd39c}\\InprocHandler"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{b03c2205-f02e-4d77-80df-e1747afdd39c}\\InprocHandler"
              }
            ],
            "repeated": 0,
            "id": 2235
          },
          {
            "timestamp": "2026-05-28 22:02:13,994",
            "thread_id": "11168",
            "caller": "0x7ffc756e40c4",
            "parentcaller": "0x7ffc756e25c4",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000004d2"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 2236
          },
          {
            "timestamp": "2026-05-28 22:02:13,994",
            "thread_id": "11168",
            "caller": "0x7ffc756e25e2",
            "parentcaller": "0x7ffc756e0732",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000004d2"
              },
              {
                "name": "ObjectAttributesName",
                "value": "InprocHandler"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{b03c2205-f02e-4d77-80df-e1747afdd39c}\\InprocHandler"
              }
            ],
            "repeated": 0,
            "id": 2237
          },
          {
            "timestamp": "2026-05-28 22:02:13,994",
            "thread_id": "11168",
            "caller": "0x7ffc77baab08",
            "parentcaller": "0x7ffc77baa7d9",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x000004d2"
              },
              {
                "name": "SubKey",
                "value": "LocalServer32"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{b03c2205-f02e-4d77-80df-e1747afdd39c}\\LocalServer32"
              }
            ],
            "repeated": 0,
            "id": 2238
          },
          {
            "timestamp": "2026-05-28 22:02:13,994",
            "thread_id": "11168",
            "caller": "0x7ffc756e2e92",
            "parentcaller": "0x7ffc77baa825",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004d2"
              },
              {
                "name": "ValueName",
                "value": "AppID"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{b03c2205-f02e-4d77-80df-e1747afdd39c}\\AppID"
              }
            ],
            "repeated": 0,
            "id": 2239
          },
          {
            "timestamp": "2026-05-28 22:02:13,994",
            "thread_id": "11168",
            "caller": "0x7ffc756e45a7",
            "parentcaller": "0x7ffc756e0705",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000004d2"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\CLSID\\{b03c2205-f02e-4d77-80df-e1747afdd39c}"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 2240
          },
          {
            "timestamp": "2026-05-28 22:02:13,994",
            "thread_id": "11168",
            "caller": "0x7ffc756e2314",
            "parentcaller": "0x7ffc756e0732",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000004d2"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 2241
          },
          {
            "timestamp": "2026-05-28 22:02:13,994",
            "thread_id": "11168",
            "caller": "0x7ffc78006c8b",
            "parentcaller": "0x7ffc756e23a0",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xe0\\xc9\\x1f\\xf9\\xb8\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xfc\\x7f\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\xe9\\x03\\x00\\x00\\xfc\\x7f\\x00\\x00\\xb8\\xcf\\xd93\\xfc\\x7f\\x00\\x00\\xd2\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\xe0\\xd2\\xd93\\xfc\\x7f\\x00\\x00\\x04\\x00\\x00\\x00\\xb8\\x00\\x00\\x00\\xe0\\xca\\x1f\\xf9\\xb8\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 2242
          },
          {
            "timestamp": "2026-05-28 22:02:13,994",
            "thread_id": "11168",
            "caller": "0x7ffc756e24a8",
            "parentcaller": "0x7ffc756e0732",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3968686040-3210279463-847977608-1001_Classes\\CLSID\\{b03c2205-f02e-4d77-80df-e1747afdd39c}\\LocalServer"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{b03c2205-f02e-4d77-80df-e1747afdd39c}\\LocalServer"
              }
            ],
            "repeated": 0,
            "id": 2243
          },
          {
            "timestamp": "2026-05-28 22:02:13,994",
            "thread_id": "11168",
            "caller": "0x7ffc756e40c4",
            "parentcaller": "0x7ffc756e25c4",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000004d2"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 2244
          },
          {
            "timestamp": "2026-05-28 22:02:13,994",
            "thread_id": "11168",
            "caller": "0x7ffc756e25e2",
            "parentcaller": "0x7ffc756e0732",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000004d2"
              },
              {
                "name": "ObjectAttributesName",
                "value": "LocalServer"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{b03c2205-f02e-4d77-80df-e1747afdd39c}\\LocalServer"
              }
            ],
            "repeated": 0,
            "id": 2245
          },
          {
            "timestamp": "2026-05-28 22:02:13,994",
            "thread_id": "11168",
            "caller": "0x7ffc77baad16",
            "parentcaller": "0x7ffc77ba83b8",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x0000036a"
              },
              {
                "name": "SubKey",
                "value": "CLSID\\{B03C2205-F02E-4D77-80DF-E1747AFDD39C}"
              },
              {
                "name": "Handle",
                "value": "0x000004da"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{B03C2205-F02E-4D77-80DF-E1747AFDD39C}"
              }
            ],
            "repeated": 0,
            "id": 2246
          },
          {
            "timestamp": "2026-05-28 22:02:13,994",
            "thread_id": "11168",
            "caller": "0x7ffc77baad4d",
            "parentcaller": "0x7ffc77ba83b8",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x000004da"
              },
              {
                "name": "SubKey",
                "value": "Elevation"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{b03c2205-f02e-4d77-80df-e1747afdd39c}\\Elevation"
              }
            ],
            "repeated": 0,
            "id": 2247
          },
          {
            "timestamp": "2026-05-28 22:02:13,994",
            "thread_id": "11168",
            "caller": "0x7ffc77baadb1",
            "parentcaller": "0x7ffc77ba83b8",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004da"
              }
            ],
            "repeated": 0,
            "id": 2248
          },
          {
            "timestamp": "2026-05-28 22:02:13,994",
            "thread_id": "11168",
            "caller": "0x7ffc77ba8010",
            "parentcaller": "0x7ffc77ba53d4",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004d2"
              }
            ],
            "repeated": 0,
            "id": 2249
          },
          {
            "timestamp": "2026-05-28 22:02:13,994",
            "thread_id": "11168",
            "caller": "0x7ffc77ba22bf",
            "parentcaller": "0x7ffc77ba25e9",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x000003c6"
              },
              {
                "name": "SubKey",
                "value": "CLSID\\{B03C2205-F02E-4D77-80DF-E1747AFDD39C}"
              },
              {
                "name": "Handle",
                "value": "0x000004d2"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{B03C2205-F02E-4D77-80DF-E1747AFDD39C}"
              }
            ],
            "repeated": 0,
            "id": 2250
          },
          {
            "timestamp": "2026-05-28 22:02:14,010",
            "thread_id": "11168",
            "caller": "0x7ffc77c1f8f8",
            "parentcaller": "0x7ffc77ba213b",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x000004d2"
              },
              {
                "name": "SubKey",
                "value": "TreatAs"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{b03c2205-f02e-4d77-80df-e1747afdd39c}\\TreatAs"
              }
            ],
            "repeated": 0,
            "id": 2251
          },
          {
            "timestamp": "2026-05-28 22:02:14,010",
            "thread_id": "11168",
            "caller": "0x7ffc77ba2160",
            "parentcaller": "0x7ffc77b99277",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004d2"
              }
            ],
            "repeated": 0,
            "id": 2252
          },
          {
            "timestamp": "2026-05-28 22:02:14,010",
            "thread_id": "11168",
            "caller": "0x7ffc756d30ce",
            "parentcaller": "0x7ffc77c22cd1",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 2253
          },
          {
            "timestamp": "2026-05-28 22:02:14,010",
            "thread_id": "11168",
            "caller": "0x7ffc756d30ce",
            "parentcaller": "0x7ffc77c22cd1",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000037c"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 2254
          },
          {
            "timestamp": "2026-05-28 22:02:14,010",
            "thread_id": "11168",
            "caller": "0x7ffc756e56b2",
            "parentcaller": "0x7ffc77bc6b6d",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\system32\\execmodelproxy"
              },
              {
                "name": "DllBase",
                "value": "0x7ffc614e0000"
              }
            ],
            "repeated": 0,
            "id": 2255
          },
          {
            "timestamp": "2026-05-28 22:02:14,010",
            "thread_id": "11168",
            "caller": "0x7ffc756e56b2",
            "parentcaller": "0x7ffc77bc6b6d",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\execmodelproxy.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc614e0000"
              }
            ],
            "repeated": 0,
            "id": 2256
          },
          {
            "timestamp": "2026-05-28 22:02:14,010",
            "thread_id": "11168",
            "caller": "0x7ffc756e56b2",
            "parentcaller": "0x7ffc77bc6b6d",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x7ffc614e0000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\system32\\execmodelproxy.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00002008"
              }
            ],
            "repeated": 0,
            "id": 2257
          },
          {
            "timestamp": "2026-05-28 22:02:14,010",
            "thread_id": "11168",
            "caller": "0x7ffc756eac31",
            "parentcaller": "0x7ffc77bc6acf",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "execmodelproxy.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc614e0000"
              },
              {
                "name": "FunctionName",
                "value": "DllGetClassObject"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc614e1910"
              }
            ],
            "repeated": 0,
            "id": 2258
          },
          {
            "timestamp": "2026-05-28 22:02:14,010",
            "thread_id": "11168",
            "caller": "0x7ffc756eac31",
            "parentcaller": "0x7ffc77bc6ae8",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": false,
            "return": "0xffffffffc0000139",
            "pretty_return": "ENTRYPOINT_NOT_FOUND",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "execmodelproxy.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc614e0000"
              },
              {
                "name": "FunctionName",
                "value": "DllGetActivationFactory"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 2259
          },
          {
            "timestamp": "2026-05-28 22:02:14,010",
            "thread_id": "11168",
            "caller": "0x7ffc756eac31",
            "parentcaller": "0x7ffc77bc6b08",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "execmodelproxy.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc614e0000"
              },
              {
                "name": "FunctionName",
                "value": "DllCanUnloadNow"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc614e1950"
              }
            ],
            "repeated": 0,
            "id": 2260
          },
          {
            "timestamp": "2026-05-28 22:02:14,010",
            "thread_id": "11168",
            "caller": "0x7ffc756e08ee",
            "parentcaller": "0x7ffc639a6dcd",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000004d0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001000",
                "pretty_value": "PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "10720"
              }
            ],
            "repeated": 0,
            "id": 2261
          },
          {
            "timestamp": "2026-05-28 22:02:14,010",
            "thread_id": "11168",
            "caller": "0x7ffc756e6785",
            "parentcaller": "0x7ffc639a6eeb",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004d0"
              }
            ],
            "repeated": 0,
            "id": 2262
          },
          {
            "timestamp": "2026-05-28 22:02:14,010",
            "thread_id": "11168",
            "caller": "0x7ffc756e08ee",
            "parentcaller": "0x7ffc63999876",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000004d0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001000",
                "pretty_value": "PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "10720"
              }
            ],
            "repeated": 0,
            "id": 2263
          },
          {
            "timestamp": "2026-05-28 22:02:14,010",
            "thread_id": "11168",
            "caller": "0x7ffc7572026b",
            "parentcaller": "0x7ffc639998bc",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000004d0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x000004d8"
              }
            ],
            "repeated": 0,
            "id": 2264
          },
          {
            "timestamp": "2026-05-28 22:02:14,010",
            "thread_id": "11168",
            "caller": "0x7ffc756e54eb",
            "parentcaller": "0x7ffc63999910",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "`\\xf8\\x1f\\xf9\\xb8\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\xe9\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 2265
          },
          {
            "timestamp": "2026-05-28 22:02:14,010",
            "thread_id": "11168",
            "caller": "0x7ffc756e6785",
            "parentcaller": "0x7ffc63999ae9",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004d8"
              }
            ],
            "repeated": 0,
            "id": 2266
          },
          {
            "timestamp": "2026-05-28 22:02:14,010",
            "thread_id": "11168",
            "caller": "0x7ffc756e6785",
            "parentcaller": "0x7ffc63999af9",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004d0"
              }
            ],
            "repeated": 0,
            "id": 2267
          },
          {
            "timestamp": "2026-05-28 22:02:14,010",
            "thread_id": "11168",
            "caller": "0x7ffc756e08ee",
            "parentcaller": "0x7ffc639996c2",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000004d0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001000",
                "pretty_value": "PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "10720"
              }
            ],
            "repeated": 0,
            "id": 2268
          },
          {
            "timestamp": "2026-05-28 22:02:14,010",
            "thread_id": "11168",
            "caller": "0x7ffc7572026b",
            "parentcaller": "0x7ffc756ecbb0",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x000004d0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x000004d8"
              }
            ],
            "repeated": 0,
            "id": 2269
          },
          {
            "timestamp": "2026-05-28 22:02:14,010",
            "thread_id": "11168",
            "caller": "0x7ffc756eaa1f",
            "parentcaller": "0x7ffc756ecb7c",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "39"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 2270
          },
          {
            "timestamp": "2026-05-28 22:02:14,010",
            "thread_id": "11168",
            "caller": "0x7ffc756eaaa8",
            "parentcaller": "0x7ffc756ecb7c",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "39"
              },
              {
                "name": "TokenInformation",
                "value": "\\x01\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\xb0bIe\\xa3\\x02\\x00\\x00\\x1c\\x00\\x1c\\x00\\x00\\x00\\x00\\x00PcIe\\xa3\\x02\\x00\\x00\\x03\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00pcIe\\xa3\\x02\\x00\\x00\\x12\\x00\\x12\\x00\\x00\\x00\\x00\\x00\\x84dIe\\xa3\\x02\\x00\\x00\\x02\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x98dIe\\xa3\\x02\\x00\\x00\\x1e\\x00\\x1e\\x00\\x00\\x00\\x00\\x00\\xa0dIe\\xa3\\x02\\x00\\x00\\x02\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xc0dIe\\xa3\\x02\\x00\\x00 \\x00 \\x00\\x00\\x00\\x00\\x00\\xc8dIe\\xa3\\x02\\x00\\x00\\x02\\x00\\x00\\x00A\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xe8dIe\\xa3\\x02\\x00\\x00W\\x00I\\x00N\\x00:\\x00/\\x00/\\x00S\\x00Y\\x00S\\x00A\\x00P\\x00P\\x00I\\x00D\\x00\\x00\\x00\\x00\\x00\\x86\\x00\\x86\\x00\\x00\\x00\\x00\\x00\\xa0cIe\\xa3\\x02\\x00\\x00\\x06\\x00\\x06\\x00\\x00\\x00\\x00\\x00&dIe\\xa3\\x02\\x00\\x00X\\x00X\\x00\\x00\\x00\\x00\\x00,dIe\\xa3\\x02\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 2271
          },
          {
            "timestamp": "2026-05-28 22:02:14,010",
            "thread_id": "11168",
            "caller": "0x7ffc756e6785",
            "parentcaller": "0x7ffc756ecbbe",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004d8"
              }
            ],
            "repeated": 0,
            "id": 2272
          },
          {
            "timestamp": "2026-05-28 22:02:14,010",
            "thread_id": "11168",
            "caller": "0x7ffc756e6785",
            "parentcaller": "0x7ffc639997e7",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004d0"
              }
            ],
            "repeated": 0,
            "id": 2273
          },
          {
            "timestamp": "2026-05-28 22:02:14,010",
            "thread_id": "11168",
            "caller": "0x7ffc639bd2e7",
            "parentcaller": "0x7ffc639b8bdd",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "53067330-01CE-4027-947F-FF8580E92463"
              },
              {
                "name": "ClsContext",
                "value": "0x00000001",
                "pretty_value": "CLSCTX_INPROC_SERVER"
              },
              {
                "name": "riid",
                "value": "D54E68C2-54CD-48B3-AD9A-3F4A4503BA80"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 2274
          },
          {
            "timestamp": "2026-05-28 22:02:14,010",
            "thread_id": "11168",
            "caller": "0x7ffc78017830",
            "parentcaller": "0x7ffc780020f9",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc639ef000"
              },
              {
                "name": "ModuleName",
                "value": "execmodelclient.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 2275
          },
          {
            "timestamp": "2026-05-28 22:02:14,010",
            "thread_id": "11168",
            "caller": "0x7ffc78017881",
            "parentcaller": "0x7ffc780020f9",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc639ef000"
              },
              {
                "name": "ModuleName",
                "value": "execmodelclient.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 2276
          },
          {
            "timestamp": "2026-05-28 22:02:14,010",
            "thread_id": "11168",
            "caller": "0x7ffc7808e53f",
            "parentcaller": "0x7ffc77fefaf7",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "93"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x7f7\\x9e}"
              }
            ],
            "repeated": 0,
            "id": 2277
          },
          {
            "timestamp": "2026-05-28 22:02:14,010",
            "thread_id": "11168",
            "caller": "0x7ffc77fe5157",
            "parentcaller": "0x7ffc77fe43ea",
            "category": "process",
            "api": "NtOpenSection",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0000000d"
              },
              {
                "name": "ObjectAttributes",
                "value": "policymanager.dll"
              }
            ],
            "repeated": 0,
            "id": 2278
          },
          {
            "timestamp": "2026-05-28 22:02:14,010",
            "thread_id": "11168",
            "caller": "0x7ffc7802f37b",
            "parentcaller": "0x7ffc7802f207",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\policymanager.dll"
              }
            ],
            "repeated": 0,
            "id": 2279
          },
          {
            "timestamp": "2026-05-28 22:02:14,010",
            "thread_id": "11168",
            "caller": "0x7ffc7802fc9c",
            "parentcaller": "0x7ffc7802fa80",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000004d0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100021",
                "pretty_value": "FILE_READ_ACCESS|FILE_EXECUTE|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\policymanager.dll"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 2280
          },
          {
            "timestamp": "2026-05-28 22:02:14,010",
            "thread_id": "11168",
            "caller": "0x7ffc7802fcfe",
            "parentcaller": "0x7ffc7802fa80",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x000004d8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0000000d",
                "pretty_value": "SECTION_QUERY|SECTION_MAP_READ|SECTION_MAP_EXECUTE"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x000004d0"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\policymanager.dll"
              }
            ],
            "repeated": 0,
            "id": 2281
          },
          {
            "timestamp": "2026-05-28 22:02:14,010",
            "thread_id": "11168",
            "caller": "0x7ffc77fe4d42",
            "parentcaller": "0x7ffc77fe4aaa",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x000004d8"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc6fce0000"
              },
              {
                "name": "SectionOffset",
                "value": "0x00000000"
              },
              {
                "name": "ViewSize",
                "value": "0x000a1000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000080",
                "pretty_value": "PAGE_EXECUTE_WRITECOPY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 2282
          },
          {
            "timestamp": "2026-05-28 22:02:14,010",
            "thread_id": "11168",
            "caller": "0x7ffc77fdfee4",
            "parentcaller": "0x7ffc77fdfad8",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc6fd7e000"
              },
              {
                "name": "ModuleName",
                "value": "policymanager.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 2283
          },
          {
            "timestamp": "2026-05-28 22:02:14,010",
            "thread_id": "11168",
            "caller": "0x7ffc77fdffb5",
            "parentcaller": "0x7ffc77fdfad8",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc6fd58000"
              },
              {
                "name": "ModuleName",
                "value": "policymanager.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 2284
          },
          {
            "timestamp": "2026-05-28 22:02:14,010",
            "thread_id": "11168",
            "caller": "0x7ffc77fdffed",
            "parentcaller": "0x7ffc77fdfad8",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc6fd58000"
              },
              {
                "name": "ModuleName",
                "value": "policymanager.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 2285
          },
          {
            "timestamp": "2026-05-28 22:02:14,010",
            "thread_id": "11168",
            "caller": "0x7ffc77fe0068",
            "parentcaller": "0x7ffc77fdfad8",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc6fd58000"
              },
              {
                "name": "ModuleName",
                "value": "policymanager.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 2286
          },
          {
            "timestamp": "2026-05-28 22:02:14,010",
            "thread_id": "11168",
            "caller": "0x7ffc77fe009c",
            "parentcaller": "0x7ffc77fdfad8",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc6fd58000"
              },
              {
                "name": "ModuleName",
                "value": "policymanager.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 2287
          },
          {
            "timestamp": "2026-05-28 22:02:14,010",
            "thread_id": "11168",
            "caller": "0x7ffc77fe5082",
            "parentcaller": "0x7ffc77fe79d2",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc6fd58000"
              },
              {
                "name": "ModuleName",
                "value": "policymanager.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 2288
          },
          {
            "timestamp": "2026-05-28 22:02:14,010",
            "thread_id": "11168",
            "caller": "0x7ffc77ff2caa",
            "parentcaller": "0x7ffc77ff2fbd",
            "category": "process",
            "api": "NtAllocateVirtualMemoryEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2a3654a7000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 2289
          },
          {
            "timestamp": "2026-05-28 22:02:14,010",
            "thread_id": "11168",
            "caller": "0x7ffc77ff2caa",
            "parentcaller": "0x7ffc77ff2fbd",
            "category": "process",
            "api": "NtAllocateVirtualMemoryEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2a3654a8000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 2290
          },
          {
            "timestamp": "2026-05-28 22:02:14,010",
            "thread_id": "11168",
            "caller": "0x7ffc77fe5157",
            "parentcaller": "0x7ffc77fe43ea",
            "category": "process",
            "api": "NtOpenSection",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0000000d"
              },
              {
                "name": "ObjectAttributes",
                "value": "msvcp110_win.dll"
              }
            ],
            "repeated": 0,
            "id": 2291
          },
          {
            "timestamp": "2026-05-28 22:02:14,010",
            "thread_id": "11168",
            "caller": "0x7ffc7802fd68",
            "parentcaller": "0x7ffc7802fa80",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004d8"
              }
            ],
            "repeated": 0,
            "id": 2292
          },
          {
            "timestamp": "2026-05-28 22:02:14,010",
            "thread_id": "11168",
            "caller": "0x7ffc7802fd71",
            "parentcaller": "0x7ffc7802fa80",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004d0"
              }
            ],
            "repeated": 0,
            "id": 2293
          },
          {
            "timestamp": "2026-05-28 22:02:14,010",
            "thread_id": "11168",
            "caller": "0x7ffc7802f37b",
            "parentcaller": "0x7ffc7802f207",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msvcp110_win.dll"
              }
            ],
            "repeated": 0,
            "id": 2294
          },
          {
            "timestamp": "2026-05-28 22:02:14,010",
            "thread_id": "11168",
            "caller": "0x7ffc7802f37b",
            "parentcaller": "0x7ffc7802f207",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\msvcp110_win.dll"
              }
            ],
            "repeated": 0,
            "id": 2295
          },
          {
            "timestamp": "2026-05-28 22:02:14,010",
            "thread_id": "11168",
            "caller": "0x7ffc7802fc9c",
            "parentcaller": "0x7ffc7802f7b0",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000004d0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100021",
                "pretty_value": "FILE_READ_ACCESS|FILE_EXECUTE|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\msvcp110_win.dll"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 2296
          },
          {
            "timestamp": "2026-05-28 22:02:14,010",
            "thread_id": "11168",
            "caller": "0x7ffc7802fcfe",
            "parentcaller": "0x7ffc7802f7b0",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x000004d8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0000000d",
                "pretty_value": "SECTION_QUERY|SECTION_MAP_READ|SECTION_MAP_EXECUTE"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x000004d0"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\msvcp110_win.dll"
              }
            ],
            "repeated": 0,
            "id": 2297
          },
          {
            "timestamp": "2026-05-28 22:02:14,010",
            "thread_id": "11168",
            "caller": "0x7ffc77fe4d42",
            "parentcaller": "0x7ffc77fe4aaa",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x000004d8"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc74740000"
              },
              {
                "name": "SectionOffset",
                "value": "0x00000000"
              },
              {
                "name": "ViewSize",
                "value": "0x0008a000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000080",
                "pretty_value": "PAGE_EXECUTE_WRITECOPY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 2298
          },
          {
            "timestamp": "2026-05-28 22:02:14,010",
            "thread_id": "11168",
            "caller": "0x7ffc77fdffb5",
            "parentcaller": "0x7ffc77fdfad8",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc7478d000"
              },
              {
                "name": "ModuleName",
                "value": "msvcp110_win.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 2299
          },
          {
            "timestamp": "2026-05-28 22:02:14,010",
            "thread_id": "11168",
            "caller": "0x7ffc77fdffed",
            "parentcaller": "0x7ffc77fdfad8",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc7478d000"
              },
              {
                "name": "ModuleName",
                "value": "msvcp110_win.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 2300
          },
          {
            "timestamp": "2026-05-28 22:02:14,010",
            "thread_id": "11168",
            "caller": "0x7ffc77fe0068",
            "parentcaller": "0x7ffc77fdfad8",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc7478d000"
              },
              {
                "name": "ModuleName",
                "value": "msvcp110_win.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 2301
          },
          {
            "timestamp": "2026-05-28 22:02:14,010",
            "thread_id": "11168",
            "caller": "0x7ffc77fe009c",
            "parentcaller": "0x7ffc77fdfad8",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc7478d000"
              },
              {
                "name": "ModuleName",
                "value": "msvcp110_win.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 2302
          },
          {
            "timestamp": "2026-05-28 22:02:14,010",
            "thread_id": "11168",
            "caller": "0x7ffc77fe5082",
            "parentcaller": "0x7ffc77fe79d2",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc7478d000"
              },
              {
                "name": "ModuleName",
                "value": "msvcp110_win.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 2303
          },
          {
            "timestamp": "2026-05-28 22:02:14,010",
            "thread_id": "11168",
            "caller": "0x7ffc7802fd68",
            "parentcaller": "0x7ffc7802f7b0",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004d8"
              }
            ],
            "repeated": 0,
            "id": 2304
          },
          {
            "timestamp": "2026-05-28 22:02:14,010",
            "thread_id": "11168",
            "caller": "0x7ffc7802fd71",
            "parentcaller": "0x7ffc7802f7b0",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004d0"
              }
            ],
            "repeated": 0,
            "id": 2305
          },
          {
            "timestamp": "2026-05-28 22:02:14,010",
            "thread_id": "11168",
            "caller": "0x7ffc78017bac",
            "parentcaller": "0x7ffc7800288a",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc6fd58000"
              },
              {
                "name": "ModuleName",
                "value": "policymanager.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 2306
          },
          {
            "timestamp": "2026-05-28 22:02:14,010",
            "thread_id": "11168",
            "caller": "0x7ffc78017fe1",
            "parentcaller": "0x7ffc78017bdd",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "35"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x15\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 2307
          },
          {
            "timestamp": "2026-05-28 22:02:14,010",
            "thread_id": "11168",
            "caller": "0x7ffc78017bac",
            "parentcaller": "0x7ffc7800288a",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc7478d000"
              },
              {
                "name": "ModuleName",
                "value": "msvcp110_win.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 2308
          },
          {
            "timestamp": "2026-05-28 22:02:14,010",
            "thread_id": "11168",
            "caller": "0x7ffc78017bac",
            "parentcaller": "0x7ffc7800288a",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\System32\\msvcp110_win"
              },
              {
                "name": "DllBase",
                "value": "0x7ffc74740000"
              }
            ],
            "repeated": 0,
            "id": 2309
          },
          {
            "timestamp": "2026-05-28 22:02:14,010",
            "thread_id": "11168",
            "caller": "0x7ffc78017bac",
            "parentcaller": "0x7ffc7800288a",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\SYSTEM32\\policymanager"
              },
              {
                "name": "DllBase",
                "value": "0x7ffc6fce0000"
              }
            ],
            "repeated": 0,
            "id": 2310
          },
          {
            "timestamp": "2026-05-28 22:02:14,010",
            "thread_id": "11168",
            "caller": "0x7ffc77ff2caa",
            "parentcaller": "0x7ffc77ff2fbd",
            "category": "process",
            "api": "NtAllocateVirtualMemoryEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2a365509000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 2311
          },
          {
            "timestamp": "2026-05-28 22:02:14,010",
            "thread_id": "11168",
            "caller": "0x7ffc77ff2caa",
            "parentcaller": "0x7ffc77ff2fbd",
            "category": "process",
            "api": "NtAllocateVirtualMemoryEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2a365515000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 2312
          },
          {
            "timestamp": "2026-05-28 22:02:14,010",
            "thread_id": "11168",
            "caller": "0x7ffc77ff2caa",
            "parentcaller": "0x7ffc77ff2fbd",
            "category": "system",
            "api": "LdrpCallInitRoutine",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "MappedPath",
                "value": "\\Device\\HarddiskVolume2\\Windows\\System32\\msvcp110_win"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc74740000"
              },
              {
                "name": "InitRoutine",
                "value": "0x7ffc74785870"
              },
              {
                "name": "Reason",
                "value": "1"
              }
            ],
            "repeated": 0,
            "id": 2313
          },
          {
            "timestamp": "2026-05-28 22:02:14,010",
            "thread_id": "11168",
            "caller": "0x7ffc7803c2c7",
            "parentcaller": "0x7ffc7803c05a",
            "category": "system",
            "api": "LdrpCallInitRoutine",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "MappedPath",
                "value": "\\Device\\HarddiskVolume2\\Windows\\System32\\policymanager"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc6fce0000"
              },
              {
                "name": "InitRoutine",
                "value": "0x7ffc6fce9ed0"
              },
              {
                "name": "Reason",
                "value": "1"
              }
            ],
            "repeated": 0,
            "id": 2314
          },
          {
            "timestamp": "2026-05-28 22:02:14,010",
            "thread_id": "11168",
            "caller": "0x7ffc78017830",
            "parentcaller": "0x7ffc780020f9",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc639ef000"
              },
              {
                "name": "ModuleName",
                "value": "execmodelclient.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 2315
          },
          {
            "timestamp": "2026-05-28 22:02:14,010",
            "thread_id": "11168",
            "caller": "0x7ffc78017881",
            "parentcaller": "0x7ffc780020f9",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc639ef000"
              },
              {
                "name": "ModuleName",
                "value": "execmodelclient.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 2316
          },
          {
            "timestamp": "2026-05-28 22:02:14,010",
            "thread_id": "11168",
            "caller": "0x7ffc78017830",
            "parentcaller": "0x7ffc780020f9",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc6fd7e000"
              },
              {
                "name": "ModuleName",
                "value": "policymanager.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 2317
          },
          {
            "timestamp": "2026-05-28 22:02:14,010",
            "thread_id": "11168",
            "caller": "0x7ffc78017881",
            "parentcaller": "0x7ffc780020f9",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc6fd7e000"
              },
              {
                "name": "ModuleName",
                "value": "policymanager.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 2318
          },
          {
            "timestamp": "2026-05-28 22:02:14,010",
            "thread_id": "11168",
            "caller": "0x7ffc6fce71e2",
            "parentcaller": "0x7ffc6fce5a59",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "Software\\Microsoft\\PolicyManager\\default\\Privacy\\LetAppsRunInBackground_UserInControlOfTheseApps"
              },
              {
                "name": "Handle",
                "value": "0x000004dc"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\PolicyManager\\default\\Privacy\\LetAppsRunInBackground_UserInControlOfTheseApps"
              }
            ],
            "repeated": 0,
            "id": 2319
          },
          {
            "timestamp": "2026-05-28 22:02:14,010",
            "thread_id": "11168",
            "caller": "0x7ffc6fce723c",
            "parentcaller": "0x7ffc6fce5a59",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004dc"
              },
              {
                "name": "ValueName",
                "value": "PolicyType"
              },
              {
                "name": "Data",
                "value": "1"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\Privacy\\LetAppsRunInBackground_UserInControlOfTheseApps\\PolicyType"
              }
            ],
            "repeated": 0,
            "id": 2320
          },
          {
            "timestamp": "2026-05-28 22:02:14,010",
            "thread_id": "11168",
            "caller": "0x7ffc6fce72a8",
            "parentcaller": "0x7ffc6fce5a59",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004dc"
              },
              {
                "name": "ValueName",
                "value": "Behavior"
              },
              {
                "name": "Data",
                "value": "139296"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\Privacy\\LetAppsRunInBackground_UserInControlOfTheseApps\\Behavior"
              }
            ],
            "repeated": 0,
            "id": 2321
          },
          {
            "timestamp": "2026-05-28 22:02:14,010",
            "thread_id": "11168",
            "caller": "0x7ffc6fce732c",
            "parentcaller": "0x7ffc6fce5a59",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004dc"
              },
              {
                "name": "ValueName",
                "value": "MergeAlgorithm"
              },
              {
                "name": "Data",
                "value": "3"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\Privacy\\LetAppsRunInBackground_UserInControlOfTheseApps\\MergeAlgorithm"
              }
            ],
            "repeated": 0,
            "id": 2322
          },
          {
            "timestamp": "2026-05-28 22:02:14,010",
            "thread_id": "11168",
            "caller": "0x7ffc6fce739f",
            "parentcaller": "0x7ffc6fce5a59",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004dc"
              },
              {
                "name": "ValueName",
                "value": "RegKeyPathRedirectMapped"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\Privacy\\LetAppsRunInBackground_UserInControlOfTheseApps\\RegKeyPathRedirectMapped"
              }
            ],
            "repeated": 0,
            "id": 2323
          },
          {
            "timestamp": "2026-05-28 22:02:14,010",
            "thread_id": "11168",
            "caller": "0x7ffc6fce7402",
            "parentcaller": "0x7ffc6fce5a59",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004dc"
              },
              {
                "name": "ValueName",
                "value": "RegKeyPathRedirect"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\Privacy\\LetAppsRunInBackground_UserInControlOfTheseApps\\RegKeyPathRedirect"
              }
            ],
            "repeated": 0,
            "id": 2324
          },
          {
            "timestamp": "2026-05-28 22:02:14,010",
            "thread_id": "11168",
            "caller": "0x7ffc6fce755e",
            "parentcaller": "0x7ffc6fce5a59",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004dc"
              },
              {
                "name": "ValueName",
                "value": "grouppolicyname"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\Privacy\\LetAppsRunInBackground_UserInControlOfTheseApps\\grouppolicyname"
              }
            ],
            "repeated": 0,
            "id": 2325
          },
          {
            "timestamp": "2026-05-28 22:02:14,010",
            "thread_id": "11168",
            "caller": "0x7ffc78017830",
            "parentcaller": "0x7ffc780020f9",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc6fd7e000"
              },
              {
                "name": "ModuleName",
                "value": "policymanager.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 2326
          },
          {
            "timestamp": "2026-05-28 22:02:14,010",
            "thread_id": "11168",
            "caller": "0x7ffc78017881",
            "parentcaller": "0x7ffc780020f9",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc6fd7e000"
              },
              {
                "name": "ModuleName",
                "value": "policymanager.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 2327
          },
          {
            "timestamp": "2026-05-28 22:02:14,010",
            "thread_id": "11168",
            "caller": "0x7ffc6fce75df",
            "parentcaller": "0x7ffc6fce5a59",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004dc"
              },
              {
                "name": "ValueName",
                "value": "grouppolicyname"
              },
              {
                "name": "Data",
                "value": "LetAppsRunInBackground_UserInControlOfTheseApps"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\Privacy\\LetAppsRunInBackground_UserInControlOfTheseApps\\grouppolicyname"
              }
            ],
            "repeated": 0,
            "id": 2328
          },
          {
            "timestamp": "2026-05-28 22:02:14,010",
            "thread_id": "11168",
            "caller": "0x7ffc6fce7647",
            "parentcaller": "0x7ffc6fce5a59",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004dc"
              },
              {
                "name": "ValueName",
                "value": "grouppolicypath"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\Privacy\\LetAppsRunInBackground_UserInControlOfTheseApps\\grouppolicypath"
              }
            ],
            "repeated": 0,
            "id": 2329
          },
          {
            "timestamp": "2026-05-28 22:02:14,010",
            "thread_id": "11168",
            "caller": "0x7ffc6fce776a",
            "parentcaller": "0x7ffc6fce5a59",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004dc"
              },
              {
                "name": "ValueName",
                "value": "grouppolicypath"
              },
              {
                "name": "Data",
                "value": "Software\\Policies\\Microsoft\\Windows\\AppPrivacy"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\Privacy\\LetAppsRunInBackground_UserInControlOfTheseApps\\grouppolicypath"
              }
            ],
            "repeated": 0,
            "id": 2330
          },
          {
            "timestamp": "2026-05-28 22:02:14,010",
            "thread_id": "11168",
            "caller": "0x7ffc6fce77f6",
            "parentcaller": "0x7ffc6fce5a59",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004dc"
              },
              {
                "name": "ValueName",
                "value": "grouppolicyismultisz"
              },
              {
                "name": "Data",
                "value": "1"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\Privacy\\LetAppsRunInBackground_UserInControlOfTheseApps\\grouppolicyismultisz"
              }
            ],
            "repeated": 0,
            "id": 2331
          },
          {
            "timestamp": "2026-05-28 22:02:14,010",
            "thread_id": "11168",
            "caller": "0x7ffc6fce7836",
            "parentcaller": "0x7ffc6fce5a59",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004dc"
              },
              {
                "name": "ValueName",
                "value": "grouppolicymultiszSeparatorChar"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\Privacy\\LetAppsRunInBackground_UserInControlOfTheseApps\\grouppolicymultiszSeparatorChar"
              }
            ],
            "repeated": 0,
            "id": 2332
          },
          {
            "timestamp": "2026-05-28 22:02:14,010",
            "thread_id": "11168",
            "caller": "0x7ffc6fce78f6",
            "parentcaller": "0x7ffc6fce5a59",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004dc"
              },
              {
                "name": "ValueName",
                "value": "ADMXMetadataUser"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\Privacy\\LetAppsRunInBackground_UserInControlOfTheseApps\\ADMXMetadataUser"
              }
            ],
            "repeated": 0,
            "id": 2333
          },
          {
            "timestamp": "2026-05-28 22:02:14,010",
            "thread_id": "11168",
            "caller": "0x7ffc6fce79b1",
            "parentcaller": "0x7ffc6fce5a59",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004dc"
              },
              {
                "name": "ValueName",
                "value": "ADMXMetadataDevice"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\Privacy\\LetAppsRunInBackground_UserInControlOfTheseApps\\ADMXMetadataDevice"
              }
            ],
            "repeated": 0,
            "id": 2334
          },
          {
            "timestamp": "2026-05-28 22:02:14,010",
            "thread_id": "11168",
            "caller": "0x7ffc6fce7a6c",
            "parentcaller": "0x7ffc6fce5a59",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004dc"
              },
              {
                "name": "ValueName",
                "value": "ADMXMetadataBoth"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\Privacy\\LetAppsRunInBackground_UserInControlOfTheseApps\\ADMXMetadataBoth"
              }
            ],
            "repeated": 0,
            "id": 2335
          },
          {
            "timestamp": "2026-05-28 22:02:14,010",
            "thread_id": "11168",
            "caller": "0x7ffc756e2e92",
            "parentcaller": "0x7ffc6fcedb1b",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004dc"
              },
              {
                "name": "ValueName",
                "value": "30Value"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\Privacy\\LetAppsRunInBackground_UserInControlOfTheseApps\\30Value"
              }
            ],
            "repeated": 0,
            "id": 2336
          },
          {
            "timestamp": "2026-05-28 22:02:14,010",
            "thread_id": "11168",
            "caller": "0x7ffc6fce7ca8",
            "parentcaller": "0x7ffc6fce5a59",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004dc"
              },
              {
                "name": "ValueName",
                "value": "Value"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\Privacy\\LetAppsRunInBackground_UserInControlOfTheseApps\\Value"
              }
            ],
            "repeated": 0,
            "id": 2337
          },
          {
            "timestamp": "2026-05-28 22:02:14,010",
            "thread_id": "11168",
            "caller": "0x7ffc6fce76a9",
            "parentcaller": "0x7ffc6fce5a59",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004dc"
              }
            ],
            "repeated": 0,
            "id": 2338
          },
          {
            "timestamp": "2026-05-28 22:02:14,010",
            "thread_id": "11168",
            "caller": "0x7ffc6fce5c61",
            "parentcaller": "0x7ffc6fce5ac0",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "Software\\Policies\\Microsoft\\Windows\\AppPrivacy"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\AppPrivacy"
              }
            ],
            "repeated": 0,
            "id": 2339
          },
          {
            "timestamp": "2026-05-28 22:02:14,010",
            "thread_id": "11168",
            "caller": "0x7ffc6fce5d7c",
            "parentcaller": "0x7ffc6fce5ac0",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "Software\\Microsoft\\PolicyManager\\current\\Device\\Privacy"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\PolicyManager\\current\\Device\\Privacy"
              }
            ],
            "repeated": 0,
            "id": 2340
          },
          {
            "timestamp": "2026-05-28 22:02:14,010",
            "thread_id": "11168",
            "caller": "0x7ffc6fce71e2",
            "parentcaller": "0x7ffc6fce5a59",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "Software\\Microsoft\\PolicyManager\\default\\Privacy\\LetAppsRunInBackground_ForceAllowTheseApps"
              },
              {
                "name": "Handle",
                "value": "0x000004dc"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\PolicyManager\\default\\Privacy\\LetAppsRunInBackground_ForceAllowTheseApps"
              }
            ],
            "repeated": 0,
            "id": 2341
          },
          {
            "timestamp": "2026-05-28 22:02:14,010",
            "thread_id": "11168",
            "caller": "0x7ffc6fce723c",
            "parentcaller": "0x7ffc6fce5a59",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004dc"
              },
              {
                "name": "ValueName",
                "value": "PolicyType"
              },
              {
                "name": "Data",
                "value": "1"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\Privacy\\LetAppsRunInBackground_ForceAllowTheseApps\\PolicyType"
              }
            ],
            "repeated": 0,
            "id": 2342
          },
          {
            "timestamp": "2026-05-28 22:02:14,010",
            "thread_id": "11168",
            "caller": "0x7ffc6fce72a8",
            "parentcaller": "0x7ffc6fce5a59",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004dc"
              },
              {
                "name": "ValueName",
                "value": "Behavior"
              },
              {
                "name": "Data",
                "value": "139296"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\Privacy\\LetAppsRunInBackground_ForceAllowTheseApps\\Behavior"
              }
            ],
            "repeated": 0,
            "id": 2343
          },
          {
            "timestamp": "2026-05-28 22:02:14,010",
            "thread_id": "11168",
            "caller": "0x7ffc6fce732c",
            "parentcaller": "0x7ffc6fce5a59",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004dc"
              },
              {
                "name": "ValueName",
                "value": "MergeAlgorithm"
              },
              {
                "name": "Data",
                "value": "3"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\Privacy\\LetAppsRunInBackground_ForceAllowTheseApps\\MergeAlgorithm"
              }
            ],
            "repeated": 0,
            "id": 2344
          },
          {
            "timestamp": "2026-05-28 22:02:14,010",
            "thread_id": "11168",
            "caller": "0x7ffc6fce739f",
            "parentcaller": "0x7ffc6fce5a59",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004dc"
              },
              {
                "name": "ValueName",
                "value": "RegKeyPathRedirectMapped"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\Privacy\\LetAppsRunInBackground_ForceAllowTheseApps\\RegKeyPathRedirectMapped"
              }
            ],
            "repeated": 0,
            "id": 2345
          },
          {
            "timestamp": "2026-05-28 22:02:14,010",
            "thread_id": "11168",
            "caller": "0x7ffc6fce7402",
            "parentcaller": "0x7ffc6fce5a59",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004dc"
              },
              {
                "name": "ValueName",
                "value": "RegKeyPathRedirect"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\Privacy\\LetAppsRunInBackground_ForceAllowTheseApps\\RegKeyPathRedirect"
              }
            ],
            "repeated": 0,
            "id": 2346
          },
          {
            "timestamp": "2026-05-28 22:02:14,010",
            "thread_id": "11168",
            "caller": "0x7ffc6fce755e",
            "parentcaller": "0x7ffc6fce5a59",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004dc"
              },
              {
                "name": "ValueName",
                "value": "grouppolicyname"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\Privacy\\LetAppsRunInBackground_ForceAllowTheseApps\\grouppolicyname"
              }
            ],
            "repeated": 0,
            "id": 2347
          },
          {
            "timestamp": "2026-05-28 22:02:14,010",
            "thread_id": "11168",
            "caller": "0x7ffc6fce75df",
            "parentcaller": "0x7ffc6fce5a59",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004dc"
              },
              {
                "name": "ValueName",
                "value": "grouppolicyname"
              },
              {
                "name": "Data",
                "value": "LetAppsRunInBackground_ForceAllowTheseApps"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\Privacy\\LetAppsRunInBackground_ForceAllowTheseApps\\grouppolicyname"
              }
            ],
            "repeated": 0,
            "id": 2348
          },
          {
            "timestamp": "2026-05-28 22:02:14,010",
            "thread_id": "11168",
            "caller": "0x7ffc6fce7647",
            "parentcaller": "0x7ffc6fce5a59",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004dc"
              },
              {
                "name": "ValueName",
                "value": "grouppolicypath"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\Privacy\\LetAppsRunInBackground_ForceAllowTheseApps\\grouppolicypath"
              }
            ],
            "repeated": 0,
            "id": 2349
          },
          {
            "timestamp": "2026-05-28 22:02:14,010",
            "thread_id": "11168",
            "caller": "0x7ffc6fce776a",
            "parentcaller": "0x7ffc6fce5a59",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004dc"
              },
              {
                "name": "ValueName",
                "value": "grouppolicypath"
              },
              {
                "name": "Data",
                "value": "Software\\Policies\\Microsoft\\Windows\\AppPrivacy"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\Privacy\\LetAppsRunInBackground_ForceAllowTheseApps\\grouppolicypath"
              }
            ],
            "repeated": 0,
            "id": 2350
          },
          {
            "timestamp": "2026-05-28 22:02:14,010",
            "thread_id": "11168",
            "caller": "0x7ffc6fce77f6",
            "parentcaller": "0x7ffc6fce5a59",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004dc"
              },
              {
                "name": "ValueName",
                "value": "grouppolicyismultisz"
              },
              {
                "name": "Data",
                "value": "1"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\Privacy\\LetAppsRunInBackground_ForceAllowTheseApps\\grouppolicyismultisz"
              }
            ],
            "repeated": 0,
            "id": 2351
          },
          {
            "timestamp": "2026-05-28 22:02:14,010",
            "thread_id": "11168",
            "caller": "0x7ffc6fce7836",
            "parentcaller": "0x7ffc6fce5a59",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004dc"
              },
              {
                "name": "ValueName",
                "value": "grouppolicymultiszSeparatorChar"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\Privacy\\LetAppsRunInBackground_ForceAllowTheseApps\\grouppolicymultiszSeparatorChar"
              }
            ],
            "repeated": 0,
            "id": 2352
          },
          {
            "timestamp": "2026-05-28 22:02:14,010",
            "thread_id": "11168",
            "caller": "0x7ffc6fce78f6",
            "parentcaller": "0x7ffc6fce5a59",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004dc"
              },
              {
                "name": "ValueName",
                "value": "ADMXMetadataUser"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\Privacy\\LetAppsRunInBackground_ForceAllowTheseApps\\ADMXMetadataUser"
              }
            ],
            "repeated": 0,
            "id": 2353
          },
          {
            "timestamp": "2026-05-28 22:02:14,010",
            "thread_id": "11168",
            "caller": "0x7ffc6fce79b1",
            "parentcaller": "0x7ffc6fce5a59",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004dc"
              },
              {
                "name": "ValueName",
                "value": "ADMXMetadataDevice"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\Privacy\\LetAppsRunInBackground_ForceAllowTheseApps\\ADMXMetadataDevice"
              }
            ],
            "repeated": 0,
            "id": 2354
          },
          {
            "timestamp": "2026-05-28 22:02:14,010",
            "thread_id": "11168",
            "caller": "0x7ffc6fce7a6c",
            "parentcaller": "0x7ffc6fce5a59",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004dc"
              },
              {
                "name": "ValueName",
                "value": "ADMXMetadataBoth"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\Privacy\\LetAppsRunInBackground_ForceAllowTheseApps\\ADMXMetadataBoth"
              }
            ],
            "repeated": 0,
            "id": 2355
          },
          {
            "timestamp": "2026-05-28 22:02:14,010",
            "thread_id": "11168",
            "caller": "0x7ffc756e2e92",
            "parentcaller": "0x7ffc6fcedb1b",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004dc"
              },
              {
                "name": "ValueName",
                "value": "30Value"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\Privacy\\LetAppsRunInBackground_ForceAllowTheseApps\\30Value"
              }
            ],
            "repeated": 0,
            "id": 2356
          },
          {
            "timestamp": "2026-05-28 22:02:14,010",
            "thread_id": "11168",
            "caller": "0x7ffc6fce7ca8",
            "parentcaller": "0x7ffc6fce5a59",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004dc"
              },
              {
                "name": "ValueName",
                "value": "Value"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\Privacy\\LetAppsRunInBackground_ForceAllowTheseApps\\Value"
              }
            ],
            "repeated": 0,
            "id": 2357
          },
          {
            "timestamp": "2026-05-28 22:02:14,010",
            "thread_id": "11168",
            "caller": "0x7ffc6fce76a9",
            "parentcaller": "0x7ffc6fce5a59",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004dc"
              }
            ],
            "repeated": 0,
            "id": 2358
          },
          {
            "timestamp": "2026-05-28 22:02:14,010",
            "thread_id": "11168",
            "caller": "0x7ffc6fce5c61",
            "parentcaller": "0x7ffc6fce5ac0",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "Software\\Policies\\Microsoft\\Windows\\AppPrivacy"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\AppPrivacy"
              }
            ],
            "repeated": 0,
            "id": 2359
          },
          {
            "timestamp": "2026-05-28 22:02:14,010",
            "thread_id": "11168",
            "caller": "0x7ffc6fce5d7c",
            "parentcaller": "0x7ffc6fce5ac0",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "Software\\Microsoft\\PolicyManager\\current\\Device\\Privacy"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\PolicyManager\\current\\Device\\Privacy"
              }
            ],
            "repeated": 0,
            "id": 2360
          },
          {
            "timestamp": "2026-05-28 22:02:14,010",
            "thread_id": "11168",
            "caller": "0x7ffc6fce71e2",
            "parentcaller": "0x7ffc6fce5a59",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "Software\\Microsoft\\PolicyManager\\default\\Privacy\\LetAppsRunInBackground_ForceDenyTheseApps"
              },
              {
                "name": "Handle",
                "value": "0x000004dc"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\PolicyManager\\default\\Privacy\\LetAppsRunInBackground_ForceDenyTheseApps"
              }
            ],
            "repeated": 0,
            "id": 2361
          },
          {
            "timestamp": "2026-05-28 22:02:14,010",
            "thread_id": "11168",
            "caller": "0x7ffc6fce723c",
            "parentcaller": "0x7ffc6fce5a59",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004dc"
              },
              {
                "name": "ValueName",
                "value": "PolicyType"
              },
              {
                "name": "Data",
                "value": "1"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\Privacy\\LetAppsRunInBackground_ForceDenyTheseApps\\PolicyType"
              }
            ],
            "repeated": 0,
            "id": 2362
          },
          {
            "timestamp": "2026-05-28 22:02:14,010",
            "thread_id": "11168",
            "caller": "0x7ffc6fce72a8",
            "parentcaller": "0x7ffc6fce5a59",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004dc"
              },
              {
                "name": "ValueName",
                "value": "Behavior"
              },
              {
                "name": "Data",
                "value": "139296"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\Privacy\\LetAppsRunInBackground_ForceDenyTheseApps\\Behavior"
              }
            ],
            "repeated": 0,
            "id": 2363
          },
          {
            "timestamp": "2026-05-28 22:02:14,010",
            "thread_id": "11168",
            "caller": "0x7ffc6fce732c",
            "parentcaller": "0x7ffc6fce5a59",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004dc"
              },
              {
                "name": "ValueName",
                "value": "MergeAlgorithm"
              },
              {
                "name": "Data",
                "value": "3"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\Privacy\\LetAppsRunInBackground_ForceDenyTheseApps\\MergeAlgorithm"
              }
            ],
            "repeated": 0,
            "id": 2364
          },
          {
            "timestamp": "2026-05-28 22:02:14,010",
            "thread_id": "11168",
            "caller": "0x7ffc6fce739f",
            "parentcaller": "0x7ffc6fce5a59",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004dc"
              },
              {
                "name": "ValueName",
                "value": "RegKeyPathRedirectMapped"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\Privacy\\LetAppsRunInBackground_ForceDenyTheseApps\\RegKeyPathRedirectMapped"
              }
            ],
            "repeated": 0,
            "id": 2365
          },
          {
            "timestamp": "2026-05-28 22:02:14,010",
            "thread_id": "11168",
            "caller": "0x7ffc6fce7402",
            "parentcaller": "0x7ffc6fce5a59",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004dc"
              },
              {
                "name": "ValueName",
                "value": "RegKeyPathRedirect"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\Privacy\\LetAppsRunInBackground_ForceDenyTheseApps\\RegKeyPathRedirect"
              }
            ],
            "repeated": 0,
            "id": 2366
          },
          {
            "timestamp": "2026-05-28 22:02:14,010",
            "thread_id": "11168",
            "caller": "0x7ffc6fce755e",
            "parentcaller": "0x7ffc6fce5a59",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004dc"
              },
              {
                "name": "ValueName",
                "value": "grouppolicyname"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\Privacy\\LetAppsRunInBackground_ForceDenyTheseApps\\grouppolicyname"
              }
            ],
            "repeated": 0,
            "id": 2367
          },
          {
            "timestamp": "2026-05-28 22:02:14,010",
            "thread_id": "11168",
            "caller": "0x7ffc6fce75df",
            "parentcaller": "0x7ffc6fce5a59",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004dc"
              },
              {
                "name": "ValueName",
                "value": "grouppolicyname"
              },
              {
                "name": "Data",
                "value": "LetAppsRunInBackground_ForceDenyTheseApps"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\Privacy\\LetAppsRunInBackground_ForceDenyTheseApps\\grouppolicyname"
              }
            ],
            "repeated": 0,
            "id": 2368
          },
          {
            "timestamp": "2026-05-28 22:02:14,010",
            "thread_id": "11168",
            "caller": "0x7ffc6fce7647",
            "parentcaller": "0x7ffc6fce5a59",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004dc"
              },
              {
                "name": "ValueName",
                "value": "grouppolicypath"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\Privacy\\LetAppsRunInBackground_ForceDenyTheseApps\\grouppolicypath"
              }
            ],
            "repeated": 0,
            "id": 2369
          },
          {
            "timestamp": "2026-05-28 22:02:14,010",
            "thread_id": "11168",
            "caller": "0x7ffc6fce776a",
            "parentcaller": "0x7ffc6fce5a59",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004dc"
              },
              {
                "name": "ValueName",
                "value": "grouppolicypath"
              },
              {
                "name": "Data",
                "value": "Software\\Policies\\Microsoft\\Windows\\AppPrivacy"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\Privacy\\LetAppsRunInBackground_ForceDenyTheseApps\\grouppolicypath"
              }
            ],
            "repeated": 0,
            "id": 2370
          },
          {
            "timestamp": "2026-05-28 22:02:14,010",
            "thread_id": "11168",
            "caller": "0x7ffc6fce77f6",
            "parentcaller": "0x7ffc6fce5a59",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004dc"
              },
              {
                "name": "ValueName",
                "value": "grouppolicyismultisz"
              },
              {
                "name": "Data",
                "value": "1"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\Privacy\\LetAppsRunInBackground_ForceDenyTheseApps\\grouppolicyismultisz"
              }
            ],
            "repeated": 0,
            "id": 2371
          },
          {
            "timestamp": "2026-05-28 22:02:14,010",
            "thread_id": "11168",
            "caller": "0x7ffc6fce7836",
            "parentcaller": "0x7ffc6fce5a59",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004dc"
              },
              {
                "name": "ValueName",
                "value": "grouppolicymultiszSeparatorChar"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\Privacy\\LetAppsRunInBackground_ForceDenyTheseApps\\grouppolicymultiszSeparatorChar"
              }
            ],
            "repeated": 0,
            "id": 2372
          },
          {
            "timestamp": "2026-05-28 22:02:14,010",
            "thread_id": "11168",
            "caller": "0x7ffc6fce78f6",
            "parentcaller": "0x7ffc6fce5a59",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004dc"
              },
              {
                "name": "ValueName",
                "value": "ADMXMetadataUser"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\Privacy\\LetAppsRunInBackground_ForceDenyTheseApps\\ADMXMetadataUser"
              }
            ],
            "repeated": 0,
            "id": 2373
          },
          {
            "timestamp": "2026-05-28 22:02:14,010",
            "thread_id": "11168",
            "caller": "0x7ffc6fce79b1",
            "parentcaller": "0x7ffc6fce5a59",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004dc"
              },
              {
                "name": "ValueName",
                "value": "ADMXMetadataDevice"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\Privacy\\LetAppsRunInBackground_ForceDenyTheseApps\\ADMXMetadataDevice"
              }
            ],
            "repeated": 0,
            "id": 2374
          },
          {
            "timestamp": "2026-05-28 22:02:14,010",
            "thread_id": "11168",
            "caller": "0x7ffc6fce7a6c",
            "parentcaller": "0x7ffc6fce5a59",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004dc"
              },
              {
                "name": "ValueName",
                "value": "ADMXMetadataBoth"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\Privacy\\LetAppsRunInBackground_ForceDenyTheseApps\\ADMXMetadataBoth"
              }
            ],
            "repeated": 0,
            "id": 2375
          },
          {
            "timestamp": "2026-05-28 22:02:14,010",
            "thread_id": "11168",
            "caller": "0x7ffc756e2e92",
            "parentcaller": "0x7ffc6fcedb1b",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004dc"
              },
              {
                "name": "ValueName",
                "value": "30Value"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\Privacy\\LetAppsRunInBackground_ForceDenyTheseApps\\30Value"
              }
            ],
            "repeated": 0,
            "id": 2376
          },
          {
            "timestamp": "2026-05-28 22:02:14,010",
            "thread_id": "11168",
            "caller": "0x7ffc6fce7ca8",
            "parentcaller": "0x7ffc6fce5a59",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004dc"
              },
              {
                "name": "ValueName",
                "value": "Value"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\Privacy\\LetAppsRunInBackground_ForceDenyTheseApps\\Value"
              }
            ],
            "repeated": 0,
            "id": 2377
          },
          {
            "timestamp": "2026-05-28 22:02:14,010",
            "thread_id": "11168",
            "caller": "0x7ffc6fce76a9",
            "parentcaller": "0x7ffc6fce5a59",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004dc"
              }
            ],
            "repeated": 0,
            "id": 2378
          },
          {
            "timestamp": "2026-05-28 22:02:14,010",
            "thread_id": "11168",
            "caller": "0x7ffc6fce5c61",
            "parentcaller": "0x7ffc6fce5ac0",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "Software\\Policies\\Microsoft\\Windows\\AppPrivacy"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\AppPrivacy"
              }
            ],
            "repeated": 0,
            "id": 2379
          },
          {
            "timestamp": "2026-05-28 22:02:14,010",
            "thread_id": "11168",
            "caller": "0x7ffc6fce5d7c",
            "parentcaller": "0x7ffc6fce5ac0",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "Software\\Microsoft\\PolicyManager\\current\\Device\\Privacy"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\PolicyManager\\current\\Device\\Privacy"
              }
            ],
            "repeated": 0,
            "id": 2380
          },
          {
            "timestamp": "2026-05-28 22:02:14,010",
            "thread_id": "11168",
            "caller": "0x7ffc6fce71e2",
            "parentcaller": "0x7ffc6fce6abb",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "Software\\Microsoft\\PolicyManager\\default\\Privacy\\LetAppsRunInBackground"
              },
              {
                "name": "Handle",
                "value": "0x000004dc"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\PolicyManager\\default\\Privacy\\LetAppsRunInBackground"
              }
            ],
            "repeated": 0,
            "id": 2381
          },
          {
            "timestamp": "2026-05-28 22:02:14,010",
            "thread_id": "11168",
            "caller": "0x7ffc6fce723c",
            "parentcaller": "0x7ffc6fce6abb",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004dc"
              },
              {
                "name": "ValueName",
                "value": "PolicyType"
              },
              {
                "name": "Data",
                "value": "4"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\Privacy\\LetAppsRunInBackground\\PolicyType"
              }
            ],
            "repeated": 0,
            "id": 2382
          },
          {
            "timestamp": "2026-05-28 22:02:14,010",
            "thread_id": "11168",
            "caller": "0x7ffc6fce72a8",
            "parentcaller": "0x7ffc6fce6abb",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004dc"
              },
              {
                "name": "ValueName",
                "value": "Behavior"
              },
              {
                "name": "Data",
                "value": "139296"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\Privacy\\LetAppsRunInBackground\\Behavior"
              }
            ],
            "repeated": 0,
            "id": 2383
          },
          {
            "timestamp": "2026-05-28 22:02:14,010",
            "thread_id": "11168",
            "caller": "0x7ffc6fce732c",
            "parentcaller": "0x7ffc6fce6abb",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004dc"
              },
              {
                "name": "ValueName",
                "value": "MergeAlgorithm"
              },
              {
                "name": "Data",
                "value": "2"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\Privacy\\LetAppsRunInBackground\\MergeAlgorithm"
              }
            ],
            "repeated": 0,
            "id": 2384
          },
          {
            "timestamp": "2026-05-28 22:02:14,010",
            "thread_id": "11168",
            "caller": "0x7ffc6fce739f",
            "parentcaller": "0x7ffc6fce6abb",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004dc"
              },
              {
                "name": "ValueName",
                "value": "RegKeyPathRedirectMapped"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\Privacy\\LetAppsRunInBackground\\RegKeyPathRedirectMapped"
              }
            ],
            "repeated": 0,
            "id": 2385
          },
          {
            "timestamp": "2026-05-28 22:02:14,010",
            "thread_id": "11168",
            "caller": "0x7ffc6fce7402",
            "parentcaller": "0x7ffc6fce6abb",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004dc"
              },
              {
                "name": "ValueName",
                "value": "RegKeyPathRedirect"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\Privacy\\LetAppsRunInBackground\\RegKeyPathRedirect"
              }
            ],
            "repeated": 0,
            "id": 2386
          },
          {
            "timestamp": "2026-05-28 22:02:14,010",
            "thread_id": "11168",
            "caller": "0x7ffc6fce755e",
            "parentcaller": "0x7ffc6fce6abb",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004dc"
              },
              {
                "name": "ValueName",
                "value": "grouppolicyname"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\Privacy\\LetAppsRunInBackground\\grouppolicyname"
              }
            ],
            "repeated": 0,
            "id": 2387
          },
          {
            "timestamp": "2026-05-28 22:02:14,010",
            "thread_id": "11168",
            "caller": "0x7ffc6fce75df",
            "parentcaller": "0x7ffc6fce6abb",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004dc"
              },
              {
                "name": "ValueName",
                "value": "grouppolicyname"
              },
              {
                "name": "Data",
                "value": "LetAppsRunInBackground"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\Privacy\\LetAppsRunInBackground\\grouppolicyname"
              }
            ],
            "repeated": 0,
            "id": 2388
          },
          {
            "timestamp": "2026-05-28 22:02:14,010",
            "thread_id": "11168",
            "caller": "0x7ffc6fce7647",
            "parentcaller": "0x7ffc6fce6abb",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004dc"
              },
              {
                "name": "ValueName",
                "value": "grouppolicypath"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\Privacy\\LetAppsRunInBackground\\grouppolicypath"
              }
            ],
            "repeated": 0,
            "id": 2389
          },
          {
            "timestamp": "2026-05-28 22:02:14,010",
            "thread_id": "11168",
            "caller": "0x7ffc6fce776a",
            "parentcaller": "0x7ffc6fce6abb",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004dc"
              },
              {
                "name": "ValueName",
                "value": "grouppolicypath"
              },
              {
                "name": "Data",
                "value": "Software\\Policies\\Microsoft\\Windows\\AppPrivacy"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\Privacy\\LetAppsRunInBackground\\grouppolicypath"
              }
            ],
            "repeated": 0,
            "id": 2390
          },
          {
            "timestamp": "2026-05-28 22:02:14,010",
            "thread_id": "11168",
            "caller": "0x7ffc6fce77f6",
            "parentcaller": "0x7ffc6fce6abb",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004dc"
              },
              {
                "name": "ValueName",
                "value": "grouppolicyismultisz"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\Privacy\\LetAppsRunInBackground\\grouppolicyismultisz"
              }
            ],
            "repeated": 0,
            "id": 2391
          },
          {
            "timestamp": "2026-05-28 22:02:14,010",
            "thread_id": "11168",
            "caller": "0x7ffc6fce7836",
            "parentcaller": "0x7ffc6fce6abb",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004dc"
              },
              {
                "name": "ValueName",
                "value": "grouppolicymultiszSeparatorChar"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\Privacy\\LetAppsRunInBackground\\grouppolicymultiszSeparatorChar"
              }
            ],
            "repeated": 0,
            "id": 2392
          },
          {
            "timestamp": "2026-05-28 22:02:14,010",
            "thread_id": "11168",
            "caller": "0x7ffc6fce78f6",
            "parentcaller": "0x7ffc6fce6abb",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004dc"
              },
              {
                "name": "ValueName",
                "value": "ADMXMetadataUser"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\Privacy\\LetAppsRunInBackground\\ADMXMetadataUser"
              }
            ],
            "repeated": 0,
            "id": 2393
          },
          {
            "timestamp": "2026-05-28 22:02:14,010",
            "thread_id": "11168",
            "caller": "0x7ffc6fce79b1",
            "parentcaller": "0x7ffc6fce6abb",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004dc"
              },
              {
                "name": "ValueName",
                "value": "ADMXMetadataDevice"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\Privacy\\LetAppsRunInBackground\\ADMXMetadataDevice"
              }
            ],
            "repeated": 0,
            "id": 2394
          },
          {
            "timestamp": "2026-05-28 22:02:14,010",
            "thread_id": "11168",
            "caller": "0x7ffc6fce7a6c",
            "parentcaller": "0x7ffc6fce6abb",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004dc"
              },
              {
                "name": "ValueName",
                "value": "ADMXMetadataBoth"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\Privacy\\LetAppsRunInBackground\\ADMXMetadataBoth"
              }
            ],
            "repeated": 0,
            "id": 2395
          },
          {
            "timestamp": "2026-05-28 22:02:14,010",
            "thread_id": "11168",
            "caller": "0x7ffc756e2e92",
            "parentcaller": "0x7ffc6fcedb1b",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004dc"
              },
              {
                "name": "ValueName",
                "value": "30Value"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\Privacy\\LetAppsRunInBackground\\30Value"
              }
            ],
            "repeated": 0,
            "id": 2396
          },
          {
            "timestamp": "2026-05-28 22:02:14,010",
            "thread_id": "11168",
            "caller": "0x7ffc6fce7b73",
            "parentcaller": "0x7ffc6fce6abb",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004dc"
              },
              {
                "name": "ValueName",
                "value": "Value"
              },
              {
                "name": "Data",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\Privacy\\LetAppsRunInBackground\\Value"
              }
            ],
            "repeated": 0,
            "id": 2397
          },
          {
            "timestamp": "2026-05-28 22:02:14,010",
            "thread_id": "11168",
            "caller": "0x7ffc6fce76a9",
            "parentcaller": "0x7ffc6fce6abb",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004dc"
              }
            ],
            "repeated": 0,
            "id": 2398
          },
          {
            "timestamp": "2026-05-28 22:02:14,010",
            "thread_id": "11168",
            "caller": "0x7ffc6fce6e85",
            "parentcaller": "0x7ffc6fce6097",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "Software\\Policies\\Microsoft\\Windows\\AppPrivacy"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\AppPrivacy"
              }
            ],
            "repeated": 0,
            "id": 2399
          },
          {
            "timestamp": "2026-05-28 22:02:14,010",
            "thread_id": "11168",
            "caller": "0x7ffc6fce6d68",
            "parentcaller": "0x7ffc6fce6097",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "Software\\Microsoft\\PolicyManager\\current\\Device\\Privacy"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\PolicyManager\\current\\Device\\Privacy"
              }
            ],
            "repeated": 0,
            "id": 2400
          },
          {
            "timestamp": "2026-05-28 22:02:14,010",
            "thread_id": "11168",
            "caller": "0x7ffc77c2dd9d",
            "parentcaller": "0x7ffc77bc7428",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000004dc"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020119",
                "pretty_value": "KEY_QUERY_VALUE|KEY_ENUMERATE_SUB_KEYS|KEY_NOTIFY|KEY_WOW64_64KEY|STANDARD_RIGHTS_REQUIRED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000378"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Windows.Internal.StateRepository.User"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.User"
              }
            ],
            "repeated": 0,
            "id": 2401
          },
          {
            "timestamp": "2026-05-28 22:02:14,010",
            "thread_id": "11168",
            "caller": "0x7ffc77c2ddf7",
            "parentcaller": "0x7ffc77bc7428",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000004dc"
              },
              {
                "name": "KeyInformation",
                "value": "\\xfffci\\x0e\\xffd4\\xffde\\xffac\\xffd5\\x01\\x00\\x00\\x00\\x00J\\x00\\x00\\x00W\\x00i\\x00n\\x00d\\x00o\\x00w\\x00s\\x00.\\x00I\\x00n\\x00t\\x00e\\x00r\\x00n\\x00a\\x00l\\x00.\\x00S\\x00t\\x00a\\x00t\\x00e\\x00R\\x00e\\x00p\\x00o\\x00s\\x00i\\x00t\\x00o\\x00r\\x00y\\x00.\\x00U\\x00s\\x00e\\x00r\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x1a\\x00\\x00\\x00\\xfffc\\x7f\\x00\\x00\\x0e\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x1c\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xffb0E\\xffe7w\\xfffc\\x7f\\x00\\x00x\\xffb7He\\xffa3\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00`\\xffed\\x1f\\xfff9\\xffb8\\x00\\x00\\x00\\xff8c\\xffc2\\xffffw\\xfffc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\xffa3\\x02\\x00\\x00\\xffd0\\x03Ie\\xffa3\\x02\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xffa3\\x02\\x00\\x00\\xff9e\\xff92\\xffb3*\\xffbd\\xffaa\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00PCIe\\xffa3\\x02\\x00\\x00x\\xffb7He\\xffa3\\x02\\x00\\x00P\\xffb7He\\xffa3\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xff87\\xff9d\\xffbbw\\xfffc\\x7f\\x00\\x00\\xffd0\\x03Ie\\xffa3\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00P\\xffb7He\\xffa3\\x02\\x00\\x00\\xffd0\\x03Ie\\xffa3\\x02\\x00\\x00PCIe\\xffa3\\x02\\x00\\x00\\x00\\xff9aJe\\xffa3\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xfff6s\\xffbbw\\xfffc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x07\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xff80\\x00\\x00\\x00\\x00\\x00\\x00\\x00PCIe\\xffa3\\x02\\x00\\x000\\x08Ie\\xffa3\\x02\\x00\\x000\\x08Ie\\xffa3\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xffd0\\x03Ie\\xffa3\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x0
0\\x00\\x00\\x00\\x00\\x000\\x08Ie\\xffa3\\x02\\x00\\x00\\xff8c\\xffc2\\xffffw\\xfffc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\xffa3\\x02\\x00\\x00\\xffd0\\x03Ie\\xffa3\\x02\\x00\\x00\\x00\\xff9aJe\\xffa3\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00`\\xffee\\x1f\\xfff9\\xffb8\\x00\\x00\\x003\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xffb0\\x0bIe\\xffa3\\x02\\x00\\x00P\\xffb7He\\xffa3\\x02\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 2402
          },
          {
            "timestamp": "2026-05-28 22:02:14,010",
            "thread_id": "11168",
            "caller": "0x7ffc756e2e92",
            "parentcaller": "0x7ffc77c29cb2",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004dc"
              },
              {
                "name": "ValueName",
                "value": "ActivationType"
              },
              {
                "name": "Data",
                "value": "1"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.User\\ActivationType"
              }
            ],
            "repeated": 0,
            "id": 2403
          },
          {
            "timestamp": "2026-05-28 22:02:14,010",
            "thread_id": "11168",
            "caller": "0x7ffc77b87deb",
            "parentcaller": "0x7ffc77c38ff0",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004dc"
              },
              {
                "name": "ValueName",
                "value": "Server"
              },
              {
                "name": "Data",
                "value": "StateRepository"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.User\\Server"
              }
            ],
            "repeated": 0,
            "id": 2404
          },
          {
            "timestamp": "2026-05-28 22:02:14,010",
            "thread_id": "11168",
            "caller": "0x7ffc77b87deb",
            "parentcaller": "0x7ffc77c400bb",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004dc"
              },
              {
                "name": "ValueName",
                "value": "DllPath"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.User\\DllPath"
              }
            ],
            "repeated": 0,
            "id": 2405
          },
          {
            "timestamp": "2026-05-28 22:02:14,010",
            "thread_id": "11168",
            "caller": "0x7ffc756e2e92",
            "parentcaller": "0x7ffc77c29cb2",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004dc"
              },
              {
                "name": "ValueName",
                "value": "Threading"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.User\\Threading"
              }
            ],
            "repeated": 0,
            "id": 2406
          },
          {
            "timestamp": "2026-05-28 22:02:14,010",
            "thread_id": "11168",
            "caller": "0x7ffc756e2e92",
            "parentcaller": "0x7ffc77c29cb2",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004dc"
              },
              {
                "name": "ValueName",
                "value": "TrustLevel"
              },
              {
                "name": "Data",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.User\\TrustLevel"
              }
            ],
            "repeated": 0,
            "id": 2407
          },
          {
            "timestamp": "2026-05-28 22:02:14,010",
            "thread_id": "11168",
            "caller": "0x7ffc77b8c0fc",
            "parentcaller": "0x7ffc77c24170",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x000004dc"
              },
              {
                "name": "SubKey",
                "value": "CustomAttributes"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.User\\CustomAttributes"
              }
            ],
            "repeated": 0,
            "id": 2408
          },
          {
            "timestamp": "2026-05-28 22:02:14,010",
            "thread_id": "11168",
            "caller": "0x7ffc77b87deb",
            "parentcaller": "0x7ffc77c38ff0",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004dc"
              },
              {
                "name": "ValueName",
                "value": "RemoteServer"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.User\\RemoteServer"
              }
            ],
            "repeated": 0,
            "id": 2409
          },
          {
            "timestamp": "2026-05-28 22:02:14,010",
            "thread_id": "11168",
            "caller": "0x7ffc756e2e92",
            "parentcaller": "0x7ffc77c29cb2",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004dc"
              },
              {
                "name": "ValueName",
                "value": "ActivateAsUser"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.User\\ActivateAsUser"
              }
            ],
            "repeated": 0,
            "id": 2410
          },
          {
            "timestamp": "2026-05-28 22:02:14,010",
            "thread_id": "11168",
            "caller": "0x7ffc756e2e92",
            "parentcaller": "0x7ffc77c29cb2",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004dc"
              },
              {
                "name": "ValueName",
                "value": "ActivateInSharedBroker"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.User\\ActivateInSharedBroker"
              }
            ],
            "repeated": 0,
            "id": 2411
          },
          {
            "timestamp": "2026-05-28 22:02:14,010",
            "thread_id": "11168",
            "caller": "0x7ffc756e2e92",
            "parentcaller": "0x7ffc77c29cb2",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004dc"
              },
              {
                "name": "ValueName",
                "value": "ActivateInBrokerForMediumILContainer"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.User\\ActivateInBrokerForMediumILContainer"
              }
            ],
            "repeated": 0,
            "id": 2412
          },
          {
            "timestamp": "2026-05-28 22:02:14,010",
            "thread_id": "11168",
            "caller": "0x7ffc756e2e92",
            "parentcaller": "0x7ffc77c32222",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004dc"
              },
              {
                "name": "ValueName",
                "value": "Permissions"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.User\\Permissions"
              }
            ],
            "repeated": 0,
            "id": 2413
          },
          {
            "timestamp": "2026-05-28 22:02:14,010",
            "thread_id": "11168",
            "caller": "0x7ffc756e2e92",
            "parentcaller": "0x7ffc77c29cb2",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004dc"
              },
              {
                "name": "ValueName",
                "value": "ActivateOnHostFlags"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.User\\ActivateOnHostFlags"
              }
            ],
            "repeated": 0,
            "id": 2414
          },
          {
            "timestamp": "2026-05-28 22:02:14,010",
            "thread_id": "11168",
            "caller": "0x7ffc77bc74a2",
            "parentcaller": "0x7ffc77bc67e6",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000004e0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020119",
                "pretty_value": "KEY_QUERY_VALUE|KEY_ENUMERATE_SUB_KEYS|KEY_NOTIFY|KEY_WOW64_64KEY|STANDARD_RIGHTS_REQUIRED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000374"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Server"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\Server"
              }
            ],
            "repeated": 0,
            "id": 2415
          },
          {
            "timestamp": "2026-05-28 22:02:14,010",
            "thread_id": "11168",
            "caller": "0x7ffc77c2dd9d",
            "parentcaller": "0x7ffc77bc7428",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000004e4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020119",
                "pretty_value": "KEY_QUERY_VALUE|KEY_ENUMERATE_SUB_KEYS|KEY_NOTIFY|KEY_WOW64_64KEY|STANDARD_RIGHTS_REQUIRED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000004e0"
              },
              {
                "name": "ObjectAttributesName",
                "value": "StateRepository"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\Server\\StateRepository"
              }
            ],
            "repeated": 0,
            "id": 2416
          },
          {
            "timestamp": "2026-05-28 22:02:14,010",
            "thread_id": "11168",
            "caller": "0x7ffc77c2ddf7",
            "parentcaller": "0x7ffc77bc7428",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000004e4"
              },
              {
                "name": "KeyInformation",
                "value": "\\xffcek|\\xffd3\\xffde\\xffac\\xffd5\\x01\\x00\\x00\\x00\\x00\\x1e\\x00\\x00\\x00S\\x00t\\x00a\\x00t\\x00e\\x00R\\x00e\\x00p\\x00o\\x00s\\x00i\\x00t\\x00o\\x00r\\x00y\\x00\\x00\\x00di\\xffe6f\\xffa3\\x02\\x00\\x00\\xff90\\xffc7\\xffe43\\xfffc\\x7f\\x00\\x00\\xffa2t\\xffbcw\\xfffc\\x7f\\x00\\x00\\xffd9L\\xffb53\\xfffc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x000\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xff80\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xff80\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xff80\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xff88\\xffbb9\\xfffa\\x02;\\x00\\x00x\\xffbcHe\\xffa3\\x02\\x00\\x00\\xff87\\x00C8\\xfffc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xff87\\x00C8\\xfffc\\x7f\\x00\\x00\\x18\\xffe9\\x1f\\xfff9\\xffb8\\x00\\x00\\x00\\x18\\xffbc9\\xfffa\\x02;\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xffecFIe\\xffa3\\x02\\x00\\x00\\x08OCe\\xffa3\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x19\\x01\\x02\\x00\\x00\\x00\\x00\\x00 DIe\\xffa3\\x02\\x00\\x00`\\xffe9\\x1f\\xfff9\\xffb8\\x00\\x00\\x00\\xffe4I\\xffb73\\xfffc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00t\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\xffb9\\x00C8\\xfffc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xff9d\\xffd0\\xffd93\\xfffc\\x7f\\x00\\x00\\xffb8\\xffcf\\xffd93\\xfffc\\x7f\\x00\\x00 DIe\\xffa3\\x02\\x00\\x00\\xfff8\\xff81\\xffd93\\xfffc\\x7f\\x00\\x00\\x19\\x01\\x02\\x00\\xffa3\\x02\\x00\\x00h\\xffd0\\xffd93\\xfffc\\x7f\\x00\\x00t\\x03\\x00\\x00\\x00\\x00\\x00\\x00P\\xffd0\\xffd93\\xfffc\\x7f\\x00\\x00P\\xffe9\\x1f\\xfff9\\xffb8\\x00\\x00\\x00\\xff98\\xff85\\xffd93\\xfffc\\x7f\\x00\\x00`\\xffe9\\x1f\\xfff9\\xffb8\\x00\\x00\\x000hHe\\xffa3\\x02\\x00\\x00\\xffb0t\\xffbcw\\xfffc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\xffa3\\x02\\x00\\x00`\\xffeb\\x1f\\xfff9\\xffb8\\x00\\x00\\x00 
DIe\\xffa3\\x02\\x00\\x00\\x10BIe\\xffa3\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x0c\\x00\\x0e\\x00\\x00\\x00\\x00\\x00LhHe\\xffa3\\x02\\x00\\x000\\x00\\x00\\x00\\xffa3\\x02\\x00\\x00t\\x03\\x00\\x00\\x00\\x00\\x00\\x00P\\xffe9\\x1f\\xfff9\\xffb8\\x00\\x00\\x00@\\x00\\x00\\x00\\xffa3\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10DIe\\xffa3\\x02\\x00\\x00\\x19h\\xffbcw\\xfffc\\x7f\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 2417
          },
          {
            "timestamp": "2026-05-28 22:02:14,010",
            "thread_id": "11168",
            "caller": "0x7ffc77ff2caa",
            "parentcaller": "0x7ffc77ff2fbd",
            "category": "process",
            "api": "NtAllocateVirtualMemoryEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2a3654aa000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 2418
          },
          {
            "timestamp": "2026-05-28 22:02:14,010",
            "thread_id": "11168",
            "caller": "0x7ffc77b87deb",
            "parentcaller": "0x7ffc77c400bb",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004e4"
              },
              {
                "name": "ValueName",
                "value": "ExePath"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\Server\\StateRepository\\ExePath"
              }
            ],
            "repeated": 0,
            "id": 2419
          },
          {
            "timestamp": "2026-05-28 22:02:14,010",
            "thread_id": "11168",
            "caller": "0x7ffc77b87deb",
            "parentcaller": "0x7ffc77c400bb",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004e4"
              },
              {
                "name": "ValueName",
                "value": "CommandLine"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\Server\\StateRepository\\CommandLine"
              }
            ],
            "repeated": 0,
            "id": 2420
          },
          {
            "timestamp": "2026-05-28 22:02:14,010",
            "thread_id": "11168",
            "caller": "0x7ffc756e2e92",
            "parentcaller": "0x7ffc77c29cb2",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004e4"
              },
              {
                "name": "ValueName",
                "value": "IdentityType"
              },
              {
                "name": "Data",
                "value": "1"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\Server\\StateRepository\\IdentityType"
              }
            ],
            "repeated": 0,
            "id": 2421
          },
          {
            "timestamp": "2026-05-28 22:02:14,010",
            "thread_id": "11168",
            "caller": "0x7ffc756e2e92",
            "parentcaller": "0x7ffc77c32222",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x000000ea",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004e4"
              },
              {
                "name": "ValueName",
                "value": "Permissions"
              },
              {
                "name": "Type",
                "value": "0x7ffc00000003"
              },
              {
                "name": "DataLength",
                "value": "184"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\Server\\StateRepository\\Permissions"
              }
            ],
            "repeated": 0,
            "id": 2422
          },
          {
            "timestamp": "2026-05-28 22:02:14,010",
            "thread_id": "11168",
            "caller": "0x7ffc756e2e92",
            "parentcaller": "0x7ffc77c32222",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004e4"
              },
              {
                "name": "ValueName",
                "value": "Permissions"
              },
              {
                "name": "Data",
                "value": "\\x01\\x00\\x14\\x80\\x9c\\x00\\x00\\x00\\xa8\\x00\\x00\\x00\\x14\\x00\\x00\\x000\\x00\\x00\\x00\\x02\\x00\\x1c\\x00\\x01\\x00\\x00\\x00\\x11\\x00\\x14\\x00\\x04\\x00\\x00\\x00\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x10\\x00\\x00\\x02\\x00l\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x14\\x00\\x1f\\x00\\x00\\x00\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x18\\x00\\x1f\\x00\\x00\\x00\\x01\\x02\\x00\\x00\\x00\\x00\\x00\\x0f\\x02\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x008\\x00\\x1f\\x00\\x00\\x00\\x01\n\\x00\\x00\\x00\\x00\\x00\\x0f\\x03\\x00\\x00\\x00\\x00\\x04\\x00\\x00\\xceJ\\x93Y\\xb9\\xcf\\x0buu\\xc0\\xf2\\x9b\\xb2\\xb4\\xc2\\x98\\xd4F\\xdd\\xf9\\x02z\\x87\\xec\\x14e\\x11w\\xd6\\xe9\\x96U\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x05\n\\x00\\x00\\x00\\x01\\x02\\x00\\x00\\x00\\x00\\x00\\x05 \\x00\\x00\\x00!\\x02\\x00\\x00"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\Server\\StateRepository\\Permissions"
              }
            ],
            "repeated": 0,
            "id": 2423
          },
          {
            "timestamp": "2026-05-28 22:02:14,010",
            "thread_id": "11168",
            "caller": "0x7ffc77b87deb",
            "parentcaller": "0x7ffc77c49d80",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004e4"
              },
              {
                "name": "ValueName",
                "value": "ActivatableClasses"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\Server\\StateRepository\\ActivatableClasses"
              }
            ],
            "repeated": 0,
            "id": 2424
          },
          {
            "timestamp": "2026-05-28 22:02:14,010",
            "thread_id": "11168",
            "caller": "0x7ffc756e2e92",
            "parentcaller": "0x7ffc77c29cb2",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004e4"
              },
              {
                "name": "ValueName",
                "value": "ServerType"
              },
              {
                "name": "Data",
                "value": "2"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\Server\\StateRepository\\ServerType"
              }
            ],
            "repeated": 0,
            "id": 2425
          },
          {
            "timestamp": "2026-05-28 22:02:14,010",
            "thread_id": "11168",
            "caller": "0x7ffc77b87deb",
            "parentcaller": "0x7ffc77c38ff0",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004e4"
              },
              {
                "name": "ValueName",
                "value": "AppId"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\Server\\StateRepository\\AppId"
              }
            ],
            "repeated": 0,
            "id": 2426
          },
          {
            "timestamp": "2026-05-28 22:02:14,010",
            "thread_id": "11168",
            "caller": "0x7ffc77b87deb",
            "parentcaller": "0x7ffc77c38ff0",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004e4"
              },
              {
                "name": "ValueName",
                "value": "Identity"
              },
              {
                "name": "Data",
                "value": "nt authority\\system"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\Server\\StateRepository\\Identity"
              }
            ],
            "repeated": 0,
            "id": 2427
          },
          {
            "timestamp": "2026-05-28 22:02:14,010",
            "thread_id": "11168",
            "caller": "0x7ffc77b87deb",
            "parentcaller": "0x7ffc77c38ff0",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004e4"
              },
              {
                "name": "ValueName",
                "value": "ServiceName"
              },
              {
                "name": "Data",
                "value": "StateRepository"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\Server\\StateRepository\\ServiceName"
              }
            ],
            "repeated": 0,
            "id": 2428
          },
          {
            "timestamp": "2026-05-28 22:02:14,010",
            "thread_id": "11168",
            "caller": "0x7ffc756e2e92",
            "parentcaller": "0x7ffc77c29cb2",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004e4"
              },
              {
                "name": "ValueName",
                "value": "ExplicitPsmActivationType"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\Server\\StateRepository\\ExplicitPsmActivationType"
              }
            ],
            "repeated": 0,
            "id": 2429
          },
          {
            "timestamp": "2026-05-28 22:02:14,010",
            "thread_id": "11168",
            "caller": "0x7ffc77b8c0fc",
            "parentcaller": "0x7ffc77c24170",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x000004e4"
              },
              {
                "name": "SubKey",
                "value": "CustomAttributes"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\Server\\StateRepository\\CustomAttributes"
              }
            ],
            "repeated": 0,
            "id": 2430
          },
          {
            "timestamp": "2026-05-28 22:02:14,010",
            "thread_id": "11168",
            "caller": "0x7ffc77c27226",
            "parentcaller": "0x7ffc77c2ca23",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004e4"
              }
            ],
            "repeated": 0,
            "id": 2431
          },
          {
            "timestamp": "2026-05-28 22:02:14,010",
            "thread_id": "11168",
            "caller": "0x7ffc77c27226",
            "parentcaller": "0x7ffc77c2ca23",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004dc"
              }
            ],
            "repeated": 0,
            "id": 2432
          },
          {
            "timestamp": "2026-05-28 22:02:14,010",
            "thread_id": "11168",
            "caller": "0x7ffc77ff2caa",
            "parentcaller": "0x7ffc77ff2fbd",
            "category": "process",
            "api": "NtAllocateVirtualMemoryEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2a365499000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 2433
          },
          {
            "timestamp": "2026-05-28 22:02:14,010",
            "thread_id": "11168",
            "caller": "0x7ffc77be92b9",
            "parentcaller": "0x7ffc77c2224d",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "00000339-0000-0000-C000-000000000046"
              },
              {
                "name": "ClsContext",
                "value": "0x00000403",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER|CLSCTX_NO_CODE_DOWNLOAD"
              },
              {
                "name": "riid",
                "value": "00000003-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 2434
          },
          {
            "timestamp": "2026-05-28 22:02:14,010",
            "thread_id": "11168",
            "caller": "0x7ffc77ba22bf",
            "parentcaller": "0x7ffc77c1fbe4",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x000003c6"
              },
              {
                "name": "SubKey",
                "value": "Interface\\{84103CCB-2FD7-4D6C-962E-5D8582B4C720}"
              },
              {
                "name": "Handle",
                "value": "0x000004de"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\Interface\\{84103CCB-2FD7-4D6C-962E-5D8582B4C720}"
              }
            ],
            "repeated": 0,
            "id": 2435
          },
          {
            "timestamp": "2026-05-28 22:02:14,010",
            "thread_id": "11168",
            "caller": "0x7ffc77c1fa51",
            "parentcaller": "0x7ffc77be42ab",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x000004de"
              },
              {
                "name": "SubKey",
                "value": "ProxyStubClsid32"
              },
              {
                "name": "Handle",
                "value": "0x000004e6"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{84103ccb-2fd7-4d6c-962e-5d8582b4c720}\\ProxyStubClsid32"
              }
            ],
            "repeated": 0,
            "id": 2436
          },
          {
            "timestamp": "2026-05-28 22:02:14,010",
            "thread_id": "11168",
            "caller": "0x7ffc77c1fa8c",
            "parentcaller": "0x7ffc77be42ab",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004e6"
              },
              {
                "name": "ValueName",
                "value": ""
              },
              {
                "name": "Data",
                "value": "{c53e07ec-25f3-4093-aa39-fc67ea22e99d}"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{84103ccb-2fd7-4d6c-962e-5d8582b4c720}\\ProxyStubClsid32\\(Default)"
              }
            ],
            "repeated": 0,
            "id": 2437
          },
          {
            "timestamp": "2026-05-28 22:02:14,010",
            "thread_id": "11168",
            "caller": "0x7ffc77c1fad3",
            "parentcaller": "0x7ffc77be42ab",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004e6"
              }
            ],
            "repeated": 0,
            "id": 2438
          },
          {
            "timestamp": "2026-05-28 22:02:14,010",
            "thread_id": "11168",
            "caller": "0x7ffc77c1fae4",
            "parentcaller": "0x7ffc77be42ab",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004de"
              }
            ],
            "repeated": 0,
            "id": 2439
          },
          {
            "timestamp": "2026-05-28 22:02:14,010",
            "thread_id": "11168",
            "caller": "0x7ffc77ba7b74",
            "parentcaller": "0x7ffc77ba53d4",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x0000036a"
              },
              {
                "name": "SubKey",
                "value": "CLSID\\{C53E07EC-25F3-4093-AA39-FC67EA22E99D}"
              },
              {
                "name": "Handle",
                "value": "0x000004de"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{C53E07EC-25F3-4093-AA39-FC67EA22E99D}"
              }
            ],
            "repeated": 0,
            "id": 2440
          },
          {
            "timestamp": "2026-05-28 22:02:14,010",
            "thread_id": "11168",
            "caller": "0x7ffc756e45a7",
            "parentcaller": "0x7ffc756e0705",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000004de"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\CLSID\\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 2441
          },
          {
            "timestamp": "2026-05-28 22:02:14,010",
            "thread_id": "11168",
            "caller": "0x7ffc756e2314",
            "parentcaller": "0x7ffc756e0732",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000004de"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 2442
          },
          {
            "timestamp": "2026-05-28 22:02:14,010",
            "thread_id": "11168",
            "caller": "0x7ffc78006c8b",
            "parentcaller": "0x7ffc756e23a0",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": " \\xc5\\x1f\\xf9\\xb8\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xfc\\x7f\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\xe9\\x03\\x00\\x00\\xfc\\x7f\\x00\\x00\\xb8\\xcf\\xd93\\xfc\\x7f\\x00\\x00\\xde\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\xe0\\xd2\\xd93\\xfc\\x7f\\x00\\x00\\x04\\x00\\x00\\x00\\xb8\\x00\\x00\\x00 \\xc6\\x1f\\xf9\\xb8\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 2443
          },
          {
            "timestamp": "2026-05-28 22:02:14,010",
            "thread_id": "11168",
            "caller": "0x7ffc756e24a8",
            "parentcaller": "0x7ffc756e0732",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3968686040-3210279463-847977608-1001_Classes\\CLSID\\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}\\TreatAs"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}\\TreatAs"
              }
            ],
            "repeated": 0,
            "id": 2444
          },
          {
            "timestamp": "2026-05-28 22:02:14,010",
            "thread_id": "11168",
            "caller": "0x7ffc756e40c4",
            "parentcaller": "0x7ffc756e25c4",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000004de"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 2445
          },
          {
            "timestamp": "2026-05-28 22:02:14,010",
            "thread_id": "11168",
            "caller": "0x7ffc756e25e2",
            "parentcaller": "0x7ffc756e0732",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000004de"
              },
              {
                "name": "ObjectAttributesName",
                "value": "TreatAs"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}\\TreatAs"
              }
            ],
            "repeated": 0,
            "id": 2446
          },
          {
            "timestamp": "2026-05-28 22:02:14,010",
            "thread_id": "11168",
            "caller": "0x7ffc77c322e1",
            "parentcaller": "0x7ffc77ba7c1d",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000004de"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\CLSID\\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 2447
          },
          {
            "timestamp": "2026-05-28 22:02:14,010",
            "thread_id": "11168",
            "caller": "0x7ffc756e2e92",
            "parentcaller": "0x7ffc77ba81f5",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004de"
              },
              {
                "name": "ValueName",
                "value": "ActivateOnHostFlags"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}\\ActivateOnHostFlags"
              }
            ],
            "repeated": 0,
            "id": 2448
          },
          {
            "timestamp": "2026-05-28 22:02:14,010",
            "thread_id": "11168",
            "caller": "0x7ffc756e2e92",
            "parentcaller": "0x7ffc77ba870d",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004de"
              },
              {
                "name": "ValueName",
                "value": ""
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}\\(Default)"
              }
            ],
            "repeated": 0,
            "id": 2449
          },
          {
            "timestamp": "2026-05-28 22:02:14,010",
            "thread_id": "11168",
            "caller": "0x7ffc756e2e92",
            "parentcaller": "0x7ffc77ba87bc",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004de"
              },
              {
                "name": "ValueName",
                "value": ""
              },
              {
                "name": "Data",
                "value": "PSFactoryBuffer"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}\\(Default)"
              }
            ],
            "repeated": 0,
            "id": 2450
          },
          {
            "timestamp": "2026-05-28 22:02:14,010",
            "thread_id": "11168",
            "caller": "0x7ffc77ba8485",
            "parentcaller": "0x7ffc77ba829e",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x000004de"
              },
              {
                "name": "SubKey",
                "value": "InprocServer32"
              },
              {
                "name": "Handle",
                "value": "0x000004e6"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}\\InprocServer32"
              }
            ],
            "repeated": 0,
            "id": 2451
          },
          {
            "timestamp": "2026-05-28 22:02:14,010",
            "thread_id": "11168",
            "caller": "0x7ffc756e2e92",
            "parentcaller": "0x7ffc77ba870d",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004e6"
              },
              {
                "name": "ValueName",
                "value": "InprocServer32"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}\\InProcServer32\\InprocServer32"
              }
            ],
            "repeated": 0,
            "id": 2452
          },
          {
            "timestamp": "2026-05-28 22:02:14,010",
            "thread_id": "11168",
            "caller": "0x7ffc756e2e92",
            "parentcaller": "0x7ffc77ba870d",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004e6"
              },
              {
                "name": "ValueName",
                "value": ""
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}\\InProcServer32\\(Default)"
              }
            ],
            "repeated": 0,
            "id": 2453
          },
          {
            "timestamp": "2026-05-28 22:02:14,010",
            "thread_id": "11168",
            "caller": "0x7ffc756e2e92",
            "parentcaller": "0x7ffc77ba87bc",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004e6"
              },
              {
                "name": "ValueName",
                "value": ""
              },
              {
                "name": "Data",
                "value": "C:\\Windows\\System32\\\\Windows.StateRepositoryPS.dll"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}\\InProcServer32\\(Default)"
              }
            ],
            "repeated": 0,
            "id": 2454
          },
          {
            "timestamp": "2026-05-28 22:02:14,010",
            "thread_id": "11168",
            "caller": "0x7ffc756e2e92",
            "parentcaller": "0x7ffc77ba8d32",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004e6"
              },
              {
                "name": "ValueName",
                "value": "ThreadingModel"
              },
              {
                "name": "Data",
                "value": "Both"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}\\InProcServer32\\ThreadingModel"
              }
            ],
            "repeated": 0,
            "id": 2455
          },
          {
            "timestamp": "2026-05-28 22:02:14,010",
            "thread_id": "11168",
            "caller": "0x7ffc77ba855f",
            "parentcaller": "0x7ffc77ba829e",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004e6"
              }
            ],
            "repeated": 0,
            "id": 2456
          },
          {
            "timestamp": "2026-05-28 22:02:14,010",
            "thread_id": "11168",
            "caller": "0x7ffc756e45a7",
            "parentcaller": "0x7ffc756e0705",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000004de"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\CLSID\\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 2457
          },
          {
            "timestamp": "2026-05-28 22:02:14,010",
            "thread_id": "11168",
            "caller": "0x7ffc756e2314",
            "parentcaller": "0x7ffc756e0732",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000004de"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 2458
          },
          {
            "timestamp": "2026-05-28 22:02:14,010",
            "thread_id": "11168",
            "caller": "0x7ffc78006c8b",
            "parentcaller": "0x7ffc756e23a0",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xb0\\xc3\\x1f\\xf9\\xb8\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xfc\\x7f\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\xe9\\x03\\x00\\x00\\xfc\\x7f\\x00\\x00\\xb8\\xcf\\xd93\\xfc\\x7f\\x00\\x00\\xde\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\xe0\\xd2\\xd93\\xfc\\x7f\\x00\\x00\\x04\\x00\\x00\\x00\\xb8\\x00\\x00\\x00\\xb0\\xc4\\x1f\\xf9\\xb8\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 2459
          },
          {
            "timestamp": "2026-05-28 22:02:14,025",
            "thread_id": "11168",
            "caller": "0x7ffc756e24a8",
            "parentcaller": "0x7ffc756e0732",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3968686040-3210279463-847977608-1001_Classes\\CLSID\\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}\\InprocHandler32"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}\\InprocHandler32"
              }
            ],
            "repeated": 0,
            "id": 2460
          },
          {
            "timestamp": "2026-05-28 22:02:14,025",
            "thread_id": "11168",
            "caller": "0x7ffc756e40c4",
            "parentcaller": "0x7ffc756e25c4",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000004de"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 2461
          },
          {
            "timestamp": "2026-05-28 22:02:14,025",
            "thread_id": "11168",
            "caller": "0x7ffc756e25e2",
            "parentcaller": "0x7ffc756e0732",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000004de"
              },
              {
                "name": "ObjectAttributesName",
                "value": "InprocHandler32"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}\\InprocHandler32"
              }
            ],
            "repeated": 0,
            "id": 2462
          },
          {
            "timestamp": "2026-05-28 22:02:14,025",
            "thread_id": "11168",
            "caller": "0x7ffc756e45a7",
            "parentcaller": "0x7ffc756e0705",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000004de"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\CLSID\\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 2463
          },
          {
            "timestamp": "2026-05-28 22:02:14,025",
            "thread_id": "11168",
            "caller": "0x7ffc756e2314",
            "parentcaller": "0x7ffc756e0732",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000004de"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 2464
          },
          {
            "timestamp": "2026-05-28 22:02:14,025",
            "thread_id": "11168",
            "caller": "0x7ffc78006c8b",
            "parentcaller": "0x7ffc756e23a0",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xb0\\xc3\\x1f\\xf9\\xb8\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xfc\\x7f\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\xe9\\x03\\x00\\x00\\xfc\\x7f\\x00\\x00\\xb8\\xcf\\xd93\\xfc\\x7f\\x00\\x00\\xde\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\xe0\\xd2\\xd93\\xfc\\x7f\\x00\\x00\\x04\\x00\\x00\\x00\\xb8\\x00\\x00\\x00\\xb0\\xc4\\x1f\\xf9\\xb8\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 2465
          },
          {
            "timestamp": "2026-05-28 22:02:14,025",
            "thread_id": "11168",
            "caller": "0x7ffc756e24a8",
            "parentcaller": "0x7ffc756e0732",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3968686040-3210279463-847977608-1001_Classes\\CLSID\\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}\\InprocHandler"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}\\InprocHandler"
              }
            ],
            "repeated": 0,
            "id": 2466
          },
          {
            "timestamp": "2026-05-28 22:02:14,025",
            "thread_id": "11168",
            "caller": "0x7ffc756e40c4",
            "parentcaller": "0x7ffc756e25c4",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000004de"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 2467
          },
          {
            "timestamp": "2026-05-28 22:02:14,025",
            "thread_id": "11168",
            "caller": "0x7ffc756e25e2",
            "parentcaller": "0x7ffc756e0732",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000004de"
              },
              {
                "name": "ObjectAttributesName",
                "value": "InprocHandler"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}\\InprocHandler"
              }
            ],
            "repeated": 0,
            "id": 2468
          },
          {
            "timestamp": "2026-05-28 22:02:14,025",
            "thread_id": "11168",
            "caller": "0x7ffc77ba8010",
            "parentcaller": "0x7ffc77ba53d4",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004de"
              }
            ],
            "repeated": 0,
            "id": 2469
          },
          {
            "timestamp": "2026-05-28 22:02:14,025",
            "thread_id": "11168",
            "caller": "0x7ffc756d30ce",
            "parentcaller": "0x7ffc77c22cd1",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 2470
          },
          {
            "timestamp": "2026-05-28 22:02:14,025",
            "thread_id": "11168",
            "caller": "0x7ffc756d30ce",
            "parentcaller": "0x7ffc77c22cd1",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000037c"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 2471
          },
          {
            "timestamp": "2026-05-28 22:02:14,025",
            "thread_id": "11168",
            "caller": "0x7ffc77ba7b74",
            "parentcaller": "0x7ffc77ba53d4",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x0000036a"
              },
              {
                "name": "SubKey",
                "value": "CLSID\\{C53E07EC-25F3-4093-AA39-FC67EA22E99D}"
              },
              {
                "name": "Handle",
                "value": "0x000004de"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{C53E07EC-25F3-4093-AA39-FC67EA22E99D}"
              }
            ],
            "repeated": 0,
            "id": 2472
          },
          {
            "timestamp": "2026-05-28 22:02:14,025",
            "thread_id": "11168",
            "caller": "0x7ffc756e45a7",
            "parentcaller": "0x7ffc756e0705",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000004de"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\CLSID\\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 2473
          },
          {
            "timestamp": "2026-05-28 22:02:14,025",
            "thread_id": "11168",
            "caller": "0x7ffc756e2314",
            "parentcaller": "0x7ffc756e0732",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000004de"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 2474
          },
          {
            "timestamp": "2026-05-28 22:02:14,025",
            "thread_id": "11168",
            "caller": "0x7ffc78006c8b",
            "parentcaller": "0x7ffc756e23a0",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xe0\\xc1\\x1f\\xf9\\xb8\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xfc\\x7f\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\xe9\\x03\\x00\\x00\\xfc\\x7f\\x00\\x00\\xb8\\xcf\\xd93\\xfc\\x7f\\x00\\x00\\xde\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\xe0\\xd2\\xd93\\xfc\\x7f\\x00\\x00\\x04\\x00\\x00\\x00\\xb8\\x00\\x00\\x00\\xe0\\xc2\\x1f\\xf9\\xb8\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 2475
          },
          {
            "timestamp": "2026-05-28 22:02:14,025",
            "thread_id": "11168",
            "caller": "0x7ffc756e24a8",
            "parentcaller": "0x7ffc756e0732",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3968686040-3210279463-847977608-1001_Classes\\CLSID\\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}\\TreatAs"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}\\TreatAs"
              }
            ],
            "repeated": 0,
            "id": 2476
          },
          {
            "timestamp": "2026-05-28 22:02:14,025",
            "thread_id": "11168",
            "caller": "0x7ffc756e40c4",
            "parentcaller": "0x7ffc756e25c4",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000004de"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 2477
          },
          {
            "timestamp": "2026-05-28 22:02:14,025",
            "thread_id": "11168",
            "caller": "0x7ffc756e25e2",
            "parentcaller": "0x7ffc756e0732",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000004de"
              },
              {
                "name": "ObjectAttributesName",
                "value": "TreatAs"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}\\TreatAs"
              }
            ],
            "repeated": 0,
            "id": 2478
          },
          {
            "timestamp": "2026-05-28 22:02:14,025",
            "thread_id": "11168",
            "caller": "0x7ffc77c322e1",
            "parentcaller": "0x7ffc77ba7c1d",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000004de"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\CLSID\\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 2479
          },
          {
            "timestamp": "2026-05-28 22:02:14,025",
            "thread_id": "11168",
            "caller": "0x7ffc756e2e92",
            "parentcaller": "0x7ffc77ba81f5",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004de"
              },
              {
                "name": "ValueName",
                "value": "ActivateOnHostFlags"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}\\ActivateOnHostFlags"
              }
            ],
            "repeated": 0,
            "id": 2480
          },
          {
            "timestamp": "2026-05-28 22:02:14,025",
            "thread_id": "11168",
            "caller": "0x7ffc756e2e92",
            "parentcaller": "0x7ffc77ba870d",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004de"
              },
              {
                "name": "ValueName",
                "value": ""
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}\\(Default)"
              }
            ],
            "repeated": 0,
            "id": 2481
          },
          {
            "timestamp": "2026-05-28 22:02:14,025",
            "thread_id": "11168",
            "caller": "0x7ffc756e2e92",
            "parentcaller": "0x7ffc77ba87bc",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004de"
              },
              {
                "name": "ValueName",
                "value": ""
              },
              {
                "name": "Data",
                "value": "PSFactoryBuffer"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}\\(Default)"
              }
            ],
            "repeated": 0,
            "id": 2482
          },
          {
            "timestamp": "2026-05-28 22:02:14,025",
            "thread_id": "11168",
            "caller": "0x7ffc77ba8485",
            "parentcaller": "0x7ffc77ba829e",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x000004de"
              },
              {
                "name": "SubKey",
                "value": "InprocServer32"
              },
              {
                "name": "Handle",
                "value": "0x000004e6"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}\\InprocServer32"
              }
            ],
            "repeated": 0,
            "id": 2483
          },
          {
            "timestamp": "2026-05-28 22:02:14,025",
            "thread_id": "11168",
            "caller": "0x7ffc756e2e92",
            "parentcaller": "0x7ffc77ba870d",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004e6"
              },
              {
                "name": "ValueName",
                "value": "InprocServer32"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}\\InProcServer32\\InprocServer32"
              }
            ],
            "repeated": 0,
            "id": 2484
          },
          {
            "timestamp": "2026-05-28 22:02:14,025",
            "thread_id": "11168",
            "caller": "0x7ffc756e2e92",
            "parentcaller": "0x7ffc77ba870d",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004e6"
              },
              {
                "name": "ValueName",
                "value": ""
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}\\InProcServer32\\(Default)"
              }
            ],
            "repeated": 0,
            "id": 2485
          },
          {
            "timestamp": "2026-05-28 22:02:14,025",
            "thread_id": "11168",
            "caller": "0x7ffc756e2e92",
            "parentcaller": "0x7ffc77ba87bc",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004e6"
              },
              {
                "name": "ValueName",
                "value": ""
              },
              {
                "name": "Data",
                "value": "C:\\Windows\\System32\\\\Windows.StateRepositoryPS.dll"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}\\InProcServer32\\(Default)"
              }
            ],
            "repeated": 0,
            "id": 2486
          },
          {
            "timestamp": "2026-05-28 22:02:14,025",
            "thread_id": "11168",
            "caller": "0x7ffc756e2e92",
            "parentcaller": "0x7ffc77ba8d32",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004e6"
              },
              {
                "name": "ValueName",
                "value": "ThreadingModel"
              },
              {
                "name": "Data",
                "value": "Both"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}\\InProcServer32\\ThreadingModel"
              }
            ],
            "repeated": 0,
            "id": 2487
          },
          {
            "timestamp": "2026-05-28 22:02:14,025",
            "thread_id": "11168",
            "caller": "0x7ffc77ba855f",
            "parentcaller": "0x7ffc77ba829e",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004e6"
              }
            ],
            "repeated": 0,
            "id": 2488
          },
          {
            "timestamp": "2026-05-28 22:02:14,025",
            "thread_id": "11168",
            "caller": "0x7ffc756e45a7",
            "parentcaller": "0x7ffc756e0705",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000004de"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\CLSID\\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 2489
          },
          {
            "timestamp": "2026-05-28 22:02:14,025",
            "thread_id": "11168",
            "caller": "0x7ffc756e2314",
            "parentcaller": "0x7ffc756e0732",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000004de"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 2490
          },
          {
            "timestamp": "2026-05-28 22:02:14,025",
            "thread_id": "11168",
            "caller": "0x7ffc78006c8b",
            "parentcaller": "0x7ffc756e23a0",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "p\\xc0\\x1f\\xf9\\xb8\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xfc\\x7f\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\xe9\\x03\\x00\\x00\\xfc\\x7f\\x00\\x00\\xb8\\xcf\\xd93\\xfc\\x7f\\x00\\x00\\xde\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\xe0\\xd2\\xd93\\xfc\\x7f\\x00\\x00\\x04\\x00\\x00\\x00\\xb8\\x00\\x00\\x00p\\xc1\\x1f\\xf9\\xb8\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 2491
          },
          {
            "timestamp": "2026-05-28 22:02:14,025",
            "thread_id": "11168",
            "caller": "0x7ffc756e24a8",
            "parentcaller": "0x7ffc756e0732",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3968686040-3210279463-847977608-1001_Classes\\CLSID\\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}\\InprocHandler32"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}\\InprocHandler32"
              }
            ],
            "repeated": 0,
            "id": 2492
          },
          {
            "timestamp": "2026-05-28 22:02:14,025",
            "thread_id": "11168",
            "caller": "0x7ffc756e40c4",
            "parentcaller": "0x7ffc756e25c4",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000004de"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 2493
          },
          {
            "timestamp": "2026-05-28 22:02:14,025",
            "thread_id": "11168",
            "caller": "0x7ffc756e25e2",
            "parentcaller": "0x7ffc756e0732",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000004de"
              },
              {
                "name": "ObjectAttributesName",
                "value": "InprocHandler32"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}\\InprocHandler32"
              }
            ],
            "repeated": 0,
            "id": 2494
          },
          {
            "timestamp": "2026-05-28 22:02:14,025",
            "thread_id": "11168",
            "caller": "0x7ffc756e45a7",
            "parentcaller": "0x7ffc756e0705",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000004de"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\CLSID\\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 2495
          },
          {
            "timestamp": "2026-05-28 22:02:14,025",
            "thread_id": "11168",
            "caller": "0x7ffc756e2314",
            "parentcaller": "0x7ffc756e0732",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000004de"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 2496
          },
          {
            "timestamp": "2026-05-28 22:02:14,025",
            "thread_id": "11168",
            "caller": "0x7ffc78006c8b",
            "parentcaller": "0x7ffc756e23a0",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "p\\xc0\\x1f\\xf9\\xb8\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xfc\\x7f\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\xe9\\x03\\x00\\x00\\xfc\\x7f\\x00\\x00\\xb8\\xcf\\xd93\\xfc\\x7f\\x00\\x00\\xde\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\xe0\\xd2\\xd93\\xfc\\x7f\\x00\\x00\\x04\\x00\\x00\\x00\\xb8\\x00\\x00\\x00p\\xc1\\x1f\\xf9\\xb8\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 2497
          },
          {
            "timestamp": "2026-05-28 22:02:14,025",
            "thread_id": "11168",
            "caller": "0x7ffc756e24a8",
            "parentcaller": "0x7ffc756e0732",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3968686040-3210279463-847977608-1001_Classes\\CLSID\\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}\\InprocHandler"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}\\InprocHandler"
              }
            ],
            "repeated": 0,
            "id": 2498
          },
          {
            "timestamp": "2026-05-28 22:02:14,025",
            "thread_id": "11168",
            "caller": "0x7ffc756e40c4",
            "parentcaller": "0x7ffc756e25c4",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000004de"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 2499
          },
          {
            "timestamp": "2026-05-28 22:02:14,025",
            "thread_id": "11168",
            "caller": "0x7ffc756e25e2",
            "parentcaller": "0x7ffc756e0732",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000004de"
              },
              {
                "name": "ObjectAttributesName",
                "value": "InprocHandler"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}\\InprocHandler"
              }
            ],
            "repeated": 0,
            "id": 2500
          },
          {
            "timestamp": "2026-05-28 22:02:14,025",
            "thread_id": "11168",
            "caller": "0x7ffc77baab08",
            "parentcaller": "0x7ffc77baa7d9",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x000004de"
              },
              {
                "name": "SubKey",
                "value": "LocalServer32"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}\\LocalServer32"
              }
            ],
            "repeated": 0,
            "id": 2501
          },
          {
            "timestamp": "2026-05-28 22:02:14,025",
            "thread_id": "11168",
            "caller": "0x7ffc756e2e92",
            "parentcaller": "0x7ffc77baa825",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004de"
              },
              {
                "name": "ValueName",
                "value": "AppID"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}\\AppID"
              }
            ],
            "repeated": 0,
            "id": 2502
          },
          {
            "timestamp": "2026-05-28 22:02:14,025",
            "thread_id": "11168",
            "caller": "0x7ffc756e45a7",
            "parentcaller": "0x7ffc756e0705",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000004de"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\CLSID\\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 2503
          },
          {
            "timestamp": "2026-05-28 22:02:14,025",
            "thread_id": "11168",
            "caller": "0x7ffc756e2314",
            "parentcaller": "0x7ffc756e0732",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000004de"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 2504
          },
          {
            "timestamp": "2026-05-28 22:02:14,025",
            "thread_id": "11168",
            "caller": "0x7ffc78006c8b",
            "parentcaller": "0x7ffc756e23a0",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xb0\\xbf\\x1f\\xf9\\xb8\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xfc\\x7f\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\xe9\\x03\\x00\\x00\\xfc\\x7f\\x00\\x00\\xb8\\xcf\\xd93\\xfc\\x7f\\x00\\x00\\xde\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\xe0\\xd2\\xd93\\xfc\\x7f\\x00\\x00\\x04\\x00\\x00\\x00\\xb8\\x00\\x00\\x00\\xb0\\xc0\\x1f\\xf9\\xb8\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 2505
          },
          {
            "timestamp": "2026-05-28 22:02:14,025",
            "thread_id": "11168",
            "caller": "0x7ffc756e24a8",
            "parentcaller": "0x7ffc756e0732",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3968686040-3210279463-847977608-1001_Classes\\CLSID\\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}\\LocalServer"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}\\LocalServer"
              }
            ],
            "repeated": 0,
            "id": 2506
          },
          {
            "timestamp": "2026-05-28 22:02:14,025",
            "thread_id": "11168",
            "caller": "0x7ffc756e40c4",
            "parentcaller": "0x7ffc756e25c4",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000004de"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 2507
          },
          {
            "timestamp": "2026-05-28 22:02:14,025",
            "thread_id": "11168",
            "caller": "0x7ffc756e25e2",
            "parentcaller": "0x7ffc756e0732",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000004de"
              },
              {
                "name": "ObjectAttributesName",
                "value": "LocalServer"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}\\LocalServer"
              }
            ],
            "repeated": 0,
            "id": 2508
          },
          {
            "timestamp": "2026-05-28 22:02:14,025",
            "thread_id": "11168",
            "caller": "0x7ffc77baad16",
            "parentcaller": "0x7ffc77ba83b8",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x0000036a"
              },
              {
                "name": "SubKey",
                "value": "CLSID\\{C53E07EC-25F3-4093-AA39-FC67EA22E99D}"
              },
              {
                "name": "Handle",
                "value": "0x000004e6"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{C53E07EC-25F3-4093-AA39-FC67EA22E99D}"
              }
            ],
            "repeated": 0,
            "id": 2509
          },
          {
            "timestamp": "2026-05-28 22:02:14,025",
            "thread_id": "11168",
            "caller": "0x7ffc77baad4d",
            "parentcaller": "0x7ffc77ba83b8",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x000004e6"
              },
              {
                "name": "SubKey",
                "value": "Elevation"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}\\Elevation"
              }
            ],
            "repeated": 0,
            "id": 2510
          },
          {
            "timestamp": "2026-05-28 22:02:14,025",
            "thread_id": "11168",
            "caller": "0x7ffc77baadb1",
            "parentcaller": "0x7ffc77ba83b8",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004e6"
              }
            ],
            "repeated": 0,
            "id": 2511
          },
          {
            "timestamp": "2026-05-28 22:02:14,025",
            "thread_id": "11168",
            "caller": "0x7ffc77ba8010",
            "parentcaller": "0x7ffc77ba53d4",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004de"
              }
            ],
            "repeated": 0,
            "id": 2512
          },
          {
            "timestamp": "2026-05-28 22:02:14,025",
            "thread_id": "11168",
            "caller": "0x7ffc77ba22bf",
            "parentcaller": "0x7ffc77ba25e9",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x000003c6"
              },
              {
                "name": "SubKey",
                "value": "CLSID\\{C53E07EC-25F3-4093-AA39-FC67EA22E99D}"
              },
              {
                "name": "Handle",
                "value": "0x000004de"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{C53E07EC-25F3-4093-AA39-FC67EA22E99D}"
              }
            ],
            "repeated": 0,
            "id": 2513
          },
          {
            "timestamp": "2026-05-28 22:02:14,025",
            "thread_id": "11168",
            "caller": "0x7ffc77c1f8f8",
            "parentcaller": "0x7ffc77ba213b",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x000004de"
              },
              {
                "name": "SubKey",
                "value": "TreatAs"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}\\TreatAs"
              }
            ],
            "repeated": 0,
            "id": 2514
          },
          {
            "timestamp": "2026-05-28 22:02:14,025",
            "thread_id": "11168",
            "caller": "0x7ffc77ba2160",
            "parentcaller": "0x7ffc77b99277",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004de"
              }
            ],
            "repeated": 0,
            "id": 2515
          },
          {
            "timestamp": "2026-05-28 22:02:14,025",
            "thread_id": "11168",
            "caller": "0x7ffc756d30ce",
            "parentcaller": "0x7ffc77c22cd1",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 2516
          },
          {
            "timestamp": "2026-05-28 22:02:14,025",
            "thread_id": "11168",
            "caller": "0x7ffc756d30ce",
            "parentcaller": "0x7ffc77c22cd1",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000037c"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 2517
          },
          {
            "timestamp": "2026-05-28 22:02:14,025",
            "thread_id": "11168",
            "caller": "0x7ffc756e56b2",
            "parentcaller": "0x7ffc77bc6b6d",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\System32\\Windows.StateRepositoryPS"
              },
              {
                "name": "DllBase",
                "value": "0x7ffc665a0000"
              }
            ],
            "repeated": 0,
            "id": 2518
          },
          {
            "timestamp": "2026-05-28 22:02:14,025",
            "thread_id": "11168",
            "caller": "0x7ffc756e56b2",
            "parentcaller": "0x7ffc77bc6b6d",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\Windows.StateRepositoryPS.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc665a0000"
              }
            ],
            "repeated": 0,
            "id": 2519
          },
          {
            "timestamp": "2026-05-28 22:02:14,025",
            "thread_id": "11168",
            "caller": "0x7ffc756e56b2",
            "parentcaller": "0x7ffc77bc6b6d",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x7ffc665a0000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\System32\\\\Windows.StateRepositoryPS.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00002008"
              }
            ],
            "repeated": 0,
            "id": 2520
          },
          {
            "timestamp": "2026-05-28 22:02:14,025",
            "thread_id": "11168",
            "caller": "0x7ffc756eac31",
            "parentcaller": "0x7ffc77bc6acf",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "Windows.StateRepositoryPS.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc665a0000"
              },
              {
                "name": "FunctionName",
                "value": "DllGetClassObject"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc665a7340"
              }
            ],
            "repeated": 0,
            "id": 2521
          },
          {
            "timestamp": "2026-05-28 22:02:14,025",
            "thread_id": "11168",
            "caller": "0x7ffc756eac31",
            "parentcaller": "0x7ffc77bc6ae8",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": false,
            "return": "0xffffffffc0000139",
            "pretty_return": "ENTRYPOINT_NOT_FOUND",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "Windows.StateRepositoryPS.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc665a0000"
              },
              {
                "name": "FunctionName",
                "value": "DllGetActivationFactory"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 2522
          },
          {
            "timestamp": "2026-05-28 22:02:14,025",
            "thread_id": "11168",
            "caller": "0x7ffc756eac31",
            "parentcaller": "0x7ffc77bc6b08",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "Windows.StateRepositoryPS.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc665a0000"
              },
              {
                "name": "FunctionName",
                "value": "DllCanUnloadNow"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc665a7380"
              }
            ],
            "repeated": 0,
            "id": 2523
          },
          {
            "timestamp": "2026-05-28 22:02:14,025",
            "thread_id": "11168",
            "caller": "0x7ffc770e1630",
            "parentcaller": "0x7ffc770e12cd",
            "category": "system",
            "api": "NtQuerySystemTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 2524
          },
          {
            "timestamp": "2026-05-28 22:02:14,025",
            "thread_id": "11168",
            "caller": "0x7ffc78013f7a",
            "parentcaller": "0x7ffc770b0ed7",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "29"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 2525
          },
          {
            "timestamp": "2026-05-28 22:02:14,041",
            "thread_id": "11168",
            "caller": "0x7ffc77ba22bf",
            "parentcaller": "0x7ffc77c1fbe4",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x000003c6"
              },
              {
                "name": "SubKey",
                "value": "Interface\\{5232F8EA-49C7-4840-BFBB-66E785689E88}"
              },
              {
                "name": "Handle",
                "value": "0x000004e6"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\Interface\\{5232F8EA-49C7-4840-BFBB-66E785689E88}"
              }
            ],
            "repeated": 0,
            "id": 2526
          },
          {
            "timestamp": "2026-05-28 22:02:14,041",
            "thread_id": "11168",
            "caller": "0x7ffc77c1fa51",
            "parentcaller": "0x7ffc77be42ab",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x000004e6"
              },
              {
                "name": "SubKey",
                "value": "ProxyStubClsid32"
              },
              {
                "name": "Handle",
                "value": "0x000004ea"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{5232f8ea-49c7-4840-bfbb-66e785689e88}\\ProxyStubClsid32"
              }
            ],
            "repeated": 0,
            "id": 2527
          },
          {
            "timestamp": "2026-05-28 22:02:14,041",
            "thread_id": "11168",
            "caller": "0x7ffc77c1fa8c",
            "parentcaller": "0x7ffc77be42ab",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004ea"
              },
              {
                "name": "ValueName",
                "value": ""
              },
              {
                "name": "Data",
                "value": "{c53e07ec-25f3-4093-aa39-fc67ea22e99d}"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{5232f8ea-49c7-4840-bfbb-66e785689e88}\\ProxyStubClsid32\\(Default)"
              }
            ],
            "repeated": 0,
            "id": 2528
          },
          {
            "timestamp": "2026-05-28 22:02:14,041",
            "thread_id": "11168",
            "caller": "0x7ffc77c1fad3",
            "parentcaller": "0x7ffc77be42ab",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004ea"
              }
            ],
            "repeated": 0,
            "id": 2529
          },
          {
            "timestamp": "2026-05-28 22:02:14,041",
            "thread_id": "11168",
            "caller": "0x7ffc77c1fae4",
            "parentcaller": "0x7ffc77be42ab",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004e6"
              }
            ],
            "repeated": 0,
            "id": 2530
          },
          {
            "timestamp": "2026-05-28 22:02:14,041",
            "thread_id": "11168",
            "caller": "0x7ffc756d30ce",
            "parentcaller": "0x7ffc77c22cd1",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 2531
          },
          {
            "timestamp": "2026-05-28 22:02:14,041",
            "thread_id": "11168",
            "caller": "0x7ffc756d30ce",
            "parentcaller": "0x7ffc77c22cd1",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000037c"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 2532
          },
          {
            "timestamp": "2026-05-28 22:02:14,041",
            "thread_id": "11168",
            "caller": "0x7ffc77c2dd9d",
            "parentcaller": "0x7ffc77bc7428",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000004e4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020119",
                "pretty_value": "KEY_QUERY_VALUE|KEY_ENUMERATE_SUB_KEYS|KEY_NOTIFY|KEY_WOW64_64KEY|STANDARD_RIGHTS_REQUIRED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000378"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Windows.Internal.StateRepository.Package"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.Package"
              }
            ],
            "repeated": 0,
            "id": 2533
          },
          {
            "timestamp": "2026-05-28 22:02:14,041",
            "thread_id": "11168",
            "caller": "0x7ffc77c2ddf7",
            "parentcaller": "0x7ffc77bc7428",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000004e4"
              },
              {
                "name": "KeyInformation",
                "value": "\\xfffci\\x0e\\xffd4\\xffde\\xffac\\xffd5\\x01\\x00\\x00\\x00\\x00P\\x00\\x00\\x00W\\x00i\\x00n\\x00d\\x00o\\x00w\\x00s\\x00.\\x00I\\x00n\\x00t\\x00e\\x00r\\x00n\\x00a\\x00l\\x00.\\x00S\\x00t\\x00a\\x00t\\x00e\\x00R\\x00e\\x00p\\x00o\\x00s\\x00i\\x00t\\x00o\\x00r\\x00y\\x00.\\x00P\\x00a\\x00c\\x00k\\x00a\\x00g\\x00e\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x16\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x07\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x0e\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xffb0E\\xffe7w\\xfffc\\x7f\\x00\\x00\\xfff8\\xffb3He\\xffa3\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00`\\xffed\\x1f\\xfff9\\xffb8\\x00\\x00\\x00\\xff8c\\xffc2\\xffffw\\xfffc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\xffa3\\x02\\x00\\x00\\xffb0\\x04Ie\\xffa3\\x02\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xffa3\\x02\\x00\\x00\\xff9e\\xff92\\xffb3*\\xffbd\\xffaa\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xffd0BIe\\xffa3\\x02\\x00\\x00\\xfff8\\xffb3He\\xffa3\\x02\\x00\\x00\\xffd0\\xffb3He\\xffa3\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xff87\\xff9d\\xffbbw\\xfffc\\x7f\\x00\\x00\\xffb0\\x04Ie\\xffa3\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xffd0\\xffb3He\\xffa3\\x02\\x00\\x00\\xffb0\\x04Ie\\xffa3\\x02\\x00\\x00\\xffd0BIe\\xffa3\\x02\\x00\\x00\\xffa0\\xff90Je\\xffa3\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xfff6s\\xffbbw\\xfffc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x07\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xff80\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xffd0BIe\\xffa3\\x02\\x00\\x00`\nIe\\xffa3\\x02\\x00\\x00`\nIe\\xffa3\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xffb0\\x04Ie\\xffa3\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00
\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00`\nIe\\xffa3\\x02\\x00\\x00\\xff8c\\xffc2\\xffffw\\xfffc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\xffa3\\x02\\x00\\x00\\xffb0\\x04Ie\\xffa3\\x02\\x00\\x00\\xffa0\\xff90Je\\xffa3\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00`\\xffee\\x1f\\xfff9\\xffb8\\x00\\x00\\x003\\x00\\x00\\x00\\x00\\x00\\x00\\x00@\\x0bIe\\xffa3\\x02\\x00\\x00\\xffd0\\xffb3He\\xffa3\\x02\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 2534
          },
          {
            "timestamp": "2026-05-28 22:02:14,041",
            "thread_id": "11168",
            "caller": "0x7ffc756e2e92",
            "parentcaller": "0x7ffc77c29cb2",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004e4"
              },
              {
                "name": "ValueName",
                "value": "ActivationType"
              },
              {
                "name": "Data",
                "value": "1"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.Package\\ActivationType"
              }
            ],
            "repeated": 0,
            "id": 2535
          },
          {
            "timestamp": "2026-05-28 22:02:14,041",
            "thread_id": "11168",
            "caller": "0x7ffc77b87deb",
            "parentcaller": "0x7ffc77c38ff0",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004e4"
              },
              {
                "name": "ValueName",
                "value": "Server"
              },
              {
                "name": "Data",
                "value": "StateRepository"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.Package\\Server"
              }
            ],
            "repeated": 0,
            "id": 2536
          },
          {
            "timestamp": "2026-05-28 22:02:14,041",
            "thread_id": "11168",
            "caller": "0x7ffc77b87deb",
            "parentcaller": "0x7ffc77c400bb",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004e4"
              },
              {
                "name": "ValueName",
                "value": "DllPath"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.Package\\DllPath"
              }
            ],
            "repeated": 0,
            "id": 2537
          },
          {
            "timestamp": "2026-05-28 22:02:14,041",
            "thread_id": "11168",
            "caller": "0x7ffc756e2e92",
            "parentcaller": "0x7ffc77c29cb2",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004e4"
              },
              {
                "name": "ValueName",
                "value": "Threading"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.Package\\Threading"
              }
            ],
            "repeated": 0,
            "id": 2538
          },
          {
            "timestamp": "2026-05-28 22:02:14,041",
            "thread_id": "11168",
            "caller": "0x7ffc756e2e92",
            "parentcaller": "0x7ffc77c29cb2",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004e4"
              },
              {
                "name": "ValueName",
                "value": "TrustLevel"
              },
              {
                "name": "Data",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.Package\\TrustLevel"
              }
            ],
            "repeated": 0,
            "id": 2539
          },
          {
            "timestamp": "2026-05-28 22:02:14,041",
            "thread_id": "11168",
            "caller": "0x7ffc77b8c0fc",
            "parentcaller": "0x7ffc77c24170",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x000004e4"
              },
              {
                "name": "SubKey",
                "value": "CustomAttributes"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.Package\\CustomAttributes"
              }
            ],
            "repeated": 0,
            "id": 2540
          },
          {
            "timestamp": "2026-05-28 22:02:14,041",
            "thread_id": "11168",
            "caller": "0x7ffc77b87deb",
            "parentcaller": "0x7ffc77c38ff0",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004e4"
              },
              {
                "name": "ValueName",
                "value": "RemoteServer"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.Package\\RemoteServer"
              }
            ],
            "repeated": 0,
            "id": 2541
          },
          {
            "timestamp": "2026-05-28 22:02:14,041",
            "thread_id": "11168",
            "caller": "0x7ffc756e2e92",
            "parentcaller": "0x7ffc77c29cb2",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004e4"
              },
              {
                "name": "ValueName",
                "value": "ActivateAsUser"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.Package\\ActivateAsUser"
              }
            ],
            "repeated": 0,
            "id": 2542
          },
          {
            "timestamp": "2026-05-28 22:02:14,041",
            "thread_id": "11168",
            "caller": "0x7ffc756e2e92",
            "parentcaller": "0x7ffc77c29cb2",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004e4"
              },
              {
                "name": "ValueName",
                "value": "ActivateInSharedBroker"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.Package\\ActivateInSharedBroker"
              }
            ],
            "repeated": 0,
            "id": 2543
          },
          {
            "timestamp": "2026-05-28 22:02:14,041",
            "thread_id": "11168",
            "caller": "0x7ffc756e2e92",
            "parentcaller": "0x7ffc77c29cb2",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004e4"
              },
              {
                "name": "ValueName",
                "value": "ActivateInBrokerForMediumILContainer"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.Package\\ActivateInBrokerForMediumILContainer"
              }
            ],
            "repeated": 0,
            "id": 2544
          },
          {
            "timestamp": "2026-05-28 22:02:14,041",
            "thread_id": "11168",
            "caller": "0x7ffc756e2e92",
            "parentcaller": "0x7ffc77c32222",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004e4"
              },
              {
                "name": "ValueName",
                "value": "Permissions"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.Package\\Permissions"
              }
            ],
            "repeated": 0,
            "id": 2545
          },
          {
            "timestamp": "2026-05-28 22:02:14,041",
            "thread_id": "11168",
            "caller": "0x7ffc756e2e92",
            "parentcaller": "0x7ffc77c29cb2",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004e4"
              },
              {
                "name": "ValueName",
                "value": "ActivateOnHostFlags"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.Package\\ActivateOnHostFlags"
              }
            ],
            "repeated": 0,
            "id": 2546
          },
          {
            "timestamp": "2026-05-28 22:02:14,041",
            "thread_id": "11168",
            "caller": "0x7ffc77c27226",
            "parentcaller": "0x7ffc77c2ca23",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004e4"
              }
            ],
            "repeated": 0,
            "id": 2547
          },
          {
            "timestamp": "2026-05-28 22:02:14,041",
            "thread_id": "11168",
            "caller": "0x7ffc77be92b9",
            "parentcaller": "0x7ffc77c2224d",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "00000339-0000-0000-C000-000000000046"
              },
              {
                "name": "ClsContext",
                "value": "0x00000403",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER|CLSCTX_NO_CODE_DOWNLOAD"
              },
              {
                "name": "riid",
                "value": "00000003-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 2548
          },
          {
            "timestamp": "2026-05-28 22:02:14,041",
            "thread_id": "11168",
            "caller": "0x7ffc77ba22bf",
            "parentcaller": "0x7ffc77c1fbe4",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x000003c6"
              },
              {
                "name": "SubKey",
                "value": "Interface\\{0450CE77-AF0D-40AC-93FD-1E5D48C89419}"
              },
              {
                "name": "Handle",
                "value": "0x000004e6"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\Interface\\{0450CE77-AF0D-40AC-93FD-1E5D48C89419}"
              }
            ],
            "repeated": 0,
            "id": 2549
          },
          {
            "timestamp": "2026-05-28 22:02:14,041",
            "thread_id": "11168",
            "caller": "0x7ffc77c1fa51",
            "parentcaller": "0x7ffc77be42ab",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x000004e6"
              },
              {
                "name": "SubKey",
                "value": "ProxyStubClsid32"
              },
              {
                "name": "Handle",
                "value": "0x000004ea"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{0450ce77-af0d-40ac-93fd-1e5d48c89419}\\ProxyStubClsid32"
              }
            ],
            "repeated": 0,
            "id": 2550
          },
          {
            "timestamp": "2026-05-28 22:02:14,041",
            "thread_id": "11168",
            "caller": "0x7ffc77c1fa8c",
            "parentcaller": "0x7ffc77be42ab",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004ea"
              },
              {
                "name": "ValueName",
                "value": ""
              },
              {
                "name": "Data",
                "value": "{c53e07ec-25f3-4093-aa39-fc67ea22e99d}"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{0450ce77-af0d-40ac-93fd-1e5d48c89419}\\ProxyStubClsid32\\(Default)"
              }
            ],
            "repeated": 0,
            "id": 2551
          },
          {
            "timestamp": "2026-05-28 22:02:14,041",
            "thread_id": "11168",
            "caller": "0x7ffc77c1fad3",
            "parentcaller": "0x7ffc77be42ab",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004ea"
              }
            ],
            "repeated": 0,
            "id": 2552
          },
          {
            "timestamp": "2026-05-28 22:02:14,041",
            "thread_id": "11168",
            "caller": "0x7ffc77c1fae4",
            "parentcaller": "0x7ffc77be42ab",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004e6"
              }
            ],
            "repeated": 0,
            "id": 2553
          },
          {
            "timestamp": "2026-05-28 22:02:14,041",
            "thread_id": "11168",
            "caller": "0x7ffc756d30ce",
            "parentcaller": "0x7ffc77c22cd1",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 2554
          },
          {
            "timestamp": "2026-05-28 22:02:14,041",
            "thread_id": "11168",
            "caller": "0x7ffc756d30ce",
            "parentcaller": "0x7ffc77c22cd1",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000037c"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 2555
          },
          {
            "timestamp": "2026-05-28 22:02:14,041",
            "thread_id": "11168",
            "caller": "0x7ffc77ba22bf",
            "parentcaller": "0x7ffc77c1fbe4",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x000003c6"
              },
              {
                "name": "SubKey",
                "value": "Interface\\{195F5943-0C04-4EAB-B907-735817FDAC77}"
              },
              {
                "name": "Handle",
                "value": "0x000004e6"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\Interface\\{195F5943-0C04-4EAB-B907-735817FDAC77}"
              }
            ],
            "repeated": 0,
            "id": 2556
          },
          {
            "timestamp": "2026-05-28 22:02:14,041",
            "thread_id": "11168",
            "caller": "0x7ffc77c1fa51",
            "parentcaller": "0x7ffc77be42ab",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x000004e6"
              },
              {
                "name": "SubKey",
                "value": "ProxyStubClsid32"
              },
              {
                "name": "Handle",
                "value": "0x000004ea"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{195f5943-0c04-4eab-b907-735817fdac77}\\ProxyStubClsid32"
              }
            ],
            "repeated": 0,
            "id": 2557
          },
          {
            "timestamp": "2026-05-28 22:02:14,041",
            "thread_id": "11168",
            "caller": "0x7ffc77c1fa8c",
            "parentcaller": "0x7ffc77be42ab",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004ea"
              },
              {
                "name": "ValueName",
                "value": ""
              },
              {
                "name": "Data",
                "value": "{c53e07ec-25f3-4093-aa39-fc67ea22e99d}"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{195f5943-0c04-4eab-b907-735817fdac77}\\ProxyStubClsid32\\(Default)"
              }
            ],
            "repeated": 0,
            "id": 2558
          },
          {
            "timestamp": "2026-05-28 22:02:14,041",
            "thread_id": "11168",
            "caller": "0x7ffc77c1fad3",
            "parentcaller": "0x7ffc77be42ab",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004ea"
              }
            ],
            "repeated": 0,
            "id": 2559
          },
          {
            "timestamp": "2026-05-28 22:02:14,041",
            "thread_id": "11168",
            "caller": "0x7ffc77c1fae4",
            "parentcaller": "0x7ffc77be42ab",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004e6"
              }
            ],
            "repeated": 0,
            "id": 2560
          },
          {
            "timestamp": "2026-05-28 22:02:14,041",
            "thread_id": "11168",
            "caller": "0x7ffc756d30ce",
            "parentcaller": "0x7ffc77c22cd1",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 2561
          },
          {
            "timestamp": "2026-05-28 22:02:14,041",
            "thread_id": "11168",
            "caller": "0x7ffc756d30ce",
            "parentcaller": "0x7ffc77c22cd1",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000037c"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 2562
          },
          {
            "timestamp": "2026-05-28 22:02:14,041",
            "thread_id": "11168",
            "caller": "0x7ffc7808e53f",
            "parentcaller": "0x7ffc77fefaf7",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "93"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x7f7\\x9e}"
              }
            ],
            "repeated": 0,
            "id": 2563
          },
          {
            "timestamp": "2026-05-28 22:02:14,041",
            "thread_id": "11168",
            "caller": "0x7ffc77fe5157",
            "parentcaller": "0x7ffc77fe43ea",
            "category": "process",
            "api": "NtOpenSection",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0000000d"
              },
              {
                "name": "ObjectAttributes",
                "value": "capauthz.dll"
              }
            ],
            "repeated": 0,
            "id": 2564
          },
          {
            "timestamp": "2026-05-28 22:02:14,041",
            "thread_id": "11168",
            "caller": "0x7ffc7802f37b",
            "parentcaller": "0x7ffc7802f207",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\capauthz.dll"
              }
            ],
            "repeated": 0,
            "id": 2565
          },
          {
            "timestamp": "2026-05-28 22:02:14,041",
            "thread_id": "11168",
            "caller": "0x7ffc7802fc9c",
            "parentcaller": "0x7ffc7802fa80",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000004e4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100021",
                "pretty_value": "FILE_READ_ACCESS|FILE_EXECUTE|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\capauthz.dll"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 2566
          },
          {
            "timestamp": "2026-05-28 22:02:14,041",
            "thread_id": "11168",
            "caller": "0x7ffc7802fcfe",
            "parentcaller": "0x7ffc7802fa80",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x000004e8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0000000d",
                "pretty_value": "SECTION_QUERY|SECTION_MAP_READ|SECTION_MAP_EXECUTE"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x000004e4"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\capauthz.dll"
              }
            ],
            "repeated": 0,
            "id": 2567
          },
          {
            "timestamp": "2026-05-28 22:02:14,041",
            "thread_id": "11168",
            "caller": "0x7ffc77fe4d42",
            "parentcaller": "0x7ffc77fe4aaa",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x000004e8"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc6db50000"
              },
              {
                "name": "SectionOffset",
                "value": "0x00000000"
              },
              {
                "name": "ViewSize",
                "value": "0x00051000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000080",
                "pretty_value": "PAGE_EXECUTE_WRITECOPY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 2568
          },
          {
            "timestamp": "2026-05-28 22:02:14,041",
            "thread_id": "11168",
            "caller": "0x7ffc77fdfee4",
            "parentcaller": "0x7ffc77fdfad8",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc6db9a000"
              },
              {
                "name": "ModuleName",
                "value": "capauthz.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 2569
          },
          {
            "timestamp": "2026-05-28 22:02:14,041",
            "thread_id": "11168",
            "caller": "0x7ffc77fdffb5",
            "parentcaller": "0x7ffc77fdfad8",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc6db88000"
              },
              {
                "name": "ModuleName",
                "value": "capauthz.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 2570
          },
          {
            "timestamp": "2026-05-28 22:02:14,041",
            "thread_id": "11168",
            "caller": "0x7ffc77fdffed",
            "parentcaller": "0x7ffc77fdfad8",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc6db88000"
              },
              {
                "name": "ModuleName",
                "value": "capauthz.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 2571
          },
          {
            "timestamp": "2026-05-28 22:02:14,041",
            "thread_id": "11168",
            "caller": "0x7ffc77fe0068",
            "parentcaller": "0x7ffc77fdfad8",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc6db88000"
              },
              {
                "name": "ModuleName",
                "value": "capauthz.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 2572
          },
          {
            "timestamp": "2026-05-28 22:02:14,041",
            "thread_id": "11168",
            "caller": "0x7ffc77fe009c",
            "parentcaller": "0x7ffc77fdfad8",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc6db88000"
              },
              {
                "name": "ModuleName",
                "value": "capauthz.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 2573
          },
          {
            "timestamp": "2026-05-28 22:02:14,041",
            "thread_id": "11168",
            "caller": "0x7ffc77fe5082",
            "parentcaller": "0x7ffc77fe79d2",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc6db88000"
              },
              {
                "name": "ModuleName",
                "value": "capauthz.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 2574
          },
          {
            "timestamp": "2026-05-28 22:02:14,041",
            "thread_id": "11168",
            "caller": "0x7ffc77fe5157",
            "parentcaller": "0x7ffc77fe43ea",
            "category": "process",
            "api": "NtOpenSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x000004ec"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0000000d"
              },
              {
                "name": "ObjectAttributes",
                "value": "WINTRUST.dll"
              }
            ],
            "repeated": 0,
            "id": 2575
          },
          {
            "timestamp": "2026-05-28 22:02:14,041",
            "thread_id": "11168",
            "caller": "0x7ffc77fe4d42",
            "parentcaller": "0x7ffc77fe4aaa",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x000004ec"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc75ee0000"
              },
              {
                "name": "SectionOffset",
                "value": "0x00000000"
              },
              {
                "name": "ViewSize",
                "value": "0x00067000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000080",
                "pretty_value": "PAGE_EXECUTE_WRITECOPY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 2576
          },
          {
            "timestamp": "2026-05-28 22:02:14,041",
            "thread_id": "11168",
            "caller": "0x7ffc77fdfee4",
            "parentcaller": "0x7ffc77fdfad8",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc75f43000"
              },
              {
                "name": "ModuleName",
                "value": "WINTRUST.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 2577
          },
          {
            "timestamp": "2026-05-28 22:02:14,041",
            "thread_id": "11168",
            "caller": "0x7ffc77fdffb5",
            "parentcaller": "0x7ffc77fdfad8",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc75f2a000"
              },
              {
                "name": "ModuleName",
                "value": "WINTRUST.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 2578
          },
          {
            "timestamp": "2026-05-28 22:02:14,041",
            "thread_id": "11168",
            "caller": "0x7ffc77fdffed",
            "parentcaller": "0x7ffc77fdfad8",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc75f2a000"
              },
              {
                "name": "ModuleName",
                "value": "WINTRUST.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 2579
          },
          {
            "timestamp": "2026-05-28 22:02:14,041",
            "thread_id": "11168",
            "caller": "0x7ffc77fe0068",
            "parentcaller": "0x7ffc77fdfad8",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc75f2a000"
              },
              {
                "name": "ModuleName",
                "value": "WINTRUST.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 2580
          },
          {
            "timestamp": "2026-05-28 22:02:14,041",
            "thread_id": "11168",
            "caller": "0x7ffc77fe009c",
            "parentcaller": "0x7ffc77fdfad8",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc75f2a000"
              },
              {
                "name": "ModuleName",
                "value": "WINTRUST.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 2581
          },
          {
            "timestamp": "2026-05-28 22:02:14,041",
            "thread_id": "11168",
            "caller": "0x7ffc77fe5082",
            "parentcaller": "0x7ffc77fe79d2",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc75f2a000"
              },
              {
                "name": "ModuleName",
                "value": "WINTRUST.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 2582
          },
          {
            "timestamp": "2026-05-28 22:02:14,041",
            "thread_id": "11168",
            "caller": "0x7ffc77fe4485",
            "parentcaller": "0x7ffc77fe88a8",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004ec"
              }
            ],
            "repeated": 0,
            "id": 2583
          },
          {
            "timestamp": "2026-05-28 22:02:14,041",
            "thread_id": "11168",
            "caller": "0x7ffc7802fd68",
            "parentcaller": "0x7ffc7802fa80",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004e8"
              }
            ],
            "repeated": 0,
            "id": 2584
          },
          {
            "timestamp": "2026-05-28 22:02:14,041",
            "thread_id": "11168",
            "caller": "0x7ffc7802fd71",
            "parentcaller": "0x7ffc7802fa80",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004e4"
              }
            ],
            "repeated": 0,
            "id": 2585
          },
          {
            "timestamp": "2026-05-28 22:02:14,041",
            "thread_id": "11168",
            "caller": "0x7ffc78017bac",
            "parentcaller": "0x7ffc7800288a",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc75f2a000"
              },
              {
                "name": "ModuleName",
                "value": "WINTRUST.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 2586
          },
          {
            "timestamp": "2026-05-28 22:02:14,041",
            "thread_id": "11168",
            "caller": "0x7ffc78017bac",
            "parentcaller": "0x7ffc7800288a",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc6db88000"
              },
              {
                "name": "ModuleName",
                "value": "capauthz.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 2587
          },
          {
            "timestamp": "2026-05-28 22:02:14,041",
            "thread_id": "11168",
            "caller": "0x7ffc78017bac",
            "parentcaller": "0x7ffc7800288a",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\System32\\WINTRUST"
              },
              {
                "name": "DllBase",
                "value": "0x7ffc75ee0000"
              }
            ],
            "repeated": 0,
            "id": 2588
          },
          {
            "timestamp": "2026-05-28 22:02:14,041",
            "thread_id": "11168",
            "caller": "0x7ffc78037cc6",
            "parentcaller": "0x7ffc7800ddf7",
            "category": "system",
            "api": "NtQuerySystemTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 2,
            "id": 2589
          },
          {
            "timestamp": "2026-05-28 22:02:14,041",
            "thread_id": "11168",
            "caller": "0x7ffc78037cc6",
            "parentcaller": "0x7ffc7800ddf7",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\SYSTEM32\\capauthz"
              },
              {
                "name": "DllBase",
                "value": "0x7ffc6db50000"
              }
            ],
            "repeated": 0,
            "id": 2590
          },
          {
            "timestamp": "2026-05-28 22:02:14,041",
            "thread_id": "11168",
            "caller": "0x7ffc77ff2caa",
            "parentcaller": "0x7ffc77ff2fbd",
            "category": "process",
            "api": "NtAllocateVirtualMemoryEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2a365516000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 2591
          },
          {
            "timestamp": "2026-05-28 22:02:14,041",
            "thread_id": "11168",
            "caller": "0x7ffc756ded78",
            "parentcaller": "0x7ffc7572cf77",
            "category": "synchronization",
            "api": "NtCreateMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004e8"
              },
              {
                "name": "MutexName",
                "value": ""
              },
              {
                "name": "InitialOwner",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 2592
          },
          {
            "timestamp": "2026-05-28 22:02:14,041",
            "thread_id": "11168",
            "caller": "0x7ffc756ded78",
            "parentcaller": "0x7ffc7572cf77",
            "category": "synchronization",
            "api": "NtCreateMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004f0"
              },
              {
                "name": "MutexName",
                "value": ""
              },
              {
                "name": "InitialOwner",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 2593
          },
          {
            "timestamp": "2026-05-28 22:02:14,041",
            "thread_id": "11168",
            "caller": "0x7ffc78017830",
            "parentcaller": "0x7ffc780020f9",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc75f43000"
              },
              {
                "name": "ModuleName",
                "value": "WINTRUST.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 2594
          },
          {
            "timestamp": "2026-05-28 22:02:14,041",
            "thread_id": "11168",
            "caller": "0x7ffc78017881",
            "parentcaller": "0x7ffc780020f9",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc75f43000"
              },
              {
                "name": "ModuleName",
                "value": "WINTRUST.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 2595
          },
          {
            "timestamp": "2026-05-28 22:02:14,041",
            "thread_id": "11168",
            "caller": "0x7ffc7808e53f",
            "parentcaller": "0x7ffc77fefaf7",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "93"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x7f7\\x9e}"
              }
            ],
            "repeated": 0,
            "id": 2596
          },
          {
            "timestamp": "2026-05-28 22:02:14,041",
            "thread_id": "11168",
            "caller": "0x7ffc77fe5157",
            "parentcaller": "0x7ffc77fe43ea",
            "category": "process",
            "api": "NtOpenSection",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0000000d"
              },
              {
                "name": "ObjectAttributes",
                "value": "MSASN1.dll"
              }
            ],
            "repeated": 0,
            "id": 2597
          },
          {
            "timestamp": "2026-05-28 22:02:14,041",
            "thread_id": "11168",
            "caller": "0x7ffc7802f37b",
            "parentcaller": "0x7ffc7802f207",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\MSASN1.dll"
              }
            ],
            "repeated": 0,
            "id": 2598
          },
          {
            "timestamp": "2026-05-28 22:02:14,041",
            "thread_id": "11168",
            "caller": "0x7ffc7802f37b",
            "parentcaller": "0x7ffc7802f207",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\msasn1.dll"
              }
            ],
            "repeated": 0,
            "id": 2599
          },
          {
            "timestamp": "2026-05-28 22:02:14,041",
            "thread_id": "11168",
            "caller": "0x7ffc7802fc9c",
            "parentcaller": "0x7ffc7802f7b0",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000004fc"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100021",
                "pretty_value": "FILE_READ_ACCESS|FILE_EXECUTE|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\msasn1.dll"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 2600
          },
          {
            "timestamp": "2026-05-28 22:02:14,041",
            "thread_id": "11168",
            "caller": "0x7ffc7802fcfe",
            "parentcaller": "0x7ffc7802f7b0",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000500"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0000000d",
                "pretty_value": "SECTION_QUERY|SECTION_MAP_READ|SECTION_MAP_EXECUTE"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x000004fc"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\msasn1.dll"
              }
            ],
            "repeated": 0,
            "id": 2601
          },
          {
            "timestamp": "2026-05-28 22:02:14,041",
            "thread_id": "11168",
            "caller": "0x7ffc77fe4d42",
            "parentcaller": "0x7ffc77fe4aaa",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000500"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc751b0000"
              },
              {
                "name": "SectionOffset",
                "value": "0x00000000"
              },
              {
                "name": "ViewSize",
                "value": "0x00012000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000080",
                "pretty_value": "PAGE_EXECUTE_WRITECOPY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 2602
          },
          {
            "timestamp": "2026-05-28 22:02:14,041",
            "thread_id": "11168",
            "caller": "0x7ffc77fdffb5",
            "parentcaller": "0x7ffc77fdfad8",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc751ba000"
              },
              {
                "name": "ModuleName",
                "value": "MSASN1.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 2603
          },
          {
            "timestamp": "2026-05-28 22:02:14,041",
            "thread_id": "11168",
            "caller": "0x7ffc77fdffed",
            "parentcaller": "0x7ffc77fdfad8",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc751ba000"
              },
              {
                "name": "ModuleName",
                "value": "MSASN1.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 2604
          },
          {
            "timestamp": "2026-05-28 22:02:14,041",
            "thread_id": "11168",
            "caller": "0x7ffc77fe0068",
            "parentcaller": "0x7ffc77fdfad8",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc751ba000"
              },
              {
                "name": "ModuleName",
                "value": "MSASN1.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 2605
          },
          {
            "timestamp": "2026-05-28 22:02:14,041",
            "thread_id": "11168",
            "caller": "0x7ffc77fe009c",
            "parentcaller": "0x7ffc77fdfad8",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc751ba000"
              },
              {
                "name": "ModuleName",
                "value": "MSASN1.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 2606
          },
          {
            "timestamp": "2026-05-28 22:02:14,041",
            "thread_id": "11168",
            "caller": "0x7ffc77fe5082",
            "parentcaller": "0x7ffc77fe79d2",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc751ba000"
              },
              {
                "name": "ModuleName",
                "value": "MSASN1.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 2607
          },
          {
            "timestamp": "2026-05-28 22:02:14,041",
            "thread_id": "11168",
            "caller": "0x7ffc7802fd68",
            "parentcaller": "0x7ffc7802f7b0",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000500"
              }
            ],
            "repeated": 0,
            "id": 2608
          },
          {
            "timestamp": "2026-05-28 22:02:14,041",
            "thread_id": "11168",
            "caller": "0x7ffc7802fd71",
            "parentcaller": "0x7ffc7802f7b0",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004fc"
              }
            ],
            "repeated": 0,
            "id": 2609
          },
          {
            "timestamp": "2026-05-28 22:02:14,041",
            "thread_id": "11168",
            "caller": "0x7ffc78017bac",
            "parentcaller": "0x7ffc7800288a",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc751ba000"
              },
              {
                "name": "ModuleName",
                "value": "MSASN1.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 2610
          },
          {
            "timestamp": "2026-05-28 22:02:14,041",
            "thread_id": "11168",
            "caller": "0x7ffc78017bac",
            "parentcaller": "0x7ffc7800288a",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\System32\\MSASN1"
              },
              {
                "name": "DllBase",
                "value": "0x7ffc751b0000"
              }
            ],
            "repeated": 0,
            "id": 2611
          },
          {
            "timestamp": "2026-05-28 22:02:14,041",
            "thread_id": "11168",
            "caller": "0x7ffc7803c2c7",
            "parentcaller": "0x7ffc7803c05a",
            "category": "system",
            "api": "LdrpCallInitRoutine",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "MappedPath",
                "value": "\\Device\\HarddiskVolume2\\Windows\\System32\\msasn1"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc751b0000"
              },
              {
                "name": "InitRoutine",
                "value": "0x7ffc751b5860"
              },
              {
                "name": "Reason",
                "value": "1"
              }
            ],
            "repeated": 0,
            "id": 2612
          },
          {
            "timestamp": "2026-05-28 22:02:14,041",
            "thread_id": "11168",
            "caller": "0x7ffc78017830",
            "parentcaller": "0x7ffc780020f9",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc75f43000"
              },
              {
                "name": "ModuleName",
                "value": "WINTRUST.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 2613
          },
          {
            "timestamp": "2026-05-28 22:02:14,041",
            "thread_id": "11168",
            "caller": "0x7ffc78017881",
            "parentcaller": "0x7ffc780020f9",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc75f43000"
              },
              {
                "name": "ModuleName",
                "value": "WINTRUST.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 2614
          },
          {
            "timestamp": "2026-05-28 22:02:14,041",
            "thread_id": "11168",
            "caller": "0x7ffc751b57f9",
            "parentcaller": "0x7ffc751b56a6",
            "category": "registry",
            "api": "RegOpenKeyExA",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\msasn1"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\msasn1"
              }
            ],
            "repeated": 0,
            "id": 2615
          },
          {
            "timestamp": "2026-05-28 22:02:14,041",
            "thread_id": "11168",
            "caller": "0x7ffc751b57f9",
            "parentcaller": "0x7ffc751b56a6",
            "category": "system",
            "api": "LdrpCallInitRoutine",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "MappedPath",
                "value": "\\Device\\HarddiskVolume2\\Windows\\System32\\wintrust"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc75ee0000"
              },
              {
                "name": "InitRoutine",
                "value": "0x7ffc75ef1670"
              },
              {
                "name": "Reason",
                "value": "1"
              }
            ],
            "repeated": 0,
            "id": 2616
          },
          {
            "timestamp": "2026-05-28 22:02:14,041",
            "thread_id": "11168",
            "caller": "0x7ffc7803c2c7",
            "parentcaller": "0x7ffc7803c05a",
            "category": "system",
            "api": "LdrpCallInitRoutine",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "MappedPath",
                "value": "\\Device\\HarddiskVolume2\\Windows\\System32\\capauthz"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc6db50000"
              },
              {
                "name": "InitRoutine",
                "value": "0x7ffc6db82fd0"
              },
              {
                "name": "Reason",
                "value": "1"
              }
            ],
            "repeated": 0,
            "id": 2617
          },
          {
            "timestamp": "2026-05-28 22:02:14,041",
            "thread_id": "11168",
            "caller": "0x7ffc78017830",
            "parentcaller": "0x7ffc780020f9",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc639ef000"
              },
              {
                "name": "ModuleName",
                "value": "execmodelclient.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 2618
          },
          {
            "timestamp": "2026-05-28 22:02:14,041",
            "thread_id": "11168",
            "caller": "0x7ffc78017881",
            "parentcaller": "0x7ffc780020f9",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc639ef000"
              },
              {
                "name": "ModuleName",
                "value": "execmodelclient.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 2619
          },
          {
            "timestamp": "2026-05-28 22:02:14,041",
            "thread_id": "11168",
            "caller": "0x7ffc6db568cd",
            "parentcaller": "0x7ffc6db54292",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "Software\\Microsoft\\SecurityManager\\CapAuthz"
              },
              {
                "name": "Handle",
                "value": "0x00000500"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\SecurityManager\\CapAuthz"
              }
            ],
            "repeated": 0,
            "id": 2620
          },
          {
            "timestamp": "2026-05-28 22:02:14,041",
            "thread_id": "11168",
            "caller": "0x7ffc6db56915",
            "parentcaller": "0x7ffc6db54292",
            "category": "registry",
            "api": "RegCreateKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "Software\\Microsoft\\SecurityManager\\CapAuthz\\HasRepaired"
              },
              {
                "name": "Class",
                "value": ""
              },
              {
                "name": "Access",
                "value": "0x0000000e",
                "pretty_value": "KEY_SET_VALUE|KEY_CREATE_SUB_KEY|KEY_ENUMERATE_SUB_KEYS"
              },
              {
                "name": "Handle",
                "value": "0x00000504"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\SecurityManager\\CapAuthz\\HasRepaired"
              },
              {
                "name": "Disposition",
                "value": "2",
                "pretty_value": "REG_OPENED_EXISTING_KEY"
              }
            ],
            "repeated": 0,
            "id": 2621
          },
          {
            "timestamp": "2026-05-28 22:02:14,041",
            "thread_id": "11168",
            "caller": "0x7ffc6db5695a",
            "parentcaller": "0x7ffc6db54292",
            "category": "registry",
            "api": "RegCreateKeyExW",
            "status": false,
            "return": "0x000003fd",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "Software\\Microsoft\\SecurityManager\\CapAuthz\\HasRepaired\\VolatileChildTest"
              },
              {
                "name": "Class",
                "value": ""
              },
              {
                "name": "Access",
                "value": "0x00000002",
                "pretty_value": "KEY_SET_VALUE"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\SecurityManager\\CapAuthz\\HasRepaired\\VolatileChildTest"
              },
              {
                "name": "Disposition",
                "value": "2",
                "pretty_value": "REG_OPENED_EXISTING_KEY"
              }
            ],
            "repeated": 0,
            "id": 2622
          },
          {
            "timestamp": "2026-05-28 22:02:14,041",
            "thread_id": "11168",
            "caller": "0x7ffc6db56b50",
            "parentcaller": "0x7ffc6db54292",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000500"
              }
            ],
            "repeated": 0,
            "id": 2623
          },
          {
            "timestamp": "2026-05-28 22:02:14,041",
            "thread_id": "11168",
            "caller": "0x7ffc6db56b7a",
            "parentcaller": "0x7ffc6db54292",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000504"
              }
            ],
            "repeated": 0,
            "id": 2624
          },
          {
            "timestamp": "2026-05-28 22:02:14,041",
            "thread_id": "11168",
            "caller": "0x7ffc6db56ec9",
            "parentcaller": "0x7ffc6db5b441",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "Software\\Microsoft\\SecurityManager\\CapDBRedirect"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\SecurityManager\\CapDBRedirect"
              }
            ],
            "repeated": 0,
            "id": 2625
          },
          {
            "timestamp": "2026-05-28 22:02:14,041",
            "thread_id": "11168",
            "caller": "0x7ffc6db5b576",
            "parentcaller": "0x7ffc6db542f2",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "Software\\Microsoft\\SecurityManager\\CapAuthz\\ApplicationsEx\\Microsoft.MicrosoftEdge.Stable_148.0.3967.83_neutral__8wekyb3d8bbwe"
              },
              {
                "name": "Handle",
                "value": "0x00000504"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\SecurityManager\\CapAuthz\\ApplicationsEx\\Microsoft.MicrosoftEdge.Stable_148.0.3967.83_neutral__8wekyb3d8bbwe"
              }
            ],
            "repeated": 0,
            "id": 2626
          },
          {
            "timestamp": "2026-05-28 22:02:14,041",
            "thread_id": "11168",
            "caller": "0x7ffc756e2e92",
            "parentcaller": "0x7ffc6db58f48",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000504"
              },
              {
                "name": "ValueName",
                "value": "AppPackageType"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SecurityManager\\CapAuthz\\ApplicationsEx\\Microsoft.MicrosoftEdge.Stable_148.0.3967.83_neutral__8wekyb3d8bbwe\\AppPackageType"
              }
            ],
            "repeated": 0,
            "id": 2627
          },
          {
            "timestamp": "2026-05-28 22:02:14,041",
            "thread_id": "11168",
            "caller": "0x7ffc756e2e92",
            "parentcaller": "0x7ffc6db58fc0",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000504"
              },
              {
                "name": "ValueName",
                "value": "AppPackageType"
              },
              {
                "name": "Data",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SecurityManager\\CapAuthz\\ApplicationsEx\\Microsoft.MicrosoftEdge.Stable_148.0.3967.83_neutral__8wekyb3d8bbwe\\AppPackageType"
              }
            ],
            "repeated": 0,
            "id": 2628
          },
          {
            "timestamp": "2026-05-28 22:02:14,041",
            "thread_id": "11168",
            "caller": "0x7ffc756e2e92",
            "parentcaller": "0x7ffc6db58f48",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000504"
              },
              {
                "name": "ValueName",
                "value": "PackageSid"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SecurityManager\\CapAuthz\\ApplicationsEx\\Microsoft.MicrosoftEdge.Stable_148.0.3967.83_neutral__8wekyb3d8bbwe\\PackageSid"
              }
            ],
            "repeated": 0,
            "id": 2629
          },
          {
            "timestamp": "2026-05-28 22:02:14,041",
            "thread_id": "11168",
            "caller": "0x7ffc756e2e92",
            "parentcaller": "0x7ffc6db58fc0",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000504"
              },
              {
                "name": "ValueName",
                "value": "PackageSid"
              },
              {
                "name": "Data",
                "value": "S-1-15-2-543634040-274359014-2226501544-3561766748-3991453649-3543631192-522786984"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SecurityManager\\CapAuthz\\ApplicationsEx\\Microsoft.MicrosoftEdge.Stable_148.0.3967.83_neutral__8wekyb3d8bbwe\\PackageSid"
              }
            ],
            "repeated": 0,
            "id": 2630
          },
          {
            "timestamp": "2026-05-28 22:02:14,041",
            "thread_id": "11168",
            "caller": "0x7ffc756e2e92",
            "parentcaller": "0x7ffc6db58f48",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000504"
              },
              {
                "name": "ValueName",
                "value": "CapSids"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SecurityManager\\CapAuthz\\ApplicationsEx\\Microsoft.MicrosoftEdge.Stable_148.0.3967.83_neutral__8wekyb3d8bbwe\\CapSids"
              }
            ],
            "repeated": 0,
            "id": 2631
          },
          {
            "timestamp": "2026-05-28 22:02:14,041",
            "thread_id": "11168",
            "caller": "0x7ffc756e2e92",
            "parentcaller": "0x7ffc6db58fc0",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000504"
              },
              {
                "name": "ValueName",
                "value": "CapSids"
              },
              {
                "name": "Data",
                "value": "\\x03\\x00\\x00\\x00\\x01\n\\x00\\x00\\x00\\x00\\x00\\x0f\\x03\\x00\\x00\\x00\\x00\\x04\\x00\\x00\\x93MhQ\\x18=\\xc3\\xa6(\\x927f\\xc7\\xb1\\xfd\\x1eb\\x11\\xb0\\x8dT\\xad@A8\\xb7l\\xebv\\xc0V\\xd6\\x01\n\\x00\\x00\\x00\\x00\\x00\\x0f\\x03\\x00\\x00\\x00\\x00\\x04\\x00\\x00\\xdc\\xdc\\xc7+\\x1b\\x84\\xfb\\x17\\x8c\\xfd\\xd5\\x99\\x9fj\\xa1T\\xc3\t\\x1a\\xfbT\\xa8\\x98\\xa2\\x98\\xef\\x9b\r\\xe1=\\xaa!\\x01\\x08\\x00\\x00\\x00\\x00\\x00\\x0f\\x03\\x00\\x00\\x00x2g \\xe6bZ\\x10\\xa8\\xb7\\xb5\\x84\\?L\\xd4\\xd1\\xbf\\xe8\\xedX\\x857\\xd3\\xa8\\x18)\\x1f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SecurityManager\\CapAuthz\\ApplicationsEx\\Microsoft.MicrosoftEdge.Stable_148.0.3967.83_neutral__8wekyb3d8bbwe\\CapSids"
              }
            ],
            "repeated": 0,
            "id": 2632
          },
          {
            "timestamp": "2026-05-28 22:02:14,041",
            "thread_id": "11168",
            "caller": "0x7ffc756e2e92",
            "parentcaller": "0x7ffc6db58f48",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000504"
              },
              {
                "name": "ValueName",
                "value": "ApplicationFlags"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SecurityManager\\CapAuthz\\ApplicationsEx\\Microsoft.MicrosoftEdge.Stable_148.0.3967.83_neutral__8wekyb3d8bbwe\\ApplicationFlags"
              }
            ],
            "repeated": 0,
            "id": 2633
          },
          {
            "timestamp": "2026-05-28 22:02:14,041",
            "thread_id": "11168",
            "caller": "0x7ffc756e2e92",
            "parentcaller": "0x7ffc6db58fc0",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000504"
              },
              {
                "name": "ValueName",
                "value": "ApplicationFlags"
              },
              {
                "name": "Data",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SecurityManager\\CapAuthz\\ApplicationsEx\\Microsoft.MicrosoftEdge.Stable_148.0.3967.83_neutral__8wekyb3d8bbwe\\ApplicationFlags"
              }
            ],
            "repeated": 0,
            "id": 2634
          },
          {
            "timestamp": "2026-05-28 22:02:14,041",
            "thread_id": "11168",
            "caller": "0x7ffc6db5bca8",
            "parentcaller": "0x7ffc6db542f2",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x80000002"
              }
            ],
            "repeated": 0,
            "id": 2635
          },
          {
            "timestamp": "2026-05-28 22:02:14,041",
            "thread_id": "11168",
            "caller": "0x7ffc6db5bcde",
            "parentcaller": "0x7ffc6db542f2",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000504"
              }
            ],
            "repeated": 0,
            "id": 2636
          },
          {
            "timestamp": "2026-05-28 22:02:14,041",
            "thread_id": "11168",
            "caller": "0x7ffc7572026b",
            "parentcaller": "0x7ffc63999bfa",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x00000504"
              }
            ],
            "repeated": 0,
            "id": 2637
          },
          {
            "timestamp": "2026-05-28 22:02:14,041",
            "thread_id": "11168",
            "caller": "0x7ffc63999c3b",
            "parentcaller": "0x7ffc639bd3e7",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "0\\xf9\\x1f\\xf9\\xb8\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\xe9\\x03\\x00\\x002\\x00\\xd0\\x04\\x00\\x12P\\x00\\xdd\\x8b\\x9bc+\\x00\\x00\\x10t\\x00c\\x07\\x10\\xfa\\x1f\\xf9\\xb8\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 2638
          },
          {
            "timestamp": "2026-05-28 22:02:14,041",
            "thread_id": "11168",
            "caller": "0x7ffc756e6785",
            "parentcaller": "0x7ffc63999cb3",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000504"
              }
            ],
            "repeated": 0,
            "id": 2639
          },
          {
            "timestamp": "2026-05-28 22:02:14,041",
            "thread_id": "11168",
            "caller": "0x7ffc77ff2caa",
            "parentcaller": "0x7ffc77ff2fbd",
            "category": "process",
            "api": "NtAllocateVirtualMemoryEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2a365517000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 2640
          },
          {
            "timestamp": "2026-05-28 22:02:14,041",
            "thread_id": "11168",
            "caller": "0x7ffc6fce71e2",
            "parentcaller": "0x7ffc6fce5a59",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "Software\\Microsoft\\PolicyManager\\default\\Privacy\\LetAppsRunInBackground_UserInControlOfTheseApps"
              },
              {
                "name": "Handle",
                "value": "0x00000114"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\PolicyManager\\default\\Privacy\\LetAppsRunInBackground_UserInControlOfTheseApps"
              }
            ],
            "repeated": 0,
            "id": 2641
          },
          {
            "timestamp": "2026-05-28 22:02:14,041",
            "thread_id": "11168",
            "caller": "0x7ffc6fce723c",
            "parentcaller": "0x7ffc6fce5a59",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000114"
              },
              {
                "name": "ValueName",
                "value": "PolicyType"
              },
              {
                "name": "Data",
                "value": "1"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\Privacy\\LetAppsRunInBackground_UserInControlOfTheseApps\\PolicyType"
              }
            ],
            "repeated": 0,
            "id": 2642
          },
          {
            "timestamp": "2026-05-28 22:02:14,041",
            "thread_id": "11168",
            "caller": "0x7ffc6fce72a8",
            "parentcaller": "0x7ffc6fce5a59",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000114"
              },
              {
                "name": "ValueName",
                "value": "Behavior"
              },
              {
                "name": "Data",
                "value": "139296"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\Privacy\\LetAppsRunInBackground_UserInControlOfTheseApps\\Behavior"
              }
            ],
            "repeated": 0,
            "id": 2643
          },
          {
            "timestamp": "2026-05-28 22:02:14,041",
            "thread_id": "11168",
            "caller": "0x7ffc6fce732c",
            "parentcaller": "0x7ffc6fce5a59",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000114"
              },
              {
                "name": "ValueName",
                "value": "MergeAlgorithm"
              },
              {
                "name": "Data",
                "value": "3"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\Privacy\\LetAppsRunInBackground_UserInControlOfTheseApps\\MergeAlgorithm"
              }
            ],
            "repeated": 0,
            "id": 2644
          },
          {
            "timestamp": "2026-05-28 22:02:14,041",
            "thread_id": "11168",
            "caller": "0x7ffc6fce739f",
            "parentcaller": "0x7ffc6fce5a59",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000114"
              },
              {
                "name": "ValueName",
                "value": "RegKeyPathRedirectMapped"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\Privacy\\LetAppsRunInBackground_UserInControlOfTheseApps\\RegKeyPathRedirectMapped"
              }
            ],
            "repeated": 0,
            "id": 2645
          },
          {
            "timestamp": "2026-05-28 22:02:14,041",
            "thread_id": "11168",
            "caller": "0x7ffc6fce7402",
            "parentcaller": "0x7ffc6fce5a59",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000114"
              },
              {
                "name": "ValueName",
                "value": "RegKeyPathRedirect"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\Privacy\\LetAppsRunInBackground_UserInControlOfTheseApps\\RegKeyPathRedirect"
              }
            ],
            "repeated": 0,
            "id": 2646
          },
          {
            "timestamp": "2026-05-28 22:02:14,041",
            "thread_id": "11168",
            "caller": "0x7ffc6fce755e",
            "parentcaller": "0x7ffc6fce5a59",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000114"
              },
              {
                "name": "ValueName",
                "value": "grouppolicyname"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\Privacy\\LetAppsRunInBackground_UserInControlOfTheseApps\\grouppolicyname"
              }
            ],
            "repeated": 0,
            "id": 2647
          },
          {
            "timestamp": "2026-05-28 22:02:14,041",
            "thread_id": "11168",
            "caller": "0x7ffc6fce75df",
            "parentcaller": "0x7ffc6fce5a59",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000114"
              },
              {
                "name": "ValueName",
                "value": "grouppolicyname"
              },
              {
                "name": "Data",
                "value": "LetAppsRunInBackground_UserInControlOfTheseApps"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\Privacy\\LetAppsRunInBackground_UserInControlOfTheseApps\\grouppolicyname"
              }
            ],
            "repeated": 0,
            "id": 2648
          },
          {
            "timestamp": "2026-05-28 22:02:14,041",
            "thread_id": "11168",
            "caller": "0x7ffc6fce7647",
            "parentcaller": "0x7ffc6fce5a59",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000114"
              },
              {
                "name": "ValueName",
                "value": "grouppolicypath"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\Privacy\\LetAppsRunInBackground_UserInControlOfTheseApps\\grouppolicypath"
              }
            ],
            "repeated": 0,
            "id": 2649
          },
          {
            "timestamp": "2026-05-28 22:02:14,041",
            "thread_id": "11168",
            "caller": "0x7ffc6fce776a",
            "parentcaller": "0x7ffc6fce5a59",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000114"
              },
              {
                "name": "ValueName",
                "value": "grouppolicypath"
              },
              {
                "name": "Data",
                "value": "Software\\Policies\\Microsoft\\Windows\\AppPrivacy"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\Privacy\\LetAppsRunInBackground_UserInControlOfTheseApps\\grouppolicypath"
              }
            ],
            "repeated": 0,
            "id": 2650
          },
          {
            "timestamp": "2026-05-28 22:02:14,041",
            "thread_id": "11168",
            "caller": "0x7ffc6fce77f6",
            "parentcaller": "0x7ffc6fce5a59",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000114"
              },
              {
                "name": "ValueName",
                "value": "grouppolicyismultisz"
              },
              {
                "name": "Data",
                "value": "1"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\Privacy\\LetAppsRunInBackground_UserInControlOfTheseApps\\grouppolicyismultisz"
              }
            ],
            "repeated": 0,
            "id": 2651
          },
          {
            "timestamp": "2026-05-28 22:02:14,041",
            "thread_id": "11168",
            "caller": "0x7ffc6fce7836",
            "parentcaller": "0x7ffc6fce5a59",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000114"
              },
              {
                "name": "ValueName",
                "value": "grouppolicymultiszSeparatorChar"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\Privacy\\LetAppsRunInBackground_UserInControlOfTheseApps\\grouppolicymultiszSeparatorChar"
              }
            ],
            "repeated": 0,
            "id": 2652
          },
          {
            "timestamp": "2026-05-28 22:02:14,041",
            "thread_id": "11168",
            "caller": "0x7ffc6fce78f6",
            "parentcaller": "0x7ffc6fce5a59",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000114"
              },
              {
                "name": "ValueName",
                "value": "ADMXMetadataUser"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\Privacy\\LetAppsRunInBackground_UserInControlOfTheseApps\\ADMXMetadataUser"
              }
            ],
            "repeated": 0,
            "id": 2653
          },
          {
            "timestamp": "2026-05-28 22:02:14,041",
            "thread_id": "11168",
            "caller": "0x7ffc6fce79b1",
            "parentcaller": "0x7ffc6fce5a59",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000114"
              },
              {
                "name": "ValueName",
                "value": "ADMXMetadataDevice"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\Privacy\\LetAppsRunInBackground_UserInControlOfTheseApps\\ADMXMetadataDevice"
              }
            ],
            "repeated": 0,
            "id": 2654
          },
          {
            "timestamp": "2026-05-28 22:02:14,041",
            "thread_id": "11168",
            "caller": "0x7ffc6fce7a6c",
            "parentcaller": "0x7ffc6fce5a59",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000114"
              },
              {
                "name": "ValueName",
                "value": "ADMXMetadataBoth"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\Privacy\\LetAppsRunInBackground_UserInControlOfTheseApps\\ADMXMetadataBoth"
              }
            ],
            "repeated": 0,
            "id": 2655
          },
          {
            "timestamp": "2026-05-28 22:02:14,041",
            "thread_id": "11168",
            "caller": "0x7ffc756e2e92",
            "parentcaller": "0x7ffc6fcedb1b",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000114"
              },
              {
                "name": "ValueName",
                "value": "30Value"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\Privacy\\LetAppsRunInBackground_UserInControlOfTheseApps\\30Value"
              }
            ],
            "repeated": 0,
            "id": 2656
          },
          {
            "timestamp": "2026-05-28 22:02:14,041",
            "thread_id": "11168",
            "caller": "0x7ffc6fce7ca8",
            "parentcaller": "0x7ffc6fce5a59",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000114"
              },
              {
                "name": "ValueName",
                "value": "Value"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\Privacy\\LetAppsRunInBackground_UserInControlOfTheseApps\\Value"
              }
            ],
            "repeated": 0,
            "id": 2657
          },
          {
            "timestamp": "2026-05-28 22:02:14,041",
            "thread_id": "11168",
            "caller": "0x7ffc6fce76a9",
            "parentcaller": "0x7ffc6fce5a59",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000114"
              }
            ],
            "repeated": 0,
            "id": 2658
          },
          {
            "timestamp": "2026-05-28 22:02:14,041",
            "thread_id": "11168",
            "caller": "0x7ffc6fce5c61",
            "parentcaller": "0x7ffc6fce5ac0",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "Software\\Policies\\Microsoft\\Windows\\AppPrivacy"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\AppPrivacy"
              }
            ],
            "repeated": 0,
            "id": 2659
          },
          {
            "timestamp": "2026-05-28 22:02:14,041",
            "thread_id": "11168",
            "caller": "0x7ffc6fce5d7c",
            "parentcaller": "0x7ffc6fce5ac0",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "Software\\Microsoft\\PolicyManager\\current\\Device\\Privacy"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\PolicyManager\\current\\Device\\Privacy"
              }
            ],
            "repeated": 0,
            "id": 2660
          },
          {
            "timestamp": "2026-05-28 22:02:14,041",
            "thread_id": "11168",
            "caller": "0x7ffc6fce71e2",
            "parentcaller": "0x7ffc6fce5a59",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "Software\\Microsoft\\PolicyManager\\default\\Privacy\\LetAppsRunInBackground_ForceAllowTheseApps"
              },
              {
                "name": "Handle",
                "value": "0x00000114"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\PolicyManager\\default\\Privacy\\LetAppsRunInBackground_ForceAllowTheseApps"
              }
            ],
            "repeated": 0,
            "id": 2661
          },
          {
            "timestamp": "2026-05-28 22:02:14,041",
            "thread_id": "11168",
            "caller": "0x7ffc6fce723c",
            "parentcaller": "0x7ffc6fce5a59",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000114"
              },
              {
                "name": "ValueName",
                "value": "PolicyType"
              },
              {
                "name": "Data",
                "value": "1"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\Privacy\\LetAppsRunInBackground_ForceAllowTheseApps\\PolicyType"
              }
            ],
            "repeated": 0,
            "id": 2662
          },
          {
            "timestamp": "2026-05-28 22:02:14,041",
            "thread_id": "11168",
            "caller": "0x7ffc6fce72a8",
            "parentcaller": "0x7ffc6fce5a59",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000114"
              },
              {
                "name": "ValueName",
                "value": "Behavior"
              },
              {
                "name": "Data",
                "value": "139296"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\Privacy\\LetAppsRunInBackground_ForceAllowTheseApps\\Behavior"
              }
            ],
            "repeated": 0,
            "id": 2663
          },
          {
            "timestamp": "2026-05-28 22:02:14,041",
            "thread_id": "11168",
            "caller": "0x7ffc6fce732c",
            "parentcaller": "0x7ffc6fce5a59",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000114"
              },
              {
                "name": "ValueName",
                "value": "MergeAlgorithm"
              },
              {
                "name": "Data",
                "value": "3"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\Privacy\\LetAppsRunInBackground_ForceAllowTheseApps\\MergeAlgorithm"
              }
            ],
            "repeated": 0,
            "id": 2664
          },
          {
            "timestamp": "2026-05-28 22:02:14,041",
            "thread_id": "11168",
            "caller": "0x7ffc6fce739f",
            "parentcaller": "0x7ffc6fce5a59",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000114"
              },
              {
                "name": "ValueName",
                "value": "RegKeyPathRedirectMapped"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\Privacy\\LetAppsRunInBackground_ForceAllowTheseApps\\RegKeyPathRedirectMapped"
              }
            ],
            "repeated": 0,
            "id": 2665
          },
          {
            "timestamp": "2026-05-28 22:02:14,041",
            "thread_id": "11168",
            "caller": "0x7ffc6fce7402",
            "parentcaller": "0x7ffc6fce5a59",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000114"
              },
              {
                "name": "ValueName",
                "value": "RegKeyPathRedirect"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\Privacy\\LetAppsRunInBackground_ForceAllowTheseApps\\RegKeyPathRedirect"
              }
            ],
            "repeated": 0,
            "id": 2666
          },
          {
            "timestamp": "2026-05-28 22:02:14,041",
            "thread_id": "11168",
            "caller": "0x7ffc6fce755e",
            "parentcaller": "0x7ffc6fce5a59",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000114"
              },
              {
                "name": "ValueName",
                "value": "grouppolicyname"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\Privacy\\LetAppsRunInBackground_ForceAllowTheseApps\\grouppolicyname"
              }
            ],
            "repeated": 0,
            "id": 2667
          },
          {
            "timestamp": "2026-05-28 22:02:14,041",
            "thread_id": "11168",
            "caller": "0x7ffc6fce75df",
            "parentcaller": "0x7ffc6fce5a59",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000114"
              },
              {
                "name": "ValueName",
                "value": "grouppolicyname"
              },
              {
                "name": "Data",
                "value": "LetAppsRunInBackground_ForceAllowTheseApps"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\Privacy\\LetAppsRunInBackground_ForceAllowTheseApps\\grouppolicyname"
              }
            ],
            "repeated": 0,
            "id": 2668
          },
          {
            "timestamp": "2026-05-28 22:02:14,041",
            "thread_id": "11168",
            "caller": "0x7ffc6fce7647",
            "parentcaller": "0x7ffc6fce5a59",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000114"
              },
              {
                "name": "ValueName",
                "value": "grouppolicypath"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\Privacy\\LetAppsRunInBackground_ForceAllowTheseApps\\grouppolicypath"
              }
            ],
            "repeated": 0,
            "id": 2669
          },
          {
            "timestamp": "2026-05-28 22:02:14,041",
            "thread_id": "11168",
            "caller": "0x7ffc6fce776a",
            "parentcaller": "0x7ffc6fce5a59",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000114"
              },
              {
                "name": "ValueName",
                "value": "grouppolicypath"
              },
              {
                "name": "Data",
                "value": "Software\\Policies\\Microsoft\\Windows\\AppPrivacy"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\Privacy\\LetAppsRunInBackground_ForceAllowTheseApps\\grouppolicypath"
              }
            ],
            "repeated": 0,
            "id": 2670
          },
          {
            "timestamp": "2026-05-28 22:02:14,041",
            "thread_id": "11168",
            "caller": "0x7ffc6fce77f6",
            "parentcaller": "0x7ffc6fce5a59",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000114"
              },
              {
                "name": "ValueName",
                "value": "grouppolicyismultisz"
              },
              {
                "name": "Data",
                "value": "1"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\Privacy\\LetAppsRunInBackground_ForceAllowTheseApps\\grouppolicyismultisz"
              }
            ],
            "repeated": 0,
            "id": 2671
          },
          {
            "timestamp": "2026-05-28 22:02:14,041",
            "thread_id": "11168",
            "caller": "0x7ffc6fce7836",
            "parentcaller": "0x7ffc6fce5a59",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000114"
              },
              {
                "name": "ValueName",
                "value": "grouppolicymultiszSeparatorChar"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\Privacy\\LetAppsRunInBackground_ForceAllowTheseApps\\grouppolicymultiszSeparatorChar"
              }
            ],
            "repeated": 0,
            "id": 2672
          },
          {
            "timestamp": "2026-05-28 22:02:14,041",
            "thread_id": "11168",
            "caller": "0x7ffc6fce78f6",
            "parentcaller": "0x7ffc6fce5a59",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000114"
              },
              {
                "name": "ValueName",
                "value": "ADMXMetadataUser"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\Privacy\\LetAppsRunInBackground_ForceAllowTheseApps\\ADMXMetadataUser"
              }
            ],
            "repeated": 0,
            "id": 2673
          },
          {
            "timestamp": "2026-05-28 22:02:14,041",
            "thread_id": "11168",
            "caller": "0x7ffc6fce79b1",
            "parentcaller": "0x7ffc6fce5a59",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000114"
              },
              {
                "name": "ValueName",
                "value": "ADMXMetadataDevice"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\Privacy\\LetAppsRunInBackground_ForceAllowTheseApps\\ADMXMetadataDevice"
              }
            ],
            "repeated": 0,
            "id": 2674
          },
          {
            "timestamp": "2026-05-28 22:02:14,041",
            "thread_id": "11168",
            "caller": "0x7ffc6fce7a6c",
            "parentcaller": "0x7ffc6fce5a59",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000114"
              },
              {
                "name": "ValueName",
                "value": "ADMXMetadataBoth"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\Privacy\\LetAppsRunInBackground_ForceAllowTheseApps\\ADMXMetadataBoth"
              }
            ],
            "repeated": 0,
            "id": 2675
          },
          {
            "timestamp": "2026-05-28 22:02:14,041",
            "thread_id": "11168",
            "caller": "0x7ffc756e2e92",
            "parentcaller": "0x7ffc6fcedb1b",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000114"
              },
              {
                "name": "ValueName",
                "value": "30Value"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\Privacy\\LetAppsRunInBackground_ForceAllowTheseApps\\30Value"
              }
            ],
            "repeated": 0,
            "id": 2676
          },
          {
            "timestamp": "2026-05-28 22:02:14,041",
            "thread_id": "11168",
            "caller": "0x7ffc6fce7ca8",
            "parentcaller": "0x7ffc6fce5a59",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000114"
              },
              {
                "name": "ValueName",
                "value": "Value"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\Privacy\\LetAppsRunInBackground_ForceAllowTheseApps\\Value"
              }
            ],
            "repeated": 0,
            "id": 2677
          },
          {
            "timestamp": "2026-05-28 22:02:14,041",
            "thread_id": "11168",
            "caller": "0x7ffc6fce76a9",
            "parentcaller": "0x7ffc6fce5a59",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000114"
              }
            ],
            "repeated": 0,
            "id": 2678
          },
          {
            "timestamp": "2026-05-28 22:02:14,041",
            "thread_id": "11168",
            "caller": "0x7ffc6fce5c61",
            "parentcaller": "0x7ffc6fce5ac0",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "Software\\Policies\\Microsoft\\Windows\\AppPrivacy"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\AppPrivacy"
              }
            ],
            "repeated": 0,
            "id": 2679
          },
          {
            "timestamp": "2026-05-28 22:02:14,041",
            "thread_id": "11168",
            "caller": "0x7ffc6fce5d7c",
            "parentcaller": "0x7ffc6fce5ac0",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "Software\\Microsoft\\PolicyManager\\current\\Device\\Privacy"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\PolicyManager\\current\\Device\\Privacy"
              }
            ],
            "repeated": 0,
            "id": 2680
          },
          {
            "timestamp": "2026-05-28 22:02:14,041",
            "thread_id": "11168",
            "caller": "0x7ffc6fce71e2",
            "parentcaller": "0x7ffc6fce5a59",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "Software\\Microsoft\\PolicyManager\\default\\Privacy\\LetAppsRunInBackground_ForceDenyTheseApps"
              },
              {
                "name": "Handle",
                "value": "0x00000114"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\PolicyManager\\default\\Privacy\\LetAppsRunInBackground_ForceDenyTheseApps"
              }
            ],
            "repeated": 0,
            "id": 2681
          },
          {
            "timestamp": "2026-05-28 22:02:14,041",
            "thread_id": "11168",
            "caller": "0x7ffc6fce723c",
            "parentcaller": "0x7ffc6fce5a59",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000114"
              },
              {
                "name": "ValueName",
                "value": "PolicyType"
              },
              {
                "name": "Data",
                "value": "1"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\Privacy\\LetAppsRunInBackground_ForceDenyTheseApps\\PolicyType"
              }
            ],
            "repeated": 0,
            "id": 2682
          },
          {
            "timestamp": "2026-05-28 22:02:14,041",
            "thread_id": "11168",
            "caller": "0x7ffc6fce72a8",
            "parentcaller": "0x7ffc6fce5a59",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000114"
              },
              {
                "name": "ValueName",
                "value": "Behavior"
              },
              {
                "name": "Data",
                "value": "139296"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\Privacy\\LetAppsRunInBackground_ForceDenyTheseApps\\Behavior"
              }
            ],
            "repeated": 0,
            "id": 2683
          },
          {
            "timestamp": "2026-05-28 22:02:14,041",
            "thread_id": "11168",
            "caller": "0x7ffc6fce732c",
            "parentcaller": "0x7ffc6fce5a59",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000114"
              },
              {
                "name": "ValueName",
                "value": "MergeAlgorithm"
              },
              {
                "name": "Data",
                "value": "3"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\Privacy\\LetAppsRunInBackground_ForceDenyTheseApps\\MergeAlgorithm"
              }
            ],
            "repeated": 0,
            "id": 2684
          },
          {
            "timestamp": "2026-05-28 22:02:14,041",
            "thread_id": "11168",
            "caller": "0x7ffc6fce739f",
            "parentcaller": "0x7ffc6fce5a59",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000114"
              },
              {
                "name": "ValueName",
                "value": "RegKeyPathRedirectMapped"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\Privacy\\LetAppsRunInBackground_ForceDenyTheseApps\\RegKeyPathRedirectMapped"
              }
            ],
            "repeated": 0,
            "id": 2685
          },
          {
            "timestamp": "2026-05-28 22:02:14,041",
            "thread_id": "11168",
            "caller": "0x7ffc6fce7402",
            "parentcaller": "0x7ffc6fce5a59",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000114"
              },
              {
                "name": "ValueName",
                "value": "RegKeyPathRedirect"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\Privacy\\LetAppsRunInBackground_ForceDenyTheseApps\\RegKeyPathRedirect"
              }
            ],
            "repeated": 0,
            "id": 2686
          },
          {
            "timestamp": "2026-05-28 22:02:14,041",
            "thread_id": "11168",
            "caller": "0x7ffc6fce755e",
            "parentcaller": "0x7ffc6fce5a59",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000114"
              },
              {
                "name": "ValueName",
                "value": "grouppolicyname"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\Privacy\\LetAppsRunInBackground_ForceDenyTheseApps\\grouppolicyname"
              }
            ],
            "repeated": 0,
            "id": 2687
          },
          {
            "timestamp": "2026-05-28 22:02:14,041",
            "thread_id": "11168",
            "caller": "0x7ffc6fce75df",
            "parentcaller": "0x7ffc6fce5a59",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000114"
              },
              {
                "name": "ValueName",
                "value": "grouppolicyname"
              },
              {
                "name": "Data",
                "value": "LetAppsRunInBackground_ForceDenyTheseApps"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\Privacy\\LetAppsRunInBackground_ForceDenyTheseApps\\grouppolicyname"
              }
            ],
            "repeated": 0,
            "id": 2688
          },
          {
            "timestamp": "2026-05-28 22:02:14,041",
            "thread_id": "11168",
            "caller": "0x7ffc6fce7647",
            "parentcaller": "0x7ffc6fce5a59",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000114"
              },
              {
                "name": "ValueName",
                "value": "grouppolicypath"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\Privacy\\LetAppsRunInBackground_ForceDenyTheseApps\\grouppolicypath"
              }
            ],
            "repeated": 0,
            "id": 2689
          },
          {
            "timestamp": "2026-05-28 22:02:14,041",
            "thread_id": "11168",
            "caller": "0x7ffc6fce776a",
            "parentcaller": "0x7ffc6fce5a59",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000114"
              },
              {
                "name": "ValueName",
                "value": "grouppolicypath"
              },
              {
                "name": "Data",
                "value": "Software\\Policies\\Microsoft\\Windows\\AppPrivacy"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\Privacy\\LetAppsRunInBackground_ForceDenyTheseApps\\grouppolicypath"
              }
            ],
            "repeated": 0,
            "id": 2690
          },
          {
            "timestamp": "2026-05-28 22:02:14,041",
            "thread_id": "11168",
            "caller": "0x7ffc6fce77f6",
            "parentcaller": "0x7ffc6fce5a59",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000114"
              },
              {
                "name": "ValueName",
                "value": "grouppolicyismultisz"
              },
              {
                "name": "Data",
                "value": "1"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\Privacy\\LetAppsRunInBackground_ForceDenyTheseApps\\grouppolicyismultisz"
              }
            ],
            "repeated": 0,
            "id": 2691
          },
          {
            "timestamp": "2026-05-28 22:02:14,041",
            "thread_id": "11168",
            "caller": "0x7ffc6fce7836",
            "parentcaller": "0x7ffc6fce5a59",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000114"
              },
              {
                "name": "ValueName",
                "value": "grouppolicymultiszSeparatorChar"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\Privacy\\LetAppsRunInBackground_ForceDenyTheseApps\\grouppolicymultiszSeparatorChar"
              }
            ],
            "repeated": 0,
            "id": 2692
          },
          {
            "timestamp": "2026-05-28 22:02:14,041",
            "thread_id": "11168",
            "caller": "0x7ffc6fce78f6",
            "parentcaller": "0x7ffc6fce5a59",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000114"
              },
              {
                "name": "ValueName",
                "value": "ADMXMetadataUser"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\Privacy\\LetAppsRunInBackground_ForceDenyTheseApps\\ADMXMetadataUser"
              }
            ],
            "repeated": 0,
            "id": 2693
          },
          {
            "timestamp": "2026-05-28 22:02:14,041",
            "thread_id": "11168",
            "caller": "0x7ffc6fce79b1",
            "parentcaller": "0x7ffc6fce5a59",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000114"
              },
              {
                "name": "ValueName",
                "value": "ADMXMetadataDevice"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\Privacy\\LetAppsRunInBackground_ForceDenyTheseApps\\ADMXMetadataDevice"
              }
            ],
            "repeated": 0,
            "id": 2694
          },
          {
            "timestamp": "2026-05-28 22:02:14,041",
            "thread_id": "11168",
            "caller": "0x7ffc6fce7a6c",
            "parentcaller": "0x7ffc6fce5a59",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000114"
              },
              {
                "name": "ValueName",
                "value": "ADMXMetadataBoth"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\Privacy\\LetAppsRunInBackground_ForceDenyTheseApps\\ADMXMetadataBoth"
              }
            ],
            "repeated": 0,
            "id": 2695
          },
          {
            "timestamp": "2026-05-28 22:02:14,041",
            "thread_id": "11168",
            "caller": "0x7ffc756e2e92",
            "parentcaller": "0x7ffc6fcedb1b",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000114"
              },
              {
                "name": "ValueName",
                "value": "30Value"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\Privacy\\LetAppsRunInBackground_ForceDenyTheseApps\\30Value"
              }
            ],
            "repeated": 0,
            "id": 2696
          },
          {
            "timestamp": "2026-05-28 22:02:14,041",
            "thread_id": "11168",
            "caller": "0x7ffc6fce7ca8",
            "parentcaller": "0x7ffc6fce5a59",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000114"
              },
              {
                "name": "ValueName",
                "value": "Value"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\Privacy\\LetAppsRunInBackground_ForceDenyTheseApps\\Value"
              }
            ],
            "repeated": 0,
            "id": 2697
          },
          {
            "timestamp": "2026-05-28 22:02:14,041",
            "thread_id": "11168",
            "caller": "0x7ffc6fce76a9",
            "parentcaller": "0x7ffc6fce5a59",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000114"
              }
            ],
            "repeated": 0,
            "id": 2698
          },
          {
            "timestamp": "2026-05-28 22:02:14,041",
            "thread_id": "11168",
            "caller": "0x7ffc6fce5c61",
            "parentcaller": "0x7ffc6fce5ac0",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "Software\\Policies\\Microsoft\\Windows\\AppPrivacy"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\AppPrivacy"
              }
            ],
            "repeated": 0,
            "id": 2699
          },
          {
            "timestamp": "2026-05-28 22:02:14,041",
            "thread_id": "11168",
            "caller": "0x7ffc6fce5d7c",
            "parentcaller": "0x7ffc6fce5ac0",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "Software\\Microsoft\\PolicyManager\\current\\Device\\Privacy"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\PolicyManager\\current\\Device\\Privacy"
              }
            ],
            "repeated": 0,
            "id": 2700
          },
          {
            "timestamp": "2026-05-28 22:02:14,041",
            "thread_id": "11168",
            "caller": "0x7ffc6fce71e2",
            "parentcaller": "0x7ffc6fce6abb",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "Software\\Microsoft\\PolicyManager\\default\\Privacy\\LetAppsRunInBackground"
              },
              {
                "name": "Handle",
                "value": "0x00000114"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\PolicyManager\\default\\Privacy\\LetAppsRunInBackground"
              }
            ],
            "repeated": 0,
            "id": 2701
          },
          {
            "timestamp": "2026-05-28 22:02:14,041",
            "thread_id": "11168",
            "caller": "0x7ffc6fce723c",
            "parentcaller": "0x7ffc6fce6abb",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000114"
              },
              {
                "name": "ValueName",
                "value": "PolicyType"
              },
              {
                "name": "Data",
                "value": "4"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\Privacy\\LetAppsRunInBackground\\PolicyType"
              }
            ],
            "repeated": 0,
            "id": 2702
          },
          {
            "timestamp": "2026-05-28 22:02:14,041",
            "thread_id": "11168",
            "caller": "0x7ffc6fce72a8",
            "parentcaller": "0x7ffc6fce6abb",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000114"
              },
              {
                "name": "ValueName",
                "value": "Behavior"
              },
              {
                "name": "Data",
                "value": "139296"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\Privacy\\LetAppsRunInBackground\\Behavior"
              }
            ],
            "repeated": 0,
            "id": 2703
          },
          {
            "timestamp": "2026-05-28 22:02:14,041",
            "thread_id": "11168",
            "caller": "0x7ffc6fce732c",
            "parentcaller": "0x7ffc6fce6abb",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000114"
              },
              {
                "name": "ValueName",
                "value": "MergeAlgorithm"
              },
              {
                "name": "Data",
                "value": "2"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\Privacy\\LetAppsRunInBackground\\MergeAlgorithm"
              }
            ],
            "repeated": 0,
            "id": 2704
          },
          {
            "timestamp": "2026-05-28 22:02:14,041",
            "thread_id": "11168",
            "caller": "0x7ffc6fce739f",
            "parentcaller": "0x7ffc6fce6abb",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000114"
              },
              {
                "name": "ValueName",
                "value": "RegKeyPathRedirectMapped"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\Privacy\\LetAppsRunInBackground\\RegKeyPathRedirectMapped"
              }
            ],
            "repeated": 0,
            "id": 2705
          },
          {
            "timestamp": "2026-05-28 22:02:14,041",
            "thread_id": "11168",
            "caller": "0x7ffc6fce7402",
            "parentcaller": "0x7ffc6fce6abb",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000114"
              },
              {
                "name": "ValueName",
                "value": "RegKeyPathRedirect"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\Privacy\\LetAppsRunInBackground\\RegKeyPathRedirect"
              }
            ],
            "repeated": 0,
            "id": 2706
          },
          {
            "timestamp": "2026-05-28 22:02:14,041",
            "thread_id": "11168",
            "caller": "0x7ffc6fce755e",
            "parentcaller": "0x7ffc6fce6abb",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000114"
              },
              {
                "name": "ValueName",
                "value": "grouppolicyname"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\Privacy\\LetAppsRunInBackground\\grouppolicyname"
              }
            ],
            "repeated": 0,
            "id": 2707
          },
          {
            "timestamp": "2026-05-28 22:02:14,041",
            "thread_id": "11168",
            "caller": "0x7ffc6fce75df",
            "parentcaller": "0x7ffc6fce6abb",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000114"
              },
              {
                "name": "ValueName",
                "value": "grouppolicyname"
              },
              {
                "name": "Data",
                "value": "LetAppsRunInBackground"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\Privacy\\LetAppsRunInBackground\\grouppolicyname"
              }
            ],
            "repeated": 0,
            "id": 2708
          },
          {
            "timestamp": "2026-05-28 22:02:14,041",
            "thread_id": "11168",
            "caller": "0x7ffc6fce7647",
            "parentcaller": "0x7ffc6fce6abb",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000114"
              },
              {
                "name": "ValueName",
                "value": "grouppolicypath"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\Privacy\\LetAppsRunInBackground\\grouppolicypath"
              }
            ],
            "repeated": 0,
            "id": 2709
          },
          {
            "timestamp": "2026-05-28 22:02:14,041",
            "thread_id": "11168",
            "caller": "0x7ffc6fce776a",
            "parentcaller": "0x7ffc6fce6abb",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000114"
              },
              {
                "name": "ValueName",
                "value": "grouppolicypath"
              },
              {
                "name": "Data",
                "value": "Software\\Policies\\Microsoft\\Windows\\AppPrivacy"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\Privacy\\LetAppsRunInBackground\\grouppolicypath"
              }
            ],
            "repeated": 0,
            "id": 2710
          },
          {
            "timestamp": "2026-05-28 22:02:14,041",
            "thread_id": "11168",
            "caller": "0x7ffc6fce77f6",
            "parentcaller": "0x7ffc6fce6abb",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000114"
              },
              {
                "name": "ValueName",
                "value": "grouppolicyismultisz"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\Privacy\\LetAppsRunInBackground\\grouppolicyismultisz"
              }
            ],
            "repeated": 0,
            "id": 2711
          },
          {
            "timestamp": "2026-05-28 22:02:14,041",
            "thread_id": "11168",
            "caller": "0x7ffc6fce7836",
            "parentcaller": "0x7ffc6fce6abb",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000114"
              },
              {
                "name": "ValueName",
                "value": "grouppolicymultiszSeparatorChar"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\Privacy\\LetAppsRunInBackground\\grouppolicymultiszSeparatorChar"
              }
            ],
            "repeated": 0,
            "id": 2712
          },
          {
            "timestamp": "2026-05-28 22:02:14,041",
            "thread_id": "11168",
            "caller": "0x7ffc6fce78f6",
            "parentcaller": "0x7ffc6fce6abb",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000114"
              },
              {
                "name": "ValueName",
                "value": "ADMXMetadataUser"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\Privacy\\LetAppsRunInBackground\\ADMXMetadataUser"
              }
            ],
            "repeated": 0,
            "id": 2713
          },
          {
            "timestamp": "2026-05-28 22:02:14,041",
            "thread_id": "11168",
            "caller": "0x7ffc6fce79b1",
            "parentcaller": "0x7ffc6fce6abb",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000114"
              },
              {
                "name": "ValueName",
                "value": "ADMXMetadataDevice"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\Privacy\\LetAppsRunInBackground\\ADMXMetadataDevice"
              }
            ],
            "repeated": 0,
            "id": 2714
          },
          {
            "timestamp": "2026-05-28 22:02:14,041",
            "thread_id": "11168",
            "caller": "0x7ffc6fce7a6c",
            "parentcaller": "0x7ffc6fce6abb",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000114"
              },
              {
                "name": "ValueName",
                "value": "ADMXMetadataBoth"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\Privacy\\LetAppsRunInBackground\\ADMXMetadataBoth"
              }
            ],
            "repeated": 0,
            "id": 2715
          },
          {
            "timestamp": "2026-05-28 22:02:14,041",
            "thread_id": "11168",
            "caller": "0x7ffc756e2e92",
            "parentcaller": "0x7ffc6fcedb1b",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000114"
              },
              {
                "name": "ValueName",
                "value": "30Value"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\Privacy\\LetAppsRunInBackground\\30Value"
              }
            ],
            "repeated": 0,
            "id": 2716
          },
          {
            "timestamp": "2026-05-28 22:02:14,041",
            "thread_id": "11168",
            "caller": "0x7ffc6fce7b73",
            "parentcaller": "0x7ffc6fce6abb",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000114"
              },
              {
                "name": "ValueName",
                "value": "Value"
              },
              {
                "name": "Data",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\Privacy\\LetAppsRunInBackground\\Value"
              }
            ],
            "repeated": 0,
            "id": 2717
          },
          {
            "timestamp": "2026-05-28 22:02:14,041",
            "thread_id": "11168",
            "caller": "0x7ffc6fce76a9",
            "parentcaller": "0x7ffc6fce6abb",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000114"
              }
            ],
            "repeated": 0,
            "id": 2718
          },
          {
            "timestamp": "2026-05-28 22:02:14,041",
            "thread_id": "11168",
            "caller": "0x7ffc6fce6e85",
            "parentcaller": "0x7ffc6fce6097",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "Software\\Policies\\Microsoft\\Windows\\AppPrivacy"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\AppPrivacy"
              }
            ],
            "repeated": 0,
            "id": 2719
          },
          {
            "timestamp": "2026-05-28 22:02:14,041",
            "thread_id": "11168",
            "caller": "0x7ffc6fce6d68",
            "parentcaller": "0x7ffc6fce6097",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "Software\\Microsoft\\PolicyManager\\current\\Device\\Privacy"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\PolicyManager\\current\\Device\\Privacy"
              }
            ],
            "repeated": 0,
            "id": 2720
          },
          {
            "timestamp": "2026-05-28 22:02:14,041",
            "thread_id": "11168",
            "caller": "0x7ffc6db56ec9",
            "parentcaller": "0x7ffc6db5b441",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "Software\\Microsoft\\SecurityManager\\CapDBRedirect"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\SecurityManager\\CapDBRedirect"
              }
            ],
            "repeated": 0,
            "id": 2721
          },
          {
            "timestamp": "2026-05-28 22:02:14,041",
            "thread_id": "11168",
            "caller": "0x7ffc6db5b576",
            "parentcaller": "0x7ffc6db542f2",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "Software\\Microsoft\\SecurityManager\\CapAuthz\\ApplicationsEx\\Microsoft.MicrosoftEdge.Stable_148.0.3967.83_neutral__8wekyb3d8bbwe"
              },
              {
                "name": "Handle",
                "value": "0x00000114"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\SecurityManager\\CapAuthz\\ApplicationsEx\\Microsoft.MicrosoftEdge.Stable_148.0.3967.83_neutral__8wekyb3d8bbwe"
              }
            ],
            "repeated": 0,
            "id": 2722
          },
          {
            "timestamp": "2026-05-28 22:02:14,041",
            "thread_id": "11168",
            "caller": "0x7ffc756e2e92",
            "parentcaller": "0x7ffc6db58f48",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000114"
              },
              {
                "name": "ValueName",
                "value": "AppPackageType"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SecurityManager\\CapAuthz\\ApplicationsEx\\Microsoft.MicrosoftEdge.Stable_148.0.3967.83_neutral__8wekyb3d8bbwe\\AppPackageType"
              }
            ],
            "repeated": 0,
            "id": 2723
          },
          {
            "timestamp": "2026-05-28 22:02:14,057",
            "thread_id": "11168",
            "caller": "0x7ffc756e2e92",
            "parentcaller": "0x7ffc6db58fc0",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000114"
              },
              {
                "name": "ValueName",
                "value": "AppPackageType"
              },
              {
                "name": "Data",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SecurityManager\\CapAuthz\\ApplicationsEx\\Microsoft.MicrosoftEdge.Stable_148.0.3967.83_neutral__8wekyb3d8bbwe\\AppPackageType"
              }
            ],
            "repeated": 0,
            "id": 2724
          },
          {
            "timestamp": "2026-05-28 22:02:14,057",
            "thread_id": "11168",
            "caller": "0x7ffc756e2e92",
            "parentcaller": "0x7ffc6db58f48",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000114"
              },
              {
                "name": "ValueName",
                "value": "PackageSid"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SecurityManager\\CapAuthz\\ApplicationsEx\\Microsoft.MicrosoftEdge.Stable_148.0.3967.83_neutral__8wekyb3d8bbwe\\PackageSid"
              }
            ],
            "repeated": 0,
            "id": 2725
          },
          {
            "timestamp": "2026-05-28 22:02:14,057",
            "thread_id": "11168",
            "caller": "0x7ffc756e2e92",
            "parentcaller": "0x7ffc6db58fc0",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000114"
              },
              {
                "name": "ValueName",
                "value": "PackageSid"
              },
              {
                "name": "Data",
                "value": "S-1-15-2-543634040-274359014-2226501544-3561766748-3991453649-3543631192-522786984"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SecurityManager\\CapAuthz\\ApplicationsEx\\Microsoft.MicrosoftEdge.Stable_148.0.3967.83_neutral__8wekyb3d8bbwe\\PackageSid"
              }
            ],
            "repeated": 0,
            "id": 2726
          },
          {
            "timestamp": "2026-05-28 22:02:14,057",
            "thread_id": "11168",
            "caller": "0x7ffc756e2e92",
            "parentcaller": "0x7ffc6db58f48",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000114"
              },
              {
                "name": "ValueName",
                "value": "CapSids"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SecurityManager\\CapAuthz\\ApplicationsEx\\Microsoft.MicrosoftEdge.Stable_148.0.3967.83_neutral__8wekyb3d8bbwe\\CapSids"
              }
            ],
            "repeated": 0,
            "id": 2727
          },
          {
            "timestamp": "2026-05-28 22:02:14,057",
            "thread_id": "11168",
            "caller": "0x7ffc756e2e92",
            "parentcaller": "0x7ffc6db58fc0",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000114"
              },
              {
                "name": "ValueName",
                "value": "CapSids"
              },
              {
                "name": "Data",
                "value": "\\x03\\x00\\x00\\x00\\x01\n\\x00\\x00\\x00\\x00\\x00\\x0f\\x03\\x00\\x00\\x00\\x00\\x04\\x00\\x00\\x93MhQ\\x18=\\xc3\\xa6(\\x927f\\xc7\\xb1\\xfd\\x1eb\\x11\\xb0\\x8dT\\xad@A8\\xb7l\\xebv\\xc0V\\xd6\\x01\n\\x00\\x00\\x00\\x00\\x00\\x0f\\x03\\x00\\x00\\x00\\x00\\x04\\x00\\x00\\xdc\\xdc\\xc7+\\x1b\\x84\\xfb\\x17\\x8c\\xfd\\xd5\\x99\\x9fj\\xa1T\\xc3\t\\x1a\\xfbT\\xa8\\x98\\xa2\\x98\\xef\\x9b\r\\xe1=\\xaa!\\x01\\x08\\x00\\x00\\x00\\x00\\x00\\x0f\\x03\\x00\\x00\\x00x2g \\xe6bZ\\x10\\xa8\\xb7\\xb5\\x84\\?L\\xd4\\xd1\\xbf\\xe8\\xedX\\x857\\xd3\\xa8\\x18)\\x1f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SecurityManager\\CapAuthz\\ApplicationsEx\\Microsoft.MicrosoftEdge.Stable_148.0.3967.83_neutral__8wekyb3d8bbwe\\CapSids"
              }
            ],
            "repeated": 0,
            "id": 2728
          },
          {
            "timestamp": "2026-05-28 22:02:14,057",
            "thread_id": "11168",
            "caller": "0x7ffc756e2e92",
            "parentcaller": "0x7ffc6db58f48",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000114"
              },
              {
                "name": "ValueName",
                "value": "ApplicationFlags"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SecurityManager\\CapAuthz\\ApplicationsEx\\Microsoft.MicrosoftEdge.Stable_148.0.3967.83_neutral__8wekyb3d8bbwe\\ApplicationFlags"
              }
            ],
            "repeated": 0,
            "id": 2729
          },
          {
            "timestamp": "2026-05-28 22:02:14,057",
            "thread_id": "11168",
            "caller": "0x7ffc756e2e92",
            "parentcaller": "0x7ffc6db58fc0",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000114"
              },
              {
                "name": "ValueName",
                "value": "ApplicationFlags"
              },
              {
                "name": "Data",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SecurityManager\\CapAuthz\\ApplicationsEx\\Microsoft.MicrosoftEdge.Stable_148.0.3967.83_neutral__8wekyb3d8bbwe\\ApplicationFlags"
              }
            ],
            "repeated": 0,
            "id": 2730
          },
          {
            "timestamp": "2026-05-28 22:02:14,057",
            "thread_id": "11168",
            "caller": "0x7ffc6db5bca8",
            "parentcaller": "0x7ffc6db542f2",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x80000002"
              }
            ],
            "repeated": 0,
            "id": 2731
          },
          {
            "timestamp": "2026-05-28 22:02:14,057",
            "thread_id": "11168",
            "caller": "0x7ffc6db5bcde",
            "parentcaller": "0x7ffc6db542f2",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000114"
              }
            ],
            "repeated": 0,
            "id": 2732
          },
          {
            "timestamp": "2026-05-28 22:02:14,057",
            "thread_id": "11168",
            "caller": "0x7ffc756c26e8",
            "parentcaller": "0x7ffc756c132e",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\x10\\xf6\\x1f\\xf9\\xb8\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xfc\\x7f\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\xe9\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00g\\xe6\tj\\x01\\x00\\x00\\x00r\\xf3n<:\\xf5O\\xa5\\x7fR\\x0eQ"
              }
            ],
            "repeated": 0,
            "id": 2733
          },
          {
            "timestamp": "2026-05-28 22:02:14,057",
            "thread_id": "11168",
            "caller": "0x7ffc756e56b2",
            "parentcaller": "0x7ffc756edf8a",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "ntdll.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc77fd0000"
              }
            ],
            "repeated": 0,
            "id": 2734
          },
          {
            "timestamp": "2026-05-28 22:02:14,057",
            "thread_id": "11168",
            "caller": "0x7ffc756e56b2",
            "parentcaller": "0x7ffc756edf8a",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x7ffc77fd0000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "ntdll.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00000800"
              }
            ],
            "repeated": 0,
            "id": 2735
          },
          {
            "timestamp": "2026-05-28 22:02:14,057",
            "thread_id": "11168",
            "caller": "0x7ffc756eac31",
            "parentcaller": "0x7ffc756edfa1",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc77fd0000"
              },
              {
                "name": "FunctionName",
                "value": "RtlIsStateSeparationEnabled"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc78048560"
              }
            ],
            "repeated": 0,
            "id": 2736
          },
          {
            "timestamp": "2026-05-28 22:02:14,057",
            "thread_id": "11168",
            "caller": "0x7ffc756e3a9c",
            "parentcaller": "0x7ffc756e3529",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 2737
          },
          {
            "timestamp": "2026-05-28 22:02:14,057",
            "thread_id": "11168",
            "caller": "0x7ffc756e3f76",
            "parentcaller": "0x7ffc757646a3",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000114"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\MACHINE"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE"
              }
            ],
            "repeated": 0,
            "id": 2738
          },
          {
            "timestamp": "2026-05-28 22:02:14,057",
            "thread_id": "11168",
            "caller": "0x7ffc756e3b20",
            "parentcaller": "0x7ffc756e3529",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 2739
          },
          {
            "timestamp": "2026-05-28 22:02:14,057",
            "thread_id": "11168",
            "caller": "0x7ffc756e40c4",
            "parentcaller": "0x7ffc756e3f4b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000114"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 2740
          },
          {
            "timestamp": "2026-05-28 22:02:14,057",
            "thread_id": "11168",
            "caller": "0x7ffc756e3f76",
            "parentcaller": "0x7ffc75764fd4",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000504"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020119",
                "pretty_value": "KEY_QUERY_VALUE|KEY_ENUMERATE_SUB_KEYS|KEY_NOTIFY|KEY_WOW64_64KEY|STANDARD_RIGHTS_REQUIRED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000114"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Appx"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Appx"
              }
            ],
            "repeated": 0,
            "id": 2741
          },
          {
            "timestamp": "2026-05-28 22:02:14,057",
            "thread_id": "11168",
            "caller": "0x7ffc756edb13",
            "parentcaller": "0x7ffc756eda55",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000504"
              },
              {
                "name": "ValueName",
                "value": "PackageRepositoryRoot"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Appx\\PackageRepositoryRoot"
              }
            ],
            "repeated": 0,
            "id": 2742
          },
          {
            "timestamp": "2026-05-28 22:02:14,057",
            "thread_id": "11168",
            "caller": "0x7ffc756edb13",
            "parentcaller": "0x7ffc756eda55",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000504"
              },
              {
                "name": "ValueName",
                "value": "PackageRepositoryRoot"
              },
              {
                "name": "Data",
                "value": "C:\\ProgramData\\Microsoft\\Windows\\AppRepository"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Appx\\PackageRepositoryRoot"
              }
            ],
            "repeated": 0,
            "id": 2743
          },
          {
            "timestamp": "2026-05-28 22:02:14,057",
            "thread_id": "11168",
            "caller": "0x7ffc756ed70a",
            "parentcaller": "0x7ffc756c8db6",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000504"
              }
            ],
            "repeated": 0,
            "id": 2744
          },
          {
            "timestamp": "2026-05-28 22:02:14,057",
            "thread_id": "11168",
            "caller": "0x7ffc756e3a9c",
            "parentcaller": "0x7ffc756e3529",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 2745
          },
          {
            "timestamp": "2026-05-28 22:02:14,057",
            "thread_id": "11168",
            "caller": "0x7ffc756e40c4",
            "parentcaller": "0x7ffc756e3f4b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000114"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 2746
          },
          {
            "timestamp": "2026-05-28 22:02:14,057",
            "thread_id": "11168",
            "caller": "0x7ffc756e3f76",
            "parentcaller": "0x7ffc75764fd4",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000504"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020119",
                "pretty_value": "KEY_QUERY_VALUE|KEY_ENUMERATE_SUB_KEYS|KEY_NOTIFY|KEY_WOW64_64KEY|STANDARD_RIGHTS_REQUIRED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000114"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Appx"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Appx"
              }
            ],
            "repeated": 0,
            "id": 2747
          },
          {
            "timestamp": "2026-05-28 22:02:14,057",
            "thread_id": "11168",
            "caller": "0x7ffc756edb13",
            "parentcaller": "0x7ffc756eda55",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000504"
              },
              {
                "name": "ValueName",
                "value": "PackageRepositoryRoot"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Appx\\PackageRepositoryRoot"
              }
            ],
            "repeated": 0,
            "id": 2748
          },
          {
            "timestamp": "2026-05-28 22:02:14,057",
            "thread_id": "11168",
            "caller": "0x7ffc756edb13",
            "parentcaller": "0x7ffc756eda55",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000504"
              },
              {
                "name": "ValueName",
                "value": "PackageRepositoryRoot"
              },
              {
                "name": "Data",
                "value": "C:\\ProgramData\\Microsoft\\Windows\\AppRepository"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Appx\\PackageRepositoryRoot"
              }
            ],
            "repeated": 0,
            "id": 2749
          },
          {
            "timestamp": "2026-05-28 22:02:14,057",
            "thread_id": "11168",
            "caller": "0x7ffc756ed70a",
            "parentcaller": "0x7ffc756c8db6",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000504"
              }
            ],
            "repeated": 0,
            "id": 2750
          },
          {
            "timestamp": "2026-05-28 22:02:14,057",
            "thread_id": "11168",
            "caller": "0x7ffc77ff2caa",
            "parentcaller": "0x7ffc77ff2fbd",
            "category": "process",
            "api": "NtAllocateVirtualMemoryEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2a3654ad000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 2751
          },
          {
            "timestamp": "2026-05-28 22:02:14,057",
            "thread_id": "11168",
            "caller": "0x7ffc756e6579",
            "parentcaller": "0x7ffc756e5fe6",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000504"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\ProgramData\\Microsoft\\Windows\\AppRepository\\Packages\\Microsoft.MicrosoftEdge.Stable_148.0.3967.83_neutral__8wekyb3d8bbwe\\S-1-5-21-3968686040-3210279463-847977608-1001.pckgdep"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "1",
                "pretty_value": "FILE_SHARE_READ"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000080",
                "pretty_value": "FILE_ATTRIBUTE_NORMAL"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 2752
          },
          {
            "timestamp": "2026-05-28 22:02:14,057",
            "thread_id": "11168",
            "caller": "0x7ffc756c3d26",
            "parentcaller": "0x7ffc756c3354",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x000004d4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000004",
                "pretty_value": "SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000504"
              },
              {
                "name": "FileName",
                "value": "C:\\ProgramData\\Microsoft\\Windows\\AppRepository\\Packages\\Microsoft.MicrosoftEdge.Stable_148.0.3967.83_neutral__8wekyb3d8bbwe\\S-1-5-21-3968686040-3210279463-847977608-1001.pckgdep"
              }
            ],
            "repeated": 0,
            "id": 2753
          },
          {
            "timestamp": "2026-05-28 22:02:14,057",
            "thread_id": "11168",
            "caller": "0x7ffc756c3d37",
            "parentcaller": "0x7ffc756c3354",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000504"
              }
            ],
            "repeated": 0,
            "id": 2754
          },
          {
            "timestamp": "2026-05-28 22:02:14,057",
            "thread_id": "11168",
            "caller": "0x7ffc756c3d8e",
            "parentcaller": "0x7ffc756c3354",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x000004d4"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2a36ae60000"
              },
              {
                "name": "SectionOffset",
                "value": "0x00000000"
              },
              {
                "name": "ViewSize",
                "value": "0x00001000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 2755
          },
          {
            "timestamp": "2026-05-28 22:02:14,057",
            "thread_id": "11168",
            "caller": "0x7ffc756c3395",
            "parentcaller": "0x7ffc756c3f0a",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2a36ae60000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              }
            ],
            "repeated": 0,
            "id": 2756
          },
          {
            "timestamp": "2026-05-28 22:02:14,057",
            "thread_id": "11168",
            "caller": "0x7ffc756c341d",
            "parentcaller": "0x7ffc756c3f0a",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004d4"
              }
            ],
            "repeated": 0,
            "id": 2757
          },
          {
            "timestamp": "2026-05-28 22:02:14,057",
            "thread_id": "11168",
            "caller": "0x7ffc75704448",
            "parentcaller": "0x7ffc1ec3f766",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x3edc00113000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 2758
          },
          {
            "timestamp": "2026-05-28 22:02:14,057",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000004d4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020119",
                "pretty_value": "KEY_QUERY_VALUE|KEY_ENUMERATE_SUB_KEYS|KEY_NOTIFY|KEY_WOW64_64KEY|STANDARD_RIGHTS_REQUIRED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000378"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Windows.ApplicationModel.Background.BackgroundTaskRegistration"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.ApplicationModel.Background.BackgroundTaskRegistration"
              }
            ],
            "repeated": 0,
            "id": 2759
          },
          {
            "timestamp": "2026-05-28 22:02:14,057",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000004d4"
              },
              {
                "name": "KeyInformation",
                "value": "[\\xff9a\\xffe5\\xffe6\\xfff8\\xffee\\xffdc\\x01\\x00\\x00\\x00\\x00|\\x00\\x00\\x00W\\x00i\\x00n\\x00d\\x00o\\x00w\\x00s\\x00.\\x00A\\x00p\\x00p\\x00l\\x00i\\x00c\\x00a\\x00t\\x00i\\x00o\\x00n\\x00M\\x00o\\x00d\\x00e\\x00l\\x00.\\x00B\\x00a\\x00c\\x00k\\x00g\\x00r\\x00o\\x00u\\x00n\\x00d\\x00.\\x00B\\x00a\\x00c\\x00k\\x00g\\x00r\\x00o\\x00u\\x00n\\x00d\\x00T\\x00a\\x00s\\x00k\\x00R\\x00e\\x00g\\x00i\\x00s\\x00t\\x00r\\x00a\\x00t\\x00i\\x00o\\x00n\\x00\\xffa3\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00`\\xffd2\\xff92\\xfff7\\xffb8\\x00\\x00\\x00\\xff8c\\xffc2\\xffffw\\xfffc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\xffa3\\x02\\x00\\x00\\xffb0\\x1eIe\\xffa3\\x02\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xffa3\\x02\\x00\\x00\\xff9e\\xffb7>$\\xffbd\\xffaa\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00PGIe\\xffa3\\x02\\x00\\x00\\xfff8\\xffb9He\\xffa3\\x02\\x00\\x00\\xffd0\\xffb9He\\xffa3\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xff87\\xff9d\\xffbbw\\xfffc\\x7f\\x00\\x00\\xffb0\\x1eIe\\xffa3\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xffd0\\xffb9He\\xffa3\\x02\\x00\\x00\\xffb0\\x1eIe\\xffa3\\x02\\x00\\x00PGIe\\xffa3\\x02\\x00\\x00\\xff90\\xff91Je\\xffa3\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xfff6s\\xffbbw\\xfffc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x07\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xff80\\x00\\x00\\x00\\x00\\x00\\x00\\x00PGIe\\xffa3\\x02\\x00\\x00 \\x05Ie\\xffa3\\x02\\x00\\x00 \\x05Ie\\xffa3\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xffb0\\x1eIe\\xffa3\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00 
\\x05Ie\\xffa3\\x02\\x00\\x00\\xff8c\\xffc2\\xffffw\\xfffc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\xffa3\\x02\\x00\\x00\\xffb0\\x1eIe\\xffa3\\x02\\x00\\x00\\xff90\\xff91Je\\xffa3\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00`\\xffd3\\xff92\\xfff7\\xffb8\\x00\\x00\\x003\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xff90\\x0cIe\\xffa3\\x02\\x00\\x00\\xffd0\\xffb9He\\xffa3\\x02\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 2760
          },
          {
            "timestamp": "2026-05-28 22:02:14,057",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004d4"
              },
              {
                "name": "ValueName",
                "value": "ActivationType"
              },
              {
                "name": "Data",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.ApplicationModel.Background.BackgroundTaskRegistration\\ActivationType"
              }
            ],
            "repeated": 0,
            "id": 2761
          },
          {
            "timestamp": "2026-05-28 22:02:14,057",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004d4"
              },
              {
                "name": "ValueName",
                "value": "Server"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.ApplicationModel.Background.BackgroundTaskRegistration\\Server"
              }
            ],
            "repeated": 0,
            "id": 2762
          },
          {
            "timestamp": "2026-05-28 22:02:14,057",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004d4"
              },
              {
                "name": "ValueName",
                "value": "DllPath"
              },
              {
                "name": "Data",
                "value": "C:\\Windows\\System32\\biwinrt.dll"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.ApplicationModel.Background.BackgroundTaskRegistration\\DllPath"
              }
            ],
            "repeated": 0,
            "id": 2763
          },
          {
            "timestamp": "2026-05-28 22:02:14,057",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004d4"
              },
              {
                "name": "ValueName",
                "value": "Threading"
              },
              {
                "name": "Data",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.ApplicationModel.Background.BackgroundTaskRegistration\\Threading"
              }
            ],
            "repeated": 0,
            "id": 2764
          },
          {
            "timestamp": "2026-05-28 22:02:14,057",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004d4"
              },
              {
                "name": "ValueName",
                "value": "TrustLevel"
              },
              {
                "name": "Data",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.ApplicationModel.Background.BackgroundTaskRegistration\\TrustLevel"
              }
            ],
            "repeated": 0,
            "id": 2765
          },
          {
            "timestamp": "2026-05-28 22:02:14,057",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x000004d4"
              },
              {
                "name": "SubKey",
                "value": "CustomAttributes"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.ApplicationModel.Background.BackgroundTaskRegistration\\CustomAttributes"
              }
            ],
            "repeated": 0,
            "id": 2766
          },
          {
            "timestamp": "2026-05-28 22:02:14,057",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004d4"
              },
              {
                "name": "ValueName",
                "value": "RemoteServer"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.ApplicationModel.Background.BackgroundTaskRegistration\\RemoteServer"
              }
            ],
            "repeated": 0,
            "id": 2767
          },
          {
            "timestamp": "2026-05-28 22:02:14,057",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004d4"
              },
              {
                "name": "ValueName",
                "value": "ActivateAsUser"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.ApplicationModel.Background.BackgroundTaskRegistration\\ActivateAsUser"
              }
            ],
            "repeated": 0,
            "id": 2768
          },
          {
            "timestamp": "2026-05-28 22:02:14,057",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004d4"
              },
              {
                "name": "ValueName",
                "value": "ActivateInSharedBroker"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.ApplicationModel.Background.BackgroundTaskRegistration\\ActivateInSharedBroker"
              }
            ],
            "repeated": 0,
            "id": 2769
          },
          {
            "timestamp": "2026-05-28 22:02:14,057",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004d4"
              },
              {
                "name": "ValueName",
                "value": "ActivateInBrokerForMediumILContainer"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.ApplicationModel.Background.BackgroundTaskRegistration\\ActivateInBrokerForMediumILContainer"
              }
            ],
            "repeated": 0,
            "id": 2770
          },
          {
            "timestamp": "2026-05-28 22:02:14,057",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004d4"
              },
              {
                "name": "ValueName",
                "value": "Permissions"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.ApplicationModel.Background.BackgroundTaskRegistration\\Permissions"
              }
            ],
            "repeated": 0,
            "id": 2771
          },
          {
            "timestamp": "2026-05-28 22:02:14,057",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004d4"
              },
              {
                "name": "ValueName",
                "value": "ActivateOnHostFlags"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.ApplicationModel.Background.BackgroundTaskRegistration\\ActivateOnHostFlags"
              }
            ],
            "repeated": 0,
            "id": 2772
          },
          {
            "timestamp": "2026-05-28 22:02:14,057",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004d4"
              }
            ],
            "repeated": 0,
            "id": 2773
          },
          {
            "timestamp": "2026-05-28 22:02:14,057",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\System32\\biwinrt"
              },
              {
                "name": "DllBase",
                "value": "0x7ffc5b720000"
              }
            ],
            "repeated": 0,
            "id": 2774
          },
          {
            "timestamp": "2026-05-28 22:02:14,057",
            "thread_id": "11168",
            "caller": "0x7ffc7571ebae",
            "parentcaller": "0x7ffc775c712f",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "0",
                "pretty_value": "ThreadBasicInformation"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x03\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00 \\xa1\\xf7\\xb8\\x00\\x00\\x00\\xe0)\\x00\\x00\\x00\\x00\\x00\\x00\\xa0+\\x00\\x00\\x00\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "11168"
              }
            ],
            "repeated": 0,
            "id": 2775
          },
          {
            "timestamp": "2026-05-28 22:02:14,057",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\biwinrt.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc5b720000"
              }
            ],
            "repeated": 0,
            "id": 2776
          },
          {
            "timestamp": "2026-05-28 22:02:14,057",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x7ffc5b720000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\System32\\biwinrt.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00002008"
              }
            ],
            "repeated": 0,
            "id": 2777
          },
          {
            "timestamp": "2026-05-28 22:02:14,057",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "biwinrt.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc5b720000"
              },
              {
                "name": "FunctionName",
                "value": "DllGetClassObject"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc5b73bbc0"
              }
            ],
            "repeated": 0,
            "id": 2778
          },
          {
            "timestamp": "2026-05-28 22:02:14,057",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "biwinrt.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc5b720000"
              },
              {
                "name": "FunctionName",
                "value": "DllGetActivationFactory"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc5b72dd30"
              }
            ],
            "repeated": 0,
            "id": 2779
          },
          {
            "timestamp": "2026-05-28 22:02:14,057",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "biwinrt.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc5b720000"
              },
              {
                "name": "FunctionName",
                "value": "DllCanUnloadNow"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc5b72ee10"
              }
            ],
            "repeated": 0,
            "id": 2780
          },
          {
            "timestamp": "2026-05-28 22:02:14,057",
            "thread_id": "11032",
            "caller": "0x7ffc75704448",
            "parentcaller": "0x7ffc1ec3f766",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x3edc00151000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 2781
          },
          {
            "timestamp": "2026-05-28 22:02:14,057",
            "thread_id": "11032",
            "caller": "0x7ffc756e5810",
            "parentcaller": "0x7ffc1fa0f3bb",
            "category": "filesystem",
            "api": "NtReadFile",
            "status": true,
            "return": "0x00000103",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00001774"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\NamedPipe\\LOCAL\\mojo.9188.10632.18297276111718467407"
              },
              {
                "name": "Buffer",
                "value": "\\x10\\x00\\x00\\x00p\\x00\\x00\\x00-\\xec\t\\x05\\x00\\x00\\x00\\x00\\x18\\x00\\x14\\x00\\x00\\x00\\x00\\x00\\x1d\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00H\\x00\\x00\\x00\\x00\\x00\\x00\\x00+\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00x\\x01\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "Length",
                "value": "112"
              }
            ],
            "repeated": 0,
            "id": 2782
          },
          {
            "timestamp": "2026-05-28 22:02:14,057",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000518"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020119",
                "pretty_value": "KEY_QUERY_VALUE|KEY_ENUMERATE_SUB_KEYS|KEY_NOTIFY|KEY_WOW64_64KEY|STANDARD_RIGHTS_REQUIRED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000378"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Windows.ApplicationModel.Background.BackgroundWorkManager"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.ApplicationModel.Background.BackgroundWorkManager"
              }
            ],
            "repeated": 0,
            "id": 2783
          },
          {
            "timestamp": "2026-05-28 22:02:14,057",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000518"
              },
              {
                "name": "KeyInformation",
                "value": "[\\xff9a\\xffe5\\xffe6\\xfff8\\xffee\\xffdc\\x01\\x00\\x00\\x00\\x00r\\x00\\x00\\x00W\\x00i\\x00n\\x00d\\x00o\\x00w\\x00s\\x00.\\x00A\\x00p\\x00p\\x00l\\x00i\\x00c\\x00a\\x00t\\x00i\\x00o\\x00n\\x00M\\x00o\\x00d\\x00e\\x00l\\x00.\\x00B\\x00a\\x00c\\x00k\\x00g\\x00r\\x00o\\x00u\\x00n\\x00d\\x00.\\x00B\\x00a\\x00c\\x00k\\x00g\\x00r\\x00o\\x00u\\x00n\\x00d\\x00W\\x00o\\x00r\\x00k\\x00M\\x00a\\x00n\\x00a\\x00g\\x00e\\x00r\\x00\\xffe7w\\xfffc\\x7f\\x00\\x00x\\xffb3He\\xffa3\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00`\\xffd5\\xff92\\xfff7\\xffb8\\x00\\x00\\x00\\xff8c\\xffc2\\xffffw\\xfffc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\xffa3\\x02\\x00\\x00p\\x13Ie\\xffa3\\x02\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xffa3\\x02\\x00\\x00\\xff9e\\xffaa>$\\xffbd\\xffaa\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xffd0GIe\\xffa3\\x02\\x00\\x00x\\xffb3He\\xffa3\\x02\\x00\\x00P\\xffb3He\\xffa3\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xff87\\xff9d\\xffbbw\\xfffc\\x7f\\x00\\x00p\\x13Ie\\xffa3\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00P\\xffb3He\\xffa3\\x02\\x00\\x00p\\x13Ie\\xffa3\\x02\\x00\\x00\\xffd0GIe\\xffa3\\x02\\x00\\x00`\\xff94Je\\xffa3\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xfff6s\\xffbbw\\xfffc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x07\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xff80\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xffd0GIe\\xffa3\\x02\\x00\\x000!Fe\\xffa3\\x02\\x00\\x000!Fe\\xffa3\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00p\\x13Ie\\xffa3\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x000!Fe\\xffa3\\x02\\x00\\x00\\xff8c\\xffc2\\xffffw\\xfffc\\x7f\\x00\\x00\\x0
0\\x00\\x00\\x00\\xffa3\\x02\\x00\\x00p\\x13Ie\\xffa3\\x02\\x00\\x00`\\xff94Je\\xffa3\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00`\\xffd6\\xff92\\xfff7\\xffb8\\x00\\x00\\x003\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xff90,Fe\\xffa3\\x02\\x00\\x00P\\xffb3He\\xffa3\\x02\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 2784
          },
          {
            "timestamp": "2026-05-28 22:02:14,057",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000518"
              },
              {
                "name": "ValueName",
                "value": "ActivationType"
              },
              {
                "name": "Data",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.ApplicationModel.Background.BackgroundWorkManager\\ActivationType"
              }
            ],
            "repeated": 0,
            "id": 2785
          },
          {
            "timestamp": "2026-05-28 22:02:14,057",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000518"
              },
              {
                "name": "ValueName",
                "value": "Server"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.ApplicationModel.Background.BackgroundWorkManager\\Server"
              }
            ],
            "repeated": 0,
            "id": 2786
          },
          {
            "timestamp": "2026-05-28 22:02:14,057",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000518"
              },
              {
                "name": "ValueName",
                "value": "DllPath"
              },
              {
                "name": "Data",
                "value": "C:\\Windows\\System32\\biwinrt.dll"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.ApplicationModel.Background.BackgroundWorkManager\\DllPath"
              }
            ],
            "repeated": 0,
            "id": 2787
          },
          {
            "timestamp": "2026-05-28 22:02:14,057",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000518"
              },
              {
                "name": "ValueName",
                "value": "Threading"
              },
              {
                "name": "Data",
                "value": "2"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.ApplicationModel.Background.BackgroundWorkManager\\Threading"
              }
            ],
            "repeated": 0,
            "id": 2788
          },
          {
            "timestamp": "2026-05-28 22:02:14,057",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000518"
              },
              {
                "name": "ValueName",
                "value": "TrustLevel"
              },
              {
                "name": "Data",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.ApplicationModel.Background.BackgroundWorkManager\\TrustLevel"
              }
            ],
            "repeated": 0,
            "id": 2789
          },
          {
            "timestamp": "2026-05-28 22:02:14,057",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000518"
              },
              {
                "name": "SubKey",
                "value": "CustomAttributes"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.ApplicationModel.Background.BackgroundWorkManager\\CustomAttributes"
              }
            ],
            "repeated": 0,
            "id": 2790
          },
          {
            "timestamp": "2026-05-28 22:02:14,057",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000518"
              },
              {
                "name": "ValueName",
                "value": "RemoteServer"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.ApplicationModel.Background.BackgroundWorkManager\\RemoteServer"
              }
            ],
            "repeated": 0,
            "id": 2791
          },
          {
            "timestamp": "2026-05-28 22:02:14,057",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000518"
              },
              {
                "name": "ValueName",
                "value": "ActivateAsUser"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.ApplicationModel.Background.BackgroundWorkManager\\ActivateAsUser"
              }
            ],
            "repeated": 0,
            "id": 2792
          },
          {
            "timestamp": "2026-05-28 22:02:14,057",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000518"
              },
              {
                "name": "ValueName",
                "value": "ActivateInSharedBroker"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.ApplicationModel.Background.BackgroundWorkManager\\ActivateInSharedBroker"
              }
            ],
            "repeated": 0,
            "id": 2793
          },
          {
            "timestamp": "2026-05-28 22:02:14,057",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000518"
              },
              {
                "name": "ValueName",
                "value": "ActivateInBrokerForMediumILContainer"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.ApplicationModel.Background.BackgroundWorkManager\\ActivateInBrokerForMediumILContainer"
              }
            ],
            "repeated": 0,
            "id": 2794
          },
          {
            "timestamp": "2026-05-28 22:02:14,057",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000518"
              },
              {
                "name": "ValueName",
                "value": "Permissions"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.ApplicationModel.Background.BackgroundWorkManager\\Permissions"
              }
            ],
            "repeated": 0,
            "id": 2795
          },
          {
            "timestamp": "2026-05-28 22:02:14,057",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000518"
              },
              {
                "name": "ValueName",
                "value": "ActivateOnHostFlags"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.ApplicationModel.Background.BackgroundWorkManager\\ActivateOnHostFlags"
              }
            ],
            "repeated": 0,
            "id": 2796
          },
          {
            "timestamp": "2026-05-28 22:02:14,057",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000518"
              }
            ],
            "repeated": 0,
            "id": 2797
          },
          {
            "timestamp": "2026-05-28 22:02:14,057",
            "thread_id": "11136",
            "caller": "0x7ffc756e6785",
            "parentcaller": "0x7ffc77c12ec5",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000478"
              }
            ],
            "repeated": 0,
            "id": 2798
          },
          {
            "timestamp": "2026-05-28 22:02:14,057",
            "thread_id": "11140",
            "caller": "0x7ffc756e6785",
            "parentcaller": "0x7ffc77c12ec5",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000474"
              }
            ],
            "repeated": 0,
            "id": 2799
          },
          {
            "timestamp": "2026-05-28 22:02:14,057",
            "thread_id": "11136",
            "caller": "0x7ffc756e6785",
            "parentcaller": "0x7ffc77c12ec5",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000518"
              }
            ],
            "repeated": 0,
            "id": 2800
          },
          {
            "timestamp": "2026-05-28 22:02:14,057",
            "thread_id": "11140",
            "caller": "0x7ffc756e6785",
            "parentcaller": "0x7ffc77c12ec5",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000474"
              }
            ],
            "repeated": 0,
            "id": 2801
          },
          {
            "timestamp": "2026-05-28 22:02:14,057",
            "thread_id": "11136",
            "caller": "0x7ffc756e6785",
            "parentcaller": "0x7ffc77c12ec5",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000518"
              }
            ],
            "repeated": 0,
            "id": 2802
          },
          {
            "timestamp": "2026-05-28 22:02:14,057",
            "thread_id": "11140",
            "caller": "0x7ffc756e6785",
            "parentcaller": "0x7ffc77c12ec5",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000474"
              }
            ],
            "repeated": 0,
            "id": 2803
          },
          {
            "timestamp": "2026-05-28 22:02:14,057",
            "thread_id": "11140",
            "caller": "0x7ffc77ba22bf",
            "parentcaller": "0x7ffc77c1fbe4",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x000003c6"
              },
              {
                "name": "SubKey",
                "value": "Interface\\{350E1244-4575-45EE-8595-0AA8C6506FC7}"
              },
              {
                "name": "Handle",
                "value": "0x00000476"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\Interface\\{350E1244-4575-45EE-8595-0AA8C6506FC7}"
              }
            ],
            "repeated": 0,
            "id": 2804
          },
          {
            "timestamp": "2026-05-28 22:02:14,057",
            "thread_id": "11140",
            "caller": "0x7ffc77c1fa51",
            "parentcaller": "0x7ffc77be42ab",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000476"
              },
              {
                "name": "SubKey",
                "value": "ProxyStubClsid32"
              },
              {
                "name": "Handle",
                "value": "0x0000051e"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{350E1244-4575-45EE-8595-0AA8C6506FC7}\\ProxyStubClsid32"
              }
            ],
            "repeated": 0,
            "id": 2805
          },
          {
            "timestamp": "2026-05-28 22:02:14,057",
            "thread_id": "11140",
            "caller": "0x7ffc77c1fa8c",
            "parentcaller": "0x7ffc77be42ab",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000051e"
              },
              {
                "name": "ValueName",
                "value": ""
              },
              {
                "name": "Data",
                "value": "{95E15D0A-66E6-93D9-C53C-76E6219D3341}"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{350E1244-4575-45EE-8595-0AA8C6506FC7}\\ProxyStubClsid32\\(Default)"
              }
            ],
            "repeated": 0,
            "id": 2806
          },
          {
            "timestamp": "2026-05-28 22:02:14,057",
            "thread_id": "11140",
            "caller": "0x7ffc77c1fad3",
            "parentcaller": "0x7ffc77be42ab",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000051e"
              }
            ],
            "repeated": 0,
            "id": 2807
          },
          {
            "timestamp": "2026-05-28 22:02:14,057",
            "thread_id": "11140",
            "caller": "0x7ffc77c1fae4",
            "parentcaller": "0x7ffc77be42ab",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000476"
              }
            ],
            "repeated": 0,
            "id": 2808
          },
          {
            "timestamp": "2026-05-28 22:02:14,057",
            "thread_id": "11140",
            "caller": "0x7ffc756d30ce",
            "parentcaller": "0x7ffc77c22cd1",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 2809
          },
          {
            "timestamp": "2026-05-28 22:02:14,057",
            "thread_id": "11140",
            "caller": "0x7ffc756d30ce",
            "parentcaller": "0x7ffc77c22cd1",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000037c"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 2810
          },
          {
            "timestamp": "2026-05-28 22:02:14,057",
            "thread_id": "11140",
            "caller": "0x7ffc78013f7a",
            "parentcaller": "0x7ffc770b0ed7",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "29"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 2811
          },
          {
            "timestamp": "2026-05-28 22:02:14,057",
            "thread_id": "11140",
            "caller": "0x7ffc770b0cd1",
            "parentcaller": "0x7ffc770af28f",
            "category": "filesystem",
            "api": "NtOpenDirectoryObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "DirectoryHandle",
                "value": "0x00000474"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020001",
                "pretty_value": "FILE_READ_ACCESS|READ_CONTROL"
              },
              {
                "name": "ObjectAttributes",
                "value": "C:\\RPC Control"
              }
            ],
            "repeated": 0,
            "id": 2812
          },
          {
            "timestamp": "2026-05-28 22:02:14,057",
            "thread_id": "11140",
            "caller": "0x7ffc7572026b",
            "parentcaller": "0x7ffc770b0daf",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x0000051c"
              }
            ],
            "repeated": 0,
            "id": 2813
          },
          {
            "timestamp": "2026-05-28 22:02:14,057",
            "thread_id": "11140",
            "caller": "0x7ffc78008cde",
            "parentcaller": "0x7ffc78049c4e",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "10"
              },
              {
                "name": "TokenInformation",
                "value": "H\\xc5\n\\x00\\x00\\x00\\x00\\x00]Y\\x02\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x7f\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x94\\x0f\\x00\\x00\\x0e\\x00\\x00\\x00\\x18\\x00\\x00\\x00\t\\xc5\n\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 2814
          },
          {
            "timestamp": "2026-05-28 22:02:14,057",
            "thread_id": "11140",
            "caller": "0x7ffc78036e46",
            "parentcaller": "0x7ffc78008d8f",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "4"
              },
              {
                "name": "TokenInformation",
                "value": "\\xe8\\x91Je\\xa3\\x02\\x00\\x00\\x01\\x02\\x00\\x00\\x00\\x00\\x00\\x05 \\x00\\x00\\x00 \\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 2815
          },
          {
            "timestamp": "2026-05-28 22:02:14,057",
            "thread_id": "11140",
            "caller": "0x7ffc78036e9b",
            "parentcaller": "0x7ffc78008d8f",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "25"
              },
              {
                "name": "TokenInformation",
                "value": "\\xe0zHe\\xa3\\x02\\x00\\x00`\\x00\\x00\\x00\\xfc\\x7f\\x00\\x00\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x10\\x000\\x00\\x00\\xfc\\x7f\\x00\\x00\\x90\\x11\\xdbw\\xfc\\x7f\\x00\\x00X\\x11\\xdbw\\xfc\\x7f\\x00\\x00\\xe01Ie\\xa3\\x02\\x00\\x00\\xa0\\x10Ee\\xa3\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xdd~\\x1e\\xde\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 2816
          },
          {
            "timestamp": "2026-05-28 22:02:14,057",
            "thread_id": "11140",
            "caller": "0x7ffc78036ec0",
            "parentcaller": "0x7ffc78008d8f",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "5"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 2817
          },
          {
            "timestamp": "2026-05-28 22:02:14,057",
            "thread_id": "11140",
            "caller": "0x7ffc78036f0e",
            "parentcaller": "0x7ffc78008d8f",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "5"
              },
              {
                "name": "TokenInformation",
                "value": "X`He\\xa3\\x02\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\x01\\x02\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 2818
          },
          {
            "timestamp": "2026-05-28 22:02:14,057",
            "thread_id": "11140",
            "caller": "0x7ffc78036f37",
            "parentcaller": "0x7ffc78008d8f",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "6"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 2819
          },
          {
            "timestamp": "2026-05-28 22:02:14,057",
            "thread_id": "11140",
            "caller": "0x7ffc78036f8f",
            "parentcaller": "0x7ffc78008d8f",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "6"
              },
              {
                "name": "TokenInformation",
                "value": "\\xb8pHe\\xa3\\x02\\x00\\x00\\x02\\x00P\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x18\\x00\\x00\\x00\\x00\\x10\\x01\\x02\\x00\\x00\\x00\\x00\\x00\\x05 \\x00\\x00\\x00 \\x02\\x00\\x00\\x00\\x00\\x14\\x00\\x00\\x00\\x00\\x10\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x05\\x12\\x00\\x00\\x00\\x00\\x00\\x1c\\x00\\x00\\x00\\x00\\xa0\\x01\\x03\\x00\\x00\\x00\\x00\\x00\\x05\\x05\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xc7X\\x02\\x00"
              }
            ],
            "repeated": 0,
            "id": 2820
          },
          {
            "timestamp": "2026-05-28 22:02:14,057",
            "thread_id": "11140",
            "caller": "0x7ffc78037048",
            "parentcaller": "0x7ffc78036fa8",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "41"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00X@\\xdd3\\xfc\\x7f\\x00\\x00\\xebP\\xb53\\xfc\\x7f\\x00\\x00\\x08\\x88\\xd9\\xfb\\x02;\\x00\\x00(N\\xd93\\xfc\\x7f\\x00\\x00p\\xdf\\xff\\xf8\\xb8\\x00\\x00\\x00h\\xdf\\xff\\xf8\\xb8\\x00\\x00\\x008\\xdf\\xff\\xf8\\xb8\\x00\\x00\\x00X\\xdf\\xff\\xf8"
              }
            ],
            "repeated": 0,
            "id": 2821
          },
          {
            "timestamp": "2026-05-28 22:02:14,057",
            "thread_id": "11140",
            "caller": "0x7ffc7803707b",
            "parentcaller": "0x7ffc78036fa8",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "41"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb0pHe\\xa3\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xd9\\xd8\\xb63\\xfc\\x7f\\x00\\x00#\\x00\\x00\\xc0\\x00\\x00\\x00\\x00X\\xdd\\xff\\xf8\\xb8\\x00\\x00\\x00\\x1c\\x05\\x00\\x00\\x00\\x00\\x00\\x00\\x9a\\x00\\x1f8\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x86\\xa2\\xd93"
              }
            ],
            "repeated": 0,
            "id": 2822
          },
          {
            "timestamp": "2026-05-28 22:02:14,057",
            "thread_id": "11140",
            "caller": "0x7ffc78008cde",
            "parentcaller": "0x7ffc7800953a",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "10"
              },
              {
                "name": "TokenInformation",
                "value": "H\\xc5\n\\x00\\x00\\x00\\x00\\x00]Y\\x02\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x7f\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x94\\x0f\\x00\\x00\\x0e\\x00\\x00\\x00\\x18\\x00\\x00\\x00\t\\xc5\n\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 2823
          },
          {
            "timestamp": "2026-05-28 22:02:14,057",
            "thread_id": "11140",
            "caller": "0x7ffc78036e46",
            "parentcaller": "0x7ffc78008d8f",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "4"
              },
              {
                "name": "TokenInformation",
                "value": "\\x18\\x94Je\\xa3\\x02\\x00\\x00\\x01\\x02\\x00\\x00\\x00\\x00\\x00\\x05 \\x00\\x00\\x00 \\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 2824
          },
          {
            "timestamp": "2026-05-28 22:02:14,057",
            "thread_id": "11140",
            "caller": "0x7ffc78036e9b",
            "parentcaller": "0x7ffc78008d8f",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "25"
              },
              {
                "name": "TokenInformation",
                "value": "\\xe0qHe\\xa3\\x02\\x00\\x00`\\x00\\x00\\x002\\x001\\x00\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x10\\x000\\x00\\x00C\\x00:\\x00\\\\x00W\\x00i\\x00n\\x00d\\x00o\\x00w\\x00s\\x00\\\\x00S\\x00y\\x00s\\x00t\\x00e\\x00m\\x003\\x002\\x00\\\\x00b\\x00i\\x00w\\x00i\\x00n\\x00r\\x00t\\x00.\\x00"
              }
            ],
            "repeated": 0,
            "id": 2825
          },
          {
            "timestamp": "2026-05-28 22:02:14,057",
            "thread_id": "11140",
            "caller": "0x7ffc78036ec0",
            "parentcaller": "0x7ffc78008d8f",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "5"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 2826
          },
          {
            "timestamp": "2026-05-28 22:02:14,057",
            "thread_id": "11140",
            "caller": "0x7ffc78036f0e",
            "parentcaller": "0x7ffc78008d8f",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "5"
              },
              {
                "name": "TokenInformation",
                "value": "HaHe\\xa3\\x02\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\x01\\x02\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 2827
          },
          {
            "timestamp": "2026-05-28 22:02:14,057",
            "thread_id": "11140",
            "caller": "0x7ffc78036f37",
            "parentcaller": "0x7ffc78008d8f",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "6"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 2828
          },
          {
            "timestamp": "2026-05-28 22:02:14,057",
            "thread_id": "11140",
            "caller": "0x7ffc78036f8f",
            "parentcaller": "0x7ffc78008d8f",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "6"
              },
              {
                "name": "TokenInformation",
                "value": "XvHe\\xa3\\x02\\x00\\x00\\x02\\x00P\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x18\\x00\\x00\\x00\\x00\\x10\\x01\\x02\\x00\\x00\\x00\\x00\\x00\\x05 \\x00\\x00\\x00 \\x02\\x00\\x00\\x00\\x00\\x14\\x00\\x00\\x00\\x00\\x10\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x05\\x12\\x00\\x00\\x00\\x00\\x00\\x1c\\x00\\x00\\x00\\x00\\xa0\\x01\\x03\\x00\\x00\\x00\\x00\\x00\\x05\\x05\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xc7X\\x02\\x00"
              }
            ],
            "repeated": 0,
            "id": 2829
          },
          {
            "timestamp": "2026-05-28 22:02:14,057",
            "thread_id": "11140",
            "caller": "0x7ffc78037048",
            "parentcaller": "0x7ffc78036fa8",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "41"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00X@\\xdd3\\xfc\\x7f\\x00\\x00\\xebP\\xb53\\xfc\\x7f\\x00\\x00\\xa8\\x8d\\xd9\\xfb\\x02;\\x00\\x00(N\\xd93\\xfc\\x7f\\x00\\x00\\xd0\\xdb\\xff\\xf8\\xb8\\x00\\x00\\x00\\xc8\\xdb\\xff\\xf8\\xb8\\x00\\x00\\x00\\x98\\xdb\\xff\\xf8\\xb8\\x00\\x00\\x00\\xb8\\xdb\\xff\\xf8"
              }
            ],
            "repeated": 0,
            "id": 2830
          },
          {
            "timestamp": "2026-05-28 22:02:14,057",
            "thread_id": "11140",
            "caller": "0x7ffc7803707b",
            "parentcaller": "0x7ffc78036fa8",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "41"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00PvHe\\xa3\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xd9\\xd8\\xb63\\xfc\\x7f\\x00\\x00#\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\xb8\\xd9\\xff\\xf8\\xb8\\x00\\x00\\x00\\x1c\\x05\\x00\\x00\\x00\\x00\\x00\\x00\\x9a\\x00\\x1f8\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x86\\xa2\\xd93"
              }
            ],
            "repeated": 0,
            "id": 2831
          },
          {
            "timestamp": "2026-05-28 22:02:14,057",
            "thread_id": "11140",
            "caller": "0x7ffc756e6785",
            "parentcaller": "0x7ffc770b0e27",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000474"
              }
            ],
            "repeated": 0,
            "id": 2832
          },
          {
            "timestamp": "2026-05-28 22:02:14,057",
            "thread_id": "11140",
            "caller": "0x7ffc756e6785",
            "parentcaller": "0x7ffc770b0e49",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000051c"
              }
            ],
            "repeated": 0,
            "id": 2833
          },
          {
            "timestamp": "2026-05-28 22:02:14,057",
            "thread_id": "11136",
            "caller": "0x7ffc756e6785",
            "parentcaller": "0x7ffc77c12ec5",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000518"
              }
            ],
            "repeated": 0,
            "id": 2834
          },
          {
            "timestamp": "2026-05-28 22:02:14,057",
            "thread_id": "11136",
            "caller": "0x7ffc77ba22bf",
            "parentcaller": "0x7ffc77c1fbe4",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x000003c6"
              },
              {
                "name": "SubKey",
                "value": "Interface\\{01CF8BD4-E3D6-413D-8339-36D46E78D12C}"
              },
              {
                "name": "Handle",
                "value": "0x0000051a"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\Interface\\{01CF8BD4-E3D6-413D-8339-36D46E78D12C}"
              }
            ],
            "repeated": 0,
            "id": 2835
          },
          {
            "timestamp": "2026-05-28 22:02:14,057",
            "thread_id": "11136",
            "caller": "0x7ffc77c1fa51",
            "parentcaller": "0x7ffc77be42ab",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x0000051a"
              },
              {
                "name": "SubKey",
                "value": "ProxyStubClsid32"
              },
              {
                "name": "Handle",
                "value": "0x00000476"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{01CF8BD4-E3D6-413D-8339-36D46E78D12C}\\ProxyStubClsid32"
              }
            ],
            "repeated": 0,
            "id": 2836
          },
          {
            "timestamp": "2026-05-28 22:02:14,057",
            "thread_id": "11136",
            "caller": "0x7ffc77c1fa8c",
            "parentcaller": "0x7ffc77be42ab",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000476"
              },
              {
                "name": "ValueName",
                "value": ""
              },
              {
                "name": "Data",
                "value": "{95E15D0A-66E6-93D9-C53C-76E6219D3341}"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{01CF8BD4-E3D6-413D-8339-36D46E78D12C}\\ProxyStubClsid32\\(Default)"
              }
            ],
            "repeated": 0,
            "id": 2837
          },
          {
            "timestamp": "2026-05-28 22:02:14,057",
            "thread_id": "11136",
            "caller": "0x7ffc77c1fad3",
            "parentcaller": "0x7ffc77be42ab",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000476"
              }
            ],
            "repeated": 0,
            "id": 2838
          },
          {
            "timestamp": "2026-05-28 22:02:14,057",
            "thread_id": "11136",
            "caller": "0x7ffc77c1fae4",
            "parentcaller": "0x7ffc77be42ab",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000051a"
              }
            ],
            "repeated": 0,
            "id": 2839
          },
          {
            "timestamp": "2026-05-28 22:02:14,057",
            "thread_id": "11136",
            "caller": "0x7ffc756d30ce",
            "parentcaller": "0x7ffc77c22cd1",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 2840
          },
          {
            "timestamp": "2026-05-28 22:02:14,057",
            "thread_id": "11136",
            "caller": "0x7ffc756d30ce",
            "parentcaller": "0x7ffc77c22cd1",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000037c"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 2841
          },
          {
            "timestamp": "2026-05-28 22:02:14,057",
            "thread_id": "11136",
            "caller": "0x7ffc78013f7a",
            "parentcaller": "0x7ffc770b0ed7",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "29"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 2842
          },
          {
            "timestamp": "2026-05-28 22:02:14,057",
            "thread_id": "11136",
            "caller": "0x7ffc770b0cd1",
            "parentcaller": "0x7ffc770af28f",
            "category": "filesystem",
            "api": "NtOpenDirectoryObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "DirectoryHandle",
                "value": "0x00000518"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020001",
                "pretty_value": "FILE_READ_ACCESS|READ_CONTROL"
              },
              {
                "name": "ObjectAttributes",
                "value": "C:\\RPC Control"
              }
            ],
            "repeated": 0,
            "id": 2843
          },
          {
            "timestamp": "2026-05-28 22:02:14,057",
            "thread_id": "11136",
            "caller": "0x7ffc7572026b",
            "parentcaller": "0x7ffc770b0daf",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x00000474"
              }
            ],
            "repeated": 0,
            "id": 2844
          },
          {
            "timestamp": "2026-05-28 22:02:14,057",
            "thread_id": "11136",
            "caller": "0x7ffc78008cde",
            "parentcaller": "0x7ffc78049c4e",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "10"
              },
              {
                "name": "TokenInformation",
                "value": "H\\xc5\n\\x00\\x00\\x00\\x00\\x00]Y\\x02\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x7f\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x94\\x0f\\x00\\x00\\x0e\\x00\\x00\\x00\\x18\\x00\\x00\\x00\t\\xc5\n\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 2845
          },
          {
            "timestamp": "2026-05-28 22:02:14,057",
            "thread_id": "11136",
            "caller": "0x7ffc78036e46",
            "parentcaller": "0x7ffc78008d8f",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "4"
              },
              {
                "name": "TokenInformation",
                "value": "\\x08\\x9aJe\\xa3\\x02\\x00\\x00\\x01\\x02\\x00\\x00\\x00\\x00\\x00\\x05 \\x00\\x00\\x00 \\x02\\x00\\x00\\xc0\\xa3\\xdaw\\xfc\\x7f\\x00\\x00y\\x00s\\x00t\\x00e\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00s\\x00a\\x00s\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 2846
          },
          {
            "timestamp": "2026-05-28 22:02:14,057",
            "thread_id": "11136",
            "caller": "0x7ffc78036e9b",
            "parentcaller": "0x7ffc78008d8f",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "25"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\tFe\\xa3\\x02\\x00\\x00`\\x00\\x00\\x002\\x001\\x00\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x10\\x000\\x00\\x008\\x006\\x000\\x004\\x000\\x00-\\x003\\x002\\x001\\x000\\x002\\x007\\x009\\x004\\x006\\x003\\x00-\\x008\\x004\\x007\\x009\\x007\\x007\\x006\\x000\\x008\\x00-\\x001\\x00"
              }
            ],
            "repeated": 0,
            "id": 2847
          },
          {
            "timestamp": "2026-05-28 22:02:14,057",
            "thread_id": "11136",
            "caller": "0x7ffc78036ec0",
            "parentcaller": "0x7ffc78008d8f",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "5"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 2848
          },
          {
            "timestamp": "2026-05-28 22:02:14,057",
            "thread_id": "11136",
            "caller": "0x7ffc78036f0e",
            "parentcaller": "0x7ffc78008d8f",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "5"
              },
              {
                "name": "TokenInformation",
                "value": "\\xa8gHe\\xa3\\x02\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\x01\\x02\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 2849
          },
          {
            "timestamp": "2026-05-28 22:02:14,057",
            "thread_id": "11136",
            "caller": "0x7ffc78036f37",
            "parentcaller": "0x7ffc78008d8f",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "6"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 2850
          },
          {
            "timestamp": "2026-05-28 22:02:14,057",
            "thread_id": "11136",
            "caller": "0x7ffc78036f8f",
            "parentcaller": "0x7ffc78008d8f",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "6"
              },
              {
                "name": "TokenInformation",
                "value": "x\rFe\\xa3\\x02\\x00\\x00\\x02\\x00P\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x18\\x00\\x00\\x00\\x00\\x10\\x01\\x02\\x00\\x00\\x00\\x00\\x00\\x05 \\x00\\x00\\x00 \\x02\\x00\\x00\\x00\\x00\\x14\\x00\\x00\\x00\\x00\\x10\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x05\\x12\\x00\\x00\\x00\\x00\\x00\\x1c\\x00\\x00\\x00\\x00\\xa0\\x01\\x03\\x00\\x00\\x00\\x00\\x00\\x05\\x05\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xc7X\\x02\\x00"
              }
            ],
            "repeated": 0,
            "id": 2851
          },
          {
            "timestamp": "2026-05-28 22:02:14,057",
            "thread_id": "11136",
            "caller": "0x7ffc78037048",
            "parentcaller": "0x7ffc78036fa8",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "41"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00X@\\xdd3\\xfc\\x7f\\x00\\x00\\xebP\\xb53\\xfc\\x7f\\x00\\x00X\\x8b\\xc9\\xfb\\x02;\\x00\\x00(N\\xd93\\xfc\\x7f\\x00\\x00 \\xde\\xef\\xf8\\xb8\\x00\\x00\\x00\\x18\\xde\\xef\\xf8\\xb8\\x00\\x00\\x00\\xe8\\xdd\\xef\\xf8\\xb8\\x00\\x00\\x00\\x08\\xde\\xef\\xf8"
              }
            ],
            "repeated": 0,
            "id": 2852
          },
          {
            "timestamp": "2026-05-28 22:02:14,057",
            "thread_id": "11136",
            "caller": "0x7ffc7803707b",
            "parentcaller": "0x7ffc78036fa8",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "41"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00p\rFe\\xa3\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xd9\\xd8\\xb63\\xfc\\x7f\\x00\\x00#\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x08\\xdc\\xef\\xf8\\xb8\\x00\\x00\\x00t\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x9a\\x00\\x1f8\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x86\\xa2\\xd93"
              }
            ],
            "repeated": 0,
            "id": 2853
          },
          {
            "timestamp": "2026-05-28 22:02:14,057",
            "thread_id": "11136",
            "caller": "0x7ffc78008cde",
            "parentcaller": "0x7ffc7800953a",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "10"
              },
              {
                "name": "TokenInformation",
                "value": "H\\xc5\n\\x00\\x00\\x00\\x00\\x00]Y\\x02\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x7f\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x94\\x0f\\x00\\x00\\x0e\\x00\\x00\\x00\\x18\\x00\\x00\\x00\t\\xc5\n\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 2854
          },
          {
            "timestamp": "2026-05-28 22:02:14,057",
            "thread_id": "11136",
            "caller": "0x7ffc78036e46",
            "parentcaller": "0x7ffc78008d8f",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "4"
              },
              {
                "name": "TokenInformation",
                "value": "X\\x95Je\\xa3\\x02\\x00\\x00\\x01\\x02\\x00\\x00\\x00\\x00\\x00\\x05 \\x00\\x00\\x00 \\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 2855
          },
          {
            "timestamp": "2026-05-28 22:02:14,057",
            "thread_id": "11136",
            "caller": "0x7ffc78036e9b",
            "parentcaller": "0x7ffc78008d8f",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "25"
              },
              {
                "name": "TokenInformation",
                "value": "`\\x0fFe\\xa3\\x02\\x00\\x00`\\x00\\x00\\x00\\xfc\\x7f\\x00\\x00\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x10\\x000\\x00\\x00\\xfc\\x7f\\x00\\x00t\\x00e\\x00m\\x003\\x002\\x00\\\\x00e\\x00x\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00d\\x00e\\x00l\\x00p\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00P[Ce"
              }
            ],
            "repeated": 0,
            "id": 2856
          },
          {
            "timestamp": "2026-05-28 22:02:14,057",
            "thread_id": "11136",
            "caller": "0x7ffc78036ec0",
            "parentcaller": "0x7ffc78008d8f",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "5"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 2857
          },
          {
            "timestamp": "2026-05-28 22:02:14,057",
            "thread_id": "11136",
            "caller": "0x7ffc78036f0e",
            "parentcaller": "0x7ffc78008d8f",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "5"
              },
              {
                "name": "TokenInformation",
                "value": "HjHe\\xa3\\x02\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\x01\\x02\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 2858
          },
          {
            "timestamp": "2026-05-28 22:02:14,057",
            "thread_id": "11136",
            "caller": "0x7ffc78036f37",
            "parentcaller": "0x7ffc78008d8f",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "6"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 2859
          },
          {
            "timestamp": "2026-05-28 22:02:14,057",
            "thread_id": "11136",
            "caller": "0x7ffc78036f8f",
            "parentcaller": "0x7ffc78008d8f",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "6"
              },
              {
                "name": "TokenInformation",
                "value": "\\xd8zHe\\xa3\\x02\\x00\\x00\\x02\\x00P\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x18\\x00\\x00\\x00\\x00\\x10\\x01\\x02\\x00\\x00\\x00\\x00\\x00\\x05 \\x00\\x00\\x00 \\x02\\x00\\x00\\x00\\x00\\x14\\x00\\x00\\x00\\x00\\x10\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x05\\x12\\x00\\x00\\x00\\x00\\x00\\x1c\\x00\\x00\\x00\\x00\\xa0\\x01\\x03\\x00\\x00\\x00\\x00\\x00\\x05\\x05\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xc7X\\x02\\x00"
              }
            ],
            "repeated": 0,
            "id": 2860
          },
          {
            "timestamp": "2026-05-28 22:02:14,057",
            "thread_id": "11136",
            "caller": "0x7ffc78037048",
            "parentcaller": "0x7ffc78036fa8",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "41"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00X@\\xdd3\\xfc\\x7f\\x00\\x00\\xebP\\xb53\\xfc\\x7f\\x00\\x00\\xf8\\x8c\\xc9\\xfb\\x02;\\x00\\x00(N\\xd93\\xfc\\x7f\\x00\\x00\\x80\\xda\\xef\\xf8\\xb8\\x00\\x00\\x00x\\xda\\xef\\xf8\\xb8\\x00\\x00\\x00H\\xda\\xef\\xf8\\xb8\\x00\\x00\\x00h\\xda\\xef\\xf8"
              }
            ],
            "repeated": 0,
            "id": 2861
          },
          {
            "timestamp": "2026-05-28 22:02:14,057",
            "thread_id": "11136",
            "caller": "0x7ffc7803707b",
            "parentcaller": "0x7ffc78036fa8",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "41"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xd0zHe\\xa3\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xd9\\xd8\\xb63\\xfc\\x7f\\x00\\x00#\\x00\\x00\\xc0\\x00\\x00\\x00\\x00h\\xd8\\xef\\xf8\\xb8\\x00\\x00\\x00t\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x9a\\x00\\x1f8\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x86\\xa2\\xd93"
              }
            ],
            "repeated": 0,
            "id": 2862
          },
          {
            "timestamp": "2026-05-28 22:02:14,057",
            "thread_id": "11136",
            "caller": "0x7ffc756e6785",
            "parentcaller": "0x7ffc770b0e27",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000518"
              }
            ],
            "repeated": 0,
            "id": 2863
          },
          {
            "timestamp": "2026-05-28 22:02:14,057",
            "thread_id": "11136",
            "caller": "0x7ffc756e6785",
            "parentcaller": "0x7ffc770b0e49",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000474"
              }
            ],
            "repeated": 0,
            "id": 2864
          },
          {
            "timestamp": "2026-05-28 22:02:14,057",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc6fb11000"
              },
              {
                "name": "ModuleName",
                "value": "OneCoreUAPCommonProxyStub.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 2865
          },
          {
            "timestamp": "2026-05-28 22:02:14,057",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc6fb11000"
              },
              {
                "name": "ModuleName",
                "value": "OneCoreUAPCommonProxyStub.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 2866
          },
          {
            "timestamp": "2026-05-28 22:02:14,057",
            "thread_id": "11140",
            "caller": "0x7ffc756e6785",
            "parentcaller": "0x7ffc77c12ec5",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000051c"
              }
            ],
            "repeated": 0,
            "id": 2867
          },
          {
            "timestamp": "2026-05-28 22:02:14,057",
            "thread_id": "11140",
            "caller": "0x7ffc78013f7a",
            "parentcaller": "0x7ffc770b0ed7",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "29"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 2868
          },
          {
            "timestamp": "2026-05-28 22:02:14,057",
            "thread_id": "11140",
            "caller": "0x7ffc770a7042",
            "parentcaller": "0x7ffc770a6fa4",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004dc"
              }
            ],
            "repeated": 0,
            "id": 2869
          },
          {
            "timestamp": "2026-05-28 22:02:14,057",
            "thread_id": "11140",
            "caller": "0x7ffc77c2dd9d",
            "parentcaller": "0x7ffc77bc7428",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000004dc"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020119",
                "pretty_value": "KEY_QUERY_VALUE|KEY_ENUMERATE_SUB_KEYS|KEY_NOTIFY|KEY_WOW64_64KEY|STANDARD_RIGHTS_REQUIRED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000378"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Windows.Foundation.Collections.ValueSet"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Foundation.Collections.ValueSet"
              }
            ],
            "repeated": 0,
            "id": 2870
          },
          {
            "timestamp": "2026-05-28 22:02:14,057",
            "thread_id": "11140",
            "caller": "0x7ffc77c2ddf7",
            "parentcaller": "0x7ffc77bc7428",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000004dc"
              },
              {
                "name": "KeyInformation",
                "value": "\\xff97\\xfffc\\xffe7\\xffe6\\xfff8\\xffee\\xffdc\\x01\\x00\\x00\\x00\\x00N\\x00\\x00\\x00W\\x00i\\x00n\\x00d\\x00o\\x00w\\x00s\\x00.\\x00F\\x00o\\x00u\\x00n\\x00d\\x00a\\x00t\\x00i\\x00o\\x00n\\x00.\\x00C\\x00o\\x00l\\x00l\\x00e\\x00c\\x00t\\x00i\\x00o\\x00n\\x00s\\x00.\\x00V\\x00a\\x00l\\x00u\\x00e\\x00S\\x00e\\x00t\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00.\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x07\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x0e\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xffb0E\\xffe7w\\xfffc\\x7f\\x00\\x00\\xfff8\\xffb3He\\xffa3\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xfff0\\xffe0\\xffff\\xfff8\\xffb8\\x00\\x00\\x00\\xff8c\\xffc2\\xffffw\\xfffc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\xffa3\\x02\\x00\\x00\\xffe0\\x06Ie\\xffa3\\x02\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xffa3\\x02\\x00\\x00\\xffee\\xffa6S+\\xffbd\\xffaa\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x11Fe\\xffa3\\x02\\x00\\x00\\xfff8\\xffb3He\\xffa3\\x02\\x00\\x00\\xffd0\\xffb3He\\xffa3\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xff87\\xff9d\\xffbbw\\xfffc\\x7f\\x00\\x00\\xffe0\\x06Ie\\xffa3\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xffd0\\xffb3He\\xffa3\\x02\\x00\\x00\\xffe0\\x06Ie\\xffa3\\x02\\x00\\x00\\x10\\x11Fe\\xffa3\\x02\\x00\\x00\\xffe0\\xff96Je\\xffa3\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xfff6s\\xffbbw\\xfffc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x07\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xff80\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x11Fe\\xffa3\\x02\\x00\\x00\\xff80\\x02Ie\\xffa3\\x02\\x00\\x00\\xff80\\x02Ie\\xffa3\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xffe0\\x06Ie\\xffa3\\x02\\x00\
\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xff80\\x02Ie\\xffa3\\x02\\x00\\x00\\xff8c\\xffc2\\xffffw\\xfffc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\xffa3\\x02\\x00\\x00\\xffe0\\x06Ie\\xffa3\\x02\\x00\\x00\\xffe0\\xff96Je\\xffa3\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xfff0\\xffe1\\xffff\\xfff8\\xffb8\\x00\\x00\\x003\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xff90\\x05Ie\\xffa3\\x02\\x00\\x00\\xffd0\\xffb3He\\xffa3\\x02\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 2871
          },
          {
            "timestamp": "2026-05-28 22:02:14,057",
            "thread_id": "11140",
            "caller": "0x7ffc756e2e92",
            "parentcaller": "0x7ffc77c29cb2",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004dc"
              },
              {
                "name": "ValueName",
                "value": "ActivationType"
              },
              {
                "name": "Data",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Foundation.Collections.ValueSet\\ActivationType"
              }
            ],
            "repeated": 0,
            "id": 2872
          },
          {
            "timestamp": "2026-05-28 22:02:14,057",
            "thread_id": "11140",
            "caller": "0x7ffc77b87deb",
            "parentcaller": "0x7ffc77c38ff0",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004dc"
              },
              {
                "name": "ValueName",
                "value": "Server"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Foundation.Collections.ValueSet\\Server"
              }
            ],
            "repeated": 0,
            "id": 2873
          },
          {
            "timestamp": "2026-05-28 22:02:14,057",
            "thread_id": "11140",
            "caller": "0x7ffc77b87deb",
            "parentcaller": "0x7ffc77c400bb",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004dc"
              },
              {
                "name": "ValueName",
                "value": "DllPath"
              },
              {
                "name": "Data",
                "value": "C:\\Windows\\System32\\WinTypes.dll"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Foundation.Collections.ValueSet\\DllPath"
              }
            ],
            "repeated": 0,
            "id": 2874
          },
          {
            "timestamp": "2026-05-28 22:02:14,057",
            "thread_id": "11140",
            "caller": "0x7ffc756e2e92",
            "parentcaller": "0x7ffc77c29cb2",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004dc"
              },
              {
                "name": "ValueName",
                "value": "Threading"
              },
              {
                "name": "Data",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Foundation.Collections.ValueSet\\Threading"
              }
            ],
            "repeated": 0,
            "id": 2875
          },
          {
            "timestamp": "2026-05-28 22:02:14,057",
            "thread_id": "11140",
            "caller": "0x7ffc756e2e92",
            "parentcaller": "0x7ffc77c29cb2",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004dc"
              },
              {
                "name": "ValueName",
                "value": "TrustLevel"
              },
              {
                "name": "Data",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Foundation.Collections.ValueSet\\TrustLevel"
              }
            ],
            "repeated": 0,
            "id": 2876
          },
          {
            "timestamp": "2026-05-28 22:02:14,057",
            "thread_id": "11140",
            "caller": "0x7ffc77b8c0fc",
            "parentcaller": "0x7ffc77c24170",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x000004dc"
              },
              {
                "name": "SubKey",
                "value": "CustomAttributes"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Foundation.Collections.ValueSet\\CustomAttributes"
              }
            ],
            "repeated": 0,
            "id": 2877
          },
          {
            "timestamp": "2026-05-28 22:02:14,057",
            "thread_id": "11140",
            "caller": "0x7ffc77b87deb",
            "parentcaller": "0x7ffc77c38ff0",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004dc"
              },
              {
                "name": "ValueName",
                "value": "RemoteServer"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Foundation.Collections.ValueSet\\RemoteServer"
              }
            ],
            "repeated": 0,
            "id": 2878
          },
          {
            "timestamp": "2026-05-28 22:02:14,057",
            "thread_id": "11140",
            "caller": "0x7ffc756e2e92",
            "parentcaller": "0x7ffc77c29cb2",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004dc"
              },
              {
                "name": "ValueName",
                "value": "ActivateAsUser"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Foundation.Collections.ValueSet\\ActivateAsUser"
              }
            ],
            "repeated": 0,
            "id": 2879
          },
          {
            "timestamp": "2026-05-28 22:02:14,057",
            "thread_id": "11140",
            "caller": "0x7ffc756e2e92",
            "parentcaller": "0x7ffc77c29cb2",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004dc"
              },
              {
                "name": "ValueName",
                "value": "ActivateInSharedBroker"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Foundation.Collections.ValueSet\\ActivateInSharedBroker"
              }
            ],
            "repeated": 0,
            "id": 2880
          },
          {
            "timestamp": "2026-05-28 22:02:14,057",
            "thread_id": "11140",
            "caller": "0x7ffc756e2e92",
            "parentcaller": "0x7ffc77c29cb2",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004dc"
              },
              {
                "name": "ValueName",
                "value": "ActivateInBrokerForMediumILContainer"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Foundation.Collections.ValueSet\\ActivateInBrokerForMediumILContainer"
              }
            ],
            "repeated": 0,
            "id": 2881
          },
          {
            "timestamp": "2026-05-28 22:02:14,057",
            "thread_id": "11140",
            "caller": "0x7ffc756e2e92",
            "parentcaller": "0x7ffc77c32222",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004dc"
              },
              {
                "name": "ValueName",
                "value": "Permissions"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Foundation.Collections.ValueSet\\Permissions"
              }
            ],
            "repeated": 0,
            "id": 2882
          },
          {
            "timestamp": "2026-05-28 22:02:14,072",
            "thread_id": "11140",
            "caller": "0x7ffc756e2e92",
            "parentcaller": "0x7ffc77c29cb2",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004dc"
              },
              {
                "name": "ValueName",
                "value": "ActivateOnHostFlags"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Foundation.Collections.ValueSet\\ActivateOnHostFlags"
              }
            ],
            "repeated": 0,
            "id": 2883
          },
          {
            "timestamp": "2026-05-28 22:02:14,072",
            "thread_id": "11140",
            "caller": "0x7ffc77c27226",
            "parentcaller": "0x7ffc77c2ca23",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004dc"
              }
            ],
            "repeated": 0,
            "id": 2884
          },
          {
            "timestamp": "2026-05-28 22:02:14,072",
            "thread_id": "11140",
            "caller": "0x7ffc756e56b2",
            "parentcaller": "0x7ffc77bc6b6d",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\WinTypes.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc71ec0000"
              }
            ],
            "repeated": 0,
            "id": 2885
          },
          {
            "timestamp": "2026-05-28 22:02:14,072",
            "thread_id": "11140",
            "caller": "0x7ffc756e56b2",
            "parentcaller": "0x7ffc77bc6b6d",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x7ffc71ec0000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\System32\\WinTypes.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00002008"
              }
            ],
            "repeated": 0,
            "id": 2886
          },
          {
            "timestamp": "2026-05-28 22:02:14,072",
            "thread_id": "11140",
            "caller": "0x7ffc756eac31",
            "parentcaller": "0x7ffc77bc6acf",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "wintypes.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc71ec0000"
              },
              {
                "name": "FunctionName",
                "value": "DllGetClassObject"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc71ec9590"
              }
            ],
            "repeated": 0,
            "id": 2887
          },
          {
            "timestamp": "2026-05-28 22:02:14,072",
            "thread_id": "11140",
            "caller": "0x7ffc756eac31",
            "parentcaller": "0x7ffc77bc6ae8",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "wintypes.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc71ec0000"
              },
              {
                "name": "FunctionName",
                "value": "DllGetActivationFactory"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc71ec90f0"
              }
            ],
            "repeated": 0,
            "id": 2888
          },
          {
            "timestamp": "2026-05-28 22:02:14,072",
            "thread_id": "11140",
            "caller": "0x7ffc756eac31",
            "parentcaller": "0x7ffc77bc6b08",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "wintypes.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc71ec0000"
              },
              {
                "name": "FunctionName",
                "value": "DllCanUnloadNow"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc71ed47b0"
              }
            ],
            "repeated": 0,
            "id": 2889
          },
          {
            "timestamp": "2026-05-28 22:02:14,072",
            "thread_id": "11140",
            "caller": "0x7ffc78017830",
            "parentcaller": "0x7ffc780020f9",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc71ffd000"
              },
              {
                "name": "ModuleName",
                "value": "wintypes.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 2890
          },
          {
            "timestamp": "2026-05-28 22:02:14,072",
            "thread_id": "11140",
            "caller": "0x7ffc78017881",
            "parentcaller": "0x7ffc780020f9",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc71ffd000"
              },
              {
                "name": "ModuleName",
                "value": "wintypes.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 2891
          },
          {
            "timestamp": "2026-05-28 22:02:14,072",
            "thread_id": "11140",
            "caller": "0x7ffc77c2dd9d",
            "parentcaller": "0x7ffc77bc7428",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000004dc"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020119",
                "pretty_value": "KEY_QUERY_VALUE|KEY_ENUMERATE_SUB_KEYS|KEY_NOTIFY|KEY_WOW64_64KEY|STANDARD_RIGHTS_REQUIRED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000378"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Windows.Storage.Streams.DataWriter"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Storage.Streams.DataWriter"
              }
            ],
            "repeated": 0,
            "id": 2892
          },
          {
            "timestamp": "2026-05-28 22:02:14,072",
            "thread_id": "11140",
            "caller": "0x7ffc77c2ddf7",
            "parentcaller": "0x7ffc77bc7428",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000004dc"
              },
              {
                "name": "KeyInformation",
                "value": "N\\xffc1\\xffec\\xffe6\\xfff8\\xffee\\xffdc\\x01\\x00\\x00\\x00\\x00D\\x00\\x00\\x00W\\x00i\\x00n\\x00d\\x00o\\x00w\\x00s\\x00.\\x00S\\x00t\\x00o\\x00r\\x00a\\x00g\\x00e\\x00.\\x00S\\x00t\\x00r\\x00e\\x00a\\x00m\\x00s\\x00.\\x00D\\x00a\\x00t\\x00a\\x00W\\x00r\\x00i\\x00t\\x00e\\x00r\\x00\\x00\\x00\\x00\\x00\\xff80\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x12\\x00\\x00\\x00\\xfffc\\x7f\\x00\\x00\\x1e\\x00\\x00\\x00\\x00\\x00\\x00\\x00<\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xffb0E\\xffe7w\\xfffc\\x7f\\x00\\x00x\\xffbfHe\\xffa3\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xffc0\\xffe0\\xffff\\xfff8\\xffb8\\x00\\x00\\x00\\xff8c\\xffc2\\xffffw\\xfffc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\xffa3\\x02\\x00\\x00`\\x03Ie\\xffa3\\x02\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xffa3\\x02\\x00\\x00>\\xffa6S+\\xffbd\\xffaa\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x11Fe\\xffa3\\x02\\x00\\x00x\\xffbfHe\\xffa3\\x02\\x00\\x00P\\xffbfHe\\xffa3\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xff87\\xff9d\\xffbbw\\xfffc\\x7f\\x00\\x00`\\x03Ie\\xffa3\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00P\\xffbfHe\\xffa3\\x02\\x00\\x00`\\x03Ie\\xffa3\\x02\\x00\\x00\\x10\\x11Fe\\xffa3\\x02\\x00\\x00\\xffe0\\xff96Je\\xffa3\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xfff6s\\xffbbw\\xfffc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x07\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xff80\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x11Fe\\xffa3\\x02\\x00\\x00P\\x07Ie\\xffa3\\x02\\x00\\x00P\\x07Ie\\xffa3\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00`\\x03Ie\\xffa3\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x0
0\\x00\\x00\\x00\\x00\\x00\\x00\\x00P\\x07Ie\\xffa3\\x02\\x00\\x00\\xff8c\\xffc2\\xffffw\\xfffc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\xffa3\\x02\\x00\\x00`\\x03Ie\\xffa3\\x02\\x00\\x00\\xffe0\\xff96Je\\xffa3\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xffc0\\xffe1\\xffff\\xfff8\\xffb8\\x00\\x00\\x003\\x00\\x00\\x00\\x00\\x00\\x00\\x00@\\x04Ie\\xffa3\\x02\\x00\\x00P\\xffbfHe\\xffa3\\x02\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 2893
          },
          {
            "timestamp": "2026-05-28 22:02:14,072",
            "thread_id": "11140",
            "caller": "0x7ffc756e2e92",
            "parentcaller": "0x7ffc77c29cb2",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004dc"
              },
              {
                "name": "ValueName",
                "value": "ActivationType"
              },
              {
                "name": "Data",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Storage.Streams.DataWriter\\ActivationType"
              }
            ],
            "repeated": 0,
            "id": 2894
          },
          {
            "timestamp": "2026-05-28 22:02:14,072",
            "thread_id": "11140",
            "caller": "0x7ffc77b87deb",
            "parentcaller": "0x7ffc77c38ff0",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004dc"
              },
              {
                "name": "ValueName",
                "value": "Server"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Storage.Streams.DataWriter\\Server"
              }
            ],
            "repeated": 0,
            "id": 2895
          },
          {
            "timestamp": "2026-05-28 22:02:14,072",
            "thread_id": "11140",
            "caller": "0x7ffc77b87deb",
            "parentcaller": "0x7ffc77c400bb",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004dc"
              },
              {
                "name": "ValueName",
                "value": "DllPath"
              },
              {
                "name": "Data",
                "value": "C:\\Windows\\System32\\WinTypes.dll"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Storage.Streams.DataWriter\\DllPath"
              }
            ],
            "repeated": 0,
            "id": 2896
          },
          {
            "timestamp": "2026-05-28 22:02:14,072",
            "thread_id": "11140",
            "caller": "0x7ffc756e2e92",
            "parentcaller": "0x7ffc77c29cb2",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004dc"
              },
              {
                "name": "ValueName",
                "value": "Threading"
              },
              {
                "name": "Data",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Storage.Streams.DataWriter\\Threading"
              }
            ],
            "repeated": 0,
            "id": 2897
          },
          {
            "timestamp": "2026-05-28 22:02:14,072",
            "thread_id": "11140",
            "caller": "0x7ffc756e2e92",
            "parentcaller": "0x7ffc77c29cb2",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004dc"
              },
              {
                "name": "ValueName",
                "value": "TrustLevel"
              },
              {
                "name": "Data",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Storage.Streams.DataWriter\\TrustLevel"
              }
            ],
            "repeated": 0,
            "id": 2898
          },
          {
            "timestamp": "2026-05-28 22:02:14,072",
            "thread_id": "11140",
            "caller": "0x7ffc77b8c0fc",
            "parentcaller": "0x7ffc77c24170",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x000004dc"
              },
              {
                "name": "SubKey",
                "value": "CustomAttributes"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Storage.Streams.DataWriter\\CustomAttributes"
              }
            ],
            "repeated": 0,
            "id": 2899
          },
          {
            "timestamp": "2026-05-28 22:02:14,072",
            "thread_id": "11140",
            "caller": "0x7ffc77b87deb",
            "parentcaller": "0x7ffc77c38ff0",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004dc"
              },
              {
                "name": "ValueName",
                "value": "RemoteServer"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Storage.Streams.DataWriter\\RemoteServer"
              }
            ],
            "repeated": 0,
            "id": 2900
          },
          {
            "timestamp": "2026-05-28 22:02:14,072",
            "thread_id": "11140",
            "caller": "0x7ffc756e2e92",
            "parentcaller": "0x7ffc77c29cb2",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004dc"
              },
              {
                "name": "ValueName",
                "value": "ActivateAsUser"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Storage.Streams.DataWriter\\ActivateAsUser"
              }
            ],
            "repeated": 0,
            "id": 2901
          },
          {
            "timestamp": "2026-05-28 22:02:14,072",
            "thread_id": "11140",
            "caller": "0x7ffc756e2e92",
            "parentcaller": "0x7ffc77c29cb2",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004dc"
              },
              {
                "name": "ValueName",
                "value": "ActivateInSharedBroker"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Storage.Streams.DataWriter\\ActivateInSharedBroker"
              }
            ],
            "repeated": 0,
            "id": 2902
          },
          {
            "timestamp": "2026-05-28 22:02:14,072",
            "thread_id": "11140",
            "caller": "0x7ffc756e2e92",
            "parentcaller": "0x7ffc77c29cb2",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004dc"
              },
              {
                "name": "ValueName",
                "value": "ActivateInBrokerForMediumILContainer"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Storage.Streams.DataWriter\\ActivateInBrokerForMediumILContainer"
              }
            ],
            "repeated": 0,
            "id": 2903
          },
          {
            "timestamp": "2026-05-28 22:02:14,072",
            "thread_id": "11140",
            "caller": "0x7ffc756e2e92",
            "parentcaller": "0x7ffc77c32222",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004dc"
              },
              {
                "name": "ValueName",
                "value": "Permissions"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Storage.Streams.DataWriter\\Permissions"
              }
            ],
            "repeated": 0,
            "id": 2904
          },
          {
            "timestamp": "2026-05-28 22:02:14,072",
            "thread_id": "11140",
            "caller": "0x7ffc756e2e92",
            "parentcaller": "0x7ffc77c29cb2",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004dc"
              },
              {
                "name": "ValueName",
                "value": "ActivateOnHostFlags"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Storage.Streams.DataWriter\\ActivateOnHostFlags"
              }
            ],
            "repeated": 0,
            "id": 2905
          },
          {
            "timestamp": "2026-05-28 22:02:14,072",
            "thread_id": "11140",
            "caller": "0x7ffc77c27226",
            "parentcaller": "0x7ffc77c2ca23",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004dc"
              }
            ],
            "repeated": 0,
            "id": 2906
          },
          {
            "timestamp": "2026-05-28 22:02:14,072",
            "thread_id": "11140",
            "caller": "0x7ffc71ee1f48",
            "parentcaller": "0x7ffc71ee26b1",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "00000323-0000-0000-C000-000000000046"
              },
              {
                "name": "ClsContext",
                "value": "0x00000001",
                "pretty_value": "CLSCTX_INPROC_SERVER"
              },
              {
                "name": "riid",
                "value": "00000146-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 2907
          },
          {
            "timestamp": "2026-05-28 22:02:14,072",
            "thread_id": "11140",
            "caller": "0x7ffc78017830",
            "parentcaller": "0x7ffc780020f9",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc5b76f000"
              },
              {
                "name": "ModuleName",
                "value": "biwinrt.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 2908
          },
          {
            "timestamp": "2026-05-28 22:02:14,072",
            "thread_id": "11140",
            "caller": "0x7ffc78017881",
            "parentcaller": "0x7ffc780020f9",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc5b76f000"
              },
              {
                "name": "ModuleName",
                "value": "biwinrt.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 2909
          },
          {
            "timestamp": "2026-05-28 22:02:14,072",
            "thread_id": "11140",
            "caller": "0x7ffc77c2dd9d",
            "parentcaller": "0x7ffc77bc7428",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000004dc"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020119",
                "pretty_value": "KEY_QUERY_VALUE|KEY_ENUMERATE_SUB_KEYS|KEY_NOTIFY|KEY_WOW64_64KEY|STANDARD_RIGHTS_REQUIRED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000378"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Windows.Storage.Streams.DataReader"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Storage.Streams.DataReader"
              }
            ],
            "repeated": 0,
            "id": 2910
          },
          {
            "timestamp": "2026-05-28 22:02:14,072",
            "thread_id": "11140",
            "caller": "0x7ffc77c2ddf7",
            "parentcaller": "0x7ffc77bc7428",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000004dc"
              },
              {
                "name": "KeyInformation",
                "value": "N\\xffc1\\xffec\\xffe6\\xfff8\\xffee\\xffdc\\x01\\x00\\x00\\x00\\x00D\\x00\\x00\\x00W\\x00i\\x00n\\x00d\\x00o\\x00w\\x00s\\x00.\\x00S\\x00t\\x00o\\x00r\\x00a\\x00g\\x00e\\x00.\\x00S\\x00t\\x00r\\x00e\\x00a\\x00m\\x00s\\x00.\\x00D\\x00a\\x00t\\x00a\\x00R\\x00e\\x00a\\x00d\\x00e\\x00r\\x00\\x00\\x00\\x00\\x00\\xff80\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x16\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xffb0E\\xffe7w\\xfffc\\x7f\\x00\\x00x\\xffb4He\\xffa3\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xff80\\xffdc\\xffff\\xfff8\\xffb8\\x00\\x00\\x00\\xff8c\\xffc2\\xffffw\\xfffc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\xffa3\\x02\\x00\\x00\\xffa0(Fe\\xffa3\\x02\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xffa3\\x02\\x00\\x00~\\xffa2S+\\xffbd\\xffaa\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x11Fe\\xffa3\\x02\\x00\\x00x\\xffb4He\\xffa3\\x02\\x00\\x00P\\xffb4He\\xffa3\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xff87\\xff9d\\xffbbw\\xfffc\\x7f\\x00\\x00\\xffa0(Fe\\xffa3\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00P\\xffb4He\\xffa3\\x02\\x00\\x00\\xffa0(Fe\\xffa3\\x02\\x00\\x00\\x10\\x11Fe\\xffa3\\x02\\x00\\x00\\x00\\xff9aJe\\xffa3\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xfff6s\\xffbbw\\xfffc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x07\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xff80\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x11Fe\\xffa3\\x02\\x00\\x00\\xffd0\nIe\\xffa3\\x02\\x00\\x00\\xffd0\nIe\\xffa3\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xffa0(Fe\\xffa3\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00
\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xffd0\nIe\\xffa3\\x02\\x00\\x00\\xff8c\\xffc2\\xffffw\\xfffc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\xffa3\\x02\\x00\\x00\\xffa0(Fe\\xffa3\\x02\\x00\\x00\\x00\\xff9aJe\\xffa3\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xff80\\xffdd\\xffff\\xfff8\\xffb8\\x00\\x00\\x003\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xff80\tIe\\xffa3\\x02\\x00\\x00P\\xffb4He\\xffa3\\x02\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 2911
          },
          {
            "timestamp": "2026-05-28 22:02:14,072",
            "thread_id": "11140",
            "caller": "0x7ffc756e2e92",
            "parentcaller": "0x7ffc77c29cb2",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004dc"
              },
              {
                "name": "ValueName",
                "value": "ActivationType"
              },
              {
                "name": "Data",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Storage.Streams.DataReader\\ActivationType"
              }
            ],
            "repeated": 0,
            "id": 2912
          },
          {
            "timestamp": "2026-05-28 22:02:14,072",
            "thread_id": "11140",
            "caller": "0x7ffc77b87deb",
            "parentcaller": "0x7ffc77c38ff0",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004dc"
              },
              {
                "name": "ValueName",
                "value": "Server"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Storage.Streams.DataReader\\Server"
              }
            ],
            "repeated": 0,
            "id": 2913
          },
          {
            "timestamp": "2026-05-28 22:02:14,072",
            "thread_id": "11140",
            "caller": "0x7ffc77b87deb",
            "parentcaller": "0x7ffc77c400bb",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004dc"
              },
              {
                "name": "ValueName",
                "value": "DllPath"
              },
              {
                "name": "Data",
                "value": "C:\\Windows\\System32\\WinTypes.dll"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Storage.Streams.DataReader\\DllPath"
              }
            ],
            "repeated": 0,
            "id": 2914
          },
          {
            "timestamp": "2026-05-28 22:02:14,072",
            "thread_id": "11140",
            "caller": "0x7ffc756e2e92",
            "parentcaller": "0x7ffc77c29cb2",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004dc"
              },
              {
                "name": "ValueName",
                "value": "Threading"
              },
              {
                "name": "Data",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Storage.Streams.DataReader\\Threading"
              }
            ],
            "repeated": 0,
            "id": 2915
          },
          {
            "timestamp": "2026-05-28 22:02:14,072",
            "thread_id": "11140",
            "caller": "0x7ffc756e2e92",
            "parentcaller": "0x7ffc77c29cb2",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004dc"
              },
              {
                "name": "ValueName",
                "value": "TrustLevel"
              },
              {
                "name": "Data",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Storage.Streams.DataReader\\TrustLevel"
              }
            ],
            "repeated": 0,
            "id": 2916
          },
          {
            "timestamp": "2026-05-28 22:02:14,072",
            "thread_id": "11140",
            "caller": "0x7ffc77b8c0fc",
            "parentcaller": "0x7ffc77c24170",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x000004dc"
              },
              {
                "name": "SubKey",
                "value": "CustomAttributes"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Storage.Streams.DataReader\\CustomAttributes"
              }
            ],
            "repeated": 0,
            "id": 2917
          },
          {
            "timestamp": "2026-05-28 22:02:14,072",
            "thread_id": "11140",
            "caller": "0x7ffc77b87deb",
            "parentcaller": "0x7ffc77c38ff0",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004dc"
              },
              {
                "name": "ValueName",
                "value": "RemoteServer"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Storage.Streams.DataReader\\RemoteServer"
              }
            ],
            "repeated": 0,
            "id": 2918
          },
          {
            "timestamp": "2026-05-28 22:02:14,072",
            "thread_id": "11140",
            "caller": "0x7ffc756e2e92",
            "parentcaller": "0x7ffc77c29cb2",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004dc"
              },
              {
                "name": "ValueName",
                "value": "ActivateAsUser"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Storage.Streams.DataReader\\ActivateAsUser"
              }
            ],
            "repeated": 0,
            "id": 2919
          },
          {
            "timestamp": "2026-05-28 22:02:14,072",
            "thread_id": "11140",
            "caller": "0x7ffc756e2e92",
            "parentcaller": "0x7ffc77c29cb2",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004dc"
              },
              {
                "name": "ValueName",
                "value": "ActivateInSharedBroker"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Storage.Streams.DataReader\\ActivateInSharedBroker"
              }
            ],
            "repeated": 0,
            "id": 2920
          },
          {
            "timestamp": "2026-05-28 22:02:14,072",
            "thread_id": "11140",
            "caller": "0x7ffc756e2e92",
            "parentcaller": "0x7ffc77c29cb2",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004dc"
              },
              {
                "name": "ValueName",
                "value": "ActivateInBrokerForMediumILContainer"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Storage.Streams.DataReader\\ActivateInBrokerForMediumILContainer"
              }
            ],
            "repeated": 0,
            "id": 2921
          },
          {
            "timestamp": "2026-05-28 22:02:14,072",
            "thread_id": "11140",
            "caller": "0x7ffc756e2e92",
            "parentcaller": "0x7ffc77c32222",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004dc"
              },
              {
                "name": "ValueName",
                "value": "Permissions"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Storage.Streams.DataReader\\Permissions"
              }
            ],
            "repeated": 0,
            "id": 2922
          },
          {
            "timestamp": "2026-05-28 22:02:14,072",
            "thread_id": "11140",
            "caller": "0x7ffc756e2e92",
            "parentcaller": "0x7ffc77c29cb2",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004dc"
              },
              {
                "name": "ValueName",
                "value": "ActivateOnHostFlags"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Storage.Streams.DataReader\\ActivateOnHostFlags"
              }
            ],
            "repeated": 0,
            "id": 2923
          },
          {
            "timestamp": "2026-05-28 22:02:14,072",
            "thread_id": "11140",
            "caller": "0x7ffc77c27226",
            "parentcaller": "0x7ffc77c2ca23",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004dc"
              }
            ],
            "repeated": 0,
            "id": 2924
          },
          {
            "timestamp": "2026-05-28 22:02:14,072",
            "thread_id": "11140",
            "caller": "0x7ffc77c2dd9d",
            "parentcaller": "0x7ffc77bc7428",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000004dc"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020119",
                "pretty_value": "KEY_QUERY_VALUE|KEY_ENUMERATE_SUB_KEYS|KEY_NOTIFY|KEY_WOW64_64KEY|STANDARD_RIGHTS_REQUIRED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000378"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Windows.Foundation.PropertyValue"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Foundation.PropertyValue"
              }
            ],
            "repeated": 0,
            "id": 2925
          },
          {
            "timestamp": "2026-05-28 22:02:14,072",
            "thread_id": "11140",
            "caller": "0x7ffc77c2ddf7",
            "parentcaller": "0x7ffc77bc7428",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000004dc"
              },
              {
                "name": "KeyInformation",
                "value": "\\xff97\\xfffc\\xffe7\\xffe6\\xfff8\\xffee\\xffdc\\x01\\x00\\x00\\x00\\x00@\\x00\\x00\\x00W\\x00i\\x00n\\x00d\\x00o\\x00w\\x00s\\x00.\\x00F\\x00o\\x00u\\x00n\\x00d\\x00a\\x00t\\x00i\\x00o\\x00n\\x00.\\x00P\\x00r\\x00o\\x00p\\x00e\\x00r\\x00t\\x00y\\x00V\\x00a\\x00l\\x00u\\x00e\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xff80\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x1a\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xffb0E\\xffe7w\\xfffc\\x7f\\x00\\x00x\\xffb4He\\xffa3\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xff90\\xffdb\\xffff\\xfff8\\xffb8\\x00\\x00\\x00\\xff8c\\xffc2\\xffffw\\xfffc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\xffa3\\x02\\x00\\x00PsHe\\xffa3\\x02\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xffa3\\x02\\x00\\x00N\\xffa1S+\\xffbd\\xffaa\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xffd0\\x13Fe\\xffa3\\x02\\x00\\x00x\\xffb4He\\xffa3\\x02\\x00\\x00P\\xffb4He\\xffa3\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xff87\\xff9d\\xffbbw\\xfffc\\x7f\\x00\\x00PsHe\\xffa3\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00P\\xffb4He\\xffa3\\x02\\x00\\x00PsHe\\xffa3\\x02\\x00\\x00\\xffd0\\x13Fe\\xffa3\\x02\\x00\\x00\\xffb0\\xff94Je\\xffa3\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xfff6s\\xffbbw\\xfffc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x07\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xff80\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xffd0\\x13Fe\\xffa3\\x02\\x00\\x00\\xff80\tIe\\xffa3\\x02\\x00\\x00\\xff80\tIe\\xffa3\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00PsHe\\xffa3\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\
x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xff80\tIe\\xffa3\\x02\\x00\\x00\\xff8c\\xffc2\\xffffw\\xfffc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\xffa3\\x02\\x00\\x00PsHe\\xffa3\\x02\\x00\\x00\\xffb0\\xff94Je\\xffa3\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xff90\\xffdc\\xffff\\xfff8\\xffb8\\x00\\x00\\x003\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xffe0\rIe\\xffa3\\x02\\x00\\x00P\\xffb4He\\xffa3\\x02\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 2926
          },
          {
            "timestamp": "2026-05-28 22:02:14,072",
            "thread_id": "11140",
            "caller": "0x7ffc756e2e92",
            "parentcaller": "0x7ffc77c29cb2",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004dc"
              },
              {
                "name": "ValueName",
                "value": "ActivationType"
              },
              {
                "name": "Data",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Foundation.PropertyValue\\ActivationType"
              }
            ],
            "repeated": 0,
            "id": 2927
          },
          {
            "timestamp": "2026-05-28 22:02:14,072",
            "thread_id": "11140",
            "caller": "0x7ffc77b87deb",
            "parentcaller": "0x7ffc77c38ff0",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004dc"
              },
              {
                "name": "ValueName",
                "value": "Server"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Foundation.PropertyValue\\Server"
              }
            ],
            "repeated": 0,
            "id": 2928
          },
          {
            "timestamp": "2026-05-28 22:02:14,072",
            "thread_id": "11140",
            "caller": "0x7ffc77b87deb",
            "parentcaller": "0x7ffc77c400bb",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004dc"
              },
              {
                "name": "ValueName",
                "value": "DllPath"
              },
              {
                "name": "Data",
                "value": "C:\\Windows\\System32\\WinTypes.dll"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Foundation.PropertyValue\\DllPath"
              }
            ],
            "repeated": 0,
            "id": 2929
          },
          {
            "timestamp": "2026-05-28 22:02:14,072",
            "thread_id": "11140",
            "caller": "0x7ffc756e2e92",
            "parentcaller": "0x7ffc77c29cb2",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004dc"
              },
              {
                "name": "ValueName",
                "value": "Threading"
              },
              {
                "name": "Data",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Foundation.PropertyValue\\Threading"
              }
            ],
            "repeated": 0,
            "id": 2930
          },
          {
            "timestamp": "2026-05-28 22:02:14,072",
            "thread_id": "11140",
            "caller": "0x7ffc756e2e92",
            "parentcaller": "0x7ffc77c29cb2",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004dc"
              },
              {
                "name": "ValueName",
                "value": "TrustLevel"
              },
              {
                "name": "Data",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Foundation.PropertyValue\\TrustLevel"
              }
            ],
            "repeated": 0,
            "id": 2931
          },
          {
            "timestamp": "2026-05-28 22:02:14,072",
            "thread_id": "11140",
            "caller": "0x7ffc77b8c0fc",
            "parentcaller": "0x7ffc77c24170",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x000004dc"
              },
              {
                "name": "SubKey",
                "value": "CustomAttributes"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Foundation.PropertyValue\\CustomAttributes"
              }
            ],
            "repeated": 0,
            "id": 2932
          },
          {
            "timestamp": "2026-05-28 22:02:14,072",
            "thread_id": "11140",
            "caller": "0x7ffc77b87deb",
            "parentcaller": "0x7ffc77c38ff0",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004dc"
              },
              {
                "name": "ValueName",
                "value": "RemoteServer"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Foundation.PropertyValue\\RemoteServer"
              }
            ],
            "repeated": 0,
            "id": 2933
          },
          {
            "timestamp": "2026-05-28 22:02:14,072",
            "thread_id": "11140",
            "caller": "0x7ffc756e2e92",
            "parentcaller": "0x7ffc77c29cb2",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004dc"
              },
              {
                "name": "ValueName",
                "value": "ActivateAsUser"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Foundation.PropertyValue\\ActivateAsUser"
              }
            ],
            "repeated": 0,
            "id": 2934
          },
          {
            "timestamp": "2026-05-28 22:02:14,072",
            "thread_id": "11140",
            "caller": "0x7ffc756e2e92",
            "parentcaller": "0x7ffc77c29cb2",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004dc"
              },
              {
                "name": "ValueName",
                "value": "ActivateInSharedBroker"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Foundation.PropertyValue\\ActivateInSharedBroker"
              }
            ],
            "repeated": 0,
            "id": 2935
          },
          {
            "timestamp": "2026-05-28 22:02:14,072",
            "thread_id": "11140",
            "caller": "0x7ffc756e2e92",
            "parentcaller": "0x7ffc77c29cb2",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004dc"
              },
              {
                "name": "ValueName",
                "value": "ActivateInBrokerForMediumILContainer"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Foundation.PropertyValue\\ActivateInBrokerForMediumILContainer"
              }
            ],
            "repeated": 0,
            "id": 2936
          },
          {
            "timestamp": "2026-05-28 22:02:14,072",
            "thread_id": "11140",
            "caller": "0x7ffc756e2e92",
            "parentcaller": "0x7ffc77c32222",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004dc"
              },
              {
                "name": "ValueName",
                "value": "Permissions"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Foundation.PropertyValue\\Permissions"
              }
            ],
            "repeated": 0,
            "id": 2937
          },
          {
            "timestamp": "2026-05-28 22:02:14,072",
            "thread_id": "11140",
            "caller": "0x7ffc756e2e92",
            "parentcaller": "0x7ffc77c29cb2",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004dc"
              },
              {
                "name": "ValueName",
                "value": "ActivateOnHostFlags"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Foundation.PropertyValue\\ActivateOnHostFlags"
              }
            ],
            "repeated": 0,
            "id": 2938
          },
          {
            "timestamp": "2026-05-28 22:02:14,072",
            "thread_id": "11140",
            "caller": "0x7ffc77c27226",
            "parentcaller": "0x7ffc77c2ca23",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004dc"
              }
            ],
            "repeated": 0,
            "id": 2939
          },
          {
            "timestamp": "2026-05-28 22:02:14,072",
            "thread_id": "11140",
            "caller": "0x7ffc77ff2caa",
            "parentcaller": "0x7ffc77ff2fbd",
            "category": "process",
            "api": "NtAllocateVirtualMemoryEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2a36550a000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 2940
          },
          {
            "timestamp": "2026-05-28 22:02:14,072",
            "thread_id": "11140",
            "caller": "0x7ffc756e6785",
            "parentcaller": "0x7ffc77c12ec5",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004dc"
              }
            ],
            "repeated": 2,
            "id": 2941
          },
          {
            "timestamp": "2026-05-28 22:02:14,072",
            "thread_id": "11140",
            "caller": "0x7ffc77ba22bf",
            "parentcaller": "0x7ffc77c1fbe4",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x000003c6"
              },
              {
                "name": "SubKey",
                "value": "Interface\\{2C08602F-40B1-5E97-AE21-5C04D7FB829C}"
              },
              {
                "name": "Handle",
                "value": "0x000004de"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\Interface\\{2C08602F-40B1-5E97-AE21-5C04D7FB829C}"
              }
            ],
            "repeated": 0,
            "id": 2942
          },
          {
            "timestamp": "2026-05-28 22:02:14,072",
            "thread_id": "11140",
            "caller": "0x7ffc77c1fa51",
            "parentcaller": "0x7ffc77be42ab",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x000004de"
              },
              {
                "name": "SubKey",
                "value": "ProxyStubClsid32"
              },
              {
                "name": "Handle",
                "value": "0x00000502"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{2C08602F-40B1-5E97-AE21-5C04D7FB829C}\\ProxyStubClsid32"
              }
            ],
            "repeated": 0,
            "id": 2943
          },
          {
            "timestamp": "2026-05-28 22:02:14,072",
            "thread_id": "11140",
            "caller": "0x7ffc77c1fa8c",
            "parentcaller": "0x7ffc77be42ab",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000502"
              },
              {
                "name": "ValueName",
                "value": ""
              },
              {
                "name": "Data",
                "value": "{95E15D0A-66E6-93D9-C53C-76E6219D3341}"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{2C08602F-40B1-5E97-AE21-5C04D7FB829C}\\ProxyStubClsid32\\(Default)"
              }
            ],
            "repeated": 0,
            "id": 2944
          },
          {
            "timestamp": "2026-05-28 22:02:14,072",
            "thread_id": "11140",
            "caller": "0x7ffc77c1fad3",
            "parentcaller": "0x7ffc77be42ab",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000502"
              }
            ],
            "repeated": 0,
            "id": 2945
          },
          {
            "timestamp": "2026-05-28 22:02:14,072",
            "thread_id": "11140",
            "caller": "0x7ffc77c1fae4",
            "parentcaller": "0x7ffc77be42ab",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004de"
              }
            ],
            "repeated": 0,
            "id": 2946
          },
          {
            "timestamp": "2026-05-28 22:02:14,072",
            "thread_id": "11140",
            "caller": "0x7ffc756d30ce",
            "parentcaller": "0x7ffc77c22cd1",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 2947
          },
          {
            "timestamp": "2026-05-28 22:02:14,072",
            "thread_id": "11140",
            "caller": "0x7ffc756d30ce",
            "parentcaller": "0x7ffc77c22cd1",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000037c"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 2948
          },
          {
            "timestamp": "2026-05-28 22:02:14,072",
            "thread_id": "11140",
            "caller": "0x7ffc78013f7a",
            "parentcaller": "0x7ffc770b0ed7",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "29"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 2949
          },
          {
            "timestamp": "2026-05-28 22:02:14,072",
            "thread_id": "11140",
            "caller": "0x7ffc770b0cd1",
            "parentcaller": "0x7ffc770af28f",
            "category": "filesystem",
            "api": "NtOpenDirectoryObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "DirectoryHandle",
                "value": "0x000004dc"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020001",
                "pretty_value": "FILE_READ_ACCESS|READ_CONTROL"
              },
              {
                "name": "ObjectAttributes",
                "value": "C:\\RPC Control"
              }
            ],
            "repeated": 0,
            "id": 2950
          },
          {
            "timestamp": "2026-05-28 22:02:14,072",
            "thread_id": "11140",
            "caller": "0x7ffc7572026b",
            "parentcaller": "0x7ffc770b0daf",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x00000500"
              }
            ],
            "repeated": 0,
            "id": 2951
          },
          {
            "timestamp": "2026-05-28 22:02:14,072",
            "thread_id": "11140",
            "caller": "0x7ffc78008cde",
            "parentcaller": "0x7ffc78049c4e",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "10"
              },
              {
                "name": "TokenInformation",
                "value": "H\\xc5\n\\x00\\x00\\x00\\x00\\x00]Y\\x02\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x7f\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x94\\x0f\\x00\\x00\\x0e\\x00\\x00\\x00\\x18\\x00\\x00\\x00\t\\xc5\n\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 2952
          },
          {
            "timestamp": "2026-05-28 22:02:14,072",
            "thread_id": "11140",
            "caller": "0x7ffc78036e46",
            "parentcaller": "0x7ffc78008d8f",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "4"
              },
              {
                "name": "TokenInformation",
                "value": "X\\x95Je\\xa3\\x02\\x00\\x00\\x01\\x02\\x00\\x00\\x00\\x00\\x00\\x05 \\x00\\x00\\x00 \\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 2953
          },
          {
            "timestamp": "2026-05-28 22:02:14,072",
            "thread_id": "11140",
            "caller": "0x7ffc78036e9b",
            "parentcaller": "0x7ffc78008d8f",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "25"
              },
              {
                "name": "TokenInformation",
                "value": " }He\\xa3\\x02\\x00\\x00`\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x10\\x000\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x04\\x00\\\\x00R\\x00E\\x00G\\x00I\\x00S\\x00T\\x00R\\x00Y\\x00\\\\x00"
              }
            ],
            "repeated": 0,
            "id": 2954
          },
          {
            "timestamp": "2026-05-28 22:02:14,072",
            "thread_id": "11140",
            "caller": "0x7ffc78036ec0",
            "parentcaller": "0x7ffc78008d8f",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "5"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 2955
          },
          {
            "timestamp": "2026-05-28 22:02:14,072",
            "thread_id": "11140",
            "caller": "0x7ffc78036f0e",
            "parentcaller": "0x7ffc78008d8f",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "5"
              },
              {
                "name": "TokenInformation",
                "value": "xgHe\\xa3\\x02\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\x01\\x02\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 2956
          },
          {
            "timestamp": "2026-05-28 22:02:14,072",
            "thread_id": "11140",
            "caller": "0x7ffc78036f37",
            "parentcaller": "0x7ffc78008d8f",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "6"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 2957
          },
          {
            "timestamp": "2026-05-28 22:02:14,072",
            "thread_id": "11140",
            "caller": "0x7ffc78036f8f",
            "parentcaller": "0x7ffc78008d8f",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "6"
              },
              {
                "name": "TokenInformation",
                "value": "\\xd8}He\\xa3\\x02\\x00\\x00\\x02\\x00P\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x18\\x00\\x00\\x00\\x00\\x10\\x01\\x02\\x00\\x00\\x00\\x00\\x00\\x05 \\x00\\x00\\x00 \\x02\\x00\\x00\\x00\\x00\\x14\\x00\\x00\\x00\\x00\\x10\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x05\\x12\\x00\\x00\\x00\\x00\\x00\\x1c\\x00\\x00\\x00\\x00\\xa0\\x01\\x03\\x00\\x00\\x00\\x00\\x00\\x05\\x05\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xc7X\\x02\\x00"
              }
            ],
            "repeated": 0,
            "id": 2958
          },
          {
            "timestamp": "2026-05-28 22:02:14,072",
            "thread_id": "11140",
            "caller": "0x7ffc78037048",
            "parentcaller": "0x7ffc78036fa8",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "41"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00X@\\xdd3\\xfc\\x7f\\x00\\x00\\xebP\\xb53\\xfc\\x7f\\x00\\x00\\xc8\\x93\\xd9\\xfb\\x02;\\x00\\x00(N\\xd93\\xfc\\x7f\\x00\\x00\\xb0\\xd5\\xff\\xf8\\xb8\\x00\\x00\\x00\\xa8\\xd5\\xff\\xf8\\xb8\\x00\\x00\\x00x\\xd5\\xff\\xf8\\xb8\\x00\\x00\\x00\\x98\\xd5\\xff\\xf8"
              }
            ],
            "repeated": 0,
            "id": 2959
          },
          {
            "timestamp": "2026-05-28 22:02:14,072",
            "thread_id": "11140",
            "caller": "0x7ffc7803707b",
            "parentcaller": "0x7ffc78036fa8",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "41"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xd0}He\\xa3\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xd9\\xd8\\xb63\\xfc\\x7f\\x00\\x00#\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x98\\xd3\\xff\\xf8\\xb8\\x00\\x00\\x00\\x00\\x05\\x00\\x00\\x00\\x00\\x00\\x00\\x9a\\x00\\x1f8\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x86\\xa2\\xd93"
              }
            ],
            "repeated": 0,
            "id": 2960
          },
          {
            "timestamp": "2026-05-28 22:02:14,072",
            "thread_id": "11140",
            "caller": "0x7ffc78008cde",
            "parentcaller": "0x7ffc7800953a",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "10"
              },
              {
                "name": "TokenInformation",
                "value": "H\\xc5\n\\x00\\x00\\x00\\x00\\x00]Y\\x02\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x7f\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x94\\x0f\\x00\\x00\\x0e\\x00\\x00\\x00\\x18\\x00\\x00\\x00\t\\xc5\n\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 2961
          },
          {
            "timestamp": "2026-05-28 22:02:14,072",
            "thread_id": "11140",
            "caller": "0x7ffc78036e46",
            "parentcaller": "0x7ffc78008d8f",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "4"
              },
              {
                "name": "TokenInformation",
                "value": "\\x88\\x97Je\\xa3\\x02\\x00\\x00\\x01\\x02\\x00\\x00\\x00\\x00\\x00\\x05 \\x00\\x00\\x00 \\x02\\x00\\x00\\xb0\\x01\\x00\\x02\\x00\\x00\\x00\\x13\\x00\r\\x04]\\x88\\x8a\\xeb\\x1c\\xc9\\x11\\x9f\\xe8\\x08\\x00+\\x10H`\\x02\\x00\\x02\\x00\\x00\\x00\\x01\\x00\\x0c\\x02\\x00\\x00\\x00\\x01\\x00\\x10\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 2962
          },
          {
            "timestamp": "2026-05-28 22:02:14,072",
            "thread_id": "11140",
            "caller": "0x7ffc78036e9b",
            "parentcaller": "0x7ffc78008d8f",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "25"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x7fHe\\xa3\\x02\\x00\\x00`\\x00\\x00\\x000\\x002\\x00\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x10\\x000\\x00\\x008\\x004\\x007\\x009\\x007\\x007\\x006\\x000\\x008\\x00-\\x001\\x000\\x000\\x001\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 2963
          },
          {
            "timestamp": "2026-05-28 22:02:14,072",
            "thread_id": "11140",
            "caller": "0x7ffc78036ec0",
            "parentcaller": "0x7ffc78008d8f",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "5"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 2964
          },
          {
            "timestamp": "2026-05-28 22:02:14,072",
            "thread_id": "11140",
            "caller": "0x7ffc78036f0e",
            "parentcaller": "0x7ffc78008d8f",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "5"
              },
              {
                "name": "TokenInformation",
                "value": "XfHe\\xa3\\x02\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\x01\\x02\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 2965
          },
          {
            "timestamp": "2026-05-28 22:02:14,072",
            "thread_id": "11140",
            "caller": "0x7ffc78036f37",
            "parentcaller": "0x7ffc78008d8f",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "6"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 2966
          },
          {
            "timestamp": "2026-05-28 22:02:14,072",
            "thread_id": "11140",
            "caller": "0x7ffc78036f8f",
            "parentcaller": "0x7ffc78008d8f",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "6"
              },
              {
                "name": "TokenInformation",
                "value": "x}He\\xa3\\x02\\x00\\x00\\x02\\x00P\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x18\\x00\\x00\\x00\\x00\\x10\\x01\\x02\\x00\\x00\\x00\\x00\\x00\\x05 \\x00\\x00\\x00 \\x02\\x00\\x00\\x00\\x00\\x14\\x00\\x00\\x00\\x00\\x10\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x05\\x12\\x00\\x00\\x00\\x00\\x00\\x1c\\x00\\x00\\x00\\x00\\xa0\\x01\\x03\\x00\\x00\\x00\\x00\\x00\\x05\\x05\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xc7X\\x02\\x00"
              }
            ],
            "repeated": 0,
            "id": 2967
          },
          {
            "timestamp": "2026-05-28 22:02:14,072",
            "thread_id": "11140",
            "caller": "0x7ffc78037048",
            "parentcaller": "0x7ffc78036fa8",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "41"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00X@\\xdd3\\xfc\\x7f\\x00\\x00\\xebP\\xb53\\xfc\\x7f\\x00\\x00h\\x97\\xd9\\xfb\\x02;\\x00\\x00(N\\xd93\\xfc\\x7f\\x00\\x00\\x10\\xd2\\xff\\xf8\\xb8\\x00\\x00\\x00\\x08\\xd2\\xff\\xf8\\xb8\\x00\\x00\\x00\\xd8\\xd1\\xff\\xf8\\xb8\\x00\\x00\\x00\\xf8\\xd1\\xff\\xf8"
              }
            ],
            "repeated": 0,
            "id": 2968
          },
          {
            "timestamp": "2026-05-28 22:02:14,072",
            "thread_id": "11140",
            "caller": "0x7ffc7803707b",
            "parentcaller": "0x7ffc78036fa8",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "41"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00p}He\\xa3\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xd9\\xd8\\xb63\\xfc\\x7f\\x00\\x00#\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\xf8\\xcf\\xff\\xf8\\xb8\\x00\\x00\\x00\\x00\\x05\\x00\\x00\\x00\\x00\\x00\\x00\\x9a\\x00\\x1f8\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x86\\xa2\\xd93"
              }
            ],
            "repeated": 0,
            "id": 2969
          },
          {
            "timestamp": "2026-05-28 22:02:14,072",
            "thread_id": "11140",
            "caller": "0x7ffc756e6785",
            "parentcaller": "0x7ffc770b0e27",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004dc"
              }
            ],
            "repeated": 0,
            "id": 2970
          },
          {
            "timestamp": "2026-05-28 22:02:14,072",
            "thread_id": "11140",
            "caller": "0x7ffc756e6785",
            "parentcaller": "0x7ffc770b0e49",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000500"
              }
            ],
            "repeated": 2,
            "id": 2971
          },
          {
            "timestamp": "2026-05-28 22:02:14,072",
            "thread_id": "11140",
            "caller": "0x7ffc77ba22bf",
            "parentcaller": "0x7ffc77c1fbe4",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x000003c6"
              },
              {
                "name": "SubKey",
                "value": "Interface\\{62AE0FDA-B238-554F-A275-1DC16D6CA03A}"
              },
              {
                "name": "Handle",
                "value": "0x00000502"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\Interface\\{62AE0FDA-B238-554F-A275-1DC16D6CA03A}"
              }
            ],
            "repeated": 0,
            "id": 2972
          },
          {
            "timestamp": "2026-05-28 22:02:14,072",
            "thread_id": "11140",
            "caller": "0x7ffc77c1fa51",
            "parentcaller": "0x7ffc77be42ab",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000502"
              },
              {
                "name": "SubKey",
                "value": "ProxyStubClsid32"
              },
              {
                "name": "Handle",
                "value": "0x000004de"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{62AE0FDA-B238-554F-A275-1DC16D6CA03A}\\ProxyStubClsid32"
              }
            ],
            "repeated": 0,
            "id": 2973
          },
          {
            "timestamp": "2026-05-28 22:02:14,072",
            "thread_id": "11140",
            "caller": "0x7ffc77c1fa8c",
            "parentcaller": "0x7ffc77be42ab",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004de"
              },
              {
                "name": "ValueName",
                "value": ""
              },
              {
                "name": "Data",
                "value": "{95E15D0A-66E6-93D9-C53C-76E6219D3341}"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{62AE0FDA-B238-554F-A275-1DC16D6CA03A}\\ProxyStubClsid32\\(Default)"
              }
            ],
            "repeated": 0,
            "id": 2974
          },
          {
            "timestamp": "2026-05-28 22:02:14,072",
            "thread_id": "11140",
            "caller": "0x7ffc77c1fad3",
            "parentcaller": "0x7ffc77be42ab",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004de"
              }
            ],
            "repeated": 0,
            "id": 2975
          },
          {
            "timestamp": "2026-05-28 22:02:14,072",
            "thread_id": "11140",
            "caller": "0x7ffc77c1fae4",
            "parentcaller": "0x7ffc77be42ab",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000502"
              }
            ],
            "repeated": 0,
            "id": 2976
          },
          {
            "timestamp": "2026-05-28 22:02:14,072",
            "thread_id": "11140",
            "caller": "0x7ffc756d30ce",
            "parentcaller": "0x7ffc77c22cd1",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 2977
          },
          {
            "timestamp": "2026-05-28 22:02:14,072",
            "thread_id": "11140",
            "caller": "0x7ffc756d30ce",
            "parentcaller": "0x7ffc77c22cd1",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000037c"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 2978
          },
          {
            "timestamp": "2026-05-28 22:02:14,072",
            "thread_id": "11140",
            "caller": "0x7ffc78013f7a",
            "parentcaller": "0x7ffc770b0ed7",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "29"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 2979
          },
          {
            "timestamp": "2026-05-28 22:02:14,072",
            "thread_id": "11140",
            "caller": "0x7ffc770b0cd1",
            "parentcaller": "0x7ffc770af28f",
            "category": "filesystem",
            "api": "NtOpenDirectoryObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "DirectoryHandle",
                "value": "0x00000500"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020001",
                "pretty_value": "FILE_READ_ACCESS|READ_CONTROL"
              },
              {
                "name": "ObjectAttributes",
                "value": "C:\\RPC Control"
              }
            ],
            "repeated": 0,
            "id": 2980
          },
          {
            "timestamp": "2026-05-28 22:02:14,072",
            "thread_id": "11140",
            "caller": "0x7ffc7572026b",
            "parentcaller": "0x7ffc770b0daf",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x000004dc"
              }
            ],
            "repeated": 0,
            "id": 2981
          },
          {
            "timestamp": "2026-05-28 22:02:14,072",
            "thread_id": "11140",
            "caller": "0x7ffc78008cde",
            "parentcaller": "0x7ffc78049c4e",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "10"
              },
              {
                "name": "TokenInformation",
                "value": "H\\xc5\n\\x00\\x00\\x00\\x00\\x00]Y\\x02\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x7f\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x94\\x0f\\x00\\x00\\x0e\\x00\\x00\\x00\\x18\\x00\\x00\\x00\t\\xc5\n\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 2982
          },
          {
            "timestamp": "2026-05-28 22:02:14,072",
            "thread_id": "11140",
            "caller": "0x7ffc78036e46",
            "parentcaller": "0x7ffc78008d8f",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "4"
              },
              {
                "name": "TokenInformation",
                "value": "\\x88\\x92Je\\xa3\\x02\\x00\\x00\\x01\\x02\\x00\\x00\\x00\\x00\\x00\\x05 \\x00\\x00\\x00 \\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 2983
          },
          {
            "timestamp": "2026-05-28 22:02:14,072",
            "thread_id": "11140",
            "caller": "0x7ffc78036e9b",
            "parentcaller": "0x7ffc78008d8f",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "25"
              },
              {
                "name": "TokenInformation",
                "value": "`yHe\\xa3\\x02\\x00\\x00`\\x00\\x00\\x00\\x85\\x95\n\\xa8\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x10\\x000\\x00\\x00\\xeb\\x1c\\xc9\\x11\\x9f\\xe8\\x08\\x00+\\x10H`\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 2984
          },
          {
            "timestamp": "2026-05-28 22:02:14,072",
            "thread_id": "11140",
            "caller": "0x7ffc78036ec0",
            "parentcaller": "0x7ffc78008d8f",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "5"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 2985
          },
          {
            "timestamp": "2026-05-28 22:02:14,072",
            "thread_id": "11140",
            "caller": "0x7ffc78036f0e",
            "parentcaller": "0x7ffc78008d8f",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "5"
              },
              {
                "name": "TokenInformation",
                "value": "XiHe\\xa3\\x02\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\x01\\x02\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 2986
          },
          {
            "timestamp": "2026-05-28 22:02:14,072",
            "thread_id": "11140",
            "caller": "0x7ffc78036f37",
            "parentcaller": "0x7ffc78008d8f",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "6"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 2987
          },
          {
            "timestamp": "2026-05-28 22:02:14,072",
            "thread_id": "11140",
            "caller": "0x7ffc78036f8f",
            "parentcaller": "0x7ffc78008d8f",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "6"
              },
              {
                "name": "TokenInformation",
                "value": "\\xb8|He\\xa3\\x02\\x00\\x00\\x02\\x00P\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x18\\x00\\x00\\x00\\x00\\x10\\x01\\x02\\x00\\x00\\x00\\x00\\x00\\x05 \\x00\\x00\\x00 \\x02\\x00\\x00\\x00\\x00\\x14\\x00\\x00\\x00\\x00\\x10\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x05\\x12\\x00\\x00\\x00\\x00\\x00\\x1c\\x00\\x00\\x00\\x00\\xa0\\x01\\x03\\x00\\x00\\x00\\x00\\x00\\x05\\x05\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xc7X\\x02\\x00"
              }
            ],
            "repeated": 0,
            "id": 2988
          },
          {
            "timestamp": "2026-05-28 22:02:14,072",
            "thread_id": "11140",
            "caller": "0x7ffc78037048",
            "parentcaller": "0x7ffc78036fa8",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "41"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00X@\\xdd3\\xfc\\x7f\\x00\\x00\\xebP\\xb53\\xfc\\x7f\\x00\\x00\\x08\\x88\\xd9\\xfb\\x02;\\x00\\x00(N\\xd93\\xfc\\x7f\\x00\\x00p\\xdf\\xff\\xf8\\xb8\\x00\\x00\\x00h\\xdf\\xff\\xf8\\xb8\\x00\\x00\\x008\\xdf\\xff\\xf8\\xb8\\x00\\x00\\x00X\\xdf\\xff\\xf8"
              }
            ],
            "repeated": 0,
            "id": 2989
          },
          {
            "timestamp": "2026-05-28 22:02:14,072",
            "thread_id": "11140",
            "caller": "0x7ffc7803707b",
            "parentcaller": "0x7ffc78036fa8",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "41"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb0|He\\xa3\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xd9\\xd8\\xb63\\xfc\\x7f\\x00\\x00#\\x00\\x00\\xc0\\x00\\x00\\x00\\x00X\\xdd\\xff\\xf8\\xb8\\x00\\x00\\x00\\xdc\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x9a\\x00\\x1f8\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x86\\xa2\\xd93"
              }
            ],
            "repeated": 0,
            "id": 2990
          },
          {
            "timestamp": "2026-05-28 22:02:14,072",
            "thread_id": "11140",
            "caller": "0x7ffc78008cde",
            "parentcaller": "0x7ffc7800953a",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "10"
              },
              {
                "name": "TokenInformation",
                "value": "H\\xc5\n\\x00\\x00\\x00\\x00\\x00]Y\\x02\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x7f\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x94\\x0f\\x00\\x00\\x0e\\x00\\x00\\x00\\x18\\x00\\x00\\x00\t\\xc5\n\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 2991
          },
          {
            "timestamp": "2026-05-28 22:02:14,072",
            "thread_id": "11140",
            "caller": "0x7ffc78036e46",
            "parentcaller": "0x7ffc78008d8f",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "4"
              },
              {
                "name": "TokenInformation",
                "value": "\\xd8\\x92Je\\xa3\\x02\\x00\\x00\\x01\\x02\\x00\\x00\\x00\\x00\\x00\\x05 \\x00\\x00\\x00 \\x02\\x00\\x00\\xc0\\xa3\\xdaw\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 2992
          },
          {
            "timestamp": "2026-05-28 22:02:14,072",
            "thread_id": "11140",
            "caller": "0x7ffc78036e9b",
            "parentcaller": "0x7ffc78008d8f",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "25"
              },
              {
                "name": "TokenInformation",
                "value": "\\xe0}He\\xa3\\x02\\x00\\x00`\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x10\\x000\\x00\\x00\\x00\\x00\\x00\\x05 \\x00\\x00\\x00 \\x02\\x00\\x00\\x00\\x00\\x14\\x00\\x00\\x00\\x00\\x10\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x05\\x12\\x00\\x00\\x00\\x00\\x00\\x1c\\x00\\x00\\x00\\x00\\xa0\\x01\\x03\\x00\\x00\\x00\\x00\\x00\\x05\\x05\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 2993
          },
          {
            "timestamp": "2026-05-28 22:02:14,072",
            "thread_id": "11140",
            "caller": "0x7ffc78036ec0",
            "parentcaller": "0x7ffc78008d8f",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "5"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 2994
          },
          {
            "timestamp": "2026-05-28 22:02:14,072",
            "thread_id": "11140",
            "caller": "0x7ffc78036f0e",
            "parentcaller": "0x7ffc78008d8f",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "5"
              },
              {
                "name": "TokenInformation",
                "value": "\\xe8iHe\\xa3\\x02\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\x01\\x02\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 2995
          },
          {
            "timestamp": "2026-05-28 22:02:14,072",
            "thread_id": "11140",
            "caller": "0x7ffc78036f37",
            "parentcaller": "0x7ffc78008d8f",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "6"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 2996
          },
          {
            "timestamp": "2026-05-28 22:02:14,072",
            "thread_id": "11140",
            "caller": "0x7ffc78036f8f",
            "parentcaller": "0x7ffc78008d8f",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "6"
              },
              {
                "name": "TokenInformation",
                "value": "\\x18}He\\xa3\\x02\\x00\\x00\\x02\\x00P\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x18\\x00\\x00\\x00\\x00\\x10\\x01\\x02\\x00\\x00\\x00\\x00\\x00\\x05 \\x00\\x00\\x00 \\x02\\x00\\x00\\x00\\x00\\x14\\x00\\x00\\x00\\x00\\x10\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x05\\x12\\x00\\x00\\x00\\x00\\x00\\x1c\\x00\\x00\\x00\\x00\\xa0\\x01\\x03\\x00\\x00\\x00\\x00\\x00\\x05\\x05\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xc7X\\x02\\x00"
              }
            ],
            "repeated": 0,
            "id": 2997
          },
          {
            "timestamp": "2026-05-28 22:02:14,072",
            "thread_id": "11140",
            "caller": "0x7ffc78037048",
            "parentcaller": "0x7ffc78036fa8",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "41"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00X@\\xdd3\\xfc\\x7f\\x00\\x00\\xebP\\xb53\\xfc\\x7f\\x00\\x00\\xa8\\x8d\\xd9\\xfb\\x02;\\x00\\x00(N\\xd93\\xfc\\x7f\\x00\\x00\\xd0\\xdb\\xff\\xf8\\xb8\\x00\\x00\\x00\\xc8\\xdb\\xff\\xf8\\xb8\\x00\\x00\\x00\\x98\\xdb\\xff\\xf8\\xb8\\x00\\x00\\x00\\xb8\\xdb\\xff\\xf8"
              }
            ],
            "repeated": 0,
            "id": 2998
          },
          {
            "timestamp": "2026-05-28 22:02:14,072",
            "thread_id": "11140",
            "caller": "0x7ffc7803707b",
            "parentcaller": "0x7ffc78036fa8",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "41"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10}He\\xa3\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xd9\\xd8\\xb63\\xfc\\x7f\\x00\\x00#\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\xb8\\xd9\\xff\\xf8\\xb8\\x00\\x00\\x00\\xdc\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x9a\\x00\\x1f8\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x86\\xa2\\xd93"
              }
            ],
            "repeated": 0,
            "id": 2999
          },
          {
            "timestamp": "2026-05-28 22:02:14,072",
            "thread_id": "11140",
            "caller": "0x7ffc756e6785",
            "parentcaller": "0x7ffc770b0e27",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000500"
              }
            ],
            "repeated": 0,
            "id": 3000
          },
          {
            "timestamp": "2026-05-28 22:02:14,072",
            "thread_id": "11140",
            "caller": "0x7ffc756e6785",
            "parentcaller": "0x7ffc770b0e49",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004dc"
              }
            ],
            "repeated": 1,
            "id": 3001
          },
          {
            "timestamp": "2026-05-28 22:02:14,072",
            "thread_id": "11140",
            "caller": "0x7ffc77ba22bf",
            "parentcaller": "0x7ffc77c1fbe4",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x000003c6"
              },
              {
                "name": "SubKey",
                "value": "Interface\\{8445D2AE-DD03-5B98-95E4-82B43A3F0D64}"
              },
              {
                "name": "Handle",
                "value": "0x000004de"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\Interface\\{8445D2AE-DD03-5B98-95E4-82B43A3F0D64}"
              }
            ],
            "repeated": 0,
            "id": 3002
          },
          {
            "timestamp": "2026-05-28 22:02:14,072",
            "thread_id": "11140",
            "caller": "0x7ffc77c1fa51",
            "parentcaller": "0x7ffc77be42ab",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x000004de"
              },
              {
                "name": "SubKey",
                "value": "ProxyStubClsid32"
              },
              {
                "name": "Handle",
                "value": "0x00000502"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{8445D2AE-DD03-5B98-95E4-82B43A3F0D64}\\ProxyStubClsid32"
              }
            ],
            "repeated": 0,
            "id": 3003
          },
          {
            "timestamp": "2026-05-28 22:02:14,072",
            "thread_id": "11140",
            "caller": "0x7ffc77c1fa8c",
            "parentcaller": "0x7ffc77be42ab",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000502"
              },
              {
                "name": "ValueName",
                "value": ""
              },
              {
                "name": "Data",
                "value": "{95E15D0A-66E6-93D9-C53C-76E6219D3341}"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{8445D2AE-DD03-5B98-95E4-82B43A3F0D64}\\ProxyStubClsid32\\(Default)"
              }
            ],
            "repeated": 0,
            "id": 3004
          },
          {
            "timestamp": "2026-05-28 22:02:14,072",
            "thread_id": "11140",
            "caller": "0x7ffc77c1fad3",
            "parentcaller": "0x7ffc77be42ab",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000502"
              }
            ],
            "repeated": 0,
            "id": 3005
          },
          {
            "timestamp": "2026-05-28 22:02:14,072",
            "thread_id": "11140",
            "caller": "0x7ffc77c1fae4",
            "parentcaller": "0x7ffc77be42ab",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004de"
              }
            ],
            "repeated": 0,
            "id": 3006
          },
          {
            "timestamp": "2026-05-28 22:02:14,072",
            "thread_id": "11140",
            "caller": "0x7ffc756d30ce",
            "parentcaller": "0x7ffc77c22cd1",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 3007
          },
          {
            "timestamp": "2026-05-28 22:02:14,072",
            "thread_id": "11140",
            "caller": "0x7ffc756d30ce",
            "parentcaller": "0x7ffc77c22cd1",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000037c"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 3008
          },
          {
            "timestamp": "2026-05-28 22:02:14,072",
            "thread_id": "11140",
            "caller": "0x7ffc78013f7a",
            "parentcaller": "0x7ffc770b0ed7",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "29"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 3009
          },
          {
            "timestamp": "2026-05-28 22:02:14,072",
            "thread_id": "11140",
            "caller": "0x7ffc770b0cd1",
            "parentcaller": "0x7ffc770af28f",
            "category": "filesystem",
            "api": "NtOpenDirectoryObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "DirectoryHandle",
                "value": "0x000004dc"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020001",
                "pretty_value": "FILE_READ_ACCESS|READ_CONTROL"
              },
              {
                "name": "ObjectAttributes",
                "value": "C:\\RPC Control"
              }
            ],
            "repeated": 0,
            "id": 3010
          },
          {
            "timestamp": "2026-05-28 22:02:14,072",
            "thread_id": "11140",
            "caller": "0x7ffc7572026b",
            "parentcaller": "0x7ffc770b0daf",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x00000500"
              }
            ],
            "repeated": 0,
            "id": 3011
          },
          {
            "timestamp": "2026-05-28 22:02:14,072",
            "thread_id": "11140",
            "caller": "0x7ffc78008cde",
            "parentcaller": "0x7ffc78049c4e",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "10"
              },
              {
                "name": "TokenInformation",
                "value": "H\\xc5\n\\x00\\x00\\x00\\x00\\x00]Y\\x02\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x7f\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x94\\x0f\\x00\\x00\\x0e\\x00\\x00\\x00\\x18\\x00\\x00\\x00\t\\xc5\n\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 3012
          },
          {
            "timestamp": "2026-05-28 22:02:14,072",
            "thread_id": "11140",
            "caller": "0x7ffc78036e46",
            "parentcaller": "0x7ffc78008d8f",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "4"
              },
              {
                "name": "TokenInformation",
                "value": "\\x88\\x97Je\\xa3\\x02\\x00\\x00\\x01\\x02\\x00\\x00\\x00\\x00\\x00\\x05 \\x00\\x00\\x00 \\x02\\x00\\x00\\xb0\\x01\\x00\\x02\\x00\\x00\\x00\\x13\\x00\r\\x04]\\x88\\x8a\\xeb\\x1c\\xc9\\x11\\x9f\\xe8\\x08\\x00+\\x10H`\\x02\\x00\\x02\\x00\\x00\\x00\\x01\\x00\\x0c\\x02\\x00\\x00\\x00\\x01\\x00\\x10\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 3013
          },
          {
            "timestamp": "2026-05-28 22:02:14,072",
            "thread_id": "11140",
            "caller": "0x7ffc78036e9b",
            "parentcaller": "0x7ffc78008d8f",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "25"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x7fHe\\xa3\\x02\\x00\\x00`\\x00\\x00\\x000\\x002\\x00\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x10\\x000\\x00\\x008\\x004\\x007\\x009\\x007\\x007\\x006\\x000\\x008\\x00-\\x001\\x000\\x000\\x001\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 3014
          },
          {
            "timestamp": "2026-05-28 22:02:14,072",
            "thread_id": "11140",
            "caller": "0x7ffc78036ec0",
            "parentcaller": "0x7ffc78008d8f",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "5"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 3015
          },
          {
            "timestamp": "2026-05-28 22:02:14,072",
            "thread_id": "11140",
            "caller": "0x7ffc78036f0e",
            "parentcaller": "0x7ffc78008d8f",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "5"
              },
              {
                "name": "TokenInformation",
                "value": "xjHe\\xa3\\x02\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\x01\\x02\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 3016
          },
          {
            "timestamp": "2026-05-28 22:02:14,072",
            "thread_id": "11140",
            "caller": "0x7ffc78036f37",
            "parentcaller": "0x7ffc78008d8f",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "6"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 3017
          },
          {
            "timestamp": "2026-05-28 22:02:14,072",
            "thread_id": "11140",
            "caller": "0x7ffc78036f8f",
            "parentcaller": "0x7ffc78008d8f",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "6"
              },
              {
                "name": "TokenInformation",
                "value": "X\\x7fHe\\xa3\\x02\\x00\\x00\\x02\\x00P\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x18\\x00\\x00\\x00\\x00\\x10\\x01\\x02\\x00\\x00\\x00\\x00\\x00\\x05 \\x00\\x00\\x00 \\x02\\x00\\x00\\x00\\x00\\x14\\x00\\x00\\x00\\x00\\x10\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x05\\x12\\x00\\x00\\x00\\x00\\x00\\x1c\\x00\\x00\\x00\\x00\\xa0\\x01\\x03\\x00\\x00\\x00\\x00\\x00\\x05\\x05\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xc7X\\x02\\x00"
              }
            ],
            "repeated": 0,
            "id": 3018
          },
          {
            "timestamp": "2026-05-28 22:02:14,072",
            "thread_id": "11140",
            "caller": "0x7ffc78037048",
            "parentcaller": "0x7ffc78036fa8",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "41"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00X@\\xdd3\\xfc\\x7f\\x00\\x00\\xebP\\xb53\\xfc\\x7f\\x00\\x00\\xc8\\x93\\xd9\\xfb\\x02;\\x00\\x00(N\\xd93\\xfc\\x7f\\x00\\x00\\xb0\\xd5\\xff\\xf8\\xb8\\x00\\x00\\x00\\xa8\\xd5\\xff\\xf8\\xb8\\x00\\x00\\x00x\\xd5\\xff\\xf8\\xb8\\x00\\x00\\x00\\x98\\xd5\\xff\\xf8"
              }
            ],
            "repeated": 0,
            "id": 3019
          },
          {
            "timestamp": "2026-05-28 22:02:14,072",
            "thread_id": "11140",
            "caller": "0x7ffc7803707b",
            "parentcaller": "0x7ffc78036fa8",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "41"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00P\\x7fHe\\xa3\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xd9\\xd8\\xb63\\xfc\\x7f\\x00\\x00#\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x98\\xd3\\xff\\xf8\\xb8\\x00\\x00\\x00\\x00\\x05\\x00\\x00\\x00\\x00\\x00\\x00\\x9a\\x00\\x1f8\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x86\\xa2\\xd93"
              }
            ],
            "repeated": 0,
            "id": 3020
          },
          {
            "timestamp": "2026-05-28 22:02:14,072",
            "thread_id": "11140",
            "caller": "0x7ffc78008cde",
            "parentcaller": "0x7ffc7800953a",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "10"
              },
              {
                "name": "TokenInformation",
                "value": "H\\xc5\n\\x00\\x00\\x00\\x00\\x00]Y\\x02\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x7f\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x94\\x0f\\x00\\x00\\x0e\\x00\\x00\\x00\\x18\\x00\\x00\\x00\t\\xc5\n\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 3021
          },
          {
            "timestamp": "2026-05-28 22:02:14,072",
            "thread_id": "11140",
            "caller": "0x7ffc78036e46",
            "parentcaller": "0x7ffc78008d8f",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "4"
              },
              {
                "name": "TokenInformation",
                "value": "\\x08\\x9aJe\\xa3\\x02\\x00\\x00\\x01\\x02\\x00\\x00\\x00\\x00\\x00\\x05 \\x00\\x00\\x00 \\x02\\x00\\x00`\\xdc4\\xc7\\xe1\\xaf\\x88\\xaf\\x05\\x1c\\x00\\x00\\xe0)\\x00\\x00\\xe1\\xaby&\\xd7J\\xeedLMEM0\\x00\\x00\\x00H\\xda\\x92\\xf7\\xb8\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 3022
          },
          {
            "timestamp": "2026-05-28 22:02:14,072",
            "thread_id": "11140",
            "caller": "0x7ffc78036e9b",
            "parentcaller": "0x7ffc78008d8f",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "25"
              },
              {
                "name": "TokenInformation",
                "value": "\\x80\rFe\\xa3\\x02\\x00\\x00`\\x00\\x00\\x00uE\\xeeE\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x10\\x000\\x00\\x00\\x05\\x00\\x00\\x00\\x02\\x9c\\xb5z\\xd4\\xaf\\x80\\xd1l\\x05So\\x19\\xff\\xc9\\xbc\\x06\\x10\\x00\\x00\\xe0)\\x00\\x00\\xed\\x03\\x8d\\xfe\\x0eG\\xc6\\xba\\xa0\\x10Ee\\xa3\\x02\\x00\\x00\\x00\\x00\\x00\\x05\\x05\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 3023
          },
          {
            "timestamp": "2026-05-28 22:02:14,072",
            "thread_id": "11140",
            "caller": "0x7ffc78036ec0",
            "parentcaller": "0x7ffc78008d8f",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "5"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 3024
          },
          {
            "timestamp": "2026-05-28 22:02:14,072",
            "thread_id": "11140",
            "caller": "0x7ffc78036f0e",
            "parentcaller": "0x7ffc78008d8f",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "5"
              },
              {
                "name": "TokenInformation",
                "value": "\\x08hHe\\xa3\\x02\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\x01\\x02\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 3025
          },
          {
            "timestamp": "2026-05-28 22:02:14,072",
            "thread_id": "11140",
            "caller": "0x7ffc78036f37",
            "parentcaller": "0x7ffc78008d8f",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "6"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 3026
          },
          {
            "timestamp": "2026-05-28 22:02:14,072",
            "thread_id": "11140",
            "caller": "0x7ffc78036f8f",
            "parentcaller": "0x7ffc78008d8f",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "6"
              },
              {
                "name": "TokenInformation",
                "value": "\\x98~He\\xa3\\x02\\x00\\x00\\x02\\x00P\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x18\\x00\\x00\\x00\\x00\\x10\\x01\\x02\\x00\\x00\\x00\\x00\\x00\\x05 \\x00\\x00\\x00 \\x02\\x00\\x00\\x00\\x00\\x14\\x00\\x00\\x00\\x00\\x10\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x05\\x12\\x00\\x00\\x00\\x00\\x00\\x1c\\x00\\x00\\x00\\x00\\xa0\\x01\\x03\\x00\\x00\\x00\\x00\\x00\\x05\\x05\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xc7X\\x02\\x00"
              }
            ],
            "repeated": 0,
            "id": 3027
          },
          {
            "timestamp": "2026-05-28 22:02:14,072",
            "thread_id": "11140",
            "caller": "0x7ffc78037048",
            "parentcaller": "0x7ffc78036fa8",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "41"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00X@\\xdd3\\xfc\\x7f\\x00\\x00\\xebP\\xb53\\xfc\\x7f\\x00\\x00h\\x97\\xd9\\xfb\\x02;\\x00\\x00(N\\xd93\\xfc\\x7f\\x00\\x00\\x10\\xd2\\xff\\xf8\\xb8\\x00\\x00\\x00\\x08\\xd2\\xff\\xf8\\xb8\\x00\\x00\\x00\\xd8\\xd1\\xff\\xf8\\xb8\\x00\\x00\\x00\\xf8\\xd1\\xff\\xf8"
              }
            ],
            "repeated": 0,
            "id": 3028
          },
          {
            "timestamp": "2026-05-28 22:02:14,072",
            "thread_id": "11140",
            "caller": "0x7ffc7803707b",
            "parentcaller": "0x7ffc78036fa8",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "41"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x90~He\\xa3\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xd9\\xd8\\xb63\\xfc\\x7f\\x00\\x00#\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\xf8\\xcf\\xff\\xf8\\xb8\\x00\\x00\\x00\\x00\\x05\\x00\\x00\\x00\\x00\\x00\\x00\\x9a\\x00\\x1f8\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x86\\xa2\\xd93"
              }
            ],
            "repeated": 0,
            "id": 3029
          },
          {
            "timestamp": "2026-05-28 22:02:14,072",
            "thread_id": "11140",
            "caller": "0x7ffc756e6785",
            "parentcaller": "0x7ffc770b0e27",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004dc"
              }
            ],
            "repeated": 0,
            "id": 3030
          },
          {
            "timestamp": "2026-05-28 22:02:14,072",
            "thread_id": "11140",
            "caller": "0x7ffc756e6785",
            "parentcaller": "0x7ffc770b0e49",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000500"
              }
            ],
            "repeated": 0,
            "id": 3031
          },
          {
            "timestamp": "2026-05-28 22:02:14,072",
            "thread_id": "11136",
            "caller": "0x7ffc756e6785",
            "parentcaller": "0x7ffc77c12ec5",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000504"
              }
            ],
            "repeated": 0,
            "id": 3032
          },
          {
            "timestamp": "2026-05-28 22:02:14,072",
            "thread_id": "11140",
            "caller": "0x7ffc756e6785",
            "parentcaller": "0x7ffc77c12ec5",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000500"
              }
            ],
            "repeated": 0,
            "id": 3033
          },
          {
            "timestamp": "2026-05-28 22:02:14,072",
            "thread_id": "11140",
            "caller": "0x7ffc77ba22bf",
            "parentcaller": "0x7ffc77c1fbe4",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x000003c6"
              },
              {
                "name": "SubKey",
                "value": "Interface\\{9BCB843B-221B-5FBE-9B20-7028BC4E8653}"
              },
              {
                "name": "Handle",
                "value": "0x00000502"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\Interface\\{9BCB843B-221B-5FBE-9B20-7028BC4E8653}"
              }
            ],
            "repeated": 0,
            "id": 3034
          },
          {
            "timestamp": "2026-05-28 22:02:14,072",
            "thread_id": "11140",
            "caller": "0x7ffc77c1fa51",
            "parentcaller": "0x7ffc77be42ab",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000502"
              },
              {
                "name": "SubKey",
                "value": "ProxyStubClsid32"
              },
              {
                "name": "Handle",
                "value": "0x000004de"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{9BCB843B-221B-5FBE-9B20-7028BC4E8653}\\ProxyStubClsid32"
              }
            ],
            "repeated": 0,
            "id": 3035
          },
          {
            "timestamp": "2026-05-28 22:02:14,072",
            "thread_id": "11140",
            "caller": "0x7ffc77c1fa8c",
            "parentcaller": "0x7ffc77be42ab",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004de"
              },
              {
                "name": "ValueName",
                "value": ""
              },
              {
                "name": "Data",
                "value": "{95E15D0A-66E6-93D9-C53C-76E6219D3341}"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{9BCB843B-221B-5FBE-9B20-7028BC4E8653}\\ProxyStubClsid32\\(Default)"
              }
            ],
            "repeated": 0,
            "id": 3036
          },
          {
            "timestamp": "2026-05-28 22:02:14,072",
            "thread_id": "11140",
            "caller": "0x7ffc77c1fad3",
            "parentcaller": "0x7ffc77be42ab",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004de"
              }
            ],
            "repeated": 0,
            "id": 3037
          },
          {
            "timestamp": "2026-05-28 22:02:14,072",
            "thread_id": "11140",
            "caller": "0x7ffc77c1fae4",
            "parentcaller": "0x7ffc77be42ab",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000502"
              }
            ],
            "repeated": 0,
            "id": 3038
          },
          {
            "timestamp": "2026-05-28 22:02:14,072",
            "thread_id": "11140",
            "caller": "0x7ffc756d30ce",
            "parentcaller": "0x7ffc77c22cd1",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 3039
          },
          {
            "timestamp": "2026-05-28 22:02:14,072",
            "thread_id": "11140",
            "caller": "0x7ffc756d30ce",
            "parentcaller": "0x7ffc77c22cd1",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000037c"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 3040
          },
          {
            "timestamp": "2026-05-28 22:02:14,072",
            "thread_id": "11140",
            "caller": "0x7ffc78013f7a",
            "parentcaller": "0x7ffc770b0ed7",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "29"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 3041
          },
          {
            "timestamp": "2026-05-28 22:02:14,072",
            "thread_id": "11140",
            "caller": "0x7ffc770b0cd1",
            "parentcaller": "0x7ffc770af28f",
            "category": "filesystem",
            "api": "NtOpenDirectoryObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "DirectoryHandle",
                "value": "0x00000500"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020001",
                "pretty_value": "FILE_READ_ACCESS|READ_CONTROL"
              },
              {
                "name": "ObjectAttributes",
                "value": "C:\\RPC Control"
              }
            ],
            "repeated": 0,
            "id": 3042
          },
          {
            "timestamp": "2026-05-28 22:02:14,072",
            "thread_id": "11140",
            "caller": "0x7ffc7572026b",
            "parentcaller": "0x7ffc770b0daf",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x000004dc"
              }
            ],
            "repeated": 0,
            "id": 3043
          },
          {
            "timestamp": "2026-05-28 22:02:14,072",
            "thread_id": "11140",
            "caller": "0x7ffc78008cde",
            "parentcaller": "0x7ffc78049c4e",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "10"
              },
              {
                "name": "TokenInformation",
                "value": "H\\xc5\n\\x00\\x00\\x00\\x00\\x00]Y\\x02\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x7f\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x94\\x0f\\x00\\x00\\x0e\\x00\\x00\\x00\\x18\\x00\\x00\\x00\t\\xc5\n\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 3044
          },
          {
            "timestamp": "2026-05-28 22:02:14,072",
            "thread_id": "11140",
            "caller": "0x7ffc78036e46",
            "parentcaller": "0x7ffc78008d8f",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "4"
              },
              {
                "name": "TokenInformation",
                "value": "\\xb8\\x94Je\\xa3\\x02\\x00\\x00\\x01\\x02\\x00\\x00\\x00\\x00\\x00\\x05 \\x00\\x00\\x00 \\x02\\x00\\x00\\xb0\\x01\\x00\\x02\\x00\\x00\\x00\\x13\\x00\r\\x04]\\x88\\x8a\\xeb\\x1c\\xc9\\x11\\x9f\\xe8\\x08\\x00+\\x10H`\\x02\\x00\\x02\\x00\\x00\\x00\\x01\\x00\\x0c\\x02\\x00\\x00\\x00\\x01\\x00\\x10\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 3045
          },
          {
            "timestamp": "2026-05-28 22:02:14,072",
            "thread_id": "11140",
            "caller": "0x7ffc78036e9b",
            "parentcaller": "0x7ffc78008d8f",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "25"
              },
              {
                "name": "TokenInformation",
                "value": "\\x80\rFe\\xa3\\x02\\x00\\x00`\\x00\\x00\\x00uE\\xeeE\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x10\\x000\\x00\\x00\\x05\\x00\\x00\\x00\\x02\\x9c\\xb5z\\xd4\\xaf\\x80\\xd1l\\x05So\\x19\\xff\\xc9\\xbc\\x06\\x10\\x00\\x00\\xe0)\\x00\\x00\\xed\\x03\\x8d\\xfe\\x0eG\\xc6\\xba\\xa0\\x10Ee\\xa3\\x02\\x00\\x00\\x00\\x00\\x00\\x05\\x05\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 3046
          },
          {
            "timestamp": "2026-05-28 22:02:14,072",
            "thread_id": "11140",
            "caller": "0x7ffc78036ec0",
            "parentcaller": "0x7ffc78008d8f",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "5"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 3047
          },
          {
            "timestamp": "2026-05-28 22:02:14,072",
            "thread_id": "11140",
            "caller": "0x7ffc78036f0e",
            "parentcaller": "0x7ffc78008d8f",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "5"
              },
              {
                "name": "TokenInformation",
                "value": "hhHe\\xa3\\x02\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\x01\\x02\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 3048
          },
          {
            "timestamp": "2026-05-28 22:02:14,072",
            "thread_id": "11140",
            "caller": "0x7ffc78036f37",
            "parentcaller": "0x7ffc78008d8f",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "6"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 3049
          },
          {
            "timestamp": "2026-05-28 22:02:14,072",
            "thread_id": "11140",
            "caller": "0x7ffc78036f8f",
            "parentcaller": "0x7ffc78008d8f",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "6"
              },
              {
                "name": "TokenInformation",
                "value": "X|He\\xa3\\x02\\x00\\x00\\x02\\x00P\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x18\\x00\\x00\\x00\\x00\\x10\\x01\\x02\\x00\\x00\\x00\\x00\\x00\\x05 \\x00\\x00\\x00 \\x02\\x00\\x00\\x00\\x00\\x14\\x00\\x00\\x00\\x00\\x10\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x05\\x12\\x00\\x00\\x00\\x00\\x00\\x1c\\x00\\x00\\x00\\x00\\xa0\\x01\\x03\\x00\\x00\\x00\\x00\\x00\\x05\\x05\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xc7X\\x02\\x00"
              }
            ],
            "repeated": 0,
            "id": 3050
          },
          {
            "timestamp": "2026-05-28 22:02:14,072",
            "thread_id": "11140",
            "caller": "0x7ffc78037048",
            "parentcaller": "0x7ffc78036fa8",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "41"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00X@\\xdd3\\xfc\\x7f\\x00\\x00\\xebP\\xb53\\xfc\\x7f\\x00\\x00\\xc8\\x93\\xd9\\xfb\\x02;\\x00\\x00(N\\xd93\\xfc\\x7f\\x00\\x00\\xb0\\xd5\\xff\\xf8\\xb8\\x00\\x00\\x00\\xa8\\xd5\\xff\\xf8\\xb8\\x00\\x00\\x00x\\xd5\\xff\\xf8\\xb8\\x00\\x00\\x00\\x98\\xd5\\xff\\xf8"
              }
            ],
            "repeated": 0,
            "id": 3051
          },
          {
            "timestamp": "2026-05-28 22:02:14,072",
            "thread_id": "11140",
            "caller": "0x7ffc7803707b",
            "parentcaller": "0x7ffc78036fa8",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "41"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00P|He\\xa3\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xd9\\xd8\\xb63\\xfc\\x7f\\x00\\x00#\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x98\\xd3\\xff\\xf8\\xb8\\x00\\x00\\x00\\xdc\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x9a\\x00\\x1f8\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x86\\xa2\\xd93"
              }
            ],
            "repeated": 0,
            "id": 3052
          },
          {
            "timestamp": "2026-05-28 22:02:14,072",
            "thread_id": "11140",
            "caller": "0x7ffc78008cde",
            "parentcaller": "0x7ffc7800953a",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "10"
              },
              {
                "name": "TokenInformation",
                "value": "H\\xc5\n\\x00\\x00\\x00\\x00\\x00]Y\\x02\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x7f\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x94\\x0f\\x00\\x00\\x0e\\x00\\x00\\x00\\x18\\x00\\x00\\x00\t\\xc5\n\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 3053
          },
          {
            "timestamp": "2026-05-28 22:02:14,072",
            "thread_id": "11140",
            "caller": "0x7ffc78036e46",
            "parentcaller": "0x7ffc78008d8f",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "4"
              },
              {
                "name": "TokenInformation",
                "value": "X\\x95Je\\xa3\\x02\\x00\\x00\\x01\\x02\\x00\\x00\\x00\\x00\\x00\\x05 \\x00\\x00\\x00 \\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 3054
          },
          {
            "timestamp": "2026-05-28 22:02:14,072",
            "thread_id": "11140",
            "caller": "0x7ffc78036e9b",
            "parentcaller": "0x7ffc78008d8f",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "25"
              },
              {
                "name": "TokenInformation",
                "value": "\\xc0|He\\xa3\\x02\\x00\\x00`\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x10\\x000\\x00\\x00\\x00\\x00\\x00\\x05 \\x00\\x00\\x00 \\x02\\x00\\x00\\x00\\x00\\x14\\x00\\x00\\x00\\x00\\x10\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x05\\x12\\x00\\x00\\x00\\x00\\x00\\x1c\\x00\\x00\\x00\\x00\\xa0\\x01\\x03\\x00\\x00\\x00\\x00\\x00\\x05\\x05\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 3055
          },
          {
            "timestamp": "2026-05-28 22:02:14,072",
            "thread_id": "11140",
            "caller": "0x7ffc78036ec0",
            "parentcaller": "0x7ffc78008d8f",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "5"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 3056
          },
          {
            "timestamp": "2026-05-28 22:02:14,072",
            "thread_id": "11140",
            "caller": "0x7ffc78036f0e",
            "parentcaller": "0x7ffc78008d8f",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "5"
              },
              {
                "name": "TokenInformation",
                "value": "HgHe\\xa3\\x02\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\x01\\x02\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 3057
          },
          {
            "timestamp": "2026-05-28 22:02:14,072",
            "thread_id": "11140",
            "caller": "0x7ffc78036f37",
            "parentcaller": "0x7ffc78008d8f",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "6"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 3058
          },
          {
            "timestamp": "2026-05-28 22:02:14,072",
            "thread_id": "11140",
            "caller": "0x7ffc78036f8f",
            "parentcaller": "0x7ffc78008d8f",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "6"
              },
              {
                "name": "TokenInformation",
                "value": "\\x18}He\\xa3\\x02\\x00\\x00\\x02\\x00P\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x18\\x00\\x00\\x00\\x00\\x10\\x01\\x02\\x00\\x00\\x00\\x00\\x00\\x05 \\x00\\x00\\x00 \\x02\\x00\\x00\\x00\\x00\\x14\\x00\\x00\\x00\\x00\\x10\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x05\\x12\\x00\\x00\\x00\\x00\\x00\\x1c\\x00\\x00\\x00\\x00\\xa0\\x01\\x03\\x00\\x00\\x00\\x00\\x00\\x05\\x05\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xc7X\\x02\\x00"
              }
            ],
            "repeated": 0,
            "id": 3059
          },
          {
            "timestamp": "2026-05-28 22:02:14,072",
            "thread_id": "11140",
            "caller": "0x7ffc78037048",
            "parentcaller": "0x7ffc78036fa8",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "41"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00X@\\xdd3\\xfc\\x7f\\x00\\x00\\xebP\\xb53\\xfc\\x7f\\x00\\x00h\\x97\\xd9\\xfb\\x02;\\x00\\x00(N\\xd93\\xfc\\x7f\\x00\\x00\\x10\\xd2\\xff\\xf8\\xb8\\x00\\x00\\x00\\x08\\xd2\\xff\\xf8\\xb8\\x00\\x00\\x00\\xd8\\xd1\\xff\\xf8\\xb8\\x00\\x00\\x00\\xf8\\xd1\\xff\\xf8"
              }
            ],
            "repeated": 0,
            "id": 3060
          },
          {
            "timestamp": "2026-05-28 22:02:14,072",
            "thread_id": "11140",
            "caller": "0x7ffc7803707b",
            "parentcaller": "0x7ffc78036fa8",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "41"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10}He\\xa3\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xd9\\xd8\\xb63\\xfc\\x7f\\x00\\x00#\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\xf8\\xcf\\xff\\xf8\\xb8\\x00\\x00\\x00\\xdc\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x9a\\x00\\x1f8\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x86\\xa2\\xd93"
              }
            ],
            "repeated": 0,
            "id": 3061
          },
          {
            "timestamp": "2026-05-28 22:02:14,072",
            "thread_id": "11140",
            "caller": "0x7ffc756e6785",
            "parentcaller": "0x7ffc770b0e27",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000500"
              }
            ],
            "repeated": 0,
            "id": 3062
          },
          {
            "timestamp": "2026-05-28 22:02:14,072",
            "thread_id": "11140",
            "caller": "0x7ffc756e6785",
            "parentcaller": "0x7ffc770b0e49",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004dc"
              }
            ],
            "repeated": 0,
            "id": 3063
          },
          {
            "timestamp": "2026-05-28 22:02:14,072",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtAllocateVirtualMemoryEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2a3654ae000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 3064
          },
          {
            "timestamp": "2026-05-28 22:02:14,072",
            "thread_id": "11136",
            "caller": "0x7ffc756e6785",
            "parentcaller": "0x7ffc77c12ec5",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000504"
              }
            ],
            "repeated": 0,
            "id": 3065
          },
          {
            "timestamp": "2026-05-28 22:02:14,072",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "combase.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc77b70000"
              },
              {
                "name": "FunctionName",
                "value": "WindowsGetStringRawBuffer"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc77bc2340"
              }
            ],
            "repeated": 0,
            "id": 3066
          },
          {
            "timestamp": "2026-05-28 22:02:14,072",
            "thread_id": "11140",
            "caller": "0x7ffc756e6785",
            "parentcaller": "0x7ffc77c12ec5",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004dc"
              }
            ],
            "repeated": 0,
            "id": 3067
          },
          {
            "timestamp": "2026-05-28 22:02:14,072",
            "thread_id": "11136",
            "caller": "0x7ffc756e6785",
            "parentcaller": "0x7ffc77c12ec5",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000504"
              }
            ],
            "repeated": 0,
            "id": 3068
          },
          {
            "timestamp": "2026-05-28 22:02:14,072",
            "thread_id": "11140",
            "caller": "0x7ffc756e6785",
            "parentcaller": "0x7ffc77c12ec5",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004dc"
              }
            ],
            "repeated": 0,
            "id": 3069
          },
          {
            "timestamp": "2026-05-28 22:02:14,072",
            "thread_id": "11136",
            "caller": "0x7ffc756e6785",
            "parentcaller": "0x7ffc77c12ec5",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000504"
              }
            ],
            "repeated": 0,
            "id": 3070
          },
          {
            "timestamp": "2026-05-28 22:02:14,072",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x3edc00108000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 3071
          },
          {
            "timestamp": "2026-05-28 22:02:14,072",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x3edc000e7000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 3072
          },
          {
            "timestamp": "2026-05-28 22:02:14,072",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x3edc00160000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 3073
          },
          {
            "timestamp": "2026-05-28 22:02:14,072",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "filesystem",
            "api": "NtWriteFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00001774"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\NamedPipe\\LOCAL\\mojo.9188.10632.18297276111718467407"
              },
              {
                "name": "Buffer",
                "value": "\\x10\\x00\\x00\\x00\\xe8\\x00\\x00\\x00m\\x16\\x0b\\x05\\x00\\x00\\x00\\x00\\x18\\x00\\x14\\x00\\x00\\x00\\x00\\x00\\x1b\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00H\\x00\\x00\\x00\\x00\\x00\\x00\\x00-\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00~\\x01\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00`\\x00\\x00\\x00p\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00h\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x001\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00@\\x07\\x00\\x00@\\x00\\x00\\x002\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "Length",
                "value": "232"
              }
            ],
            "repeated": 0,
            "id": 3074
          },
          {
            "timestamp": "2026-05-28 22:02:14,072",
            "thread_id": "11032",
            "caller": "0x7ffc756e53aa",
            "parentcaller": "0x7ffc1fa0f4b5",
            "category": "filesystem",
            "api": "NtWriteFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00001774"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\NamedPipe\\LOCAL\\mojo.9188.10632.18297276111718467407"
              },
              {
                "name": "Buffer",
                "value": "\\x10\\x00\\x00\\x00p\\x00\\x00\\x00~\\x17\\x0b\\x05\\x00\\x00\\x00\\x00\\x18\\x00\\x14\\x00\\x00\\x00\\x00\\x00\\x1c\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00H\\x00\\x00\\x00\\x00\\x00\\x00\\x00+\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x7f\\x01\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "Length",
                "value": "112"
              }
            ],
            "repeated": 0,
            "id": 3075
          },
          {
            "timestamp": "2026-05-28 22:02:14,072",
            "thread_id": "11032",
            "caller": "0x7ffc756e5810",
            "parentcaller": "0x7ffc1fa0f3bb",
            "category": "filesystem",
            "api": "NtReadFile",
            "status": true,
            "return": "0x00000103",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00001774"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\NamedPipe\\LOCAL\\mojo.9188.10632.18297276111718467407"
              },
              {
                "name": "Buffer",
                "value": "\\x10\\x00\\x00\\x00p\\x00\\x00\\x00\\xd8\\x18\\x0b\\x05\\x00\\x00\\x00\\x00\\x18\\x00\\x14\\x00\\x00\\x00\\x00\\x00\\x1e\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00H\\x00\\x00\\x00\\x00\\x00\\x00\\x001\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x7f\\x01\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "Length",
                "value": "112"
              }
            ],
            "repeated": 0,
            "id": 3076
          },
          {
            "timestamp": "2026-05-28 22:02:14,072",
            "thread_id": "11140",
            "caller": "0x7ffc756e6785",
            "parentcaller": "0x7ffc77c12ec5",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004dc"
              }
            ],
            "repeated": 0,
            "id": 3077
          },
          {
            "timestamp": "2026-05-28 22:02:14,072",
            "thread_id": "11140",
            "caller": "0x7ffc77ff2caa",
            "parentcaller": "0x7ffc77ff2fbd",
            "category": "process",
            "api": "NtAllocateVirtualMemoryEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2a3654af000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 3078
          },
          {
            "timestamp": "2026-05-28 22:02:14,072",
            "thread_id": "11136",
            "caller": "0x7ffc756e6785",
            "parentcaller": "0x7ffc77c12ec5",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000504"
              }
            ],
            "repeated": 0,
            "id": 3079
          },
          {
            "timestamp": "2026-05-28 22:02:14,072",
            "thread_id": "11140",
            "caller": "0x7ffc756e6785",
            "parentcaller": "0x7ffc77c12ec5",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004dc"
              }
            ],
            "repeated": 0,
            "id": 3080
          },
          {
            "timestamp": "2026-05-28 22:02:14,072",
            "thread_id": "11136",
            "caller": "0x7ffc756e6785",
            "parentcaller": "0x7ffc77c12ec5",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000504"
              }
            ],
            "repeated": 0,
            "id": 3081
          },
          {
            "timestamp": "2026-05-28 22:02:14,072",
            "thread_id": "11140",
            "caller": "0x7ffc756e6785",
            "parentcaller": "0x7ffc77c12ec5",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004dc"
              }
            ],
            "repeated": 0,
            "id": 3082
          },
          {
            "timestamp": "2026-05-28 22:02:14,072",
            "thread_id": "11136",
            "caller": "0x7ffc756e6785",
            "parentcaller": "0x7ffc77c12ec5",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000504"
              }
            ],
            "repeated": 0,
            "id": 3083
          },
          {
            "timestamp": "2026-05-28 22:02:14,072",
            "thread_id": "11140",
            "caller": "0x7ffc756e6785",
            "parentcaller": "0x7ffc77c12ec5",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004dc"
              }
            ],
            "repeated": 0,
            "id": 3084
          },
          {
            "timestamp": "2026-05-28 22:02:14,072",
            "thread_id": "11136",
            "caller": "0x7ffc756e6785",
            "parentcaller": "0x7ffc77c12ec5",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000504"
              }
            ],
            "repeated": 0,
            "id": 3085
          },
          {
            "timestamp": "2026-05-28 22:02:14,072",
            "thread_id": "11136",
            "caller": "0x7ffc756e08ee",
            "parentcaller": "0x7ffc77c38bd7",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000504"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001000",
                "pretty_value": "PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "10720"
              }
            ],
            "repeated": 0,
            "id": 3086
          },
          {
            "timestamp": "2026-05-28 22:02:14,072",
            "thread_id": "11136",
            "caller": "0x7ffc7572026b",
            "parentcaller": "0x7ffc756ecbb0",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000504"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x00000500"
              }
            ],
            "repeated": 0,
            "id": 3087
          },
          {
            "timestamp": "2026-05-28 22:02:14,072",
            "thread_id": "11136",
            "caller": "0x7ffc756eaa1f",
            "parentcaller": "0x7ffc756ecb7c",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "39"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 3088
          },
          {
            "timestamp": "2026-05-28 22:02:14,072",
            "thread_id": "11136",
            "caller": "0x7ffc756eaaa8",
            "parentcaller": "0x7ffc756ecb7c",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "39"
              },
              {
                "name": "TokenInformation",
                "value": "\\x01\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\xb0bIe\\xa3\\x02\\x00\\x00\\x1c\\x00\\x1c\\x00\\x00\\x00\\x00\\x00PcIe\\xa3\\x02\\x00\\x00\\x03\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00pcIe\\xa3\\x02\\x00\\x00\\x12\\x00\\x12\\x00\\x00\\x00\\x00\\x00\\x84dIe\\xa3\\x02\\x00\\x00\\x02\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x98dIe\\xa3\\x02\\x00\\x00\\x1e\\x00\\x1e\\x00\\x00\\x00\\x00\\x00\\xa0dIe\\xa3\\x02\\x00\\x00\\x02\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xc0dIe\\xa3\\x02\\x00\\x00 \\x00 \\x00\\x00\\x00\\x00\\x00\\xc8dIe\\xa3\\x02\\x00\\x00\\x02\\x00\\x00\\x00A\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xe8dIe\\xa3\\x02\\x00\\x00W\\x00I\\x00N\\x00:\\x00/\\x00/\\x00S\\x00Y\\x00S\\x00A\\x00P\\x00P\\x00I\\x00D\\x00\\x00\\x00\\x00\\x00\\x86\\x00\\x86\\x00\\x00\\x00\\x00\\x00\\xa0cIe\\xa3\\x02\\x00\\x00\\x06\\x00\\x06\\x00\\x00\\x00\\x00\\x00&dIe\\xa3\\x02\\x00\\x00X\\x00X\\x00\\x00\\x00\\x00\\x00,dIe\\xa3\\x02\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 3089
          },
          {
            "timestamp": "2026-05-28 22:02:14,072",
            "thread_id": "11136",
            "caller": "0x7ffc756e6785",
            "parentcaller": "0x7ffc756ecbbe",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000500"
              }
            ],
            "repeated": 0,
            "id": 3090
          },
          {
            "timestamp": "2026-05-28 22:02:14,072",
            "thread_id": "11136",
            "caller": "0x7ffc7572026b",
            "parentcaller": "0x7ffc756ecbb0",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x00000504"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x00000500"
              }
            ],
            "repeated": 0,
            "id": 3091
          },
          {
            "timestamp": "2026-05-28 22:02:14,072",
            "thread_id": "11136",
            "caller": "0x7ffc756eaa1f",
            "parentcaller": "0x7ffc756ecb7c",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "39"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 3092
          },
          {
            "timestamp": "2026-05-28 22:02:14,072",
            "thread_id": "11136",
            "caller": "0x7ffc756eaaa8",
            "parentcaller": "0x7ffc756ecb7c",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "39"
              },
              {
                "name": "TokenInformation",
                "value": "\\x01\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\xb0bIe\\xa3\\x02\\x00\\x00\\x1c\\x00\\x1c\\x00\\x00\\x00\\x00\\x00PcIe\\xa3\\x02\\x00\\x00\\x03\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00pcIe\\xa3\\x02\\x00\\x00\\x12\\x00\\x12\\x00\\x00\\x00\\x00\\x00\\x84dIe\\xa3\\x02\\x00\\x00\\x02\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x98dIe\\xa3\\x02\\x00\\x00\\x1e\\x00\\x1e\\x00\\x00\\x00\\x00\\x00\\xa0dIe\\xa3\\x02\\x00\\x00\\x02\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xc0dIe\\xa3\\x02\\x00\\x00 \\x00 \\x00\\x00\\x00\\x00\\x00\\xc8dIe\\xa3\\x02\\x00\\x00\\x02\\x00\\x00\\x00A\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xe8dIe\\xa3\\x02\\x00\\x00W\\x00I\\x00N\\x00:\\x00/\\x00/\\x00S\\x00Y\\x00S\\x00A\\x00P\\x00P\\x00I\\x00D\\x00\\x00\\x00\\x00\\x00\\x86\\x00\\x86\\x00\\x00\\x00\\x00\\x00\\xa0cIe\\xa3\\x02\\x00\\x00\\x06\\x00\\x06\\x00\\x00\\x00\\x00\\x00&dIe\\xa3\\x02\\x00\\x00X\\x00X\\x00\\x00\\x00\\x00\\x00,dIe\\xa3\\x02\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 3093
          },
          {
            "timestamp": "2026-05-28 22:02:14,072",
            "thread_id": "11136",
            "caller": "0x7ffc756e6785",
            "parentcaller": "0x7ffc756ecbbe",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000500"
              }
            ],
            "repeated": 0,
            "id": 3094
          },
          {
            "timestamp": "2026-05-28 22:02:14,072",
            "thread_id": "11136",
            "caller": "0x7ffc756e6785",
            "parentcaller": "0x7ffc60e69183",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000504"
              }
            ],
            "repeated": 0,
            "id": 3095
          },
          {
            "timestamp": "2026-05-28 22:02:14,072",
            "thread_id": "11136",
            "caller": "0x7ffc756d30ce",
            "parentcaller": "0x7ffc77c22cd1",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 3096
          },
          {
            "timestamp": "2026-05-28 22:02:14,072",
            "thread_id": "11136",
            "caller": "0x7ffc756d30ce",
            "parentcaller": "0x7ffc77c22cd1",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000037c"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 3097
          },
          {
            "timestamp": "2026-05-28 22:02:14,072",
            "thread_id": "11136",
            "caller": "0x7ffc756d30ce",
            "parentcaller": "0x7ffc77c22cd1",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 3098
          },
          {
            "timestamp": "2026-05-28 22:02:14,072",
            "thread_id": "11136",
            "caller": "0x7ffc756d30ce",
            "parentcaller": "0x7ffc77c22cd1",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000037c"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 3099
          },
          {
            "timestamp": "2026-05-28 22:02:14,072",
            "thread_id": "11136",
            "caller": "0x7ffc77be92b9",
            "parentcaller": "0x7ffc77c2224d",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "00000339-0000-0000-C000-000000000046"
              },
              {
                "name": "ClsContext",
                "value": "0x00000403",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER|CLSCTX_NO_CODE_DOWNLOAD"
              },
              {
                "name": "riid",
                "value": "00000003-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 3100
          },
          {
            "timestamp": "2026-05-28 22:02:14,072",
            "thread_id": "11136",
            "caller": "0x7ffc770e1630",
            "parentcaller": "0x7ffc770e12cd",
            "category": "system",
            "api": "NtQuerySystemTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 3101
          },
          {
            "timestamp": "2026-05-28 22:02:14,072",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "filesystem",
            "api": "NtWriteFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00001774"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\NamedPipe\\LOCAL\\mojo.9188.10632.18297276111718467407"
              },
              {
                "name": "Buffer",
                "value": "\\x10\\x00\\x00\\x00p\\x00\\x00\\x00\\xbd%\\x0b\\x05\\x00\\x00\\x00\\x00\\x18\\x00\\x14\\x00\\x00\\x00\\x00\\x00\\x1d\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00H\\x00\\x00\\x00\\x00\\x00\\x00\\x001\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00~\\x01\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "Length",
                "value": "112"
              }
            ],
            "repeated": 0,
            "id": 3102
          },
          {
            "timestamp": "2026-05-28 22:02:14,072",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 3103
          },
          {
            "timestamp": "2026-05-28 22:02:14,072",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002cc"
              },
              {
                "name": "Milliseconds",
                "value": "4913"
              }
            ],
            "repeated": 0,
            "id": 3104
          },
          {
            "timestamp": "2026-05-28 22:02:14,072",
            "thread_id": "11140",
            "caller": "0x7ffc756e6785",
            "parentcaller": "0x7ffc77c12ec5",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004dc"
              }
            ],
            "repeated": 0,
            "id": 3105
          },
          {
            "timestamp": "2026-05-28 22:02:14,072",
            "thread_id": "11140",
            "caller": "0x7ffc7571ebae",
            "parentcaller": "0x7ffc775c5b05",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "0",
                "pretty_value": "ThreadBasicInformation"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x03\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xe0\\xa0\\xf7\\xb8\\x00\\x00\\x00\\xe0)\\x00\\x00\\x00\\x00\\x00\\x00\\x84+\\x00\\x00\\x00\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\t\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "11140"
              }
            ],
            "repeated": 0,
            "id": 3106
          },
          {
            "timestamp": "2026-05-28 22:02:14,072",
            "thread_id": "11156",
            "caller": "0x7ffc78017830",
            "parentcaller": "0x7ffc780020f9",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc77657000"
              },
              {
                "name": "ModuleName",
                "value": "shcore.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 3107
          },
          {
            "timestamp": "2026-05-28 22:02:14,072",
            "thread_id": "11156",
            "caller": "0x7ffc78017881",
            "parentcaller": "0x7ffc780020f9",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc77657000"
              },
              {
                "name": "ModuleName",
                "value": "shcore.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 3108
          },
          {
            "timestamp": "2026-05-28 22:02:14,072",
            "thread_id": "11156",
            "caller": "0x7ffc7571ebae",
            "parentcaller": "0x7ffc775f84de",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "0",
                "pretty_value": "ThreadBasicInformation"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x03\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xa1\\xf7\\xb8\\x00\\x00\\x00\\xe0)\\x00\\x00\\x00\\x00\\x00\\x00\\x94+\\x00\\x00\\x00\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\t\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "11156"
              }
            ],
            "repeated": 0,
            "id": 3109
          },
          {
            "timestamp": "2026-05-28 22:02:14,072",
            "thread_id": "11032",
            "caller": "0x7ffc756e5810",
            "parentcaller": "0x7ffc1fa0f3bb",
            "category": "filesystem",
            "api": "NtReadFile",
            "status": true,
            "return": "0x00000103",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00001774"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\NamedPipe\\LOCAL\\mojo.9188.10632.18297276111718467407"
              },
              {
                "name": "Buffer",
                "value": "\\x10\\x00\\x00\\x00@\\x00\\x00\\x00o.\\x0b\\x05\\x00\\x00\\x00\\x00\\x18\\x00\\x16\\x00\\x00\\x00\\x00\\x00\\x1f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x18\\x00\\x00\\x00\\x00\\x00\\x00\\x001\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "Length",
                "value": "128"
              }
            ],
            "repeated": 0,
            "id": 3110
          },
          {
            "timestamp": "2026-05-28 22:02:14,072",
            "thread_id": "11156",
            "caller": "0x7ffc756d30ce",
            "parentcaller": "0x7ffc77c22cd1",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 3111
          },
          {
            "timestamp": "2026-05-28 22:02:14,072",
            "thread_id": "11156",
            "caller": "0x7ffc756d30ce",
            "parentcaller": "0x7ffc77c22cd1",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000037c"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 3112
          },
          {
            "timestamp": "2026-05-28 22:02:14,072",
            "thread_id": "11156",
            "caller": "0x7ffc756d30ce",
            "parentcaller": "0x7ffc77c22cd1",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 3113
          },
          {
            "timestamp": "2026-05-28 22:02:14,072",
            "thread_id": "11156",
            "caller": "0x7ffc756d30ce",
            "parentcaller": "0x7ffc77c22cd1",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000037c"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 3114
          },
          {
            "timestamp": "2026-05-28 22:02:14,088",
            "thread_id": "11140",
            "caller": "0x7ffc756e6785",
            "parentcaller": "0x7ffc77c12ec5",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000004dc"
              }
            ],
            "repeated": 0,
            "id": 3115
          },
          {
            "timestamp": "2026-05-28 22:02:14,088",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtAllocateVirtualMemoryEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2a3654b0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 3116
          },
          {
            "timestamp": "2026-05-28 22:02:14,088",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtAllocateVirtualMemoryEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2a3654b1000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 3117
          },
          {
            "timestamp": "2026-05-28 22:02:14,088",
            "thread_id": "11132",
            "caller": "0x7ffc756e6785",
            "parentcaller": "0x7ffc77c12ec5",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000047c"
              }
            ],
            "repeated": 0,
            "id": 3118
          },
          {
            "timestamp": "2026-05-28 22:02:14,088",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 3119
          },
          {
            "timestamp": "2026-05-28 22:02:14,088",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002cc"
              },
              {
                "name": "Milliseconds",
                "value": "4909"
              }
            ],
            "repeated": 0,
            "id": 3120
          },
          {
            "timestamp": "2026-05-28 22:02:14,088",
            "thread_id": "11156",
            "caller": "0x7ffc77be92b9",
            "parentcaller": "0x7ffc77c2224d",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "00000339-0000-0000-C000-000000000046"
              },
              {
                "name": "ClsContext",
                "value": "0x00000403",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER|CLSCTX_NO_CODE_DOWNLOAD"
              },
              {
                "name": "riid",
                "value": "00000003-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 3121
          },
          {
            "timestamp": "2026-05-28 22:02:14,088",
            "thread_id": "11156",
            "caller": "0x7ffc770e1630",
            "parentcaller": "0x7ffc770e12cd",
            "category": "system",
            "api": "NtQuerySystemTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 3122
          },
          {
            "timestamp": "2026-05-28 22:02:14,088",
            "thread_id": "11156",
            "caller": "0x7ffc77ff2caa",
            "parentcaller": "0x7ffc77ff2fbd",
            "category": "process",
            "api": "NtAllocateVirtualMemoryEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2a3654b2000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 3123
          },
          {
            "timestamp": "2026-05-28 22:02:14,088",
            "thread_id": "11156",
            "caller": "0x7ffc77ff2caa",
            "parentcaller": "0x7ffc77ff2fbd",
            "category": "process",
            "api": "NtAllocateVirtualMemoryEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2a3654b3000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 3124
          },
          {
            "timestamp": "2026-05-28 22:02:14,088",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000520"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020119",
                "pretty_value": "KEY_QUERY_VALUE|KEY_ENUMERATE_SUB_KEYS|KEY_NOTIFY|KEY_WOW64_64KEY|STANDARD_RIGHTS_REQUIRED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000378"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Windows.Storage.ApplicationData"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Storage.ApplicationData"
              }
            ],
            "repeated": 0,
            "id": 3125
          },
          {
            "timestamp": "2026-05-28 22:02:14,088",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000520"
              },
              {
                "name": "KeyInformation",
                "value": "N\\xffc1\\xffec\\xffe6\\xfff8\\xffee\\xffdc\\x01\\x00\\x00\\x00\\x00>\\x00\\x00\\x00W\\x00i\\x00n\\x00d\\x00o\\x00w\\x00s\\x00.\\x00S\\x00t\\x00o\\x00r\\x00a\\x00g\\x00e\\x00.\\x00A\\x00p\\x00p\\x00l\\x00i\\x00c\\x00a\\x00t\\x00i\\x00o\\x00n\\x00D\\x00a\\x00t\\x00a\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xff80\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00 \\x00\\x00\\x00\\x1b\\x00\\x00\\x00\\x00\\x00\\x00\\x006\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xffb0E\\xffe7w\\xfffc\\x7f\\x00\\x00\\xfff8\\xffbdHe\\xffa3\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xffd0\\xffcb\\xff92\\xfff7\\xffb8\\x00\\x00\\x00\\xff8c\\xffc2\\xffffw\\xfffc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\xffa3\\x02\\x00\\x00\\xfff0xHe\\xffa3\\x02\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xffa3\\x02\\x00\\x00\\x0e\\xffb1>$\\xffbd\\xffaa\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xff90FIe\\xffa3\\x02\\x00\\x00\\xfff8\\xffbdHe\\xffa3\\x02\\x00\\x00\\xffd0\\xffbdHe\\xffa3\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xff87\\xff9d\\xffbbw\\xfffc\\x7f\\x00\\x00\\xfff0xHe\\xffa3\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xffd0\\xffbdHe\\xffa3\\x02\\x00\\x00\\xfff0xHe\\xffa3\\x02\\x00\\x00\\xff90FIe\\xffa3\\x02\\x00\\x00P\\xff90Je\\xffa3\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xfff6s\\xffbbw\\xfffc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x07\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xff80\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xff90FIe\\xffa3\\x02\\x00\\x00\\x00\\x06Ie\\xffa3\\x02\\x00\\x00\\x00\\x06Ie\\xffa3\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xfff0xHe\\xffa3\\x02\\x00\\x00\\x00\
\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x06Ie\\xffa3\\x02\\x00\\x00\\xff8c\\xffc2\\xffffw\\xfffc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\xffa3\\x02\\x00\\x00\\xfff0xHe\\xffa3\\x02\\x00\\x00P\\xff90Je\\xffa3\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xffd0\\xffcc\\xff92\\xfff7\\xffb8\\x00\\x00\\x003\\x00\\x00\\x00\\x00\\x00\\x00\\x00P\\x00Ie\\xffa3\\x02\\x00\\x00\\xffd0\\xffbdHe\\xffa3\\x02\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 3126
          },
          {
            "timestamp": "2026-05-28 22:02:14,088",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000520"
              },
              {
                "name": "ValueName",
                "value": "ActivationType"
              },
              {
                "name": "Data",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Storage.ApplicationData\\ActivationType"
              }
            ],
            "repeated": 0,
            "id": 3127
          },
          {
            "timestamp": "2026-05-28 22:02:14,088",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000520"
              },
              {
                "name": "ValueName",
                "value": "Server"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Storage.ApplicationData\\Server"
              }
            ],
            "repeated": 0,
            "id": 3128
          },
          {
            "timestamp": "2026-05-28 22:02:14,088",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000520"
              },
              {
                "name": "ValueName",
                "value": "DllPath"
              },
              {
                "name": "Data",
                "value": "C:\\Windows\\System32\\Windows.Storage.ApplicationData.dll"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Storage.ApplicationData\\DllPath"
              }
            ],
            "repeated": 0,
            "id": 3129
          },
          {
            "timestamp": "2026-05-28 22:02:14,088",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000520"
              },
              {
                "name": "ValueName",
                "value": "Threading"
              },
              {
                "name": "Data",
                "value": "2"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Storage.ApplicationData\\Threading"
              }
            ],
            "repeated": 0,
            "id": 3130
          },
          {
            "timestamp": "2026-05-28 22:02:14,088",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000520"
              },
              {
                "name": "ValueName",
                "value": "TrustLevel"
              },
              {
                "name": "Data",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Storage.ApplicationData\\TrustLevel"
              }
            ],
            "repeated": 0,
            "id": 3131
          },
          {
            "timestamp": "2026-05-28 22:02:14,088",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000520"
              },
              {
                "name": "SubKey",
                "value": "CustomAttributes"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Storage.ApplicationData\\CustomAttributes"
              }
            ],
            "repeated": 0,
            "id": 3132
          },
          {
            "timestamp": "2026-05-28 22:02:14,088",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000520"
              },
              {
                "name": "ValueName",
                "value": "RemoteServer"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Storage.ApplicationData\\RemoteServer"
              }
            ],
            "repeated": 0,
            "id": 3133
          },
          {
            "timestamp": "2026-05-28 22:02:14,088",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000520"
              },
              {
                "name": "ValueName",
                "value": "ActivateAsUser"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Storage.ApplicationData\\ActivateAsUser"
              }
            ],
            "repeated": 0,
            "id": 3134
          },
          {
            "timestamp": "2026-05-28 22:02:14,088",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000520"
              },
              {
                "name": "ValueName",
                "value": "ActivateInSharedBroker"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Storage.ApplicationData\\ActivateInSharedBroker"
              }
            ],
            "repeated": 0,
            "id": 3135
          },
          {
            "timestamp": "2026-05-28 22:02:14,088",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000520"
              },
              {
                "name": "ValueName",
                "value": "ActivateInBrokerForMediumILContainer"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Storage.ApplicationData\\ActivateInBrokerForMediumILContainer"
              }
            ],
            "repeated": 0,
            "id": 3136
          },
          {
            "timestamp": "2026-05-28 22:02:14,088",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000520"
              },
              {
                "name": "ValueName",
                "value": "Permissions"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Storage.ApplicationData\\Permissions"
              }
            ],
            "repeated": 0,
            "id": 3137
          },
          {
            "timestamp": "2026-05-28 22:02:14,088",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000520"
              },
              {
                "name": "ValueName",
                "value": "ActivateOnHostFlags"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Storage.ApplicationData\\ActivateOnHostFlags"
              }
            ],
            "repeated": 0,
            "id": 3138
          },
          {
            "timestamp": "2026-05-28 22:02:14,088",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000520"
              }
            ],
            "repeated": 0,
            "id": 3139
          },
          {
            "timestamp": "2026-05-28 22:02:14,088",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\System32\\Windows.Storage.ApplicationData"
              },
              {
                "name": "DllBase",
                "value": "0x7ffc5b910000"
              }
            ],
            "repeated": 0,
            "id": 3140
          },
          {
            "timestamp": "2026-05-28 22:02:14,088",
            "thread_id": "11156",
            "caller": "0x7ffc7571ebae",
            "parentcaller": "0x7ffc775c712f",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "0",
                "pretty_value": "ThreadBasicInformation"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x03\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xa1\\xf7\\xb8\\x00\\x00\\x00\\xe0)\\x00\\x00\\x00\\x00\\x00\\x00\\x94+\\x00\\x00\\x00\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "11156"
              }
            ],
            "repeated": 0,
            "id": 3141
          },
          {
            "timestamp": "2026-05-28 22:02:14,088",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\Windows.Storage.ApplicationData.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc5b910000"
              }
            ],
            "repeated": 0,
            "id": 3142
          },
          {
            "timestamp": "2026-05-28 22:02:14,088",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x7ffc5b910000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\System32\\Windows.Storage.ApplicationData.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00002008"
              }
            ],
            "repeated": 0,
            "id": 3143
          },
          {
            "timestamp": "2026-05-28 22:02:14,088",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "Windows.Storage.ApplicationData.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc5b910000"
              },
              {
                "name": "FunctionName",
                "value": "DllGetClassObject"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc5b934340"
              }
            ],
            "repeated": 0,
            "id": 3144
          },
          {
            "timestamp": "2026-05-28 22:02:14,088",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "Windows.Storage.ApplicationData.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc5b910000"
              },
              {
                "name": "FunctionName",
                "value": "DllGetActivationFactory"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc5b9220a0"
              }
            ],
            "repeated": 0,
            "id": 3145
          },
          {
            "timestamp": "2026-05-28 22:02:14,088",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "Windows.Storage.ApplicationData.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc5b910000"
              },
              {
                "name": "FunctionName",
                "value": "DllCanUnloadNow"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc5b9240a0"
              }
            ],
            "repeated": 0,
            "id": 3146
          },
          {
            "timestamp": "2026-05-28 22:02:14,088",
            "thread_id": "11136",
            "caller": "0x7ffc756e6785",
            "parentcaller": "0x7ffc77c12ec5",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000518"
              }
            ],
            "repeated": 0,
            "id": 3147
          },
          {
            "timestamp": "2026-05-28 22:02:14,088",
            "thread_id": "11136",
            "caller": "0x7ffc78017830",
            "parentcaller": "0x7ffc780020f9",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc5b972000"
              },
              {
                "name": "ModuleName",
                "value": "Windows.Storage.ApplicationData.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 3148
          },
          {
            "timestamp": "2026-05-28 22:02:14,088",
            "thread_id": "11136",
            "caller": "0x7ffc78017881",
            "parentcaller": "0x7ffc780020f9",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc5b972000"
              },
              {
                "name": "ModuleName",
                "value": "Windows.Storage.ApplicationData.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 3149
          },
          {
            "timestamp": "2026-05-28 22:02:14,088",
            "thread_id": "11136",
            "caller": "0x7ffc78017830",
            "parentcaller": "0x7ffc780020f9",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc5b972000"
              },
              {
                "name": "ModuleName",
                "value": "Windows.Storage.ApplicationData.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 3150
          },
          {
            "timestamp": "2026-05-28 22:02:14,088",
            "thread_id": "11136",
            "caller": "0x7ffc78017881",
            "parentcaller": "0x7ffc780020f9",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc5b972000"
              },
              {
                "name": "ModuleName",
                "value": "Windows.Storage.ApplicationData.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 3151
          },
          {
            "timestamp": "2026-05-28 22:02:14,088",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": " \\xd5\\x92\\xf7\\xb8\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xfc\\x7f\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\xe9\\x03\\x00\\x00\\xfc\\x7f\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 3152
          },
          {
            "timestamp": "2026-05-28 22:02:14,088",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc5b972000"
              },
              {
                "name": "ModuleName",
                "value": "Windows.Storage.ApplicationData.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 3153
          },
          {
            "timestamp": "2026-05-28 22:02:14,088",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc5b972000"
              },
              {
                "name": "ModuleName",
                "value": "Windows.Storage.ApplicationData.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 3154
          },
          {
            "timestamp": "2026-05-28 22:02:14,088",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000524"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020119",
                "pretty_value": "KEY_QUERY_VALUE|KEY_ENUMERATE_SUB_KEYS|KEY_NOTIFY|KEY_WOW64_64KEY|STANDARD_RIGHTS_REQUIRED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000378"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Windows.ApplicationModel.Core.CoreApplication"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.ApplicationModel.Core.CoreApplication"
              }
            ],
            "repeated": 0,
            "id": 3155
          },
          {
            "timestamp": "2026-05-28 22:02:14,088",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000524"
              },
              {
                "name": "KeyInformation",
                "value": "\\xff97\\xfffc\\xffe7\\xffe6\\xfff8\\xffee\\xffdc\\x01\\x00\\x00\\x00\\x00Z\\x00\\x00\\x00W\\x00i\\x00n\\x00d\\x00o\\x00w\\x00s\\x00.\\x00A\\x00p\\x00p\\x00l\\x00i\\x00c\\x00a\\x00t\\x00i\\x00o\\x00n\\x00M\\x00o\\x00d\\x00e\\x00l\\x00.\\x00C\\x00o\\x00r\\x00e\\x00.\\x00C\\x00o\\x00r\\x00e\\x00A\\x00p\\x00p\\x00l\\x00i\\x00c\\x00a\\x00t\\x00i\\x00o\\x00n\\x00\\x00\\x00\\xfffc\\x7f\\x00\\x00\r\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x1a\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xffb0E\\xffe7w\\xfffc\\x7f\\x00\\x00\\xfff8\\xffb6He\\xffa3\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xffe0\\xffc9\\xff92\\xfff7\\xffb8\\x00\\x00\\x00\\xff8c\\xffc2\\xffffw\\xfffc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\xffa3\\x02\\x00\\x00P\\xffbcHe\\xffa3\\x02\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xffa3\\x02\\x00\\x00\\x1e\\xffbf>$\\xffbd\\xffaa\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10BIe\\xffa3\\x02\\x00\\x00\\xfff8\\xffb6He\\xffa3\\x02\\x00\\x00\\xffd0\\xffb6He\\xffa3\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xff87\\xff9d\\xffbbw\\xfffc\\x7f\\x00\\x00P\\xffbcHe\\xffa3\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xffd0\\xffb6He\\xffa3\\x02\\x00\\x00P\\xffbcHe\\xffa3\\x02\\x00\\x00\\x10BIe\\xffa3\\x02\\x00\\x00\\xffb0\\xff94Je\\xffa3\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xfff6s\\xffbbw\\xfffc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x07\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xff80\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10BIe\\xffa3\\x02\\x00\\x00@\\x04Ie\\xffa3\\x02\\x00\\x00@\\x04Ie\\xffa3\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00P\\xffbcHe\\xffa3\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x0
0\\x00\\x00\\x00\\x00@\\x04Ie\\xffa3\\x02\\x00\\x00\\xff8c\\xffc2\\xffffw\\xfffc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\xffa3\\x02\\x00\\x00P\\xffbcHe\\xffa3\\x02\\x00\\x00\\xffb0\\xff94Je\\xffa3\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xffe0\\xffca\\xff92\\xfff7\\xffb8\\x00\\x00\\x003\\x00\\x00\\x00\\x00\\x00\\x00\\x00@\\x0bIe\\xffa3\\x02\\x00\\x00\\xffd0\\xffb6He\\xffa3\\x02\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 3156
          },
          {
            "timestamp": "2026-05-28 22:02:14,088",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000524"
              },
              {
                "name": "ValueName",
                "value": "ActivationType"
              },
              {
                "name": "Data",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.ApplicationModel.Core.CoreApplication\\ActivationType"
              }
            ],
            "repeated": 0,
            "id": 3157
          },
          {
            "timestamp": "2026-05-28 22:02:14,088",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000524"
              },
              {
                "name": "ValueName",
                "value": "Server"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.ApplicationModel.Core.CoreApplication\\Server"
              }
            ],
            "repeated": 0,
            "id": 3158
          },
          {
            "timestamp": "2026-05-28 22:02:14,088",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000524"
              },
              {
                "name": "ValueName",
                "value": "DllPath"
              },
              {
                "name": "Data",
                "value": "C:\\Windows\\System32\\twinapi.appcore.dll"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.ApplicationModel.Core.CoreApplication\\DllPath"
              }
            ],
            "repeated": 0,
            "id": 3159
          },
          {
            "timestamp": "2026-05-28 22:02:14,088",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000524"
              },
              {
                "name": "ValueName",
                "value": "Threading"
              },
              {
                "name": "Data",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.ApplicationModel.Core.CoreApplication\\Threading"
              }
            ],
            "repeated": 0,
            "id": 3160
          },
          {
            "timestamp": "2026-05-28 22:02:14,088",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000524"
              },
              {
                "name": "ValueName",
                "value": "TrustLevel"
              },
              {
                "name": "Data",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.ApplicationModel.Core.CoreApplication\\TrustLevel"
              }
            ],
            "repeated": 0,
            "id": 3161
          },
          {
            "timestamp": "2026-05-28 22:02:14,088",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000524"
              },
              {
                "name": "SubKey",
                "value": "CustomAttributes"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.ApplicationModel.Core.CoreApplication\\CustomAttributes"
              }
            ],
            "repeated": 0,
            "id": 3162
          },
          {
            "timestamp": "2026-05-28 22:02:14,088",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000524"
              },
              {
                "name": "ValueName",
                "value": "RemoteServer"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.ApplicationModel.Core.CoreApplication\\RemoteServer"
              }
            ],
            "repeated": 0,
            "id": 3163
          },
          {
            "timestamp": "2026-05-28 22:02:14,088",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000524"
              },
              {
                "name": "ValueName",
                "value": "ActivateAsUser"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.ApplicationModel.Core.CoreApplication\\ActivateAsUser"
              }
            ],
            "repeated": 0,
            "id": 3164
          },
          {
            "timestamp": "2026-05-28 22:02:14,088",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000524"
              },
              {
                "name": "ValueName",
                "value": "ActivateInSharedBroker"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.ApplicationModel.Core.CoreApplication\\ActivateInSharedBroker"
              }
            ],
            "repeated": 0,
            "id": 3165
          },
          {
            "timestamp": "2026-05-28 22:02:14,088",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000524"
              },
              {
                "name": "ValueName",
                "value": "ActivateInBrokerForMediumILContainer"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.ApplicationModel.Core.CoreApplication\\ActivateInBrokerForMediumILContainer"
              }
            ],
            "repeated": 0,
            "id": 3166
          },
          {
            "timestamp": "2026-05-28 22:02:14,088",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000524"
              },
              {
                "name": "ValueName",
                "value": "Permissions"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.ApplicationModel.Core.CoreApplication\\Permissions"
              }
            ],
            "repeated": 0,
            "id": 3167
          },
          {
            "timestamp": "2026-05-28 22:02:14,088",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000524"
              },
              {
                "name": "ValueName",
                "value": "ActivateOnHostFlags"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.ApplicationModel.Core.CoreApplication\\ActivateOnHostFlags"
              }
            ],
            "repeated": 0,
            "id": 3168
          },
          {
            "timestamp": "2026-05-28 22:02:14,088",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000524"
              }
            ],
            "repeated": 0,
            "id": 3169
          },
          {
            "timestamp": "2026-05-28 22:02:14,088",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc77fd0000"
              }
            ],
            "repeated": 0,
            "id": 3170
          },
          {
            "timestamp": "2026-05-28 22:02:14,088",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc77fd0000"
              },
              {
                "name": "FunctionName",
                "value": "RtlDisownModuleHeapAllocation"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc7804fa30"
              }
            ],
            "repeated": 0,
            "id": 3171
          },
          {
            "timestamp": "2026-05-28 22:02:14,104",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000504"
              },
              {
                "name": "Milliseconds",
                "value": "18446744073709551615"
              },
              {
                "name": "Status",
                "value": "Infinite"
              }
            ],
            "repeated": 0,
            "id": 3172
          },
          {
            "timestamp": "2026-05-28 22:02:14,104",
            "thread_id": "11128",
            "caller": "0x7ffc6ff7f406",
            "parentcaller": "0x7ffc6ff40733",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "00000323-0000-0000-C000-000000000046"
              },
              {
                "name": "ClsContext",
                "value": "0x00000001",
                "pretty_value": "CLSCTX_INPROC_SERVER"
              },
              {
                "name": "riid",
                "value": "00000146-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 3173
          },
          {
            "timestamp": "2026-05-28 22:02:14,104",
            "thread_id": "11128",
            "caller": "0x7ffc77c2dd9d",
            "parentcaller": "0x7ffc77bc7428",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000530"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020119",
                "pretty_value": "KEY_QUERY_VALUE|KEY_ENUMERATE_SUB_KEYS|KEY_NOTIFY|KEY_WOW64_64KEY|STANDARD_RIGHTS_REQUIRED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000378"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Windows.Foundation.Collections.PropertySet"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Foundation.Collections.PropertySet"
              }
            ],
            "repeated": 0,
            "id": 3174
          },
          {
            "timestamp": "2026-05-28 22:02:14,104",
            "thread_id": "11128",
            "caller": "0x7ffc77c2ddf7",
            "parentcaller": "0x7ffc77bc7428",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000530"
              },
              {
                "name": "KeyInformation",
                "value": "\\xff97\\xfffc\\xffe7\\xffe6\\xfff8\\xffee\\xffdc\\x01\\x00\\x00\\x00\\x00T\\x00\\x00\\x00W\\x00i\\x00n\\x00d\\x00o\\x00w\\x00s\\x00.\\x00F\\x00o\\x00u\\x00n\\x00d\\x00a\\x00t\\x00i\\x00o\\x00n\\x00.\\x00C\\x00o\\x00l\\x00l\\x00e\\x00c\\x00t\\x00i\\x00o\\x00n\\x00s\\x00.\\x00P\\x00r\\x00o\\x00p\\x00e\\x00r\\x00t\\x00y\\x00S\\x00e\\x00t\\x00\\x00\\x00\\x00\\x00 \\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x0f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x1e\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xffb0E\\xffe7w\\xfffc\\x7f\\x00\\x00\\xfff8\\xffb7He\\xffa3\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00p\\xffef\\xffcf\\xfff8\\xffb8\\x00\\x00\\x00\\xff8c\\xffc2\\xffffw\\xfffc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\xffa3\\x02\\x00\\x00P\\xffb8He\\xffa3\\x02\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xffa3\\x02\\x00\\x00n\\xff95c+\\xffbd\\xffaa\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xffd0AIe\\xffa3\\x02\\x00\\x00\\xfff8\\xffb7He\\xffa3\\x02\\x00\\x00\\xffd0\\xffb7He\\xffa3\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xff87\\xff9d\\xffbbw\\xfffc\\x7f\\x00\\x00P\\xffb8He\\xffa3\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xffd0\\xffb7He\\xffa3\\x02\\x00\\x00P\\xffb8He\\xffa3\\x02\\x00\\x00\\xffd0AIe\\xffa3\\x02\\x00\\x00\\xffb0\\xff94Je\\xffa3\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xfff6s\\xffbbw\\xfffc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x07\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xff80\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xffd0AIe\\xffa3\\x02\\x00\\x00\\xffa0!Fe\\xffa3\\x02\\x00\\x00\\xffa0!Fe\\xffa3\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00P\\xffb8He\\xffa3\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00
\\x00\\x00\\x00\\x00\\x00\\x00\\xffa0!Fe\\xffa3\\x02\\x00\\x00\\xff8c\\xffc2\\xffffw\\xfffc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\xffa3\\x02\\x00\\x00P\\xffb8He\\xffa3\\x02\\x00\\x00\\xffb0\\xff94Je\\xffa3\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00p\\xfff0\\xffcf\\xfff8\\xffb8\\x00\\x00\\x003\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xffb0+Fe\\xffa3\\x02\\x00\\x00\\xffd0\\xffb7He\\xffa3\\x02\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 3175
          },
          {
            "timestamp": "2026-05-28 22:02:14,104",
            "thread_id": "11128",
            "caller": "0x7ffc756e2e92",
            "parentcaller": "0x7ffc77c29cb2",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000530"
              },
              {
                "name": "ValueName",
                "value": "ActivationType"
              },
              {
                "name": "Data",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Foundation.Collections.PropertySet\\ActivationType"
              }
            ],
            "repeated": 0,
            "id": 3176
          },
          {
            "timestamp": "2026-05-28 22:02:14,104",
            "thread_id": "11128",
            "caller": "0x7ffc77b87deb",
            "parentcaller": "0x7ffc77c38ff0",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000530"
              },
              {
                "name": "ValueName",
                "value": "Server"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Foundation.Collections.PropertySet\\Server"
              }
            ],
            "repeated": 0,
            "id": 3177
          },
          {
            "timestamp": "2026-05-28 22:02:14,104",
            "thread_id": "11128",
            "caller": "0x7ffc77b87deb",
            "parentcaller": "0x7ffc77c400bb",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000530"
              },
              {
                "name": "ValueName",
                "value": "DllPath"
              },
              {
                "name": "Data",
                "value": "C:\\Windows\\System32\\WinTypes.dll"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Foundation.Collections.PropertySet\\DllPath"
              }
            ],
            "repeated": 0,
            "id": 3178
          },
          {
            "timestamp": "2026-05-28 22:02:14,104",
            "thread_id": "11128",
            "caller": "0x7ffc756e2e92",
            "parentcaller": "0x7ffc77c29cb2",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000530"
              },
              {
                "name": "ValueName",
                "value": "Threading"
              },
              {
                "name": "Data",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Foundation.Collections.PropertySet\\Threading"
              }
            ],
            "repeated": 0,
            "id": 3179
          },
          {
            "timestamp": "2026-05-28 22:02:14,104",
            "thread_id": "11128",
            "caller": "0x7ffc756e2e92",
            "parentcaller": "0x7ffc77c29cb2",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000530"
              },
              {
                "name": "ValueName",
                "value": "TrustLevel"
              },
              {
                "name": "Data",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Foundation.Collections.PropertySet\\TrustLevel"
              }
            ],
            "repeated": 0,
            "id": 3180
          },
          {
            "timestamp": "2026-05-28 22:02:14,104",
            "thread_id": "11128",
            "caller": "0x7ffc77b8c0fc",
            "parentcaller": "0x7ffc77c24170",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000530"
              },
              {
                "name": "SubKey",
                "value": "CustomAttributes"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Foundation.Collections.PropertySet\\CustomAttributes"
              }
            ],
            "repeated": 0,
            "id": 3181
          },
          {
            "timestamp": "2026-05-28 22:02:14,104",
            "thread_id": "11128",
            "caller": "0x7ffc77b87deb",
            "parentcaller": "0x7ffc77c38ff0",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000530"
              },
              {
                "name": "ValueName",
                "value": "RemoteServer"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Foundation.Collections.PropertySet\\RemoteServer"
              }
            ],
            "repeated": 0,
            "id": 3182
          },
          {
            "timestamp": "2026-05-28 22:02:14,104",
            "thread_id": "11128",
            "caller": "0x7ffc756e2e92",
            "parentcaller": "0x7ffc77c29cb2",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000530"
              },
              {
                "name": "ValueName",
                "value": "ActivateAsUser"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Foundation.Collections.PropertySet\\ActivateAsUser"
              }
            ],
            "repeated": 0,
            "id": 3183
          },
          {
            "timestamp": "2026-05-28 22:02:14,104",
            "thread_id": "11128",
            "caller": "0x7ffc756e2e92",
            "parentcaller": "0x7ffc77c29cb2",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000530"
              },
              {
                "name": "ValueName",
                "value": "ActivateInSharedBroker"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Foundation.Collections.PropertySet\\ActivateInSharedBroker"
              }
            ],
            "repeated": 0,
            "id": 3184
          },
          {
            "timestamp": "2026-05-28 22:02:14,104",
            "thread_id": "11128",
            "caller": "0x7ffc756e2e92",
            "parentcaller": "0x7ffc77c29cb2",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000530"
              },
              {
                "name": "ValueName",
                "value": "ActivateInBrokerForMediumILContainer"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Foundation.Collections.PropertySet\\ActivateInBrokerForMediumILContainer"
              }
            ],
            "repeated": 0,
            "id": 3185
          },
          {
            "timestamp": "2026-05-28 22:02:14,104",
            "thread_id": "11128",
            "caller": "0x7ffc756e2e92",
            "parentcaller": "0x7ffc77c32222",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000530"
              },
              {
                "name": "ValueName",
                "value": "Permissions"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Foundation.Collections.PropertySet\\Permissions"
              }
            ],
            "repeated": 0,
            "id": 3186
          },
          {
            "timestamp": "2026-05-28 22:02:14,104",
            "thread_id": "11128",
            "caller": "0x7ffc756e2e92",
            "parentcaller": "0x7ffc77c29cb2",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000530"
              },
              {
                "name": "ValueName",
                "value": "ActivateOnHostFlags"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Foundation.Collections.PropertySet\\ActivateOnHostFlags"
              }
            ],
            "repeated": 0,
            "id": 3187
          },
          {
            "timestamp": "2026-05-28 22:02:14,104",
            "thread_id": "11128",
            "caller": "0x7ffc77c27226",
            "parentcaller": "0x7ffc77c2ca23",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000530"
              }
            ],
            "repeated": 0,
            "id": 3188
          },
          {
            "timestamp": "2026-05-28 22:02:14,104",
            "thread_id": "11128",
            "caller": "0x7ffc6ff491f4",
            "parentcaller": "0x7ffc6ff48d56",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "39"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 3189
          },
          {
            "timestamp": "2026-05-28 22:02:14,104",
            "thread_id": "11128",
            "caller": "0x7ffc6ff4926f",
            "parentcaller": "0x7ffc6ff48d56",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "39"
              },
              {
                "name": "TokenInformation",
                "value": "\\x01\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\xb0bIe\\xa3\\x02\\x00\\x00\\x1c\\x00\\x1c\\x00\\x00\\x00\\x00\\x00PcIe\\xa3\\x02\\x00\\x00\\x03\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00pcIe\\xa3\\x02\\x00\\x00\\x12\\x00\\x12\\x00\\x00\\x00\\x00\\x00\\x84dIe\\xa3\\x02\\x00\\x00\\x02\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x98dIe\\xa3\\x02\\x00\\x00\\x1e\\x00\\x1e\\x00\\x00\\x00\\x00\\x00\\xa0dIe\\xa3\\x02\\x00\\x00\\x02\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xc0dIe\\xa3\\x02\\x00\\x00 \\x00 \\x00\\x00\\x00\\x00\\x00\\xc8dIe\\xa3\\x02\\x00\\x00\\x02\\x00\\x00\\x00A\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xe8dIe\\xa3\\x02\\x00\\x00W\\x00I\\x00N\\x00:\\x00/\\x00/\\x00S\\x00Y\\x00S\\x00A\\x00P\\x00P\\x00I\\x00D\\x00\\x00\\x00\\x00\\x00\\x86\\x00\\x86\\x00\\x00\\x00\\x00\\x00\\xa0cIe\\xa3\\x02\\x00\\x00\\x06\\x00\\x06\\x00\\x00\\x00\\x00\\x00&dIe\\xa3\\x02\\x00\\x00X\\x00X\\x00\\x00\\x00\\x00\\x00,dIe\\xa3\\x02\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 3190
          },
          {
            "timestamp": "2026-05-28 22:02:14,104",
            "thread_id": "11128",
            "caller": "0x7ffc756eac31",
            "parentcaller": "0x7ffc6ff41c1b",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc77fd0000"
              },
              {
                "name": "FunctionName",
                "value": "RtlRegisterFeatureConfigurationChangeNotification"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc77fd93b0"
              }
            ],
            "repeated": 0,
            "id": 3191
          },
          {
            "timestamp": "2026-05-28 22:02:14,104",
            "thread_id": "11128",
            "caller": "0x7ffc756eac31",
            "parentcaller": "0x7ffc6ff41d43",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc77fd0000"
              },
              {
                "name": "FunctionName",
                "value": "NtQueryWnfStateData"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc7806fc40"
              }
            ],
            "repeated": 0,
            "id": 3192
          },
          {
            "timestamp": "2026-05-28 22:02:14,104",
            "thread_id": "11128",
            "caller": "0x7ffc756eac31",
            "parentcaller": "0x7ffc6ff41dc0",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc77fd0000"
              },
              {
                "name": "FunctionName",
                "value": "RtlSubscribeWnfStateChangeNotification"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc78012460"
              }
            ],
            "repeated": 0,
            "id": 3193
          },
          {
            "timestamp": "2026-05-28 22:02:14,104",
            "thread_id": "11128",
            "caller": "0x7ffc756eac31",
            "parentcaller": "0x7ffc6ff43b54",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc77fd0000"
              },
              {
                "name": "FunctionName",
                "value": "RtlQueryFeatureConfiguration"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc7802cbd0"
              }
            ],
            "repeated": 0,
            "id": 3194
          },
          {
            "timestamp": "2026-05-28 22:02:14,104",
            "thread_id": "11032",
            "caller": "0x7ffc756e5810",
            "parentcaller": "0x7ffc1fa0f3bb",
            "category": "filesystem",
            "api": "NtReadFile",
            "status": true,
            "return": "0x00000103",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00001774"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\NamedPipe\\LOCAL\\mojo.9188.10632.18297276111718467407"
              },
              {
                "name": "Buffer",
                "value": "\\x10\\x00\\x00\\x00\\xe0\\x00\\x00\\x00(x\\x0b\\x05\\x00\\x00\\x00\\x00\\x18\\x00\\x14\\x00\\x00\\x00\\x00\\x00!\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00H\\x00\\x00\\x00\\x00\\x00\\x00\\x000\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00`\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00p\\x00\\x00\\x00h\\x00\\x00\\x008\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x17\\xdfy\\x1d\\x01\\x00\\x00\\x00\\xda\\x19\\xcbF\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x18\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x18\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "Length",
                "value": "224"
              }
            ],
            "repeated": 0,
            "id": 3195
          },
          {
            "timestamp": "2026-05-28 22:02:14,104",
            "thread_id": "11128",
            "caller": "0x7ffc756eac31",
            "parentcaller": "0x7ffc6ff6dff2",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc77fd0000"
              },
              {
                "name": "FunctionName",
                "value": "RtlDllShutdownInProgress"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc78033410"
              }
            ],
            "repeated": 0,
            "id": 3196
          },
          {
            "timestamp": "2026-05-28 22:02:14,104",
            "thread_id": "11128",
            "caller": "0x7ffc756ded78",
            "parentcaller": "0x7ffc6ff41eea",
            "category": "synchronization",
            "api": "NtCreateMutant",
            "status": true,
            "return": "0x40000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000530"
              },
              {
                "name": "MutexName",
                "value": "Local\\SM0:10720:304:WilStaging_02"
              },
              {
                "name": "InitialOwner",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 3197
          },
          {
            "timestamp": "2026-05-28 22:02:14,104",
            "thread_id": "11128",
            "caller": "0x7ffc756d30ce",
            "parentcaller": "0x7ffc6ff5a9cc",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000530"
              },
              {
                "name": "Milliseconds",
                "value": "18446744073709551615"
              },
              {
                "name": "Status",
                "value": "Infinite"
              }
            ],
            "repeated": 0,
            "id": 3198
          },
          {
            "timestamp": "2026-05-28 22:02:14,104",
            "thread_id": "11128",
            "caller": "0x7ffc756d30ce",
            "parentcaller": "0x7ffc6ff42239",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 3199
          },
          {
            "timestamp": "2026-05-28 22:02:14,104",
            "thread_id": "11128",
            "caller": "0x7ffc756d30ce",
            "parentcaller": "0x7ffc6ff42239",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000534"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 3200
          },
          {
            "timestamp": "2026-05-28 22:02:14,104",
            "thread_id": "11128",
            "caller": "0x7ffc756d30ce",
            "parentcaller": "0x7ffc6ff42239",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 3201
          },
          {
            "timestamp": "2026-05-28 22:02:14,104",
            "thread_id": "11128",
            "caller": "0x7ffc756d30ce",
            "parentcaller": "0x7ffc6ff42239",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000538"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 3202
          },
          {
            "timestamp": "2026-05-28 22:02:14,104",
            "thread_id": "11128",
            "caller": "0x7ffc756e6785",
            "parentcaller": "0x7ffc6ff814d3",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000538"
              }
            ],
            "repeated": 0,
            "id": 3203
          },
          {
            "timestamp": "2026-05-28 22:02:14,104",
            "thread_id": "11128",
            "caller": "0x7ffc756e6785",
            "parentcaller": "0x7ffc6ff814d3",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000534"
              }
            ],
            "repeated": 0,
            "id": 3204
          },
          {
            "timestamp": "2026-05-28 22:02:14,104",
            "thread_id": "11128",
            "caller": "0x7ffc756ddd5d",
            "parentcaller": "0x7ffc6ff857fb",
            "category": "synchronization",
            "api": "NtReleaseMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000530"
              }
            ],
            "repeated": 0,
            "id": 3205
          },
          {
            "timestamp": "2026-05-28 22:02:14,104",
            "thread_id": "11128",
            "caller": "0x7ffc756e6785",
            "parentcaller": "0x7ffc6ff814d3",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000530"
              }
            ],
            "repeated": 0,
            "id": 3206
          },
          {
            "timestamp": "2026-05-28 22:02:14,104",
            "thread_id": "11128",
            "caller": "0x7ffc756e3a9c",
            "parentcaller": "0x7ffc756e3529",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 3207
          },
          {
            "timestamp": "2026-05-28 22:02:14,104",
            "thread_id": "11128",
            "caller": "0x7ffc756e40c4",
            "parentcaller": "0x7ffc756e3f4b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000114"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 3208
          },
          {
            "timestamp": "2026-05-28 22:02:14,104",
            "thread_id": "11128",
            "caller": "0x7ffc756e3f76",
            "parentcaller": "0x7ffc75764fd4",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000534"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000114"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\XAML"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\XAML"
              }
            ],
            "repeated": 0,
            "id": 3209
          },
          {
            "timestamp": "2026-05-28 22:02:14,104",
            "thread_id": "11128",
            "caller": "0x7ffc756e2fe4",
            "parentcaller": "0x7ffc6ff8154d",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000534"
              },
              {
                "name": "ValueName",
                "value": "OneCoreTransformsEnabledByDefault"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\XAML\\OneCoreTransformsEnabledByDefault"
              }
            ],
            "repeated": 0,
            "id": 3210
          },
          {
            "timestamp": "2026-05-28 22:02:14,104",
            "thread_id": "11128",
            "caller": "0x7ffc756e3018",
            "parentcaller": "0x7ffc6ff8154d",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000534"
              }
            ],
            "repeated": 0,
            "id": 3211
          },
          {
            "timestamp": "2026-05-28 22:02:14,104",
            "thread_id": "11128",
            "caller": "0x7ffc756de76a",
            "parentcaller": "0x7ffc77b9ea0e",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "oleaut32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc77330000"
              }
            ],
            "repeated": 0,
            "id": 3212
          },
          {
            "timestamp": "2026-05-28 22:02:14,104",
            "thread_id": "11128",
            "caller": "0x7ffc78017830",
            "parentcaller": "0x7ffc780020f9",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc77ea1000"
              },
              {
                "name": "ModuleName",
                "value": "combase.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 3213
          },
          {
            "timestamp": "2026-05-28 22:02:14,104",
            "thread_id": "11128",
            "caller": "0x7ffc78017881",
            "parentcaller": "0x7ffc780020f9",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc77ea1000"
              },
              {
                "name": "ModuleName",
                "value": "combase.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 3214
          },
          {
            "timestamp": "2026-05-28 22:02:14,104",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000504"
              }
            ],
            "repeated": 0,
            "id": 3215
          },
          {
            "timestamp": "2026-05-28 22:02:14,104",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "synchronization",
            "api": "NtCreateMutant",
            "status": true,
            "return": "0x40000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000504"
              },
              {
                "name": "MutexName",
                "value": "Local\\SM0:10720:120:WilError_03"
              },
              {
                "name": "InitialOwner",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 3216
          },
          {
            "timestamp": "2026-05-28 22:02:14,104",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000504"
              },
              {
                "name": "Milliseconds",
                "value": "18446744073709551615"
              },
              {
                "name": "Status",
                "value": "Infinite"
              }
            ],
            "repeated": 0,
            "id": 3217
          },
          {
            "timestamp": "2026-05-28 22:02:14,104",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 3218
          },
          {
            "timestamp": "2026-05-28 22:02:14,104",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000538"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 3219
          },
          {
            "timestamp": "2026-05-28 22:02:14,104",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 3220
          },
          {
            "timestamp": "2026-05-28 22:02:14,104",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000053c"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 3221
          },
          {
            "timestamp": "2026-05-28 22:02:14,104",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000053c"
              }
            ],
            "repeated": 0,
            "id": 3222
          },
          {
            "timestamp": "2026-05-28 22:02:14,104",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000538"
              }
            ],
            "repeated": 0,
            "id": 3223
          },
          {
            "timestamp": "2026-05-28 22:02:14,104",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "synchronization",
            "api": "NtReleaseMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000504"
              }
            ],
            "repeated": 0,
            "id": 3224
          },
          {
            "timestamp": "2026-05-28 22:02:14,104",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000504"
              }
            ],
            "repeated": 0,
            "id": 3225
          },
          {
            "timestamp": "2026-05-28 22:02:14,104",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc5b972000"
              },
              {
                "name": "ModuleName",
                "value": "Windows.Storage.ApplicationData.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 3226
          },
          {
            "timestamp": "2026-05-28 22:02:14,104",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc5b972000"
              },
              {
                "name": "ModuleName",
                "value": "Windows.Storage.ApplicationData.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 3227
          },
          {
            "timestamp": "2026-05-28 22:02:14,104",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "29"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 3228
          },
          {
            "timestamp": "2026-05-28 22:02:14,104",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc5b972000"
              },
              {
                "name": "ModuleName",
                "value": "Windows.Storage.ApplicationData.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 3229
          },
          {
            "timestamp": "2026-05-28 22:02:14,104",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc5b972000"
              },
              {
                "name": "ModuleName",
                "value": "Windows.Storage.ApplicationData.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 3230
          },
          {
            "timestamp": "2026-05-28 22:02:14,104",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0000000c"
              },
              {
                "name": "TokenHandle",
                "value": "0x00000504"
              }
            ],
            "repeated": 0,
            "id": 3231
          },
          {
            "timestamp": "2026-05-28 22:02:14,104",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "29"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 3232
          },
          {
            "timestamp": "2026-05-28 22:02:14,104",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000504"
              }
            ],
            "repeated": 0,
            "id": 3233
          },
          {
            "timestamp": "2026-05-28 22:02:14,104",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 3234
          },
          {
            "timestamp": "2026-05-28 22:02:14,104",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000538"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_USERS"
              }
            ],
            "repeated": 0,
            "id": 3235
          },
          {
            "timestamp": "2026-05-28 22:02:14,104",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 3236
          },
          {
            "timestamp": "2026-05-28 22:02:14,104",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000538"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 3237
          },
          {
            "timestamp": "2026-05-28 22:02:14,104",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000053c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000538"
              },
              {
                "name": "ObjectAttributesName",
                "value": "S-1-5-21-3968686040-3210279463-847977608-1001\\Software\\Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.MicrosoftEdge.Stable_8wekyb3d8bbwe\\PSR"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.MicrosoftEdge.Stable_8wekyb3d8bbwe\\PSR"
              }
            ],
            "repeated": 0,
            "id": 3238
          },
          {
            "timestamp": "2026-05-28 22:02:14,104",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000053c"
              },
              {
                "name": "ValueName",
                "value": "WnfStateName"
              },
              {
                "name": "Data",
                "value": "\\xe5\\xd0\\xbd\\xa3mN\\xc6A"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.MicrosoftEdge.Stable_8wekyb3d8bbwe\\PSR\\WnfStateName"
              }
            ],
            "repeated": 0,
            "id": 3239
          },
          {
            "timestamp": "2026-05-28 22:02:14,104",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000053c"
              }
            ],
            "repeated": 0,
            "id": 3240
          },
          {
            "timestamp": "2026-05-28 22:02:14,104",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 3241
          },
          {
            "timestamp": "2026-05-28 22:02:14,104",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000538"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 3242
          },
          {
            "timestamp": "2026-05-28 22:02:14,104",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000053c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000538"
              },
              {
                "name": "ObjectAttributesName",
                "value": "S-1-5-21-3968686040-3210279463-847977608-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders"
              }
            ],
            "repeated": 0,
            "id": 3243
          },
          {
            "timestamp": "2026-05-28 22:02:14,104",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000053c"
              },
              {
                "name": "ValueName",
                "value": "Local AppData"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders\\Local AppData"
              }
            ],
            "repeated": 0,
            "id": 3244
          },
          {
            "timestamp": "2026-05-28 22:02:14,104",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000053c"
              },
              {
                "name": "ValueName",
                "value": "Local AppData"
              },
              {
                "name": "Data",
                "value": "%USERPROFILE%\\AppData\\Local"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders\\Local AppData"
              }
            ],
            "repeated": 0,
            "id": 3245
          },
          {
            "timestamp": "2026-05-28 22:02:14,104",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 3246
          },
          {
            "timestamp": "2026-05-28 22:02:14,104",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000114"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 3247
          },
          {
            "timestamp": "2026-05-28 22:02:14,104",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000540"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000114"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList\\S-1-5-21-3968686040-3210279463-847977608-1001"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList\\S-1-5-21-3968686040-3210279463-847977608-1001"
              }
            ],
            "repeated": 0,
            "id": 3248
          },
          {
            "timestamp": "2026-05-28 22:02:14,104",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000540"
              },
              {
                "name": "ValueName",
                "value": "ProfileImagePath"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList\\S-1-5-21-3968686040-3210279463-847977608-1001\\ProfileImagePath"
              }
            ],
            "repeated": 0,
            "id": 3249
          },
          {
            "timestamp": "2026-05-28 22:02:14,104",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000540"
              },
              {
                "name": "ValueName",
                "value": "ProfileImagePath"
              },
              {
                "name": "Data",
                "value": "C:\\Users\\admin"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList\\S-1-5-21-3968686040-3210279463-847977608-1001\\ProfileImagePath"
              }
            ],
            "repeated": 0,
            "id": 3250
          },
          {
            "timestamp": "2026-05-28 22:02:14,104",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000540"
              }
            ],
            "repeated": 0,
            "id": 3251
          },
          {
            "timestamp": "2026-05-28 22:02:14,104",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000053c"
              }
            ],
            "repeated": 0,
            "id": 3252
          },
          {
            "timestamp": "2026-05-28 22:02:14,104",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc5b972000"
              },
              {
                "name": "ModuleName",
                "value": "Windows.Storage.ApplicationData.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 3253
          },
          {
            "timestamp": "2026-05-28 22:02:14,104",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc5b972000"
              },
              {
                "name": "ModuleName",
                "value": "Windows.Storage.ApplicationData.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 3254
          },
          {
            "timestamp": "2026-05-28 22:02:14,104",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "93"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x7f7\\x9e}"
              }
            ],
            "repeated": 0,
            "id": 3255
          },
          {
            "timestamp": "2026-05-28 22:02:14,104",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtOpenSection",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0000000d"
              },
              {
                "name": "ObjectAttributes",
                "value": "windows.storage.dll"
              }
            ],
            "repeated": 0,
            "id": 3256
          },
          {
            "timestamp": "2026-05-28 22:02:14,104",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\windows.storage.dll"
              }
            ],
            "repeated": 0,
            "id": 3257
          },
          {
            "timestamp": "2026-05-28 22:02:14,104",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x0000053c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100021",
                "pretty_value": "FILE_READ_ACCESS|FILE_EXECUTE|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\windows.storage.dll"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 3258
          },
          {
            "timestamp": "2026-05-28 22:02:14,104",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000540"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0000000d",
                "pretty_value": "SECTION_QUERY|SECTION_MAP_READ|SECTION_MAP_EXECUTE"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x0000053c"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\windows.storage.dll"
              }
            ],
            "repeated": 0,
            "id": 3259
          },
          {
            "timestamp": "2026-05-28 22:02:14,104",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000540"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc73790000"
              },
              {
                "name": "SectionOffset",
                "value": "0x00000000"
              },
              {
                "name": "ViewSize",
                "value": "0x0079b000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000080",
                "pretty_value": "PAGE_EXECUTE_WRITECOPY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 3260
          },
          {
            "timestamp": "2026-05-28 22:02:14,104",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc73f05000"
              },
              {
                "name": "ModuleName",
                "value": "windows.storage.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00003000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 3261
          },
          {
            "timestamp": "2026-05-28 22:02:14,104",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc73da2000"
              },
              {
                "name": "ModuleName",
                "value": "windows.storage.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 3262
          },
          {
            "timestamp": "2026-05-28 22:02:14,104",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc73da2000"
              },
              {
                "name": "ModuleName",
                "value": "windows.storage.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 3263
          },
          {
            "timestamp": "2026-05-28 22:02:14,104",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc73da2000"
              },
              {
                "name": "ModuleName",
                "value": "windows.storage.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 3264
          },
          {
            "timestamp": "2026-05-28 22:02:14,104",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc73da2000"
              },
              {
                "name": "ModuleName",
                "value": "windows.storage.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 3265
          },
          {
            "timestamp": "2026-05-28 22:02:14,104",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc73da1000"
              },
              {
                "name": "ModuleName",
                "value": "windows.storage.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00002000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 3266
          },
          {
            "timestamp": "2026-05-28 22:02:14,104",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtOpenSection",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0000000d"
              },
              {
                "name": "ObjectAttributes",
                "value": "Wldp.dll"
              }
            ],
            "repeated": 0,
            "id": 3267
          },
          {
            "timestamp": "2026-05-28 22:02:14,104",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000540"
              }
            ],
            "repeated": 0,
            "id": 3268
          },
          {
            "timestamp": "2026-05-28 22:02:14,104",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000053c"
              }
            ],
            "repeated": 0,
            "id": 3269
          },
          {
            "timestamp": "2026-05-28 22:02:14,104",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\Wldp.dll"
              }
            ],
            "repeated": 0,
            "id": 3270
          },
          {
            "timestamp": "2026-05-28 22:02:14,104",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\wldp.dll"
              }
            ],
            "repeated": 0,
            "id": 3271
          },
          {
            "timestamp": "2026-05-28 22:02:14,104",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x0000053c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100021",
                "pretty_value": "FILE_READ_ACCESS|FILE_EXECUTE|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\wldp.dll"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 3272
          },
          {
            "timestamp": "2026-05-28 22:02:14,104",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000540"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0000000d",
                "pretty_value": "SECTION_QUERY|SECTION_MAP_READ|SECTION_MAP_EXECUTE"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x0000053c"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\wldp.dll"
              }
            ],
            "repeated": 0,
            "id": 3273
          },
          {
            "timestamp": "2026-05-28 22:02:14,104",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000540"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc75020000"
              },
              {
                "name": "SectionOffset",
                "value": "0x00000000"
              },
              {
                "name": "ViewSize",
                "value": "0x0002d000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000080",
                "pretty_value": "PAGE_EXECUTE_WRITECOPY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 3274
          },
          {
            "timestamp": "2026-05-28 22:02:14,104",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc75049000"
              },
              {
                "name": "ModuleName",
                "value": "Wldp.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 3275
          },
          {
            "timestamp": "2026-05-28 22:02:14,104",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc75039000"
              },
              {
                "name": "ModuleName",
                "value": "Wldp.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 3276
          },
          {
            "timestamp": "2026-05-28 22:02:14,104",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc75039000"
              },
              {
                "name": "ModuleName",
                "value": "Wldp.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 3277
          },
          {
            "timestamp": "2026-05-28 22:02:14,104",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc75039000"
              },
              {
                "name": "ModuleName",
                "value": "Wldp.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 3278
          },
          {
            "timestamp": "2026-05-28 22:02:14,104",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc75039000"
              },
              {
                "name": "ModuleName",
                "value": "Wldp.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 3279
          },
          {
            "timestamp": "2026-05-28 22:02:14,104",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc75039000"
              },
              {
                "name": "ModuleName",
                "value": "Wldp.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 3280
          },
          {
            "timestamp": "2026-05-28 22:02:14,104",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000540"
              }
            ],
            "repeated": 0,
            "id": 3281
          },
          {
            "timestamp": "2026-05-28 22:02:14,104",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000053c"
              }
            ],
            "repeated": 0,
            "id": 3282
          },
          {
            "timestamp": "2026-05-28 22:02:14,104",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc73da1000"
              },
              {
                "name": "ModuleName",
                "value": "windows.storage.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00002000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 3283
          },
          {
            "timestamp": "2026-05-28 22:02:14,104",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "35"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x15\\x00\\x00\\x00\\x12\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xe4)\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\xe9\\x92\\xf5\\xfa\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00P*\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00T*\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00X*\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\*\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xf8*\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xfc*\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00+\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x04+\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x0c+\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 3284
          },
          {
            "timestamp": "2026-05-28 22:02:14,104",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc75039000"
              },
              {
                "name": "ModuleName",
                "value": "Wldp.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 3285
          },
          {
            "timestamp": "2026-05-28 22:02:14,104",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\System32\\Wldp"
              },
              {
                "name": "DllBase",
                "value": "0x7ffc75020000"
              }
            ],
            "repeated": 0,
            "id": 3286
          },
          {
            "timestamp": "2026-05-28 22:02:14,119",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\SYSTEM32\\windows.storage"
              },
              {
                "name": "DllBase",
                "value": "0x7ffc73790000"
              }
            ],
            "repeated": 0,
            "id": 3287
          },
          {
            "timestamp": "2026-05-28 22:02:14,135",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "api-ms-win-eventing-provider-l1-1-0.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc756b0000"
              }
            ],
            "repeated": 0,
            "id": 3288
          },
          {
            "timestamp": "2026-05-28 22:02:14,135",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "KERNELBASE.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc756b0000"
              },
              {
                "name": "FunctionName",
                "value": "EventSetInformation"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc78012af0"
              }
            ],
            "repeated": 0,
            "id": 3289
          },
          {
            "timestamp": "2026-05-28 22:02:14,135",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "LdrpCallInitRoutine",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "MappedPath",
                "value": "\\Device\\HarddiskVolume2\\Windows\\System32\\wldp"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc75020000"
              },
              {
                "name": "InitRoutine",
                "value": "0x7ffc75023200"
              },
              {
                "name": "Reason",
                "value": "1"
              }
            ],
            "repeated": 0,
            "id": 3290
          },
          {
            "timestamp": "2026-05-28 22:02:14,135",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "api-ms-win-core-synch-l1-2-0.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc756b0000"
              }
            ],
            "repeated": 0,
            "id": 3291
          },
          {
            "timestamp": "2026-05-28 22:02:14,135",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "KERNELBASE.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc756b0000"
              },
              {
                "name": "FunctionName",
                "value": "InitializeConditionVariable"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc78039f40"
              }
            ],
            "repeated": 0,
            "id": 3292
          },
          {
            "timestamp": "2026-05-28 22:02:14,135",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "KERNELBASE.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc756b0000"
              },
              {
                "name": "FunctionName",
                "value": "SleepConditionVariableCS"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc75723890"
              }
            ],
            "repeated": 0,
            "id": 3293
          },
          {
            "timestamp": "2026-05-28 22:02:14,135",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "KERNELBASE.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc756b0000"
              },
              {
                "name": "FunctionName",
                "value": "WakeAllConditionVariable"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc78025430"
              }
            ],
            "repeated": 0,
            "id": 3294
          },
          {
            "timestamp": "2026-05-28 22:02:14,135",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc73f05000"
              },
              {
                "name": "ModuleName",
                "value": "windows.storage.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 3295
          },
          {
            "timestamp": "2026-05-28 22:02:14,135",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc73f05000"
              },
              {
                "name": "ModuleName",
                "value": "windows.storage.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 3296
          },
          {
            "timestamp": "2026-05-28 22:02:14,135",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc77fd0000"
              }
            ],
            "repeated": 0,
            "id": 3297
          },
          {
            "timestamp": "2026-05-28 22:02:14,135",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc77fd0000"
              },
              {
                "name": "FunctionName",
                "value": "RtlDllShutdownInProgress"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc78033410"
              }
            ],
            "repeated": 0,
            "id": 3298
          },
          {
            "timestamp": "2026-05-28 22:02:14,135",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "LdrpCallInitRoutine",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "MappedPath",
                "value": "\\Device\\HarddiskVolume2\\Windows\\System32\\windows.storage"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc73790000"
              },
              {
                "name": "InitRoutine",
                "value": "0x7ffc739492f0"
              },
              {
                "name": "Reason",
                "value": "1"
              }
            ],
            "repeated": 0,
            "id": 3299
          },
          {
            "timestamp": "2026-05-28 22:02:14,135",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc5b972000"
              },
              {
                "name": "ModuleName",
                "value": "Windows.Storage.ApplicationData.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 3300
          },
          {
            "timestamp": "2026-05-28 22:02:14,135",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc5b972000"
              },
              {
                "name": "ModuleName",
                "value": "Windows.Storage.ApplicationData.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 3301
          },
          {
            "timestamp": "2026-05-28 22:02:14,135",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc73f05000"
              },
              {
                "name": "ModuleName",
                "value": "windows.storage.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 3302
          },
          {
            "timestamp": "2026-05-28 22:02:14,135",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc73f05000"
              },
              {
                "name": "ModuleName",
                "value": "windows.storage.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 3303
          },
          {
            "timestamp": "2026-05-28 22:02:14,135",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc73f05000"
              },
              {
                "name": "ModuleName",
                "value": "windows.storage.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 3304
          },
          {
            "timestamp": "2026-05-28 22:02:14,135",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc73f05000"
              },
              {
                "name": "ModuleName",
                "value": "windows.storage.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 3305
          },
          {
            "timestamp": "2026-05-28 22:02:14,135",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc73f06000"
              },
              {
                "name": "ModuleName",
                "value": "windows.storage.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 3306
          },
          {
            "timestamp": "2026-05-28 22:02:14,135",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc73f06000"
              },
              {
                "name": "ModuleName",
                "value": "windows.storage.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 3307
          },
          {
            "timestamp": "2026-05-28 22:02:14,135",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76722000"
              },
              {
                "name": "ModuleName",
                "value": "SHLWAPI.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 3308
          },
          {
            "timestamp": "2026-05-28 22:02:14,135",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76722000"
              },
              {
                "name": "ModuleName",
                "value": "SHLWAPI.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 3309
          },
          {
            "timestamp": "2026-05-28 22:02:14,135",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtOpenSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000578"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000006"
              },
              {
                "name": "ObjectAttributes",
                "value": "windows_shell_global_counters"
              }
            ],
            "repeated": 0,
            "id": 3310
          },
          {
            "timestamp": "2026-05-28 22:02:14,135",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000578"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2a36ae60000"
              },
              {
                "name": "SectionOffset",
                "value": "0xb8f792caa0"
              },
              {
                "name": "ViewSize",
                "value": "0x00001000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 3311
          },
          {
            "timestamp": "2026-05-28 22:02:14,135",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76722000"
              },
              {
                "name": "ModuleName",
                "value": "SHLWAPI.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 3312
          },
          {
            "timestamp": "2026-05-28 22:02:14,135",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76722000"
              },
              {
                "name": "ModuleName",
                "value": "SHLWAPI.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 3313
          },
          {
            "timestamp": "2026-05-28 22:02:14,135",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer"
              },
              {
                "name": "Handle",
                "value": "0x0000057c"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer"
              }
            ],
            "repeated": 0,
            "id": 3314
          },
          {
            "timestamp": "2026-05-28 22:02:14,135",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000057c"
              },
              {
                "name": "ValueName",
                "value": "NoPropertiesMyComputer"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\NoPropertiesMyComputer"
              }
            ],
            "repeated": 0,
            "id": 3315
          },
          {
            "timestamp": "2026-05-28 22:02:14,135",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000057c"
              }
            ],
            "repeated": 0,
            "id": 3316
          },
          {
            "timestamp": "2026-05-28 22:02:14,135",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000001",
                "pretty_value": "HKEY_CURRENT_USER"
              },
              {
                "name": "SubKey",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer"
              }
            ],
            "repeated": 0,
            "id": 3317
          },
          {
            "timestamp": "2026-05-28 22:02:14,135",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer"
              },
              {
                "name": "Handle",
                "value": "0x00000580"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer"
              }
            ],
            "repeated": 0,
            "id": 3318
          },
          {
            "timestamp": "2026-05-28 22:02:14,135",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000580"
              },
              {
                "name": "ValueName",
                "value": "NoPropertiesRecycleBin"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\NoPropertiesRecycleBin"
              }
            ],
            "repeated": 0,
            "id": 3319
          },
          {
            "timestamp": "2026-05-28 22:02:14,135",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000580"
              }
            ],
            "repeated": 0,
            "id": 3320
          },
          {
            "timestamp": "2026-05-28 22:02:14,135",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000001",
                "pretty_value": "HKEY_CURRENT_USER"
              },
              {
                "name": "SubKey",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer"
              }
            ],
            "repeated": 0,
            "id": 3321
          },
          {
            "timestamp": "2026-05-28 22:02:14,135",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc73f05000"
              },
              {
                "name": "ModuleName",
                "value": "windows.storage.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 3322
          },
          {
            "timestamp": "2026-05-28 22:02:14,135",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc73f05000"
              },
              {
                "name": "ModuleName",
                "value": "windows.storage.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 3323
          },
          {
            "timestamp": "2026-05-28 22:02:14,135",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc77fd0000"
              }
            ],
            "repeated": 0,
            "id": 3324
          },
          {
            "timestamp": "2026-05-28 22:02:14,135",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc77fd0000"
              },
              {
                "name": "FunctionName",
                "value": "RtlRegisterFeatureConfigurationChangeNotification"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc77fd93b0"
              }
            ],
            "repeated": 0,
            "id": 3325
          },
          {
            "timestamp": "2026-05-28 22:02:14,135",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc77fd0000"
              },
              {
                "name": "FunctionName",
                "value": "NtQueryWnfStateData"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc7806fc40"
              }
            ],
            "repeated": 0,
            "id": 3326
          },
          {
            "timestamp": "2026-05-28 22:02:14,135",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc77fd0000"
              },
              {
                "name": "FunctionName",
                "value": "RtlSubscribeWnfStateChangeNotification"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc78012460"
              }
            ],
            "repeated": 0,
            "id": 3327
          },
          {
            "timestamp": "2026-05-28 22:02:14,135",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc77fd0000"
              },
              {
                "name": "FunctionName",
                "value": "RtlDisownModuleHeapAllocation"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc7804fa30"
              }
            ],
            "repeated": 0,
            "id": 3328
          },
          {
            "timestamp": "2026-05-28 22:02:14,135",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc77fd0000"
              },
              {
                "name": "FunctionName",
                "value": "RtlQueryFeatureConfiguration"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc7802cbd0"
              }
            ],
            "repeated": 0,
            "id": 3329
          },
          {
            "timestamp": "2026-05-28 22:02:14,135",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc77fd0000"
              },
              {
                "name": "FunctionName",
                "value": "RtlDllShutdownInProgress"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc78033410"
              }
            ],
            "repeated": 0,
            "id": 3330
          },
          {
            "timestamp": "2026-05-28 22:02:14,135",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "synchronization",
            "api": "NtCreateMutant",
            "status": true,
            "return": "0x40000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000580"
              },
              {
                "name": "MutexName",
                "value": "Local\\SM0:10720:304:WilStaging_02"
              },
              {
                "name": "InitialOwner",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 3331
          },
          {
            "timestamp": "2026-05-28 22:02:14,135",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000580"
              },
              {
                "name": "Milliseconds",
                "value": "18446744073709551615"
              },
              {
                "name": "Status",
                "value": "Infinite"
              }
            ],
            "repeated": 0,
            "id": 3332
          },
          {
            "timestamp": "2026-05-28 22:02:14,135",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 3333
          },
          {
            "timestamp": "2026-05-28 22:02:14,135",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000584"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 3334
          },
          {
            "timestamp": "2026-05-28 22:02:14,135",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 3335
          },
          {
            "timestamp": "2026-05-28 22:02:14,135",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000588"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 3336
          },
          {
            "timestamp": "2026-05-28 22:02:14,135",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000588"
              }
            ],
            "repeated": 0,
            "id": 3337
          },
          {
            "timestamp": "2026-05-28 22:02:14,135",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000584"
              }
            ],
            "repeated": 0,
            "id": 3338
          },
          {
            "timestamp": "2026-05-28 22:02:14,135",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "synchronization",
            "api": "NtReleaseMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000580"
              }
            ],
            "repeated": 0,
            "id": 3339
          },
          {
            "timestamp": "2026-05-28 22:02:14,135",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000580"
              }
            ],
            "repeated": 0,
            "id": 3340
          },
          {
            "timestamp": "2026-05-28 22:02:14,135",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "synchronization",
            "api": "NtCreateMutant",
            "status": true,
            "return": "0x40000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000580"
              },
              {
                "name": "MutexName",
                "value": "Local\\SM0:10720:120:WilError_03"
              },
              {
                "name": "InitialOwner",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 3341
          },
          {
            "timestamp": "2026-05-28 22:02:14,135",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000580"
              },
              {
                "name": "Milliseconds",
                "value": "18446744073709551615"
              },
              {
                "name": "Status",
                "value": "Infinite"
              }
            ],
            "repeated": 0,
            "id": 3342
          },
          {
            "timestamp": "2026-05-28 22:02:14,135",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 3343
          },
          {
            "timestamp": "2026-05-28 22:02:14,135",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000584"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 3344
          },
          {
            "timestamp": "2026-05-28 22:02:14,135",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 3345
          },
          {
            "timestamp": "2026-05-28 22:02:14,135",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000588"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 3346
          },
          {
            "timestamp": "2026-05-28 22:02:14,135",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000588"
              }
            ],
            "repeated": 0,
            "id": 3347
          },
          {
            "timestamp": "2026-05-28 22:02:14,135",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000584"
              }
            ],
            "repeated": 0,
            "id": 3348
          },
          {
            "timestamp": "2026-05-28 22:02:14,135",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "synchronization",
            "api": "NtReleaseMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000580"
              }
            ],
            "repeated": 0,
            "id": 3349
          },
          {
            "timestamp": "2026-05-28 22:02:14,135",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000580"
              }
            ],
            "repeated": 0,
            "id": 3350
          },
          {
            "timestamp": "2026-05-28 22:02:14,135",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer"
              },
              {
                "name": "Handle",
                "value": "0x00000580"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer"
              }
            ],
            "repeated": 0,
            "id": 3351
          },
          {
            "timestamp": "2026-05-28 22:02:14,135",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000580"
              },
              {
                "name": "ValueName",
                "value": "NoControlPanel"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\NoControlPanel"
              }
            ],
            "repeated": 0,
            "id": 3352
          },
          {
            "timestamp": "2026-05-28 22:02:14,135",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000580"
              }
            ],
            "repeated": 0,
            "id": 3353
          },
          {
            "timestamp": "2026-05-28 22:02:14,135",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000001",
                "pretty_value": "HKEY_CURRENT_USER"
              },
              {
                "name": "SubKey",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer"
              }
            ],
            "repeated": 0,
            "id": 3354
          },
          {
            "timestamp": "2026-05-28 22:02:14,135",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer"
              },
              {
                "name": "Handle",
                "value": "0x00000580"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer"
              }
            ],
            "repeated": 0,
            "id": 3355
          },
          {
            "timestamp": "2026-05-28 22:02:14,135",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000580"
              },
              {
                "name": "ValueName",
                "value": "NoSetFolders"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\NoSetFolders"
              }
            ],
            "repeated": 0,
            "id": 3356
          },
          {
            "timestamp": "2026-05-28 22:02:14,135",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000580"
              }
            ],
            "repeated": 0,
            "id": 3357
          },
          {
            "timestamp": "2026-05-28 22:02:14,135",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000001",
                "pretty_value": "HKEY_CURRENT_USER"
              },
              {
                "name": "SubKey",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer"
              }
            ],
            "repeated": 0,
            "id": 3358
          },
          {
            "timestamp": "2026-05-28 22:02:14,135",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer"
              },
              {
                "name": "Handle",
                "value": "0x00000580"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer"
              }
            ],
            "repeated": 0,
            "id": 3359
          },
          {
            "timestamp": "2026-05-28 22:02:14,135",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000580"
              },
              {
                "name": "ValueName",
                "value": "NoInternetIcon"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\NoInternetIcon"
              }
            ],
            "repeated": 0,
            "id": 3360
          },
          {
            "timestamp": "2026-05-28 22:02:14,135",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000580"
              }
            ],
            "repeated": 0,
            "id": 3361
          },
          {
            "timestamp": "2026-05-28 22:02:14,135",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000001",
                "pretty_value": "HKEY_CURRENT_USER"
              },
              {
                "name": "SubKey",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer"
              }
            ],
            "repeated": 0,
            "id": 3362
          },
          {
            "timestamp": "2026-05-28 22:02:14,135",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\ShellCompatibility\\Applications\\identity_helper.exe"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\ShellCompatibility\\Applications\\identity_helper.exe"
              }
            ],
            "repeated": 0,
            "id": 3363
          },
          {
            "timestamp": "2026-05-28 22:02:14,135",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 3364
          },
          {
            "timestamp": "2026-05-28 22:02:14,135",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000114"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 3365
          },
          {
            "timestamp": "2026-05-28 22:02:14,135",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000580"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000114"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Desktop\\NameSpace"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Desktop\\NameSpace"
              }
            ],
            "repeated": 0,
            "id": 3366
          },
          {
            "timestamp": "2026-05-28 22:02:14,135",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000580"
              },
              {
                "name": "ValueName",
                "value": "ValidateRegItems"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Desktop\\NameSpace\\ValidateRegItems"
              }
            ],
            "repeated": 0,
            "id": 3367
          },
          {
            "timestamp": "2026-05-28 22:02:14,135",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000580"
              }
            ],
            "repeated": 0,
            "id": 3368
          },
          {
            "timestamp": "2026-05-28 22:02:14,135",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 3369
          },
          {
            "timestamp": "2026-05-28 22:02:14,135",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000114"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 3370
          },
          {
            "timestamp": "2026-05-28 22:02:14,135",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000580"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000114"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Desktop\\NameSpace"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Desktop\\NameSpace"
              }
            ],
            "repeated": 0,
            "id": 3371
          },
          {
            "timestamp": "2026-05-28 22:02:14,135",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000580"
              },
              {
                "name": "ValueName",
                "value": "MonitorRegistry"
              },
              {
                "name": "Data",
                "value": "1"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Desktop\\NameSpace\\MonitorRegistry"
              }
            ],
            "repeated": 0,
            "id": 3372
          },
          {
            "timestamp": "2026-05-28 22:02:14,135",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000580"
              }
            ],
            "repeated": 0,
            "id": 3373
          },
          {
            "timestamp": "2026-05-28 22:02:14,135",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc73f05000"
              },
              {
                "name": "ModuleName",
                "value": "windows.storage.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 3374
          },
          {
            "timestamp": "2026-05-28 22:02:14,135",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc73f05000"
              },
              {
                "name": "ModuleName",
                "value": "windows.storage.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 3375
          },
          {
            "timestamp": "2026-05-28 22:02:14,135",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer"
              },
              {
                "name": "Handle",
                "value": "0x00000580"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer"
              }
            ],
            "repeated": 0,
            "id": 3376
          },
          {
            "timestamp": "2026-05-28 22:02:14,135",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000580"
              },
              {
                "name": "ValueName",
                "value": "NoCommonGroups"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\NoCommonGroups"
              }
            ],
            "repeated": 0,
            "id": 3377
          },
          {
            "timestamp": "2026-05-28 22:02:14,135",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000580"
              }
            ],
            "repeated": 0,
            "id": 3378
          },
          {
            "timestamp": "2026-05-28 22:02:14,135",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000001",
                "pretty_value": "HKEY_CURRENT_USER"
              },
              {
                "name": "SubKey",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer"
              }
            ],
            "repeated": 0,
            "id": 3379
          },
          {
            "timestamp": "2026-05-28 22:02:14,135",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc73f05000"
              },
              {
                "name": "ModuleName",
                "value": "windows.storage.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 3380
          },
          {
            "timestamp": "2026-05-28 22:02:14,135",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc73f05000"
              },
              {
                "name": "ModuleName",
                "value": "windows.storage.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 3381
          },
          {
            "timestamp": "2026-05-28 22:02:14,135",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc73f05000"
              },
              {
                "name": "ModuleName",
                "value": "windows.storage.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 3382
          },
          {
            "timestamp": "2026-05-28 22:02:14,135",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc73f05000"
              },
              {
                "name": "ModuleName",
                "value": "windows.storage.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 3383
          },
          {
            "timestamp": "2026-05-28 22:02:14,135",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000000",
                "pretty_value": "HKEY_CLASSES_ROOT"
              },
              {
                "name": "SubKey",
                "value": "CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder"
              },
              {
                "name": "Handle",
                "value": "0x00000586"
              },
              {
                "name": "FullName",
                "value": "HKEY_CLASSES_ROOT\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder"
              }
            ],
            "repeated": 0,
            "id": 3384
          },
          {
            "timestamp": "2026-05-28 22:02:14,135",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc73f05000"
              },
              {
                "name": "ModuleName",
                "value": "windows.storage.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 3385
          },
          {
            "timestamp": "2026-05-28 22:02:14,135",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc73f05000"
              },
              {
                "name": "ModuleName",
                "value": "windows.storage.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 3386
          },
          {
            "timestamp": "2026-05-28 22:02:14,135",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000586"
              },
              {
                "name": "ValueName",
                "value": "Attributes"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\Attributes"
              }
            ],
            "repeated": 0,
            "id": 3387
          },
          {
            "timestamp": "2026-05-28 22:02:14,135",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000586"
              },
              {
                "name": "ValueName",
                "value": "CallForAttributes"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\CallForAttributes"
              }
            ],
            "repeated": 0,
            "id": 3388
          },
          {
            "timestamp": "2026-05-28 22:02:14,135",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000586"
              },
              {
                "name": "ValueName",
                "value": "RestrictedAttributes"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\RestrictedAttributes"
              }
            ],
            "repeated": 0,
            "id": 3389
          },
          {
            "timestamp": "2026-05-28 22:02:14,135",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000586"
              },
              {
                "name": "ValueName",
                "value": "FolderValueFlags"
              },
              {
                "name": "Data",
                "value": "1581568"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\FolderValueFlags"
              }
            ],
            "repeated": 0,
            "id": 3390
          },
          {
            "timestamp": "2026-05-28 22:02:14,135",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000586"
              }
            ],
            "repeated": 0,
            "id": 3391
          },
          {
            "timestamp": "2026-05-28 22:02:14,135",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc73f05000"
              },
              {
                "name": "ModuleName",
                "value": "windows.storage.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 3392
          },
          {
            "timestamp": "2026-05-28 22:02:14,135",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc73f05000"
              },
              {
                "name": "ModuleName",
                "value": "windows.storage.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 3393
          },
          {
            "timestamp": "2026-05-28 22:02:14,135",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000001",
                "pretty_value": "HKEY_CURRENT_USER"
              },
              {
                "name": "SubKey",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder"
              }
            ],
            "repeated": 0,
            "id": 3394
          },
          {
            "timestamp": "2026-05-28 22:02:14,135",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder"
              }
            ],
            "repeated": 0,
            "id": 3395
          },
          {
            "timestamp": "2026-05-28 22:02:14,135",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000001",
                "pretty_value": "HKEY_CURRENT_USER"
              },
              {
                "name": "SubKey",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\NonEnum"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\NonEnum"
              }
            ],
            "repeated": 0,
            "id": 3396
          },
          {
            "timestamp": "2026-05-28 22:02:14,135",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\NonEnum"
              },
              {
                "name": "Handle",
                "value": "0x00000584"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\NonEnum"
              }
            ],
            "repeated": 0,
            "id": 3397
          },
          {
            "timestamp": "2026-05-28 22:02:14,135",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000584"
              },
              {
                "name": "ValueName",
                "value": "{20D04FE0-3AEA-1069-A2D8-08002B30309D}"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\NonEnum\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}"
              }
            ],
            "repeated": 0,
            "id": 3398
          },
          {
            "timestamp": "2026-05-28 22:02:14,135",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000584"
              }
            ],
            "repeated": 0,
            "id": 3399
          },
          {
            "timestamp": "2026-05-28 22:02:14,135",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 3400
          },
          {
            "timestamp": "2026-05-28 22:02:14,135",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000114"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 3401
          },
          {
            "timestamp": "2026-05-28 22:02:14,135",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000584"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000114"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MyComputer\\NameSpace"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MyComputer\\NameSpace"
              }
            ],
            "repeated": 0,
            "id": 3402
          },
          {
            "timestamp": "2026-05-28 22:02:14,135",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000584"
              },
              {
                "name": "ValueName",
                "value": "ValidateRegItems"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MyComputer\\NameSpace\\ValidateRegItems"
              }
            ],
            "repeated": 0,
            "id": 3403
          },
          {
            "timestamp": "2026-05-28 22:02:14,135",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000584"
              }
            ],
            "repeated": 0,
            "id": 3404
          },
          {
            "timestamp": "2026-05-28 22:02:14,135",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 3405
          },
          {
            "timestamp": "2026-05-28 22:02:14,135",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000114"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 3406
          },
          {
            "timestamp": "2026-05-28 22:02:14,135",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000584"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000114"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MyComputer\\NameSpace"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MyComputer\\NameSpace"
              }
            ],
            "repeated": 0,
            "id": 3407
          },
          {
            "timestamp": "2026-05-28 22:02:14,135",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000584"
              },
              {
                "name": "ValueName",
                "value": "MonitorRegistry"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MyComputer\\NameSpace\\MonitorRegistry"
              }
            ],
            "repeated": 0,
            "id": 3408
          },
          {
            "timestamp": "2026-05-28 22:02:14,135",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000584"
              }
            ],
            "repeated": 0,
            "id": 3409
          },
          {
            "timestamp": "2026-05-28 22:02:14,135",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc73f05000"
              },
              {
                "name": "ModuleName",
                "value": "windows.storage.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 3410
          },
          {
            "timestamp": "2026-05-28 22:02:14,135",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc73f05000"
              },
              {
                "name": "ModuleName",
                "value": "windows.storage.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 3411
          },
          {
            "timestamp": "2026-05-28 22:02:14,135",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc73f06000"
              },
              {
                "name": "ModuleName",
                "value": "windows.storage.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 3412
          },
          {
            "timestamp": "2026-05-28 22:02:14,135",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc73f06000"
              },
              {
                "name": "ModuleName",
                "value": "windows.storage.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 3413
          },
          {
            "timestamp": "2026-05-28 22:02:14,135",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtAllocateVirtualMemoryEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2a36549a000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 3414
          },
          {
            "timestamp": "2026-05-28 22:02:14,135",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc77fd0000"
              }
            ],
            "repeated": 0,
            "id": 3415
          },
          {
            "timestamp": "2026-05-28 22:02:14,135",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc77fd0000"
              },
              {
                "name": "FunctionName",
                "value": "RtlAreLongPathsEnabled"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc78045280"
              }
            ],
            "repeated": 0,
            "id": 3416
          },
          {
            "timestamp": "2026-05-28 22:02:14,135",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc5b972000"
              },
              {
                "name": "ModuleName",
                "value": "Windows.Storage.ApplicationData.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 3417
          },
          {
            "timestamp": "2026-05-28 22:02:14,135",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc5b972000"
              },
              {
                "name": "ModuleName",
                "value": "Windows.Storage.ApplicationData.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 3418
          },
          {
            "timestamp": "2026-05-28 22:02:14,135",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76e57000"
              },
              {
                "name": "ModuleName",
                "value": "SHELL32.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 3419
          },
          {
            "timestamp": "2026-05-28 22:02:14,135",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76e57000"
              },
              {
                "name": "ModuleName",
                "value": "SHELL32.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 3420
          },
          {
            "timestamp": "2026-05-28 22:02:14,135",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc77fd0000"
              },
              {
                "name": "FunctionName",
                "value": "RtlDisownModuleHeapAllocation"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc7804fa30"
              }
            ],
            "repeated": 0,
            "id": 3421
          },
          {
            "timestamp": "2026-05-28 22:02:14,135",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\SyncRootManager"
              },
              {
                "name": "Handle",
                "value": "0x00000588"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\SyncRootManager"
              }
            ],
            "repeated": 0,
            "id": 3422
          },
          {
            "timestamp": "2026-05-28 22:02:14,135",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegQueryInfoKeyW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000588"
              },
              {
                "name": "Class",
                "value": ""
              },
              {
                "name": "SubKeyCount",
                "value": "0"
              },
              {
                "name": "MaxSubKeyLength",
                "value": "0"
              },
              {
                "name": "MaxClassLength",
                "value": "0"
              },
              {
                "name": "ValueCount",
                "value": "0"
              },
              {
                "name": "MaxValueNameLength",
                "value": "0"
              },
              {
                "name": "MaxValueLength",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 3423
          },
          {
            "timestamp": "2026-05-28 22:02:14,135",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000588"
              }
            ],
            "repeated": 0,
            "id": 3424
          },
          {
            "timestamp": "2026-05-28 22:02:14,135",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc77fd0000"
              },
              {
                "name": "FunctionName",
                "value": "RtlRegisterFeatureConfigurationChangeNotification"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc77fd93b0"
              }
            ],
            "repeated": 0,
            "id": 3425
          },
          {
            "timestamp": "2026-05-28 22:02:14,135",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc77fd0000"
              },
              {
                "name": "FunctionName",
                "value": "NtQueryWnfStateData"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc7806fc40"
              }
            ],
            "repeated": 0,
            "id": 3426
          },
          {
            "timestamp": "2026-05-28 22:02:14,135",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc77fd0000"
              },
              {
                "name": "FunctionName",
                "value": "RtlSubscribeWnfStateChangeNotification"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc78012460"
              }
            ],
            "repeated": 0,
            "id": 3427
          },
          {
            "timestamp": "2026-05-28 22:02:14,135",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc77fd0000"
              },
              {
                "name": "FunctionName",
                "value": "RtlQueryFeatureConfiguration"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc7802cbd0"
              }
            ],
            "repeated": 0,
            "id": 3428
          },
          {
            "timestamp": "2026-05-28 22:02:14,135",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtAllocateVirtualMemoryEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2a3654b6000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 3429
          },
          {
            "timestamp": "2026-05-28 22:02:14,135",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "synchronization",
            "api": "NtCreateMutant",
            "status": true,
            "return": "0x40000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000588"
              },
              {
                "name": "MutexName",
                "value": "Local\\SM0:10720:304:WilStaging_02"
              },
              {
                "name": "InitialOwner",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 3430
          },
          {
            "timestamp": "2026-05-28 22:02:14,135",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000588"
              },
              {
                "name": "Milliseconds",
                "value": "18446744073709551615"
              },
              {
                "name": "Status",
                "value": "Infinite"
              }
            ],
            "repeated": 0,
            "id": 3431
          },
          {
            "timestamp": "2026-05-28 22:02:14,135",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 3432
          },
          {
            "timestamp": "2026-05-28 22:02:14,135",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000058c"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 3433
          },
          {
            "timestamp": "2026-05-28 22:02:14,135",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 3434
          },
          {
            "timestamp": "2026-05-28 22:02:14,135",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000590"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 3435
          },
          {
            "timestamp": "2026-05-28 22:02:14,135",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000590"
              }
            ],
            "repeated": 0,
            "id": 3436
          },
          {
            "timestamp": "2026-05-28 22:02:14,135",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000058c"
              }
            ],
            "repeated": 0,
            "id": 3437
          },
          {
            "timestamp": "2026-05-28 22:02:14,135",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "synchronization",
            "api": "NtReleaseMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000588"
              }
            ],
            "repeated": 0,
            "id": 3438
          },
          {
            "timestamp": "2026-05-28 22:02:14,135",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000588"
              }
            ],
            "repeated": 0,
            "id": 3439
          },
          {
            "timestamp": "2026-05-28 22:02:14,135",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x0000058c"
              }
            ],
            "repeated": 0,
            "id": 3440
          },
          {
            "timestamp": "2026-05-28 22:02:14,135",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "18"
              },
              {
                "name": "TokenInformation",
                "value": "\\x01\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 3441
          },
          {
            "timestamp": "2026-05-28 22:02:14,135",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "20"
              },
              {
                "name": "TokenInformation",
                "value": "\\x01\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 3442
          },
          {
            "timestamp": "2026-05-28 22:02:14,135",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000058c"
              }
            ],
            "repeated": 0,
            "id": 3443
          },
          {
            "timestamp": "2026-05-28 22:02:14,135",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000000",
                "pretty_value": "HKEY_CLASSES_ROOT"
              },
              {
                "name": "SubKey",
                "value": "Directory"
              },
              {
                "name": "Handle",
                "value": "0x0000058e"
              },
              {
                "name": "FullName",
                "value": "HKEY_CLASSES_ROOT\\Directory"
              }
            ],
            "repeated": 0,
            "id": 3444
          },
          {
            "timestamp": "2026-05-28 22:02:14,135",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000058e"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3968686040-3210279463-847977608-1001_Classes\\Directory"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 3445
          },
          {
            "timestamp": "2026-05-28 22:02:14,135",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000058e"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 1,
            "id": 3446
          },
          {
            "timestamp": "2026-05-28 22:02:14,135",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x0000058e"
              },
              {
                "name": "ObjectAttributesName",
                "value": "ShellEx\\LibraryDescriptionHandler"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\Directory\\ShellEx\\LibraryDescriptionHandler"
              }
            ],
            "repeated": 0,
            "id": 3447
          },
          {
            "timestamp": "2026-05-28 22:02:14,135",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Classes\\Directory\\ShellEx\\LibraryDescriptionHandler"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Classes\\Directory\\ShellEx\\LibraryDescriptionHandler"
              }
            ],
            "repeated": 0,
            "id": 3448
          },
          {
            "timestamp": "2026-05-28 22:02:14,135",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000000",
                "pretty_value": "HKEY_CLASSES_ROOT"
              },
              {
                "name": "SubKey",
                "value": "Folder"
              },
              {
                "name": "Handle",
                "value": "0x00000592"
              },
              {
                "name": "FullName",
                "value": "HKEY_CLASSES_ROOT\\Folder"
              }
            ],
            "repeated": 0,
            "id": 3449
          },
          {
            "timestamp": "2026-05-28 22:02:14,135",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000592"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\Folder"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 3450
          },
          {
            "timestamp": "2026-05-28 22:02:14,135",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000592"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 3451
          },
          {
            "timestamp": "2026-05-28 22:02:14,135",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\x80\\xc4\\x92\\xf7\\xb8\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xfc\\x7f\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\xe9\\x03\\x00\\x00\\xfc\\x7f\\x00\\x00\\xb8\\xcf\\xd93\\xfc\\x7f\\x00\\x00\\x92\\x05\\x00\\x00\\x00\\x00\\x00\\x00\\xe0\\xd2\\xd93\\xfc\\x7f\\x00\\x00\\x04\\x00\\x00\\x00\\xb8\\x00\\x00\\x00\\x80\\xc5\\x92\\xf7\\xb8\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 3452
          },
          {
            "timestamp": "2026-05-28 22:02:14,135",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3968686040-3210279463-847977608-1001_Classes\\Folder\\ShellEx\\LibraryDescriptionHandler"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\Folder\\ShellEx\\LibraryDescriptionHandler"
              }
            ],
            "repeated": 0,
            "id": 3453
          },
          {
            "timestamp": "2026-05-28 22:02:14,135",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000592"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 3454
          },
          {
            "timestamp": "2026-05-28 22:02:14,135",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000592"
              },
              {
                "name": "ObjectAttributesName",
                "value": "ShellEx\\LibraryDescriptionHandler"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Folder\\ShellEx\\LibraryDescriptionHandler"
              }
            ],
            "repeated": 0,
            "id": 3455
          },
          {
            "timestamp": "2026-05-28 22:02:14,135",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000000",
                "pretty_value": "HKEY_CLASSES_ROOT"
              },
              {
                "name": "SubKey",
                "value": "AllFilesystemObjects"
              },
              {
                "name": "Handle",
                "value": "0x00000596"
              },
              {
                "name": "FullName",
                "value": "HKEY_CLASSES_ROOT\\AllFilesystemObjects"
              }
            ],
            "repeated": 0,
            "id": 3456
          },
          {
            "timestamp": "2026-05-28 22:02:14,135",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000596"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\AllFilesystemObjects"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 3457
          },
          {
            "timestamp": "2026-05-28 22:02:14,135",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000596"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 3458
          },
          {
            "timestamp": "2026-05-28 22:02:14,135",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\x80\\xc4\\x92\\xf7\\xb8\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xfc\\x7f\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\xe9\\x03\\x00\\x00\\xfc\\x7f\\x00\\x00\\xb8\\xcf\\xd93\\xfc\\x7f\\x00\\x00\\x96\\x05\\x00\\x00\\x00\\x00\\x00\\x00\\xe0\\xd2\\xd93\\xfc\\x7f\\x00\\x00\\x04\\x00\\x00\\x00\\xb8\\x00\\x00\\x00\\x80\\xc5\\x92\\xf7\\xb8\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 3459
          },
          {
            "timestamp": "2026-05-28 22:02:14,135",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3968686040-3210279463-847977608-1001_Classes\\AllFilesystemObjects\\ShellEx\\LibraryDescriptionHandler"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\AllFilesystemObjects\\ShellEx\\LibraryDescriptionHandler"
              }
            ],
            "repeated": 0,
            "id": 3460
          },
          {
            "timestamp": "2026-05-28 22:02:14,135",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000596"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 3461
          },
          {
            "timestamp": "2026-05-28 22:02:14,135",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000596"
              },
              {
                "name": "ObjectAttributesName",
                "value": "ShellEx\\LibraryDescriptionHandler"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\AllFilesystemObjects\\ShellEx\\LibraryDescriptionHandler"
              }
            ],
            "repeated": 0,
            "id": 3462
          },
          {
            "timestamp": "2026-05-28 22:02:14,135",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000058e"
              }
            ],
            "repeated": 0,
            "id": 3463
          },
          {
            "timestamp": "2026-05-28 22:02:14,135",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000592"
              }
            ],
            "repeated": 0,
            "id": 3464
          },
          {
            "timestamp": "2026-05-28 22:02:14,135",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000596"
              }
            ],
            "repeated": 0,
            "id": 3465
          },
          {
            "timestamp": "2026-05-28 22:02:14,135",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "synchronization",
            "api": "NtOpenEvent",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x7ffc738a67d0"
              },
              {
                "name": "EventName",
                "value": "Global\\WSearchMigPluginActive"
              }
            ],
            "repeated": 0,
            "id": 3466
          },
          {
            "timestamp": "2026-05-28 22:02:14,135",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc73f06000"
              },
              {
                "name": "ModuleName",
                "value": "windows.storage.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 3467
          },
          {
            "timestamp": "2026-05-28 22:02:14,135",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc73f06000"
              },
              {
                "name": "ModuleName",
                "value": "windows.storage.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 3468
          },
          {
            "timestamp": "2026-05-28 22:02:14,135",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "0",
                "pretty_value": "ThreadBasicInformation"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x03\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00`\\xbe\\xf7\\xb8\\x00\\x00\\x00\\xe0)\\x00\\x00\\x00\\x00\\x00\\x00\\xe4)\\x00\\x00\\x00\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\n\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "10724"
              }
            ],
            "repeated": 0,
            "id": 3469
          },
          {
            "timestamp": "2026-05-28 22:02:14,135",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000594"
              },
              {
                "name": "Milliseconds",
                "value": "18446744073709551615"
              },
              {
                "name": "Status",
                "value": "Infinite"
              }
            ],
            "repeated": 0,
            "id": 3470
          },
          {
            "timestamp": "2026-05-28 22:02:14,135",
            "thread_id": "11156",
            "caller": "0x7ffc7571ebae",
            "parentcaller": "0x7ffc775f84de",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "0",
                "pretty_value": "ThreadBasicInformation"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x03\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xa1\\xf7\\xb8\\x00\\x00\\x00\\xe0)\\x00\\x00\\x00\\x00\\x00\\x00\\x94+\\x00\\x00\\x00\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\t\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "11156"
              }
            ],
            "repeated": 0,
            "id": 3471
          },
          {
            "timestamp": "2026-05-28 22:02:14,135",
            "thread_id": "11156",
            "caller": "0x7ffc77be92b9",
            "parentcaller": "0x7ffc77c2224d",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "00000339-0000-0000-C000-000000000046"
              },
              {
                "name": "ClsContext",
                "value": "0x00000403",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER|CLSCTX_NO_CODE_DOWNLOAD"
              },
              {
                "name": "riid",
                "value": "00000003-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 3472
          },
          {
            "timestamp": "2026-05-28 22:02:14,150",
            "thread_id": "11156",
            "caller": "0x7ffc756e56b2",
            "parentcaller": "0x7ffc77bc6b6d",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\system32\\mssprxy"
              },
              {
                "name": "DllBase",
                "value": "0x7ffc65b50000"
              }
            ],
            "repeated": 0,
            "id": 3473
          },
          {
            "timestamp": "2026-05-28 22:02:14,150",
            "thread_id": "11156",
            "caller": "0x7ffc756e56b2",
            "parentcaller": "0x7ffc77bc6b6d",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\mssprxy.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc65b50000"
              }
            ],
            "repeated": 0,
            "id": 3474
          },
          {
            "timestamp": "2026-05-28 22:02:14,150",
            "thread_id": "11156",
            "caller": "0x7ffc73958e8e",
            "parentcaller": "0x7ffc7395f5f2",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "7D096C5F-AC08-4F1F-BEB7-5C22C517CE39"
              },
              {
                "name": "ClsContext",
                "value": "0x00000017",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER|CLSCTX_LOCAL_SERVER|CLSCTX_REMOTE_SERVER"
              },
              {
                "name": "riid",
                "value": "AB310581-AC80-11D1-8DF3-00C04FB6EF69"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 3475
          },
          {
            "timestamp": "2026-05-28 22:02:14,150",
            "thread_id": "11156",
            "caller": "0x7ffc78013f7a",
            "parentcaller": "0x7ffc770b0ed7",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "29"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 3476
          },
          {
            "timestamp": "2026-05-28 22:02:14,150",
            "thread_id": "11156",
            "caller": "0x7ffc77ba22bf",
            "parentcaller": "0x7ffc77c1fbe4",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x000003c6"
              },
              {
                "name": "SubKey",
                "value": "Interface\\{AB310581-AC80-11D1-8DF3-00C04FB6EF50}"
              },
              {
                "name": "Handle",
                "value": "0x00000542"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\Interface\\{AB310581-AC80-11D1-8DF3-00C04FB6EF50}"
              }
            ],
            "repeated": 0,
            "id": 3477
          },
          {
            "timestamp": "2026-05-28 22:02:14,150",
            "thread_id": "11156",
            "caller": "0x7ffc77c1fa51",
            "parentcaller": "0x7ffc77be42ab",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000542"
              },
              {
                "name": "SubKey",
                "value": "ProxyStubClsid32"
              },
              {
                "name": "Handle",
                "value": "0x00000546"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{AB310581-AC80-11D1-8DF3-00C04FB6EF50}\\ProxyStubClsid32"
              }
            ],
            "repeated": 0,
            "id": 3478
          },
          {
            "timestamp": "2026-05-28 22:02:14,150",
            "thread_id": "11156",
            "caller": "0x7ffc77c1fa8c",
            "parentcaller": "0x7ffc77be42ab",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000546"
              },
              {
                "name": "ValueName",
                "value": ""
              },
              {
                "name": "Data",
                "value": "{A5EBA07A-DAE8-4d15-B12F-728EFD8A9866}"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{AB310581-AC80-11D1-8DF3-00C04FB6EF50}\\ProxyStubClsid32\\(Default)"
              }
            ],
            "repeated": 0,
            "id": 3479
          },
          {
            "timestamp": "2026-05-28 22:02:14,150",
            "thread_id": "11156",
            "caller": "0x7ffc77c1fad3",
            "parentcaller": "0x7ffc77be42ab",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000546"
              }
            ],
            "repeated": 0,
            "id": 3480
          },
          {
            "timestamp": "2026-05-28 22:02:14,150",
            "thread_id": "11156",
            "caller": "0x7ffc77c1fae4",
            "parentcaller": "0x7ffc77be42ab",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000542"
              }
            ],
            "repeated": 0,
            "id": 3481
          },
          {
            "timestamp": "2026-05-28 22:02:14,150",
            "thread_id": "11156",
            "caller": "0x7ffc756d30ce",
            "parentcaller": "0x7ffc77c22cd1",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 3482
          },
          {
            "timestamp": "2026-05-28 22:02:14,150",
            "thread_id": "11156",
            "caller": "0x7ffc756d30ce",
            "parentcaller": "0x7ffc77c22cd1",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000037c"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 3483
          },
          {
            "timestamp": "2026-05-28 22:02:14,150",
            "thread_id": "11156",
            "caller": "0x7ffc77ff2caa",
            "parentcaller": "0x7ffc77ff2fbd",
            "category": "process",
            "api": "NtAllocateVirtualMemoryEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2a3654bc000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 3484
          },
          {
            "timestamp": "2026-05-28 22:02:14,150",
            "thread_id": "11156",
            "caller": "0x7ffc77ba22bf",
            "parentcaller": "0x7ffc77c1fbe4",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x000003c6"
              },
              {
                "name": "SubKey",
                "value": "Interface\\{AB310581-AC80-11D1-8DF3-00C04FB6EF55}"
              },
              {
                "name": "Handle",
                "value": "0x00000542"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\Interface\\{AB310581-AC80-11D1-8DF3-00C04FB6EF55}"
              }
            ],
            "repeated": 0,
            "id": 3485
          },
          {
            "timestamp": "2026-05-28 22:02:14,150",
            "thread_id": "11156",
            "caller": "0x7ffc77c1fa51",
            "parentcaller": "0x7ffc77be42ab",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000542"
              },
              {
                "name": "SubKey",
                "value": "ProxyStubClsid32"
              },
              {
                "name": "Handle",
                "value": "0x00000546"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{AB310581-AC80-11D1-8DF3-00C04FB6EF55}\\ProxyStubClsid32"
              }
            ],
            "repeated": 0,
            "id": 3486
          },
          {
            "timestamp": "2026-05-28 22:02:14,150",
            "thread_id": "11156",
            "caller": "0x7ffc77c1fa8c",
            "parentcaller": "0x7ffc77be42ab",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000546"
              },
              {
                "name": "ValueName",
                "value": ""
              },
              {
                "name": "Data",
                "value": "{A5EBA07A-DAE8-4d15-B12F-728EFD8A9866}"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{AB310581-AC80-11D1-8DF3-00C04FB6EF55}\\ProxyStubClsid32\\(Default)"
              }
            ],
            "repeated": 0,
            "id": 3487
          },
          {
            "timestamp": "2026-05-28 22:02:14,150",
            "thread_id": "11156",
            "caller": "0x7ffc77c1fad3",
            "parentcaller": "0x7ffc77be42ab",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000546"
              }
            ],
            "repeated": 0,
            "id": 3488
          },
          {
            "timestamp": "2026-05-28 22:02:14,150",
            "thread_id": "11156",
            "caller": "0x7ffc77c1fae4",
            "parentcaller": "0x7ffc77be42ab",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000542"
              }
            ],
            "repeated": 0,
            "id": 3489
          },
          {
            "timestamp": "2026-05-28 22:02:14,150",
            "thread_id": "11156",
            "caller": "0x7ffc77ff2caa",
            "parentcaller": "0x7ffc77ff2fbd",
            "category": "process",
            "api": "NtAllocateVirtualMemoryEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2a3654b9000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 3490
          },
          {
            "timestamp": "2026-05-28 22:02:14,150",
            "thread_id": "11156",
            "caller": "0x7ffc756d30ce",
            "parentcaller": "0x7ffc77c22cd1",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 3491
          },
          {
            "timestamp": "2026-05-28 22:02:14,150",
            "thread_id": "11156",
            "caller": "0x7ffc756d30ce",
            "parentcaller": "0x7ffc77c22cd1",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000037c"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 3492
          },
          {
            "timestamp": "2026-05-28 22:02:14,150",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc73f05000"
              },
              {
                "name": "ModuleName",
                "value": "windows.storage.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 3493
          },
          {
            "timestamp": "2026-05-28 22:02:14,150",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc73f05000"
              },
              {
                "name": "ModuleName",
                "value": "windows.storage.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 3494
          },
          {
            "timestamp": "2026-05-28 22:02:14,150",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc729df000"
              },
              {
                "name": "ModuleName",
                "value": "PROPSYS.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 3495
          },
          {
            "timestamp": "2026-05-28 22:02:14,150",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc729df000"
              },
              {
                "name": "ModuleName",
                "value": "PROPSYS.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 3496
          },
          {
            "timestamp": "2026-05-28 22:02:14,150",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc729df000"
              },
              {
                "name": "ModuleName",
                "value": "PROPSYS.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 3497
          },
          {
            "timestamp": "2026-05-28 22:02:14,150",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc729df000"
              },
              {
                "name": "ModuleName",
                "value": "PROPSYS.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 3498
          },
          {
            "timestamp": "2026-05-28 22:02:14,150",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc729df000"
              },
              {
                "name": "ModuleName",
                "value": "PROPSYS.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 3499
          },
          {
            "timestamp": "2026-05-28 22:02:14,150",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc729df000"
              },
              {
                "name": "ModuleName",
                "value": "PROPSYS.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 3500
          },
          {
            "timestamp": "2026-05-28 22:02:14,150",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\propsys.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc728f0000"
              }
            ],
            "repeated": 0,
            "id": 3501
          },
          {
            "timestamp": "2026-05-28 22:02:14,150",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "76765B11-3F95-4AF2-AC9D-EA55D8994F1A"
              },
              {
                "name": "ClsContext",
                "value": "0x00000001",
                "pretty_value": "CLSCTX_INPROC_SERVER"
              },
              {
                "name": "riid",
                "value": "00000000-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 3502
          },
          {
            "timestamp": "2026-05-28 22:02:14,150",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc729df000"
              },
              {
                "name": "ModuleName",
                "value": "PROPSYS.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 3503
          },
          {
            "timestamp": "2026-05-28 22:02:14,150",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc729df000"
              },
              {
                "name": "ModuleName",
                "value": "PROPSYS.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 3504
          },
          {
            "timestamp": "2026-05-28 22:02:14,150",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "1F486A52-3CB1-48FD-8F50-B8DC300D9F9D"
              },
              {
                "name": "ClsContext",
                "value": "0x00000001",
                "pretty_value": "CLSCTX_INPROC_SERVER"
              },
              {
                "name": "riid",
                "value": "ECF31D61-E474-453C-BEE7-DE68E441C6D0"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 3505
          },
          {
            "timestamp": "2026-05-28 22:02:14,150",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtAllocateVirtualMemoryEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2a36549e000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 3506
          },
          {
            "timestamp": "2026-05-28 22:02:14,150",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc77fd0000"
              }
            ],
            "repeated": 0,
            "id": 3507
          },
          {
            "timestamp": "2026-05-28 22:02:14,150",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc77fd0000"
              },
              {
                "name": "FunctionName",
                "value": "RtlDisownModuleHeapAllocation"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc7804fa30"
              }
            ],
            "repeated": 0,
            "id": 3508
          },
          {
            "timestamp": "2026-05-28 22:02:14,150",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtOpenSection",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000004"
              },
              {
                "name": "ObjectAttributes",
                "value": "Global\\C:*ProgramData*Microsoft*Windows*Caches*cversions.2"
              }
            ],
            "repeated": 0,
            "id": 3509
          },
          {
            "timestamp": "2026-05-28 22:02:14,150",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtOpenSection",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000004"
              },
              {
                "name": "ObjectAttributes",
                "value": "Local\\C:*ProgramData*Microsoft*Windows*Caches*cversions.2"
              }
            ],
            "repeated": 0,
            "id": 3510
          },
          {
            "timestamp": "2026-05-28 22:02:14,150",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtOpenSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000544"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000004"
              },
              {
                "name": "ObjectAttributes",
                "value": "Global\\C:*ProgramData*Microsoft*Windows*Caches*cversions.2.ro"
              }
            ],
            "repeated": 0,
            "id": 3511
          },
          {
            "timestamp": "2026-05-28 22:02:14,150",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000544"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2a36ae70000"
              },
              {
                "name": "SectionOffset",
                "value": "0xb8f792bc30"
              },
              {
                "name": "ViewSize",
                "value": "0x00004000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 3512
          },
          {
            "timestamp": "2026-05-28 22:02:14,150",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtOpenSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x0000058c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000004"
              },
              {
                "name": "ObjectAttributes",
                "value": "Global\\C:*ProgramData*Microsoft*Windows*Caches*{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0000000000000001.db"
              }
            ],
            "repeated": 0,
            "id": 3513
          },
          {
            "timestamp": "2026-05-28 22:02:14,150",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x0000058c"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2a36ae80000"
              },
              {
                "name": "SectionOffset",
                "value": "0xb8f792cb90"
              },
              {
                "name": "ViewSize",
                "value": "0x00049000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 3514
          },
          {
            "timestamp": "2026-05-28 22:02:14,150",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc729df000"
              },
              {
                "name": "ModuleName",
                "value": "PROPSYS.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 3515
          },
          {
            "timestamp": "2026-05-28 22:02:14,150",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc729df000"
              },
              {
                "name": "ModuleName",
                "value": "PROPSYS.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 3516
          },
          {
            "timestamp": "2026-05-28 22:02:14,150",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\SysWOW64\\propsys.dll"
              }
            ],
            "repeated": 1,
            "id": 3517
          },
          {
            "timestamp": "2026-05-28 22:02:14,150",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "filesystem",
            "api": "NtQueryFullAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\propsys.dll"
              }
            ],
            "repeated": 0,
            "id": 3518
          },
          {
            "timestamp": "2026-05-28 22:02:14,150",
            "thread_id": "11156",
            "caller": "0x7ffc7571ebae",
            "parentcaller": "0x7ffc775c712f",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "0",
                "pretty_value": "ThreadBasicInformation"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x03\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xa1\\xf7\\xb8\\x00\\x00\\x00\\xe0)\\x00\\x00\\x00\\x00\\x00\\x00\\x94+\\x00\\x00\\x00\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\t\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "11156"
              }
            ],
            "repeated": 0,
            "id": 3519
          },
          {
            "timestamp": "2026-05-28 22:02:14,150",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtOpenSection",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000004"
              },
              {
                "name": "ObjectAttributes",
                "value": "Global\\C:*ProgramData*Microsoft*Windows*Caches*cversions.2"
              }
            ],
            "repeated": 0,
            "id": 3520
          },
          {
            "timestamp": "2026-05-28 22:02:14,150",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtOpenSection",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000004"
              },
              {
                "name": "ObjectAttributes",
                "value": "Local\\C:*ProgramData*Microsoft*Windows*Caches*cversions.2"
              }
            ],
            "repeated": 0,
            "id": 3521
          },
          {
            "timestamp": "2026-05-28 22:02:14,150",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtOpenSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x0000059c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000004"
              },
              {
                "name": "ObjectAttributes",
                "value": "Global\\C:*ProgramData*Microsoft*Windows*Caches*cversions.2.ro"
              }
            ],
            "repeated": 0,
            "id": 3522
          },
          {
            "timestamp": "2026-05-28 22:02:14,150",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x0000059c"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2a36aed0000"
              },
              {
                "name": "SectionOffset",
                "value": "0xb8f792bce0"
              },
              {
                "name": "ViewSize",
                "value": "0x00004000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 3523
          },
          {
            "timestamp": "2026-05-28 22:02:14,150",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtOpenSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x000005a0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000004"
              },
              {
                "name": "ObjectAttributes",
                "value": "Global\\C:*ProgramData*Microsoft*Windows*Caches*{DDF571F2-BE98-426D-8288-1A9A39C3FDA2}.2.ver0x0000000000000001.db"
              }
            ],
            "repeated": 0,
            "id": 3524
          },
          {
            "timestamp": "2026-05-28 22:02:14,150",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x000005a0"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2a36aee0000"
              },
              {
                "name": "SectionOffset",
                "value": "0xb8f792cc40"
              },
              {
                "name": "ViewSize",
                "value": "0x0009c000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 3525
          },
          {
            "timestamp": "2026-05-28 22:02:14,150",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\SysWOW64\\propsys.dll"
              }
            ],
            "repeated": 1,
            "id": 3526
          },
          {
            "timestamp": "2026-05-28 22:02:14,150",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "filesystem",
            "api": "NtQueryFullAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\propsys.dll"
              }
            ],
            "repeated": 0,
            "id": 3527
          },
          {
            "timestamp": "2026-05-28 22:02:14,150",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc73f06000"
              },
              {
                "name": "ModuleName",
                "value": "windows.storage.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 3528
          },
          {
            "timestamp": "2026-05-28 22:02:14,150",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc73f06000"
              },
              {
                "name": "ModuleName",
                "value": "windows.storage.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 3529
          },
          {
            "timestamp": "2026-05-28 22:02:14,150",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "39"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 3530
          },
          {
            "timestamp": "2026-05-28 22:02:14,150",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtAllocateVirtualMemoryEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2a36549f000"
              },
              {
                "name": "RegionSize",
                "value": "0x00002000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 3531
          },
          {
            "timestamp": "2026-05-28 22:02:14,150",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "39"
              },
              {
                "name": "TokenInformation",
                "value": "\\x01\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\xc0\\xe9Ie\\xa3\\x02\\x00\\x00\\x1c\\x00\\x1c\\x00\\x00\\x00\\x00\\x00`\\xeaIe\\xa3\\x02\\x00\\x00\\x03\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x80\\xeaIe\\xa3\\x02\\x00\\x00\\x12\\x00\\x12\\x00\\x00\\x00\\x00\\x00\\x94\\xebIe\\xa3\\x02\\x00\\x00\\x02\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xa8\\xebIe\\xa3\\x02\\x00\\x00\\x1e\\x00\\x1e\\x00\\x00\\x00\\x00\\x00\\xb0\\xebIe\\xa3\\x02\\x00\\x00\\x02\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xd0\\xebIe\\xa3\\x02\\x00\\x00 \\x00 \\x00\\x00\\x00\\x00\\x00\\xd8\\xebIe\\xa3\\x02\\x00\\x00\\x02\\x00\\x00\\x00A\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xf8\\xebIe\\xa3\\x02\\x00\\x00W\\x00I\\x00N\\x00:\\x00/\\x00/\\x00S\\x00Y\\x00S\\x00A\\x00P\\x00P\\x00I\\x00D\\x00\\x00\\x00\\x00\\x00\\x86\\x00\\x86\\x00\\x00\\x00\\x00\\x00\\xb0\\xeaIe\\xa3\\x02\\x00\\x00\\x06\\x00\\x06\\x00\\x00\\x00\\x00\\x006\\xebIe\\xa3\\x02\\x00\\x00X\\x00X\\x00\\x00\\x00\\x00\\x00<\\xebIe\\xa3\\x02\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 3532
          },
          {
            "timestamp": "2026-05-28 22:02:14,150",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "39"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 3533
          },
          {
            "timestamp": "2026-05-28 22:02:14,150",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "39"
              },
              {
                "name": "TokenInformation",
                "value": "\\x01\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\xc0\\xe9Ie\\xa3\\x02\\x00\\x00\\x1c\\x00\\x1c\\x00\\x00\\x00\\x00\\x00`\\xeaIe\\xa3\\x02\\x00\\x00\\x03\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x80\\xeaIe\\xa3\\x02\\x00\\x00\\x12\\x00\\x12\\x00\\x00\\x00\\x00\\x00\\x94\\xebIe\\xa3\\x02\\x00\\x00\\x02\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xa8\\xebIe\\xa3\\x02\\x00\\x00\\x1e\\x00\\x1e\\x00\\x00\\x00\\x00\\x00\\xb0\\xebIe\\xa3\\x02\\x00\\x00\\x02\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xd0\\xebIe\\xa3\\x02\\x00\\x00 \\x00 \\x00\\x00\\x00\\x00\\x00\\xd8\\xebIe\\xa3\\x02\\x00\\x00\\x02\\x00\\x00\\x00A\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xf8\\xebIe\\xa3\\x02\\x00\\x00W\\x00I\\x00N\\x00:\\x00/\\x00/\\x00S\\x00Y\\x00S\\x00A\\x00P\\x00P\\x00I\\x00D\\x00\\x00\\x00\\x00\\x00\\x86\\x00\\x86\\x00\\x00\\x00\\x00\\x00\\xb0\\xeaIe\\xa3\\x02\\x00\\x00\\x06\\x00\\x06\\x00\\x00\\x00\\x00\\x006\\xebIe\\xa3\\x02\\x00\\x00X\\x00X\\x00\\x00\\x00\\x00\\x00<\\xebIe\\xa3\\x02\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 3534
          },
          {
            "timestamp": "2026-05-28 22:02:14,150",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc73f05000"
              },
              {
                "name": "ModuleName",
                "value": "windows.storage.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 3535
          },
          {
            "timestamp": "2026-05-28 22:02:14,150",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc73f05000"
              },
              {
                "name": "ModuleName",
                "value": "windows.storage.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 3536
          },
          {
            "timestamp": "2026-05-28 22:02:14,150",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 3537
          },
          {
            "timestamp": "2026-05-28 22:02:14,150",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00lHe\\xa3\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x11\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\xe9\\x03\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 3538
          },
          {
            "timestamp": "2026-05-28 22:02:14,150",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0000000c"
              },
              {
                "name": "TokenHandle",
                "value": "0x000005a4"
              }
            ],
            "repeated": 0,
            "id": 3539
          },
          {
            "timestamp": "2026-05-28 22:02:14,150",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "29"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 3540
          },
          {
            "timestamp": "2026-05-28 22:02:14,150",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005a4"
              }
            ],
            "repeated": 0,
            "id": 3541
          },
          {
            "timestamp": "2026-05-28 22:02:14,150",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 3542
          },
          {
            "timestamp": "2026-05-28 22:02:14,150",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000538"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 3543
          },
          {
            "timestamp": "2026-05-28 22:02:14,150",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000005a4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000538"
              },
              {
                "name": "ObjectAttributesName",
                "value": "S-1-5-21-3968686040-3210279463-847977608-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders"
              }
            ],
            "repeated": 0,
            "id": 3544
          },
          {
            "timestamp": "2026-05-28 22:02:14,150",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005a4"
              },
              {
                "name": "ValueName",
                "value": "Local AppData"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders\\Local AppData"
              }
            ],
            "repeated": 0,
            "id": 3545
          },
          {
            "timestamp": "2026-05-28 22:02:14,150",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005a4"
              },
              {
                "name": "ValueName",
                "value": "Local AppData"
              },
              {
                "name": "Data",
                "value": "%USERPROFILE%\\AppData\\Local"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders\\Local AppData"
              }
            ],
            "repeated": 0,
            "id": 3546
          },
          {
            "timestamp": "2026-05-28 22:02:14,150",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 3547
          },
          {
            "timestamp": "2026-05-28 22:02:14,150",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000114"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 3548
          },
          {
            "timestamp": "2026-05-28 22:02:14,150",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000005a8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000114"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList\\S-1-5-21-3968686040-3210279463-847977608-1001"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList\\S-1-5-21-3968686040-3210279463-847977608-1001"
              }
            ],
            "repeated": 0,
            "id": 3549
          },
          {
            "timestamp": "2026-05-28 22:02:14,150",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005a8"
              },
              {
                "name": "ValueName",
                "value": "ProfileImagePath"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList\\S-1-5-21-3968686040-3210279463-847977608-1001\\ProfileImagePath"
              }
            ],
            "repeated": 0,
            "id": 3550
          },
          {
            "timestamp": "2026-05-28 22:02:14,150",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005a8"
              },
              {
                "name": "ValueName",
                "value": "ProfileImagePath"
              },
              {
                "name": "Data",
                "value": "C:\\Users\\admin"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList\\S-1-5-21-3968686040-3210279463-847977608-1001\\ProfileImagePath"
              }
            ],
            "repeated": 0,
            "id": 3551
          },
          {
            "timestamp": "2026-05-28 22:02:14,150",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005a8"
              }
            ],
            "repeated": 0,
            "id": 3552
          },
          {
            "timestamp": "2026-05-28 22:02:14,150",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005a4"
              }
            ],
            "repeated": 0,
            "id": 3553
          },
          {
            "timestamp": "2026-05-28 22:02:14,150",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 3554
          },
          {
            "timestamp": "2026-05-28 22:02:14,150",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000114"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 3555
          },
          {
            "timestamp": "2026-05-28 22:02:14,150",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000005a4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020119",
                "pretty_value": "KEY_QUERY_VALUE|KEY_ENUMERATE_SUB_KEYS|KEY_NOTIFY|KEY_WOW64_64KEY|STANDARD_RIGHTS_REQUIRED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000114"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Appx"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Appx"
              }
            ],
            "repeated": 0,
            "id": 3556
          },
          {
            "timestamp": "2026-05-28 22:02:14,150",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005a4"
              },
              {
                "name": "ValueName",
                "value": "PackageRepositoryRoot"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Appx\\PackageRepositoryRoot"
              }
            ],
            "repeated": 0,
            "id": 3557
          },
          {
            "timestamp": "2026-05-28 22:02:14,150",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005a4"
              },
              {
                "name": "ValueName",
                "value": "PackageRepositoryRoot"
              },
              {
                "name": "Data",
                "value": "C:\\ProgramData\\Microsoft\\Windows\\AppRepository"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Appx\\PackageRepositoryRoot"
              }
            ],
            "repeated": 0,
            "id": 3558
          },
          {
            "timestamp": "2026-05-28 22:02:14,150",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005a4"
              }
            ],
            "repeated": 0,
            "id": 3559
          },
          {
            "timestamp": "2026-05-28 22:02:14,150",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "misc",
            "api": "RtlSetCurrentTransaction",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "TransactionHandle",
                "value": "0x00000000"
              }
            ],
            "repeated": 1,
            "id": 3560
          },
          {
            "timestamp": "2026-05-28 22:02:14,150",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000114"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 3561
          },
          {
            "timestamp": "2026-05-28 22:02:14,150",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000005a4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020119",
                "pretty_value": "KEY_QUERY_VALUE|KEY_ENUMERATE_SUB_KEYS|KEY_NOTIFY|KEY_WOW64_64KEY|STANDARD_RIGHTS_REQUIRED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000114"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Appx"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Appx"
              }
            ],
            "repeated": 0,
            "id": 3562
          },
          {
            "timestamp": "2026-05-28 22:02:14,150",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005a4"
              },
              {
                "name": "ValueName",
                "value": "PackageRepositoryRoot"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Appx\\PackageRepositoryRoot"
              }
            ],
            "repeated": 0,
            "id": 3563
          },
          {
            "timestamp": "2026-05-28 22:02:14,150",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005a4"
              },
              {
                "name": "ValueName",
                "value": "PackageRepositoryRoot"
              },
              {
                "name": "Data",
                "value": "C:\\ProgramData\\Microsoft\\Windows\\AppRepository"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Appx\\PackageRepositoryRoot"
              }
            ],
            "repeated": 0,
            "id": 3564
          },
          {
            "timestamp": "2026-05-28 22:02:14,150",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005a4"
              }
            ],
            "repeated": 0,
            "id": 3565
          },
          {
            "timestamp": "2026-05-28 22:02:14,150",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtAllocateVirtualMemoryEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2a3654a1000"
              },
              {
                "name": "RegionSize",
                "value": "0x00002000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 3566
          },
          {
            "timestamp": "2026-05-28 22:02:14,150",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": false,
            "return": "0xffffffffc00000ba",
            "pretty_return": "FILE_IS_A_DIRECTORY",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100080",
                "pretty_value": "FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Users\\admin\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge.Stable_8wekyb3d8bbwe"
              },
              {
                "name": "ShareAccess",
                "value": "3",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE"
              }
            ],
            "repeated": 0,
            "id": 3567
          },
          {
            "timestamp": "2026-05-28 22:02:14,166",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000005a4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100080",
                "pretty_value": "FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Users\\admin\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge.Stable_8wekyb3d8bbwe\\"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "3",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000080",
                "pretty_value": "FILE_ATTRIBUTE_NORMAL"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 3568
          },
          {
            "timestamp": "2026-05-28 22:02:14,166",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "device",
            "api": "DeviceIoControl",
            "status": false,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "DeviceHandle",
                "value": "0x000005a4"
              },
              {
                "name": "IoControlCode",
                "value": "0x000900a8",
                "pretty_value": "FSCTL_GET_REPARSE_POINT"
              },
              {
                "name": "InBuffer",
                "value": ""
              },
              {
                "name": "OutBuffer",
                "value": "P\\xbd\\x92\\xf7\\xb8\\x00\\x00\\x00\\x80\\xbd\\x92\\xf7\\xb8\\x00\\x00\\x00\\x80\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\xba\\x00\\x00\\xc0\\xff\\xff\\xff\\xff\\xffh\\x17\\xbf\\x06\\x1a\\x00\\x00\\x08\\x82\\xd93\\xfc\\x7f\\x00\\x00\\xd0\\xd7He\\xa3\\x02\\x00\\x00\\xba\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00P)Ke\\xa3\\x02\\x00\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00 \\xbe\\x92\\xf7\\xb8\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xfaknu\\xfc\\x7f\\x00\\x00C\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00 \\xbe\\x92\\xf7\\xb8\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\xfc\\x7f\\x00\\x00`\\x00\\x00\\x00\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xac\\x00\\xb0\\x00\\xb8\\x00\\x00\\x00\\xd0\\xd7He\\xa3\\x02\\x00\\x00\\xd5,\\xffw\\xfc\\x7f\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\xe9\\xbd\\x92\\xf7\\xb8\\x00\\x00\\x000\\x00\\x00\\x00\\xb8\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00X\\xbd\\x92\\xf7\\xb8\\x00\\x00\\x00@\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 3569
          },
          {
            "timestamp": "2026-05-28 22:02:14,166",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005a4"
              }
            ],
            "repeated": 0,
            "id": 3570
          },
          {
            "timestamp": "2026-05-28 22:02:14,166",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000005a4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100080",
                "pretty_value": "FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Users\\admin\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge.Stable_8wekyb3d8bbwe"
              },
              {
                "name": "ShareAccess",
                "value": "3",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE"
              }
            ],
            "repeated": 0,
            "id": 3571
          },
          {
            "timestamp": "2026-05-28 22:02:14,166",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005a4"
              }
            ],
            "repeated": 0,
            "id": 3572
          },
          {
            "timestamp": "2026-05-28 22:02:14,166",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000005a4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100080",
                "pretty_value": "FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Users\\admin\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge.Stable_8wekyb3d8bbwe"
              },
              {
                "name": "ShareAccess",
                "value": "3",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE"
              }
            ],
            "repeated": 0,
            "id": 3573
          },
          {
            "timestamp": "2026-05-28 22:02:14,166",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "device",
            "api": "DeviceIoControl",
            "status": false,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "DeviceHandle",
                "value": "0x000005a4"
              },
              {
                "name": "IoControlCode",
                "value": "0x004d0008",
                "pretty_value": "IOCTL_MOUNTDEV_QUERY_DEVICE_NAME"
              },
              {
                "name": "InBuffer",
                "value": ""
              },
              {
                "name": "OutBuffer",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 3574
          },
          {
            "timestamp": "2026-05-28 22:02:14,166",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005a4"
              }
            ],
            "repeated": 0,
            "id": 3575
          },
          {
            "timestamp": "2026-05-28 22:02:14,166",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000005a4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100080",
                "pretty_value": "FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Users\\admin\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge.Stable_8wekyb3d8bbwe\\"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "3",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000080",
                "pretty_value": "FILE_ATTRIBUTE_NORMAL"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 3576
          },
          {
            "timestamp": "2026-05-28 22:02:14,166",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "device",
            "api": "DeviceIoControl",
            "status": false,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "DeviceHandle",
                "value": "0x000005a4"
              },
              {
                "name": "IoControlCode",
                "value": "0x000900a8",
                "pretty_value": "FSCTL_GET_REPARSE_POINT"
              },
              {
                "name": "InBuffer",
                "value": ""
              },
              {
                "name": "OutBuffer",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 3577
          },
          {
            "timestamp": "2026-05-28 22:02:14,166",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005a4"
              }
            ],
            "repeated": 0,
            "id": 3578
          },
          {
            "timestamp": "2026-05-28 22:02:14,166",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": false,
            "return": "0xffffffffc00000ba",
            "pretty_return": "FILE_IS_A_DIRECTORY",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100080",
                "pretty_value": "FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Users\\admin\\AppData\\Local\\Packages"
              },
              {
                "name": "ShareAccess",
                "value": "3",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE"
              }
            ],
            "repeated": 0,
            "id": 3579
          },
          {
            "timestamp": "2026-05-28 22:02:14,166",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000005a4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100080",
                "pretty_value": "FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Users\\admin\\AppData\\Local\\Packages\\"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "3",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000080",
                "pretty_value": "FILE_ATTRIBUTE_NORMAL"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 3580
          },
          {
            "timestamp": "2026-05-28 22:02:14,166",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "device",
            "api": "DeviceIoControl",
            "status": false,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "DeviceHandle",
                "value": "0x000005a4"
              },
              {
                "name": "IoControlCode",
                "value": "0x000900a8",
                "pretty_value": "FSCTL_GET_REPARSE_POINT"
              },
              {
                "name": "InBuffer",
                "value": ""
              },
              {
                "name": "OutBuffer",
                "value": "P\\xbd\\x92\\xf7\\xb8\\x00\\x00\\x00\\x80\\xbd\\x92\\xf7\\xb8\\x00\\x00\\x00\\x80\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\xba\\x00\\x00\\xc0\\xff\\xff\\xff\\xff\\xffh\\x17\\xbf\\x06\\x1a\\x00\\x00\\x08\\x82\\xd93\\xfc\\x7f\\x00\\x00\\xd0\\xc1Ke\\xa3\\x02\\x00\\x00\\xba\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00P)Ke\\xa3\\x02\\x00\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00 \\xbe\\x92\\xf7\\xb8\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xfaknu\\xfc\\x7f\\x00\\x00C\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00 \\xbe\\x92\\xf7\\xb8\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00`\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00R\\x00V\\x00\\x00\\x00\\x00\\x00\\xd0\\xc1Ke\\xa3\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x000\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00X\\xbd\\x92\\xf7\\xb8\\x00\\x00\\x00@\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 3581
          },
          {
            "timestamp": "2026-05-28 22:02:14,166",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005a4"
              }
            ],
            "repeated": 0,
            "id": 3582
          },
          {
            "timestamp": "2026-05-28 22:02:14,166",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000005a4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100080",
                "pretty_value": "FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Users\\admin\\AppData\\Local\\Packages"
              },
              {
                "name": "ShareAccess",
                "value": "3",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE"
              }
            ],
            "repeated": 0,
            "id": 3583
          },
          {
            "timestamp": "2026-05-28 22:02:14,166",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005a4"
              }
            ],
            "repeated": 0,
            "id": 3584
          },
          {
            "timestamp": "2026-05-28 22:02:14,166",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000005a4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100080",
                "pretty_value": "FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Users\\admin\\AppData\\Local\\Packages"
              },
              {
                "name": "ShareAccess",
                "value": "3",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE"
              }
            ],
            "repeated": 0,
            "id": 3585
          },
          {
            "timestamp": "2026-05-28 22:02:14,166",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "device",
            "api": "DeviceIoControl",
            "status": false,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "DeviceHandle",
                "value": "0x000005a4"
              },
              {
                "name": "IoControlCode",
                "value": "0x004d0008",
                "pretty_value": "IOCTL_MOUNTDEV_QUERY_DEVICE_NAME"
              },
              {
                "name": "InBuffer",
                "value": ""
              },
              {
                "name": "OutBuffer",
                "value": "\\x00\\x00\\x8c[\\x00\\x00\\x00\\x00\\x00\\x00<e\\xa3\\x02\\x00\\x00u\\x02\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xd9L\\xb53\\xfc\\x7f\\x00\\x00h\\xe3\\xb4\\xf4\\x01\\x00\\x00\\x00\\xfeYnu\\xfc\\x7f\\x00\\x00\\x87\\x00h8\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x87\\x00h8\\xfc\\x7f\\x00\\x008\\xc1\\x92\\xf7\\xb8\\x00\\x00\\x00`\\x11\\xb73\\xfc\\x7f\\x00\\x00\\xcdG\\xffw\\xfc\\x7f\\x00\\x00\\x08\\xae\\xdd3\\xfc\\x7f\\x00\\x00\\xebP\\xb53\\xfc\\x7f\\x00\\x00\\xa4\\x05\\x00\\x00\\x00\\x00\\x00\\x00\\xb8\\xa8\\xd83\\xfc\\x7f\\x00\\x00\\xc8\\xe5\\xb4\\xf4\\x02;\\x00\\x00\\x06\\x02\\x00\\x00\\x00\\x00\\x00\\x00&\\x11\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\xa4\\x05\\x00\\x00\\x00\\x00\\x00\\x00P)Ke\\xa3\\x02\\x00\\x00\\x00 \\x00\\x00\\x00\\x00\\x00\\x00\\xbc+\\xb63\\xfc\\x7f\\x00\\x00\\xc04\\xe0f\\xa3\\x02\\x00\\x00\\x00 \\x00\\x00\\x00\\x00\\x00\\x00\\xa4\\x05\\x00\\x00\\x00\\x00\\x00\\x00\\xa4\\x05\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 3586
          },
          {
            "timestamp": "2026-05-28 22:02:14,166",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005a4"
              }
            ],
            "repeated": 0,
            "id": 3587
          },
          {
            "timestamp": "2026-05-28 22:02:14,166",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000005a8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100080",
                "pretty_value": "FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Users\\admin\\AppData\\Local\\Packages\\"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "3",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000080",
                "pretty_value": "FILE_ATTRIBUTE_NORMAL"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 3588
          },
          {
            "timestamp": "2026-05-28 22:02:14,166",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "device",
            "api": "DeviceIoControl",
            "status": false,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "DeviceHandle",
                "value": "0x000005a8"
              },
              {
                "name": "IoControlCode",
                "value": "0x000900a8",
                "pretty_value": "FSCTL_GET_REPARSE_POINT"
              },
              {
                "name": "InBuffer",
                "value": ""
              },
              {
                "name": "OutBuffer",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 3589
          },
          {
            "timestamp": "2026-05-28 22:02:14,166",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005a8"
              }
            ],
            "repeated": 0,
            "id": 3590
          },
          {
            "timestamp": "2026-05-28 22:02:14,166",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": false,
            "return": "0xffffffffc00000ba",
            "pretty_return": "FILE_IS_A_DIRECTORY",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100080",
                "pretty_value": "FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Users\\admin\\AppData\\Local"
              },
              {
                "name": "ShareAccess",
                "value": "3",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE"
              }
            ],
            "repeated": 0,
            "id": 3591
          },
          {
            "timestamp": "2026-05-28 22:02:14,166",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000005a8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100080",
                "pretty_value": "FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Users\\admin\\AppData\\Local\\"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "3",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000080",
                "pretty_value": "FILE_ATTRIBUTE_NORMAL"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 3592
          },
          {
            "timestamp": "2026-05-28 22:02:14,166",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "device",
            "api": "DeviceIoControl",
            "status": false,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "DeviceHandle",
                "value": "0x000005a8"
              },
              {
                "name": "IoControlCode",
                "value": "0x000900a8",
                "pretty_value": "FSCTL_GET_REPARSE_POINT"
              },
              {
                "name": "InBuffer",
                "value": ""
              },
              {
                "name": "OutBuffer",
                "value": "P\\xbd\\x92\\xf7\\xb8\\x00\\x00\\x00\\x80\\xbd\\x92\\xf7\\xb8\\x00\\x00\\x00\\x80\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\xba\\x00\\x00\\xc0\\xff\\xff\\xff\\xff\\xffh\\x17\\xbf\\x06\\x1a\\x00\\x00\\x08\\x82\\xd93\\xfc\\x7f\\x00\\x00\\xc0\\x9dJe\\xa3\\x02\\x00\\x00\\xba\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00P)Ke\\xa3\\x02\\x00\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00 \\xbe\\x92\\xf7\\xb8\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xfaknu\\xfc\\x7f\\x00\\x00C\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00 \\xbe\\x92\\xf7\\xb8\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00`\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00@\\x00D\\x00\\x00\\x00\\x00\\x00\\xc0\\x9dJe\\xa3\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x000\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00X\\xbd\\x92\\xf7\\xb8\\x00\\x00\\x00@\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 3593
          },
          {
            "timestamp": "2026-05-28 22:02:14,166",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005a8"
              }
            ],
            "repeated": 0,
            "id": 3594
          },
          {
            "timestamp": "2026-05-28 22:02:14,166",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000005a8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100080",
                "pretty_value": "FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Users\\admin\\AppData\\Local"
              },
              {
                "name": "ShareAccess",
                "value": "3",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE"
              }
            ],
            "repeated": 0,
            "id": 3595
          },
          {
            "timestamp": "2026-05-28 22:02:14,166",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005a8"
              }
            ],
            "repeated": 0,
            "id": 3596
          },
          {
            "timestamp": "2026-05-28 22:02:14,166",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000005a8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100080",
                "pretty_value": "FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Users\\admin\\AppData\\Local"
              },
              {
                "name": "ShareAccess",
                "value": "3",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE"
              }
            ],
            "repeated": 0,
            "id": 3597
          },
          {
            "timestamp": "2026-05-28 22:02:14,166",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "device",
            "api": "DeviceIoControl",
            "status": false,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "DeviceHandle",
                "value": "0x000005a8"
              },
              {
                "name": "IoControlCode",
                "value": "0x004d0008",
                "pretty_value": "IOCTL_MOUNTDEV_QUERY_DEVICE_NAME"
              },
              {
                "name": "InBuffer",
                "value": ""
              },
              {
                "name": "OutBuffer",
                "value": "\\x00\\x00\\x0c\\\\x00\\x00\\x00\\x00\\x00\\x00<e\\xa3\\x02\\x00\\x00u\\x02\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xd9L\\xb53\\xfc\\x7f\\x00\\x00h\\xe3\\xb4\\xf4\\x01\\x00\\x00\\x00\\xfeYnu\\xfc\\x7f\\x00\\x00\\x87\\x00h8\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x87\\x00h8\\xfc\\x7f\\x00\\x008\\xc1\\x92\\xf7\\xb8\\x00\\x00\\x00`\\x11\\xb73\\xfc\\x7f\\x00\\x00\\xcdG\\xffw\\xfc\\x7f\\x00\\x00\\x08\\xae\\xdd3\\xfc\\x7f\\x00\\x00\\xebP\\xb53\\xfc\\x7f\\x00\\x00\\xa8\\x05\\x00\\x00\\x00\\x00\\x00\\x00\\xb8\\xa8\\xd83\\xfc\\x7f\\x00\\x00\\xc8\\xe5\\xb4\\xf4\\x02;\\x00\\x00\\x06\\x02\\x00\\x00\\x00\\x00\\x00\\x00&\\x11\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\xa8\\x05\\x00\\x00\\x00\\x00\\x00\\x00P)Ke\\xa3\\x02\\x00\\x00\\x00 \\x00\\x00\\x00\\x00\\x00\\x00\\xbc+\\xb63\\xfc\\x7f\\x00\\x00\\xc04\\xe0f\\xa3\\x02\\x00\\x00\\x00 \\x00\\x00\\x00\\x00\\x00\\x00\\xa8\\x05\\x00\\x00\\x00\\x00\\x00\\x00\\xa8\\x05\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 3598
          },
          {
            "timestamp": "2026-05-28 22:02:14,166",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005a8"
              }
            ],
            "repeated": 0,
            "id": 3599
          },
          {
            "timestamp": "2026-05-28 22:02:14,166",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000005a8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100080",
                "pretty_value": "FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Users\\admin\\AppData\\Local\\"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "3",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000080",
                "pretty_value": "FILE_ATTRIBUTE_NORMAL"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 3600
          },
          {
            "timestamp": "2026-05-28 22:02:14,166",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "device",
            "api": "DeviceIoControl",
            "status": false,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "DeviceHandle",
                "value": "0x000005a8"
              },
              {
                "name": "IoControlCode",
                "value": "0x000900a8",
                "pretty_value": "FSCTL_GET_REPARSE_POINT"
              },
              {
                "name": "InBuffer",
                "value": ""
              },
              {
                "name": "OutBuffer",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 3601
          },
          {
            "timestamp": "2026-05-28 22:02:14,166",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005a8"
              }
            ],
            "repeated": 0,
            "id": 3602
          },
          {
            "timestamp": "2026-05-28 22:02:14,166",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": false,
            "return": "0xffffffffc00000ba",
            "pretty_return": "FILE_IS_A_DIRECTORY",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100080",
                "pretty_value": "FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Users\\admin\\AppData"
              },
              {
                "name": "ShareAccess",
                "value": "3",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE"
              }
            ],
            "repeated": 0,
            "id": 3603
          },
          {
            "timestamp": "2026-05-28 22:02:14,166",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000005a8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100080",
                "pretty_value": "FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Users\\admin\\AppData\\"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "3",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000080",
                "pretty_value": "FILE_ATTRIBUTE_NORMAL"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 3604
          },
          {
            "timestamp": "2026-05-28 22:02:14,166",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "device",
            "api": "DeviceIoControl",
            "status": false,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "DeviceHandle",
                "value": "0x000005a8"
              },
              {
                "name": "IoControlCode",
                "value": "0x000900a8",
                "pretty_value": "FSCTL_GET_REPARSE_POINT"
              },
              {
                "name": "InBuffer",
                "value": ""
              },
              {
                "name": "OutBuffer",
                "value": "P\\xbd\\x92\\xf7\\xb8\\x00\\x00\\x00\\x80\\xbd\\x92\\xf7\\xb8\\x00\\x00\\x00\\x80\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\xba\\x00\\x00\\xc0\\xff\\xff\\xff\\xff\\xffh\\x17\\xbf\\x06\\x1a\\x00\\x00\\x08\\x82\\xd93\\xfc\\x7f\\x00\\x00\\x90NIe\\xa3\\x02\\x00\\x00\\xba\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00P)Ke\\xa3\\x02\\x00\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00 \\xbe\\x92\\xf7\\xb8\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xfaknu\\xfc\\x7f\\x00\\x00C\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00 \\xbe\\x92\\xf7\\xb8\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00`\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x004\\x008\\x00\\x00\\x00\\x00\\x00\\x90NIe\\xa3\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x000\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00X\\xbd\\x92\\xf7\\xb8\\x00\\x00\\x00@\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 3605
          },
          {
            "timestamp": "2026-05-28 22:02:14,166",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005a8"
              }
            ],
            "repeated": 0,
            "id": 3606
          },
          {
            "timestamp": "2026-05-28 22:02:14,166",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000005a8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100080",
                "pretty_value": "FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Users\\admin\\AppData"
              },
              {
                "name": "ShareAccess",
                "value": "3",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE"
              }
            ],
            "repeated": 0,
            "id": 3607
          },
          {
            "timestamp": "2026-05-28 22:02:14,166",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005a8"
              }
            ],
            "repeated": 0,
            "id": 3608
          },
          {
            "timestamp": "2026-05-28 22:02:14,166",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000005a4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100080",
                "pretty_value": "FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Users\\admin\\AppData"
              },
              {
                "name": "ShareAccess",
                "value": "3",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE"
              }
            ],
            "repeated": 0,
            "id": 3609
          },
          {
            "timestamp": "2026-05-28 22:02:14,166",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "device",
            "api": "DeviceIoControl",
            "status": false,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "DeviceHandle",
                "value": "0x000005a4"
              },
              {
                "name": "IoControlCode",
                "value": "0x004d0008",
                "pretty_value": "IOCTL_MOUNTDEV_QUERY_DEVICE_NAME"
              },
              {
                "name": "InBuffer",
                "value": ""
              },
              {
                "name": "OutBuffer",
                "value": "\\x00\\x00\\xec\\\\x00\\x00\\x00\\x00\\x00\\x00<e\\xa3\\x02\\x00\\x00u\\x02\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xd9L\\xb53\\xfc\\x7f\\x00\\x00h\\xe3\\xb4\\xf4\\x01\\x00\\x00\\x00\\xfeYnu\\xfc\\x7f\\x00\\x00\\x87\\x00h8\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x87\\x00h8\\xfc\\x7f\\x00\\x008\\xc1\\x92\\xf7\\xb8\\x00\\x00\\x00`\\x11\\xb73\\xfc\\x7f\\x00\\x00\\xcdG\\xffw\\xfc\\x7f\\x00\\x00\\x08\\xae\\xdd3\\xfc\\x7f\\x00\\x00\\xebP\\xb53\\xfc\\x7f\\x00\\x00\\xa8\\x05\\x00\\x00\\x00\\x00\\x00\\x00\\xb8\\xa8\\xd83\\xfc\\x7f\\x00\\x00\\xc8\\xe5\\xb4\\xf4\\x02;\\x00\\x00\\x06\\x02\\x00\\x00\\x00\\x00\\x00\\x00&\\x11\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\xa8\\x05\\x00\\x00\\x00\\x00\\x00\\x00P)Ke\\xa3\\x02\\x00\\x00\\x00 \\x00\\x00\\x00\\x00\\x00\\x00\\xbc+\\xb63\\xfc\\x7f\\x00\\x00\\xc04\\xe0f\\xa3\\x02\\x00\\x00\\x00 \\x00\\x00\\x00\\x00\\x00\\x00\\xa8\\x05\\x00\\x00\\x00\\x00\\x00\\x00\\xa8\\x05\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 3610
          },
          {
            "timestamp": "2026-05-28 22:02:14,166",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005a4"
              }
            ],
            "repeated": 0,
            "id": 3611
          },
          {
            "timestamp": "2026-05-28 22:02:14,166",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000005a4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100080",
                "pretty_value": "FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Users\\admin\\AppData\\"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "3",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000080",
                "pretty_value": "FILE_ATTRIBUTE_NORMAL"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 3612
          },
          {
            "timestamp": "2026-05-28 22:02:14,166",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "device",
            "api": "DeviceIoControl",
            "status": false,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "DeviceHandle",
                "value": "0x000005a4"
              },
              {
                "name": "IoControlCode",
                "value": "0x000900a8",
                "pretty_value": "FSCTL_GET_REPARSE_POINT"
              },
              {
                "name": "InBuffer",
                "value": ""
              },
              {
                "name": "OutBuffer",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 3613
          },
          {
            "timestamp": "2026-05-28 22:02:14,166",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005a4"
              }
            ],
            "repeated": 0,
            "id": 3614
          },
          {
            "timestamp": "2026-05-28 22:02:14,166",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": false,
            "return": "0xffffffffc00000ba",
            "pretty_return": "FILE_IS_A_DIRECTORY",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100080",
                "pretty_value": "FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Users\\admin"
              },
              {
                "name": "ShareAccess",
                "value": "3",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE"
              }
            ],
            "repeated": 0,
            "id": 3615
          },
          {
            "timestamp": "2026-05-28 22:02:14,166",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000005a4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100080",
                "pretty_value": "FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Users\\admin\\"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "3",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000080",
                "pretty_value": "FILE_ATTRIBUTE_NORMAL"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 3616
          },
          {
            "timestamp": "2026-05-28 22:02:14,166",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "device",
            "api": "DeviceIoControl",
            "status": false,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "DeviceHandle",
                "value": "0x000005a4"
              },
              {
                "name": "IoControlCode",
                "value": "0x000900a8",
                "pretty_value": "FSCTL_GET_REPARSE_POINT"
              },
              {
                "name": "InBuffer",
                "value": ""
              },
              {
                "name": "OutBuffer",
                "value": "P\\xbd\\x92\\xf7\\xb8\\x00\\x00\\x00\\x80\\xbd\\x92\\xf7\\xb8\\x00\\x00\\x00\\x80\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\xba\\x00\\x00\\xc0\\xff\\xff\\xff\\xff\\xffh\\x17\\xbf\\x06\\x1a\\x00\\x00\\x08\\x82\\xd93\\xfc\\x7f\\x00\\x00\\xf0kHe\\xa3\\x02\\x00\\x00\\xba\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00P)Ke\\xa3\\x02\\x00\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00 \\xbe\\x92\\xf7\\xb8\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xfaknu\\xfc\\x7f\\x00\\x00C\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00 \\xbe\\x92\\xf7\\xb8\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00`\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00$\\x00(\\x00\\x00\\x00\\x00\\x00\\xf0kHe\\xa3\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x000\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00X\\xbd\\x92\\xf7\\xb8\\x00\\x00\\x00@\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 3617
          },
          {
            "timestamp": "2026-05-28 22:02:14,166",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005a4"
              }
            ],
            "repeated": 0,
            "id": 3618
          },
          {
            "timestamp": "2026-05-28 22:02:14,166",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000005a4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100080",
                "pretty_value": "FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Users\\admin"
              },
              {
                "name": "ShareAccess",
                "value": "3",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE"
              }
            ],
            "repeated": 0,
            "id": 3619
          },
          {
            "timestamp": "2026-05-28 22:02:14,166",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005a4"
              }
            ],
            "repeated": 0,
            "id": 3620
          },
          {
            "timestamp": "2026-05-28 22:02:14,166",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000005a4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100080",
                "pretty_value": "FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Users\\admin"
              },
              {
                "name": "ShareAccess",
                "value": "3",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE"
              }
            ],
            "repeated": 0,
            "id": 3621
          },
          {
            "timestamp": "2026-05-28 22:02:14,166",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "device",
            "api": "DeviceIoControl",
            "status": false,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "DeviceHandle",
                "value": "0x000005a4"
              },
              {
                "name": "IoControlCode",
                "value": "0x004d0008",
                "pretty_value": "IOCTL_MOUNTDEV_QUERY_DEVICE_NAME"
              },
              {
                "name": "InBuffer",
                "value": ""
              },
              {
                "name": "OutBuffer",
                "value": "\\x00\\x00\\x0c^\\x00\\x00\\x00\\x00\\x00\\x00<e\\xa3\\x02\\x00\\x00u\\x02\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xd9L\\xb53\\xfc\\x7f\\x00\\x00h\\xe3\\xb4\\xf4\\x01\\x00\\x00\\x00\\xfeYnu\\xfc\\x7f\\x00\\x00\\x87\\x00h8\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x87\\x00h8\\xfc\\x7f\\x00\\x008\\xc1\\x92\\xf7\\xb8\\x00\\x00\\x00`\\x11\\xb73\\xfc\\x7f\\x00\\x00\\xcdG\\xffw\\xfc\\x7f\\x00\\x00\\x08\\xae\\xdd3\\xfc\\x7f\\x00\\x00\\xebP\\xb53\\xfc\\x7f\\x00\\x00\\xa4\\x05\\x00\\x00\\x00\\x00\\x00\\x00\\xb8\\xa8\\xd83\\xfc\\x7f\\x00\\x00\\xc8\\xe5\\xb4\\xf4\\x02;\\x00\\x00\\x06\\x02\\x00\\x00\\x00\\x00\\x00\\x00&\\x11\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\xa4\\x05\\x00\\x00\\x00\\x00\\x00\\x00P)Ke\\xa3\\x02\\x00\\x00\\x00 \\x00\\x00\\x00\\x00\\x00\\x00\\xbc+\\xb63\\xfc\\x7f\\x00\\x00\\xc04\\xe0f\\xa3\\x02\\x00\\x00\\x00 \\x00\\x00\\x00\\x00\\x00\\x00\\xa4\\x05\\x00\\x00\\x00\\x00\\x00\\x00\\xa4\\x05\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 3622
          },
          {
            "timestamp": "2026-05-28 22:02:14,166",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005a4"
              }
            ],
            "repeated": 0,
            "id": 3623
          },
          {
            "timestamp": "2026-05-28 22:02:14,166",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000005a4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100080",
                "pretty_value": "FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Users\\admin\\"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "3",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000080",
                "pretty_value": "FILE_ATTRIBUTE_NORMAL"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 3624
          },
          {
            "timestamp": "2026-05-28 22:02:14,166",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "device",
            "api": "DeviceIoControl",
            "status": false,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "DeviceHandle",
                "value": "0x000005a4"
              },
              {
                "name": "IoControlCode",
                "value": "0x000900a8",
                "pretty_value": "FSCTL_GET_REPARSE_POINT"
              },
              {
                "name": "InBuffer",
                "value": ""
              },
              {
                "name": "OutBuffer",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 3625
          },
          {
            "timestamp": "2026-05-28 22:02:14,166",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005a4"
              }
            ],
            "repeated": 0,
            "id": 3626
          },
          {
            "timestamp": "2026-05-28 22:02:14,166",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": false,
            "return": "0xffffffffc00000ba",
            "pretty_return": "FILE_IS_A_DIRECTORY",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100080",
                "pretty_value": "FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Users"
              },
              {
                "name": "ShareAccess",
                "value": "3",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE"
              }
            ],
            "repeated": 0,
            "id": 3627
          },
          {
            "timestamp": "2026-05-28 22:02:14,166",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000005a4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100080",
                "pretty_value": "FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Users\\"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "3",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000080",
                "pretty_value": "FILE_ATTRIBUTE_NORMAL"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 3628
          },
          {
            "timestamp": "2026-05-28 22:02:14,166",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "device",
            "api": "DeviceIoControl",
            "status": false,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "DeviceHandle",
                "value": "0x000005a4"
              },
              {
                "name": "IoControlCode",
                "value": "0x000900a8",
                "pretty_value": "FSCTL_GET_REPARSE_POINT"
              },
              {
                "name": "InBuffer",
                "value": ""
              },
              {
                "name": "OutBuffer",
                "value": "P\\xbd\\x92\\xf7\\xb8\\x00\\x00\\x00\\x80\\xbd\\x92\\xf7\\xb8\\x00\\x00\\x00\\x80\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\xba\\x00\\x00\\xc0\\xff\\xff\\xff\\xff\\xffh\\x17\\xbf\\x06\\x1a\\x00\\x00\\x08\\x82\\xd93\\xfc\\x7f\\x00\\x00\\x00\\xacJe\\xa3\\x02\\x00\\x00\\xba\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00P)Ke\\xa3\\x02\\x00\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00 \\xbe\\x92\\xf7\\xb8\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xfaknu\\xfc\\x7f\\x00\\x00C\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00 \\xbe\\x92\\xf7\\xb8\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00`\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x18\\x00\\x1c\\x00\\x00\\x00\\x00\\x00\\x00\\xacJe\\xa3\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x000\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00X\\xbd\\x92\\xf7\\xb8\\x00\\x00\\x00@\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 3629
          },
          {
            "timestamp": "2026-05-28 22:02:14,166",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005a4"
              }
            ],
            "repeated": 0,
            "id": 3630
          },
          {
            "timestamp": "2026-05-28 22:02:14,166",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000005a4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100080",
                "pretty_value": "FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Users"
              },
              {
                "name": "ShareAccess",
                "value": "3",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE"
              }
            ],
            "repeated": 0,
            "id": 3631
          },
          {
            "timestamp": "2026-05-28 22:02:14,166",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005a4"
              }
            ],
            "repeated": 0,
            "id": 3632
          },
          {
            "timestamp": "2026-05-28 22:02:14,166",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000005a4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100080",
                "pretty_value": "FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Users"
              },
              {
                "name": "ShareAccess",
                "value": "3",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE"
              }
            ],
            "repeated": 0,
            "id": 3633
          },
          {
            "timestamp": "2026-05-28 22:02:14,166",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "device",
            "api": "DeviceIoControl",
            "status": false,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "DeviceHandle",
                "value": "0x000005a4"
              },
              {
                "name": "IoControlCode",
                "value": "0x004d0008",
                "pretty_value": "IOCTL_MOUNTDEV_QUERY_DEVICE_NAME"
              },
              {
                "name": "InBuffer",
                "value": ""
              },
              {
                "name": "OutBuffer",
                "value": "\\x00\\x00,_\\x00\\x00\\x00\\x00\\x00\\x00<e\\xa3\\x02\\x00\\x00u\\x02\\x00\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xd9L\\xb53\\xfc\\x7f\\x00\\x00h\\xe3\\xb4\\xf4\\x01\\x00\\x00\\x00\\xfeYnu\\xfc\\x7f\\x00\\x00\\x87\\x00h8\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x87\\x00h8\\xfc\\x7f\\x00\\x008\\xc1\\x92\\xf7\\xb8\\x00\\x00\\x00`\\x11\\xb73\\xfc\\x7f\\x00\\x00\\xcdG\\xffw\\xfc\\x7f\\x00\\x00\\x08\\xae\\xdd3\\xfc\\x7f\\x00\\x00\\xebP\\xb53\\xfc\\x7f\\x00\\x00\\xa4\\x05\\x00\\x00\\x00\\x00\\x00\\x00\\xb8\\xa8\\xd83\\xfc\\x7f\\x00\\x00\\xc8\\xe5\\xb4\\xf4\\x02;\\x00\\x00\\x06\\x02\\x00\\x00\\x00\\x00\\x00\\x00&\\x11\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\xa4\\x05\\x00\\x00\\x00\\x00\\x00\\x00P)Ke\\xa3\\x02\\x00\\x00\\x00 \\x00\\x00\\x00\\x00\\x00\\x00\\xbc+\\xb63\\xfc\\x7f\\x00\\x00\\xc04\\xe0f\\xa3\\x02\\x00\\x00\\x00 \\x00\\x00\\x00\\x00\\x00\\x00\\xa4\\x05\\x00\\x00\\x00\\x00\\x00\\x00\\xa4\\x05\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 3634
          },
          {
            "timestamp": "2026-05-28 22:02:14,166",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005a4"
              }
            ],
            "repeated": 0,
            "id": 3635
          },
          {
            "timestamp": "2026-05-28 22:02:14,166",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000005a4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100080",
                "pretty_value": "FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Users\\"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "3",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000080",
                "pretty_value": "FILE_ATTRIBUTE_NORMAL"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 3636
          },
          {
            "timestamp": "2026-05-28 22:02:14,166",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "device",
            "api": "DeviceIoControl",
            "status": false,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "DeviceHandle",
                "value": "0x000005a4"
              },
              {
                "name": "IoControlCode",
                "value": "0x000900a8",
                "pretty_value": "FSCTL_GET_REPARSE_POINT"
              },
              {
                "name": "InBuffer",
                "value": ""
              },
              {
                "name": "OutBuffer",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 3637
          },
          {
            "timestamp": "2026-05-28 22:02:14,166",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005a4"
              }
            ],
            "repeated": 0,
            "id": 3638
          },
          {
            "timestamp": "2026-05-28 22:02:14,166",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000005a4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100080",
                "pretty_value": "FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:"
              },
              {
                "name": "ShareAccess",
                "value": "3",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE"
              }
            ],
            "repeated": 0,
            "id": 3639
          },
          {
            "timestamp": "2026-05-28 22:02:14,166",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "device",
            "api": "DeviceIoControl",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "DeviceHandle",
                "value": "0x000005a4"
              },
              {
                "name": "IoControlCode",
                "value": "0x004d0008",
                "pretty_value": "IOCTL_MOUNTDEV_QUERY_DEVICE_NAME"
              },
              {
                "name": "InBuffer",
                "value": ""
              },
              {
                "name": "OutBuffer",
                "value": ".\\x00\\\\x00D\\x00e\\x00v\\x00i\\x00c\\x00e\\x00\\\\x00H\\x00a\\x00r\\x00d\\x00d\\x00i\\x00s\\x00k\\x00V\\x00o\\x00l\\x00u\\x00m\\x00e\\x002\\x00"
              }
            ],
            "repeated": 0,
            "id": 3640
          },
          {
            "timestamp": "2026-05-28 22:02:14,166",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005a4"
              }
            ],
            "repeated": 0,
            "id": 3641
          },
          {
            "timestamp": "2026-05-28 22:02:14,166",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000005a4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100080",
                "pretty_value": "FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "\\??\\MountPointManager"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "3",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000080",
                "pretty_value": "FILE_ATTRIBUTE_NORMAL"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 3642
          },
          {
            "timestamp": "2026-05-28 22:02:14,166",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "device",
            "api": "DeviceIoControl",
            "status": false,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "DeviceHandle",
                "value": "0x000005a4"
              },
              {
                "name": "IoControlCode",
                "value": "0x006d0008",
                "pretty_value": "IOCTL_MOUNTMGR_QUERY_POINTS"
              },
              {
                "name": "InBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x18\\x00\\x00\\x00.\\x00\\x00\\x00\\\\x00D\\x00e\\x00v\\x00i\\x00c\\x00e\\x00\\\\x00H\\x00a\\x00r\\x00d\\x00d\\x00i\\x00s\\x00k\\x00V\\x00o\\x00l\\x00u\\x00m\\x00e\\x002\\x00"
              },
              {
                "name": "OutBuffer",
                "value": "\\xee\\x00\\x00\\x00\\x02\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 3643
          },
          {
            "timestamp": "2026-05-28 22:02:14,166",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "device",
            "api": "DeviceIoControl",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "DeviceHandle",
                "value": "0x000005a4"
              },
              {
                "name": "IoControlCode",
                "value": "0x006d0008",
                "pretty_value": "IOCTL_MOUNTMGR_QUERY_POINTS"
              },
              {
                "name": "InBuffer",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x18\\x00\\x00\\x00.\\x00\\x00\\x00\\\\x00D\\x00e\\x00v\\x00i\\x00c\\x00e\\x00\\\\x00H\\x00a\\x00r\\x00d\\x00d\\x00i\\x00s\\x00k\\x00V\\x00o\\x00l\\x00u\\x00m\\x00e\\x002\\x00"
              },
              {
                "name": "OutBuffer",
                "value": "\\xee\\x00\\x00\\x00\\x02\\x00\\x00\\x00r\\x00\\x00\\x00\\x1c\\x00\\x00\\x008\\x00\\x00\\x00\\x0c\\x00\\x00\\x00D\\x00\\x00\\x00.\\x00\\x00\\x00\\x8e\\x00\\x00\\x00`\\x00\\x00\\x008\\x00\\x00\\x00\\x0c\\x00\\x00\\x00D\\x00\\x00\\x00.\\x00\\x00\\x00/\\x10\\x8cR\\x00\\x000\\x03\\x00\\x00\\x00\\x00\\\\x00D\\x00e\\x00v\\x00i\\x00c\\x00e\\x00\\\\x00H\\x00a\\x00r\\x00d\\x00d\\x00i\\x00s\\x00k\\x00V\\x00o\\x00l\\x00u\\x00m\\x00e\\x002\\x00\\\\x00D\\x00o\\x00s\\x00D\\x00e\\x00v\\x00i\\x00c\\x00e\\x00s\\x00\\\\x00C\\x00:\\x00\\\\x00?\\x00?\\x00\\\\x00V\\x00o\\x00l\\x00u\\x00m\\x00e\\x00{\\x005\\x002\\x008\\x00c\\x001\\x000\\x002\\x00f\\x00-\\x000\\x000\\x000\\x000\\x00-\\x000\\x000\\x000\\x000\\x00-\\x000\\x000\\x000\\x000\\x00-\\x003\\x000\\x000\\x003\\x000\\x000\\x000\\x000\\x000\\x000\\x000\\x000\\x00}\\x00"
              }
            ],
            "repeated": 0,
            "id": 3644
          },
          {
            "timestamp": "2026-05-28 22:02:14,166",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005a4"
              }
            ],
            "repeated": 0,
            "id": 3645
          },
          {
            "timestamp": "2026-05-28 22:02:14,166",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "filesystem",
            "api": "GetVolumeNameForVolumeMountPointW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "VolumeMountPoint",
                "value": "C:\\"
              },
              {
                "name": "VolumeName",
                "value": "\\\\?\\Volume{528c102f-0000-0000-0000-300300000000}\\"
              }
            ],
            "repeated": 0,
            "id": 3646
          },
          {
            "timestamp": "2026-05-28 22:02:14,166",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000001",
                "pretty_value": "HKEY_CURRENT_USER"
              },
              {
                "name": "SubKey",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume"
              },
              {
                "name": "Handle",
                "value": "0x000005a4"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume"
              }
            ],
            "repeated": 0,
            "id": 3647
          },
          {
            "timestamp": "2026-05-28 22:02:14,166",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x000005a4"
              },
              {
                "name": "SubKey",
                "value": "{528c102f-0000-0000-0000-300300000000}\\"
              },
              {
                "name": "Handle",
                "value": "0x00000598"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{528c102f-0000-0000-0000-300300000000}\\"
              }
            ],
            "repeated": 0,
            "id": 3648
          },
          {
            "timestamp": "2026-05-28 22:02:14,182",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005a4"
              }
            ],
            "repeated": 0,
            "id": 3649
          },
          {
            "timestamp": "2026-05-28 22:02:14,182",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000598"
              },
              {
                "name": "ValueName",
                "value": "Data"
              },
              {
                "name": "Data",
                "value": "\\xd6\r\\x00\\x00\r\\xf0\\xad\\xbaA\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x80\\x00\\x00\\x00\\x00\\x00\\x00\\x000\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xff\\x06\\xe7\\x03\\xff\\x00\\x00\\x00\\x16\\x00\\x00\\x00&\\x00\\xbc\\x12\\x1f\\x00\\x00\\x00\\x04@\\x00\\x00\\x0b\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\\\x00\\\\x00?\\x00\\\\x00S\\x00T\\x00O\\x00R\\x00A\\x00G\\x00E\\x00#\\x00V\\x00o\\x00l\\x00u\\x00m\\x00e\\x00#\\x00{\\x00e\\x003\\x002\\x00a\\x009\\x004\\x004\\x002\\x00-\\x005\\x00a\\x00f\\x002\\x00-\\x001\\x001\\x00f\\x001\\x00-\\x00a\\x00e\\x002\\x00c\\x00-\\x008\\x000\\x006\\x00e\\x006\\x00f\\x006\\x00e\\x006\\x009\\x006\\x003\\x00}\\x00#\\x000\\x000\\x000\\x000\\x000\\x000\\x000\\x000\\x000\\x003\\x003\\x000\\x000\\x000\\x000\\x000\\x00#\\x00{\\x005\\x003\\x00f\\x005\\x006\\x003\\x000\\x00d\\x00-\\x00b\\x006\\x00b\\x00f\\x00-\\x001\\x001\\x00d\\x000\\x00-\\x009\\x004\\x00f\\x002\\x00-\\x000\\x000\\x00a\\x000\\x00c\\x009\\x001\\x00e\\x00f\\x00b\\x008\\x00b\\x00}\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00
\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{528c102f-0000-0000-0000-300300000000}\\Data"
              }
            ],
            "repeated": 0,
            "id": 3650
          },
          {
            "timestamp": "2026-05-28 22:02:14,182",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000598"
              }
            ],
            "repeated": 0,
            "id": 3651
          },
          {
            "timestamp": "2026-05-28 22:02:14,182",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000001",
                "pretty_value": "HKEY_CURRENT_USER"
              },
              {
                "name": "SubKey",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume"
              },
              {
                "name": "Handle",
                "value": "0x00000598"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume"
              }
            ],
            "repeated": 0,
            "id": 3652
          },
          {
            "timestamp": "2026-05-28 22:02:14,182",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000598"
              },
              {
                "name": "SubKey",
                "value": "{528c102f-0000-0000-0000-300300000000}\\"
              },
              {
                "name": "Handle",
                "value": "0x000005a4"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{528c102f-0000-0000-0000-300300000000}\\"
              }
            ],
            "repeated": 0,
            "id": 3653
          },
          {
            "timestamp": "2026-05-28 22:02:14,182",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000598"
              }
            ],
            "repeated": 0,
            "id": 3654
          },
          {
            "timestamp": "2026-05-28 22:02:14,182",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005a4"
              },
              {
                "name": "ValueName",
                "value": "Generation"
              },
              {
                "name": "Data",
                "value": "1"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{528c102f-0000-0000-0000-300300000000}\\Generation"
              }
            ],
            "repeated": 0,
            "id": 3655
          },
          {
            "timestamp": "2026-05-28 22:02:14,182",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005a4"
              }
            ],
            "repeated": 0,
            "id": 3656
          },
          {
            "timestamp": "2026-05-28 22:02:14,182",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x000005a4"
              }
            ],
            "repeated": 0,
            "id": 3657
          },
          {
            "timestamp": "2026-05-28 22:02:14,182",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc73f05000"
              },
              {
                "name": "ModuleName",
                "value": "windows.storage.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 3658
          },
          {
            "timestamp": "2026-05-28 22:02:14,182",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc73f05000"
              },
              {
                "name": "ModuleName",
                "value": "windows.storage.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 3659
          },
          {
            "timestamp": "2026-05-28 22:02:14,182",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "25"
              },
              {
                "name": "TokenInformation",
                "value": "\\xc0\\xe9Ie\\xa3\\x02\\x00\\x00`\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x10\\x000\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 3660
          },
          {
            "timestamp": "2026-05-28 22:02:14,182",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005a4"
              }
            ],
            "repeated": 0,
            "id": 3661
          },
          {
            "timestamp": "2026-05-28 22:02:14,182",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000001",
                "pretty_value": "HKEY_CURRENT_USER"
              },
              {
                "name": "SubKey",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume"
              },
              {
                "name": "Handle",
                "value": "0x000005a4"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume"
              }
            ],
            "repeated": 0,
            "id": 3662
          },
          {
            "timestamp": "2026-05-28 22:02:14,182",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x000005a4"
              },
              {
                "name": "SubKey",
                "value": "{528c102f-0000-0000-0000-300300000000}\\"
              },
              {
                "name": "Handle",
                "value": "0x00000598"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{528c102f-0000-0000-0000-300300000000}\\"
              }
            ],
            "repeated": 0,
            "id": 3663
          },
          {
            "timestamp": "2026-05-28 22:02:14,182",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005a4"
              }
            ],
            "repeated": 0,
            "id": 3664
          },
          {
            "timestamp": "2026-05-28 22:02:14,182",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000598"
              },
              {
                "name": "ValueName",
                "value": "Generation"
              },
              {
                "name": "Data",
                "value": "1"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{528c102f-0000-0000-0000-300300000000}\\Generation"
              }
            ],
            "repeated": 0,
            "id": 3665
          },
          {
            "timestamp": "2026-05-28 22:02:14,182",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000598"
              }
            ],
            "repeated": 0,
            "id": 3666
          },
          {
            "timestamp": "2026-05-28 22:02:14,182",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer"
              },
              {
                "name": "Handle",
                "value": "0x00000598"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer"
              }
            ],
            "repeated": 0,
            "id": 3667
          },
          {
            "timestamp": "2026-05-28 22:02:14,182",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000598"
              },
              {
                "name": "ValueName",
                "value": "DontShowSuperHidden"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\DontShowSuperHidden"
              }
            ],
            "repeated": 0,
            "id": 3668
          },
          {
            "timestamp": "2026-05-28 22:02:14,182",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000598"
              }
            ],
            "repeated": 0,
            "id": 3669
          },
          {
            "timestamp": "2026-05-28 22:02:14,182",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000001",
                "pretty_value": "HKEY_CURRENT_USER"
              },
              {
                "name": "SubKey",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer"
              }
            ],
            "repeated": 0,
            "id": 3670
          },
          {
            "timestamp": "2026-05-28 22:02:14,182",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000001",
                "pretty_value": "HKEY_CURRENT_USER"
              },
              {
                "name": "SubKey",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer"
              },
              {
                "name": "Handle",
                "value": "0x00000598"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer"
              }
            ],
            "repeated": 0,
            "id": 3671
          },
          {
            "timestamp": "2026-05-28 22:02:14,182",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000598"
              },
              {
                "name": "SubKey",
                "value": ""
              },
              {
                "name": "Handle",
                "value": "0x000005a4"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\"
              }
            ],
            "repeated": 0,
            "id": 3672
          },
          {
            "timestamp": "2026-05-28 22:02:14,182",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005a4"
              },
              {
                "name": "ValueName",
                "value": "ShellState"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\ShellState"
              }
            ],
            "repeated": 0,
            "id": 3673
          },
          {
            "timestamp": "2026-05-28 22:02:14,182",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005a4"
              },
              {
                "name": "ValueName",
                "value": "ShellState"
              },
              {
                "name": "Data",
                "value": "$\\x00\\x00\\x004(\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x13\\x00\\x00\\x00\\x00\\x00\\x00\\x00b\\x00\\x00\\x00"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\ShellState"
              }
            ],
            "repeated": 0,
            "id": 3674
          },
          {
            "timestamp": "2026-05-28 22:02:14,182",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005a4"
              }
            ],
            "repeated": 0,
            "id": 3675
          },
          {
            "timestamp": "2026-05-28 22:02:14,182",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer"
              },
              {
                "name": "Handle",
                "value": "0x000005a4"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer"
              }
            ],
            "repeated": 0,
            "id": 3676
          },
          {
            "timestamp": "2026-05-28 22:02:14,182",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005a4"
              },
              {
                "name": "ValueName",
                "value": "NoWebView"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\NoWebView"
              }
            ],
            "repeated": 0,
            "id": 3677
          },
          {
            "timestamp": "2026-05-28 22:02:14,182",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005a4"
              }
            ],
            "repeated": 0,
            "id": 3678
          },
          {
            "timestamp": "2026-05-28 22:02:14,182",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000001",
                "pretty_value": "HKEY_CURRENT_USER"
              },
              {
                "name": "SubKey",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer"
              }
            ],
            "repeated": 0,
            "id": 3679
          },
          {
            "timestamp": "2026-05-28 22:02:14,182",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer"
              },
              {
                "name": "Handle",
                "value": "0x000005a4"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer"
              }
            ],
            "repeated": 0,
            "id": 3680
          },
          {
            "timestamp": "2026-05-28 22:02:14,182",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005a4"
              },
              {
                "name": "ValueName",
                "value": "ClassicShell"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\ClassicShell"
              }
            ],
            "repeated": 0,
            "id": 3681
          },
          {
            "timestamp": "2026-05-28 22:02:14,182",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005a4"
              }
            ],
            "repeated": 0,
            "id": 3682
          },
          {
            "timestamp": "2026-05-28 22:02:14,182",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000001",
                "pretty_value": "HKEY_CURRENT_USER"
              },
              {
                "name": "SubKey",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer"
              }
            ],
            "repeated": 0,
            "id": 3683
          },
          {
            "timestamp": "2026-05-28 22:02:14,182",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer"
              },
              {
                "name": "Handle",
                "value": "0x000005a4"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer"
              }
            ],
            "repeated": 0,
            "id": 3684
          },
          {
            "timestamp": "2026-05-28 22:02:14,182",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005a4"
              },
              {
                "name": "ValueName",
                "value": "SeparateProcess"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\SeparateProcess"
              }
            ],
            "repeated": 0,
            "id": 3685
          },
          {
            "timestamp": "2026-05-28 22:02:14,182",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005a4"
              }
            ],
            "repeated": 0,
            "id": 3686
          },
          {
            "timestamp": "2026-05-28 22:02:14,182",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000001",
                "pretty_value": "HKEY_CURRENT_USER"
              },
              {
                "name": "SubKey",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer"
              }
            ],
            "repeated": 0,
            "id": 3687
          },
          {
            "timestamp": "2026-05-28 22:02:14,182",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer"
              },
              {
                "name": "Handle",
                "value": "0x000005a4"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer"
              }
            ],
            "repeated": 0,
            "id": 3688
          },
          {
            "timestamp": "2026-05-28 22:02:14,182",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005a4"
              },
              {
                "name": "ValueName",
                "value": "NoNetCrawling"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\NoNetCrawling"
              }
            ],
            "repeated": 0,
            "id": 3689
          },
          {
            "timestamp": "2026-05-28 22:02:14,182",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005a4"
              }
            ],
            "repeated": 0,
            "id": 3690
          },
          {
            "timestamp": "2026-05-28 22:02:14,182",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000001",
                "pretty_value": "HKEY_CURRENT_USER"
              },
              {
                "name": "SubKey",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer"
              }
            ],
            "repeated": 0,
            "id": 3691
          },
          {
            "timestamp": "2026-05-28 22:02:14,182",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000598"
              },
              {
                "name": "SubKey",
                "value": "Advanced"
              },
              {
                "name": "Handle",
                "value": "0x000005a4"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced"
              }
            ],
            "repeated": 0,
            "id": 3692
          },
          {
            "timestamp": "2026-05-28 22:02:14,182",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005a4"
              },
              {
                "name": "ValueName",
                "value": "Hidden"
              },
              {
                "name": "Data",
                "value": "2"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\Hidden"
              }
            ],
            "repeated": 0,
            "id": 3693
          },
          {
            "timestamp": "2026-05-28 22:02:14,182",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005a4"
              },
              {
                "name": "ValueName",
                "value": "ShowCompColor"
              },
              {
                "name": "Data",
                "value": "1"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\ShowCompColor"
              }
            ],
            "repeated": 0,
            "id": 3694
          },
          {
            "timestamp": "2026-05-28 22:02:14,182",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005a4"
              },
              {
                "name": "ValueName",
                "value": "HideFileExt"
              },
              {
                "name": "Data",
                "value": "1"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\HideFileExt"
              }
            ],
            "repeated": 0,
            "id": 3695
          },
          {
            "timestamp": "2026-05-28 22:02:14,182",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005a4"
              },
              {
                "name": "ValueName",
                "value": "DontPrettyPath"
              },
              {
                "name": "Data",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\DontPrettyPath"
              }
            ],
            "repeated": 0,
            "id": 3696
          },
          {
            "timestamp": "2026-05-28 22:02:14,182",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005a4"
              },
              {
                "name": "ValueName",
                "value": "ShowInfoTip"
              },
              {
                "name": "Data",
                "value": "1"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\ShowInfoTip"
              }
            ],
            "repeated": 0,
            "id": 3697
          },
          {
            "timestamp": "2026-05-28 22:02:14,182",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005a4"
              },
              {
                "name": "ValueName",
                "value": "HideIcons"
              },
              {
                "name": "Data",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\HideIcons"
              }
            ],
            "repeated": 0,
            "id": 3698
          },
          {
            "timestamp": "2026-05-28 22:02:14,182",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005a4"
              },
              {
                "name": "ValueName",
                "value": "MapNetDrvBtn"
              },
              {
                "name": "Data",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\MapNetDrvBtn"
              }
            ],
            "repeated": 0,
            "id": 3699
          },
          {
            "timestamp": "2026-05-28 22:02:14,182",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005a4"
              },
              {
                "name": "ValueName",
                "value": "WebView"
              },
              {
                "name": "Data",
                "value": "1"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\WebView"
              }
            ],
            "repeated": 0,
            "id": 3700
          },
          {
            "timestamp": "2026-05-28 22:02:14,182",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005a4"
              },
              {
                "name": "ValueName",
                "value": "Filter"
              },
              {
                "name": "Data",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\Filter"
              }
            ],
            "repeated": 0,
            "id": 3701
          },
          {
            "timestamp": "2026-05-28 22:02:14,182",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005a4"
              },
              {
                "name": "ValueName",
                "value": "ShowSuperHidden"
              },
              {
                "name": "Data",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\ShowSuperHidden"
              }
            ],
            "repeated": 0,
            "id": 3702
          },
          {
            "timestamp": "2026-05-28 22:02:14,182",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005a4"
              },
              {
                "name": "ValueName",
                "value": "SeparateProcess"
              },
              {
                "name": "Data",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\SeparateProcess"
              }
            ],
            "repeated": 0,
            "id": 3703
          },
          {
            "timestamp": "2026-05-28 22:02:14,182",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005a4"
              },
              {
                "name": "ValueName",
                "value": "NoNetCrawling"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\NoNetCrawling"
              }
            ],
            "repeated": 0,
            "id": 3704
          },
          {
            "timestamp": "2026-05-28 22:02:14,182",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005a4"
              },
              {
                "name": "ValueName",
                "value": "AutoCheckSelect"
              },
              {
                "name": "Data",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\AutoCheckSelect"
              }
            ],
            "repeated": 0,
            "id": 3705
          },
          {
            "timestamp": "2026-05-28 22:02:14,182",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005a4"
              },
              {
                "name": "ValueName",
                "value": "IconsOnly"
              },
              {
                "name": "Data",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\IconsOnly"
              }
            ],
            "repeated": 0,
            "id": 3706
          },
          {
            "timestamp": "2026-05-28 22:02:14,182",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005a4"
              },
              {
                "name": "ValueName",
                "value": "ShowTypeOverlay"
              },
              {
                "name": "Data",
                "value": "1"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\ShowTypeOverlay"
              }
            ],
            "repeated": 0,
            "id": 3707
          },
          {
            "timestamp": "2026-05-28 22:02:14,182",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005a4"
              },
              {
                "name": "ValueName",
                "value": "ShowStatusBar"
              },
              {
                "name": "Data",
                "value": "1"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\ShowStatusBar"
              }
            ],
            "repeated": 0,
            "id": 3708
          },
          {
            "timestamp": "2026-05-28 22:02:14,182",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005a4"
              }
            ],
            "repeated": 0,
            "id": 3709
          },
          {
            "timestamp": "2026-05-28 22:02:14,182",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x000005a4"
              }
            ],
            "repeated": 0,
            "id": 3710
          },
          {
            "timestamp": "2026-05-28 22:02:14,182",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "18"
              },
              {
                "name": "TokenInformation",
                "value": "\\x01\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 3711
          },
          {
            "timestamp": "2026-05-28 22:02:14,182",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "20"
              },
              {
                "name": "TokenInformation",
                "value": "\\x01\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 3712
          },
          {
            "timestamp": "2026-05-28 22:02:14,182",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005a4"
              }
            ],
            "repeated": 0,
            "id": 3713
          },
          {
            "timestamp": "2026-05-28 22:02:14,182",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000000",
                "pretty_value": "HKEY_CLASSES_ROOT"
              },
              {
                "name": "SubKey",
                "value": "Directory"
              },
              {
                "name": "Handle",
                "value": "0x000005a6"
              },
              {
                "name": "FullName",
                "value": "HKEY_CLASSES_ROOT\\Directory"
              }
            ],
            "repeated": 0,
            "id": 3714
          },
          {
            "timestamp": "2026-05-28 22:02:14,182",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x000005a6"
              },
              {
                "name": "SubKey",
                "value": "ShellEx\\IconHandler"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\Directory\\ShellEx\\IconHandler"
              }
            ],
            "repeated": 0,
            "id": 3715
          },
          {
            "timestamp": "2026-05-28 22:02:14,182",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000000",
                "pretty_value": "HKEY_CLASSES_ROOT"
              },
              {
                "name": "SubKey",
                "value": "Folder"
              },
              {
                "name": "Handle",
                "value": "0x000005aa"
              },
              {
                "name": "FullName",
                "value": "HKEY_CLASSES_ROOT\\Folder"
              }
            ],
            "repeated": 0,
            "id": 3716
          },
          {
            "timestamp": "2026-05-28 22:02:14,182",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x000005aa"
              },
              {
                "name": "SubKey",
                "value": "ShellEx\\IconHandler"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Folder\\ShellEx\\IconHandler"
              }
            ],
            "repeated": 0,
            "id": 3717
          },
          {
            "timestamp": "2026-05-28 22:02:14,182",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000000",
                "pretty_value": "HKEY_CLASSES_ROOT"
              },
              {
                "name": "SubKey",
                "value": "AllFilesystemObjects"
              },
              {
                "name": "Handle",
                "value": "0x000005ae"
              },
              {
                "name": "FullName",
                "value": "HKEY_CLASSES_ROOT\\AllFilesystemObjects"
              }
            ],
            "repeated": 0,
            "id": 3718
          },
          {
            "timestamp": "2026-05-28 22:02:14,182",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x000005ae"
              },
              {
                "name": "SubKey",
                "value": "ShellEx\\IconHandler"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\AllFilesystemObjects\\ShellEx\\IconHandler"
              }
            ],
            "repeated": 0,
            "id": 3719
          },
          {
            "timestamp": "2026-05-28 22:02:14,182",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005a6"
              },
              {
                "name": "ValueName",
                "value": "DocObject"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\Directory\\DocObject"
              }
            ],
            "repeated": 0,
            "id": 3720
          },
          {
            "timestamp": "2026-05-28 22:02:14,182",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x000005a6"
              },
              {
                "name": "SubKey",
                "value": "DocObject"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\Directory\\DocObject"
              }
            ],
            "repeated": 0,
            "id": 3721
          },
          {
            "timestamp": "2026-05-28 22:02:14,182",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005aa"
              },
              {
                "name": "ValueName",
                "value": "DocObject"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Folder\\DocObject"
              }
            ],
            "repeated": 0,
            "id": 3722
          },
          {
            "timestamp": "2026-05-28 22:02:14,182",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x000005aa"
              },
              {
                "name": "SubKey",
                "value": "DocObject"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Folder\\DocObject"
              }
            ],
            "repeated": 0,
            "id": 3723
          },
          {
            "timestamp": "2026-05-28 22:02:14,182",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005ae"
              },
              {
                "name": "ValueName",
                "value": "DocObject"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\AllFilesystemObjects\\DocObject"
              }
            ],
            "repeated": 0,
            "id": 3724
          },
          {
            "timestamp": "2026-05-28 22:02:14,182",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x000005ae"
              },
              {
                "name": "SubKey",
                "value": "DocObject"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\AllFilesystemObjects\\DocObject"
              }
            ],
            "repeated": 0,
            "id": 3725
          },
          {
            "timestamp": "2026-05-28 22:02:14,182",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005a6"
              },
              {
                "name": "ValueName",
                "value": "BrowseInPlace"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\Directory\\BrowseInPlace"
              }
            ],
            "repeated": 0,
            "id": 3726
          },
          {
            "timestamp": "2026-05-28 22:02:14,182",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x000005a6"
              },
              {
                "name": "SubKey",
                "value": "BrowseInPlace"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\Directory\\BrowseInPlace"
              }
            ],
            "repeated": 0,
            "id": 3727
          },
          {
            "timestamp": "2026-05-28 22:02:14,182",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005aa"
              },
              {
                "name": "ValueName",
                "value": "BrowseInPlace"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Folder\\BrowseInPlace"
              }
            ],
            "repeated": 0,
            "id": 3728
          },
          {
            "timestamp": "2026-05-28 22:02:14,182",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x000005aa"
              },
              {
                "name": "SubKey",
                "value": "BrowseInPlace"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Folder\\BrowseInPlace"
              }
            ],
            "repeated": 0,
            "id": 3729
          },
          {
            "timestamp": "2026-05-28 22:02:14,182",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005ae"
              },
              {
                "name": "ValueName",
                "value": "BrowseInPlace"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\AllFilesystemObjects\\BrowseInPlace"
              }
            ],
            "repeated": 0,
            "id": 3730
          },
          {
            "timestamp": "2026-05-28 22:02:14,182",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x000005ae"
              },
              {
                "name": "SubKey",
                "value": "BrowseInPlace"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\AllFilesystemObjects\\BrowseInPlace"
              }
            ],
            "repeated": 0,
            "id": 3731
          },
          {
            "timestamp": "2026-05-28 22:02:14,182",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x000005a6"
              },
              {
                "name": "SubKey",
                "value": "Clsid"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\Directory\\Clsid"
              }
            ],
            "repeated": 0,
            "id": 3732
          },
          {
            "timestamp": "2026-05-28 22:02:14,182",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x000005aa"
              },
              {
                "name": "SubKey",
                "value": "Clsid"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Folder\\Clsid"
              }
            ],
            "repeated": 0,
            "id": 3733
          },
          {
            "timestamp": "2026-05-28 22:02:14,182",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x000005ae"
              },
              {
                "name": "SubKey",
                "value": "Clsid"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\AllFilesystemObjects\\Clsid"
              }
            ],
            "repeated": 0,
            "id": 3734
          },
          {
            "timestamp": "2026-05-28 22:02:14,182",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005a6"
              },
              {
                "name": "ValueName",
                "value": "IsShortcut"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\Directory\\IsShortcut"
              }
            ],
            "repeated": 0,
            "id": 3735
          },
          {
            "timestamp": "2026-05-28 22:02:14,182",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005aa"
              },
              {
                "name": "ValueName",
                "value": "IsShortcut"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Folder\\IsShortcut"
              }
            ],
            "repeated": 0,
            "id": 3736
          },
          {
            "timestamp": "2026-05-28 22:02:14,182",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005ae"
              },
              {
                "name": "ValueName",
                "value": "IsShortcut"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\AllFilesystemObjects\\IsShortcut"
              }
            ],
            "repeated": 0,
            "id": 3737
          },
          {
            "timestamp": "2026-05-28 22:02:14,197",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005a6"
              },
              {
                "name": "ValueName",
                "value": "AlwaysShowExt"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\Directory\\AlwaysShowExt"
              }
            ],
            "repeated": 0,
            "id": 3738
          },
          {
            "timestamp": "2026-05-28 22:02:14,197",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005a6"
              },
              {
                "name": "ValueName",
                "value": "NeverShowExt"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\Directory\\NeverShowExt"
              }
            ],
            "repeated": 0,
            "id": 3739
          },
          {
            "timestamp": "2026-05-28 22:02:14,197",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005aa"
              },
              {
                "name": "ValueName",
                "value": "NeverShowExt"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Folder\\NeverShowExt"
              }
            ],
            "repeated": 0,
            "id": 3740
          },
          {
            "timestamp": "2026-05-28 22:02:14,197",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005ae"
              },
              {
                "name": "ValueName",
                "value": "NeverShowExt"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\AllFilesystemObjects\\NeverShowExt"
              }
            ],
            "repeated": 0,
            "id": 3741
          },
          {
            "timestamp": "2026-05-28 22:02:14,197",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005a6"
              }
            ],
            "repeated": 0,
            "id": 3742
          },
          {
            "timestamp": "2026-05-28 22:02:14,197",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005aa"
              }
            ],
            "repeated": 0,
            "id": 3743
          },
          {
            "timestamp": "2026-05-28 22:02:14,197",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005ae"
              }
            ],
            "repeated": 0,
            "id": 3744
          },
          {
            "timestamp": "2026-05-28 22:02:14,197",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc73f06000"
              },
              {
                "name": "ModuleName",
                "value": "windows.storage.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 3745
          },
          {
            "timestamp": "2026-05-28 22:02:14,197",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc73f06000"
              },
              {
                "name": "ModuleName",
                "value": "windows.storage.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 3746
          },
          {
            "timestamp": "2026-05-28 22:02:14,197",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x000005ac"
              }
            ],
            "repeated": 0,
            "id": 3747
          },
          {
            "timestamp": "2026-05-28 22:02:14,197",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "29"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 3748
          },
          {
            "timestamp": "2026-05-28 22:02:14,197",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "25"
              },
              {
                "name": "TokenInformation",
                "value": "\\xb0\\x81\\x92\\xf7\\xb8\\x00\\x00\\x00`\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x10\\x000\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 3749
          },
          {
            "timestamp": "2026-05-28 22:02:14,197",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions"
              },
              {
                "name": "Handle",
                "value": "0x000005a8"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions"
              }
            ],
            "repeated": 0,
            "id": 3750
          },
          {
            "timestamp": "2026-05-28 22:02:14,197",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x000005a8"
              },
              {
                "name": "SubKey",
                "value": "{625B53C3-AB48-4EC1-BA1F-A1EF4146FC19}"
              },
              {
                "name": "Handle",
                "value": "0x000005a4"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{625B53C3-AB48-4EC1-BA1F-A1EF4146FC19}"
              }
            ],
            "repeated": 0,
            "id": 3751
          },
          {
            "timestamp": "2026-05-28 22:02:14,197",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005a8"
              }
            ],
            "repeated": 0,
            "id": 3752
          },
          {
            "timestamp": "2026-05-28 22:02:14,197",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005a4"
              },
              {
                "name": "ValueName",
                "value": "Category"
              },
              {
                "name": "Data",
                "value": "4"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{625B53C3-AB48-4EC1-BA1F-A1EF4146FC19}\\Category"
              }
            ],
            "repeated": 0,
            "id": 3753
          },
          {
            "timestamp": "2026-05-28 22:02:14,197",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005a4"
              },
              {
                "name": "ValueName",
                "value": "Name"
              },
              {
                "name": "Data",
                "value": "Start Menu"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{625B53C3-AB48-4EC1-BA1F-A1EF4146FC19}\\Name"
              }
            ],
            "repeated": 0,
            "id": 3754
          },
          {
            "timestamp": "2026-05-28 22:02:14,197",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005a4"
              },
              {
                "name": "ValueName",
                "value": "ParentFolder"
              },
              {
                "name": "Data",
                "value": "{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{625B53C3-AB48-4EC1-BA1F-A1EF4146FC19}\\ParentFolder"
              }
            ],
            "repeated": 0,
            "id": 3755
          },
          {
            "timestamp": "2026-05-28 22:02:14,197",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005a4"
              },
              {
                "name": "ValueName",
                "value": "Description"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{625B53C3-AB48-4EC1-BA1F-A1EF4146FC19}\\Description"
              }
            ],
            "repeated": 0,
            "id": 3756
          },
          {
            "timestamp": "2026-05-28 22:02:14,197",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005a4"
              },
              {
                "name": "ValueName",
                "value": "RelativePath"
              },
              {
                "name": "Data",
                "value": "Microsoft\\Windows\\Start Menu"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{625B53C3-AB48-4EC1-BA1F-A1EF4146FC19}\\RelativePath"
              }
            ],
            "repeated": 0,
            "id": 3757
          },
          {
            "timestamp": "2026-05-28 22:02:14,197",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005a4"
              },
              {
                "name": "ValueName",
                "value": "ParsingName"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{625B53C3-AB48-4EC1-BA1F-A1EF4146FC19}\\ParsingName"
              }
            ],
            "repeated": 0,
            "id": 3758
          },
          {
            "timestamp": "2026-05-28 22:02:14,197",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005a4"
              },
              {
                "name": "ValueName",
                "value": "InfoTip"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{625B53C3-AB48-4EC1-BA1F-A1EF4146FC19}\\InfoTip"
              }
            ],
            "repeated": 0,
            "id": 3759
          },
          {
            "timestamp": "2026-05-28 22:02:14,197",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005a4"
              },
              {
                "name": "ValueName",
                "value": "LocalizedName"
              },
              {
                "name": "Data",
                "value": "@%SystemRoot%\\system32\\shell32.dll,-21786"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{625B53C3-AB48-4EC1-BA1F-A1EF4146FC19}\\LocalizedName"
              }
            ],
            "repeated": 0,
            "id": 3760
          },
          {
            "timestamp": "2026-05-28 22:02:14,197",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005a4"
              },
              {
                "name": "ValueName",
                "value": "Icon"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{625B53C3-AB48-4EC1-BA1F-A1EF4146FC19}\\Icon"
              }
            ],
            "repeated": 0,
            "id": 3761
          },
          {
            "timestamp": "2026-05-28 22:02:14,197",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005a4"
              },
              {
                "name": "ValueName",
                "value": "Security"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{625B53C3-AB48-4EC1-BA1F-A1EF4146FC19}\\Security"
              }
            ],
            "repeated": 0,
            "id": 3762
          },
          {
            "timestamp": "2026-05-28 22:02:14,197",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005a4"
              },
              {
                "name": "ValueName",
                "value": "StreamResource"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{625B53C3-AB48-4EC1-BA1F-A1EF4146FC19}\\StreamResource"
              }
            ],
            "repeated": 0,
            "id": 3763
          },
          {
            "timestamp": "2026-05-28 22:02:14,197",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005a4"
              },
              {
                "name": "ValueName",
                "value": "StreamResourceType"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{625B53C3-AB48-4EC1-BA1F-A1EF4146FC19}\\StreamResourceType"
              }
            ],
            "repeated": 0,
            "id": 3764
          },
          {
            "timestamp": "2026-05-28 22:02:14,197",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005a4"
              },
              {
                "name": "ValueName",
                "value": "LocalRedirectOnly"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{625B53C3-AB48-4EC1-BA1F-A1EF4146FC19}\\LocalRedirectOnly"
              }
            ],
            "repeated": 0,
            "id": 3765
          },
          {
            "timestamp": "2026-05-28 22:02:14,197",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005a4"
              },
              {
                "name": "ValueName",
                "value": "Roamable"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{625B53C3-AB48-4EC1-BA1F-A1EF4146FC19}\\Roamable"
              }
            ],
            "repeated": 0,
            "id": 3766
          },
          {
            "timestamp": "2026-05-28 22:02:14,197",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005a4"
              },
              {
                "name": "ValueName",
                "value": "PreCreate"
              },
              {
                "name": "Data",
                "value": "1"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{625B53C3-AB48-4EC1-BA1F-A1EF4146FC19}\\PreCreate"
              }
            ],
            "repeated": 0,
            "id": 3767
          },
          {
            "timestamp": "2026-05-28 22:02:14,197",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005a4"
              },
              {
                "name": "ValueName",
                "value": "Stream"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{625B53C3-AB48-4EC1-BA1F-A1EF4146FC19}\\Stream"
              }
            ],
            "repeated": 0,
            "id": 3768
          },
          {
            "timestamp": "2026-05-28 22:02:14,197",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005a4"
              },
              {
                "name": "ValueName",
                "value": "PublishExpandedPath"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{625B53C3-AB48-4EC1-BA1F-A1EF4146FC19}\\PublishExpandedPath"
              }
            ],
            "repeated": 0,
            "id": 3769
          },
          {
            "timestamp": "2026-05-28 22:02:14,197",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005a4"
              },
              {
                "name": "ValueName",
                "value": "DefinitionFlags"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{625B53C3-AB48-4EC1-BA1F-A1EF4146FC19}\\DefinitionFlags"
              }
            ],
            "repeated": 0,
            "id": 3770
          },
          {
            "timestamp": "2026-05-28 22:02:14,197",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005a4"
              },
              {
                "name": "ValueName",
                "value": "Attributes"
              },
              {
                "name": "Data",
                "value": "1"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{625B53C3-AB48-4EC1-BA1F-A1EF4146FC19}\\Attributes"
              }
            ],
            "repeated": 0,
            "id": 3771
          },
          {
            "timestamp": "2026-05-28 22:02:14,197",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005a4"
              },
              {
                "name": "ValueName",
                "value": "FolderTypeID"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{625B53C3-AB48-4EC1-BA1F-A1EF4146FC19}\\FolderTypeID"
              }
            ],
            "repeated": 0,
            "id": 3772
          },
          {
            "timestamp": "2026-05-28 22:02:14,197",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005a4"
              },
              {
                "name": "ValueName",
                "value": "InitFolderHandler"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{625B53C3-AB48-4EC1-BA1F-A1EF4146FC19}\\InitFolderHandler"
              }
            ],
            "repeated": 0,
            "id": 3773
          },
          {
            "timestamp": "2026-05-28 22:02:14,197",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x000005a4"
              },
              {
                "name": "SubKey",
                "value": "PropertyBag"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{625B53C3-AB48-4EC1-BA1F-A1EF4146FC19}\\PropertyBag"
              }
            ],
            "repeated": 0,
            "id": 3774
          },
          {
            "timestamp": "2026-05-28 22:02:14,197",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005a4"
              }
            ],
            "repeated": 0,
            "id": 3775
          },
          {
            "timestamp": "2026-05-28 22:02:14,197",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000598"
              },
              {
                "name": "SubKey",
                "value": "SessionInfo\\1"
              },
              {
                "name": "Handle",
                "value": "0x000005a4"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\SessionInfo\\1"
              }
            ],
            "repeated": 0,
            "id": 3776
          },
          {
            "timestamp": "2026-05-28 22:02:14,197",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x000005a4"
              },
              {
                "name": "SubKey",
                "value": "KnownFolders"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\SessionInfo\\1\\KnownFolders"
              }
            ],
            "repeated": 0,
            "id": 3777
          },
          {
            "timestamp": "2026-05-28 22:02:14,197",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005a4"
              }
            ],
            "repeated": 0,
            "id": 3778
          },
          {
            "timestamp": "2026-05-28 22:02:14,197",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "p}\\x92\\xf7\\xb8\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xfc\\x7f\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\xe9\\x03\\x00\\x00\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x80\\xa4\\x05\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 3779
          },
          {
            "timestamp": "2026-05-28 22:02:14,197",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000005a4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3968686040-3210279463-847977608-1001"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER"
              }
            ],
            "repeated": 0,
            "id": 3780
          },
          {
            "timestamp": "2026-05-28 22:02:14,197",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x000005a4"
              },
              {
                "name": "SubKey",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders"
              },
              {
                "name": "Handle",
                "value": "0x000005a8"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders"
              }
            ],
            "repeated": 0,
            "id": 3781
          },
          {
            "timestamp": "2026-05-28 22:02:14,197",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005a4"
              }
            ],
            "repeated": 0,
            "id": 3782
          },
          {
            "timestamp": "2026-05-28 22:02:14,197",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005a8"
              },
              {
                "name": "ValueName",
                "value": "Start Menu"
              },
              {
                "name": "Data",
                "value": "%USERPROFILE%\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders\\Start Menu"
              }
            ],
            "repeated": 0,
            "id": 3783
          },
          {
            "timestamp": "2026-05-28 22:02:14,197",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005ac"
              }
            ],
            "repeated": 0,
            "id": 3784
          },
          {
            "timestamp": "2026-05-28 22:02:14,197",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005a8"
              }
            ],
            "repeated": 0,
            "id": 3785
          },
          {
            "timestamp": "2026-05-28 22:02:14,197",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x000005a8"
              }
            ],
            "repeated": 0,
            "id": 3786
          },
          {
            "timestamp": "2026-05-28 22:02:14,197",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "29"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 3787
          },
          {
            "timestamp": "2026-05-28 22:02:14,197",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "25"
              },
              {
                "name": "TokenInformation",
                "value": "\\xb0\\x81\\x92\\xf7\\xb8\\x00\\x00\\x00`\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x10\\x000\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 3788
          },
          {
            "timestamp": "2026-05-28 22:02:14,197",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions"
              },
              {
                "name": "Handle",
                "value": "0x000005ac"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions"
              }
            ],
            "repeated": 0,
            "id": 3789
          },
          {
            "timestamp": "2026-05-28 22:02:14,197",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x000005ac"
              },
              {
                "name": "SubKey",
                "value": "{A4115719-D62E-491D-AA7C-E74B8BE3B067}"
              },
              {
                "name": "Handle",
                "value": "0x000005a4"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A4115719-D62E-491D-AA7C-E74B8BE3B067}"
              }
            ],
            "repeated": 0,
            "id": 3790
          },
          {
            "timestamp": "2026-05-28 22:02:14,197",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005ac"
              }
            ],
            "repeated": 0,
            "id": 3791
          },
          {
            "timestamp": "2026-05-28 22:02:14,197",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005a4"
              },
              {
                "name": "ValueName",
                "value": "Category"
              },
              {
                "name": "Data",
                "value": "3"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A4115719-D62E-491D-AA7C-E74B8BE3B067}\\Category"
              }
            ],
            "repeated": 0,
            "id": 3792
          },
          {
            "timestamp": "2026-05-28 22:02:14,197",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005a4"
              },
              {
                "name": "ValueName",
                "value": "Name"
              },
              {
                "name": "Data",
                "value": "Common Start Menu"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A4115719-D62E-491D-AA7C-E74B8BE3B067}\\Name"
              }
            ],
            "repeated": 0,
            "id": 3793
          },
          {
            "timestamp": "2026-05-28 22:02:14,197",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005a4"
              },
              {
                "name": "ValueName",
                "value": "ParentFolder"
              },
              {
                "name": "Data",
                "value": "{62AB5D82-FDC1-4DC3-A9DD-070D1D495D97}"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A4115719-D62E-491D-AA7C-E74B8BE3B067}\\ParentFolder"
              }
            ],
            "repeated": 0,
            "id": 3794
          },
          {
            "timestamp": "2026-05-28 22:02:14,197",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005a4"
              },
              {
                "name": "ValueName",
                "value": "Description"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A4115719-D62E-491D-AA7C-E74B8BE3B067}\\Description"
              }
            ],
            "repeated": 0,
            "id": 3795
          },
          {
            "timestamp": "2026-05-28 22:02:14,197",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005a4"
              },
              {
                "name": "ValueName",
                "value": "RelativePath"
              },
              {
                "name": "Data",
                "value": "Microsoft\\Windows\\Start Menu"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A4115719-D62E-491D-AA7C-E74B8BE3B067}\\RelativePath"
              }
            ],
            "repeated": 0,
            "id": 3796
          },
          {
            "timestamp": "2026-05-28 22:02:14,197",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005a4"
              },
              {
                "name": "ValueName",
                "value": "ParsingName"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A4115719-D62E-491D-AA7C-E74B8BE3B067}\\ParsingName"
              }
            ],
            "repeated": 0,
            "id": 3797
          },
          {
            "timestamp": "2026-05-28 22:02:14,197",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005a4"
              },
              {
                "name": "ValueName",
                "value": "InfoTip"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A4115719-D62E-491D-AA7C-E74B8BE3B067}\\InfoTip"
              }
            ],
            "repeated": 0,
            "id": 3798
          },
          {
            "timestamp": "2026-05-28 22:02:14,197",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005a4"
              },
              {
                "name": "ValueName",
                "value": "LocalizedName"
              },
              {
                "name": "Data",
                "value": "@%SystemRoot%\\system32\\shell32.dll,-21786"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A4115719-D62E-491D-AA7C-E74B8BE3B067}\\LocalizedName"
              }
            ],
            "repeated": 0,
            "id": 3799
          },
          {
            "timestamp": "2026-05-28 22:02:14,197",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005a4"
              },
              {
                "name": "ValueName",
                "value": "Icon"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A4115719-D62E-491D-AA7C-E74B8BE3B067}\\Icon"
              }
            ],
            "repeated": 0,
            "id": 3800
          },
          {
            "timestamp": "2026-05-28 22:02:14,197",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005a4"
              },
              {
                "name": "ValueName",
                "value": "Security"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A4115719-D62E-491D-AA7C-E74B8BE3B067}\\Security"
              }
            ],
            "repeated": 0,
            "id": 3801
          },
          {
            "timestamp": "2026-05-28 22:02:14,197",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005a4"
              },
              {
                "name": "ValueName",
                "value": "StreamResource"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A4115719-D62E-491D-AA7C-E74B8BE3B067}\\StreamResource"
              }
            ],
            "repeated": 0,
            "id": 3802
          },
          {
            "timestamp": "2026-05-28 22:02:14,197",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005a4"
              },
              {
                "name": "ValueName",
                "value": "StreamResourceType"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A4115719-D62E-491D-AA7C-E74B8BE3B067}\\StreamResourceType"
              }
            ],
            "repeated": 0,
            "id": 3803
          },
          {
            "timestamp": "2026-05-28 22:02:14,197",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005a4"
              },
              {
                "name": "ValueName",
                "value": "LocalRedirectOnly"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A4115719-D62E-491D-AA7C-E74B8BE3B067}\\LocalRedirectOnly"
              }
            ],
            "repeated": 0,
            "id": 3804
          },
          {
            "timestamp": "2026-05-28 22:02:14,197",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005a4"
              },
              {
                "name": "ValueName",
                "value": "Roamable"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A4115719-D62E-491D-AA7C-E74B8BE3B067}\\Roamable"
              }
            ],
            "repeated": 0,
            "id": 3805
          },
          {
            "timestamp": "2026-05-28 22:02:14,197",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005a4"
              },
              {
                "name": "ValueName",
                "value": "PreCreate"
              },
              {
                "name": "Data",
                "value": "1"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A4115719-D62E-491D-AA7C-E74B8BE3B067}\\PreCreate"
              }
            ],
            "repeated": 0,
            "id": 3806
          },
          {
            "timestamp": "2026-05-28 22:02:14,197",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005a4"
              },
              {
                "name": "ValueName",
                "value": "Stream"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A4115719-D62E-491D-AA7C-E74B8BE3B067}\\Stream"
              }
            ],
            "repeated": 0,
            "id": 3807
          },
          {
            "timestamp": "2026-05-28 22:02:14,197",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005a4"
              },
              {
                "name": "ValueName",
                "value": "PublishExpandedPath"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A4115719-D62E-491D-AA7C-E74B8BE3B067}\\PublishExpandedPath"
              }
            ],
            "repeated": 0,
            "id": 3808
          },
          {
            "timestamp": "2026-05-28 22:02:14,197",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005a4"
              },
              {
                "name": "ValueName",
                "value": "DefinitionFlags"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A4115719-D62E-491D-AA7C-E74B8BE3B067}\\DefinitionFlags"
              }
            ],
            "repeated": 0,
            "id": 3809
          },
          {
            "timestamp": "2026-05-28 22:02:14,197",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005a4"
              },
              {
                "name": "ValueName",
                "value": "Attributes"
              },
              {
                "name": "Data",
                "value": "1"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A4115719-D62E-491D-AA7C-E74B8BE3B067}\\Attributes"
              }
            ],
            "repeated": 0,
            "id": 3810
          },
          {
            "timestamp": "2026-05-28 22:02:14,197",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005a4"
              },
              {
                "name": "ValueName",
                "value": "FolderTypeID"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A4115719-D62E-491D-AA7C-E74B8BE3B067}\\FolderTypeID"
              }
            ],
            "repeated": 0,
            "id": 3811
          },
          {
            "timestamp": "2026-05-28 22:02:14,197",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005a4"
              },
              {
                "name": "ValueName",
                "value": "InitFolderHandler"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A4115719-D62E-491D-AA7C-E74B8BE3B067}\\InitFolderHandler"
              }
            ],
            "repeated": 0,
            "id": 3812
          },
          {
            "timestamp": "2026-05-28 22:02:14,197",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x000005a4"
              },
              {
                "name": "SubKey",
                "value": "PropertyBag"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A4115719-D62E-491D-AA7C-E74B8BE3B067}\\PropertyBag"
              }
            ],
            "repeated": 0,
            "id": 3813
          },
          {
            "timestamp": "2026-05-28 22:02:14,197",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005a4"
              }
            ],
            "repeated": 0,
            "id": 3814
          },
          {
            "timestamp": "2026-05-28 22:02:14,197",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000598"
              },
              {
                "name": "SubKey",
                "value": "SessionInfo\\1"
              },
              {
                "name": "Handle",
                "value": "0x000005a4"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\SessionInfo\\1"
              }
            ],
            "repeated": 0,
            "id": 3815
          },
          {
            "timestamp": "2026-05-28 22:02:14,197",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x000005a4"
              },
              {
                "name": "SubKey",
                "value": "KnownFolders"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\SessionInfo\\1\\KnownFolders"
              }
            ],
            "repeated": 0,
            "id": 3816
          },
          {
            "timestamp": "2026-05-28 22:02:14,197",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005a4"
              }
            ],
            "repeated": 0,
            "id": 3817
          },
          {
            "timestamp": "2026-05-28 22:02:14,197",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders"
              },
              {
                "name": "Handle",
                "value": "0x000005a4"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders"
              }
            ],
            "repeated": 0,
            "id": 3818
          },
          {
            "timestamp": "2026-05-28 22:02:14,197",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005a4"
              },
              {
                "name": "ValueName",
                "value": "Common Start Menu"
              },
              {
                "name": "Data",
                "value": "%ProgramData%\\Microsoft\\Windows\\Start Menu"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders\\Common Start Menu"
              }
            ],
            "repeated": 0,
            "id": 3819
          },
          {
            "timestamp": "2026-05-28 22:02:14,197",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005a8"
              }
            ],
            "repeated": 0,
            "id": 3820
          },
          {
            "timestamp": "2026-05-28 22:02:14,197",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005a4"
              }
            ],
            "repeated": 0,
            "id": 3821
          },
          {
            "timestamp": "2026-05-28 22:02:14,197",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x000005a4"
              }
            ],
            "repeated": 0,
            "id": 3822
          },
          {
            "timestamp": "2026-05-28 22:02:14,197",
            "thread_id": "11128",
            "caller": "0x7ffc7808e53f",
            "parentcaller": "0x7ffc77fefaf7",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "93"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x7f7\\x9e}"
              }
            ],
            "repeated": 0,
            "id": 3823
          },
          {
            "timestamp": "2026-05-28 22:02:14,197",
            "thread_id": "11128",
            "caller": "0x7ffc77fe5157",
            "parentcaller": "0x7ffc77fe43ea",
            "category": "process",
            "api": "NtOpenSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x000005a8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0000000d"
              },
              {
                "name": "ObjectAttributes",
                "value": "CFGMGR32.dll"
              }
            ],
            "repeated": 0,
            "id": 3824
          },
          {
            "timestamp": "2026-05-28 22:02:14,197",
            "thread_id": "11128",
            "caller": "0x7ffc77fe4d42",
            "parentcaller": "0x7ffc77fe4aaa",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x000005a8"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc75f50000"
              },
              {
                "name": "SectionOffset",
                "value": "0x00000000"
              },
              {
                "name": "ViewSize",
                "value": "0x0004e000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000080",
                "pretty_value": "PAGE_EXECUTE_WRITECOPY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 3825
          },
          {
            "timestamp": "2026-05-28 22:02:14,197",
            "thread_id": "11128",
            "caller": "0x7ffc77fdfee4",
            "parentcaller": "0x7ffc77fdfad8",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc75f9b000"
              },
              {
                "name": "ModuleName",
                "value": "CFGMGR32.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 3826
          },
          {
            "timestamp": "2026-05-28 22:02:14,197",
            "thread_id": "11128",
            "caller": "0x7ffc77fdffb5",
            "parentcaller": "0x7ffc77fdfad8",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc75f89000"
              },
              {
                "name": "ModuleName",
                "value": "CFGMGR32.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 3827
          },
          {
            "timestamp": "2026-05-28 22:02:14,197",
            "thread_id": "11128",
            "caller": "0x7ffc77fdffed",
            "parentcaller": "0x7ffc77fdfad8",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc75f89000"
              },
              {
                "name": "ModuleName",
                "value": "CFGMGR32.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 3828
          },
          {
            "timestamp": "2026-05-28 22:02:14,197",
            "thread_id": "11128",
            "caller": "0x7ffc77fe0068",
            "parentcaller": "0x7ffc77fdfad8",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc75f89000"
              },
              {
                "name": "ModuleName",
                "value": "CFGMGR32.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 3829
          },
          {
            "timestamp": "2026-05-28 22:02:14,197",
            "thread_id": "11128",
            "caller": "0x7ffc77fe009c",
            "parentcaller": "0x7ffc77fdfad8",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc75f89000"
              },
              {
                "name": "ModuleName",
                "value": "CFGMGR32.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 3830
          },
          {
            "timestamp": "2026-05-28 22:02:14,197",
            "thread_id": "11128",
            "caller": "0x7ffc77fe5082",
            "parentcaller": "0x7ffc77fe79d2",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc75f88000"
              },
              {
                "name": "ModuleName",
                "value": "CFGMGR32.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00002000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 3831
          },
          {
            "timestamp": "2026-05-28 22:02:14,197",
            "thread_id": "11128",
            "caller": "0x7ffc77fe4485",
            "parentcaller": "0x7ffc7803b2bd",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005a8"
              }
            ],
            "repeated": 0,
            "id": 3832
          },
          {
            "timestamp": "2026-05-28 22:02:14,197",
            "thread_id": "11128",
            "caller": "0x7ffc78017bac",
            "parentcaller": "0x7ffc7800288a",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc75f88000"
              },
              {
                "name": "ModuleName",
                "value": "CFGMGR32.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00002000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 3833
          },
          {
            "timestamp": "2026-05-28 22:02:14,197",
            "thread_id": "11128",
            "caller": "0x7ffc78017bac",
            "parentcaller": "0x7ffc7800288a",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\System32\\CFGMGR32"
              },
              {
                "name": "DllBase",
                "value": "0x7ffc75f50000"
              }
            ],
            "repeated": 0,
            "id": 3834
          },
          {
            "timestamp": "2026-05-28 22:02:14,213",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "29"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 3835
          },
          {
            "timestamp": "2026-05-28 22:02:14,213",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "25"
              },
              {
                "name": "TokenInformation",
                "value": "\\xb0\\x81\\x92\\xf7\\xb8\\x00\\x00\\x00`\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x10\\x000\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 3836
          },
          {
            "timestamp": "2026-05-28 22:02:14,213",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions"
              },
              {
                "name": "Handle",
                "value": "0x000005ac"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions"
              }
            ],
            "repeated": 0,
            "id": 3837
          },
          {
            "timestamp": "2026-05-28 22:02:14,213",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x000005ac"
              },
              {
                "name": "SubKey",
                "value": "{AE50C081-EBD2-438A-8655-8A092E34987A}"
              },
              {
                "name": "Handle",
                "value": "0x000005b0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{AE50C081-EBD2-438A-8655-8A092E34987A}"
              }
            ],
            "repeated": 0,
            "id": 3838
          },
          {
            "timestamp": "2026-05-28 22:02:14,213",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005ac"
              }
            ],
            "repeated": 0,
            "id": 3839
          },
          {
            "timestamp": "2026-05-28 22:02:14,213",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              },
              {
                "name": "ValueName",
                "value": "Category"
              },
              {
                "name": "Data",
                "value": "4"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{AE50C081-EBD2-438A-8655-8A092E34987A}\\Category"
              }
            ],
            "repeated": 0,
            "id": 3840
          },
          {
            "timestamp": "2026-05-28 22:02:14,213",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              },
              {
                "name": "ValueName",
                "value": "Name"
              },
              {
                "name": "Data",
                "value": "Recent"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{AE50C081-EBD2-438A-8655-8A092E34987A}\\Name"
              }
            ],
            "repeated": 0,
            "id": 3841
          },
          {
            "timestamp": "2026-05-28 22:02:14,213",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              },
              {
                "name": "ValueName",
                "value": "ParentFolder"
              },
              {
                "name": "Data",
                "value": "{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{AE50C081-EBD2-438A-8655-8A092E34987A}\\ParentFolder"
              }
            ],
            "repeated": 0,
            "id": 3842
          },
          {
            "timestamp": "2026-05-28 22:02:14,213",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              },
              {
                "name": "ValueName",
                "value": "Description"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{AE50C081-EBD2-438A-8655-8A092E34987A}\\Description"
              }
            ],
            "repeated": 0,
            "id": 3843
          },
          {
            "timestamp": "2026-05-28 22:02:14,213",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              },
              {
                "name": "ValueName",
                "value": "RelativePath"
              },
              {
                "name": "Data",
                "value": "Microsoft\\Windows\\Recent"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{AE50C081-EBD2-438A-8655-8A092E34987A}\\RelativePath"
              }
            ],
            "repeated": 0,
            "id": 3844
          },
          {
            "timestamp": "2026-05-28 22:02:14,213",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtAllocateVirtualMemoryEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2a3654bd000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 3845
          },
          {
            "timestamp": "2026-05-28 22:02:14,213",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              },
              {
                "name": "ValueName",
                "value": "ParsingName"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{AE50C081-EBD2-438A-8655-8A092E34987A}\\ParsingName"
              }
            ],
            "repeated": 0,
            "id": 3846
          },
          {
            "timestamp": "2026-05-28 22:02:14,213",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              },
              {
                "name": "ValueName",
                "value": "InfoTip"
              },
              {
                "name": "Data",
                "value": "@shell32,dll,-12692"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{AE50C081-EBD2-438A-8655-8A092E34987A}\\InfoTip"
              }
            ],
            "repeated": 0,
            "id": 3847
          },
          {
            "timestamp": "2026-05-28 22:02:14,213",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              },
              {
                "name": "ValueName",
                "value": "LocalizedName"
              },
              {
                "name": "Data",
                "value": "@%SystemRoot%\\system32\\shell32.dll,-21797"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{AE50C081-EBD2-438A-8655-8A092E34987A}\\LocalizedName"
              }
            ],
            "repeated": 0,
            "id": 3848
          },
          {
            "timestamp": "2026-05-28 22:02:14,213",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              },
              {
                "name": "ValueName",
                "value": "Icon"
              },
              {
                "name": "Data",
                "value": "%SystemRoot%\\system32\\imageres.dll,-117"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{AE50C081-EBD2-438A-8655-8A092E34987A}\\Icon"
              }
            ],
            "repeated": 0,
            "id": 3849
          },
          {
            "timestamp": "2026-05-28 22:02:14,213",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              },
              {
                "name": "ValueName",
                "value": "Security"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{AE50C081-EBD2-438A-8655-8A092E34987A}\\Security"
              }
            ],
            "repeated": 0,
            "id": 3850
          },
          {
            "timestamp": "2026-05-28 22:02:14,213",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              },
              {
                "name": "ValueName",
                "value": "StreamResource"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{AE50C081-EBD2-438A-8655-8A092E34987A}\\StreamResource"
              }
            ],
            "repeated": 0,
            "id": 3851
          },
          {
            "timestamp": "2026-05-28 22:02:14,213",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              },
              {
                "name": "ValueName",
                "value": "StreamResourceType"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{AE50C081-EBD2-438A-8655-8A092E34987A}\\StreamResourceType"
              }
            ],
            "repeated": 0,
            "id": 3852
          },
          {
            "timestamp": "2026-05-28 22:02:14,213",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              },
              {
                "name": "ValueName",
                "value": "LocalRedirectOnly"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{AE50C081-EBD2-438A-8655-8A092E34987A}\\LocalRedirectOnly"
              }
            ],
            "repeated": 0,
            "id": 3853
          },
          {
            "timestamp": "2026-05-28 22:02:14,213",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              },
              {
                "name": "ValueName",
                "value": "Roamable"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{AE50C081-EBD2-438A-8655-8A092E34987A}\\Roamable"
              }
            ],
            "repeated": 0,
            "id": 3854
          },
          {
            "timestamp": "2026-05-28 22:02:14,213",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              },
              {
                "name": "ValueName",
                "value": "PreCreate"
              },
              {
                "name": "Data",
                "value": "1"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{AE50C081-EBD2-438A-8655-8A092E34987A}\\PreCreate"
              }
            ],
            "repeated": 0,
            "id": 3855
          },
          {
            "timestamp": "2026-05-28 22:02:14,213",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              },
              {
                "name": "ValueName",
                "value": "Stream"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{AE50C081-EBD2-438A-8655-8A092E34987A}\\Stream"
              }
            ],
            "repeated": 0,
            "id": 3856
          },
          {
            "timestamp": "2026-05-28 22:02:14,213",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              },
              {
                "name": "ValueName",
                "value": "PublishExpandedPath"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{AE50C081-EBD2-438A-8655-8A092E34987A}\\PublishExpandedPath"
              }
            ],
            "repeated": 0,
            "id": 3857
          },
          {
            "timestamp": "2026-05-28 22:02:14,213",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              },
              {
                "name": "ValueName",
                "value": "DefinitionFlags"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{AE50C081-EBD2-438A-8655-8A092E34987A}\\DefinitionFlags"
              }
            ],
            "repeated": 0,
            "id": 3858
          },
          {
            "timestamp": "2026-05-28 22:02:14,213",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              },
              {
                "name": "ValueName",
                "value": "Attributes"
              },
              {
                "name": "Data",
                "value": "1"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{AE50C081-EBD2-438A-8655-8A092E34987A}\\Attributes"
              }
            ],
            "repeated": 0,
            "id": 3859
          },
          {
            "timestamp": "2026-05-28 22:02:14,213",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              },
              {
                "name": "ValueName",
                "value": "FolderTypeID"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{AE50C081-EBD2-438A-8655-8A092E34987A}\\FolderTypeID"
              }
            ],
            "repeated": 0,
            "id": 3860
          },
          {
            "timestamp": "2026-05-28 22:02:14,213",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              },
              {
                "name": "ValueName",
                "value": "InitFolderHandler"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{AE50C081-EBD2-438A-8655-8A092E34987A}\\InitFolderHandler"
              }
            ],
            "repeated": 0,
            "id": 3861
          },
          {
            "timestamp": "2026-05-28 22:02:14,213",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x000005b0"
              },
              {
                "name": "SubKey",
                "value": "PropertyBag"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{AE50C081-EBD2-438A-8655-8A092E34987A}\\PropertyBag"
              }
            ],
            "repeated": 0,
            "id": 3862
          },
          {
            "timestamp": "2026-05-28 22:02:14,213",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              }
            ],
            "repeated": 0,
            "id": 3863
          },
          {
            "timestamp": "2026-05-28 22:02:14,213",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000598"
              },
              {
                "name": "SubKey",
                "value": "SessionInfo\\1"
              },
              {
                "name": "Handle",
                "value": "0x000005b0"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\SessionInfo\\1"
              }
            ],
            "repeated": 0,
            "id": 3864
          },
          {
            "timestamp": "2026-05-28 22:02:14,213",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x000005b0"
              },
              {
                "name": "SubKey",
                "value": "KnownFolders"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\SessionInfo\\1\\KnownFolders"
              }
            ],
            "repeated": 0,
            "id": 3865
          },
          {
            "timestamp": "2026-05-28 22:02:14,213",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              }
            ],
            "repeated": 0,
            "id": 3866
          },
          {
            "timestamp": "2026-05-28 22:02:14,213",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "p}\\x92\\xf7\\xb8\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xfc\\x7f\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\xe9\\x03\\x00\\x00\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x80\\xb0\\x05\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 3867
          },
          {
            "timestamp": "2026-05-28 22:02:14,213",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000005b0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3968686040-3210279463-847977608-1001"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER"
              }
            ],
            "repeated": 0,
            "id": 3868
          },
          {
            "timestamp": "2026-05-28 22:02:14,213",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x000005b0"
              },
              {
                "name": "SubKey",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders"
              },
              {
                "name": "Handle",
                "value": "0x000005ac"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders"
              }
            ],
            "repeated": 0,
            "id": 3869
          },
          {
            "timestamp": "2026-05-28 22:02:14,213",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              }
            ],
            "repeated": 0,
            "id": 3870
          },
          {
            "timestamp": "2026-05-28 22:02:14,213",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005ac"
              },
              {
                "name": "ValueName",
                "value": "Recent"
              },
              {
                "name": "Data",
                "value": "%USERPROFILE%\\AppData\\Roaming\\Microsoft\\Windows\\Recent"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders\\Recent"
              }
            ],
            "repeated": 0,
            "id": 3871
          },
          {
            "timestamp": "2026-05-28 22:02:14,213",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005a4"
              }
            ],
            "repeated": 0,
            "id": 3872
          },
          {
            "timestamp": "2026-05-28 22:02:14,213",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005ac"
              }
            ],
            "repeated": 0,
            "id": 3873
          },
          {
            "timestamp": "2026-05-28 22:02:14,213",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x000005ac"
              }
            ],
            "repeated": 0,
            "id": 3874
          },
          {
            "timestamp": "2026-05-28 22:02:14,213",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "29"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 3875
          },
          {
            "timestamp": "2026-05-28 22:02:14,213",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "25"
              },
              {
                "name": "TokenInformation",
                "value": "\\xb0\\x81\\x92\\xf7\\xb8\\x00\\x00\\x00`\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x10\\x000\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 3876
          },
          {
            "timestamp": "2026-05-28 22:02:14,213",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions"
              },
              {
                "name": "Handle",
                "value": "0x000005a4"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions"
              }
            ],
            "repeated": 0,
            "id": 3877
          },
          {
            "timestamp": "2026-05-28 22:02:14,213",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x000005a4"
              },
              {
                "name": "SubKey",
                "value": "{F38BF404-1D43-42F2-9305-67DE0B28FC23}"
              },
              {
                "name": "Handle",
                "value": "0x000005b0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F38BF404-1D43-42F2-9305-67DE0B28FC23}"
              }
            ],
            "repeated": 0,
            "id": 3878
          },
          {
            "timestamp": "2026-05-28 22:02:14,213",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005a4"
              }
            ],
            "repeated": 0,
            "id": 3879
          },
          {
            "timestamp": "2026-05-28 22:02:14,213",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              },
              {
                "name": "ValueName",
                "value": "Category"
              },
              {
                "name": "Data",
                "value": "2"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\\Category"
              }
            ],
            "repeated": 0,
            "id": 3880
          },
          {
            "timestamp": "2026-05-28 22:02:14,213",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              },
              {
                "name": "ValueName",
                "value": "Name"
              },
              {
                "name": "Data",
                "value": "Windows"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\\Name"
              }
            ],
            "repeated": 0,
            "id": 3881
          },
          {
            "timestamp": "2026-05-28 22:02:14,213",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              },
              {
                "name": "ValueName",
                "value": "ParentFolder"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\\ParentFolder"
              }
            ],
            "repeated": 0,
            "id": 3882
          },
          {
            "timestamp": "2026-05-28 22:02:14,213",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              },
              {
                "name": "ValueName",
                "value": "Description"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\\Description"
              }
            ],
            "repeated": 0,
            "id": 3883
          },
          {
            "timestamp": "2026-05-28 22:02:14,213",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              },
              {
                "name": "ValueName",
                "value": "RelativePath"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\\RelativePath"
              }
            ],
            "repeated": 0,
            "id": 3884
          },
          {
            "timestamp": "2026-05-28 22:02:14,213",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              },
              {
                "name": "ValueName",
                "value": "ParsingName"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\\ParsingName"
              }
            ],
            "repeated": 0,
            "id": 3885
          },
          {
            "timestamp": "2026-05-28 22:02:14,213",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              },
              {
                "name": "ValueName",
                "value": "InfoTip"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\\InfoTip"
              }
            ],
            "repeated": 0,
            "id": 3886
          },
          {
            "timestamp": "2026-05-28 22:02:14,213",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              },
              {
                "name": "ValueName",
                "value": "LocalizedName"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\\LocalizedName"
              }
            ],
            "repeated": 0,
            "id": 3887
          },
          {
            "timestamp": "2026-05-28 22:02:14,213",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              },
              {
                "name": "ValueName",
                "value": "Icon"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\\Icon"
              }
            ],
            "repeated": 0,
            "id": 3888
          },
          {
            "timestamp": "2026-05-28 22:02:14,213",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              },
              {
                "name": "ValueName",
                "value": "Security"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\\Security"
              }
            ],
            "repeated": 0,
            "id": 3889
          },
          {
            "timestamp": "2026-05-28 22:02:14,213",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              },
              {
                "name": "ValueName",
                "value": "StreamResource"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\\StreamResource"
              }
            ],
            "repeated": 0,
            "id": 3890
          },
          {
            "timestamp": "2026-05-28 22:02:14,213",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              },
              {
                "name": "ValueName",
                "value": "StreamResourceType"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\\StreamResourceType"
              }
            ],
            "repeated": 0,
            "id": 3891
          },
          {
            "timestamp": "2026-05-28 22:02:14,213",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              },
              {
                "name": "ValueName",
                "value": "LocalRedirectOnly"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\\LocalRedirectOnly"
              }
            ],
            "repeated": 0,
            "id": 3892
          },
          {
            "timestamp": "2026-05-28 22:02:14,213",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              },
              {
                "name": "ValueName",
                "value": "Roamable"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\\Roamable"
              }
            ],
            "repeated": 0,
            "id": 3893
          },
          {
            "timestamp": "2026-05-28 22:02:14,213",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              },
              {
                "name": "ValueName",
                "value": "PreCreate"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\\PreCreate"
              }
            ],
            "repeated": 0,
            "id": 3894
          },
          {
            "timestamp": "2026-05-28 22:02:14,213",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              },
              {
                "name": "ValueName",
                "value": "Stream"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\\Stream"
              }
            ],
            "repeated": 0,
            "id": 3895
          },
          {
            "timestamp": "2026-05-28 22:02:14,213",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              },
              {
                "name": "ValueName",
                "value": "PublishExpandedPath"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\\PublishExpandedPath"
              }
            ],
            "repeated": 0,
            "id": 3896
          },
          {
            "timestamp": "2026-05-28 22:02:14,213",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              },
              {
                "name": "ValueName",
                "value": "DefinitionFlags"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\\DefinitionFlags"
              }
            ],
            "repeated": 0,
            "id": 3897
          },
          {
            "timestamp": "2026-05-28 22:02:14,213",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              },
              {
                "name": "ValueName",
                "value": "Attributes"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\\Attributes"
              }
            ],
            "repeated": 0,
            "id": 3898
          },
          {
            "timestamp": "2026-05-28 22:02:14,213",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              },
              {
                "name": "ValueName",
                "value": "FolderTypeID"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\\FolderTypeID"
              }
            ],
            "repeated": 0,
            "id": 3899
          },
          {
            "timestamp": "2026-05-28 22:02:14,213",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              },
              {
                "name": "ValueName",
                "value": "InitFolderHandler"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\\InitFolderHandler"
              }
            ],
            "repeated": 0,
            "id": 3900
          },
          {
            "timestamp": "2026-05-28 22:02:14,213",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x000005b0"
              },
              {
                "name": "SubKey",
                "value": "PropertyBag"
              },
              {
                "name": "Handle",
                "value": "0x000005a4"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\\PropertyBag"
              }
            ],
            "repeated": 0,
            "id": 3901
          },
          {
            "timestamp": "2026-05-28 22:02:14,213",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              }
            ],
            "repeated": 0,
            "id": 3902
          },
          {
            "timestamp": "2026-05-28 22:02:14,213",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005ac"
              }
            ],
            "repeated": 0,
            "id": 3903
          },
          {
            "timestamp": "2026-05-28 22:02:14,213",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x000005ac"
              }
            ],
            "repeated": 0,
            "id": 3904
          },
          {
            "timestamp": "2026-05-28 22:02:14,213",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "29"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 3905
          },
          {
            "timestamp": "2026-05-28 22:02:14,213",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "25"
              },
              {
                "name": "TokenInformation",
                "value": "\\xb0\\x81\\x92\\xf7\\xb8\\x00\\x00\\x00`\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x10\\x000\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 3906
          },
          {
            "timestamp": "2026-05-28 22:02:14,213",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions"
              },
              {
                "name": "Handle",
                "value": "0x000005b0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions"
              }
            ],
            "repeated": 0,
            "id": 3907
          },
          {
            "timestamp": "2026-05-28 22:02:14,213",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x000005b0"
              },
              {
                "name": "SubKey",
                "value": "{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}"
              },
              {
                "name": "Handle",
                "value": "0x000005b4"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}"
              }
            ],
            "repeated": 0,
            "id": 3908
          },
          {
            "timestamp": "2026-05-28 22:02:14,213",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b0"
              }
            ],
            "repeated": 0,
            "id": 3909
          },
          {
            "timestamp": "2026-05-28 22:02:14,213",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b4"
              },
              {
                "name": "ValueName",
                "value": "Category"
              },
              {
                "name": "Data",
                "value": "2"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\\Category"
              }
            ],
            "repeated": 0,
            "id": 3910
          },
          {
            "timestamp": "2026-05-28 22:02:14,213",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b4"
              },
              {
                "name": "ValueName",
                "value": "Name"
              },
              {
                "name": "Data",
                "value": "System"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\\Name"
              }
            ],
            "repeated": 0,
            "id": 3911
          },
          {
            "timestamp": "2026-05-28 22:02:14,213",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b4"
              },
              {
                "name": "ValueName",
                "value": "ParentFolder"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\\ParentFolder"
              }
            ],
            "repeated": 0,
            "id": 3912
          },
          {
            "timestamp": "2026-05-28 22:02:14,213",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b4"
              },
              {
                "name": "ValueName",
                "value": "Description"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\\Description"
              }
            ],
            "repeated": 0,
            "id": 3913
          },
          {
            "timestamp": "2026-05-28 22:02:14,213",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b4"
              },
              {
                "name": "ValueName",
                "value": "RelativePath"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\\RelativePath"
              }
            ],
            "repeated": 0,
            "id": 3914
          },
          {
            "timestamp": "2026-05-28 22:02:14,213",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b4"
              },
              {
                "name": "ValueName",
                "value": "ParsingName"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\\ParsingName"
              }
            ],
            "repeated": 0,
            "id": 3915
          },
          {
            "timestamp": "2026-05-28 22:02:14,213",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b4"
              },
              {
                "name": "ValueName",
                "value": "InfoTip"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\\InfoTip"
              }
            ],
            "repeated": 0,
            "id": 3916
          },
          {
            "timestamp": "2026-05-28 22:02:14,213",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b4"
              },
              {
                "name": "ValueName",
                "value": "LocalizedName"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\\LocalizedName"
              }
            ],
            "repeated": 0,
            "id": 3917
          },
          {
            "timestamp": "2026-05-28 22:02:14,213",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b4"
              },
              {
                "name": "ValueName",
                "value": "Icon"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\\Icon"
              }
            ],
            "repeated": 0,
            "id": 3918
          },
          {
            "timestamp": "2026-05-28 22:02:14,213",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b4"
              },
              {
                "name": "ValueName",
                "value": "Security"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\\Security"
              }
            ],
            "repeated": 0,
            "id": 3919
          },
          {
            "timestamp": "2026-05-28 22:02:14,213",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b4"
              },
              {
                "name": "ValueName",
                "value": "StreamResource"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\\StreamResource"
              }
            ],
            "repeated": 0,
            "id": 3920
          },
          {
            "timestamp": "2026-05-28 22:02:14,213",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b4"
              },
              {
                "name": "ValueName",
                "value": "StreamResourceType"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\\StreamResourceType"
              }
            ],
            "repeated": 0,
            "id": 3921
          },
          {
            "timestamp": "2026-05-28 22:02:14,213",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b4"
              },
              {
                "name": "ValueName",
                "value": "LocalRedirectOnly"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\\LocalRedirectOnly"
              }
            ],
            "repeated": 0,
            "id": 3922
          },
          {
            "timestamp": "2026-05-28 22:02:14,213",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b4"
              },
              {
                "name": "ValueName",
                "value": "Roamable"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\\Roamable"
              }
            ],
            "repeated": 0,
            "id": 3923
          },
          {
            "timestamp": "2026-05-28 22:02:14,213",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b4"
              },
              {
                "name": "ValueName",
                "value": "PreCreate"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\\PreCreate"
              }
            ],
            "repeated": 0,
            "id": 3924
          },
          {
            "timestamp": "2026-05-28 22:02:14,213",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b4"
              },
              {
                "name": "ValueName",
                "value": "Stream"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\\Stream"
              }
            ],
            "repeated": 0,
            "id": 3925
          },
          {
            "timestamp": "2026-05-28 22:02:14,213",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b4"
              },
              {
                "name": "ValueName",
                "value": "PublishExpandedPath"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\\PublishExpandedPath"
              }
            ],
            "repeated": 0,
            "id": 3926
          },
          {
            "timestamp": "2026-05-28 22:02:14,213",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b4"
              },
              {
                "name": "ValueName",
                "value": "DefinitionFlags"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\\DefinitionFlags"
              }
            ],
            "repeated": 0,
            "id": 3927
          },
          {
            "timestamp": "2026-05-28 22:02:14,213",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b4"
              },
              {
                "name": "ValueName",
                "value": "Attributes"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\\Attributes"
              }
            ],
            "repeated": 0,
            "id": 3928
          },
          {
            "timestamp": "2026-05-28 22:02:14,213",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b4"
              },
              {
                "name": "ValueName",
                "value": "FolderTypeID"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\\FolderTypeID"
              }
            ],
            "repeated": 0,
            "id": 3929
          },
          {
            "timestamp": "2026-05-28 22:02:14,213",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b4"
              },
              {
                "name": "ValueName",
                "value": "InitFolderHandler"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\\InitFolderHandler"
              }
            ],
            "repeated": 0,
            "id": 3930
          },
          {
            "timestamp": "2026-05-28 22:02:14,213",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x000005b4"
              },
              {
                "name": "SubKey",
                "value": "PropertyBag"
              },
              {
                "name": "Handle",
                "value": "0x000005b0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\\PropertyBag"
              }
            ],
            "repeated": 0,
            "id": 3931
          },
          {
            "timestamp": "2026-05-28 22:02:14,213",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b4"
              }
            ],
            "repeated": 0,
            "id": 3932
          },
          {
            "timestamp": "2026-05-28 22:02:14,213",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005ac"
              }
            ],
            "repeated": 0,
            "id": 3933
          },
          {
            "timestamp": "2026-05-28 22:02:14,213",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x000005ac"
              }
            ],
            "repeated": 0,
            "id": 3934
          },
          {
            "timestamp": "2026-05-28 22:02:14,213",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "29"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 3935
          },
          {
            "timestamp": "2026-05-28 22:02:14,213",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "25"
              },
              {
                "name": "TokenInformation",
                "value": "\\xb0\\x81\\x92\\xf7\\xb8\\x00\\x00\\x00`\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x10\\x000\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 3936
          },
          {
            "timestamp": "2026-05-28 22:02:14,213",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions"
              },
              {
                "name": "Handle",
                "value": "0x000005b4"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions"
              }
            ],
            "repeated": 0,
            "id": 3937
          },
          {
            "timestamp": "2026-05-28 22:02:14,213",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x000005b4"
              },
              {
                "name": "SubKey",
                "value": "{FDD39AD0-238F-46AF-ADB4-6C85480369C7}"
              },
              {
                "name": "Handle",
                "value": "0x000005b8"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{FDD39AD0-238F-46AF-ADB4-6C85480369C7}"
              }
            ],
            "repeated": 0,
            "id": 3938
          },
          {
            "timestamp": "2026-05-28 22:02:14,213",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b4"
              }
            ],
            "repeated": 0,
            "id": 3939
          },
          {
            "timestamp": "2026-05-28 22:02:14,213",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b8"
              },
              {
                "name": "ValueName",
                "value": "Category"
              },
              {
                "name": "Data",
                "value": "4"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{FDD39AD0-238F-46AF-ADB4-6C85480369C7}\\Category"
              }
            ],
            "repeated": 0,
            "id": 3940
          },
          {
            "timestamp": "2026-05-28 22:02:14,213",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b8"
              },
              {
                "name": "ValueName",
                "value": "Name"
              },
              {
                "name": "Data",
                "value": "Personal"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{FDD39AD0-238F-46AF-ADB4-6C85480369C7}\\Name"
              }
            ],
            "repeated": 0,
            "id": 3941
          },
          {
            "timestamp": "2026-05-28 22:02:14,213",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b8"
              },
              {
                "name": "ValueName",
                "value": "ParentFolder"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{FDD39AD0-238F-46AF-ADB4-6C85480369C7}\\ParentFolder"
              }
            ],
            "repeated": 0,
            "id": 3942
          },
          {
            "timestamp": "2026-05-28 22:02:14,213",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b8"
              },
              {
                "name": "ValueName",
                "value": "Description"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{FDD39AD0-238F-46AF-ADB4-6C85480369C7}\\Description"
              }
            ],
            "repeated": 0,
            "id": 3943
          },
          {
            "timestamp": "2026-05-28 22:02:14,213",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b8"
              },
              {
                "name": "ValueName",
                "value": "RelativePath"
              },
              {
                "name": "Data",
                "value": "Documents"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{FDD39AD0-238F-46AF-ADB4-6C85480369C7}\\RelativePath"
              }
            ],
            "repeated": 0,
            "id": 3944
          },
          {
            "timestamp": "2026-05-28 22:02:14,213",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b8"
              },
              {
                "name": "ValueName",
                "value": "ParsingName"
              },
              {
                "name": "Data",
                "value": "shell:::{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\::{A8CDFF1C-4878-43be-B5FD-F8091C1C60D0}"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{FDD39AD0-238F-46AF-ADB4-6C85480369C7}\\ParsingName"
              }
            ],
            "repeated": 0,
            "id": 3945
          },
          {
            "timestamp": "2026-05-28 22:02:14,213",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b8"
              },
              {
                "name": "ValueName",
                "value": "InfoTip"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{FDD39AD0-238F-46AF-ADB4-6C85480369C7}\\InfoTip"
              }
            ],
            "repeated": 0,
            "id": 3946
          },
          {
            "timestamp": "2026-05-28 22:02:14,213",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b8"
              },
              {
                "name": "ValueName",
                "value": "LocalizedName"
              },
              {
                "name": "Data",
                "value": "@%SystemRoot%\\system32\\windows.storage.dll,-21770"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{FDD39AD0-238F-46AF-ADB4-6C85480369C7}\\LocalizedName"
              }
            ],
            "repeated": 0,
            "id": 3947
          },
          {
            "timestamp": "2026-05-28 22:02:14,213",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b8"
              },
              {
                "name": "ValueName",
                "value": "Icon"
              },
              {
                "name": "Data",
                "value": "%SystemRoot%\\system32\\imageres.dll,-112"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{FDD39AD0-238F-46AF-ADB4-6C85480369C7}\\Icon"
              }
            ],
            "repeated": 0,
            "id": 3948
          },
          {
            "timestamp": "2026-05-28 22:02:14,213",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b8"
              },
              {
                "name": "ValueName",
                "value": "Security"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{FDD39AD0-238F-46AF-ADB4-6C85480369C7}\\Security"
              }
            ],
            "repeated": 0,
            "id": 3949
          },
          {
            "timestamp": "2026-05-28 22:02:14,213",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b8"
              },
              {
                "name": "ValueName",
                "value": "StreamResource"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{FDD39AD0-238F-46AF-ADB4-6C85480369C7}\\StreamResource"
              }
            ],
            "repeated": 0,
            "id": 3950
          },
          {
            "timestamp": "2026-05-28 22:02:14,213",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b8"
              },
              {
                "name": "ValueName",
                "value": "StreamResourceType"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{FDD39AD0-238F-46AF-ADB4-6C85480369C7}\\StreamResourceType"
              }
            ],
            "repeated": 0,
            "id": 3951
          },
          {
            "timestamp": "2026-05-28 22:02:14,213",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b8"
              },
              {
                "name": "ValueName",
                "value": "LocalRedirectOnly"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{FDD39AD0-238F-46AF-ADB4-6C85480369C7}\\LocalRedirectOnly"
              }
            ],
            "repeated": 0,
            "id": 3952
          },
          {
            "timestamp": "2026-05-28 22:02:14,213",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b8"
              },
              {
                "name": "ValueName",
                "value": "Roamable"
              },
              {
                "name": "Data",
                "value": "1"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{FDD39AD0-238F-46AF-ADB4-6C85480369C7}\\Roamable"
              }
            ],
            "repeated": 0,
            "id": 3953
          },
          {
            "timestamp": "2026-05-28 22:02:14,213",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b8"
              },
              {
                "name": "ValueName",
                "value": "PreCreate"
              },
              {
                "name": "Data",
                "value": "1"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{FDD39AD0-238F-46AF-ADB4-6C85480369C7}\\PreCreate"
              }
            ],
            "repeated": 0,
            "id": 3954
          },
          {
            "timestamp": "2026-05-28 22:02:14,213",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b8"
              },
              {
                "name": "ValueName",
                "value": "Stream"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{FDD39AD0-238F-46AF-ADB4-6C85480369C7}\\Stream"
              }
            ],
            "repeated": 0,
            "id": 3955
          },
          {
            "timestamp": "2026-05-28 22:02:14,213",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b8"
              },
              {
                "name": "ValueName",
                "value": "PublishExpandedPath"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{FDD39AD0-238F-46AF-ADB4-6C85480369C7}\\PublishExpandedPath"
              }
            ],
            "repeated": 0,
            "id": 3956
          },
          {
            "timestamp": "2026-05-28 22:02:14,213",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b8"
              },
              {
                "name": "ValueName",
                "value": "DefinitionFlags"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{FDD39AD0-238F-46AF-ADB4-6C85480369C7}\\DefinitionFlags"
              }
            ],
            "repeated": 0,
            "id": 3957
          },
          {
            "timestamp": "2026-05-28 22:02:14,213",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b8"
              },
              {
                "name": "ValueName",
                "value": "Attributes"
              },
              {
                "name": "Data",
                "value": "1"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{FDD39AD0-238F-46AF-ADB4-6C85480369C7}\\Attributes"
              }
            ],
            "repeated": 0,
            "id": 3958
          },
          {
            "timestamp": "2026-05-28 22:02:14,213",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b8"
              },
              {
                "name": "ValueName",
                "value": "FolderTypeID"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{FDD39AD0-238F-46AF-ADB4-6C85480369C7}\\FolderTypeID"
              }
            ],
            "repeated": 0,
            "id": 3959
          },
          {
            "timestamp": "2026-05-28 22:02:14,213",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b8"
              },
              {
                "name": "ValueName",
                "value": "InitFolderHandler"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{FDD39AD0-238F-46AF-ADB4-6C85480369C7}\\InitFolderHandler"
              }
            ],
            "repeated": 0,
            "id": 3960
          },
          {
            "timestamp": "2026-05-28 22:02:14,213",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x000005b8"
              },
              {
                "name": "SubKey",
                "value": "PropertyBag"
              },
              {
                "name": "Handle",
                "value": "0x000005b4"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{FDD39AD0-238F-46AF-ADB4-6C85480369C7}\\PropertyBag"
              }
            ],
            "repeated": 0,
            "id": 3961
          },
          {
            "timestamp": "2026-05-28 22:02:14,213",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b8"
              }
            ],
            "repeated": 0,
            "id": 3962
          },
          {
            "timestamp": "2026-05-28 22:02:14,213",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000598"
              },
              {
                "name": "SubKey",
                "value": "SessionInfo\\1"
              },
              {
                "name": "Handle",
                "value": "0x000005b8"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\SessionInfo\\1"
              }
            ],
            "repeated": 0,
            "id": 3963
          },
          {
            "timestamp": "2026-05-28 22:02:14,213",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x000005b8"
              },
              {
                "name": "SubKey",
                "value": "KnownFolders"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\SessionInfo\\1\\KnownFolders"
              }
            ],
            "repeated": 0,
            "id": 3964
          },
          {
            "timestamp": "2026-05-28 22:02:14,213",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b8"
              }
            ],
            "repeated": 0,
            "id": 3965
          },
          {
            "timestamp": "2026-05-28 22:02:14,213",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "p}\\x92\\xf7\\xb8\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xfc\\x7f\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\xe9\\x03\\x00\\x00\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x80\\xb8\\x05\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 3966
          },
          {
            "timestamp": "2026-05-28 22:02:14,213",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000005b8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3968686040-3210279463-847977608-1001"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER"
              }
            ],
            "repeated": 0,
            "id": 3967
          },
          {
            "timestamp": "2026-05-28 22:02:14,213",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x000005b8"
              },
              {
                "name": "SubKey",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders"
              },
              {
                "name": "Handle",
                "value": "0x000005bc"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders"
              }
            ],
            "repeated": 0,
            "id": 3968
          },
          {
            "timestamp": "2026-05-28 22:02:14,213",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b8"
              }
            ],
            "repeated": 0,
            "id": 3969
          },
          {
            "timestamp": "2026-05-28 22:02:14,213",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005bc"
              },
              {
                "name": "ValueName",
                "value": "Personal"
              },
              {
                "name": "Data",
                "value": "%USERPROFILE%\\Documents"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders\\Personal"
              }
            ],
            "repeated": 0,
            "id": 3970
          },
          {
            "timestamp": "2026-05-28 22:02:14,213",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005ac"
              }
            ],
            "repeated": 0,
            "id": 3971
          },
          {
            "timestamp": "2026-05-28 22:02:14,213",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005bc"
              }
            ],
            "repeated": 0,
            "id": 3972
          },
          {
            "timestamp": "2026-05-28 22:02:14,213",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x000005bc"
              }
            ],
            "repeated": 0,
            "id": 3973
          },
          {
            "timestamp": "2026-05-28 22:02:14,213",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "29"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 3974
          },
          {
            "timestamp": "2026-05-28 22:02:14,213",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "25"
              },
              {
                "name": "TokenInformation",
                "value": "\\xb0\\x81\\x92\\xf7\\xb8\\x00\\x00\\x00`\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x10\\x000\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 3975
          },
          {
            "timestamp": "2026-05-28 22:02:14,213",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions"
              },
              {
                "name": "Handle",
                "value": "0x000005ac"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions"
              }
            ],
            "repeated": 0,
            "id": 3976
          },
          {
            "timestamp": "2026-05-28 22:02:14,213",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x000005ac"
              },
              {
                "name": "SubKey",
                "value": "{FD228CB7-AE11-4AE3-864C-16F3910AB8FE}"
              },
              {
                "name": "Handle",
                "value": "0x000005b8"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{FD228CB7-AE11-4AE3-864C-16F3910AB8FE}"
              }
            ],
            "repeated": 0,
            "id": 3977
          },
          {
            "timestamp": "2026-05-28 22:02:14,213",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005ac"
              }
            ],
            "repeated": 0,
            "id": 3978
          },
          {
            "timestamp": "2026-05-28 22:02:14,213",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b8"
              },
              {
                "name": "ValueName",
                "value": "Category"
              },
              {
                "name": "Data",
                "value": "2"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{FD228CB7-AE11-4AE3-864C-16F3910AB8FE}\\Category"
              }
            ],
            "repeated": 0,
            "id": 3979
          },
          {
            "timestamp": "2026-05-28 22:02:14,213",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b8"
              },
              {
                "name": "ValueName",
                "value": "Name"
              },
              {
                "name": "Data",
                "value": "Fonts"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{FD228CB7-AE11-4AE3-864C-16F3910AB8FE}\\Name"
              }
            ],
            "repeated": 0,
            "id": 3980
          },
          {
            "timestamp": "2026-05-28 22:02:14,213",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b8"
              },
              {
                "name": "ValueName",
                "value": "ParentFolder"
              },
              {
                "name": "Data",
                "value": "{F38BF404-1D43-42F2-9305-67DE0B28FC23}"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{FD228CB7-AE11-4AE3-864C-16F3910AB8FE}\\ParentFolder"
              }
            ],
            "repeated": 0,
            "id": 3981
          },
          {
            "timestamp": "2026-05-28 22:02:14,213",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b8"
              },
              {
                "name": "ValueName",
                "value": "Description"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{FD228CB7-AE11-4AE3-864C-16F3910AB8FE}\\Description"
              }
            ],
            "repeated": 0,
            "id": 3982
          },
          {
            "timestamp": "2026-05-28 22:02:14,213",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b8"
              },
              {
                "name": "ValueName",
                "value": "RelativePath"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{FD228CB7-AE11-4AE3-864C-16F3910AB8FE}\\RelativePath"
              }
            ],
            "repeated": 0,
            "id": 3983
          },
          {
            "timestamp": "2026-05-28 22:02:14,213",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b8"
              },
              {
                "name": "ValueName",
                "value": "ParsingName"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{FD228CB7-AE11-4AE3-864C-16F3910AB8FE}\\ParsingName"
              }
            ],
            "repeated": 0,
            "id": 3984
          },
          {
            "timestamp": "2026-05-28 22:02:14,213",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b8"
              },
              {
                "name": "ValueName",
                "value": "InfoTip"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{FD228CB7-AE11-4AE3-864C-16F3910AB8FE}\\InfoTip"
              }
            ],
            "repeated": 0,
            "id": 3985
          },
          {
            "timestamp": "2026-05-28 22:02:14,213",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b8"
              },
              {
                "name": "ValueName",
                "value": "LocalizedName"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{FD228CB7-AE11-4AE3-864C-16F3910AB8FE}\\LocalizedName"
              }
            ],
            "repeated": 0,
            "id": 3986
          },
          {
            "timestamp": "2026-05-28 22:02:14,213",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b8"
              },
              {
                "name": "ValueName",
                "value": "Icon"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{FD228CB7-AE11-4AE3-864C-16F3910AB8FE}\\Icon"
              }
            ],
            "repeated": 0,
            "id": 3987
          },
          {
            "timestamp": "2026-05-28 22:02:14,213",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b8"
              },
              {
                "name": "ValueName",
                "value": "Security"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{FD228CB7-AE11-4AE3-864C-16F3910AB8FE}\\Security"
              }
            ],
            "repeated": 0,
            "id": 3988
          },
          {
            "timestamp": "2026-05-28 22:02:14,213",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b8"
              },
              {
                "name": "ValueName",
                "value": "StreamResource"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{FD228CB7-AE11-4AE3-864C-16F3910AB8FE}\\StreamResource"
              }
            ],
            "repeated": 0,
            "id": 3989
          },
          {
            "timestamp": "2026-05-28 22:02:14,213",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b8"
              },
              {
                "name": "ValueName",
                "value": "StreamResourceType"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{FD228CB7-AE11-4AE3-864C-16F3910AB8FE}\\StreamResourceType"
              }
            ],
            "repeated": 0,
            "id": 3990
          },
          {
            "timestamp": "2026-05-28 22:02:14,213",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b8"
              },
              {
                "name": "ValueName",
                "value": "LocalRedirectOnly"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{FD228CB7-AE11-4AE3-864C-16F3910AB8FE}\\LocalRedirectOnly"
              }
            ],
            "repeated": 0,
            "id": 3991
          },
          {
            "timestamp": "2026-05-28 22:02:14,213",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b8"
              },
              {
                "name": "ValueName",
                "value": "Roamable"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{FD228CB7-AE11-4AE3-864C-16F3910AB8FE}\\Roamable"
              }
            ],
            "repeated": 0,
            "id": 3992
          },
          {
            "timestamp": "2026-05-28 22:02:14,213",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b8"
              },
              {
                "name": "ValueName",
                "value": "PreCreate"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{FD228CB7-AE11-4AE3-864C-16F3910AB8FE}\\PreCreate"
              }
            ],
            "repeated": 0,
            "id": 3993
          },
          {
            "timestamp": "2026-05-28 22:02:14,213",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b8"
              },
              {
                "name": "ValueName",
                "value": "Stream"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{FD228CB7-AE11-4AE3-864C-16F3910AB8FE}\\Stream"
              }
            ],
            "repeated": 0,
            "id": 3994
          },
          {
            "timestamp": "2026-05-28 22:02:14,213",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b8"
              },
              {
                "name": "ValueName",
                "value": "PublishExpandedPath"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{FD228CB7-AE11-4AE3-864C-16F3910AB8FE}\\PublishExpandedPath"
              }
            ],
            "repeated": 0,
            "id": 3995
          },
          {
            "timestamp": "2026-05-28 22:02:14,213",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b8"
              },
              {
                "name": "ValueName",
                "value": "DefinitionFlags"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{FD228CB7-AE11-4AE3-864C-16F3910AB8FE}\\DefinitionFlags"
              }
            ],
            "repeated": 0,
            "id": 3996
          },
          {
            "timestamp": "2026-05-28 22:02:14,213",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b8"
              },
              {
                "name": "ValueName",
                "value": "Attributes"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{FD228CB7-AE11-4AE3-864C-16F3910AB8FE}\\Attributes"
              }
            ],
            "repeated": 0,
            "id": 3997
          },
          {
            "timestamp": "2026-05-28 22:02:14,213",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b8"
              },
              {
                "name": "ValueName",
                "value": "FolderTypeID"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{FD228CB7-AE11-4AE3-864C-16F3910AB8FE}\\FolderTypeID"
              }
            ],
            "repeated": 0,
            "id": 3998
          },
          {
            "timestamp": "2026-05-28 22:02:14,213",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b8"
              },
              {
                "name": "ValueName",
                "value": "InitFolderHandler"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{FD228CB7-AE11-4AE3-864C-16F3910AB8FE}\\InitFolderHandler"
              }
            ],
            "repeated": 0,
            "id": 3999
          },
          {
            "timestamp": "2026-05-28 22:02:14,213",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x000005b8"
              },
              {
                "name": "SubKey",
                "value": "PropertyBag"
              },
              {
                "name": "Handle",
                "value": "0x000005ac"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{FD228CB7-AE11-4AE3-864C-16F3910AB8FE}\\PropertyBag"
              }
            ],
            "repeated": 0,
            "id": 4000
          },
          {
            "timestamp": "2026-05-28 22:02:14,213",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b8"
              }
            ],
            "repeated": 0,
            "id": 4001
          },
          {
            "timestamp": "2026-05-28 22:02:14,213",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005bc"
              }
            ],
            "repeated": 0,
            "id": 4002
          },
          {
            "timestamp": "2026-05-28 22:02:14,229",
            "thread_id": "11128",
            "caller": "0x7ffc75f55d32",
            "parentcaller": "0x7ffc75f63fdd",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000005a8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80000000",
                "pretty_value": "GENERIC_READ"
              },
              {
                "name": "FileName",
                "value": "\\Device\\DeviceApi\\CMApi"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "0"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 4003
          },
          {
            "timestamp": "2026-05-28 22:02:14,229",
            "thread_id": "11128",
            "caller": "0x7ffc75f55d32",
            "parentcaller": "0x7ffc75f63fdd",
            "category": "system",
            "api": "LdrpCallInitRoutine",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "MappedPath",
                "value": "\\Device\\HarddiskVolume2\\Windows\\System32\\cfgmgr32"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc75f50000"
              },
              {
                "name": "InitRoutine",
                "value": "0x7ffc75f63750"
              },
              {
                "name": "Reason",
                "value": "1"
              }
            ],
            "repeated": 0,
            "id": 4004
          },
          {
            "timestamp": "2026-05-28 22:02:14,229",
            "thread_id": "11128",
            "caller": "0x7ffc78017830",
            "parentcaller": "0x7ffc780020f9",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc73f05000"
              },
              {
                "name": "ModuleName",
                "value": "windows.storage.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 4005
          },
          {
            "timestamp": "2026-05-28 22:02:14,229",
            "thread_id": "11128",
            "caller": "0x7ffc78017881",
            "parentcaller": "0x7ffc780020f9",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc73f05000"
              },
              {
                "name": "ModuleName",
                "value": "windows.storage.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 4006
          },
          {
            "timestamp": "2026-05-28 22:02:14,229",
            "thread_id": "11128",
            "caller": "0x7ffc76045921",
            "parentcaller": "0x7ffc75f52e6b",
            "category": "device",
            "api": "DeviceIoControl",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "DeviceHandle",
                "value": "0x000005a8"
              },
              {
                "name": "IoControlCode",
                "value": "0x00470807"
              },
              {
                "name": "InBuffer",
                "value": "(\\x00\\x00\\x00\\x00\\x00\\x01\\x00\rc\\xf5S\\xbf\\xb6\\xd0\\x11\\x94\\xf2\\x00\\xa0\\xc9\\x1e\\xfb\\x8b\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x14\\x00\\x00\\x00"
              },
              {
                "name": "OutBuffer",
                "value": "\\x14\\x00\\x00\\x00#\\x00\\x00\\xc0|\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 4007
          },
          {
            "timestamp": "2026-05-28 22:02:14,229",
            "thread_id": "11128",
            "caller": "0x7ffc76045921",
            "parentcaller": "0x7ffc75f51ed1",
            "category": "device",
            "api": "DeviceIoControl",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "DeviceHandle",
                "value": "0x000005a8"
              },
              {
                "name": "IoControlCode",
                "value": "0x00470807"
              },
              {
                "name": "InBuffer",
                "value": "(\\x00\\x00\\x00\\x00\\x00\\x01\\x00\rc\\xf5S\\xbf\\xb6\\xd0\\x11\\x94\\xf2\\x00\\xa0\\xc9\\x1e\\xfb\\x8b\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x14\\x00\\x00\\x00"
              },
              {
                "name": "OutBuffer",
                "value": "\\x14\\x00\\x00\\x00\\x00\\x00\\x00\\x00|\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\\\x00\\\\x00?\\x00\\\\x00S\\x00T\\x00O\\x00R\\x00A\\x00G\\x00E\\x00#\\x00V\\x00o\\x00l\\x00u\\x00m\\x00e\\x00#\\x00{\\x00e\\x003\\x002\\x00a\\x009\\x004\\x004\\x002\\x00-\\x005\\x00a\\x00f\\x002\\x00-\\x001\\x001\\x00f\\x001\\x00-\\x00a\\x00e\\x002\\x00c\\x00-\\x008\\x000\\x006\\x00e\\x006\\x00f\\x006\\x00e\\x006\\x009\\x006\\x003\\x00}\\x00#\\x000\\x000\\x000\\x000\\x000\\x000\\x000\\x000\\x000\\x000\\x001\\x000\\x000\\x000\\x000\\x000\\x00#\\x00{\\x005\\x003\\x00f\\x005\\x006\\x003\\x000\\x00d\\x00-\\x00b\\x006\\x00b\\x00f\\x00-\\x001\\x001\\x00d\\x000\\x00-\\x009\\x004\\x00f\\x002\\x00-\\x000\\x000\\x00a\\x000\\x00c\\x009\\x001\\x00e\\x00f\\x00b\\x008\\x00b\\x00}\\x00\\x00\\x00\\\\x00\\\\x00?\\x00\\\\x00S\\x00T\\x00"
              }
            ],
            "repeated": 0,
            "id": 4008
          },
          {
            "timestamp": "2026-05-28 22:02:14,229",
            "thread_id": "11128",
            "caller": "0x7ffc75716f4c",
            "parentcaller": "0x7ffc738f5fb2",
            "category": "system",
            "api": "NtDuplicateObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SourceProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "SourceHandle",
                "value": "0x000005b8"
              },
              {
                "name": "TargetProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "TargetHandle",
                "value": "0x000005c0"
              },
              {
                "name": "Options",
                "value": "0x00000002"
              }
            ],
            "repeated": 0,
            "id": 4009
          },
          {
            "timestamp": "2026-05-28 22:02:14,229",
            "thread_id": "11128",
            "caller": "0x7ffc756d30ce",
            "parentcaller": "0x7ffc738f5ffc",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 4010
          },
          {
            "timestamp": "2026-05-28 22:02:14,229",
            "thread_id": "11128",
            "caller": "0x7ffc756d30ce",
            "parentcaller": "0x7ffc738f5ffc",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b8"
              },
              {
                "name": "Milliseconds",
                "value": "1000"
              }
            ],
            "repeated": 0,
            "id": 4011
          },
          {
            "timestamp": "2026-05-28 22:02:14,229",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "00000323-0000-0000-C000-000000000046"
              },
              {
                "name": "ClsContext",
                "value": "0x00000001",
                "pretty_value": "CLSCTX_INPROC_SERVER"
              },
              {
                "name": "riid",
                "value": "00000146-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 4012
          },
          {
            "timestamp": "2026-05-28 22:02:14,229",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc73f05000"
              },
              {
                "name": "ModuleName",
                "value": "windows.storage.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00002000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 4013
          },
          {
            "timestamp": "2026-05-28 22:02:14,229",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc73f05000"
              },
              {
                "name": "ModuleName",
                "value": "windows.storage.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00002000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 4014
          },
          {
            "timestamp": "2026-05-28 22:02:14,229",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "synchronization",
            "api": "NtCreateMutant",
            "status": true,
            "return": "0x40000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005bc"
              },
              {
                "name": "MutexName",
                "value": "Local\\SM0:10720:120:WilError_03"
              },
              {
                "name": "InitialOwner",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 4015
          },
          {
            "timestamp": "2026-05-28 22:02:14,229",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005bc"
              },
              {
                "name": "Milliseconds",
                "value": "18446744073709551615"
              },
              {
                "name": "Status",
                "value": "Infinite"
              }
            ],
            "repeated": 0,
            "id": 4016
          },
          {
            "timestamp": "2026-05-28 22:02:14,229",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 4017
          },
          {
            "timestamp": "2026-05-28 22:02:14,229",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005c4"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 4018
          },
          {
            "timestamp": "2026-05-28 22:02:14,229",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 4019
          },
          {
            "timestamp": "2026-05-28 22:02:14,229",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005c8"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 4020
          },
          {
            "timestamp": "2026-05-28 22:02:14,229",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005c8"
              }
            ],
            "repeated": 0,
            "id": 4021
          },
          {
            "timestamp": "2026-05-28 22:02:14,229",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005c4"
              }
            ],
            "repeated": 0,
            "id": 4022
          },
          {
            "timestamp": "2026-05-28 22:02:14,229",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "synchronization",
            "api": "NtReleaseMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005bc"
              }
            ],
            "repeated": 0,
            "id": 4023
          },
          {
            "timestamp": "2026-05-28 22:02:14,229",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005bc"
              }
            ],
            "repeated": 0,
            "id": 4024
          },
          {
            "timestamp": "2026-05-28 22:02:14,229",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtAllocateVirtualMemoryEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2a3654be000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 4025
          },
          {
            "timestamp": "2026-05-28 22:02:14,229",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x000005bc"
              }
            ],
            "repeated": 0,
            "id": 4026
          },
          {
            "timestamp": "2026-05-28 22:02:14,229",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "18"
              },
              {
                "name": "TokenInformation",
                "value": "\\x01\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 4027
          },
          {
            "timestamp": "2026-05-28 22:02:14,229",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "20"
              },
              {
                "name": "TokenInformation",
                "value": "\\x01\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 4028
          },
          {
            "timestamp": "2026-05-28 22:02:14,229",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005bc"
              }
            ],
            "repeated": 0,
            "id": 4029
          },
          {
            "timestamp": "2026-05-28 22:02:14,229",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000000",
                "pretty_value": "HKEY_CLASSES_ROOT"
              },
              {
                "name": "SubKey",
                "value": "Directory"
              },
              {
                "name": "Handle",
                "value": "0x000005be"
              },
              {
                "name": "FullName",
                "value": "HKEY_CLASSES_ROOT\\Directory"
              }
            ],
            "repeated": 0,
            "id": 4030
          },
          {
            "timestamp": "2026-05-28 22:02:14,229",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000005be"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3968686040-3210279463-847977608-1001_Classes\\Directory"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 4031
          },
          {
            "timestamp": "2026-05-28 22:02:14,229",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000005be"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 1,
            "id": 4032
          },
          {
            "timestamp": "2026-05-28 22:02:14,229",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000005be"
              },
              {
                "name": "ObjectAttributesName",
                "value": "ShellEx\\PropertyHandler"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\Directory\\ShellEx\\PropertyHandler"
              }
            ],
            "repeated": 0,
            "id": 4033
          },
          {
            "timestamp": "2026-05-28 22:02:14,229",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Classes\\Directory\\ShellEx\\PropertyHandler"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Classes\\Directory\\ShellEx\\PropertyHandler"
              }
            ],
            "repeated": 0,
            "id": 4034
          },
          {
            "timestamp": "2026-05-28 22:02:14,229",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000000",
                "pretty_value": "HKEY_CLASSES_ROOT"
              },
              {
                "name": "SubKey",
                "value": "Folder"
              },
              {
                "name": "Handle",
                "value": "0x000005c6"
              },
              {
                "name": "FullName",
                "value": "HKEY_CLASSES_ROOT\\Folder"
              }
            ],
            "repeated": 0,
            "id": 4035
          },
          {
            "timestamp": "2026-05-28 22:02:14,229",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000005c6"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\Folder"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 4036
          },
          {
            "timestamp": "2026-05-28 22:02:14,229",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000005c6"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 4037
          },
          {
            "timestamp": "2026-05-28 22:02:14,229",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xa0\\xb1\\x92\\xf7\\xb8\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xfc\\x7f\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\xe9\\x03\\x00\\x00\\xfc\\x7f\\x00\\x00\\xb8\\xcf\\xd93\\xfc\\x7f\\x00\\x00\\xc6\\x05\\x00\\x00\\x00\\x00\\x00\\x00\\xe0\\xd2\\xd93\\xfc\\x7f\\x00\\x00\\x04\\x00\\x00\\x00\\xb8\\x00\\x00\\x00\\xa0\\xb2\\x92\\xf7\\xb8\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 4038
          },
          {
            "timestamp": "2026-05-28 22:02:14,229",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3968686040-3210279463-847977608-1001_Classes\\Folder\\ShellEx\\PropertyHandler"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\Folder\\ShellEx\\PropertyHandler"
              }
            ],
            "repeated": 0,
            "id": 4039
          },
          {
            "timestamp": "2026-05-28 22:02:14,229",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000005c6"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 4040
          },
          {
            "timestamp": "2026-05-28 22:02:14,229",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000005c6"
              },
              {
                "name": "ObjectAttributesName",
                "value": "ShellEx\\PropertyHandler"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Folder\\ShellEx\\PropertyHandler"
              }
            ],
            "repeated": 0,
            "id": 4041
          },
          {
            "timestamp": "2026-05-28 22:02:14,229",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000000",
                "pretty_value": "HKEY_CLASSES_ROOT"
              },
              {
                "name": "SubKey",
                "value": "AllFilesystemObjects"
              },
              {
                "name": "Handle",
                "value": "0x000005ca"
              },
              {
                "name": "FullName",
                "value": "HKEY_CLASSES_ROOT\\AllFilesystemObjects"
              }
            ],
            "repeated": 0,
            "id": 4042
          },
          {
            "timestamp": "2026-05-28 22:02:14,229",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000005ca"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\AllFilesystemObjects"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 4043
          },
          {
            "timestamp": "2026-05-28 22:02:14,229",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000005ca"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 4044
          },
          {
            "timestamp": "2026-05-28 22:02:14,229",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xa0\\xb1\\x92\\xf7\\xb8\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xfc\\x7f\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\xe9\\x03\\x00\\x00\\xfc\\x7f\\x00\\x00\\xb8\\xcf\\xd93\\xfc\\x7f\\x00\\x00\\xca\\x05\\x00\\x00\\x00\\x00\\x00\\x00\\xe0\\xd2\\xd93\\xfc\\x7f\\x00\\x00\\x04\\x00\\x00\\x00\\xb8\\x00\\x00\\x00\\xa0\\xb2\\x92\\xf7\\xb8\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 4045
          },
          {
            "timestamp": "2026-05-28 22:02:14,229",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3968686040-3210279463-847977608-1001_Classes\\AllFilesystemObjects\\ShellEx\\PropertyHandler"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\AllFilesystemObjects\\ShellEx\\PropertyHandler"
              }
            ],
            "repeated": 0,
            "id": 4046
          },
          {
            "timestamp": "2026-05-28 22:02:14,229",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000005ca"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 4047
          },
          {
            "timestamp": "2026-05-28 22:02:14,229",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000005ca"
              },
              {
                "name": "ObjectAttributesName",
                "value": "ShellEx\\PropertyHandler"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\AllFilesystemObjects\\ShellEx\\PropertyHandler"
              }
            ],
            "repeated": 0,
            "id": 4048
          },
          {
            "timestamp": "2026-05-28 22:02:14,229",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005be"
              }
            ],
            "repeated": 0,
            "id": 4049
          },
          {
            "timestamp": "2026-05-28 22:02:14,229",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005c6"
              }
            ],
            "repeated": 0,
            "id": 4050
          },
          {
            "timestamp": "2026-05-28 22:02:14,229",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005ca"
              }
            ],
            "repeated": 0,
            "id": 4051
          },
          {
            "timestamp": "2026-05-28 22:02:14,229",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\SyncRootManager"
              },
              {
                "name": "Handle",
                "value": "0x000005c8"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\SyncRootManager"
              }
            ],
            "repeated": 0,
            "id": 4052
          },
          {
            "timestamp": "2026-05-28 22:02:14,229",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegQueryInfoKeyW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000005c8"
              },
              {
                "name": "Class",
                "value": ""
              },
              {
                "name": "SubKeyCount",
                "value": "0"
              },
              {
                "name": "MaxSubKeyLength",
                "value": "0"
              },
              {
                "name": "MaxClassLength",
                "value": "0"
              },
              {
                "name": "ValueCount",
                "value": "0"
              },
              {
                "name": "MaxValueNameLength",
                "value": "0"
              },
              {
                "name": "MaxValueLength",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 4053
          },
          {
            "timestamp": "2026-05-28 22:02:14,229",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005c8"
              }
            ],
            "repeated": 0,
            "id": 4054
          },
          {
            "timestamp": "2026-05-28 22:02:14,229",
            "thread_id": "11124",
            "caller": "0x7ffc7392a151",
            "parentcaller": "0x7ffc739127a5",
            "category": "filesystem",
            "api": "GetVolumeNameForVolumeMountPointW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "VolumeMountPoint",
                "value": "\\\\?\\STORAGE#Volume#{e32a9442-5af2-11f1-ae2c-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\"
              },
              {
                "name": "VolumeName",
                "value": "\\\\?\\Volume{528c102f-0000-0000-0000-100000000000}\\"
              }
            ],
            "repeated": 0,
            "id": 4055
          },
          {
            "timestamp": "2026-05-28 22:02:14,229",
            "thread_id": "11128",
            "caller": "0x7ffc756e6785",
            "parentcaller": "0x7ffc738f601a",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b8"
              }
            ],
            "repeated": 0,
            "id": 4056
          },
          {
            "timestamp": "2026-05-28 22:02:14,229",
            "thread_id": "11128",
            "caller": "0x7ffc7390f616",
            "parentcaller": "0x7ffc7390bf43",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000001",
                "pretty_value": "HKEY_CURRENT_USER"
              },
              {
                "name": "SubKey",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume"
              },
              {
                "name": "Handle",
                "value": "0x000005b8"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume"
              }
            ],
            "repeated": 0,
            "id": 4057
          },
          {
            "timestamp": "2026-05-28 22:02:14,229",
            "thread_id": "11128",
            "caller": "0x7ffc7390bf7f",
            "parentcaller": "0x7ffc738f59ad",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x000005b8"
              },
              {
                "name": "SubKey",
                "value": "{528c102f-0000-0000-0000-100000000000}\\"
              },
              {
                "name": "Handle",
                "value": "0x000005c8"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{528c102f-0000-0000-0000-100000000000}\\"
              }
            ],
            "repeated": 0,
            "id": 4058
          },
          {
            "timestamp": "2026-05-28 22:02:14,229",
            "thread_id": "11128",
            "caller": "0x7ffc7390bfa7",
            "parentcaller": "0x7ffc738f59ad",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b8"
              }
            ],
            "repeated": 0,
            "id": 4059
          },
          {
            "timestamp": "2026-05-28 22:02:14,229",
            "thread_id": "11128",
            "caller": "0x7ffc775cb76b",
            "parentcaller": "0x7ffc775cb5e2",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005c8"
              },
              {
                "name": "ValueName",
                "value": "Data"
              },
              {
                "name": "Data",
                "value": "\\xd6\r\\x00\\x00\r\\xf0\\xad\\xba\\x01\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x80\\x00\\x00\\x00\\x00\\x00\\x00\\x000\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xff\\x06\\xe7\\x03\\xff\\x00\\x00\\x00\\x16\\x00\\x00\\x00R\\xbd\\xbb\\x88\\x1e\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x0b\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\\\x00\\\\x00?\\x00\\\\x00S\\x00T\\x00O\\x00R\\x00A\\x00G\\x00E\\x00#\\x00V\\x00o\\x00l\\x00u\\x00m\\x00e\\x00#\\x00{\\x00e\\x003\\x002\\x00a\\x009\\x004\\x004\\x002\\x00-\\x005\\x00a\\x00f\\x002\\x00-\\x001\\x001\\x00f\\x001\\x00-\\x00a\\x00e\\x002\\x00c\\x00-\\x008\\x000\\x006\\x00e\\x006\\x00f\\x006\\x00e\\x006\\x009\\x006\\x003\\x00}\\x00#\\x000\\x000\\x000\\x000\\x000\\x000\\x000\\x000\\x000\\x000\\x001\\x000\\x000\\x000\\x000\\x000\\x00#\\x00{\\x005\\x003\\x00f\\x005\\x006\\x003\\x000\\x00d\\x00-\\x00b\\x006\\x00b\\x00f\\x00-\\x001\\x001\\x00d\\x000\\x00-\\x009\\x004\\x00f\\x002\\x00-\\x000\\x000\\x00a\\x000\\x00c\\x009\\x001\\x00e\\x00f\\x00b\\x008\\x00b\\x00}\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\
x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{528c102f-0000-0000-0000-100000000000}\\Data"
              }
            ],
            "repeated": 0,
            "id": 4060
          },
          {
            "timestamp": "2026-05-28 22:02:14,229",
            "thread_id": "11128",
            "caller": "0x7ffc7390bfeb",
            "parentcaller": "0x7ffc738f59ad",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005c8"
              }
            ],
            "repeated": 0,
            "id": 4061
          },
          {
            "timestamp": "2026-05-28 22:02:14,229",
            "thread_id": "11128",
            "caller": "0x7ffc7390f616",
            "parentcaller": "0x7ffc7390bf43",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000001",
                "pretty_value": "HKEY_CURRENT_USER"
              },
              {
                "name": "SubKey",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume"
              },
              {
                "name": "Handle",
                "value": "0x000005c8"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume"
              }
            ],
            "repeated": 0,
            "id": 4062
          },
          {
            "timestamp": "2026-05-28 22:02:14,229",
            "thread_id": "11128",
            "caller": "0x7ffc7390bf7f",
            "parentcaller": "0x7ffc738f5a2d",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x000005c8"
              },
              {
                "name": "SubKey",
                "value": "{528c102f-0000-0000-0000-100000000000}\\"
              },
              {
                "name": "Handle",
                "value": "0x000005b8"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{528c102f-0000-0000-0000-100000000000}\\"
              }
            ],
            "repeated": 0,
            "id": 4063
          },
          {
            "timestamp": "2026-05-28 22:02:14,229",
            "thread_id": "11128",
            "caller": "0x7ffc7390bfa7",
            "parentcaller": "0x7ffc738f5a2d",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005c8"
              }
            ],
            "repeated": 0,
            "id": 4064
          },
          {
            "timestamp": "2026-05-28 22:02:14,229",
            "thread_id": "11128",
            "caller": "0x7ffc775cb76b",
            "parentcaller": "0x7ffc775cb5e2",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b8"
              },
              {
                "name": "ValueName",
                "value": "Generation"
              },
              {
                "name": "Data",
                "value": "1"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{528c102f-0000-0000-0000-100000000000}\\Generation"
              }
            ],
            "repeated": 0,
            "id": 4065
          },
          {
            "timestamp": "2026-05-28 22:02:14,229",
            "thread_id": "11128",
            "caller": "0x7ffc7390bfeb",
            "parentcaller": "0x7ffc738f5a2d",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b8"
              }
            ],
            "repeated": 0,
            "id": 4066
          },
          {
            "timestamp": "2026-05-28 22:02:14,229",
            "thread_id": "11128",
            "caller": "0x7ffc75716f4c",
            "parentcaller": "0x7ffc738f5fb2",
            "category": "system",
            "api": "NtDuplicateObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SourceProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "SourceHandle",
                "value": "0x000005b8"
              },
              {
                "name": "TargetProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "TargetHandle",
                "value": "0x000005c8"
              },
              {
                "name": "Options",
                "value": "0x00000002"
              }
            ],
            "repeated": 0,
            "id": 4067
          },
          {
            "timestamp": "2026-05-28 22:02:14,229",
            "thread_id": "11128",
            "caller": "0x7ffc756d30ce",
            "parentcaller": "0x7ffc738f5ffc",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 4068
          },
          {
            "timestamp": "2026-05-28 22:02:14,229",
            "thread_id": "11128",
            "caller": "0x7ffc756d30ce",
            "parentcaller": "0x7ffc738f5ffc",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b8"
              },
              {
                "name": "Milliseconds",
                "value": "1000"
              }
            ],
            "repeated": 0,
            "id": 4069
          },
          {
            "timestamp": "2026-05-28 22:02:14,229",
            "thread_id": "11124",
            "caller": "0x7ffc756e6785",
            "parentcaller": "0x7ffc7391286f",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005c0"
              }
            ],
            "repeated": 0,
            "id": 4070
          },
          {
            "timestamp": "2026-05-28 22:02:14,229",
            "thread_id": "11124",
            "caller": "0x7ffc7392a151",
            "parentcaller": "0x7ffc739127a5",
            "category": "filesystem",
            "api": "GetVolumeNameForVolumeMountPointW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "VolumeMountPoint",
                "value": "\\\\?\\STORAGE#Volume#{e32a9442-5af2-11f1-ae2c-806e6f6e6963}#0000000003300000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\"
              },
              {
                "name": "VolumeName",
                "value": "\\\\?\\Volume{528c102f-0000-0000-0000-300300000000}\\"
              }
            ],
            "repeated": 0,
            "id": 4071
          },
          {
            "timestamp": "2026-05-28 22:02:14,229",
            "thread_id": "11128",
            "caller": "0x7ffc756e6785",
            "parentcaller": "0x7ffc738f601a",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b8"
              }
            ],
            "repeated": 0,
            "id": 4072
          },
          {
            "timestamp": "2026-05-28 22:02:14,229",
            "thread_id": "11128",
            "caller": "0x7ffc7390f616",
            "parentcaller": "0x7ffc7390bf43",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000001",
                "pretty_value": "HKEY_CURRENT_USER"
              },
              {
                "name": "SubKey",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume"
              },
              {
                "name": "Handle",
                "value": "0x000005b8"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume"
              }
            ],
            "repeated": 0,
            "id": 4073
          },
          {
            "timestamp": "2026-05-28 22:02:14,229",
            "thread_id": "11128",
            "caller": "0x7ffc7390bf7f",
            "parentcaller": "0x7ffc738f59ad",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x000005b8"
              },
              {
                "name": "SubKey",
                "value": "{528c102f-0000-0000-0000-300300000000}\\"
              },
              {
                "name": "Handle",
                "value": "0x000005c0"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{528c102f-0000-0000-0000-300300000000}\\"
              }
            ],
            "repeated": 0,
            "id": 4074
          },
          {
            "timestamp": "2026-05-28 22:02:14,229",
            "thread_id": "11128",
            "caller": "0x7ffc7390bfa7",
            "parentcaller": "0x7ffc738f59ad",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b8"
              }
            ],
            "repeated": 0,
            "id": 4075
          },
          {
            "timestamp": "2026-05-28 22:02:14,229",
            "thread_id": "11128",
            "caller": "0x7ffc775cb76b",
            "parentcaller": "0x7ffc775cb5e2",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005c0"
              },
              {
                "name": "ValueName",
                "value": "Data"
              },
              {
                "name": "Data",
                "value": "\\xd6\r\\x00\\x00\r\\xf0\\xad\\xbaA\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x80\\x00\\x00\\x00\\x00\\x00\\x00\\x000\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xff\\x06\\xe7\\x03\\xff\\x00\\x00\\x00\\x16\\x00\\x00\\x00&\\x00\\xbc\\x12\\x1f\\x00\\x00\\x00\\x04@\\x00\\x00\\x0b\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\\\x00\\\\x00?\\x00\\\\x00S\\x00T\\x00O\\x00R\\x00A\\x00G\\x00E\\x00#\\x00V\\x00o\\x00l\\x00u\\x00m\\x00e\\x00#\\x00{\\x00e\\x003\\x002\\x00a\\x009\\x004\\x004\\x002\\x00-\\x005\\x00a\\x00f\\x002\\x00-\\x001\\x001\\x00f\\x001\\x00-\\x00a\\x00e\\x002\\x00c\\x00-\\x008\\x000\\x006\\x00e\\x006\\x00f\\x006\\x00e\\x006\\x009\\x006\\x003\\x00}\\x00#\\x000\\x000\\x000\\x000\\x000\\x000\\x000\\x000\\x000\\x003\\x003\\x000\\x000\\x000\\x000\\x000\\x00#\\x00{\\x005\\x003\\x00f\\x005\\x006\\x003\\x000\\x00d\\x00-\\x00b\\x006\\x00b\\x00f\\x00-\\x001\\x001\\x00d\\x000\\x00-\\x009\\x004\\x00f\\x002\\x00-\\x000\\x000\\x00a\\x000\\x00c\\x009\\x001\\x00e\\x00f\\x00b\\x008\\x00b\\x00}\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00
\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{528c102f-0000-0000-0000-300300000000}\\Data"
              }
            ],
            "repeated": 0,
            "id": 4076
          },
          {
            "timestamp": "2026-05-28 22:02:14,229",
            "thread_id": "11128",
            "caller": "0x7ffc7390bfeb",
            "parentcaller": "0x7ffc738f59ad",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005c0"
              }
            ],
            "repeated": 0,
            "id": 4077
          },
          {
            "timestamp": "2026-05-28 22:02:14,229",
            "thread_id": "11128",
            "caller": "0x7ffc7390f616",
            "parentcaller": "0x7ffc7390bf43",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000001",
                "pretty_value": "HKEY_CURRENT_USER"
              },
              {
                "name": "SubKey",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume"
              },
              {
                "name": "Handle",
                "value": "0x000005c0"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume"
              }
            ],
            "repeated": 0,
            "id": 4078
          },
          {
            "timestamp": "2026-05-28 22:02:14,229",
            "thread_id": "11128",
            "caller": "0x7ffc7390bf7f",
            "parentcaller": "0x7ffc738f5a2d",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x000005c0"
              },
              {
                "name": "SubKey",
                "value": "{528c102f-0000-0000-0000-300300000000}\\"
              },
              {
                "name": "Handle",
                "value": "0x000005b8"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{528c102f-0000-0000-0000-300300000000}\\"
              }
            ],
            "repeated": 0,
            "id": 4079
          },
          {
            "timestamp": "2026-05-28 22:02:14,229",
            "thread_id": "11128",
            "caller": "0x7ffc7390bfa7",
            "parentcaller": "0x7ffc738f5a2d",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005c0"
              }
            ],
            "repeated": 0,
            "id": 4080
          },
          {
            "timestamp": "2026-05-28 22:02:14,229",
            "thread_id": "11128",
            "caller": "0x7ffc775cb76b",
            "parentcaller": "0x7ffc775cb5e2",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b8"
              },
              {
                "name": "ValueName",
                "value": "Generation"
              },
              {
                "name": "Data",
                "value": "1"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{528c102f-0000-0000-0000-300300000000}\\Generation"
              }
            ],
            "repeated": 0,
            "id": 4081
          },
          {
            "timestamp": "2026-05-28 22:02:14,229",
            "thread_id": "11128",
            "caller": "0x7ffc7390bfeb",
            "parentcaller": "0x7ffc738f5a2d",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b8"
              }
            ],
            "repeated": 0,
            "id": 4082
          },
          {
            "timestamp": "2026-05-28 22:02:14,229",
            "thread_id": "11128",
            "caller": "0x7ffc75716f4c",
            "parentcaller": "0x7ffc738f5fb2",
            "category": "system",
            "api": "NtDuplicateObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SourceProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "SourceHandle",
                "value": "0x000005b8"
              },
              {
                "name": "TargetProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "TargetHandle",
                "value": "0x000005c0"
              },
              {
                "name": "Options",
                "value": "0x00000002"
              }
            ],
            "repeated": 0,
            "id": 4083
          },
          {
            "timestamp": "2026-05-28 22:02:14,229",
            "thread_id": "11128",
            "caller": "0x7ffc756d30ce",
            "parentcaller": "0x7ffc738f5ffc",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 4084
          },
          {
            "timestamp": "2026-05-28 22:02:14,229",
            "thread_id": "11128",
            "caller": "0x7ffc756d30ce",
            "parentcaller": "0x7ffc738f5ffc",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b8"
              },
              {
                "name": "Milliseconds",
                "value": "1000"
              }
            ],
            "repeated": 0,
            "id": 4085
          },
          {
            "timestamp": "2026-05-28 22:02:14,229",
            "thread_id": "11124",
            "caller": "0x7ffc756e6785",
            "parentcaller": "0x7ffc7391286f",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005c8"
              }
            ],
            "repeated": 0,
            "id": 4086
          },
          {
            "timestamp": "2026-05-28 22:02:14,229",
            "thread_id": "11124",
            "caller": "0x7ffc7392a151",
            "parentcaller": "0x7ffc739127a5",
            "category": "filesystem",
            "api": "GetVolumeNameForVolumeMountPointW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "VolumeMountPoint",
                "value": "\\\\?\\STORAGE#Volume#{e32a9442-5af2-11f1-ae2c-806e6f6e6963}#0000000EDDC00000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\"
              },
              {
                "name": "VolumeName",
                "value": "\\\\?\\Volume{528c102f-0000-0000-0000-c0dd0e000000}\\"
              }
            ],
            "repeated": 0,
            "id": 4087
          },
          {
            "timestamp": "2026-05-28 22:02:14,229",
            "thread_id": "11128",
            "caller": "0x7ffc756e6785",
            "parentcaller": "0x7ffc738f601a",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b8"
              }
            ],
            "repeated": 0,
            "id": 4088
          },
          {
            "timestamp": "2026-05-28 22:02:14,229",
            "thread_id": "11128",
            "caller": "0x7ffc7390f616",
            "parentcaller": "0x7ffc7390bf43",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000001",
                "pretty_value": "HKEY_CURRENT_USER"
              },
              {
                "name": "SubKey",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume"
              },
              {
                "name": "Handle",
                "value": "0x000005b8"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume"
              }
            ],
            "repeated": 0,
            "id": 4089
          },
          {
            "timestamp": "2026-05-28 22:02:14,229",
            "thread_id": "11128",
            "caller": "0x7ffc7390bf7f",
            "parentcaller": "0x7ffc738f59ad",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x000005b8"
              },
              {
                "name": "SubKey",
                "value": "{528c102f-0000-0000-0000-c0dd0e000000}\\"
              },
              {
                "name": "Handle",
                "value": "0x000005c8"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{528c102f-0000-0000-0000-c0dd0e000000}\\"
              }
            ],
            "repeated": 0,
            "id": 4090
          },
          {
            "timestamp": "2026-05-28 22:02:14,229",
            "thread_id": "11128",
            "caller": "0x7ffc7390bfa7",
            "parentcaller": "0x7ffc738f59ad",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b8"
              }
            ],
            "repeated": 0,
            "id": 4091
          },
          {
            "timestamp": "2026-05-28 22:02:14,229",
            "thread_id": "11128",
            "caller": "0x7ffc775cb76b",
            "parentcaller": "0x7ffc775cb5e2",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005c8"
              },
              {
                "name": "ValueName",
                "value": "Data"
              },
              {
                "name": "Data",
                "value": "\\xd6\r\\x00\\x00\r\\xf0\\xad\\xba\\x01\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x80\\x00\\x00\\x00\\x00\\x00\\x00\\x000\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xff\\x06\\xe7\\x03\\xff\\x00\\x00\\x00\\x16\\x00\\x00\\x00\\x9d\\x7f\\xd7`\\x1e\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x0b\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\\\x00\\\\x00?\\x00\\\\x00S\\x00T\\x00O\\x00R\\x00A\\x00G\\x00E\\x00#\\x00V\\x00o\\x00l\\x00u\\x00m\\x00e\\x00#\\x00{\\x00e\\x003\\x002\\x00a\\x009\\x004\\x004\\x002\\x00-\\x005\\x00a\\x00f\\x002\\x00-\\x001\\x001\\x00f\\x001\\x00-\\x00a\\x00e\\x002\\x00c\\x00-\\x008\\x000\\x006\\x00e\\x006\\x00f\\x006\\x00e\\x006\\x009\\x006\\x003\\x00}\\x00#\\x000\\x000\\x000\\x000\\x000\\x000\\x000\\x00E\\x00D\\x00D\\x00C\\x000\\x000\\x000\\x000\\x000\\x00#\\x00{\\x005\\x003\\x00f\\x005\\x006\\x003\\x000\\x00d\\x00-\\x00b\\x006\\x00b\\x00f\\x00-\\x001\\x001\\x00d\\x000\\x00-\\x009\\x004\\x00f\\x002\\x00-\\x000\\x000\\x00a\\x000\\x00c\\x009\\x001\\x00e\\x00f\\x00b\\x008\\x00b\\x00}\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\
x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{528c102f-0000-0000-0000-c0dd0e000000}\\Data"
              }
            ],
            "repeated": 0,
            "id": 4092
          },
          {
            "timestamp": "2026-05-28 22:02:14,229",
            "thread_id": "11128",
            "caller": "0x7ffc7390bfeb",
            "parentcaller": "0x7ffc738f59ad",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005c8"
              }
            ],
            "repeated": 0,
            "id": 4093
          },
          {
            "timestamp": "2026-05-28 22:02:14,229",
            "thread_id": "11128",
            "caller": "0x7ffc7390f616",
            "parentcaller": "0x7ffc7390bf43",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000001",
                "pretty_value": "HKEY_CURRENT_USER"
              },
              {
                "name": "SubKey",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume"
              },
              {
                "name": "Handle",
                "value": "0x000005c8"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume"
              }
            ],
            "repeated": 0,
            "id": 4094
          },
          {
            "timestamp": "2026-05-28 22:02:14,229",
            "thread_id": "11128",
            "caller": "0x7ffc7390bf7f",
            "parentcaller": "0x7ffc738f5a2d",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x000005c8"
              },
              {
                "name": "SubKey",
                "value": "{528c102f-0000-0000-0000-c0dd0e000000}\\"
              },
              {
                "name": "Handle",
                "value": "0x000005b8"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{528c102f-0000-0000-0000-c0dd0e000000}\\"
              }
            ],
            "repeated": 0,
            "id": 4095
          },
          {
            "timestamp": "2026-05-28 22:02:14,229",
            "thread_id": "11128",
            "caller": "0x7ffc7390bfa7",
            "parentcaller": "0x7ffc738f5a2d",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005c8"
              }
            ],
            "repeated": 0,
            "id": 4096
          },
          {
            "timestamp": "2026-05-28 22:02:14,229",
            "thread_id": "11128",
            "caller": "0x7ffc775cb76b",
            "parentcaller": "0x7ffc775cb5e2",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b8"
              },
              {
                "name": "ValueName",
                "value": "Generation"
              },
              {
                "name": "Data",
                "value": "1"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{528c102f-0000-0000-0000-c0dd0e000000}\\Generation"
              }
            ],
            "repeated": 0,
            "id": 4097
          },
          {
            "timestamp": "2026-05-28 22:02:14,229",
            "thread_id": "11128",
            "caller": "0x7ffc7390bfeb",
            "parentcaller": "0x7ffc738f5a2d",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b8"
              }
            ],
            "repeated": 0,
            "id": 4098
          },
          {
            "timestamp": "2026-05-28 22:02:14,229",
            "thread_id": "11128",
            "caller": "0x7ffc77ff2caa",
            "parentcaller": "0x7ffc77ff2fbd",
            "category": "process",
            "api": "NtAllocateVirtualMemoryEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2a3654c3000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 4099
          },
          {
            "timestamp": "2026-05-28 22:02:14,229",
            "thread_id": "11128",
            "caller": "0x7ffc75716f4c",
            "parentcaller": "0x7ffc738f5fb2",
            "category": "system",
            "api": "NtDuplicateObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SourceProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "SourceHandle",
                "value": "0x000005cc"
              },
              {
                "name": "TargetProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "TargetHandle",
                "value": "0x000005d0"
              },
              {
                "name": "Options",
                "value": "0x00000002"
              }
            ],
            "repeated": 0,
            "id": 4100
          },
          {
            "timestamp": "2026-05-28 22:02:14,229",
            "thread_id": "11128",
            "caller": "0x7ffc756d30ce",
            "parentcaller": "0x7ffc738f5ffc",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 4101
          },
          {
            "timestamp": "2026-05-28 22:02:14,229",
            "thread_id": "11128",
            "caller": "0x7ffc756d30ce",
            "parentcaller": "0x7ffc738f5ffc",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005cc"
              },
              {
                "name": "Milliseconds",
                "value": "1000"
              }
            ],
            "repeated": 0,
            "id": 4102
          },
          {
            "timestamp": "2026-05-28 22:02:14,229",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtAllocateVirtualMemoryEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2a3654bf000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 4103
          },
          {
            "timestamp": "2026-05-28 22:02:14,229",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000000",
                "pretty_value": "HKEY_CLASSES_ROOT"
              },
              {
                "name": "SubKey",
                "value": "Drive\\shellex\\FolderExtensions"
              },
              {
                "name": "Handle",
                "value": "0x000005d6"
              },
              {
                "name": "FullName",
                "value": "HKEY_CLASSES_ROOT\\Drive\\shellex\\FolderExtensions"
              }
            ],
            "repeated": 0,
            "id": 4104
          },
          {
            "timestamp": "2026-05-28 22:02:14,229",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegEnumKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005d6"
              },
              {
                "name": "Index",
                "value": "0"
              },
              {
                "name": "Name",
                "value": "{fbeb8a05-beee-4442-804e-409d6c4515e9}"
              },
              {
                "name": "Class",
                "value": ""
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Drive\\shellex\\FolderExtensions\\{fbeb8a05-beee-4442-804e-409d6c4515e9}"
              }
            ],
            "repeated": 0,
            "id": 4105
          },
          {
            "timestamp": "2026-05-28 22:02:14,229",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000000",
                "pretty_value": "HKEY_CLASSES_ROOT"
              },
              {
                "name": "SubKey",
                "value": "Drive\\shellex\\FolderExtensions\\{fbeb8a05-beee-4442-804e-409d6c4515e9}"
              },
              {
                "name": "Handle",
                "value": "0x000005da"
              },
              {
                "name": "FullName",
                "value": "HKEY_CLASSES_ROOT\\Drive\\shellex\\FolderExtensions\\{fbeb8a05-beee-4442-804e-409d6c4515e9}"
              }
            ],
            "repeated": 0,
            "id": 4106
          },
          {
            "timestamp": "2026-05-28 22:02:14,229",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005da"
              },
              {
                "name": "ValueName",
                "value": "DriveMask"
              },
              {
                "name": "Data",
                "value": "32"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Drive\\shellex\\FolderExtensions\\{fbeb8a05-beee-4442-804e-409d6c4515e9}\\DriveMask"
              }
            ],
            "repeated": 0,
            "id": 4107
          },
          {
            "timestamp": "2026-05-28 22:02:14,229",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005da"
              }
            ],
            "repeated": 0,
            "id": 4108
          },
          {
            "timestamp": "2026-05-28 22:02:14,229",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegEnumKeyExW",
            "status": false,
            "return": "0x00000103",
            "pretty_return": "NO_MORE_ITEMS",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005d6"
              },
              {
                "name": "Index",
                "value": "1"
              },
              {
                "name": "Name",
                "value": ""
              },
              {
                "name": "Class",
                "value": ""
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Drive\\shellex\\FolderExtensions\\"
              }
            ],
            "repeated": 0,
            "id": 4109
          },
          {
            "timestamp": "2026-05-28 22:02:14,229",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005d6"
              }
            ],
            "repeated": 0,
            "id": 4110
          },
          {
            "timestamp": "2026-05-28 22:02:14,229",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtAllocateVirtualMemoryEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2a3654a3000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 4111
          },
          {
            "timestamp": "2026-05-28 22:02:14,229",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtAllocateVirtualMemoryEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2a3654a4000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 4112
          },
          {
            "timestamp": "2026-05-28 22:02:14,229",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtAllocateVirtualMemoryEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2a3654b7000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 4113
          },
          {
            "timestamp": "2026-05-28 22:02:14,229",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x000005d8"
              }
            ],
            "repeated": 0,
            "id": 4114
          },
          {
            "timestamp": "2026-05-28 22:02:14,229",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "29"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 4115
          },
          {
            "timestamp": "2026-05-28 22:02:14,229",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005d8"
              }
            ],
            "repeated": 0,
            "id": 4116
          },
          {
            "timestamp": "2026-05-28 22:02:14,244",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "9CFC2DF3-6BA3-46EF-A836-E519E81F0EC4"
              },
              {
                "name": "ClsContext",
                "value": "0x00000001",
                "pretty_value": "CLSCTX_INPROC_SERVER"
              },
              {
                "name": "riid",
                "value": "00000000-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 4117
          },
          {
            "timestamp": "2026-05-28 22:02:14,244",
            "thread_id": "11124",
            "caller": "0x7ffc756e6785",
            "parentcaller": "0x7ffc7391286f",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005c0"
              }
            ],
            "repeated": 0,
            "id": 4118
          },
          {
            "timestamp": "2026-05-28 22:02:14,244",
            "thread_id": "11124",
            "caller": "0x7ffc7392a151",
            "parentcaller": "0x7ffc739127a5",
            "category": "filesystem",
            "api": "GetVolumeNameForVolumeMountPointW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "VolumeMountPoint",
                "value": "\\\\?\\SCSI#CdRom&Ven_<WOOT>&Prod_HL-PQ-SV_WB8#4&35424867&0&010000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\"
              },
              {
                "name": "VolumeName",
                "value": "\\\\?\\Volume{e32a94c0-5af2-11f1-ae2c-806e6f6e6963}\\"
              }
            ],
            "repeated": 0,
            "id": 4119
          },
          {
            "timestamp": "2026-05-28 22:02:14,244",
            "thread_id": "11128",
            "caller": "0x7ffc756e6785",
            "parentcaller": "0x7ffc738f601a",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005cc"
              }
            ],
            "repeated": 0,
            "id": 4120
          },
          {
            "timestamp": "2026-05-28 22:02:14,244",
            "thread_id": "11128",
            "caller": "0x7ffc7390f616",
            "parentcaller": "0x7ffc7390bf43",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000001",
                "pretty_value": "HKEY_CURRENT_USER"
              },
              {
                "name": "SubKey",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume"
              },
              {
                "name": "Handle",
                "value": "0x000005cc"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume"
              }
            ],
            "repeated": 0,
            "id": 4121
          },
          {
            "timestamp": "2026-05-28 22:02:14,244",
            "thread_id": "11128",
            "caller": "0x7ffc7390bf7f",
            "parentcaller": "0x7ffc738f59ad",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x000005cc"
              },
              {
                "name": "SubKey",
                "value": "{e32a94c0-5af2-11f1-ae2c-806e6f6e6963}\\"
              },
              {
                "name": "Handle",
                "value": "0x000005c0"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{e32a94c0-5af2-11f1-ae2c-806e6f6e6963}\\"
              }
            ],
            "repeated": 0,
            "id": 4122
          },
          {
            "timestamp": "2026-05-28 22:02:14,244",
            "thread_id": "11128",
            "caller": "0x7ffc7390bfa7",
            "parentcaller": "0x7ffc738f59ad",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005cc"
              }
            ],
            "repeated": 0,
            "id": 4123
          },
          {
            "timestamp": "2026-05-28 22:02:14,244",
            "thread_id": "11128",
            "caller": "0x7ffc775cb76b",
            "parentcaller": "0x7ffc775cb5e2",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005c0"
              },
              {
                "name": "ValueName",
                "value": "Data"
              },
              {
                "name": "Data",
                "value": "\\xd6\r\\x00\\x00\r\\xf0\\xad\\xba\\x01\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\x80\\x00\\x00\\x00\\x00\\x00\\x00\\x000\\x00\\x00\\x00\\x80#\\x00\\x00\\x00\\x07\\x02H\\x01\\xfe\\x00\\x00\\x00\\x11\\x00\\x00\\x00x\\x00'\\xca\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x0b\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\\\x00\\\\x00?\\x00\\\\x00S\\x00C\\x00S\\x00I\\x00#\\x00C\\x00d\\x00R\\x00o\\x00m\\x00&\\x00V\\x00e\\x00n\\x00_\\x00<\\x00W\\x00O\\x00O\\x00T\\x00>\\x00&\\x00P\\x00r\\x00o\\x00d\\x00_\\x00H\\x00L\\x00-\\x00P\\x00Q\\x00-\\x00S\\x00V\\x00_\\x00W\\x00B\\x008\\x00#\\x004\\x00&\\x003\\x005\\x004\\x002\\x004\\x008\\x006\\x007\\x00&\\x000\\x00&\\x000\\x001\\x000\\x000\\x000\\x000\\x00#\\x00{\\x005\\x003\\x00f\\x005\\x006\\x003\\x000\\x00d\\x00-\\x00b\\x006\\x00b\\x00f\\x00-\\x001\\x001\\x00d\\x000\\x00-\\x009\\x004\\x00f\\x002\\x00-\\x000\\x000\\x00a\\x000\\x00c\\x009\\x001\\x00e\\x00f\\x00b\\x008\\x00b\\x00}\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00
\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{e32a94c0-5af2-11f1-ae2c-806e6f6e6963}\\Data"
              }
            ],
            "repeated": 0,
            "id": 4124
          },
          {
            "timestamp": "2026-05-28 22:02:14,244",
            "thread_id": "11128",
            "caller": "0x7ffc7390bfeb",
            "parentcaller": "0x7ffc738f59ad",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005c0"
              }
            ],
            "repeated": 0,
            "id": 4125
          },
          {
            "timestamp": "2026-05-28 22:02:14,244",
            "thread_id": "11128",
            "caller": "0x7ffc7390f616",
            "parentcaller": "0x7ffc7390bf43",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000001",
                "pretty_value": "HKEY_CURRENT_USER"
              },
              {
                "name": "SubKey",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume"
              },
              {
                "name": "Handle",
                "value": "0x000005c0"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume"
              }
            ],
            "repeated": 0,
            "id": 4126
          },
          {
            "timestamp": "2026-05-28 22:02:14,244",
            "thread_id": "11128",
            "caller": "0x7ffc7390bf7f",
            "parentcaller": "0x7ffc738f5a2d",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x000005c0"
              },
              {
                "name": "SubKey",
                "value": "{e32a94c0-5af2-11f1-ae2c-806e6f6e6963}\\"
              },
              {
                "name": "Handle",
                "value": "0x000005cc"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{e32a94c0-5af2-11f1-ae2c-806e6f6e6963}\\"
              }
            ],
            "repeated": 0,
            "id": 4127
          },
          {
            "timestamp": "2026-05-28 22:02:14,244",
            "thread_id": "11128",
            "caller": "0x7ffc7390bfa7",
            "parentcaller": "0x7ffc738f5a2d",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005c0"
              }
            ],
            "repeated": 0,
            "id": 4128
          },
          {
            "timestamp": "2026-05-28 22:02:14,244",
            "thread_id": "11128",
            "caller": "0x7ffc775cb76b",
            "parentcaller": "0x7ffc775cb5e2",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005cc"
              },
              {
                "name": "ValueName",
                "value": "Generation"
              },
              {
                "name": "Data",
                "value": "1"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{e32a94c0-5af2-11f1-ae2c-806e6f6e6963}\\Generation"
              }
            ],
            "repeated": 0,
            "id": 4129
          },
          {
            "timestamp": "2026-05-28 22:02:14,244",
            "thread_id": "11128",
            "caller": "0x7ffc7390bfeb",
            "parentcaller": "0x7ffc738f5a2d",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005cc"
              }
            ],
            "repeated": 0,
            "id": 4130
          },
          {
            "timestamp": "2026-05-28 22:02:14,244",
            "thread_id": "11128",
            "caller": "0x7ffc756e6579",
            "parentcaller": "0x7ffc756e5fe6",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000005cc"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100080",
                "pretty_value": "FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "\\??\\MountPointManager"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "3",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000080",
                "pretty_value": "FILE_ATTRIBUTE_NORMAL"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 4131
          },
          {
            "timestamp": "2026-05-28 22:02:14,244",
            "thread_id": "11128",
            "caller": "0x7ffc756ff54e",
            "parentcaller": "0x7ffc738f620d",
            "category": "device",
            "api": "DeviceIoControl",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "DeviceHandle",
                "value": "0x000005cc"
              },
              {
                "name": "IoControlCode",
                "value": "0x006d0034",
                "pretty_value": "IOCTL_MOUNTMGR_QUERY_DOS_VOLUME_PATHS"
              },
              {
                "name": "InBuffer",
                "value": "`\\x00\\\\x00?\\x00?\\x00\\\\x00V\\x00o\\x00l\\x00u\\x00m\\x00e\\x00{\\x005\\x002\\x008\\x00c\\x001\\x000\\x002\\x00f\\x00-\\x000\\x000\\x000\\x000\\x00-\\x000\\x000\\x000\\x000\\x00-\\x000\\x000\\x000\\x000\\x00-\\x001\\x000\\x000\\x000\\x000\\x000\\x000\\x000\\x000\\x000\\x000\\x000\\x00}\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutBuffer",
                "value": "\\x02\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 4132
          },
          {
            "timestamp": "2026-05-28 22:02:14,244",
            "thread_id": "11128",
            "caller": "0x7ffc756e6785",
            "parentcaller": "0x7ffc756ff55e",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005cc"
              }
            ],
            "repeated": 0,
            "id": 4133
          },
          {
            "timestamp": "2026-05-28 22:02:14,244",
            "thread_id": "11128",
            "caller": "0x7ffc756e6579",
            "parentcaller": "0x7ffc756e5fe6",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000005cc"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100080",
                "pretty_value": "FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "\\??\\MountPointManager"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "3",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000080",
                "pretty_value": "FILE_ATTRIBUTE_NORMAL"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 4134
          },
          {
            "timestamp": "2026-05-28 22:02:14,244",
            "thread_id": "11128",
            "caller": "0x7ffc756ff54e",
            "parentcaller": "0x7ffc738f626d",
            "category": "device",
            "api": "DeviceIoControl",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "DeviceHandle",
                "value": "0x000005cc"
              },
              {
                "name": "IoControlCode",
                "value": "0x006d0034",
                "pretty_value": "IOCTL_MOUNTMGR_QUERY_DOS_VOLUME_PATHS"
              },
              {
                "name": "InBuffer",
                "value": "`\\x00\\\\x00?\\x00?\\x00\\\\x00V\\x00o\\x00l\\x00u\\x00m\\x00e\\x00{\\x005\\x002\\x008\\x00c\\x001\\x000\\x002\\x00f\\x00-\\x000\\x000\\x000\\x000\\x00-\\x000\\x000\\x000\\x000\\x00-\\x000\\x000\\x000\\x000\\x00-\\x001\\x000\\x000\\x000\\x000\\x000\\x000\\x000\\x000\\x000\\x000\\x000\\x00}\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutBuffer",
                "value": "\\x02\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 4135
          },
          {
            "timestamp": "2026-05-28 22:02:14,244",
            "thread_id": "11128",
            "caller": "0x7ffc756e6785",
            "parentcaller": "0x7ffc756ff55e",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005cc"
              }
            ],
            "repeated": 0,
            "id": 4136
          },
          {
            "timestamp": "2026-05-28 22:02:14,244",
            "thread_id": "11128",
            "caller": "0x7ffc756e6579",
            "parentcaller": "0x7ffc756e5fe6",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000005cc"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100080",
                "pretty_value": "FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "\\??\\MountPointManager"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "3",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000080",
                "pretty_value": "FILE_ATTRIBUTE_NORMAL"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 4137
          },
          {
            "timestamp": "2026-05-28 22:02:14,244",
            "thread_id": "11128",
            "caller": "0x7ffc756ff54e",
            "parentcaller": "0x7ffc738f620d",
            "category": "device",
            "api": "DeviceIoControl",
            "status": false,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "DeviceHandle",
                "value": "0x000005cc"
              },
              {
                "name": "IoControlCode",
                "value": "0x006d0034",
                "pretty_value": "IOCTL_MOUNTMGR_QUERY_DOS_VOLUME_PATHS"
              },
              {
                "name": "InBuffer",
                "value": "`\\x00\\\\x00?\\x00?\\x00\\\\x00V\\x00o\\x00l\\x00u\\x00m\\x00e\\x00{\\x005\\x002\\x008\\x00c\\x001\\x000\\x002\\x00f\\x00-\\x000\\x000\\x000\\x000\\x00-\\x000\\x000\\x000\\x000\\x00-\\x000\\x000\\x000\\x000\\x00-\\x003\\x000\\x000\\x003\\x000\\x000\\x000\\x000\\x000\\x000\\x000\\x000\\x00}\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutBuffer",
                "value": "\\x08\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 4138
          },
          {
            "timestamp": "2026-05-28 22:02:14,244",
            "thread_id": "11128",
            "caller": "0x7ffc756ff6dd",
            "parentcaller": "0x7ffc738f620d",
            "category": "device",
            "api": "DeviceIoControl",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "DeviceHandle",
                "value": "0x000005cc"
              },
              {
                "name": "IoControlCode",
                "value": "0x006d0034",
                "pretty_value": "IOCTL_MOUNTMGR_QUERY_DOS_VOLUME_PATHS"
              },
              {
                "name": "InBuffer",
                "value": "`\\x00\\\\x00?\\x00?\\x00\\\\x00V\\x00o\\x00l\\x00u\\x00m\\x00e\\x00{\\x005\\x002\\x008\\x00c\\x001\\x000\\x002\\x00f\\x00-\\x000\\x000\\x000\\x000\\x00-\\x000\\x000\\x000\\x000\\x00-\\x000\\x000\\x000\\x000\\x00-\\x003\\x000\\x000\\x003\\x000\\x000\\x000\\x000\\x000\\x000\\x000\\x000\\x00}\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutBuffer",
                "value": "\\x08\\x00\\x00\\x00C\\x00:\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 4139
          },
          {
            "timestamp": "2026-05-28 22:02:14,244",
            "thread_id": "11128",
            "caller": "0x7ffc756e6785",
            "parentcaller": "0x7ffc756ff55e",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005cc"
              }
            ],
            "repeated": 0,
            "id": 4140
          },
          {
            "timestamp": "2026-05-28 22:02:14,244",
            "thread_id": "11128",
            "caller": "0x7ffc756e6579",
            "parentcaller": "0x7ffc756e5fe6",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000005cc"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100080",
                "pretty_value": "FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "\\??\\MountPointManager"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "3",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000080",
                "pretty_value": "FILE_ATTRIBUTE_NORMAL"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 4141
          },
          {
            "timestamp": "2026-05-28 22:02:14,244",
            "thread_id": "11128",
            "caller": "0x7ffc756ff54e",
            "parentcaller": "0x7ffc738f626d",
            "category": "device",
            "api": "DeviceIoControl",
            "status": false,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "DeviceHandle",
                "value": "0x000005cc"
              },
              {
                "name": "IoControlCode",
                "value": "0x006d0034",
                "pretty_value": "IOCTL_MOUNTMGR_QUERY_DOS_VOLUME_PATHS"
              },
              {
                "name": "InBuffer",
                "value": "`\\x00\\\\x00?\\x00?\\x00\\\\x00V\\x00o\\x00l\\x00u\\x00m\\x00e\\x00{\\x005\\x002\\x008\\x00c\\x001\\x000\\x002\\x00f\\x00-\\x000\\x000\\x000\\x000\\x00-\\x000\\x000\\x000\\x000\\x00-\\x000\\x000\\x000\\x000\\x00-\\x003\\x000\\x000\\x003\\x000\\x000\\x000\\x000\\x000\\x000\\x000\\x000\\x00}\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutBuffer",
                "value": "\\x08\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 4142
          },
          {
            "timestamp": "2026-05-28 22:02:14,244",
            "thread_id": "11128",
            "caller": "0x7ffc756ff6dd",
            "parentcaller": "0x7ffc738f626d",
            "category": "device",
            "api": "DeviceIoControl",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "DeviceHandle",
                "value": "0x000005cc"
              },
              {
                "name": "IoControlCode",
                "value": "0x006d0034",
                "pretty_value": "IOCTL_MOUNTMGR_QUERY_DOS_VOLUME_PATHS"
              },
              {
                "name": "InBuffer",
                "value": "`\\x00\\\\x00?\\x00?\\x00\\\\x00V\\x00o\\x00l\\x00u\\x00m\\x00e\\x00{\\x005\\x002\\x008\\x00c\\x001\\x000\\x002\\x00f\\x00-\\x000\\x000\\x000\\x000\\x00-\\x000\\x000\\x000\\x000\\x00-\\x000\\x000\\x000\\x000\\x00-\\x003\\x000\\x000\\x003\\x000\\x000\\x000\\x000\\x000\\x000\\x000\\x000\\x00}\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutBuffer",
                "value": "\\x08\\x00\\x00\\x00C\\x00:\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 4143
          },
          {
            "timestamp": "2026-05-28 22:02:14,244",
            "thread_id": "11128",
            "caller": "0x7ffc756e6785",
            "parentcaller": "0x7ffc756ff55e",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005cc"
              }
            ],
            "repeated": 0,
            "id": 4144
          },
          {
            "timestamp": "2026-05-28 22:02:14,244",
            "thread_id": "11128",
            "caller": "0x7ffc7572026b",
            "parentcaller": "0x7ffc7384956d",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x000005cc"
              }
            ],
            "repeated": 0,
            "id": 4145
          },
          {
            "timestamp": "2026-05-28 22:02:14,244",
            "thread_id": "11128",
            "caller": "0x7ffc756e54eb",
            "parentcaller": "0x7ffc7384a4ff",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "25"
              },
              {
                "name": "TokenInformation",
                "value": " CJe\\xa3\\x02\\x00\\x00`\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x10\\x000\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 4146
          },
          {
            "timestamp": "2026-05-28 22:02:14,244",
            "thread_id": "11128",
            "caller": "0x7ffc756e6785",
            "parentcaller": "0x7ffc73849591",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005cc"
              }
            ],
            "repeated": 0,
            "id": 4147
          },
          {
            "timestamp": "2026-05-28 22:02:14,244",
            "thread_id": "11128",
            "caller": "0x7ffc756e6579",
            "parentcaller": "0x7ffc756e5fe6",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000005cc"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100080",
                "pretty_value": "FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "\\??\\MountPointManager"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "3",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000080",
                "pretty_value": "FILE_ATTRIBUTE_NORMAL"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 4148
          },
          {
            "timestamp": "2026-05-28 22:02:14,244",
            "thread_id": "11128",
            "caller": "0x7ffc756ff54e",
            "parentcaller": "0x7ffc738f620d",
            "category": "device",
            "api": "DeviceIoControl",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "DeviceHandle",
                "value": "0x000005cc"
              },
              {
                "name": "IoControlCode",
                "value": "0x006d0034",
                "pretty_value": "IOCTL_MOUNTMGR_QUERY_DOS_VOLUME_PATHS"
              },
              {
                "name": "InBuffer",
                "value": "`\\x00\\\\x00?\\x00?\\x00\\\\x00V\\x00o\\x00l\\x00u\\x00m\\x00e\\x00{\\x005\\x002\\x008\\x00c\\x001\\x000\\x002\\x00f\\x00-\\x000\\x000\\x000\\x000\\x00-\\x000\\x000\\x000\\x000\\x00-\\x000\\x000\\x000\\x000\\x00-\\x00c\\x000\\x00d\\x00d\\x000\\x00e\\x000\\x000\\x000\\x000\\x000\\x000\\x00}\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutBuffer",
                "value": "\\x02\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 4149
          },
          {
            "timestamp": "2026-05-28 22:02:14,244",
            "thread_id": "11128",
            "caller": "0x7ffc756e6785",
            "parentcaller": "0x7ffc756ff55e",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005cc"
              }
            ],
            "repeated": 0,
            "id": 4150
          },
          {
            "timestamp": "2026-05-28 22:02:14,244",
            "thread_id": "11128",
            "caller": "0x7ffc756e6579",
            "parentcaller": "0x7ffc756e5fe6",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000005cc"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100080",
                "pretty_value": "FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "\\??\\MountPointManager"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "3",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000080",
                "pretty_value": "FILE_ATTRIBUTE_NORMAL"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 4151
          },
          {
            "timestamp": "2026-05-28 22:02:14,244",
            "thread_id": "11128",
            "caller": "0x7ffc756ff54e",
            "parentcaller": "0x7ffc738f626d",
            "category": "device",
            "api": "DeviceIoControl",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "DeviceHandle",
                "value": "0x000005cc"
              },
              {
                "name": "IoControlCode",
                "value": "0x006d0034",
                "pretty_value": "IOCTL_MOUNTMGR_QUERY_DOS_VOLUME_PATHS"
              },
              {
                "name": "InBuffer",
                "value": "`\\x00\\\\x00?\\x00?\\x00\\\\x00V\\x00o\\x00l\\x00u\\x00m\\x00e\\x00{\\x005\\x002\\x008\\x00c\\x001\\x000\\x002\\x00f\\x00-\\x000\\x000\\x000\\x000\\x00-\\x000\\x000\\x000\\x000\\x00-\\x000\\x000\\x000\\x000\\x00-\\x00c\\x000\\x00d\\x00d\\x000\\x00e\\x000\\x000\\x000\\x000\\x000\\x000\\x00}\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutBuffer",
                "value": "\\x02\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 4152
          },
          {
            "timestamp": "2026-05-28 22:02:14,244",
            "thread_id": "11128",
            "caller": "0x7ffc756e6785",
            "parentcaller": "0x7ffc756ff55e",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005cc"
              }
            ],
            "repeated": 0,
            "id": 4153
          },
          {
            "timestamp": "2026-05-28 22:02:14,244",
            "thread_id": "11128",
            "caller": "0x7ffc756e6579",
            "parentcaller": "0x7ffc756e5fe6",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000005cc"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100080",
                "pretty_value": "FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "\\??\\MountPointManager"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "3",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000080",
                "pretty_value": "FILE_ATTRIBUTE_NORMAL"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 4154
          },
          {
            "timestamp": "2026-05-28 22:02:14,244",
            "thread_id": "11128",
            "caller": "0x7ffc756ff54e",
            "parentcaller": "0x7ffc738f620d",
            "category": "device",
            "api": "DeviceIoControl",
            "status": false,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "DeviceHandle",
                "value": "0x000005cc"
              },
              {
                "name": "IoControlCode",
                "value": "0x006d0034",
                "pretty_value": "IOCTL_MOUNTMGR_QUERY_DOS_VOLUME_PATHS"
              },
              {
                "name": "InBuffer",
                "value": "`\\x00\\\\x00?\\x00?\\x00\\\\x00V\\x00o\\x00l\\x00u\\x00m\\x00e\\x00{\\x00e\\x003\\x002\\x00a\\x009\\x004\\x00c\\x000\\x00-\\x005\\x00a\\x00f\\x002\\x00-\\x001\\x001\\x00f\\x001\\x00-\\x00a\\x00e\\x002\\x00c\\x00-\\x008\\x000\\x006\\x00e\\x006\\x00f\\x006\\x00e\\x006\\x009\\x006\\x003\\x00}\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutBuffer",
                "value": "\\x08\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 4155
          },
          {
            "timestamp": "2026-05-28 22:02:14,244",
            "thread_id": "11128",
            "caller": "0x7ffc756ff6dd",
            "parentcaller": "0x7ffc738f620d",
            "category": "device",
            "api": "DeviceIoControl",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "DeviceHandle",
                "value": "0x000005cc"
              },
              {
                "name": "IoControlCode",
                "value": "0x006d0034",
                "pretty_value": "IOCTL_MOUNTMGR_QUERY_DOS_VOLUME_PATHS"
              },
              {
                "name": "InBuffer",
                "value": "`\\x00\\\\x00?\\x00?\\x00\\\\x00V\\x00o\\x00l\\x00u\\x00m\\x00e\\x00{\\x00e\\x003\\x002\\x00a\\x009\\x004\\x00c\\x000\\x00-\\x005\\x00a\\x00f\\x002\\x00-\\x001\\x001\\x00f\\x001\\x00-\\x00a\\x00e\\x002\\x00c\\x00-\\x008\\x000\\x006\\x00e\\x006\\x00f\\x006\\x00e\\x006\\x009\\x006\\x003\\x00}\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutBuffer",
                "value": "\\x08\\x00\\x00\\x00D\\x00:\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 4156
          },
          {
            "timestamp": "2026-05-28 22:02:14,244",
            "thread_id": "11128",
            "caller": "0x7ffc756e6785",
            "parentcaller": "0x7ffc756ff55e",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005cc"
              }
            ],
            "repeated": 0,
            "id": 4157
          },
          {
            "timestamp": "2026-05-28 22:02:14,244",
            "thread_id": "11128",
            "caller": "0x7ffc756e6579",
            "parentcaller": "0x7ffc756e5fe6",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000005cc"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100080",
                "pretty_value": "FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "\\??\\MountPointManager"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "3",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000080",
                "pretty_value": "FILE_ATTRIBUTE_NORMAL"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 4158
          },
          {
            "timestamp": "2026-05-28 22:02:14,244",
            "thread_id": "11128",
            "caller": "0x7ffc756ff54e",
            "parentcaller": "0x7ffc738f626d",
            "category": "device",
            "api": "DeviceIoControl",
            "status": false,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "DeviceHandle",
                "value": "0x000005cc"
              },
              {
                "name": "IoControlCode",
                "value": "0x006d0034",
                "pretty_value": "IOCTL_MOUNTMGR_QUERY_DOS_VOLUME_PATHS"
              },
              {
                "name": "InBuffer",
                "value": "`\\x00\\\\x00?\\x00?\\x00\\\\x00V\\x00o\\x00l\\x00u\\x00m\\x00e\\x00{\\x00e\\x003\\x002\\x00a\\x009\\x004\\x00c\\x000\\x00-\\x005\\x00a\\x00f\\x002\\x00-\\x001\\x001\\x00f\\x001\\x00-\\x00a\\x00e\\x002\\x00c\\x00-\\x008\\x000\\x006\\x00e\\x006\\x00f\\x006\\x00e\\x006\\x009\\x006\\x003\\x00}\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutBuffer",
                "value": "\\x08\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 4159
          },
          {
            "timestamp": "2026-05-28 22:02:14,244",
            "thread_id": "11128",
            "caller": "0x7ffc756ff6dd",
            "parentcaller": "0x7ffc738f626d",
            "category": "device",
            "api": "DeviceIoControl",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "DeviceHandle",
                "value": "0x000005cc"
              },
              {
                "name": "IoControlCode",
                "value": "0x006d0034",
                "pretty_value": "IOCTL_MOUNTMGR_QUERY_DOS_VOLUME_PATHS"
              },
              {
                "name": "InBuffer",
                "value": "`\\x00\\\\x00?\\x00?\\x00\\\\x00V\\x00o\\x00l\\x00u\\x00m\\x00e\\x00{\\x00e\\x003\\x002\\x00a\\x009\\x004\\x00c\\x000\\x00-\\x005\\x00a\\x00f\\x002\\x00-\\x001\\x001\\x00f\\x001\\x00-\\x00a\\x00e\\x002\\x00c\\x00-\\x008\\x000\\x006\\x00e\\x006\\x00f\\x006\\x00e\\x006\\x009\\x006\\x003\\x00}\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutBuffer",
                "value": "\\x08\\x00\\x00\\x00D\\x00:\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 4160
          },
          {
            "timestamp": "2026-05-28 22:02:14,244",
            "thread_id": "11128",
            "caller": "0x7ffc756e6785",
            "parentcaller": "0x7ffc756ff55e",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005cc"
              }
            ],
            "repeated": 0,
            "id": 4161
          },
          {
            "timestamp": "2026-05-28 22:02:14,244",
            "thread_id": "11128",
            "caller": "0x7ffc7572026b",
            "parentcaller": "0x7ffc7384956d",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x000005cc"
              }
            ],
            "repeated": 0,
            "id": 4162
          },
          {
            "timestamp": "2026-05-28 22:02:14,244",
            "thread_id": "11128",
            "caller": "0x7ffc756e54eb",
            "parentcaller": "0x7ffc7384a4ff",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "25"
              },
              {
                "name": "TokenInformation",
                "value": " CJe\\xa3\\x02\\x00\\x00`\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x10\\x000\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 4163
          },
          {
            "timestamp": "2026-05-28 22:02:14,244",
            "thread_id": "11128",
            "caller": "0x7ffc756e6785",
            "parentcaller": "0x7ffc73849591",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005cc"
              }
            ],
            "repeated": 0,
            "id": 4164
          },
          {
            "timestamp": "2026-05-28 22:02:14,244",
            "thread_id": "11124",
            "caller": "0x7ffc756e6785",
            "parentcaller": "0x7ffc7391286f",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005d0"
              }
            ],
            "repeated": 0,
            "id": 4165
          },
          {
            "timestamp": "2026-05-28 22:02:14,244",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "00000323-0000-0000-C000-000000000046"
              },
              {
                "name": "ClsContext",
                "value": "0x00000001",
                "pretty_value": "CLSCTX_INPROC_SERVER"
              },
              {
                "name": "riid",
                "value": "00000146-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 4166
          },
          {
            "timestamp": "2026-05-28 22:02:14,244",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\SyncRootManager"
              },
              {
                "name": "Handle",
                "value": "0x000005b8"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\SyncRootManager"
              }
            ],
            "repeated": 0,
            "id": 4167
          },
          {
            "timestamp": "2026-05-28 22:02:14,244",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegQueryInfoKeyW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000005b8"
              },
              {
                "name": "Class",
                "value": ""
              },
              {
                "name": "SubKeyCount",
                "value": "0"
              },
              {
                "name": "MaxSubKeyLength",
                "value": "0"
              },
              {
                "name": "MaxClassLength",
                "value": "0"
              },
              {
                "name": "ValueCount",
                "value": "0"
              },
              {
                "name": "MaxValueNameLength",
                "value": "0"
              },
              {
                "name": "MaxValueLength",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 4168
          },
          {
            "timestamp": "2026-05-28 22:02:14,244",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b8"
              }
            ],
            "repeated": 0,
            "id": 4169
          },
          {
            "timestamp": "2026-05-28 22:02:14,244",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\windows.storage.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc73790000"
              }
            ],
            "repeated": 0,
            "id": 4170
          },
          {
            "timestamp": "2026-05-28 22:02:14,244",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "com",
            "api": "CoCreateInstanceEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "9AC9FBE1-E0A2-4AD6-B4EE-E212013EA917"
              },
              {
                "name": "ClsContext",
                "value": "0x00000403",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER|CLSCTX_NO_CODE_DOWNLOAD"
              },
              {
                "name": "ServerName",
                "value": ""
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 1,
            "id": 4171
          },
          {
            "timestamp": "2026-05-28 22:02:14,244",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x3edc00121000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 4172
          },
          {
            "timestamp": "2026-05-28 22:02:14,244",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "filesystem",
            "api": "FindFirstFileExW",
            "status": false,
            "return": "0xffffffffffffffff",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Users\\admin\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge.Stable_8wekyb3d8bbwe\\LocalState\\ToastCollectionIcons\\*"
              }
            ],
            "repeated": 0,
            "id": 4173
          },
          {
            "timestamp": "2026-05-28 22:02:14,244",
            "thread_id": "11136",
            "caller": "0x7ffc756e6785",
            "parentcaller": "0x7ffc77c12ec5",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000500"
              }
            ],
            "repeated": 0,
            "id": 4174
          },
          {
            "timestamp": "2026-05-28 22:02:14,244",
            "thread_id": "11132",
            "caller": "0x7ffc756e6785",
            "parentcaller": "0x7ffc77c12ec5",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000047c"
              }
            ],
            "repeated": 0,
            "id": 4175
          },
          {
            "timestamp": "2026-05-28 22:02:14,244",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "api-ms-win-downlevel-shell32-l1-1-0.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc775b0000"
              }
            ],
            "repeated": 0,
            "id": 4176
          },
          {
            "timestamp": "2026-05-28 22:02:14,244",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x7ffc775b0000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "api-ms-win-downlevel-shell32-l1-1-0.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00000800"
              }
            ],
            "repeated": 0,
            "id": 4177
          },
          {
            "timestamp": "2026-05-28 22:02:14,244",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "shcore.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc775b0000"
              },
              {
                "name": "FunctionName",
                "value": "CommandLineToArgvW"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc775ceb30"
              }
            ],
            "repeated": 0,
            "id": 4178
          },
          {
            "timestamp": "2026-05-28 22:02:14,244",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000047c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020119",
                "pretty_value": "KEY_QUERY_VALUE|KEY_ENUMERATE_SUB_KEYS|KEY_NOTIFY|KEY_WOW64_64KEY|STANDARD_RIGHTS_REQUIRED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000378"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Windows.ApplicationModel.LimitedAccessFeatures"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.ApplicationModel.LimitedAccessFeatures"
              }
            ],
            "repeated": 0,
            "id": 4179
          },
          {
            "timestamp": "2026-05-28 22:02:14,244",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000047c"
              },
              {
                "name": "KeyInformation",
                "value": "\\xff97\\xfffc\\xffe7\\xffe6\\xfff8\\xffee\\xffdc\\x01\\x00\\x00\\x00\\x00\\\\x00\\x00\\x00W\\x00i\\x00n\\x00d\\x00o\\x00w\\x00s\\x00.\\x00A\\x00p\\x00p\\x00l\\x00i\\x00c\\x00a\\x00t\\x00i\\x00o\\x00n\\x00M\\x00o\\x00d\\x00e\\x00l\\x00.\\x00L\\x00i\\x00m\\x00i\\x00t\\x00e\\x00d\\x00A\\x00c\\x00c\\x00e\\x00s\\x00s\\x00F\\x00e\\x00a\\x00t\\x00u\\x00r\\x00e\\x00s\\x00\\xffb8\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\x00 \\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xffb0E\\xffe7w\\xfffc\\x7f\\x00\\x00x\\xffb8He\\xffa3\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\xffc5\\xff92\\xfff7\\xffb8\\x00\\x00\\x00\\xff8c\\xffc2\\xffffw\\xfffc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\xffa3\\x02\\x00\\x00P\\xffb2He\\xffa3\\x02\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xffa3\\x02\\x00\\x00\\xffce\\xffba>$\\xffbd\\xffaa\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\xffd7Ke\\xffa3\\x02\\x00\\x00x\\xffb8He\\xffa3\\x02\\x00\\x00P\\xffb8He\\xffa3\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xff87\\xff9d\\xffbbw\\xfffc\\x7f\\x00\\x00P\\xffb2He\\xffa3\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00P\\xffb8He\\xffa3\\x02\\x00\\x00P\\xffb2He\\xffa3\\x02\\x00\\x00\\x10\\xffd7Ke\\xffa3\\x02\\x00\\x00\\xffd0\\xffe7Ke\\xffa3\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xfff6s\\xffbbw\\xfffc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x07\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xff80\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\xffd7Ke\\xffa3\\x02\\x00\\x00\\xffc00Le\\xffa3\\x02\\x00\\x00\\xffc00Le\\xffa3\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00P\\xffb2He\\xffa3\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00
\\x00\\x00\\x00\\xffc00Le\\xffa3\\x02\\x00\\x00\\xff8c\\xffc2\\xffffw\\xfffc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\xffa3\\x02\\x00\\x00P\\xffb2He\\xffa3\\x02\\x00\\x00\\xffd0\\xffe7Ke\\xffa3\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\xffc6\\xff92\\xfff7\\xffb8\\x00\\x00\\x003\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xffb0;Le\\xffa3\\x02\\x00\\x00P\\xffb8He\\xffa3\\x02\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 4180
          },
          {
            "timestamp": "2026-05-28 22:02:14,244",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000047c"
              },
              {
                "name": "ValueName",
                "value": "ActivationType"
              },
              {
                "name": "Data",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.ApplicationModel.LimitedAccessFeatures\\ActivationType"
              }
            ],
            "repeated": 0,
            "id": 4181
          },
          {
            "timestamp": "2026-05-28 22:02:14,244",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000047c"
              },
              {
                "name": "ValueName",
                "value": "Server"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.ApplicationModel.LimitedAccessFeatures\\Server"
              }
            ],
            "repeated": 0,
            "id": 4182
          },
          {
            "timestamp": "2026-05-28 22:02:14,244",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000047c"
              },
              {
                "name": "ValueName",
                "value": "DllPath"
              },
              {
                "name": "Data",
                "value": "C:\\Windows\\System32\\Windows.ApplicationModel.dll"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.ApplicationModel.LimitedAccessFeatures\\DllPath"
              }
            ],
            "repeated": 0,
            "id": 4183
          },
          {
            "timestamp": "2026-05-28 22:02:14,244",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000047c"
              },
              {
                "name": "ValueName",
                "value": "Threading"
              },
              {
                "name": "Data",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.ApplicationModel.LimitedAccessFeatures\\Threading"
              }
            ],
            "repeated": 0,
            "id": 4184
          },
          {
            "timestamp": "2026-05-28 22:02:14,244",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000047c"
              },
              {
                "name": "ValueName",
                "value": "TrustLevel"
              },
              {
                "name": "Data",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.ApplicationModel.LimitedAccessFeatures\\TrustLevel"
              }
            ],
            "repeated": 0,
            "id": 4185
          },
          {
            "timestamp": "2026-05-28 22:02:14,244",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x0000047c"
              },
              {
                "name": "SubKey",
                "value": "CustomAttributes"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.ApplicationModel.LimitedAccessFeatures\\CustomAttributes"
              }
            ],
            "repeated": 0,
            "id": 4186
          },
          {
            "timestamp": "2026-05-28 22:02:14,244",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000047c"
              },
              {
                "name": "ValueName",
                "value": "RemoteServer"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.ApplicationModel.LimitedAccessFeatures\\RemoteServer"
              }
            ],
            "repeated": 0,
            "id": 4187
          },
          {
            "timestamp": "2026-05-28 22:02:14,244",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000047c"
              },
              {
                "name": "ValueName",
                "value": "ActivateAsUser"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.ApplicationModel.LimitedAccessFeatures\\ActivateAsUser"
              }
            ],
            "repeated": 0,
            "id": 4188
          },
          {
            "timestamp": "2026-05-28 22:02:14,244",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000047c"
              },
              {
                "name": "ValueName",
                "value": "ActivateInSharedBroker"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.ApplicationModel.LimitedAccessFeatures\\ActivateInSharedBroker"
              }
            ],
            "repeated": 0,
            "id": 4189
          },
          {
            "timestamp": "2026-05-28 22:02:14,244",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000047c"
              },
              {
                "name": "ValueName",
                "value": "ActivateInBrokerForMediumILContainer"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.ApplicationModel.LimitedAccessFeatures\\ActivateInBrokerForMediumILContainer"
              }
            ],
            "repeated": 0,
            "id": 4190
          },
          {
            "timestamp": "2026-05-28 22:02:14,244",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000047c"
              },
              {
                "name": "ValueName",
                "value": "Permissions"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.ApplicationModel.LimitedAccessFeatures\\Permissions"
              }
            ],
            "repeated": 0,
            "id": 4191
          },
          {
            "timestamp": "2026-05-28 22:02:14,244",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000047c"
              },
              {
                "name": "ValueName",
                "value": "ActivateOnHostFlags"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.ApplicationModel.LimitedAccessFeatures\\ActivateOnHostFlags"
              }
            ],
            "repeated": 0,
            "id": 4192
          },
          {
            "timestamp": "2026-05-28 22:02:14,244",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000047c"
              }
            ],
            "repeated": 0,
            "id": 4193
          },
          {
            "timestamp": "2026-05-28 22:02:14,244",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\System32\\Windows.ApplicationModel"
              },
              {
                "name": "DllBase",
                "value": "0x7ffc63700000"
              }
            ],
            "repeated": 0,
            "id": 4194
          },
          {
            "timestamp": "2026-05-28 22:02:14,244",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\Windows.ApplicationModel.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc63700000"
              }
            ],
            "repeated": 0,
            "id": 4195
          },
          {
            "timestamp": "2026-05-28 22:02:14,244",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x7ffc63700000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\System32\\Windows.ApplicationModel.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00002008"
              }
            ],
            "repeated": 0,
            "id": 4196
          },
          {
            "timestamp": "2026-05-28 22:02:14,244",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "Windows.ApplicationModel.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc63700000"
              },
              {
                "name": "FunctionName",
                "value": "DllGetClassObject"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc6370fa40"
              }
            ],
            "repeated": 0,
            "id": 4197
          },
          {
            "timestamp": "2026-05-28 22:02:14,244",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "Windows.ApplicationModel.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc63700000"
              },
              {
                "name": "FunctionName",
                "value": "DllGetActivationFactory"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc6370e870"
              }
            ],
            "repeated": 0,
            "id": 4198
          },
          {
            "timestamp": "2026-05-28 22:02:14,244",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "Windows.ApplicationModel.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc63700000"
              },
              {
                "name": "FunctionName",
                "value": "DllCanUnloadNow"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc6370f430"
              }
            ],
            "repeated": 0,
            "id": 4199
          },
          {
            "timestamp": "2026-05-28 22:02:14,244",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc637df000"
              },
              {
                "name": "ModuleName",
                "value": "Windows.ApplicationModel.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 4200
          },
          {
            "timestamp": "2026-05-28 22:02:14,244",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc637df000"
              },
              {
                "name": "ModuleName",
                "value": "Windows.ApplicationModel.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 4201
          },
          {
            "timestamp": "2026-05-28 22:02:14,244",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc637df000"
              },
              {
                "name": "ModuleName",
                "value": "Windows.ApplicationModel.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 4202
          },
          {
            "timestamp": "2026-05-28 22:02:14,244",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc637df000"
              },
              {
                "name": "ModuleName",
                "value": "Windows.ApplicationModel.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 4203
          },
          {
            "timestamp": "2026-05-28 22:02:14,244",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "NtOpenKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\en-US"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\en-US"
              }
            ],
            "repeated": 0,
            "id": 4204
          },
          {
            "timestamp": "2026-05-28 22:02:14,244",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x0000047c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100001",
                "pretty_value": "FILE_READ_ACCESS|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\en-US\\KERNELBASE.dll.mui"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 4205
          },
          {
            "timestamp": "2026-05-28 22:02:14,244",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x000005d0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x0000047c"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\en-US\\KernelBase.dll.mui"
              }
            ],
            "repeated": 0,
            "id": 4206
          },
          {
            "timestamp": "2026-05-28 22:02:14,244",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x000005d0"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2a36e1e0000"
              },
              {
                "name": "SectionOffset",
                "value": "0xb8f792a960"
              },
              {
                "name": "ViewSize",
                "value": "0x00140000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 4207
          },
          {
            "timestamp": "2026-05-28 22:02:14,244",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005d0"
              }
            ],
            "repeated": 0,
            "id": 4208
          },
          {
            "timestamp": "2026-05-28 22:02:14,244",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc77ea1000"
              },
              {
                "name": "ModuleName",
                "value": "combase.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 4209
          },
          {
            "timestamp": "2026-05-28 22:02:14,244",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc77ea1000"
              },
              {
                "name": "ModuleName",
                "value": "combase.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 4210
          },
          {
            "timestamp": "2026-05-28 22:02:14,260",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000001b0"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\KsecDD"
              },
              {
                "name": "IoControlCode",
                "value": "0x00390400"
              },
              {
                "name": "InputBuffer",
                "value": "M<+\\x1a\\x00\\x00\\x02\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x00\\xfc\\x7f\\x00\\x000\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x01\\x00\\x00\\x00\\x02\\x00\\x00\\x00M\\x00D\\x005\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": "\\x01\\x00\\x00\\x00\\x00\\x00\\x02\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x18\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00P\\x00\\x00\\x00\\x00\\x00\\x00\\x00X\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x005\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x98\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xffM\\x00D\\x005\\x00\\x00\\x00M\\x00i\\x00c\\x00r\\x00o\\x00s\\x00o\\x00f\\x00t\\x00 \\x00P\\x00r\\x00i\\x00m\\x00i\\x00t\\x00i\\x00v\\x00e\\x00 \\x00P\\x00r\\x00o\\x00v\\x00i\\x00d\\x00e\\x00r\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xa8\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00b\\x00c\\x00r\\x00y\\x00p\\x00t\\x00p\\x00r\\x00i\\x00m\\x00i\\x00t\\x00i\\x00v\\x00e\\x00s\\x00.\\x00d\\x00l\\x00l\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 4211
          },
          {
            "timestamp": "2026-05-28 22:02:14,260",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\bcryptprimitives.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc75fa0000"
              }
            ],
            "repeated": 0,
            "id": 4212
          },
          {
            "timestamp": "2026-05-28 22:02:14,260",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x7ffc75fa0000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\system32\\bcryptprimitives.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 4213
          },
          {
            "timestamp": "2026-05-28 22:02:14,260",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "bcryptprimitives.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc75fa0000"
              },
              {
                "name": "FunctionName",
                "value": "GetHashInterface"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc75fb4460"
              }
            ],
            "repeated": 0,
            "id": 4214
          },
          {
            "timestamp": "2026-05-28 22:02:14,260",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "31"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x008\\xb9\\x92\\xf7\\xb8\\x00\\x00\\x008\\xb9\\x92\\xf7\\xb8\\x00\\x00\\x00\\xd0\\xb0He\\xa3\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x08\\x00\\x00\\xb8\\x00\\x00\\x00\\xb1&\\x05\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x94\\x1e\\xfc\\x7f\\x00\\x00x\\x97Ie\\xa3\\x02\\x00\\x00`\\xbf\\x92\\xf7"
              }
            ],
            "repeated": 0,
            "id": 4215
          },
          {
            "timestamp": "2026-05-28 22:02:14,260",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc77fd0000"
              }
            ],
            "repeated": 0,
            "id": 4216
          },
          {
            "timestamp": "2026-05-28 22:02:14,260",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc77fd0000"
              },
              {
                "name": "FunctionName",
                "value": "RtlRegisterFeatureConfigurationChangeNotification"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc77fd93b0"
              }
            ],
            "repeated": 0,
            "id": 4217
          },
          {
            "timestamp": "2026-05-28 22:02:14,260",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc77fd0000"
              },
              {
                "name": "FunctionName",
                "value": "NtQueryWnfStateData"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc7806fc40"
              }
            ],
            "repeated": 0,
            "id": 4218
          },
          {
            "timestamp": "2026-05-28 22:02:14,260",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc77fd0000"
              },
              {
                "name": "FunctionName",
                "value": "RtlSubscribeWnfStateChangeNotification"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc78012460"
              }
            ],
            "repeated": 0,
            "id": 4219
          },
          {
            "timestamp": "2026-05-28 22:02:14,260",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc77fd0000"
              },
              {
                "name": "FunctionName",
                "value": "RtlDisownModuleHeapAllocation"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc7804fa30"
              }
            ],
            "repeated": 0,
            "id": 4220
          },
          {
            "timestamp": "2026-05-28 22:02:14,260",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc77fd0000"
              },
              {
                "name": "FunctionName",
                "value": "RtlQueryFeatureConfiguration"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc7802cbd0"
              }
            ],
            "repeated": 0,
            "id": 4221
          },
          {
            "timestamp": "2026-05-28 22:02:14,260",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc77fd0000"
              },
              {
                "name": "FunctionName",
                "value": "RtlDllShutdownInProgress"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc78033410"
              }
            ],
            "repeated": 0,
            "id": 4222
          },
          {
            "timestamp": "2026-05-28 22:02:14,260",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "synchronization",
            "api": "NtCreateMutant",
            "status": true,
            "return": "0x40000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005d0"
              },
              {
                "name": "MutexName",
                "value": "Local\\SM0:10720:304:WilStaging_02"
              },
              {
                "name": "InitialOwner",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 4223
          },
          {
            "timestamp": "2026-05-28 22:02:14,260",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005d0"
              },
              {
                "name": "Milliseconds",
                "value": "18446744073709551615"
              },
              {
                "name": "Status",
                "value": "Infinite"
              }
            ],
            "repeated": 0,
            "id": 4224
          },
          {
            "timestamp": "2026-05-28 22:02:14,260",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 4225
          },
          {
            "timestamp": "2026-05-28 22:02:14,260",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005cc"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 4226
          },
          {
            "timestamp": "2026-05-28 22:02:14,260",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 4227
          },
          {
            "timestamp": "2026-05-28 22:02:14,260",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005c0"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 4228
          },
          {
            "timestamp": "2026-05-28 22:02:14,260",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005c0"
              }
            ],
            "repeated": 0,
            "id": 4229
          },
          {
            "timestamp": "2026-05-28 22:02:14,260",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005cc"
              }
            ],
            "repeated": 0,
            "id": 4230
          },
          {
            "timestamp": "2026-05-28 22:02:14,260",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "synchronization",
            "api": "NtReleaseMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005d0"
              }
            ],
            "repeated": 0,
            "id": 4231
          },
          {
            "timestamp": "2026-05-28 22:02:14,260",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005d0"
              }
            ],
            "repeated": 0,
            "id": 4232
          },
          {
            "timestamp": "2026-05-28 22:02:14,260",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\LimitedAccessFeatures"
              },
              {
                "name": "Handle",
                "value": "0x000005c0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\LimitedAccessFeatures"
              }
            ],
            "repeated": 0,
            "id": 4233
          },
          {
            "timestamp": "2026-05-28 22:02:14,260",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x000005c0"
              },
              {
                "name": "SubKey",
                "value": "com.microsoft.windows.taskbar.requestPinSecondaryTile"
              },
              {
                "name": "Handle",
                "value": "0x000005c8"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\LimitedAccessFeatures\\com.microsoft.windows.taskbar.requestPinSecondaryTile"
              }
            ],
            "repeated": 0,
            "id": 4234
          },
          {
            "timestamp": "2026-05-28 22:02:14,260",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005c0"
              }
            ],
            "repeated": 0,
            "id": 4235
          },
          {
            "timestamp": "2026-05-28 22:02:14,260",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005c8"
              },
              {
                "name": "ValueName",
                "value": ""
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\LimitedAccessFeatures\\com.microsoft.windows.taskbar.requestPinSecondaryTile\\(Default)"
              }
            ],
            "repeated": 0,
            "id": 4236
          },
          {
            "timestamp": "2026-05-28 22:02:14,260",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005c8"
              },
              {
                "name": "ValueName",
                "value": ""
              },
              {
                "name": "Data",
                "value": "04c19204-10d9-450a-95c4-2910c8f72be3"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\LimitedAccessFeatures\\com.microsoft.windows.taskbar.requestPinSecondaryTile\\(Default)"
              }
            ],
            "repeated": 0,
            "id": 4237
          },
          {
            "timestamp": "2026-05-28 22:02:14,260",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc637df000"
              },
              {
                "name": "ModuleName",
                "value": "Windows.ApplicationModel.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 4238
          },
          {
            "timestamp": "2026-05-28 22:02:14,260",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc637df000"
              },
              {
                "name": "ModuleName",
                "value": "Windows.ApplicationModel.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 4239
          },
          {
            "timestamp": "2026-05-28 22:02:14,260",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc637df000"
              },
              {
                "name": "ModuleName",
                "value": "Windows.ApplicationModel.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 4240
          },
          {
            "timestamp": "2026-05-28 22:02:14,260",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc637df000"
              },
              {
                "name": "ModuleName",
                "value": "Windows.ApplicationModel.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 4241
          },
          {
            "timestamp": "2026-05-28 22:02:14,260",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000005c0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020119",
                "pretty_value": "KEY_QUERY_VALUE|KEY_ENUMERATE_SUB_KEYS|KEY_NOTIFY|KEY_WOW64_64KEY|STANDARD_RIGHTS_REQUIRED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000378"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Windows.Security.Cryptography.CryptographicBuffer"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Security.Cryptography.CryptographicBuffer"
              }
            ],
            "repeated": 0,
            "id": 4242
          },
          {
            "timestamp": "2026-05-28 22:02:14,260",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000005c0"
              },
              {
                "name": "KeyInformation",
                "value": "7_\\xffea\\xffe6\\xfff8\\xffee\\xffdc\\x01\\x00\\x00\\x00\\x00b\\x00\\x00\\x00W\\x00i\\x00n\\x00d\\x00o\\x00w\\x00s\\x00.\\x00S\\x00e\\x00c\\x00u\\x00r\\x00i\\x00t\\x00y\\x00.\\x00C\\x00r\\x00y\\x00p\\x00t\\x00o\\x00g\\x00r\\x00a\\x00p\\x00h\\x00y\\x00.\\x00C\\x00r\\x00y\\x00p\\x00t\\x00o\\x00g\\x00r\\x00a\\x00p\\x00h\\x00i\\x00c\\x00B\\x00u\\x00f\\x00f\\x00e\\x00r\\x00\\x00\\x00\\x00\\x00\\x00\\x006\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xffb0E\\xffe7w\\xfffc\\x7f\\x00\\x00\\xfff8\\xffbdHe\\xffa3\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xffd0\\xffbf\\xff92\\xfff7\\xffb8\\x00\\x00\\x00\\xff8c\\xffc2\\xffffw\\xfffc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\xffa3\\x02\\x00\\x00P\\xff89Ke\\xffa3\\x02\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xffa3\\x02\\x00\\x00\\x0e\\xffc5>$\\xffbd\\xffaa\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00P\\xffd6Ke\\xffa3\\x02\\x00\\x00\\xfff8\\xffbdHe\\xffa3\\x02\\x00\\x00\\xffd0\\xffbdHe\\xffa3\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xff87\\xff9d\\xffbbw\\xfffc\\x7f\\x00\\x00P\\xff89Ke\\xffa3\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xffd0\\xffbdHe\\xffa3\\x02\\x00\\x00P\\xff89Ke\\xffa3\\x02\\x00\\x00P\\xffd6Ke\\xffa3\\x02\\x00\\x00\\xffe0\\xffe6Ke\\xffa3\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xfff6s\\xffbbw\\xfffc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x07\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xff80\\x00\\x00\\x00\\x00\\x00\\x00\\x00P\\xffd6Ke\\xffa3\\x02\\x00\\x0008Le\\xffa3\\x02\\x00\\x0008Le\\xffa3\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00P\\xff89Ke\\xffa3\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x0008Le\\xffa3\
\x02\\x00\\x00\\xff8c\\xffc2\\xffffw\\xfffc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\xffa3\\x02\\x00\\x00P\\xff89Ke\\xffa3\\x02\\x00\\x00\\xffe0\\xffe6Ke\\xffa3\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xffd0\\xffc0\\xff92\\xfff7\\xffb8\\x00\\x00\\x003\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xffc07Le\\xffa3\\x02\\x00\\x00\\xffd0\\xffbdHe\\xffa3\\x02\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 4243
          },
          {
            "timestamp": "2026-05-28 22:02:14,260",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005c0"
              },
              {
                "name": "ValueName",
                "value": "ActivationType"
              },
              {
                "name": "Data",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Security.Cryptography.CryptographicBuffer\\ActivationType"
              }
            ],
            "repeated": 0,
            "id": 4244
          },
          {
            "timestamp": "2026-05-28 22:02:14,260",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005c0"
              },
              {
                "name": "ValueName",
                "value": "Server"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Security.Cryptography.CryptographicBuffer\\Server"
              }
            ],
            "repeated": 0,
            "id": 4245
          },
          {
            "timestamp": "2026-05-28 22:02:14,260",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005c0"
              },
              {
                "name": "ValueName",
                "value": "DllPath"
              },
              {
                "name": "Data",
                "value": "C:\\Windows\\System32\\CryptoWinRT.dll"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Security.Cryptography.CryptographicBuffer\\DllPath"
              }
            ],
            "repeated": 0,
            "id": 4246
          },
          {
            "timestamp": "2026-05-28 22:02:14,260",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005c0"
              },
              {
                "name": "ValueName",
                "value": "Threading"
              },
              {
                "name": "Data",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Security.Cryptography.CryptographicBuffer\\Threading"
              }
            ],
            "repeated": 0,
            "id": 4247
          },
          {
            "timestamp": "2026-05-28 22:02:14,260",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005c0"
              },
              {
                "name": "ValueName",
                "value": "TrustLevel"
              },
              {
                "name": "Data",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Security.Cryptography.CryptographicBuffer\\TrustLevel"
              }
            ],
            "repeated": 0,
            "id": 4248
          },
          {
            "timestamp": "2026-05-28 22:02:14,260",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x000005c0"
              },
              {
                "name": "SubKey",
                "value": "CustomAttributes"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Security.Cryptography.CryptographicBuffer\\CustomAttributes"
              }
            ],
            "repeated": 0,
            "id": 4249
          },
          {
            "timestamp": "2026-05-28 22:02:14,260",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005c0"
              },
              {
                "name": "ValueName",
                "value": "RemoteServer"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Security.Cryptography.CryptographicBuffer\\RemoteServer"
              }
            ],
            "repeated": 0,
            "id": 4250
          },
          {
            "timestamp": "2026-05-28 22:02:14,260",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005c0"
              },
              {
                "name": "ValueName",
                "value": "ActivateAsUser"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Security.Cryptography.CryptographicBuffer\\ActivateAsUser"
              }
            ],
            "repeated": 0,
            "id": 4251
          },
          {
            "timestamp": "2026-05-28 22:02:14,260",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005c0"
              },
              {
                "name": "ValueName",
                "value": "ActivateInSharedBroker"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Security.Cryptography.CryptographicBuffer\\ActivateInSharedBroker"
              }
            ],
            "repeated": 0,
            "id": 4252
          },
          {
            "timestamp": "2026-05-28 22:02:14,260",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005c0"
              },
              {
                "name": "ValueName",
                "value": "ActivateInBrokerForMediumILContainer"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Security.Cryptography.CryptographicBuffer\\ActivateInBrokerForMediumILContainer"
              }
            ],
            "repeated": 0,
            "id": 4253
          },
          {
            "timestamp": "2026-05-28 22:02:14,260",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005c0"
              },
              {
                "name": "ValueName",
                "value": "Permissions"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Security.Cryptography.CryptographicBuffer\\Permissions"
              }
            ],
            "repeated": 0,
            "id": 4254
          },
          {
            "timestamp": "2026-05-28 22:02:14,260",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005c0"
              },
              {
                "name": "ValueName",
                "value": "ActivateOnHostFlags"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Security.Cryptography.CryptographicBuffer\\ActivateOnHostFlags"
              }
            ],
            "repeated": 0,
            "id": 4255
          },
          {
            "timestamp": "2026-05-28 22:02:14,260",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005c0"
              }
            ],
            "repeated": 0,
            "id": 4256
          },
          {
            "timestamp": "2026-05-28 22:02:14,260",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\System32\\CryptoWinRT"
              },
              {
                "name": "DllBase",
                "value": "0x7ffc51a40000"
              }
            ],
            "repeated": 0,
            "id": 4257
          },
          {
            "timestamp": "2026-05-28 22:02:14,260",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\CryptoWinRT.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc51a40000"
              }
            ],
            "repeated": 0,
            "id": 4258
          },
          {
            "timestamp": "2026-05-28 22:02:14,260",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x7ffc51a40000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\System32\\CryptoWinRT.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00002008"
              }
            ],
            "repeated": 0,
            "id": 4259
          },
          {
            "timestamp": "2026-05-28 22:02:14,260",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "CryptoWinRT.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc51a40000"
              },
              {
                "name": "FunctionName",
                "value": "DllGetClassObject"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc51a4f560"
              }
            ],
            "repeated": 0,
            "id": 4260
          },
          {
            "timestamp": "2026-05-28 22:02:14,260",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "CryptoWinRT.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc51a40000"
              },
              {
                "name": "FunctionName",
                "value": "DllGetActivationFactory"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc51a48590"
              }
            ],
            "repeated": 0,
            "id": 4261
          },
          {
            "timestamp": "2026-05-28 22:02:14,260",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "CryptoWinRT.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc51a40000"
              },
              {
                "name": "FunctionName",
                "value": "DllCanUnloadNow"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc51a45cd0"
              }
            ],
            "repeated": 0,
            "id": 4262
          },
          {
            "timestamp": "2026-05-28 22:02:14,260",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000005bc"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020119",
                "pretty_value": "KEY_QUERY_VALUE|KEY_ENUMERATE_SUB_KEYS|KEY_NOTIFY|KEY_WOW64_64KEY|STANDARD_RIGHTS_REQUIRED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000378"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Windows.Security.Cryptography.Core.HashAlgorithmNames"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Security.Cryptography.Core.HashAlgorithmNames"
              }
            ],
            "repeated": 0,
            "id": 4263
          },
          {
            "timestamp": "2026-05-28 22:02:14,260",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000005bc"
              },
              {
                "name": "KeyInformation",
                "value": "7_\\xffea\\xffe6\\xfff8\\xffee\\xffdc\\x01\\x00\\x00\\x00\\x00j\\x00\\x00\\x00W\\x00i\\x00n\\x00d\\x00o\\x00w\\x00s\\x00.\\x00S\\x00e\\x00c\\x00u\\x00r\\x00i\\x00t\\x00y\\x00.\\x00C\\x00r\\x00y\\x00p\\x00t\\x00o\\x00g\\x00r\\x00a\\x00p\\x00h\\x00y\\x00.\\x00C\\x00o\\x00r\\x00e\\x00.\\x00H\\x00a\\x00s\\x00h\\x00A\\x00l\\x00g\\x00o\\x00r\\x00i\\x00t\\x00h\\x00m\\x00N\\x00a\\x00m\\x00e\\x00s\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xffb0E\\xffe7w\\xfffc\\x7f\\x00\\x00\\xfff8\\xffb0He\\xffa3\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xffe0\\xffbf\\xff92\\xfff7\\xffb8\\x00\\x00\\x00\\xff8c\\xffc2\\xffffw\\xfffc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\xffa3\\x02\\x00\\x00\\xfff0\\xff85Ke\\xffa3\\x02\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xffa3\\x02\\x00\\x00\\x1e\\xffc5>$\\xffbd\\xffaa\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00P\\xffd6Ke\\xffa3\\x02\\x00\\x00\\xfff8\\xffb0He\\xffa3\\x02\\x00\\x00\\xffd0\\xffb0He\\xffa3\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xff87\\xff9d\\xffbbw\\xfffc\\x7f\\x00\\x00\\xfff0\\xff85Ke\\xffa3\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xffd0\\xffb0He\\xffa3\\x02\\x00\\x00\\xfff0\\xff85Ke\\xffa3\\x02\\x00\\x00P\\xffd6Ke\\xffa3\\x02\\x00\\x00\\x00\\xffe5Ke\\xffa3\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xfff6s\\xffbbw\\xfffc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x07\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xff80\\x00\\x00\\x00\\x00\\x00\\x00\\x00P\\xffd6Ke\\xffa3\\x02\\x00\\x00\\xffe0=Le\\xffa3\\x02\\x00\\x00\\xffe0=Le\\xffa3\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xfff0\\xff85Ke\\xffa3\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00
\\x00\\x00\\xffe0=Le\\xffa3\\x02\\x00\\x00\\xff8c\\xffc2\\xffffw\\xfffc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\xffa3\\x02\\x00\\x00\\xfff0\\xff85Ke\\xffa3\\x02\\x00\\x00\\x00\\xffe5Ke\\xffa3\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xffe0\\xffc0\\xff92\\xfff7\\xffb8\\x00\\x00\\x003\\x00\\x00\\x00\\x00\\x00\\x00\\x00`3Le\\xffa3\\x02\\x00\\x00\\xffd0\\xffb0He\\xffa3\\x02\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 4264
          },
          {
            "timestamp": "2026-05-28 22:02:14,260",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005bc"
              },
              {
                "name": "ValueName",
                "value": "ActivationType"
              },
              {
                "name": "Data",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Security.Cryptography.Core.HashAlgorithmNames\\ActivationType"
              }
            ],
            "repeated": 0,
            "id": 4265
          },
          {
            "timestamp": "2026-05-28 22:02:14,260",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005bc"
              },
              {
                "name": "ValueName",
                "value": "Server"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Security.Cryptography.Core.HashAlgorithmNames\\Server"
              }
            ],
            "repeated": 0,
            "id": 4266
          },
          {
            "timestamp": "2026-05-28 22:02:14,260",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005bc"
              },
              {
                "name": "ValueName",
                "value": "DllPath"
              },
              {
                "name": "Data",
                "value": "C:\\Windows\\System32\\CryptoWinRT.dll"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Security.Cryptography.Core.HashAlgorithmNames\\DllPath"
              }
            ],
            "repeated": 0,
            "id": 4267
          },
          {
            "timestamp": "2026-05-28 22:02:14,260",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005bc"
              },
              {
                "name": "ValueName",
                "value": "Threading"
              },
              {
                "name": "Data",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Security.Cryptography.Core.HashAlgorithmNames\\Threading"
              }
            ],
            "repeated": 0,
            "id": 4268
          },
          {
            "timestamp": "2026-05-28 22:02:14,260",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005bc"
              },
              {
                "name": "ValueName",
                "value": "TrustLevel"
              },
              {
                "name": "Data",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Security.Cryptography.Core.HashAlgorithmNames\\TrustLevel"
              }
            ],
            "repeated": 0,
            "id": 4269
          },
          {
            "timestamp": "2026-05-28 22:02:14,260",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x000005bc"
              },
              {
                "name": "SubKey",
                "value": "CustomAttributes"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Security.Cryptography.Core.HashAlgorithmNames\\CustomAttributes"
              }
            ],
            "repeated": 0,
            "id": 4270
          },
          {
            "timestamp": "2026-05-28 22:02:14,260",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005bc"
              },
              {
                "name": "ValueName",
                "value": "RemoteServer"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Security.Cryptography.Core.HashAlgorithmNames\\RemoteServer"
              }
            ],
            "repeated": 0,
            "id": 4271
          },
          {
            "timestamp": "2026-05-28 22:02:14,260",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005bc"
              },
              {
                "name": "ValueName",
                "value": "ActivateAsUser"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Security.Cryptography.Core.HashAlgorithmNames\\ActivateAsUser"
              }
            ],
            "repeated": 0,
            "id": 4272
          },
          {
            "timestamp": "2026-05-28 22:02:14,260",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005bc"
              },
              {
                "name": "ValueName",
                "value": "ActivateInSharedBroker"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Security.Cryptography.Core.HashAlgorithmNames\\ActivateInSharedBroker"
              }
            ],
            "repeated": 0,
            "id": 4273
          },
          {
            "timestamp": "2026-05-28 22:02:14,260",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005bc"
              },
              {
                "name": "ValueName",
                "value": "ActivateInBrokerForMediumILContainer"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Security.Cryptography.Core.HashAlgorithmNames\\ActivateInBrokerForMediumILContainer"
              }
            ],
            "repeated": 0,
            "id": 4274
          },
          {
            "timestamp": "2026-05-28 22:02:14,260",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005bc"
              },
              {
                "name": "ValueName",
                "value": "Permissions"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Security.Cryptography.Core.HashAlgorithmNames\\Permissions"
              }
            ],
            "repeated": 0,
            "id": 4275
          },
          {
            "timestamp": "2026-05-28 22:02:14,260",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005bc"
              },
              {
                "name": "ValueName",
                "value": "ActivateOnHostFlags"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Security.Cryptography.Core.HashAlgorithmNames\\ActivateOnHostFlags"
              }
            ],
            "repeated": 0,
            "id": 4276
          },
          {
            "timestamp": "2026-05-28 22:02:14,260",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005bc"
              }
            ],
            "repeated": 0,
            "id": 4277
          },
          {
            "timestamp": "2026-05-28 22:02:14,260",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000005bc"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020119",
                "pretty_value": "KEY_QUERY_VALUE|KEY_ENUMERATE_SUB_KEYS|KEY_NOTIFY|KEY_WOW64_64KEY|STANDARD_RIGHTS_REQUIRED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000378"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Windows.Security.Cryptography.Core.HashAlgorithmProvider"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Security.Cryptography.Core.HashAlgorithmProvider"
              }
            ],
            "repeated": 0,
            "id": 4278
          },
          {
            "timestamp": "2026-05-28 22:02:14,260",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000005bc"
              },
              {
                "name": "KeyInformation",
                "value": "7_\\xffea\\xffe6\\xfff8\\xffee\\xffdc\\x01\\x00\\x00\\x00\\x00p\\x00\\x00\\x00W\\x00i\\x00n\\x00d\\x00o\\x00w\\x00s\\x00.\\x00S\\x00e\\x00c\\x00u\\x00r\\x00i\\x00t\\x00y\\x00.\\x00C\\x00r\\x00y\\x00p\\x00t\\x00o\\x00g\\x00r\\x00a\\x00p\\x00h\\x00y\\x00.\\x00C\\x00o\\x00r\\x00e\\x00.\\x00H\\x00a\\x00s\\x00h\\x00A\\x00l\\x00g\\x00o\\x00r\\x00i\\x00t\\x00h\\x00m\\x00P\\x00r\\x00o\\x00v\\x00i\\x00d\\x00e\\x00r\\x00\\xffb0E\\xffe7w\\xfffc\\x7f\\x00\\x00\\xfff8\\xffbdHe\\xffa3\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xffd0\\xffbf\\xff92\\xfff7\\xffb8\\x00\\x00\\x00\\xff8c\\xffc2\\xffffw\\xfffc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\xffa3\\x02\\x00\\x00\\xffd0\\xff8dKe\\xffa3\\x02\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xffa3\\x02\\x00\\x00\\x0e\\xffc5>$\\xffbd\\xffaa\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00P\\xffd6Ke\\xffa3\\x02\\x00\\x00\\xfff8\\xffbdHe\\xffa3\\x02\\x00\\x00\\xffd0\\xffbdHe\\xffa3\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xff87\\xff9d\\xffbbw\\xfffc\\x7f\\x00\\x00\\xffd0\\xff8dKe\\xffa3\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xffd0\\xffbdHe\\xffa3\\x02\\x00\\x00\\xffd0\\xff8dKe\\xffa3\\x02\\x00\\x00P\\xffd6Ke\\xffa3\\x02\\x00\\x000\\xffe7Ke\\xffa3\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xfff6s\\xffbbw\\xfffc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x07\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xff80\\x00\\x00\\x00\\x00\\x00\\x00\\x00P\\xffd6Ke\\xffa3\\x02\\x00\\x00\\xff802Le\\xffa3\\x02\\x00\\x00\\xff802Le\\xffa3\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xffd0\\xff8dKe\\xffa3\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xff8
02Le\\xffa3\\x02\\x00\\x00\\xff8c\\xffc2\\xffffw\\xfffc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\xffa3\\x02\\x00\\x00\\xffd0\\xff8dKe\\xffa3\\x02\\x00\\x000\\xffe7Ke\\xffa3\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xffd0\\xffc0\\xff92\\xfff7\\xffb8\\x00\\x00\\x003\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xffc07Le\\xffa3\\x02\\x00\\x00\\xffd0\\xffbdHe\\xffa3\\x02\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 4279
          },
          {
            "timestamp": "2026-05-28 22:02:14,260",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005bc"
              },
              {
                "name": "ValueName",
                "value": "ActivationType"
              },
              {
                "name": "Data",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Security.Cryptography.Core.HashAlgorithmProvider\\ActivationType"
              }
            ],
            "repeated": 0,
            "id": 4280
          },
          {
            "timestamp": "2026-05-28 22:02:14,260",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005bc"
              },
              {
                "name": "ValueName",
                "value": "Server"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Security.Cryptography.Core.HashAlgorithmProvider\\Server"
              }
            ],
            "repeated": 0,
            "id": 4281
          },
          {
            "timestamp": "2026-05-28 22:02:14,260",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005bc"
              },
              {
                "name": "ValueName",
                "value": "DllPath"
              },
              {
                "name": "Data",
                "value": "C:\\Windows\\System32\\CryptoWinRT.dll"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Security.Cryptography.Core.HashAlgorithmProvider\\DllPath"
              }
            ],
            "repeated": 0,
            "id": 4282
          },
          {
            "timestamp": "2026-05-28 22:02:14,260",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005bc"
              },
              {
                "name": "ValueName",
                "value": "Threading"
              },
              {
                "name": "Data",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Security.Cryptography.Core.HashAlgorithmProvider\\Threading"
              }
            ],
            "repeated": 0,
            "id": 4283
          },
          {
            "timestamp": "2026-05-28 22:02:14,260",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005bc"
              },
              {
                "name": "ValueName",
                "value": "TrustLevel"
              },
              {
                "name": "Data",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Security.Cryptography.Core.HashAlgorithmProvider\\TrustLevel"
              }
            ],
            "repeated": 0,
            "id": 4284
          },
          {
            "timestamp": "2026-05-28 22:02:14,260",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x000005bc"
              },
              {
                "name": "SubKey",
                "value": "CustomAttributes"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Security.Cryptography.Core.HashAlgorithmProvider\\CustomAttributes"
              }
            ],
            "repeated": 0,
            "id": 4285
          },
          {
            "timestamp": "2026-05-28 22:02:14,260",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005bc"
              },
              {
                "name": "ValueName",
                "value": "RemoteServer"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Security.Cryptography.Core.HashAlgorithmProvider\\RemoteServer"
              }
            ],
            "repeated": 0,
            "id": 4286
          },
          {
            "timestamp": "2026-05-28 22:02:14,260",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005bc"
              },
              {
                "name": "ValueName",
                "value": "ActivateAsUser"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Security.Cryptography.Core.HashAlgorithmProvider\\ActivateAsUser"
              }
            ],
            "repeated": 0,
            "id": 4287
          },
          {
            "timestamp": "2026-05-28 22:02:14,260",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005bc"
              },
              {
                "name": "ValueName",
                "value": "ActivateInSharedBroker"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Security.Cryptography.Core.HashAlgorithmProvider\\ActivateInSharedBroker"
              }
            ],
            "repeated": 0,
            "id": 4288
          },
          {
            "timestamp": "2026-05-28 22:02:14,260",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005bc"
              },
              {
                "name": "ValueName",
                "value": "ActivateInBrokerForMediumILContainer"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Security.Cryptography.Core.HashAlgorithmProvider\\ActivateInBrokerForMediumILContainer"
              }
            ],
            "repeated": 0,
            "id": 4289
          },
          {
            "timestamp": "2026-05-28 22:02:14,260",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005bc"
              },
              {
                "name": "ValueName",
                "value": "Permissions"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Security.Cryptography.Core.HashAlgorithmProvider\\Permissions"
              }
            ],
            "repeated": 0,
            "id": 4290
          },
          {
            "timestamp": "2026-05-28 22:02:14,260",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005bc"
              },
              {
                "name": "ValueName",
                "value": "ActivateOnHostFlags"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Security.Cryptography.Core.HashAlgorithmProvider\\ActivateOnHostFlags"
              }
            ],
            "repeated": 0,
            "id": 4291
          },
          {
            "timestamp": "2026-05-28 22:02:14,260",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005bc"
              }
            ],
            "repeated": 0,
            "id": 4292
          },
          {
            "timestamp": "2026-05-28 22:02:14,260",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "device",
            "api": "NtDeviceIoControlFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000001b0"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\KsecDD"
              },
              {
                "name": "IoControlCode",
                "value": "0x00390400"
              },
              {
                "name": "InputBuffer",
                "value": "M<+\\x1a\\x00\\x00\\x02\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x000\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x01\\x00\\x00\\x00\\x02\\x00\\x00\\x00S\\x00H\\x00A\\x002\\x005\\x006\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "OutputBuffer",
                "value": "\\x01\\x00\\x00\\x00\\x00\\x00\\x02\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x18\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00P\\x00\\x00\\x00\\x00\\x00\\x00\\x00`\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00A\\x002\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xa0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xffS\\x00H\\x00A\\x002\\x005\\x006\\x00\\x00\\x00\\x00\\x00M\\x00i\\x00c\\x00r\\x00o\\x00s\\x00o\\x00f\\x00t\\x00 \\x00P\\x00r\\x00i\\x00m\\x00i\\x00t\\x00i\\x00v\\x00e\\x00 \\x00P\\x00r\\x00o\\x00v\\x00i\\x00d\\x00e\\x00r\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00b\\x00c\\x00r\\x00y\\x00p\\x00t\\x00p\\x00r\\x00i\\x00m\\x00i\\x00t\\x00i\\x00v\\x00e\\x00s\\x00.\\x00d\\x00l\\x00l\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 4293
          },
          {
            "timestamp": "2026-05-28 22:02:14,260",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "bcryptprimitives.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc75fa0000"
              },
              {
                "name": "FunctionName",
                "value": "GetHashInterface"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc75fb4460"
              }
            ],
            "repeated": 0,
            "id": 4294
          },
          {
            "timestamp": "2026-05-28 22:02:14,260",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005c8"
              },
              {
                "name": "ValueName",
                "value": "Expiration"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\LimitedAccessFeatures\\com.microsoft.windows.taskbar.requestPinSecondaryTile\\Expiration"
              }
            ],
            "repeated": 0,
            "id": 4295
          },
          {
            "timestamp": "2026-05-28 22:02:14,260",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005c8"
              }
            ],
            "repeated": 0,
            "id": 4296
          },
          {
            "timestamp": "2026-05-28 22:02:14,260",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtOpenSection",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000004"
              },
              {
                "name": "ObjectAttributes",
                "value": "ApplicationService:29e01dceeeda2acba75"
              }
            ],
            "repeated": 0,
            "id": 4297
          },
          {
            "timestamp": "2026-05-28 22:02:14,260",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2a36e320000"
              },
              {
                "name": "RegionSize",
                "value": "0x00100000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 4298
          },
          {
            "timestamp": "2026-05-28 22:02:14,260",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2a36e320000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 4299
          },
          {
            "timestamp": "2026-05-28 22:02:14,260",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x000005c8"
              }
            ],
            "repeated": 0,
            "id": 4300
          },
          {
            "timestamp": "2026-05-28 22:02:14,260",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "25"
              },
              {
                "name": "TokenInformation",
                "value": "\\xb0%Je\\xa3\\x02\\x00\\x00`\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x10\\x000\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 4301
          },
          {
            "timestamp": "2026-05-28 22:02:14,260",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005c8"
              }
            ],
            "repeated": 0,
            "id": 4302
          },
          {
            "timestamp": "2026-05-28 22:02:14,260",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtOpenSection",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000004"
              },
              {
                "name": "ObjectAttributes",
                "value": "ApplicationService:29e01dceeeda2acba75"
              }
            ],
            "repeated": 0,
            "id": 4303
          },
          {
            "timestamp": "2026-05-28 22:02:14,260",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x000005bc"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0007",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ|SECTION_MAP_WRITE"
              },
              {
                "name": "ObjectAttributes",
                "value": "ApplicationService:29e01dceeeda2acba75"
              },
              {
                "name": "FileHandle",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 4304
          },
          {
            "timestamp": "2026-05-28 22:02:14,260",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x000005bc"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2a36af80000"
              },
              {
                "name": "SectionOffset",
                "value": "0xb8f792ca10"
              },
              {
                "name": "ViewSize",
                "value": "0x00010000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 4305
          },
          {
            "timestamp": "2026-05-28 22:02:14,260",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtUnmapViewOfSectionEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2a36af80000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              },
              {
                "name": "Flags",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 4306
          },
          {
            "timestamp": "2026-05-28 22:02:14,260",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000005c8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020119",
                "pretty_value": "KEY_QUERY_VALUE|KEY_ENUMERATE_SUB_KEYS|KEY_NOTIFY|KEY_WOW64_64KEY|STANDARD_RIGHTS_REQUIRED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000378"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Windows.UI.StartScreen.SecondaryTile"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.UI.StartScreen.SecondaryTile"
              }
            ],
            "repeated": 0,
            "id": 4307
          },
          {
            "timestamp": "2026-05-28 22:02:14,260",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000005c8"
              },
              {
                "name": "KeyInformation",
                "value": "N\\xffc1\\xffec\\xffe6\\xfff8\\xffee\\xffdc\\x01\\x00\\x00\\x00\\x00H\\x00\\x00\\x00W\\x00i\\x00n\\x00d\\x00o\\x00w\\x00s\\x00.\\x00U\\x00I\\x00.\\x00S\\x00t\\x00a\\x00r\\x00t\\x00S\\x00c\\x00r\\x00e\\x00e\\x00n\\x00.\\x00S\\x00e\\x00c\\x00o\\x00n\\x00d\\x00a\\x00r\\x00y\\x00T\\x00i\\x00l\\x00e\\x00\\xff80\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x1b\\x00\\x00\\x00\\x00\\x00\\x00\\x006\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xffb0E\\xffe7w\\xfffc\\x7f\\x00\\x00\\xfff8\\xffbdHe\\xffa3\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xffc0\\xffc6\\xff92\\xfff7\\xffb8\\x00\\x00\\x00\\xff8c\\xffc2\\xffffw\\xfffc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\xffa3\\x02\\x00\\x00\\xff809Le\\xffa3\\x02\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xffa3\\x02\\x00\\x00>\\xffbc>$\\xffbd\\xffaa\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xffd0\\xffd7Ke\\xffa3\\x02\\x00\\x00\\xfff8\\xffbdHe\\xffa3\\x02\\x00\\x00\\xffd0\\xffbdHe\\xffa3\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xff87\\xff9d\\xffbbw\\xfffc\\x7f\\x00\\x00\\xff809Le\\xffa3\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xffd0\\xffbdHe\\xffa3\\x02\\x00\\x00\\xff809Le\\xffa3\\x02\\x00\\x00\\xffd0\\xffd7Ke\\xffa3\\x02\\x00\\x00\\xffd0\\xffe2Ke\\xffa3\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xfff6s\\xffbbw\\xfffc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x07\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xff80\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xffd0\\xffd7Ke\\xffa3\\x02\\x00\\x00 <Le\\xffa3\\x02\\x00\\x00 
<Le\\xffa3\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xff809Le\\xffa3\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00 <Le\\xffa3\\x02\\x00\\x00\\xff8c\\xffc2\\xffffw\\xfffc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\xffa3\\x02\\x00\\x00\\xff809Le\\xffa3\\x02\\x00\\x00\\xffd0\\xffe2Ke\\xffa3\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xffc0\\xffc7\\xff92\\xfff7\\xffb8\\x00\\x00\\x003\\x00\\x00\\x00\\x00\\x00\\x00\\x00`3Le\\xffa3\\x02\\x00\\x00\\xffd0\\xffbdHe\\xffa3\\x02\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 4308
          },
          {
            "timestamp": "2026-05-28 22:02:14,260",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005c8"
              },
              {
                "name": "ValueName",
                "value": "ActivationType"
              },
              {
                "name": "Data",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.UI.StartScreen.SecondaryTile\\ActivationType"
              }
            ],
            "repeated": 0,
            "id": 4309
          },
          {
            "timestamp": "2026-05-28 22:02:14,260",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005c8"
              },
              {
                "name": "ValueName",
                "value": "Server"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.UI.StartScreen.SecondaryTile\\Server"
              }
            ],
            "repeated": 0,
            "id": 4310
          },
          {
            "timestamp": "2026-05-28 22:02:14,260",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005c8"
              },
              {
                "name": "ValueName",
                "value": "DllPath"
              },
              {
                "name": "Data",
                "value": "C:\\Windows\\System32\\wpnapps.dll"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.UI.StartScreen.SecondaryTile\\DllPath"
              }
            ],
            "repeated": 0,
            "id": 4311
          },
          {
            "timestamp": "2026-05-28 22:02:14,260",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005c8"
              },
              {
                "name": "ValueName",
                "value": "Threading"
              },
              {
                "name": "Data",
                "value": "2"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.UI.StartScreen.SecondaryTile\\Threading"
              }
            ],
            "repeated": 0,
            "id": 4312
          },
          {
            "timestamp": "2026-05-28 22:02:14,260",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005c8"
              },
              {
                "name": "ValueName",
                "value": "TrustLevel"
              },
              {
                "name": "Data",
                "value": "1"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.UI.StartScreen.SecondaryTile\\TrustLevel"
              }
            ],
            "repeated": 0,
            "id": 4313
          },
          {
            "timestamp": "2026-05-28 22:02:14,260",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x000005c8"
              },
              {
                "name": "SubKey",
                "value": "CustomAttributes"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.UI.StartScreen.SecondaryTile\\CustomAttributes"
              }
            ],
            "repeated": 0,
            "id": 4314
          },
          {
            "timestamp": "2026-05-28 22:02:14,260",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005c8"
              },
              {
                "name": "ValueName",
                "value": "RemoteServer"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.UI.StartScreen.SecondaryTile\\RemoteServer"
              }
            ],
            "repeated": 0,
            "id": 4315
          },
          {
            "timestamp": "2026-05-28 22:02:14,260",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005c8"
              },
              {
                "name": "ValueName",
                "value": "ActivateAsUser"
              },
              {
                "name": "Data",
                "value": "1"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.UI.StartScreen.SecondaryTile\\ActivateAsUser"
              }
            ],
            "repeated": 0,
            "id": 4316
          },
          {
            "timestamp": "2026-05-28 22:02:14,260",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005c8"
              },
              {
                "name": "ValueName",
                "value": "ActivateInSharedBroker"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.UI.StartScreen.SecondaryTile\\ActivateInSharedBroker"
              }
            ],
            "repeated": 0,
            "id": 4317
          },
          {
            "timestamp": "2026-05-28 22:02:14,260",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005c8"
              },
              {
                "name": "ValueName",
                "value": "ActivateInBrokerForMediumILContainer"
              },
              {
                "name": "Data",
                "value": "1"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.UI.StartScreen.SecondaryTile\\ActivateInBrokerForMediumILContainer"
              }
            ],
            "repeated": 0,
            "id": 4318
          },
          {
            "timestamp": "2026-05-28 22:02:14,260",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005c8"
              },
              {
                "name": "ValueName",
                "value": "Permissions"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.UI.StartScreen.SecondaryTile\\Permissions"
              }
            ],
            "repeated": 0,
            "id": 4319
          },
          {
            "timestamp": "2026-05-28 22:02:14,260",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005c8"
              },
              {
                "name": "ValueName",
                "value": "ActivateOnHostFlags"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.UI.StartScreen.SecondaryTile\\ActivateOnHostFlags"
              }
            ],
            "repeated": 0,
            "id": 4320
          },
          {
            "timestamp": "2026-05-28 22:02:14,260",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005c8"
              }
            ],
            "repeated": 0,
            "id": 4321
          },
          {
            "timestamp": "2026-05-28 22:02:14,275",
            "thread_id": "11132",
            "caller": "0x7ffc756e6785",
            "parentcaller": "0x7ffc77c12ec5",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005d8"
              }
            ],
            "repeated": 0,
            "id": 4322
          },
          {
            "timestamp": "2026-05-28 22:02:14,275",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "39"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 4323
          },
          {
            "timestamp": "2026-05-28 22:02:14,275",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "39"
              },
              {
                "name": "TokenInformation",
                "value": "\\x01\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\xb0%Je\\xa3\\x02\\x00\\x00\\x1c\\x00\\x1c\\x00\\x00\\x00\\x00\\x00P&Je\\xa3\\x02\\x00\\x00\\x03\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00p&Je\\xa3\\x02\\x00\\x00\\x12\\x00\\x12\\x00\\x00\\x00\\x00\\x00\\x84'Je\\xa3\\x02\\x00\\x00\\x02\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x98'Je\\xa3\\x02\\x00\\x00\\x1e\\x00\\x1e\\x00\\x00\\x00\\x00\\x00\\xa0'Je\\xa3\\x02\\x00\\x00\\x02\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xc0'Je\\xa3\\x02\\x00\\x00 \\x00 \\x00\\x00\\x00\\x00\\x00\\xc8'Je\\xa3\\x02\\x00\\x00\\x02\\x00\\x00\\x00A\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xe8'Je\\xa3\\x02\\x00\\x00W\\x00I\\x00N\\x00:\\x00/\\x00/\\x00S\\x00Y\\x00S\\x00A\\x00P\\x00P\\x00I\\x00D\\x00\\x00\\x00\\x00\\x00\\x86\\x00\\x86\\x00\\x00\\x00\\x00\\x00\\xa0&Je\\xa3\\x02\\x00\\x00\\x06\\x00\\x06\\x00\\x00\\x00\\x00\\x00&'Je\\xa3\\x02\\x00\\x00X\\x00X\\x00\\x00\\x00\\x00\\x00,'Je\\xa3\\x02\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 4324
          },
          {
            "timestamp": "2026-05-28 22:02:14,275",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "39"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 4325
          },
          {
            "timestamp": "2026-05-28 22:02:14,275",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "39"
              },
              {
                "name": "TokenInformation",
                "value": "\\x01\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\xb0%Je\\xa3\\x02\\x00\\x00\\x1c\\x00\\x1c\\x00\\x00\\x00\\x00\\x00P&Je\\xa3\\x02\\x00\\x00\\x03\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00p&Je\\xa3\\x02\\x00\\x00\\x12\\x00\\x12\\x00\\x00\\x00\\x00\\x00\\x84'Je\\xa3\\x02\\x00\\x00\\x02\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x98'Je\\xa3\\x02\\x00\\x00\\x1e\\x00\\x1e\\x00\\x00\\x00\\x00\\x00\\xa0'Je\\xa3\\x02\\x00\\x00\\x02\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xc0'Je\\xa3\\x02\\x00\\x00 \\x00 \\x00\\x00\\x00\\x00\\x00\\xc8'Je\\xa3\\x02\\x00\\x00\\x02\\x00\\x00\\x00A\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xe8'Je\\xa3\\x02\\x00\\x00W\\x00I\\x00N\\x00:\\x00/\\x00/\\x00S\\x00Y\\x00S\\x00A\\x00P\\x00P\\x00I\\x00D\\x00\\x00\\x00\\x00\\x00\\x86\\x00\\x86\\x00\\x00\\x00\\x00\\x00\\xa0&Je\\xa3\\x02\\x00\\x00\\x06\\x00\\x06\\x00\\x00\\x00\\x00\\x00&'Je\\xa3\\x02\\x00\\x00X\\x00X\\x00\\x00\\x00\\x00\\x00,'Je\\xa3\\x02\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 4326
          },
          {
            "timestamp": "2026-05-28 22:02:14,275",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "39"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 4327
          },
          {
            "timestamp": "2026-05-28 22:02:14,275",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "39"
              },
              {
                "name": "TokenInformation",
                "value": "\\x01\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\xb0%Je\\xa3\\x02\\x00\\x00\\x1c\\x00\\x1c\\x00\\x00\\x00\\x00\\x00P&Je\\xa3\\x02\\x00\\x00\\x03\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00p&Je\\xa3\\x02\\x00\\x00\\x12\\x00\\x12\\x00\\x00\\x00\\x00\\x00\\x84'Je\\xa3\\x02\\x00\\x00\\x02\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x98'Je\\xa3\\x02\\x00\\x00\\x1e\\x00\\x1e\\x00\\x00\\x00\\x00\\x00\\xa0'Je\\xa3\\x02\\x00\\x00\\x02\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xc0'Je\\xa3\\x02\\x00\\x00 \\x00 \\x00\\x00\\x00\\x00\\x00\\xc8'Je\\xa3\\x02\\x00\\x00\\x02\\x00\\x00\\x00A\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xe8'Je\\xa3\\x02\\x00\\x00W\\x00I\\x00N\\x00:\\x00/\\x00/\\x00S\\x00Y\\x00S\\x00A\\x00P\\x00P\\x00I\\x00D\\x00\\x00\\x00\\x00\\x00\\x86\\x00\\x86\\x00\\x00\\x00\\x00\\x00\\xa0&Je\\xa3\\x02\\x00\\x00\\x06\\x00\\x06\\x00\\x00\\x00\\x00\\x00&'Je\\xa3\\x02\\x00\\x00X\\x00X\\x00\\x00\\x00\\x00\\x00,'Je\\xa3\\x02\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 4328
          },
          {
            "timestamp": "2026-05-28 22:02:14,275",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "0",
                "pretty_value": "ThreadBasicInformation"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x03\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00`\\xbe\\xf7\\xb8\\x00\\x00\\x00\\xe0)\\x00\\x00\\x00\\x00\\x00\\x00\\xe4)\\x00\\x00\\x00\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\n\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "10724"
              }
            ],
            "repeated": 0,
            "id": 4329
          },
          {
            "timestamp": "2026-05-28 22:02:14,275",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "filesystem",
            "api": "NtWriteFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00001774"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\NamedPipe\\LOCAL\\mojo.9188.10632.18297276111718467407"
              },
              {
                "name": "Buffer",
                "value": "\\x10\\x00\\x00\\x00p\\x00\\x00\\x00\\xa4\\x1c\\x0e\\x05\\x00\\x00\\x00\\x00\\x18\\x00\\x14\\x00\\x00\\x00\\x00\\x00\\x1e\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00H\\x00\\x00\\x00\\x00\\x00\\x00\\x00/\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00~\\x01\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "Length",
                "value": "112"
              }
            ],
            "repeated": 0,
            "id": 4330
          },
          {
            "timestamp": "2026-05-28 22:02:14,275",
            "thread_id": "11156",
            "caller": "0x7ffc7571ebae",
            "parentcaller": "0x7ffc775f84de",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "0",
                "pretty_value": "ThreadBasicInformation"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x03\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xa1\\xf7\\xb8\\x00\\x00\\x00\\xe0)\\x00\\x00\\x00\\x00\\x00\\x00\\x94+\\x00\\x00\\x00\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\t\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "11156"
              }
            ],
            "repeated": 0,
            "id": 4331
          },
          {
            "timestamp": "2026-05-28 22:02:14,275",
            "thread_id": "11156",
            "caller": "0x7ffc77c2dd9d",
            "parentcaller": "0x7ffc77bc7428",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000005d8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020119",
                "pretty_value": "KEY_QUERY_VALUE|KEY_ENUMERATE_SUB_KEYS|KEY_NOTIFY|KEY_WOW64_64KEY|STANDARD_RIGHTS_REQUIRED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000378"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Windows.Internal.Tiles.SecondaryTileStore"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.Tiles.SecondaryTileStore"
              }
            ],
            "repeated": 0,
            "id": 4332
          },
          {
            "timestamp": "2026-05-28 22:02:14,275",
            "thread_id": "11156",
            "caller": "0x7ffc77c2ddf7",
            "parentcaller": "0x7ffc77bc7428",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000005d8"
              },
              {
                "name": "KeyInformation",
                "value": "7_\\xffea\\xffe6\\xfff8\\xffee\\xffdc\\x01\\x00\\x00\\x00\\x00R\\x00\\x00\\x00W\\x00i\\x00n\\x00d\\x00o\\x00w\\x00s\\x00.\\x00I\\x00n\\x00t\\x00e\\x00r\\x00n\\x00a\\x00l\\x00.\\x00T\\x00i\\x00l\\x00e\\x00s\\x00.\\x00S\\x00e\\x00c\\x00o\\x00n\\x00d\\x00a\\x00r\\x00y\\x00T\\x00i\\x00l\\x00e\\x00S\\x00t\\x00o\\x00r\\x00e\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x06\\x00\\x00\\x00\\xffb8\\x00\\x00\\x00\\x1b\\x00\\x00\\x00\\x00\\x00\\x00\\x006\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xffb0E\\xffe7w\\xfffc\\x7f\\x00\\x00\\xfff8\\xffbdHe\\xffa3\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00`\\xffed\\x0f\\xfff9\\xffb8\\x00\\x00\\x00\\xff8c\\xffc2\\xffffw\\xfffc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\xffa3\\x02\\x00\\x00P\\xffb3He\\xffa3\\x02\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xffa3\\x02\\x00\\x00\\xff9e\\xff92\\xffa3*\\xffbd\\xffaa\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xffd0\\xffd7Ke\\xffa3\\x02\\x00\\x00\\xfff8\\xffbdHe\\xffa3\\x02\\x00\\x00\\xffd0\\xffbdHe\\xffa3\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xff87\\xff9d\\xffbbw\\xfffc\\x7f\\x00\\x00P\\xffb3He\\xffa3\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xffd0\\xffbdHe\\xffa3\\x02\\x00\\x00P\\xffb3He\\xffa3\\x02\\x00\\x00\\xffd0\\xffd7Ke\\xffa3\\x02\\x00\\x00\\xffd0\\xffe7Ke\\xffa3\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xfff6s\\xffbbw\\xfffc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x07\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xff80\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xffd0\\xffd7Ke\\xffa3\\x02\\x00\\x00\\xffc07Le\\xffa3\\x02\\x00\\x00\\xffc07Le\\xffa3\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00P\\xffb3He\\xffa3\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x
00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xffc07Le\\xffa3\\x02\\x00\\x00\\xff8c\\xffc2\\xffffw\\xfffc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\xffa3\\x02\\x00\\x00P\\xffb3He\\xffa3\\x02\\x00\\x00\\xffd0\\xffe7Ke\\xffa3\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00`\\xffee\\x0f\\xfff9\\xffb8\\x00\\x00\\x003\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x006Le\\xffa3\\x02\\x00\\x00\\xffd0\\xffbdHe\\xffa3\\x02\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 4333
          },
          {
            "timestamp": "2026-05-28 22:02:14,275",
            "thread_id": "11156",
            "caller": "0x7ffc756e2e92",
            "parentcaller": "0x7ffc77c29cb2",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005d8"
              },
              {
                "name": "ValueName",
                "value": "ActivationType"
              },
              {
                "name": "Data",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.Tiles.SecondaryTileStore\\ActivationType"
              }
            ],
            "repeated": 0,
            "id": 4334
          },
          {
            "timestamp": "2026-05-28 22:02:14,275",
            "thread_id": "11156",
            "caller": "0x7ffc77b87deb",
            "parentcaller": "0x7ffc77c38ff0",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005d8"
              },
              {
                "name": "ValueName",
                "value": "Server"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.Tiles.SecondaryTileStore\\Server"
              }
            ],
            "repeated": 0,
            "id": 4335
          },
          {
            "timestamp": "2026-05-28 22:02:14,275",
            "thread_id": "11156",
            "caller": "0x7ffc77b87deb",
            "parentcaller": "0x7ffc77c400bb",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005d8"
              },
              {
                "name": "ValueName",
                "value": "DllPath"
              },
              {
                "name": "Data",
                "value": "C:\\Windows\\System32\\TileDataRepository.dll"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.Tiles.SecondaryTileStore\\DllPath"
              }
            ],
            "repeated": 0,
            "id": 4336
          },
          {
            "timestamp": "2026-05-28 22:02:14,275",
            "thread_id": "11156",
            "caller": "0x7ffc756e2e92",
            "parentcaller": "0x7ffc77c29cb2",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005d8"
              },
              {
                "name": "ValueName",
                "value": "Threading"
              },
              {
                "name": "Data",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.Tiles.SecondaryTileStore\\Threading"
              }
            ],
            "repeated": 0,
            "id": 4337
          },
          {
            "timestamp": "2026-05-28 22:02:14,275",
            "thread_id": "11156",
            "caller": "0x7ffc756e2e92",
            "parentcaller": "0x7ffc77c29cb2",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005d8"
              },
              {
                "name": "ValueName",
                "value": "TrustLevel"
              },
              {
                "name": "Data",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.Tiles.SecondaryTileStore\\TrustLevel"
              }
            ],
            "repeated": 0,
            "id": 4338
          },
          {
            "timestamp": "2026-05-28 22:02:14,275",
            "thread_id": "11156",
            "caller": "0x7ffc77b8c0fc",
            "parentcaller": "0x7ffc77c24170",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x000005d8"
              },
              {
                "name": "SubKey",
                "value": "CustomAttributes"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.Tiles.SecondaryTileStore\\CustomAttributes"
              }
            ],
            "repeated": 0,
            "id": 4339
          },
          {
            "timestamp": "2026-05-28 22:02:14,275",
            "thread_id": "11156",
            "caller": "0x7ffc77b87deb",
            "parentcaller": "0x7ffc77c38ff0",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005d8"
              },
              {
                "name": "ValueName",
                "value": "RemoteServer"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.Tiles.SecondaryTileStore\\RemoteServer"
              }
            ],
            "repeated": 0,
            "id": 4340
          },
          {
            "timestamp": "2026-05-28 22:02:14,275",
            "thread_id": "11156",
            "caller": "0x7ffc756e2e92",
            "parentcaller": "0x7ffc77c29cb2",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005d8"
              },
              {
                "name": "ValueName",
                "value": "ActivateAsUser"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.Tiles.SecondaryTileStore\\ActivateAsUser"
              }
            ],
            "repeated": 0,
            "id": 4341
          },
          {
            "timestamp": "2026-05-28 22:02:14,275",
            "thread_id": "11156",
            "caller": "0x7ffc756e2e92",
            "parentcaller": "0x7ffc77c29cb2",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005d8"
              },
              {
                "name": "ValueName",
                "value": "ActivateInSharedBroker"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.Tiles.SecondaryTileStore\\ActivateInSharedBroker"
              }
            ],
            "repeated": 0,
            "id": 4342
          },
          {
            "timestamp": "2026-05-28 22:02:14,275",
            "thread_id": "11156",
            "caller": "0x7ffc756e2e92",
            "parentcaller": "0x7ffc77c29cb2",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005d8"
              },
              {
                "name": "ValueName",
                "value": "ActivateInBrokerForMediumILContainer"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.Tiles.SecondaryTileStore\\ActivateInBrokerForMediumILContainer"
              }
            ],
            "repeated": 0,
            "id": 4343
          },
          {
            "timestamp": "2026-05-28 22:02:14,275",
            "thread_id": "11156",
            "caller": "0x7ffc756e2e92",
            "parentcaller": "0x7ffc77c32222",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005d8"
              },
              {
                "name": "ValueName",
                "value": "Permissions"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.Tiles.SecondaryTileStore\\Permissions"
              }
            ],
            "repeated": 0,
            "id": 4344
          },
          {
            "timestamp": "2026-05-28 22:02:14,275",
            "thread_id": "11156",
            "caller": "0x7ffc756e2e92",
            "parentcaller": "0x7ffc77c29cb2",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005d8"
              },
              {
                "name": "ValueName",
                "value": "ActivateOnHostFlags"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.Tiles.SecondaryTileStore\\ActivateOnHostFlags"
              }
            ],
            "repeated": 0,
            "id": 4345
          },
          {
            "timestamp": "2026-05-28 22:02:14,275",
            "thread_id": "11156",
            "caller": "0x7ffc77c27226",
            "parentcaller": "0x7ffc77c2ca23",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005d8"
              }
            ],
            "repeated": 0,
            "id": 4346
          },
          {
            "timestamp": "2026-05-28 22:02:14,275",
            "thread_id": "11156",
            "caller": "0x7ffc756e56b2",
            "parentcaller": "0x7ffc77bc6b6d",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\System32\\StateRepository.Core"
              },
              {
                "name": "DllBase",
                "value": "0x7ffc6ab30000"
              }
            ],
            "repeated": 0,
            "id": 4347
          },
          {
            "timestamp": "2026-05-28 22:02:14,275",
            "thread_id": "11032",
            "caller": "0x7ffc756e53aa",
            "parentcaller": "0x7ffc1fa0f4b5",
            "category": "filesystem",
            "api": "NtWriteFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00001774"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\NamedPipe\\LOCAL\\mojo.9188.10632.18297276111718467407"
              },
              {
                "name": "Buffer",
                "value": "\\x10\\x00\\x00\\x00p\\x00\\x00\\x00e#\\x0e\\x05\\x00\\x00\\x00\\x00\\x18\\x00\\x14\\x00\\x00\\x00\\x00\\x00\\x1f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00H\\x00\\x00\\x00\\x00\\x00\\x00\\x00+\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00~\\x01\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "Length",
                "value": "112"
              }
            ],
            "repeated": 0,
            "id": 4348
          },
          {
            "timestamp": "2026-05-28 22:02:14,275",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 4349
          },
          {
            "timestamp": "2026-05-28 22:02:14,275",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002cc"
              },
              {
                "name": "Milliseconds",
                "value": "4717"
              }
            ],
            "repeated": 0,
            "id": 4350
          },
          {
            "timestamp": "2026-05-28 22:02:14,291",
            "thread_id": "11156",
            "caller": "0x7ffc756e56b2",
            "parentcaller": "0x7ffc77bc6b6d",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\System32\\Windows.StateRepository"
              },
              {
                "name": "DllBase",
                "value": "0x7ffc6ac50000"
              }
            ],
            "repeated": 0,
            "id": 4351
          },
          {
            "timestamp": "2026-05-28 22:02:14,291",
            "thread_id": "11156",
            "caller": "0x7ffc756e56b2",
            "parentcaller": "0x7ffc77bc6b6d",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\System32\\TileDataRepository"
              },
              {
                "name": "DllBase",
                "value": "0x7ffc61260000"
              }
            ],
            "repeated": 0,
            "id": 4352
          },
          {
            "timestamp": "2026-05-28 22:02:14,291",
            "thread_id": "11156",
            "caller": "0x7ffc756e56b2",
            "parentcaller": "0x7ffc77bc6b6d",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\TileDataRepository.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc61260000"
              }
            ],
            "repeated": 0,
            "id": 4353
          },
          {
            "timestamp": "2026-05-28 22:02:14,291",
            "thread_id": "11156",
            "caller": "0x7ffc756e56b2",
            "parentcaller": "0x7ffc77bc6b6d",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x7ffc61260000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\System32\\TileDataRepository.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00002008"
              }
            ],
            "repeated": 0,
            "id": 4354
          },
          {
            "timestamp": "2026-05-28 22:02:14,291",
            "thread_id": "11156",
            "caller": "0x7ffc756eac31",
            "parentcaller": "0x7ffc77bc6acf",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "TileDataRepository.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc61260000"
              },
              {
                "name": "FunctionName",
                "value": "DllGetClassObject"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc6127cbe0"
              }
            ],
            "repeated": 0,
            "id": 4355
          },
          {
            "timestamp": "2026-05-28 22:02:14,291",
            "thread_id": "11156",
            "caller": "0x7ffc756eac31",
            "parentcaller": "0x7ffc77bc6ae8",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "TileDataRepository.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc61260000"
              },
              {
                "name": "FunctionName",
                "value": "DllGetActivationFactory"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc6126cfe0"
              }
            ],
            "repeated": 0,
            "id": 4356
          },
          {
            "timestamp": "2026-05-28 22:02:14,291",
            "thread_id": "11156",
            "caller": "0x7ffc756eac31",
            "parentcaller": "0x7ffc77bc6b08",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "TileDataRepository.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc61260000"
              },
              {
                "name": "FunctionName",
                "value": "DllCanUnloadNow"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc61261270"
              }
            ],
            "repeated": 0,
            "id": 4357
          },
          {
            "timestamp": "2026-05-28 22:02:14,291",
            "thread_id": "11156",
            "caller": "0x7ffc756de76a",
            "parentcaller": "0x7ffc6127ab6e",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc77fd0000"
              }
            ],
            "repeated": 0,
            "id": 4358
          },
          {
            "timestamp": "2026-05-28 22:02:14,291",
            "thread_id": "11156",
            "caller": "0x7ffc756eac31",
            "parentcaller": "0x7ffc6126fde9",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc77fd0000"
              },
              {
                "name": "FunctionName",
                "value": "RtlDisownModuleHeapAllocation"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc7804fa30"
              }
            ],
            "repeated": 0,
            "id": 4359
          },
          {
            "timestamp": "2026-05-28 22:02:14,291",
            "thread_id": "11156",
            "caller": "0x7ffc7572026b",
            "parentcaller": "0x7ffc6128e80f",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x000005dc"
              }
            ],
            "repeated": 0,
            "id": 4360
          },
          {
            "timestamp": "2026-05-28 22:02:14,291",
            "thread_id": "11156",
            "caller": "0x7ffc756e54eb",
            "parentcaller": "0x7ffc612866f7",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "29"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 4361
          },
          {
            "timestamp": "2026-05-28 22:02:14,291",
            "thread_id": "11156",
            "caller": "0x7ffc78017830",
            "parentcaller": "0x7ffc780020f9",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc612f5000"
              },
              {
                "name": "ModuleName",
                "value": "TileDataRepository.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 4362
          },
          {
            "timestamp": "2026-05-28 22:02:14,291",
            "thread_id": "11156",
            "caller": "0x7ffc78017881",
            "parentcaller": "0x7ffc780020f9",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc612f5000"
              },
              {
                "name": "ModuleName",
                "value": "TileDataRepository.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 4363
          },
          {
            "timestamp": "2026-05-28 22:02:14,291",
            "thread_id": "11156",
            "caller": "0x7ffc77c2dd9d",
            "parentcaller": "0x7ffc77bc7428",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000005e0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020119",
                "pretty_value": "KEY_QUERY_VALUE|KEY_ENUMERATE_SUB_KEYS|KEY_NOTIFY|KEY_WOW64_64KEY|STANDARD_RIGHTS_REQUIRED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000378"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Windows.System.Internal.UserManager"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.System.Internal.UserManager"
              }
            ],
            "repeated": 0,
            "id": 4364
          },
          {
            "timestamp": "2026-05-28 22:02:14,291",
            "thread_id": "11156",
            "caller": "0x7ffc77c2ddf7",
            "parentcaller": "0x7ffc77bc7428",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000005e0"
              },
              {
                "name": "KeyInformation",
                "value": "\\xffd9E\\x04\\xffd4\\xffde\\xffac\\xffd5\\x01\\x00\\x00\\x00\\x00F\\x00\\x00\\x00W\\x00i\\x00n\\x00d\\x00o\\x00w\\x00s\\x00.\\x00S\\x00y\\x00s\\x00t\\x00e\\x00m\\x00.\\x00I\\x00n\\x00t\\x00e\\x00r\\x00n\\x00a\\x00l\\x00.\\x00U\\x00s\\x00e\\x00r\\x00M\\x00a\\x00n\\x00a\\x00g\\x00e\\x00r\\x00\\x00\\x00\\xff80\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\"\\x00\\x00\\x00\\xfffc\\x7f\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xffb0E\\xffe7w\\xfffc\\x7f\\x00\\x00x\\xffb1He\\xffa3\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xffe9\\x0f\\xfff9\\xffb8\\x00\\x00\\x00\\xff8c\\xffc2\\xffffw\\xfffc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\xffa3\\x02\\x00\\x00\\x00=Le\\xffa3\\x02\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xffa3\\x02\\x00\\x00\\xfffe\\xff9e\\xffa3*\\xffbd\\xffaa\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xffd0\\xffd7Ke\\xffa3\\x02\\x00\\x00x\\xffb1He\\xffa3\\x02\\x00\\x00P\\xffb1He\\xffa3\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xff87\\xff9d\\xffbbw\\xfffc\\x7f\\x00\\x00\\x00=Le\\xffa3\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00P\\xffb1He\\xffa3\\x02\\x00\\x00\\x00=Le\\xffa3\\x02\\x00\\x00\\xffd0\\xffd7Ke\\xffa3\\x02\\x00\\x00\\x00\\xffeaKe\\xffa3\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xfff6s\\xffbbw\\xfffc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x07\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xff80\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xffd0\\xffd7Ke\\xffa3\\x02\\x00\\x00\\xffb04Le\\xffa3\\x02\\x00\\x00\\xffb04Le\\xffa3\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00=Le\\xffa3\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\
x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xffb04Le\\xffa3\\x02\\x00\\x00\\xff8c\\xffc2\\xffffw\\xfffc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\xffa3\\x02\\x00\\x00\\x00=Le\\xffa3\\x02\\x00\\x00\\x00\\xffeaKe\\xffa3\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xffea\\x0f\\xfff9\\xffb8\\x00\\x00\\x003\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x006Le\\xffa3\\x02\\x00\\x00P\\xffb1He\\xffa3\\x02\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 4365
          },
          {
            "timestamp": "2026-05-28 22:02:14,291",
            "thread_id": "11156",
            "caller": "0x7ffc756e2e92",
            "parentcaller": "0x7ffc77c29cb2",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005e0"
              },
              {
                "name": "ValueName",
                "value": "ActivationType"
              },
              {
                "name": "Data",
                "value": "1"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.System.Internal.UserManager\\ActivationType"
              }
            ],
            "repeated": 0,
            "id": 4366
          },
          {
            "timestamp": "2026-05-28 22:02:14,291",
            "thread_id": "11156",
            "caller": "0x7ffc77b87deb",
            "parentcaller": "0x7ffc77c38ff0",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005e0"
              },
              {
                "name": "ValueName",
                "value": "Server"
              },
              {
                "name": "Data",
                "value": "UserManager"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.System.Internal.UserManager\\Server"
              }
            ],
            "repeated": 0,
            "id": 4367
          },
          {
            "timestamp": "2026-05-28 22:02:14,291",
            "thread_id": "11156",
            "caller": "0x7ffc77b87deb",
            "parentcaller": "0x7ffc77c400bb",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005e0"
              },
              {
                "name": "ValueName",
                "value": "DllPath"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.System.Internal.UserManager\\DllPath"
              }
            ],
            "repeated": 0,
            "id": 4368
          },
          {
            "timestamp": "2026-05-28 22:02:14,291",
            "thread_id": "11156",
            "caller": "0x7ffc756e2e92",
            "parentcaller": "0x7ffc77c29cb2",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005e0"
              },
              {
                "name": "ValueName",
                "value": "Threading"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.System.Internal.UserManager\\Threading"
              }
            ],
            "repeated": 0,
            "id": 4369
          },
          {
            "timestamp": "2026-05-28 22:02:14,291",
            "thread_id": "11156",
            "caller": "0x7ffc756e2e92",
            "parentcaller": "0x7ffc77c29cb2",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005e0"
              },
              {
                "name": "ValueName",
                "value": "TrustLevel"
              },
              {
                "name": "Data",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.System.Internal.UserManager\\TrustLevel"
              }
            ],
            "repeated": 0,
            "id": 4370
          },
          {
            "timestamp": "2026-05-28 22:02:14,291",
            "thread_id": "11156",
            "caller": "0x7ffc77b8c0fc",
            "parentcaller": "0x7ffc77c24170",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x000005e0"
              },
              {
                "name": "SubKey",
                "value": "CustomAttributes"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.System.Internal.UserManager\\CustomAttributes"
              }
            ],
            "repeated": 0,
            "id": 4371
          },
          {
            "timestamp": "2026-05-28 22:02:14,291",
            "thread_id": "11156",
            "caller": "0x7ffc77b87deb",
            "parentcaller": "0x7ffc77c38ff0",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005e0"
              },
              {
                "name": "ValueName",
                "value": "RemoteServer"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.System.Internal.UserManager\\RemoteServer"
              }
            ],
            "repeated": 0,
            "id": 4372
          },
          {
            "timestamp": "2026-05-28 22:02:14,291",
            "thread_id": "11156",
            "caller": "0x7ffc756e2e92",
            "parentcaller": "0x7ffc77c29cb2",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005e0"
              },
              {
                "name": "ValueName",
                "value": "ActivateAsUser"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.System.Internal.UserManager\\ActivateAsUser"
              }
            ],
            "repeated": 0,
            "id": 4373
          },
          {
            "timestamp": "2026-05-28 22:02:14,291",
            "thread_id": "11156",
            "caller": "0x7ffc756e2e92",
            "parentcaller": "0x7ffc77c29cb2",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005e0"
              },
              {
                "name": "ValueName",
                "value": "ActivateInSharedBroker"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.System.Internal.UserManager\\ActivateInSharedBroker"
              }
            ],
            "repeated": 0,
            "id": 4374
          },
          {
            "timestamp": "2026-05-28 22:02:14,291",
            "thread_id": "11156",
            "caller": "0x7ffc756e2e92",
            "parentcaller": "0x7ffc77c29cb2",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005e0"
              },
              {
                "name": "ValueName",
                "value": "ActivateInBrokerForMediumILContainer"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.System.Internal.UserManager\\ActivateInBrokerForMediumILContainer"
              }
            ],
            "repeated": 0,
            "id": 4375
          },
          {
            "timestamp": "2026-05-28 22:02:14,291",
            "thread_id": "11156",
            "caller": "0x7ffc756e2e92",
            "parentcaller": "0x7ffc77c32222",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005e0"
              },
              {
                "name": "ValueName",
                "value": "Permissions"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.System.Internal.UserManager\\Permissions"
              }
            ],
            "repeated": 0,
            "id": 4376
          },
          {
            "timestamp": "2026-05-28 22:02:14,291",
            "thread_id": "11156",
            "caller": "0x7ffc756e2e92",
            "parentcaller": "0x7ffc77c29cb2",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005e0"
              },
              {
                "name": "ValueName",
                "value": "ActivateOnHostFlags"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.System.Internal.UserManager\\ActivateOnHostFlags"
              }
            ],
            "repeated": 0,
            "id": 4377
          },
          {
            "timestamp": "2026-05-28 22:02:14,291",
            "thread_id": "11156",
            "caller": "0x7ffc77c2dd9d",
            "parentcaller": "0x7ffc77bc7428",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000005e4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020119",
                "pretty_value": "KEY_QUERY_VALUE|KEY_ENUMERATE_SUB_KEYS|KEY_NOTIFY|KEY_WOW64_64KEY|STANDARD_RIGHTS_REQUIRED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000004e0"
              },
              {
                "name": "ObjectAttributesName",
                "value": "UserManager"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\Server\\UserManager"
              }
            ],
            "repeated": 0,
            "id": 4378
          },
          {
            "timestamp": "2026-05-28 22:02:14,291",
            "thread_id": "11156",
            "caller": "0x7ffc77c2ddf7",
            "parentcaller": "0x7ffc77bc7428",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000005e4"
              },
              {
                "name": "KeyInformation",
                "value": "\\xffcek|\\xffd3\\xffde\\xffac\\xffd5\\x01\\x00\\x00\\x00\\x00\\x16\\x00\\x00\\x00U\\x00s\\x00e\\x00r\\x00M\\x00a\\x00n\\x00a\\x00g\\x00e\\x00r\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xff80\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xff88\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00p\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xff80\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xff80\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xff80\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xffb0C\\xffe7w\\xfffc\\x7f\\x00\\x00x\\xffb2He\\xffa3\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00P\\xffe5\\x0f\\xfff9\\xffb8\\x00\\x00\\x00\\xff8c\\xffc2\\xffffw\\xfffc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\xffa3\\x02\\x00\\x00P\\xffd0Ke\\xffa3\\x02\\x00\\x00\\x02\\x00\\x00\\x00\\xffa3\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xff8e\\xff9a\\xffa3*\\xffbd\\xffaa\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xff90\\xffdaKe\\xffa3\\x02\\x00\\x00x\\xffb2He\\xffa3\\x02\\x00\\x00P\\xffb2He\\xffa3\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xff87\\xff9d\\xffbbw\\xfffc\\x7f\\x00\\x00P\\xffd0Ke\\xffa3\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x07\\x00\\x00\\x00\\x00\\x00\\x00\\x00P\\xffb2He\\xffa3\\x02\\x00\\x00P\\xffd0Ke\\xffa3\\x02\\x00\\x00\\xff90\\xffdaKe\\xffa3\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xffe0=Le\\xffa3\\x02\\x00\\x00kj\\xffbbw\\xfffc\\x7f\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xff98\\xffe6\\x0f\\xfff9\\xffb8\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xff90\\xffdaKe\\xffa3\\x02\\x00\\x00P0Le\\xffa3\\x02\\x00\\x00P0Le\\xffa3\\x02\\x00\\x00\\x00\\x00
\\x00\\x00\\x00\\x00\\x00\\x00P\\xffd0Ke\\xffa3\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xff800Le\\xffa3\\x02\\x00\\x00\\xffe3r\\xffbbw\\xfffc\\x7f\\x00\\x00P\\xffb2He\\xffa3\\x02\\x00\\x00k\\xff89\\xffc6w\\xfffc\\x7f\\x00\\x00\\xffd8\\xffba\\xffdfw\\xfffc\\x7f\\x00\\x00P\\xffb2He\\xffa3\\x02\\x00\\x00\\x08\\xffe6\\x0f\\xfff9\\xffb8\\x00\\x00\\x00\\x01~\\xffbbw\\xfffc\\x7f\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00E\\xffae\\xffc3w\\xfffc\\x7f\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 4379
          },
          {
            "timestamp": "2026-05-28 22:02:14,291",
            "thread_id": "11156",
            "caller": "0x7ffc77b87deb",
            "parentcaller": "0x7ffc77c400bb",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005e4"
              },
              {
                "name": "ValueName",
                "value": "ExePath"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\Server\\UserManager\\ExePath"
              }
            ],
            "repeated": 0,
            "id": 4380
          },
          {
            "timestamp": "2026-05-28 22:02:14,291",
            "thread_id": "11156",
            "caller": "0x7ffc77b87deb",
            "parentcaller": "0x7ffc77c400bb",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005e4"
              },
              {
                "name": "ValueName",
                "value": "CommandLine"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\Server\\UserManager\\CommandLine"
              }
            ],
            "repeated": 0,
            "id": 4381
          },
          {
            "timestamp": "2026-05-28 22:02:14,291",
            "thread_id": "11156",
            "caller": "0x7ffc756e2e92",
            "parentcaller": "0x7ffc77c29cb2",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005e4"
              },
              {
                "name": "ValueName",
                "value": "IdentityType"
              },
              {
                "name": "Data",
                "value": "1"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\Server\\UserManager\\IdentityType"
              }
            ],
            "repeated": 0,
            "id": 4382
          },
          {
            "timestamp": "2026-05-28 22:02:14,291",
            "thread_id": "11156",
            "caller": "0x7ffc756e2e92",
            "parentcaller": "0x7ffc77c32222",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005e4"
              },
              {
                "name": "ValueName",
                "value": "Permissions"
              },
              {
                "name": "Data",
                "value": "\\x01\\x00\\x14\\x80d\\x00\\x00\\x00p\\x00\\x00\\x00\\x14\\x00\\x00\\x000\\x00\\x00\\x00\\x02\\x00\\x1c\\x00\\x01\\x00\\x00\\x00\\x11\\x00\\x14\\x00\\x04\\x00\\x00\\x00\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x10\\x00\\x00\\x02\\x004\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x18\\x00\\x1f\\x00\\x00\\x00\\x01\\x02\\x00\\x00\\x00\\x00\\x00\\x0f\\x02\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x14\\x00\\x1f\\x00\\x00\\x00\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x05\n\\x00\\x00\\x00\\x01\\x02\\x00\\x00\\x00\\x00\\x00\\x05 \\x00\\x00\\x00!\\x02\\x00\\x00"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\Server\\UserManager\\Permissions"
              }
            ],
            "repeated": 0,
            "id": 4383
          },
          {
            "timestamp": "2026-05-28 22:02:14,291",
            "thread_id": "11156",
            "caller": "0x7ffc77b87deb",
            "parentcaller": "0x7ffc77c49d80",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005e4"
              },
              {
                "name": "ValueName",
                "value": "ActivatableClasses"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\Server\\UserManager\\ActivatableClasses"
              }
            ],
            "repeated": 0,
            "id": 4384
          },
          {
            "timestamp": "2026-05-28 22:02:14,291",
            "thread_id": "11156",
            "caller": "0x7ffc756e2e92",
            "parentcaller": "0x7ffc77c29cb2",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005e4"
              },
              {
                "name": "ValueName",
                "value": "ServerType"
              },
              {
                "name": "Data",
                "value": "2"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\Server\\UserManager\\ServerType"
              }
            ],
            "repeated": 0,
            "id": 4385
          },
          {
            "timestamp": "2026-05-28 22:02:14,291",
            "thread_id": "11156",
            "caller": "0x7ffc77b87deb",
            "parentcaller": "0x7ffc77c38ff0",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005e4"
              },
              {
                "name": "ValueName",
                "value": "AppId"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\Server\\UserManager\\AppId"
              }
            ],
            "repeated": 0,
            "id": 4386
          },
          {
            "timestamp": "2026-05-28 22:02:14,291",
            "thread_id": "11156",
            "caller": "0x7ffc77b87deb",
            "parentcaller": "0x7ffc77c38ff0",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005e4"
              },
              {
                "name": "ValueName",
                "value": "Identity"
              },
              {
                "name": "Data",
                "value": "nt authority\\system"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\Server\\UserManager\\Identity"
              }
            ],
            "repeated": 0,
            "id": 4387
          },
          {
            "timestamp": "2026-05-28 22:02:14,291",
            "thread_id": "11156",
            "caller": "0x7ffc77b87deb",
            "parentcaller": "0x7ffc77c38ff0",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005e4"
              },
              {
                "name": "ValueName",
                "value": "ServiceName"
              },
              {
                "name": "Data",
                "value": "UserManager"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\Server\\UserManager\\ServiceName"
              }
            ],
            "repeated": 0,
            "id": 4388
          },
          {
            "timestamp": "2026-05-28 22:02:14,291",
            "thread_id": "11156",
            "caller": "0x7ffc756e2e92",
            "parentcaller": "0x7ffc77c29cb2",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005e4"
              },
              {
                "name": "ValueName",
                "value": "ExplicitPsmActivationType"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\Server\\UserManager\\ExplicitPsmActivationType"
              }
            ],
            "repeated": 0,
            "id": 4389
          },
          {
            "timestamp": "2026-05-28 22:02:14,291",
            "thread_id": "11156",
            "caller": "0x7ffc77b8c0fc",
            "parentcaller": "0x7ffc77c24170",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x000005e4"
              },
              {
                "name": "SubKey",
                "value": "CustomAttributes"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\Server\\UserManager\\CustomAttributes"
              }
            ],
            "repeated": 0,
            "id": 4390
          },
          {
            "timestamp": "2026-05-28 22:02:14,291",
            "thread_id": "11156",
            "caller": "0x7ffc77c27226",
            "parentcaller": "0x7ffc77c2ca23",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005e4"
              }
            ],
            "repeated": 0,
            "id": 4391
          },
          {
            "timestamp": "2026-05-28 22:02:14,291",
            "thread_id": "11156",
            "caller": "0x7ffc77c27226",
            "parentcaller": "0x7ffc77c2ca23",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005e0"
              }
            ],
            "repeated": 0,
            "id": 4392
          },
          {
            "timestamp": "2026-05-28 22:02:14,291",
            "thread_id": "11156",
            "caller": "0x7ffc77be92b9",
            "parentcaller": "0x7ffc77c2224d",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "00000339-0000-0000-C000-000000000046"
              },
              {
                "name": "ClsContext",
                "value": "0x00000403",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER|CLSCTX_NO_CODE_DOWNLOAD"
              },
              {
                "name": "riid",
                "value": "00000003-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 4393
          },
          {
            "timestamp": "2026-05-28 22:02:14,291",
            "thread_id": "11156",
            "caller": "0x7ffc77ba22bf",
            "parentcaller": "0x7ffc77c1fbe4",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x000003c6"
              },
              {
                "name": "SubKey",
                "value": "Interface\\{252E7F79-ACFA-4EA2-9A7E-FA27A8A4D3D9}"
              },
              {
                "name": "Handle",
                "value": "0x000005e2"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\Interface\\{252E7F79-ACFA-4EA2-9A7E-FA27A8A4D3D9}"
              }
            ],
            "repeated": 0,
            "id": 4394
          },
          {
            "timestamp": "2026-05-28 22:02:14,291",
            "thread_id": "11156",
            "caller": "0x7ffc77c1fa51",
            "parentcaller": "0x7ffc77be42ab",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x000005e2"
              },
              {
                "name": "SubKey",
                "value": "ProxyStubClsid32"
              },
              {
                "name": "Handle",
                "value": "0x000005e6"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{252E7F79-ACFA-4EA2-9A7E-FA27A8A4D3D9}\\ProxyStubClsid32"
              }
            ],
            "repeated": 0,
            "id": 4395
          },
          {
            "timestamp": "2026-05-28 22:02:14,291",
            "thread_id": "11156",
            "caller": "0x7ffc77c1fa8c",
            "parentcaller": "0x7ffc77be42ab",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005e6"
              },
              {
                "name": "ValueName",
                "value": ""
              },
              {
                "name": "Data",
                "value": "{1BAC8681-2965-4FFC-92D1-170CA4099E01}"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{252E7F79-ACFA-4EA2-9A7E-FA27A8A4D3D9}\\ProxyStubClsid32\\(Default)"
              }
            ],
            "repeated": 0,
            "id": 4396
          },
          {
            "timestamp": "2026-05-28 22:02:14,291",
            "thread_id": "11156",
            "caller": "0x7ffc77c1fad3",
            "parentcaller": "0x7ffc77be42ab",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005e6"
              }
            ],
            "repeated": 0,
            "id": 4397
          },
          {
            "timestamp": "2026-05-28 22:02:14,291",
            "thread_id": "11156",
            "caller": "0x7ffc77c1fae4",
            "parentcaller": "0x7ffc77be42ab",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005e2"
              }
            ],
            "repeated": 0,
            "id": 4398
          },
          {
            "timestamp": "2026-05-28 22:02:14,291",
            "thread_id": "11156",
            "caller": "0x7ffc77ba7b74",
            "parentcaller": "0x7ffc77ba53d4",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x0000036a"
              },
              {
                "name": "SubKey",
                "value": "CLSID\\{1BAC8681-2965-4FFC-92D1-170CA4099E01}"
              },
              {
                "name": "Handle",
                "value": "0x000005e2"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{1BAC8681-2965-4FFC-92D1-170CA4099E01}"
              }
            ],
            "repeated": 0,
            "id": 4399
          },
          {
            "timestamp": "2026-05-28 22:02:14,291",
            "thread_id": "11156",
            "caller": "0x7ffc756e45a7",
            "parentcaller": "0x7ffc756e0705",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000005e2"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\CLSID\\{1BAC8681-2965-4FFC-92D1-170CA4099E01}"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 4400
          },
          {
            "timestamp": "2026-05-28 22:02:14,291",
            "thread_id": "11156",
            "caller": "0x7ffc756e2314",
            "parentcaller": "0x7ffc756e0732",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000005e2"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 4401
          },
          {
            "timestamp": "2026-05-28 22:02:14,291",
            "thread_id": "11156",
            "caller": "0x7ffc78006c8b",
            "parentcaller": "0x7ffc756e23a0",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xc0\\xc0\\x0f\\xf9\\xb8\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xfc\\x7f\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\xe9\\x03\\x00\\x00\\xfc\\x7f\\x00\\x00\\xb8\\xcf\\xd93\\xfc\\x7f\\x00\\x00\\xe2\\x05\\x00\\x00\\x00\\x00\\x00\\x00\\xe0\\xd2\\xd93\\xfc\\x7f\\x00\\x00\\x04\\x00\\x00\\x00\\xb8\\x00\\x00\\x00\\xc0\\xc1\\x0f\\xf9\\xb8\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 4402
          },
          {
            "timestamp": "2026-05-28 22:02:14,291",
            "thread_id": "11156",
            "caller": "0x7ffc756e24a8",
            "parentcaller": "0x7ffc756e0732",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3968686040-3210279463-847977608-1001_Classes\\CLSID\\{1BAC8681-2965-4FFC-92D1-170CA4099E01}\\TreatAs"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{1BAC8681-2965-4FFC-92D1-170CA4099E01}\\TreatAs"
              }
            ],
            "repeated": 0,
            "id": 4403
          },
          {
            "timestamp": "2026-05-28 22:02:14,291",
            "thread_id": "11156",
            "caller": "0x7ffc756e40c4",
            "parentcaller": "0x7ffc756e25c4",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000005e2"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 4404
          },
          {
            "timestamp": "2026-05-28 22:02:14,291",
            "thread_id": "11156",
            "caller": "0x7ffc756e25e2",
            "parentcaller": "0x7ffc756e0732",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000005e2"
              },
              {
                "name": "ObjectAttributesName",
                "value": "TreatAs"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{1BAC8681-2965-4FFC-92D1-170CA4099E01}\\TreatAs"
              }
            ],
            "repeated": 0,
            "id": 4405
          },
          {
            "timestamp": "2026-05-28 22:02:14,291",
            "thread_id": "11156",
            "caller": "0x7ffc77c322e1",
            "parentcaller": "0x7ffc77ba7c1d",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000005e2"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\CLSID\\{1BAC8681-2965-4FFC-92D1-170CA4099E01}"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 4406
          },
          {
            "timestamp": "2026-05-28 22:02:14,291",
            "thread_id": "11156",
            "caller": "0x7ffc756e2e92",
            "parentcaller": "0x7ffc77ba81f5",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005e2"
              },
              {
                "name": "ValueName",
                "value": "ActivateOnHostFlags"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{1BAC8681-2965-4FFC-92D1-170CA4099E01}\\ActivateOnHostFlags"
              }
            ],
            "repeated": 0,
            "id": 4407
          },
          {
            "timestamp": "2026-05-28 22:02:14,291",
            "thread_id": "11156",
            "caller": "0x7ffc756e2e92",
            "parentcaller": "0x7ffc77ba870d",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005e2"
              },
              {
                "name": "ValueName",
                "value": ""
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{1BAC8681-2965-4FFC-92D1-170CA4099E01}\\(Default)"
              }
            ],
            "repeated": 0,
            "id": 4408
          },
          {
            "timestamp": "2026-05-28 22:02:14,291",
            "thread_id": "11156",
            "caller": "0x7ffc756e2e92",
            "parentcaller": "0x7ffc77ba87bc",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005e2"
              },
              {
                "name": "ValueName",
                "value": ""
              },
              {
                "name": "Data",
                "value": "Windows.System.User.ProxyStubFactory"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{1BAC8681-2965-4FFC-92D1-170CA4099E01}\\(Default)"
              }
            ],
            "repeated": 0,
            "id": 4409
          },
          {
            "timestamp": "2026-05-28 22:02:14,291",
            "thread_id": "11156",
            "caller": "0x7ffc77ba8485",
            "parentcaller": "0x7ffc77ba829e",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x000005e2"
              },
              {
                "name": "SubKey",
                "value": "InprocServer32"
              },
              {
                "name": "Handle",
                "value": "0x000005e6"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{1BAC8681-2965-4FFC-92D1-170CA4099E01}\\InprocServer32"
              }
            ],
            "repeated": 0,
            "id": 4410
          },
          {
            "timestamp": "2026-05-28 22:02:14,291",
            "thread_id": "11156",
            "caller": "0x7ffc756e2e92",
            "parentcaller": "0x7ffc77ba870d",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005e6"
              },
              {
                "name": "ValueName",
                "value": "InprocServer32"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{1BAC8681-2965-4FFC-92D1-170CA4099E01}\\InProcServer32\\InprocServer32"
              }
            ],
            "repeated": 0,
            "id": 4411
          },
          {
            "timestamp": "2026-05-28 22:02:14,291",
            "thread_id": "11156",
            "caller": "0x7ffc756e2e92",
            "parentcaller": "0x7ffc77ba870d",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005e6"
              },
              {
                "name": "ValueName",
                "value": ""
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{1BAC8681-2965-4FFC-92D1-170CA4099E01}\\InProcServer32\\(Default)"
              }
            ],
            "repeated": 0,
            "id": 4412
          },
          {
            "timestamp": "2026-05-28 22:02:14,291",
            "thread_id": "11156",
            "caller": "0x7ffc756e2e92",
            "parentcaller": "0x7ffc77ba87bc",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005e6"
              },
              {
                "name": "ValueName",
                "value": ""
              },
              {
                "name": "Data",
                "value": "C:\\Windows\\System32\\usermgrproxy.dll"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{1BAC8681-2965-4FFC-92D1-170CA4099E01}\\InProcServer32\\(Default)"
              }
            ],
            "repeated": 0,
            "id": 4413
          },
          {
            "timestamp": "2026-05-28 22:02:14,291",
            "thread_id": "11156",
            "caller": "0x7ffc756e2e92",
            "parentcaller": "0x7ffc77ba8d32",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005e6"
              },
              {
                "name": "ValueName",
                "value": "ThreadingModel"
              },
              {
                "name": "Data",
                "value": "Both"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{1BAC8681-2965-4FFC-92D1-170CA4099E01}\\InProcServer32\\ThreadingModel"
              }
            ],
            "repeated": 0,
            "id": 4414
          },
          {
            "timestamp": "2026-05-28 22:02:14,291",
            "thread_id": "11156",
            "caller": "0x7ffc77ba855f",
            "parentcaller": "0x7ffc77ba829e",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005e6"
              }
            ],
            "repeated": 0,
            "id": 4415
          },
          {
            "timestamp": "2026-05-28 22:02:14,291",
            "thread_id": "11156",
            "caller": "0x7ffc756e45a7",
            "parentcaller": "0x7ffc756e0705",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000005e2"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\CLSID\\{1BAC8681-2965-4FFC-92D1-170CA4099E01}"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 4416
          },
          {
            "timestamp": "2026-05-28 22:02:14,291",
            "thread_id": "11156",
            "caller": "0x7ffc756e2314",
            "parentcaller": "0x7ffc756e0732",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000005e2"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 4417
          },
          {
            "timestamp": "2026-05-28 22:02:14,291",
            "thread_id": "11156",
            "caller": "0x7ffc78006c8b",
            "parentcaller": "0x7ffc756e23a0",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "P\\xbf\\x0f\\xf9\\xb8\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xfc\\x7f\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\xe9\\x03\\x00\\x00\\xfc\\x7f\\x00\\x00\\xb8\\xcf\\xd93\\xfc\\x7f\\x00\\x00\\xe2\\x05\\x00\\x00\\x00\\x00\\x00\\x00\\xe0\\xd2\\xd93\\xfc\\x7f\\x00\\x00\\x04\\x00\\x00\\x00\\xb8\\x00\\x00\\x00P\\xc0\\x0f\\xf9\\xb8\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 4418
          },
          {
            "timestamp": "2026-05-28 22:02:14,291",
            "thread_id": "11156",
            "caller": "0x7ffc756e24a8",
            "parentcaller": "0x7ffc756e0732",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3968686040-3210279463-847977608-1001_Classes\\CLSID\\{1BAC8681-2965-4FFC-92D1-170CA4099E01}\\InprocHandler32"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{1BAC8681-2965-4FFC-92D1-170CA4099E01}\\InprocHandler32"
              }
            ],
            "repeated": 0,
            "id": 4419
          },
          {
            "timestamp": "2026-05-28 22:02:14,291",
            "thread_id": "11156",
            "caller": "0x7ffc756e40c4",
            "parentcaller": "0x7ffc756e25c4",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000005e2"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 4420
          },
          {
            "timestamp": "2026-05-28 22:02:14,291",
            "thread_id": "11156",
            "caller": "0x7ffc756e25e2",
            "parentcaller": "0x7ffc756e0732",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000005e2"
              },
              {
                "name": "ObjectAttributesName",
                "value": "InprocHandler32"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{1BAC8681-2965-4FFC-92D1-170CA4099E01}\\InprocHandler32"
              }
            ],
            "repeated": 0,
            "id": 4421
          },
          {
            "timestamp": "2026-05-28 22:02:14,291",
            "thread_id": "11156",
            "caller": "0x7ffc756e45a7",
            "parentcaller": "0x7ffc756e0705",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000005e2"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\CLSID\\{1BAC8681-2965-4FFC-92D1-170CA4099E01}"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 4422
          },
          {
            "timestamp": "2026-05-28 22:02:14,291",
            "thread_id": "11156",
            "caller": "0x7ffc756e2314",
            "parentcaller": "0x7ffc756e0732",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000005e2"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 4423
          },
          {
            "timestamp": "2026-05-28 22:02:14,291",
            "thread_id": "11156",
            "caller": "0x7ffc78006c8b",
            "parentcaller": "0x7ffc756e23a0",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "P\\xbf\\x0f\\xf9\\xb8\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xfc\\x7f\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\xe9\\x03\\x00\\x00\\xfc\\x7f\\x00\\x00\\xb8\\xcf\\xd93\\xfc\\x7f\\x00\\x00\\xe2\\x05\\x00\\x00\\x00\\x00\\x00\\x00\\xe0\\xd2\\xd93\\xfc\\x7f\\x00\\x00\\x04\\x00\\x00\\x00\\xb8\\x00\\x00\\x00P\\xc0\\x0f\\xf9\\xb8\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 4424
          },
          {
            "timestamp": "2026-05-28 22:02:14,291",
            "thread_id": "11156",
            "caller": "0x7ffc756e24a8",
            "parentcaller": "0x7ffc756e0732",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3968686040-3210279463-847977608-1001_Classes\\CLSID\\{1BAC8681-2965-4FFC-92D1-170CA4099E01}\\InprocHandler"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{1BAC8681-2965-4FFC-92D1-170CA4099E01}\\InprocHandler"
              }
            ],
            "repeated": 0,
            "id": 4425
          },
          {
            "timestamp": "2026-05-28 22:02:14,291",
            "thread_id": "11156",
            "caller": "0x7ffc756e40c4",
            "parentcaller": "0x7ffc756e25c4",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000005e2"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 4426
          },
          {
            "timestamp": "2026-05-28 22:02:14,291",
            "thread_id": "11156",
            "caller": "0x7ffc756e25e2",
            "parentcaller": "0x7ffc756e0732",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000005e2"
              },
              {
                "name": "ObjectAttributesName",
                "value": "InprocHandler"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{1BAC8681-2965-4FFC-92D1-170CA4099E01}\\InprocHandler"
              }
            ],
            "repeated": 0,
            "id": 4427
          },
          {
            "timestamp": "2026-05-28 22:02:14,291",
            "thread_id": "11156",
            "caller": "0x7ffc77ba8010",
            "parentcaller": "0x7ffc77ba53d4",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005e2"
              }
            ],
            "repeated": 0,
            "id": 4428
          },
          {
            "timestamp": "2026-05-28 22:02:14,291",
            "thread_id": "11156",
            "caller": "0x7ffc756d30ce",
            "parentcaller": "0x7ffc77c22cd1",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 4429
          },
          {
            "timestamp": "2026-05-28 22:02:14,291",
            "thread_id": "11156",
            "caller": "0x7ffc756d30ce",
            "parentcaller": "0x7ffc77c22cd1",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000037c"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 4430
          },
          {
            "timestamp": "2026-05-28 22:02:14,291",
            "thread_id": "11156",
            "caller": "0x7ffc77ba7b74",
            "parentcaller": "0x7ffc77ba53d4",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x0000036a"
              },
              {
                "name": "SubKey",
                "value": "CLSID\\{1BAC8681-2965-4FFC-92D1-170CA4099E01}"
              },
              {
                "name": "Handle",
                "value": "0x000005e2"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{1BAC8681-2965-4FFC-92D1-170CA4099E01}"
              }
            ],
            "repeated": 0,
            "id": 4431
          },
          {
            "timestamp": "2026-05-28 22:02:14,291",
            "thread_id": "11156",
            "caller": "0x7ffc756e45a7",
            "parentcaller": "0x7ffc756e0705",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000005e2"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\CLSID\\{1BAC8681-2965-4FFC-92D1-170CA4099E01}"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 4432
          },
          {
            "timestamp": "2026-05-28 22:02:14,291",
            "thread_id": "11156",
            "caller": "0x7ffc756e2314",
            "parentcaller": "0x7ffc756e0732",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000005e2"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 4433
          },
          {
            "timestamp": "2026-05-28 22:02:14,291",
            "thread_id": "11156",
            "caller": "0x7ffc78006c8b",
            "parentcaller": "0x7ffc756e23a0",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\x80\\xbd\\x0f\\xf9\\xb8\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xfc\\x7f\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\xe9\\x03\\x00\\x00\\xfc\\x7f\\x00\\x00\\xb8\\xcf\\xd93\\xfc\\x7f\\x00\\x00\\xe2\\x05\\x00\\x00\\x00\\x00\\x00\\x00\\xe0\\xd2\\xd93\\xfc\\x7f\\x00\\x00\\x04\\x00\\x00\\x00\\xb8\\x00\\x00\\x00\\x80\\xbe\\x0f\\xf9\\xb8\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 4434
          },
          {
            "timestamp": "2026-05-28 22:02:14,291",
            "thread_id": "11156",
            "caller": "0x7ffc756e24a8",
            "parentcaller": "0x7ffc756e0732",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3968686040-3210279463-847977608-1001_Classes\\CLSID\\{1BAC8681-2965-4FFC-92D1-170CA4099E01}\\TreatAs"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{1BAC8681-2965-4FFC-92D1-170CA4099E01}\\TreatAs"
              }
            ],
            "repeated": 0,
            "id": 4435
          },
          {
            "timestamp": "2026-05-28 22:02:14,291",
            "thread_id": "11156",
            "caller": "0x7ffc756e40c4",
            "parentcaller": "0x7ffc756e25c4",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000005e2"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 4436
          },
          {
            "timestamp": "2026-05-28 22:02:14,291",
            "thread_id": "11156",
            "caller": "0x7ffc756e25e2",
            "parentcaller": "0x7ffc756e0732",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000005e2"
              },
              {
                "name": "ObjectAttributesName",
                "value": "TreatAs"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{1BAC8681-2965-4FFC-92D1-170CA4099E01}\\TreatAs"
              }
            ],
            "repeated": 0,
            "id": 4437
          },
          {
            "timestamp": "2026-05-28 22:02:14,291",
            "thread_id": "11156",
            "caller": "0x7ffc77c322e1",
            "parentcaller": "0x7ffc77ba7c1d",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000005e2"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\CLSID\\{1BAC8681-2965-4FFC-92D1-170CA4099E01}"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 4438
          },
          {
            "timestamp": "2026-05-28 22:02:14,291",
            "thread_id": "11156",
            "caller": "0x7ffc756e2e92",
            "parentcaller": "0x7ffc77ba81f5",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005e2"
              },
              {
                "name": "ValueName",
                "value": "ActivateOnHostFlags"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{1BAC8681-2965-4FFC-92D1-170CA4099E01}\\ActivateOnHostFlags"
              }
            ],
            "repeated": 0,
            "id": 4439
          },
          {
            "timestamp": "2026-05-28 22:02:14,291",
            "thread_id": "11156",
            "caller": "0x7ffc756e2e92",
            "parentcaller": "0x7ffc77ba870d",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005e2"
              },
              {
                "name": "ValueName",
                "value": ""
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{1BAC8681-2965-4FFC-92D1-170CA4099E01}\\(Default)"
              }
            ],
            "repeated": 0,
            "id": 4440
          },
          {
            "timestamp": "2026-05-28 22:02:14,291",
            "thread_id": "11156",
            "caller": "0x7ffc756e2e92",
            "parentcaller": "0x7ffc77ba87bc",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005e2"
              },
              {
                "name": "ValueName",
                "value": ""
              },
              {
                "name": "Data",
                "value": "Windows.System.User.ProxyStubFactory"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{1BAC8681-2965-4FFC-92D1-170CA4099E01}\\(Default)"
              }
            ],
            "repeated": 0,
            "id": 4441
          },
          {
            "timestamp": "2026-05-28 22:02:14,291",
            "thread_id": "11156",
            "caller": "0x7ffc77ba8485",
            "parentcaller": "0x7ffc77ba829e",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x000005e2"
              },
              {
                "name": "SubKey",
                "value": "InprocServer32"
              },
              {
                "name": "Handle",
                "value": "0x000005e6"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{1BAC8681-2965-4FFC-92D1-170CA4099E01}\\InprocServer32"
              }
            ],
            "repeated": 0,
            "id": 4442
          },
          {
            "timestamp": "2026-05-28 22:02:14,291",
            "thread_id": "11156",
            "caller": "0x7ffc756e2e92",
            "parentcaller": "0x7ffc77ba870d",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005e6"
              },
              {
                "name": "ValueName",
                "value": "InprocServer32"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{1BAC8681-2965-4FFC-92D1-170CA4099E01}\\InProcServer32\\InprocServer32"
              }
            ],
            "repeated": 0,
            "id": 4443
          },
          {
            "timestamp": "2026-05-28 22:02:14,291",
            "thread_id": "11156",
            "caller": "0x7ffc756e2e92",
            "parentcaller": "0x7ffc77ba870d",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005e6"
              },
              {
                "name": "ValueName",
                "value": ""
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{1BAC8681-2965-4FFC-92D1-170CA4099E01}\\InProcServer32\\(Default)"
              }
            ],
            "repeated": 0,
            "id": 4444
          },
          {
            "timestamp": "2026-05-28 22:02:14,291",
            "thread_id": "11156",
            "caller": "0x7ffc756e2e92",
            "parentcaller": "0x7ffc77ba87bc",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005e6"
              },
              {
                "name": "ValueName",
                "value": ""
              },
              {
                "name": "Data",
                "value": "C:\\Windows\\System32\\usermgrproxy.dll"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{1BAC8681-2965-4FFC-92D1-170CA4099E01}\\InProcServer32\\(Default)"
              }
            ],
            "repeated": 0,
            "id": 4445
          },
          {
            "timestamp": "2026-05-28 22:02:14,291",
            "thread_id": "11156",
            "caller": "0x7ffc756e2e92",
            "parentcaller": "0x7ffc77ba8d32",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005e6"
              },
              {
                "name": "ValueName",
                "value": "ThreadingModel"
              },
              {
                "name": "Data",
                "value": "Both"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{1BAC8681-2965-4FFC-92D1-170CA4099E01}\\InProcServer32\\ThreadingModel"
              }
            ],
            "repeated": 0,
            "id": 4446
          },
          {
            "timestamp": "2026-05-28 22:02:14,291",
            "thread_id": "11156",
            "caller": "0x7ffc77ba855f",
            "parentcaller": "0x7ffc77ba829e",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005e6"
              }
            ],
            "repeated": 0,
            "id": 4447
          },
          {
            "timestamp": "2026-05-28 22:02:14,291",
            "thread_id": "11156",
            "caller": "0x7ffc756e45a7",
            "parentcaller": "0x7ffc756e0705",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000005e2"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\CLSID\\{1BAC8681-2965-4FFC-92D1-170CA4099E01}"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 4448
          },
          {
            "timestamp": "2026-05-28 22:02:14,291",
            "thread_id": "11156",
            "caller": "0x7ffc756e2314",
            "parentcaller": "0x7ffc756e0732",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000005e2"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 4449
          },
          {
            "timestamp": "2026-05-28 22:02:14,291",
            "thread_id": "11156",
            "caller": "0x7ffc78006c8b",
            "parentcaller": "0x7ffc756e23a0",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\x10\\xbc\\x0f\\xf9\\xb8\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xfc\\x7f\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\xe9\\x03\\x00\\x00\\xfc\\x7f\\x00\\x00\\xb8\\xcf\\xd93\\xfc\\x7f\\x00\\x00\\xe2\\x05\\x00\\x00\\x00\\x00\\x00\\x00\\xe0\\xd2\\xd93\\xfc\\x7f\\x00\\x00\\x04\\x00\\x00\\x00\\xb8\\x00\\x00\\x00\\x10\\xbd\\x0f\\xf9\\xb8\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 4450
          },
          {
            "timestamp": "2026-05-28 22:02:14,291",
            "thread_id": "11156",
            "caller": "0x7ffc756e24a8",
            "parentcaller": "0x7ffc756e0732",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3968686040-3210279463-847977608-1001_Classes\\CLSID\\{1BAC8681-2965-4FFC-92D1-170CA4099E01}\\InprocHandler32"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{1BAC8681-2965-4FFC-92D1-170CA4099E01}\\InprocHandler32"
              }
            ],
            "repeated": 0,
            "id": 4451
          },
          {
            "timestamp": "2026-05-28 22:02:14,291",
            "thread_id": "11156",
            "caller": "0x7ffc756e40c4",
            "parentcaller": "0x7ffc756e25c4",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000005e2"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 4452
          },
          {
            "timestamp": "2026-05-28 22:02:14,291",
            "thread_id": "11156",
            "caller": "0x7ffc756e25e2",
            "parentcaller": "0x7ffc756e0732",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000005e2"
              },
              {
                "name": "ObjectAttributesName",
                "value": "InprocHandler32"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{1BAC8681-2965-4FFC-92D1-170CA4099E01}\\InprocHandler32"
              }
            ],
            "repeated": 0,
            "id": 4453
          },
          {
            "timestamp": "2026-05-28 22:02:14,291",
            "thread_id": "11156",
            "caller": "0x7ffc756e45a7",
            "parentcaller": "0x7ffc756e0705",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000005e2"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\CLSID\\{1BAC8681-2965-4FFC-92D1-170CA4099E01}"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 4454
          },
          {
            "timestamp": "2026-05-28 22:02:14,291",
            "thread_id": "11156",
            "caller": "0x7ffc756e2314",
            "parentcaller": "0x7ffc756e0732",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000005e2"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 4455
          },
          {
            "timestamp": "2026-05-28 22:02:14,291",
            "thread_id": "11156",
            "caller": "0x7ffc78006c8b",
            "parentcaller": "0x7ffc756e23a0",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\x10\\xbc\\x0f\\xf9\\xb8\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xfc\\x7f\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\xe9\\x03\\x00\\x00\\xfc\\x7f\\x00\\x00\\xb8\\xcf\\xd93\\xfc\\x7f\\x00\\x00\\xe2\\x05\\x00\\x00\\x00\\x00\\x00\\x00\\xe0\\xd2\\xd93\\xfc\\x7f\\x00\\x00\\x04\\x00\\x00\\x00\\xb8\\x00\\x00\\x00\\x10\\xbd\\x0f\\xf9\\xb8\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 4456
          },
          {
            "timestamp": "2026-05-28 22:02:14,291",
            "thread_id": "11156",
            "caller": "0x7ffc756e24a8",
            "parentcaller": "0x7ffc756e0732",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3968686040-3210279463-847977608-1001_Classes\\CLSID\\{1BAC8681-2965-4FFC-92D1-170CA4099E01}\\InprocHandler"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{1BAC8681-2965-4FFC-92D1-170CA4099E01}\\InprocHandler"
              }
            ],
            "repeated": 0,
            "id": 4457
          },
          {
            "timestamp": "2026-05-28 22:02:14,291",
            "thread_id": "11156",
            "caller": "0x7ffc756e40c4",
            "parentcaller": "0x7ffc756e25c4",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000005e2"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 4458
          },
          {
            "timestamp": "2026-05-28 22:02:14,291",
            "thread_id": "11156",
            "caller": "0x7ffc756e25e2",
            "parentcaller": "0x7ffc756e0732",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000005e2"
              },
              {
                "name": "ObjectAttributesName",
                "value": "InprocHandler"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{1BAC8681-2965-4FFC-92D1-170CA4099E01}\\InprocHandler"
              }
            ],
            "repeated": 0,
            "id": 4459
          },
          {
            "timestamp": "2026-05-28 22:02:14,291",
            "thread_id": "11156",
            "caller": "0x7ffc77baab08",
            "parentcaller": "0x7ffc77baa7d9",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x000005e2"
              },
              {
                "name": "SubKey",
                "value": "LocalServer32"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{1BAC8681-2965-4FFC-92D1-170CA4099E01}\\LocalServer32"
              }
            ],
            "repeated": 0,
            "id": 4460
          },
          {
            "timestamp": "2026-05-28 22:02:14,291",
            "thread_id": "11156",
            "caller": "0x7ffc756e2e92",
            "parentcaller": "0x7ffc77baa825",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005e2"
              },
              {
                "name": "ValueName",
                "value": "AppID"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{1BAC8681-2965-4FFC-92D1-170CA4099E01}\\AppID"
              }
            ],
            "repeated": 0,
            "id": 4461
          },
          {
            "timestamp": "2026-05-28 22:02:14,291",
            "thread_id": "11156",
            "caller": "0x7ffc756e45a7",
            "parentcaller": "0x7ffc756e0705",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000005e2"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\CLSID\\{1BAC8681-2965-4FFC-92D1-170CA4099E01}"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 4462
          },
          {
            "timestamp": "2026-05-28 22:02:14,291",
            "thread_id": "11156",
            "caller": "0x7ffc756e2314",
            "parentcaller": "0x7ffc756e0732",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000005e2"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 4463
          },
          {
            "timestamp": "2026-05-28 22:02:14,291",
            "thread_id": "11156",
            "caller": "0x7ffc78006c8b",
            "parentcaller": "0x7ffc756e23a0",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "P\\xbb\\x0f\\xf9\\xb8\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xfc\\x7f\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\xe9\\x03\\x00\\x00\\xfc\\x7f\\x00\\x00\\xb8\\xcf\\xd93\\xfc\\x7f\\x00\\x00\\xe2\\x05\\x00\\x00\\x00\\x00\\x00\\x00\\xe0\\xd2\\xd93\\xfc\\x7f\\x00\\x00\\x04\\x00\\x00\\x00\\xb8\\x00\\x00\\x00P\\xbc\\x0f\\xf9\\xb8\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 4464
          },
          {
            "timestamp": "2026-05-28 22:02:14,291",
            "thread_id": "11156",
            "caller": "0x7ffc756e24a8",
            "parentcaller": "0x7ffc756e0732",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3968686040-3210279463-847977608-1001_Classes\\CLSID\\{1BAC8681-2965-4FFC-92D1-170CA4099E01}\\LocalServer"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{1BAC8681-2965-4FFC-92D1-170CA4099E01}\\LocalServer"
              }
            ],
            "repeated": 0,
            "id": 4465
          },
          {
            "timestamp": "2026-05-28 22:02:14,291",
            "thread_id": "11156",
            "caller": "0x7ffc756e40c4",
            "parentcaller": "0x7ffc756e25c4",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000005e2"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 4466
          },
          {
            "timestamp": "2026-05-28 22:02:14,291",
            "thread_id": "11156",
            "caller": "0x7ffc756e25e2",
            "parentcaller": "0x7ffc756e0732",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000005e2"
              },
              {
                "name": "ObjectAttributesName",
                "value": "LocalServer"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{1BAC8681-2965-4FFC-92D1-170CA4099E01}\\LocalServer"
              }
            ],
            "repeated": 0,
            "id": 4467
          },
          {
            "timestamp": "2026-05-28 22:02:14,291",
            "thread_id": "11156",
            "caller": "0x7ffc77baad16",
            "parentcaller": "0x7ffc77ba83b8",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x0000036a"
              },
              {
                "name": "SubKey",
                "value": "CLSID\\{1BAC8681-2965-4FFC-92D1-170CA4099E01}"
              },
              {
                "name": "Handle",
                "value": "0x000005e6"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{1BAC8681-2965-4FFC-92D1-170CA4099E01}"
              }
            ],
            "repeated": 0,
            "id": 4468
          },
          {
            "timestamp": "2026-05-28 22:02:14,291",
            "thread_id": "11156",
            "caller": "0x7ffc77baad4d",
            "parentcaller": "0x7ffc77ba83b8",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x000005e6"
              },
              {
                "name": "SubKey",
                "value": "Elevation"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{1BAC8681-2965-4FFC-92D1-170CA4099E01}\\Elevation"
              }
            ],
            "repeated": 0,
            "id": 4469
          },
          {
            "timestamp": "2026-05-28 22:02:14,291",
            "thread_id": "11156",
            "caller": "0x7ffc77baadb1",
            "parentcaller": "0x7ffc77ba83b8",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005e6"
              }
            ],
            "repeated": 0,
            "id": 4470
          },
          {
            "timestamp": "2026-05-28 22:02:14,291",
            "thread_id": "11156",
            "caller": "0x7ffc77ba8010",
            "parentcaller": "0x7ffc77ba53d4",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005e2"
              }
            ],
            "repeated": 0,
            "id": 4471
          },
          {
            "timestamp": "2026-05-28 22:02:14,291",
            "thread_id": "11156",
            "caller": "0x7ffc77ba22bf",
            "parentcaller": "0x7ffc77ba25e9",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x000003c6"
              },
              {
                "name": "SubKey",
                "value": "CLSID\\{1BAC8681-2965-4FFC-92D1-170CA4099E01}"
              },
              {
                "name": "Handle",
                "value": "0x000005e2"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{1BAC8681-2965-4FFC-92D1-170CA4099E01}"
              }
            ],
            "repeated": 0,
            "id": 4472
          },
          {
            "timestamp": "2026-05-28 22:02:14,291",
            "thread_id": "11156",
            "caller": "0x7ffc77c1f8f8",
            "parentcaller": "0x7ffc77ba213b",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x000005e2"
              },
              {
                "name": "SubKey",
                "value": "TreatAs"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{1BAC8681-2965-4FFC-92D1-170CA4099E01}\\TreatAs"
              }
            ],
            "repeated": 0,
            "id": 4473
          },
          {
            "timestamp": "2026-05-28 22:02:14,291",
            "thread_id": "11156",
            "caller": "0x7ffc77ba2160",
            "parentcaller": "0x7ffc77b99277",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005e2"
              }
            ],
            "repeated": 0,
            "id": 4474
          },
          {
            "timestamp": "2026-05-28 22:02:14,291",
            "thread_id": "11156",
            "caller": "0x7ffc756d30ce",
            "parentcaller": "0x7ffc77c22cd1",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 4475
          },
          {
            "timestamp": "2026-05-28 22:02:14,291",
            "thread_id": "11156",
            "caller": "0x7ffc756d30ce",
            "parentcaller": "0x7ffc77c22cd1",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000037c"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 4476
          },
          {
            "timestamp": "2026-05-28 22:02:14,291",
            "thread_id": "11156",
            "caller": "0x7ffc756e56b2",
            "parentcaller": "0x7ffc77bc6b6d",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\System32\\usermgrproxy"
              },
              {
                "name": "DllBase",
                "value": "0x7ffc6e1f0000"
              }
            ],
            "repeated": 0,
            "id": 4477
          },
          {
            "timestamp": "2026-05-28 22:02:14,307",
            "thread_id": "11156",
            "caller": "0x7ffc756e56b2",
            "parentcaller": "0x7ffc77bc6b6d",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\usermgrproxy.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc6e1f0000"
              }
            ],
            "repeated": 0,
            "id": 4478
          },
          {
            "timestamp": "2026-05-28 22:02:14,307",
            "thread_id": "11156",
            "caller": "0x7ffc756e56b2",
            "parentcaller": "0x7ffc77bc6b6d",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x7ffc6e1f0000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\System32\\usermgrproxy.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00002008"
              }
            ],
            "repeated": 0,
            "id": 4479
          },
          {
            "timestamp": "2026-05-28 22:02:14,307",
            "thread_id": "11156",
            "caller": "0x7ffc756eac31",
            "parentcaller": "0x7ffc77bc6acf",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "usermgrproxy.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc6e1f0000"
              },
              {
                "name": "FunctionName",
                "value": "DllGetClassObject"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc6e1fc750"
              }
            ],
            "repeated": 0,
            "id": 4480
          },
          {
            "timestamp": "2026-05-28 22:02:14,307",
            "thread_id": "11156",
            "caller": "0x7ffc756eac31",
            "parentcaller": "0x7ffc77bc6ae8",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "usermgrproxy.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc6e1f0000"
              },
              {
                "name": "FunctionName",
                "value": "DllGetActivationFactory"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc6e1fa040"
              }
            ],
            "repeated": 0,
            "id": 4481
          },
          {
            "timestamp": "2026-05-28 22:02:14,307",
            "thread_id": "11156",
            "caller": "0x7ffc756eac31",
            "parentcaller": "0x7ffc77bc6b08",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "usermgrproxy.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc6e1f0000"
              },
              {
                "name": "FunctionName",
                "value": "DllCanUnloadNow"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc6e1fcee0"
              }
            ],
            "repeated": 0,
            "id": 4482
          },
          {
            "timestamp": "2026-05-28 22:02:14,307",
            "thread_id": "11156",
            "caller": "0x7ffc770e1630",
            "parentcaller": "0x7ffc770e12cd",
            "category": "system",
            "api": "NtQuerySystemTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 4483
          },
          {
            "timestamp": "2026-05-28 22:02:14,307",
            "thread_id": "11156",
            "caller": "0x7ffc78013f7a",
            "parentcaller": "0x7ffc770b0ed7",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "29"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 4484
          },
          {
            "timestamp": "2026-05-28 22:02:14,307",
            "thread_id": "11156",
            "caller": "0x7ffc77ba22bf",
            "parentcaller": "0x7ffc77c1fbe4",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x000003c6"
              },
              {
                "name": "SubKey",
                "value": "Interface\\{100EB64B-B24C-4C38-8964-720D926D05A4}"
              },
              {
                "name": "Handle",
                "value": "0x000005ba"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\Interface\\{100EB64B-B24C-4C38-8964-720D926D05A4}"
              }
            ],
            "repeated": 0,
            "id": 4485
          },
          {
            "timestamp": "2026-05-28 22:02:14,307",
            "thread_id": "11156",
            "caller": "0x7ffc77c1fa51",
            "parentcaller": "0x7ffc77be42ab",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x000005ba"
              },
              {
                "name": "SubKey",
                "value": "ProxyStubClsid32"
              },
              {
                "name": "Handle",
                "value": "0x000005e6"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{100EB64B-B24C-4C38-8964-720D926D05A4}\\ProxyStubClsid32"
              }
            ],
            "repeated": 0,
            "id": 4486
          },
          {
            "timestamp": "2026-05-28 22:02:14,307",
            "thread_id": "11156",
            "caller": "0x7ffc77c1fa8c",
            "parentcaller": "0x7ffc77be42ab",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005e6"
              },
              {
                "name": "ValueName",
                "value": ""
              },
              {
                "name": "Data",
                "value": "{1BAC8681-2965-4FFC-92D1-170CA4099E01}"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{100EB64B-B24C-4C38-8964-720D926D05A4}\\ProxyStubClsid32\\(Default)"
              }
            ],
            "repeated": 0,
            "id": 4487
          },
          {
            "timestamp": "2026-05-28 22:02:14,307",
            "thread_id": "11156",
            "caller": "0x7ffc77c1fad3",
            "parentcaller": "0x7ffc77be42ab",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005e6"
              }
            ],
            "repeated": 0,
            "id": 4488
          },
          {
            "timestamp": "2026-05-28 22:02:14,307",
            "thread_id": "11156",
            "caller": "0x7ffc77c1fae4",
            "parentcaller": "0x7ffc77be42ab",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005ba"
              }
            ],
            "repeated": 0,
            "id": 4489
          },
          {
            "timestamp": "2026-05-28 22:02:14,307",
            "thread_id": "11156",
            "caller": "0x7ffc756d30ce",
            "parentcaller": "0x7ffc77c22cd1",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 4490
          },
          {
            "timestamp": "2026-05-28 22:02:14,307",
            "thread_id": "11156",
            "caller": "0x7ffc756d30ce",
            "parentcaller": "0x7ffc77c22cd1",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000037c"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 4491
          },
          {
            "timestamp": "2026-05-28 22:02:14,307",
            "thread_id": "11156",
            "caller": "0x7ffc77be92b9",
            "parentcaller": "0x7ffc77c21dfa",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "99B29D3B-368A-4BE6-B675-805A69114497"
              },
              {
                "name": "ClsContext",
                "value": "0x00000403",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER|CLSCTX_NO_CODE_DOWNLOAD"
              },
              {
                "name": "riid",
                "value": "00000003-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 4492
          },
          {
            "timestamp": "2026-05-28 22:02:14,307",
            "thread_id": "11156",
            "caller": "0x7ffc77ba22bf",
            "parentcaller": "0x7ffc77c1fbe4",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x000003c6"
              },
              {
                "name": "SubKey",
                "value": "Interface\\{DF9A26C6-E746-4BCD-B5D4-120103C4209B}"
              },
              {
                "name": "Handle",
                "value": "0x000005ba"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\Interface\\{DF9A26C6-E746-4BCD-B5D4-120103C4209B}"
              }
            ],
            "repeated": 0,
            "id": 4493
          },
          {
            "timestamp": "2026-05-28 22:02:14,307",
            "thread_id": "11156",
            "caller": "0x7ffc77c1fa51",
            "parentcaller": "0x7ffc77be42ab",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x000005ba"
              },
              {
                "name": "SubKey",
                "value": "ProxyStubClsid32"
              },
              {
                "name": "Handle",
                "value": "0x000005e6"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{DF9A26C6-E746-4BCD-B5D4-120103C4209B}\\ProxyStubClsid32"
              }
            ],
            "repeated": 0,
            "id": 4494
          },
          {
            "timestamp": "2026-05-28 22:02:14,307",
            "thread_id": "11156",
            "caller": "0x7ffc77c1fa8c",
            "parentcaller": "0x7ffc77be42ab",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005e6"
              },
              {
                "name": "ValueName",
                "value": ""
              },
              {
                "name": "Data",
                "value": "{1BAC8681-2965-4FFC-92D1-170CA4099E01}"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{DF9A26C6-E746-4BCD-B5D4-120103C4209B}\\ProxyStubClsid32\\(Default)"
              }
            ],
            "repeated": 0,
            "id": 4495
          },
          {
            "timestamp": "2026-05-28 22:02:14,307",
            "thread_id": "11156",
            "caller": "0x7ffc77c1fad3",
            "parentcaller": "0x7ffc77be42ab",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005e6"
              }
            ],
            "repeated": 0,
            "id": 4496
          },
          {
            "timestamp": "2026-05-28 22:02:14,307",
            "thread_id": "11156",
            "caller": "0x7ffc77c1fae4",
            "parentcaller": "0x7ffc77be42ab",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005ba"
              }
            ],
            "repeated": 0,
            "id": 4497
          },
          {
            "timestamp": "2026-05-28 22:02:14,307",
            "thread_id": "11156",
            "caller": "0x7ffc756d30ce",
            "parentcaller": "0x7ffc77c22cd1",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 4498
          },
          {
            "timestamp": "2026-05-28 22:02:14,307",
            "thread_id": "11156",
            "caller": "0x7ffc756d30ce",
            "parentcaller": "0x7ffc77c22cd1",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000037c"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 4499
          },
          {
            "timestamp": "2026-05-28 22:02:14,307",
            "thread_id": "11156",
            "caller": "0x7ffc756e6785",
            "parentcaller": "0x7ffc6126dc24",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005dc"
              }
            ],
            "repeated": 0,
            "id": 4500
          },
          {
            "timestamp": "2026-05-28 22:02:14,307",
            "thread_id": "11156",
            "caller": "0x7ffc77be92b9",
            "parentcaller": "0x7ffc77c2224d",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "00000339-0000-0000-C000-000000000046"
              },
              {
                "name": "ClsContext",
                "value": "0x00000403",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER|CLSCTX_NO_CODE_DOWNLOAD"
              },
              {
                "name": "riid",
                "value": "00000003-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 4501
          },
          {
            "timestamp": "2026-05-28 22:02:14,307",
            "thread_id": "11156",
            "caller": "0x7ffc756e54eb",
            "parentcaller": "0x7ffc6126c697",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 4502
          },
          {
            "timestamp": "2026-05-28 22:02:14,307",
            "thread_id": "11156",
            "caller": "0x7ffc756e54eb",
            "parentcaller": "0x7ffc6126c717",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xc0\\x00Le\\xa3\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\xa8\\xa4\\xd3\\xd9\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\xe9\\x03\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 4503
          },
          {
            "timestamp": "2026-05-28 22:02:14,307",
            "thread_id": "11156",
            "caller": "0x7ffc756e6785",
            "parentcaller": "0x7ffc612616e6",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005dc"
              }
            ],
            "repeated": 0,
            "id": 4504
          },
          {
            "timestamp": "2026-05-28 22:02:14,307",
            "thread_id": "11156",
            "caller": "0x7ffc77be92b9",
            "parentcaller": "0x7ffc77c2224d",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "00000339-0000-0000-C000-000000000046"
              },
              {
                "name": "ClsContext",
                "value": "0x00000403",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER|CLSCTX_NO_CODE_DOWNLOAD"
              },
              {
                "name": "riid",
                "value": "00000003-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 4505
          },
          {
            "timestamp": "2026-05-28 22:02:14,307",
            "thread_id": "11156",
            "caller": "0x7ffc770e1630",
            "parentcaller": "0x7ffc770e12cd",
            "category": "system",
            "api": "NtQuerySystemTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 4506
          },
          {
            "timestamp": "2026-05-28 22:02:14,307",
            "thread_id": "11156",
            "caller": "0x7ffc78013f7a",
            "parentcaller": "0x7ffc770b0ed7",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "29"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 4507
          },
          {
            "timestamp": "2026-05-28 22:02:14,307",
            "thread_id": "11156",
            "caller": "0x7ffc77c2dd9d",
            "parentcaller": "0x7ffc77bc7428",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000005b8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020119",
                "pretty_value": "KEY_QUERY_VALUE|KEY_ENUMERATE_SUB_KEYS|KEY_NOTIFY|KEY_WOW64_64KEY|STANDARD_RIGHTS_REQUIRED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000378"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Windows.Internal.StateRepository.SecondaryTileView"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.SecondaryTileView"
              }
            ],
            "repeated": 0,
            "id": 4508
          },
          {
            "timestamp": "2026-05-28 22:02:14,307",
            "thread_id": "11156",
            "caller": "0x7ffc77c2ddf7",
            "parentcaller": "0x7ffc77bc7428",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000005b8"
              },
              {
                "name": "KeyInformation",
                "value": "\\xfffci\\x0e\\xffd4\\xffde\\xffac\\xffd5\\x01\\x00\\x00\\x00\\x00d\\x00\\x00\\x00W\\x00i\\x00n\\x00d\\x00o\\x00w\\x00s\\x00.\\x00I\\x00n\\x00t\\x00e\\x00r\\x00n\\x00a\\x00l\\x00.\\x00S\\x00t\\x00a\\x00t\\x00e\\x00R\\x00e\\x00p\\x00o\\x00s\\x00i\\x00t\\x00o\\x00r\\x00y\\x00.\\x00S\\x00e\\x00c\\x00o\\x00n\\x00d\\x00a\\x00r\\x00y\\x00T\\x00i\\x00l\\x00e\\x00V\\x00i\\x00e\\x00w\\x00\\x00\\x00\\x00\\x00.\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xffb0E\\xffe7w\\xfffc\\x7f\\x00\\x00\\xfff8\\xffcbHe\\xffa3\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xffb0\\xffe9\\x0f\\xfff9\\xffb8\\x00\\x00\\x00\\xff8c\\xffc2\\xffffw\\xfffc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\xffa3\\x02\\x00\\x00pCHe\\xffa3\\x02\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xffa3\\x02\\x00\\x00.\\xff9f\\xffa3*\\xffbd\\xffaa\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xff90\\xffdfKe\\xffa3\\x02\\x00\\x00\\xfff8\\xffcbHe\\xffa3\\x02\\x00\\x00\\xffd0\\xffcbHe\\xffa3\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xff87\\xff9d\\xffbbw\\xfffc\\x7f\\x00\\x00pCHe\\xffa3\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xffd0\\xffcbHe\\xffa3\\x02\\x00\\x00pCHe\\xffa3\\x02\\x00\\x00\\xff90\\xffdfKe\\xffa3\\x02\\x00\\x00\\xff90\\xffe6Ke\\xffa3\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xfff6s\\xffbbw\\xfffc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x07\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xff80\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xff90\\xffdfKe\\xffa3\\x02\\x00\\x00@\\x0bIe\\xffa3\\x02\\x00\\x00@\\x0bIe\\xffa3\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00pCHe\\xffa3\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00@\\x0bIe\\
xffa3\\x02\\x00\\x00\\xff8c\\xffc2\\xffffw\\xfffc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\xffa3\\x02\\x00\\x00pCHe\\xffa3\\x02\\x00\\x00\\xff90\\xffe6Ke\\xffa3\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xffb0\\xffea\\x0f\\xfff9\\xffb8\\x00\\x00\\x003\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xffb0\\x04Ie\\xffa3\\x02\\x00\\x00\\xffd0\\xffcbHe\\xffa3\\x02\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 4509
          },
          {
            "timestamp": "2026-05-28 22:02:14,307",
            "thread_id": "11156",
            "caller": "0x7ffc756e2e92",
            "parentcaller": "0x7ffc77c29cb2",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b8"
              },
              {
                "name": "ValueName",
                "value": "ActivationType"
              },
              {
                "name": "Data",
                "value": "1"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.SecondaryTileView\\ActivationType"
              }
            ],
            "repeated": 0,
            "id": 4510
          },
          {
            "timestamp": "2026-05-28 22:02:14,307",
            "thread_id": "11156",
            "caller": "0x7ffc77b87deb",
            "parentcaller": "0x7ffc77c38ff0",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b8"
              },
              {
                "name": "ValueName",
                "value": "Server"
              },
              {
                "name": "Data",
                "value": "StateRepository"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.SecondaryTileView\\Server"
              }
            ],
            "repeated": 0,
            "id": 4511
          },
          {
            "timestamp": "2026-05-28 22:02:14,307",
            "thread_id": "11156",
            "caller": "0x7ffc77b87deb",
            "parentcaller": "0x7ffc77c400bb",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b8"
              },
              {
                "name": "ValueName",
                "value": "DllPath"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.SecondaryTileView\\DllPath"
              }
            ],
            "repeated": 0,
            "id": 4512
          },
          {
            "timestamp": "2026-05-28 22:02:14,307",
            "thread_id": "11156",
            "caller": "0x7ffc756e2e92",
            "parentcaller": "0x7ffc77c29cb2",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b8"
              },
              {
                "name": "ValueName",
                "value": "Threading"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.SecondaryTileView\\Threading"
              }
            ],
            "repeated": 0,
            "id": 4513
          },
          {
            "timestamp": "2026-05-28 22:02:14,307",
            "thread_id": "11156",
            "caller": "0x7ffc756e2e92",
            "parentcaller": "0x7ffc77c29cb2",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b8"
              },
              {
                "name": "ValueName",
                "value": "TrustLevel"
              },
              {
                "name": "Data",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.SecondaryTileView\\TrustLevel"
              }
            ],
            "repeated": 0,
            "id": 4514
          },
          {
            "timestamp": "2026-05-28 22:02:14,307",
            "thread_id": "11156",
            "caller": "0x7ffc77b8c0fc",
            "parentcaller": "0x7ffc77c24170",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x000005b8"
              },
              {
                "name": "SubKey",
                "value": "CustomAttributes"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.SecondaryTileView\\CustomAttributes"
              }
            ],
            "repeated": 0,
            "id": 4515
          },
          {
            "timestamp": "2026-05-28 22:02:14,307",
            "thread_id": "11156",
            "caller": "0x7ffc77b87deb",
            "parentcaller": "0x7ffc77c38ff0",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b8"
              },
              {
                "name": "ValueName",
                "value": "RemoteServer"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.SecondaryTileView\\RemoteServer"
              }
            ],
            "repeated": 0,
            "id": 4516
          },
          {
            "timestamp": "2026-05-28 22:02:14,307",
            "thread_id": "11156",
            "caller": "0x7ffc756e2e92",
            "parentcaller": "0x7ffc77c29cb2",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b8"
              },
              {
                "name": "ValueName",
                "value": "ActivateAsUser"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.SecondaryTileView\\ActivateAsUser"
              }
            ],
            "repeated": 0,
            "id": 4517
          },
          {
            "timestamp": "2026-05-28 22:02:14,307",
            "thread_id": "11156",
            "caller": "0x7ffc756e2e92",
            "parentcaller": "0x7ffc77c29cb2",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b8"
              },
              {
                "name": "ValueName",
                "value": "ActivateInSharedBroker"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.SecondaryTileView\\ActivateInSharedBroker"
              }
            ],
            "repeated": 0,
            "id": 4518
          },
          {
            "timestamp": "2026-05-28 22:02:14,307",
            "thread_id": "11156",
            "caller": "0x7ffc756e2e92",
            "parentcaller": "0x7ffc77c29cb2",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b8"
              },
              {
                "name": "ValueName",
                "value": "ActivateInBrokerForMediumILContainer"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.SecondaryTileView\\ActivateInBrokerForMediumILContainer"
              }
            ],
            "repeated": 0,
            "id": 4519
          },
          {
            "timestamp": "2026-05-28 22:02:14,307",
            "thread_id": "11156",
            "caller": "0x7ffc756e2e92",
            "parentcaller": "0x7ffc77c32222",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b8"
              },
              {
                "name": "ValueName",
                "value": "Permissions"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.SecondaryTileView\\Permissions"
              }
            ],
            "repeated": 0,
            "id": 4520
          },
          {
            "timestamp": "2026-05-28 22:02:14,307",
            "thread_id": "11156",
            "caller": "0x7ffc756e2e92",
            "parentcaller": "0x7ffc77c29cb2",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b8"
              },
              {
                "name": "ValueName",
                "value": "ActivateOnHostFlags"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.SecondaryTileView\\ActivateOnHostFlags"
              }
            ],
            "repeated": 0,
            "id": 4521
          },
          {
            "timestamp": "2026-05-28 22:02:14,307",
            "thread_id": "11156",
            "caller": "0x7ffc77c27226",
            "parentcaller": "0x7ffc77c2ca23",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b8"
              }
            ],
            "repeated": 0,
            "id": 4522
          },
          {
            "timestamp": "2026-05-28 22:02:14,307",
            "thread_id": "11156",
            "caller": "0x7ffc77be92b9",
            "parentcaller": "0x7ffc77c2224d",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "00000339-0000-0000-C000-000000000046"
              },
              {
                "name": "ClsContext",
                "value": "0x00000403",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER|CLSCTX_NO_CODE_DOWNLOAD"
              },
              {
                "name": "riid",
                "value": "00000003-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 4523
          },
          {
            "timestamp": "2026-05-28 22:02:14,307",
            "thread_id": "11156",
            "caller": "0x7ffc77ba22bf",
            "parentcaller": "0x7ffc77c1fbe4",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x000003c6"
              },
              {
                "name": "SubKey",
                "value": "Interface\\{B3F72108-5C5C-469B-A5E5-3F64D2A39B01}"
              },
              {
                "name": "Handle",
                "value": "0x000005ba"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\Interface\\{B3F72108-5C5C-469B-A5E5-3F64D2A39B01}"
              }
            ],
            "repeated": 0,
            "id": 4524
          },
          {
            "timestamp": "2026-05-28 22:02:14,307",
            "thread_id": "11156",
            "caller": "0x7ffc77c1fa51",
            "parentcaller": "0x7ffc77be42ab",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x000005ba"
              },
              {
                "name": "SubKey",
                "value": "ProxyStubClsid32"
              },
              {
                "name": "Handle",
                "value": "0x000005e6"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{b3f72108-5c5c-469b-a5e5-3f64d2a39b01}\\ProxyStubClsid32"
              }
            ],
            "repeated": 0,
            "id": 4525
          },
          {
            "timestamp": "2026-05-28 22:02:14,307",
            "thread_id": "11156",
            "caller": "0x7ffc77c1fa8c",
            "parentcaller": "0x7ffc77be42ab",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005e6"
              },
              {
                "name": "ValueName",
                "value": ""
              },
              {
                "name": "Data",
                "value": "{c53e07ec-25f3-4093-aa39-fc67ea22e99d}"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{b3f72108-5c5c-469b-a5e5-3f64d2a39b01}\\ProxyStubClsid32\\(Default)"
              }
            ],
            "repeated": 0,
            "id": 4526
          },
          {
            "timestamp": "2026-05-28 22:02:14,307",
            "thread_id": "11156",
            "caller": "0x7ffc77c1fad3",
            "parentcaller": "0x7ffc77be42ab",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005e6"
              }
            ],
            "repeated": 0,
            "id": 4527
          },
          {
            "timestamp": "2026-05-28 22:02:14,307",
            "thread_id": "11156",
            "caller": "0x7ffc77c1fae4",
            "parentcaller": "0x7ffc77be42ab",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005ba"
              }
            ],
            "repeated": 0,
            "id": 4528
          },
          {
            "timestamp": "2026-05-28 22:02:14,307",
            "thread_id": "11156",
            "caller": "0x7ffc756d30ce",
            "parentcaller": "0x7ffc77c22cd1",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 4529
          },
          {
            "timestamp": "2026-05-28 22:02:14,307",
            "thread_id": "11156",
            "caller": "0x7ffc756d30ce",
            "parentcaller": "0x7ffc77c22cd1",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000037c"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 4530
          },
          {
            "timestamp": "2026-05-28 22:02:14,307",
            "thread_id": "11156",
            "caller": "0x7ffc77c2dd9d",
            "parentcaller": "0x7ffc77bc7428",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000005b8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020119",
                "pretty_value": "KEY_QUERY_VALUE|KEY_ENUMERATE_SUB_KEYS|KEY_NOTIFY|KEY_WOW64_64KEY|STANDARD_RIGHTS_REQUIRED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000378"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Windows.Internal.StateRepository.Application"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.Application"
              }
            ],
            "repeated": 0,
            "id": 4531
          },
          {
            "timestamp": "2026-05-28 22:02:14,307",
            "thread_id": "11156",
            "caller": "0x7ffc77c2ddf7",
            "parentcaller": "0x7ffc77bc7428",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000005b8"
              },
              {
                "name": "KeyInformation",
                "value": "y\\x1f\\x10\\xffd4\\xffde\\xffac\\xffd5\\x01\\x00\\x00\\x00\\x00X\\x00\\x00\\x00W\\x00i\\x00n\\x00d\\x00o\\x00w\\x00s\\x00.\\x00I\\x00n\\x00t\\x00e\\x00r\\x00n\\x00a\\x00l\\x00.\\x00S\\x00t\\x00a\\x00t\\x00e\\x00R\\x00e\\x00p\\x00o\\x00s\\x00i\\x00t\\x00o\\x00r\\x00y\\x00.\\x00A\\x00p\\x00p\\x00l\\x00i\\x00c\\x00a\\x00t\\x00i\\x00o\\x00n\\x00\\x12\\x00\\x00\\x00\\x00\\x00\\x00\\x007\\x00\\x00\\x00\\x00\\x00\\x00\\x00.\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xffb0E\\xffe7w\\xfffc\\x7f\\x00\\x00\\xfff8\\xffcbHe\\xffa3\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xffb0\\xffe9\\x0f\\xfff9\\xffb8\\x00\\x00\\x00\\xff8c\\xffc2\\xffffw\\xfffc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\xffa3\\x02\\x00\\x00P\\xffc0He\\xffa3\\x02\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xffa3\\x02\\x00\\x00.\\xff9f\\xffa3*\\xffbd\\xffaa\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10NIe\\xffa3\\x02\\x00\\x00\\xfff8\\xffcbHe\\xffa3\\x02\\x00\\x00\\xffd0\\xffcbHe\\xffa3\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xff87\\xff9d\\xffbbw\\xfffc\\x7f\\x00\\x00P\\xffc0He\\xffa3\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xffd0\\xffcbHe\\xffa3\\x02\\x00\\x00P\\xffc0He\\xffa3\\x02\\x00\\x00\\x10NIe\\xffa3\\x02\\x00\\x00\\xff90\\xffe6Ke\\xffa3\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xfff6s\\xffbbw\\xfffc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x07\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xff80\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10NIe\\xffa3\\x02\\x00\\x00\\xff90,Fe\\xffa3\\x02\\x00\\x00\\xff90,Fe\\xffa3\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00P\\xffc0He\\xffa3\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x
00\\x00\\x00\\xff90,Fe\\xffa3\\x02\\x00\\x00\\xff8c\\xffc2\\xffffw\\xfffc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\xffa3\\x02\\x00\\x00P\\xffc0He\\xffa3\\x02\\x00\\x00\\xff90\\xffe6Ke\\xffa3\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xffb0\\xffea\\x0f\\xfff9\\xffb8\\x00\\x00\\x003\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xffa0(Fe\\xffa3\\x02\\x00\\x00\\xffd0\\xffcbHe\\xffa3\\x02\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 4532
          },
          {
            "timestamp": "2026-05-28 22:02:14,307",
            "thread_id": "11156",
            "caller": "0x7ffc756e2e92",
            "parentcaller": "0x7ffc77c29cb2",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b8"
              },
              {
                "name": "ValueName",
                "value": "ActivationType"
              },
              {
                "name": "Data",
                "value": "1"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.Application\\ActivationType"
              }
            ],
            "repeated": 0,
            "id": 4533
          },
          {
            "timestamp": "2026-05-28 22:02:14,307",
            "thread_id": "11156",
            "caller": "0x7ffc77b87deb",
            "parentcaller": "0x7ffc77c38ff0",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b8"
              },
              {
                "name": "ValueName",
                "value": "Server"
              },
              {
                "name": "Data",
                "value": "StateRepository"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.Application\\Server"
              }
            ],
            "repeated": 0,
            "id": 4534
          },
          {
            "timestamp": "2026-05-28 22:02:14,307",
            "thread_id": "11156",
            "caller": "0x7ffc77b87deb",
            "parentcaller": "0x7ffc77c400bb",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b8"
              },
              {
                "name": "ValueName",
                "value": "DllPath"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.Application\\DllPath"
              }
            ],
            "repeated": 0,
            "id": 4535
          },
          {
            "timestamp": "2026-05-28 22:02:14,307",
            "thread_id": "11156",
            "caller": "0x7ffc756e2e92",
            "parentcaller": "0x7ffc77c29cb2",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b8"
              },
              {
                "name": "ValueName",
                "value": "Threading"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.Application\\Threading"
              }
            ],
            "repeated": 0,
            "id": 4536
          },
          {
            "timestamp": "2026-05-28 22:02:14,307",
            "thread_id": "11156",
            "caller": "0x7ffc756e2e92",
            "parentcaller": "0x7ffc77c29cb2",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b8"
              },
              {
                "name": "ValueName",
                "value": "TrustLevel"
              },
              {
                "name": "Data",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.Application\\TrustLevel"
              }
            ],
            "repeated": 0,
            "id": 4537
          },
          {
            "timestamp": "2026-05-28 22:02:14,307",
            "thread_id": "11156",
            "caller": "0x7ffc77b8c0fc",
            "parentcaller": "0x7ffc77c24170",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x000005b8"
              },
              {
                "name": "SubKey",
                "value": "CustomAttributes"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.Application\\CustomAttributes"
              }
            ],
            "repeated": 0,
            "id": 4538
          },
          {
            "timestamp": "2026-05-28 22:02:14,307",
            "thread_id": "11156",
            "caller": "0x7ffc77b87deb",
            "parentcaller": "0x7ffc77c38ff0",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b8"
              },
              {
                "name": "ValueName",
                "value": "RemoteServer"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.Application\\RemoteServer"
              }
            ],
            "repeated": 0,
            "id": 4539
          },
          {
            "timestamp": "2026-05-28 22:02:14,307",
            "thread_id": "11156",
            "caller": "0x7ffc756e2e92",
            "parentcaller": "0x7ffc77c29cb2",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b8"
              },
              {
                "name": "ValueName",
                "value": "ActivateAsUser"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.Application\\ActivateAsUser"
              }
            ],
            "repeated": 0,
            "id": 4540
          },
          {
            "timestamp": "2026-05-28 22:02:14,307",
            "thread_id": "11156",
            "caller": "0x7ffc756e2e92",
            "parentcaller": "0x7ffc77c29cb2",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b8"
              },
              {
                "name": "ValueName",
                "value": "ActivateInSharedBroker"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.Application\\ActivateInSharedBroker"
              }
            ],
            "repeated": 0,
            "id": 4541
          },
          {
            "timestamp": "2026-05-28 22:02:14,307",
            "thread_id": "11156",
            "caller": "0x7ffc756e2e92",
            "parentcaller": "0x7ffc77c29cb2",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b8"
              },
              {
                "name": "ValueName",
                "value": "ActivateInBrokerForMediumILContainer"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.Application\\ActivateInBrokerForMediumILContainer"
              }
            ],
            "repeated": 0,
            "id": 4542
          },
          {
            "timestamp": "2026-05-28 22:02:14,307",
            "thread_id": "11156",
            "caller": "0x7ffc756e2e92",
            "parentcaller": "0x7ffc77c32222",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b8"
              },
              {
                "name": "ValueName",
                "value": "Permissions"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.Application\\Permissions"
              }
            ],
            "repeated": 0,
            "id": 4543
          },
          {
            "timestamp": "2026-05-28 22:02:14,307",
            "thread_id": "11156",
            "caller": "0x7ffc756e2e92",
            "parentcaller": "0x7ffc77c29cb2",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b8"
              },
              {
                "name": "ValueName",
                "value": "ActivateOnHostFlags"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.Application\\ActivateOnHostFlags"
              }
            ],
            "repeated": 0,
            "id": 4544
          },
          {
            "timestamp": "2026-05-28 22:02:14,307",
            "thread_id": "11156",
            "caller": "0x7ffc77c27226",
            "parentcaller": "0x7ffc77c2ca23",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005b8"
              }
            ],
            "repeated": 0,
            "id": 4545
          },
          {
            "timestamp": "2026-05-28 22:02:14,307",
            "thread_id": "11156",
            "caller": "0x7ffc77be92b9",
            "parentcaller": "0x7ffc77c2224d",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "00000339-0000-0000-C000-000000000046"
              },
              {
                "name": "ClsContext",
                "value": "0x00000403",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER|CLSCTX_NO_CODE_DOWNLOAD"
              },
              {
                "name": "riid",
                "value": "00000003-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 4546
          },
          {
            "timestamp": "2026-05-28 22:02:14,307",
            "thread_id": "11156",
            "caller": "0x7ffc77ba22bf",
            "parentcaller": "0x7ffc77c1fbe4",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x000003c6"
              },
              {
                "name": "SubKey",
                "value": "Interface\\{D81E96F1-A89C-417E-9335-59531026309D}"
              },
              {
                "name": "Handle",
                "value": "0x000005ba"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\Interface\\{D81E96F1-A89C-417E-9335-59531026309D}"
              }
            ],
            "repeated": 0,
            "id": 4547
          },
          {
            "timestamp": "2026-05-28 22:02:14,307",
            "thread_id": "11156",
            "caller": "0x7ffc77c1fa51",
            "parentcaller": "0x7ffc77be42ab",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x000005ba"
              },
              {
                "name": "SubKey",
                "value": "ProxyStubClsid32"
              },
              {
                "name": "Handle",
                "value": "0x000005e6"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{d81e96f1-a89c-417e-9335-59531026309d}\\ProxyStubClsid32"
              }
            ],
            "repeated": 0,
            "id": 4548
          },
          {
            "timestamp": "2026-05-28 22:02:14,307",
            "thread_id": "11156",
            "caller": "0x7ffc77c1fa8c",
            "parentcaller": "0x7ffc77be42ab",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005e6"
              },
              {
                "name": "ValueName",
                "value": ""
              },
              {
                "name": "Data",
                "value": "{c53e07ec-25f3-4093-aa39-fc67ea22e99d}"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{d81e96f1-a89c-417e-9335-59531026309d}\\ProxyStubClsid32\\(Default)"
              }
            ],
            "repeated": 0,
            "id": 4549
          },
          {
            "timestamp": "2026-05-28 22:02:14,307",
            "thread_id": "11156",
            "caller": "0x7ffc77c1fad3",
            "parentcaller": "0x7ffc77be42ab",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005e6"
              }
            ],
            "repeated": 0,
            "id": 4550
          },
          {
            "timestamp": "2026-05-28 22:02:14,307",
            "thread_id": "11156",
            "caller": "0x7ffc77c1fae4",
            "parentcaller": "0x7ffc77be42ab",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005ba"
              }
            ],
            "repeated": 0,
            "id": 4551
          },
          {
            "timestamp": "2026-05-28 22:02:14,307",
            "thread_id": "11156",
            "caller": "0x7ffc756d30ce",
            "parentcaller": "0x7ffc77c22cd1",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 4552
          },
          {
            "timestamp": "2026-05-28 22:02:14,307",
            "thread_id": "11156",
            "caller": "0x7ffc756d30ce",
            "parentcaller": "0x7ffc77c22cd1",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000037c"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 4553
          },
          {
            "timestamp": "2026-05-28 22:02:14,307",
            "thread_id": "11156",
            "caller": "0x7ffc77ba22bf",
            "parentcaller": "0x7ffc77c1fbe4",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x000003c6"
              },
              {
                "name": "SubKey",
                "value": "Interface\\{3BED20A5-6DEE-4297-B976-3B30DF69A7AA}"
              },
              {
                "name": "Handle",
                "value": "0x000005ba"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\Interface\\{3BED20A5-6DEE-4297-B976-3B30DF69A7AA}"
              }
            ],
            "repeated": 0,
            "id": 4554
          },
          {
            "timestamp": "2026-05-28 22:02:14,307",
            "thread_id": "11156",
            "caller": "0x7ffc77c1fa51",
            "parentcaller": "0x7ffc77be42ab",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x000005ba"
              },
              {
                "name": "SubKey",
                "value": "ProxyStubClsid32"
              },
              {
                "name": "Handle",
                "value": "0x000005e6"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{3bed20a5-6dee-4297-b976-3b30df69a7aa}\\ProxyStubClsid32"
              }
            ],
            "repeated": 0,
            "id": 4555
          },
          {
            "timestamp": "2026-05-28 22:02:14,307",
            "thread_id": "11156",
            "caller": "0x7ffc77c1fa8c",
            "parentcaller": "0x7ffc77be42ab",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005e6"
              },
              {
                "name": "ValueName",
                "value": ""
              },
              {
                "name": "Data",
                "value": "{c53e07ec-25f3-4093-aa39-fc67ea22e99d}"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{3bed20a5-6dee-4297-b976-3b30df69a7aa}\\ProxyStubClsid32\\(Default)"
              }
            ],
            "repeated": 0,
            "id": 4556
          },
          {
            "timestamp": "2026-05-28 22:02:14,307",
            "thread_id": "11156",
            "caller": "0x7ffc77c1fad3",
            "parentcaller": "0x7ffc77be42ab",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005e6"
              }
            ],
            "repeated": 0,
            "id": 4557
          },
          {
            "timestamp": "2026-05-28 22:02:14,307",
            "thread_id": "11156",
            "caller": "0x7ffc77c1fae4",
            "parentcaller": "0x7ffc77be42ab",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005ba"
              }
            ],
            "repeated": 0,
            "id": 4558
          },
          {
            "timestamp": "2026-05-28 22:02:14,307",
            "thread_id": "11156",
            "caller": "0x7ffc756d30ce",
            "parentcaller": "0x7ffc77c22cd1",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 4559
          },
          {
            "timestamp": "2026-05-28 22:02:14,307",
            "thread_id": "11156",
            "caller": "0x7ffc756d30ce",
            "parentcaller": "0x7ffc77c22cd1",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000037c"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 4560
          },
          {
            "timestamp": "2026-05-28 22:02:14,307",
            "thread_id": "11156",
            "caller": "0x7ffc77be92b9",
            "parentcaller": "0x7ffc77c2224d",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "00000339-0000-0000-C000-000000000046"
              },
              {
                "name": "ClsContext",
                "value": "0x00000403",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER|CLSCTX_NO_CODE_DOWNLOAD"
              },
              {
                "name": "riid",
                "value": "00000003-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 4561
          },
          {
            "timestamp": "2026-05-28 22:02:14,307",
            "thread_id": "11156",
            "caller": "0x7ffc77ba22bf",
            "parentcaller": "0x7ffc77c1fbe4",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x000003c6"
              },
              {
                "name": "SubKey",
                "value": "Interface\\{7F290DA0-75E3-5885-898D-1F5B1ED47ED2}"
              },
              {
                "name": "Handle",
                "value": "0x000005ea"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\Interface\\{7F290DA0-75E3-5885-898D-1F5B1ED47ED2}"
              }
            ],
            "repeated": 0,
            "id": 4562
          },
          {
            "timestamp": "2026-05-28 22:02:14,307",
            "thread_id": "11156",
            "caller": "0x7ffc77c1fa51",
            "parentcaller": "0x7ffc77be42ab",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x000005ea"
              },
              {
                "name": "SubKey",
                "value": "ProxyStubClsid32"
              },
              {
                "name": "Handle",
                "value": "0x000005ee"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{7f290da0-75e3-5885-898d-1f5b1ed47ed2}\\ProxyStubClsid32"
              }
            ],
            "repeated": 0,
            "id": 4563
          },
          {
            "timestamp": "2026-05-28 22:02:14,307",
            "thread_id": "11156",
            "caller": "0x7ffc77c1fa8c",
            "parentcaller": "0x7ffc77be42ab",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005ee"
              },
              {
                "name": "ValueName",
                "value": ""
              },
              {
                "name": "Data",
                "value": "{c53e07ec-25f3-4093-aa39-fc67ea22e99d}"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{7f290da0-75e3-5885-898d-1f5b1ed47ed2}\\ProxyStubClsid32\\(Default)"
              }
            ],
            "repeated": 0,
            "id": 4564
          },
          {
            "timestamp": "2026-05-28 22:02:14,307",
            "thread_id": "11156",
            "caller": "0x7ffc77c1fad3",
            "parentcaller": "0x7ffc77be42ab",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005ee"
              }
            ],
            "repeated": 0,
            "id": 4565
          },
          {
            "timestamp": "2026-05-28 22:02:14,307",
            "thread_id": "11156",
            "caller": "0x7ffc77c1fae4",
            "parentcaller": "0x7ffc77be42ab",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005ea"
              }
            ],
            "repeated": 0,
            "id": 4566
          },
          {
            "timestamp": "2026-05-28 22:02:14,307",
            "thread_id": "11156",
            "caller": "0x7ffc756d30ce",
            "parentcaller": "0x7ffc77c22cd1",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 4567
          },
          {
            "timestamp": "2026-05-28 22:02:14,307",
            "thread_id": "11156",
            "caller": "0x7ffc756d30ce",
            "parentcaller": "0x7ffc77c22cd1",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000037c"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 4568
          },
          {
            "timestamp": "2026-05-28 22:02:14,307",
            "thread_id": "11156",
            "caller": "0x7ffc77ba22bf",
            "parentcaller": "0x7ffc77c1fbe4",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x000003c6"
              },
              {
                "name": "SubKey",
                "value": "Interface\\{9ED07B24-36FD-543B-948E-B01FE5814B49}"
              },
              {
                "name": "Handle",
                "value": "0x000005ea"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\Interface\\{9ED07B24-36FD-543B-948E-B01FE5814B49}"
              }
            ],
            "repeated": 0,
            "id": 4569
          },
          {
            "timestamp": "2026-05-28 22:02:14,307",
            "thread_id": "11156",
            "caller": "0x7ffc77c1fa51",
            "parentcaller": "0x7ffc77be42ab",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x000005ea"
              },
              {
                "name": "SubKey",
                "value": "ProxyStubClsid32"
              },
              {
                "name": "Handle",
                "value": "0x000005ee"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{9ed07b24-36fd-543b-948e-b01fe5814b49}\\ProxyStubClsid32"
              }
            ],
            "repeated": 0,
            "id": 4570
          },
          {
            "timestamp": "2026-05-28 22:02:14,307",
            "thread_id": "11156",
            "caller": "0x7ffc77c1fa8c",
            "parentcaller": "0x7ffc77be42ab",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005ee"
              },
              {
                "name": "ValueName",
                "value": ""
              },
              {
                "name": "Data",
                "value": "{c53e07ec-25f3-4093-aa39-fc67ea22e99d}"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{9ed07b24-36fd-543b-948e-b01fe5814b49}\\ProxyStubClsid32\\(Default)"
              }
            ],
            "repeated": 0,
            "id": 4571
          },
          {
            "timestamp": "2026-05-28 22:02:14,307",
            "thread_id": "11156",
            "caller": "0x7ffc77c1fad3",
            "parentcaller": "0x7ffc77be42ab",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005ee"
              }
            ],
            "repeated": 0,
            "id": 4572
          },
          {
            "timestamp": "2026-05-28 22:02:14,307",
            "thread_id": "11156",
            "caller": "0x7ffc77c1fae4",
            "parentcaller": "0x7ffc77be42ab",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005ea"
              }
            ],
            "repeated": 0,
            "id": 4573
          },
          {
            "timestamp": "2026-05-28 22:02:14,307",
            "thread_id": "11156",
            "caller": "0x7ffc756d30ce",
            "parentcaller": "0x7ffc77c22cd1",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 4574
          },
          {
            "timestamp": "2026-05-28 22:02:14,307",
            "thread_id": "11156",
            "caller": "0x7ffc756d30ce",
            "parentcaller": "0x7ffc77c22cd1",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000037c"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 4575
          },
          {
            "timestamp": "2026-05-28 22:02:14,307",
            "thread_id": "11156",
            "caller": "0x7ffc77ba22bf",
            "parentcaller": "0x7ffc77c1fbe4",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x000003c6"
              },
              {
                "name": "SubKey",
                "value": "Interface\\{EFE869FC-5841-55F1-AA56-82C7219AAA09}"
              },
              {
                "name": "Handle",
                "value": "0x000005ea"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\Interface\\{EFE869FC-5841-55F1-AA56-82C7219AAA09}"
              }
            ],
            "repeated": 0,
            "id": 4576
          },
          {
            "timestamp": "2026-05-28 22:02:14,307",
            "thread_id": "11156",
            "caller": "0x7ffc77c1fa51",
            "parentcaller": "0x7ffc77be42ab",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x000005ea"
              },
              {
                "name": "SubKey",
                "value": "ProxyStubClsid32"
              },
              {
                "name": "Handle",
                "value": "0x000005ee"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{efe869fc-5841-55f1-aa56-82c7219aaa09}\\ProxyStubClsid32"
              }
            ],
            "repeated": 0,
            "id": 4577
          },
          {
            "timestamp": "2026-05-28 22:02:14,307",
            "thread_id": "11156",
            "caller": "0x7ffc77c1fa8c",
            "parentcaller": "0x7ffc77be42ab",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005ee"
              },
              {
                "name": "ValueName",
                "value": ""
              },
              {
                "name": "Data",
                "value": "{c53e07ec-25f3-4093-aa39-fc67ea22e99d}"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{efe869fc-5841-55f1-aa56-82c7219aaa09}\\ProxyStubClsid32\\(Default)"
              }
            ],
            "repeated": 0,
            "id": 4578
          },
          {
            "timestamp": "2026-05-28 22:02:14,307",
            "thread_id": "11156",
            "caller": "0x7ffc77c1fad3",
            "parentcaller": "0x7ffc77be42ab",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005ee"
              }
            ],
            "repeated": 0,
            "id": 4579
          },
          {
            "timestamp": "2026-05-28 22:02:14,307",
            "thread_id": "11156",
            "caller": "0x7ffc77c1fae4",
            "parentcaller": "0x7ffc77be42ab",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005ea"
              }
            ],
            "repeated": 0,
            "id": 4580
          },
          {
            "timestamp": "2026-05-28 22:02:14,307",
            "thread_id": "11156",
            "caller": "0x7ffc756d30ce",
            "parentcaller": "0x7ffc77c22cd1",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 4581
          },
          {
            "timestamp": "2026-05-28 22:02:14,307",
            "thread_id": "11156",
            "caller": "0x7ffc756d30ce",
            "parentcaller": "0x7ffc77c22cd1",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000037c"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 4582
          },
          {
            "timestamp": "2026-05-28 22:02:14,307",
            "thread_id": "11156",
            "caller": "0x7ffc7571ebae",
            "parentcaller": "0x7ffc775c712f",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "0",
                "pretty_value": "ThreadBasicInformation"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x03\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xa1\\xf7\\xb8\\x00\\x00\\x00\\xe0)\\x00\\x00\\x00\\x00\\x00\\x00\\x94+\\x00\\x00\\x00\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\t\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "11156"
              }
            ],
            "repeated": 0,
            "id": 4583
          },
          {
            "timestamp": "2026-05-28 22:02:14,307",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000005e8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020119",
                "pretty_value": "KEY_QUERY_VALUE|KEY_ENUMERATE_SUB_KEYS|KEY_NOTIFY|KEY_WOW64_64KEY|STANDARD_RIGHTS_REQUIRED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000378"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Windows.UI.Shell.TaskbarManager"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.UI.Shell.TaskbarManager"
              }
            ],
            "repeated": 0,
            "id": 4584
          },
          {
            "timestamp": "2026-05-28 22:02:14,307",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000005e8"
              },
              {
                "name": "KeyInformation",
                "value": "N\\xffc1\\xffec\\xffe6\\xfff8\\xffee\\xffdc\\x01\\x00\\x00\\x00\\x00>\\x00\\x00\\x00W\\x00i\\x00n\\x00d\\x00o\\x00w\\x00s\\x00.\\x00U\\x00I\\x00.\\x00S\\x00h\\x00e\\x00l\\x00l\\x00.\\x00T\\x00a\\x00s\\x00k\\x00b\\x00a\\x00r\\x00M\\x00a\\x00n\\x00a\\x00g\\x00e\\x00r\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xffb0w\\xffbe\\xfff7\\xffb8\\x00\\x00\\x00*\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xffb0E\\xffe7w\\xfffc\\x7f\\x00\\x00h\\xfff1Ee\\xffa3\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xffcf\\xff92\\xfff7\\xffb8\\x00\\x00\\x00\\xff8c\\xffc2\\xffffw\\xfffc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\xffa3\\x02\\x00\\x00P\\xffc0Ke\\xffa3\\x02\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xffa3\\x02\\x00\\x00\\xfffe\\xffb4>$\\xffbd\\xffaa\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xff90\\xffd7Ke\\xffa3\\x02\\x00\\x00h\\xfff1Ee\\xffa3\\x02\\x00\\x00@\\xfff1Ee\\xffa3\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xff87\\xff9d\\xffbbw\\xfffc\\x7f\\x00\\x00P\\xffc0Ke\\xffa3\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00@\\xfff1Ee\\xffa3\\x02\\x00\\x00P\\xffc0Ke\\xffa3\\x02\\x00\\x00\\xff90\\xffd7Ke\\xffa3\\x02\\x00\\x00\\xff90\\xffe6Ke\\xffa3\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xfff6s\\xffbbw\\xfffc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x07\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xff80\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xff90\\xffd7Ke\\xffa3\\x02\\x00\\x00\\xffa01Le\\xffa3\\x02\\x00\\x00\\xffa01Le\\xffa3\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00P\\xffc0Ke\\xffa3\\x02\\x00\\x00\\x0
0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xffa01Le\\xffa3\\x02\\x00\\x00\\xff8c\\xffc2\\xffffw\\xfffc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\xffa3\\x02\\x00\\x00P\\xffc0Ke\\xffa3\\x02\\x00\\x00\\xff90\\xffe6Ke\\xffa3\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xffd0\\xff92\\xfff7\\xffb8\\x00\\x00\\x003\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xffc00Le\\xffa3\\x02\\x00\\x00@\\xfff1Ee\\xffa3\\x02\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 4585
          },
          {
            "timestamp": "2026-05-28 22:02:14,307",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005e8"
              },
              {
                "name": "ValueName",
                "value": "ActivationType"
              },
              {
                "name": "Data",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.UI.Shell.TaskbarManager\\ActivationType"
              }
            ],
            "repeated": 0,
            "id": 4586
          },
          {
            "timestamp": "2026-05-28 22:02:14,307",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005e8"
              },
              {
                "name": "ValueName",
                "value": "Server"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.UI.Shell.TaskbarManager\\Server"
              }
            ],
            "repeated": 0,
            "id": 4587
          },
          {
            "timestamp": "2026-05-28 22:02:14,307",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005e8"
              },
              {
                "name": "ValueName",
                "value": "DllPath"
              },
              {
                "name": "Data",
                "value": "C:\\Windows\\System32\\wpnapps.dll"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.UI.Shell.TaskbarManager\\DllPath"
              }
            ],
            "repeated": 0,
            "id": 4588
          },
          {
            "timestamp": "2026-05-28 22:02:14,307",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005e8"
              },
              {
                "name": "ValueName",
                "value": "Threading"
              },
              {
                "name": "Data",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.UI.Shell.TaskbarManager\\Threading"
              }
            ],
            "repeated": 0,
            "id": 4589
          },
          {
            "timestamp": "2026-05-28 22:02:14,307",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005e8"
              },
              {
                "name": "ValueName",
                "value": "TrustLevel"
              },
              {
                "name": "Data",
                "value": "1"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.UI.Shell.TaskbarManager\\TrustLevel"
              }
            ],
            "repeated": 0,
            "id": 4590
          },
          {
            "timestamp": "2026-05-28 22:02:14,307",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x000005e8"
              },
              {
                "name": "SubKey",
                "value": "CustomAttributes"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.UI.Shell.TaskbarManager\\CustomAttributes"
              }
            ],
            "repeated": 0,
            "id": 4591
          },
          {
            "timestamp": "2026-05-28 22:02:14,307",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005e8"
              },
              {
                "name": "ValueName",
                "value": "RemoteServer"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.UI.Shell.TaskbarManager\\RemoteServer"
              }
            ],
            "repeated": 0,
            "id": 4592
          },
          {
            "timestamp": "2026-05-28 22:02:14,307",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005e8"
              },
              {
                "name": "ValueName",
                "value": "ActivateAsUser"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.UI.Shell.TaskbarManager\\ActivateAsUser"
              }
            ],
            "repeated": 0,
            "id": 4593
          },
          {
            "timestamp": "2026-05-28 22:02:14,307",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005e8"
              },
              {
                "name": "ValueName",
                "value": "ActivateInSharedBroker"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.UI.Shell.TaskbarManager\\ActivateInSharedBroker"
              }
            ],
            "repeated": 0,
            "id": 4594
          },
          {
            "timestamp": "2026-05-28 22:02:14,307",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005e8"
              },
              {
                "name": "ValueName",
                "value": "ActivateInBrokerForMediumILContainer"
              },
              {
                "name": "Data",
                "value": "1"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.UI.Shell.TaskbarManager\\ActivateInBrokerForMediumILContainer"
              }
            ],
            "repeated": 0,
            "id": 4595
          },
          {
            "timestamp": "2026-05-28 22:02:14,307",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005e8"
              },
              {
                "name": "ValueName",
                "value": "Permissions"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.UI.Shell.TaskbarManager\\Permissions"
              }
            ],
            "repeated": 0,
            "id": 4596
          },
          {
            "timestamp": "2026-05-28 22:02:14,307",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005e8"
              },
              {
                "name": "ValueName",
                "value": "ActivateOnHostFlags"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.UI.Shell.TaskbarManager\\ActivateOnHostFlags"
              }
            ],
            "repeated": 0,
            "id": 4597
          },
          {
            "timestamp": "2026-05-28 22:02:14,307",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005e8"
              }
            ],
            "repeated": 0,
            "id": 4598
          },
          {
            "timestamp": "2026-05-28 22:02:14,307",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000005e8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020119",
                "pretty_value": "KEY_QUERY_VALUE|KEY_ENUMERATE_SUB_KEYS|KEY_NOTIFY|KEY_WOW64_64KEY|STANDARD_RIGHTS_REQUIRED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000378"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Windows.Internal.ApplicationModel.TaskbarPinnableSurface"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.ApplicationModel.TaskbarPinnableSurface"
              }
            ],
            "repeated": 0,
            "id": 4599
          },
          {
            "timestamp": "2026-05-28 22:02:14,307",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000005e8"
              },
              {
                "name": "KeyInformation",
                "value": "\\xff97\\xfffc\\xffe7\\xffe6\\xfff8\\xffee\\xffdc\\x01\\x00\\x00\\x00\\x00p\\x00\\x00\\x00W\\x00i\\x00n\\x00d\\x00o\\x00w\\x00s\\x00.\\x00I\\x00n\\x00t\\x00e\\x00r\\x00n\\x00a\\x00l\\x00.\\x00A\\x00p\\x00p\\x00l\\x00i\\x00c\\x00a\\x00t\\x00i\\x00o\\x00n\\x00M\\x00o\\x00d\\x00e\\x00l\\x00.\\x00T\\x00a\\x00s\\x00k\\x00b\\x00a\\x00r\\x00P\\x00i\\x00n\\x00n\\x00a\\x00b\\x00l\\x00e\\x00S\\x00u\\x00r\\x00f\\x00a\\x00c\\x00e\\x00\\xffb0E\\xffe7w\\xfffc\\x7f\\x00\\x00h\\xfff4Ee\\xffa3\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xfff0\\xffce\\xff92\\xfff7\\xffb8\\x00\\x00\\x00\\xff8c\\xffc2\\xffffw\\xfffc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\xffa3\\x02\\x00\\x00 \\xff8cKe\\xffa3\\x02\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xffa3\\x02\\x00\\x00\\xffee\\xffb4>$\\xffbd\\xffaa\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xff90\\xffd7Ke\\xffa3\\x02\\x00\\x00h\\xfff4Ee\\xffa3\\x02\\x00\\x00@\\xfff4Ee\\xffa3\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xff87\\xff9d\\xffbbw\\xfffc\\x7f\\x00\\x00 \\xff8cKe\\xffa3\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00@\\xfff4Ee\\xffa3\\x02\\x00\\x00 \\xff8cKe\\xffa3\\x02\\x00\\x00\\xff90\\xffd7Ke\\xffa3\\x02\\x00\\x00\\xff90\\xffe6Ke\\xffa3\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xfff6s\\xffbbw\\xfffc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x07\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xff80\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xff90\\xffd7Ke\\xffa3\\x02\\x00\\x00\\xffb0;Le\\xffa3\\x02\\x00\\x00\\xffb0;Le\\xffa3\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00 
\\xff8cKe\\xffa3\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xffb0;Le\\xffa3\\x02\\x00\\x00\\xff8c\\xffc2\\xffffw\\xfffc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\xffa3\\x02\\x00\\x00 \\xff8cKe\\xffa3\\x02\\x00\\x00\\xff90\\xffe6Ke\\xffa3\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xfff0\\xffcf\\xff92\\xfff7\\xffb8\\x00\\x00\\x003\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xff802Le\\xffa3\\x02\\x00\\x00@\\xfff4Ee\\xffa3\\x02\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 4600
          },
          {
            "timestamp": "2026-05-28 22:02:14,307",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005e8"
              },
              {
                "name": "ValueName",
                "value": "ActivationType"
              },
              {
                "name": "Data",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.ApplicationModel.TaskbarPinnableSurface\\ActivationType"
              }
            ],
            "repeated": 0,
            "id": 4601
          },
          {
            "timestamp": "2026-05-28 22:02:14,307",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005e8"
              },
              {
                "name": "ValueName",
                "value": "Server"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.ApplicationModel.TaskbarPinnableSurface\\Server"
              }
            ],
            "repeated": 0,
            "id": 4602
          },
          {
            "timestamp": "2026-05-28 22:02:14,307",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005e8"
              },
              {
                "name": "ValueName",
                "value": "DllPath"
              },
              {
                "name": "Data",
                "value": "C:\\Windows\\System32\\windows.internal.shell.broker.dll"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.ApplicationModel.TaskbarPinnableSurface\\DllPath"
              }
            ],
            "repeated": 0,
            "id": 4603
          },
          {
            "timestamp": "2026-05-28 22:02:14,307",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005e8"
              },
              {
                "name": "ValueName",
                "value": "Threading"
              },
              {
                "name": "Data",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.ApplicationModel.TaskbarPinnableSurface\\Threading"
              }
            ],
            "repeated": 0,
            "id": 4604
          },
          {
            "timestamp": "2026-05-28 22:02:14,307",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005e8"
              },
              {
                "name": "ValueName",
                "value": "TrustLevel"
              },
              {
                "name": "Data",
                "value": "2"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.ApplicationModel.TaskbarPinnableSurface\\TrustLevel"
              }
            ],
            "repeated": 0,
            "id": 4605
          },
          {
            "timestamp": "2026-05-28 22:02:14,307",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x000005e8"
              },
              {
                "name": "SubKey",
                "value": "CustomAttributes"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.ApplicationModel.TaskbarPinnableSurface\\CustomAttributes"
              }
            ],
            "repeated": 0,
            "id": 4606
          },
          {
            "timestamp": "2026-05-28 22:02:14,307",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005e8"
              },
              {
                "name": "ValueName",
                "value": "RemoteServer"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.ApplicationModel.TaskbarPinnableSurface\\RemoteServer"
              }
            ],
            "repeated": 0,
            "id": 4607
          },
          {
            "timestamp": "2026-05-28 22:02:14,307",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005e8"
              },
              {
                "name": "ValueName",
                "value": "ActivateAsUser"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.ApplicationModel.TaskbarPinnableSurface\\ActivateAsUser"
              }
            ],
            "repeated": 0,
            "id": 4608
          },
          {
            "timestamp": "2026-05-28 22:02:14,307",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005e8"
              },
              {
                "name": "ValueName",
                "value": "ActivateInSharedBroker"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.ApplicationModel.TaskbarPinnableSurface\\ActivateInSharedBroker"
              }
            ],
            "repeated": 0,
            "id": 4609
          },
          {
            "timestamp": "2026-05-28 22:02:14,307",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005e8"
              },
              {
                "name": "ValueName",
                "value": "ActivateInBrokerForMediumILContainer"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.ApplicationModel.TaskbarPinnableSurface\\ActivateInBrokerForMediumILContainer"
              }
            ],
            "repeated": 0,
            "id": 4610
          },
          {
            "timestamp": "2026-05-28 22:02:14,307",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005e8"
              },
              {
                "name": "ValueName",
                "value": "Permissions"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.ApplicationModel.TaskbarPinnableSurface\\Permissions"
              }
            ],
            "repeated": 0,
            "id": 4611
          },
          {
            "timestamp": "2026-05-28 22:02:14,307",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005e8"
              },
              {
                "name": "ValueName",
                "value": "ActivateOnHostFlags"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.ApplicationModel.TaskbarPinnableSurface\\ActivateOnHostFlags"
              }
            ],
            "repeated": 0,
            "id": 4612
          },
          {
            "timestamp": "2026-05-28 22:02:14,307",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005e8"
              }
            ],
            "repeated": 0,
            "id": 4613
          },
          {
            "timestamp": "2026-05-28 22:02:14,322",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\System32\\dxgi"
              },
              {
                "name": "DllBase",
                "value": "0x7ffc73f70000"
              }
            ],
            "repeated": 0,
            "id": 4614
          },
          {
            "timestamp": "2026-05-28 22:02:14,322",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\System32\\d3d11"
              },
              {
                "name": "DllBase",
                "value": "0x7ffc71690000"
              }
            ],
            "repeated": 0,
            "id": 4615
          },
          {
            "timestamp": "2026-05-28 22:02:14,322",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\System32\\WININET"
              },
              {
                "name": "DllBase",
                "value": "0x7ffc67810000"
              }
            ],
            "repeated": 0,
            "id": 4616
          },
          {
            "timestamp": "2026-05-28 22:02:14,338",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "NtQuerySystemTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 4,
            "id": 4617
          },
          {
            "timestamp": "2026-05-28 22:02:14,432",
            "thread_id": "10832",
            "caller": "0x00000000",
            "parentcaller": "0x00000000",
            "category": "__notification__",
            "api": "__anomaly__",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadIdentifier",
                "value": "10832"
              },
              {
                "name": "Subcategory",
                "value": "unhook"
              },
              {
                "name": "FunctionName",
                "value": "CommandLineToArgvW"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc775ceb30"
              },
              {
                "name": "UnhookType",
                "value": "restored"
              }
            ],
            "repeated": 0,
            "id": 4618
          },
          {
            "timestamp": "2026-05-28 22:02:14,447",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "NtQuerySystemTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 21,
            "id": 4619
          },
          {
            "timestamp": "2026-05-28 22:02:14,822",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\System32\\windows.internal.shell.broker"
              },
              {
                "name": "DllBase",
                "value": "0x7ffc5b5a0000"
              }
            ],
            "repeated": 0,
            "id": 4620
          },
          {
            "timestamp": "2026-05-28 22:02:14,822",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "gdi32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc77ed0000"
              }
            ],
            "repeated": 0,
            "id": 4621
          },
          {
            "timestamp": "2026-05-28 22:02:14,822",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 4622
          },
          {
            "timestamp": "2026-05-28 22:02:14,822",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\windows.internal.shell.broker.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc5b5a0000"
              }
            ],
            "repeated": 0,
            "id": 4623
          },
          {
            "timestamp": "2026-05-28 22:02:14,822",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x7ffc5b5a0000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\System32\\windows.internal.shell.broker.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00002008"
              }
            ],
            "repeated": 0,
            "id": 4624
          },
          {
            "timestamp": "2026-05-28 22:02:14,822",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "windows.internal.shell.broker.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc5b5a0000"
              },
              {
                "name": "FunctionName",
                "value": "DllGetClassObject"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc5b5e1860"
              }
            ],
            "repeated": 0,
            "id": 4625
          },
          {
            "timestamp": "2026-05-28 22:02:14,822",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "windows.internal.shell.broker.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc5b5a0000"
              },
              {
                "name": "FunctionName",
                "value": "DllGetActivationFactory"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc5b5c2a90"
              }
            ],
            "repeated": 0,
            "id": 4626
          },
          {
            "timestamp": "2026-05-28 22:02:14,822",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "windows.internal.shell.broker.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc5b5a0000"
              },
              {
                "name": "FunctionName",
                "value": "DllCanUnloadNow"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc5b5c03b0"
              }
            ],
            "repeated": 0,
            "id": 4627
          },
          {
            "timestamp": "2026-05-28 22:02:14,822",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc77fd0000"
              }
            ],
            "repeated": 0,
            "id": 4628
          },
          {
            "timestamp": "2026-05-28 22:02:14,822",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc77fd0000"
              },
              {
                "name": "FunctionName",
                "value": "RtlRegisterFeatureConfigurationChangeNotification"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc77fd93b0"
              }
            ],
            "repeated": 0,
            "id": 4629
          },
          {
            "timestamp": "2026-05-28 22:02:14,822",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc77fd0000"
              },
              {
                "name": "FunctionName",
                "value": "NtQueryWnfStateData"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc7806fc40"
              }
            ],
            "repeated": 0,
            "id": 4630
          },
          {
            "timestamp": "2026-05-28 22:02:14,822",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc77fd0000"
              },
              {
                "name": "FunctionName",
                "value": "RtlSubscribeWnfStateChangeNotification"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc78012460"
              }
            ],
            "repeated": 0,
            "id": 4631
          },
          {
            "timestamp": "2026-05-28 22:02:14,822",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc77fd0000"
              },
              {
                "name": "FunctionName",
                "value": "RtlDisownModuleHeapAllocation"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc7804fa30"
              }
            ],
            "repeated": 0,
            "id": 4632
          },
          {
            "timestamp": "2026-05-28 22:02:14,822",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc77fd0000"
              },
              {
                "name": "FunctionName",
                "value": "RtlQueryFeatureConfiguration"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc7802cbd0"
              }
            ],
            "repeated": 0,
            "id": 4633
          },
          {
            "timestamp": "2026-05-28 22:02:14,822",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc77fd0000"
              },
              {
                "name": "FunctionName",
                "value": "RtlDllShutdownInProgress"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc78033410"
              }
            ],
            "repeated": 0,
            "id": 4634
          },
          {
            "timestamp": "2026-05-28 22:02:14,822",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "synchronization",
            "api": "NtCreateMutant",
            "status": true,
            "return": "0x40000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000600"
              },
              {
                "name": "MutexName",
                "value": "Local\\SM0:10720:304:WilStaging_02"
              },
              {
                "name": "InitialOwner",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 4635
          },
          {
            "timestamp": "2026-05-28 22:02:14,822",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000600"
              },
              {
                "name": "Milliseconds",
                "value": "18446744073709551615"
              },
              {
                "name": "Status",
                "value": "Infinite"
              }
            ],
            "repeated": 0,
            "id": 4636
          },
          {
            "timestamp": "2026-05-28 22:02:14,822",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 4637
          },
          {
            "timestamp": "2026-05-28 22:02:14,822",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000604"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 4638
          },
          {
            "timestamp": "2026-05-28 22:02:14,822",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 4639
          },
          {
            "timestamp": "2026-05-28 22:02:14,822",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000608"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 4640
          },
          {
            "timestamp": "2026-05-28 22:02:14,822",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000608"
              }
            ],
            "repeated": 0,
            "id": 4641
          },
          {
            "timestamp": "2026-05-28 22:02:14,822",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000604"
              }
            ],
            "repeated": 0,
            "id": 4642
          },
          {
            "timestamp": "2026-05-28 22:02:14,822",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "synchronization",
            "api": "NtReleaseMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000600"
              }
            ],
            "repeated": 0,
            "id": 4643
          },
          {
            "timestamp": "2026-05-28 22:02:14,822",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000600"
              }
            ],
            "repeated": 0,
            "id": 4644
          },
          {
            "timestamp": "2026-05-28 22:02:14,854",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "00000339-0000-0000-C000-000000000046"
              },
              {
                "name": "ClsContext",
                "value": "0x00000403",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER|CLSCTX_NO_CODE_DOWNLOAD"
              },
              {
                "name": "riid",
                "value": "00000003-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 4645
          },
          {
            "timestamp": "2026-05-28 22:02:14,854",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "C2F03A33-21F5-47FA-B4BB-156362A2F239"
              },
              {
                "name": "ClsContext",
                "value": "0x00000004",
                "pretty_value": "CLSCTX_LOCAL_SERVER"
              },
              {
                "name": "riid",
                "value": "6D5140C1-7436-11CE-8034-00AA006009FA"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 4646
          },
          {
            "timestamp": "2026-05-28 22:02:14,854",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "NtQuerySystemTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 4647
          },
          {
            "timestamp": "2026-05-28 22:02:14,854",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "29"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 4648
          },
          {
            "timestamp": "2026-05-28 22:02:14,854",
            "thread_id": "11128",
            "caller": "0x7ffc75716f4c",
            "parentcaller": "0x7ffc770cef53",
            "category": "system",
            "api": "NtDuplicateObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SourceProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "SourceHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "TargetProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "TargetHandle",
                "value": "0x0000051c"
              },
              {
                "name": "Options",
                "value": "0x00000002"
              }
            ],
            "repeated": 0,
            "id": 4649
          },
          {
            "timestamp": "2026-05-28 22:02:14,854",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 4650
          },
          {
            "timestamp": "2026-05-28 22:02:14,854",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000460"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 4651
          },
          {
            "timestamp": "2026-05-28 22:02:14,854",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x000003c6"
              },
              {
                "name": "SubKey",
                "value": "Interface\\{7E470A8A-3ACD-5913-AF64-4AB78355BE5F}"
              },
              {
                "name": "Handle",
                "value": "0x00000606"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\Interface\\{7E470A8A-3ACD-5913-AF64-4AB78355BE5F}"
              }
            ],
            "repeated": 0,
            "id": 4652
          },
          {
            "timestamp": "2026-05-28 22:02:14,854",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000606"
              },
              {
                "name": "SubKey",
                "value": "ProxyStubClsid32"
              },
              {
                "name": "Handle",
                "value": "0x0000060a"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{7E470A8A-3ACD-5913-AF64-4AB78355BE5F}\\ProxyStubClsid32"
              }
            ],
            "repeated": 0,
            "id": 4653
          },
          {
            "timestamp": "2026-05-28 22:02:14,854",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000060a"
              },
              {
                "name": "ValueName",
                "value": ""
              },
              {
                "name": "Data",
                "value": "{9F1FA092-87AA-C78A-4073-7E873ED1E3CF}"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{7E470A8A-3ACD-5913-AF64-4AB78355BE5F}\\ProxyStubClsid32\\(Default)"
              }
            ],
            "repeated": 0,
            "id": 4654
          },
          {
            "timestamp": "2026-05-28 22:02:14,854",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000060a"
              }
            ],
            "repeated": 0,
            "id": 4655
          },
          {
            "timestamp": "2026-05-28 22:02:14,854",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000606"
              }
            ],
            "repeated": 0,
            "id": 4656
          },
          {
            "timestamp": "2026-05-28 22:02:14,854",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x0000036a"
              },
              {
                "name": "SubKey",
                "value": "CLSID\\{9F1FA092-87AA-C78A-4073-7E873ED1E3CF}"
              },
              {
                "name": "Handle",
                "value": "0x00000606"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{9F1FA092-87AA-C78A-4073-7E873ED1E3CF}"
              }
            ],
            "repeated": 0,
            "id": 4657
          },
          {
            "timestamp": "2026-05-28 22:02:14,854",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000606"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\CLSID\\{9F1FA092-87AA-C78A-4073-7E873ED1E3CF}"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 4658
          },
          {
            "timestamp": "2026-05-28 22:02:14,854",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000606"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 4659
          },
          {
            "timestamp": "2026-05-28 22:02:14,854",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\xae\\x92\\xf7\\xb8\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xfc\\x7f\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\xe9\\x03\\x00\\x00\\xfc\\x7f\\x00\\x00\\xb8\\xcf\\xd93\\xfc\\x7f\\x00\\x00\\x06\\x06\\x00\\x00\\x00\\x00\\x00\\x00\\xe0\\xd2\\xd93\\xfc\\x7f\\x00\\x00\\x04\\x00\\x00\\x00\\xb8\\x00\\x00\\x00\\x00\\xaf\\x92\\xf7\\xb8\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 4660
          },
          {
            "timestamp": "2026-05-28 22:02:14,854",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3968686040-3210279463-847977608-1001_Classes\\CLSID\\{9F1FA092-87AA-C78A-4073-7E873ED1E3CF}\\TreatAs"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{9F1FA092-87AA-C78A-4073-7E873ED1E3CF}\\TreatAs"
              }
            ],
            "repeated": 0,
            "id": 4661
          },
          {
            "timestamp": "2026-05-28 22:02:14,854",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000606"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 4662
          },
          {
            "timestamp": "2026-05-28 22:02:14,854",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000606"
              },
              {
                "name": "ObjectAttributesName",
                "value": "TreatAs"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{9F1FA092-87AA-C78A-4073-7E873ED1E3CF}\\TreatAs"
              }
            ],
            "repeated": 0,
            "id": 4663
          },
          {
            "timestamp": "2026-05-28 22:02:14,854",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000606"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\CLSID\\{9F1FA092-87AA-C78A-4073-7E873ED1E3CF}"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 4664
          },
          {
            "timestamp": "2026-05-28 22:02:14,854",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000606"
              },
              {
                "name": "ValueName",
                "value": "ActivateOnHostFlags"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{9F1FA092-87AA-C78A-4073-7E873ED1E3CF}\\ActivateOnHostFlags"
              }
            ],
            "repeated": 0,
            "id": 4665
          },
          {
            "timestamp": "2026-05-28 22:02:14,854",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000606"
              },
              {
                "name": "ValueName",
                "value": ""
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{9F1FA092-87AA-C78A-4073-7E873ED1E3CF}\\(Default)"
              }
            ],
            "repeated": 0,
            "id": 4666
          },
          {
            "timestamp": "2026-05-28 22:02:14,854",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000606"
              },
              {
                "name": "ValueName",
                "value": ""
              },
              {
                "name": "Data",
                "value": "PSFactoryBuffer"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{9F1FA092-87AA-C78A-4073-7E873ED1E3CF}\\(Default)"
              }
            ],
            "repeated": 0,
            "id": 4667
          },
          {
            "timestamp": "2026-05-28 22:02:14,854",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000606"
              },
              {
                "name": "SubKey",
                "value": "InprocServer32"
              },
              {
                "name": "Handle",
                "value": "0x0000060a"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{9F1FA092-87AA-C78A-4073-7E873ED1E3CF}\\InprocServer32"
              }
            ],
            "repeated": 0,
            "id": 4668
          },
          {
            "timestamp": "2026-05-28 22:02:14,854",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000060a"
              },
              {
                "name": "ValueName",
                "value": "InprocServer32"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{9F1FA092-87AA-C78A-4073-7E873ED1E3CF}\\InProcServer32\\InprocServer32"
              }
            ],
            "repeated": 0,
            "id": 4669
          },
          {
            "timestamp": "2026-05-28 22:02:14,854",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000060a"
              },
              {
                "name": "ValueName",
                "value": ""
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{9F1FA092-87AA-C78A-4073-7E873ED1E3CF}\\InProcServer32\\(Default)"
              }
            ],
            "repeated": 0,
            "id": 4670
          },
          {
            "timestamp": "2026-05-28 22:02:14,854",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000060a"
              },
              {
                "name": "ValueName",
                "value": ""
              },
              {
                "name": "Data",
                "value": "C:\\Windows\\System32\\PCShellCommonProxyStub.dll"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{9F1FA092-87AA-C78A-4073-7E873ED1E3CF}\\InProcServer32\\(Default)"
              }
            ],
            "repeated": 0,
            "id": 4671
          },
          {
            "timestamp": "2026-05-28 22:02:14,854",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000060a"
              },
              {
                "name": "ValueName",
                "value": "ThreadingModel"
              },
              {
                "name": "Data",
                "value": "Both"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{9F1FA092-87AA-C78A-4073-7E873ED1E3CF}\\InProcServer32\\ThreadingModel"
              }
            ],
            "repeated": 0,
            "id": 4672
          },
          {
            "timestamp": "2026-05-28 22:02:14,854",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000060a"
              }
            ],
            "repeated": 0,
            "id": 4673
          },
          {
            "timestamp": "2026-05-28 22:02:14,854",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000606"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\CLSID\\{9F1FA092-87AA-C78A-4073-7E873ED1E3CF}"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 4674
          },
          {
            "timestamp": "2026-05-28 22:02:14,854",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000606"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 4675
          },
          {
            "timestamp": "2026-05-28 22:02:14,854",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\x90\\xac\\x92\\xf7\\xb8\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xfc\\x7f\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\xe9\\x03\\x00\\x00\\xfc\\x7f\\x00\\x00\\xb8\\xcf\\xd93\\xfc\\x7f\\x00\\x00\\x06\\x06\\x00\\x00\\x00\\x00\\x00\\x00\\xe0\\xd2\\xd93\\xfc\\x7f\\x00\\x00\\x04\\x00\\x00\\x00\\xb8\\x00\\x00\\x00\\x90\\xad\\x92\\xf7\\xb8\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 4676
          },
          {
            "timestamp": "2026-05-28 22:02:14,854",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3968686040-3210279463-847977608-1001_Classes\\CLSID\\{9F1FA092-87AA-C78A-4073-7E873ED1E3CF}\\InprocHandler32"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{9F1FA092-87AA-C78A-4073-7E873ED1E3CF}\\InprocHandler32"
              }
            ],
            "repeated": 0,
            "id": 4677
          },
          {
            "timestamp": "2026-05-28 22:02:14,854",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000606"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 4678
          },
          {
            "timestamp": "2026-05-28 22:02:14,854",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000606"
              },
              {
                "name": "ObjectAttributesName",
                "value": "InprocHandler32"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{9F1FA092-87AA-C78A-4073-7E873ED1E3CF}\\InprocHandler32"
              }
            ],
            "repeated": 0,
            "id": 4679
          },
          {
            "timestamp": "2026-05-28 22:02:14,854",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000606"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\CLSID\\{9F1FA092-87AA-C78A-4073-7E873ED1E3CF}"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 4680
          },
          {
            "timestamp": "2026-05-28 22:02:14,854",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000606"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 4681
          },
          {
            "timestamp": "2026-05-28 22:02:14,854",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\x90\\xac\\x92\\xf7\\xb8\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xfc\\x7f\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\xe9\\x03\\x00\\x00\\xfc\\x7f\\x00\\x00\\xb8\\xcf\\xd93\\xfc\\x7f\\x00\\x00\\x06\\x06\\x00\\x00\\x00\\x00\\x00\\x00\\xe0\\xd2\\xd93\\xfc\\x7f\\x00\\x00\\x04\\x00\\x00\\x00\\xb8\\x00\\x00\\x00\\x90\\xad\\x92\\xf7\\xb8\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 4682
          },
          {
            "timestamp": "2026-05-28 22:02:14,854",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3968686040-3210279463-847977608-1001_Classes\\CLSID\\{9F1FA092-87AA-C78A-4073-7E873ED1E3CF}\\InprocHandler"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{9F1FA092-87AA-C78A-4073-7E873ED1E3CF}\\InprocHandler"
              }
            ],
            "repeated": 0,
            "id": 4683
          },
          {
            "timestamp": "2026-05-28 22:02:14,854",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000606"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 4684
          },
          {
            "timestamp": "2026-05-28 22:02:14,854",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000606"
              },
              {
                "name": "ObjectAttributesName",
                "value": "InprocHandler"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{9F1FA092-87AA-C78A-4073-7E873ED1E3CF}\\InprocHandler"
              }
            ],
            "repeated": 0,
            "id": 4685
          },
          {
            "timestamp": "2026-05-28 22:02:14,854",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000606"
              }
            ],
            "repeated": 0,
            "id": 4686
          },
          {
            "timestamp": "2026-05-28 22:02:14,854",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 4687
          },
          {
            "timestamp": "2026-05-28 22:02:14,854",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000037c"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 4688
          },
          {
            "timestamp": "2026-05-28 22:02:14,854",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x0000036a"
              },
              {
                "name": "SubKey",
                "value": "CLSID\\{9F1FA092-87AA-C78A-4073-7E873ED1E3CF}"
              },
              {
                "name": "Handle",
                "value": "0x00000606"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{9F1FA092-87AA-C78A-4073-7E873ED1E3CF}"
              }
            ],
            "repeated": 0,
            "id": 4689
          },
          {
            "timestamp": "2026-05-28 22:02:14,854",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000606"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\CLSID\\{9F1FA092-87AA-C78A-4073-7E873ED1E3CF}"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 4690
          },
          {
            "timestamp": "2026-05-28 22:02:14,854",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000606"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 4691
          },
          {
            "timestamp": "2026-05-28 22:02:14,854",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xc0\\xaa\\x92\\xf7\\xb8\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xfc\\x7f\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\xe9\\x03\\x00\\x00\\xfc\\x7f\\x00\\x00\\xb8\\xcf\\xd93\\xfc\\x7f\\x00\\x00\\x06\\x06\\x00\\x00\\x00\\x00\\x00\\x00\\xe0\\xd2\\xd93\\xfc\\x7f\\x00\\x00\\x04\\x00\\x00\\x00\\xb8\\x00\\x00\\x00\\xc0\\xab\\x92\\xf7\\xb8\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 4692
          },
          {
            "timestamp": "2026-05-28 22:02:14,854",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3968686040-3210279463-847977608-1001_Classes\\CLSID\\{9F1FA092-87AA-C78A-4073-7E873ED1E3CF}\\TreatAs"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{9F1FA092-87AA-C78A-4073-7E873ED1E3CF}\\TreatAs"
              }
            ],
            "repeated": 0,
            "id": 4693
          },
          {
            "timestamp": "2026-05-28 22:02:14,854",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000606"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 4694
          },
          {
            "timestamp": "2026-05-28 22:02:14,854",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000606"
              },
              {
                "name": "ObjectAttributesName",
                "value": "TreatAs"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{9F1FA092-87AA-C78A-4073-7E873ED1E3CF}\\TreatAs"
              }
            ],
            "repeated": 0,
            "id": 4695
          },
          {
            "timestamp": "2026-05-28 22:02:14,854",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000606"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\CLSID\\{9F1FA092-87AA-C78A-4073-7E873ED1E3CF}"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 4696
          },
          {
            "timestamp": "2026-05-28 22:02:14,854",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000606"
              },
              {
                "name": "ValueName",
                "value": "ActivateOnHostFlags"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{9F1FA092-87AA-C78A-4073-7E873ED1E3CF}\\ActivateOnHostFlags"
              }
            ],
            "repeated": 0,
            "id": 4697
          },
          {
            "timestamp": "2026-05-28 22:02:14,854",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000606"
              },
              {
                "name": "ValueName",
                "value": ""
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{9F1FA092-87AA-C78A-4073-7E873ED1E3CF}\\(Default)"
              }
            ],
            "repeated": 0,
            "id": 4698
          },
          {
            "timestamp": "2026-05-28 22:02:14,854",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000606"
              },
              {
                "name": "ValueName",
                "value": ""
              },
              {
                "name": "Data",
                "value": "PSFactoryBuffer"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{9F1FA092-87AA-C78A-4073-7E873ED1E3CF}\\(Default)"
              }
            ],
            "repeated": 0,
            "id": 4699
          },
          {
            "timestamp": "2026-05-28 22:02:14,854",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000606"
              },
              {
                "name": "SubKey",
                "value": "InprocServer32"
              },
              {
                "name": "Handle",
                "value": "0x0000060a"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{9F1FA092-87AA-C78A-4073-7E873ED1E3CF}\\InprocServer32"
              }
            ],
            "repeated": 0,
            "id": 4700
          },
          {
            "timestamp": "2026-05-28 22:02:14,854",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000060a"
              },
              {
                "name": "ValueName",
                "value": "InprocServer32"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{9F1FA092-87AA-C78A-4073-7E873ED1E3CF}\\InProcServer32\\InprocServer32"
              }
            ],
            "repeated": 0,
            "id": 4701
          },
          {
            "timestamp": "2026-05-28 22:02:14,854",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000060a"
              },
              {
                "name": "ValueName",
                "value": ""
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{9F1FA092-87AA-C78A-4073-7E873ED1E3CF}\\InProcServer32\\(Default)"
              }
            ],
            "repeated": 0,
            "id": 4702
          },
          {
            "timestamp": "2026-05-28 22:02:14,854",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000060a"
              },
              {
                "name": "ValueName",
                "value": ""
              },
              {
                "name": "Data",
                "value": "C:\\Windows\\System32\\PCShellCommonProxyStub.dll"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{9F1FA092-87AA-C78A-4073-7E873ED1E3CF}\\InProcServer32\\(Default)"
              }
            ],
            "repeated": 0,
            "id": 4703
          },
          {
            "timestamp": "2026-05-28 22:02:14,854",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000060a"
              },
              {
                "name": "ValueName",
                "value": "ThreadingModel"
              },
              {
                "name": "Data",
                "value": "Both"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{9F1FA092-87AA-C78A-4073-7E873ED1E3CF}\\InProcServer32\\ThreadingModel"
              }
            ],
            "repeated": 0,
            "id": 4704
          },
          {
            "timestamp": "2026-05-28 22:02:14,854",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000060a"
              }
            ],
            "repeated": 0,
            "id": 4705
          },
          {
            "timestamp": "2026-05-28 22:02:14,854",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000606"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\CLSID\\{9F1FA092-87AA-C78A-4073-7E873ED1E3CF}"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 4706
          },
          {
            "timestamp": "2026-05-28 22:02:14,854",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000606"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 4707
          },
          {
            "timestamp": "2026-05-28 22:02:14,854",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "P\\xa9\\x92\\xf7\\xb8\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xfc\\x7f\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\xe9\\x03\\x00\\x00\\xfc\\x7f\\x00\\x00\\xb8\\xcf\\xd93\\xfc\\x7f\\x00\\x00\\x06\\x06\\x00\\x00\\x00\\x00\\x00\\x00\\xe0\\xd2\\xd93\\xfc\\x7f\\x00\\x00\\x04\\x00\\x00\\x00\\xb8\\x00\\x00\\x00P\\xaa\\x92\\xf7\\xb8\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 4708
          },
          {
            "timestamp": "2026-05-28 22:02:14,854",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3968686040-3210279463-847977608-1001_Classes\\CLSID\\{9F1FA092-87AA-C78A-4073-7E873ED1E3CF}\\InprocHandler32"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{9F1FA092-87AA-C78A-4073-7E873ED1E3CF}\\InprocHandler32"
              }
            ],
            "repeated": 0,
            "id": 4709
          },
          {
            "timestamp": "2026-05-28 22:02:14,854",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000606"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 4710
          },
          {
            "timestamp": "2026-05-28 22:02:14,854",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000606"
              },
              {
                "name": "ObjectAttributesName",
                "value": "InprocHandler32"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{9F1FA092-87AA-C78A-4073-7E873ED1E3CF}\\InprocHandler32"
              }
            ],
            "repeated": 0,
            "id": 4711
          },
          {
            "timestamp": "2026-05-28 22:02:14,854",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000606"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\CLSID\\{9F1FA092-87AA-C78A-4073-7E873ED1E3CF}"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 4712
          },
          {
            "timestamp": "2026-05-28 22:02:14,854",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000606"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 4713
          },
          {
            "timestamp": "2026-05-28 22:02:14,854",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "P\\xa9\\x92\\xf7\\xb8\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xfc\\x7f\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\xe9\\x03\\x00\\x00\\xfc\\x7f\\x00\\x00\\xb8\\xcf\\xd93\\xfc\\x7f\\x00\\x00\\x06\\x06\\x00\\x00\\x00\\x00\\x00\\x00\\xe0\\xd2\\xd93\\xfc\\x7f\\x00\\x00\\x04\\x00\\x00\\x00\\xb8\\x00\\x00\\x00P\\xaa\\x92\\xf7\\xb8\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 4714
          },
          {
            "timestamp": "2026-05-28 22:02:14,854",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3968686040-3210279463-847977608-1001_Classes\\CLSID\\{9F1FA092-87AA-C78A-4073-7E873ED1E3CF}\\InprocHandler"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{9F1FA092-87AA-C78A-4073-7E873ED1E3CF}\\InprocHandler"
              }
            ],
            "repeated": 0,
            "id": 4715
          },
          {
            "timestamp": "2026-05-28 22:02:14,854",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000606"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 4716
          },
          {
            "timestamp": "2026-05-28 22:02:14,854",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000606"
              },
              {
                "name": "ObjectAttributesName",
                "value": "InprocHandler"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{9F1FA092-87AA-C78A-4073-7E873ED1E3CF}\\InprocHandler"
              }
            ],
            "repeated": 0,
            "id": 4717
          },
          {
            "timestamp": "2026-05-28 22:02:14,854",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000606"
              },
              {
                "name": "SubKey",
                "value": "LocalServer32"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{9F1FA092-87AA-C78A-4073-7E873ED1E3CF}\\LocalServer32"
              }
            ],
            "repeated": 0,
            "id": 4718
          },
          {
            "timestamp": "2026-05-28 22:02:14,854",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000606"
              },
              {
                "name": "ValueName",
                "value": "AppID"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{9F1FA092-87AA-C78A-4073-7E873ED1E3CF}\\AppID"
              }
            ],
            "repeated": 0,
            "id": 4719
          },
          {
            "timestamp": "2026-05-28 22:02:14,854",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000606"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\CLSID\\{9F1FA092-87AA-C78A-4073-7E873ED1E3CF}"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 4720
          },
          {
            "timestamp": "2026-05-28 22:02:14,854",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000606"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 4721
          },
          {
            "timestamp": "2026-05-28 22:02:14,854",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\x90\\xa8\\x92\\xf7\\xb8\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xfc\\x7f\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\xe9\\x03\\x00\\x00\\xfc\\x7f\\x00\\x00\\xb8\\xcf\\xd93\\xfc\\x7f\\x00\\x00\\x06\\x06\\x00\\x00\\x00\\x00\\x00\\x00\\xe0\\xd2\\xd93\\xfc\\x7f\\x00\\x00\\x04\\x00\\x00\\x00\\xb8\\x00\\x00\\x00\\x90\\xa9\\x92\\xf7\\xb8\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 4722
          },
          {
            "timestamp": "2026-05-28 22:02:14,854",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3968686040-3210279463-847977608-1001_Classes\\CLSID\\{9F1FA092-87AA-C78A-4073-7E873ED1E3CF}\\LocalServer"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{9F1FA092-87AA-C78A-4073-7E873ED1E3CF}\\LocalServer"
              }
            ],
            "repeated": 0,
            "id": 4723
          },
          {
            "timestamp": "2026-05-28 22:02:14,854",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000606"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 4724
          },
          {
            "timestamp": "2026-05-28 22:02:14,854",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000606"
              },
              {
                "name": "ObjectAttributesName",
                "value": "LocalServer"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{9F1FA092-87AA-C78A-4073-7E873ED1E3CF}\\LocalServer"
              }
            ],
            "repeated": 0,
            "id": 4725
          },
          {
            "timestamp": "2026-05-28 22:02:14,854",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x0000036a"
              },
              {
                "name": "SubKey",
                "value": "CLSID\\{9F1FA092-87AA-C78A-4073-7E873ED1E3CF}"
              },
              {
                "name": "Handle",
                "value": "0x0000060a"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{9F1FA092-87AA-C78A-4073-7E873ED1E3CF}"
              }
            ],
            "repeated": 0,
            "id": 4726
          },
          {
            "timestamp": "2026-05-28 22:02:14,854",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x0000060a"
              },
              {
                "name": "SubKey",
                "value": "Elevation"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{9F1FA092-87AA-C78A-4073-7E873ED1E3CF}\\Elevation"
              }
            ],
            "repeated": 0,
            "id": 4727
          },
          {
            "timestamp": "2026-05-28 22:02:14,854",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000060a"
              }
            ],
            "repeated": 0,
            "id": 4728
          },
          {
            "timestamp": "2026-05-28 22:02:14,854",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000606"
              }
            ],
            "repeated": 0,
            "id": 4729
          },
          {
            "timestamp": "2026-05-28 22:02:14,854",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x000003c6"
              },
              {
                "name": "SubKey",
                "value": "CLSID\\{9F1FA092-87AA-C78A-4073-7E873ED1E3CF}"
              },
              {
                "name": "Handle",
                "value": "0x00000606"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{9F1FA092-87AA-C78A-4073-7E873ED1E3CF}"
              }
            ],
            "repeated": 0,
            "id": 4730
          },
          {
            "timestamp": "2026-05-28 22:02:14,854",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000606"
              },
              {
                "name": "SubKey",
                "value": "TreatAs"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{9F1FA092-87AA-C78A-4073-7E873ED1E3CF}\\TreatAs"
              }
            ],
            "repeated": 0,
            "id": 4731
          },
          {
            "timestamp": "2026-05-28 22:02:14,854",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000606"
              }
            ],
            "repeated": 0,
            "id": 4732
          },
          {
            "timestamp": "2026-05-28 22:02:14,854",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 4733
          },
          {
            "timestamp": "2026-05-28 22:02:14,854",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000037c"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 4734
          },
          {
            "timestamp": "2026-05-28 22:02:14,854",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\System32\\PCShellCommonProxyStub"
              },
              {
                "name": "DllBase",
                "value": "0x7ffc5cbd0000"
              }
            ],
            "repeated": 0,
            "id": 4735
          },
          {
            "timestamp": "2026-05-28 22:02:14,854",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\PCShellCommonProxyStub.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc5cbd0000"
              }
            ],
            "repeated": 0,
            "id": 4736
          },
          {
            "timestamp": "2026-05-28 22:02:14,854",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x7ffc5cbd0000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\System32\\PCShellCommonProxyStub.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00002008"
              }
            ],
            "repeated": 0,
            "id": 4737
          },
          {
            "timestamp": "2026-05-28 22:02:14,854",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "PCShellCommonProxyStub.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc5cbd0000"
              },
              {
                "name": "FunctionName",
                "value": "DllGetClassObject"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc5cbd1660"
              }
            ],
            "repeated": 0,
            "id": 4738
          },
          {
            "timestamp": "2026-05-28 22:02:14,854",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": false,
            "return": "0xffffffffc0000139",
            "pretty_return": "ENTRYPOINT_NOT_FOUND",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "PCShellCommonProxyStub.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc5cbd0000"
              },
              {
                "name": "FunctionName",
                "value": "DllGetActivationFactory"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 4739
          },
          {
            "timestamp": "2026-05-28 22:02:14,854",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "PCShellCommonProxyStub.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc5cbd0000"
              },
              {
                "name": "FunctionName",
                "value": "DllCanUnloadNow"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc5cbd16a0"
              }
            ],
            "repeated": 0,
            "id": 4740
          },
          {
            "timestamp": "2026-05-28 22:02:14,854",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 4741
          },
          {
            "timestamp": "2026-05-28 22:02:14,854",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000460"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 4742
          },
          {
            "timestamp": "2026-05-28 22:02:14,854",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc77fd0000"
              }
            ],
            "repeated": 0,
            "id": 4743
          },
          {
            "timestamp": "2026-05-28 22:02:14,854",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc77fd0000"
              },
              {
                "name": "FunctionName",
                "value": "RtlRegisterFeatureConfigurationChangeNotification"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc77fd93b0"
              }
            ],
            "repeated": 0,
            "id": 4744
          },
          {
            "timestamp": "2026-05-28 22:02:14,854",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc77fd0000"
              },
              {
                "name": "FunctionName",
                "value": "NtQueryWnfStateData"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc7806fc40"
              }
            ],
            "repeated": 0,
            "id": 4745
          },
          {
            "timestamp": "2026-05-28 22:02:14,854",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc77fd0000"
              },
              {
                "name": "FunctionName",
                "value": "RtlSubscribeWnfStateChangeNotification"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc78012460"
              }
            ],
            "repeated": 0,
            "id": 4746
          },
          {
            "timestamp": "2026-05-28 22:02:14,854",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc77fd0000"
              },
              {
                "name": "FunctionName",
                "value": "RtlDisownModuleHeapAllocation"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc7804fa30"
              }
            ],
            "repeated": 0,
            "id": 4747
          },
          {
            "timestamp": "2026-05-28 22:02:14,854",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc77fd0000"
              },
              {
                "name": "FunctionName",
                "value": "RtlQueryFeatureConfiguration"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc7802cbd0"
              }
            ],
            "repeated": 0,
            "id": 4748
          },
          {
            "timestamp": "2026-05-28 22:02:14,854",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc77fd0000"
              },
              {
                "name": "FunctionName",
                "value": "RtlDllShutdownInProgress"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc78033410"
              }
            ],
            "repeated": 0,
            "id": 4749
          },
          {
            "timestamp": "2026-05-28 22:02:14,854",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "synchronization",
            "api": "NtCreateMutant",
            "status": true,
            "return": "0x40000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000604"
              },
              {
                "name": "MutexName",
                "value": "Local\\SM0:10720:304:WilStaging_02"
              },
              {
                "name": "InitialOwner",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 4750
          },
          {
            "timestamp": "2026-05-28 22:02:14,854",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000604"
              },
              {
                "name": "Milliseconds",
                "value": "18446744073709551615"
              },
              {
                "name": "Status",
                "value": "Infinite"
              }
            ],
            "repeated": 0,
            "id": 4751
          },
          {
            "timestamp": "2026-05-28 22:02:14,854",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 4752
          },
          {
            "timestamp": "2026-05-28 22:02:14,854",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000608"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 4753
          },
          {
            "timestamp": "2026-05-28 22:02:14,854",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 4754
          },
          {
            "timestamp": "2026-05-28 22:02:14,854",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000060c"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 4755
          },
          {
            "timestamp": "2026-05-28 22:02:14,854",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000060c"
              }
            ],
            "repeated": 0,
            "id": 4756
          },
          {
            "timestamp": "2026-05-28 22:02:14,854",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000608"
              }
            ],
            "repeated": 0,
            "id": 4757
          },
          {
            "timestamp": "2026-05-28 22:02:14,854",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "synchronization",
            "api": "NtReleaseMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000604"
              }
            ],
            "repeated": 0,
            "id": 4758
          },
          {
            "timestamp": "2026-05-28 22:02:14,854",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000604"
              }
            ],
            "repeated": 0,
            "id": 4759
          },
          {
            "timestamp": "2026-05-28 22:02:14,854",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "39"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 4760
          },
          {
            "timestamp": "2026-05-28 22:02:14,854",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "39"
              },
              {
                "name": "TokenInformation",
                "value": "\\x01\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\xc0\\xe9Ie\\xa3\\x02\\x00\\x00\\x1c\\x00\\x1c\\x00\\x00\\x00\\x00\\x00`\\xeaIe\\xa3\\x02\\x00\\x00\\x03\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x80\\xeaIe\\xa3\\x02\\x00\\x00\\x12\\x00\\x12\\x00\\x00\\x00\\x00\\x00\\x94\\xebIe\\xa3\\x02\\x00\\x00\\x02\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xa8\\xebIe\\xa3\\x02\\x00\\x00\\x1e\\x00\\x1e\\x00\\x00\\x00\\x00\\x00\\xb0\\xebIe\\xa3\\x02\\x00\\x00\\x02\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xd0\\xebIe\\xa3\\x02\\x00\\x00 \\x00 \\x00\\x00\\x00\\x00\\x00\\xd8\\xebIe\\xa3\\x02\\x00\\x00\\x02\\x00\\x00\\x00A\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xf8\\xebIe\\xa3\\x02\\x00\\x00W\\x00I\\x00N\\x00:\\x00/\\x00/\\x00S\\x00Y\\x00S\\x00A\\x00P\\x00P\\x00I\\x00D\\x00\\x00\\x00\\x00\\x00\\x86\\x00\\x86\\x00\\x00\\x00\\x00\\x00\\xb0\\xeaIe\\xa3\\x02\\x00\\x00\\x06\\x00\\x06\\x00\\x00\\x00\\x00\\x006\\xebIe\\xa3\\x02\\x00\\x00X\\x00X\\x00\\x00\\x00\\x00\\x00<\\xebIe\\xa3\\x02\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 4761
          },
          {
            "timestamp": "2026-05-28 22:02:14,854",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000060c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020119",
                "pretty_value": "KEY_QUERY_VALUE|KEY_ENUMERATE_SUB_KEYS|KEY_NOTIFY|KEY_WOW64_64KEY|STANDARD_RIGHTS_REQUIRED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000378"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Windows.UI.StartScreen.StartScreenManager"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.UI.StartScreen.StartScreenManager"
              }
            ],
            "repeated": 0,
            "id": 4762
          },
          {
            "timestamp": "2026-05-28 22:02:14,854",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000060c"
              },
              {
                "name": "KeyInformation",
                "value": "N\\xffc1\\xffec\\xffe6\\xfff8\\xffee\\xffdc\\x01\\x00\\x00\\x00\\x00R\\x00\\x00\\x00W\\x00i\\x00n\\x00d\\x00o\\x00w\\x00s\\x00.\\x00U\\x00I\\x00.\\x00S\\x00t\\x00a\\x00r\\x00t\\x00S\\x00c\\x00r\\x00e\\x00e\\x00n\\x00.\\x00S\\x00t\\x00a\\x00r\\x00t\\x00S\\x00c\\x00r\\x00e\\x00e\\x00n\\x00M\\x00a\\x00n\\x00a\\x00g\\x00e\\x00r\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00*\\x00\\x00\\x00/\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x1e\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xffb0E\\xffe7w\\xfffc\\x7f\\x00\\x00\\xfff8\\xffc7He\\xffa3\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xffd0\\xffc6\\xff92\\xfff7\\xffb8\\x00\\x00\\x00\\xff8c\\xffc2\\xffffw\\xfffc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\xffa3\\x02\\x00\\x00\\xffd0\\xffc2He\\xffa3\\x02\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xffa3\\x02\\x00\\x00\\x0e\\xffbc>$\\xffbd\\xffaa\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xffd0\\xffdbKe\\xffa3\\x02\\x00\\x00\\xfff8\\xffc7He\\xffa3\\x02\\x00\\x00\\xffd0\\xffc7He\\xffa3\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xff87\\xff9d\\xffbbw\\xfffc\\x7f\\x00\\x00\\xffd0\\xffc2He\\xffa3\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xffd0\\xffc7He\\xffa3\\x02\\x00\\x00\\xffd0\\xffc2He\\xffa3\\x02\\x00\\x00\\xffd0\\xffdbKe\\xffa3\\x02\\x00\\x00P\\xffeaKe\\xffa3\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xfff6s\\xffbbw\\xfffc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x07\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xff80\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xffd0\\xffdbKe\\xffa3\\x02\\x00\\x00\\xffc07Le\\xffa3\\x02\\x00\\x00\\xffc07Le\\xffa3\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xffd0\\xffc2He\\xffa3\\x02\\x00\\x00\\x00\\x00
\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xffc07Le\\xffa3\\x02\\x00\\x00\\xff8c\\xffc2\\xffffw\\xfffc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\xffa3\\x02\\x00\\x00\\xffd0\\xffc2He\\xffa3\\x02\\x00\\x00P\\xffeaKe\\xffa3\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xffd0\\xffc7\\xff92\\xfff7\\xffb8\\x00\\x00\\x003\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x006Le\\xffa3\\x02\\x00\\x00\\xffd0\\xffc7He\\xffa3\\x02\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 4763
          },
          {
            "timestamp": "2026-05-28 22:02:14,854",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000060c"
              },
              {
                "name": "ValueName",
                "value": "ActivationType"
              },
              {
                "name": "Data",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.UI.StartScreen.StartScreenManager\\ActivationType"
              }
            ],
            "repeated": 0,
            "id": 4764
          },
          {
            "timestamp": "2026-05-28 22:02:14,854",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000060c"
              },
              {
                "name": "ValueName",
                "value": "Server"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.UI.StartScreen.StartScreenManager\\Server"
              }
            ],
            "repeated": 0,
            "id": 4765
          },
          {
            "timestamp": "2026-05-28 22:02:14,854",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000060c"
              },
              {
                "name": "ValueName",
                "value": "DllPath"
              },
              {
                "name": "Data",
                "value": "C:\\Windows\\System32\\wpnapps.dll"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.UI.StartScreen.StartScreenManager\\DllPath"
              }
            ],
            "repeated": 0,
            "id": 4766
          },
          {
            "timestamp": "2026-05-28 22:02:14,854",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000060c"
              },
              {
                "name": "ValueName",
                "value": "Threading"
              },
              {
                "name": "Data",
                "value": "2"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.UI.StartScreen.StartScreenManager\\Threading"
              }
            ],
            "repeated": 0,
            "id": 4767
          },
          {
            "timestamp": "2026-05-28 22:02:14,854",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000060c"
              },
              {
                "name": "ValueName",
                "value": "TrustLevel"
              },
              {
                "name": "Data",
                "value": "1"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.UI.StartScreen.StartScreenManager\\TrustLevel"
              }
            ],
            "repeated": 0,
            "id": 4768
          },
          {
            "timestamp": "2026-05-28 22:02:14,854",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x0000060c"
              },
              {
                "name": "SubKey",
                "value": "CustomAttributes"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.UI.StartScreen.StartScreenManager\\CustomAttributes"
              }
            ],
            "repeated": 0,
            "id": 4769
          },
          {
            "timestamp": "2026-05-28 22:02:14,854",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000060c"
              },
              {
                "name": "ValueName",
                "value": "RemoteServer"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.UI.StartScreen.StartScreenManager\\RemoteServer"
              }
            ],
            "repeated": 0,
            "id": 4770
          },
          {
            "timestamp": "2026-05-28 22:02:14,854",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000060c"
              },
              {
                "name": "ValueName",
                "value": "ActivateAsUser"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.UI.StartScreen.StartScreenManager\\ActivateAsUser"
              }
            ],
            "repeated": 0,
            "id": 4771
          },
          {
            "timestamp": "2026-05-28 22:02:14,854",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000060c"
              },
              {
                "name": "ValueName",
                "value": "ActivateInSharedBroker"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.UI.StartScreen.StartScreenManager\\ActivateInSharedBroker"
              }
            ],
            "repeated": 0,
            "id": 4772
          },
          {
            "timestamp": "2026-05-28 22:02:14,854",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000060c"
              },
              {
                "name": "ValueName",
                "value": "ActivateInBrokerForMediumILContainer"
              },
              {
                "name": "Data",
                "value": "1"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.UI.StartScreen.StartScreenManager\\ActivateInBrokerForMediumILContainer"
              }
            ],
            "repeated": 0,
            "id": 4773
          },
          {
            "timestamp": "2026-05-28 22:02:14,854",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000060c"
              },
              {
                "name": "ValueName",
                "value": "Permissions"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.UI.StartScreen.StartScreenManager\\Permissions"
              }
            ],
            "repeated": 0,
            "id": 4774
          },
          {
            "timestamp": "2026-05-28 22:02:14,854",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000060c"
              },
              {
                "name": "ValueName",
                "value": "ActivateOnHostFlags"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.UI.StartScreen.StartScreenManager\\ActivateOnHostFlags"
              }
            ],
            "repeated": 0,
            "id": 4775
          },
          {
            "timestamp": "2026-05-28 22:02:14,854",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000060c"
              }
            ],
            "repeated": 0,
            "id": 4776
          },
          {
            "timestamp": "2026-05-28 22:02:14,854",
            "thread_id": "11132",
            "caller": "0x7ffc756e6785",
            "parentcaller": "0x7ffc77c12ec5",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005c8"
              }
            ],
            "repeated": 0,
            "id": 4777
          },
          {
            "timestamp": "2026-05-28 22:02:14,854",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000005c8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020119",
                "pretty_value": "KEY_QUERY_VALUE|KEY_ENUMERATE_SUB_KEYS|KEY_NOTIFY|KEY_WOW64_64KEY|STANDARD_RIGHTS_REQUIRED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000378"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Windows.System.User"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.System.User"
              }
            ],
            "repeated": 0,
            "id": 4778
          },
          {
            "timestamp": "2026-05-28 22:02:14,854",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000005c8"
              },
              {
                "name": "KeyInformation",
                "value": "\\xffd9E\\x04\\xffd4\\xffde\\xffac\\xffd5\\x01\\x00\\x00\\x00\\x00&\\x00\\x00\\x00W\\x00i\\x00n\\x00d\\x00o\\x00w\\x00s\\x00.\\x00S\\x00y\\x00s\\x00t\\x00e\\x00m\\x00.\\x00U\\x00s\\x00e\\x00r\\x00\\x00\\x00\\xff88\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xff80\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xff80\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00*\\x00\\x00\\x00\\x00\\x00\\x00\\x00/\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x1e\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xffb0E\\xffe7w\\xfffc\\x7f\\x00\\x00\\xfff8\\xffc7He\\xffa3\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xff90\\xffc6\\xff92\\xfff7\\xffb8\\x00\\x00\\x00\\xff8c\\xffc2\\xffffw\\xfffc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\xffa3\\x02\\x00\\x00\\xff90\\xffebKe\\xffa3\\x02\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xffa3\\x02\\x00\\x00N\\xffbc>$\\xffbd\\xffaa\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00P\\xffd9Ke\\xffa3\\x02\\x00\\x00\\xfff8\\xffc7He\\xffa3\\x02\\x00\\x00\\xffd0\\xffc7He\\xffa3\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xff87\\xff9d\\xffbbw\\xfffc\\x7f\\x00\\x00\\xff90\\xffebKe\\xffa3\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xffd0\\xffc7He\\xffa3\\x02\\x00\\x00\\xff90\\xffebKe\\xffa3\\x02\\x00\\x00P\\xffd9Ke\\xffa3\\x02\\x00\\x00\\x00\\xffefKe\\xffa3\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xfff6s\\xffbbw\\xfffc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x07\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xff80\\x00\\x00\\x00\\x00\\x00\\x00\\x00P\\xffd9Ke\\xffa3\\x02\\x00\\x00\\xff802Le\\xffa3\\x02\\x00\\x00\\xff802Le\\xffa3\\x02\\x00\\x00\\x00\\x00\\x0
0\\x00\\x00\\x00\\x00\\x00\\xff90\\xffebKe\\xffa3\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xff802Le\\xffa3\\x02\\x00\\x00\\xff8c\\xffc2\\xffffw\\xfffc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\xffa3\\x02\\x00\\x00\\xff90\\xffebKe\\xffa3\\x02\\x00\\x00\\x00\\xffefKe\\xffa3\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xff90\\xffc7\\xff92\\xfff7\\xffb8\\x00\\x00\\x003\\x00\\x00\\x00\\x00\\x00\\x00\\x00`:Le\\xffa3\\x02\\x00\\x00\\xffd0\\xffc7He\\xffa3\\x02\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 4779
          },
          {
            "timestamp": "2026-05-28 22:02:14,854",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005c8"
              },
              {
                "name": "ValueName",
                "value": "ActivationType"
              },
              {
                "name": "Data",
                "value": "1"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.System.User\\ActivationType"
              }
            ],
            "repeated": 0,
            "id": 4780
          },
          {
            "timestamp": "2026-05-28 22:02:14,854",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005c8"
              },
              {
                "name": "ValueName",
                "value": "Server"
              },
              {
                "name": "Data",
                "value": "UserManager"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.System.User\\Server"
              }
            ],
            "repeated": 0,
            "id": 4781
          },
          {
            "timestamp": "2026-05-28 22:02:14,854",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005c8"
              },
              {
                "name": "ValueName",
                "value": "DllPath"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.System.User\\DllPath"
              }
            ],
            "repeated": 0,
            "id": 4782
          },
          {
            "timestamp": "2026-05-28 22:02:14,854",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005c8"
              },
              {
                "name": "ValueName",
                "value": "Threading"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.System.User\\Threading"
              }
            ],
            "repeated": 0,
            "id": 4783
          },
          {
            "timestamp": "2026-05-28 22:02:14,854",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005c8"
              },
              {
                "name": "ValueName",
                "value": "TrustLevel"
              },
              {
                "name": "Data",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.System.User\\TrustLevel"
              }
            ],
            "repeated": 0,
            "id": 4784
          },
          {
            "timestamp": "2026-05-28 22:02:14,854",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x000005c8"
              },
              {
                "name": "SubKey",
                "value": "CustomAttributes"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.System.User\\CustomAttributes"
              }
            ],
            "repeated": 0,
            "id": 4785
          },
          {
            "timestamp": "2026-05-28 22:02:14,854",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005c8"
              },
              {
                "name": "ValueName",
                "value": "RemoteServer"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.System.User\\RemoteServer"
              }
            ],
            "repeated": 0,
            "id": 4786
          },
          {
            "timestamp": "2026-05-28 22:02:14,854",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005c8"
              },
              {
                "name": "ValueName",
                "value": "ActivateAsUser"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.System.User\\ActivateAsUser"
              }
            ],
            "repeated": 0,
            "id": 4787
          },
          {
            "timestamp": "2026-05-28 22:02:14,854",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005c8"
              },
              {
                "name": "ValueName",
                "value": "ActivateInSharedBroker"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.System.User\\ActivateInSharedBroker"
              }
            ],
            "repeated": 0,
            "id": 4788
          },
          {
            "timestamp": "2026-05-28 22:02:14,854",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005c8"
              },
              {
                "name": "ValueName",
                "value": "ActivateInBrokerForMediumILContainer"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.System.User\\ActivateInBrokerForMediumILContainer"
              }
            ],
            "repeated": 0,
            "id": 4789
          },
          {
            "timestamp": "2026-05-28 22:02:14,854",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x000000ea",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005c8"
              },
              {
                "name": "ValueName",
                "value": "Permissions"
              },
              {
                "name": "Type",
                "value": "0xb800000003"
              },
              {
                "name": "DataLength",
                "value": "184"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.System.User\\Permissions"
              }
            ],
            "repeated": 0,
            "id": 4790
          },
          {
            "timestamp": "2026-05-28 22:02:14,854",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005c8"
              },
              {
                "name": "ValueName",
                "value": "Permissions"
              },
              {
                "name": "Data",
                "value": "\\x01\\x00\\x14\\x80\\x9c\\x00\\x00\\x00\\xa8\\x00\\x00\\x00\\x14\\x00\\x00\\x000\\x00\\x00\\x00\\x02\\x00\\x1c\\x00\\x01\\x00\\x00\\x00\\x11\\x00\\x14\\x00\\x04\\x00\\x00\\x00\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x10\\x00\\x00\\x02\\x00l\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x18\\x00\\x1f\\x00\\x00\\x00\\x01\\x02\\x00\\x00\\x00\\x00\\x00\\x0f\\x02\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x008\\x00\\x1f\\x00\\x00\\x00\\x01\n\\x00\\x00\\x00\\x00\\x00\\x0f\\x03\\x00\\x00\\x00\\x00\\x04\\x00\\x00\\xceJ\\x93Y\\xb9\\xcf\\x0buu\\xc0\\xf2\\x9b\\xb2\\xb4\\xc2\\x98\\xd4F\\xdd\\xf9\\x02z\\x87\\xec\\x14e\\x11w\\xd6\\xe9\\x96U\\x00\\x00\\x14\\x00\\x1f\\x00\\x00\\x00\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x05\n\\x00\\x00\\x00\\x01\\x02\\x00\\x00\\x00\\x00\\x00\\x05 \\x00\\x00\\x00!\\x02\\x00\\x00"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.System.User\\Permissions"
              }
            ],
            "repeated": 0,
            "id": 4791
          },
          {
            "timestamp": "2026-05-28 22:02:14,854",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005c8"
              },
              {
                "name": "ValueName",
                "value": "ActivateOnHostFlags"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.System.User\\ActivateOnHostFlags"
              }
            ],
            "repeated": 0,
            "id": 4792
          },
          {
            "timestamp": "2026-05-28 22:02:14,854",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005c8"
              }
            ],
            "repeated": 0,
            "id": 4793
          },
          {
            "timestamp": "2026-05-28 22:02:14,854",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 4794
          },
          {
            "timestamp": "2026-05-28 22:02:14,854",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000478"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 4795
          },
          {
            "timestamp": "2026-05-28 22:02:14,854",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "00000339-0000-0000-C000-000000000046"
              },
              {
                "name": "ClsContext",
                "value": "0x00000403",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER|CLSCTX_NO_CODE_DOWNLOAD"
              },
              {
                "name": "riid",
                "value": "00000003-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 4796
          },
          {
            "timestamp": "2026-05-28 22:02:14,854",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x000003c6"
              },
              {
                "name": "SubKey",
                "value": "Interface\\{155EB23B-242A-45E0-A2E9-3171FC6A7FDD}"
              },
              {
                "name": "Handle",
                "value": "0x00000612"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\Interface\\{155EB23B-242A-45E0-A2E9-3171FC6A7FDD}"
              }
            ],
            "repeated": 0,
            "id": 4797
          },
          {
            "timestamp": "2026-05-28 22:02:14,854",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000612"
              },
              {
                "name": "SubKey",
                "value": "ProxyStubClsid32"
              },
              {
                "name": "Handle",
                "value": "0x00000616"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{155EB23B-242A-45E0-A2E9-3171FC6A7FDD}\\ProxyStubClsid32"
              }
            ],
            "repeated": 0,
            "id": 4798
          },
          {
            "timestamp": "2026-05-28 22:02:14,854",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000616"
              },
              {
                "name": "ValueName",
                "value": ""
              },
              {
                "name": "Data",
                "value": "{1BAC8681-2965-4FFC-92D1-170CA4099E01}"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{155EB23B-242A-45E0-A2E9-3171FC6A7FDD}\\ProxyStubClsid32\\(Default)"
              }
            ],
            "repeated": 0,
            "id": 4799
          },
          {
            "timestamp": "2026-05-28 22:02:14,854",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000616"
              }
            ],
            "repeated": 0,
            "id": 4800
          },
          {
            "timestamp": "2026-05-28 22:02:14,854",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000612"
              }
            ],
            "repeated": 0,
            "id": 4801
          },
          {
            "timestamp": "2026-05-28 22:02:14,854",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 4802
          },
          {
            "timestamp": "2026-05-28 22:02:14,854",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000037c"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 4803
          },
          {
            "timestamp": "2026-05-28 22:02:14,854",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "NtQuerySystemTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 4804
          },
          {
            "timestamp": "2026-05-28 22:02:14,869",
            "thread_id": "11124",
            "caller": "0x7ffc77ba22bf",
            "parentcaller": "0x7ffc77c1fbe4",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x000003c6"
              },
              {
                "name": "SubKey",
                "value": "Interface\\{E44EA1DF-BB85-5A8C-BDDC-C8E960C355C9}"
              },
              {
                "name": "Handle",
                "value": "0x000005ea"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\Interface\\{E44EA1DF-BB85-5A8C-BDDC-C8E960C355C9}"
              }
            ],
            "repeated": 0,
            "id": 4805
          },
          {
            "timestamp": "2026-05-28 22:02:14,869",
            "thread_id": "11124",
            "caller": "0x7ffc77c1fa51",
            "parentcaller": "0x7ffc77be42ab",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x000005ea"
              },
              {
                "name": "SubKey",
                "value": "ProxyStubClsid32"
              },
              {
                "name": "Handle",
                "value": "0x000005ba"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{e44ea1df-bb85-5a8c-bddc-c8e960c355c9}\\ProxyStubClsid32"
              }
            ],
            "repeated": 0,
            "id": 4806
          },
          {
            "timestamp": "2026-05-28 22:02:14,869",
            "thread_id": "11124",
            "caller": "0x7ffc77c1fa8c",
            "parentcaller": "0x7ffc77be42ab",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005ba"
              },
              {
                "name": "ValueName",
                "value": ""
              },
              {
                "name": "Data",
                "value": "{1BAC8681-2965-4FFC-92D1-170CA4099E01}"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{e44ea1df-bb85-5a8c-bddc-c8e960c355c9}\\ProxyStubClsid32\\(Default)"
              }
            ],
            "repeated": 0,
            "id": 4807
          },
          {
            "timestamp": "2026-05-28 22:02:14,869",
            "thread_id": "11124",
            "caller": "0x7ffc77c1fad3",
            "parentcaller": "0x7ffc77be42ab",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005ba"
              }
            ],
            "repeated": 0,
            "id": 4808
          },
          {
            "timestamp": "2026-05-28 22:02:14,869",
            "thread_id": "11124",
            "caller": "0x7ffc77c1fae4",
            "parentcaller": "0x7ffc77be42ab",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005ea"
              }
            ],
            "repeated": 0,
            "id": 4809
          },
          {
            "timestamp": "2026-05-28 22:02:14,869",
            "thread_id": "11124",
            "caller": "0x7ffc756d30ce",
            "parentcaller": "0x7ffc77c22cd1",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 4810
          },
          {
            "timestamp": "2026-05-28 22:02:14,869",
            "thread_id": "11124",
            "caller": "0x7ffc756d30ce",
            "parentcaller": "0x7ffc77c22cd1",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000037c"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 4811
          },
          {
            "timestamp": "2026-05-28 22:02:14,869",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x000003c6"
              },
              {
                "name": "SubKey",
                "value": "Interface\\{8CBD762A-1222-5EE5-B745-489E7A42C6EC}"
              },
              {
                "name": "Handle",
                "value": "0x000005ea"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\Interface\\{8CBD762A-1222-5EE5-B745-489E7A42C6EC}"
              }
            ],
            "repeated": 0,
            "id": 4812
          },
          {
            "timestamp": "2026-05-28 22:02:14,869",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x000005ea"
              },
              {
                "name": "SubKey",
                "value": "ProxyStubClsid32"
              },
              {
                "name": "Handle",
                "value": "0x000005ba"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{8cbd762a-1222-5ee5-b745-489e7a42c6ec}\\ProxyStubClsid32"
              }
            ],
            "repeated": 0,
            "id": 4813
          },
          {
            "timestamp": "2026-05-28 22:02:14,869",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005ba"
              },
              {
                "name": "ValueName",
                "value": ""
              },
              {
                "name": "Data",
                "value": "{1BAC8681-2965-4FFC-92D1-170CA4099E01}"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{8cbd762a-1222-5ee5-b745-489e7a42c6ec}\\ProxyStubClsid32\\(Default)"
              }
            ],
            "repeated": 0,
            "id": 4814
          },
          {
            "timestamp": "2026-05-28 22:02:14,869",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005ba"
              }
            ],
            "repeated": 0,
            "id": 4815
          },
          {
            "timestamp": "2026-05-28 22:02:14,869",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005ea"
              }
            ],
            "repeated": 0,
            "id": 4816
          },
          {
            "timestamp": "2026-05-28 22:02:14,869",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 4817
          },
          {
            "timestamp": "2026-05-28 22:02:14,869",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000037c"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 4818
          },
          {
            "timestamp": "2026-05-28 22:02:14,869",
            "thread_id": "11124",
            "caller": "0x7ffc756e6785",
            "parentcaller": "0x7ffc60ed53ef",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000610"
              }
            ],
            "repeated": 0,
            "id": 4819
          },
          {
            "timestamp": "2026-05-28 22:02:14,869",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 4820
          },
          {
            "timestamp": "2026-05-28 22:02:14,869",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000478"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 4821
          },
          {
            "timestamp": "2026-05-28 22:02:14,869",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 4822
          },
          {
            "timestamp": "2026-05-28 22:02:14,869",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000478"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 4823
          },
          {
            "timestamp": "2026-05-28 22:02:14,869",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "99B29D3B-368A-4BE6-B675-805A69114497"
              },
              {
                "name": "ClsContext",
                "value": "0x00000403",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER|CLSCTX_NO_CODE_DOWNLOAD"
              },
              {
                "name": "riid",
                "value": "00000003-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 4824
          },
          {
            "timestamp": "2026-05-28 22:02:14,869",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 4825
          },
          {
            "timestamp": "2026-05-28 22:02:14,869",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000478"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 4826
          },
          {
            "timestamp": "2026-05-28 22:02:14,869",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 4827
          },
          {
            "timestamp": "2026-05-28 22:02:14,869",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000478"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 4828
          },
          {
            "timestamp": "2026-05-28 22:02:14,869",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 4829
          },
          {
            "timestamp": "2026-05-28 22:02:14,869",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000478"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 4830
          },
          {
            "timestamp": "2026-05-28 22:02:14,869",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000614"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020119",
                "pretty_value": "KEY_QUERY_VALUE|KEY_ENUMERATE_SUB_KEYS|KEY_NOTIFY|KEY_WOW64_64KEY|STANDARD_RIGHTS_REQUIRED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000378"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Windows.Internal.Tiles.TileStore"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.Tiles.TileStore"
              }
            ],
            "repeated": 0,
            "id": 4831
          },
          {
            "timestamp": "2026-05-28 22:02:14,869",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000614"
              },
              {
                "name": "KeyInformation",
                "value": "7_\\xffea\\xffe6\\xfff8\\xffee\\xffdc\\x01\\x00\\x00\\x00\\x00@\\x00\\x00\\x00W\\x00i\\x00n\\x00d\\x00o\\x00w\\x00s\\x00.\\x00I\\x00n\\x00t\\x00e\\x00r\\x00n\\x00a\\x00l\\x00.\\x00T\\x00i\\x00l\\x00e\\x00s\\x00.\\x00T\\x00i\\x00l\\x00e\\x00S\\x00t\\x00o\\x00r\\x00e\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xffb0w\\xffbe\\xfff7\\xffb8\\x00\\x00\\x00\\x16\\x00\\x00\\x00\\xfffc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xffb0E\\xffe7w\\xfffc\\x7f\\x00\\x00h\\xfff0Ee\\xffa3\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00`\\xffc6\\xff92\\xfff7\\xffb8\\x00\\x00\\x00\\xff8c\\xffc2\\xffffw\\xfffc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\xffa3\\x02\\x00\\x00\\x10\\xffc4Ke\\xffa3\\x02\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xffa3\\x02\\x00\\x00\\xff9e\\xffbb>$\\xffbd\\xffaa\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00P\\xffd8Ke\\xffa3\\x02\\x00\\x00h\\xfff0Ee\\xffa3\\x02\\x00\\x00@\\xfff0Ee\\xffa3\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xff87\\xff9d\\xffbbw\\xfffc\\x7f\\x00\\x00\\x10\\xffc4Ke\\xffa3\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00@\\xfff0Ee\\xffa3\\x02\\x00\\x00\\x10\\xffc4Ke\\xffa3\\x02\\x00\\x00P\\xffd8Ke\\xffa3\\x02\\x00\\x00P\\xffefKe\\xffa3\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xfff6s\\xffbbw\\xfffc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x07\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xff80\\x00\\x00\\x00\\x00\\x00\\x00\\x00P\\xffd8Ke\\xffa3\\x02\\x00\\x00`:Le\\xffa3\\x02\\x00\\x00`:Le\\xffa3\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\xffc4Ke\\xffa3\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\
x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00`:Le\\xffa3\\x02\\x00\\x00\\xff8c\\xffc2\\xffffw\\xfffc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\xffa3\\x02\\x00\\x00\\x10\\xffc4Ke\\xffa3\\x02\\x00\\x00P\\xffefKe\\xffa3\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00`\\xffc7\\xff92\\xfff7\\xffb8\\x00\\x00\\x003\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xffc00Le\\xffa3\\x02\\x00\\x00@\\xfff0Ee\\xffa3\\x02\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 4832
          },
          {
            "timestamp": "2026-05-28 22:02:14,869",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000614"
              },
              {
                "name": "ValueName",
                "value": "ActivationType"
              },
              {
                "name": "Data",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.Tiles.TileStore\\ActivationType"
              }
            ],
            "repeated": 0,
            "id": 4833
          },
          {
            "timestamp": "2026-05-28 22:02:14,869",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000614"
              },
              {
                "name": "ValueName",
                "value": "Server"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.Tiles.TileStore\\Server"
              }
            ],
            "repeated": 0,
            "id": 4834
          },
          {
            "timestamp": "2026-05-28 22:02:14,869",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000614"
              },
              {
                "name": "ValueName",
                "value": "DllPath"
              },
              {
                "name": "Data",
                "value": "C:\\Windows\\System32\\TileDataRepository.dll"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.Tiles.TileStore\\DllPath"
              }
            ],
            "repeated": 0,
            "id": 4835
          },
          {
            "timestamp": "2026-05-28 22:02:14,869",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000614"
              },
              {
                "name": "ValueName",
                "value": "Threading"
              },
              {
                "name": "Data",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.Tiles.TileStore\\Threading"
              }
            ],
            "repeated": 0,
            "id": 4836
          },
          {
            "timestamp": "2026-05-28 22:02:14,869",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000614"
              },
              {
                "name": "ValueName",
                "value": "TrustLevel"
              },
              {
                "name": "Data",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.Tiles.TileStore\\TrustLevel"
              }
            ],
            "repeated": 0,
            "id": 4837
          },
          {
            "timestamp": "2026-05-28 22:02:14,869",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000614"
              },
              {
                "name": "SubKey",
                "value": "CustomAttributes"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.Tiles.TileStore\\CustomAttributes"
              }
            ],
            "repeated": 0,
            "id": 4838
          },
          {
            "timestamp": "2026-05-28 22:02:14,869",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000614"
              },
              {
                "name": "ValueName",
                "value": "RemoteServer"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.Tiles.TileStore\\RemoteServer"
              }
            ],
            "repeated": 0,
            "id": 4839
          },
          {
            "timestamp": "2026-05-28 22:02:14,869",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000614"
              },
              {
                "name": "ValueName",
                "value": "ActivateAsUser"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.Tiles.TileStore\\ActivateAsUser"
              }
            ],
            "repeated": 0,
            "id": 4840
          },
          {
            "timestamp": "2026-05-28 22:02:14,869",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000614"
              },
              {
                "name": "ValueName",
                "value": "ActivateInSharedBroker"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.Tiles.TileStore\\ActivateInSharedBroker"
              }
            ],
            "repeated": 0,
            "id": 4841
          },
          {
            "timestamp": "2026-05-28 22:02:14,869",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000614"
              },
              {
                "name": "ValueName",
                "value": "ActivateInBrokerForMediumILContainer"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.Tiles.TileStore\\ActivateInBrokerForMediumILContainer"
              }
            ],
            "repeated": 0,
            "id": 4842
          },
          {
            "timestamp": "2026-05-28 22:02:14,869",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000614"
              },
              {
                "name": "ValueName",
                "value": "Permissions"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.Tiles.TileStore\\Permissions"
              }
            ],
            "repeated": 0,
            "id": 4843
          },
          {
            "timestamp": "2026-05-28 22:02:14,869",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000614"
              },
              {
                "name": "ValueName",
                "value": "ActivateOnHostFlags"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.Tiles.TileStore\\ActivateOnHostFlags"
              }
            ],
            "repeated": 0,
            "id": 4844
          },
          {
            "timestamp": "2026-05-28 22:02:14,869",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000614"
              }
            ],
            "repeated": 0,
            "id": 4845
          },
          {
            "timestamp": "2026-05-28 22:02:14,869",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 4846
          },
          {
            "timestamp": "2026-05-28 22:02:14,869",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000478"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 4847
          },
          {
            "timestamp": "2026-05-28 22:02:14,869",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "00000339-0000-0000-C000-000000000046"
              },
              {
                "name": "ClsContext",
                "value": "0x00000403",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER|CLSCTX_NO_CODE_DOWNLOAD"
              },
              {
                "name": "riid",
                "value": "00000003-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 4848
          },
          {
            "timestamp": "2026-05-28 22:02:14,869",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 4849
          },
          {
            "timestamp": "2026-05-28 22:02:14,869",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000478"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 4850
          },
          {
            "timestamp": "2026-05-28 22:02:14,869",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 4851
          },
          {
            "timestamp": "2026-05-28 22:02:14,869",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000460"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 4852
          },
          {
            "timestamp": "2026-05-28 22:02:14,869",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 4853
          },
          {
            "timestamp": "2026-05-28 22:02:14,869",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000460"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 4854
          },
          {
            "timestamp": "2026-05-28 22:02:14,869",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 4855
          },
          {
            "timestamp": "2026-05-28 22:02:14,869",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000460"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 4856
          },
          {
            "timestamp": "2026-05-28 22:02:14,869",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 4857
          },
          {
            "timestamp": "2026-05-28 22:02:14,869",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000478"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 4858
          },
          {
            "timestamp": "2026-05-28 22:02:14,869",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 4859
          },
          {
            "timestamp": "2026-05-28 22:02:14,869",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "P\nLe\\xa3\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\xe9\\x03\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 4860
          },
          {
            "timestamp": "2026-05-28 22:02:14,869",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000618"
              }
            ],
            "repeated": 0,
            "id": 4861
          },
          {
            "timestamp": "2026-05-28 22:02:14,869",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 4862
          },
          {
            "timestamp": "2026-05-28 22:02:14,869",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005c8"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 4863
          },
          {
            "timestamp": "2026-05-28 22:02:14,869",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 4864
          },
          {
            "timestamp": "2026-05-28 22:02:14,869",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005c8"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 4865
          },
          {
            "timestamp": "2026-05-28 22:02:14,869",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "00000339-0000-0000-C000-000000000046"
              },
              {
                "name": "ClsContext",
                "value": "0x00000403",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER|CLSCTX_NO_CODE_DOWNLOAD"
              },
              {
                "name": "riid",
                "value": "00000003-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 4866
          },
          {
            "timestamp": "2026-05-28 22:02:14,869",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "NtQuerySystemTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 4867
          },
          {
            "timestamp": "2026-05-28 22:02:14,869",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "29"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 4868
          },
          {
            "timestamp": "2026-05-28 22:02:14,869",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 4869
          },
          {
            "timestamp": "2026-05-28 22:02:14,869",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005c8"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 4870
          },
          {
            "timestamp": "2026-05-28 22:02:14,869",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 4871
          },
          {
            "timestamp": "2026-05-28 22:02:14,869",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005c8"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 4872
          },
          {
            "timestamp": "2026-05-28 22:02:14,869",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000061c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020119",
                "pretty_value": "KEY_QUERY_VALUE|KEY_ENUMERATE_SUB_KEYS|KEY_NOTIFY|KEY_WOW64_64KEY|STANDARD_RIGHTS_REQUIRED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000378"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Windows.Internal.StateRepository.TileView"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.TileView"
              }
            ],
            "repeated": 0,
            "id": 4873
          },
          {
            "timestamp": "2026-05-28 22:02:14,869",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000061c"
              },
              {
                "name": "KeyInformation",
                "value": "\\xfffci\\x0e\\xffd4\\xffde\\xffac\\xffd5\\x01\\x00\\x00\\x00\\x00R\\x00\\x00\\x00W\\x00i\\x00n\\x00d\\x00o\\x00w\\x00s\\x00.\\x00I\\x00n\\x00t\\x00e\\x00r\\x00n\\x00a\\x00l\\x00.\\x00S\\x00t\\x00a\\x00t\\x00e\\x00R\\x00e\\x00p\\x00o\\x00s\\x00i\\x00t\\x00o\\x00r\\x00y\\x00.\\x00T\\x00i\\x00l\\x00e\\x00V\\x00i\\x00e\\x00w\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x1a\\x00\\x00\\x00\\xfffc\\x7f\\x00\\x00'\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x0e\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xffb0E\\xffe7w\\xfffc\\x7f\\x00\\x00\\xfff8\\xffc3He\\xffa3\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x000\\xffc2\\xff92\\xfff7\\xffb8\\x00\\x00\\x00\\xff8c\\xffc2\\xffffw\\xfffc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\xffa3\\x02\\x00\\x00\\xffd0\\xffc2He\\xffa3\\x02\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xffa3\\x02\\x00\\x00\\xffae\\xffc7>$\\xffbd\\xffaa\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00P\\xffd8Ke\\xffa3\\x02\\x00\\x00\\xfff8\\xffc3He\\xffa3\\x02\\x00\\x00\\xffd0\\xffc3He\\xffa3\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xff87\\xff9d\\xffbbw\\xfffc\\x7f\\x00\\x00\\xffd0\\xffc2He\\xffa3\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xffd0\\xffc3He\\xffa3\\x02\\x00\\x00\\xffd0\\xffc2He\\xffa3\\x02\\x00\\x00P\\xffd8Ke\\xffa3\\x02\\x00\\x00\\x10\\xffeeKe\\xffa3\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xfff6s\\xffbbw\\xfffc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x07\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xff80\\x00\\x00\\x00\\x00\\x00\\x00\\x00P\\xffd8Ke\\xffa3\\x02\\x00\\x00\\xff90\\x05Ie\\xffa3\\x02\\x00\\x00\\xff90\\x05Ie\\xffa3\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xffd0\\xffc2He\\xffa3\\x02\\x00\\x00\\x00\\x00\\x00\
\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xff90\\x05Ie\\xffa3\\x02\\x00\\x00\\xff8c\\xffc2\\xffffw\\xfffc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\xffa3\\x02\\x00\\x00\\xffd0\\xffc2He\\xffa3\\x02\\x00\\x00\\x10\\xffeeKe\\xffa3\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x000\\xffc3\\xff92\\xfff7\\xffb8\\x00\\x00\\x003\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xffb0\\x04Ie\\xffa3\\x02\\x00\\x00\\xffd0\\xffc3He\\xffa3\\x02\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 4874
          },
          {
            "timestamp": "2026-05-28 22:02:14,869",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000061c"
              },
              {
                "name": "ValueName",
                "value": "ActivationType"
              },
              {
                "name": "Data",
                "value": "1"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.TileView\\ActivationType"
              }
            ],
            "repeated": 0,
            "id": 4875
          },
          {
            "timestamp": "2026-05-28 22:02:14,869",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000061c"
              },
              {
                "name": "ValueName",
                "value": "Server"
              },
              {
                "name": "Data",
                "value": "StateRepository"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.TileView\\Server"
              }
            ],
            "repeated": 0,
            "id": 4876
          },
          {
            "timestamp": "2026-05-28 22:02:14,869",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000061c"
              },
              {
                "name": "ValueName",
                "value": "DllPath"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.TileView\\DllPath"
              }
            ],
            "repeated": 0,
            "id": 4877
          },
          {
            "timestamp": "2026-05-28 22:02:14,869",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000061c"
              },
              {
                "name": "ValueName",
                "value": "Threading"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.TileView\\Threading"
              }
            ],
            "repeated": 0,
            "id": 4878
          },
          {
            "timestamp": "2026-05-28 22:02:14,869",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000061c"
              },
              {
                "name": "ValueName",
                "value": "TrustLevel"
              },
              {
                "name": "Data",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.TileView\\TrustLevel"
              }
            ],
            "repeated": 0,
            "id": 4879
          },
          {
            "timestamp": "2026-05-28 22:02:14,869",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x0000061c"
              },
              {
                "name": "SubKey",
                "value": "CustomAttributes"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.TileView\\CustomAttributes"
              }
            ],
            "repeated": 0,
            "id": 4880
          },
          {
            "timestamp": "2026-05-28 22:02:14,869",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000061c"
              },
              {
                "name": "ValueName",
                "value": "RemoteServer"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.TileView\\RemoteServer"
              }
            ],
            "repeated": 0,
            "id": 4881
          },
          {
            "timestamp": "2026-05-28 22:02:14,869",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000061c"
              },
              {
                "name": "ValueName",
                "value": "ActivateAsUser"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.TileView\\ActivateAsUser"
              }
            ],
            "repeated": 0,
            "id": 4882
          },
          {
            "timestamp": "2026-05-28 22:02:14,869",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000061c"
              },
              {
                "name": "ValueName",
                "value": "ActivateInSharedBroker"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.TileView\\ActivateInSharedBroker"
              }
            ],
            "repeated": 0,
            "id": 4883
          },
          {
            "timestamp": "2026-05-28 22:02:14,869",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000061c"
              },
              {
                "name": "ValueName",
                "value": "ActivateInBrokerForMediumILContainer"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.TileView\\ActivateInBrokerForMediumILContainer"
              }
            ],
            "repeated": 0,
            "id": 4884
          },
          {
            "timestamp": "2026-05-28 22:02:14,869",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000061c"
              },
              {
                "name": "ValueName",
                "value": "Permissions"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.TileView\\Permissions"
              }
            ],
            "repeated": 0,
            "id": 4885
          },
          {
            "timestamp": "2026-05-28 22:02:14,869",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000061c"
              },
              {
                "name": "ValueName",
                "value": "ActivateOnHostFlags"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.TileView\\ActivateOnHostFlags"
              }
            ],
            "repeated": 0,
            "id": 4886
          },
          {
            "timestamp": "2026-05-28 22:02:14,869",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000061c"
              }
            ],
            "repeated": 0,
            "id": 4887
          },
          {
            "timestamp": "2026-05-28 22:02:14,869",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 4888
          },
          {
            "timestamp": "2026-05-28 22:02:14,869",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005c8"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 4889
          },
          {
            "timestamp": "2026-05-28 22:02:14,869",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "00000339-0000-0000-C000-000000000046"
              },
              {
                "name": "ClsContext",
                "value": "0x00000403",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER|CLSCTX_NO_CODE_DOWNLOAD"
              },
              {
                "name": "riid",
                "value": "00000003-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 4890
          },
          {
            "timestamp": "2026-05-28 22:02:14,869",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x000003c6"
              },
              {
                "name": "SubKey",
                "value": "Interface\\{6D3BC882-23A4-4706-B8FA-FC7DE2FC325D}"
              },
              {
                "name": "Handle",
                "value": "0x0000061e"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\Interface\\{6D3BC882-23A4-4706-B8FA-FC7DE2FC325D}"
              }
            ],
            "repeated": 0,
            "id": 4891
          },
          {
            "timestamp": "2026-05-28 22:02:14,869",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x0000061e"
              },
              {
                "name": "SubKey",
                "value": "ProxyStubClsid32"
              },
              {
                "name": "Handle",
                "value": "0x00000622"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{6d3bc882-23a4-4706-b8fa-fc7de2fc325d}\\ProxyStubClsid32"
              }
            ],
            "repeated": 0,
            "id": 4892
          },
          {
            "timestamp": "2026-05-28 22:02:14,869",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000622"
              },
              {
                "name": "ValueName",
                "value": ""
              },
              {
                "name": "Data",
                "value": "{c53e07ec-25f3-4093-aa39-fc67ea22e99d}"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{6d3bc882-23a4-4706-b8fa-fc7de2fc325d}\\ProxyStubClsid32\\(Default)"
              }
            ],
            "repeated": 0,
            "id": 4893
          },
          {
            "timestamp": "2026-05-28 22:02:14,869",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000622"
              }
            ],
            "repeated": 0,
            "id": 4894
          },
          {
            "timestamp": "2026-05-28 22:02:14,869",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000061e"
              }
            ],
            "repeated": 0,
            "id": 4895
          },
          {
            "timestamp": "2026-05-28 22:02:14,869",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 4896
          },
          {
            "timestamp": "2026-05-28 22:02:14,869",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000037c"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 4897
          },
          {
            "timestamp": "2026-05-28 22:02:14,869",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtAllocateVirtualMemoryEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2a3654ca000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 4898
          },
          {
            "timestamp": "2026-05-28 22:02:14,869",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\PinnableSurfaces"
              },
              {
                "name": "Handle",
                "value": "0x0000061c"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\PinnableSurfaces"
              }
            ],
            "repeated": 0,
            "id": 4899
          },
          {
            "timestamp": "2026-05-28 22:02:14,869",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000061c"
              },
              {
                "name": "ValueName",
                "value": "DefaultStart"
              },
              {
                "name": "Data",
                "value": "Windows.Internal.ApplicationModel.StartPinnableSurface"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\PinnableSurfaces\\DefaultStart"
              }
            ],
            "repeated": 0,
            "id": 4900
          },
          {
            "timestamp": "2026-05-28 22:02:14,869",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000061c"
              }
            ],
            "repeated": 0,
            "id": 4901
          },
          {
            "timestamp": "2026-05-28 22:02:14,869",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtOpenSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x0000061c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000004"
              },
              {
                "name": "ObjectAttributes",
                "value": "ApplicationService:29e01dceeeda2acba75"
              }
            ],
            "repeated": 0,
            "id": 4902
          },
          {
            "timestamp": "2026-05-28 22:02:14,869",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x0000061c"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2a36af80000"
              },
              {
                "name": "SectionOffset",
                "value": "0xb8f792cd10"
              },
              {
                "name": "ViewSize",
                "value": "0x00010000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 4903
          },
          {
            "timestamp": "2026-05-28 22:02:14,869",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtAllocateVirtualMemoryEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2a367f00000"
              },
              {
                "name": "RegionSize",
                "value": "0x00002000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 4904
          },
          {
            "timestamp": "2026-05-28 22:02:14,869",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtAllocateVirtualMemoryEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2a367f02000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 4905
          },
          {
            "timestamp": "2026-05-28 22:02:14,869",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtAllocateVirtualMemoryEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2a367f03000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 4906
          },
          {
            "timestamp": "2026-05-28 22:02:14,869",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtUnmapViewOfSectionEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2a36af80000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              },
              {
                "name": "Flags",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 4907
          },
          {
            "timestamp": "2026-05-28 22:02:14,869",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000061c"
              }
            ],
            "repeated": 0,
            "id": 4908
          },
          {
            "timestamp": "2026-05-28 22:02:14,869",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2a367f02000"
              },
              {
                "name": "RegionSize",
                "value": "0x00011000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 4909
          },
          {
            "timestamp": "2026-05-28 22:02:14,869",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "synchronization",
            "api": "NtCreateMutant",
            "status": true,
            "return": "0x40000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000061c"
              },
              {
                "name": "MutexName",
                "value": "Local\\SM0:10720:120:WilError_03"
              },
              {
                "name": "InitialOwner",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 4910
          },
          {
            "timestamp": "2026-05-28 22:02:14,869",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000061c"
              },
              {
                "name": "Milliseconds",
                "value": "18446744073709551615"
              },
              {
                "name": "Status",
                "value": "Infinite"
              }
            ],
            "repeated": 0,
            "id": 4911
          },
          {
            "timestamp": "2026-05-28 22:02:14,869",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 4912
          },
          {
            "timestamp": "2026-05-28 22:02:14,869",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000620"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 4913
          },
          {
            "timestamp": "2026-05-28 22:02:14,869",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 4914
          },
          {
            "timestamp": "2026-05-28 22:02:14,869",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000624"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 4915
          },
          {
            "timestamp": "2026-05-28 22:02:14,869",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000624"
              }
            ],
            "repeated": 0,
            "id": 4916
          },
          {
            "timestamp": "2026-05-28 22:02:14,869",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000620"
              }
            ],
            "repeated": 0,
            "id": 4917
          },
          {
            "timestamp": "2026-05-28 22:02:14,869",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "synchronization",
            "api": "NtReleaseMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000061c"
              }
            ],
            "repeated": 0,
            "id": 4918
          },
          {
            "timestamp": "2026-05-28 22:02:14,869",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000061c"
              }
            ],
            "repeated": 0,
            "id": 4919
          },
          {
            "timestamp": "2026-05-28 22:02:14,869",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000061c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020119",
                "pretty_value": "KEY_QUERY_VALUE|KEY_ENUMERATE_SUB_KEYS|KEY_NOTIFY|KEY_WOW64_64KEY|STANDARD_RIGHTS_REQUIRED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000378"
              },
              {
                "name": "ObjectAttributesName",
                "value": "Windows.Internal.ApplicationModel.StartPinnableSurface"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.ApplicationModel.StartPinnableSurface"
              }
            ],
            "repeated": 0,
            "id": 4920
          },
          {
            "timestamp": "2026-05-28 22:02:14,869",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000061c"
              },
              {
                "name": "KeyInformation",
                "value": "\\xff97\\xfffc\\xffe7\\xffe6\\xfff8\\xffee\\xffdc\\x01\\x00\\x00\\x00\\x00l\\x00\\x00\\x00W\\x00i\\x00n\\x00d\\x00o\\x00w\\x00s\\x00.\\x00I\\x00n\\x00t\\x00e\\x00r\\x00n\\x00a\\x00l\\x00.\\x00A\\x00p\\x00p\\x00l\\x00i\\x00c\\x00a\\x00t\\x00i\\x00o\\x00n\\x00M\\x00o\\x00d\\x00e\\x00l\\x00.\\x00S\\x00t\\x00a\\x00r\\x00t\\x00P\\x00i\\x00n\\x00n\\x00a\\x00b\\x00l\\x00e\\x00S\\x00u\\x00r\\x00f\\x00a\\x00c\\x00e\\x00\\x00\\x00\\x00\\x00\\xffb0E\\xffe7w\\xfffc\\x7f\\x00\\x00x\\xffc9He\\xffa3\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xffc0\\xffc5\\xff92\\xfff7\\xffb8\\x00\\x00\\x00\\xff8c\\xffc2\\xffffw\\xfffc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\xffa3\\x02\\x00\\x00P\\xff92Ke\\xffa3\\x02\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xffa3\\x02\\x00\\x00>\\xffbb>$\\xffbd\\xffaa\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00P\\xffa3Le\\xffa3\\x02\\x00\\x00x\\xffc9He\\xffa3\\x02\\x00\\x00P\\xffc9He\\xffa3\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xff87\\xff9d\\xffbbw\\xfffc\\x7f\\x00\\x00P\\xff92Ke\\xffa3\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00P\\xffc9He\\xffa3\\x02\\x00\\x00P\\xff92Ke\\xffa3\\x02\\x00\\x00P\\xffa3Le\\xffa3\\x02\\x00\\x00\\xffa0\\xffeaKe\\xffa3\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xfff6s\\xffbbw\\xfffc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x07\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xff80\\x00\\x00\\x00\\x00\\x00\\x00\\x00P\\xffa3Le\\xffa3\\x02\\x00\\x00p=Le\\xffa3\\x02\\x00\\x00p=Le\\xffa3\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00P\\xff92Ke\\xffa3\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00p=Le\\xffa3\\x02\\x00\\x00\\xff8c\\xffc2\\xf
fffw\\xfffc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\xffa3\\x02\\x00\\x00P\\xff92Ke\\xffa3\\x02\\x00\\x00\\xffa0\\xffeaKe\\xffa3\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xffc0\\xffc6\\xff92\\xfff7\\xffb8\\x00\\x00\\x003\\x00\\x00\\x00\\x00\\x00\\x00\\x00`:Le\\xffa3\\x02\\x00\\x00P\\xffc9He\\xffa3\\x02\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 4921
          },
          {
            "timestamp": "2026-05-28 22:02:14,869",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000061c"
              },
              {
                "name": "ValueName",
                "value": "ActivationType"
              },
              {
                "name": "Data",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.ApplicationModel.StartPinnableSurface\\ActivationType"
              }
            ],
            "repeated": 0,
            "id": 4922
          },
          {
            "timestamp": "2026-05-28 22:02:14,869",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000061c"
              },
              {
                "name": "ValueName",
                "value": "Server"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.ApplicationModel.StartPinnableSurface\\Server"
              }
            ],
            "repeated": 0,
            "id": 4923
          },
          {
            "timestamp": "2026-05-28 22:02:14,869",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000061c"
              },
              {
                "name": "ValueName",
                "value": "DllPath"
              },
              {
                "name": "Data",
                "value": "C:\\Windows\\System32\\StartTileData.dll"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.ApplicationModel.StartPinnableSurface\\DllPath"
              }
            ],
            "repeated": 0,
            "id": 4924
          },
          {
            "timestamp": "2026-05-28 22:02:14,869",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000061c"
              },
              {
                "name": "ValueName",
                "value": "Threading"
              },
              {
                "name": "Data",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.ApplicationModel.StartPinnableSurface\\Threading"
              }
            ],
            "repeated": 0,
            "id": 4925
          },
          {
            "timestamp": "2026-05-28 22:02:14,869",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000061c"
              },
              {
                "name": "ValueName",
                "value": "TrustLevel"
              },
              {
                "name": "Data",
                "value": "1"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.ApplicationModel.StartPinnableSurface\\TrustLevel"
              }
            ],
            "repeated": 0,
            "id": 4926
          },
          {
            "timestamp": "2026-05-28 22:02:14,869",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x0000061c"
              },
              {
                "name": "SubKey",
                "value": "CustomAttributes"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.ApplicationModel.StartPinnableSurface\\CustomAttributes"
              }
            ],
            "repeated": 0,
            "id": 4927
          },
          {
            "timestamp": "2026-05-28 22:02:14,869",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000061c"
              },
              {
                "name": "ValueName",
                "value": "RemoteServer"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.ApplicationModel.StartPinnableSurface\\RemoteServer"
              }
            ],
            "repeated": 0,
            "id": 4928
          },
          {
            "timestamp": "2026-05-28 22:02:14,885",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000061c"
              },
              {
                "name": "ValueName",
                "value": "ActivateAsUser"
              },
              {
                "name": "Data",
                "value": "1"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.ApplicationModel.StartPinnableSurface\\ActivateAsUser"
              }
            ],
            "repeated": 0,
            "id": 4929
          },
          {
            "timestamp": "2026-05-28 22:02:14,885",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000061c"
              },
              {
                "name": "ValueName",
                "value": "ActivateInSharedBroker"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.ApplicationModel.StartPinnableSurface\\ActivateInSharedBroker"
              }
            ],
            "repeated": 0,
            "id": 4930
          },
          {
            "timestamp": "2026-05-28 22:02:14,885",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000061c"
              },
              {
                "name": "ValueName",
                "value": "ActivateInBrokerForMediumILContainer"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.ApplicationModel.StartPinnableSurface\\ActivateInBrokerForMediumILContainer"
              }
            ],
            "repeated": 0,
            "id": 4931
          },
          {
            "timestamp": "2026-05-28 22:02:14,885",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000061c"
              },
              {
                "name": "ValueName",
                "value": "Permissions"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.ApplicationModel.StartPinnableSurface\\Permissions"
              }
            ],
            "repeated": 0,
            "id": 4932
          },
          {
            "timestamp": "2026-05-28 22:02:14,885",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000061c"
              },
              {
                "name": "ValueName",
                "value": "ActivateOnHostFlags"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.ApplicationModel.StartPinnableSurface\\ActivateOnHostFlags"
              }
            ],
            "repeated": 0,
            "id": 4933
          },
          {
            "timestamp": "2026-05-28 22:02:14,885",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000061c"
              }
            ],
            "repeated": 0,
            "id": 4934
          },
          {
            "timestamp": "2026-05-28 22:02:14,885",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\System32\\USERENV"
              },
              {
                "name": "DllBase",
                "value": "0x7ffc75560000"
              }
            ],
            "repeated": 0,
            "id": 4935
          },
          {
            "timestamp": "2026-05-28 22:02:14,885",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\System32\\Bcp47Langs"
              },
              {
                "name": "DllBase",
                "value": "0x7ffc6a640000"
              }
            ],
            "repeated": 0,
            "id": 4936
          },
          {
            "timestamp": "2026-05-28 22:02:14,885",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\System32\\StartTileData"
              },
              {
                "name": "DllBase",
                "value": "0x7ffc5fb10000"
              }
            ],
            "repeated": 0,
            "id": 4937
          },
          {
            "timestamp": "2026-05-28 22:02:14,885",
            "thread_id": "11032",
            "caller": "0x7ffc756e5810",
            "parentcaller": "0x7ffc1fa0f3bb",
            "category": "filesystem",
            "api": "NtReadFile",
            "status": true,
            "return": "0x00000103",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00001774"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\NamedPipe\\LOCAL\\mojo.9188.10632.18297276111718467407"
              },
              {
                "name": "Buffer",
                "value": "\\x10\\x00\\x00\\x00p\\x00\\x00\\x00\\xb0F\\x0e\\x05\\x00\\x00\\x00\\x00\\x18\\x00\\x14\\x00\\x00\\x00\\x00\\x00\"\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00H\\x00\\x00\\x00\\x00\\x00\\x00\\x00+\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00~\\x01\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "Length",
                "value": "112"
              }
            ],
            "repeated": 0,
            "id": 4938
          },
          {
            "timestamp": "2026-05-28 22:02:14,885",
            "thread_id": "11032",
            "caller": "0x7ffc75704448",
            "parentcaller": "0x7ffc1ec3f766",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x3edc00041000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 4939
          },
          {
            "timestamp": "2026-05-28 22:02:14,885",
            "thread_id": "11032",
            "caller": "0x7ffc756e5810",
            "parentcaller": "0x7ffc1fa0f3bb",
            "category": "filesystem",
            "api": "NtReadFile",
            "status": true,
            "return": "0x00000103",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00001774"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\NamedPipe\\LOCAL\\mojo.9188.10632.18297276111718467407"
              },
              {
                "name": "Buffer",
                "value": "\\x10\\x00\\x00\\x00\\x18\\x01\\x00\\x00=\\x8c\\x17\\x05\\x00\\x00\\x00\\x00\\x18\\x00\\x14\\x00\\x00\\x00\\x00\\x00#\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00H\\x00\\x00\\x00\\x00\\x00\\x00\\x000\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00`\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xa8\\x00\\x00\\x00\\xa0\\x00\\x00\\x008\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x17\\xdfy\\x1d\\x01\\x00\\x00\\x00C\\x16\\xcbF\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x18\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x18\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00@\\x00\\x00\\x00\\x1c\\x00\\x00\\x00 \\x00-\\x00-\\x00p\\x00r\\x00o\\x00f\\x00i\\x00l\\x00e\\x00-\\x00d\\x00i\\x00r\\x00e\\x00c\\x00"
              },
              {
                "name": "Length",
                "value": "280"
              }
            ],
            "repeated": 0,
            "id": 4940
          },
          {
            "timestamp": "2026-05-28 22:02:14,885",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\StartTileData.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc5fb10000"
              }
            ],
            "repeated": 0,
            "id": 4941
          },
          {
            "timestamp": "2026-05-28 22:02:14,885",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x7ffc5fb10000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\System32\\StartTileData.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00002008"
              }
            ],
            "repeated": 0,
            "id": 4942
          },
          {
            "timestamp": "2026-05-28 22:02:14,885",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "StartTileData.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc5fb10000"
              },
              {
                "name": "FunctionName",
                "value": "DllGetClassObject"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc5fbe7f30"
              }
            ],
            "repeated": 0,
            "id": 4943
          },
          {
            "timestamp": "2026-05-28 22:02:14,885",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "StartTileData.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc5fb10000"
              },
              {
                "name": "FunctionName",
                "value": "DllGetActivationFactory"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc5fbc2270"
              }
            ],
            "repeated": 0,
            "id": 4944
          },
          {
            "timestamp": "2026-05-28 22:02:14,885",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "StartTileData.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc5fb10000"
              },
              {
                "name": "FunctionName",
                "value": "DllCanUnloadNow"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc5fbda890"
              }
            ],
            "repeated": 0,
            "id": 4945
          },
          {
            "timestamp": "2026-05-28 22:02:14,885",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0000000a"
              },
              {
                "name": "TokenHandle",
                "value": "0x00000624"
              }
            ],
            "repeated": 0,
            "id": 4946
          },
          {
            "timestamp": "2026-05-28 22:02:14,885",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000624"
              }
            ],
            "repeated": 0,
            "id": 4947
          },
          {
            "timestamp": "2026-05-28 22:02:14,885",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000624"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80000000",
                "pretty_value": "0x80000000"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Microsoft\\SecurityManager\\AdminCapabilities"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\SecurityManager\\AdminCapabilities"
              }
            ],
            "repeated": 0,
            "id": 4948
          },
          {
            "timestamp": "2026-05-28 22:02:14,885",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000624"
              },
              {
                "name": "ValueName",
                "value": "shellExperience"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SecurityManager\\AdminCapabilities\\shellExperience"
              }
            ],
            "repeated": 0,
            "id": 4949
          },
          {
            "timestamp": "2026-05-28 22:02:14,885",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xc0\\xca\\x92\\xf7\\xb8\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xfc\\x7f\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\xe9\\x03\\x00\\x00 \\x02\\x00\\x00\\xd0\\x81<%\\x1e2\\x005\\xb7x)\\x13I=\\x97*\\xee\\xce'\\xd6\\x97\\xec#0mJQa\\x00\\x00\\x18\\x00\\x01\\x00\\x00\\x00\\x01\\x02\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 4950
          },
          {
            "timestamp": "2026-05-28 22:02:14,885",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000624"
              }
            ],
            "repeated": 0,
            "id": 4951
          },
          {
            "timestamp": "2026-05-28 22:02:14,885",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000628"
              }
            ],
            "repeated": 0,
            "id": 4952
          },
          {
            "timestamp": "2026-05-28 22:02:14,885",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc77fd0000"
              }
            ],
            "repeated": 0,
            "id": 4953
          },
          {
            "timestamp": "2026-05-28 22:02:14,885",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc77fd0000"
              },
              {
                "name": "FunctionName",
                "value": "RtlRegisterFeatureConfigurationChangeNotification"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc77fd93b0"
              }
            ],
            "repeated": 0,
            "id": 4954
          },
          {
            "timestamp": "2026-05-28 22:02:14,885",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc77fd0000"
              },
              {
                "name": "FunctionName",
                "value": "NtQueryWnfStateData"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc7806fc40"
              }
            ],
            "repeated": 0,
            "id": 4955
          },
          {
            "timestamp": "2026-05-28 22:02:14,885",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc77fd0000"
              },
              {
                "name": "FunctionName",
                "value": "RtlSubscribeWnfStateChangeNotification"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc78012460"
              }
            ],
            "repeated": 0,
            "id": 4956
          },
          {
            "timestamp": "2026-05-28 22:02:14,885",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc77fd0000"
              },
              {
                "name": "FunctionName",
                "value": "RtlDisownModuleHeapAllocation"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc7804fa30"
              }
            ],
            "repeated": 0,
            "id": 4957
          },
          {
            "timestamp": "2026-05-28 22:02:14,885",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc77fd0000"
              },
              {
                "name": "FunctionName",
                "value": "RtlQueryFeatureConfiguration"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc7802cbd0"
              }
            ],
            "repeated": 0,
            "id": 4958
          },
          {
            "timestamp": "2026-05-28 22:02:14,885",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc77fd0000"
              },
              {
                "name": "FunctionName",
                "value": "RtlDllShutdownInProgress"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc78033410"
              }
            ],
            "repeated": 0,
            "id": 4959
          },
          {
            "timestamp": "2026-05-28 22:02:14,885",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "synchronization",
            "api": "NtCreateMutant",
            "status": true,
            "return": "0x40000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000628"
              },
              {
                "name": "MutexName",
                "value": "Local\\SM0:10720:304:WilStaging_02"
              },
              {
                "name": "InitialOwner",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 4960
          },
          {
            "timestamp": "2026-05-28 22:02:14,885",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000628"
              },
              {
                "name": "Milliseconds",
                "value": "18446744073709551615"
              },
              {
                "name": "Status",
                "value": "Infinite"
              }
            ],
            "repeated": 0,
            "id": 4961
          },
          {
            "timestamp": "2026-05-28 22:02:14,900",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 4962
          },
          {
            "timestamp": "2026-05-28 22:02:14,900",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000062c"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 4963
          },
          {
            "timestamp": "2026-05-28 22:02:14,900",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 4964
          },
          {
            "timestamp": "2026-05-28 22:02:14,900",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000610"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 4965
          },
          {
            "timestamp": "2026-05-28 22:02:14,900",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000610"
              }
            ],
            "repeated": 0,
            "id": 4966
          },
          {
            "timestamp": "2026-05-28 22:02:14,900",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000062c"
              }
            ],
            "repeated": 0,
            "id": 4967
          },
          {
            "timestamp": "2026-05-28 22:02:14,900",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "synchronization",
            "api": "NtReleaseMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000628"
              }
            ],
            "repeated": 0,
            "id": 4968
          },
          {
            "timestamp": "2026-05-28 22:02:14,900",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000628"
              }
            ],
            "repeated": 0,
            "id": 4969
          },
          {
            "timestamp": "2026-05-28 22:02:14,900",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "filesystem",
            "api": "NtWriteFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00001774"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\NamedPipe\\LOCAL\\mojo.9188.10632.18297276111718467407"
              },
              {
                "name": "Buffer",
                "value": "\\x10\\x00\\x00\\x00p\\x00\\x00\\x00\\xf0\\x9b\\x17\\x05\\x00\\x00\\x00\\x00\\x18\\x00\\x14\\x00\\x00\\x00\\x00\\x00 \\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00H\\x00\\x00\\x00\\x00\\x00\\x00\\x00/\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00|\\x01\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "Length",
                "value": "112"
              }
            ],
            "repeated": 0,
            "id": 4970
          },
          {
            "timestamp": "2026-05-28 22:02:14,900",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 4971
          },
          {
            "timestamp": "2026-05-28 22:02:14,900",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005c8"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 4972
          },
          {
            "timestamp": "2026-05-28 22:02:14,900",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 4973
          },
          {
            "timestamp": "2026-05-28 22:02:14,900",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005c8"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 4974
          },
          {
            "timestamp": "2026-05-28 22:02:14,900",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 4975
          },
          {
            "timestamp": "2026-05-28 22:02:14,900",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005c8"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 4976
          },
          {
            "timestamp": "2026-05-28 22:02:14,900",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 4977
          },
          {
            "timestamp": "2026-05-28 22:02:14,900",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005c8"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 4978
          },
          {
            "timestamp": "2026-05-28 22:02:14,900",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000618"
              }
            ],
            "repeated": 0,
            "id": 4979
          },
          {
            "timestamp": "2026-05-28 22:02:14,900",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "filesystem",
            "api": "NtWriteFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00001774"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\NamedPipe\\LOCAL\\mojo.9188.10632.18297276111718467407"
              },
              {
                "name": "Buffer",
                "value": "\\x10\\x00\\x00\\x00p\\x00\\x00\\x00Q\\xa3\\x17\\x05\\x00\\x00\\x00\\x00\\x18\\x00\\x14\\x00\\x00\\x00\\x00\\x00!\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00H\\x00\\x00\\x00\\x00\\x00\\x00\\x00+\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00|\\x01\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "Length",
                "value": "112"
              }
            ],
            "repeated": 0,
            "id": 4980
          },
          {
            "timestamp": "2026-05-28 22:02:14,900",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "api-ms-win-downlevel-shell32-l1-1-0.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc775b0000"
              }
            ],
            "repeated": 0,
            "id": 4981
          },
          {
            "timestamp": "2026-05-28 22:02:14,900",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x7ffc775b0000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "api-ms-win-downlevel-shell32-l1-1-0.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00000800"
              }
            ],
            "repeated": 0,
            "id": 4982
          },
          {
            "timestamp": "2026-05-28 22:02:14,900",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "shcore.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc775b0000"
              },
              {
                "name": "FunctionName",
                "value": "CommandLineToArgvW"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc775ceb30"
              }
            ],
            "repeated": 0,
            "id": 4983
          },
          {
            "timestamp": "2026-05-28 22:02:14,900",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "misc",
            "api": "CommandLineToArgvW",
            "status": true,
            "return": "0x2a3654db290",
            "arguments": [
              {
                "name": "CommandLine",
                "value": "prog  --profile-directory=Default"
              },
              {
                "name": "NumArgs",
                "value": "2"
              }
            ],
            "repeated": 0,
            "id": 4984
          },
          {
            "timestamp": "2026-05-28 22:02:14,900",
            "thread_id": "11132",
            "caller": "0x7ffc756e6785",
            "parentcaller": "0x7ffc77c12ec5",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000060c"
              }
            ],
            "repeated": 0,
            "id": 4985
          },
          {
            "timestamp": "2026-05-28 22:02:14,900",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "39"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 4986
          },
          {
            "timestamp": "2026-05-28 22:02:14,900",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtAllocateVirtualMemoryEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2a3654df000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 4987
          },
          {
            "timestamp": "2026-05-28 22:02:14,900",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtAllocateVirtualMemoryEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2a3654e0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00002000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 4988
          },
          {
            "timestamp": "2026-05-28 22:02:14,900",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "39"
              },
              {
                "name": "TokenInformation",
                "value": "\\x01\\x00\\x00\\x00\\x04\\x00\\x00\\x00P\\xf0Me\\xa3\\x02\\x00\\x00\\x1c\\x00\\x1c\\x00\\x00\\x00\\x00\\x00\\xf0\\xf0Me\\xa3\\x02\\x00\\x00\\x03\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\xf1Me\\xa3\\x02\\x00\\x00\\x12\\x00\\x12\\x00\\x00\\x00\\x00\\x00$\\xf2Me\\xa3\\x02\\x00\\x00\\x02\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x008\\xf2Me\\xa3\\x02\\x00\\x00\\x1e\\x00\\x1e\\x00\\x00\\x00\\x00\\x00@\\xf2Me\\xa3\\x02\\x00\\x00\\x02\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00`\\xf2Me\\xa3\\x02\\x00\\x00 \\x00 \\x00\\x00\\x00\\x00\\x00h\\xf2Me\\xa3\\x02\\x00\\x00\\x02\\x00\\x00\\x00A\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x88\\xf2Me\\xa3\\x02\\x00\\x00W\\x00I\\x00N\\x00:\\x00/\\x00/\\x00S\\x00Y\\x00S\\x00A\\x00P\\x00P\\x00I\\x00D\\x00\\x00\\x00\\x00\\x00\\x86\\x00\\x86\\x00\\x00\\x00\\x00\\x00@\\xf1Me\\xa3\\x02\\x00\\x00\\x06\\x00\\x06\\x00\\x00\\x00\\x00\\x00\\xc6\\xf1Me\\xa3\\x02\\x00\\x00X\\x00X\\x00\\x00\\x00\\x00\\x00\\xcc\\xf1Me\\xa3\\x02\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 4989
          },
          {
            "timestamp": "2026-05-28 22:02:14,900",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "39"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 4990
          },
          {
            "timestamp": "2026-05-28 22:02:14,900",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "39"
              },
              {
                "name": "TokenInformation",
                "value": "\\x01\\x00\\x00\\x00\\x04\\x00\\x00\\x00P\\xf0Me\\xa3\\x02\\x00\\x00\\x1c\\x00\\x1c\\x00\\x00\\x00\\x00\\x00\\xf0\\xf0Me\\xa3\\x02\\x00\\x00\\x03\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\xf1Me\\xa3\\x02\\x00\\x00\\x12\\x00\\x12\\x00\\x00\\x00\\x00\\x00$\\xf2Me\\xa3\\x02\\x00\\x00\\x02\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x008\\xf2Me\\xa3\\x02\\x00\\x00\\x1e\\x00\\x1e\\x00\\x00\\x00\\x00\\x00@\\xf2Me\\xa3\\x02\\x00\\x00\\x02\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00`\\xf2Me\\xa3\\x02\\x00\\x00 \\x00 \\x00\\x00\\x00\\x00\\x00h\\xf2Me\\xa3\\x02\\x00\\x00\\x02\\x00\\x00\\x00A\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x88\\xf2Me\\xa3\\x02\\x00\\x00W\\x00I\\x00N\\x00:\\x00/\\x00/\\x00S\\x00Y\\x00S\\x00A\\x00P\\x00P\\x00I\\x00D\\x00\\x00\\x00\\x00\\x00\\x86\\x00\\x86\\x00\\x00\\x00\\x00\\x00@\\xf1Me\\xa3\\x02\\x00\\x00\\x06\\x00\\x06\\x00\\x00\\x00\\x00\\x00\\xc6\\xf1Me\\xa3\\x02\\x00\\x00X\\x00X\\x00\\x00\\x00\\x00\\x00\\xcc\\xf1Me\\xa3\\x02\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 4991
          },
          {
            "timestamp": "2026-05-28 22:02:14,900",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "39"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 4992
          },
          {
            "timestamp": "2026-05-28 22:02:14,900",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "39"
              },
              {
                "name": "TokenInformation",
                "value": "\\x01\\x00\\x00\\x00\\x04\\x00\\x00\\x00P\\xf0Me\\xa3\\x02\\x00\\x00\\x1c\\x00\\x1c\\x00\\x00\\x00\\x00\\x00\\xf0\\xf0Me\\xa3\\x02\\x00\\x00\\x03\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\xf1Me\\xa3\\x02\\x00\\x00\\x12\\x00\\x12\\x00\\x00\\x00\\x00\\x00$\\xf2Me\\xa3\\x02\\x00\\x00\\x02\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x008\\xf2Me\\xa3\\x02\\x00\\x00\\x1e\\x00\\x1e\\x00\\x00\\x00\\x00\\x00@\\xf2Me\\xa3\\x02\\x00\\x00\\x02\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00`\\xf2Me\\xa3\\x02\\x00\\x00 \\x00 \\x00\\x00\\x00\\x00\\x00h\\xf2Me\\xa3\\x02\\x00\\x00\\x02\\x00\\x00\\x00A\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x88\\xf2Me\\xa3\\x02\\x00\\x00W\\x00I\\x00N\\x00:\\x00/\\x00/\\x00S\\x00Y\\x00S\\x00A\\x00P\\x00P\\x00I\\x00D\\x00\\x00\\x00\\x00\\x00\\x86\\x00\\x86\\x00\\x00\\x00\\x00\\x00@\\xf1Me\\xa3\\x02\\x00\\x00\\x06\\x00\\x06\\x00\\x00\\x00\\x00\\x00\\xc6\\xf1Me\\xa3\\x02\\x00\\x00X\\x00X\\x00\\x00\\x00\\x00\\x00\\xcc\\xf1Me\\xa3\\x02\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 4993
          },
          {
            "timestamp": "2026-05-28 22:02:14,900",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "0",
                "pretty_value": "ThreadBasicInformation"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x03\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00`\\xbe\\xf7\\xb8\\x00\\x00\\x00\\xe0)\\x00\\x00\\x00\\x00\\x00\\x00\\xe4)\\x00\\x00\\x00\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\t\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "10724"
              }
            ],
            "repeated": 0,
            "id": 4994
          },
          {
            "timestamp": "2026-05-28 22:02:14,900",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "filesystem",
            "api": "NtWriteFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00001774"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\NamedPipe\\LOCAL\\mojo.9188.10632.18297276111718467407"
              },
              {
                "name": "Buffer",
                "value": "\\x10\\x00\\x00\\x00p\\x00\\x00\\x00o\\xa7\\x17\\x05\\x00\\x00\\x00\\x00\\x18\\x00\\x14\\x00\\x00\\x00\\x00\\x00\"\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00H\\x00\\x00\\x00\\x00\\x00\\x00\\x00/\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00|\\x01\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "Length",
                "value": "112"
              }
            ],
            "repeated": 0,
            "id": 4995
          },
          {
            "timestamp": "2026-05-28 22:02:14,900",
            "thread_id": "11156",
            "caller": "0x7ffc7571ebae",
            "parentcaller": "0x7ffc775f84de",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "0",
                "pretty_value": "ThreadBasicInformation"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x03\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xa1\\xf7\\xb8\\x00\\x00\\x00\\xe0)\\x00\\x00\\x00\\x00\\x00\\x00\\x94+\\x00\\x00\\x00\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\t\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "11156"
              }
            ],
            "repeated": 0,
            "id": 4996
          },
          {
            "timestamp": "2026-05-28 22:02:14,900",
            "thread_id": "11156",
            "caller": "0x7ffc7572026b",
            "parentcaller": "0x7ffc6128e80f",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x00000618"
              }
            ],
            "repeated": 0,
            "id": 4997
          },
          {
            "timestamp": "2026-05-28 22:02:14,900",
            "thread_id": "11156",
            "caller": "0x7ffc756e54eb",
            "parentcaller": "0x7ffc612866f7",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "29"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 4998
          },
          {
            "timestamp": "2026-05-28 22:02:14,900",
            "thread_id": "11132",
            "caller": "0x7ffc756e6785",
            "parentcaller": "0x7ffc77c12ec5",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000060c"
              }
            ],
            "repeated": 0,
            "id": 4999
          },
          {
            "timestamp": "2026-05-28 22:02:14,900",
            "thread_id": "11156",
            "caller": "0x7ffc77ff2caa",
            "parentcaller": "0x7ffc77ff2fbd",
            "category": "process",
            "api": "NtAllocateVirtualMemoryEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2a3654cf000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 5000
          },
          {
            "timestamp": "2026-05-28 22:02:14,900",
            "thread_id": "11156",
            "caller": "0x7ffc77be92b9",
            "parentcaller": "0x7ffc77c2224d",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "00000339-0000-0000-C000-000000000046"
              },
              {
                "name": "ClsContext",
                "value": "0x00000403",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER|CLSCTX_NO_CODE_DOWNLOAD"
              },
              {
                "name": "riid",
                "value": "00000003-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 5001
          },
          {
            "timestamp": "2026-05-28 22:02:14,900",
            "thread_id": "11132",
            "caller": "0x7ffc756e6785",
            "parentcaller": "0x7ffc77c12ec5",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000060c"
              }
            ],
            "repeated": 0,
            "id": 5002
          },
          {
            "timestamp": "2026-05-28 22:02:14,900",
            "thread_id": "11156",
            "caller": "0x7ffc77be92b9",
            "parentcaller": "0x7ffc77c21dfa",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "99B29D3B-368A-4BE6-B675-805A69114497"
              },
              {
                "name": "ClsContext",
                "value": "0x00000403",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER|CLSCTX_NO_CODE_DOWNLOAD"
              },
              {
                "name": "riid",
                "value": "00000003-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 5003
          },
          {
            "timestamp": "2026-05-28 22:02:14,900",
            "thread_id": "11132",
            "caller": "0x7ffc756e6785",
            "parentcaller": "0x7ffc77c12ec5",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000060c"
              }
            ],
            "repeated": 0,
            "id": 5004
          },
          {
            "timestamp": "2026-05-28 22:02:14,900",
            "thread_id": "11156",
            "caller": "0x7ffc756e6785",
            "parentcaller": "0x7ffc6126dc24",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000618"
              }
            ],
            "repeated": 0,
            "id": 5005
          },
          {
            "timestamp": "2026-05-28 22:02:14,900",
            "thread_id": "11132",
            "caller": "0x7ffc756e6785",
            "parentcaller": "0x7ffc77c12ec5",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000060c"
              }
            ],
            "repeated": 0,
            "id": 5006
          },
          {
            "timestamp": "2026-05-28 22:02:14,900",
            "thread_id": "11156",
            "caller": "0x7ffc77be92b9",
            "parentcaller": "0x7ffc77c2224d",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "00000339-0000-0000-C000-000000000046"
              },
              {
                "name": "ClsContext",
                "value": "0x00000403",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER|CLSCTX_NO_CODE_DOWNLOAD"
              },
              {
                "name": "riid",
                "value": "00000003-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 5007
          },
          {
            "timestamp": "2026-05-28 22:02:14,900",
            "thread_id": "11132",
            "caller": "0x7ffc756e6785",
            "parentcaller": "0x7ffc77c12ec5",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000060c"
              }
            ],
            "repeated": 3,
            "id": 5008
          },
          {
            "timestamp": "2026-05-28 22:02:14,900",
            "thread_id": "11132",
            "caller": "0x7ffc756e08ee",
            "parentcaller": "0x7ffc77c38bd7",
            "category": "process",
            "api": "NtOpenProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x0000060c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00001000",
                "pretty_value": "PROCESS_QUERY_LIMITED_INFORMATION"
              },
              {
                "name": "ProcessIdentifier",
                "value": "10720"
              }
            ],
            "repeated": 0,
            "id": 5009
          },
          {
            "timestamp": "2026-05-28 22:02:14,900",
            "thread_id": "11132",
            "caller": "0x7ffc7572026b",
            "parentcaller": "0x7ffc756ecbb0",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x0000060c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x00000618"
              }
            ],
            "repeated": 0,
            "id": 5010
          },
          {
            "timestamp": "2026-05-28 22:02:14,900",
            "thread_id": "11132",
            "caller": "0x7ffc756eaa1f",
            "parentcaller": "0x7ffc756ecb7c",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "39"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 5011
          },
          {
            "timestamp": "2026-05-28 22:02:14,900",
            "thread_id": "11132",
            "caller": "0x7ffc77ff2caa",
            "parentcaller": "0x7ffc77ff2fbd",
            "category": "process",
            "api": "NtAllocateVirtualMemoryEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2a3654e2000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 5012
          },
          {
            "timestamp": "2026-05-28 22:02:14,900",
            "thread_id": "11132",
            "caller": "0x7ffc756eaaa8",
            "parentcaller": "0x7ffc756ecb7c",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "39"
              },
              {
                "name": "TokenInformation",
                "value": "\\x01\\x00\\x00\\x00\\x04\\x00\\x00\\x00P\\x00Ne\\xa3\\x02\\x00\\x00\\x1c\\x00\\x1c\\x00\\x00\\x00\\x00\\x00\\xf0\\x00Ne\\xa3\\x02\\x00\\x00\\x03\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x01Ne\\xa3\\x02\\x00\\x00\\x12\\x00\\x12\\x00\\x00\\x00\\x00\\x00$\\x02Ne\\xa3\\x02\\x00\\x00\\x02\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x008\\x02Ne\\xa3\\x02\\x00\\x00\\x1e\\x00\\x1e\\x00\\x00\\x00\\x00\\x00@\\x02Ne\\xa3\\x02\\x00\\x00\\x02\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00`\\x02Ne\\xa3\\x02\\x00\\x00 \\x00 \\x00\\x00\\x00\\x00\\x00h\\x02Ne\\xa3\\x02\\x00\\x00\\x02\\x00\\x00\\x00A\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x88\\x02Ne\\xa3\\x02\\x00\\x00W\\x00I\\x00N\\x00:\\x00/\\x00/\\x00S\\x00Y\\x00S\\x00A\\x00P\\x00P\\x00I\\x00D\\x00\\x00\\x00\\x00\\x00\\x86\\x00\\x86\\x00\\x00\\x00\\x00\\x00@\\x01Ne\\xa3\\x02\\x00\\x00\\x06\\x00\\x06\\x00\\x00\\x00\\x00\\x00\\xc6\\x01Ne\\xa3\\x02\\x00\\x00X\\x00X\\x00\\x00\\x00\\x00\\x00\\xcc\\x01Ne\\xa3\\x02\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 5013
          },
          {
            "timestamp": "2026-05-28 22:02:14,900",
            "thread_id": "11132",
            "caller": "0x7ffc756e6785",
            "parentcaller": "0x7ffc756ecbbe",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000618"
              }
            ],
            "repeated": 0,
            "id": 5014
          },
          {
            "timestamp": "2026-05-28 22:02:14,900",
            "thread_id": "11132",
            "caller": "0x7ffc7572026b",
            "parentcaller": "0x7ffc756ecbb0",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0x0000060c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x00000618"
              }
            ],
            "repeated": 0,
            "id": 5015
          },
          {
            "timestamp": "2026-05-28 22:02:14,900",
            "thread_id": "11132",
            "caller": "0x7ffc756eaa1f",
            "parentcaller": "0x7ffc756ecb7c",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "39"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 5016
          },
          {
            "timestamp": "2026-05-28 22:02:14,900",
            "thread_id": "11132",
            "caller": "0x7ffc756eaaa8",
            "parentcaller": "0x7ffc756ecb7c",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "39"
              },
              {
                "name": "TokenInformation",
                "value": "\\x01\\x00\\x00\\x00\\x04\\x00\\x00\\x00P\\x00Ne\\xa3\\x02\\x00\\x00\\x1c\\x00\\x1c\\x00\\x00\\x00\\x00\\x00\\xf0\\x00Ne\\xa3\\x02\\x00\\x00\\x03\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x01Ne\\xa3\\x02\\x00\\x00\\x12\\x00\\x12\\x00\\x00\\x00\\x00\\x00$\\x02Ne\\xa3\\x02\\x00\\x00\\x02\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x008\\x02Ne\\xa3\\x02\\x00\\x00\\x1e\\x00\\x1e\\x00\\x00\\x00\\x00\\x00@\\x02Ne\\xa3\\x02\\x00\\x00\\x02\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00`\\x02Ne\\xa3\\x02\\x00\\x00 \\x00 \\x00\\x00\\x00\\x00\\x00h\\x02Ne\\xa3\\x02\\x00\\x00\\x02\\x00\\x00\\x00A\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x88\\x02Ne\\xa3\\x02\\x00\\x00W\\x00I\\x00N\\x00:\\x00/\\x00/\\x00S\\x00Y\\x00S\\x00A\\x00P\\x00P\\x00I\\x00D\\x00\\x00\\x00\\x00\\x00\\x86\\x00\\x86\\x00\\x00\\x00\\x00\\x00@\\x01Ne\\xa3\\x02\\x00\\x00\\x06\\x00\\x06\\x00\\x00\\x00\\x00\\x00\\xc6\\x01Ne\\xa3\\x02\\x00\\x00X\\x00X\\x00\\x00\\x00\\x00\\x00\\xcc\\x01Ne\\xa3\\x02\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 5017
          },
          {
            "timestamp": "2026-05-28 22:02:14,900",
            "thread_id": "11132",
            "caller": "0x7ffc756e6785",
            "parentcaller": "0x7ffc756ecbbe",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000618"
              }
            ],
            "repeated": 0,
            "id": 5018
          },
          {
            "timestamp": "2026-05-28 22:02:14,900",
            "thread_id": "11132",
            "caller": "0x7ffc756e6785",
            "parentcaller": "0x7ffc60e69183",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000060c"
              }
            ],
            "repeated": 0,
            "id": 5019
          },
          {
            "timestamp": "2026-05-28 22:02:14,900",
            "thread_id": "11132",
            "caller": "0x7ffc756d30ce",
            "parentcaller": "0x7ffc77c22cd1",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 5020
          },
          {
            "timestamp": "2026-05-28 22:02:14,900",
            "thread_id": "11132",
            "caller": "0x7ffc756d30ce",
            "parentcaller": "0x7ffc77c22cd1",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000037c"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 5021
          },
          {
            "timestamp": "2026-05-28 22:02:14,900",
            "thread_id": "11132",
            "caller": "0x7ffc756d30ce",
            "parentcaller": "0x7ffc77c22cd1",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 5022
          },
          {
            "timestamp": "2026-05-28 22:02:14,900",
            "thread_id": "11132",
            "caller": "0x7ffc756d30ce",
            "parentcaller": "0x7ffc77c22cd1",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000037c"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 5023
          },
          {
            "timestamp": "2026-05-28 22:02:14,900",
            "thread_id": "11132",
            "caller": "0x7ffc75716f4c",
            "parentcaller": "0x7ffc77b96d2f",
            "category": "system",
            "api": "NtDuplicateObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SourceProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "SourceHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "TargetProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "TargetHandle",
                "value": "0x0000060c"
              },
              {
                "name": "Options",
                "value": "0x00000002"
              }
            ],
            "repeated": 0,
            "id": 5024
          },
          {
            "timestamp": "2026-05-28 22:02:14,900",
            "thread_id": "11156",
            "caller": "0x7ffc756e54eb",
            "parentcaller": "0x7ffc6126c697",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 5025
          },
          {
            "timestamp": "2026-05-28 22:02:14,900",
            "thread_id": "11156",
            "caller": "0x7ffc756e54eb",
            "parentcaller": "0x7ffc6126c717",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "0\\xd6Me\\xa3\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\xe9\\x03\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 5026
          },
          {
            "timestamp": "2026-05-28 22:02:14,900",
            "thread_id": "11156",
            "caller": "0x7ffc756e6785",
            "parentcaller": "0x7ffc612616e6",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000618"
              }
            ],
            "repeated": 0,
            "id": 5027
          },
          {
            "timestamp": "2026-05-28 22:02:14,900",
            "thread_id": "11156",
            "caller": "0x7ffc77ff2caa",
            "parentcaller": "0x7ffc77ff2fbd",
            "category": "process",
            "api": "NtAllocateVirtualMemoryEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2a3654e3000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 5028
          },
          {
            "timestamp": "2026-05-28 22:02:14,900",
            "thread_id": "11156",
            "caller": "0x7ffc77be92b9",
            "parentcaller": "0x7ffc77c2224d",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "00000339-0000-0000-C000-000000000046"
              },
              {
                "name": "ClsContext",
                "value": "0x00000403",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER|CLSCTX_NO_CODE_DOWNLOAD"
              },
              {
                "name": "riid",
                "value": "00000003-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 5029
          },
          {
            "timestamp": "2026-05-28 22:02:14,900",
            "thread_id": "11156",
            "caller": "0x7ffc770e1630",
            "parentcaller": "0x7ffc770e12cd",
            "category": "system",
            "api": "NtQuerySystemTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 5030
          },
          {
            "timestamp": "2026-05-28 22:02:14,900",
            "thread_id": "11156",
            "caller": "0x7ffc78013f7a",
            "parentcaller": "0x7ffc770b0ed7",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "29"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 5031
          },
          {
            "timestamp": "2026-05-28 22:02:14,900",
            "thread_id": "11132",
            "caller": "0x7ffc77be92b9",
            "parentcaller": "0x7ffc77c2224d",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "00000339-0000-0000-C000-000000000046"
              },
              {
                "name": "ClsContext",
                "value": "0x00000403",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER|CLSCTX_NO_CODE_DOWNLOAD"
              },
              {
                "name": "riid",
                "value": "00000003-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 5032
          },
          {
            "timestamp": "2026-05-28 22:02:14,900",
            "thread_id": "11132",
            "caller": "0x7ffc770e1630",
            "parentcaller": "0x7ffc770e12cd",
            "category": "system",
            "api": "NtQuerySystemTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 1,
            "id": 5033
          },
          {
            "timestamp": "2026-05-28 22:02:14,900",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002cc"
              },
              {
                "name": "Milliseconds",
                "value": "4370"
              }
            ],
            "repeated": 0,
            "id": 5034
          },
          {
            "timestamp": "2026-05-28 22:02:14,900",
            "thread_id": "11132",
            "caller": "0x7ffc756e6785",
            "parentcaller": "0x7ffc77c12ec5",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000062c"
              }
            ],
            "repeated": 0,
            "id": 5035
          },
          {
            "timestamp": "2026-05-28 22:02:14,900",
            "thread_id": "11132",
            "caller": "0x7ffc7571ebae",
            "parentcaller": "0x7ffc775c5b05",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "0",
                "pretty_value": "ThreadBasicInformation"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x03\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xa0\\xa0\\xf7\\xb8\\x00\\x00\\x00\\xe0)\\x00\\x00\\x00\\x00\\x00\\x00|+\\x00\\x00\\x00\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\t\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "11132"
              }
            ],
            "repeated": 0,
            "id": 5036
          },
          {
            "timestamp": "2026-05-28 22:02:14,900",
            "thread_id": "11168",
            "caller": "0x7ffc7571ebae",
            "parentcaller": "0x7ffc775f84de",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "0",
                "pretty_value": "ThreadBasicInformation"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x03\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00 \\xa1\\xf7\\xb8\\x00\\x00\\x00\\xe0)\\x00\\x00\\x00\\x00\\x00\\x00\\xa0+\\x00\\x00\\x00\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\t\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "11168"
              }
            ],
            "repeated": 0,
            "id": 5037
          },
          {
            "timestamp": "2026-05-28 22:02:14,900",
            "thread_id": "11168",
            "caller": "0x7ffc756d30ce",
            "parentcaller": "0x7ffc77c22cd1",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 5038
          },
          {
            "timestamp": "2026-05-28 22:02:14,900",
            "thread_id": "11168",
            "caller": "0x7ffc756d30ce",
            "parentcaller": "0x7ffc77c22cd1",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000037c"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 5039
          },
          {
            "timestamp": "2026-05-28 22:02:14,900",
            "thread_id": "11168",
            "caller": "0x7ffc756d30ce",
            "parentcaller": "0x7ffc77c22cd1",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 5040
          },
          {
            "timestamp": "2026-05-28 22:02:14,900",
            "thread_id": "11168",
            "caller": "0x7ffc756d30ce",
            "parentcaller": "0x7ffc77c22cd1",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000037c"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 5041
          },
          {
            "timestamp": "2026-05-28 22:02:14,900",
            "thread_id": "11168",
            "caller": "0x7ffc77be92b9",
            "parentcaller": "0x7ffc77c2224d",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "00000339-0000-0000-C000-000000000046"
              },
              {
                "name": "ClsContext",
                "value": "0x00000403",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER|CLSCTX_NO_CODE_DOWNLOAD"
              },
              {
                "name": "riid",
                "value": "00000003-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 5042
          },
          {
            "timestamp": "2026-05-28 22:02:14,900",
            "thread_id": "11168",
            "caller": "0x7ffc770e1630",
            "parentcaller": "0x7ffc770e12cd",
            "category": "system",
            "api": "NtQuerySystemTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 5043
          },
          {
            "timestamp": "2026-05-28 22:02:14,900",
            "thread_id": "11156",
            "caller": "0x7ffc77ff2caa",
            "parentcaller": "0x7ffc77ff2fbd",
            "category": "process",
            "api": "NtAllocateVirtualMemoryEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2a3654e4000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 5044
          },
          {
            "timestamp": "2026-05-28 22:02:14,900",
            "thread_id": "11156",
            "caller": "0x7ffc77be92b9",
            "parentcaller": "0x7ffc77c2224d",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "00000339-0000-0000-C000-000000000046"
              },
              {
                "name": "ClsContext",
                "value": "0x00000403",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER|CLSCTX_NO_CODE_DOWNLOAD"
              },
              {
                "name": "riid",
                "value": "00000003-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 2,
            "id": 5045
          },
          {
            "timestamp": "2026-05-28 22:02:14,916",
            "thread_id": "11156",
            "caller": "0x7ffc77ff2caa",
            "parentcaller": "0x7ffc77ff2fbd",
            "category": "process",
            "api": "NtAllocateVirtualMemoryEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2a3654f1000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 5046
          },
          {
            "timestamp": "2026-05-28 22:02:14,916",
            "thread_id": "11168",
            "caller": "0x7ffc7571ebae",
            "parentcaller": "0x7ffc775c712f",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "0",
                "pretty_value": "ThreadBasicInformation"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x03\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00 \\xa1\\xf7\\xb8\\x00\\x00\\x00\\xe0)\\x00\\x00\\x00\\x00\\x00\\x00\\xa0+\\x00\\x00\\x00\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\t\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "11168"
              }
            ],
            "repeated": 0,
            "id": 5047
          },
          {
            "timestamp": "2026-05-28 22:02:14,916",
            "thread_id": "11132",
            "caller": "0x7ffc756e6785",
            "parentcaller": "0x7ffc77c12ec5",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000062c"
              }
            ],
            "repeated": 1,
            "id": 5048
          },
          {
            "timestamp": "2026-05-28 22:02:14,916",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "filesystem",
            "api": "NtWriteFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00001774"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\NamedPipe\\LOCAL\\mojo.9188.10632.18297276111718467407"
              },
              {
                "name": "Buffer",
                "value": "\\x10\\x00\\x00\\x00p\\x00\\x00\\x00 \\xe2\\x17\\x05\\x00\\x00\\x00\\x00\\x18\\x00\\x14\\x00\\x00\\x00\\x00\\x00#\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00H\\x00\\x00\\x00\\x00\\x00\\x00\\x00+\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x05\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00|\\x01\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "Length",
                "value": "112"
              }
            ],
            "repeated": 0,
            "id": 5049
          },
          {
            "timestamp": "2026-05-28 22:02:14,916",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 5050
          },
          {
            "timestamp": "2026-05-28 22:02:14,916",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002cc"
              },
              {
                "name": "Milliseconds",
                "value": "5000"
              }
            ],
            "repeated": 0,
            "id": 5051
          },
          {
            "timestamp": "2026-05-28 22:02:14,916",
            "thread_id": "11156",
            "caller": "0x7ffc7571ebae",
            "parentcaller": "0x7ffc775c712f",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "0",
                "pretty_value": "ThreadBasicInformation"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x03\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xa1\\xf7\\xb8\\x00\\x00\\x00\\xe0)\\x00\\x00\\x00\\x00\\x00\\x00\\x94+\\x00\\x00\\x00\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\t\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "11156"
              }
            ],
            "repeated": 0,
            "id": 5052
          },
          {
            "timestamp": "2026-05-28 22:02:14,916",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "00000339-0000-0000-C000-000000000046"
              },
              {
                "name": "ClsContext",
                "value": "0x00000403",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER|CLSCTX_NO_CODE_DOWNLOAD"
              },
              {
                "name": "riid",
                "value": "00000003-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 5053
          },
          {
            "timestamp": "2026-05-28 22:02:14,916",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "C2F03A33-21F5-47FA-B4BB-156362A2F239"
              },
              {
                "name": "ClsContext",
                "value": "0x00000004",
                "pretty_value": "CLSCTX_LOCAL_SERVER"
              },
              {
                "name": "riid",
                "value": "6D5140C1-7436-11CE-8034-00AA006009FA"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 5054
          },
          {
            "timestamp": "2026-05-28 22:02:14,916",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "NtQuerySystemTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 5055
          },
          {
            "timestamp": "2026-05-28 22:02:14,916",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "29"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 5056
          },
          {
            "timestamp": "2026-05-28 22:02:14,916",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 5057
          },
          {
            "timestamp": "2026-05-28 22:02:14,916",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005c8"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 5058
          },
          {
            "timestamp": "2026-05-28 22:02:14,916",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 5059
          },
          {
            "timestamp": "2026-05-28 22:02:14,916",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005c8"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 5060
          },
          {
            "timestamp": "2026-05-28 22:02:14,916",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "39"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 5061
          },
          {
            "timestamp": "2026-05-28 22:02:14,916",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "39"
              },
              {
                "name": "TokenInformation",
                "value": "\\x01\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\xb0\\x10Ne\\xa3\\x02\\x00\\x00\\x1c\\x00\\x1c\\x00\\x00\\x00\\x00\\x00P\\x11Ne\\xa3\\x02\\x00\\x00\\x03\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00p\\x11Ne\\xa3\\x02\\x00\\x00\\x12\\x00\\x12\\x00\\x00\\x00\\x00\\x00\\x84\\x12Ne\\xa3\\x02\\x00\\x00\\x02\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x98\\x12Ne\\xa3\\x02\\x00\\x00\\x1e\\x00\\x1e\\x00\\x00\\x00\\x00\\x00\\xa0\\x12Ne\\xa3\\x02\\x00\\x00\\x02\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xc0\\x12Ne\\xa3\\x02\\x00\\x00 \\x00 \\x00\\x00\\x00\\x00\\x00\\xc8\\x12Ne\\xa3\\x02\\x00\\x00\\x02\\x00\\x00\\x00A\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xe8\\x12Ne\\xa3\\x02\\x00\\x00W\\x00I\\x00N\\x00:\\x00/\\x00/\\x00S\\x00Y\\x00S\\x00A\\x00P\\x00P\\x00I\\x00D\\x00\\x00\\x00\\x00\\x00\\x86\\x00\\x86\\x00\\x00\\x00\\x00\\x00\\xa0\\x11Ne\\xa3\\x02\\x00\\x00\\x06\\x00\\x06\\x00\\x00\\x00\\x00\\x00&\\x12Ne\\xa3\\x02\\x00\\x00X\\x00X\\x00\\x00\\x00\\x00\\x00,\\x12Ne\\xa3\\x02\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 5062
          },
          {
            "timestamp": "2026-05-28 22:02:14,916",
            "thread_id": "11132",
            "caller": "0x7ffc756e6785",
            "parentcaller": "0x7ffc77c12ec5",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000062c"
              }
            ],
            "repeated": 0,
            "id": 5063
          },
          {
            "timestamp": "2026-05-28 22:02:14,916",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 5064
          },
          {
            "timestamp": "2026-05-28 22:02:14,916",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005c8"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 5065
          },
          {
            "timestamp": "2026-05-28 22:02:14,916",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "00000339-0000-0000-C000-000000000046"
              },
              {
                "name": "ClsContext",
                "value": "0x00000403",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER|CLSCTX_NO_CODE_DOWNLOAD"
              },
              {
                "name": "riid",
                "value": "00000003-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 5066
          },
          {
            "timestamp": "2026-05-28 22:02:14,916",
            "thread_id": "11128",
            "caller": "0x7ffc756e6785",
            "parentcaller": "0x7ffc60ed53ef",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000610"
              }
            ],
            "repeated": 0,
            "id": 5067
          },
          {
            "timestamp": "2026-05-28 22:02:14,916",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 5068
          },
          {
            "timestamp": "2026-05-28 22:02:14,916",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005c8"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 5069
          },
          {
            "timestamp": "2026-05-28 22:02:14,916",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 5070
          },
          {
            "timestamp": "2026-05-28 22:02:14,916",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005c8"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 5071
          },
          {
            "timestamp": "2026-05-28 22:02:14,916",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "99B29D3B-368A-4BE6-B675-805A69114497"
              },
              {
                "name": "ClsContext",
                "value": "0x00000403",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER|CLSCTX_NO_CODE_DOWNLOAD"
              },
              {
                "name": "riid",
                "value": "00000003-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 5072
          },
          {
            "timestamp": "2026-05-28 22:02:14,916",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 5073
          },
          {
            "timestamp": "2026-05-28 22:02:14,916",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005c8"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 5074
          },
          {
            "timestamp": "2026-05-28 22:02:14,916",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 5075
          },
          {
            "timestamp": "2026-05-28 22:02:14,916",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005c8"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 5076
          },
          {
            "timestamp": "2026-05-28 22:02:14,916",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 5077
          },
          {
            "timestamp": "2026-05-28 22:02:14,916",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005c8"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 5078
          },
          {
            "timestamp": "2026-05-28 22:02:14,916",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 5079
          },
          {
            "timestamp": "2026-05-28 22:02:14,916",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005c8"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 5080
          },
          {
            "timestamp": "2026-05-28 22:02:14,916",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "00000339-0000-0000-C000-000000000046"
              },
              {
                "name": "ClsContext",
                "value": "0x00000403",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER|CLSCTX_NO_CODE_DOWNLOAD"
              },
              {
                "name": "riid",
                "value": "00000003-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 5081
          },
          {
            "timestamp": "2026-05-28 22:02:14,916",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 5082
          },
          {
            "timestamp": "2026-05-28 22:02:14,916",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005c8"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 5083
          },
          {
            "timestamp": "2026-05-28 22:02:14,916",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 5084
          },
          {
            "timestamp": "2026-05-28 22:02:14,916",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000614"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 5085
          },
          {
            "timestamp": "2026-05-28 22:02:14,916",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 5086
          },
          {
            "timestamp": "2026-05-28 22:02:14,916",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000614"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 5087
          },
          {
            "timestamp": "2026-05-28 22:02:14,916",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 5088
          },
          {
            "timestamp": "2026-05-28 22:02:14,916",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000614"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 5089
          },
          {
            "timestamp": "2026-05-28 22:02:14,916",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 5090
          },
          {
            "timestamp": "2026-05-28 22:02:14,916",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000005c8"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 5091
          },
          {
            "timestamp": "2026-05-28 22:02:14,916",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 5092
          },
          {
            "timestamp": "2026-05-28 22:02:14,916",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "P\\x04Le\\xa3\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\xa8\\xa4\\xd3\\xd9\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\xe9\\x03\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 5093
          },
          {
            "timestamp": "2026-05-28 22:02:14,916",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000610"
              }
            ],
            "repeated": 0,
            "id": 5094
          },
          {
            "timestamp": "2026-05-28 22:02:14,916",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 5095
          },
          {
            "timestamp": "2026-05-28 22:02:14,916",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000460"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 5096
          },
          {
            "timestamp": "2026-05-28 22:02:14,916",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 5097
          },
          {
            "timestamp": "2026-05-28 22:02:14,916",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000460"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 5098
          },
          {
            "timestamp": "2026-05-28 22:02:14,916",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "00000339-0000-0000-C000-000000000046"
              },
              {
                "name": "ClsContext",
                "value": "0x00000403",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER|CLSCTX_NO_CODE_DOWNLOAD"
              },
              {
                "name": "riid",
                "value": "00000003-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 5099
          },
          {
            "timestamp": "2026-05-28 22:02:14,916",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "NtQuerySystemTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 1,
            "id": 5100
          },
          {
            "timestamp": "2026-05-28 22:02:14,932",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000460"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 5101
          },
          {
            "timestamp": "2026-05-28 22:02:14,932",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 5102
          },
          {
            "timestamp": "2026-05-28 22:02:14,932",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000460"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 5103
          },
          {
            "timestamp": "2026-05-28 22:02:14,932",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 5104
          },
          {
            "timestamp": "2026-05-28 22:02:14,932",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000460"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 5105
          },
          {
            "timestamp": "2026-05-28 22:02:14,932",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "00000339-0000-0000-C000-000000000046"
              },
              {
                "name": "ClsContext",
                "value": "0x00000403",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER|CLSCTX_NO_CODE_DOWNLOAD"
              },
              {
                "name": "riid",
                "value": "00000003-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 5106
          },
          {
            "timestamp": "2026-05-28 22:02:14,932",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\PinnableSurfaces"
              },
              {
                "name": "Handle",
                "value": "0x00000630"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\PinnableSurfaces"
              }
            ],
            "repeated": 0,
            "id": 5107
          },
          {
            "timestamp": "2026-05-28 22:02:14,932",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000630"
              },
              {
                "name": "ValueName",
                "value": "DefaultStart"
              },
              {
                "name": "Data",
                "value": "Windows.Internal.ApplicationModel.StartPinnableSurface"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\PinnableSurfaces\\DefaultStart"
              }
            ],
            "repeated": 0,
            "id": 5108
          },
          {
            "timestamp": "2026-05-28 22:02:14,932",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000630"
              }
            ],
            "repeated": 0,
            "id": 5109
          },
          {
            "timestamp": "2026-05-28 22:02:14,932",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtOpenSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000630"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000004"
              },
              {
                "name": "ObjectAttributes",
                "value": "ApplicationService:29e01dceeeda2acba75"
              }
            ],
            "repeated": 0,
            "id": 5110
          },
          {
            "timestamp": "2026-05-28 22:02:14,932",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000630"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2a36af90000"
              },
              {
                "name": "SectionOffset",
                "value": "0xb8f792cd10"
              },
              {
                "name": "ViewSize",
                "value": "0x00010000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 5111
          },
          {
            "timestamp": "2026-05-28 22:02:14,932",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtAllocateVirtualMemoryEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2a367f02000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 5112
          },
          {
            "timestamp": "2026-05-28 22:02:14,932",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtAllocateVirtualMemoryEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2a367f03000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 5113
          },
          {
            "timestamp": "2026-05-28 22:02:14,932",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtUnmapViewOfSectionEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2a36af90000"
              },
              {
                "name": "RegionSize",
                "value": "0x00010000"
              },
              {
                "name": "Flags",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 5114
          },
          {
            "timestamp": "2026-05-28 22:02:14,932",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000630"
              }
            ],
            "repeated": 0,
            "id": 5115
          },
          {
            "timestamp": "2026-05-28 22:02:14,932",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2a367f02000"
              },
              {
                "name": "RegionSize",
                "value": "0x00011000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 5116
          },
          {
            "timestamp": "2026-05-28 22:02:14,932",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0000000a"
              },
              {
                "name": "TokenHandle",
                "value": "0x00000630"
              }
            ],
            "repeated": 0,
            "id": 5117
          },
          {
            "timestamp": "2026-05-28 22:02:14,932",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000630"
              }
            ],
            "repeated": 0,
            "id": 5118
          },
          {
            "timestamp": "2026-05-28 22:02:14,932",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000630"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80000000",
                "pretty_value": "0x80000000"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Microsoft\\SecurityManager\\AdminCapabilities"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\SecurityManager\\AdminCapabilities"
              }
            ],
            "repeated": 0,
            "id": 5119
          },
          {
            "timestamp": "2026-05-28 22:02:14,932",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000630"
              },
              {
                "name": "ValueName",
                "value": "shellExperience"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SecurityManager\\AdminCapabilities\\shellExperience"
              }
            ],
            "repeated": 0,
            "id": 5120
          },
          {
            "timestamp": "2026-05-28 22:02:14,932",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xc0\\xca\\x92\\xf7\\xb8\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xfc\\x7f\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\xe9\\x03\\x00\\x00 \\x02\\x00\\x00\\xd0\\x81<%\\x1e2\\x005\\xb7x)\\x13I=\\x97*\\xee\\xce'\\xd6\\x97\\xec#0mJQa\\x00\\x00\\x18\\x00\\x01\\x00\\x00\\x00\\x01\\x02\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 5121
          },
          {
            "timestamp": "2026-05-28 22:02:14,932",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000630"
              }
            ],
            "repeated": 0,
            "id": 5122
          },
          {
            "timestamp": "2026-05-28 22:02:14,932",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000634"
              }
            ],
            "repeated": 0,
            "id": 5123
          },
          {
            "timestamp": "2026-05-28 22:02:14,932",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "filesystem",
            "api": "NtWriteFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00001774"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\NamedPipe\\LOCAL\\mojo.9188.10632.18297276111718467407"
              },
              {
                "name": "Buffer",
                "value": "\\x10\\x00\\x00\\x00p\\x00\\x00\\x00uC\\x18\\x05\\x00\\x00\\x00\\x00\\x18\\x00\\x14\\x00\\x00\\x00\\x00\\x00$\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00H\\x00\\x00\\x00\\x00\\x00\\x00\\x00/\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00|\\x01\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "Length",
                "value": "112"
              }
            ],
            "repeated": 0,
            "id": 5124
          },
          {
            "timestamp": "2026-05-28 22:02:14,932",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 5125
          },
          {
            "timestamp": "2026-05-28 22:02:14,932",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000460"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 5126
          },
          {
            "timestamp": "2026-05-28 22:02:14,932",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 5127
          },
          {
            "timestamp": "2026-05-28 22:02:14,932",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000460"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 5128
          },
          {
            "timestamp": "2026-05-28 22:02:14,932",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 5129
          },
          {
            "timestamp": "2026-05-28 22:02:14,932",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000460"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 5130
          },
          {
            "timestamp": "2026-05-28 22:02:14,932",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 5131
          },
          {
            "timestamp": "2026-05-28 22:02:14,932",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000460"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 5132
          },
          {
            "timestamp": "2026-05-28 22:02:14,932",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000618"
              }
            ],
            "repeated": 0,
            "id": 5133
          },
          {
            "timestamp": "2026-05-28 22:02:14,932",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 5134
          },
          {
            "timestamp": "2026-05-28 22:02:14,932",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002cc"
              },
              {
                "name": "Milliseconds",
                "value": "4975"
              }
            ],
            "repeated": 0,
            "id": 5135
          },
          {
            "timestamp": "2026-05-28 22:02:19,916",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x3edc00152000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 5136
          },
          {
            "timestamp": "2026-05-28 22:02:19,916",
            "thread_id": "11032",
            "caller": "0x7ffc756e5810",
            "parentcaller": "0x7ffc1fa0f3bb",
            "category": "filesystem",
            "api": "NtReadFile",
            "status": true,
            "return": "0x00000103",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00001774"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\NamedPipe\\LOCAL\\mojo.9188.10632.18297276111718467407"
              },
              {
                "name": "Buffer",
                "value": "\\x10\\x00\\x00\\x00@\\x00\\x00\\x00\\xf1=d\\x05\\x00\\x00\\x00\\x00\\x18\\x00\\x16\\x00\\x00\\x00\\x00\\x00$\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x18\\x00\\x00\\x00\\x00\\x00\\x00\\x00+\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "Length",
                "value": "64"
              }
            ],
            "repeated": 0,
            "id": 5137
          },
          {
            "timestamp": "2026-05-28 22:02:19,916",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "filesystem",
            "api": "NtWriteFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00001774"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\NamedPipe\\LOCAL\\mojo.9188.10632.18297276111718467407"
              },
              {
                "name": "Buffer",
                "value": "\\x10\\x00\\x00\\x00p\\x00\\x00\\x00W=d\\x05\\x00\\x00\\x00\\x00\\x18\\x00\\x14\\x00\\x00\\x00\\x00\\x00%\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00H\\x00\\x00\\x00\\x00\\x00\\x00\\x00+\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x06\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00{\\x01\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "Length",
                "value": "112"
              }
            ],
            "repeated": 0,
            "id": 5138
          },
          {
            "timestamp": "2026-05-28 22:02:19,916",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x3edc00153000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 5139
          },
          {
            "timestamp": "2026-05-28 22:02:19,916",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 5140
          },
          {
            "timestamp": "2026-05-28 22:02:19,916",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002cc"
              },
              {
                "name": "Milliseconds",
                "value": "22"
              }
            ],
            "repeated": 0,
            "id": 5141
          },
          {
            "timestamp": "2026-05-28 22:02:19,947",
            "thread_id": "11032",
            "caller": "0x7ffc756e5810",
            "parentcaller": "0x7ffc1fa0f3bb",
            "category": "filesystem",
            "api": "NtReadFile",
            "status": true,
            "return": "0x00000103",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00001774"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\NamedPipe\\LOCAL\\mojo.9188.10632.18297276111718467407"
              },
              {
                "name": "Buffer",
                "value": "\\x10\\x00\\x00\\x00@\\x00\\x00\\x00l\\xb6d\\x05\\x00\\x00\\x00\\x00\\x18\\x00\\x16\\x00\\x00\\x00\\x00\\x00%\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x18\\x00\\x00\\x00\\x00\\x00\\x00\\x00/\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "Length",
                "value": "64"
              }
            ],
            "repeated": 0,
            "id": 5142
          },
          {
            "timestamp": "2026-05-28 22:02:19,947",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "filesystem",
            "api": "NtWriteFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00001774"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\NamedPipe\\LOCAL\\mojo.9188.10632.18297276111718467407"
              },
              {
                "name": "Buffer",
                "value": "\\x10\\x00\\x00\\x00p\\x00\\x00\\x00/\\xb5d\\x05\\x00\\x00\\x00\\x00\\x18\\x00\\x14\\x00\\x00\\x00\\x00\\x00&\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00H\\x00\\x00\\x00\\x00\\x00\\x00\\x00/\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x05\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00{\\x01\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "Length",
                "value": "112"
              }
            ],
            "repeated": 0,
            "id": 5143
          },
          {
            "timestamp": "2026-05-28 22:02:19,947",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 5144
          },
          {
            "timestamp": "2026-05-28 22:02:19,947",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002cc"
              },
              {
                "name": "Milliseconds",
                "value": "980"
              }
            ],
            "repeated": 0,
            "id": 5145
          },
          {
            "timestamp": "2026-05-28 22:02:20,994",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x3edc00164000"
              },
              {
                "name": "RegionSize",
                "value": "0x00005000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 5146
          },
          {
            "timestamp": "2026-05-28 22:02:20,994",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x3edc00118000"
              },
              {
                "name": "RegionSize",
                "value": "0x00002000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 5147
          },
          {
            "timestamp": "2026-05-28 22:02:20,994",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x3edc0011c000"
              },
              {
                "name": "RegionSize",
                "value": "0x00004000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 5148
          },
          {
            "timestamp": "2026-05-28 22:02:20,994",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x3edc00140000"
              },
              {
                "name": "RegionSize",
                "value": "0x00003000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 5149
          },
          {
            "timestamp": "2026-05-28 22:02:20,994",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x3edc00164000"
              },
              {
                "name": "RegionSize",
                "value": "0x00005000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 5150
          },
          {
            "timestamp": "2026-05-28 22:02:20,994",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x3edc00108000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 5151
          },
          {
            "timestamp": "2026-05-28 22:02:20,994",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 5152
          },
          {
            "timestamp": "2026-05-28 22:02:20,994",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002cc"
              },
              {
                "name": "Milliseconds",
                "value": "3952"
              }
            ],
            "repeated": 0,
            "id": 5153
          },
          {
            "timestamp": "2026-05-28 22:02:22,963",
            "thread_id": "11012",
            "caller": "0x7ffc756d30ce",
            "parentcaller": "0x7ffc1fb4ee58",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 5154
          },
          {
            "timestamp": "2026-05-28 22:02:22,963",
            "thread_id": "11012",
            "caller": "0x7ffc756d30ce",
            "parentcaller": "0x7ffc1fb4ee58",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000294"
              },
              {
                "name": "Milliseconds",
                "value": "10000"
              }
            ],
            "repeated": 0,
            "id": 5155
          },
          {
            "timestamp": "2026-05-28 22:02:25,025",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "filesystem",
            "api": "NtWriteFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00001774"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\NamedPipe\\LOCAL\\mojo.9188.10632.18297276111718467407"
              },
              {
                "name": "Buffer",
                "value": "\\x10\\x00\\x00\\x00p\\x00\\x00\\x00\\xb9?\\xb2\\x05\\x00\\x00\\x00\\x00\\x18\\x00\\x14\\x00\\x00\\x00\\x00\\x00'\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00H\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x0f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x05\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00{\\x01\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "Length",
                "value": "112"
              }
            ],
            "repeated": 0,
            "id": 5156
          },
          {
            "timestamp": "2026-05-28 22:02:25,025",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 5157
          },
          {
            "timestamp": "2026-05-28 22:02:25,025",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002cc"
              },
              {
                "name": "Milliseconds",
                "value": "3968"
              }
            ],
            "repeated": 0,
            "id": 5158
          },
          {
            "timestamp": "2026-05-28 22:02:26,104",
            "thread_id": "11032",
            "caller": "0x7ffc756e5810",
            "parentcaller": "0x7ffc1fa0f3bb",
            "category": "filesystem",
            "api": "NtReadFile",
            "status": true,
            "return": "0x00000103",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00001774"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\NamedPipe\\LOCAL\\mojo.9188.10632.18297276111718467407"
              },
              {
                "name": "Buffer",
                "value": "\\x10\\x00\\x00\\x00@\\x00\\x00\\x00\\xc9\\x88\\xc2\\x05\\x00\\x00\\x00\\x00\\x18\\x00\\x16\\x00\\x00\\x00\\x00\\x00&\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x18\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x0f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x06\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "Length",
                "value": "64"
              }
            ],
            "repeated": 0,
            "id": 5159
          },
          {
            "timestamp": "2026-05-28 22:02:26,104",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "combase.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc77b70000"
              },
              {
                "name": "FunctionName",
                "value": "RoUninitialize"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc77c508e0"
              }
            ],
            "repeated": 0,
            "id": 5160
          },
          {
            "timestamp": "2026-05-28 22:02:26,104",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc729df000"
              },
              {
                "name": "ModuleName",
                "value": "PROPSYS.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 5161
          },
          {
            "timestamp": "2026-05-28 22:02:26,104",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc729df000"
              },
              {
                "name": "ModuleName",
                "value": "PROPSYS.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 5162
          },
          {
            "timestamp": "2026-05-28 22:02:26,104",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "oleaut32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc77330000"
              }
            ],
            "repeated": 0,
            "id": 5163
          },
          {
            "timestamp": "2026-05-28 22:02:26,104",
            "thread_id": "11032",
            "caller": "0x7ffc7571bd56",
            "parentcaller": "0x7ffc1f8a9c3f",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "23"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x84J\\x90\\x02\\x00\\x00\\x00\\x00|\\xed]\\xa2W\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "11032"
              }
            ],
            "repeated": 0,
            "id": 5164
          },
          {
            "timestamp": "2026-05-28 22:02:26,104",
            "thread_id": "11032",
            "caller": "0x7ffc7571ebae",
            "parentcaller": "0x7ffc1f8a9d10",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "0",
                "pretty_value": "ThreadBasicInformation"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x03\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00 \\xa0\\xf7\\xb8\\x00\\x00\\x00\\xe0)\\x00\\x00\\x00\\x00\\x00\\x00\\x18+\\x00\\x00\\x00\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\n\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "11032"
              }
            ],
            "repeated": 0,
            "id": 5165
          },
          {
            "timestamp": "2026-05-28 22:02:26,104",
            "thread_id": "11032",
            "caller": "0x7ffc756e53aa",
            "parentcaller": "0x7ffc1f5e0093",
            "category": "filesystem",
            "api": "NtWriteFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00001774"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\NamedPipe\\LOCAL\\mojo.9188.10632.18297276111718467407"
              },
              {
                "name": "Buffer",
                "value": "\\x10\\x00\\x00\\x00@\\x00\\x00\\x00\\x0f\\x94\\xc2\\x05\\x00\\x00\\x00\\x00\\x18\\x00\\x16\\x00\\x00\\x00\\x00\\x00(\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x18\\x00\\x00\\x00\\x00\\x00\\x00\\x00*\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "Length",
                "value": "64"
              }
            ],
            "repeated": 0,
            "id": 5166
          },
          {
            "timestamp": "2026-05-28 22:02:26,104",
            "thread_id": "11032",
            "caller": "0x7ffc7571bd56",
            "parentcaller": "0x7ffc1f8a9c3f",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "23"
              },
              {
                "name": "ThreadInformation",
                "value": "6F\\x9e\\x02\\x00\\x00\\x00\\x00\\xca/m\\xa2W\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "11032"
              }
            ],
            "repeated": 0,
            "id": 5167
          },
          {
            "timestamp": "2026-05-28 22:02:26,104",
            "thread_id": "11032",
            "caller": "0x7ffc7571ebae",
            "parentcaller": "0x7ffc1f8a9d10",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "0",
                "pretty_value": "ThreadBasicInformation"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x03\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00 \\xa0\\xf7\\xb8\\x00\\x00\\x00\\xe0)\\x00\\x00\\x00\\x00\\x00\\x00\\x18+\\x00\\x00\\x00\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\n\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "11032"
              }
            ],
            "repeated": 0,
            "id": 5168
          },
          {
            "timestamp": "2026-05-28 22:02:26,104",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtUnmapViewOfSectionEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2a366df0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Flags",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 5169
          },
          {
            "timestamp": "2026-05-28 22:02:26,104",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtUnmapViewOfSectionEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2a367dd0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Flags",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 5170
          },
          {
            "timestamp": "2026-05-28 22:02:26,104",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "filesystem",
            "api": "NtWriteFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00001774"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\NamedPipe\\LOCAL\\mojo.9188.10632.18297276111718467407"
              },
              {
                "name": "Buffer",
                "value": "\\x10\\x00\\x00\\x00@\\x00\\x00\\x00\\xdc\\x95\\xc2\\x05\\x00\\x00\\x00\\x00\\x18\\x00\\x16\\x00\\x00\\x00\\x00\\x00)\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x18\\x00\\x00\\x00\\x00\\x00\\x00\\x00!\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "Length",
                "value": "64"
              }
            ],
            "repeated": 0,
            "id": 5171
          },
          {
            "timestamp": "2026-05-28 22:02:26,104",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "filesystem",
            "api": "NtWriteFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00001774"
              },
              {
                "name": "HandleName",
                "value": "\\Device\\NamedPipe\\LOCAL\\mojo.9188.10632.18297276111718467407"
              },
              {
                "name": "Buffer",
                "value": "\\x10\\x00\\x00\\x00@\\x00\\x00\\x00\\xd2\\x96\\xc2\\x05\\x00\\x00\\x00\\x00\\x18\\x00\\x16\\x00\\x00\\x00\\x00\\x00*\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x18\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x15\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "Length",
                "value": "64"
              }
            ],
            "repeated": 0,
            "id": 5172
          },
          {
            "timestamp": "2026-05-28 22:02:26,104",
            "thread_id": "10724",
            "caller": "0x7ff66cac4c88",
            "parentcaller": "0x7ff66caab649",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000314"
              }
            ],
            "repeated": 0,
            "id": 5173
          },
          {
            "timestamp": "2026-05-28 22:02:26,104",
            "thread_id": "10724",
            "caller": "0x7ff66cac4c88",
            "parentcaller": "0x7ff66caab649",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000310"
              }
            ],
            "repeated": 0,
            "id": 5174
          },
          {
            "timestamp": "2026-05-28 22:02:26,104",
            "thread_id": "11032",
            "caller": "0x7ffc756d30ce",
            "parentcaller": "0x7ffc1f4c87c5",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 5175
          },
          {
            "timestamp": "2026-05-28 22:02:26,104",
            "thread_id": "11032",
            "caller": "0x7ffc756d30ce",
            "parentcaller": "0x7ffc1f4c87c5",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000304"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 5176
          },
          {
            "timestamp": "2026-05-28 22:02:26,104",
            "thread_id": "11032",
            "caller": "0x7ffc756d30ce",
            "parentcaller": "0x7ffc1f4c8812",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000304"
              },
              {
                "name": "Milliseconds",
                "value": "18446744073709551615"
              },
              {
                "name": "Status",
                "value": "Infinite"
              }
            ],
            "repeated": 0,
            "id": 5177
          },
          {
            "timestamp": "2026-05-28 22:02:26,104",
            "thread_id": "11032",
            "caller": "0x7ff66cac4c88",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000328"
              }
            ],
            "repeated": 0,
            "id": 5178
          },
          {
            "timestamp": "2026-05-28 22:02:26,104",
            "thread_id": "11032",
            "caller": "0x7ffc7571ebae",
            "parentcaller": "0x7ffc1fc09d18",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "0",
                "pretty_value": "ThreadBasicInformation"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x03\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00 \\xa0\\xf7\\xb8\\x00\\x00\\x00\\xe0)\\x00\\x00\\x00\\x00\\x00\\x00\\x18+\\x00\\x00\\x00\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\n\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "11032"
              }
            ],
            "repeated": 0,
            "id": 5179
          },
          {
            "timestamp": "2026-05-28 22:02:26,104",
            "thread_id": "11032",
            "caller": "0x7ff66cac4c88",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000324"
              }
            ],
            "repeated": 0,
            "id": 5180
          },
          {
            "timestamp": "2026-05-28 22:02:26,104",
            "thread_id": "11032",
            "caller": "0x7ffc7802467e",
            "parentcaller": "0x7ffc7604734d",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "12"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "11032"
              }
            ],
            "repeated": 0,
            "id": 5181
          },
          {
            "timestamp": "2026-05-28 22:02:26,104",
            "thread_id": "11032",
            "caller": "0x7ffc7802469e",
            "parentcaller": "0x7ffc7604734d",
            "category": "threading",
            "api": "NtTerminateThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0x00000000"
              },
              {
                "name": "ExitStatus",
                "value": "0x00000000"
              },
              {
                "name": "ThreadId",
                "value": "0"
              },
              {
                "name": "ProcessId",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 5182
          },
          {
            "timestamp": "2026-05-28 22:02:26,104",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0x00000308"
              },
              {
                "name": "ThreadInformationClass",
                "value": "0",
                "pretty_value": "ThreadBasicInformation"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xe0)\\x00\\x00\\x00\\x00\\x00\\x00\\x18+\\x00\\x00\\x00\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\n\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "11032"
              }
            ],
            "repeated": 0,
            "id": 5183
          },
          {
            "timestamp": "2026-05-28 22:02:26,104",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000308"
              },
              {
                "name": "Milliseconds",
                "value": "18446744073709551615"
              },
              {
                "name": "Status",
                "value": "Infinite"
              }
            ],
            "repeated": 0,
            "id": 5184
          },
          {
            "timestamp": "2026-05-28 22:02:26,104",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000308"
              }
            ],
            "repeated": 0,
            "id": 5185
          },
          {
            "timestamp": "2026-05-28 22:02:26,104",
            "thread_id": "10724",
            "caller": "0x7ff66cac4c88",
            "parentcaller": "0x7ff66caab649",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002dc"
              }
            ],
            "repeated": 0,
            "id": 5186
          },
          {
            "timestamp": "2026-05-28 22:02:26,104",
            "thread_id": "10724",
            "caller": "0x7ff66cac4c88",
            "parentcaller": "0x7ff66caab649",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002d8"
              }
            ],
            "repeated": 0,
            "id": 5187
          },
          {
            "timestamp": "2026-05-28 22:02:26,104",
            "thread_id": "11020",
            "caller": "0x7ffc756d30ce",
            "parentcaller": "0x7ffc1fb4eec1",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000031c"
              },
              {
                "name": "Milliseconds",
                "value": "18446744073709551615"
              },
              {
                "name": "Status",
                "value": "Infinite"
              }
            ],
            "repeated": 0,
            "id": 5188
          },
          {
            "timestamp": "2026-05-28 22:02:26,104",
            "thread_id": "11020",
            "caller": "0x7ffc756d30ce",
            "parentcaller": "0x7ffc1f4c87c5",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 5189
          },
          {
            "timestamp": "2026-05-28 22:02:26,104",
            "thread_id": "11020",
            "caller": "0x7ffc756d30ce",
            "parentcaller": "0x7ffc1f4c87c5",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002e0"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 5190
          },
          {
            "timestamp": "2026-05-28 22:02:26,104",
            "thread_id": "11020",
            "caller": "0x7ffc756d30ce",
            "parentcaller": "0x7ffc1f4c8812",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002e0"
              },
              {
                "name": "Milliseconds",
                "value": "18446744073709551615"
              },
              {
                "name": "Status",
                "value": "Infinite"
              }
            ],
            "repeated": 0,
            "id": 5191
          },
          {
            "timestamp": "2026-05-28 22:02:26,104",
            "thread_id": "11020",
            "caller": "0x7ff66cac4c88",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000031c"
              }
            ],
            "repeated": 0,
            "id": 5192
          },
          {
            "timestamp": "2026-05-28 22:02:26,104",
            "thread_id": "11020",
            "caller": "0x7ffc7571ebae",
            "parentcaller": "0x7ffc1fc09d18",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "0",
                "pretty_value": "ThreadBasicInformation"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x03\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xc0\\xbf\\xf7\\xb8\\x00\\x00\\x00\\xe0)\\x00\\x00\\x00\\x00\\x00\\x00\\x0c+\\x00\\x00\\x00\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\t\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "11020"
              }
            ],
            "repeated": 0,
            "id": 5193
          },
          {
            "timestamp": "2026-05-28 22:02:26,104",
            "thread_id": "11020",
            "caller": "0x7ff66cac4c88",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000318"
              }
            ],
            "repeated": 0,
            "id": 5194
          },
          {
            "timestamp": "2026-05-28 22:02:26,104",
            "thread_id": "11020",
            "caller": "0x7ffc7802467e",
            "parentcaller": "0x7ffc7604734d",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "12"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "11020"
              }
            ],
            "repeated": 0,
            "id": 5195
          },
          {
            "timestamp": "2026-05-28 22:02:26,104",
            "thread_id": "11020",
            "caller": "0x7ffc7802469e",
            "parentcaller": "0x7ffc7604734d",
            "category": "threading",
            "api": "NtTerminateThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0x00000000"
              },
              {
                "name": "ExitStatus",
                "value": "0x00000000"
              },
              {
                "name": "ThreadId",
                "value": "0"
              },
              {
                "name": "ProcessId",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 5196
          },
          {
            "timestamp": "2026-05-28 22:02:26,104",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0x000002e4"
              },
              {
                "name": "ThreadInformationClass",
                "value": "0",
                "pretty_value": "ThreadBasicInformation"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xe0)\\x00\\x00\\x00\\x00\\x00\\x00\\x0c+\\x00\\x00\\x00\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\t\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "11020"
              }
            ],
            "repeated": 0,
            "id": 5197
          },
          {
            "timestamp": "2026-05-28 22:02:26,104",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002e4"
              },
              {
                "name": "Milliseconds",
                "value": "18446744073709551615"
              },
              {
                "name": "Status",
                "value": "Infinite"
              }
            ],
            "repeated": 0,
            "id": 5198
          },
          {
            "timestamp": "2026-05-28 22:02:26,104",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002e4"
              }
            ],
            "repeated": 0,
            "id": 5199
          },
          {
            "timestamp": "2026-05-28 22:02:26,104",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 5200
          },
          {
            "timestamp": "2026-05-28 22:02:26,104",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002e4"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 5201
          },
          {
            "timestamp": "2026-05-28 22:02:26,104",
            "thread_id": "10724",
            "caller": "0x7ff66cac4c88",
            "parentcaller": "0x7ff66caab649",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002d4"
              }
            ],
            "repeated": 0,
            "id": 5202
          },
          {
            "timestamp": "2026-05-28 22:02:26,104",
            "thread_id": "10724",
            "caller": "0x7ff66cac4c88",
            "parentcaller": "0x7ff66caab649",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002cc"
              }
            ],
            "repeated": 0,
            "id": 5203
          },
          {
            "timestamp": "2026-05-28 22:02:26,104",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtUnmapViewOfSectionEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2a367c30000"
              },
              {
                "name": "RegionSize",
                "value": "0x000d6000"
              },
              {
                "name": "Flags",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 5204
          },
          {
            "timestamp": "2026-05-28 22:02:26,104",
            "thread_id": "10724",
            "caller": "0x7ff66cac4c88",
            "parentcaller": "0x7ff66caab649",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000280"
              }
            ],
            "repeated": 0,
            "id": 5205
          },
          {
            "timestamp": "2026-05-28 22:02:26,104",
            "thread_id": "10724",
            "caller": "0x7ff66cac4c88",
            "parentcaller": "0x7ff66caab649",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000027c"
              }
            ],
            "repeated": 0,
            "id": 5206
          },
          {
            "timestamp": "2026-05-28 22:02:26,104",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtUnmapViewOfSectionEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2a36c000000"
              },
              {
                "name": "RegionSize",
                "value": "0x021d5000"
              },
              {
                "name": "Flags",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 5207
          },
          {
            "timestamp": "2026-05-28 22:02:26,104",
            "thread_id": "10724",
            "caller": "0x7ff66cac4c88",
            "parentcaller": "0x7ff66caab649",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000288"
              }
            ],
            "repeated": 0,
            "id": 5208
          },
          {
            "timestamp": "2026-05-28 22:02:26,104",
            "thread_id": "10724",
            "caller": "0x7ff66cac4c88",
            "parentcaller": "0x7ff66caab649",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000284"
              }
            ],
            "repeated": 0,
            "id": 5209
          },
          {
            "timestamp": "2026-05-28 22:02:26,104",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtUnmapViewOfSectionEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2a367a40000"
              },
              {
                "name": "RegionSize",
                "value": "0x001e6000"
              },
              {
                "name": "Flags",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 5210
          },
          {
            "timestamp": "2026-05-28 22:02:26,104",
            "thread_id": "10724",
            "caller": "0x7ff66cac4c88",
            "parentcaller": "0x7ff66caab649",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000278"
              }
            ],
            "repeated": 0,
            "id": 5211
          },
          {
            "timestamp": "2026-05-28 22:02:26,104",
            "thread_id": "10724",
            "caller": "0x7ff66cac4c88",
            "parentcaller": "0x7ff66caab649",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000274"
              }
            ],
            "repeated": 0,
            "id": 5212
          },
          {
            "timestamp": "2026-05-28 22:02:26,104",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtUnmapViewOfSectionEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2a367900000"
              },
              {
                "name": "RegionSize",
                "value": "0x0013b000"
              },
              {
                "name": "Flags",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 5213
          },
          {
            "timestamp": "2026-05-28 22:02:26,104",
            "thread_id": "10724",
            "caller": "0x7ff66cac4c88",
            "parentcaller": "0x7ff66caab649",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000270"
              }
            ],
            "repeated": 0,
            "id": 5214
          },
          {
            "timestamp": "2026-05-28 22:02:26,104",
            "thread_id": "10724",
            "caller": "0x7ff66cac4c88",
            "parentcaller": "0x7ff66caab649",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000026c"
              }
            ],
            "repeated": 0,
            "id": 5215
          },
          {
            "timestamp": "2026-05-28 22:02:26,104",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ADVAPI32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc771e0000"
              },
              {
                "name": "FunctionName",
                "value": "UnregisterTraceGuids"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc78020340"
              }
            ],
            "repeated": 0,
            "id": 5216
          },
          {
            "timestamp": "2026-05-28 22:02:26,104",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000028c"
              }
            ],
            "repeated": 0,
            "id": 5217
          },
          {
            "timestamp": "2026-05-28 22:02:26,104",
            "thread_id": "11004",
            "caller": "0x7ffc756d30ce",
            "parentcaller": "0x7ffc1f4c87c5",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 5218
          },
          {
            "timestamp": "2026-05-28 22:02:26,104",
            "thread_id": "11004",
            "caller": "0x7ffc756d30ce",
            "parentcaller": "0x7ffc1f4c87c5",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000250"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 5219
          },
          {
            "timestamp": "2026-05-28 22:02:26,104",
            "thread_id": "11004",
            "caller": "0x7ffc756d30ce",
            "parentcaller": "0x7ffc1f4c8812",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000250"
              },
              {
                "name": "Milliseconds",
                "value": "18446744073709551615"
              },
              {
                "name": "Status",
                "value": "Infinite"
              }
            ],
            "repeated": 0,
            "id": 5220
          },
          {
            "timestamp": "2026-05-28 22:02:26,104",
            "thread_id": "11004",
            "caller": "0x7ff66cac4c88",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002bc"
              }
            ],
            "repeated": 0,
            "id": 5221
          },
          {
            "timestamp": "2026-05-28 22:02:26,104",
            "thread_id": "11004",
            "caller": "0x7ffc7571ebae",
            "parentcaller": "0x7ffc1fc09d18",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "0",
                "pretty_value": "ThreadBasicInformation"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x03\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00`\\xbf\\xf7\\xb8\\x00\\x00\\x00\\xe0)\\x00\\x00\\x00\\x00\\x00\\x00\\xfc*\\x00\\x00\\x00\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\t\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "11004"
              }
            ],
            "repeated": 0,
            "id": 5222
          },
          {
            "timestamp": "2026-05-28 22:02:26,104",
            "thread_id": "11004",
            "caller": "0x7ff66cac4c88",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002b8"
              }
            ],
            "repeated": 0,
            "id": 5223
          },
          {
            "timestamp": "2026-05-28 22:02:26,104",
            "thread_id": "11004",
            "caller": "0x7ffc7802467e",
            "parentcaller": "0x7ffc7604734d",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "12"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "11004"
              }
            ],
            "repeated": 0,
            "id": 5224
          },
          {
            "timestamp": "2026-05-28 22:02:26,104",
            "thread_id": "11004",
            "caller": "0x7ffc7802469e",
            "parentcaller": "0x7ffc7604734d",
            "category": "threading",
            "api": "NtTerminateThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0x00000000"
              },
              {
                "name": "ExitStatus",
                "value": "0x00000000"
              },
              {
                "name": "ThreadId",
                "value": "0"
              },
              {
                "name": "ProcessId",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 5225
          },
          {
            "timestamp": "2026-05-28 22:02:26,104",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0x00000254"
              },
              {
                "name": "ThreadInformationClass",
                "value": "0",
                "pretty_value": "ThreadBasicInformation"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xe0)\\x00\\x00\\x00\\x00\\x00\\x00\\xfc*\\x00\\x00\\x00\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\t\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "11004"
              }
            ],
            "repeated": 0,
            "id": 5226
          },
          {
            "timestamp": "2026-05-28 22:02:26,104",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000254"
              },
              {
                "name": "Milliseconds",
                "value": "18446744073709551615"
              },
              {
                "name": "Status",
                "value": "Infinite"
              }
            ],
            "repeated": 0,
            "id": 5227
          },
          {
            "timestamp": "2026-05-28 22:02:26,104",
            "thread_id": "10724",
            "caller": "0x7ff66caab649",
            "parentcaller": "0x7ff66cb64f22",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000254"
              }
            ],
            "repeated": 0,
            "id": 5228
          },
          {
            "timestamp": "2026-05-28 22:02:26,104",
            "thread_id": "10724",
            "caller": "0x7ff66cac4c88",
            "parentcaller": "0x7ff66caab649",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000250"
              }
            ],
            "repeated": 0,
            "id": 5229
          },
          {
            "timestamp": "2026-05-28 22:02:26,104",
            "thread_id": "10724",
            "caller": "0x7ff66cac4c88",
            "parentcaller": "0x7ff66caab649",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000024c"
              }
            ],
            "repeated": 0,
            "id": 5230
          },
          {
            "timestamp": "2026-05-28 22:02:26,104",
            "thread_id": "10724",
            "caller": "0x7ff66cac4c88",
            "parentcaller": "0x7ff66caab649",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000248"
              }
            ],
            "repeated": 0,
            "id": 5231
          },
          {
            "timestamp": "2026-05-28 22:02:26,104",
            "thread_id": "10724",
            "caller": "0x7ff66caab65c",
            "parentcaller": "0x7ff66cb64f22",
            "category": "process",
            "api": "NtTerminateProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "ExitCode",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 5232
          }
        ],
        "threads": [
          "10724",
          "10844",
          "10840",
          "10836",
          "10832",
          "11000",
          "11004",
          "11008",
          "11012",
          "11020",
          "11024",
          "11028",
          "11032",
          "10808",
          "11120",
          "11124",
          "11128",
          "11132",
          "11136",
          "11140",
          "11156",
          "11168"
        ],
        "environ": {
          "UserName": "admin",
          "ComputerName": "JOHNS-PC",
          "WindowsPath": "C:\\Windows",
          "TempPath": "C:\\Users\\admin\\AppData\\Local\\Temp\\",
          "CommandLine": "\"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\148.0.3967.83\\identity_helper.exe\" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=windows_package_identity --skip-read-main-dll --metrics-shmem-handle=5988,i,16463646965434194640,9756354988950792942,524288 --field-trial-handle=2464,i,11618049249894349634,12934656804764563957,262144 --variations-seed-version --pseudonymization-salt-handle=2472,i,15884246703223372676,9125995165493510780,4 --trace-process-track-uuid=3190708994745248135 --mojo-platform-channel-handle=6004 /prefetch:8",
          "RegisteredOwner": "",
          "RegisteredOrganization": "",
          "ProductName": "",
          "SystemVolumeSerialNumber": "12bc-0026",
          "SystemVolumeGUID": "528c102f-0000-0000-0000-300300000000",
          "MachineGUID": "",
          "MainExeBase": "0x7ff66ca90000",
          "MainExeSize": "0x0028c000",
          "Bitness": "64-bit"
        },
        "file_activities": {
          "read_files": [],
          "write_files": [],
          "delete_files": []
        }
      },
      {
        "process_id": 9716,
        "process_name": "dllhost.exe",
        "parent_id": 740,
        "module_path": "C:\\Windows\\System32\\dllhost.exe",
        "first_seen": "2026-05-28 22:03:01,019",
        "calls": [
          {
            "timestamp": "2026-05-28 22:03:01,598",
            "thread_id": "9720",
            "caller": "0x7ffc7804507d",
            "parentcaller": "0x7ffc78044c43",
            "category": "threading",
            "api": "NtTestAlert",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 0
          },
          {
            "timestamp": "2026-05-28 22:03:01,598",
            "thread_id": "9720",
            "caller": "0x00000000",
            "parentcaller": "0x00000000",
            "category": "threading",
            "api": "RtlUserThreadStart",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "StartAddress",
                "value": "0x7ff699df14e0"
              },
              {
                "name": "Parameter",
                "value": "0x9b1b155000"
              }
            ],
            "repeated": 0,
            "id": 1
          },
          {
            "timestamp": "2026-05-28 22:03:01,598",
            "thread_id": "11128",
            "caller": "0x7ffc7802eb32",
            "parentcaller": "0x7ffc77fe77c3",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000038"
              },
              {
                "name": "Milliseconds",
                "value": "18446744073709551615"
              },
              {
                "name": "Status",
                "value": "Infinite"
              }
            ],
            "repeated": 3,
            "id": 2
          },
          {
            "timestamp": "2026-05-28 22:03:01,598",
            "thread_id": "9948",
            "caller": "0x7ffc7804507d",
            "parentcaller": "0x7ffc78044c43",
            "category": "threading",
            "api": "NtTestAlert",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 3
          },
          {
            "timestamp": "2026-05-28 22:03:01,598",
            "thread_id": "9948",
            "caller": "0x00000000",
            "parentcaller": "0x00000000",
            "category": "threading",
            "api": "RtlUserThreadStart",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "StartAddress",
                "value": "0x7ffc33bb1ed0"
              },
              {
                "name": "Parameter",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 4
          },
          {
            "timestamp": "2026-05-28 22:03:01,598",
            "thread_id": "11128",
            "caller": "0x7ffc7804507d",
            "parentcaller": "0x7ffc78044c43",
            "category": "threading",
            "api": "NtTestAlert",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 5
          },
          {
            "timestamp": "2026-05-28 22:03:01,598",
            "thread_id": "11128",
            "caller": "0x00000000",
            "parentcaller": "0x00000000",
            "category": "threading",
            "api": "RtlUserThreadStart",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "StartAddress",
                "value": "0x7ffc33bb2030"
              },
              {
                "name": "Parameter",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 6
          },
          {
            "timestamp": "2026-05-28 22:03:01,598",
            "thread_id": "11028",
            "caller": "0x7ffc7804507d",
            "parentcaller": "0x7ffc78044c43",
            "category": "threading",
            "api": "NtTestAlert",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 7
          },
          {
            "timestamp": "2026-05-28 22:03:01,598",
            "thread_id": "11028",
            "caller": "0x00000000",
            "parentcaller": "0x00000000",
            "category": "threading",
            "api": "RtlUserThreadStart",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "StartAddress",
                "value": "0x7ffc33bb1e10"
              },
              {
                "name": "Parameter",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 8
          },
          {
            "timestamp": "2026-05-28 22:03:01,598",
            "thread_id": "10576",
            "caller": "0x7ffc77fde715",
            "parentcaller": "0x7ffc77fde37b",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x1f324e68000"
              },
              {
                "name": "RegionSize",
                "value": "0x00002000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 9
          },
          {
            "timestamp": "2026-05-28 22:03:01,598",
            "thread_id": "10576",
            "caller": "0x7ffc7804507d",
            "parentcaller": "0x7ffc78044c43",
            "category": "threading",
            "api": "NtTestAlert",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 10
          },
          {
            "timestamp": "2026-05-28 22:03:01,598",
            "thread_id": "10576",
            "caller": "0x00000000",
            "parentcaller": "0x00000000",
            "category": "threading",
            "api": "RtlUserThreadStart",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "StartAddress",
                "value": "0x7ffc33bb1a00"
              },
              {
                "name": "Parameter",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 11
          },
          {
            "timestamp": "2026-05-28 22:03:01,676",
            "thread_id": "9720",
            "caller": "0x7ff699df1349",
            "parentcaller": "0x7ff699df13dc",
            "category": "hooking",
            "api": "SetUnhandledExceptionFilter",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ExceptionFilter",
                "value": "0x7ff699df1b60"
              }
            ],
            "repeated": 0,
            "id": 12
          },
          {
            "timestamp": "2026-05-28 22:03:01,676",
            "thread_id": "9720",
            "caller": "0x7ff699df1153",
            "parentcaller": "0x7ff699df1466",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": false,
            "return": "0xffffffffc0000135",
            "pretty_return": "DLL_NOT_FOUND",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\system32\\rpcss.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x00000206"
              }
            ],
            "repeated": 0,
            "id": 13
          },
          {
            "timestamp": "2026-05-28 22:03:01,676",
            "thread_id": "9720",
            "caller": "0x7ff699df1153",
            "parentcaller": "0x7ff699df1466",
            "category": "misc",
            "api": "NtQuerySystemInformation",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SystemInformationClass",
                "value": "0",
                "pretty_value": "FILE_SUPERSEDE"
              }
            ],
            "repeated": 0,
            "id": 14
          },
          {
            "timestamp": "2026-05-28 22:03:01,676",
            "thread_id": "9720",
            "caller": "0x7ff699df1153",
            "parentcaller": "0x7ff699df1466",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "93"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x7f7\\x9e}"
              }
            ],
            "repeated": 0,
            "id": 15
          },
          {
            "timestamp": "2026-05-28 22:03:01,676",
            "thread_id": "9720",
            "caller": "0x7ff699df1153",
            "parentcaller": "0x7ff699df1466",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "42"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "9720"
              }
            ],
            "repeated": 0,
            "id": 16
          },
          {
            "timestamp": "2026-05-28 22:03:01,676",
            "thread_id": "9720",
            "caller": "0x7ff699df1153",
            "parentcaller": "0x7ff699df1466",
            "category": "process",
            "api": "NtOpenSection",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0000000d"
              },
              {
                "name": "ObjectAttributes",
                "value": "kernel.appcore.dll"
              }
            ],
            "repeated": 0,
            "id": 17
          },
          {
            "timestamp": "2026-05-28 22:03:01,676",
            "thread_id": "9720",
            "caller": "0x7ff699df1153",
            "parentcaller": "0x7ff699df1466",
            "category": "filesystem",
            "api": "NtQueryAttributesFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\kernel.appcore.dll"
              }
            ],
            "repeated": 0,
            "id": 18
          },
          {
            "timestamp": "2026-05-28 22:03:01,676",
            "thread_id": "9720",
            "caller": "0x7ff699df1153",
            "parentcaller": "0x7ff699df1466",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000200"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100021",
                "pretty_value": "FILE_READ_ACCESS|FILE_EXECUTE|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\kernel.appcore.dll"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 19
          },
          {
            "timestamp": "2026-05-28 22:03:01,676",
            "thread_id": "9720",
            "caller": "0x7ff699df1153",
            "parentcaller": "0x7ff699df1466",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x000001fc"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0000000d",
                "pretty_value": "SECTION_QUERY|SECTION_MAP_READ|SECTION_MAP_EXECUTE"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x00000200"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\kernel.appcore.dll"
              }
            ],
            "repeated": 0,
            "id": 20
          },
          {
            "timestamp": "2026-05-28 22:03:01,676",
            "thread_id": "9720",
            "caller": "0x7ff699df1153",
            "parentcaller": "0x7ff699df1466",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x000001fc"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc734b0000"
              },
              {
                "name": "SectionOffset",
                "value": "0x00000000"
              },
              {
                "name": "ViewSize",
                "value": "0x00012000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000080",
                "pretty_value": "PAGE_EXECUTE_WRITECOPY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 21
          },
          {
            "timestamp": "2026-05-28 22:03:01,676",
            "thread_id": "9720",
            "caller": "0x7ff699df1153",
            "parentcaller": "0x7ff699df1466",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc734bf000"
              },
              {
                "name": "ModuleName",
                "value": "kernel.appcore.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 22
          },
          {
            "timestamp": "2026-05-28 22:03:01,676",
            "thread_id": "9720",
            "caller": "0x7ff699df1153",
            "parentcaller": "0x7ff699df1466",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc734b5000"
              },
              {
                "name": "ModuleName",
                "value": "kernel.appcore.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 23
          },
          {
            "timestamp": "2026-05-28 22:03:01,676",
            "thread_id": "9720",
            "caller": "0x7ff699df1153",
            "parentcaller": "0x7ff699df1466",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc734b5000"
              },
              {
                "name": "ModuleName",
                "value": "kernel.appcore.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 24
          },
          {
            "timestamp": "2026-05-28 22:03:01,676",
            "thread_id": "9720",
            "caller": "0x7ff699df1153",
            "parentcaller": "0x7ff699df1466",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc734b5000"
              },
              {
                "name": "ModuleName",
                "value": "kernel.appcore.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 25
          },
          {
            "timestamp": "2026-05-28 22:03:01,676",
            "thread_id": "9720",
            "caller": "0x7ff699df1153",
            "parentcaller": "0x7ff699df1466",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc734b5000"
              },
              {
                "name": "ModuleName",
                "value": "kernel.appcore.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 26
          },
          {
            "timestamp": "2026-05-28 22:03:01,676",
            "thread_id": "9720",
            "caller": "0x7ff699df1153",
            "parentcaller": "0x7ff699df1466",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc734b5000"
              },
              {
                "name": "ModuleName",
                "value": "kernel.appcore.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 27
          },
          {
            "timestamp": "2026-05-28 22:03:01,676",
            "thread_id": "9720",
            "caller": "0x7ff699df1153",
            "parentcaller": "0x7ff699df1466",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000001fc"
              }
            ],
            "repeated": 0,
            "id": 28
          },
          {
            "timestamp": "2026-05-28 22:03:01,676",
            "thread_id": "9720",
            "caller": "0x7ff699df1153",
            "parentcaller": "0x7ff699df1466",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000200"
              }
            ],
            "repeated": 0,
            "id": 29
          },
          {
            "timestamp": "2026-05-28 22:03:01,676",
            "thread_id": "9720",
            "caller": "0x7ff699df1153",
            "parentcaller": "0x7ff699df1466",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc734b5000"
              },
              {
                "name": "ModuleName",
                "value": "kernel.appcore.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 30
          },
          {
            "timestamp": "2026-05-28 22:03:01,676",
            "thread_id": "9720",
            "caller": "0x7ff699df1153",
            "parentcaller": "0x7ff699df1466",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\SYSTEM32\\kernel.appcore"
              },
              {
                "name": "DllBase",
                "value": "0x7ffc734b0000"
              }
            ],
            "repeated": 0,
            "id": 31
          },
          {
            "timestamp": "2026-05-28 22:03:01,707",
            "thread_id": "9720",
            "caller": "0x7ff699df1153",
            "parentcaller": "0x7ff699df1466",
            "category": "system",
            "api": "LdrpCallInitRoutine",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "MappedPath",
                "value": "\\Device\\HarddiskVolume2\\Windows\\System32\\kernel.appcore"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc734b0000"
              },
              {
                "name": "InitRoutine",
                "value": "0x7ffc734b3f10"
              },
              {
                "name": "Reason",
                "value": "1"
              }
            ],
            "repeated": 0,
            "id": 32
          },
          {
            "timestamp": "2026-05-28 22:03:01,707",
            "thread_id": "9720",
            "caller": "0x7ff699df1153",
            "parentcaller": "0x7ff699df1466",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc77ea1000"
              },
              {
                "name": "ModuleName",
                "value": "combase.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 33
          },
          {
            "timestamp": "2026-05-28 22:03:01,707",
            "thread_id": "9720",
            "caller": "0x7ff699df1153",
            "parentcaller": "0x7ff699df1466",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc77ea1000"
              },
              {
                "name": "ModuleName",
                "value": "combase.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 34
          },
          {
            "timestamp": "2026-05-28 22:03:01,707",
            "thread_id": "9720",
            "caller": "0x7ff699df1153",
            "parentcaller": "0x7ff699df1466",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "93"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x7f7\\x9e}"
              }
            ],
            "repeated": 0,
            "id": 35
          },
          {
            "timestamp": "2026-05-28 22:03:01,707",
            "thread_id": "9720",
            "caller": "0x7ff699df1153",
            "parentcaller": "0x7ff699df1466",
            "category": "process",
            "api": "NtOpenSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x000001fc"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0000000d"
              },
              {
                "name": "ObjectAttributes",
                "value": "bcryptPrimitives.dll"
              }
            ],
            "repeated": 0,
            "id": 36
          },
          {
            "timestamp": "2026-05-28 22:03:01,707",
            "thread_id": "9720",
            "caller": "0x7ff699df1153",
            "parentcaller": "0x7ff699df1466",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x000001fc"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc75fa0000"
              },
              {
                "name": "SectionOffset",
                "value": "0x00000000"
              },
              {
                "name": "ViewSize",
                "value": "0x00082000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000080",
                "pretty_value": "PAGE_EXECUTE_WRITECOPY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 37
          },
          {
            "timestamp": "2026-05-28 22:03:01,707",
            "thread_id": "9720",
            "caller": "0x7ff699df1153",
            "parentcaller": "0x7ff699df1466",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76007000"
              },
              {
                "name": "ModuleName",
                "value": "bcryptPrimitives.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 38
          },
          {
            "timestamp": "2026-05-28 22:03:01,707",
            "thread_id": "9720",
            "caller": "0x7ff699df1153",
            "parentcaller": "0x7ff699df1466",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76007000"
              },
              {
                "name": "ModuleName",
                "value": "bcryptPrimitives.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 39
          },
          {
            "timestamp": "2026-05-28 22:03:01,707",
            "thread_id": "9720",
            "caller": "0x7ff699df1153",
            "parentcaller": "0x7ff699df1466",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76007000"
              },
              {
                "name": "ModuleName",
                "value": "bcryptPrimitives.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 40
          },
          {
            "timestamp": "2026-05-28 22:03:01,707",
            "thread_id": "9720",
            "caller": "0x7ff699df1153",
            "parentcaller": "0x7ff699df1466",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76007000"
              },
              {
                "name": "ModuleName",
                "value": "bcryptPrimitives.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 41
          },
          {
            "timestamp": "2026-05-28 22:03:01,707",
            "thread_id": "9720",
            "caller": "0x7ff699df1153",
            "parentcaller": "0x7ff699df1466",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76007000"
              },
              {
                "name": "ModuleName",
                "value": "bcryptPrimitives.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 42
          },
          {
            "timestamp": "2026-05-28 22:03:01,707",
            "thread_id": "9720",
            "caller": "0x7ff699df1153",
            "parentcaller": "0x7ff699df1466",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000001fc"
              }
            ],
            "repeated": 0,
            "id": 43
          },
          {
            "timestamp": "2026-05-28 22:03:01,707",
            "thread_id": "9720",
            "caller": "0x7ff699df1153",
            "parentcaller": "0x7ff699df1466",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76007000"
              },
              {
                "name": "ModuleName",
                "value": "bcryptPrimitives.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 44
          },
          {
            "timestamp": "2026-05-28 22:03:01,707",
            "thread_id": "9720",
            "caller": "0x7ff699df1153",
            "parentcaller": "0x7ff699df1466",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\System32\\bcryptPrimitives"
              },
              {
                "name": "DllBase",
                "value": "0x7ffc75fa0000"
              }
            ],
            "repeated": 0,
            "id": 45
          },
          {
            "timestamp": "2026-05-28 22:03:01,769",
            "thread_id": "9720",
            "caller": "0x7ff699df1153",
            "parentcaller": "0x7ff699df1466",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000210"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\System\\CurrentControlSet\\Control\\Lsa\\FipsAlgorithmPolicy"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Lsa\\FipsAlgorithmPolicy"
              }
            ],
            "repeated": 0,
            "id": 46
          },
          {
            "timestamp": "2026-05-28 22:03:01,769",
            "thread_id": "9720",
            "caller": "0x7ff699df1153",
            "parentcaller": "0x7ff699df1466",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000210"
              },
              {
                "name": "ValueName",
                "value": "STE"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\FipsAlgorithmPolicy\\STE"
              }
            ],
            "repeated": 0,
            "id": 47
          },
          {
            "timestamp": "2026-05-28 22:03:01,769",
            "thread_id": "9720",
            "caller": "0x7ff699df1153",
            "parentcaller": "0x7ff699df1466",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000210"
              }
            ],
            "repeated": 0,
            "id": 48
          },
          {
            "timestamp": "2026-05-28 22:03:01,769",
            "thread_id": "9720",
            "caller": "0x7ff699df1153",
            "parentcaller": "0x7ff699df1466",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000210"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\System\\CurrentControlSet\\Control\\Lsa\\FipsAlgorithmPolicy"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Lsa\\FipsAlgorithmPolicy"
              }
            ],
            "repeated": 0,
            "id": 49
          },
          {
            "timestamp": "2026-05-28 22:03:01,769",
            "thread_id": "9720",
            "caller": "0x7ff699df1153",
            "parentcaller": "0x7ff699df1466",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000210"
              },
              {
                "name": "ValueName",
                "value": "Enabled"
              },
              {
                "name": "Type",
                "value": "4",
                "pretty_value": "REG_DWORD"
              },
              {
                "name": "Information",
                "value": "0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\FipsAlgorithmPolicy\\Enabled"
              }
            ],
            "repeated": 0,
            "id": 50
          },
          {
            "timestamp": "2026-05-28 22:03:01,769",
            "thread_id": "9720",
            "caller": "0x7ff699df1153",
            "parentcaller": "0x7ff699df1466",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000214"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\System\\CurrentControlSet\\Control\\Lsa"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Lsa"
              }
            ],
            "repeated": 0,
            "id": 51
          },
          {
            "timestamp": "2026-05-28 22:03:01,769",
            "thread_id": "9720",
            "caller": "0x7ff699df1153",
            "parentcaller": "0x7ff699df1466",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000214"
              },
              {
                "name": "ValueName",
                "value": "FipsAlgorithmPolicy"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\FipsAlgorithmPolicy"
              }
            ],
            "repeated": 0,
            "id": 52
          },
          {
            "timestamp": "2026-05-28 22:03:01,769",
            "thread_id": "9720",
            "caller": "0x7ff699df1153",
            "parentcaller": "0x7ff699df1466",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000210"
              },
              {
                "name": "ValueName",
                "value": "MDMEnabled"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\FipsAlgorithmPolicy\\MDMEnabled"
              }
            ],
            "repeated": 0,
            "id": 53
          },
          {
            "timestamp": "2026-05-28 22:03:01,769",
            "thread_id": "9720",
            "caller": "0x7ff699df1153",
            "parentcaller": "0x7ff699df1466",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000210"
              }
            ],
            "repeated": 0,
            "id": 54
          },
          {
            "timestamp": "2026-05-28 22:03:01,769",
            "thread_id": "9720",
            "caller": "0x7ff699df1153",
            "parentcaller": "0x7ff699df1466",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000214"
              }
            ],
            "repeated": 0,
            "id": 55
          },
          {
            "timestamp": "2026-05-28 22:03:01,769",
            "thread_id": "9720",
            "caller": "0x7ff699df1153",
            "parentcaller": "0x7ff699df1466",
            "category": "registry",
            "api": "NtOpenKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\SYSTEM\\CurrentControlSet\\Policies\\Microsoft\\Cryptography\\Configuration"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Policies\\Microsoft\\Cryptography\\Configuration"
              }
            ],
            "repeated": 0,
            "id": 56
          },
          {
            "timestamp": "2026-05-28 22:03:01,769",
            "thread_id": "9720",
            "caller": "0x7ff699df1153",
            "parentcaller": "0x7ff699df1466",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000214"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100001",
                "pretty_value": "FILE_READ_ACCESS|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "\\Device\\CNG"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 57
          },
          {
            "timestamp": "2026-05-28 22:03:01,769",
            "thread_id": "9720",
            "caller": "0x7ff699df1153",
            "parentcaller": "0x7ff699df1466",
            "category": "device",
            "api": "DeviceIoControl",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "DeviceHandle",
                "value": "0x00000214"
              },
              {
                "name": "IoControlCode",
                "value": "0x00390008",
                "pretty_value": "IOCTL_KSEC_RANDOM_FILL_BUFFER"
              },
              {
                "name": "InBuffer",
                "value": ""
              },
              {
                "name": "OutBuffer",
                "value": "\\wn\\xc8\\xe2\\xc3\\xd7\\x8d\\xef\\x14\\xc1\\x9a\\xf2s\\x84\\xabgV;\\xc0\\xe1\\xb5\\xaf\\xabr\\x9b\\xe1$\\xb8\\xe3\\x06lh\\xba\\x87\\xd3|7\\x91\\xa9\\x0b\\xaf\\x0e\\x16\\xf7Qr\\x9b"
              }
            ],
            "repeated": 0,
            "id": 58
          },
          {
            "timestamp": "2026-05-28 22:03:01,769",
            "thread_id": "9720",
            "caller": "0x7ff699df1153",
            "parentcaller": "0x7ff699df1466",
            "category": "system",
            "api": "LdrpCallInitRoutine",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "MappedPath",
                "value": "\\Device\\HarddiskVolume2\\Windows\\System32\\bcryptprimitives"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc75fa0000"
              },
              {
                "name": "InitRoutine",
                "value": "0x7ffc75fd8b60"
              },
              {
                "name": "Reason",
                "value": "1"
              }
            ],
            "repeated": 0,
            "id": 59
          },
          {
            "timestamp": "2026-05-28 22:03:01,769",
            "thread_id": "9720",
            "caller": "0x7ff699df1153",
            "parentcaller": "0x7ff699df1466",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc771be000"
              },
              {
                "name": "ModuleName",
                "value": "RPCRT4.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 60
          },
          {
            "timestamp": "2026-05-28 22:03:01,769",
            "thread_id": "9720",
            "caller": "0x7ff699df1153",
            "parentcaller": "0x7ff699df1466",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc771be000"
              },
              {
                "name": "ModuleName",
                "value": "RPCRT4.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 61
          },
          {
            "timestamp": "2026-05-28 22:03:01,769",
            "thread_id": "9720",
            "caller": "0x7ff699df1153",
            "parentcaller": "0x7ff699df1466",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x1f324e6c000"
              },
              {
                "name": "RegionSize",
                "value": "0x00006000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 62
          },
          {
            "timestamp": "2026-05-28 22:03:01,769",
            "thread_id": "9720",
            "caller": "0x7ff699df116a",
            "parentcaller": "0x7ff699df1466",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "combase.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc77b70000"
              }
            ],
            "repeated": 0,
            "id": 63
          },
          {
            "timestamp": "2026-05-28 22:03:01,769",
            "thread_id": "9720",
            "caller": "0x7ff699df116a",
            "parentcaller": "0x7ff699df1466",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "combase.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc77b70000"
              },
              {
                "name": "FunctionName",
                "value": "CLSIDFromOle1Class"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc77c1f760"
              }
            ],
            "repeated": 0,
            "id": 64
          },
          {
            "timestamp": "2026-05-28 22:03:01,769",
            "thread_id": "9720",
            "caller": "0x7ff699df116a",
            "parentcaller": "0x7ff699df1466",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x0000022c"
              }
            ],
            "repeated": 0,
            "id": 65
          },
          {
            "timestamp": "2026-05-28 22:03:01,769",
            "thread_id": "9720",
            "caller": "0x7ff699df116a",
            "parentcaller": "0x7ff699df1466",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "20"
              },
              {
                "name": "TokenInformation",
                "value": "\\x01\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 66
          },
          {
            "timestamp": "2026-05-28 22:03:01,769",
            "thread_id": "9720",
            "caller": "0x7ff699df116a",
            "parentcaller": "0x7ff699df1466",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "18"
              },
              {
                "name": "TokenInformation",
                "value": "\\x01\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 67
          },
          {
            "timestamp": "2026-05-28 22:03:01,769",
            "thread_id": "9720",
            "caller": "0x7ff699df116a",
            "parentcaller": "0x7ff699df1466",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\x90\\xf2\\xfd\\x1a\\x9b\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xfc\\x7f\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\xe9\\x03\\x00\\x00\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00'\\xc0\\xd93\\xfc\\x7f\\x00\\x00\\xa0\\xbd\\xd93\\xfc\\x7f\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff@\\xf3\\xfd\\x1a\\x9b\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x18\\xc0\\xd93"
              }
            ],
            "repeated": 0,
            "id": 68
          },
          {
            "timestamp": "2026-05-28 22:03:01,769",
            "thread_id": "9720",
            "caller": "0x7ff699df116a",
            "parentcaller": "0x7ff699df1466",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000230"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\User\\S-1-5-21-3968686040-3210279463-847977608-1001_Classes"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes"
              }
            ],
            "repeated": 0,
            "id": 69
          },
          {
            "timestamp": "2026-05-28 22:03:01,769",
            "thread_id": "9720",
            "caller": "0x7ff699df116a",
            "parentcaller": "0x7ff699df1466",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000022c"
              }
            ],
            "repeated": 0,
            "id": 70
          },
          {
            "timestamp": "2026-05-28 22:03:01,769",
            "thread_id": "9720",
            "caller": "0x7ff699df116a",
            "parentcaller": "0x7ff699df1466",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc77fd0000"
              },
              {
                "name": "FunctionName",
                "value": "RtlDllShutdownInProgress"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc78033410"
              }
            ],
            "repeated": 0,
            "id": 71
          },
          {
            "timestamp": "2026-05-28 22:03:01,769",
            "thread_id": "9720",
            "caller": "0x7ff699df116a",
            "parentcaller": "0x7ff699df1466",
            "category": "synchronization",
            "api": "NtCreateMutant",
            "status": true,
            "return": "0x40000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000022c"
              },
              {
                "name": "MutexName",
                "value": "Local\\SM0:9716:304:WilStaging_02"
              },
              {
                "name": "InitialOwner",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 72
          },
          {
            "timestamp": "2026-05-28 22:03:01,769",
            "thread_id": "9720",
            "caller": "0x7ff699df116a",
            "parentcaller": "0x7ff699df1466",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000022c"
              },
              {
                "name": "Milliseconds",
                "value": "18446744073709551615"
              },
              {
                "name": "Status",
                "value": "Infinite"
              }
            ],
            "repeated": 0,
            "id": 73
          },
          {
            "timestamp": "2026-05-28 22:03:01,769",
            "thread_id": "9720",
            "caller": "0x7ff699df116a",
            "parentcaller": "0x7ff699df1466",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 74
          },
          {
            "timestamp": "2026-05-28 22:03:01,769",
            "thread_id": "9720",
            "caller": "0x7ff699df116a",
            "parentcaller": "0x7ff699df1466",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000234"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 75
          },
          {
            "timestamp": "2026-05-28 22:03:01,769",
            "thread_id": "9720",
            "caller": "0x7ff699df116a",
            "parentcaller": "0x7ff699df1466",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 76
          },
          {
            "timestamp": "2026-05-28 22:03:01,769",
            "thread_id": "9720",
            "caller": "0x7ff699df116a",
            "parentcaller": "0x7ff699df1466",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000238"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 77
          },
          {
            "timestamp": "2026-05-28 22:03:01,769",
            "thread_id": "9720",
            "caller": "0x7ff699df116a",
            "parentcaller": "0x7ff699df1466",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000238"
              }
            ],
            "repeated": 0,
            "id": 78
          },
          {
            "timestamp": "2026-05-28 22:03:01,769",
            "thread_id": "9720",
            "caller": "0x7ff699df116a",
            "parentcaller": "0x7ff699df1466",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000234"
              }
            ],
            "repeated": 0,
            "id": 79
          },
          {
            "timestamp": "2026-05-28 22:03:01,769",
            "thread_id": "9720",
            "caller": "0x7ff699df116a",
            "parentcaller": "0x7ff699df1466",
            "category": "synchronization",
            "api": "NtReleaseMutant",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000022c"
              }
            ],
            "repeated": 0,
            "id": 80
          },
          {
            "timestamp": "2026-05-28 22:03:01,769",
            "thread_id": "9720",
            "caller": "0x7ff699df116a",
            "parentcaller": "0x7ff699df1466",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000022c"
              }
            ],
            "repeated": 0,
            "id": 81
          },
          {
            "timestamp": "2026-05-28 22:03:01,769",
            "thread_id": "9720",
            "caller": "0x7ff699df116a",
            "parentcaller": "0x7ff699df1466",
            "category": "process",
            "api": "NtOpenSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x0000022c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000004"
              },
              {
                "name": "ObjectAttributes",
                "value": "Global\\__ComCatalogCache__"
              }
            ],
            "repeated": 0,
            "id": 82
          },
          {
            "timestamp": "2026-05-28 22:03:01,769",
            "thread_id": "9720",
            "caller": "0x7ff699df116a",
            "parentcaller": "0x7ff699df1466",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x0000022c"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x1f326950000"
              },
              {
                "name": "SectionOffset",
                "value": "0x9b1afdf360"
              },
              {
                "name": "ViewSize",
                "value": "0x00001000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 83
          },
          {
            "timestamp": "2026-05-28 22:03:01,769",
            "thread_id": "9720",
            "caller": "0x7ff699df116a",
            "parentcaller": "0x7ff699df1466",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "Software\\Microsoft\\COM3"
              },
              {
                "name": "Handle",
                "value": "0x00000234"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\COM3"
              }
            ],
            "repeated": 0,
            "id": 84
          },
          {
            "timestamp": "2026-05-28 22:03:01,769",
            "thread_id": "9720",
            "caller": "0x7ff699df116a",
            "parentcaller": "0x7ff699df1466",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000234"
              },
              {
                "name": "ValueName",
                "value": "Com+Enabled"
              },
              {
                "name": "Data",
                "value": "1"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\COM3\\Com+Enabled"
              }
            ],
            "repeated": 0,
            "id": 85
          },
          {
            "timestamp": "2026-05-28 22:03:01,769",
            "thread_id": "9720",
            "caller": "0x7ff699df116a",
            "parentcaller": "0x7ff699df1466",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000234"
              }
            ],
            "repeated": 0,
            "id": 86
          },
          {
            "timestamp": "2026-05-28 22:03:01,769",
            "thread_id": "9720",
            "caller": "0x7ff699df116a",
            "parentcaller": "0x7ff699df1466",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "93"
              },
              {
                "name": "ProcessInformation",
                "value": "\\x7f7\\x9e}"
              }
            ],
            "repeated": 0,
            "id": 87
          },
          {
            "timestamp": "2026-05-28 22:03:01,769",
            "thread_id": "9720",
            "caller": "0x7ff699df116a",
            "parentcaller": "0x7ff699df1466",
            "category": "process",
            "api": "NtOpenSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000234"
              },
              {
                "name": "DesiredAccess",
                "value": "0x0000000d"
              },
              {
                "name": "ObjectAttributes",
                "value": "clbcatq.dll"
              }
            ],
            "repeated": 0,
            "id": 88
          },
          {
            "timestamp": "2026-05-28 22:03:01,769",
            "thread_id": "9720",
            "caller": "0x7ff699df116a",
            "parentcaller": "0x7ff699df1466",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000234"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc765f0000"
              },
              {
                "name": "SectionOffset",
                "value": "0x00000000"
              },
              {
                "name": "ViewSize",
                "value": "0x000a9000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000080",
                "pretty_value": "PAGE_EXECUTE_WRITECOPY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 89
          },
          {
            "timestamp": "2026-05-28 22:03:01,785",
            "thread_id": "9720",
            "caller": "0x7ff699df116a",
            "parentcaller": "0x7ff699df1466",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76694000"
              },
              {
                "name": "ModuleName",
                "value": "clbcatq.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 90
          },
          {
            "timestamp": "2026-05-28 22:03:01,785",
            "thread_id": "9720",
            "caller": "0x7ff699df116a",
            "parentcaller": "0x7ff699df1466",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76669000"
              },
              {
                "name": "ModuleName",
                "value": "clbcatq.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 91
          },
          {
            "timestamp": "2026-05-28 22:03:01,785",
            "thread_id": "9720",
            "caller": "0x7ff699df116a",
            "parentcaller": "0x7ff699df1466",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76669000"
              },
              {
                "name": "ModuleName",
                "value": "clbcatq.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 92
          },
          {
            "timestamp": "2026-05-28 22:03:01,785",
            "thread_id": "9720",
            "caller": "0x7ff699df116a",
            "parentcaller": "0x7ff699df1466",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76669000"
              },
              {
                "name": "ModuleName",
                "value": "clbcatq.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 93
          },
          {
            "timestamp": "2026-05-28 22:03:01,785",
            "thread_id": "9720",
            "caller": "0x7ff699df116a",
            "parentcaller": "0x7ff699df1466",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76669000"
              },
              {
                "name": "ModuleName",
                "value": "clbcatq.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 94
          },
          {
            "timestamp": "2026-05-28 22:03:01,785",
            "thread_id": "9720",
            "caller": "0x7ff699df116a",
            "parentcaller": "0x7ff699df1466",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76668000"
              },
              {
                "name": "ModuleName",
                "value": "clbcatq.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00002000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 95
          },
          {
            "timestamp": "2026-05-28 22:03:01,785",
            "thread_id": "9720",
            "caller": "0x7ff699df116a",
            "parentcaller": "0x7ff699df1466",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000234"
              }
            ],
            "repeated": 0,
            "id": 96
          },
          {
            "timestamp": "2026-05-28 22:03:01,785",
            "thread_id": "9720",
            "caller": "0x7ff699df116a",
            "parentcaller": "0x7ff699df1466",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76668000"
              },
              {
                "name": "ModuleName",
                "value": "clbcatq.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00002000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 97
          },
          {
            "timestamp": "2026-05-28 22:03:01,785",
            "thread_id": "9720",
            "caller": "0x7ff699df116a",
            "parentcaller": "0x7ff699df1466",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\System32\\clbcatq"
              },
              {
                "name": "DllBase",
                "value": "0x7ffc765f0000"
              }
            ],
            "repeated": 0,
            "id": 98
          },
          {
            "timestamp": "2026-05-28 22:03:01,848",
            "thread_id": "9720",
            "caller": "0x7ff699df116a",
            "parentcaller": "0x7ff699df1466",
            "category": "synchronization",
            "api": "NtOpenEvent",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000023c"
              },
              {
                "name": "EventName",
                "value": "\\KernelObjects\\MaximumCommitCondition"
              }
            ],
            "repeated": 0,
            "id": 99
          },
          {
            "timestamp": "2026-05-28 22:03:01,848",
            "thread_id": "9720",
            "caller": "0x7ff699df116a",
            "parentcaller": "0x7ff699df1466",
            "category": "system",
            "api": "LdrpCallInitRoutine",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "MappedPath",
                "value": "\\Device\\HarddiskVolume2\\Windows\\System32\\clbcatq"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc765f0000"
              },
              {
                "name": "InitRoutine",
                "value": "0x7ffc7660d990"
              },
              {
                "name": "Reason",
                "value": "1"
              }
            ],
            "repeated": 0,
            "id": 100
          },
          {
            "timestamp": "2026-05-28 22:03:01,848",
            "thread_id": "9720",
            "caller": "0x7ff699df116a",
            "parentcaller": "0x7ff699df1466",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc77ea1000"
              },
              {
                "name": "ModuleName",
                "value": "combase.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 101
          },
          {
            "timestamp": "2026-05-28 22:03:01,848",
            "thread_id": "9720",
            "caller": "0x7ff699df116a",
            "parentcaller": "0x7ff699df1466",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc77ea1000"
              },
              {
                "name": "ModuleName",
                "value": "combase.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 102
          },
          {
            "timestamp": "2026-05-28 22:03:01,848",
            "thread_id": "9720",
            "caller": "0x7ff699df116a",
            "parentcaller": "0x7ff699df1466",
            "category": "process",
            "api": "NtOpenSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000240"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000004"
              },
              {
                "name": "ObjectAttributes",
                "value": "Global\\__ComCatalogCache__"
              }
            ],
            "repeated": 0,
            "id": 103
          },
          {
            "timestamp": "2026-05-28 22:03:01,848",
            "thread_id": "9720",
            "caller": "0x7ff699df116a",
            "parentcaller": "0x7ff699df1466",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000240"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x1f326970000"
              },
              {
                "name": "SectionOffset",
                "value": "0x9b1afdf0b0"
              },
              {
                "name": "ViewSize",
                "value": "0x00001000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 104
          },
          {
            "timestamp": "2026-05-28 22:03:01,848",
            "thread_id": "9720",
            "caller": "0x7ff699df116a",
            "parentcaller": "0x7ff699df1466",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000232"
              },
              {
                "name": "SubKey",
                "value": "AppID\\{338B40F9-9D68-4B53-A793-6B9AA0C5F63B}"
              },
              {
                "name": "Handle",
                "value": "0x00000246"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\AppID\\{338B40F9-9D68-4B53-A793-6B9AA0C5F63B}"
              }
            ],
            "repeated": 0,
            "id": 105
          },
          {
            "timestamp": "2026-05-28 22:03:01,848",
            "thread_id": "9720",
            "caller": "0x7ff699df116a",
            "parentcaller": "0x7ff699df1466",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000246"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\AppID\\{338B40F9-9D68-4B53-A793-6B9AA0C5F63B}"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 106
          },
          {
            "timestamp": "2026-05-28 22:03:01,848",
            "thread_id": "9720",
            "caller": "0x7ff699df116a",
            "parentcaller": "0x7ff699df1466",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000246"
              },
              {
                "name": "ValueName",
                "value": ""
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\AppID\\{338B40F9-9D68-4B53-A793-6B9AA0C5F63B}\\(Default)"
              }
            ],
            "repeated": 0,
            "id": 107
          },
          {
            "timestamp": "2026-05-28 22:03:01,848",
            "thread_id": "9720",
            "caller": "0x7ff699df116a",
            "parentcaller": "0x7ff699df1466",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000246"
              },
              {
                "name": "ValueName",
                "value": ""
              },
              {
                "name": "Data",
                "value": "Delivery Optimization User"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\AppID\\{338B40F9-9D68-4B53-A793-6B9AA0C5F63B}\\(Default)"
              }
            ],
            "repeated": 0,
            "id": 108
          },
          {
            "timestamp": "2026-05-28 22:03:01,848",
            "thread_id": "9720",
            "caller": "0x7ff699df116a",
            "parentcaller": "0x7ff699df1466",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000246"
              },
              {
                "name": "ValueName",
                "value": "LocalService"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\AppID\\{338B40F9-9D68-4B53-A793-6B9AA0C5F63B}\\LocalService"
              }
            ],
            "repeated": 0,
            "id": 109
          },
          {
            "timestamp": "2026-05-28 22:03:01,848",
            "thread_id": "9720",
            "caller": "0x7ff699df116a",
            "parentcaller": "0x7ff699df1466",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000246"
              },
              {
                "name": "ValueName",
                "value": "DllSurrogate"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\AppID\\{338B40F9-9D68-4B53-A793-6B9AA0C5F63B}\\DllSurrogate"
              }
            ],
            "repeated": 0,
            "id": 110
          },
          {
            "timestamp": "2026-05-28 22:03:01,848",
            "thread_id": "9720",
            "caller": "0x7ff699df116a",
            "parentcaller": "0x7ff699df1466",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000246"
              },
              {
                "name": "ValueName",
                "value": "DllSurrogate"
              },
              {
                "name": "Data",
                "value": ""
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\AppID\\{338B40F9-9D68-4B53-A793-6B9AA0C5F63B}\\DllSurrogate"
              }
            ],
            "repeated": 0,
            "id": 111
          },
          {
            "timestamp": "2026-05-28 22:03:01,848",
            "thread_id": "9720",
            "caller": "0x7ff699df116a",
            "parentcaller": "0x7ff699df1466",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000246"
              },
              {
                "name": "ValueName",
                "value": "RunAs"
              },
              {
                "name": "Data",
                "value": "Interactive User"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\AppID\\{338B40F9-9D68-4B53-A793-6B9AA0C5F63B}\\RunAs"
              }
            ],
            "repeated": 0,
            "id": 112
          },
          {
            "timestamp": "2026-05-28 22:03:01,848",
            "thread_id": "9720",
            "caller": "0x7ff699df116a",
            "parentcaller": "0x7ff699df1466",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000246"
              },
              {
                "name": "ValueName",
                "value": "ActivateAtStorage"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\AppID\\{338B40F9-9D68-4B53-A793-6B9AA0C5F63B}\\ActivateAtStorage"
              }
            ],
            "repeated": 0,
            "id": 113
          },
          {
            "timestamp": "2026-05-28 22:03:01,848",
            "thread_id": "9720",
            "caller": "0x7ff699df116a",
            "parentcaller": "0x7ff699df1466",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000232"
              },
              {
                "name": "SubKey",
                "value": "AppID\\{338B40F9-9D68-4B53-A793-6B9AA0C5F63B}"
              },
              {
                "name": "Handle",
                "value": "0x0000024a"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\AppID\\{338B40F9-9D68-4B53-A793-6B9AA0C5F63B}"
              }
            ],
            "repeated": 0,
            "id": 114
          },
          {
            "timestamp": "2026-05-28 22:03:01,848",
            "thread_id": "9720",
            "caller": "0x7ff699df116a",
            "parentcaller": "0x7ff699df1466",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000024a"
              },
              {
                "name": "ValueName",
                "value": "ROTFlags"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\AppID\\{338B40F9-9D68-4B53-A793-6B9AA0C5F63B}\\ROTFlags"
              }
            ],
            "repeated": 0,
            "id": 115
          },
          {
            "timestamp": "2026-05-28 22:03:01,848",
            "thread_id": "9720",
            "caller": "0x7ff699df116a",
            "parentcaller": "0x7ff699df1466",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000024a"
              },
              {
                "name": "ValueName",
                "value": "AppIDFlags"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\AppID\\{338B40F9-9D68-4B53-A793-6B9AA0C5F63B}\\AppIDFlags"
              }
            ],
            "repeated": 0,
            "id": 116
          },
          {
            "timestamp": "2026-05-28 22:03:01,848",
            "thread_id": "9720",
            "caller": "0x7ff699df116a",
            "parentcaller": "0x7ff699df1466",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000024a"
              },
              {
                "name": "ValueName",
                "value": "MGOTFlags"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\AppID\\{338B40F9-9D68-4B53-A793-6B9AA0C5F63B}\\MGOTFlags"
              }
            ],
            "repeated": 0,
            "id": 117
          },
          {
            "timestamp": "2026-05-28 22:03:01,848",
            "thread_id": "9720",
            "caller": "0x7ff699df116a",
            "parentcaller": "0x7ff699df1466",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000024a"
              },
              {
                "name": "ValueName",
                "value": "ProcessMitigationPolicy"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\AppID\\{338B40F9-9D68-4B53-A793-6B9AA0C5F63B}\\ProcessMitigationPolicy"
              }
            ],
            "repeated": 0,
            "id": 118
          },
          {
            "timestamp": "2026-05-28 22:03:01,848",
            "thread_id": "9720",
            "caller": "0x7ff699df116a",
            "parentcaller": "0x7ff699df1466",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000024a"
              }
            ],
            "repeated": 0,
            "id": 119
          },
          {
            "timestamp": "2026-05-28 22:03:01,848",
            "thread_id": "9720",
            "caller": "0x7ff699df116a",
            "parentcaller": "0x7ff699df1466",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000246"
              },
              {
                "name": "ValueName",
                "value": "LaunchPermission"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\AppID\\{338B40F9-9D68-4B53-A793-6B9AA0C5F63B}\\LaunchPermission"
              }
            ],
            "repeated": 0,
            "id": 120
          },
          {
            "timestamp": "2026-05-28 22:03:01,848",
            "thread_id": "9720",
            "caller": "0x7ff699df116a",
            "parentcaller": "0x7ff699df1466",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000246"
              },
              {
                "name": "ValueName",
                "value": "LaunchPermission"
              },
              {
                "name": "Data",
                "value": "\\x01\\x00\\x04\\x80`\\x00\\x00\\x00p\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x14\\x00\\x00\\x00\\x02\\x00L\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x14\\x00\\x0b\\x00\\x00\\x00\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x05\\x12\\x00\\x00\\x00\\x00\\x00\\x18\\x00\\x0b\\x00\\x00\\x00\\x01\\x02\\x00\\x00\\x00\\x00\\x00\\x05 \\x00\\x00\\x00 \\x02\\x00\\x00\\x00\\x00\\x18\\x00\\x0b\\x00\\x00\\x00\\x01\\x02\\x00\\x00\\x00\\x00\\x00\\x05 \\x00\\x00\\x00!\\x02\\x00\\x00\\x01\\x02\\x00\\x00\\x00\\x00\\x00\\x05 \\x00\\x00\\x00 \\x02\\x00\\x00\\x01\\x02\\x00\\x00\\x00\\x00\\x00\\x05 \\x00\\x00\\x00 \\x02\\x00\\x00"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\AppID\\{338B40F9-9D68-4B53-A793-6B9AA0C5F63B}\\LaunchPermission"
              }
            ],
            "repeated": 0,
            "id": 121
          },
          {
            "timestamp": "2026-05-28 22:03:01,848",
            "thread_id": "9720",
            "caller": "0x7ff699df116a",
            "parentcaller": "0x7ff699df1466",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "Software\\Microsoft\\OLE"
              },
              {
                "name": "Handle",
                "value": "0x00000248"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\OLE"
              }
            ],
            "repeated": 0,
            "id": 122
          },
          {
            "timestamp": "2026-05-28 22:03:01,848",
            "thread_id": "9720",
            "caller": "0x7ff699df116a",
            "parentcaller": "0x7ff699df1466",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000248"
              },
              {
                "name": "ValueName",
                "value": "LegacyAuthenticationLevel"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Ole\\LegacyAuthenticationLevel"
              }
            ],
            "repeated": 0,
            "id": 123
          },
          {
            "timestamp": "2026-05-28 22:03:01,848",
            "thread_id": "9720",
            "caller": "0x7ff699df116a",
            "parentcaller": "0x7ff699df1466",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000248"
              },
              {
                "name": "ValueName",
                "value": "LegacyImpersonationLevel"
              },
              {
                "name": "Data",
                "value": "2"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Ole\\LegacyImpersonationLevel"
              }
            ],
            "repeated": 0,
            "id": 124
          },
          {
            "timestamp": "2026-05-28 22:03:01,848",
            "thread_id": "9720",
            "caller": "0x7ff699df116a",
            "parentcaller": "0x7ff699df1466",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000248"
              }
            ],
            "repeated": 0,
            "id": 125
          },
          {
            "timestamp": "2026-05-28 22:03:01,848",
            "thread_id": "9720",
            "caller": "0x7ff699df116a",
            "parentcaller": "0x7ff699df1466",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000246"
              },
              {
                "name": "ValueName",
                "value": "AuthenticationLevel"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\AppID\\{338B40F9-9D68-4B53-A793-6B9AA0C5F63B}\\AuthenticationLevel"
              }
            ],
            "repeated": 0,
            "id": 126
          },
          {
            "timestamp": "2026-05-28 22:03:01,848",
            "thread_id": "9720",
            "caller": "0x7ff699df116a",
            "parentcaller": "0x7ff699df1466",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000246"
              },
              {
                "name": "ValueName",
                "value": "RemoteServerName"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\AppID\\{338B40F9-9D68-4B53-A793-6B9AA0C5F63B}\\RemoteServerName"
              }
            ],
            "repeated": 0,
            "id": 127
          },
          {
            "timestamp": "2026-05-28 22:03:01,848",
            "thread_id": "9720",
            "caller": "0x7ff699df116a",
            "parentcaller": "0x7ff699df1466",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000246"
              },
              {
                "name": "ValueName",
                "value": "SRPTrustLevel"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\AppID\\{338B40F9-9D68-4B53-A793-6B9AA0C5F63B}\\SRPTrustLevel"
              }
            ],
            "repeated": 0,
            "id": 128
          },
          {
            "timestamp": "2026-05-28 22:03:01,848",
            "thread_id": "9720",
            "caller": "0x7ff699df116a",
            "parentcaller": "0x7ff699df1466",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000246"
              },
              {
                "name": "ValueName",
                "value": "PreferredServerBitness"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\AppID\\{338B40F9-9D68-4B53-A793-6B9AA0C5F63B}\\PreferredServerBitness"
              }
            ],
            "repeated": 0,
            "id": 129
          },
          {
            "timestamp": "2026-05-28 22:03:01,848",
            "thread_id": "9720",
            "caller": "0x7ff699df116a",
            "parentcaller": "0x7ff699df1466",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000246"
              },
              {
                "name": "ValueName",
                "value": "LoadUserSettings"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\AppID\\{338B40F9-9D68-4B53-A793-6B9AA0C5F63B}\\LoadUserSettings"
              }
            ],
            "repeated": 0,
            "id": 130
          },
          {
            "timestamp": "2026-05-28 22:03:01,848",
            "thread_id": "9720",
            "caller": "0x7ff699df116a",
            "parentcaller": "0x7ff699df1466",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\xec\\xfd\\x1a\\x9b\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\xe9\\x03\\x00\\x00\\xfc\\x7f\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xfc\\x7f\\x00\\x00F\\x02\\x00\\x00\\x00\\x00\\x00\\x00PQ\\xe7w\\xfc\\x7f\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 131
          },
          {
            "timestamp": "2026-05-28 22:03:01,848",
            "thread_id": "9720",
            "caller": "0x7ff699df116a",
            "parentcaller": "0x7ff699df1466",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000248"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3968686040-3210279463-847977608-1001"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER"
              }
            ],
            "repeated": 0,
            "id": 132
          },
          {
            "timestamp": "2026-05-28 22:03:01,848",
            "thread_id": "9720",
            "caller": "0x7ff699df116a",
            "parentcaller": "0x7ff699df1466",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000248"
              },
              {
                "name": "SubKey",
                "value": "Software\\Classes"
              },
              {
                "name": "Handle",
                "value": "0x0000024c"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\Software\\Classes"
              }
            ],
            "repeated": 0,
            "id": 133
          },
          {
            "timestamp": "2026-05-28 22:03:01,848",
            "thread_id": "9720",
            "caller": "0x7ff699df116a",
            "parentcaller": "0x7ff699df1466",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000248"
              }
            ],
            "repeated": 0,
            "id": 134
          },
          {
            "timestamp": "2026-05-28 22:03:01,848",
            "thread_id": "9720",
            "caller": "0x7ff699df116a",
            "parentcaller": "0x7ff699df1466",
            "category": "registry",
            "api": "RegNotifyChangeKeyValue",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\"
              },
              {
                "name": "NotifyFilter",
                "value": "0x10000005"
              },
              {
                "name": "WatchSubtree",
                "value": "1"
              },
              {
                "name": "Asynchronous",
                "value": "1"
              }
            ],
            "repeated": 0,
            "id": 135
          },
          {
            "timestamp": "2026-05-28 22:03:01,848",
            "thread_id": "9720",
            "caller": "0x7ff699df116a",
            "parentcaller": "0x7ff699df1466",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000246"
              },
              {
                "name": "ValueName",
                "value": "ProtectionLevel"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\AppID\\{338B40F9-9D68-4B53-A793-6B9AA0C5F63B}\\ProtectionLevel"
              }
            ],
            "repeated": 0,
            "id": 136
          },
          {
            "timestamp": "2026-05-28 22:03:01,848",
            "thread_id": "9720",
            "caller": "0x7ff699df116a",
            "parentcaller": "0x7ff699df1466",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000246"
              }
            ],
            "repeated": 0,
            "id": 137
          },
          {
            "timestamp": "2026-05-28 22:03:01,848",
            "thread_id": "9720",
            "caller": "0x7ff699df116a",
            "parentcaller": "0x7ff699df1466",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc77ea1000"
              },
              {
                "name": "ModuleName",
                "value": "combase.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 138
          },
          {
            "timestamp": "2026-05-28 22:03:01,848",
            "thread_id": "9720",
            "caller": "0x7ff699df116a",
            "parentcaller": "0x7ff699df1466",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc77ea1000"
              },
              {
                "name": "ModuleName",
                "value": "combase.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 139
          },
          {
            "timestamp": "2026-05-28 22:03:01,848",
            "thread_id": "9720",
            "caller": "0x7ff699df116a",
            "parentcaller": "0x7ff699df1466",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "29"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 140
          },
          {
            "timestamp": "2026-05-28 22:03:01,848",
            "thread_id": "9720",
            "caller": "0x7ff699df116a",
            "parentcaller": "0x7ff699df1466",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x1f324e73000"
              },
              {
                "name": "RegionSize",
                "value": "0x00002000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 141
          },
          {
            "timestamp": "2026-05-28 22:03:01,863",
            "thread_id": "9720",
            "caller": "0x7ff699df116a",
            "parentcaller": "0x7ff699df1466",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc77fd0000"
              },
              {
                "name": "FunctionName",
                "value": "RtlRegisterFeatureConfigurationChangeNotification"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc77fd93b0"
              }
            ],
            "repeated": 0,
            "id": 142
          },
          {
            "timestamp": "2026-05-28 22:03:01,863",
            "thread_id": "9720",
            "caller": "0x7ff699df116a",
            "parentcaller": "0x7ff699df1466",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc77fd0000"
              },
              {
                "name": "FunctionName",
                "value": "NtQueryWnfStateData"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc7806fc40"
              }
            ],
            "repeated": 0,
            "id": 143
          },
          {
            "timestamp": "2026-05-28 22:03:01,863",
            "thread_id": "9720",
            "caller": "0x7ff699df116a",
            "parentcaller": "0x7ff699df1466",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc77fd0000"
              },
              {
                "name": "FunctionName",
                "value": "RtlSubscribeWnfStateChangeNotification"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc78012460"
              }
            ],
            "repeated": 0,
            "id": 144
          },
          {
            "timestamp": "2026-05-28 22:03:01,863",
            "thread_id": "9720",
            "caller": "0x7ff699df116a",
            "parentcaller": "0x7ff699df1466",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc77fd0000"
              },
              {
                "name": "FunctionName",
                "value": "RtlQueryFeatureConfiguration"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc7802cbd0"
              }
            ],
            "repeated": 0,
            "id": 145
          },
          {
            "timestamp": "2026-05-28 22:03:01,863",
            "thread_id": "9720",
            "caller": "0x7ff699df116a",
            "parentcaller": "0x7ff699df1466",
            "category": "misc",
            "api": "NtQuerySystemInformation",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SystemInformationClass",
                "value": "164"
              }
            ],
            "repeated": 0,
            "id": 146
          },
          {
            "timestamp": "2026-05-28 22:03:01,863",
            "thread_id": "9720",
            "caller": "0x7ff699df116a",
            "parentcaller": "0x7ff699df1466",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000238"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020119",
                "pretty_value": "KEY_QUERY_VALUE|KEY_ENUMERATE_SUB_KEYS|KEY_NOTIFY|KEY_WOW64_64KEY|STANDARD_RIGHTS_REQUIRED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\SOFTWARE\\Policies\\Microsoft\\Windows\\Appx"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Appx"
              }
            ],
            "repeated": 0,
            "id": 147
          },
          {
            "timestamp": "2026-05-28 22:03:01,863",
            "thread_id": "9720",
            "caller": "0x7ff699df116a",
            "parentcaller": "0x7ff699df1466",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000238"
              },
              {
                "name": "ValueName",
                "value": "AllowDevelopmentWithoutDevLicense"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Appx\\AllowDevelopmentWithoutDevLicense"
              }
            ],
            "repeated": 0,
            "id": 148
          },
          {
            "timestamp": "2026-05-28 22:03:01,863",
            "thread_id": "9720",
            "caller": "0x7ff699df116a",
            "parentcaller": "0x7ff699df1466",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000238"
              }
            ],
            "repeated": 0,
            "id": 149
          },
          {
            "timestamp": "2026-05-28 22:03:01,863",
            "thread_id": "9720",
            "caller": "0x7ff699df116a",
            "parentcaller": "0x7ff699df1466",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000238"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020119",
                "pretty_value": "KEY_QUERY_VALUE|KEY_ENUMERATE_SUB_KEYS|KEY_NOTIFY|KEY_WOW64_64KEY|STANDARD_RIGHTS_REQUIRED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModelUnlock"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModelUnlock"
              }
            ],
            "repeated": 0,
            "id": 150
          },
          {
            "timestamp": "2026-05-28 22:03:01,863",
            "thread_id": "9720",
            "caller": "0x7ff699df116a",
            "parentcaller": "0x7ff699df1466",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000238"
              },
              {
                "name": "ValueName",
                "value": "AllowDevelopmentWithoutDevLicense"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModelUnlock\\AllowDevelopmentWithoutDevLicense"
              }
            ],
            "repeated": 0,
            "id": 151
          },
          {
            "timestamp": "2026-05-28 22:03:01,863",
            "thread_id": "9720",
            "caller": "0x7ff699df116a",
            "parentcaller": "0x7ff699df1466",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000238"
              }
            ],
            "repeated": 0,
            "id": 152
          },
          {
            "timestamp": "2026-05-28 22:03:01,863",
            "thread_id": "9720",
            "caller": "0x7ff699df116a",
            "parentcaller": "0x7ff699df1466",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc77fd0000"
              }
            ],
            "repeated": 0,
            "id": 153
          },
          {
            "timestamp": "2026-05-28 22:03:01,863",
            "thread_id": "9720",
            "caller": "0x7ff699df116a",
            "parentcaller": "0x7ff699df1466",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc77fd0000"
              },
              {
                "name": "FunctionName",
                "value": "RtlRegisterFeatureConfigurationChangeNotification"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc77fd93b0"
              }
            ],
            "repeated": 0,
            "id": 154
          },
          {
            "timestamp": "2026-05-28 22:03:01,863",
            "thread_id": "9720",
            "caller": "0x7ff699df116a",
            "parentcaller": "0x7ff699df1466",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc77fd0000"
              },
              {
                "name": "FunctionName",
                "value": "NtQueryWnfStateData"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc7806fc40"
              }
            ],
            "repeated": 0,
            "id": 155
          },
          {
            "timestamp": "2026-05-28 22:03:01,863",
            "thread_id": "9720",
            "caller": "0x7ff699df116a",
            "parentcaller": "0x7ff699df1466",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc77fd0000"
              },
              {
                "name": "FunctionName",
                "value": "RtlSubscribeWnfStateChangeNotification"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc78012460"
              }
            ],
            "repeated": 0,
            "id": 156
          },
          {
            "timestamp": "2026-05-28 22:03:01,863",
            "thread_id": "9720",
            "caller": "0x7ff699df116a",
            "parentcaller": "0x7ff699df1466",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc77fd0000"
              },
              {
                "name": "FunctionName",
                "value": "RtlDisownModuleHeapAllocation"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc7804fa30"
              }
            ],
            "repeated": 0,
            "id": 157
          },
          {
            "timestamp": "2026-05-28 22:03:01,863",
            "thread_id": "9720",
            "caller": "0x7ff699df116a",
            "parentcaller": "0x7ff699df1466",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc77fd0000"
              },
              {
                "name": "FunctionName",
                "value": "RtlQueryFeatureConfiguration"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc7802cbd0"
              }
            ],
            "repeated": 0,
            "id": 158
          },
          {
            "timestamp": "2026-05-28 22:03:01,863",
            "thread_id": "9720",
            "caller": "0x7ff699df116a",
            "parentcaller": "0x7ff699df1466",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x1f324e75000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 159
          },
          {
            "timestamp": "2026-05-28 22:03:01,863",
            "thread_id": "9720",
            "caller": "0x7ff699df116a",
            "parentcaller": "0x7ff699df1466",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "Software\\Microsoft\\OLE\\AppCompat"
              },
              {
                "name": "Handle",
                "value": "0x00000238"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\OLE\\AppCompat"
              }
            ],
            "repeated": 0,
            "id": 160
          },
          {
            "timestamp": "2026-05-28 22:03:01,863",
            "thread_id": "9720",
            "caller": "0x7ff699df116a",
            "parentcaller": "0x7ff699df1466",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000238"
              },
              {
                "name": "ValueName",
                "value": "RaiseActivationAuthenticationLevel"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Ole\\AppCompat\\RaiseActivationAuthenticationLevel"
              }
            ],
            "repeated": 0,
            "id": 161
          },
          {
            "timestamp": "2026-05-28 22:03:01,863",
            "thread_id": "9720",
            "caller": "0x7ff699df116a",
            "parentcaller": "0x7ff699df1466",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000238"
              }
            ],
            "repeated": 0,
            "id": 162
          },
          {
            "timestamp": "2026-05-28 22:03:01,863",
            "thread_id": "9720",
            "caller": "0x7ff699df116a",
            "parentcaller": "0x7ff699df1466",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x00000238"
              }
            ],
            "repeated": 0,
            "id": 163
          },
          {
            "timestamp": "2026-05-28 22:03:01,863",
            "thread_id": "9720",
            "caller": "0x7ff699df116a",
            "parentcaller": "0x7ff699df1466",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "20"
              },
              {
                "name": "TokenInformation",
                "value": "\\x01\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 164
          },
          {
            "timestamp": "2026-05-28 22:03:01,879",
            "thread_id": "9720",
            "caller": "0x7ff699df116a",
            "parentcaller": "0x7ff699df1466",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "18"
              },
              {
                "name": "TokenInformation",
                "value": "\\x01\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 165
          },
          {
            "timestamp": "2026-05-28 22:03:01,879",
            "thread_id": "9720",
            "caller": "0x7ff699df116a",
            "parentcaller": "0x7ff699df1466",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xa0\\xea\\xfd\\x1a\\x9b\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xfc\\x7f\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\xe9\\x03\\x00\\x00\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00'\\xc0\\xd93\\xfc\\x7f\\x00\\x00\\xa0\\xbd\\xd93\\xfc\\x7f\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xffP\\xeb\\xfd\\x1a\\x9b\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x18\\xc0\\xd93"
              }
            ],
            "repeated": 0,
            "id": 166
          },
          {
            "timestamp": "2026-05-28 22:03:01,879",
            "thread_id": "9720",
            "caller": "0x7ff699df116a",
            "parentcaller": "0x7ff699df1466",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000250"
              },
              {
                "name": "DesiredAccess",
                "value": "0x02000000",
                "pretty_value": "MAXIMUM_ALLOWED"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\User\\S-1-5-21-3968686040-3210279463-847977608-1001_Classes"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes"
              }
            ],
            "repeated": 0,
            "id": 167
          },
          {
            "timestamp": "2026-05-28 22:03:01,879",
            "thread_id": "9720",
            "caller": "0x7ff699df116a",
            "parentcaller": "0x7ff699df1466",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000238"
              }
            ],
            "repeated": 0,
            "id": 168
          },
          {
            "timestamp": "2026-05-28 22:03:01,879",
            "thread_id": "9720",
            "caller": "0x7ff699df116a",
            "parentcaller": "0x7ff699df1466",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000252"
              },
              {
                "name": "SubKey",
                "value": "AppID\\{338B40F9-9D68-4B53-A793-6B9AA0C5F63B}"
              },
              {
                "name": "Handle",
                "value": "0x0000023a"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\AppID\\{338B40F9-9D68-4B53-A793-6B9AA0C5F63B}"
              }
            ],
            "repeated": 0,
            "id": 169
          },
          {
            "timestamp": "2026-05-28 22:03:01,879",
            "thread_id": "9720",
            "caller": "0x7ff699df116a",
            "parentcaller": "0x7ff699df1466",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000023a"
              },
              {
                "name": "ValueName",
                "value": "AuthenticationLevel"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\AppID\\{338B40F9-9D68-4B53-A793-6B9AA0C5F63B}\\AuthenticationLevel"
              }
            ],
            "repeated": 0,
            "id": 170
          },
          {
            "timestamp": "2026-05-28 22:03:01,879",
            "thread_id": "9720",
            "caller": "0x7ff699df116a",
            "parentcaller": "0x7ff699df1466",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "Software\\Microsoft\\OLE\\AppCompat"
              },
              {
                "name": "Handle",
                "value": "0x00000254"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\OLE\\AppCompat"
              }
            ],
            "repeated": 0,
            "id": 171
          },
          {
            "timestamp": "2026-05-28 22:03:01,879",
            "thread_id": "9720",
            "caller": "0x7ff699df116a",
            "parentcaller": "0x7ff699df1466",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000254"
              },
              {
                "name": "ValueName",
                "value": "RaiseDefaultAuthnLevel"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Ole\\AppCompat\\RaiseDefaultAuthnLevel"
              }
            ],
            "repeated": 0,
            "id": 172
          },
          {
            "timestamp": "2026-05-28 22:03:01,879",
            "thread_id": "9720",
            "caller": "0x7ff699df116a",
            "parentcaller": "0x7ff699df1466",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000254"
              }
            ],
            "repeated": 0,
            "id": 173
          },
          {
            "timestamp": "2026-05-28 22:03:01,879",
            "thread_id": "9720",
            "caller": "0x7ff699df116a",
            "parentcaller": "0x7ff699df1466",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000023a"
              },
              {
                "name": "ValueName",
                "value": "AccessPermission"
              },
              {
                "name": "Data",
                "value": "\\x01\\x00\\x04\\x80\\\\x00\\x00\\x00l\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x14\\x00\\x00\\x00\\x02\\x00H\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x14\\x00\\x03\\x00\\x00\\x00\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x05\n\\x00\\x00\\x00\\x00\\x00\\x14\\x00\\x03\\x00\\x00\\x00\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x05\\x12\\x00\\x00\\x00\\x00\\x00\\x18\\x00\\x03\\x00\\x00\\x00\\x01\\x02\\x00\\x00\\x00\\x00\\x00\\x05 \\x00\\x00\\x00!\\x02\\x00\\x00\\x01\\x02\\x00\\x00\\x00\\x00\\x00\\x05 \\x00\\x00\\x00 \\x02\\x00\\x00\\x01\\x02\\x00\\x00\\x00\\x00\\x00\\x05 \\x00\\x00\\x00 \\x02\\x00\\x00"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\AppID\\{338B40F9-9D68-4B53-A793-6B9AA0C5F63B}\\AccessPermission"
              }
            ],
            "repeated": 0,
            "id": 174
          },
          {
            "timestamp": "2026-05-28 22:03:01,879",
            "thread_id": "9720",
            "caller": "0x7ff699df116a",
            "parentcaller": "0x7ff699df1466",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000023a"
              }
            ],
            "repeated": 0,
            "id": 175
          },
          {
            "timestamp": "2026-05-28 22:03:01,879",
            "thread_id": "9720",
            "caller": "0x7ff699df116a",
            "parentcaller": "0x7ff699df1466",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "0\\xf0\\xfd\\x1a\\x9b\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\xe9\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\xa6Cnu\\xfc\\x7f\\x00\\x000\\xe1\\x13\\x927L\\x00\\x00\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 176
          },
          {
            "timestamp": "2026-05-28 22:03:01,879",
            "thread_id": "9720",
            "caller": "0x7ff699df116a",
            "parentcaller": "0x7ff699df1466",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc77ea1000"
              },
              {
                "name": "ModuleName",
                "value": "combase.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 177
          },
          {
            "timestamp": "2026-05-28 22:03:01,879",
            "thread_id": "9720",
            "caller": "0x7ff699df116a",
            "parentcaller": "0x7ff699df1466",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc77ea1000"
              },
              {
                "name": "ModuleName",
                "value": "combase.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 178
          },
          {
            "timestamp": "2026-05-28 22:03:01,879",
            "thread_id": "9720",
            "caller": "0x7ff699df116a",
            "parentcaller": "0x7ff699df1466",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "29"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 179
          },
          {
            "timestamp": "2026-05-28 22:03:01,879",
            "thread_id": "9720",
            "caller": "0x7ff699df116a",
            "parentcaller": "0x7ff699df1466",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000254"
              }
            ],
            "repeated": 0,
            "id": 180
          },
          {
            "timestamp": "2026-05-28 22:03:01,879",
            "thread_id": "9720",
            "caller": "0x7ff699df116a",
            "parentcaller": "0x7ff699df1466",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc77ea1000"
              },
              {
                "name": "ModuleName",
                "value": "combase.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 181
          },
          {
            "timestamp": "2026-05-28 22:03:01,879",
            "thread_id": "9720",
            "caller": "0x7ff699df116a",
            "parentcaller": "0x7ff699df1466",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc77ea1000"
              },
              {
                "name": "ModuleName",
                "value": "combase.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 182
          },
          {
            "timestamp": "2026-05-28 22:03:01,879",
            "thread_id": "9720",
            "caller": "0x7ff699df116a",
            "parentcaller": "0x7ff699df1466",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": false,
            "return": "0xffffffffc0000135",
            "pretty_return": "DLL_NOT_FOUND",
            "arguments": [
              {
                "name": "FileName",
                "value": "C:\\Windows\\system32\\rpcss.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x1f326cad2c4"
              }
            ],
            "repeated": 0,
            "id": 183
          },
          {
            "timestamp": "2026-05-28 22:03:01,879",
            "thread_id": "9720",
            "caller": "0x7ff699df116a",
            "parentcaller": "0x7ff699df1466",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "29"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 184
          },
          {
            "timestamp": "2026-05-28 22:03:01,879",
            "thread_id": "9720",
            "caller": "0x7ff699df116a",
            "parentcaller": "0x7ff699df1466",
            "category": "synchronization",
            "api": "NtOpenEvent",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000025f4"
              },
              {
                "name": "EventName",
                "value": "MSFT.VSA.COM.DISABLE.9716"
              }
            ],
            "repeated": 0,
            "id": 185
          },
          {
            "timestamp": "2026-05-28 22:03:01,879",
            "thread_id": "9720",
            "caller": "0x7ff699df116a",
            "parentcaller": "0x7ff699df1466",
            "category": "synchronization",
            "api": "NtOpenEvent",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "EventName",
                "value": "MSFT.VSA.IEC.STATUS.6c736db0"
              }
            ],
            "repeated": 0,
            "id": 186
          },
          {
            "timestamp": "2026-05-28 22:03:01,879",
            "thread_id": "9720",
            "caller": "0x7ff699df116a",
            "parentcaller": "0x7ff699df1466",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x1f324e76000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 187
          },
          {
            "timestamp": "2026-05-28 22:03:01,879",
            "thread_id": "9720",
            "caller": "0x7ff699df116a",
            "parentcaller": "0x7ff699df1466",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x1f324e77000"
              },
              {
                "name": "RegionSize",
                "value": "0x00002000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 188
          },
          {
            "timestamp": "2026-05-28 22:03:01,879",
            "thread_id": "9720",
            "caller": "0x7ff699df116a",
            "parentcaller": "0x7ff699df1466",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000252"
              },
              {
                "name": "SubKey",
                "value": "Interface\\{00000134-0000-0000-C000-000000000046}"
              },
              {
                "name": "Handle",
                "value": "0x00000262"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\Interface\\{00000134-0000-0000-C000-000000000046}"
              }
            ],
            "repeated": 0,
            "id": 189
          },
          {
            "timestamp": "2026-05-28 22:03:01,894",
            "thread_id": "9720",
            "caller": "0x7ff699df116a",
            "parentcaller": "0x7ff699df1466",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000262"
              },
              {
                "name": "SubKey",
                "value": "ProxyStubClsid32"
              },
              {
                "name": "Handle",
                "value": "0x00000266"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{00000134-0000-0000-C000-000000000046}\\ProxyStubClsid32"
              }
            ],
            "repeated": 0,
            "id": 190
          },
          {
            "timestamp": "2026-05-28 22:03:01,894",
            "thread_id": "9720",
            "caller": "0x7ff699df116a",
            "parentcaller": "0x7ff699df1466",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000266"
              },
              {
                "name": "ValueName",
                "value": ""
              },
              {
                "name": "Data",
                "value": "{00000320-0000-0000-C000-000000000046}"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{00000134-0000-0000-C000-000000000046}\\ProxyStubClsid32\\(Default)"
              }
            ],
            "repeated": 0,
            "id": 191
          },
          {
            "timestamp": "2026-05-28 22:03:01,894",
            "thread_id": "9720",
            "caller": "0x7ff699df116a",
            "parentcaller": "0x7ff699df1466",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000266"
              }
            ],
            "repeated": 0,
            "id": 192
          },
          {
            "timestamp": "2026-05-28 22:03:01,894",
            "thread_id": "9720",
            "caller": "0x7ff699df116a",
            "parentcaller": "0x7ff699df1466",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000262"
              }
            ],
            "repeated": 0,
            "id": 193
          },
          {
            "timestamp": "2026-05-28 22:03:01,894",
            "thread_id": "9720",
            "caller": "0x7ff699df116a",
            "parentcaller": "0x7ff699df1466",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000260"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\MACHINE\\Software\\Microsoft\\Rpc\\Extensions"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Rpc\\Extensions"
              }
            ],
            "repeated": 0,
            "id": 194
          },
          {
            "timestamp": "2026-05-28 22:03:01,894",
            "thread_id": "9720",
            "caller": "0x7ff699df116a",
            "parentcaller": "0x7ff699df1466",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000260"
              },
              {
                "name": "ValueName",
                "value": "NdrOleExtDLL"
              },
              {
                "name": "Type",
                "value": "2",
                "pretty_value": "REG_EXPAND_SZ"
              },
              {
                "name": "Information",
                "value": "combase.dll"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Rpc\\Extensions\\NdrOleExtDLL"
              }
            ],
            "repeated": 0,
            "id": 195
          },
          {
            "timestamp": "2026-05-28 22:03:01,894",
            "thread_id": "9720",
            "caller": "0x7ff699df116a",
            "parentcaller": "0x7ff699df1466",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000260"
              }
            ],
            "repeated": 0,
            "id": 196
          },
          {
            "timestamp": "2026-05-28 22:03:01,894",
            "thread_id": "9720",
            "caller": "0x7ff699df116a",
            "parentcaller": "0x7ff699df1466",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "combase.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc77b70000"
              }
            ],
            "repeated": 0,
            "id": 197
          },
          {
            "timestamp": "2026-05-28 22:03:01,894",
            "thread_id": "9720",
            "caller": "0x7ff699df116a",
            "parentcaller": "0x7ff699df1466",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "combase.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc77b70000"
              },
              {
                "name": "FunctionName",
                "value": "NdrOleInitializeExtension"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc77c44240"
              }
            ],
            "repeated": 0,
            "id": 198
          },
          {
            "timestamp": "2026-05-28 22:03:01,894",
            "thread_id": "9720",
            "caller": "0x7ff699df116a",
            "parentcaller": "0x7ff699df1466",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "combase.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc77b70000"
              },
              {
                "name": "FunctionName",
                "value": "CoMarshalInterface"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc77beb0b0"
              }
            ],
            "repeated": 0,
            "id": 199
          },
          {
            "timestamp": "2026-05-28 22:03:01,894",
            "thread_id": "9720",
            "caller": "0x7ff699df116a",
            "parentcaller": "0x7ff699df1466",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "combase.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc77b70000"
              },
              {
                "name": "FunctionName",
                "value": "CoUnmarshalInterface"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc77be8b50"
              }
            ],
            "repeated": 0,
            "id": 200
          },
          {
            "timestamp": "2026-05-28 22:03:01,894",
            "thread_id": "9720",
            "caller": "0x7ff699df116a",
            "parentcaller": "0x7ff699df1466",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "combase.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc77b70000"
              },
              {
                "name": "FunctionName",
                "value": "StringFromIID"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc77c19780"
              }
            ],
            "repeated": 0,
            "id": 201
          },
          {
            "timestamp": "2026-05-28 22:03:01,894",
            "thread_id": "9720",
            "caller": "0x7ff699df116a",
            "parentcaller": "0x7ff699df1466",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "combase.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc77b70000"
              },
              {
                "name": "FunctionName",
                "value": "CoTaskMemAlloc"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc77c22e80"
              }
            ],
            "repeated": 0,
            "id": 202
          },
          {
            "timestamp": "2026-05-28 22:03:01,894",
            "thread_id": "9720",
            "caller": "0x7ff699df116a",
            "parentcaller": "0x7ff699df1466",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "combase.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc77b70000"
              },
              {
                "name": "FunctionName",
                "value": "CoTaskMemFree"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc77c21b70"
              }
            ],
            "repeated": 0,
            "id": 203
          },
          {
            "timestamp": "2026-05-28 22:03:01,894",
            "thread_id": "9720",
            "caller": "0x7ff699df116a",
            "parentcaller": "0x7ff699df1466",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "combase.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc77b70000"
              },
              {
                "name": "FunctionName",
                "value": "CoCreateInstance"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc77b9a420"
              }
            ],
            "repeated": 0,
            "id": 204
          },
          {
            "timestamp": "2026-05-28 22:03:01,894",
            "thread_id": "9720",
            "caller": "0x7ff699df116a",
            "parentcaller": "0x7ff699df1466",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "combase.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc77b70000"
              },
              {
                "name": "FunctionName",
                "value": "CoReleaseMarshalData"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc77b9e790"
              }
            ],
            "repeated": 0,
            "id": 205
          },
          {
            "timestamp": "2026-05-28 22:03:01,894",
            "thread_id": "9720",
            "caller": "0x7ff699df116a",
            "parentcaller": "0x7ff699df1466",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "29"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 206
          },
          {
            "timestamp": "2026-05-28 22:03:01,894",
            "thread_id": "9720",
            "caller": "0x7ff699df116a",
            "parentcaller": "0x7ff699df1466",
            "category": "filesystem",
            "api": "NtOpenDirectoryObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "DirectoryHandle",
                "value": "0x00000260"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020001",
                "pretty_value": "FILE_READ_ACCESS|READ_CONTROL"
              },
              {
                "name": "ObjectAttributes",
                "value": "C:\\RPC Control"
              }
            ],
            "repeated": 0,
            "id": 207
          },
          {
            "timestamp": "2026-05-28 22:03:01,894",
            "thread_id": "9720",
            "caller": "0x7ff699df116a",
            "parentcaller": "0x7ff699df1466",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x00000264"
              }
            ],
            "repeated": 0,
            "id": 208
          },
          {
            "timestamp": "2026-05-28 22:03:01,894",
            "thread_id": "9720",
            "caller": "0x7ff699df116a",
            "parentcaller": "0x7ff699df1466",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "10"
              },
              {
                "name": "TokenInformation",
                "value": "\\xdc\\xad\\x0b\\x00\\x00\\x00\\x00\\x00]Y\\x02\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x7f\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x94\\x0f\\x00\\x00\\x0e\\x00\\x00\\x00\\x18\\x00\\x00\\x00\\xbcY\\x02\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 209
          },
          {
            "timestamp": "2026-05-28 22:03:01,894",
            "thread_id": "9720",
            "caller": "0x7ff699df116a",
            "parentcaller": "0x7ff699df1466",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "4"
              },
              {
                "name": "TokenInformation",
                "value": "\\x88)\\xe6$\\xf3\\x01\\x00\\x00\\x01\\x02\\x00\\x00\\x00\\x00\\x00\\x05 \\x00\\x00\\x00 \\x02\\x00\\x00w\\x00s\\x00\\\\x00S\\x00Y\\x00S\\x00T\\x00E\\x00M\\x003\\x002\\x00\\\\x00k\\x00e\\x00r\\x00n\\x00e\\x00l\\x00.\\x00a\\x00p\\x00p\\x00c\\x00o\\x00r\\x00e\\x00"
              }
            ],
            "repeated": 0,
            "id": 210
          },
          {
            "timestamp": "2026-05-28 22:03:01,894",
            "thread_id": "9720",
            "caller": "0x7ff699df116a",
            "parentcaller": "0x7ff699df1466",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "25"
              },
              {
                "name": "TokenInformation",
                "value": "\\xf0)\\xe6$\\xf3\\x01\\x00\\x00`\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x10\\x000\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 211
          },
          {
            "timestamp": "2026-05-28 22:03:01,894",
            "thread_id": "9720",
            "caller": "0x7ff699df116a",
            "parentcaller": "0x7ff699df1466",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "5"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 212
          },
          {
            "timestamp": "2026-05-28 22:03:01,894",
            "thread_id": "9720",
            "caller": "0x7ff699df116a",
            "parentcaller": "0x7ff699df1466",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "5"
              },
              {
                "name": "TokenInformation",
                "value": "\\xf8\\x1e\\xe7$\\xf3\\x01\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\x01\\x02\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 213
          },
          {
            "timestamp": "2026-05-28 22:03:01,894",
            "thread_id": "9720",
            "caller": "0x7ff699df116a",
            "parentcaller": "0x7ff699df1466",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "6"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 214
          },
          {
            "timestamp": "2026-05-28 22:03:01,894",
            "thread_id": "9720",
            "caller": "0x7ff699df116a",
            "parentcaller": "0x7ff699df1466",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "6"
              },
              {
                "name": "TokenInformation",
                "value": "\\xe8,\\xe6$\\xf3\\x01\\x00\\x00\\x02\\x00P\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x18\\x00\\x00\\x00\\x00\\x10\\x01\\x02\\x00\\x00\\x00\\x00\\x00\\x05 \\x00\\x00\\x00 \\x02\\x00\\x00\\x00\\x00\\x14\\x00\\x00\\x00\\x00\\x10\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x05\\x12\\x00\\x00\\x00\\x00\\x00\\x1c\\x00\\x00\\x00\\x00\\xa0\\x01\\x03\\x00\\x00\\x00\\x00\\x00\\x05\\x05\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xc7X\\x02\\x00"
              }
            ],
            "repeated": 0,
            "id": 215
          },
          {
            "timestamp": "2026-05-28 22:03:01,894",
            "thread_id": "9720",
            "caller": "0x7ff699df116a",
            "parentcaller": "0x7ff699df1466",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "41"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00X@\\xdd3\\xfc\\x7f\\x00\\x00\\xebP\\xb53\\xfc\\x7f\\x00\\x00\\xa0\\xd7\\x13\\x927L\\x00\\x00(N\\xd93\\xfc\\x7f\\x00\\x00\\x10\\xe6\\xfd\\x1a\\x9b\\x00\\x00\\x00\\x08\\xe6\\xfd\\x1a\\x9b\\x00\\x00\\x00\\xd8\\xe5\\xfd\\x1a\\x9b\\x00\\x00\\x00\\xf8\\xe5\\xfd\\x1a"
              }
            ],
            "repeated": 0,
            "id": 216
          },
          {
            "timestamp": "2026-05-28 22:03:01,894",
            "thread_id": "9720",
            "caller": "0x7ff699df116a",
            "parentcaller": "0x7ff699df1466",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "41"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xe0,\\xe6$\\xf3\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xd9\\xd8\\xb63\\xfc\\x7f\\x00\\x00#\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\xf8\\xe3\\xfd\\x1a\\x9b\\x00\\x00\\x00d\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x9a\\x00\\x1f8\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x86\\xa2\\xd93"
              }
            ],
            "repeated": 0,
            "id": 217
          },
          {
            "timestamp": "2026-05-28 22:03:01,894",
            "thread_id": "9720",
            "caller": "0x7ff699df116a",
            "parentcaller": "0x7ff699df1466",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "10"
              },
              {
                "name": "TokenInformation",
                "value": "\\xdc\\xad\\x0b\\x00\\x00\\x00\\x00\\x00]Y\\x02\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x7f\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x94\\x0f\\x00\\x00\\x0e\\x00\\x00\\x00\\x18\\x00\\x00\\x00\\xbcY\\x02\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 218
          },
          {
            "timestamp": "2026-05-28 22:03:01,894",
            "thread_id": "9720",
            "caller": "0x7ff699df116a",
            "parentcaller": "0x7ff699df1466",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "4"
              },
              {
                "name": "TokenInformation",
                "value": "\\xa8-\\xe6$\\xf3\\x01\\x00\\x00\\x01\\x02\\x00\\x00\\x00\\x00\\x00\\x05 \\x00\\x00\\x00 \\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 219
          },
          {
            "timestamp": "2026-05-28 22:03:01,894",
            "thread_id": "9720",
            "caller": "0x7ff699df116a",
            "parentcaller": "0x7ff699df1466",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "25"
              },
              {
                "name": "TokenInformation",
                "value": "P*\\xe6$\\xf3\\x01\\x00\\x00`\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x10\\x000\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 220
          },
          {
            "timestamp": "2026-05-28 22:03:01,894",
            "thread_id": "9720",
            "caller": "0x7ff699df116a",
            "parentcaller": "0x7ff699df1466",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "5"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 221
          },
          {
            "timestamp": "2026-05-28 22:03:01,894",
            "thread_id": "9720",
            "caller": "0x7ff699df116a",
            "parentcaller": "0x7ff699df1466",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "5"
              },
              {
                "name": "TokenInformation",
                "value": "\\x18\\x1a\\xe7$\\xf3\\x01\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\x01\\x02\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 222
          },
          {
            "timestamp": "2026-05-28 22:03:01,894",
            "thread_id": "9720",
            "caller": "0x7ff699df116a",
            "parentcaller": "0x7ff699df1466",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "6"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 223
          },
          {
            "timestamp": "2026-05-28 22:03:01,894",
            "thread_id": "9720",
            "caller": "0x7ff699df116a",
            "parentcaller": "0x7ff699df1466",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "6"
              },
              {
                "name": "TokenInformation",
                "value": "\\x08.\\xe6$\\xf3\\x01\\x00\\x00\\x02\\x00P\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x18\\x00\\x00\\x00\\x00\\x10\\x01\\x02\\x00\\x00\\x00\\x00\\x00\\x05 \\x00\\x00\\x00 \\x02\\x00\\x00\\x00\\x00\\x14\\x00\\x00\\x00\\x00\\x10\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x05\\x12\\x00\\x00\\x00\\x00\\x00\\x1c\\x00\\x00\\x00\\x00\\xa0\\x01\\x03\\x00\\x00\\x00\\x00\\x00\\x05\\x05\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xc7X\\x02\\x00"
              }
            ],
            "repeated": 0,
            "id": 224
          },
          {
            "timestamp": "2026-05-28 22:03:01,894",
            "thread_id": "9720",
            "caller": "0x7ff699df116a",
            "parentcaller": "0x7ff699df1466",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "41"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00X@\\xdd3\\xfc\\x7f\\x00\\x00\\xebP\\xb53\\xfc\\x7f\\x00\\x00\\xc0\\xd3\\x13\\x927L\\x00\\x00(N\\xd93\\xfc\\x7f\\x00\\x00p\\xe2\\xfd\\x1a\\x9b\\x00\\x00\\x00h\\xe2\\xfd\\x1a\\x9b\\x00\\x00\\x008\\xe2\\xfd\\x1a\\x9b\\x00\\x00\\x00X\\xe2\\xfd\\x1a"
              }
            ],
            "repeated": 0,
            "id": 225
          },
          {
            "timestamp": "2026-05-28 22:03:01,894",
            "thread_id": "9720",
            "caller": "0x7ff699df116a",
            "parentcaller": "0x7ff699df1466",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "41"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00.\\xe6$\\xf3\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xd9\\xd8\\xb63\\xfc\\x7f\\x00\\x00#\\x00\\x00\\xc0\\x00\\x00\\x00\\x00X\\xe0\\xfd\\x1a\\x9b\\x00\\x00\\x00d\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x9a\\x00\\x1f8\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x86\\xa2\\xd93"
              }
            ],
            "repeated": 0,
            "id": 226
          },
          {
            "timestamp": "2026-05-28 22:03:01,894",
            "thread_id": "9720",
            "caller": "0x7ff699df116a",
            "parentcaller": "0x7ff699df1466",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000260"
              }
            ],
            "repeated": 0,
            "id": 227
          },
          {
            "timestamp": "2026-05-28 22:03:01,894",
            "thread_id": "9720",
            "caller": "0x7ff699df116a",
            "parentcaller": "0x7ff699df1466",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000264"
              }
            ],
            "repeated": 0,
            "id": 228
          },
          {
            "timestamp": "2026-05-28 22:03:01,894",
            "thread_id": "9720",
            "caller": "0x7ff699df116a",
            "parentcaller": "0x7ff699df1466",
            "category": "misc",
            "api": "GetSystemInfo",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 229
          },
          {
            "timestamp": "2026-05-28 22:03:01,894",
            "thread_id": "9720",
            "caller": "0x7ff699df116a",
            "parentcaller": "0x7ff699df1466",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "combase.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc77b70000"
              }
            ],
            "repeated": 0,
            "id": 230
          },
          {
            "timestamp": "2026-05-28 22:03:01,894",
            "thread_id": "9720",
            "caller": "0x7ff699df116a",
            "parentcaller": "0x7ff699df1466",
            "category": "threading",
            "api": "NtCreateThreadEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0x00000268"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "StartAddress",
                "value": "0x7ffc77c12d30"
              },
              {
                "name": "Parameter",
                "value": "0x1f324e66e20"
              },
              {
                "name": "CreateFlags",
                "value": "0x00000001"
              },
              {
                "name": "ThreadId",
                "value": "3116"
              },
              {
                "name": "ProcessId",
                "value": "9716"
              },
              {
                "name": "Module",
                "value": "combase.dll"
              }
            ],
            "repeated": 0,
            "id": 231
          },
          {
            "timestamp": "2026-05-28 22:03:01,894",
            "thread_id": "9720",
            "caller": "0x7ff699df116a",
            "parentcaller": "0x7ff699df1466",
            "category": "threading",
            "api": "CreateRemoteThreadEx",
            "status": true,
            "return": "0x00000268",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "StartRoutine",
                "value": "0x7ffc77c12d30"
              },
              {
                "name": "Parameter",
                "value": "0x1f324e66e20"
              },
              {
                "name": "CreationFlags",
                "value": "0x00000000"
              },
              {
                "name": "ThreadId",
                "value": "3116"
              },
              {
                "name": "ProcessId",
                "value": "9716"
              }
            ],
            "repeated": 0,
            "id": 232
          },
          {
            "timestamp": "2026-05-28 22:03:01,894",
            "thread_id": "9720",
            "caller": "0x7ff699df116a",
            "parentcaller": "0x7ff699df1466",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000268"
              }
            ],
            "repeated": 0,
            "id": 233
          },
          {
            "timestamp": "2026-05-28 22:03:01,894",
            "thread_id": "9720",
            "caller": "0x7ff699df116a",
            "parentcaller": "0x7ff699df1466",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "29"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 234
          },
          {
            "timestamp": "2026-05-28 22:03:01,894",
            "thread_id": "9720",
            "caller": "0x7ff699df116a",
            "parentcaller": "0x7ff699df1466",
            "category": "filesystem",
            "api": "NtOpenDirectoryObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "DirectoryHandle",
                "value": "0x00000268"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020001",
                "pretty_value": "FILE_READ_ACCESS|READ_CONTROL"
              },
              {
                "name": "ObjectAttributes",
                "value": "C:\\RPC Control"
              }
            ],
            "repeated": 0,
            "id": 235
          },
          {
            "timestamp": "2026-05-28 22:03:01,894",
            "thread_id": "9720",
            "caller": "0x7ff699df116a",
            "parentcaller": "0x7ff699df1466",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x00000270"
              }
            ],
            "repeated": 0,
            "id": 236
          },
          {
            "timestamp": "2026-05-28 22:03:01,894",
            "thread_id": "9720",
            "caller": "0x7ff699df116a",
            "parentcaller": "0x7ff699df1466",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "10"
              },
              {
                "name": "TokenInformation",
                "value": "\\xdc\\xad\\x0b\\x00\\x00\\x00\\x00\\x00]Y\\x02\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x7f\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x94\\x0f\\x00\\x00\\x0e\\x00\\x00\\x00\\x18\\x00\\x00\\x00\\xbcY\\x02\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 237
          },
          {
            "timestamp": "2026-05-28 22:03:01,894",
            "thread_id": "9720",
            "caller": "0x7ff699df116a",
            "parentcaller": "0x7ff699df1466",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "4"
              },
              {
                "name": "TokenInformation",
                "value": "H*\\xe6$\\xf3\\x01\\x00\\x00\\x01\\x02\\x00\\x00\\x00\\x00\\x00\\x05 \\x00\\x00\\x00 \\x02\\x00\\x00\\x000\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 238
          },
          {
            "timestamp": "2026-05-28 22:03:01,894",
            "thread_id": "9720",
            "caller": "0x7ff699df116a",
            "parentcaller": "0x7ff699df1466",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "25"
              },
              {
                "name": "TokenInformation",
                "value": "\\xd0.\\xe6$\\xf3\\x01\\x00\\x00`\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x10\\x000\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 239
          },
          {
            "timestamp": "2026-05-28 22:03:01,894",
            "thread_id": "9720",
            "caller": "0x7ff699df116a",
            "parentcaller": "0x7ff699df1466",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "5"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 240
          },
          {
            "timestamp": "2026-05-28 22:03:01,894",
            "thread_id": "9720",
            "caller": "0x7ff699df116a",
            "parentcaller": "0x7ff699df1466",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "5"
              },
              {
                "name": "TokenInformation",
                "value": "x\\x1d\\xe7$\\xf3\\x01\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\x01\\x02\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 241
          },
          {
            "timestamp": "2026-05-28 22:03:01,894",
            "thread_id": "9720",
            "caller": "0x7ff699df116a",
            "parentcaller": "0x7ff699df1466",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "6"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 242
          },
          {
            "timestamp": "2026-05-28 22:03:01,894",
            "thread_id": "9720",
            "caller": "0x7ff699df116a",
            "parentcaller": "0x7ff699df1466",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "6"
              },
              {
                "name": "TokenInformation",
                "value": "\\xe8)\\xe6$\\xf3\\x01\\x00\\x00\\x02\\x00P\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x18\\x00\\x00\\x00\\x00\\x10\\x01\\x02\\x00\\x00\\x00\\x00\\x00\\x05 \\x00\\x00\\x00 \\x02\\x00\\x00\\x00\\x00\\x14\\x00\\x00\\x00\\x00\\x10\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x05\\x12\\x00\\x00\\x00\\x00\\x00\\x1c\\x00\\x00\\x00\\x00\\xa0\\x01\\x03\\x00\\x00\\x00\\x00\\x00\\x05\\x05\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xc7X\\x02\\x00"
              }
            ],
            "repeated": 0,
            "id": 243
          },
          {
            "timestamp": "2026-05-28 22:03:01,894",
            "thread_id": "9720",
            "caller": "0x7ff699df116a",
            "parentcaller": "0x7ff699df1466",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "41"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00X@\\xdd3\\xfc\\x7f\\x00\\x00\\xebP\\xb53\\xfc\\x7f\\x00\\x00P\\xeb\\x13\\x927L\\x00\\x00(N\\xd93\\xfc\\x7f\\x00\\x00\\xe0\\xe9\\xfd\\x1a\\x9b\\x00\\x00\\x00\\xd8\\xe9\\xfd\\x1a\\x9b\\x00\\x00\\x00\\xa8\\xe9\\xfd\\x1a\\x9b\\x00\\x00\\x00\\xc8\\xe9\\xfd\\x1a"
              }
            ],
            "repeated": 0,
            "id": 244
          },
          {
            "timestamp": "2026-05-28 22:03:01,894",
            "thread_id": "9720",
            "caller": "0x7ff699df116a",
            "parentcaller": "0x7ff699df1466",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "41"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xe0)\\xe6$\\xf3\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xd9\\xd8\\xb63\\xfc\\x7f\\x00\\x00#\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\xc8\\xe7\\xfd\\x1a\\x9b\\x00\\x00\\x00p\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x9a\\x00\\x1f8\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x86\\xa2\\xd93"
              }
            ],
            "repeated": 0,
            "id": 245
          },
          {
            "timestamp": "2026-05-28 22:03:01,894",
            "thread_id": "9720",
            "caller": "0x7ff699df116a",
            "parentcaller": "0x7ff699df1466",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "10"
              },
              {
                "name": "TokenInformation",
                "value": "\\xdc\\xad\\x0b\\x00\\x00\\x00\\x00\\x00]Y\\x02\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x7f\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x94\\x0f\\x00\\x00\\x0e\\x00\\x00\\x00\\x18\\x00\\x00\\x00\\xbcY\\x02\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 246
          },
          {
            "timestamp": "2026-05-28 22:03:01,894",
            "thread_id": "9720",
            "caller": "0x7ff699df116a",
            "parentcaller": "0x7ff699df1466",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "4"
              },
              {
                "name": "TokenInformation",
                "value": "\\xe8,\\xe6$\\xf3\\x01\\x00\\x00\\x01\\x02\\x00\\x00\\x00\\x00\\x00\\x05 \\x00\\x00\\x00 \\x02\\x00\\x00\\x01\\x02\\x00\\x00\\x00\\x00\\x00\\x05 \\x00\\x00\\x00 \\x02\\x00\\x00\\x00\\x00\\x14\\x00\\x00\\x00\\x00\\x10\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x05\\x12\\x00\\x00\\x00\\x00\\x00\\x1c\\x00\\x00\\x00\\x00\\xa0\\x01\\x03\\x00\\x00\\x00\\x00\\x00\\x05"
              }
            ],
            "repeated": 0,
            "id": 247
          },
          {
            "timestamp": "2026-05-28 22:03:01,894",
            "thread_id": "9720",
            "caller": "0x7ff699df116a",
            "parentcaller": "0x7ff699df1466",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "25"
              },
              {
                "name": "TokenInformation",
                "value": "\\xb0-\\xe6$\\xf3\\x01\\x00\\x00`\\x00\\x00\\x00\\x00\\x00\\x00\\x05\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x10\\x000\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 248
          },
          {
            "timestamp": "2026-05-28 22:03:01,894",
            "thread_id": "9720",
            "caller": "0x7ff699df116a",
            "parentcaller": "0x7ff699df1466",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "5"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 249
          },
          {
            "timestamp": "2026-05-28 22:03:01,894",
            "thread_id": "9720",
            "caller": "0x7ff699df116a",
            "parentcaller": "0x7ff699df1466",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "5"
              },
              {
                "name": "TokenInformation",
                "value": "8\\x1b\\xe7$\\xf3\\x01\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\x01\\x02\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 250
          },
          {
            "timestamp": "2026-05-28 22:03:01,894",
            "thread_id": "9720",
            "caller": "0x7ff699df116a",
            "parentcaller": "0x7ff699df1466",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "6"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 251
          },
          {
            "timestamp": "2026-05-28 22:03:01,894",
            "thread_id": "9720",
            "caller": "0x7ff699df116a",
            "parentcaller": "0x7ff699df1466",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "6"
              },
              {
                "name": "TokenInformation",
                "value": "\\x08.\\xe6$\\xf3\\x01\\x00\\x00\\x02\\x00P\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x18\\x00\\x00\\x00\\x00\\x10\\x01\\x02\\x00\\x00\\x00\\x00\\x00\\x05 \\x00\\x00\\x00 \\x02\\x00\\x00\\x00\\x00\\x14\\x00\\x00\\x00\\x00\\x10\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x05\\x12\\x00\\x00\\x00\\x00\\x00\\x1c\\x00\\x00\\x00\\x00\\xa0\\x01\\x03\\x00\\x00\\x00\\x00\\x00\\x05\\x05\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xc7X\\x02\\x00"
              }
            ],
            "repeated": 0,
            "id": 252
          },
          {
            "timestamp": "2026-05-28 22:03:01,894",
            "thread_id": "9720",
            "caller": "0x7ff699df116a",
            "parentcaller": "0x7ff699df1466",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "41"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00X@\\xdd3\\xfc\\x7f\\x00\\x00\\xebP\\xb53\\xfc\\x7f\\x00\\x00\\xf0\\xd7\\x13\\x927L\\x00\\x00(N\\xd93\\xfc\\x7f\\x00\\x00@\\xe6\\xfd\\x1a\\x9b\\x00\\x00\\x008\\xe6\\xfd\\x1a\\x9b\\x00\\x00\\x00\\x08\\xe6\\xfd\\x1a\\x9b\\x00\\x00\\x00(\\xe6\\xfd\\x1a"
              }
            ],
            "repeated": 0,
            "id": 253
          },
          {
            "timestamp": "2026-05-28 22:03:01,894",
            "thread_id": "9720",
            "caller": "0x7ff699df116a",
            "parentcaller": "0x7ff699df1466",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "41"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00.\\xe6$\\xf3\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xd9\\xd8\\xb63\\xfc\\x7f\\x00\\x00#\\x00\\x00\\xc0\\x00\\x00\\x00\\x00(\\xe4\\xfd\\x1a\\x9b\\x00\\x00\\x00p\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x9a\\x00\\x1f8\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x86\\xa2\\xd93"
              }
            ],
            "repeated": 0,
            "id": 254
          },
          {
            "timestamp": "2026-05-28 22:03:01,894",
            "thread_id": "9720",
            "caller": "0x7ff699df116a",
            "parentcaller": "0x7ff699df1466",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000268"
              }
            ],
            "repeated": 0,
            "id": 255
          },
          {
            "timestamp": "2026-05-28 22:03:01,894",
            "thread_id": "9720",
            "caller": "0x7ff699df116a",
            "parentcaller": "0x7ff699df1466",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000270"
              }
            ],
            "repeated": 0,
            "id": 256
          },
          {
            "timestamp": "2026-05-28 22:03:01,894",
            "thread_id": "9720",
            "caller": "0x7ff699df116a",
            "parentcaller": "0x7ff699df1466",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x1f324e79000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 257
          },
          {
            "timestamp": "2026-05-28 22:03:01,894",
            "thread_id": "9720",
            "caller": "0x7ff699df116a",
            "parentcaller": "0x7ff699df1466",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "29"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 258
          },
          {
            "timestamp": "2026-05-28 22:03:01,894",
            "thread_id": "9720",
            "caller": "0x7ff699df116a",
            "parentcaller": "0x7ff699df1466",
            "category": "filesystem",
            "api": "NtOpenDirectoryObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "DirectoryHandle",
                "value": "0x00000270"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020001",
                "pretty_value": "FILE_READ_ACCESS|READ_CONTROL"
              },
              {
                "name": "ObjectAttributes",
                "value": "C:\\RPC Control"
              }
            ],
            "repeated": 0,
            "id": 259
          },
          {
            "timestamp": "2026-05-28 22:03:01,894",
            "thread_id": "9720",
            "caller": "0x7ff699df116a",
            "parentcaller": "0x7ff699df1466",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x00000268"
              }
            ],
            "repeated": 0,
            "id": 260
          },
          {
            "timestamp": "2026-05-28 22:03:01,894",
            "thread_id": "9720",
            "caller": "0x7ff699df116a",
            "parentcaller": "0x7ff699df1466",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "10"
              },
              {
                "name": "TokenInformation",
                "value": "\\xdc\\xad\\x0b\\x00\\x00\\x00\\x00\\x00]Y\\x02\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x7f\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x94\\x0f\\x00\\x00\\x0e\\x00\\x00\\x00\\x18\\x00\\x00\\x00\\xbcY\\x02\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 261
          },
          {
            "timestamp": "2026-05-28 22:03:01,894",
            "thread_id": "9720",
            "caller": "0x7ff699df116a",
            "parentcaller": "0x7ff699df1466",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "4"
              },
              {
                "name": "TokenInformation",
                "value": "\\xe8,\\xe6$\\xf3\\x01\\x00\\x00\\x01\\x02\\x00\\x00\\x00\\x00\\x00\\x05 \\x00\\x00\\x00 \\x02\\x00\\x00\\x01\\x02\\x00\\x00\\x00\\x00\\x00\\x05 \\x00\\x00\\x00 \\x02\\x00\\x00\\x00\\x00\\x14\\x00\\x00\\x00\\x00\\x10\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x05\\x12\\x00\\x00\\x00\\x00\\x00\\x1c\\x00\\x00\\x00\\x00\\xa0\\x01\\x03\\x00\\x00\\x00\\x00\\x00\\x05"
              }
            ],
            "repeated": 0,
            "id": 262
          },
          {
            "timestamp": "2026-05-28 22:03:01,894",
            "thread_id": "9720",
            "caller": "0x7ff699df116a",
            "parentcaller": "0x7ff699df1466",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "25"
              },
              {
                "name": "TokenInformation",
                "value": "\\xf0)\\xe6$\\xf3\\x01\\x00\\x00`\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x10\\x000\\x00\\x00\\x00\\x00\\x00\\x05 \\x00\\x00\\x00 \\x02\\x00\\x00\\x00\\x00\\x14\\x00\\x00\\x00\\x00\\x10\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x05\\x12\\x00\\x00\\x00\\x00\\x00\\x1c\\x00\\x00\\x00\\x00\\xa0\\x01\\x03\\x00\\x00\\x00\\x00\\x00\\x05\\x05\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 263
          },
          {
            "timestamp": "2026-05-28 22:03:01,894",
            "thread_id": "9720",
            "caller": "0x7ff699df116a",
            "parentcaller": "0x7ff699df1466",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "5"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 264
          },
          {
            "timestamp": "2026-05-28 22:03:01,894",
            "thread_id": "9720",
            "caller": "0x7ff699df116a",
            "parentcaller": "0x7ff699df1466",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "5"
              },
              {
                "name": "TokenInformation",
                "value": "\\x18\\x1a\\xe7$\\xf3\\x01\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\x01\\x02\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 265
          },
          {
            "timestamp": "2026-05-28 22:03:01,894",
            "thread_id": "9720",
            "caller": "0x7ff699df116a",
            "parentcaller": "0x7ff699df1466",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "6"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 266
          },
          {
            "timestamp": "2026-05-28 22:03:01,894",
            "thread_id": "9720",
            "caller": "0x7ff699df116a",
            "parentcaller": "0x7ff699df1466",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "6"
              },
              {
                "name": "TokenInformation",
                "value": "H*\\xe6$\\xf3\\x01\\x00\\x00\\x02\\x00P\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x18\\x00\\x00\\x00\\x00\\x10\\x01\\x02\\x00\\x00\\x00\\x00\\x00\\x05 \\x00\\x00\\x00 \\x02\\x00\\x00\\x00\\x00\\x14\\x00\\x00\\x00\\x00\\x10\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x05\\x12\\x00\\x00\\x00\\x00\\x00\\x1c\\x00\\x00\\x00\\x00\\xa0\\x01\\x03\\x00\\x00\\x00\\x00\\x00\\x05\\x05\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xc7X\\x02\\x00"
              }
            ],
            "repeated": 0,
            "id": 267
          },
          {
            "timestamp": "2026-05-28 22:03:01,894",
            "thread_id": "9720",
            "caller": "0x7ff699df116a",
            "parentcaller": "0x7ff699df1466",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "41"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00X@\\xdd3\\xfc\\x7f\\x00\\x00\\xebP\\xb53\\xfc\\x7f\\x00\\x00P\\xeb\\x13\\x927L\\x00\\x00(N\\xd93\\xfc\\x7f\\x00\\x00\\xe0\\xe9\\xfd\\x1a\\x9b\\x00\\x00\\x00\\xd8\\xe9\\xfd\\x1a\\x9b\\x00\\x00\\x00\\xa8\\xe9\\xfd\\x1a\\x9b\\x00\\x00\\x00\\xc8\\xe9\\xfd\\x1a"
              }
            ],
            "repeated": 0,
            "id": 268
          },
          {
            "timestamp": "2026-05-28 22:03:01,894",
            "thread_id": "9720",
            "caller": "0x7ff699df116a",
            "parentcaller": "0x7ff699df1466",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "41"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00@*\\xe6$\\xf3\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xd9\\xd8\\xb63\\xfc\\x7f\\x00\\x00#\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\xc8\\xe7\\xfd\\x1a\\x9b\\x00\\x00\\x00h\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x9a\\x00\\x1f8\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x86\\xa2\\xd93"
              }
            ],
            "repeated": 0,
            "id": 269
          },
          {
            "timestamp": "2026-05-28 22:03:01,894",
            "thread_id": "9720",
            "caller": "0x7ff699df116a",
            "parentcaller": "0x7ff699df1466",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "10"
              },
              {
                "name": "TokenInformation",
                "value": "\\xdc\\xad\\x0b\\x00\\x00\\x00\\x00\\x00]Y\\x02\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x7f\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x94\\x0f\\x00\\x00\\x0e\\x00\\x00\\x00\\x18\\x00\\x00\\x00\\xbcY\\x02\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 270
          },
          {
            "timestamp": "2026-05-28 22:03:01,894",
            "thread_id": "9720",
            "caller": "0x7ff699df116a",
            "parentcaller": "0x7ff699df1466",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "4"
              },
              {
                "name": "TokenInformation",
                "value": "\\xa8-\\xe6$\\xf3\\x01\\x00\\x00\\x01\\x02\\x00\\x00\\x00\\x00\\x00\\x05 \\x00\\x00\\x00 \\x02\\x00\\x00\\x000\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 271
          },
          {
            "timestamp": "2026-05-28 22:03:01,894",
            "thread_id": "9720",
            "caller": "0x7ff699df116a",
            "parentcaller": "0x7ff699df1466",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "25"
              },
              {
                "name": "TokenInformation",
                "value": "\\x10.\\xe6$\\xf3\\x01\\x00\\x00`\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x10\\x000\\x00\\x00\\x00\\x00\\x00\\x05 \\x00\\x00\\x00 \\x02\\x00\\x00\\x00\\x00\\x14\\x00\\x00\\x00\\x00\\x10\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x05\\x12\\x00\\x00\\x00\\x00\\x00\\x1c\\x00\\x00\\x00\\x00\\xa0\\x01\\x03\\x00\\x00\\x00\\x00\\x00\\x05\\x05\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 272
          },
          {
            "timestamp": "2026-05-28 22:03:01,894",
            "thread_id": "9720",
            "caller": "0x7ff699df116a",
            "parentcaller": "0x7ff699df1466",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "5"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 273
          },
          {
            "timestamp": "2026-05-28 22:03:01,894",
            "thread_id": "9720",
            "caller": "0x7ff699df116a",
            "parentcaller": "0x7ff699df1466",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "5"
              },
              {
                "name": "TokenInformation",
                "value": "\\xf8\\x1e\\xe7$\\xf3\\x01\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\x01\\x02\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 274
          },
          {
            "timestamp": "2026-05-28 22:03:01,894",
            "thread_id": "9720",
            "caller": "0x7ff699df116a",
            "parentcaller": "0x7ff699df1466",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "6"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 275
          },
          {
            "timestamp": "2026-05-28 22:03:01,894",
            "thread_id": "9720",
            "caller": "0x7ff699df116a",
            "parentcaller": "0x7ff699df1466",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "6"
              },
              {
                "name": "TokenInformation",
                "value": "h.\\xe6$\\xf3\\x01\\x00\\x00\\x02\\x00P\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x18\\x00\\x00\\x00\\x00\\x10\\x01\\x02\\x00\\x00\\x00\\x00\\x00\\x05 \\x00\\x00\\x00 \\x02\\x00\\x00\\x00\\x00\\x14\\x00\\x00\\x00\\x00\\x10\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x05\\x12\\x00\\x00\\x00\\x00\\x00\\x1c\\x00\\x00\\x00\\x00\\xa0\\x01\\x03\\x00\\x00\\x00\\x00\\x00\\x05\\x05\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xc7X\\x02\\x00"
              }
            ],
            "repeated": 0,
            "id": 276
          },
          {
            "timestamp": "2026-05-28 22:03:01,894",
            "thread_id": "9720",
            "caller": "0x7ff699df116a",
            "parentcaller": "0x7ff699df1466",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "41"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00X@\\xdd3\\xfc\\x7f\\x00\\x00\\xebP\\xb53\\xfc\\x7f\\x00\\x00\\xf0\\xd7\\x13\\x927L\\x00\\x00(N\\xd93\\xfc\\x7f\\x00\\x00@\\xe6\\xfd\\x1a\\x9b\\x00\\x00\\x008\\xe6\\xfd\\x1a\\x9b\\x00\\x00\\x00\\x08\\xe6\\xfd\\x1a\\x9b\\x00\\x00\\x00(\\xe6\\xfd\\x1a"
              }
            ],
            "repeated": 0,
            "id": 277
          },
          {
            "timestamp": "2026-05-28 22:03:01,894",
            "thread_id": "9720",
            "caller": "0x7ff699df116a",
            "parentcaller": "0x7ff699df1466",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "41"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00`.\\xe6$\\xf3\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xd9\\xd8\\xb63\\xfc\\x7f\\x00\\x00#\\x00\\x00\\xc0\\x00\\x00\\x00\\x00(\\xe4\\xfd\\x1a\\x9b\\x00\\x00\\x00h\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x9a\\x00\\x1f8\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x86\\xa2\\xd93"
              }
            ],
            "repeated": 0,
            "id": 278
          },
          {
            "timestamp": "2026-05-28 22:03:01,894",
            "thread_id": "9720",
            "caller": "0x7ff699df116a",
            "parentcaller": "0x7ff699df1466",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000270"
              }
            ],
            "repeated": 0,
            "id": 279
          },
          {
            "timestamp": "2026-05-28 22:03:01,894",
            "thread_id": "9720",
            "caller": "0x7ff699df116a",
            "parentcaller": "0x7ff699df1466",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000268"
              }
            ],
            "repeated": 0,
            "id": 280
          },
          {
            "timestamp": "2026-05-28 22:03:01,894",
            "thread_id": "9720",
            "caller": "0x7ff699df116a",
            "parentcaller": "0x7ff699df1466",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "29"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 281
          },
          {
            "timestamp": "2026-05-28 22:03:01,894",
            "thread_id": "9720",
            "caller": "0x7ff699df116a",
            "parentcaller": "0x7ff699df1466",
            "category": "filesystem",
            "api": "NtOpenDirectoryObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "DirectoryHandle",
                "value": "0x00000268"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020001",
                "pretty_value": "FILE_READ_ACCESS|READ_CONTROL"
              },
              {
                "name": "ObjectAttributes",
                "value": "C:\\RPC Control"
              }
            ],
            "repeated": 0,
            "id": 282
          },
          {
            "timestamp": "2026-05-28 22:03:01,894",
            "thread_id": "9720",
            "caller": "0x7ff699df116a",
            "parentcaller": "0x7ff699df1466",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x00000270"
              }
            ],
            "repeated": 0,
            "id": 283
          },
          {
            "timestamp": "2026-05-28 22:03:01,894",
            "thread_id": "9720",
            "caller": "0x7ff699df116a",
            "parentcaller": "0x7ff699df1466",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "10"
              },
              {
                "name": "TokenInformation",
                "value": "\\xdc\\xad\\x0b\\x00\\x00\\x00\\x00\\x00]Y\\x02\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x7f\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x94\\x0f\\x00\\x00\\x0e\\x00\\x00\\x00\\x18\\x00\\x00\\x00\\xbcY\\x02\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 284
          },
          {
            "timestamp": "2026-05-28 22:03:01,894",
            "thread_id": "9720",
            "caller": "0x7ff699df116a",
            "parentcaller": "0x7ff699df1466",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "4"
              },
              {
                "name": "TokenInformation",
                "value": "\\xe8)\\xe6$\\xf3\\x01\\x00\\x00\\x01\\x02\\x00\\x00\\x00\\x00\\x00\\x05 \\x00\\x00\\x00 \\x02\\x00\\x00\\x000\\x00\\x00\\x00\\x00\\x00\\x05 \\x00\\x00\\x00 \\x02\\x00\\x00\\x00\\x00\\x14\\x00\\x00\\x00\\x00\\x10\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x05\\x12\\x00\\x00\\x00\\x00\\x00\\x1c\\x00\\x00\\x00\\x00\\xa0\\x01\\x03\\x00\\x00\\x00\\x00\\x00\\x05"
              }
            ],
            "repeated": 0,
            "id": 285
          },
          {
            "timestamp": "2026-05-28 22:03:01,894",
            "thread_id": "9720",
            "caller": "0x7ff699df116a",
            "parentcaller": "0x7ff699df1466",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "25"
              },
              {
                "name": "TokenInformation",
                "value": "P*\\xe6$\\xf3\\x01\\x00\\x00`\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x10\\x000\\x00\\x00\\x00\\x00\\x00\\x05 \\x00\\x00\\x00 \\x02\\x00\\x00\\x00\\x00\\x14\\x00\\x00\\x00\\x00\\x10\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x05\\x12\\x00\\x00\\x00\\x00\\x00\\x1c\\x00\\x00\\x00\\x00\\xa0\\x01\\x03\\x00\\x00\\x00\\x00\\x00\\x05\\x05\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 286
          },
          {
            "timestamp": "2026-05-28 22:03:01,894",
            "thread_id": "9720",
            "caller": "0x7ff699df116a",
            "parentcaller": "0x7ff699df1466",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "5"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 287
          },
          {
            "timestamp": "2026-05-28 22:03:01,894",
            "thread_id": "9720",
            "caller": "0x7ff699df116a",
            "parentcaller": "0x7ff699df1466",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "5"
              },
              {
                "name": "TokenInformation",
                "value": "H\\x1a\\xe7$\\xf3\\x01\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\x01\\x02\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 288
          },
          {
            "timestamp": "2026-05-28 22:03:01,894",
            "thread_id": "9720",
            "caller": "0x7ff699df116a",
            "parentcaller": "0x7ff699df1466",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "6"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 289
          },
          {
            "timestamp": "2026-05-28 22:03:01,894",
            "thread_id": "9720",
            "caller": "0x7ff699df116a",
            "parentcaller": "0x7ff699df1466",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "6"
              },
              {
                "name": "TokenInformation",
                "value": "\\xe8,\\xe6$\\xf3\\x01\\x00\\x00\\x02\\x00P\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x18\\x00\\x00\\x00\\x00\\x10\\x01\\x02\\x00\\x00\\x00\\x00\\x00\\x05 \\x00\\x00\\x00 \\x02\\x00\\x00\\x00\\x00\\x14\\x00\\x00\\x00\\x00\\x10\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x05\\x12\\x00\\x00\\x00\\x00\\x00\\x1c\\x00\\x00\\x00\\x00\\xa0\\x01\\x03\\x00\\x00\\x00\\x00\\x00\\x05\\x05\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xc7X\\x02\\x00"
              }
            ],
            "repeated": 0,
            "id": 290
          },
          {
            "timestamp": "2026-05-28 22:03:01,894",
            "thread_id": "9720",
            "caller": "0x7ff699df116a",
            "parentcaller": "0x7ff699df1466",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "41"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00X@\\xdd3\\xfc\\x7f\\x00\\x00\\xebP\\xb53\\xfc\\x7f\\x00\\x00P\\xeb\\x13\\x927L\\x00\\x00(N\\xd93\\xfc\\x7f\\x00\\x00\\xe0\\xe9\\xfd\\x1a\\x9b\\x00\\x00\\x00\\xd8\\xe9\\xfd\\x1a\\x9b\\x00\\x00\\x00\\xa8\\xe9\\xfd\\x1a\\x9b\\x00\\x00\\x00\\xc8\\xe9\\xfd\\x1a"
              }
            ],
            "repeated": 0,
            "id": 291
          },
          {
            "timestamp": "2026-05-28 22:03:01,894",
            "thread_id": "9720",
            "caller": "0x7ff699df116a",
            "parentcaller": "0x7ff699df1466",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "41"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xe0,\\xe6$\\xf3\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xd9\\xd8\\xb63\\xfc\\x7f\\x00\\x00#\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\xc8\\xe7\\xfd\\x1a\\x9b\\x00\\x00\\x00p\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x9a\\x00\\x1f8\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x86\\xa2\\xd93"
              }
            ],
            "repeated": 0,
            "id": 292
          },
          {
            "timestamp": "2026-05-28 22:03:01,894",
            "thread_id": "9720",
            "caller": "0x7ff699df116a",
            "parentcaller": "0x7ff699df1466",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "10"
              },
              {
                "name": "TokenInformation",
                "value": "\\xdc\\xad\\x0b\\x00\\x00\\x00\\x00\\x00]Y\\x02\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x7f\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x94\\x0f\\x00\\x00\\x0e\\x00\\x00\\x00\\x18\\x00\\x00\\x00\\xbcY\\x02\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 293
          },
          {
            "timestamp": "2026-05-28 22:03:01,894",
            "thread_id": "9720",
            "caller": "0x7ff699df116a",
            "parentcaller": "0x7ff699df1466",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "4"
              },
              {
                "name": "TokenInformation",
                "value": "\\xa8-\\xe6$\\xf3\\x01\\x00\\x00\\x01\\x02\\x00\\x00\\x00\\x00\\x00\\x05 \\x00\\x00\\x00 \\x02\\x00\\x00\\x000\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 294
          },
          {
            "timestamp": "2026-05-28 22:03:01,894",
            "thread_id": "9720",
            "caller": "0x7ff699df116a",
            "parentcaller": "0x7ff699df1466",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "25"
              },
              {
                "name": "TokenInformation",
                "value": "\\x10.\\xe6$\\xf3\\x01\\x00\\x00`\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x10\\x000\\x00\\x00\\x00\\x00\\x00\\x05 \\x00\\x00\\x00 \\x02\\x00\\x00\\x00\\x00\\x14\\x00\\x00\\x00\\x00\\x10\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x05\\x12\\x00\\x00\\x00\\x00\\x00\\x1c\\x00\\x00\\x00\\x00\\xa0\\x01\\x03\\x00\\x00\\x00\\x00\\x00\\x05\\x05\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 295
          },
          {
            "timestamp": "2026-05-28 22:03:01,894",
            "thread_id": "9720",
            "caller": "0x7ff699df116a",
            "parentcaller": "0x7ff699df1466",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "5"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 296
          },
          {
            "timestamp": "2026-05-28 22:03:01,894",
            "thread_id": "9720",
            "caller": "0x7ff699df116a",
            "parentcaller": "0x7ff699df1466",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "5"
              },
              {
                "name": "TokenInformation",
                "value": "(\\x19\\xe7$\\xf3\\x01\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\x01\\x02\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 297
          },
          {
            "timestamp": "2026-05-28 22:03:01,894",
            "thread_id": "9720",
            "caller": "0x7ff699df116a",
            "parentcaller": "0x7ff699df1466",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "6"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 298
          },
          {
            "timestamp": "2026-05-28 22:03:01,894",
            "thread_id": "9720",
            "caller": "0x7ff699df116a",
            "parentcaller": "0x7ff699df1466",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "6"
              },
              {
                "name": "TokenInformation",
                "value": "h.\\xe6$\\xf3\\x01\\x00\\x00\\x02\\x00P\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x18\\x00\\x00\\x00\\x00\\x10\\x01\\x02\\x00\\x00\\x00\\x00\\x00\\x05 \\x00\\x00\\x00 \\x02\\x00\\x00\\x00\\x00\\x14\\x00\\x00\\x00\\x00\\x10\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x05\\x12\\x00\\x00\\x00\\x00\\x00\\x1c\\x00\\x00\\x00\\x00\\xa0\\x01\\x03\\x00\\x00\\x00\\x00\\x00\\x05\\x05\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xc7X\\x02\\x00"
              }
            ],
            "repeated": 0,
            "id": 299
          },
          {
            "timestamp": "2026-05-28 22:03:01,894",
            "thread_id": "9720",
            "caller": "0x7ff699df116a",
            "parentcaller": "0x7ff699df1466",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "41"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00X@\\xdd3\\xfc\\x7f\\x00\\x00\\xebP\\xb53\\xfc\\x7f\\x00\\x00\\xf0\\xd7\\x13\\x927L\\x00\\x00(N\\xd93\\xfc\\x7f\\x00\\x00@\\xe6\\xfd\\x1a\\x9b\\x00\\x00\\x008\\xe6\\xfd\\x1a\\x9b\\x00\\x00\\x00\\x08\\xe6\\xfd\\x1a\\x9b\\x00\\x00\\x00(\\xe6\\xfd\\x1a"
              }
            ],
            "repeated": 0,
            "id": 300
          },
          {
            "timestamp": "2026-05-28 22:03:01,894",
            "thread_id": "9720",
            "caller": "0x7ff699df116a",
            "parentcaller": "0x7ff699df1466",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "41"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00`.\\xe6$\\xf3\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xd9\\xd8\\xb63\\xfc\\x7f\\x00\\x00#\\x00\\x00\\xc0\\x00\\x00\\x00\\x00(\\xe4\\xfd\\x1a\\x9b\\x00\\x00\\x00p\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x9a\\x00\\x1f8\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x86\\xa2\\xd93"
              }
            ],
            "repeated": 0,
            "id": 301
          },
          {
            "timestamp": "2026-05-28 22:03:01,894",
            "thread_id": "9720",
            "caller": "0x7ff699df116a",
            "parentcaller": "0x7ff699df1466",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000268"
              }
            ],
            "repeated": 0,
            "id": 302
          },
          {
            "timestamp": "2026-05-28 22:03:01,894",
            "thread_id": "9720",
            "caller": "0x7ff699df116a",
            "parentcaller": "0x7ff699df1466",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000270"
              }
            ],
            "repeated": 0,
            "id": 303
          },
          {
            "timestamp": "2026-05-28 22:03:01,894",
            "thread_id": "9720",
            "caller": "0x7ff699df116a",
            "parentcaller": "0x7ff699df1466",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "29"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 304
          },
          {
            "timestamp": "2026-05-28 22:03:01,894",
            "thread_id": "9720",
            "caller": "0x7ff699df116a",
            "parentcaller": "0x7ff699df1466",
            "category": "filesystem",
            "api": "NtOpenDirectoryObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "DirectoryHandle",
                "value": "0x00000270"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020001",
                "pretty_value": "FILE_READ_ACCESS|READ_CONTROL"
              },
              {
                "name": "ObjectAttributes",
                "value": "C:\\RPC Control"
              }
            ],
            "repeated": 0,
            "id": 305
          },
          {
            "timestamp": "2026-05-28 22:03:01,894",
            "thread_id": "9720",
            "caller": "0x7ff699df116a",
            "parentcaller": "0x7ff699df1466",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x00000268"
              }
            ],
            "repeated": 0,
            "id": 306
          },
          {
            "timestamp": "2026-05-28 22:03:01,894",
            "thread_id": "9720",
            "caller": "0x7ff699df116a",
            "parentcaller": "0x7ff699df1466",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "10"
              },
              {
                "name": "TokenInformation",
                "value": "\\xdc\\xad\\x0b\\x00\\x00\\x00\\x00\\x00]Y\\x02\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x7f\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x94\\x0f\\x00\\x00\\x0e\\x00\\x00\\x00\\x18\\x00\\x00\\x00\\xbcY\\x02\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 307
          },
          {
            "timestamp": "2026-05-28 22:03:01,894",
            "thread_id": "9720",
            "caller": "0x7ff699df116a",
            "parentcaller": "0x7ff699df1466",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "4"
              },
              {
                "name": "TokenInformation",
                "value": "\\xe8)\\xe6$\\xf3\\x01\\x00\\x00\\x01\\x02\\x00\\x00\\x00\\x00\\x00\\x05 \\x00\\x00\\x00 \\x02\\x00\\x00\\x000\\x00\\x00\\x00\\x00\\x00\\x05 \\x00\\x00\\x00 \\x02\\x00\\x00\\x00\\x00\\x14\\x00\\x00\\x00\\x00\\x10\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x05\\x12\\x00\\x00\\x00\\x00\\x00\\x1c\\x00\\x00\\x00\\x00\\xa0\\x01\\x03\\x00\\x00\\x00\\x00\\x00\\x05"
              }
            ],
            "repeated": 0,
            "id": 308
          },
          {
            "timestamp": "2026-05-28 22:03:01,894",
            "thread_id": "9720",
            "caller": "0x7ff699df116a",
            "parentcaller": "0x7ff699df1466",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "25"
              },
              {
                "name": "TokenInformation",
                "value": "\\xb0-\\xe6$\\xf3\\x01\\x00\\x00`\\x00\\x00\\x00\\x00\\x00\\x00\\x05\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x10\\x000\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 309
          },
          {
            "timestamp": "2026-05-28 22:03:01,894",
            "thread_id": "9720",
            "caller": "0x7ff699df116a",
            "parentcaller": "0x7ff699df1466",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "5"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 310
          },
          {
            "timestamp": "2026-05-28 22:03:01,894",
            "thread_id": "9720",
            "caller": "0x7ff699df116a",
            "parentcaller": "0x7ff699df1466",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "5"
              },
              {
                "name": "TokenInformation",
                "value": "\\x98\\x1e\\xe7$\\xf3\\x01\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\x01\\x02\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 311
          },
          {
            "timestamp": "2026-05-28 22:03:01,894",
            "thread_id": "9720",
            "caller": "0x7ff699df116a",
            "parentcaller": "0x7ff699df1466",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "6"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 312
          },
          {
            "timestamp": "2026-05-28 22:03:01,894",
            "thread_id": "9720",
            "caller": "0x7ff699df116a",
            "parentcaller": "0x7ff699df1466",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "6"
              },
              {
                "name": "TokenInformation",
                "value": "H*\\xe6$\\xf3\\x01\\x00\\x00\\x02\\x00P\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x18\\x00\\x00\\x00\\x00\\x10\\x01\\x02\\x00\\x00\\x00\\x00\\x00\\x05 \\x00\\x00\\x00 \\x02\\x00\\x00\\x00\\x00\\x14\\x00\\x00\\x00\\x00\\x10\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x05\\x12\\x00\\x00\\x00\\x00\\x00\\x1c\\x00\\x00\\x00\\x00\\xa0\\x01\\x03\\x00\\x00\\x00\\x00\\x00\\x05\\x05\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xc7X\\x02\\x00"
              }
            ],
            "repeated": 0,
            "id": 313
          },
          {
            "timestamp": "2026-05-28 22:03:01,894",
            "thread_id": "9720",
            "caller": "0x7ff699df116a",
            "parentcaller": "0x7ff699df1466",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "41"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00X@\\xdd3\\xfc\\x7f\\x00\\x00\\xebP\\xb53\\xfc\\x7f\\x00\\x00P\\xeb\\x13\\x927L\\x00\\x00(N\\xd93\\xfc\\x7f\\x00\\x00\\xe0\\xe9\\xfd\\x1a\\x9b\\x00\\x00\\x00\\xd8\\xe9\\xfd\\x1a\\x9b\\x00\\x00\\x00\\xa8\\xe9\\xfd\\x1a\\x9b\\x00\\x00\\x00\\xc8\\xe9\\xfd\\x1a"
              }
            ],
            "repeated": 0,
            "id": 314
          },
          {
            "timestamp": "2026-05-28 22:03:01,894",
            "thread_id": "9720",
            "caller": "0x7ff699df116a",
            "parentcaller": "0x7ff699df1466",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "41"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00@*\\xe6$\\xf3\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xd9\\xd8\\xb63\\xfc\\x7f\\x00\\x00#\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\xc8\\xe7\\xfd\\x1a\\x9b\\x00\\x00\\x00h\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x9a\\x00\\x1f8\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x86\\xa2\\xd93"
              }
            ],
            "repeated": 0,
            "id": 315
          },
          {
            "timestamp": "2026-05-28 22:03:01,894",
            "thread_id": "9720",
            "caller": "0x7ff699df116a",
            "parentcaller": "0x7ff699df1466",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "10"
              },
              {
                "name": "TokenInformation",
                "value": "\\xdc\\xad\\x0b\\x00\\x00\\x00\\x00\\x00]Y\\x02\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x7f\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x94\\x0f\\x00\\x00\\x0e\\x00\\x00\\x00\\x18\\x00\\x00\\x00\\xbcY\\x02\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 316
          },
          {
            "timestamp": "2026-05-28 22:03:01,894",
            "thread_id": "9720",
            "caller": "0x7ff699df116a",
            "parentcaller": "0x7ff699df1466",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "4"
              },
              {
                "name": "TokenInformation",
                "value": "\\xc8.\\xe6$\\xf3\\x01\\x00\\x00\\x01\\x02\\x00\\x00\\x00\\x00\\x00\\x05 \\x00\\x00\\x00 \\x02\\x00\\x00\\x000\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 317
          },
          {
            "timestamp": "2026-05-28 22:03:01,894",
            "thread_id": "9720",
            "caller": "0x7ff699df116a",
            "parentcaller": "0x7ff699df1466",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "25"
              },
              {
                "name": "TokenInformation",
                "value": "\\x10.\\xe6$\\xf3\\x01\\x00\\x00`\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x10\\x000\\x00\\x00\\x00\\x00\\x00\\x05 \\x00\\x00\\x00 \\x02\\x00\\x00\\x00\\x00\\x14\\x00\\x00\\x00\\x00\\x10\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x05\\x12\\x00\\x00\\x00\\x00\\x00\\x1c\\x00\\x00\\x00\\x00\\xa0\\x01\\x03\\x00\\x00\\x00\\x00\\x00\\x05\\x05\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 318
          },
          {
            "timestamp": "2026-05-28 22:03:01,894",
            "thread_id": "9720",
            "caller": "0x7ff699df116a",
            "parentcaller": "0x7ff699df1466",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "5"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 319
          },
          {
            "timestamp": "2026-05-28 22:03:01,894",
            "thread_id": "9720",
            "caller": "0x7ff699df116a",
            "parentcaller": "0x7ff699df1466",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "5"
              },
              {
                "name": "TokenInformation",
                "value": "\\x98\\x1b\\xe7$\\xf3\\x01\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\x01\\x02\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 320
          },
          {
            "timestamp": "2026-05-28 22:03:01,894",
            "thread_id": "9720",
            "caller": "0x7ff699df116a",
            "parentcaller": "0x7ff699df1466",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "6"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 321
          },
          {
            "timestamp": "2026-05-28 22:03:01,894",
            "thread_id": "9720",
            "caller": "0x7ff699df116a",
            "parentcaller": "0x7ff699df1466",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "6"
              },
              {
                "name": "TokenInformation",
                "value": "\\xe8,\\xe6$\\xf3\\x01\\x00\\x00\\x02\\x00P\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x18\\x00\\x00\\x00\\x00\\x10\\x01\\x02\\x00\\x00\\x00\\x00\\x00\\x05 \\x00\\x00\\x00 \\x02\\x00\\x00\\x00\\x00\\x14\\x00\\x00\\x00\\x00\\x10\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x05\\x12\\x00\\x00\\x00\\x00\\x00\\x1c\\x00\\x00\\x00\\x00\\xa0\\x01\\x03\\x00\\x00\\x00\\x00\\x00\\x05\\x05\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xc7X\\x02\\x00"
              }
            ],
            "repeated": 0,
            "id": 322
          },
          {
            "timestamp": "2026-05-28 22:03:01,894",
            "thread_id": "9720",
            "caller": "0x7ff699df116a",
            "parentcaller": "0x7ff699df1466",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "41"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00X@\\xdd3\\xfc\\x7f\\x00\\x00\\xebP\\xb53\\xfc\\x7f\\x00\\x00\\xf0\\xd7\\x13\\x927L\\x00\\x00(N\\xd93\\xfc\\x7f\\x00\\x00@\\xe6\\xfd\\x1a\\x9b\\x00\\x00\\x008\\xe6\\xfd\\x1a\\x9b\\x00\\x00\\x00\\x08\\xe6\\xfd\\x1a\\x9b\\x00\\x00\\x00(\\xe6\\xfd\\x1a"
              }
            ],
            "repeated": 0,
            "id": 323
          },
          {
            "timestamp": "2026-05-28 22:03:01,894",
            "thread_id": "9720",
            "caller": "0x7ff699df116a",
            "parentcaller": "0x7ff699df1466",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "41"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xe0,\\xe6$\\xf3\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xd9\\xd8\\xb63\\xfc\\x7f\\x00\\x00#\\x00\\x00\\xc0\\x00\\x00\\x00\\x00(\\xe4\\xfd\\x1a\\x9b\\x00\\x00\\x00h\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x9a\\x00\\x1f8\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x86\\xa2\\xd93"
              }
            ],
            "repeated": 0,
            "id": 324
          },
          {
            "timestamp": "2026-05-28 22:03:01,894",
            "thread_id": "9720",
            "caller": "0x7ff699df116a",
            "parentcaller": "0x7ff699df1466",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000270"
              }
            ],
            "repeated": 0,
            "id": 325
          },
          {
            "timestamp": "2026-05-28 22:03:01,894",
            "thread_id": "9720",
            "caller": "0x7ff699df116a",
            "parentcaller": "0x7ff699df1466",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000268"
              }
            ],
            "repeated": 0,
            "id": 326
          },
          {
            "timestamp": "2026-05-28 22:03:01,894",
            "thread_id": "9720",
            "caller": "0x7ff699df116a",
            "parentcaller": "0x7ff699df1466",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "29"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 327
          },
          {
            "timestamp": "2026-05-28 22:03:01,894",
            "thread_id": "9720",
            "caller": "0x7ff699df116a",
            "parentcaller": "0x7ff699df1466",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x1f324e7a000"
              },
              {
                "name": "RegionSize",
                "value": "0x00002000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 328
          },
          {
            "timestamp": "2026-05-28 22:03:01,910",
            "thread_id": "3116",
            "caller": "0x7ffc7804507d",
            "parentcaller": "0x7ffc78044c43",
            "category": "threading",
            "api": "NtTestAlert",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 329
          },
          {
            "timestamp": "2026-05-28 22:03:01,910",
            "thread_id": "3116",
            "caller": "0x00000000",
            "parentcaller": "0x00000000",
            "category": "threading",
            "api": "RtlUserThreadStart",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "StartAddress",
                "value": "0x7ffc77c12d30"
              },
              {
                "name": "Parameter",
                "value": "0x1f324e66e20"
              }
            ],
            "repeated": 0,
            "id": 330
          },
          {
            "timestamp": "2026-05-28 22:03:01,926",
            "thread_id": "6264",
            "caller": "0x7ffc7804507d",
            "parentcaller": "0x7ffc78044c43",
            "category": "threading",
            "api": "NtTestAlert",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 331
          },
          {
            "timestamp": "2026-05-28 22:03:01,926",
            "thread_id": "6264",
            "caller": "0x00000000",
            "parentcaller": "0x00000000",
            "category": "threading",
            "api": "RtlUserThreadStart",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "StartAddress",
                "value": "0x7ffc78022b30"
              },
              {
                "name": "Parameter",
                "value": "0x1f324e40b50"
              }
            ],
            "repeated": 0,
            "id": 332
          },
          {
            "timestamp": "2026-05-28 22:03:01,926",
            "thread_id": "6264",
            "caller": "0x7ffc75716f4c",
            "parentcaller": "0x7ffc770cef53",
            "category": "system",
            "api": "NtDuplicateObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SourceProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "SourceHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "TargetProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "TargetHandle",
                "value": "0x0000027c"
              },
              {
                "name": "Options",
                "value": "0x00000002"
              }
            ],
            "repeated": 0,
            "id": 333
          },
          {
            "timestamp": "2026-05-28 22:03:01,926",
            "thread_id": "6264",
            "caller": "0x7ffc77fde715",
            "parentcaller": "0x7ffc77fde37b",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x1f324e7c000"
              },
              {
                "name": "RegionSize",
                "value": "0x00002000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 334
          },
          {
            "timestamp": "2026-05-28 22:03:01,926",
            "thread_id": "6264",
            "caller": "0x7ffc77fde715",
            "parentcaller": "0x7ffc77fde37b",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x1f324e7e000"
              },
              {
                "name": "RegionSize",
                "value": "0x00002000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 335
          },
          {
            "timestamp": "2026-05-28 22:03:01,926",
            "thread_id": "9720",
            "caller": "0x7ff699df116a",
            "parentcaller": "0x7ff699df1466",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "combase.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc77b70000"
              }
            ],
            "repeated": 0,
            "id": 336
          },
          {
            "timestamp": "2026-05-28 22:03:01,926",
            "thread_id": "9720",
            "caller": "0x7ff699df116a",
            "parentcaller": "0x7ff699df1466",
            "category": "threading",
            "api": "NtCreateThreadEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0x0000028c"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "StartAddress",
                "value": "0x7ffc77c12d30"
              },
              {
                "name": "Parameter",
                "value": "0x1f324e672e0"
              },
              {
                "name": "CreateFlags",
                "value": "0x00000001"
              },
              {
                "name": "ThreadId",
                "value": "5468"
              },
              {
                "name": "ProcessId",
                "value": "9716"
              },
              {
                "name": "Module",
                "value": "combase.dll"
              }
            ],
            "repeated": 0,
            "id": 337
          },
          {
            "timestamp": "2026-05-28 22:03:01,926",
            "thread_id": "9720",
            "caller": "0x7ff699df116a",
            "parentcaller": "0x7ff699df1466",
            "category": "threading",
            "api": "CreateRemoteThreadEx",
            "status": true,
            "return": "0x0000028c",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "StartRoutine",
                "value": "0x7ffc77c12d30"
              },
              {
                "name": "Parameter",
                "value": "0x1f324e672e0"
              },
              {
                "name": "CreationFlags",
                "value": "0x00000000"
              },
              {
                "name": "ThreadId",
                "value": "5468"
              },
              {
                "name": "ProcessId",
                "value": "9716"
              }
            ],
            "repeated": 0,
            "id": 338
          },
          {
            "timestamp": "2026-05-28 22:03:01,926",
            "thread_id": "9720",
            "caller": "0x7ff699df116a",
            "parentcaller": "0x7ff699df1466",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000028c"
              }
            ],
            "repeated": 0,
            "id": 339
          },
          {
            "timestamp": "2026-05-28 22:03:01,926",
            "thread_id": "9720",
            "caller": "0x7ff699df116a",
            "parentcaller": "0x7ff699df1466",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000284"
              },
              {
                "name": "Milliseconds",
                "value": "18446744073709551615"
              },
              {
                "name": "Status",
                "value": "Infinite"
              }
            ],
            "repeated": 0,
            "id": 340
          },
          {
            "timestamp": "2026-05-28 22:03:01,941",
            "thread_id": "5468",
            "caller": "0x7ffc7802eb32",
            "parentcaller": "0x7ffc77fe77c3",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000038"
              },
              {
                "name": "Milliseconds",
                "value": "18446744073709551615"
              },
              {
                "name": "Status",
                "value": "Infinite"
              }
            ],
            "repeated": 1,
            "id": 341
          },
          {
            "timestamp": "2026-05-28 22:03:01,941",
            "thread_id": "5468",
            "caller": "0x7ffc7804507d",
            "parentcaller": "0x7ffc78044c43",
            "category": "threading",
            "api": "NtTestAlert",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 342
          },
          {
            "timestamp": "2026-05-28 22:03:01,941",
            "thread_id": "5468",
            "caller": "0x00000000",
            "parentcaller": "0x00000000",
            "category": "threading",
            "api": "RtlUserThreadStart",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "StartAddress",
                "value": "0x7ffc77c12d30"
              },
              {
                "name": "Parameter",
                "value": "0x1f324e672e0"
              }
            ],
            "repeated": 0,
            "id": 343
          },
          {
            "timestamp": "2026-05-28 22:03:01,941",
            "thread_id": "5468",
            "caller": "0x7ffc78017830",
            "parentcaller": "0x7ffc780020f9",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc77ea1000"
              },
              {
                "name": "ModuleName",
                "value": "combase.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 344
          },
          {
            "timestamp": "2026-05-28 22:03:01,941",
            "thread_id": "5468",
            "caller": "0x7ffc78017881",
            "parentcaller": "0x7ffc780020f9",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc77ea1000"
              },
              {
                "name": "ModuleName",
                "value": "combase.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 345
          },
          {
            "timestamp": "2026-05-28 22:03:01,941",
            "thread_id": "5468",
            "caller": "0x7ffc756e56b2",
            "parentcaller": "0x7ffc762c2b57",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\system32\\uxtheme"
              },
              {
                "name": "DllBase",
                "value": "0x7ffc730a0000"
              }
            ],
            "repeated": 0,
            "id": 346
          },
          {
            "timestamp": "2026-05-28 22:03:01,957",
            "thread_id": "3340",
            "caller": "0x7ffc7804507d",
            "parentcaller": "0x7ffc78044c43",
            "category": "threading",
            "api": "NtTestAlert",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 347
          },
          {
            "timestamp": "2026-05-28 22:03:01,957",
            "thread_id": "3340",
            "caller": "0x00000000",
            "parentcaller": "0x00000000",
            "category": "threading",
            "api": "RtlUserThreadStart",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "StartAddress",
                "value": "0x7ffc78022b30"
              },
              {
                "name": "Parameter",
                "value": "0x1f324e40b50"
              }
            ],
            "repeated": 0,
            "id": 348
          },
          {
            "timestamp": "2026-05-28 22:03:02,019",
            "thread_id": "5468",
            "caller": "0x7ffc756e56b2",
            "parentcaller": "0x7ffc762c2b57",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\uxtheme.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc730a0000"
              }
            ],
            "repeated": 0,
            "id": 349
          },
          {
            "timestamp": "2026-05-28 22:03:02,019",
            "thread_id": "5468",
            "caller": "0x7ffc756e56b2",
            "parentcaller": "0x7ffc762c2b57",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x7ffc730a0000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\system32\\uxtheme.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00000008"
              }
            ],
            "repeated": 0,
            "id": 350
          },
          {
            "timestamp": "2026-05-28 22:03:02,019",
            "thread_id": "5468",
            "caller": "0x7ffc756eac31",
            "parentcaller": "0x7ffc762c2bbb",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "uxtheme.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc730a0000"
              },
              {
                "name": "FunctionName",
                "value": "ThemeInitApiHook"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc730acde0"
              }
            ],
            "repeated": 0,
            "id": 351
          },
          {
            "timestamp": "2026-05-28 22:03:02,019",
            "thread_id": "5468",
            "caller": "0x7ffc730ace20",
            "parentcaller": "0x7ffc762c2d8c",
            "category": "system",
            "api": "IsDebuggerPresent",
            "status": false,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 352
          },
          {
            "timestamp": "2026-05-28 22:03:02,035",
            "thread_id": "5468",
            "caller": "0x7ffc78006c8b",
            "parentcaller": "0x7ffc77fe67b5",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xc0\\xe9\\xbf\\x1b\\x9b\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\xe9\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 353
          },
          {
            "timestamp": "2026-05-28 22:03:02,035",
            "thread_id": "5468",
            "caller": "0x7ffc77fe67ec",
            "parentcaller": "0x7ffc756c5140",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000029c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3968686040-3210279463-847977608-1001"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER"
              }
            ],
            "repeated": 0,
            "id": 354
          },
          {
            "timestamp": "2026-05-28 22:03:02,035",
            "thread_id": "5468",
            "caller": "0x7ffc756e40c4",
            "parentcaller": "0x7ffc756e3f4b",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000029c"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 355
          },
          {
            "timestamp": "2026-05-28 22:03:02,035",
            "thread_id": "5468",
            "caller": "0x7ffc756e3f76",
            "parentcaller": "0x7ffc75764fd4",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002a4"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x0000029c"
              },
              {
                "name": "ObjectAttributesName",
                "value": "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Themes\\Personalize"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Themes\\Personalize"
              }
            ],
            "repeated": 0,
            "id": 356
          },
          {
            "timestamp": "2026-05-28 22:03:02,035",
            "thread_id": "5468",
            "caller": "0x7ffc756e2fe4",
            "parentcaller": "0x7ffc730dd921",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002a4"
              },
              {
                "name": "ValueName",
                "value": "AppsUseLightTheme"
              },
              {
                "name": "Data",
                "value": "1"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Themes\\Personalize\\AppsUseLightTheme"
              }
            ],
            "repeated": 0,
            "id": 357
          },
          {
            "timestamp": "2026-05-28 22:03:02,035",
            "thread_id": "5468",
            "caller": "0x7ffc756e3018",
            "parentcaller": "0x7ffc730dd921",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002a4"
              }
            ],
            "repeated": 0,
            "id": 358
          },
          {
            "timestamp": "2026-05-28 22:03:02,035",
            "thread_id": "5468",
            "caller": "0x7ffc730ad96c",
            "parentcaller": "0x7ffc730ad1d1",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000029c"
              }
            ],
            "repeated": 0,
            "id": 359
          },
          {
            "timestamp": "2026-05-28 22:03:02,035",
            "thread_id": "5468",
            "caller": "0x7ffc75716f4c",
            "parentcaller": "0x7ffc770cef53",
            "category": "system",
            "api": "NtDuplicateObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SourceProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "SourceHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "TargetProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "TargetHandle",
                "value": "0x000002a8"
              },
              {
                "name": "Options",
                "value": "0x00000002"
              }
            ],
            "repeated": 0,
            "id": 360
          },
          {
            "timestamp": "2026-05-28 22:03:02,035",
            "thread_id": "5468",
            "caller": "0x7ffc77fde715",
            "parentcaller": "0x7ffc77fde37b",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x1f324e80000"
              },
              {
                "name": "RegionSize",
                "value": "0x00002000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 361
          },
          {
            "timestamp": "2026-05-28 22:03:02,035",
            "thread_id": "5468",
            "caller": "0x7ffc78013f7a",
            "parentcaller": "0x7ffc770b0ed7",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "29"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 362
          },
          {
            "timestamp": "2026-05-28 22:03:02,035",
            "thread_id": "5468",
            "caller": "0x7ffc770b0cd1",
            "parentcaller": "0x7ffc770af28f",
            "category": "filesystem",
            "api": "NtOpenDirectoryObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "DirectoryHandle",
                "value": "0x000002ac"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020001",
                "pretty_value": "FILE_READ_ACCESS|READ_CONTROL"
              },
              {
                "name": "ObjectAttributes",
                "value": "C:\\RPC Control"
              }
            ],
            "repeated": 0,
            "id": 363
          },
          {
            "timestamp": "2026-05-28 22:03:02,035",
            "thread_id": "5468",
            "caller": "0x7ffc7572026b",
            "parentcaller": "0x7ffc770b0daf",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x000002b0"
              }
            ],
            "repeated": 0,
            "id": 364
          },
          {
            "timestamp": "2026-05-28 22:03:02,035",
            "thread_id": "5468",
            "caller": "0x7ffc78008cde",
            "parentcaller": "0x7ffc78049c4e",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "10"
              },
              {
                "name": "TokenInformation",
                "value": "\\xdc\\xad\\x0b\\x00\\x00\\x00\\x00\\x00]Y\\x02\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x7f\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x94\\x0f\\x00\\x00\\x0e\\x00\\x00\\x00\\x18\\x00\\x00\\x00\\xbcY\\x02\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 365
          },
          {
            "timestamp": "2026-05-28 22:03:02,035",
            "thread_id": "5468",
            "caller": "0x7ffc78036e46",
            "parentcaller": "0x7ffc78008d8f",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "4"
              },
              {
                "name": "TokenInformation",
                "value": "\\xd8\\x0c\\xe8$\\xf3\\x01\\x00\\x00\\x01\\x02\\x00\\x00\\x00\\x00\\x00\\x05 \\x00\\x00\\x00 \\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 366
          },
          {
            "timestamp": "2026-05-28 22:03:02,035",
            "thread_id": "5468",
            "caller": "0x7ffc78036e9b",
            "parentcaller": "0x7ffc78008d8f",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "25"
              },
              {
                "name": "TokenInformation",
                "value": "@\r\\xe8$\\xf3\\x01\\x00\\x00`\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x10\\x000\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 367
          },
          {
            "timestamp": "2026-05-28 22:03:02,035",
            "thread_id": "5468",
            "caller": "0x7ffc78036ec0",
            "parentcaller": "0x7ffc78008d8f",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "5"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 368
          },
          {
            "timestamp": "2026-05-28 22:03:02,035",
            "thread_id": "5468",
            "caller": "0x7ffc78036f0e",
            "parentcaller": "0x7ffc78008d8f",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "5"
              },
              {
                "name": "TokenInformation",
                "value": "\\x98\\x1e\\xe7$\\xf3\\x01\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\x01\\x02\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 369
          },
          {
            "timestamp": "2026-05-28 22:03:02,035",
            "thread_id": "5468",
            "caller": "0x7ffc78036f37",
            "parentcaller": "0x7ffc78008d8f",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "6"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 370
          },
          {
            "timestamp": "2026-05-28 22:03:02,035",
            "thread_id": "5468",
            "caller": "0x7ffc78036f8f",
            "parentcaller": "0x7ffc78008d8f",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "6"
              },
              {
                "name": "TokenInformation",
                "value": "\\x98\r\\xe8$\\xf3\\x01\\x00\\x00\\x02\\x00P\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x18\\x00\\x00\\x00\\x00\\x10\\x01\\x02\\x00\\x00\\x00\\x00\\x00\\x05 \\x00\\x00\\x00 \\x02\\x00\\x00\\x00\\x00\\x14\\x00\\x00\\x00\\x00\\x10\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x05\\x12\\x00\\x00\\x00\\x00\\x00\\x1c\\x00\\x00\\x00\\x00\\xa0\\x01\\x03\\x00\\x00\\x00\\x00\\x00\\x05\\x05\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xc7X\\x02\\x00"
              }
            ],
            "repeated": 0,
            "id": 371
          },
          {
            "timestamp": "2026-05-28 22:03:02,035",
            "thread_id": "5468",
            "caller": "0x7ffc78037048",
            "parentcaller": "0x7ffc78036fa8",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "41"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00X@\\xdd3\\xfc\\x7f\\x00\\x00\\xebP\\xb53\\xfc\\x7f\\x00\\x00p\\xe9Q\\x937L\\x00\\x00(N\\xd93\\xfc\\x7f\\x00\\x00\\xc0\\xeb\\xbf\\x1b\\x9b\\x00\\x00\\x00\\xb8\\xeb\\xbf\\x1b\\x9b\\x00\\x00\\x00\\x88\\xeb\\xbf\\x1b\\x9b\\x00\\x00\\x00\\xa8\\xeb\\xbf\\x1b"
              }
            ],
            "repeated": 0,
            "id": 372
          },
          {
            "timestamp": "2026-05-28 22:03:02,035",
            "thread_id": "5468",
            "caller": "0x7ffc7803707b",
            "parentcaller": "0x7ffc78036fa8",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "41"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x90\r\\xe8$\\xf3\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xd9\\xd8\\xb63\\xfc\\x7f\\x00\\x00#\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\xa8\\xe9\\xbf\\x1b\\x9b\\x00\\x00\\x00\\xb0\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x9a\\x00\\x1f8\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x86\\xa2\\xd93"
              }
            ],
            "repeated": 0,
            "id": 373
          },
          {
            "timestamp": "2026-05-28 22:03:02,035",
            "thread_id": "5468",
            "caller": "0x7ffc78008cde",
            "parentcaller": "0x7ffc7800953a",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "10"
              },
              {
                "name": "TokenInformation",
                "value": "\\xdc\\xad\\x0b\\x00\\x00\\x00\\x00\\x00]Y\\x02\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x7f\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x94\\x0f\\x00\\x00\\x0e\\x00\\x00\\x00\\x18\\x00\\x00\\x00\\xbcY\\x02\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 374
          },
          {
            "timestamp": "2026-05-28 22:03:02,035",
            "thread_id": "5468",
            "caller": "0x7ffc78036e46",
            "parentcaller": "0x7ffc78008d8f",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "4"
              },
              {
                "name": "TokenInformation",
                "value": "X\\x08\\xe8$\\xf3\\x01\\x00\\x00\\x01\\x02\\x00\\x00\\x00\\x00\\x00\\x05 \\x00\\x00\\x00 \\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 375
          },
          {
            "timestamp": "2026-05-28 22:03:02,035",
            "thread_id": "5468",
            "caller": "0x7ffc78036e9b",
            "parentcaller": "0x7ffc78008d8f",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "25"
              },
              {
                "name": "TokenInformation",
                "value": "\\xc0\\x08\\xe8$\\xf3\\x01\\x00\\x00`\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x10\\x000\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 376
          },
          {
            "timestamp": "2026-05-28 22:03:02,035",
            "thread_id": "5468",
            "caller": "0x7ffc78036ec0",
            "parentcaller": "0x7ffc78008d8f",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "5"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 377
          },
          {
            "timestamp": "2026-05-28 22:03:02,035",
            "thread_id": "5468",
            "caller": "0x7ffc78036f0e",
            "parentcaller": "0x7ffc78008d8f",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "5"
              },
              {
                "name": "TokenInformation",
                "value": "(\\x19\\xe7$\\xf3\\x01\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\x01\\x02\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 378
          },
          {
            "timestamp": "2026-05-28 22:03:02,035",
            "thread_id": "5468",
            "caller": "0x7ffc78036f37",
            "parentcaller": "0x7ffc78008d8f",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "6"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 379
          },
          {
            "timestamp": "2026-05-28 22:03:02,035",
            "thread_id": "5468",
            "caller": "0x7ffc78036f8f",
            "parentcaller": "0x7ffc78008d8f",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "6"
              },
              {
                "name": "TokenInformation",
                "value": "\\xf8\r\\xe8$\\xf3\\x01\\x00\\x00\\x02\\x00P\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x18\\x00\\x00\\x00\\x00\\x10\\x01\\x02\\x00\\x00\\x00\\x00\\x00\\x05 \\x00\\x00\\x00 \\x02\\x00\\x00\\x00\\x00\\x14\\x00\\x00\\x00\\x00\\x10\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x05\\x12\\x00\\x00\\x00\\x00\\x00\\x1c\\x00\\x00\\x00\\x00\\xa0\\x01\\x03\\x00\\x00\\x00\\x00\\x00\\x05\\x05\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xc7X\\x02\\x00"
              }
            ],
            "repeated": 0,
            "id": 380
          },
          {
            "timestamp": "2026-05-28 22:03:02,035",
            "thread_id": "5468",
            "caller": "0x7ffc78037048",
            "parentcaller": "0x7ffc78036fa8",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "41"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00X@\\xdd3\\xfc\\x7f\\x00\\x00\\xebP\\xb53\\xfc\\x7f\\x00\\x00\\x90\\xd5Q\\x937L\\x00\\x00(N\\xd93\\xfc\\x7f\\x00\\x00 \\xe8\\xbf\\x1b\\x9b\\x00\\x00\\x00\\x18\\xe8\\xbf\\x1b\\x9b\\x00\\x00\\x00\\xe8\\xe7\\xbf\\x1b\\x9b\\x00\\x00\\x00\\x08\\xe8\\xbf\\x1b"
              }
            ],
            "repeated": 0,
            "id": 381
          },
          {
            "timestamp": "2026-05-28 22:03:02,035",
            "thread_id": "5468",
            "caller": "0x7ffc7803707b",
            "parentcaller": "0x7ffc78036fa8",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "41"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xf0\r\\xe8$\\xf3\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xd9\\xd8\\xb63\\xfc\\x7f\\x00\\x00#\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x08\\xe6\\xbf\\x1b\\x9b\\x00\\x00\\x00\\xb0\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x9a\\x00\\x1f8\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x86\\xa2\\xd93"
              }
            ],
            "repeated": 0,
            "id": 382
          },
          {
            "timestamp": "2026-05-28 22:03:02,035",
            "thread_id": "5468",
            "caller": "0x7ffc756e6785",
            "parentcaller": "0x7ffc770b0e27",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002ac"
              }
            ],
            "repeated": 0,
            "id": 383
          },
          {
            "timestamp": "2026-05-28 22:03:02,035",
            "thread_id": "5468",
            "caller": "0x7ffc756e6785",
            "parentcaller": "0x7ffc770b0e49",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002b0"
              }
            ],
            "repeated": 0,
            "id": 384
          },
          {
            "timestamp": "2026-05-28 22:03:02,035",
            "thread_id": "5468",
            "caller": "0x7ffc77fde715",
            "parentcaller": "0x7ffc77fde37b",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x1f324e82000"
              },
              {
                "name": "RegionSize",
                "value": "0x00002000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 385
          },
          {
            "timestamp": "2026-05-28 22:03:02,035",
            "thread_id": "9720",
            "caller": "0x7ff699df116a",
            "parentcaller": "0x7ff699df1466",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "29"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 386
          },
          {
            "timestamp": "2026-05-28 22:03:02,035",
            "thread_id": "9720",
            "caller": "0x7ff699df116a",
            "parentcaller": "0x7ff699df1466",
            "category": "filesystem",
            "api": "NtOpenDirectoryObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "DirectoryHandle",
                "value": "0x000002b0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020001",
                "pretty_value": "FILE_READ_ACCESS|READ_CONTROL"
              },
              {
                "name": "ObjectAttributes",
                "value": "C:\\RPC Control"
              }
            ],
            "repeated": 0,
            "id": 387
          },
          {
            "timestamp": "2026-05-28 22:03:02,035",
            "thread_id": "9720",
            "caller": "0x7ff699df116a",
            "parentcaller": "0x7ff699df1466",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x000002ac"
              }
            ],
            "repeated": 0,
            "id": 388
          },
          {
            "timestamp": "2026-05-28 22:03:02,035",
            "thread_id": "9720",
            "caller": "0x7ff699df116a",
            "parentcaller": "0x7ff699df1466",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "10"
              },
              {
                "name": "TokenInformation",
                "value": "\\xdc\\xad\\x0b\\x00\\x00\\x00\\x00\\x00]Y\\x02\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x7f\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x94\\x0f\\x00\\x00\\x0e\\x00\\x00\\x00\\x18\\x00\\x00\\x00\\xbcY\\x02\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 389
          },
          {
            "timestamp": "2026-05-28 22:03:02,035",
            "thread_id": "9720",
            "caller": "0x7ff699df116a",
            "parentcaller": "0x7ff699df1466",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "4"
              },
              {
                "name": "TokenInformation",
                "value": "x\t\\xe8$\\xf3\\x01\\x00\\x00\\x01\\x02\\x00\\x00\\x00\\x00\\x00\\x05 \\x00\\x00\\x00 \\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 390
          },
          {
            "timestamp": "2026-05-28 22:03:02,035",
            "thread_id": "9720",
            "caller": "0x7ff699df116a",
            "parentcaller": "0x7ff699df1466",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "25"
              },
              {
                "name": "TokenInformation",
                "value": "\\xe0\\x06\\xe8$\\xf3\\x01\\x00\\x00`\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x10\\x000\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 391
          },
          {
            "timestamp": "2026-05-28 22:03:02,035",
            "thread_id": "9720",
            "caller": "0x7ff699df116a",
            "parentcaller": "0x7ff699df1466",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "5"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 392
          },
          {
            "timestamp": "2026-05-28 22:03:02,035",
            "thread_id": "9720",
            "caller": "0x7ff699df116a",
            "parentcaller": "0x7ff699df1466",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "5"
              },
              {
                "name": "TokenInformation",
                "value": "h\\x1b\\xe7$\\xf3\\x01\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\x01\\x02\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 393
          },
          {
            "timestamp": "2026-05-28 22:03:02,035",
            "thread_id": "9720",
            "caller": "0x7ff699df116a",
            "parentcaller": "0x7ff699df1466",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "6"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 394
          },
          {
            "timestamp": "2026-05-28 22:03:02,035",
            "thread_id": "9720",
            "caller": "0x7ff699df116a",
            "parentcaller": "0x7ff699df1466",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "6"
              },
              {
                "name": "TokenInformation",
                "value": "8\\x07\\xe8$\\xf3\\x01\\x00\\x00\\x02\\x00P\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x18\\x00\\x00\\x00\\x00\\x10\\x01\\x02\\x00\\x00\\x00\\x00\\x00\\x05 \\x00\\x00\\x00 \\x02\\x00\\x00\\x00\\x00\\x14\\x00\\x00\\x00\\x00\\x10\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x05\\x12\\x00\\x00\\x00\\x00\\x00\\x1c\\x00\\x00\\x00\\x00\\xa0\\x01\\x03\\x00\\x00\\x00\\x00\\x00\\x05\\x05\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xc7X\\x02\\x00"
              }
            ],
            "repeated": 0,
            "id": 395
          },
          {
            "timestamp": "2026-05-28 22:03:02,035",
            "thread_id": "9720",
            "caller": "0x7ff699df116a",
            "parentcaller": "0x7ff699df1466",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "41"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00X@\\xdd3\\xfc\\x7f\\x00\\x00\\xebP\\xb53\\xfc\\x7f\\x00\\x00\\x80\\xd4\\x13\\x927L\\x00\\x00(N\\xd93\\xfc\\x7f\\x00\\x000\\xe7\\xfd\\x1a\\x9b\\x00\\x00\\x00(\\xe7\\xfd\\x1a\\x9b\\x00\\x00\\x00\\xf8\\xe6\\xfd\\x1a\\x9b\\x00\\x00\\x00\\x18\\xe7\\xfd\\x1a"
              }
            ],
            "repeated": 0,
            "id": 396
          },
          {
            "timestamp": "2026-05-28 22:03:02,035",
            "thread_id": "9720",
            "caller": "0x7ff699df116a",
            "parentcaller": "0x7ff699df1466",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "41"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x000\\x07\\xe8$\\xf3\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xd9\\xd8\\xb63\\xfc\\x7f\\x00\\x00#\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\x18\\xe5\\xfd\\x1a\\x9b\\x00\\x00\\x00\\xac\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x9a\\x00\\x1f8\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x86\\xa2\\xd93"
              }
            ],
            "repeated": 0,
            "id": 397
          },
          {
            "timestamp": "2026-05-28 22:03:02,035",
            "thread_id": "9720",
            "caller": "0x7ff699df116a",
            "parentcaller": "0x7ff699df1466",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "10"
              },
              {
                "name": "TokenInformation",
                "value": "\\xdc\\xad\\x0b\\x00\\x00\\x00\\x00\\x00]Y\\x02\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x7f\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x94\\x0f\\x00\\x00\\x0e\\x00\\x00\\x00\\x18\\x00\\x00\\x00\\xbcY\\x02\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 398
          },
          {
            "timestamp": "2026-05-28 22:03:02,035",
            "thread_id": "9720",
            "caller": "0x7ff699df116a",
            "parentcaller": "0x7ff699df1466",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "4"
              },
              {
                "name": "TokenInformation",
                "value": "X\\x02\\xe8$\\xf3\\x01\\x00\\x00\\x01\\x02\\x00\\x00\\x00\\x00\\x00\\x05 \\x00\\x00\\x00 \\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 399
          },
          {
            "timestamp": "2026-05-28 22:03:02,035",
            "thread_id": "9720",
            "caller": "0x7ff699df116a",
            "parentcaller": "0x7ff699df1466",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "25"
              },
              {
                "name": "TokenInformation",
                "value": "\\xe0\t\\xe8$\\xf3\\x01\\x00\\x00`\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x10\\x000\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 400
          },
          {
            "timestamp": "2026-05-28 22:03:02,035",
            "thread_id": "9720",
            "caller": "0x7ff699df116a",
            "parentcaller": "0x7ff699df1466",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "5"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 401
          },
          {
            "timestamp": "2026-05-28 22:03:02,035",
            "thread_id": "9720",
            "caller": "0x7ff699df116a",
            "parentcaller": "0x7ff699df1466",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "5"
              },
              {
                "name": "TokenInformation",
                "value": "x\\x1d\\xe7$\\xf3\\x01\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\x01\\x02\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 402
          },
          {
            "timestamp": "2026-05-28 22:03:02,035",
            "thread_id": "9720",
            "caller": "0x7ff699df116a",
            "parentcaller": "0x7ff699df1466",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "6"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 403
          },
          {
            "timestamp": "2026-05-28 22:03:02,035",
            "thread_id": "9720",
            "caller": "0x7ff699df116a",
            "parentcaller": "0x7ff699df1466",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "6"
              },
              {
                "name": "TokenInformation",
                "value": "\\x98\\x07\\xe8$\\xf3\\x01\\x00\\x00\\x02\\x00P\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x18\\x00\\x00\\x00\\x00\\x10\\x01\\x02\\x00\\x00\\x00\\x00\\x00\\x05 \\x00\\x00\\x00 \\x02\\x00\\x00\\x00\\x00\\x14\\x00\\x00\\x00\\x00\\x10\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x05\\x12\\x00\\x00\\x00\\x00\\x00\\x1c\\x00\\x00\\x00\\x00\\xa0\\x01\\x03\\x00\\x00\\x00\\x00\\x00\\x05\\x05\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xc7X\\x02\\x00"
              }
            ],
            "repeated": 0,
            "id": 404
          },
          {
            "timestamp": "2026-05-28 22:03:02,035",
            "thread_id": "9720",
            "caller": "0x7ff699df116a",
            "parentcaller": "0x7ff699df1466",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "41"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00X@\\xdd3\\xfc\\x7f\\x00\\x00\\xebP\\xb53\\xfc\\x7f\\x00\\x00 \\xd1\\x13\\x927L\\x00\\x00(N\\xd93\\xfc\\x7f\\x00\\x00\\x90\\xe3\\xfd\\x1a\\x9b\\x00\\x00\\x00\\x88\\xe3\\xfd\\x1a\\x9b\\x00\\x00\\x00X\\xe3\\xfd\\x1a\\x9b\\x00\\x00\\x00x\\xe3\\xfd\\x1a"
              }
            ],
            "repeated": 0,
            "id": 405
          },
          {
            "timestamp": "2026-05-28 22:03:02,035",
            "thread_id": "9720",
            "caller": "0x7ff699df116a",
            "parentcaller": "0x7ff699df1466",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "41"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x90\\x07\\xe8$\\xf3\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xd9\\xd8\\xb63\\xfc\\x7f\\x00\\x00#\\x00\\x00\\xc0\\x00\\x00\\x00\\x00x\\xe1\\xfd\\x1a\\x9b\\x00\\x00\\x00\\xac\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x9a\\x00\\x1f8\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x86\\xa2\\xd93"
              }
            ],
            "repeated": 0,
            "id": 406
          },
          {
            "timestamp": "2026-05-28 22:03:02,035",
            "thread_id": "9720",
            "caller": "0x7ff699df116a",
            "parentcaller": "0x7ff699df1466",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002b0"
              }
            ],
            "repeated": 0,
            "id": 407
          },
          {
            "timestamp": "2026-05-28 22:03:02,035",
            "thread_id": "9720",
            "caller": "0x7ff699df116a",
            "parentcaller": "0x7ff699df1466",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002ac"
              }
            ],
            "repeated": 0,
            "id": 408
          },
          {
            "timestamp": "2026-05-28 22:03:02,035",
            "thread_id": "9720",
            "caller": "0x7ff699df116a",
            "parentcaller": "0x7ff699df1466",
            "category": "threading",
            "api": "NtCreateThreadEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0x000002ac"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "StartAddress",
                "value": "0x7ffc77c57db0"
              },
              {
                "name": "Parameter",
                "value": "0x1f324e71250"
              },
              {
                "name": "CreateFlags",
                "value": "0x00000001"
              },
              {
                "name": "ThreadId",
                "value": "440"
              },
              {
                "name": "ProcessId",
                "value": "9716"
              },
              {
                "name": "Module",
                "value": "combase.dll"
              }
            ],
            "repeated": 0,
            "id": 409
          },
          {
            "timestamp": "2026-05-28 22:03:02,035",
            "thread_id": "9720",
            "caller": "0x7ff699df116a",
            "parentcaller": "0x7ff699df1466",
            "category": "threading",
            "api": "CreateRemoteThreadEx",
            "status": true,
            "return": "0x000002ac",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "StartRoutine",
                "value": "0x7ffc77c57db0"
              },
              {
                "name": "Parameter",
                "value": "0x1f324e71250"
              },
              {
                "name": "CreationFlags",
                "value": "0x00000000"
              },
              {
                "name": "ThreadId",
                "value": "440"
              },
              {
                "name": "ProcessId",
                "value": "9716"
              }
            ],
            "repeated": 0,
            "id": 410
          },
          {
            "timestamp": "2026-05-28 22:03:02,035",
            "thread_id": "9720",
            "caller": "0x7ff699df116a",
            "parentcaller": "0x7ff699df1466",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 411
          },
          {
            "timestamp": "2026-05-28 22:03:02,035",
            "thread_id": "9720",
            "caller": "0x7ff699df116a",
            "parentcaller": "0x7ff699df1466",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002ac"
              },
              {
                "name": "Milliseconds",
                "value": "20000"
              }
            ],
            "repeated": 0,
            "id": 412
          },
          {
            "timestamp": "2026-05-28 22:03:02,066",
            "thread_id": "440",
            "caller": "0x7ffc7804507d",
            "parentcaller": "0x7ffc78044c43",
            "category": "threading",
            "api": "NtTestAlert",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 413
          },
          {
            "timestamp": "2026-05-28 22:03:02,066",
            "thread_id": "440",
            "caller": "0x00000000",
            "parentcaller": "0x00000000",
            "category": "threading",
            "api": "RtlUserThreadStart",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "StartAddress",
                "value": "0x7ffc77c57db0"
              },
              {
                "name": "Parameter",
                "value": "0x1f324e71250"
              }
            ],
            "repeated": 0,
            "id": 414
          },
          {
            "timestamp": "2026-05-28 22:03:02,066",
            "thread_id": "440",
            "caller": "0x7ffc756d30ce",
            "parentcaller": "0x7ffc77c57dc9",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 415
          },
          {
            "timestamp": "2026-05-28 22:03:02,066",
            "thread_id": "440",
            "caller": "0x7ffc756d30ce",
            "parentcaller": "0x7ffc77c57dc9",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000021c"
              },
              {
                "name": "Milliseconds",
                "value": "30000"
              }
            ],
            "repeated": 0,
            "id": 416
          },
          {
            "timestamp": "2026-05-28 22:03:02,066",
            "thread_id": "440",
            "caller": "0x7ffc7802467e",
            "parentcaller": "0x7ffc7604734d",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "12"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "440"
              }
            ],
            "repeated": 0,
            "id": 417
          },
          {
            "timestamp": "2026-05-28 22:03:02,066",
            "thread_id": "440",
            "caller": "0x7ffc7802469e",
            "parentcaller": "0x7ffc7604734d",
            "category": "threading",
            "api": "NtTerminateThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0x00000000"
              },
              {
                "name": "ExitStatus",
                "value": "0x00000000"
              },
              {
                "name": "ThreadId",
                "value": "0"
              },
              {
                "name": "ProcessId",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 418
          },
          {
            "timestamp": "2026-05-28 22:03:02,066",
            "thread_id": "9720",
            "caller": "0x7ff699df116a",
            "parentcaller": "0x7ff699df1466",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002ac"
              }
            ],
            "repeated": 0,
            "id": 419
          },
          {
            "timestamp": "2026-05-28 22:03:02,066",
            "thread_id": "9720",
            "caller": "0x7ff699df116a",
            "parentcaller": "0x7ff699df1466",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000220"
              },
              {
                "name": "Milliseconds",
                "value": "18446744073709551615"
              },
              {
                "name": "Status",
                "value": "Infinite"
              }
            ],
            "repeated": 0,
            "id": 420
          },
          {
            "timestamp": "2026-05-28 22:03:02,066",
            "thread_id": "3340",
            "caller": "0x7ffc75716f4c",
            "parentcaller": "0x7ffc770cef53",
            "category": "system",
            "api": "NtDuplicateObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SourceProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "SourceHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "TargetProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "TargetHandle",
                "value": "0x000002b4"
              },
              {
                "name": "Options",
                "value": "0x00000002"
              }
            ],
            "repeated": 0,
            "id": 421
          },
          {
            "timestamp": "2026-05-28 22:03:02,066",
            "thread_id": "6264",
            "caller": "0x7ffc756e54eb",
            "parentcaller": "0x7ffc77b98ce0",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "10"
              },
              {
                "name": "TokenInformation",
                "value": "\\x80\\xe9\\x0b\\x00\\x00\\x00\\x00\\x00\\xe4\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x90\\xebL\\xb6&u \\x06\\x02\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x90\\x0f\\x00\\x00\n\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\xfc\\x9c\\x0b\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 422
          },
          {
            "timestamp": "2026-05-28 22:03:02,066",
            "thread_id": "6264",
            "caller": "0x7ffc756e6785",
            "parentcaller": "0x7ffc77b98c8a",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002b8"
              }
            ],
            "repeated": 0,
            "id": 423
          },
          {
            "timestamp": "2026-05-28 22:03:02,066",
            "thread_id": "6264",
            "caller": "0x7ffc77c1d427",
            "parentcaller": "0x7ffc77b93d82",
            "category": "misc",
            "api": "GetCommandLineW",
            "status": true,
            "return": "0x1f324e42148",
            "arguments": [
              {
                "name": "CommandLine",
                "value": "C:\\Windows\\system32\\DllHost.exe /Processid:{338B40F9-9D68-4B53-A793-6B9AA0C5F63B}"
              }
            ],
            "repeated": 0,
            "id": 424
          },
          {
            "timestamp": "2026-05-28 22:03:02,066",
            "thread_id": "6264",
            "caller": "0x7ffc77fde715",
            "parentcaller": "0x7ffc77fde37b",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x1f324e84000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 425
          },
          {
            "timestamp": "2026-05-28 22:03:02,066",
            "thread_id": "6264",
            "caller": "0x7ffc756eac31",
            "parentcaller": "0x7ffc77c442bf",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "combase.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc77b70000"
              },
              {
                "name": "FunctionName",
                "value": "CoMarshalInterface"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc77beb0b0"
              }
            ],
            "repeated": 0,
            "id": 426
          },
          {
            "timestamp": "2026-05-28 22:03:02,066",
            "thread_id": "6264",
            "caller": "0x7ffc756eac31",
            "parentcaller": "0x7ffc77c442e9",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "combase.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc77b70000"
              },
              {
                "name": "FunctionName",
                "value": "CoUnmarshalInterface"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc77be8b50"
              }
            ],
            "repeated": 0,
            "id": 427
          },
          {
            "timestamp": "2026-05-28 22:03:02,066",
            "thread_id": "6264",
            "caller": "0x7ffc756eac31",
            "parentcaller": "0x7ffc77c44313",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "combase.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc77b70000"
              },
              {
                "name": "FunctionName",
                "value": "StringFromIID"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc77c19780"
              }
            ],
            "repeated": 0,
            "id": 428
          },
          {
            "timestamp": "2026-05-28 22:03:02,066",
            "thread_id": "6264",
            "caller": "0x7ffc756eac31",
            "parentcaller": "0x7ffc77c4433d",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "combase.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc77b70000"
              },
              {
                "name": "FunctionName",
                "value": "CoTaskMemAlloc"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc77c22e80"
              }
            ],
            "repeated": 0,
            "id": 429
          },
          {
            "timestamp": "2026-05-28 22:03:02,066",
            "thread_id": "6264",
            "caller": "0x7ffc756eac31",
            "parentcaller": "0x7ffc77c44367",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "combase.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc77b70000"
              },
              {
                "name": "FunctionName",
                "value": "CoTaskMemFree"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc77c21b70"
              }
            ],
            "repeated": 0,
            "id": 430
          },
          {
            "timestamp": "2026-05-28 22:03:02,066",
            "thread_id": "6264",
            "caller": "0x7ffc756eac31",
            "parentcaller": "0x7ffc77c44391",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "combase.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc77b70000"
              },
              {
                "name": "FunctionName",
                "value": "CoCreateInstance"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc77b9a420"
              }
            ],
            "repeated": 0,
            "id": 431
          },
          {
            "timestamp": "2026-05-28 22:03:02,066",
            "thread_id": "6264",
            "caller": "0x7ffc756eac31",
            "parentcaller": "0x7ffc77c443bb",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "combase.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc77b70000"
              },
              {
                "name": "FunctionName",
                "value": "CoReleaseMarshalData"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc77b9e790"
              }
            ],
            "repeated": 0,
            "id": 432
          },
          {
            "timestamp": "2026-05-28 22:03:02,066",
            "thread_id": "6264",
            "caller": "0x7ffc77c441cf",
            "parentcaller": "0x7ffc780138c0",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "0000032A-0000-0000-C000-000000000046"
              },
              {
                "name": "ClsContext",
                "value": "0x00000001",
                "pretty_value": "CLSCTX_INPROC_SERVER"
              },
              {
                "name": "riid",
                "value": "00000149-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 433
          },
          {
            "timestamp": "2026-05-28 22:03:02,066",
            "thread_id": "6264",
            "caller": "0x7ffc756e54eb",
            "parentcaller": "0x7ffc77bcb0ca",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "29"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 434
          },
          {
            "timestamp": "2026-05-28 22:03:02,066",
            "thread_id": "6264",
            "caller": "0x7ffc77be92b9",
            "parentcaller": "0x7ffc77c2224d",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "00000338-0000-0000-C000-000000000046"
              },
              {
                "name": "ClsContext",
                "value": "0x00000403",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER|CLSCTX_NO_CODE_DOWNLOAD"
              },
              {
                "name": "riid",
                "value": "00000003-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 435
          },
          {
            "timestamp": "2026-05-28 22:03:02,066",
            "thread_id": "6264",
            "caller": "0x7ffc77ba7b74",
            "parentcaller": "0x7ffc77ba53d4",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000232"
              },
              {
                "name": "SubKey",
                "value": "CLSID\\{338B40F9-9D68-4B53-A793-6B9AA0C5F63B}"
              },
              {
                "name": "Handle",
                "value": "0x000002ca"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{338B40F9-9D68-4B53-A793-6B9AA0C5F63B}"
              }
            ],
            "repeated": 0,
            "id": 436
          },
          {
            "timestamp": "2026-05-28 22:03:02,066",
            "thread_id": "6264",
            "caller": "0x7ffc756e45a7",
            "parentcaller": "0x7ffc756e0705",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002ca"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\CLSID\\{338B40F9-9D68-4B53-A793-6B9AA0C5F63B}"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 437
          },
          {
            "timestamp": "2026-05-28 22:03:02,066",
            "thread_id": "6264",
            "caller": "0x7ffc756e2314",
            "parentcaller": "0x7ffc756e0732",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002ca"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 438
          },
          {
            "timestamp": "2026-05-28 22:03:02,066",
            "thread_id": "6264",
            "caller": "0x7ffc78006c8b",
            "parentcaller": "0x7ffc756e23a0",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "@\\xcb\\x9f\\x1b\\x9b\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xfc\\x7f\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\xe9\\x03\\x00\\x00\\xfc\\x7f\\x00\\x00\\xb8\\xcf\\xd93\\xfc\\x7f\\x00\\x00\\xca\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\xe0\\xd2\\xd93\\xfc\\x7f\\x00\\x00\\x04\\x00\\x00\\x00\\x9b\\x00\\x00\\x00@\\xcc\\x9f\\x1b\\x9b\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 439
          },
          {
            "timestamp": "2026-05-28 22:03:02,066",
            "thread_id": "6264",
            "caller": "0x7ffc756e24a8",
            "parentcaller": "0x7ffc756e0732",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3968686040-3210279463-847977608-1001_Classes\\CLSID\\{338B40F9-9D68-4B53-A793-6B9AA0C5F63B}\\TreatAs"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{338B40F9-9D68-4B53-A793-6B9AA0C5F63B}\\TreatAs"
              }
            ],
            "repeated": 0,
            "id": 440
          },
          {
            "timestamp": "2026-05-28 22:03:02,066",
            "thread_id": "6264",
            "caller": "0x7ffc756e40c4",
            "parentcaller": "0x7ffc756e25c4",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002ca"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 441
          },
          {
            "timestamp": "2026-05-28 22:03:02,066",
            "thread_id": "6264",
            "caller": "0x7ffc756e25e2",
            "parentcaller": "0x7ffc756e0732",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000002ca"
              },
              {
                "name": "ObjectAttributesName",
                "value": "TreatAs"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{338B40F9-9D68-4B53-A793-6B9AA0C5F63B}\\TreatAs"
              }
            ],
            "repeated": 0,
            "id": 442
          },
          {
            "timestamp": "2026-05-28 22:03:02,066",
            "thread_id": "6264",
            "caller": "0x7ffc77c322e1",
            "parentcaller": "0x7ffc77ba7c1d",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002ca"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\CLSID\\{338B40F9-9D68-4B53-A793-6B9AA0C5F63B}"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 443
          },
          {
            "timestamp": "2026-05-28 22:03:02,066",
            "thread_id": "6264",
            "caller": "0x7ffc756e2e92",
            "parentcaller": "0x7ffc77ba81f5",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002ca"
              },
              {
                "name": "ValueName",
                "value": "ActivateOnHostFlags"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{338B40F9-9D68-4B53-A793-6B9AA0C5F63B}\\ActivateOnHostFlags"
              }
            ],
            "repeated": 0,
            "id": 444
          },
          {
            "timestamp": "2026-05-28 22:03:02,066",
            "thread_id": "6264",
            "caller": "0x7ffc756e2e92",
            "parentcaller": "0x7ffc77ba870d",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002ca"
              },
              {
                "name": "ValueName",
                "value": ""
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{338B40F9-9D68-4B53-A793-6B9AA0C5F63B}\\(Default)"
              }
            ],
            "repeated": 0,
            "id": 445
          },
          {
            "timestamp": "2026-05-28 22:03:02,066",
            "thread_id": "6264",
            "caller": "0x7ffc756e2e92",
            "parentcaller": "0x7ffc77ba87bc",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002ca"
              },
              {
                "name": "ValueName",
                "value": ""
              },
              {
                "name": "Data",
                "value": "Delivery Optimization User Class"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{338B40F9-9D68-4B53-A793-6B9AA0C5F63B}\\(Default)"
              }
            ],
            "repeated": 0,
            "id": 446
          },
          {
            "timestamp": "2026-05-28 22:03:02,066",
            "thread_id": "6264",
            "caller": "0x7ffc77ba8485",
            "parentcaller": "0x7ffc77ba829e",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x000002ca"
              },
              {
                "name": "SubKey",
                "value": "InprocServer32"
              },
              {
                "name": "Handle",
                "value": "0x000002ce"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{338B40F9-9D68-4B53-A793-6B9AA0C5F63B}\\InprocServer32"
              }
            ],
            "repeated": 0,
            "id": 447
          },
          {
            "timestamp": "2026-05-28 22:03:02,066",
            "thread_id": "6264",
            "caller": "0x7ffc756e2e92",
            "parentcaller": "0x7ffc77ba870d",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002ce"
              },
              {
                "name": "ValueName",
                "value": "InprocServer32"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{338B40F9-9D68-4B53-A793-6B9AA0C5F63B}\\InProcServer32\\InprocServer32"
              }
            ],
            "repeated": 0,
            "id": 448
          },
          {
            "timestamp": "2026-05-28 22:03:02,066",
            "thread_id": "6264",
            "caller": "0x7ffc756e2e92",
            "parentcaller": "0x7ffc77ba870d",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002ce"
              },
              {
                "name": "ValueName",
                "value": ""
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{338B40F9-9D68-4B53-A793-6B9AA0C5F63B}\\InProcServer32\\(Default)"
              }
            ],
            "repeated": 0,
            "id": 449
          },
          {
            "timestamp": "2026-05-28 22:03:02,066",
            "thread_id": "6264",
            "caller": "0x7ffc75704aa9",
            "parentcaller": "0x7ffc756e31c6",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002ce"
              },
              {
                "name": "ValueName",
                "value": ""
              },
              {
                "name": "Data",
                "value": "%SystemRoot%\\system32\\domgmt.dll"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{338B40F9-9D68-4B53-A793-6B9AA0C5F63B}\\InProcServer32\\(Default)"
              }
            ],
            "repeated": 1,
            "id": 450
          },
          {
            "timestamp": "2026-05-28 22:03:02,066",
            "thread_id": "6264",
            "caller": "0x7ffc756e2e92",
            "parentcaller": "0x7ffc77ba8d32",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002ce"
              },
              {
                "name": "ValueName",
                "value": "ThreadingModel"
              },
              {
                "name": "Data",
                "value": "Both"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{338B40F9-9D68-4B53-A793-6B9AA0C5F63B}\\InProcServer32\\ThreadingModel"
              }
            ],
            "repeated": 0,
            "id": 451
          },
          {
            "timestamp": "2026-05-28 22:03:02,066",
            "thread_id": "6264",
            "caller": "0x7ffc77ba855f",
            "parentcaller": "0x7ffc77ba829e",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002ce"
              }
            ],
            "repeated": 0,
            "id": 452
          },
          {
            "timestamp": "2026-05-28 22:03:02,066",
            "thread_id": "6264",
            "caller": "0x7ffc756e45a7",
            "parentcaller": "0x7ffc756e0705",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002ca"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\CLSID\\{338B40F9-9D68-4B53-A793-6B9AA0C5F63B}"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 453
          },
          {
            "timestamp": "2026-05-28 22:03:02,066",
            "thread_id": "6264",
            "caller": "0x7ffc756e2314",
            "parentcaller": "0x7ffc756e0732",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002ca"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 454
          },
          {
            "timestamp": "2026-05-28 22:03:02,066",
            "thread_id": "6264",
            "caller": "0x7ffc78006c8b",
            "parentcaller": "0x7ffc756e23a0",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xd0\\xc9\\x9f\\x1b\\x9b\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xfc\\x7f\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\xe9\\x03\\x00\\x00\\xfc\\x7f\\x00\\x00\\xb8\\xcf\\xd93\\xfc\\x7f\\x00\\x00\\xca\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\xe0\\xd2\\xd93\\xfc\\x7f\\x00\\x00\\x04\\x00\\x00\\x00\\x9b\\x00\\x00\\x00\\xd0\\xca\\x9f\\x1b\\x9b\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 455
          },
          {
            "timestamp": "2026-05-28 22:03:02,066",
            "thread_id": "6264",
            "caller": "0x7ffc756e24a8",
            "parentcaller": "0x7ffc756e0732",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3968686040-3210279463-847977608-1001_Classes\\CLSID\\{338B40F9-9D68-4B53-A793-6B9AA0C5F63B}\\InprocHandler32"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{338B40F9-9D68-4B53-A793-6B9AA0C5F63B}\\InprocHandler32"
              }
            ],
            "repeated": 0,
            "id": 456
          },
          {
            "timestamp": "2026-05-28 22:03:02,066",
            "thread_id": "6264",
            "caller": "0x7ffc756e40c4",
            "parentcaller": "0x7ffc756e25c4",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002ca"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 457
          },
          {
            "timestamp": "2026-05-28 22:03:02,066",
            "thread_id": "6264",
            "caller": "0x7ffc756e25e2",
            "parentcaller": "0x7ffc756e0732",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000002ca"
              },
              {
                "name": "ObjectAttributesName",
                "value": "InprocHandler32"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{338B40F9-9D68-4B53-A793-6B9AA0C5F63B}\\InprocHandler32"
              }
            ],
            "repeated": 0,
            "id": 458
          },
          {
            "timestamp": "2026-05-28 22:03:02,066",
            "thread_id": "6264",
            "caller": "0x7ffc756e45a7",
            "parentcaller": "0x7ffc756e0705",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002ca"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\CLSID\\{338B40F9-9D68-4B53-A793-6B9AA0C5F63B}"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 459
          },
          {
            "timestamp": "2026-05-28 22:03:02,066",
            "thread_id": "6264",
            "caller": "0x7ffc756e2314",
            "parentcaller": "0x7ffc756e0732",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002ca"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 460
          },
          {
            "timestamp": "2026-05-28 22:03:02,066",
            "thread_id": "6264",
            "caller": "0x7ffc78006c8b",
            "parentcaller": "0x7ffc756e23a0",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xd0\\xc9\\x9f\\x1b\\x9b\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xfc\\x7f\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\xe9\\x03\\x00\\x00\\xfc\\x7f\\x00\\x00\\xb8\\xcf\\xd93\\xfc\\x7f\\x00\\x00\\xca\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\xe0\\xd2\\xd93\\xfc\\x7f\\x00\\x00\\x04\\x00\\x00\\x00\\x9b\\x00\\x00\\x00\\xd0\\xca\\x9f\\x1b\\x9b\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 461
          },
          {
            "timestamp": "2026-05-28 22:03:02,066",
            "thread_id": "6264",
            "caller": "0x7ffc756e24a8",
            "parentcaller": "0x7ffc756e0732",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3968686040-3210279463-847977608-1001_Classes\\CLSID\\{338B40F9-9D68-4B53-A793-6B9AA0C5F63B}\\InprocHandler"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{338B40F9-9D68-4B53-A793-6B9AA0C5F63B}\\InprocHandler"
              }
            ],
            "repeated": 0,
            "id": 462
          },
          {
            "timestamp": "2026-05-28 22:03:02,066",
            "thread_id": "6264",
            "caller": "0x7ffc756e40c4",
            "parentcaller": "0x7ffc756e25c4",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002ca"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 463
          },
          {
            "timestamp": "2026-05-28 22:03:02,066",
            "thread_id": "6264",
            "caller": "0x7ffc756e25e2",
            "parentcaller": "0x7ffc756e0732",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000002ca"
              },
              {
                "name": "ObjectAttributesName",
                "value": "InprocHandler"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{338B40F9-9D68-4B53-A793-6B9AA0C5F63B}\\InprocHandler"
              }
            ],
            "repeated": 0,
            "id": 464
          },
          {
            "timestamp": "2026-05-28 22:03:02,066",
            "thread_id": "6264",
            "caller": "0x7ffc77ba8010",
            "parentcaller": "0x7ffc77ba53d4",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002ca"
              }
            ],
            "repeated": 0,
            "id": 465
          },
          {
            "timestamp": "2026-05-28 22:03:02,082",
            "thread_id": "6264",
            "caller": "0x7ffc77c194b2",
            "parentcaller": "0x7ffc77c054b4",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "Software\\Microsoft\\OLE"
              },
              {
                "name": "Handle",
                "value": "0x000002d0"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\OLE"
              }
            ],
            "repeated": 0,
            "id": 466
          },
          {
            "timestamp": "2026-05-28 22:03:02,082",
            "thread_id": "6264",
            "caller": "0x7ffc77c194ea",
            "parentcaller": "0x7ffc77c054b4",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002d0"
              },
              {
                "name": "ValueName",
                "value": "MaxSxSHashCount"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Ole\\MaxSxSHashCount"
              }
            ],
            "repeated": 0,
            "id": 467
          },
          {
            "timestamp": "2026-05-28 22:03:02,082",
            "thread_id": "6264",
            "caller": "0x7ffc77c19503",
            "parentcaller": "0x7ffc77c054b4",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002d0"
              }
            ],
            "repeated": 0,
            "id": 468
          },
          {
            "timestamp": "2026-05-28 22:03:02,082",
            "thread_id": "6264",
            "caller": "0x7ffc77ba7b74",
            "parentcaller": "0x7ffc77ba53d4",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000232"
              },
              {
                "name": "SubKey",
                "value": "CLSID\\{338B40F9-9D68-4B53-A793-6B9AA0C5F63B}"
              },
              {
                "name": "Handle",
                "value": "0x000002d2"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{338B40F9-9D68-4B53-A793-6B9AA0C5F63B}"
              }
            ],
            "repeated": 0,
            "id": 469
          },
          {
            "timestamp": "2026-05-28 22:03:02,082",
            "thread_id": "6264",
            "caller": "0x7ffc756e45a7",
            "parentcaller": "0x7ffc756e0705",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002d2"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\CLSID\\{338B40F9-9D68-4B53-A793-6B9AA0C5F63B}"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 470
          },
          {
            "timestamp": "2026-05-28 22:03:02,082",
            "thread_id": "6264",
            "caller": "0x7ffc756e2314",
            "parentcaller": "0x7ffc756e0732",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002d2"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 471
          },
          {
            "timestamp": "2026-05-28 22:03:02,082",
            "thread_id": "6264",
            "caller": "0x7ffc78006c8b",
            "parentcaller": "0x7ffc756e23a0",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xe0\\xc9\\x9f\\x1b\\x9b\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xfc\\x7f\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\xe9\\x03\\x00\\x00\\xfc\\x7f\\x00\\x00\\xb8\\xcf\\xd93\\xfc\\x7f\\x00\\x00\\xd2\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\xe0\\xd2\\xd93\\xfc\\x7f\\x00\\x00\\x04\\x00\\x00\\x00\\x9b\\x00\\x00\\x00\\xe0\\xca\\x9f\\x1b\\x9b\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 472
          },
          {
            "timestamp": "2026-05-28 22:03:02,082",
            "thread_id": "6264",
            "caller": "0x7ffc756e24a8",
            "parentcaller": "0x7ffc756e0732",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3968686040-3210279463-847977608-1001_Classes\\CLSID\\{338B40F9-9D68-4B53-A793-6B9AA0C5F63B}\\TreatAs"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{338B40F9-9D68-4B53-A793-6B9AA0C5F63B}\\TreatAs"
              }
            ],
            "repeated": 0,
            "id": 473
          },
          {
            "timestamp": "2026-05-28 22:03:02,082",
            "thread_id": "6264",
            "caller": "0x7ffc756e40c4",
            "parentcaller": "0x7ffc756e25c4",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002d2"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 474
          },
          {
            "timestamp": "2026-05-28 22:03:02,082",
            "thread_id": "6264",
            "caller": "0x7ffc756e25e2",
            "parentcaller": "0x7ffc756e0732",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000002d2"
              },
              {
                "name": "ObjectAttributesName",
                "value": "TreatAs"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{338B40F9-9D68-4B53-A793-6B9AA0C5F63B}\\TreatAs"
              }
            ],
            "repeated": 0,
            "id": 475
          },
          {
            "timestamp": "2026-05-28 22:03:02,082",
            "thread_id": "6264",
            "caller": "0x7ffc77c322e1",
            "parentcaller": "0x7ffc77ba7c1d",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002d2"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\CLSID\\{338B40F9-9D68-4B53-A793-6B9AA0C5F63B}"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 476
          },
          {
            "timestamp": "2026-05-28 22:03:02,082",
            "thread_id": "6264",
            "caller": "0x7ffc756e2e92",
            "parentcaller": "0x7ffc77ba81f5",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002d2"
              },
              {
                "name": "ValueName",
                "value": "ActivateOnHostFlags"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{338B40F9-9D68-4B53-A793-6B9AA0C5F63B}\\ActivateOnHostFlags"
              }
            ],
            "repeated": 0,
            "id": 477
          },
          {
            "timestamp": "2026-05-28 22:03:02,082",
            "thread_id": "6264",
            "caller": "0x7ffc756e2e92",
            "parentcaller": "0x7ffc77ba870d",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002d2"
              },
              {
                "name": "ValueName",
                "value": ""
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{338B40F9-9D68-4B53-A793-6B9AA0C5F63B}\\(Default)"
              }
            ],
            "repeated": 0,
            "id": 478
          },
          {
            "timestamp": "2026-05-28 22:03:02,082",
            "thread_id": "6264",
            "caller": "0x7ffc756e2e92",
            "parentcaller": "0x7ffc77ba87bc",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002d2"
              },
              {
                "name": "ValueName",
                "value": ""
              },
              {
                "name": "Data",
                "value": "Delivery Optimization User Class"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{338B40F9-9D68-4B53-A793-6B9AA0C5F63B}\\(Default)"
              }
            ],
            "repeated": 0,
            "id": 479
          },
          {
            "timestamp": "2026-05-28 22:03:02,082",
            "thread_id": "6264",
            "caller": "0x7ffc77ba8485",
            "parentcaller": "0x7ffc77ba829e",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x000002d2"
              },
              {
                "name": "SubKey",
                "value": "InprocServer32"
              },
              {
                "name": "Handle",
                "value": "0x000002d6"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{338B40F9-9D68-4B53-A793-6B9AA0C5F63B}\\InprocServer32"
              }
            ],
            "repeated": 0,
            "id": 480
          },
          {
            "timestamp": "2026-05-28 22:03:02,082",
            "thread_id": "6264",
            "caller": "0x7ffc756e2e92",
            "parentcaller": "0x7ffc77ba870d",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002d6"
              },
              {
                "name": "ValueName",
                "value": "InprocServer32"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{338B40F9-9D68-4B53-A793-6B9AA0C5F63B}\\InProcServer32\\InprocServer32"
              }
            ],
            "repeated": 0,
            "id": 481
          },
          {
            "timestamp": "2026-05-28 22:03:02,082",
            "thread_id": "6264",
            "caller": "0x7ffc756e2e92",
            "parentcaller": "0x7ffc77ba870d",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002d6"
              },
              {
                "name": "ValueName",
                "value": ""
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{338B40F9-9D68-4B53-A793-6B9AA0C5F63B}\\InProcServer32\\(Default)"
              }
            ],
            "repeated": 0,
            "id": 482
          },
          {
            "timestamp": "2026-05-28 22:03:02,082",
            "thread_id": "6264",
            "caller": "0x7ffc75704aa9",
            "parentcaller": "0x7ffc756e31c6",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002d6"
              },
              {
                "name": "ValueName",
                "value": ""
              },
              {
                "name": "Data",
                "value": "%SystemRoot%\\system32\\domgmt.dll"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{338B40F9-9D68-4B53-A793-6B9AA0C5F63B}\\InProcServer32\\(Default)"
              }
            ],
            "repeated": 1,
            "id": 483
          },
          {
            "timestamp": "2026-05-28 22:03:02,082",
            "thread_id": "6264",
            "caller": "0x7ffc756e2e92",
            "parentcaller": "0x7ffc77ba8d32",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002d6"
              },
              {
                "name": "ValueName",
                "value": "ThreadingModel"
              },
              {
                "name": "Data",
                "value": "Both"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{338B40F9-9D68-4B53-A793-6B9AA0C5F63B}\\InProcServer32\\ThreadingModel"
              }
            ],
            "repeated": 0,
            "id": 484
          },
          {
            "timestamp": "2026-05-28 22:03:02,082",
            "thread_id": "6264",
            "caller": "0x7ffc77ba855f",
            "parentcaller": "0x7ffc77ba829e",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002d6"
              }
            ],
            "repeated": 0,
            "id": 485
          },
          {
            "timestamp": "2026-05-28 22:03:02,082",
            "thread_id": "6264",
            "caller": "0x7ffc756e45a7",
            "parentcaller": "0x7ffc756e0705",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002d2"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\CLSID\\{338B40F9-9D68-4B53-A793-6B9AA0C5F63B}"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 486
          },
          {
            "timestamp": "2026-05-28 22:03:02,082",
            "thread_id": "6264",
            "caller": "0x7ffc756e2314",
            "parentcaller": "0x7ffc756e0732",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002d2"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 487
          },
          {
            "timestamp": "2026-05-28 22:03:02,082",
            "thread_id": "6264",
            "caller": "0x7ffc78006c8b",
            "parentcaller": "0x7ffc756e23a0",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "p\\xc8\\x9f\\x1b\\x9b\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xfc\\x7f\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\xe9\\x03\\x00\\x00\\xfc\\x7f\\x00\\x00\\xb8\\xcf\\xd93\\xfc\\x7f\\x00\\x00\\xd2\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\xe0\\xd2\\xd93\\xfc\\x7f\\x00\\x00\\x04\\x00\\x00\\x00\\x9b\\x00\\x00\\x00p\\xc9\\x9f\\x1b\\x9b\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 488
          },
          {
            "timestamp": "2026-05-28 22:03:02,082",
            "thread_id": "6264",
            "caller": "0x7ffc756e24a8",
            "parentcaller": "0x7ffc756e0732",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3968686040-3210279463-847977608-1001_Classes\\CLSID\\{338B40F9-9D68-4B53-A793-6B9AA0C5F63B}\\InprocHandler32"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{338B40F9-9D68-4B53-A793-6B9AA0C5F63B}\\InprocHandler32"
              }
            ],
            "repeated": 0,
            "id": 489
          },
          {
            "timestamp": "2026-05-28 22:03:02,082",
            "thread_id": "6264",
            "caller": "0x7ffc756e40c4",
            "parentcaller": "0x7ffc756e25c4",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002d2"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 490
          },
          {
            "timestamp": "2026-05-28 22:03:02,082",
            "thread_id": "6264",
            "caller": "0x7ffc756e25e2",
            "parentcaller": "0x7ffc756e0732",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000002d2"
              },
              {
                "name": "ObjectAttributesName",
                "value": "InprocHandler32"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{338B40F9-9D68-4B53-A793-6B9AA0C5F63B}\\InprocHandler32"
              }
            ],
            "repeated": 0,
            "id": 491
          },
          {
            "timestamp": "2026-05-28 22:03:02,082",
            "thread_id": "6264",
            "caller": "0x7ffc756e45a7",
            "parentcaller": "0x7ffc756e0705",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002d2"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\CLSID\\{338B40F9-9D68-4B53-A793-6B9AA0C5F63B}"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 492
          },
          {
            "timestamp": "2026-05-28 22:03:02,082",
            "thread_id": "6264",
            "caller": "0x7ffc756e2314",
            "parentcaller": "0x7ffc756e0732",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002d2"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 493
          },
          {
            "timestamp": "2026-05-28 22:03:02,082",
            "thread_id": "6264",
            "caller": "0x7ffc78006c8b",
            "parentcaller": "0x7ffc756e23a0",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "p\\xc8\\x9f\\x1b\\x9b\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xfc\\x7f\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\xe9\\x03\\x00\\x00\\xfc\\x7f\\x00\\x00\\xb8\\xcf\\xd93\\xfc\\x7f\\x00\\x00\\xd2\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\xe0\\xd2\\xd93\\xfc\\x7f\\x00\\x00\\x04\\x00\\x00\\x00\\x9b\\x00\\x00\\x00p\\xc9\\x9f\\x1b\\x9b\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 494
          },
          {
            "timestamp": "2026-05-28 22:03:02,082",
            "thread_id": "6264",
            "caller": "0x7ffc756e24a8",
            "parentcaller": "0x7ffc756e0732",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3968686040-3210279463-847977608-1001_Classes\\CLSID\\{338B40F9-9D68-4B53-A793-6B9AA0C5F63B}\\InprocHandler"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{338B40F9-9D68-4B53-A793-6B9AA0C5F63B}\\InprocHandler"
              }
            ],
            "repeated": 0,
            "id": 495
          },
          {
            "timestamp": "2026-05-28 22:03:02,082",
            "thread_id": "6264",
            "caller": "0x7ffc756e40c4",
            "parentcaller": "0x7ffc756e25c4",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002d2"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 496
          },
          {
            "timestamp": "2026-05-28 22:03:02,082",
            "thread_id": "6264",
            "caller": "0x7ffc756e25e2",
            "parentcaller": "0x7ffc756e0732",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000002d2"
              },
              {
                "name": "ObjectAttributesName",
                "value": "InprocHandler"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{338B40F9-9D68-4B53-A793-6B9AA0C5F63B}\\InprocHandler"
              }
            ],
            "repeated": 0,
            "id": 497
          },
          {
            "timestamp": "2026-05-28 22:03:02,082",
            "thread_id": "6264",
            "caller": "0x7ffc77baab08",
            "parentcaller": "0x7ffc77baa7d9",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x000002d2"
              },
              {
                "name": "SubKey",
                "value": "LocalServer32"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{338B40F9-9D68-4B53-A793-6B9AA0C5F63B}\\LocalServer32"
              }
            ],
            "repeated": 0,
            "id": 498
          },
          {
            "timestamp": "2026-05-28 22:03:02,082",
            "thread_id": "6264",
            "caller": "0x7ffc756e2e92",
            "parentcaller": "0x7ffc77baa825",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002d2"
              },
              {
                "name": "ValueName",
                "value": "AppID"
              },
              {
                "name": "Data",
                "value": "{338B40F9-9D68-4B53-A793-6B9AA0C5F63B}"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{338B40F9-9D68-4B53-A793-6B9AA0C5F63B}\\AppID"
              }
            ],
            "repeated": 0,
            "id": 499
          },
          {
            "timestamp": "2026-05-28 22:03:02,082",
            "thread_id": "6264",
            "caller": "0x7ffc77c45483",
            "parentcaller": "0x7ffc77bc4bdc",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000232"
              },
              {
                "name": "SubKey",
                "value": "AppID\\{338B40F9-9D68-4B53-A793-6B9AA0C5F63B}"
              },
              {
                "name": "Handle",
                "value": "0x000002d6"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\AppID\\{338B40F9-9D68-4B53-A793-6B9AA0C5F63B}"
              }
            ],
            "repeated": 0,
            "id": 500
          },
          {
            "timestamp": "2026-05-28 22:03:02,082",
            "thread_id": "6264",
            "caller": "0x7ffc77c322e1",
            "parentcaller": "0x7ffc77bc4c07",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002d6"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\AppID\\{338B40F9-9D68-4B53-A793-6B9AA0C5F63B}"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 501
          },
          {
            "timestamp": "2026-05-28 22:03:02,082",
            "thread_id": "6264",
            "caller": "0x7ffc756e2e92",
            "parentcaller": "0x7ffc77ba870d",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002d6"
              },
              {
                "name": "ValueName",
                "value": ""
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\AppID\\{338B40F9-9D68-4B53-A793-6B9AA0C5F63B}\\(Default)"
              }
            ],
            "repeated": 0,
            "id": 502
          },
          {
            "timestamp": "2026-05-28 22:03:02,082",
            "thread_id": "3228",
            "caller": "0x7ffc7804507d",
            "parentcaller": "0x7ffc78044c43",
            "category": "threading",
            "api": "NtTestAlert",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 503
          },
          {
            "timestamp": "2026-05-28 22:03:02,082",
            "thread_id": "6264",
            "caller": "0x7ffc756e2e92",
            "parentcaller": "0x7ffc77ba87bc",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002d6"
              },
              {
                "name": "ValueName",
                "value": ""
              },
              {
                "name": "Data",
                "value": "Delivery Optimization User"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\AppID\\{338B40F9-9D68-4B53-A793-6B9AA0C5F63B}\\(Default)"
              }
            ],
            "repeated": 0,
            "id": 504
          },
          {
            "timestamp": "2026-05-28 22:03:02,082",
            "thread_id": "3228",
            "caller": "0x00000000",
            "parentcaller": "0x00000000",
            "category": "threading",
            "api": "RtlUserThreadStart",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "StartAddress",
                "value": "0x7ffc78022b30"
              },
              {
                "name": "Parameter",
                "value": "0x1f324e40b50"
              }
            ],
            "repeated": 0,
            "id": 505
          },
          {
            "timestamp": "2026-05-28 22:03:02,082",
            "thread_id": "6264",
            "caller": "0x7ffc756e2e92",
            "parentcaller": "0x7ffc77ba870d",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002d6"
              },
              {
                "name": "ValueName",
                "value": "LocalService"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\AppID\\{338B40F9-9D68-4B53-A793-6B9AA0C5F63B}\\LocalService"
              }
            ],
            "repeated": 0,
            "id": 506
          },
          {
            "timestamp": "2026-05-28 22:03:02,082",
            "thread_id": "6264",
            "caller": "0x7ffc756e2e92",
            "parentcaller": "0x7ffc77ba870d",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002d6"
              },
              {
                "name": "ValueName",
                "value": "DllSurrogate"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\AppID\\{338B40F9-9D68-4B53-A793-6B9AA0C5F63B}\\DllSurrogate"
              }
            ],
            "repeated": 0,
            "id": 507
          },
          {
            "timestamp": "2026-05-28 22:03:02,082",
            "thread_id": "6264",
            "caller": "0x7ffc756e2e92",
            "parentcaller": "0x7ffc77ba87bc",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002d6"
              },
              {
                "name": "ValueName",
                "value": "DllSurrogate"
              },
              {
                "name": "Data",
                "value": ""
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\AppID\\{338B40F9-9D68-4B53-A793-6B9AA0C5F63B}\\DllSurrogate"
              }
            ],
            "repeated": 0,
            "id": 508
          },
          {
            "timestamp": "2026-05-28 22:03:02,082",
            "thread_id": "6264",
            "caller": "0x7ffc756e2e92",
            "parentcaller": "0x7ffc77ba9bff",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002d6"
              },
              {
                "name": "ValueName",
                "value": "RunAs"
              },
              {
                "name": "Data",
                "value": "Interactive User"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\AppID\\{338B40F9-9D68-4B53-A793-6B9AA0C5F63B}\\RunAs"
              }
            ],
            "repeated": 0,
            "id": 509
          },
          {
            "timestamp": "2026-05-28 22:03:02,082",
            "thread_id": "6264",
            "caller": "0x7ffc756e2e92",
            "parentcaller": "0x7ffc77ba9d1a",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002d6"
              },
              {
                "name": "ValueName",
                "value": "ActivateAtStorage"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\AppID\\{338B40F9-9D68-4B53-A793-6B9AA0C5F63B}\\ActivateAtStorage"
              }
            ],
            "repeated": 0,
            "id": 510
          },
          {
            "timestamp": "2026-05-28 22:03:02,082",
            "thread_id": "6264",
            "caller": "0x7ffc77ba9e39",
            "parentcaller": "0x7ffc77bc4dd5",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000232"
              },
              {
                "name": "SubKey",
                "value": "AppID\\{338B40F9-9D68-4B53-A793-6B9AA0C5F63B}"
              },
              {
                "name": "Handle",
                "value": "0x000002da"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\AppID\\{338B40F9-9D68-4B53-A793-6B9AA0C5F63B}"
              }
            ],
            "repeated": 0,
            "id": 511
          },
          {
            "timestamp": "2026-05-28 22:03:02,082",
            "thread_id": "6264",
            "caller": "0x7ffc77ba9e8d",
            "parentcaller": "0x7ffc77bc4dd5",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002da"
              },
              {
                "name": "ValueName",
                "value": "ROTFlags"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\AppID\\{338B40F9-9D68-4B53-A793-6B9AA0C5F63B}\\ROTFlags"
              }
            ],
            "repeated": 0,
            "id": 512
          },
          {
            "timestamp": "2026-05-28 22:03:02,082",
            "thread_id": "6264",
            "caller": "0x7ffc77ba9ee0",
            "parentcaller": "0x7ffc77bc4dd5",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002da"
              },
              {
                "name": "ValueName",
                "value": "AppIDFlags"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\AppID\\{338B40F9-9D68-4B53-A793-6B9AA0C5F63B}\\AppIDFlags"
              }
            ],
            "repeated": 0,
            "id": 513
          },
          {
            "timestamp": "2026-05-28 22:03:02,082",
            "thread_id": "6264",
            "caller": "0x7ffc77ba9f30",
            "parentcaller": "0x7ffc77bc4dd5",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002da"
              },
              {
                "name": "ValueName",
                "value": "MGOTFlags"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\AppID\\{338B40F9-9D68-4B53-A793-6B9AA0C5F63B}\\MGOTFlags"
              }
            ],
            "repeated": 0,
            "id": 514
          },
          {
            "timestamp": "2026-05-28 22:03:02,082",
            "thread_id": "6264",
            "caller": "0x7ffc77ba9f84",
            "parentcaller": "0x7ffc77bc4dd5",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002da"
              },
              {
                "name": "ValueName",
                "value": "ProcessMitigationPolicy"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\AppID\\{338B40F9-9D68-4B53-A793-6B9AA0C5F63B}\\ProcessMitigationPolicy"
              }
            ],
            "repeated": 0,
            "id": 515
          },
          {
            "timestamp": "2026-05-28 22:03:02,082",
            "thread_id": "6264",
            "caller": "0x7ffc77ba9fa7",
            "parentcaller": "0x7ffc77bc4dd5",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002da"
              }
            ],
            "repeated": 0,
            "id": 516
          },
          {
            "timestamp": "2026-05-28 22:03:02,082",
            "thread_id": "6264",
            "caller": "0x7ffc77c39058",
            "parentcaller": "0x7ffc77ba9fcb",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002d6"
              },
              {
                "name": "ValueName",
                "value": "LaunchPermission"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\AppID\\{338B40F9-9D68-4B53-A793-6B9AA0C5F63B}\\LaunchPermission"
              }
            ],
            "repeated": 0,
            "id": 517
          },
          {
            "timestamp": "2026-05-28 22:03:02,082",
            "thread_id": "6264",
            "caller": "0x7ffc77c390d0",
            "parentcaller": "0x7ffc77ba9fcb",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002d6"
              },
              {
                "name": "ValueName",
                "value": "LaunchPermission"
              },
              {
                "name": "Data",
                "value": "\\x01\\x00\\x04\\x80`\\x00\\x00\\x00p\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x14\\x00\\x00\\x00\\x02\\x00L\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x14\\x00\\x0b\\x00\\x00\\x00\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x05\\x12\\x00\\x00\\x00\\x00\\x00\\x18\\x00\\x0b\\x00\\x00\\x00\\x01\\x02\\x00\\x00\\x00\\x00\\x00\\x05 \\x00\\x00\\x00 \\x02\\x00\\x00\\x00\\x00\\x18\\x00\\x0b\\x00\\x00\\x00\\x01\\x02\\x00\\x00\\x00\\x00\\x00\\x05 \\x00\\x00\\x00!\\x02\\x00\\x00\\x01\\x02\\x00\\x00\\x00\\x00\\x00\\x05 \\x00\\x00\\x00 \\x02\\x00\\x00\\x01\\x02\\x00\\x00\\x00\\x00\\x00\\x05 \\x00\\x00\\x00 \\x02\\x00\\x00"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\AppID\\{338B40F9-9D68-4B53-A793-6B9AA0C5F63B}\\LaunchPermission"
              }
            ],
            "repeated": 0,
            "id": 518
          },
          {
            "timestamp": "2026-05-28 22:03:02,082",
            "thread_id": "6264",
            "caller": "0x7ffc77baa010",
            "parentcaller": "0x7ffc77bc4dd5",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x80000002",
                "pretty_value": "HKEY_LOCAL_MACHINE"
              },
              {
                "name": "SubKey",
                "value": "Software\\Microsoft\\OLE"
              },
              {
                "name": "Handle",
                "value": "0x000002d8"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\OLE"
              }
            ],
            "repeated": 0,
            "id": 519
          },
          {
            "timestamp": "2026-05-28 22:03:02,082",
            "thread_id": "6264",
            "caller": "0x7ffc77baa052",
            "parentcaller": "0x7ffc77bc4dd5",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002d8"
              },
              {
                "name": "ValueName",
                "value": "LegacyAuthenticationLevel"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Ole\\LegacyAuthenticationLevel"
              }
            ],
            "repeated": 0,
            "id": 520
          },
          {
            "timestamp": "2026-05-28 22:03:02,082",
            "thread_id": "6264",
            "caller": "0x7ffc77baa0a5",
            "parentcaller": "0x7ffc77bc4dd5",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002d8"
              },
              {
                "name": "ValueName",
                "value": "LegacyImpersonationLevel"
              },
              {
                "name": "Data",
                "value": "2"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Ole\\LegacyImpersonationLevel"
              }
            ],
            "repeated": 0,
            "id": 521
          },
          {
            "timestamp": "2026-05-28 22:03:02,082",
            "thread_id": "6264",
            "caller": "0x7ffc77baa0de",
            "parentcaller": "0x7ffc77bc4dd5",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002d8"
              }
            ],
            "repeated": 0,
            "id": 522
          },
          {
            "timestamp": "2026-05-28 22:03:02,082",
            "thread_id": "6264",
            "caller": "0x7ffc77baa123",
            "parentcaller": "0x7ffc77bc4dd5",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002d6"
              },
              {
                "name": "ValueName",
                "value": "AuthenticationLevel"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\AppID\\{338B40F9-9D68-4B53-A793-6B9AA0C5F63B}\\AuthenticationLevel"
              }
            ],
            "repeated": 0,
            "id": 523
          },
          {
            "timestamp": "2026-05-28 22:03:02,082",
            "thread_id": "6264",
            "caller": "0x7ffc756e2e92",
            "parentcaller": "0x7ffc77ba870d",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002d6"
              },
              {
                "name": "ValueName",
                "value": "RemoteServerName"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\AppID\\{338B40F9-9D68-4B53-A793-6B9AA0C5F63B}\\RemoteServerName"
              }
            ],
            "repeated": 0,
            "id": 524
          },
          {
            "timestamp": "2026-05-28 22:03:02,082",
            "thread_id": "6264",
            "caller": "0x7ffc77baa1c8",
            "parentcaller": "0x7ffc77bc4dd5",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002d6"
              },
              {
                "name": "ValueName",
                "value": "SRPTrustLevel"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\AppID\\{338B40F9-9D68-4B53-A793-6B9AA0C5F63B}\\SRPTrustLevel"
              }
            ],
            "repeated": 0,
            "id": 525
          },
          {
            "timestamp": "2026-05-28 22:03:02,082",
            "thread_id": "6264",
            "caller": "0x7ffc77baa227",
            "parentcaller": "0x7ffc77bc4dd5",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002d6"
              },
              {
                "name": "ValueName",
                "value": "PreferredServerBitness"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\AppID\\{338B40F9-9D68-4B53-A793-6B9AA0C5F63B}\\PreferredServerBitness"
              }
            ],
            "repeated": 0,
            "id": 526
          },
          {
            "timestamp": "2026-05-28 22:03:02,082",
            "thread_id": "6264",
            "caller": "0x7ffc77baa28a",
            "parentcaller": "0x7ffc77bc4dd5",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002d6"
              },
              {
                "name": "ValueName",
                "value": "LoadUserSettings"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\AppID\\{338B40F9-9D68-4B53-A793-6B9AA0C5F63B}\\LoadUserSettings"
              }
            ],
            "repeated": 0,
            "id": 527
          },
          {
            "timestamp": "2026-05-28 22:03:02,082",
            "thread_id": "6264",
            "caller": "0x7ffc77baa318",
            "parentcaller": "0x7ffc77bc4dd5",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002d6"
              },
              {
                "name": "ValueName",
                "value": "ProtectionLevel"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\AppID\\{338B40F9-9D68-4B53-A793-6B9AA0C5F63B}\\ProtectionLevel"
              }
            ],
            "repeated": 0,
            "id": 528
          },
          {
            "timestamp": "2026-05-28 22:03:02,082",
            "thread_id": "6264",
            "caller": "0x7ffc77bc4e2a",
            "parentcaller": "0x7ffc77baa9ba",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002d6"
              }
            ],
            "repeated": 0,
            "id": 529
          },
          {
            "timestamp": "2026-05-28 22:03:02,082",
            "thread_id": "6264",
            "caller": "0x7ffc77c4450c",
            "parentcaller": "0x7ffc77baaa90",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x000002d2"
              },
              {
                "name": "SubKey",
                "value": "InprocServer32"
              },
              {
                "name": "Handle",
                "value": "0x000002d6"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{338B40F9-9D68-4B53-A793-6B9AA0C5F63B}\\InprocServer32"
              }
            ],
            "repeated": 0,
            "id": 530
          },
          {
            "timestamp": "2026-05-28 22:03:02,082",
            "thread_id": "6264",
            "caller": "0x7ffc77c44529",
            "parentcaller": "0x7ffc77baaa90",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002d6"
              }
            ],
            "repeated": 0,
            "id": 531
          },
          {
            "timestamp": "2026-05-28 22:03:02,082",
            "thread_id": "6264",
            "caller": "0x7ffc756dddf0",
            "parentcaller": "0x7ffc77c44a29",
            "category": "misc",
            "api": "NtQuerySystemInformation",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SystemInformationClass",
                "value": "0",
                "pretty_value": "SystemBasicInformation"
              }
            ],
            "repeated": 0,
            "id": 532
          },
          {
            "timestamp": "2026-05-28 22:03:02,082",
            "thread_id": "6264",
            "caller": "0x7ffc756dde10",
            "parentcaller": "0x7ffc77c44a29",
            "category": "misc",
            "api": "NtQuerySystemInformation",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SystemInformationClass",
                "value": "1",
                "pretty_value": "SystemProcessorInformation"
              }
            ],
            "repeated": 0,
            "id": 533
          },
          {
            "timestamp": "2026-05-28 22:03:02,082",
            "thread_id": "6264",
            "caller": "0x7ffc756e45a7",
            "parentcaller": "0x7ffc756e0705",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002d2"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\CLSID\\{338B40F9-9D68-4B53-A793-6B9AA0C5F63B}"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 534
          },
          {
            "timestamp": "2026-05-28 22:03:02,082",
            "thread_id": "6264",
            "caller": "0x7ffc756e2314",
            "parentcaller": "0x7ffc756e0732",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002d2"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 535
          },
          {
            "timestamp": "2026-05-28 22:03:02,082",
            "thread_id": "6264",
            "caller": "0x7ffc78006c8b",
            "parentcaller": "0x7ffc756e23a0",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xb0\\xc7\\x9f\\x1b\\x9b\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xfc\\x7f\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\xe9\\x03\\x00\\x00\\xfc\\x7f\\x00\\x00\\xb8\\xcf\\xd93\\xfc\\x7f\\x00\\x00\\xd2\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\xe0\\xd2\\xd93\\xfc\\x7f\\x00\\x00\\x04\\x00\\x00\\x00\\x9b\\x00\\x00\\x00\\xb0\\xc8\\x9f\\x1b\\x9b\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 536
          },
          {
            "timestamp": "2026-05-28 22:03:02,082",
            "thread_id": "6264",
            "caller": "0x7ffc756e24a8",
            "parentcaller": "0x7ffc756e0732",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3968686040-3210279463-847977608-1001_Classes\\CLSID\\{338B40F9-9D68-4B53-A793-6B9AA0C5F63B}\\LocalServer"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{338B40F9-9D68-4B53-A793-6B9AA0C5F63B}\\LocalServer"
              }
            ],
            "repeated": 0,
            "id": 537
          },
          {
            "timestamp": "2026-05-28 22:03:02,082",
            "thread_id": "6264",
            "caller": "0x7ffc756e40c4",
            "parentcaller": "0x7ffc756e25c4",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002d2"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 538
          },
          {
            "timestamp": "2026-05-28 22:03:02,082",
            "thread_id": "6264",
            "caller": "0x7ffc756e25e2",
            "parentcaller": "0x7ffc756e0732",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x000002d2"
              },
              {
                "name": "ObjectAttributesName",
                "value": "LocalServer"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{338B40F9-9D68-4B53-A793-6B9AA0C5F63B}\\LocalServer"
              }
            ],
            "repeated": 0,
            "id": 539
          },
          {
            "timestamp": "2026-05-28 22:03:02,082",
            "thread_id": "6264",
            "caller": "0x7ffc77baad16",
            "parentcaller": "0x7ffc77ba83b8",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000232"
              },
              {
                "name": "SubKey",
                "value": "CLSID\\{338B40F9-9D68-4B53-A793-6B9AA0C5F63B}"
              },
              {
                "name": "Handle",
                "value": "0x000002d6"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{338B40F9-9D68-4B53-A793-6B9AA0C5F63B}"
              }
            ],
            "repeated": 0,
            "id": 540
          },
          {
            "timestamp": "2026-05-28 22:03:02,082",
            "thread_id": "6264",
            "caller": "0x7ffc77baad4d",
            "parentcaller": "0x7ffc77ba83b8",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x000002d6"
              },
              {
                "name": "SubKey",
                "value": "Elevation"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{338B40F9-9D68-4B53-A793-6B9AA0C5F63B}\\Elevation"
              }
            ],
            "repeated": 0,
            "id": 541
          },
          {
            "timestamp": "2026-05-28 22:03:02,082",
            "thread_id": "6264",
            "caller": "0x7ffc77baadb1",
            "parentcaller": "0x7ffc77ba83b8",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002d6"
              }
            ],
            "repeated": 0,
            "id": 542
          },
          {
            "timestamp": "2026-05-28 22:03:02,082",
            "thread_id": "6264",
            "caller": "0x7ffc77ba8010",
            "parentcaller": "0x7ffc77ba53d4",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002d2"
              }
            ],
            "repeated": 0,
            "id": 543
          },
          {
            "timestamp": "2026-05-28 22:03:02,082",
            "thread_id": "6264",
            "caller": "0x7ffc77ba22bf",
            "parentcaller": "0x7ffc77ba25e9",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000252"
              },
              {
                "name": "SubKey",
                "value": "CLSID\\{338B40F9-9D68-4B53-A793-6B9AA0C5F63B}"
              },
              {
                "name": "Handle",
                "value": "0x000002d2"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{338B40F9-9D68-4B53-A793-6B9AA0C5F63B}"
              }
            ],
            "repeated": 0,
            "id": 544
          },
          {
            "timestamp": "2026-05-28 22:03:02,082",
            "thread_id": "6264",
            "caller": "0x7ffc77c1f8f8",
            "parentcaller": "0x7ffc77ba213b",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x000002d2"
              },
              {
                "name": "SubKey",
                "value": "TreatAs"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{338B40F9-9D68-4B53-A793-6B9AA0C5F63B}\\TreatAs"
              }
            ],
            "repeated": 0,
            "id": 545
          },
          {
            "timestamp": "2026-05-28 22:03:02,082",
            "thread_id": "6264",
            "caller": "0x7ffc77ba2160",
            "parentcaller": "0x7ffc77b99277",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002d2"
              }
            ],
            "repeated": 0,
            "id": 546
          },
          {
            "timestamp": "2026-05-28 22:03:02,082",
            "thread_id": "6264",
            "caller": "0x7ffc756e56b2",
            "parentcaller": "0x7ffc77bc6b6d",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\system32\\logoncli"
              },
              {
                "name": "DllBase",
                "value": "0x7ffc74ba0000"
              }
            ],
            "repeated": 0,
            "id": 547
          },
          {
            "timestamp": "2026-05-28 22:03:02,176",
            "thread_id": "6264",
            "caller": "0x7ffc756e56b2",
            "parentcaller": "0x7ffc77bc6b6d",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\system32\\netutils"
              },
              {
                "name": "DllBase",
                "value": "0x7ffc74b80000"
              }
            ],
            "repeated": 0,
            "id": 548
          },
          {
            "timestamp": "2026-05-28 22:03:02,207",
            "thread_id": "6264",
            "caller": "0x7ffc756e56b2",
            "parentcaller": "0x7ffc77bc6b6d",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\system32\\dhcpcsvc"
              },
              {
                "name": "DllBase",
                "value": "0x7ffc6e0a0000"
              }
            ],
            "repeated": 0,
            "id": 549
          },
          {
            "timestamp": "2026-05-28 22:03:02,223",
            "thread_id": "6264",
            "caller": "0x7ffc756e56b2",
            "parentcaller": "0x7ffc77bc6b6d",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\system32\\WINHTTP"
              },
              {
                "name": "DllBase",
                "value": "0x7ffc707b0000"
              }
            ],
            "repeated": 0,
            "id": 550
          },
          {
            "timestamp": "2026-05-28 22:03:02,223",
            "thread_id": "6264",
            "caller": "0x7ffc78037cc6",
            "parentcaller": "0x7ffc7800ddf7",
            "category": "system",
            "api": "NtQuerySystemTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 9,
            "id": 551
          },
          {
            "timestamp": "2026-05-28 22:03:02,269",
            "thread_id": "6264",
            "caller": "0x7ffc78037cc6",
            "parentcaller": "0x7ffc7800ddf7",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\SYSTEM32\\ntmarta"
              },
              {
                "name": "DllBase",
                "value": "0x7ffc747f0000"
              }
            ],
            "repeated": 0,
            "id": 552
          },
          {
            "timestamp": "2026-05-28 22:03:02,316",
            "thread_id": "6264",
            "caller": "0x7ffc78037cc6",
            "parentcaller": "0x7ffc7800ddf7",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\System32\\shcore"
              },
              {
                "name": "DllBase",
                "value": "0x7ffc775b0000"
              }
            ],
            "repeated": 0,
            "id": 553
          },
          {
            "timestamp": "2026-05-28 22:03:02,316",
            "thread_id": "6264",
            "caller": "0x7ffc78037cc6",
            "parentcaller": "0x7ffc7800ddf7",
            "category": "system",
            "api": "NtQuerySystemTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 554
          },
          {
            "timestamp": "2026-05-28 22:03:02,394",
            "thread_id": "6264",
            "caller": "0x7ffc78037cc6",
            "parentcaller": "0x7ffc7800ddf7",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\system32\\IPHLPAPI"
              },
              {
                "name": "DllBase",
                "value": "0x7ffc74a70000"
              }
            ],
            "repeated": 0,
            "id": 555
          },
          {
            "timestamp": "2026-05-28 22:03:02,394",
            "thread_id": "6264",
            "caller": "0x7ffc78037cc6",
            "parentcaller": "0x7ffc7800ddf7",
            "category": "system",
            "api": "NtQuerySystemTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 1,
            "id": 556
          },
          {
            "timestamp": "2026-05-28 22:03:02,410",
            "thread_id": "6264",
            "caller": "0x7ffc78037cc6",
            "parentcaller": "0x7ffc7800ddf7",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\system32\\USERENV"
              },
              {
                "name": "DllBase",
                "value": "0x7ffc75560000"
              }
            ],
            "repeated": 0,
            "id": 557
          },
          {
            "timestamp": "2026-05-28 22:03:02,441",
            "thread_id": "6264",
            "caller": "0x7ffc78037cc6",
            "parentcaller": "0x7ffc7800ddf7",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\system32\\profapi"
              },
              {
                "name": "DllBase",
                "value": "0x7ffc755e0000"
              }
            ],
            "repeated": 0,
            "id": 558
          },
          {
            "timestamp": "2026-05-28 22:03:02,488",
            "thread_id": "6264",
            "caller": "0x7ffc78037cc6",
            "parentcaller": "0x7ffc7800ddf7",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\system32\\XmlLite"
              },
              {
                "name": "DllBase",
                "value": "0x7ffc711f0000"
              }
            ],
            "repeated": 0,
            "id": 559
          },
          {
            "timestamp": "2026-05-28 22:03:02,613",
            "thread_id": "6264",
            "caller": "0x7ffc78037cc6",
            "parentcaller": "0x7ffc7800ddf7",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\system32\\DNSAPI"
              },
              {
                "name": "DllBase",
                "value": "0x7ffc74ab0000"
              }
            ],
            "repeated": 0,
            "id": 560
          },
          {
            "timestamp": "2026-05-28 22:03:02,613",
            "thread_id": "6264",
            "caller": "0x7ffc78037cc6",
            "parentcaller": "0x7ffc7800ddf7",
            "category": "system",
            "api": "NtQuerySystemTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 2,
            "id": 561
          },
          {
            "timestamp": "2026-05-28 22:03:02,644",
            "thread_id": "6264",
            "caller": "0x7ffc78037cc6",
            "parentcaller": "0x7ffc7800ddf7",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\system32\\domgmt"
              },
              {
                "name": "DllBase",
                "value": "0x7ffc1a000000"
              }
            ],
            "repeated": 0,
            "id": 562
          },
          {
            "timestamp": "2026-05-28 22:03:02,676",
            "thread_id": "6264",
            "caller": "0x7ffc75745db3",
            "parentcaller": "0x7ffc74a78adc",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 563
          },
          {
            "timestamp": "2026-05-28 22:03:02,676",
            "thread_id": "6264",
            "caller": "0x7ffc75745db3",
            "parentcaller": "0x7ffc74a78adc",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\System32\\NSI"
              },
              {
                "name": "DllBase",
                "value": "0x7ffc771d0000"
              }
            ],
            "repeated": 0,
            "id": 564
          },
          {
            "timestamp": "2026-05-28 22:03:02,754",
            "thread_id": "6264",
            "caller": "0x7ffc756e56b2",
            "parentcaller": "0x7ffc77bc6b6d",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\domgmt.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc1a000000"
              }
            ],
            "repeated": 0,
            "id": 565
          },
          {
            "timestamp": "2026-05-28 22:03:02,754",
            "thread_id": "6264",
            "caller": "0x7ffc756e56b2",
            "parentcaller": "0x7ffc77bc6b6d",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x7ffc1a000000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\system32\\domgmt.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00002008"
              }
            ],
            "repeated": 0,
            "id": 566
          },
          {
            "timestamp": "2026-05-28 22:03:02,754",
            "thread_id": "6264",
            "caller": "0x7ffc756eac31",
            "parentcaller": "0x7ffc77bc6acf",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "domgmt.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc1a000000"
              },
              {
                "name": "FunctionName",
                "value": "DllGetClassObject"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc1a00e9d0"
              }
            ],
            "repeated": 0,
            "id": 567
          },
          {
            "timestamp": "2026-05-28 22:03:02,754",
            "thread_id": "6264",
            "caller": "0x7ffc756eac31",
            "parentcaller": "0x7ffc77bc6ae8",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": false,
            "return": "0xffffffffc0000139",
            "pretty_return": "ENTRYPOINT_NOT_FOUND",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "domgmt.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc1a000000"
              },
              {
                "name": "FunctionName",
                "value": "DllGetActivationFactory"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 568
          },
          {
            "timestamp": "2026-05-28 22:03:02,754",
            "thread_id": "6264",
            "caller": "0x7ffc756eac31",
            "parentcaller": "0x7ffc77bc6b08",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "domgmt.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc1a000000"
              },
              {
                "name": "FunctionName",
                "value": "DllCanUnloadNow"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc1a00eb40"
              }
            ],
            "repeated": 0,
            "id": 569
          },
          {
            "timestamp": "2026-05-28 22:03:02,754",
            "thread_id": "6264",
            "caller": "0x7ffc756de76a",
            "parentcaller": "0x7ffc77bb0e64",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "combase.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc77b70000"
              }
            ],
            "repeated": 0,
            "id": 570
          },
          {
            "timestamp": "2026-05-28 22:03:02,754",
            "thread_id": "6264",
            "caller": "0x7ffc756eac31",
            "parentcaller": "0x7ffc77bb0e82",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "combase.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc77b70000"
              },
              {
                "name": "FunctionName",
                "value": "CoGetMarshalSizeMax"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc77bdc590"
              }
            ],
            "repeated": 0,
            "id": 571
          },
          {
            "timestamp": "2026-05-28 22:03:02,754",
            "thread_id": "6264",
            "caller": "0x7ffc756eac31",
            "parentcaller": "0x7ffc77bb0e9f",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "combase.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc77b70000"
              },
              {
                "name": "FunctionName",
                "value": "CoMarshalInterface"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc77beb0b0"
              }
            ],
            "repeated": 0,
            "id": 572
          },
          {
            "timestamp": "2026-05-28 22:03:02,754",
            "thread_id": "6264",
            "caller": "0x7ffc756eac31",
            "parentcaller": "0x7ffc77bb0ebc",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "combase.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc77b70000"
              },
              {
                "name": "FunctionName",
                "value": "CoUnmarshalInterface"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc77be8b50"
              }
            ],
            "repeated": 0,
            "id": 573
          },
          {
            "timestamp": "2026-05-28 22:03:02,754",
            "thread_id": "6264",
            "caller": "0x7ffc756eac31",
            "parentcaller": "0x7ffc77bb0ed9",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "combase.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc77b70000"
              },
              {
                "name": "FunctionName",
                "value": "CoReleaseMarshalData"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc77b9e790"
              }
            ],
            "repeated": 0,
            "id": 574
          },
          {
            "timestamp": "2026-05-28 22:03:02,754",
            "thread_id": "6264",
            "caller": "0x7ffc77ba22bf",
            "parentcaller": "0x7ffc77c1fbe4",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000252"
              },
              {
                "name": "SubKey",
                "value": "Interface\\{8863F93E-77EA-4C67-A86F-7638E3A568A6}"
              },
              {
                "name": "Handle",
                "value": "0x0000032e"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\Interface\\{8863F93E-77EA-4C67-A86F-7638E3A568A6}"
              }
            ],
            "repeated": 0,
            "id": 575
          },
          {
            "timestamp": "2026-05-28 22:03:02,754",
            "thread_id": "6264",
            "caller": "0x7ffc77c1fa51",
            "parentcaller": "0x7ffc77be42ab",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x0000032e"
              },
              {
                "name": "SubKey",
                "value": "ProxyStubClsid32"
              },
              {
                "name": "Handle",
                "value": "0x0000032a"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{8863F93E-77EA-4C67-A86F-7638E3A568A6}\\ProxyStubClsid32"
              }
            ],
            "repeated": 0,
            "id": 576
          },
          {
            "timestamp": "2026-05-28 22:03:02,754",
            "thread_id": "6264",
            "caller": "0x7ffc77c1fa8c",
            "parentcaller": "0x7ffc77be42ab",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000032a"
              },
              {
                "name": "ValueName",
                "value": ""
              },
              {
                "name": "Data",
                "value": "{A6FF50C0-56C0-71CA-5732-BED303A59628}"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{8863F93E-77EA-4C67-A86F-7638E3A568A6}\\ProxyStubClsid32\\(Default)"
              }
            ],
            "repeated": 0,
            "id": 577
          },
          {
            "timestamp": "2026-05-28 22:03:02,754",
            "thread_id": "6264",
            "caller": "0x7ffc77c1fad3",
            "parentcaller": "0x7ffc77be42ab",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000032a"
              }
            ],
            "repeated": 0,
            "id": 578
          },
          {
            "timestamp": "2026-05-28 22:03:02,754",
            "thread_id": "6264",
            "caller": "0x7ffc77c1fae4",
            "parentcaller": "0x7ffc77be42ab",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000032e"
              }
            ],
            "repeated": 0,
            "id": 579
          },
          {
            "timestamp": "2026-05-28 22:03:02,754",
            "thread_id": "6264",
            "caller": "0x7ffc77ba7b74",
            "parentcaller": "0x7ffc77ba53d4",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000232"
              },
              {
                "name": "SubKey",
                "value": "CLSID\\{A6FF50C0-56C0-71CA-5732-BED303A59628}"
              },
              {
                "name": "Handle",
                "value": "0x0000032e"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{A6FF50C0-56C0-71CA-5732-BED303A59628}"
              }
            ],
            "repeated": 0,
            "id": 580
          },
          {
            "timestamp": "2026-05-28 22:03:02,754",
            "thread_id": "6264",
            "caller": "0x7ffc756e45a7",
            "parentcaller": "0x7ffc756e0705",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000032e"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\CLSID\\{A6FF50C0-56C0-71CA-5732-BED303A59628}"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 581
          },
          {
            "timestamp": "2026-05-28 22:03:02,754",
            "thread_id": "6264",
            "caller": "0x7ffc756e2314",
            "parentcaller": "0x7ffc756e0732",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000032e"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 582
          },
          {
            "timestamp": "2026-05-28 22:03:02,754",
            "thread_id": "6264",
            "caller": "0x7ffc78006c8b",
            "parentcaller": "0x7ffc756e23a0",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xa0\\xbc\\x9f\\x1b\\x9b\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xfc\\x7f\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\xe9\\x03\\x00\\x00\\xfc\\x7f\\x00\\x00\\xb8\\xcf\\xd93\\xfc\\x7f\\x00\\x00.\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\xe0\\xd2\\xd93\\xfc\\x7f\\x00\\x00\\x04\\x00\\x00\\x00\\x9b\\x00\\x00\\x00\\xa0\\xbd\\x9f\\x1b\\x9b\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 583
          },
          {
            "timestamp": "2026-05-28 22:03:02,754",
            "thread_id": "6264",
            "caller": "0x7ffc756e24a8",
            "parentcaller": "0x7ffc756e0732",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3968686040-3210279463-847977608-1001_Classes\\CLSID\\{A6FF50C0-56C0-71CA-5732-BED303A59628}\\TreatAs"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{A6FF50C0-56C0-71CA-5732-BED303A59628}\\TreatAs"
              }
            ],
            "repeated": 0,
            "id": 584
          },
          {
            "timestamp": "2026-05-28 22:03:02,754",
            "thread_id": "6264",
            "caller": "0x7ffc756e40c4",
            "parentcaller": "0x7ffc756e25c4",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000032e"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 585
          },
          {
            "timestamp": "2026-05-28 22:03:02,754",
            "thread_id": "6264",
            "caller": "0x7ffc756e25e2",
            "parentcaller": "0x7ffc756e0732",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x0000032e"
              },
              {
                "name": "ObjectAttributesName",
                "value": "TreatAs"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{A6FF50C0-56C0-71CA-5732-BED303A59628}\\TreatAs"
              }
            ],
            "repeated": 0,
            "id": 586
          },
          {
            "timestamp": "2026-05-28 22:03:02,754",
            "thread_id": "6264",
            "caller": "0x7ffc77c322e1",
            "parentcaller": "0x7ffc77ba7c1d",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000032e"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\CLSID\\{A6FF50C0-56C0-71CA-5732-BED303A59628}"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 587
          },
          {
            "timestamp": "2026-05-28 22:03:02,754",
            "thread_id": "6264",
            "caller": "0x7ffc756e2e92",
            "parentcaller": "0x7ffc77ba81f5",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000032e"
              },
              {
                "name": "ValueName",
                "value": "ActivateOnHostFlags"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{A6FF50C0-56C0-71CA-5732-BED303A59628}\\ActivateOnHostFlags"
              }
            ],
            "repeated": 0,
            "id": 588
          },
          {
            "timestamp": "2026-05-28 22:03:02,754",
            "thread_id": "6264",
            "caller": "0x7ffc756e2e92",
            "parentcaller": "0x7ffc77ba870d",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000032e"
              },
              {
                "name": "ValueName",
                "value": ""
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{A6FF50C0-56C0-71CA-5732-BED303A59628}\\(Default)"
              }
            ],
            "repeated": 0,
            "id": 589
          },
          {
            "timestamp": "2026-05-28 22:03:02,754",
            "thread_id": "6264",
            "caller": "0x7ffc756e2e92",
            "parentcaller": "0x7ffc77ba87bc",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000032e"
              },
              {
                "name": "ValueName",
                "value": ""
              },
              {
                "name": "Data",
                "value": "PSFactoryBuffer"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{A6FF50C0-56C0-71CA-5732-BED303A59628}\\(Default)"
              }
            ],
            "repeated": 0,
            "id": 590
          },
          {
            "timestamp": "2026-05-28 22:03:02,754",
            "thread_id": "6264",
            "caller": "0x7ffc77ba8485",
            "parentcaller": "0x7ffc77ba829e",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x0000032e"
              },
              {
                "name": "SubKey",
                "value": "InprocServer32"
              },
              {
                "name": "Handle",
                "value": "0x0000032a"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{A6FF50C0-56C0-71CA-5732-BED303A59628}\\InprocServer32"
              }
            ],
            "repeated": 0,
            "id": 591
          },
          {
            "timestamp": "2026-05-28 22:03:02,754",
            "thread_id": "6264",
            "caller": "0x7ffc756e2e92",
            "parentcaller": "0x7ffc77ba870d",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000032a"
              },
              {
                "name": "ValueName",
                "value": "InprocServer32"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{A6FF50C0-56C0-71CA-5732-BED303A59628}\\InProcServer32\\InprocServer32"
              }
            ],
            "repeated": 0,
            "id": 592
          },
          {
            "timestamp": "2026-05-28 22:03:02,754",
            "thread_id": "6264",
            "caller": "0x7ffc756e2e92",
            "parentcaller": "0x7ffc77ba870d",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000032a"
              },
              {
                "name": "ValueName",
                "value": ""
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{A6FF50C0-56C0-71CA-5732-BED303A59628}\\InProcServer32\\(Default)"
              }
            ],
            "repeated": 0,
            "id": 593
          },
          {
            "timestamp": "2026-05-28 22:03:02,754",
            "thread_id": "6264",
            "caller": "0x7ffc756e2e92",
            "parentcaller": "0x7ffc77ba87bc",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000032a"
              },
              {
                "name": "ValueName",
                "value": ""
              },
              {
                "name": "Data",
                "value": "C:\\Windows\\System32\\OneCoreCommonProxyStub.dll"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{A6FF50C0-56C0-71CA-5732-BED303A59628}\\InProcServer32\\(Default)"
              }
            ],
            "repeated": 0,
            "id": 594
          },
          {
            "timestamp": "2026-05-28 22:03:02,754",
            "thread_id": "6264",
            "caller": "0x7ffc756e2e92",
            "parentcaller": "0x7ffc77ba8d32",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000032a"
              },
              {
                "name": "ValueName",
                "value": "ThreadingModel"
              },
              {
                "name": "Data",
                "value": "Both"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{A6FF50C0-56C0-71CA-5732-BED303A59628}\\InProcServer32\\ThreadingModel"
              }
            ],
            "repeated": 0,
            "id": 595
          },
          {
            "timestamp": "2026-05-28 22:03:02,754",
            "thread_id": "6264",
            "caller": "0x7ffc77ba855f",
            "parentcaller": "0x7ffc77ba829e",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000032a"
              }
            ],
            "repeated": 0,
            "id": 596
          },
          {
            "timestamp": "2026-05-28 22:03:02,754",
            "thread_id": "6264",
            "caller": "0x7ffc756e45a7",
            "parentcaller": "0x7ffc756e0705",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000032e"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\CLSID\\{A6FF50C0-56C0-71CA-5732-BED303A59628}"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 597
          },
          {
            "timestamp": "2026-05-28 22:03:02,754",
            "thread_id": "6264",
            "caller": "0x7ffc756e2314",
            "parentcaller": "0x7ffc756e0732",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000032e"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 598
          },
          {
            "timestamp": "2026-05-28 22:03:02,754",
            "thread_id": "6264",
            "caller": "0x7ffc78006c8b",
            "parentcaller": "0x7ffc756e23a0",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "0\\xbb\\x9f\\x1b\\x9b\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xfc\\x7f\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\xe9\\x03\\x00\\x00\\xfc\\x7f\\x00\\x00\\xb8\\xcf\\xd93\\xfc\\x7f\\x00\\x00.\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\xe0\\xd2\\xd93\\xfc\\x7f\\x00\\x00\\x04\\x00\\x00\\x00\\x9b\\x00\\x00\\x000\\xbc\\x9f\\x1b\\x9b\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 599
          },
          {
            "timestamp": "2026-05-28 22:03:02,754",
            "thread_id": "6264",
            "caller": "0x7ffc756e24a8",
            "parentcaller": "0x7ffc756e0732",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3968686040-3210279463-847977608-1001_Classes\\CLSID\\{A6FF50C0-56C0-71CA-5732-BED303A59628}\\InprocHandler32"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{A6FF50C0-56C0-71CA-5732-BED303A59628}\\InprocHandler32"
              }
            ],
            "repeated": 0,
            "id": 600
          },
          {
            "timestamp": "2026-05-28 22:03:02,754",
            "thread_id": "6264",
            "caller": "0x7ffc756e40c4",
            "parentcaller": "0x7ffc756e25c4",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000032e"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 601
          },
          {
            "timestamp": "2026-05-28 22:03:02,754",
            "thread_id": "6264",
            "caller": "0x7ffc756e25e2",
            "parentcaller": "0x7ffc756e0732",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x0000032e"
              },
              {
                "name": "ObjectAttributesName",
                "value": "InprocHandler32"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{A6FF50C0-56C0-71CA-5732-BED303A59628}\\InprocHandler32"
              }
            ],
            "repeated": 0,
            "id": 602
          },
          {
            "timestamp": "2026-05-28 22:03:02,754",
            "thread_id": "6264",
            "caller": "0x7ffc756e45a7",
            "parentcaller": "0x7ffc756e0705",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000032e"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\CLSID\\{A6FF50C0-56C0-71CA-5732-BED303A59628}"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 603
          },
          {
            "timestamp": "2026-05-28 22:03:02,754",
            "thread_id": "6264",
            "caller": "0x7ffc756e2314",
            "parentcaller": "0x7ffc756e0732",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000032e"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 604
          },
          {
            "timestamp": "2026-05-28 22:03:02,754",
            "thread_id": "6264",
            "caller": "0x7ffc78006c8b",
            "parentcaller": "0x7ffc756e23a0",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "0\\xbb\\x9f\\x1b\\x9b\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xfc\\x7f\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\xe9\\x03\\x00\\x00\\xfc\\x7f\\x00\\x00\\xb8\\xcf\\xd93\\xfc\\x7f\\x00\\x00.\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\xe0\\xd2\\xd93\\xfc\\x7f\\x00\\x00\\x04\\x00\\x00\\x00\\x9b\\x00\\x00\\x000\\xbc\\x9f\\x1b\\x9b\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 605
          },
          {
            "timestamp": "2026-05-28 22:03:02,754",
            "thread_id": "6264",
            "caller": "0x7ffc756e24a8",
            "parentcaller": "0x7ffc756e0732",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3968686040-3210279463-847977608-1001_Classes\\CLSID\\{A6FF50C0-56C0-71CA-5732-BED303A59628}\\InprocHandler"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{A6FF50C0-56C0-71CA-5732-BED303A59628}\\InprocHandler"
              }
            ],
            "repeated": 0,
            "id": 606
          },
          {
            "timestamp": "2026-05-28 22:03:02,754",
            "thread_id": "6264",
            "caller": "0x7ffc756e40c4",
            "parentcaller": "0x7ffc756e25c4",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000032e"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 607
          },
          {
            "timestamp": "2026-05-28 22:03:02,754",
            "thread_id": "6264",
            "caller": "0x7ffc756e25e2",
            "parentcaller": "0x7ffc756e0732",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x0000032e"
              },
              {
                "name": "ObjectAttributesName",
                "value": "InprocHandler"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{A6FF50C0-56C0-71CA-5732-BED303A59628}\\InprocHandler"
              }
            ],
            "repeated": 0,
            "id": 608
          },
          {
            "timestamp": "2026-05-28 22:03:02,754",
            "thread_id": "6264",
            "caller": "0x7ffc77ba8010",
            "parentcaller": "0x7ffc77ba53d4",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000032e"
              }
            ],
            "repeated": 0,
            "id": 609
          },
          {
            "timestamp": "2026-05-28 22:03:02,754",
            "thread_id": "6264",
            "caller": "0x7ffc756d30ce",
            "parentcaller": "0x7ffc77c22cd1",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 610
          },
          {
            "timestamp": "2026-05-28 22:03:02,754",
            "thread_id": "6264",
            "caller": "0x7ffc756d30ce",
            "parentcaller": "0x7ffc77c22cd1",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000248"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 611
          },
          {
            "timestamp": "2026-05-28 22:03:02,754",
            "thread_id": "6264",
            "caller": "0x7ffc77ba7b74",
            "parentcaller": "0x7ffc77ba53d4",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000232"
              },
              {
                "name": "SubKey",
                "value": "CLSID\\{A6FF50C0-56C0-71CA-5732-BED303A59628}"
              },
              {
                "name": "Handle",
                "value": "0x0000032e"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{A6FF50C0-56C0-71CA-5732-BED303A59628}"
              }
            ],
            "repeated": 0,
            "id": 612
          },
          {
            "timestamp": "2026-05-28 22:03:02,754",
            "thread_id": "6264",
            "caller": "0x7ffc756e45a7",
            "parentcaller": "0x7ffc756e0705",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000032e"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\CLSID\\{A6FF50C0-56C0-71CA-5732-BED303A59628}"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 613
          },
          {
            "timestamp": "2026-05-28 22:03:02,754",
            "thread_id": "6264",
            "caller": "0x7ffc756e2314",
            "parentcaller": "0x7ffc756e0732",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000032e"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 614
          },
          {
            "timestamp": "2026-05-28 22:03:02,754",
            "thread_id": "6264",
            "caller": "0x7ffc78006c8b",
            "parentcaller": "0x7ffc756e23a0",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "`\\xb9\\x9f\\x1b\\x9b\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xfc\\x7f\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\xe9\\x03\\x00\\x00\\xfc\\x7f\\x00\\x00\\xb8\\xcf\\xd93\\xfc\\x7f\\x00\\x00.\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\xe0\\xd2\\xd93\\xfc\\x7f\\x00\\x00\\x04\\x00\\x00\\x00\\x9b\\x00\\x00\\x00`\\xba\\x9f\\x1b\\x9b\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 615
          },
          {
            "timestamp": "2026-05-28 22:03:02,754",
            "thread_id": "6264",
            "caller": "0x7ffc756e24a8",
            "parentcaller": "0x7ffc756e0732",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3968686040-3210279463-847977608-1001_Classes\\CLSID\\{A6FF50C0-56C0-71CA-5732-BED303A59628}\\TreatAs"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{A6FF50C0-56C0-71CA-5732-BED303A59628}\\TreatAs"
              }
            ],
            "repeated": 0,
            "id": 616
          },
          {
            "timestamp": "2026-05-28 22:03:02,754",
            "thread_id": "6264",
            "caller": "0x7ffc756e40c4",
            "parentcaller": "0x7ffc756e25c4",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000032e"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 617
          },
          {
            "timestamp": "2026-05-28 22:03:02,754",
            "thread_id": "6264",
            "caller": "0x7ffc756e25e2",
            "parentcaller": "0x7ffc756e0732",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x0000032e"
              },
              {
                "name": "ObjectAttributesName",
                "value": "TreatAs"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{A6FF50C0-56C0-71CA-5732-BED303A59628}\\TreatAs"
              }
            ],
            "repeated": 0,
            "id": 618
          },
          {
            "timestamp": "2026-05-28 22:03:02,754",
            "thread_id": "6264",
            "caller": "0x7ffc77c322e1",
            "parentcaller": "0x7ffc77ba7c1d",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000032e"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\CLSID\\{A6FF50C0-56C0-71CA-5732-BED303A59628}"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 619
          },
          {
            "timestamp": "2026-05-28 22:03:02,754",
            "thread_id": "6264",
            "caller": "0x7ffc756e2e92",
            "parentcaller": "0x7ffc77ba81f5",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000032e"
              },
              {
                "name": "ValueName",
                "value": "ActivateOnHostFlags"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{A6FF50C0-56C0-71CA-5732-BED303A59628}\\ActivateOnHostFlags"
              }
            ],
            "repeated": 0,
            "id": 620
          },
          {
            "timestamp": "2026-05-28 22:03:02,754",
            "thread_id": "6264",
            "caller": "0x7ffc756e2e92",
            "parentcaller": "0x7ffc77ba870d",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000032e"
              },
              {
                "name": "ValueName",
                "value": ""
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{A6FF50C0-56C0-71CA-5732-BED303A59628}\\(Default)"
              }
            ],
            "repeated": 0,
            "id": 621
          },
          {
            "timestamp": "2026-05-28 22:03:02,754",
            "thread_id": "6264",
            "caller": "0x7ffc756e2e92",
            "parentcaller": "0x7ffc77ba87bc",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000032e"
              },
              {
                "name": "ValueName",
                "value": ""
              },
              {
                "name": "Data",
                "value": "PSFactoryBuffer"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{A6FF50C0-56C0-71CA-5732-BED303A59628}\\(Default)"
              }
            ],
            "repeated": 0,
            "id": 622
          },
          {
            "timestamp": "2026-05-28 22:03:02,754",
            "thread_id": "6264",
            "caller": "0x7ffc77ba8485",
            "parentcaller": "0x7ffc77ba829e",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x0000032e"
              },
              {
                "name": "SubKey",
                "value": "InprocServer32"
              },
              {
                "name": "Handle",
                "value": "0x0000032a"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{A6FF50C0-56C0-71CA-5732-BED303A59628}\\InprocServer32"
              }
            ],
            "repeated": 0,
            "id": 623
          },
          {
            "timestamp": "2026-05-28 22:03:02,754",
            "thread_id": "6264",
            "caller": "0x7ffc756e2e92",
            "parentcaller": "0x7ffc77ba870d",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000032a"
              },
              {
                "name": "ValueName",
                "value": "InprocServer32"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{A6FF50C0-56C0-71CA-5732-BED303A59628}\\InProcServer32\\InprocServer32"
              }
            ],
            "repeated": 0,
            "id": 624
          },
          {
            "timestamp": "2026-05-28 22:03:02,754",
            "thread_id": "6264",
            "caller": "0x7ffc756e2e92",
            "parentcaller": "0x7ffc77ba870d",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000032a"
              },
              {
                "name": "ValueName",
                "value": ""
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{A6FF50C0-56C0-71CA-5732-BED303A59628}\\InProcServer32\\(Default)"
              }
            ],
            "repeated": 0,
            "id": 625
          },
          {
            "timestamp": "2026-05-28 22:03:02,754",
            "thread_id": "6264",
            "caller": "0x7ffc756e2e92",
            "parentcaller": "0x7ffc77ba87bc",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000032a"
              },
              {
                "name": "ValueName",
                "value": ""
              },
              {
                "name": "Data",
                "value": "C:\\Windows\\System32\\OneCoreCommonProxyStub.dll"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{A6FF50C0-56C0-71CA-5732-BED303A59628}\\InProcServer32\\(Default)"
              }
            ],
            "repeated": 0,
            "id": 626
          },
          {
            "timestamp": "2026-05-28 22:03:02,754",
            "thread_id": "6264",
            "caller": "0x7ffc756e2e92",
            "parentcaller": "0x7ffc77ba8d32",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000032a"
              },
              {
                "name": "ValueName",
                "value": "ThreadingModel"
              },
              {
                "name": "Data",
                "value": "Both"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{A6FF50C0-56C0-71CA-5732-BED303A59628}\\InProcServer32\\ThreadingModel"
              }
            ],
            "repeated": 0,
            "id": 627
          },
          {
            "timestamp": "2026-05-28 22:03:02,754",
            "thread_id": "6264",
            "caller": "0x7ffc77ba855f",
            "parentcaller": "0x7ffc77ba829e",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000032a"
              }
            ],
            "repeated": 0,
            "id": 628
          },
          {
            "timestamp": "2026-05-28 22:03:02,754",
            "thread_id": "6264",
            "caller": "0x7ffc756e45a7",
            "parentcaller": "0x7ffc756e0705",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000032e"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\CLSID\\{A6FF50C0-56C0-71CA-5732-BED303A59628}"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 629
          },
          {
            "timestamp": "2026-05-28 22:03:02,754",
            "thread_id": "6264",
            "caller": "0x7ffc756e2314",
            "parentcaller": "0x7ffc756e0732",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000032e"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 630
          },
          {
            "timestamp": "2026-05-28 22:03:02,754",
            "thread_id": "6264",
            "caller": "0x7ffc78006c8b",
            "parentcaller": "0x7ffc756e23a0",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xf0\\xb7\\x9f\\x1b\\x9b\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xfc\\x7f\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\xe9\\x03\\x00\\x00\\xfc\\x7f\\x00\\x00\\xb8\\xcf\\xd93\\xfc\\x7f\\x00\\x00.\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\xe0\\xd2\\xd93\\xfc\\x7f\\x00\\x00\\x04\\x00\\x00\\x00\\x9b\\x00\\x00\\x00\\xf0\\xb8\\x9f\\x1b\\x9b\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 631
          },
          {
            "timestamp": "2026-05-28 22:03:02,754",
            "thread_id": "6264",
            "caller": "0x7ffc756e24a8",
            "parentcaller": "0x7ffc756e0732",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3968686040-3210279463-847977608-1001_Classes\\CLSID\\{A6FF50C0-56C0-71CA-5732-BED303A59628}\\InprocHandler32"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{A6FF50C0-56C0-71CA-5732-BED303A59628}\\InprocHandler32"
              }
            ],
            "repeated": 0,
            "id": 632
          },
          {
            "timestamp": "2026-05-28 22:03:02,754",
            "thread_id": "6264",
            "caller": "0x7ffc756e40c4",
            "parentcaller": "0x7ffc756e25c4",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000032e"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 633
          },
          {
            "timestamp": "2026-05-28 22:03:02,754",
            "thread_id": "6264",
            "caller": "0x7ffc756e25e2",
            "parentcaller": "0x7ffc756e0732",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x0000032e"
              },
              {
                "name": "ObjectAttributesName",
                "value": "InprocHandler32"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{A6FF50C0-56C0-71CA-5732-BED303A59628}\\InprocHandler32"
              }
            ],
            "repeated": 0,
            "id": 634
          },
          {
            "timestamp": "2026-05-28 22:03:02,754",
            "thread_id": "6264",
            "caller": "0x7ffc756e45a7",
            "parentcaller": "0x7ffc756e0705",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000032e"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\CLSID\\{A6FF50C0-56C0-71CA-5732-BED303A59628}"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 635
          },
          {
            "timestamp": "2026-05-28 22:03:02,754",
            "thread_id": "6264",
            "caller": "0x7ffc756e2314",
            "parentcaller": "0x7ffc756e0732",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000032e"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 636
          },
          {
            "timestamp": "2026-05-28 22:03:02,754",
            "thread_id": "6264",
            "caller": "0x7ffc78006c8b",
            "parentcaller": "0x7ffc756e23a0",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "\\xf0\\xb7\\x9f\\x1b\\x9b\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xfc\\x7f\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\xe9\\x03\\x00\\x00\\xfc\\x7f\\x00\\x00\\xb8\\xcf\\xd93\\xfc\\x7f\\x00\\x00.\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\xe0\\xd2\\xd93\\xfc\\x7f\\x00\\x00\\x04\\x00\\x00\\x00\\x9b\\x00\\x00\\x00\\xf0\\xb8\\x9f\\x1b\\x9b\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 637
          },
          {
            "timestamp": "2026-05-28 22:03:02,754",
            "thread_id": "6264",
            "caller": "0x7ffc756e24a8",
            "parentcaller": "0x7ffc756e0732",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3968686040-3210279463-847977608-1001_Classes\\CLSID\\{A6FF50C0-56C0-71CA-5732-BED303A59628}\\InprocHandler"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{A6FF50C0-56C0-71CA-5732-BED303A59628}\\InprocHandler"
              }
            ],
            "repeated": 0,
            "id": 638
          },
          {
            "timestamp": "2026-05-28 22:03:02,754",
            "thread_id": "6264",
            "caller": "0x7ffc756e40c4",
            "parentcaller": "0x7ffc756e25c4",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000032e"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 639
          },
          {
            "timestamp": "2026-05-28 22:03:02,754",
            "thread_id": "6264",
            "caller": "0x7ffc756e25e2",
            "parentcaller": "0x7ffc756e0732",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x0000032e"
              },
              {
                "name": "ObjectAttributesName",
                "value": "InprocHandler"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{A6FF50C0-56C0-71CA-5732-BED303A59628}\\InprocHandler"
              }
            ],
            "repeated": 0,
            "id": 640
          },
          {
            "timestamp": "2026-05-28 22:03:02,754",
            "thread_id": "6264",
            "caller": "0x7ffc77baab08",
            "parentcaller": "0x7ffc77baa7d9",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x0000032e"
              },
              {
                "name": "SubKey",
                "value": "LocalServer32"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{A6FF50C0-56C0-71CA-5732-BED303A59628}\\LocalServer32"
              }
            ],
            "repeated": 0,
            "id": 641
          },
          {
            "timestamp": "2026-05-28 22:03:02,754",
            "thread_id": "6264",
            "caller": "0x7ffc756e2e92",
            "parentcaller": "0x7ffc77baa825",
            "category": "registry",
            "api": "RegQueryValueExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000032e"
              },
              {
                "name": "ValueName",
                "value": "AppID"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{A6FF50C0-56C0-71CA-5732-BED303A59628}\\AppID"
              }
            ],
            "repeated": 0,
            "id": 642
          },
          {
            "timestamp": "2026-05-28 22:03:02,754",
            "thread_id": "6264",
            "caller": "0x7ffc756e45a7",
            "parentcaller": "0x7ffc756e0705",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000032e"
              },
              {
                "name": "KeyInformation",
                "value": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\CLSID\\{A6FF50C0-56C0-71CA-5732-BED303A59628}"
              },
              {
                "name": "KeyInformationClass",
                "value": "3"
              }
            ],
            "repeated": 0,
            "id": 643
          },
          {
            "timestamp": "2026-05-28 22:03:02,754",
            "thread_id": "6264",
            "caller": "0x7ffc756e2314",
            "parentcaller": "0x7ffc756e0732",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000032e"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 644
          },
          {
            "timestamp": "2026-05-28 22:03:02,754",
            "thread_id": "6264",
            "caller": "0x7ffc78006c8b",
            "parentcaller": "0x7ffc756e23a0",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "1"
              },
              {
                "name": "TokenInformation",
                "value": "0\\xb7\\x9f\\x1b\\x9b\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xfc\\x7f\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\xe9\\x03\\x00\\x00\\xfc\\x7f\\x00\\x00\\xb8\\xcf\\xd93\\xfc\\x7f\\x00\\x00.\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\xe0\\xd2\\xd93\\xfc\\x7f\\x00\\x00\\x04\\x00\\x00\\x00\\x9b\\x00\\x00\\x000\\xb8\\x9f\\x1b\\x9b\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 645
          },
          {
            "timestamp": "2026-05-28 22:03:02,754",
            "thread_id": "6264",
            "caller": "0x7ffc756e24a8",
            "parentcaller": "0x7ffc756e0732",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\REGISTRY\\USER\\S-1-5-21-3968686040-3210279463-847977608-1001_Classes\\CLSID\\{A6FF50C0-56C0-71CA-5732-BED303A59628}\\LocalServer"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{A6FF50C0-56C0-71CA-5732-BED303A59628}\\LocalServer"
              }
            ],
            "repeated": 0,
            "id": 646
          },
          {
            "timestamp": "2026-05-28 22:03:02,754",
            "thread_id": "6264",
            "caller": "0x7ffc756e40c4",
            "parentcaller": "0x7ffc756e25c4",
            "category": "registry",
            "api": "NtQueryKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x0000032e"
              },
              {
                "name": "KeyInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "KeyInformationClass",
                "value": "7"
              }
            ],
            "repeated": 0,
            "id": 647
          },
          {
            "timestamp": "2026-05-28 22:03:02,754",
            "thread_id": "6264",
            "caller": "0x7ffc756e25e2",
            "parentcaller": "0x7ffc756e0732",
            "category": "registry",
            "api": "NtOpenKeyEx",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000001",
                "pretty_value": "KEY_QUERY_VALUE"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x0000032e"
              },
              {
                "name": "ObjectAttributesName",
                "value": "LocalServer"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{A6FF50C0-56C0-71CA-5732-BED303A59628}\\LocalServer"
              }
            ],
            "repeated": 0,
            "id": 648
          },
          {
            "timestamp": "2026-05-28 22:03:02,754",
            "thread_id": "6264",
            "caller": "0x7ffc77baad16",
            "parentcaller": "0x7ffc77ba83b8",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000232"
              },
              {
                "name": "SubKey",
                "value": "CLSID\\{A6FF50C0-56C0-71CA-5732-BED303A59628}"
              },
              {
                "name": "Handle",
                "value": "0x0000032a"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{A6FF50C0-56C0-71CA-5732-BED303A59628}"
              }
            ],
            "repeated": 0,
            "id": 649
          },
          {
            "timestamp": "2026-05-28 22:03:02,754",
            "thread_id": "6264",
            "caller": "0x7ffc77baad4d",
            "parentcaller": "0x7ffc77ba83b8",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x0000032a"
              },
              {
                "name": "SubKey",
                "value": "Elevation"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{A6FF50C0-56C0-71CA-5732-BED303A59628}\\Elevation"
              }
            ],
            "repeated": 0,
            "id": 650
          },
          {
            "timestamp": "2026-05-28 22:03:02,754",
            "thread_id": "6264",
            "caller": "0x7ffc77baadb1",
            "parentcaller": "0x7ffc77ba83b8",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000032a"
              }
            ],
            "repeated": 0,
            "id": 651
          },
          {
            "timestamp": "2026-05-28 22:03:02,754",
            "thread_id": "6264",
            "caller": "0x7ffc77ba8010",
            "parentcaller": "0x7ffc77ba53d4",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000032e"
              }
            ],
            "repeated": 0,
            "id": 652
          },
          {
            "timestamp": "2026-05-28 22:03:02,754",
            "thread_id": "6264",
            "caller": "0x7ffc77ba22bf",
            "parentcaller": "0x7ffc77ba25e9",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x00000252"
              },
              {
                "name": "SubKey",
                "value": "CLSID\\{A6FF50C0-56C0-71CA-5732-BED303A59628}"
              },
              {
                "name": "Handle",
                "value": "0x0000032e"
              },
              {
                "name": "FullName",
                "value": "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{A6FF50C0-56C0-71CA-5732-BED303A59628}"
              }
            ],
            "repeated": 0,
            "id": 653
          },
          {
            "timestamp": "2026-05-28 22:03:02,754",
            "thread_id": "6264",
            "caller": "0x7ffc77c1f8f8",
            "parentcaller": "0x7ffc77ba213b",
            "category": "registry",
            "api": "RegOpenKeyExW",
            "status": false,
            "return": "0x00000002",
            "arguments": [
              {
                "name": "Registry",
                "value": "0x0000032e"
              },
              {
                "name": "SubKey",
                "value": "TreatAs"
              },
              {
                "name": "Handle",
                "value": "0x00000000"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{A6FF50C0-56C0-71CA-5732-BED303A59628}\\TreatAs"
              }
            ],
            "repeated": 0,
            "id": 654
          },
          {
            "timestamp": "2026-05-28 22:03:02,754",
            "thread_id": "6264",
            "caller": "0x7ffc77ba2160",
            "parentcaller": "0x7ffc77b99277",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000032e"
              }
            ],
            "repeated": 0,
            "id": 655
          },
          {
            "timestamp": "2026-05-28 22:03:02,754",
            "thread_id": "6264",
            "caller": "0x7ffc756d30ce",
            "parentcaller": "0x7ffc77c22cd1",
            "category": "system",
            "api": "GetSystemTimeAsFileTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 656
          },
          {
            "timestamp": "2026-05-28 22:03:02,754",
            "thread_id": "6264",
            "caller": "0x7ffc756d30ce",
            "parentcaller": "0x7ffc77c22cd1",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000248"
              },
              {
                "name": "Milliseconds",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 657
          },
          {
            "timestamp": "2026-05-28 22:03:02,754",
            "thread_id": "6264",
            "caller": "0x7ffc756e56b2",
            "parentcaller": "0x7ffc77bc6b6d",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\System32\\OneCoreCommonProxyStub"
              },
              {
                "name": "DllBase",
                "value": "0x7ffc66790000"
              }
            ],
            "repeated": 0,
            "id": 658
          },
          {
            "timestamp": "2026-05-28 22:03:02,785",
            "thread_id": "6264",
            "caller": "0x7ffc756e56b2",
            "parentcaller": "0x7ffc77bc6b6d",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\OneCoreCommonProxyStub.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc66790000"
              }
            ],
            "repeated": 0,
            "id": 659
          },
          {
            "timestamp": "2026-05-28 22:03:02,785",
            "thread_id": "6264",
            "caller": "0x7ffc756e56b2",
            "parentcaller": "0x7ffc77bc6b6d",
            "category": "system",
            "api": "LoadLibraryExW",
            "status": true,
            "return": "0x7ffc66790000",
            "arguments": [
              {
                "name": "lpLibFileName",
                "value": "C:\\Windows\\System32\\OneCoreCommonProxyStub.dll"
              },
              {
                "name": "dwFlags",
                "value": "0x00002008"
              }
            ],
            "repeated": 0,
            "id": 660
          },
          {
            "timestamp": "2026-05-28 22:03:02,785",
            "thread_id": "6264",
            "caller": "0x7ffc756eac31",
            "parentcaller": "0x7ffc77bc6acf",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "OneCoreCommonProxyStub.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc66790000"
              },
              {
                "name": "FunctionName",
                "value": "DllGetClassObject"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc66793830"
              }
            ],
            "repeated": 0,
            "id": 661
          },
          {
            "timestamp": "2026-05-28 22:03:02,785",
            "thread_id": "6264",
            "caller": "0x7ffc756eac31",
            "parentcaller": "0x7ffc77bc6ae8",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": false,
            "return": "0xffffffffc0000139",
            "pretty_return": "ENTRYPOINT_NOT_FOUND",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "OneCoreCommonProxyStub.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc66790000"
              },
              {
                "name": "FunctionName",
                "value": "DllGetActivationFactory"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 662
          },
          {
            "timestamp": "2026-05-28 22:03:02,785",
            "thread_id": "6264",
            "caller": "0x7ffc756eac31",
            "parentcaller": "0x7ffc77bc6b08",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "OneCoreCommonProxyStub.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc66790000"
              },
              {
                "name": "FunctionName",
                "value": "DllCanUnloadNow"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc66793890"
              }
            ],
            "repeated": 0,
            "id": 663
          },
          {
            "timestamp": "2026-05-28 22:03:02,785",
            "thread_id": "6264",
            "caller": "0x7ffc78013f7a",
            "parentcaller": "0x7ffc770b0ed7",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "29"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 664
          },
          {
            "timestamp": "2026-05-28 22:03:02,785",
            "thread_id": "6264",
            "caller": "0x7ffc770b0cd1",
            "parentcaller": "0x7ffc770af28f",
            "category": "filesystem",
            "api": "NtOpenDirectoryObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "DirectoryHandle",
                "value": "0x0000032c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020001",
                "pretty_value": "FILE_READ_ACCESS|READ_CONTROL"
              },
              {
                "name": "ObjectAttributes",
                "value": "C:\\RPC Control"
              }
            ],
            "repeated": 0,
            "id": 665
          },
          {
            "timestamp": "2026-05-28 22:03:02,785",
            "thread_id": "6264",
            "caller": "0x7ffc7572026b",
            "parentcaller": "0x7ffc770b0daf",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x00000328"
              }
            ],
            "repeated": 0,
            "id": 666
          },
          {
            "timestamp": "2026-05-28 22:03:02,785",
            "thread_id": "6264",
            "caller": "0x7ffc78008cde",
            "parentcaller": "0x7ffc78049c4e",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "10"
              },
              {
                "name": "TokenInformation",
                "value": "\\xdc\\xad\\x0b\\x00\\x00\\x00\\x00\\x00]Y\\x02\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x7f\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x94\\x0f\\x00\\x00\\x0e\\x00\\x00\\x00\\x18\\x00\\x00\\x00\\xbcY\\x02\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 667
          },
          {
            "timestamp": "2026-05-28 22:03:02,785",
            "thread_id": "6264",
            "caller": "0x7ffc78036e46",
            "parentcaller": "0x7ffc78008d8f",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "4"
              },
              {
                "name": "TokenInformation",
                "value": "\\x98\n\\xe8$\\xf3\\x01\\x00\\x00\\x01\\x02\\x00\\x00\\x00\\x00\\x00\\x05 \\x00\\x00\\x00 \\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 668
          },
          {
            "timestamp": "2026-05-28 22:03:02,785",
            "thread_id": "6264",
            "caller": "0x7ffc78036e9b",
            "parentcaller": "0x7ffc78008d8f",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "25"
              },
              {
                "name": "TokenInformation",
                "value": "`\\x02\\xe8$\\xf3\\x01\\x00\\x00`\\x00\\x00\\x00\\x00\\x00\\x00\\x05\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x10\\x000\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 669
          },
          {
            "timestamp": "2026-05-28 22:03:02,785",
            "thread_id": "6264",
            "caller": "0x7ffc78036ec0",
            "parentcaller": "0x7ffc78008d8f",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "5"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 670
          },
          {
            "timestamp": "2026-05-28 22:03:02,785",
            "thread_id": "6264",
            "caller": "0x7ffc78036f0e",
            "parentcaller": "0x7ffc78008d8f",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "5"
              },
              {
                "name": "TokenInformation",
                "value": "H\\xad\\xe8$\\xf3\\x01\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\x01\\x02\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 671
          },
          {
            "timestamp": "2026-05-28 22:03:02,785",
            "thread_id": "6264",
            "caller": "0x7ffc78036f37",
            "parentcaller": "0x7ffc78008d8f",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "6"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 672
          },
          {
            "timestamp": "2026-05-28 22:03:02,785",
            "thread_id": "6264",
            "caller": "0x7ffc78036f8f",
            "parentcaller": "0x7ffc78008d8f",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "6"
              },
              {
                "name": "TokenInformation",
                "value": "\\xf8\r\\xe8$\\xf3\\x01\\x00\\x00\\x02\\x00P\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x18\\x00\\x00\\x00\\x00\\x10\\x01\\x02\\x00\\x00\\x00\\x00\\x00\\x05 \\x00\\x00\\x00 \\x02\\x00\\x00\\x00\\x00\\x14\\x00\\x00\\x00\\x00\\x10\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x05\\x12\\x00\\x00\\x00\\x00\\x00\\x1c\\x00\\x00\\x00\\x00\\xa0\\x01\\x03\\x00\\x00\\x00\\x00\\x00\\x05\\x05\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xc7X\\x02\\x00"
              }
            ],
            "repeated": 0,
            "id": 673
          },
          {
            "timestamp": "2026-05-28 22:03:02,785",
            "thread_id": "6264",
            "caller": "0x7ffc78037048",
            "parentcaller": "0x7ffc78036fa8",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "41"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00X@\\xdd3\\xfc\\x7f\\x00\\x00\\xebP\\xb53\\xfc\\x7f\\x00\\x00@\\xc8q\\x937L\\x00\\x00(N\\xd93\\xfc\\x7f\\x00\\x00\\xf0\\xca\\x9f\\x1b\\x9b\\x00\\x00\\x00\\xe8\\xca\\x9f\\x1b\\x9b\\x00\\x00\\x00\\xb8\\xca\\x9f\\x1b\\x9b\\x00\\x00\\x00\\xd8\\xca\\x9f\\x1b"
              }
            ],
            "repeated": 0,
            "id": 674
          },
          {
            "timestamp": "2026-05-28 22:03:02,785",
            "thread_id": "6264",
            "caller": "0x7ffc7803707b",
            "parentcaller": "0x7ffc78036fa8",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "41"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xf0\r\\xe8$\\xf3\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xd9\\xd8\\xb63\\xfc\\x7f\\x00\\x00#\\x00\\x00\\xc0\\x00\\x00\\x00\\x00\\xd8\\xc8\\x9f\\x1b\\x9b\\x00\\x00\\x00(\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x9a\\x00\\x1f8\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x86\\xa2\\xd93"
              }
            ],
            "repeated": 0,
            "id": 675
          },
          {
            "timestamp": "2026-05-28 22:03:02,785",
            "thread_id": "6264",
            "caller": "0x7ffc78008cde",
            "parentcaller": "0x7ffc7800953a",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "10"
              },
              {
                "name": "TokenInformation",
                "value": "\\xdc\\xad\\x0b\\x00\\x00\\x00\\x00\\x00]Y\\x02\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x7f\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x94\\x0f\\x00\\x00\\x0e\\x00\\x00\\x00\\x18\\x00\\x00\\x00\\xbcY\\x02\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 676
          },
          {
            "timestamp": "2026-05-28 22:03:02,785",
            "thread_id": "6264",
            "caller": "0x7ffc78036e46",
            "parentcaller": "0x7ffc78008d8f",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "4"
              },
              {
                "name": "TokenInformation",
                "value": "\\xb8\\x02\\xe8$\\xf3\\x01\\x00\\x00\\x01\\x02\\x00\\x00\\x00\\x00\\x00\\x05 \\x00\\x00\\x00 \\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 677
          },
          {
            "timestamp": "2026-05-28 22:03:02,785",
            "thread_id": "6264",
            "caller": "0x7ffc78036e9b",
            "parentcaller": "0x7ffc78008d8f",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "25"
              },
              {
                "name": "TokenInformation",
                "value": " \\x03\\xe8$\\xf3\\x01\\x00\\x00`\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x10\\x000\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 678
          },
          {
            "timestamp": "2026-05-28 22:03:02,785",
            "thread_id": "6264",
            "caller": "0x7ffc78036ec0",
            "parentcaller": "0x7ffc78008d8f",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "5"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 679
          },
          {
            "timestamp": "2026-05-28 22:03:02,785",
            "thread_id": "6264",
            "caller": "0x7ffc78036f0e",
            "parentcaller": "0x7ffc78008d8f",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "5"
              },
              {
                "name": "TokenInformation",
                "value": "\\xc8\\xae\\xe8$\\xf3\\x01\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00\\xd8W\\x8d\\xec'\\xfaX\\xbf\\x88\\x1c\\x8b2\\x01\\x02\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 680
          },
          {
            "timestamp": "2026-05-28 22:03:02,785",
            "thread_id": "6264",
            "caller": "0x7ffc78036f37",
            "parentcaller": "0x7ffc78008d8f",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": false,
            "return": "0xffffffffc0000023",
            "pretty_return": "BUFFER_TOO_SMALL",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "6"
              },
              {
                "name": "TokenInformation",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 681
          },
          {
            "timestamp": "2026-05-28 22:03:02,785",
            "thread_id": "6264",
            "caller": "0x7ffc78036f8f",
            "parentcaller": "0x7ffc78008d8f",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "6"
              },
              {
                "name": "TokenInformation",
                "value": "8\\x04\\xe8$\\xf3\\x01\\x00\\x00\\x02\\x00P\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x18\\x00\\x00\\x00\\x00\\x10\\x01\\x02\\x00\\x00\\x00\\x00\\x00\\x05 \\x00\\x00\\x00 \\x02\\x00\\x00\\x00\\x00\\x14\\x00\\x00\\x00\\x00\\x10\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x05\\x12\\x00\\x00\\x00\\x00\\x00\\x1c\\x00\\x00\\x00\\x00\\xa0\\x01\\x03\\x00\\x00\\x00\\x00\\x00\\x05\\x05\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xc7X\\x02\\x00"
              }
            ],
            "repeated": 0,
            "id": 682
          },
          {
            "timestamp": "2026-05-28 22:03:02,785",
            "thread_id": "6264",
            "caller": "0x7ffc78037048",
            "parentcaller": "0x7ffc78036fa8",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "41"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00X@\\xdd3\\xfc\\x7f\\x00\\x00\\xebP\\xb53\\xfc\\x7f\\x00\\x00\\xe0\\xb4q\\x937L\\x00\\x00(N\\xd93\\xfc\\x7f\\x00\\x00P\\xc7\\x9f\\x1b\\x9b\\x00\\x00\\x00H\\xc7\\x9f\\x1b\\x9b\\x00\\x00\\x00\\x18\\xc7\\x9f\\x1b\\x9b\\x00\\x00\\x008\\xc7\\x9f\\x1b"
              }
            ],
            "repeated": 0,
            "id": 683
          },
          {
            "timestamp": "2026-05-28 22:03:02,785",
            "thread_id": "6264",
            "caller": "0x7ffc7803707b",
            "parentcaller": "0x7ffc78036fa8",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "41"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x000\\x04\\xe8$\\xf3\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xd9\\xd8\\xb63\\xfc\\x7f\\x00\\x00#\\x00\\x00\\xc0\\x00\\x00\\x00\\x008\\xc5\\x9f\\x1b\\x9b\\x00\\x00\\x00(\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x9a\\x00\\x1f8\\xfc\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x86\\xa2\\xd93"
              }
            ],
            "repeated": 0,
            "id": 684
          },
          {
            "timestamp": "2026-05-28 22:03:02,785",
            "thread_id": "6264",
            "caller": "0x7ffc756e6785",
            "parentcaller": "0x7ffc770b0e27",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000032c"
              }
            ],
            "repeated": 0,
            "id": 685
          },
          {
            "timestamp": "2026-05-28 22:03:02,785",
            "thread_id": "6264",
            "caller": "0x7ffc756e6785",
            "parentcaller": "0x7ffc770b0e49",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000328"
              }
            ],
            "repeated": 0,
            "id": 686
          },
          {
            "timestamp": "2026-05-28 22:03:02,785",
            "thread_id": "3228",
            "caller": "0x7ffc75716f4c",
            "parentcaller": "0x7ffc770cef53",
            "category": "system",
            "api": "NtDuplicateObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SourceProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "SourceHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "TargetProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "TargetHandle",
                "value": "0x00000330"
              },
              {
                "name": "Options",
                "value": "0x00000002"
              }
            ],
            "repeated": 0,
            "id": 687
          },
          {
            "timestamp": "2026-05-28 22:03:02,785",
            "thread_id": "3340",
            "caller": "0x7ffc77fde715",
            "parentcaller": "0x7ffc77fde37b",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x1f324e90000"
              },
              {
                "name": "RegionSize",
                "value": "0x00002000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 688
          },
          {
            "timestamp": "2026-05-28 22:03:02,785",
            "thread_id": "3340",
            "caller": "0x7ffc78017830",
            "parentcaller": "0x7ffc780020f9",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc1a082000"
              },
              {
                "name": "ModuleName",
                "value": "domgmt.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 689
          },
          {
            "timestamp": "2026-05-28 22:03:02,785",
            "thread_id": "3340",
            "caller": "0x7ffc78017881",
            "parentcaller": "0x7ffc780020f9",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc1a082000"
              },
              {
                "name": "ModuleName",
                "value": "domgmt.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 690
          },
          {
            "timestamp": "2026-05-28 22:03:02,785",
            "thread_id": "3340",
            "caller": "0x7ffc780067b9",
            "parentcaller": "0x7ffc7571ced6",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000334"
              }
            ],
            "repeated": 0,
            "id": 691
          },
          {
            "timestamp": "2026-05-28 22:03:02,785",
            "thread_id": "3340",
            "caller": "0x7ffc770e1630",
            "parentcaller": "0x7ffc770e12cd",
            "category": "system",
            "api": "NtQuerySystemTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 692
          },
          {
            "timestamp": "2026-05-28 22:03:02,801",
            "thread_id": "3340",
            "caller": "0x7ffc77be92b9",
            "parentcaller": "0x7ffc77c2224d",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "00000339-0000-0000-C000-000000000046"
              },
              {
                "name": "ClsContext",
                "value": "0x00000403",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER|CLSCTX_NO_CODE_DOWNLOAD"
              },
              {
                "name": "riid",
                "value": "00000003-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 693
          },
          {
            "timestamp": "2026-05-28 22:03:02,801",
            "thread_id": "3340",
            "caller": "0x7ffc1a00e2ec",
            "parentcaller": "0x7ffc7711b583",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "5B99FA76-721C-423C-ADAC-56D03C8A8007"
              },
              {
                "name": "ClsContext",
                "value": "0x00000004",
                "pretty_value": "CLSCTX_LOCAL_SERVER"
              },
              {
                "name": "riid",
                "value": "6692FD56-3B9B-433A-AC04-3FFB442556DD"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 694
          },
          {
            "timestamp": "2026-05-28 22:03:02,801",
            "thread_id": "3340",
            "caller": "0x7ffc78013f7a",
            "parentcaller": "0x7ffc770b0ed7",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "29"
              },
              {
                "name": "TokenInformation",
                "value": "\\x00\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 695
          },
          {
            "timestamp": "2026-05-28 22:03:02,816",
            "thread_id": "3340",
            "caller": "0x7ffc770e1630",
            "parentcaller": "0x7ffc770e12cd",
            "category": "system",
            "api": "NtQuerySystemTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 696
          },
          {
            "timestamp": "2026-05-28 22:03:02,816",
            "thread_id": "3340",
            "caller": "0x7ffc78017830",
            "parentcaller": "0x7ffc780020f9",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc771be000"
              },
              {
                "name": "ModuleName",
                "value": "RPCRT4.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 697
          },
          {
            "timestamp": "2026-05-28 22:03:02,816",
            "thread_id": "3340",
            "caller": "0x7ffc78017881",
            "parentcaller": "0x7ffc780020f9",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc771be000"
              },
              {
                "name": "ModuleName",
                "value": "RPCRT4.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 698
          },
          {
            "timestamp": "2026-05-28 22:03:02,816",
            "thread_id": "3340",
            "caller": "0x7ffc770a7be3",
            "parentcaller": "0x7ffc770e15ab",
            "category": "system",
            "api": "NtQuerySystemTime",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 1,
            "id": 699
          },
          {
            "timestamp": "2026-05-28 22:03:02,832",
            "thread_id": "9720",
            "caller": "0x7ff699df116a",
            "parentcaller": "0x7ff699df1466",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000220"
              },
              {
                "name": "Milliseconds",
                "value": "5000"
              }
            ],
            "repeated": 0,
            "id": 700
          },
          {
            "timestamp": "2026-05-28 22:03:07,848",
            "thread_id": "9720",
            "caller": "0x7ff699df1176",
            "parentcaller": "0x7ff699df1466",
            "category": "windows",
            "api": "PostThreadMessageW",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "ProcessId",
                "value": "9716"
              },
              {
                "name": "ThreadId",
                "value": "5468"
              },
              {
                "name": "Message",
                "value": "1033"
              }
            ],
            "repeated": 0,
            "id": 701
          },
          {
            "timestamp": "2026-05-28 22:03:07,848",
            "thread_id": "9720",
            "caller": "0x7ff699df1176",
            "parentcaller": "0x7ff699df1466",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000284"
              },
              {
                "name": "Milliseconds",
                "value": "18446744073709551615"
              },
              {
                "name": "Status",
                "value": "Infinite"
              }
            ],
            "repeated": 0,
            "id": 702
          },
          {
            "timestamp": "2026-05-28 22:03:07,848",
            "thread_id": "5468",
            "caller": "0x7ffc756de76a",
            "parentcaller": "0x7ffc77b9ea0e",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "oleaut32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc77330000"
              }
            ],
            "repeated": 0,
            "id": 703
          },
          {
            "timestamp": "2026-05-28 22:03:07,848",
            "thread_id": "5468",
            "caller": "0x7ffc78017830",
            "parentcaller": "0x7ffc780020f9",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc77ea1000"
              },
              {
                "name": "ModuleName",
                "value": "combase.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 704
          },
          {
            "timestamp": "2026-05-28 22:03:07,848",
            "thread_id": "5468",
            "caller": "0x7ffc78017881",
            "parentcaller": "0x7ffc780020f9",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc77ea1000"
              },
              {
                "name": "ModuleName",
                "value": "combase.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 705
          },
          {
            "timestamp": "2026-05-28 22:03:07,848",
            "thread_id": "9720",
            "caller": "0x7ff699df1176",
            "parentcaller": "0x7ff699df1466",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000284"
              }
            ],
            "repeated": 0,
            "id": 706
          },
          {
            "timestamp": "2026-05-28 22:03:07,848",
            "thread_id": "9720",
            "caller": "0x7ff699df1176",
            "parentcaller": "0x7ff699df1466",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000210"
              }
            ],
            "repeated": 0,
            "id": 707
          },
          {
            "timestamp": "2026-05-28 22:03:07,848",
            "thread_id": "9720",
            "caller": "0x7ff699df1176",
            "parentcaller": "0x7ff699df1466",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000218"
              }
            ],
            "repeated": 0,
            "id": 708
          },
          {
            "timestamp": "2026-05-28 22:03:07,848",
            "thread_id": "9720",
            "caller": "0x7ff699df1176",
            "parentcaller": "0x7ff699df1466",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000200"
              }
            ],
            "repeated": 0,
            "id": 709
          },
          {
            "timestamp": "2026-05-28 22:03:07,848",
            "thread_id": "9720",
            "caller": "0x7ff699df1176",
            "parentcaller": "0x7ff699df1466",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000025c"
              }
            ],
            "repeated": 0,
            "id": 710
          },
          {
            "timestamp": "2026-05-28 22:03:07,848",
            "thread_id": "9720",
            "caller": "0x7ff699df1176",
            "parentcaller": "0x7ff699df1466",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000264"
              }
            ],
            "repeated": 0,
            "id": 711
          },
          {
            "timestamp": "2026-05-28 22:03:07,848",
            "thread_id": "5468",
            "caller": "0x7ffc756e6785",
            "parentcaller": "0x7ffc77c12ec5",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000344"
              }
            ],
            "repeated": 0,
            "id": 712
          },
          {
            "timestamp": "2026-05-28 22:03:07,848",
            "thread_id": "5468",
            "caller": "0x7ffc77b9cd6e",
            "parentcaller": "0x7ffc77c12ed4",
            "category": "system",
            "api": "IsDebuggerPresent",
            "status": false,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 713
          },
          {
            "timestamp": "2026-05-28 22:03:07,848",
            "thread_id": "5468",
            "caller": "0x7ffc756e6785",
            "parentcaller": "0x7ffc77c14324",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000288"
              }
            ],
            "repeated": 0,
            "id": 714
          },
          {
            "timestamp": "2026-05-28 22:03:07,848",
            "thread_id": "5468",
            "caller": "0x7ffc7802467e",
            "parentcaller": "0x7ffc7572f79a",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "12"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "5468"
              }
            ],
            "repeated": 0,
            "id": 715
          },
          {
            "timestamp": "2026-05-28 22:03:07,848",
            "thread_id": "5468",
            "caller": "0x7ffc766a15b8",
            "parentcaller": "0x7ffc77fe9a1d",
            "category": "misc",
            "api": "GetKeyboardLayout",
            "status": true,
            "return": "0x04090409",
            "arguments": [
              {
                "name": "KeyboardLayout",
                "value": "0x00000409"
              },
              {
                "name": "LanguageName",
                "value": "English (United States)"
              }
            ],
            "repeated": 0,
            "id": 716
          },
          {
            "timestamp": "2026-05-28 22:03:07,848",
            "thread_id": "5468",
            "caller": "0x7ffc756e6785",
            "parentcaller": "0x7ffc770fe41e",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002a8"
              }
            ],
            "repeated": 0,
            "id": 717
          },
          {
            "timestamp": "2026-05-28 22:03:07,848",
            "thread_id": "5468",
            "caller": "0x7ffc756e6785",
            "parentcaller": "0x7ffc770fe4e4",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002a4"
              }
            ],
            "repeated": 0,
            "id": 718
          },
          {
            "timestamp": "2026-05-28 22:03:07,848",
            "thread_id": "5468",
            "caller": "0x7ffc7802469e",
            "parentcaller": "0x7ffc7572f79a",
            "category": "threading",
            "api": "NtTerminateThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0x00000000"
              },
              {
                "name": "ExitStatus",
                "value": "0x00000000"
              },
              {
                "name": "ThreadId",
                "value": "0"
              },
              {
                "name": "ProcessId",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 719
          },
          {
            "timestamp": "2026-05-28 22:03:07,848",
            "thread_id": "9720",
            "caller": "0x7ff699df1176",
            "parentcaller": "0x7ff699df1466",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000244"
              }
            ],
            "repeated": 0,
            "id": 720
          },
          {
            "timestamp": "2026-05-28 22:03:07,848",
            "thread_id": "9720",
            "caller": "0x7ff699df1176",
            "parentcaller": "0x7ff699df1466",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x1f324e6c000"
              },
              {
                "name": "RegionSize",
                "value": "0x00005000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 721
          },
          {
            "timestamp": "2026-05-28 22:03:07,848",
            "thread_id": "9720",
            "caller": "0x7ff699df1176",
            "parentcaller": "0x7ff699df1466",
            "category": "process",
            "api": "NtFreeVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x1f324e76000"
              },
              {
                "name": "RegionSize",
                "value": "0x00002000"
              },
              {
                "name": "FreeType",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 722
          },
          {
            "timestamp": "2026-05-28 22:03:07,848",
            "thread_id": "9720",
            "caller": "0x7ff699df1176",
            "parentcaller": "0x7ff699df1466",
            "category": "process",
            "api": "NtUnmapViewOfSectionEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x1f326950000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Flags",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 723
          },
          {
            "timestamp": "2026-05-28 22:03:07,848",
            "thread_id": "9720",
            "caller": "0x7ff699df1176",
            "parentcaller": "0x7ff699df1466",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000022c"
              }
            ],
            "repeated": 0,
            "id": 724
          },
          {
            "timestamp": "2026-05-28 22:03:07,848",
            "thread_id": "9720",
            "caller": "0x7ff699df1176",
            "parentcaller": "0x7ff699df1466",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000232"
              }
            ],
            "repeated": 0,
            "id": 725
          },
          {
            "timestamp": "2026-05-28 22:03:07,848",
            "thread_id": "9720",
            "caller": "0x7ff699df1176",
            "parentcaller": "0x7ff699df1466",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "unload"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\System32\\OneCoreCommonProxyStub"
              },
              {
                "name": "DllBase",
                "value": "0x7ffc66790000"
              }
            ],
            "repeated": 0,
            "id": 726
          },
          {
            "timestamp": "2026-05-28 22:03:07,848",
            "thread_id": "9720",
            "caller": "0x7ff699df1176",
            "parentcaller": "0x7ff699df1466",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc66790000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              }
            ],
            "repeated": 0,
            "id": 727
          },
          {
            "timestamp": "2026-05-28 22:03:07,848",
            "thread_id": "9720",
            "caller": "0x7ff699df1176",
            "parentcaller": "0x7ff699df1466",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000230"
              }
            ],
            "repeated": 0,
            "id": 728
          },
          {
            "timestamp": "2026-05-28 22:03:07,848",
            "thread_id": "9720",
            "caller": "0x7ff699df1176",
            "parentcaller": "0x7ff699df1466",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000022c"
              }
            ],
            "repeated": 0,
            "id": 729
          },
          {
            "timestamp": "2026-05-28 22:03:07,848",
            "thread_id": "9720",
            "caller": "0x7ff699df1176",
            "parentcaller": "0x7ff699df1466",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc77fd0000"
              }
            ],
            "repeated": 0,
            "id": 730
          },
          {
            "timestamp": "2026-05-28 22:03:07,848",
            "thread_id": "9720",
            "caller": "0x7ff699df1176",
            "parentcaller": "0x7ff699df1466",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc77fd0000"
              },
              {
                "name": "FunctionName",
                "value": "RtlDllShutdownInProgress"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc78033410"
              }
            ],
            "repeated": 0,
            "id": 731
          },
          {
            "timestamp": "2026-05-28 22:03:07,848",
            "thread_id": "9720",
            "caller": "0x7ff699df1176",
            "parentcaller": "0x7ff699df1466",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "unload"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\system32\\domgmt"
              },
              {
                "name": "DllBase",
                "value": "0x7ffc1a000000"
              }
            ],
            "repeated": 0,
            "id": 732
          },
          {
            "timestamp": "2026-05-28 22:03:07,848",
            "thread_id": "9720",
            "caller": "0x7ff699df1176",
            "parentcaller": "0x7ff699df1466",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002cc"
              }
            ],
            "repeated": 0,
            "id": 733
          },
          {
            "timestamp": "2026-05-28 22:03:07,848",
            "thread_id": "9720",
            "caller": "0x7ff699df1176",
            "parentcaller": "0x7ff699df1466",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002c8"
              }
            ],
            "repeated": 0,
            "id": 734
          },
          {
            "timestamp": "2026-05-28 22:03:07,848",
            "thread_id": "9720",
            "caller": "0x7ff699df1176",
            "parentcaller": "0x7ff699df1466",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002d0"
              }
            ],
            "repeated": 0,
            "id": 735
          },
          {
            "timestamp": "2026-05-28 22:03:07,848",
            "thread_id": "9720",
            "caller": "0x7ff699df1176",
            "parentcaller": "0x7ff699df1466",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "unload"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\system32\\logoncli"
              },
              {
                "name": "DllBase",
                "value": "0x7ffc74ba0000"
              }
            ],
            "repeated": 0,
            "id": 736
          },
          {
            "timestamp": "2026-05-28 22:03:07,848",
            "thread_id": "9720",
            "caller": "0x7ff699df1176",
            "parentcaller": "0x7ff699df1466",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc74ba0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              }
            ],
            "repeated": 0,
            "id": 737
          },
          {
            "timestamp": "2026-05-28 22:03:07,848",
            "thread_id": "9720",
            "caller": "0x7ff699df1176",
            "parentcaller": "0x7ff699df1466",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "unload"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\system32\\netutils"
              },
              {
                "name": "DllBase",
                "value": "0x7ffc74b80000"
              }
            ],
            "repeated": 0,
            "id": 738
          },
          {
            "timestamp": "2026-05-28 22:03:07,848",
            "thread_id": "9720",
            "caller": "0x7ff699df1176",
            "parentcaller": "0x7ff699df1466",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc74b80000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              }
            ],
            "repeated": 0,
            "id": 739
          },
          {
            "timestamp": "2026-05-28 22:03:07,848",
            "thread_id": "9720",
            "caller": "0x7ff699df1176",
            "parentcaller": "0x7ff699df1466",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002d4"
              }
            ],
            "repeated": 0,
            "id": 740
          },
          {
            "timestamp": "2026-05-28 22:03:07,848",
            "thread_id": "9720",
            "caller": "0x7ff699df1176",
            "parentcaller": "0x7ff699df1466",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "unload"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\system32\\dhcpcsvc"
              },
              {
                "name": "DllBase",
                "value": "0x7ffc6e0a0000"
              }
            ],
            "repeated": 0,
            "id": 741
          },
          {
            "timestamp": "2026-05-28 22:03:07,848",
            "thread_id": "9720",
            "caller": "0x7ff699df1176",
            "parentcaller": "0x7ff699df1466",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc6e0a0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              }
            ],
            "repeated": 0,
            "id": 742
          },
          {
            "timestamp": "2026-05-28 22:03:07,848",
            "thread_id": "9720",
            "caller": "0x7ff699df1176",
            "parentcaller": "0x7ff699df1466",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002d8"
              }
            ],
            "repeated": 0,
            "id": 743
          },
          {
            "timestamp": "2026-05-28 22:03:07,848",
            "thread_id": "9720",
            "caller": "0x7ff699df1176",
            "parentcaller": "0x7ff699df1466",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc77fd0000"
              }
            ],
            "repeated": 0,
            "id": 744
          },
          {
            "timestamp": "2026-05-28 22:03:07,848",
            "thread_id": "9720",
            "caller": "0x7ff699df1176",
            "parentcaller": "0x7ff699df1466",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc77fd0000"
              },
              {
                "name": "FunctionName",
                "value": "RtlDllShutdownInProgress"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc78033410"
              }
            ],
            "repeated": 0,
            "id": 745
          },
          {
            "timestamp": "2026-05-28 22:03:07,848",
            "thread_id": "9720",
            "caller": "0x7ff699df1176",
            "parentcaller": "0x7ff699df1466",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "unload"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\system32\\WINHTTP"
              },
              {
                "name": "DllBase",
                "value": "0x7ffc707b0000"
              }
            ],
            "repeated": 0,
            "id": 746
          },
          {
            "timestamp": "2026-05-28 22:03:07,848",
            "thread_id": "9720",
            "caller": "0x7ff699df1176",
            "parentcaller": "0x7ff699df1466",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc707b0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              }
            ],
            "repeated": 0,
            "id": 747
          },
          {
            "timestamp": "2026-05-28 22:03:07,848",
            "thread_id": "9720",
            "caller": "0x7ff699df1176",
            "parentcaller": "0x7ff699df1466",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002dc"
              }
            ],
            "repeated": 0,
            "id": 748
          },
          {
            "timestamp": "2026-05-28 22:03:07,848",
            "thread_id": "9720",
            "caller": "0x7ff699df1176",
            "parentcaller": "0x7ff699df1466",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002e0"
              }
            ],
            "repeated": 0,
            "id": 749
          },
          {
            "timestamp": "2026-05-28 22:03:07,848",
            "thread_id": "9720",
            "caller": "0x7ff699df1176",
            "parentcaller": "0x7ff699df1466",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002e4"
              }
            ],
            "repeated": 0,
            "id": 750
          },
          {
            "timestamp": "2026-05-28 22:03:07,848",
            "thread_id": "9720",
            "caller": "0x7ff699df1176",
            "parentcaller": "0x7ff699df1466",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002e8"
              }
            ],
            "repeated": 0,
            "id": 751
          },
          {
            "timestamp": "2026-05-28 22:03:07,848",
            "thread_id": "9720",
            "caller": "0x7ff699df1176",
            "parentcaller": "0x7ff699df1466",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002ec"
              }
            ],
            "repeated": 0,
            "id": 752
          },
          {
            "timestamp": "2026-05-28 22:03:07,848",
            "thread_id": "9720",
            "caller": "0x7ff699df1176",
            "parentcaller": "0x7ff699df1466",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002f0"
              }
            ],
            "repeated": 0,
            "id": 753
          },
          {
            "timestamp": "2026-05-28 22:03:07,848",
            "thread_id": "9720",
            "caller": "0x7ff699df1176",
            "parentcaller": "0x7ff699df1466",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002f4"
              }
            ],
            "repeated": 0,
            "id": 754
          },
          {
            "timestamp": "2026-05-28 22:03:07,848",
            "thread_id": "9720",
            "caller": "0x7ff699df1176",
            "parentcaller": "0x7ff699df1466",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002f8"
              }
            ],
            "repeated": 0,
            "id": 755
          },
          {
            "timestamp": "2026-05-28 22:03:07,848",
            "thread_id": "9720",
            "caller": "0x7ff699df1176",
            "parentcaller": "0x7ff699df1466",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "unload"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\SYSTEM32\\ntmarta"
              },
              {
                "name": "DllBase",
                "value": "0x7ffc747f0000"
              }
            ],
            "repeated": 0,
            "id": 756
          },
          {
            "timestamp": "2026-05-28 22:03:07,848",
            "thread_id": "9720",
            "caller": "0x7ff699df1176",
            "parentcaller": "0x7ff699df1466",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc747f0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              }
            ],
            "repeated": 0,
            "id": 757
          },
          {
            "timestamp": "2026-05-28 22:03:07,848",
            "thread_id": "9720",
            "caller": "0x7ff699df1176",
            "parentcaller": "0x7ff699df1466",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002fc"
              }
            ],
            "repeated": 0,
            "id": 758
          },
          {
            "timestamp": "2026-05-28 22:03:07,848",
            "thread_id": "9720",
            "caller": "0x7ff699df1176",
            "parentcaller": "0x7ff699df1466",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc77fd0000"
              }
            ],
            "repeated": 0,
            "id": 759
          },
          {
            "timestamp": "2026-05-28 22:03:07,848",
            "thread_id": "9720",
            "caller": "0x7ff699df1176",
            "parentcaller": "0x7ff699df1466",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc77fd0000"
              },
              {
                "name": "FunctionName",
                "value": "RtlDllShutdownInProgress"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc78033410"
              }
            ],
            "repeated": 0,
            "id": 760
          },
          {
            "timestamp": "2026-05-28 22:03:07,848",
            "thread_id": "9720",
            "caller": "0x7ff699df1176",
            "parentcaller": "0x7ff699df1466",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "unload"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\System32\\shcore"
              },
              {
                "name": "DllBase",
                "value": "0x7ffc775b0000"
              }
            ],
            "repeated": 0,
            "id": 761
          },
          {
            "timestamp": "2026-05-28 22:03:07,848",
            "thread_id": "9720",
            "caller": "0x7ff699df1176",
            "parentcaller": "0x7ff699df1466",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc775b0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              }
            ],
            "repeated": 0,
            "id": 762
          },
          {
            "timestamp": "2026-05-28 22:03:07,848",
            "thread_id": "9720",
            "caller": "0x7ff699df1176",
            "parentcaller": "0x7ff699df1466",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000304"
              }
            ],
            "repeated": 0,
            "id": 763
          },
          {
            "timestamp": "2026-05-28 22:03:07,848",
            "thread_id": "9720",
            "caller": "0x7ff699df1176",
            "parentcaller": "0x7ff699df1466",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc77fd0000"
              }
            ],
            "repeated": 0,
            "id": 764
          },
          {
            "timestamp": "2026-05-28 22:03:07,848",
            "thread_id": "9720",
            "caller": "0x7ff699df1176",
            "parentcaller": "0x7ff699df1466",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc77fd0000"
              },
              {
                "name": "FunctionName",
                "value": "RtlDllShutdownInProgress"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc78033410"
              }
            ],
            "repeated": 0,
            "id": 765
          },
          {
            "timestamp": "2026-05-28 22:03:07,848",
            "thread_id": "9720",
            "caller": "0x7ff699df1176",
            "parentcaller": "0x7ff699df1466",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "unload"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\system32\\USERENV"
              },
              {
                "name": "DllBase",
                "value": "0x7ffc75560000"
              }
            ],
            "repeated": 0,
            "id": 766
          },
          {
            "timestamp": "2026-05-28 22:03:07,848",
            "thread_id": "9720",
            "caller": "0x7ff699df1176",
            "parentcaller": "0x7ff699df1466",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc75560000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              }
            ],
            "repeated": 0,
            "id": 767
          },
          {
            "timestamp": "2026-05-28 22:03:07,848",
            "thread_id": "9720",
            "caller": "0x7ff699df1176",
            "parentcaller": "0x7ff699df1466",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc77fd0000"
              }
            ],
            "repeated": 0,
            "id": 768
          },
          {
            "timestamp": "2026-05-28 22:03:07,848",
            "thread_id": "9720",
            "caller": "0x7ff699df1176",
            "parentcaller": "0x7ff699df1466",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ntdll.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc77fd0000"
              },
              {
                "name": "FunctionName",
                "value": "RtlDllShutdownInProgress"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x7ffc78033410"
              }
            ],
            "repeated": 0,
            "id": 769
          },
          {
            "timestamp": "2026-05-28 22:03:07,848",
            "thread_id": "9720",
            "caller": "0x7ff699df1176",
            "parentcaller": "0x7ff699df1466",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "unload"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\system32\\profapi"
              },
              {
                "name": "DllBase",
                "value": "0x7ffc755e0000"
              }
            ],
            "repeated": 0,
            "id": 770
          },
          {
            "timestamp": "2026-05-28 22:03:07,848",
            "thread_id": "9720",
            "caller": "0x7ff699df1176",
            "parentcaller": "0x7ff699df1466",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc755e0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              }
            ],
            "repeated": 0,
            "id": 771
          },
          {
            "timestamp": "2026-05-28 22:03:07,848",
            "thread_id": "9720",
            "caller": "0x7ff699df1176",
            "parentcaller": "0x7ff699df1466",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "unload"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\system32\\XmlLite"
              },
              {
                "name": "DllBase",
                "value": "0x7ffc711f0000"
              }
            ],
            "repeated": 0,
            "id": 772
          },
          {
            "timestamp": "2026-05-28 22:03:07,848",
            "thread_id": "9720",
            "caller": "0x7ff699df1176",
            "parentcaller": "0x7ff699df1466",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc711f0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              }
            ],
            "repeated": 0,
            "id": 773
          },
          {
            "timestamp": "2026-05-28 22:03:07,848",
            "thread_id": "9720",
            "caller": "0x7ff699df1176",
            "parentcaller": "0x7ff699df1466",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000318"
              }
            ],
            "repeated": 0,
            "id": 774
          },
          {
            "timestamp": "2026-05-28 22:03:07,848",
            "thread_id": "9720",
            "caller": "0x7ff699df1176",
            "parentcaller": "0x7ff699df1466",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000320"
              }
            ],
            "repeated": 0,
            "id": 775
          },
          {
            "timestamp": "2026-05-28 22:03:07,848",
            "thread_id": "9720",
            "caller": "0x7ff699df1176",
            "parentcaller": "0x7ff699df1466",
            "category": "registry",
            "api": "RegCloseKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000324"
              }
            ],
            "repeated": 0,
            "id": 776
          },
          {
            "timestamp": "2026-05-28 22:03:07,848",
            "thread_id": "9720",
            "caller": "0x7ff699df1176",
            "parentcaller": "0x7ff699df1466",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000314"
              }
            ],
            "repeated": 0,
            "id": 777
          },
          {
            "timestamp": "2026-05-28 22:03:07,848",
            "thread_id": "9720",
            "caller": "0x7ff699df1176",
            "parentcaller": "0x7ff699df1466",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000310"
              }
            ],
            "repeated": 0,
            "id": 778
          },
          {
            "timestamp": "2026-05-28 22:03:07,848",
            "thread_id": "9720",
            "caller": "0x7ff699df1176",
            "parentcaller": "0x7ff699df1466",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000030c"
              }
            ],
            "repeated": 0,
            "id": 779
          },
          {
            "timestamp": "2026-05-28 22:03:07,848",
            "thread_id": "9720",
            "caller": "0x7ff699df1176",
            "parentcaller": "0x7ff699df1466",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000308"
              }
            ],
            "repeated": 0,
            "id": 780
          },
          {
            "timestamp": "2026-05-28 22:03:07,848",
            "thread_id": "9720",
            "caller": "0x7ff699df1176",
            "parentcaller": "0x7ff699df1466",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "unload"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\system32\\DNSAPI"
              },
              {
                "name": "DllBase",
                "value": "0x7ffc74ab0000"
              }
            ],
            "repeated": 0,
            "id": 781
          },
          {
            "timestamp": "2026-05-28 22:03:07,848",
            "thread_id": "9720",
            "caller": "0x7ff699df1176",
            "parentcaller": "0x7ff699df1466",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000300"
              }
            ],
            "repeated": 0,
            "id": 782
          },
          {
            "timestamp": "2026-05-28 22:03:07,848",
            "thread_id": "9720",
            "caller": "0x7ff699df1176",
            "parentcaller": "0x7ff699df1466",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "unload"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\system32\\IPHLPAPI"
              },
              {
                "name": "DllBase",
                "value": "0x7ffc74a70000"
              }
            ],
            "repeated": 0,
            "id": 783
          },
          {
            "timestamp": "2026-05-28 22:03:07,848",
            "thread_id": "9720",
            "caller": "0x7ff699df1176",
            "parentcaller": "0x7ff699df1466",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000031c"
              }
            ],
            "repeated": 0,
            "id": 784
          },
          {
            "timestamp": "2026-05-28 22:03:07,848",
            "thread_id": "9720",
            "caller": "0x7ff699df1176",
            "parentcaller": "0x7ff699df1466",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "unload"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\System32\\NSI"
              },
              {
                "name": "DllBase",
                "value": "0x7ffc771d0000"
              }
            ],
            "repeated": 0,
            "id": 785
          },
          {
            "timestamp": "2026-05-28 22:03:07,848",
            "thread_id": "9720",
            "caller": "0x7ff699df1176",
            "parentcaller": "0x7ff699df1466",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc771d0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              }
            ],
            "repeated": 0,
            "id": 786
          },
          {
            "timestamp": "2026-05-28 22:03:07,848",
            "thread_id": "9720",
            "caller": "0x7ff699df1176",
            "parentcaller": "0x7ff699df1466",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc74a70000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              }
            ],
            "repeated": 0,
            "id": 787
          },
          {
            "timestamp": "2026-05-28 22:03:07,848",
            "thread_id": "9720",
            "caller": "0x7ff699df1176",
            "parentcaller": "0x7ff699df1466",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc74ab0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              }
            ],
            "repeated": 0,
            "id": 788
          },
          {
            "timestamp": "2026-05-28 22:03:07,848",
            "thread_id": "9720",
            "caller": "0x7ff699df1176",
            "parentcaller": "0x7ff699df1466",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc1a000000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              }
            ],
            "repeated": 0,
            "id": 789
          },
          {
            "timestamp": "2026-05-28 22:03:07,848",
            "thread_id": "9720",
            "caller": "0x7ff699df1176",
            "parentcaller": "0x7ff699df1466",
            "category": "system",
            "api": "LdrGetDllHandle",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileName",
                "value": "oleaut32.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x7ffc77330000"
              }
            ],
            "repeated": 0,
            "id": 790
          },
          {
            "timestamp": "2026-05-28 22:03:07,848",
            "thread_id": "9720",
            "caller": "0x7ff699df1193",
            "parentcaller": "0x7ff699df1466",
            "category": "process",
            "api": "NtTerminateProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "ExitCode",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 791
          }
        ],
        "threads": [
          "9720",
          "11128",
          "9948",
          "11028",
          "10576",
          "3116",
          "6264",
          "5468",
          "3340",
          "440",
          "3228"
        ],
        "environ": {
          "UserName": "admin",
          "ComputerName": "JOHNS-PC",
          "WindowsPath": "C:\\Windows",
          "TempPath": "C:\\Users\\admin\\AppData\\Local\\Temp\\",
          "CommandLine": "C:\\Windows\\system32\\DllHost.exe /Processid:{338B40F9-9D68-4B53-A793-6B9AA0C5F63B}",
          "RegisteredOwner": "",
          "RegisteredOrganization": "",
          "ProductName": "",
          "SystemVolumeSerialNumber": "12bc-0026",
          "SystemVolumeGUID": "528c102f-0000-0000-0000-300300000000",
          "MachineGUID": "",
          "MainExeBase": "0x7ff699df0000",
          "MainExeSize": "0x00009000",
          "Bitness": "64-bit"
        },
        "file_activities": {
          "read_files": [],
          "write_files": [],
          "delete_files": []
        }
      },
      {
        "process_id": 9816,
        "process_name": "WmiPrvSE.exe",
        "parent_id": 740,
        "module_path": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe",
        "first_seen": "2026-05-28 22:03:01,285",
        "calls": [
          {
            "timestamp": "2026-05-28 22:03:01,598",
            "thread_id": "9648",
            "caller": "0x7ff6209bca74",
            "parentcaller": "0x7ff6209bc74d",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "kernel32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc76030000"
              }
            ],
            "repeated": 0,
            "id": 0
          },
          {
            "timestamp": "2026-05-28 22:03:01,598",
            "thread_id": "9648",
            "caller": "0x7ff6209bca74",
            "parentcaller": "0x7ff6209bc74d",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x0000021c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x80100080",
                "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\Globalization\\Sorting\\sortdefault.nls"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "1",
                "pretty_value": "FILE_SHARE_READ"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000080",
                "pretty_value": "FILE_ATTRIBUTE_NORMAL"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 1
          },
          {
            "timestamp": "2026-05-28 22:03:01,598",
            "thread_id": "9648",
            "caller": "0x7ff6209bca74",
            "parentcaller": "0x7ff6209bc74d",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000220"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2c2ef800000"
              },
              {
                "name": "SectionOffset",
                "value": "0xda5719f270"
              },
              {
                "name": "ViewSize",
                "value": "0x00338000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 2
          },
          {
            "timestamp": "2026-05-28 22:03:01,598",
            "thread_id": "9648",
            "caller": "0x7ff6209bc96b",
            "parentcaller": "0x7ff6209bc762",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100001",
                "pretty_value": "FILE_READ_ACCESS|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\SystemResources\\USER32.dll.mun"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 3
          },
          {
            "timestamp": "2026-05-28 22:03:01,598",
            "thread_id": "9648",
            "caller": "0x7ff6209bc96b",
            "parentcaller": "0x7ff6209bc762",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2c2eda49000"
              },
              {
                "name": "RegionSize",
                "value": "0x00002000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 4
          },
          {
            "timestamp": "2026-05-28 22:03:01,598",
            "thread_id": "9648",
            "caller": "0x7ff6209bc99f",
            "parentcaller": "0x7ff6209bc762",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000001f0"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100001",
                "pretty_value": "FILE_READ_ACCESS|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\en-US\\USER32.dll.mui"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 5
          },
          {
            "timestamp": "2026-05-28 22:03:01,598",
            "thread_id": "9648",
            "caller": "0x7ff6209bc99f",
            "parentcaller": "0x7ff6209bc762",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000220"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2c2ee150000"
              },
              {
                "name": "SectionOffset",
                "value": "0xda5719e6f0"
              },
              {
                "name": "ViewSize",
                "value": "0x00005000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 6
          },
          {
            "timestamp": "2026-05-28 22:03:01,598",
            "thread_id": "9648",
            "caller": "0x7ff6209bc378",
            "parentcaller": "0x7ff6209bb501",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000220"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100001",
                "pretty_value": "FILE_READ_ACCESS|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\rpcss.dll"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 7
          },
          {
            "timestamp": "2026-05-28 22:03:01,598",
            "thread_id": "9648",
            "caller": "0x7ff6209bc378",
            "parentcaller": "0x7ff6209bb501",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000224"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2c2efb40000"
              },
              {
                "name": "SectionOffset",
                "value": "0x00000000"
              },
              {
                "name": "ViewSize",
                "value": "0x00143000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 8
          },
          {
            "timestamp": "2026-05-28 22:03:01,598",
            "thread_id": "9648",
            "caller": "0x7ff6209bc378",
            "parentcaller": "0x7ff6209bb501",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2c2efb40000"
              },
              {
                "name": "RegionSize",
                "value": "0x00143000"
              }
            ],
            "repeated": 0,
            "id": 9
          },
          {
            "timestamp": "2026-05-28 22:03:01,598",
            "thread_id": "9648",
            "caller": "0x7ff6209bc378",
            "parentcaller": "0x7ff6209bb501",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000228"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100021",
                "pretty_value": "FILE_READ_ACCESS|FILE_EXECUTE|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\kernel.appcore.dll"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 10
          },
          {
            "timestamp": "2026-05-28 22:03:01,598",
            "thread_id": "9648",
            "caller": "0x7ff6209bc378",
            "parentcaller": "0x7ff6209bb501",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x0000022c"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc734b0000"
              },
              {
                "name": "SectionOffset",
                "value": "0x00000000"
              },
              {
                "name": "ViewSize",
                "value": "0x00012000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000080",
                "pretty_value": "PAGE_EXECUTE_WRITECOPY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 11
          },
          {
            "timestamp": "2026-05-28 22:03:01,598",
            "thread_id": "9648",
            "caller": "0x7ff6209bc378",
            "parentcaller": "0x7ff6209bb501",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\SYSTEM32\\kernel.appcore"
              },
              {
                "name": "DllBase",
                "value": "0x7ffc734b0000"
              }
            ],
            "repeated": 0,
            "id": 12
          },
          {
            "timestamp": "2026-05-28 22:03:01,644",
            "thread_id": "9648",
            "caller": "0x7ff6209bc378",
            "parentcaller": "0x7ff6209bb501",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x0000022c"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc75fa0000"
              },
              {
                "name": "SectionOffset",
                "value": "0x00000000"
              },
              {
                "name": "ViewSize",
                "value": "0x00082000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000080",
                "pretty_value": "PAGE_EXECUTE_WRITECOPY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 13
          },
          {
            "timestamp": "2026-05-28 22:03:01,644",
            "thread_id": "9648",
            "caller": "0x7ff6209bc378",
            "parentcaller": "0x7ff6209bb501",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\System32\\bcryptPrimitives"
              },
              {
                "name": "DllBase",
                "value": "0x7ffc75fa0000"
              }
            ],
            "repeated": 0,
            "id": 14
          },
          {
            "timestamp": "2026-05-28 22:03:01,691",
            "thread_id": "9648",
            "caller": "0x7ff6209bc378",
            "parentcaller": "0x7ff6209bb501",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000238"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100001",
                "pretty_value": "FILE_READ_ACCESS|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "\\Device\\CNG"
              },
              {
                "name": "ShareAccess",
                "value": "7",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 15
          },
          {
            "timestamp": "2026-05-28 22:03:01,691",
            "thread_id": "9648",
            "caller": "0x7ff6209bc378",
            "parentcaller": "0x7ff6209bb501",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2c2eda4b000"
              },
              {
                "name": "RegionSize",
                "value": "0x00006000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 16
          },
          {
            "timestamp": "2026-05-28 22:03:01,691",
            "thread_id": "9264",
            "caller": "0x7ffc77fde715",
            "parentcaller": "0x7ffc77fde37b",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2c2eda51000"
              },
              {
                "name": "RegionSize",
                "value": "0x00002000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 17
          },
          {
            "timestamp": "2026-05-28 22:03:01,707",
            "thread_id": "9648",
            "caller": "0x7ff6209bc5a5",
            "parentcaller": "0x7ff6209bb501",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2c2eda53000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 18
          },
          {
            "timestamp": "2026-05-28 22:03:01,707",
            "thread_id": "9648",
            "caller": "0x7ff6209bc5a5",
            "parentcaller": "0x7ff6209bb501",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2c2eda54000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 19
          },
          {
            "timestamp": "2026-05-28 22:03:01,707",
            "thread_id": "9648",
            "caller": "0x7ff6209bc60b",
            "parentcaller": "0x7ff6209bb501",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\System32\\clbcatq"
              },
              {
                "name": "DllBase",
                "value": "0x7ffc765f0000"
              }
            ],
            "repeated": 0,
            "id": 20
          },
          {
            "timestamp": "2026-05-28 22:03:01,785",
            "thread_id": "9648",
            "caller": "0x7ff6209bc60b",
            "parentcaller": "0x7ff6209bb501",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "0000034B-0000-0000-C000-000000000046"
              },
              {
                "name": "ClsContext",
                "value": "0x00000001",
                "pretty_value": "CLSCTX_INPROC_SERVER"
              },
              {
                "name": "riid",
                "value": "0000015B-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 21
          },
          {
            "timestamp": "2026-05-28 22:03:01,785",
            "thread_id": "9648",
            "caller": "0x7ff6209bc2ca",
            "parentcaller": "0x7ff6209bb513",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000270"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2c2ee180000"
              },
              {
                "name": "SectionOffset",
                "value": "0xda5719f6a0"
              },
              {
                "name": "ViewSize",
                "value": "0x00001000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 22
          },
          {
            "timestamp": "2026-05-28 22:03:01,785",
            "thread_id": "9648",
            "caller": "0x7ff6209bc1b9",
            "parentcaller": "0x7ff6209bb518",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2c2ee027000"
              },
              {
                "name": "RegionSize",
                "value": "0x00008000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 23
          },
          {
            "timestamp": "2026-05-28 22:03:01,785",
            "thread_id": "9648",
            "caller": "0x7ff6209bc1b9",
            "parentcaller": "0x7ff6209bb518",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x2c2eda20150"
              },
              {
                "name": "DesiredAccess",
                "value": "0xc0100080",
                "pretty_value": "GENERIC_READ|GENERIC_WRITE|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "\\??\\pipe\\PIPE_EVENTROOT\\CIMV2PROVIDERSUBSYSTEM"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "0"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000000"
              },
              {
                "name": "ExistedBefore",
                "value": "no"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 9,
            "id": 24
          },
          {
            "timestamp": "2026-05-28 22:03:01,785",
            "thread_id": "9648",
            "caller": "0x7ff6209bc1b9",
            "parentcaller": "0x7ff6209bb518",
            "category": "threading",
            "api": "CreateRemoteThreadEx",
            "status": true,
            "return": "0x0000028c",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "StartRoutine",
                "value": "0x7ffc708c3ca0"
              },
              {
                "name": "Parameter",
                "value": "0x2c2eda57760"
              },
              {
                "name": "CreationFlags",
                "value": "0x00000000"
              },
              {
                "name": "ThreadId",
                "value": "10692"
              },
              {
                "name": "ProcessId",
                "value": "9816"
              }
            ],
            "repeated": 0,
            "id": 25
          },
          {
            "timestamp": "2026-05-28 22:03:01,785",
            "thread_id": "9648",
            "caller": "0x7ff6209bc1ff",
            "parentcaller": "0x7ff6209bb518",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2c2efb40000"
              },
              {
                "name": "RegionSize",
                "value": "0x00100000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 26
          },
          {
            "timestamp": "2026-05-28 22:03:01,785",
            "thread_id": "9648",
            "caller": "0x7ff6209bc1ff",
            "parentcaller": "0x7ff6209bb518",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2c2efb40000"
              },
              {
                "name": "RegionSize",
                "value": "0x00002000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 27
          },
          {
            "timestamp": "2026-05-28 22:03:01,785",
            "thread_id": "9648",
            "caller": "0x7ff6209bc1ff",
            "parentcaller": "0x7ff6209bb518",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2c2eda59000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 28
          },
          {
            "timestamp": "2026-05-28 22:03:01,785",
            "thread_id": "9648",
            "caller": "0x7ff6209bc1ff",
            "parentcaller": "0x7ff6209bb518",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2c2efb42000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 29
          },
          {
            "timestamp": "2026-05-28 22:03:01,785",
            "thread_id": "9648",
            "caller": "0x7ff6209bc1ff",
            "parentcaller": "0x7ff6209bb518",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2c2efb43000"
              },
              {
                "name": "RegionSize",
                "value": "0x00003000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 30
          },
          {
            "timestamp": "2026-05-28 22:03:01,785",
            "thread_id": "9648",
            "caller": "0x7ff6209bc1ff",
            "parentcaller": "0x7ff6209bb518",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2c2eda5a000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 31
          },
          {
            "timestamp": "2026-05-28 22:03:01,785",
            "thread_id": "9648",
            "caller": "0x7ff6209bc1ff",
            "parentcaller": "0x7ff6209bb518",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2c2eda5b000"
              },
              {
                "name": "RegionSize",
                "value": "0x00002000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 32
          },
          {
            "timestamp": "2026-05-28 22:03:01,785",
            "thread_id": "9648",
            "caller": "0x7ff6209bc1ff",
            "parentcaller": "0x7ff6209bb518",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2c2efb46000"
              },
              {
                "name": "RegionSize",
                "value": "0x00005000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 33
          },
          {
            "timestamp": "2026-05-28 22:03:01,785",
            "thread_id": "9648",
            "caller": "0x7ff6209bc1ff",
            "parentcaller": "0x7ff6209bb518",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2c2eda5d000"
              },
              {
                "name": "RegionSize",
                "value": "0x00002000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 34
          },
          {
            "timestamp": "2026-05-28 22:03:01,785",
            "thread_id": "9648",
            "caller": "0x7ff6209bc1ff",
            "parentcaller": "0x7ff6209bb518",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2c2eda5f000"
              },
              {
                "name": "RegionSize",
                "value": "0x00003000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 35
          },
          {
            "timestamp": "2026-05-28 22:03:01,785",
            "thread_id": "9648",
            "caller": "0x7ff6209bc1ff",
            "parentcaller": "0x7ff6209bb518",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2c2efb4b000"
              },
              {
                "name": "RegionSize",
                "value": "0x00005000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 36
          },
          {
            "timestamp": "2026-05-28 22:03:04,754",
            "thread_id": "9648",
            "caller": "0x7ff6209bb555",
            "parentcaller": "0x7ff6209bc77a",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\system32\\wbem\\wbemprox"
              },
              {
                "name": "DllBase",
                "value": "0x7ffc61080000"
              }
            ],
            "repeated": 0,
            "id": 37
          },
          {
            "timestamp": "2026-05-28 22:03:04,832",
            "thread_id": "9648",
            "caller": "0x7ff6209bb555",
            "parentcaller": "0x7ff6209bc77a",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\wbem\\wbemprox.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc61080000"
              }
            ],
            "repeated": 0,
            "id": 38
          },
          {
            "timestamp": "2026-05-28 22:03:04,832",
            "thread_id": "9648",
            "caller": "0x7ff6209bb555",
            "parentcaller": "0x7ff6209bc77a",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "4590F811-1D3A-11D0-891F-00AA004B2E24"
              },
              {
                "name": "ClsContext",
                "value": "0x00000005",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_LOCAL_SERVER"
              },
              {
                "name": "riid",
                "value": "00000000-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 39
          },
          {
            "timestamp": "2026-05-28 22:03:04,848",
            "thread_id": "10112",
            "caller": "0x7ffc77fde715",
            "parentcaller": "0x7ffc77fde37b",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2c2eda6d000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 40
          },
          {
            "timestamp": "2026-05-28 22:03:04,848",
            "thread_id": "10112",
            "caller": "0x7ffc75716f4c",
            "parentcaller": "0x7ffc770cef53",
            "category": "system",
            "api": "NtDuplicateObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SourceProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "SourceHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "TargetProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "TargetHandle",
                "value": "0x000002c4"
              },
              {
                "name": "Options",
                "value": "0x00000002"
              }
            ],
            "repeated": 0,
            "id": 41
          },
          {
            "timestamp": "2026-05-28 22:03:04,848",
            "thread_id": "10112",
            "caller": "0x7ffc77fde715",
            "parentcaller": "0x7ffc77fde37b",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2c2eda6e000"
              },
              {
                "name": "RegionSize",
                "value": "0x00002000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 42
          },
          {
            "timestamp": "2026-05-28 22:03:04,879",
            "thread_id": "9648",
            "caller": "0x7ff6209bb5bc",
            "parentcaller": "0x7ff6209bc77a",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "0000032A-0000-0000-C000-000000000046"
              },
              {
                "name": "ClsContext",
                "value": "0x00000001",
                "pretty_value": "CLSCTX_INPROC_SERVER"
              },
              {
                "name": "riid",
                "value": "00000149-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 43
          },
          {
            "timestamp": "2026-05-28 22:03:04,879",
            "thread_id": "9648",
            "caller": "0x7ff6209bb5bc",
            "parentcaller": "0x7ff6209bc77a",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "00000339-0000-0000-C000-000000000046"
              },
              {
                "name": "ClsContext",
                "value": "0x00000403",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER|CLSCTX_NO_CODE_DOWNLOAD"
              },
              {
                "name": "riid",
                "value": "00000003-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 44
          },
          {
            "timestamp": "2026-05-28 22:03:04,879",
            "thread_id": "9648",
            "caller": "0x7ff6209bb5bc",
            "parentcaller": "0x7ff6209bc77a",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\system32\\wbem\\wbemsvc"
              },
              {
                "name": "DllBase",
                "value": "0x7ffc63bb0000"
              }
            ],
            "repeated": 0,
            "id": 45
          },
          {
            "timestamp": "2026-05-28 22:03:04,894",
            "thread_id": "9648",
            "caller": "0x7ff6209bb5bc",
            "parentcaller": "0x7ff6209bc77a",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\wbem\\wbemsvc.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc63bb0000"
              }
            ],
            "repeated": 0,
            "id": 46
          },
          {
            "timestamp": "2026-05-28 22:03:04,894",
            "thread_id": "9648",
            "caller": "0x7ff6209bb5bc",
            "parentcaller": "0x7ff6209bc77a",
            "category": "com",
            "api": "CoCreateInstanceEx",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "8BC3F05E-D86B-11D0-A075-00C04FB68820"
              },
              {
                "name": "ClsContext",
                "value": "0x00000014",
                "pretty_value": "CLSCTX_LOCAL_SERVER|CLSCTX_REMOTE_SERVER"
              },
              {
                "name": "ServerName",
                "value": ""
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 47
          },
          {
            "timestamp": "2026-05-28 22:03:04,957",
            "thread_id": "9648",
            "caller": "0x7ff6209bb5bc",
            "parentcaller": "0x7ff6209bc77a",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\wbem\\fastprox.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc600a0000"
              }
            ],
            "repeated": 0,
            "id": 48
          },
          {
            "timestamp": "2026-05-28 22:03:04,957",
            "thread_id": "9648",
            "caller": "0x7ff6209bb5bc",
            "parentcaller": "0x7ff6209bc77a",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2c2eda74000"
              },
              {
                "name": "RegionSize",
                "value": "0x00002000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 49
          },
          {
            "timestamp": "2026-05-28 22:03:04,957",
            "thread_id": "9648",
            "caller": "0x7ff6209bb5bc",
            "parentcaller": "0x7ff6209bc77a",
            "category": "com",
            "api": "CoGetClassObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "E7D35CFA-348B-485E-B524-252725D697CA"
              },
              {
                "name": "ClsContext",
                "value": "0x80000001",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_PS_DLL"
              },
              {
                "name": "riid",
                "value": "D5F569D0-593B-101A-B569-08002B2DBF7A"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 50
          },
          {
            "timestamp": "2026-05-28 22:03:04,973",
            "thread_id": "9648",
            "caller": "0x7ff6209bdafb",
            "parentcaller": "0x7ff6209bb615",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "4590F812-1D3A-11D0-891F-00AA004B2E24"
              },
              {
                "name": "ClsContext",
                "value": "0x00000403",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER|CLSCTX_NO_CODE_DOWNLOAD"
              },
              {
                "name": "riid",
                "value": "00000003-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 2,
            "id": 51
          },
          {
            "timestamp": "2026-05-28 22:03:05,035",
            "thread_id": "9648",
            "caller": "0x7ff6209bb1d8",
            "parentcaller": "0x7ff6209bb33c",
            "category": "threading",
            "api": "CreateRemoteThreadEx",
            "status": true,
            "return": "0x000002e8",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "StartRoutine",
                "value": "0x7ff6209bb120"
              },
              {
                "name": "Parameter",
                "value": "0x2c2eda74c80"
              },
              {
                "name": "CreationFlags",
                "value": "0x00000000"
              },
              {
                "name": "ThreadId",
                "value": "10192"
              },
              {
                "name": "ProcessId",
                "value": "9816"
              }
            ],
            "repeated": 0,
            "id": 52
          },
          {
            "timestamp": "2026-05-28 22:03:05,035",
            "thread_id": "9648",
            "caller": "0x7ff6209ba124",
            "parentcaller": "0x7ff6209bb77b",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2c2eda78000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 53
          },
          {
            "timestamp": "2026-05-28 22:03:05,035",
            "thread_id": "10080",
            "caller": "0x7ffc75716f4c",
            "parentcaller": "0x7ffc770cef53",
            "category": "system",
            "api": "NtDuplicateObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SourceProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "SourceHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "TargetProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "TargetHandle",
                "value": "0x00000310"
              },
              {
                "name": "Options",
                "value": "0x00000002"
              }
            ],
            "repeated": 0,
            "id": 54
          },
          {
            "timestamp": "2026-05-28 22:03:05,051",
            "thread_id": "10112",
            "caller": "0x7ffc77fde715",
            "parentcaller": "0x7ffc77fde37b",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2c2eda79000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 55
          },
          {
            "timestamp": "2026-05-28 22:03:05,051",
            "thread_id": "10112",
            "caller": "0x7ffc77be92b9",
            "parentcaller": "0x7ffc77c2224d",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "00000338-0000-0000-C000-000000000046"
              },
              {
                "name": "ClsContext",
                "value": "0x00000403",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER|CLSCTX_NO_CODE_DOWNLOAD"
              },
              {
                "name": "riid",
                "value": "00000003-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 56
          },
          {
            "timestamp": "2026-05-28 22:03:05,051",
            "thread_id": "10112",
            "caller": "0x7ffc77fde715",
            "parentcaller": "0x7ffc77fde37b",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2c2eda7d000"
              },
              {
                "name": "RegionSize",
                "value": "0x00003000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 57
          },
          {
            "timestamp": "2026-05-28 22:03:05,066",
            "thread_id": "10208",
            "caller": "0x7ffc75716f4c",
            "parentcaller": "0x7ffc770cef53",
            "category": "system",
            "api": "NtDuplicateObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SourceProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "SourceHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "TargetProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "TargetHandle",
                "value": "0x0000031c"
              },
              {
                "name": "Options",
                "value": "0x00000002"
              }
            ],
            "repeated": 0,
            "id": 58
          },
          {
            "timestamp": "2026-05-28 22:03:05,082",
            "thread_id": "10028",
            "caller": "0x7ffc77fde715",
            "parentcaller": "0x7ffc77fde37b",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2c2eda80000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 59
          },
          {
            "timestamp": "2026-05-28 22:03:05,082",
            "thread_id": "10028",
            "caller": "0x7ffc77fde715",
            "parentcaller": "0x7ffc77fde37b",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2c2eda81000"
              },
              {
                "name": "RegionSize",
                "value": "0x00003000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 60
          },
          {
            "timestamp": "2026-05-28 22:03:05,082",
            "thread_id": "10028",
            "caller": "0x7ffc75716f4c",
            "parentcaller": "0x7ffc770cef53",
            "category": "system",
            "api": "NtDuplicateObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SourceProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "SourceHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "TargetProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "TargetHandle",
                "value": "0x00000324"
              },
              {
                "name": "Options",
                "value": "0x00000002"
              }
            ],
            "repeated": 0,
            "id": 61
          },
          {
            "timestamp": "2026-05-28 22:03:05,082",
            "thread_id": "10028",
            "caller": "0x7ffc77fde715",
            "parentcaller": "0x7ffc77fde37b",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2c2eda84000"
              },
              {
                "name": "RegionSize",
                "value": "0x00003000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 62
          },
          {
            "timestamp": "2026-05-28 22:03:05,082",
            "thread_id": "10028",
            "caller": "0x7ffc77be92b9",
            "parentcaller": "0x7ffc77c2224d",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "674B6698-EE92-11D0-AD71-00C04FD8FDFF"
              },
              {
                "name": "ClsContext",
                "value": "0x00000403",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER|CLSCTX_NO_CODE_DOWNLOAD"
              },
              {
                "name": "riid",
                "value": "00000003-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 63
          },
          {
            "timestamp": "2026-05-28 22:03:05,082",
            "thread_id": "10028",
            "caller": "0x7ffc600caddd",
            "parentcaller": "0x7ffc600ca3b7",
            "category": "com",
            "api": "CoGetClassObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "E7D35CFA-348B-485E-B524-252725D697CA"
              },
              {
                "name": "ClsContext",
                "value": "0x80000001",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_PS_DLL"
              },
              {
                "name": "riid",
                "value": "D5F569D0-593B-101A-B569-08002B2DBF7A"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 1,
            "id": 64
          },
          {
            "timestamp": "2026-05-28 22:03:05,113",
            "thread_id": "10028",
            "caller": "0x7ff6209bf038",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\system32\\wbem\\wmiutils"
              },
              {
                "name": "DllBase",
                "value": "0x7ffc708e0000"
              }
            ],
            "repeated": 0,
            "id": 65
          },
          {
            "timestamp": "2026-05-28 22:03:05,129",
            "thread_id": "10028",
            "caller": "0x7ff6209bf038",
            "parentcaller": "0x00000000",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\wbem\\wmiutils.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc708e0000"
              }
            ],
            "repeated": 0,
            "id": 66
          },
          {
            "timestamp": "2026-05-28 22:03:05,129",
            "thread_id": "10028",
            "caller": "0x7ff6209bf038",
            "parentcaller": "0x00000000",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA"
              },
              {
                "name": "ClsContext",
                "value": "0x00000001",
                "pretty_value": "CLSCTX_INPROC_SERVER"
              },
              {
                "name": "riid",
                "value": "3BC15AF2-736C-477E-9E51-238AF8667DCC"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 67
          },
          {
            "timestamp": "2026-05-28 22:03:05,129",
            "thread_id": "10028",
            "caller": "0x7ffc75716f4c",
            "parentcaller": "0x7ffc77b96d2f",
            "category": "system",
            "api": "NtDuplicateObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SourceProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "SourceHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "TargetProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "TargetHandle",
                "value": "0x0000032c"
              },
              {
                "name": "Options",
                "value": "0x00000002"
              }
            ],
            "repeated": 0,
            "id": 68
          },
          {
            "timestamp": "2026-05-28 22:03:05,129",
            "thread_id": "10208",
            "caller": "0x7ffc77be92b9",
            "parentcaller": "0x7ffc77c2224d",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "674B6698-EE92-11D0-AD71-00C04FD8FDFF"
              },
              {
                "name": "ClsContext",
                "value": "0x00000403",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER|CLSCTX_NO_CODE_DOWNLOAD"
              },
              {
                "name": "riid",
                "value": "00000003-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 69
          },
          {
            "timestamp": "2026-05-28 22:03:05,129",
            "thread_id": "10208",
            "caller": "0x7ff6209b1cb2",
            "parentcaller": "0x7ff6209b1a68",
            "category": "system",
            "api": "NtDuplicateObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SourceProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "SourceHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "TargetProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "TargetHandle",
                "value": "0x00000334"
              },
              {
                "name": "Options",
                "value": "0x00000002"
              }
            ],
            "repeated": 0,
            "id": 70
          },
          {
            "timestamp": "2026-05-28 22:03:05,160",
            "thread_id": "10208",
            "caller": "0x7ff6209b1cb2",
            "parentcaller": "0x7ff6209b1a68",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "4590F812-1D3A-11D0-891F-00AA004B2E24"
              },
              {
                "name": "ClsContext",
                "value": "0x00000403",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER|CLSCTX_NO_CODE_DOWNLOAD"
              },
              {
                "name": "riid",
                "value": "00000003-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 71
          },
          {
            "timestamp": "2026-05-28 22:03:05,160",
            "thread_id": "10208",
            "caller": "0x7ff6209b1cb2",
            "parentcaller": "0x7ff6209b1a68",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2c2eda8c000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 72
          },
          {
            "timestamp": "2026-05-28 22:03:05,316",
            "thread_id": "10208",
            "caller": "0x7ff6209b4e98",
            "parentcaller": "0x7ff6209b1ab3",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2c2eda8d000"
              },
              {
                "name": "RegionSize",
                "value": "0x00002000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 73
          },
          {
            "timestamp": "2026-05-28 22:03:05,316",
            "thread_id": "10208",
            "caller": "0x7ff6209b4e98",
            "parentcaller": "0x7ff6209b1ab3",
            "category": "com",
            "api": "CoGetClassObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "E7D35CFA-348B-485E-B524-252725D697CA"
              },
              {
                "name": "ClsContext",
                "value": "0x80000001",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_PS_DLL"
              },
              {
                "name": "riid",
                "value": "D5F569D0-593B-101A-B569-08002B2DBF7A"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 74
          },
          {
            "timestamp": "2026-05-28 22:03:05,316",
            "thread_id": "10208",
            "caller": "0x7ff6209b56cb",
            "parentcaller": "0x7ff6209b5514",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\SYSTEM32\\powrprof"
              },
              {
                "name": "DllBase",
                "value": "0x7ffc75460000"
              }
            ],
            "repeated": 0,
            "id": 75
          },
          {
            "timestamp": "2026-05-28 22:03:05,348",
            "thread_id": "10208",
            "caller": "0x7ff6209b56cb",
            "parentcaller": "0x7ff6209b5514",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\SYSTEM32\\framedynos"
              },
              {
                "name": "DllBase",
                "value": "0x7ffc19950000"
              }
            ],
            "repeated": 0,
            "id": 76
          },
          {
            "timestamp": "2026-05-28 22:03:05,363",
            "thread_id": "10208",
            "caller": "0x7ff6209b56cb",
            "parentcaller": "0x7ff6209b5514",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\system32\\wbem\\cimwin32"
              },
              {
                "name": "DllBase",
                "value": "0x7ffc19650000"
              }
            ],
            "repeated": 0,
            "id": 77
          },
          {
            "timestamp": "2026-05-28 22:03:05,426",
            "thread_id": "10208",
            "caller": "0x7ff6209b56cb",
            "parentcaller": "0x7ff6209b5514",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\SYSTEM32\\UMPDC"
              },
              {
                "name": "DllBase",
                "value": "0x7ffc75440000"
              }
            ],
            "repeated": 0,
            "id": 78
          },
          {
            "timestamp": "2026-05-28 22:03:05,473",
            "thread_id": "10208",
            "caller": "0x7ff6209b56cb",
            "parentcaller": "0x7ff6209b5514",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\wbem\\cimwin32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc19650000"
              }
            ],
            "repeated": 0,
            "id": 79
          },
          {
            "timestamp": "2026-05-28 22:03:05,473",
            "thread_id": "10208",
            "caller": "0x7ff6209b56cb",
            "parentcaller": "0x7ff6209b5514",
            "category": "com",
            "api": "CoGetClassObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "D63A5850-8F16-11CF-9F47-00AA00BF345C"
              },
              {
                "name": "ClsContext",
                "value": "0x00000001",
                "pretty_value": "CLSCTX_INPROC_SERVER"
              },
              {
                "name": "riid",
                "value": "00000001-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 80
          },
          {
            "timestamp": "2026-05-28 22:03:05,473",
            "thread_id": "10208",
            "caller": "0x7ff6209b998d",
            "parentcaller": "0x7ff6209b899b",
            "category": "com",
            "api": "CoGetClassObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "1108BE51-F58A-4CDA-BB99-7A0227D11D5E"
              },
              {
                "name": "ClsContext",
                "value": "0x00000005",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_LOCAL_SERVER"
              },
              {
                "name": "riid",
                "value": "00000001-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 81
          },
          {
            "timestamp": "2026-05-28 22:03:05,488",
            "thread_id": "10208",
            "caller": "0x7ff6209b7ab2",
            "parentcaller": "0x7ff6209b5b48",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA"
              },
              {
                "name": "ClsContext",
                "value": "0x00000001",
                "pretty_value": "CLSCTX_INPROC_SERVER"
              },
              {
                "name": "riid",
                "value": "3BC15AF2-736C-477E-9E51-238AF8667DCC"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 82
          },
          {
            "timestamp": "2026-05-28 22:03:05,488",
            "thread_id": "10208",
            "caller": "0x7ffc600ca4f0",
            "parentcaller": "0x7ffc600ca195",
            "category": "com",
            "api": "CoGetClassObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "E7D35CFA-348B-485E-B524-252725D697CA"
              },
              {
                "name": "ClsContext",
                "value": "0x80000001",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_PS_DLL"
              },
              {
                "name": "riid",
                "value": "D5F569D0-593B-101A-B569-08002B2DBF7A"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 1,
            "id": 83
          },
          {
            "timestamp": "2026-05-28 22:03:05,504",
            "thread_id": "10208",
            "caller": "0x7ffc77be92b9",
            "parentcaller": "0x7ffc77c2224d",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "674B6698-EE92-11D0-AD71-00C04FD8FDFF"
              },
              {
                "name": "ClsContext",
                "value": "0x00000403",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER|CLSCTX_NO_CODE_DOWNLOAD"
              },
              {
                "name": "riid",
                "value": "00000003-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 84
          },
          {
            "timestamp": "2026-05-28 22:03:05,504",
            "thread_id": "10028",
            "caller": "0x7ffc77fde715",
            "parentcaller": "0x7ffc77fde37b",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2c2eda91000"
              },
              {
                "name": "RegionSize",
                "value": "0x00002000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 85
          },
          {
            "timestamp": "2026-05-28 22:03:05,504",
            "thread_id": "10028",
            "caller": "0x7ffc77fde715",
            "parentcaller": "0x7ffc77fde37b",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2c2eda93000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 86
          },
          {
            "timestamp": "2026-05-28 22:03:05,504",
            "thread_id": "10028",
            "caller": "0x7ffc77fde715",
            "parentcaller": "0x7ffc77fde37b",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2c2eda94000"
              },
              {
                "name": "RegionSize",
                "value": "0x00002000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 87
          },
          {
            "timestamp": "2026-05-28 22:03:05,504",
            "thread_id": "10028",
            "caller": "0x7ffc77be92b9",
            "parentcaller": "0x7ffc77c2224d",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "674B6698-EE92-11D0-AD71-00C04FD8FDFF"
              },
              {
                "name": "ClsContext",
                "value": "0x00000403",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER|CLSCTX_NO_CODE_DOWNLOAD"
              },
              {
                "name": "riid",
                "value": "00000003-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 88
          },
          {
            "timestamp": "2026-05-28 22:03:05,504",
            "thread_id": "10028",
            "caller": "0x7ffc600caddd",
            "parentcaller": "0x7ffc77bf0030",
            "category": "com",
            "api": "CoGetClassObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "E7D35CFA-348B-485E-B524-252725D697CA"
              },
              {
                "name": "ClsContext",
                "value": "0x80000001",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_PS_DLL"
              },
              {
                "name": "riid",
                "value": "D5F569D0-593B-101A-B569-08002B2DBF7A"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 89
          },
          {
            "timestamp": "2026-05-28 22:03:05,535",
            "thread_id": "10028",
            "caller": "0x7ff6209b906c",
            "parentcaller": "0x7ff6209b8cc3",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "4590F812-1D3A-11D0-891F-00AA004B2E24"
              },
              {
                "name": "ClsContext",
                "value": "0x00000403",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER|CLSCTX_NO_CODE_DOWNLOAD"
              },
              {
                "name": "riid",
                "value": "00000003-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 90
          },
          {
            "timestamp": "2026-05-28 22:03:05,535",
            "thread_id": "10028",
            "caller": "0x7ff6209b906c",
            "parentcaller": "0x7ff6209b8cc3",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2c2eda96000"
              },
              {
                "name": "RegionSize",
                "value": "0x00003000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 91
          },
          {
            "timestamp": "2026-05-28 22:03:05,535",
            "thread_id": "10028",
            "caller": "0x7ff6209b906c",
            "parentcaller": "0x7ff6209b8cc3",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\SYSTEM32\\WMI"
              },
              {
                "name": "DllBase",
                "value": "0x2c2ee1b0000"
              }
            ],
            "repeated": 0,
            "id": 92
          },
          {
            "timestamp": "2026-05-28 22:03:05,551",
            "thread_id": "10028",
            "caller": "0x7ff6209b906c",
            "parentcaller": "0x7ff6209b8cc3",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "WMI.DLL"
              },
              {
                "name": "BaseAddress",
                "value": "0x2c2ee1b0000"
              }
            ],
            "repeated": 0,
            "id": 93
          },
          {
            "timestamp": "2026-05-28 22:03:05,551",
            "thread_id": "10028",
            "caller": "0x7ff6209b906c",
            "parentcaller": "0x7ff6209b8cc3",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x0000035c"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100021",
                "pretty_value": "FILE_READ_ACCESS|FILE_EXECUTE|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\wmiclnt.dll"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 94
          },
          {
            "timestamp": "2026-05-28 22:03:05,551",
            "thread_id": "10028",
            "caller": "0x7ff6209b906c",
            "parentcaller": "0x7ff6209b8cc3",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x00000358"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc6f2c0000"
              },
              {
                "name": "SectionOffset",
                "value": "0x00000000"
              },
              {
                "name": "ViewSize",
                "value": "0x00011000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000080",
                "pretty_value": "PAGE_EXECUTE_WRITECOPY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 95
          },
          {
            "timestamp": "2026-05-28 22:03:05,551",
            "thread_id": "10028",
            "caller": "0x7ff6209b906c",
            "parentcaller": "0x7ff6209b8cc3",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\SYSTEM32\\wmiclnt"
              },
              {
                "name": "DllBase",
                "value": "0x7ffc6f2c0000"
              }
            ],
            "repeated": 0,
            "id": 96
          },
          {
            "timestamp": "2026-05-28 22:03:05,566",
            "thread_id": "10028",
            "caller": "0x7ff6209b906c",
            "parentcaller": "0x7ff6209b8cc3",
            "category": "filesystem",
            "api": "NtCreateFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x0000035c"
              },
              {
                "name": "DesiredAccess",
                "value": "0xc0100080",
                "pretty_value": "GENERIC_READ|GENERIC_WRITE|FILE_READ_ATTRIBUTES|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "\\??\\WMIDataDevice"
              },
              {
                "name": "CreateDisposition",
                "value": "1",
                "pretty_value": "FILE_OPEN"
              },
              {
                "name": "ShareAccess",
                "value": "0"
              },
              {
                "name": "FileAttributes",
                "value": "0x00000080",
                "pretty_value": "FILE_ATTRIBUTE_NORMAL"
              },
              {
                "name": "ExistedBefore",
                "value": "yes"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 97
          },
          {
            "timestamp": "2026-05-28 22:03:05,566",
            "thread_id": "10028",
            "caller": "0x7ff6209b906c",
            "parentcaller": "0x7ff6209b8cc3",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x2c2efb64000"
              },
              {
                "name": "RegionSize",
                "value": "0x00002000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 98
          }
        ],
        "threads": [
          "9648",
          "9264",
          "10112",
          "10080",
          "10208",
          "10028"
        ],
        "environ": {
          "UserName": "JOHNS-PC$",
          "ComputerName": "JOHNS-PC",
          "WindowsPath": "C:\\Windows",
          "TempPath": "C:\\Windows\\TEMP\\",
          "CommandLine": "C:\\Windows\\system32\\wbem\\wmiprvse.exe -secured -Embedding",
          "RegisteredOwner": "",
          "RegisteredOrganization": "",
          "ProductName": "",
          "SystemVolumeSerialNumber": "12bc-0026",
          "SystemVolumeGUID": "528c102f-0000-0000-0000-300300000000",
          "MachineGUID": "",
          "MainExeBase": "0x7ff6209b0000",
          "MainExeSize": "0x0007e000",
          "Bitness": "64-bit"
        },
        "file_activities": {
          "read_files": [],
          "write_files": [],
          "delete_files": []
        }
      },
      {
        "process_id": 8196,
        "process_name": "svchost.exe",
        "parent_id": 592,
        "module_path": "C:\\Windows\\System32\\svchost.exe",
        "first_seen": "2026-05-28 22:03:02,316",
        "calls": [
          {
            "timestamp": "2026-05-28 22:03:04,848",
            "thread_id": "9728",
            "caller": "0x7ffc75716f4c",
            "parentcaller": "0x7ffc770cef53",
            "category": "system",
            "api": "NtDuplicateObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SourceProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "SourceHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "TargetProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "TargetHandle",
                "value": "0x000007a8"
              },
              {
                "name": "Options",
                "value": "0x00000002"
              }
            ],
            "repeated": 0,
            "id": 0
          },
          {
            "timestamp": "2026-05-28 22:03:04,863",
            "thread_id": "9728",
            "caller": "0x7ffc77be92b9",
            "parentcaller": "0x7ffc77c2224d",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "00000338-0000-0000-C000-000000000046"
              },
              {
                "name": "ClsContext",
                "value": "0x00000403",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER|CLSCTX_NO_CODE_DOWNLOAD"
              },
              {
                "name": "riid",
                "value": "00000003-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 1
          },
          {
            "timestamp": "2026-05-28 22:03:04,863",
            "thread_id": "9728",
            "caller": "0x7ffc756e56b2",
            "parentcaller": "0x7ffc6aa4359f",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\wbem\\wbemcore.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x7ffc1a200000"
              }
            ],
            "repeated": 0,
            "id": 2
          },
          {
            "timestamp": "2026-05-28 22:03:04,863",
            "thread_id": "9728",
            "caller": "0x7ffc6aa435f7",
            "parentcaller": "0x7ffc77bab20e",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "4FA18276-912A-11D1-AD9B-00C04FD8FDFF"
              },
              {
                "name": "ClsContext",
                "value": "0x00000001",
                "pretty_value": "CLSCTX_INPROC_SERVER"
              },
              {
                "name": "riid",
                "value": "00000000-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 3
          },
          {
            "timestamp": "2026-05-28 22:03:04,910",
            "thread_id": "11168",
            "caller": "0x7ffc75716f4c",
            "parentcaller": "0x7ffc770cef53",
            "category": "system",
            "api": "NtDuplicateObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SourceProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "SourceHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "TargetProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "TargetHandle",
                "value": "0x000007b0"
              },
              {
                "name": "Options",
                "value": "0x00000002"
              }
            ],
            "repeated": 0,
            "id": 4
          },
          {
            "timestamp": "2026-05-28 22:03:04,957",
            "thread_id": "8236",
            "caller": "0x7ffc1a133a1a",
            "parentcaller": "0x7ffc1a218f9b",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA"
              },
              {
                "name": "ClsContext",
                "value": "0x00000001",
                "pretty_value": "CLSCTX_INPROC_SERVER"
              },
              {
                "name": "riid",
                "value": "3BC15AF2-736C-477E-9E51-238AF8667DCC"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 5
          },
          {
            "timestamp": "2026-05-28 22:03:04,957",
            "thread_id": "8236",
            "caller": "0x7ffc6b8e2c1e",
            "parentcaller": "0x7ffc1a219057",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "674B6698-EE92-11D0-AD71-00C04FD8FDFF"
              },
              {
                "name": "ClsContext",
                "value": "0x00000001",
                "pretty_value": "CLSCTX_INPROC_SERVER"
              },
              {
                "name": "riid",
                "value": "44ACA674-E8FC-11D0-A07C-00C04FB68820"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 6
          },
          {
            "timestamp": "2026-05-28 22:03:04,957",
            "thread_id": "8236",
            "caller": "0x7ffc600ca4f0",
            "parentcaller": "0x7ffc600ca195",
            "category": "com",
            "api": "CoGetClassObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "E7D35CFA-348B-485E-B524-252725D697CA"
              },
              {
                "name": "ClsContext",
                "value": "0x80000001",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_PS_DLL"
              },
              {
                "name": "riid",
                "value": "D5F569D0-593B-101A-B569-08002B2DBF7A"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 7
          },
          {
            "timestamp": "2026-05-28 22:03:05,051",
            "thread_id": "2592",
            "caller": "0x7ffc77be92b9",
            "parentcaller": "0x7ffc77c2224d",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "00000339-0000-0000-C000-000000000046"
              },
              {
                "name": "ClsContext",
                "value": "0x00000403",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER|CLSCTX_NO_CODE_DOWNLOAD"
              },
              {
                "name": "riid",
                "value": "00000003-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 0,
            "id": 8
          },
          {
            "timestamp": "2026-05-28 22:03:05,066",
            "thread_id": "2592",
            "caller": "0x7ffc1a134e9b",
            "parentcaller": "0x7ffc1a136a2f",
            "category": "com",
            "api": "CoGetClassObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "1108BE51-F58A-4CDA-BB99-7A0227D11D5E"
              },
              {
                "name": "ClsContext",
                "value": "0x00000005",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_LOCAL_SERVER"
              },
              {
                "name": "riid",
                "value": "00000001-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 1,
            "id": 9
          },
          {
            "timestamp": "2026-05-28 22:03:05,082",
            "thread_id": "2592",
            "caller": "0x7ffc1a216b2d",
            "parentcaller": "0x7ffc1a12cae0",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "CD1ABFC8-6C5E-4A8D-B90B-2A3B153B886D"
              },
              {
                "name": "ClsContext",
                "value": "0x00000001",
                "pretty_value": "CLSCTX_INPROC_SERVER"
              },
              {
                "name": "riid",
                "value": "00000000-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 1,
            "id": 10
          },
          {
            "timestamp": "2026-05-28 22:03:05,082",
            "thread_id": "2592",
            "caller": "0x7ffc600ca4f0",
            "parentcaller": "0x7ffc600ca195",
            "category": "com",
            "api": "CoGetClassObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "E7D35CFA-348B-485E-B524-252725D697CA"
              },
              {
                "name": "ClsContext",
                "value": "0x80000001",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_PS_DLL"
              },
              {
                "name": "riid",
                "value": "D5F569D0-593B-101A-B569-08002B2DBF7A"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 1,
            "id": 11
          },
          {
            "timestamp": "2026-05-28 22:03:05,129",
            "thread_id": "2592",
            "caller": "0x7ffc1a134e9b",
            "parentcaller": "0x7ffc1a136a2f",
            "category": "com",
            "api": "CoGetClassObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "1108BE51-F58A-4CDA-BB99-7A0227D11D5E"
              },
              {
                "name": "ClsContext",
                "value": "0x00000005",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_LOCAL_SERVER"
              },
              {
                "name": "riid",
                "value": "00000001-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 1,
            "id": 12
          },
          {
            "timestamp": "2026-05-28 22:03:05,144",
            "thread_id": "8236",
            "caller": "0x7ffc77be92b9",
            "parentcaller": "0x7ffc77c2224d",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "674B6698-EE92-11D0-AD71-00C04FD8FDFF"
              },
              {
                "name": "ClsContext",
                "value": "0x00000403",
                "pretty_value": "CLSCTX_INPROC_SERVER|CLSCTX_INPROC_HANDLER|CLSCTX_NO_CODE_DOWNLOAD"
              },
              {
                "name": "riid",
                "value": "00000003-0000-0000-C000-000000000046"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 1,
            "id": 13
          },
          {
            "timestamp": "2026-05-28 22:03:05,160",
            "thread_id": "9644",
            "caller": "0x7ffc708e2508",
            "parentcaller": "0x7ffc708e4a51",
            "category": "com",
            "api": "CoCreateInstance",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "rclsid",
                "value": "CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA"
              },
              {
                "name": "ClsContext",
                "value": "0x00000001",
                "pretty_value": "CLSCTX_INPROC_SERVER"
              },
              {
                "name": "riid",
                "value": "3BC15AF2-736C-477E-9E51-238AF8667DCC"
              },
              {
                "name": "ProgID",
                "value": ""
              }
            ],
            "repeated": 6,
            "id": 14
          }
        ],
        "threads": [
          "9728",
          "11168",
          "8236",
          "2592",
          "9644"
        ],
        "environ": {
          "UserName": "SYSTEM",
          "ComputerName": "JOHNS-PC",
          "WindowsPath": "C:\\Windows",
          "TempPath": "C:\\Windows\\TEMP\\",
          "CommandLine": "C:\\Windows\\system32\\svchost.exe -k netsvcs -p",
          "RegisteredOwner": "",
          "RegisteredOrganization": "",
          "ProductName": "",
          "SystemVolumeSerialNumber": "12bc-0026",
          "SystemVolumeGUID": "528c102f-0000-0000-0000-300300000000",
          "MachineGUID": "",
          "MainExeBase": "0x7ff780360000",
          "MainExeSize": "0x00010000",
          "Bitness": "64-bit"
        },
        "file_activities": {
          "read_files": [],
          "write_files": [],
          "delete_files": []
        }
      }
    ],
    "anomaly": [],
    "processtree": [
      {
        "name": "explorer.exe",
        "pid": 4584,
        "parent_id": 4556,
        "module_path": "C:\\Windows\\explorer.exe",
        "children": [
          {
            "name": "Taskmgr.exe",
            "pid": 7912,
            "parent_id": 4584,
            "module_path": "C:\\Windows\\System32\\Taskmgr.exe",
            "children": [],
            "threads": [
              "1496",
              "4708",
              "3956",
              "3940",
              "4592",
              "4692",
              "2700",
              "5448",
              "7832",
              "520",
              "608",
              "612",
              "60",
              "1004",
              "1276",
              "3700",
              "8568",
              "8588",
              "8592",
              "8596",
              "8600",
              "8604",
              "9180",
              "2988"
            ],
            "environ": {
              "UserName": "admin",
              "ComputerName": "JOHNS-PC",
              "WindowsPath": "C:\\Windows",
              "TempPath": "C:\\Users\\admin\\AppData\\Local\\Temp\\",
              "CommandLine": "\"C:\\Windows\\system32\\taskmgr.exe\" /4",
              "RegisteredOwner": "",
              "RegisteredOrganization": "",
              "ProductName": "",
              "SystemVolumeSerialNumber": "12bc-0026",
              "SystemVolumeGUID": "528c102f-0000-0000-0000-300300000000",
              "MachineGUID": "",
              "MainExeBase": "0x7ff6c28b0000",
              "MainExeSize": "0x00130000",
              "Bitness": "64-bit"
            }
          },
          {
            "name": "msedge.exe",
            "pid": 9188,
            "parent_id": 4584,
            "module_path": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe",
            "children": [
              {
                "name": "identity_helper.exe",
                "pid": 10720,
                "parent_id": 9188,
                "module_path": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\148.0.3967.83\\identity_helper.exe",
                "children": [],
                "threads": [
                  "10724",
                  "10844",
                  "10840",
                  "10836",
                  "10832",
                  "11000",
                  "11004",
                  "11008",
                  "11012",
                  "11020",
                  "11024",
                  "11028",
                  "11032",
                  "10808",
                  "11120",
                  "11124",
                  "11128",
                  "11132",
                  "11136",
                  "11140",
                  "11156",
                  "11168"
                ],
                "environ": {
                  "UserName": "admin",
                  "ComputerName": "JOHNS-PC",
                  "WindowsPath": "C:\\Windows",
                  "TempPath": "C:\\Users\\admin\\AppData\\Local\\Temp\\",
                  "CommandLine": "\"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\148.0.3967.83\\identity_helper.exe\" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=windows_package_identity --skip-read-main-dll --metrics-shmem-handle=5988,i,16463646965434194640,9756354988950792942,524288 --field-trial-handle=2464,i,11618049249894349634,12934656804764563957,262144 --variations-seed-version --pseudonymization-salt-handle=2472,i,15884246703223372676,9125995165493510780,4 --trace-process-track-uuid=3190708994745248135 --mojo-platform-channel-handle=6004 /prefetch:8",
                  "RegisteredOwner": "",
                  "RegisteredOrganization": "",
                  "ProductName": "",
                  "SystemVolumeSerialNumber": "12bc-0026",
                  "SystemVolumeGUID": "528c102f-0000-0000-0000-300300000000",
                  "MachineGUID": "",
                  "MainExeBase": "0x7ff66ca90000",
                  "MainExeSize": "0x0028c000",
                  "Bitness": "64-bit"
                }
              }
            ],
            "threads": [
              "9192",
              "9212",
              "9276",
              "9336",
              "9332",
              "9364",
              "9400",
              "9412",
              "9480",
              "9288",
              "9316",
              "9504",
              "9476",
              "9472",
              "9724",
              "9528",
              "9496",
              "10236",
              "9268",
              "9588",
              "9280",
              "9408",
              "9820",
              "10632",
              "9292",
              "9312",
              "9264"
            ],
            "environ": {
              "UserName": "admin",
              "ComputerName": "JOHNS-PC",
              "WindowsPath": "C:\\Windows",
              "TempPath": "C:\\Users\\admin\\AppData\\Local\\Temp\\",
              "CommandLine": "\"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe\" \"https://sugarcraft.net/\"",
              "RegisteredOwner": "",
              "RegisteredOrganization": "",
              "ProductName": "",
              "SystemVolumeSerialNumber": "12bc-0026",
              "SystemVolumeGUID": "528c102f-0000-0000-0000-300300000000",
              "MachineGUID": "",
              "MainExeBase": "0x7ff734750000",
              "MainExeSize": "0x00505000",
              "Bitness": "64-bit"
            }
          }
        ],
        "threads": [
          "4884",
          "5208",
          "4636",
          "2840",
          "2604",
          "4156",
          "4640",
          "6712",
          "4804",
          "4668",
          "6892",
          "5020",
          "4628",
          "3452",
          "1096",
          "4928",
          "4812",
          "4644",
          "4844",
          "4684",
          "4932",
          "4920",
          "10780",
          "4624",
          "5080",
          "388",
          "5224",
          "3088"
        ],
        "environ": {
          "UserName": "admin",
          "ComputerName": "JOHNS-PC",
          "WindowsPath": "C:\\Windows",
          "TempPath": "C:\\Users\\admin\\AppData\\Local\\Temp\\",
          "CommandLine": "C:\\Windows\\Explorer.EXE",
          "RegisteredOwner": "",
          "RegisteredOrganization": "",
          "ProductName": "",
          "SystemVolumeSerialNumber": "12bc-0026",
          "SystemVolumeGUID": "528c102f-0000-0000-0000-300300000000",
          "MachineGUID": "",
          "MainExeBase": "0x7ff65e010000",
          "MainExeSize": "0x00546000",
          "Bitness": "64-bit"
        }
      },
      {
        "name": "svchost.exe",
        "pid": 740,
        "parent_id": 592,
        "module_path": "C:\\Windows\\System32\\svchost.exe",
        "children": [
          {
            "name": "dllhost.exe",
            "pid": 9716,
            "parent_id": 740,
            "module_path": "C:\\Windows\\System32\\dllhost.exe",
            "children": [],
            "threads": [
              "9720",
              "11128",
              "9948",
              "11028",
              "10576",
              "3116",
              "6264",
              "5468",
              "3340",
              "440",
              "3228"
            ],
            "environ": {
              "UserName": "admin",
              "ComputerName": "JOHNS-PC",
              "WindowsPath": "C:\\Windows",
              "TempPath": "C:\\Users\\admin\\AppData\\Local\\Temp\\",
              "CommandLine": "C:\\Windows\\system32\\DllHost.exe /Processid:{338B40F9-9D68-4B53-A793-6B9AA0C5F63B}",
              "RegisteredOwner": "",
              "RegisteredOrganization": "",
              "ProductName": "",
              "SystemVolumeSerialNumber": "12bc-0026",
              "SystemVolumeGUID": "528c102f-0000-0000-0000-300300000000",
              "MachineGUID": "",
              "MainExeBase": "0x7ff699df0000",
              "MainExeSize": "0x00009000",
              "Bitness": "64-bit"
            }
          },
          {
            "name": "WmiPrvSE.exe",
            "pid": 9816,
            "parent_id": 740,
            "module_path": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe",
            "children": [],
            "threads": [
              "9648",
              "9264",
              "10112",
              "10080",
              "10208",
              "10028"
            ],
            "environ": {
              "UserName": "JOHNS-PC$",
              "ComputerName": "JOHNS-PC",
              "WindowsPath": "C:\\Windows",
              "TempPath": "C:\\Windows\\TEMP\\",
              "CommandLine": "C:\\Windows\\system32\\wbem\\wmiprvse.exe -secured -Embedding",
              "RegisteredOwner": "",
              "RegisteredOrganization": "",
              "ProductName": "",
              "SystemVolumeSerialNumber": "12bc-0026",
              "SystemVolumeGUID": "528c102f-0000-0000-0000-300300000000",
              "MachineGUID": "",
              "MainExeBase": "0x7ff6209b0000",
              "MainExeSize": "0x0007e000",
              "Bitness": "64-bit"
            }
          }
        ],
        "threads": [
          "1352",
          "944",
          "836",
          "1440",
          "840",
          "1240"
        ],
        "environ": {
          "UserName": "SYSTEM",
          "ComputerName": "JOHNS-PC",
          "WindowsPath": "C:\\Windows",
          "TempPath": "C:\\Windows\\TEMP\\",
          "CommandLine": "C:\\Windows\\system32\\svchost.exe -k DcomLaunch -p",
          "RegisteredOwner": "",
          "RegisteredOrganization": "",
          "ProductName": "",
          "SystemVolumeSerialNumber": "12bc-0026",
          "SystemVolumeGUID": "528c102f-0000-0000-0000-300300000000",
          "MachineGUID": "",
          "MainExeBase": "0x7ff780360000",
          "MainExeSize": "0x00010000",
          "Bitness": "64-bit"
        }
      },
      {
        "name": "svchost.exe",
        "pid": 8196,
        "parent_id": 592,
        "module_path": "C:\\Windows\\System32\\svchost.exe",
        "children": [],
        "threads": [
          "9728",
          "11168",
          "8236",
          "2592",
          "9644"
        ],
        "environ": {
          "UserName": "SYSTEM",
          "ComputerName": "JOHNS-PC",
          "WindowsPath": "C:\\Windows",
          "TempPath": "C:\\Windows\\TEMP\\",
          "CommandLine": "C:\\Windows\\system32\\svchost.exe -k netsvcs -p",
          "RegisteredOwner": "",
          "RegisteredOrganization": "",
          "ProductName": "",
          "SystemVolumeSerialNumber": "12bc-0026",
          "SystemVolumeGUID": "528c102f-0000-0000-0000-300300000000",
          "MachineGUID": "",
          "MainExeBase": "0x7ff780360000",
          "MainExeSize": "0x00010000",
          "Bitness": "64-bit"
        }
      }
    ],
    "summary": {
      "files": [
        "\\Device\\Bam",
        "C:\\Windows\\explorer.exe",
        "C:\\Windows\\System32\\d3d10warp.dll",
        "C:\\Windows\\System32\\en-US\\explorerframe.dll.mui",
        "C:\\Windows\\System32",
        "C:\\",
        "C:\\Windows\\",
        "C:\\Windows\\System32\\",
        "C:\\Windows\\System32\\Taskmgr.exe",
        "C:\\Windows\\System32\\Taskmgr.exe\\",
        "C:\\Windows",
        "C:",
        "\\??\\MountPointManager",
        "\\??\\Volume{528c102f-0000-0000-0000-300300000000}",
        "C:\\Windows\\System32\\en-US\\taskmgr.exe.mui",
        "C:\\Windows\\System32\\pcacli.dll",
        "C:\\Windows\\System32\\mpr.dll",
        "C:\\Windows\\WinSxS\\FileMaps\\$$_system32_21f9a9c4a2f8b514.cdf-ms",
        "C:\\Windows\\apppatch\\sysmain.sdb",
        "C:\\Users\\admin\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\AutomaticDestinations",
        "C:\\Windows\\System32\\en-US\\Taskmgr.exe.mui",
        "C:\\Program Files (x86)\\Microsoft\\",
        "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\",
        "C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Microsoft Edge.lnk",
        "C:\\Windows\\System32\\twinui.pcshell.dll",
        "C:\\Users\\admin\\AppData\\Local\\Packages\\Microsoft.Windows.Search_cw5n1h2txyewy\\LocalState\\ShellFeeds\\GLEAM-LIGHT.svg",
        "C:\\Users\\admin\\AppData\\Local\\Packages\\Microsoft.Windows.Search_cw5n1h2txyewy\\LocalState\\ShellFeeds\\GLEAM-DARK.svg",
        "C:\\Windows\\System32\\SecurityHealthSSO.dll",
        "C:\\Windows\\System32\\wscui.cpl",
        "C:\\Windows\\System32\\en-US\\wscui.cpl.mui",
        "C:\\Windows\\WinSxS\\amd64_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.19041.3636_none_91a19322cc8a92a3",
        "C:\\Windows\\WinSxS\\amd64_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.19041.3636_none_91a19322cc8a92a3\\GdiPlus.dll",
        "C:\\Windows\\System32\\en-US\\Actioncenter.dll.mui",
        "C:\\Windows\\System32\\Actioncenter.dll.3.Manifest",
        "\\??\\PhysicalDrive0",
        "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe",
        "C:\\Windows\\System32\\umpdc.dll",
        "C:\\Windows\\WindowsShell.Manifest",
        "\\Device\\CNG",
        "C:\\Windows\\System32\\taskmgr.exe.3.Manifest",
        "C:\\Windows\\Fonts\\staticcache.dat",
        "C:\\Windows\\System32\\TextShaping.dll",
        "C:\\Windows\\System32\\textinputframework.dll",
        "C:\\Windows\\System32\\CoreUIComponents.dll",
        "C:\\Windows\\System32\\CoreMessaging.dll",
        "C:\\Windows\\System32\\ntmarta.dll",
        "C:\\Windows\\System32\\WinTypes.dll",
        "C:\\Windows\\Globalization\\Sorting\\sortdefault.nls",
        "C:\\Windows\\System32\\policymanager.dll",
        "C:\\Windows\\System32\\msvcp110_win.dll",
        "\\Device\\PcwDrv",
        "C:\\Windows\\System32\\wtsapi32.dll",
        "C:\\Windows\\System32\\WDI\\LogFiles\\StartupInfo\\S-1-5-21-3968686040-3210279463-847977608-1001_StartupInfo1.xml",
        "C:\\Windows\\System32\\windows.storage.dll",
        "C:\\Windows\\System32\\wldp.dll",
        "C:\\Windows\\System32\\WDI\\LogFiles\\StartupInfo\\S-1-5-21-3968686040-3210279463-847977608-1001_StartupInfo2.xml",
        "C:\\Windows\\System32\\WDI\\LogFiles\\StartupInfo\\S-1-5-21-3968686040-3210279463-847977608-1001_StartupInfo3.xml",
        "C:\\Windows\\System32\\WDI\\LogFiles\\StartupInfo\\S-1-5-21-3968686040-3210279463-847977608-1001_StartupInfo4.xml",
        "C:\\Windows\\System32\\WDI\\LogFiles\\StartupInfo\\S-1-5-21-3968686040-3210279463-847977608-1001_StartupInfo5.xml",
        "C:\\Windows\\System32\\winsta.dll",
        "C:\\Windows\\System32\\xmllite.dll",
        "C:\\Windows\\System32\\WindowsCodecs.dll",
        "C:\\Program Files (x86)\\Steam\\bin\\cef\\cef.win64\\steamwebhelper.exe",
        "C:\\Program Files\\Google\\Chrome\\Application\\PlatformExperienceHelper\\platform_experience_helper.exe",
        "C:\\Program Files\\Google\\Chrome\\Application\\148.0.7778.217\\Installer\\chrmstp.exe",
        "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe",
        "C:\\Program Files",
        "C:\\Windows\\System32\\reg.exe",
        "C:\\Users\\admin\\AppData\\Local\\Discord\\app-1.0.9238\\Discord.exe",
        "C:\\Program Files (x86)\\Steam\\steamsysinfo.exe",
        "C:\\Windows\\System32\\SecurityHealthSystray.exe",
        "C:\\Users\\admin\\AppData\\Local\\Microsoft\\WindowsApps\\python.exe",
        "C:\\Users\\admin\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup",
        "C:\\Users\\admin\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\*.*",
        "C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\StartUp",
        "C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\StartUp\\*.*",
        "C:\\Windows\\System32\\en-US\\SecurityHealthSystray.exe.mui",
        "C:\\Windows\\System32\\en\\SecurityHealthSystray.exe.mui",
        "C:\\Windows\\System32\\shell32.dll",
        "C:\\Windows\\System32\\oleacc.dll",
        "C:\\Users\\admin",
        "C:\\Users\\admin\\AppData\\Local",
        "C:\\Users\\admin\\AppData\\Local\\IconCache.db",
        "C:\\Windows\\System32\\en-US\\OLEACCRC.DLL.mui",
        "C:\\Windows\\System32\\UxTheme.dll.Config",
        "C:\\Windows\\System32\\uxtheme.dll",
        "C:\\Windows\\System32\\resmon.exe",
        "C:\\Windows\\System32\\samcli.dll",
        "C:\\Windows\\System32\\samlib.dll",
        "C:\\Windows\\System32\\en-US\\csrss.exe.mui",
        "C:\\Users\\admin\\AppData\\Local\\Microsoft\\Windows\\Explorer",
        "C:\\Windows\\System32\\en-US\\winlogon.exe.mui",
        "C:\\Users\\admin\\AppData\\Local\\Microsoft\\Windows\\Explorer\\IconCacheToDelete",
        "C:\\Users\\admin\\AppData\\Local\\Microsoft\\Windows\\Explorer\\iconcache_idx.db",
        "C:\\Windows\\System32\\en-US\\svchost.exe.mui",
        "C:\\Users\\admin\\AppData\\Local\\Microsoft\\Windows\\Explorer\\iconcache_16.db",
        "C:\\Users\\admin\\AppData\\Local\\Microsoft\\Windows\\Caches",
        "C:\\Users\\admin\\AppData\\Local\\Microsoft\\Windows\\Caches\\cversions.1.db",
        "C:\\Users\\admin\\AppData\\Local\\Microsoft\\Windows\\Caches\\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.ver0x0000000000000002.db",
        "C:\\Users\\desktop.ini",
        "C:\\Users",
        "C:\\Users\\admin\\AppData",
        "C:\\Users\\admin\\AppData\\Local\\Microsoft",
        "C:\\Users\\admin\\AppData\\Local\\Microsoft\\WindowsApps",
        "C:\\Users\\admin\\AppData\\Local\\Microsoft\\WindowsApps\\desktop.ini",
        "C:\\Windows\\SysWOW64\\propsys.dll",
        "C:\\Windows\\System32\\propsys.dll",
        "C:\\Windows\\System32\\en-US\\propsys.dll.mui",
        "C:\\Windows\\System32\\svchost.exe",
        "C:\\Users\\admin\\AppData\\Local\\microsoft\\windowsapps\\python.exe",
        "C:\\Windows\\System32\\imageres.dll",
        "C:\\Windows\\System32\\en-US\\imageres.dll.mui",
        "C:\\Windows\\System32\\SystemResources\\imageres.dll.mui.mun",
        "C:\\Windows\\SystemResources\\imageres.dll.mun",
        "C:\\Users\\admin\\AppData\\Local\\Python\\pythoncore-3.14-64\\python.exe",
        "C:\\Windows\\System32\\conhost.exe",
        "C:\\??\\c:\\windows\\system32\\conhost.exe",
        "C:\\Users\\admin\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe",
        "C:\\Users\\admin\\AppData\\Local\\Discord\\Update.exe",
        "C:\\Users\\admin\\AppData\\Local\\SystemResources\\update.exe.mun",
        "C:\\Windows\\System32\\en-US\\reg.exe.mui",
        "C:\\Windows\\SystemResources\\reg.exe.mun",
        "C:\\Users\\admin\\AppData\\Local\\Discord\\app-1.0.9238\\modules\\discord_voice-1\\discord_voice\\gpu_encoder_helper.exe",
        "C:\\Users\\admin\\AppData\\Local\\Discord\\app-1.0.9238\\modules\\discord_voice-1\\SystemResources\\gpu_encoder_helper.exe.mun",
        "C:\\Program Files (x86)\\Steam\\steam.exe",
        "C:\\Windows\\System32\\bin\\vulkandriverquery64.exe",
        "C:\\Windows\\System32\\en-US\\spoolsv.exe.mui",
        "C:\\Windows\\System32\\bin\\vulkandriverquery.exe",
        "C:\\Windows\\System32\\bin\\gldriverquery64.exe",
        "C:\\Windows\\System32\\bin\\gldriverquery.exe",
        "C:\\Program Files (x86)",
        "C:\\Program Files (x86)\\desktop.ini",
        "C:\\Program Files (x86)\\Steam",
        "C:\\program files (x86)\\Steam\\steamsysinfo.exe",
        "C:\\program files (x86)\\SystemResources\\steamsysinfo.exe.mun",
        "C:\\Windows\\System32\\en-US\\SearchIndexer.exe.mui",
        "C:\\Windows\\System32\\en-US\\taskhostw.exe.mui",
        "C:\\Windows\\System32\\apphelp.dll",
        "C:\\Windows\\System32\\windows.staterepositorycore.dll",
        "C:\\Windows\\SystemApps\\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\\resources.pri",
        "C:\\Windows\\SystemApps\\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\\pris\\resources*.pri",
        "C:\\Windows\\System32\\languageoverlayutil.dll",
        "C:\\Windows\\rescache\\_merged\\24768367\\3374421605.pri",
        "C:\\Windows\\SystemApps\\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\\pris\\resources.en-US.pri",
        "C:\\Windows\\System32\\BCP47mrm.dll",
        "C:\\Windows\\System32\\iertutil.dll",
        "C:\\Windows\\system32",
        "C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.3745_none_7ded3f327ca60a41\\en-US\\TiWorker.exe.mui",
        "C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.3745_none_7ded3f327ca60a41\\en\\TiWorker.exe.mui",
        "C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.3745_none_7ded3f327ca60a41\\TiWorker.exe",
        "C:\\Windows\\SystemApps\\Microsoft.Windows.Search_cw5n1h2txyewy\\resources.pri",
        "C:\\Windows\\SystemApps\\Microsoft.Windows.Search_cw5n1h2txyewy\\pris\\resources*.pri",
        "C:\\Windows\\rescache\\_merged\\4225414570\\2601266601.pri",
        "C:\\Windows\\SystemApps\\Microsoft.Windows.Search_cw5n1h2txyewy\\pris\\resources.en-US.pri",
        "C:\\Windows\\System32\\en-US\\notepad.exe.mui",
        "C:\\Windows\\SystemApps\\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\\resources.pri",
        "C:\\ProgramData\\Microsoft\\User Account Pictures\\user.png",
        "C:\\Windows\\System32\\ntoskrnl.exe",
        "C:\\Windows\\SystemResources\\ntoskrnl.exe.mun",
        "C:\\Windows\\System32\\csrss.exe",
        "C:\\Windows\\SystemResources\\csrss.exe.mun",
        "C:\\Windows\\System32\\fontdrvhost.exe",
        "C:\\Windows\\SystemResources\\fontdrvhost.exe.mun",
        "C:\\Windows\\System32\\sihost.exe",
        "C:\\Windows\\SystemResources\\sihost.exe.mun",
        "C:\\Windows\\System32\\taskhostw.exe",
        "C:\\Windows\\SystemResources\\taskhostw.exe.mun",
        "C:\\Windows\\SystemApps\\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\\Assets\\smalllogo.scale-100.png",
        "C:\\Windows\\WinSxS\\SystemResources\\tiworker.exe.mun",
        "C:\\Windows\\SystemApps\\Microsoft.Windows.Search_cw5n1h2txyewy\\Assets\\Icons\\AppListIcon.scale-100.png",
        "C:\\Windows\\System32\\runtimebroker.exe",
        "C:\\Windows\\SystemResources\\runtimebroker.exe.mun",
        "C:\\Windows\\System32\\applicationframehost.exe",
        "C:\\Windows\\SystemResources\\applicationframehost.exe.mun",
        "C:\\Windows\\SystemApps\\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\\Assets\\SquareLogo44x44.scale-100.png",
        "C:\\Windows\\System32\\net1.exe",
        "C:\\Windows\\SystemResources\\net1.exe.mun",
        "C:\\Windows\\System32\\RuntimeBroker.exe",
        "C:\\Windows\\System32\\IPHLPAPI.DLL",
        "\\Device\\DeviceApi\\Dev\\Query",
        "\\??\\SCSI#Disk&Ven_SAMSUNG&Prod_MZ76E120#4&35424867&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}",
        "\\??\\Volume{528c102f-0000-0000-0000-100000000000}",
        "\\??\\Volume{528c102f-0000-0000-0000-c0dd0e000000}",
        "\\??\\Volume{e32a94c0-5af2-11f1-ae2c-806e6f6e6963}",
        "C:\\Windows\\System32\\winnsi.dll",
        "\\??\\Nsi",
        "\\Device\\DeviceApi\\CMNotify",
        "C:\\Windows\\System32\\dxilconv.dll",
        "C:\\Windows\\System32\\D3DSCache.dll",
        "C:\\Users\\admin\\AppData\\Local\\D3DSCache",
        "C:\\Users\\admin\\AppData\\Local\\D3DSCache\\e8010882af4f153f\\",
        "C:\\Users\\admin\\AppData\\Local\\D3DSCache\\e8010882af4f153f\\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.lock",
        "C:\\Users\\admin\\AppData\\Local\\D3DSCache\\e8010882af4f153f\\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.idx",
        "C:\\Users\\admin\\AppData\\Local\\D3DSCache\\e8010882af4f153f\\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.val",
        "\\Device\\{4C572733-2FBA-4346-9601-F86DBA666EF2}",
        "C:\\Windows\\System32\\wkscli.dll",
        "\\??\\PIPE\\wkssvc",
        "C:\\Windows\\System32\\smss.exe",
        "C:\\Windows\\SystemResources\\smss.exe.mun",
        "C:\\Windows\\System32\\en-US\\smss.exe.mui",
        "C:\\Windows\\System32\\wininit.exe",
        "C:\\Windows\\SystemResources\\wininit.exe.mun",
        "C:\\Windows\\System32\\en-US\\wininit.exe.mui",
        "C:\\Windows\\System32\\services.exe",
        "C:\\Windows\\SystemResources\\services.exe.mun",
        "C:\\Windows\\System32\\en-US\\services.exe.mui",
        "C:\\Windows\\System32\\lsass.exe",
        "C:\\Windows\\SystemResources\\lsass.exe.mun",
        "C:\\Windows\\System32\\dwm.exe",
        "C:\\Windows\\SystemResources\\dwm.exe.mun",
        "C:\\Windows\\System32\\en-US\\dwm.exe.mui",
        "C:\\Windows\\System32\\en-US\\ctfmon.exe.mui",
        "C:\\Windows\\en-US\\explorer.exe.mui",
        "C:\\Windows\\System32\\dllhost.exe",
        "C:\\Windows\\SystemResources\\dllhost.exe.mun",
        "C:\\Windows\\servicing\\trustedinstaller.exe",
        "C:\\Windows\\SystemResources\\trustedinstaller.exe.mun",
        "C:\\Windows\\servicing\\en-US\\TrustedInstaller.exe.mui",
        "C:\\Windows\\System32\\mousocoreworker.exe",
        "C:\\Windows\\SystemResources\\mousocoreworker.exe.mun",
        "C:\\Windows\\System32\\en-US\\MoUsoCoreWorker.exe.mui",
        "C:\\Windows\\System32\\en\\MoUsoCoreWorker.exe.mui",
        "C:\\Windows\\System32\\MoUsoCoreWorker.exe",
        "C:\\Windows\\System32\\smartscreen.exe",
        "C:\\Windows\\SystemResources\\smartscreen.exe.mun",
        "C:\\Windows\\System32\\en-US\\smartscreen.exe.mui",
        "C:\\Windows\\System32\\securityhealthservice.exe",
        "C:\\Windows\\SystemResources\\securityhealthservice.exe.mun",
        "C:\\Windows\\System32\\en-US\\conhost.exe.mui",
        "C:\\Program Files\\WindowsApps\\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\\microsoft.system.package.metadata\\S-1-5-21-3968686040-3210279463-847977608-1001-MergedResources-0.pri",
        "C:\\Program Files\\WindowsApps\\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\\resources.pri",
        "C:\\Program Files\\WindowsApps\\Microsoft.WindowsStore_11910.1002.5.0_neutral_split.scale-100_8wekyb3d8bbwe\\resources.pri",
        "C:\\Program Files\\WindowsApps\\Microsoft.WindowsStore_11910.1002.5.0_neutral_split.scale-100_8wekyb3d8bbwe\\Assets\\AppTiles\\StoreAppList.scale-100.png",
        "C:\\Windows\\System32\\net.exe",
        "C:\\Windows\\SystemResources\\net.exe.mun",
        "C:\\Windows\\System32\\chartv.dll",
        "C:\\_a4sjgfa\\bin\\pplinject64.exe",
        "C:\\_a4sjgfa",
        "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe",
        "C:\\program files (x86)\\microsoft\\Edge\\application\\148.0.3967.83\\identity_helper.exe",
        "C:\\program files (x86)\\microsoft\\Edge\\application\\SystemResources\\identity_helper.exe.mun",
        "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\resources.pri",
        "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\SmallLogo.png",
        "C:\\program files (x86)\\microsoft\\edgeupdate\\microsoftedgeupdate.exe",
        "C:\\program files (x86)\\microsoft\\SystemResources\\microsoftedgeupdate.exe.mun",
        "C:\\Windows\\System32\\ggsgulid.exe",
        "C:\\Windows\\System\\ggsgulid.exe",
        "C:\\Windows\\ggsgulid.exe",
        "C:\\Windows\\System32\\wbem\\ggsgulid.exe",
        "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\ggsgulid.exe",
        "C:\\Windows\\System32\\OpenSSH\\ggsgulid.exe",
        "C:\\Users\\admin\\AppData\\Local\\Microsoft\\WindowsApps\\ggsgulid.exe",
        "C:\\Users\\admin\\Desktop",
        "C:\\Users\\admin\\Desktop\\GGsGuLID.exe",
        "C:\\Users\\Public\\Desktop",
        "C:\\Users\\Public\\Desktop\\GGsGuLID.exe",
        "C:\\_a4sjgfa\\bin\\GGsGuLID.exe",
        "C:\\Windows\\System32\\usp10.dll",
        "\\??\\pipe\\crashpad_9188_ZJBFJUVMSIRHHEHU",
        "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\148.0.3967.83\\148.0.3967.83\\msedge.dll",
        "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\148.0.3967.83\\msedge.dll",
        "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\148.0.3967.83\\icudtl.dat",
        "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\148.0.3967.83\\v8_context_snapshot.bin",
        "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\148.0.3967.83\\msedge_100_percent.pak",
        "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\148.0.3967.83\\msedge_200_percent.pak",
        "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\148.0.3967.83\\Locales",
        "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\148.0.3967.83\\Locales\\en-US.pak",
        "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\148.0.3967.83\\resources.pak",
        "C:\\Windows\\System32\\kernel.appcore.dll",
        "C:\\Windows\\System32\\usermgrcli.dll",
        "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msvcp110_win.dll",
        "C:\\Windows\\System32\\capauthz.dll",
        "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\MSASN1.dll",
        "C:\\Windows\\System32\\msasn1.dll",
        "C:\\ProgramData\\Microsoft\\Windows\\AppRepository\\Packages\\Microsoft.MicrosoftEdge.Stable_148.0.3967.83_neutral__8wekyb3d8bbwe\\S-1-5-21-3968686040-3210279463-847977608-1001.pckgdep",
        "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\Wldp.dll",
        "C:\\Users\\admin\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge.Stable_8wekyb3d8bbwe",
        "C:\\Users\\admin\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge.Stable_8wekyb3d8bbwe\\",
        "C:\\Users\\admin\\AppData\\Local\\Packages",
        "C:\\Users\\admin\\AppData\\Local\\Packages\\",
        "C:\\Users\\admin\\AppData\\Local\\",
        "C:\\Users\\admin\\AppData\\",
        "C:\\Users\\admin\\",
        "C:\\Users\\",
        "\\Device\\DeviceApi\\CMApi",
        "C:\\Users\\admin\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge.Stable_8wekyb3d8bbwe\\LocalState\\ToastCollectionIcons\\*",
        "C:\\Windows\\System32\\en-US\\KERNELBASE.dll.mui",
        "C:\\Windows\\SystemResources\\USER32.dll.mun",
        "C:\\Windows\\System32\\en-US\\USER32.dll.mui",
        "C:\\Windows\\System32\\rpcss.dll",
        "\\??\\pipe\\PIPE_EVENTROOT\\CIMV2PROVIDERSUBSYSTEM",
        "C:\\Windows\\System32\\wmiclnt.dll",
        "\\??\\WMIDataDevice"
      ],
      "read_files": [],
      "write_files": [
        "C:\\Users\\admin\\AppData\\Local\\Microsoft\\Windows\\Explorer\\iconcache_idx.db",
        "C:\\Users\\admin\\AppData\\Local\\Microsoft\\Windows\\Explorer\\iconcache_16.db",
        "C:\\Users\\admin\\AppData\\Local\\D3DSCache",
        "C:\\Users\\admin\\AppData\\Local\\D3DSCache\\e8010882af4f153f\\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.lock",
        "C:\\Users\\admin\\AppData\\Local\\D3DSCache\\e8010882af4f153f\\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.idx",
        "C:\\Users\\admin\\AppData\\Local\\D3DSCache\\e8010882af4f153f\\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.val",
        "\\Device\\{4C572733-2FBA-4346-9601-F86DBA666EF2}",
        "\\??\\PIPE\\wkssvc",
        "\\??\\pipe\\crashpad_9188_ZJBFJUVMSIRHHEHU",
        "\\??\\pipe\\PIPE_EVENTROOT\\CIMV2PROVIDERSUBSYSTEM",
        "\\??\\WMIDataDevice"
      ],
      "delete_files": [],
      "keys": [
        "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\SideBySide",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\SideBySide\\PreferExternalManifest",
        "HKEY_CURRENT_USER",
        "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\TaskManager",
        "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\TaskManager\\StartUpTab",
        "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\TaskManager",
        "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System",
        "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\DirectUI\\DynamicScaling",
        "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\DirectUI",
        "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Lsa\\FipsAlgorithmPolicy",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\FipsAlgorithmPolicy\\STE",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\FipsAlgorithmPolicy\\Enabled",
        "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Lsa",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\FipsAlgorithmPolicy",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\FipsAlgorithmPolicy\\MDMEnabled",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Policies\\Microsoft\\Cryptography\\Configuration",
        "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Nls\\CustomLocale",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\en-AU",
        "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Nls\\ExtendedLocale",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\ExtendedLocale\\en-AU",
        "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\en-US",
        "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\TaskManager\\Preferences",
        "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\TaskManager\\UseStatusSetting",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\en-US",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\ExtendedLocale\\en-US",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Session Manager",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Session Manager\\ResourcePolicies",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontLink\\SystemLink",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\DataStore_V1.0",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\DataStore_V1.0\\Disable",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\DataStore_V1.0\\DataFilePath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Plane1",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Plane2",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Plane3",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Plane4",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Plane5",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Plane6",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Plane7",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Plane8",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Plane9",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Plane10",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Plane11",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Plane12",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Plane13",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Plane14",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Plane15",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Plane16",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Segoe UI",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\Compatibility\\taskmgr.exe",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\OOBE",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\OOBE\\LaunchUserOOBE",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\Sorting\\Versions\\000603xx",
        "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Nls\\Sorting\\Ids",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\Compatibility\\AppCompatClassName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\EnableAnchorContext",
        "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\IsVailContainer",
        "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Input",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Input\\ResyncResetTime",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Input\\MaxResyncAttempts",
        "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\QfePolicyDefinitions\\{A48F1A32-A340-11D1-BC6B-00A0C90312E1}\\{572FD217-F7FF-479C-8D96-BC938D6867F5}",
        "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\PolicyManager\\default\\WindowsLogon\\HideFastUserSwitching",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\WindowsLogon\\HideFastUserSwitching\\PolicyType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\WindowsLogon\\HideFastUserSwitching\\Behavior",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\WindowsLogon\\HideFastUserSwitching\\MergeAlgorithm",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\WindowsLogon\\HideFastUserSwitching\\RegKeyPathRedirectMapped",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\WindowsLogon\\HideFastUserSwitching\\RegKeyPathRedirect",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\WindowsLogon\\HideFastUserSwitching\\RegValueNameRedirect",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\WindowsLogon\\HideFastUserSwitching\\grouppolicyname",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\WindowsLogon\\HideFastUserSwitching\\ADMXMetadataUser",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\WindowsLogon\\HideFastUserSwitching\\ADMXMetadataDevice",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\WindowsLogon\\HideFastUserSwitching\\ADMXMetadataBoth",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\WindowsLogon\\HideFastUserSwitching\\30Value",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\WindowsLogon\\HideFastUserSwitching\\Value",
        "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\HideFastUserSwitching",
        "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\WindowsRuntime",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Networking.UX.UXManager",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Networking.UX.UXManager\\ActivationType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Networking.UX.UXManager\\Server",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Networking.UX.UXManager\\DllPath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Networking.UX.UXManager\\Threading",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Networking.UX.UXManager\\TrustLevel",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Networking.UX.UXManager\\CustomAttributes",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Networking.UX.UXManager\\RemoteServer",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Networking.UX.UXManager\\ActivateAsUser",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Networking.UX.UXManager\\ActivateInSharedBroker",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Networking.UX.UXManager\\ActivateInBrokerForMediumILContainer",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Networking.UX.UXManager\\Permissions",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Networking.UX.UXManager\\ActivateOnHostFlags",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\OLE\\Diagnosis",
        "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\OLE",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Ole\\MaxSxSHashCount",
        "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\SecurityManager\\AdminCapabilities",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SecurityManager\\AdminCapabilities\\shellExperience",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\NetworkUXManager",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\NetworkUxManager\\Windows.Networking.UX.Internal.DAMediaManager",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\NetworkUxManager\\Windows.Networking.UX.Internal.DAMediaManager\\Active",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\NetworkUxManager\\Windows.Networking.UX.Internal.DAMediaManager\\MediaType",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\NetworkUxManager\\Windows.Networking.UX.Internal.EthernetMediaManager",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\NetworkUxManager\\Windows.Networking.UX.Internal.EthernetMediaManager\\Active",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\NetworkUxManager\\Windows.Networking.UX.Internal.EthernetMediaManager\\MediaType",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\NetworkUxManager\\Windows.Networking.UX.Internal.MBMediaManager",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\NetworkUxManager\\Windows.Networking.UX.Internal.MBMediaManager\\Active",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\NetworkUxManager\\Windows.Networking.UX.Internal.MBMediaManager\\MediaType",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\NetworkUxManager\\Windows.Networking.UX.Internal.RasMediaManager",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\NetworkUxManager\\Windows.Networking.UX.Internal.RasMediaManager\\Active",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\NetworkUxManager\\Windows.Networking.UX.Internal.RasMediaManager\\MediaType",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\NetworkUxManager\\Windows.Networking.UX.Internal.WlanMediaManager",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\NetworkUxManager\\Windows.Networking.UX.Internal.WlanMediaManager\\Active",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\NetworkUxManager\\Windows.Networking.UX.Internal.WlanMediaManager\\MediaType",
        "HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\Explorer",
        "HKEY_CURRENT_USER\\Software\\Policies\\Microsoft\\Windows\\Explorer",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\Sorting\\Ids\\en-AU",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\Sorting\\Ids\\en",
        "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Themes\\Personalize",
        "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Themes\\Personalize\\AppsUseLightTheme",
        "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes\\Segoe UI",
        "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\\Name",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\\ParentFolder",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\\Description",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\\RelativePath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\\ParsingName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\\InfoTip",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\\LocalizedName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\\Icon",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\\Security",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\\StreamResourceType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\\LocalRedirectOnly",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\\Roamable",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\\PreCreate",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\\Stream",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\\PublishExpandedPath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\\DefinitionFlags",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\\Attributes",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\\FolderTypeID",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\\InitFolderHandler",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\\PropertyBag",
        "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\ProgramFilesDir (x86)",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{6D809377-6AF0-444B-8957-A3773F02200E}",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{6D809377-6AF0-444b-8957-A3773F02200E}\\Category",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{6D809377-6AF0-444b-8957-A3773F02200E}\\Name",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{6D809377-6AF0-444b-8957-A3773F02200E}\\ParentFolder",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{6D809377-6AF0-444b-8957-A3773F02200E}\\Description",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{6D809377-6AF0-444b-8957-A3773F02200E}\\RelativePath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{6D809377-6AF0-444b-8957-A3773F02200E}\\ParsingName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{6D809377-6AF0-444b-8957-A3773F02200E}\\InfoTip",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{6D809377-6AF0-444b-8957-A3773F02200E}\\LocalizedName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{6D809377-6AF0-444b-8957-A3773F02200E}\\Icon",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{6D809377-6AF0-444b-8957-A3773F02200E}\\Security",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{6D809377-6AF0-444b-8957-A3773F02200E}\\StreamResource",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{6D809377-6AF0-444b-8957-A3773F02200E}\\StreamResourceType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{6D809377-6AF0-444b-8957-A3773F02200E}\\LocalRedirectOnly",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{6D809377-6AF0-444b-8957-A3773F02200E}\\Roamable",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{6D809377-6AF0-444b-8957-A3773F02200E}\\PreCreate",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{6D809377-6AF0-444b-8957-A3773F02200E}\\Stream",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{6D809377-6AF0-444b-8957-A3773F02200E}\\PublishExpandedPath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{6D809377-6AF0-444b-8957-A3773F02200E}\\DefinitionFlags",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{6D809377-6AF0-444b-8957-A3773F02200E}\\Attributes",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{6D809377-6AF0-444b-8957-A3773F02200E}\\FolderTypeID",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{6D809377-6AF0-444b-8957-A3773F02200E}\\InitFolderHandler",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{6D809377-6AF0-444b-8957-A3773F02200E}\\PropertyBag",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\ProgramFilesDir",
        "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\EnableBalloonTips",
        "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\ListviewAlphaSelect",
        "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\ListviewShadow",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\\Category",
        "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\\ParentFolder",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\\Description",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\\RelativePath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\\ParsingName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\\InfoTip",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\\LocalizedName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\\Icon",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\\Security",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\\StreamResource",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\\StreamResourceType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\\LocalRedirectOnly",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\\Roamable",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\\PreCreate",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\\Stream",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\\PublishExpandedPath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\\DefinitionFlags",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\\Attributes",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\\FolderTypeID",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\\InitFolderHandler",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\\PropertyBag",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{26460E96-1D01-43E4-9FB8-B7ED958F362B}\\ProxyStubClsid32",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{26460E96-1D01-43E4-9FB8-B7ED958F362B}\\ProxyStubClsid32\\(Default)",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\\Category",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\\Name",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\\ParentFolder",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\\Description",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\\RelativePath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\\ParsingName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\\InfoTip",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\\LocalizedName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\\Icon",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\\Security",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\\StreamResource",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\\StreamResourceType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\\LocalRedirectOnly",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\\Roamable",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\\PreCreate",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\\Stream",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\\PublishExpandedPath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\\Attributes",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\\FolderTypeID",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\\InitFolderHandler",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\\PropertyBag",
        "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\AccountPicture\\Users",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{905E63B6-C1BF-494E-B29C-65B732D3D21A}",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{905e63b6-c1bf-494e-b29c-65b732d3d21a}\\Category",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{905e63b6-c1bf-494e-b29c-65b732d3d21a}\\Name",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{905e63b6-c1bf-494e-b29c-65b732d3d21a}\\ParentFolder",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{905e63b6-c1bf-494e-b29c-65b732d3d21a}\\Description",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{905e63b6-c1bf-494e-b29c-65b732d3d21a}\\RelativePath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{905e63b6-c1bf-494e-b29c-65b732d3d21a}\\ParsingName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{905e63b6-c1bf-494e-b29c-65b732d3d21a}\\InfoTip",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{905e63b6-c1bf-494e-b29c-65b732d3d21a}\\LocalizedName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{905e63b6-c1bf-494e-b29c-65b732d3d21a}\\Icon",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{905e63b6-c1bf-494e-b29c-65b732d3d21a}\\Security",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{905e63b6-c1bf-494e-b29c-65b732d3d21a}\\StreamResource",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{905e63b6-c1bf-494e-b29c-65b732d3d21a}\\StreamResourceType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{905e63b6-c1bf-494e-b29c-65b732d3d21a}\\LocalRedirectOnly",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{905e63b6-c1bf-494e-b29c-65b732d3d21a}\\Roamable",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{905e63b6-c1bf-494e-b29c-65b732d3d21a}\\PreCreate",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{905e63b6-c1bf-494e-b29c-65b732d3d21a}\\Stream",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{905e63b6-c1bf-494e-b29c-65b732d3d21a}\\PublishExpandedPath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{905e63b6-c1bf-494e-b29c-65b732d3d21a}\\DefinitionFlags",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{905e63b6-c1bf-494e-b29c-65b732d3d21a}\\Attributes",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{905e63b6-c1bf-494e-b29c-65b732d3d21a}\\FolderTypeID",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{905e63b6-c1bf-494e-b29c-65b732d3d21a}\\InitFolderHandler",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{905e63b6-c1bf-494e-b29c-65b732d3d21a}\\PropertyBag",
        "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\KnownFolderSettings",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{5FDD51E2-A9D0-44CE-8C8D-162BA0C591A0}\\InProcServer32",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{5FDD51E2-A9D0-44CE-8C8D-162BA0C591A0}\\InprocServer32\\(Default)",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{5FDD51E2-A9D0-44CE-8C8D-162BA0C591A0}\\Patterns\\7\\Pattern",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{5FDD51E2-A9D0-44CE-8C8D-162BA0C591A0}\\Patterns\\8",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{5FDD51E2-A9D0-44CE-8C8D-162BA0C591A0}\\Patterns\\8\\Pattern",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{5FDD51E2-A9D0-44CE-8C8D-162BA0C591A0}\\Patterns\\0\\Position",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{5FDD51E2-A9D0-44CE-8C8D-162BA0C591A0}\\Patterns\\0\\EndOfStream",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{5FDD51E2-A9D0-44CE-8C8D-162BA0C591A0}\\Patterns\\0\\Mask",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{5FDD51E2-A9D0-44CE-8C8D-162BA0C591A0}\\Patterns\\1\\Position",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{5FDD51E2-A9D0-44CE-8C8D-162BA0C591A0}\\Patterns\\1\\Mask",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{5FDD51E2-A9D0-44CE-8C8D-162BA0C591A0}\\Patterns\\10\\Position",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{5FDD51E2-A9D0-44CE-8C8D-162BA0C591A0}\\Patterns\\10\\EndOfStream",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{5FDD51E2-A9D0-44CE-8C8D-162BA0C591A0}\\Patterns\\10\\Pattern",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{5FDD51E2-A9D0-44CE-8C8D-162BA0C591A0}\\Patterns\\10\\Mask",
        "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\StartupApproved",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\StartupApproved\\Run",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\StartupApproved\\Run32",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{5FDD51E2-A9D0-44CE-8C8D-162BA0C591A0}\\Patterns\\11",
        "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\StartupApproved\\Run",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{5FDD51E2-A9D0-44CE-8C8D-162BA0C591A0}\\Patterns\\11\\Position",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\StartupApproved\\StartupFolder",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{5FDD51E2-A9D0-44CE-8C8D-162BA0C591A0}\\Patterns\\12",
        "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\StartupApproved",
        "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\StartupApproved\\StartupFolder",
        "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{5FDD51E2-A9D0-44CE-8C8D-162BA0C591A0}\\Patterns\\12",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{5FDD51E2-A9D0-44CE-8C8D-162BA0C591A0}\\Patterns\\12\\Position",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{5FDD51E2-A9D0-44CE-8C8D-162BA0C591A0}\\Patterns\\12\\EndOfStream",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{5FDD51E2-A9D0-44CE-8C8D-162BA0C591A0}\\Patterns\\12\\Pattern",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{5FDD51E2-A9D0-44CE-8C8D-162BA0C591A0}\\Patterns\\12\\Mask",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B97D20BB-F46A-4C97-BA10-5E3608430854}\\Category",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B97D20BB-F46A-4C97-BA10-5E3608430854}\\Name",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B97D20BB-F46A-4C97-BA10-5E3608430854}\\ParentFolder",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B97D20BB-F46A-4C97-BA10-5E3608430854}\\Description",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B97D20BB-F46A-4C97-BA10-5E3608430854}\\RelativePath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B97D20BB-F46A-4C97-BA10-5E3608430854}\\ParsingName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B97D20BB-F46A-4C97-BA10-5E3608430854}\\InfoTip",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{5FDD51E2-A9D0-44CE-8C8D-162BA0C591A0}\\Patterns\\2\\Position",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B97D20BB-F46A-4C97-BA10-5E3608430854}\\LocalizedName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{5FDD51E2-A9D0-44CE-8C8D-162BA0C591A0}\\Patterns\\2\\EndOfStream",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B97D20BB-F46A-4C97-BA10-5E3608430854}\\StreamResource",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B97D20BB-F46A-4C97-BA10-5E3608430854}\\StreamResourceType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B97D20BB-F46A-4C97-BA10-5E3608430854}\\LocalRedirectOnly",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B97D20BB-F46A-4C97-BA10-5E3608430854}\\Roamable",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{5FDD51E2-A9D0-44CE-8C8D-162BA0C591A0}\\Patterns\\2\\Mask",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B97D20BB-F46A-4C97-BA10-5E3608430854}\\PreCreate",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B97D20BB-F46A-4C97-BA10-5E3608430854}\\Stream",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B97D20BB-F46A-4C97-BA10-5E3608430854}\\PublishExpandedPath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B97D20BB-F46A-4C97-BA10-5E3608430854}\\DefinitionFlags",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B97D20BB-F46A-4C97-BA10-5E3608430854}\\Attributes",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B97D20BB-F46A-4C97-BA10-5E3608430854}\\FolderTypeID",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B97D20BB-F46A-4C97-BA10-5E3608430854}\\InitFolderHandler",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B97D20BB-F46A-4C97-BA10-5E3608430854}\\PropertyBag",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{5FDD51E2-A9D0-44CE-8C8D-162BA0C591A0}\\Patterns\\3\\Mask",
        "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer",
        "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\SessionInfo\\1",
        "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\SessionInfo\\1\\KnownFolders",
        "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{5FDD51E2-A9D0-44CE-8C8D-162BA0C591A0}\\Patterns\\4\\Position",
        "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders\\Startup",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{5FDD51E2-A9D0-44CE-8C8D-162BA0C591A0}\\Patterns\\4\\Mask",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{5FDD51E2-A9D0-44CE-8C8D-162BA0C591A0}\\Patterns\\5\\Mask",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{82A5EA35-D9CD-47C5-9629-E15D2F714E6E}",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{5FDD51E2-A9D0-44CE-8C8D-162BA0C591A0}\\Patterns\\6",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{82A5EA35-D9CD-47C5-9629-E15D2F714E6E}\\Name",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{5FDD51E2-A9D0-44CE-8C8D-162BA0C591A0}\\Patterns\\6\\Position",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{82A5EA35-D9CD-47C5-9629-E15D2F714E6E}\\ParentFolder",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{5FDD51E2-A9D0-44CE-8C8D-162BA0C591A0}\\Patterns\\6\\EndOfStream",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{82A5EA35-D9CD-47C5-9629-E15D2F714E6E}\\RelativePath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{82A5EA35-D9CD-47C5-9629-E15D2F714E6E}\\ParsingName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{82A5EA35-D9CD-47C5-9629-E15D2F714E6E}\\InfoTip",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{82A5EA35-D9CD-47C5-9629-E15D2F714E6E}\\LocalizedName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{82A5EA35-D9CD-47C5-9629-E15D2F714E6E}\\Icon",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{82A5EA35-D9CD-47C5-9629-E15D2F714E6E}\\Security",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{82A5EA35-D9CD-47C5-9629-E15D2F714E6E}\\Roamable",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{5FDD51E2-A9D0-44CE-8C8D-162BA0C591A0}\\Patterns\\7",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{82A5EA35-D9CD-47C5-9629-E15D2F714E6E}\\Stream",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{82A5EA35-D9CD-47C5-9629-E15D2F714E6E}\\PublishExpandedPath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{82A5EA35-D9CD-47C5-9629-E15D2F714E6E}\\DefinitionFlags",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{82A5EA35-D9CD-47C5-9629-E15D2F714E6E}\\Attributes",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{82A5EA35-D9CD-47C5-9629-E15D2F714E6E}\\FolderTypeID",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{5FDD51E2-A9D0-44CE-8C8D-162BA0C591A0}\\Patterns\\7\\Mask",
        "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders\\Common Startup",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{5FDD51E2-A9D0-44CE-8C8D-162BA0C591A0}\\Patterns\\8\\Position",
        "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Run",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\SecurityHealth",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{5FDD51E2-A9D0-44CE-8C8D-162BA0C591A0}\\Patterns\\9\\Pattern",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{5FDD51E2-A9D0-44CE-8C8D-162BA0C591A0}\\Patterns\\9\\Mask",
        "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\en",
        "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Max Cached Icons",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F1B32785-6FBA-4FCF-9D55-7B8E7F157091}",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F1B32785-6FBA-4FCF-9D55-7B8E7F157091}\\Category",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F1B32785-6FBA-4FCF-9D55-7B8E7F157091}\\Name",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F1B32785-6FBA-4FCF-9D55-7B8E7F157091}\\ParentFolder",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F1B32785-6FBA-4FCF-9D55-7B8E7F157091}\\Description",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F1B32785-6FBA-4FCF-9D55-7B8E7F157091}\\RelativePath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F1B32785-6FBA-4FCF-9D55-7B8E7F157091}\\ParsingName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F1B32785-6FBA-4FCF-9D55-7B8E7F157091}\\InfoTip",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F1B32785-6FBA-4FCF-9D55-7B8E7F157091}\\LocalizedName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F1B32785-6FBA-4FCF-9D55-7B8E7F157091}\\Security",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F1B32785-6FBA-4FCF-9D55-7B8E7F157091}\\StreamResource",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F1B32785-6FBA-4FCF-9D55-7B8E7F157091}\\StreamResourceType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F1B32785-6FBA-4FCF-9D55-7B8E7F157091}\\LocalRedirectOnly",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F1B32785-6FBA-4FCF-9D55-7B8E7F157091}\\Roamable",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F1B32785-6FBA-4FCF-9D55-7B8E7F157091}\\PreCreate",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F1B32785-6FBA-4FCF-9D55-7B8E7F157091}\\Stream",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F1B32785-6FBA-4FCF-9D55-7B8E7F157091}\\PublishExpandedPath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F1B32785-6FBA-4FCF-9D55-7B8E7F157091}\\DefinitionFlags",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F1B32785-6FBA-4FCF-9D55-7B8E7F157091}\\Attributes",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F1B32785-6FBA-4FCF-9D55-7B8E7F157091}\\FolderTypeID",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F1B32785-6FBA-4FCF-9D55-7B8E7F157091}\\InitFolderHandler",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F1B32785-6FBA-4FCF-9D55-7B8E7F157091}\\PropertyBag",
        "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders\\Local AppData",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{5E6C858F-0E22-4760-9AFE-EA3317B67173}",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\\Category",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\\Name",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\\ParentFolder",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\\Description",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\\RelativePath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\\ParsingName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\\InfoTip",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\\LocalizedName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\\Icon",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\\Security",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\\StreamResource",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\\StreamResourceType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\\LocalRedirectOnly",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\\Roamable",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\\PreCreate",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\\Stream",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\\PublishExpandedPath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\\DefinitionFlags",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\\Attributes",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\\FolderTypeID",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\\InitFolderHandler",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\\PropertyBag",
        "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList\\S-1-5-21-3968686040-3210279463-847977608-1001",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList\\S-1-5-21-3968686040-3210279463-847977608-1001\\ProfileImagePath",
        "HKEY_CLASSES_ROOT\\Interface\\{618736E0-3C3D-11CF-810C-00AA00389B71}\\ProxyStubClsid32",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{618736E0-3C3D-11CF-810C-00AA00389B71}\\ProxyStubClsid32\\(Default)",
        "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\AccListViewV6",
        "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\UseDoubleClickTimer",
        "HKEY_CURRENT_USER\\Software\\Classes\\Interface\\{D782CCBA-AFB0-43F1-94DB-FDA3779EACCB}",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{D782CCBA-AFB0-43F1-94DB-FDA3779EACCB}\\ProxyStubClsid32",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{D782CCBA-AFB0-43F1-94DB-FDA3779EACCB}\\ProxyStubClsid32\\(Default)",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Segoe MDL2 Assets",
        "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Icons",
        "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\UseDefaultTile",
        "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer",
        "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\AccountPicture\\Users\\S-1-5-21-3968686040-3210279463-847977608-1001",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Scaling",
        "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\GlobalAssocChangedCounter",
        "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\ThumbnailCache",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\CAPEAgent",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\StartupApproved\\Run\\CAPEAgent",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\NoPropertiesMyComputer",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\NoPropertiesRecycleBin",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\NoControlPanel",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\NoSetFolders",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\NoInternetIcon",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\ShellCompatibility\\Applications\\taskmgr.exe",
        "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Desktop\\NameSpace",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Desktop\\NameSpace\\ValidateRegItems",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Desktop\\NameSpace\\MonitorRegistry",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\NoCommonGroups",
        "HKEY_CLASSES_ROOT\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\Attributes",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\CallForAttributes",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\RestrictedAttributes",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\FolderValueFlags",
        "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder",
        "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder",
        "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\NonEnum",
        "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\NonEnum",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\NonEnum\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}",
        "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MyComputer\\NameSpace",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MyComputer\\NameSpace\\ValidateRegItems",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MyComputer\\NameSpace\\MonitorRegistry",
        "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume",
        "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{528c102f-0000-0000-0000-300300000000}\\",
        "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{528c102f-0000-0000-0000-300300000000}\\Data",
        "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{528c102f-0000-0000-0000-300300000000}\\Generation",
        "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{528c102f-0000-0000-0000-100000000000}\\",
        "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{528c102f-0000-0000-0000-100000000000}\\Data",
        "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{528c102f-0000-0000-0000-100000000000}\\Generation",
        "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{528c102f-0000-0000-0000-c0dd0e000000}\\",
        "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{528c102f-0000-0000-0000-c0dd0e000000}\\Data",
        "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{528c102f-0000-0000-0000-c0dd0e000000}\\Generation",
        "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{e32a94c0-5af2-11f1-ae2c-806e6f6e6963}\\",
        "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{e32a94c0-5af2-11f1-ae2c-806e6f6e6963}\\Data",
        "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{e32a94c0-5af2-11f1-ae2c-806e6f6e6963}\\Generation",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\DontShowSuperHidden",
        "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\",
        "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\ShellState",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\NoWebView",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\ClassicShell",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\SeparateProcess",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\NoNetCrawling",
        "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced",
        "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\Hidden",
        "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\ShowCompColor",
        "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\HideFileExt",
        "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\DontPrettyPath",
        "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\ShowInfoTip",
        "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\HideIcons",
        "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\MapNetDrvBtn",
        "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\WebView",
        "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\Filter",
        "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\ShowSuperHidden",
        "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\SeparateProcess",
        "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\NoNetCrawling",
        "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\AutoCheckSelect",
        "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\IconsOnly",
        "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\ShowTypeOverlay",
        "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\ShowStatusBar",
        "HKEY_CLASSES_ROOT\\Directory",
        "HKEY_CURRENT_USER\\Software\\Classes\\Directory\\ShellEx\\IconHandler",
        "HKEY_CLASSES_ROOT\\Folder",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Folder\\ShellEx\\IconHandler",
        "HKEY_CLASSES_ROOT\\AllFilesystemObjects",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\AllFilesystemObjects\\ShellEx\\IconHandler",
        "HKEY_CURRENT_USER\\Software\\Classes\\Directory\\DocObject",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Folder\\DocObject",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\AllFilesystemObjects\\DocObject",
        "HKEY_CURRENT_USER\\Software\\Classes\\Directory\\BrowseInPlace",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Folder\\BrowseInPlace",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\AllFilesystemObjects\\BrowseInPlace",
        "HKEY_CURRENT_USER\\Software\\Classes\\Directory\\Clsid",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Folder\\Clsid",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\AllFilesystemObjects\\Clsid",
        "HKEY_CURRENT_USER\\Software\\Classes\\Directory\\IsShortcut",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Folder\\IsShortcut",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\AllFilesystemObjects\\IsShortcut",
        "HKEY_CURRENT_USER\\Software\\Classes\\Directory\\AlwaysShowExt",
        "HKEY_CURRENT_USER\\Software\\Classes\\Directory\\NeverShowExt",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Folder\\NeverShowExt",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\AllFilesystemObjects\\NeverShowExt",
        "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\KindMap",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\KindMap\\.exe",
        "HKEY_CLASSES_ROOT\\.exe",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.exe\\Content Type",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\AllowFileCLSIDJunctions",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.exe\\(Default)",
        "HKEY_CLASSES_ROOT\\exefile",
        "HKEY_CURRENT_USER\\Software\\Classes\\exefile\\CurVer",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\exefile\\CurVer",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\exefile\\",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\exefile\\ShellEx\\IconHandler",
        "HKEY_CLASSES_ROOT\\SystemFileAssociations\\.exe",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\SystemFileAssociations\\.exe\\ShellEx\\IconHandler",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\exefile\\DocObject",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\SystemFileAssociations\\.exe\\DocObject",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\exefile\\BrowseInPlace",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\SystemFileAssociations\\.exe\\BrowseInPlace",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\exefile\\Clsid",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\SystemFileAssociations\\.exe\\Clsid",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\exefile\\IsShortcut",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\SystemFileAssociations\\.exe\\IsShortcut",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\exefile\\AlwaysShowExt",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\SystemFileAssociations\\.exe\\AlwaysShowExt",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\exefile\\NeverShowExt",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\SystemFileAssociations\\.exe\\NeverShowExt",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Session Manager\\SafeProcessSearchMode",
        "HKEY_CURRENT_USER\\Software\\Classes\\DelegateFolders",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Desktop\\NameSpace\\",
        "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Desktop\\NameSpace",
        "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Desktop\\NameSpace\\",
        "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Desktop\\NameSpace\\DelegateFolders",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Desktop\\NameSpace\\DelegateFolders\\",
        "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\SessionInfo\\1\\Desktop\\NameSpace",
        "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\SessionInfo\\1\\Desktop\\NameSpace\\DelegateFolders",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Desktop\\NameSpace\\DelegateFolders\\StorageDelegateSuppressionPolicy",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Desktop\\NameSpace\\DelegateFolders\\StorageDelegate",
        "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run",
        "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\OneDrive",
        "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\StartupApproved\\Run\\OneDrive",
        "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\Discord",
        "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\StartupApproved\\Run\\Discord",
        "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\Steam",
        "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\StartupApproved\\Run\\Steam",
        "HKEY_LOCAL_MACHINE\\Software\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Run",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.ApplicationModel.Internal.StartupTaskInternal",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.ApplicationModel.Internal.StartupTaskInternal\\ActivationType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.ApplicationModel.Internal.StartupTaskInternal\\Server",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.ApplicationModel.Internal.StartupTaskInternal\\DllPath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.ApplicationModel.Internal.StartupTaskInternal\\Threading",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.ApplicationModel.Internal.StartupTaskInternal\\TrustLevel",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.ApplicationModel.Internal.StartupTaskInternal\\CustomAttributes",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.ApplicationModel.Internal.StartupTaskInternal\\RemoteServer",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.ApplicationModel.Internal.StartupTaskInternal\\ActivateAsUser",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.ApplicationModel.Internal.StartupTaskInternal\\ActivateInSharedBroker",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.ApplicationModel.Internal.StartupTaskInternal\\ActivateInBrokerForMediumILContainer",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.ApplicationModel.Internal.StartupTaskInternal\\Permissions",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.ApplicationModel.Internal.StartupTaskInternal\\ActivateOnHostFlags",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SecurityManager\\AdminCapabilities\\automatedAppLaunch",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Foundation.Diagnostics.AsyncCausalityTracer",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Foundation.Diagnostics.AsyncCausalityTracer\\ActivationType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Foundation.Diagnostics.AsyncCausalityTracer\\Server",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Foundation.Diagnostics.AsyncCausalityTracer\\DllPath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Foundation.Diagnostics.AsyncCausalityTracer\\Threading",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Foundation.Diagnostics.AsyncCausalityTracer\\TrustLevel",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Foundation.Diagnostics.AsyncCausalityTracer\\CustomAttributes",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Foundation.Diagnostics.AsyncCausalityTracer\\RemoteServer",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Foundation.Diagnostics.AsyncCausalityTracer\\ActivateAsUser",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Foundation.Diagnostics.AsyncCausalityTracer\\ActivateInSharedBroker",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Foundation.Diagnostics.AsyncCausalityTracer\\ActivateInBrokerForMediumILContainer",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Foundation.Diagnostics.AsyncCausalityTracer\\Permissions",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Foundation.Diagnostics.AsyncCausalityTracer\\ActivateOnHostFlags",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.ApplicationExtension",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.ApplicationExtension\\ActivationType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.ApplicationExtension\\Server",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.ApplicationExtension\\DllPath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.ApplicationExtension\\Threading",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.ApplicationExtension\\TrustLevel",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.ApplicationExtension\\CustomAttributes",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.ApplicationExtension\\RemoteServer",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.ApplicationExtension\\ActivateAsUser",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.ApplicationExtension\\ActivateInSharedBroker",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.ApplicationExtension\\ActivateInBrokerForMediumILContainer",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.ApplicationExtension\\Permissions",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.ApplicationExtension\\ActivateOnHostFlags",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\Server",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\Server\\StateRepository",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\Server\\StateRepository\\ExePath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\Server\\StateRepository\\CommandLine",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\Server\\StateRepository\\IdentityType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\Server\\StateRepository\\Permissions",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\Server\\StateRepository\\ActivatableClasses",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\Server\\StateRepository\\ServerType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\Server\\StateRepository\\AppId",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\Server\\StateRepository\\Identity",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\Server\\StateRepository\\ServiceName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\Server\\StateRepository\\ExplicitPsmActivationType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\Server\\StateRepository\\CustomAttributes",
        "HKEY_CURRENT_USER\\Software\\Classes\\Interface\\{B94B62A2-4012-4B7E-A395-F21CC665FD12}",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{b94b62a2-4012-4b7e-a395-f21cc665fd12}\\ProxyStubClsid32",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{b94b62a2-4012-4b7e-a395-f21cc665fd12}\\ProxyStubClsid32\\(Default)",
        "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{C53E07EC-25F3-4093-AA39-FC67EA22E99D}",
        "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}\\TreatAs",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}\\TreatAs",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}\\ActivateOnHostFlags",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}\\(Default)",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}\\InprocServer32",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}\\InProcServer32\\InprocServer32",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}\\InProcServer32\\(Default)",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}\\InProcServer32\\ThreadingModel",
        "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}\\InprocHandler32",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}\\InprocHandler32",
        "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}\\InprocHandler",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}\\InprocHandler",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}\\LocalServer32",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}\\AppID",
        "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}\\LocalServer",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}\\LocalServer",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}\\Elevation",
        "HKEY_CURRENT_USER\\Software\\Classes\\Interface\\{AF86E2E0-B12D-4C6A-9C5A-D7AA65101E90}",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{AF86E2E0-B12D-4c6a-9C5A-D7AA65101E90}\\ProxyStubClsid32",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{AF86E2E0-B12D-4c6a-9C5A-D7AA65101E90}\\ProxyStubClsid32\\(Default)",
        "HKEY_CURRENT_USER\\Software\\Classes\\Interface\\{6CB10ED7-4BCA-5561-B2E1-40E1197C1B0C}",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{6cb10ed7-4bca-5561-b2e1-40e1197c1b0c}\\ProxyStubClsid32",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{6cb10ed7-4bca-5561-b2e1-40e1197c1b0c}\\ProxyStubClsid32\\(Default)",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.Package",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.Package\\ActivationType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.Package\\Server",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.Package\\DllPath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.Package\\Threading",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.Package\\TrustLevel",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.Package\\CustomAttributes",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.Package\\RemoteServer",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.Package\\ActivateAsUser",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.Package\\ActivateInSharedBroker",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.Package\\ActivateInBrokerForMediumILContainer",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.Package\\Permissions",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.Package\\ActivateOnHostFlags",
        "HKEY_CURRENT_USER\\Software\\Classes\\Interface\\{0450CE77-AF0D-40AC-93FD-1E5D48C89419}",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{0450ce77-af0d-40ac-93fd-1e5d48c89419}\\ProxyStubClsid32",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{0450ce77-af0d-40ac-93fd-1e5d48c89419}\\ProxyStubClsid32\\(Default)",
        "HKEY_CURRENT_USER\\",
        "HKEY_CURRENT_USER\\Control Panel\\International\\User Profile",
        "HKEY_CURRENT_USER\\Control Panel\\International\\User Profile\\Languages",
        "HKEY_CURRENT_USER\\Control Panel\\International\\Geo",
        "HKEY_CURRENT_USER\\Control Panel\\International\\Geo\\Nation",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1E87508D-89C2-42F0-8A7E-645A0F50CA58}",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1e87508d-89c2-42f0-8a7e-645a0f50ca58}\\Category",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1e87508d-89c2-42f0-8a7e-645a0f50ca58}\\Name",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1e87508d-89c2-42f0-8a7e-645a0f50ca58}\\ParentFolder",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1e87508d-89c2-42f0-8a7e-645a0f50ca58}\\Description",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1e87508d-89c2-42f0-8a7e-645a0f50ca58}\\RelativePath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1e87508d-89c2-42f0-8a7e-645a0f50ca58}\\ParsingName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1e87508d-89c2-42f0-8a7e-645a0f50ca58}\\InfoTip",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1e87508d-89c2-42f0-8a7e-645a0f50ca58}\\LocalizedName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1e87508d-89c2-42f0-8a7e-645a0f50ca58}\\Icon",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1e87508d-89c2-42f0-8a7e-645a0f50ca58}\\Security",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1e87508d-89c2-42f0-8a7e-645a0f50ca58}\\StreamResource",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1e87508d-89c2-42f0-8a7e-645a0f50ca58}\\StreamResourceType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1e87508d-89c2-42f0-8a7e-645a0f50ca58}\\LocalRedirectOnly",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1e87508d-89c2-42f0-8a7e-645a0f50ca58}\\Roamable",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1e87508d-89c2-42f0-8a7e-645a0f50ca58}\\PreCreate",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1e87508d-89c2-42f0-8a7e-645a0f50ca58}\\Stream",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1e87508d-89c2-42f0-8a7e-645a0f50ca58}\\PublishExpandedPath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1e87508d-89c2-42f0-8a7e-645a0f50ca58}\\DefinitionFlags",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1e87508d-89c2-42f0-8a7e-645a0f50ca58}\\Attributes",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1e87508d-89c2-42f0-8a7e-645a0f50ca58}\\FolderTypeID",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1e87508d-89c2-42f0-8a7e-645a0f50ca58}\\InitFolderHandler",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1e87508d-89c2-42f0-8a7e-645a0f50ca58}\\PropertyBag",
        "HKEY_CLASSES_ROOT\\CLSID\\{4234D49B-0245-4DF3-B780-3893943456E1}",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{4234d49b-0245-4df3-b780-3893943456e1}\\SortOrderIndex",
        "HKEY_CLASSES_ROOT\\CLSID\\{4234D49B-0245-4DF3-B780-3893943456E1}\\ShellFolder",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{4234d49b-0245-4df3-b780-3893943456e1}\\ShellFolder\\Attributes",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{4234d49b-0245-4df3-b780-3893943456e1}\\ShellFolder\\CallForAttributes",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{4234d49b-0245-4df3-b780-3893943456e1}\\ShellFolder\\RestrictedAttributes",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{4234d49b-0245-4df3-b780-3893943456e1}\\ShellFolder\\FolderValueFlags",
        "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\CLSID\\{4234D49B-0245-4DF3-B780-3893943456E1}\\ShellFolder",
        "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\CLSID\\{4234D49B-0245-4DF3-B780-3893943456E1}\\ShellFolder",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\NonEnum\\{4234D49B-0245-4DF3-B780-3893943456E1}",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\ShellCompatibility\\Objects\\{4234D49B-0245-4DF3-B780-3893943456E1}",
        "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Desktop\\NameSpace\\{4234D49B-0245-4DF3-B780-3893943456E1}",
        "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Desktop\\NameSpace\\{4234D49B-0245-4DF3-B780-3893943456E1}",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\PreXPSP2ShellProtocolBehavior",
        "HKEY_CLASSES_ROOT\\CLSID\\{4234D49B-0245-4DF3-B780-3893943456E1}\\Instance",
        "HKEY_LOCAL_MACHINE\\Software\\Classes\\CLSID\\{4234D49B-0245-4DF3-B780-3893943456E1}\\InProcServer32",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{4234d49b-0245-4df3-b780-3893943456e1}\\InProcServer32\\(Default)",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{4234d49b-0245-4df3-b780-3893943456e1}\\InProcServer32\\LoadWithoutCOM",
        "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Shell Extensions\\Blocked",
        "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Shell Extensions\\Blocked",
        "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\AppCompatFlags",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\AppCompatFlags\\LogFlags",
        "HKEY_LOCAL_MACHINE\\Software\\Classes\\CLSID\\{4234d49b-0245-4df3-b780-3893943456e1}\\InProcServer32",
        "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Shell Extensions\\Cached",
        "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Shell Extensions\\Cached\\{4234D49B-0245-4DF3-B780-3893943456E1} {000214E6-0000-0000-C000-000000000046} 0xFFFF",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.Tiles.TileStore",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.Tiles.TileStore\\ActivationType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.Tiles.TileStore\\Server",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.Tiles.TileStore\\DllPath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.Tiles.TileStore\\Threading",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.Tiles.TileStore\\TrustLevel",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.Tiles.TileStore\\CustomAttributes",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.Tiles.TileStore\\RemoteServer",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.Tiles.TileStore\\ActivateAsUser",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.Tiles.TileStore\\ActivateInSharedBroker",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.Tiles.TileStore\\ActivateInBrokerForMediumILContainer",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.Tiles.TileStore\\Permissions",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.Tiles.TileStore\\ActivateOnHostFlags",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.User",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.User\\ActivationType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.User\\Server",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.User\\DllPath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.User\\Threading",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.User\\TrustLevel",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.User\\CustomAttributes",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.User\\RemoteServer",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.User\\ActivateAsUser",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.User\\ActivateInSharedBroker",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.User\\ActivateInBrokerForMediumILContainer",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.User\\Permissions",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.User\\ActivateOnHostFlags",
        "HKEY_CURRENT_USER\\Software\\Classes\\Interface\\{84103CCB-2FD7-4D6C-962E-5D8582B4C720}",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{84103ccb-2fd7-4d6c-962e-5d8582b4c720}\\ProxyStubClsid32",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{84103ccb-2fd7-4d6c-962e-5d8582b4c720}\\ProxyStubClsid32\\(Default)",
        "HKEY_CURRENT_USER\\Software\\Classes\\Interface\\{5232F8EA-49C7-4840-BFBB-66E785689E88}",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{5232f8ea-49c7-4840-bfbb-66e785689e88}\\ProxyStubClsid32",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{5232f8ea-49c7-4840-bfbb-66e785689e88}\\ProxyStubClsid32\\(Default)",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.TileView",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.TileView\\ActivationType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.TileView\\Server",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.TileView\\DllPath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.TileView\\Threading",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.TileView\\TrustLevel",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.TileView\\CustomAttributes",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.TileView\\RemoteServer",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.TileView\\ActivateAsUser",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.TileView\\ActivateInSharedBroker",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.TileView\\ActivateInBrokerForMediumILContainer",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.TileView\\Permissions",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.TileView\\ActivateOnHostFlags",
        "HKEY_CURRENT_USER\\Software\\Classes\\Interface\\{6D3BC882-23A4-4706-B8FA-FC7DE2FC325D}",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{6d3bc882-23a4-4706-b8fa-fc7de2fc325d}\\ProxyStubClsid32",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{6d3bc882-23a4-4706-b8fa-fc7de2fc325d}\\ProxyStubClsid32\\(Default)",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.Tiles.TileQueryFilter",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.Tiles.TileQueryFilter\\ActivationType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.Tiles.TileQueryFilter\\Server",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.Tiles.TileQueryFilter\\DllPath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.Tiles.TileQueryFilter\\Threading",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.Tiles.TileQueryFilter\\TrustLevel",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.Tiles.TileQueryFilter\\CustomAttributes",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.Tiles.TileQueryFilter\\RemoteServer",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.Tiles.TileQueryFilter\\ActivateAsUser",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.Tiles.TileQueryFilter\\ActivateInSharedBroker",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.Tiles.TileQueryFilter\\ActivateInBrokerForMediumILContainer",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.Tiles.TileQueryFilter\\Permissions",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.Tiles.TileQueryFilter\\ActivateOnHostFlags",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.TileViewQueryFilter",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.TileViewQueryFilter\\ActivationType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.TileViewQueryFilter\\Server",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.TileViewQueryFilter\\DllPath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.TileViewQueryFilter\\Threading",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.TileViewQueryFilter\\TrustLevel",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.TileViewQueryFilter\\CustomAttributes",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.TileViewQueryFilter\\RemoteServer",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.TileViewQueryFilter\\ActivateAsUser",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.TileViewQueryFilter\\ActivateInSharedBroker",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.TileViewQueryFilter\\ActivateInBrokerForMediumILContainer",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.TileViewQueryFilter\\Permissions",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.TileViewQueryFilter\\ActivateOnHostFlags",
        "HKEY_CURRENT_USER\\Software\\Classes\\Interface\\{E3DD5D31-892E-4AD6-9CE9-8FE1F185047B}",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{e3dd5d31-892e-4ad6-9ce9-8fe1f185047b}\\ProxyStubClsid32",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{e3dd5d31-892e-4ad6-9ce9-8fe1f185047b}\\ProxyStubClsid32\\(Default)",
        "HKEY_CURRENT_USER\\Software\\Classes\\Interface\\{6A905A4B-CD66-5C7C-AB57-F5EB16C97257}",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{6a905a4b-cd66-5c7c-ab57-f5eb16c97257}\\ProxyStubClsid32",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{6a905a4b-cd66-5c7c-ab57-f5eb16c97257}\\ProxyStubClsid32\\(Default)",
        "HKEY_CURRENT_USER\\Software\\Classes\\Interface\\{2BE22368-4C98-5E9F-AC2B-DE493C0C3E43}",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{2be22368-4c98-5e9f-ac2b-de493c0c3e43}\\ProxyStubClsid32",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{2be22368-4c98-5e9f-ac2b-de493c0c3e43}\\ProxyStubClsid32\\(Default)",
        "HKEY_CURRENT_USER\\Software\\Classes\\Interface\\{F502008F-7A0E-5757-8E65-EBAD2E5A0E21}",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{f502008f-7a0e-5757-8e65-ebad2e5a0e21}\\ProxyStubClsid32",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{f502008f-7a0e-5757-8e65-ebad2e5a0e21}\\ProxyStubClsid32\\(Default)",
        "HKEY_CURRENT_USER\\Software\\Classes\\Interface\\{19AD9E30-89F3-48F6-9C50-E34A59494544}",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{19ad9e30-89f3-48f6-9c50-e34a59494544}\\ProxyStubClsid32",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{19ad9e30-89f3-48f6-9c50-e34a59494544}\\ProxyStubClsid32\\(Default)",
        "HKEY_CURRENT_USER\\Software\\Classes\\Interface\\{8A43ED9F-F4E6-4421-ACF9-1DAB2986820C}",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{8a43ed9f-f4e6-4421-acf9-1dab2986820c}\\ProxyStubClsid32",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{8a43ed9f-f4e6-4421-acf9-1dab2986820c}\\ProxyStubClsid32\\(Default)",
        "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{11659A23-5884-4D1B-9CF6-67D6F4F90B36}",
        "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{11659a23-5884-4d1b-9cf6-67d6f4f90b36}\\TreatAs",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{11659a23-5884-4d1b-9cf6-67d6f4f90b36}\\TreatAs",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{11659a23-5884-4d1b-9cf6-67d6f4f90b36}\\ActivateOnHostFlags",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{11659a23-5884-4d1b-9cf6-67d6f4f90b36}\\(Default)",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{11659a23-5884-4d1b-9cf6-67d6f4f90b36}\\InprocServer32",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{11659a23-5884-4d1b-9cf6-67d6f4f90b36}\\InProcServer32\\InprocServer32",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{11659a23-5884-4d1b-9cf6-67d6f4f90b36}\\InProcServer32\\(Default)",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{11659a23-5884-4d1b-9cf6-67d6f4f90b36}\\InProcServer32\\ThreadingModel",
        "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{11659a23-5884-4d1b-9cf6-67d6f4f90b36}\\InprocHandler32",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{11659a23-5884-4d1b-9cf6-67d6f4f90b36}\\InprocHandler32",
        "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{11659a23-5884-4d1b-9cf6-67d6f4f90b36}\\InprocHandler",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{11659a23-5884-4d1b-9cf6-67d6f4f90b36}\\InprocHandler",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{11659a23-5884-4d1b-9cf6-67d6f4f90b36}\\LocalServer32",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{11659a23-5884-4d1b-9cf6-67d6f4f90b36}\\AppID",
        "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{11659a23-5884-4d1b-9cf6-67d6f4f90b36}\\LocalServer",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{11659a23-5884-4d1b-9cf6-67d6f4f90b36}\\LocalServer",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{11659a23-5884-4d1b-9cf6-67d6f4f90b36}\\Elevation",
        "HKEY_CURRENT_USER\\Software\\Classes\\Interface\\{3BED20A5-6DEE-4297-B976-3B30DF69A7AA}",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{3bed20a5-6dee-4297-b976-3b30df69a7aa}\\ProxyStubClsid32",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{3bed20a5-6dee-4297-b976-3b30df69a7aa}\\ProxyStubClsid32\\(Default)",
        "HKEY_CURRENT_USER\\Software\\Classes\\Interface\\{195F5943-0C04-4EAB-B907-735817FDAC77}",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{195f5943-0c04-4eab-b907-735817fdac77}\\ProxyStubClsid32",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{195f5943-0c04-4eab-b907-735817fdac77}\\ProxyStubClsid32\\(Default)",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\Metadata",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\Package\\Index\\PackageFullName\\Microsoft.Windows.StartMenuExperienceHost_10.0.19041.3636_neutral_neutral_cw5n1h2txyewy",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\User\\Index\\UserSid\\S-1-5-21-3968686040-3210279463-847977608-1001",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\PackageExternalLocation\\Index\\UserAndPackage\\3^1f",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\PackageExternalLocation\\Index\\UserAndPackage\\0^1f",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\Package\\Data\\1f",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\Package\\Data\\1f\\InstalledLocation",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\Package\\Data\\1f\\MutableLink",
        "HKEY_CURRENT_USER\\Software\\Classes\\Interface\\{1B0D3570-0877-5EC2-8A2C-3B9539506ACA}",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{1b0d3570-0877-5ec2-8a2c-3b9539506aca}\\ProxyStubClsid32",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{1b0d3570-0877-5ec2-8a2c-3b9539506aca}\\ProxyStubClsid32\\(Default)",
        "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateChange\\PackageList\\Microsoft.Windows.StartMenuExperienceHost_10.0.19041.3636_neutral_neutral_cw5n1h2txyewy",
        "HKEY_CURRENT_USER\\Software\\Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\Repository\\Packages\\Microsoft.Windows.StartMenuExperienceHost_10.0.19041.3636_neutral_neutral_cw5n1h2txyewy",
        "HKEY_CURRENT_USER\\Software\\Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\Repository\\Packages\\Microsoft.Windows.StartMenuExperienceHost_10.0.19041.3636_neutral_neutral_cw5n1h2txyewy\\PackageStatus",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\Package\\Data\\1f\\PackageOrigin",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\Package\\Data\\1f\\Flags",
        "HKEY_CURRENT_USER\\Software\\Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppContainer\\Storage\\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\\ResourcesConfig",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.UI.Core.CoreWindow",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.UI.Core.CoreWindow\\ActivationType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.UI.Core.CoreWindow\\Server",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.UI.Core.CoreWindow\\DllPath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.UI.Core.CoreWindow\\Threading",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.UI.Core.CoreWindow\\TrustLevel",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.UI.Core.CoreWindow\\CustomAttributes",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.UI.Core.CoreWindow\\RemoteServer",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.UI.Core.CoreWindow\\ActivateAsUser",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.UI.Core.CoreWindow\\ActivateInSharedBroker",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.UI.Core.CoreWindow\\ActivateInBrokerForMediumILContainer",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.UI.Core.CoreWindow\\Permissions",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.UI.Core.CoreWindow\\ActivateOnHostFlags",
        "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Mrt\\_Merged",
        "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages",
        "HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer\\Main",
        "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Internet Explorer\\Main\\FrameTabWindow",
        "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Internet Explorer\\Main",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Internet Explorer\\Main\\FrameTabWindow",
        "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Internet Explorer\\Main\\FrameMerging",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Internet Explorer\\Main\\FrameMerging",
        "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Internet Explorer\\Main\\SessionMerging",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Internet Explorer\\Main\\SessionMerging",
        "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Internet Explorer\\Main\\AdminTabProcs",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Internet Explorer\\Main\\AdminTabProcs",
        "HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer\\Security",
        "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Internet Explorer\\Security\\RunBinaryControlHostProcessInSeparateAppContainer",
        "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Internet Explorer\\Security",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Internet Explorer\\Security\\RunBinaryControlHostProcessInSeparateAppContainer",
        "HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Internet Explorer\\Main",
        "HKEY_CURRENT_USER\\Software\\Policies\\Microsoft\\Internet Explorer\\Main",
        "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Internet Explorer\\Main\\TabProcGrowth",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Internet Explorer\\Main\\TabProcGrowth",
        "HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\CreateUriCacheSize",
        "HKEY_CURRENT_USER\\Software\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings",
        "HKEY_CURRENT_USER\\SOFTWARE\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\CreateUriCacheSize",
        "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings",
        "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\CreateUriCacheSize",
        "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\CreateUriCacheSize",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\EnablePunycode",
        "HKEY_CURRENT_USER\\SOFTWARE\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\EnablePunycode",
        "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\EnablePunycode",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\EnablePunycode",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.Application",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.Application\\ActivationType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.Application\\Server",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.Application\\DllPath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.Application\\Threading",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.Application\\TrustLevel",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.Application\\CustomAttributes",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.Application\\RemoteServer",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.Application\\ActivateAsUser",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.Application\\ActivateInSharedBroker",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.Application\\ActivateInBrokerForMediumILContainer",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.Application\\Permissions",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.Application\\ActivateOnHostFlags",
        "HKEY_CURRENT_USER\\Software\\Classes\\Interface\\{D81E96F1-A89C-417E-9335-59531026309D}",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{d81e96f1-a89c-417e-9335-59531026309d}\\ProxyStubClsid32",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{d81e96f1-a89c-417e-9335-59531026309d}\\ProxyStubClsid32\\(Default)",
        "HKEY_CURRENT_USER\\Software\\Classes\\Interface\\{8DA928C9-4266-55D4-947A-48BE47300831}",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{8da928c9-4266-55d4-947a-48be47300831}\\ProxyStubClsid32",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{8da928c9-4266-55d4-947a-48be47300831}\\ProxyStubClsid32\\(Default)",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\Package\\Index\\PackageFullName\\Microsoft.Windows.Search_1.14.10.19041_neutral_neutral_cw5n1h2txyewy",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\PackageExternalLocation\\Index\\UserAndPackage\\3^1a",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\PackageExternalLocation\\Index\\UserAndPackage\\0^1a",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\Package\\Data\\1a",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\Package\\Data\\1a\\InstalledLocation",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\Package\\Data\\1a\\MutableLink",
        "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateChange\\PackageList\\Microsoft.Windows.Search_1.14.10.19041_neutral_neutral_cw5n1h2txyewy",
        "HKEY_CURRENT_USER\\Software\\Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\Repository\\Packages\\Microsoft.Windows.Search_1.14.10.19041_neutral_neutral_cw5n1h2txyewy",
        "HKEY_CURRENT_USER\\Software\\Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\Repository\\Packages\\Microsoft.Windows.Search_1.14.10.19041_neutral_neutral_cw5n1h2txyewy\\PackageStatus",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\Package\\Data\\1a\\PackageOrigin",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\Package\\Data\\1a\\Flags",
        "HKEY_CURRENT_USER\\Software\\Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppContainer\\Storage\\Microsoft.Windows.Search_cw5n1h2txyewy\\ResourcesConfig",
        "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Accent",
        "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Accent\\AccentPalette",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\Package\\Index\\PackageFullName\\MicrosoftWindows.Client.CBS_1000.19053.1000.0_x64__cw5n1h2txyewy",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\PackageExternalLocation\\Index\\UserAndPackage\\3^22",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\PackageExternalLocation\\Index\\UserAndPackage\\0^22",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\Package\\Data\\22",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\Package\\Data\\22\\InstalledLocation",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\Package\\Data\\22\\MutableLink",
        "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateChange\\PackageList\\MicrosoftWindows.Client.CBS_1000.19053.1000.0_x64__cw5n1h2txyewy",
        "HKEY_CURRENT_USER\\Software\\Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\Repository\\Packages\\MicrosoftWindows.Client.CBS_1000.19053.1000.0_x64__cw5n1h2txyewy",
        "HKEY_CURRENT_USER\\Software\\Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\Repository\\Packages\\MicrosoftWindows.Client.CBS_1000.19053.1000.0_x64__cw5n1h2txyewy\\PackageStatus",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\Package\\Data\\22\\PackageOrigin",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\Package\\Data\\22\\Flags",
        "HKEY_CURRENT_USER\\Software\\Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppContainer\\Storage\\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\\ResourcesConfig",
        "HKEY_CLASSES_ROOT\\CLSID\\{56AD4C5D-B908-4F85-8FF1-7940C29B3BCF}\\Instance",
        "HKEY_CURRENT_USER\\Software\\Microsoft\\CTF\\DirectSwitchHotkeys",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\TurnOffSPIAnimations",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\DevQuery",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\DevQuery\\1",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\DevQuery\\1\\IdType",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\DevQuery\\1\\Transport",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\DevQuery\\1\\QueryFile",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\DevQuery\\1\\NoStateFile",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\DevQuery\\10",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\DevQuery\\10\\IdType",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\DevQuery\\10\\Transport",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\DevQuery\\10\\UUID",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\DevQuery\\11",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\DevQuery\\11\\IdType",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\DevQuery\\11\\Transport",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\DevQuery\\11\\QueryFile",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\DevQuery\\11\\NoStateFile",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\DevQuery\\2",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\DevQuery\\2\\IdType",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\DevQuery\\2\\Transport",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\DevQuery\\2\\QueryFile",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\DevQuery\\2\\NoStateFile",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\DevQuery\\3",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\DevQuery\\3\\IdType",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\DevQuery\\3\\Transport",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\DevQuery\\3\\QueryFile",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\DevQuery\\3\\NoStateFile",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\DevQuery\\4",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\DevQuery\\4\\IdType",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\DevQuery\\4\\Transport",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\DevQuery\\4\\QueryFile",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\DevQuery\\4\\NoStateFile",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\DevQuery\\5",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\DevQuery\\5\\IdType",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\DevQuery\\5\\Transport",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\DevQuery\\5\\UUID",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\DevQuery\\6",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\DevQuery\\6\\IdType",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\DevQuery\\6\\Transport",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\DevQuery\\6\\UUID",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\DevQuery\\7",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\DevQuery\\7\\IdType",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\DevQuery\\7\\Transport",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\DevQuery\\7\\QueryFile",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\DevQuery\\7\\NoStateFile",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\DevQuery\\8",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\DevQuery\\8\\IdType",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\DevQuery\\8\\Transport",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\DevQuery\\8\\DllName",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\DevQuery\\8\\DevQueryEntry",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\DevQuery\\9",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\DevQuery\\9\\IdType",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\DevQuery\\9\\Transport",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\DevQuery\\9\\DllName",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\DevQuery\\9\\DevQueryEntry",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\Last Counter",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\Last Help",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{16fa106f-26c3-42a5-982b-400779ea8970}",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{16fa106f-26c3-42a5-982b-400779ea8970}\\ProviderType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{16fa106f-26c3-42a5-982b-400779ea8970}\\ProviderName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{16fa106f-26c3-42a5-982b-400779ea8970}\\ApplicationIdentity",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{16fa106f-26c3-42a5-982b-400779ea8970}\\{a4b0515f-2c2f-4fc4-87f5-b3a3a8747225}",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{16fa106f-26c3-42a5-982b-400779ea8970}\\{a4b0515f-2c2f-4fc4-87f5-b3a3a8747225}\\InstanceType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{16fa106f-26c3-42a5-982b-400779ea8970}\\{a4b0515f-2c2f-4fc4-87f5-b3a3a8747225}\\NameResource",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{16fa106f-26c3-42a5-982b-400779ea8970}\\{a4b0515f-2c2f-4fc4-87f5-b3a3a8747225}\\ExplainResource",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{16fa106f-26c3-42a5-982b-400779ea8970}\\{a4b0515f-2c2f-4fc4-87f5-b3a3a8747225}\\First Counter",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{16fa106f-26c3-42a5-982b-400779ea8970}\\{a4b0515f-2c2f-4fc4-87f5-b3a3a8747225}\\Last Counter",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{16fa106f-26c3-42a5-982b-400779ea8970}\\{a4b0515f-2c2f-4fc4-87f5-b3a3a8747225}\\CounterBlock",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{16fa106f-26c3-42a5-982b-400779ea8970}\\{a4b0515f-2c2f-4fc4-87f5-b3a3a8747225}\\CounterCount",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{1ffc4a37-aabd-49e0-8b3d-fce8b099febb}",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{1ffc4a37-aabd-49e0-8b3d-fce8b099febb}\\ProviderType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{1ffc4a37-aabd-49e0-8b3d-fce8b099febb}\\ProviderName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{1ffc4a37-aabd-49e0-8b3d-fce8b099febb}\\ApplicationIdentity",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{1ffc4a37-aabd-49e0-8b3d-fce8b099febb}\\{d049a97f-9f42-4c11-ad73-5d8c68b30258}",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{1ffc4a37-aabd-49e0-8b3d-fce8b099febb}\\{d049a97f-9f42-4c11-ad73-5d8c68b30258}\\InstanceType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{1ffc4a37-aabd-49e0-8b3d-fce8b099febb}\\{d049a97f-9f42-4c11-ad73-5d8c68b30258}\\NameResource",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{1ffc4a37-aabd-49e0-8b3d-fce8b099febb}\\{d049a97f-9f42-4c11-ad73-5d8c68b30258}\\ExplainResource",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{1ffc4a37-aabd-49e0-8b3d-fce8b099febb}\\{d049a97f-9f42-4c11-ad73-5d8c68b30258}\\First Counter",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{1ffc4a37-aabd-49e0-8b3d-fce8b099febb}\\{d049a97f-9f42-4c11-ad73-5d8c68b30258}\\Last Counter",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{1ffc4a37-aabd-49e0-8b3d-fce8b099febb}\\{d049a97f-9f42-4c11-ad73-5d8c68b30258}\\CounterBlock",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{1ffc4a37-aabd-49e0-8b3d-fce8b099febb}\\{d049a97f-9f42-4c11-ad73-5d8c68b30258}\\CounterCount",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{20fe1a3a-af21-413c-8a7b-b7fbf6c9a059}",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{20fe1a3a-af21-413c-8a7b-b7fbf6c9a059}\\ProviderType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{20fe1a3a-af21-413c-8a7b-b7fbf6c9a059}\\ProviderName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{20fe1a3a-af21-413c-8a7b-b7fbf6c9a059}\\ApplicationIdentity",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{20fe1a3a-af21-413c-8a7b-b7fbf6c9a059}\\{8a922684-7993-4b38-9929-b7366f01ec4a}",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{20fe1a3a-af21-413c-8a7b-b7fbf6c9a059}\\{8a922684-7993-4b38-9929-b7366f01ec4a}\\InstanceType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{20fe1a3a-af21-413c-8a7b-b7fbf6c9a059}\\{8a922684-7993-4b38-9929-b7366f01ec4a}\\NameResource",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{20fe1a3a-af21-413c-8a7b-b7fbf6c9a059}\\{8a922684-7993-4b38-9929-b7366f01ec4a}\\ExplainResource",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{20fe1a3a-af21-413c-8a7b-b7fbf6c9a059}\\{8a922684-7993-4b38-9929-b7366f01ec4a}\\First Counter",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{20fe1a3a-af21-413c-8a7b-b7fbf6c9a059}\\{8a922684-7993-4b38-9929-b7366f01ec4a}\\Last Counter",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{20fe1a3a-af21-413c-8a7b-b7fbf6c9a059}\\{8a922684-7993-4b38-9929-b7366f01ec4a}\\CounterBlock",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{20fe1a3a-af21-413c-8a7b-b7fbf6c9a059}\\{8a922684-7993-4b38-9929-b7366f01ec4a}\\CounterCount",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{2538387c-08b7-44b8-86d3-47f59cf6d056}",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{2538387c-08b7-44b8-86d3-47f59cf6d056}\\ProviderType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{2538387c-08b7-44b8-86d3-47f59cf6d056}\\ProviderName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{2538387c-08b7-44b8-86d3-47f59cf6d056}\\ApplicationIdentity",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{2538387c-08b7-44b8-86d3-47f59cf6d056}\\{2538387c-08b7-44b8-86d3-47f59cf6d057}",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{2538387c-08b7-44b8-86d3-47f59cf6d056}\\{2538387c-08b7-44b8-86d3-47f59cf6d057}\\InstanceType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{2538387c-08b7-44b8-86d3-47f59cf6d056}\\{2538387c-08b7-44b8-86d3-47f59cf6d057}\\NameResource",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{2538387c-08b7-44b8-86d3-47f59cf6d056}\\{2538387c-08b7-44b8-86d3-47f59cf6d057}\\ExplainResource",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{2538387c-08b7-44b8-86d3-47f59cf6d056}\\{2538387c-08b7-44b8-86d3-47f59cf6d057}\\First Counter",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{2538387c-08b7-44b8-86d3-47f59cf6d056}\\{2538387c-08b7-44b8-86d3-47f59cf6d057}\\Last Counter",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{2538387c-08b7-44b8-86d3-47f59cf6d056}\\{2538387c-08b7-44b8-86d3-47f59cf6d057}\\CounterBlock",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{2538387c-08b7-44b8-86d3-47f59cf6d056}\\{2538387c-08b7-44b8-86d3-47f59cf6d057}\\CounterCount",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{2a32a3f9-ee0c-40ff-8a75-e1e747d15b1f}",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{2a32a3f9-ee0c-40ff-8a75-e1e747d15b1f}\\ProviderType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{2a32a3f9-ee0c-40ff-8a75-e1e747d15b1f}\\ProviderName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{2a32a3f9-ee0c-40ff-8a75-e1e747d15b1f}\\ApplicationIdentity",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{2a32a3f9-ee0c-40ff-8a75-e1e747d15b1f}\\{d11168c5-9f29-43bc-9269-0548637a62b0}",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{2a32a3f9-ee0c-40ff-8a75-e1e747d15b1f}\\{d11168c5-9f29-43bc-9269-0548637a62b0}\\InstanceType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{2a32a3f9-ee0c-40ff-8a75-e1e747d15b1f}\\{d11168c5-9f29-43bc-9269-0548637a62b0}\\NameResource",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{2a32a3f9-ee0c-40ff-8a75-e1e747d15b1f}\\{d11168c5-9f29-43bc-9269-0548637a62b0}\\ExplainResource",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{2a32a3f9-ee0c-40ff-8a75-e1e747d15b1f}\\{d11168c5-9f29-43bc-9269-0548637a62b0}\\First Counter",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{2a32a3f9-ee0c-40ff-8a75-e1e747d15b1f}\\{d11168c5-9f29-43bc-9269-0548637a62b0}\\Last Counter",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{2a32a3f9-ee0c-40ff-8a75-e1e747d15b1f}\\{d11168c5-9f29-43bc-9269-0548637a62b0}\\CounterBlock",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{2a32a3f9-ee0c-40ff-8a75-e1e747d15b1f}\\{d11168c5-9f29-43bc-9269-0548637a62b0}\\CounterCount",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{2ccb0d8d-ea94-4235-986b-c97f61f63969}",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{2ccb0d8d-ea94-4235-986b-c97f61f63969}\\ProviderType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{2ccb0d8d-ea94-4235-986b-c97f61f63969}\\ProviderName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{2ccb0d8d-ea94-4235-986b-c97f61f63969}\\ApplicationIdentity",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{2ccb0d8d-ea94-4235-986b-c97f61f63969}\\{ef82017e-50e2-4ca2-b9ec-b9895ab70e08}",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{2ccb0d8d-ea94-4235-986b-c97f61f63969}\\{ef82017e-50e2-4ca2-b9ec-b9895ab70e08}\\InstanceType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{2ccb0d8d-ea94-4235-986b-c97f61f63969}\\{ef82017e-50e2-4ca2-b9ec-b9895ab70e08}\\NameResource",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{2ccb0d8d-ea94-4235-986b-c97f61f63969}\\{ef82017e-50e2-4ca2-b9ec-b9895ab70e08}\\ExplainResource",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{2ccb0d8d-ea94-4235-986b-c97f61f63969}\\{ef82017e-50e2-4ca2-b9ec-b9895ab70e08}\\First Counter",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{2ccb0d8d-ea94-4235-986b-c97f61f63969}\\{ef82017e-50e2-4ca2-b9ec-b9895ab70e08}\\Last Counter",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{2ccb0d8d-ea94-4235-986b-c97f61f63969}\\{ef82017e-50e2-4ca2-b9ec-b9895ab70e08}\\NeutralName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{2ccb0d8d-ea94-4235-986b-c97f61f63969}\\{ef82017e-50e2-4ca2-b9ec-b9895ab70e08}\\CounterBlock",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{2ccb0d8d-ea94-4235-986b-c97f61f63969}\\{ef82017e-50e2-4ca2-b9ec-b9895ab70e08}\\CounterCount",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{2ea0b998-e7e8-41c6-8abc-093083ea21d7}",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{2ea0b998-e7e8-41c6-8abc-093083ea21d7}\\ProviderType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{2ea0b998-e7e8-41c6-8abc-093083ea21d7}\\ProviderName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{2ea0b998-e7e8-41c6-8abc-093083ea21d7}\\ApplicationIdentity",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{2ea0b998-e7e8-41c6-8abc-093083ea21d7}\\{687d8f80-ffea-4de5-a41f-3e1c83378839}",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{2ea0b998-e7e8-41c6-8abc-093083ea21d7}\\{687d8f80-ffea-4de5-a41f-3e1c83378839}\\InstanceType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{2ea0b998-e7e8-41c6-8abc-093083ea21d7}\\{687d8f80-ffea-4de5-a41f-3e1c83378839}\\NameResource",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{2ea0b998-e7e8-41c6-8abc-093083ea21d7}\\{687d8f80-ffea-4de5-a41f-3e1c83378839}\\ExplainResource",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{2ea0b998-e7e8-41c6-8abc-093083ea21d7}\\{687d8f80-ffea-4de5-a41f-3e1c83378839}\\First Counter",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{2ea0b998-e7e8-41c6-8abc-093083ea21d7}\\{687d8f80-ffea-4de5-a41f-3e1c83378839}\\Last Counter",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{2ea0b998-e7e8-41c6-8abc-093083ea21d7}\\{687d8f80-ffea-4de5-a41f-3e1c83378839}\\CounterBlock",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{2ea0b998-e7e8-41c6-8abc-093083ea21d7}\\{687d8f80-ffea-4de5-a41f-3e1c83378839}\\CounterCount",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{31a5ebe2-c765-490a-937c-b0ab2787fe15}",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{31a5ebe2-c765-490a-937c-b0ab2787fe15}\\ProviderType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{31a5ebe2-c765-490a-937c-b0ab2787fe15}\\ProviderName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{31a5ebe2-c765-490a-937c-b0ab2787fe15}\\ApplicationIdentity",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{31a5ebe2-c765-490a-937c-b0ab2787fe15}\\{c73dfef0-11b8-4a3f-a1ad-0dcbbc5186ef}",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{31a5ebe2-c765-490a-937c-b0ab2787fe15}\\{c73dfef0-11b8-4a3f-a1ad-0dcbbc5186ef}\\InstanceType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{31a5ebe2-c765-490a-937c-b0ab2787fe15}\\{c73dfef0-11b8-4a3f-a1ad-0dcbbc5186ef}\\NameResource",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{31a5ebe2-c765-490a-937c-b0ab2787fe15}\\{c73dfef0-11b8-4a3f-a1ad-0dcbbc5186ef}\\ExplainResource",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{31a5ebe2-c765-490a-937c-b0ab2787fe15}\\{c73dfef0-11b8-4a3f-a1ad-0dcbbc5186ef}\\First Counter",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{31a5ebe2-c765-490a-937c-b0ab2787fe15}\\{c73dfef0-11b8-4a3f-a1ad-0dcbbc5186ef}\\Last Counter",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{31a5ebe2-c765-490a-937c-b0ab2787fe15}\\{c73dfef0-11b8-4a3f-a1ad-0dcbbc5186ef}\\NeutralName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{31a5ebe2-c765-490a-937c-b0ab2787fe15}\\{c73dfef0-11b8-4a3f-a1ad-0dcbbc5186ef}\\CounterBlock",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{31a5ebe2-c765-490a-937c-b0ab2787fe15}\\{c73dfef0-11b8-4a3f-a1ad-0dcbbc5186ef}\\CounterCount",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{3817cb9c-49a8-436b-bc29-5518877d3c3a}",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{3817cb9c-49a8-436b-bc29-5518877d3c3a}\\ProviderType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{3817cb9c-49a8-436b-bc29-5518877d3c3a}\\ProviderName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{3817cb9c-49a8-436b-bc29-5518877d3c3a}\\ApplicationIdentity",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{3817cb9c-49a8-436b-bc29-5518877d3c3a}\\{82fa211f-e7f8-4ab5-a04c-cc523073b971}",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{3817cb9c-49a8-436b-bc29-5518877d3c3a}\\{82fa211f-e7f8-4ab5-a04c-cc523073b971}\\InstanceType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{3817cb9c-49a8-436b-bc29-5518877d3c3a}\\{82fa211f-e7f8-4ab5-a04c-cc523073b971}\\NameResource",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{3817cb9c-49a8-436b-bc29-5518877d3c3a}\\{82fa211f-e7f8-4ab5-a04c-cc523073b971}\\ExplainResource",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{3817cb9c-49a8-436b-bc29-5518877d3c3a}\\{82fa211f-e7f8-4ab5-a04c-cc523073b971}\\First Counter",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{3817cb9c-49a8-436b-bc29-5518877d3c3a}\\{82fa211f-e7f8-4ab5-a04c-cc523073b971}\\Last Counter",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{3817cb9c-49a8-436b-bc29-5518877d3c3a}\\{82fa211f-e7f8-4ab5-a04c-cc523073b971}\\CounterBlock",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{3817cb9c-49a8-436b-bc29-5518877d3c3a}\\{82fa211f-e7f8-4ab5-a04c-cc523073b971}\\CounterCount",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{383487a6-3676-4870-a4e7-d45b30c35629}",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{383487a6-3676-4870-a4e7-d45b30c35629}\\ProviderType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{383487a6-3676-4870-a4e7-d45b30c35629}\\ProviderName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{383487a6-3676-4870-a4e7-d45b30c35629}\\ApplicationIdentity",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{383487a6-3676-4870-a4e7-d45b30c35629}\\{2f66fd0a-9f6c-4d91-9f2f-2a1b5e41b7dc}",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{383487a6-3676-4870-a4e7-d45b30c35629}\\{2f66fd0a-9f6c-4d91-9f2f-2a1b5e41b7dc}\\InstanceType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{383487a6-3676-4870-a4e7-d45b30c35629}\\{2f66fd0a-9f6c-4d91-9f2f-2a1b5e41b7dc}\\NameResource",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{383487a6-3676-4870-a4e7-d45b30c35629}\\{2f66fd0a-9f6c-4d91-9f2f-2a1b5e41b7dc}\\ExplainResource",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{383487a6-3676-4870-a4e7-d45b30c35629}\\{2f66fd0a-9f6c-4d91-9f2f-2a1b5e41b7dc}\\First Counter",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{383487a6-3676-4870-a4e7-d45b30c35629}\\{2f66fd0a-9f6c-4d91-9f2f-2a1b5e41b7dc}\\Last Counter",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{383487a6-3676-4870-a4e7-d45b30c35629}\\{2f66fd0a-9f6c-4d91-9f2f-2a1b5e41b7dc}\\NeutralName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{383487a6-3676-4870-a4e7-d45b30c35629}\\{2f66fd0a-9f6c-4d91-9f2f-2a1b5e41b7dc}\\CounterBlock",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{383487a6-3676-4870-a4e7-d45b30c35629}\\{2f66fd0a-9f6c-4d91-9f2f-2a1b5e41b7dc}\\CounterCount",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{383487a6-3676-4870-a4e7-d45b30c35629}\\{370e979a-377a-4f30-b2c4-9a0fd072890b}",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{383487a6-3676-4870-a4e7-d45b30c35629}\\{370e979a-377a-4f30-b2c4-9a0fd072890b}\\InstanceType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{383487a6-3676-4870-a4e7-d45b30c35629}\\{370e979a-377a-4f30-b2c4-9a0fd072890b}\\NameResource",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{383487a6-3676-4870-a4e7-d45b30c35629}\\{370e979a-377a-4f30-b2c4-9a0fd072890b}\\ExplainResource",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{383487a6-3676-4870-a4e7-d45b30c35629}\\{370e979a-377a-4f30-b2c4-9a0fd072890b}\\First Counter",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{383487a6-3676-4870-a4e7-d45b30c35629}\\{370e979a-377a-4f30-b2c4-9a0fd072890b}\\Last Counter",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{383487a6-3676-4870-a4e7-d45b30c35629}\\{370e979a-377a-4f30-b2c4-9a0fd072890b}\\NeutralName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{383487a6-3676-4870-a4e7-d45b30c35629}\\{370e979a-377a-4f30-b2c4-9a0fd072890b}\\CounterBlock",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{383487a6-3676-4870-a4e7-d45b30c35629}\\{370e979a-377a-4f30-b2c4-9a0fd072890b}\\CounterCount",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{383487a6-3676-4870-a4e7-d45b30c35629}\\{42cd0051-9dd9-4fe2-8db9-d37885d2d749}",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{383487a6-3676-4870-a4e7-d45b30c35629}\\{42cd0051-9dd9-4fe2-8db9-d37885d2d749}\\InstanceType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{383487a6-3676-4870-a4e7-d45b30c35629}\\{42cd0051-9dd9-4fe2-8db9-d37885d2d749}\\NameResource",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{383487a6-3676-4870-a4e7-d45b30c35629}\\{42cd0051-9dd9-4fe2-8db9-d37885d2d749}\\ExplainResource",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{383487a6-3676-4870-a4e7-d45b30c35629}\\{42cd0051-9dd9-4fe2-8db9-d37885d2d749}\\First Counter",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{383487a6-3676-4870-a4e7-d45b30c35629}\\{42cd0051-9dd9-4fe2-8db9-d37885d2d749}\\Last Counter",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{383487a6-3676-4870-a4e7-d45b30c35629}\\{42cd0051-9dd9-4fe2-8db9-d37885d2d749}\\NeutralName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{383487a6-3676-4870-a4e7-d45b30c35629}\\{42cd0051-9dd9-4fe2-8db9-d37885d2d749}\\CounterBlock",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{383487a6-3676-4870-a4e7-d45b30c35629}\\{42cd0051-9dd9-4fe2-8db9-d37885d2d749}\\CounterCount",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{383487a6-3676-4870-a4e7-d45b30c35629}\\{52bc5412-dac2-449c-8bc2-96443888fe6b}",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{383487a6-3676-4870-a4e7-d45b30c35629}\\{52bc5412-dac2-449c-8bc2-96443888fe6b}\\InstanceType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{383487a6-3676-4870-a4e7-d45b30c35629}\\{52bc5412-dac2-449c-8bc2-96443888fe6b}\\NameResource",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{383487a6-3676-4870-a4e7-d45b30c35629}\\{52bc5412-dac2-449c-8bc2-96443888fe6b}\\ExplainResource",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{383487a6-3676-4870-a4e7-d45b30c35629}\\{52bc5412-dac2-449c-8bc2-96443888fe6b}\\First Counter",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{383487a6-3676-4870-a4e7-d45b30c35629}\\{52bc5412-dac2-449c-8bc2-96443888fe6b}\\Last Counter",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{383487a6-3676-4870-a4e7-d45b30c35629}\\{52bc5412-dac2-449c-8bc2-96443888fe6b}\\NeutralName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{383487a6-3676-4870-a4e7-d45b30c35629}\\{52bc5412-dac2-449c-8bc2-96443888fe6b}\\CounterBlock",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{383487a6-3676-4870-a4e7-d45b30c35629}\\{52bc5412-dac2-449c-8bc2-96443888fe6b}\\CounterCount",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{383487a6-3676-4870-a4e7-d45b30c35629}\\{b4fc721a-0378-476f-89ba-a5a79f810b36}",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{383487a6-3676-4870-a4e7-d45b30c35629}\\{b4fc721a-0378-476f-89ba-a5a79f810b36}\\InstanceType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{383487a6-3676-4870-a4e7-d45b30c35629}\\{b4fc721a-0378-476f-89ba-a5a79f810b36}\\NameResource",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{383487a6-3676-4870-a4e7-d45b30c35629}\\{b4fc721a-0378-476f-89ba-a5a79f810b36}\\ExplainResource",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{383487a6-3676-4870-a4e7-d45b30c35629}\\{b4fc721a-0378-476f-89ba-a5a79f810b36}\\First Counter",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{383487a6-3676-4870-a4e7-d45b30c35629}\\{b4fc721a-0378-476f-89ba-a5a79f810b36}\\Last Counter",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{383487a6-3676-4870-a4e7-d45b30c35629}\\{b4fc721a-0378-476f-89ba-a5a79f810b36}\\NeutralName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{383487a6-3676-4870-a4e7-d45b30c35629}\\{b4fc721a-0378-476f-89ba-a5a79f810b36}\\CounterBlock",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{383487a6-3676-4870-a4e7-d45b30c35629}\\{b4fc721a-0378-476f-89ba-a5a79f810b36}\\CounterCount",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{383487a6-3676-4870-a4e7-d45b30c35629}\\{ed83b00b-6afd-4063-9420-16fe0fa3b36f}",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{383487a6-3676-4870-a4e7-d45b30c35629}\\{ed83b00b-6afd-4063-9420-16fe0fa3b36f}\\InstanceType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{383487a6-3676-4870-a4e7-d45b30c35629}\\{ed83b00b-6afd-4063-9420-16fe0fa3b36f}\\NameResource",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{383487a6-3676-4870-a4e7-d45b30c35629}\\{ed83b00b-6afd-4063-9420-16fe0fa3b36f}\\ExplainResource",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{383487a6-3676-4870-a4e7-d45b30c35629}\\{ed83b00b-6afd-4063-9420-16fe0fa3b36f}\\First Counter",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{383487a6-3676-4870-a4e7-d45b30c35629}\\{ed83b00b-6afd-4063-9420-16fe0fa3b36f}\\Last Counter",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{383487a6-3676-4870-a4e7-d45b30c35629}\\{ed83b00b-6afd-4063-9420-16fe0fa3b36f}\\NeutralName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{383487a6-3676-4870-a4e7-d45b30c35629}\\{ed83b00b-6afd-4063-9420-16fe0fa3b36f}\\CounterBlock",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{383487a6-3676-4870-a4e7-d45b30c35629}\\{ed83b00b-6afd-4063-9420-16fe0fa3b36f}\\CounterCount",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{383487a6-3676-4870-a4e7-d45b30c35629}\\{f596750d-b109-4247-a62f-dea47a46e505}",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{383487a6-3676-4870-a4e7-d45b30c35629}\\{f596750d-b109-4247-a62f-dea47a46e505}\\InstanceType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{383487a6-3676-4870-a4e7-d45b30c35629}\\{f596750d-b109-4247-a62f-dea47a46e505}\\NameResource",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{383487a6-3676-4870-a4e7-d45b30c35629}\\{f596750d-b109-4247-a62f-dea47a46e505}\\ExplainResource",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{383487a6-3676-4870-a4e7-d45b30c35629}\\{f596750d-b109-4247-a62f-dea47a46e505}\\First Counter",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{383487a6-3676-4870-a4e7-d45b30c35629}\\{f596750d-b109-4247-a62f-dea47a46e505}\\Last Counter",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{383487a6-3676-4870-a4e7-d45b30c35629}\\{f596750d-b109-4247-a62f-dea47a46e505}\\NeutralName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{383487a6-3676-4870-a4e7-d45b30c35629}\\{f596750d-b109-4247-a62f-dea47a46e505}\\CounterBlock",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{383487a6-3676-4870-a4e7-d45b30c35629}\\{f596750d-b109-4247-a62f-dea47a46e505}\\CounterCount",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{3def464b-f31b-4117-8fb7-bb829a0e1a15}",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{3def464b-f31b-4117-8fb7-bb829a0e1a15}\\ProviderType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{3def464b-f31b-4117-8fb7-bb829a0e1a15}\\ProviderName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{3def464b-f31b-4117-8fb7-bb829a0e1a15}\\ApplicationIdentity",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{3def464b-f31b-4117-8fb7-bb829a0e1a15}\\{2617bf8d-bedc-4231-b92b-1dd2d34ee225}",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{3def464b-f31b-4117-8fb7-bb829a0e1a15}\\{2617bf8d-bedc-4231-b92b-1dd2d34ee225}\\InstanceType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{3def464b-f31b-4117-8fb7-bb829a0e1a15}\\{2617bf8d-bedc-4231-b92b-1dd2d34ee225}\\NameResource",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{3def464b-f31b-4117-8fb7-bb829a0e1a15}\\{2617bf8d-bedc-4231-b92b-1dd2d34ee225}\\ExplainResource",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{3def464b-f31b-4117-8fb7-bb829a0e1a15}\\{2617bf8d-bedc-4231-b92b-1dd2d34ee225}\\First Counter",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{3def464b-f31b-4117-8fb7-bb829a0e1a15}\\{2617bf8d-bedc-4231-b92b-1dd2d34ee225}\\Last Counter",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{3def464b-f31b-4117-8fb7-bb829a0e1a15}\\{2617bf8d-bedc-4231-b92b-1dd2d34ee225}\\NeutralName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{3def464b-f31b-4117-8fb7-bb829a0e1a15}\\{2617bf8d-bedc-4231-b92b-1dd2d34ee225}\\CounterBlock",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{3def464b-f31b-4117-8fb7-bb829a0e1a15}\\{2617bf8d-bedc-4231-b92b-1dd2d34ee225}\\CounterCount",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{3def464b-f31b-4117-8fb7-bb829a0e1a15}\\{4ad2297e-ee20-42b4-9cb7-13f6f1598dbd}",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{3def464b-f31b-4117-8fb7-bb829a0e1a15}\\{4ad2297e-ee20-42b4-9cb7-13f6f1598dbd}\\InstanceType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{3def464b-f31b-4117-8fb7-bb829a0e1a15}\\{4ad2297e-ee20-42b4-9cb7-13f6f1598dbd}\\NameResource",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{3def464b-f31b-4117-8fb7-bb829a0e1a15}\\{4ad2297e-ee20-42b4-9cb7-13f6f1598dbd}\\ExplainResource",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{3def464b-f31b-4117-8fb7-bb829a0e1a15}\\{4ad2297e-ee20-42b4-9cb7-13f6f1598dbd}\\First Counter",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{3def464b-f31b-4117-8fb7-bb829a0e1a15}\\{4ad2297e-ee20-42b4-9cb7-13f6f1598dbd}\\Last Counter",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{3def464b-f31b-4117-8fb7-bb829a0e1a15}\\{4ad2297e-ee20-42b4-9cb7-13f6f1598dbd}\\NeutralName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{3def464b-f31b-4117-8fb7-bb829a0e1a15}\\{4ad2297e-ee20-42b4-9cb7-13f6f1598dbd}\\CounterBlock",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{3def464b-f31b-4117-8fb7-bb829a0e1a15}\\{4ad2297e-ee20-42b4-9cb7-13f6f1598dbd}\\CounterCount",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{3def464b-f31b-4117-8fb7-bb829a0e1a15}\\{59ceb84f-55ff-48c0-80cc-df0068501814}",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{3def464b-f31b-4117-8fb7-bb829a0e1a15}\\{59ceb84f-55ff-48c0-80cc-df0068501814}\\InstanceType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{3def464b-f31b-4117-8fb7-bb829a0e1a15}\\{59ceb84f-55ff-48c0-80cc-df0068501814}\\NameResource",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{3def464b-f31b-4117-8fb7-bb829a0e1a15}\\{59ceb84f-55ff-48c0-80cc-df0068501814}\\ExplainResource",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{3def464b-f31b-4117-8fb7-bb829a0e1a15}\\{59ceb84f-55ff-48c0-80cc-df0068501814}\\First Counter",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{3def464b-f31b-4117-8fb7-bb829a0e1a15}\\{59ceb84f-55ff-48c0-80cc-df0068501814}\\Last Counter",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{3def464b-f31b-4117-8fb7-bb829a0e1a15}\\{59ceb84f-55ff-48c0-80cc-df0068501814}\\NeutralName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{3def464b-f31b-4117-8fb7-bb829a0e1a15}\\{59ceb84f-55ff-48c0-80cc-df0068501814}\\CounterBlock",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{3def464b-f31b-4117-8fb7-bb829a0e1a15}\\{59ceb84f-55ff-48c0-80cc-df0068501814}\\CounterCount",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{3def464b-f31b-4117-8fb7-bb829a0e1a15}\\{882d9f58-d338-4a83-bc3d-23f5b0a98fa9}",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{3def464b-f31b-4117-8fb7-bb829a0e1a15}\\{882d9f58-d338-4a83-bc3d-23f5b0a98fa9}\\InstanceType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{3def464b-f31b-4117-8fb7-bb829a0e1a15}\\{882d9f58-d338-4a83-bc3d-23f5b0a98fa9}\\NameResource",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{3def464b-f31b-4117-8fb7-bb829a0e1a15}\\{882d9f58-d338-4a83-bc3d-23f5b0a98fa9}\\ExplainResource",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{3def464b-f31b-4117-8fb7-bb829a0e1a15}\\{882d9f58-d338-4a83-bc3d-23f5b0a98fa9}\\First Counter",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{3def464b-f31b-4117-8fb7-bb829a0e1a15}\\{882d9f58-d338-4a83-bc3d-23f5b0a98fa9}\\Last Counter",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{3def464b-f31b-4117-8fb7-bb829a0e1a15}\\{882d9f58-d338-4a83-bc3d-23f5b0a98fa9}\\NeutralName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{3def464b-f31b-4117-8fb7-bb829a0e1a15}\\{882d9f58-d338-4a83-bc3d-23f5b0a98fa9}\\CounterBlock",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{3def464b-f31b-4117-8fb7-bb829a0e1a15}\\{882d9f58-d338-4a83-bc3d-23f5b0a98fa9}\\CounterCount",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{3def464b-f31b-4117-8fb7-bb829a0e1a15}\\{987a3601-c362-48e4-a856-e28f070efb07}",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{3def464b-f31b-4117-8fb7-bb829a0e1a15}\\{987a3601-c362-48e4-a856-e28f070efb07}\\InstanceType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{3def464b-f31b-4117-8fb7-bb829a0e1a15}\\{987a3601-c362-48e4-a856-e28f070efb07}\\NameResource",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{3def464b-f31b-4117-8fb7-bb829a0e1a15}\\{987a3601-c362-48e4-a856-e28f070efb07}\\ExplainResource",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{3def464b-f31b-4117-8fb7-bb829a0e1a15}\\{987a3601-c362-48e4-a856-e28f070efb07}\\First Counter",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{3def464b-f31b-4117-8fb7-bb829a0e1a15}\\{987a3601-c362-48e4-a856-e28f070efb07}\\Last Counter",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{3def464b-f31b-4117-8fb7-bb829a0e1a15}\\{987a3601-c362-48e4-a856-e28f070efb07}\\NeutralName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{3def464b-f31b-4117-8fb7-bb829a0e1a15}\\{987a3601-c362-48e4-a856-e28f070efb07}\\CounterBlock",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{3def464b-f31b-4117-8fb7-bb829a0e1a15}\\{987a3601-c362-48e4-a856-e28f070efb07}\\CounterCount",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{3def464b-f31b-4117-8fb7-bb829a0e1a15}\\{9acaa205-c3ed-4acd-a911-6554d156b095}",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{3def464b-f31b-4117-8fb7-bb829a0e1a15}\\{9acaa205-c3ed-4acd-a911-6554d156b095}\\InstanceType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{3def464b-f31b-4117-8fb7-bb829a0e1a15}\\{9acaa205-c3ed-4acd-a911-6554d156b095}\\NameResource",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{3def464b-f31b-4117-8fb7-bb829a0e1a15}\\{9acaa205-c3ed-4acd-a911-6554d156b095}\\ExplainResource",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{3def464b-f31b-4117-8fb7-bb829a0e1a15}\\{9acaa205-c3ed-4acd-a911-6554d156b095}\\First Counter",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{3def464b-f31b-4117-8fb7-bb829a0e1a15}\\{9acaa205-c3ed-4acd-a911-6554d156b095}\\Last Counter",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{3def464b-f31b-4117-8fb7-bb829a0e1a15}\\{9acaa205-c3ed-4acd-a911-6554d156b095}\\NeutralName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{3def464b-f31b-4117-8fb7-bb829a0e1a15}\\{9acaa205-c3ed-4acd-a911-6554d156b095}\\CounterBlock",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{3def464b-f31b-4117-8fb7-bb829a0e1a15}\\{9acaa205-c3ed-4acd-a911-6554d156b095}\\CounterCount",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{3def464b-f31b-4117-8fb7-bb829a0e1a15}\\{9acaa206-c3ed-4acd-a911-6554d156b095}",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{3def464b-f31b-4117-8fb7-bb829a0e1a15}\\{9acaa206-c3ed-4acd-a911-6554d156b095}\\InstanceType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{3def464b-f31b-4117-8fb7-bb829a0e1a15}\\{9acaa206-c3ed-4acd-a911-6554d156b095}\\NameResource",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{3def464b-f31b-4117-8fb7-bb829a0e1a15}\\{9acaa206-c3ed-4acd-a911-6554d156b095}\\ExplainResource",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{3def464b-f31b-4117-8fb7-bb829a0e1a15}\\{9acaa206-c3ed-4acd-a911-6554d156b095}\\First Counter",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{3def464b-f31b-4117-8fb7-bb829a0e1a15}\\{9acaa206-c3ed-4acd-a911-6554d156b095}\\Last Counter",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{3def464b-f31b-4117-8fb7-bb829a0e1a15}\\{9acaa206-c3ed-4acd-a911-6554d156b095}\\NeutralName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{3def464b-f31b-4117-8fb7-bb829a0e1a15}\\{9acaa206-c3ed-4acd-a911-6554d156b095}\\CounterBlock",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{3def464b-f31b-4117-8fb7-bb829a0e1a15}\\{9acaa206-c3ed-4acd-a911-6554d156b095}\\CounterCount",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{3def464b-f31b-4117-8fb7-bb829a0e1a15}\\{c0fe4189-5cfa-4659-9eba-10541cc395a0}",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{3def464b-f31b-4117-8fb7-bb829a0e1a15}\\{c0fe4189-5cfa-4659-9eba-10541cc395a0}\\InstanceType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{3def464b-f31b-4117-8fb7-bb829a0e1a15}\\{c0fe4189-5cfa-4659-9eba-10541cc395a0}\\NameResource",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{3def464b-f31b-4117-8fb7-bb829a0e1a15}\\{c0fe4189-5cfa-4659-9eba-10541cc395a0}\\ExplainResource",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{3def464b-f31b-4117-8fb7-bb829a0e1a15}\\{c0fe4189-5cfa-4659-9eba-10541cc395a0}\\First Counter",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{3def464b-f31b-4117-8fb7-bb829a0e1a15}\\{c0fe4189-5cfa-4659-9eba-10541cc395a0}\\Last Counter",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{3def464b-f31b-4117-8fb7-bb829a0e1a15}\\{c0fe4189-5cfa-4659-9eba-10541cc395a0}\\NeutralName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{3def464b-f31b-4117-8fb7-bb829a0e1a15}\\{c0fe4189-5cfa-4659-9eba-10541cc395a0}\\CounterBlock",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{3def464b-f31b-4117-8fb7-bb829a0e1a15}\\{c0fe4189-5cfa-4659-9eba-10541cc395a0}\\CounterCount",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{3def464b-f31b-4117-8fb7-bb829a0e1a15}\\{c5a19aba-349b-49cc-94c8-f36404082727}",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{3def464b-f31b-4117-8fb7-bb829a0e1a15}\\{c5a19aba-349b-49cc-94c8-f36404082727}\\InstanceType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{3def464b-f31b-4117-8fb7-bb829a0e1a15}\\{c5a19aba-349b-49cc-94c8-f36404082727}\\NameResource",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{3def464b-f31b-4117-8fb7-bb829a0e1a15}\\{c5a19aba-349b-49cc-94c8-f36404082727}\\ExplainResource",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{3def464b-f31b-4117-8fb7-bb829a0e1a15}\\{c5a19aba-349b-49cc-94c8-f36404082727}\\First Counter",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{3def464b-f31b-4117-8fb7-bb829a0e1a15}\\{c5a19aba-349b-49cc-94c8-f36404082727}\\Last Counter",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{3def464b-f31b-4117-8fb7-bb829a0e1a15}\\{c5a19aba-349b-49cc-94c8-f36404082727}\\NeutralName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{3def464b-f31b-4117-8fb7-bb829a0e1a15}\\{c5a19aba-349b-49cc-94c8-f36404082727}\\CounterBlock",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{3def464b-f31b-4117-8fb7-bb829a0e1a15}\\{c5a19aba-349b-49cc-94c8-f36404082727}\\CounterCount",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{3e785595-30c2-437d-96ed-677d14724610}",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{3e785595-30c2-437d-96ed-677d14724610}\\ProviderType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{3e785595-30c2-437d-96ed-677d14724610}\\ProviderName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{3e785595-30c2-437d-96ed-677d14724610}\\ApplicationIdentity",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{3e785595-30c2-437d-96ed-677d14724610}\\{6ca1716d-53cd-468a-a1b3-59032c19c166}",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{3e785595-30c2-437d-96ed-677d14724610}\\{6ca1716d-53cd-468a-a1b3-59032c19c166}\\InstanceType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{3e785595-30c2-437d-96ed-677d14724610}\\{6ca1716d-53cd-468a-a1b3-59032c19c166}\\NameResource",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{3e785595-30c2-437d-96ed-677d14724610}\\{6ca1716d-53cd-468a-a1b3-59032c19c166}\\ExplainResource",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{3e785595-30c2-437d-96ed-677d14724610}\\{6ca1716d-53cd-468a-a1b3-59032c19c166}\\First Counter",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{3e785595-30c2-437d-96ed-677d14724610}\\{6ca1716d-53cd-468a-a1b3-59032c19c166}\\Last Counter",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{3e785595-30c2-437d-96ed-677d14724610}\\{6ca1716d-53cd-468a-a1b3-59032c19c166}\\CounterBlock",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{3e785595-30c2-437d-96ed-677d14724610}\\{6ca1716d-53cd-468a-a1b3-59032c19c166}\\CounterCount",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{408443b2-2164-418a-ad52-c761f93310f3}",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{408443b2-2164-418a-ad52-c761f93310f3}\\ProviderType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{408443b2-2164-418a-ad52-c761f93310f3}\\ProviderName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{408443b2-2164-418a-ad52-c761f93310f3}\\ApplicationIdentity",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{408443b2-2164-418a-ad52-c761f93310f3}\\{c3cf1c57-275d-4b71-a5a6-e4e90401b821}",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{408443b2-2164-418a-ad52-c761f93310f3}\\{c3cf1c57-275d-4b71-a5a6-e4e90401b821}\\InstanceType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{408443b2-2164-418a-ad52-c761f93310f3}\\{c3cf1c57-275d-4b71-a5a6-e4e90401b821}\\NameResource",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{408443b2-2164-418a-ad52-c761f93310f3}\\{c3cf1c57-275d-4b71-a5a6-e4e90401b821}\\ExplainResource",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{408443b2-2164-418a-ad52-c761f93310f3}\\{c3cf1c57-275d-4b71-a5a6-e4e90401b821}\\First Counter",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{408443b2-2164-418a-ad52-c761f93310f3}\\{c3cf1c57-275d-4b71-a5a6-e4e90401b821}\\Last Counter",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{408443b2-2164-418a-ad52-c761f93310f3}\\{c3cf1c57-275d-4b71-a5a6-e4e90401b821}\\NeutralName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{408443b2-2164-418a-ad52-c761f93310f3}\\{c3cf1c57-275d-4b71-a5a6-e4e90401b821}\\CounterBlock",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{408443b2-2164-418a-ad52-c761f93310f3}\\{c3cf1c57-275d-4b71-a5a6-e4e90401b821}\\CounterCount",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{408443b2-2164-418a-ad52-c761f93310f3}\\{e363bd27-bfbd-4581-a142-ecc006a7b82b}",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{408443b2-2164-418a-ad52-c761f93310f3}\\{e363bd27-bfbd-4581-a142-ecc006a7b82b}\\InstanceType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{408443b2-2164-418a-ad52-c761f93310f3}\\{e363bd27-bfbd-4581-a142-ecc006a7b82b}\\NameResource",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{408443b2-2164-418a-ad52-c761f93310f3}\\{e363bd27-bfbd-4581-a142-ecc006a7b82b}\\ExplainResource",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{408443b2-2164-418a-ad52-c761f93310f3}\\{e363bd27-bfbd-4581-a142-ecc006a7b82b}\\First Counter",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{408443b2-2164-418a-ad52-c761f93310f3}\\{e363bd27-bfbd-4581-a142-ecc006a7b82b}\\Last Counter",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{408443b2-2164-418a-ad52-c761f93310f3}\\{e363bd27-bfbd-4581-a142-ecc006a7b82b}\\NeutralName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{408443b2-2164-418a-ad52-c761f93310f3}\\{e363bd27-bfbd-4581-a142-ecc006a7b82b}\\CounterBlock",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{408443b2-2164-418a-ad52-c761f93310f3}\\{e363bd27-bfbd-4581-a142-ecc006a7b82b}\\CounterCount",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{408443b2-2164-418a-ad52-c761f93310f3}\\{f961fa1c-6b9b-4d16-b414-499ed1f6d6f2}",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{408443b2-2164-418a-ad52-c761f93310f3}\\{f961fa1c-6b9b-4d16-b414-499ed1f6d6f2}\\InstanceType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{408443b2-2164-418a-ad52-c761f93310f3}\\{f961fa1c-6b9b-4d16-b414-499ed1f6d6f2}\\NameResource",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{408443b2-2164-418a-ad52-c761f93310f3}\\{f961fa1c-6b9b-4d16-b414-499ed1f6d6f2}\\ExplainResource",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{408443b2-2164-418a-ad52-c761f93310f3}\\{f961fa1c-6b9b-4d16-b414-499ed1f6d6f2}\\First Counter",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{408443b2-2164-418a-ad52-c761f93310f3}\\{f961fa1c-6b9b-4d16-b414-499ed1f6d6f2}\\Last Counter",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{408443b2-2164-418a-ad52-c761f93310f3}\\{f961fa1c-6b9b-4d16-b414-499ed1f6d6f2}\\NeutralName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{408443b2-2164-418a-ad52-c761f93310f3}\\{f961fa1c-6b9b-4d16-b414-499ed1f6d6f2}\\CounterBlock",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{408443b2-2164-418a-ad52-c761f93310f3}\\{f961fa1c-6b9b-4d16-b414-499ed1f6d6f2}\\CounterCount",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{420a6c98-914e-40fc-9a0f-80c7db801780}",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{420a6c98-914e-40fc-9a0f-80c7db801780}\\ProviderType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{420a6c98-914e-40fc-9a0f-80c7db801780}\\ProviderName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{420a6c98-914e-40fc-9a0f-80c7db801780}\\ApplicationIdentity",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{420a6c98-914e-40fc-9a0f-80c7db801780}\\{a44a45c2-664d-476c-b68c-6b123eccc31f}",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{420a6c98-914e-40fc-9a0f-80c7db801780}\\{a44a45c2-664d-476c-b68c-6b123eccc31f}\\InstanceType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{420a6c98-914e-40fc-9a0f-80c7db801780}\\{a44a45c2-664d-476c-b68c-6b123eccc31f}\\NameResource",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{420a6c98-914e-40fc-9a0f-80c7db801780}\\{a44a45c2-664d-476c-b68c-6b123eccc31f}\\ExplainResource",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{420a6c98-914e-40fc-9a0f-80c7db801780}\\{a44a45c2-664d-476c-b68c-6b123eccc31f}\\First Counter",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{420a6c98-914e-40fc-9a0f-80c7db801780}\\{a44a45c2-664d-476c-b68c-6b123eccc31f}\\Last Counter",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{420a6c98-914e-40fc-9a0f-80c7db801780}\\{a44a45c2-664d-476c-b68c-6b123eccc31f}\\CounterBlock",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{420a6c98-914e-40fc-9a0f-80c7db801780}\\{a44a45c2-664d-476c-b68c-6b123eccc31f}\\CounterCount",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{4d4bac91-2b54-4f84-be36-cf74389f8f49}",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{4d4bac91-2b54-4f84-be36-cf74389f8f49}\\ProviderType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{4d4bac91-2b54-4f84-be36-cf74389f8f49}\\ProviderName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{4d4bac91-2b54-4f84-be36-cf74389f8f49}\\ApplicationIdentity",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{4d4bac91-2b54-4f84-be36-cf74389f8f49}\\{d30c5234-f79d-44a9-9803-2f9d5feef791}",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{4d4bac91-2b54-4f84-be36-cf74389f8f49}\\{d30c5234-f79d-44a9-9803-2f9d5feef791}\\InstanceType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{4d4bac91-2b54-4f84-be36-cf74389f8f49}\\{d30c5234-f79d-44a9-9803-2f9d5feef791}\\NameResource",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{4d4bac91-2b54-4f84-be36-cf74389f8f49}\\{d30c5234-f79d-44a9-9803-2f9d5feef791}\\ExplainResource",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{4d4bac91-2b54-4f84-be36-cf74389f8f49}\\{d30c5234-f79d-44a9-9803-2f9d5feef791}\\First Counter",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{4d4bac91-2b54-4f84-be36-cf74389f8f49}\\{d30c5234-f79d-44a9-9803-2f9d5feef791}\\Last Counter",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{4d4bac91-2b54-4f84-be36-cf74389f8f49}\\{d30c5234-f79d-44a9-9803-2f9d5feef791}\\NeutralName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{4d4bac91-2b54-4f84-be36-cf74389f8f49}\\{d30c5234-f79d-44a9-9803-2f9d5feef791}\\CounterBlock",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{4d4bac91-2b54-4f84-be36-cf74389f8f49}\\{d30c5234-f79d-44a9-9803-2f9d5feef791}\\CounterCount",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{4d4bac91-2b54-4f84-be36-cf74389f8f49}\\{e6e560b2-062f-41ca-89ab-f6987f2b7a25}",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{4d4bac91-2b54-4f84-be36-cf74389f8f49}\\{e6e560b2-062f-41ca-89ab-f6987f2b7a25}\\InstanceType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{4d4bac91-2b54-4f84-be36-cf74389f8f49}\\{e6e560b2-062f-41ca-89ab-f6987f2b7a25}\\NameResource",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{4d4bac91-2b54-4f84-be36-cf74389f8f49}\\{e6e560b2-062f-41ca-89ab-f6987f2b7a25}\\ExplainResource",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{4d4bac91-2b54-4f84-be36-cf74389f8f49}\\{e6e560b2-062f-41ca-89ab-f6987f2b7a25}\\First Counter",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{4d4bac91-2b54-4f84-be36-cf74389f8f49}\\{e6e560b2-062f-41ca-89ab-f6987f2b7a25}\\Last Counter",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{4d4bac91-2b54-4f84-be36-cf74389f8f49}\\{e6e560b2-062f-41ca-89ab-f6987f2b7a25}\\NeutralName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{4d4bac91-2b54-4f84-be36-cf74389f8f49}\\{e6e560b2-062f-41ca-89ab-f6987f2b7a25}\\CounterBlock",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{4d4bac91-2b54-4f84-be36-cf74389f8f49}\\{e6e560b2-062f-41ca-89ab-f6987f2b7a25}\\CounterCount",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{4d4bac91-2b54-4f84-be36-cf74389f8f49}\\{f4681672-32dc-41db-8669-fdf490345ba5}",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{4d4bac91-2b54-4f84-be36-cf74389f8f49}\\{f4681672-32dc-41db-8669-fdf490345ba5}\\InstanceType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{4d4bac91-2b54-4f84-be36-cf74389f8f49}\\{f4681672-32dc-41db-8669-fdf490345ba5}\\NameResource",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{4d4bac91-2b54-4f84-be36-cf74389f8f49}\\{f4681672-32dc-41db-8669-fdf490345ba5}\\ExplainResource",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{4d4bac91-2b54-4f84-be36-cf74389f8f49}\\{f4681672-32dc-41db-8669-fdf490345ba5}\\First Counter",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{4d4bac91-2b54-4f84-be36-cf74389f8f49}\\{f4681672-32dc-41db-8669-fdf490345ba5}\\Last Counter",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{4d4bac91-2b54-4f84-be36-cf74389f8f49}\\{f4681672-32dc-41db-8669-fdf490345ba5}\\NeutralName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{4d4bac91-2b54-4f84-be36-cf74389f8f49}\\{f4681672-32dc-41db-8669-fdf490345ba5}\\CounterBlock",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{4d4bac91-2b54-4f84-be36-cf74389f8f49}\\{f4681672-32dc-41db-8669-fdf490345ba5}\\CounterCount",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{57683f06-a08b-4708-8825-5c26f410744b}",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{57683f06-a08b-4708-8825-5c26f410744b}\\ProviderType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{57683f06-a08b-4708-8825-5c26f410744b}\\ProviderName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{57683f06-a08b-4708-8825-5c26f410744b}\\ApplicationIdentity",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{57683f06-a08b-4708-8825-5c26f410744b}\\{d9ff82a4-a6a2-4fa5-899e-086ead3bab21}",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{57683f06-a08b-4708-8825-5c26f410744b}\\{d9ff82a4-a6a2-4fa5-899e-086ead3bab21}\\InstanceType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{57683f06-a08b-4708-8825-5c26f410744b}\\{e0e99beb-f7d6-4402-ab36-e510d7048f22}",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{57ec1e30-406c-48ee-8e96-5da71298991f}",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{57ec1e30-406c-48ee-8e96-5da71298991f}\\{6f1a94cb-68ed-4a84-9668-64e671e1ffef}",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{5c3b2414-fd1d-44fb-8b00-e3194209dd1a}",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{5c3b2414-fd1d-44fb-8b00-e3194209dd1a}\\{227419d5-f6d8-4fb7-85d6-2cac1725e4a9}",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{5c3b2414-fd1d-44fb-8b00-e3194209dd1a}\\{978c167d-4764-4d9c-9824-14747351dc81}",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{5c3b2414-fd1d-44fb-8b00-e3194209dd1a}\\{be2139c7-ab81-424d-b107-d87f7c9322ac}",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{5c3b2414-fd1d-44fb-8b00-e3194209dd1a}\\{f802502b-77b4-4713-81b3-3be05759da5d}",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{5c3b2414-fd1d-44fb-8b00-e3194209dd1a}\\{f9ed01f5-8f3e-4956-973f-9f05bc96f489}",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{5db760bc-64b2-4da7-b4ef-7dab105fbb8c}",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{5db760bc-64b2-4da7-b4ef-7dab105fbb8c}\\{faa17411-9025-4b86-8b5e-ce2f32b06e13}",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{5e6554b3-ccf8-4769-b82b-798f4cce5483}",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{5e6554b3-ccf8-4769-b82b-798f4cce5483}\\{ac5e8416-9f39-4166-951f-88ee9635b1d8}",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{5e6554b3-ccf8-4769-b82b-798f4cce5483}\\{b790d108-d503-47ec-9d7b-b39737b39dba}",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{5e6554b3-ccf8-4769-b82b-798f4cce5483}\\{e4a2b264-7187-41ca-aa73-7dc698d49ed1}",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{62706b23-4f66-4c53-b6cc-c6600ccc2752}",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{62706b23-4f66-4c53-b6cc-c6600ccc2752}\\{08fb768b-1e55-4040-b153-e0ddbedd8042}",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{62706b23-4f66-4c53-b6cc-c6600ccc2752}\\{21a64f86-6cbe-47e1-a497-261226ca12f7}",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{62706b23-4f66-4c53-b6cc-c6600ccc2752}\\{60aa43c9-c1b7-41bf-9b4c-b7f6cc1d93b9}",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{62706b23-4f66-4c53-b6cc-c6600ccc2752}\\{65faa5f0-141d-4f38-acf0-c79bb0c7be2d}",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{62706b23-4f66-4c53-b6cc-c6600ccc2752}\\{c0df9671-a0ea-4576-9f81-853127cf8d28}",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{71cb4f3b-e29c-4619-a5d5-5fd6a68120ad}",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{71cb4f3b-e29c-4619-a5d5-5fd6a68120ad}\\{3c8cb362-147c-4105-b98b-11fd7e671dd7}",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{71cb4f3b-e29c-4619-a5d5-5fd6a68120ad}\\{7b08ee8b-88d7-4cad-a06f-70d1c4b65ee7}",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{74800676-866f-4bbd-8680-dac6a6fb6c8e}",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{74800676-866f-4bbd-8680-dac6a6fb6c8e}\\{06ebf20d-17fb-4338-a08d-7a99f17ca678}",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{74800676-866f-4bbd-8680-dac6a6fb6c8e}\\{ad8644c4-ae02-4b22-990d-52b491f91c26}",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{890c10c3-8c2a-4fe3-a36a-9eca153d47cb}",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{890c10c3-8c2a-4fe3-a36a-9eca153d47cb}\\{16dcff2c-91a3-4e6a-8135-0a9e6681c1b5}",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{890c10c3-8c2a-4fe3-a36a-9eca153d47cb}\\{8ebb0470-da6d-485b-8441-8e06b049157a}",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{890c10c3-8c2a-4fe3-a36a-9eca153d47cb}\\{e829b6db-21ab-453b-83c9-d980ec708edd}",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{898a4828-e6e6-4ddd-abb2-5751e3949aa4}",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{898a4828-e6e6-4ddd-abb2-5751e3949aa4}\\{115b92b4-7191-491a-a9b5-93c8e9fb641b}",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{9eeedeb1-de39-4fba-9cd5-6521b9f19984}",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{9eeedeb1-de39-4fba-9cd5-6521b9f19984}\\{2b048375-f829-4b1d-b117-681e9ead1d50}",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{9eeedeb1-de39-4fba-9cd5-6521b9f19984}\\{c71cfb00-0ecc-43a3-bf5a-a90ca7718033}",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{a18453e4-433b-4d33-ac66-2551e3bba9be}",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{a18453e4-433b-4d33-ac66-2551e3bba9be}\\{66f19dff-a4dd-4802-8fbb-29e6a54af9da}",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{a3886623-dd46-48fc-a1f9-e3da35125995}",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{a3886623-dd46-48fc-a1f9-e3da35125995}\\{042478fc-1449-4b04-a0d8-ba5660ab739a}",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{a3886623-dd46-48fc-a1f9-e3da35125995}\\{3ab34489-ec07-4d11-a4bb-677b87cd58d9}",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{a3886623-dd46-48fc-a1f9-e3da35125995}\\{3f0903d7-5b0b-493e-abf2-a36fd7ce2601}",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{a3886623-dd46-48fc-a1f9-e3da35125995}\\{6800b902-8b06-11df-9561-f043dfd72085}",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{a3886623-dd46-48fc-a1f9-e3da35125995}\\{7495d5d9-ea6a-444d-afab-e3cae27c047b}",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{a3886623-dd46-48fc-a1f9-e3da35125995}\\{cd376bd3-9f6b-48c0-840e-1816b7a50fdc}",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{b1c6de93-e020-4ad9-9ca5-4dd5553004cf}",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{b1c6de93-e020-4ad9-9ca5-4dd5553004cf}\\{1045bf74-023b-445a-9e2b-2038ff4789a6}",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{b1c6de93-e020-4ad9-9ca5-4dd5553004cf}\\{86b34670-d4bb-40c9-8301-33fb16675d61}",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{b9fcf33d-ba8f-4654-a5f2-bf58a5866ca8}",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{b9fcf33d-ba8f-4654-a5f2-bf58a5866ca8}\\{bd4b1f37-d1f0-4fc5-996d-d4a21290f212}",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{ba888490-8281-4ac7-b0de-8cc46b314d43}",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{ba888490-8281-4ac7-b0de-8cc46b314d43}\\{06f6022a-82f9-48a5-bc16-074c1bed416c}",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{cb44ecb6-d88a-4b33-a39c-d6a9c03142a9}",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{cb44ecb6-d88a-4b33-a39c-d6a9c03142a9}\\{4e590c2e-2ad3-4138-8f61-4b08771dbbc8}",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{cb6d8ddc-a302-4349-88fd-9fcf6d3a7308}",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{cb6d8ddc-a302-4349-88fd-9fcf6d3a7308}\\{19b5bae2-18c5-4ab8-99de-255f0e96760a}",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{cb6d8ddc-a302-4349-88fd-9fcf6d3a7380}",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{cb6d8ddc-a302-4349-88fd-9fcf6d3a7380}\\{135f3513-bc27-4360-b281-0a36caceb1f2}",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{cb6d8ddc-a302-4349-88fd-9fcf6d3a7380}\\{19b5bae2-18c5-4ab8-99de-255f0e9676a0}",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{cb6d8ddc-a302-4349-88fd-9fcf6d3a7380}\\{8bc1703a-939f-4ee1-8785-b0fc5837feb2}",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{cb6d8ddc-a302-4349-88fd-9fcf6d3a7380}\\{cc16fe4c-d638-492e-a924-519185396ebf}",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{cc549940-0edf-41b1-8298-74c2627b6af9}",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{cc549940-0edf-41b1-8298-74c2627b6af9}\\{35a002b8-38a7-41eb-bedd-6610bb93f046}",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{cc629d13-f318-4c40-b1ed-d70bce524515}",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{cc629d13-f318-4c40-b1ed-d70bce524515}\\{22ca1519-4394-4a5f-be88-84a5c853a4aa}",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{db314ee3-3157-4e56-8fd9-2184874d195d}",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{db314ee3-3157-4e56-8fd9-2184874d195d}\\{fb01b3ef-bb4a-4c48-9ab8-dc1871675e6d}",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{ddf417dc-4cc3-4529-9ffc-1d04eb678da3}",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{ddf417dc-4cc3-4529-9ffc-1d04eb678da3}\\{d53266b4-c9f5-4808-8a0f-d17bbf493416}",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{e08d5971-88fb-4799-b066-6978845f73c1}",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{e08d5971-88fb-4799-b066-6978845f73c1}\\{b851890b-3e61-427a-ab94-461e088d4827}",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{ef63b92d-c5a6-4314-ac9f-cc6b1c56fb9c}",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{ef63b92d-c5a6-4314-ac9f-cc6b1c56fb9c}\\{11ace151-4bac-44b0-8a82-0a859a5355d9}",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{ef63b92d-c5a6-4314-ac9f-cc6b1c56fb9c}\\{1cc9da8b-58a5-4c92-9a4e-f05f2a2ae7a3}",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{ef63b92d-c5a6-4314-ac9f-cc6b1c56fb9c}\\{28d00a68-8309-4a3e-bf1d-0ebd27c75787}",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{ef63b92d-c5a6-4314-ac9f-cc6b1c56fb9c}\\{40990512-fb18-4bbd-95e2-f72e8cdae178}",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{ef63b92d-c5a6-4314-ac9f-cc6b1c56fb9c}\\{40e6824e-1b9b-4329-9a6e-e94c8fb03a3f}",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{ef63b92d-c5a6-4314-ac9f-cc6b1c56fb9c}\\{58276884-7f29-450d-bcfa-5be4b7266334}",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{ef63b92d-c5a6-4314-ac9f-cc6b1c56fb9c}\\{63c158d0-2a4c-4509-8d27-29e935b69e5f}",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{ef63b92d-c5a6-4314-ac9f-cc6b1c56fb9c}\\{6b81611f-8998-47c2-9550-f7dc0324e620}",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{ef63b92d-c5a6-4314-ac9f-cc6b1c56fb9c}\\{7a030929-9547-485c-ba6c-3e891612c2ce}",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{ef63b92d-c5a6-4314-ac9f-cc6b1c56fb9c}\\{83a3746d-a9ec-47c0-830f-6dd440b07666}",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{ef63b92d-c5a6-4314-ac9f-cc6b1c56fb9c}\\{9815b8f4-d337-4eb4-a468-fc9a83bcce65}",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{ef63b92d-c5a6-4314-ac9f-cc6b1c56fb9c}\\{a30f983f-321a-48b0-85c3-cab02781dd02}",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{ef63b92d-c5a6-4314-ac9f-cc6b1c56fb9c}\\{aaca5b25-a859-438d-93b6-924f63a2cb3c}",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{ef63b92d-c5a6-4314-ac9f-cc6b1c56fb9c}\\{e6e73867-856a-4574-a0ba-01c066d376f5}",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{f25a20a5-fd7a-417b-afc3-76295ebac77c}",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{f25a20a5-fd7a-417b-afc3-76295ebac77c}\\{51bda498-67cb-479f-b898-57d2d73788f0}",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{f25a20a5-fd7a-417b-afc3-76295ebac77c}\\{811bbce5-7327-4ad9-ab62-a8b955f61eef}",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{f3991d9d-fc17-4f37-b12f-8984a43e1aeb}",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{f3991d9d-fc17-4f37-b12f-8984a43e1aeb}\\{9ff69334-839c-41fe-96e0-c5189ac431f2}",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{f3991d9d-fc17-4f37-b12f-8984a43e1aeb}\\{a8180dab-81d0-4e05-b76b-eb4c5fb37357}",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{f3991d9d-fc17-4f37-b12f-8984a43e1aeb}\\{c0c9c676-ac38-40d4-a23c-69f05d12a306}",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{f3991d9d-fc17-4f37-b12f-8984a43e1aeb}\\{d7e69761-f919-4bfa-bbb6-bece1050a2ce}",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{f3b975e7-e068-4f66-81ef-b23e0a0e64c9}",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{f3b975e7-e068-4f66-81ef-b23e0a0e64c9}\\{fc9e399c-c70a-4458-8430-ca249c371eb3}",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{f6c5ad57-a5be-4259-9060-b2c4ebfccd96}",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{f6c5ad57-a5be-4259-9060-b2c4ebfccd96}\\{1f7207c2-0b8c-48de-9dcd-64ff98cc24e1}",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{fd0dce36-af57-417b-9ce6-2d10633b4cf9}",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{fd0dce36-af57-417b-9ce6-2d10633b4cf9}\\{7d937e49-cfd5-438f-af4f-b3047d90a5c3}",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{fd0dce36-af57-417b-9ce6-2d10633b4cf9}\\{f3e82f6e-9df4-425d-a5d5-3a9832005b16}",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\Version",
        "HKEY_PERFORMANCE_DATA\\Counter 0409",
        "HKEY_PERFORMANCE_DATA\\Counter 009",
        "HKEY_PERFORMANCE_DATA\\Explain 0409",
        "HKEY_CURRENT_USER\\Software\\Microsoft\\Direct3D",
        "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Direct3D",
        "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\SecurityManager\\TransientObjects\\%5C%5C.%5CRpc%5CAllowLpacAppExperience%5CInterface",
        "HKEY_CURRENT_USER\\Software\\Microsoft\\DirectX\\UserGpuPreferences",
        "HKEY_CURRENT_USER\\Software\\Microsoft\\Direct3D\\Direct3D12",
        "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Direct3D\\Direct3D12",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Appx",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModelUnlock",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\MachineGuid",
        "HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows NT\\Rpc",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\Package\\Index\\PackageFullName\\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\PackageExternalLocation\\Index\\UserAndPackage\\3^90",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\PackageExternalLocation\\Index\\UserAndPackage\\0^90",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\Package\\Data\\90",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\Package\\Data\\90\\InstalledLocation",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\Package\\Data\\90\\MutableLink",
        "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateChange\\PackageList\\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe",
        "HKEY_CURRENT_USER\\Software\\Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\Repository\\Packages\\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe",
        "HKEY_CURRENT_USER\\Software\\Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\Repository\\Packages\\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\\PackageStatus",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\Package\\Data\\90\\PackageOrigin",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\Package\\Data\\90\\PackageFullName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\Package\\Data\\90\\PackageFamily",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\Package\\Data\\90\\PackageType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\Package\\Data\\90\\Flags",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\Package\\Data\\90\\Flags2",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\Package\\Data\\90\\Volume",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\Package\\Data\\90\\OSMaxVersionTested",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\Package\\Data\\90\\MutableLocation",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\Package\\Data\\90\\TargetDeviceFamilyName",
        "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion",
        "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\OEM",
        "HKEY_CURRENT_USER\\Software\\Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppContainer\\Storage\\Microsoft.WindowsStore_8wekyb3d8bbwe\\ResourcesConfig",
        "HKEY_CURRENT_USER\\Software\\Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppContainer\\Storage\\microsoft.windowsstore_8wekyb3d8bbwe\\ResourcesConfig\\CachedMergedResourcesPriFileName",
        "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Mrt",
        "HKEY_CURRENT_USER\\Software\\Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppContainer\\Storage\\microsoft.windowsstore_8wekyb3d8bbwe\\ResourcesConfig\\Language",
        "HKEY_CURRENT_USER\\Software\\Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\Repository\\Families\\Microsoft.WindowsStore_8wekyb3d8bbwe",
        "HKEY_CURRENT_USER\\Software\\Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\Repository\\Families\\Microsoft.WindowsStore_8wekyb3d8bbwe\\Microsoft.WindowsStore_11910.1002.5.0_neutral_split.scale-100_8wekyb3d8bbwe",
        "HKEY_CURRENT_USER\\Software\\Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\Repository\\Families\\Microsoft.WindowsStore_8wekyb3d8bbwe\\Microsoft.WindowsStore_11910.1002.5.0_neutral_split.scale-100_8wekyb3d8bbwe\\Flags",
        "HKEY_CURRENT_USER\\Software\\Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\Repository\\Families\\Microsoft.WindowsStore_8wekyb3d8bbwe\\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe",
        "HKEY_CURRENT_USER\\Software\\Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\Repository\\Families\\Microsoft.WindowsStore_8wekyb3d8bbwe\\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\\Flags",
        "HKEY_CURRENT_USER\\Software\\Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppContainer\\Storage\\microsoft.windowsstore_8wekyb3d8bbwe\\ResourcesConfig\\ManifestLanguagesList",
        "HKEY_CURRENT_USER\\Software\\Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppContainer\\Storage\\microsoft.windowsstore_8wekyb3d8bbwe\\ResourcesConfig\\OverrideLanguagesList",
        "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\SideBySide\\AssemblyStorageRoots",
        "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Session Manager\\Memory Management",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Session Manager\\Memory Management\\ExistingPageFiles",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Session Manager\\Memory Management\\PagingFiles",
        "HKEY_LOCAL_MACHINE\\HARDWARE\\DESCRIPTION\\System\\CentralProcessor\\0",
        "HKEY_LOCAL_MACHINE\\HARDWARE\\DESCRIPTION\\System\\CentralProcessor\\0\\ProcessorNameString",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\NoRun",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\StartupApproved\\Run\\SecurityHealth",
        "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\MicrosoftEdgeAutoLaunch_29EBC4579851B72EE312C449CF839B1A",
        "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\StartupApproved\\Run\\MicrosoftEdgeAutoLaunch_29EBC4579851B72EE312C449CF839B1A",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\Package\\Index\\PackageFullName\\Microsoft.MicrosoftEdge.Stable_148.0.3967.83_neutral__8wekyb3d8bbwe",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\PackageExternalLocation\\Index\\UserAndPackage\\3^b1",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\PackageExternalLocation\\Index\\UserAndPackage\\0^b1",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\PackageExternalLocation\\Data\\2",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\PackageExternalLocation\\Data\\2\\Path",
        "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateChange\\PackageList\\Microsoft.MicrosoftEdge.Stable_148.0.3967.83_neutral__8wekyb3d8bbwe",
        "HKEY_CURRENT_USER\\Software\\Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\Repository\\Packages\\Microsoft.MicrosoftEdge.Stable_148.0.3967.83_neutral__8wekyb3d8bbwe",
        "HKEY_CURRENT_USER\\Software\\Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\Repository\\Packages\\Microsoft.MicrosoftEdge.Stable_148.0.3967.83_neutral__8wekyb3d8bbwe\\PackageStatus",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\Package\\Data\\b1",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\Package\\Data\\b1\\PackageOrigin",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\Package\\Data\\b1\\PackageFullName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\Package\\Data\\b1\\PackageFamily",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\Package\\Data\\b1\\PackageType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\Package\\Data\\b1\\Flags",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\Package\\Data\\b1\\Flags2",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\Package\\Data\\b1\\Volume",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\Package\\Data\\b1\\OSMaxVersionTested",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\Package\\Data\\b1\\InstalledLocation",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\Package\\Data\\b1\\MutableLink",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\Package\\Data\\b1\\MutableLocation",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\Package\\Data\\b1\\TargetDeviceFamilyName",
        "HKEY_CURRENT_USER\\Software\\Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppContainer\\Storage\\Microsoft.MicrosoftEdge.Stable_8wekyb3d8bbwe\\ResourcesConfig",
        "HKEY_CURRENT_USER\\Software\\Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppContainer\\Storage\\microsoft.microsoftedge.stable_8wekyb3d8bbwe\\ResourcesConfig\\CachedMergedResourcesPriFileName",
        "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\PolicyManager\\default\\DataProtection\\EDPShowIcons",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\DataProtection\\EDPShowIcons\\PolicyType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\DataProtection\\EDPShowIcons\\Behavior",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\DataProtection\\EDPShowIcons\\MergeAlgorithm",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\DataProtection\\EDPShowIcons\\RegKeyPathRedirectMapped",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\DataProtection\\EDPShowIcons\\RegKeyPathRedirect",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\DataProtection\\EDPShowIcons\\grouppolicyname",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\DataProtection\\EDPShowIcons\\ADMXMetadataUser",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\DataProtection\\EDPShowIcons\\ADMXMetadataDevice",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\DataProtection\\EDPShowIcons\\ADMXMetadataBoth",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\DataProtection\\EDPShowIcons\\30Value",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\DataProtection\\EDPShowIcons\\Value",
        "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\PolicyManager\\current\\Device\\DataProtection",
        "HKEY_CLASSES_ROOT\\CLSID\\{AC757296-3522-4E11-9862-C17BE5A1767E}\\Instance",
        "HKEY_CLASSES_ROOT\\CLSID\\{2B46E70F-CDA7-473E-89F6-DC9630A2390B}\\Instance",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\\Category",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\\Name",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\\ParentFolder",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\\Description",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\\RelativePath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\\ParsingName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\\InfoTip",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\\LocalizedName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\\Icon",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\\Security",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\\StreamResource",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\\StreamResourceType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\\LocalRedirectOnly",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\\Roamable",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\\PreCreate",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\\Stream",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\\PublishExpandedPath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\\DefinitionFlags",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\\Attributes",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\\FolderTypeID",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\\InitFolderHandler",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\\PropertyBag",
        "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders\\Desktop",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{C4AA340D-F20F-4863-AFEF-F87EF2E6BA25}",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{C4AA340D-F20F-4863-AFEF-F87EF2E6BA25}\\Category",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{C4AA340D-F20F-4863-AFEF-F87EF2E6BA25}\\Name",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{C4AA340D-F20F-4863-AFEF-F87EF2E6BA25}\\ParentFolder",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{C4AA340D-F20F-4863-AFEF-F87EF2E6BA25}\\Description",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{C4AA340D-F20F-4863-AFEF-F87EF2E6BA25}\\RelativePath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{C4AA340D-F20F-4863-AFEF-F87EF2E6BA25}\\ParsingName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{C4AA340D-F20F-4863-AFEF-F87EF2E6BA25}\\InfoTip",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{C4AA340D-F20F-4863-AFEF-F87EF2E6BA25}\\LocalizedName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{C4AA340D-F20F-4863-AFEF-F87EF2E6BA25}\\Icon",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{C4AA340D-F20F-4863-AFEF-F87EF2E6BA25}\\Security",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{C4AA340D-F20F-4863-AFEF-F87EF2E6BA25}\\StreamResource",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{C4AA340D-F20F-4863-AFEF-F87EF2E6BA25}\\StreamResourceType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{C4AA340D-F20F-4863-AFEF-F87EF2E6BA25}\\LocalRedirectOnly",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{C4AA340D-F20F-4863-AFEF-F87EF2E6BA25}\\Roamable",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{C4AA340D-F20F-4863-AFEF-F87EF2E6BA25}\\PreCreate",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{C4AA340D-F20F-4863-AFEF-F87EF2E6BA25}\\Stream",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{C4AA340D-F20F-4863-AFEF-F87EF2E6BA25}\\PublishExpandedPath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{C4AA340D-F20F-4863-AFEF-F87EF2E6BA25}\\DefinitionFlags",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{C4AA340D-F20F-4863-AFEF-F87EF2E6BA25}\\Attributes",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{C4AA340D-F20F-4863-AFEF-F87EF2E6BA25}\\FolderTypeID",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{C4AA340D-F20F-4863-AFEF-F87EF2E6BA25}\\InitFolderHandler",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{C4AA340D-F20F-4863-AFEF-F87EF2E6BA25}\\PropertyBag",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders\\Common Desktop",
        "HKEY_LOCAL_MACHINE\\Software\\WOW6432Node\\Microsoft\\EdgeUpdate\\Clients\\{56EB18F8-B008-4CBD-B6D2-8C97FE7E9062}",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\EdgeUpdate\\Clients\\{56EB18F8-B008-4CBD-B6D2-8C97FE7E9062}\\channel",
        "HKEY_LOCAL_MACHINE\\Software\\WOW6432Node\\Microsoft\\EdgeUpdate\\ClientState\\{56EB18F8-B008-4CBD-B6D2-8C97FE7E9062}",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\EdgeUpdate\\ClientState\\{56EB18F8-B008-4CBD-B6D2-8C97FE7E9062}\\ap",
        "HKEY_LOCAL_MACHINE\\Software\\WOW6432Node\\Microsoft\\EdgeUpdate\\ClientState\\{56EB18F8-B008-4CBD-B6D2-8C97FE7E9062}\\cohort",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\EdgeUpdate\\ClientState\\{56EB18F8-B008-4CBD-B6D2-8C97FE7E9062}\\cohort\\name",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\OEM\\DeviceForm",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\UBR",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\DisplayVersion",
        "HKEY_CURRENT_USER\\Software\\Classes",
        "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\COM3",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\COM3\\Com+Enabled",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.UI.Notifications.ToastNotificationManager",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.UI.Notifications.ToastNotificationManager\\ActivationType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.UI.Notifications.ToastNotificationManager\\Server",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.UI.Notifications.ToastNotificationManager\\DllPath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.UI.Notifications.ToastNotificationManager\\Threading",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.UI.Notifications.ToastNotificationManager\\TrustLevel",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.UI.Notifications.ToastNotificationManager\\CustomAttributes",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.UI.Notifications.ToastNotificationManager\\RemoteServer",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.UI.Notifications.ToastNotificationManager\\ActivateAsUser",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.UI.Notifications.ToastNotificationManager\\ActivateInSharedBroker",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.UI.Notifications.ToastNotificationManager\\ActivateInBrokerForMediumILContainer",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.UI.Notifications.ToastNotificationManager\\Permissions",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.UI.Notifications.ToastNotificationManager\\ActivateOnHostFlags",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Appx\\AllowDevelopmentWithoutDevLicense",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModelUnlock\\AllowDevelopmentWithoutDevLicense",
        "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\OLE\\AppCompat",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Ole\\AppCompat\\RaiseActivationAuthenticationLevel",
        "HKEY_CURRENT_USER\\Software\\Classes\\AppID\\identity_helper.exe",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Ole\\AppCompat\\RaiseDefaultAuthnLevel",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\OLE",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Ole\\DefaultAccessPermission",
        "HKEY_CURRENT_USER\\Software\\Classes\\Interface\\{00000134-0000-0000-C000-000000000046}",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{00000134-0000-0000-C000-000000000046}\\ProxyStubClsid32",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{00000134-0000-0000-C000-000000000046}\\ProxyStubClsid32\\(Default)",
        "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Rpc\\Extensions",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Rpc\\Extensions\\NdrOleExtDLL",
        "HKEY_CURRENT_USER\\Software\\Classes\\Interface\\{E1CDD77A-65D3-4DB0-B339-21F6A48CC2FF}",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{E1CDD77A-65D3-4db0-B339-21F6A48CC2FF}\\ProxyStubClsid32",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{E1CDD77A-65D3-4db0-B339-21F6A48CC2FF}\\ProxyStubClsid32\\(Default)",
        "HKEY_CURRENT_USER\\Software\\Classes\\Interface\\{00000035-0000-0000-C000-000000000046}",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{00000035-0000-0000-C000-000000000046}\\ProxyStubClsid32",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{00000035-0000-0000-C000-000000000046}\\ProxyStubClsid32\\(Default)",
        "HKEY_CURRENT_USER\\Software\\Classes\\Interface\\{50AC103F-D235-4598-BBEF-98FE4D1A3AD4}",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{50ac103f-d235-4598-bbef-98fe4d1a3ad4}\\ProxyStubClsid32",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{50ac103f-d235-4598-bbef-98fe4d1a3ad4}\\ProxyStubClsid32\\(Default)",
        "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{6DB7CD52-E3B7-4ECC-BB1F-388AEEF6BB50}",
        "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{6db7cd52-e3b7-4ecc-bb1f-388aeef6bb50}\\TreatAs",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{6db7cd52-e3b7-4ecc-bb1f-388aeef6bb50}\\TreatAs",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{6db7cd52-e3b7-4ecc-bb1f-388aeef6bb50}\\ActivateOnHostFlags",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{6db7cd52-e3b7-4ecc-bb1f-388aeef6bb50}\\(Default)",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{6db7cd52-e3b7-4ecc-bb1f-388aeef6bb50}\\InprocServer32",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{6db7cd52-e3b7-4ecc-bb1f-388aeef6bb50}\\InProcServer32\\InprocServer32",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{6db7cd52-e3b7-4ecc-bb1f-388aeef6bb50}\\InProcServer32\\(Default)",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{6db7cd52-e3b7-4ecc-bb1f-388aeef6bb50}\\InProcServer32\\ThreadingModel",
        "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{6db7cd52-e3b7-4ecc-bb1f-388aeef6bb50}\\InprocHandler32",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{6db7cd52-e3b7-4ecc-bb1f-388aeef6bb50}\\InprocHandler32",
        "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{6db7cd52-e3b7-4ecc-bb1f-388aeef6bb50}\\InprocHandler",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{6db7cd52-e3b7-4ecc-bb1f-388aeef6bb50}\\InprocHandler",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{6db7cd52-e3b7-4ecc-bb1f-388aeef6bb50}\\LocalServer32",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{6db7cd52-e3b7-4ecc-bb1f-388aeef6bb50}\\AppID",
        "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{6db7cd52-e3b7-4ecc-bb1f-388aeef6bb50}\\LocalServer",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{6db7cd52-e3b7-4ecc-bb1f-388aeef6bb50}\\LocalServer",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{6db7cd52-e3b7-4ecc-bb1f-388aeef6bb50}\\Elevation",
        "HKEY_CURRENT_USER\\Software\\Classes\\Interface\\{7AB93C52-0E48-4750-BA9D-1A4113981847}",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{7ab93c52-0e48-4750-ba9d-1a4113981847}\\ProxyStubClsid32",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{7ab93c52-0e48-4750-ba9d-1a4113981847}\\ProxyStubClsid32\\(Default)",
        "HKEY_CURRENT_USER\\Software\\Classes\\Interface\\{5CADDC63-01D3-4C97-986F-0533483FEE14}",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{5caddc63-01d3-4c97-986f-0533483fee14}\\ProxyStubClsid32",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{5caddc63-01d3-4c97-986f-0533483fee14}\\ProxyStubClsid32\\(Default)",
        "HKEY_CURRENT_USER\\Software\\Classes\\Interface\\{3BC3D253-2F31-4092-9129-8AD5ABF067DA}",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{3bc3d253-2f31-4092-9129-8ad5abf067da}\\ProxyStubClsid32",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{3bc3d253-2f31-4092-9129-8ad5abf067da}\\ProxyStubClsid32\\(Default)",
        "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{0C9281F9-6DA1-4006-8729-DE6E6B61581C}",
        "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{0c9281f9-6da1-4006-8729-de6e6b61581c}\\TreatAs",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{0c9281f9-6da1-4006-8729-de6e6b61581c}\\TreatAs",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{0c9281f9-6da1-4006-8729-de6e6b61581c}\\ActivateOnHostFlags",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{0c9281f9-6da1-4006-8729-de6e6b61581c}\\(Default)",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{0c9281f9-6da1-4006-8729-de6e6b61581c}\\InprocServer32",
        "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{0c9281f9-6da1-4006-8729-de6e6b61581c}\\InprocHandler32",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{0c9281f9-6da1-4006-8729-de6e6b61581c}\\InprocHandler32",
        "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{0c9281f9-6da1-4006-8729-de6e6b61581c}\\InprocHandler",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{0c9281f9-6da1-4006-8729-de6e6b61581c}\\InprocHandler",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Containers",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Containers\\WaitForRestore",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Ole\\ActivateOnHostFlags",
        "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Ole",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Ole\\MaximumAllowedAllocationSize",
        "HKEY_CURRENT_USER\\Software\\Classes\\Interface\\{DF8E9480-CA73-448E-B8F0-DA000F581428}",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{DF8E9480-CA73-448E-B8F0-DA000F581428}\\ProxyStubClsid32",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{DF8E9480-CA73-448E-B8F0-DA000F581428}\\ProxyStubClsid32\\(Default)",
        "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{95E15D0A-66E6-93D9-C53C-76E6219D3341}",
        "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\\TreatAs",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\\TreatAs",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\\ActivateOnHostFlags",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\\(Default)",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\\InprocServer32",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\\InProcServer32\\InprocServer32",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\\InProcServer32\\(Default)",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\\InProcServer32\\ThreadingModel",
        "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\\InprocHandler32",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\\InprocHandler32",
        "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\\InprocHandler",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\\InprocHandler",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\\LocalServer32",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\\AppID",
        "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\\LocalServer",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\\LocalServer",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\\Elevation",
        "HKEY_CURRENT_USER\\Software\\Classes\\Interface\\{DCAEE35A-508D-4419-9E56-50D658C2C812}",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{DCAEE35A-508D-4419-9E56-50D658C2C812}\\ProxyStubClsid32",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{DCAEE35A-508D-4419-9E56-50D658C2C812}\\ProxyStubClsid32\\(Default)",
        "HKEY_CURRENT_USER\\Software\\Classes\\Interface\\{926516E8-D891-45BC-9DE5-6959FB8ECAC5}",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{926516E8-D891-45BC-9DE5-6959FB8ECAC5}\\ProxyStubClsid32",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{926516E8-D891-45BC-9DE5-6959FB8ECAC5}\\ProxyStubClsid32\\(Default)",
        "HKEY_CURRENT_USER\\Software\\Classes\\Interface\\{A819F3DE-60AA-5159-8407-F0A7FB1F6832}",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{a819f3de-60aa-5159-8407-f0a7fb1f6832}\\ProxyStubClsid32",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{a819f3de-60aa-5159-8407-f0a7fb1f6832}\\ProxyStubClsid32\\(Default)",
        "HKEY_CURRENT_USER\\Software\\Classes\\Interface\\{D6F5F569-D40D-407C-8989-88CAB42CFD14}",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{D6F5F569-D40D-407C-8989-88CAB42CFD14}\\ProxyStubClsid32",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{D6F5F569-D40D-407C-8989-88CAB42CFD14}\\ProxyStubClsid32\\(Default)",
        "HKEY_CURRENT_USER\\Software\\Classes\\Interface\\{79AB57F6-43FE-487B-8A7F-99567200AE94}",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{79ab57f6-43fe-487b-8a7f-99567200ae94}\\ProxyStubClsid32",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{79ab57f6-43fe-487b-8a7f-99567200ae94}\\ProxyStubClsid32\\(Default)",
        "HKEY_CURRENT_USER\\Software\\Classes\\Interface\\{679C64B7-81AB-42C2-8819-C958767753F4}",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{679C64B7-81AB-42C2-8819-C958767753F4}\\ProxyStubClsid32",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{679C64B7-81AB-42C2-8819-C958767753F4}\\ProxyStubClsid32\\(Default)",
        "HKEY_CURRENT_USER\\Software\\Classes\\Interface\\{F655B052-348B-4AB0-947B-A7DAFA44D404}",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{F655B052-348B-4AB0-947B-A7DAFA44D404}\\ProxyStubClsid32",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{F655B052-348B-4AB0-947B-A7DAFA44D404}\\ProxyStubClsid32\\(Default)",
        "HKEY_CURRENT_USER\\Software\\Classes\\Interface\\{58058629-16A1-438A-90C8-7E954B3734B1}",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{58058629-16A1-438A-90C8-7E954B3734B1}\\ProxyStubClsid32",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{58058629-16A1-438A-90C8-7E954B3734B1}\\ProxyStubClsid32\\(Default)",
        "HKEY_CURRENT_USER\\Software\\Classes\\Interface\\{23EB7394-4610-4807-BAEC-9A72F86FFA0B}",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{23EB7394-4610-4807-BAEC-9A72F86FFA0B}\\ProxyStubClsid32",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{23EB7394-4610-4807-BAEC-9A72F86FFA0B}\\ProxyStubClsid32\\(Default)",
        "HKEY_CURRENT_USER\\Software\\Classes\\Interface\\{2A1821FE-179D-49BC-B79D-A527920D3665}",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{2A1821FE-179D-49BC-B79D-A527920D3665}\\ProxyStubClsid32",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{2A1821FE-179D-49BC-B79D-A527920D3665}\\ProxyStubClsid32\\(Default)",
        "HKEY_LOCAL_MACHINE\\Software\\Classes\\CLSID\\{628ACE20-B77A-456F-A88D-547DB6CEEDD5}\\LocalServer32",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.ApplicationModel.Background.BackgroundExecutionManager",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.ApplicationModel.Background.BackgroundExecutionManager\\ActivationType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.ApplicationModel.Background.BackgroundExecutionManager\\Server",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.ApplicationModel.Background.BackgroundExecutionManager\\DllPath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.ApplicationModel.Background.BackgroundExecutionManager\\Threading",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.ApplicationModel.Background.BackgroundExecutionManager\\TrustLevel",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.ApplicationModel.Background.BackgroundExecutionManager\\CustomAttributes",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.ApplicationModel.Background.BackgroundExecutionManager\\RemoteServer",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.ApplicationModel.Background.BackgroundExecutionManager\\ActivateAsUser",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.ApplicationModel.Background.BackgroundExecutionManager\\ActivateInSharedBroker",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.ApplicationModel.Background.BackgroundExecutionManager\\ActivateInBrokerForMediumILContainer",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.ApplicationModel.Background.BackgroundExecutionManager\\Permissions",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.ApplicationModel.Background.BackgroundExecutionManager\\ActivateOnHostFlags",
        "HKEY_CURRENT_USER\\Software\\Classes\\Interface\\{C5543B33-5C73-4DC5-9211-24077D3B06C5}",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{C5543B33-5C73-4DC5-9211-24077D3B06C5}\\ProxyStubClsid32",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{C5543B33-5C73-4DC5-9211-24077D3B06C5}\\ProxyStubClsid32\\(Default)",
        "HKEY_CURRENT_USER\\Software\\Classes\\Interface\\{428D4DDD-3462-43DF-9395-1EFF13AE7A4B}",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{428D4DDD-3462-43DF-9395-1EFF13AE7A4B}\\ProxyStubClsid32",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{428D4DDD-3462-43DF-9395-1EFF13AE7A4B}\\ProxyStubClsid32\\(Default)",
        "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{B03C2205-F02E-4D77-80DF-E1747AFDD39C}",
        "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{b03c2205-f02e-4d77-80df-e1747afdd39c}\\TreatAs",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{b03c2205-f02e-4d77-80df-e1747afdd39c}\\TreatAs",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{b03c2205-f02e-4d77-80df-e1747afdd39c}\\ActivateOnHostFlags",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{b03c2205-f02e-4d77-80df-e1747afdd39c}\\(Default)",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{b03c2205-f02e-4d77-80df-e1747afdd39c}\\InprocServer32",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{b03c2205-f02e-4d77-80df-e1747afdd39c}\\InprocServer32\\InprocServer32",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{b03c2205-f02e-4d77-80df-e1747afdd39c}\\InprocServer32\\(Default)",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{b03c2205-f02e-4d77-80df-e1747afdd39c}\\InprocServer32\\ThreadingModel",
        "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{b03c2205-f02e-4d77-80df-e1747afdd39c}\\InprocHandler32",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{b03c2205-f02e-4d77-80df-e1747afdd39c}\\InprocHandler32",
        "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{b03c2205-f02e-4d77-80df-e1747afdd39c}\\InprocHandler",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{b03c2205-f02e-4d77-80df-e1747afdd39c}\\InprocHandler",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{b03c2205-f02e-4d77-80df-e1747afdd39c}\\LocalServer32",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{b03c2205-f02e-4d77-80df-e1747afdd39c}\\AppID",
        "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{b03c2205-f02e-4d77-80df-e1747afdd39c}\\LocalServer",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{b03c2205-f02e-4d77-80df-e1747afdd39c}\\LocalServer",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{b03c2205-f02e-4d77-80df-e1747afdd39c}\\Elevation",
        "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\PolicyManager\\default\\Privacy\\LetAppsRunInBackground_UserInControlOfTheseApps",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\Privacy\\LetAppsRunInBackground_UserInControlOfTheseApps\\PolicyType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\Privacy\\LetAppsRunInBackground_UserInControlOfTheseApps\\Behavior",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\Privacy\\LetAppsRunInBackground_UserInControlOfTheseApps\\MergeAlgorithm",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\Privacy\\LetAppsRunInBackground_UserInControlOfTheseApps\\RegKeyPathRedirectMapped",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\Privacy\\LetAppsRunInBackground_UserInControlOfTheseApps\\RegKeyPathRedirect",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\Privacy\\LetAppsRunInBackground_UserInControlOfTheseApps\\grouppolicyname",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\Privacy\\LetAppsRunInBackground_UserInControlOfTheseApps\\grouppolicypath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\Privacy\\LetAppsRunInBackground_UserInControlOfTheseApps\\grouppolicyismultisz",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\Privacy\\LetAppsRunInBackground_UserInControlOfTheseApps\\grouppolicymultiszSeparatorChar",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\Privacy\\LetAppsRunInBackground_UserInControlOfTheseApps\\ADMXMetadataUser",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\Privacy\\LetAppsRunInBackground_UserInControlOfTheseApps\\ADMXMetadataDevice",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\Privacy\\LetAppsRunInBackground_UserInControlOfTheseApps\\ADMXMetadataBoth",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\Privacy\\LetAppsRunInBackground_UserInControlOfTheseApps\\30Value",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\Privacy\\LetAppsRunInBackground_UserInControlOfTheseApps\\Value",
        "HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\AppPrivacy",
        "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\PolicyManager\\current\\Device\\Privacy",
        "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\PolicyManager\\default\\Privacy\\LetAppsRunInBackground_ForceAllowTheseApps",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\Privacy\\LetAppsRunInBackground_ForceAllowTheseApps\\PolicyType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\Privacy\\LetAppsRunInBackground_ForceAllowTheseApps\\Behavior",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\Privacy\\LetAppsRunInBackground_ForceAllowTheseApps\\MergeAlgorithm",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\Privacy\\LetAppsRunInBackground_ForceAllowTheseApps\\RegKeyPathRedirectMapped",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\Privacy\\LetAppsRunInBackground_ForceAllowTheseApps\\RegKeyPathRedirect",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\Privacy\\LetAppsRunInBackground_ForceAllowTheseApps\\grouppolicyname",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\Privacy\\LetAppsRunInBackground_ForceAllowTheseApps\\grouppolicypath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\Privacy\\LetAppsRunInBackground_ForceAllowTheseApps\\grouppolicyismultisz",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\Privacy\\LetAppsRunInBackground_ForceAllowTheseApps\\grouppolicymultiszSeparatorChar",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\Privacy\\LetAppsRunInBackground_ForceAllowTheseApps\\ADMXMetadataUser",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\Privacy\\LetAppsRunInBackground_ForceAllowTheseApps\\ADMXMetadataDevice",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\Privacy\\LetAppsRunInBackground_ForceAllowTheseApps\\ADMXMetadataBoth",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\Privacy\\LetAppsRunInBackground_ForceAllowTheseApps\\30Value",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\Privacy\\LetAppsRunInBackground_ForceAllowTheseApps\\Value",
        "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\PolicyManager\\default\\Privacy\\LetAppsRunInBackground_ForceDenyTheseApps",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\Privacy\\LetAppsRunInBackground_ForceDenyTheseApps\\PolicyType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\Privacy\\LetAppsRunInBackground_ForceDenyTheseApps\\Behavior",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\Privacy\\LetAppsRunInBackground_ForceDenyTheseApps\\MergeAlgorithm",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\Privacy\\LetAppsRunInBackground_ForceDenyTheseApps\\RegKeyPathRedirectMapped",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\Privacy\\LetAppsRunInBackground_ForceDenyTheseApps\\RegKeyPathRedirect",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\Privacy\\LetAppsRunInBackground_ForceDenyTheseApps\\grouppolicyname",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\Privacy\\LetAppsRunInBackground_ForceDenyTheseApps\\grouppolicypath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\Privacy\\LetAppsRunInBackground_ForceDenyTheseApps\\grouppolicyismultisz",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\Privacy\\LetAppsRunInBackground_ForceDenyTheseApps\\grouppolicymultiszSeparatorChar",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\Privacy\\LetAppsRunInBackground_ForceDenyTheseApps\\ADMXMetadataUser",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\Privacy\\LetAppsRunInBackground_ForceDenyTheseApps\\ADMXMetadataDevice",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\Privacy\\LetAppsRunInBackground_ForceDenyTheseApps\\ADMXMetadataBoth",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\Privacy\\LetAppsRunInBackground_ForceDenyTheseApps\\30Value",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\Privacy\\LetAppsRunInBackground_ForceDenyTheseApps\\Value",
        "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\PolicyManager\\default\\Privacy\\LetAppsRunInBackground",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\Privacy\\LetAppsRunInBackground\\PolicyType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\Privacy\\LetAppsRunInBackground\\Behavior",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\Privacy\\LetAppsRunInBackground\\MergeAlgorithm",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\Privacy\\LetAppsRunInBackground\\RegKeyPathRedirectMapped",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\Privacy\\LetAppsRunInBackground\\RegKeyPathRedirect",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\Privacy\\LetAppsRunInBackground\\grouppolicyname",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\Privacy\\LetAppsRunInBackground\\grouppolicypath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\Privacy\\LetAppsRunInBackground\\grouppolicyismultisz",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\Privacy\\LetAppsRunInBackground\\grouppolicymultiszSeparatorChar",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\Privacy\\LetAppsRunInBackground\\ADMXMetadataUser",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\Privacy\\LetAppsRunInBackground\\ADMXMetadataDevice",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\Privacy\\LetAppsRunInBackground\\ADMXMetadataBoth",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\Privacy\\LetAppsRunInBackground\\30Value",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\Privacy\\LetAppsRunInBackground\\Value",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\msasn1",
        "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\SecurityManager\\CapAuthz",
        "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\SecurityManager\\CapAuthz\\HasRepaired",
        "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\SecurityManager\\CapAuthz\\HasRepaired\\VolatileChildTest",
        "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\SecurityManager\\CapDBRedirect",
        "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\SecurityManager\\CapAuthz\\ApplicationsEx\\Microsoft.MicrosoftEdge.Stable_148.0.3967.83_neutral__8wekyb3d8bbwe",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SecurityManager\\CapAuthz\\ApplicationsEx\\Microsoft.MicrosoftEdge.Stable_148.0.3967.83_neutral__8wekyb3d8bbwe\\AppPackageType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SecurityManager\\CapAuthz\\ApplicationsEx\\Microsoft.MicrosoftEdge.Stable_148.0.3967.83_neutral__8wekyb3d8bbwe\\PackageSid",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SecurityManager\\CapAuthz\\ApplicationsEx\\Microsoft.MicrosoftEdge.Stable_148.0.3967.83_neutral__8wekyb3d8bbwe\\CapSids",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SecurityManager\\CapAuthz\\ApplicationsEx\\Microsoft.MicrosoftEdge.Stable_148.0.3967.83_neutral__8wekyb3d8bbwe\\ApplicationFlags",
        "HKEY_LOCAL_MACHINE",
        "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Appx",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Appx\\PackageRepositoryRoot",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.ApplicationModel.Background.BackgroundTaskRegistration",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.ApplicationModel.Background.BackgroundTaskRegistration\\ActivationType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.ApplicationModel.Background.BackgroundTaskRegistration\\Server",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.ApplicationModel.Background.BackgroundTaskRegistration\\DllPath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.ApplicationModel.Background.BackgroundTaskRegistration\\Threading",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.ApplicationModel.Background.BackgroundTaskRegistration\\TrustLevel",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.ApplicationModel.Background.BackgroundTaskRegistration\\CustomAttributes",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.ApplicationModel.Background.BackgroundTaskRegistration\\RemoteServer",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.ApplicationModel.Background.BackgroundTaskRegistration\\ActivateAsUser",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.ApplicationModel.Background.BackgroundTaskRegistration\\ActivateInSharedBroker",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.ApplicationModel.Background.BackgroundTaskRegistration\\ActivateInBrokerForMediumILContainer",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.ApplicationModel.Background.BackgroundTaskRegistration\\Permissions",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.ApplicationModel.Background.BackgroundTaskRegistration\\ActivateOnHostFlags",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.ApplicationModel.Background.BackgroundWorkManager",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.ApplicationModel.Background.BackgroundWorkManager\\ActivationType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.ApplicationModel.Background.BackgroundWorkManager\\Server",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.ApplicationModel.Background.BackgroundWorkManager\\DllPath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.ApplicationModel.Background.BackgroundWorkManager\\Threading",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.ApplicationModel.Background.BackgroundWorkManager\\TrustLevel",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.ApplicationModel.Background.BackgroundWorkManager\\CustomAttributes",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.ApplicationModel.Background.BackgroundWorkManager\\RemoteServer",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.ApplicationModel.Background.BackgroundWorkManager\\ActivateAsUser",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.ApplicationModel.Background.BackgroundWorkManager\\ActivateInSharedBroker",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.ApplicationModel.Background.BackgroundWorkManager\\ActivateInBrokerForMediumILContainer",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.ApplicationModel.Background.BackgroundWorkManager\\Permissions",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.ApplicationModel.Background.BackgroundWorkManager\\ActivateOnHostFlags",
        "HKEY_CURRENT_USER\\Software\\Classes\\Interface\\{350E1244-4575-45EE-8595-0AA8C6506FC7}",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{350E1244-4575-45EE-8595-0AA8C6506FC7}\\ProxyStubClsid32",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{350E1244-4575-45EE-8595-0AA8C6506FC7}\\ProxyStubClsid32\\(Default)",
        "HKEY_CURRENT_USER\\Software\\Classes\\Interface\\{01CF8BD4-E3D6-413D-8339-36D46E78D12C}",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{01CF8BD4-E3D6-413D-8339-36D46E78D12C}\\ProxyStubClsid32",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{01CF8BD4-E3D6-413D-8339-36D46E78D12C}\\ProxyStubClsid32\\(Default)",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Foundation.Collections.ValueSet",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Foundation.Collections.ValueSet\\ActivationType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Foundation.Collections.ValueSet\\Server",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Foundation.Collections.ValueSet\\DllPath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Foundation.Collections.ValueSet\\Threading",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Foundation.Collections.ValueSet\\TrustLevel",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Foundation.Collections.ValueSet\\CustomAttributes",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Foundation.Collections.ValueSet\\RemoteServer",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Foundation.Collections.ValueSet\\ActivateAsUser",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Foundation.Collections.ValueSet\\ActivateInSharedBroker",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Foundation.Collections.ValueSet\\ActivateInBrokerForMediumILContainer",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Foundation.Collections.ValueSet\\Permissions",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Foundation.Collections.ValueSet\\ActivateOnHostFlags",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Storage.Streams.DataWriter",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Storage.Streams.DataWriter\\ActivationType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Storage.Streams.DataWriter\\Server",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Storage.Streams.DataWriter\\DllPath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Storage.Streams.DataWriter\\Threading",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Storage.Streams.DataWriter\\TrustLevel",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Storage.Streams.DataWriter\\CustomAttributes",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Storage.Streams.DataWriter\\RemoteServer",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Storage.Streams.DataWriter\\ActivateAsUser",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Storage.Streams.DataWriter\\ActivateInSharedBroker",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Storage.Streams.DataWriter\\ActivateInBrokerForMediumILContainer",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Storage.Streams.DataWriter\\Permissions",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Storage.Streams.DataWriter\\ActivateOnHostFlags",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Storage.Streams.DataReader",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Storage.Streams.DataReader\\ActivationType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Storage.Streams.DataReader\\Server",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Storage.Streams.DataReader\\DllPath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Storage.Streams.DataReader\\Threading",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Storage.Streams.DataReader\\TrustLevel",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Storage.Streams.DataReader\\CustomAttributes",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Storage.Streams.DataReader\\RemoteServer",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Storage.Streams.DataReader\\ActivateAsUser",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Storage.Streams.DataReader\\ActivateInSharedBroker",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Storage.Streams.DataReader\\ActivateInBrokerForMediumILContainer",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Storage.Streams.DataReader\\Permissions",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Storage.Streams.DataReader\\ActivateOnHostFlags",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Foundation.PropertyValue",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Foundation.PropertyValue\\ActivationType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Foundation.PropertyValue\\Server",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Foundation.PropertyValue\\DllPath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Foundation.PropertyValue\\Threading",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Foundation.PropertyValue\\TrustLevel",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Foundation.PropertyValue\\CustomAttributes",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Foundation.PropertyValue\\RemoteServer",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Foundation.PropertyValue\\ActivateAsUser",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Foundation.PropertyValue\\ActivateInSharedBroker",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Foundation.PropertyValue\\ActivateInBrokerForMediumILContainer",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Foundation.PropertyValue\\Permissions",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Foundation.PropertyValue\\ActivateOnHostFlags",
        "HKEY_CURRENT_USER\\Software\\Classes\\Interface\\{2C08602F-40B1-5E97-AE21-5C04D7FB829C}",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{2C08602F-40B1-5E97-AE21-5C04D7FB829C}\\ProxyStubClsid32",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{2C08602F-40B1-5E97-AE21-5C04D7FB829C}\\ProxyStubClsid32\\(Default)",
        "HKEY_CURRENT_USER\\Software\\Classes\\Interface\\{62AE0FDA-B238-554F-A275-1DC16D6CA03A}",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{62AE0FDA-B238-554F-A275-1DC16D6CA03A}\\ProxyStubClsid32",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{62AE0FDA-B238-554F-A275-1DC16D6CA03A}\\ProxyStubClsid32\\(Default)",
        "HKEY_CURRENT_USER\\Software\\Classes\\Interface\\{8445D2AE-DD03-5B98-95E4-82B43A3F0D64}",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{8445D2AE-DD03-5B98-95E4-82B43A3F0D64}\\ProxyStubClsid32",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{8445D2AE-DD03-5B98-95E4-82B43A3F0D64}\\ProxyStubClsid32\\(Default)",
        "HKEY_CURRENT_USER\\Software\\Classes\\Interface\\{9BCB843B-221B-5FBE-9B20-7028BC4E8653}",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{9BCB843B-221B-5FBE-9B20-7028BC4E8653}\\ProxyStubClsid32",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{9BCB843B-221B-5FBE-9B20-7028BC4E8653}\\ProxyStubClsid32\\(Default)",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Storage.ApplicationData",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Storage.ApplicationData\\ActivationType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Storage.ApplicationData\\Server",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Storage.ApplicationData\\DllPath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Storage.ApplicationData\\Threading",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Storage.ApplicationData\\TrustLevel",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Storage.ApplicationData\\CustomAttributes",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Storage.ApplicationData\\RemoteServer",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Storage.ApplicationData\\ActivateAsUser",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Storage.ApplicationData\\ActivateInSharedBroker",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Storage.ApplicationData\\ActivateInBrokerForMediumILContainer",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Storage.ApplicationData\\Permissions",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Storage.ApplicationData\\ActivateOnHostFlags",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.ApplicationModel.Core.CoreApplication",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.ApplicationModel.Core.CoreApplication\\ActivationType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.ApplicationModel.Core.CoreApplication\\Server",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.ApplicationModel.Core.CoreApplication\\DllPath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.ApplicationModel.Core.CoreApplication\\Threading",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.ApplicationModel.Core.CoreApplication\\TrustLevel",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.ApplicationModel.Core.CoreApplication\\CustomAttributes",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.ApplicationModel.Core.CoreApplication\\RemoteServer",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.ApplicationModel.Core.CoreApplication\\ActivateAsUser",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.ApplicationModel.Core.CoreApplication\\ActivateInSharedBroker",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.ApplicationModel.Core.CoreApplication\\ActivateInBrokerForMediumILContainer",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.ApplicationModel.Core.CoreApplication\\Permissions",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.ApplicationModel.Core.CoreApplication\\ActivateOnHostFlags",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Foundation.Collections.PropertySet",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Foundation.Collections.PropertySet\\ActivationType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Foundation.Collections.PropertySet\\Server",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Foundation.Collections.PropertySet\\DllPath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Foundation.Collections.PropertySet\\Threading",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Foundation.Collections.PropertySet\\TrustLevel",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Foundation.Collections.PropertySet\\CustomAttributes",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Foundation.Collections.PropertySet\\RemoteServer",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Foundation.Collections.PropertySet\\ActivateAsUser",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Foundation.Collections.PropertySet\\ActivateInSharedBroker",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Foundation.Collections.PropertySet\\ActivateInBrokerForMediumILContainer",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Foundation.Collections.PropertySet\\Permissions",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Foundation.Collections.PropertySet\\ActivateOnHostFlags",
        "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\XAML",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\XAML\\OneCoreTransformsEnabledByDefault",
        "HKEY_USERS",
        "HKEY_CURRENT_USER\\Software\\Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.MicrosoftEdge.Stable_8wekyb3d8bbwe\\PSR",
        "HKEY_CURRENT_USER\\Software\\Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.MicrosoftEdge.Stable_8wekyb3d8bbwe\\PSR\\WnfStateName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\ShellCompatibility\\Applications\\identity_helper.exe",
        "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\SyncRootManager",
        "HKEY_CURRENT_USER\\Software\\Classes\\Directory\\ShellEx\\LibraryDescriptionHandler",
        "HKEY_LOCAL_MACHINE\\Software\\Classes\\Directory\\ShellEx\\LibraryDescriptionHandler",
        "HKEY_CURRENT_USER\\Software\\Classes\\Folder\\ShellEx\\LibraryDescriptionHandler",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Folder\\ShellEx\\LibraryDescriptionHandler",
        "HKEY_CURRENT_USER\\Software\\Classes\\AllFilesystemObjects\\ShellEx\\LibraryDescriptionHandler",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\AllFilesystemObjects\\ShellEx\\LibraryDescriptionHandler",
        "HKEY_CURRENT_USER\\Software\\Classes\\Interface\\{AB310581-AC80-11D1-8DF3-00C04FB6EF50}",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{AB310581-AC80-11D1-8DF3-00C04FB6EF50}\\ProxyStubClsid32",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{AB310581-AC80-11D1-8DF3-00C04FB6EF50}\\ProxyStubClsid32\\(Default)",
        "HKEY_CURRENT_USER\\Software\\Classes\\Interface\\{AB310581-AC80-11D1-8DF3-00C04FB6EF55}",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{AB310581-AC80-11D1-8DF3-00C04FB6EF55}\\ProxyStubClsid32",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{AB310581-AC80-11D1-8DF3-00C04FB6EF55}\\ProxyStubClsid32\\(Default)",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{625B53C3-AB48-4EC1-BA1F-A1EF4146FC19}",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{625B53C3-AB48-4EC1-BA1F-A1EF4146FC19}\\Category",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{625B53C3-AB48-4EC1-BA1F-A1EF4146FC19}\\Name",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{625B53C3-AB48-4EC1-BA1F-A1EF4146FC19}\\ParentFolder",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{625B53C3-AB48-4EC1-BA1F-A1EF4146FC19}\\Description",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{625B53C3-AB48-4EC1-BA1F-A1EF4146FC19}\\RelativePath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{625B53C3-AB48-4EC1-BA1F-A1EF4146FC19}\\ParsingName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{625B53C3-AB48-4EC1-BA1F-A1EF4146FC19}\\InfoTip",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{625B53C3-AB48-4EC1-BA1F-A1EF4146FC19}\\LocalizedName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{625B53C3-AB48-4EC1-BA1F-A1EF4146FC19}\\Icon",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{625B53C3-AB48-4EC1-BA1F-A1EF4146FC19}\\Security",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{625B53C3-AB48-4EC1-BA1F-A1EF4146FC19}\\StreamResource",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{625B53C3-AB48-4EC1-BA1F-A1EF4146FC19}\\StreamResourceType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{625B53C3-AB48-4EC1-BA1F-A1EF4146FC19}\\LocalRedirectOnly",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{625B53C3-AB48-4EC1-BA1F-A1EF4146FC19}\\Roamable",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{625B53C3-AB48-4EC1-BA1F-A1EF4146FC19}\\PreCreate",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{625B53C3-AB48-4EC1-BA1F-A1EF4146FC19}\\Stream",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{625B53C3-AB48-4EC1-BA1F-A1EF4146FC19}\\PublishExpandedPath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{625B53C3-AB48-4EC1-BA1F-A1EF4146FC19}\\DefinitionFlags",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{625B53C3-AB48-4EC1-BA1F-A1EF4146FC19}\\Attributes",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{625B53C3-AB48-4EC1-BA1F-A1EF4146FC19}\\FolderTypeID",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{625B53C3-AB48-4EC1-BA1F-A1EF4146FC19}\\InitFolderHandler",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{625B53C3-AB48-4EC1-BA1F-A1EF4146FC19}\\PropertyBag",
        "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders\\Start Menu",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A4115719-D62E-491D-AA7C-E74B8BE3B067}",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A4115719-D62E-491D-AA7C-E74B8BE3B067}\\Category",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A4115719-D62E-491D-AA7C-E74B8BE3B067}\\Name",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A4115719-D62E-491D-AA7C-E74B8BE3B067}\\ParentFolder",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A4115719-D62E-491D-AA7C-E74B8BE3B067}\\Description",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A4115719-D62E-491D-AA7C-E74B8BE3B067}\\RelativePath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A4115719-D62E-491D-AA7C-E74B8BE3B067}\\ParsingName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A4115719-D62E-491D-AA7C-E74B8BE3B067}\\InfoTip",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A4115719-D62E-491D-AA7C-E74B8BE3B067}\\LocalizedName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A4115719-D62E-491D-AA7C-E74B8BE3B067}\\Icon",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A4115719-D62E-491D-AA7C-E74B8BE3B067}\\Security",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A4115719-D62E-491D-AA7C-E74B8BE3B067}\\StreamResource",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A4115719-D62E-491D-AA7C-E74B8BE3B067}\\StreamResourceType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A4115719-D62E-491D-AA7C-E74B8BE3B067}\\LocalRedirectOnly",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A4115719-D62E-491D-AA7C-E74B8BE3B067}\\Roamable",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A4115719-D62E-491D-AA7C-E74B8BE3B067}\\PreCreate",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A4115719-D62E-491D-AA7C-E74B8BE3B067}\\Stream",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A4115719-D62E-491D-AA7C-E74B8BE3B067}\\PublishExpandedPath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A4115719-D62E-491D-AA7C-E74B8BE3B067}\\DefinitionFlags",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A4115719-D62E-491D-AA7C-E74B8BE3B067}\\Attributes",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A4115719-D62E-491D-AA7C-E74B8BE3B067}\\FolderTypeID",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A4115719-D62E-491D-AA7C-E74B8BE3B067}\\InitFolderHandler",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A4115719-D62E-491D-AA7C-E74B8BE3B067}\\PropertyBag",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders\\Common Start Menu",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{AE50C081-EBD2-438A-8655-8A092E34987A}",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{AE50C081-EBD2-438A-8655-8A092E34987A}\\Category",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{AE50C081-EBD2-438A-8655-8A092E34987A}\\Name",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{AE50C081-EBD2-438A-8655-8A092E34987A}\\ParentFolder",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{AE50C081-EBD2-438A-8655-8A092E34987A}\\Description",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{AE50C081-EBD2-438A-8655-8A092E34987A}\\RelativePath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{AE50C081-EBD2-438A-8655-8A092E34987A}\\ParsingName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{AE50C081-EBD2-438A-8655-8A092E34987A}\\InfoTip",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{AE50C081-EBD2-438A-8655-8A092E34987A}\\LocalizedName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{AE50C081-EBD2-438A-8655-8A092E34987A}\\Icon",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{AE50C081-EBD2-438A-8655-8A092E34987A}\\Security",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{AE50C081-EBD2-438A-8655-8A092E34987A}\\StreamResource",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{AE50C081-EBD2-438A-8655-8A092E34987A}\\StreamResourceType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{AE50C081-EBD2-438A-8655-8A092E34987A}\\LocalRedirectOnly",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{AE50C081-EBD2-438A-8655-8A092E34987A}\\Roamable",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{AE50C081-EBD2-438A-8655-8A092E34987A}\\PreCreate",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{AE50C081-EBD2-438A-8655-8A092E34987A}\\Stream",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{AE50C081-EBD2-438A-8655-8A092E34987A}\\PublishExpandedPath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{AE50C081-EBD2-438A-8655-8A092E34987A}\\DefinitionFlags",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{AE50C081-EBD2-438A-8655-8A092E34987A}\\Attributes",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{AE50C081-EBD2-438A-8655-8A092E34987A}\\FolderTypeID",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{AE50C081-EBD2-438A-8655-8A092E34987A}\\InitFolderHandler",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{AE50C081-EBD2-438A-8655-8A092E34987A}\\PropertyBag",
        "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders\\Recent",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F38BF404-1D43-42F2-9305-67DE0B28FC23}",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\\Category",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\\Name",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\\ParentFolder",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\\Description",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\\RelativePath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\\ParsingName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\\InfoTip",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\\LocalizedName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\\Icon",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\\Security",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\\StreamResource",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\\StreamResourceType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\\LocalRedirectOnly",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\\Roamable",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\\PreCreate",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\\Stream",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\\PublishExpandedPath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\\DefinitionFlags",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\\Attributes",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\\FolderTypeID",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\\InitFolderHandler",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\\PropertyBag",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\\DefinitionFlags",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{FDD39AD0-238F-46AF-ADB4-6C85480369C7}",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{FDD39AD0-238F-46AF-ADB4-6C85480369C7}\\Category",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{FDD39AD0-238F-46AF-ADB4-6C85480369C7}\\Name",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{FDD39AD0-238F-46AF-ADB4-6C85480369C7}\\ParentFolder",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{FDD39AD0-238F-46AF-ADB4-6C85480369C7}\\Description",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{FDD39AD0-238F-46AF-ADB4-6C85480369C7}\\RelativePath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{FDD39AD0-238F-46AF-ADB4-6C85480369C7}\\ParsingName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{FDD39AD0-238F-46AF-ADB4-6C85480369C7}\\InfoTip",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{FDD39AD0-238F-46AF-ADB4-6C85480369C7}\\LocalizedName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{FDD39AD0-238F-46AF-ADB4-6C85480369C7}\\Icon",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{FDD39AD0-238F-46AF-ADB4-6C85480369C7}\\Security",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{FDD39AD0-238F-46AF-ADB4-6C85480369C7}\\StreamResource",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{FDD39AD0-238F-46AF-ADB4-6C85480369C7}\\StreamResourceType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{FDD39AD0-238F-46AF-ADB4-6C85480369C7}\\LocalRedirectOnly",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{FDD39AD0-238F-46AF-ADB4-6C85480369C7}\\Roamable",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{FDD39AD0-238F-46AF-ADB4-6C85480369C7}\\PreCreate",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{FDD39AD0-238F-46AF-ADB4-6C85480369C7}\\Stream",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{FDD39AD0-238F-46AF-ADB4-6C85480369C7}\\PublishExpandedPath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{FDD39AD0-238F-46AF-ADB4-6C85480369C7}\\DefinitionFlags",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{FDD39AD0-238F-46AF-ADB4-6C85480369C7}\\Attributes",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{FDD39AD0-238F-46AF-ADB4-6C85480369C7}\\FolderTypeID",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{FDD39AD0-238F-46AF-ADB4-6C85480369C7}\\InitFolderHandler",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{FDD39AD0-238F-46AF-ADB4-6C85480369C7}\\PropertyBag",
        "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders\\Personal",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{FD228CB7-AE11-4AE3-864C-16F3910AB8FE}",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{FD228CB7-AE11-4AE3-864C-16F3910AB8FE}\\Category",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{FD228CB7-AE11-4AE3-864C-16F3910AB8FE}\\Name",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{FD228CB7-AE11-4AE3-864C-16F3910AB8FE}\\ParentFolder",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{FD228CB7-AE11-4AE3-864C-16F3910AB8FE}\\Description",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{FD228CB7-AE11-4AE3-864C-16F3910AB8FE}\\RelativePath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{FD228CB7-AE11-4AE3-864C-16F3910AB8FE}\\ParsingName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{FD228CB7-AE11-4AE3-864C-16F3910AB8FE}\\InfoTip",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{FD228CB7-AE11-4AE3-864C-16F3910AB8FE}\\LocalizedName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{FD228CB7-AE11-4AE3-864C-16F3910AB8FE}\\Icon",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{FD228CB7-AE11-4AE3-864C-16F3910AB8FE}\\Security",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{FD228CB7-AE11-4AE3-864C-16F3910AB8FE}\\StreamResource",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{FD228CB7-AE11-4AE3-864C-16F3910AB8FE}\\StreamResourceType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{FD228CB7-AE11-4AE3-864C-16F3910AB8FE}\\LocalRedirectOnly",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{FD228CB7-AE11-4AE3-864C-16F3910AB8FE}\\Roamable",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{FD228CB7-AE11-4AE3-864C-16F3910AB8FE}\\PreCreate",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{FD228CB7-AE11-4AE3-864C-16F3910AB8FE}\\Stream",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{FD228CB7-AE11-4AE3-864C-16F3910AB8FE}\\PublishExpandedPath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{FD228CB7-AE11-4AE3-864C-16F3910AB8FE}\\DefinitionFlags",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{FD228CB7-AE11-4AE3-864C-16F3910AB8FE}\\Attributes",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{FD228CB7-AE11-4AE3-864C-16F3910AB8FE}\\FolderTypeID",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{FD228CB7-AE11-4AE3-864C-16F3910AB8FE}\\InitFolderHandler",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{FD228CB7-AE11-4AE3-864C-16F3910AB8FE}\\PropertyBag",
        "HKEY_CURRENT_USER\\Software\\Classes\\Directory\\ShellEx\\PropertyHandler",
        "HKEY_LOCAL_MACHINE\\Software\\Classes\\Directory\\ShellEx\\PropertyHandler",
        "HKEY_CURRENT_USER\\Software\\Classes\\Folder\\ShellEx\\PropertyHandler",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Folder\\ShellEx\\PropertyHandler",
        "HKEY_CURRENT_USER\\Software\\Classes\\AllFilesystemObjects\\ShellEx\\PropertyHandler",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\AllFilesystemObjects\\ShellEx\\PropertyHandler",
        "HKEY_CLASSES_ROOT\\Drive\\shellex\\FolderExtensions",
        "HKEY_CLASSES_ROOT\\Drive\\shellex\\FolderExtensions\\{fbeb8a05-beee-4442-804e-409d6c4515e9}",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Drive\\shellex\\FolderExtensions\\{fbeb8a05-beee-4442-804e-409d6c4515e9}\\DriveMask",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.ApplicationModel.LimitedAccessFeatures",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.ApplicationModel.LimitedAccessFeatures\\ActivationType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.ApplicationModel.LimitedAccessFeatures\\Server",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.ApplicationModel.LimitedAccessFeatures\\DllPath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.ApplicationModel.LimitedAccessFeatures\\Threading",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.ApplicationModel.LimitedAccessFeatures\\TrustLevel",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.ApplicationModel.LimitedAccessFeatures\\CustomAttributes",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.ApplicationModel.LimitedAccessFeatures\\RemoteServer",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.ApplicationModel.LimitedAccessFeatures\\ActivateAsUser",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.ApplicationModel.LimitedAccessFeatures\\ActivateInSharedBroker",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.ApplicationModel.LimitedAccessFeatures\\ActivateInBrokerForMediumILContainer",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.ApplicationModel.LimitedAccessFeatures\\Permissions",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.ApplicationModel.LimitedAccessFeatures\\ActivateOnHostFlags",
        "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\LimitedAccessFeatures",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\LimitedAccessFeatures\\com.microsoft.windows.taskbar.requestPinSecondaryTile",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\LimitedAccessFeatures\\com.microsoft.windows.taskbar.requestPinSecondaryTile\\(Default)",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Security.Cryptography.CryptographicBuffer",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Security.Cryptography.CryptographicBuffer\\ActivationType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Security.Cryptography.CryptographicBuffer\\Server",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Security.Cryptography.CryptographicBuffer\\DllPath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Security.Cryptography.CryptographicBuffer\\Threading",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Security.Cryptography.CryptographicBuffer\\TrustLevel",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Security.Cryptography.CryptographicBuffer\\CustomAttributes",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Security.Cryptography.CryptographicBuffer\\RemoteServer",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Security.Cryptography.CryptographicBuffer\\ActivateAsUser",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Security.Cryptography.CryptographicBuffer\\ActivateInSharedBroker",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Security.Cryptography.CryptographicBuffer\\ActivateInBrokerForMediumILContainer",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Security.Cryptography.CryptographicBuffer\\Permissions",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Security.Cryptography.CryptographicBuffer\\ActivateOnHostFlags",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Security.Cryptography.Core.HashAlgorithmNames",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Security.Cryptography.Core.HashAlgorithmNames\\ActivationType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Security.Cryptography.Core.HashAlgorithmNames\\Server",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Security.Cryptography.Core.HashAlgorithmNames\\DllPath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Security.Cryptography.Core.HashAlgorithmNames\\Threading",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Security.Cryptography.Core.HashAlgorithmNames\\TrustLevel",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Security.Cryptography.Core.HashAlgorithmNames\\CustomAttributes",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Security.Cryptography.Core.HashAlgorithmNames\\RemoteServer",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Security.Cryptography.Core.HashAlgorithmNames\\ActivateAsUser",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Security.Cryptography.Core.HashAlgorithmNames\\ActivateInSharedBroker",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Security.Cryptography.Core.HashAlgorithmNames\\ActivateInBrokerForMediumILContainer",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Security.Cryptography.Core.HashAlgorithmNames\\Permissions",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Security.Cryptography.Core.HashAlgorithmNames\\ActivateOnHostFlags",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Security.Cryptography.Core.HashAlgorithmProvider",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Security.Cryptography.Core.HashAlgorithmProvider\\ActivationType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Security.Cryptography.Core.HashAlgorithmProvider\\Server",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Security.Cryptography.Core.HashAlgorithmProvider\\DllPath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Security.Cryptography.Core.HashAlgorithmProvider\\Threading",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Security.Cryptography.Core.HashAlgorithmProvider\\TrustLevel",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Security.Cryptography.Core.HashAlgorithmProvider\\CustomAttributes",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Security.Cryptography.Core.HashAlgorithmProvider\\RemoteServer",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Security.Cryptography.Core.HashAlgorithmProvider\\ActivateAsUser",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Security.Cryptography.Core.HashAlgorithmProvider\\ActivateInSharedBroker",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Security.Cryptography.Core.HashAlgorithmProvider\\ActivateInBrokerForMediumILContainer",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Security.Cryptography.Core.HashAlgorithmProvider\\Permissions",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Security.Cryptography.Core.HashAlgorithmProvider\\ActivateOnHostFlags",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\LimitedAccessFeatures\\com.microsoft.windows.taskbar.requestPinSecondaryTile\\Expiration",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.UI.StartScreen.SecondaryTile",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.UI.StartScreen.SecondaryTile\\ActivationType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.UI.StartScreen.SecondaryTile\\Server",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.UI.StartScreen.SecondaryTile\\DllPath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.UI.StartScreen.SecondaryTile\\Threading",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.UI.StartScreen.SecondaryTile\\TrustLevel",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.UI.StartScreen.SecondaryTile\\CustomAttributes",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.UI.StartScreen.SecondaryTile\\RemoteServer",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.UI.StartScreen.SecondaryTile\\ActivateAsUser",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.UI.StartScreen.SecondaryTile\\ActivateInSharedBroker",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.UI.StartScreen.SecondaryTile\\ActivateInBrokerForMediumILContainer",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.UI.StartScreen.SecondaryTile\\Permissions",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.UI.StartScreen.SecondaryTile\\ActivateOnHostFlags",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.Tiles.SecondaryTileStore",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.Tiles.SecondaryTileStore\\ActivationType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.Tiles.SecondaryTileStore\\Server",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.Tiles.SecondaryTileStore\\DllPath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.Tiles.SecondaryTileStore\\Threading",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.Tiles.SecondaryTileStore\\TrustLevel",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.Tiles.SecondaryTileStore\\CustomAttributes",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.Tiles.SecondaryTileStore\\RemoteServer",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.Tiles.SecondaryTileStore\\ActivateAsUser",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.Tiles.SecondaryTileStore\\ActivateInSharedBroker",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.Tiles.SecondaryTileStore\\ActivateInBrokerForMediumILContainer",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.Tiles.SecondaryTileStore\\Permissions",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.Tiles.SecondaryTileStore\\ActivateOnHostFlags",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.System.Internal.UserManager",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.System.Internal.UserManager\\ActivationType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.System.Internal.UserManager\\Server",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.System.Internal.UserManager\\DllPath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.System.Internal.UserManager\\Threading",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.System.Internal.UserManager\\TrustLevel",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.System.Internal.UserManager\\CustomAttributes",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.System.Internal.UserManager\\RemoteServer",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.System.Internal.UserManager\\ActivateAsUser",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.System.Internal.UserManager\\ActivateInSharedBroker",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.System.Internal.UserManager\\ActivateInBrokerForMediumILContainer",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.System.Internal.UserManager\\Permissions",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.System.Internal.UserManager\\ActivateOnHostFlags",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\Server\\UserManager",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\Server\\UserManager\\ExePath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\Server\\UserManager\\CommandLine",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\Server\\UserManager\\IdentityType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\Server\\UserManager\\Permissions",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\Server\\UserManager\\ActivatableClasses",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\Server\\UserManager\\ServerType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\Server\\UserManager\\AppId",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\Server\\UserManager\\Identity",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\Server\\UserManager\\ServiceName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\Server\\UserManager\\ExplicitPsmActivationType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\Server\\UserManager\\CustomAttributes",
        "HKEY_CURRENT_USER\\Software\\Classes\\Interface\\{252E7F79-ACFA-4EA2-9A7E-FA27A8A4D3D9}",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{252E7F79-ACFA-4EA2-9A7E-FA27A8A4D3D9}\\ProxyStubClsid32",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{252E7F79-ACFA-4EA2-9A7E-FA27A8A4D3D9}\\ProxyStubClsid32\\(Default)",
        "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{1BAC8681-2965-4FFC-92D1-170CA4099E01}",
        "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{1BAC8681-2965-4FFC-92D1-170CA4099E01}\\TreatAs",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{1BAC8681-2965-4FFC-92D1-170CA4099E01}\\TreatAs",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{1BAC8681-2965-4FFC-92D1-170CA4099E01}\\ActivateOnHostFlags",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{1BAC8681-2965-4FFC-92D1-170CA4099E01}\\(Default)",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{1BAC8681-2965-4FFC-92D1-170CA4099E01}\\InprocServer32",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{1BAC8681-2965-4FFC-92D1-170CA4099E01}\\InProcServer32\\InprocServer32",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{1BAC8681-2965-4FFC-92D1-170CA4099E01}\\InProcServer32\\(Default)",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{1BAC8681-2965-4FFC-92D1-170CA4099E01}\\InProcServer32\\ThreadingModel",
        "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{1BAC8681-2965-4FFC-92D1-170CA4099E01}\\InprocHandler32",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{1BAC8681-2965-4FFC-92D1-170CA4099E01}\\InprocHandler32",
        "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{1BAC8681-2965-4FFC-92D1-170CA4099E01}\\InprocHandler",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{1BAC8681-2965-4FFC-92D1-170CA4099E01}\\InprocHandler",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{1BAC8681-2965-4FFC-92D1-170CA4099E01}\\LocalServer32",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{1BAC8681-2965-4FFC-92D1-170CA4099E01}\\AppID",
        "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{1BAC8681-2965-4FFC-92D1-170CA4099E01}\\LocalServer",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{1BAC8681-2965-4FFC-92D1-170CA4099E01}\\LocalServer",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{1BAC8681-2965-4FFC-92D1-170CA4099E01}\\Elevation",
        "HKEY_CURRENT_USER\\Software\\Classes\\Interface\\{100EB64B-B24C-4C38-8964-720D926D05A4}",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{100EB64B-B24C-4C38-8964-720D926D05A4}\\ProxyStubClsid32",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{100EB64B-B24C-4C38-8964-720D926D05A4}\\ProxyStubClsid32\\(Default)",
        "HKEY_CURRENT_USER\\Software\\Classes\\Interface\\{DF9A26C6-E746-4BCD-B5D4-120103C4209B}",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{DF9A26C6-E746-4BCD-B5D4-120103C4209B}\\ProxyStubClsid32",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{DF9A26C6-E746-4BCD-B5D4-120103C4209B}\\ProxyStubClsid32\\(Default)",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.SecondaryTileView",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.SecondaryTileView\\ActivationType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.SecondaryTileView\\Server",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.SecondaryTileView\\DllPath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.SecondaryTileView\\Threading",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.SecondaryTileView\\TrustLevel",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.SecondaryTileView\\CustomAttributes",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.SecondaryTileView\\RemoteServer",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.SecondaryTileView\\ActivateAsUser",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.SecondaryTileView\\ActivateInSharedBroker",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.SecondaryTileView\\ActivateInBrokerForMediumILContainer",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.SecondaryTileView\\Permissions",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.SecondaryTileView\\ActivateOnHostFlags",
        "HKEY_CURRENT_USER\\Software\\Classes\\Interface\\{B3F72108-5C5C-469B-A5E5-3F64D2A39B01}",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{b3f72108-5c5c-469b-a5e5-3f64d2a39b01}\\ProxyStubClsid32",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{b3f72108-5c5c-469b-a5e5-3f64d2a39b01}\\ProxyStubClsid32\\(Default)",
        "HKEY_CURRENT_USER\\Software\\Classes\\Interface\\{7F290DA0-75E3-5885-898D-1F5B1ED47ED2}",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{7f290da0-75e3-5885-898d-1f5b1ed47ed2}\\ProxyStubClsid32",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{7f290da0-75e3-5885-898d-1f5b1ed47ed2}\\ProxyStubClsid32\\(Default)",
        "HKEY_CURRENT_USER\\Software\\Classes\\Interface\\{9ED07B24-36FD-543B-948E-B01FE5814B49}",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{9ed07b24-36fd-543b-948e-b01fe5814b49}\\ProxyStubClsid32",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{9ed07b24-36fd-543b-948e-b01fe5814b49}\\ProxyStubClsid32\\(Default)",
        "HKEY_CURRENT_USER\\Software\\Classes\\Interface\\{EFE869FC-5841-55F1-AA56-82C7219AAA09}",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{efe869fc-5841-55f1-aa56-82c7219aaa09}\\ProxyStubClsid32",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{efe869fc-5841-55f1-aa56-82c7219aaa09}\\ProxyStubClsid32\\(Default)",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.UI.Shell.TaskbarManager",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.UI.Shell.TaskbarManager\\ActivationType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.UI.Shell.TaskbarManager\\Server",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.UI.Shell.TaskbarManager\\DllPath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.UI.Shell.TaskbarManager\\Threading",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.UI.Shell.TaskbarManager\\TrustLevel",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.UI.Shell.TaskbarManager\\CustomAttributes",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.UI.Shell.TaskbarManager\\RemoteServer",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.UI.Shell.TaskbarManager\\ActivateAsUser",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.UI.Shell.TaskbarManager\\ActivateInSharedBroker",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.UI.Shell.TaskbarManager\\ActivateInBrokerForMediumILContainer",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.UI.Shell.TaskbarManager\\Permissions",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.UI.Shell.TaskbarManager\\ActivateOnHostFlags",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.ApplicationModel.TaskbarPinnableSurface",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.ApplicationModel.TaskbarPinnableSurface\\ActivationType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.ApplicationModel.TaskbarPinnableSurface\\Server",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.ApplicationModel.TaskbarPinnableSurface\\DllPath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.ApplicationModel.TaskbarPinnableSurface\\Threading",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.ApplicationModel.TaskbarPinnableSurface\\TrustLevel",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.ApplicationModel.TaskbarPinnableSurface\\CustomAttributes",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.ApplicationModel.TaskbarPinnableSurface\\RemoteServer",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.ApplicationModel.TaskbarPinnableSurface\\ActivateAsUser",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.ApplicationModel.TaskbarPinnableSurface\\ActivateInSharedBroker",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.ApplicationModel.TaskbarPinnableSurface\\ActivateInBrokerForMediumILContainer",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.ApplicationModel.TaskbarPinnableSurface\\Permissions",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.ApplicationModel.TaskbarPinnableSurface\\ActivateOnHostFlags",
        "HKEY_CURRENT_USER\\Software\\Classes\\Interface\\{7E470A8A-3ACD-5913-AF64-4AB78355BE5F}",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{7E470A8A-3ACD-5913-AF64-4AB78355BE5F}\\ProxyStubClsid32",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{7E470A8A-3ACD-5913-AF64-4AB78355BE5F}\\ProxyStubClsid32\\(Default)",
        "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{9F1FA092-87AA-C78A-4073-7E873ED1E3CF}",
        "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{9F1FA092-87AA-C78A-4073-7E873ED1E3CF}\\TreatAs",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{9F1FA092-87AA-C78A-4073-7E873ED1E3CF}\\TreatAs",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{9F1FA092-87AA-C78A-4073-7E873ED1E3CF}\\ActivateOnHostFlags",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{9F1FA092-87AA-C78A-4073-7E873ED1E3CF}\\(Default)",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{9F1FA092-87AA-C78A-4073-7E873ED1E3CF}\\InprocServer32",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{9F1FA092-87AA-C78A-4073-7E873ED1E3CF}\\InProcServer32\\InprocServer32",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{9F1FA092-87AA-C78A-4073-7E873ED1E3CF}\\InProcServer32\\(Default)",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{9F1FA092-87AA-C78A-4073-7E873ED1E3CF}\\InProcServer32\\ThreadingModel",
        "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{9F1FA092-87AA-C78A-4073-7E873ED1E3CF}\\InprocHandler32",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{9F1FA092-87AA-C78A-4073-7E873ED1E3CF}\\InprocHandler32",
        "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{9F1FA092-87AA-C78A-4073-7E873ED1E3CF}\\InprocHandler",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{9F1FA092-87AA-C78A-4073-7E873ED1E3CF}\\InprocHandler",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{9F1FA092-87AA-C78A-4073-7E873ED1E3CF}\\LocalServer32",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{9F1FA092-87AA-C78A-4073-7E873ED1E3CF}\\AppID",
        "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{9F1FA092-87AA-C78A-4073-7E873ED1E3CF}\\LocalServer",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{9F1FA092-87AA-C78A-4073-7E873ED1E3CF}\\LocalServer",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{9F1FA092-87AA-C78A-4073-7E873ED1E3CF}\\Elevation",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.UI.StartScreen.StartScreenManager",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.UI.StartScreen.StartScreenManager\\ActivationType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.UI.StartScreen.StartScreenManager\\Server",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.UI.StartScreen.StartScreenManager\\DllPath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.UI.StartScreen.StartScreenManager\\Threading",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.UI.StartScreen.StartScreenManager\\TrustLevel",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.UI.StartScreen.StartScreenManager\\CustomAttributes",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.UI.StartScreen.StartScreenManager\\RemoteServer",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.UI.StartScreen.StartScreenManager\\ActivateAsUser",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.UI.StartScreen.StartScreenManager\\ActivateInSharedBroker",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.UI.StartScreen.StartScreenManager\\ActivateInBrokerForMediumILContainer",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.UI.StartScreen.StartScreenManager\\Permissions",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.UI.StartScreen.StartScreenManager\\ActivateOnHostFlags",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.System.User",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.System.User\\ActivationType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.System.User\\Server",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.System.User\\DllPath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.System.User\\Threading",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.System.User\\TrustLevel",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.System.User\\CustomAttributes",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.System.User\\RemoteServer",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.System.User\\ActivateAsUser",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.System.User\\ActivateInSharedBroker",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.System.User\\ActivateInBrokerForMediumILContainer",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.System.User\\Permissions",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.System.User\\ActivateOnHostFlags",
        "HKEY_CURRENT_USER\\Software\\Classes\\Interface\\{155EB23B-242A-45E0-A2E9-3171FC6A7FDD}",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{155EB23B-242A-45E0-A2E9-3171FC6A7FDD}\\ProxyStubClsid32",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{155EB23B-242A-45E0-A2E9-3171FC6A7FDD}\\ProxyStubClsid32\\(Default)",
        "HKEY_CURRENT_USER\\Software\\Classes\\Interface\\{E44EA1DF-BB85-5A8C-BDDC-C8E960C355C9}",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{e44ea1df-bb85-5a8c-bddc-c8e960c355c9}\\ProxyStubClsid32",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{e44ea1df-bb85-5a8c-bddc-c8e960c355c9}\\ProxyStubClsid32\\(Default)",
        "HKEY_CURRENT_USER\\Software\\Classes\\Interface\\{8CBD762A-1222-5EE5-B745-489E7A42C6EC}",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{8cbd762a-1222-5ee5-b745-489e7a42c6ec}\\ProxyStubClsid32",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{8cbd762a-1222-5ee5-b745-489e7a42c6ec}\\ProxyStubClsid32\\(Default)",
        "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\PinnableSurfaces",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\PinnableSurfaces\\DefaultStart",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.ApplicationModel.StartPinnableSurface",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.ApplicationModel.StartPinnableSurface\\ActivationType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.ApplicationModel.StartPinnableSurface\\Server",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.ApplicationModel.StartPinnableSurface\\DllPath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.ApplicationModel.StartPinnableSurface\\Threading",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.ApplicationModel.StartPinnableSurface\\TrustLevel",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.ApplicationModel.StartPinnableSurface\\CustomAttributes",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.ApplicationModel.StartPinnableSurface\\RemoteServer",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.ApplicationModel.StartPinnableSurface\\ActivateAsUser",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.ApplicationModel.StartPinnableSurface\\ActivateInSharedBroker",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.ApplicationModel.StartPinnableSurface\\ActivateInBrokerForMediumILContainer",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.ApplicationModel.StartPinnableSurface\\Permissions",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.ApplicationModel.StartPinnableSurface\\ActivateOnHostFlags",
        "HKEY_CURRENT_USER\\Software\\Classes\\AppID\\{338B40F9-9D68-4B53-A793-6B9AA0C5F63B}",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\AppID\\{338B40F9-9D68-4B53-A793-6B9AA0C5F63B}\\(Default)",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\AppID\\{338B40F9-9D68-4B53-A793-6B9AA0C5F63B}\\LocalService",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\AppID\\{338B40F9-9D68-4B53-A793-6B9AA0C5F63B}\\DllSurrogate",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\AppID\\{338B40F9-9D68-4B53-A793-6B9AA0C5F63B}\\RunAs",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\AppID\\{338B40F9-9D68-4B53-A793-6B9AA0C5F63B}\\ActivateAtStorage",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\AppID\\{338B40F9-9D68-4B53-A793-6B9AA0C5F63B}\\ROTFlags",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\AppID\\{338B40F9-9D68-4B53-A793-6B9AA0C5F63B}\\AppIDFlags",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\AppID\\{338B40F9-9D68-4B53-A793-6B9AA0C5F63B}\\MGOTFlags",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\AppID\\{338B40F9-9D68-4B53-A793-6B9AA0C5F63B}\\ProcessMitigationPolicy",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\AppID\\{338B40F9-9D68-4B53-A793-6B9AA0C5F63B}\\LaunchPermission",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Ole\\LegacyAuthenticationLevel",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Ole\\LegacyImpersonationLevel",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\AppID\\{338B40F9-9D68-4B53-A793-6B9AA0C5F63B}\\AuthenticationLevel",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\AppID\\{338B40F9-9D68-4B53-A793-6B9AA0C5F63B}\\RemoteServerName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\AppID\\{338B40F9-9D68-4B53-A793-6B9AA0C5F63B}\\SRPTrustLevel",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\AppID\\{338B40F9-9D68-4B53-A793-6B9AA0C5F63B}\\PreferredServerBitness",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\AppID\\{338B40F9-9D68-4B53-A793-6B9AA0C5F63B}\\LoadUserSettings",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\AppID\\{338B40F9-9D68-4B53-A793-6B9AA0C5F63B}\\ProtectionLevel",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\AppID\\{338B40F9-9D68-4B53-A793-6B9AA0C5F63B}\\AccessPermission",
        "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{338B40F9-9D68-4B53-A793-6B9AA0C5F63B}",
        "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{338B40F9-9D68-4B53-A793-6B9AA0C5F63B}\\TreatAs",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{338B40F9-9D68-4B53-A793-6B9AA0C5F63B}\\TreatAs",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{338B40F9-9D68-4B53-A793-6B9AA0C5F63B}\\ActivateOnHostFlags",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{338B40F9-9D68-4B53-A793-6B9AA0C5F63B}\\(Default)",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{338B40F9-9D68-4B53-A793-6B9AA0C5F63B}\\InprocServer32",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{338B40F9-9D68-4B53-A793-6B9AA0C5F63B}\\InProcServer32\\InprocServer32",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{338B40F9-9D68-4B53-A793-6B9AA0C5F63B}\\InProcServer32\\(Default)",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{338B40F9-9D68-4B53-A793-6B9AA0C5F63B}\\InProcServer32\\ThreadingModel",
        "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{338B40F9-9D68-4B53-A793-6B9AA0C5F63B}\\InprocHandler32",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{338B40F9-9D68-4B53-A793-6B9AA0C5F63B}\\InprocHandler32",
        "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{338B40F9-9D68-4B53-A793-6B9AA0C5F63B}\\InprocHandler",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{338B40F9-9D68-4B53-A793-6B9AA0C5F63B}\\InprocHandler",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{338B40F9-9D68-4B53-A793-6B9AA0C5F63B}\\LocalServer32",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{338B40F9-9D68-4B53-A793-6B9AA0C5F63B}\\AppID",
        "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{338B40F9-9D68-4B53-A793-6B9AA0C5F63B}\\LocalServer",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{338B40F9-9D68-4B53-A793-6B9AA0C5F63B}\\LocalServer",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{338B40F9-9D68-4B53-A793-6B9AA0C5F63B}\\Elevation",
        "HKEY_CURRENT_USER\\Software\\Classes\\Interface\\{8863F93E-77EA-4C67-A86F-7638E3A568A6}",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{8863F93E-77EA-4C67-A86F-7638E3A568A6}\\ProxyStubClsid32",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{8863F93E-77EA-4C67-A86F-7638E3A568A6}\\ProxyStubClsid32\\(Default)",
        "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{A6FF50C0-56C0-71CA-5732-BED303A59628}",
        "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{A6FF50C0-56C0-71CA-5732-BED303A59628}\\TreatAs",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{A6FF50C0-56C0-71CA-5732-BED303A59628}\\TreatAs",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{A6FF50C0-56C0-71CA-5732-BED303A59628}\\ActivateOnHostFlags",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{A6FF50C0-56C0-71CA-5732-BED303A59628}\\(Default)",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{A6FF50C0-56C0-71CA-5732-BED303A59628}\\InprocServer32",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{A6FF50C0-56C0-71CA-5732-BED303A59628}\\InProcServer32\\InprocServer32",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{A6FF50C0-56C0-71CA-5732-BED303A59628}\\InProcServer32\\(Default)",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{A6FF50C0-56C0-71CA-5732-BED303A59628}\\InProcServer32\\ThreadingModel",
        "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{A6FF50C0-56C0-71CA-5732-BED303A59628}\\InprocHandler32",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{A6FF50C0-56C0-71CA-5732-BED303A59628}\\InprocHandler32",
        "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{A6FF50C0-56C0-71CA-5732-BED303A59628}\\InprocHandler",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{A6FF50C0-56C0-71CA-5732-BED303A59628}\\InprocHandler",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{A6FF50C0-56C0-71CA-5732-BED303A59628}\\LocalServer32",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{A6FF50C0-56C0-71CA-5732-BED303A59628}\\AppID",
        "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{A6FF50C0-56C0-71CA-5732-BED303A59628}\\LocalServer",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{A6FF50C0-56C0-71CA-5732-BED303A59628}\\LocalServer",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{A6FF50C0-56C0-71CA-5732-BED303A59628}\\Elevation"
      ],
      "read_keys": [
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\SideBySide\\PreferExternalManifest",
        "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\TaskManager\\StartUpTab",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\FipsAlgorithmPolicy\\STE",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\FipsAlgorithmPolicy\\Enabled",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\FipsAlgorithmPolicy",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\FipsAlgorithmPolicy\\MDMEnabled",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\en-AU",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\ExtendedLocale\\en-AU",
        "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\TaskManager\\Preferences",
        "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\TaskManager\\UseStatusSetting",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\en-US",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\ExtendedLocale\\en-US",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Session Manager\\ResourcePolicies",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\DataStore_V1.0\\Disable",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\DataStore_V1.0\\DataFilePath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Plane1",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Plane2",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Plane3",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Plane4",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Plane5",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Plane6",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Plane7",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Plane8",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Plane9",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Plane10",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Plane11",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Plane12",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Plane13",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Plane14",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Plane15",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Plane16",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\OOBE\\LaunchUserOOBE",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\Sorting\\Versions\\000603xx",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\EnableAnchorContext",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\IsVailContainer",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Input\\ResyncResetTime",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Input\\MaxResyncAttempts",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\WindowsLogon\\HideFastUserSwitching\\PolicyType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\WindowsLogon\\HideFastUserSwitching\\Behavior",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\WindowsLogon\\HideFastUserSwitching\\MergeAlgorithm",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\WindowsLogon\\HideFastUserSwitching\\RegKeyPathRedirectMapped",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\WindowsLogon\\HideFastUserSwitching\\RegKeyPathRedirect",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\WindowsLogon\\HideFastUserSwitching\\RegValueNameRedirect",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\WindowsLogon\\HideFastUserSwitching\\grouppolicyname",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\WindowsLogon\\HideFastUserSwitching\\ADMXMetadataUser",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\WindowsLogon\\HideFastUserSwitching\\ADMXMetadataDevice",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\WindowsLogon\\HideFastUserSwitching\\ADMXMetadataBoth",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\WindowsLogon\\HideFastUserSwitching\\30Value",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\WindowsLogon\\HideFastUserSwitching\\Value",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\HideFastUserSwitching",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Networking.UX.UXManager\\ActivationType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Networking.UX.UXManager\\Server",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Networking.UX.UXManager\\DllPath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Networking.UX.UXManager\\Threading",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Networking.UX.UXManager\\TrustLevel",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Networking.UX.UXManager\\RemoteServer",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Networking.UX.UXManager\\ActivateAsUser",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Networking.UX.UXManager\\ActivateInSharedBroker",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Networking.UX.UXManager\\ActivateInBrokerForMediumILContainer",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Networking.UX.UXManager\\Permissions",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Networking.UX.UXManager\\ActivateOnHostFlags",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Ole\\MaxSxSHashCount",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SecurityManager\\AdminCapabilities\\shellExperience",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\NetworkUxManager\\Windows.Networking.UX.Internal.DAMediaManager\\Active",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\NetworkUxManager\\Windows.Networking.UX.Internal.DAMediaManager\\MediaType",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\NetworkUxManager\\Windows.Networking.UX.Internal.EthernetMediaManager\\Active",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\NetworkUxManager\\Windows.Networking.UX.Internal.EthernetMediaManager\\MediaType",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\NetworkUxManager\\Windows.Networking.UX.Internal.MBMediaManager\\Active",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\NetworkUxManager\\Windows.Networking.UX.Internal.MBMediaManager\\MediaType",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\NetworkUxManager\\Windows.Networking.UX.Internal.RasMediaManager\\Active",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\NetworkUxManager\\Windows.Networking.UX.Internal.RasMediaManager\\MediaType",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\NetworkUxManager\\Windows.Networking.UX.Internal.WlanMediaManager\\Active",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\NetworkUxManager\\Windows.Networking.UX.Internal.WlanMediaManager\\MediaType",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\Sorting\\Ids\\en-AU",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\Sorting\\Ids\\en",
        "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Themes\\Personalize\\AppsUseLightTheme",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes\\Segoe UI",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\\Name",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\\ParentFolder",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\\Description",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\\RelativePath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\\ParsingName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\\InfoTip",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\\LocalizedName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\\Icon",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\\Security",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\\StreamResourceType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\\LocalRedirectOnly",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\\Roamable",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\\PreCreate",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\\Stream",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\\PublishExpandedPath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\\DefinitionFlags",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\\Attributes",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\\FolderTypeID",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\\InitFolderHandler",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\ProgramFilesDir (x86)",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{6D809377-6AF0-444b-8957-A3773F02200E}\\Category",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{6D809377-6AF0-444b-8957-A3773F02200E}\\Name",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{6D809377-6AF0-444b-8957-A3773F02200E}\\ParentFolder",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{6D809377-6AF0-444b-8957-A3773F02200E}\\Description",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{6D809377-6AF0-444b-8957-A3773F02200E}\\RelativePath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{6D809377-6AF0-444b-8957-A3773F02200E}\\ParsingName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{6D809377-6AF0-444b-8957-A3773F02200E}\\InfoTip",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{6D809377-6AF0-444b-8957-A3773F02200E}\\LocalizedName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{6D809377-6AF0-444b-8957-A3773F02200E}\\Icon",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{6D809377-6AF0-444b-8957-A3773F02200E}\\Security",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{6D809377-6AF0-444b-8957-A3773F02200E}\\StreamResource",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{6D809377-6AF0-444b-8957-A3773F02200E}\\StreamResourceType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{6D809377-6AF0-444b-8957-A3773F02200E}\\LocalRedirectOnly",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{6D809377-6AF0-444b-8957-A3773F02200E}\\Roamable",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{6D809377-6AF0-444b-8957-A3773F02200E}\\PreCreate",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{6D809377-6AF0-444b-8957-A3773F02200E}\\Stream",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{6D809377-6AF0-444b-8957-A3773F02200E}\\PublishExpandedPath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{6D809377-6AF0-444b-8957-A3773F02200E}\\DefinitionFlags",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{6D809377-6AF0-444b-8957-A3773F02200E}\\Attributes",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{6D809377-6AF0-444b-8957-A3773F02200E}\\FolderTypeID",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{6D809377-6AF0-444b-8957-A3773F02200E}\\InitFolderHandler",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\ProgramFilesDir",
        "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\EnableBalloonTips",
        "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\ListviewAlphaSelect",
        "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\ListviewShadow",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\\Category",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\\ParentFolder",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\\Description",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\\RelativePath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\\ParsingName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\\InfoTip",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\\LocalizedName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\\Icon",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\\Security",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\\StreamResource",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\\StreamResourceType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\\LocalRedirectOnly",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\\Roamable",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\\PreCreate",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\\Stream",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\\PublishExpandedPath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\\DefinitionFlags",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\\Attributes",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\\FolderTypeID",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\\InitFolderHandler",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{26460E96-1D01-43E4-9FB8-B7ED958F362B}\\ProxyStubClsid32\\(Default)",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\\Category",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\\Name",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\\ParentFolder",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\\Description",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\\RelativePath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\\ParsingName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\\InfoTip",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\\LocalizedName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\\Icon",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\\Security",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\\StreamResource",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\\StreamResourceType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\\LocalRedirectOnly",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\\Roamable",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\\PreCreate",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\\Stream",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\\PublishExpandedPath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\\Attributes",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\\FolderTypeID",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\\InitFolderHandler",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{905e63b6-c1bf-494e-b29c-65b732d3d21a}\\Category",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{905e63b6-c1bf-494e-b29c-65b732d3d21a}\\Name",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{905e63b6-c1bf-494e-b29c-65b732d3d21a}\\ParentFolder",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{905e63b6-c1bf-494e-b29c-65b732d3d21a}\\Description",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{905e63b6-c1bf-494e-b29c-65b732d3d21a}\\RelativePath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{905e63b6-c1bf-494e-b29c-65b732d3d21a}\\ParsingName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{905e63b6-c1bf-494e-b29c-65b732d3d21a}\\InfoTip",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{905e63b6-c1bf-494e-b29c-65b732d3d21a}\\LocalizedName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{905e63b6-c1bf-494e-b29c-65b732d3d21a}\\Icon",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{905e63b6-c1bf-494e-b29c-65b732d3d21a}\\Security",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{905e63b6-c1bf-494e-b29c-65b732d3d21a}\\StreamResource",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{905e63b6-c1bf-494e-b29c-65b732d3d21a}\\StreamResourceType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{905e63b6-c1bf-494e-b29c-65b732d3d21a}\\LocalRedirectOnly",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{905e63b6-c1bf-494e-b29c-65b732d3d21a}\\Roamable",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{905e63b6-c1bf-494e-b29c-65b732d3d21a}\\PreCreate",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{905e63b6-c1bf-494e-b29c-65b732d3d21a}\\Stream",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{905e63b6-c1bf-494e-b29c-65b732d3d21a}\\PublishExpandedPath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{905e63b6-c1bf-494e-b29c-65b732d3d21a}\\DefinitionFlags",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{905e63b6-c1bf-494e-b29c-65b732d3d21a}\\Attributes",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{905e63b6-c1bf-494e-b29c-65b732d3d21a}\\FolderTypeID",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{905e63b6-c1bf-494e-b29c-65b732d3d21a}\\InitFolderHandler",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{5FDD51E2-A9D0-44CE-8C8D-162BA0C591A0}\\InprocServer32\\(Default)",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{5FDD51E2-A9D0-44CE-8C8D-162BA0C591A0}\\Patterns\\7\\Pattern",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{5FDD51E2-A9D0-44CE-8C8D-162BA0C591A0}\\Patterns\\8\\Pattern",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{5FDD51E2-A9D0-44CE-8C8D-162BA0C591A0}\\Patterns\\0\\Position",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{5FDD51E2-A9D0-44CE-8C8D-162BA0C591A0}\\Patterns\\0\\EndOfStream",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{5FDD51E2-A9D0-44CE-8C8D-162BA0C591A0}\\Patterns\\0\\Mask",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{5FDD51E2-A9D0-44CE-8C8D-162BA0C591A0}\\Patterns\\1\\Position",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{5FDD51E2-A9D0-44CE-8C8D-162BA0C591A0}\\Patterns\\1\\Mask",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{5FDD51E2-A9D0-44CE-8C8D-162BA0C591A0}\\Patterns\\10\\Position",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{5FDD51E2-A9D0-44CE-8C8D-162BA0C591A0}\\Patterns\\10\\EndOfStream",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{5FDD51E2-A9D0-44CE-8C8D-162BA0C591A0}\\Patterns\\10\\Pattern",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{5FDD51E2-A9D0-44CE-8C8D-162BA0C591A0}\\Patterns\\10\\Mask",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{5FDD51E2-A9D0-44CE-8C8D-162BA0C591A0}\\Patterns\\11\\Position",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{5FDD51E2-A9D0-44CE-8C8D-162BA0C591A0}\\Patterns\\12\\Position",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{5FDD51E2-A9D0-44CE-8C8D-162BA0C591A0}\\Patterns\\12\\EndOfStream",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{5FDD51E2-A9D0-44CE-8C8D-162BA0C591A0}\\Patterns\\12\\Pattern",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{5FDD51E2-A9D0-44CE-8C8D-162BA0C591A0}\\Patterns\\12\\Mask",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B97D20BB-F46A-4C97-BA10-5E3608430854}\\Category",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B97D20BB-F46A-4C97-BA10-5E3608430854}\\Name",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B97D20BB-F46A-4C97-BA10-5E3608430854}\\ParentFolder",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B97D20BB-F46A-4C97-BA10-5E3608430854}\\Description",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B97D20BB-F46A-4C97-BA10-5E3608430854}\\RelativePath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B97D20BB-F46A-4C97-BA10-5E3608430854}\\ParsingName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B97D20BB-F46A-4C97-BA10-5E3608430854}\\InfoTip",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{5FDD51E2-A9D0-44CE-8C8D-162BA0C591A0}\\Patterns\\2\\Position",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B97D20BB-F46A-4C97-BA10-5E3608430854}\\LocalizedName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{5FDD51E2-A9D0-44CE-8C8D-162BA0C591A0}\\Patterns\\2\\EndOfStream",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B97D20BB-F46A-4C97-BA10-5E3608430854}\\StreamResource",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B97D20BB-F46A-4C97-BA10-5E3608430854}\\StreamResourceType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B97D20BB-F46A-4C97-BA10-5E3608430854}\\LocalRedirectOnly",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B97D20BB-F46A-4C97-BA10-5E3608430854}\\Roamable",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{5FDD51E2-A9D0-44CE-8C8D-162BA0C591A0}\\Patterns\\2\\Mask",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B97D20BB-F46A-4C97-BA10-5E3608430854}\\PreCreate",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B97D20BB-F46A-4C97-BA10-5E3608430854}\\Stream",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B97D20BB-F46A-4C97-BA10-5E3608430854}\\PublishExpandedPath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B97D20BB-F46A-4C97-BA10-5E3608430854}\\DefinitionFlags",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B97D20BB-F46A-4C97-BA10-5E3608430854}\\Attributes",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B97D20BB-F46A-4C97-BA10-5E3608430854}\\FolderTypeID",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B97D20BB-F46A-4C97-BA10-5E3608430854}\\InitFolderHandler",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{5FDD51E2-A9D0-44CE-8C8D-162BA0C591A0}\\Patterns\\3\\Mask",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{5FDD51E2-A9D0-44CE-8C8D-162BA0C591A0}\\Patterns\\4\\Position",
        "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders\\Startup",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{5FDD51E2-A9D0-44CE-8C8D-162BA0C591A0}\\Patterns\\4\\Mask",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{5FDD51E2-A9D0-44CE-8C8D-162BA0C591A0}\\Patterns\\5\\Mask",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{82A5EA35-D9CD-47C5-9629-E15D2F714E6E}\\Name",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{5FDD51E2-A9D0-44CE-8C8D-162BA0C591A0}\\Patterns\\6\\Position",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{82A5EA35-D9CD-47C5-9629-E15D2F714E6E}\\ParentFolder",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{5FDD51E2-A9D0-44CE-8C8D-162BA0C591A0}\\Patterns\\6\\EndOfStream",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{82A5EA35-D9CD-47C5-9629-E15D2F714E6E}\\RelativePath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{82A5EA35-D9CD-47C5-9629-E15D2F714E6E}\\ParsingName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{82A5EA35-D9CD-47C5-9629-E15D2F714E6E}\\InfoTip",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{82A5EA35-D9CD-47C5-9629-E15D2F714E6E}\\LocalizedName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{82A5EA35-D9CD-47C5-9629-E15D2F714E6E}\\Icon",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{82A5EA35-D9CD-47C5-9629-E15D2F714E6E}\\Security",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{82A5EA35-D9CD-47C5-9629-E15D2F714E6E}\\Roamable",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{82A5EA35-D9CD-47C5-9629-E15D2F714E6E}\\Stream",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{82A5EA35-D9CD-47C5-9629-E15D2F714E6E}\\PublishExpandedPath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{82A5EA35-D9CD-47C5-9629-E15D2F714E6E}\\DefinitionFlags",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{82A5EA35-D9CD-47C5-9629-E15D2F714E6E}\\Attributes",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{82A5EA35-D9CD-47C5-9629-E15D2F714E6E}\\FolderTypeID",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{5FDD51E2-A9D0-44CE-8C8D-162BA0C591A0}\\Patterns\\7\\Mask",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders\\Common Startup",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{5FDD51E2-A9D0-44CE-8C8D-162BA0C591A0}\\Patterns\\8\\Position",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\SecurityHealth",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{5FDD51E2-A9D0-44CE-8C8D-162BA0C591A0}\\Patterns\\9\\Pattern",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{5FDD51E2-A9D0-44CE-8C8D-162BA0C591A0}\\Patterns\\9\\Mask",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Max Cached Icons",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F1B32785-6FBA-4FCF-9D55-7B8E7F157091}\\Category",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F1B32785-6FBA-4FCF-9D55-7B8E7F157091}\\Name",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F1B32785-6FBA-4FCF-9D55-7B8E7F157091}\\ParentFolder",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F1B32785-6FBA-4FCF-9D55-7B8E7F157091}\\Description",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F1B32785-6FBA-4FCF-9D55-7B8E7F157091}\\RelativePath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F1B32785-6FBA-4FCF-9D55-7B8E7F157091}\\ParsingName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F1B32785-6FBA-4FCF-9D55-7B8E7F157091}\\InfoTip",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F1B32785-6FBA-4FCF-9D55-7B8E7F157091}\\LocalizedName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F1B32785-6FBA-4FCF-9D55-7B8E7F157091}\\Security",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F1B32785-6FBA-4FCF-9D55-7B8E7F157091}\\StreamResource",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F1B32785-6FBA-4FCF-9D55-7B8E7F157091}\\StreamResourceType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F1B32785-6FBA-4FCF-9D55-7B8E7F157091}\\LocalRedirectOnly",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F1B32785-6FBA-4FCF-9D55-7B8E7F157091}\\Roamable",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F1B32785-6FBA-4FCF-9D55-7B8E7F157091}\\PreCreate",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F1B32785-6FBA-4FCF-9D55-7B8E7F157091}\\Stream",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F1B32785-6FBA-4FCF-9D55-7B8E7F157091}\\PublishExpandedPath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F1B32785-6FBA-4FCF-9D55-7B8E7F157091}\\DefinitionFlags",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F1B32785-6FBA-4FCF-9D55-7B8E7F157091}\\Attributes",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F1B32785-6FBA-4FCF-9D55-7B8E7F157091}\\FolderTypeID",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F1B32785-6FBA-4FCF-9D55-7B8E7F157091}\\InitFolderHandler",
        "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders\\Local AppData",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\\Category",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\\Name",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\\ParentFolder",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\\Description",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\\RelativePath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\\ParsingName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\\InfoTip",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\\LocalizedName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\\Icon",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\\Security",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\\StreamResource",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\\StreamResourceType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\\LocalRedirectOnly",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\\Roamable",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\\PreCreate",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\\Stream",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\\PublishExpandedPath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\\DefinitionFlags",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\\Attributes",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\\FolderTypeID",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\\InitFolderHandler",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList\\S-1-5-21-3968686040-3210279463-847977608-1001\\ProfileImagePath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{618736E0-3C3D-11CF-810C-00AA00389B71}\\ProxyStubClsid32\\(Default)",
        "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\AccListViewV6",
        "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\UseDoubleClickTimer",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{D782CCBA-AFB0-43F1-94DB-FDA3779EACCB}\\ProxyStubClsid32\\(Default)",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\UseDefaultTile",
        "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\GlobalAssocChangedCounter",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\CAPEAgent",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\StartupApproved\\Run\\CAPEAgent",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\NoPropertiesMyComputer",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\NoPropertiesRecycleBin",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\NoControlPanel",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\NoSetFolders",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\NoInternetIcon",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Desktop\\NameSpace\\ValidateRegItems",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Desktop\\NameSpace\\MonitorRegistry",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\NoCommonGroups",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\Attributes",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\CallForAttributes",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\RestrictedAttributes",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\FolderValueFlags",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\NonEnum\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MyComputer\\NameSpace\\ValidateRegItems",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MyComputer\\NameSpace\\MonitorRegistry",
        "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{528c102f-0000-0000-0000-300300000000}\\Data",
        "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{528c102f-0000-0000-0000-300300000000}\\Generation",
        "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{528c102f-0000-0000-0000-100000000000}\\Data",
        "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{528c102f-0000-0000-0000-100000000000}\\Generation",
        "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{528c102f-0000-0000-0000-c0dd0e000000}\\Data",
        "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{528c102f-0000-0000-0000-c0dd0e000000}\\Generation",
        "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{e32a94c0-5af2-11f1-ae2c-806e6f6e6963}\\Data",
        "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{e32a94c0-5af2-11f1-ae2c-806e6f6e6963}\\Generation",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\DontShowSuperHidden",
        "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\ShellState",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\NoWebView",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\ClassicShell",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\SeparateProcess",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\NoNetCrawling",
        "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\Hidden",
        "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\ShowCompColor",
        "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\HideFileExt",
        "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\DontPrettyPath",
        "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\ShowInfoTip",
        "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\HideIcons",
        "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\MapNetDrvBtn",
        "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\WebView",
        "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\Filter",
        "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\ShowSuperHidden",
        "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\SeparateProcess",
        "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\NoNetCrawling",
        "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\AutoCheckSelect",
        "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\IconsOnly",
        "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\ShowTypeOverlay",
        "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\ShowStatusBar",
        "HKEY_CURRENT_USER\\Software\\Classes\\Directory\\DocObject",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Folder\\DocObject",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\AllFilesystemObjects\\DocObject",
        "HKEY_CURRENT_USER\\Software\\Classes\\Directory\\BrowseInPlace",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Folder\\BrowseInPlace",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\AllFilesystemObjects\\BrowseInPlace",
        "HKEY_CURRENT_USER\\Software\\Classes\\Directory\\IsShortcut",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Folder\\IsShortcut",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\AllFilesystemObjects\\IsShortcut",
        "HKEY_CURRENT_USER\\Software\\Classes\\Directory\\AlwaysShowExt",
        "HKEY_CURRENT_USER\\Software\\Classes\\Directory\\NeverShowExt",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Folder\\NeverShowExt",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\AllFilesystemObjects\\NeverShowExt",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\KindMap\\.exe",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.exe\\Content Type",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\AllowFileCLSIDJunctions",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.exe\\(Default)",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\exefile\\DocObject",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\SystemFileAssociations\\.exe\\DocObject",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\exefile\\BrowseInPlace",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\SystemFileAssociations\\.exe\\BrowseInPlace",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\exefile\\IsShortcut",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\SystemFileAssociations\\.exe\\IsShortcut",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\exefile\\AlwaysShowExt",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\SystemFileAssociations\\.exe\\AlwaysShowExt",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\exefile\\NeverShowExt",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\SystemFileAssociations\\.exe\\NeverShowExt",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Session Manager\\SafeProcessSearchMode",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Desktop\\NameSpace\\DelegateFolders\\StorageDelegateSuppressionPolicy",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Desktop\\NameSpace\\DelegateFolders\\StorageDelegate",
        "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\OneDrive",
        "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\StartupApproved\\Run\\OneDrive",
        "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\Discord",
        "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\StartupApproved\\Run\\Discord",
        "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\Steam",
        "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\StartupApproved\\Run\\Steam",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.ApplicationModel.Internal.StartupTaskInternal\\ActivationType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.ApplicationModel.Internal.StartupTaskInternal\\Server",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.ApplicationModel.Internal.StartupTaskInternal\\DllPath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.ApplicationModel.Internal.StartupTaskInternal\\Threading",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.ApplicationModel.Internal.StartupTaskInternal\\TrustLevel",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.ApplicationModel.Internal.StartupTaskInternal\\RemoteServer",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.ApplicationModel.Internal.StartupTaskInternal\\ActivateAsUser",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.ApplicationModel.Internal.StartupTaskInternal\\ActivateInSharedBroker",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.ApplicationModel.Internal.StartupTaskInternal\\ActivateInBrokerForMediumILContainer",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.ApplicationModel.Internal.StartupTaskInternal\\Permissions",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.ApplicationModel.Internal.StartupTaskInternal\\ActivateOnHostFlags",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SecurityManager\\AdminCapabilities\\automatedAppLaunch",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Foundation.Diagnostics.AsyncCausalityTracer\\ActivationType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Foundation.Diagnostics.AsyncCausalityTracer\\Server",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Foundation.Diagnostics.AsyncCausalityTracer\\DllPath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Foundation.Diagnostics.AsyncCausalityTracer\\Threading",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Foundation.Diagnostics.AsyncCausalityTracer\\TrustLevel",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Foundation.Diagnostics.AsyncCausalityTracer\\RemoteServer",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Foundation.Diagnostics.AsyncCausalityTracer\\ActivateAsUser",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Foundation.Diagnostics.AsyncCausalityTracer\\ActivateInSharedBroker",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Foundation.Diagnostics.AsyncCausalityTracer\\ActivateInBrokerForMediumILContainer",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Foundation.Diagnostics.AsyncCausalityTracer\\Permissions",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Foundation.Diagnostics.AsyncCausalityTracer\\ActivateOnHostFlags",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.ApplicationExtension\\ActivationType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.ApplicationExtension\\Server",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.ApplicationExtension\\DllPath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.ApplicationExtension\\Threading",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.ApplicationExtension\\TrustLevel",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.ApplicationExtension\\RemoteServer",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.ApplicationExtension\\ActivateAsUser",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.ApplicationExtension\\ActivateInSharedBroker",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.ApplicationExtension\\ActivateInBrokerForMediumILContainer",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.ApplicationExtension\\Permissions",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.ApplicationExtension\\ActivateOnHostFlags",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\Server\\StateRepository\\ExePath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\Server\\StateRepository\\CommandLine",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\Server\\StateRepository\\IdentityType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\Server\\StateRepository\\Permissions",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\Server\\StateRepository\\ActivatableClasses",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\Server\\StateRepository\\ServerType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\Server\\StateRepository\\AppId",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\Server\\StateRepository\\Identity",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\Server\\StateRepository\\ServiceName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\Server\\StateRepository\\ExplicitPsmActivationType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{b94b62a2-4012-4b7e-a395-f21cc665fd12}\\ProxyStubClsid32\\(Default)",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}\\ActivateOnHostFlags",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}\\(Default)",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}\\InProcServer32\\InprocServer32",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}\\InProcServer32\\(Default)",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}\\InProcServer32\\ThreadingModel",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}\\AppID",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{AF86E2E0-B12D-4c6a-9C5A-D7AA65101E90}\\ProxyStubClsid32\\(Default)",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{6cb10ed7-4bca-5561-b2e1-40e1197c1b0c}\\ProxyStubClsid32\\(Default)",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.Package\\ActivationType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.Package\\Server",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.Package\\DllPath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.Package\\Threading",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.Package\\TrustLevel",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.Package\\RemoteServer",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.Package\\ActivateAsUser",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.Package\\ActivateInSharedBroker",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.Package\\ActivateInBrokerForMediumILContainer",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.Package\\Permissions",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.Package\\ActivateOnHostFlags",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{0450ce77-af0d-40ac-93fd-1e5d48c89419}\\ProxyStubClsid32\\(Default)",
        "HKEY_CURRENT_USER\\Control Panel\\International\\User Profile\\Languages",
        "HKEY_CURRENT_USER\\Control Panel\\International\\Geo\\Nation",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1e87508d-89c2-42f0-8a7e-645a0f50ca58}\\Category",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1e87508d-89c2-42f0-8a7e-645a0f50ca58}\\Name",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1e87508d-89c2-42f0-8a7e-645a0f50ca58}\\ParentFolder",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1e87508d-89c2-42f0-8a7e-645a0f50ca58}\\Description",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1e87508d-89c2-42f0-8a7e-645a0f50ca58}\\RelativePath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1e87508d-89c2-42f0-8a7e-645a0f50ca58}\\ParsingName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1e87508d-89c2-42f0-8a7e-645a0f50ca58}\\InfoTip",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1e87508d-89c2-42f0-8a7e-645a0f50ca58}\\LocalizedName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1e87508d-89c2-42f0-8a7e-645a0f50ca58}\\Icon",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1e87508d-89c2-42f0-8a7e-645a0f50ca58}\\Security",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1e87508d-89c2-42f0-8a7e-645a0f50ca58}\\StreamResource",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1e87508d-89c2-42f0-8a7e-645a0f50ca58}\\StreamResourceType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1e87508d-89c2-42f0-8a7e-645a0f50ca58}\\LocalRedirectOnly",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1e87508d-89c2-42f0-8a7e-645a0f50ca58}\\Roamable",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1e87508d-89c2-42f0-8a7e-645a0f50ca58}\\PreCreate",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1e87508d-89c2-42f0-8a7e-645a0f50ca58}\\Stream",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1e87508d-89c2-42f0-8a7e-645a0f50ca58}\\PublishExpandedPath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1e87508d-89c2-42f0-8a7e-645a0f50ca58}\\DefinitionFlags",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1e87508d-89c2-42f0-8a7e-645a0f50ca58}\\Attributes",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1e87508d-89c2-42f0-8a7e-645a0f50ca58}\\FolderTypeID",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1e87508d-89c2-42f0-8a7e-645a0f50ca58}\\InitFolderHandler",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{4234d49b-0245-4df3-b780-3893943456e1}\\SortOrderIndex",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{4234d49b-0245-4df3-b780-3893943456e1}\\ShellFolder\\Attributes",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{4234d49b-0245-4df3-b780-3893943456e1}\\ShellFolder\\CallForAttributes",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{4234d49b-0245-4df3-b780-3893943456e1}\\ShellFolder\\RestrictedAttributes",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{4234d49b-0245-4df3-b780-3893943456e1}\\ShellFolder\\FolderValueFlags",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\NonEnum\\{4234D49B-0245-4DF3-B780-3893943456E1}",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\PreXPSP2ShellProtocolBehavior",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{4234d49b-0245-4df3-b780-3893943456e1}\\InProcServer32\\(Default)",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{4234d49b-0245-4df3-b780-3893943456e1}\\InProcServer32\\LoadWithoutCOM",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\AppCompatFlags\\LogFlags",
        "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Shell Extensions\\Cached\\{4234D49B-0245-4DF3-B780-3893943456E1} {000214E6-0000-0000-C000-000000000046} 0xFFFF",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.Tiles.TileStore\\ActivationType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.Tiles.TileStore\\Server",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.Tiles.TileStore\\DllPath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.Tiles.TileStore\\Threading",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.Tiles.TileStore\\TrustLevel",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.Tiles.TileStore\\RemoteServer",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.Tiles.TileStore\\ActivateAsUser",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.Tiles.TileStore\\ActivateInSharedBroker",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.Tiles.TileStore\\ActivateInBrokerForMediumILContainer",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.Tiles.TileStore\\Permissions",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.Tiles.TileStore\\ActivateOnHostFlags",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.User\\ActivationType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.User\\Server",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.User\\DllPath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.User\\Threading",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.User\\TrustLevel",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.User\\RemoteServer",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.User\\ActivateAsUser",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.User\\ActivateInSharedBroker",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.User\\ActivateInBrokerForMediumILContainer",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.User\\Permissions",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.User\\ActivateOnHostFlags",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{84103ccb-2fd7-4d6c-962e-5d8582b4c720}\\ProxyStubClsid32\\(Default)",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{5232f8ea-49c7-4840-bfbb-66e785689e88}\\ProxyStubClsid32\\(Default)",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.TileView\\ActivationType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.TileView\\Server",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.TileView\\DllPath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.TileView\\Threading",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.TileView\\TrustLevel",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.TileView\\RemoteServer",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.TileView\\ActivateAsUser",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.TileView\\ActivateInSharedBroker",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.TileView\\ActivateInBrokerForMediumILContainer",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.TileView\\Permissions",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.TileView\\ActivateOnHostFlags",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{6d3bc882-23a4-4706-b8fa-fc7de2fc325d}\\ProxyStubClsid32\\(Default)",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.Tiles.TileQueryFilter\\ActivationType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.Tiles.TileQueryFilter\\Server",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.Tiles.TileQueryFilter\\DllPath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.Tiles.TileQueryFilter\\Threading",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.Tiles.TileQueryFilter\\TrustLevel",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.Tiles.TileQueryFilter\\RemoteServer",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.Tiles.TileQueryFilter\\ActivateAsUser",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.Tiles.TileQueryFilter\\ActivateInSharedBroker",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.Tiles.TileQueryFilter\\ActivateInBrokerForMediumILContainer",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.Tiles.TileQueryFilter\\Permissions",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.Tiles.TileQueryFilter\\ActivateOnHostFlags",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.TileViewQueryFilter\\ActivationType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.TileViewQueryFilter\\Server",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.TileViewQueryFilter\\DllPath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.TileViewQueryFilter\\Threading",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.TileViewQueryFilter\\TrustLevel",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.TileViewQueryFilter\\RemoteServer",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.TileViewQueryFilter\\ActivateAsUser",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.TileViewQueryFilter\\ActivateInSharedBroker",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.TileViewQueryFilter\\ActivateInBrokerForMediumILContainer",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.TileViewQueryFilter\\Permissions",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.TileViewQueryFilter\\ActivateOnHostFlags",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{e3dd5d31-892e-4ad6-9ce9-8fe1f185047b}\\ProxyStubClsid32\\(Default)",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{6a905a4b-cd66-5c7c-ab57-f5eb16c97257}\\ProxyStubClsid32\\(Default)",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{2be22368-4c98-5e9f-ac2b-de493c0c3e43}\\ProxyStubClsid32\\(Default)",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{f502008f-7a0e-5757-8e65-ebad2e5a0e21}\\ProxyStubClsid32\\(Default)",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{19ad9e30-89f3-48f6-9c50-e34a59494544}\\ProxyStubClsid32\\(Default)",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{8a43ed9f-f4e6-4421-acf9-1dab2986820c}\\ProxyStubClsid32\\(Default)",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{11659a23-5884-4d1b-9cf6-67d6f4f90b36}\\ActivateOnHostFlags",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{11659a23-5884-4d1b-9cf6-67d6f4f90b36}\\(Default)",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{11659a23-5884-4d1b-9cf6-67d6f4f90b36}\\InProcServer32\\InprocServer32",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{11659a23-5884-4d1b-9cf6-67d6f4f90b36}\\InProcServer32\\(Default)",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{11659a23-5884-4d1b-9cf6-67d6f4f90b36}\\InProcServer32\\ThreadingModel",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{11659a23-5884-4d1b-9cf6-67d6f4f90b36}\\AppID",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{3bed20a5-6dee-4297-b976-3b30df69a7aa}\\ProxyStubClsid32\\(Default)",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{195f5943-0c04-4eab-b907-735817fdac77}\\ProxyStubClsid32\\(Default)",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\Package\\Data\\1f\\InstalledLocation",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\Package\\Data\\1f\\MutableLink",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{1b0d3570-0877-5ec2-8a2c-3b9539506aca}\\ProxyStubClsid32\\(Default)",
        "HKEY_CURRENT_USER\\Software\\Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\Repository\\Packages\\Microsoft.Windows.StartMenuExperienceHost_10.0.19041.3636_neutral_neutral_cw5n1h2txyewy\\PackageStatus",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\Package\\Data\\1f\\PackageOrigin",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\Package\\Data\\1f\\Flags",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.UI.Core.CoreWindow\\ActivationType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.UI.Core.CoreWindow\\Server",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.UI.Core.CoreWindow\\DllPath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.UI.Core.CoreWindow\\Threading",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.UI.Core.CoreWindow\\TrustLevel",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.UI.Core.CoreWindow\\RemoteServer",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.UI.Core.CoreWindow\\ActivateAsUser",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.UI.Core.CoreWindow\\ActivateInSharedBroker",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.UI.Core.CoreWindow\\ActivateInBrokerForMediumILContainer",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.UI.Core.CoreWindow\\Permissions",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.UI.Core.CoreWindow\\ActivateOnHostFlags",
        "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Internet Explorer\\Main\\FrameTabWindow",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Internet Explorer\\Main\\FrameTabWindow",
        "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Internet Explorer\\Main\\FrameMerging",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Internet Explorer\\Main\\FrameMerging",
        "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Internet Explorer\\Main\\SessionMerging",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Internet Explorer\\Main\\SessionMerging",
        "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Internet Explorer\\Main\\AdminTabProcs",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Internet Explorer\\Main\\AdminTabProcs",
        "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Internet Explorer\\Security\\RunBinaryControlHostProcessInSeparateAppContainer",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Internet Explorer\\Security\\RunBinaryControlHostProcessInSeparateAppContainer",
        "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Internet Explorer\\Main\\TabProcGrowth",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Internet Explorer\\Main\\TabProcGrowth",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\CreateUriCacheSize",
        "HKEY_CURRENT_USER\\SOFTWARE\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\CreateUriCacheSize",
        "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\CreateUriCacheSize",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\CreateUriCacheSize",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\EnablePunycode",
        "HKEY_CURRENT_USER\\SOFTWARE\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\EnablePunycode",
        "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\EnablePunycode",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\EnablePunycode",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.Application\\ActivationType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.Application\\Server",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.Application\\DllPath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.Application\\Threading",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.Application\\TrustLevel",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.Application\\RemoteServer",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.Application\\ActivateAsUser",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.Application\\ActivateInSharedBroker",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.Application\\ActivateInBrokerForMediumILContainer",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.Application\\Permissions",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.Application\\ActivateOnHostFlags",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{d81e96f1-a89c-417e-9335-59531026309d}\\ProxyStubClsid32\\(Default)",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{8da928c9-4266-55d4-947a-48be47300831}\\ProxyStubClsid32\\(Default)",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\Package\\Data\\1a\\InstalledLocation",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\Package\\Data\\1a\\MutableLink",
        "HKEY_CURRENT_USER\\Software\\Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\Repository\\Packages\\Microsoft.Windows.Search_1.14.10.19041_neutral_neutral_cw5n1h2txyewy\\PackageStatus",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\Package\\Data\\1a\\PackageOrigin",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\Package\\Data\\1a\\Flags",
        "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Accent\\AccentPalette",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\Package\\Data\\22\\InstalledLocation",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\Package\\Data\\22\\MutableLink",
        "HKEY_CURRENT_USER\\Software\\Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\Repository\\Packages\\MicrosoftWindows.Client.CBS_1000.19053.1000.0_x64__cw5n1h2txyewy\\PackageStatus",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\Package\\Data\\22\\PackageOrigin",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\Package\\Data\\22\\Flags",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\TurnOffSPIAnimations",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\DevQuery\\1\\IdType",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\DevQuery\\1\\Transport",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\DevQuery\\1\\QueryFile",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\DevQuery\\1\\NoStateFile",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\DevQuery\\10\\IdType",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\DevQuery\\10\\Transport",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\DevQuery\\10\\UUID",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\DevQuery\\11\\IdType",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\DevQuery\\11\\Transport",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\DevQuery\\11\\QueryFile",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\DevQuery\\11\\NoStateFile",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\DevQuery\\2\\IdType",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\DevQuery\\2\\Transport",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\DevQuery\\2\\QueryFile",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\DevQuery\\2\\NoStateFile",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\DevQuery\\3\\IdType",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\DevQuery\\3\\Transport",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\DevQuery\\3\\QueryFile",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\DevQuery\\3\\NoStateFile",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\DevQuery\\4\\IdType",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\DevQuery\\4\\Transport",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\DevQuery\\4\\QueryFile",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\DevQuery\\4\\NoStateFile",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\DevQuery\\5\\IdType",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\DevQuery\\5\\Transport",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\DevQuery\\5\\UUID",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\DevQuery\\6\\IdType",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\DevQuery\\6\\Transport",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\DevQuery\\6\\UUID",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\DevQuery\\7\\IdType",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\DevQuery\\7\\Transport",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\DevQuery\\7\\QueryFile",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\DevQuery\\7\\NoStateFile",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\DevQuery\\8\\IdType",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\DevQuery\\8\\Transport",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\DevQuery\\8\\DllName",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\DevQuery\\8\\DevQueryEntry",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\DevQuery\\9\\IdType",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\DevQuery\\9\\Transport",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\DevQuery\\9\\DllName",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\DevQuery\\9\\DevQueryEntry",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\Last Counter",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\Last Help",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{16fa106f-26c3-42a5-982b-400779ea8970}\\ProviderType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{16fa106f-26c3-42a5-982b-400779ea8970}\\ProviderName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{16fa106f-26c3-42a5-982b-400779ea8970}\\ApplicationIdentity",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{16fa106f-26c3-42a5-982b-400779ea8970}\\{a4b0515f-2c2f-4fc4-87f5-b3a3a8747225}\\InstanceType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{16fa106f-26c3-42a5-982b-400779ea8970}\\{a4b0515f-2c2f-4fc4-87f5-b3a3a8747225}\\NameResource",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{16fa106f-26c3-42a5-982b-400779ea8970}\\{a4b0515f-2c2f-4fc4-87f5-b3a3a8747225}\\ExplainResource",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{16fa106f-26c3-42a5-982b-400779ea8970}\\{a4b0515f-2c2f-4fc4-87f5-b3a3a8747225}\\First Counter",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{16fa106f-26c3-42a5-982b-400779ea8970}\\{a4b0515f-2c2f-4fc4-87f5-b3a3a8747225}\\Last Counter",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{16fa106f-26c3-42a5-982b-400779ea8970}\\{a4b0515f-2c2f-4fc4-87f5-b3a3a8747225}\\CounterBlock",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{16fa106f-26c3-42a5-982b-400779ea8970}\\{a4b0515f-2c2f-4fc4-87f5-b3a3a8747225}\\CounterCount",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{1ffc4a37-aabd-49e0-8b3d-fce8b099febb}\\ProviderType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{1ffc4a37-aabd-49e0-8b3d-fce8b099febb}\\ProviderName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{1ffc4a37-aabd-49e0-8b3d-fce8b099febb}\\ApplicationIdentity",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{1ffc4a37-aabd-49e0-8b3d-fce8b099febb}\\{d049a97f-9f42-4c11-ad73-5d8c68b30258}\\InstanceType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{1ffc4a37-aabd-49e0-8b3d-fce8b099febb}\\{d049a97f-9f42-4c11-ad73-5d8c68b30258}\\NameResource",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{1ffc4a37-aabd-49e0-8b3d-fce8b099febb}\\{d049a97f-9f42-4c11-ad73-5d8c68b30258}\\ExplainResource",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{1ffc4a37-aabd-49e0-8b3d-fce8b099febb}\\{d049a97f-9f42-4c11-ad73-5d8c68b30258}\\First Counter",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{1ffc4a37-aabd-49e0-8b3d-fce8b099febb}\\{d049a97f-9f42-4c11-ad73-5d8c68b30258}\\Last Counter",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{1ffc4a37-aabd-49e0-8b3d-fce8b099febb}\\{d049a97f-9f42-4c11-ad73-5d8c68b30258}\\CounterBlock",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{1ffc4a37-aabd-49e0-8b3d-fce8b099febb}\\{d049a97f-9f42-4c11-ad73-5d8c68b30258}\\CounterCount",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{20fe1a3a-af21-413c-8a7b-b7fbf6c9a059}\\ProviderType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{20fe1a3a-af21-413c-8a7b-b7fbf6c9a059}\\ProviderName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{20fe1a3a-af21-413c-8a7b-b7fbf6c9a059}\\ApplicationIdentity",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{20fe1a3a-af21-413c-8a7b-b7fbf6c9a059}\\{8a922684-7993-4b38-9929-b7366f01ec4a}\\InstanceType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{20fe1a3a-af21-413c-8a7b-b7fbf6c9a059}\\{8a922684-7993-4b38-9929-b7366f01ec4a}\\NameResource",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{20fe1a3a-af21-413c-8a7b-b7fbf6c9a059}\\{8a922684-7993-4b38-9929-b7366f01ec4a}\\ExplainResource",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{20fe1a3a-af21-413c-8a7b-b7fbf6c9a059}\\{8a922684-7993-4b38-9929-b7366f01ec4a}\\First Counter",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{20fe1a3a-af21-413c-8a7b-b7fbf6c9a059}\\{8a922684-7993-4b38-9929-b7366f01ec4a}\\Last Counter",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{20fe1a3a-af21-413c-8a7b-b7fbf6c9a059}\\{8a922684-7993-4b38-9929-b7366f01ec4a}\\CounterBlock",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{20fe1a3a-af21-413c-8a7b-b7fbf6c9a059}\\{8a922684-7993-4b38-9929-b7366f01ec4a}\\CounterCount",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{2538387c-08b7-44b8-86d3-47f59cf6d056}\\ProviderType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{2538387c-08b7-44b8-86d3-47f59cf6d056}\\ProviderName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{2538387c-08b7-44b8-86d3-47f59cf6d056}\\ApplicationIdentity",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{2538387c-08b7-44b8-86d3-47f59cf6d056}\\{2538387c-08b7-44b8-86d3-47f59cf6d057}\\InstanceType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{2538387c-08b7-44b8-86d3-47f59cf6d056}\\{2538387c-08b7-44b8-86d3-47f59cf6d057}\\NameResource",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{2538387c-08b7-44b8-86d3-47f59cf6d056}\\{2538387c-08b7-44b8-86d3-47f59cf6d057}\\ExplainResource",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{2538387c-08b7-44b8-86d3-47f59cf6d056}\\{2538387c-08b7-44b8-86d3-47f59cf6d057}\\First Counter",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{2538387c-08b7-44b8-86d3-47f59cf6d056}\\{2538387c-08b7-44b8-86d3-47f59cf6d057}\\Last Counter",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{2538387c-08b7-44b8-86d3-47f59cf6d056}\\{2538387c-08b7-44b8-86d3-47f59cf6d057}\\CounterBlock",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{2538387c-08b7-44b8-86d3-47f59cf6d056}\\{2538387c-08b7-44b8-86d3-47f59cf6d057}\\CounterCount",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{2a32a3f9-ee0c-40ff-8a75-e1e747d15b1f}\\ProviderType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{2a32a3f9-ee0c-40ff-8a75-e1e747d15b1f}\\ProviderName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{2a32a3f9-ee0c-40ff-8a75-e1e747d15b1f}\\ApplicationIdentity",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{2a32a3f9-ee0c-40ff-8a75-e1e747d15b1f}\\{d11168c5-9f29-43bc-9269-0548637a62b0}\\InstanceType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{2a32a3f9-ee0c-40ff-8a75-e1e747d15b1f}\\{d11168c5-9f29-43bc-9269-0548637a62b0}\\NameResource",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{2a32a3f9-ee0c-40ff-8a75-e1e747d15b1f}\\{d11168c5-9f29-43bc-9269-0548637a62b0}\\ExplainResource",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{2a32a3f9-ee0c-40ff-8a75-e1e747d15b1f}\\{d11168c5-9f29-43bc-9269-0548637a62b0}\\First Counter",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{2a32a3f9-ee0c-40ff-8a75-e1e747d15b1f}\\{d11168c5-9f29-43bc-9269-0548637a62b0}\\Last Counter",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{2a32a3f9-ee0c-40ff-8a75-e1e747d15b1f}\\{d11168c5-9f29-43bc-9269-0548637a62b0}\\CounterBlock",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{2a32a3f9-ee0c-40ff-8a75-e1e747d15b1f}\\{d11168c5-9f29-43bc-9269-0548637a62b0}\\CounterCount",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{2ccb0d8d-ea94-4235-986b-c97f61f63969}\\ProviderType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{2ccb0d8d-ea94-4235-986b-c97f61f63969}\\ProviderName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{2ccb0d8d-ea94-4235-986b-c97f61f63969}\\ApplicationIdentity",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{2ccb0d8d-ea94-4235-986b-c97f61f63969}\\{ef82017e-50e2-4ca2-b9ec-b9895ab70e08}\\InstanceType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{2ccb0d8d-ea94-4235-986b-c97f61f63969}\\{ef82017e-50e2-4ca2-b9ec-b9895ab70e08}\\NameResource",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{2ccb0d8d-ea94-4235-986b-c97f61f63969}\\{ef82017e-50e2-4ca2-b9ec-b9895ab70e08}\\ExplainResource",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{2ccb0d8d-ea94-4235-986b-c97f61f63969}\\{ef82017e-50e2-4ca2-b9ec-b9895ab70e08}\\First Counter",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{2ccb0d8d-ea94-4235-986b-c97f61f63969}\\{ef82017e-50e2-4ca2-b9ec-b9895ab70e08}\\Last Counter",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{2ccb0d8d-ea94-4235-986b-c97f61f63969}\\{ef82017e-50e2-4ca2-b9ec-b9895ab70e08}\\NeutralName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{2ccb0d8d-ea94-4235-986b-c97f61f63969}\\{ef82017e-50e2-4ca2-b9ec-b9895ab70e08}\\CounterBlock",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{2ccb0d8d-ea94-4235-986b-c97f61f63969}\\{ef82017e-50e2-4ca2-b9ec-b9895ab70e08}\\CounterCount",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{2ea0b998-e7e8-41c6-8abc-093083ea21d7}\\ProviderType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{2ea0b998-e7e8-41c6-8abc-093083ea21d7}\\ProviderName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{2ea0b998-e7e8-41c6-8abc-093083ea21d7}\\ApplicationIdentity",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{2ea0b998-e7e8-41c6-8abc-093083ea21d7}\\{687d8f80-ffea-4de5-a41f-3e1c83378839}\\InstanceType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{2ea0b998-e7e8-41c6-8abc-093083ea21d7}\\{687d8f80-ffea-4de5-a41f-3e1c83378839}\\NameResource",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{2ea0b998-e7e8-41c6-8abc-093083ea21d7}\\{687d8f80-ffea-4de5-a41f-3e1c83378839}\\ExplainResource",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{2ea0b998-e7e8-41c6-8abc-093083ea21d7}\\{687d8f80-ffea-4de5-a41f-3e1c83378839}\\First Counter",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{2ea0b998-e7e8-41c6-8abc-093083ea21d7}\\{687d8f80-ffea-4de5-a41f-3e1c83378839}\\Last Counter",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{2ea0b998-e7e8-41c6-8abc-093083ea21d7}\\{687d8f80-ffea-4de5-a41f-3e1c83378839}\\CounterBlock",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{2ea0b998-e7e8-41c6-8abc-093083ea21d7}\\{687d8f80-ffea-4de5-a41f-3e1c83378839}\\CounterCount",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{31a5ebe2-c765-490a-937c-b0ab2787fe15}\\ProviderType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{31a5ebe2-c765-490a-937c-b0ab2787fe15}\\ProviderName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{31a5ebe2-c765-490a-937c-b0ab2787fe15}\\ApplicationIdentity",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{31a5ebe2-c765-490a-937c-b0ab2787fe15}\\{c73dfef0-11b8-4a3f-a1ad-0dcbbc5186ef}\\InstanceType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{31a5ebe2-c765-490a-937c-b0ab2787fe15}\\{c73dfef0-11b8-4a3f-a1ad-0dcbbc5186ef}\\NameResource",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{31a5ebe2-c765-490a-937c-b0ab2787fe15}\\{c73dfef0-11b8-4a3f-a1ad-0dcbbc5186ef}\\ExplainResource",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{31a5ebe2-c765-490a-937c-b0ab2787fe15}\\{c73dfef0-11b8-4a3f-a1ad-0dcbbc5186ef}\\First Counter",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{31a5ebe2-c765-490a-937c-b0ab2787fe15}\\{c73dfef0-11b8-4a3f-a1ad-0dcbbc5186ef}\\Last Counter",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{31a5ebe2-c765-490a-937c-b0ab2787fe15}\\{c73dfef0-11b8-4a3f-a1ad-0dcbbc5186ef}\\NeutralName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{31a5ebe2-c765-490a-937c-b0ab2787fe15}\\{c73dfef0-11b8-4a3f-a1ad-0dcbbc5186ef}\\CounterBlock",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{31a5ebe2-c765-490a-937c-b0ab2787fe15}\\{c73dfef0-11b8-4a3f-a1ad-0dcbbc5186ef}\\CounterCount",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{3817cb9c-49a8-436b-bc29-5518877d3c3a}\\ProviderType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{3817cb9c-49a8-436b-bc29-5518877d3c3a}\\ProviderName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{3817cb9c-49a8-436b-bc29-5518877d3c3a}\\ApplicationIdentity",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{3817cb9c-49a8-436b-bc29-5518877d3c3a}\\{82fa211f-e7f8-4ab5-a04c-cc523073b971}\\InstanceType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{3817cb9c-49a8-436b-bc29-5518877d3c3a}\\{82fa211f-e7f8-4ab5-a04c-cc523073b971}\\NameResource",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{3817cb9c-49a8-436b-bc29-5518877d3c3a}\\{82fa211f-e7f8-4ab5-a04c-cc523073b971}\\ExplainResource",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{3817cb9c-49a8-436b-bc29-5518877d3c3a}\\{82fa211f-e7f8-4ab5-a04c-cc523073b971}\\First Counter",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{3817cb9c-49a8-436b-bc29-5518877d3c3a}\\{82fa211f-e7f8-4ab5-a04c-cc523073b971}\\Last Counter",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{3817cb9c-49a8-436b-bc29-5518877d3c3a}\\{82fa211f-e7f8-4ab5-a04c-cc523073b971}\\CounterBlock",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{3817cb9c-49a8-436b-bc29-5518877d3c3a}\\{82fa211f-e7f8-4ab5-a04c-cc523073b971}\\CounterCount",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{383487a6-3676-4870-a4e7-d45b30c35629}\\ProviderType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{383487a6-3676-4870-a4e7-d45b30c35629}\\ProviderName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{383487a6-3676-4870-a4e7-d45b30c35629}\\ApplicationIdentity",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{383487a6-3676-4870-a4e7-d45b30c35629}\\{2f66fd0a-9f6c-4d91-9f2f-2a1b5e41b7dc}\\InstanceType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{383487a6-3676-4870-a4e7-d45b30c35629}\\{2f66fd0a-9f6c-4d91-9f2f-2a1b5e41b7dc}\\NameResource",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{383487a6-3676-4870-a4e7-d45b30c35629}\\{2f66fd0a-9f6c-4d91-9f2f-2a1b5e41b7dc}\\ExplainResource",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{383487a6-3676-4870-a4e7-d45b30c35629}\\{2f66fd0a-9f6c-4d91-9f2f-2a1b5e41b7dc}\\First Counter",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{383487a6-3676-4870-a4e7-d45b30c35629}\\{2f66fd0a-9f6c-4d91-9f2f-2a1b5e41b7dc}\\Last Counter",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{383487a6-3676-4870-a4e7-d45b30c35629}\\{2f66fd0a-9f6c-4d91-9f2f-2a1b5e41b7dc}\\NeutralName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{383487a6-3676-4870-a4e7-d45b30c35629}\\{2f66fd0a-9f6c-4d91-9f2f-2a1b5e41b7dc}\\CounterBlock",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{383487a6-3676-4870-a4e7-d45b30c35629}\\{2f66fd0a-9f6c-4d91-9f2f-2a1b5e41b7dc}\\CounterCount",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{383487a6-3676-4870-a4e7-d45b30c35629}\\{370e979a-377a-4f30-b2c4-9a0fd072890b}\\InstanceType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{383487a6-3676-4870-a4e7-d45b30c35629}\\{370e979a-377a-4f30-b2c4-9a0fd072890b}\\NameResource",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{383487a6-3676-4870-a4e7-d45b30c35629}\\{370e979a-377a-4f30-b2c4-9a0fd072890b}\\ExplainResource",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{383487a6-3676-4870-a4e7-d45b30c35629}\\{370e979a-377a-4f30-b2c4-9a0fd072890b}\\First Counter",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{383487a6-3676-4870-a4e7-d45b30c35629}\\{370e979a-377a-4f30-b2c4-9a0fd072890b}\\Last Counter",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{383487a6-3676-4870-a4e7-d45b30c35629}\\{370e979a-377a-4f30-b2c4-9a0fd072890b}\\NeutralName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{383487a6-3676-4870-a4e7-d45b30c35629}\\{370e979a-377a-4f30-b2c4-9a0fd072890b}\\CounterBlock",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{383487a6-3676-4870-a4e7-d45b30c35629}\\{370e979a-377a-4f30-b2c4-9a0fd072890b}\\CounterCount",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{383487a6-3676-4870-a4e7-d45b30c35629}\\{42cd0051-9dd9-4fe2-8db9-d37885d2d749}\\InstanceType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{383487a6-3676-4870-a4e7-d45b30c35629}\\{42cd0051-9dd9-4fe2-8db9-d37885d2d749}\\NameResource",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{383487a6-3676-4870-a4e7-d45b30c35629}\\{42cd0051-9dd9-4fe2-8db9-d37885d2d749}\\ExplainResource",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{383487a6-3676-4870-a4e7-d45b30c35629}\\{42cd0051-9dd9-4fe2-8db9-d37885d2d749}\\First Counter",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{383487a6-3676-4870-a4e7-d45b30c35629}\\{42cd0051-9dd9-4fe2-8db9-d37885d2d749}\\Last Counter",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{383487a6-3676-4870-a4e7-d45b30c35629}\\{42cd0051-9dd9-4fe2-8db9-d37885d2d749}\\NeutralName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{383487a6-3676-4870-a4e7-d45b30c35629}\\{42cd0051-9dd9-4fe2-8db9-d37885d2d749}\\CounterBlock",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{383487a6-3676-4870-a4e7-d45b30c35629}\\{42cd0051-9dd9-4fe2-8db9-d37885d2d749}\\CounterCount",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{383487a6-3676-4870-a4e7-d45b30c35629}\\{52bc5412-dac2-449c-8bc2-96443888fe6b}\\InstanceType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{383487a6-3676-4870-a4e7-d45b30c35629}\\{52bc5412-dac2-449c-8bc2-96443888fe6b}\\NameResource",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{383487a6-3676-4870-a4e7-d45b30c35629}\\{52bc5412-dac2-449c-8bc2-96443888fe6b}\\ExplainResource",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{383487a6-3676-4870-a4e7-d45b30c35629}\\{52bc5412-dac2-449c-8bc2-96443888fe6b}\\First Counter",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{383487a6-3676-4870-a4e7-d45b30c35629}\\{52bc5412-dac2-449c-8bc2-96443888fe6b}\\Last Counter",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{383487a6-3676-4870-a4e7-d45b30c35629}\\{52bc5412-dac2-449c-8bc2-96443888fe6b}\\NeutralName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{383487a6-3676-4870-a4e7-d45b30c35629}\\{52bc5412-dac2-449c-8bc2-96443888fe6b}\\CounterBlock",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{383487a6-3676-4870-a4e7-d45b30c35629}\\{52bc5412-dac2-449c-8bc2-96443888fe6b}\\CounterCount",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{383487a6-3676-4870-a4e7-d45b30c35629}\\{b4fc721a-0378-476f-89ba-a5a79f810b36}\\InstanceType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{383487a6-3676-4870-a4e7-d45b30c35629}\\{b4fc721a-0378-476f-89ba-a5a79f810b36}\\NameResource",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{383487a6-3676-4870-a4e7-d45b30c35629}\\{b4fc721a-0378-476f-89ba-a5a79f810b36}\\ExplainResource",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{383487a6-3676-4870-a4e7-d45b30c35629}\\{b4fc721a-0378-476f-89ba-a5a79f810b36}\\First Counter",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{383487a6-3676-4870-a4e7-d45b30c35629}\\{b4fc721a-0378-476f-89ba-a5a79f810b36}\\Last Counter",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{383487a6-3676-4870-a4e7-d45b30c35629}\\{b4fc721a-0378-476f-89ba-a5a79f810b36}\\NeutralName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{383487a6-3676-4870-a4e7-d45b30c35629}\\{b4fc721a-0378-476f-89ba-a5a79f810b36}\\CounterBlock",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{383487a6-3676-4870-a4e7-d45b30c35629}\\{b4fc721a-0378-476f-89ba-a5a79f810b36}\\CounterCount",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{383487a6-3676-4870-a4e7-d45b30c35629}\\{ed83b00b-6afd-4063-9420-16fe0fa3b36f}\\InstanceType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{383487a6-3676-4870-a4e7-d45b30c35629}\\{ed83b00b-6afd-4063-9420-16fe0fa3b36f}\\NameResource",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{383487a6-3676-4870-a4e7-d45b30c35629}\\{ed83b00b-6afd-4063-9420-16fe0fa3b36f}\\ExplainResource",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{383487a6-3676-4870-a4e7-d45b30c35629}\\{ed83b00b-6afd-4063-9420-16fe0fa3b36f}\\First Counter",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{383487a6-3676-4870-a4e7-d45b30c35629}\\{ed83b00b-6afd-4063-9420-16fe0fa3b36f}\\Last Counter",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{383487a6-3676-4870-a4e7-d45b30c35629}\\{ed83b00b-6afd-4063-9420-16fe0fa3b36f}\\NeutralName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{383487a6-3676-4870-a4e7-d45b30c35629}\\{ed83b00b-6afd-4063-9420-16fe0fa3b36f}\\CounterBlock",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{383487a6-3676-4870-a4e7-d45b30c35629}\\{ed83b00b-6afd-4063-9420-16fe0fa3b36f}\\CounterCount",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{383487a6-3676-4870-a4e7-d45b30c35629}\\{f596750d-b109-4247-a62f-dea47a46e505}\\InstanceType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{383487a6-3676-4870-a4e7-d45b30c35629}\\{f596750d-b109-4247-a62f-dea47a46e505}\\NameResource",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{383487a6-3676-4870-a4e7-d45b30c35629}\\{f596750d-b109-4247-a62f-dea47a46e505}\\ExplainResource",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{383487a6-3676-4870-a4e7-d45b30c35629}\\{f596750d-b109-4247-a62f-dea47a46e505}\\First Counter",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{383487a6-3676-4870-a4e7-d45b30c35629}\\{f596750d-b109-4247-a62f-dea47a46e505}\\Last Counter",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{383487a6-3676-4870-a4e7-d45b30c35629}\\{f596750d-b109-4247-a62f-dea47a46e505}\\NeutralName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{383487a6-3676-4870-a4e7-d45b30c35629}\\{f596750d-b109-4247-a62f-dea47a46e505}\\CounterBlock",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{383487a6-3676-4870-a4e7-d45b30c35629}\\{f596750d-b109-4247-a62f-dea47a46e505}\\CounterCount",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{3def464b-f31b-4117-8fb7-bb829a0e1a15}\\ProviderType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{3def464b-f31b-4117-8fb7-bb829a0e1a15}\\ProviderName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{3def464b-f31b-4117-8fb7-bb829a0e1a15}\\ApplicationIdentity",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{3def464b-f31b-4117-8fb7-bb829a0e1a15}\\{2617bf8d-bedc-4231-b92b-1dd2d34ee225}\\InstanceType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{3def464b-f31b-4117-8fb7-bb829a0e1a15}\\{2617bf8d-bedc-4231-b92b-1dd2d34ee225}\\NameResource",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{3def464b-f31b-4117-8fb7-bb829a0e1a15}\\{2617bf8d-bedc-4231-b92b-1dd2d34ee225}\\ExplainResource",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{3def464b-f31b-4117-8fb7-bb829a0e1a15}\\{2617bf8d-bedc-4231-b92b-1dd2d34ee225}\\First Counter",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{3def464b-f31b-4117-8fb7-bb829a0e1a15}\\{2617bf8d-bedc-4231-b92b-1dd2d34ee225}\\Last Counter",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{3def464b-f31b-4117-8fb7-bb829a0e1a15}\\{2617bf8d-bedc-4231-b92b-1dd2d34ee225}\\NeutralName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{3def464b-f31b-4117-8fb7-bb829a0e1a15}\\{2617bf8d-bedc-4231-b92b-1dd2d34ee225}\\CounterBlock",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{3def464b-f31b-4117-8fb7-bb829a0e1a15}\\{2617bf8d-bedc-4231-b92b-1dd2d34ee225}\\CounterCount",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{3def464b-f31b-4117-8fb7-bb829a0e1a15}\\{4ad2297e-ee20-42b4-9cb7-13f6f1598dbd}\\InstanceType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{3def464b-f31b-4117-8fb7-bb829a0e1a15}\\{4ad2297e-ee20-42b4-9cb7-13f6f1598dbd}\\NameResource",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{3def464b-f31b-4117-8fb7-bb829a0e1a15}\\{4ad2297e-ee20-42b4-9cb7-13f6f1598dbd}\\ExplainResource",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{3def464b-f31b-4117-8fb7-bb829a0e1a15}\\{4ad2297e-ee20-42b4-9cb7-13f6f1598dbd}\\First Counter",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{3def464b-f31b-4117-8fb7-bb829a0e1a15}\\{4ad2297e-ee20-42b4-9cb7-13f6f1598dbd}\\Last Counter",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{3def464b-f31b-4117-8fb7-bb829a0e1a15}\\{4ad2297e-ee20-42b4-9cb7-13f6f1598dbd}\\NeutralName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{3def464b-f31b-4117-8fb7-bb829a0e1a15}\\{4ad2297e-ee20-42b4-9cb7-13f6f1598dbd}\\CounterBlock",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{3def464b-f31b-4117-8fb7-bb829a0e1a15}\\{4ad2297e-ee20-42b4-9cb7-13f6f1598dbd}\\CounterCount",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{3def464b-f31b-4117-8fb7-bb829a0e1a15}\\{59ceb84f-55ff-48c0-80cc-df0068501814}\\InstanceType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{3def464b-f31b-4117-8fb7-bb829a0e1a15}\\{59ceb84f-55ff-48c0-80cc-df0068501814}\\NameResource",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{3def464b-f31b-4117-8fb7-bb829a0e1a15}\\{59ceb84f-55ff-48c0-80cc-df0068501814}\\ExplainResource",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{3def464b-f31b-4117-8fb7-bb829a0e1a15}\\{59ceb84f-55ff-48c0-80cc-df0068501814}\\First Counter",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{3def464b-f31b-4117-8fb7-bb829a0e1a15}\\{59ceb84f-55ff-48c0-80cc-df0068501814}\\Last Counter",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{3def464b-f31b-4117-8fb7-bb829a0e1a15}\\{59ceb84f-55ff-48c0-80cc-df0068501814}\\NeutralName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{3def464b-f31b-4117-8fb7-bb829a0e1a15}\\{59ceb84f-55ff-48c0-80cc-df0068501814}\\CounterBlock",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{3def464b-f31b-4117-8fb7-bb829a0e1a15}\\{59ceb84f-55ff-48c0-80cc-df0068501814}\\CounterCount",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{3def464b-f31b-4117-8fb7-bb829a0e1a15}\\{882d9f58-d338-4a83-bc3d-23f5b0a98fa9}\\InstanceType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{3def464b-f31b-4117-8fb7-bb829a0e1a15}\\{882d9f58-d338-4a83-bc3d-23f5b0a98fa9}\\NameResource",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{3def464b-f31b-4117-8fb7-bb829a0e1a15}\\{882d9f58-d338-4a83-bc3d-23f5b0a98fa9}\\ExplainResource",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{3def464b-f31b-4117-8fb7-bb829a0e1a15}\\{882d9f58-d338-4a83-bc3d-23f5b0a98fa9}\\First Counter",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{3def464b-f31b-4117-8fb7-bb829a0e1a15}\\{882d9f58-d338-4a83-bc3d-23f5b0a98fa9}\\Last Counter",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{3def464b-f31b-4117-8fb7-bb829a0e1a15}\\{882d9f58-d338-4a83-bc3d-23f5b0a98fa9}\\NeutralName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{3def464b-f31b-4117-8fb7-bb829a0e1a15}\\{882d9f58-d338-4a83-bc3d-23f5b0a98fa9}\\CounterBlock",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{3def464b-f31b-4117-8fb7-bb829a0e1a15}\\{882d9f58-d338-4a83-bc3d-23f5b0a98fa9}\\CounterCount",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{3def464b-f31b-4117-8fb7-bb829a0e1a15}\\{987a3601-c362-48e4-a856-e28f070efb07}\\InstanceType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{3def464b-f31b-4117-8fb7-bb829a0e1a15}\\{987a3601-c362-48e4-a856-e28f070efb07}\\NameResource",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{3def464b-f31b-4117-8fb7-bb829a0e1a15}\\{987a3601-c362-48e4-a856-e28f070efb07}\\ExplainResource",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{3def464b-f31b-4117-8fb7-bb829a0e1a15}\\{987a3601-c362-48e4-a856-e28f070efb07}\\First Counter",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{3def464b-f31b-4117-8fb7-bb829a0e1a15}\\{987a3601-c362-48e4-a856-e28f070efb07}\\Last Counter",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{3def464b-f31b-4117-8fb7-bb829a0e1a15}\\{987a3601-c362-48e4-a856-e28f070efb07}\\NeutralName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{3def464b-f31b-4117-8fb7-bb829a0e1a15}\\{987a3601-c362-48e4-a856-e28f070efb07}\\CounterBlock",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{3def464b-f31b-4117-8fb7-bb829a0e1a15}\\{987a3601-c362-48e4-a856-e28f070efb07}\\CounterCount",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{3def464b-f31b-4117-8fb7-bb829a0e1a15}\\{9acaa205-c3ed-4acd-a911-6554d156b095}\\InstanceType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{3def464b-f31b-4117-8fb7-bb829a0e1a15}\\{9acaa205-c3ed-4acd-a911-6554d156b095}\\NameResource",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{3def464b-f31b-4117-8fb7-bb829a0e1a15}\\{9acaa205-c3ed-4acd-a911-6554d156b095}\\ExplainResource",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{3def464b-f31b-4117-8fb7-bb829a0e1a15}\\{9acaa205-c3ed-4acd-a911-6554d156b095}\\First Counter",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{3def464b-f31b-4117-8fb7-bb829a0e1a15}\\{9acaa205-c3ed-4acd-a911-6554d156b095}\\Last Counter",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{3def464b-f31b-4117-8fb7-bb829a0e1a15}\\{9acaa205-c3ed-4acd-a911-6554d156b095}\\NeutralName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{3def464b-f31b-4117-8fb7-bb829a0e1a15}\\{9acaa205-c3ed-4acd-a911-6554d156b095}\\CounterBlock",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{3def464b-f31b-4117-8fb7-bb829a0e1a15}\\{9acaa205-c3ed-4acd-a911-6554d156b095}\\CounterCount",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{3def464b-f31b-4117-8fb7-bb829a0e1a15}\\{9acaa206-c3ed-4acd-a911-6554d156b095}\\InstanceType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{3def464b-f31b-4117-8fb7-bb829a0e1a15}\\{9acaa206-c3ed-4acd-a911-6554d156b095}\\NameResource",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{3def464b-f31b-4117-8fb7-bb829a0e1a15}\\{9acaa206-c3ed-4acd-a911-6554d156b095}\\ExplainResource",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{3def464b-f31b-4117-8fb7-bb829a0e1a15}\\{9acaa206-c3ed-4acd-a911-6554d156b095}\\First Counter",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{3def464b-f31b-4117-8fb7-bb829a0e1a15}\\{9acaa206-c3ed-4acd-a911-6554d156b095}\\Last Counter",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{3def464b-f31b-4117-8fb7-bb829a0e1a15}\\{9acaa206-c3ed-4acd-a911-6554d156b095}\\NeutralName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{3def464b-f31b-4117-8fb7-bb829a0e1a15}\\{9acaa206-c3ed-4acd-a911-6554d156b095}\\CounterBlock",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{3def464b-f31b-4117-8fb7-bb829a0e1a15}\\{9acaa206-c3ed-4acd-a911-6554d156b095}\\CounterCount",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{3def464b-f31b-4117-8fb7-bb829a0e1a15}\\{c0fe4189-5cfa-4659-9eba-10541cc395a0}\\InstanceType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{3def464b-f31b-4117-8fb7-bb829a0e1a15}\\{c0fe4189-5cfa-4659-9eba-10541cc395a0}\\NameResource",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{3def464b-f31b-4117-8fb7-bb829a0e1a15}\\{c0fe4189-5cfa-4659-9eba-10541cc395a0}\\ExplainResource",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{3def464b-f31b-4117-8fb7-bb829a0e1a15}\\{c0fe4189-5cfa-4659-9eba-10541cc395a0}\\First Counter",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{3def464b-f31b-4117-8fb7-bb829a0e1a15}\\{c0fe4189-5cfa-4659-9eba-10541cc395a0}\\Last Counter",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{3def464b-f31b-4117-8fb7-bb829a0e1a15}\\{c0fe4189-5cfa-4659-9eba-10541cc395a0}\\NeutralName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{3def464b-f31b-4117-8fb7-bb829a0e1a15}\\{c0fe4189-5cfa-4659-9eba-10541cc395a0}\\CounterBlock",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{3def464b-f31b-4117-8fb7-bb829a0e1a15}\\{c0fe4189-5cfa-4659-9eba-10541cc395a0}\\CounterCount",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{3def464b-f31b-4117-8fb7-bb829a0e1a15}\\{c5a19aba-349b-49cc-94c8-f36404082727}\\InstanceType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{3def464b-f31b-4117-8fb7-bb829a0e1a15}\\{c5a19aba-349b-49cc-94c8-f36404082727}\\NameResource",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{3def464b-f31b-4117-8fb7-bb829a0e1a15}\\{c5a19aba-349b-49cc-94c8-f36404082727}\\ExplainResource",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{3def464b-f31b-4117-8fb7-bb829a0e1a15}\\{c5a19aba-349b-49cc-94c8-f36404082727}\\First Counter",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{3def464b-f31b-4117-8fb7-bb829a0e1a15}\\{c5a19aba-349b-49cc-94c8-f36404082727}\\Last Counter",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{3def464b-f31b-4117-8fb7-bb829a0e1a15}\\{c5a19aba-349b-49cc-94c8-f36404082727}\\NeutralName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{3def464b-f31b-4117-8fb7-bb829a0e1a15}\\{c5a19aba-349b-49cc-94c8-f36404082727}\\CounterBlock",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{3def464b-f31b-4117-8fb7-bb829a0e1a15}\\{c5a19aba-349b-49cc-94c8-f36404082727}\\CounterCount",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{3e785595-30c2-437d-96ed-677d14724610}\\ProviderType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{3e785595-30c2-437d-96ed-677d14724610}\\ProviderName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{3e785595-30c2-437d-96ed-677d14724610}\\ApplicationIdentity",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{3e785595-30c2-437d-96ed-677d14724610}\\{6ca1716d-53cd-468a-a1b3-59032c19c166}\\InstanceType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{3e785595-30c2-437d-96ed-677d14724610}\\{6ca1716d-53cd-468a-a1b3-59032c19c166}\\NameResource",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{3e785595-30c2-437d-96ed-677d14724610}\\{6ca1716d-53cd-468a-a1b3-59032c19c166}\\ExplainResource",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{3e785595-30c2-437d-96ed-677d14724610}\\{6ca1716d-53cd-468a-a1b3-59032c19c166}\\First Counter",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{3e785595-30c2-437d-96ed-677d14724610}\\{6ca1716d-53cd-468a-a1b3-59032c19c166}\\Last Counter",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{3e785595-30c2-437d-96ed-677d14724610}\\{6ca1716d-53cd-468a-a1b3-59032c19c166}\\CounterBlock",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{3e785595-30c2-437d-96ed-677d14724610}\\{6ca1716d-53cd-468a-a1b3-59032c19c166}\\CounterCount",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{408443b2-2164-418a-ad52-c761f93310f3}\\ProviderType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{408443b2-2164-418a-ad52-c761f93310f3}\\ProviderName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{408443b2-2164-418a-ad52-c761f93310f3}\\ApplicationIdentity",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{408443b2-2164-418a-ad52-c761f93310f3}\\{c3cf1c57-275d-4b71-a5a6-e4e90401b821}\\InstanceType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{408443b2-2164-418a-ad52-c761f93310f3}\\{c3cf1c57-275d-4b71-a5a6-e4e90401b821}\\NameResource",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{408443b2-2164-418a-ad52-c761f93310f3}\\{c3cf1c57-275d-4b71-a5a6-e4e90401b821}\\ExplainResource",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{408443b2-2164-418a-ad52-c761f93310f3}\\{c3cf1c57-275d-4b71-a5a6-e4e90401b821}\\First Counter",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{408443b2-2164-418a-ad52-c761f93310f3}\\{c3cf1c57-275d-4b71-a5a6-e4e90401b821}\\Last Counter",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{408443b2-2164-418a-ad52-c761f93310f3}\\{c3cf1c57-275d-4b71-a5a6-e4e90401b821}\\NeutralName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{408443b2-2164-418a-ad52-c761f93310f3}\\{c3cf1c57-275d-4b71-a5a6-e4e90401b821}\\CounterBlock",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{408443b2-2164-418a-ad52-c761f93310f3}\\{c3cf1c57-275d-4b71-a5a6-e4e90401b821}\\CounterCount",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{408443b2-2164-418a-ad52-c761f93310f3}\\{e363bd27-bfbd-4581-a142-ecc006a7b82b}\\InstanceType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{408443b2-2164-418a-ad52-c761f93310f3}\\{e363bd27-bfbd-4581-a142-ecc006a7b82b}\\NameResource",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{408443b2-2164-418a-ad52-c761f93310f3}\\{e363bd27-bfbd-4581-a142-ecc006a7b82b}\\ExplainResource",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{408443b2-2164-418a-ad52-c761f93310f3}\\{e363bd27-bfbd-4581-a142-ecc006a7b82b}\\First Counter",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{408443b2-2164-418a-ad52-c761f93310f3}\\{e363bd27-bfbd-4581-a142-ecc006a7b82b}\\Last Counter",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{408443b2-2164-418a-ad52-c761f93310f3}\\{e363bd27-bfbd-4581-a142-ecc006a7b82b}\\NeutralName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{408443b2-2164-418a-ad52-c761f93310f3}\\{e363bd27-bfbd-4581-a142-ecc006a7b82b}\\CounterBlock",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{408443b2-2164-418a-ad52-c761f93310f3}\\{e363bd27-bfbd-4581-a142-ecc006a7b82b}\\CounterCount",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{408443b2-2164-418a-ad52-c761f93310f3}\\{f961fa1c-6b9b-4d16-b414-499ed1f6d6f2}\\InstanceType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{408443b2-2164-418a-ad52-c761f93310f3}\\{f961fa1c-6b9b-4d16-b414-499ed1f6d6f2}\\NameResource",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{408443b2-2164-418a-ad52-c761f93310f3}\\{f961fa1c-6b9b-4d16-b414-499ed1f6d6f2}\\ExplainResource",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{408443b2-2164-418a-ad52-c761f93310f3}\\{f961fa1c-6b9b-4d16-b414-499ed1f6d6f2}\\First Counter",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{408443b2-2164-418a-ad52-c761f93310f3}\\{f961fa1c-6b9b-4d16-b414-499ed1f6d6f2}\\Last Counter",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{408443b2-2164-418a-ad52-c761f93310f3}\\{f961fa1c-6b9b-4d16-b414-499ed1f6d6f2}\\NeutralName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{408443b2-2164-418a-ad52-c761f93310f3}\\{f961fa1c-6b9b-4d16-b414-499ed1f6d6f2}\\CounterBlock",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{408443b2-2164-418a-ad52-c761f93310f3}\\{f961fa1c-6b9b-4d16-b414-499ed1f6d6f2}\\CounterCount",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{420a6c98-914e-40fc-9a0f-80c7db801780}\\ProviderType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{420a6c98-914e-40fc-9a0f-80c7db801780}\\ProviderName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{420a6c98-914e-40fc-9a0f-80c7db801780}\\ApplicationIdentity",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{420a6c98-914e-40fc-9a0f-80c7db801780}\\{a44a45c2-664d-476c-b68c-6b123eccc31f}\\InstanceType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{420a6c98-914e-40fc-9a0f-80c7db801780}\\{a44a45c2-664d-476c-b68c-6b123eccc31f}\\NameResource",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{420a6c98-914e-40fc-9a0f-80c7db801780}\\{a44a45c2-664d-476c-b68c-6b123eccc31f}\\ExplainResource",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{420a6c98-914e-40fc-9a0f-80c7db801780}\\{a44a45c2-664d-476c-b68c-6b123eccc31f}\\First Counter",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{420a6c98-914e-40fc-9a0f-80c7db801780}\\{a44a45c2-664d-476c-b68c-6b123eccc31f}\\Last Counter",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{420a6c98-914e-40fc-9a0f-80c7db801780}\\{a44a45c2-664d-476c-b68c-6b123eccc31f}\\CounterBlock",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{420a6c98-914e-40fc-9a0f-80c7db801780}\\{a44a45c2-664d-476c-b68c-6b123eccc31f}\\CounterCount",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{4d4bac91-2b54-4f84-be36-cf74389f8f49}\\ProviderType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{4d4bac91-2b54-4f84-be36-cf74389f8f49}\\ProviderName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{4d4bac91-2b54-4f84-be36-cf74389f8f49}\\ApplicationIdentity",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{4d4bac91-2b54-4f84-be36-cf74389f8f49}\\{d30c5234-f79d-44a9-9803-2f9d5feef791}\\InstanceType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{4d4bac91-2b54-4f84-be36-cf74389f8f49}\\{d30c5234-f79d-44a9-9803-2f9d5feef791}\\NameResource",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{4d4bac91-2b54-4f84-be36-cf74389f8f49}\\{d30c5234-f79d-44a9-9803-2f9d5feef791}\\ExplainResource",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{4d4bac91-2b54-4f84-be36-cf74389f8f49}\\{d30c5234-f79d-44a9-9803-2f9d5feef791}\\First Counter",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{4d4bac91-2b54-4f84-be36-cf74389f8f49}\\{d30c5234-f79d-44a9-9803-2f9d5feef791}\\Last Counter",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{4d4bac91-2b54-4f84-be36-cf74389f8f49}\\{d30c5234-f79d-44a9-9803-2f9d5feef791}\\NeutralName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{4d4bac91-2b54-4f84-be36-cf74389f8f49}\\{d30c5234-f79d-44a9-9803-2f9d5feef791}\\CounterBlock",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{4d4bac91-2b54-4f84-be36-cf74389f8f49}\\{d30c5234-f79d-44a9-9803-2f9d5feef791}\\CounterCount",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{4d4bac91-2b54-4f84-be36-cf74389f8f49}\\{e6e560b2-062f-41ca-89ab-f6987f2b7a25}\\InstanceType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{4d4bac91-2b54-4f84-be36-cf74389f8f49}\\{e6e560b2-062f-41ca-89ab-f6987f2b7a25}\\NameResource",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{4d4bac91-2b54-4f84-be36-cf74389f8f49}\\{e6e560b2-062f-41ca-89ab-f6987f2b7a25}\\ExplainResource",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{4d4bac91-2b54-4f84-be36-cf74389f8f49}\\{e6e560b2-062f-41ca-89ab-f6987f2b7a25}\\First Counter",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{4d4bac91-2b54-4f84-be36-cf74389f8f49}\\{e6e560b2-062f-41ca-89ab-f6987f2b7a25}\\Last Counter",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{4d4bac91-2b54-4f84-be36-cf74389f8f49}\\{e6e560b2-062f-41ca-89ab-f6987f2b7a25}\\NeutralName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{4d4bac91-2b54-4f84-be36-cf74389f8f49}\\{e6e560b2-062f-41ca-89ab-f6987f2b7a25}\\CounterBlock",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{4d4bac91-2b54-4f84-be36-cf74389f8f49}\\{e6e560b2-062f-41ca-89ab-f6987f2b7a25}\\CounterCount",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{4d4bac91-2b54-4f84-be36-cf74389f8f49}\\{f4681672-32dc-41db-8669-fdf490345ba5}\\InstanceType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{4d4bac91-2b54-4f84-be36-cf74389f8f49}\\{f4681672-32dc-41db-8669-fdf490345ba5}\\NameResource",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{4d4bac91-2b54-4f84-be36-cf74389f8f49}\\{f4681672-32dc-41db-8669-fdf490345ba5}\\ExplainResource",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{4d4bac91-2b54-4f84-be36-cf74389f8f49}\\{f4681672-32dc-41db-8669-fdf490345ba5}\\First Counter",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{4d4bac91-2b54-4f84-be36-cf74389f8f49}\\{f4681672-32dc-41db-8669-fdf490345ba5}\\Last Counter",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{4d4bac91-2b54-4f84-be36-cf74389f8f49}\\{f4681672-32dc-41db-8669-fdf490345ba5}\\NeutralName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{4d4bac91-2b54-4f84-be36-cf74389f8f49}\\{f4681672-32dc-41db-8669-fdf490345ba5}\\CounterBlock",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{4d4bac91-2b54-4f84-be36-cf74389f8f49}\\{f4681672-32dc-41db-8669-fdf490345ba5}\\CounterCount",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{57683f06-a08b-4708-8825-5c26f410744b}\\ProviderType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{57683f06-a08b-4708-8825-5c26f410744b}\\ProviderName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{57683f06-a08b-4708-8825-5c26f410744b}\\ApplicationIdentity",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{57683f06-a08b-4708-8825-5c26f410744b}\\{d9ff82a4-a6a2-4fa5-899e-086ead3bab21}\\InstanceType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\Version",
        "HKEY_PERFORMANCE_DATA\\Counter 0409",
        "HKEY_PERFORMANCE_DATA\\Counter 009",
        "HKEY_PERFORMANCE_DATA\\Explain 0409",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\MachineGuid",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\Package\\Data\\90\\InstalledLocation",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\Package\\Data\\90\\MutableLink",
        "HKEY_CURRENT_USER\\Software\\Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\Repository\\Packages\\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\\PackageStatus",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\Package\\Data\\90\\PackageOrigin",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\Package\\Data\\90\\PackageFullName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\Package\\Data\\90\\PackageFamily",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\Package\\Data\\90\\PackageType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\Package\\Data\\90\\Flags",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\Package\\Data\\90\\Flags2",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\Package\\Data\\90\\Volume",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\Package\\Data\\90\\OSMaxVersionTested",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\Package\\Data\\90\\MutableLocation",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\Package\\Data\\90\\TargetDeviceFamilyName",
        "HKEY_CURRENT_USER\\Software\\Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppContainer\\Storage\\microsoft.windowsstore_8wekyb3d8bbwe\\ResourcesConfig\\CachedMergedResourcesPriFileName",
        "HKEY_CURRENT_USER\\Software\\Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppContainer\\Storage\\microsoft.windowsstore_8wekyb3d8bbwe\\ResourcesConfig\\Language",
        "HKEY_CURRENT_USER\\Software\\Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\Repository\\Families\\Microsoft.WindowsStore_8wekyb3d8bbwe\\Microsoft.WindowsStore_11910.1002.5.0_neutral_split.scale-100_8wekyb3d8bbwe\\Flags",
        "HKEY_CURRENT_USER\\Software\\Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\Repository\\Families\\Microsoft.WindowsStore_8wekyb3d8bbwe\\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\\Flags",
        "HKEY_CURRENT_USER\\Software\\Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppContainer\\Storage\\microsoft.windowsstore_8wekyb3d8bbwe\\ResourcesConfig\\ManifestLanguagesList",
        "HKEY_CURRENT_USER\\Software\\Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppContainer\\Storage\\microsoft.windowsstore_8wekyb3d8bbwe\\ResourcesConfig\\OverrideLanguagesList",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Session Manager\\Memory Management\\ExistingPageFiles",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Session Manager\\Memory Management\\PagingFiles",
        "HKEY_LOCAL_MACHINE\\HARDWARE\\DESCRIPTION\\System\\CentralProcessor\\0\\ProcessorNameString",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\NoRun",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\StartupApproved\\Run\\SecurityHealth",
        "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\MicrosoftEdgeAutoLaunch_29EBC4579851B72EE312C449CF839B1A",
        "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\StartupApproved\\Run\\MicrosoftEdgeAutoLaunch_29EBC4579851B72EE312C449CF839B1A",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\PackageExternalLocation\\Data\\2\\Path",
        "HKEY_CURRENT_USER\\Software\\Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\Repository\\Packages\\Microsoft.MicrosoftEdge.Stable_148.0.3967.83_neutral__8wekyb3d8bbwe\\PackageStatus",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\Package\\Data\\b1\\PackageOrigin",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\Package\\Data\\b1\\PackageFullName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\Package\\Data\\b1\\PackageFamily",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\Package\\Data\\b1\\PackageType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\Package\\Data\\b1\\Flags",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\Package\\Data\\b1\\Flags2",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\Package\\Data\\b1\\Volume",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\Package\\Data\\b1\\OSMaxVersionTested",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\Package\\Data\\b1\\InstalledLocation",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\Package\\Data\\b1\\MutableLink",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\Package\\Data\\b1\\MutableLocation",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\Package\\Data\\b1\\TargetDeviceFamilyName",
        "HKEY_CURRENT_USER\\Software\\Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppContainer\\Storage\\microsoft.microsoftedge.stable_8wekyb3d8bbwe\\ResourcesConfig\\CachedMergedResourcesPriFileName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\DataProtection\\EDPShowIcons\\PolicyType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\DataProtection\\EDPShowIcons\\Behavior",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\DataProtection\\EDPShowIcons\\MergeAlgorithm",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\DataProtection\\EDPShowIcons\\RegKeyPathRedirectMapped",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\DataProtection\\EDPShowIcons\\RegKeyPathRedirect",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\DataProtection\\EDPShowIcons\\grouppolicyname",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\DataProtection\\EDPShowIcons\\ADMXMetadataUser",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\DataProtection\\EDPShowIcons\\ADMXMetadataDevice",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\DataProtection\\EDPShowIcons\\ADMXMetadataBoth",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\DataProtection\\EDPShowIcons\\30Value",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\DataProtection\\EDPShowIcons\\Value",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\\Category",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\\Name",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\\ParentFolder",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\\Description",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\\RelativePath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\\ParsingName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\\InfoTip",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\\LocalizedName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\\Icon",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\\Security",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\\StreamResource",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\\StreamResourceType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\\LocalRedirectOnly",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\\Roamable",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\\PreCreate",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\\Stream",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\\PublishExpandedPath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\\DefinitionFlags",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\\Attributes",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\\FolderTypeID",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\\InitFolderHandler",
        "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders\\Desktop",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{C4AA340D-F20F-4863-AFEF-F87EF2E6BA25}\\Category",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{C4AA340D-F20F-4863-AFEF-F87EF2E6BA25}\\Name",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{C4AA340D-F20F-4863-AFEF-F87EF2E6BA25}\\ParentFolder",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{C4AA340D-F20F-4863-AFEF-F87EF2E6BA25}\\Description",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{C4AA340D-F20F-4863-AFEF-F87EF2E6BA25}\\RelativePath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{C4AA340D-F20F-4863-AFEF-F87EF2E6BA25}\\ParsingName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{C4AA340D-F20F-4863-AFEF-F87EF2E6BA25}\\InfoTip",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{C4AA340D-F20F-4863-AFEF-F87EF2E6BA25}\\LocalizedName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{C4AA340D-F20F-4863-AFEF-F87EF2E6BA25}\\Icon",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{C4AA340D-F20F-4863-AFEF-F87EF2E6BA25}\\Security",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{C4AA340D-F20F-4863-AFEF-F87EF2E6BA25}\\StreamResource",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{C4AA340D-F20F-4863-AFEF-F87EF2E6BA25}\\StreamResourceType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{C4AA340D-F20F-4863-AFEF-F87EF2E6BA25}\\LocalRedirectOnly",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{C4AA340D-F20F-4863-AFEF-F87EF2E6BA25}\\Roamable",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{C4AA340D-F20F-4863-AFEF-F87EF2E6BA25}\\PreCreate",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{C4AA340D-F20F-4863-AFEF-F87EF2E6BA25}\\Stream",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{C4AA340D-F20F-4863-AFEF-F87EF2E6BA25}\\PublishExpandedPath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{C4AA340D-F20F-4863-AFEF-F87EF2E6BA25}\\DefinitionFlags",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{C4AA340D-F20F-4863-AFEF-F87EF2E6BA25}\\Attributes",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{C4AA340D-F20F-4863-AFEF-F87EF2E6BA25}\\FolderTypeID",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{C4AA340D-F20F-4863-AFEF-F87EF2E6BA25}\\InitFolderHandler",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders\\Common Desktop",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\EdgeUpdate\\Clients\\{56EB18F8-B008-4CBD-B6D2-8C97FE7E9062}\\channel",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\EdgeUpdate\\ClientState\\{56EB18F8-B008-4CBD-B6D2-8C97FE7E9062}\\ap",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\EdgeUpdate\\ClientState\\{56EB18F8-B008-4CBD-B6D2-8C97FE7E9062}\\cohort\\name",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\OEM\\DeviceForm",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\UBR",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\DisplayVersion",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\COM3\\Com+Enabled",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.UI.Notifications.ToastNotificationManager\\ActivationType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.UI.Notifications.ToastNotificationManager\\Server",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.UI.Notifications.ToastNotificationManager\\DllPath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.UI.Notifications.ToastNotificationManager\\Threading",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.UI.Notifications.ToastNotificationManager\\TrustLevel",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.UI.Notifications.ToastNotificationManager\\RemoteServer",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.UI.Notifications.ToastNotificationManager\\ActivateAsUser",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.UI.Notifications.ToastNotificationManager\\ActivateInSharedBroker",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.UI.Notifications.ToastNotificationManager\\ActivateInBrokerForMediumILContainer",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.UI.Notifications.ToastNotificationManager\\Permissions",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.UI.Notifications.ToastNotificationManager\\ActivateOnHostFlags",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Appx\\AllowDevelopmentWithoutDevLicense",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModelUnlock\\AllowDevelopmentWithoutDevLicense",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Ole\\AppCompat\\RaiseActivationAuthenticationLevel",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Ole\\AppCompat\\RaiseDefaultAuthnLevel",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Ole\\DefaultAccessPermission",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{00000134-0000-0000-C000-000000000046}\\ProxyStubClsid32\\(Default)",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Rpc\\Extensions\\NdrOleExtDLL",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{E1CDD77A-65D3-4db0-B339-21F6A48CC2FF}\\ProxyStubClsid32\\(Default)",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{00000035-0000-0000-C000-000000000046}\\ProxyStubClsid32\\(Default)",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{50ac103f-d235-4598-bbef-98fe4d1a3ad4}\\ProxyStubClsid32\\(Default)",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{6db7cd52-e3b7-4ecc-bb1f-388aeef6bb50}\\ActivateOnHostFlags",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{6db7cd52-e3b7-4ecc-bb1f-388aeef6bb50}\\(Default)",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{6db7cd52-e3b7-4ecc-bb1f-388aeef6bb50}\\InProcServer32\\InprocServer32",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{6db7cd52-e3b7-4ecc-bb1f-388aeef6bb50}\\InProcServer32\\(Default)",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{6db7cd52-e3b7-4ecc-bb1f-388aeef6bb50}\\InProcServer32\\ThreadingModel",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{6db7cd52-e3b7-4ecc-bb1f-388aeef6bb50}\\AppID",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{7ab93c52-0e48-4750-ba9d-1a4113981847}\\ProxyStubClsid32\\(Default)",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{5caddc63-01d3-4c97-986f-0533483fee14}\\ProxyStubClsid32\\(Default)",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{3bc3d253-2f31-4092-9129-8ad5abf067da}\\ProxyStubClsid32\\(Default)",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{0c9281f9-6da1-4006-8729-de6e6b61581c}\\ActivateOnHostFlags",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{0c9281f9-6da1-4006-8729-de6e6b61581c}\\(Default)",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Containers\\WaitForRestore",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Ole\\ActivateOnHostFlags",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Ole\\MaximumAllowedAllocationSize",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{DF8E9480-CA73-448E-B8F0-DA000F581428}\\ProxyStubClsid32\\(Default)",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\\ActivateOnHostFlags",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\\(Default)",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\\InProcServer32\\InprocServer32",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\\InProcServer32\\(Default)",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\\InProcServer32\\ThreadingModel",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\\AppID",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{DCAEE35A-508D-4419-9E56-50D658C2C812}\\ProxyStubClsid32\\(Default)",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{926516E8-D891-45BC-9DE5-6959FB8ECAC5}\\ProxyStubClsid32\\(Default)",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{a819f3de-60aa-5159-8407-f0a7fb1f6832}\\ProxyStubClsid32\\(Default)",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{D6F5F569-D40D-407C-8989-88CAB42CFD14}\\ProxyStubClsid32\\(Default)",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{79ab57f6-43fe-487b-8a7f-99567200ae94}\\ProxyStubClsid32\\(Default)",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{679C64B7-81AB-42C2-8819-C958767753F4}\\ProxyStubClsid32\\(Default)",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{F655B052-348B-4AB0-947B-A7DAFA44D404}\\ProxyStubClsid32\\(Default)",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{58058629-16A1-438A-90C8-7E954B3734B1}\\ProxyStubClsid32\\(Default)",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{23EB7394-4610-4807-BAEC-9A72F86FFA0B}\\ProxyStubClsid32\\(Default)",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{2A1821FE-179D-49BC-B79D-A527920D3665}\\ProxyStubClsid32\\(Default)",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.ApplicationModel.Background.BackgroundExecutionManager\\ActivationType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.ApplicationModel.Background.BackgroundExecutionManager\\Server",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.ApplicationModel.Background.BackgroundExecutionManager\\DllPath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.ApplicationModel.Background.BackgroundExecutionManager\\Threading",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.ApplicationModel.Background.BackgroundExecutionManager\\TrustLevel",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.ApplicationModel.Background.BackgroundExecutionManager\\RemoteServer",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.ApplicationModel.Background.BackgroundExecutionManager\\ActivateAsUser",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.ApplicationModel.Background.BackgroundExecutionManager\\ActivateInSharedBroker",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.ApplicationModel.Background.BackgroundExecutionManager\\ActivateInBrokerForMediumILContainer",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.ApplicationModel.Background.BackgroundExecutionManager\\Permissions",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.ApplicationModel.Background.BackgroundExecutionManager\\ActivateOnHostFlags",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{C5543B33-5C73-4DC5-9211-24077D3B06C5}\\ProxyStubClsid32\\(Default)",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{428D4DDD-3462-43DF-9395-1EFF13AE7A4B}\\ProxyStubClsid32\\(Default)",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{b03c2205-f02e-4d77-80df-e1747afdd39c}\\ActivateOnHostFlags",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{b03c2205-f02e-4d77-80df-e1747afdd39c}\\(Default)",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{b03c2205-f02e-4d77-80df-e1747afdd39c}\\InprocServer32\\InprocServer32",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{b03c2205-f02e-4d77-80df-e1747afdd39c}\\InprocServer32\\(Default)",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{b03c2205-f02e-4d77-80df-e1747afdd39c}\\InprocServer32\\ThreadingModel",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{b03c2205-f02e-4d77-80df-e1747afdd39c}\\AppID",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\Privacy\\LetAppsRunInBackground_UserInControlOfTheseApps\\PolicyType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\Privacy\\LetAppsRunInBackground_UserInControlOfTheseApps\\Behavior",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\Privacy\\LetAppsRunInBackground_UserInControlOfTheseApps\\MergeAlgorithm",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\Privacy\\LetAppsRunInBackground_UserInControlOfTheseApps\\RegKeyPathRedirectMapped",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\Privacy\\LetAppsRunInBackground_UserInControlOfTheseApps\\RegKeyPathRedirect",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\Privacy\\LetAppsRunInBackground_UserInControlOfTheseApps\\grouppolicyname",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\Privacy\\LetAppsRunInBackground_UserInControlOfTheseApps\\grouppolicypath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\Privacy\\LetAppsRunInBackground_UserInControlOfTheseApps\\grouppolicyismultisz",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\Privacy\\LetAppsRunInBackground_UserInControlOfTheseApps\\grouppolicymultiszSeparatorChar",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\Privacy\\LetAppsRunInBackground_UserInControlOfTheseApps\\ADMXMetadataUser",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\Privacy\\LetAppsRunInBackground_UserInControlOfTheseApps\\ADMXMetadataDevice",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\Privacy\\LetAppsRunInBackground_UserInControlOfTheseApps\\ADMXMetadataBoth",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\Privacy\\LetAppsRunInBackground_UserInControlOfTheseApps\\30Value",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\Privacy\\LetAppsRunInBackground_UserInControlOfTheseApps\\Value",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\Privacy\\LetAppsRunInBackground_ForceAllowTheseApps\\PolicyType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\Privacy\\LetAppsRunInBackground_ForceAllowTheseApps\\Behavior",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\Privacy\\LetAppsRunInBackground_ForceAllowTheseApps\\MergeAlgorithm",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\Privacy\\LetAppsRunInBackground_ForceAllowTheseApps\\RegKeyPathRedirectMapped",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\Privacy\\LetAppsRunInBackground_ForceAllowTheseApps\\RegKeyPathRedirect",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\Privacy\\LetAppsRunInBackground_ForceAllowTheseApps\\grouppolicyname",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\Privacy\\LetAppsRunInBackground_ForceAllowTheseApps\\grouppolicypath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\Privacy\\LetAppsRunInBackground_ForceAllowTheseApps\\grouppolicyismultisz",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\Privacy\\LetAppsRunInBackground_ForceAllowTheseApps\\grouppolicymultiszSeparatorChar",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\Privacy\\LetAppsRunInBackground_ForceAllowTheseApps\\ADMXMetadataUser",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\Privacy\\LetAppsRunInBackground_ForceAllowTheseApps\\ADMXMetadataDevice",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\Privacy\\LetAppsRunInBackground_ForceAllowTheseApps\\ADMXMetadataBoth",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\Privacy\\LetAppsRunInBackground_ForceAllowTheseApps\\30Value",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\Privacy\\LetAppsRunInBackground_ForceAllowTheseApps\\Value",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\Privacy\\LetAppsRunInBackground_ForceDenyTheseApps\\PolicyType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\Privacy\\LetAppsRunInBackground_ForceDenyTheseApps\\Behavior",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\Privacy\\LetAppsRunInBackground_ForceDenyTheseApps\\MergeAlgorithm",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\Privacy\\LetAppsRunInBackground_ForceDenyTheseApps\\RegKeyPathRedirectMapped",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\Privacy\\LetAppsRunInBackground_ForceDenyTheseApps\\RegKeyPathRedirect",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\Privacy\\LetAppsRunInBackground_ForceDenyTheseApps\\grouppolicyname",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\Privacy\\LetAppsRunInBackground_ForceDenyTheseApps\\grouppolicypath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\Privacy\\LetAppsRunInBackground_ForceDenyTheseApps\\grouppolicyismultisz",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\Privacy\\LetAppsRunInBackground_ForceDenyTheseApps\\grouppolicymultiszSeparatorChar",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\Privacy\\LetAppsRunInBackground_ForceDenyTheseApps\\ADMXMetadataUser",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\Privacy\\LetAppsRunInBackground_ForceDenyTheseApps\\ADMXMetadataDevice",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\Privacy\\LetAppsRunInBackground_ForceDenyTheseApps\\ADMXMetadataBoth",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\Privacy\\LetAppsRunInBackground_ForceDenyTheseApps\\30Value",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\Privacy\\LetAppsRunInBackground_ForceDenyTheseApps\\Value",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\Privacy\\LetAppsRunInBackground\\PolicyType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\Privacy\\LetAppsRunInBackground\\Behavior",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\Privacy\\LetAppsRunInBackground\\MergeAlgorithm",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\Privacy\\LetAppsRunInBackground\\RegKeyPathRedirectMapped",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\Privacy\\LetAppsRunInBackground\\RegKeyPathRedirect",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\Privacy\\LetAppsRunInBackground\\grouppolicyname",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\Privacy\\LetAppsRunInBackground\\grouppolicypath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\Privacy\\LetAppsRunInBackground\\grouppolicyismultisz",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\Privacy\\LetAppsRunInBackground\\grouppolicymultiszSeparatorChar",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\Privacy\\LetAppsRunInBackground\\ADMXMetadataUser",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\Privacy\\LetAppsRunInBackground\\ADMXMetadataDevice",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\Privacy\\LetAppsRunInBackground\\ADMXMetadataBoth",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\Privacy\\LetAppsRunInBackground\\30Value",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\Privacy\\LetAppsRunInBackground\\Value",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SecurityManager\\CapAuthz\\ApplicationsEx\\Microsoft.MicrosoftEdge.Stable_148.0.3967.83_neutral__8wekyb3d8bbwe\\AppPackageType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SecurityManager\\CapAuthz\\ApplicationsEx\\Microsoft.MicrosoftEdge.Stable_148.0.3967.83_neutral__8wekyb3d8bbwe\\PackageSid",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SecurityManager\\CapAuthz\\ApplicationsEx\\Microsoft.MicrosoftEdge.Stable_148.0.3967.83_neutral__8wekyb3d8bbwe\\CapSids",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SecurityManager\\CapAuthz\\ApplicationsEx\\Microsoft.MicrosoftEdge.Stable_148.0.3967.83_neutral__8wekyb3d8bbwe\\ApplicationFlags",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Appx\\PackageRepositoryRoot",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.ApplicationModel.Background.BackgroundTaskRegistration\\ActivationType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.ApplicationModel.Background.BackgroundTaskRegistration\\Server",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.ApplicationModel.Background.BackgroundTaskRegistration\\DllPath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.ApplicationModel.Background.BackgroundTaskRegistration\\Threading",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.ApplicationModel.Background.BackgroundTaskRegistration\\TrustLevel",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.ApplicationModel.Background.BackgroundTaskRegistration\\RemoteServer",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.ApplicationModel.Background.BackgroundTaskRegistration\\ActivateAsUser",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.ApplicationModel.Background.BackgroundTaskRegistration\\ActivateInSharedBroker",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.ApplicationModel.Background.BackgroundTaskRegistration\\ActivateInBrokerForMediumILContainer",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.ApplicationModel.Background.BackgroundTaskRegistration\\Permissions",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.ApplicationModel.Background.BackgroundTaskRegistration\\ActivateOnHostFlags",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.ApplicationModel.Background.BackgroundWorkManager\\ActivationType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.ApplicationModel.Background.BackgroundWorkManager\\Server",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.ApplicationModel.Background.BackgroundWorkManager\\DllPath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.ApplicationModel.Background.BackgroundWorkManager\\Threading",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.ApplicationModel.Background.BackgroundWorkManager\\TrustLevel",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.ApplicationModel.Background.BackgroundWorkManager\\RemoteServer",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.ApplicationModel.Background.BackgroundWorkManager\\ActivateAsUser",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.ApplicationModel.Background.BackgroundWorkManager\\ActivateInSharedBroker",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.ApplicationModel.Background.BackgroundWorkManager\\ActivateInBrokerForMediumILContainer",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.ApplicationModel.Background.BackgroundWorkManager\\Permissions",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.ApplicationModel.Background.BackgroundWorkManager\\ActivateOnHostFlags",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{350E1244-4575-45EE-8595-0AA8C6506FC7}\\ProxyStubClsid32\\(Default)",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{01CF8BD4-E3D6-413D-8339-36D46E78D12C}\\ProxyStubClsid32\\(Default)",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Foundation.Collections.ValueSet\\ActivationType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Foundation.Collections.ValueSet\\Server",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Foundation.Collections.ValueSet\\DllPath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Foundation.Collections.ValueSet\\Threading",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Foundation.Collections.ValueSet\\TrustLevel",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Foundation.Collections.ValueSet\\RemoteServer",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Foundation.Collections.ValueSet\\ActivateAsUser",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Foundation.Collections.ValueSet\\ActivateInSharedBroker",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Foundation.Collections.ValueSet\\ActivateInBrokerForMediumILContainer",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Foundation.Collections.ValueSet\\Permissions",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Foundation.Collections.ValueSet\\ActivateOnHostFlags",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Storage.Streams.DataWriter\\ActivationType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Storage.Streams.DataWriter\\Server",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Storage.Streams.DataWriter\\DllPath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Storage.Streams.DataWriter\\Threading",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Storage.Streams.DataWriter\\TrustLevel",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Storage.Streams.DataWriter\\RemoteServer",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Storage.Streams.DataWriter\\ActivateAsUser",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Storage.Streams.DataWriter\\ActivateInSharedBroker",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Storage.Streams.DataWriter\\ActivateInBrokerForMediumILContainer",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Storage.Streams.DataWriter\\Permissions",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Storage.Streams.DataWriter\\ActivateOnHostFlags",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Storage.Streams.DataReader\\ActivationType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Storage.Streams.DataReader\\Server",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Storage.Streams.DataReader\\DllPath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Storage.Streams.DataReader\\Threading",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Storage.Streams.DataReader\\TrustLevel",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Storage.Streams.DataReader\\RemoteServer",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Storage.Streams.DataReader\\ActivateAsUser",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Storage.Streams.DataReader\\ActivateInSharedBroker",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Storage.Streams.DataReader\\ActivateInBrokerForMediumILContainer",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Storage.Streams.DataReader\\Permissions",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Storage.Streams.DataReader\\ActivateOnHostFlags",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Foundation.PropertyValue\\ActivationType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Foundation.PropertyValue\\Server",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Foundation.PropertyValue\\DllPath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Foundation.PropertyValue\\Threading",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Foundation.PropertyValue\\TrustLevel",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Foundation.PropertyValue\\RemoteServer",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Foundation.PropertyValue\\ActivateAsUser",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Foundation.PropertyValue\\ActivateInSharedBroker",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Foundation.PropertyValue\\ActivateInBrokerForMediumILContainer",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Foundation.PropertyValue\\Permissions",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Foundation.PropertyValue\\ActivateOnHostFlags",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{2C08602F-40B1-5E97-AE21-5C04D7FB829C}\\ProxyStubClsid32\\(Default)",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{62AE0FDA-B238-554F-A275-1DC16D6CA03A}\\ProxyStubClsid32\\(Default)",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{8445D2AE-DD03-5B98-95E4-82B43A3F0D64}\\ProxyStubClsid32\\(Default)",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{9BCB843B-221B-5FBE-9B20-7028BC4E8653}\\ProxyStubClsid32\\(Default)",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Storage.ApplicationData\\ActivationType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Storage.ApplicationData\\Server",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Storage.ApplicationData\\DllPath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Storage.ApplicationData\\Threading",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Storage.ApplicationData\\TrustLevel",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Storage.ApplicationData\\RemoteServer",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Storage.ApplicationData\\ActivateAsUser",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Storage.ApplicationData\\ActivateInSharedBroker",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Storage.ApplicationData\\ActivateInBrokerForMediumILContainer",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Storage.ApplicationData\\Permissions",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Storage.ApplicationData\\ActivateOnHostFlags",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.ApplicationModel.Core.CoreApplication\\ActivationType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.ApplicationModel.Core.CoreApplication\\Server",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.ApplicationModel.Core.CoreApplication\\DllPath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.ApplicationModel.Core.CoreApplication\\Threading",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.ApplicationModel.Core.CoreApplication\\TrustLevel",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.ApplicationModel.Core.CoreApplication\\RemoteServer",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.ApplicationModel.Core.CoreApplication\\ActivateAsUser",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.ApplicationModel.Core.CoreApplication\\ActivateInSharedBroker",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.ApplicationModel.Core.CoreApplication\\ActivateInBrokerForMediumILContainer",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.ApplicationModel.Core.CoreApplication\\Permissions",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.ApplicationModel.Core.CoreApplication\\ActivateOnHostFlags",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Foundation.Collections.PropertySet\\ActivationType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Foundation.Collections.PropertySet\\Server",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Foundation.Collections.PropertySet\\DllPath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Foundation.Collections.PropertySet\\Threading",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Foundation.Collections.PropertySet\\TrustLevel",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Foundation.Collections.PropertySet\\RemoteServer",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Foundation.Collections.PropertySet\\ActivateAsUser",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Foundation.Collections.PropertySet\\ActivateInSharedBroker",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Foundation.Collections.PropertySet\\ActivateInBrokerForMediumILContainer",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Foundation.Collections.PropertySet\\Permissions",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Foundation.Collections.PropertySet\\ActivateOnHostFlags",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\XAML\\OneCoreTransformsEnabledByDefault",
        "HKEY_CURRENT_USER\\Software\\Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.MicrosoftEdge.Stable_8wekyb3d8bbwe\\PSR\\WnfStateName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{AB310581-AC80-11D1-8DF3-00C04FB6EF50}\\ProxyStubClsid32\\(Default)",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{AB310581-AC80-11D1-8DF3-00C04FB6EF55}\\ProxyStubClsid32\\(Default)",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{625B53C3-AB48-4EC1-BA1F-A1EF4146FC19}\\Category",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{625B53C3-AB48-4EC1-BA1F-A1EF4146FC19}\\Name",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{625B53C3-AB48-4EC1-BA1F-A1EF4146FC19}\\ParentFolder",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{625B53C3-AB48-4EC1-BA1F-A1EF4146FC19}\\Description",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{625B53C3-AB48-4EC1-BA1F-A1EF4146FC19}\\RelativePath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{625B53C3-AB48-4EC1-BA1F-A1EF4146FC19}\\ParsingName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{625B53C3-AB48-4EC1-BA1F-A1EF4146FC19}\\InfoTip",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{625B53C3-AB48-4EC1-BA1F-A1EF4146FC19}\\LocalizedName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{625B53C3-AB48-4EC1-BA1F-A1EF4146FC19}\\Icon",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{625B53C3-AB48-4EC1-BA1F-A1EF4146FC19}\\Security",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{625B53C3-AB48-4EC1-BA1F-A1EF4146FC19}\\StreamResource",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{625B53C3-AB48-4EC1-BA1F-A1EF4146FC19}\\StreamResourceType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{625B53C3-AB48-4EC1-BA1F-A1EF4146FC19}\\LocalRedirectOnly",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{625B53C3-AB48-4EC1-BA1F-A1EF4146FC19}\\Roamable",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{625B53C3-AB48-4EC1-BA1F-A1EF4146FC19}\\PreCreate",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{625B53C3-AB48-4EC1-BA1F-A1EF4146FC19}\\Stream",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{625B53C3-AB48-4EC1-BA1F-A1EF4146FC19}\\PublishExpandedPath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{625B53C3-AB48-4EC1-BA1F-A1EF4146FC19}\\DefinitionFlags",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{625B53C3-AB48-4EC1-BA1F-A1EF4146FC19}\\Attributes",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{625B53C3-AB48-4EC1-BA1F-A1EF4146FC19}\\FolderTypeID",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{625B53C3-AB48-4EC1-BA1F-A1EF4146FC19}\\InitFolderHandler",
        "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders\\Start Menu",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A4115719-D62E-491D-AA7C-E74B8BE3B067}\\Category",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A4115719-D62E-491D-AA7C-E74B8BE3B067}\\Name",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A4115719-D62E-491D-AA7C-E74B8BE3B067}\\ParentFolder",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A4115719-D62E-491D-AA7C-E74B8BE3B067}\\Description",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A4115719-D62E-491D-AA7C-E74B8BE3B067}\\RelativePath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A4115719-D62E-491D-AA7C-E74B8BE3B067}\\ParsingName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A4115719-D62E-491D-AA7C-E74B8BE3B067}\\InfoTip",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A4115719-D62E-491D-AA7C-E74B8BE3B067}\\LocalizedName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A4115719-D62E-491D-AA7C-E74B8BE3B067}\\Icon",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A4115719-D62E-491D-AA7C-E74B8BE3B067}\\Security",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A4115719-D62E-491D-AA7C-E74B8BE3B067}\\StreamResource",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A4115719-D62E-491D-AA7C-E74B8BE3B067}\\StreamResourceType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A4115719-D62E-491D-AA7C-E74B8BE3B067}\\LocalRedirectOnly",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A4115719-D62E-491D-AA7C-E74B8BE3B067}\\Roamable",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A4115719-D62E-491D-AA7C-E74B8BE3B067}\\PreCreate",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A4115719-D62E-491D-AA7C-E74B8BE3B067}\\Stream",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A4115719-D62E-491D-AA7C-E74B8BE3B067}\\PublishExpandedPath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A4115719-D62E-491D-AA7C-E74B8BE3B067}\\DefinitionFlags",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A4115719-D62E-491D-AA7C-E74B8BE3B067}\\Attributes",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A4115719-D62E-491D-AA7C-E74B8BE3B067}\\FolderTypeID",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A4115719-D62E-491D-AA7C-E74B8BE3B067}\\InitFolderHandler",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders\\Common Start Menu",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{AE50C081-EBD2-438A-8655-8A092E34987A}\\Category",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{AE50C081-EBD2-438A-8655-8A092E34987A}\\Name",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{AE50C081-EBD2-438A-8655-8A092E34987A}\\ParentFolder",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{AE50C081-EBD2-438A-8655-8A092E34987A}\\Description",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{AE50C081-EBD2-438A-8655-8A092E34987A}\\RelativePath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{AE50C081-EBD2-438A-8655-8A092E34987A}\\ParsingName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{AE50C081-EBD2-438A-8655-8A092E34987A}\\InfoTip",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{AE50C081-EBD2-438A-8655-8A092E34987A}\\LocalizedName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{AE50C081-EBD2-438A-8655-8A092E34987A}\\Icon",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{AE50C081-EBD2-438A-8655-8A092E34987A}\\Security",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{AE50C081-EBD2-438A-8655-8A092E34987A}\\StreamResource",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{AE50C081-EBD2-438A-8655-8A092E34987A}\\StreamResourceType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{AE50C081-EBD2-438A-8655-8A092E34987A}\\LocalRedirectOnly",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{AE50C081-EBD2-438A-8655-8A092E34987A}\\Roamable",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{AE50C081-EBD2-438A-8655-8A092E34987A}\\PreCreate",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{AE50C081-EBD2-438A-8655-8A092E34987A}\\Stream",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{AE50C081-EBD2-438A-8655-8A092E34987A}\\PublishExpandedPath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{AE50C081-EBD2-438A-8655-8A092E34987A}\\DefinitionFlags",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{AE50C081-EBD2-438A-8655-8A092E34987A}\\Attributes",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{AE50C081-EBD2-438A-8655-8A092E34987A}\\FolderTypeID",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{AE50C081-EBD2-438A-8655-8A092E34987A}\\InitFolderHandler",
        "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders\\Recent",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\\Category",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\\Name",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\\ParentFolder",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\\Description",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\\RelativePath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\\ParsingName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\\InfoTip",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\\LocalizedName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\\Icon",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\\Security",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\\StreamResource",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\\StreamResourceType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\\LocalRedirectOnly",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\\Roamable",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\\PreCreate",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\\Stream",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\\PublishExpandedPath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\\DefinitionFlags",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\\Attributes",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\\FolderTypeID",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\\InitFolderHandler",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\\DefinitionFlags",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{FDD39AD0-238F-46AF-ADB4-6C85480369C7}\\Category",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{FDD39AD0-238F-46AF-ADB4-6C85480369C7}\\Name",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{FDD39AD0-238F-46AF-ADB4-6C85480369C7}\\ParentFolder",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{FDD39AD0-238F-46AF-ADB4-6C85480369C7}\\Description",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{FDD39AD0-238F-46AF-ADB4-6C85480369C7}\\RelativePath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{FDD39AD0-238F-46AF-ADB4-6C85480369C7}\\ParsingName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{FDD39AD0-238F-46AF-ADB4-6C85480369C7}\\InfoTip",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{FDD39AD0-238F-46AF-ADB4-6C85480369C7}\\LocalizedName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{FDD39AD0-238F-46AF-ADB4-6C85480369C7}\\Icon",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{FDD39AD0-238F-46AF-ADB4-6C85480369C7}\\Security",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{FDD39AD0-238F-46AF-ADB4-6C85480369C7}\\StreamResource",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{FDD39AD0-238F-46AF-ADB4-6C85480369C7}\\StreamResourceType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{FDD39AD0-238F-46AF-ADB4-6C85480369C7}\\LocalRedirectOnly",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{FDD39AD0-238F-46AF-ADB4-6C85480369C7}\\Roamable",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{FDD39AD0-238F-46AF-ADB4-6C85480369C7}\\PreCreate",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{FDD39AD0-238F-46AF-ADB4-6C85480369C7}\\Stream",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{FDD39AD0-238F-46AF-ADB4-6C85480369C7}\\PublishExpandedPath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{FDD39AD0-238F-46AF-ADB4-6C85480369C7}\\DefinitionFlags",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{FDD39AD0-238F-46AF-ADB4-6C85480369C7}\\Attributes",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{FDD39AD0-238F-46AF-ADB4-6C85480369C7}\\FolderTypeID",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{FDD39AD0-238F-46AF-ADB4-6C85480369C7}\\InitFolderHandler",
        "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders\\Personal",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{FD228CB7-AE11-4AE3-864C-16F3910AB8FE}\\Category",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{FD228CB7-AE11-4AE3-864C-16F3910AB8FE}\\Name",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{FD228CB7-AE11-4AE3-864C-16F3910AB8FE}\\ParentFolder",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{FD228CB7-AE11-4AE3-864C-16F3910AB8FE}\\Description",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{FD228CB7-AE11-4AE3-864C-16F3910AB8FE}\\RelativePath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{FD228CB7-AE11-4AE3-864C-16F3910AB8FE}\\ParsingName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{FD228CB7-AE11-4AE3-864C-16F3910AB8FE}\\InfoTip",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{FD228CB7-AE11-4AE3-864C-16F3910AB8FE}\\LocalizedName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{FD228CB7-AE11-4AE3-864C-16F3910AB8FE}\\Icon",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{FD228CB7-AE11-4AE3-864C-16F3910AB8FE}\\Security",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{FD228CB7-AE11-4AE3-864C-16F3910AB8FE}\\StreamResource",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{FD228CB7-AE11-4AE3-864C-16F3910AB8FE}\\StreamResourceType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{FD228CB7-AE11-4AE3-864C-16F3910AB8FE}\\LocalRedirectOnly",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{FD228CB7-AE11-4AE3-864C-16F3910AB8FE}\\Roamable",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{FD228CB7-AE11-4AE3-864C-16F3910AB8FE}\\PreCreate",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{FD228CB7-AE11-4AE3-864C-16F3910AB8FE}\\Stream",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{FD228CB7-AE11-4AE3-864C-16F3910AB8FE}\\PublishExpandedPath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{FD228CB7-AE11-4AE3-864C-16F3910AB8FE}\\DefinitionFlags",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{FD228CB7-AE11-4AE3-864C-16F3910AB8FE}\\Attributes",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{FD228CB7-AE11-4AE3-864C-16F3910AB8FE}\\FolderTypeID",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{FD228CB7-AE11-4AE3-864C-16F3910AB8FE}\\InitFolderHandler",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Drive\\shellex\\FolderExtensions\\{fbeb8a05-beee-4442-804e-409d6c4515e9}\\DriveMask",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.ApplicationModel.LimitedAccessFeatures\\ActivationType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.ApplicationModel.LimitedAccessFeatures\\Server",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.ApplicationModel.LimitedAccessFeatures\\DllPath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.ApplicationModel.LimitedAccessFeatures\\Threading",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.ApplicationModel.LimitedAccessFeatures\\TrustLevel",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.ApplicationModel.LimitedAccessFeatures\\RemoteServer",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.ApplicationModel.LimitedAccessFeatures\\ActivateAsUser",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.ApplicationModel.LimitedAccessFeatures\\ActivateInSharedBroker",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.ApplicationModel.LimitedAccessFeatures\\ActivateInBrokerForMediumILContainer",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.ApplicationModel.LimitedAccessFeatures\\Permissions",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.ApplicationModel.LimitedAccessFeatures\\ActivateOnHostFlags",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\LimitedAccessFeatures\\com.microsoft.windows.taskbar.requestPinSecondaryTile\\(Default)",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Security.Cryptography.CryptographicBuffer\\ActivationType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Security.Cryptography.CryptographicBuffer\\Server",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Security.Cryptography.CryptographicBuffer\\DllPath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Security.Cryptography.CryptographicBuffer\\Threading",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Security.Cryptography.CryptographicBuffer\\TrustLevel",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Security.Cryptography.CryptographicBuffer\\RemoteServer",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Security.Cryptography.CryptographicBuffer\\ActivateAsUser",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Security.Cryptography.CryptographicBuffer\\ActivateInSharedBroker",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Security.Cryptography.CryptographicBuffer\\ActivateInBrokerForMediumILContainer",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Security.Cryptography.CryptographicBuffer\\Permissions",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Security.Cryptography.CryptographicBuffer\\ActivateOnHostFlags",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Security.Cryptography.Core.HashAlgorithmNames\\ActivationType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Security.Cryptography.Core.HashAlgorithmNames\\Server",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Security.Cryptography.Core.HashAlgorithmNames\\DllPath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Security.Cryptography.Core.HashAlgorithmNames\\Threading",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Security.Cryptography.Core.HashAlgorithmNames\\TrustLevel",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Security.Cryptography.Core.HashAlgorithmNames\\RemoteServer",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Security.Cryptography.Core.HashAlgorithmNames\\ActivateAsUser",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Security.Cryptography.Core.HashAlgorithmNames\\ActivateInSharedBroker",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Security.Cryptography.Core.HashAlgorithmNames\\ActivateInBrokerForMediumILContainer",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Security.Cryptography.Core.HashAlgorithmNames\\Permissions",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Security.Cryptography.Core.HashAlgorithmNames\\ActivateOnHostFlags",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Security.Cryptography.Core.HashAlgorithmProvider\\ActivationType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Security.Cryptography.Core.HashAlgorithmProvider\\Server",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Security.Cryptography.Core.HashAlgorithmProvider\\DllPath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Security.Cryptography.Core.HashAlgorithmProvider\\Threading",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Security.Cryptography.Core.HashAlgorithmProvider\\TrustLevel",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Security.Cryptography.Core.HashAlgorithmProvider\\RemoteServer",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Security.Cryptography.Core.HashAlgorithmProvider\\ActivateAsUser",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Security.Cryptography.Core.HashAlgorithmProvider\\ActivateInSharedBroker",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Security.Cryptography.Core.HashAlgorithmProvider\\ActivateInBrokerForMediumILContainer",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Security.Cryptography.Core.HashAlgorithmProvider\\Permissions",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Security.Cryptography.Core.HashAlgorithmProvider\\ActivateOnHostFlags",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\LimitedAccessFeatures\\com.microsoft.windows.taskbar.requestPinSecondaryTile\\Expiration",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.UI.StartScreen.SecondaryTile\\ActivationType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.UI.StartScreen.SecondaryTile\\Server",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.UI.StartScreen.SecondaryTile\\DllPath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.UI.StartScreen.SecondaryTile\\Threading",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.UI.StartScreen.SecondaryTile\\TrustLevel",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.UI.StartScreen.SecondaryTile\\RemoteServer",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.UI.StartScreen.SecondaryTile\\ActivateAsUser",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.UI.StartScreen.SecondaryTile\\ActivateInSharedBroker",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.UI.StartScreen.SecondaryTile\\ActivateInBrokerForMediumILContainer",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.UI.StartScreen.SecondaryTile\\Permissions",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.UI.StartScreen.SecondaryTile\\ActivateOnHostFlags",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.Tiles.SecondaryTileStore\\ActivationType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.Tiles.SecondaryTileStore\\Server",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.Tiles.SecondaryTileStore\\DllPath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.Tiles.SecondaryTileStore\\Threading",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.Tiles.SecondaryTileStore\\TrustLevel",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.Tiles.SecondaryTileStore\\RemoteServer",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.Tiles.SecondaryTileStore\\ActivateAsUser",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.Tiles.SecondaryTileStore\\ActivateInSharedBroker",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.Tiles.SecondaryTileStore\\ActivateInBrokerForMediumILContainer",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.Tiles.SecondaryTileStore\\Permissions",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.Tiles.SecondaryTileStore\\ActivateOnHostFlags",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.System.Internal.UserManager\\ActivationType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.System.Internal.UserManager\\Server",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.System.Internal.UserManager\\DllPath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.System.Internal.UserManager\\Threading",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.System.Internal.UserManager\\TrustLevel",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.System.Internal.UserManager\\RemoteServer",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.System.Internal.UserManager\\ActivateAsUser",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.System.Internal.UserManager\\ActivateInSharedBroker",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.System.Internal.UserManager\\ActivateInBrokerForMediumILContainer",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.System.Internal.UserManager\\Permissions",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.System.Internal.UserManager\\ActivateOnHostFlags",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\Server\\UserManager\\ExePath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\Server\\UserManager\\CommandLine",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\Server\\UserManager\\IdentityType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\Server\\UserManager\\Permissions",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\Server\\UserManager\\ActivatableClasses",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\Server\\UserManager\\ServerType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\Server\\UserManager\\AppId",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\Server\\UserManager\\Identity",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\Server\\UserManager\\ServiceName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\Server\\UserManager\\ExplicitPsmActivationType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{252E7F79-ACFA-4EA2-9A7E-FA27A8A4D3D9}\\ProxyStubClsid32\\(Default)",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{1BAC8681-2965-4FFC-92D1-170CA4099E01}\\ActivateOnHostFlags",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{1BAC8681-2965-4FFC-92D1-170CA4099E01}\\(Default)",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{1BAC8681-2965-4FFC-92D1-170CA4099E01}\\InProcServer32\\InprocServer32",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{1BAC8681-2965-4FFC-92D1-170CA4099E01}\\InProcServer32\\(Default)",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{1BAC8681-2965-4FFC-92D1-170CA4099E01}\\InProcServer32\\ThreadingModel",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{1BAC8681-2965-4FFC-92D1-170CA4099E01}\\AppID",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{100EB64B-B24C-4C38-8964-720D926D05A4}\\ProxyStubClsid32\\(Default)",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{DF9A26C6-E746-4BCD-B5D4-120103C4209B}\\ProxyStubClsid32\\(Default)",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.SecondaryTileView\\ActivationType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.SecondaryTileView\\Server",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.SecondaryTileView\\DllPath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.SecondaryTileView\\Threading",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.SecondaryTileView\\TrustLevel",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.SecondaryTileView\\RemoteServer",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.SecondaryTileView\\ActivateAsUser",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.SecondaryTileView\\ActivateInSharedBroker",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.SecondaryTileView\\ActivateInBrokerForMediumILContainer",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.SecondaryTileView\\Permissions",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.SecondaryTileView\\ActivateOnHostFlags",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{b3f72108-5c5c-469b-a5e5-3f64d2a39b01}\\ProxyStubClsid32\\(Default)",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{7f290da0-75e3-5885-898d-1f5b1ed47ed2}\\ProxyStubClsid32\\(Default)",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{9ed07b24-36fd-543b-948e-b01fe5814b49}\\ProxyStubClsid32\\(Default)",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{efe869fc-5841-55f1-aa56-82c7219aaa09}\\ProxyStubClsid32\\(Default)",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.UI.Shell.TaskbarManager\\ActivationType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.UI.Shell.TaskbarManager\\Server",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.UI.Shell.TaskbarManager\\DllPath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.UI.Shell.TaskbarManager\\Threading",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.UI.Shell.TaskbarManager\\TrustLevel",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.UI.Shell.TaskbarManager\\RemoteServer",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.UI.Shell.TaskbarManager\\ActivateAsUser",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.UI.Shell.TaskbarManager\\ActivateInSharedBroker",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.UI.Shell.TaskbarManager\\ActivateInBrokerForMediumILContainer",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.UI.Shell.TaskbarManager\\Permissions",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.UI.Shell.TaskbarManager\\ActivateOnHostFlags",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.ApplicationModel.TaskbarPinnableSurface\\ActivationType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.ApplicationModel.TaskbarPinnableSurface\\Server",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.ApplicationModel.TaskbarPinnableSurface\\DllPath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.ApplicationModel.TaskbarPinnableSurface\\Threading",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.ApplicationModel.TaskbarPinnableSurface\\TrustLevel",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.ApplicationModel.TaskbarPinnableSurface\\RemoteServer",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.ApplicationModel.TaskbarPinnableSurface\\ActivateAsUser",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.ApplicationModel.TaskbarPinnableSurface\\ActivateInSharedBroker",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.ApplicationModel.TaskbarPinnableSurface\\ActivateInBrokerForMediumILContainer",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.ApplicationModel.TaskbarPinnableSurface\\Permissions",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.ApplicationModel.TaskbarPinnableSurface\\ActivateOnHostFlags",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{7E470A8A-3ACD-5913-AF64-4AB78355BE5F}\\ProxyStubClsid32\\(Default)",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{9F1FA092-87AA-C78A-4073-7E873ED1E3CF}\\ActivateOnHostFlags",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{9F1FA092-87AA-C78A-4073-7E873ED1E3CF}\\(Default)",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{9F1FA092-87AA-C78A-4073-7E873ED1E3CF}\\InProcServer32\\InprocServer32",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{9F1FA092-87AA-C78A-4073-7E873ED1E3CF}\\InProcServer32\\(Default)",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{9F1FA092-87AA-C78A-4073-7E873ED1E3CF}\\InProcServer32\\ThreadingModel",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{9F1FA092-87AA-C78A-4073-7E873ED1E3CF}\\AppID",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.UI.StartScreen.StartScreenManager\\ActivationType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.UI.StartScreen.StartScreenManager\\Server",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.UI.StartScreen.StartScreenManager\\DllPath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.UI.StartScreen.StartScreenManager\\Threading",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.UI.StartScreen.StartScreenManager\\TrustLevel",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.UI.StartScreen.StartScreenManager\\RemoteServer",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.UI.StartScreen.StartScreenManager\\ActivateAsUser",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.UI.StartScreen.StartScreenManager\\ActivateInSharedBroker",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.UI.StartScreen.StartScreenManager\\ActivateInBrokerForMediumILContainer",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.UI.StartScreen.StartScreenManager\\Permissions",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.UI.StartScreen.StartScreenManager\\ActivateOnHostFlags",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.System.User\\ActivationType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.System.User\\Server",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.System.User\\DllPath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.System.User\\Threading",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.System.User\\TrustLevel",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.System.User\\RemoteServer",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.System.User\\ActivateAsUser",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.System.User\\ActivateInSharedBroker",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.System.User\\ActivateInBrokerForMediumILContainer",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.System.User\\Permissions",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.System.User\\ActivateOnHostFlags",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{155EB23B-242A-45E0-A2E9-3171FC6A7FDD}\\ProxyStubClsid32\\(Default)",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{e44ea1df-bb85-5a8c-bddc-c8e960c355c9}\\ProxyStubClsid32\\(Default)",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{8cbd762a-1222-5ee5-b745-489e7a42c6ec}\\ProxyStubClsid32\\(Default)",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\PinnableSurfaces\\DefaultStart",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.ApplicationModel.StartPinnableSurface\\ActivationType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.ApplicationModel.StartPinnableSurface\\Server",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.ApplicationModel.StartPinnableSurface\\DllPath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.ApplicationModel.StartPinnableSurface\\Threading",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.ApplicationModel.StartPinnableSurface\\TrustLevel",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.ApplicationModel.StartPinnableSurface\\RemoteServer",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.ApplicationModel.StartPinnableSurface\\ActivateAsUser",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.ApplicationModel.StartPinnableSurface\\ActivateInSharedBroker",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.ApplicationModel.StartPinnableSurface\\ActivateInBrokerForMediumILContainer",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.ApplicationModel.StartPinnableSurface\\Permissions",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.ApplicationModel.StartPinnableSurface\\ActivateOnHostFlags",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\AppID\\{338B40F9-9D68-4B53-A793-6B9AA0C5F63B}\\(Default)",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\AppID\\{338B40F9-9D68-4B53-A793-6B9AA0C5F63B}\\LocalService",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\AppID\\{338B40F9-9D68-4B53-A793-6B9AA0C5F63B}\\DllSurrogate",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\AppID\\{338B40F9-9D68-4B53-A793-6B9AA0C5F63B}\\RunAs",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\AppID\\{338B40F9-9D68-4B53-A793-6B9AA0C5F63B}\\ActivateAtStorage",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\AppID\\{338B40F9-9D68-4B53-A793-6B9AA0C5F63B}\\ROTFlags",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\AppID\\{338B40F9-9D68-4B53-A793-6B9AA0C5F63B}\\AppIDFlags",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\AppID\\{338B40F9-9D68-4B53-A793-6B9AA0C5F63B}\\MGOTFlags",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\AppID\\{338B40F9-9D68-4B53-A793-6B9AA0C5F63B}\\ProcessMitigationPolicy",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\AppID\\{338B40F9-9D68-4B53-A793-6B9AA0C5F63B}\\LaunchPermission",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Ole\\LegacyAuthenticationLevel",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Ole\\LegacyImpersonationLevel",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\AppID\\{338B40F9-9D68-4B53-A793-6B9AA0C5F63B}\\AuthenticationLevel",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\AppID\\{338B40F9-9D68-4B53-A793-6B9AA0C5F63B}\\RemoteServerName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\AppID\\{338B40F9-9D68-4B53-A793-6B9AA0C5F63B}\\SRPTrustLevel",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\AppID\\{338B40F9-9D68-4B53-A793-6B9AA0C5F63B}\\PreferredServerBitness",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\AppID\\{338B40F9-9D68-4B53-A793-6B9AA0C5F63B}\\LoadUserSettings",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\AppID\\{338B40F9-9D68-4B53-A793-6B9AA0C5F63B}\\ProtectionLevel",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\AppID\\{338B40F9-9D68-4B53-A793-6B9AA0C5F63B}\\AccessPermission",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{338B40F9-9D68-4B53-A793-6B9AA0C5F63B}\\ActivateOnHostFlags",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{338B40F9-9D68-4B53-A793-6B9AA0C5F63B}\\(Default)",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{338B40F9-9D68-4B53-A793-6B9AA0C5F63B}\\InProcServer32\\InprocServer32",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{338B40F9-9D68-4B53-A793-6B9AA0C5F63B}\\InProcServer32\\(Default)",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{338B40F9-9D68-4B53-A793-6B9AA0C5F63B}\\InProcServer32\\ThreadingModel",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{338B40F9-9D68-4B53-A793-6B9AA0C5F63B}\\AppID",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{8863F93E-77EA-4C67-A86F-7638E3A568A6}\\ProxyStubClsid32\\(Default)",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{A6FF50C0-56C0-71CA-5732-BED303A59628}\\ActivateOnHostFlags",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{A6FF50C0-56C0-71CA-5732-BED303A59628}\\(Default)",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{A6FF50C0-56C0-71CA-5732-BED303A59628}\\InProcServer32\\InprocServer32",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{A6FF50C0-56C0-71CA-5732-BED303A59628}\\InProcServer32\\(Default)",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{A6FF50C0-56C0-71CA-5732-BED303A59628}\\InProcServer32\\ThreadingModel",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{A6FF50C0-56C0-71CA-5732-BED303A59628}\\AppID"
      ],
      "write_keys": [
        "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\TaskManager\\Preferences"
      ],
      "delete_keys": [
        "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\TaskManager\\Preferences"
      ],
      "executed_commands": [
        "\"C:\\Windows\\system32\\taskmgr.exe\" /4",
        "%SystemRoot%\\system32\\taskmgr.exe /4",
        "C:\\Windows\\system32\\DllHost.exe /Processid:{338B40F9-9D68-4B53-A793-6B9AA0C5F63B}",
        "C:\\Windows\\system32\\wbem\\wmiprvse.exe -secured -Embedding",
        "\"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe\" --type=crashpad-handler \"--user-data-dir=C:\\Users\\admin\\AppData\\Local\\Microsoft\\Edge\\User Data\" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler \"--database=C:\\Users\\admin\\AppData\\Local\\Microsoft\\Edge\\User Data\\Crashpad\" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=148.0.7778.180 \"--annotation=exe=C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe\" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=148.0.3967.83 --initial-client-data=0x348,0x34c,0x350,0x344,0x358,0x7ffc32485d58,0x7ffc32485d64,0x7ffc32485d70",
        "\"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe\" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --startup-read-main-dll --metrics-shmem-handle=2252,i,1852722750093770922,12337795973288601513,524288 --field-trial-handle=2464,i,11618049249894349634,12934656804764563957,262144 --variations-seed-version --pseudonymization-salt-handle=2472,i,15884246703223372676,9125995165493510780,4 --trace-process-track-uuid=3190708989122997041 --mojo-platform-channel-handle=2544 /prefetch:3",
        "\"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe\" --type=gpu-process --gpu-preferences=SAAAAAAAAADgAAAEAAAAAAAAAAAAAGAAAQAAAAAAAAAAAAAAAAAAAAIAAAAAAAAAAAAAAAAAAAAQAAAAAAAAABAAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --startup-read-main-dll --metrics-shmem-handle=2148,i,10847598894621438095,12789521635842580643,262144 --field-trial-handle=2464,i,11618049249894349634,12934656804764563957,262144 --variations-seed-version --pseudonymization-salt-handle=2472,i,15884246703223372676,9125995165493510780,4 --trace-process-track-uuid=3190708988185955192 --mojo-platform-channel-handle=2460 /prefetch:2",
        "\"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe\" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --startup-read-main-dll --metrics-shmem-handle=2712,i,12124658266742785438,6673008252034019867,524288 --field-trial-handle=2464,i,11618049249894349634,12934656804764563957,262144 --variations-seed-version --pseudonymization-salt-handle=2472,i,15884246703223372676,9125995165493510780,4 --trace-process-track-uuid=3190708990060038890 --mojo-platform-channel-handle=2552 /prefetch:8",
        "\"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe\" --type=renderer --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale=en_AU --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --time-ticks-at-unix-epoch=-1780005649456729 --launch-time-ticks=73085097 --ssd-no-pressure-read-main-dll --metrics-shmem-handle=3520,i,12993274521700679940,8746294588575262201,2097152 --field-trial-handle=2464,i,11618049249894349634,12934656804764563957,262144 --variations-seed-version --pseudonymization-salt-handle=2472,i,15884246703223372676,9125995165493510780,4 --trace-process-track-uuid=3190708991934122588 --mojo-platform-channel-handle=3556 /prefetch:1",
        "\"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe\" --type=renderer --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale=en_AU --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --time-ticks-at-unix-epoch=-1780005649456729 --launch-time-ticks=73086337 --skip-read-main-dll --metrics-shmem-handle=3364,i,8287753549644527570,15394987965169516576,2097152 --field-trial-handle=2464,i,11618049249894349634,12934656804764563957,262144 --variations-seed-version --pseudonymization-salt-handle=2472,i,15884246703223372676,9125995165493510780,4 --trace-process-track-uuid=3190708990997080739 --mojo-platform-channel-handle=3564 /prefetch:1",
        "\"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe\" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --skip-read-main-dll --metrics-shmem-handle=5272,i,14100473808991986883,1552638804429653106,524288 --field-trial-handle=2464,i,11618049249894349634,12934656804764563957,262144 --variations-seed-version --pseudonymization-salt-handle=2472,i,15884246703223372676,9125995165493510780,4 --trace-process-track-uuid=3190708992871164437 --mojo-platform-channel-handle=5284 /prefetch:8",
        "\"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe\" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-US --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --skip-read-main-dll --metrics-shmem-handle=5624,i,11759773399020994037,14274051796553512958,524288 --field-trial-handle=2464,i,11618049249894349634,12934656804764563957,262144 --variations-seed-version --pseudonymization-salt-handle=2472,i,15884246703223372676,9125995165493510780,4 --trace-process-track-uuid=3190708993808206286 --mojo-platform-channel-handle=5652 /prefetch:8",
        "\"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\148.0.3967.83\\identity_helper.exe\" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=windows_package_identity --skip-read-main-dll --metrics-shmem-handle=5988,i,16463646965434194640,9756354988950792942,524288 --field-trial-handle=2464,i,11618049249894349634,12934656804764563957,262144 --variations-seed-version --pseudonymization-salt-handle=2472,i,15884246703223372676,9125995165493510780,4 --trace-process-track-uuid=3190708994745248135 --mojo-platform-channel-handle=6004 /prefetch:8",
        "\"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe\" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --skip-read-main-dll --metrics-shmem-handle=5016,i,10489045321286890553,3537000843862549641,524288 --field-trial-handle=2464,i,11618049249894349634,12934656804764563957,262144 --variations-seed-version --pseudonymization-salt-handle=2472,i,15884246703223372676,9125995165493510780,4 --trace-process-track-uuid=3190708995682289984 --mojo-platform-channel-handle=5084 /prefetch:8",
        "\"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe\" --no-startup-window"
      ],
      "resolved_apis": [
        "ntdll.dll.RtlWow64GetCurrentMachine",
        "ntdll.dll.RtlWow64IsWowGuestMachineSupported"
      ],
      "mutexes": [
        "Local\\SM0:7912:304:WilStaging_02",
        "Local\\TM.750ce7b0-e5fd-454f-9fad-2f66513dfa1b",
        "Local\\MSCTF.Asm.MutexDefault1",
        "CicLoadWinStaWinSta0",
        "Local\\MSCTF.CtfMonitorInstMutexDefault1",
        "Local\\SM0:7912:120:WilError_03",
        "Local\\SessionImmersiveColorMutex",
        "Global\\C::Users:admin:AppData:Local:Microsoft:Windows:Explorer:iconcache_32.db!dfMaintainer",
        "Global\\C::Users:admin:AppData:Local:Microsoft:Windows:Explorer:iconcache_48.db!dfMaintainer",
        "Global\\C::Users:admin:AppData:Local:Microsoft:Windows:Explorer:iconcache_96.db!dfMaintainer",
        "Global\\C::Users:admin:AppData:Local:Microsoft:Windows:Explorer:iconcache_256.db!dfMaintainer",
        "Global\\C::Users:admin:AppData:Local:Microsoft:Windows:Explorer:iconcache_768.db!dfMaintainer",
        "Global\\C::Users:admin:AppData:Local:Microsoft:Windows:Explorer:iconcache_1920.db!dfMaintainer",
        "Global\\C::Users:admin:AppData:Local:Microsoft:Windows:Explorer:iconcache_sr.db!dfMaintainer",
        "Global\\C::Users:admin:AppData:Local:Microsoft:Windows:Explorer:iconcache_wide.db!dfMaintainer",
        "Global\\C::Users:admin:AppData:Local:Microsoft:Windows:Explorer:iconcache_exif.db!dfMaintainer",
        "Global\\C::Users:admin:AppData:Local:Microsoft:Windows:Explorer:iconcache_wide_alternate.db!dfMaintainer",
        "Global\\C::Users:admin:AppData:Local:Microsoft:Windows:Explorer:iconcache_custom_stream.db!dfMaintainer",
        "Global\\C::Users:admin:AppData:Local:Microsoft:Windows:Explorer:iconcache_idx.db!IconCacheInit",
        "Global\\C::Users:admin:AppData:Local:Microsoft:Windows:Explorer:iconcache_idx.db!rwReaderRefs",
        "Global\\C::Users:admin:AppData:Local:Microsoft:Windows:Explorer:iconcache_idx.db!045bf8",
        "Global\\C::Users:admin:AppData:Local:Microsoft:Windows:Explorer:iconcache_idx.db!0460e8",
        "Global\\C::Users:admin:AppData:Local:Microsoft:Windows:Explorer:iconcache_idx.db!0411e8",
        "Global\\C::Users:admin:AppData:Local:Microsoft:Windows:Explorer:iconcache_idx.db!0420b8",
        "Global\\C::Users:admin:AppData:Local:Microsoft:Windows:Explorer:iconcache_idx.db!0465d8",
        "Global\\C::Users:admin:AppData:Local:Microsoft:Windows:Explorer:iconcache_idx.db!048868",
        "Global\\C::Users:admin:AppData:Local:Microsoft:Windows:Explorer:iconcache_idx.db!rwWriterMutex",
        "Global\\C::Users:admin:AppData:Local:Microsoft:Windows:Explorer:iconcache_16.db!dfMaintainer",
        "Global\\C::Users:admin:AppData:Local:Microsoft:Windows:Explorer:iconcache_1280.db!dfMaintainer",
        "Global\\C::Users:admin:AppData:Local:Microsoft:Windows:Explorer:iconcache_2560.db!dfMaintainer",
        "Global\\C::Users:admin:AppData:Local:Microsoft:Windows:Explorer:iconcache_idx.db!049c28",
        "Global\\C::Users:admin:AppData:Local:Microsoft:Windows:Explorer:iconcache_idx.db!046ac8",
        "Global\\C::Users:admin:AppData:Local:Microsoft:Windows:Explorer:iconcache_idx.db!04a118",
        "Global\\C::Users:admin:AppData:Local:Microsoft:Windows:Explorer:iconcache_idx.db!04b4d8",
        "Global\\C::Users:admin:AppData:Local:Microsoft:Windows:Explorer:iconcache_idx.db!048d58",
        "Global\\C::Users:admin:AppData:Local:Microsoft:Windows:Explorer:iconcache_idx.db!049248",
        "Installing",
        "Global\\C::Users:admin:AppData:Local:Microsoft:Windows:Explorer:iconcache_idx.db!046fb8",
        "Global\\C::Users:admin:AppData:Local:Microsoft:Windows:Explorer:iconcache_idx.db!0474a8",
        "Global\\C::Users:admin:AppData:Local:Microsoft:Windows:Explorer:iconcache_idx.db!049738",
        "Global\\C::Users:admin:AppData:Local:Microsoft:Windows:Explorer:iconcache_idx.db!047998",
        "Global\\C::Users:admin:AppData:Local:Microsoft:Windows:Explorer:iconcache_idx.db!04b9c8",
        "Global\\C::Users:admin:AppData:Local:Microsoft:Windows:Explorer:iconcache_idx.db!04a608",
        "Global\\C::Users:admin:AppData:Local:Microsoft:Windows:Explorer:iconcache_idx.db!047e88",
        "Global\\C::Users:admin:AppData:Local:Microsoft:Windows:Explorer:iconcache_idx.db!04afe8",
        "Local\\SM0:10720:304:WilStaging_02",
        "Local\\SM0:10720:120:WilError_03",
        "Local\\SM0:9716:304:WilStaging_02"
      ],
      "created_services": [],
      "started_services": [
        "MicrosoftEdgeElevationService"
      ]
    },
    "enhanced": [
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:52,639",
        "eid": 1,
        "data": {
          "file": "user32",
          "pathtofile": null,
          "moduleaddress": "0x7ffc762a0000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:52,639",
        "eid": 2,
        "data": {
          "file": "D3D10Warp.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc6e3b0000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:52,639",
        "eid": 3,
        "data": {
          "file": "gdi32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc77ed0000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:52,639",
        "eid": 4,
        "data": {
          "file": "d3d10warp.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc6e3b0000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:52,702",
        "eid": 5,
        "data": {
          "file": "SHELL32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc76730000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:52,702",
        "eid": 6,
        "data": {
          "file": "shell32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc76730000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:54,608",
        "eid": 7,
        "data": {
          "file": "C:\\Windows\\System32\\dwmapi.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc73480000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:56,718",
        "eid": 8,
        "data": {
          "file": "shell32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc76730000"
        }
      },
      {
        "event": "execute",
        "object": "file",
        "timestamp": "2026-05-28 22:01:56,749",
        "eid": 9,
        "data": {
          "file": "\"C:\\Windows\\system32\\taskmgr.exe\" /4"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:56,749",
        "eid": 10,
        "data": {
          "file": "ntdll.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc77fd0000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:56,749",
        "eid": 11,
        "data": {
          "file": "C:\\Windows\\System32\\sfc_os.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc630f0000"
        }
      },
      {
        "event": "execute",
        "object": "file",
        "timestamp": "2026-05-28 22:01:56,764",
        "eid": 12,
        "data": {
          "file": "%SystemRoot%\\system32\\taskmgr.exe"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:57,389",
        "eid": 13,
        "data": {
          "file": "shell32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc76730000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:57,389",
        "eid": 14,
        "data": {
          "file": "shell32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc76730000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:57,405",
        "eid": 15,
        "data": {
          "file": "shell32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc76730000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:57,405",
        "eid": 16,
        "data": {
          "file": "shell32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc76730000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:57,405",
        "eid": 17,
        "data": {
          "file": "shell32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc76730000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:57,405",
        "eid": 18,
        "data": {
          "file": "shell32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc76730000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:57,421",
        "eid": 19,
        "data": {
          "file": "shell32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc76730000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:57,514",
        "eid": 20,
        "data": {
          "file": "shell32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc76730000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:57,514",
        "eid": 21,
        "data": {
          "file": "C:\\Windows\\System32\\rsaenh.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc746b0000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:57,514",
        "eid": 22,
        "data": {
          "file": "shell32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc76730000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:57,530",
        "eid": 23,
        "data": {
          "file": "shell32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc76730000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:02,358",
        "eid": 24,
        "data": {
          "file": "shell32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc76730000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:02,358",
        "eid": 25,
        "data": {
          "file": "shell32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc76730000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:02,358",
        "eid": 26,
        "data": {
          "file": "shell32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc76730000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:02,358",
        "eid": 27,
        "data": {
          "file": "shell32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc76730000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:02,358",
        "eid": 28,
        "data": {
          "file": "shell32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc76730000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:02,389",
        "eid": 29,
        "data": {
          "file": "shell32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc76730000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:02,405",
        "eid": 30,
        "data": {
          "file": "shell32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc76730000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:02,405",
        "eid": 31,
        "data": {
          "file": "shell32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc76730000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:02,421",
        "eid": 32,
        "data": {
          "file": "shell32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc76730000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:02,436",
        "eid": 33,
        "data": {
          "file": "shell32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc76730000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:02,452",
        "eid": 34,
        "data": {
          "file": "shell32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc76730000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:02,468",
        "eid": 35,
        "data": {
          "file": "shell32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc76730000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:02,483",
        "eid": 36,
        "data": {
          "file": "shell32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc76730000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:02,499",
        "eid": 37,
        "data": {
          "file": "shell32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc76730000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:02,514",
        "eid": 38,
        "data": {
          "file": "shell32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc76730000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:02,530",
        "eid": 39,
        "data": {
          "file": "shell32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc76730000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:02,546",
        "eid": 40,
        "data": {
          "file": "shell32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc76730000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:02,546",
        "eid": 41,
        "data": {
          "file": "shell32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc76730000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:02,561",
        "eid": 42,
        "data": {
          "file": "shell32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc76730000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:02,577",
        "eid": 43,
        "data": {
          "file": "shell32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc76730000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:02,593",
        "eid": 44,
        "data": {
          "file": "shell32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc76730000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:02,608",
        "eid": 45,
        "data": {
          "file": "shell32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc76730000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:02,639",
        "eid": 46,
        "data": {
          "file": "shell32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc76730000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:02,671",
        "eid": 47,
        "data": {
          "file": "shell32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc76730000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:02,733",
        "eid": 48,
        "data": {
          "file": "shell32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc76730000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:02,733",
        "eid": 49,
        "data": {
          "file": "shell32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc76730000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:02,733",
        "eid": 50,
        "data": {
          "file": "shell32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc76730000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:02,733",
        "eid": 51,
        "data": {
          "file": "shell32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc76730000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:10,546",
        "eid": 52,
        "data": {
          "file": "comctl32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc61e00000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:13,452",
        "eid": 53,
        "data": {
          "file": "C:\\Windows\\System32\\rsaenh.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc746b0000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:37,983",
        "eid": 54,
        "data": {
          "file": "shell32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc76730000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:37,999",
        "eid": 55,
        "data": {
          "file": "shell32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc76730000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:38,014",
        "eid": 56,
        "data": {
          "file": "shell32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc76730000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:38,046",
        "eid": 57,
        "data": {
          "file": "shell32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc76730000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:38,061",
        "eid": 58,
        "data": {
          "file": "shell32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc76730000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:38,093",
        "eid": 59,
        "data": {
          "file": "shell32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc76730000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:38,280",
        "eid": 60,
        "data": {
          "file": "shell32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc76730000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:39,358",
        "eid": 61,
        "data": {
          "file": "shell32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc76730000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:39,358",
        "eid": 62,
        "data": {
          "file": "shell32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc76730000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:39,405",
        "eid": 63,
        "data": {
          "file": "shell32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc76730000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:39,421",
        "eid": 64,
        "data": {
          "file": "shell32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc76730000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:39,436",
        "eid": 65,
        "data": {
          "file": "shell32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc76730000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:39,452",
        "eid": 66,
        "data": {
          "file": "shell32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc76730000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:39,468",
        "eid": 67,
        "data": {
          "file": "shell32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc76730000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:39,577",
        "eid": 68,
        "data": {
          "file": "shell32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc76730000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:39,577",
        "eid": 69,
        "data": {
          "file": "shell32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc76730000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:39,593",
        "eid": 70,
        "data": {
          "file": "shell32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc76730000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:39,593",
        "eid": 71,
        "data": {
          "file": "shell32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc76730000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:39,608",
        "eid": 72,
        "data": {
          "file": "shell32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc76730000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:39,608",
        "eid": 73,
        "data": {
          "file": "shell32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc76730000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:39,639",
        "eid": 74,
        "data": {
          "file": "shell32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc76730000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:39,639",
        "eid": 75,
        "data": {
          "file": "shell32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc76730000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:39,655",
        "eid": 76,
        "data": {
          "file": "shell32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc76730000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:39,655",
        "eid": 77,
        "data": {
          "file": "shell32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc76730000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:39,686",
        "eid": 78,
        "data": {
          "file": "shell32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc76730000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:39,686",
        "eid": 79,
        "data": {
          "file": "shell32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc76730000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:39,702",
        "eid": 80,
        "data": {
          "file": "shell32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc76730000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:39,702",
        "eid": 81,
        "data": {
          "file": "shell32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc76730000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:39,733",
        "eid": 82,
        "data": {
          "file": "shell32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc76730000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:39,733",
        "eid": 83,
        "data": {
          "file": "shell32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc76730000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:39,749",
        "eid": 84,
        "data": {
          "file": "shell32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc76730000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:39,749",
        "eid": 85,
        "data": {
          "file": "shell32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc76730000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:39,764",
        "eid": 86,
        "data": {
          "file": "shell32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc76730000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:39,764",
        "eid": 87,
        "data": {
          "file": "shell32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc76730000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:39,780",
        "eid": 88,
        "data": {
          "file": "shell32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc76730000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:39,780",
        "eid": 89,
        "data": {
          "file": "shell32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc76730000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:39,796",
        "eid": 90,
        "data": {
          "file": "shell32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc76730000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:39,796",
        "eid": 91,
        "data": {
          "file": "shell32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc76730000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:39,811",
        "eid": 92,
        "data": {
          "file": "shell32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc76730000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:39,811",
        "eid": 93,
        "data": {
          "file": "shell32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc76730000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:39,843",
        "eid": 94,
        "data": {
          "file": "shell32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc76730000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:39,843",
        "eid": 95,
        "data": {
          "file": "shell32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc76730000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:40,483",
        "eid": 96,
        "data": {
          "file": "C:\\Windows\\System32\\rsaenh.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc746b0000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:40,764",
        "eid": 97,
        "data": {
          "file": "shell32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc76730000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:40,764",
        "eid": 98,
        "data": {
          "file": "shell32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc76730000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:40,796",
        "eid": 99,
        "data": {
          "file": "shell32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc76730000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:40,811",
        "eid": 100,
        "data": {
          "file": "shell32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc76730000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:40,827",
        "eid": 101,
        "data": {
          "file": "shell32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc76730000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:40,843",
        "eid": 102,
        "data": {
          "file": "shell32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc76730000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:40,999",
        "eid": 103,
        "data": {
          "file": "shell32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc76730000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:41,014",
        "eid": 104,
        "data": {
          "file": "shell32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc76730000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:41,030",
        "eid": 105,
        "data": {
          "file": "shell32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc76730000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:41,046",
        "eid": 106,
        "data": {
          "file": "shell32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc76730000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:41,061",
        "eid": 107,
        "data": {
          "file": "shell32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc76730000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:41,077",
        "eid": 108,
        "data": {
          "file": "shell32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc76730000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:41,093",
        "eid": 109,
        "data": {
          "file": "shell32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc76730000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:41,108",
        "eid": 110,
        "data": {
          "file": "shell32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc76730000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:41,124",
        "eid": 111,
        "data": {
          "file": "shell32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc76730000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:41,139",
        "eid": 112,
        "data": {
          "file": "shell32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc76730000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:41,155",
        "eid": 113,
        "data": {
          "file": "shell32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc76730000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:41,171",
        "eid": 114,
        "data": {
          "file": "shell32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc76730000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:41,186",
        "eid": 115,
        "data": {
          "file": "shell32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc76730000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:41,202",
        "eid": 116,
        "data": {
          "file": "shell32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc76730000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:41,218",
        "eid": 117,
        "data": {
          "file": "shell32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc76730000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:41,233",
        "eid": 118,
        "data": {
          "file": "shell32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc76730000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:41,249",
        "eid": 119,
        "data": {
          "file": "shell32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc76730000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:42,530",
        "eid": 120,
        "data": {
          "file": "shell32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc76730000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:50,921",
        "eid": 121,
        "data": {
          "file": "C:\\Windows\\System32\\rsaenh.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc746b0000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:03:04,608",
        "eid": 122,
        "data": {
          "file": "C:\\Windows\\System32\\wscinterop.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc601b0000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:03:04,843",
        "eid": 123,
        "data": {
          "file": "C:\\Windows\\System32\\werconcpl.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc199b0000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:03:04,874",
        "eid": 124,
        "data": {
          "file": "C:\\Windows\\System32\\hcproviders.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc5faf0000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:03:04,968",
        "eid": 125,
        "data": {
          "file": "C:\\Windows\\System32\\ieproxy.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc19860000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:03:05,061",
        "eid": 126,
        "data": {
          "file": "Comctl32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc61e00000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:03:05,061",
        "eid": 127,
        "data": {
          "file": "wscapi.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc6a330000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:57,412",
        "eid": 128,
        "data": {
          "file": "C:\\Windows\\System32\\rsaenh.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc746b0000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,600",
        "eid": 129,
        "data": {
          "file": "C:\\Windows\\System32\\rsaenh.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc746b0000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:02,600",
        "eid": 130,
        "data": {
          "file": "C:\\Windows\\System32\\rsaenh.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc746b0000"
        }
      },
      {
        "event": "start",
        "object": "service",
        "timestamp": "2026-05-28 22:02:05,381",
        "eid": 131,
        "data": {
          "service": "MicrosoftEdgeElevationService"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:38,006",
        "eid": 132,
        "data": {
          "file": "C:\\Windows\\System32\\rsaenh.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc746b0000"
        }
      },
      {
        "event": "start",
        "object": "service",
        "timestamp": "2026-05-28 22:02:41,115",
        "eid": 133,
        "data": {
          "service": "MicrosoftEdgeElevationService"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,115",
        "eid": 134,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\SideBySide\\PreferExternalManifest",
          "content": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:57,115",
        "eid": 135,
        "data": {
          "file": "LPK",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:57,115",
        "eid": 136,
        "data": {
          "file": "GDI32",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:57,115",
        "eid": 137,
        "data": {
          "file": "advapi32.dll",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:57,115",
        "eid": 138,
        "data": {
          "file": "ntdll.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc77fd0000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:57,115",
        "eid": 139,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:57,115",
        "eid": 140,
        "data": {
          "file": "user32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc762a0000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:57,115",
        "eid": 141,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:57,115",
        "eid": 142,
        "data": {
          "file": "advapi32.dll",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:57,131",
        "eid": 143,
        "data": {
          "file": "api-ms-win-core-synch-l1-2-0.dll",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:57,131",
        "eid": 144,
        "data": {
          "file": "gdi32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc77ed0000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:57,131",
        "eid": 145,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:57,146",
        "eid": 146,
        "data": {
          "file": "ntdll.dll",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:57,162",
        "eid": 147,
        "data": {
          "file": "api-ms-win-core-synch-l1-2-0.dll",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:57,162",
        "eid": 148,
        "data": {
          "file": "ntdll.dll",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,162",
        "eid": 149,
        "data": {
          "regkey": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\TaskManager\\StartUpTab",
          "content": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:57,162",
        "eid": 150,
        "data": {
          "file": "Comctl32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc61e00000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:57,162",
        "eid": 151,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:57,162",
        "eid": 152,
        "data": {
          "file": "comctl32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc61e00000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:57,162",
        "eid": 153,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:57,178",
        "eid": 154,
        "data": {
          "file": "C:\\Windows\\System32\\duser.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc6aa90000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:57,178",
        "eid": 155,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:57,193",
        "eid": 156,
        "data": {
          "file": "C:\\Windows\\System32\\uxtheme.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc730a0000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:57,193",
        "eid": 157,
        "data": {
          "file": "user32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc762a0000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:57,193",
        "eid": 158,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:57,193",
        "eid": 159,
        "data": {
          "file": "C:\\Windows\\system32\\rpcss.dll",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,193",
        "eid": 160,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\FipsAlgorithmPolicy\\STE",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,193",
        "eid": 161,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\FipsAlgorithmPolicy\\Enabled",
          "content": "0"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,193",
        "eid": 162,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\FipsAlgorithmPolicy",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,193",
        "eid": 163,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\FipsAlgorithmPolicy\\MDMEnabled",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,193",
        "eid": 164,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\en-AU",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,193",
        "eid": 165,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\ExtendedLocale\\en-AU",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,193",
        "eid": 166,
        "data": {
          "regkey": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\TaskManager\\Preferences",
          "content": "\r\\x00\\x00\\x00`\\x00\\x00\\x00`\\x00\\x00\\x00\\x82\\x00\\x00\\x00\\x82\\x00\\x00\\x00\\xfd\\x01\\x00\\x00\\xf6\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x80\\x00\\x00\\x00\\x80\\xd8\\x01\\x00\\x80\\xdf\\x01\\x00\\x80\\x00\\x01\\x00\\x01\\xc1\\x01\\x00\\x00,\\x01\\x00\\x00i\\x04\\x00\\x00\\x84\\x03\\x00\\x00\\xe8\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x0f\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00X\\xaa\\xbe\\x14\\xf7\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xea\\x00\\x00\\x00\\x1e\\x00\\x00\\x00\\x89\\x90\\x00\\x00\\x00\\x00\\x00\\x00\\xff\\x00\\x00\\x00\\x01\\x01P\\x02\\x00\\x00\\x00\\x00\r\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x98\\xaa\\xbe\\x14\\xf7\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\x96\\x00\\x00\\x00\\x1e\\x00\\x00\\x00\\x8b\\x90\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x10\\x01\\x00\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb0\\xaa\\xbe\\x14\\xf7\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xffx\\x00\\x00\\x00\\x1e\\x00\\x00\\x00\\x8c\\x90\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x02\\x12\\x00\\x00\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xc8\\xaa\\xbe\\x14\\xf7\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\x96\\x00\\x00\\x00\\x1e\\x00\\x00\\x00\\x8d\\x90\\x00\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x10\\x01\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xe8\\xaa\\xbe\\x14\\xf7\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff2\\x00\\x00\\x00\\x1e\\x00\\x00\\x00\\x8a\\x90\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x08 
\\x01\\x00\\x00\\x00\\x00\\x05\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xab\\xbe\\x14\\xf7\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xc8\\x00\\x00\\x00\\x1e\\x00\\x00\\x00\\x8e\\x90\\x00\\x00\\x05\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x10\\x01\\x00\\x00\\x00\\x00\\x06\\x00\\x00\\x00\\x00\\x00\\x00\\x00(\\xab\\xbe\\x14\\xf7\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\x04\\x01\\x00\\x00\\x1e\\x00\\x00\\x00\\x8f\\x90\\x00\\x00\\x06\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x10\\x01\\x00\\x00\\x00\\x00\\x07\\x00\\x00\\x00\\x00\\x00\\x00\\x00P\\xab\\xbe\\x14\\xf7\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xffI\\x00\\x00\\x00"
        }
      },
      {
        "event": "delete",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,193",
        "eid": 167,
        "data": {
          "regkey": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\TaskManager\\Preferences"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,193",
        "eid": 168,
        "data": {
          "regkey": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\TaskManager\\UseStatusSetting",
          "content": "0"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,209",
        "eid": 169,
        "data": {
          "regkey": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\TaskManager\\StartUpTab",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,209",
        "eid": 170,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\SideBySide\\PreferExternalManifest",
          "content": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:57,209",
        "eid": 171,
        "data": {
          "file": "Comctl32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc61e00000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:57,209",
        "eid": 172,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,209",
        "eid": 173,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\en-US",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,209",
        "eid": 174,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\ExtendedLocale\\en-US",
          "content": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:57,209",
        "eid": 175,
        "data": {
          "file": "ntdll.dll",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,209",
        "eid": 176,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Session Manager\\ResourcePolicies",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,240",
        "eid": 177,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\DataStore_V1.0\\Disable",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,240",
        "eid": 178,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\DataStore_V1.0\\DataFilePath",
          "content": "C:\\Windows\\Fonts\\staticcache.dat"
        }
      },
      {
        "event": "read",
        "object": "file",
        "timestamp": "2026-05-28 22:01:57,240",
        "eid": 179,
        "data": {
          "file": "C:\\Windows\\Fonts\\StaticCache.dat"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,256",
        "eid": 180,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Plane1",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,256",
        "eid": 181,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Plane2",
          "content": "SimSun-ExtB"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,256",
        "eid": 182,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Plane3",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,256",
        "eid": 183,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Plane4",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,256",
        "eid": 184,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Plane5",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,256",
        "eid": 185,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Plane6",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,256",
        "eid": 186,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Plane7",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,256",
        "eid": 187,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Plane8",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,256",
        "eid": 188,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Plane9",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,256",
        "eid": 189,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Plane10",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,256",
        "eid": 190,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Plane11",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,256",
        "eid": 191,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Plane12",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,256",
        "eid": 192,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Plane13",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,256",
        "eid": 193,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Plane14",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,256",
        "eid": 194,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Plane15",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,256",
        "eid": 195,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Plane16",
          "content": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:57,256",
        "eid": 196,
        "data": {
          "file": "C:\\Windows\\system32\\taskmgr.exe",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:57,256",
        "eid": 197,
        "data": {
          "file": "ntdll.dll",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,271",
        "eid": 198,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\OOBE\\LaunchUserOOBE",
          "content": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:57,271",
        "eid": 199,
        "data": {
          "file": "ntdll.dll",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,271",
        "eid": 200,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\Sorting\\Versions\\000603xx",
          "content": "kernel32.dll"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:57,271",
        "eid": 201,
        "data": {
          "file": "kernel32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc76030000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:57,271",
        "eid": 202,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,271",
        "eid": 203,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\EnableAnchorContext",
          "content": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:57,287",
        "eid": 204,
        "data": {
          "file": "ext-ms-win-rtcore-ntuser-window-ext-l1-1-0.dll",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:57,287",
        "eid": 205,
        "data": {
          "file": "ext-ms-win-rtcore-ntuser-window-ext-l1-1-0.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc762a0000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:57,287",
        "eid": 206,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:57,287",
        "eid": 207,
        "data": {
          "file": "ntdll.dll",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:57,287",
        "eid": 208,
        "data": {
          "file": "user32",
          "pathtofile": null,
          "moduleaddress": "0x7ffc762a0000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:57,287",
        "eid": 209,
        "data": {
          "file": "ext-ms-win-rtcore-ntuser-integration-l1-1-0.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc762a0000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:57,287",
        "eid": 210,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:57,287",
        "eid": 211,
        "data": {
          "file": "api-ms-win-core-com-l1-1-0.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc77b70000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:57,287",
        "eid": 212,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:57,287",
        "eid": 213,
        "data": {
          "file": "ntdll.dll",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,287",
        "eid": 214,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\IsVailContainer",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,303",
        "eid": 215,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Input\\ResyncResetTime",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,303",
        "eid": 216,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Input\\MaxResyncAttempts",
          "content": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:57,303",
        "eid": 217,
        "data": {
          "file": "iertutil.dll",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:57,303",
        "eid": 218,
        "data": {
          "file": "USER32",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:57,303",
        "eid": 219,
        "data": {
          "file": "C:\\Windows\\System32\\msctf.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc77400000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:57,303",
        "eid": 220,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:57,303",
        "eid": 221,
        "data": {
          "file": "ntdll.dll",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:57,303",
        "eid": 222,
        "data": {
          "file": "ntdll.dll",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,350",
        "eid": 223,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\WindowsLogon\\HideFastUserSwitching\\PolicyType",
          "content": "4"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,350",
        "eid": 224,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\WindowsLogon\\HideFastUserSwitching\\Behavior",
          "content": "8225"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,350",
        "eid": 225,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\WindowsLogon\\HideFastUserSwitching\\MergeAlgorithm",
          "content": "2"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,350",
        "eid": 226,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\WindowsLogon\\HideFastUserSwitching\\RegKeyPathRedirectMapped",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,350",
        "eid": 227,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\WindowsLogon\\HideFastUserSwitching\\RegKeyPathRedirect",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,350",
        "eid": 228,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\WindowsLogon\\HideFastUserSwitching\\RegKeyPathRedirect",
          "content": "Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,350",
        "eid": 229,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\WindowsLogon\\HideFastUserSwitching\\RegValueNameRedirect",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,350",
        "eid": 230,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\WindowsLogon\\HideFastUserSwitching\\RegValueNameRedirect",
          "content": "HideFastUserSwitching"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,350",
        "eid": 231,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\WindowsLogon\\HideFastUserSwitching\\grouppolicyname",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,350",
        "eid": 232,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\WindowsLogon\\HideFastUserSwitching\\ADMXMetadataUser",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,350",
        "eid": 233,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\WindowsLogon\\HideFastUserSwitching\\ADMXMetadataDevice",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,350",
        "eid": 234,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\WindowsLogon\\HideFastUserSwitching\\ADMXMetadataBoth",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,350",
        "eid": 235,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\WindowsLogon\\HideFastUserSwitching\\30Value",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,350",
        "eid": 236,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\WindowsLogon\\HideFastUserSwitching\\Value",
          "content": "0"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,350",
        "eid": 237,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\HideFastUserSwitching",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,350",
        "eid": 238,
        "data": {
          "regkey": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\TaskManager\\StartUpTab",
          "content": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:57,396",
        "eid": 239,
        "data": {
          "file": "Comctl32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc61e00000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:57,396",
        "eid": 240,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,396",
        "eid": 241,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Networking.UX.UXManager\\ActivationType",
          "content": "0"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,396",
        "eid": 242,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Networking.UX.UXManager\\Server",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,396",
        "eid": 243,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Networking.UX.UXManager\\DllPath",
          "content": "C:\\Windows\\System32\\NetworkUXBroker.dll"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,396",
        "eid": 244,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Networking.UX.UXManager\\Threading",
          "content": "0"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,396",
        "eid": 245,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Networking.UX.UXManager\\TrustLevel",
          "content": "1"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,396",
        "eid": 246,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Networking.UX.UXManager\\RemoteServer",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,396",
        "eid": 247,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Networking.UX.UXManager\\ActivateAsUser",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,396",
        "eid": 248,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Networking.UX.UXManager\\ActivateInSharedBroker",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,396",
        "eid": 249,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Networking.UX.UXManager\\ActivateInBrokerForMediumILContainer",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,396",
        "eid": 250,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Networking.UX.UXManager\\Permissions",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,396",
        "eid": 251,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Networking.UX.UXManager\\ActivateOnHostFlags",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,396",
        "eid": 252,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Ole\\MaxSxSHashCount",
          "content": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:57,412",
        "eid": 253,
        "data": {
          "file": "C:\\Windows\\System32\\NetworkUXBroker.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc68f00000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:57,412",
        "eid": 254,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,428",
        "eid": 255,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SecurityManager\\AdminCapabilities\\shellExperience",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,428",
        "eid": 256,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\NetworkUxManager\\Windows.Networking.UX.Internal.DAMediaManager\\Active",
          "content": "1"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,428",
        "eid": 257,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\NetworkUxManager\\Windows.Networking.UX.Internal.DAMediaManager\\MediaType",
          "content": "4"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,428",
        "eid": 258,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\NetworkUxManager\\Windows.Networking.UX.Internal.EthernetMediaManager\\Active",
          "content": "1"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,428",
        "eid": 259,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\NetworkUxManager\\Windows.Networking.UX.Internal.EthernetMediaManager\\MediaType",
          "content": "3"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,428",
        "eid": 260,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\NetworkUxManager\\Windows.Networking.UX.Internal.MBMediaManager\\Active",
          "content": "1"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,428",
        "eid": 261,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\NetworkUxManager\\Windows.Networking.UX.Internal.MBMediaManager\\MediaType",
          "content": "2"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,428",
        "eid": 262,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\NetworkUxManager\\Windows.Networking.UX.Internal.RasMediaManager\\Active",
          "content": "1"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,428",
        "eid": 263,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\NetworkUxManager\\Windows.Networking.UX.Internal.RasMediaManager\\MediaType",
          "content": "5"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,428",
        "eid": 264,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\NetworkUxManager\\Windows.Networking.UX.Internal.WlanMediaManager\\Active",
          "content": "1"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,428",
        "eid": 265,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\NetworkUxManager\\Windows.Networking.UX.Internal.WlanMediaManager\\MediaType",
          "content": "1"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:57,443",
        "eid": 266,
        "data": {
          "file": "srumapi.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc65120000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:57,443",
        "eid": 267,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:57,443",
        "eid": 268,
        "data": {
          "file": "atlthunk.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc65620000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:57,443",
        "eid": 269,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:57,443",
        "eid": 270,
        "data": {
          "file": "comctl32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc61e00000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:57,443",
        "eid": 271,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,443",
        "eid": 272,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\Sorting\\Ids\\en-AU",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,443",
        "eid": 273,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\Sorting\\Ids\\en",
          "content": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:57,443",
        "eid": 274,
        "data": {
          "file": "api-ms-win-eventing-provider-l1-1-0.dll",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:57,443",
        "eid": 275,
        "data": {
          "file": "api-ms-win-core-synch-l1-2-0.dll",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,459",
        "eid": 276,
        "data": {
          "regkey": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Themes\\Personalize\\AppsUseLightTheme",
          "content": "1"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:57,459",
        "eid": 277,
        "data": {
          "file": "comctl32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc61e00000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:57,459",
        "eid": 278,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:57,459",
        "eid": 279,
        "data": {
          "file": "ntdll.dll",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,459",
        "eid": 280,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes\\Segoe UI",
          "content": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:57,459",
        "eid": 281,
        "data": {
          "file": "comctl32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc61e00000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:57,459",
        "eid": 282,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:57,459",
        "eid": 283,
        "data": {
          "file": "ntdll.dll",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,459",
        "eid": 284,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\\Name",
          "content": "ProgramFilesX86"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,459",
        "eid": 285,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\\ParentFolder",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,459",
        "eid": 286,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\\Description",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,459",
        "eid": 287,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\\RelativePath",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,459",
        "eid": 288,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\\ParsingName",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,459",
        "eid": 289,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\\InfoTip",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,459",
        "eid": 290,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\\LocalizedName",
          "content": "@%SystemRoot%\\system32\\shell32.dll,-21817"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,459",
        "eid": 291,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\\Icon",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,459",
        "eid": 292,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\\Security",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,459",
        "eid": 293,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\\StreamResourceType",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,459",
        "eid": 294,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\\LocalRedirectOnly",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,459",
        "eid": 295,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\\Roamable",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,459",
        "eid": 296,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\\PreCreate",
          "content": "1"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,459",
        "eid": 297,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\\Stream",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,459",
        "eid": 298,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\\PublishExpandedPath",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,459",
        "eid": 299,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\\DefinitionFlags",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,459",
        "eid": 300,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\\Attributes",
          "content": "1"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,459",
        "eid": 301,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\\FolderTypeID",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,459",
        "eid": 302,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\\InitFolderHandler",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,459",
        "eid": 303,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\ProgramFilesDir (x86)",
          "content": "C:\\Program Files (x86)"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,459",
        "eid": 304,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{6D809377-6AF0-444b-8957-A3773F02200E}\\Category",
          "content": "2"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,459",
        "eid": 305,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{6D809377-6AF0-444b-8957-A3773F02200E}\\Name",
          "content": "ProgramFilesX64"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,459",
        "eid": 306,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{6D809377-6AF0-444b-8957-A3773F02200E}\\ParentFolder",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,459",
        "eid": 307,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{6D809377-6AF0-444b-8957-A3773F02200E}\\Description",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,459",
        "eid": 308,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{6D809377-6AF0-444b-8957-A3773F02200E}\\RelativePath",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,459",
        "eid": 309,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{6D809377-6AF0-444b-8957-A3773F02200E}\\ParsingName",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,459",
        "eid": 310,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{6D809377-6AF0-444b-8957-A3773F02200E}\\InfoTip",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,459",
        "eid": 311,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{6D809377-6AF0-444b-8957-A3773F02200E}\\LocalizedName",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,459",
        "eid": 312,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{6D809377-6AF0-444b-8957-A3773F02200E}\\Icon",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,459",
        "eid": 313,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{6D809377-6AF0-444b-8957-A3773F02200E}\\Security",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,459",
        "eid": 314,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{6D809377-6AF0-444b-8957-A3773F02200E}\\StreamResource",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,459",
        "eid": 315,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{6D809377-6AF0-444b-8957-A3773F02200E}\\StreamResourceType",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,459",
        "eid": 316,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{6D809377-6AF0-444b-8957-A3773F02200E}\\LocalRedirectOnly",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,459",
        "eid": 317,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{6D809377-6AF0-444b-8957-A3773F02200E}\\Roamable",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,459",
        "eid": 318,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{6D809377-6AF0-444b-8957-A3773F02200E}\\PreCreate",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,459",
        "eid": 319,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{6D809377-6AF0-444b-8957-A3773F02200E}\\Stream",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,459",
        "eid": 320,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{6D809377-6AF0-444b-8957-A3773F02200E}\\PublishExpandedPath",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,459",
        "eid": 321,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{6D809377-6AF0-444b-8957-A3773F02200E}\\DefinitionFlags",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,459",
        "eid": 322,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{6D809377-6AF0-444b-8957-A3773F02200E}\\Attributes",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,459",
        "eid": 323,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{6D809377-6AF0-444b-8957-A3773F02200E}\\FolderTypeID",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,459",
        "eid": 324,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{6D809377-6AF0-444b-8957-A3773F02200E}\\InitFolderHandler",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,459",
        "eid": 325,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\ProgramFilesDir",
          "content": "C:\\Program Files"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,459",
        "eid": 326,
        "data": {
          "regkey": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\EnableBalloonTips",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,459",
        "eid": 327,
        "data": {
          "regkey": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\ListviewAlphaSelect",
          "content": "1"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,459",
        "eid": 328,
        "data": {
          "regkey": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\ListviewShadow",
          "content": "1"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,459",
        "eid": 329,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\\Category",
          "content": "2"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,459",
        "eid": 330,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\\ParentFolder",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,459",
        "eid": 331,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\\Description",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,459",
        "eid": 332,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\\RelativePath",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,459",
        "eid": 333,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\\ParsingName",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,459",
        "eid": 334,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\\InfoTip",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,459",
        "eid": 335,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\\LocalizedName",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,459",
        "eid": 336,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\\Icon",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,459",
        "eid": 337,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\\Security",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,459",
        "eid": 338,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\\StreamResource",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,459",
        "eid": 339,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\\StreamResourceType",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,459",
        "eid": 340,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\\LocalRedirectOnly",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,459",
        "eid": 341,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\\Roamable",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,459",
        "eid": 342,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\\PreCreate",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,459",
        "eid": 343,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\\Stream",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,459",
        "eid": 344,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\\PublishExpandedPath",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,459",
        "eid": 345,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\\DefinitionFlags",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,459",
        "eid": 346,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\\Attributes",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,459",
        "eid": 347,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\\FolderTypeID",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,459",
        "eid": 348,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\\InitFolderHandler",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,459",
        "eid": 349,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{26460E96-1D01-43E4-9FB8-B7ED958F362B}\\ProxyStubClsid32\\(Default)",
          "content": "{71A5EC7F-F325-4376-9D94-622C372E256F}"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,459",
        "eid": 350,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\\Category",
          "content": "2"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,459",
        "eid": 351,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\\Name",
          "content": "System"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,459",
        "eid": 352,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\\ParentFolder",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,459",
        "eid": 353,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\\Description",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,459",
        "eid": 354,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\\RelativePath",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,459",
        "eid": 355,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\\ParsingName",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,459",
        "eid": 356,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\\InfoTip",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,459",
        "eid": 357,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\\LocalizedName",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,459",
        "eid": 358,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\\Icon",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,459",
        "eid": 359,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\\Security",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,459",
        "eid": 360,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\\StreamResource",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,459",
        "eid": 361,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\\StreamResourceType",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,459",
        "eid": 362,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\\LocalRedirectOnly",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,459",
        "eid": 363,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\\Roamable",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,459",
        "eid": 364,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\\PreCreate",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,459",
        "eid": 365,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\\Stream",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,459",
        "eid": 366,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\\PublishExpandedPath",
          "content": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:57,459",
        "eid": 367,
        "data": {
          "file": "comctl32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc61e00000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:57,459",
        "eid": 368,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,459",
        "eid": 369,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\\Attributes",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,459",
        "eid": 370,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\\FolderTypeID",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,459",
        "eid": 371,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\\InitFolderHandler",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,475",
        "eid": 372,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes\\Segoe UI",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,475",
        "eid": 373,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes\\Segoe UI",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,475",
        "eid": 374,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes\\Segoe UI",
          "content": null
        }
      },
      {
        "event": "findwindow",
        "object": "windowname",
        "timestamp": "2026-05-28 22:01:57,475",
        "eid": 375,
        "data": {
          "classname": "Shell_TrayWnd",
          "windowname": ""
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,475",
        "eid": 376,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes\\Segoe UI",
          "content": null
        }
      },
      {
        "event": "findwindow",
        "object": "windowname",
        "timestamp": "2026-05-28 22:01:57,475",
        "eid": 377,
        "data": {
          "classname": "Shell_TrayWnd",
          "windowname": ""
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:57,475",
        "eid": 378,
        "data": {
          "file": "ntdll.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc77fd0000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:57,475",
        "eid": 379,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "findwindow",
        "object": "windowname",
        "timestamp": "2026-05-28 22:01:57,475",
        "eid": 380,
        "data": {
          "classname": "Shell_TrayWnd",
          "windowname": ""
        }
      },
      {
        "event": "findwindow",
        "object": "windowname",
        "timestamp": "2026-05-28 22:01:57,490",
        "eid": 381,
        "data": {
          "classname": "Shell_TrayWnd",
          "windowname": ""
        }
      },
      {
        "event": "findwindow",
        "object": "windowname",
        "timestamp": "2026-05-28 22:01:57,490",
        "eid": 382,
        "data": {
          "classname": "Shell_TrayWnd",
          "windowname": ""
        }
      },
      {
        "event": "findwindow",
        "object": "windowname",
        "timestamp": "2026-05-28 22:01:57,490",
        "eid": 383,
        "data": {
          "classname": "Shell_TrayWnd",
          "windowname": ""
        }
      },
      {
        "event": "findwindow",
        "object": "windowname",
        "timestamp": "2026-05-28 22:01:57,506",
        "eid": 384,
        "data": {
          "classname": "Shell_TrayWnd",
          "windowname": ""
        }
      },
      {
        "event": "findwindow",
        "object": "windowname",
        "timestamp": "2026-05-28 22:01:57,506",
        "eid": 385,
        "data": {
          "classname": "Shell_TrayWnd",
          "windowname": ""
        }
      },
      {
        "event": "findwindow",
        "object": "windowname",
        "timestamp": "2026-05-28 22:01:57,506",
        "eid": 386,
        "data": {
          "classname": "Shell_TrayWnd",
          "windowname": ""
        }
      },
      {
        "event": "findwindow",
        "object": "windowname",
        "timestamp": "2026-05-28 22:01:57,506",
        "eid": 387,
        "data": {
          "classname": "Shell_TrayWnd",
          "windowname": ""
        }
      },
      {
        "event": "read",
        "object": "file",
        "timestamp": "2026-05-28 22:01:57,521",
        "eid": 388,
        "data": {
          "file": "C:\\Windows\\System32\\WDI\\LogFiles\\StartupInfo\\S-1-5-21-3968686040-3210279463-847977608-1001_StartupInfo5.xml"
        }
      },
      {
        "event": "read",
        "object": "file",
        "timestamp": "2026-05-28 22:01:57,521",
        "eid": 389,
        "data": {
          "file": "C:\\Windows\\System32\\WDI\\LogFiles\\StartupInfo\\S-1-5-21-3968686040-3210279463-847977608-1001_StartupInfo5.xml"
        }
      },
      {
        "event": "findwindow",
        "object": "windowname",
        "timestamp": "2026-05-28 22:01:57,521",
        "eid": 390,
        "data": {
          "classname": "Shell_TrayWnd",
          "windowname": ""
        }
      },
      {
        "event": "read",
        "object": "file",
        "timestamp": "2026-05-28 22:01:57,521",
        "eid": 391,
        "data": {
          "file": "C:\\Windows\\System32\\WDI\\LogFiles\\StartupInfo\\S-1-5-21-3968686040-3210279463-847977608-1001_StartupInfo5.xml"
        }
      },
      {
        "event": "read",
        "object": "file",
        "timestamp": "2026-05-28 22:01:57,521",
        "eid": 392,
        "data": {
          "file": "C:\\Windows\\System32\\WDI\\LogFiles\\StartupInfo\\S-1-5-21-3968686040-3210279463-847977608-1001_StartupInfo5.xml"
        }
      },
      {
        "event": "read",
        "object": "file",
        "timestamp": "2026-05-28 22:01:57,521",
        "eid": 393,
        "data": {
          "file": "C:\\Windows\\System32\\WDI\\LogFiles\\StartupInfo\\S-1-5-21-3968686040-3210279463-847977608-1001_StartupInfo5.xml"
        }
      },
      {
        "event": "read",
        "object": "file",
        "timestamp": "2026-05-28 22:01:57,521",
        "eid": 394,
        "data": {
          "file": "C:\\Windows\\System32\\WDI\\LogFiles\\StartupInfo\\S-1-5-21-3968686040-3210279463-847977608-1001_StartupInfo5.xml"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,521",
        "eid": 395,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{905e63b6-c1bf-494e-b29c-65b732d3d21a}\\Category",
          "content": "2"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,521",
        "eid": 396,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{905e63b6-c1bf-494e-b29c-65b732d3d21a}\\Name",
          "content": "ProgramFiles"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,521",
        "eid": 397,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{905e63b6-c1bf-494e-b29c-65b732d3d21a}\\ParentFolder",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,521",
        "eid": 398,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{905e63b6-c1bf-494e-b29c-65b732d3d21a}\\Description",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,521",
        "eid": 399,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{905e63b6-c1bf-494e-b29c-65b732d3d21a}\\RelativePath",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,521",
        "eid": 400,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{905e63b6-c1bf-494e-b29c-65b732d3d21a}\\ParsingName",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,521",
        "eid": 401,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{905e63b6-c1bf-494e-b29c-65b732d3d21a}\\InfoTip",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,521",
        "eid": 402,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{905e63b6-c1bf-494e-b29c-65b732d3d21a}\\LocalizedName",
          "content": "@%SystemRoot%\\system32\\shell32.dll,-21781"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,521",
        "eid": 403,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{905e63b6-c1bf-494e-b29c-65b732d3d21a}\\Icon",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,521",
        "eid": 404,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{905e63b6-c1bf-494e-b29c-65b732d3d21a}\\Security",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,521",
        "eid": 405,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{905e63b6-c1bf-494e-b29c-65b732d3d21a}\\StreamResource",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,521",
        "eid": 406,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{905e63b6-c1bf-494e-b29c-65b732d3d21a}\\StreamResourceType",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,521",
        "eid": 407,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{905e63b6-c1bf-494e-b29c-65b732d3d21a}\\LocalRedirectOnly",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,521",
        "eid": 408,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{905e63b6-c1bf-494e-b29c-65b732d3d21a}\\Roamable",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,521",
        "eid": 409,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{905e63b6-c1bf-494e-b29c-65b732d3d21a}\\PreCreate",
          "content": "1"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,521",
        "eid": 410,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{905e63b6-c1bf-494e-b29c-65b732d3d21a}\\Stream",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,521",
        "eid": 411,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{905e63b6-c1bf-494e-b29c-65b732d3d21a}\\PublishExpandedPath",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,521",
        "eid": 412,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{905e63b6-c1bf-494e-b29c-65b732d3d21a}\\DefinitionFlags",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,521",
        "eid": 413,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{905e63b6-c1bf-494e-b29c-65b732d3d21a}\\Attributes",
          "content": "1"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,521",
        "eid": 414,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{905e63b6-c1bf-494e-b29c-65b732d3d21a}\\FolderTypeID",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,521",
        "eid": 415,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{905e63b6-c1bf-494e-b29c-65b732d3d21a}\\InitFolderHandler",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,521",
        "eid": 416,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\ProgramFilesDir",
          "content": "C:\\Program Files"
        }
      },
      {
        "event": "read",
        "object": "file",
        "timestamp": "2026-05-28 22:01:57,521",
        "eid": 417,
        "data": {
          "file": "C:\\Windows\\System32\\WDI\\LogFiles\\StartupInfo\\S-1-5-21-3968686040-3210279463-847977608-1001_StartupInfo5.xml"
        }
      },
      {
        "event": "read",
        "object": "file",
        "timestamp": "2026-05-28 22:01:57,521",
        "eid": 418,
        "data": {
          "file": "C:\\Windows\\System32\\WDI\\LogFiles\\StartupInfo\\S-1-5-21-3968686040-3210279463-847977608-1001_StartupInfo5.xml"
        }
      },
      {
        "event": "read",
        "object": "file",
        "timestamp": "2026-05-28 22:01:57,521",
        "eid": 419,
        "data": {
          "file": "C:\\Windows\\System32\\WDI\\LogFiles\\StartupInfo\\S-1-5-21-3968686040-3210279463-847977608-1001_StartupInfo5.xml"
        }
      },
      {
        "event": "read",
        "object": "file",
        "timestamp": "2026-05-28 22:01:57,521",
        "eid": 420,
        "data": {
          "file": "C:\\Windows\\System32\\WDI\\LogFiles\\StartupInfo\\S-1-5-21-3968686040-3210279463-847977608-1001_StartupInfo5.xml"
        }
      },
      {
        "event": "read",
        "object": "file",
        "timestamp": "2026-05-28 22:01:57,521",
        "eid": 421,
        "data": {
          "file": "C:\\Windows\\System32\\WDI\\LogFiles\\StartupInfo\\S-1-5-21-3968686040-3210279463-847977608-1001_StartupInfo5.xml"
        }
      },
      {
        "event": "read",
        "object": "file",
        "timestamp": "2026-05-28 22:01:57,521",
        "eid": 422,
        "data": {
          "file": "C:\\Windows\\System32\\WDI\\LogFiles\\StartupInfo\\S-1-5-21-3968686040-3210279463-847977608-1001_StartupInfo5.xml"
        }
      },
      {
        "event": "read",
        "object": "file",
        "timestamp": "2026-05-28 22:01:57,521",
        "eid": 423,
        "data": {
          "file": "C:\\Windows\\System32\\WDI\\LogFiles\\StartupInfo\\S-1-5-21-3968686040-3210279463-847977608-1001_StartupInfo5.xml"
        }
      },
      {
        "event": "read",
        "object": "file",
        "timestamp": "2026-05-28 22:01:57,521",
        "eid": 424,
        "data": {
          "file": "C:\\Windows\\System32\\WDI\\LogFiles\\StartupInfo\\S-1-5-21-3968686040-3210279463-847977608-1001_StartupInfo5.xml"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,537",
        "eid": 425,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{5FDD51E2-A9D0-44CE-8C8D-162BA0C591A0}\\InprocServer32\\(Default)",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,537",
        "eid": 426,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{5FDD51E2-A9D0-44CE-8C8D-162BA0C591A0}\\InprocServer32\\(Default)",
          "content": "C:\\Windows\\System32\\WindowsCodecsRaw.dll"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,553",
        "eid": 427,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{5FDD51E2-A9D0-44CE-8C8D-162BA0C591A0}\\Patterns\\7\\Pattern",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,553",
        "eid": 428,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{5FDD51E2-A9D0-44CE-8C8D-162BA0C591A0}\\Patterns\\8\\Pattern",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "file",
        "timestamp": "2026-05-28 22:01:57,553",
        "eid": 429,
        "data": {
          "file": "C:\\Windows\\System32\\WDI\\LogFiles\\StartupInfo\\S-1-5-21-3968686040-3210279463-847977608-1001_StartupInfo5.xml"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,553",
        "eid": 430,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{5FDD51E2-A9D0-44CE-8C8D-162BA0C591A0}\\Patterns\\0\\Position",
          "content": "0"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,553",
        "eid": 431,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{5FDD51E2-A9D0-44CE-8C8D-162BA0C591A0}\\Patterns\\0\\EndOfStream",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "file",
        "timestamp": "2026-05-28 22:01:57,553",
        "eid": 432,
        "data": {
          "file": "C:\\Windows\\System32\\WDI\\LogFiles\\StartupInfo\\S-1-5-21-3968686040-3210279463-847977608-1001_StartupInfo5.xml"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,553",
        "eid": 433,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{5FDD51E2-A9D0-44CE-8C8D-162BA0C591A0}\\Patterns\\0\\Mask",
          "content": "\\xff\\xff\\xff\\xff"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,553",
        "eid": 434,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{5FDD51E2-A9D0-44CE-8C8D-162BA0C591A0}\\Patterns\\1\\Position",
          "content": "0"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,553",
        "eid": 435,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{5FDD51E2-A9D0-44CE-8C8D-162BA0C591A0}\\Patterns\\1\\Mask",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,553",
        "eid": 436,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{5FDD51E2-A9D0-44CE-8C8D-162BA0C591A0}\\Patterns\\1\\Mask",
          "content": "\\xff\\xff\\xff\\xff"
        }
      },
      {
        "event": "read",
        "object": "file",
        "timestamp": "2026-05-28 22:01:57,553",
        "eid": 437,
        "data": {
          "file": "C:\\Windows\\System32\\WDI\\LogFiles\\StartupInfo\\S-1-5-21-3968686040-3210279463-847977608-1001_StartupInfo5.xml"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,553",
        "eid": 438,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{5FDD51E2-A9D0-44CE-8C8D-162BA0C591A0}\\Patterns\\10\\Position",
          "content": "8"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,553",
        "eid": 439,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{5FDD51E2-A9D0-44CE-8C8D-162BA0C591A0}\\Patterns\\10\\EndOfStream",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,553",
        "eid": 440,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{5FDD51E2-A9D0-44CE-8C8D-162BA0C591A0}\\Patterns\\10\\Pattern",
          "content": "MMMMRaw\\x00"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,553",
        "eid": 441,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{5FDD51E2-A9D0-44CE-8C8D-162BA0C591A0}\\Patterns\\10\\Mask",
          "content": null
        }
      },
      {
        "event": "write",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,553",
        "eid": 442,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\StartupApproved"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,553",
        "eid": 443,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{5FDD51E2-A9D0-44CE-8C8D-162BA0C591A0}\\Patterns\\10\\Mask",
          "content": "\\xff\\xff\\xff\\xff\\x00\\xff\\xff\\xff"
        }
      },
      {
        "event": "write",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,553",
        "eid": 444,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\StartupApproved\\Run"
        }
      },
      {
        "event": "write",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,553",
        "eid": 445,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\StartupApproved\\Run32"
        }
      },
      {
        "event": "write",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,553",
        "eid": 446,
        "data": {
          "regkey": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\StartupApproved\\Run"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,553",
        "eid": 447,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{5FDD51E2-A9D0-44CE-8C8D-162BA0C591A0}\\Patterns\\11\\Position",
          "content": "0"
        }
      },
      {
        "event": "write",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,553",
        "eid": 448,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\StartupApproved\\StartupFolder"
        }
      },
      {
        "event": "write",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,553",
        "eid": 449,
        "data": {
          "regkey": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\StartupApproved"
        }
      },
      {
        "event": "write",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,553",
        "eid": 450,
        "data": {
          "regkey": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\StartupApproved\\StartupFolder"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,553",
        "eid": 451,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{5FDD51E2-A9D0-44CE-8C8D-162BA0C591A0}\\Patterns\\12\\Position",
          "content": "0"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,553",
        "eid": 452,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{5FDD51E2-A9D0-44CE-8C8D-162BA0C591A0}\\Patterns\\12\\EndOfStream",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,553",
        "eid": 453,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{5FDD51E2-A9D0-44CE-8C8D-162BA0C591A0}\\Patterns\\12\\Pattern",
          "content": "IIU\\x00\\x18\\x00\\x00\\x00"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,553",
        "eid": 454,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{5FDD51E2-A9D0-44CE-8C8D-162BA0C591A0}\\Patterns\\12\\Mask",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,553",
        "eid": 455,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B97D20BB-F46A-4C97-BA10-5E3608430854}\\Category",
          "content": "4"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,553",
        "eid": 456,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B97D20BB-F46A-4C97-BA10-5E3608430854}\\Name",
          "content": "Startup"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,553",
        "eid": 457,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B97D20BB-F46A-4C97-BA10-5E3608430854}\\ParentFolder",
          "content": "{A77F5D77-2E2B-44C3-A6A2-ABA601054A51}"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,553",
        "eid": 458,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B97D20BB-F46A-4C97-BA10-5E3608430854}\\Description",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,553",
        "eid": 459,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B97D20BB-F46A-4C97-BA10-5E3608430854}\\RelativePath",
          "content": "StartUp"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,553",
        "eid": 460,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B97D20BB-F46A-4C97-BA10-5E3608430854}\\ParsingName",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,553",
        "eid": 461,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B97D20BB-F46A-4C97-BA10-5E3608430854}\\InfoTip",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,553",
        "eid": 462,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{5FDD51E2-A9D0-44CE-8C8D-162BA0C591A0}\\Patterns\\2\\Position",
          "content": "0"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,553",
        "eid": 463,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B97D20BB-F46A-4C97-BA10-5E3608430854}\\LocalizedName",
          "content": "@%SystemRoot%\\system32\\shell32.dll,-21787"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,553",
        "eid": 464,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{5FDD51E2-A9D0-44CE-8C8D-162BA0C591A0}\\Patterns\\2\\EndOfStream",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,553",
        "eid": 465,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B97D20BB-F46A-4C97-BA10-5E3608430854}\\StreamResource",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,553",
        "eid": 466,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B97D20BB-F46A-4C97-BA10-5E3608430854}\\StreamResourceType",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,553",
        "eid": 467,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B97D20BB-F46A-4C97-BA10-5E3608430854}\\LocalRedirectOnly",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,553",
        "eid": 468,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B97D20BB-F46A-4C97-BA10-5E3608430854}\\Roamable",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,553",
        "eid": 469,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{5FDD51E2-A9D0-44CE-8C8D-162BA0C591A0}\\Patterns\\2\\Mask",
          "content": "\\xff\\xff\\xff\\xff"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,553",
        "eid": 470,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B97D20BB-F46A-4C97-BA10-5E3608430854}\\PreCreate",
          "content": "1"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,553",
        "eid": 471,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B97D20BB-F46A-4C97-BA10-5E3608430854}\\Stream",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,553",
        "eid": 472,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B97D20BB-F46A-4C97-BA10-5E3608430854}\\PublishExpandedPath",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,553",
        "eid": 473,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B97D20BB-F46A-4C97-BA10-5E3608430854}\\DefinitionFlags",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,553",
        "eid": 474,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B97D20BB-F46A-4C97-BA10-5E3608430854}\\Attributes",
          "content": "1"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,553",
        "eid": 475,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B97D20BB-F46A-4C97-BA10-5E3608430854}\\FolderTypeID",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,553",
        "eid": 476,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B97D20BB-F46A-4C97-BA10-5E3608430854}\\InitFolderHandler",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,553",
        "eid": 477,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{5FDD51E2-A9D0-44CE-8C8D-162BA0C591A0}\\Patterns\\3\\Mask",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,553",
        "eid": 478,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{5FDD51E2-A9D0-44CE-8C8D-162BA0C591A0}\\Patterns\\3\\Mask",
          "content": "\\xff\\xff\\xff\\xff"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,553",
        "eid": 479,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{5FDD51E2-A9D0-44CE-8C8D-162BA0C591A0}\\Patterns\\4\\Position",
          "content": "0"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,553",
        "eid": 480,
        "data": {
          "regkey": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders\\Startup",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,553",
        "eid": 481,
        "data": {
          "regkey": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders\\Startup",
          "content": "%USERPROFILE%\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,553",
        "eid": 482,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{5FDD51E2-A9D0-44CE-8C8D-162BA0C591A0}\\Patterns\\4\\Mask",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,553",
        "eid": 483,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{5FDD51E2-A9D0-44CE-8C8D-162BA0C591A0}\\Patterns\\5\\Mask",
          "content": "\\xff\\xff\\xff\\xff"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,553",
        "eid": 484,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{82A5EA35-D9CD-47C5-9629-E15D2F714E6E}\\Name",
          "content": "Common Startup"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,553",
        "eid": 485,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{5FDD51E2-A9D0-44CE-8C8D-162BA0C591A0}\\Patterns\\6\\Position",
          "content": "0"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,553",
        "eid": 486,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{82A5EA35-D9CD-47C5-9629-E15D2F714E6E}\\ParentFolder",
          "content": "{0139D44E-6AFE-49F2-8690-3DAFCAE6FFB8}"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,553",
        "eid": 487,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{5FDD51E2-A9D0-44CE-8C8D-162BA0C591A0}\\Patterns\\6\\EndOfStream",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,553",
        "eid": 488,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{82A5EA35-D9CD-47C5-9629-E15D2F714E6E}\\RelativePath",
          "content": "StartUp"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,553",
        "eid": 489,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{82A5EA35-D9CD-47C5-9629-E15D2F714E6E}\\ParsingName",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,553",
        "eid": 490,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{82A5EA35-D9CD-47C5-9629-E15D2F714E6E}\\InfoTip",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,553",
        "eid": 491,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{82A5EA35-D9CD-47C5-9629-E15D2F714E6E}\\LocalizedName",
          "content": "@%SystemRoot%\\system32\\shell32.dll,-21787"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,553",
        "eid": 492,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{82A5EA35-D9CD-47C5-9629-E15D2F714E6E}\\Icon",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,553",
        "eid": 493,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{82A5EA35-D9CD-47C5-9629-E15D2F714E6E}\\Security",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,553",
        "eid": 494,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{82A5EA35-D9CD-47C5-9629-E15D2F714E6E}\\Roamable",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,553",
        "eid": 495,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{82A5EA35-D9CD-47C5-9629-E15D2F714E6E}\\Stream",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,553",
        "eid": 496,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{82A5EA35-D9CD-47C5-9629-E15D2F714E6E}\\PublishExpandedPath",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,553",
        "eid": 497,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{82A5EA35-D9CD-47C5-9629-E15D2F714E6E}\\DefinitionFlags",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,553",
        "eid": 498,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{82A5EA35-D9CD-47C5-9629-E15D2F714E6E}\\Attributes",
          "content": "1"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,553",
        "eid": 499,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{5FDD51E2-A9D0-44CE-8C8D-162BA0C591A0}\\Patterns\\7\\Pattern",
          "content": "FUJIFILM"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,553",
        "eid": 500,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{82A5EA35-D9CD-47C5-9629-E15D2F714E6E}\\FolderTypeID",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,553",
        "eid": 501,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{5FDD51E2-A9D0-44CE-8C8D-162BA0C591A0}\\Patterns\\7\\Mask",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,553",
        "eid": 502,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders\\Common Startup",
          "content": "%ProgramData%\\Microsoft\\Windows\\Start Menu\\Programs\\Startup"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,553",
        "eid": 503,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{5FDD51E2-A9D0-44CE-8C8D-162BA0C591A0}\\Patterns\\8\\Position",
          "content": "0"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,553",
        "eid": 504,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\SecurityHealth",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,553",
        "eid": 505,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\SecurityHealth",
          "content": "%windir%\\system32\\SecurityHealthSystray.exe"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,553",
        "eid": 506,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{5FDD51E2-A9D0-44CE-8C8D-162BA0C591A0}\\Patterns\\9\\Pattern",
          "content": "IIII\\x00waR"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,553",
        "eid": 507,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{5FDD51E2-A9D0-44CE-8C8D-162BA0C591A0}\\Patterns\\9\\Mask",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,553",
        "eid": 508,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{5FDD51E2-A9D0-44CE-8C8D-162BA0C591A0}\\Patterns\\9\\Mask",
          "content": "\\xff\\xff\\xff\\xff\\x00\\xff\\xff\\xff"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:57,553",
        "eid": 509,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:57,568",
        "eid": 510,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:57,568",
        "eid": 511,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:57,568",
        "eid": 512,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,568",
        "eid": 513,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Max Cached Icons",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,568",
        "eid": 514,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\SideBySide\\PreferExternalManifest",
          "content": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:57,568",
        "eid": 515,
        "data": {
          "file": "comctl32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc61e00000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:57,568",
        "eid": 516,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:57,568",
        "eid": 517,
        "data": {
          "file": "comctl32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc61e00000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:57,568",
        "eid": 518,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:57,568",
        "eid": 519,
        "data": {
          "file": "C:\\Windows\\System32\\Windows.UI.Immersive.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc69be0000"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,568",
        "eid": 520,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F1B32785-6FBA-4FCF-9D55-7B8E7F157091}\\Category",
          "content": "4"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,568",
        "eid": 521,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F1B32785-6FBA-4FCF-9D55-7B8E7F157091}\\Name",
          "content": "Local AppData"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,568",
        "eid": 522,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F1B32785-6FBA-4FCF-9D55-7B8E7F157091}\\ParentFolder",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,568",
        "eid": 523,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F1B32785-6FBA-4FCF-9D55-7B8E7F157091}\\Description",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,568",
        "eid": 524,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F1B32785-6FBA-4FCF-9D55-7B8E7F157091}\\RelativePath",
          "content": "AppData\\Local"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,568",
        "eid": 525,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F1B32785-6FBA-4FCF-9D55-7B8E7F157091}\\ParsingName",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,568",
        "eid": 526,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F1B32785-6FBA-4FCF-9D55-7B8E7F157091}\\InfoTip",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,568",
        "eid": 527,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F1B32785-6FBA-4FCF-9D55-7B8E7F157091}\\LocalizedName",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,568",
        "eid": 528,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F1B32785-6FBA-4FCF-9D55-7B8E7F157091}\\Security",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,568",
        "eid": 529,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F1B32785-6FBA-4FCF-9D55-7B8E7F157091}\\StreamResource",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,568",
        "eid": 530,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F1B32785-6FBA-4FCF-9D55-7B8E7F157091}\\StreamResourceType",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,568",
        "eid": 531,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F1B32785-6FBA-4FCF-9D55-7B8E7F157091}\\LocalRedirectOnly",
          "content": "1"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,568",
        "eid": 532,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F1B32785-6FBA-4FCF-9D55-7B8E7F157091}\\Roamable",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,568",
        "eid": 533,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F1B32785-6FBA-4FCF-9D55-7B8E7F157091}\\PreCreate",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,568",
        "eid": 534,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F1B32785-6FBA-4FCF-9D55-7B8E7F157091}\\Stream",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,568",
        "eid": 535,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F1B32785-6FBA-4FCF-9D55-7B8E7F157091}\\PublishExpandedPath",
          "content": "1"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,568",
        "eid": 536,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F1B32785-6FBA-4FCF-9D55-7B8E7F157091}\\DefinitionFlags",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,568",
        "eid": 537,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F1B32785-6FBA-4FCF-9D55-7B8E7F157091}\\Attributes",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,568",
        "eid": 538,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F1B32785-6FBA-4FCF-9D55-7B8E7F157091}\\FolderTypeID",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,568",
        "eid": 539,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F1B32785-6FBA-4FCF-9D55-7B8E7F157091}\\InitFolderHandler",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,568",
        "eid": 540,
        "data": {
          "regkey": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders\\Local AppData",
          "content": "%USERPROFILE%\\AppData\\Local"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,568",
        "eid": 541,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\\Category",
          "content": "2"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,568",
        "eid": 542,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\\Name",
          "content": "Profile"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,568",
        "eid": 543,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\\ParentFolder",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,568",
        "eid": 544,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\\Description",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,568",
        "eid": 545,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\\RelativePath",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,568",
        "eid": 546,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\\ParsingName",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,568",
        "eid": 547,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\\InfoTip",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,568",
        "eid": 548,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\\LocalizedName",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,568",
        "eid": 549,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\\Icon",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,568",
        "eid": 550,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\\Security",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,568",
        "eid": 551,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\\StreamResource",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,568",
        "eid": 552,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\\StreamResourceType",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,568",
        "eid": 553,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\\LocalRedirectOnly",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,568",
        "eid": 554,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\\Roamable",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,568",
        "eid": 555,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\\PreCreate",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,568",
        "eid": 556,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\\Stream",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,568",
        "eid": 557,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\\PublishExpandedPath",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,568",
        "eid": 558,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\\DefinitionFlags",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,568",
        "eid": 559,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\\Attributes",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,568",
        "eid": 560,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\\FolderTypeID",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,568",
        "eid": 561,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\\InitFolderHandler",
          "content": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:57,584",
        "eid": 562,
        "data": {
          "file": "advapi32.dll",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,584",
        "eid": 563,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList\\S-1-5-21-3968686040-3210279463-847977608-1001\\ProfileImagePath",
          "content": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:57,584",
        "eid": 564,
        "data": {
          "file": "USER32.DLL",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,584",
        "eid": 565,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList\\S-1-5-21-3968686040-3210279463-847977608-1001\\ProfileImagePath",
          "content": "C:\\Users\\admin"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:57,584",
        "eid": 566,
        "data": {
          "file": "api-ms-win-core-memory-l1-1-2.DLL",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:57,584",
        "eid": 567,
        "data": {
          "file": "NTDLL.DLL",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "create",
        "object": "dir",
        "timestamp": "2026-05-28 22:01:57,584",
        "eid": 568,
        "data": {
          "file": "C:\\Users\\admin"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:57,584",
        "eid": 569,
        "data": {
          "file": "OLEAUT32.DLL",
          "pathtofile": null,
          "moduleaddress": "0x7ffc77330000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:57,584",
        "eid": 570,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "create",
        "object": "dir",
        "timestamp": "2026-05-28 22:01:57,584",
        "eid": 571,
        "data": {
          "file": "C:\\Users\\admin\\AppData\\Local"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,584",
        "eid": 572,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{618736E0-3C3D-11CF-810C-00AA00389B71}\\ProxyStubClsid32\\(Default)",
          "content": "{03022430-ABC4-11D0-BDE2-00AA001A1953}"
        }
      },
      {
        "event": "read",
        "object": "file",
        "timestamp": "2026-05-28 22:01:57,584",
        "eid": 573,
        "data": {
          "file": "C:\\Users\\admin\\AppData\\Local\\IconCache.db"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,600",
        "eid": 574,
        "data": {
          "regkey": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\AccListViewV6",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,600",
        "eid": 575,
        "data": {
          "regkey": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\UseDoubleClickTimer",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,600",
        "eid": 576,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes\\Segoe UI",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,600",
        "eid": 577,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes\\Segoe UI",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,600",
        "eid": 578,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes\\Segoe UI",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,600",
        "eid": 579,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes\\Segoe UI",
          "content": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:57,600",
        "eid": 580,
        "data": {
          "file": "comctl32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc61e00000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:57,600",
        "eid": 581,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,600",
        "eid": 582,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes\\Segoe UI",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,600",
        "eid": 583,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\SideBySide\\PreferExternalManifest",
          "content": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:57,600",
        "eid": 584,
        "data": {
          "file": "comctl32",
          "pathtofile": null,
          "moduleaddress": "0x7ffc61e00000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:57,600",
        "eid": 585,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:57,615",
        "eid": 586,
        "data": {
          "file": "Comctl32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc61e00000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:57,615",
        "eid": 587,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,615",
        "eid": 588,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes\\Segoe UI",
          "content": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:57,615",
        "eid": 589,
        "data": {
          "file": "C:\\Windows\\System32\\actxprxy.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc6edf0000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:57,615",
        "eid": 590,
        "data": {
          "file": "ntdll.dll",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,615",
        "eid": 591,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{D782CCBA-AFB0-43F1-94DB-FDA3779EACCB}\\ProxyStubClsid32\\(Default)",
          "content": "{C90250F3-4D7D-4991-9B69-A5C5BC1C2AE6}"
        }
      },
      {
        "event": "read",
        "object": "file",
        "timestamp": "2026-05-28 22:01:57,631",
        "eid": 592,
        "data": {
          "file": "C:\\Users\\admin\\AppData\\Local\\IconCache.db"
        }
      },
      {
        "event": "read",
        "object": "file",
        "timestamp": "2026-05-28 22:01:57,646",
        "eid": 593,
        "data": {
          "file": "C:\\Users\\admin\\AppData\\Local\\IconCache.db"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,646",
        "eid": 594,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\UseDefaultTile",
          "content": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:57,646",
        "eid": 595,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:57,662",
        "eid": 596,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:57,662",
        "eid": 597,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,662",
        "eid": 598,
        "data": {
          "regkey": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\GlobalAssocChangedCounter",
          "content": "5"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:57,662",
        "eid": 599,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:57,662",
        "eid": 600,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:57,662",
        "eid": 601,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:57,662",
        "eid": 602,
        "data": {
          "file": "C:\\Windows\\System32\\thumbcache.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc5f2a0000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:57,662",
        "eid": 603,
        "data": {
          "file": "ntdll.dll",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "create",
        "object": "dir",
        "timestamp": "2026-05-28 22:01:57,662",
        "eid": 604,
        "data": {
          "file": "C:\\Users\\admin"
        }
      },
      {
        "event": "create",
        "object": "dir",
        "timestamp": "2026-05-28 22:01:57,662",
        "eid": 605,
        "data": {
          "file": "C:\\Users\\admin\\AppData\\Local"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:57,662",
        "eid": 606,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "create",
        "object": "dir",
        "timestamp": "2026-05-28 22:01:57,662",
        "eid": 607,
        "data": {
          "file": "C:\\Users\\admin\\AppData\\Local\\Microsoft\\Windows\\Explorer"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:57,662",
        "eid": 608,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:57,662",
        "eid": 609,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:57,662",
        "eid": 610,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:57,662",
        "eid": 611,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,678",
        "eid": 612,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\CAPEAgent",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,678",
        "eid": 613,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\CAPEAgent",
          "content": "\"C:\\Users\\admin\\AppData\\Local\\Microsoft\\WindowsApps\\python.exe\" \"C:\\agent.py\""
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,678",
        "eid": 614,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\StartupApproved\\Run\\CAPEAgent",
          "content": "\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:57,678",
        "eid": 615,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,678",
        "eid": 616,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\NoPropertiesMyComputer",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,678",
        "eid": 617,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\NoPropertiesRecycleBin",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,678",
        "eid": 618,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\NoControlPanel",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,678",
        "eid": 619,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\NoSetFolders",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,678",
        "eid": 620,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\NoInternetIcon",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,678",
        "eid": 621,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Desktop\\NameSpace\\ValidateRegItems",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,678",
        "eid": 622,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Desktop\\NameSpace\\MonitorRegistry",
          "content": "1"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,678",
        "eid": 623,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\NoCommonGroups",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,678",
        "eid": 624,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\Attributes",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,678",
        "eid": 625,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\CallForAttributes",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,678",
        "eid": 626,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\RestrictedAttributes",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,678",
        "eid": 627,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\FolderValueFlags",
          "content": "1581568"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,678",
        "eid": 628,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\NonEnum\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,678",
        "eid": 629,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MyComputer\\NameSpace\\ValidateRegItems",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,678",
        "eid": 630,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MyComputer\\NameSpace\\MonitorRegistry",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,678",
        "eid": 631,
        "data": {
          "regkey": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{528c102f-0000-0000-0000-300300000000}\\Data",
          "content": "\\xd6\r\\x00\\x00\r\\xf0\\xad\\xbaA\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x80\\x00\\x00\\x00\\x00\\x00\\x00\\x000\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xff\\x06\\xe7\\x03\\xff\\x00\\x00\\x00\\x16\\x00\\x00\\x00&\\x00\\xbc\\x12\\x1f\\x00\\x00\\x00\\x04@\\x00\\x00\\x0b\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\\\x00\\\\x00?\\x00\\\\x00S\\x00T\\x00O\\x00R\\x00A\\x00G\\x00E\\x00#\\x00V\\x00o\\x00l\\x00u\\x00m\\x00e\\x00#\\x00{\\x00e\\x003\\x002\\x00a\\x009\\x004\\x004\\x002\\x00-\\x005\\x00a\\x00f\\x002\\x00-\\x001\\x001\\x00f\\x001\\x00-\\x00a\\x00e\\x002\\x00c\\x00-\\x008\\x000\\x006\\x00e\\x006\\x00f\\x006\\x00e\\x006\\x009\\x006\\x003\\x00}\\x00#\\x000\\x000\\x000\\x000\\x000\\x000\\x000\\x000\\x000\\x003\\x003\\x000\\x000\\x000\\x000\\x000\\x00#\\x00{\\x005\\x003\\x00f\\x005\\x006\\x003\\x000\\x00d\\x00-\\x00b\\x006\\x00b\\x00f\\x00-\\x001\\x001\\x00d\\x000\\x00-\\x009\\x004\\x00f\\x002\\x00-\\x000\\x000\\x00a\\x000\\x00c\\x009\\x001\\x00e\\x00f\\x00b\\x008\\x00b\\x00}\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x0
0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,678",
        "eid": 632,
        "data": {
          "regkey": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{528c102f-0000-0000-0000-300300000000}\\Generation",
          "content": "1"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:57,678",
        "eid": 633,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:57,678",
        "eid": 634,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,678",
        "eid": 635,
        "data": {
          "regkey": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{528c102f-0000-0000-0000-100000000000}\\Data",
          "content": "\\xd6\r\\x00\\x00\r\\xf0\\xad\\xba\\x01\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x80\\x00\\x00\\x00\\x00\\x00\\x00\\x000\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xff\\x06\\xe7\\x03\\xff\\x00\\x00\\x00\\x16\\x00\\x00\\x00R\\xbd\\xbb\\x88\\x1e\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x0b\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\\\x00\\\\x00?\\x00\\\\x00S\\x00T\\x00O\\x00R\\x00A\\x00G\\x00E\\x00#\\x00V\\x00o\\x00l\\x00u\\x00m\\x00e\\x00#\\x00{\\x00e\\x003\\x002\\x00a\\x009\\x004\\x004\\x002\\x00-\\x005\\x00a\\x00f\\x002\\x00-\\x001\\x001\\x00f\\x001\\x00-\\x00a\\x00e\\x002\\x00c\\x00-\\x008\\x000\\x006\\x00e\\x006\\x00f\\x006\\x00e\\x006\\x009\\x006\\x003\\x00}\\x00#\\x000\\x000\\x000\\x000\\x000\\x000\\x000\\x000\\x000\\x000\\x001\\x000\\x000\\x000\\x000\\x000\\x00#\\x00{\\x005\\x003\\x00f\\x005\\x006\\x003\\x000\\x00d\\x00-\\x00b\\x006\\x00b\\x00f\\x00-\\x001\\x001\\x00d\\x000\\x00-\\x009\\x004\\x00f\\x002\\x00-\\x000\\x000\\x00a\\x000\\x00c\\x009\\x001\\x00e\\x00f\\x00b\\x008\\x00b\\x00}\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\
\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,678",
        "eid": 636,
        "data": {
          "regkey": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{528c102f-0000-0000-0000-100000000000}\\Generation",
          "content": "1"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,678",
        "eid": 637,
        "data": {
          "regkey": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{528c102f-0000-0000-0000-300300000000}\\Data",
          "content": "\\xd6\r\\x00\\x00\r\\xf0\\xad\\xbaA\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x80\\x00\\x00\\x00\\x00\\x00\\x00\\x000\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xff\\x06\\xe7\\x03\\xff\\x00\\x00\\x00\\x16\\x00\\x00\\x00&\\x00\\xbc\\x12\\x1f\\x00\\x00\\x00\\x04@\\x00\\x00\\x0b\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\\\x00\\\\x00?\\x00\\\\x00S\\x00T\\x00O\\x00R\\x00A\\x00G\\x00E\\x00#\\x00V\\x00o\\x00l\\x00u\\x00m\\x00e\\x00#\\x00{\\x00e\\x003\\x002\\x00a\\x009\\x004\\x004\\x002\\x00-\\x005\\x00a\\x00f\\x002\\x00-\\x001\\x001\\x00f\\x001\\x00-\\x00a\\x00e\\x002\\x00c\\x00-\\x008\\x000\\x006\\x00e\\x006\\x00f\\x006\\x00e\\x006\\x009\\x006\\x003\\x00}\\x00#\\x000\\x000\\x000\\x000\\x000\\x000\\x000\\x000\\x000\\x003\\x003\\x000\\x000\\x000\\x000\\x000\\x00#\\x00{\\x005\\x003\\x00f\\x005\\x006\\x003\\x000\\x00d\\x00-\\x00b\\x006\\x00b\\x00f\\x00-\\x001\\x001\\x00d\\x000\\x00-\\x009\\x004\\x00f\\x002\\x00-\\x000\\x000\\x00a\\x000\\x00c\\x009\\x001\\x00e\\x00f\\x00b\\x008\\x00b\\x00}\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x0
0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,678",
        "eid": 638,
        "data": {
          "regkey": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{528c102f-0000-0000-0000-300300000000}\\Generation",
          "content": "1"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,678",
        "eid": 639,
        "data": {
          "regkey": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{528c102f-0000-0000-0000-c0dd0e000000}\\Data",
          "content": "\\xd6\r\\x00\\x00\r\\xf0\\xad\\xba\\x01\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x80\\x00\\x00\\x00\\x00\\x00\\x00\\x000\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xff\\x06\\xe7\\x03\\xff\\x00\\x00\\x00\\x16\\x00\\x00\\x00\\x9d\\x7f\\xd7`\\x1e\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x0b\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\\\x00\\\\x00?\\x00\\\\x00S\\x00T\\x00O\\x00R\\x00A\\x00G\\x00E\\x00#\\x00V\\x00o\\x00l\\x00u\\x00m\\x00e\\x00#\\x00{\\x00e\\x003\\x002\\x00a\\x009\\x004\\x004\\x002\\x00-\\x005\\x00a\\x00f\\x002\\x00-\\x001\\x001\\x00f\\x001\\x00-\\x00a\\x00e\\x002\\x00c\\x00-\\x008\\x000\\x006\\x00e\\x006\\x00f\\x006\\x00e\\x006\\x009\\x006\\x003\\x00}\\x00#\\x000\\x000\\x000\\x000\\x000\\x000\\x000\\x00E\\x00D\\x00D\\x00C\\x000\\x000\\x000\\x000\\x000\\x00#\\x00{\\x005\\x003\\x00f\\x005\\x006\\x003\\x000\\x00d\\x00-\\x00b\\x006\\x00b\\x00f\\x00-\\x001\\x001\\x00d\\x000\\x00-\\x009\\x004\\x00f\\x002\\x00-\\x000\\x000\\x00a\\x000\\x00c\\x009\\x001\\x00e\\x00f\\x00b\\x008\\x00b\\x00}\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\
\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,678",
        "eid": 640,
        "data": {
          "regkey": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{528c102f-0000-0000-0000-c0dd0e000000}\\Generation",
          "content": "1"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,693",
        "eid": 641,
        "data": {
          "regkey": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{e32a94c0-5af2-11f1-ae2c-806e6f6e6963}\\Data",
          "content": "\\xd6\r\\x00\\x00\r\\xf0\\xad\\xba\\x01\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\x80\\x00\\x00\\x00\\x00\\x00\\x00\\x000\\x00\\x00\\x00\\x80#\\x00\\x00\\x00\\x07\\x02H\\x01\\xfe\\x00\\x00\\x00\\x11\\x00\\x00\\x00x\\x00'\\xca\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x0b\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\\\x00\\\\x00?\\x00\\\\x00S\\x00C\\x00S\\x00I\\x00#\\x00C\\x00d\\x00R\\x00o\\x00m\\x00&\\x00V\\x00e\\x00n\\x00_\\x00<\\x00W\\x00O\\x00O\\x00T\\x00>\\x00&\\x00P\\x00r\\x00o\\x00d\\x00_\\x00H\\x00L\\x00-\\x00P\\x00Q\\x00-\\x00S\\x00V\\x00_\\x00W\\x00B\\x008\\x00#\\x004\\x00&\\x003\\x005\\x004\\x002\\x004\\x008\\x006\\x007\\x00&\\x000\\x00&\\x000\\x001\\x000\\x000\\x000\\x000\\x00#\\x00{\\x005\\x003\\x00f\\x005\\x006\\x003\\x000\\x00d\\x00-\\x00b\\x006\\x00b\\x00f\\x00-\\x001\\x001\\x00d\\x000\\x00-\\x009\\x004\\x00f\\x002\\x00-\\x000\\x000\\x00a\\x000\\x00c\\x009\\x001\\x00e\\x00f\\x00b\\x008\\x00b\\x00}\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x0
0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,693",
        "eid": 642,
        "data": {
          "regkey": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{e32a94c0-5af2-11f1-ae2c-806e6f6e6963}\\Generation",
          "content": "1"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:57,693",
        "eid": 643,
        "data": {
          "file": "C:\\Windows\\System32\\propsys.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc728f0000"
        }
      },
      {
        "event": "create",
        "object": "dir",
        "timestamp": "2026-05-28 22:01:57,693",
        "eid": 644,
        "data": {
          "file": "C:\\Users\\admin\\AppData\\Local\\Microsoft\\Windows\\Caches"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:57,693",
        "eid": 645,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "read",
        "object": "file",
        "timestamp": "2026-05-28 22:01:57,693",
        "eid": 646,
        "data": {
          "file": "C:\\Users\\desktop.ini"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:57,693",
        "eid": 647,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:57,693",
        "eid": 648,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:57,693",
        "eid": 649,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,693",
        "eid": 650,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\DontShowSuperHidden",
          "content": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:57,693",
        "eid": 651,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,709",
        "eid": 652,
        "data": {
          "regkey": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\ShellState",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,709",
        "eid": 653,
        "data": {
          "regkey": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\ShellState",
          "content": "$\\x00\\x00\\x004(\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x13\\x00\\x00\\x00\\x00\\x00\\x00\\x00b\\x00\\x00\\x00"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,709",
        "eid": 654,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\NoWebView",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,709",
        "eid": 655,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\ClassicShell",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,709",
        "eid": 656,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\SeparateProcess",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,709",
        "eid": 657,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\NoNetCrawling",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,709",
        "eid": 658,
        "data": {
          "regkey": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\Hidden",
          "content": "2"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,709",
        "eid": 659,
        "data": {
          "regkey": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\ShowCompColor",
          "content": "1"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,709",
        "eid": 660,
        "data": {
          "regkey": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\HideFileExt",
          "content": "1"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,709",
        "eid": 661,
        "data": {
          "regkey": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\DontPrettyPath",
          "content": "0"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,709",
        "eid": 662,
        "data": {
          "regkey": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\ShowInfoTip",
          "content": "1"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,709",
        "eid": 663,
        "data": {
          "regkey": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\HideIcons",
          "content": "0"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,709",
        "eid": 664,
        "data": {
          "regkey": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\MapNetDrvBtn",
          "content": "0"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,709",
        "eid": 665,
        "data": {
          "regkey": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\WebView",
          "content": "1"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,709",
        "eid": 666,
        "data": {
          "regkey": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\Filter",
          "content": "0"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,709",
        "eid": 667,
        "data": {
          "regkey": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\ShowSuperHidden",
          "content": "0"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,709",
        "eid": 668,
        "data": {
          "regkey": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\SeparateProcess",
          "content": "0"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,709",
        "eid": 669,
        "data": {
          "regkey": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\NoNetCrawling",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,709",
        "eid": 670,
        "data": {
          "regkey": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\AutoCheckSelect",
          "content": "0"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,709",
        "eid": 671,
        "data": {
          "regkey": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\IconsOnly",
          "content": "0"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,709",
        "eid": 672,
        "data": {
          "regkey": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\ShowTypeOverlay",
          "content": "1"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,709",
        "eid": 673,
        "data": {
          "regkey": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\ShowStatusBar",
          "content": "1"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,709",
        "eid": 674,
        "data": {
          "regkey": "HKEY_CURRENT_USER\\Software\\Classes\\Directory\\DocObject",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,709",
        "eid": 675,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Folder\\DocObject",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,709",
        "eid": 676,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\AllFilesystemObjects\\DocObject",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,709",
        "eid": 677,
        "data": {
          "regkey": "HKEY_CURRENT_USER\\Software\\Classes\\Directory\\BrowseInPlace",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,709",
        "eid": 678,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Folder\\BrowseInPlace",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,709",
        "eid": 679,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\AllFilesystemObjects\\BrowseInPlace",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,709",
        "eid": 680,
        "data": {
          "regkey": "HKEY_CURRENT_USER\\Software\\Classes\\Directory\\IsShortcut",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,709",
        "eid": 681,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Folder\\IsShortcut",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,709",
        "eid": 682,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\AllFilesystemObjects\\IsShortcut",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,709",
        "eid": 683,
        "data": {
          "regkey": "HKEY_CURRENT_USER\\Software\\Classes\\Directory\\AlwaysShowExt",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,709",
        "eid": 684,
        "data": {
          "regkey": "HKEY_CURRENT_USER\\Software\\Classes\\Directory\\NeverShowExt",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,709",
        "eid": 685,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Folder\\NeverShowExt",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,709",
        "eid": 686,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\AllFilesystemObjects\\NeverShowExt",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,709",
        "eid": 687,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\KindMap\\.exe",
          "content": "program"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,709",
        "eid": 688,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.exe\\Content Type",
          "content": "application/x-msdownload"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:57,709",
        "eid": 689,
        "data": {
          "file": "ntdll.dll",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,709",
        "eid": 690,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\AllowFileCLSIDJunctions",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,709",
        "eid": 691,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.exe\\(Default)",
          "content": "exefile"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,709",
        "eid": 692,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\exefile\\DocObject",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,709",
        "eid": 693,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\SystemFileAssociations\\.exe\\DocObject",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,709",
        "eid": 694,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\exefile\\BrowseInPlace",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,709",
        "eid": 695,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\SystemFileAssociations\\.exe\\BrowseInPlace",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,709",
        "eid": 696,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.exe\\Content Type",
          "content": "application/x-msdownload"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,709",
        "eid": 697,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\exefile\\IsShortcut",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,709",
        "eid": 698,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\SystemFileAssociations\\.exe\\IsShortcut",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,709",
        "eid": 699,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\exefile\\AlwaysShowExt",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,709",
        "eid": 700,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\SystemFileAssociations\\.exe\\AlwaysShowExt",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,709",
        "eid": 701,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\exefile\\NeverShowExt",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,709",
        "eid": 702,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\SystemFileAssociations\\.exe\\NeverShowExt",
          "content": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:57,709",
        "eid": 703,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,709",
        "eid": 704,
        "data": {
          "regkey": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{528c102f-0000-0000-0000-300300000000}\\Generation",
          "content": "1"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,725",
        "eid": 705,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Session Manager\\SafeProcessSearchMode",
          "content": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:57,725",
        "eid": 706,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:57,725",
        "eid": 707,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:57,725",
        "eid": 708,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:57,725",
        "eid": 709,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:57,725",
        "eid": 710,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:57,725",
        "eid": 711,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:57,725",
        "eid": 712,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "read",
        "object": "file",
        "timestamp": "2026-05-28 22:01:57,725",
        "eid": 713,
        "data": {
          "file": "C:\\Windows\\System32\\conhost.exe"
        }
      },
      {
        "event": "read",
        "object": "file",
        "timestamp": "2026-05-28 22:01:57,725",
        "eid": 714,
        "data": {
          "file": "C:\\Windows\\System32\\conhost.exe"
        }
      },
      {
        "event": "read",
        "object": "file",
        "timestamp": "2026-05-28 22:01:57,725",
        "eid": 715,
        "data": {
          "file": "C:\\Windows\\System32\\conhost.exe"
        }
      },
      {
        "event": "write",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,725",
        "eid": 716,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Desktop\\NameSpace\\"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:57,725",
        "eid": 717,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "write",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,725",
        "eid": 718,
        "data": {
          "regkey": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Desktop\\NameSpace\\"
        }
      },
      {
        "event": "write",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,725",
        "eid": 719,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Desktop\\NameSpace\\DelegateFolders\\"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:57,725",
        "eid": 720,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,725",
        "eid": 721,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Desktop\\NameSpace\\DelegateFolders\\StorageDelegateSuppressionPolicy",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,725",
        "eid": 722,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Desktop\\NameSpace\\DelegateFolders\\StorageDelegate",
          "content": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:57,725",
        "eid": 723,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,740",
        "eid": 724,
        "data": {
          "regkey": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\OneDrive",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,740",
        "eid": 725,
        "data": {
          "regkey": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\OneDrive",
          "content": "\"C:\\Users\\admin\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,740",
        "eid": 726,
        "data": {
          "regkey": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\StartupApproved\\Run\\OneDrive",
          "content": "\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:57,740",
        "eid": 727,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:57,740",
        "eid": 728,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:57,740",
        "eid": 729,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:57,740",
        "eid": 730,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,740",
        "eid": 731,
        "data": {
          "regkey": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\Discord",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,740",
        "eid": 732,
        "data": {
          "regkey": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\Discord",
          "content": "\"C:\\Users\\admin\\AppData\\Local\\Discord\\Update.exe\" --processStart Discord.exe"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,740",
        "eid": 733,
        "data": {
          "regkey": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\StartupApproved\\Run\\Discord",
          "content": "\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:57,740",
        "eid": 734,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:57,740",
        "eid": 735,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:57,740",
        "eid": 736,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:57,740",
        "eid": 737,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:57,740",
        "eid": 738,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:57,740",
        "eid": 739,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:57,740",
        "eid": 740,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:57,740",
        "eid": 741,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:57,740",
        "eid": 742,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:57,740",
        "eid": 743,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:57,756",
        "eid": 744,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:57,756",
        "eid": 745,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:57,756",
        "eid": 746,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:57,756",
        "eid": 747,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:57,756",
        "eid": 748,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "read",
        "object": "file",
        "timestamp": "2026-05-28 22:01:57,756",
        "eid": 749,
        "data": {
          "file": "C:\\Windows\\System32\\conhost.exe"
        }
      },
      {
        "event": "read",
        "object": "file",
        "timestamp": "2026-05-28 22:01:57,756",
        "eid": 750,
        "data": {
          "file": "C:\\Windows\\System32\\conhost.exe"
        }
      },
      {
        "event": "read",
        "object": "file",
        "timestamp": "2026-05-28 22:01:57,756",
        "eid": 751,
        "data": {
          "file": "C:\\Windows\\System32\\conhost.exe"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:57,756",
        "eid": 752,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:57,756",
        "eid": 753,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:57,756",
        "eid": 754,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:57,756",
        "eid": 755,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:57,756",
        "eid": 756,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:57,756",
        "eid": 757,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:57,756",
        "eid": 758,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "read",
        "object": "file",
        "timestamp": "2026-05-28 22:01:57,756",
        "eid": 759,
        "data": {
          "file": "C:\\Windows\\System32\\conhost.exe"
        }
      },
      {
        "event": "read",
        "object": "file",
        "timestamp": "2026-05-28 22:01:57,771",
        "eid": 760,
        "data": {
          "file": "C:\\Windows\\System32\\conhost.exe"
        }
      },
      {
        "event": "read",
        "object": "file",
        "timestamp": "2026-05-28 22:01:57,771",
        "eid": 761,
        "data": {
          "file": "C:\\Windows\\System32\\conhost.exe"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:57,771",
        "eid": 762,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:57,771",
        "eid": 763,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:57,771",
        "eid": 764,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:57,771",
        "eid": 765,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:57,771",
        "eid": 766,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:57,771",
        "eid": 767,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:57,771",
        "eid": 768,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:57,771",
        "eid": 769,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:57,771",
        "eid": 770,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:57,771",
        "eid": 771,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:57,771",
        "eid": 772,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:57,771",
        "eid": 773,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:57,771",
        "eid": 774,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:57,771",
        "eid": 775,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:57,771",
        "eid": 776,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:57,771",
        "eid": 777,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:57,771",
        "eid": 778,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:57,771",
        "eid": 779,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:57,771",
        "eid": 780,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:57,771",
        "eid": 781,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "read",
        "object": "file",
        "timestamp": "2026-05-28 22:01:57,771",
        "eid": 782,
        "data": {
          "file": "C:\\Windows\\System32\\conhost.exe"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:57,771",
        "eid": 783,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "read",
        "object": "file",
        "timestamp": "2026-05-28 22:01:57,771",
        "eid": 784,
        "data": {
          "file": "C:\\Windows\\System32\\conhost.exe"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:57,771",
        "eid": 785,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "read",
        "object": "file",
        "timestamp": "2026-05-28 22:01:57,771",
        "eid": 786,
        "data": {
          "file": "C:\\Windows\\System32\\conhost.exe"
        }
      },
      {
        "event": "read",
        "object": "file",
        "timestamp": "2026-05-28 22:01:57,771",
        "eid": 787,
        "data": {
          "file": "C:\\Windows\\System32\\conhost.exe"
        }
      },
      {
        "event": "read",
        "object": "file",
        "timestamp": "2026-05-28 22:01:57,787",
        "eid": 788,
        "data": {
          "file": "C:\\Windows\\System32\\conhost.exe"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:57,787",
        "eid": 789,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:57,787",
        "eid": 790,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "read",
        "object": "file",
        "timestamp": "2026-05-28 22:01:57,787",
        "eid": 791,
        "data": {
          "file": "C:\\Windows\\System32\\conhost.exe"
        }
      },
      {
        "event": "read",
        "object": "file",
        "timestamp": "2026-05-28 22:01:57,787",
        "eid": 792,
        "data": {
          "file": "C:\\Windows\\System32\\conhost.exe"
        }
      },
      {
        "event": "read",
        "object": "file",
        "timestamp": "2026-05-28 22:01:57,787",
        "eid": 793,
        "data": {
          "file": "C:\\Windows\\System32\\conhost.exe"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:57,787",
        "eid": 794,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:57,787",
        "eid": 795,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "read",
        "object": "file",
        "timestamp": "2026-05-28 22:01:57,787",
        "eid": 796,
        "data": {
          "file": "C:\\Windows\\System32\\conhost.exe"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:57,787",
        "eid": 797,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,787",
        "eid": 798,
        "data": {
          "regkey": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\Steam",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,787",
        "eid": 799,
        "data": {
          "regkey": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\Steam",
          "content": "\"C:\\Program Files (x86)\\Steam\\steam.exe\" -silent"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,787",
        "eid": 800,
        "data": {
          "regkey": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\StartupApproved\\Run\\Steam",
          "content": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:57,787",
        "eid": 801,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:57,787",
        "eid": 802,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:57,787",
        "eid": 803,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:57,787",
        "eid": 804,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:57,787",
        "eid": 805,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:57,787",
        "eid": 806,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:57,787",
        "eid": 807,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:57,787",
        "eid": 808,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:57,787",
        "eid": 809,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "read",
        "object": "file",
        "timestamp": "2026-05-28 22:01:57,787",
        "eid": 810,
        "data": {
          "file": "C:\\Windows\\System32\\conhost.exe"
        }
      },
      {
        "event": "read",
        "object": "file",
        "timestamp": "2026-05-28 22:01:57,787",
        "eid": 811,
        "data": {
          "file": "C:\\Windows\\System32\\conhost.exe"
        }
      },
      {
        "event": "read",
        "object": "file",
        "timestamp": "2026-05-28 22:01:57,787",
        "eid": 812,
        "data": {
          "file": "C:\\Windows\\System32\\conhost.exe"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:57,787",
        "eid": 813,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:57,787",
        "eid": 814,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:57,803",
        "eid": 815,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:57,803",
        "eid": 816,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:57,803",
        "eid": 817,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:57,803",
        "eid": 818,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:57,803",
        "eid": 819,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:57,803",
        "eid": 820,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:57,803",
        "eid": 821,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:57,803",
        "eid": 822,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:57,803",
        "eid": 823,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:57,803",
        "eid": 824,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:57,803",
        "eid": 825,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:57,803",
        "eid": 826,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:57,803",
        "eid": 827,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:57,803",
        "eid": 828,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:57,803",
        "eid": 829,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:57,803",
        "eid": 830,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:57,803",
        "eid": 831,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:57,803",
        "eid": 832,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:57,803",
        "eid": 833,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:57,803",
        "eid": 834,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "read",
        "object": "file",
        "timestamp": "2026-05-28 22:01:57,803",
        "eid": 835,
        "data": {
          "file": "C:\\Windows\\System32\\conhost.exe"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:57,803",
        "eid": 836,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:57,803",
        "eid": 837,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:57,818",
        "eid": 838,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:57,818",
        "eid": 839,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:57,818",
        "eid": 840,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,818",
        "eid": 841,
        "data": {
          "regkey": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{528c102f-0000-0000-0000-300300000000}\\Generation",
          "content": "1"
        }
      },
      {
        "event": "read",
        "object": "file",
        "timestamp": "2026-05-28 22:01:57,818",
        "eid": 842,
        "data": {
          "file": "C:\\Program Files (x86)\\desktop.ini"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:57,818",
        "eid": 843,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:57,818",
        "eid": 844,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:57,818",
        "eid": 845,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:57,818",
        "eid": 846,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "read",
        "object": "file",
        "timestamp": "2026-05-28 22:01:57,818",
        "eid": 847,
        "data": {
          "file": "C:\\Windows\\System32\\conhost.exe"
        }
      },
      {
        "event": "read",
        "object": "file",
        "timestamp": "2026-05-28 22:01:57,818",
        "eid": 848,
        "data": {
          "file": "C:\\Windows\\System32\\conhost.exe"
        }
      },
      {
        "event": "read",
        "object": "file",
        "timestamp": "2026-05-28 22:01:57,818",
        "eid": 849,
        "data": {
          "file": "C:\\Windows\\System32\\conhost.exe"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,818",
        "eid": 850,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.ApplicationModel.Internal.StartupTaskInternal\\ActivationType",
          "content": "0"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,818",
        "eid": 851,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.ApplicationModel.Internal.StartupTaskInternal\\Server",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,818",
        "eid": 852,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.ApplicationModel.Internal.StartupTaskInternal\\DllPath",
          "content": "C:\\Windows\\System32\\Windows.ApplicationModel.dll"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,818",
        "eid": 853,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.ApplicationModel.Internal.StartupTaskInternal\\Threading",
          "content": "0"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,818",
        "eid": 854,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.ApplicationModel.Internal.StartupTaskInternal\\TrustLevel",
          "content": "1"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,818",
        "eid": 855,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.ApplicationModel.Internal.StartupTaskInternal\\RemoteServer",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,818",
        "eid": 856,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.ApplicationModel.Internal.StartupTaskInternal\\ActivateAsUser",
          "content": "1"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,818",
        "eid": 857,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.ApplicationModel.Internal.StartupTaskInternal\\ActivateInSharedBroker",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,818",
        "eid": 858,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.ApplicationModel.Internal.StartupTaskInternal\\ActivateInBrokerForMediumILContainer",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,818",
        "eid": 859,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.ApplicationModel.Internal.StartupTaskInternal\\Permissions",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,818",
        "eid": 860,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.ApplicationModel.Internal.StartupTaskInternal\\ActivateOnHostFlags",
          "content": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:57,818",
        "eid": 861,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:57,834",
        "eid": 862,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:57,834",
        "eid": 863,
        "data": {
          "file": "C:\\Windows\\System32\\Windows.ApplicationModel.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc63700000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:57,834",
        "eid": 864,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,834",
        "eid": 865,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SecurityManager\\AdminCapabilities\\automatedAppLaunch",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,834",
        "eid": 866,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SecurityManager\\AdminCapabilities\\automatedAppLaunch",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,834",
        "eid": 867,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Foundation.Diagnostics.AsyncCausalityTracer\\ActivationType",
          "content": "0"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,834",
        "eid": 868,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Foundation.Diagnostics.AsyncCausalityTracer\\Server",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,834",
        "eid": 869,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Foundation.Diagnostics.AsyncCausalityTracer\\DllPath",
          "content": "C:\\Windows\\System32\\combase.dll"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,834",
        "eid": 870,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Foundation.Diagnostics.AsyncCausalityTracer\\Threading",
          "content": "0"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,834",
        "eid": 871,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Foundation.Diagnostics.AsyncCausalityTracer\\TrustLevel",
          "content": "0"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,834",
        "eid": 872,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Foundation.Diagnostics.AsyncCausalityTracer\\RemoteServer",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,834",
        "eid": 873,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Foundation.Diagnostics.AsyncCausalityTracer\\ActivateAsUser",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,834",
        "eid": 874,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Foundation.Diagnostics.AsyncCausalityTracer\\ActivateInSharedBroker",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,834",
        "eid": 875,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Foundation.Diagnostics.AsyncCausalityTracer\\ActivateInBrokerForMediumILContainer",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,834",
        "eid": 876,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Foundation.Diagnostics.AsyncCausalityTracer\\Permissions",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,834",
        "eid": 877,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Foundation.Diagnostics.AsyncCausalityTracer\\ActivateOnHostFlags",
          "content": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:57,834",
        "eid": 878,
        "data": {
          "file": "C:\\Windows\\System32\\combase.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc77b70000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:57,834",
        "eid": 879,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,834",
        "eid": 880,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.ApplicationExtension\\ActivationType",
          "content": "1"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,834",
        "eid": 881,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.ApplicationExtension\\Server",
          "content": "StateRepository"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,834",
        "eid": 882,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.ApplicationExtension\\DllPath",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,834",
        "eid": 883,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.ApplicationExtension\\Threading",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,834",
        "eid": 884,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.ApplicationExtension\\TrustLevel",
          "content": "0"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,834",
        "eid": 885,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.ApplicationExtension\\RemoteServer",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,834",
        "eid": 886,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.ApplicationExtension\\ActivateAsUser",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,834",
        "eid": 887,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.ApplicationExtension\\ActivateInSharedBroker",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,834",
        "eid": 888,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.ApplicationExtension\\ActivateInBrokerForMediumILContainer",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,834",
        "eid": 889,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.ApplicationExtension\\Permissions",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,834",
        "eid": 890,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.ApplicationExtension\\ActivateOnHostFlags",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,834",
        "eid": 891,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\Server\\StateRepository\\ExePath",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,834",
        "eid": 892,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\Server\\StateRepository\\CommandLine",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,834",
        "eid": 893,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\Server\\StateRepository\\IdentityType",
          "content": "1"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,834",
        "eid": 894,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\Server\\StateRepository\\Permissions",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,834",
        "eid": 895,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\Server\\StateRepository\\Permissions",
          "content": "\\x01\\x00\\x14\\x80\\x9c\\x00\\x00\\x00\\xa8\\x00\\x00\\x00\\x14\\x00\\x00\\x000\\x00\\x00\\x00\\x02\\x00\\x1c\\x00\\x01\\x00\\x00\\x00\\x11\\x00\\x14\\x00\\x04\\x00\\x00\\x00\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x10\\x00\\x00\\x02\\x00l\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x14\\x00\\x1f\\x00\\x00\\x00\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x18\\x00\\x1f\\x00\\x00\\x00\\x01\\x02\\x00\\x00\\x00\\x00\\x00\\x0f\\x02\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x008\\x00\\x1f\\x00\\x00\\x00\\x01\n\\x00\\x00\\x00\\x00\\x00\\x0f\\x03\\x00\\x00\\x00\\x00\\x04\\x00\\x00\\xceJ\\x93Y\\xb9\\xcf\\x0buu\\xc0\\xf2\\x9b\\xb2\\xb4\\xc2\\x98\\xd4F\\xdd\\xf9\\x02z\\x87\\xec\\x14e\\x11w\\xd6\\xe9\\x96U\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x05\n\\x00\\x00\\x00\\x01\\x02\\x00\\x00\\x00\\x00\\x00\\x05 \\x00\\x00\\x00!\\x02\\x00\\x00"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,834",
        "eid": 896,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\Server\\StateRepository\\ActivatableClasses",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,834",
        "eid": 897,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\Server\\StateRepository\\ServerType",
          "content": "2"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,834",
        "eid": 898,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\Server\\StateRepository\\AppId",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,834",
        "eid": 899,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\Server\\StateRepository\\Identity",
          "content": "nt authority\\system"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,834",
        "eid": 900,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\Server\\StateRepository\\ServiceName",
          "content": "StateRepository"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,834",
        "eid": 901,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\Server\\StateRepository\\ExplicitPsmActivationType",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,834",
        "eid": 902,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{b94b62a2-4012-4b7e-a395-f21cc665fd12}\\ProxyStubClsid32\\(Default)",
          "content": "{c53e07ec-25f3-4093-aa39-fc67ea22e99d}"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,834",
        "eid": 903,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}\\ActivateOnHostFlags",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,834",
        "eid": 904,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}\\(Default)",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,834",
        "eid": 905,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}\\(Default)",
          "content": "PSFactoryBuffer"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,834",
        "eid": 906,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}\\InProcServer32\\InprocServer32",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,834",
        "eid": 907,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}\\InProcServer32\\(Default)",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,834",
        "eid": 908,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}\\InProcServer32\\(Default)",
          "content": "C:\\Windows\\System32\\\\Windows.StateRepositoryPS.dll"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,834",
        "eid": 909,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}\\InProcServer32\\ThreadingModel",
          "content": "Both"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,834",
        "eid": 910,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}\\ActivateOnHostFlags",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,834",
        "eid": 911,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}\\(Default)",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,834",
        "eid": 912,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}\\(Default)",
          "content": "PSFactoryBuffer"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,834",
        "eid": 913,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}\\InProcServer32\\InprocServer32",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,834",
        "eid": 914,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}\\InProcServer32\\(Default)",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,834",
        "eid": 915,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}\\InProcServer32\\(Default)",
          "content": "C:\\Windows\\System32\\\\Windows.StateRepositoryPS.dll"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,834",
        "eid": 916,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}\\InProcServer32\\ThreadingModel",
          "content": "Both"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,834",
        "eid": 917,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}\\AppID",
          "content": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:57,834",
        "eid": 918,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:57,834",
        "eid": 919,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:57,834",
        "eid": 920,
        "data": {
          "file": "C:\\Windows\\System32\\Windows.StateRepositoryPS.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc665a0000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:57,834",
        "eid": 921,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,834",
        "eid": 922,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{AF86E2E0-B12D-4c6a-9C5A-D7AA65101E90}\\ProxyStubClsid32\\(Default)",
          "content": "{00000320-0000-0000-C000-000000000046}"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,850",
        "eid": 923,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{6cb10ed7-4bca-5561-b2e1-40e1197c1b0c}\\ProxyStubClsid32\\(Default)",
          "content": "{c53e07ec-25f3-4093-aa39-fc67ea22e99d}"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,850",
        "eid": 924,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.Package\\ActivationType",
          "content": "1"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,850",
        "eid": 925,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.Package\\Server",
          "content": "StateRepository"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,850",
        "eid": 926,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.Package\\DllPath",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,850",
        "eid": 927,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.Package\\Threading",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,850",
        "eid": 928,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.Package\\TrustLevel",
          "content": "0"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,850",
        "eid": 929,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.Package\\RemoteServer",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,850",
        "eid": 930,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.Package\\ActivateAsUser",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,850",
        "eid": 931,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.Package\\ActivateInSharedBroker",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,850",
        "eid": 932,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.Package\\ActivateInBrokerForMediumILContainer",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,850",
        "eid": 933,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.Package\\Permissions",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,850",
        "eid": 934,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.Package\\ActivateOnHostFlags",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,850",
        "eid": 935,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{0450ce77-af0d-40ac-93fd-1e5d48c89419}\\ProxyStubClsid32\\(Default)",
          "content": "{c53e07ec-25f3-4093-aa39-fc67ea22e99d}"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:57,850",
        "eid": 936,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:57,850",
        "eid": 937,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:57,850",
        "eid": 938,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:57,850",
        "eid": 939,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:57,850",
        "eid": 940,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:57,850",
        "eid": 941,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:57,850",
        "eid": 942,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:57,850",
        "eid": 943,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:57,850",
        "eid": 944,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:57,865",
        "eid": 945,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:57,865",
        "eid": 946,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:57,865",
        "eid": 947,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:57,865",
        "eid": 948,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:57,865",
        "eid": 949,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:57,865",
        "eid": 950,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:57,865",
        "eid": 951,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:57,865",
        "eid": 952,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:57,865",
        "eid": 953,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:57,865",
        "eid": 954,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:57,865",
        "eid": 955,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:57,865",
        "eid": 956,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:57,881",
        "eid": 957,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:57,975",
        "eid": 958,
        "data": {
          "file": "C:\\Windows\\System32\\appresolver.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc610f0000"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,975",
        "eid": 959,
        "data": {
          "regkey": "HKEY_CURRENT_USER\\Control Panel\\International\\User Profile\\Languages",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,975",
        "eid": 960,
        "data": {
          "regkey": "HKEY_CURRENT_USER\\Control Panel\\International\\User Profile\\Languages",
          "content": "\\x00\\x00"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,975",
        "eid": 961,
        "data": {
          "regkey": "HKEY_CURRENT_USER\\Control Panel\\International\\Geo\\Nation",
          "content": "12"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,975",
        "eid": 962,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1e87508d-89c2-42f0-8a7e-645a0f50ca58}\\Category",
          "content": "1"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,975",
        "eid": 963,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1e87508d-89c2-42f0-8a7e-645a0f50ca58}\\Name",
          "content": "AppsFolder"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,975",
        "eid": 964,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1e87508d-89c2-42f0-8a7e-645a0f50ca58}\\ParentFolder",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,975",
        "eid": 965,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1e87508d-89c2-42f0-8a7e-645a0f50ca58}\\Description",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,975",
        "eid": 966,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1e87508d-89c2-42f0-8a7e-645a0f50ca58}\\RelativePath",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,975",
        "eid": 967,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1e87508d-89c2-42f0-8a7e-645a0f50ca58}\\ParsingName",
          "content": "shell:::{4234d49b-0245-4df3-b780-3893943456e1}"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,975",
        "eid": 968,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1e87508d-89c2-42f0-8a7e-645a0f50ca58}\\InfoTip",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,975",
        "eid": 969,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1e87508d-89c2-42f0-8a7e-645a0f50ca58}\\LocalizedName",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,975",
        "eid": 970,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1e87508d-89c2-42f0-8a7e-645a0f50ca58}\\Icon",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,975",
        "eid": 971,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1e87508d-89c2-42f0-8a7e-645a0f50ca58}\\Security",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,975",
        "eid": 972,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1e87508d-89c2-42f0-8a7e-645a0f50ca58}\\StreamResource",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,975",
        "eid": 973,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1e87508d-89c2-42f0-8a7e-645a0f50ca58}\\StreamResourceType",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,975",
        "eid": 974,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1e87508d-89c2-42f0-8a7e-645a0f50ca58}\\LocalRedirectOnly",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,975",
        "eid": 975,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1e87508d-89c2-42f0-8a7e-645a0f50ca58}\\Roamable",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,975",
        "eid": 976,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1e87508d-89c2-42f0-8a7e-645a0f50ca58}\\PreCreate",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,975",
        "eid": 977,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1e87508d-89c2-42f0-8a7e-645a0f50ca58}\\Stream",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,975",
        "eid": 978,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1e87508d-89c2-42f0-8a7e-645a0f50ca58}\\PublishExpandedPath",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,975",
        "eid": 979,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1e87508d-89c2-42f0-8a7e-645a0f50ca58}\\DefinitionFlags",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,975",
        "eid": 980,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1e87508d-89c2-42f0-8a7e-645a0f50ca58}\\Attributes",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,975",
        "eid": 981,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1e87508d-89c2-42f0-8a7e-645a0f50ca58}\\FolderTypeID",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,975",
        "eid": 982,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1e87508d-89c2-42f0-8a7e-645a0f50ca58}\\InitFolderHandler",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,975",
        "eid": 983,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Desktop\\NameSpace\\ValidateRegItems",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,990",
        "eid": 984,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Desktop\\NameSpace\\MonitorRegistry",
          "content": "1"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,990",
        "eid": 985,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{4234d49b-0245-4df3-b780-3893943456e1}\\SortOrderIndex",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,990",
        "eid": 986,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{4234d49b-0245-4df3-b780-3893943456e1}\\ShellFolder\\Attributes",
          "content": "537919488"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,990",
        "eid": 987,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{4234d49b-0245-4df3-b780-3893943456e1}\\ShellFolder\\CallForAttributes",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,990",
        "eid": 988,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{4234d49b-0245-4df3-b780-3893943456e1}\\ShellFolder\\RestrictedAttributes",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,990",
        "eid": 989,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{4234d49b-0245-4df3-b780-3893943456e1}\\ShellFolder\\FolderValueFlags",
          "content": "0"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,990",
        "eid": 990,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\NonEnum\\{4234D49B-0245-4DF3-B780-3893943456E1}",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,990",
        "eid": 991,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\PreXPSP2ShellProtocolBehavior",
          "content": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:57,990",
        "eid": 992,
        "data": {
          "file": "shell32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc76730000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:57,990",
        "eid": 993,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,990",
        "eid": 994,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{4234d49b-0245-4df3-b780-3893943456e1}\\InProcServer32\\(Default)",
          "content": "C:\\Windows\\System32\\appresolver.dll"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,990",
        "eid": 995,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{4234d49b-0245-4df3-b780-3893943456e1}\\InProcServer32\\LoadWithoutCOM",
          "content": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:57,990",
        "eid": 996,
        "data": {
          "file": "ntdll.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc77fd0000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:57,990",
        "eid": 997,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,990",
        "eid": 998,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\AppCompatFlags\\LogFlags",
          "content": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:57,990",
        "eid": 999,
        "data": {
          "file": "api-ms-win-eventing-provider-l1-1-0.dll",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,990",
        "eid": 1000,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{4234d49b-0245-4df3-b780-3893943456e1}\\InProcServer32\\(Default)",
          "content": "C:\\Windows\\System32\\appresolver.dll"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:57,990",
        "eid": 1001,
        "data": {
          "file": "appresolver.dll",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,990",
        "eid": 1002,
        "data": {
          "regkey": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Shell Extensions\\Cached\\{4234D49B-0245-4DF3-B780-3893943456E1} {000214E6-0000-0000-C000-000000000046} 0xFFFF",
          "content": "\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x13\\xde\\x02\\xb0\\xb6\\xee\\xdc\\x01"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,990",
        "eid": 1003,
        "data": {
          "regkey": "HKEY_CURRENT_USER\\Control Panel\\International\\User Profile\\Languages",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,990",
        "eid": 1004,
        "data": {
          "regkey": "HKEY_CURRENT_USER\\Control Panel\\International\\User Profile\\Languages",
          "content": "\\x00\\x00"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,990",
        "eid": 1005,
        "data": {
          "regkey": "HKEY_CURRENT_USER\\Control Panel\\International\\Geo\\Nation",
          "content": "12"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,990",
        "eid": 1006,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.Tiles.TileStore\\ActivationType",
          "content": "0"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,990",
        "eid": 1007,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.Tiles.TileStore\\Server",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,990",
        "eid": 1008,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.Tiles.TileStore\\DllPath",
          "content": "C:\\Windows\\System32\\TileDataRepository.dll"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,990",
        "eid": 1009,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.Tiles.TileStore\\Threading",
          "content": "0"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,990",
        "eid": 1010,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.Tiles.TileStore\\TrustLevel",
          "content": "0"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,990",
        "eid": 1011,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.Tiles.TileStore\\RemoteServer",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,990",
        "eid": 1012,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.Tiles.TileStore\\ActivateAsUser",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,990",
        "eid": 1013,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.Tiles.TileStore\\ActivateInSharedBroker",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,990",
        "eid": 1014,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.Tiles.TileStore\\ActivateInBrokerForMediumILContainer",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,990",
        "eid": 1015,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.Tiles.TileStore\\Permissions",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:57,990",
        "eid": 1016,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.Tiles.TileStore\\ActivateOnHostFlags",
          "content": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:57,990",
        "eid": 1017,
        "data": {
          "file": "C:\\Windows\\System32\\TileDataRepository.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc61260000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:57,990",
        "eid": 1018,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,006",
        "eid": 1019,
        "data": {
          "file": "ntdll.dll",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,006",
        "eid": 1020,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.User\\ActivationType",
          "content": "1"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,006",
        "eid": 1021,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.User\\Server",
          "content": "StateRepository"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,006",
        "eid": 1022,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.User\\DllPath",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,006",
        "eid": 1023,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.User\\Threading",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,006",
        "eid": 1024,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.User\\TrustLevel",
          "content": "0"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,006",
        "eid": 1025,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.User\\RemoteServer",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,006",
        "eid": 1026,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.User\\ActivateAsUser",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,006",
        "eid": 1027,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.User\\ActivateInSharedBroker",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,006",
        "eid": 1028,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.User\\ActivateInBrokerForMediumILContainer",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,006",
        "eid": 1029,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.User\\Permissions",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,006",
        "eid": 1030,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.User\\ActivateOnHostFlags",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,006",
        "eid": 1031,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{84103ccb-2fd7-4d6c-962e-5d8582b4c720}\\ProxyStubClsid32\\(Default)",
          "content": "{c53e07ec-25f3-4093-aa39-fc67ea22e99d}"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,006",
        "eid": 1032,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{5232f8ea-49c7-4840-bfbb-66e785689e88}\\ProxyStubClsid32\\(Default)",
          "content": "{c53e07ec-25f3-4093-aa39-fc67ea22e99d}"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,006",
        "eid": 1033,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.TileView\\ActivationType",
          "content": "1"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,006",
        "eid": 1034,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.TileView\\Server",
          "content": "StateRepository"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,006",
        "eid": 1035,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.TileView\\DllPath",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,006",
        "eid": 1036,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.TileView\\Threading",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,006",
        "eid": 1037,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.TileView\\TrustLevel",
          "content": "0"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,006",
        "eid": 1038,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.TileView\\RemoteServer",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,006",
        "eid": 1039,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.TileView\\ActivateAsUser",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,006",
        "eid": 1040,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.TileView\\ActivateInSharedBroker",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,006",
        "eid": 1041,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.TileView\\ActivateInBrokerForMediumILContainer",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,006",
        "eid": 1042,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.TileView\\Permissions",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,006",
        "eid": 1043,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.TileView\\ActivateOnHostFlags",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,006",
        "eid": 1044,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{6d3bc882-23a4-4706-b8fa-fc7de2fc325d}\\ProxyStubClsid32\\(Default)",
          "content": "{c53e07ec-25f3-4093-aa39-fc67ea22e99d}"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,006",
        "eid": 1045,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.Tiles.TileQueryFilter\\ActivationType",
          "content": "0"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,006",
        "eid": 1046,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.Tiles.TileQueryFilter\\Server",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,006",
        "eid": 1047,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.Tiles.TileQueryFilter\\DllPath",
          "content": "C:\\Windows\\System32\\TileDataRepository.dll"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,006",
        "eid": 1048,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.Tiles.TileQueryFilter\\Threading",
          "content": "0"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,006",
        "eid": 1049,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.Tiles.TileQueryFilter\\TrustLevel",
          "content": "0"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,006",
        "eid": 1050,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.Tiles.TileQueryFilter\\RemoteServer",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,006",
        "eid": 1051,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.Tiles.TileQueryFilter\\ActivateAsUser",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,006",
        "eid": 1052,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.Tiles.TileQueryFilter\\ActivateInSharedBroker",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,006",
        "eid": 1053,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.Tiles.TileQueryFilter\\ActivateInBrokerForMediumILContainer",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,006",
        "eid": 1054,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.Tiles.TileQueryFilter\\Permissions",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,006",
        "eid": 1055,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.Tiles.TileQueryFilter\\ActivateOnHostFlags",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,006",
        "eid": 1056,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.TileViewQueryFilter\\ActivationType",
          "content": "1"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,006",
        "eid": 1057,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.TileViewQueryFilter\\Server",
          "content": "StateRepository"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,006",
        "eid": 1058,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.TileViewQueryFilter\\DllPath",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,006",
        "eid": 1059,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.TileViewQueryFilter\\Threading",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,006",
        "eid": 1060,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.TileViewQueryFilter\\TrustLevel",
          "content": "0"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,006",
        "eid": 1061,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.TileViewQueryFilter\\RemoteServer",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,006",
        "eid": 1062,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.TileViewQueryFilter\\ActivateAsUser",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,006",
        "eid": 1063,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.TileViewQueryFilter\\ActivateInSharedBroker",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,006",
        "eid": 1064,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.TileViewQueryFilter\\ActivateInBrokerForMediumILContainer",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,006",
        "eid": 1065,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.TileViewQueryFilter\\Permissions",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,006",
        "eid": 1066,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.TileViewQueryFilter\\ActivateOnHostFlags",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,006",
        "eid": 1067,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{e3dd5d31-892e-4ad6-9ce9-8fe1f185047b}\\ProxyStubClsid32\\(Default)",
          "content": "{c53e07ec-25f3-4093-aa39-fc67ea22e99d}"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,006",
        "eid": 1068,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{6a905a4b-cd66-5c7c-ab57-f5eb16c97257}\\ProxyStubClsid32\\(Default)",
          "content": "{c53e07ec-25f3-4093-aa39-fc67ea22e99d}"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,006",
        "eid": 1069,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{2be22368-4c98-5e9f-ac2b-de493c0c3e43}\\ProxyStubClsid32\\(Default)",
          "content": "{c53e07ec-25f3-4093-aa39-fc67ea22e99d}"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,006",
        "eid": 1070,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{f502008f-7a0e-5757-8e65-ebad2e5a0e21}\\ProxyStubClsid32\\(Default)",
          "content": "{c53e07ec-25f3-4093-aa39-fc67ea22e99d}"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,006",
        "eid": 1071,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{19ad9e30-89f3-48f6-9c50-e34a59494544}\\ProxyStubClsid32\\(Default)",
          "content": "{c53e07ec-25f3-4093-aa39-fc67ea22e99d}"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,006",
        "eid": 1072,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{8a43ed9f-f4e6-4421-acf9-1dab2986820c}\\ProxyStubClsid32\\(Default)",
          "content": "{11659a23-5884-4d1b-9cf6-67d6f4f90b36}"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,006",
        "eid": 1073,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{11659a23-5884-4d1b-9cf6-67d6f4f90b36}\\ActivateOnHostFlags",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,006",
        "eid": 1074,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{11659a23-5884-4d1b-9cf6-67d6f4f90b36}\\(Default)",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,006",
        "eid": 1075,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{11659a23-5884-4d1b-9cf6-67d6f4f90b36}\\(Default)",
          "content": "Ptype_PSFactory"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,006",
        "eid": 1076,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{11659a23-5884-4d1b-9cf6-67d6f4f90b36}\\InProcServer32\\InprocServer32",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,006",
        "eid": 1077,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{11659a23-5884-4d1b-9cf6-67d6f4f90b36}\\InProcServer32\\(Default)",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,006",
        "eid": 1078,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{11659a23-5884-4d1b-9cf6-67d6f4f90b36}\\InProcServer32\\(Default)",
          "content": "C:\\Windows\\System32\\WinTypes.dll"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,006",
        "eid": 1079,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{11659a23-5884-4d1b-9cf6-67d6f4f90b36}\\InProcServer32\\ThreadingModel",
          "content": "Both"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,006",
        "eid": 1080,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{11659a23-5884-4d1b-9cf6-67d6f4f90b36}\\ActivateOnHostFlags",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,006",
        "eid": 1081,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{11659a23-5884-4d1b-9cf6-67d6f4f90b36}\\(Default)",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,006",
        "eid": 1082,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{11659a23-5884-4d1b-9cf6-67d6f4f90b36}\\(Default)",
          "content": "Ptype_PSFactory"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,006",
        "eid": 1083,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{11659a23-5884-4d1b-9cf6-67d6f4f90b36}\\InProcServer32\\InprocServer32",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,006",
        "eid": 1084,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{11659a23-5884-4d1b-9cf6-67d6f4f90b36}\\InProcServer32\\(Default)",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,006",
        "eid": 1085,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{11659a23-5884-4d1b-9cf6-67d6f4f90b36}\\InProcServer32\\(Default)",
          "content": "C:\\Windows\\System32\\WinTypes.dll"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,006",
        "eid": 1086,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{11659a23-5884-4d1b-9cf6-67d6f4f90b36}\\InProcServer32\\ThreadingModel",
          "content": "Both"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,006",
        "eid": 1087,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{11659a23-5884-4d1b-9cf6-67d6f4f90b36}\\AppID",
          "content": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,006",
        "eid": 1088,
        "data": {
          "file": "C:\\Windows\\System32\\WinTypes.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc71ec0000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,006",
        "eid": 1089,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,006",
        "eid": 1090,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{3bed20a5-6dee-4297-b976-3b30df69a7aa}\\ProxyStubClsid32\\(Default)",
          "content": "{c53e07ec-25f3-4093-aa39-fc67ea22e99d}"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,006",
        "eid": 1091,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{195f5943-0c04-4eab-b907-735817fdac77}\\ProxyStubClsid32\\(Default)",
          "content": "{c53e07ec-25f3-4093-aa39-fc67ea22e99d}"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,006",
        "eid": 1092,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\Package\\Data\\1f\\InstalledLocation",
          "content": "C:\\Windows\\SystemApps\\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,006",
        "eid": 1093,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\Package\\Data\\1f\\MutableLink",
          "content": ""
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,006",
        "eid": 1094,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\Package\\Data\\1f\\InstalledLocation",
          "content": "C:\\Windows\\SystemApps\\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,006",
        "eid": 1095,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\Package\\Data\\1f\\MutableLink",
          "content": ""
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,006",
        "eid": 1096,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{1b0d3570-0877-5ec2-8a2c-3b9539506aca}\\ProxyStubClsid32\\(Default)",
          "content": "{11659a23-5884-4d1b-9cf6-67d6f4f90b36}"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,021",
        "eid": 1097,
        "data": {
          "file": "ntdll.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc77fd0000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,021",
        "eid": 1098,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,021",
        "eid": 1099,
        "data": {
          "regkey": "HKEY_CURRENT_USER\\Software\\Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\Repository\\Packages\\Microsoft.Windows.StartMenuExperienceHost_10.0.19041.3636_neutral_neutral_cw5n1h2txyewy\\PackageStatus",
          "content": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,021",
        "eid": 1100,
        "data": {
          "file": "C:\\Windows\\System32\\MrmCoreR.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc6a120000"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,021",
        "eid": 1101,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\Package\\Data\\1f\\PackageOrigin",
          "content": "2"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,021",
        "eid": 1102,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\Package\\Data\\1f\\InstalledLocation",
          "content": "C:\\Windows\\SystemApps\\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,021",
        "eid": 1103,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\Package\\Data\\1f\\MutableLink",
          "content": ""
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,021",
        "eid": 1104,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\Package\\Data\\1f\\Flags",
          "content": "1032"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,021",
        "eid": 1105,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\Package\\Data\\1f\\InstalledLocation",
          "content": "C:\\Windows\\SystemApps\\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,021",
        "eid": 1106,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.UI.Core.CoreWindow\\ActivationType",
          "content": "0"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,021",
        "eid": 1107,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.UI.Core.CoreWindow\\Server",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,021",
        "eid": 1108,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.UI.Core.CoreWindow\\DllPath",
          "content": "C:\\Windows\\System32\\Windows.UI.dll"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,021",
        "eid": 1109,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.UI.Core.CoreWindow\\Threading",
          "content": "0"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,021",
        "eid": 1110,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.UI.Core.CoreWindow\\TrustLevel",
          "content": "0"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,021",
        "eid": 1111,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.UI.Core.CoreWindow\\RemoteServer",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,021",
        "eid": 1112,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.UI.Core.CoreWindow\\ActivateAsUser",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,021",
        "eid": 1113,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.UI.Core.CoreWindow\\ActivateInSharedBroker",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,021",
        "eid": 1114,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.UI.Core.CoreWindow\\ActivateInBrokerForMediumILContainer",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,021",
        "eid": 1115,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.UI.Core.CoreWindow\\Permissions",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,021",
        "eid": 1116,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.UI.Core.CoreWindow\\ActivateOnHostFlags",
          "content": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,021",
        "eid": 1117,
        "data": {
          "file": "C:\\Windows\\System32\\Windows.UI.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc69fd0000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,021",
        "eid": 1118,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,037",
        "eid": 1119,
        "data": {
          "file": "ntdll.dll",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,037",
        "eid": 1120,
        "data": {
          "file": "ntdll.dll",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,037",
        "eid": 1121,
        "data": {
          "file": "user32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc762a0000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,037",
        "eid": 1122,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,037",
        "eid": 1123,
        "data": {
          "regkey": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Internet Explorer\\Main\\FrameTabWindow",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,037",
        "eid": 1124,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Internet Explorer\\Main\\FrameTabWindow",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,037",
        "eid": 1125,
        "data": {
          "regkey": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Internet Explorer\\Main\\FrameMerging",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,037",
        "eid": 1126,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Internet Explorer\\Main\\FrameMerging",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,037",
        "eid": 1127,
        "data": {
          "regkey": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Internet Explorer\\Main\\SessionMerging",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,037",
        "eid": 1128,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Internet Explorer\\Main\\SessionMerging",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,037",
        "eid": 1129,
        "data": {
          "regkey": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Internet Explorer\\Main\\AdminTabProcs",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,037",
        "eid": 1130,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Internet Explorer\\Main\\AdminTabProcs",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,037",
        "eid": 1131,
        "data": {
          "regkey": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Internet Explorer\\Security\\RunBinaryControlHostProcessInSeparateAppContainer",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,037",
        "eid": 1132,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Internet Explorer\\Security\\RunBinaryControlHostProcessInSeparateAppContainer",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,037",
        "eid": 1133,
        "data": {
          "regkey": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Internet Explorer\\Main\\TabProcGrowth",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,037",
        "eid": 1134,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Internet Explorer\\Main\\TabProcGrowth",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,037",
        "eid": 1135,
        "data": {
          "regkey": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Internet Explorer\\Main\\TabProcGrowth",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,037",
        "eid": 1136,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Internet Explorer\\Main\\TabProcGrowth",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,037",
        "eid": 1137,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\CreateUriCacheSize",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,037",
        "eid": 1138,
        "data": {
          "regkey": "HKEY_CURRENT_USER\\SOFTWARE\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\CreateUriCacheSize",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,037",
        "eid": 1139,
        "data": {
          "regkey": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\CreateUriCacheSize",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,037",
        "eid": 1140,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\CreateUriCacheSize",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,037",
        "eid": 1141,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\EnablePunycode",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,037",
        "eid": 1142,
        "data": {
          "regkey": "HKEY_CURRENT_USER\\SOFTWARE\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\EnablePunycode",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,037",
        "eid": 1143,
        "data": {
          "regkey": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\EnablePunycode",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,037",
        "eid": 1144,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\EnablePunycode",
          "content": "1"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,037",
        "eid": 1145,
        "data": {
          "regkey": "HKEY_CURRENT_USER\\Control Panel\\International\\User Profile\\Languages",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,037",
        "eid": 1146,
        "data": {
          "regkey": "HKEY_CURRENT_USER\\Control Panel\\International\\User Profile\\Languages",
          "content": "\\x00\\x00"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,037",
        "eid": 1147,
        "data": {
          "file": "bcrypt.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc75e00000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,037",
        "eid": 1148,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,037",
        "eid": 1149,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\Package\\Data\\1f\\PackageOrigin",
          "content": "2"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,037",
        "eid": 1150,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\Package\\Data\\1f\\InstalledLocation",
          "content": "C:\\Windows\\SystemApps\\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,037",
        "eid": 1151,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\Package\\Data\\1f\\MutableLink",
          "content": ""
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,037",
        "eid": 1152,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\Package\\Data\\1f\\Flags",
          "content": "1032"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,037",
        "eid": 1153,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\Package\\Data\\1f\\InstalledLocation",
          "content": "C:\\Windows\\SystemApps\\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,053",
        "eid": 1154,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.Application\\ActivationType",
          "content": "1"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,053",
        "eid": 1155,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.Application\\Server",
          "content": "StateRepository"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,053",
        "eid": 1156,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.Application\\DllPath",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,053",
        "eid": 1157,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.Application\\Threading",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,053",
        "eid": 1158,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.Application\\TrustLevel",
          "content": "0"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,053",
        "eid": 1159,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.Application\\RemoteServer",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,053",
        "eid": 1160,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.Application\\ActivateAsUser",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,053",
        "eid": 1161,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.Application\\ActivateInSharedBroker",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,053",
        "eid": 1162,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.Application\\ActivateInBrokerForMediumILContainer",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,053",
        "eid": 1163,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.Application\\Permissions",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,053",
        "eid": 1164,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.Application\\ActivateOnHostFlags",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,053",
        "eid": 1165,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{d81e96f1-a89c-417e-9335-59531026309d}\\ProxyStubClsid32\\(Default)",
          "content": "{c53e07ec-25f3-4093-aa39-fc67ea22e99d}"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,053",
        "eid": 1166,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{8da928c9-4266-55d4-947a-48be47300831}\\ProxyStubClsid32\\(Default)",
          "content": "{c53e07ec-25f3-4093-aa39-fc67ea22e99d}"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,053",
        "eid": 1167,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,053",
        "eid": 1168,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,068",
        "eid": 1169,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,068",
        "eid": 1170,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,068",
        "eid": 1171,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\Package\\Data\\1a\\InstalledLocation",
          "content": "C:\\Windows\\SystemApps\\Microsoft.Windows.Search_cw5n1h2txyewy"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,068",
        "eid": 1172,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\Package\\Data\\1a\\MutableLink",
          "content": ""
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,068",
        "eid": 1173,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\Package\\Data\\1a\\InstalledLocation",
          "content": "C:\\Windows\\SystemApps\\Microsoft.Windows.Search_cw5n1h2txyewy"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,068",
        "eid": 1174,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\Package\\Data\\1a\\MutableLink",
          "content": ""
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,068",
        "eid": 1175,
        "data": {
          "regkey": "HKEY_CURRENT_USER\\Software\\Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\Repository\\Packages\\Microsoft.Windows.Search_1.14.10.19041_neutral_neutral_cw5n1h2txyewy\\PackageStatus",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,068",
        "eid": 1176,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\Package\\Data\\1a\\PackageOrigin",
          "content": "2"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,068",
        "eid": 1177,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\Package\\Data\\1a\\InstalledLocation",
          "content": "C:\\Windows\\SystemApps\\Microsoft.Windows.Search_cw5n1h2txyewy"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,068",
        "eid": 1178,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\Package\\Data\\1a\\MutableLink",
          "content": ""
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,068",
        "eid": 1179,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\Package\\Data\\1a\\Flags",
          "content": "1032"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,068",
        "eid": 1180,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\Package\\Data\\1a\\InstalledLocation",
          "content": "C:\\Windows\\SystemApps\\Microsoft.Windows.Search_cw5n1h2txyewy"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,068",
        "eid": 1181,
        "data": {
          "regkey": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Accent\\AccentPalette",
          "content": "\\xa6\\xd8\\xff\\x00v\\xb9\\xed\\x00B\\x9c\\xe3\\x00\\x00x\\xd7\\x00\\x00Z\\x9e\\x00\\x00Bu\\x00\\x00&B\\x00\\xf7c\\x0c\\x00"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,084",
        "eid": 1182,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\Package\\Data\\1a\\PackageOrigin",
          "content": "2"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,084",
        "eid": 1183,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\Package\\Data\\1a\\InstalledLocation",
          "content": "C:\\Windows\\SystemApps\\Microsoft.Windows.Search_cw5n1h2txyewy"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,084",
        "eid": 1184,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\Package\\Data\\1a\\MutableLink",
          "content": ""
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,084",
        "eid": 1185,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\Package\\Data\\1a\\Flags",
          "content": "1032"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,084",
        "eid": 1186,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\Package\\Data\\1a\\InstalledLocation",
          "content": "C:\\Windows\\SystemApps\\Microsoft.Windows.Search_cw5n1h2txyewy"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,084",
        "eid": 1187,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,084",
        "eid": 1188,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,084",
        "eid": 1189,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,084",
        "eid": 1190,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,084",
        "eid": 1191,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,100",
        "eid": 1192,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,100",
        "eid": 1193,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,100",
        "eid": 1194,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,100",
        "eid": 1195,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,100",
        "eid": 1196,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,100",
        "eid": 1197,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,100",
        "eid": 1198,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,100",
        "eid": 1199,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,100",
        "eid": 1200,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,100",
        "eid": 1201,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,100",
        "eid": 1202,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,100",
        "eid": 1203,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,100",
        "eid": 1204,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,100",
        "eid": 1205,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,100",
        "eid": 1206,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,115",
        "eid": 1207,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,115",
        "eid": 1208,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,115",
        "eid": 1209,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,115",
        "eid": 1210,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,115",
        "eid": 1211,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,115",
        "eid": 1212,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,115",
        "eid": 1213,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,115",
        "eid": 1214,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,115",
        "eid": 1215,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,115",
        "eid": 1216,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,115",
        "eid": 1217,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,115",
        "eid": 1218,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,131",
        "eid": 1219,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\Package\\Data\\22\\InstalledLocation",
          "content": "C:\\Windows\\SystemApps\\MicrosoftWindows.Client.CBS_cw5n1h2txyewy"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,131",
        "eid": 1220,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\Package\\Data\\22\\MutableLink",
          "content": ""
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,131",
        "eid": 1221,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\Package\\Data\\22\\InstalledLocation",
          "content": "C:\\Windows\\SystemApps\\MicrosoftWindows.Client.CBS_cw5n1h2txyewy"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,131",
        "eid": 1222,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\Package\\Data\\22\\MutableLink",
          "content": ""
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,131",
        "eid": 1223,
        "data": {
          "regkey": "HKEY_CURRENT_USER\\Software\\Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\Repository\\Packages\\MicrosoftWindows.Client.CBS_1000.19053.1000.0_x64__cw5n1h2txyewy\\PackageStatus",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,131",
        "eid": 1224,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\Package\\Data\\22\\PackageOrigin",
          "content": "2"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,131",
        "eid": 1225,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\Package\\Data\\22\\InstalledLocation",
          "content": "C:\\Windows\\SystemApps\\MicrosoftWindows.Client.CBS_cw5n1h2txyewy"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,131",
        "eid": 1226,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\Package\\Data\\22\\MutableLink",
          "content": ""
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,131",
        "eid": 1227,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\Package\\Data\\22\\Flags",
          "content": "8913992"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,131",
        "eid": 1228,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\Package\\Data\\22\\InstalledLocation",
          "content": "C:\\Windows\\SystemApps\\MicrosoftWindows.Client.CBS_cw5n1h2txyewy"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,131",
        "eid": 1229,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,131",
        "eid": 1230,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,131",
        "eid": 1231,
        "data": {
          "file": "shell32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc76730000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,131",
        "eid": 1232,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,131",
        "eid": 1233,
        "data": {
          "file": "shell32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc76730000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,131",
        "eid": 1234,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,131",
        "eid": 1235,
        "data": {
          "file": "shell32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc76730000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,131",
        "eid": 1236,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,146",
        "eid": 1237,
        "data": {
          "file": "shell32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc76730000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,146",
        "eid": 1238,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,146",
        "eid": 1239,
        "data": {
          "file": "oleaut32.dll",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,146",
        "eid": 1240,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,146",
        "eid": 1241,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,146",
        "eid": 1242,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,146",
        "eid": 1243,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,146",
        "eid": 1244,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,146",
        "eid": 1245,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\Package\\Data\\22\\PackageOrigin",
          "content": "2"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,146",
        "eid": 1246,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\Package\\Data\\22\\InstalledLocation",
          "content": "C:\\Windows\\SystemApps\\MicrosoftWindows.Client.CBS_cw5n1h2txyewy"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,146",
        "eid": 1247,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\Package\\Data\\22\\MutableLink",
          "content": ""
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,146",
        "eid": 1248,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\Package\\Data\\22\\Flags",
          "content": "8913992"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,146",
        "eid": 1249,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\Package\\Data\\22\\InstalledLocation",
          "content": "C:\\Windows\\SystemApps\\MicrosoftWindows.Client.CBS_cw5n1h2txyewy"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,146",
        "eid": 1250,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\Package\\Data\\1a\\PackageOrigin",
          "content": "2"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,146",
        "eid": 1251,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\Package\\Data\\1a\\InstalledLocation",
          "content": "C:\\Windows\\SystemApps\\Microsoft.Windows.Search_cw5n1h2txyewy"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,146",
        "eid": 1252,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\Package\\Data\\1a\\MutableLink",
          "content": ""
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,146",
        "eid": 1253,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\Package\\Data\\1a\\Flags",
          "content": "1032"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,146",
        "eid": 1254,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\Package\\Data\\1a\\InstalledLocation",
          "content": "C:\\Windows\\SystemApps\\Microsoft.Windows.Search_cw5n1h2txyewy"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,146",
        "eid": 1255,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\Package\\Data\\1f\\PackageOrigin",
          "content": "2"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,146",
        "eid": 1256,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\Package\\Data\\1f\\InstalledLocation",
          "content": "C:\\Windows\\SystemApps\\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,146",
        "eid": 1257,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\Package\\Data\\1f\\MutableLink",
          "content": ""
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,146",
        "eid": 1258,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\Package\\Data\\1f\\Flags",
          "content": "1032"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,146",
        "eid": 1259,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\Package\\Data\\1f\\InstalledLocation",
          "content": "C:\\Windows\\SystemApps\\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,162",
        "eid": 1260,
        "data": {
          "file": "api-ms-win-security-systemfunctions-l1-1-0",
          "pathtofile": null,
          "moduleaddress": "0x7ffc771e0000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,162",
        "eid": 1261,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "findwindow",
        "object": "windowname",
        "timestamp": "2026-05-28 22:01:58,162",
        "eid": 1262,
        "data": {
          "classname": "Shell_TrayWnd",
          "windowname": ""
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,162",
        "eid": 1263,
        "data": {
          "file": "C:\\Windows\\System32\\windowscodecs.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc701e0000"
        }
      },
      {
        "event": "read",
        "object": "file",
        "timestamp": "2026-05-28 22:01:58,162",
        "eid": 1264,
        "data": {
          "file": "C:\\ProgramData\\Microsoft\\User Account Pictures\\user.png"
        }
      },
      {
        "event": "read",
        "object": "file",
        "timestamp": "2026-05-28 22:01:58,162",
        "eid": 1265,
        "data": {
          "file": "C:\\ProgramData\\Microsoft\\User Account Pictures\\user.png"
        }
      },
      {
        "event": "read",
        "object": "file",
        "timestamp": "2026-05-28 22:01:58,162",
        "eid": 1266,
        "data": {
          "file": "C:\\ProgramData\\Microsoft\\User Account Pictures\\user.png"
        }
      },
      {
        "event": "read",
        "object": "file",
        "timestamp": "2026-05-28 22:01:58,162",
        "eid": 1267,
        "data": {
          "file": "C:\\ProgramData\\Microsoft\\User Account Pictures\\user.png"
        }
      },
      {
        "event": "read",
        "object": "file",
        "timestamp": "2026-05-28 22:01:58,162",
        "eid": 1268,
        "data": {
          "file": "C:\\ProgramData\\Microsoft\\User Account Pictures\\user.png"
        }
      },
      {
        "event": "read",
        "object": "file",
        "timestamp": "2026-05-28 22:01:58,162",
        "eid": 1269,
        "data": {
          "file": "C:\\ProgramData\\Microsoft\\User Account Pictures\\user.png"
        }
      },
      {
        "event": "read",
        "object": "file",
        "timestamp": "2026-05-28 22:01:58,162",
        "eid": 1270,
        "data": {
          "file": "C:\\ProgramData\\Microsoft\\User Account Pictures\\user.png"
        }
      },
      {
        "event": "read",
        "object": "file",
        "timestamp": "2026-05-28 22:01:58,178",
        "eid": 1271,
        "data": {
          "file": "C:\\ProgramData\\Microsoft\\User Account Pictures\\user.png"
        }
      },
      {
        "event": "read",
        "object": "file",
        "timestamp": "2026-05-28 22:01:58,178",
        "eid": 1272,
        "data": {
          "file": "C:\\ProgramData\\Microsoft\\User Account Pictures\\user.png"
        }
      },
      {
        "event": "read",
        "object": "file",
        "timestamp": "2026-05-28 22:01:58,178",
        "eid": 1273,
        "data": {
          "file": "C:\\ProgramData\\Microsoft\\User Account Pictures\\user.png"
        }
      },
      {
        "event": "create",
        "object": "dir",
        "timestamp": "2026-05-28 22:01:58,178",
        "eid": 1274,
        "data": {
          "file": "C:\\Users\\admin"
        }
      },
      {
        "event": "create",
        "object": "dir",
        "timestamp": "2026-05-28 22:01:58,178",
        "eid": 1275,
        "data": {
          "file": "C:\\Users\\admin\\AppData\\Local"
        }
      },
      {
        "event": "create",
        "object": "dir",
        "timestamp": "2026-05-28 22:01:58,178",
        "eid": 1276,
        "data": {
          "file": "C:\\Users\\admin\\AppData\\Local\\Microsoft\\Windows\\Explorer"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,225",
        "eid": 1277,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,225",
        "eid": 1278,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,225",
        "eid": 1279,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,225",
        "eid": 1280,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,225",
        "eid": 1281,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,225",
        "eid": 1282,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,240",
        "eid": 1283,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,240",
        "eid": 1284,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,240",
        "eid": 1285,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,240",
        "eid": 1286,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "read",
        "object": "file",
        "timestamp": "2026-05-28 22:01:58,256",
        "eid": 1287,
        "data": {
          "file": "C:\\Windows\\SystemApps\\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\\Assets\\SmallLogo.scale-100.png"
        }
      },
      {
        "event": "read",
        "object": "file",
        "timestamp": "2026-05-28 22:01:58,256",
        "eid": 1288,
        "data": {
          "file": "C:\\Windows\\SystemApps\\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\\Assets\\SmallLogo.scale-100.png"
        }
      },
      {
        "event": "read",
        "object": "file",
        "timestamp": "2026-05-28 22:01:58,256",
        "eid": 1289,
        "data": {
          "file": "C:\\Windows\\SystemApps\\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\\Assets\\SmallLogo.scale-100.png"
        }
      },
      {
        "event": "read",
        "object": "file",
        "timestamp": "2026-05-28 22:01:58,256",
        "eid": 1290,
        "data": {
          "file": "C:\\Windows\\SystemApps\\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\\Assets\\SmallLogo.scale-100.png"
        }
      },
      {
        "event": "read",
        "object": "file",
        "timestamp": "2026-05-28 22:01:58,271",
        "eid": 1291,
        "data": {
          "file": "C:\\Windows\\SystemApps\\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\\Assets\\SmallLogo.scale-100.png"
        }
      },
      {
        "event": "read",
        "object": "file",
        "timestamp": "2026-05-28 22:01:58,271",
        "eid": 1292,
        "data": {
          "file": "C:\\Windows\\SystemApps\\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\\Assets\\SmallLogo.scale-100.png"
        }
      },
      {
        "event": "read",
        "object": "file",
        "timestamp": "2026-05-28 22:01:58,271",
        "eid": 1293,
        "data": {
          "file": "C:\\Windows\\SystemApps\\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\\Assets\\SmallLogo.scale-100.png"
        }
      },
      {
        "event": "read",
        "object": "file",
        "timestamp": "2026-05-28 22:01:58,271",
        "eid": 1294,
        "data": {
          "file": "C:\\Windows\\SystemApps\\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\\Assets\\SmallLogo.scale-100.png"
        }
      },
      {
        "event": "read",
        "object": "file",
        "timestamp": "2026-05-28 22:01:58,271",
        "eid": 1295,
        "data": {
          "file": "C:\\Windows\\SystemApps\\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\\Assets\\SmallLogo.scale-100.png"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,271",
        "eid": 1296,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,271",
        "eid": 1297,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "read",
        "object": "file",
        "timestamp": "2026-05-28 22:01:58,271",
        "eid": 1298,
        "data": {
          "file": "C:\\Windows\\SystemApps\\Microsoft.Windows.Search_cw5n1h2txyewy\\Assets\\Icons\\AppListIcon.scale-100.png"
        }
      },
      {
        "event": "read",
        "object": "file",
        "timestamp": "2026-05-28 22:01:58,271",
        "eid": 1299,
        "data": {
          "file": "C:\\Windows\\SystemApps\\Microsoft.Windows.Search_cw5n1h2txyewy\\Assets\\Icons\\AppListIcon.scale-100.png"
        }
      },
      {
        "event": "read",
        "object": "file",
        "timestamp": "2026-05-28 22:01:58,287",
        "eid": 1300,
        "data": {
          "file": "C:\\Windows\\SystemApps\\Microsoft.Windows.Search_cw5n1h2txyewy\\Assets\\Icons\\AppListIcon.scale-100.png"
        }
      },
      {
        "event": "read",
        "object": "file",
        "timestamp": "2026-05-28 22:01:58,287",
        "eid": 1301,
        "data": {
          "file": "C:\\Windows\\SystemApps\\Microsoft.Windows.Search_cw5n1h2txyewy\\Assets\\Icons\\AppListIcon.scale-100.png"
        }
      },
      {
        "event": "read",
        "object": "file",
        "timestamp": "2026-05-28 22:01:58,287",
        "eid": 1302,
        "data": {
          "file": "C:\\Windows\\SystemApps\\Microsoft.Windows.Search_cw5n1h2txyewy\\Assets\\Icons\\AppListIcon.scale-100.png"
        }
      },
      {
        "event": "read",
        "object": "file",
        "timestamp": "2026-05-28 22:01:58,287",
        "eid": 1303,
        "data": {
          "file": "C:\\Windows\\SystemApps\\Microsoft.Windows.Search_cw5n1h2txyewy\\Assets\\Icons\\AppListIcon.scale-100.png"
        }
      },
      {
        "event": "read",
        "object": "file",
        "timestamp": "2026-05-28 22:01:58,287",
        "eid": 1304,
        "data": {
          "file": "C:\\Windows\\SystemApps\\Microsoft.Windows.Search_cw5n1h2txyewy\\Assets\\Icons\\AppListIcon.scale-100.png"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,287",
        "eid": 1305,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,287",
        "eid": 1306,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,287",
        "eid": 1307,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,287",
        "eid": 1308,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "read",
        "object": "file",
        "timestamp": "2026-05-28 22:01:58,303",
        "eid": 1309,
        "data": {
          "file": "C:\\Windows\\SystemApps\\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\\Assets\\SquareLogo44x44.scale-100.png"
        }
      },
      {
        "event": "read",
        "object": "file",
        "timestamp": "2026-05-28 22:01:58,303",
        "eid": 1310,
        "data": {
          "file": "C:\\Windows\\SystemApps\\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\\Assets\\SquareLogo44x44.scale-100.png"
        }
      },
      {
        "event": "read",
        "object": "file",
        "timestamp": "2026-05-28 22:01:58,303",
        "eid": 1311,
        "data": {
          "file": "C:\\Windows\\SystemApps\\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\\Assets\\SquareLogo44x44.scale-100.png"
        }
      },
      {
        "event": "read",
        "object": "file",
        "timestamp": "2026-05-28 22:01:58,303",
        "eid": 1312,
        "data": {
          "file": "C:\\Windows\\SystemApps\\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\\Assets\\SquareLogo44x44.scale-100.png"
        }
      },
      {
        "event": "read",
        "object": "file",
        "timestamp": "2026-05-28 22:01:58,303",
        "eid": 1313,
        "data": {
          "file": "C:\\Windows\\SystemApps\\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\\Assets\\SquareLogo44x44.scale-100.png"
        }
      },
      {
        "event": "read",
        "object": "file",
        "timestamp": "2026-05-28 22:01:58,303",
        "eid": 1314,
        "data": {
          "file": "C:\\Windows\\SystemApps\\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\\Assets\\SquareLogo44x44.scale-100.png"
        }
      },
      {
        "event": "read",
        "object": "file",
        "timestamp": "2026-05-28 22:01:58,303",
        "eid": 1315,
        "data": {
          "file": "C:\\Windows\\SystemApps\\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\\Assets\\SquareLogo44x44.scale-100.png"
        }
      },
      {
        "event": "read",
        "object": "file",
        "timestamp": "2026-05-28 22:01:58,303",
        "eid": 1316,
        "data": {
          "file": "C:\\Windows\\SystemApps\\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\\Assets\\SquareLogo44x44.scale-100.png"
        }
      },
      {
        "event": "read",
        "object": "file",
        "timestamp": "2026-05-28 22:01:58,303",
        "eid": 1317,
        "data": {
          "file": "C:\\Windows\\SystemApps\\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\\Assets\\SquareLogo44x44.scale-100.png"
        }
      },
      {
        "event": "read",
        "object": "file",
        "timestamp": "2026-05-28 22:01:58,303",
        "eid": 1318,
        "data": {
          "file": "C:\\Windows\\SystemApps\\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\\Assets\\SquareLogo44x44.scale-100.png"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,303",
        "eid": 1319,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,303",
        "eid": 1320,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "read",
        "object": "file",
        "timestamp": "2026-05-28 22:01:58,303",
        "eid": 1321,
        "data": {
          "file": "C:\\Windows\\SystemApps\\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\\Assets\\SquareLogo44x44.scale-100.png"
        }
      },
      {
        "event": "read",
        "object": "file",
        "timestamp": "2026-05-28 22:01:58,318",
        "eid": 1322,
        "data": {
          "file": "C:\\Windows\\SystemApps\\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\\Assets\\SquareLogo44x44.scale-100.png"
        }
      },
      {
        "event": "read",
        "object": "file",
        "timestamp": "2026-05-28 22:01:58,318",
        "eid": 1323,
        "data": {
          "file": "C:\\Windows\\SystemApps\\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\\Assets\\SquareLogo44x44.scale-100.png"
        }
      },
      {
        "event": "read",
        "object": "file",
        "timestamp": "2026-05-28 22:01:58,318",
        "eid": 1324,
        "data": {
          "file": "C:\\Windows\\SystemApps\\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\\Assets\\SquareLogo44x44.scale-100.png"
        }
      },
      {
        "event": "read",
        "object": "file",
        "timestamp": "2026-05-28 22:01:58,318",
        "eid": 1325,
        "data": {
          "file": "C:\\Windows\\SystemApps\\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\\Assets\\SquareLogo44x44.scale-100.png"
        }
      },
      {
        "event": "read",
        "object": "file",
        "timestamp": "2026-05-28 22:01:58,318",
        "eid": 1326,
        "data": {
          "file": "C:\\Windows\\SystemApps\\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\\Assets\\SquareLogo44x44.scale-100.png"
        }
      },
      {
        "event": "read",
        "object": "file",
        "timestamp": "2026-05-28 22:01:58,318",
        "eid": 1327,
        "data": {
          "file": "C:\\Windows\\SystemApps\\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\\Assets\\SquareLogo44x44.scale-100.png"
        }
      },
      {
        "event": "read",
        "object": "file",
        "timestamp": "2026-05-28 22:01:58,318",
        "eid": 1328,
        "data": {
          "file": "C:\\Windows\\SystemApps\\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\\Assets\\SquareLogo44x44.scale-100.png"
        }
      },
      {
        "event": "read",
        "object": "file",
        "timestamp": "2026-05-28 22:01:58,318",
        "eid": 1329,
        "data": {
          "file": "C:\\Windows\\SystemApps\\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\\Assets\\SquareLogo44x44.scale-100.png"
        }
      },
      {
        "event": "read",
        "object": "file",
        "timestamp": "2026-05-28 22:01:58,318",
        "eid": 1330,
        "data": {
          "file": "C:\\Windows\\SystemApps\\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\\Assets\\SquareLogo44x44.scale-100.png"
        }
      },
      {
        "event": "read",
        "object": "file",
        "timestamp": "2026-05-28 22:01:58,318",
        "eid": 1331,
        "data": {
          "file": "C:\\Windows\\SystemApps\\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\\Assets\\SquareLogo44x44.scale-100.png"
        }
      },
      {
        "event": "read",
        "object": "file",
        "timestamp": "2026-05-28 22:01:58,318",
        "eid": 1332,
        "data": {
          "file": "C:\\Windows\\System32\\RuntimeBroker.exe"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,318",
        "eid": 1333,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\TurnOffSPIAnimations",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "file",
        "timestamp": "2026-05-28 22:01:58,318",
        "eid": 1334,
        "data": {
          "file": "C:\\Windows\\SystemApps\\Microsoft.Windows.Search_cw5n1h2txyewy\\Assets\\Icons\\AppListIcon.scale-100.png"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,334",
        "eid": 1335,
        "data": {
          "file": "user32",
          "pathtofile": null,
          "moduleaddress": "0x7ffc762a0000"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,334",
        "eid": 1336,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\DevQuery\\1\\IdType",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,334",
        "eid": 1337,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\DevQuery\\1\\IdType",
          "content": "String"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,334",
        "eid": 1338,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\DevQuery\\1\\Transport",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,334",
        "eid": 1339,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\DevQuery\\1\\Transport",
          "content": "IOCTL"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,334",
        "eid": 1340,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\DevQuery\\1\\QueryFile",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,334",
        "eid": 1341,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\DevQuery\\1\\QueryFile",
          "content": "\\Device\\DeviceApi\\Dev\\Query"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,334",
        "eid": 1342,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\DevQuery\\1\\NoStateFile",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,334",
        "eid": 1343,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\DevQuery\\1\\NoStateFile",
          "content": "\\Device\\DeviceApi\\Dev\\NoState"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,334",
        "eid": 1344,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\DevQuery\\10\\IdType",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,334",
        "eid": 1345,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\DevQuery\\10\\IdType",
          "content": "String"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,334",
        "eid": 1346,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\DevQuery\\10\\Transport",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,334",
        "eid": 1347,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\DevQuery\\10\\Transport",
          "content": "LRPC"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,334",
        "eid": 1348,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\DevQuery\\10\\UUID",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,334",
        "eid": 1349,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\DevQuery\\10\\UUID",
          "content": "289e5e0f-414a-4de9-8d17-244507fffc07"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,334",
        "eid": 1350,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\DevQuery\\11\\IdType",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,334",
        "eid": 1351,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\DevQuery\\11\\IdType",
          "content": "String"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,334",
        "eid": 1352,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\DevQuery\\11\\Transport",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,334",
        "eid": 1353,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\DevQuery\\11\\Transport",
          "content": "IOCTL"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,334",
        "eid": 1354,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\DevQuery\\11\\QueryFile",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,334",
        "eid": 1355,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\DevQuery\\11\\QueryFile",
          "content": "\\Device\\DeviceApi\\Dev\\Query"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,334",
        "eid": 1356,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\DevQuery\\11\\NoStateFile",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,334",
        "eid": 1357,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\DevQuery\\11\\NoStateFile",
          "content": "\\Device\\DeviceApi\\Dev\\NoState"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,334",
        "eid": 1358,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\DevQuery\\2\\IdType",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,334",
        "eid": 1359,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\DevQuery\\2\\IdType",
          "content": "Uuid"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,334",
        "eid": 1360,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\DevQuery\\2\\Transport",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,334",
        "eid": 1361,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\DevQuery\\2\\Transport",
          "content": "IOCTL"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,334",
        "eid": 1362,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\DevQuery\\2\\QueryFile",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,334",
        "eid": 1363,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\DevQuery\\2\\QueryFile",
          "content": "\\Device\\DeviceApi\\Dev\\Query"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,334",
        "eid": 1364,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\DevQuery\\2\\NoStateFile",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,334",
        "eid": 1365,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\DevQuery\\2\\NoStateFile",
          "content": "\\Device\\DeviceApi\\Dev\\NoState"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,334",
        "eid": 1366,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\DevQuery\\3\\IdType",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,334",
        "eid": 1367,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\DevQuery\\3\\IdType",
          "content": "String"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,334",
        "eid": 1368,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\DevQuery\\3\\Transport",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,334",
        "eid": 1369,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\DevQuery\\3\\Transport",
          "content": "IOCTL"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,334",
        "eid": 1370,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\DevQuery\\3\\QueryFile",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,334",
        "eid": 1371,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\DevQuery\\3\\QueryFile",
          "content": "\\Device\\DeviceApi\\Dev\\Query"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,334",
        "eid": 1372,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\DevQuery\\3\\NoStateFile",
          "content": "\\Device\\DeviceApi\\Dev\\NoState"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,334",
        "eid": 1373,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\DevQuery\\4\\IdType",
          "content": "Uuid"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,334",
        "eid": 1374,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\DevQuery\\4\\Transport",
          "content": "IOCTL"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,334",
        "eid": 1375,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\DevQuery\\4\\QueryFile",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,334",
        "eid": 1376,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\DevQuery\\4\\QueryFile",
          "content": "\\Device\\DeviceApi\\Dev\\Query"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,334",
        "eid": 1377,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\DevQuery\\4\\NoStateFile",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,334",
        "eid": 1378,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\DevQuery\\4\\NoStateFile",
          "content": "\\Device\\DeviceApi\\Dev\\NoState"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,334",
        "eid": 1379,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\DevQuery\\5\\IdType",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,334",
        "eid": 1380,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\DevQuery\\5\\IdType",
          "content": "String"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,334",
        "eid": 1381,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\DevQuery\\5\\Transport",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,334",
        "eid": 1382,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\DevQuery\\5\\Transport",
          "content": "LRPC"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,334",
        "eid": 1383,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\DevQuery\\5\\UUID",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,334",
        "eid": 1384,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\DevQuery\\5\\UUID",
          "content": "289e5e0f-414a-4de9-8d17-244507fffc07"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,334",
        "eid": 1385,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\DevQuery\\6\\IdType",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,334",
        "eid": 1386,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\DevQuery\\6\\IdType",
          "content": "Uuid"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,334",
        "eid": 1387,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\DevQuery\\6\\Transport",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,334",
        "eid": 1388,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\DevQuery\\6\\Transport",
          "content": "LRPC"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,334",
        "eid": 1389,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\DevQuery\\6\\UUID",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,334",
        "eid": 1390,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\DevQuery\\6\\UUID",
          "content": "289e5e0f-414a-4de9-8d17-244507fffc07"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,334",
        "eid": 1391,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\DevQuery\\7\\IdType",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,334",
        "eid": 1392,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\DevQuery\\7\\IdType",
          "content": "Uuid"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,334",
        "eid": 1393,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\DevQuery\\7\\Transport",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,334",
        "eid": 1394,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\DevQuery\\7\\Transport",
          "content": "IOCTL"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,334",
        "eid": 1395,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\DevQuery\\7\\QueryFile",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,334",
        "eid": 1396,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\DevQuery\\7\\QueryFile",
          "content": "\\Device\\DeviceApi\\Dev\\Query"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,334",
        "eid": 1397,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\DevQuery\\7\\NoStateFile",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,334",
        "eid": 1398,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\DevQuery\\7\\NoStateFile",
          "content": "\\Device\\DeviceApi\\Dev\\NoState"
        }
      },
      {
        "event": "read",
        "object": "file",
        "timestamp": "2026-05-28 22:01:58,334",
        "eid": 1399,
        "data": {
          "file": "C:\\Windows\\SystemApps\\Microsoft.Windows.Search_cw5n1h2txyewy\\Assets\\Icons\\AppListIcon.scale-100.png"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,334",
        "eid": 1400,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\DevQuery\\8\\IdType",
          "content": "String"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,334",
        "eid": 1401,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\DevQuery\\8\\Transport",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,334",
        "eid": 1402,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\DevQuery\\8\\Transport",
          "content": "InProc"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,334",
        "eid": 1403,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\DevQuery\\8\\DllName",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "file",
        "timestamp": "2026-05-28 22:01:58,334",
        "eid": 1404,
        "data": {
          "file": "C:\\Windows\\SystemApps\\Microsoft.Windows.Search_cw5n1h2txyewy\\Assets\\Icons\\AppListIcon.scale-100.png"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,334",
        "eid": 1405,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\DevQuery\\8\\DevQueryEntry",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,334",
        "eid": 1406,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\DevQuery\\8\\DevQueryEntry",
          "content": "DevQueryEntry"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,334",
        "eid": 1407,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\DevQuery\\9\\IdType",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "file",
        "timestamp": "2026-05-28 22:01:58,334",
        "eid": 1408,
        "data": {
          "file": "C:\\Windows\\SystemApps\\Microsoft.Windows.Search_cw5n1h2txyewy\\Assets\\Icons\\AppListIcon.scale-100.png"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,334",
        "eid": 1409,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\DevQuery\\9\\Transport",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,334",
        "eid": 1410,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\DevQuery\\9\\Transport",
          "content": "InProc"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,334",
        "eid": 1411,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\DevQuery\\9\\DllName",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,334",
        "eid": 1412,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\DevQuery\\9\\DllName",
          "content": "C:\\Windows\\System32\\DevDispItemProvider.dll"
        }
      },
      {
        "event": "read",
        "object": "file",
        "timestamp": "2026-05-28 22:01:58,334",
        "eid": 1413,
        "data": {
          "file": "C:\\Windows\\SystemApps\\Microsoft.Windows.Search_cw5n1h2txyewy\\Assets\\Icons\\AppListIcon.scale-100.png"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,334",
        "eid": 1414,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\DevQuery\\9\\DevQueryEntry",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,334",
        "eid": 1415,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\DevQuery\\9\\DevQueryEntry",
          "content": "DevQueryEntry"
        }
      },
      {
        "event": "read",
        "object": "file",
        "timestamp": "2026-05-28 22:01:58,334",
        "eid": 1416,
        "data": {
          "file": "C:\\Windows\\SystemApps\\Microsoft.Windows.Search_cw5n1h2txyewy\\Assets\\Icons\\AppListIcon.scale-100.png"
        }
      },
      {
        "event": "read",
        "object": "file",
        "timestamp": "2026-05-28 22:01:58,334",
        "eid": 1417,
        "data": {
          "file": "C:\\Windows\\SystemApps\\Microsoft.Windows.Search_cw5n1h2txyewy\\Assets\\Icons\\AppListIcon.scale-100.png"
        }
      },
      {
        "event": "read",
        "object": "file",
        "timestamp": "2026-05-28 22:01:58,350",
        "eid": 1418,
        "data": {
          "file": "C:\\Windows\\SystemApps\\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\\Assets\\SmallLogo.scale-100.png"
        }
      },
      {
        "event": "read",
        "object": "file",
        "timestamp": "2026-05-28 22:01:58,350",
        "eid": 1419,
        "data": {
          "file": "C:\\Windows\\SystemApps\\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\\Assets\\SmallLogo.scale-100.png"
        }
      },
      {
        "event": "read",
        "object": "file",
        "timestamp": "2026-05-28 22:01:58,350",
        "eid": 1420,
        "data": {
          "file": "C:\\Windows\\SystemApps\\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\\Assets\\SmallLogo.scale-100.png"
        }
      },
      {
        "event": "read",
        "object": "file",
        "timestamp": "2026-05-28 22:01:58,350",
        "eid": 1421,
        "data": {
          "file": "C:\\Windows\\SystemApps\\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\\Assets\\SmallLogo.scale-100.png"
        }
      },
      {
        "event": "read",
        "object": "file",
        "timestamp": "2026-05-28 22:01:58,350",
        "eid": 1422,
        "data": {
          "file": "C:\\Windows\\SystemApps\\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\\Assets\\SmallLogo.scale-100.png"
        }
      },
      {
        "event": "read",
        "object": "file",
        "timestamp": "2026-05-28 22:01:58,350",
        "eid": 1423,
        "data": {
          "file": "C:\\Windows\\SystemApps\\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\\Assets\\SmallLogo.scale-100.png"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,350",
        "eid": 1424,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\Last Counter",
          "content": "9884"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,350",
        "eid": 1425,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\Last Help",
          "content": "9885"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,350",
        "eid": 1426,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{16fa106f-26c3-42a5-982b-400779ea8970}\\ProviderType",
          "content": "0"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,350",
        "eid": 1427,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{16fa106f-26c3-42a5-982b-400779ea8970}\\ProviderName",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,350",
        "eid": 1428,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{16fa106f-26c3-42a5-982b-400779ea8970}\\ProviderName",
          "content": "DdmCounterProvider"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,350",
        "eid": 1429,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{16fa106f-26c3-42a5-982b-400779ea8970}\\ApplicationIdentity",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,350",
        "eid": 1430,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{16fa106f-26c3-42a5-982b-400779ea8970}\\ApplicationIdentity",
          "content": "%SystemRoot%\\system32\\mprddm.dll"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,350",
        "eid": 1431,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{16fa106f-26c3-42a5-982b-400779ea8970}\\{a4b0515f-2c2f-4fc4-87f5-b3a3a8747225}\\InstanceType",
          "content": "0"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,350",
        "eid": 1432,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{16fa106f-26c3-42a5-982b-400779ea8970}\\{a4b0515f-2c2f-4fc4-87f5-b3a3a8747225}\\NameResource",
          "content": "101"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,350",
        "eid": 1433,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{16fa106f-26c3-42a5-982b-400779ea8970}\\{a4b0515f-2c2f-4fc4-87f5-b3a3a8747225}\\ExplainResource",
          "content": "103"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,350",
        "eid": 1434,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{16fa106f-26c3-42a5-982b-400779ea8970}\\{a4b0515f-2c2f-4fc4-87f5-b3a3a8747225}\\First Counter",
          "content": "4776"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,350",
        "eid": 1435,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{16fa106f-26c3-42a5-982b-400779ea8970}\\{a4b0515f-2c2f-4fc4-87f5-b3a3a8747225}\\Last Counter",
          "content": "4786"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,350",
        "eid": 1436,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{16fa106f-26c3-42a5-982b-400779ea8970}\\{a4b0515f-2c2f-4fc4-87f5-b3a3a8747225}\\CounterBlock",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,350",
        "eid": 1437,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{16fa106f-26c3-42a5-982b-400779ea8970}\\{a4b0515f-2c2f-4fc4-87f5-b3a3a8747225}\\CounterBlock",
          "content": "\\x01\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00d\\x00\\x00\\x00\\x01\\x00\\x00\\x00k\\x00\\x00\\x00i\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00d\\x00\\x00\\x00\\x01\\x00\\x00\\x00o\\x00\\x00\\x00m\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00d\\x00\\x00\\x00\\x01\\x00\\x00\\x00s\\x00\\x00\\x00q\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x01\\x01\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00d\\x00\\x00\\x00\\x01\\x00\\x00\\x00w\\x00\\x00\\x00u\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x00\\x05\\x00\\x00\\x00\\x00\\x01\\x01\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00d\\x00\\x00\\x00\\x01\\x00\\x00\\x00{\\x00\\x00\\x00y\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x00"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,350",
        "eid": 1438,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{16fa106f-26c3-42a5-982b-400779ea8970}\\{a4b0515f-2c2f-4fc4-87f5-b3a3a8747225}\\CounterCount",
          "content": "5"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,350",
        "eid": 1439,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{1ffc4a37-aabd-49e0-8b3d-fce8b099febb}\\ProviderType",
          "content": "0"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,350",
        "eid": 1440,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{1ffc4a37-aabd-49e0-8b3d-fce8b099febb}\\ProviderName",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,350",
        "eid": 1441,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{1ffc4a37-aabd-49e0-8b3d-fce8b099febb}\\ProviderName",
          "content": "VidPerfProvider"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,350",
        "eid": 1442,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{1ffc4a37-aabd-49e0-8b3d-fce8b099febb}\\ApplicationIdentity",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,350",
        "eid": 1443,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{1ffc4a37-aabd-49e0-8b3d-fce8b099febb}\\ApplicationIdentity",
          "content": "vid.dll"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,350",
        "eid": 1444,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{1ffc4a37-aabd-49e0-8b3d-fce8b099febb}\\{d049a97f-9f42-4c11-ad73-5d8c68b30258}\\InstanceType",
          "content": "6"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,350",
        "eid": 1445,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{1ffc4a37-aabd-49e0-8b3d-fce8b099febb}\\{d049a97f-9f42-4c11-ad73-5d8c68b30258}\\NameResource",
          "content": "30028"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,350",
        "eid": 1446,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{1ffc4a37-aabd-49e0-8b3d-fce8b099febb}\\{d049a97f-9f42-4c11-ad73-5d8c68b30258}\\ExplainResource",
          "content": "30030"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,350",
        "eid": 1447,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{1ffc4a37-aabd-49e0-8b3d-fce8b099febb}\\{d049a97f-9f42-4c11-ad73-5d8c68b30258}\\First Counter",
          "content": "1914"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,350",
        "eid": 1448,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{1ffc4a37-aabd-49e0-8b3d-fce8b099febb}\\{d049a97f-9f42-4c11-ad73-5d8c68b30258}\\Last Counter",
          "content": "2910"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,350",
        "eid": 1449,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{1ffc4a37-aabd-49e0-8b3d-fce8b099febb}\\{d049a97f-9f42-4c11-ad73-5d8c68b30258}\\CounterBlock",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,350",
        "eid": 1450,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{1ffc4a37-aabd-49e0-8b3d-fce8b099febb}\\{d049a97f-9f42-4c11-ad73-5d8c68b30258}\\CounterBlock",
          "content": "\\x10\\x00\\x00\\x00\\x00\\x01\\x01\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00d\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x8cu\\x00\\x00\\x8eu\\x00\\x00\\x01\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x00/\\x00\\x00\\x00\\x00\\x01\\x01\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00d\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x08v\\x00\\x00\nv\\x00\\x00\\x01\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x001\\x00\\x00\\x00\\x00\\x01\\x01\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00d\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10v\\x00\\x00\\x12v\\x00\\x00\\x01\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x002\\x00\\x00\\x00\\x00\\x01\\x01\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00d\\x00\\x00\\x00\\x00\\x00\\x00\\x00b\\xfe\\x00\\x00`\\xfe\\x00\\x00\\x01\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x003\\x00\\x00\\x00\\x00\\x01\\x01\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00d\\x00\\x00\\x00\\x00\\x00\\x00\\x00^\\xfe\\x00\\x00\\\\xfe\\x00\\x00\\x01\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x004\\x00\\x00\\x00\\x00\\x01\\x01\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00d\\x00\\x00\\x00\\x00\\x00\\x00\\x00Z\\xfe\\x00\\x00X\\xfe\\x00\\x00\\x01\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x005\\x00\\x00\\x00\\x00\\x01\\x01\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00d\\x00\\x00\\x00\\x00\\x00\\x00\\x00V\\xfe\\x00\\x00T\\xfe\\x00\\x00\\x01\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x006\\x00\\x00\\x00\\x00\\x01\\x01\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00d\\x00\\x00\\x00\\x00\\x00\\x00\\x00R\\xfe\\x00\\x00
P\\xfe\\x00\\x00\\x01\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x007\\x00\\x00\\x00\\x00\\x01\\x01\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00d\\x00\\x00\\x00\\x00\\x00\\x00\\x00N\\xfe\\x00\\x00L\\xfe\\x00\\x00\\x01\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x008\\x00\\x00\\x00\\x00\\x01\\x01\\x00"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,350",
        "eid": 1451,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{1ffc4a37-aabd-49e0-8b3d-fce8b099febb}\\{d049a97f-9f42-4c11-ad73-5d8c68b30258}\\CounterCount",
          "content": "498"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,350",
        "eid": 1452,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{20fe1a3a-af21-413c-8a7b-b7fbf6c9a059}\\ProviderType",
          "content": "0"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,350",
        "eid": 1453,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{20fe1a3a-af21-413c-8a7b-b7fbf6c9a059}\\ProviderName",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,350",
        "eid": 1454,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{20fe1a3a-af21-413c-8a7b-b7fbf6c9a059}\\ApplicationIdentity",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,350",
        "eid": 1455,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{20fe1a3a-af21-413c-8a7b-b7fbf6c9a059}\\ApplicationIdentity",
          "content": "WsmRes.dll"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,350",
        "eid": 1456,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{20fe1a3a-af21-413c-8a7b-b7fbf6c9a059}\\{8a922684-7993-4b38-9929-b7366f01ec4a}\\InstanceType",
          "content": "2"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,350",
        "eid": 1457,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{20fe1a3a-af21-413c-8a7b-b7fbf6c9a059}\\{8a922684-7993-4b38-9929-b7366f01ec4a}\\NameResource",
          "content": "1"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,350",
        "eid": 1458,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{20fe1a3a-af21-413c-8a7b-b7fbf6c9a059}\\{8a922684-7993-4b38-9929-b7366f01ec4a}\\ExplainResource",
          "content": "3"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,350",
        "eid": 1459,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{20fe1a3a-af21-413c-8a7b-b7fbf6c9a059}\\{8a922684-7993-4b38-9929-b7366f01ec4a}\\First Counter",
          "content": "3432"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,350",
        "eid": 1460,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{20fe1a3a-af21-413c-8a7b-b7fbf6c9a059}\\{8a922684-7993-4b38-9929-b7366f01ec4a}\\Last Counter",
          "content": "3446"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,350",
        "eid": 1461,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{20fe1a3a-af21-413c-8a7b-b7fbf6c9a059}\\{8a922684-7993-4b38-9929-b7366f01ec4a}\\CounterBlock",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,350",
        "eid": 1462,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{20fe1a3a-af21-413c-8a7b-b7fbf6c9a059}\\{8a922684-7993-4b38-9929-b7366f01ec4a}\\CounterBlock",
          "content": "\\x01\\x00\\x00\\x00\\x00\\x04A\\x10\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00d\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x05\\x00\\x00\\x00\\x07\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x04A\\x10\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00d\\x00\\x00\\x00\\x00\\x00\\x00\\x00\t\\x00\\x00\\x00\\x0b\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x00\\x04A\\x10\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00d\\x00\\x00\\x00\\x00\\x00\\x00\\x00\r\\x00\\x00\\x00\\x0f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00d\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x11\\x00\\x00\\x00\\x13\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x00\\x05\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00d\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x15\\x00\\x00\\x00\\x17\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x00\\x06\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00d\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x19\\x00\\x00\\x00\\x1b\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x00\\x07\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00d\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x1d\\x00\\x00\\x00\\x1f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x00"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,350",
        "eid": 1463,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{20fe1a3a-af21-413c-8a7b-b7fbf6c9a059}\\{8a922684-7993-4b38-9929-b7366f01ec4a}\\CounterCount",
          "content": "7"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,350",
        "eid": 1464,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{2538387c-08b7-44b8-86d3-47f59cf6d056}\\ProviderType",
          "content": "0"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,350",
        "eid": 1465,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{2538387c-08b7-44b8-86d3-47f59cf6d056}\\ProviderName",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,350",
        "eid": 1466,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{2538387c-08b7-44b8-86d3-47f59cf6d056}\\ProviderName",
          "content": "PeerDistSvc"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,350",
        "eid": 1467,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{2538387c-08b7-44b8-86d3-47f59cf6d056}\\ApplicationIdentity",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,350",
        "eid": 1468,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{2538387c-08b7-44b8-86d3-47f59cf6d056}\\ApplicationIdentity",
          "content": "PeerDistSvc.dll"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,350",
        "eid": 1469,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{2538387c-08b7-44b8-86d3-47f59cf6d056}\\{2538387c-08b7-44b8-86d3-47f59cf6d057}\\InstanceType",
          "content": "0"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,350",
        "eid": 1470,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{2538387c-08b7-44b8-86d3-47f59cf6d056}\\{2538387c-08b7-44b8-86d3-47f59cf6d057}\\NameResource",
          "content": "1"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,350",
        "eid": 1471,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{2538387c-08b7-44b8-86d3-47f59cf6d056}\\{2538387c-08b7-44b8-86d3-47f59cf6d057}\\ExplainResource",
          "content": "3"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,350",
        "eid": 1472,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{2538387c-08b7-44b8-86d3-47f59cf6d056}\\{2538387c-08b7-44b8-86d3-47f59cf6d057}\\First Counter",
          "content": "9568"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,350",
        "eid": 1473,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{2538387c-08b7-44b8-86d3-47f59cf6d056}\\{2538387c-08b7-44b8-86d3-47f59cf6d057}\\Last Counter",
          "content": "9614"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,350",
        "eid": 1474,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{2538387c-08b7-44b8-86d3-47f59cf6d056}\\{2538387c-08b7-44b8-86d3-47f59cf6d057}\\CounterBlock",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,350",
        "eid": 1475,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{2538387c-08b7-44b8-86d3-47f59cf6d056}\\{2538387c-08b7-44b8-86d3-47f59cf6d057}\\CounterBlock",
          "content": "\\x01\\x00\\x00\\x00\\x00\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00d\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x05\\x00\\x00\\x00\\x07\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00d\\x00\\x00\\x00\\x00\\x00\\x00\\x00\t\\x00\\x00\\x00\\x0b\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x00\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00d\\x00\\x00\\x00\\x00\\x00\\x00\\x00\r\\x00\\x00\\x00\\x0f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00d\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x11\\x00\\x00\\x00\\x13\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x00\\x05\\x00\\x00\\x00\\x00\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00d\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x15\\x00\\x00\\x00\\x17\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x00\\x06\\x00\\x00\\x00\\x00\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00d\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x19\\x00\\x00\\x00\\x1b\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x00\\x07\\x00\\x00\\x00\\x00\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00d\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x1d\\x00\\x00\\x00\\x1f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x01\\x01\\x00\\x00\\x00\\
x00\\x00\\x00\\x00\\x00\\x00d\\x00\\x00\\x00\\x00\\x00\\x00\\x00!\\x00\\x00\\x00#\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x00\t\\x00\\x00\\x00\\x00\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00d\\x00\\x00\\x00\\x00\\x00\\x00\\x00%\\x00\\x00\\x00'\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x00\n\\x00\\x00\\x00\\x00\\x01\\x01\\x00"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,350",
        "eid": 1476,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{2538387c-08b7-44b8-86d3-47f59cf6d056}\\{2538387c-08b7-44b8-86d3-47f59cf6d057}\\CounterCount",
          "content": "23"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,350",
        "eid": 1477,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{2a32a3f9-ee0c-40ff-8a75-e1e747d15b1f}\\ProviderType",
          "content": "0"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,350",
        "eid": 1478,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{2a32a3f9-ee0c-40ff-8a75-e1e747d15b1f}\\ProviderName",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,350",
        "eid": 1479,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{2a32a3f9-ee0c-40ff-8a75-e1e747d15b1f}\\ApplicationIdentity",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,350",
        "eid": 1480,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{2a32a3f9-ee0c-40ff-8a75-e1e747d15b1f}\\ApplicationIdentity",
          "content": "%SystemRoot%\\System32\\wevtsvc.dll"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,350",
        "eid": 1481,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{2a32a3f9-ee0c-40ff-8a75-e1e747d15b1f}\\{d11168c5-9f29-43bc-9269-0548637a62b0}\\InstanceType",
          "content": "0"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,350",
        "eid": 1482,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{2a32a3f9-ee0c-40ff-8a75-e1e747d15b1f}\\{d11168c5-9f29-43bc-9269-0548637a62b0}\\NameResource",
          "content": "102"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,350",
        "eid": 1483,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{2a32a3f9-ee0c-40ff-8a75-e1e747d15b1f}\\{d11168c5-9f29-43bc-9269-0548637a62b0}\\ExplainResource",
          "content": "100"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,350",
        "eid": 1484,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{2a32a3f9-ee0c-40ff-8a75-e1e747d15b1f}\\{d11168c5-9f29-43bc-9269-0548637a62b0}\\First Counter",
          "content": "4006"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,350",
        "eid": 1485,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{2a32a3f9-ee0c-40ff-8a75-e1e747d15b1f}\\{d11168c5-9f29-43bc-9269-0548637a62b0}\\Last Counter",
          "content": "4018"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,350",
        "eid": 1486,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{2a32a3f9-ee0c-40ff-8a75-e1e747d15b1f}\\{d11168c5-9f29-43bc-9269-0548637a62b0}\\CounterBlock",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,350",
        "eid": 1487,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{2a32a3f9-ee0c-40ff-8a75-e1e747d15b1f}\\{d11168c5-9f29-43bc-9269-0548637a62b0}\\CounterBlock",
          "content": "\\x01\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00d\\x00\\x00\\x00\\x00\\x00\\x00\\x00j\\x00\\x00\\x00h\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x05A\\x10\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00d\\x00\\x00\\x00\\x00\\x00\\x00\\x00n\\x00\\x00\\x00l\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x00\\x05A\\x10\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00d\\x00\\x00\\x00\\x00\\x00\\x00\\x00z\\x00\\x00\\x00x\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x05A\\x10\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00d\\x00\\x00\\x00\\x00\\x00\\x00\\x00r\\x00\\x00\\x00p\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x00\\x05\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00d\\x00\\x00\\x00\\x00\\x00\\x00\\x00v\\x00\\x00\\x00t\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x00\\x06\\x00\\x00\\x00\\x00\\x05A\\x10\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00d\\x00\\x00\\x00\\x00\\x00\\x00\\x00~\\x00\\x00\\x00|\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x00"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,350",
        "eid": 1488,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{2a32a3f9-ee0c-40ff-8a75-e1e747d15b1f}\\{d11168c5-9f29-43bc-9269-0548637a62b0}\\CounterCount",
          "content": "6"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,350",
        "eid": 1489,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{2ccb0d8d-ea94-4235-986b-c97f61f63969}\\ProviderType",
          "content": "1"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,350",
        "eid": 1490,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{2ccb0d8d-ea94-4235-986b-c97f61f63969}\\ProviderName",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,350",
        "eid": 1491,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{2ccb0d8d-ea94-4235-986b-c97f61f63969}\\ApplicationIdentity",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,350",
        "eid": 1492,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{2ccb0d8d-ea94-4235-986b-c97f61f63969}\\ApplicationIdentity",
          "content": "%SystemRoot%\\system32\\drivers\\tcpip.sys"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,350",
        "eid": 1493,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{2ccb0d8d-ea94-4235-986b-c97f61f63969}\\{ef82017e-50e2-4ca2-b9ec-b9895ab70e08}\\InstanceType",
          "content": "2"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,350",
        "eid": 1494,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{2ccb0d8d-ea94-4235-986b-c97f61f63969}\\{ef82017e-50e2-4ca2-b9ec-b9895ab70e08}\\NameResource",
          "content": "2000"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,350",
        "eid": 1495,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{2ccb0d8d-ea94-4235-986b-c97f61f63969}\\{ef82017e-50e2-4ca2-b9ec-b9895ab70e08}\\ExplainResource",
          "content": "2002"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,350",
        "eid": 1496,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{2ccb0d8d-ea94-4235-986b-c97f61f63969}\\{ef82017e-50e2-4ca2-b9ec-b9895ab70e08}\\First Counter",
          "content": "5484"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,350",
        "eid": 1497,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{2ccb0d8d-ea94-4235-986b-c97f61f63969}\\{ef82017e-50e2-4ca2-b9ec-b9895ab70e08}\\Last Counter",
          "content": "5496"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,350",
        "eid": 1498,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{2ccb0d8d-ea94-4235-986b-c97f61f63969}\\{ef82017e-50e2-4ca2-b9ec-b9895ab70e08}\\NeutralName",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,350",
        "eid": 1499,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{2ccb0d8d-ea94-4235-986b-c97f61f63969}\\{ef82017e-50e2-4ca2-b9ec-b9895ab70e08}\\NeutralName",
          "content": "Network QoS Policy"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,350",
        "eid": 1500,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{2ccb0d8d-ea94-4235-986b-c97f61f63969}\\{ef82017e-50e2-4ca2-b9ec-b9895ab70e08}\\CounterBlock",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,350",
        "eid": 1501,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{2ccb0d8d-ea94-4235-986b-c97f61f63969}\\{ef82017e-50e2-4ca2-b9ec-b9895ab70e08}\\CounterBlock",
          "content": "\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00d\\x00\\x00\\x00\\xfd\\xff\\xff\\xff\\xd4\\x07\\x00\\x00\\xd6\\x07\\x00\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x04A\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00d\\x00\\x00\\x00\\xfd\\xff\\xff\\xff\\xd8\\x07\\x00\\x00\\xda\\x07\\x00\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00d\\x00\\x00\\x00\\xfa\\xff\\xff\\xff\\xdc\\x07\\x00\\x00\\xde\\x07\\x00\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x00\\x05A\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00d\\x00\\x00\\x00\\xfd\\xff\\xff\\xff\\xe0\\x07\\x00\\x00\\xe2\\x07\\x00\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00d\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xe4\\x07\\x00\\x00\\xe6\\x07\\x00\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x00\\x05\\x00\\x00\\x00\\x00\\x04A\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00d\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xe8\\x07\\x00\\x00\\xea\\x07\\x00\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x00"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,350",
        "eid": 1502,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{2ccb0d8d-ea94-4235-986b-c97f61f63969}\\{ef82017e-50e2-4ca2-b9ec-b9895ab70e08}\\CounterCount",
          "content": "6"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,350",
        "eid": 1503,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{2ea0b998-e7e8-41c6-8abc-093083ea21d7}\\ProviderType",
          "content": "0"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,350",
        "eid": 1504,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{2ea0b998-e7e8-41c6-8abc-093083ea21d7}\\ProviderName",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,350",
        "eid": 1505,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{2ea0b998-e7e8-41c6-8abc-093083ea21d7}\\ApplicationIdentity",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,350",
        "eid": 1506,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{2ea0b998-e7e8-41c6-8abc-093083ea21d7}\\ApplicationIdentity",
          "content": "%windir%\\system32\\appvetwclientres.dll"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,350",
        "eid": 1507,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{2ea0b998-e7e8-41c6-8abc-093083ea21d7}\\{687d8f80-ffea-4de5-a41f-3e1c83378839}\\InstanceType",
          "content": "2"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,350",
        "eid": 1508,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{2ea0b998-e7e8-41c6-8abc-093083ea21d7}\\{687d8f80-ffea-4de5-a41f-3e1c83378839}\\NameResource",
          "content": "102"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,350",
        "eid": 1509,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{2ea0b998-e7e8-41c6-8abc-093083ea21d7}\\{687d8f80-ffea-4de5-a41f-3e1c83378839}\\ExplainResource",
          "content": "100"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,350",
        "eid": 1510,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{2ea0b998-e7e8-41c6-8abc-093083ea21d7}\\{687d8f80-ffea-4de5-a41f-3e1c83378839}\\First Counter",
          "content": "9504"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,350",
        "eid": 1511,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{2ea0b998-e7e8-41c6-8abc-093083ea21d7}\\{687d8f80-ffea-4de5-a41f-3e1c83378839}\\Last Counter",
          "content": "9506"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,350",
        "eid": 1512,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{2ea0b998-e7e8-41c6-8abc-093083ea21d7}\\{687d8f80-ffea-4de5-a41f-3e1c83378839}\\CounterBlock",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,350",
        "eid": 1513,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{2ea0b998-e7e8-41c6-8abc-093083ea21d7}\\{687d8f80-ffea-4de5-a41f-3e1c83378839}\\CounterBlock",
          "content": "\\x02\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00d\\x00\\x00\\x00\\x01\\x00\\x00\\x00j\\x00\\x00\\x00h\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x00"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,350",
        "eid": 1514,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{2ea0b998-e7e8-41c6-8abc-093083ea21d7}\\{687d8f80-ffea-4de5-a41f-3e1c83378839}\\CounterCount",
          "content": "1"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,350",
        "eid": 1515,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{31a5ebe2-c765-490a-937c-b0ab2787fe15}\\ProviderType",
          "content": "1"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,350",
        "eid": 1516,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{31a5ebe2-c765-490a-937c-b0ab2787fe15}\\ProviderName",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,350",
        "eid": 1517,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{31a5ebe2-c765-490a-937c-b0ab2787fe15}\\ApplicationIdentity",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,350",
        "eid": 1518,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{31a5ebe2-c765-490a-937c-b0ab2787fe15}\\ApplicationIdentity",
          "content": "%systemroot%\\system32\\drivers\\mrxsmb.sys"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,350",
        "eid": 1519,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{31a5ebe2-c765-490a-937c-b0ab2787fe15}\\{c73dfef0-11b8-4a3f-a1ad-0dcbbc5186ef}\\InstanceType",
          "content": "6"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,350",
        "eid": 1520,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{31a5ebe2-c765-490a-937c-b0ab2787fe15}\\{c73dfef0-11b8-4a3f-a1ad-0dcbbc5186ef}\\NameResource",
          "content": "1"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,350",
        "eid": 1521,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{31a5ebe2-c765-490a-937c-b0ab2787fe15}\\{c73dfef0-11b8-4a3f-a1ad-0dcbbc5186ef}\\ExplainResource",
          "content": "3"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,350",
        "eid": 1522,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{31a5ebe2-c765-490a-937c-b0ab2787fe15}\\{c73dfef0-11b8-4a3f-a1ad-0dcbbc5186ef}\\First Counter",
          "content": "5400"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,350",
        "eid": 1523,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{31a5ebe2-c765-490a-937c-b0ab2787fe15}\\{c73dfef0-11b8-4a3f-a1ad-0dcbbc5186ef}\\Last Counter",
          "content": "5466"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,350",
        "eid": 1524,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{31a5ebe2-c765-490a-937c-b0ab2787fe15}\\{c73dfef0-11b8-4a3f-a1ad-0dcbbc5186ef}\\NeutralName",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,350",
        "eid": 1525,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{31a5ebe2-c765-490a-937c-b0ab2787fe15}\\{c73dfef0-11b8-4a3f-a1ad-0dcbbc5186ef}\\NeutralName",
          "content": "SMB Client Shares"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,350",
        "eid": 1526,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{31a5ebe2-c765-490a-937c-b0ab2787fe15}\\{c73dfef0-11b8-4a3f-a1ad-0dcbbc5186ef}\\CounterBlock",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,350",
        "eid": 1527,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{31a5ebe2-c765-490a-937c-b0ab2787fe15}\\{c73dfef0-11b8-4a3f-a1ad-0dcbbc5186ef}\\CounterBlock",
          "content": "\\x02\\x00\\x00\\x00\\x00\\x05A\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00d\\x00\\x00\\x00\\x00\\x00\\x00\\x00\t\\x00\\x00\\x00\\x0b\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x05A\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00d\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x11\\x00\\x00\\x00\\x13\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x00\\x06\\x00\\x00\\x00\\x00\\x04A\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00d\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x19\\x00\\x00\\x00\\x1b\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x04A\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00d\\x00\\x00\\x00\\x00\\x00\\x00\\x00!\\x00\\x00\\x00#\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x00\t\\x00\\x00\\x00\\x00\\x05\\x02@\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00d\\x00\\x00\\x00\\x00\\x00\\x00\\x00%\\x00\\x00\\x00'\\x00\\x00\\x00\\x01\\x00\\x00\\x00\n\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x00\n\\x00\\x00\\x00\\x02\\x04\\x03@\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00d\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x01\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x00\\x0b\\x00\\x00\\x00\\x00\\x05\\x02@\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00d\\x00\\x00\\x00\\x00\\x00\\x00\\x00)\\x00\\x00\\x00+\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x0c\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x00\\x0c\\x00\\x00\\x00\\x02\\x04\\x03@\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00d\\x00\\x00\\x00\\x00\\x00\\x00\\x
00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x01\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x00\r\\x00\\x00\\x00\\x00\\x04\\x020\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00d\\x00\\x00\\x00\\x00\\x00\\x00\\x00-\\x00\\x00\\x00/\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x0e\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x00\\x0e\\x00\\x00\\x00\\x02\\x04\\x03@"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,350",
        "eid": 1528,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{31a5ebe2-c765-490a-937c-b0ab2787fe15}\\{c73dfef0-11b8-4a3f-a1ad-0dcbbc5186ef}\\CounterCount",
          "content": "33"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,350",
        "eid": 1529,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{3817cb9c-49a8-436b-bc29-5518877d3c3a}\\ProviderType",
          "content": "0"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,350",
        "eid": 1530,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{3817cb9c-49a8-436b-bc29-5518877d3c3a}\\ProviderName",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,350",
        "eid": 1531,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{3817cb9c-49a8-436b-bc29-5518877d3c3a}\\ProviderName",
          "content": "Microsoft-Windows-W32Time-Perf"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,350",
        "eid": 1532,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{3817cb9c-49a8-436b-bc29-5518877d3c3a}\\ApplicationIdentity",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,350",
        "eid": 1533,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{3817cb9c-49a8-436b-bc29-5518877d3c3a}\\ApplicationIdentity",
          "content": "%systemroot%\\system32\\w32time.dll"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,350",
        "eid": 1534,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{3817cb9c-49a8-436b-bc29-5518877d3c3a}\\{82fa211f-e7f8-4ab5-a04c-cc523073b971}\\InstanceType",
          "content": "0"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,350",
        "eid": 1535,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{3817cb9c-49a8-436b-bc29-5518877d3c3a}\\{82fa211f-e7f8-4ab5-a04c-cc523073b971}\\NameResource",
          "content": "1"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,350",
        "eid": 1536,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{3817cb9c-49a8-436b-bc29-5518877d3c3a}\\{82fa211f-e7f8-4ab5-a04c-cc523073b971}\\ExplainResource",
          "content": "3"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,350",
        "eid": 1537,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{3817cb9c-49a8-436b-bc29-5518877d3c3a}\\{82fa211f-e7f8-4ab5-a04c-cc523073b971}\\First Counter",
          "content": "5468"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,350",
        "eid": 1538,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{3817cb9c-49a8-436b-bc29-5518877d3c3a}\\{82fa211f-e7f8-4ab5-a04c-cc523073b971}\\Last Counter",
          "content": "5482"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,350",
        "eid": 1539,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{3817cb9c-49a8-436b-bc29-5518877d3c3a}\\{82fa211f-e7f8-4ab5-a04c-cc523073b971}\\CounterBlock",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,350",
        "eid": 1540,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{3817cb9c-49a8-436b-bc29-5518877d3c3a}\\{82fa211f-e7f8-4ab5-a04c-cc523073b971}\\CounterBlock",
          "content": "\\x02\\x00\\x00\\x00\\x00\\x01\\x01\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00d\\x00\\x00\\x00\\xfe\\xff\\xff\\xff\\x05\\x00\\x00\\x00\\x07\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00d\\x00\\x00\\x00\\x00\\x00\\x00\\x00\t\\x00\\x00\\x00\\x0b\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00d\\x00\\x00\\x00\\xfd\\xff\\xff\\xff\r\\x00\\x00\\x00\\x0f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x00\\x0b\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00d\\x00\\x00\\x00\\xfd\\xff\\xff\\xff\\x11\\x00\\x00\\x00\\x13\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x00\\x0c\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00d\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x15\\x00\\x00\\x00\\x17\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x00\\x15\\x00\\x00\\x00\\x00\\x05A\\x10\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00d\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x19\\x00\\x00\\x00\\x1b\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x00\\x16\\x00\\x00\\x00\\x00\\x05A\\x10\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00d\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x1d\\x00\\x00\\x00\\x1f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x00"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,350",
        "eid": 1541,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{3817cb9c-49a8-436b-bc29-5518877d3c3a}\\{82fa211f-e7f8-4ab5-a04c-cc523073b971}\\CounterCount",
          "content": "7"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,350",
        "eid": 1542,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{383487a6-3676-4870-a4e7-d45b30c35629}\\ProviderType",
          "content": "1"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,350",
        "eid": 1543,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{383487a6-3676-4870-a4e7-d45b30c35629}\\ProviderName",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,350",
        "eid": 1544,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{383487a6-3676-4870-a4e7-d45b30c35629}\\ApplicationIdentity",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,350",
        "eid": 1545,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{383487a6-3676-4870-a4e7-d45b30c35629}\\ApplicationIdentity",
          "content": "%SystemRoot%\\system32\\advapi32res.dll"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,350",
        "eid": 1546,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{383487a6-3676-4870-a4e7-d45b30c35629}\\{2f66fd0a-9f6c-4d91-9f2f-2a1b5e41b7dc}\\InstanceType",
          "content": "2"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,350",
        "eid": 1547,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{383487a6-3676-4870-a4e7-d45b30c35629}\\{2f66fd0a-9f6c-4d91-9f2f-2a1b5e41b7dc}\\NameResource",
          "content": "309"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,350",
        "eid": 1548,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{383487a6-3676-4870-a4e7-d45b30c35629}\\{2f66fd0a-9f6c-4d91-9f2f-2a1b5e41b7dc}\\ExplainResource",
          "content": "311"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,350",
        "eid": 1549,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{383487a6-3676-4870-a4e7-d45b30c35629}\\{2f66fd0a-9f6c-4d91-9f2f-2a1b5e41b7dc}\\First Counter",
          "content": "3702"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,350",
        "eid": 1550,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{383487a6-3676-4870-a4e7-d45b30c35629}\\{2f66fd0a-9f6c-4d91-9f2f-2a1b5e41b7dc}\\Last Counter",
          "content": "3786"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,365",
        "eid": 1551,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{383487a6-3676-4870-a4e7-d45b30c35629}\\{2f66fd0a-9f6c-4d91-9f2f-2a1b5e41b7dc}\\NeutralName",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,365",
        "eid": 1552,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{383487a6-3676-4870-a4e7-d45b30c35629}\\{2f66fd0a-9f6c-4d91-9f2f-2a1b5e41b7dc}\\NeutralName",
          "content": "SynchronizationNuma"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,365",
        "eid": 1553,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{383487a6-3676-4870-a4e7-d45b30c35629}\\{2f66fd0a-9f6c-4d91-9f2f-2a1b5e41b7dc}\\CounterBlock",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,365",
        "eid": 1554,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{383487a6-3676-4870-a4e7-d45b30c35629}\\{2f66fd0a-9f6c-4d91-9f2f-2a1b5e41b7dc}\\CounterBlock",
          "content": "\\x00\\x00\\x00\\x00\\x00\\x04A\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xc8\\x00\\x00\\x00\\x00\\x00\\x00\\x009\\x01\\x00\\x00;\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x04A\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xc8\\x00\\x00\\x00\\x00\\x00\\x00\\x00=\\x01\\x00\\x00?\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x04A\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xc8\\x00\\x00\\x00\\x00\\x00\\x00\\x00A\\x01\\x00\\x00C\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x00\\x04A\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xc8\\x00\\x00\\x00\\x00\\x00\\x00\\x00E\\x01\\x00\\x00G\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x04A\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xc8\\x00\\x00\\x00\\x00\\x00\\x00\\x00I\\x01\\x00\\x00K\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x00\\x05\\x00\\x00\\x00\\x00\\x04A\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xc8\\x00\\x00\\x00\\x00\\x00\\x00\\x00M\\x01\\x00\\x00O\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x00\\x06\\x00\\x00\\x00\\x00\\x04A\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xc8\\x00\\x00\\x00\\x00\\x00\\x00\\x00Q\\x01\\x00\\x00S\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x00\\x07\\x00\\x00\\x00\\x00\\x04A\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xc8\\x00\\x00\\x00\\x00\
\x00\\x00\\x00U\\x01\\x00\\x00W\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x04A\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xc8\\x00\\x00\\x00\\x00\\x00\\x00\\x00Y\\x01\\x00\\x00[\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x00\t\\x00\\x00\\x00\\x00\\x04A\\x10"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,365",
        "eid": 1555,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{383487a6-3676-4870-a4e7-d45b30c35629}\\{2f66fd0a-9f6c-4d91-9f2f-2a1b5e41b7dc}\\CounterCount",
          "content": "42"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,365",
        "eid": 1556,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{383487a6-3676-4870-a4e7-d45b30c35629}\\{370e979a-377a-4f30-b2c4-9a0fd072890b}\\InstanceType",
          "content": "6"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,365",
        "eid": 1557,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{383487a6-3676-4870-a4e7-d45b30c35629}\\{370e979a-377a-4f30-b2c4-9a0fd072890b}\\NameResource",
          "content": "85"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,365",
        "eid": 1558,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{383487a6-3676-4870-a4e7-d45b30c35629}\\{370e979a-377a-4f30-b2c4-9a0fd072890b}\\ExplainResource",
          "content": "87"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,365",
        "eid": 1559,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{383487a6-3676-4870-a4e7-d45b30c35629}\\{370e979a-377a-4f30-b2c4-9a0fd072890b}\\First Counter",
          "content": "3590"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,365",
        "eid": 1560,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{383487a6-3676-4870-a4e7-d45b30c35629}\\{370e979a-377a-4f30-b2c4-9a0fd072890b}\\Last Counter",
          "content": "3674"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,365",
        "eid": 1561,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{383487a6-3676-4870-a4e7-d45b30c35629}\\{370e979a-377a-4f30-b2c4-9a0fd072890b}\\NeutralName",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,365",
        "eid": 1562,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{383487a6-3676-4870-a4e7-d45b30c35629}\\{370e979a-377a-4f30-b2c4-9a0fd072890b}\\NeutralName",
          "content": "Synchronization"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,365",
        "eid": 1563,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{383487a6-3676-4870-a4e7-d45b30c35629}\\{370e979a-377a-4f30-b2c4-9a0fd072890b}\\CounterBlock",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,365",
        "eid": 1564,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{383487a6-3676-4870-a4e7-d45b30c35629}\\{370e979a-377a-4f30-b2c4-9a0fd072890b}\\CounterBlock",
          "content": "\\x00\\x00\\x00\\x00\\x00\\x04A\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xc8\\x00\\x00\\x00\\x00\\x00\\x00\\x00Y\\x00\\x00\\x00[\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x04A\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xc8\\x00\\x00\\x00\\x00\\x00\\x00\\x00]\\x00\\x00\\x00_\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x04A\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xc8\\x00\\x00\\x00\\x00\\x00\\x00\\x00a\\x00\\x00\\x00c\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x00\\x04A\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xc8\\x00\\x00\\x00\\x00\\x00\\x00\\x00e\\x00\\x00\\x00g\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x04A\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xc8\\x00\\x00\\x00\\x00\\x00\\x00\\x00i\\x00\\x00\\x00k\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x00\\x05\\x00\\x00\\x00\\x00\\x04A\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xc8\\x00\\x00\\x00\\x00\\x00\\x00\\x00m\\x00\\x00\\x00o\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x00\\x06\\x00\\x00\\x00\\x00\\x04A\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xc8\\x00\\x00\\x00\\x00\\x00\\x00\\x00q\\x00\\x00\\x00s\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x00\\x07\\x00\\x00\\x00\\x00\\x04A\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xc8\\x00\\x00\\x00\\x00\
\x00\\x00\\x00u\\x00\\x00\\x00w\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x04A\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xc8\\x00\\x00\\x00\\x00\\x00\\x00\\x00y\\x00\\x00\\x00{\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x00\t\\x00\\x00\\x00\\x00\\x04A\\x10"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,365",
        "eid": 1565,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{383487a6-3676-4870-a4e7-d45b30c35629}\\{370e979a-377a-4f30-b2c4-9a0fd072890b}\\CounterCount",
          "content": "42"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,365",
        "eid": 1566,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{383487a6-3676-4870-a4e7-d45b30c35629}\\{42cd0051-9dd9-4fe2-8db9-d37885d2d749}\\InstanceType",
          "content": "0"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,365",
        "eid": 1567,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{383487a6-3676-4870-a4e7-d45b30c35629}\\{42cd0051-9dd9-4fe2-8db9-d37885d2d749}\\NameResource",
          "content": "257"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,365",
        "eid": 1568,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{383487a6-3676-4870-a4e7-d45b30c35629}\\{42cd0051-9dd9-4fe2-8db9-d37885d2d749}\\ExplainResource",
          "content": "259"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,365",
        "eid": 1569,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{383487a6-3676-4870-a4e7-d45b30c35629}\\{42cd0051-9dd9-4fe2-8db9-d37885d2d749}\\First Counter",
          "content": "3676"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,365",
        "eid": 1570,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{383487a6-3676-4870-a4e7-d45b30c35629}\\{42cd0051-9dd9-4fe2-8db9-d37885d2d749}\\Last Counter",
          "content": "3688"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,365",
        "eid": 1571,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{383487a6-3676-4870-a4e7-d45b30c35629}\\{42cd0051-9dd9-4fe2-8db9-d37885d2d749}\\NeutralName",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,365",
        "eid": 1572,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{383487a6-3676-4870-a4e7-d45b30c35629}\\{42cd0051-9dd9-4fe2-8db9-d37885d2d749}\\NeutralName",
          "content": "Event Tracing for Windows"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,365",
        "eid": 1573,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{383487a6-3676-4870-a4e7-d45b30c35629}\\{42cd0051-9dd9-4fe2-8db9-d37885d2d749}\\CounterBlock",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,365",
        "eid": 1574,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{383487a6-3676-4870-a4e7-d45b30c35629}\\{42cd0051-9dd9-4fe2-8db9-d37885d2d749}\\CounterBlock",
          "content": "\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xc8\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x05\\x01\\x00\\x00\\x07\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xc8\\x00\\x00\\x00\\x00\\x00\\x00\\x00\t\\x01\\x00\\x00\\x0b\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xc8\\x00\\x00\\x00\\x00\\x00\\x00\\x00\r\\x01\\x00\\x00\\x0f\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xc8\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x11\\x01\\x00\\x00\\x13\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xc8\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x15\\x01\\x00\\x00\\x17\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x00\\x05\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xc8\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x19\\x01\\x00\\x00\\x1b\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x00"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,365",
        "eid": 1575,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{383487a6-3676-4870-a4e7-d45b30c35629}\\{42cd0051-9dd9-4fe2-8db9-d37885d2d749}\\CounterCount",
          "content": "6"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,365",
        "eid": 1576,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{383487a6-3676-4870-a4e7-d45b30c35629}\\{52bc5412-dac2-449c-8bc2-96443888fe6b}\\InstanceType",
          "content": "2"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,365",
        "eid": 1577,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{383487a6-3676-4870-a4e7-d45b30c35629}\\{52bc5412-dac2-449c-8bc2-96443888fe6b}\\NameResource",
          "content": "503"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,365",
        "eid": 1578,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{383487a6-3676-4870-a4e7-d45b30c35629}\\{52bc5412-dac2-449c-8bc2-96443888fe6b}\\ExplainResource",
          "content": "501"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,365",
        "eid": 1579,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{383487a6-3676-4870-a4e7-d45b30c35629}\\{52bc5412-dac2-449c-8bc2-96443888fe6b}\\First Counter",
          "content": "3794"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,365",
        "eid": 1580,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{383487a6-3676-4870-a4e7-d45b30c35629}\\{52bc5412-dac2-449c-8bc2-96443888fe6b}\\Last Counter",
          "content": "3802"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,365",
        "eid": 1581,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{383487a6-3676-4870-a4e7-d45b30c35629}\\{52bc5412-dac2-449c-8bc2-96443888fe6b}\\NeutralName",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,365",
        "eid": 1582,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{383487a6-3676-4870-a4e7-d45b30c35629}\\{52bc5412-dac2-449c-8bc2-96443888fe6b}\\NeutralName",
          "content": "Thermal Zone Information"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,365",
        "eid": 1583,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{383487a6-3676-4870-a4e7-d45b30c35629}\\{52bc5412-dac2-449c-8bc2-96443888fe6b}\\CounterBlock",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,365",
        "eid": 1584,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{383487a6-3676-4870-a4e7-d45b30c35629}\\{52bc5412-dac2-449c-8bc2-96443888fe6b}\\CounterBlock",
          "content": "\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xc8\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xfb\\x01\\x00\\x00\\xf9\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xc8\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xff\\x01\\x00\\x00\\xfd\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xc8\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x03\\x02\\x00\\x00\\x01\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xc8\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x07\\x02\\x00\\x00\\x05\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x00"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,365",
        "eid": 1585,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{383487a6-3676-4870-a4e7-d45b30c35629}\\{52bc5412-dac2-449c-8bc2-96443888fe6b}\\CounterCount",
          "content": "4"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,365",
        "eid": 1586,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{383487a6-3676-4870-a4e7-d45b30c35629}\\{b4fc721a-0378-476f-89ba-a5a79f810b36}\\InstanceType",
          "content": "2"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,365",
        "eid": 1587,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{383487a6-3676-4870-a4e7-d45b30c35629}\\{b4fc721a-0378-476f-89ba-a5a79f810b36}\\NameResource",
          "content": "1"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,365",
        "eid": 1588,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{383487a6-3676-4870-a4e7-d45b30c35629}\\{b4fc721a-0378-476f-89ba-a5a79f810b36}\\ExplainResource",
          "content": "3"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,365",
        "eid": 1589,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{383487a6-3676-4870-a4e7-d45b30c35629}\\{b4fc721a-0378-476f-89ba-a5a79f810b36}\\First Counter",
          "content": "3518"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,365",
        "eid": 1590,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{383487a6-3676-4870-a4e7-d45b30c35629}\\{b4fc721a-0378-476f-89ba-a5a79f810b36}\\Last Counter",
          "content": "3588"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,365",
        "eid": 1591,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{383487a6-3676-4870-a4e7-d45b30c35629}\\{b4fc721a-0378-476f-89ba-a5a79f810b36}\\NeutralName",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,365",
        "eid": 1592,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{383487a6-3676-4870-a4e7-d45b30c35629}\\{b4fc721a-0378-476f-89ba-a5a79f810b36}\\NeutralName",
          "content": "Processor Information"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,365",
        "eid": 1593,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{383487a6-3676-4870-a4e7-d45b30c35629}\\{b4fc721a-0378-476f-89ba-a5a79f810b36}\\CounterBlock",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,365",
        "eid": 1594,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{383487a6-3676-4870-a4e7-d45b30c35629}\\{b4fc721a-0378-476f-89ba-a5a79f810b36}\\CounterBlock",
          "content": "\\x00\\x00\\x00\\x00\\x00\\x05Q!\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00d\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x05\\x00\\x00\\x00\\x07\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x05Q \\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00d\\x00\\x00\\x00\\x00\\x00\\x00\\x00\t\\x00\\x00\\x00\\x0b\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x05Q \\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00d\\x00\\x00\\x00\\x00\\x00\\x00\\x00\r\\x00\\x00\\x00\\x0f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x00\\x04A\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00d\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x11\\x00\\x00\\x00\\x13\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x05Q \\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00d\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x15\\x00\\x00\\x00\\x17\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x00\\x05\\x00\\x00\\x00\\x00\\x05Q 
\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00d\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x19\\x00\\x00\\x00\\x1b\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x00\\x06\\x00\\x00\\x00\\x00\\x04A\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00d\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x1d\\x00\\x00\\x00\\x1f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x00\\x07\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00d\\x00\\x00\\x00\\x00\\x00\\x00\\x00!\\x00\\x00\\x00#\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x05Q \\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00d\\x00\\x00\\x00\\x00\\x00\\x00\\x00%\\x00\\x00\\x00'\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x00\t\\x00\\x00\\x00\\x00\\x05Q "
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,365",
        "eid": 1595,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{383487a6-3676-4870-a4e7-d45b30c35629}\\{b4fc721a-0378-476f-89ba-a5a79f810b36}\\CounterCount",
          "content": "35"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,365",
        "eid": 1596,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{383487a6-3676-4870-a4e7-d45b30c35629}\\{ed83b00b-6afd-4063-9420-16fe0fa3b36f}\\InstanceType",
          "content": "2"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,365",
        "eid": 1597,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{383487a6-3676-4870-a4e7-d45b30c35629}\\{ed83b00b-6afd-4063-9420-16fe0fa3b36f}\\NameResource",
          "content": "285"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,365",
        "eid": 1598,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{383487a6-3676-4870-a4e7-d45b30c35629}\\{ed83b00b-6afd-4063-9420-16fe0fa3b36f}\\ExplainResource",
          "content": "287"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,365",
        "eid": 1599,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{383487a6-3676-4870-a4e7-d45b30c35629}\\{ed83b00b-6afd-4063-9420-16fe0fa3b36f}\\First Counter",
          "content": "3690"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,365",
        "eid": 1600,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{383487a6-3676-4870-a4e7-d45b30c35629}\\{ed83b00b-6afd-4063-9420-16fe0fa3b36f}\\Last Counter",
          "content": "3700"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,365",
        "eid": 1601,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{383487a6-3676-4870-a4e7-d45b30c35629}\\{ed83b00b-6afd-4063-9420-16fe0fa3b36f}\\NeutralName",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,365",
        "eid": 1602,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{383487a6-3676-4870-a4e7-d45b30c35629}\\{ed83b00b-6afd-4063-9420-16fe0fa3b36f}\\NeutralName",
          "content": "Event Tracing for Windows Session"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,365",
        "eid": 1603,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{383487a6-3676-4870-a4e7-d45b30c35629}\\{ed83b00b-6afd-4063-9420-16fe0fa3b36f}\\CounterBlock",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,365",
        "eid": 1604,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{383487a6-3676-4870-a4e7-d45b30c35629}\\{ed83b00b-6afd-4063-9420-16fe0fa3b36f}\\CounterBlock",
          "content": "\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xc8\\x00\\x00\\x00\\x00\\x00\\x00\\x00!\\x01\\x00\\x00#\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xc8\\x00\\x00\\x00\\x00\\x00\\x00\\x00%\\x01\\x00\\x00'\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x05A\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xc8\\x00\\x00\\x00\\x00\\x00\\x00\\x00)\\x01\\x00\\x00+\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xc8\\x00\\x00\\x00\\x00\\x00\\x00\\x00-\\x01\\x00\\x00/\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xc8\\x00\\x00\\x00\\x00\\x00\\x00\\x001\\x01\\x00\\x003\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x00"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,365",
        "eid": 1605,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{383487a6-3676-4870-a4e7-d45b30c35629}\\{ed83b00b-6afd-4063-9420-16fe0fa3b36f}\\CounterCount",
          "content": "5"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,365",
        "eid": 1606,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{383487a6-3676-4870-a4e7-d45b30c35629}\\{f596750d-b109-4247-a62f-dea47a46e505}\\InstanceType",
          "content": "6"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,365",
        "eid": 1607,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{383487a6-3676-4870-a4e7-d45b30c35629}\\{f596750d-b109-4247-a62f-dea47a46e505}\\NameResource",
          "content": "483"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,365",
        "eid": 1608,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{383487a6-3676-4870-a4e7-d45b30c35629}\\{f596750d-b109-4247-a62f-dea47a46e505}\\ExplainResource",
          "content": "481"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,365",
        "eid": 1609,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{383487a6-3676-4870-a4e7-d45b30c35629}\\{f596750d-b109-4247-a62f-dea47a46e505}\\First Counter",
          "content": "3788"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,365",
        "eid": 1610,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{383487a6-3676-4870-a4e7-d45b30c35629}\\{f596750d-b109-4247-a62f-dea47a46e505}\\Last Counter",
          "content": "3792"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,365",
        "eid": 1611,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{383487a6-3676-4870-a4e7-d45b30c35629}\\{f596750d-b109-4247-a62f-dea47a46e505}\\NeutralName",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,365",
        "eid": 1612,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{383487a6-3676-4870-a4e7-d45b30c35629}\\{f596750d-b109-4247-a62f-dea47a46e505}\\NeutralName",
          "content": "FileSystem Disk Activity"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,365",
        "eid": 1613,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{383487a6-3676-4870-a4e7-d45b30c35629}\\{f596750d-b109-4247-a62f-dea47a46e505}\\CounterBlock",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,365",
        "eid": 1614,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{383487a6-3676-4870-a4e7-d45b30c35629}\\{f596750d-b109-4247-a62f-dea47a46e505}\\CounterBlock",
          "content": "\\x00\\x00\\x00\\x00\\x00\\x05A\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xc8\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xe7\\x01\\x00\\x00\\xe5\\x01\\x00\\x00\\x01\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x05A\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xc8\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xeb\\x01\\x00\\x00\\xe9\\x01\\x00\\x00\\x01\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x00"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,365",
        "eid": 1615,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{383487a6-3676-4870-a4e7-d45b30c35629}\\{f596750d-b109-4247-a62f-dea47a46e505}\\CounterCount",
          "content": "2"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,365",
        "eid": 1616,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{3def464b-f31b-4117-8fb7-bb829a0e1a15}\\ProviderType",
          "content": "1"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,365",
        "eid": 1617,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{3def464b-f31b-4117-8fb7-bb829a0e1a15}\\ProviderName",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,365",
        "eid": 1618,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{3def464b-f31b-4117-8fb7-bb829a0e1a15}\\ApplicationIdentity",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,365",
        "eid": 1619,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{3def464b-f31b-4117-8fb7-bb829a0e1a15}\\ApplicationIdentity",
          "content": "%SystemRoot%\\system32\\drivers\\ndis.sys"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,365",
        "eid": 1620,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{3def464b-f31b-4117-8fb7-bb829a0e1a15}\\{2617bf8d-bedc-4231-b92b-1dd2d34ee225}\\InstanceType",
          "content": "2"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,365",
        "eid": 1621,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{3def464b-f31b-4117-8fb7-bb829a0e1a15}\\{2617bf8d-bedc-4231-b92b-1dd2d34ee225}\\NameResource",
          "content": "911"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,365",
        "eid": 1622,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{3def464b-f31b-4117-8fb7-bb829a0e1a15}\\{2617bf8d-bedc-4231-b92b-1dd2d34ee225}\\ExplainResource",
          "content": "913"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,365",
        "eid": 1623,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{3def464b-f31b-4117-8fb7-bb829a0e1a15}\\{2617bf8d-bedc-4231-b92b-1dd2d34ee225}\\First Counter",
          "content": "3060"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,365",
        "eid": 1624,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{3def464b-f31b-4117-8fb7-bb829a0e1a15}\\{2617bf8d-bedc-4231-b92b-1dd2d34ee225}\\Last Counter",
          "content": "3086"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,365",
        "eid": 1625,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{3def464b-f31b-4117-8fb7-bb829a0e1a15}\\{2617bf8d-bedc-4231-b92b-1dd2d34ee225}\\NeutralName",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,365",
        "eid": 1626,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{3def464b-f31b-4117-8fb7-bb829a0e1a15}\\{2617bf8d-bedc-4231-b92b-1dd2d34ee225}\\NeutralName",
          "content": "PacketDirect EC Utilization"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,365",
        "eid": 1627,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{3def464b-f31b-4117-8fb7-bb829a0e1a15}\\{2617bf8d-bedc-4231-b92b-1dd2d34ee225}\\CounterBlock",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,365",
        "eid": 1628,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{3def464b-f31b-4117-8fb7-bb829a0e1a15}\\{2617bf8d-bedc-4231-b92b-1dd2d34ee225}\\CounterBlock",
          "content": "\\x01\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00d\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x9f\\x03\\x00\\x00\\xa1\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00d\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xab\\x03\\x00\\x00\\xad\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x00\\x04A\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00d\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xaf\\x03\\x00\\x00\\xb1\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00d\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb3\\x03\\x00\\x00\\xb5\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x00\\x05\\x00\\x00\\x00\\x00\\x04A\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00d\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb7\\x03\\x00\\x00\\xb9\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x00\\x06\\x00\\x00\\x00\\x01\\x04\\x03@\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00d\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x00\\x07\\x00\\x00\\x00\\x00\\x04\\xc2 
\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00d\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xbb\\x03\\x00\\x00\\xbd\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x06\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x00\n\\x00\\x00\\x00\\x00\\x05\\x03@\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00d\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x00\\x0b\\x00\\x00\\x00\\x00\\x05G \\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00d\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xbf\\x03\\x00\\x00\\xc1\\x03\\x00\\x00\\x00\\x00\\x00\\x00\n\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x00\\x0c\\x00\\x00\\x00\\x00\\x05G "
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,365",
        "eid": 1629,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{3def464b-f31b-4117-8fb7-bb829a0e1a15}\\{2617bf8d-bedc-4231-b92b-1dd2d34ee225}\\CounterCount",
          "content": "13"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,365",
        "eid": 1630,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{3def464b-f31b-4117-8fb7-bb829a0e1a15}\\{4ad2297e-ee20-42b4-9cb7-13f6f1598dbd}\\InstanceType",
          "content": "2"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,365",
        "eid": 1631,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{3def464b-f31b-4117-8fb7-bb829a0e1a15}\\{4ad2297e-ee20-42b4-9cb7-13f6f1598dbd}\\NameResource",
          "content": "301"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,365",
        "eid": 1632,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{3def464b-f31b-4117-8fb7-bb829a0e1a15}\\{4ad2297e-ee20-42b4-9cb7-13f6f1598dbd}\\ExplainResource",
          "content": "303"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,365",
        "eid": 1633,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{3def464b-f31b-4117-8fb7-bb829a0e1a15}\\{4ad2297e-ee20-42b4-9cb7-13f6f1598dbd}\\First Counter",
          "content": "2992"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,365",
        "eid": 1634,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{3def464b-f31b-4117-8fb7-bb829a0e1a15}\\{4ad2297e-ee20-42b4-9cb7-13f6f1598dbd}\\Last Counter",
          "content": "3012"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,365",
        "eid": 1635,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{3def464b-f31b-4117-8fb7-bb829a0e1a15}\\{4ad2297e-ee20-42b4-9cb7-13f6f1598dbd}\\NeutralName",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,365",
        "eid": 1636,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{3def464b-f31b-4117-8fb7-bb829a0e1a15}\\{4ad2297e-ee20-42b4-9cb7-13f6f1598dbd}\\NeutralName",
          "content": "RDMA Activity"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,365",
        "eid": 1637,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{3def464b-f31b-4117-8fb7-bb829a0e1a15}\\{4ad2297e-ee20-42b4-9cb7-13f6f1598dbd}\\CounterBlock",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,365",
        "eid": 1638,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{3def464b-f31b-4117-8fb7-bb829a0e1a15}\\{4ad2297e-ee20-42b4-9cb7-13f6f1598dbd}\\CounterBlock",
          "content": "\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00d\\x00\\x00\\x00\\x00\\x00\\x00\\x001\\x01\\x00\\x003\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00d\\x00\\x00\\x00\\x00\\x00\\x00\\x005\\x01\\x00\\x007\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00d\\x00\\x00\\x00\\x00\\x00\\x00\\x009\\x01\\x00\\x00;\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00d\\x00\\x00\\x00\\x00\\x00\\x00\\x00=\\x01\\x00\\x00?\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00d\\x00\\x00\\x00\\x00\\x00\\x00\\x00A\\x01\\x00\\x00C\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x00\\x19\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00d\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x95\\x01\\x00\\x00\\x97\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x00\\x1a\\x00\\x00\\x00\\x00\\x05A\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00d\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x99\\x01\\x00\\x00\\x9b\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x00\\x1b\\x00\\x00\\x00\\x00\\x05A\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00d\\x00\\x00\\x
00\\x00\\x00\\x00\\x00\\x9d\\x01\\x00\\x00\\x9f\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x00\\x1c\\x00\\x00\\x00\\x00\\x05A\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00d\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xa1\\x01\\x00\\x00\\xa3\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x00\\x1d\\x00\\x00\\x00\\x00\\x05A\\x10"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,365",
        "eid": 1639,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{3def464b-f31b-4117-8fb7-bb829a0e1a15}\\{4ad2297e-ee20-42b4-9cb7-13f6f1598dbd}\\CounterCount",
          "content": "10"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,365",
        "eid": 1640,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{3def464b-f31b-4117-8fb7-bb829a0e1a15}\\{59ceb84f-55ff-48c0-80cc-df0068501814}\\InstanceType",
          "content": "2"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,365",
        "eid": 1641,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{3def464b-f31b-4117-8fb7-bb829a0e1a15}\\{59ceb84f-55ff-48c0-80cc-df0068501814}\\NameResource",
          "content": "841"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,365",
        "eid": 1642,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{3def464b-f31b-4117-8fb7-bb829a0e1a15}\\{59ceb84f-55ff-48c0-80cc-df0068501814}\\ExplainResource",
          "content": "843"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,365",
        "eid": 1643,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{3def464b-f31b-4117-8fb7-bb829a0e1a15}\\{59ceb84f-55ff-48c0-80cc-df0068501814}\\First Counter",
          "content": "3036"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,365",
        "eid": 1644,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{3def464b-f31b-4117-8fb7-bb829a0e1a15}\\{59ceb84f-55ff-48c0-80cc-df0068501814}\\Last Counter",
          "content": "3048"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,365",
        "eid": 1645,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{3def464b-f31b-4117-8fb7-bb829a0e1a15}\\{59ceb84f-55ff-48c0-80cc-df0068501814}\\NeutralName",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,365",
        "eid": 1646,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{3def464b-f31b-4117-8fb7-bb829a0e1a15}\\{59ceb84f-55ff-48c0-80cc-df0068501814}\\NeutralName",
          "content": "PacketDirect Receive Counters"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,365",
        "eid": 1647,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{3def464b-f31b-4117-8fb7-bb829a0e1a15}\\{59ceb84f-55ff-48c0-80cc-df0068501814}\\CounterBlock",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,365",
        "eid": 1648,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{3def464b-f31b-4117-8fb7-bb829a0e1a15}\\{59ceb84f-55ff-48c0-80cc-df0068501814}\\CounterBlock",
          "content": "\\x00\\x00\\x00\\x00\\x00\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00d\\x00\\x00\\x00\\x00\\x00\\x00\\x00M\\x03\\x00\\x00O\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x05A\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00d\\x00\\x00\\x00\\x00\\x00\\x00\\x00Q\\x03\\x00\\x00S\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00d\\x00\\x00\\x00\\x00\\x00\\x00\\x00U\\x03\\x00\\x00W\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x00\\x05A\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00d\\x00\\x00\\x00\\x00\\x00\\x00\\x00Y\\x03\\x00\\x00[\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00d\\x00\\x00\\x00\\x00\\x00\\x00\\x00]\\x03\\x00\\x00_\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x00\\x05\\x00\\x00\\x00\\x00\\x05A\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00d\\x00\\x00\\x00\\x00\\x00\\x00\\x00a\\x03\\x00\\x00c\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x00"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,365",
        "eid": 1649,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{3def464b-f31b-4117-8fb7-bb829a0e1a15}\\{59ceb84f-55ff-48c0-80cc-df0068501814}\\CounterCount",
          "content": "6"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,365",
        "eid": 1650,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{3def464b-f31b-4117-8fb7-bb829a0e1a15}\\{882d9f58-d338-4a83-bc3d-23f5b0a98fa9}\\InstanceType",
          "content": "2"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,365",
        "eid": 1651,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{3def464b-f31b-4117-8fb7-bb829a0e1a15}\\{882d9f58-d338-4a83-bc3d-23f5b0a98fa9}\\NameResource",
          "content": "981"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,365",
        "eid": 1652,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{3def464b-f31b-4117-8fb7-bb829a0e1a15}\\{882d9f58-d338-4a83-bc3d-23f5b0a98fa9}\\ExplainResource",
          "content": "983"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,365",
        "eid": 1653,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{3def464b-f31b-4117-8fb7-bb829a0e1a15}\\{882d9f58-d338-4a83-bc3d-23f5b0a98fa9}\\First Counter",
          "content": "3088"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,365",
        "eid": 1654,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{3def464b-f31b-4117-8fb7-bb829a0e1a15}\\{882d9f58-d338-4a83-bc3d-23f5b0a98fa9}\\Last Counter",
          "content": "3092"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,365",
        "eid": 1655,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{3def464b-f31b-4117-8fb7-bb829a0e1a15}\\{882d9f58-d338-4a83-bc3d-23f5b0a98fa9}\\NeutralName",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,365",
        "eid": 1656,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{3def464b-f31b-4117-8fb7-bb829a0e1a15}\\{882d9f58-d338-4a83-bc3d-23f5b0a98fa9}\\NeutralName",
          "content": "PacketDirect Queue Depth"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,365",
        "eid": 1657,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{3def464b-f31b-4117-8fb7-bb829a0e1a15}\\{882d9f58-d338-4a83-bc3d-23f5b0a98fa9}\\CounterBlock",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,365",
        "eid": 1658,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{3def464b-f31b-4117-8fb7-bb829a0e1a15}\\{882d9f58-d338-4a83-bc3d-23f5b0a98fa9}\\CounterBlock",
          "content": "\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00d\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xd9\\x03\\x00\\x00\\xdb\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00d\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xdd\\x03\\x00\\x00\\xdf\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x00"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,365",
        "eid": 1659,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{3def464b-f31b-4117-8fb7-bb829a0e1a15}\\{882d9f58-d338-4a83-bc3d-23f5b0a98fa9}\\CounterCount",
          "content": "2"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,365",
        "eid": 1660,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{3def464b-f31b-4117-8fb7-bb829a0e1a15}\\{987a3601-c362-48e4-a856-e28f070efb07}\\InstanceType",
          "content": "2"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,365",
        "eid": 1661,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{3def464b-f31b-4117-8fb7-bb829a0e1a15}\\{987a3601-c362-48e4-a856-e28f070efb07}\\NameResource",
          "content": "77"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,365",
        "eid": 1662,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{3def464b-f31b-4117-8fb7-bb829a0e1a15}\\{987a3601-c362-48e4-a856-e28f070efb07}\\ExplainResource",
          "content": "79"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,365",
        "eid": 1663,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{3def464b-f31b-4117-8fb7-bb829a0e1a15}\\{987a3601-c362-48e4-a856-e28f070efb07}\\First Counter",
          "content": "2964"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,365",
        "eid": 1664,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{3def464b-f31b-4117-8fb7-bb829a0e1a15}\\{987a3601-c362-48e4-a856-e28f070efb07}\\Last Counter",
          "content": "2990"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,365",
        "eid": 1665,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{3def464b-f31b-4117-8fb7-bb829a0e1a15}\\{987a3601-c362-48e4-a856-e28f070efb07}\\NeutralName",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,365",
        "eid": 1666,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{3def464b-f31b-4117-8fb7-bb829a0e1a15}\\{987a3601-c362-48e4-a856-e28f070efb07}\\NeutralName",
          "content": "Per Processor Network Activity Cycles"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,365",
        "eid": 1667,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{3def464b-f31b-4117-8fb7-bb829a0e1a15}\\{987a3601-c362-48e4-a856-e28f070efb07}\\CounterBlock",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,365",
        "eid": 1668,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{3def464b-f31b-4117-8fb7-bb829a0e1a15}\\{987a3601-c362-48e4-a856-e28f070efb07}\\CounterBlock",
          "content": "\\x00\\x00\\x00\\x00\\x00\\x05A\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xc8\\x00\\x00\\x00\\x00\\x00\\x00\\x00Q\\x00\\x00\\x00S\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x05A\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xc8\\x00\\x00\\x00\\x00\\x00\\x00\\x00U\\x00\\x00\\x00W\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x05A\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xc8\\x00\\x00\\x00\\x00\\x00\\x00\\x00Y\\x00\\x00\\x00[\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x00\\x05A\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xc8\\x00\\x00\\x00\\x00\\x00\\x00\\x00]\\x00\\x00\\x00_\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x05A\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xc8\\x00\\x00\\x00\\x00\\x00\\x00\\x00a\\x00\\x00\\x00c\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x00\\x05\\x00\\x00\\x00\\x00\\x05A\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xc8\\x00\\x00\\x00\\x00\\x00\\x00\\x00e\\x00\\x00\\x00g\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x00\\x06\\x00\\x00\\x00\\x00\\x05A\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xc8\\x00\\x00\\x00\\x00\\x00\\x00\\x00i\\x00\\x00\\x00k\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x00\\x07\\x00\\x00\\x00\\x00\\x05A\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xc8\\x00\\x00\\x00\\x00\
\x00\\x00\\x00m\\x00\\x00\\x00o\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x05A\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xc8\\x00\\x00\\x00\\x00\\x00\\x00\\x00q\\x00\\x00\\x00s\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x00\n\\x00\\x00\\x00\\x00\\x05A\\x10"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,365",
        "eid": 1669,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{3def464b-f31b-4117-8fb7-bb829a0e1a15}\\{987a3601-c362-48e4-a856-e28f070efb07}\\CounterCount",
          "content": "13"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,365",
        "eid": 1670,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{3def464b-f31b-4117-8fb7-bb829a0e1a15}\\{9acaa205-c3ed-4acd-a911-6554d156b095}\\InstanceType",
          "content": "2"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,365",
        "eid": 1671,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{3def464b-f31b-4117-8fb7-bb829a0e1a15}\\{9acaa205-c3ed-4acd-a911-6554d156b095}\\NameResource",
          "content": "1"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,365",
        "eid": 1672,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{3def464b-f31b-4117-8fb7-bb829a0e1a15}\\{9acaa205-c3ed-4acd-a911-6554d156b095}\\ExplainResource",
          "content": "3"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,365",
        "eid": 1673,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{3def464b-f31b-4117-8fb7-bb829a0e1a15}\\{9acaa205-c3ed-4acd-a911-6554d156b095}\\First Counter",
          "content": "2912"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,365",
        "eid": 1674,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{3def464b-f31b-4117-8fb7-bb829a0e1a15}\\{9acaa205-c3ed-4acd-a911-6554d156b095}\\Last Counter",
          "content": "2962"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,365",
        "eid": 1675,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{3def464b-f31b-4117-8fb7-bb829a0e1a15}\\{9acaa205-c3ed-4acd-a911-6554d156b095}\\NeutralName",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,365",
        "eid": 1676,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{3def464b-f31b-4117-8fb7-bb829a0e1a15}\\{9acaa205-c3ed-4acd-a911-6554d156b095}\\NeutralName",
          "content": "Per Processor Network Interface Card Activity"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,365",
        "eid": 1677,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{3def464b-f31b-4117-8fb7-bb829a0e1a15}\\{9acaa205-c3ed-4acd-a911-6554d156b095}\\CounterBlock",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,365",
        "eid": 1678,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{3def464b-f31b-4117-8fb7-bb829a0e1a15}\\{9acaa205-c3ed-4acd-a911-6554d156b095}\\CounterBlock",
          "content": "\\x00\\x00\\x00\\x00\\x00\\x05A\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00d\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x05\\x00\\x00\\x00\\x07\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x05A\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00d\\x00\\x00\\x00\\x00\\x00\\x00\\x00\t\\x00\\x00\\x00\\x0b\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x05A\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xc8\\x00\\x00\\x00\\x00\\x00\\x00\\x00\r\\x00\\x00\\x00\\x0f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x00\\x05A\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xc8\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x11\\x00\\x00\\x00\\x13\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x00\\x13\\x00\\x00\\x00\\x00\\x05A\\x10\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xc8\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x83\\x00\\x00\\x00\\x81\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x05A\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00d\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x15\\x00\\x00\\x00\\x17\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x00\\x05\\x00\\x00\\x00\\x00\\x05A\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xc8\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x19\\x00\\x00\\x00\\x1b\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x00\\x14\\x00\\x00\\x00\\x00\\x05A\\x10\\x02\\x00\\x00\\x00\\x00\\x
00\\x00\\x00\\xc8\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x85\\x00\\x00\\x00\\x87\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x00\\x18\\x00\\x00\\x00\\x00\\x05A\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xc8\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x93\\x00\\x00\\x00\\x91\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x00\\x06\\x00\\x00\\x00\\x00\\x05A\\x10"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,365",
        "eid": 1679,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{3def464b-f31b-4117-8fb7-bb829a0e1a15}\\{9acaa205-c3ed-4acd-a911-6554d156b095}\\CounterCount",
          "content": "25"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,365",
        "eid": 1680,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{3def464b-f31b-4117-8fb7-bb829a0e1a15}\\{9acaa206-c3ed-4acd-a911-6554d156b095}\\InstanceType",
          "content": "2"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,365",
        "eid": 1681,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{3def464b-f31b-4117-8fb7-bb829a0e1a15}\\{9acaa206-c3ed-4acd-a911-6554d156b095}\\NameResource",
          "content": "801"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,365",
        "eid": 1682,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{3def464b-f31b-4117-8fb7-bb829a0e1a15}\\{9acaa206-c3ed-4acd-a911-6554d156b095}\\ExplainResource",
          "content": "803"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,365",
        "eid": 1683,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{3def464b-f31b-4117-8fb7-bb829a0e1a15}\\{9acaa206-c3ed-4acd-a911-6554d156b095}\\First Counter",
          "content": "3014"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,365",
        "eid": 1684,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{3def464b-f31b-4117-8fb7-bb829a0e1a15}\\{9acaa206-c3ed-4acd-a911-6554d156b095}\\Last Counter",
          "content": "3024"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,365",
        "eid": 1685,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{3def464b-f31b-4117-8fb7-bb829a0e1a15}\\{9acaa206-c3ed-4acd-a911-6554d156b095}\\NeutralName",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,365",
        "eid": 1686,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{3def464b-f31b-4117-8fb7-bb829a0e1a15}\\{9acaa206-c3ed-4acd-a911-6554d156b095}\\NeutralName",
          "content": "Physical Network Interface Card Activity"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,365",
        "eid": 1687,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{3def464b-f31b-4117-8fb7-bb829a0e1a15}\\{9acaa206-c3ed-4acd-a911-6554d156b095}\\CounterBlock",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,365",
        "eid": 1688,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{3def464b-f31b-4117-8fb7-bb829a0e1a15}\\{9acaa206-c3ed-4acd-a911-6554d156b095}\\CounterBlock",
          "content": "\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00d\\x00\\x00\\x00\\x00\\x00\\x00\\x00%\\x03\\x00\\x00'\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x05Q \\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00d\\x00\\x00\\x00\\x00\\x00\\x00\\x00)\\x03\\x00\\x00+\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x05\\x02 \\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00d\\x00\\x00\\x00\\x00\\x00\\x00\\x00-\\x03\\x00\\x00/\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00d\\x00\\x00\\x00\\x00\\x00\\x00\\x001\\x03\\x00\\x003\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x05\\x03@\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00d\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x00"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,365",
        "eid": 1689,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{3def464b-f31b-4117-8fb7-bb829a0e1a15}\\{9acaa206-c3ed-4acd-a911-6554d156b095}\\CounterCount",
          "content": "5"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,365",
        "eid": 1690,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{3def464b-f31b-4117-8fb7-bb829a0e1a15}\\{c0fe4189-5cfa-4659-9eba-10541cc395a0}\\InstanceType",
          "content": "2"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,365",
        "eid": 1691,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{3def464b-f31b-4117-8fb7-bb829a0e1a15}\\{c0fe4189-5cfa-4659-9eba-10541cc395a0}\\NameResource",
          "content": "821"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,365",
        "eid": 1692,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{3def464b-f31b-4117-8fb7-bb829a0e1a15}\\{c0fe4189-5cfa-4659-9eba-10541cc395a0}\\ExplainResource",
          "content": "823"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,365",
        "eid": 1693,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{3def464b-f31b-4117-8fb7-bb829a0e1a15}\\{c0fe4189-5cfa-4659-9eba-10541cc395a0}\\First Counter",
          "content": "3026"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,365",
        "eid": 1694,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{3def464b-f31b-4117-8fb7-bb829a0e1a15}\\{c0fe4189-5cfa-4659-9eba-10541cc395a0}\\Last Counter",
          "content": "3034"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,365",
        "eid": 1695,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{3def464b-f31b-4117-8fb7-bb829a0e1a15}\\{c0fe4189-5cfa-4659-9eba-10541cc395a0}\\NeutralName",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,365",
        "eid": 1696,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{3def464b-f31b-4117-8fb7-bb829a0e1a15}\\{c0fe4189-5cfa-4659-9eba-10541cc395a0}\\NeutralName",
          "content": "PacketDirect Transmit Counters"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,365",
        "eid": 1697,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{3def464b-f31b-4117-8fb7-bb829a0e1a15}\\{c0fe4189-5cfa-4659-9eba-10541cc395a0}\\CounterBlock",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,365",
        "eid": 1698,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{3def464b-f31b-4117-8fb7-bb829a0e1a15}\\{c0fe4189-5cfa-4659-9eba-10541cc395a0}\\CounterBlock",
          "content": "\\x00\\x00\\x00\\x00\\x00\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00d\\x00\\x00\\x00\\x00\\x00\\x00\\x009\\x03\\x00\\x00;\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x05A\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00d\\x00\\x00\\x00\\x00\\x00\\x00\\x00=\\x03\\x00\\x00?\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00d\\x00\\x00\\x00\\x00\\x00\\x00\\x00A\\x03\\x00\\x00C\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x00\\x05A\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00d\\x00\\x00\\x00\\x00\\x00\\x00\\x00E\\x03\\x00\\x00G\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x00"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,365",
        "eid": 1699,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{3def464b-f31b-4117-8fb7-bb829a0e1a15}\\{c0fe4189-5cfa-4659-9eba-10541cc395a0}\\CounterCount",
          "content": "4"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,365",
        "eid": 1700,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{3def464b-f31b-4117-8fb7-bb829a0e1a15}\\{c5a19aba-349b-49cc-94c8-f36404082727}\\InstanceType",
          "content": "2"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,365",
        "eid": 1701,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{3def464b-f31b-4117-8fb7-bb829a0e1a15}\\{c5a19aba-349b-49cc-94c8-f36404082727}\\NameResource",
          "content": "869"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,365",
        "eid": 1702,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{3def464b-f31b-4117-8fb7-bb829a0e1a15}\\{c5a19aba-349b-49cc-94c8-f36404082727}\\ExplainResource",
          "content": "871"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,365",
        "eid": 1703,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{3def464b-f31b-4117-8fb7-bb829a0e1a15}\\{c5a19aba-349b-49cc-94c8-f36404082727}\\First Counter",
          "content": "3050"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,365",
        "eid": 1704,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{3def464b-f31b-4117-8fb7-bb829a0e1a15}\\{c5a19aba-349b-49cc-94c8-f36404082727}\\Last Counter",
          "content": "3058"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,365",
        "eid": 1705,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{3def464b-f31b-4117-8fb7-bb829a0e1a15}\\{c5a19aba-349b-49cc-94c8-f36404082727}\\NeutralName",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,365",
        "eid": 1706,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{3def464b-f31b-4117-8fb7-bb829a0e1a15}\\{c5a19aba-349b-49cc-94c8-f36404082727}\\NeutralName",
          "content": "PacketDirect Receive Filters"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,365",
        "eid": 1707,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{3def464b-f31b-4117-8fb7-bb829a0e1a15}\\{c5a19aba-349b-49cc-94c8-f36404082727}\\CounterBlock",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,365",
        "eid": 1708,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{3def464b-f31b-4117-8fb7-bb829a0e1a15}\\{c5a19aba-349b-49cc-94c8-f36404082727}\\CounterBlock",
          "content": "\\x00\\x00\\x00\\x00\\x00\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00d\\x00\\x00\\x00\\x00\\x00\\x00\\x00i\\x03\\x00\\x00k\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x05A\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00d\\x00\\x00\\x00\\x00\\x00\\x00\\x00o\\x03\\x00\\x00q\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00d\\x00\\x00\\x00\\x00\\x00\\x00\\x00s\\x03\\x00\\x00u\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x00\\x05A\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00d\\x00\\x00\\x00\\x00\\x00\\x00\\x00w\\x03\\x00\\x00y\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x00"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,365",
        "eid": 1709,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{3def464b-f31b-4117-8fb7-bb829a0e1a15}\\{c5a19aba-349b-49cc-94c8-f36404082727}\\CounterCount",
          "content": "4"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,365",
        "eid": 1710,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{3e785595-30c2-437d-96ed-677d14724610}\\ProviderType",
          "content": "0"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,365",
        "eid": 1711,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{3e785595-30c2-437d-96ed-677d14724610}\\ProviderName",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,365",
        "eid": 1712,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{3e785595-30c2-437d-96ed-677d14724610}\\ProviderName",
          "content": "Distributed Routing Table Perf"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,365",
        "eid": 1713,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{3e785595-30c2-437d-96ed-677d14724610}\\ApplicationIdentity",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,365",
        "eid": 1714,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{3e785595-30c2-437d-96ed-677d14724610}\\ApplicationIdentity",
          "content": "drt.dll"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,365",
        "eid": 1715,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{3e785595-30c2-437d-96ed-677d14724610}\\{6ca1716d-53cd-468a-a1b3-59032c19c166}\\InstanceType",
          "content": "2"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,365",
        "eid": 1716,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{3e785595-30c2-437d-96ed-677d14724610}\\{6ca1716d-53cd-468a-a1b3-59032c19c166}\\NameResource",
          "content": "1"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,365",
        "eid": 1717,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{3e785595-30c2-437d-96ed-677d14724610}\\{6ca1716d-53cd-468a-a1b3-59032c19c166}\\ExplainResource",
          "content": "3"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,365",
        "eid": 1718,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{3e785595-30c2-437d-96ed-677d14724610}\\{6ca1716d-53cd-468a-a1b3-59032c19c166}\\First Counter",
          "content": "4020"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,365",
        "eid": 1719,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{3e785595-30c2-437d-96ed-677d14724610}\\{6ca1716d-53cd-468a-a1b3-59032c19c166}\\Last Counter",
          "content": "4072"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,365",
        "eid": 1720,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{3e785595-30c2-437d-96ed-677d14724610}\\{6ca1716d-53cd-468a-a1b3-59032c19c166}\\CounterBlock",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,365",
        "eid": 1721,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{3e785595-30c2-437d-96ed-677d14724610}\\{6ca1716d-53cd-468a-a1b3-59032c19c166}\\CounterBlock",
          "content": "\\x01\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00d\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x05\\x00\\x00\\x00\\x07\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00d\\x00\\x00\\x00\\x00\\x00\\x00\\x00\t\\x00\\x00\\x00\\x0b\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00d\\x00\\x00\\x00\\x00\\x00\\x00\\x00\r\\x00\\x00\\x00\\x0f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x04A\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00d\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x11\\x00\\x00\\x00\\x13\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x00\\x05\\x00\\x00\\x00\\x00\\x04A\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00d\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x15\\x00\\x00\\x00\\x17\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x00\\x06\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00d\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x19\\x00\\x00\\x00\\x1b\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x00\\x07\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00d\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x1d\\x00\\x00\\x00\\x1f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00
\\x00\\x00\\x00\\x00d\\x00\\x00\\x00\\x00\\x00\\x00\\x00!\\x00\\x00\\x00#\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x00\t\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00d\\x00\\x00\\x00\\x00\\x00\\x00\\x00%\\x00\\x00\\x00'\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x00\n\\x00\\x00\\x00\\x00\\x04A\\x10"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,365",
        "eid": 1722,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{3e785595-30c2-437d-96ed-677d14724610}\\{6ca1716d-53cd-468a-a1b3-59032c19c166}\\CounterCount",
          "content": "26"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,365",
        "eid": 1723,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{408443b2-2164-418a-ad52-c761f93310f3}\\ProviderType",
          "content": "1"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,365",
        "eid": 1724,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{408443b2-2164-418a-ad52-c761f93310f3}\\ProviderName",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,365",
        "eid": 1725,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{408443b2-2164-418a-ad52-c761f93310f3}\\ApplicationIdentity",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,365",
        "eid": 1726,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{408443b2-2164-418a-ad52-c761f93310f3}\\ApplicationIdentity",
          "content": "%SystemRoot%\\system32\\drivers\\usbxhci.sys"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,365",
        "eid": 1727,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{408443b2-2164-418a-ad52-c761f93310f3}\\{c3cf1c57-275d-4b71-a5a6-e4e90401b821}\\InstanceType",
          "content": "6"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,365",
        "eid": 1728,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{408443b2-2164-418a-ad52-c761f93310f3}\\{c3cf1c57-275d-4b71-a5a6-e4e90401b821}\\NameResource",
          "content": "201"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,365",
        "eid": 1729,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{408443b2-2164-418a-ad52-c761f93310f3}\\{c3cf1c57-275d-4b71-a5a6-e4e90401b821}\\ExplainResource",
          "content": "203"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,365",
        "eid": 1730,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{408443b2-2164-418a-ad52-c761f93310f3}\\{c3cf1c57-275d-4b71-a5a6-e4e90401b821}\\First Counter",
          "content": "3980"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,365",
        "eid": 1731,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{408443b2-2164-418a-ad52-c761f93310f3}\\{c3cf1c57-275d-4b71-a5a6-e4e90401b821}\\Last Counter",
          "content": "3988"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,365",
        "eid": 1732,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{408443b2-2164-418a-ad52-c761f93310f3}\\{c3cf1c57-275d-4b71-a5a6-e4e90401b821}\\NeutralName",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,365",
        "eid": 1733,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{408443b2-2164-418a-ad52-c761f93310f3}\\{c3cf1c57-275d-4b71-a5a6-e4e90401b821}\\NeutralName",
          "content": "XHCI CommonBuffer"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,365",
        "eid": 1734,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{408443b2-2164-418a-ad52-c761f93310f3}\\{c3cf1c57-275d-4b71-a5a6-e4e90401b821}\\CounterBlock",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,365",
        "eid": 1735,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{408443b2-2164-418a-ad52-c761f93310f3}\\{c3cf1c57-275d-4b71-a5a6-e4e90401b821}\\CounterBlock",
          "content": "\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00d\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xcd\\x00\\x00\\x00\\xcf\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00d\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xd1\\x00\\x00\\x00\\xd3\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00d\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xd5\\x00\\x00\\x00\\xd7\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00d\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xd9\\x00\\x00\\x00\\xdb\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x00"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,365",
        "eid": 1736,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{408443b2-2164-418a-ad52-c761f93310f3}\\{c3cf1c57-275d-4b71-a5a6-e4e90401b821}\\CounterCount",
          "content": "4"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,365",
        "eid": 1737,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{408443b2-2164-418a-ad52-c761f93310f3}\\{e363bd27-bfbd-4581-a142-ecc006a7b82b}\\InstanceType",
          "content": "6"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,365",
        "eid": 1738,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{408443b2-2164-418a-ad52-c761f93310f3}\\{e363bd27-bfbd-4581-a142-ecc006a7b82b}\\NameResource",
          "content": "101"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,365",
        "eid": 1739,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{408443b2-2164-418a-ad52-c761f93310f3}\\{e363bd27-bfbd-4581-a142-ecc006a7b82b}\\ExplainResource",
          "content": "103"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,365",
        "eid": 1740,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{408443b2-2164-418a-ad52-c761f93310f3}\\{e363bd27-bfbd-4581-a142-ecc006a7b82b}\\First Counter",
          "content": "3990"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,365",
        "eid": 1741,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{408443b2-2164-418a-ad52-c761f93310f3}\\{e363bd27-bfbd-4581-a142-ecc006a7b82b}\\Last Counter",
          "content": "4004"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,365",
        "eid": 1742,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{408443b2-2164-418a-ad52-c761f93310f3}\\{e363bd27-bfbd-4581-a142-ecc006a7b82b}\\NeutralName",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,365",
        "eid": 1743,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{408443b2-2164-418a-ad52-c761f93310f3}\\{e363bd27-bfbd-4581-a142-ecc006a7b82b}\\NeutralName",
          "content": "XHCI TransferRing"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,365",
        "eid": 1744,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{408443b2-2164-418a-ad52-c761f93310f3}\\{e363bd27-bfbd-4581-a142-ecc006a7b82b}\\CounterBlock",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,365",
        "eid": 1745,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{408443b2-2164-418a-ad52-c761f93310f3}\\{e363bd27-bfbd-4581-a142-ecc006a7b82b}\\CounterBlock",
          "content": "\\x00\\x00\\x00\\x00\\x00\\x04A\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00d\\x00\\x00\\x00\\x00\\x00\\x00\\x00i\\x00\\x00\\x00k\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00d\\x00\\x00\\x00\\x00\\x00\\x00\\x00m\\x00\\x00\\x00o\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x04A\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00d\\x00\\x00\\x00\\x00\\x00\\x00\\x00q\\x00\\x00\\x00s\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x00\\x04A\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00d\\x00\\x00\\x00\\x00\\x00\\x00\\x00u\\x00\\x00\\x00w\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x04A\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00d\\x00\\x00\\x00\\x00\\x00\\x00\\x00y\\x00\\x00\\x00{\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x00\\x05\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00d\\x00\\x00\\x00\\x00\\x00\\x00\\x00}\\x00\\x00\\x00\\x7f\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x00\\x06\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00d\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x81\\x00\\x00\\x00\\x83\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x00"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,365",
        "eid": 1746,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{408443b2-2164-418a-ad52-c761f93310f3}\\{e363bd27-bfbd-4581-a142-ecc006a7b82b}\\CounterCount",
          "content": "7"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,365",
        "eid": 1747,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{408443b2-2164-418a-ad52-c761f93310f3}\\{f961fa1c-6b9b-4d16-b414-499ed1f6d6f2}\\InstanceType",
          "content": "6"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,365",
        "eid": 1748,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{408443b2-2164-418a-ad52-c761f93310f3}\\{f961fa1c-6b9b-4d16-b414-499ed1f6d6f2}\\NameResource",
          "content": "1"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,365",
        "eid": 1749,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{408443b2-2164-418a-ad52-c761f93310f3}\\{f961fa1c-6b9b-4d16-b414-499ed1f6d6f2}\\ExplainResource",
          "content": "3"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,365",
        "eid": 1750,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{408443b2-2164-418a-ad52-c761f93310f3}\\{f961fa1c-6b9b-4d16-b414-499ed1f6d6f2}\\First Counter",
          "content": "3966"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,365",
        "eid": 1751,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{408443b2-2164-418a-ad52-c761f93310f3}\\{f961fa1c-6b9b-4d16-b414-499ed1f6d6f2}\\Last Counter",
          "content": "3978"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,365",
        "eid": 1752,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{408443b2-2164-418a-ad52-c761f93310f3}\\{f961fa1c-6b9b-4d16-b414-499ed1f6d6f2}\\NeutralName",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,365",
        "eid": 1753,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{408443b2-2164-418a-ad52-c761f93310f3}\\{f961fa1c-6b9b-4d16-b414-499ed1f6d6f2}\\NeutralName",
          "content": "XHCI Interrupter"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,365",
        "eid": 1754,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{408443b2-2164-418a-ad52-c761f93310f3}\\{f961fa1c-6b9b-4d16-b414-499ed1f6d6f2}\\CounterBlock",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,365",
        "eid": 1755,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{408443b2-2164-418a-ad52-c761f93310f3}\\{f961fa1c-6b9b-4d16-b414-499ed1f6d6f2}\\CounterBlock",
          "content": "\\x00\\x00\\x00\\x00\\x00\\x04A\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00d\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x05\\x00\\x00\\x00\\x07\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x04A\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00d\\x00\\x00\\x00\\x00\\x00\\x00\\x00\t\\x00\\x00\\x00\\x0b\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x05\\x02@\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00d\\x00\\x00\\x00\\x00\\x00\\x00\\x00\r\\x00\\x00\\x00\\x0f\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x02\\x04\\x03@\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00d\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x11\\x00\\x00\\x00\\x13\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00d\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x15\\x00\\x00\\x00\\x17\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x00\\x05\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00d\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x19\\x00\\x00\\x00\\x1b\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x00"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,365",
        "eid": 1756,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{408443b2-2164-418a-ad52-c761f93310f3}\\{f961fa1c-6b9b-4d16-b414-499ed1f6d6f2}\\CounterCount",
          "content": "6"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,365",
        "eid": 1757,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{420a6c98-914e-40fc-9a0f-80c7db801780}\\ProviderType",
          "content": "0"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,365",
        "eid": 1758,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{420a6c98-914e-40fc-9a0f-80c7db801780}\\ProviderName",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,365",
        "eid": 1759,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{420a6c98-914e-40fc-9a0f-80c7db801780}\\ApplicationIdentity",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,365",
        "eid": 1760,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{420a6c98-914e-40fc-9a0f-80c7db801780}\\ApplicationIdentity",
          "content": "NetLogon.dll"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,365",
        "eid": 1761,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{420a6c98-914e-40fc-9a0f-80c7db801780}\\{a44a45c2-664d-476c-b68c-6b123eccc31f}\\InstanceType",
          "content": "2"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,365",
        "eid": 1762,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{420a6c98-914e-40fc-9a0f-80c7db801780}\\{a44a45c2-664d-476c-b68c-6b123eccc31f}\\NameResource",
          "content": "2000"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,365",
        "eid": 1763,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{420a6c98-914e-40fc-9a0f-80c7db801780}\\{a44a45c2-664d-476c-b68c-6b123eccc31f}\\ExplainResource",
          "content": "2002"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,365",
        "eid": 1764,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{420a6c98-914e-40fc-9a0f-80c7db801780}\\{a44a45c2-664d-476c-b68c-6b123eccc31f}\\First Counter",
          "content": "6332"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,365",
        "eid": 1765,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{420a6c98-914e-40fc-9a0f-80c7db801780}\\{a44a45c2-664d-476c-b68c-6b123eccc31f}\\Last Counter",
          "content": "6348"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,365",
        "eid": 1766,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{420a6c98-914e-40fc-9a0f-80c7db801780}\\{a44a45c2-664d-476c-b68c-6b123eccc31f}\\CounterBlock",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,365",
        "eid": 1767,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{420a6c98-914e-40fc-9a0f-80c7db801780}\\{a44a45c2-664d-476c-b68c-6b123eccc31f}\\CounterBlock",
          "content": "\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00d\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xd4\\x07\\x00\\x00\\xd6\\x07\\x00\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00d\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xd8\\x07\\x00\\x00\\xda\\x07\\x00\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00d\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xdc\\x07\\x00\\x00\\xde\\x07\\x00\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x00\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00d\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xe0\\x07\\x00\\x00\\xe2\\x07\\x00\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x04\\x020\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00d\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xe4\\x07\\x00\\x00\\xe6\\x07\\x00\\x00\\x00\\x00\\x00\\x00\\x05\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x00\\x05\\x00\\x00\\x00\\x02\\x04\\x03@\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00d\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xe8\\x07\\x00\\x00\\xea\\x07\\x00\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x00\\x06\\x00\\x00\\x00\\x00\\x04\\x020\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00d\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xec\\x07\\x00\\x00\\xee\\x07\\x00\\x00\\x00\\x00\\x00\\x00\\x07\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x00\\x07\\x00\\x00\\x00\\x02\\x04\\x03@\\x02\\x00\\x00\\x00\\
x00\\x00\\x00\\x00d\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xf0\\x07\\x00\\x00\\xf2\\x07\\x00\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x00"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,365",
        "eid": 1768,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{420a6c98-914e-40fc-9a0f-80c7db801780}\\{a44a45c2-664d-476c-b68c-6b123eccc31f}\\CounterCount",
          "content": "8"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,365",
        "eid": 1769,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{4d4bac91-2b54-4f84-be36-cf74389f8f49}\\ProviderType",
          "content": "1"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,365",
        "eid": 1770,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{4d4bac91-2b54-4f84-be36-cf74389f8f49}\\ProviderName",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,365",
        "eid": 1771,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{4d4bac91-2b54-4f84-be36-cf74389f8f49}\\ApplicationIdentity",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,365",
        "eid": 1772,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{4d4bac91-2b54-4f84-be36-cf74389f8f49}\\ApplicationIdentity",
          "content": "%systemroot%\\system32\\drivers\\srv2.sys"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,365",
        "eid": 1773,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{4d4bac91-2b54-4f84-be36-cf74389f8f49}\\{d30c5234-f79d-44a9-9803-2f9d5feef791}\\InstanceType",
          "content": "0"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,365",
        "eid": 1774,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{4d4bac91-2b54-4f84-be36-cf74389f8f49}\\{d30c5234-f79d-44a9-9803-2f9d5feef791}\\NameResource",
          "content": "3003"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,365",
        "eid": 1775,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{4d4bac91-2b54-4f84-be36-cf74389f8f49}\\{d30c5234-f79d-44a9-9803-2f9d5feef791}\\ExplainResource",
          "content": "3001"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,365",
        "eid": 1776,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{4d4bac91-2b54-4f84-be36-cf74389f8f49}\\{d30c5234-f79d-44a9-9803-2f9d5feef791}\\First Counter",
          "content": "5864"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,365",
        "eid": 1777,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{4d4bac91-2b54-4f84-be36-cf74389f8f49}\\{d30c5234-f79d-44a9-9803-2f9d5feef791}\\Last Counter",
          "content": "5876"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,365",
        "eid": 1778,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{4d4bac91-2b54-4f84-be36-cf74389f8f49}\\{d30c5234-f79d-44a9-9803-2f9d5feef791}\\NeutralName",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,365",
        "eid": 1779,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{4d4bac91-2b54-4f84-be36-cf74389f8f49}\\{d30c5234-f79d-44a9-9803-2f9d5feef791}\\NeutralName",
          "content": "SMB Server"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,365",
        "eid": 1780,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{4d4bac91-2b54-4f84-be36-cf74389f8f49}\\{d30c5234-f79d-44a9-9803-2f9d5feef791}\\CounterBlock",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,365",
        "eid": 1781,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{4d4bac91-2b54-4f84-be36-cf74389f8f49}\\{d30c5234-f79d-44a9-9803-2f9d5feef791}\\CounterBlock",
          "content": "\\x01\\x00\\x00\\x00\\x00\\x05A\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00d\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xbf\\x0b\\x00\\x00\\xbd\\x0b\\x00\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x05A\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00d\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xc3\\x0b\\x00\\x00\\xc1\\x0b\\x00\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x00\\x05A\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00d\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xc7\\x0b\\x00\\x00\\xc5\\x0b\\x00\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x05A\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00d\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xcb\\x0b\\x00\\x00\\xc9\\x0b\\x00\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x00\\x05\\x00\\x00\\x00\\x00\\x05A\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00d\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xcf\\x0b\\x00\\x00\\xcd\\x0b\\x00\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x00\\x06\\x00\\x00\\x00\\x00\\x05A\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00d\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xd3\\x0b\\x00\\x00\\xd1\\x0b\\x00\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x00"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,365",
        "eid": 1782,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{4d4bac91-2b54-4f84-be36-cf74389f8f49}\\{d30c5234-f79d-44a9-9803-2f9d5feef791}\\CounterCount",
          "content": "6"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,365",
        "eid": 1783,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{4d4bac91-2b54-4f84-be36-cf74389f8f49}\\{e6e560b2-062f-41ca-89ab-f6987f2b7a25}\\InstanceType",
          "content": "6"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,365",
        "eid": 1784,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{4d4bac91-2b54-4f84-be36-cf74389f8f49}\\{e6e560b2-062f-41ca-89ab-f6987f2b7a25}\\NameResource",
          "content": "2003"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,365",
        "eid": 1785,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{4d4bac91-2b54-4f84-be36-cf74389f8f49}\\{e6e560b2-062f-41ca-89ab-f6987f2b7a25}\\ExplainResource",
          "content": "2001"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,365",
        "eid": 1786,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{4d4bac91-2b54-4f84-be36-cf74389f8f49}\\{e6e560b2-062f-41ca-89ab-f6987f2b7a25}\\First Counter",
          "content": "5772"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,365",
        "eid": 1787,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{4d4bac91-2b54-4f84-be36-cf74389f8f49}\\{e6e560b2-062f-41ca-89ab-f6987f2b7a25}\\Last Counter",
          "content": "5862"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,365",
        "eid": 1788,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{4d4bac91-2b54-4f84-be36-cf74389f8f49}\\{e6e560b2-062f-41ca-89ab-f6987f2b7a25}\\NeutralName",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,365",
        "eid": 1789,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{4d4bac91-2b54-4f84-be36-cf74389f8f49}\\{e6e560b2-062f-41ca-89ab-f6987f2b7a25}\\NeutralName",
          "content": "SMB Server Sessions"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,365",
        "eid": 1790,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{4d4bac91-2b54-4f84-be36-cf74389f8f49}\\{e6e560b2-062f-41ca-89ab-f6987f2b7a25}\\CounterBlock",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,365",
        "eid": 1791,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{4d4bac91-2b54-4f84-be36-cf74389f8f49}\\{e6e560b2-062f-41ca-89ab-f6987f2b7a25}\\CounterBlock",
          "content": "\\x02\\x00\\x00\\x00\\x00\\x05A\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00d\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xdb\\x07\\x00\\x00\\xd9\\x07\\x00\\x00\\x01\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x05A\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00d\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xe3\\x07\\x00\\x00\\xe1\\x07\\x00\\x00\\x01\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x00\\x05\\x00\\x00\\x00\\x00\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00d\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xe7\\x07\\x00\\x00\\xe5\\x07\\x00\\x00\\x01\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x00\\x06\\x00\\x00\\x00\\x00\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00d\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xeb\\x07\\x00\\x00\\xe9\\x07\\x00\\x00\\x01\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x05A\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00d\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xf3\\x07\\x00\\x00\\xf1\\x07\\x00\\x00\\x01\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x00\n\\x00\\x00\\x00\\x00\\x05A\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00d\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xfb\\x07\\x00\\x00\\xf9\\x07\\x00\\x00\\x01\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x00\\x0b\\x00\\x00\\x00\\x00\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00d\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xff\\x07\\x00\\x00\\xfd\\x07\\x00\\x00\\x01\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x00\\x0e\\x00\\x00\\x00\\x00\\x04\\x020\\x00\\x00\\x00\\x00\\x00\\x0
0\\x00\\x00d\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x07\\x08\\x00\\x00\\x05\\x08\\x00\\x00\\x01\\x00\\x00\\x00\\x0f\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x00\\x0f\\x00\\x00\\x00\\x02\\x04\\x03@\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00d\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x01\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x00\\x11\\x00\\x00\\x00\\x00\\x04A\\x10"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,365",
        "eid": 1792,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{4d4bac91-2b54-4f84-be36-cf74389f8f49}\\{e6e560b2-062f-41ca-89ab-f6987f2b7a25}\\CounterCount",
          "content": "45"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,365",
        "eid": 1793,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{4d4bac91-2b54-4f84-be36-cf74389f8f49}\\{f4681672-32dc-41db-8669-fdf490345ba5}\\InstanceType",
          "content": "6"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,365",
        "eid": 1794,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{4d4bac91-2b54-4f84-be36-cf74389f8f49}\\{f4681672-32dc-41db-8669-fdf490345ba5}\\NameResource",
          "content": "1"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,365",
        "eid": 1795,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{4d4bac91-2b54-4f84-be36-cf74389f8f49}\\{f4681672-32dc-41db-8669-fdf490345ba5}\\ExplainResource",
          "content": "3"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,365",
        "eid": 1796,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{4d4bac91-2b54-4f84-be36-cf74389f8f49}\\{f4681672-32dc-41db-8669-fdf490345ba5}\\First Counter",
          "content": "5656"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,365",
        "eid": 1797,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{4d4bac91-2b54-4f84-be36-cf74389f8f49}\\{f4681672-32dc-41db-8669-fdf490345ba5}\\Last Counter",
          "content": "5770"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,365",
        "eid": 1798,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{4d4bac91-2b54-4f84-be36-cf74389f8f49}\\{f4681672-32dc-41db-8669-fdf490345ba5}\\NeutralName",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,365",
        "eid": 1799,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{4d4bac91-2b54-4f84-be36-cf74389f8f49}\\{f4681672-32dc-41db-8669-fdf490345ba5}\\NeutralName",
          "content": "SMB Server Shares"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,365",
        "eid": 1800,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{4d4bac91-2b54-4f84-be36-cf74389f8f49}\\{f4681672-32dc-41db-8669-fdf490345ba5}\\CounterBlock",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,365",
        "eid": 1801,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{4d4bac91-2b54-4f84-be36-cf74389f8f49}\\{f4681672-32dc-41db-8669-fdf490345ba5}\\CounterBlock",
          "content": "\\x02\\x00\\x00\\x00\\x00\\x05A\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00d\\x00\\x00\\x00\\x00\\x00\\x00\\x00\t\\x00\\x00\\x00\\x0b\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x05A\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00d\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x11\\x00\\x00\\x00\\x13\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x00\\x05\\x00\\x00\\x00\\x00\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00d\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x15\\x00\\x00\\x00\\x17\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x00\\x06\\x00\\x00\\x00\\x00\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00d\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x19\\x00\\x00\\x00\\x1b\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x05A\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00d\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xef\\x03\\x00\\x00\\xed\\x03\\x00\\x00\\x01\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x00\n\\x00\\x00\\x00\\x00\\x05A\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00d\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xf7\\x03\\x00\\x00\\xf5\\x03\\x00\\x00\\x01\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x00\\x0b\\x00\\x00\\x00\\x00\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00d\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xfb\\x03\\x00\\x00\\xf9\\x03\\x00\\x00\\x01\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x00\\x0e\\x00\\x00\\x00\\x00\\x04\\x020\\x00\\x00\\x00\\x00\\x00\\x00\\
x00\\x00d\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x03\\x04\\x00\\x00\\x01\\x04\\x00\\x00\\x01\\x00\\x00\\x00\\x0f\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x00\\x0f\\x00\\x00\\x00\\x02\\x04\\x03@\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00d\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x01\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x00\\x11\\x00\\x00\\x00\\x00\\x04A\\x10"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,365",
        "eid": 1802,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{4d4bac91-2b54-4f84-be36-cf74389f8f49}\\{f4681672-32dc-41db-8669-fdf490345ba5}\\CounterCount",
          "content": "57"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,365",
        "eid": 1803,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{57683f06-a08b-4708-8825-5c26f410744b}\\ProviderType",
          "content": "0"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,365",
        "eid": 1804,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{57683f06-a08b-4708-8825-5c26f410744b}\\ProviderName",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,365",
        "eid": 1805,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{57683f06-a08b-4708-8825-5c26f410744b}\\ApplicationIdentity",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,365",
        "eid": 1806,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{57683f06-a08b-4708-8825-5c26f410744b}\\ApplicationIdentity",
          "content": "rdpcorets.dll"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,365",
        "eid": 1807,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\_V2Providers\\{57683f06-a08b-4708-8825-5c26f410744b}\\{d9ff82a4-a6a2-4fa5-899e-086ead3bab21}\\InstanceType",
          "content": "2"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,381",
        "eid": 1808,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,381",
        "eid": 1809,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,381",
        "eid": 1810,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,381",
        "eid": 1811,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,381",
        "eid": 1812,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,381",
        "eid": 1813,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,381",
        "eid": 1814,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,381",
        "eid": 1815,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,381",
        "eid": 1816,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,381",
        "eid": 1817,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,381",
        "eid": 1818,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,381",
        "eid": 1819,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,381",
        "eid": 1820,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,381",
        "eid": 1821,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,381",
        "eid": 1822,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,381",
        "eid": 1823,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,381",
        "eid": 1824,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,381",
        "eid": 1825,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,381",
        "eid": 1826,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,381",
        "eid": 1827,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,381",
        "eid": 1828,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,381",
        "eid": 1829,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,381",
        "eid": 1830,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,381",
        "eid": 1831,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,381",
        "eid": 1832,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,381",
        "eid": 1833,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,381",
        "eid": 1834,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,381",
        "eid": 1835,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,381",
        "eid": 1836,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,381",
        "eid": 1837,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,381",
        "eid": 1838,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,381",
        "eid": 1839,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,381",
        "eid": 1840,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,381",
        "eid": 1841,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,381",
        "eid": 1842,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,381",
        "eid": 1843,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,381",
        "eid": 1844,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,381",
        "eid": 1845,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,381",
        "eid": 1846,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,381",
        "eid": 1847,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,396",
        "eid": 1848,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,396",
        "eid": 1849,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,396",
        "eid": 1850,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,396",
        "eid": 1851,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,396",
        "eid": 1852,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,396",
        "eid": 1853,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,396",
        "eid": 1854,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,396",
        "eid": 1855,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,396",
        "eid": 1856,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,396",
        "eid": 1857,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,396",
        "eid": 1858,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,396",
        "eid": 1859,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,396",
        "eid": 1860,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,396",
        "eid": 1861,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,396",
        "eid": 1862,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,396",
        "eid": 1863,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,396",
        "eid": 1864,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,396",
        "eid": 1865,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,396",
        "eid": 1866,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,396",
        "eid": 1867,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,396",
        "eid": 1868,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,396",
        "eid": 1869,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,396",
        "eid": 1870,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,396",
        "eid": 1871,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,396",
        "eid": 1872,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,396",
        "eid": 1873,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,396",
        "eid": 1874,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,396",
        "eid": 1875,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,396",
        "eid": 1876,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,396",
        "eid": 1877,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,396",
        "eid": 1878,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,396",
        "eid": 1879,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,396",
        "eid": 1880,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,396",
        "eid": 1881,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,396",
        "eid": 1882,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,396",
        "eid": 1883,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,396",
        "eid": 1884,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,396",
        "eid": 1885,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,396",
        "eid": 1886,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,396",
        "eid": 1887,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,396",
        "eid": 1888,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,396",
        "eid": 1889,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,396",
        "eid": 1890,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,396",
        "eid": 1891,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,396",
        "eid": 1892,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,396",
        "eid": 1893,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,396",
        "eid": 1894,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,396",
        "eid": 1895,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,396",
        "eid": 1896,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,396",
        "eid": 1897,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,396",
        "eid": 1898,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,396",
        "eid": 1899,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,396",
        "eid": 1900,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,396",
        "eid": 1901,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,396",
        "eid": 1902,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,396",
        "eid": 1903,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,396",
        "eid": 1904,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,396",
        "eid": 1905,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,396",
        "eid": 1906,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,412",
        "eid": 1907,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,412",
        "eid": 1908,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,412",
        "eid": 1909,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,412",
        "eid": 1910,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,412",
        "eid": 1911,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,412",
        "eid": 1912,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,412",
        "eid": 1913,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,412",
        "eid": 1914,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,412",
        "eid": 1915,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,412",
        "eid": 1916,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,412",
        "eid": 1917,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,412",
        "eid": 1918,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,412",
        "eid": 1919,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,412",
        "eid": 1920,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,412",
        "eid": 1921,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,412",
        "eid": 1922,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,412",
        "eid": 1923,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,412",
        "eid": 1924,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,412",
        "eid": 1925,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,412",
        "eid": 1926,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,412",
        "eid": 1927,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,412",
        "eid": 1928,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,412",
        "eid": 1929,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,412",
        "eid": 1930,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,412",
        "eid": 1931,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,412",
        "eid": 1932,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,412",
        "eid": 1933,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,412",
        "eid": 1934,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,412",
        "eid": 1935,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,412",
        "eid": 1936,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,412",
        "eid": 1937,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,412",
        "eid": 1938,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,412",
        "eid": 1939,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,412",
        "eid": 1940,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,412",
        "eid": 1941,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,412",
        "eid": 1942,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,412",
        "eid": 1943,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,412",
        "eid": 1944,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,412",
        "eid": 1945,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,412",
        "eid": 1946,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,412",
        "eid": 1947,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,412",
        "eid": 1948,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,412",
        "eid": 1949,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,412",
        "eid": 1950,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,412",
        "eid": 1951,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,412",
        "eid": 1952,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,412",
        "eid": 1953,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,412",
        "eid": 1954,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,412",
        "eid": 1955,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,412",
        "eid": 1956,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,412",
        "eid": 1957,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,412",
        "eid": 1958,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,412",
        "eid": 1959,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,412",
        "eid": 1960,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,412",
        "eid": 1961,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,412",
        "eid": 1962,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,412",
        "eid": 1963,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,412",
        "eid": 1964,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,412",
        "eid": 1965,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,412",
        "eid": 1966,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,412",
        "eid": 1967,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,412",
        "eid": 1968,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,412",
        "eid": 1969,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,412",
        "eid": 1970,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,428",
        "eid": 1971,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,428",
        "eid": 1972,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,428",
        "eid": 1973,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,428",
        "eid": 1974,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,428",
        "eid": 1975,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,428",
        "eid": 1976,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,428",
        "eid": 1977,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,428",
        "eid": 1978,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,428",
        "eid": 1979,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,428",
        "eid": 1980,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,428",
        "eid": 1981,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,428",
        "eid": 1982,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,428",
        "eid": 1983,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,428",
        "eid": 1984,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,428",
        "eid": 1985,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,428",
        "eid": 1986,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,428",
        "eid": 1987,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,428",
        "eid": 1988,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,428",
        "eid": 1989,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,428",
        "eid": 1990,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,428",
        "eid": 1991,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,428",
        "eid": 1992,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,428",
        "eid": 1993,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,428",
        "eid": 1994,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,428",
        "eid": 1995,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,428",
        "eid": 1996,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,428",
        "eid": 1997,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,428",
        "eid": 1998,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,428",
        "eid": 1999,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,428",
        "eid": 2000,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,428",
        "eid": 2001,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,428",
        "eid": 2002,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,428",
        "eid": 2003,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,428",
        "eid": 2004,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,428",
        "eid": 2005,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,428",
        "eid": 2006,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,428",
        "eid": 2007,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,428",
        "eid": 2008,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,428",
        "eid": 2009,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,428",
        "eid": 2010,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,428",
        "eid": 2011,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,428",
        "eid": 2012,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,428",
        "eid": 2013,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,428",
        "eid": 2014,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,428",
        "eid": 2015,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,428",
        "eid": 2016,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,428",
        "eid": 2017,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,428",
        "eid": 2018,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,428",
        "eid": 2019,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,428",
        "eid": 2020,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,428",
        "eid": 2021,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,428",
        "eid": 2022,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,428",
        "eid": 2023,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,428",
        "eid": 2024,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,428",
        "eid": 2025,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,428",
        "eid": 2026,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,428",
        "eid": 2027,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,428",
        "eid": 2028,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,428",
        "eid": 2029,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,428",
        "eid": 2030,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,443",
        "eid": 2031,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,443",
        "eid": 2032,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,443",
        "eid": 2033,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,443",
        "eid": 2034,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,443",
        "eid": 2035,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,443",
        "eid": 2036,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,443",
        "eid": 2037,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,443",
        "eid": 2038,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,443",
        "eid": 2039,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,443",
        "eid": 2040,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,443",
        "eid": 2041,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\Last Help",
          "content": "9885"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,443",
        "eid": 2042,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\Last Counter",
          "content": "9884"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,443",
        "eid": 2043,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\Version",
          "content": "65537"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,490",
        "eid": 2044,
        "data": {
          "regkey": "HKEY_PERFORMANCE_DATA\\Counter 0409",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,490",
        "eid": 2045,
        "data": {
          "regkey": "HKEY_PERFORMANCE_DATA\\Counter 009",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,490",
        "eid": 2046,
        "data": {
          "regkey": "HKEY_PERFORMANCE_DATA\\Counter 0409",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,553",
        "eid": 2047,
        "data": {
          "regkey": "HKEY_PERFORMANCE_DATA\\Explain 0409",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,553",
        "eid": 2048,
        "data": {
          "regkey": "HKEY_PERFORMANCE_DATA\\Counter 0409",
          "content": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00/\\x6556\\x7372\\x6f69\\x5c6e\\x6550\\x6672\\x696c\\x5c62\\x565f\\x5032\\x6f72\\x6976\\x6564\\x7372\\x7b5c\\x3735\\x3836\\x6633\\x3630\\x612d\\x3830\\x2d62\\x3734\\x3830\\x382d\\x3238\\x2d35\\x6335\\x3632\\x3466\\x3031\\x3437\\x6234\\x5c7d\\x7250\\x766f\\x6469\\x7265\\x7954\\x6570"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,553",
        "eid": 2049,
        "data": {
          "regkey": "HKEY_PERFORMANCE_DATA\\Explain 0409",
          "content": "\\x00\\x00\\x00ux00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00/\\x6556\\x7372\\x6f69\\x5c6e\\x6550\\x6672\\x696c\\x5c62\\x565f\\x5032\\x6f72\\x6976\\x6564\\x7372\\x7b5c\\x3735\\x3836\\x6633\\x3630\\x612d\\x3830\\x2d62\\x3734\\x3830\\x382d\\x3238\\x2d35\\x6335\\x3632\\x3466\\x3031\\x3437\\x6234\\x5c7d\\x7250\\x766f\\x6469\\x7265\\x7954\\x6570"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,568",
        "eid": 2050,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,568",
        "eid": 2051,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,568",
        "eid": 2052,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,568",
        "eid": 2053,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,568",
        "eid": 2054,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,568",
        "eid": 2055,
        "data": {
          "file": "ntdll.dll",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,584",
        "eid": 2056,
        "data": {
          "file": "d3d9.dll",
          "pathtofile": null,
          "moduleaddress": "0x29255550000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,584",
        "eid": 2057,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,584",
        "eid": 2058,
        "data": {
          "file": "DXCaptureReplay.dll",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,600",
        "eid": 2059,
        "data": {
          "file": "gdi32.dll",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,600",
        "eid": 2060,
        "data": {
          "file": "ntdll.dll",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,600",
        "eid": 2061,
        "data": {
          "file": "csrsrv.dll",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,600",
        "eid": 2062,
        "data": {
          "file": "ext-ms-win-core-resourcepolicy-l1-1-0.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc731a0000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,600",
        "eid": 2063,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,600",
        "eid": 2064,
        "data": {
          "file": "gdi32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc77ed0000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,600",
        "eid": 2065,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,600",
        "eid": 2066,
        "data": {
          "file": "gdi32.dll",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,600",
        "eid": 2067,
        "data": {
          "file": "gdi32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc77ed0000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,600",
        "eid": 2068,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,600",
        "eid": 2069,
        "data": {
          "file": "DXCaptureReplay.dll",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,600",
        "eid": 2070,
        "data": {
          "file": "C:\\Windows\\System32\\D3D12Core.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc5eef0000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,600",
        "eid": 2071,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,600",
        "eid": 2072,
        "data": {
          "file": "DXCaptureReplay.dll",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,600",
        "eid": 2073,
        "data": {
          "file": "gdi32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc77ed0000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,600",
        "eid": 2074,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,600",
        "eid": 2075,
        "data": {
          "file": "gdi32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc77ed0000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,600",
        "eid": 2076,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,600",
        "eid": 2077,
        "data": {
          "file": "d3d10warp.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc6e3b0000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,600",
        "eid": 2078,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,600",
        "eid": 2079,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\MachineGuid",
          "content": "f236088c-d77a-4da3-9aa2-7c7045457595"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,600",
        "eid": 2080,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,615",
        "eid": 2081,
        "data": {
          "file": "dxilconv.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc5f430000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,615",
        "eid": 2082,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "create",
        "object": "dir",
        "timestamp": "2026-05-28 22:01:58,615",
        "eid": 2083,
        "data": {
          "file": "C:\\Users\\admin\\AppData\\Local\\D3DSCache"
        }
      },
      {
        "event": "create",
        "object": "dir",
        "timestamp": "2026-05-28 22:01:58,615",
        "eid": 2084,
        "data": {
          "file": "C:\\Users\\admin\\AppData\\Local\\D3DSCache\\e8010882af4f153f\\"
        }
      },
      {
        "event": "read",
        "object": "file",
        "timestamp": "2026-05-28 22:01:58,615",
        "eid": 2085,
        "data": {
          "file": "C:\\Users\\admin\\AppData\\Local\\D3DSCache\\e8010882af4f153f\\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.lock"
        }
      },
      {
        "event": "read",
        "object": "file",
        "timestamp": "2026-05-28 22:01:58,615",
        "eid": 2086,
        "data": {
          "file": "C:\\Users\\admin\\AppData\\Local\\D3DSCache\\e8010882af4f153f\\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.idx"
        }
      },
      {
        "event": "read",
        "object": "file",
        "timestamp": "2026-05-28 22:01:58,615",
        "eid": 2087,
        "data": {
          "file": "C:\\Users\\admin\\AppData\\Local\\D3DSCache\\e8010882af4f153f\\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.idx"
        }
      },
      {
        "event": "read",
        "object": "file",
        "timestamp": "2026-05-28 22:01:58,615",
        "eid": 2088,
        "data": {
          "file": "C:\\Users\\admin\\AppData\\Local\\D3DSCache\\e8010882af4f153f\\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.val"
        }
      },
      {
        "event": "write",
        "object": "file",
        "timestamp": "2026-05-28 22:01:58,631",
        "eid": 2089,
        "data": {
          "file": "C:\\Users\\admin\\AppData\\Local\\D3DSCache\\e8010882af4f153f\\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.lock"
        }
      },
      {
        "event": "write",
        "object": "file",
        "timestamp": "2026-05-28 22:01:58,631",
        "eid": 2090,
        "data": {
          "file": "C:\\Users\\admin\\AppData\\Local\\D3DSCache\\e8010882af4f153f\\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.lock"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,631",
        "eid": 2091,
        "data": {
          "file": "DXCaptureReplay.dll",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,631",
        "eid": 2092,
        "data": {
          "file": "DXCaptureReplay.dll",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,631",
        "eid": 2093,
        "data": {
          "file": "ntdll.dll",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,631",
        "eid": 2094,
        "data": {
          "file": "DXGI",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,631",
        "eid": 2095,
        "data": {
          "file": "gdi32.dll",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,631",
        "eid": 2096,
        "data": {
          "file": "d3d10warp.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc6e3b0000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,631",
        "eid": 2097,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,631",
        "eid": 2098,
        "data": {
          "file": "gdi32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc77ed0000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,631",
        "eid": 2099,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,646",
        "eid": 2100,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,646",
        "eid": 2101,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "create",
        "object": "dir",
        "timestamp": "2026-05-28 22:01:58,646",
        "eid": 2102,
        "data": {
          "file": "C:\\Users\\admin"
        }
      },
      {
        "event": "create",
        "object": "dir",
        "timestamp": "2026-05-28 22:01:58,646",
        "eid": 2103,
        "data": {
          "file": "C:\\Users\\admin\\AppData\\Local"
        }
      },
      {
        "event": "create",
        "object": "dir",
        "timestamp": "2026-05-28 22:01:58,646",
        "eid": 2104,
        "data": {
          "file": "C:\\Users\\admin\\AppData\\Local\\Microsoft\\Windows\\Explorer"
        }
      },
      {
        "event": "write",
        "object": "file",
        "timestamp": "2026-05-28 22:01:58,646",
        "eid": 2105,
        "data": {
          "file": "\\Device\\NamedPipe\\wkssvc"
        }
      },
      {
        "event": "read",
        "object": "file",
        "timestamp": "2026-05-28 22:01:58,646",
        "eid": 2106,
        "data": {
          "file": "\\Device\\NamedPipe\\wkssvc"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,662",
        "eid": 2107,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,662",
        "eid": 2108,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,662",
        "eid": 2109,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,662",
        "eid": 2110,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,662",
        "eid": 2111,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,662",
        "eid": 2112,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,662",
        "eid": 2113,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,662",
        "eid": 2114,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,662",
        "eid": 2115,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,662",
        "eid": 2116,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,678",
        "eid": 2117,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,678",
        "eid": 2118,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,678",
        "eid": 2119,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,678",
        "eid": 2120,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,678",
        "eid": 2121,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,678",
        "eid": 2122,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,678",
        "eid": 2123,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,678",
        "eid": 2124,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,678",
        "eid": 2125,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,678",
        "eid": 2126,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,678",
        "eid": 2127,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,678",
        "eid": 2128,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,678",
        "eid": 2129,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,678",
        "eid": 2130,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,693",
        "eid": 2131,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,693",
        "eid": 2132,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,693",
        "eid": 2133,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,693",
        "eid": 2134,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,693",
        "eid": 2135,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,693",
        "eid": 2136,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,693",
        "eid": 2137,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,693",
        "eid": 2138,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,693",
        "eid": 2139,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,693",
        "eid": 2140,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,693",
        "eid": 2141,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,709",
        "eid": 2142,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,709",
        "eid": 2143,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,709",
        "eid": 2144,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,709",
        "eid": 2145,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,709",
        "eid": 2146,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,709",
        "eid": 2147,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,709",
        "eid": 2148,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,709",
        "eid": 2149,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,709",
        "eid": 2150,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,709",
        "eid": 2151,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,709",
        "eid": 2152,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,709",
        "eid": 2153,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,709",
        "eid": 2154,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,725",
        "eid": 2155,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,725",
        "eid": 2156,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,725",
        "eid": 2157,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,725",
        "eid": 2158,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,725",
        "eid": 2159,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,725",
        "eid": 2160,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,725",
        "eid": 2161,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,725",
        "eid": 2162,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,725",
        "eid": 2163,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,725",
        "eid": 2164,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,725",
        "eid": 2165,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,740",
        "eid": 2166,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,740",
        "eid": 2167,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,740",
        "eid": 2168,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,740",
        "eid": 2169,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,740",
        "eid": 2170,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,740",
        "eid": 2171,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,740",
        "eid": 2172,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,740",
        "eid": 2173,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,740",
        "eid": 2174,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,740",
        "eid": 2175,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,740",
        "eid": 2176,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,756",
        "eid": 2177,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,756",
        "eid": 2178,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,756",
        "eid": 2179,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,756",
        "eid": 2180,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,756",
        "eid": 2181,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,756",
        "eid": 2182,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,756",
        "eid": 2183,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,756",
        "eid": 2184,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,756",
        "eid": 2185,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,756",
        "eid": 2186,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,771",
        "eid": 2187,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,771",
        "eid": 2188,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,771",
        "eid": 2189,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,771",
        "eid": 2190,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,771",
        "eid": 2191,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,771",
        "eid": 2192,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,771",
        "eid": 2193,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,771",
        "eid": 2194,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,771",
        "eid": 2195,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,771",
        "eid": 2196,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,787",
        "eid": 2197,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,787",
        "eid": 2198,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,787",
        "eid": 2199,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,787",
        "eid": 2200,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,787",
        "eid": 2201,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,787",
        "eid": 2202,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,787",
        "eid": 2203,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,787",
        "eid": 2204,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,803",
        "eid": 2205,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,803",
        "eid": 2206,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,803",
        "eid": 2207,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,803",
        "eid": 2208,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,803",
        "eid": 2209,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,803",
        "eid": 2210,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,803",
        "eid": 2211,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,803",
        "eid": 2212,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,803",
        "eid": 2213,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,803",
        "eid": 2214,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,803",
        "eid": 2215,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,803",
        "eid": 2216,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,818",
        "eid": 2217,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,818",
        "eid": 2218,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,818",
        "eid": 2219,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,818",
        "eid": 2220,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,818",
        "eid": 2221,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,818",
        "eid": 2222,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,818",
        "eid": 2223,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,818",
        "eid": 2224,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,818",
        "eid": 2225,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,818",
        "eid": 2226,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,818",
        "eid": 2227,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,818",
        "eid": 2228,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,818",
        "eid": 2229,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,818",
        "eid": 2230,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,818",
        "eid": 2231,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,818",
        "eid": 2232,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,834",
        "eid": 2233,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,834",
        "eid": 2234,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,834",
        "eid": 2235,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,834",
        "eid": 2236,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,834",
        "eid": 2237,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\Package\\Data\\90\\InstalledLocation",
          "content": "C:\\Program Files\\WindowsApps\\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,834",
        "eid": 2238,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\Package\\Data\\90\\MutableLink",
          "content": ""
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,834",
        "eid": 2239,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\Package\\Data\\90\\InstalledLocation",
          "content": "C:\\Program Files\\WindowsApps\\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,834",
        "eid": 2240,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\Package\\Data\\90\\MutableLink",
          "content": ""
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,834",
        "eid": 2241,
        "data": {
          "regkey": "HKEY_CURRENT_USER\\Software\\Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\Repository\\Packages\\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\\PackageStatus",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,834",
        "eid": 2242,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\Package\\Data\\90\\PackageOrigin",
          "content": "3"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,834",
        "eid": 2243,
        "data": {
          "regkey": "HKEY_CURRENT_USER\\Software\\Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\Repository\\Packages\\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\\PackageStatus",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,834",
        "eid": 2244,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\Package\\Data\\90\\PackageFullName",
          "content": "Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,834",
        "eid": 2245,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\Package\\Data\\90\\PackageFamily",
          "content": "78"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,834",
        "eid": 2246,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\Package\\Data\\90\\PackageType",
          "content": "1"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,834",
        "eid": 2247,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\Package\\Data\\90\\Flags",
          "content": "16777224"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,834",
        "eid": 2248,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\Package\\Data\\90\\Flags2",
          "content": "0"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,834",
        "eid": 2249,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\Package\\Data\\90\\PackageOrigin",
          "content": "3"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,834",
        "eid": 2250,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\Package\\Data\\90\\Volume",
          "content": "1"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,834",
        "eid": 2251,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\Package\\Data\\90\\OSMaxVersionTested",
          "content": "\\x00\\x00UE\\x00\\x00\n\\x00"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,834",
        "eid": 2252,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\Package\\Data\\90\\InstalledLocation",
          "content": "C:\\Program Files\\WindowsApps\\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,834",
        "eid": 2253,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\Package\\Data\\90\\MutableLink",
          "content": ""
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,834",
        "eid": 2254,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\Package\\Data\\90\\MutableLocation",
          "content": ""
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,834",
        "eid": 2255,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\Package\\Data\\90\\TargetDeviceFamilyName",
          "content": "0"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,834",
        "eid": 2256,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\Package\\Data\\90\\InstalledLocation",
          "content": "C:\\Program Files\\WindowsApps\\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,834",
        "eid": 2257,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\Package\\Data\\90\\MutableLink",
          "content": ""
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,834",
        "eid": 2258,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\Package\\Data\\90\\InstalledLocation",
          "content": "C:\\Program Files\\WindowsApps\\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,834",
        "eid": 2259,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\Package\\Data\\90\\MutableLink",
          "content": ""
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,834",
        "eid": 2260,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\Package\\Data\\90\\Flags",
          "content": "16777224"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,834",
        "eid": 2261,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\Package\\Data\\90\\InstalledLocation",
          "content": "C:\\Program Files\\WindowsApps\\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,834",
        "eid": 2262,
        "data": {
          "regkey": "HKEY_CURRENT_USER\\Software\\Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppContainer\\Storage\\microsoft.windowsstore_8wekyb3d8bbwe\\ResourcesConfig\\CachedMergedResourcesPriFileName",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,834",
        "eid": 2263,
        "data": {
          "regkey": "HKEY_CURRENT_USER\\Software\\Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppContainer\\Storage\\microsoft.windowsstore_8wekyb3d8bbwe\\ResourcesConfig\\CachedMergedResourcesPriFileName",
          "content": "S-1-5-21-3968686040-3210279463-847977608-1001-MergedResources-0.pri"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,834",
        "eid": 2264,
        "data": {
          "file": "api-ms-win-crt-private-l1-1-0.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc75d00000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,834",
        "eid": 2265,
        "data": {
          "file": "AppxDeploymentClient.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc6e250000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,834",
        "eid": 2266,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,834",
        "eid": 2267,
        "data": {
          "file": "ext-ms-onecore-appmodel-staterepository-cache-l1-1-0.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc6a6a0000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,834",
        "eid": 2268,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,850",
        "eid": 2269,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\Package\\Data\\90\\Flags",
          "content": "16777224"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,850",
        "eid": 2270,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\Package\\Data\\90\\Flags",
          "content": "16777224"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,850",
        "eid": 2271,
        "data": {
          "file": "ntdll.dll",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,850",
        "eid": 2272,
        "data": {
          "regkey": "HKEY_CURRENT_USER\\Software\\Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppContainer\\Storage\\microsoft.windowsstore_8wekyb3d8bbwe\\ResourcesConfig\\Language",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,850",
        "eid": 2273,
        "data": {
          "regkey": "HKEY_CURRENT_USER\\Software\\Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\Repository\\Families\\Microsoft.WindowsStore_8wekyb3d8bbwe\\Microsoft.WindowsStore_11910.1002.5.0_neutral_split.scale-100_8wekyb3d8bbwe\\Flags",
          "content": "4"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,850",
        "eid": 2274,
        "data": {
          "regkey": "HKEY_CURRENT_USER\\Software\\Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\Repository\\Families\\Microsoft.WindowsStore_8wekyb3d8bbwe\\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\\Flags",
          "content": "1"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,850",
        "eid": 2275,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\Package\\Data\\90\\InstalledLocation",
          "content": "C:\\Program Files\\WindowsApps\\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,850",
        "eid": 2276,
        "data": {
          "regkey": "HKEY_CURRENT_USER\\Control Panel\\International\\User Profile\\Languages",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,850",
        "eid": 2277,
        "data": {
          "regkey": "HKEY_CURRENT_USER\\Control Panel\\International\\User Profile\\Languages",
          "content": "\\x00\\x00"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,850",
        "eid": 2278,
        "data": {
          "regkey": "HKEY_CURRENT_USER\\Software\\Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppContainer\\Storage\\microsoft.windowsstore_8wekyb3d8bbwe\\ResourcesConfig\\ManifestLanguagesList",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,850",
        "eid": 2279,
        "data": {
          "regkey": "HKEY_CURRENT_USER\\Software\\Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppContainer\\Storage\\microsoft.windowsstore_8wekyb3d8bbwe\\ResourcesConfig\\ManifestLanguagesList",
          "content": "\\x00\\x00"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,850",
        "eid": 2280,
        "data": {
          "regkey": "HKEY_CURRENT_USER\\Software\\Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppContainer\\Storage\\microsoft.windowsstore_8wekyb3d8bbwe\\ResourcesConfig\\OverrideLanguagesList",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,850",
        "eid": 2281,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\Package\\Data\\90\\PackageOrigin",
          "content": "3"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,850",
        "eid": 2282,
        "data": {
          "regkey": "HKEY_CURRENT_USER\\Software\\Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\Repository\\Packages\\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\\PackageStatus",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,850",
        "eid": 2283,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\Package\\Data\\90\\PackageFullName",
          "content": "Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,850",
        "eid": 2284,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\Package\\Data\\90\\PackageFamily",
          "content": "78"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,850",
        "eid": 2285,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\Package\\Data\\90\\PackageType",
          "content": "1"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,850",
        "eid": 2286,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\Package\\Data\\90\\Flags",
          "content": "16777224"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,850",
        "eid": 2287,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\Package\\Data\\90\\Flags2",
          "content": "0"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,850",
        "eid": 2288,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\Package\\Data\\90\\PackageOrigin",
          "content": "3"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,850",
        "eid": 2289,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\Package\\Data\\90\\Volume",
          "content": "1"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,850",
        "eid": 2290,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\Package\\Data\\90\\OSMaxVersionTested",
          "content": "\\x00\\x00UE\\x00\\x00\n\\x00"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,850",
        "eid": 2291,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\Package\\Data\\90\\InstalledLocation",
          "content": "C:\\Program Files\\WindowsApps\\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,850",
        "eid": 2292,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\Package\\Data\\90\\MutableLink",
          "content": ""
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,850",
        "eid": 2293,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\Package\\Data\\90\\MutableLocation",
          "content": ""
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,850",
        "eid": 2294,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\Package\\Data\\90\\InstalledLocation",
          "content": "C:\\Program Files\\WindowsApps\\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,850",
        "eid": 2295,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\Package\\Data\\90\\MutableLink",
          "content": ""
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,850",
        "eid": 2296,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\Package\\Data\\90\\InstalledLocation",
          "content": "C:\\Program Files\\WindowsApps\\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,850",
        "eid": 2297,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\Package\\Data\\90\\MutableLink",
          "content": ""
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,850",
        "eid": 2298,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\Package\\Data\\90\\Flags",
          "content": "16777224"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,850",
        "eid": 2299,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\Package\\Data\\90\\InstalledLocation",
          "content": "C:\\Program Files\\WindowsApps\\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,850",
        "eid": 2300,
        "data": {
          "regkey": "HKEY_CURRENT_USER\\Software\\Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppContainer\\Storage\\microsoft.windowsstore_8wekyb3d8bbwe\\ResourcesConfig\\CachedMergedResourcesPriFileName",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,850",
        "eid": 2301,
        "data": {
          "regkey": "HKEY_CURRENT_USER\\Software\\Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppContainer\\Storage\\microsoft.windowsstore_8wekyb3d8bbwe\\ResourcesConfig\\CachedMergedResourcesPriFileName",
          "content": "S-1-5-21-3968686040-3210279463-847977608-1001-MergedResources-0.pri"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,850",
        "eid": 2302,
        "data": {
          "file": "api-ms-win-crt-private-l1-1-0.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc75d00000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,850",
        "eid": 2303,
        "data": {
          "file": "AppxDeploymentClient.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc6e250000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,850",
        "eid": 2304,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,850",
        "eid": 2305,
        "data": {
          "file": "ext-ms-onecore-appmodel-staterepository-cache-l1-1-0.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc6a6a0000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,850",
        "eid": 2306,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,850",
        "eid": 2307,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\Package\\Data\\90\\Flags",
          "content": "16777224"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:58,850",
        "eid": 2308,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\Package\\Data\\90\\Flags",
          "content": "16777224"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,850",
        "eid": 2309,
        "data": {
          "file": "ntdll.dll",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "read",
        "object": "file",
        "timestamp": "2026-05-28 22:01:58,865",
        "eid": 2310,
        "data": {
          "file": "C:\\Program Files\\WindowsApps\\Microsoft.WindowsStore_11910.1002.5.0_neutral_split.scale-100_8wekyb3d8bbwe\\Assets\\AppTiles\\StoreAppList.scale-100.png"
        }
      },
      {
        "event": "read",
        "object": "file",
        "timestamp": "2026-05-28 22:01:58,865",
        "eid": 2311,
        "data": {
          "file": "C:\\Program Files\\WindowsApps\\Microsoft.WindowsStore_11910.1002.5.0_neutral_split.scale-100_8wekyb3d8bbwe\\Assets\\AppTiles\\StoreAppList.scale-100.png"
        }
      },
      {
        "event": "read",
        "object": "file",
        "timestamp": "2026-05-28 22:01:58,865",
        "eid": 2312,
        "data": {
          "file": "C:\\Program Files\\WindowsApps\\Microsoft.WindowsStore_11910.1002.5.0_neutral_split.scale-100_8wekyb3d8bbwe\\Assets\\AppTiles\\StoreAppList.scale-100.png"
        }
      },
      {
        "event": "read",
        "object": "file",
        "timestamp": "2026-05-28 22:01:58,865",
        "eid": 2313,
        "data": {
          "file": "C:\\Program Files\\WindowsApps\\Microsoft.WindowsStore_11910.1002.5.0_neutral_split.scale-100_8wekyb3d8bbwe\\Assets\\AppTiles\\StoreAppList.scale-100.png"
        }
      },
      {
        "event": "read",
        "object": "file",
        "timestamp": "2026-05-28 22:01:58,865",
        "eid": 2314,
        "data": {
          "file": "C:\\Program Files\\WindowsApps\\Microsoft.WindowsStore_11910.1002.5.0_neutral_split.scale-100_8wekyb3d8bbwe\\Assets\\AppTiles\\StoreAppList.scale-100.png"
        }
      },
      {
        "event": "read",
        "object": "file",
        "timestamp": "2026-05-28 22:01:58,865",
        "eid": 2315,
        "data": {
          "file": "C:\\Program Files\\WindowsApps\\Microsoft.WindowsStore_11910.1002.5.0_neutral_split.scale-100_8wekyb3d8bbwe\\Assets\\AppTiles\\StoreAppList.scale-100.png"
        }
      },
      {
        "event": "read",
        "object": "file",
        "timestamp": "2026-05-28 22:01:58,865",
        "eid": 2316,
        "data": {
          "file": "C:\\Program Files\\WindowsApps\\Microsoft.WindowsStore_11910.1002.5.0_neutral_split.scale-100_8wekyb3d8bbwe\\Assets\\AppTiles\\StoreAppList.scale-100.png"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,865",
        "eid": 2317,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,865",
        "eid": 2318,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,881",
        "eid": 2319,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,881",
        "eid": 2320,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,881",
        "eid": 2321,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,881",
        "eid": 2322,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,881",
        "eid": 2323,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,881",
        "eid": 2324,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,881",
        "eid": 2325,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,881",
        "eid": 2326,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,881",
        "eid": 2327,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,881",
        "eid": 2328,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,881",
        "eid": 2329,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,881",
        "eid": 2330,
        "data": {
          "file": "shell32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc76730000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,881",
        "eid": 2331,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,881",
        "eid": 2332,
        "data": {
          "file": "shell32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc76730000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,881",
        "eid": 2333,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,881",
        "eid": 2334,
        "data": {
          "file": "shell32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc76730000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,881",
        "eid": 2335,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,881",
        "eid": 2336,
        "data": {
          "file": "shell32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc76730000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,881",
        "eid": 2337,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,881",
        "eid": 2338,
        "data": {
          "file": "oleaut32.dll",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,881",
        "eid": 2339,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,881",
        "eid": 2340,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,881",
        "eid": 2341,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:58,881",
        "eid": 2342,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "findwindow",
        "object": "windowname",
        "timestamp": "2026-05-28 22:01:58,896",
        "eid": 2343,
        "data": {
          "classname": "Shell_TrayWnd",
          "windowname": ""
        }
      },
      {
        "event": "write",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:59,256",
        "eid": 2344,
        "data": {
          "regkey": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\TaskManager"
        }
      },
      {
        "event": "write",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:59,256",
        "eid": 2345,
        "data": {
          "regkey": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\TaskManager\\Preferences",
          "content": "\r\\x00\\x00\\x00`\\x00\\x00\\x00`\\x00\\x00\\x00\\x82\\x00\\x00\\x00\\x82\\x00\\x00\\x00\\xfd\\x01\\x00\\x00\\xf6\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x80\\x00\\x00\\x00\\x80\\xd8\\x01\\x00\\x80\\xdf\\x01\\x00\\x80\\x00\\x01\\x00\\x01\\xc1\\x01\\x00\\x00,\\x01\\x00\\x00i\\x04\\x00\\x00\\x84\\x03\\x00\\x00\\xe8\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x0f\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00X\\xaa\\x98\\xc2\\xf6\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xea\\x00\\x00\\x00\\x1e\\x00\\x00\\x00\\x89\\x90\\x00\\x00\\x00\\x00\\x00\\x00\\xff\\x00\\x00\\x00\\x01\\x01P\\x02\\x00\\x00\\x00\\x00\r\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x98\\xaa\\x98\\xc2\\xf6\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\x96\\x00\\x00\\x00\\x1e\\x00\\x00\\x00\\x8b\\x90\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x10\\x01\\x00\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb0\\xaa\\x98\\xc2\\xf6\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xffx\\x00\\x00\\x00\\x1e\\x00\\x00\\x00\\x8c\\x90\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x02\\x12\\x00\\x00\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xc8\\xaa\\x98\\xc2\\xf6\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\x96\\x00\\x00\\x00\\x1e\\x00\\x00\\x00\\x8d\\x90\\x00\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x10\\x01\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xe8\\xaa\\x98\\xc2\\xf6\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff2\\x00\\x00\\x00\\x1e\\x00\\x00\\x00\\x8a\\x90\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x08 
\\x01\\x00\\x00\\x00\\x00\\x05\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xab\\x98\\xc2\\xf6\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xc8\\x00\\x00\\x00\\x1e\\x00\\x00\\x00\\x8e\\x90\\x00\\x00\\x05\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x10\\x01\\x00\\x00\\x00\\x00\\x06\\x00\\x00\\x00\\x00\\x00\\x00\\x00(\\xab\\x98\\xc2\\xf6\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\x04\\x01\\x00\\x00\\x1e\\x00\\x00\\x00\\x8f\\x90\\x00\\x00\\x06\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x10\\x01\\x00\\x00\\x00\\x00\\x07\\x00\\x00\\x00\\x00\\x00\\x00\\x00P\\xab\\x98\\xc2\\xf6\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xffI\\x00\\x00\\x00"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:59,334",
        "eid": 2346,
        "data": {
          "file": "shell32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc76730000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:59,334",
        "eid": 2347,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:59,334",
        "eid": 2348,
        "data": {
          "file": "shell32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc76730000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:59,334",
        "eid": 2349,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:59,334",
        "eid": 2350,
        "data": {
          "file": "shell32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc76730000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:59,334",
        "eid": 2351,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:59,334",
        "eid": 2352,
        "data": {
          "file": "shell32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc76730000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:59,334",
        "eid": 2353,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:59,334",
        "eid": 2354,
        "data": {
          "file": "oleaut32.dll",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "findwindow",
        "object": "windowname",
        "timestamp": "2026-05-28 22:01:59,334",
        "eid": 2355,
        "data": {
          "classname": "Shell_TrayWnd",
          "windowname": ""
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:59,834",
        "eid": 2356,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes\\Segoe UI",
          "content": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:59,850",
        "eid": 2357,
        "data": {
          "file": "user32.dll",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:59,850",
        "eid": 2358,
        "data": {
          "file": "gdi32.dll",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:59,850",
        "eid": 2359,
        "data": {
          "file": "C:\\Windows\\WinSxS\\amd64_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.19041.3636_none_91a19322cc8a92a3\\GdiPlus.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc50d30000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:01:59,850",
        "eid": 2360,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:59,865",
        "eid": 2361,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Session Manager\\Memory Management\\ExistingPageFiles",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:59,865",
        "eid": 2362,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Session Manager\\Memory Management\\ExistingPageFiles",
          "content": "\\x00"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:59,865",
        "eid": 2363,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Session Manager\\Memory Management\\PagingFiles",
          "content": "\\x00"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:01:59,865",
        "eid": 2364,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\HARDWARE\\DESCRIPTION\\System\\CentralProcessor\\0\\ProcessorNameString",
          "content": "Intel Core Processor (Skylake, IBRS)"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:00,350",
        "eid": 2365,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:00,365",
        "eid": 2366,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:00,365",
        "eid": 2367,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:00,365",
        "eid": 2368,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:00,365",
        "eid": 2369,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:00,365",
        "eid": 2370,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:00,365",
        "eid": 2371,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:00,365",
        "eid": 2372,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:00,365",
        "eid": 2373,
        "data": {
          "file": "shell32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc76730000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:00,365",
        "eid": 2374,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:00,365",
        "eid": 2375,
        "data": {
          "file": "shell32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc76730000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:00,365",
        "eid": 2376,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:00,365",
        "eid": 2377,
        "data": {
          "file": "shell32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc76730000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:00,365",
        "eid": 2378,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:00,365",
        "eid": 2379,
        "data": {
          "file": "shell32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc76730000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:00,365",
        "eid": 2380,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:00,365",
        "eid": 2381,
        "data": {
          "file": "oleaut32.dll",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "findwindow",
        "object": "windowname",
        "timestamp": "2026-05-28 22:02:00,365",
        "eid": 2382,
        "data": {
          "classname": "Shell_TrayWnd",
          "windowname": ""
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:01,365",
        "eid": 2383,
        "data": {
          "file": "shell32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc76730000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:01,365",
        "eid": 2384,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:01,365",
        "eid": 2385,
        "data": {
          "file": "shell32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc76730000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:01,365",
        "eid": 2386,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:01,365",
        "eid": 2387,
        "data": {
          "file": "shell32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc76730000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:01,365",
        "eid": 2388,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:01,365",
        "eid": 2389,
        "data": {
          "file": "shell32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc76730000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:01,365",
        "eid": 2390,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:01,365",
        "eid": 2391,
        "data": {
          "file": "oleaut32.dll",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "findwindow",
        "object": "windowname",
        "timestamp": "2026-05-28 22:02:01,365",
        "eid": 2392,
        "data": {
          "classname": "Shell_TrayWnd",
          "windowname": ""
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:02,428",
        "eid": 2393,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:02,428",
        "eid": 2394,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:02,475",
        "eid": 2395,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:02,475",
        "eid": 2396,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:02,490",
        "eid": 2397,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:02,490",
        "eid": 2398,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MyComputer\\NameSpace\\ValidateRegItems",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:02,490",
        "eid": 2399,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MyComputer\\NameSpace\\MonitorRegistry",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:02,490",
        "eid": 2400,
        "data": {
          "regkey": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{528c102f-0000-0000-0000-300300000000}\\Generation",
          "content": "1"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:02,615",
        "eid": 2401,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:02,615",
        "eid": 2402,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:02,631",
        "eid": 2403,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:02,631",
        "eid": 2404,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:02,631",
        "eid": 2405,
        "data": {
          "file": "shell32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc76730000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:02,631",
        "eid": 2406,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:02,631",
        "eid": 2407,
        "data": {
          "file": "shell32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc76730000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:02,631",
        "eid": 2408,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:02,631",
        "eid": 2409,
        "data": {
          "file": "shell32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc76730000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:02,631",
        "eid": 2410,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:02,631",
        "eid": 2411,
        "data": {
          "file": "shell32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc76730000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:02,631",
        "eid": 2412,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:02,631",
        "eid": 2413,
        "data": {
          "file": "shell32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc76730000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:02,631",
        "eid": 2414,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:02,631",
        "eid": 2415,
        "data": {
          "file": "oleaut32.dll",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "findwindow",
        "object": "windowname",
        "timestamp": "2026-05-28 22:02:02,631",
        "eid": 2416,
        "data": {
          "classname": "Shell_TrayWnd",
          "windowname": ""
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:03,381",
        "eid": 2417,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:03,381",
        "eid": 2418,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:03,381",
        "eid": 2419,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:03,381",
        "eid": 2420,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:03,381",
        "eid": 2421,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:03,381",
        "eid": 2422,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:03,396",
        "eid": 2423,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:03,396",
        "eid": 2424,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:03,396",
        "eid": 2425,
        "data": {
          "file": "shell32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc76730000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:03,396",
        "eid": 2426,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:03,396",
        "eid": 2427,
        "data": {
          "file": "shell32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc76730000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:03,396",
        "eid": 2428,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:03,396",
        "eid": 2429,
        "data": {
          "file": "shell32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc76730000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:03,396",
        "eid": 2430,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:03,396",
        "eid": 2431,
        "data": {
          "file": "shell32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc76730000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:03,396",
        "eid": 2432,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:03,396",
        "eid": 2433,
        "data": {
          "file": "shell32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc76730000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:03,396",
        "eid": 2434,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:03,396",
        "eid": 2435,
        "data": {
          "file": "shell32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc76730000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:03,396",
        "eid": 2436,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:03,396",
        "eid": 2437,
        "data": {
          "file": "oleaut32.dll",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "findwindow",
        "object": "windowname",
        "timestamp": "2026-05-28 22:02:03,396",
        "eid": 2438,
        "data": {
          "classname": "Shell_TrayWnd",
          "windowname": ""
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:04,381",
        "eid": 2439,
        "data": {
          "file": "shell32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc76730000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:04,381",
        "eid": 2440,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:04,381",
        "eid": 2441,
        "data": {
          "file": "shell32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc76730000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:04,381",
        "eid": 2442,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:04,381",
        "eid": 2443,
        "data": {
          "file": "shell32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc76730000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:04,381",
        "eid": 2444,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:04,381",
        "eid": 2445,
        "data": {
          "file": "shell32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc76730000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:04,381",
        "eid": 2446,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:04,381",
        "eid": 2447,
        "data": {
          "file": "shell32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc76730000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:04,381",
        "eid": 2448,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:04,381",
        "eid": 2449,
        "data": {
          "file": "shell32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc76730000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:04,381",
        "eid": 2450,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:04,381",
        "eid": 2451,
        "data": {
          "file": "oleaut32.dll",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "findwindow",
        "object": "windowname",
        "timestamp": "2026-05-28 22:02:04,381",
        "eid": 2452,
        "data": {
          "classname": "Shell_TrayWnd",
          "windowname": ""
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:05,365",
        "eid": 2453,
        "data": {
          "file": "shell32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc76730000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:05,365",
        "eid": 2454,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:05,365",
        "eid": 2455,
        "data": {
          "file": "shell32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc76730000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:05,365",
        "eid": 2456,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:05,365",
        "eid": 2457,
        "data": {
          "file": "shell32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc76730000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:05,365",
        "eid": 2458,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:05,365",
        "eid": 2459,
        "data": {
          "file": "shell32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc76730000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:05,365",
        "eid": 2460,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:05,365",
        "eid": 2461,
        "data": {
          "file": "shell32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc76730000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:05,365",
        "eid": 2462,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:05,365",
        "eid": 2463,
        "data": {
          "file": "shell32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc76730000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:05,365",
        "eid": 2464,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:05,365",
        "eid": 2465,
        "data": {
          "file": "oleaut32.dll",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "findwindow",
        "object": "windowname",
        "timestamp": "2026-05-28 22:02:05,365",
        "eid": 2466,
        "data": {
          "classname": "Shell_TrayWnd",
          "windowname": ""
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:06,365",
        "eid": 2467,
        "data": {
          "file": "shell32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc76730000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:06,365",
        "eid": 2468,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:06,365",
        "eid": 2469,
        "data": {
          "file": "shell32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc76730000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:06,365",
        "eid": 2470,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:06,365",
        "eid": 2471,
        "data": {
          "file": "shell32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc76730000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:06,365",
        "eid": 2472,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:06,365",
        "eid": 2473,
        "data": {
          "file": "shell32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc76730000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:06,365",
        "eid": 2474,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:06,365",
        "eid": 2475,
        "data": {
          "file": "shell32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc76730000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:06,365",
        "eid": 2476,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:06,365",
        "eid": 2477,
        "data": {
          "file": "shell32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc76730000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:06,365",
        "eid": 2478,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:06,381",
        "eid": 2479,
        "data": {
          "file": "oleaut32.dll",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "findwindow",
        "object": "windowname",
        "timestamp": "2026-05-28 22:02:06,381",
        "eid": 2480,
        "data": {
          "classname": "Shell_TrayWnd",
          "windowname": ""
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:07,365",
        "eid": 2481,
        "data": {
          "file": "shell32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc76730000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:07,365",
        "eid": 2482,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:07,365",
        "eid": 2483,
        "data": {
          "file": "shell32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc76730000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:07,365",
        "eid": 2484,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:07,365",
        "eid": 2485,
        "data": {
          "file": "shell32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc76730000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:07,365",
        "eid": 2486,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:07,365",
        "eid": 2487,
        "data": {
          "file": "shell32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc76730000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:07,365",
        "eid": 2488,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:07,365",
        "eid": 2489,
        "data": {
          "file": "shell32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc76730000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:07,365",
        "eid": 2490,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:07,365",
        "eid": 2491,
        "data": {
          "file": "shell32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc76730000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:07,365",
        "eid": 2492,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:07,365",
        "eid": 2493,
        "data": {
          "file": "oleaut32.dll",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "findwindow",
        "object": "windowname",
        "timestamp": "2026-05-28 22:02:07,365",
        "eid": 2494,
        "data": {
          "classname": "Shell_TrayWnd",
          "windowname": ""
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:07,584",
        "eid": 2495,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\NoRun",
          "content": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:08,365",
        "eid": 2496,
        "data": {
          "file": "shell32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc76730000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:08,365",
        "eid": 2497,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:08,365",
        "eid": 2498,
        "data": {
          "file": "shell32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc76730000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:08,365",
        "eid": 2499,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:08,365",
        "eid": 2500,
        "data": {
          "file": "shell32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc76730000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:08,365",
        "eid": 2501,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:08,365",
        "eid": 2502,
        "data": {
          "file": "shell32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc76730000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:08,365",
        "eid": 2503,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:08,365",
        "eid": 2504,
        "data": {
          "file": "shell32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc76730000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:08,365",
        "eid": 2505,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:08,365",
        "eid": 2506,
        "data": {
          "file": "shell32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc76730000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:08,365",
        "eid": 2507,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:08,365",
        "eid": 2508,
        "data": {
          "file": "oleaut32.dll",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "findwindow",
        "object": "windowname",
        "timestamp": "2026-05-28 22:02:08,365",
        "eid": 2509,
        "data": {
          "classname": "Shell_TrayWnd",
          "windowname": ""
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:09,396",
        "eid": 2510,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:09,396",
        "eid": 2511,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:09,396",
        "eid": 2512,
        "data": {
          "file": "shell32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc76730000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:09,396",
        "eid": 2513,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:09,396",
        "eid": 2514,
        "data": {
          "file": "shell32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc76730000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:09,396",
        "eid": 2515,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:09,396",
        "eid": 2516,
        "data": {
          "file": "shell32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc76730000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:09,396",
        "eid": 2517,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:09,396",
        "eid": 2518,
        "data": {
          "file": "shell32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc76730000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:09,396",
        "eid": 2519,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:09,396",
        "eid": 2520,
        "data": {
          "file": "shell32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc76730000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:09,396",
        "eid": 2521,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:09,396",
        "eid": 2522,
        "data": {
          "file": "shell32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc76730000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:09,396",
        "eid": 2523,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:09,412",
        "eid": 2524,
        "data": {
          "file": "oleaut32.dll",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "findwindow",
        "object": "windowname",
        "timestamp": "2026-05-28 22:02:09,412",
        "eid": 2525,
        "data": {
          "classname": "Shell_TrayWnd",
          "windowname": ""
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:10,381",
        "eid": 2526,
        "data": {
          "file": "shell32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc76730000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:10,381",
        "eid": 2527,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:10,381",
        "eid": 2528,
        "data": {
          "file": "shell32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc76730000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:10,381",
        "eid": 2529,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:10,381",
        "eid": 2530,
        "data": {
          "file": "shell32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc76730000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:10,381",
        "eid": 2531,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:10,412",
        "eid": 2532,
        "data": {
          "file": "shell32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc76730000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:10,412",
        "eid": 2533,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:10,412",
        "eid": 2534,
        "data": {
          "file": "shell32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc76730000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:10,412",
        "eid": 2535,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:10,412",
        "eid": 2536,
        "data": {
          "file": "shell32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc76730000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:10,412",
        "eid": 2537,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:10,412",
        "eid": 2538,
        "data": {
          "file": "oleaut32.dll",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "findwindow",
        "object": "windowname",
        "timestamp": "2026-05-28 22:02:10,412",
        "eid": 2539,
        "data": {
          "classname": "Shell_TrayWnd",
          "windowname": ""
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:10,787",
        "eid": 2540,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\SecurityHealth",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:10,787",
        "eid": 2541,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\SecurityHealth",
          "content": "%windir%\\system32\\SecurityHealthSystray.exe"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:10,787",
        "eid": 2542,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\StartupApproved\\Run\\SecurityHealth",
          "content": "\\x06\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:10,787",
        "eid": 2543,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:10,787",
        "eid": 2544,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:10,787",
        "eid": 2545,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:10,787",
        "eid": 2546,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:10,787",
        "eid": 2547,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\CAPEAgent",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:10,787",
        "eid": 2548,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\CAPEAgent",
          "content": "\"C:\\Users\\admin\\AppData\\Local\\Microsoft\\WindowsApps\\python.exe\" \"C:\\agent.py\""
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:10,787",
        "eid": 2549,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\StartupApproved\\Run\\CAPEAgent",
          "content": "\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:10,787",
        "eid": 2550,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:10,787",
        "eid": 2551,
        "data": {
          "regkey": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{528c102f-0000-0000-0000-300300000000}\\Generation",
          "content": "1"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:10,787",
        "eid": 2552,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:10,803",
        "eid": 2553,
        "data": {
          "regkey": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{528c102f-0000-0000-0000-300300000000}\\Generation",
          "content": "1"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:10,803",
        "eid": 2554,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:10,803",
        "eid": 2555,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:10,803",
        "eid": 2556,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "read",
        "object": "file",
        "timestamp": "2026-05-28 22:02:10,803",
        "eid": 2557,
        "data": {
          "file": "C:\\Windows\\System32\\conhost.exe"
        }
      },
      {
        "event": "read",
        "object": "file",
        "timestamp": "2026-05-28 22:02:10,803",
        "eid": 2558,
        "data": {
          "file": "C:\\Windows\\System32\\conhost.exe"
        }
      },
      {
        "event": "read",
        "object": "file",
        "timestamp": "2026-05-28 22:02:10,803",
        "eid": 2559,
        "data": {
          "file": "C:\\Windows\\System32\\conhost.exe"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:10,803",
        "eid": 2560,
        "data": {
          "regkey": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\OneDrive",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:10,803",
        "eid": 2561,
        "data": {
          "regkey": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\OneDrive",
          "content": "\"C:\\Users\\admin\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:10,803",
        "eid": 2562,
        "data": {
          "regkey": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\StartupApproved\\Run\\OneDrive",
          "content": "\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:10,803",
        "eid": 2563,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:10,803",
        "eid": 2564,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:10,803",
        "eid": 2565,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:10,803",
        "eid": 2566,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:10,803",
        "eid": 2567,
        "data": {
          "regkey": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\Discord",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:10,803",
        "eid": 2568,
        "data": {
          "regkey": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\Discord",
          "content": "\"C:\\Users\\admin\\AppData\\Local\\Discord\\Update.exe\" --processStart Discord.exe"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:10,803",
        "eid": 2569,
        "data": {
          "regkey": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\StartupApproved\\Run\\Discord",
          "content": "\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:10,803",
        "eid": 2570,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:10,803",
        "eid": 2571,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:10,803",
        "eid": 2572,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:10,803",
        "eid": 2573,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:10,803",
        "eid": 2574,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:10,803",
        "eid": 2575,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:10,803",
        "eid": 2576,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:10,803",
        "eid": 2577,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:10,818",
        "eid": 2578,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "read",
        "object": "file",
        "timestamp": "2026-05-28 22:02:10,818",
        "eid": 2579,
        "data": {
          "file": "C:\\Windows\\System32\\conhost.exe"
        }
      },
      {
        "event": "read",
        "object": "file",
        "timestamp": "2026-05-28 22:02:10,818",
        "eid": 2580,
        "data": {
          "file": "C:\\Windows\\System32\\conhost.exe"
        }
      },
      {
        "event": "read",
        "object": "file",
        "timestamp": "2026-05-28 22:02:10,818",
        "eid": 2581,
        "data": {
          "file": "C:\\Windows\\System32\\conhost.exe"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:10,818",
        "eid": 2582,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:10,818",
        "eid": 2583,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:10,818",
        "eid": 2584,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:10,818",
        "eid": 2585,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:10,818",
        "eid": 2586,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "read",
        "object": "file",
        "timestamp": "2026-05-28 22:02:10,818",
        "eid": 2587,
        "data": {
          "file": "C:\\Windows\\System32\\conhost.exe"
        }
      },
      {
        "event": "read",
        "object": "file",
        "timestamp": "2026-05-28 22:02:10,818",
        "eid": 2588,
        "data": {
          "file": "C:\\Windows\\System32\\conhost.exe"
        }
      },
      {
        "event": "read",
        "object": "file",
        "timestamp": "2026-05-28 22:02:10,818",
        "eid": 2589,
        "data": {
          "file": "C:\\Windows\\System32\\conhost.exe"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:10,818",
        "eid": 2590,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:10,818",
        "eid": 2591,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:10,818",
        "eid": 2592,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:10,818",
        "eid": 2593,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:10,818",
        "eid": 2594,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:10,818",
        "eid": 2595,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:10,818",
        "eid": 2596,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:10,818",
        "eid": 2597,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:10,818",
        "eid": 2598,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:10,818",
        "eid": 2599,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:10,818",
        "eid": 2600,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:10,818",
        "eid": 2601,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:10,818",
        "eid": 2602,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:10,818",
        "eid": 2603,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:10,818",
        "eid": 2604,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:10,818",
        "eid": 2605,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:10,834",
        "eid": 2606,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:10,834",
        "eid": 2607,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "read",
        "object": "file",
        "timestamp": "2026-05-28 22:02:10,834",
        "eid": 2608,
        "data": {
          "file": "C:\\Windows\\System32\\conhost.exe"
        }
      },
      {
        "event": "read",
        "object": "file",
        "timestamp": "2026-05-28 22:02:10,834",
        "eid": 2609,
        "data": {
          "file": "C:\\Windows\\System32\\conhost.exe"
        }
      },
      {
        "event": "read",
        "object": "file",
        "timestamp": "2026-05-28 22:02:10,834",
        "eid": 2610,
        "data": {
          "file": "C:\\Windows\\System32\\conhost.exe"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:10,834",
        "eid": 2611,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:10,834",
        "eid": 2612,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "read",
        "object": "file",
        "timestamp": "2026-05-28 22:02:10,834",
        "eid": 2613,
        "data": {
          "file": "C:\\Windows\\System32\\conhost.exe"
        }
      },
      {
        "event": "read",
        "object": "file",
        "timestamp": "2026-05-28 22:02:10,834",
        "eid": 2614,
        "data": {
          "file": "C:\\Windows\\System32\\conhost.exe"
        }
      },
      {
        "event": "read",
        "object": "file",
        "timestamp": "2026-05-28 22:02:10,834",
        "eid": 2615,
        "data": {
          "file": "C:\\Windows\\System32\\conhost.exe"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:10,834",
        "eid": 2616,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:10,834",
        "eid": 2617,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "read",
        "object": "file",
        "timestamp": "2026-05-28 22:02:10,834",
        "eid": 2618,
        "data": {
          "file": "C:\\Windows\\System32\\conhost.exe"
        }
      },
      {
        "event": "read",
        "object": "file",
        "timestamp": "2026-05-28 22:02:10,834",
        "eid": 2619,
        "data": {
          "file": "C:\\Windows\\System32\\conhost.exe"
        }
      },
      {
        "event": "read",
        "object": "file",
        "timestamp": "2026-05-28 22:02:10,834",
        "eid": 2620,
        "data": {
          "file": "C:\\Windows\\System32\\conhost.exe"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:10,834",
        "eid": 2621,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:10,834",
        "eid": 2622,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "read",
        "object": "file",
        "timestamp": "2026-05-28 22:02:10,834",
        "eid": 2623,
        "data": {
          "file": "C:\\Windows\\System32\\conhost.exe"
        }
      },
      {
        "event": "read",
        "object": "file",
        "timestamp": "2026-05-28 22:02:10,834",
        "eid": 2624,
        "data": {
          "file": "C:\\Windows\\System32\\conhost.exe"
        }
      },
      {
        "event": "read",
        "object": "file",
        "timestamp": "2026-05-28 22:02:10,834",
        "eid": 2625,
        "data": {
          "file": "C:\\Windows\\System32\\conhost.exe"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:10,834",
        "eid": 2626,
        "data": {
          "regkey": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\Steam",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:10,834",
        "eid": 2627,
        "data": {
          "regkey": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\Steam",
          "content": "\"C:\\Program Files (x86)\\Steam\\steam.exe\" -silent"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:10,834",
        "eid": 2628,
        "data": {
          "regkey": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\StartupApproved\\Run\\Steam",
          "content": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:10,834",
        "eid": 2629,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:10,834",
        "eid": 2630,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:10,834",
        "eid": 2631,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:10,834",
        "eid": 2632,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:10,834",
        "eid": 2633,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:10,834",
        "eid": 2634,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "read",
        "object": "file",
        "timestamp": "2026-05-28 22:02:10,834",
        "eid": 2635,
        "data": {
          "file": "C:\\Windows\\System32\\conhost.exe"
        }
      },
      {
        "event": "read",
        "object": "file",
        "timestamp": "2026-05-28 22:02:10,834",
        "eid": 2636,
        "data": {
          "file": "C:\\Windows\\System32\\conhost.exe"
        }
      },
      {
        "event": "read",
        "object": "file",
        "timestamp": "2026-05-28 22:02:10,834",
        "eid": 2637,
        "data": {
          "file": "C:\\Windows\\System32\\conhost.exe"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:10,834",
        "eid": 2638,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:10,834",
        "eid": 2639,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:10,834",
        "eid": 2640,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:10,834",
        "eid": 2641,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:10,834",
        "eid": 2642,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:10,834",
        "eid": 2643,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:10,850",
        "eid": 2644,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:10,850",
        "eid": 2645,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:10,850",
        "eid": 2646,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:10,850",
        "eid": 2647,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:10,850",
        "eid": 2648,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:10,850",
        "eid": 2649,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:10,850",
        "eid": 2650,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:10,850",
        "eid": 2651,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:10,850",
        "eid": 2652,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:10,850",
        "eid": 2653,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:10,850",
        "eid": 2654,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:10,850",
        "eid": 2655,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:10,850",
        "eid": 2656,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:10,850",
        "eid": 2657,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "read",
        "object": "file",
        "timestamp": "2026-05-28 22:02:10,850",
        "eid": 2658,
        "data": {
          "file": "C:\\Windows\\System32\\conhost.exe"
        }
      },
      {
        "event": "read",
        "object": "file",
        "timestamp": "2026-05-28 22:02:10,850",
        "eid": 2659,
        "data": {
          "file": "C:\\Windows\\System32\\conhost.exe"
        }
      },
      {
        "event": "read",
        "object": "file",
        "timestamp": "2026-05-28 22:02:10,850",
        "eid": 2660,
        "data": {
          "file": "C:\\Windows\\System32\\conhost.exe"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:10,850",
        "eid": 2661,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:10,850",
        "eid": 2662,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:10,850",
        "eid": 2663,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:10,850",
        "eid": 2664,
        "data": {
          "regkey": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{528c102f-0000-0000-0000-300300000000}\\Generation",
          "content": "1"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:10,850",
        "eid": 2665,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "read",
        "object": "file",
        "timestamp": "2026-05-28 22:02:10,850",
        "eid": 2666,
        "data": {
          "file": "C:\\Windows\\System32\\conhost.exe"
        }
      },
      {
        "event": "read",
        "object": "file",
        "timestamp": "2026-05-28 22:02:10,850",
        "eid": 2667,
        "data": {
          "file": "C:\\Windows\\System32\\conhost.exe"
        }
      },
      {
        "event": "read",
        "object": "file",
        "timestamp": "2026-05-28 22:02:10,850",
        "eid": 2668,
        "data": {
          "file": "C:\\Windows\\System32\\conhost.exe"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:10,850",
        "eid": 2669,
        "data": {
          "regkey": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\MicrosoftEdgeAutoLaunch_29EBC4579851B72EE312C449CF839B1A",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:10,850",
        "eid": 2670,
        "data": {
          "regkey": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\MicrosoftEdgeAutoLaunch_29EBC4579851B72EE312C449CF839B1A",
          "content": "\"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe\" --no-startup-window --win-session-start"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:10,850",
        "eid": 2671,
        "data": {
          "regkey": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\StartupApproved\\Run\\MicrosoftEdgeAutoLaunch_29EBC4579851B72EE312C449CF839B1A",
          "content": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:10,850",
        "eid": 2672,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:10,850",
        "eid": 2673,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:11,521",
        "eid": 2674,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:11,521",
        "eid": 2675,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:11,537",
        "eid": 2676,
        "data": {
          "file": "shell32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc76730000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:11,537",
        "eid": 2677,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:11,537",
        "eid": 2678,
        "data": {
          "file": "shell32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc76730000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:11,537",
        "eid": 2679,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:11,537",
        "eid": 2680,
        "data": {
          "file": "shell32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc76730000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:11,537",
        "eid": 2681,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:11,537",
        "eid": 2682,
        "data": {
          "file": "shell32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc76730000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:11,537",
        "eid": 2683,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:11,537",
        "eid": 2684,
        "data": {
          "file": "shell32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc76730000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:11,537",
        "eid": 2685,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:11,537",
        "eid": 2686,
        "data": {
          "file": "shell32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc76730000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:11,537",
        "eid": 2687,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:11,537",
        "eid": 2688,
        "data": {
          "file": "oleaut32.dll",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "findwindow",
        "object": "windowname",
        "timestamp": "2026-05-28 22:02:11,537",
        "eid": 2689,
        "data": {
          "classname": "Shell_TrayWnd",
          "windowname": ""
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:12,428",
        "eid": 2690,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:12,428",
        "eid": 2691,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:12,428",
        "eid": 2692,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:12,428",
        "eid": 2693,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:12,521",
        "eid": 2694,
        "data": {
          "file": "shell32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc76730000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:12,521",
        "eid": 2695,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:12,521",
        "eid": 2696,
        "data": {
          "file": "shell32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc76730000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:12,521",
        "eid": 2697,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:12,521",
        "eid": 2698,
        "data": {
          "file": "shell32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc76730000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:12,521",
        "eid": 2699,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:12,521",
        "eid": 2700,
        "data": {
          "file": "shell32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc76730000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:12,521",
        "eid": 2701,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:12,521",
        "eid": 2702,
        "data": {
          "file": "shell32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc76730000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:12,521",
        "eid": 2703,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:12,521",
        "eid": 2704,
        "data": {
          "file": "shell32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc76730000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:12,521",
        "eid": 2705,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:12,521",
        "eid": 2706,
        "data": {
          "file": "oleaut32.dll",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:12,568",
        "eid": 2707,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\PackageExternalLocation\\Data\\2\\Path",
          "content": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:12,568",
        "eid": 2708,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\PackageExternalLocation\\Data\\2\\Path",
          "content": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:12,568",
        "eid": 2709,
        "data": {
          "regkey": "HKEY_CURRENT_USER\\Software\\Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\Repository\\Packages\\Microsoft.MicrosoftEdge.Stable_148.0.3967.83_neutral__8wekyb3d8bbwe\\PackageStatus",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:12,584",
        "eid": 2710,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\Package\\Data\\b1\\PackageOrigin",
          "content": "5"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:12,584",
        "eid": 2711,
        "data": {
          "regkey": "HKEY_CURRENT_USER\\Software\\Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\Repository\\Packages\\Microsoft.MicrosoftEdge.Stable_148.0.3967.83_neutral__8wekyb3d8bbwe\\PackageStatus",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:12,584",
        "eid": 2712,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\Package\\Data\\b1\\PackageFullName",
          "content": "Microsoft.MicrosoftEdge.Stable_148.0.3967.83_neutral__8wekyb3d8bbwe"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:12,584",
        "eid": 2713,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\Package\\Data\\b1\\PackageFamily",
          "content": "30"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:12,584",
        "eid": 2714,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\Package\\Data\\b1\\PackageType",
          "content": "1"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:12,584",
        "eid": 2715,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\Package\\Data\\b1\\Flags",
          "content": "45089868"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:12,584",
        "eid": 2716,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\Package\\Data\\b1\\Flags2",
          "content": "0"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:12,584",
        "eid": 2717,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\Package\\Data\\b1\\PackageOrigin",
          "content": "5"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:12,584",
        "eid": 2718,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\Package\\Data\\b1\\Volume",
          "content": "1"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:12,584",
        "eid": 2719,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\Package\\Data\\b1\\OSMaxVersionTested",
          "content": "\\x00\\x00aJ\\x00\\x00\n\\x00"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:12,584",
        "eid": 2720,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\Package\\Data\\b1\\InstalledLocation",
          "content": "C:\\Program Files\\WindowsApps\\Microsoft.MicrosoftEdge.Stable_148.0.3967.83_neutral__8wekyb3d8bbwe"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:12,584",
        "eid": 2721,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\Package\\Data\\b1\\MutableLink",
          "content": ""
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:12,584",
        "eid": 2722,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\Package\\Data\\b1\\MutableLocation",
          "content": ""
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:12,584",
        "eid": 2723,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\Package\\Data\\b1\\TargetDeviceFamilyName",
          "content": "3"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:12,584",
        "eid": 2724,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\PackageExternalLocation\\Data\\2\\Path",
          "content": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:12,584",
        "eid": 2725,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\PackageExternalLocation\\Data\\2\\Path",
          "content": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:12,584",
        "eid": 2726,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\Package\\Data\\b1\\Flags",
          "content": "45089868"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:12,584",
        "eid": 2727,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateRepository\\Cache\\Package\\Data\\b1\\InstalledLocation",
          "content": "C:\\Program Files\\WindowsApps\\Microsoft.MicrosoftEdge.Stable_148.0.3967.83_neutral__8wekyb3d8bbwe"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:12,584",
        "eid": 2728,
        "data": {
          "regkey": "HKEY_CURRENT_USER\\Software\\Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppContainer\\Storage\\microsoft.microsoftedge.stable_8wekyb3d8bbwe\\ResourcesConfig\\CachedMergedResourcesPriFileName",
          "content": null
        }
      },
      {
        "event": "findwindow",
        "object": "windowname",
        "timestamp": "2026-05-28 22:02:12,584",
        "eid": 2729,
        "data": {
          "classname": "Shell_TrayWnd",
          "windowname": ""
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:13,381",
        "eid": 2730,
        "data": {
          "file": "shell32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc76730000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:13,381",
        "eid": 2731,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:13,381",
        "eid": 2732,
        "data": {
          "file": "shell32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc76730000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:13,381",
        "eid": 2733,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:13,381",
        "eid": 2734,
        "data": {
          "file": "shell32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc76730000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:13,381",
        "eid": 2735,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:13,381",
        "eid": 2736,
        "data": {
          "file": "shell32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc76730000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:13,381",
        "eid": 2737,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:13,381",
        "eid": 2738,
        "data": {
          "file": "shell32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc76730000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:13,381",
        "eid": 2739,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:13,381",
        "eid": 2740,
        "data": {
          "file": "shell32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc76730000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:13,381",
        "eid": 2741,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:13,381",
        "eid": 2742,
        "data": {
          "file": "oleaut32.dll",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "findwindow",
        "object": "windowname",
        "timestamp": "2026-05-28 22:02:13,381",
        "eid": 2743,
        "data": {
          "classname": "Shell_TrayWnd",
          "windowname": ""
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:14,396",
        "eid": 2744,
        "data": {
          "file": "shell32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc76730000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:14,396",
        "eid": 2745,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:14,396",
        "eid": 2746,
        "data": {
          "file": "shell32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc76730000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:14,396",
        "eid": 2747,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:14,396",
        "eid": 2748,
        "data": {
          "file": "shell32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc76730000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:14,396",
        "eid": 2749,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:14,396",
        "eid": 2750,
        "data": {
          "file": "shell32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc76730000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:14,396",
        "eid": 2751,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:14,396",
        "eid": 2752,
        "data": {
          "file": "shell32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc76730000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:14,396",
        "eid": 2753,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:14,396",
        "eid": 2754,
        "data": {
          "file": "shell32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc76730000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:14,396",
        "eid": 2755,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:14,396",
        "eid": 2756,
        "data": {
          "file": "oleaut32.dll",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "findwindow",
        "object": "windowname",
        "timestamp": "2026-05-28 22:02:14,396",
        "eid": 2757,
        "data": {
          "classname": "Shell_TrayWnd",
          "windowname": ""
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:15,396",
        "eid": 2758,
        "data": {
          "file": "shell32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc76730000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:15,396",
        "eid": 2759,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:15,396",
        "eid": 2760,
        "data": {
          "file": "shell32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc76730000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:15,396",
        "eid": 2761,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:15,396",
        "eid": 2762,
        "data": {
          "file": "shell32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc76730000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:15,396",
        "eid": 2763,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:15,396",
        "eid": 2764,
        "data": {
          "file": "shell32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc76730000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:15,396",
        "eid": 2765,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:15,396",
        "eid": 2766,
        "data": {
          "file": "shell32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc76730000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:15,396",
        "eid": 2767,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:15,396",
        "eid": 2768,
        "data": {
          "file": "shell32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc76730000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:15,396",
        "eid": 2769,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:15,396",
        "eid": 2770,
        "data": {
          "file": "oleaut32.dll",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "findwindow",
        "object": "windowname",
        "timestamp": "2026-05-28 22:02:15,396",
        "eid": 2771,
        "data": {
          "classname": "Shell_TrayWnd",
          "windowname": ""
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:16,396",
        "eid": 2772,
        "data": {
          "file": "shell32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc76730000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:16,396",
        "eid": 2773,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:16,396",
        "eid": 2774,
        "data": {
          "file": "shell32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc76730000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:16,396",
        "eid": 2775,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:16,396",
        "eid": 2776,
        "data": {
          "file": "shell32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc76730000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:16,396",
        "eid": 2777,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:16,396",
        "eid": 2778,
        "data": {
          "file": "shell32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc76730000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:16,396",
        "eid": 2779,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:16,396",
        "eid": 2780,
        "data": {
          "file": "shell32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc76730000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:16,396",
        "eid": 2781,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:16,396",
        "eid": 2782,
        "data": {
          "file": "shell32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc76730000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:16,396",
        "eid": 2783,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:16,396",
        "eid": 2784,
        "data": {
          "file": "oleaut32.dll",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "findwindow",
        "object": "windowname",
        "timestamp": "2026-05-28 22:02:16,396",
        "eid": 2785,
        "data": {
          "classname": "Shell_TrayWnd",
          "windowname": ""
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:17,412",
        "eid": 2786,
        "data": {
          "file": "shell32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc76730000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:17,412",
        "eid": 2787,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:17,412",
        "eid": 2788,
        "data": {
          "file": "shell32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc76730000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:17,412",
        "eid": 2789,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:17,412",
        "eid": 2790,
        "data": {
          "file": "shell32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc76730000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:17,412",
        "eid": 2791,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:17,412",
        "eid": 2792,
        "data": {
          "file": "shell32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc76730000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:17,412",
        "eid": 2793,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:17,412",
        "eid": 2794,
        "data": {
          "file": "shell32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc76730000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:17,412",
        "eid": 2795,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:17,412",
        "eid": 2796,
        "data": {
          "file": "shell32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc76730000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:17,412",
        "eid": 2797,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:17,412",
        "eid": 2798,
        "data": {
          "file": "oleaut32.dll",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "findwindow",
        "object": "windowname",
        "timestamp": "2026-05-28 22:02:17,412",
        "eid": 2799,
        "data": {
          "classname": "Shell_TrayWnd",
          "windowname": ""
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:18,381",
        "eid": 2800,
        "data": {
          "file": "shell32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc76730000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:18,381",
        "eid": 2801,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:18,381",
        "eid": 2802,
        "data": {
          "file": "shell32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc76730000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:18,381",
        "eid": 2803,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:18,381",
        "eid": 2804,
        "data": {
          "file": "shell32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc76730000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:18,381",
        "eid": 2805,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:18,381",
        "eid": 2806,
        "data": {
          "file": "shell32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc76730000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:18,381",
        "eid": 2807,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:18,381",
        "eid": 2808,
        "data": {
          "file": "shell32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc76730000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:18,381",
        "eid": 2809,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:18,381",
        "eid": 2810,
        "data": {
          "file": "shell32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc76730000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:18,381",
        "eid": 2811,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:18,381",
        "eid": 2812,
        "data": {
          "file": "oleaut32.dll",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "findwindow",
        "object": "windowname",
        "timestamp": "2026-05-28 22:02:18,381",
        "eid": 2813,
        "data": {
          "classname": "Shell_TrayWnd",
          "windowname": ""
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:19,396",
        "eid": 2814,
        "data": {
          "file": "shell32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc76730000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:19,396",
        "eid": 2815,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:19,396",
        "eid": 2816,
        "data": {
          "file": "shell32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc76730000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:19,396",
        "eid": 2817,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:19,396",
        "eid": 2818,
        "data": {
          "file": "shell32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc76730000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:19,396",
        "eid": 2819,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:19,396",
        "eid": 2820,
        "data": {
          "file": "shell32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc76730000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:19,396",
        "eid": 2821,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:19,396",
        "eid": 2822,
        "data": {
          "file": "shell32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc76730000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:19,396",
        "eid": 2823,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:19,396",
        "eid": 2824,
        "data": {
          "file": "shell32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc76730000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:19,396",
        "eid": 2825,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:19,396",
        "eid": 2826,
        "data": {
          "file": "oleaut32.dll",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "findwindow",
        "object": "windowname",
        "timestamp": "2026-05-28 22:02:19,396",
        "eid": 2827,
        "data": {
          "classname": "Shell_TrayWnd",
          "windowname": ""
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:20,412",
        "eid": 2828,
        "data": {
          "file": "shell32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc76730000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:20,412",
        "eid": 2829,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:20,412",
        "eid": 2830,
        "data": {
          "file": "shell32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc76730000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:20,412",
        "eid": 2831,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:20,412",
        "eid": 2832,
        "data": {
          "file": "shell32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc76730000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:20,412",
        "eid": 2833,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:20,412",
        "eid": 2834,
        "data": {
          "file": "shell32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc76730000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:20,412",
        "eid": 2835,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:20,412",
        "eid": 2836,
        "data": {
          "file": "shell32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc76730000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:20,412",
        "eid": 2837,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:20,412",
        "eid": 2838,
        "data": {
          "file": "shell32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc76730000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:20,412",
        "eid": 2839,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:20,412",
        "eid": 2840,
        "data": {
          "file": "oleaut32.dll",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "findwindow",
        "object": "windowname",
        "timestamp": "2026-05-28 22:02:20,412",
        "eid": 2841,
        "data": {
          "classname": "Shell_TrayWnd",
          "windowname": ""
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:21,428",
        "eid": 2842,
        "data": {
          "file": "shell32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc76730000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:21,428",
        "eid": 2843,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:21,428",
        "eid": 2844,
        "data": {
          "file": "shell32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc76730000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:21,428",
        "eid": 2845,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:21,428",
        "eid": 2846,
        "data": {
          "file": "shell32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc76730000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:21,428",
        "eid": 2847,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:21,428",
        "eid": 2848,
        "data": {
          "file": "shell32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc76730000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:21,428",
        "eid": 2849,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:21,428",
        "eid": 2850,
        "data": {
          "file": "shell32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc76730000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:21,428",
        "eid": 2851,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:21,428",
        "eid": 2852,
        "data": {
          "file": "shell32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc76730000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:21,428",
        "eid": 2853,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:21,428",
        "eid": 2854,
        "data": {
          "file": "oleaut32.dll",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "findwindow",
        "object": "windowname",
        "timestamp": "2026-05-28 22:02:21,428",
        "eid": 2855,
        "data": {
          "classname": "Shell_TrayWnd",
          "windowname": ""
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:22,412",
        "eid": 2856,
        "data": {
          "file": "shell32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc76730000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:22,412",
        "eid": 2857,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:22,412",
        "eid": 2858,
        "data": {
          "file": "shell32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc76730000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:22,412",
        "eid": 2859,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:22,428",
        "eid": 2860,
        "data": {
          "file": "shell32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc76730000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:22,428",
        "eid": 2861,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:22,428",
        "eid": 2862,
        "data": {
          "file": "shell32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc76730000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:22,428",
        "eid": 2863,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:22,428",
        "eid": 2864,
        "data": {
          "file": "shell32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc76730000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:22,428",
        "eid": 2865,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:22,428",
        "eid": 2866,
        "data": {
          "file": "shell32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc76730000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:22,428",
        "eid": 2867,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:22,428",
        "eid": 2868,
        "data": {
          "file": "oleaut32.dll",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "findwindow",
        "object": "windowname",
        "timestamp": "2026-05-28 22:02:22,428",
        "eid": 2869,
        "data": {
          "classname": "Shell_TrayWnd",
          "windowname": ""
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:23,428",
        "eid": 2870,
        "data": {
          "file": "shell32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc76730000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:23,428",
        "eid": 2871,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:23,428",
        "eid": 2872,
        "data": {
          "file": "shell32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc76730000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:23,428",
        "eid": 2873,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:23,428",
        "eid": 2874,
        "data": {
          "file": "shell32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc76730000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:23,428",
        "eid": 2875,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:23,428",
        "eid": 2876,
        "data": {
          "file": "shell32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc76730000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:23,428",
        "eid": 2877,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:23,428",
        "eid": 2878,
        "data": {
          "file": "shell32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc76730000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:23,428",
        "eid": 2879,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:23,428",
        "eid": 2880,
        "data": {
          "file": "shell32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc76730000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:23,428",
        "eid": 2881,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:23,428",
        "eid": 2882,
        "data": {
          "file": "oleaut32.dll",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "findwindow",
        "object": "windowname",
        "timestamp": "2026-05-28 22:02:23,428",
        "eid": 2883,
        "data": {
          "classname": "Shell_TrayWnd",
          "windowname": ""
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:24,428",
        "eid": 2884,
        "data": {
          "file": "shell32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc76730000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:24,428",
        "eid": 2885,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:24,428",
        "eid": 2886,
        "data": {
          "file": "shell32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc76730000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:24,428",
        "eid": 2887,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:24,428",
        "eid": 2888,
        "data": {
          "file": "shell32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc76730000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:24,428",
        "eid": 2889,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:24,428",
        "eid": 2890,
        "data": {
          "file": "shell32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc76730000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:24,428",
        "eid": 2891,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:24,428",
        "eid": 2892,
        "data": {
          "file": "shell32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc76730000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:24,428",
        "eid": 2893,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:24,428",
        "eid": 2894,
        "data": {
          "file": "shell32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc76730000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:24,428",
        "eid": 2895,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:24,428",
        "eid": 2896,
        "data": {
          "file": "oleaut32.dll",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "findwindow",
        "object": "windowname",
        "timestamp": "2026-05-28 22:02:24,428",
        "eid": 2897,
        "data": {
          "classname": "Shell_TrayWnd",
          "windowname": ""
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:25,412",
        "eid": 2898,
        "data": {
          "file": "shell32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc76730000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:25,412",
        "eid": 2899,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:25,412",
        "eid": 2900,
        "data": {
          "file": "shell32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc76730000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:25,412",
        "eid": 2901,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:25,428",
        "eid": 2902,
        "data": {
          "file": "shell32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc76730000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:25,428",
        "eid": 2903,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:25,428",
        "eid": 2904,
        "data": {
          "file": "shell32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc76730000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:25,428",
        "eid": 2905,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:25,428",
        "eid": 2906,
        "data": {
          "file": "shell32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc76730000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:25,428",
        "eid": 2907,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:25,428",
        "eid": 2908,
        "data": {
          "file": "shell32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc76730000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:25,428",
        "eid": 2909,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:25,428",
        "eid": 2910,
        "data": {
          "file": "oleaut32.dll",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "findwindow",
        "object": "windowname",
        "timestamp": "2026-05-28 22:02:25,428",
        "eid": 2911,
        "data": {
          "classname": "Shell_TrayWnd",
          "windowname": ""
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:26,412",
        "eid": 2912,
        "data": {
          "file": "shell32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc76730000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:26,412",
        "eid": 2913,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:26,412",
        "eid": 2914,
        "data": {
          "file": "shell32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc76730000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:26,412",
        "eid": 2915,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:26,412",
        "eid": 2916,
        "data": {
          "file": "shell32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc76730000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:26,412",
        "eid": 2917,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:26,412",
        "eid": 2918,
        "data": {
          "file": "shell32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc76730000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:26,412",
        "eid": 2919,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:26,412",
        "eid": 2920,
        "data": {
          "file": "shell32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc76730000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:26,412",
        "eid": 2921,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:26,412",
        "eid": 2922,
        "data": {
          "file": "shell32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc76730000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:26,412",
        "eid": 2923,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:26,412",
        "eid": 2924,
        "data": {
          "file": "oleaut32.dll",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "findwindow",
        "object": "windowname",
        "timestamp": "2026-05-28 22:02:26,412",
        "eid": 2925,
        "data": {
          "classname": "Shell_TrayWnd",
          "windowname": ""
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:27,428",
        "eid": 2926,
        "data": {
          "file": "shell32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc76730000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:27,428",
        "eid": 2927,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:27,428",
        "eid": 2928,
        "data": {
          "file": "shell32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc76730000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:27,428",
        "eid": 2929,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:27,428",
        "eid": 2930,
        "data": {
          "file": "shell32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc76730000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:27,428",
        "eid": 2931,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:27,428",
        "eid": 2932,
        "data": {
          "file": "shell32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc76730000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:27,428",
        "eid": 2933,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:27,428",
        "eid": 2934,
        "data": {
          "file": "shell32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc76730000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:27,428",
        "eid": 2935,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:27,428",
        "eid": 2936,
        "data": {
          "file": "shell32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc76730000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:27,428",
        "eid": 2937,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:27,428",
        "eid": 2938,
        "data": {
          "file": "oleaut32.dll",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "findwindow",
        "object": "windowname",
        "timestamp": "2026-05-28 22:02:27,428",
        "eid": 2939,
        "data": {
          "classname": "Shell_TrayWnd",
          "windowname": ""
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:28,443",
        "eid": 2940,
        "data": {
          "file": "shell32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc76730000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:28,443",
        "eid": 2941,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:28,443",
        "eid": 2942,
        "data": {
          "file": "shell32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc76730000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:28,443",
        "eid": 2943,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:28,443",
        "eid": 2944,
        "data": {
          "file": "shell32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc76730000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:28,443",
        "eid": 2945,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:28,443",
        "eid": 2946,
        "data": {
          "file": "shell32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc76730000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:28,443",
        "eid": 2947,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:28,443",
        "eid": 2948,
        "data": {
          "file": "shell32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc76730000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:28,443",
        "eid": 2949,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:28,443",
        "eid": 2950,
        "data": {
          "file": "shell32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc76730000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:28,443",
        "eid": 2951,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:28,443",
        "eid": 2952,
        "data": {
          "file": "oleaut32.dll",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "findwindow",
        "object": "windowname",
        "timestamp": "2026-05-28 22:02:28,443",
        "eid": 2953,
        "data": {
          "classname": "Shell_TrayWnd",
          "windowname": ""
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:29,459",
        "eid": 2954,
        "data": {
          "file": "shell32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc76730000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:29,459",
        "eid": 2955,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:29,459",
        "eid": 2956,
        "data": {
          "file": "shell32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc76730000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:29,459",
        "eid": 2957,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:29,459",
        "eid": 2958,
        "data": {
          "file": "shell32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc76730000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:29,459",
        "eid": 2959,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:29,459",
        "eid": 2960,
        "data": {
          "file": "shell32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc76730000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:29,459",
        "eid": 2961,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:29,459",
        "eid": 2962,
        "data": {
          "file": "shell32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc76730000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:29,459",
        "eid": 2963,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:29,459",
        "eid": 2964,
        "data": {
          "file": "shell32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc76730000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:29,459",
        "eid": 2965,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:29,459",
        "eid": 2966,
        "data": {
          "file": "oleaut32.dll",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "findwindow",
        "object": "windowname",
        "timestamp": "2026-05-28 22:02:29,459",
        "eid": 2967,
        "data": {
          "classname": "Shell_TrayWnd",
          "windowname": ""
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:30,475",
        "eid": 2968,
        "data": {
          "file": "shell32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc76730000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:30,475",
        "eid": 2969,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:30,475",
        "eid": 2970,
        "data": {
          "file": "shell32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc76730000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:30,475",
        "eid": 2971,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:30,475",
        "eid": 2972,
        "data": {
          "file": "shell32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc76730000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:30,475",
        "eid": 2973,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:30,475",
        "eid": 2974,
        "data": {
          "file": "shell32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc76730000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:30,475",
        "eid": 2975,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:30,475",
        "eid": 2976,
        "data": {
          "file": "shell32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc76730000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:30,475",
        "eid": 2977,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:30,475",
        "eid": 2978,
        "data": {
          "file": "shell32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc76730000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:30,475",
        "eid": 2979,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:30,475",
        "eid": 2980,
        "data": {
          "file": "oleaut32.dll",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "findwindow",
        "object": "windowname",
        "timestamp": "2026-05-28 22:02:30,475",
        "eid": 2981,
        "data": {
          "classname": "Shell_TrayWnd",
          "windowname": ""
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:31,475",
        "eid": 2982,
        "data": {
          "file": "shell32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc76730000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:31,475",
        "eid": 2983,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:31,475",
        "eid": 2984,
        "data": {
          "file": "shell32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc76730000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:31,475",
        "eid": 2985,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:31,475",
        "eid": 2986,
        "data": {
          "file": "shell32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc76730000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:31,475",
        "eid": 2987,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:31,475",
        "eid": 2988,
        "data": {
          "file": "shell32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc76730000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:31,475",
        "eid": 2989,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:31,475",
        "eid": 2990,
        "data": {
          "file": "shell32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc76730000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:31,475",
        "eid": 2991,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:31,475",
        "eid": 2992,
        "data": {
          "file": "shell32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc76730000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:31,475",
        "eid": 2993,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:31,475",
        "eid": 2994,
        "data": {
          "file": "oleaut32.dll",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "findwindow",
        "object": "windowname",
        "timestamp": "2026-05-28 22:02:31,475",
        "eid": 2995,
        "data": {
          "classname": "Shell_TrayWnd",
          "windowname": ""
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:34,725",
        "eid": 2996,
        "data": {
          "file": "shell32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc76730000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:34,725",
        "eid": 2997,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:34,725",
        "eid": 2998,
        "data": {
          "file": "shell32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc76730000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:34,725",
        "eid": 2999,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:34,725",
        "eid": 3000,
        "data": {
          "file": "shell32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc76730000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:34,725",
        "eid": 3001,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:34,725",
        "eid": 3002,
        "data": {
          "file": "shell32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc76730000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:34,725",
        "eid": 3003,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:34,725",
        "eid": 3004,
        "data": {
          "file": "shell32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc76730000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:34,725",
        "eid": 3005,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:34,725",
        "eid": 3006,
        "data": {
          "file": "shell32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc76730000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:34,725",
        "eid": 3007,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:34,725",
        "eid": 3008,
        "data": {
          "file": "oleaut32.dll",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "findwindow",
        "object": "windowname",
        "timestamp": "2026-05-28 22:02:34,725",
        "eid": 3009,
        "data": {
          "classname": "Shell_TrayWnd",
          "windowname": ""
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:34,725",
        "eid": 3010,
        "data": {
          "file": "shell32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc76730000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:34,725",
        "eid": 3011,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:34,725",
        "eid": 3012,
        "data": {
          "file": "shell32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc76730000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:34,725",
        "eid": 3013,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:34,725",
        "eid": 3014,
        "data": {
          "file": "shell32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc76730000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:34,725",
        "eid": 3015,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:34,740",
        "eid": 3016,
        "data": {
          "file": "shell32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc76730000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:34,740",
        "eid": 3017,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:34,740",
        "eid": 3018,
        "data": {
          "file": "shell32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc76730000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:34,740",
        "eid": 3019,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:34,740",
        "eid": 3020,
        "data": {
          "file": "shell32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc76730000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:34,740",
        "eid": 3021,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:34,740",
        "eid": 3022,
        "data": {
          "file": "oleaut32.dll",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "findwindow",
        "object": "windowname",
        "timestamp": "2026-05-28 22:02:34,740",
        "eid": 3023,
        "data": {
          "classname": "Shell_TrayWnd",
          "windowname": ""
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:35,459",
        "eid": 3024,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:35,459",
        "eid": 3025,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:35,725",
        "eid": 3026,
        "data": {
          "file": "shell32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc76730000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:35,725",
        "eid": 3027,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:35,725",
        "eid": 3028,
        "data": {
          "file": "shell32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc76730000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:35,725",
        "eid": 3029,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:35,725",
        "eid": 3030,
        "data": {
          "file": "shell32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc76730000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:35,725",
        "eid": 3031,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:35,725",
        "eid": 3032,
        "data": {
          "file": "shell32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc76730000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:35,725",
        "eid": 3033,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:35,725",
        "eid": 3034,
        "data": {
          "file": "shell32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc76730000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:35,725",
        "eid": 3035,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:35,725",
        "eid": 3036,
        "data": {
          "file": "shell32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc76730000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:35,725",
        "eid": 3037,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:35,725",
        "eid": 3038,
        "data": {
          "file": "oleaut32.dll",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "findwindow",
        "object": "windowname",
        "timestamp": "2026-05-28 22:02:35,725",
        "eid": 3039,
        "data": {
          "classname": "Shell_TrayWnd",
          "windowname": ""
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:36,475",
        "eid": 3040,
        "data": {
          "file": "shell32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc76730000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:36,475",
        "eid": 3041,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:36,475",
        "eid": 3042,
        "data": {
          "file": "shell32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc76730000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:36,475",
        "eid": 3043,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:36,475",
        "eid": 3044,
        "data": {
          "file": "shell32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc76730000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:36,475",
        "eid": 3045,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:36,475",
        "eid": 3046,
        "data": {
          "file": "shell32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc76730000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:36,475",
        "eid": 3047,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:36,475",
        "eid": 3048,
        "data": {
          "file": "shell32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc76730000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:36,475",
        "eid": 3049,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:36,475",
        "eid": 3050,
        "data": {
          "file": "shell32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc76730000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:36,475",
        "eid": 3051,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:36,475",
        "eid": 3052,
        "data": {
          "file": "oleaut32.dll",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "findwindow",
        "object": "windowname",
        "timestamp": "2026-05-28 22:02:36,475",
        "eid": 3053,
        "data": {
          "classname": "Shell_TrayWnd",
          "windowname": ""
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:37,475",
        "eid": 3054,
        "data": {
          "file": "shell32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc76730000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:37,475",
        "eid": 3055,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:37,475",
        "eid": 3056,
        "data": {
          "file": "shell32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc76730000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:37,475",
        "eid": 3057,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:37,475",
        "eid": 3058,
        "data": {
          "file": "shell32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc76730000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:37,475",
        "eid": 3059,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:37,475",
        "eid": 3060,
        "data": {
          "file": "shell32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc76730000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:37,475",
        "eid": 3061,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:37,475",
        "eid": 3062,
        "data": {
          "file": "shell32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc76730000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:37,475",
        "eid": 3063,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:37,475",
        "eid": 3064,
        "data": {
          "file": "shell32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc76730000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:37,475",
        "eid": 3065,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:37,475",
        "eid": 3066,
        "data": {
          "file": "oleaut32.dll",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "findwindow",
        "object": "windowname",
        "timestamp": "2026-05-28 22:02:37,475",
        "eid": 3067,
        "data": {
          "classname": "Shell_TrayWnd",
          "windowname": ""
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:38,490",
        "eid": 3068,
        "data": {
          "file": "shell32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc76730000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:38,490",
        "eid": 3069,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:38,490",
        "eid": 3070,
        "data": {
          "file": "shell32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc76730000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:38,490",
        "eid": 3071,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:38,490",
        "eid": 3072,
        "data": {
          "file": "shell32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc76730000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:38,490",
        "eid": 3073,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:38,490",
        "eid": 3074,
        "data": {
          "file": "shell32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc76730000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:38,490",
        "eid": 3075,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:38,490",
        "eid": 3076,
        "data": {
          "file": "shell32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc76730000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:38,490",
        "eid": 3077,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:38,490",
        "eid": 3078,
        "data": {
          "file": "shell32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc76730000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:38,490",
        "eid": 3079,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:38,490",
        "eid": 3080,
        "data": {
          "file": "oleaut32.dll",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "findwindow",
        "object": "windowname",
        "timestamp": "2026-05-28 22:02:38,490",
        "eid": 3081,
        "data": {
          "classname": "Shell_TrayWnd",
          "windowname": ""
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:39,475",
        "eid": 3082,
        "data": {
          "file": "shell32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc76730000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:39,475",
        "eid": 3083,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:39,475",
        "eid": 3084,
        "data": {
          "file": "shell32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc76730000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:39,475",
        "eid": 3085,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:39,475",
        "eid": 3086,
        "data": {
          "file": "shell32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc76730000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:39,475",
        "eid": 3087,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:39,475",
        "eid": 3088,
        "data": {
          "file": "shell32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc76730000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:39,475",
        "eid": 3089,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:39,475",
        "eid": 3090,
        "data": {
          "file": "shell32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc76730000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:39,475",
        "eid": 3091,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:39,475",
        "eid": 3092,
        "data": {
          "file": "oleaut32.dll",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "findwindow",
        "object": "windowname",
        "timestamp": "2026-05-28 22:02:39,475",
        "eid": 3093,
        "data": {
          "classname": "Shell_TrayWnd",
          "windowname": ""
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:40,178",
        "eid": 3094,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\SecurityHealth",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:40,178",
        "eid": 3095,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\SecurityHealth",
          "content": "%windir%\\system32\\SecurityHealthSystray.exe"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:40,178",
        "eid": 3096,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\StartupApproved\\Run\\SecurityHealth",
          "content": "\\x06\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:40,178",
        "eid": 3097,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:40,178",
        "eid": 3098,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:40,178",
        "eid": 3099,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:40,178",
        "eid": 3100,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:40,178",
        "eid": 3101,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\CAPEAgent",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:40,178",
        "eid": 3102,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\CAPEAgent",
          "content": "\"C:\\Users\\admin\\AppData\\Local\\Microsoft\\WindowsApps\\python.exe\" \"C:\\agent.py\""
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:40,178",
        "eid": 3103,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\StartupApproved\\Run\\CAPEAgent",
          "content": "\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:40,178",
        "eid": 3104,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:40,178",
        "eid": 3105,
        "data": {
          "regkey": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{528c102f-0000-0000-0000-300300000000}\\Generation",
          "content": "1"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:40,178",
        "eid": 3106,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:40,178",
        "eid": 3107,
        "data": {
          "regkey": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{528c102f-0000-0000-0000-300300000000}\\Generation",
          "content": "1"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:40,193",
        "eid": 3108,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:40,193",
        "eid": 3109,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:40,193",
        "eid": 3110,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "read",
        "object": "file",
        "timestamp": "2026-05-28 22:02:40,193",
        "eid": 3111,
        "data": {
          "file": "C:\\Windows\\System32\\conhost.exe"
        }
      },
      {
        "event": "read",
        "object": "file",
        "timestamp": "2026-05-28 22:02:40,193",
        "eid": 3112,
        "data": {
          "file": "C:\\Windows\\System32\\conhost.exe"
        }
      },
      {
        "event": "read",
        "object": "file",
        "timestamp": "2026-05-28 22:02:40,193",
        "eid": 3113,
        "data": {
          "file": "C:\\Windows\\System32\\conhost.exe"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:40,193",
        "eid": 3114,
        "data": {
          "regkey": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\OneDrive",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:40,193",
        "eid": 3115,
        "data": {
          "regkey": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\OneDrive",
          "content": "\"C:\\Users\\admin\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:40,193",
        "eid": 3116,
        "data": {
          "regkey": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\StartupApproved\\Run\\OneDrive",
          "content": "\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:40,193",
        "eid": 3117,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:40,193",
        "eid": 3118,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:40,193",
        "eid": 3119,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:40,193",
        "eid": 3120,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:40,193",
        "eid": 3121,
        "data": {
          "regkey": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\Discord",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:40,193",
        "eid": 3122,
        "data": {
          "regkey": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\Discord",
          "content": "\"C:\\Users\\admin\\AppData\\Local\\Discord\\Update.exe\" --processStart Discord.exe"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:40,193",
        "eid": 3123,
        "data": {
          "regkey": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\StartupApproved\\Run\\Discord",
          "content": "\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:40,193",
        "eid": 3124,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:40,193",
        "eid": 3125,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:40,193",
        "eid": 3126,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:40,193",
        "eid": 3127,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:40,193",
        "eid": 3128,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:40,193",
        "eid": 3129,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:40,193",
        "eid": 3130,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:40,193",
        "eid": 3131,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:40,193",
        "eid": 3132,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "read",
        "object": "file",
        "timestamp": "2026-05-28 22:02:40,193",
        "eid": 3133,
        "data": {
          "file": "C:\\Windows\\System32\\conhost.exe"
        }
      },
      {
        "event": "read",
        "object": "file",
        "timestamp": "2026-05-28 22:02:40,193",
        "eid": 3134,
        "data": {
          "file": "C:\\Windows\\System32\\conhost.exe"
        }
      },
      {
        "event": "read",
        "object": "file",
        "timestamp": "2026-05-28 22:02:40,193",
        "eid": 3135,
        "data": {
          "file": "C:\\Windows\\System32\\conhost.exe"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:40,193",
        "eid": 3136,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:40,193",
        "eid": 3137,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:40,193",
        "eid": 3138,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:40,193",
        "eid": 3139,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:40,193",
        "eid": 3140,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "read",
        "object": "file",
        "timestamp": "2026-05-28 22:02:40,193",
        "eid": 3141,
        "data": {
          "file": "C:\\Windows\\System32\\conhost.exe"
        }
      },
      {
        "event": "read",
        "object": "file",
        "timestamp": "2026-05-28 22:02:40,193",
        "eid": 3142,
        "data": {
          "file": "C:\\Windows\\System32\\conhost.exe"
        }
      },
      {
        "event": "read",
        "object": "file",
        "timestamp": "2026-05-28 22:02:40,193",
        "eid": 3143,
        "data": {
          "file": "C:\\Windows\\System32\\conhost.exe"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:40,193",
        "eid": 3144,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:40,209",
        "eid": 3145,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:40,209",
        "eid": 3146,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:40,209",
        "eid": 3147,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:40,209",
        "eid": 3148,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:40,209",
        "eid": 3149,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:40,209",
        "eid": 3150,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:40,209",
        "eid": 3151,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:40,209",
        "eid": 3152,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:40,209",
        "eid": 3153,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:40,209",
        "eid": 3154,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:40,209",
        "eid": 3155,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:40,209",
        "eid": 3156,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:40,209",
        "eid": 3157,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:40,209",
        "eid": 3158,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:40,209",
        "eid": 3159,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:40,209",
        "eid": 3160,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:40,209",
        "eid": 3161,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "read",
        "object": "file",
        "timestamp": "2026-05-28 22:02:40,209",
        "eid": 3162,
        "data": {
          "file": "C:\\Windows\\System32\\conhost.exe"
        }
      },
      {
        "event": "read",
        "object": "file",
        "timestamp": "2026-05-28 22:02:40,209",
        "eid": 3163,
        "data": {
          "file": "C:\\Windows\\System32\\conhost.exe"
        }
      },
      {
        "event": "read",
        "object": "file",
        "timestamp": "2026-05-28 22:02:40,209",
        "eid": 3164,
        "data": {
          "file": "C:\\Windows\\System32\\conhost.exe"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:40,209",
        "eid": 3165,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:40,209",
        "eid": 3166,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "read",
        "object": "file",
        "timestamp": "2026-05-28 22:02:40,209",
        "eid": 3167,
        "data": {
          "file": "C:\\Windows\\System32\\conhost.exe"
        }
      },
      {
        "event": "read",
        "object": "file",
        "timestamp": "2026-05-28 22:02:40,209",
        "eid": 3168,
        "data": {
          "file": "C:\\Windows\\System32\\conhost.exe"
        }
      },
      {
        "event": "read",
        "object": "file",
        "timestamp": "2026-05-28 22:02:40,209",
        "eid": 3169,
        "data": {
          "file": "C:\\Windows\\System32\\conhost.exe"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:40,209",
        "eid": 3170,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:40,209",
        "eid": 3171,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "read",
        "object": "file",
        "timestamp": "2026-05-28 22:02:40,209",
        "eid": 3172,
        "data": {
          "file": "C:\\Windows\\System32\\conhost.exe"
        }
      },
      {
        "event": "read",
        "object": "file",
        "timestamp": "2026-05-28 22:02:40,209",
        "eid": 3173,
        "data": {
          "file": "C:\\Windows\\System32\\conhost.exe"
        }
      },
      {
        "event": "read",
        "object": "file",
        "timestamp": "2026-05-28 22:02:40,209",
        "eid": 3174,
        "data": {
          "file": "C:\\Windows\\System32\\conhost.exe"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:40,209",
        "eid": 3175,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:40,209",
        "eid": 3176,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "read",
        "object": "file",
        "timestamp": "2026-05-28 22:02:40,209",
        "eid": 3177,
        "data": {
          "file": "C:\\Windows\\System32\\conhost.exe"
        }
      },
      {
        "event": "read",
        "object": "file",
        "timestamp": "2026-05-28 22:02:40,209",
        "eid": 3178,
        "data": {
          "file": "C:\\Windows\\System32\\conhost.exe"
        }
      },
      {
        "event": "read",
        "object": "file",
        "timestamp": "2026-05-28 22:02:40,209",
        "eid": 3179,
        "data": {
          "file": "C:\\Windows\\System32\\conhost.exe"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:40,209",
        "eid": 3180,
        "data": {
          "regkey": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\Steam",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:40,209",
        "eid": 3181,
        "data": {
          "regkey": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\Steam",
          "content": "\"C:\\Program Files (x86)\\Steam\\steam.exe\" -silent"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:40,209",
        "eid": 3182,
        "data": {
          "regkey": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\StartupApproved\\Run\\Steam",
          "content": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:40,209",
        "eid": 3183,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:40,209",
        "eid": 3184,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:40,209",
        "eid": 3185,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:40,209",
        "eid": 3186,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:40,209",
        "eid": 3187,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:40,209",
        "eid": 3188,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "read",
        "object": "file",
        "timestamp": "2026-05-28 22:02:40,209",
        "eid": 3189,
        "data": {
          "file": "C:\\Windows\\System32\\conhost.exe"
        }
      },
      {
        "event": "read",
        "object": "file",
        "timestamp": "2026-05-28 22:02:40,209",
        "eid": 3190,
        "data": {
          "file": "C:\\Windows\\System32\\conhost.exe"
        }
      },
      {
        "event": "read",
        "object": "file",
        "timestamp": "2026-05-28 22:02:40,209",
        "eid": 3191,
        "data": {
          "file": "C:\\Windows\\System32\\conhost.exe"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:40,209",
        "eid": 3192,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:40,209",
        "eid": 3193,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:40,209",
        "eid": 3194,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:40,225",
        "eid": 3195,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:40,225",
        "eid": 3196,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:40,225",
        "eid": 3197,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:40,225",
        "eid": 3198,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:40,225",
        "eid": 3199,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:40,225",
        "eid": 3200,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:40,225",
        "eid": 3201,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:40,225",
        "eid": 3202,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:40,225",
        "eid": 3203,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:40,225",
        "eid": 3204,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:40,225",
        "eid": 3205,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:40,225",
        "eid": 3206,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:40,225",
        "eid": 3207,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:40,225",
        "eid": 3208,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:40,225",
        "eid": 3209,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:40,225",
        "eid": 3210,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:40,225",
        "eid": 3211,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "read",
        "object": "file",
        "timestamp": "2026-05-28 22:02:40,225",
        "eid": 3212,
        "data": {
          "file": "C:\\Windows\\System32\\conhost.exe"
        }
      },
      {
        "event": "read",
        "object": "file",
        "timestamp": "2026-05-28 22:02:40,225",
        "eid": 3213,
        "data": {
          "file": "C:\\Windows\\System32\\conhost.exe"
        }
      },
      {
        "event": "read",
        "object": "file",
        "timestamp": "2026-05-28 22:02:40,225",
        "eid": 3214,
        "data": {
          "file": "C:\\Windows\\System32\\conhost.exe"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:40,225",
        "eid": 3215,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:40,225",
        "eid": 3216,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:40,225",
        "eid": 3217,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:40,225",
        "eid": 3218,
        "data": {
          "regkey": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{528c102f-0000-0000-0000-300300000000}\\Generation",
          "content": "1"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:40,225",
        "eid": 3219,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "read",
        "object": "file",
        "timestamp": "2026-05-28 22:02:40,225",
        "eid": 3220,
        "data": {
          "file": "C:\\Windows\\System32\\conhost.exe"
        }
      },
      {
        "event": "read",
        "object": "file",
        "timestamp": "2026-05-28 22:02:40,225",
        "eid": 3221,
        "data": {
          "file": "C:\\Windows\\System32\\conhost.exe"
        }
      },
      {
        "event": "read",
        "object": "file",
        "timestamp": "2026-05-28 22:02:40,225",
        "eid": 3222,
        "data": {
          "file": "C:\\Windows\\System32\\conhost.exe"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:40,225",
        "eid": 3223,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.ApplicationModel.Internal.StartupTaskInternal\\ActivationType",
          "content": "0"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:40,225",
        "eid": 3224,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.ApplicationModel.Internal.StartupTaskInternal\\Server",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:40,225",
        "eid": 3225,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.ApplicationModel.Internal.StartupTaskInternal\\DllPath",
          "content": "C:\\Windows\\System32\\Windows.ApplicationModel.dll"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:40,225",
        "eid": 3226,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.ApplicationModel.Internal.StartupTaskInternal\\Threading",
          "content": "0"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:40,225",
        "eid": 3227,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.ApplicationModel.Internal.StartupTaskInternal\\TrustLevel",
          "content": "1"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:40,225",
        "eid": 3228,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.ApplicationModel.Internal.StartupTaskInternal\\RemoteServer",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:40,225",
        "eid": 3229,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.ApplicationModel.Internal.StartupTaskInternal\\ActivateAsUser",
          "content": "1"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:40,225",
        "eid": 3230,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.ApplicationModel.Internal.StartupTaskInternal\\ActivateInSharedBroker",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:40,225",
        "eid": 3231,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.ApplicationModel.Internal.StartupTaskInternal\\ActivateInBrokerForMediumILContainer",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:40,225",
        "eid": 3232,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.ApplicationModel.Internal.StartupTaskInternal\\Permissions",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:40,225",
        "eid": 3233,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.ApplicationModel.Internal.StartupTaskInternal\\ActivateOnHostFlags",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:40,225",
        "eid": 3234,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.ApplicationExtension\\ActivationType",
          "content": "1"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:40,225",
        "eid": 3235,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.ApplicationExtension\\Server",
          "content": "StateRepository"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:40,225",
        "eid": 3236,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.ApplicationExtension\\DllPath",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:40,225",
        "eid": 3237,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.ApplicationExtension\\Threading",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:40,225",
        "eid": 3238,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.ApplicationExtension\\TrustLevel",
          "content": "0"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:40,225",
        "eid": 3239,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.ApplicationExtension\\RemoteServer",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:40,225",
        "eid": 3240,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.ApplicationExtension\\ActivateAsUser",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:40,225",
        "eid": 3241,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.ApplicationExtension\\ActivateInSharedBroker",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:40,225",
        "eid": 3242,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.ApplicationExtension\\ActivateInBrokerForMediumILContainer",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:40,225",
        "eid": 3243,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.ApplicationExtension\\Permissions",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:40,225",
        "eid": 3244,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.ApplicationExtension\\ActivateOnHostFlags",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:40,225",
        "eid": 3245,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\Server\\StateRepository\\ExePath",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:40,225",
        "eid": 3246,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\Server\\StateRepository\\CommandLine",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:40,225",
        "eid": 3247,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\Server\\StateRepository\\IdentityType",
          "content": "1"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:40,225",
        "eid": 3248,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\Server\\StateRepository\\Permissions",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:40,225",
        "eid": 3249,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\Server\\StateRepository\\Permissions",
          "content": "\\x01\\x00\\x14\\x80\\x9c\\x00\\x00\\x00\\xa8\\x00\\x00\\x00\\x14\\x00\\x00\\x000\\x00\\x00\\x00\\x02\\x00\\x1c\\x00\\x01\\x00\\x00\\x00\\x11\\x00\\x14\\x00\\x04\\x00\\x00\\x00\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x10\\x00\\x00\\x02\\x00l\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x14\\x00\\x1f\\x00\\x00\\x00\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x18\\x00\\x1f\\x00\\x00\\x00\\x01\\x02\\x00\\x00\\x00\\x00\\x00\\x0f\\x02\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x008\\x00\\x1f\\x00\\x00\\x00\\x01\n\\x00\\x00\\x00\\x00\\x00\\x0f\\x03\\x00\\x00\\x00\\x00\\x04\\x00\\x00\\xceJ\\x93Y\\xb9\\xcf\\x0buu\\xc0\\xf2\\x9b\\xb2\\xb4\\xc2\\x98\\xd4F\\xdd\\xf9\\x02z\\x87\\xec\\x14e\\x11w\\xd6\\xe9\\x96U\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x05\n\\x00\\x00\\x00\\x01\\x02\\x00\\x00\\x00\\x00\\x00\\x05 \\x00\\x00\\x00!\\x02\\x00\\x00"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:40,225",
        "eid": 3250,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\Server\\StateRepository\\ActivatableClasses",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:40,225",
        "eid": 3251,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\Server\\StateRepository\\ServerType",
          "content": "2"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:40,225",
        "eid": 3252,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\Server\\StateRepository\\AppId",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:40,225",
        "eid": 3253,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\Server\\StateRepository\\Identity",
          "content": "nt authority\\system"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:40,225",
        "eid": 3254,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\Server\\StateRepository\\ServiceName",
          "content": "StateRepository"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:40,225",
        "eid": 3255,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\Server\\StateRepository\\ExplicitPsmActivationType",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:40,225",
        "eid": 3256,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}\\ActivateOnHostFlags",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:40,225",
        "eid": 3257,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}\\(Default)",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:40,225",
        "eid": 3258,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}\\(Default)",
          "content": "PSFactoryBuffer"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:40,225",
        "eid": 3259,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}\\InProcServer32\\InprocServer32",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:40,225",
        "eid": 3260,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}\\InProcServer32\\(Default)",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:40,225",
        "eid": 3261,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}\\InProcServer32\\(Default)",
          "content": "C:\\Windows\\System32\\\\Windows.StateRepositoryPS.dll"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:40,225",
        "eid": 3262,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}\\InProcServer32\\ThreadingModel",
          "content": "Both"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:40,240",
        "eid": 3263,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.Package\\ActivationType",
          "content": "1"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:40,240",
        "eid": 3264,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.Package\\Server",
          "content": "StateRepository"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:40,240",
        "eid": 3265,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.Package\\DllPath",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:40,240",
        "eid": 3266,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.Package\\Threading",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:40,240",
        "eid": 3267,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.Package\\TrustLevel",
          "content": "0"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:40,240",
        "eid": 3268,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.Package\\RemoteServer",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:40,240",
        "eid": 3269,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.Package\\ActivateAsUser",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:40,240",
        "eid": 3270,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.Package\\ActivateInSharedBroker",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:40,240",
        "eid": 3271,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.Package\\ActivateInBrokerForMediumILContainer",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:40,240",
        "eid": 3272,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.Package\\Permissions",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:40,240",
        "eid": 3273,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.Package\\ActivateOnHostFlags",
          "content": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:40,506",
        "eid": 3274,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:40,506",
        "eid": 3275,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:40,506",
        "eid": 3276,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:40,506",
        "eid": 3277,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:40,506",
        "eid": 3278,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:40,506",
        "eid": 3279,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:40,506",
        "eid": 3280,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:40,506",
        "eid": 3281,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:40,521",
        "eid": 3282,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:40,521",
        "eid": 3283,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:40,521",
        "eid": 3284,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:40,521",
        "eid": 3285,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:40,521",
        "eid": 3286,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}\\ActivateOnHostFlags",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:40,521",
        "eid": 3287,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}\\(Default)",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:40,521",
        "eid": 3288,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}\\(Default)",
          "content": "PSFactoryBuffer"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:40,521",
        "eid": 3289,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}\\InProcServer32\\InprocServer32",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:40,521",
        "eid": 3290,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}\\InProcServer32\\(Default)",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:40,521",
        "eid": 3291,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}\\InProcServer32\\(Default)",
          "content": "C:\\Windows\\System32\\\\Windows.StateRepositoryPS.dll"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:40,521",
        "eid": 3292,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}\\InProcServer32\\ThreadingModel",
          "content": "Both"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:40,521",
        "eid": 3293,
        "data": {
          "file": "shell32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc76730000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:40,521",
        "eid": 3294,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:40,521",
        "eid": 3295,
        "data": {
          "file": "shell32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc76730000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:40,521",
        "eid": 3296,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:40,521",
        "eid": 3297,
        "data": {
          "file": "shell32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc76730000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:40,521",
        "eid": 3298,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:40,521",
        "eid": 3299,
        "data": {
          "file": "shell32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc76730000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:40,521",
        "eid": 3300,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:40,521",
        "eid": 3301,
        "data": {
          "file": "shell32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc76730000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:40,521",
        "eid": 3302,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:40,521",
        "eid": 3303,
        "data": {
          "file": "oleaut32.dll",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "findwindow",
        "object": "windowname",
        "timestamp": "2026-05-28 22:02:40,521",
        "eid": 3304,
        "data": {
          "classname": "Shell_TrayWnd",
          "windowname": ""
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:41,490",
        "eid": 3305,
        "data": {
          "file": "shell32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc76730000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:41,490",
        "eid": 3306,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:41,490",
        "eid": 3307,
        "data": {
          "file": "shell32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc76730000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:41,490",
        "eid": 3308,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:41,490",
        "eid": 3309,
        "data": {
          "file": "shell32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc76730000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:41,490",
        "eid": 3310,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:41,490",
        "eid": 3311,
        "data": {
          "file": "shell32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc76730000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:41,490",
        "eid": 3312,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:41,506",
        "eid": 3313,
        "data": {
          "file": "oleaut32.dll",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "findwindow",
        "object": "windowname",
        "timestamp": "2026-05-28 22:02:41,506",
        "eid": 3314,
        "data": {
          "classname": "Shell_TrayWnd",
          "windowname": ""
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:42,490",
        "eid": 3315,
        "data": {
          "file": "shell32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc76730000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:42,490",
        "eid": 3316,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:42,490",
        "eid": 3317,
        "data": {
          "file": "shell32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc76730000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:42,490",
        "eid": 3318,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:42,490",
        "eid": 3319,
        "data": {
          "file": "shell32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc76730000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:42,490",
        "eid": 3320,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:42,490",
        "eid": 3321,
        "data": {
          "file": "shell32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc76730000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:42,490",
        "eid": 3322,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:42,490",
        "eid": 3323,
        "data": {
          "file": "oleaut32.dll",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "findwindow",
        "object": "windowname",
        "timestamp": "2026-05-28 22:02:42,490",
        "eid": 3324,
        "data": {
          "classname": "Shell_TrayWnd",
          "windowname": ""
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:43,506",
        "eid": 3325,
        "data": {
          "file": "shell32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc76730000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:43,506",
        "eid": 3326,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:43,506",
        "eid": 3327,
        "data": {
          "file": "shell32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc76730000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:43,506",
        "eid": 3328,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:43,506",
        "eid": 3329,
        "data": {
          "file": "shell32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc76730000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:43,506",
        "eid": 3330,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:43,506",
        "eid": 3331,
        "data": {
          "file": "shell32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc76730000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:43,506",
        "eid": 3332,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:43,506",
        "eid": 3333,
        "data": {
          "file": "oleaut32.dll",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "findwindow",
        "object": "windowname",
        "timestamp": "2026-05-28 22:02:43,506",
        "eid": 3334,
        "data": {
          "classname": "Shell_TrayWnd",
          "windowname": ""
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:44,490",
        "eid": 3335,
        "data": {
          "file": "shell32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc76730000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:44,490",
        "eid": 3336,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:44,490",
        "eid": 3337,
        "data": {
          "file": "shell32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc76730000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:44,490",
        "eid": 3338,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:44,490",
        "eid": 3339,
        "data": {
          "file": "shell32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc76730000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:44,490",
        "eid": 3340,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:44,490",
        "eid": 3341,
        "data": {
          "file": "shell32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc76730000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:44,490",
        "eid": 3342,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:44,490",
        "eid": 3343,
        "data": {
          "file": "oleaut32.dll",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "findwindow",
        "object": "windowname",
        "timestamp": "2026-05-28 22:02:44,490",
        "eid": 3344,
        "data": {
          "classname": "Shell_TrayWnd",
          "windowname": ""
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:45,521",
        "eid": 3345,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:45,521",
        "eid": 3346,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:45,553",
        "eid": 3347,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:45,553",
        "eid": 3348,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:45,600",
        "eid": 3349,
        "data": {
          "file": "shell32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc76730000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:45,600",
        "eid": 3350,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:45,600",
        "eid": 3351,
        "data": {
          "file": "shell32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc76730000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:45,600",
        "eid": 3352,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:45,600",
        "eid": 3353,
        "data": {
          "file": "shell32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc76730000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:45,600",
        "eid": 3354,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:45,600",
        "eid": 3355,
        "data": {
          "file": "shell32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc76730000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:45,600",
        "eid": 3356,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:45,600",
        "eid": 3357,
        "data": {
          "file": "oleaut32.dll",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "findwindow",
        "object": "windowname",
        "timestamp": "2026-05-28 22:02:45,600",
        "eid": 3358,
        "data": {
          "classname": "Shell_TrayWnd",
          "windowname": ""
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:46,490",
        "eid": 3359,
        "data": {
          "file": "shell32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc76730000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:46,490",
        "eid": 3360,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:46,490",
        "eid": 3361,
        "data": {
          "file": "shell32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc76730000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:46,490",
        "eid": 3362,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:46,490",
        "eid": 3363,
        "data": {
          "file": "shell32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc76730000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:46,490",
        "eid": 3364,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:46,490",
        "eid": 3365,
        "data": {
          "file": "shell32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc76730000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:46,490",
        "eid": 3366,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:46,490",
        "eid": 3367,
        "data": {
          "file": "oleaut32.dll",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "findwindow",
        "object": "windowname",
        "timestamp": "2026-05-28 22:02:46,490",
        "eid": 3368,
        "data": {
          "classname": "Shell_TrayWnd",
          "windowname": ""
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:47,506",
        "eid": 3369,
        "data": {
          "file": "shell32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc76730000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:47,506",
        "eid": 3370,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:47,506",
        "eid": 3371,
        "data": {
          "file": "shell32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc76730000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:47,506",
        "eid": 3372,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:47,506",
        "eid": 3373,
        "data": {
          "file": "shell32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc76730000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:47,506",
        "eid": 3374,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:47,506",
        "eid": 3375,
        "data": {
          "file": "shell32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc76730000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:47,506",
        "eid": 3376,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:47,506",
        "eid": 3377,
        "data": {
          "file": "oleaut32.dll",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "findwindow",
        "object": "windowname",
        "timestamp": "2026-05-28 22:02:47,506",
        "eid": 3378,
        "data": {
          "classname": "Shell_TrayWnd",
          "windowname": ""
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:48,521",
        "eid": 3379,
        "data": {
          "file": "shell32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc76730000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:48,521",
        "eid": 3380,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:48,521",
        "eid": 3381,
        "data": {
          "file": "shell32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc76730000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:48,521",
        "eid": 3382,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:48,521",
        "eid": 3383,
        "data": {
          "file": "shell32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc76730000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:48,521",
        "eid": 3384,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:48,521",
        "eid": 3385,
        "data": {
          "file": "shell32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc76730000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:48,521",
        "eid": 3386,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:48,521",
        "eid": 3387,
        "data": {
          "file": "oleaut32.dll",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "findwindow",
        "object": "windowname",
        "timestamp": "2026-05-28 22:02:48,521",
        "eid": 3388,
        "data": {
          "classname": "Shell_TrayWnd",
          "windowname": ""
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:49,521",
        "eid": 3389,
        "data": {
          "file": "shell32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc76730000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:49,521",
        "eid": 3390,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:49,521",
        "eid": 3391,
        "data": {
          "file": "shell32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc76730000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:49,521",
        "eid": 3392,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:49,521",
        "eid": 3393,
        "data": {
          "file": "shell32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc76730000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:49,521",
        "eid": 3394,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:49,521",
        "eid": 3395,
        "data": {
          "file": "shell32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc76730000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:49,521",
        "eid": 3396,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:49,521",
        "eid": 3397,
        "data": {
          "file": "oleaut32.dll",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "findwindow",
        "object": "windowname",
        "timestamp": "2026-05-28 22:02:49,521",
        "eid": 3398,
        "data": {
          "classname": "Shell_TrayWnd",
          "windowname": ""
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:50,521",
        "eid": 3399,
        "data": {
          "file": "shell32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc76730000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:50,521",
        "eid": 3400,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:50,521",
        "eid": 3401,
        "data": {
          "file": "shell32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc76730000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:50,521",
        "eid": 3402,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:50,521",
        "eid": 3403,
        "data": {
          "file": "shell32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc76730000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:50,521",
        "eid": 3404,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:50,521",
        "eid": 3405,
        "data": {
          "file": "shell32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc76730000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:50,521",
        "eid": 3406,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:50,521",
        "eid": 3407,
        "data": {
          "file": "oleaut32.dll",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "findwindow",
        "object": "windowname",
        "timestamp": "2026-05-28 22:02:50,521",
        "eid": 3408,
        "data": {
          "classname": "Shell_TrayWnd",
          "windowname": ""
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:51,521",
        "eid": 3409,
        "data": {
          "file": "shell32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc76730000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:51,521",
        "eid": 3410,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:51,521",
        "eid": 3411,
        "data": {
          "file": "shell32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc76730000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:51,521",
        "eid": 3412,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:51,521",
        "eid": 3413,
        "data": {
          "file": "shell32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc76730000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:51,521",
        "eid": 3414,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:51,521",
        "eid": 3415,
        "data": {
          "file": "shell32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc76730000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:51,521",
        "eid": 3416,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:51,521",
        "eid": 3417,
        "data": {
          "file": "oleaut32.dll",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "findwindow",
        "object": "windowname",
        "timestamp": "2026-05-28 22:02:51,521",
        "eid": 3418,
        "data": {
          "classname": "Shell_TrayWnd",
          "windowname": ""
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:52,521",
        "eid": 3419,
        "data": {
          "file": "shell32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc76730000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:52,521",
        "eid": 3420,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:52,521",
        "eid": 3421,
        "data": {
          "file": "shell32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc76730000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:52,521",
        "eid": 3422,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:52,521",
        "eid": 3423,
        "data": {
          "file": "shell32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc76730000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:52,521",
        "eid": 3424,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:52,521",
        "eid": 3425,
        "data": {
          "file": "shell32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc76730000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:52,521",
        "eid": 3426,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:52,521",
        "eid": 3427,
        "data": {
          "file": "oleaut32.dll",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "findwindow",
        "object": "windowname",
        "timestamp": "2026-05-28 22:02:52,521",
        "eid": 3428,
        "data": {
          "classname": "Shell_TrayWnd",
          "windowname": ""
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:53,521",
        "eid": 3429,
        "data": {
          "file": "shell32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc76730000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:53,521",
        "eid": 3430,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:53,521",
        "eid": 3431,
        "data": {
          "file": "shell32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc76730000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:53,521",
        "eid": 3432,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:53,521",
        "eid": 3433,
        "data": {
          "file": "shell32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc76730000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:53,521",
        "eid": 3434,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:53,521",
        "eid": 3435,
        "data": {
          "file": "shell32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc76730000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:53,521",
        "eid": 3436,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:53,521",
        "eid": 3437,
        "data": {
          "file": "oleaut32.dll",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "findwindow",
        "object": "windowname",
        "timestamp": "2026-05-28 22:02:53,521",
        "eid": 3438,
        "data": {
          "classname": "Shell_TrayWnd",
          "windowname": ""
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:54,521",
        "eid": 3439,
        "data": {
          "file": "shell32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc76730000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:54,521",
        "eid": 3440,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:54,521",
        "eid": 3441,
        "data": {
          "file": "shell32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc76730000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:54,521",
        "eid": 3442,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:54,521",
        "eid": 3443,
        "data": {
          "file": "shell32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc76730000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:54,521",
        "eid": 3444,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:54,521",
        "eid": 3445,
        "data": {
          "file": "shell32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc76730000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:54,521",
        "eid": 3446,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:54,521",
        "eid": 3447,
        "data": {
          "file": "oleaut32.dll",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "findwindow",
        "object": "windowname",
        "timestamp": "2026-05-28 22:02:54,521",
        "eid": 3448,
        "data": {
          "classname": "Shell_TrayWnd",
          "windowname": ""
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:55,521",
        "eid": 3449,
        "data": {
          "file": "shell32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc76730000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:55,521",
        "eid": 3450,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:55,521",
        "eid": 3451,
        "data": {
          "file": "shell32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc76730000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:55,521",
        "eid": 3452,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:55,521",
        "eid": 3453,
        "data": {
          "file": "shell32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc76730000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:55,521",
        "eid": 3454,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:55,521",
        "eid": 3455,
        "data": {
          "file": "shell32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc76730000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:55,521",
        "eid": 3456,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:55,521",
        "eid": 3457,
        "data": {
          "file": "oleaut32.dll",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "findwindow",
        "object": "windowname",
        "timestamp": "2026-05-28 22:02:55,521",
        "eid": 3458,
        "data": {
          "classname": "Shell_TrayWnd",
          "windowname": ""
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:56,521",
        "eid": 3459,
        "data": {
          "file": "shell32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc76730000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:56,521",
        "eid": 3460,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:56,521",
        "eid": 3461,
        "data": {
          "file": "shell32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc76730000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:56,521",
        "eid": 3462,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:56,521",
        "eid": 3463,
        "data": {
          "file": "shell32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc76730000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:56,521",
        "eid": 3464,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:56,521",
        "eid": 3465,
        "data": {
          "file": "shell32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc76730000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:56,521",
        "eid": 3466,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:56,521",
        "eid": 3467,
        "data": {
          "file": "oleaut32.dll",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:57,553",
        "eid": 3468,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:57,553",
        "eid": 3469,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:57,553",
        "eid": 3470,
        "data": {
          "file": "shell32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc76730000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:57,553",
        "eid": 3471,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:57,553",
        "eid": 3472,
        "data": {
          "file": "shell32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc76730000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:57,553",
        "eid": 3473,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:57,553",
        "eid": 3474,
        "data": {
          "file": "shell32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc76730000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:57,553",
        "eid": 3475,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:57,553",
        "eid": 3476,
        "data": {
          "file": "shell32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc76730000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:57,553",
        "eid": 3477,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:57,553",
        "eid": 3478,
        "data": {
          "file": "oleaut32.dll",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "findwindow",
        "object": "windowname",
        "timestamp": "2026-05-28 22:02:57,553",
        "eid": 3479,
        "data": {
          "classname": "Shell_TrayWnd",
          "windowname": ""
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:58,521",
        "eid": 3480,
        "data": {
          "file": "shell32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc76730000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:58,521",
        "eid": 3481,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:58,521",
        "eid": 3482,
        "data": {
          "file": "shell32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc76730000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:58,521",
        "eid": 3483,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:58,521",
        "eid": 3484,
        "data": {
          "file": "shell32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc76730000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:58,521",
        "eid": 3485,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:58,521",
        "eid": 3486,
        "data": {
          "file": "shell32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc76730000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:58,521",
        "eid": 3487,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:58,521",
        "eid": 3488,
        "data": {
          "file": "oleaut32.dll",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "findwindow",
        "object": "windowname",
        "timestamp": "2026-05-28 22:02:58,521",
        "eid": 3489,
        "data": {
          "classname": "Shell_TrayWnd",
          "windowname": ""
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:59,521",
        "eid": 3490,
        "data": {
          "file": "shell32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc76730000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:59,521",
        "eid": 3491,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:59,521",
        "eid": 3492,
        "data": {
          "file": "shell32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc76730000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:59,521",
        "eid": 3493,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:59,521",
        "eid": 3494,
        "data": {
          "file": "shell32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc76730000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:59,521",
        "eid": 3495,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:59,521",
        "eid": 3496,
        "data": {
          "file": "shell32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc76730000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:59,521",
        "eid": 3497,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:59,521",
        "eid": 3498,
        "data": {
          "file": "oleaut32.dll",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "findwindow",
        "object": "windowname",
        "timestamp": "2026-05-28 22:02:59,521",
        "eid": 3499,
        "data": {
          "classname": "Shell_TrayWnd",
          "windowname": ""
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:03:00,537",
        "eid": 3500,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:03:00,537",
        "eid": 3501,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:03:00,600",
        "eid": 3502,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:03:00,600",
        "eid": 3503,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\DataProtection\\EDPShowIcons\\PolicyType",
          "content": "4"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:03:00,600",
        "eid": 3504,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\DataProtection\\EDPShowIcons\\Behavior",
          "content": "298"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:03:00,600",
        "eid": 3505,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\DataProtection\\EDPShowIcons\\MergeAlgorithm",
          "content": "1"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:03:00,600",
        "eid": 3506,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\DataProtection\\EDPShowIcons\\RegKeyPathRedirectMapped",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:03:00,600",
        "eid": 3507,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\DataProtection\\EDPShowIcons\\RegKeyPathRedirect",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:03:00,600",
        "eid": 3508,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\DataProtection\\EDPShowIcons\\grouppolicyname",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:03:00,600",
        "eid": 3509,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\DataProtection\\EDPShowIcons\\ADMXMetadataUser",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:03:00,600",
        "eid": 3510,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\DataProtection\\EDPShowIcons\\ADMXMetadataDevice",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:03:00,600",
        "eid": 3511,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\DataProtection\\EDPShowIcons\\ADMXMetadataBoth",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:03:00,600",
        "eid": 3512,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\DataProtection\\EDPShowIcons\\30Value",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:03:00,600",
        "eid": 3513,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\DataProtection\\EDPShowIcons\\Value",
          "content": "0"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:03:00,615",
        "eid": 3514,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:03:00,615",
        "eid": 3515,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:03:00,865",
        "eid": 3516,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:03:00,865",
        "eid": 3517,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:03:00,896",
        "eid": 3518,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:03:00,896",
        "eid": 3519,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:03:00,896",
        "eid": 3520,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\\Category",
          "content": "4"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:03:00,896",
        "eid": 3521,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\\Name",
          "content": "Desktop"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:03:00,896",
        "eid": 3522,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\\ParentFolder",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:03:00,896",
        "eid": 3523,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\\Description",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:03:00,896",
        "eid": 3524,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\\RelativePath",
          "content": "Desktop"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:03:00,896",
        "eid": 3525,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\\ParsingName",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:03:00,896",
        "eid": 3526,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\\InfoTip",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:03:00,896",
        "eid": 3527,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\\LocalizedName",
          "content": "@%SystemRoot%\\system32\\shell32.dll,-21769"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:03:00,896",
        "eid": 3528,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\\Icon",
          "content": "%SystemRoot%\\system32\\imageres.dll,-183"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:03:00,896",
        "eid": 3529,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\\Security",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:03:00,896",
        "eid": 3530,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\\StreamResource",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:03:00,896",
        "eid": 3531,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\\StreamResourceType",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:03:00,896",
        "eid": 3532,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\\LocalRedirectOnly",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:03:00,896",
        "eid": 3533,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\\Roamable",
          "content": "1"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:03:00,896",
        "eid": 3534,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\\PreCreate",
          "content": "1"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:03:00,896",
        "eid": 3535,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\\Stream",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:03:00,896",
        "eid": 3536,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\\PublishExpandedPath",
          "content": "1"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:03:00,896",
        "eid": 3537,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\\DefinitionFlags",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:03:00,896",
        "eid": 3538,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\\Attributes",
          "content": "1"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:03:00,896",
        "eid": 3539,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\\FolderTypeID",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:03:00,896",
        "eid": 3540,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\\InitFolderHandler",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:03:00,896",
        "eid": 3541,
        "data": {
          "regkey": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders\\Desktop",
          "content": "%USERPROFILE%\\Desktop"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:03:00,896",
        "eid": 3542,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{C4AA340D-F20F-4863-AFEF-F87EF2E6BA25}\\Category",
          "content": "3"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:03:00,896",
        "eid": 3543,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{C4AA340D-F20F-4863-AFEF-F87EF2E6BA25}\\Name",
          "content": "Common Desktop"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:03:00,896",
        "eid": 3544,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{C4AA340D-F20F-4863-AFEF-F87EF2E6BA25}\\ParentFolder",
          "content": "{DFDF76A2-C82A-4D63-906A-5644AC457385}"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:03:00,896",
        "eid": 3545,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{C4AA340D-F20F-4863-AFEF-F87EF2E6BA25}\\Description",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:03:00,896",
        "eid": 3546,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{C4AA340D-F20F-4863-AFEF-F87EF2E6BA25}\\RelativePath",
          "content": "Desktop"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:03:00,896",
        "eid": 3547,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{C4AA340D-F20F-4863-AFEF-F87EF2E6BA25}\\ParsingName",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:03:00,896",
        "eid": 3548,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{C4AA340D-F20F-4863-AFEF-F87EF2E6BA25}\\InfoTip",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:03:00,896",
        "eid": 3549,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{C4AA340D-F20F-4863-AFEF-F87EF2E6BA25}\\LocalizedName",
          "content": "@%SystemRoot%\\system32\\shell32.dll,-21799"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:03:00,896",
        "eid": 3550,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{C4AA340D-F20F-4863-AFEF-F87EF2E6BA25}\\Icon",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:03:00,896",
        "eid": 3551,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{C4AA340D-F20F-4863-AFEF-F87EF2E6BA25}\\Security",
          "content": "D:P(A;OICI;FA;;;BA)(A;OICI;0x1200a9;;;IU)(A;OICI;FA;;;SY)"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:03:00,896",
        "eid": 3552,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{C4AA340D-F20F-4863-AFEF-F87EF2E6BA25}\\StreamResource",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:03:00,896",
        "eid": 3553,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{C4AA340D-F20F-4863-AFEF-F87EF2E6BA25}\\StreamResourceType",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:03:00,896",
        "eid": 3554,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{C4AA340D-F20F-4863-AFEF-F87EF2E6BA25}\\LocalRedirectOnly",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:03:00,896",
        "eid": 3555,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{C4AA340D-F20F-4863-AFEF-F87EF2E6BA25}\\Roamable",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:03:00,896",
        "eid": 3556,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{C4AA340D-F20F-4863-AFEF-F87EF2E6BA25}\\PreCreate",
          "content": "1"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:03:00,896",
        "eid": 3557,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{C4AA340D-F20F-4863-AFEF-F87EF2E6BA25}\\Stream",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:03:00,896",
        "eid": 3558,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{C4AA340D-F20F-4863-AFEF-F87EF2E6BA25}\\PublishExpandedPath",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:03:00,896",
        "eid": 3559,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{C4AA340D-F20F-4863-AFEF-F87EF2E6BA25}\\DefinitionFlags",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:03:00,896",
        "eid": 3560,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{C4AA340D-F20F-4863-AFEF-F87EF2E6BA25}\\Attributes",
          "content": "3"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:03:00,896",
        "eid": 3561,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{C4AA340D-F20F-4863-AFEF-F87EF2E6BA25}\\FolderTypeID",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:03:00,896",
        "eid": 3562,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{C4AA340D-F20F-4863-AFEF-F87EF2E6BA25}\\InitFolderHandler",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:03:00,896",
        "eid": 3563,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders\\Common Desktop",
          "content": "%PUBLIC%\\Desktop"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:03:00,896",
        "eid": 3564,
        "data": {
          "file": "shell32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc76730000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:03:00,896",
        "eid": 3565,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:03:00,896",
        "eid": 3566,
        "data": {
          "file": "shell32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc76730000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:03:00,896",
        "eid": 3567,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:03:00,896",
        "eid": 3568,
        "data": {
          "file": "shell32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc76730000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:03:00,896",
        "eid": 3569,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:03:00,896",
        "eid": 3570,
        "data": {
          "file": "shell32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc76730000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:03:00,896",
        "eid": 3571,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:03:00,896",
        "eid": 3572,
        "data": {
          "file": "oleaut32.dll",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "findwindow",
        "object": "windowname",
        "timestamp": "2026-05-28 22:03:00,896",
        "eid": 3573,
        "data": {
          "classname": "Shell_TrayWnd",
          "windowname": ""
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:03:01,521",
        "eid": 3574,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:03:01,521",
        "eid": 3575,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:03:01,568",
        "eid": 3576,
        "data": {
          "file": "shell32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc76730000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:03:01,568",
        "eid": 3577,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:03:01,568",
        "eid": 3578,
        "data": {
          "file": "shell32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc76730000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:03:01,568",
        "eid": 3579,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:03:01,568",
        "eid": 3580,
        "data": {
          "file": "shell32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc76730000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:03:01,568",
        "eid": 3581,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:03:01,568",
        "eid": 3582,
        "data": {
          "file": "shell32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc76730000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:03:01,568",
        "eid": 3583,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:03:01,568",
        "eid": 3584,
        "data": {
          "file": "oleaut32.dll",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "findwindow",
        "object": "windowname",
        "timestamp": "2026-05-28 22:03:01,568",
        "eid": 3585,
        "data": {
          "classname": "Shell_TrayWnd",
          "windowname": ""
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:03:02,553",
        "eid": 3586,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:03:02,553",
        "eid": 3587,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:03:02,553",
        "eid": 3588,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:03:02,553",
        "eid": 3589,
        "data": {
          "regkey": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{528c102f-0000-0000-0000-300300000000}\\Generation",
          "content": "1"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:03:02,584",
        "eid": 3590,
        "data": {
          "file": "shell32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc76730000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:03:02,584",
        "eid": 3591,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:03:02,600",
        "eid": 3592,
        "data": {
          "file": "shell32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc76730000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:03:02,600",
        "eid": 3593,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:03:02,600",
        "eid": 3594,
        "data": {
          "file": "shell32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc76730000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:03:02,600",
        "eid": 3595,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:03:02,600",
        "eid": 3596,
        "data": {
          "file": "shell32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc76730000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:03:02,600",
        "eid": 3597,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:03:02,600",
        "eid": 3598,
        "data": {
          "file": "oleaut32.dll",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "findwindow",
        "object": "windowname",
        "timestamp": "2026-05-28 22:03:02,600",
        "eid": 3599,
        "data": {
          "classname": "Shell_TrayWnd",
          "windowname": ""
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:03:03,521",
        "eid": 3600,
        "data": {
          "file": "shell32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc76730000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:03:03,521",
        "eid": 3601,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:03:03,521",
        "eid": 3602,
        "data": {
          "file": "shell32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc76730000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:03:03,521",
        "eid": 3603,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:03:03,521",
        "eid": 3604,
        "data": {
          "file": "shell32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc76730000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:03:03,521",
        "eid": 3605,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:03:03,521",
        "eid": 3606,
        "data": {
          "file": "shell32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc76730000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:03:03,521",
        "eid": 3607,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:03:03,521",
        "eid": 3608,
        "data": {
          "file": "oleaut32.dll",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "findwindow",
        "object": "windowname",
        "timestamp": "2026-05-28 22:03:03,521",
        "eid": 3609,
        "data": {
          "classname": "Shell_TrayWnd",
          "windowname": ""
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:03:04,521",
        "eid": 3610,
        "data": {
          "file": "shell32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc76730000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:03:04,521",
        "eid": 3611,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:03:04,521",
        "eid": 3612,
        "data": {
          "file": "shell32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc76730000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:03:04,521",
        "eid": 3613,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:03:04,521",
        "eid": 3614,
        "data": {
          "file": "shell32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc76730000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:03:04,521",
        "eid": 3615,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:03:04,521",
        "eid": 3616,
        "data": {
          "file": "shell32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc76730000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:03:04,521",
        "eid": 3617,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:03:04,521",
        "eid": 3618,
        "data": {
          "file": "oleaut32.dll",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "findwindow",
        "object": "windowname",
        "timestamp": "2026-05-28 22:03:04,521",
        "eid": 3619,
        "data": {
          "classname": "Shell_TrayWnd",
          "windowname": ""
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:03:05,521",
        "eid": 3620,
        "data": {
          "file": "shell32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc76730000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:03:05,521",
        "eid": 3621,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:03:05,521",
        "eid": 3622,
        "data": {
          "file": "shell32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc76730000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:03:05,521",
        "eid": 3623,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:03:05,521",
        "eid": 3624,
        "data": {
          "file": "shell32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc76730000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:03:05,521",
        "eid": 3625,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:03:05,521",
        "eid": 3626,
        "data": {
          "file": "shell32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc76730000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:03:05,521",
        "eid": 3627,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:03:05,521",
        "eid": 3628,
        "data": {
          "file": "oleaut32.dll",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "findwindow",
        "object": "windowname",
        "timestamp": "2026-05-28 22:03:05,521",
        "eid": 3629,
        "data": {
          "classname": "Shell_TrayWnd",
          "windowname": ""
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:03:06,553",
        "eid": 3630,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:03:06,553",
        "eid": 3631,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:03:06,631",
        "eid": 3632,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:03:06,631",
        "eid": 3633,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "execute",
        "object": "file",
        "timestamp": "2026-05-28 22:02:02,223",
        "eid": 3634,
        "data": {
          "file": "\"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe\" --type=crashpad-handler \"--user-data-dir=C:\\Users\\admin\\AppData\\Local\\Microsoft\\Edge\\User Data\" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler \"--database=C:\\Users\\admin\\AppData\\Local\\Microsoft\\Edge\\User Data\\Crashpad\" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=148.0.7778.180 \"--annotation=exe=C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe\" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=148.0.3967.83 --initial-client-data=0x348,0x34c,0x350,0x344,0x358,0x7ffc32485d58,0x7ffc32485d64,0x7ffc32485d70"
        }
      },
      {
        "event": "execute",
        "object": "file",
        "timestamp": "2026-05-28 22:02:02,426",
        "eid": 3635,
        "data": {
          "file": "\"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe\" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --startup-read-main-dll --metrics-shmem-handle=2252,i,1852722750093770922,12337795973288601513,524288 --field-trial-handle=2464,i,11618049249894349634,12934656804764563957,262144 --variations-seed-version --pseudonymization-salt-handle=2472,i,15884246703223372676,9125995165493510780,4 --trace-process-track-uuid=3190708989122997041 --mojo-platform-channel-handle=2544 /prefetch:3"
        }
      },
      {
        "event": "execute",
        "object": "file",
        "timestamp": "2026-05-28 22:02:02,473",
        "eid": 3636,
        "data": {
          "file": "\"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe\" --type=gpu-process --gpu-preferences=SAAAAAAAAADgAAAEAAAAAAAAAAAAAGAAAQAAAAAAAAAAAAAAAAAAAAIAAAAAAAAAAAAAAAAAAAAQAAAAAAAAABAAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --startup-read-main-dll --metrics-shmem-handle=2148,i,10847598894621438095,12789521635842580643,262144 --field-trial-handle=2464,i,11618049249894349634,12934656804764563957,262144 --variations-seed-version --pseudonymization-salt-handle=2472,i,15884246703223372676,9125995165493510780,4 --trace-process-track-uuid=3190708988185955192 --mojo-platform-channel-handle=2460 /prefetch:2"
        }
      },
      {
        "event": "execute",
        "object": "file",
        "timestamp": "2026-05-28 22:02:02,473",
        "eid": 3637,
        "data": {
          "file": "\"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe\" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --startup-read-main-dll --metrics-shmem-handle=2712,i,12124658266742785438,6673008252034019867,524288 --field-trial-handle=2464,i,11618049249894349634,12934656804764563957,262144 --variations-seed-version --pseudonymization-salt-handle=2472,i,15884246703223372676,9125995165493510780,4 --trace-process-track-uuid=3190708990060038890 --mojo-platform-channel-handle=2552 /prefetch:8"
        }
      },
      {
        "event": "execute",
        "object": "file",
        "timestamp": "2026-05-28 22:02:02,613",
        "eid": 3638,
        "data": {
          "file": "\"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe\" --type=renderer --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale=en_AU --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --time-ticks-at-unix-epoch=-1780005649456729 --launch-time-ticks=73086337 --skip-read-main-dll --metrics-shmem-handle=3364,i,8287753549644527570,15394987965169516576,2097152 --field-trial-handle=2464,i,11618049249894349634,12934656804764563957,262144 --variations-seed-version --pseudonymization-salt-handle=2472,i,15884246703223372676,9125995165493510780,4 --trace-process-track-uuid=3190708990997080739 --mojo-platform-channel-handle=3564 /prefetch:1"
        }
      },
      {
        "event": "execute",
        "object": "file",
        "timestamp": "2026-05-28 22:02:02,613",
        "eid": 3639,
        "data": {
          "file": "\"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe\" --type=renderer --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale=en_AU --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --time-ticks-at-unix-epoch=-1780005649456729 --launch-time-ticks=73085097 --ssd-no-pressure-read-main-dll --metrics-shmem-handle=3520,i,12993274521700679940,8746294588575262201,2097152 --field-trial-handle=2464,i,11618049249894349634,12934656804764563957,262144 --variations-seed-version --pseudonymization-salt-handle=2472,i,15884246703223372676,9125995165493510780,4 --trace-process-track-uuid=3190708991934122588 --mojo-platform-channel-handle=3556 /prefetch:1"
        }
      },
      {
        "event": "execute",
        "object": "file",
        "timestamp": "2026-05-28 22:02:09,176",
        "eid": 3640,
        "data": {
          "file": "\"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe\" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --skip-read-main-dll --metrics-shmem-handle=5272,i,14100473808991986883,1552638804429653106,524288 --field-trial-handle=2464,i,11618049249894349634,12934656804764563957,262144 --variations-seed-version --pseudonymization-salt-handle=2472,i,15884246703223372676,9125995165493510780,4 --trace-process-track-uuid=3190708992871164437 --mojo-platform-channel-handle=5284 /prefetch:8"
        }
      },
      {
        "event": "execute",
        "object": "file",
        "timestamp": "2026-05-28 22:02:10,457",
        "eid": 3641,
        "data": {
          "file": "\"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe\" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-US --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --skip-read-main-dll --metrics-shmem-handle=5624,i,11759773399020994037,14274051796553512958,524288 --field-trial-handle=2464,i,11618049249894349634,12934656804764563957,262144 --variations-seed-version --pseudonymization-salt-handle=2472,i,15884246703223372676,9125995165493510780,4 --trace-process-track-uuid=3190708993808206286 --mojo-platform-channel-handle=5652 /prefetch:8"
        }
      },
      {
        "event": "execute",
        "object": "file",
        "timestamp": "2026-05-28 22:02:12,082",
        "eid": 3642,
        "data": {
          "file": "\"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\148.0.3967.83\\identity_helper.exe\" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=windows_package_identity --skip-read-main-dll --metrics-shmem-handle=5988,i,16463646965434194640,9756354988950792942,524288 --field-trial-handle=2464,i,11618049249894349634,12934656804764563957,262144 --variations-seed-version --pseudonymization-salt-handle=2472,i,15884246703223372676,9125995165493510780,4 --trace-process-track-uuid=3190708994745248135 --mojo-platform-channel-handle=6004 /prefetch:8"
        }
      },
      {
        "event": "execute",
        "object": "file",
        "timestamp": "2026-05-28 22:02:35,441",
        "eid": 3643,
        "data": {
          "file": "\"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe\" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --skip-read-main-dll --metrics-shmem-handle=5016,i,10489045321286890553,3537000843862549641,524288 --field-trial-handle=2464,i,11618049249894349634,12934656804764563957,262144 --variations-seed-version --pseudonymization-salt-handle=2472,i,15884246703223372676,9125995165493510780,4 --trace-process-track-uuid=3190708995682289984 --mojo-platform-channel-handle=5084 /prefetch:8"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:12,635",
        "eid": 3644,
        "data": {
          "file": "api-ms-win-core-fibers-l1-1-2",
          "pathtofile": null,
          "moduleaddress": "0x7ffc756b0000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:12,635",
        "eid": 3645,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:12,635",
        "eid": 3646,
        "data": {
          "file": "bcryptprimitives.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc75fa0000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:12,635",
        "eid": 3647,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:12,635",
        "eid": 3648,
        "data": {
          "file": "api-ms-win-core-localization-l1-2-1",
          "pathtofile": null,
          "moduleaddress": "0x7ffc756b0000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:12,635",
        "eid": 3649,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:12,635",
        "eid": 3650,
        "data": {
          "file": "kernel32",
          "pathtofile": null,
          "moduleaddress": "0x7ffc76030000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:12,635",
        "eid": 3651,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:12,635",
        "eid": 3652,
        "data": {
          "file": "kernel32.dll",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:12,635",
        "eid": 3653,
        "data": {
          "file": "api-ms-win-core-string-l1-1-0",
          "pathtofile": null,
          "moduleaddress": "0x7ffc756b0000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:12,635",
        "eid": 3654,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:12,635",
        "eid": 3655,
        "data": {
          "file": "api-ms-win-core-datetime-l1-1-1",
          "pathtofile": null,
          "moduleaddress": "0x7ffc756b0000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:12,635",
        "eid": 3656,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:12,635",
        "eid": 3657,
        "data": {
          "file": "api-ms-win-core-localization-obsolete-l1-2-0",
          "pathtofile": null,
          "moduleaddress": "0x7ffc756b0000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:12,635",
        "eid": 3658,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:12,635",
        "eid": 3659,
        "data": {
          "file": "bcryptprimitives.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc75fa0000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:12,635",
        "eid": 3660,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:12,635",
        "eid": 3661,
        "data": {
          "file": "kernel32.dll",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:12,635",
        "eid": 3662,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\EdgeUpdate\\Clients\\{56EB18F8-B008-4CBD-B6D2-8C97FE7E9062}\\channel",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:12,635",
        "eid": 3663,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\EdgeUpdate\\Clients\\{56EB18F8-B008-4CBD-B6D2-8C97FE7E9062}\\channel",
          "content": "stable"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:12,650",
        "eid": 3664,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\EdgeUpdate\\ClientState\\{56EB18F8-B008-4CBD-B6D2-8C97FE7E9062}\\ap",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:12,650",
        "eid": 3665,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\EdgeUpdate\\ClientState\\{56EB18F8-B008-4CBD-B6D2-8C97FE7E9062}\\cohort\\name",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:12,650",
        "eid": 3666,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\EdgeUpdate\\ClientState\\{56EB18F8-B008-4CBD-B6D2-8C97FE7E9062}\\cohort\\name",
          "content": ""
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:12,650",
        "eid": 3667,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\en-AU",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:12,650",
        "eid": 3668,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\ExtendedLocale\\en-AU",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:12,650",
        "eid": 3669,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\Sorting\\Versions\\000603xx",
          "content": "kernel32.dll"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:12,650",
        "eid": 3670,
        "data": {
          "file": "kernel32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc76030000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:12,650",
        "eid": 3671,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:12,650",
        "eid": 3672,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\Sorting\\Ids\\en-AU",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:12,650",
        "eid": 3673,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\Sorting\\Ids\\en",
          "content": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:12,666",
        "eid": 3674,
        "data": {
          "file": "kernel32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc76030000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:12,666",
        "eid": 3675,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:12,682",
        "eid": 3676,
        "data": {
          "file": "api-ms-win-core-file-l1-2-1.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc756b0000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:12,682",
        "eid": 3677,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:12,854",
        "eid": 3678,
        "data": {
          "file": "api-ms-win-core-fibers-l1-1-2",
          "pathtofile": null,
          "moduleaddress": "0x7ffc756b0000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:12,854",
        "eid": 3679,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:12,854",
        "eid": 3680,
        "data": {
          "file": "bcryptprimitives.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc75fa0000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:12,854",
        "eid": 3681,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:12,854",
        "eid": 3682,
        "data": {
          "file": "api-ms-win-core-localization-l1-2-1",
          "pathtofile": null,
          "moduleaddress": "0x7ffc756b0000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:12,854",
        "eid": 3683,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:12,854",
        "eid": 3684,
        "data": {
          "file": "kernel32.dll",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:12,854",
        "eid": 3685,
        "data": {
          "file": "kernel32",
          "pathtofile": null,
          "moduleaddress": "0x7ffc76030000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:12,854",
        "eid": 3686,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:12,854",
        "eid": 3687,
        "data": {
          "file": "api-ms-win-core-string-l1-1-0",
          "pathtofile": null,
          "moduleaddress": "0x7ffc756b0000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:12,854",
        "eid": 3688,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:12,854",
        "eid": 3689,
        "data": {
          "file": "api-ms-win-core-datetime-l1-1-1",
          "pathtofile": null,
          "moduleaddress": "0x7ffc756b0000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:12,854",
        "eid": 3690,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:12,854",
        "eid": 3691,
        "data": {
          "file": "api-ms-win-core-localization-obsolete-l1-2-0",
          "pathtofile": null,
          "moduleaddress": "0x7ffc756b0000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:12,854",
        "eid": 3692,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:12,854",
        "eid": 3693,
        "data": {
          "file": "ntdll.dll",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:12,854",
        "eid": 3694,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\OEM\\DeviceForm",
          "content": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:12,854",
        "eid": 3695,
        "data": {
          "file": "api-ms-win-downlevel-shell32-l1-1-0.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc775b0000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:12,854",
        "eid": 3696,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:12,854",
        "eid": 3697,
        "data": {
          "file": "ntdll.dll",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:12,854",
        "eid": 3698,
        "data": {
          "file": "kernel32.dll",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:12,854",
        "eid": 3699,
        "data": {
          "file": "bcryptprimitives.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc75fa0000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:12,854",
        "eid": 3700,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:12,854",
        "eid": 3701,
        "data": {
          "file": "kernel32.dll",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:12,885",
        "eid": 3702,
        "data": {
          "file": "api-ms-win-core-fibers-l1-1-2",
          "pathtofile": null,
          "moduleaddress": "0x7ffc756b0000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:12,885",
        "eid": 3703,
        "data": {
          "file": "bcryptprimitives.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc75fa0000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:12,885",
        "eid": 3704,
        "data": {
          "file": "api-ms-win-core-localization-l1-2-1",
          "pathtofile": null,
          "moduleaddress": "0x7ffc756b0000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:12,885",
        "eid": 3705,
        "data": {
          "file": "kernel32",
          "pathtofile": null,
          "moduleaddress": "0x7ffc76030000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:12,885",
        "eid": 3706,
        "data": {
          "file": "api-ms-win-core-string-l1-1-0",
          "pathtofile": null,
          "moduleaddress": "0x7ffc756b0000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:12,885",
        "eid": 3707,
        "data": {
          "file": "api-ms-win-core-datetime-l1-1-1",
          "pathtofile": null,
          "moduleaddress": "0x7ffc756b0000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:12,885",
        "eid": 3708,
        "data": {
          "file": "api-ms-win-core-localization-obsolete-l1-2-0",
          "pathtofile": null,
          "moduleaddress": "0x7ffc756b0000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:12,885",
        "eid": 3709,
        "data": {
          "file": "bcryptprimitives.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc75fa0000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:12,885",
        "eid": 3710,
        "data": {
          "file": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\148.0.3967.83\\msedge.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc1e940000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:12,885",
        "eid": 3711,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:12,885",
        "eid": 3712,
        "data": {
          "file": "ucrtbase.dll",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:12,885",
        "eid": 3713,
        "data": {
          "file": "ADVAPI32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc771e0000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:12,885",
        "eid": 3714,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:12,900",
        "eid": 3715,
        "data": {
          "file": "ntdll.dll",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:12,900",
        "eid": 3716,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\OEM\\DeviceForm",
          "content": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:12,900",
        "eid": 3717,
        "data": {
          "file": "USER32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc762a0000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:12,900",
        "eid": 3718,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:12,900",
        "eid": 3719,
        "data": {
          "file": "ntdll.dll",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:12,900",
        "eid": 3720,
        "data": {
          "file": "api-ms-win-core-wow64-l1-1-1.dll",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:12,900",
        "eid": 3721,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\UBR",
          "content": "3803"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:12,900",
        "eid": 3722,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\DisplayVersion",
          "content": "22H2"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:12,900",
        "eid": 3723,
        "data": {
          "file": "kernel32.dll",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:12,900",
        "eid": 3724,
        "data": {
          "file": "Kernel32.dll",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:12,900",
        "eid": 3725,
        "data": {
          "file": "kernel32.dll",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:12,916",
        "eid": 3726,
        "data": {
          "file": "C:\\Windows\\System32\\uxtheme.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc730a0000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:12,916",
        "eid": 3727,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:12,916",
        "eid": 3728,
        "data": {
          "file": "Kernel32.dll",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:12,916",
        "eid": 3729,
        "data": {
          "file": "shell32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc76730000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:12,916",
        "eid": 3730,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "write",
        "object": "file",
        "timestamp": "2026-05-28 22:02:12,932",
        "eid": 3731,
        "data": {
          "file": "\\Device\\NamedPipe\\LOCAL\\mojo.9188.10632.18297276111718467407"
        }
      },
      {
        "event": "read",
        "object": "file",
        "timestamp": "2026-05-28 22:02:12,932",
        "eid": 3732,
        "data": {
          "file": "\\Device\\NamedPipe\\LOCAL\\mojo.9188.10632.18297276111718467407"
        }
      },
      {
        "event": "write",
        "object": "file",
        "timestamp": "2026-05-28 22:02:12,932",
        "eid": 3733,
        "data": {
          "file": "\\Device\\NamedPipe\\LOCAL\\mojo.9188.10632.18297276111718467407"
        }
      },
      {
        "event": "read",
        "object": "file",
        "timestamp": "2026-05-28 22:02:12,932",
        "eid": 3734,
        "data": {
          "file": "\\Device\\NamedPipe\\LOCAL\\mojo.9188.10632.18297276111718467407"
        }
      },
      {
        "event": "write",
        "object": "file",
        "timestamp": "2026-05-28 22:02:12,932",
        "eid": 3735,
        "data": {
          "file": "\\Device\\NamedPipe\\LOCAL\\mojo.9188.10632.18297276111718467407"
        }
      },
      {
        "event": "read",
        "object": "file",
        "timestamp": "2026-05-28 22:02:12,932",
        "eid": 3736,
        "data": {
          "file": "\\Device\\NamedPipe\\LOCAL\\mojo.9188.10632.18297276111718467407"
        }
      },
      {
        "event": "write",
        "object": "file",
        "timestamp": "2026-05-28 22:02:12,932",
        "eid": 3737,
        "data": {
          "file": "\\Device\\NamedPipe\\LOCAL\\mojo.9188.10632.18297276111718467407"
        }
      },
      {
        "event": "read",
        "object": "file",
        "timestamp": "2026-05-28 22:02:12,932",
        "eid": 3738,
        "data": {
          "file": "\\Device\\NamedPipe\\LOCAL\\mojo.9188.10632.18297276111718467407"
        }
      },
      {
        "event": "write",
        "object": "file",
        "timestamp": "2026-05-28 22:02:12,932",
        "eid": 3739,
        "data": {
          "file": "\\Device\\NamedPipe\\LOCAL\\mojo.9188.10632.18297276111718467407"
        }
      },
      {
        "event": "read",
        "object": "file",
        "timestamp": "2026-05-28 22:02:12,932",
        "eid": 3740,
        "data": {
          "file": "\\Device\\NamedPipe\\LOCAL\\mojo.9188.10632.18297276111718467407"
        }
      },
      {
        "event": "write",
        "object": "file",
        "timestamp": "2026-05-28 22:02:12,932",
        "eid": 3741,
        "data": {
          "file": "\\Device\\NamedPipe\\LOCAL\\mojo.9188.10632.18297276111718467407"
        }
      },
      {
        "event": "write",
        "object": "file",
        "timestamp": "2026-05-28 22:02:12,932",
        "eid": 3742,
        "data": {
          "file": "\\Device\\NamedPipe\\LOCAL\\mojo.9188.10632.18297276111718467407"
        }
      },
      {
        "event": "read",
        "object": "file",
        "timestamp": "2026-05-28 22:02:12,932",
        "eid": 3743,
        "data": {
          "file": "\\Device\\NamedPipe\\LOCAL\\mojo.9188.10632.18297276111718467407"
        }
      },
      {
        "event": "write",
        "object": "file",
        "timestamp": "2026-05-28 22:02:12,932",
        "eid": 3744,
        "data": {
          "file": "\\Device\\NamedPipe\\LOCAL\\mojo.9188.10632.18297276111718467407"
        }
      },
      {
        "event": "read",
        "object": "file",
        "timestamp": "2026-05-28 22:02:12,932",
        "eid": 3745,
        "data": {
          "file": "\\Device\\NamedPipe\\LOCAL\\mojo.9188.10632.18297276111718467407"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:12,932",
        "eid": 3746,
        "data": {
          "file": "api-ms-win-core-winrt-l1-1-0.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc77b70000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:12,932",
        "eid": 3747,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:12,932",
        "eid": 3748,
        "data": {
          "file": "C:\\Windows\\system32\\rpcss.dll",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "write",
        "object": "file",
        "timestamp": "2026-05-28 22:02:12,932",
        "eid": 3749,
        "data": {
          "file": "\\Device\\NamedPipe\\LOCAL\\mojo.9188.10632.18297276111718467407"
        }
      },
      {
        "event": "read",
        "object": "file",
        "timestamp": "2026-05-28 22:02:12,932",
        "eid": 3750,
        "data": {
          "file": "\\Device\\NamedPipe\\LOCAL\\mojo.9188.10632.18297276111718467407"
        }
      },
      {
        "event": "write",
        "object": "file",
        "timestamp": "2026-05-28 22:02:12,932",
        "eid": 3751,
        "data": {
          "file": "\\Device\\NamedPipe\\LOCAL\\mojo.9188.10632.18297276111718467407"
        }
      },
      {
        "event": "read",
        "object": "file",
        "timestamp": "2026-05-28 22:02:12,932",
        "eid": 3752,
        "data": {
          "file": "\\Device\\NamedPipe\\LOCAL\\mojo.9188.10632.18297276111718467407"
        }
      },
      {
        "event": "write",
        "object": "file",
        "timestamp": "2026-05-28 22:02:12,932",
        "eid": 3753,
        "data": {
          "file": "\\Device\\NamedPipe\\LOCAL\\mojo.9188.10632.18297276111718467407"
        }
      },
      {
        "event": "read",
        "object": "file",
        "timestamp": "2026-05-28 22:02:12,932",
        "eid": 3754,
        "data": {
          "file": "\\Device\\NamedPipe\\LOCAL\\mojo.9188.10632.18297276111718467407"
        }
      },
      {
        "event": "write",
        "object": "file",
        "timestamp": "2026-05-28 22:02:12,932",
        "eid": 3755,
        "data": {
          "file": "\\Device\\NamedPipe\\LOCAL\\mojo.9188.10632.18297276111718467407"
        }
      },
      {
        "event": "write",
        "object": "file",
        "timestamp": "2026-05-28 22:02:12,932",
        "eid": 3756,
        "data": {
          "file": "\\Device\\NamedPipe\\LOCAL\\mojo.9188.10632.18297276111718467407"
        }
      },
      {
        "event": "read",
        "object": "file",
        "timestamp": "2026-05-28 22:02:12,932",
        "eid": 3757,
        "data": {
          "file": "\\Device\\NamedPipe\\LOCAL\\mojo.9188.10632.18297276111718467407"
        }
      },
      {
        "event": "write",
        "object": "file",
        "timestamp": "2026-05-28 22:02:12,932",
        "eid": 3758,
        "data": {
          "file": "\\Device\\NamedPipe\\LOCAL\\mojo.9188.10632.18297276111718467407"
        }
      },
      {
        "event": "read",
        "object": "file",
        "timestamp": "2026-05-28 22:02:12,932",
        "eid": 3759,
        "data": {
          "file": "\\Device\\NamedPipe\\LOCAL\\mojo.9188.10632.18297276111718467407"
        }
      },
      {
        "event": "write",
        "object": "file",
        "timestamp": "2026-05-28 22:02:12,932",
        "eid": 3760,
        "data": {
          "file": "\\Device\\NamedPipe\\LOCAL\\mojo.9188.10632.18297276111718467407"
        }
      },
      {
        "event": "read",
        "object": "file",
        "timestamp": "2026-05-28 22:02:12,932",
        "eid": 3761,
        "data": {
          "file": "\\Device\\NamedPipe\\LOCAL\\mojo.9188.10632.18297276111718467407"
        }
      },
      {
        "event": "write",
        "object": "file",
        "timestamp": "2026-05-28 22:02:12,932",
        "eid": 3762,
        "data": {
          "file": "\\Device\\NamedPipe\\LOCAL\\mojo.9188.10632.18297276111718467407"
        }
      },
      {
        "event": "write",
        "object": "file",
        "timestamp": "2026-05-28 22:02:12,932",
        "eid": 3763,
        "data": {
          "file": "\\Device\\NamedPipe\\LOCAL\\mojo.9188.10632.18297276111718467407"
        }
      },
      {
        "event": "write",
        "object": "file",
        "timestamp": "2026-05-28 22:02:12,932",
        "eid": 3764,
        "data": {
          "file": "\\Device\\NamedPipe\\LOCAL\\mojo.9188.10632.18297276111718467407"
        }
      },
      {
        "event": "write",
        "object": "file",
        "timestamp": "2026-05-28 22:02:12,932",
        "eid": 3765,
        "data": {
          "file": "\\Device\\NamedPipe\\LOCAL\\mojo.9188.10632.18297276111718467407"
        }
      },
      {
        "event": "write",
        "object": "file",
        "timestamp": "2026-05-28 22:02:12,932",
        "eid": 3766,
        "data": {
          "file": "\\Device\\NamedPipe\\LOCAL\\mojo.9188.10632.18297276111718467407"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:12,947",
        "eid": 3767,
        "data": {
          "regkey": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Themes\\Personalize\\AppsUseLightTheme",
          "content": "1"
        }
      },
      {
        "event": "write",
        "object": "file",
        "timestamp": "2026-05-28 22:02:12,947",
        "eid": 3768,
        "data": {
          "file": "\\Device\\NamedPipe\\LOCAL\\mojo.9188.10632.18297276111718467407"
        }
      },
      {
        "event": "write",
        "object": "file",
        "timestamp": "2026-05-28 22:02:12,947",
        "eid": 3769,
        "data": {
          "file": "\\Device\\NamedPipe\\LOCAL\\mojo.9188.10632.18297276111718467407"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:12,947",
        "eid": 3770,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\en-US",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:12,947",
        "eid": 3771,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\ExtendedLocale\\en-US",
          "content": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:12,947",
        "eid": 3772,
        "data": {
          "file": "ntdll.dll",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "read",
        "object": "file",
        "timestamp": "2026-05-28 22:02:13,854",
        "eid": 3773,
        "data": {
          "file": "\\Device\\NamedPipe\\LOCAL\\mojo.9188.10632.18297276111718467407"
        }
      },
      {
        "event": "read",
        "object": "file",
        "timestamp": "2026-05-28 22:02:13,854",
        "eid": 3774,
        "data": {
          "file": "\\Device\\NamedPipe\\LOCAL\\mojo.9188.10632.18297276111718467407"
        }
      },
      {
        "event": "write",
        "object": "file",
        "timestamp": "2026-05-28 22:02:13,854",
        "eid": 3775,
        "data": {
          "file": "\\Device\\NamedPipe\\LOCAL\\mojo.9188.10632.18297276111718467407"
        }
      },
      {
        "event": "read",
        "object": "file",
        "timestamp": "2026-05-28 22:02:13,854",
        "eid": 3776,
        "data": {
          "file": "\\Device\\NamedPipe\\LOCAL\\mojo.9188.10632.18297276111718467407"
        }
      },
      {
        "event": "read",
        "object": "file",
        "timestamp": "2026-05-28 22:02:13,854",
        "eid": 3777,
        "data": {
          "file": "\\Device\\NamedPipe\\LOCAL\\mojo.9188.10632.18297276111718467407"
        }
      },
      {
        "event": "write",
        "object": "file",
        "timestamp": "2026-05-28 22:02:13,854",
        "eid": 3778,
        "data": {
          "file": "\\Device\\NamedPipe\\LOCAL\\mojo.9188.10632.18297276111718467407"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:13,854",
        "eid": 3779,
        "data": {
          "file": "api-ms-win-core-winrt-string-l1-1-0.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc77b70000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:13,854",
        "eid": 3780,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:13,854",
        "eid": 3781,
        "data": {
          "file": "combase.dll",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:13,854",
        "eid": 3782,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\COM3\\Com+Enabled",
          "content": "1"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:13,854",
        "eid": 3783,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.UI.Notifications.ToastNotificationManager\\ActivationType",
          "content": "0"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:13,854",
        "eid": 3784,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.UI.Notifications.ToastNotificationManager\\Server",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:13,854",
        "eid": 3785,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.UI.Notifications.ToastNotificationManager\\DllPath",
          "content": "C:\\Windows\\System32\\wpnapps.dll"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:13,854",
        "eid": 3786,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.UI.Notifications.ToastNotificationManager\\Threading",
          "content": "2"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:13,854",
        "eid": 3787,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.UI.Notifications.ToastNotificationManager\\TrustLevel",
          "content": "1"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:13,854",
        "eid": 3788,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.UI.Notifications.ToastNotificationManager\\RemoteServer",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:13,854",
        "eid": 3789,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.UI.Notifications.ToastNotificationManager\\ActivateAsUser",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:13,854",
        "eid": 3790,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.UI.Notifications.ToastNotificationManager\\ActivateInSharedBroker",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:13,854",
        "eid": 3791,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.UI.Notifications.ToastNotificationManager\\ActivateInBrokerForMediumILContainer",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:13,854",
        "eid": 3792,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.UI.Notifications.ToastNotificationManager\\Permissions",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:13,854",
        "eid": 3793,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.UI.Notifications.ToastNotificationManager\\Permissions",
          "content": "\\x01\\x00\\x14\\x80$\\x01\\x00\\x000\\x01\\x00\\x00\\x14\\x00\\x00\\x000\\x00\\x00\\x00\\x02\\x00\\x1c\\x00\\x01\\x00\\x00\\x00\\x11\\x00\\x14\\x00\\x04\\x00\\x00\\x00\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x10\\x00\\x00\\x02\\x00\\xf4\\x00\\x07\\x00\\x00\\x00\\x00\\x00\\x14\\x00\\x0b\\x00\\x00\\x00\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x05\n\\x00\\x00\\x00\\x00\\x00\\x14\\x00\\x0b\\x00\\x00\\x00\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x05\\x12\\x00\\x00\\x00\\x00\\x00\\x14\\x00\\x0b\\x00\\x00\\x00\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x05\\x13\\x00\\x00\\x00\\x00\\x00\\x14\\x00\\x0b\\x00\\x00\\x00\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x05\\x14\\x00\\x00\\x00\\x00\\x00\\x18\\x00\\x0b\\x00\\x00\\x00\\x01\\x02\\x00\\x00\\x00\\x00\\x00\\x0f\\x02\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x008\\x00\\x0b\\x00\\x00\\x00\\x01\n\\x00\\x00\\x00\\x00\\x00\\x0f\\x03\\x00\\x00\\x00\\x00\\x04\\x00\\x00\\xceJ\\x93Y\\xb9\\xcf\\x0buu\\xc0\\xf2\\x9b\\xb2\\xb4\\xc2\\x98\\xd4F\\xdd\\xf9\\x02z\\x87\\xec\\x14e\\x11w\\xd6\\xe9\\x96U\t\\x00L\\x00\\x0b\\x00\\x00\\x00\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x05\\x04\\x00\\x00\\x00artx\\xf8.\\x00\\x00\\x00W\\x00I\\x00N\\x00:\\x00/\\x00/\\x00I\\x00S\\x00M\\x00U\\x00L\\x00T\\x00I\\x00S\\x00E\\x00S\\x00S\\x00I\\x00O\\x00N\\x00S\\x00K\\x00U\\x00\\xa2\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x05\\x12\\x00\\x00\\x00\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x05\\x12\\x00\\x00\\x00"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:13,854",
        "eid": 3794,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.UI.Notifications.ToastNotificationManager\\ActivateOnHostFlags",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:13,854",
        "eid": 3795,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Ole\\MaxSxSHashCount",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "file",
        "timestamp": "2026-05-28 22:02:13,885",
        "eid": 3796,
        "data": {
          "file": "\\Device\\NamedPipe\\LOCAL\\mojo.9188.10632.18297276111718467407"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:13,885",
        "eid": 3797,
        "data": {
          "file": "C:\\Windows\\System32\\wpnapps.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc60e20000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:13,885",
        "eid": 3798,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:13,885",
        "eid": 3799,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Appx\\AllowDevelopmentWithoutDevLicense",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:13,885",
        "eid": 3800,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModelUnlock\\AllowDevelopmentWithoutDevLicense",
          "content": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:13,885",
        "eid": 3801,
        "data": {
          "file": "ntdll.dll",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:13,885",
        "eid": 3802,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Ole\\AppCompat\\RaiseActivationAuthenticationLevel",
          "content": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:13,885",
        "eid": 3803,
        "data": {
          "file": "ntdll.dll",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:13,885",
        "eid": 3804,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Ole\\AppCompat\\RaiseDefaultAuthnLevel",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:13,885",
        "eid": 3805,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Ole\\DefaultAccessPermission",
          "content": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:13,885",
        "eid": 3806,
        "data": {
          "file": "C:\\Windows\\system32\\rpcss.dll",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:13,885",
        "eid": 3807,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{00000134-0000-0000-C000-000000000046}\\ProxyStubClsid32\\(Default)",
          "content": "{00000320-0000-0000-C000-000000000046}"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:13,885",
        "eid": 3808,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Rpc\\Extensions\\NdrOleExtDLL",
          "content": "combase.dll"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:13,885",
        "eid": 3809,
        "data": {
          "file": "combase.dll",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:13,885",
        "eid": 3810,
        "data": {
          "file": "combase.dll",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:13,900",
        "eid": 3811,
        "data": {
          "file": "combase.dll",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:13,900",
        "eid": 3812,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{E1CDD77A-65D3-4db0-B339-21F6A48CC2FF}\\ProxyStubClsid32\\(Default)",
          "content": "{00000320-0000-0000-C000-000000000046}"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:13,900",
        "eid": 3813,
        "data": {
          "file": "combase.dll",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:13,916",
        "eid": 3814,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{00000035-0000-0000-C000-000000000046}\\ProxyStubClsid32\\(Default)",
          "content": "{00000320-0000-0000-C000-000000000046}"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:13,916",
        "eid": 3815,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{AF86E2E0-B12D-4c6a-9C5A-D7AA65101E90}\\ProxyStubClsid32\\(Default)",
          "content": "{00000320-0000-0000-C000-000000000046}"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:13,916",
        "eid": 3816,
        "data": {
          "file": "combase.dll",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:13,916",
        "eid": 3817,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{50ac103f-d235-4598-bbef-98fe4d1a3ad4}\\ProxyStubClsid32\\(Default)",
          "content": "{6db7cd52-e3b7-4ecc-bb1f-388aeef6bb50}"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:13,916",
        "eid": 3818,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{6db7cd52-e3b7-4ecc-bb1f-388aeef6bb50}\\ActivateOnHostFlags",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:13,916",
        "eid": 3819,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{6db7cd52-e3b7-4ecc-bb1f-388aeef6bb50}\\(Default)",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:13,916",
        "eid": 3820,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{6db7cd52-e3b7-4ecc-bb1f-388aeef6bb50}\\(Default)",
          "content": "Windows Push Notification Developer Proxy Stub"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:13,916",
        "eid": 3821,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{6db7cd52-e3b7-4ecc-bb1f-388aeef6bb50}\\InProcServer32\\InprocServer32",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:13,916",
        "eid": 3822,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{6db7cd52-e3b7-4ecc-bb1f-388aeef6bb50}\\InProcServer32\\(Default)",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:13,916",
        "eid": 3823,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{6db7cd52-e3b7-4ecc-bb1f-388aeef6bb50}\\InProcServer32\\(Default)",
          "content": "%SystemRoot%\\System32\\wpnapps.dll"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:13,916",
        "eid": 3824,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{6db7cd52-e3b7-4ecc-bb1f-388aeef6bb50}\\InProcServer32\\ThreadingModel",
          "content": "Both"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:13,916",
        "eid": 3825,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{6db7cd52-e3b7-4ecc-bb1f-388aeef6bb50}\\ActivateOnHostFlags",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:13,916",
        "eid": 3826,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{6db7cd52-e3b7-4ecc-bb1f-388aeef6bb50}\\(Default)",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:13,916",
        "eid": 3827,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{6db7cd52-e3b7-4ecc-bb1f-388aeef6bb50}\\(Default)",
          "content": "Windows Push Notification Developer Proxy Stub"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:13,916",
        "eid": 3828,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{6db7cd52-e3b7-4ecc-bb1f-388aeef6bb50}\\InProcServer32\\InprocServer32",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:13,916",
        "eid": 3829,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{6db7cd52-e3b7-4ecc-bb1f-388aeef6bb50}\\InProcServer32\\(Default)",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:13,916",
        "eid": 3830,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{6db7cd52-e3b7-4ecc-bb1f-388aeef6bb50}\\InProcServer32\\(Default)",
          "content": "%SystemRoot%\\System32\\wpnapps.dll"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:13,916",
        "eid": 3831,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{6db7cd52-e3b7-4ecc-bb1f-388aeef6bb50}\\InProcServer32\\ThreadingModel",
          "content": "Both"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:13,916",
        "eid": 3832,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{6db7cd52-e3b7-4ecc-bb1f-388aeef6bb50}\\AppID",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:13,916",
        "eid": 3833,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{7ab93c52-0e48-4750-ba9d-1a4113981847}\\ProxyStubClsid32\\(Default)",
          "content": "{6db7cd52-e3b7-4ecc-bb1f-388aeef6bb50}"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:13,916",
        "eid": 3834,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{5caddc63-01d3-4c97-986f-0533483fee14}\\ProxyStubClsid32\\(Default)",
          "content": "{6db7cd52-e3b7-4ecc-bb1f-388aeef6bb50}"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:13,916",
        "eid": 3835,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{3bc3d253-2f31-4092-9129-8ad5abf067da}\\ProxyStubClsid32\\(Default)",
          "content": "{6db7cd52-e3b7-4ecc-bb1f-388aeef6bb50}"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:13,932",
        "eid": 3836,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{0c9281f9-6da1-4006-8729-de6e6b61581c}\\ActivateOnHostFlags",
          "content": "1"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:13,932",
        "eid": 3837,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{0c9281f9-6da1-4006-8729-de6e6b61581c}\\(Default)",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:13,932",
        "eid": 3838,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{0c9281f9-6da1-4006-8729-de6e6b61581c}\\(Default)",
          "content": "Windows Push Notification Platform"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:13,932",
        "eid": 3839,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Containers\\WaitForRestore",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:13,932",
        "eid": 3840,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Ole\\ActivateOnHostFlags",
          "content": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:13,932",
        "eid": 3841,
        "data": {
          "file": "combase.dll",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:13,932",
        "eid": 3842,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Ole\\MaximumAllowedAllocationSize",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:13,932",
        "eid": 3843,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{DF8E9480-CA73-448E-B8F0-DA000F581428}\\ProxyStubClsid32\\(Default)",
          "content": "{95E15D0A-66E6-93D9-C53C-76E6219D3341}"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:13,932",
        "eid": 3844,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\\ActivateOnHostFlags",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:13,932",
        "eid": 3845,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\\(Default)",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:13,932",
        "eid": 3846,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\\(Default)",
          "content": "PSFactoryBuffer"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:13,932",
        "eid": 3847,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\\InProcServer32\\InprocServer32",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:13,932",
        "eid": 3848,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\\InProcServer32\\(Default)",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:13,932",
        "eid": 3849,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\\InProcServer32\\(Default)",
          "content": "C:\\Windows\\System32\\OneCoreUAPCommonProxyStub.dll"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:13,932",
        "eid": 3850,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\\InProcServer32\\ThreadingModel",
          "content": "Both"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:13,932",
        "eid": 3851,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\\ActivateOnHostFlags",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:13,932",
        "eid": 3852,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\\(Default)",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:13,932",
        "eid": 3853,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\\(Default)",
          "content": "PSFactoryBuffer"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:13,932",
        "eid": 3854,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\\InProcServer32\\InprocServer32",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:13,932",
        "eid": 3855,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\\InProcServer32\\(Default)",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:13,932",
        "eid": 3856,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\\InProcServer32\\(Default)",
          "content": "C:\\Windows\\System32\\OneCoreUAPCommonProxyStub.dll"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:13,932",
        "eid": 3857,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\\InProcServer32\\ThreadingModel",
          "content": "Both"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:13,932",
        "eid": 3858,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\\AppID",
          "content": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:13,932",
        "eid": 3859,
        "data": {
          "file": "C:\\Windows\\System32\\OneCoreUAPCommonProxyStub.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc6f400000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:13,932",
        "eid": 3860,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:13,932",
        "eid": 3861,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{DCAEE35A-508D-4419-9E56-50D658C2C812}\\ProxyStubClsid32\\(Default)",
          "content": "{95E15D0A-66E6-93D9-C53C-76E6219D3341}"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:13,932",
        "eid": 3862,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{926516E8-D891-45BC-9DE5-6959FB8ECAC5}\\ProxyStubClsid32\\(Default)",
          "content": "{95E15D0A-66E6-93D9-C53C-76E6219D3341}"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:13,932",
        "eid": 3863,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{a819f3de-60aa-5159-8407-f0a7fb1f6832}\\ProxyStubClsid32\\(Default)",
          "content": "{6db7cd52-e3b7-4ecc-bb1f-388aeef6bb50}"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:13,947",
        "eid": 3864,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{D6F5F569-D40D-407C-8989-88CAB42CFD14}\\ProxyStubClsid32\\(Default)",
          "content": "{6db7cd52-e3b7-4ecc-bb1f-388aeef6bb50}"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:13,947",
        "eid": 3865,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{79ab57f6-43fe-487b-8a7f-99567200ae94}\\ProxyStubClsid32\\(Default)",
          "content": "{6db7cd52-e3b7-4ecc-bb1f-388aeef6bb50}"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:13,963",
        "eid": 3866,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{679C64B7-81AB-42C2-8819-C958767753F4}\\ProxyStubClsid32\\(Default)",
          "content": "{6db7cd52-e3b7-4ecc-bb1f-388aeef6bb50}"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:13,963",
        "eid": 3867,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{F655B052-348B-4AB0-947B-A7DAFA44D404}\\ProxyStubClsid32\\(Default)",
          "content": "{95E15D0A-66E6-93D9-C53C-76E6219D3341}"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:13,963",
        "eid": 3868,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{58058629-16A1-438A-90C8-7E954B3734B1}\\ProxyStubClsid32\\(Default)",
          "content": "{95E15D0A-66E6-93D9-C53C-76E6219D3341}"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:13,963",
        "eid": 3869,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{23EB7394-4610-4807-BAEC-9A72F86FFA0B}\\ProxyStubClsid32\\(Default)",
          "content": "{95E15D0A-66E6-93D9-C53C-76E6219D3341}"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:13,963",
        "eid": 3870,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{2A1821FE-179D-49BC-B79D-A527920D3665}\\ProxyStubClsid32\\(Default)",
          "content": "{6db7cd52-e3b7-4ecc-bb1f-388aeef6bb50}"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:13,963",
        "eid": 3871,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Foundation.Diagnostics.AsyncCausalityTracer\\ActivationType",
          "content": "0"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:13,963",
        "eid": 3872,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Foundation.Diagnostics.AsyncCausalityTracer\\Server",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:13,963",
        "eid": 3873,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Foundation.Diagnostics.AsyncCausalityTracer\\DllPath",
          "content": "C:\\Windows\\System32\\combase.dll"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:13,963",
        "eid": 3874,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Foundation.Diagnostics.AsyncCausalityTracer\\Threading",
          "content": "0"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:13,963",
        "eid": 3875,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Foundation.Diagnostics.AsyncCausalityTracer\\TrustLevel",
          "content": "0"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:13,963",
        "eid": 3876,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Foundation.Diagnostics.AsyncCausalityTracer\\RemoteServer",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:13,963",
        "eid": 3877,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Foundation.Diagnostics.AsyncCausalityTracer\\ActivateAsUser",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:13,963",
        "eid": 3878,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Foundation.Diagnostics.AsyncCausalityTracer\\ActivateInSharedBroker",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:13,963",
        "eid": 3879,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Foundation.Diagnostics.AsyncCausalityTracer\\ActivateInBrokerForMediumILContainer",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:13,963",
        "eid": 3880,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Foundation.Diagnostics.AsyncCausalityTracer\\Permissions",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:13,963",
        "eid": 3881,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Foundation.Diagnostics.AsyncCausalityTracer\\ActivateOnHostFlags",
          "content": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:13,963",
        "eid": 3882,
        "data": {
          "file": "C:\\Windows\\System32\\combase.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc77b70000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:13,963",
        "eid": 3883,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:13,963",
        "eid": 3884,
        "data": {
          "file": "ole32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc76f60000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:13,963",
        "eid": 3885,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "write",
        "object": "file",
        "timestamp": "2026-05-28 22:02:13,963",
        "eid": 3886,
        "data": {
          "file": "\\Device\\NamedPipe\\LOCAL\\mojo.9188.10632.18297276111718467407"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:13,963",
        "eid": 3887,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.ApplicationModel.Background.BackgroundExecutionManager\\ActivationType",
          "content": "0"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:13,963",
        "eid": 3888,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.ApplicationModel.Background.BackgroundExecutionManager\\Server",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:13,963",
        "eid": 3889,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.ApplicationModel.Background.BackgroundExecutionManager\\DllPath",
          "content": "C:\\Windows\\System32\\execmodelclient.dll"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:13,963",
        "eid": 3890,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.ApplicationModel.Background.BackgroundExecutionManager\\Threading",
          "content": "0"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:13,963",
        "eid": 3891,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.ApplicationModel.Background.BackgroundExecutionManager\\TrustLevel",
          "content": "1"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:13,963",
        "eid": 3892,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.ApplicationModel.Background.BackgroundExecutionManager\\RemoteServer",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:13,963",
        "eid": 3893,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.ApplicationModel.Background.BackgroundExecutionManager\\ActivateAsUser",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:13,963",
        "eid": 3894,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.ApplicationModel.Background.BackgroundExecutionManager\\ActivateInSharedBroker",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:13,963",
        "eid": 3895,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.ApplicationModel.Background.BackgroundExecutionManager\\ActivateInBrokerForMediumILContainer",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:13,963",
        "eid": 3896,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.ApplicationModel.Background.BackgroundExecutionManager\\Permissions",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:13,963",
        "eid": 3897,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.ApplicationModel.Background.BackgroundExecutionManager\\ActivateOnHostFlags",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "file",
        "timestamp": "2026-05-28 22:02:13,979",
        "eid": 3898,
        "data": {
          "file": "\\Device\\NamedPipe\\LOCAL\\mojo.9188.10632.18297276111718467407"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:13,979",
        "eid": 3899,
        "data": {
          "file": "C:\\Windows\\System32\\execmodelclient.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc63990000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:13,979",
        "eid": 3900,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:13,994",
        "eid": 3901,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{C5543B33-5C73-4DC5-9211-24077D3B06C5}\\ProxyStubClsid32\\(Default)",
          "content": "{95E15D0A-66E6-93D9-C53C-76E6219D3341}"
        }
      },
      {
        "event": "write",
        "object": "file",
        "timestamp": "2026-05-28 22:02:13,994",
        "eid": 3902,
        "data": {
          "file": "\\Device\\NamedPipe\\LOCAL\\mojo.9188.10632.18297276111718467407"
        }
      },
      {
        "event": "write",
        "object": "file",
        "timestamp": "2026-05-28 22:02:13,994",
        "eid": 3903,
        "data": {
          "file": "\\Device\\NamedPipe\\LOCAL\\mojo.9188.10632.18297276111718467407"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:13,994",
        "eid": 3904,
        "data": {
          "file": "C:\\Windows\\System32\\twinapi.appcore.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc6ff20000"
        }
      },
      {
        "event": "write",
        "object": "file",
        "timestamp": "2026-05-28 22:02:13,994",
        "eid": 3905,
        "data": {
          "file": "\\Device\\NamedPipe\\LOCAL\\mojo.9188.10632.18297276111718467407"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:13,994",
        "eid": 3906,
        "data": {
          "file": "C:\\Windows\\System32\\OneCoreCommonProxyStub.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc66790000"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:13,994",
        "eid": 3907,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{428D4DDD-3462-43DF-9395-1EFF13AE7A4B}\\ProxyStubClsid32\\(Default)",
          "content": "{b03c2205-f02e-4d77-80df-e1747afdd39c}"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:13,994",
        "eid": 3908,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{b03c2205-f02e-4d77-80df-e1747afdd39c}\\ActivateOnHostFlags",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:13,994",
        "eid": 3909,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{b03c2205-f02e-4d77-80df-e1747afdd39c}\\(Default)",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:13,994",
        "eid": 3910,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{b03c2205-f02e-4d77-80df-e1747afdd39c}\\(Default)",
          "content": "ExecModelProxy"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:13,994",
        "eid": 3911,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{b03c2205-f02e-4d77-80df-e1747afdd39c}\\InprocServer32\\InprocServer32",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:13,994",
        "eid": 3912,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{b03c2205-f02e-4d77-80df-e1747afdd39c}\\InprocServer32\\(Default)",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:13,994",
        "eid": 3913,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{b03c2205-f02e-4d77-80df-e1747afdd39c}\\InprocServer32\\(Default)",
          "content": "%systemroot%\\system32\\execmodelproxy.dll"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:13,994",
        "eid": 3914,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{b03c2205-f02e-4d77-80df-e1747afdd39c}\\InprocServer32\\ThreadingModel",
          "content": "Both"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:13,994",
        "eid": 3915,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{b03c2205-f02e-4d77-80df-e1747afdd39c}\\ActivateOnHostFlags",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:13,994",
        "eid": 3916,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{b03c2205-f02e-4d77-80df-e1747afdd39c}\\(Default)",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:13,994",
        "eid": 3917,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{b03c2205-f02e-4d77-80df-e1747afdd39c}\\(Default)",
          "content": "ExecModelProxy"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:13,994",
        "eid": 3918,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{b03c2205-f02e-4d77-80df-e1747afdd39c}\\InprocServer32\\InprocServer32",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:13,994",
        "eid": 3919,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{b03c2205-f02e-4d77-80df-e1747afdd39c}\\InprocServer32\\(Default)",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:13,994",
        "eid": 3920,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{b03c2205-f02e-4d77-80df-e1747afdd39c}\\InprocServer32\\(Default)",
          "content": "%systemroot%\\system32\\execmodelproxy.dll"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:13,994",
        "eid": 3921,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{b03c2205-f02e-4d77-80df-e1747afdd39c}\\InprocServer32\\ThreadingModel",
          "content": "Both"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:13,994",
        "eid": 3922,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{b03c2205-f02e-4d77-80df-e1747afdd39c}\\AppID",
          "content": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:14,010",
        "eid": 3923,
        "data": {
          "file": "C:\\Windows\\System32\\execmodelproxy.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc614e0000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:14,010",
        "eid": 3924,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,010",
        "eid": 3925,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\Privacy\\LetAppsRunInBackground_UserInControlOfTheseApps\\PolicyType",
          "content": "1"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,010",
        "eid": 3926,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\Privacy\\LetAppsRunInBackground_UserInControlOfTheseApps\\Behavior",
          "content": "139296"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,010",
        "eid": 3927,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\Privacy\\LetAppsRunInBackground_UserInControlOfTheseApps\\MergeAlgorithm",
          "content": "3"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,010",
        "eid": 3928,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\Privacy\\LetAppsRunInBackground_UserInControlOfTheseApps\\RegKeyPathRedirectMapped",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,010",
        "eid": 3929,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\Privacy\\LetAppsRunInBackground_UserInControlOfTheseApps\\RegKeyPathRedirect",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,010",
        "eid": 3930,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\Privacy\\LetAppsRunInBackground_UserInControlOfTheseApps\\grouppolicyname",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,010",
        "eid": 3931,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\Privacy\\LetAppsRunInBackground_UserInControlOfTheseApps\\grouppolicyname",
          "content": "LetAppsRunInBackground_UserInControlOfTheseApps"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,010",
        "eid": 3932,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\Privacy\\LetAppsRunInBackground_UserInControlOfTheseApps\\grouppolicypath",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,010",
        "eid": 3933,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\Privacy\\LetAppsRunInBackground_UserInControlOfTheseApps\\grouppolicypath",
          "content": "Software\\Policies\\Microsoft\\Windows\\AppPrivacy"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,010",
        "eid": 3934,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\Privacy\\LetAppsRunInBackground_UserInControlOfTheseApps\\grouppolicyismultisz",
          "content": "1"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,010",
        "eid": 3935,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\Privacy\\LetAppsRunInBackground_UserInControlOfTheseApps\\grouppolicymultiszSeparatorChar",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,010",
        "eid": 3936,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\Privacy\\LetAppsRunInBackground_UserInControlOfTheseApps\\ADMXMetadataUser",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,010",
        "eid": 3937,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\Privacy\\LetAppsRunInBackground_UserInControlOfTheseApps\\ADMXMetadataDevice",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,010",
        "eid": 3938,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\Privacy\\LetAppsRunInBackground_UserInControlOfTheseApps\\ADMXMetadataBoth",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,010",
        "eid": 3939,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\Privacy\\LetAppsRunInBackground_UserInControlOfTheseApps\\30Value",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,010",
        "eid": 3940,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\Privacy\\LetAppsRunInBackground_UserInControlOfTheseApps\\Value",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,010",
        "eid": 3941,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\Privacy\\LetAppsRunInBackground_ForceAllowTheseApps\\PolicyType",
          "content": "1"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,010",
        "eid": 3942,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\Privacy\\LetAppsRunInBackground_ForceAllowTheseApps\\Behavior",
          "content": "139296"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,010",
        "eid": 3943,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\Privacy\\LetAppsRunInBackground_ForceAllowTheseApps\\MergeAlgorithm",
          "content": "3"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,010",
        "eid": 3944,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\Privacy\\LetAppsRunInBackground_ForceAllowTheseApps\\RegKeyPathRedirectMapped",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,010",
        "eid": 3945,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\Privacy\\LetAppsRunInBackground_ForceAllowTheseApps\\RegKeyPathRedirect",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,010",
        "eid": 3946,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\Privacy\\LetAppsRunInBackground_ForceAllowTheseApps\\grouppolicyname",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,010",
        "eid": 3947,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\Privacy\\LetAppsRunInBackground_ForceAllowTheseApps\\grouppolicyname",
          "content": "LetAppsRunInBackground_ForceAllowTheseApps"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,010",
        "eid": 3948,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\Privacy\\LetAppsRunInBackground_ForceAllowTheseApps\\grouppolicypath",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,010",
        "eid": 3949,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\Privacy\\LetAppsRunInBackground_ForceAllowTheseApps\\grouppolicypath",
          "content": "Software\\Policies\\Microsoft\\Windows\\AppPrivacy"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,010",
        "eid": 3950,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\Privacy\\LetAppsRunInBackground_ForceAllowTheseApps\\grouppolicyismultisz",
          "content": "1"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,010",
        "eid": 3951,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\Privacy\\LetAppsRunInBackground_ForceAllowTheseApps\\grouppolicymultiszSeparatorChar",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,010",
        "eid": 3952,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\Privacy\\LetAppsRunInBackground_ForceAllowTheseApps\\ADMXMetadataUser",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,010",
        "eid": 3953,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\Privacy\\LetAppsRunInBackground_ForceAllowTheseApps\\ADMXMetadataDevice",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,010",
        "eid": 3954,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\Privacy\\LetAppsRunInBackground_ForceAllowTheseApps\\ADMXMetadataBoth",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,010",
        "eid": 3955,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\Privacy\\LetAppsRunInBackground_ForceAllowTheseApps\\30Value",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,010",
        "eid": 3956,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\Privacy\\LetAppsRunInBackground_ForceAllowTheseApps\\Value",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,010",
        "eid": 3957,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\Privacy\\LetAppsRunInBackground_ForceDenyTheseApps\\PolicyType",
          "content": "1"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,010",
        "eid": 3958,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\Privacy\\LetAppsRunInBackground_ForceDenyTheseApps\\Behavior",
          "content": "139296"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,010",
        "eid": 3959,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\Privacy\\LetAppsRunInBackground_ForceDenyTheseApps\\MergeAlgorithm",
          "content": "3"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,010",
        "eid": 3960,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\Privacy\\LetAppsRunInBackground_ForceDenyTheseApps\\RegKeyPathRedirectMapped",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,010",
        "eid": 3961,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\Privacy\\LetAppsRunInBackground_ForceDenyTheseApps\\RegKeyPathRedirect",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,010",
        "eid": 3962,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\Privacy\\LetAppsRunInBackground_ForceDenyTheseApps\\grouppolicyname",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,010",
        "eid": 3963,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\Privacy\\LetAppsRunInBackground_ForceDenyTheseApps\\grouppolicyname",
          "content": "LetAppsRunInBackground_ForceDenyTheseApps"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,010",
        "eid": 3964,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\Privacy\\LetAppsRunInBackground_ForceDenyTheseApps\\grouppolicypath",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,010",
        "eid": 3965,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\Privacy\\LetAppsRunInBackground_ForceDenyTheseApps\\grouppolicypath",
          "content": "Software\\Policies\\Microsoft\\Windows\\AppPrivacy"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,010",
        "eid": 3966,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\Privacy\\LetAppsRunInBackground_ForceDenyTheseApps\\grouppolicyismultisz",
          "content": "1"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,010",
        "eid": 3967,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\Privacy\\LetAppsRunInBackground_ForceDenyTheseApps\\grouppolicymultiszSeparatorChar",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,010",
        "eid": 3968,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\Privacy\\LetAppsRunInBackground_ForceDenyTheseApps\\ADMXMetadataUser",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,010",
        "eid": 3969,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\Privacy\\LetAppsRunInBackground_ForceDenyTheseApps\\ADMXMetadataDevice",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,010",
        "eid": 3970,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\Privacy\\LetAppsRunInBackground_ForceDenyTheseApps\\ADMXMetadataBoth",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,010",
        "eid": 3971,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\Privacy\\LetAppsRunInBackground_ForceDenyTheseApps\\30Value",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,010",
        "eid": 3972,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\Privacy\\LetAppsRunInBackground_ForceDenyTheseApps\\Value",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,010",
        "eid": 3973,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\Privacy\\LetAppsRunInBackground\\PolicyType",
          "content": "4"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,010",
        "eid": 3974,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\Privacy\\LetAppsRunInBackground\\Behavior",
          "content": "139296"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,010",
        "eid": 3975,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\Privacy\\LetAppsRunInBackground\\MergeAlgorithm",
          "content": "2"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,010",
        "eid": 3976,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\Privacy\\LetAppsRunInBackground\\RegKeyPathRedirectMapped",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,010",
        "eid": 3977,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\Privacy\\LetAppsRunInBackground\\RegKeyPathRedirect",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,010",
        "eid": 3978,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\Privacy\\LetAppsRunInBackground\\grouppolicyname",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,010",
        "eid": 3979,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\Privacy\\LetAppsRunInBackground\\grouppolicyname",
          "content": "LetAppsRunInBackground"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,010",
        "eid": 3980,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\Privacy\\LetAppsRunInBackground\\grouppolicypath",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,010",
        "eid": 3981,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\Privacy\\LetAppsRunInBackground\\grouppolicypath",
          "content": "Software\\Policies\\Microsoft\\Windows\\AppPrivacy"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,010",
        "eid": 3982,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\Privacy\\LetAppsRunInBackground\\grouppolicyismultisz",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,010",
        "eid": 3983,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\Privacy\\LetAppsRunInBackground\\grouppolicymultiszSeparatorChar",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,010",
        "eid": 3984,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\Privacy\\LetAppsRunInBackground\\ADMXMetadataUser",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,010",
        "eid": 3985,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\Privacy\\LetAppsRunInBackground\\ADMXMetadataDevice",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,010",
        "eid": 3986,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\Privacy\\LetAppsRunInBackground\\ADMXMetadataBoth",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,010",
        "eid": 3987,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\Privacy\\LetAppsRunInBackground\\30Value",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,010",
        "eid": 3988,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\Privacy\\LetAppsRunInBackground\\Value",
          "content": "0"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,010",
        "eid": 3989,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.User\\ActivationType",
          "content": "1"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,010",
        "eid": 3990,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.User\\Server",
          "content": "StateRepository"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,010",
        "eid": 3991,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.User\\DllPath",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,010",
        "eid": 3992,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.User\\Threading",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,010",
        "eid": 3993,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.User\\TrustLevel",
          "content": "0"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,010",
        "eid": 3994,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.User\\RemoteServer",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,010",
        "eid": 3995,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.User\\ActivateAsUser",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,010",
        "eid": 3996,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.User\\ActivateInSharedBroker",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,010",
        "eid": 3997,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.User\\ActivateInBrokerForMediumILContainer",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,010",
        "eid": 3998,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.User\\Permissions",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,010",
        "eid": 3999,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.User\\ActivateOnHostFlags",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,010",
        "eid": 4000,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\Server\\StateRepository\\ExePath",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,010",
        "eid": 4001,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\Server\\StateRepository\\CommandLine",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,010",
        "eid": 4002,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\Server\\StateRepository\\IdentityType",
          "content": "1"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,010",
        "eid": 4003,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\Server\\StateRepository\\Permissions",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,010",
        "eid": 4004,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\Server\\StateRepository\\Permissions",
          "content": "\\x01\\x00\\x14\\x80\\x9c\\x00\\x00\\x00\\xa8\\x00\\x00\\x00\\x14\\x00\\x00\\x000\\x00\\x00\\x00\\x02\\x00\\x1c\\x00\\x01\\x00\\x00\\x00\\x11\\x00\\x14\\x00\\x04\\x00\\x00\\x00\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x10\\x00\\x00\\x02\\x00l\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x14\\x00\\x1f\\x00\\x00\\x00\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x18\\x00\\x1f\\x00\\x00\\x00\\x01\\x02\\x00\\x00\\x00\\x00\\x00\\x0f\\x02\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x008\\x00\\x1f\\x00\\x00\\x00\\x01\n\\x00\\x00\\x00\\x00\\x00\\x0f\\x03\\x00\\x00\\x00\\x00\\x04\\x00\\x00\\xceJ\\x93Y\\xb9\\xcf\\x0buu\\xc0\\xf2\\x9b\\xb2\\xb4\\xc2\\x98\\xd4F\\xdd\\xf9\\x02z\\x87\\xec\\x14e\\x11w\\xd6\\xe9\\x96U\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x05\n\\x00\\x00\\x00\\x01\\x02\\x00\\x00\\x00\\x00\\x00\\x05 \\x00\\x00\\x00!\\x02\\x00\\x00"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,010",
        "eid": 4005,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\Server\\StateRepository\\ActivatableClasses",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,010",
        "eid": 4006,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\Server\\StateRepository\\ServerType",
          "content": "2"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,010",
        "eid": 4007,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\Server\\StateRepository\\AppId",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,010",
        "eid": 4008,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\Server\\StateRepository\\Identity",
          "content": "nt authority\\system"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,010",
        "eid": 4009,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\Server\\StateRepository\\ServiceName",
          "content": "StateRepository"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,010",
        "eid": 4010,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\Server\\StateRepository\\ExplicitPsmActivationType",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,010",
        "eid": 4011,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{84103ccb-2fd7-4d6c-962e-5d8582b4c720}\\ProxyStubClsid32\\(Default)",
          "content": "{c53e07ec-25f3-4093-aa39-fc67ea22e99d}"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,010",
        "eid": 4012,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}\\ActivateOnHostFlags",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,010",
        "eid": 4013,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}\\(Default)",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,010",
        "eid": 4014,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}\\(Default)",
          "content": "PSFactoryBuffer"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,010",
        "eid": 4015,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}\\InProcServer32\\InprocServer32",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,010",
        "eid": 4016,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}\\InProcServer32\\(Default)",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,010",
        "eid": 4017,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}\\InProcServer32\\(Default)",
          "content": "C:\\Windows\\System32\\\\Windows.StateRepositoryPS.dll"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,010",
        "eid": 4018,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}\\InProcServer32\\ThreadingModel",
          "content": "Both"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,025",
        "eid": 4019,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}\\ActivateOnHostFlags",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,025",
        "eid": 4020,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}\\(Default)",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,025",
        "eid": 4021,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}\\(Default)",
          "content": "PSFactoryBuffer"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,025",
        "eid": 4022,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}\\InProcServer32\\InprocServer32",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,025",
        "eid": 4023,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}\\InProcServer32\\(Default)",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,025",
        "eid": 4024,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}\\InProcServer32\\(Default)",
          "content": "C:\\Windows\\System32\\\\Windows.StateRepositoryPS.dll"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,025",
        "eid": 4025,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}\\InProcServer32\\ThreadingModel",
          "content": "Both"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,025",
        "eid": 4026,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}\\AppID",
          "content": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:14,025",
        "eid": 4027,
        "data": {
          "file": "C:\\Windows\\System32\\Windows.StateRepositoryPS.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc665a0000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:14,025",
        "eid": 4028,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,041",
        "eid": 4029,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{5232f8ea-49c7-4840-bfbb-66e785689e88}\\ProxyStubClsid32\\(Default)",
          "content": "{c53e07ec-25f3-4093-aa39-fc67ea22e99d}"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,041",
        "eid": 4030,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.Package\\ActivationType",
          "content": "1"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,041",
        "eid": 4031,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.Package\\Server",
          "content": "StateRepository"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,041",
        "eid": 4032,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.Package\\DllPath",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,041",
        "eid": 4033,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.Package\\Threading",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,041",
        "eid": 4034,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.Package\\TrustLevel",
          "content": "0"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,041",
        "eid": 4035,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.Package\\RemoteServer",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,041",
        "eid": 4036,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.Package\\ActivateAsUser",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,041",
        "eid": 4037,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.Package\\ActivateInSharedBroker",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,041",
        "eid": 4038,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.Package\\ActivateInBrokerForMediumILContainer",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,041",
        "eid": 4039,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.Package\\Permissions",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,041",
        "eid": 4040,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.Package\\ActivateOnHostFlags",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,041",
        "eid": 4041,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{0450ce77-af0d-40ac-93fd-1e5d48c89419}\\ProxyStubClsid32\\(Default)",
          "content": "{c53e07ec-25f3-4093-aa39-fc67ea22e99d}"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,041",
        "eid": 4042,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{195f5943-0c04-4eab-b907-735817fdac77}\\ProxyStubClsid32\\(Default)",
          "content": "{c53e07ec-25f3-4093-aa39-fc67ea22e99d}"
        }
      },
      {
        "event": "write",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,041",
        "eid": 4043,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\SecurityManager\\CapAuthz\\HasRepaired"
        }
      },
      {
        "event": "write",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,041",
        "eid": 4044,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\SecurityManager\\CapAuthz\\HasRepaired\\VolatileChildTest"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,041",
        "eid": 4045,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SecurityManager\\CapAuthz\\ApplicationsEx\\Microsoft.MicrosoftEdge.Stable_148.0.3967.83_neutral__8wekyb3d8bbwe\\AppPackageType",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,041",
        "eid": 4046,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SecurityManager\\CapAuthz\\ApplicationsEx\\Microsoft.MicrosoftEdge.Stable_148.0.3967.83_neutral__8wekyb3d8bbwe\\AppPackageType",
          "content": "0"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,041",
        "eid": 4047,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SecurityManager\\CapAuthz\\ApplicationsEx\\Microsoft.MicrosoftEdge.Stable_148.0.3967.83_neutral__8wekyb3d8bbwe\\PackageSid",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,041",
        "eid": 4048,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SecurityManager\\CapAuthz\\ApplicationsEx\\Microsoft.MicrosoftEdge.Stable_148.0.3967.83_neutral__8wekyb3d8bbwe\\PackageSid",
          "content": "S-1-15-2-543634040-274359014-2226501544-3561766748-3991453649-3543631192-522786984"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,041",
        "eid": 4049,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SecurityManager\\CapAuthz\\ApplicationsEx\\Microsoft.MicrosoftEdge.Stable_148.0.3967.83_neutral__8wekyb3d8bbwe\\CapSids",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,041",
        "eid": 4050,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SecurityManager\\CapAuthz\\ApplicationsEx\\Microsoft.MicrosoftEdge.Stable_148.0.3967.83_neutral__8wekyb3d8bbwe\\CapSids",
          "content": "\\x03\\x00\\x00\\x00\\x01\n\\x00\\x00\\x00\\x00\\x00\\x0f\\x03\\x00\\x00\\x00\\x00\\x04\\x00\\x00\\x93MhQ\\x18=\\xc3\\xa6(\\x927f\\xc7\\xb1\\xfd\\x1eb\\x11\\xb0\\x8dT\\xad@A8\\xb7l\\xebv\\xc0V\\xd6\\x01\n\\x00\\x00\\x00\\x00\\x00\\x0f\\x03\\x00\\x00\\x00\\x00\\x04\\x00\\x00\\xdc\\xdc\\xc7+\\x1b\\x84\\xfb\\x17\\x8c\\xfd\\xd5\\x99\\x9fj\\xa1T\\xc3\t\\x1a\\xfbT\\xa8\\x98\\xa2\\x98\\xef\\x9b\r\\xe1=\\xaa!\\x01\\x08\\x00\\x00\\x00\\x00\\x00\\x0f\\x03\\x00\\x00\\x00x2g \\xe6bZ\\x10\\xa8\\xb7\\xb5\\x84\\?L\\xd4\\xd1\\xbf\\xe8\\xedX\\x857\\xd3\\xa8\\x18)\\x1f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,041",
        "eid": 4051,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SecurityManager\\CapAuthz\\ApplicationsEx\\Microsoft.MicrosoftEdge.Stable_148.0.3967.83_neutral__8wekyb3d8bbwe\\ApplicationFlags",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,041",
        "eid": 4052,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SecurityManager\\CapAuthz\\ApplicationsEx\\Microsoft.MicrosoftEdge.Stable_148.0.3967.83_neutral__8wekyb3d8bbwe\\ApplicationFlags",
          "content": "0"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,041",
        "eid": 4053,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\Privacy\\LetAppsRunInBackground_UserInControlOfTheseApps\\PolicyType",
          "content": "1"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,041",
        "eid": 4054,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\Privacy\\LetAppsRunInBackground_UserInControlOfTheseApps\\Behavior",
          "content": "139296"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,041",
        "eid": 4055,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\Privacy\\LetAppsRunInBackground_UserInControlOfTheseApps\\MergeAlgorithm",
          "content": "3"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,041",
        "eid": 4056,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\Privacy\\LetAppsRunInBackground_UserInControlOfTheseApps\\RegKeyPathRedirectMapped",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,041",
        "eid": 4057,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\Privacy\\LetAppsRunInBackground_UserInControlOfTheseApps\\RegKeyPathRedirect",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,041",
        "eid": 4058,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\Privacy\\LetAppsRunInBackground_UserInControlOfTheseApps\\grouppolicyname",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,041",
        "eid": 4059,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\Privacy\\LetAppsRunInBackground_UserInControlOfTheseApps\\grouppolicyname",
          "content": "LetAppsRunInBackground_UserInControlOfTheseApps"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,041",
        "eid": 4060,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\Privacy\\LetAppsRunInBackground_UserInControlOfTheseApps\\grouppolicypath",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,041",
        "eid": 4061,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\Privacy\\LetAppsRunInBackground_UserInControlOfTheseApps\\grouppolicypath",
          "content": "Software\\Policies\\Microsoft\\Windows\\AppPrivacy"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,041",
        "eid": 4062,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\Privacy\\LetAppsRunInBackground_UserInControlOfTheseApps\\grouppolicyismultisz",
          "content": "1"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,041",
        "eid": 4063,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\Privacy\\LetAppsRunInBackground_UserInControlOfTheseApps\\grouppolicymultiszSeparatorChar",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,041",
        "eid": 4064,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\Privacy\\LetAppsRunInBackground_UserInControlOfTheseApps\\ADMXMetadataUser",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,041",
        "eid": 4065,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\Privacy\\LetAppsRunInBackground_UserInControlOfTheseApps\\ADMXMetadataDevice",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,041",
        "eid": 4066,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\Privacy\\LetAppsRunInBackground_UserInControlOfTheseApps\\ADMXMetadataBoth",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,041",
        "eid": 4067,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\Privacy\\LetAppsRunInBackground_UserInControlOfTheseApps\\30Value",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,041",
        "eid": 4068,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\Privacy\\LetAppsRunInBackground_UserInControlOfTheseApps\\Value",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,041",
        "eid": 4069,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\Privacy\\LetAppsRunInBackground_ForceAllowTheseApps\\PolicyType",
          "content": "1"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,041",
        "eid": 4070,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\Privacy\\LetAppsRunInBackground_ForceAllowTheseApps\\Behavior",
          "content": "139296"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,041",
        "eid": 4071,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\Privacy\\LetAppsRunInBackground_ForceAllowTheseApps\\MergeAlgorithm",
          "content": "3"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,041",
        "eid": 4072,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\Privacy\\LetAppsRunInBackground_ForceAllowTheseApps\\RegKeyPathRedirectMapped",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,041",
        "eid": 4073,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\Privacy\\LetAppsRunInBackground_ForceAllowTheseApps\\RegKeyPathRedirect",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,041",
        "eid": 4074,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\Privacy\\LetAppsRunInBackground_ForceAllowTheseApps\\grouppolicyname",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,041",
        "eid": 4075,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\Privacy\\LetAppsRunInBackground_ForceAllowTheseApps\\grouppolicyname",
          "content": "LetAppsRunInBackground_ForceAllowTheseApps"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,041",
        "eid": 4076,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\Privacy\\LetAppsRunInBackground_ForceAllowTheseApps\\grouppolicypath",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,041",
        "eid": 4077,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\Privacy\\LetAppsRunInBackground_ForceAllowTheseApps\\grouppolicypath",
          "content": "Software\\Policies\\Microsoft\\Windows\\AppPrivacy"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,041",
        "eid": 4078,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\Privacy\\LetAppsRunInBackground_ForceAllowTheseApps\\grouppolicyismultisz",
          "content": "1"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,041",
        "eid": 4079,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\Privacy\\LetAppsRunInBackground_ForceAllowTheseApps\\grouppolicymultiszSeparatorChar",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,041",
        "eid": 4080,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\Privacy\\LetAppsRunInBackground_ForceAllowTheseApps\\ADMXMetadataUser",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,041",
        "eid": 4081,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\Privacy\\LetAppsRunInBackground_ForceAllowTheseApps\\ADMXMetadataDevice",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,041",
        "eid": 4082,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\Privacy\\LetAppsRunInBackground_ForceAllowTheseApps\\ADMXMetadataBoth",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,041",
        "eid": 4083,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\Privacy\\LetAppsRunInBackground_ForceAllowTheseApps\\30Value",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,041",
        "eid": 4084,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\Privacy\\LetAppsRunInBackground_ForceAllowTheseApps\\Value",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,041",
        "eid": 4085,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\Privacy\\LetAppsRunInBackground_ForceDenyTheseApps\\PolicyType",
          "content": "1"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,041",
        "eid": 4086,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\Privacy\\LetAppsRunInBackground_ForceDenyTheseApps\\Behavior",
          "content": "139296"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,041",
        "eid": 4087,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\Privacy\\LetAppsRunInBackground_ForceDenyTheseApps\\MergeAlgorithm",
          "content": "3"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,041",
        "eid": 4088,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\Privacy\\LetAppsRunInBackground_ForceDenyTheseApps\\RegKeyPathRedirectMapped",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,041",
        "eid": 4089,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\Privacy\\LetAppsRunInBackground_ForceDenyTheseApps\\RegKeyPathRedirect",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,041",
        "eid": 4090,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\Privacy\\LetAppsRunInBackground_ForceDenyTheseApps\\grouppolicyname",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,041",
        "eid": 4091,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\Privacy\\LetAppsRunInBackground_ForceDenyTheseApps\\grouppolicyname",
          "content": "LetAppsRunInBackground_ForceDenyTheseApps"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,041",
        "eid": 4092,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\Privacy\\LetAppsRunInBackground_ForceDenyTheseApps\\grouppolicypath",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,041",
        "eid": 4093,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\Privacy\\LetAppsRunInBackground_ForceDenyTheseApps\\grouppolicypath",
          "content": "Software\\Policies\\Microsoft\\Windows\\AppPrivacy"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,041",
        "eid": 4094,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\Privacy\\LetAppsRunInBackground_ForceDenyTheseApps\\grouppolicyismultisz",
          "content": "1"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,041",
        "eid": 4095,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\Privacy\\LetAppsRunInBackground_ForceDenyTheseApps\\grouppolicymultiszSeparatorChar",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,041",
        "eid": 4096,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\Privacy\\LetAppsRunInBackground_ForceDenyTheseApps\\ADMXMetadataUser",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,041",
        "eid": 4097,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\Privacy\\LetAppsRunInBackground_ForceDenyTheseApps\\ADMXMetadataDevice",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,041",
        "eid": 4098,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\Privacy\\LetAppsRunInBackground_ForceDenyTheseApps\\ADMXMetadataBoth",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,041",
        "eid": 4099,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\Privacy\\LetAppsRunInBackground_ForceDenyTheseApps\\30Value",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,041",
        "eid": 4100,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\Privacy\\LetAppsRunInBackground_ForceDenyTheseApps\\Value",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,041",
        "eid": 4101,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\Privacy\\LetAppsRunInBackground\\PolicyType",
          "content": "4"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,041",
        "eid": 4102,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\Privacy\\LetAppsRunInBackground\\Behavior",
          "content": "139296"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,041",
        "eid": 4103,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\Privacy\\LetAppsRunInBackground\\MergeAlgorithm",
          "content": "2"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,041",
        "eid": 4104,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\Privacy\\LetAppsRunInBackground\\RegKeyPathRedirectMapped",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,041",
        "eid": 4105,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\Privacy\\LetAppsRunInBackground\\RegKeyPathRedirect",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,041",
        "eid": 4106,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\Privacy\\LetAppsRunInBackground\\grouppolicyname",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,041",
        "eid": 4107,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\Privacy\\LetAppsRunInBackground\\grouppolicyname",
          "content": "LetAppsRunInBackground"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,041",
        "eid": 4108,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\Privacy\\LetAppsRunInBackground\\grouppolicypath",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,041",
        "eid": 4109,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\Privacy\\LetAppsRunInBackground\\grouppolicypath",
          "content": "Software\\Policies\\Microsoft\\Windows\\AppPrivacy"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,041",
        "eid": 4110,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\Privacy\\LetAppsRunInBackground\\grouppolicyismultisz",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,041",
        "eid": 4111,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\Privacy\\LetAppsRunInBackground\\grouppolicymultiszSeparatorChar",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,041",
        "eid": 4112,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\Privacy\\LetAppsRunInBackground\\ADMXMetadataUser",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,041",
        "eid": 4113,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\Privacy\\LetAppsRunInBackground\\ADMXMetadataDevice",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,041",
        "eid": 4114,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\Privacy\\LetAppsRunInBackground\\ADMXMetadataBoth",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,041",
        "eid": 4115,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\Privacy\\LetAppsRunInBackground\\30Value",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,041",
        "eid": 4116,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\default\\Privacy\\LetAppsRunInBackground\\Value",
          "content": "0"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,041",
        "eid": 4117,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SecurityManager\\CapAuthz\\ApplicationsEx\\Microsoft.MicrosoftEdge.Stable_148.0.3967.83_neutral__8wekyb3d8bbwe\\AppPackageType",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,057",
        "eid": 4118,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SecurityManager\\CapAuthz\\ApplicationsEx\\Microsoft.MicrosoftEdge.Stable_148.0.3967.83_neutral__8wekyb3d8bbwe\\AppPackageType",
          "content": "0"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,057",
        "eid": 4119,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SecurityManager\\CapAuthz\\ApplicationsEx\\Microsoft.MicrosoftEdge.Stable_148.0.3967.83_neutral__8wekyb3d8bbwe\\PackageSid",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,057",
        "eid": 4120,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SecurityManager\\CapAuthz\\ApplicationsEx\\Microsoft.MicrosoftEdge.Stable_148.0.3967.83_neutral__8wekyb3d8bbwe\\PackageSid",
          "content": "S-1-15-2-543634040-274359014-2226501544-3561766748-3991453649-3543631192-522786984"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,057",
        "eid": 4121,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SecurityManager\\CapAuthz\\ApplicationsEx\\Microsoft.MicrosoftEdge.Stable_148.0.3967.83_neutral__8wekyb3d8bbwe\\CapSids",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,057",
        "eid": 4122,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SecurityManager\\CapAuthz\\ApplicationsEx\\Microsoft.MicrosoftEdge.Stable_148.0.3967.83_neutral__8wekyb3d8bbwe\\CapSids",
          "content": "\\x03\\x00\\x00\\x00\\x01\n\\x00\\x00\\x00\\x00\\x00\\x0f\\x03\\x00\\x00\\x00\\x00\\x04\\x00\\x00\\x93MhQ\\x18=\\xc3\\xa6(\\x927f\\xc7\\xb1\\xfd\\x1eb\\x11\\xb0\\x8dT\\xad@A8\\xb7l\\xebv\\xc0V\\xd6\\x01\n\\x00\\x00\\x00\\x00\\x00\\x0f\\x03\\x00\\x00\\x00\\x00\\x04\\x00\\x00\\xdc\\xdc\\xc7+\\x1b\\x84\\xfb\\x17\\x8c\\xfd\\xd5\\x99\\x9fj\\xa1T\\xc3\t\\x1a\\xfbT\\xa8\\x98\\xa2\\x98\\xef\\x9b\r\\xe1=\\xaa!\\x01\\x08\\x00\\x00\\x00\\x00\\x00\\x0f\\x03\\x00\\x00\\x00x2g \\xe6bZ\\x10\\xa8\\xb7\\xb5\\x84\\?L\\xd4\\xd1\\xbf\\xe8\\xedX\\x857\\xd3\\xa8\\x18)\\x1f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,057",
        "eid": 4123,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SecurityManager\\CapAuthz\\ApplicationsEx\\Microsoft.MicrosoftEdge.Stable_148.0.3967.83_neutral__8wekyb3d8bbwe\\ApplicationFlags",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,057",
        "eid": 4124,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SecurityManager\\CapAuthz\\ApplicationsEx\\Microsoft.MicrosoftEdge.Stable_148.0.3967.83_neutral__8wekyb3d8bbwe\\ApplicationFlags",
          "content": "0"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:14,057",
        "eid": 4125,
        "data": {
          "file": "ntdll.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc77fd0000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:14,057",
        "eid": 4126,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,057",
        "eid": 4127,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Appx\\PackageRepositoryRoot",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,057",
        "eid": 4128,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Appx\\PackageRepositoryRoot",
          "content": "C:\\ProgramData\\Microsoft\\Windows\\AppRepository"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,057",
        "eid": 4129,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Appx\\PackageRepositoryRoot",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,057",
        "eid": 4130,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Appx\\PackageRepositoryRoot",
          "content": "C:\\ProgramData\\Microsoft\\Windows\\AppRepository"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,057",
        "eid": 4131,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.ApplicationModel.Background.BackgroundTaskRegistration\\ActivationType",
          "content": "0"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,057",
        "eid": 4132,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.ApplicationModel.Background.BackgroundTaskRegistration\\Server",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,057",
        "eid": 4133,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.ApplicationModel.Background.BackgroundTaskRegistration\\DllPath",
          "content": "C:\\Windows\\System32\\biwinrt.dll"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,057",
        "eid": 4134,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.ApplicationModel.Background.BackgroundTaskRegistration\\Threading",
          "content": "0"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,057",
        "eid": 4135,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.ApplicationModel.Background.BackgroundTaskRegistration\\TrustLevel",
          "content": "0"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,057",
        "eid": 4136,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.ApplicationModel.Background.BackgroundTaskRegistration\\RemoteServer",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,057",
        "eid": 4137,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.ApplicationModel.Background.BackgroundTaskRegistration\\ActivateAsUser",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,057",
        "eid": 4138,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.ApplicationModel.Background.BackgroundTaskRegistration\\ActivateInSharedBroker",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,057",
        "eid": 4139,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.ApplicationModel.Background.BackgroundTaskRegistration\\ActivateInBrokerForMediumILContainer",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,057",
        "eid": 4140,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.ApplicationModel.Background.BackgroundTaskRegistration\\Permissions",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,057",
        "eid": 4141,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.ApplicationModel.Background.BackgroundTaskRegistration\\ActivateOnHostFlags",
          "content": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:14,057",
        "eid": 4142,
        "data": {
          "file": "C:\\Windows\\System32\\biwinrt.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc5b720000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:14,057",
        "eid": 4143,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "read",
        "object": "file",
        "timestamp": "2026-05-28 22:02:14,057",
        "eid": 4144,
        "data": {
          "file": "\\Device\\NamedPipe\\LOCAL\\mojo.9188.10632.18297276111718467407"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,057",
        "eid": 4145,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.ApplicationModel.Background.BackgroundWorkManager\\ActivationType",
          "content": "0"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,057",
        "eid": 4146,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.ApplicationModel.Background.BackgroundWorkManager\\Server",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,057",
        "eid": 4147,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.ApplicationModel.Background.BackgroundWorkManager\\DllPath",
          "content": "C:\\Windows\\System32\\biwinrt.dll"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,057",
        "eid": 4148,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.ApplicationModel.Background.BackgroundWorkManager\\Threading",
          "content": "2"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,057",
        "eid": 4149,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.ApplicationModel.Background.BackgroundWorkManager\\TrustLevel",
          "content": "0"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,057",
        "eid": 4150,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.ApplicationModel.Background.BackgroundWorkManager\\RemoteServer",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,057",
        "eid": 4151,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.ApplicationModel.Background.BackgroundWorkManager\\ActivateAsUser",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,057",
        "eid": 4152,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.ApplicationModel.Background.BackgroundWorkManager\\ActivateInSharedBroker",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,057",
        "eid": 4153,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.ApplicationModel.Background.BackgroundWorkManager\\ActivateInBrokerForMediumILContainer",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,057",
        "eid": 4154,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.ApplicationModel.Background.BackgroundWorkManager\\Permissions",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,057",
        "eid": 4155,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.ApplicationModel.Background.BackgroundWorkManager\\ActivateOnHostFlags",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,057",
        "eid": 4156,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{350E1244-4575-45EE-8595-0AA8C6506FC7}\\ProxyStubClsid32\\(Default)",
          "content": "{95E15D0A-66E6-93D9-C53C-76E6219D3341}"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,057",
        "eid": 4157,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{01CF8BD4-E3D6-413D-8339-36D46E78D12C}\\ProxyStubClsid32\\(Default)",
          "content": "{95E15D0A-66E6-93D9-C53C-76E6219D3341}"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,057",
        "eid": 4158,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Foundation.Collections.ValueSet\\ActivationType",
          "content": "0"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,057",
        "eid": 4159,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Foundation.Collections.ValueSet\\Server",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,057",
        "eid": 4160,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Foundation.Collections.ValueSet\\DllPath",
          "content": "C:\\Windows\\System32\\WinTypes.dll"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,057",
        "eid": 4161,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Foundation.Collections.ValueSet\\Threading",
          "content": "0"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,057",
        "eid": 4162,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Foundation.Collections.ValueSet\\TrustLevel",
          "content": "0"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,057",
        "eid": 4163,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Foundation.Collections.ValueSet\\RemoteServer",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,057",
        "eid": 4164,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Foundation.Collections.ValueSet\\ActivateAsUser",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,057",
        "eid": 4165,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Foundation.Collections.ValueSet\\ActivateInSharedBroker",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,057",
        "eid": 4166,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Foundation.Collections.ValueSet\\ActivateInBrokerForMediumILContainer",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,057",
        "eid": 4167,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Foundation.Collections.ValueSet\\Permissions",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,072",
        "eid": 4168,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Foundation.Collections.ValueSet\\ActivateOnHostFlags",
          "content": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:14,072",
        "eid": 4169,
        "data": {
          "file": "C:\\Windows\\System32\\WinTypes.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc71ec0000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:14,072",
        "eid": 4170,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,072",
        "eid": 4171,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Storage.Streams.DataWriter\\ActivationType",
          "content": "0"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,072",
        "eid": 4172,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Storage.Streams.DataWriter\\Server",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,072",
        "eid": 4173,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Storage.Streams.DataWriter\\DllPath",
          "content": "C:\\Windows\\System32\\WinTypes.dll"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,072",
        "eid": 4174,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Storage.Streams.DataWriter\\Threading",
          "content": "0"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,072",
        "eid": 4175,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Storage.Streams.DataWriter\\TrustLevel",
          "content": "0"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,072",
        "eid": 4176,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Storage.Streams.DataWriter\\RemoteServer",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,072",
        "eid": 4177,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Storage.Streams.DataWriter\\ActivateAsUser",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,072",
        "eid": 4178,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Storage.Streams.DataWriter\\ActivateInSharedBroker",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,072",
        "eid": 4179,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Storage.Streams.DataWriter\\ActivateInBrokerForMediumILContainer",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,072",
        "eid": 4180,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Storage.Streams.DataWriter\\Permissions",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,072",
        "eid": 4181,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Storage.Streams.DataWriter\\ActivateOnHostFlags",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,072",
        "eid": 4182,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Storage.Streams.DataReader\\ActivationType",
          "content": "0"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,072",
        "eid": 4183,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Storage.Streams.DataReader\\Server",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,072",
        "eid": 4184,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Storage.Streams.DataReader\\DllPath",
          "content": "C:\\Windows\\System32\\WinTypes.dll"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,072",
        "eid": 4185,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Storage.Streams.DataReader\\Threading",
          "content": "0"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,072",
        "eid": 4186,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Storage.Streams.DataReader\\TrustLevel",
          "content": "0"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,072",
        "eid": 4187,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Storage.Streams.DataReader\\RemoteServer",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,072",
        "eid": 4188,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Storage.Streams.DataReader\\ActivateAsUser",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,072",
        "eid": 4189,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Storage.Streams.DataReader\\ActivateInSharedBroker",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,072",
        "eid": 4190,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Storage.Streams.DataReader\\ActivateInBrokerForMediumILContainer",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,072",
        "eid": 4191,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Storage.Streams.DataReader\\Permissions",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,072",
        "eid": 4192,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Storage.Streams.DataReader\\ActivateOnHostFlags",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,072",
        "eid": 4193,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Foundation.PropertyValue\\ActivationType",
          "content": "0"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,072",
        "eid": 4194,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Foundation.PropertyValue\\Server",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,072",
        "eid": 4195,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Foundation.PropertyValue\\DllPath",
          "content": "C:\\Windows\\System32\\WinTypes.dll"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,072",
        "eid": 4196,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Foundation.PropertyValue\\Threading",
          "content": "0"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,072",
        "eid": 4197,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Foundation.PropertyValue\\TrustLevel",
          "content": "0"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,072",
        "eid": 4198,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Foundation.PropertyValue\\RemoteServer",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,072",
        "eid": 4199,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Foundation.PropertyValue\\ActivateAsUser",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,072",
        "eid": 4200,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Foundation.PropertyValue\\ActivateInSharedBroker",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,072",
        "eid": 4201,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Foundation.PropertyValue\\ActivateInBrokerForMediumILContainer",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,072",
        "eid": 4202,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Foundation.PropertyValue\\Permissions",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,072",
        "eid": 4203,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Foundation.PropertyValue\\ActivateOnHostFlags",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,072",
        "eid": 4204,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{2C08602F-40B1-5E97-AE21-5C04D7FB829C}\\ProxyStubClsid32\\(Default)",
          "content": "{95E15D0A-66E6-93D9-C53C-76E6219D3341}"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,072",
        "eid": 4205,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{62AE0FDA-B238-554F-A275-1DC16D6CA03A}\\ProxyStubClsid32\\(Default)",
          "content": "{95E15D0A-66E6-93D9-C53C-76E6219D3341}"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,072",
        "eid": 4206,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{8445D2AE-DD03-5B98-95E4-82B43A3F0D64}\\ProxyStubClsid32\\(Default)",
          "content": "{95E15D0A-66E6-93D9-C53C-76E6219D3341}"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,072",
        "eid": 4207,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{9BCB843B-221B-5FBE-9B20-7028BC4E8653}\\ProxyStubClsid32\\(Default)",
          "content": "{95E15D0A-66E6-93D9-C53C-76E6219D3341}"
        }
      },
      {
        "event": "write",
        "object": "file",
        "timestamp": "2026-05-28 22:02:14,072",
        "eid": 4208,
        "data": {
          "file": "\\Device\\NamedPipe\\LOCAL\\mojo.9188.10632.18297276111718467407"
        }
      },
      {
        "event": "write",
        "object": "file",
        "timestamp": "2026-05-28 22:02:14,072",
        "eid": 4209,
        "data": {
          "file": "\\Device\\NamedPipe\\LOCAL\\mojo.9188.10632.18297276111718467407"
        }
      },
      {
        "event": "read",
        "object": "file",
        "timestamp": "2026-05-28 22:02:14,072",
        "eid": 4210,
        "data": {
          "file": "\\Device\\NamedPipe\\LOCAL\\mojo.9188.10632.18297276111718467407"
        }
      },
      {
        "event": "write",
        "object": "file",
        "timestamp": "2026-05-28 22:02:14,072",
        "eid": 4211,
        "data": {
          "file": "\\Device\\NamedPipe\\LOCAL\\mojo.9188.10632.18297276111718467407"
        }
      },
      {
        "event": "read",
        "object": "file",
        "timestamp": "2026-05-28 22:02:14,072",
        "eid": 4212,
        "data": {
          "file": "\\Device\\NamedPipe\\LOCAL\\mojo.9188.10632.18297276111718467407"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,088",
        "eid": 4213,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Storage.ApplicationData\\ActivationType",
          "content": "0"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,088",
        "eid": 4214,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Storage.ApplicationData\\Server",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,088",
        "eid": 4215,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Storage.ApplicationData\\DllPath",
          "content": "C:\\Windows\\System32\\Windows.Storage.ApplicationData.dll"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,088",
        "eid": 4216,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Storage.ApplicationData\\Threading",
          "content": "2"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,088",
        "eid": 4217,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Storage.ApplicationData\\TrustLevel",
          "content": "0"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,088",
        "eid": 4218,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Storage.ApplicationData\\RemoteServer",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,088",
        "eid": 4219,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Storage.ApplicationData\\ActivateAsUser",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,088",
        "eid": 4220,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Storage.ApplicationData\\ActivateInSharedBroker",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,088",
        "eid": 4221,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Storage.ApplicationData\\ActivateInBrokerForMediumILContainer",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,088",
        "eid": 4222,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Storage.ApplicationData\\Permissions",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,088",
        "eid": 4223,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Storage.ApplicationData\\ActivateOnHostFlags",
          "content": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:14,088",
        "eid": 4224,
        "data": {
          "file": "C:\\Windows\\System32\\Windows.Storage.ApplicationData.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc5b910000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:14,088",
        "eid": 4225,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,088",
        "eid": 4226,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.ApplicationModel.Core.CoreApplication\\ActivationType",
          "content": "0"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,088",
        "eid": 4227,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.ApplicationModel.Core.CoreApplication\\Server",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,088",
        "eid": 4228,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.ApplicationModel.Core.CoreApplication\\DllPath",
          "content": "C:\\Windows\\System32\\twinapi.appcore.dll"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,088",
        "eid": 4229,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.ApplicationModel.Core.CoreApplication\\Threading",
          "content": "0"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,088",
        "eid": 4230,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.ApplicationModel.Core.CoreApplication\\TrustLevel",
          "content": "0"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,088",
        "eid": 4231,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.ApplicationModel.Core.CoreApplication\\RemoteServer",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,088",
        "eid": 4232,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.ApplicationModel.Core.CoreApplication\\ActivateAsUser",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,088",
        "eid": 4233,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.ApplicationModel.Core.CoreApplication\\ActivateInSharedBroker",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,088",
        "eid": 4234,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.ApplicationModel.Core.CoreApplication\\ActivateInBrokerForMediumILContainer",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,088",
        "eid": 4235,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.ApplicationModel.Core.CoreApplication\\Permissions",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,088",
        "eid": 4236,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.ApplicationModel.Core.CoreApplication\\ActivateOnHostFlags",
          "content": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:14,088",
        "eid": 4237,
        "data": {
          "file": "ntdll.dll",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,104",
        "eid": 4238,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Foundation.Collections.PropertySet\\ActivationType",
          "content": "0"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,104",
        "eid": 4239,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Foundation.Collections.PropertySet\\Server",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,104",
        "eid": 4240,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Foundation.Collections.PropertySet\\DllPath",
          "content": "C:\\Windows\\System32\\WinTypes.dll"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,104",
        "eid": 4241,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Foundation.Collections.PropertySet\\Threading",
          "content": "0"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,104",
        "eid": 4242,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Foundation.Collections.PropertySet\\TrustLevel",
          "content": "0"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,104",
        "eid": 4243,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Foundation.Collections.PropertySet\\RemoteServer",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,104",
        "eid": 4244,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Foundation.Collections.PropertySet\\ActivateAsUser",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,104",
        "eid": 4245,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Foundation.Collections.PropertySet\\ActivateInSharedBroker",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,104",
        "eid": 4246,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Foundation.Collections.PropertySet\\ActivateInBrokerForMediumILContainer",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,104",
        "eid": 4247,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Foundation.Collections.PropertySet\\Permissions",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,104",
        "eid": 4248,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Foundation.Collections.PropertySet\\ActivateOnHostFlags",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "file",
        "timestamp": "2026-05-28 22:02:14,104",
        "eid": 4249,
        "data": {
          "file": "\\Device\\NamedPipe\\LOCAL\\mojo.9188.10632.18297276111718467407"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,104",
        "eid": 4250,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\XAML\\OneCoreTransformsEnabledByDefault",
          "content": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:14,104",
        "eid": 4251,
        "data": {
          "file": "oleaut32.dll",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,104",
        "eid": 4252,
        "data": {
          "regkey": "HKEY_CURRENT_USER\\Software\\Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.MicrosoftEdge.Stable_8wekyb3d8bbwe\\PSR\\WnfStateName",
          "content": "\\xe5\\xd0\\xbd\\xa3mN\\xc6A"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,104",
        "eid": 4253,
        "data": {
          "regkey": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders\\Local AppData",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,104",
        "eid": 4254,
        "data": {
          "regkey": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders\\Local AppData",
          "content": "%USERPROFILE%\\AppData\\Local"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,104",
        "eid": 4255,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList\\S-1-5-21-3968686040-3210279463-847977608-1001\\ProfileImagePath",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,104",
        "eid": 4256,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList\\S-1-5-21-3968686040-3210279463-847977608-1001\\ProfileImagePath",
          "content": "C:\\Users\\admin"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:14,135",
        "eid": 4257,
        "data": {
          "file": "api-ms-win-eventing-provider-l1-1-0.dll",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:14,135",
        "eid": 4258,
        "data": {
          "file": "api-ms-win-core-synch-l1-2-0.dll",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:14,135",
        "eid": 4259,
        "data": {
          "file": "ntdll.dll",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,135",
        "eid": 4260,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\NoPropertiesMyComputer",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,135",
        "eid": 4261,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\NoPropertiesRecycleBin",
          "content": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:14,135",
        "eid": 4262,
        "data": {
          "file": "ntdll.dll",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,135",
        "eid": 4263,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\NoControlPanel",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,135",
        "eid": 4264,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\NoSetFolders",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,135",
        "eid": 4265,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\NoInternetIcon",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,135",
        "eid": 4266,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Desktop\\NameSpace\\ValidateRegItems",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,135",
        "eid": 4267,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Desktop\\NameSpace\\MonitorRegistry",
          "content": "1"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,135",
        "eid": 4268,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\NoCommonGroups",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,135",
        "eid": 4269,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\Attributes",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,135",
        "eid": 4270,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\CallForAttributes",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,135",
        "eid": 4271,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\RestrictedAttributes",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,135",
        "eid": 4272,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\FolderValueFlags",
          "content": "1581568"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,135",
        "eid": 4273,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\NonEnum\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,135",
        "eid": 4274,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MyComputer\\NameSpace\\ValidateRegItems",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,135",
        "eid": 4275,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MyComputer\\NameSpace\\MonitorRegistry",
          "content": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:14,135",
        "eid": 4276,
        "data": {
          "file": "ntdll.dll",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:14,150",
        "eid": 4277,
        "data": {
          "file": "C:\\Windows\\System32\\mssprxy.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc65b50000"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,150",
        "eid": 4278,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{AB310581-AC80-11D1-8DF3-00C04FB6EF50}\\ProxyStubClsid32\\(Default)",
          "content": "{A5EBA07A-DAE8-4d15-B12F-728EFD8A9866}"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,150",
        "eid": 4279,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{AB310581-AC80-11D1-8DF3-00C04FB6EF55}\\ProxyStubClsid32\\(Default)",
          "content": "{A5EBA07A-DAE8-4d15-B12F-728EFD8A9866}"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:14,150",
        "eid": 4280,
        "data": {
          "file": "C:\\Windows\\System32\\propsys.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc728f0000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:14,150",
        "eid": 4281,
        "data": {
          "file": "ntdll.dll",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,150",
        "eid": 4282,
        "data": {
          "regkey": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders\\Local AppData",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,150",
        "eid": 4283,
        "data": {
          "regkey": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders\\Local AppData",
          "content": "%USERPROFILE%\\AppData\\Local"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,150",
        "eid": 4284,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList\\S-1-5-21-3968686040-3210279463-847977608-1001\\ProfileImagePath",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,150",
        "eid": 4285,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList\\S-1-5-21-3968686040-3210279463-847977608-1001\\ProfileImagePath",
          "content": "C:\\Users\\admin"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,150",
        "eid": 4286,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Appx\\PackageRepositoryRoot",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,150",
        "eid": 4287,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Appx\\PackageRepositoryRoot",
          "content": "C:\\ProgramData\\Microsoft\\Windows\\AppRepository"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,150",
        "eid": 4288,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Appx\\PackageRepositoryRoot",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,150",
        "eid": 4289,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Appx\\PackageRepositoryRoot",
          "content": "C:\\ProgramData\\Microsoft\\Windows\\AppRepository"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,182",
        "eid": 4290,
        "data": {
          "regkey": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{528c102f-0000-0000-0000-300300000000}\\Data",
          "content": "\\xd6\r\\x00\\x00\r\\xf0\\xad\\xbaA\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x80\\x00\\x00\\x00\\x00\\x00\\x00\\x000\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xff\\x06\\xe7\\x03\\xff\\x00\\x00\\x00\\x16\\x00\\x00\\x00&\\x00\\xbc\\x12\\x1f\\x00\\x00\\x00\\x04@\\x00\\x00\\x0b\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\\\x00\\\\x00?\\x00\\\\x00S\\x00T\\x00O\\x00R\\x00A\\x00G\\x00E\\x00#\\x00V\\x00o\\x00l\\x00u\\x00m\\x00e\\x00#\\x00{\\x00e\\x003\\x002\\x00a\\x009\\x004\\x004\\x002\\x00-\\x005\\x00a\\x00f\\x002\\x00-\\x001\\x001\\x00f\\x001\\x00-\\x00a\\x00e\\x002\\x00c\\x00-\\x008\\x000\\x006\\x00e\\x006\\x00f\\x006\\x00e\\x006\\x009\\x006\\x003\\x00}\\x00#\\x000\\x000\\x000\\x000\\x000\\x000\\x000\\x000\\x000\\x003\\x003\\x000\\x000\\x000\\x000\\x000\\x00#\\x00{\\x005\\x003\\x00f\\x005\\x006\\x003\\x000\\x00d\\x00-\\x00b\\x006\\x00b\\x00f\\x00-\\x001\\x001\\x00d\\x000\\x00-\\x009\\x004\\x00f\\x002\\x00-\\x000\\x000\\x00a\\x000\\x00c\\x009\\x001\\x00e\\x00f\\x00b\\x008\\x00b\\x00}\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x0
0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,182",
        "eid": 4291,
        "data": {
          "regkey": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{528c102f-0000-0000-0000-300300000000}\\Generation",
          "content": "1"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,182",
        "eid": 4292,
        "data": {
          "regkey": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{528c102f-0000-0000-0000-300300000000}\\Generation",
          "content": "1"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,182",
        "eid": 4293,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\DontShowSuperHidden",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,182",
        "eid": 4294,
        "data": {
          "regkey": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\ShellState",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,182",
        "eid": 4295,
        "data": {
          "regkey": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\ShellState",
          "content": "$\\x00\\x00\\x004(\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x13\\x00\\x00\\x00\\x00\\x00\\x00\\x00b\\x00\\x00\\x00"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,182",
        "eid": 4296,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\NoWebView",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,182",
        "eid": 4297,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\ClassicShell",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,182",
        "eid": 4298,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\SeparateProcess",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,182",
        "eid": 4299,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\NoNetCrawling",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,182",
        "eid": 4300,
        "data": {
          "regkey": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\Hidden",
          "content": "2"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,182",
        "eid": 4301,
        "data": {
          "regkey": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\ShowCompColor",
          "content": "1"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,182",
        "eid": 4302,
        "data": {
          "regkey": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\HideFileExt",
          "content": "1"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,182",
        "eid": 4303,
        "data": {
          "regkey": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\DontPrettyPath",
          "content": "0"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,182",
        "eid": 4304,
        "data": {
          "regkey": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\ShowInfoTip",
          "content": "1"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,182",
        "eid": 4305,
        "data": {
          "regkey": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\HideIcons",
          "content": "0"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,182",
        "eid": 4306,
        "data": {
          "regkey": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\MapNetDrvBtn",
          "content": "0"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,182",
        "eid": 4307,
        "data": {
          "regkey": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\WebView",
          "content": "1"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,182",
        "eid": 4308,
        "data": {
          "regkey": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\Filter",
          "content": "0"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,182",
        "eid": 4309,
        "data": {
          "regkey": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\ShowSuperHidden",
          "content": "0"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,182",
        "eid": 4310,
        "data": {
          "regkey": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\SeparateProcess",
          "content": "0"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,182",
        "eid": 4311,
        "data": {
          "regkey": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\NoNetCrawling",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,182",
        "eid": 4312,
        "data": {
          "regkey": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\AutoCheckSelect",
          "content": "0"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,182",
        "eid": 4313,
        "data": {
          "regkey": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\IconsOnly",
          "content": "0"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,182",
        "eid": 4314,
        "data": {
          "regkey": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\ShowTypeOverlay",
          "content": "1"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,182",
        "eid": 4315,
        "data": {
          "regkey": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\ShowStatusBar",
          "content": "1"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,182",
        "eid": 4316,
        "data": {
          "regkey": "HKEY_CURRENT_USER\\Software\\Classes\\Directory\\DocObject",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,182",
        "eid": 4317,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Folder\\DocObject",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,182",
        "eid": 4318,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\AllFilesystemObjects\\DocObject",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,182",
        "eid": 4319,
        "data": {
          "regkey": "HKEY_CURRENT_USER\\Software\\Classes\\Directory\\BrowseInPlace",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,182",
        "eid": 4320,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Folder\\BrowseInPlace",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,182",
        "eid": 4321,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\AllFilesystemObjects\\BrowseInPlace",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,182",
        "eid": 4322,
        "data": {
          "regkey": "HKEY_CURRENT_USER\\Software\\Classes\\Directory\\IsShortcut",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,182",
        "eid": 4323,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Folder\\IsShortcut",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,182",
        "eid": 4324,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\AllFilesystemObjects\\IsShortcut",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,197",
        "eid": 4325,
        "data": {
          "regkey": "HKEY_CURRENT_USER\\Software\\Classes\\Directory\\AlwaysShowExt",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,197",
        "eid": 4326,
        "data": {
          "regkey": "HKEY_CURRENT_USER\\Software\\Classes\\Directory\\NeverShowExt",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,197",
        "eid": 4327,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Folder\\NeverShowExt",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,197",
        "eid": 4328,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\AllFilesystemObjects\\NeverShowExt",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,197",
        "eid": 4329,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{625B53C3-AB48-4EC1-BA1F-A1EF4146FC19}\\Category",
          "content": "4"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,197",
        "eid": 4330,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{625B53C3-AB48-4EC1-BA1F-A1EF4146FC19}\\Name",
          "content": "Start Menu"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,197",
        "eid": 4331,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{625B53C3-AB48-4EC1-BA1F-A1EF4146FC19}\\ParentFolder",
          "content": "{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,197",
        "eid": 4332,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{625B53C3-AB48-4EC1-BA1F-A1EF4146FC19}\\Description",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,197",
        "eid": 4333,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{625B53C3-AB48-4EC1-BA1F-A1EF4146FC19}\\RelativePath",
          "content": "Microsoft\\Windows\\Start Menu"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,197",
        "eid": 4334,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{625B53C3-AB48-4EC1-BA1F-A1EF4146FC19}\\ParsingName",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,197",
        "eid": 4335,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{625B53C3-AB48-4EC1-BA1F-A1EF4146FC19}\\InfoTip",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,197",
        "eid": 4336,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{625B53C3-AB48-4EC1-BA1F-A1EF4146FC19}\\LocalizedName",
          "content": "@%SystemRoot%\\system32\\shell32.dll,-21786"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,197",
        "eid": 4337,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{625B53C3-AB48-4EC1-BA1F-A1EF4146FC19}\\Icon",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,197",
        "eid": 4338,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{625B53C3-AB48-4EC1-BA1F-A1EF4146FC19}\\Security",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,197",
        "eid": 4339,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{625B53C3-AB48-4EC1-BA1F-A1EF4146FC19}\\StreamResource",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,197",
        "eid": 4340,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{625B53C3-AB48-4EC1-BA1F-A1EF4146FC19}\\StreamResourceType",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,197",
        "eid": 4341,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{625B53C3-AB48-4EC1-BA1F-A1EF4146FC19}\\LocalRedirectOnly",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,197",
        "eid": 4342,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{625B53C3-AB48-4EC1-BA1F-A1EF4146FC19}\\Roamable",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,197",
        "eid": 4343,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{625B53C3-AB48-4EC1-BA1F-A1EF4146FC19}\\PreCreate",
          "content": "1"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,197",
        "eid": 4344,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{625B53C3-AB48-4EC1-BA1F-A1EF4146FC19}\\Stream",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,197",
        "eid": 4345,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{625B53C3-AB48-4EC1-BA1F-A1EF4146FC19}\\PublishExpandedPath",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,197",
        "eid": 4346,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{625B53C3-AB48-4EC1-BA1F-A1EF4146FC19}\\DefinitionFlags",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,197",
        "eid": 4347,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{625B53C3-AB48-4EC1-BA1F-A1EF4146FC19}\\Attributes",
          "content": "1"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,197",
        "eid": 4348,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{625B53C3-AB48-4EC1-BA1F-A1EF4146FC19}\\FolderTypeID",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,197",
        "eid": 4349,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{625B53C3-AB48-4EC1-BA1F-A1EF4146FC19}\\InitFolderHandler",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,197",
        "eid": 4350,
        "data": {
          "regkey": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders\\Start Menu",
          "content": "%USERPROFILE%\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,197",
        "eid": 4351,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A4115719-D62E-491D-AA7C-E74B8BE3B067}\\Category",
          "content": "3"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,197",
        "eid": 4352,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A4115719-D62E-491D-AA7C-E74B8BE3B067}\\Name",
          "content": "Common Start Menu"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,197",
        "eid": 4353,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A4115719-D62E-491D-AA7C-E74B8BE3B067}\\ParentFolder",
          "content": "{62AB5D82-FDC1-4DC3-A9DD-070D1D495D97}"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,197",
        "eid": 4354,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A4115719-D62E-491D-AA7C-E74B8BE3B067}\\Description",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,197",
        "eid": 4355,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A4115719-D62E-491D-AA7C-E74B8BE3B067}\\RelativePath",
          "content": "Microsoft\\Windows\\Start Menu"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,197",
        "eid": 4356,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A4115719-D62E-491D-AA7C-E74B8BE3B067}\\ParsingName",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,197",
        "eid": 4357,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A4115719-D62E-491D-AA7C-E74B8BE3B067}\\InfoTip",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,197",
        "eid": 4358,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A4115719-D62E-491D-AA7C-E74B8BE3B067}\\LocalizedName",
          "content": "@%SystemRoot%\\system32\\shell32.dll,-21786"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,197",
        "eid": 4359,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A4115719-D62E-491D-AA7C-E74B8BE3B067}\\Icon",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,197",
        "eid": 4360,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A4115719-D62E-491D-AA7C-E74B8BE3B067}\\Security",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,197",
        "eid": 4361,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A4115719-D62E-491D-AA7C-E74B8BE3B067}\\StreamResource",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,197",
        "eid": 4362,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A4115719-D62E-491D-AA7C-E74B8BE3B067}\\StreamResourceType",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,197",
        "eid": 4363,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A4115719-D62E-491D-AA7C-E74B8BE3B067}\\LocalRedirectOnly",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,197",
        "eid": 4364,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A4115719-D62E-491D-AA7C-E74B8BE3B067}\\Roamable",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,197",
        "eid": 4365,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A4115719-D62E-491D-AA7C-E74B8BE3B067}\\PreCreate",
          "content": "1"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,197",
        "eid": 4366,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A4115719-D62E-491D-AA7C-E74B8BE3B067}\\Stream",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,197",
        "eid": 4367,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A4115719-D62E-491D-AA7C-E74B8BE3B067}\\PublishExpandedPath",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,197",
        "eid": 4368,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A4115719-D62E-491D-AA7C-E74B8BE3B067}\\DefinitionFlags",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,197",
        "eid": 4369,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A4115719-D62E-491D-AA7C-E74B8BE3B067}\\Attributes",
          "content": "1"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,197",
        "eid": 4370,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A4115719-D62E-491D-AA7C-E74B8BE3B067}\\FolderTypeID",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,197",
        "eid": 4371,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{A4115719-D62E-491D-AA7C-E74B8BE3B067}\\InitFolderHandler",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,197",
        "eid": 4372,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders\\Common Start Menu",
          "content": "%ProgramData%\\Microsoft\\Windows\\Start Menu"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,213",
        "eid": 4373,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{AE50C081-EBD2-438A-8655-8A092E34987A}\\Category",
          "content": "4"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,213",
        "eid": 4374,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{AE50C081-EBD2-438A-8655-8A092E34987A}\\Name",
          "content": "Recent"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,213",
        "eid": 4375,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{AE50C081-EBD2-438A-8655-8A092E34987A}\\ParentFolder",
          "content": "{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,213",
        "eid": 4376,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{AE50C081-EBD2-438A-8655-8A092E34987A}\\Description",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,213",
        "eid": 4377,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{AE50C081-EBD2-438A-8655-8A092E34987A}\\RelativePath",
          "content": "Microsoft\\Windows\\Recent"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,213",
        "eid": 4378,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{AE50C081-EBD2-438A-8655-8A092E34987A}\\ParsingName",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,213",
        "eid": 4379,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{AE50C081-EBD2-438A-8655-8A092E34987A}\\InfoTip",
          "content": "@shell32,dll,-12692"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,213",
        "eid": 4380,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{AE50C081-EBD2-438A-8655-8A092E34987A}\\LocalizedName",
          "content": "@%SystemRoot%\\system32\\shell32.dll,-21797"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,213",
        "eid": 4381,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{AE50C081-EBD2-438A-8655-8A092E34987A}\\Icon",
          "content": "%SystemRoot%\\system32\\imageres.dll,-117"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,213",
        "eid": 4382,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{AE50C081-EBD2-438A-8655-8A092E34987A}\\Security",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,213",
        "eid": 4383,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{AE50C081-EBD2-438A-8655-8A092E34987A}\\StreamResource",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,213",
        "eid": 4384,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{AE50C081-EBD2-438A-8655-8A092E34987A}\\StreamResourceType",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,213",
        "eid": 4385,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{AE50C081-EBD2-438A-8655-8A092E34987A}\\LocalRedirectOnly",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,213",
        "eid": 4386,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{AE50C081-EBD2-438A-8655-8A092E34987A}\\Roamable",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,213",
        "eid": 4387,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{AE50C081-EBD2-438A-8655-8A092E34987A}\\PreCreate",
          "content": "1"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,213",
        "eid": 4388,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{AE50C081-EBD2-438A-8655-8A092E34987A}\\Stream",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,213",
        "eid": 4389,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{AE50C081-EBD2-438A-8655-8A092E34987A}\\PublishExpandedPath",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,213",
        "eid": 4390,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{AE50C081-EBD2-438A-8655-8A092E34987A}\\DefinitionFlags",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,213",
        "eid": 4391,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{AE50C081-EBD2-438A-8655-8A092E34987A}\\Attributes",
          "content": "1"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,213",
        "eid": 4392,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{AE50C081-EBD2-438A-8655-8A092E34987A}\\FolderTypeID",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,213",
        "eid": 4393,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{AE50C081-EBD2-438A-8655-8A092E34987A}\\InitFolderHandler",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,213",
        "eid": 4394,
        "data": {
          "regkey": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders\\Recent",
          "content": "%USERPROFILE%\\AppData\\Roaming\\Microsoft\\Windows\\Recent"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,213",
        "eid": 4395,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\\Category",
          "content": "2"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,213",
        "eid": 4396,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\\Name",
          "content": "Windows"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,213",
        "eid": 4397,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\\ParentFolder",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,213",
        "eid": 4398,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\\Description",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,213",
        "eid": 4399,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\\RelativePath",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,213",
        "eid": 4400,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\\ParsingName",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,213",
        "eid": 4401,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\\InfoTip",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,213",
        "eid": 4402,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\\LocalizedName",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,213",
        "eid": 4403,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\\Icon",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,213",
        "eid": 4404,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\\Security",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,213",
        "eid": 4405,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\\StreamResource",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,213",
        "eid": 4406,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\\StreamResourceType",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,213",
        "eid": 4407,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\\LocalRedirectOnly",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,213",
        "eid": 4408,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\\Roamable",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,213",
        "eid": 4409,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\\PreCreate",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,213",
        "eid": 4410,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\\Stream",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,213",
        "eid": 4411,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\\PublishExpandedPath",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,213",
        "eid": 4412,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\\DefinitionFlags",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,213",
        "eid": 4413,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\\Attributes",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,213",
        "eid": 4414,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\\FolderTypeID",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,213",
        "eid": 4415,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\\InitFolderHandler",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,213",
        "eid": 4416,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\\Category",
          "content": "2"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,213",
        "eid": 4417,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\\Name",
          "content": "System"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,213",
        "eid": 4418,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\\ParentFolder",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,213",
        "eid": 4419,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\\Description",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,213",
        "eid": 4420,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\\RelativePath",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,213",
        "eid": 4421,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\\ParsingName",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,213",
        "eid": 4422,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\\InfoTip",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,213",
        "eid": 4423,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\\LocalizedName",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,213",
        "eid": 4424,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\\Icon",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,213",
        "eid": 4425,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\\Security",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,213",
        "eid": 4426,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\\StreamResource",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,213",
        "eid": 4427,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\\StreamResourceType",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,213",
        "eid": 4428,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\\LocalRedirectOnly",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,213",
        "eid": 4429,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\\Roamable",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,213",
        "eid": 4430,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\\PreCreate",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,213",
        "eid": 4431,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\\Stream",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,213",
        "eid": 4432,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\\PublishExpandedPath",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,213",
        "eid": 4433,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\\DefinitionFlags",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,213",
        "eid": 4434,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\\Attributes",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,213",
        "eid": 4435,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\\FolderTypeID",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,213",
        "eid": 4436,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\\InitFolderHandler",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,213",
        "eid": 4437,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{FDD39AD0-238F-46AF-ADB4-6C85480369C7}\\Category",
          "content": "4"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,213",
        "eid": 4438,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{FDD39AD0-238F-46AF-ADB4-6C85480369C7}\\Name",
          "content": "Personal"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,213",
        "eid": 4439,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{FDD39AD0-238F-46AF-ADB4-6C85480369C7}\\ParentFolder",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,213",
        "eid": 4440,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{FDD39AD0-238F-46AF-ADB4-6C85480369C7}\\Description",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,213",
        "eid": 4441,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{FDD39AD0-238F-46AF-ADB4-6C85480369C7}\\RelativePath",
          "content": "Documents"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,213",
        "eid": 4442,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{FDD39AD0-238F-46AF-ADB4-6C85480369C7}\\ParsingName",
          "content": "shell:::{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\::{A8CDFF1C-4878-43be-B5FD-F8091C1C60D0}"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,213",
        "eid": 4443,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{FDD39AD0-238F-46AF-ADB4-6C85480369C7}\\InfoTip",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,213",
        "eid": 4444,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{FDD39AD0-238F-46AF-ADB4-6C85480369C7}\\LocalizedName",
          "content": "@%SystemRoot%\\system32\\windows.storage.dll,-21770"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,213",
        "eid": 4445,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{FDD39AD0-238F-46AF-ADB4-6C85480369C7}\\Icon",
          "content": "%SystemRoot%\\system32\\imageres.dll,-112"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,213",
        "eid": 4446,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{FDD39AD0-238F-46AF-ADB4-6C85480369C7}\\Security",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,213",
        "eid": 4447,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{FDD39AD0-238F-46AF-ADB4-6C85480369C7}\\StreamResource",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,213",
        "eid": 4448,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{FDD39AD0-238F-46AF-ADB4-6C85480369C7}\\StreamResourceType",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,213",
        "eid": 4449,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{FDD39AD0-238F-46AF-ADB4-6C85480369C7}\\LocalRedirectOnly",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,213",
        "eid": 4450,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{FDD39AD0-238F-46AF-ADB4-6C85480369C7}\\Roamable",
          "content": "1"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,213",
        "eid": 4451,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{FDD39AD0-238F-46AF-ADB4-6C85480369C7}\\PreCreate",
          "content": "1"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,213",
        "eid": 4452,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{FDD39AD0-238F-46AF-ADB4-6C85480369C7}\\Stream",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,213",
        "eid": 4453,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{FDD39AD0-238F-46AF-ADB4-6C85480369C7}\\PublishExpandedPath",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,213",
        "eid": 4454,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{FDD39AD0-238F-46AF-ADB4-6C85480369C7}\\DefinitionFlags",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,213",
        "eid": 4455,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{FDD39AD0-238F-46AF-ADB4-6C85480369C7}\\Attributes",
          "content": "1"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,213",
        "eid": 4456,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{FDD39AD0-238F-46AF-ADB4-6C85480369C7}\\FolderTypeID",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,213",
        "eid": 4457,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{FDD39AD0-238F-46AF-ADB4-6C85480369C7}\\InitFolderHandler",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,213",
        "eid": 4458,
        "data": {
          "regkey": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders\\Personal",
          "content": "%USERPROFILE%\\Documents"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,213",
        "eid": 4459,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{FD228CB7-AE11-4AE3-864C-16F3910AB8FE}\\Category",
          "content": "2"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,213",
        "eid": 4460,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{FD228CB7-AE11-4AE3-864C-16F3910AB8FE}\\Name",
          "content": "Fonts"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,213",
        "eid": 4461,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{FD228CB7-AE11-4AE3-864C-16F3910AB8FE}\\ParentFolder",
          "content": "{F38BF404-1D43-42F2-9305-67DE0B28FC23}"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,213",
        "eid": 4462,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{FD228CB7-AE11-4AE3-864C-16F3910AB8FE}\\Description",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,213",
        "eid": 4463,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{FD228CB7-AE11-4AE3-864C-16F3910AB8FE}\\RelativePath",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,213",
        "eid": 4464,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{FD228CB7-AE11-4AE3-864C-16F3910AB8FE}\\ParsingName",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,213",
        "eid": 4465,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{FD228CB7-AE11-4AE3-864C-16F3910AB8FE}\\InfoTip",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,213",
        "eid": 4466,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{FD228CB7-AE11-4AE3-864C-16F3910AB8FE}\\LocalizedName",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,213",
        "eid": 4467,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{FD228CB7-AE11-4AE3-864C-16F3910AB8FE}\\Icon",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,213",
        "eid": 4468,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{FD228CB7-AE11-4AE3-864C-16F3910AB8FE}\\Security",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,213",
        "eid": 4469,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{FD228CB7-AE11-4AE3-864C-16F3910AB8FE}\\StreamResource",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,213",
        "eid": 4470,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{FD228CB7-AE11-4AE3-864C-16F3910AB8FE}\\StreamResourceType",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,213",
        "eid": 4471,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{FD228CB7-AE11-4AE3-864C-16F3910AB8FE}\\LocalRedirectOnly",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,213",
        "eid": 4472,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{FD228CB7-AE11-4AE3-864C-16F3910AB8FE}\\Roamable",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,213",
        "eid": 4473,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{FD228CB7-AE11-4AE3-864C-16F3910AB8FE}\\PreCreate",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,213",
        "eid": 4474,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{FD228CB7-AE11-4AE3-864C-16F3910AB8FE}\\Stream",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,213",
        "eid": 4475,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{FD228CB7-AE11-4AE3-864C-16F3910AB8FE}\\PublishExpandedPath",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,213",
        "eid": 4476,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{FD228CB7-AE11-4AE3-864C-16F3910AB8FE}\\DefinitionFlags",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,213",
        "eid": 4477,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{FD228CB7-AE11-4AE3-864C-16F3910AB8FE}\\Attributes",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,213",
        "eid": 4478,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{FD228CB7-AE11-4AE3-864C-16F3910AB8FE}\\FolderTypeID",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,213",
        "eid": 4479,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{FD228CB7-AE11-4AE3-864C-16F3910AB8FE}\\InitFolderHandler",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,229",
        "eid": 4480,
        "data": {
          "regkey": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{528c102f-0000-0000-0000-100000000000}\\Data",
          "content": "\\xd6\r\\x00\\x00\r\\xf0\\xad\\xba\\x01\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x80\\x00\\x00\\x00\\x00\\x00\\x00\\x000\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xff\\x06\\xe7\\x03\\xff\\x00\\x00\\x00\\x16\\x00\\x00\\x00R\\xbd\\xbb\\x88\\x1e\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x0b\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\\\x00\\\\x00?\\x00\\\\x00S\\x00T\\x00O\\x00R\\x00A\\x00G\\x00E\\x00#\\x00V\\x00o\\x00l\\x00u\\x00m\\x00e\\x00#\\x00{\\x00e\\x003\\x002\\x00a\\x009\\x004\\x004\\x002\\x00-\\x005\\x00a\\x00f\\x002\\x00-\\x001\\x001\\x00f\\x001\\x00-\\x00a\\x00e\\x002\\x00c\\x00-\\x008\\x000\\x006\\x00e\\x006\\x00f\\x006\\x00e\\x006\\x009\\x006\\x003\\x00}\\x00#\\x000\\x000\\x000\\x000\\x000\\x000\\x000\\x000\\x000\\x000\\x001\\x000\\x000\\x000\\x000\\x000\\x00#\\x00{\\x005\\x003\\x00f\\x005\\x006\\x003\\x000\\x00d\\x00-\\x00b\\x006\\x00b\\x00f\\x00-\\x001\\x001\\x00d\\x000\\x00-\\x009\\x004\\x00f\\x002\\x00-\\x000\\x000\\x00a\\x000\\x00c\\x009\\x001\\x00e\\x00f\\x00b\\x008\\x00b\\x00}\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\
\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,229",
        "eid": 4481,
        "data": {
          "regkey": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{528c102f-0000-0000-0000-100000000000}\\Generation",
          "content": "1"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,229",
        "eid": 4482,
        "data": {
          "regkey": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{528c102f-0000-0000-0000-300300000000}\\Data",
          "content": "\\xd6\r\\x00\\x00\r\\xf0\\xad\\xbaA\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x80\\x00\\x00\\x00\\x00\\x00\\x00\\x000\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xff\\x06\\xe7\\x03\\xff\\x00\\x00\\x00\\x16\\x00\\x00\\x00&\\x00\\xbc\\x12\\x1f\\x00\\x00\\x00\\x04@\\x00\\x00\\x0b\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\\\x00\\\\x00?\\x00\\\\x00S\\x00T\\x00O\\x00R\\x00A\\x00G\\x00E\\x00#\\x00V\\x00o\\x00l\\x00u\\x00m\\x00e\\x00#\\x00{\\x00e\\x003\\x002\\x00a\\x009\\x004\\x004\\x002\\x00-\\x005\\x00a\\x00f\\x002\\x00-\\x001\\x001\\x00f\\x001\\x00-\\x00a\\x00e\\x002\\x00c\\x00-\\x008\\x000\\x006\\x00e\\x006\\x00f\\x006\\x00e\\x006\\x009\\x006\\x003\\x00}\\x00#\\x000\\x000\\x000\\x000\\x000\\x000\\x000\\x000\\x000\\x003\\x003\\x000\\x000\\x000\\x000\\x000\\x00#\\x00{\\x005\\x003\\x00f\\x005\\x006\\x003\\x000\\x00d\\x00-\\x00b\\x006\\x00b\\x00f\\x00-\\x001\\x001\\x00d\\x000\\x00-\\x009\\x004\\x00f\\x002\\x00-\\x000\\x000\\x00a\\x000\\x00c\\x009\\x001\\x00e\\x00f\\x00b\\x008\\x00b\\x00}\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x0
0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,229",
        "eid": 4483,
        "data": {
          "regkey": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{528c102f-0000-0000-0000-300300000000}\\Generation",
          "content": "1"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,229",
        "eid": 4484,
        "data": {
          "regkey": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{528c102f-0000-0000-0000-c0dd0e000000}\\Data",
          "content": "\\xd6\r\\x00\\x00\r\\xf0\\xad\\xba\\x01\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x80\\x00\\x00\\x00\\x00\\x00\\x00\\x000\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xff\\x06\\xe7\\x03\\xff\\x00\\x00\\x00\\x16\\x00\\x00\\x00\\x9d\\x7f\\xd7`\\x1e\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x0b\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\\\x00\\\\x00?\\x00\\\\x00S\\x00T\\x00O\\x00R\\x00A\\x00G\\x00E\\x00#\\x00V\\x00o\\x00l\\x00u\\x00m\\x00e\\x00#\\x00{\\x00e\\x003\\x002\\x00a\\x009\\x004\\x004\\x002\\x00-\\x005\\x00a\\x00f\\x002\\x00-\\x001\\x001\\x00f\\x001\\x00-\\x00a\\x00e\\x002\\x00c\\x00-\\x008\\x000\\x006\\x00e\\x006\\x00f\\x006\\x00e\\x006\\x009\\x006\\x003\\x00}\\x00#\\x000\\x000\\x000\\x000\\x000\\x000\\x000\\x00E\\x00D\\x00D\\x00C\\x000\\x000\\x000\\x000\\x000\\x00#\\x00{\\x005\\x003\\x00f\\x005\\x006\\x003\\x000\\x00d\\x00-\\x00b\\x006\\x00b\\x00f\\x00-\\x001\\x001\\x00d\\x000\\x00-\\x009\\x004\\x00f\\x002\\x00-\\x000\\x000\\x00a\\x000\\x00c\\x009\\x001\\x00e\\x00f\\x00b\\x008\\x00b\\x00}\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\
\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,229",
        "eid": 4485,
        "data": {
          "regkey": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{528c102f-0000-0000-0000-c0dd0e000000}\\Generation",
          "content": "1"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,229",
        "eid": 4486,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Drive\\shellex\\FolderExtensions\\{fbeb8a05-beee-4442-804e-409d6c4515e9}\\DriveMask",
          "content": "32"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,244",
        "eid": 4487,
        "data": {
          "regkey": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{e32a94c0-5af2-11f1-ae2c-806e6f6e6963}\\Data",
          "content": "\\xd6\r\\x00\\x00\r\\xf0\\xad\\xba\\x01\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\x80\\x00\\x00\\x00\\x00\\x00\\x00\\x000\\x00\\x00\\x00\\x80#\\x00\\x00\\x00\\x07\\x02H\\x01\\xfe\\x00\\x00\\x00\\x11\\x00\\x00\\x00x\\x00'\\xca\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x0b\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\\\x00\\\\x00?\\x00\\\\x00S\\x00C\\x00S\\x00I\\x00#\\x00C\\x00d\\x00R\\x00o\\x00m\\x00&\\x00V\\x00e\\x00n\\x00_\\x00<\\x00W\\x00O\\x00O\\x00T\\x00>\\x00&\\x00P\\x00r\\x00o\\x00d\\x00_\\x00H\\x00L\\x00-\\x00P\\x00Q\\x00-\\x00S\\x00V\\x00_\\x00W\\x00B\\x008\\x00#\\x004\\x00&\\x003\\x005\\x004\\x002\\x004\\x008\\x006\\x007\\x00&\\x000\\x00&\\x000\\x001\\x000\\x000\\x000\\x000\\x00#\\x00{\\x005\\x003\\x00f\\x005\\x006\\x003\\x000\\x00d\\x00-\\x00b\\x006\\x00b\\x00f\\x00-\\x001\\x001\\x00d\\x000\\x00-\\x009\\x004\\x00f\\x002\\x00-\\x000\\x000\\x00a\\x000\\x00c\\x009\\x001\\x00e\\x00f\\x00b\\x008\\x00b\\x00}\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x0
0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,244",
        "eid": 4488,
        "data": {
          "regkey": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{e32a94c0-5af2-11f1-ae2c-806e6f6e6963}\\Generation",
          "content": "1"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:14,244",
        "eid": 4489,
        "data": {
          "file": "C:\\Windows\\System32\\windows.storage.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc73790000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:14,244",
        "eid": 4490,
        "data": {
          "file": "api-ms-win-downlevel-shell32-l1-1-0.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc775b0000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:14,244",
        "eid": 4491,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,244",
        "eid": 4492,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.ApplicationModel.LimitedAccessFeatures\\ActivationType",
          "content": "0"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,244",
        "eid": 4493,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.ApplicationModel.LimitedAccessFeatures\\Server",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,244",
        "eid": 4494,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.ApplicationModel.LimitedAccessFeatures\\DllPath",
          "content": "C:\\Windows\\System32\\Windows.ApplicationModel.dll"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,244",
        "eid": 4495,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.ApplicationModel.LimitedAccessFeatures\\Threading",
          "content": "0"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,244",
        "eid": 4496,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.ApplicationModel.LimitedAccessFeatures\\TrustLevel",
          "content": "0"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,244",
        "eid": 4497,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.ApplicationModel.LimitedAccessFeatures\\RemoteServer",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,244",
        "eid": 4498,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.ApplicationModel.LimitedAccessFeatures\\ActivateAsUser",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,244",
        "eid": 4499,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.ApplicationModel.LimitedAccessFeatures\\ActivateInSharedBroker",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,244",
        "eid": 4500,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.ApplicationModel.LimitedAccessFeatures\\ActivateInBrokerForMediumILContainer",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,244",
        "eid": 4501,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.ApplicationModel.LimitedAccessFeatures\\Permissions",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,244",
        "eid": 4502,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.ApplicationModel.LimitedAccessFeatures\\ActivateOnHostFlags",
          "content": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:14,244",
        "eid": 4503,
        "data": {
          "file": "C:\\Windows\\System32\\Windows.ApplicationModel.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc63700000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:14,244",
        "eid": 4504,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:14,260",
        "eid": 4505,
        "data": {
          "file": "C:\\Windows\\System32\\bcryptprimitives.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc75fa0000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:14,260",
        "eid": 4506,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:14,260",
        "eid": 4507,
        "data": {
          "file": "ntdll.dll",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,260",
        "eid": 4508,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\LimitedAccessFeatures\\com.microsoft.windows.taskbar.requestPinSecondaryTile\\(Default)",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,260",
        "eid": 4509,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\LimitedAccessFeatures\\com.microsoft.windows.taskbar.requestPinSecondaryTile\\(Default)",
          "content": "04c19204-10d9-450a-95c4-2910c8f72be3"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,260",
        "eid": 4510,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Security.Cryptography.CryptographicBuffer\\ActivationType",
          "content": "0"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,260",
        "eid": 4511,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Security.Cryptography.CryptographicBuffer\\Server",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,260",
        "eid": 4512,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Security.Cryptography.CryptographicBuffer\\DllPath",
          "content": "C:\\Windows\\System32\\CryptoWinRT.dll"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,260",
        "eid": 4513,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Security.Cryptography.CryptographicBuffer\\Threading",
          "content": "0"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,260",
        "eid": 4514,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Security.Cryptography.CryptographicBuffer\\TrustLevel",
          "content": "0"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,260",
        "eid": 4515,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Security.Cryptography.CryptographicBuffer\\RemoteServer",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,260",
        "eid": 4516,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Security.Cryptography.CryptographicBuffer\\ActivateAsUser",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,260",
        "eid": 4517,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Security.Cryptography.CryptographicBuffer\\ActivateInSharedBroker",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,260",
        "eid": 4518,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Security.Cryptography.CryptographicBuffer\\ActivateInBrokerForMediumILContainer",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,260",
        "eid": 4519,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Security.Cryptography.CryptographicBuffer\\Permissions",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,260",
        "eid": 4520,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Security.Cryptography.CryptographicBuffer\\ActivateOnHostFlags",
          "content": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:14,260",
        "eid": 4521,
        "data": {
          "file": "C:\\Windows\\System32\\CryptoWinRT.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc51a40000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:14,260",
        "eid": 4522,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,260",
        "eid": 4523,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Security.Cryptography.Core.HashAlgorithmNames\\ActivationType",
          "content": "0"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,260",
        "eid": 4524,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Security.Cryptography.Core.HashAlgorithmNames\\Server",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,260",
        "eid": 4525,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Security.Cryptography.Core.HashAlgorithmNames\\DllPath",
          "content": "C:\\Windows\\System32\\CryptoWinRT.dll"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,260",
        "eid": 4526,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Security.Cryptography.Core.HashAlgorithmNames\\Threading",
          "content": "0"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,260",
        "eid": 4527,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Security.Cryptography.Core.HashAlgorithmNames\\TrustLevel",
          "content": "0"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,260",
        "eid": 4528,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Security.Cryptography.Core.HashAlgorithmNames\\RemoteServer",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,260",
        "eid": 4529,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Security.Cryptography.Core.HashAlgorithmNames\\ActivateAsUser",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,260",
        "eid": 4530,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Security.Cryptography.Core.HashAlgorithmNames\\ActivateInSharedBroker",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,260",
        "eid": 4531,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Security.Cryptography.Core.HashAlgorithmNames\\ActivateInBrokerForMediumILContainer",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,260",
        "eid": 4532,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Security.Cryptography.Core.HashAlgorithmNames\\Permissions",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,260",
        "eid": 4533,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Security.Cryptography.Core.HashAlgorithmNames\\ActivateOnHostFlags",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,260",
        "eid": 4534,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Security.Cryptography.Core.HashAlgorithmProvider\\ActivationType",
          "content": "0"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,260",
        "eid": 4535,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Security.Cryptography.Core.HashAlgorithmProvider\\Server",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,260",
        "eid": 4536,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Security.Cryptography.Core.HashAlgorithmProvider\\DllPath",
          "content": "C:\\Windows\\System32\\CryptoWinRT.dll"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,260",
        "eid": 4537,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Security.Cryptography.Core.HashAlgorithmProvider\\Threading",
          "content": "0"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,260",
        "eid": 4538,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Security.Cryptography.Core.HashAlgorithmProvider\\TrustLevel",
          "content": "0"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,260",
        "eid": 4539,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Security.Cryptography.Core.HashAlgorithmProvider\\RemoteServer",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,260",
        "eid": 4540,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Security.Cryptography.Core.HashAlgorithmProvider\\ActivateAsUser",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,260",
        "eid": 4541,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Security.Cryptography.Core.HashAlgorithmProvider\\ActivateInSharedBroker",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,260",
        "eid": 4542,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Security.Cryptography.Core.HashAlgorithmProvider\\ActivateInBrokerForMediumILContainer",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,260",
        "eid": 4543,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Security.Cryptography.Core.HashAlgorithmProvider\\Permissions",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,260",
        "eid": 4544,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Security.Cryptography.Core.HashAlgorithmProvider\\ActivateOnHostFlags",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,260",
        "eid": 4545,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\LimitedAccessFeatures\\com.microsoft.windows.taskbar.requestPinSecondaryTile\\Expiration",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,260",
        "eid": 4546,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.UI.StartScreen.SecondaryTile\\ActivationType",
          "content": "0"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,260",
        "eid": 4547,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.UI.StartScreen.SecondaryTile\\Server",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,260",
        "eid": 4548,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.UI.StartScreen.SecondaryTile\\DllPath",
          "content": "C:\\Windows\\System32\\wpnapps.dll"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,260",
        "eid": 4549,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.UI.StartScreen.SecondaryTile\\Threading",
          "content": "2"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,260",
        "eid": 4550,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.UI.StartScreen.SecondaryTile\\TrustLevel",
          "content": "1"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,260",
        "eid": 4551,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.UI.StartScreen.SecondaryTile\\RemoteServer",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,260",
        "eid": 4552,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.UI.StartScreen.SecondaryTile\\ActivateAsUser",
          "content": "1"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,260",
        "eid": 4553,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.UI.StartScreen.SecondaryTile\\ActivateInSharedBroker",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,260",
        "eid": 4554,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.UI.StartScreen.SecondaryTile\\ActivateInBrokerForMediumILContainer",
          "content": "1"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,260",
        "eid": 4555,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.UI.StartScreen.SecondaryTile\\Permissions",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,260",
        "eid": 4556,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.UI.StartScreen.SecondaryTile\\ActivateOnHostFlags",
          "content": null
        }
      },
      {
        "event": "write",
        "object": "file",
        "timestamp": "2026-05-28 22:02:14,275",
        "eid": 4557,
        "data": {
          "file": "\\Device\\NamedPipe\\LOCAL\\mojo.9188.10632.18297276111718467407"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,275",
        "eid": 4558,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.Tiles.SecondaryTileStore\\ActivationType",
          "content": "0"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,275",
        "eid": 4559,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.Tiles.SecondaryTileStore\\Server",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,275",
        "eid": 4560,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.Tiles.SecondaryTileStore\\DllPath",
          "content": "C:\\Windows\\System32\\TileDataRepository.dll"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,275",
        "eid": 4561,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.Tiles.SecondaryTileStore\\Threading",
          "content": "0"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,275",
        "eid": 4562,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.Tiles.SecondaryTileStore\\TrustLevel",
          "content": "0"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,275",
        "eid": 4563,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.Tiles.SecondaryTileStore\\RemoteServer",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,275",
        "eid": 4564,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.Tiles.SecondaryTileStore\\ActivateAsUser",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,275",
        "eid": 4565,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.Tiles.SecondaryTileStore\\ActivateInSharedBroker",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,275",
        "eid": 4566,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.Tiles.SecondaryTileStore\\ActivateInBrokerForMediumILContainer",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,275",
        "eid": 4567,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.Tiles.SecondaryTileStore\\Permissions",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,275",
        "eid": 4568,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.Tiles.SecondaryTileStore\\ActivateOnHostFlags",
          "content": null
        }
      },
      {
        "event": "write",
        "object": "file",
        "timestamp": "2026-05-28 22:02:14,275",
        "eid": 4569,
        "data": {
          "file": "\\Device\\NamedPipe\\LOCAL\\mojo.9188.10632.18297276111718467407"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:14,291",
        "eid": 4570,
        "data": {
          "file": "C:\\Windows\\System32\\TileDataRepository.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc61260000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:14,291",
        "eid": 4571,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:14,291",
        "eid": 4572,
        "data": {
          "file": "ntdll.dll",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,291",
        "eid": 4573,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.System.Internal.UserManager\\ActivationType",
          "content": "1"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,291",
        "eid": 4574,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.System.Internal.UserManager\\Server",
          "content": "UserManager"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,291",
        "eid": 4575,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.System.Internal.UserManager\\DllPath",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,291",
        "eid": 4576,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.System.Internal.UserManager\\Threading",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,291",
        "eid": 4577,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.System.Internal.UserManager\\TrustLevel",
          "content": "0"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,291",
        "eid": 4578,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.System.Internal.UserManager\\RemoteServer",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,291",
        "eid": 4579,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.System.Internal.UserManager\\ActivateAsUser",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,291",
        "eid": 4580,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.System.Internal.UserManager\\ActivateInSharedBroker",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,291",
        "eid": 4581,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.System.Internal.UserManager\\ActivateInBrokerForMediumILContainer",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,291",
        "eid": 4582,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.System.Internal.UserManager\\Permissions",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,291",
        "eid": 4583,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.System.Internal.UserManager\\ActivateOnHostFlags",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,291",
        "eid": 4584,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\Server\\UserManager\\ExePath",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,291",
        "eid": 4585,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\Server\\UserManager\\CommandLine",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,291",
        "eid": 4586,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\Server\\UserManager\\IdentityType",
          "content": "1"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,291",
        "eid": 4587,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\Server\\UserManager\\Permissions",
          "content": "\\x01\\x00\\x14\\x80d\\x00\\x00\\x00p\\x00\\x00\\x00\\x14\\x00\\x00\\x000\\x00\\x00\\x00\\x02\\x00\\x1c\\x00\\x01\\x00\\x00\\x00\\x11\\x00\\x14\\x00\\x04\\x00\\x00\\x00\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x10\\x00\\x00\\x02\\x004\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x18\\x00\\x1f\\x00\\x00\\x00\\x01\\x02\\x00\\x00\\x00\\x00\\x00\\x0f\\x02\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x14\\x00\\x1f\\x00\\x00\\x00\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x05\n\\x00\\x00\\x00\\x01\\x02\\x00\\x00\\x00\\x00\\x00\\x05 \\x00\\x00\\x00!\\x02\\x00\\x00"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,291",
        "eid": 4588,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\Server\\UserManager\\ActivatableClasses",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,291",
        "eid": 4589,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\Server\\UserManager\\ServerType",
          "content": "2"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,291",
        "eid": 4590,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\Server\\UserManager\\AppId",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,291",
        "eid": 4591,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\Server\\UserManager\\Identity",
          "content": "nt authority\\system"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,291",
        "eid": 4592,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\Server\\UserManager\\ServiceName",
          "content": "UserManager"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,291",
        "eid": 4593,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\Server\\UserManager\\ExplicitPsmActivationType",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,291",
        "eid": 4594,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{252E7F79-ACFA-4EA2-9A7E-FA27A8A4D3D9}\\ProxyStubClsid32\\(Default)",
          "content": "{1BAC8681-2965-4FFC-92D1-170CA4099E01}"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,291",
        "eid": 4595,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{1BAC8681-2965-4FFC-92D1-170CA4099E01}\\ActivateOnHostFlags",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,291",
        "eid": 4596,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{1BAC8681-2965-4FFC-92D1-170CA4099E01}\\(Default)",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,291",
        "eid": 4597,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{1BAC8681-2965-4FFC-92D1-170CA4099E01}\\(Default)",
          "content": "Windows.System.User.ProxyStubFactory"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,291",
        "eid": 4598,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{1BAC8681-2965-4FFC-92D1-170CA4099E01}\\InProcServer32\\InprocServer32",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,291",
        "eid": 4599,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{1BAC8681-2965-4FFC-92D1-170CA4099E01}\\InProcServer32\\(Default)",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,291",
        "eid": 4600,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{1BAC8681-2965-4FFC-92D1-170CA4099E01}\\InProcServer32\\(Default)",
          "content": "C:\\Windows\\System32\\usermgrproxy.dll"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,291",
        "eid": 4601,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{1BAC8681-2965-4FFC-92D1-170CA4099E01}\\InProcServer32\\ThreadingModel",
          "content": "Both"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,291",
        "eid": 4602,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{1BAC8681-2965-4FFC-92D1-170CA4099E01}\\ActivateOnHostFlags",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,291",
        "eid": 4603,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{1BAC8681-2965-4FFC-92D1-170CA4099E01}\\(Default)",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,291",
        "eid": 4604,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{1BAC8681-2965-4FFC-92D1-170CA4099E01}\\(Default)",
          "content": "Windows.System.User.ProxyStubFactory"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,291",
        "eid": 4605,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{1BAC8681-2965-4FFC-92D1-170CA4099E01}\\InProcServer32\\InprocServer32",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,291",
        "eid": 4606,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{1BAC8681-2965-4FFC-92D1-170CA4099E01}\\InProcServer32\\(Default)",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,291",
        "eid": 4607,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{1BAC8681-2965-4FFC-92D1-170CA4099E01}\\InProcServer32\\(Default)",
          "content": "C:\\Windows\\System32\\usermgrproxy.dll"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,291",
        "eid": 4608,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{1BAC8681-2965-4FFC-92D1-170CA4099E01}\\InProcServer32\\ThreadingModel",
          "content": "Both"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,291",
        "eid": 4609,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{1BAC8681-2965-4FFC-92D1-170CA4099E01}\\AppID",
          "content": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:14,307",
        "eid": 4610,
        "data": {
          "file": "C:\\Windows\\System32\\usermgrproxy.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc6e1f0000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:14,307",
        "eid": 4611,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,307",
        "eid": 4612,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{100EB64B-B24C-4C38-8964-720D926D05A4}\\ProxyStubClsid32\\(Default)",
          "content": "{1BAC8681-2965-4FFC-92D1-170CA4099E01}"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,307",
        "eid": 4613,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{DF9A26C6-E746-4BCD-B5D4-120103C4209B}\\ProxyStubClsid32\\(Default)",
          "content": "{1BAC8681-2965-4FFC-92D1-170CA4099E01}"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,307",
        "eid": 4614,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.SecondaryTileView\\ActivationType",
          "content": "1"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,307",
        "eid": 4615,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.SecondaryTileView\\Server",
          "content": "StateRepository"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,307",
        "eid": 4616,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.SecondaryTileView\\DllPath",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,307",
        "eid": 4617,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.SecondaryTileView\\Threading",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,307",
        "eid": 4618,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.SecondaryTileView\\TrustLevel",
          "content": "0"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,307",
        "eid": 4619,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.SecondaryTileView\\RemoteServer",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,307",
        "eid": 4620,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.SecondaryTileView\\ActivateAsUser",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,307",
        "eid": 4621,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.SecondaryTileView\\ActivateInSharedBroker",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,307",
        "eid": 4622,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.SecondaryTileView\\ActivateInBrokerForMediumILContainer",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,307",
        "eid": 4623,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.SecondaryTileView\\Permissions",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,307",
        "eid": 4624,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.SecondaryTileView\\ActivateOnHostFlags",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,307",
        "eid": 4625,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{b3f72108-5c5c-469b-a5e5-3f64d2a39b01}\\ProxyStubClsid32\\(Default)",
          "content": "{c53e07ec-25f3-4093-aa39-fc67ea22e99d}"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,307",
        "eid": 4626,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.Application\\ActivationType",
          "content": "1"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,307",
        "eid": 4627,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.Application\\Server",
          "content": "StateRepository"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,307",
        "eid": 4628,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.Application\\DllPath",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,307",
        "eid": 4629,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.Application\\Threading",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,307",
        "eid": 4630,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.Application\\TrustLevel",
          "content": "0"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,307",
        "eid": 4631,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.Application\\RemoteServer",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,307",
        "eid": 4632,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.Application\\ActivateAsUser",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,307",
        "eid": 4633,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.Application\\ActivateInSharedBroker",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,307",
        "eid": 4634,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.Application\\ActivateInBrokerForMediumILContainer",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,307",
        "eid": 4635,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.Application\\Permissions",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,307",
        "eid": 4636,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.Application\\ActivateOnHostFlags",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,307",
        "eid": 4637,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{d81e96f1-a89c-417e-9335-59531026309d}\\ProxyStubClsid32\\(Default)",
          "content": "{c53e07ec-25f3-4093-aa39-fc67ea22e99d}"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,307",
        "eid": 4638,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{3bed20a5-6dee-4297-b976-3b30df69a7aa}\\ProxyStubClsid32\\(Default)",
          "content": "{c53e07ec-25f3-4093-aa39-fc67ea22e99d}"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,307",
        "eid": 4639,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{7f290da0-75e3-5885-898d-1f5b1ed47ed2}\\ProxyStubClsid32\\(Default)",
          "content": "{c53e07ec-25f3-4093-aa39-fc67ea22e99d}"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,307",
        "eid": 4640,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{9ed07b24-36fd-543b-948e-b01fe5814b49}\\ProxyStubClsid32\\(Default)",
          "content": "{c53e07ec-25f3-4093-aa39-fc67ea22e99d}"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,307",
        "eid": 4641,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{efe869fc-5841-55f1-aa56-82c7219aaa09}\\ProxyStubClsid32\\(Default)",
          "content": "{c53e07ec-25f3-4093-aa39-fc67ea22e99d}"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,307",
        "eid": 4642,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.UI.Shell.TaskbarManager\\ActivationType",
          "content": "0"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,307",
        "eid": 4643,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.UI.Shell.TaskbarManager\\Server",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,307",
        "eid": 4644,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.UI.Shell.TaskbarManager\\DllPath",
          "content": "C:\\Windows\\System32\\wpnapps.dll"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,307",
        "eid": 4645,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.UI.Shell.TaskbarManager\\Threading",
          "content": "0"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,307",
        "eid": 4646,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.UI.Shell.TaskbarManager\\TrustLevel",
          "content": "1"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,307",
        "eid": 4647,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.UI.Shell.TaskbarManager\\RemoteServer",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,307",
        "eid": 4648,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.UI.Shell.TaskbarManager\\ActivateAsUser",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,307",
        "eid": 4649,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.UI.Shell.TaskbarManager\\ActivateInSharedBroker",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,307",
        "eid": 4650,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.UI.Shell.TaskbarManager\\ActivateInBrokerForMediumILContainer",
          "content": "1"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,307",
        "eid": 4651,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.UI.Shell.TaskbarManager\\Permissions",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,307",
        "eid": 4652,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.UI.Shell.TaskbarManager\\ActivateOnHostFlags",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,307",
        "eid": 4653,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.ApplicationModel.TaskbarPinnableSurface\\ActivationType",
          "content": "0"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,307",
        "eid": 4654,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.ApplicationModel.TaskbarPinnableSurface\\Server",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,307",
        "eid": 4655,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.ApplicationModel.TaskbarPinnableSurface\\DllPath",
          "content": "C:\\Windows\\System32\\windows.internal.shell.broker.dll"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,307",
        "eid": 4656,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.ApplicationModel.TaskbarPinnableSurface\\Threading",
          "content": "0"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,307",
        "eid": 4657,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.ApplicationModel.TaskbarPinnableSurface\\TrustLevel",
          "content": "2"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,307",
        "eid": 4658,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.ApplicationModel.TaskbarPinnableSurface\\RemoteServer",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,307",
        "eid": 4659,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.ApplicationModel.TaskbarPinnableSurface\\ActivateAsUser",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,307",
        "eid": 4660,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.ApplicationModel.TaskbarPinnableSurface\\ActivateInSharedBroker",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,307",
        "eid": 4661,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.ApplicationModel.TaskbarPinnableSurface\\ActivateInBrokerForMediumILContainer",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,307",
        "eid": 4662,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.ApplicationModel.TaskbarPinnableSurface\\Permissions",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,307",
        "eid": 4663,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.ApplicationModel.TaskbarPinnableSurface\\ActivateOnHostFlags",
          "content": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:14,822",
        "eid": 4664,
        "data": {
          "file": "gdi32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc77ed0000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:14,822",
        "eid": 4665,
        "data": {
          "file": "C:\\Windows\\System32\\windows.internal.shell.broker.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc5b5a0000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:14,822",
        "eid": 4666,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:14,822",
        "eid": 4667,
        "data": {
          "file": "ntdll.dll",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,854",
        "eid": 4668,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{7E470A8A-3ACD-5913-AF64-4AB78355BE5F}\\ProxyStubClsid32\\(Default)",
          "content": "{9F1FA092-87AA-C78A-4073-7E873ED1E3CF}"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,854",
        "eid": 4669,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{9F1FA092-87AA-C78A-4073-7E873ED1E3CF}\\ActivateOnHostFlags",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,854",
        "eid": 4670,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{9F1FA092-87AA-C78A-4073-7E873ED1E3CF}\\(Default)",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,854",
        "eid": 4671,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{9F1FA092-87AA-C78A-4073-7E873ED1E3CF}\\(Default)",
          "content": "PSFactoryBuffer"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,854",
        "eid": 4672,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{9F1FA092-87AA-C78A-4073-7E873ED1E3CF}\\InProcServer32\\InprocServer32",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,854",
        "eid": 4673,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{9F1FA092-87AA-C78A-4073-7E873ED1E3CF}\\InProcServer32\\(Default)",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,854",
        "eid": 4674,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{9F1FA092-87AA-C78A-4073-7E873ED1E3CF}\\InProcServer32\\(Default)",
          "content": "C:\\Windows\\System32\\PCShellCommonProxyStub.dll"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,854",
        "eid": 4675,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{9F1FA092-87AA-C78A-4073-7E873ED1E3CF}\\InProcServer32\\ThreadingModel",
          "content": "Both"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,854",
        "eid": 4676,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{9F1FA092-87AA-C78A-4073-7E873ED1E3CF}\\ActivateOnHostFlags",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,854",
        "eid": 4677,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{9F1FA092-87AA-C78A-4073-7E873ED1E3CF}\\(Default)",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,854",
        "eid": 4678,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{9F1FA092-87AA-C78A-4073-7E873ED1E3CF}\\(Default)",
          "content": "PSFactoryBuffer"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,854",
        "eid": 4679,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{9F1FA092-87AA-C78A-4073-7E873ED1E3CF}\\InProcServer32\\InprocServer32",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,854",
        "eid": 4680,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{9F1FA092-87AA-C78A-4073-7E873ED1E3CF}\\InProcServer32\\(Default)",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,854",
        "eid": 4681,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{9F1FA092-87AA-C78A-4073-7E873ED1E3CF}\\InProcServer32\\(Default)",
          "content": "C:\\Windows\\System32\\PCShellCommonProxyStub.dll"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,854",
        "eid": 4682,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{9F1FA092-87AA-C78A-4073-7E873ED1E3CF}\\InProcServer32\\ThreadingModel",
          "content": "Both"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,854",
        "eid": 4683,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{9F1FA092-87AA-C78A-4073-7E873ED1E3CF}\\AppID",
          "content": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:14,854",
        "eid": 4684,
        "data": {
          "file": "C:\\Windows\\System32\\PCShellCommonProxyStub.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc5cbd0000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:14,854",
        "eid": 4685,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:14,854",
        "eid": 4686,
        "data": {
          "file": "ntdll.dll",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,854",
        "eid": 4687,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.UI.StartScreen.StartScreenManager\\ActivationType",
          "content": "0"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,854",
        "eid": 4688,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.UI.StartScreen.StartScreenManager\\Server",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,854",
        "eid": 4689,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.UI.StartScreen.StartScreenManager\\DllPath",
          "content": "C:\\Windows\\System32\\wpnapps.dll"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,854",
        "eid": 4690,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.UI.StartScreen.StartScreenManager\\Threading",
          "content": "2"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,854",
        "eid": 4691,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.UI.StartScreen.StartScreenManager\\TrustLevel",
          "content": "1"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,854",
        "eid": 4692,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.UI.StartScreen.StartScreenManager\\RemoteServer",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,854",
        "eid": 4693,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.UI.StartScreen.StartScreenManager\\ActivateAsUser",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,854",
        "eid": 4694,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.UI.StartScreen.StartScreenManager\\ActivateInSharedBroker",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,854",
        "eid": 4695,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.UI.StartScreen.StartScreenManager\\ActivateInBrokerForMediumILContainer",
          "content": "1"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,854",
        "eid": 4696,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.UI.StartScreen.StartScreenManager\\Permissions",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,854",
        "eid": 4697,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.UI.StartScreen.StartScreenManager\\ActivateOnHostFlags",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,854",
        "eid": 4698,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.System.User\\ActivationType",
          "content": "1"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,854",
        "eid": 4699,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.System.User\\Server",
          "content": "UserManager"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,854",
        "eid": 4700,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.System.User\\DllPath",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,854",
        "eid": 4701,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.System.User\\Threading",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,854",
        "eid": 4702,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.System.User\\TrustLevel",
          "content": "0"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,854",
        "eid": 4703,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.System.User\\RemoteServer",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,854",
        "eid": 4704,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.System.User\\ActivateAsUser",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,854",
        "eid": 4705,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.System.User\\ActivateInSharedBroker",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,854",
        "eid": 4706,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.System.User\\ActivateInBrokerForMediumILContainer",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,854",
        "eid": 4707,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.System.User\\Permissions",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,854",
        "eid": 4708,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.System.User\\Permissions",
          "content": "\\x01\\x00\\x14\\x80\\x9c\\x00\\x00\\x00\\xa8\\x00\\x00\\x00\\x14\\x00\\x00\\x000\\x00\\x00\\x00\\x02\\x00\\x1c\\x00\\x01\\x00\\x00\\x00\\x11\\x00\\x14\\x00\\x04\\x00\\x00\\x00\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x10\\x00\\x00\\x02\\x00l\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x18\\x00\\x1f\\x00\\x00\\x00\\x01\\x02\\x00\\x00\\x00\\x00\\x00\\x0f\\x02\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x008\\x00\\x1f\\x00\\x00\\x00\\x01\n\\x00\\x00\\x00\\x00\\x00\\x0f\\x03\\x00\\x00\\x00\\x00\\x04\\x00\\x00\\xceJ\\x93Y\\xb9\\xcf\\x0buu\\xc0\\xf2\\x9b\\xb2\\xb4\\xc2\\x98\\xd4F\\xdd\\xf9\\x02z\\x87\\xec\\x14e\\x11w\\xd6\\xe9\\x96U\\x00\\x00\\x14\\x00\\x1f\\x00\\x00\\x00\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x05\n\\x00\\x00\\x00\\x01\\x02\\x00\\x00\\x00\\x00\\x00\\x05 \\x00\\x00\\x00!\\x02\\x00\\x00"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,854",
        "eid": 4709,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.System.User\\ActivateOnHostFlags",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,854",
        "eid": 4710,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{155EB23B-242A-45E0-A2E9-3171FC6A7FDD}\\ProxyStubClsid32\\(Default)",
          "content": "{1BAC8681-2965-4FFC-92D1-170CA4099E01}"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,869",
        "eid": 4711,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{e44ea1df-bb85-5a8c-bddc-c8e960c355c9}\\ProxyStubClsid32\\(Default)",
          "content": "{1BAC8681-2965-4FFC-92D1-170CA4099E01}"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,869",
        "eid": 4712,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{8cbd762a-1222-5ee5-b745-489e7a42c6ec}\\ProxyStubClsid32\\(Default)",
          "content": "{1BAC8681-2965-4FFC-92D1-170CA4099E01}"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,869",
        "eid": 4713,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.Tiles.TileStore\\ActivationType",
          "content": "0"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,869",
        "eid": 4714,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.Tiles.TileStore\\Server",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,869",
        "eid": 4715,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.Tiles.TileStore\\DllPath",
          "content": "C:\\Windows\\System32\\TileDataRepository.dll"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,869",
        "eid": 4716,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.Tiles.TileStore\\Threading",
          "content": "0"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,869",
        "eid": 4717,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.Tiles.TileStore\\TrustLevel",
          "content": "0"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,869",
        "eid": 4718,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.Tiles.TileStore\\RemoteServer",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,869",
        "eid": 4719,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.Tiles.TileStore\\ActivateAsUser",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,869",
        "eid": 4720,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.Tiles.TileStore\\ActivateInSharedBroker",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,869",
        "eid": 4721,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.Tiles.TileStore\\ActivateInBrokerForMediumILContainer",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,869",
        "eid": 4722,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.Tiles.TileStore\\Permissions",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,869",
        "eid": 4723,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.Tiles.TileStore\\ActivateOnHostFlags",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,869",
        "eid": 4724,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.TileView\\ActivationType",
          "content": "1"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,869",
        "eid": 4725,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.TileView\\Server",
          "content": "StateRepository"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,869",
        "eid": 4726,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.TileView\\DllPath",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,869",
        "eid": 4727,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.TileView\\Threading",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,869",
        "eid": 4728,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.TileView\\TrustLevel",
          "content": "0"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,869",
        "eid": 4729,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.TileView\\RemoteServer",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,869",
        "eid": 4730,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.TileView\\ActivateAsUser",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,869",
        "eid": 4731,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.TileView\\ActivateInSharedBroker",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,869",
        "eid": 4732,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.TileView\\ActivateInBrokerForMediumILContainer",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,869",
        "eid": 4733,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.TileView\\Permissions",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,869",
        "eid": 4734,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.StateRepository.TileView\\ActivateOnHostFlags",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,869",
        "eid": 4735,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{6d3bc882-23a4-4706-b8fa-fc7de2fc325d}\\ProxyStubClsid32\\(Default)",
          "content": "{c53e07ec-25f3-4093-aa39-fc67ea22e99d}"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,869",
        "eid": 4736,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\PinnableSurfaces\\DefaultStart",
          "content": "Windows.Internal.ApplicationModel.StartPinnableSurface"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,869",
        "eid": 4737,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.ApplicationModel.StartPinnableSurface\\ActivationType",
          "content": "0"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,869",
        "eid": 4738,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.ApplicationModel.StartPinnableSurface\\Server",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,869",
        "eid": 4739,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.ApplicationModel.StartPinnableSurface\\DllPath",
          "content": "C:\\Windows\\System32\\StartTileData.dll"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,869",
        "eid": 4740,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.ApplicationModel.StartPinnableSurface\\Threading",
          "content": "0"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,869",
        "eid": 4741,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.ApplicationModel.StartPinnableSurface\\TrustLevel",
          "content": "1"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,869",
        "eid": 4742,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.ApplicationModel.StartPinnableSurface\\RemoteServer",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,885",
        "eid": 4743,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.ApplicationModel.StartPinnableSurface\\ActivateAsUser",
          "content": "1"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,885",
        "eid": 4744,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.ApplicationModel.StartPinnableSurface\\ActivateInSharedBroker",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,885",
        "eid": 4745,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.ApplicationModel.StartPinnableSurface\\ActivateInBrokerForMediumILContainer",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,885",
        "eid": 4746,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.ApplicationModel.StartPinnableSurface\\Permissions",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,885",
        "eid": 4747,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId\\Windows.Internal.ApplicationModel.StartPinnableSurface\\ActivateOnHostFlags",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "file",
        "timestamp": "2026-05-28 22:02:14,885",
        "eid": 4748,
        "data": {
          "file": "\\Device\\NamedPipe\\LOCAL\\mojo.9188.10632.18297276111718467407"
        }
      },
      {
        "event": "read",
        "object": "file",
        "timestamp": "2026-05-28 22:02:14,885",
        "eid": 4749,
        "data": {
          "file": "\\Device\\NamedPipe\\LOCAL\\mojo.9188.10632.18297276111718467407"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:14,885",
        "eid": 4750,
        "data": {
          "file": "C:\\Windows\\System32\\StartTileData.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc5fb10000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:14,885",
        "eid": 4751,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,885",
        "eid": 4752,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SecurityManager\\AdminCapabilities\\shellExperience",
          "content": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:14,885",
        "eid": 4753,
        "data": {
          "file": "ntdll.dll",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "write",
        "object": "file",
        "timestamp": "2026-05-28 22:02:14,900",
        "eid": 4754,
        "data": {
          "file": "\\Device\\NamedPipe\\LOCAL\\mojo.9188.10632.18297276111718467407"
        }
      },
      {
        "event": "write",
        "object": "file",
        "timestamp": "2026-05-28 22:02:14,900",
        "eid": 4755,
        "data": {
          "file": "\\Device\\NamedPipe\\LOCAL\\mojo.9188.10632.18297276111718467407"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:14,900",
        "eid": 4756,
        "data": {
          "file": "api-ms-win-downlevel-shell32-l1-1-0.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc775b0000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:14,900",
        "eid": 4757,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "write",
        "object": "file",
        "timestamp": "2026-05-28 22:02:14,900",
        "eid": 4758,
        "data": {
          "file": "\\Device\\NamedPipe\\LOCAL\\mojo.9188.10632.18297276111718467407"
        }
      },
      {
        "event": "write",
        "object": "file",
        "timestamp": "2026-05-28 22:02:14,916",
        "eid": 4759,
        "data": {
          "file": "\\Device\\NamedPipe\\LOCAL\\mojo.9188.10632.18297276111718467407"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,932",
        "eid": 4760,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel\\PinnableSurfaces\\DefaultStart",
          "content": "Windows.Internal.ApplicationModel.StartPinnableSurface"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:02:14,932",
        "eid": 4761,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SecurityManager\\AdminCapabilities\\shellExperience",
          "content": null
        }
      },
      {
        "event": "write",
        "object": "file",
        "timestamp": "2026-05-28 22:02:14,932",
        "eid": 4762,
        "data": {
          "file": "\\Device\\NamedPipe\\LOCAL\\mojo.9188.10632.18297276111718467407"
        }
      },
      {
        "event": "read",
        "object": "file",
        "timestamp": "2026-05-28 22:02:19,916",
        "eid": 4763,
        "data": {
          "file": "\\Device\\NamedPipe\\LOCAL\\mojo.9188.10632.18297276111718467407"
        }
      },
      {
        "event": "write",
        "object": "file",
        "timestamp": "2026-05-28 22:02:19,916",
        "eid": 4764,
        "data": {
          "file": "\\Device\\NamedPipe\\LOCAL\\mojo.9188.10632.18297276111718467407"
        }
      },
      {
        "event": "read",
        "object": "file",
        "timestamp": "2026-05-28 22:02:19,947",
        "eid": 4765,
        "data": {
          "file": "\\Device\\NamedPipe\\LOCAL\\mojo.9188.10632.18297276111718467407"
        }
      },
      {
        "event": "write",
        "object": "file",
        "timestamp": "2026-05-28 22:02:19,947",
        "eid": 4766,
        "data": {
          "file": "\\Device\\NamedPipe\\LOCAL\\mojo.9188.10632.18297276111718467407"
        }
      },
      {
        "event": "write",
        "object": "file",
        "timestamp": "2026-05-28 22:02:25,025",
        "eid": 4767,
        "data": {
          "file": "\\Device\\NamedPipe\\LOCAL\\mojo.9188.10632.18297276111718467407"
        }
      },
      {
        "event": "read",
        "object": "file",
        "timestamp": "2026-05-28 22:02:26,104",
        "eid": 4768,
        "data": {
          "file": "\\Device\\NamedPipe\\LOCAL\\mojo.9188.10632.18297276111718467407"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:02:26,104",
        "eid": 4769,
        "data": {
          "file": "oleaut32.dll",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "write",
        "object": "file",
        "timestamp": "2026-05-28 22:02:26,104",
        "eid": 4770,
        "data": {
          "file": "\\Device\\NamedPipe\\LOCAL\\mojo.9188.10632.18297276111718467407"
        }
      },
      {
        "event": "write",
        "object": "file",
        "timestamp": "2026-05-28 22:02:26,104",
        "eid": 4771,
        "data": {
          "file": "\\Device\\NamedPipe\\LOCAL\\mojo.9188.10632.18297276111718467407"
        }
      },
      {
        "event": "write",
        "object": "file",
        "timestamp": "2026-05-28 22:02:26,104",
        "eid": 4772,
        "data": {
          "file": "\\Device\\NamedPipe\\LOCAL\\mojo.9188.10632.18297276111718467407"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:03:01,676",
        "eid": 4773,
        "data": {
          "file": "C:\\Windows\\system32\\rpcss.dll",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:03:01,769",
        "eid": 4774,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\FipsAlgorithmPolicy\\STE",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:03:01,769",
        "eid": 4775,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\FipsAlgorithmPolicy\\Enabled",
          "content": "0"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:03:01,769",
        "eid": 4776,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\FipsAlgorithmPolicy",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:03:01,769",
        "eid": 4777,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\FipsAlgorithmPolicy\\MDMEnabled",
          "content": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:03:01,769",
        "eid": 4778,
        "data": {
          "file": "combase.dll",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:03:01,769",
        "eid": 4779,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\COM3\\Com+Enabled",
          "content": "1"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:03:01,848",
        "eid": 4780,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\AppID\\{338B40F9-9D68-4B53-A793-6B9AA0C5F63B}\\(Default)",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:03:01,848",
        "eid": 4781,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\AppID\\{338B40F9-9D68-4B53-A793-6B9AA0C5F63B}\\(Default)",
          "content": "Delivery Optimization User"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:03:01,848",
        "eid": 4782,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\AppID\\{338B40F9-9D68-4B53-A793-6B9AA0C5F63B}\\LocalService",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:03:01,848",
        "eid": 4783,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\AppID\\{338B40F9-9D68-4B53-A793-6B9AA0C5F63B}\\DllSurrogate",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:03:01,848",
        "eid": 4784,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\AppID\\{338B40F9-9D68-4B53-A793-6B9AA0C5F63B}\\DllSurrogate",
          "content": ""
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:03:01,848",
        "eid": 4785,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\AppID\\{338B40F9-9D68-4B53-A793-6B9AA0C5F63B}\\RunAs",
          "content": "Interactive User"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:03:01,848",
        "eid": 4786,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\AppID\\{338B40F9-9D68-4B53-A793-6B9AA0C5F63B}\\ActivateAtStorage",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:03:01,848",
        "eid": 4787,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\AppID\\{338B40F9-9D68-4B53-A793-6B9AA0C5F63B}\\ROTFlags",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:03:01,848",
        "eid": 4788,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\AppID\\{338B40F9-9D68-4B53-A793-6B9AA0C5F63B}\\AppIDFlags",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:03:01,848",
        "eid": 4789,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\AppID\\{338B40F9-9D68-4B53-A793-6B9AA0C5F63B}\\MGOTFlags",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:03:01,848",
        "eid": 4790,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\AppID\\{338B40F9-9D68-4B53-A793-6B9AA0C5F63B}\\ProcessMitigationPolicy",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:03:01,848",
        "eid": 4791,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\AppID\\{338B40F9-9D68-4B53-A793-6B9AA0C5F63B}\\LaunchPermission",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:03:01,848",
        "eid": 4792,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\AppID\\{338B40F9-9D68-4B53-A793-6B9AA0C5F63B}\\LaunchPermission",
          "content": "\\x01\\x00\\x04\\x80`\\x00\\x00\\x00p\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x14\\x00\\x00\\x00\\x02\\x00L\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x14\\x00\\x0b\\x00\\x00\\x00\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x05\\x12\\x00\\x00\\x00\\x00\\x00\\x18\\x00\\x0b\\x00\\x00\\x00\\x01\\x02\\x00\\x00\\x00\\x00\\x00\\x05 \\x00\\x00\\x00 \\x02\\x00\\x00\\x00\\x00\\x18\\x00\\x0b\\x00\\x00\\x00\\x01\\x02\\x00\\x00\\x00\\x00\\x00\\x05 \\x00\\x00\\x00!\\x02\\x00\\x00\\x01\\x02\\x00\\x00\\x00\\x00\\x00\\x05 \\x00\\x00\\x00 \\x02\\x00\\x00\\x01\\x02\\x00\\x00\\x00\\x00\\x00\\x05 \\x00\\x00\\x00 \\x02\\x00\\x00"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:03:01,848",
        "eid": 4793,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Ole\\LegacyAuthenticationLevel",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:03:01,848",
        "eid": 4794,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Ole\\LegacyImpersonationLevel",
          "content": "2"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:03:01,848",
        "eid": 4795,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\AppID\\{338B40F9-9D68-4B53-A793-6B9AA0C5F63B}\\AuthenticationLevel",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:03:01,848",
        "eid": 4796,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\AppID\\{338B40F9-9D68-4B53-A793-6B9AA0C5F63B}\\RemoteServerName",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:03:01,848",
        "eid": 4797,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\AppID\\{338B40F9-9D68-4B53-A793-6B9AA0C5F63B}\\SRPTrustLevel",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:03:01,848",
        "eid": 4798,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\AppID\\{338B40F9-9D68-4B53-A793-6B9AA0C5F63B}\\PreferredServerBitness",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:03:01,848",
        "eid": 4799,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\AppID\\{338B40F9-9D68-4B53-A793-6B9AA0C5F63B}\\LoadUserSettings",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:03:01,848",
        "eid": 4800,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\AppID\\{338B40F9-9D68-4B53-A793-6B9AA0C5F63B}\\ProtectionLevel",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:03:01,863",
        "eid": 4801,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Appx\\AllowDevelopmentWithoutDevLicense",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:03:01,863",
        "eid": 4802,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModelUnlock\\AllowDevelopmentWithoutDevLicense",
          "content": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:03:01,863",
        "eid": 4803,
        "data": {
          "file": "ntdll.dll",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:03:01,863",
        "eid": 4804,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Ole\\AppCompat\\RaiseActivationAuthenticationLevel",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:03:01,879",
        "eid": 4805,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\AppID\\{338B40F9-9D68-4B53-A793-6B9AA0C5F63B}\\AuthenticationLevel",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:03:01,879",
        "eid": 4806,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Ole\\AppCompat\\RaiseDefaultAuthnLevel",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:03:01,879",
        "eid": 4807,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\AppID\\{338B40F9-9D68-4B53-A793-6B9AA0C5F63B}\\AccessPermission",
          "content": "\\x01\\x00\\x04\\x80\\\\x00\\x00\\x00l\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x14\\x00\\x00\\x00\\x02\\x00H\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x14\\x00\\x03\\x00\\x00\\x00\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x05\n\\x00\\x00\\x00\\x00\\x00\\x14\\x00\\x03\\x00\\x00\\x00\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x05\\x12\\x00\\x00\\x00\\x00\\x00\\x18\\x00\\x03\\x00\\x00\\x00\\x01\\x02\\x00\\x00\\x00\\x00\\x00\\x05 \\x00\\x00\\x00!\\x02\\x00\\x00\\x01\\x02\\x00\\x00\\x00\\x00\\x00\\x05 \\x00\\x00\\x00 \\x02\\x00\\x00\\x01\\x02\\x00\\x00\\x00\\x00\\x00\\x05 \\x00\\x00\\x00 \\x02\\x00\\x00"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:03:01,879",
        "eid": 4808,
        "data": {
          "file": "C:\\Windows\\system32\\rpcss.dll",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:03:01,894",
        "eid": 4809,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{00000134-0000-0000-C000-000000000046}\\ProxyStubClsid32\\(Default)",
          "content": "{00000320-0000-0000-C000-000000000046}"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:03:01,894",
        "eid": 4810,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Rpc\\Extensions\\NdrOleExtDLL",
          "content": "combase.dll"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:03:01,894",
        "eid": 4811,
        "data": {
          "file": "combase.dll",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:03:01,894",
        "eid": 4812,
        "data": {
          "file": "combase.dll",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:03:01,926",
        "eid": 4813,
        "data": {
          "file": "combase.dll",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:03:02,019",
        "eid": 4814,
        "data": {
          "file": "C:\\Windows\\System32\\uxtheme.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc730a0000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:03:02,019",
        "eid": 4815,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:03:02,035",
        "eid": 4816,
        "data": {
          "regkey": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Themes\\Personalize\\AppsUseLightTheme",
          "content": "1"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:03:02,066",
        "eid": 4817,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{338B40F9-9D68-4B53-A793-6B9AA0C5F63B}\\ActivateOnHostFlags",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:03:02,066",
        "eid": 4818,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{338B40F9-9D68-4B53-A793-6B9AA0C5F63B}\\(Default)",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:03:02,066",
        "eid": 4819,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{338B40F9-9D68-4B53-A793-6B9AA0C5F63B}\\(Default)",
          "content": "Delivery Optimization User Class"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:03:02,066",
        "eid": 4820,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{338B40F9-9D68-4B53-A793-6B9AA0C5F63B}\\InProcServer32\\InprocServer32",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:03:02,066",
        "eid": 4821,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{338B40F9-9D68-4B53-A793-6B9AA0C5F63B}\\InProcServer32\\(Default)",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:03:02,066",
        "eid": 4822,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{338B40F9-9D68-4B53-A793-6B9AA0C5F63B}\\InProcServer32\\(Default)",
          "content": "%SystemRoot%\\system32\\domgmt.dll"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:03:02,066",
        "eid": 4823,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{338B40F9-9D68-4B53-A793-6B9AA0C5F63B}\\InProcServer32\\ThreadingModel",
          "content": "Both"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:03:02,082",
        "eid": 4824,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Ole\\MaxSxSHashCount",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:03:02,082",
        "eid": 4825,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{338B40F9-9D68-4B53-A793-6B9AA0C5F63B}\\ActivateOnHostFlags",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:03:02,082",
        "eid": 4826,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{338B40F9-9D68-4B53-A793-6B9AA0C5F63B}\\(Default)",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:03:02,082",
        "eid": 4827,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{338B40F9-9D68-4B53-A793-6B9AA0C5F63B}\\(Default)",
          "content": "Delivery Optimization User Class"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:03:02,082",
        "eid": 4828,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{338B40F9-9D68-4B53-A793-6B9AA0C5F63B}\\InProcServer32\\InprocServer32",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:03:02,082",
        "eid": 4829,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{338B40F9-9D68-4B53-A793-6B9AA0C5F63B}\\InProcServer32\\(Default)",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:03:02,082",
        "eid": 4830,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{338B40F9-9D68-4B53-A793-6B9AA0C5F63B}\\InProcServer32\\(Default)",
          "content": "%SystemRoot%\\system32\\domgmt.dll"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:03:02,082",
        "eid": 4831,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{338B40F9-9D68-4B53-A793-6B9AA0C5F63B}\\InProcServer32\\ThreadingModel",
          "content": "Both"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:03:02,082",
        "eid": 4832,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{338B40F9-9D68-4B53-A793-6B9AA0C5F63B}\\AppID",
          "content": "{338B40F9-9D68-4B53-A793-6B9AA0C5F63B}"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:03:02,082",
        "eid": 4833,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\AppID\\{338B40F9-9D68-4B53-A793-6B9AA0C5F63B}\\(Default)",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:03:02,082",
        "eid": 4834,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\AppID\\{338B40F9-9D68-4B53-A793-6B9AA0C5F63B}\\(Default)",
          "content": "Delivery Optimization User"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:03:02,082",
        "eid": 4835,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\AppID\\{338B40F9-9D68-4B53-A793-6B9AA0C5F63B}\\LocalService",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:03:02,082",
        "eid": 4836,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\AppID\\{338B40F9-9D68-4B53-A793-6B9AA0C5F63B}\\DllSurrogate",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:03:02,082",
        "eid": 4837,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\AppID\\{338B40F9-9D68-4B53-A793-6B9AA0C5F63B}\\DllSurrogate",
          "content": ""
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:03:02,082",
        "eid": 4838,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\AppID\\{338B40F9-9D68-4B53-A793-6B9AA0C5F63B}\\RunAs",
          "content": "Interactive User"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:03:02,082",
        "eid": 4839,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\AppID\\{338B40F9-9D68-4B53-A793-6B9AA0C5F63B}\\ActivateAtStorage",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:03:02,082",
        "eid": 4840,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\AppID\\{338B40F9-9D68-4B53-A793-6B9AA0C5F63B}\\ROTFlags",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:03:02,082",
        "eid": 4841,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\AppID\\{338B40F9-9D68-4B53-A793-6B9AA0C5F63B}\\AppIDFlags",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:03:02,082",
        "eid": 4842,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\AppID\\{338B40F9-9D68-4B53-A793-6B9AA0C5F63B}\\MGOTFlags",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:03:02,082",
        "eid": 4843,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\AppID\\{338B40F9-9D68-4B53-A793-6B9AA0C5F63B}\\ProcessMitigationPolicy",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:03:02,082",
        "eid": 4844,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\AppID\\{338B40F9-9D68-4B53-A793-6B9AA0C5F63B}\\LaunchPermission",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:03:02,082",
        "eid": 4845,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\AppID\\{338B40F9-9D68-4B53-A793-6B9AA0C5F63B}\\LaunchPermission",
          "content": "\\x01\\x00\\x04\\x80`\\x00\\x00\\x00p\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x14\\x00\\x00\\x00\\x02\\x00L\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x14\\x00\\x0b\\x00\\x00\\x00\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x05\\x12\\x00\\x00\\x00\\x00\\x00\\x18\\x00\\x0b\\x00\\x00\\x00\\x01\\x02\\x00\\x00\\x00\\x00\\x00\\x05 \\x00\\x00\\x00 \\x02\\x00\\x00\\x00\\x00\\x18\\x00\\x0b\\x00\\x00\\x00\\x01\\x02\\x00\\x00\\x00\\x00\\x00\\x05 \\x00\\x00\\x00!\\x02\\x00\\x00\\x01\\x02\\x00\\x00\\x00\\x00\\x00\\x05 \\x00\\x00\\x00 \\x02\\x00\\x00\\x01\\x02\\x00\\x00\\x00\\x00\\x00\\x05 \\x00\\x00\\x00 \\x02\\x00\\x00"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:03:02,082",
        "eid": 4846,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Ole\\LegacyAuthenticationLevel",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:03:02,082",
        "eid": 4847,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Ole\\LegacyImpersonationLevel",
          "content": "2"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:03:02,082",
        "eid": 4848,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\AppID\\{338B40F9-9D68-4B53-A793-6B9AA0C5F63B}\\AuthenticationLevel",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:03:02,082",
        "eid": 4849,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\AppID\\{338B40F9-9D68-4B53-A793-6B9AA0C5F63B}\\RemoteServerName",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:03:02,082",
        "eid": 4850,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\AppID\\{338B40F9-9D68-4B53-A793-6B9AA0C5F63B}\\SRPTrustLevel",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:03:02,082",
        "eid": 4851,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\AppID\\{338B40F9-9D68-4B53-A793-6B9AA0C5F63B}\\PreferredServerBitness",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:03:02,082",
        "eid": 4852,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\AppID\\{338B40F9-9D68-4B53-A793-6B9AA0C5F63B}\\LoadUserSettings",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:03:02,082",
        "eid": 4853,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\AppID\\{338B40F9-9D68-4B53-A793-6B9AA0C5F63B}\\ProtectionLevel",
          "content": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:03:02,754",
        "eid": 4854,
        "data": {
          "file": "C:\\Windows\\System32\\domgmt.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc1a000000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:03:02,754",
        "eid": 4855,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:03:02,754",
        "eid": 4856,
        "data": {
          "file": "combase.dll",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:03:02,754",
        "eid": 4857,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{8863F93E-77EA-4C67-A86F-7638E3A568A6}\\ProxyStubClsid32\\(Default)",
          "content": "{A6FF50C0-56C0-71CA-5732-BED303A59628}"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:03:02,754",
        "eid": 4858,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{A6FF50C0-56C0-71CA-5732-BED303A59628}\\ActivateOnHostFlags",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:03:02,754",
        "eid": 4859,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{A6FF50C0-56C0-71CA-5732-BED303A59628}\\(Default)",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:03:02,754",
        "eid": 4860,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{A6FF50C0-56C0-71CA-5732-BED303A59628}\\(Default)",
          "content": "PSFactoryBuffer"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:03:02,754",
        "eid": 4861,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{A6FF50C0-56C0-71CA-5732-BED303A59628}\\InProcServer32\\InprocServer32",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:03:02,754",
        "eid": 4862,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{A6FF50C0-56C0-71CA-5732-BED303A59628}\\InProcServer32\\(Default)",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:03:02,754",
        "eid": 4863,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{A6FF50C0-56C0-71CA-5732-BED303A59628}\\InProcServer32\\(Default)",
          "content": "C:\\Windows\\System32\\OneCoreCommonProxyStub.dll"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:03:02,754",
        "eid": 4864,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{A6FF50C0-56C0-71CA-5732-BED303A59628}\\InProcServer32\\ThreadingModel",
          "content": "Both"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:03:02,754",
        "eid": 4865,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{A6FF50C0-56C0-71CA-5732-BED303A59628}\\ActivateOnHostFlags",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:03:02,754",
        "eid": 4866,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{A6FF50C0-56C0-71CA-5732-BED303A59628}\\(Default)",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:03:02,754",
        "eid": 4867,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{A6FF50C0-56C0-71CA-5732-BED303A59628}\\(Default)",
          "content": "PSFactoryBuffer"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:03:02,754",
        "eid": 4868,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{A6FF50C0-56C0-71CA-5732-BED303A59628}\\InProcServer32\\InprocServer32",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:03:02,754",
        "eid": 4869,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{A6FF50C0-56C0-71CA-5732-BED303A59628}\\InProcServer32\\(Default)",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:03:02,754",
        "eid": 4870,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{A6FF50C0-56C0-71CA-5732-BED303A59628}\\InProcServer32\\(Default)",
          "content": "C:\\Windows\\System32\\OneCoreCommonProxyStub.dll"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:03:02,754",
        "eid": 4871,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{A6FF50C0-56C0-71CA-5732-BED303A59628}\\InProcServer32\\ThreadingModel",
          "content": "Both"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-05-28 22:03:02,754",
        "eid": 4872,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{A6FF50C0-56C0-71CA-5732-BED303A59628}\\AppID",
          "content": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:03:02,785",
        "eid": 4873,
        "data": {
          "file": "C:\\Windows\\System32\\OneCoreCommonProxyStub.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc66790000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:03:02,785",
        "eid": 4874,
        "data": {
          "file": null,
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:03:07,848",
        "eid": 4875,
        "data": {
          "file": "oleaut32.dll",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:03:07,848",
        "eid": 4876,
        "data": {
          "file": "ntdll.dll",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:03:07,848",
        "eid": 4877,
        "data": {
          "file": "ntdll.dll",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:03:07,848",
        "eid": 4878,
        "data": {
          "file": "ntdll.dll",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:03:07,848",
        "eid": 4879,
        "data": {
          "file": "ntdll.dll",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:03:07,848",
        "eid": 4880,
        "data": {
          "file": "ntdll.dll",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:03:07,848",
        "eid": 4881,
        "data": {
          "file": "oleaut32.dll",
          "pathtofile": null,
          "moduleaddress": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:03:01,598",
        "eid": 4882,
        "data": {
          "file": "kernel32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc76030000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:03:04,832",
        "eid": 4883,
        "data": {
          "file": "C:\\Windows\\System32\\wbem\\wbemprox.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc61080000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:03:04,894",
        "eid": 4884,
        "data": {
          "file": "C:\\Windows\\System32\\wbem\\wbemsvc.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc63bb0000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:03:04,957",
        "eid": 4885,
        "data": {
          "file": "C:\\Windows\\System32\\wbem\\fastprox.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc600a0000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:03:05,129",
        "eid": 4886,
        "data": {
          "file": "C:\\Windows\\System32\\wbem\\wmiutils.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc708e0000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:03:05,473",
        "eid": 4887,
        "data": {
          "file": "C:\\Windows\\System32\\wbem\\cimwin32.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc19650000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:03:05,551",
        "eid": 4888,
        "data": {
          "file": "WMI.DLL",
          "pathtofile": null,
          "moduleaddress": "0x2c2ee1b0000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-05-28 22:03:04,863",
        "eid": 4889,
        "data": {
          "file": "C:\\Windows\\System32\\wbem\\wbemcore.dll",
          "pathtofile": null,
          "moduleaddress": "0x7ffc1a200000"
        }
      }
    ],
    "encryptedbuffers": [],
    "network_map": {
      "endpoint_map": {},
      "http_host_map": {},
      "dns_intents": {},
      "http_requests": [],
      "winhttp_sessions": [],
      "com_activations": []
    }
  },
  "debug": {
    "log": "2026-05-28 17:52:18,890 [root] INFO: Date set to: 20260528T18:01:50, timeout set to: 200\n2026-05-28 18:01:50,012 [root] DEBUG: Starting analyzer from: C:\\_a4sjgfa\n2026-05-28 18:01:50,013 [root] DEBUG: Storing results at: C:\\nKjZGmJV\n2026-05-28 18:01:50,013 [root] DEBUG: Pipe server name: \\\\.\\PIPE\\vgJhjNQ\n2026-05-28 18:01:50,013 [root] DEBUG: Python path: C:\\Users\\admin\\AppData\\Local\\Python\\pythoncore-3.14-64\n2026-05-28 18:01:50,014 [root] INFO: analysis running as an admin\n2026-05-28 18:01:50,014 [root] INFO: analysis package specified: \"edge\"\n2026-05-28 18:01:50,014 [root] DEBUG: importing analysis package module: \"modules.packages.edge\"...\n2026-05-28 18:01:50,015 [root] DEBUG: imported analysis package \"edge\"\n2026-05-28 18:01:50,015 [root] DEBUG: initializing analysis package \"edge\"...\n2026-05-28 18:01:50,015 [root] DEBUG: New location of moved file: https://sugarcraft.net/\n2026-05-28 18:01:50,015 [root] INFO: Analyzer: Package modules.packages.edge does not specify a dll option\n2026-05-28 18:01:50,015 [root] INFO: Analyzer: Package modules.packages.edge does not specify a dll_64 option\n2026-05-28 18:01:50,015 [root] INFO: Analyzer: Package modules.packages.edge does not specify a loader option\n2026-05-28 18:01:50,016 [root] INFO: Analyzer: Package modules.packages.edge does not specify a loader_64 option\n2026-05-28 18:01:50,030 [root] DEBUG: Imported auxiliary module \"modules.auxiliary.browser\"\n2026-05-28 18:01:50,042 [root] DEBUG: Imported auxiliary module \"modules.auxiliary.digisig\"\n2026-05-28 18:01:50,048 [root] DEBUG: Imported auxiliary module \"modules.auxiliary.disguise\"\n2026-05-28 18:01:50,057 [root] DEBUG: Imported auxiliary module \"modules.auxiliary.human\"\n2026-05-28 18:01:50,060 [lib.api.screenshot] DEBUG: Importing 'PIL.ImageChops'\n2026-05-28 18:01:50,060 [lib.api.screenshot] ERROR: No module named 'PIL'\n2026-05-28 18:01:50,061 [root] DEBUG: Imported auxiliary module 
\"modules.auxiliary.screenshots\"\n2026-05-28 18:01:50,062 [root] DEBUG: Imported auxiliary module \"modules.auxiliary.tlsdump\"\n2026-05-28 18:01:50,062 [root] DEBUG: Initialized auxiliary module \"Browser\"\n2026-05-28 18:01:50,062 [root] DEBUG: attempting to configure 'Browser' from data\n2026-05-28 18:01:50,062 [root] DEBUG: module Browser does not support data configuration, ignoring\n2026-05-28 18:01:50,063 [root] DEBUG: Trying to start auxiliary module \"modules.auxiliary.browser\"...\n2026-05-28 18:01:50,063 [root] DEBUG: Started auxiliary module modules.auxiliary.browser\n2026-05-28 18:01:50,063 [root] DEBUG: Initialized auxiliary module \"DigiSig\"\n2026-05-28 18:01:50,063 [root] DEBUG: attempting to configure 'DigiSig' from data\n2026-05-28 18:01:50,064 [root] DEBUG: module DigiSig does not support data configuration, ignoring\n2026-05-28 18:01:50,064 [root] DEBUG: Trying to start auxiliary module \"modules.auxiliary.digisig\"...\n2026-05-28 18:01:50,064 [modules.auxiliary.digisig] DEBUG: Skipping authenticode validation, analysis is not a file\n2026-05-28 18:01:50,064 [root] DEBUG: Started auxiliary module modules.auxiliary.digisig\n2026-05-28 18:01:50,064 [root] DEBUG: Initialized auxiliary module \"Disguise\"\n2026-05-28 18:01:50,065 [root] DEBUG: attempting to configure 'Disguise' from data\n2026-05-28 18:01:50,065 [root] DEBUG: module Disguise does not support data configuration, ignoring\n2026-05-28 18:01:50,065 [root] DEBUG: Trying to start auxiliary module \"modules.auxiliary.disguise\"...\n2026-05-28 18:01:50,067 [modules.auxiliary.disguise] INFO: Launched background process notepad.exe hidden (PID: 7940)\n2026-05-28 18:01:50,068 [modules.auxiliary.disguise] INFO: Disguising GUID to f236088c-d77a-4da3-9aa2-7c7045457595\n2026-05-28 18:01:50,068 [root] DEBUG: Started auxiliary module modules.auxiliary.disguise\n2026-05-28 18:01:50,073 [root] DEBUG: Initialized auxiliary module \"Human\"\n2026-05-28 18:01:50,073 [root] DEBUG: attempting to 
configure 'Human' from data\n2026-05-28 18:01:50,073 [root] DEBUG: module Human does not support data configuration, ignoring\n2026-05-28 18:01:50,074 [root] DEBUG: Trying to start auxiliary module \"modules.auxiliary.human\"...\n2026-05-28 18:01:50,074 [root] DEBUG: Started auxiliary module modules.auxiliary.human\n2026-05-28 18:01:50,075 [root] DEBUG: Initialized auxiliary module \"Screenshots\"\n2026-05-28 18:01:50,075 [root] DEBUG: attempting to configure 'Screenshots' from data\n2026-05-28 18:01:50,075 [root] DEBUG: module Screenshots does not support data configuration, ignoring\n2026-05-28 18:01:50,076 [root] DEBUG: Trying to start auxiliary module \"modules.auxiliary.screenshots\"...\n2026-05-28 18:01:50,077 [modules.auxiliary.screenshots] WARNING: Python Image Library is not installed, screenshots are disabled\n2026-05-28 18:01:50,077 [root] DEBUG: Started auxiliary module modules.auxiliary.screenshots\n2026-05-28 18:01:50,078 [root] DEBUG: Initialized auxiliary module \"TLSDumpMasterSecrets\"\n2026-05-28 18:01:50,078 [root] DEBUG: attempting to configure 'TLSDumpMasterSecrets' from data\n2026-05-28 18:01:50,078 [root] DEBUG: module TLSDumpMasterSecrets does not support data configuration, ignoring\n2026-05-28 18:01:50,079 [root] DEBUG: Trying to start auxiliary module \"modules.auxiliary.tlsdump\"...\n2026-05-28 18:01:50,081 [modules.auxiliary.tlsdump] WARNING: Unable to find lsass.exe process\n2026-05-28 18:01:50,081 [root] DEBUG: Started auxiliary module modules.auxiliary.tlsdump\n2026-05-28 18:01:50,081 [root] INFO: Interactive mode enabled - injecting into explorer shell\n2026-05-28 18:01:50,115 [lib.api.process] INFO: Monitor config for process 4584: C:\\_a4sjgfa\\dll\\4584.ini\n2026-05-28 18:01:50,119 [lib.api.process] INFO: Option 'interactive' with value '1' sent to monitor\n2026-05-28 18:01:50,121 [lib.api.process] INFO: 64-bit DLL to inject is C:\\_a4sjgfa\\dll\\tHnPbxs.dll, loader C:\\_a4sjgfa\\bin\\GGsGuLID.exe\n2026-05-28 18:01:50,164 [root] 
DEBUG: Loader: Injecting process 4584 with C:\\_a4sjgfa\\dll\\tHnPbxs.dll.\n2026-05-28 18:01:50,340 [root] DEBUG: 4584: Python path set to 'C:\\Users\\admin\\AppData\\Local\\Python\\pythoncore-3.14-64'.\n2026-05-28 18:01:50,341 [root] DEBUG: 4584: Disabling sleep skipping.\n2026-05-28 18:01:50,341 [root] DEBUG: 4584: Interactive desktop enabled.\n2026-05-28 18:01:50,342 [root] DEBUG: 4584: Dropped file limit defaulting to 100.\n2026-05-28 18:01:50,343 [root] DEBUG: 4584: Interactive desktop - injecting Explorer Shell\n2026-05-28 18:01:50,348 [root] DEBUG: 4584: YaraInit: Compiled 44 rule files\n2026-05-28 18:01:50,354 [root] DEBUG: 4584: YaraInit: Compiled rules saved to file C:\\_a4sjgfa\\data\\yara\\capemon.yac\n2026-05-28 18:01:50,374 [root] DEBUG: 4584: RtlInsertInvertedFunctionTable 0x00007FFC77FE090E, LdrpInvertedFunctionTableSRWLock 0x00007FFC7813D4F0\n2026-05-28 18:01:50,375 [root] DEBUG: 4584: YaraScan: Scanning 0x00007FF65E010000, size 0x545316\n2026-05-28 18:01:50,463 [root] DEBUG: 4584: Monitor initialised: 64-bit capemon loaded in process 4584 at 0x00007FFC33AB0000, thread 5268, image base 0x00007FF65E010000, stack from 0x000000000F0F1000-0x000000000F100000\n2026-05-28 18:01:50,464 [root] DEBUG: 4584: Commandline: C:\\Windows\\Explorer.EXE\n2026-05-28 18:01:50,477 [root] DEBUG: 4584: Hooked 69 out of 69 functions\n2026-05-28 18:01:50,509 [root] DEBUG: 4584: Syscall hook installed, syscall logging level 1\n2026-05-28 18:01:50,515 [root] DEBUG: InjectDllViaThread: Successfully injected Dll into process via RtlCreateUserThread.\n2026-05-28 18:01:50,516 [root] DEBUG: Successfully injected DLL C:\\_a4sjgfa\\dll\\tHnPbxs.dll.\n2026-05-28 18:01:50,517 [lib.api.process] INFO: Injected into 64-bit <Process 4584 explorer.exe>\n2026-05-28 18:01:52,673 [root] DEBUG: 4584: AllocationHandler: Adding allocation to tracked region list: 0x00007DF47AC61000, size: 0x1000.\n2026-05-28 18:01:52,703 [root] DEBUG: 4584: AllocationHandler: Adding allocation to tracked region 
list: 0x00007DF47AC51000, size: 0x1000.\n2026-05-28 18:01:52,703 [root] DEBUG: 4584: AllocationHandler: Adding allocation to tracked region list: 0x00007DF47AC41000, size: 0x1000.\n2026-05-28 18:01:52,705 [root] DEBUG: 4584: AllocationHandler: Adding allocation to tracked region list: 0x00007DF47AC31000, size: 0x1000.\n2026-05-28 18:01:53,918 [root] DEBUG: 4584: caller_dispatch: Added region at 0x00007FF65E010000 to tracked regions list (combase::CoCreateInstance returns to 0x00007FF65E0B8FBA, thread 4636).\n2026-05-28 18:01:53,921 [root] DEBUG: 4584: YaraScan: Scanning 0x00007FF65E010000, size 0x545316\n2026-05-28 18:01:53,923 [root] DEBUG: 4584: YaraScan: Scanning 0x00007FF65E010000, size 0x545316\n2026-05-28 18:01:53,960 [root] DEBUG: 4584: ProcessImageBase: Main module image at 0x00007FF65E010000 unmodified (entropy change 5.180712e-07)\n2026-05-28 18:01:53,962 [root] DEBUG: 4584: ProcessImageBase: Main module image at 0x00007FF65E010000 unmodified (entropy change 5.180712e-07)\n2026-05-28 18:01:54,650 [lib.api.process] INFO: Monitor config for process 740: C:\\_a4sjgfa\\dll\\740.ini\n2026-05-28 18:01:54,652 [lib.api.process] INFO: Option 'interactive' with value '1' sent to monitor\n2026-05-28 18:01:54,653 [lib.api.process] INFO: 64-bit DLL to inject is C:\\_a4sjgfa\\dll\\tHnPbxs.dll, loader C:\\_a4sjgfa\\bin\\GGsGuLID.exe\n2026-05-28 18:01:54,658 [root] DEBUG: Loader: Injecting process 740 with C:\\_a4sjgfa\\dll\\tHnPbxs.dll.\n2026-05-28 18:01:54,659 [root] DEBUG: 740: Python path set to 'C:\\Users\\admin\\AppData\\Local\\Python\\pythoncore-3.14-64'.\n2026-05-28 18:01:54,660 [root] DEBUG: 740: Disabling sleep skipping.\n2026-05-28 18:01:54,660 [root] DEBUG: 740: Interactive desktop enabled.\n2026-05-28 18:01:54,660 [root] DEBUG: 740: Dropped file limit defaulting to 100.\n2026-05-28 18:01:54,663 [root] DEBUG: 740: Services hook set enabled\n2026-05-28 18:01:54,665 [root] DEBUG: 740: YaraInit: Compiled rules loaded from existing file 
C:\\_a4sjgfa\\data\\yara\\capemon.yac\n2026-05-28 18:01:54,677 [root] DEBUG: 740: RtlInsertInvertedFunctionTable 0x00007FFC77FE090E, LdrpInvertedFunctionTableSRWLock 0x00007FFC7813D4F0\n2026-05-28 18:01:54,677 [root] DEBUG: 740: Monitor initialised: 64-bit capemon loaded in process 740 at 0x00007FFC33AB0000, thread 4964, image base 0x00007FF780360000, stack from 0x000000754D074000-0x000000754D080000\n2026-05-28 18:01:54,678 [root] DEBUG: 740: Commandline: C:\\Windows\\system32\\svchost.exe -k DcomLaunch -p\n2026-05-28 18:01:54,688 [root] DEBUG: 740: Hooked 69 out of 69 functions\n2026-05-28 18:01:54,689 [root] INFO: Loaded monitor into process with pid 740\n2026-05-28 18:01:54,690 [root] DEBUG: InjectDllViaThread: Successfully injected Dll into process via RtlCreateUserThread.\n2026-05-28 18:01:54,690 [root] DEBUG: Successfully injected DLL C:\\_a4sjgfa\\dll\\tHnPbxs.dll.\n2026-05-28 18:01:54,691 [lib.api.process] INFO: Injected into 64-bit <Process 740 svchost.exe>\n2026-05-28 18:01:56,732 [root] DEBUG: 4584: CreateProcessHandler: Injection info set for new process 7912: C:\\Windows\\system32\\taskmgr.exe, ImageBase: 0x00007FF6C28B0000\n2026-05-28 18:01:56,733 [root] INFO: Announced 64-bit process name: Taskmgr.exe pid: 7912\n2026-05-28 18:01:56,733 [lib.api.process] INFO: Monitor config for process 7912: C:\\_a4sjgfa\\dll\\7912.ini\n2026-05-28 18:01:56,734 [lib.api.process] INFO: Option 'interactive' with value '1' sent to monitor\n2026-05-28 18:01:56,735 [lib.api.process] INFO: 64-bit DLL to inject is C:\\_a4sjgfa\\dll\\tHnPbxs.dll, loader C:\\_a4sjgfa\\bin\\GGsGuLID.exe\n2026-05-28 18:01:56,740 [root] DEBUG: Loader: Injecting process 7912 (thread 1496) with C:\\_a4sjgfa\\dll\\tHnPbxs.dll.\n2026-05-28 18:01:56,741 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.\n2026-05-28 18:01:56,741 [root] DEBUG: Successfully injected DLL C:\\_a4sjgfa\\dll\\tHnPbxs.dll.\n2026-05-28 18:01:56,742 [lib.api.process] INFO: Injected into 64-bit <Process 7912 
Taskmgr.exe>\n2026-05-28 18:01:56,744 [root] INFO: Announced 64-bit process name: Taskmgr.exe pid: 7912\n2026-05-28 18:01:56,744 [lib.api.process] INFO: Monitor config for process 7912: C:\\_a4sjgfa\\dll\\7912.ini\n2026-05-28 18:01:56,745 [lib.api.process] INFO: Option 'interactive' with value '1' sent to monitor\n2026-05-28 18:01:56,745 [lib.api.process] INFO: 64-bit DLL to inject is C:\\_a4sjgfa\\dll\\tHnPbxs.dll, loader C:\\_a4sjgfa\\bin\\GGsGuLID.exe\n2026-05-28 18:01:56,749 [root] DEBUG: Loader: Injecting process 7912 (thread 1496) with C:\\_a4sjgfa\\dll\\tHnPbxs.dll.\n2026-05-28 18:01:56,750 [root] DEBUG: InjectDllViaIAT: This image has already been patched.\n2026-05-28 18:01:56,750 [root] DEBUG: Successfully injected DLL C:\\_a4sjgfa\\dll\\tHnPbxs.dll.\n2026-05-28 18:01:56,751 [lib.api.process] INFO: Injected into 64-bit <Process 7912 Taskmgr.exe>\n2026-05-28 18:01:56,753 [root] DEBUG: 4584: DLL loaded at 0x00007FFC64EC0000: C:\\Windows\\SYSTEM32\\MPR (0x1d000 bytes).\n2026-05-28 18:01:56,753 [root] DEBUG: 4584: DLL loaded at 0x00007FFC66D50000: C:\\Windows\\SYSTEM32\\pcacli (0x16000 bytes).\n2026-05-28 18:01:56,754 [root] DEBUG: 4584: DLL loaded at 0x00007FFC630F0000: C:\\Windows\\System32\\sfc_os (0x12000 bytes).\n2026-05-28 18:01:56,760 [root] INFO: Announced 64-bit process name: Taskmgr.exe pid: 7912\n2026-05-28 18:01:56,760 [lib.api.process] INFO: Monitor config for process 7912: C:\\_a4sjgfa\\dll\\7912.ini\n2026-05-28 18:01:56,761 [lib.api.process] INFO: Option 'interactive' with value '1' sent to monitor\n2026-05-28 18:01:56,761 [lib.api.process] INFO: 64-bit DLL to inject is C:\\_a4sjgfa\\dll\\tHnPbxs.dll, loader C:\\_a4sjgfa\\bin\\GGsGuLID.exe\n2026-05-28 18:01:56,765 [root] DEBUG: Loader: Injecting process 7912 with C:\\_a4sjgfa\\dll\\tHnPbxs.dll.\n2026-05-28 18:01:56,766 [root] DEBUG: InjectDll: No thread ID supplied, initial thread ID 1496, handle 0x124\n2026-05-28 18:01:56,766 [root] DEBUG: InjectDllViaIAT: This image has already been 
patched.\n2026-05-28 18:01:56,767 [root] DEBUG: Successfully injected DLL C:\\_a4sjgfa\\dll\\tHnPbxs.dll.\n2026-05-28 18:01:56,768 [lib.api.process] INFO: Injected into 64-bit <Process 7912 Taskmgr.exe>\n2026-05-28 18:01:56,866 [root] DEBUG: 7912: Python path set to 'C:\\Users\\admin\\AppData\\Local\\Python\\pythoncore-3.14-64'.\n2026-05-28 18:01:56,867 [root] DEBUG: 7912: Interactive desktop enabled.\n2026-05-28 18:01:56,867 [root] DEBUG: 7912: Dropped file limit defaulting to 100.\n2026-05-28 18:01:56,951 [root] DEBUG: 7912: Disabling sleep skipping.\n2026-05-28 18:01:56,955 [root] DEBUG: 7912: YaraInit: Compiled rules loaded from existing file C:\\_a4sjgfa\\data\\yara\\capemon.yac\n2026-05-28 18:01:56,970 [root] DEBUG: 7912: RtlInsertInvertedFunctionTable 0x00007FFC77FE090E, LdrpInvertedFunctionTableSRWLock 0x00007FFC7813D4F0\n2026-05-28 18:01:56,971 [root] DEBUG: 7912: YaraScan: Scanning 0x00007FF6C28B0000, size 0x12fcfe\n2026-05-28 18:01:56,978 [root] DEBUG: 7912: Monitor initialised: 64-bit capemon loaded in process 7912 at 0x00007FFC33AB0000, thread 1496, image base 0x00007FF6C28B0000, stack from 0x000000F09D764000-0x000000F09D770000\n2026-05-28 18:01:56,979 [root] DEBUG: 7912: Commandline: \"C:\\Windows\\system32\\taskmgr.exe\" /4\n2026-05-28 18:01:56,988 [root] DEBUG: 7912: hook_api: LdrpCallInitRoutine export address 0x00007FFC77FE99BC obtained via GetFunctionAddress\n2026-05-28 18:01:57,027 [root] WARNING: b'Unable to create trampoline for LockResource, hook type 2'\n2026-05-28 18:01:57,028 [root] DEBUG: 7912: set_hooks: Unable to hook LockResource\n2026-05-28 18:01:57,044 [root] DEBUG: 7912: Hooked 627 out of 628 functions\n2026-05-28 18:01:57,052 [root] DEBUG: 7912: Syscall hook installed, syscall logging level 1\n2026-05-28 18:01:57,057 [root] DEBUG: 7912: RestoreHeaders: Restored original import table.\n2026-05-28 18:01:57,057 [root] INFO: Loaded monitor into process with pid 7912\n2026-05-28 18:01:57,068 [root] DEBUG: 7912: DLL loaded at 
0x00007FFC75440000: C:\\Windows\\system32\\UMPDC (0x12000 bytes).\n2026-05-28 18:01:57,156 [root] DEBUG: 7912: caller_dispatch: Added region at 0x00007FF6C28B0000 to tracked regions list (ntdll::NtAllocateVirtualMemory returns to 0x00007FF6C28DFF02, thread 1496).\n2026-05-28 18:01:57,157 [root] DEBUG: 7912: YaraScan: Scanning 0x00007FF6C28B0000, size 0x12fcfe\n2026-05-28 18:01:57,165 [root] DEBUG: 7912: ProcessImageBase: Main module image at 0x00007FF6C28B0000 unmodified (entropy change 0.000000e+00)\n2026-05-28 18:01:57,196 [root] DEBUG: 7912: DLL loaded at 0x00007FFC75FA0000: C:\\Windows\\System32\\bcryptPrimitives (0x82000 bytes).\n2026-05-28 18:01:57,202 [root] DEBUG: 7912: DLL loaded at 0x00007FFC765F0000: C:\\Windows\\System32\\clbcatq (0xa9000 bytes).\n2026-05-28 18:01:57,212 [root] DEBUG: 7912: DLL loaded at 0x00007FFC77400000: C:\\Windows\\System32\\MSCTF (0x114000 bytes).\n2026-05-28 18:01:57,254 [root] DEBUG: 7912: DLL loaded at 0x00007FFC66930000: C:\\Windows\\system32\\TextShaping (0xac000 bytes).\n2026-05-28 18:01:57,281 [root] DEBUG: 7912: DLL loaded at 0x00007FFC747F0000: C:\\Windows\\SYSTEM32\\ntmarta (0x33000 bytes).\n2026-05-28 18:01:57,282 [root] DEBUG: 7912: DLL loaded at 0x00007FFC729F0000: C:\\Windows\\System32\\CoreMessaging (0xf2000 bytes).\n2026-05-28 18:01:57,283 [root] DEBUG: 7912: DLL loaded at 0x00007FFC71EC0000: C:\\Windows\\SYSTEM32\\wintypes (0x155000 bytes).\n2026-05-28 18:01:57,283 [root] DEBUG: 7912: DLL loaded at 0x00007FFC72590000: C:\\Windows\\System32\\CoreUIComponents (0x35b000 bytes).\n2026-05-28 18:01:57,284 [root] DEBUG: 7912: DLL loaded at 0x00007FFC69D70000: C:\\Windows\\SYSTEM32\\textinputframework (0xf9000 bytes).\n2026-05-28 18:01:57,305 [root] DEBUG: 7912: DLL loaded at 0x00007FFC74740000: C:\\Windows\\system32\\msvcp110_win (0x8a000 bytes).\n2026-05-28 18:01:57,306 [root] DEBUG: 7912: DLL loaded at 0x00007FFC6FCE0000: C:\\Windows\\SYSTEM32\\policymanager (0xa1000 bytes).\n2026-05-28 18:01:57,415 [root] DEBUG: 7912: 
DLL loaded at 0x00007FFC68F00000: C:\\Windows\\System32\\NetworkUXBroker (0x6d000 bytes).\n2026-05-28 18:01:57,436 [root] DEBUG: 7912: DLL loaded at 0x00007FFC65120000: C:\\Windows\\system32\\srumapi (0x14000 bytes).\n2026-05-28 18:01:57,438 [root] DEBUG: 7912: DLL loaded at 0x00007FFC65620000: C:\\Windows\\SYSTEM32\\atlthunk (0xd000 bytes).\n2026-05-28 18:01:57,442 [root] DEBUG: 7912: DLL loaded at 0x00007FFC72B20000: C:\\Windows\\system32\\WTSAPI32 (0x14000 bytes).\n2026-05-28 18:01:57,446 [root] DEBUG: 7912: DLL loaded at 0x00007FFC75020000: C:\\Windows\\system32\\Wldp (0x2d000 bytes).\n2026-05-28 18:01:57,447 [root] DEBUG: 7912: DLL loaded at 0x00007FFC73790000: C:\\Windows\\SYSTEM32\\windows.storage (0x79b000 bytes).\n2026-05-28 18:01:57,473 [root] DEBUG: 7912: DLL loaded at 0x00007FFC75370000: C:\\Windows\\system32\\WINSTA (0x5b000 bytes).\n2026-05-28 18:01:57,492 [root] DEBUG: 7912: DLL loaded at 0x00007FFC711F0000: C:\\Windows\\system32\\XmlLite (0x36000 bytes).\n2026-05-28 18:01:57,496 [root] DEBUG: 7912: DLL loaded at 0x00007FFC701E0000: C:\\Windows\\system32\\WindowsCodecs (0x1b4000 bytes).\n2026-05-28 18:01:57,575 [root] DEBUG: 7912: DLL loaded at 0x00007FFC755E0000: C:\\Windows\\System32\\profapi (0x25000 bytes).\n2026-05-28 18:01:57,577 [root] DEBUG: 7912: DLL loaded at 0x00007FFC69BE0000: C:\\Windows\\System32\\Windows.UI.Immersive (0x139000 bytes).\n2026-05-28 18:01:57,580 [root] DEBUG: 7912: DLL loaded at 0x00007FFC5F9A0000: C:\\Windows\\system32\\OLEACC (0x66000 bytes).\n2026-05-28 18:01:57,614 [root] DEBUG: 7912: DLL loaded at 0x00007FFC6EDF0000: C:\\Windows\\System32\\ActXPrxy (0xa2000 bytes).\n2026-05-28 18:01:57,626 [root] DEBUG: 7912: api-rate-cap: NtWaitForSingleObject hook disabled due to rate\n2026-05-28 18:01:57,628 [root] DEBUG: 7912: DLL loaded at 0x00007FFC6BB00000: C:\\Windows\\system32\\samcli (0x19000 bytes).\n2026-05-28 18:01:57,642 [root] DEBUG: 7912: DLL loaded at 0x00007FFC72AF0000: C:\\Windows\\system32\\SAMLIB (0x28000 
bytes).\n2026-05-28 18:01:57,643 [root] DEBUG: 7912: api-rate-cap: NtReleaseMutant hook disabled due to rate\n2026-05-28 18:01:57,656 [root] DEBUG: 7912: DLL loaded at 0x00007FFC74B80000: C:\\Windows\\system32\\netutils (0xc000 bytes).\n2026-05-28 18:01:57,659 [root] DEBUG: 7912: OpenProcessHandler: Injection info created for process 92, handle 0x5e4:\n2026-05-28 18:01:57,661 [root] DEBUG: 7912: OpenProcessHandler: Injection info created for process 428, handle 0x5b0: C:\\Windows\\System32\\csrss.exe\n2026-05-28 18:01:57,663 [root] DEBUG: 7912: OpenProcessHandler: Injection info created for process 512, handle 0x5a8: C:\\Windows\\System32\\csrss.exe\n2026-05-28 18:01:57,664 [root] DEBUG: 7912: DLL loaded at 0x00007FFC5F2A0000: C:\\Windows\\System32\\thumbcache (0x66000 bytes).\n2026-05-28 18:01:57,666 [root] DEBUG: 7912: OpenProcessHandler: Injection info created for process 600, handle 0x5a8: C:\\Windows\\System32\\winlogon.exe\n2026-05-28 18:01:57,669 [root] DEBUG: 7912: OpenProcessHandler: Image base for process 600 (handle 0x610): 0x00007FF767B80000.\n2026-05-28 18:01:57,670 [root] DEBUG: 7912: OpenProcessHandler: Injection info created for process 740, handle 0x610: C:\\Windows\\System32\\svchost.exe\n2026-05-28 18:01:57,672 [root] DEBUG: 7912: OpenProcessHandler: Image base for process 740 (handle 0x634): 0x00007FF780360000.\n2026-05-28 18:01:57,673 [root] DEBUG: 7912: OpenProcessHandler: Injection info created for process 756, handle 0x634: C:\\Windows\\System32\\fontdrvhost.exe\n2026-05-28 18:01:57,675 [root] DEBUG: 7912: OpenProcessHandler: Image base for process 756 (handle 0x634): 0x00007FF7EE860000.\n2026-05-28 18:01:57,676 [root] DEBUG: 7912: OpenProcessHandler: Injection info created for process 900, handle 0x634: C:\\Windows\\System32\\svchost.exe\n2026-05-28 18:01:57,691 [root] DEBUG: 7912: OpenProcessHandler: Image base for process 900 (handle 0x634): 0x00007FF780360000.\n2026-05-28 18:01:57,693 [root] DEBUG: 7912: DLL loaded at 0x00007FFC728F0000: 
C:\\Windows\\system32\\propsys (0xf6000 bytes).\n2026-05-28 18:01:57,698 [root] DEBUG: 7912: OpenProcessHandler: Injection info created for process 420, handle 0x634: C:\\Windows\\System32\\svchost.exe\n2026-05-28 18:01:57,701 [root] DEBUG: 7912: OpenProcessHandler: Image base for process 420 (handle 0x654): 0x00007FF780360000.\n2026-05-28 18:01:57,702 [root] DEBUG: 7912: OpenProcessHandler: Injection info created for process 712, handle 0x654: C:\\Windows\\System32\\svchost.exe\n2026-05-28 18:01:57,705 [root] DEBUG: 7912: OpenProcessHandler: Injection info created for process 1064, handle 0x654: C:\\Windows\\System32\\svchost.exe\n2026-05-28 18:01:57,713 [root] DEBUG: 7912: OpenProcessHandler: Image base for process 1064 (handle 0x644): 0x00007FF780360000.\n2026-05-28 18:01:57,714 [root] DEBUG: 7912: OpenProcessHandler: Injection info created for process 1144, handle 0x644: C:\\Windows\\System32\\svchost.exe\n2026-05-28 18:01:57,721 [root] DEBUG: 7912: OpenProcessHandler: Image base for process 1144 (handle 0x644): 0x00007FF780360000.\n2026-05-28 18:01:57,722 [root] DEBUG: 7912: OpenProcessHandler: Injection info created for process 1208, handle 0x644: C:\\Windows\\System32\\svchost.exe\n2026-05-28 18:01:57,733 [root] DEBUG: 7912: OpenProcessHandler: Image base for process 1208 (handle 0x644): 0x00007FF780360000.\n2026-05-28 18:01:57,734 [root] DEBUG: 7912: OpenProcessHandler: Injection info created for process 1260, handle 0x644: C:\\Windows\\System32\\svchost.exe\n2026-05-28 18:01:57,737 [root] DEBUG: 7912: OpenProcessHandler: Image base for process 1260 (handle 0x644): 0x00007FF780360000.\n2026-05-28 18:01:57,738 [root] DEBUG: 7912: OpenProcessHandler: Injection info created for process 1432, handle 0x644: C:\\Windows\\System32\\svchost.exe\n2026-05-28 18:01:57,746 [root] DEBUG: 7912: OpenProcessHandler: Image base for process 1432 (handle 0x6a0): 0x00007FF780360000.\n2026-05-28 18:01:57,750 [root] DEBUG: 7912: OpenProcessHandler: Injection info created for 
process 1520, handle 0x6a0: C:\\Windows\\System32\\svchost.exe\n2026-05-28 18:01:57,757 [root] DEBUG: 7912: OpenProcessHandler: Image base for process 1520 (handle 0x6a0): 0x00007FF780360000.\n2026-05-28 18:01:57,764 [root] DEBUG: 7912: OpenProcessHandler: Injection info created for process 1620, handle 0x6a0: C:\\Windows\\System32\\svchost.exe\n2026-05-28 18:01:57,766 [root] DEBUG: 7912: OpenProcessHandler: Image base for process 1620 (handle 0x6a0): 0x00007FF780360000.\n2026-05-28 18:01:57,767 [root] DEBUG: 7912: OpenProcessHandler: Injection info created for process 1720, handle 0x6a0: C:\\Windows\\System32\\svchost.exe\n2026-05-28 18:01:57,769 [root] DEBUG: 7912: OpenProcessHandler: Image base for process 1720 (handle 0x6a0): 0x00007FF780360000.\n2026-05-28 18:01:57,776 [root] DEBUG: 7912: OpenProcessHandler: Injection info created for process 1748, handle 0x6a0: C:\\Windows\\System32\\svchost.exe\n2026-05-28 18:01:57,778 [root] DEBUG: 7912: OpenProcessHandler: Image base for process 1748 (handle 0x6a0): 0x00007FF780360000.\n2026-05-28 18:01:57,782 [root] DEBUG: 7912: OpenProcessHandler: Injection info created for process 1844, handle 0x6a0: C:\\Windows\\System32\\svchost.exe\n2026-05-28 18:01:57,785 [root] DEBUG: 7912: OpenProcessHandler: Image base for process 1844 (handle 0x6a0): 0x00007FF780360000.\n2026-05-28 18:01:57,789 [root] DEBUG: 7912: OpenProcessHandler: Injection info created for process 1892, handle 0x6a0: C:\\Windows\\System32\\svchost.exe\n2026-05-28 18:01:57,792 [root] DEBUG: 7912: OpenProcessHandler: Image base for process 1892 (handle 0x6a0): 0x00007FF780360000.\n2026-05-28 18:01:57,793 [root] DEBUG: 7912: OpenProcessHandler: Injection info created for process 1976, handle 0x6a0: C:\\Windows\\System32\\svchost.exe\n2026-05-28 18:01:57,796 [root] DEBUG: 7912: OpenProcessHandler: Image base for process 1976 (handle 0x6a0): 0x00007FF780360000.\n2026-05-28 18:01:57,796 [root] DEBUG: 7912: OpenProcessHandler: Injection info created for process 
348, handle 0x6a0: C:\\Windows\\System32\\svchost.exe\n2026-05-28 18:01:57,799 [root] DEBUG: 7912: OpenProcessHandler: Image base for process 348 (handle 0x6a8): 0x00007FF780360000.\n2026-05-28 18:01:57,800 [root] DEBUG: 7912: OpenProcessHandler: Injection info created for process 2100, handle 0x6a8: C:\\Windows\\System32\\svchost.exe\n2026-05-28 18:01:57,805 [root] DEBUG: 7912: OpenProcessHandler: Image base for process 2100 (handle 0x6ac): 0x00007FF780360000.\n2026-05-28 18:01:57,807 [root] DEBUG: 7912: OpenProcessHandler: Injection info created for process 2276, handle 0x6ac: C:\\Windows\\System32\\spoolsv.exe\n2026-05-28 18:01:57,810 [root] DEBUG: 7912: OpenProcessHandler: Injection info created for process 2348, handle 0x6ac: C:\\Windows\\System32\\svchost.exe\n2026-05-28 18:01:57,816 [root] DEBUG: 7912: OpenProcessHandler: Image base for process 2348 (handle 0x6ac): 0x00007FF780360000.\n2026-05-28 18:01:57,824 [root] DEBUG: 7912: OpenProcessHandler: Injection info created for process 2512, handle 0x6ac: C:\\Windows\\System32\\svchost.exe\n2026-05-28 18:01:57,827 [root] DEBUG: 7912: OpenProcessHandler: Image base for process 2512 (handle 0x6ac): 0x00007FF780360000.\n2026-05-28 18:01:57,828 [root] INFO: Restarting WMI Service\n2026-05-28 18:01:57,830 [root] DEBUG: 7912: DLL loaded at 0x00007FFC6FF20000: C:\\Windows\\System32\\twinapi.appcore (0x203000 bytes).\n2026-05-28 18:01:57,831 [root] DEBUG: 7912: OpenProcessHandler: Injection info created for process 2636, handle 0x6ac: C:\\Windows\\System32\\svchost.exe\n2026-05-28 18:01:57,835 [root] DEBUG: 7912: DLL loaded at 0x00007FFC63700000: C:\\Windows\\System32\\Windows.ApplicationModel (0xe9000 bytes).\n2026-05-28 18:01:57,836 [root] DEBUG: 7912: OpenProcessHandler: Image base for process 2636 (handle 0x6ac): 0x00007FF780360000.\n2026-05-28 18:01:57,845 [root] DEBUG: 7912: OpenProcessHandler: Injection info created for process 2792, handle 0x6ac: C:\\Windows\\System32\\svchost.exe\n2026-05-28 18:01:57,846 
[root] DEBUG: 7912: DLL loaded at 0x00007FFC665A0000: C:\\Windows\\System32\\Windows.StateRepositoryPS (0x146000 bytes).\n2026-05-28 18:01:57,851 [root] DEBUG: 7912: OpenProcessHandler: Image base for process 2792 (handle 0x6ac): 0x00007FF780360000.\n2026-05-28 18:01:57,852 [root] DEBUG: 7912: OpenProcessHandler: Injection info created for process 2808, handle 0x6ac: C:\\Windows\\System32\\svchost.exe\n2026-05-28 18:01:57,854 [root] DEBUG: 7912: OpenProcessHandler: Image base for process 2808 (handle 0x6ac): 0x00007FF780360000.\n2026-05-28 18:01:57,855 [root] DEBUG: 7912: OpenProcessHandler: Injection info created for process 2996, handle 0x6ac: C:\\Windows\\System32\\svchost.exe\n2026-05-28 18:01:57,857 [root] DEBUG: 7912: OpenProcessHandler: Image base for process 2996 (handle 0x6ac): 0x00007FF780360000.\n2026-05-28 18:01:57,858 [root] DEBUG: 7912: OpenProcessHandler: Injection info created for process 3824, handle 0x6ac: C:\\Windows\\System32\\SearchIndexer.exe\n2026-05-28 18:01:57,860 [root] DEBUG: 7912: OpenProcessHandler: Image base for process 3824 (handle 0x6ac): 0x00007FF781A20000.\n2026-05-28 18:01:57,861 [root] DEBUG: 7912: OpenProcessHandler: Injection info created for process 2344, handle 0x6ac: C:\\Windows\\System32\\sihost.exe\n2026-05-28 18:01:57,862 [root] DEBUG: 7912: OpenProcessHandler: Image base for process 2344 (handle 0x6ac): 0x00007FF6BC710000.\n2026-05-28 18:01:57,862 [root] DEBUG: 7912: OpenProcessHandler: Injection info created for process 2464, handle 0x6ac: C:\\Windows\\System32\\svchost.exe\n2026-05-28 18:01:57,865 [root] DEBUG: 7912: OpenProcessHandler: Image base for process 2464 (handle 0x6ac): 0x00007FF780360000.\n2026-05-28 18:01:57,865 [root] DEBUG: 7912: OpenProcessHandler: Injection info created for process 3752, handle 0x6ac: C:\\Windows\\System32\\taskhostw.exe\n2026-05-28 18:01:57,867 [root] DEBUG: 7912: OpenProcessHandler: Image base for process 3752 (handle 0x6ac): 0x00007FF77B4D0000.\n2026-05-28 18:01:57,868 [root] DEBUG: 
7912: OpenProcessHandler: Injection info created for process 392, handle 0x6ac: C:\\Windows\\System32\\svchost.exe\n2026-05-28 18:01:57,870 [root] DEBUG: 7912: OpenProcessHandler: Image base for process 392 (handle 0x6ac): 0x00007FF780360000.\n2026-05-28 18:01:57,871 [root] DEBUG: 7912: OpenProcessHandler: Injection info created for process 4276, handle 0x6ac: C:\\Windows\\System32\\svchost.exe\n2026-05-28 18:01:57,873 [root] DEBUG: 7912: OpenProcessHandler: Injection info created for process 4484, handle 0x6ac: C:\\Windows\\System32\\svchost.exe\n2026-05-28 18:01:57,875 [root] DEBUG: 7912: OpenProcessHandler: Image base for process 4484 (handle 0x6ac): 0x00007FF780360000.\n2026-05-28 18:01:57,876 [root] DEBUG: 7912: OpenProcessHandler: Injection info created for process 4728, handle 0x6ac: C:\\Windows\\System32\\svchost.exe\n2026-05-28 18:01:57,878 [root] DEBUG: 7912: OpenProcessHandler: Image base for process 4728 (handle 0x6ac): 0x00007FF780360000.\n2026-05-28 18:01:57,879 [root] DEBUG: 7912: OpenProcessHandler: Injection info created for process 3060, handle 0x6ac: C:\\Windows\\System32\\SearchProtocolHost.exe\n2026-05-28 18:01:57,934 [root] DEBUG: 7912: OpenProcessHandler: Image base for process 3060 (handle 0x6ac): 0x00007FF716940000.\n2026-05-28 18:01:57,938 [root] DEBUG: 7912: OpenProcessHandler: Injection info created for process 5152, handle 0x6ac: C:\\Windows\\SystemApps\\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\\StartMenuExperienceHost.exe\n2026-05-28 18:01:57,941 [root] DEBUG: 7912: DLL loaded at 0x00007FFC6A640000: C:\\Windows\\System32\\Bcp47Langs (0x5b000 bytes).\n2026-05-28 18:01:57,969 [root] DEBUG: 7912: DLL loaded at 0x00007FFC741C0000: C:\\Windows\\System32\\sppc (0x25000 bytes).\n2026-05-28 18:01:57,970 [root] DEBUG: 7912: DLL loaded at 0x00007FFC741F0000: C:\\Windows\\System32\\SLC (0x29000 bytes).\n2026-05-28 18:01:57,970 [root] DEBUG: 7912: DLL loaded at 0x00007FFC75560000: C:\\Windows\\System32\\USERENV (0x2e000 
bytes).\n2026-05-28 18:01:57,970 [root] DEBUG: 7912: DLL loaded at 0x00007FFC610F0000: C:\\Windows\\System32\\appresolver (0x90000 bytes).\n2026-05-28 18:01:57,991 [root] DEBUG: 7912: DLL loaded at 0x00007FFC72EF0000: C:\\Windows\\SYSTEM32\\apphelp (0x90000 bytes).\n2026-05-28 18:01:57,997 [root] DEBUG: 7912: DLL loaded at 0x00007FFC6AB30000: C:\\Windows\\System32\\StateRepository.Core (0xb1000 bytes).\n2026-05-28 18:01:57,998 [root] DEBUG: 7912: DLL loaded at 0x00007FFC6AC50000: C:\\Windows\\System32\\Windows.StateRepository (0x58e000 bytes).\n2026-05-28 18:01:57,998 [root] DEBUG: 7912: DLL loaded at 0x00007FFC61260000: C:\\Windows\\System32\\TileDataRepository (0x99000 bytes).\n2026-05-28 18:01:58,017 [root] DEBUG: 7912: DLL loaded at 0x00007FFC6A6A0000: C:\\Windows\\SYSTEM32\\windows.staterepositorycore (0x11000 bytes).\n2026-05-28 18:01:58,022 [root] DEBUG: 7912: DLL loaded at 0x00007FFC6A120000: C:\\Windows\\System32\\MrmCoreR (0xf4000 bytes).\n2026-05-28 18:01:58,030 [root] DEBUG: 7912: DLL loaded at 0x00007FFC70130000: C:\\Windows\\System32\\WindowManagementAPI (0xa1000 bytes).\n2026-05-28 18:01:58,031 [root] DEBUG: 7912: DLL loaded at 0x00007FFC69E70000: C:\\Windows\\System32\\InputHost (0x152000 bytes).\n2026-05-28 18:01:58,031 [root] DEBUG: 7912: DLL loaded at 0x00007FFC69FD0000: C:\\Windows\\System32\\Windows.UI (0x141000 bytes).\n2026-05-28 18:01:58,034 [root] DEBUG: 7912: DLL loaded at 0x00007FFC69D20000: C:\\Windows\\SYSTEM32\\languageoverlayutil (0x41000 bytes).\n2026-05-28 18:01:58,040 [root] DEBUG: 7912: DLL loaded at 0x00007FFC6A6C0000: C:\\Windows\\System32\\bcp47mrm (0x2d000 bytes).\n2026-05-28 18:01:58,042 [root] DEBUG: 7912: DLL loaded at 0x00007FFC6B370000: C:\\Windows\\System32\\iertutil (0x2bc000 bytes).\n2026-05-28 18:01:58,055 [root] DEBUG: 7912: OpenProcessHandler: Image base for process 5152 (handle 0x740): 0x00007FF70F680000.\n2026-05-28 18:01:58,062 [root] DEBUG: 7912: OpenProcessHandler: Injection info created for process 5216, 
handle 0x798: C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.3745_none_7ded3f327ca60a41\\TiWorker.exe\n2026-05-28 18:01:58,065 [root] DEBUG: 7912: OpenProcessHandler: Image base for process 5216 (handle 0x798): 0x00007FF6B6CB0000.\n2026-05-28 18:01:58,066 [root] DEBUG: 7912: OpenProcessHandler: Injection info created for process 5328, handle 0x798: C:\\Windows\\System32\\svchost.exe\n2026-05-28 18:01:58,069 [root] DEBUG: 7912: OpenProcessHandler: Image base for process 5328 (handle 0x798): 0x00007FF780360000.\n2026-05-28 18:01:58,070 [root] DEBUG: 7912: OpenProcessHandler: Injection info created for process 5536, handle 0x798: C:\\Windows\\SystemApps\\Microsoft.Windows.Search_cw5n1h2txyewy\\SearchApp.exe\n2026-05-28 18:01:58,088 [root] DEBUG: 7912: OpenProcessHandler: Image base for process 5536 (handle 0x7a8): 0x00007FF6EB870000.\n2026-05-28 18:01:58,090 [root] DEBUG: 7912: OpenProcessHandler: Injection info created for process 5796, handle 0x7a8: C:\\Windows\\System32\\RuntimeBroker.exe\n2026-05-28 18:01:58,094 [root] DEBUG: 7912: OpenProcessHandler: Image base for process 5796 (handle 0x7a8): 0x00007FF77B710000.\n2026-05-28 18:01:58,095 [root] DEBUG: 7912: OpenProcessHandler: Injection info created for process 5956, handle 0x7a8: C:\\Windows\\System32\\RuntimeBroker.exe\n2026-05-28 18:01:58,096 [root] DEBUG: 7912: OpenProcessHandler: Image base for process 5956 (handle 0x7a8): 0x00007FF77B710000.\n2026-05-28 18:01:58,097 [root] DEBUG: 7912: OpenProcessHandler: Injection info created for process 3680, handle 0x7a8: C:\\Windows\\System32\\SecurityHealthSystray.exe\n2026-05-28 18:01:58,100 [root] DEBUG: 7912: OpenProcessHandler: Image base for process 3680 (handle 0x7a8): 0x00007FF661AB0000.\n2026-05-28 18:01:58,101 [root] DEBUG: 7912: OpenProcessHandler: Injection info created for process 6084, handle 0x7a8: C:\\Windows\\System32\\svchost.exe\n2026-05-28 18:01:58,102 [root] DEBUG: 7912: OpenProcessHandler: Image base for 
process 6084 (handle 0x7a8): 0x00007FF780360000.\n2026-05-28 18:01:58,103 [root] DEBUG: 7912: OpenProcessHandler: Injection info created for process 4944, handle 0x7a8: C:\\Users\\admin\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\n2026-05-28 18:01:58,104 [root] DEBUG: 7912: OpenProcessHandler: Image base for process 4944 (handle 0x7a8): 0x0000000000320000.\n2026-05-28 18:01:58,105 [root] DEBUG: 7912: OpenProcessHandler: Injection info created for process 5876, handle 0x7a8: C:\\Windows\\System32\\svchost.exe\n2026-05-28 18:01:58,106 [root] DEBUG: 7912: OpenProcessHandler: Image base for process 5876 (handle 0x7a8): 0x00007FF780360000.\n2026-05-28 18:01:58,107 [root] DEBUG: 7912: OpenProcessHandler: Injection info created for process 3552, handle 0x7a8: C:\\Program Files (x86)\\Steam\\steam.exe\n2026-05-28 18:01:58,108 [root] DEBUG: 7912: OpenProcessHandler: Image base for process 3552 (handle 0x7a8): 0x00007FF7CB360000.\n2026-05-28 18:01:58,109 [root] DEBUG: 7912: OpenProcessHandler: Injection info created for process 6200, handle 0x7a8: C:\\Users\\admin\\AppData\\Local\\Discord\\app-1.0.9238\\Discord.exe\n2026-05-28 18:01:58,110 [root] DEBUG: 7912: OpenProcessHandler: Image base for process 6200 (handle 0x7a8): 0x00007FF6B1860000.\n2026-05-28 18:01:58,110 [root] DEBUG: 7912: OpenProcessHandler: Injection info created for process 6600, handle 0x7a8: C:\\Users\\admin\\AppData\\Local\\Discord\\app-1.0.9238\\Discord.exe\n2026-05-28 18:01:58,111 [root] DEBUG: 7912: OpenProcessHandler: Image base for process 6600 (handle 0x7a8): 0x00007FF6B1860000.\n2026-05-28 18:01:58,112 [root] DEBUG: 7912: OpenProcessHandler: Injection info created for process 3392, handle 0x7a8: C:\\Program Files (x86)\\Steam\\bin\\cef\\cef.win64\\steamwebhelper.exe\n2026-05-28 18:01:58,114 [root] DEBUG: 7912: OpenProcessHandler: Image base for process 3392 (handle 0x7a8): 0x00007FF7D0050000.\n2026-05-28 18:01:58,117 [root] DEBUG: 7912: OpenProcessHandler: Injection info created for process 
6908, handle 0x7a8: C:\\Program Files (x86)\\Common Files\\Steam\\steamservice.exe\n2026-05-28 18:01:58,118 [root] DEBUG: 7912: OpenProcessHandler: Image base for process 6908 (handle 0x7a8): 0x0000000000390000.\n2026-05-28 18:01:58,119 [root] DEBUG: 7912: OpenProcessHandler: Injection info created for process 6448, handle 0x7a8: C:\\Program Files (x86)\\Steam\\bin\\cef\\cef.win64\\steamwebhelper.exe\n2026-05-28 18:01:58,120 [root] DEBUG: 7912: OpenProcessHandler: Image base for process 6448 (handle 0x7a8): 0x00007FF7D0050000.\n2026-05-28 18:01:58,120 [root] DEBUG: 7912: OpenProcessHandler: Injection info created for process 7632, handle 0x7a8: C:\\Program Files (x86)\\Steam\\bin\\cef\\cef.win64\\steamwebhelper.exe\n2026-05-28 18:01:58,121 [root] DEBUG: 7912: OpenProcessHandler: Image base for process 7632 (handle 0x7a8): 0x00007FF7D0050000.\n2026-05-28 18:01:58,122 [root] DEBUG: 7912: OpenProcessHandler: Injection info created for process 7988, handle 0x7a8: C:\\Windows\\System32\\svchost.exe\n2026-05-28 18:01:58,124 [root] DEBUG: 7912: OpenProcessHandler: Image base for process 7988 (handle 0x7a8): 0x00007FF780360000.\n2026-05-28 18:01:58,124 [root] DEBUG: 7912: OpenProcessHandler: Injection info created for process 796, handle 0x7a8: C:\\Windows\\System32\\ApplicationFrameHost.exe\n2026-05-28 18:01:58,126 [root] DEBUG: 7912: OpenProcessHandler: Image base for process 796 (handle 0x7a8): 0x00007FF7EECE0000.\n2026-05-28 18:01:58,126 [root] DEBUG: 7912: OpenProcessHandler: Injection info created for process 7940, handle 0x7a8: C:\\Windows\\System32\\notepad.exe\n2026-05-28 18:01:58,128 [root] DEBUG: 7912: OpenProcessHandler: Image base for process 7940 (handle 0x7a8): 0x00007FF7241A0000.\n2026-05-28 18:01:58,129 [root] DEBUG: 7912: OpenProcessHandler: Injection info created for process 4452, handle 0x7a8: C:\\Windows\\SystemApps\\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\\TextInputHost.exe\n2026-05-28 18:01:58,141 [root] DEBUG: 7912: OpenProcessHandler: Image base 
for process 4452 (handle 0x7a4): 0x00007FF78C870000.\n2026-05-28 18:01:58,203 [root] INFO: Added new file to list with pid 7912 and path C:\\Users\\admin\\AppData\\Local\\Microsoft\\Windows\\Explorer\\iconcache_idx.db\n2026-05-28 18:01:58,223 [root] INFO: Added new file to list with pid 7912 and path C:\\Users\\admin\\AppData\\Local\\Microsoft\\Windows\\Explorer\\iconcache_16.db\n2026-05-28 18:01:58,350 [root] DEBUG: 7912: DLL loaded at 0x00007FFC74A70000: C:\\Windows\\system32\\IPHLPAPI (0x3b000 bytes).\n2026-05-28 18:01:58,353 [root] DEBUG: 7912: DLL loaded at 0x00007FFC6E0E0000: C:\\Windows\\SYSTEM32\\WINNSI (0xb000 bytes).\n2026-05-28 18:01:58,374 [root] DEBUG: 7912: api-rate-cap: NtQueryValueKey hook disabled due to rate\n2026-05-28 18:01:58,572 [root] DEBUG: 7912: DLL loaded at 0x00007FFC73480000: C:\\Windows\\system32\\dwmapi (0x2f000 bytes).\n2026-05-28 18:01:58,573 [root] DEBUG: 7912: DLL loaded at 0x0000029255550000: C:\\Windows\\system32\\d3d9 (0x1cd000 bytes).\n2026-05-28 18:01:58,600 [root] DEBUG: 7912: DLL loaded at 0x00007FFC731A0000: C:\\Windows\\SYSTEM32\\resourcepolicyclient (0x14000 bytes).\n2026-05-28 18:01:58,606 [root] DEBUG: 7912: DLL loaded at 0x00007FFC5EEF0000: C:\\Windows\\system32\\D3D12Core (0x1cd000 bytes).\n2026-05-28 18:01:58,609 [root] DEBUG: 7912: DLL loaded at 0x00007FFC6E3B0000: C:\\Windows\\system32\\d3d10warp (0x6f6000 bytes).\n2026-05-28 18:01:58,614 [root] DEBUG: 7912: DLL loaded at 0x00007FFC5F430000: C:\\Windows\\system32\\dxilconv (0x139000 bytes).\n2026-05-28 18:01:58,616 [root] DEBUG: 7912: DLL loaded at 0x00007FFC6A9E0000: C:\\Windows\\system32\\D3DSCache (0x2a000 bytes).\n2026-05-28 18:01:58,639 [root] DEBUG: 7912: DLL loaded at 0x00007FFC6E3B0000: C:\\Windows\\system32\\d3d10warp (0x6f6000 bytes).\n2026-05-28 18:01:58,642 [root] DEBUG: 7912: DLL loaded at 0x00007FFC753D0000: C:\\Windows\\system32\\DEVOBJ (0x33000 bytes).\n2026-05-28 18:01:58,644 [root] DEBUG: 7912: DLL loaded at 0x00007FFC6E0C0000: 
C:\\Windows\\SYSTEM32\\dhcpcsvc6 (0x17000 bytes).\n2026-05-28 18:01:58,648 [root] DEBUG: 7912: OpenProcessHandler: Injection info created for process 336, handle 0x808: C:\\Windows\\System32\\smss.exe\n2026-05-28 18:01:58,649 [root] DEBUG: 7912: DLL loaded at 0x00007FFC6E0A0000: C:\\Windows\\SYSTEM32\\dhcpcsvc (0x1d000 bytes).\n2026-05-28 18:01:58,651 [root] DEBUG: 7912: DLL loaded at 0x00007FFC74AB0000: C:\\Windows\\SYSTEM32\\DNSAPI (0xca000 bytes).\n2026-05-28 18:01:58,656 [root] DEBUG: 7912: DLL loaded at 0x00007FFC747D0000: C:\\Windows\\system32\\wkscli (0x19000 bytes).\n2026-05-28 18:01:58,668 [root] DEBUG: 7912: OpenProcessHandler: Injection info created for process 500, handle 0xa44: C:\\Windows\\System32\\wininit.exe\n2026-05-28 18:01:58,673 [root] DEBUG: 7912: OpenProcessHandler: Injection info created for process 592, handle 0xa30: C:\\Windows\\System32\\services.exe\n2026-05-28 18:01:58,678 [root] DEBUG: 7912: OpenProcessHandler: Injection info created for process 640, handle 0x7d4: C:\\Windows\\System32\\lsass.exe\n2026-05-28 18:01:58,681 [root] DEBUG: 7912: OpenProcessHandler: Image base for process 640 (handle 0xa3c): 0x00007FF657A90000.\n2026-05-28 18:01:58,682 [root] DEBUG: 7912: OpenProcessHandler: Injection info created for process 748, handle 0xa3c: C:\\Windows\\System32\\fontdrvhost.exe\n2026-05-28 18:01:58,682 [root] DEBUG: 7912: OpenProcessHandler: Injection info created for process 860, handle 0xa3c: C:\\Windows\\System32\\svchost.exe\n2026-05-28 18:01:58,684 [root] DEBUG: 7912: OpenProcessHandler: Image base for process 860 (handle 0xa3c): 0x00007FF780360000.\n2026-05-28 18:01:58,684 [root] DEBUG: 7912: OpenProcessHandler: Injection info created for process 984, handle 0xa3c: C:\\Windows\\System32\\dwm.exe\n2026-05-28 18:01:58,689 [root] DEBUG: 7912: OpenProcessHandler: Image base for process 984 (handle 0xa30): 0x00007FF6D4CD0000.\n2026-05-28 18:01:58,689 [root] DEBUG: 7912: OpenProcessHandler: Injection info created for process 492, handle 
0xa30: C:\\Windows\\System32\\svchost.exe\n2026-05-28 18:01:58,691 [root] DEBUG: 7912: OpenProcessHandler: Image base for process 492 (handle 0xa30): 0x00007FF780360000.\n2026-05-28 18:01:58,694 [root] DEBUG: 7912: OpenProcessHandler: Injection info created for process 560, handle 0xa30: C:\\Windows\\System32\\svchost.exe\n2026-05-28 18:01:58,696 [root] DEBUG: 7912: OpenProcessHandler: Image base for process 560 (handle 0xa30): 0x00007FF780360000.\n2026-05-28 18:01:58,696 [root] DEBUG: 7912: OpenProcessHandler: Injection info created for process 1072, handle 0xa30: C:\\Windows\\System32\\svchost.exe\n2026-05-28 18:01:58,698 [root] DEBUG: 7912: OpenProcessHandler: Image base for process 1072 (handle 0xa30): 0x00007FF780360000.\n2026-05-28 18:01:58,699 [root] DEBUG: 7912: OpenProcessHandler: Injection info created for process 1172, handle 0xa30: C:\\Windows\\System32\\svchost.exe\n2026-05-28 18:01:58,700 [root] DEBUG: 7912: OpenProcessHandler: Image base for process 1172 (handle 0xa30): 0x00007FF780360000.\n2026-05-28 18:01:58,701 [root] DEBUG: 7912: OpenProcessHandler: Injection info created for process 1224, handle 0xa30: C:\\Windows\\System32\\svchost.exe\n2026-05-28 18:01:58,703 [root] DEBUG: 7912: OpenProcessHandler: Image base for process 1224 (handle 0xa30): 0x00007FF780360000.\n2026-05-28 18:01:58,704 [root] DEBUG: 7912: OpenProcessHandler: Injection info created for process 1316, handle 0xa30: C:\\Windows\\System32\\svchost.exe\n2026-05-28 18:01:58,706 [root] DEBUG: 7912: OpenProcessHandler: Image base for process 1316 (handle 0xa30): 0x00007FF780360000.\n2026-05-28 18:01:58,706 [root] DEBUG: 7912: OpenProcessHandler: Injection info created for process 1468, handle 0xa30: C:\\Windows\\System32\\svchost.exe\n2026-05-28 18:01:58,709 [root] DEBUG: 7912: OpenProcessHandler: Image base for process 1468 (handle 0xa30): 0x00007FF780360000.\n2026-05-28 18:01:58,709 [root] DEBUG: 7912: OpenProcessHandler: Injection info created for process 1604, handle 0xa30: 
C:\\Windows\\System32\\svchost.exe\n2026-05-28 18:01:58,711 [root] DEBUG: 7912: OpenProcessHandler: Image base for process 1604 (handle 0xa30): 0x00007FF780360000.\n2026-05-28 18:01:58,712 [root] DEBUG: 7912: OpenProcessHandler: Injection info created for process 1688, handle 0xa30: C:\\Windows\\System32\\svchost.exe\n2026-05-28 18:01:58,713 [root] DEBUG: 7912: OpenProcessHandler: Image base for process 1688 (handle 0xa30): 0x00007FF780360000.\n2026-05-28 18:01:58,714 [root] DEBUG: 7912: OpenProcessHandler: Injection info created for process 1732, handle 0xa30: C:\\Windows\\System32\\svchost.exe\n2026-05-28 18:01:58,716 [root] DEBUG: 7912: OpenProcessHandler: Image base for process 1732 (handle 0xa30): 0x00007FF780360000.\n2026-05-28 18:01:58,716 [root] DEBUG: 7912: OpenProcessHandler: Injection info created for process 1852, handle 0xa30: C:\\Windows\\System32\\svchost.exe\n2026-05-28 18:01:58,718 [root] DEBUG: 7912: OpenProcessHandler: Image base for process 1852 (handle 0xa30): 0x00007FF780360000.\n2026-05-28 18:01:58,719 [root] DEBUG: 7912: OpenProcessHandler: Injection info created for process 1900, handle 0xa30: C:\\Windows\\System32\\svchost.exe\n2026-05-28 18:01:58,720 [root] DEBUG: 7912: OpenProcessHandler: Image base for process 1900 (handle 0xa30): 0x00007FF780360000.\n2026-05-28 18:01:58,721 [root] DEBUG: 7912: OpenProcessHandler: Injection info created for process 1396, handle 0xa30: C:\\Windows\\System32\\svchost.exe\n2026-05-28 18:01:58,724 [root] DEBUG: 7912: OpenProcessHandler: Image base for process 1396 (handle 0xa30): 0x00007FF780360000.\n2026-05-28 18:01:58,725 [root] DEBUG: 7912: OpenProcessHandler: Injection info created for process 1644, handle 0xa30: C:\\Windows\\System32\\svchost.exe\n2026-05-28 18:01:58,726 [root] DEBUG: 7912: OpenProcessHandler: Image base for process 1644 (handle 0xa30): 0x00007FF780360000.\n2026-05-28 18:01:58,727 [root] DEBUG: 7912: OpenProcessHandler: Injection info created for process 2184, handle 0xa30: 
C:\\Windows\\System32\\svchost.exe\n2026-05-28 18:01:58,729 [root] DEBUG: 7912: OpenProcessHandler: Image base for process 2184 (handle 0xa30): 0x00007FF780360000.\n2026-05-28 18:01:58,729 [root] DEBUG: 7912: OpenProcessHandler: Injection info created for process 2308, handle 0xa30: C:\\Windows\\System32\\svchost.exe\n2026-05-28 18:01:58,731 [root] DEBUG: 7912: OpenProcessHandler: Image base for process 2308 (handle 0xa30): 0x00007FF780360000.\n2026-05-28 18:01:58,732 [root] DEBUG: 7912: OpenProcessHandler: Injection info created for process 2504, handle 0xa30: C:\\Windows\\System32\\svchost.exe\n2026-05-28 18:01:58,733 [root] DEBUG: 7912: OpenProcessHandler: Image base for process 2504 (handle 0xa30): 0x00007FF780360000.\n2026-05-28 18:01:58,734 [root] DEBUG: 7912: OpenProcessHandler: Injection info created for process 2628, handle 0xa30: C:\\Windows\\System32\\svchost.exe\n2026-05-28 18:01:58,736 [root] DEBUG: 7912: OpenProcessHandler: Image base for process 2628 (handle 0xa30): 0x00007FF780360000.\n2026-05-28 18:01:58,737 [root] DEBUG: 7912: OpenProcessHandler: Injection info created for process 2644, handle 0xa30: C:\\Windows\\System32\\svchost.exe\n2026-05-28 18:01:58,741 [root] DEBUG: 7912: OpenProcessHandler: Image base for process 2644 (handle 0xa30): 0x00007FF780360000.\n2026-05-28 18:01:58,742 [root] DEBUG: 7912: OpenProcessHandler: Injection info created for process 2800, handle 0xa30: C:\\Windows\\System32\\svchost.exe\n2026-05-28 18:01:58,743 [root] DEBUG: 7912: OpenProcessHandler: Image base for process 2800 (handle 0xa30): 0x00007FF780360000.\n2026-05-28 18:01:58,744 [root] DEBUG: 7912: OpenProcessHandler: Injection info created for process 2932, handle 0xa30: C:\\Windows\\System32\\svchost.exe\n2026-05-28 18:01:58,746 [root] DEBUG: 7912: OpenProcessHandler: Image base for process 2932 (handle 0xa30): 0x00007FF780360000.\n2026-05-28 18:01:58,746 [root] DEBUG: 7912: OpenProcessHandler: Injection info created for process 3672, handle 0xa30: 
C:\\Windows\\System32\\svchost.exe\n2026-05-28 18:01:58,748 [root] DEBUG: 7912: OpenProcessHandler: Image base for process 3672 (handle 0xa30): 0x00007FF780360000.\n2026-05-28 18:01:58,749 [root] DEBUG: 7912: OpenProcessHandler: Injection info created for process 736, handle 0xa30: C:\\Windows\\System32\\svchost.exe\n2026-05-28 18:01:58,750 [root] DEBUG: 7912: OpenProcessHandler: Image base for process 736 (handle 0xa30): 0x00007FF780360000.\n2026-05-28 18:01:58,751 [root] DEBUG: 7912: OpenProcessHandler: Injection info created for process 3068, handle 0xa30: C:\\Windows\\System32\\svchost.exe\n2026-05-28 18:01:58,753 [root] DEBUG: 7912: OpenProcessHandler: Image base for process 3068 (handle 0xa30): 0x00007FF780360000.\n2026-05-28 18:01:58,755 [root] DEBUG: 7912: OpenProcessHandler: Injection info created for process 2672, handle 0xa30: C:\\Windows\\System32\\taskhostw.exe\n2026-05-28 18:01:58,757 [root] DEBUG: 7912: OpenProcessHandler: Image base for process 2672 (handle 0xa30): 0x00007FF77B4D0000.\n2026-05-28 18:01:58,758 [root] DEBUG: 7912: OpenProcessHandler: Injection info created for process 3456, handle 0xa30: C:\\Windows\\System32\\svchost.exe\n2026-05-28 18:01:58,760 [root] DEBUG: 7912: OpenProcessHandler: Image base for process 3456 (handle 0xa30): 0x00007FF780360000.\n2026-05-28 18:01:58,760 [root] DEBUG: 7912: OpenProcessHandler: Injection info created for process 4148, handle 0xa30: C:\\Windows\\System32\\svchost.exe\n2026-05-28 18:01:58,762 [root] DEBUG: 7912: OpenProcessHandler: Image base for process 4148 (handle 0xa30): 0x00007FF780360000.\n2026-05-28 18:01:58,763 [root] DEBUG: 7912: OpenProcessHandler: Injection info created for process 4344, handle 0xa30: C:\\Windows\\System32\\ctfmon.exe\n2026-05-28 18:01:58,766 [root] DEBUG: 7912: OpenProcessHandler: Image base for process 4344 (handle 0xa3c): 0x00007FF7DC490000.\n2026-05-28 18:01:58,766 [root] DEBUG: 7912: OpenProcessHandler: Injection info created for process 4584, handle 0xa3c: 
C:\\Windows\\explorer.exe\n2026-05-28 18:01:58,769 [root] DEBUG: 7912: OpenProcessHandler: Image base for process 4584 (handle 0xa30): 0x00007FF65E010000.\n2026-05-28 18:01:58,772 [root] DEBUG: 7912: OpenProcessHandler: Injection info created for process 4836, handle 0xa30: C:\\Windows\\System32\\svchost.exe\n2026-05-28 18:01:58,774 [root] DEBUG: 7912: OpenProcessHandler: Image base for process 4836 (handle 0x7d4): 0x00007FF780360000.\n2026-05-28 18:01:58,775 [root] DEBUG: 7912: OpenProcessHandler: Injection info created for process 4128, handle 0x7d4: C:\\Windows\\System32\\dllhost.exe\n2026-05-28 18:01:58,779 [root] DEBUG: 7912: OpenProcessHandler: Image base for process 4128 (handle 0xa30): 0x00007FF699DF0000.\n2026-05-28 18:01:58,780 [root] DEBUG: 7912: OpenProcessHandler: Injection info created for process 5176, handle 0xa30: C:\\Windows\\servicing\\TrustedInstaller.exe\n2026-05-28 18:01:58,784 [root] DEBUG: 7912: OpenProcessHandler: Image base for process 5176 (handle 0xa50): 0x00007FF662190000.\n2026-05-28 18:01:58,785 [root] DEBUG: 7912: OpenProcessHandler: Injection info created for process 5320, handle 0xa50: C:\\Windows\\System32\\RuntimeBroker.exe\n2026-05-28 18:01:58,792 [root] DEBUG: 7912: OpenProcessHandler: Image base for process 5320 (handle 0xa50): 0x00007FF77B710000.\n2026-05-28 18:01:58,793 [root] DEBUG: 7912: OpenProcessHandler: Injection info created for process 5416, handle 0xa50: C:\\Windows\\System32\\MoUsoCoreWorker.exe\n2026-05-28 18:01:58,798 [root] DEBUG: 7912: OpenProcessHandler: Image base for process 5416 (handle 0xa38): 0x00007FF68F1D0000.\n2026-05-28 18:01:58,799 [root] DEBUG: 7912: OpenProcessHandler: Injection info created for process 5684, handle 0xa38: C:\\Windows\\System32\\SearchFilterHost.exe\n2026-05-28 18:01:58,802 [root] DEBUG: 7912: OpenProcessHandler: Image base for process 5684 (handle 0xa30): 0x00007FF6EC310000.\n2026-05-28 18:01:58,802 [root] DEBUG: 7912: OpenProcessHandler: Injection info created for process 3120, 
handle 0xa30: C:\\Windows\\System32\\svchost.exe\n2026-05-28 18:01:58,804 [root] DEBUG: 7912: OpenProcessHandler: Injection info created for process 3280, handle 0xa30: C:\\Windows\\System32\\smartscreen.exe\n2026-05-28 18:01:58,808 [root] DEBUG: 7912: OpenProcessHandler: Image base for process 3280 (handle 0x7d4): 0x00007FF7AC790000.\n2026-05-28 18:01:58,809 [root] DEBUG: 7912: OpenProcessHandler: Injection info created for process 3692, handle 0x7d4: C:\\Windows\\System32\\SecurityHealthService.exe\n2026-05-28 18:01:58,813 [root] DEBUG: 7912: OpenProcessHandler: Injection info created for process 6040, handle 0xa50: C:\\Windows\\System32\\conhost.exe\n2026-05-28 18:01:58,816 [root] DEBUG: 7912: OpenProcessHandler: Image base for process 6040 (handle 0xa90): 0x00007FF799880000.\n2026-05-28 18:01:58,816 [root] DEBUG: 7912: OpenProcessHandler: Injection info created for process 5920, handle 0xa90: C:\\Windows\\System32\\svchost.exe\n2026-05-28 18:01:58,819 [root] DEBUG: 7912: OpenProcessHandler: Image base for process 5920 (handle 0xa90): 0x00007FF780360000.\n2026-05-28 18:01:58,820 [root] DEBUG: 7912: OpenProcessHandler: Injection info created for process 3484, handle 0xa90: C:\\Users\\admin\\AppData\\Local\\Discord\\app-1.0.9238\\Discord.exe\n2026-05-28 18:01:58,821 [root] DEBUG: 7912: OpenProcessHandler: Image base for process 3484 (handle 0xa90): 0x00007FF6B1860000.\n2026-05-28 18:01:58,822 [root] DEBUG: 7912: OpenProcessHandler: Injection info created for process 3344, handle 0xa90: C:\\Users\\admin\\AppData\\Local\\Discord\\app-1.0.9238\\Discord.exe\n2026-05-28 18:01:58,823 [root] DEBUG: 7912: OpenProcessHandler: Image base for process 3344 (handle 0xa90): 0x00007FF6B1860000.\n2026-05-28 18:01:58,823 [root] DEBUG: 7912: OpenProcessHandler: Injection info created for process 6236, handle 0xa90: C:\\Users\\admin\\AppData\\Local\\Discord\\app-1.0.9238\\Discord.exe\n2026-05-28 18:01:58,825 [root] DEBUG: 7912: OpenProcessHandler: Image base for process 6236 (handle 
0xa90): 0x00007FF6B1860000.\n2026-05-28 18:01:58,826 [root] DEBUG: 7912: OpenProcessHandler: Injection info created for process 6772, handle 0xa90: C:\\Users\\admin\\AppData\\Local\\Discord\\app-1.0.9238\\Discord.exe\n2026-05-28 18:01:58,827 [root] DEBUG: 7912: OpenProcessHandler: Image base for process 6772 (handle 0xa90): 0x00007FF6B1860000.\n2026-05-28 18:01:58,828 [root] DEBUG: 7912: OpenProcessHandler: Injection info created for process 6580, handle 0xa90: C:\\Program Files (x86)\\Steam\\bin\\cef\\cef.win64\\steamwebhelper.exe\n2026-05-28 18:01:58,829 [root] DEBUG: 7912: OpenProcessHandler: Image base for process 6580 (handle 0xa90): 0x00007FF7D0050000.\n2026-05-28 18:01:58,829 [root] DEBUG: 7912: OpenProcessHandler: Injection info created for process 7052, handle 0xa90: C:\\Program Files (x86)\\Steam\\bin\\cef\\cef.win64\\steamwebhelper.exe\n2026-05-28 18:01:58,830 [root] DEBUG: 7912: OpenProcessHandler: Image base for process 7052 (handle 0xa90): 0x00007FF7D0050000.\n2026-05-28 18:01:58,831 [root] DEBUG: 7912: OpenProcessHandler: Injection info created for process 6320, handle 0xa90: C:\\Program Files (x86)\\Steam\\bin\\cef\\cef.win64\\steamwebhelper.exe\n2026-05-28 18:01:58,832 [root] DEBUG: 7912: OpenProcessHandler: Image base for process 6320 (handle 0xa90): 0x00007FF7D0050000.\n2026-05-28 18:01:58,833 [root] DEBUG: 7912: OpenProcessHandler: Injection info created for process 7956, handle 0xa90: C:\\Windows\\System32\\svchost.exe\n2026-05-28 18:01:58,835 [root] DEBUG: 7912: OpenProcessHandler: Image base for process 7956 (handle 0xa90): 0x00007FF780360000.\n2026-05-28 18:01:58,836 [root] DEBUG: 7912: OpenProcessHandler: Injection info created for process 4576, handle 0xa90: C:\\Program Files (x86)\\Steam\\bin\\cef\\cef.win64\\steamwebhelper.exe\n2026-05-28 18:01:58,837 [root] DEBUG: 7912: OpenProcessHandler: Image base for process 4576 (handle 0xa90): 0x00007FF7D0050000.\n2026-05-28 18:01:58,838 [root] DEBUG: 7912: OpenProcessHandler: Injection info 
created for process 1084, handle 0xa90: C:\\Program Files\\WindowsApps\\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\\WinStore.App.exe\n2026-05-28 18:01:58,847 [root] DEBUG: 7912: DLL loaded at 0x00007FFC6E250000: C:\\Windows\\SYSTEM32\\AppxDeploymentClient (0x102000 bytes).\n2026-05-28 18:01:58,860 [root] DEBUG: 7912: DLL loaded at 0x00007FFC6E250000: C:\\Windows\\SYSTEM32\\AppxDeploymentClient (0x102000 bytes).\n2026-05-28 18:01:58,871 [root] DEBUG: 7912: OpenProcessHandler: Image base for process 1084 (handle 0x7d4): 0x00007FF69C720000.\n2026-05-28 18:01:58,872 [root] DEBUG: 7912: OpenProcessHandler: Injection info created for process 7444, handle 0x7d4: C:\\Windows\\System32\\RuntimeBroker.exe\n2026-05-28 18:01:58,877 [root] DEBUG: 7912: OpenProcessHandler: Image base for process 7444 (handle 0x7d4): 0x00007FF77B710000.\n2026-05-28 18:01:58,881 [root] DEBUG: 7912: OpenProcessHandler: Injection info created for process 2904, handle 0xa98: C:\\Windows\\System32\\net.exe\n2026-05-28 18:01:58,884 [root] DEBUG: 7912: OpenProcessHandler: Image base for process 2904 (handle 0xa94): 0x00007FF7EC240000.\n2026-05-28 18:01:58,884 [root] DEBUG: 7912: OpenProcessHandler: Injection info created for process 1016, handle 0xa94: C:\\Windows\\System32\\net1.exe\n2026-05-28 18:01:58,888 [root] DEBUG: 7912: OpenProcessHandler: Image base for process 1016 (handle 0xa94): 0x00007FF6BAB80000.\n2026-05-28 18:01:58,889 [root] DEBUG: 7912: OpenProcessHandler: Injection info created for process 8196, handle 0xa94: C:\\Windows\\System32\\svchost.exe\n2026-05-28 18:01:58,891 [root] DEBUG: 7912: OpenProcessHandler: Image base for process 8196 (handle 0xa94): 0x00007FF780360000.\n2026-05-28 18:01:59,860 [root] DEBUG: 7912: DLL loaded at 0x00007FFC50D30000: C:\\Windows\\WinSxS\\amd64_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.19041.3636_none_91a19322cc8a92a3\\gdiplus (0x1a5000 bytes).\n2026-05-28 18:01:59,861 [root] DEBUG: 7912: DLL loaded at 0x00007FFC63C20000: 
C:\\Windows\\system32\\CHARTV (0x25000 bytes).\n2026-05-28 18:01:59,869 [root] DEBUG: package modules.packages.edge does not support configure, ignoring\n2026-05-28 18:01:59,870 [root] WARNING: configuration error for package modules.packages.edge: error importing data.packages.edge: No module named 'data.packages'\n2026-05-28 18:01:59,871 [lib.core.compound] INFO: C:\\Users\\admin\\AppData\\Local\\Temp already exists, skipping creation\n2026-05-28 18:01:59,874 [lib.api.process] INFO: Successfully executed process from path \"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe\" with arguments \"\"https://sugarcraft.net/\"\" with pid 9188\n2026-05-28 18:01:59,875 [lib.api.process] INFO: Monitor config for process 9188: C:\\_a4sjgfa\\dll\\9188.ini\n2026-05-28 18:01:59,877 [lib.api.process] INFO: Option 'interactive' with value '1' sent to monitor\n2026-05-28 18:01:59,879 [lib.api.process] INFO: 64-bit DLL to inject is C:\\_a4sjgfa\\dll\\tHnPbxs.dll, loader C:\\_a4sjgfa\\bin\\GGsGuLID.exe\n2026-05-28 18:01:59,885 [root] DEBUG: Loader: Injecting process 9188 (thread 9192) with C:\\_a4sjgfa\\dll\\tHnPbxs.dll.\n2026-05-28 18:01:59,886 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.\n2026-05-28 18:01:59,886 [root] DEBUG: Successfully injected DLL C:\\_a4sjgfa\\dll\\tHnPbxs.dll.\n2026-05-28 18:01:59,889 [lib.api.process] INFO: Injected into 64-bit <Process 9188 msedge.exe>\n2026-05-28 18:02:00,368 [root] DEBUG: 7912: OpenProcessHandler: Injection info created for process 9188, handle 0xa9c: C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe\n2026-05-28 18:02:00,371 [root] DEBUG: 7912: OpenProcessHandler: Image base for process 9188 (handle 0xa84): 0x00007FF734750000.\n2026-05-28 18:02:01,899 [lib.api.process] INFO: Successfully resumed process with pid 9188\n2026-05-28 18:02:01,979 [root] DEBUG: 9188: Python path set to 'C:\\Users\\admin\\AppData\\Local\\Python\\pythoncore-3.14-64'.\n2026-05-28 18:02:01,980 [root] DEBUG: 9188: 
Interactive desktop enabled.\n2026-05-28 18:02:01,980 [root] DEBUG: 9188: Dropped file limit defaulting to 100.\n2026-05-28 18:02:01,989 [root] DEBUG: 9188: Edge-specific hook-set enabled.\n2026-05-28 18:02:01,991 [root] DEBUG: 9188: Disabling sleep skipping.\n2026-05-28 18:02:01,992 [root] DEBUG: 9188: YaraInit: Compiled rules loaded from existing file C:\\_a4sjgfa\\data\\yara\\capemon.yac\n2026-05-28 18:02:02,003 [root] DEBUG: 9188: RtlInsertInvertedFunctionTable 0x00007FFC77FE090E, LdrpInvertedFunctionTableSRWLock 0x00007FFC7813D4F0\n2026-05-28 18:02:02,003 [root] DEBUG: 9188: Monitor initialised: 64-bit capemon loaded in process 9188 at 0x00007FFC33AB0000, thread 9192, image base 0x00007FF734750000, stack from 0x000000C8193F4000-0x000000C819400000\n2026-05-28 18:02:02,004 [root] DEBUG: 9188: Commandline: \"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe\" \"https://sugarcraft.net/\"\n2026-05-28 18:02:02,015 [root] DEBUG: 9188: Hooked 2 out of 2 functions\n2026-05-28 18:02:02,051 [root] DEBUG: 9188: Syscall hook installed, syscall logging level 1\n2026-05-28 18:02:02,057 [root] DEBUG: 9188: RestoreHeaders: Restored original import table.\n2026-05-28 18:02:02,057 [root] INFO: Loaded monitor into process with pid 9188\n2026-05-28 18:02:02,059 [root] DEBUG: 9188: DLL loaded at 0x00007FFC75FA0000: C:\\Windows\\System32\\bcryptprimitives (0x82000 bytes).\n2026-05-28 18:02:02,064 [root] DEBUG: 9188: DLL loaded at 0x00007FFC63BA0000: C:\\Windows\\SYSTEM32\\version (0xa000 bytes).\n2026-05-28 18:02:02,068 [root] DEBUG: 9188: DLL loaded at 0x00007FFC775B0000: C:\\Windows\\System32\\shcore (0xad000 bytes).\n2026-05-28 18:02:02,070 [root] DEBUG: 9188: DLL loaded at 0x00007FFC75020000: C:\\Windows\\SYSTEM32\\Wldp (0x2d000 bytes).\n2026-05-28 18:02:02,070 [root] DEBUG: 9188: DLL loaded at 0x00007FFC73790000: C:\\Windows\\SYSTEM32\\windows.storage (0x79b000 bytes).\n2026-05-28 18:02:02,071 [root] DEBUG: 9188: DLL loaded at 0x00007FFC775B0000: 
C:\\Windows\\System32\\SHCORE (0xad000 bytes).\n2026-05-28 18:02:02,072 [root] DEBUG: 9188: DLL loaded at 0x00007FFC747F0000: C:\\Windows\\SYSTEM32\\ntmarta (0x33000 bytes).\n2026-05-28 18:02:02,216 [root] DEBUG: 9188: DLL loaded at 0x00007FFC5CA40000: C:\\Windows\\SYSTEM32\\WINMM (0x27000 bytes).\n2026-05-28 18:02:02,217 [root] DEBUG: 9188: DLL loaded at 0x00007FFC1E940000: C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\148.0.3967.83\\msedge (0x136be000 bytes).\n2026-05-28 18:02:02,219 [root] DEBUG: 9188: DLL loaded at 0x00007FFC620A0000: C:\\Windows\\SYSTEM32\\KBDUS (0x9000 bytes).\n2026-05-28 18:02:02,221 [root] DEBUG: 9188: DLL loaded at 0x00007FFC730A0000: C:\\Windows\\system32\\uxtheme (0x9e000 bytes).\n2026-05-28 18:02:02,226 [root] DEBUG: 9188: DLL loaded at 0x00007FFC734B0000: C:\\Windows\\SYSTEM32\\kernel.appcore (0x12000 bytes).\n2026-05-28 18:02:02,226 [root] DEBUG: 9188: CreateProcessHandler: Injection info set for new process 9204: C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe, ImageBase: 0x00007FF734750000\n2026-05-28 18:02:02,227 [root] DEBUG: 9188: ProcessMessage: Skipping monitoring process 9204\n2026-05-28 18:02:02,228 [root] DEBUG: 9188: DLL loaded at 0x00007FFC765F0000: C:\\Windows\\System32\\clbcatq (0xa9000 bytes).\n2026-05-28 18:02:02,228 [root] DEBUG: 9188: ProcessMessage: Skipping monitoring process 9204\n2026-05-28 18:02:02,229 [root] DEBUG: 9188: DLL loaded at 0x00007FFC6AA20000: C:\\Windows\\System32\\Windows.System.Profile.PlatformDiagnosticsAndUsageDataSettings (0x16000 bytes).\n2026-05-28 18:02:02,230 [root] DEBUG: 9188: DLL loaded at 0x00007FFC74740000: C:\\Windows\\SYSTEM32\\msvcp110_win (0x8a000 bytes).\n2026-05-28 18:02:02,231 [root] DEBUG: 9188: DLL loaded at 0x00007FFC6FCE0000: C:\\Windows\\SYSTEM32\\policymanager (0xa1000 bytes).\n2026-05-28 18:02:02,235 [root] DEBUG: 9188: DLL loaded at 0x00007FFC75560000: C:\\Windows\\SYSTEM32\\USERENV (0x2e000 bytes).\n2026-05-28 18:02:02,236 [root] DEBUG: 9188: 
DLL loaded at 0x00007FFC73F40000: C:\\Windows\\SYSTEM32\\gpapi (0x23000 bytes).\n2026-05-28 18:02:02,237 [root] DEBUG: 9188: DLL loaded at 0x00007FFC747D0000: C:\\Windows\\SYSTEM32\\wkscli (0x19000 bytes).\n2026-05-28 18:02:02,238 [root] DEBUG: 9188: DLL loaded at 0x00007FFC74B80000: C:\\Windows\\SYSTEM32\\netutils (0xc000 bytes).\n2026-05-28 18:02:02,240 [root] DEBUG: 9188: DLL loaded at 0x00007FFC74740000: C:\\Windows\\SYSTEM32\\msvcp110_win (0x8a000 bytes).\n2026-05-28 18:02:02,241 [root] DEBUG: 9188: DLL loaded at 0x00007FFC5FA20000: C:\\Windows\\SYSTEM32\\MDMRegistration (0x68000 bytes).\n2026-05-28 18:02:02,243 [root] DEBUG: 9188: DLL loaded at 0x00007FFC75460000: C:\\Windows\\SYSTEM32\\powrprof (0x4b000 bytes).\n2026-05-28 18:02:02,243 [root] DEBUG: 9188: DLL loaded at 0x00007FFC74F70000: C:\\Windows\\SYSTEM32\\CRYPTSP (0x18000 bytes).\n2026-05-28 18:02:02,244 [root] DEBUG: 9188: DLL loaded at 0x00007FFC75090000: C:\\Windows\\SYSTEM32\\ncrypt (0x27000 bytes).\n2026-05-28 18:02:02,245 [root] DEBUG: 9188: DLL loaded at 0x00007FFC77F00000: C:\\Windows\\System32\\imagehlp (0x1d000 bytes).\n2026-05-28 18:02:02,245 [root] DEBUG: 9188: DLL loaded at 0x00007FFC6DA10000: C:\\Windows\\SYSTEM32\\tbs (0x1b000 bytes).\n2026-05-28 18:02:02,246 [root] DEBUG: 9188: DLL loaded at 0x00007FFC5B690000: C:\\Windows\\SYSTEM32\\DMCmnUtils (0x7c000 bytes).\n2026-05-28 18:02:02,246 [root] DEBUG: 9188: DLL loaded at 0x00007FFC63BE0000: C:\\Windows\\SYSTEM32\\omadmapi (0x3a000 bytes).\n2026-05-28 18:02:02,247 [root] DEBUG: 9188: DLL loaded at 0x00007FFC75440000: C:\\Windows\\SYSTEM32\\UMPDC (0x12000 bytes).\n2026-05-28 18:02:02,247 [root] DEBUG: 9188: DLL loaded at 0x00007FFC75050000: C:\\Windows\\SYSTEM32\\NTASN1 (0x3b000 bytes).\n2026-05-28 18:02:02,249 [root] DEBUG: 9188: DLL loaded at 0x00007FFC6C4D0000: C:\\Windows\\SYSTEM32\\netapi32 (0x19000 bytes).\n2026-05-28 18:02:02,250 [root] DEBUG: 9188: DLL loaded at 0x00007FFC74740000: C:\\Windows\\SYSTEM32\\msvcp110_win (0x8a000 
bytes).\n2026-05-28 18:02:02,250 [root] DEBUG: 9188: DLL loaded at 0x00007FFC74F70000: C:\\Windows\\SYSTEM32\\cryptsp (0x18000 bytes).\n2026-05-28 18:02:02,251 [root] DEBUG: 9188: DLL loaded at 0x00007FFC72B70000: C:\\Windows\\SYSTEM32\\DSREG (0x141000 bytes).\n2026-05-28 18:02:02,252 [root] DEBUG: 9188: DLL loaded at 0x00007FFC755E0000: C:\\Windows\\SYSTEM32\\profapi (0x25000 bytes).\n2026-05-28 18:02:02,259 [root] DEBUG: 9188: DLL loaded at 0x00007FFC77400000: C:\\Windows\\System32\\MSCTF (0x114000 bytes).\n2026-05-28 18:02:02,261 [root] DEBUG: 9188: DLL loaded at 0x00007FFC6A9C0000: C:\\Windows\\System32\\AssignedAccessRuntime (0x14000 bytes).\n2026-05-28 18:02:02,261 [root] DEBUG: 9188: DLL loaded at 0x00007FFC75460000: C:\\Windows\\SYSTEM32\\powrprof (0x4b000 bytes).\n2026-05-28 18:02:02,262 [root] DEBUG: 9188: DLL loaded at 0x00007FFC75440000: C:\\Windows\\SYSTEM32\\UMPDC (0x12000 bytes).\n2026-05-28 18:02:02,263 [root] DEBUG: 9188: DLL loaded at 0x00007FFC6BCE0000: C:\\Windows\\System32\\SystemSettings.DataModel (0x74000 bytes).\n2026-05-28 18:02:02,264 [root] DEBUG: 9188: DLL loaded at 0x00007FFC69960000: C:\\Windows\\SYSTEM32\\DWrite (0x27f000 bytes).\n2026-05-28 18:02:02,267 [root] DEBUG: 9188: DLL loaded at 0x00007FFC61E00000: C:\\Windows\\WinSxS\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.19041.3636_none_60b6a03d71f818d5\\COMCTL32 (0x29a000 bytes).\n2026-05-28 18:02:02,268 [root] DEBUG: 9188: DLL loaded at 0x00007FFC75430000: C:\\Windows\\SYSTEM32\\DPAPI (0xa000 bytes).\n2026-05-28 18:02:02,269 [root] DEBUG: 9188: DLL loaded at 0x00007FFC6F400000: C:\\Windows\\System32\\OneCoreUAPCommonProxyStub (0x7d0000 bytes).\n2026-05-28 18:02:02,270 [root] DEBUG: 9188: DLL loaded at 0x00007FFC74A70000: C:\\Windows\\SYSTEM32\\IPHLPAPI (0x3b000 bytes).\n2026-05-28 18:02:02,271 [root] DEBUG: 9188: DLL loaded at 0x00007FFC70B80000: C:\\Windows\\system32\\NLAapi (0x1d000 bytes).\n2026-05-28 18:02:02,272 [root] DEBUG: 9188: DLL loaded at 
0x00007FFC771D0000: C:\\Windows\\System32\\NSI (0x8000 bytes).\n2026-05-28 18:02:02,274 [root] DEBUG: 9188: DLL loaded at 0x00007FFC6E0C0000: C:\\Windows\\SYSTEM32\\dhcpcsvc6 (0x17000 bytes).\n2026-05-28 18:02:02,274 [root] DEBUG: 9188: DLL loaded at 0x00007FFC75F50000: C:\\Windows\\System32\\CFGMGR32 (0x4e000 bytes).\n2026-05-28 18:02:02,275 [root] DEBUG: 9188: DLL loaded at 0x00007FFC6BA50000: C:\\Windows\\System32\\StructuredQuery (0xa6000 bytes).\n2026-05-28 18:02:02,276 [root] DEBUG: 9188: DLL loaded at 0x00007FFC6E0A0000: C:\\Windows\\SYSTEM32\\dhcpcsvc (0x1d000 bytes).\n2026-05-28 18:02:02,277 [root] DEBUG: 9188: DLL loaded at 0x00007FFC728F0000: C:\\Windows\\SYSTEM32\\PROPSYS (0xf6000 bytes).\n2026-05-28 18:02:02,278 [root] DEBUG: 9188: DLL loaded at 0x00007FFC74AB0000: C:\\Windows\\SYSTEM32\\DNSAPI (0xca000 bytes).\n2026-05-28 18:02:02,280 [root] DEBUG: 9188: DLL loaded at 0x00007FFC665A0000: C:\\Windows\\System32\\Windows.StateRepositoryPS (0x146000 bytes).\n2026-05-28 18:02:02,282 [root] DEBUG: 9188: DLL loaded at 0x00007FFC729F0000: C:\\Windows\\System32\\CoreMessaging (0xf2000 bytes).\n2026-05-28 18:02:02,283 [root] DEBUG: 9188: DLL loaded at 0x00007FFC71EC0000: C:\\Windows\\SYSTEM32\\wintypes (0x155000 bytes).\n2026-05-28 18:02:02,284 [root] DEBUG: 9188: DLL loaded at 0x00007FFC72590000: C:\\Windows\\System32\\CoreUIComponents (0x35b000 bytes).\n2026-05-28 18:02:02,285 [root] DEBUG: 9188: DLL loaded at 0x00007FFC69D70000: C:\\Windows\\SYSTEM32\\textinputframework (0xf9000 bytes).\n2026-05-28 18:02:02,289 [root] DEBUG: 9188: DLL loaded at 0x00007FFC664D0000: C:\\Windows\\system32\\Windows.Storage.Search (0xc6000 bytes).\n2026-05-28 18:02:02,290 [root] DEBUG: 9188: DLL loaded at 0x00007FFC6FF20000: C:\\Windows\\System32\\twinapi.appcore (0x203000 bytes).\n2026-05-28 18:02:02,292 [root] DEBUG: 9188: DLL loaded at 0x00007FFC60C70000: C:\\Windows\\system32\\twinapi (0xa9000 bytes).\n2026-05-28 18:02:02,294 [root] DEBUG: 9188: DLL loaded at 
0x00007FFC65B50000: C:\\Windows\\system32\\mssprxy (0x28000 bytes).\n2026-05-28 18:02:02,295 [root] DEBUG: 9188: DLL loaded at 0x00007FFC6ED50000: C:\\Windows\\SYSTEM32\\wevtapi (0x65000 bytes).\n2026-05-28 18:02:02,298 [root] DEBUG: 9188: DLL loaded at 0x00007FFC70130000: C:\\Windows\\System32\\WindowManagementAPI (0xa1000 bytes).\n2026-05-28 18:02:02,298 [root] DEBUG: 9188: DLL loaded at 0x00007FFC69E70000: C:\\Windows\\System32\\InputHost (0x152000 bytes).\n2026-05-28 18:02:02,299 [root] DEBUG: 9188: DLL loaded at 0x00007FFC69FD0000: C:\\Windows\\System32\\Windows.UI (0x141000 bytes).\n2026-05-28 18:02:02,300 [root] DEBUG: 9188: DLL loaded at 0x00007FFC650F0000: C:\\Windows\\SYSTEM32\\edputil (0x24000 bytes).\n2026-05-28 18:02:02,314 [root] DEBUG: 9188: DLL loaded at 0x00007FFC72B20000: C:\\Windows\\SYSTEM32\\WTSAPI32 (0x14000 bytes).\n2026-05-28 18:02:02,316 [root] DEBUG: 9188: DLL loaded at 0x00007FFC75370000: C:\\Windows\\SYSTEM32\\WINSTA (0x5b000 bytes).\n2026-05-28 18:02:02,320 [root] DEBUG: 9188: DLL loaded at 0x00007FFC6FD90000: C:\\Windows\\SYSTEM32\\ColorAdapterClient (0x11000 bytes).\n2026-05-28 18:02:02,320 [root] DEBUG: 9188: DLL loaded at 0x00007FFC6FDB0000: C:\\Windows\\SYSTEM32\\mscms (0xae000 bytes).\n2026-05-28 18:02:02,323 [root] DEBUG: 9188: DLL loaded at 0x00007FFC707B0000: C:\\Windows\\SYSTEM32\\WINHTTP (0x10a000 bytes).\n2026-05-28 18:02:02,325 [root] INFO: Announced starting service \"b'MicrosoftEdgeElevationService'\"\n2026-05-28 18:02:02,325 [lib.api.process] INFO: Monitor config for process 592: C:\\_a4sjgfa\\dll\\592.ini\n2026-05-28 18:02:02,326 [lib.api.process] INFO: Option 'interactive' with value '1' sent to monitor\n2026-05-28 18:02:02,327 [lib.api.process] INFO: 64-bit DLL to inject is C:\\_a4sjgfa\\dll\\tHnPbxs.dll, loader C:\\_a4sjgfa\\bin\\GGsGuLID.exe\n2026-05-28 18:02:02,332 [root] DEBUG: Loader: Injecting process 592 with C:\\_a4sjgfa\\dll\\tHnPbxs.dll.\n2026-05-28 18:02:02,332 [root] DEBUG: 9188: DLL loaded at 
0x00007FFC1E370000: C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\148.0.3967.83\\oneauth (0x5c4000 bytes).\n2026-05-28 18:02:02,334 [root] DEBUG: Loader: Copied config file C:\\_a4sjgfa\\dll\\592.ini to system path C:\\592.ini\n2026-05-28 18:02:02,337 [root] DEBUG: Loader: Unable to open process, launched: PPLinject64.exe 592 C:\\_a4sjgfa\\dll\\tHnPbxs.dll\n2026-05-28 18:02:02,338 [root] DEBUG: Successfully injected DLL C:\\_a4sjgfa\\dll\\tHnPbxs.dll.\n2026-05-28 18:02:02,341 [lib.api.process] INFO: Injected into 64-bit <Process 592 services.exe>\n2026-05-28 18:02:02,345 [root] DEBUG: 9188: DLL loaded at 0x00007FFC68DC0000: C:\\Windows\\SYSTEM32\\Secur32 (0xc000 bytes).\n2026-05-28 18:02:02,350 [root] DEBUG: 9188: DLL loaded at 0x00007FFC6B370000: C:\\Windows\\System32\\iertutil (0x2bc000 bytes).\n2026-05-28 18:02:02,354 [root] DEBUG: 9188: CreateProcessHandler: Injection info set for new process 9660: C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe, ImageBase: 0x00007FF734750000\n2026-05-28 18:02:02,355 [root] DEBUG: 9188: DLL loaded at 0x00007FFC65020000: C:\\Windows\\System32\\Windows.Web (0xc3000 bytes).\n2026-05-28 18:02:02,361 [root] DEBUG: 9188: ProcessMessage: Skipping monitoring process 9660\n2026-05-28 18:02:02,368 [root] DEBUG: 9188: DLL loaded at 0x00007FFC69BE0000: C:\\Windows\\System32\\Windows.UI.Immersive (0x139000 bytes).\n2026-05-28 18:02:02,370 [root] DEBUG: 9188: caller_dispatch: Added region at 0x00007FF734750000 to tracked regions list (kernel32::CreateProcessInternalW returns to 0x00007FF734847D66, thread 9472).\n2026-05-28 18:02:02,421 [root] DEBUG: 9188: ProcessMessage: Skipping monitoring process 9660\n2026-05-28 18:02:02,435 [root] DEBUG: 9188: ProcessImageBase: Main module image at 0x00007FF734750000 unmodified (entropy change 0.000000e+00)\n2026-05-28 18:02:02,437 [root] DEBUG: 7912: OpenProcessHandler: Injection info created for process 9204, handle 0xa88: C:\\Program Files 
(x86)\\Microsoft\\Edge\\Application\\msedge.exe\n2026-05-28 18:02:02,437 [root] DEBUG: 9188: DLL loaded at 0x00007FFC5E640000: C:\\Windows\\SYSTEM32\\LINKINFO (0xd000 bytes).\n2026-05-28 18:02:02,440 [root] DEBUG: 9188: CreateProcessHandler: Injection info set for new process 9744: C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe, ImageBase: 0x00007FF734750000\n2026-05-28 18:02:02,472 [root] DEBUG: 9188: CreateProcessHandler: Injection info set for new process 9756: C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe, ImageBase: 0x00007FF734750000\n2026-05-28 18:02:02,473 [root] DEBUG: 9188: DLL loaded at 0x00007FFC73F70000: C:\\Windows\\system32\\dxgi (0xf3000 bytes).\n2026-05-28 18:02:02,478 [root] DEBUG: 9188: ProcessMessage: Skipping monitoring process 9744\n2026-05-28 18:02:02,479 [root] DEBUG: 7912: OpenProcessHandler: Image base for process 9204 (handle 0xa88): 0x00007FF734750000.\n2026-05-28 18:02:02,480 [root] DEBUG: 9188: DLL loaded at 0x00007FFC71690000: C:\\Windows\\system32\\d3d11 (0x263000 bytes).\n2026-05-28 18:02:02,481 [root] DEBUG: 7912: OpenProcessHandler: Injection info created for process 9616, handle 0xa88: C:\\_a4sjgfa\\bin\\PPLinject64.exe\n2026-05-28 18:02:02,481 [root] DEBUG: 9188: ProcessMessage: Skipping monitoring process 9744\n2026-05-28 18:02:02,482 [root] DEBUG: 9188: DLL loaded at 0x00007FFC72020000: C:\\Windows\\system32\\dcomp (0x1e3000 bytes).\n2026-05-28 18:02:02,483 [root] DEBUG: 9188: ProcessMessage: Skipping monitoring process 9756\n2026-05-28 18:02:02,484 [root] DEBUG: 9188: ProcessMessage: Skipping monitoring process 9756\n2026-05-28 18:02:02,490 [root] DEBUG: 9188: DLL loaded at 0x00007FFC5F830000: C:\\Windows\\system32\\dataexchange (0x3e000 bytes).\n2026-05-28 18:02:02,602 [root] DEBUG: 7912: OpenProcessHandler: Image base for process 9616 (handle 0xaa4): 0x00007FF668FE0000.\n2026-05-28 18:02:02,612 [root] DEBUG: 9188: DLL loaded at 0x00007FFC63BF0000: 
C:\\Windows\\System32\\Windows.System.Profile.RetailInfo (0x28000 bytes).\n2026-05-28 18:02:02,621 [root] DEBUG: 7912: OpenProcessHandler: Injection info created for process 9632, handle 0xaa4: C:\\Windows\\System32\\conhost.exe\n2026-05-28 18:02:02,624 [root] DEBUG: 9188: CreateProcessHandler: Injection info set for new process 10004: C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe, ImageBase: 0x00007FF734750000\n2026-05-28 18:02:02,624 [root] DEBUG: 9188: CreateProcessHandler: Injection info set for new process 9972: C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe, ImageBase: 0x00007FF734750000\n2026-05-28 18:02:02,625 [root] DEBUG: 9188: ProcessMessage: Skipping monitoring process 10004\n2026-05-28 18:02:02,626 [root] DEBUG: 9188: ProcessMessage: Skipping monitoring process 9972\n2026-05-28 18:02:02,627 [root] DEBUG: 9188: ProcessMessage: Skipping monitoring process 10004\n2026-05-28 18:02:02,627 [root] DEBUG: 7912: OpenProcessHandler: Image base for process 9632 (handle 0xaa4): 0x00007FF799880000.\n2026-05-28 18:02:02,628 [root] DEBUG: 9188: ProcessMessage: Skipping monitoring process 9972\n2026-05-28 18:02:02,629 [root] DEBUG: 7912: OpenProcessHandler: Injection info created for process 9660, handle 0xaa4: C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe\n2026-05-28 18:02:02,642 [root] DEBUG: 7912: OpenProcessHandler: Image base for process 9660 (handle 0xaa4): 0x00007FF734750000.\n2026-05-28 18:02:02,649 [root] DEBUG: 9188: DLL loaded at 0x00007FFC5F9A0000: C:\\Windows\\SYSTEM32\\OLEACC (0x66000 bytes).\n2026-05-28 18:02:02,672 [root] DEBUG: 9188: DLL loaded at 0x00007FFC67700000: C:\\Windows\\system32\\directmanipulation (0x9d000 bytes).\n2026-05-28 18:02:02,752 [root] DEBUG: 9188: DLL loaded at 0x00007FFC73480000: C:\\Windows\\SYSTEM32\\dwmapi (0x2f000 bytes).\n2026-05-28 18:02:02,824 [root] DEBUG: 9188: DLL loaded at 0x00007FFC751B0000: C:\\Windows\\SYSTEM32\\MSASN1 (0x12000 bytes).\n2026-05-28 
18:02:02,853 [root] DEBUG: 9188: DLL loaded at 0x00007FFC1A480000: C:\\Users\\admin\\AppData\\Local\\Microsoft\\Edge\\User Data\\Well Known Domains\\1.2.0.0\\well_known_domains (0x9e000 bytes).\n2026-05-28 18:02:02,870 [root] DEBUG: 9188: DLL loaded at 0x00007FFC74F70000: C:\\Windows\\SYSTEM32\\CRYPTSP (0x18000 bytes).\n2026-05-28 18:02:02,873 [root] DEBUG: 9188: DLL loaded at 0x00007FFC746B0000: C:\\Windows\\system32\\rsaenh (0x34000 bytes).\n2026-05-28 18:02:02,883 [root] DEBUG: 9188: DLL loaded at 0x00007FFC63280000: C:\\Windows\\System32\\Windows.Security.Authentication.Web.Core (0x11d000 bytes).\n2026-05-28 18:02:02,887 [root] DEBUG: 9188: DLL loaded at 0x00007FFC66790000: C:\\Windows\\System32\\OneCoreCommonProxyStub (0x7f000 bytes).\n2026-05-28 18:02:02,889 [root] DEBUG: 9188: DLL loaded at 0x00007FFC5E650000: C:\\Windows\\System32\\vaultcli (0x51000 bytes).\n2026-05-28 18:02:02,914 [root] DEBUG: 9188: DLL loaded at 0x00007FFC1A3F0000: C:\\Windows\\System32\\MicrosoftAccountWAMExtension (0x8c000 bytes).\n2026-05-28 18:02:03,376 [root] DEBUG: 7912: OpenProcessHandler: Injection info created for process 9744, handle 0xaa8: C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe\n2026-05-28 18:02:03,379 [root] DEBUG: 7912: OpenProcessHandler: Image base for process 9744 (handle 0xaa8): 0x00007FF734750000.\n2026-05-28 18:02:03,380 [root] DEBUG: 7912: OpenProcessHandler: Injection info created for process 9756, handle 0xaa8: C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe\n2026-05-28 18:02:03,384 [root] DEBUG: 7912: OpenProcessHandler: Image base for process 9756 (handle 0xaa8): 0x00007FF734750000.\n2026-05-28 18:02:03,386 [root] DEBUG: 7912: OpenProcessHandler: Injection info created for process 9972, handle 0xaa8: C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe\n2026-05-28 18:02:03,388 [root] DEBUG: 7912: OpenProcessHandler: Image base for process 9972 (handle 0xab0): 0x00007FF734750000.\n2026-05-28 18:02:03,388 
[root] DEBUG: 7912: OpenProcessHandler: Injection info created for process 10004, handle 0xab0: C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe\n2026-05-28 18:02:03,390 [root] DEBUG: 7912: OpenProcessHandler: Image base for process 10004 (handle 0xab0): 0x00007FF734750000.\n2026-05-28 18:02:04,232 [root] DEBUG: 9188: DLL loaded at 0x00007FFC74740000: C:\\Windows\\SYSTEM32\\msvcp110_win (0x8a000 bytes).\n2026-05-28 18:02:04,234 [root] DEBUG: 9188: DLL loaded at 0x00007FFC6FCE0000: C:\\Windows\\SYSTEM32\\policymanager (0xa1000 bytes).\n2026-05-28 18:02:05,391 [root] DEBUG: 9188: DLL loaded at 0x00007FFC754B0000: C:\\Windows\\SYSTEM32\\sxs (0xa2000 bytes).\n2026-05-28 18:02:05,402 [root] DEBUG: 9188: DLL loaded at 0x00007FFC70650000: C:\\Windows\\SYSTEM32\\usermgrcli (0x16000 bytes).\n2026-05-28 18:02:05,403 [root] DEBUG: 9188: DLL loaded at 0x00007FFC5D4D0000: C:\\Windows\\System32\\Windows.Internal.UI.Shell.WindowTabManager (0x6d000 bytes).\n2026-05-28 18:02:06,624 [root] DEBUG: 9188: DLL loaded at 0x00007FFC5CAE0000: C:\\Windows\\System32\\ShellCommonCommonProxyStub (0xe4000 bytes).\n2026-05-28 18:02:09,177 [root] DEBUG: 9188: CreateProcessHandler: Injection info set for new process 10420: C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe, ImageBase: 0x00007FF734750000\n2026-05-28 18:02:09,178 [root] DEBUG: 9188: ProcessMessage: Skipping monitoring process 10420\n2026-05-28 18:02:09,180 [root] DEBUG: 9188: ProcessMessage: Skipping monitoring process 10420\n2026-05-28 18:02:09,389 [root] DEBUG: 7912: OpenProcessHandler: Injection info created for process 10420, handle 0xa84: C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe\n2026-05-28 18:02:09,400 [root] DEBUG: 7912: OpenProcessHandler: Image base for process 10420 (handle 0xa84): 0x00007FF734750000.\n2026-05-28 18:02:10,390 [root] DEBUG: 9188: DLL loaded at 0x00007FFC77700000: C:\\Windows\\System32\\SETUPAPI (0x46e000 bytes).\n2026-05-28 18:02:10,392 [root] DEBUG: 
9188: DLL loaded at 0x00007FFC70770000: C:\\Windows\\System32\\netprofm (0x3f000 bytes).\n2026-05-28 18:02:10,393 [root] DEBUG: 9188: DLL loaded at 0x00007FFC753D0000: C:\\Windows\\SYSTEM32\\DEVOBJ (0x33000 bytes).\n2026-05-28 18:02:10,394 [root] DEBUG: 9188: DLL loaded at 0x00007FFC75EE0000: C:\\Windows\\System32\\WINTRUST (0x67000 bytes).\n2026-05-28 18:02:10,395 [root] DEBUG: 9188: DLL loaded at 0x00007FFC6CEE0000: C:\\Windows\\System32\\npmproxy (0x10000 bytes).\n2026-05-28 18:02:10,450 [root] DEBUG: 9188: CreateProcessHandler: Injection info set for new process 10532: C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe, ImageBase: 0x00007FF734750000\n2026-05-28 18:02:10,452 [root] DEBUG: 9188: ProcessMessage: Skipping monitoring process 10532\n2026-05-28 18:02:10,454 [root] DEBUG: 9188: ProcessMessage: Skipping monitoring process 10532\n2026-05-28 18:02:10,472 [root] DEBUG: 9188: DLL loaded at 0x00007FFC1A000000: C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\148.0.3967.83\\telclient (0x3ed000 bytes).\n2026-05-28 18:02:10,533 [root] DEBUG: 9188: DLL loaded at 0x00007FFC199A0000: C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\148.0.3967.83\\oneds (0x33f000 bytes).\n2026-05-28 18:02:10,558 [root] DEBUG: 9188: DLL loaded at 0x00007FFC1CB70000: C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\148.0.3967.83\\ffmpeg (0x467000 bytes).\n2026-05-28 18:02:10,561 [root] DEBUG: 9188: DLL loaded at 0x00007FFC742D0000: C:\\Windows\\System32\\FirewallAPI (0x96000 bytes).\n2026-05-28 18:02:10,563 [root] DEBUG: 9188: DLL loaded at 0x00007FFC74290000: C:\\Windows\\System32\\fwbase (0x36000 bytes).\n2026-05-28 18:02:10,588 [root] DEBUG: 9188: DLL loaded at 0x00007FFC67500000: C:\\Windows\\system32\\TenantRestrictionsPlugin (0x1b000 bytes).\n2026-05-28 18:02:10,592 [root] DEBUG: 9188: DLL loaded at 0x00007FFC5FA10000: C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\148.0.3967.83\\microsoft_shell_integration (0x78000 bytes).\n2026-05-28 
18:02:10,614 [root] DEBUG: 9188: DLL loaded at 0x00007FFC73380000: C:\\Windows\\System32\\RMCLIENT (0x2a000 bytes).\n2026-05-28 18:02:10,616 [root] DEBUG: 9188: DLL loaded at 0x00007FFC711F0000: C:\\Windows\\System32\\XmlLite (0x36000 bytes).\n2026-05-28 18:02:10,617 [root] DEBUG: 9188: DLL loaded at 0x00007FFC60E20000: C:\\Windows\\System32\\wpnapps (0x15b000 bytes).\n2026-05-28 18:02:10,689 [root] DEBUG: 9188: CreateProcessHandler: Injection info set for new process 10636: C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\148.0.3967.83\\identity_helper.exe, ImageBase: 0x00007FF66CA90000\n2026-05-28 18:02:10,691 [root] INFO: Announced 64-bit process name: identity_helper.exe pid: 10636\n2026-05-28 18:02:10,691 [lib.api.process] INFO: Monitor config for process 10636: C:\\_a4sjgfa\\dll\\10636.ini\n2026-05-28 18:02:10,692 [lib.api.process] INFO: Option 'interactive' with value '1' sent to monitor\n2026-05-28 18:02:11,512 [root] DEBUG: 7912: OpenProcessHandler: Injection info created for process 10532, handle 0xa84: C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe\n2026-05-28 18:02:11,531 [root] DEBUG: 7912: OpenProcessHandler: Image base for process 10532 (handle 0xa84): 0x00007FF734750000.\n2026-05-28 18:02:11,534 [root] DEBUG: 7912: OpenProcessHandler: Injection info created for process 10636, handle 0xa84: C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\148.0.3967.83\\identity_helper.exe\n2026-05-28 18:02:11,777 [lib.api.process] INFO: Potential dll side-loading detected in local directory: onnxruntime.dll\n2026-05-28 18:02:11,778 [lib.api.process] INFO: Potential dll side-loading detected in local directory: d3dcompiler_47.dll\n2026-05-28 18:02:11,785 [lib.api.process] INFO: 64-bit DLL to inject is C:\\_a4sjgfa\\dll\\tHnPbxs.dll, loader C:\\_a4sjgfa\\bin\\GGsGuLID.exe\n2026-05-28 18:02:11,791 [root] DEBUG: Loader: Injecting process 10636 (thread 10640) with C:\\_a4sjgfa\\dll\\tHnPbxs.dll.\n2026-05-28 18:02:11,792 [root] DEBUG: 
InjectDllViaIAT: Successfully patched IAT.\n2026-05-28 18:02:11,792 [root] DEBUG: Successfully injected DLL C:\\_a4sjgfa\\dll\\tHnPbxs.dll.\n2026-05-28 18:02:11,794 [lib.api.process] INFO: Injected into 64-bit <Process 10636 identity_helper.exe>\n2026-05-28 18:02:11,811 [root] DEBUG: 9188: DLL loaded at 0x00007FFC6DB50000: C:\\Windows\\SYSTEM32\\capauthz (0x51000 bytes).\n2026-05-28 18:02:11,814 [root] DEBUG: 9188: DLL loaded at 0x00007FFC6A6A0000: C:\\Windows\\SYSTEM32\\windows.staterepositorycore (0x11000 bytes).\n2026-05-28 18:02:11,816 [root] DEBUG: 9188: CreateProcessHandler: Injection info set for new process 10720: C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\148.0.3967.83\\identity_helper.exe, ImageBase: 0x00007FF66CA90000\n2026-05-28 18:02:11,817 [root] INFO: Announced 64-bit process name: identity_helper.exe pid: 10720\n2026-05-28 18:02:11,818 [lib.api.process] INFO: Monitor config for process 10720: C:\\_a4sjgfa\\dll\\10720.ini\n2026-05-28 18:02:11,819 [lib.api.process] INFO: Option 'interactive' with value '1' sent to monitor\n2026-05-28 18:02:11,926 [lib.api.process] INFO: Potential dll side-loading detected in local directory: onnxruntime.dll\n2026-05-28 18:02:11,927 [lib.api.process] INFO: Potential dll side-loading detected in local directory: d3dcompiler_47.dll\n2026-05-28 18:02:11,929 [lib.api.process] INFO: 64-bit DLL to inject is C:\\_a4sjgfa\\dll\\tHnPbxs.dll, loader C:\\_a4sjgfa\\bin\\GGsGuLID.exe\n2026-05-28 18:02:11,934 [root] DEBUG: Loader: Injecting process 10720 (thread 10724) with C:\\_a4sjgfa\\dll\\tHnPbxs.dll.\n2026-05-28 18:02:11,935 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.\n2026-05-28 18:02:11,937 [root] DEBUG: Successfully injected DLL C:\\_a4sjgfa\\dll\\tHnPbxs.dll.\n2026-05-28 18:02:11,939 [lib.api.process] INFO: Injected into 64-bit <Process 10720 identity_helper.exe>\n2026-05-28 18:02:11,942 [root] INFO: Announced 64-bit process name: identity_helper.exe pid: 10720\n2026-05-28 18:02:11,942 
[lib.api.process] INFO: Monitor config for process 10720: C:\\_a4sjgfa\\dll\\10720.ini\n2026-05-28 18:02:11,942 [lib.api.process] INFO: Option 'interactive' with value '1' sent to monitor\n2026-05-28 18:02:12,052 [lib.api.process] INFO: Potential dll side-loading detected in local directory: onnxruntime.dll\n2026-05-28 18:02:12,058 [lib.api.process] INFO: Potential dll side-loading detected in local directory: d3dcompiler_47.dll\n2026-05-28 18:02:12,063 [lib.api.process] INFO: 64-bit DLL to inject is C:\\_a4sjgfa\\dll\\tHnPbxs.dll, loader C:\\_a4sjgfa\\bin\\GGsGuLID.exe\n2026-05-28 18:02:12,069 [root] DEBUG: Loader: Injecting process 10720 (thread 10724) with C:\\_a4sjgfa\\dll\\tHnPbxs.dll.\n2026-05-28 18:02:12,070 [root] DEBUG: InjectDllViaIAT: This image has already been patched.\n2026-05-28 18:02:12,085 [root] DEBUG: Successfully injected DLL C:\\_a4sjgfa\\dll\\tHnPbxs.dll.\n2026-05-28 18:02:12,088 [lib.api.process] INFO: Injected into 64-bit <Process 10720 identity_helper.exe>\n2026-05-28 18:02:12,112 [root] DEBUG: 10720: Python path set to 'C:\\Users\\admin\\AppData\\Local\\Python\\pythoncore-3.14-64'.\n2026-05-28 18:02:12,113 [root] DEBUG: 10720: Interactive desktop enabled.\n2026-05-28 18:02:12,114 [root] DEBUG: 10720: Dropped file limit defaulting to 100.\n2026-05-28 18:02:12,120 [root] DEBUG: 10720: Disabling sleep skipping.\n2026-05-28 18:02:12,122 [root] DEBUG: 10720: YaraInit: Compiled rules loaded from existing file C:\\_a4sjgfa\\data\\yara\\capemon.yac\n2026-05-28 18:02:12,139 [root] DEBUG: 10720: RtlInsertInvertedFunctionTable 0x00007FFC77FE090E, LdrpInvertedFunctionTableSRWLock 0x00007FFC7813D4F0\n2026-05-28 18:02:12,140 [root] DEBUG: 10720: YaraScan: Scanning 0x00007FF66CA90000, size 0x28b4d8\n2026-05-28 18:02:12,177 [root] DEBUG: 10720: Monitor initialised: 64-bit capemon loaded in process 10720 at 0x00007FFC33AB0000, thread 10724, image base 0x00007FF66CA90000, stack from 0x000000B8F7924000-0x000000B8F7930000\n2026-05-28 18:02:12,179 [root] 
DEBUG: 10720: Commandline: \"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\148.0.3967.83\\identity_helper.exe\" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=windows_package_identity --skip-read-main-dll --metrics-shmem-handle=5988,i,16463646965434194640,9756354988950792942,524288 --field-trial-handle=2464,i,11618049249894349634,12934656804764563957,262144 --variations-seed-version --pseudonymization-salt-handle=2472,i,15884246703223372676,91259951654935\n2026-05-28 18:02:12,179 [root] DEBUG: 10720: add_all_dlls_to_dll_ranges: skipping C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\148.0.3967.83\\msedge_elf.dll\n2026-05-28 18:02:12,190 [root] DEBUG: 10720: hook_api: LdrpCallInitRoutine export address 0x00007FFC77FE99BC obtained via GetFunctionAddress\n2026-05-28 18:02:12,217 [root] WARNING: b'Unable to create trampoline for LockResource, hook type 2'\n2026-05-28 18:02:12,218 [root] DEBUG: 10720: set_hooks: Unable to hook LockResource\n2026-05-28 18:02:12,224 [root] DEBUG: 10720: Hooked 627 out of 628 functions\n2026-05-28 18:02:12,252 [root] DEBUG: 10720: Syscall hook installed, syscall logging level 1\n2026-05-28 18:02:12,257 [root] DEBUG: 10720: RestoreHeaders: Restored original import table.\n2026-05-28 18:02:12,258 [root] INFO: Loaded monitor into process with pid 10720\n2026-05-28 18:02:12,261 [root] DEBUG: 10720: YaraScan: Scanning 0x00007FFC32000000, size 0x4b9994\n2026-05-28 18:02:12,332 [root] DEBUG: 10720: YaraScan: Scanning 0x00007FFC32000000, size 0x4b9994\n2026-05-28 18:02:12,368 [root] DEBUG: 10720: YaraScan: Scanning 0x00007FFC32000000, size 0x4b9994\n2026-05-28 18:02:12,426 [root] DEBUG: 7912: OpenProcessHandler: Injection info created for process 10720, handle 0xa84: C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\148.0.3967.83\\identity_helper.exe\n2026-05-28 18:02:12,433 [root] DEBUG: 10720: YaraScan: Scanning 0x00007FFC32000000, size 0x4b9994\n2026-05-28 
18:02:12,467 [root] DEBUG: 7912: OpenProcessHandler: Image base for process 10720 (handle 0xab0): 0x00007FF66CA90000.\n2026-05-28 18:02:12,470 [root] DEBUG: 10720: YaraScan: Scanning 0x00007FFC32000000, size 0x4b9994\n2026-05-28 18:02:12,521 [root] DEBUG: 10720: YaraScan: Scanning 0x00007FFC32000000, size 0x4b9994\n2026-05-28 18:02:12,570 [root] DEBUG: 10720: YaraScan: Scanning 0x00007FFC32000000, size 0x4b9994\n2026-05-28 18:02:12,619 [root] DEBUG: 10720: caller_dispatch: Added region at 0x00007FFC32000000 to tracked regions list (ntdll::NtProtectVirtualMemory returns to 0x00007FFC321FF156, thread 10724).\n2026-05-28 18:02:12,620 [root] DEBUG: 10720: caller_dispatch: Scanning calling region at 0x00007FFC32000000...\n2026-05-28 18:02:12,625 [root] DEBUG: 10720: ProcessTrackedRegion: Region at 0x00007FFC32000000 mapped as \\Device\\HarddiskVolume2\\Program Files (x86)\\Microsoft\\Edge\\Application\\148.0.3967.83\\msedge_elf.dll appears unmodified, skipping\n2026-05-28 18:02:12,629 [root] DEBUG: 10720: DLL loaded at 0x00007FFC75FA0000: C:\\Windows\\System32\\bcryptprimitives (0x82000 bytes).\n2026-05-28 18:02:12,671 [root] DEBUG: 10720: YaraScan: Scanning 0x00007FF66CA90000, size 0x28b4d8\n2026-05-28 18:02:12,692 [root] DEBUG: 10720: YaraScan: Scanning 0x00007FF66CA90000, size 0x28b4d8\n2026-05-28 18:02:12,711 [root] DEBUG: 10720: YaraScan: Scanning 0x00007FF66CA90000, size 0x28b4d8\n2026-05-28 18:02:12,745 [root] DEBUG: 10720: YaraScan: Scanning 0x00007FF66CA90000, size 0x28b4d8\n2026-05-28 18:02:12,769 [root] DEBUG: 10720: YaraScan: Scanning 0x00007FF66CA90000, size 0x28b4d8\n2026-05-28 18:02:12,787 [root] DEBUG: 10720: YaraScan: Scanning 0x00007FF66CA90000, size 0x28b4d8\n2026-05-28 18:02:12,822 [root] DEBUG: 10720: caller_dispatch: Added region at 0x00007FF66CA90000 to tracked regions list (ntdll::NtProtectVirtualMemory returns to 0x00007FF66CB84096, thread 10724).\n2026-05-28 18:02:12,823 [root] DEBUG: 10720: YaraScan: Scanning 0x00007FF66CA90000, size 
0x28b4d8\n2026-05-28 18:02:12,845 [root] DEBUG: 10720: ProcessImageBase: Main module image at 0x00007FF66CA90000 unmodified (entropy change 0.000000e+00)\n2026-05-28 18:02:12,851 [root] DEBUG: 10720: DLL loaded at 0x00007FFC775B0000: C:\\Windows\\System32\\shcore (0xad000 bytes).\n2026-05-28 18:02:12,876 [root] DEBUG: 10720: DLL loaded at 0x00007FFC1E940000: C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\148.0.3967.83\\msedge (0x136be000 bytes).\n2026-05-28 18:02:12,915 [root] DEBUG: 10720: DLL loaded at 0x00007FFC730A0000: C:\\Windows\\system32\\uxtheme (0x9e000 bytes).\n2026-05-28 18:02:12,938 [root] DEBUG: 10720: DLL loaded at 0x00007FFC734B0000: C:\\Windows\\SYSTEM32\\kernel.appcore (0x12000 bytes).\n2026-05-28 18:02:12,942 [root] DEBUG: 10720: DLL loaded at 0x00007FFC77400000: C:\\Windows\\System32\\MSCTF (0x114000 bytes).\n2026-05-28 18:02:13,248 [root] DEBUG: 9188: DLL loaded at 0x00007FFC6D710000: C:\\Windows\\system32\\wlanapi (0x74000 bytes).\n2026-05-28 18:02:13,251 [root] DEBUG: 9188: DLL loaded at 0x00007FFC63700000: C:\\Windows\\System32\\Windows.ApplicationModel (0xe9000 bytes).\n2026-05-28 18:02:13,252 [root] DEBUG: 9188: DLL loaded at 0x00007FFC6E250000: C:\\Windows\\System32\\AppXDeploymentClient (0x102000 bytes).\n2026-05-28 18:02:13,600 [root] DEBUG: 9188: DLL loaded at 0x00007FFC6C4D0000: C:\\Windows\\SYSTEM32\\NETAPI32 (0x19000 bytes).\n2026-05-28 18:02:13,602 [root] DEBUG: 9188: DLL loaded at 0x00007FFC75090000: C:\\Windows\\SYSTEM32\\ncrypt (0x27000 bytes).\n2026-05-28 18:02:13,604 [root] DEBUG: 9188: DLL loaded at 0x00007FFC75050000: C:\\Windows\\SYSTEM32\\NTASN1 (0x3b000 bytes).\n2026-05-28 18:02:13,605 [root] DEBUG: 9188: DLL loaded at 0x00007FFC6DA30000: C:\\Windows\\system32\\PCPKsp (0x118000 bytes).\n2026-05-28 18:02:13,607 [root] DEBUG: 9188: DLL loaded at 0x00007FFC77F00000: C:\\Windows\\System32\\imagehlp (0x1d000 bytes).\n2026-05-28 18:02:13,608 [root] DEBUG: 9188: DLL loaded at 0x00007FFC6DA10000: 
C:\\Windows\\SYSTEM32\\tbs (0x1b000 bytes).\n2026-05-28 18:02:13,609 [root] DEBUG: 9188: DLL loaded at 0x00007FFC61590000: C:\\Windows\\system32\\ncryptprov (0x5a000 bytes).\n2026-05-28 18:02:13,796 [root] DEBUG: 9188: DLL loaded at 0x00007FFC74D80000: C:\\Windows\\system32\\mswsock (0x6a000 bytes).\n2026-05-28 18:02:13,850 [root] DEBUG: 10720: DLL loaded at 0x00007FFC765F0000: C:\\Windows\\System32\\clbcatq (0xa9000 bytes).\n2026-05-28 18:02:13,855 [root] DEBUG: 10720: DLL loaded at 0x00007FFC775B0000: C:\\Windows\\System32\\shcore (0xad000 bytes).\n2026-05-28 18:02:13,856 [root] DEBUG: 10720: DLL loaded at 0x00007FFC71EC0000: C:\\Windows\\SYSTEM32\\wintypes (0x155000 bytes).\n2026-05-28 18:02:13,857 [root] DEBUG: 10720: DLL loaded at 0x00007FFC73380000: C:\\Windows\\System32\\RMCLIENT (0x2a000 bytes).\n2026-05-28 18:02:13,875 [root] DEBUG: 10720: DLL loaded at 0x00007FFC711F0000: C:\\Windows\\System32\\XmlLite (0x36000 bytes).\n2026-05-28 18:02:13,876 [root] DEBUG: 10720: DLL loaded at 0x00007FFC6FF20000: C:\\Windows\\System32\\twinapi.appcore (0x203000 bytes).\n2026-05-28 18:02:13,877 [root] DEBUG: 10720: DLL loaded at 0x00007FFC60E20000: C:\\Windows\\System32\\wpnapps (0x15b000 bytes).\n2026-05-28 18:02:13,920 [root] DEBUG: 10720: DLL loaded at 0x00007FFC70650000: C:\\Windows\\SYSTEM32\\usermgrcli (0x16000 bytes).\n2026-05-28 18:02:13,928 [root] DEBUG: 10720: DLL loaded at 0x00007FFC6F400000: C:\\Windows\\System32\\OneCoreUAPCommonProxyStub (0x7d0000 bytes).\n2026-05-28 18:02:13,971 [root] DEBUG: 10720: DLL loaded at 0x00007FFC728F0000: C:\\Windows\\System32\\PROPSYS (0xf6000 bytes).\n2026-05-28 18:02:13,973 [root] DEBUG: 10720: DLL loaded at 0x00007FFC729F0000: C:\\Windows\\System32\\CoreMessaging (0xf2000 bytes).\n2026-05-28 18:02:13,974 [root] DEBUG: 10720: DLL loaded at 0x00007FFC63990000: C:\\Windows\\System32\\execmodelclient (0x63000 bytes).\n2026-05-28 18:02:13,993 [root] DEBUG: 10720: DLL loaded at 0x00007FFC66790000: 
C:\\Windows\\System32\\OneCoreCommonProxyStub (0x7f000 bytes).\n2026-05-28 18:02:14,000 [root] DEBUG: 10720: DLL loaded at 0x00007FFC614E0000: C:\\Windows\\system32\\execmodelproxy (0x18000 bytes).\n2026-05-28 18:02:14,006 [root] DEBUG: 10720: DLL loaded at 0x00007FFC74740000: C:\\Windows\\System32\\msvcp110_win (0x8a000 bytes).\n2026-05-28 18:02:14,007 [root] DEBUG: 10720: DLL loaded at 0x00007FFC6FCE0000: C:\\Windows\\SYSTEM32\\policymanager (0xa1000 bytes).\n2026-05-28 18:02:14,027 [root] DEBUG: 10720: DLL loaded at 0x00007FFC665A0000: C:\\Windows\\System32\\Windows.StateRepositoryPS (0x146000 bytes).\n2026-05-28 18:02:14,035 [root] DEBUG: 10720: DLL loaded at 0x00007FFC75EE0000: C:\\Windows\\System32\\WINTRUST (0x67000 bytes).\n2026-05-28 18:02:14,036 [root] DEBUG: 10720: DLL loaded at 0x00007FFC6DB50000: C:\\Windows\\SYSTEM32\\capauthz (0x51000 bytes).\n2026-05-28 18:02:14,038 [root] DEBUG: 10720: DLL loaded at 0x00007FFC751B0000: C:\\Windows\\System32\\MSASN1 (0x12000 bytes).\n2026-05-28 18:02:14,053 [root] DEBUG: 10720: DLL loaded at 0x00007FFC5B720000: C:\\Windows\\System32\\biwinrt (0x53000 bytes).\n2026-05-28 18:02:14,088 [root] DEBUG: 10720: DLL loaded at 0x00007FFC5B910000: C:\\Windows\\System32\\Windows.Storage.ApplicationData (0x66000 bytes).\n2026-05-28 18:02:14,120 [root] DEBUG: 10720: DLL loaded at 0x00007FFC75020000: C:\\Windows\\System32\\Wldp (0x2d000 bytes).\n2026-05-28 18:02:14,122 [root] DEBUG: 10720: DLL loaded at 0x00007FFC73790000: C:\\Windows\\SYSTEM32\\windows.storage (0x79b000 bytes).\n2026-05-28 18:02:14,141 [root] DEBUG: 10720: DLL loaded at 0x00007FFC65B50000: C:\\Windows\\system32\\mssprxy (0x28000 bytes).\n2026-05-28 18:02:14,219 [root] DEBUG: 10720: DLL loaded at 0x00007FFC75F50000: C:\\Windows\\System32\\CFGMGR32 (0x4e000 bytes).\n2026-05-28 18:02:14,245 [root] DEBUG: 10720: DLL loaded at 0x00007FFC63700000: C:\\Windows\\System32\\Windows.ApplicationModel (0xe9000 bytes).\n2026-05-28 18:02:14,254 [root] DEBUG: 10720: DLL loaded 
at 0x00007FFC51A40000: C:\\Windows\\System32\\CryptoWinRT (0x61000 bytes).\n2026-05-28 18:02:14,279 [root] DEBUG: 10720: DLL loaded at 0x00007FFC6AB30000: C:\\Windows\\System32\\StateRepository.Core (0xb1000 bytes).\n2026-05-28 18:02:14,281 [root] DEBUG: 10720: DLL loaded at 0x00007FFC6AC50000: C:\\Windows\\System32\\Windows.StateRepository (0x58e000 bytes).\n2026-05-28 18:02:14,282 [root] DEBUG: 10720: DLL loaded at 0x00007FFC61260000: C:\\Windows\\System32\\TileDataRepository (0x99000 bytes).\n2026-05-28 18:02:14,295 [root] DEBUG: 10720: DLL loaded at 0x00007FFC6E1F0000: C:\\Windows\\System32\\usermgrproxy (0x54000 bytes).\n2026-05-28 18:02:14,311 [root] DEBUG: 10720: DLL loaded at 0x00007FFC73F70000: C:\\Windows\\System32\\dxgi (0xf3000 bytes).\n2026-05-28 18:02:14,312 [root] DEBUG: 10720: DLL loaded at 0x00007FFC71690000: C:\\Windows\\System32\\d3d11 (0x263000 bytes).\n2026-05-28 18:02:14,819 [root] DEBUG: 10720: DLL loaded at 0x00007FFC67810000: C:\\Windows\\System32\\WININET (0x4d6000 bytes).\n2026-05-28 18:02:14,821 [root] DEBUG: 10720: DLL loaded at 0x00007FFC5B5A0000: C:\\Windows\\System32\\windows.internal.shell.broker (0xdd000 bytes).\n2026-05-28 18:02:14,850 [root] DEBUG: 10720: DLL loaded at 0x00007FFC5CBD0000: C:\\Windows\\System32\\PCShellCommonProxyStub (0x13000 bytes).\n2026-05-28 18:02:14,876 [root] DEBUG: 10720: DLL loaded at 0x00007FFC75560000: C:\\Windows\\System32\\USERENV (0x2e000 bytes).\n2026-05-28 18:02:14,878 [root] DEBUG: 10720: DLL loaded at 0x00007FFC6A640000: C:\\Windows\\System32\\Bcp47Langs (0x5b000 bytes).\n2026-05-28 18:02:14,879 [root] DEBUG: 10720: DLL loaded at 0x00007FFC5FB10000: C:\\Windows\\System32\\StartTileData (0x58a000 bytes).\n2026-05-28 18:02:26,741 [root] INFO: Process with pid 10720 has terminated\n2026-05-28 18:02:26,953 [root] INFO: Process lock is locked\n2026-05-28 18:02:27,619 [root] DEBUG: 10720: NtTerminateProcess hook: Attempting to dump process 10720\n2026-05-28 18:02:28,502 [root] DEBUG: 10720: 
DoProcessDump: Skipping process dump as code is identical on disk.\n2026-05-28 18:02:33,115 [root] DEBUG: 9188: CreateProcessHandler: Injection info set for new process 5484: C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe, ImageBase: 0x00007FF734750000\n2026-05-28 18:02:34,211 [root] DEBUG: 7912: OpenProcessHandler: Injection info created for process 5484, handle 0xab0: C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe\n2026-05-28 18:02:35,151 [root] DEBUG: 9188: ProcessMessage: Skipping monitoring process 5484\n2026-05-28 18:02:35,355 [root] DEBUG: 9188: ProcessMessage: Skipping monitoring process 5484\n2026-05-28 18:02:35,634 [root] DEBUG: 7912: OpenProcessHandler: Image base for process 5484 (handle 0xab0): 0x00007FF734750000.\n2026-05-28 18:02:38,111 [root] DEBUG: 9188: DLL loaded at 0x00007FFC708F0000: C:\\Windows\\System32\\Windows.System.UserProfile.DiagnosticsSettings (0x15000 bytes).\n2026-05-28 18:02:39,462 [root] DEBUG: 9188: DLL loaded at 0x00007FFC708D0000: C:\\Windows\\System32\\Windows.System.Diagnostics.Telemetry.PlatformTelemetryClient (0x12000 bytes).\n2026-05-28 18:02:39,775 [root] DEBUG: 9188: CreateProcessHandler: Injection info set for new process 3656: C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe, ImageBase: 0x00007FF734750000\n2026-05-28 18:02:39,777 [root] DEBUG: 9188: ProcessMessage: Skipping monitoring process 3656\n2026-05-28 18:02:39,778 [root] DEBUG: 9188: ProcessMessage: Skipping monitoring process 3656\n2026-05-28 18:02:40,076 [root] INFO: Announced starting service \"b'MicrosoftEdgeElevationService'\"\n2026-05-28 18:02:40,465 [root] INFO: Process with pid 9188 appears to have terminated\n2026-05-28 18:02:40,502 [root] DEBUG: 7912: OpenProcessHandler: Injection info created for process 3656, handle 0xac8: C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe\n2026-05-28 18:02:40,504 [root] DEBUG: 7912: OpenProcessHandler: Image base for process 3656 (handle 0xac8): 
0x00007FF734750000.\n2026-05-28 18:02:40,505 [root] DEBUG: 7912: OpenProcessHandler: Injection info created for process 2196, handle 0xac8: C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe\n2026-05-28 18:02:40,506 [root] DEBUG: 7912: OpenProcessHandler: Image base for process 2196 (handle 0xac8): 0x00007FF734750000.\n2026-05-28 18:02:40,507 [root] DEBUG: 7912: OpenProcessHandler: Injection info created for process 764, handle 0xac8: C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe\n2026-05-28 18:02:40,509 [root] DEBUG: 7912: OpenProcessHandler: Image base for process 764 (handle 0xac8): 0x00007FF734750000.\n2026-05-28 18:02:40,510 [root] DEBUG: 7912: OpenProcessHandler: Injection info created for process 1180, handle 0xac8: C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe\n2026-05-28 18:02:40,514 [root] DEBUG: 7912: OpenProcessHandler: Image base for process 1180 (handle 0xac0): 0x00007FF734750000.\n2026-05-28 18:02:40,516 [root] DEBUG: 7912: OpenProcessHandler: Injection info created for process 2660, handle 0xac0: C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe\n2026-05-28 18:02:40,517 [root] DEBUG: 7912: OpenProcessHandler: Image base for process 2660 (handle 0xac0): 0x00007FF734750000.\n2026-05-28 18:02:40,518 [root] DEBUG: 7912: OpenProcessHandler: Injection info created for process 11124, handle 0xac0: C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\148.0.3967.83\\identity_helper.exe\n2026-05-28 18:02:40,520 [root] DEBUG: 7912: OpenProcessHandler: Image base for process 11124 (handle 0xac0): 0x00007FF66CA90000.\n2026-05-28 18:02:45,499 [root] DEBUG: 7912: OpenProcessHandler: Injection info created for process 9856, handle 0xac0: C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe\n2026-05-28 18:02:45,530 [root] DEBUG: 7912: OpenProcessHandler: Image base for process 9856 (handle 0xac0): 0x00007FF734750000.\n2026-05-28 18:02:45,547 [root] DEBUG: 7912: OpenProcessHandler: 
Injection info created for process 10572, handle 0xac0: C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe\n2026-05-28 18:02:45,566 [root] DEBUG: 7912: OpenProcessHandler: Image base for process 10572 (handle 0xac0): 0x00007FF734750000.\n2026-05-28 18:02:57,530 [root] DEBUG: 7912: OpenProcessHandler: Injection info created for process 3640, handle 0x320: C:\\Windows\\System32\\svchost.exe\n2026-05-28 18:03:00,018 [root] DEBUG: 740: CreateProcessHandler: Injection info set for new process 9716: C:\\Windows\\system32\\DllHost.exe, ImageBase: 0x00007FF699DF0000\n2026-05-28 18:03:00,062 [root] DEBUG: 740: CreateProcessHandler: Injection info set for new process 9816: C:\\Windows\\system32\\wbem\\wmiprvse.exe, ImageBase: 0x00007FF6209B0000\n2026-05-28 18:03:00,095 [root] INFO: Announced 64-bit process name: dllhost.exe pid: 9716\n2026-05-28 18:03:00,112 [lib.api.process] INFO: Monitor config for process 9716: C:\\_a4sjgfa\\dll\\9716.ini\n2026-05-28 18:03:00,111 [root] INFO: Announced 64-bit process name: WmiPrvSE.exe pid: 9816\n2026-05-28 18:03:00,125 [lib.api.process] INFO: Monitor config for process 9816: C:\\_a4sjgfa\\dll\\9816.ini\n2026-05-28 18:03:00,134 [lib.api.process] INFO: Option 'interactive' with value '1' sent to monitor\n2026-05-28 18:03:00,152 [lib.api.process] INFO: 64-bit DLL to inject is C:\\_a4sjgfa\\dll\\tHnPbxs.dll, loader C:\\_a4sjgfa\\bin\\GGsGuLID.exe\n2026-05-28 18:03:00,169 [lib.api.process] INFO: Option 'interactive' with value '1' sent to monitor\n2026-05-28 18:03:00,260 [root] DEBUG: Loader: Injecting process 9716 (thread 9720) with C:\\_a4sjgfa\\dll\\tHnPbxs.dll.\n2026-05-28 18:03:00,337 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.\n2026-05-28 18:03:00,394 [lib.api.process] INFO: 64-bit DLL to inject is C:\\_a4sjgfa\\dll\\tHnPbxs.dll, loader C:\\_a4sjgfa\\bin\\GGsGuLID.exe\n2026-05-28 18:03:00,397 [root] DEBUG: Successfully injected DLL C:\\_a4sjgfa\\dll\\tHnPbxs.dll.\n2026-05-28 18:03:00,447 [root] DEBUG: Loader: 
Injecting process 9816 (thread 9648) with C:\\_a4sjgfa\\dll\\tHnPbxs.dll.\n2026-05-28 18:03:00,469 [lib.api.process] INFO: Injected into 64-bit <Process 9716 dllhost.exe>\n2026-05-28 18:03:00,480 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.\n2026-05-28 18:03:00,517 [root] INFO: Announced 64-bit process name: dllhost.exe pid: 9716\n2026-05-28 18:03:00,527 [lib.api.process] INFO: Monitor config for process 9716: C:\\_a4sjgfa\\dll\\9716.ini\n2026-05-28 18:03:00,527 [root] DEBUG: Successfully injected DLL C:\\_a4sjgfa\\dll\\tHnPbxs.dll.\n2026-05-28 18:03:00,527 [lib.api.process] INFO: Option 'interactive' with value '1' sent to monitor\n2026-05-28 18:03:00,540 [root] DEBUG: 7912: OpenProcessHandler: Injection info created for process 9192, handle 0x8dc: C:\\Windows\\System32\\svchost.exe\n2026-05-28 18:03:00,543 [lib.api.process] INFO: 64-bit DLL to inject is C:\\_a4sjgfa\\dll\\tHnPbxs.dll, loader C:\\_a4sjgfa\\bin\\GGsGuLID.exe\n2026-05-28 18:03:00,565 [root] DEBUG: 7912: OpenProcessHandler: Image base for process 9192 (handle 0x8dc): 0x00007FF780360000.\n2026-05-28 18:03:00,569 [lib.api.process] INFO: Injected into 64-bit <Process 9816 WmiPrvSE.exe>\n2026-05-28 18:03:00,592 [root] DEBUG: Loader: Injecting process 9716 (thread 9720) with C:\\_a4sjgfa\\dll\\tHnPbxs.dll.\n2026-05-28 18:03:00,600 [root] DEBUG: 7912: OpenProcessHandler: Injection info created for process 9492, handle 0x8dc: C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\MicrosoftEdgeUpdate.exe\n2026-05-28 18:03:00,619 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.\n2026-05-28 18:03:00,620 [root] INFO: Announced 64-bit process name: WmiPrvSE.exe pid: 9816\n2026-05-28 18:03:00,623 [lib.api.process] INFO: Monitor config for process 9816: C:\\_a4sjgfa\\dll\\9816.ini\n2026-05-28 18:03:00,624 [lib.api.process] INFO: Option 'interactive' with value '1' sent to monitor\n2026-05-28 18:03:00,627 [root] DEBUG: Successfully injected DLL C:\\_a4sjgfa\\dll\\tHnPbxs.dll.\n2026-05-28 18:03:00,623 
[root] DEBUG: 7912: OpenProcessHandler: Image base for process 9492 (handle 0xad0): 0x0000000000030000.\n2026-05-28 18:03:00,733 [root] DEBUG: 7912: OpenProcessHandler: Injection info created for process 9716, handle 0xad0: C:\\Windows\\System32\\dllhost.exe\n2026-05-28 18:03:00,733 [lib.api.process] INFO: Injected into 64-bit <Process 9716 dllhost.exe>\n2026-05-28 18:03:00,777 [root] DEBUG: 7912: OpenProcessHandler: Injection info created for process 9816, handle 0xad0: C:\\Windows\\System32\\wbem\\WmiPrvSE.exe\n2026-05-28 18:03:00,781 [lib.api.process] INFO: 64-bit DLL to inject is C:\\_a4sjgfa\\dll\\tHnPbxs.dll, loader C:\\_a4sjgfa\\bin\\GGsGuLID.exe\n2026-05-28 18:03:00,871 [root] DEBUG: 9716: Python path set to 'C:\\Users\\admin\\AppData\\Local\\Python\\pythoncore-3.14-64'.\n2026-05-28 18:03:00,871 [root] DEBUG: 7912: OpenProcessHandler: Image base for process 9816 (handle 0xa74): 0x00007FF6209B0000.\n2026-05-28 18:03:00,928 [root] DEBUG: 9716: Interactive desktop enabled.\n2026-05-28 18:03:00,966 [root] DEBUG: Loader: Injecting process 9816 (thread 9648) with C:\\_a4sjgfa\\dll\\tHnPbxs.dll.\n2026-05-28 18:03:00,979 [root] DEBUG: 9716: Dropped file limit defaulting to 100.\n2026-05-28 18:03:00,990 [root] DEBUG: InjectDllViaIAT: This image has already been patched.\n2026-05-28 18:03:01,037 [root] DEBUG: Successfully injected DLL C:\\_a4sjgfa\\dll\\tHnPbxs.dll.\n2026-05-28 18:03:01,040 [root] DEBUG: 9716: Disabling sleep skipping.\n2026-05-28 18:03:01,082 [lib.api.process] INFO: Injected into 64-bit <Process 9816 WmiPrvSE.exe>\n2026-05-28 18:03:01,104 [root] DEBUG: 9716: YaraInit: Compiled rules loaded from existing file C:\\_a4sjgfa\\data\\yara\\capemon.yac\n2026-05-28 18:03:01,104 [root] DEBUG: 9816: Python path set to 'C:\\Users\\admin\\AppData\\Local\\Python\\pythoncore-3.14-64'.\n2026-05-28 18:03:01,125 [root] DEBUG: 9716: RtlInsertInvertedFunctionTable 0x00007FFC77FE090E, LdrpInvertedFunctionTableSRWLock 0x00007FFC7813D4F0\n2026-05-28 18:03:01,127 [root] 
DEBUG: 9816: Interactive desktop enabled.\n2026-05-28 18:03:01,158 [root] DEBUG: 9716: YaraScan: Scanning 0x00007FF699DF0000, size 0x8026\n2026-05-28 18:03:01,184 [root] DEBUG: 9816: Dropped file limit defaulting to 100.\n2026-05-28 18:03:01,189 [root] DEBUG: 9716: Monitor initialised: 64-bit capemon loaded in process 9716 at 0x00007FFC33AB0000, thread 9720, image base 0x00007FF699DF0000, stack from 0x0000009B1AFD4000-0x0000009B1AFE0000\n2026-05-28 18:03:01,201 [root] DEBUG: 9816: Disabling sleep skipping.\n2026-05-28 18:03:01,201 [root] DEBUG: 9716: Commandline: C:\\Windows\\system32\\DllHost.exe /Processid:{338B40F9-9D68-4B53-A793-6B9AA0C5F63B}\n2026-05-28 18:03:01,239 [root] DEBUG: 9816: Services hook set enabled\n2026-05-28 18:03:01,244 [root] DEBUG: 9716: hook_api: LdrpCallInitRoutine export address 0x00007FFC77FE99BC obtained via GetFunctionAddress\n2026-05-28 18:03:01,317 [root] WARNING: b'Unable to create trampoline for LockResource, hook type 2'\n2026-05-28 18:03:01,319 [root] DEBUG: 9816: YaraInit: Compiled rules loaded from existing file C:\\_a4sjgfa\\data\\yara\\capemon.yac\n2026-05-28 18:03:01,353 [root] DEBUG: 9716: set_hooks: Unable to hook LockResource\n2026-05-28 18:03:01,380 [root] DEBUG: 9816: RtlInsertInvertedFunctionTable 0x00007FFC77FE090E, LdrpInvertedFunctionTableSRWLock 0x00007FFC7813D4F0\n2026-05-28 18:03:01,457 [root] DEBUG: 9716: Hooked 627 out of 628 functions\n2026-05-28 18:03:01,461 [root] DEBUG: 9816: Monitor initialised: 64-bit capemon loaded in process 9816 at 0x00007FFC33AB0000, thread 9648, image base 0x00007FF6209B0000, stack from 0x000000DA57190000-0x000000DA571A0000\n2026-05-28 18:03:01,475 [root] DEBUG: 9716: Syscall hook installed, syscall logging level 1\n2026-05-28 18:03:01,490 [root] DEBUG: 9816: Commandline: C:\\Windows\\system32\\wbem\\wmiprvse.exe -secured -Embedding\n2026-05-28 18:03:01,534 [root] DEBUG: 9716: RestoreHeaders: Restored original import table.\n2026-05-28 18:03:01,538 [root] DEBUG: 9816: Hooked 69 out of 
69 functions\n2026-05-28 18:03:01,563 [root] DEBUG: 7912: OpenProcessHandler: Image base for process 9716 (handle 0xa60): 0x00007FF699DF0000.\n2026-05-28 18:03:01,583 [root] INFO: Loaded monitor into process with pid 9716\n2026-05-28 18:03:01,598 [root] DEBUG: 9816: RestoreHeaders: Restored original import table.\n2026-05-28 18:03:01,604 [root] DEBUG: 9716: caller_dispatch: Added region at 0x00007FF699DF0000 to tracked regions list (kernel32::SetUnhandledExceptionFilter returns to 0x00007FF699DF1349, thread 9720).\n2026-05-28 18:03:01,608 [root] INFO: Loaded monitor into process with pid 9816\n2026-05-28 18:03:01,624 [root] DEBUG: 9716: YaraScan: Scanning 0x00007FF699DF0000, size 0x8026\n2026-05-28 18:03:01,641 [root] DEBUG: 9816: DLL loaded at 0x00007FFC734B0000: C:\\Windows\\SYSTEM32\\kernel.appcore (0x12000 bytes).\n2026-05-28 18:03:01,664 [root] DEBUG: 9716: ProcessImageBase: Main module image at 0x00007FF699DF0000 unmodified (entropy change 0.000000e+00)\n2026-05-28 18:03:01,692 [root] DEBUG: 9816: DLL loaded at 0x00007FFC75FA0000: C:\\Windows\\System32\\bcryptPrimitives (0x82000 bytes).\n2026-05-28 18:03:01,704 [root] DEBUG: 9716: DLL loaded at 0x00007FFC734B0000: C:\\Windows\\SYSTEM32\\kernel.appcore (0x12000 bytes).\n2026-05-28 18:03:01,738 [root] DEBUG: 9716: DLL loaded at 0x00007FFC75FA0000: C:\\Windows\\System32\\bcryptPrimitives (0x82000 bytes).\n2026-05-28 18:03:01,783 [root] DEBUG: 9816: DLL loaded at 0x00007FFC765F0000: C:\\Windows\\System32\\clbcatq (0xa9000 bytes).\n2026-05-28 18:03:01,822 [root] DEBUG: 9716: DLL loaded at 0x00007FFC765F0000: C:\\Windows\\System32\\clbcatq (0xa9000 bytes).\n2026-05-28 18:03:01,857 [lib.api.process] INFO: Monitor config for process 8196: C:\\_a4sjgfa\\dll\\8196.ini\n2026-05-28 18:03:01,931 [lib.api.process] INFO: Option 'interactive' with value '1' sent to monitor\n2026-05-28 18:03:01,943 [lib.api.process] INFO: 64-bit DLL to inject is C:\\_a4sjgfa\\dll\\tHnPbxs.dll, loader 
C:\\_a4sjgfa\\bin\\GGsGuLID.exe\n2026-05-28 18:03:02,001 [root] DEBUG: 9716: DLL loaded at 0x00007FFC730A0000: C:\\Windows\\system32\\uxtheme (0x9e000 bytes).\n2026-05-28 18:03:02,029 [root] DEBUG: Loader: Injecting process 8196 with C:\\_a4sjgfa\\dll\\tHnPbxs.dll.\n2026-05-28 18:03:02,090 [root] DEBUG: 8196: Python path set to 'C:\\Users\\admin\\AppData\\Local\\Python\\pythoncore-3.14-64'.\n2026-05-28 18:03:02,158 [root] DEBUG: 9716: DLL loaded at 0x00007FFC74BA0000: C:\\Windows\\system32\\logoncli (0x43000 bytes).\n2026-05-28 18:03:02,176 [root] DEBUG: 8196: Disabling sleep skipping.\n2026-05-28 18:03:02,193 [root] DEBUG: 9716: DLL loaded at 0x00007FFC74B80000: C:\\Windows\\system32\\netutils (0xc000 bytes).\n2026-05-28 18:03:02,213 [root] DEBUG: 8196: Interactive desktop enabled.\n2026-05-28 18:03:02,224 [root] DEBUG: 9716: DLL loaded at 0x00007FFC6E0A0000: C:\\Windows\\system32\\dhcpcsvc (0x1d000 bytes).\n2026-05-28 18:03:02,245 [root] DEBUG: 8196: Dropped file limit defaulting to 100.\n2026-05-28 18:03:02,250 [root] DEBUG: 9716: DLL loaded at 0x00007FFC707B0000: C:\\Windows\\system32\\WINHTTP (0x10a000 bytes).\n2026-05-28 18:03:02,282 [root] DEBUG: 8196: Services hook set enabled\n2026-05-28 18:03:02,302 [root] DEBUG: 9716: DLL loaded at 0x00007FFC747F0000: C:\\Windows\\SYSTEM32\\ntmarta (0x33000 bytes).\n2026-05-28 18:03:02,356 [root] DEBUG: 8196: YaraInit: Compiled rules loaded from existing file C:\\_a4sjgfa\\data\\yara\\capemon.yac\n2026-05-28 18:03:02,392 [root] DEBUG: 9716: DLL loaded at 0x00007FFC775B0000: C:\\Windows\\System32\\shcore (0xad000 bytes).\n2026-05-28 18:03:02,393 [root] DEBUG: 8196: RtlInsertInvertedFunctionTable 0x00007FFC77FE090E, LdrpInvertedFunctionTableSRWLock 0x00007FFC7813D4F0\n2026-05-28 18:03:02,410 [root] DEBUG: 9716: DLL loaded at 0x00007FFC74A70000: C:\\Windows\\system32\\IPHLPAPI (0x3b000 bytes).\n2026-05-28 18:03:02,430 [root] DEBUG: 8196: Monitor initialised: 64-bit capemon loaded in process 8196 at 0x00007FFC33AB0000, 
thread 2780, image base 0x00007FF780360000, stack from 0x00000093D7AF4000-0x00000093D7B00000\n2026-05-28 18:03:02,444 [root] DEBUG: 9716: DLL loaded at 0x00007FFC75560000: C:\\Windows\\system32\\USERENV (0x2e000 bytes).\n2026-05-28 18:03:02,447 [root] DEBUG: 8196: Commandline: C:\\Windows\\system32\\svchost.exe -k netsvcs -p\n2026-05-28 18:03:02,488 [root] DEBUG: 9716: DLL loaded at 0x00007FFC755E0000: C:\\Windows\\system32\\profapi (0x25000 bytes).\n2026-05-28 18:03:02,525 [root] DEBUG: 8196: Hooked 69 out of 69 functions\n2026-05-28 18:03:02,552 [root] DEBUG: 7912: OpenProcessHandler: Injection info created for process 4608, handle 0xa60: C:\\_a4sjgfa\\bin\\GGsGuLID.exe\n2026-05-28 18:03:02,566 [root] INFO: Loaded monitor into process with pid 8196\n2026-05-28 18:03:02,584 [root] DEBUG: 7912: OpenProcessHandler: Image base for process 4608 (handle 0xa74): 0x00007FF79BBD0000.\n2026-05-28 18:03:02,606 [root] DEBUG: 9716: DLL loaded at 0x00007FFC711F0000: C:\\Windows\\system32\\XmlLite (0x36000 bytes).\n2026-05-28 18:03:02,615 [root] DEBUG: InjectDllViaThread: Successfully injected Dll into process via RtlCreateUserThread.\n2026-05-28 18:03:02,645 [root] DEBUG: 9716: DLL loaded at 0x00007FFC74AB0000: C:\\Windows\\system32\\DNSAPI (0xca000 bytes).\n2026-05-28 18:03:02,653 [root] DEBUG: Successfully injected DLL C:\\_a4sjgfa\\dll\\tHnPbxs.dll.\n2026-05-28 18:03:02,683 [root] DEBUG: 9716: DLL loaded at 0x00007FFC1A000000: C:\\Windows\\system32\\domgmt (0x86000 bytes).\n2026-05-28 18:03:02,723 [lib.api.process] INFO: Injected into 64-bit <Process 8196 svchost.exe>\n2026-05-28 18:03:02,754 [root] DEBUG: 9716: DLL loaded at 0x00007FFC771D0000: C:\\Windows\\System32\\NSI (0x8000 bytes).\n2026-05-28 18:03:02,785 [root] DEBUG: 9716: DLL loaded at 0x00007FFC66790000: C:\\Windows\\System32\\OneCoreCommonProxyStub (0x7f000 bytes).\n2026-05-28 18:03:04,615 [root] DEBUG: 4584: DLL loaded at 0x00007FFC601B0000: C:\\Windows\\System32\\wscinterop (0x3d000 bytes).\n2026-05-28 
18:03:04,625 [root] DEBUG: 4584: DLL loaded at 0x00007FFC6A330000: C:\\Windows\\System32\\WSCAPI (0x4d000 bytes).\n2026-05-28 18:03:04,652 [root] DEBUG: 4584: DLL loaded at 0x00007FFC50D30000: C:\\Windows\\WinSxS\\amd64_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.19041.3636_none_91a19322cc8a92a3\\gdiplus (0x1a5000 bytes).\n2026-05-28 18:03:04,677 [root] DEBUG: 4584: DLL loaded at 0x00007FFC63BE0000: C:\\Windows\\System32\\wscui.cpl (0x19000 bytes).\n2026-05-28 18:03:04,738 [root] DEBUG: 4584: DLL loaded at 0x00007FFC19950000: C:\\Windows\\System32\\framedynos (0x52000 bytes).\n2026-05-28 18:03:04,797 [root] DEBUG: 4584: DLL loaded at 0x00007FFC732A0000: C:\\Windows\\System32\\wer (0xde000 bytes).\n2026-05-28 18:03:04,830 [root] DEBUG: 9816: DLL loaded at 0x00007FFC61080000: C:\\Windows\\system32\\wbem\\wbemprox (0x11000 bytes).\n2026-05-28 18:03:04,830 [root] DEBUG: 4584: DLL loaded at 0x00007FFC199B0000: C:\\Windows\\System32\\werconcpl (0xde000 bytes).\n2026-05-28 18:03:04,879 [root] DEBUG: 4584: DLL loaded at 0x00007FFC5FAF0000: C:\\Windows\\System32\\hcproviders (0x14000 bytes).\n2026-05-28 18:03:04,895 [root] DEBUG: 9816: DLL loaded at 0x00007FFC63BB0000: C:\\Windows\\system32\\wbem\\wbemsvc (0x14000 bytes).\n2026-05-28 18:03:04,968 [root] DEBUG: 4584: DLL loaded at 0x00007FFC19860000: C:\\Windows\\System32\\ieproxy (0xee000 bytes).\n2026-05-28 18:03:05,118 [root] DEBUG: 9816: DLL loaded at 0x00007FFC708E0000: C:\\Windows\\system32\\wbem\\wmiutils (0x28000 bytes).\n2026-05-28 18:03:05,332 [root] DEBUG: 9816: DLL loaded at 0x00007FFC75460000: C:\\Windows\\SYSTEM32\\powrprof (0x4b000 bytes).\n2026-05-28 18:03:05,363 [root] DEBUG: 9816: DLL loaded at 0x00007FFC19950000: C:\\Windows\\SYSTEM32\\framedynos (0x52000 bytes).\n2026-05-28 18:03:05,411 [root] DEBUG: 9816: DLL loaded at 0x00007FFC19650000: C:\\Windows\\system32\\wbem\\cimwin32 (0x20c000 bytes).\n2026-05-28 18:03:05,449 [root] DEBUG: 9816: DLL loaded at 0x00007FFC75440000: C:\\Windows\\SYSTEM32\\UMPDC 
(0x12000 bytes).\n2026-05-28 18:03:05,551 [root] DEBUG: 9816: DLL loaded at 0x000002C2EE1B0000: C:\\Windows\\SYSTEM32\\WMI (0x3000 bytes).\n2026-05-28 18:03:05,567 [root] DEBUG: 9816: DLL loaded at 0x00007FFC6F2C0000: C:\\Windows\\SYSTEM32\\wmiclnt (0x11000 bytes).\n2026-05-28 18:03:05,624 [root] DEBUG: 9816: CreateThreadBreakpoints: Failed to open thread and get a handle.\n2026-05-28 18:03:06,551 [root] DEBUG: 7912: OpenProcessHandler: Injection info created for process 11284, handle 0xa60: C:\\Windows\\System32\\svchost.exe\n2026-05-28 18:03:06,589 [root] DEBUG: 7912: OpenProcessHandler: Image base for process 11284 (handle 0xa60): 0x00007FF780360000.\n2026-05-28 18:03:06,628 [root] DEBUG: 7912: OpenProcessHandler: Injection info created for process 11304, handle 0xa60: C:\\Windows\\System32\\svchost.exe\n2026-05-28 18:03:06,665 [root] DEBUG: 7912: OpenProcessHandler: Image base for process 11304 (handle 0xa60): 0x00007FF780360000.\n2026-05-28 18:03:07,932 [root] INFO: Process with pid 9716 has terminated\n2026-05-28 18:03:08,022 [root] DEBUG: 9716: NtTerminateProcess hook: Attempting to dump process 9716\n2026-05-28 18:03:08,093 [root] DEBUG: 9716: DoProcessDump: Skipping process dump as code is identical on disk.\n",
    "errors": []
  },
  "network": {},
  "url": {
    "whois": "Name: None\nCountry: None\nState: None\nCity: None\nZIP Code: None\nAddress: None\n\nOrginization: None\nDomain Name(s):\n    SUGARCRAFT.NET\nCreation Date:\n    2026-04-13 16:52:11\nUpdated Date:\n    2026-04-13 17:06:24\nExpiration Date:\n    2027-04-13 16:52:11\nEmail(s):\n    abuse-tracker@hostinger.com\n\nRegistrar(s):\n    HOSTINGER operations, UAB\nName Server(s):\n    DNS23.HOSTWARE.COM.TR\n    DNS24.HOSTWARE.COM.TR\nReferral URL(s):\n    None",
    "virustotal": {
      "error": true,
      "msg": "Unable to complete connection to VirusTotal. Status code: 429"
    }
  },
  "target": {
    "category": "url"
  },
  "url_analysis": {
    "url": "https://sugarcraft.net/"
  },
  "procmemory": [],
  "signatures": [
    {
      "name": "antivm_checks_available_memory",
      "description": "Checks available memory",
      "categories": [
        "antivm"
      ],
      "severity": 1,
      "weight": 1,
      "confidence": 100,
      "references": [],
      "data": [
        {
          "type": "call",
          "pid": 7912,
          "cid": 3817
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 7675
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 14835
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 18532
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 18869
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 19111
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 19163
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 19430
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 19669
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 19772
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 19857
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 20015
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 20086
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 20152
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 20241
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 20816
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 20918
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 21357
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 21526
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 21593
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 21660
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 21727
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 21794
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 21861
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 21930
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 21998
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 22065
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 22133
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 22200
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 22267
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 22334
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 22401
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 22468
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 22535
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 22602
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 22669
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 22736
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 22844
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 22898
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 22989
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 23056
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 23128
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 23218
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 23871
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 24130
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 24300
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 24459
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 24514
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 24570
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 24672
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 24728
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 24785
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 24841
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 24897
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 24953
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 25010
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 25065
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 25106
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 25175
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 25232
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 25297
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 25382
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 25441
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 25494
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 26110
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 26205
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 26330
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 26386
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 26442
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 26506
        }
      ],
      "new_data": [],
      "alert": false,
      "families": []
    },
    {
      "name": "queries_computer_name",
      "description": "Queries computer hostname",
      "categories": [
        "system_discovery"
      ],
      "severity": 1,
      "weight": 1,
      "confidence": 100,
      "references": [],
      "data": [
        {
          "type": "call",
          "pid": 7912,
          "cid": 1748
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 2361
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 2426
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 14163
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 14165
        }
      ],
      "new_data": [],
      "alert": false,
      "families": []
    },
    {
      "name": "queries_keyboard_layout",
      "description": "Queries the keyboard layout",
      "categories": [
        "location_discovery"
      ],
      "severity": 1,
      "weight": 1,
      "confidence": 100,
      "references": [],
      "data": [
        {
          "type": "call",
          "pid": 7912,
          "cid": 624
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 649
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 785
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 906
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 912
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 3388
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 3402
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 3593
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 9148
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 9150
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 18833
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 19154
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 19287
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 19290
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 23119
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 23189
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 24076
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 24079
        },
        {
          "type": "call",
          "pid": 9716,
          "cid": 716
        }
      ],
      "new_data": [],
      "alert": false,
      "families": []
    },
    {
      "name": "queries_locale_api",
      "description": "Queries the computer locale (possible geofencing)",
      "categories": [
        "location_discovery",
        "geofence"
      ],
      "severity": 1,
      "weight": 1,
      "confidence": 100,
      "references": [],
      "data": [
        {
          "type": "call",
          "pid": 7912,
          "cid": 458
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 534
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 6964
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 7106
        }
      ],
      "new_data": [],
      "alert": false,
      "families": []
    },
    {
      "name": "accesses_public_folder",
      "description": "A file was accessed within the Public folder.",
      "categories": [
        "generic"
      ],
      "severity": 1,
      "weight": 1,
      "confidence": 100,
      "references": [],
      "data": [
        {
          "file": "C:\\Users\\Public\\Desktop\\GGsGuLID.exe"
        },
        {
          "file": "C:\\Users\\Public\\Desktop"
        }
      ],
      "new_data": [],
      "alert": false,
      "families": []
    },
    {
      "name": "antidebug_setunhandledexceptionfilter",
      "description": "SetUnhandledExceptionFilter detected (possible anti-debug)",
      "categories": [
        "anti-debug"
      ],
      "severity": 1,
      "weight": 1,
      "confidence": 40,
      "references": [],
      "data": [
        {
          "type": "call",
          "pid": 7912,
          "cid": 225
        }
      ],
      "new_data": [],
      "alert": false,
      "families": []
    },
    {
      "name": "antivm_network_adapters",
      "description": "Checks adapter addresses which can be used to detect virtual network interfaces",
      "categories": [
        "anti-vm"
      ],
      "severity": 1,
      "weight": 1,
      "confidence": 40,
      "references": [],
      "data": [
        {
          "type": "call",
          "pid": 7912,
          "cid": 14981
        }
      ],
      "new_data": [],
      "alert": false,
      "families": []
    },
    {
      "name": "stealth_timeout",
      "description": "Possible date expiration check, exits too soon after checking local time",
      "categories": [
        "stealth"
      ],
      "severity": 1,
      "weight": 1,
      "confidence": 40,
      "references": [],
      "data": [
        {
          "process": "dllhost.exe, PID 9716"
        },
        {
          "type": "call",
          "pid": 9716,
          "cid": 791
        }
      ],
      "new_data": [],
      "alert": false,
      "families": []
    },
    {
      "name": "language_check_registry",
      "description": "Checks system language via registry key (possible geofencing)",
      "categories": [
        "location_discovery",
        "geofence"
      ],
      "severity": 1,
      "weight": 1,
      "confidence": 100,
      "references": [],
      "data": [
        {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\en-AU"
        },
        {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\ExtendedLocale\\en-AU"
        }
      ],
      "new_data": [],
      "alert": false,
      "families": []
    },
    {
      "name": "mouse_movement_detect",
      "description": "Checks for mouse movement",
      "categories": [
        "anti-sandbox"
      ],
      "severity": 2,
      "weight": 1,
      "confidence": 100,
      "references": [],
      "data": [
        {
          "type": "call",
          "pid": 7912,
          "cid": 11012
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 11508
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 11513
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 12703
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 12716
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 12776
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 14001
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 14034
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 14126
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 14127
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 14129
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 14131
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 14142
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 14144
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 15023
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 15137
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 15270
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 15391
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 15829
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 15836
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 16310
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 16312
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 16324
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 16787
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 16794
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 16963
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 17422
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 17424
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 17935
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 17942
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 18335
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 18502
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 18576
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 18841
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 18847
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 18850
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 19017
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 19019
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 19021
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 19022
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 19024
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 19026
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 19028
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 19030
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 19033
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 19035
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 19037
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 19039
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 19041
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 19043
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 19045
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 19047
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 19049
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 19051
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 19052
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 19054
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 19056
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 19057
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 19059
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 19061
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 19063
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 19065
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 19067
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 19069
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 19071
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 19072
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 19074
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 19076
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 19078
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 19080
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 19082
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 19084
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 19086
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 19143
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 19150
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 19152
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 19177
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 19202
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 19285
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 19289
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 19404
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 19408
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 19412
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 19416
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 19587
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 19590
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 19592
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 19594
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 19596
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 19598
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 19600
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 19601
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 19603
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 19604
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 19606
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 19608
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 19610
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 19611
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 19613
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 19614
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 19616
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 19617
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 19618
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 19620
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 19621
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 19623
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 19624
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 19625
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 19627
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 19629
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 19631
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 19633
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 19635
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 19637
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 19639
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 19641
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 19643
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 19645
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 19647
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 19649
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 19651
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 19653
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 19655
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 19657
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 19659
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 19661
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 19684
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 19696
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 19698
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 19733
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 19735
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 19737
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 19739
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 19742
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 19743
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 19745
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 19747
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 19749
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 19751
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 19753
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 19755
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 19757
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 19759
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 19761
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 19763
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 19834
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 19836
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 19838
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 19840
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 19842
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 19844
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 19846
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 19847
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 19849
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 19916
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 19918
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 19920
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 19923
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 19925
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 19927
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 19929
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 19931
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 19932
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 19934
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 19936
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 19938
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 19940
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 19942
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 19944
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 19946
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 19948
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 19950
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 19952
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 19954
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 19956
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 19958
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 19960
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 19962
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 19964
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 19966
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 19968
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 19970
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 19972
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 19974
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 19975
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 19977
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 19979
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 19981
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 19983
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 19985
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 19987
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 19989
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 19991
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 19993
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 20062
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 20065
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 20069
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 20072
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 20997
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 20998
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 21000
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 21002
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 21004
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 21006
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 21019
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 21021
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 21023
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 21025
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 21027
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 21029
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 21030
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 21032
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 21082
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 21084
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 21086
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 21088
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 21091
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 21094
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 21096
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 21098
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 21101
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 21154
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 21244
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 21276
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 21278
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 21280
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 21282
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 21284
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 21286
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 21288
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 21290
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 21292
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 21294
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 21296
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 21298
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 21300
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 21302
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 21304
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 21306
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 21308
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 21310
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 21312
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 21314
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 21316
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 21318
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 21320
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 21322
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 21324
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 21326
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 21328
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 21330
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 21332
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 21334
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 21336
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 21338
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 21340
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 21342
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 21343
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 21349
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 21418
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 21420
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 21424
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 21428
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 21432
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 21436
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 21440
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 21447
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 21451
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 21454
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 21458
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 21462
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 21466
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 21470
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 21474
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 21478
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 21482
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 21486
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 21490
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 21494
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 21498
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 21502
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 21506
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 21510
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 21514
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 24089
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 24090
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 24092
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 24094
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 24096
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 24097
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 24099
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 24100
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 24102
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 24160
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 24162
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 24164
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 24166
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 24168
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 24170
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 24172
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 24174
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 24176
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 24178
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 24180
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 24182
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 24184
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 24186
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 24188
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 24190
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 24192
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 24194
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 24196
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 24198
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 24203
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 24205
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 24207
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 24209
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 24211
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 24213
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 24215
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 24217
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 24219
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 24221
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 24223
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 24225
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 24227
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 24229
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 24231
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 24234
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 24235
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 24237
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 24238
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 24239
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 24242
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 24246
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 24250
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 24253
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 24257
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 24260
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 24264
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 24268
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 24273
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 24330
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 24333
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 24337
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 24341
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 24345
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 24349
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 24352
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 24356
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 24360
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 24364
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 24365
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 24367
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 24369
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 24371
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 24373
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 24375
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 24377
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 24379
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 24381
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 24383
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 24385
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 24387
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 24389
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 24391
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 24393
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 24394
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 24396
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 24398
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 24400
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 24401
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 24403
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 24418
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 24420
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 24421
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 24422
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 24427
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 24429
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 24433
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 24434
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 25876
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 25877
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 25879
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 25881
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 25883
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 25885
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 25887
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 25889
        },
        {
          "mouse_movement": "Checks for mouse movement (mouse movement observed in sandbox during sampling)."
        }
      ],
      "new_data": [],
      "alert": false,
      "families": []
    },
    {
      "name": "privilege_elevation_check",
      "description": "Queries process token information to check for Administrator privileges or UAC elevation status",
      "categories": [
        "discovery",
        "privilege_escalation"
      ],
      "severity": 2,
      "weight": 1,
      "confidence": 80,
      "references": [],
      "data": [
        {
          "type": "call",
          "pid": 7912,
          "cid": 4810
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 4811
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 4893
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 4894
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 7049
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 7050
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 7666
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 7667
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 7694
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 7695
        },
        {
          "type": "call",
          "pid": 10720,
          "cid": 942
        },
        {
          "type": "call",
          "pid": 10720,
          "cid": 943
        },
        {
          "type": "call",
          "pid": 10720,
          "cid": 1052
        },
        {
          "type": "call",
          "pid": 10720,
          "cid": 1053
        },
        {
          "type": "call",
          "pid": 10720,
          "cid": 3441
        },
        {
          "type": "call",
          "pid": 10720,
          "cid": 3442
        },
        {
          "type": "call",
          "pid": 10720,
          "cid": 3711
        },
        {
          "type": "call",
          "pid": 10720,
          "cid": 3712
        },
        {
          "type": "call",
          "pid": 10720,
          "cid": 4027
        },
        {
          "type": "call",
          "pid": 10720,
          "cid": 4028
        },
        {
          "type": "call",
          "pid": 9716,
          "cid": 66
        },
        {
          "type": "call",
          "pid": 9716,
          "cid": 67
        },
        {
          "type": "call",
          "pid": 9716,
          "cid": 164
        },
        {
          "type": "call",
          "pid": 9716,
          "cid": 165
        }
      ],
      "new_data": [],
      "alert": false,
      "families": []
    },
    {
      "name": "query_fips_reconnaissance",
      "description": "Queried the FIPS cryptography policy; this can be used to adapt C2 network encryption, but is also done by legitimate encryption software",
      "categories": [
        "discovery",
        "c2"
      ],
      "severity": 2,
      "weight": 1,
      "confidence": 50,
      "references": [],
      "data": [
        {
          "type": "call",
          "pid": 7912,
          "cid": 328
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 329
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 332
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 334
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 335
        },
        {
          "type": "call",
          "pid": 9716,
          "cid": 46
        },
        {
          "type": "call",
          "pid": 9716,
          "cid": 47
        },
        {
          "type": "call",
          "pid": 9716,
          "cid": 50
        },
        {
          "type": "call",
          "pid": 9716,
          "cid": 52
        },
        {
          "type": "call",
          "pid": 9716,
          "cid": 53
        },
        {
          "behavioral_fips_reconnaissance": [
            "dllhost.exe (PID: 9716) probed FIPS encryption policy at 'HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\FipsAlgorithmPolicy'",
            "dllhost.exe (PID: 9716) probed FIPS encryption policy at 'HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\FipsAlgorithmPolicy\\MDMEnabled'",
            "dllhost.exe (PID: 9716) probed FIPS encryption policy at 'HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\FipsAlgorithmPolicy\\Enabled'",
            "Taskmgr.exe (PID: 7912) probed FIPS encryption policy at 'HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Lsa\\FipsAlgorithmPolicy'",
            "Taskmgr.exe (PID: 7912) probed FIPS encryption policy at 'HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\FipsAlgorithmPolicy\\STE'",
            "dllhost.exe (PID: 9716) probed FIPS encryption policy at 'HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\FipsAlgorithmPolicy\\STE'",
            "Taskmgr.exe (PID: 7912) probed FIPS encryption policy at 'HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\FipsAlgorithmPolicy'",
            "Taskmgr.exe (PID: 7912) probed FIPS encryption policy at 'HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\FipsAlgorithmPolicy\\MDMEnabled'",
            "Taskmgr.exe (PID: 7912) probed FIPS encryption policy at 'HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\FipsAlgorithmPolicy\\Enabled'",
            "dllhost.exe (PID: 9716) probed FIPS encryption policy at 'HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Lsa\\FipsAlgorithmPolicy'"
          ]
        }
      ],
      "new_data": [],
      "alert": false,
      "families": []
    },
    {
      "name": "mountpoints_volume_discovery",
      "description": "Queries the mount points and then resolves volume paths to enumerate storage devices",
      "categories": [
        "discovery",
        "ransomware",
        "wiper"
      ],
      "severity": 2,
      "weight": 1,
      "confidence": 20,
      "references": [],
      "data": [
        {
          "type": "call",
          "pid": 7912,
          "cid": 4443
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 4448
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 4459
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 4494
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 4497
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 4502
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 4508
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 4511
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 4516
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 4522
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 4525
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 4530
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 4536
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 4539
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 4544
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 6150
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 19274
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 20352
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 20392
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 20746
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 23307
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 23347
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 23700
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 26257
        },
        {
          "type": "call",
          "pid": 10720,
          "cid": 3646
        },
        {
          "type": "call",
          "pid": 10720,
          "cid": 3647
        },
        {
          "type": "call",
          "pid": 10720,
          "cid": 3652
        },
        {
          "type": "call",
          "pid": 10720,
          "cid": 3662
        },
        {
          "type": "call",
          "pid": 10720,
          "cid": 4055
        },
        {
          "type": "call",
          "pid": 10720,
          "cid": 4057
        },
        {
          "type": "call",
          "pid": 10720,
          "cid": 4062
        },
        {
          "type": "call",
          "pid": 10720,
          "cid": 4071
        },
        {
          "type": "call",
          "pid": 10720,
          "cid": 4073
        },
        {
          "type": "call",
          "pid": 10720,
          "cid": 4078
        },
        {
          "type": "call",
          "pid": 10720,
          "cid": 4087
        },
        {
          "type": "call",
          "pid": 10720,
          "cid": 4089
        },
        {
          "type": "call",
          "pid": 10720,
          "cid": 4094
        },
        {
          "type": "call",
          "pid": 10720,
          "cid": 4119
        },
        {
          "type": "call",
          "pid": 10720,
          "cid": 4121
        },
        {
          "type": "call",
          "pid": 10720,
          "cid": 4126
        }
      ],
      "new_data": [],
      "alert": false,
      "families": []
    },
    {
      "name": "dllload_suspicious_directory",
      "description": "A DLL was loaded from a suspicious directory",
      "categories": [
        "side loading"
      ],
      "severity": 2,
      "weight": 1,
      "confidence": 50,
      "references": [],
      "data": [
        {
          "type": "call",
          "pid": 9188,
          "cid": 119
        },
        {
          "suspicious_dll_load": "Process msedge.exe loaded a DLL from a suspicious directory; this is possibly indicative of DLL side loading/search order hijacking"
        }
      ],
      "new_data": [],
      "alert": false,
      "families": []
    },
    {
      "name": "registers_vectored_exception_handler",
      "description": "Registers a vectored exception handler (VEH), possibly to hijack execution flow",
      "categories": [
        "evasion",
        "execution",
        "injection"
      ],
      "severity": 2,
      "weight": 1,
      "confidence": 80,
      "references": [],
      "data": [
        {
          "type": "call",
          "pid": 10720,
          "cid": 166
        }
      ],
      "new_data": [],
      "alert": false,
      "families": []
    },
    {
      "name": "creates_suspended_process",
      "description": "Creates a process in a suspended state, likely for injection",
      "categories": [
        "injection",
        "process hollowing"
      ],
      "severity": 2,
      "weight": 1,
      "confidence": 50,
      "references": [],
      "data": [
        {
          "type": "call",
          "pid": 4584,
          "cid": 185
        },
        {
          "type": "call",
          "pid": 9188,
          "cid": 107
        },
        {
          "type": "call",
          "pid": 9188,
          "cid": 108
        },
        {
          "type": "call",
          "pid": 9188,
          "cid": 113
        },
        {
          "type": "call",
          "pid": 9188,
          "cid": 114
        },
        {
          "type": "call",
          "pid": 9188,
          "cid": 135
        },
        {
          "type": "call",
          "pid": 9188,
          "cid": 142
        }
      ],
      "new_data": [],
      "alert": false,
      "families": []
    },
    {
      "name": "resumethread_remote_process",
      "description": "Resumed a thread in another process",
      "categories": [
        "injection",
        "unpacking"
      ],
      "severity": 2,
      "weight": 1,
      "confidence": 100,
      "references": [],
      "data": [
        {
          "thread_resumed": "Process explorer.exe with process ID 4584 resumed a thread in another process with the process ID 7912"
        },
        {
          "type": "call",
          "pid": 4584,
          "cid": 200
        }
      ],
      "new_data": [],
      "alert": false,
      "families": []
    },
    {
      "name": "reads_memory_remote_process",
      "description": "Reads from the memory of another process",
      "categories": [
        "memory scraping",
        "injection"
      ],
      "severity": 2,
      "weight": 1,
      "confidence": 100,
      "references": [],
      "data": [
        {
          "read_memory": "Process taskmgr.exe with process ID 7912 read from the memory of process handle 0x00000610"
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 4010
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 4011
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 4109
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 4111
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 4113
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 4242
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 4244
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 4245
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 4630
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 4632
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 4633
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 4688
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 4689
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 4690
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 4870
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 5093
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 5095
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 5096
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 5184
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 5186
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 5187
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 5431
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 5432
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 5433
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 5471
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 5545
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 5546
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 5547
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 5633
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 5634
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 5635
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 5699
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 5700
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 5701
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 5756
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 5759
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 5825
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 5826
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 5827
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 5871
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 5872
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 5873
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 5945
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 5946
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 5948
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 5995
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 5997
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 6142
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 6144
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 6272
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 6274
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 6275
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 6387
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 6570
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 6571
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 6572
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 6605
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 6606
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 6607
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 6640
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 6641
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 6642
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 6677
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 6678
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 6679
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 6698
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 6699
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 6700
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 6733
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 6734
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 6735
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 6771
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 6772
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 6773
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 6806
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 6807
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 6808
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 6871
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 6872
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 6873
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 6907
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 6908
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 6909
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 6930
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 6931
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 6932
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 7847
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 7848
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 7849
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 7909
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 7910
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 7911
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 7944
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 7945
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 7946
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 8220
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 8221
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 8222
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 8262
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 8263
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 8264
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 8291
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 8292
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 8293
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 8324
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 8325
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 8326
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 8359
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 8360
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 8361
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 8382
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 8383
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 8384
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 8417
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 8418
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 8419
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 8440
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 8441
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 8442
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 8463
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 8464
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 8465
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 8486
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 8487
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 8488
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 8509
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 8510
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 8511
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 8532
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 8533
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 8534
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 8555
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 8556
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 8557
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 8578
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 8579
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 8580
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 8613
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 8614
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 8615
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 8642
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 8643
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 8644
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 8679
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 8680
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 8681
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 8825
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 8826
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 8827
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 15561
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 15562
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 15563
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 15600
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 15601
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 15602
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 15675
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 15676
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 15677
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 15710
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 15711
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 15712
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 15745
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 15746
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 15747
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 15780
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 15781
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 15782
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 15815
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 15816
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 15817
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 15856
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 15857
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 15858
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 15891
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 15892
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 15893
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 15926
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 15927
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 15928
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 15961
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 15962
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 15963
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 15996
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 15997
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 15998
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 16031
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 16032
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 16033
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 16066
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 16067
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 16068
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 16101
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 16102
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 16103
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 16136
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 16137
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 16138
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 16171
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 16172
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 16173
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 16206
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 16207
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 16208
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 16241
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 16242
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 16243
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 16276
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 16277
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 16278
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 16314
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 16315
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 16316
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 16351
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 16352
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 16353
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 16386
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 16387
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 16388
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 16421
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 16422
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 16423
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 16456
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 16457
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 16458
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 16491
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 16492
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 16493
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 16526
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 16527
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 16528
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 16563
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 16564
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 16565
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 16598
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 16599
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 16600
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 16633
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 16634
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 16635
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 16693
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 16694
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 16695
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 16759
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 16760
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 16761
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 16796
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 16797
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 16798
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 16860
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 16861
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 16862
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 16937
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 16938
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 16939
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 16978
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 16979
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 16980
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 17051
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 17052
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 17053
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 17097
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 17098
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 17099
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 17204
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 17205
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 17206
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 17319
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 17320
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 17321
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 17354
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 17355
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 17356
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 17377
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 17378
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 17379
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 17400
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 17401
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 17402
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 17427
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 17428
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 17429
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 17450
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 17451
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 17452
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 17473
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 17474
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 17475
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 17496
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 17497
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 17498
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 17519
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 17520
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 17521
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 17554
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 17555
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 17556
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 17577
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 17578
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 17579
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 18129
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 18130
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 18131
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 18167
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 18168
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 18169
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 18216
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 18217
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 18218
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 18279
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 18280
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 18281
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 18344
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 18345
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 18346
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 18379
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 18380
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 18381
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 18981
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 18982
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 18983
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 19206
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 19207
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 19208
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 19300
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 19301
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 19302
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 19335
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 19336
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 19337
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 19358
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 19359
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 19360
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 19468
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 19469
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 19470
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 19491
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 19492
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 19493
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 19514
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 19515
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 19516
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 19537
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 19538
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 19539
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 20189
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 20190
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 20191
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 20854
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 20855
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 20856
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 21009
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 21010
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 21011
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 22937
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 22938
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 22939
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 23889
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 23890
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 23891
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 23912
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 23913
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 23914
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 23935
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 23936
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 23937
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 23958
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 23959
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 23960
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 23981
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 23982
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 23983
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 24004
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 24005
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 24006
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 24589
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 24590
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 24591
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 24612
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 24613
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 24614
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 25531
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 25532
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 25533
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 25862
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 25863
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 25864
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 25928
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 25929
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 25930
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 26144
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 26145
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 26146
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 26269
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 26270
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 26271
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 26536
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 26537
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 26538
        }
      ],
      "new_data": [],
      "alert": false,
      "families": []
    },
    {
      "name": "discover_registry_mount_points",
      "description": "Queries registry mount points to identify historical or connected removable/network drives",
      "categories": [
        "discovery",
        "ransomware",
        "wiper"
      ],
      "severity": 2,
      "weight": 1,
      "confidence": 20,
      "references": [],
      "data": [
        {
          "mount_point_key": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{528c102f-0000-0000-0000-100000000000}\\Generation"
        },
        {
          "mount_point_key": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{528c102f-0000-0000-0000-100000000000}\\Data"
        },
        {
          "mount_point_key": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{e32a94c0-5af2-11f1-ae2c-806e6f6e6963}\\"
        },
        {
          "mount_point_key": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{528c102f-0000-0000-0000-300300000000}\\"
        },
        {
          "mount_point_key": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{528c102f-0000-0000-0000-c0dd0e000000}\\"
        },
        {
          "mount_point_key": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{528c102f-0000-0000-0000-300300000000}\\Data"
        },
        {
          "mount_point_key": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{e32a94c0-5af2-11f1-ae2c-806e6f6e6963}\\Data"
        },
        {
          "mount_point_key": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{528c102f-0000-0000-0000-c0dd0e000000}\\Generation"
        },
        {
          "mount_point_key": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{528c102f-0000-0000-0000-100000000000}\\"
        },
        {
          "mount_point_key": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{e32a94c0-5af2-11f1-ae2c-806e6f6e6963}\\Generation"
        },
        {
          "mount_point_key": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{528c102f-0000-0000-0000-300300000000}\\Generation"
        },
        {
          "mount_point_key": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{528c102f-0000-0000-0000-c0dd0e000000}\\Data"
        }
      ],
      "new_data": [],
      "alert": false,
      "families": []
    },
    {
      "name": "antisandbox_unhook",
      "description": "Tries to unhook or modify Windows functions monitored by CAPE",
      "categories": [
        "anti-sandbox"
      ],
      "severity": 3,
      "weight": 1,
      "confidence": 60,
      "references": [],
      "data": [
        {
          "type": "call",
          "pid": 10720,
          "cid": 4618
        },
        {
          "unhook": "function_name: CommandLineToArgvW, type: restored"
        }
      ],
      "new_data": [],
      "alert": false,
      "families": []
    },
    {
      "name": "hardware_id_profiling",
      "description": "Queries the Volume Serial Number or Physical Hardware ID, possibly for anti-sandbox, victim profiling or environmental keying",
      "categories": [
        "evasion",
        "recon",
        "anti-sandbox"
      ],
      "severity": 3,
      "weight": 1,
      "confidence": 80,
      "references": [],
      "data": [
        {
          "type": "call",
          "pid": 7912,
          "cid": 11403
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 11404
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 11405
        }
      ],
      "new_data": [],
      "alert": false,
      "families": []
    },
    {
      "name": "antivm_display",
      "description": "Attempts to query display device information, possibly to determine if the process is running in a virtualized environment",
      "categories": [
        "anti-vm"
      ],
      "severity": 3,
      "weight": 1,
      "confidence": 100,
      "references": [],
      "data": [
        {
          "type": "call",
          "pid": 7912,
          "cid": 14399
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 14400
        }
      ],
      "new_data": [],
      "alert": false,
      "families": []
    },
    {
      "name": "suspicious_iocontrol_codes",
      "description": "Uses suspicious IO control codes, indicative of disk enumeration or a bootkit/wiper",
      "categories": [
        "bootkit",
        "rootkit",
        "wiper"
      ],
      "severity": 3,
      "weight": 1,
      "confidence": 100,
      "references": [],
      "data": [
        {
          "type": "call",
          "pid": 7912,
          "cid": 11403
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 11404
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 11405
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 11406
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 11414
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 11422
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 11435
        },
        {
          "type": "call",
          "pid": 7912,
          "cid": 11446
        }
      ],
      "new_data": [],
      "alert": false,
      "families": []
    },
    {
      "name": "recon_fingerprint",
      "description": "Collects information to fingerprint the system",
      "categories": [
        "discovery"
      ],
      "severity": 3,
      "weight": 1,
      "confidence": 75,
      "references": [],
      "data": [
        {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\MachineGuid"
        }
      ],
      "new_data": [],
      "alert": false,
      "families": []
    }
  ],
  "malscore": 10.0,
  "ttps": [
    {
      "signature": "mouse_movement_detect",
      "ttps": [
        "T1497"
      ],
      "mbcs": []
    },
    {
      "signature": "antisandbox_unhook",
      "ttps": [
        "T1562.001",
        "T1562"
      ],
      "mbcs": [
        "OB0001",
        "B0003",
        "OB0006",
        "F0004",
        "F0004.003"
      ]
    },
    {
      "signature": "hardware_id_profiling",
      "ttps": [
        "T1082"
      ],
      "mbcs": [
        "E1082",
        "E1480.001"
      ]
    },
    {
      "signature": "antivm_display",
      "ttps": [
        "T1082"
      ],
      "mbcs": []
    },
    {
      "signature": "antivm_checks_available_memory",
      "ttps": [
        "T1082"
      ],
      "mbcs": []
    },
    {
      "signature": "suspicious_iocontrol_codes",
      "ttps": [
        "T1542.003"
      ],
      "mbcs": []
    },
    {
      "signature": "privilege_elevation_check",
      "ttps": [
        "T1033",
        "T1082"
      ],
      "mbcs": []
    },
    {
      "signature": "query_fips_reconnaissance",
      "ttps": [
        "T1082"
      ],
      "mbcs": []
    },
    {
      "signature": "mountpoints_volume_discovery",
      "ttps": [
        "T1082"
      ],
      "mbcs": []
    },
    {
      "signature": "dllload_suspicious_directory",
      "ttps": [
        "T1574"
      ],
      "mbcs": [
        "F0015"
      ]
    },
    {
      "signature": "registers_vectored_exception_handler",
      "ttps": [
        "T1055",
        "T1574"
      ],
      "mbcs": []
    },
    {
      "signature": "creates_suspended_process",
      "ttps": [
        "T1055"
      ],
      "mbcs": []
    },
    {
      "signature": "resumethread_remote_process",
      "ttps": [
        "T1055"
      ],
      "mbcs": []
    },
    {
      "signature": "accesses_public_folder",
      "ttps": [
        "T1548",
        "T1036"
      ],
      "mbcs": []
    },
    {
      "signature": "discover_registry_mount_points",
      "ttps": [
        "T1082"
      ],
      "mbcs": []
    },
    {
      "signature": "recon_fingerprint",
      "ttps": [
        "T1012",
        "T1082"
      ],
      "mbcs": [
        "OB0007",
        "E1082",
        "OC0008",
        "C0036"
      ]
    }
  ],
  "malstatus": "Malicious"
}